From 8d75abadd5070fbb7cf28c7ec1cd2d47442ba36b Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Thu, 20 Jul 2023 15:38:37 -0600
Subject: [PATCH 01/74] bump for v23.08.0 development
---
 docker-compose-standalone.yml | 44 +++++++-------
 docker-compose.yml | 44 +++++++-------
 docs/contributing-pcap.md | 2 +-
 docs/download.md | 4 +-
 docs/hedgehog-iso-build.md | 2 +-
 docs/kubernetes.md | 88 ++++++++++++++--------------
 docs/malcolm-iso.md | 2 +-
 docs/quickstart.md | 38 ++++++------
 docs/ubuntu-install-example.md | 38 ++++++------
 kubernetes/03-opensearch.yml | 4 +-
 kubernetes/04-dashboards.yml | 2 +-
 kubernetes/05-upload.yml | 4 +-
 kubernetes/06-pcap-monitor.yml | 4 +-
 kubernetes/07-arkime.yml | 4 +-
 kubernetes/08-api.yml | 2 +-
 kubernetes/09-dashboards-helper.yml | 2 +-
 kubernetes/10-zeek.yml | 4 +-
 kubernetes/11-suricata.yml | 4 +-
 kubernetes/12-file-monitor.yml | 4 +-
 kubernetes/13-filebeat.yml | 4 +-
 kubernetes/14-logstash.yml | 4 +-
 kubernetes/15-netbox-redis.yml | 4 +-
 kubernetes/16-netbox-redis-cache.yml | 2 +-
 kubernetes/17-netbox-postgres.yml | 4 +-
 kubernetes/18-netbox.yml | 4 +-
 kubernetes/19-htadmin.yml | 4 +-
 kubernetes/20-pcap-capture.yml | 4 +-
 kubernetes/21-zeek-live.yml | 4 +-
 kubernetes/22-suricata-live.yml | 4 +-
 kubernetes/23-freq.yml | 2 +-
 kubernetes/98-nginx-proxy.yml | 4 +-
 31 files changed, 170 insertions(+), 170 deletions(-)
diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index 7a0a1fff9..3e298d7ac 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -4,7 +4,7 @@ version: '3.7'
 services:
 opensearch:
- image: ghcr.io/idaholab/malcolm/opensearch:23.07.1
+ image: ghcr.io/idaholab/malcolm/opensearch:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -37,7 +37,7 @@ services:
 retries: 3
 start_period: 180s
 dashboards-helper:
- image: ghcr.io/idaholab/malcolm/dashboards-helper:23.07.1
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -64,7 +64,7 @@ services:
 retries: 3
 start_period: 30s
 dashboards:
- image: ghcr.io/idaholab/malcolm/dashboards:23.07.1
+ image: ghcr.io/idaholab/malcolm/dashboards:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -90,7 +90,7 @@ services:
 retries: 3
 start_period: 210s
 logstash:
- image: ghcr.io/idaholab/malcolm/logstash-oss:23.07.1
+ image: ghcr.io/idaholab/malcolm/logstash-oss:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -132,7 +132,7 @@ services:
 retries: 3
 start_period: 600s
 filebeat:
- image: ghcr.io/idaholab/malcolm/filebeat-oss:23.07.1
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -167,7 +167,7 @@ services:
 retries: 3
 start_period: 60s
 arkime:
- image: ghcr.io/idaholab/malcolm/arkime:23.07.1
+ image: ghcr.io/idaholab/malcolm/arkime:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -203,7 +203,7 @@ services:
 retries: 3
 start_period: 210s
 zeek:
- image: ghcr.io/idaholab/malcolm/zeek:23.07.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -241,7 +241,7 @@ services:
 retries: 3
 start_period: 60s
 zeek-live:
- image: ghcr.io/idaholab/malcolm/zeek:23.07.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -269,7 +269,7 @@ services:
 - ./zeek-logs/extract_files:/zeek/extract_files
 - ./zeek/intel:/opt/zeek/share/zeek/site/intel
 suricata:
- image: ghcr.io/idaholab/malcolm/suricata:23.07.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -305,7 +305,7 @@ services:
 retries: 3
 start_period: 120s
 suricata-live:
- image: ghcr.io/idaholab/malcolm/suricata:23.07.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -331,7 +331,7 @@ services:
 - ./suricata-logs:/var/log/suricata
 - ./suricata/rules:/opt/suricata/rules:ro
 file-monitor:
- image: ghcr.io/idaholab/malcolm/file-monitor:23.07.1
+ image: ghcr.io/idaholab/malcolm/file-monitor:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -357,7 +357,7 @@ services:
 retries: 3
 start_period: 60s
 pcap-capture:
- image: ghcr.io/idaholab/malcolm/pcap-capture:23.07.1
+ image: ghcr.io/idaholab/malcolm/pcap-capture:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -379,7 +379,7 @@ services:
 - ./nginx/ca-trust:/var/local/ca-trust:ro
 - ./pcap/upload:/pcap
 pcap-monitor:
- image: ghcr.io/idaholab/malcolm/pcap-monitor:23.07.1
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -405,7 +405,7 @@ services:
 retries: 3
 start_period: 90s
 upload:
- image: ghcr.io/idaholab/malcolm/file-upload:23.07.1
+ image: ghcr.io/idaholab/malcolm/file-upload:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -433,7 +433,7 @@ services:
 retries: 3
 start_period: 60s
 htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:23.07.1
+ image: ghcr.io/idaholab/malcolm/htadmin:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -458,7 +458,7 @@ services:
 retries: 3
 start_period: 60s
 freq:
- image: ghcr.io/idaholab/malcolm/freq:23.07.1
+ image: ghcr.io/idaholab/malcolm/freq:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -480,7 +480,7 @@ services:
 retries: 3
 start_period: 60s
 netbox:
- image: ghcr.io/idaholab/malcolm/netbox:23.07.1
+ image: ghcr.io/idaholab/malcolm/netbox:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -511,7 +511,7 @@ services:
 retries: 3
 start_period: 120s
 netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:23.07.1
+ image: ghcr.io/idaholab/malcolm/postgresql:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -535,7 +535,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:23.07.1
+ image: ghcr.io/idaholab/malcolm/redis:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -563,7 +563,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:23.07.1
+ image: ghcr.io/idaholab/malcolm/redis:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -590,7 +590,7 @@ services:
 retries: 3
 start_period: 45s
 api:
- image: ghcr.io/idaholab/malcolm/api:23.07.1
+ image: ghcr.io/idaholab/malcolm/api:23.08.0
 command: gunicorn --bind 0:5000 manage:app
 restart: "no"
 stdin_open: false
@@ -614,7 +614,7 @@ services:
 retries: 3
 start_period: 60s
 nginx-proxy:
- image: ghcr.io/idaholab/malcolm/nginx-proxy:23.07.1
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
diff --git a/docker-compose.yml b/docker-compose.yml
index 817a26cb5..cf73424cb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/opensearch.Dockerfile
- image: ghcr.io/idaholab/malcolm/opensearch:23.07.1
+ image: ghcr.io/idaholab/malcolm/opensearch:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -43,7 +43,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/dashboards-helper.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards-helper:23.07.1
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -73,7 +73,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/dashboards.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards:23.07.1
+ image: ghcr.io/idaholab/malcolm/dashboards:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -102,7 +102,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/logstash.Dockerfile
- image: ghcr.io/idaholab/malcolm/logstash-oss:23.07.1
+ image: ghcr.io/idaholab/malcolm/logstash-oss:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -151,7 +151,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/filebeat.Dockerfile
- image: ghcr.io/idaholab/malcolm/filebeat-oss:23.07.1
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -189,7 +189,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/arkime.Dockerfile
- image: ghcr.io/idaholab/malcolm/arkime:23.07.1
+ image: ghcr.io/idaholab/malcolm/arkime:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -231,7 +231,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:23.07.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -273,7 +273,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:23.07.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -305,7 +305,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:23.07.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -344,7 +344,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:23.07.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -373,7 +373,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/file-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-monitor:23.07.1
+ image: ghcr.io/idaholab/malcolm/file-monitor:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -402,7 +402,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/pcap-capture.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-capture:23.07.1
+ image: ghcr.io/idaholab/malcolm/pcap-capture:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -427,7 +427,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/pcap-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-monitor:23.07.1
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -456,7 +456,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/file-upload.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-upload:23.07.1
+ image: ghcr.io/idaholab/malcolm/file-upload:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -484,7 +484,7 @@ services:
 retries: 3
 start_period: 60s
 htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:23.07.1
+ image: ghcr.io/idaholab/malcolm/htadmin:23.08.0
 build:
 context: .
 dockerfile: Dockerfiles/htadmin.Dockerfile
@@ -512,7 +512,7 @@ services:
 retries: 3
 start_period: 60s
 freq:
- image: ghcr.io/idaholab/malcolm/freq:23.07.1
+ image: ghcr.io/idaholab/malcolm/freq:23.08.0
 build:
 context: .
 dockerfile: Dockerfiles/freq.Dockerfile
@@ -537,7 +537,7 @@ services:
 retries: 3
 start_period: 60s
 netbox:
- image: ghcr.io/idaholab/malcolm/netbox:23.07.1
+ image: ghcr.io/idaholab/malcolm/netbox:23.08.0
 build:
 context: .
 dockerfile: Dockerfiles/netbox.Dockerfile
@@ -572,7 +572,7 @@ services:
 retries: 3
 start_period: 120s
 netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:23.07.1
+ image: ghcr.io/idaholab/malcolm/postgresql:23.08.0
 build:
 context: .
 dockerfile: Dockerfiles/postgresql.Dockerfile
@@ -599,7 +599,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:23.07.1
+ image: ghcr.io/idaholab/malcolm/redis:23.08.0
 build:
 context: .
 dockerfile: Dockerfiles/redis.Dockerfile
@@ -630,7 +630,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:23.07.1
+ image: ghcr.io/idaholab/malcolm/redis:23.08.0
 build:
 context: .
 dockerfile: Dockerfiles/redis.Dockerfile
@@ -660,7 +660,7 @@ services:
 retries: 3
 start_period: 45s
 api:
- image: ghcr.io/idaholab/malcolm/api:23.07.1
+ image: ghcr.io/idaholab/malcolm/api:23.08.0
 build:
 context: .
 dockerfile: Dockerfiles/api.Dockerfile
@@ -690,7 +690,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/nginx.Dockerfile
- image: ghcr.io/idaholab/malcolm/nginx-proxy:23.07.1
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:23.08.0
 restart: "no"
 stdin_open: false
 tty: true
diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md
index 3f5397d3c..3f1defd2e 100644
--- a/docs/contributing-pcap.md
+++ b/docs/contributing-pcap.md
@@ -1,6 +1,6 @@
 # PCAP processors
-When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload/` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.07.1 release]({{ site.github.repository_url }}/releases/tag/v23.07.1)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
+When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload/` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.08.0 release]({{ site.github.repository_url }}/releases/tag/v23.08.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
 1. Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section
 * Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory
diff --git a/docs/download.md b/docs/download.md
index acd66e703..a26ec1818 100644
--- a/docs/download.md
+++ b/docs/download.md
@@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 | ISO | SHA256 |
 |---|---|
-| [malcolm-23.07.1.iso](/iso/malcolm-23.07.1.iso) (4.6GiB) | [`f6a244079ea016269454ad4d19b20672952417a88599fa7536bf476056f619f6`](/iso/malcolm-23.07.1.iso.sha256.txt) |
+| [malcolm-23.08.0.iso](/iso/malcolm-23.08.0.iso) (4.6GiB) | [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/malcolm-23.08.0.iso.sha256.txt) |
 ## Hedgehog Linux
@@ -26,7 +26,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 | ISO | SHA256 |
 |---|---|
-| [hedgehog-23.07.1.iso](/iso/hedgehog-23.07.1.iso) (2.3GiB) | [`4e92f2df34884b381885256ab74535bd9c3e38b7b6e14e2403524651fed759a3`](/iso/hedgehog-23.07.1.iso.sha256.txt) |
+| [hedgehog-23.08.0.iso](/iso/hedgehog-23.08.0.iso) (2.3GiB) | [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/hedgehog-23.08.0.iso.sha256.txt) |
 ## Warning
diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md
index ee7ad904b..f3ad1f03c 100644
--- a/docs/hedgehog-iso-build.md
+++ b/docs/hedgehog-iso-build.md
@@ -29,7 +29,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu
 ```
 …
-Finished, created "/sensor-build/hedgehog-23.07.1.iso"
+Finished, created "/sensor-build/hedgehog-23.08.0.iso"
 …
 ```
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
index 263e30e66..3f14f3be1 100644
--- a/docs/kubernetes.md
+++ b/docs/kubernetes.md
@@ -274,28 +274,28 @@ agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m |
 agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 861.34m | 14.36% | 19.55Gi | 9.29Gi | 61.28Gi | 11 |
 Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
-api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.07.1 |
-file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.07.1 |
-zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.07.1 |
-dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.07.1 |
-upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.07.1 |
-filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.07.1 |
-zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.07.1 |
-logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.07.1 |
-netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.07.1 |
-suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.07.1 |
-dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.07.1 |
-netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.07.1 |
-suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.07.1 |
-freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.07.1 |
-arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.07.1 |
-pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:23.07.1 |
-pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.07.1 |
-netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.07.1 |
-htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.07.1 |
-netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.07.1 |
-nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.07.1 |
-opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.07.1 |
+api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.08.0 |
+file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.08.0 |
+zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.08.0 |
+dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.08.0 |
+upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.08.0 |
+filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.08.0 |
+zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.08.0 |
+logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.08.0 |
+netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.08.0 |
+suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.08.0 |
+dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.08.0 |
+netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.08.0 |
+suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.08.0 |
+freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.08.0 |
+arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.08.0 |
+pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:23.08.0 |
+pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.08.0 |
+netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.08.0 |
+htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.08.0 |
+netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.08.0 |
+nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.08.0 |
+opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.08.0 |
 ```
 The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`. It must be deleted manually on the storage media underlying the PersistentVolumes.
@@ -551,28 +551,28 @@ agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m |
 agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 552.71m | 9.21% | 19.55Gi | 13.27Gi | 61.28Gi | 12 |
 Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
-netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.07.1 |
-netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.07.1 |
-dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.07.1 |
-freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.07.1 |
-pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.07.1 |
-nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.07.1 |
-htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.07.1 |
-opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.07.1 |
-zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.07.1 |
-dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.07.1 |
-arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.07.1 |
-api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.07.1 |
-netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.07.1 |
-pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.07.1 |
-suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.07.1 |
-suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:23.07.1 |
-netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.07.1 |
-zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.07.1 |
-filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.07.1 |
-file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.07.1 |
-upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.07.1 |
-logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.07.1 |
+netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.08.0 |
+netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.08.0 |
+dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.08.0 |
+freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.08.0 |
+pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.08.0 |
+nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.08.0 |
+htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.08.0 |
+opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.08.0 |
+zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.08.0 |
+dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.08.0 |
+arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.08.0 |
+api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.08.0 |
+netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.08.0 |
+pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.08.0 |
+suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.08.0 |
+suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:23.08.0 |
+netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.08.0 |
+zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.08.0 |
+filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.08.0 |
+file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.08.0 |
+upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.08.0 |
+logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.08.0 |
 ```
 View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`):
diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md
index 79ecbb1c1..a18ab5792 100644
--- a/docs/malcolm-iso.md
+++ b/docs/malcolm-iso.md
@@ -41,7 +41,7 @@ Building the ISO may take 30 minutes or more depending on the system. As the bui
 ```
 …
-Finished, created "/malcolm-build/malcolm-iso/malcolm-23.07.1.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-23.08.0.iso"
 …
 ```
diff --git a/docs/quickstart.md b/docs/quickstart.md
index 64b5b30a4..f17313c10 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -54,25 +54,25 @@ You can then observe the images have been retrieved by running `docker images`: ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.07.1 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.07.1 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.07.1 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.07.1 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.07.1 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.07.1 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.07.1 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.07.1 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.07.1 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.07.1 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.07.1 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.07.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.07.1 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.07.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.07.1 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.07.1 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.07.1 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.07.1 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.07.1 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.08.0 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.08.0 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.08.0 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.08.0 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.08.0 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.08.0 xxxxxxxxxxxx 
3 days ago 259MB +ghcr.io/idaholab/malcolm/filebeat-oss 23.08.0 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.08.0 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.08.0 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.08.0 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.08.0 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.08.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.08.0 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.08.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.08.0 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.08.0 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.08.0 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.08.0 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.08.0 xxxxxxxxxxxx 3 days ago 1GB ``` ### Import from pre-packaged tarballs diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index 162b000bd..2037330cf 100644 --- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md 
@@ -256,25 +256,25 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.07.1 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.07.1 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.07.1 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.07.1 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.07.1 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.07.1 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.07.1 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.07.1 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.07.1 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.07.1 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.07.1 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.07.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.07.1 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.07.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.07.1 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.07.1 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.07.1 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.07.1 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.07.1 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.08.0 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.08.0 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.08.0 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.08.0 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.08.0 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.08.0 xxxxxxxxxxxx 3 days ago 259MB 
+ghcr.io/idaholab/malcolm/filebeat-oss 23.08.0 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.08.0 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.08.0 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.08.0 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.08.0 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.08.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.08.0 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.08.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.08.0 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.08.0 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.08.0 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.08.0 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.08.0 xxxxxxxxxxxx 3 days ago 1GB ``` Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing. diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml index 14607990e..fbd2e3172 100644 --- a/kubernetes/03-opensearch.yml +++ b/kubernetes/03-opensearch.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: opensearch-container - image: ghcr.io/idaholab/malcolm/opensearch:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/opensearch:development imagePullPolicy: Always stdin: false tty: true @@ -69,7 +69,7 @@ spec: subPath: "opensearch" initContainers: - name: opensearch-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml index 7ca5e4069..cfbb8b422 100644 --- a/kubernetes/04-dashboards.yml +++ b/kubernetes/04-dashboards.yml 
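Review bot: The `image:` lines in kubernetes/03-opensearch.yml now point at `ghcr.io/mmguero-dev/malcolm/opensearch:development` and `ghcr.io/mmguero-dev/malcolm/dirinit:development`, a mutable tag in a different registry namespace from the `ghcr.io/idaholab/malcolm/...:23.08.0` images that the compose files and docs in this commit reference. Together with the `imagePullPolicy: Always` shown in the context lines, each image pull fetches whatever was last pushed to that tag, so the manifests no longer identify a reproducible or auditable image. The same substitution is made in the kubernetes/04 through kubernetes/98 manifests of this commit. If the development images are meant only for the working branch, I would add a comment above each changed line such as `# development build: restore ghcr.io/idaholab/malcolm/<image>:<release> or pin by @sha256 digest before tagging a release` (placeholders to be filled in), or keep the release image here and override it at deploy time.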
@@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-container - image: ghcr.io/idaholab/malcolm/dashboards:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dashboards:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml index 91104fa89..3fa05500c 100644 --- a/kubernetes/05-upload.yml +++ b/kubernetes/05-upload.yml @@ -34,7 +34,7 @@ spec: spec: containers: - name: upload-container - image: ghcr.io/idaholab/malcolm/file-upload:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/file-upload:development imagePullPolicy: Always stdin: false tty: true @@ -75,7 +75,7 @@ spec: subPath: "upload" initContainers: - name: upload-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml index a6d1fd0ba..70da6fc02 100644 --- a/kubernetes/06-pcap-monitor.yml +++ b/kubernetes/06-pcap-monitor.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: pcap-monitor-container - image: ghcr.io/idaholab/malcolm/pcap-monitor:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/pcap-monitor:development imagePullPolicy: Always stdin: false tty: true @@ -70,7 +70,7 @@ spec: name: pcap-monitor-zeek-volume initContainers: - name: pcap-monitor-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml index 8f2e89f65..ec138d853 100644 --- a/kubernetes/07-arkime.yml +++ b/kubernetes/07-arkime.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: arkime-container - image: ghcr.io/idaholab/malcolm/arkime:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/arkime:development imagePullPolicy: Always stdin: false tty: true 
@@ -83,7 +83,7 @@ spec: subPath: "arkime" initContainers: - name: arkime-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml index b9281e6e0..fb5ea2acf 100644 --- a/kubernetes/08-api.yml +++ b/kubernetes/08-api.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: api-container - image: ghcr.io/idaholab/malcolm/api:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/api:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml index d67888078..529647210 100644 --- a/kubernetes/09-dashboards-helper.yml +++ b/kubernetes/09-dashboards-helper.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-helper-container - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dashboards-helper:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml index d9e68bd9f..3f02eb94e 100644 --- a/kubernetes/10-zeek.yml +++ b/kubernetes/10-zeek.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: zeek-offline-container - image: ghcr.io/idaholab/malcolm/zeek:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/zeek:development imagePullPolicy: Always stdin: false tty: true @@ -68,7 +68,7 @@ spec: subPath: "zeek/intel" initContainers: - name: zeek-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml index 8651fd142..5e31720b6 100644 --- a/kubernetes/11-suricata.yml +++ b/kubernetes/11-suricata.yml 
@@ -16,7 +16,7 @@ spec: spec: containers: - name: suricata-offline-container - image: ghcr.io/idaholab/malcolm/suricata:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/suricata:development imagePullPolicy: Always stdin: false tty: true @@ -61,7 +61,7 @@ spec: name: suricata-offline-custom-rules-volume initContainers: - name: suricata-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml index 7c3a30a08..9cf768a47 100644 --- a/kubernetes/12-file-monitor.yml +++ b/kubernetes/12-file-monitor.yml @@ -33,7 +33,7 @@ spec: spec: containers: - name: file-monitor-container - image: ghcr.io/idaholab/malcolm/file-monitor:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/file-monitor:development imagePullPolicy: Always stdin: false tty: true @@ -81,7 +81,7 @@ spec: name: file-monitor-yara-rules-custom-volume initContainers: - name: file-monitor-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml index 20405c4fa..da45a94d1 100644 --- a/kubernetes/13-filebeat.yml +++ b/kubernetes/13-filebeat.yml @@ -33,7 +33,7 @@ spec: spec: containers: - name: filebeat-container - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/filebeat-oss:development imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: "nginx" initContainers: - name: filebeat-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml index c70cd7057..8f9029b76 100644 
--- a/kubernetes/14-logstash.yml +++ b/kubernetes/14-logstash.yml @@ -49,7 +49,7 @@ spec: # topologyKey: "kubernetes.io/hostname" containers: - name: logstash-container - image: ghcr.io/idaholab/malcolm/logstash-oss:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/logstash-oss:development imagePullPolicy: Always stdin: false tty: true @@ -113,7 +113,7 @@ spec: subPath: "logstash" initContainers: - name: logstash-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml index 1b44d5b45..922f54f1d 100644 --- a/kubernetes/15-netbox-redis.yml +++ b/kubernetes/15-netbox-redis.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-container - image: ghcr.io/idaholab/malcolm/redis:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/redis:development imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: netbox/redis initContainers: - name: netbox-redis-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml index 9a6a9bb53..0fef1bbf0 100644 --- a/kubernetes/16-netbox-redis-cache.yml +++ b/kubernetes/16-netbox-redis-cache.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-cache-container - image: ghcr.io/idaholab/malcolm/redis:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/redis:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml index 041f521b2..55a066358 100644 --- a/kubernetes/17-netbox-postgres.yml +++ b/kubernetes/17-netbox-postgres.yml 
@@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-postgres-container - image: ghcr.io/idaholab/malcolm/postgresql:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/postgresql:development imagePullPolicy: Always stdin: false tty: true @@ -74,7 +74,7 @@ spec: subPath: netbox/postgres initContainers: - name: netbox-postgres-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml index f5e68f26e..5f8d90dad 100644 --- a/kubernetes/18-netbox.yml +++ b/kubernetes/18-netbox.yml @@ -36,7 +36,7 @@ spec: spec: containers: - name: netbox-container - image: ghcr.io/idaholab/malcolm/netbox:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/netbox:development imagePullPolicy: Always stdin: false tty: true @@ -90,7 +90,7 @@ spec: subPath: netbox/media initContainers: - name: netbox-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml index 032b94af4..de5293761 100644 --- a/kubernetes/19-htadmin.yml +++ b/kubernetes/19-htadmin.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: htadmin-container - image: ghcr.io/idaholab/malcolm/htadmin:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/htadmin:development imagePullPolicy: Always stdin: false tty: true @@ -63,7 +63,7 @@ spec: subPath: "htadmin" initContainers: - name: htadmin-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml index e5a0a3193..275cffe99 100644 --- a/kubernetes/20-pcap-capture.yml +++ b/kubernetes/20-pcap-capture.yml 
@@ -16,7 +16,7 @@ spec: spec: containers: - name: pcap-capture-container - image: ghcr.io/idaholab/malcolm/pcap-capture:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/pcap-capture:development imagePullPolicy: Always stdin: false tty: true @@ -46,7 +46,7 @@ spec: subPath: "upload" initContainers: - name: pcap-capture-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml index 89a99df3a..e9651aa99 100644 --- a/kubernetes/21-zeek-live.yml +++ b/kubernetes/21-zeek-live.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: zeek-live-container - image: ghcr.io/idaholab/malcolm/zeek:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/zeek:development imagePullPolicy: Always stdin: false tty: true @@ -60,7 +60,7 @@ spec: subPath: "zeek/intel" initContainers: - name: zeek-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml index bcf568008..eade40dc2 100644 --- a/kubernetes/22-suricata-live.yml +++ b/kubernetes/22-suricata-live.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: suricata-live-container - image: ghcr.io/idaholab/malcolm/suricata:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/suricata:development imagePullPolicy: Always stdin: false tty: true @@ -51,7 +51,7 @@ spec: name: suricata-live-suricata-logs-volume initContainers: - name: suricata-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/23-freq.yml b/kubernetes/23-freq.yml index 824b611cc..b9dc580df 100644 --- a/kubernetes/23-freq.yml +++ b/kubernetes/23-freq.yml 
@@ -30,7 +30,7 @@ spec: spec: containers: - name: freq-container - image: ghcr.io/idaholab/malcolm/freq:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/freq:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml index 2ec8d3a23..94e7861e2 100644 --- a/kubernetes/98-nginx-proxy.yml +++ b/kubernetes/98-nginx-proxy.yml @@ -39,7 +39,7 @@ spec: spec: containers: - name: nginx-proxy-container - image: ghcr.io/idaholab/malcolm/nginx-proxy:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/nginx-proxy:development imagePullPolicy: Always stdin: false tty: true @@ -95,7 +95,7 @@ spec: subPath: "nginx" initContainers: - name: nginx-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.07.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true From d6baf66e5b534fb2771caef88eaf8de1841eb3b4 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 25 Jul 2023 06:47:03 -0600 Subject: [PATCH 02/74] updating to debian 12, broken, wip --- Dockerfiles/api.Dockerfile | 6 +++--- Dockerfiles/arkime.Dockerfile | 6 +++--- Dockerfiles/file-monitor.Dockerfile | 4 ++-- Dockerfiles/file-upload.Dockerfile | 4 ++-- Dockerfiles/freq.Dockerfile | 2 +- Dockerfiles/htadmin.Dockerfile | 2 +- Dockerfiles/pcap-capture.Dockerfile | 2 +- Dockerfiles/pcap-monitor.Dockerfile | 2 +- Dockerfiles/suricata.Dockerfile | 8 ++++---- Dockerfiles/zeek.Dockerfile | 22 +++++++++++----------- 10 files changed, 29 insertions(+), 29 deletions(-) diff --git a/Dockerfiles/api.Dockerfile b/Dockerfiles/api.Dockerfile index 4b181663b..c00b0da2a 100644 --- a/Dockerfiles/api.Dockerfile +++ b/Dockerfiles/api.Dockerfile @@ -1,4 +1,4 @@ -FROM python:3-slim-bullseye as builder +FROM python:3-slim-bookworm as builder ENV DEBIAN_FRONTEND noninteractive ENV TERM xterm 
@@ -18,7 +18,7 @@ WORKDIR /usr/src/app RUN python3 -m pip wheel --no-cache-dir --no-deps --wheel-dir /usr/src/app/wheels -r requirements.txt \ && flake8 --ignore=E203,E501,F401,W503 -FROM python:3-slim-bullseye +FROM python:3-slim-bookworm # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" @@ -79,7 +79,7 @@ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic RUN apt-get -q update \ && apt-get -y -q --no-install-recommends upgrade \ - && apt-get -y -q --no-install-recommends install curl netcat rsync tini \ + && apt-get -y -q --no-install-recommends install curl netcat-openbsd rsync tini \ && python3 -m pip install --upgrade pip \ && python3 -m pip install --no-cache /wheels/* \ && groupadd --gid ${DEFAULT_GID} ${PGROUP} \ diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile index 7b3850acf..be80789c2 100644 --- a/Dockerfiles/arkime.Dockerfile +++ b/Dockerfiles/arkime.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim AS build +FROM debian:12-slim AS build # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. @@ -71,7 +71,7 @@ RUN apt-get -q update && \ rm -f ${ARKIME_DIR}/wiseService/source.* ${ARKIME_DIR}/etc/*.systemd.service && \ bash -c "file ${ARKIME_DIR}/bin/* ${ARKIME_DIR}/node-v*/bin/* | grep 'ELF 64-bit' | sed 's/:.*//' | xargs -l -r strip -v --strip-unneeded" -FROM debian:11-slim +FROM debian:12-slim LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' @@ -133,7 +133,7 @@ ENV PCAP_MONITOR_HOST $PCAP_MONITOR_HOST COPY --from=build $ARKIME_DIR $ARKIME_DIR -RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.list && \ +RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.list && \ apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get install -q -y --no-install-recommends \ 
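Review bot: The changed `sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.list` line in the arkime runtime stage only swaps the suite name. As far as I know the official `debian:12-slim` image ships its APT sources in deb822 form at `/etc/apt/sources.list.d/debian.sources` and has no `/etc/apt/sources.list`, so this step would fail rather than enable the extra components. Something like `sed -i "s/^Components: main$/Components: main contrib non-free/" /etc/apt/sources.list.d/debian.sources` would fit the new layout; bookworm also split firmware into `non-free-firmware`, should any package need it. The same line is carried into file-monitor.Dockerfile and suricata.Dockerfile in this commit, and the RUN instruction continues past the end of this hunk.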
diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index 8f0fa94b5..afd7a15d7 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim +FROM debian:12-slim # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" @@ -99,7 +99,7 @@ ENV SUPERCRONIC_CRONTAB "/etc/crontab" COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/ -RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.list && \ +RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.list && \ apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get install --no-install-recommends -y -q \ diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile index 5d0a8ddef..191630303 100644 --- a/Dockerfiles/file-upload.Dockerfile +++ b/Dockerfiles/file-upload.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim AS build +FROM debian:12-slim AS build # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. @@ -21,7 +21,7 @@ RUN apt-get -q update && \ rm -rf /jQuery-File-Upload/*.html /jQuery-File-Upload/test/ /jQuery-File-Upload/server/gae-go/ \ /jQuery-File-Upload/server/gae-python/ -FROM debian:11-slim AS runtime +FROM debian:12-slim AS runtime LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' diff --git a/Dockerfiles/freq.Dockerfile b/Dockerfiles/freq.Dockerfile index e11bdb862..07b7d50e5 100644 --- a/Dockerfiles/freq.Dockerfile +++ b/Dockerfiles/freq.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim +FROM debian:12-slim # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/htadmin.Dockerfile b/Dockerfiles/htadmin.Dockerfile index 35c3728e9..6fda61fe3 100644 --- a/Dockerfiles/htadmin.Dockerfile 
+++ b/Dockerfiles/htadmin.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim +FROM debian:12-slim # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/pcap-capture.Dockerfile b/Dockerfiles/pcap-capture.Dockerfile index 8254959cb..6244eaad9 100644 --- a/Dockerfiles/pcap-capture.Dockerfile +++ b/Dockerfiles/pcap-capture.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim +FROM debian:12-slim # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile index b445677f6..eaf7ad1d9 100644 --- a/Dockerfiles/pcap-monitor.Dockerfile +++ b/Dockerfiles/pcap-monitor.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim +FROM debian:12-slim # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile index 5e4d4ab0f..a45c56d1a 100644 --- a/Dockerfiles/suricata.Dockerfile +++ b/Dockerfiles/suricata.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim +FROM debian:12-slim LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' 
@@ -49,11 +49,11 @@ ENV SURICATA_UPDATE_DIR "$SURICATA_MANAGED_DIR/update" ENV SURICATA_UPDATE_SOURCES_DIR "$SURICATA_UPDATE_DIR/sources" ENV SURICATA_UPDATE_CACHE_DIR "$SURICATA_UPDATE_DIR/cache" -RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.list && \ - echo "deb http://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list && \ +RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.list && \ + echo "deb http://deb.debian.org/debian bookworm-backports main" >> /etc/apt/sources.list && \ apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ - apt-get install -q -y -t bullseye-backports --no-install-recommends \ + apt-get install -q -y -t bookworm-backports --no-install-recommends \ libhtp2 \ suricata \ suricata-update && \ diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index 3ba9394da..15b38a130 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim +FROM debian:12-slim # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. 
@@ -114,16 +114,16 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ cd /tmp/zeek-packages && \ if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS && \ curl -sSL --remote-name-all \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VERSION}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VERSION}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VERSION}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VERSION}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeek${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/all/zeek${ZEEK_LTS}-client_${ZEEK_VERSION}_all.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VERSION}_all.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/all/zeek${ZEEK_LTS}-btest_${ZEEK_VERSION}_all.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VERSION}_all.deb" && \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \ + 
"https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-client_${ZEEK_VERSION}_all.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VERSION}_all.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest_${ZEEK_VERSION}_all.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VERSION}_all.deb" && \ dpkg -i ./*.deb && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ From 7c4db680889e665ceb654081907b167bcf24b818 Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 25 Jul 2023 08:13:11 -0600 Subject: [PATCH 03/74] bump opensearch to v2.9.0 and supercronic to v0.2.26 --- Dockerfiles/dashboards-helper.Dockerfile | 4 ++-- Dockerfiles/dashboards.Dockerfile | 16 ++++++++-------- Dockerfiles/file-monitor.Dockerfile | 4 ++-- Dockerfiles/filebeat.Dockerfile | 4 ++-- Dockerfiles/netbox.Dockerfile | 4 ++-- Dockerfiles/opensearch.Dockerfile | 2 +- Dockerfiles/suricata.Dockerfile | 4 ++-- Dockerfiles/zeek.Dockerfile | 4 ++-- 8 files changed, 21 insertions(+), 21 deletions(-) diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile index 4953e5aa6..d6b1b44d5 100644 --- a/Dockerfiles/dashboards-helper.Dockerfile +++ b/Dockerfiles/dashboards-helper.Dockerfile @@ -47,10 +47,10 @@ ENV DASHBOARDS_URL $DASHBOARDS_URL ENV DASHBOARDS_DARKMODE $DASHBOARDS_DARKMODE ENV PATH="/data:${PATH}" -ENV SUPERCRONIC_VERSION "0.2.25" +ENV SUPERCRONIC_VERSION "0.2.26" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "642f4f5a2b67f3400b5ea71ff24f18c0a7d77d49" +ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV ECS_RELEASES_URL "https://api.github.com/repos/elastic/ecs/releases/latest" 
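Review bot: The ten Zeek `.deb` URLs are fetched with `curl -sSL --remote-name-all` and handed straight to `dpkg -i ./*.deb` with no checksum or signature check, while the supercronic binary on the following lines is verified with `sha1sum -c`. Without `-f`, an HTTP error body for a `Debian_12` package that does not exist is also saved under the `.deb` name and only fails later inside dpkg. I would change the call to `curl -fsSL --remote-name-all \` and verify the downloads against pinned digests before installing, for example `sha256sum -c zeek-packages.sha256 && \` with a checksum file copied into the image (the file name is a placeholder). The URLs also hard-code `amd64` although the hunk header shows `DEBARCH` being computed; the RUN instruction starts and ends outside this hunk, so that may be handled elsewhere.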
diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile index 9ab901727..5512cf253 100644 --- a/Dockerfiles/dashboards.Dockerfile +++ b/Dockerfiles/dashboards.Dockerfile @@ -14,10 +14,10 @@ ENV PGROUP "dashboarder" ENV TERM xterm -ARG OPENSEARCH_VERSION="2.8.0" +ARG OPENSEARCH_VERSION="2.9.0" ENV OPENSEARCH_VERSION $OPENSEARCH_VERSION -ARG OPENSEARCH_DASHBOARDS_VERSION="2.8.0" +ARG OPENSEARCH_DASHBOARDS_VERSION="2.9.0" ENV OPENSEARCH_DASHBOARDS_VERSION $OPENSEARCH_DASHBOARDS_VERSION # base system dependencies for checking out and building plugins @@ -71,7 +71,7 @@ RUN eval "$(nodenv init -)" && \ # runtime ################################################################## -FROM opensearchproject/opensearch-dashboards:2.8.0 +FROM opensearchproject/opensearch-dashboards:2.9.0 LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' @@ -93,7 +93,7 @@ ENV PUSER_PRIV_DROP true ENV TERM xterm ENV TINI_VERSION v0.19.0 -ENV OSD_TRANSFORM_VIS_VERSION 2.8.0 +ENV OSD_TRANSFORM_VIS_VERSION 2.9.0 ARG OPENSEARCH_URL="http://opensearch:9200" ARG OPENSEARCH_LOCAL="true" 
@@ -127,10 +127,10 @@ RUN yum upgrade -y && \ cd /usr/share/opensearch-dashboards/plugins && \ /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install file:///tmp/kbnSankeyVis.zip --allow-root && \ cd /tmp && \ - # unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \ - # sed -i "s/2\.7\.0/2\.8\.0/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \ - # sed -i "s/2\.7\.0/2\.8\.0/g" opensearch-dashboards/transformVis/package.json && \ - # zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \ + unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \ + sed -i "s/2\.8\.0/2\.9\.0/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \ + sed -i "s/2\.8\.0/2\.9\.0/g" opensearch-dashboards/transformVis/package.json && \ + zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \ cd /usr/share/opensearch-dashboards/plugins && \ /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install file:///tmp/transformVis.zip --allow-root && \ rm -rf /tmp/transformVis /tmp/opensearch-dashboards && \ diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index afd7a15d7..38f513f3d 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile 
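Review bot: The two re-enabled `sed` lines hard-code both version strings (`2\.8\.0` to `2\.9\.0`) even though this stage already defines `OSD_TRANSFORM_VIS_VERSION`, so every bump has to edit the literals by hand. `sed -i` exits 0 when nothing matches, so a stale literal leaves the plugin manifest untouched and the mismatch only surfaces later, at plugin install or at runtime. Because this step deliberately rewrites the plugin's declared compatibility, I would take the "from" side from `$OSD_TRANSFORM_VIS_VERSION` and fail the build when the rewrite did not take, e.g. by following the `sed` lines with `grep -q '2\.9\.0' opensearch-dashboards/transformVis/opensearch_dashboards.json && \`. The RUN instruction starts and ends outside this hunk, so where transformVis.zip comes from and whether it is checksum-verified cannot be seen here.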
@@ -91,10 +91,10 @@ ENV EXTRACTED_FILE_HTTP_SERVER_ENCRYPT $EXTRACTED_FILE_HTTP_SERVER_ENCRYPT ENV EXTRACTED_FILE_HTTP_SERVER_KEY $EXTRACTED_FILE_HTTP_SERVER_KEY ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT -ENV SUPERCRONIC_VERSION "0.2.25" +ENV SUPERCRONIC_VERSION "0.2.26" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "642f4f5a2b67f3400b5ea71ff24f18c0a7d77d49" +ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735" ENV SUPERCRONIC_CRONTAB "/etc/crontab" COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/ diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index b52dc85af..e44b466dd 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -59,10 +59,10 @@ ARG FILEBEAT_TCP_PARSE_TARGET_FIELD="" ARG FILEBEAT_TCP_PARSE_DROP_FIELD="" ARG FILEBEAT_TCP_TAG="_malcolm_beats" -ENV SUPERCRONIC_VERSION "0.2.25" +ENV SUPERCRONIC_VERSION "0.2.26" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "642f4f5a2b67f3400b5ea71ff24f18c0a7d77d49" +ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV TINI_VERSION v0.19.0 diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index f7485d881..c759469a1 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile 
@@ -22,10 +22,10 @@ ENV PUSER "boxer" ENV PGROUP "boxer" ENV PUSER_PRIV_DROP true -ENV SUPERCRONIC_VERSION "0.2.25" +ENV SUPERCRONIC_VERSION "0.2.26" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "642f4f5a2b67f3400b5ea71ff24f18c0a7d77d49" +ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV NETBOX_DEVICETYPE_LIBRARY_URL "https://codeload.github.com/netbox-community/devicetype-library/tar.gz/master" diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile index 97d61bc68..533bf4235 100644 --- a/Dockerfiles/opensearch.Dockerfile +++ b/Dockerfiles/opensearch.Dockerfile @@ -1,4 +1,4 @@ -FROM opensearchproject/opensearch:2.8.0 +FROM opensearchproject/opensearch:2.9.0 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile index a45c56d1a..cd8f57a4c 100644 --- a/Dockerfiles/suricata.Dockerfile +++ b/Dockerfiles/suricata.Dockerfile @@ -28,10 +28,10 @@ ENV PGROUP "suricata" ENV PUSER_PRIV_DROP false ENV PUSER_RLIMIT_UNLOCK true -ENV SUPERCRONIC_VERSION "0.2.25" +ENV SUPERCRONIC_VERSION "0.2.26" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "642f4f5a2b67f3400b5ea71ff24f18c0a7d77d49" +ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV YQ_VERSION "4.33.3" diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index 15b38a130..f37ed4915 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile 
@@ -37,10 +37,10 @@ ARG ZEEK_VERSION=5.2.2-0 ENV ZEEK_LTS $ZEEK_LTS ENV ZEEK_VERSION $ZEEK_VERSION -ENV SUPERCRONIC_VERSION "0.2.25" +ENV SUPERCRONIC_VERSION "0.2.26" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "642f4f5a2b67f3400b5ea71ff24f18c0a7d77d49" +ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735" ENV SUPERCRONIC_CRONTAB "/etc/crontab" # for build From 1f5a9d32def6a992e9c1e06e95c75f57380723b8 Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 25 Jul 2023 12:35:35 -0600 Subject: [PATCH 04/74] for idaholab/Malcolm#228, add more vendors to NetBox manufacturers list --- netbox/manufacturers-default.json | 48 +++++++++++++++++++++++++++++++ netbox/scripts/netbox_init.py | 33 ++++++++++++++++++++- netbox/supervisord.conf | 1 + 3 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 netbox/manufacturers-default.json diff --git a/netbox/manufacturers-default.json b/netbox/manufacturers-default.json new file mode 100644 index 000000000..3b5c06c3d --- /dev/null +++ b/netbox/manufacturers-default.json @@ -0,0 +1,48 @@ +{ + "manufacturers": [ + { + "name": "ABB", + "description": "" + }, + { + "name": "Accenture", + "description": "" + }, + { + "name": "Emerson Electric", + "description": "" + }, + { + "name": "General Electric", + "description": "" + }, + { + "name": "Hitachi", + "description": "" + }, + { + "name": "Honeywell", + "description": "" + }, + { + "name": "Mitsubishi", + "description": "" + }, + { + "name": "Oracle", + "description": "" + }, + { + "name": "Schneider Electric", + "description": "" + }, + { + "name": "Yokogawa Electric", + "description": "" + }, + { + "name": "Unspecified", + "description": "" + } + ] +} diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py index 1f04b14b2..dd0098ca3 100755 --- a/netbox/scripts/netbox_init.py 
+++ b/netbox/scripts/netbox_init.py @@ -199,6 +199,14 @@ def main(): required=False, help="Manufacturers to create", ) + parser.add_argument( + '--manufacturers', + dest='manufacturersFileName', + type=str, + default=None, + required=False, + help="Filename of JSON file containing default manufacturers (see also -m/--manufacturer)", + ) parser.add_argument( '-r', '--device-role', @@ -383,10 +391,33 @@ def main(): except pynetbox.RequestError as nbe: logging.warning(f"{type(nbe).__name__} processing manufacturer \"{manufacturerName}\": {nbe}") + except Exception as e: + logging.error(f"{type(e).__name__} processing manufacturers: {e}") + + try: + # load manufacturers-default.json from file + manufacturersJson = None + if args.manufacturersFileName is not None and os.path.isfile(args.manufacturersFileName): + with open(args.manufacturersFileName) as f: + manufacturersJson = json.load(f) + if manufacturersJson is not None and "manufacturers" in manufacturersJson: + for manuf in [m for m in manufacturersJson["manufacturers"] if "name" in m]: + manufDef = { + "name": manuf["name"], + "slug": slugify(manuf["name"]), + } + if ("description" in manuf) and manuf["description"]: + manufDef["description"] = manuf["description"] + try: + nb.dcim.manufacturers.create(manufDef) + except pynetbox.RequestError as nbe: + logging.warning(f"{type(nbe).__name__} processing manufacturer \"{manuf["name"]}\": {nbe}") + manufacturers = {x.name: x for x in nb.dcim.manufacturers.all()} logging.debug(f"Manufacturers (after): { {k:v.id for k, v in manufacturers.items()} }") + except Exception as e: - logging.error(f"{type(e).__name__} processing manufacturers: {e}") + logging.error(f"{type(e).__name__} processing manufacturers JSON \"{args.manufacturersFileName}\": {e}") # ###### DEVICE ROLES ########################################################################################## try: diff --git a/netbox/supervisord.conf b/netbox/supervisord.conf index d7e1b8e47..d95c87a6e 100644 
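Review bot: In the new manufacturers-JSON loop, the warning reuses double quotes inside a double-quoted f-string (`\"{manuf["name"]}\"`), which is a SyntaxError on Python older than 3.12. That is a parse-time error, so the whole script would fail to start rather than just this branch. The interpreter version in the NetBox image is not visible on this page, so either confirm it or write the line as `logging.warning(f"{type(nbe).__name__} processing manufacturer \"{manuf['name']}\": {nbe}")`. Separately, `manufacturers = {x.name: x for x in nb.dcim.manufacturers.all()}` now sits inside the second `try`, so an unreadable or malformed JSON file skips the refresh; any later use of `manufacturers` (outside this hunk) would then see stale or missing data. `main()` starts and ends outside the hunk.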
--- a/netbox/supervisord.conf +++ b/netbox/supervisord.conf @@ -41,6 +41,7 @@ command=/opt/netbox/venv/bin/python /usr/local/bin/netbox_init.py --library "%(ENV_NETBOX_DEVICETYPE_LIBRARY_PATH)s" --service-templates /etc/service-template-defaults.json --device-roles /etc/device-roles-defaults.json + --manufacturers /etc/manufacturers-default.json autostart=true autorestart=false startsecs=0 From 997b4f94aa555121fe93135158e9990f5eb805d6 Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 25 Jul 2023 13:10:10 -0600 Subject: [PATCH 05/74] fix dashboards build --- Dockerfiles/dashboards.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile index 5512cf253..48827add1 100644 --- a/Dockerfiles/dashboards.Dockerfile +++ b/Dockerfiles/dashboards.Dockerfile @@ -93,7 +93,7 @@ ENV PUSER_PRIV_DROP true ENV TERM xterm ENV TINI_VERSION v0.19.0 -ENV OSD_TRANSFORM_VIS_VERSION 2.9.0 +ENV OSD_TRANSFORM_VIS_VERSION 2.8.0 ARG OPENSEARCH_URL="http://opensearch:9200" ARG OPENSEARCH_LOCAL="true" From 4736f443a5428fb09cf4bbe52a3d03f6068882d1 Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 25 Jul 2023 15:56:01 -0600 Subject: [PATCH 06/74] fixes for bookworm --- Dockerfiles/api.Dockerfile | 4 ++-- Dockerfiles/arkime.Dockerfile | 11 +++++------ Dockerfiles/file-monitor.Dockerfile | 12 ++++++------ Dockerfiles/file-upload.Dockerfile | 2 +- Dockerfiles/filebeat.Dockerfile | 4 ++-- Dockerfiles/freq.Dockerfile | 2 +- Dockerfiles/htadmin.Dockerfile | 2 +- Dockerfiles/netbox.Dockerfile | 2 +- Dockerfiles/pcap-monitor.Dockerfile | 3 +-- Dockerfiles/suricata.Dockerfile | 14 ++++++-------- Dockerfiles/zeek.Dockerfile | 2 +- .../hooks/normal/0910-sensor-build.hook.chroot | 2 +- shared/bin/manuf-oui-parse.py | 2 +- 13 files changed, 29 insertions(+), 33 deletions(-) diff --git a/Dockerfiles/api.Dockerfile b/Dockerfiles/api.Dockerfile index c00b0da2a..edf8f67f7 100644 --- a/Dockerfiles/api.Dockerfile 
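Review bot: The added `--manufacturers /etc/manufacturers-default.json` argument points at a path that nothing in this commit creates. The diffstat lists only the JSON file, netbox_init.py and supervisord.conf, with no Dockerfile or compose change that copies or mounts `netbox/manufacturers-default.json` into `/etc`. The loader in netbox_init.py guards with `os.path.isfile(...)` and logs nothing when the file is absent, so a missing file would silently skip the new defaults. If the file is placed there by something outside this commit, ignore this; otherwise add the copy or mount, and consider a `logging.warning` in the loader when the configured file does not exist.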
+++ b/Dockerfiles/api.Dockerfile @@ -8,8 +8,8 @@ ENV PYTHONUNBUFFERED 1 RUN apt-get update -q \ && apt-get -y -q upgrade \ && apt-get install -y gcc \ - && python3 -m pip install --upgrade pip \ - && python3 -m pip install flake8 + && python3 -m pip install --break-system-packages --no-cache-dir --upgrade pip \ + && python3 -m pip install --break-system-packages --no-cache-dir flake8 COPY ./api /usr/src/app/ COPY scripts/malcolm_utils.py /usr/src/app/ diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile index be80789c2..4883e378d 100644 --- a/Dockerfiles/arkime.Dockerfile +++ b/Dockerfiles/arkime.Dockerfile @@ -49,7 +49,7 @@ RUN apt-get -q update && \ swig \ wget \ zlib1g-dev && \ - pip3 install --no-cache-dir beautifulsoup4 && \ + python3 -m pip install --break-system-packages --no-cache-dir beautifulsoup4 && \ cd /opt && \ git clone --recurse-submodules --branch="$ARKIME_VERSION" "$ARKIME_URL" "./arkime-"$ARKIME_VERSION && \ cd "./arkime-"$ARKIME_VERSION && \ @@ -133,7 +133,7 @@ ENV PCAP_MONITOR_HOST $PCAP_MONITOR_HOST COPY --from=build $ARKIME_DIR $ARKIME_DIR -RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.list && \ +RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sources && \ apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get install -q -y --no-install-recommends \ @@ -148,14 +148,13 @@ RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.l libkrb5-3 \ libmaxminddb0 \ libpcap0.8 \ - libssl1.0 \ + libssl3 \ libtool \ libwww-perl \ libyaml-0-2 \ libzmq5 \ procps \ psmisc \ - python \ python3 \ python3-pip \ python3-setuptools \ 
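Review bot: The added `--break-system-packages` switches off pip's externally-managed-environment guard, here and in the other pip hunks of this commit (arkime, file-monitor, filebeat, freq, netbox, pcap-monitor, suricata, zeek). With the guard off, pip can overwrite Python modules that apt installed in the same image; the file-monitor hunk, for one, shows `python3-requests` and `python3-zmq` in the apt list right before its pip line. None of the pip-installed packages is version-pinned either, so each rebuild pulls whatever is current on the index. I would install into a virtual environment instead, e.g. `python3 -m venv /opt/venv && /opt/venv/bin/pip install --no-cache-dir flake8`, and pin versions, ideally through a requirements file with `--require-hashes`. The netbox line already runs `/opt/netbox/venv/bin/python -m pip`, where the override should not be needed at all.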
@@ -168,11 +167,11 @@ RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.l wget \ tini \ tar gzip unzip cpio bzip2 lzma xz-utils p7zip-full unrar zlib1g && \ - pip3 install --no-cache-dir beautifulsoup4 pyzmq watchdog && \ + python3 -m pip install --break-system-packages --no-cache-dir beautifulsoup4 pyzmq watchdog && \ ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \ ln -sfr $ARKIME_DIR/bin/node /usr/local/bin/node && \ ln -sfr $ARKIME_DIR/bin/npx /usr/local/bin/npx && \ - apt-get -q -y --purge remove gcc gcc-10 cpp cpp-10 libssl-dev && \ + apt-get -q -y --purge remove gcc gcc-12 cpp cpp-12 libssl-dev && \ apt-get -q -y autoremove && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index 38f513f3d..c596525a1 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile @@ -99,7 +99,7 @@ ENV SUPERCRONIC_CRONTAB "/etc/crontab" COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/ -RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.list && \ +RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sources && \ apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get install --no-install-recommends -y -q \ @@ -112,13 +112,13 @@ RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.l gcc \ git \ jq \ - libclamunrar9 \ + libclamunrar11 \ libjansson-dev \ libjansson4 \ libmagic-dev \ libmagic1 \ libssl-dev \ - libssl1.1 \ + libssl3 \ libtool \ make \ pkg-config \ 
@@ -135,7 +135,7 @@ RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.l python3-requests \ python3-zmq \ rsync && \ - pip3 install clamd supervisor yara-python python-magic psutil pycryptodome watchdog && \ + python3 -m pip install --break-system-packages --no-cache-dir clamd supervisor yara-python python-magic psutil pycryptodome watchdog && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ @@ -167,9 +167,9 @@ RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.l automake \ build-essential \ gcc \ - gcc-8 \ + gcc-12 \ libc6-dev \ - libgcc-8-dev \ + libgcc-12-dev \ libjansson-dev \ libmagic-dev \ libssl-dev \ diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile index 191630303..974dc0806 100644 --- a/Dockerfiles/file-upload.Dockerfile +++ b/Dockerfiles/file-upload.Dockerfile @@ -46,7 +46,7 @@ ENV PUSER_PRIV_DROP false ENV DEBIAN_FRONTEND noninteractive ENV TERM xterm -ARG PHP_VERSION=7.4 +ARG PHP_VERSION=8.2 ENV PHP_VERSION $PHP_VERSION ARG SITE_NAME="Capture File and Log Archive Upload" diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index e44b466dd..b6513e860 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/beats/filebeat-oss:8.8.2 +FROM docker.elastic.co/beats/filebeat-oss:8.9.0 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" 
@@ -93,7 +93,7 @@ RUN apt-get -q update && \ unar \ unzip \ xz-utils && \ - python3 -m pip install patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \ + python3 -m pip --break-system-packages --no-cache-dir install patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ diff --git a/Dockerfiles/freq.Dockerfile b/Dockerfiles/freq.Dockerfile index 07b7d50e5..2034e3203 100644 --- a/Dockerfiles/freq.Dockerfile +++ b/Dockerfiles/freq.Dockerfile @@ -40,7 +40,7 @@ RUN apt-get -q update && \ python3-pip \ rsync \ tini && \ - pip3 install supervisor six && \ + pip3 install --break-system-packages supervisor six && \ cd /opt && \ mkdir -p ./freq_server && \ curl -sSL "$FREQ_URL" | tar xzvf - -C ./freq_server --strip-components 1 && \ diff --git a/Dockerfiles/htadmin.Dockerfile b/Dockerfiles/htadmin.Dockerfile index 6fda61fe3..35c3728e9 100644 --- a/Dockerfiles/htadmin.Dockerfile +++ b/Dockerfiles/htadmin.Dockerfile @@ -1,4 +1,4 @@ -FROM debian:12-slim +FROM debian:11-slim # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index c759469a1..424654f63 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile @@ -48,7 +48,7 @@ RUN apt-get -q update && \ rsync \ supervisor \ tini && \ - /opt/netbox/venv/bin/python -m pip install psycopg2 pynetbox python-slugify randomcolor && \ + /opt/netbox/venv/bin/python -m pip install --break-system-packages --no-cache-dir psycopg2 pynetbox python-slugify randomcolor && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile index eaf7ad1d9..f5e1fc84e 100644 
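Review bot: In the filebeat pip line the options sit before the subcommand (`python3 -m pip --break-system-packages --no-cache-dir install patool ...`), unlike every other pip hunk in this commit. As far as I know `--break-system-packages` belongs to `pip install` and is not a global pip option, so this ordering is likely rejected with "no such option". `python3 -m pip install --break-system-packages --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \` would match the rest. The flag also exists only in recent pip releases, and the pip version shipped in the filebeat-oss base image is not visible here, so check that the build gets past this line. The RUN instruction continues outside the hunk.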
--- a/Dockerfiles/pcap-monitor.Dockerfile +++ b/Dockerfiles/pcap-monitor.Dockerfile @@ -52,7 +52,6 @@ RUN apt-get -q update && \ libzmq5 \ procps \ psmisc \ - python \ python3-pip \ python3-setuptools \ python3-wheel \ @@ -62,7 +61,7 @@ RUN apt-get -q update && \ vim-tiny && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* && \ - pip3 install --no-cache-dir opensearch-py pyzmq python-magic requests watchdog && \ + python3 -m pip install --break-system-packages --no-cache-dir opensearch-py pyzmq python-magic requests watchdog && \ groupadd --gid ${DEFAULT_GID} ${PGROUP} && \ useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER} diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile index cd8f57a4c..9d8b1e249 100644 --- a/Dockerfiles/suricata.Dockerfile +++ b/Dockerfiles/suricata.Dockerfile @@ -49,14 +49,9 @@ ENV SURICATA_UPDATE_DIR "$SURICATA_MANAGED_DIR/update" ENV SURICATA_UPDATE_SOURCES_DIR "$SURICATA_UPDATE_DIR/sources" ENV SURICATA_UPDATE_CACHE_DIR "$SURICATA_UPDATE_DIR/cache" -RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.list && \ - echo "deb http://deb.debian.org/debian bookworm-backports main" >> /etc/apt/sources.list && \ +RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sources && \ apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ - apt-get install -q -y -t bookworm-backports --no-install-recommends \ - libhtp2 \ - suricata \ - suricata-update && \ apt-get install -q -y --no-install-recommends \ bc \ curl \ @@ -73,6 +68,7 @@ RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.l libgeoip1 \ libhiredis0.14 \ libhtp2 \ + libhtp2 \ libhyperscan5 \ libjansson4 \ liblua5.1-0 \ 
@@ -98,10 +94,12 @@ RUN sed -i "s/bookworm main/bookworm main contrib non-free/g" /etc/apt/sources.l python3-zmq \ rsync \ supervisor \ - vim-tiny \ + suricata \ + suricata-update \ tini \ + vim-tiny \ zlib1g && \ - pip3 install --no-cache-dir watchdog && \ + python3 -m pip install --break-system-packages --no-cache-dir watchdog && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index f37ed4915..137589e86 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile @@ -109,7 +109,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ tini \ vim-tiny \ zlib1g-dev && \ - pip3 install --no-cache-dir pymisp stix2 taxii2-client dateparser && \ + python3 -m pip install --break-system-packages --no-cache-dir pymisp stix2 taxii2-client dateparser && \ mkdir -p /tmp/zeek-packages && \ cd /tmp/zeek-packages && \ if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS && \ diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index aadf77802..db81af5ee 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot @@ -20,7 +20,7 @@ export PATH="${ZEEK_DIR}"/bin:$PATH SURICATA_RULES_DIR="/etc/suricata/rules" -BEATS_VER="8.8.2" +BEATS_VER="8.9.0" BEATS_OSS="-oss" BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX" BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb" diff --git a/shared/bin/manuf-oui-parse.py b/shared/bin/manuf-oui-parse.py index 7cc0be2f4..e37d65ed0 100755 --- a/shared/bin/manuf-oui-parse.py +++ b/shared/bin/manuf-oui-parse.py 
@@ -17,7 +17,7 @@ except ImportError: import yaml -DEFAULT_MANUF_URL = "https://gitlab.com/wireshark/wireshark/raw/master/manuf" +DEFAULT_MANUF_URL = "https://gitlab.com/wireshark/wireshark/raw/release-4.0/manuf" padded_mac_low = '00:00:00:00:00:00' padded_mac_high = 'FF:FF:FF:FF:FF:FF' mac_pattern = re.compile(r"[-:\.]") From 8b1a7228b7d63b0f9b2a3ebda70fd1c7641d7a09 Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 25 Jul 2023 16:25:05 -0600 Subject: [PATCH 07/74] work in progress for ISOs for bookworm, broken at the moment --- malcolm-iso/build.sh | 12 +++--------- malcolm-iso/config/archives/docker.list.binary | 2 +- malcolm-iso/config/archives/docker.list.chroot | 2 +- malcolm-iso/config/archives/fasttrack.list.binary | 2 -- malcolm-iso/config/archives/fasttrack.list.chroot | 2 -- malcolm-iso/config/archives/fluentbit.list.binary | 2 +- malcolm-iso/config/archives/fluentbit.list.chroot | 2 +- .../config/includes.binary/install/preseed_base.cfg | 7 +++---- malcolm-iso/config/package-lists/system.list.chroot | 1 - malcolm-iso/vagrant/Vagrantfile | 7 ++----- sensor-iso/arkime/Dockerfile | 4 ++-- sensor-iso/build.sh | 12 +++--------- sensor-iso/config/archives/fasttrack.list.binary | 2 -- sensor-iso/config/archives/fasttrack.list.chroot | 2 -- sensor-iso/config/archives/fluentbit.list.binary | 2 +- sensor-iso/config/archives/fluentbit.list.chroot | 2 +- .../hooks/normal/0910-sensor-build.hook.chroot | 2 +- .../config/includes.binary/install/preseed_base.cfg | 7 +++---- sensor-iso/config/package-lists/system.list.chroot | 1 - sensor-iso/vagrant/Vagrantfile | 7 ++----- 20 files changed, 25 insertions(+), 55 deletions(-) delete mode 100644 malcolm-iso/config/archives/fasttrack.list.binary delete mode 100644 malcolm-iso/config/archives/fasttrack.list.chroot delete mode 100644 sensor-iso/config/archives/fasttrack.list.binary delete mode 100644 sensor-iso/config/archives/fasttrack.list.chroot 
diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh index b16f38132..d829923e5 100755 --- a/malcolm-iso/build.sh +++ b/malcolm-iso/build.sh @@ -3,7 +3,7 @@ IMAGE_NAME=malcolm IMAGE_PUBLISHER=idaholab IMAGE_VERSION=1.0.0 -IMAGE_DISTRIBUTION=bullseye +IMAGE_DISTRIBUTION=bookworm BUILD_ERROR_CODE=1 @@ -70,12 +70,6 @@ if [ -d "$WORKDIR" ]; then chown -R root:root * - # if fasttrack.debian.net is down, use mirror.linux.pizza instead - FASTTRACK_MIRROR=$(( curl -fsSL -o /dev/null "https://fasttrack.debian.net/debian-fasttrack/" 2>/dev/null && echo "fasttrack.debian.net" ) || ( curl -fsSL -o /dev/null "https://mirror.linux.pizza/debian-fasttrack/" 2>/dev/null && echo "mirror.linux.pizza" )) - if [[ -n "$FASTTRACK_MIRROR" ]] && [[ "$FASTTRACK_MIRROR" != "fasttrack.debian.net" ]]; then - sed -i "s/fasttrack.debian.net/$FASTTRACK_MIRROR/g" ./config/archives/fasttrack.list.* - fi - # configure installation options YML_IMAGE_VERSION="$(grep -P "^\s+image:\s*malcolm" "$SCRIPT_PATH"/../docker-compose-standalone.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" [[ -n $YML_IMAGE_VERSION ]] && IMAGE_VERSION="$YML_IMAGE_VERSION" @@ -210,7 +204,7 @@ if [ -d "$WORKDIR" ]; then --apt-source-archives false \ --architectures amd64 \ --archive-areas 'main contrib non-free' \ - --backports true \ + --backports false \ --binary-images iso-hybrid \ --bootappend-install "auto=true locales=en_US.UTF-8 keyboard-layouts=us" \ --bootappend-live "boot=live components username=analyst nosplash random.trust_cpu=on elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem systemd.unified_cgroup_hierarchy=1" \ 
@@ -218,7 +212,7 @@ if [ -d "$WORKDIR" ]; then --debian-installer live \ --debian-installer-distribution $IMAGE_DISTRIBUTION \ --debian-installer-gui false \ - --debootstrap-options "--include=apt-transport-https,bc,ca-certificates,gnupg,debian-archive-keyring,fasttrack-archive-keyring,jq,openssl --no-merged-usr" \ + --debootstrap-options "--include=apt-transport-https,bc,ca-certificates,gnupg,debian-archive-keyring,jq,openssl --no-merged-usr" \ --distribution $IMAGE_DISTRIBUTION \ --image-name "$IMAGE_NAME" \ --iso-application "$IMAGE_NAME" \ diff --git a/malcolm-iso/config/archives/docker.list.binary b/malcolm-iso/config/archives/docker.list.binary index dfe8f16e8..f36f764bc 100644 --- a/malcolm-iso/config/archives/docker.list.binary +++ b/malcolm-iso/config/archives/docker.list.binary @@ -1,2 +1,2 @@ -deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable +deb [arch=amd64] https://download.docker.com/linux/debian bookworm stable diff --git a/malcolm-iso/config/archives/docker.list.chroot b/malcolm-iso/config/archives/docker.list.chroot index dfe8f16e8..f36f764bc 100644 --- a/malcolm-iso/config/archives/docker.list.chroot +++ b/malcolm-iso/config/archives/docker.list.chroot @@ -1,2 +1,2 @@ -deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable +deb [arch=amd64] https://download.docker.com/linux/debian bookworm stable diff --git a/malcolm-iso/config/archives/fasttrack.list.binary b/malcolm-iso/config/archives/fasttrack.list.binary deleted file mode 100644 index f2126f979..000000000 --- a/malcolm-iso/config/archives/fasttrack.list.binary +++ /dev/null @@ -1,2 +0,0 @@ -deb https://fasttrack.debian.net/debian-fasttrack/ bullseye-fasttrack main contrib non-free -deb https://fasttrack.debian.net/debian-fasttrack/ bullseye-backports-staging main contrib non-free diff --git a/malcolm-iso/config/archives/fasttrack.list.chroot b/malcolm-iso/config/archives/fasttrack.list.chroot deleted file mode 100644 index f2126f979..000000000 
--- a/malcolm-iso/config/archives/fasttrack.list.chroot +++ /dev/null @@ -1,2 +0,0 @@ -deb https://fasttrack.debian.net/debian-fasttrack/ bullseye-fasttrack main contrib non-free -deb https://fasttrack.debian.net/debian-fasttrack/ bullseye-backports-staging main contrib non-free diff --git a/malcolm-iso/config/archives/fluentbit.list.binary b/malcolm-iso/config/archives/fluentbit.list.binary index 2eeb67a7c..7bbcff079 100644 --- a/malcolm-iso/config/archives/fluentbit.list.binary +++ b/malcolm-iso/config/archives/fluentbit.list.binary @@ -1 +1 @@ -deb https://packages.fluentbit.io/debian/bullseye bullseye main \ No newline at end of file +deb https://packages.fluentbit.io/debian/bookworm bookworm main \ No newline at end of file diff --git a/malcolm-iso/config/archives/fluentbit.list.chroot b/malcolm-iso/config/archives/fluentbit.list.chroot index 2eeb67a7c..7bbcff079 100644 --- a/malcolm-iso/config/archives/fluentbit.list.chroot +++ b/malcolm-iso/config/archives/fluentbit.list.chroot @@ -1 +1 @@ -deb https://packages.fluentbit.io/debian/bullseye bullseye main \ No newline at end of file +deb https://packages.fluentbit.io/debian/bookworm bookworm main \ No newline at end of file diff --git a/malcolm-iso/config/includes.binary/install/preseed_base.cfg b/malcolm-iso/config/includes.binary/install/preseed_base.cfg index ba6dd9e87..bd5c1acf1 100644 --- a/malcolm-iso/config/includes.binary/install/preseed_base.cfg +++ b/malcolm-iso/config/includes.binary/install/preseed_base.cfg 
@@ -32,10 +32,9 @@ d-i apt-setup/use_mirror boolean false d-i finish-install/reboot_in_progress note d-i preseed/late_command string \ - echo 'deb http://deb.debian.org/debian bullseye main contrib non-free' > /target/etc/apt/sources.list; \ - echo 'deb http://security.debian.org/debian-security bullseye-security main contrib non-free' >> /target/etc/apt/sources.list; \ - echo 'deb http://deb.debian.org/debian bullseye-updates main contrib non-free' >> /target/etc/apt/sources.list; \ - echo 'deb http://deb.debian.org/debian bullseye-backports main contrib non-free' >> /target/etc/apt/sources.list; \ + echo 'deb http://deb.debian.org/debian bookworm main contrib non-free' > /target/etc/apt/sources.list; \ + echo 'deb http://security.debian.org/debian-security bookworm-security main contrib non-free' >> /target/etc/apt/sources.list; \ + echo 'deb http://deb.debian.org/debian bookworm-updates main contrib non-free' >> /target/etc/apt/sources.list; \ in-target bash /usr/local/bin/agg-init.sh; \ in-target bash -c "(virt-what | grep -q vmware) || apt-get purge -y open-vm-tools-desktop"; \ in-target bash -c "(virt-what | grep -q virtualbox) || apt-get purge -y virtualbox-guest*"; \ diff --git a/malcolm-iso/config/package-lists/system.list.chroot b/malcolm-iso/config/package-lists/system.list.chroot index 8ad560c97..860b6990c 100644 --- a/malcolm-iso/config/package-lists/system.list.chroot +++ b/malcolm-iso/config/package-lists/system.list.chroot @@ -35,7 +35,6 @@ dosfstools ebtables efibootmgr eject -fasttrack-archive-keyring fatresize file findutils diff --git a/malcolm-iso/vagrant/Vagrantfile b/malcolm-iso/vagrant/Vagrantfile index c1aef65f7..5a41ffa67 100644 --- a/malcolm-iso/vagrant/Vagrantfile +++ b/malcolm-iso/vagrant/Vagrantfile 
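Review bot: The three rewritten `sources.list` lines in `preseed/late_command` keep the bullseye component set `main contrib non-free`, but bookworm moved firmware and CPU microcode packages into a separate `non-free-firmware` component. An installed system with these sources would stop receiving updates for any such packages it carries, microcode fixes included. I would append the component to each line, e.g. `echo 'deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware' > /target/etc/apt/sources.list; \`. The sensor-iso preseed named in the diffstat presumably needs the same change, and `--archive-areas 'main contrib non-free'` in build.sh (unchanged context) is worth checking alongside it.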
@@ -14,7 +14,7 @@ end Vagrant.configure("2") do |config| config.vm.define "vagrant-malcolm-build" - config.vm.box = "bento/debian-11" + config.vm.box = "bento/debian-12" config.vm.network "private_network", type: "dhcp" config.ssh.config = "ssh_config" @@ -41,10 +41,7 @@ Vagrant.configure("2") do |config| export DEBIAN_FRONTEND=noninteractive sed -i "s/main/main contrib non-free/g" /etc/apt/sources.list apt-get -qqy update - echo "deb http://httpredir.debian.org/debian/ bullseye-backports main contrib non-free" >> /etc/apt/sources.list - echo "deb-src http://httpredir.debian.org/debian/ bullseye-backports main contrib non-free" >> /etc/apt/sources.list - apt-get -qqy update - apt-get -t bullseye-backports -y install \ + apt-get -y install \ apt-transport-https \ bc \ build-essential \ diff --git a/sensor-iso/arkime/Dockerfile b/sensor-iso/arkime/Dockerfile index 555a31757..c36a92c84 100644 --- a/sensor-iso/arkime/Dockerfile +++ b/sensor-iso/arkime/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:11-slim +FROM debian:12-slim # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. @@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND noninteractive ENV ARKIME_VERSION "4.3.2" ENV ARKIME_DIR "/opt/arkime" -RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.list && \ +RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sources && \ apt-get -q update && \ apt-get install -q -y --no-install-recommends \ build-essential \ diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index 3438477eb..851617da1 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -3,7 +3,7 @@ IMAGE_NAME=hedgehog IMAGE_PUBLISHER=idaholab IMAGE_VERSION=1.0.0 -IMAGE_DISTRIBUTION=bullseye +IMAGE_DISTRIBUTION=bookworm BUILD_ERROR_CODE=1 
@@ -56,12 +56,6 @@ if [ -d "$WORKDIR" ]; then chown -R root:root * - # if fasttrack.debian.net is down, use mirror.linux.pizza instead - FASTTRACK_MIRROR=$(( curl -fsSL -o /dev/null "https://fasttrack.debian.net/debian-fasttrack/" 2>/dev/null && echo "fasttrack.debian.net" ) || ( curl -fsSL -o /dev/null "https://mirror.linux.pizza/debian-fasttrack/" 2>/dev/null && echo "mirror.linux.pizza" )) - if [[ -n "$FASTTRACK_MIRROR" ]] && [[ "$FASTTRACK_MIRROR" != "fasttrack.debian.net" ]]; then - sed -i "s/fasttrack.debian.net/$FASTTRACK_MIRROR/g" ./config/archives/fasttrack.list.* - fi - if [[ -f "$SCRIPT_PATH/shared/version.txt" ]]; then SHARED_IMAGE_VERSION="$(cat "$SCRIPT_PATH/shared/version.txt" | head -n 1)" [[ -n $SHARED_IMAGE_VERSION ]] && IMAGE_VERSION="$SHARED_IMAGE_VERSION" @@ -188,7 +182,7 @@ if [ -d "$WORKDIR" ]; then --apt-source-archives false \ --architectures amd64 \ --archive-areas 'main contrib non-free' \ - --backports true \ + --backports false \ --binary-images iso-hybrid \ --bootappend-install "auto=true locales=en_US.UTF-8 keyboard-layouts=us" \ --bootappend-live "boot=live components username=sensor nosplash random.trust_cpu=on elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem systemd.unified_cgroup_hierarchy=1" \ @@ -196,7 +190,7 @@ if [ -d "$WORKDIR" ]; then --debian-installer live \ --debian-installer-distribution $IMAGE_DISTRIBUTION \ --debian-installer-gui false \ - --debootstrap-options "--include=apt-transport-https,bc,ca-certificates,gnupg,debian-archive-keyring,fasttrack-archive-keyring,jq,openssl --no-merged-usr" \ + --debootstrap-options "--include=apt-transport-https,bc,ca-certificates,gnupg,debian-archive-keyring,jq,openssl --no-merged-usr" \ --distribution $IMAGE_DISTRIBUTION \ --image-name "$IMAGE_NAME" \ --iso-application "$IMAGE_NAME" \ diff --git a/sensor-iso/config/archives/fasttrack.list.binary b/sensor-iso/config/archives/fasttrack.list.binary deleted file mode 100644 index f2126f979..000000000 
--- a/sensor-iso/config/archives/fasttrack.list.binary
+++ /dev/null
@@ -1,2 +0,0 @@
-deb https://fasttrack.debian.net/debian-fasttrack/ bullseye-fasttrack main contrib non-free
-deb https://fasttrack.debian.net/debian-fasttrack/ bullseye-backports-staging main contrib non-free
diff --git a/sensor-iso/config/archives/fasttrack.list.chroot b/sensor-iso/config/archives/fasttrack.list.chroot
deleted file mode 100644
index f2126f979..000000000
--- a/sensor-iso/config/archives/fasttrack.list.chroot
+++ /dev/null
@@ -1,2 +0,0 @@
-deb https://fasttrack.debian.net/debian-fasttrack/ bullseye-fasttrack main contrib non-free
-deb https://fasttrack.debian.net/debian-fasttrack/ bullseye-backports-staging main contrib non-free
diff --git a/sensor-iso/config/archives/fluentbit.list.binary b/sensor-iso/config/archives/fluentbit.list.binary
index 2eeb67a7c..7bbcff079 100644
--- a/sensor-iso/config/archives/fluentbit.list.binary
+++ b/sensor-iso/config/archives/fluentbit.list.binary
@@ -1 +1 @@
-deb https://packages.fluentbit.io/debian/bullseye bullseye main
\ No newline at end of file
+deb https://packages.fluentbit.io/debian/bookworm bookworm main
\ No newline at end of file
diff --git a/sensor-iso/config/archives/fluentbit.list.chroot b/sensor-iso/config/archives/fluentbit.list.chroot
index 2eeb67a7c..7bbcff079 100644
--- a/sensor-iso/config/archives/fluentbit.list.chroot
+++ b/sensor-iso/config/archives/fluentbit.list.chroot
@@ -1 +1 @@
-deb https://packages.fluentbit.io/debian/bullseye bullseye main
\ No newline at end of file
+deb https://packages.fluentbit.io/debian/bookworm bookworm main
\ No newline at end of file
diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
index db81af5ee..e09489035 100755
--- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
@@ -199,7 +199,7 @@ EOF ### # suricata -apt-get install -t bullseye-backports --no-install-recommends -y -q suricata suricata-update +apt-get install --no-install-recommends -y -q suricata suricata-update /usr/bin/suricata-update -v -D /var/lib/suricata --etopen diff --git a/sensor-iso/config/includes.binary/install/preseed_base.cfg b/sensor-iso/config/includes.binary/install/preseed_base.cfg index 4ecdc391c..8e2507844 100644 --- a/sensor-iso/config/includes.binary/install/preseed_base.cfg +++ b/sensor-iso/config/includes.binary/install/preseed_base.cfg @@ -43,10 +43,9 @@ d-i apt-setup/use_mirror boolean false d-i finish-install/reboot_in_progress note d-i preseed/late_command string \ - echo 'deb http://deb.debian.org/debian bullseye main contrib non-free' > /target/etc/apt/sources.list; \ - echo 'deb http://security.debian.org/debian-security bullseye-security main contrib non-free' >> /target/etc/apt/sources.list; \ - echo 'deb http://deb.debian.org/debian bullseye-updates main contrib non-free' >> /target/etc/apt/sources.list; \ - echo 'deb http://deb.debian.org/debian bullseye-backports main contrib non-free' >> /target/etc/apt/sources.list; \ + echo 'deb http://deb.debian.org/debian bookworm main contrib non-free' > /target/etc/apt/sources.list; \ + echo 'deb http://security.debian.org/debian-security bookworm-security main contrib non-free' >> /target/etc/apt/sources.list; \ + echo 'deb http://deb.debian.org/debian bookworm-updates main contrib non-free' >> /target/etc/apt/sources.list; \ in-target touch /etc/capture_storage_format; \ in-target bash /usr/local/bin/sensor-init.sh; \ in-target bash -c "(virt-what | grep -q vmware) || apt-get purge -y open-vm-tools-desktop"; \ diff --git a/sensor-iso/config/package-lists/system.list.chroot b/sensor-iso/config/package-lists/system.list.chroot index 2fe6b6fb4..3ca52abe6 100644 --- a/sensor-iso/config/package-lists/system.list.chroot +++ b/sensor-iso/config/package-lists/system.list.chroot 
@@ -34,7 +34,6 @@ dosfstools ebtables efibootmgr eject -fasttrack-archive-keyring fatresize file findutils diff --git a/sensor-iso/vagrant/Vagrantfile b/sensor-iso/vagrant/Vagrantfile index ed2974bbd..cf8819929 100644 --- a/sensor-iso/vagrant/Vagrantfile +++ b/sensor-iso/vagrant/Vagrantfile @@ -14,7 +14,7 @@ end Vagrant.configure("2") do |config| config.vm.define "vagrant-hedgehog-build" - config.vm.box = "bento/debian-11" + config.vm.box = "bento/debian-12" config.vm.network "private_network", type: "dhcp" config.ssh.config = "ssh_config" @@ -41,10 +41,7 @@ Vagrant.configure("2") do |config| export DEBIAN_FRONTEND=noninteractive sed -i "s/main/main contrib non-free/g" /etc/apt/sources.list apt-get -qqy update - echo "deb http://httpredir.debian.org/debian/ bullseye-backports main contrib non-free" >> /etc/apt/sources.list - echo "deb-src http://httpredir.debian.org/debian/ bullseye-backports main contrib non-free" >> /etc/apt/sources.list - apt-get -qqy update - apt-get -t bullseye-backports -y install \ + apt-get -y install \ apt-transport-https \ bc \ build-essential \ From 671a5d500bed47e116f178da0469c73dfd65272b Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 25 Jul 2023 16:30:28 -0600 Subject: [PATCH 08/74] work in progress for ISOs for bookworm, broken at the moment --- malcolm-iso/build.sh | 4 ++-- malcolm-iso/config/includes.binary/install/preseed_base.cfg | 2 +- malcolm-iso/vagrant/Vagrantfile | 2 +- sensor-iso/build.sh | 4 ++-- sensor-iso/config/includes.binary/install/preseed_base.cfg | 2 +- sensor-iso/vagrant/Vagrantfile | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh index d829923e5..5d003f956 100755 --- a/malcolm-iso/build.sh +++ b/malcolm-iso/build.sh 
@@ -203,7 +203,7 @@ if [ -d "$WORKDIR" ]; then --apt-secure true \ --apt-source-archives false \ --architectures amd64 \ - --archive-areas 'main contrib non-free' \ + --archive-areas 'main contrib non-free non-free-firmware' \ --backports false \ --binary-images iso-hybrid \ --bootappend-install "auto=true locales=en_US.UTF-8 keyboard-layouts=us" \ @@ -221,7 +221,7 @@ if [ -d "$WORKDIR" ]; then --linux-flavours "amd64:amd64" \ --linux-packages "linux-image linux-headers" \ --memtest none \ - --parent-archive-areas 'main contrib non-free' \ + --parent-archive-areas 'main contrib non-free non-free-firmware' \ --parent-debian-installer-distribution $IMAGE_DISTRIBUTION \ --parent-distribution $IMAGE_DISTRIBUTION \ --security true \ diff --git a/malcolm-iso/config/includes.binary/install/preseed_base.cfg b/malcolm-iso/config/includes.binary/install/preseed_base.cfg index bd5c1acf1..1d18bfce4 100644 --- a/malcolm-iso/config/includes.binary/install/preseed_base.cfg +++ b/malcolm-iso/config/includes.binary/install/preseed_base.cfg @@ -32,7 +32,7 @@ d-i apt-setup/use_mirror boolean false d-i finish-install/reboot_in_progress note d-i preseed/late_command string \ - echo 'deb http://deb.debian.org/debian bookworm main contrib non-free' > /target/etc/apt/sources.list; \ + echo 'deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware' > /target/etc/apt/sources.list; \ echo 'deb http://security.debian.org/debian-security bookworm-security main contrib non-free' >> /target/etc/apt/sources.list; \ echo 'deb http://deb.debian.org/debian bookworm-updates main contrib non-free' >> /target/etc/apt/sources.list; \ in-target bash /usr/local/bin/agg-init.sh; \ diff --git a/malcolm-iso/vagrant/Vagrantfile b/malcolm-iso/vagrant/Vagrantfile index 5a41ffa67..0558db616 100644 --- a/malcolm-iso/vagrant/Vagrantfile +++ b/malcolm-iso/vagrant/Vagrantfile 
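Review bot: Only the first `deb` line in the `preseed/late_command` hunk of malcolm-iso/config/includes.binary/install/preseed_base.cfg gains `non-free-firmware`; the `bookworm-security` and `bookworm-updates` lines still end at `non-free`. Firmware packages installed from that component would then not be offered fixes published through the security and updates suites on the installed system. I would end all three lines with `main contrib non-free non-free-firmware`. The same applies to the matching hunk in sensor-iso/config/includes.binary/install/preseed_base.cfg later in this patch.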
@@ -39,7 +39,7 @@ Vagrant.configure("2") do |config| config.vm.provision "shell", inline: <<-STEP1 dpkg-reconfigure debconf -f noninteractive -p critical export DEBIAN_FRONTEND=noninteractive - sed -i "s/main/main contrib non-free/g" /etc/apt/sources.list + sed -i "s/main/main contrib non-free non-free-firmware/g" /etc/apt/sources.list apt-get -qqy update apt-get -y install \ apt-transport-https \ diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index 851617da1..e85287b7c 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -181,7 +181,7 @@ if [ -d "$WORKDIR" ]; then --apt-secure true \ --apt-source-archives false \ --architectures amd64 \ - --archive-areas 'main contrib non-free' \ + --archive-areas 'main contrib non-free non-free-firmware' \ --backports false \ --binary-images iso-hybrid \ --bootappend-install "auto=true locales=en_US.UTF-8 keyboard-layouts=us" \ @@ -199,7 +199,7 @@ if [ -d "$WORKDIR" ]; then --linux-flavours "amd64:amd64" \ --linux-packages "linux-image linux-headers" \ --memtest none \ - --parent-archive-areas 'main contrib non-free' \ + --parent-archive-areas 'main contrib non-free non-free-firmware' \ --parent-debian-installer-distribution $IMAGE_DISTRIBUTION \ --parent-distribution $IMAGE_DISTRIBUTION \ --security true \ diff --git a/sensor-iso/config/includes.binary/install/preseed_base.cfg b/sensor-iso/config/includes.binary/install/preseed_base.cfg index 8e2507844..81b5ba435 100644 --- a/sensor-iso/config/includes.binary/install/preseed_base.cfg +++ b/sensor-iso/config/includes.binary/install/preseed_base.cfg 
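Review bot: The unanchored `sed -i "s/main/main contrib non-free non-free-firmware/g" /etc/apt/sources.list` in the STEP1 provisioner rewrites every occurrence of `main` and is not idempotent. If the bento/debian-12 box already lists `non-free-firmware` (not visible here), the component ends up duplicated, and a re-provision appends the list again. Matching the whole component list is safer, e.g. `sed -i -E "s/ main( .*)?$/ main contrib non-free non-free-firmware/" /etc/apt/sources.list`. The provisioner block continues outside the hunk, and the sensor-iso/vagrant/Vagrantfile hunk in this patch has the same line.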
@@ -43,7 +43,7 @@ d-i apt-setup/use_mirror boolean false d-i finish-install/reboot_in_progress note d-i preseed/late_command string \ - echo 'deb http://deb.debian.org/debian bookworm main contrib non-free' > /target/etc/apt/sources.list; \ + echo 'deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware' > /target/etc/apt/sources.list; \ echo 'deb http://security.debian.org/debian-security bookworm-security main contrib non-free' >> /target/etc/apt/sources.list; \ echo 'deb http://deb.debian.org/debian bookworm-updates main contrib non-free' >> /target/etc/apt/sources.list; \ in-target touch /etc/capture_storage_format; \ diff --git a/sensor-iso/vagrant/Vagrantfile b/sensor-iso/vagrant/Vagrantfile index cf8819929..500ab7083 100644 --- a/sensor-iso/vagrant/Vagrantfile +++ b/sensor-iso/vagrant/Vagrantfile @@ -39,7 +39,7 @@ Vagrant.configure("2") do |config| config.vm.provision "shell", inline: <<-STEP1 dpkg-reconfigure debconf -f noninteractive -p critical export DEBIAN_FRONTEND=noninteractive - sed -i "s/main/main contrib non-free/g" /etc/apt/sources.list + sed -i "s/main/main contrib non-free non-free-firmware/g" /etc/apt/sources.list apt-get -qqy update apt-get -y install \ apt-transport-https \ From c22847716165a1d1c8b9a08af1eb3cee5ed46ff9 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Wed, 26 Jul 2023 11:17:39 -0600 Subject: [PATCH 09/74] updating to debian 12, broken, wip --- docs/hedgehog-iso-build.md | 4 ++-- docs/malcolm-iso.md | 4 ++-- kubernetes/vagrant/Vagrantfile | 2 +- .../normal/0169-pip-installs.hook.chroot | 2 +- .../0990-remove-unwanted-pkg.hook.chroot | 1 - .../config/package-lists/system.list.chroot | 3 +-- .../package-lists/virtualguest.list.chroot | 2 -- scripts/malcolm_appliance_packager.sh | 2 +- scripts/third-party-logs/fluent-bit-setup.ps1 | 2 +- sensor-iso/build.sh | 2 +- .../normal/0169-pip-installs.hook.chroot | 2 +- .../normal/0910-sensor-build.hook.chroot | 20 +++++++++---------- .../0990-remove-unwanted-pkg.hook.chroot | 1 - .../config/package-lists/build.list.chroot | 2 +- .../package-lists/desktopmanager.list.chroot | 2 +- .../config/package-lists/system.list.chroot | 3 +-- .../package-lists/virtualguest.list.chroot | 2 -- 17 files changed, 24 insertions(+), 32 deletions(-) diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md index f3ad1f03c..cba7600e1 100644 --- a/docs/hedgehog-iso-build.md +++ b/docs/hedgehog-iso-build.md @@ -5,7 +5,7 @@ Official downloads of the Hedgehog Linux installer ISO are not provided: however * [Vagrant](https://www.vagrantup.com/) - [`vagrant-reload`](https://github.com/aidanns/vagrant-reload) plugin - [`vagrant-sshfs`](https://github.com/dustymabe/vagrant-sshfs) plugin - - [`bento/debian-11`](https://app.vagrantup.com/bento/boxes/debian-11) Vagrant box + - [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box The build should work with either the [VirtualBox](https://www.virtualbox.org/) provider or the [libvirt](https://libvirt.org/) provider: 
@@ -13,7 +13,7 @@ The build should work with either the [VirtualBox](https://www.virtualbox.org/) - [`vagrant-vbguest`](https://github.com/dotless-de/vagrant-vbguest) plugin * [libvirt](https://libvirt.org/) - [`vagrant-libvirt`](https://github.com/vagrant-libvirt/vagrant-libvirt) provider plugin - - [`vagrant-mutate`](https://github.com/sciurus/vagrant-mutate) plugin to convert [`bento/debian-11`](https://app.vagrantup.com/bento/boxes/debian-11) Vagrant box to `libvirt` format + - [`vagrant-mutate`](https://github.com/sciurus/vagrant-mutate) plugin to convert [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box to `libvirt` format To perform a clean build the Hedgehog Linux installer ISO, navigate to your local [Malcolm]({{ site.github.repository_url }}/) working copy and run: diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md index a18ab5792..2d5d9666b 100644 --- a/docs/malcolm-iso.md +++ b/docs/malcolm-iso.md @@ -17,7 +17,7 @@ Official downloads of the Malcolm installer ISO are not provided: however, it ca * [Vagrant](https://www.vagrantup.com/) - [`vagrant-reload`](https://github.com/aidanns/vagrant-reload) plugin - [`vagrant-sshfs`](https://github.com/dustymabe/vagrant-sshfs) plugin - - [`bento/debian-11`](https://app.vagrantup.com/bento/boxes/debian-11) Vagrant box + - [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box The build should work with either the [VirtualBox](https://www.virtualbox.org/) provider or the [libvirt](https://libvirt.org/) provider: 
@@ -25,7 +25,7 @@ The build should work with either the [VirtualBox](https://www.virtualbox.org/) - [`vagrant-vbguest`](https://github.com/dotless-de/vagrant-vbguest) plugin * [libvirt](https://libvirt.org/) - [`vagrant-libvirt`](https://github.com/vagrant-libvirt/vagrant-libvirt) provider plugin - - [`vagrant-mutate`](https://github.com/sciurus/vagrant-mutate) plugin to convert [`bento/debian-11`](https://app.vagrantup.com/bento/boxes/debian-11) Vagrant box to `libvirt` format + - [`vagrant-mutate`](https://github.com/sciurus/vagrant-mutate) plugin to convert [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box to `libvirt` format To perform a clean build of the Malcolm installer ISO, navigate to the local Malcolm working copy and run: diff --git a/kubernetes/vagrant/Vagrantfile b/kubernetes/vagrant/Vagrantfile index fefc7d6d8..054b20104 100644 --- a/kubernetes/vagrant/Vagrantfile +++ b/kubernetes/vagrant/Vagrantfile @@ -130,7 +130,7 @@ agent_script_1 = <<-SHELL SHELL Vagrant.configure("2") do |config| - config.vm.box = "bento/debian-11" + config.vm.box = "bento/debian-12" config.ssh.config = "ssh_config" config.vm.define "server", primary: true do |server| diff --git a/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot b/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot index 605e90427..f59667626 100755 --- a/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot @@ -4,7 +4,7 @@ export LC_ALL=C.UTF-8 export LANG=C.UTF-8 # python 3 -pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \ +pip3 install --break-system-packages --no-compile --no-cache-dir --force-reinstall --upgrade \ debinterface \ kubernetes \ python-dotenv \ diff --git a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index caaabeb8c..a661ffbcc 100755 
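Review bot: `--break-system-packages` in the `pip3 install` line of malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot turns off pip's externally-managed-environment guard, and together with `--force-reinstall --upgrade` on unpinned names it lets whatever PyPI serves at build time overwrite apt-managed Python modules in the image. Installing from a pinned requirements file would make the ISO contents reproducible and auditable, e.g. `pip3 install --break-system-packages --no-compile --no-cache-dir --require-hashes -r <PINNED_REQUIREMENTS_FILE>` (placeholder path). The package list continues outside the hunk. The same applies to the `python3 -m pip install` line generated in sensor-iso/build.sh and to sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot in this patch.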
--- a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -32,7 +32,6 @@ dpkg -l | awk '/^rc/ { print $2 }' | xargs -r -l dpkg --purge # disable automatic/initial running of some services (but don't abort if we fail) systemctl disable ctrl-alt-del.target || true -systemctl disable hddtemp.service || true systemctl disable apt-daily.service || true systemctl disable apt-daily.timer || true systemctl disable apt-daily-upgrade.timer || true diff --git a/malcolm-iso/config/package-lists/system.list.chroot b/malcolm-iso/config/package-lists/system.list.chroot index 860b6990c..8598d8205 100644 --- a/malcolm-iso/config/package-lists/system.list.chroot +++ b/malcolm-iso/config/package-lists/system.list.chroot @@ -63,7 +63,6 @@ gvfs-backends gvfs-daemons gvfs-fuse gzip -hddtemp hdparm hfsplus hfsprogs @@ -85,7 +84,7 @@ libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 libssl-dev -libssl1.1 +libssl3 libykpers-1-1 libyubikey0 lm-sensors diff --git a/malcolm-iso/config/package-lists/virtualguest.list.chroot b/malcolm-iso/config/package-lists/virtualguest.list.chroot index 2c9182560..35946639a 100644 --- a/malcolm-iso/config/package-lists/virtualguest.list.chroot +++ b/malcolm-iso/config/package-lists/virtualguest.list.chroot @@ -1,5 +1,3 @@ open-vm-tools-desktop qemu-guest-agent virt-what -virtualbox-guest-utils -virtualbox-guest-x11 \ No newline at end of file diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh index 716f4cbcc..bf7787aaa 100755 --- a/scripts/malcolm_appliance_packager.sh +++ b/scripts/malcolm_appliance_packager.sh 
@@ -130,7 +130,7 @@ if mkdir "$DESTDIR"; then ln -s ./install.py configure popd >/dev/null 2>&1 pushd .. >/dev/null 2>&1 - DESTNAME="$RUN_PATH/$(basename $DESTDIR).tar.xz" + DESTNAME="$RUN_PATH/$(basename $DESTDIR).tar.gz" README="$RUN_PATH/$(basename $DESTDIR).README.txt" cp $VERBOSE "$SCRIPT_PATH/install.py" "$RUN_PATH/" cp $VERBOSE "$SCRIPT_PATH/malcolm_common.py" "$RUN_PATH/" diff --git a/scripts/third-party-logs/fluent-bit-setup.ps1 b/scripts/third-party-logs/fluent-bit-setup.ps1 index 83916837b..87a2818e2 100644 --- a/scripts/third-party-logs/fluent-bit-setup.ps1 +++ b/scripts/third-party-logs/fluent-bit-setup.ps1 @@ -9,7 +9,7 @@ ############################################################################### $fluent_bit_version = '2.1' -$fluent_bit_full_version = '2.1.6' +$fluent_bit_full_version = '2.1.8' ############################################################################### # select an item from a menu provided in an array diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index e85287b7c..de961a1d5 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -74,7 +74,7 @@ if [ -d "$WORKDIR" ]; then echo "#!/bin/sh" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot echo "export LC_ALL=C.UTF-8" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot echo "export LANG=C.UTF-8" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot - echo -n "pip3 install --system --no-compile --no-cache-dir --force-reinstall --upgrade" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot + echo -n "python3 -m pip install --break-system-packages --no-compile --no-cache-dir --force-reinstall --upgrade" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot while read LINE; do echo -n -e " \\\\\n $LINE" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot done <"$SCRIPT_PATH/interface/requirements.txt" 
diff --git a/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot b/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot index 952ce3fc4..fc48f7cbf 100755 --- a/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot +++ b/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot @@ -6,7 +6,7 @@ export LC_ALL=C.UTF-8 export LANG=C.UTF-8 # python 3 -pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \ +pip3 install --break-system-packages --no-compile --no-cache-dir --force-reinstall --upgrade \ clamd \ dateparser \ debinterface \ diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index e09489035..61bd4022d 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot 
@@ -64,16 +64,16 @@ mkdir -p /tmp/zeek-packages "${CCACHE_DIR}" cd /tmp/zeek-packages if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS curl -sSL --remote-name-all \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeek${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/all/zeek${ZEEK_LTS}-client_${ZEEK_VER}_all.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VER}_all.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/all/zeek${ZEEK_LTS}-btest_${ZEEK_VER}_all.deb" \ - "https://download.zeek.org/binary-packages/Debian_11/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VER}_all.deb" + "https://download.zeek.org/binary-packages/Debian_12/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \ + 
"https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-client_${ZEEK_VER}_all.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VER}_all.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest_${ZEEK_VER}_all.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VER}_all.deb" dpkg -i ./*.deb # plugins diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index 1e893eed0..84ac2ca2a 100755 --- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -44,7 +44,6 @@ dpkg -l | awk '/^rc/ { print $2 }' | xargs -r -l dpkg --purge # disable automatic running of some services (but don't abort if we fail) systemctl disable supervisor.service || true systemctl disable ctrl-alt-del.target || true -systemctl disable hddtemp.service || true systemctl disable apt-daily.service || true systemctl disable apt-daily.timer || true systemctl disable apt-daily-upgrade.timer || true diff --git a/sensor-iso/config/package-lists/build.list.chroot b/sensor-iso/config/package-lists/build.list.chroot index 7cd4a9e5a..33ece4536 100644 --- a/sensor-iso/config/package-lists/build.list.chroot +++ b/sensor-iso/config/package-lists/build.list.chroot @@ -20,7 +20,7 @@ libpcap0.8 libsodium-dev libsodium23 libssl-dev -libssl1.1 +libssl3 libtcmalloc-minimal4 locales-all make diff --git a/sensor-iso/config/package-lists/desktopmanager.list.chroot b/sensor-iso/config/package-lists/desktopmanager.list.chroot index e000d5318..ad2156d0f 100644 --- a/sensor-iso/config/package-lists/desktopmanager.list.chroot +++ b/sensor-iso/config/package-lists/desktopmanager.list.chroot 
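Review bot: The ten Zeek `.deb` files fetched by `curl -sSL --remote-name-all` are passed straight to `dpkg -i ./*.deb` with no checksum or signature check, so the image trusts whatever download.zeek.org returns at build time. I would add `-f` so HTTP errors fail the download (`curl -fsSL --remote-name-all`) and verify the files before installing, e.g. `sha256sum -c <ZEEK_PACKAGES_SHA256_FILE>` (placeholder for a checksum list kept in the repository) ahead of `dpkg -i`. The surrounding script starts and ends outside the hunk.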
@@ -9,7 +9,7 @@ fonts-symbola galculator gnome-themes-extra gvfs-backends -libclamunrar9 +libclamunrar11 libnotify-bin light-locker mousepad diff --git a/sensor-iso/config/package-lists/system.list.chroot b/sensor-iso/config/package-lists/system.list.chroot index 3ca52abe6..d0540662b 100644 --- a/sensor-iso/config/package-lists/system.list.chroot +++ b/sensor-iso/config/package-lists/system.list.chroot @@ -61,7 +61,6 @@ gvfs-backends gvfs-daemons gvfs-fuse gzip -hddtemp hdparm hfsplus hfsprogs @@ -72,7 +71,7 @@ javascript-common jq less libatomic1 -libffi7 +libffi8 libgtk2.0-bin libjson-perl libkrb5-3 diff --git a/sensor-iso/config/package-lists/virtualguest.list.chroot b/sensor-iso/config/package-lists/virtualguest.list.chroot index 2c9182560..35946639a 100644 --- a/sensor-iso/config/package-lists/virtualguest.list.chroot +++ b/sensor-iso/config/package-lists/virtualguest.list.chroot @@ -1,5 +1,3 @@ open-vm-tools-desktop qemu-guest-agent virt-what -virtualbox-guest-utils -virtualbox-guest-x11 \ No newline at end of file From 5d506921a140459245771b539ac870d6911a636f Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 11:45:36 -0600 Subject: [PATCH 10/74] updating to debian 12, broken, wip --- Dockerfiles/filebeat.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index b6513e860..c577e1fe1 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -93,7 +93,7 @@ RUN apt-get -q update && \ unar \ unzip \ xz-utils && \ - python3 -m pip --break-system-packages --no-cache-dir install patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \ + python3 -m pip install --break-system-packages --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ 
From 8b5943ac5c57686f7bd6084cd3c188d810c93d19 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 11:55:31 -0600 Subject: [PATCH 11/74] updating to debian 12, broken, wip --- shared/bin/agg-init.sh | 2 +- shared/bin/common-init.sh | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/shared/bin/agg-init.sh b/shared/bin/agg-init.sh index 9b7a1de0e..fd7bb2cc8 100755 --- a/shared/bin/agg-init.sh +++ b/shared/bin/agg-init.sh @@ -40,7 +40,7 @@ if [[ -r "$SCRIPT_PATH"/common-init.sh ]]; then # if we need to import prebuilt Malcolm docker images, do so now (but not if we're in a live-usb boot) DOCKER_DRIVER="$(docker info 2>/dev/null | grep 'Storage Driver' | cut -d' ' -f3)" - if [[ -n $DOCKER_DRIVER ]] && [[ "$DOCKER_DRIVER" != "vfs" ]] && [[ -r /malcolm_images.tar.xz ]]; then + if [[ -n $DOCKER_DRIVER ]] && [[ "$DOCKER_DRIVER" != "vfs" ]] && ! grep -q boot=live /proc/cmdline; then docker load -q -i /malcolm_images.tar.xz && rm -f /malcolm_images.tar.xz fi diff --git a/shared/bin/common-init.sh b/shared/bin/common-init.sh index ddc0bbd26..242c3c82f 100755 --- a/shared/bin/common-init.sh +++ b/shared/bin/common-init.sh 
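Review bot: The rewritten condition in shared/bin/agg-init.sh drops the `[[ -r /malcolm_images.tar.xz ]]` test, so `docker load -q -i /malcolm_images.tar.xz` is now attempted on every non-live run of this script even when the archive is absent or unreadable, for example on a later run after the `rm -f`. Keeping both tests preserves the live-boot exclusion without the failing load: `if [[ -n $DOCKER_DRIVER ]] && [[ "$DOCKER_DRIVER" != "vfs" ]] && [[ -r /malcolm_images.tar.xz ]] && ! grep -q boot=live /proc/cmdline; then`. The enclosing `if` block begins outside the hunk.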
@@ -115,17 +115,18 @@ function BadTelemetry() { echo >> /etc/hosts echo '127.0.0.1 _googlecast._tcp.local' >> /etc/hosts echo '127.0.0.1 accounts.google.com' >> /etc/hosts + echo '127.0.0.1 census.netbox.dev' >> /etc/hosts echo '127.0.0.1 clients.l.google.com' >> /etc/hosts + echo '127.0.0.1 connectivitycheck.gstatic.com' >> /etc/hosts + echo '127.0.0.1 detectportal.firefox.com' >> /etc/hosts + echo '127.0.0.1 detectportal.prod.mozaws.net' >> /etc/hosts echo '127.0.0.1 fonts.googleapis.com' >> /etc/hosts + echo '127.0.0.1 incoming.telemetry.mozilla.org' >> /etc/hosts + echo '127.0.0.1 prod.detectportal.prod.cloudops.mozgcp.net' >> /etc/hosts echo '127.0.0.1 safebrowsing-cache.google.com' >> /etc/hosts echo '127.0.0.1 safebrowsing.clients.google.com' >> /etc/hosts echo '127.0.0.1 update.googleapis.com' >> /etc/hosts echo '127.0.0.1 www.google-analytics.com' >> /etc/hosts echo '127.0.0.1 www.gstatic.com' >> /etc/hosts - echo '127.0.0.1 connectivitycheck.gstatic.com' >> /etc/hosts - echo '127.0.0.1 incoming.telemetry.mozilla.org' >> /etc/hosts - echo '127.0.0.1 detectportal.firefox.com' >> /etc/hosts - echo '127.0.0.1 prod.detectportal.prod.cloudops.mozgcp.net' >> /etc/hosts - echo '127.0.0.1 detectportal.prod.mozaws.net' >> /etc/hosts fi } From 4c770f673d14b7e183eb57577f09f0d321740c09 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 11:58:06 -0600 Subject: [PATCH 12/74] Fix filebeat build --- Dockerfiles/filebeat.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index c577e1fe1..c77d29c50 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile 
@@ -93,7 +93,7 @@ RUN apt-get -q update && \ unar \ unzip \ xz-utils && \ - python3 -m pip install --break-system-packages --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \ + python3 -m pip install --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ From 6284eec6b4bf1a749e40899376a87d9794f0bfef Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 12:15:48 -0600 Subject: [PATCH 13/74] updating to debian 12, broken, wip --- sensor-iso/config/package-lists/build.list.chroot | 1 + 1 file changed, 1 insertion(+) diff --git a/sensor-iso/config/package-lists/build.list.chroot b/sensor-iso/config/package-lists/build.list.chroot index 33ece4536..7afaf8176 100644 --- a/sensor-iso/config/package-lists/build.list.chroot +++ b/sensor-iso/config/package-lists/build.list.chroot @@ -15,6 +15,7 @@ libmagic-dev libmagic1 libmaxminddb-dev libmaxminddb0 +libnl-3-dev libpcap-dev libpcap0.8 libsodium-dev From f141c07d725a3ad0902528ceec2eb7694449d674 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 13:26:03 -0600 Subject: [PATCH 14/74] remove package --- .../config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot | 1 + .../config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot | 1 + 2 files changed, 2 insertions(+) diff --git a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index a661ffbcc..79df3e4a2 100755 --- a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -11,6 +11,7 @@ apt-get -y --purge remove bluez-firmware \ gdebi* \ gdb \ firmware-netronome \ + firmware-nvidia* \ firmware-qcom-soc \ gnome-accessibility-themes \ libasound2-plugins \ 
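Review bot: The changed `python3 -m pip install` line in `filebeat.Dockerfile` installs `patool`, `entrypoint2`, `pyunpack`, `python-magic`, `ordered-set`, `supervisor` and `watchdog` with no version constraints, so each image build takes whatever the package index serves at that moment. The same `RUN` already checks supercronic against a recorded checksum, and the Python packages deserve comparable treatment: pin them (for example `supervisor==VERSION`, with VERSION a placeholder for the release you have tested), or install from a requirements file with `--require-hashes`. A one-line comment saying why `--break-system-packages` is not passed for this base image would also help the next maintainer. The `RUN` instruction starts and ends outside the hunk.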
diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index 84ac2ca2a..841171c7d 100755 --- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -16,6 +16,7 @@ apt-get -y --purge remove \ bluez-firmware \ cracklib-runtime \ firmware-netronome \ + firmware-nvidia* \ firmware-qcom-soc \ gdb \ gdebi* \ From e37d9873f96ad1288d895dbe5a599b8d0112a08f Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 13:31:47 -0600 Subject: [PATCH 15/74] update live-build --- .../malcolm-iso-build-docker-wrap-push-ghcr.yml | 4 ++-- .../sensor-iso-build-docker-wrap-push-ghcr.yml | 10 ++++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml index a33321072..a1a450ccc 100644 --- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -70,12 +70,12 @@ jobs: virt-what \ xorriso \ xz-utils - git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20210407' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build + git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20230131' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build cd /tmp/live-build dpkg-buildpackage -b -uc -us cd /tmp sudo dpkg -i /tmp/live-build*.deb - rm -rf /tmp/live-build + sudo rm -rf /tmp/live-build /tmp/live-build*.deb - name: Checkout uses: actions/checkout@v3 diff --git a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml index 2fe46a799..edd8ecc3d 100644 --- a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml 
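Review bot: The `git clone --branch='debian/1%20230131'` step in `malcolm-iso-build-docker-wrap-push-ghcr.yml` builds live-build from a tag and installs the result with `sudo dpkg -i`, but nothing checks which commit that tag resolved to. A moved or re-created tag would change the tool that assembles the ISO without any change in this repository. Recording the expected commit and failing on mismatch closes that gap, e.g. `test "$(git -C /tmp/live-build rev-parse HEAD)" = "EXPECTED_LIVE_BUILD_COMMIT"` right after the clone (the value is a placeholder for the audited commit id). The same applies to the matching hunk in `sensor-iso-build-docker-wrap-push-ghcr.yml`. The `run:` block starts outside the hunk.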
+++ b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml @@ -66,10 +66,12 @@ jobs: squashfs-tools \ virt-what \ xorriso - git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20210407' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build - cd /tmp/live-build - dpkg-buildpackage -b -uc -us - sudo dpkg -i /tmp/live-build*.deb + git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20230131' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build + cd /tmp/live-build + dpkg-buildpackage -b -uc -us + cd /tmp + sudo dpkg -i /tmp/live-build*.deb + sudo rm -rf /tmp/live-build /tmp/live-build*.deb - name: Checkout uses: actions/checkout@v3 From 6094c64fe583f359cfeca96533dd65a6b0af5b99 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 13:39:17 -0600 Subject: [PATCH 16/74] documentation update --- docs/development.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/development.md b/docs/development.md index 5993f641f..37da486d6 100644 --- a/docs/development.md +++ b/docs/development.md 
@@ -52,24 +52,24 @@ $ ./scripts/build.sh Then, go take a walk or something since it will be a while. When you are done, you can run `docker images` and see if you have fresh images for: * `ghcr.io/idaholab/malcolm/api` (based on `python:3-slim`) -* `ghcr.io/idaholab/malcolm/arkime` (based on `debian:11-slim`) +* `ghcr.io/idaholab/malcolm/arkime` (based on `debian:12-slim`) * `ghcr.io/idaholab/malcolm/dashboards-helper` (based on `alpine:3.18`) * `ghcr.io/idaholab/malcolm/dashboards` (based on `opensearchproject/opensearch-dashboards`) -* `ghcr.io/idaholab/malcolm/file-monitor` (based on `debian:11-slim`) -* `ghcr.io/idaholab/malcolm/file-upload` (based on `debian:11-slim`) +* `ghcr.io/idaholab/malcolm/file-monitor` (based on `debian:12-slim`) +* `ghcr.io/idaholab/malcolm/file-upload` (based on `debian:12-slim`) * `ghcr.io/idaholab/malcolm/filebeat-oss` (based on `docker.elastic.co/beats/filebeat-oss`) -* `ghcr.io/idaholab/malcolm/freq` (based on `debian:11-slim`) +* `ghcr.io/idaholab/malcolm/freq` (based on `debian:12-slim`) * `ghcr.io/idaholab/malcolm/htadmin` (based on `debian:11-slim`) * `ghcr.io/idaholab/malcolm/logstash-oss` (based on `opensearchproject/logstash-oss-with-opensearch-output-plugin`) * `ghcr.io/idaholab/malcolm/netbox` (based on `netboxcommunity/netbox:latest`) * `ghcr.io/idaholab/malcolm/nginx-proxy` (based on `alpine:3.18`) * `ghcr.io/idaholab/malcolm/opensearch` (based on `opensearchproject/opensearch`) -* `ghcr.io/idaholab/malcolm/pcap-capture` (based on `debian:11-slim`) -* `ghcr.io/idaholab/malcolm/pcap-monitor` (based on `debian:11-slim`) +* `ghcr.io/idaholab/malcolm/pcap-capture` (based on `debian:12-slim`) +* `ghcr.io/idaholab/malcolm/pcap-monitor` (based on `debian:12-slim`) * `ghcr.io/idaholab/malcolm/postgresql` (based on `postgres:14-alpine`) * `ghcr.io/idaholab/malcolm/redis` (based on `redis:7-alpine`) -* `ghcr.io/idaholab/malcolm/suricata` (based on `debian:11-slim`) -* `ghcr.io/idaholab/malcolm/zeek` (based on `debian:11-slim`) 
+* `ghcr.io/idaholab/malcolm/suricata` (based on `debian:12-slim`) +* `ghcr.io/idaholab/malcolm/zeek` (based on `debian:12-slim`) Alternately, if you have forked Malcolm on GitHub, [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided that contain instructions for GitHub to build the docker images, as well as [sensor](live-analysis.md#Hedgehog) and [Malcolm](malcolm-iso.md#ISO) installer ISOs. The resulting images are named according to the pattern `ghcr.io/owner/malcolm/image:branch` (e.g., if you have forked Malcolm with the GitHub user `romeogdetlevjr`, the `Arkime` container built for the `main` would be named `ghcr.io/romeogdetlevjr/malcolm/arkime:main`). To run your local instance of Malcolm using these images instead of the official ones, you willll need to edit your `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script `./shared/bin/github_image_helper.sh` to pull and re-tag the images. From 4e0ea6ae76823fa65ecf554dc0b437e4a4a58ed5 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 13:40:18 -0600 Subject: [PATCH 17/74] update certifi to 2023.07.22 --- sensor-iso/interface/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sensor-iso/interface/requirements.txt b/sensor-iso/interface/requirements.txt index 1cf7ef0c4..e2b579534 100644 --- a/sensor-iso/interface/requirements.txt +++ b/sensor-iso/interface/requirements.txt @@ -1,4 +1,4 @@ -certifi==2022.12.7 +certifi==2023.07.22 chardet==5.1.0 click==8.1.3 Flask==2.3.2 From c040bccd0b33982595c38fa7d5018b20aeaae5ad Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Wed, 26 Jul 2023 14:49:38 -0600 Subject: [PATCH 18/74] simplify install by asking if a forwarder is going to be used or not instead of asking about individual ports --- docs/malcolm-hedgehog-e2e-iso-install.md | 42 +++++++++++----------- docs/ubuntu-install-example.md | 15 ++++---- scripts/install.py | 46 ++++++++++++++++++------ 3 files changed, 63 insertions(+), 40 deletions(-) diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md index ded84b0a9..5ea807a38 100644 --- a/docs/malcolm-hedgehog-e2e-iso-install.md +++ b/docs/malcolm-hedgehog-e2e-iso-install.md 
@@ -189,26 +189,28 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest - Malcolm will [map MAC addresses](https://standards.ieee.org/products-programs/regauth/) to hardware manufacturer when possible. Users probably want to answer **Y** to this question. * **Perform string randomness scoring on some fields?** - If enabled, domain names observed in network traffic (from DNS queries and SSL server names) will be assigned entropy scores as calculated by [`freq`](https://github.com/MarkBaggett/freq). Users probably want to answer **Y** to this question. -* **Expose OpenSearch port to external hosts?** - - Answer **Y** in order for Malcolm's firewall to allow connections from a remote log forwarder (such as Hedgehog Linux) to TCP port 9200 so that Arkime sessions can be written to Malcolm's OpenSearch database. -* **Expose Logstash port to external hosts?** - - Answer **Y** in order for Malcolm's firewall to allow connections from a remote log forwarder (such as Hedgehog Linux) to TCP port 5044 so that Zeek and Suricata logs can be ingested by Malcolm's Logstash instance. -* **Expose Filebeat TCP port to external hosts?** - - Answer **Y** in order for Malcolm's firewall to allow connections from a remote log forwarder (such as Hedgehog Linux for resource utilization metrics or other forwarders for other [third-Party logs](third-party-logs.md#ThirdPartyLogs)) to TCP port 5045. -* **Use default field values for Filebeat TCP listener?** - - Answer **Y** to use the defaults and skip the next five questions about the Filebeat TCP listener. -* **Select log format for messages sent to Filebeat TCP listener** - - Possible choices include `json` and `raw`; users probably want to choose `json`. -* **Source field to parse for messages sent to Filebeat TCP listener** - - The default choice (and the one Hedgehog Linux will be sending) is `message`. 
-* **Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener** - - The default choice (and the one that corresponds to Malcolm's dashboards built for the resource utilization metrics sent by Hedgehog Linux) is `miscbeat`. -* **Field to drop from events sent to Filebeat TCP listener** - - Users most likely want this to be the default, `message`, to match the field name specified above. -* **Tag to apply to messages sent to Filebeat TCP listener** - - The default is `_malcolm_beats`, which is used by Malcolm to recognize and parse metrics sent from Hedgehog Linux. -* **Expose SFTP server (for PCAP upload) to external hosts?** - - Users should answer **N** unless they plan to use SFTP/SCP to [upload](upload.md#Upload) PCAP files to Malcolm; answering **Y** will expose TCP port 8022 in Malcolm's firewall for SFTP/SCP connections +* **Should Malcolm accept logs and metrics from a Hedgehog Linux sensor or other forwarder?** + - Answer **yes** or **no** in order for Malcolm's firewall to allow or block connections for OpenSearch, Logstash, and Filebeat TCP, bypassing the following several questions in this list. Answer **customize** to proceed to answer the following related questions individually. + - **Expose OpenSearch port to external hosts?** + + Answer **Y** in order for Malcolm's firewall to allow connections from a remote log forwarder (such as Hedgehog Linux) to TCP port 9200 so that Arkime sessions can be written to Malcolm's OpenSearch database. + - **Expose Logstash port to external hosts?** + + Answer **Y** in order for Malcolm's firewall to allow connections from a remote log forwarder (such as Hedgehog Linux) to TCP port 5044 so that Zeek and Suricata logs can be ingested by Malcolm's Logstash instance. 
+ - **Expose Filebeat TCP port to external hosts?** + + Answer **Y** in order for Malcolm's firewall to allow connections from a remote log forwarder (such as Hedgehog Linux for resource utilization metrics or other forwarders for other [third-Party logs](third-party-logs.md#ThirdPartyLogs)) to TCP port 5045. + - **Use default field values for Filebeat TCP listener?** + + Answer **Y** to use the defaults and skip the next five questions about the Filebeat TCP listener. + - **Select log format for messages sent to Filebeat TCP listener** + + Possible choices include `json` and `raw`; users probably want to choose `json`. + - **Source field to parse for messages sent to Filebeat TCP listener** + + The default choice (and the one Hedgehog Linux will be sending) is `message`. + - **Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener** + + The default choice (and the one that corresponds to Malcolm's dashboards built for the resource utilization metrics sent by Hedgehog Linux) is `miscbeat`. + - **Field to drop from events sent to Filebeat TCP listener** + + Users most likely want this to be the default, `message`, to match the field name specified above. + - **Tag to apply to messages sent to Filebeat TCP listener** + + The default is `_malcolm_beats`, which is used by Malcolm to recognize and parse metrics sent from Hedgehog Linux. + - **Expose SFTP server (for PCAP upload) to external hosts?** + + Users should answer **N** unless they plan to use SFTP/SCP to [upload](upload.md#Upload) PCAP files to Malcolm; answering **Y** will expose TCP port 8022 in Malcolm's firewall for SFTP/SCP connections * **Enable file extraction with Zeek?** - Answer **Y** to indicate that Zeek should [extract files](file-scanning.md#ZeekFileExtraction) transfered in observed network traffic. * **Select file extraction behavior** diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index 2037330cf..91be88741 100644 
--- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md @@ -148,23 +148,20 @@ Perform hardware vendor OUI lookups for MAC addresses? (Y/n): y Perform string randomness scoring on some fields? (Y/n): y -Expose OpenSearch port to external hosts? (y/N): n - -Expose Logstash port to external hosts? (y/N): n - -Expose Filebeat TCP port to external hosts? (y/N): y - -Use default field values for Filebeat TCP listener? (Y/n): y - -Expose SFTP server (for PCAP upload) to external hosts? (y/N): n +1: no +2: yes +3: customize +Should Malcolm accept logs and metrics from a Hedgehog Linux sensor or other forwarder? (no): 1 Enable file extraction with Zeek? (y/N): y + 1: none 2: known 3: mapped 4: all 5: interesting Select file extraction behavior (none): 5 + 1: quarantined 2: all 3: none diff --git a/scripts/install.py b/scripts/install.py index 295e9ba39..0d7daf716 100755 --- a/scripts/install.py +++ b/scripts/install.py 
@@ -809,16 +809,36 @@ def tweak_malcolm_runtime( autoOui = InstallerYesOrNo('Perform hardware vendor OUI lookups for MAC addresses?', default=True) autoFreq = InstallerYesOrNo('Perform string randomness scoring on some fields?', default=True) + openPortsSelection = 'unset' if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: - opensearchOpen = (not opensearchPrimaryRemote) and InstallerYesOrNo( - 'Expose OpenSearch port to external hosts?', default=expose_opensearch_default - ) - logstashOpen = InstallerYesOrNo('Expose Logstash port to external hosts?', default=expose_logstash_default) - filebeatTcpOpen = InstallerYesOrNo( - 'Expose Filebeat TCP port to external hosts?', default=expose_filebeat_default - ) + openPortsOptions = ('no', 'yes', 'customize') + while openPortsSelection not in [x[0] for x in openPortsOptions]: + openPortsSelection = InstallerChooseOne( + 'Should Malcolm accept logs and metrics from a Hedgehog Linux sensor or other forwarder?', + choices=[(x, '', x == openPortsOptions[0]) for x in openPortsOptions], + )[0] + if openPortsSelection == 'n': + opensearchOpen = False + logstashOpen = False + filebeatTcpOpen = False + elif openPortsSelection == 'y': + opensearchOpen = True + logstashOpen = True + filebeatTcpOpen = True + else: + openPortsSelection = 'c' + opensearchOpen = (not opensearchPrimaryRemote) and InstallerYesOrNo( + 'Expose OpenSearch port to external hosts?', default=expose_opensearch_default + ) + logstashOpen = InstallerYesOrNo( + 'Expose Logstash port to external hosts?', default=expose_logstash_default + ) + filebeatTcpOpen = InstallerYesOrNo( + 'Expose Filebeat TCP port to external hosts?', default=expose_filebeat_default + ) else: opensearchOpen = not opensearchPrimaryRemote + openPortsSelection = 'y' logstashOpen = True filebeatTcpOpen = True 
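Review bot: In the new `elif openPortsSelection == 'y':` branch, `opensearchOpen = True` ignores `opensearchPrimaryRemote`. Both the customize branch and the non-Docker-Compose `else` branch keep the OpenSearch port closed when the primary instance is remote, so answering "yes" exposes the local OpenSearch port where the other paths never would. Writing `opensearchOpen = not opensearchPrimaryRemote` there keeps the three paths consistent. The single-letter comparisons also rely on `InstallerChooseOne(...)[0]` yielding the first character of the chosen option, which is worth a comment such as `# selection is reduced to its first letter: 'n', 'y' or 'c'`. `tweak_malcolm_runtime` starts and ends outside the hunk.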
@@ -827,8 +847,10 @@ def tweak_malcolm_runtime( filebeatTcpTargetField = 'miscbeat' filebeatTcpDropField = filebeatTcpSourceField filebeatTcpTag = '_malcolm_beats' - if filebeatTcpOpen and not InstallerYesOrNo( - 'Use default field values for Filebeat TCP listener?', default=True + if ( + filebeatTcpOpen + and (openPortsSelection == 'c') + and not InstallerYesOrNo('Use default field values for Filebeat TCP listener?', default=True) ): allowedFilebeatTcpFormats = ('json', 'raw') filebeatTcpFormat = 'unset' @@ -855,8 +877,10 @@ def tweak_malcolm_runtime( default=filebeatTcpTag, ) - sftpOpen = (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and InstallerYesOrNo( - 'Expose SFTP server (for PCAP upload) to external hosts?', default=expose_sftp_default + sftpOpen = ( + (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) + and (openPortsSelection == 'c') + and InstallerYesOrNo('Expose SFTP server (for PCAP upload) to external hosts?', default=expose_sftp_default) ) # input file extraction parameters From 9eadf1ec639039514095f5ddb17c902746d49443 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 16:26:52 -0600 Subject: [PATCH 19/74] set up skeleton for initial user if it hasn't been done --- shared/bin/agg-init.sh | 3 +++ shared/bin/common-init.sh | 18 ++++++++++++++++-- shared/bin/preseed_late_user_config.sh | 1 + shared/bin/sensor-init.sh | 9 +++++++-- 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/shared/bin/agg-init.sh b/shared/bin/agg-init.sh index fd7bb2cc8..3f8d0857f 100755 --- a/shared/bin/agg-init.sh +++ b/shared/bin/agg-init.sh @@ -15,6 +15,9 @@ if [[ -r "$SCRIPT_PATH"/common-init.sh ]]; then MAIN_USER="$(id -nu 1000)" if [[ -n $MAIN_USER ]]; then + # setup initial user's home directory if it hasn't been done + InjectSkeleton "$MAIN_USER" + # fix some permisions to make sure things belong to the right person FixPermissions "$MAIN_USER" 
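Review bot: The two new `openPortsSelection == 'c'` guards in `install.py` (the Filebeat TCP defaults condition here and the `sftpOpen` expression in the next hunk) make those prompts reachable only through "customize". With "yes" the Filebeat listener is opened, but its format, field and tag settings can no longer be changed from the defaults. The previous hunk also sets `openPortsSelection = 'y'` for every orchestration mode other than Docker Compose, so there the listener settings are now fixed as well, which looks unintended. If the coupling is deliberate, a comment above each condition would make it explicit, e.g. `# listener fields are only prompted for in 'customize' mode; 'yes' uses the defaults`. `tweak_malcolm_runtime` continues outside both hunks.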
diff --git a/shared/bin/common-init.sh b/shared/bin/common-init.sh index 242c3c82f..458ecdf4e 100755 --- a/shared/bin/common-init.sh +++ b/shared/bin/common-init.sh @@ -44,6 +44,19 @@ function CleanDefaultAccounts() { chmod 600 "/etc/crontab" "/etc/group-" "/etc/gshadow-" "/etc/passwd-" "/etc/shadow-" >/dev/null 2>&1 || true chmod 700 "/etc/cron.hourly" "/etc/cron.daily" "/etc/cron.weekly" "/etc/cron.monthly" "/etc/cron.d" >/dev/null 2>&1 || true } + +# setup initially-created user's directory based on /etc/skel +function InjectSkeleton() { + if [ -n "$1" ]; then + USER_TO_FIX="$1" + USER_HOME="$(getent passwd "$USER_TO_FIX" | cut -d: -f6)" + if [ -d "$USER_HOME" ] && [ -d /etc/skel ] && [ ! -d "$USER_HOME"/.config ]; then + rsync -a /etc/skel/ "$USER_HOME"/ + chown -R "$(id -u "$USER_TO_FIX"):$(id -g "$USER_TO_FIX")" "$USER_HOME" + fi + fi +} + # if the network configuration files for the interfaces haven't been set to come up on boot, configure that function InitializeSensorNetworking() { unset NEED_NETWORKING_RESTART @@ -96,8 +109,9 @@ function InitializeAggregatorNetworking() { function FixPermissions() { if [ -n "$1" ]; then USER_TO_FIX="$1" - [ -d /home/"$USER_TO_FIX" ] && find /home/"$USER_TO_FIX" \( -type d -o -type f \) -exec chmod o-rwx "{}" \; - [ -d /home/"$USER_TO_FIX" ] && find /home/"$USER_TO_FIX" -type f -name ".*" -exec chmod g-wx "{}" \; + USER_HOME="$(getent passwd "$USER_TO_FIX" | cut -d: -f6)" + [ -d "$USER_HOME" ] && find "$USER_HOME" \( -type d -o -type f \) -exec chmod o-rwx "{}" \; + [ -d "$USER_HOME" ] && find "$USER_HOME" -type f -name ".*" -exec chmod g-wx "{}" \; if [ ! -f /etc/cron.allow ] || ! grep -q "$USER_TO_FIX" /etc/cron.allow; then echo "$USER_TO_FIX" >> /etc/cron.allow fi diff --git a/shared/bin/preseed_late_user_config.sh b/shared/bin/preseed_late_user_config.sh index 2081162ed..f5036608a 100755 --- a/shared/bin/preseed_late_user_config.sh +++ b/shared/bin/preseed_late_user_config.sh 
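Review bot: `InjectSkeleton` and the reworked `FixPermissions` in `common-init.sh` assign `USER_TO_FIX` and `USER_HOME` without `local`, so both names become globals of whichever script calls them, and each call overwrites the other's values. Declaring them per function keeps them scoped: `local USER_TO_FIX="$1"` followed by `local USER_HOME; USER_HOME="$(getent passwd "$USER_TO_FIX" | cut -d: -f6)"`. `InjectSkeleton` also uses a missing `"$USER_HOME"/.config` directory as its only sign that the skeleton has not been applied yet, which deserves a comment such as `# .config is used as the marker that /etc/skel was already copied`.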
@@ -7,6 +7,7 @@ # prompt whether or not to lock screen for the GUI session on inactivity # prompt whether to use U.S. DoD login banner (https://www.stigviewer.com/stig/general_purpose_operating_system_srg/2015-06-26/finding/V-56585) # prompt for disabling IPV6 or not +# prompt for enabling SSH password authentication # this is a debconf-compatible script . /usr/share/debconf/confmodule diff --git a/shared/bin/sensor-init.sh b/shared/bin/sensor-init.sh index 5a46cd726..95d8a05d4 100755 --- a/shared/bin/sensor-init.sh +++ b/shared/bin/sensor-init.sh @@ -119,8 +119,13 @@ if [[ -r "$SCRIPT_PATH"/common-init.sh ]]; then # if the network configuration files for the interfaces haven't been set to come up on boot, configure that now. InitializeSensorNetworking - # fix some permisions to make sure things belong to the right person - [[ -n $MAIN_USER ]] && FixPermissions "$MAIN_USER" + if [[ -n $MAIN_USER ]]; then + # setup initial user's home directory if it hasn't been done + InjectSkeleton "$MAIN_USER" + + # fix some permisions to make sure things belong to the right person + FixPermissions "$MAIN_USER" + fi # block some call-homes BadTelemetry From ccc95040b43f34a650b3880b058a6d4dbac04284 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jul 2023 16:30:35 -0600 Subject: [PATCH 20/74] set up skeleton for initial user if it hasn't been done --- shared/bin/common-init.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/shared/bin/common-init.sh b/shared/bin/common-init.sh index 458ecdf4e..3922e05cf 100755 --- a/shared/bin/common-init.sh +++ b/shared/bin/common-init.sh 
@@ -51,8 +51,7 @@ function InjectSkeleton() { USER_TO_FIX="$1" USER_HOME="$(getent passwd "$USER_TO_FIX" | cut -d: -f6)" if [ -d "$USER_HOME" ] && [ -d /etc/skel ] && [ ! -d "$USER_HOME"/.config ]; then - rsync -a /etc/skel/ "$USER_HOME"/ - chown -R "$(id -u "$USER_TO_FIX"):$(id -g "$USER_TO_FIX")" "$USER_HOME" + rsync -a --ignore-existing --chown="$(id -u "$USER_TO_FIX"):$(id -g "$USER_TO_FIX")" /etc/skel/ "$USER_HOME"/ fi fi } From e7c3909f632510d1f3f2dc3b0e01906636f0a63c Mon Sep 17 00:00:00 2001 From: SG Date: Thu, 27 Jul 2023 09:59:20 -0600 Subject: [PATCH 21/74] fix version extraction from build --- .github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml | 2 +- .github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml | 2 +- malcolm-iso/build.sh | 2 +- sensor-iso/build_via_vagrant.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml index a1a450ccc..9f68aaaa8 100644 --- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -92,7 +92,7 @@ jobs: - name: Extract Malcolm version shell: bash - run: echo "mversion=$(grep -P "^\s+image:\s*malcolm" docker-compose.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT + run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT id: extract_malcolm_version - name: Build image diff --git a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml index edd8ecc3d..3cfe30c26 100644 --- a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml 
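Review bot: In the `Extract Malcolm version` step, the new pattern `image:.*/malcolm/` accepts any registry prefix, but the following `cut -d':' -f2` still assumes the image reference holds exactly one colon. A reference whose registry host carries a port would then yield part of the path instead of the tag; taking the text after the last colon is safer, e.g. `sed 's/.*://'` in place of `cut -d':' -f2`. `uniq -c` also counts only adjacent duplicates, so it needs a `sort` in front of it for the most-common-version selection to hold if the image lines ever differ. The same pipeline is repeated in the hunks for `sensor-iso-build-docker-wrap-push-ghcr.yml`, `malcolm-iso/build.sh` and `sensor-iso/build_via_vagrant.sh`.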
@@ -88,7 +88,7 @@ jobs: - name: Extract Malcolm version shell: bash - run: echo "mversion=$(grep -P "^\s+image:\s*malcolm" docker-compose.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT + run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT id: extract_malcolm_version - name: Build image diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh index 5d003f956..acb14c7f6 100755 --- a/malcolm-iso/build.sh +++ b/malcolm-iso/build.sh @@ -71,7 +71,7 @@ if [ -d "$WORKDIR" ]; then chown -R root:root * # configure installation options - YML_IMAGE_VERSION="$(grep -P "^\s+image:\s*malcolm" "$SCRIPT_PATH"/../docker-compose-standalone.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" + YML_IMAGE_VERSION="$(grep -P "^\s+image:.*/malcolm/" "$SCRIPT_PATH"/../docker-compose-standalone.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" [[ -n $YML_IMAGE_VERSION ]] && IMAGE_VERSION="$YML_IMAGE_VERSION" sed -i "s@^\(title-text[[:space:]]*:\).*@\1 \"Malcolm $IMAGE_VERSION $(date +'%Y-%m-%d %H:%M:%S')\"@g" ./config/bootloaders/grub-pc/live-theme/theme.txt cp ./config/includes.binary/install/preseed_multipar.cfg ./config/includes.binary/install/preseed_multipar_crypto.cfg diff --git a/sensor-iso/build_via_vagrant.sh b/sensor-iso/build_via_vagrant.sh index 73aa5b738..7fd7fd43d 100755 --- a/sensor-iso/build_via_vagrant.sh +++ b/sensor-iso/build_via_vagrant.sh 
@@ -88,7 +88,7 @@ cp -r "$SCRIPT_PATH"/../shared \ cp "$SCRIPT_PATH"/../scripts/documentation_build.sh "$SCRIPT_PATH"/docs/ cp "$SCRIPT_PATH"/../scripts/malcolm_utils.py "$SCRIPT_PATH"/shared/bin/ -YML_IMAGE_VERSION="$(grep -P "^\s+image:\s*malcolm" "$SCRIPT_PATH"/../docker-compose-standalone.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" +YML_IMAGE_VERSION="$(grep -P "^\s+image:.*/malcolm/" "$SCRIPT_PATH"/../docker-compose-standalone.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" [[ -n $YML_IMAGE_VERSION ]] && echo "$YML_IMAGE_VERSION" > "$SCRIPT_PATH"/shared/version.txt [[ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]] && echo "$MAXMIND_GEOIP_DB_LICENSE_KEY" > "$SCRIPT_PATH"/shared/maxmind_license.txt [[ ${#GITHUB_TOKEN} -gt 1 ]] && echo "GITHUB_TOKEN=$GITHUB_TOKEN" >> "$SCRIPT_PATH"/shared/environment.chroot From ae1018a10f025b2d2b98c37c2edae8dd954c8d63 Mon Sep 17 00:00:00 2001 From: SG Date: Thu, 27 Jul 2023 12:49:01 -0600 Subject: [PATCH 22/74] get tool via deb rather than just binary --- .../config/hooks/normal/0910-agg-build.hook.chroot | 11 ++++------- .../config/hooks/normal/0910-sensor-build.hook.chroot | 8 +++----- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot b/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot index 02879baec..a01be53f0 100755 --- a/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot 
@@ -106,14 +106,11 @@ chown root:root ./croc # step RELEASE_URL="https://api.github.com/repos/smallstep/cli/releases/latest" -RELEASE_FILE_REGEX="_linux_.+amd64\\\.tar\\\.gz$" +RELEASE_FILE_REGEX="step-cli.*amd64\\\.deb$" cd /tmp -mkdir -p ./step -curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$RELEASE_URL" | jq '.assets_url' | tr -d '"')" | jq ".[] | select(.browser_download_url|test(\"$RELEASE_FILE_REGEX\")) | .browser_download_url" | tr -d '"')" | tar xzf - -C ./step --strip-components 1 -mv ./step/bin/step /usr/local/bin/step -chmod 755 /usr/local/bin/step -chown root:root /usr/local/bin/step -rm -rf /tmp/step* +curl -o ./step_amd64.deb "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$RELEASE_URL" | jq '.assets_url' | tr -d '"')" | jq ".[] | select(.browser_download_url|test(\"$RELEASE_FILE_REGEX\")) | .browser_download_url" | tr -d '"')" +dpkg -i /tmp/step_amd64.deb +rm -rf /tmp/step_amd64.deb ### # stern diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index 61bd4022d..667322070 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot 
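Review bot: The step-cli package in `0910-agg-build.hook.chroot` is now fetched from the `releases/latest` API and passed straight to `dpkg -i`, with no pinned version and no checksum or signature check on the download. `dpkg -i` runs the package's maintainer scripts inside the chroot, so the package should be verified first. Pinning a release tag and checking a recorded digest would make the ISO build reproducible and tamper-evident, e.g. `echo "EXPECTED_SHA256  /tmp/step_amd64.deb" | sha256sum -c -` ahead of `dpkg -i` (EXPECTED_SHA256 is a placeholder for the digest of the audited release). If `RELEASE_FILE_REGEX` ever matches more than one asset, the inner `jq` emits several URLs and the outer `curl -o` receives a multi-line argument, so `| head -n 1` after `tr -d '"'` is worth adding. The hunk in `sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot` has the same pattern.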
@@ -267,11 +267,9 @@ chmod 755 /usr/local/bin/croc # step cd /tmp -mkdir -p ./step -curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$STEP_RELEASE_URL" | jq '.assets_url' | tr -d '"')" | jq '.[] | select(.browser_download_url|test("_linux_.+amd64\\.tar\\.gz$")) | .browser_download_url' | tr -d '"')" | tar xzf - -C ./step --strip-components 1 -mv ./step/bin/step /usr/local/bin/step -chmod 755 /usr/local/bin/step -rm -rf /tmp/step* +curl -o ./step_amd64.deb "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$STEP_RELEASE_URL" | jq '.assets_url' | tr -d '"')" | jq '.[] | select(.browser_download_url|test("step-cli.*amd64\\.deb$")) | .browser_download_url' | tr -d '"')" +dpkg -i /tmp/step_amd64.deb +rm -rf /tmp/step_amd64.deb ### # update clamav signatures From eb4f023d6c63efc61aa7845b0e12d17410f74542 Mon Sep 17 00:00:00 2001 From: SG Date: Thu, 27 Jul 2023 13:01:36 -0600 Subject: [PATCH 23/74] Remove build packages --- .../config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot | 2 +- .../config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index 79df3e4a2..c82c4394d 100755 --- a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot 
@@ -1,7 +1,7 @@ #!/bin/bash # remove development packages -apt-get -y --purge remove build-essential $(dpkg --get-selections | grep -v deinstall$ | cut -f1 | grep -P -- '-dev(:\w+)?$' | grep -Pv -- '^(dpkg|libgcc)') || true +apt-get -y --purge remove build-essential sparse $(dpkg --get-selections | grep -v deinstall$ | cut -f1 | grep -P -- '-dev(:\w+)?$' | grep -Pv -- '^(dpkg|libgcc)') || true # remove unwanted packages apt-get -y --purge remove bluez-firmware \ diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index 841171c7d..fc7e13f32 100755 --- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -8,6 +8,7 @@ apt-get -y --purge remove \ gdb \ libc6-dbg \ ninja-build \ + sparse \ $(dpkg --get-selections | grep -Pv "(^(dpkg|libbroker|libc6|libcrypt|libdbus|libffi|libfl|libgcc|libmaxminddb|libncurses|libnsl|libobjc|libomp|libpcap|libssl|libstdc|libtinfo|libtirpc|libxml|libyaml|libz|linux-libc|zeek|zlib1g)|deinstall$)" | cut -f1 | grep -P -- '-dev(:\w+)?$') || true rm -rf /var/spool/ccache From 09da8141edd096abfd730471c7d30a614bb67ddc Mon Sep 17 00:00:00 2001 From: SG Date: Thu, 27 Jul 2023 14:52:02 -0600 Subject: [PATCH 24/74] bump opensearch-py API to v2.3.0 --- api/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/requirements.txt b/api/requirements.txt index a46da061d..e2919f390 100644 --- a/api/requirements.txt +++ b/api/requirements.txt @@ -1,7 +1,7 @@ pytz==2021.3 Flask==2.3.2 gunicorn==20.1.0 -opensearch-py==2.2.0 +opensearch-py==2.3.0 requests==2.31.0 regex==2022.3.2 dateparser==1.1.1 \ No newline at end of file From a01752e2aae623020825c2a18d63dcd6c8c757d6 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Fri, 28 Jul 2023 07:47:39 -0600 Subject: [PATCH 25/74] apparently gvfs-backends relies on libx265 --- .../config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot | 1 - .../config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot | 1 - 2 files changed, 2 deletions(-) diff --git a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index c82c4394d..99d3535c4 100755 --- a/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -16,7 +16,6 @@ apt-get -y --purge remove bluez-firmware \ gnome-accessibility-themes \ libasound2-plugins \ libx264* \ - libx265* \ nvidia* \ pavucontrol \ poppler-data \ diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index fc7e13f32..609068bc6 100755 --- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -24,7 +24,6 @@ apt-get -y --purge remove \ gnome-accessibility-themes \ libasound2-plugins \ libx264* \ - libx265* \ lintian \ nvidia* \ network-manager* \ From 40606d771be84fb225737ccf647d4b5c99fa9f6b Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 28 Jul 2023 08:23:15 -0600 Subject: [PATCH 26/74] libpcre3 in Arkime container --- Dockerfiles/arkime.Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile index 4883e378d..1c3156e31 100644 --- a/Dockerfiles/arkime.Dockerfile +++ b/Dockerfiles/arkime.Dockerfile @@ -33,6 +33,7 @@ RUN apt-get -q update && \ libkrb5-dev \ libmaxminddb-dev \ libpcap0.8-dev \ + libpcre3 \ libssl-dev \ libtool \ libwww-perl \ From 3ac0ec9ba7a178643a4908900cfc2b7f27ee0048 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Fri, 28 Jul 2023 08:24:14 -0600 Subject: [PATCH 27/74] libpcre3 in sensor-iso --- sensor-iso/config/package-lists/system.list.chroot | 1 + 1 file changed, 1 insertion(+) diff --git a/sensor-iso/config/package-lists/system.list.chroot b/sensor-iso/config/package-lists/system.list.chroot index d0540662b..3244434ce 100644 --- a/sensor-iso/config/package-lists/system.list.chroot +++ b/sensor-iso/config/package-lists/system.list.chroot @@ -84,6 +84,7 @@ libpam-pwquality libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 +libpcre3 libtool libtsan0 libubsan1 From b1d3120ff973145874aca85f82ce12021a935abc Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 28 Jul 2023 08:31:54 -0600 Subject: [PATCH 28/74] shutdown no longer takes an argument in supervisorctl --- sensor-iso/interface/sensor_ctl/control.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sensor-iso/interface/sensor_ctl/control.sh b/sensor-iso/interface/sensor_ctl/control.sh index 522fb2b68..eb020d25d 100755 --- a/sensor-iso/interface/sensor_ctl/control.sh +++ b/sensor-iso/interface/sensor_ctl/control.sh @@ -12,8 +12,12 @@ CONTROL_VARS_FILE="control_vars.conf" CONTROL_COMMAND="$(basename "${BASH_SOURCE[0]}")" if [[ ($# -eq 0) || (($# -eq 1) && ("$1" = "all")) ]]; then - # no arguments, defaults to all managed processes - CONTROL_PROCESS="all" + if [[ "$CONTROL_COMMAND" = "shutdown" ]]; then + CONTROL_PROCESS=() + else + # no arguments, defaults to all managed processes + CONTROL_PROCESS="all" + fi else # eg., tcpdump, zeek CONTROL_PROCESS="$@" From 811f61ff5abbb63e23a857a66f1f0ea196fc6f03 Mon Sep 17 00:00:00 2001 
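Review bot: `CONTROL_PROCESS` is now an empty array in the `shutdown` branch but a plain string in the other two (`"all"` and `"$@"`), so its type depends on the branch taken. `CONTROL_PROCESS="$@"` also joins several process names into one space-separated string, which only works if the later expansion (outside this hunk) is left unquoted. Making all three branches arrays, `CONTROL_PROCESS=( all )` and `CONTROL_PROCESS=( "$@" )`, and expanding with `"${CONTROL_PROCESS[@]}"` would keep the empty case and the multi-argument case well-defined. The `if` block closes outside the hunk.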
From: Seth Grover Date: Fri, 28 Jul 2023 08:35:18 -0600 Subject: [PATCH 29/74] wireshark master/manuf is no longer published on github, use release-4.0 instead but need to figure out a more permanent solution --- Dockerfiles/arkime.Dockerfile | 2 +- arkime/scripts/arkime_update_geo.sh | 2 +- sensor-iso/build.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile index 1c3156e31..6936a286a 100644 --- a/Dockerfiles/arkime.Dockerfile +++ b/Dockerfiles/arkime.Dockerfile @@ -206,7 +206,7 @@ RUN [ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ] && for DB in ASN Country City; do rm -f "GeoLite2-$DB*"; \ done; \ curl -s -S -L -o $ARKIME_DIR/etc/ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv" && \ - curl -s -S -L -o $ARKIME_DIR/etc/oui.txt "https://raw.githubusercontent.com/wireshark/wireshark/master/manuf" + curl -s -S -L -o $ARKIME_DIR/etc/oui.txt "https://gitlab.com/wireshark/wireshark/raw/release-4.0/manuf" RUN groupadd --gid $DEFAULT_GID $PGROUP && \ useradd -M --uid $DEFAULT_UID --gid $DEFAULT_GID --home $ARKIME_DIR $PUSER && \ diff --git a/arkime/scripts/arkime_update_geo.sh b/arkime/scripts/arkime_update_geo.sh index 5e26566a2..64be5973e 100755 --- a/arkime/scripts/arkime_update_geo.sh +++ b/arkime/scripts/arkime_update_geo.sh @@ -8,7 +8,7 @@ wget -nv --no-check-certificate -O ipv4-address-space.csv_new https://www.iana.o mv -f ipv4-address-space.csv_new ipv4-address-space.csv || \ rm -f ipv4-address-space.csv_new -wget -nv -O oui.txt_new https://raw.githubusercontent.com/wireshark/wireshark/master/manuf && \ +wget -nv -O oui.txt_new https://gitlab.com/wireshark/wireshark/raw/release-4.0/manuf && \ mv -f oui.txt_new oui.txt || \ rm -f oui.txt_new diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index de961a1d5..981c9ff64 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh 
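Review bot: The `curl -s -S -L -o $ARKIME_DIR/etc/oui.txt` call has no `-f`, so when the upstream path disappears again (the reason for this change) the server's error page is written to `oui.txt` and the `RUN` step still succeeds. Adding the flag makes the build stop instead: `curl -f -s -S -L -o $ARKIME_DIR/etc/oui.txt "https://gitlab.com/wireshark/wireshark/raw/release-4.0/manuf"`. The same line in the `sensor-iso/build.sh` hunk needs the same flag, while `arkime_update_geo.sh` already guards its download with `&& mv … || rm`. The file is also taken from a moving branch with no digest check, so a pinned tag or commit would make its content reviewable. The `RUN` instruction starts before the hunk.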
@@ -161,7 +161,7 @@ if [ -d "$WORKDIR" ]; then fi fi curl -s -S -L -o ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv" - curl -s -S -L -o oui.txt "https://raw.githubusercontent.com/wireshark/wireshark/master/manuf" + curl -s -S -L -o oui.txt "https://gitlab.com/wireshark/wireshark/raw/release-4.0/manuf" popd >/dev/null 2>&1 # clone and build Arkime .deb package in its own clean environment (rather than in hooks/) From 70ed7795ed452033d77c453df29192ae9ca83224 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 28 Jul 2023 08:54:38 -0600 Subject: [PATCH 30/74] fix htpdate --- shared/bin/configure-interfaces.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/bin/configure-interfaces.py b/shared/bin/configure-interfaces.py index bd5d17a67..23f061756 100755 --- a/shared/bin/configure-interfaces.py +++ b/shared/bin/configure-interfaces.py @@ -52,8 +52,8 @@ class Constants: TIME_SYNC_NTP = 'ntp' TIME_SYNC_HTPDATE = 'htpdate' TIME_SYNC_HTPDATE_CRON = '/etc/cron.d/htpdate' - TIME_SYNC_HTPDATE_TEST_COMMAND = '/usr/sbin/htpdate -4 -a -b -d' - TIME_SYNC_HTPDATE_COMMAND = '/usr/sbin/htpdate -4 -a -b -l -s' + TIME_SYNC_HTPDATE_TEST_COMMAND = '/usr/sbin/htpdate -4 -a -d' + TIME_SYNC_HTPDATE_COMMAND = '/usr/sbin/htpdate -4 -a -l -s' TIME_SYNC_NTP_CONFIG = '/etc/ntp.conf' SSHD_CONFIG_FILE = "/etc/ssh/sshd_config" From 5e7e041bce26473a3b3e63fdf45ca258f668ddd8 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 28 Jul 2023 10:13:11 -0600 Subject: [PATCH 31/74] azure documentation stub out (idaholab/Malcolm#231) --- docs/README.md | 1 + docs/kubernetes-azure.md | 20 ++++++++++++++++++++ docs/kubernetes.md | 1 + 3 files changed, 22 insertions(+) create mode 100644 docs/kubernetes-azure.md diff --git a/docs/README.md b/docs/README.md index c929dde23..6bc2c152a 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -104,6 +104,7 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation - [Deployment Example](kubernetes.md#Example) - [Future Enhancements](kubernetes.md#Future) - [Deploying Malcolm on Amazon Elastic Kubernetes Service (EKS)](kubernetes-eks.md#KubernetesEKS) + - [Deploying Malcolm on Microsoft Azure Kubernetes Service (AKS)](kubernetes-azure.md#KubernetesAzure) * [Deploying Malcolm in Other Third-Party Environments](third-party-envs.md#ThirdPartyEnv) * [Hardening](hardening.md#Hardening) - [Compliance Exceptions](hardening.md#ComplianceExceptions) diff --git a/docs/kubernetes-azure.md b/docs/kubernetes-azure.md new file mode 100644 index 000000000..f2eca28c8 --- /dev/null +++ b/docs/kubernetes-azure.md 
@@ -0,0 +1,20 @@ +# Deploying Malcolm on Microsoft Azure Kubernetes Service (AKS) + +* [Deploying Malcolm on Microsoft Azure Kubernetes Service (AKS)](#KubernetesAzure) + - [Prerequisites](#Prerequisites) + - [Procedure](#Procedure) +* [Attribution](#AzureAttribution) + +This document outlines the process of setting up a cluster on Microsoft [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/en-us/products/kubernetes-service) using [Azure](https://azure.microsoft.com/en-us/) in preparation for [**Deploying Malcolm with Kubernetes**](kubernetes.md). + +This is a work-in-progress document that is still a bit rough around the edges. Any feedback is welcome in the [relevant issue](https://github.com/idaholab/Malcolm/issues/231) on GitHub. + +This document assumes good working knowledge of Azure and Azure Kubernetes Service (AKS). Good documentation resources can be found in the [Azure documentation](https://learn.microsoft.com/en-us/azure/), the [AKS documentation](https://learn.microsoft.com/en-us/azure/aks/) and the [AKS Workshop](https://www.microsoft.com/azure/partners/news/article/azure-kubernetes-service-workshop). + +## Prerequisites + +## Procedure + +## Attribution + +Microsoft Azure, the Microsoft Azure logo, Azure, and any other Microsoft Azure Marks used in these materials are trademarks of Microsoft Corporation or its affiliates in the United States and/or other countries. The information about providers and services contained in this document is for instructional purposes and does not constitute endorsement or recommendation. diff --git a/docs/kubernetes.md b/docs/kubernetes.md index 3f14f3be1..308bc5ae5 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md 
@@ -15,6 +15,7 @@ - [Horizontal Scaling](#FutureScaleOut) - [Helm Chart](#FutureHelmChart) * [Deploying Malcolm on Amazon Elastic Kubernetes Service (EKS)](kubernetes-eks.md#KubernetesEKS) +* [Deploying Malcolm on Microsoft Azure Kubernetes Service (AKS)](kubernetes-azure.md#KubernetesAzure) This document assumes good working knowledge of Kubernetes (K8s). The comprehensive [Kubernetes documentation](https://kubernetes.io/docs/home/) is a good place to go for more information about Kubernetes. From 41b2e85c6a546493597971696879ac9c44b7d420 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 28 Jul 2023 11:29:43 -0600 Subject: [PATCH 32/74] azure documentation stub out (idaholab/Malcolm#231) --- docs/kubernetes-azure.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/kubernetes-azure.md b/docs/kubernetes-azure.md index f2eca28c8..76a3f7329 100644 --- a/docs/kubernetes-azure.md +++ b/docs/kubernetes-azure.md 
@@ -9,10 +9,12 @@ This document outlines the process of setting up a cluster on Microsoft [Azure K This is a work-in-progress document that is still a bit rough around the edges. Any feedback is welcome in the [relevant issue](https://github.com/idaholab/Malcolm/issues/231) on GitHub. -This document assumes good working knowledge of Azure and Azure Kubernetes Service (AKS). Good documentation resources can be found in the [Azure documentation](https://learn.microsoft.com/en-us/azure/), the [AKS documentation](https://learn.microsoft.com/en-us/azure/aks/) and the [AKS Workshop](https://www.microsoft.com/azure/partners/news/article/azure-kubernetes-service-workshop). +This document assumes good working knowledge of Azure and Azure Kubernetes Service (AKS). Good documentation resources can be found in the [Azure documentation](https://learn.microsoft.com/en-us/azure/), the [AKS documentation](https://learn.microsoft.com/en-us/azure/aks/), [Kubernetes core concepts for Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads), and the [AKS Workshop](https://www.microsoft.com/azure/partners/news/article/azure-kubernetes-service-workshop). ## Prerequisites +* [az cli](https://learn.microsoft.com/en-us/cli/azure/) - the Azure Command Line Interface with functioning access to the Azure infrastructure + ## Procedure ## Attribution From f3ac600229a4bc2917e197c01d6010f48606c5c1 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 28 Jul 2023 11:55:48 -0600 Subject: [PATCH 33/74] be more forceful about rsync --- shared/bin/common-init.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/shared/bin/common-init.sh b/shared/bin/common-init.sh index 3922e05cf..645e0d181 100755 --- a/shared/bin/common-init.sh +++ b/shared/bin/common-init.sh 
@@ -50,8 +50,10 @@ function InjectSkeleton() { if [ -n "$1" ]; then USER_TO_FIX="$1" USER_HOME="$(getent passwd "$USER_TO_FIX" | cut -d: -f6)" - if [ -d "$USER_HOME" ] && [ -d /etc/skel ] && [ ! -d "$USER_HOME"/.config ]; then + if [ -d "$USER_HOME" ] && [ -d /etc/skel ] && [ ! -f "$USER_HOME"/.config/skel.synced ]; then rsync -a --ignore-existing --chown="$(id -u "$USER_TO_FIX"):$(id -g "$USER_TO_FIX")" /etc/skel/ "$USER_HOME"/ + date -Iseconds > "$USER_HOME"/.config/skel.synced + chown $(id -u "$USER_TO_FIX"):$(id -g "$USER_TO_FIX") "$USER_HOME"/.config/skel.synced fi fi } From ff8e94687420630a85cc49e12c6212d496314dfc Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 28 Jul 2023 14:39:31 -0600 Subject: [PATCH 34/74] set some packages as manually installed --- malcolm-iso/config/includes.binary/install/preseed_base.cfg | 1 + sensor-iso/config/includes.binary/install/preseed_base.cfg | 1 + 2 files changed, 2 insertions(+) diff --git a/malcolm-iso/config/includes.binary/install/preseed_base.cfg b/malcolm-iso/config/includes.binary/install/preseed_base.cfg index 1d18bfce4..6c455c4db 100644 --- a/malcolm-iso/config/includes.binary/install/preseed_base.cfg +++ b/malcolm-iso/config/includes.binary/install/preseed_base.cfg @@ -36,6 +36,7 @@ d-i preseed/late_command string \ echo 'deb http://security.debian.org/debian-security bookworm-security main contrib non-free' >> /target/etc/apt/sources.list; \ echo 'deb http://deb.debian.org/debian bookworm-updates main contrib non-free' >> /target/etc/apt/sources.list; \ in-target bash /usr/local/bin/agg-init.sh; \ + in-target bash -c "( apt-mark manual aide aide-common step-cli ) || true"; \ in-target bash -c "(virt-what | grep -q vmware) || apt-get purge -y open-vm-tools-desktop"; \ in-target bash -c "(virt-what | grep -q virtualbox) || apt-get purge -y virtualbox-guest*"; \ in-target bash -c "(virt-what | grep -q -E 'qemu|kvm') || apt-get purge -y qemu-guest-agent"; \ 
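Review bot: The marker is written with `date -Iseconds > "$USER_HOME"/.config/skel.synced` without making sure `.config` exists, so if `/etc/skel` ships no `.config` directory the redirect fails, the marker is never created and the rsync runs on every call. The write and the following `chown` also act on a path inside a directory the target user owns; if this function runs as root (the `--chown` on rsync suggests so), both follow a symlink at `skel.synced`. I would create `.config` owned by the user before the redirect, skip the write when `[ -L "$USER_HOME"/.config/skel.synced ]`, and quote the substitutions: `chown -h "$(id -u "$USER_TO_FIX"):$(id -g "$USER_TO_FIX")" "$USER_HOME"/.config/skel.synced`.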
diff --git a/sensor-iso/config/includes.binary/install/preseed_base.cfg b/sensor-iso/config/includes.binary/install/preseed_base.cfg index 81b5ba435..49bd4cd6d 100644 --- a/sensor-iso/config/includes.binary/install/preseed_base.cfg +++ b/sensor-iso/config/includes.binary/install/preseed_base.cfg @@ -48,6 +48,7 @@ d-i preseed/late_command string \ echo 'deb http://deb.debian.org/debian bookworm-updates main contrib non-free' >> /target/etc/apt/sources.list; \ in-target touch /etc/capture_storage_format; \ in-target bash /usr/local/bin/sensor-init.sh; \ + in-target bash -c "( apt-mark manual aide aide-common filebeat libbroker-dev netsniff-ng step-cli suricata* yara zeek* ) || true"; \ in-target bash -c "(virt-what | grep -q vmware) || apt-get purge -y open-vm-tools-desktop"; \ in-target bash -c "(virt-what | grep -q virtualbox) || apt-get purge -y virtualbox-guest*"; \ in-target bash -c "(virt-what | grep -q -E 'qemu|kvm') || apt-get purge -y qemu-guest-agent"; \ From db2889598cdef678098c78799afce26e30a797b0 Mon Sep 17 00:00:00 2001 
From: SG Date: Mon, 31 Jul 2023 09:01:35 -0600 Subject: [PATCH 35/74] don't install packages in hooks, do it with config/packages.chroot --- .../hooks/normal/0910-agg-build.hook.chroot | 14 +--- .../hooks/normal/0992-localepurge.hook.chroot | 2 - .../includes.binary/install/preseed_base.cfg | 1 - .../config/package-lists/system.list.chroot | 2 + sensor-iso/build.sh | 46 ++++++++++--- .../normal/0910-sensor-build.hook.chroot | 66 ++----------------- .../hooks/normal/0992-localepurge.hook.chroot | 1 - .../includes.binary/install/preseed_base.cfg | 1 - .../config/package-lists/sensor.list.chroot | 4 +- .../config/package-lists/system.list.chroot | 2 + shared/aide/Dockerfile | 33 ---------- shared/aide/build-aide-deb.sh | 49 -------------- shared/aide/build-docker-image.sh | 11 ---- 13 files changed, 53 insertions(+), 179 deletions(-) delete mode 100644 shared/aide/Dockerfile delete mode 100755 shared/aide/build-aide-deb.sh delete mode 100755 shared/aide/build-docker-image.sh diff --git a/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot b/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot index a01be53f0..7f04f501d 100755 --- a/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot @@ -1,9 +1,6 @@ #!/bin/bash -apt-get -qqy update - -# aide itself was built from github master branch (for JSON output) -apt-get install --no-install-recommends -y -q aide-common +# tweak some stuff for aide chmod a-x /etc/cron.daily/aide chattr +i /etc/cron.daily/aide mkdir -p /etc/aide/aide.conf.d /var/lib/aide 
@@ -104,15 +101,6 @@ chmod 755 ./croc chown root:root ./croc ### -# step -RELEASE_URL="https://api.github.com/repos/smallstep/cli/releases/latest" -RELEASE_FILE_REGEX="step-cli.*amd64\\\.deb$" -cd /tmp -curl -o ./step_amd64.deb "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$RELEASE_URL" | jq '.assets_url' | tr -d '"')" | jq ".[] | select(.browser_download_url|test(\"$RELEASE_FILE_REGEX\")) | .browser_download_url" | tr -d '"')" -dpkg -i /tmp/step_amd64.deb -rm -rf /tmp/step_amd64.deb -### - # stern RELEASE_URL="https://api.github.com/repos/stern/stern/releases/latest" RELEASE_FILE_REGEX="_linux_amd64\\\.tar\\\.gz$" diff --git a/malcolm-iso/config/hooks/normal/0992-localepurge.hook.chroot b/malcolm-iso/config/hooks/normal/0992-localepurge.hook.chroot index 777533438..08f4e6a07 100755 --- a/malcolm-iso/config/hooks/normal/0992-localepurge.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0992-localepurge.hook.chroot @@ -13,8 +13,6 @@ localepurge localepurge/none_selected boolean false EOF debconf-set-selections < /tmp/localepurge.preseed rm -f /tmp/localepurge.preseed -apt-get -qqy update -apt-get -y install localepurge dpkg-reconfigure --frontend=noninteractive localepurge sed -i "s/^\(USE_DPKG\)/#\1/" /etc/locale.nopurge sed -i "s/^\(NEEDSCONFIGFIRST\)/#\1/" /etc/locale.nopurge diff --git a/malcolm-iso/config/includes.binary/install/preseed_base.cfg b/malcolm-iso/config/includes.binary/install/preseed_base.cfg index 6c455c4db..1d18bfce4 100644 --- a/malcolm-iso/config/includes.binary/install/preseed_base.cfg +++ b/malcolm-iso/config/includes.binary/install/preseed_base.cfg 
@@ -36,7 +36,6 @@ d-i preseed/late_command string \ echo 'deb http://security.debian.org/debian-security bookworm-security main contrib non-free' >> /target/etc/apt/sources.list; \ echo 'deb http://deb.debian.org/debian bookworm-updates main contrib non-free' >> /target/etc/apt/sources.list; \ in-target bash /usr/local/bin/agg-init.sh; \ - in-target bash -c "( apt-mark manual aide aide-common step-cli ) || true"; \ in-target bash -c "(virt-what | grep -q vmware) || apt-get purge -y open-vm-tools-desktop"; \ in-target bash -c "(virt-what | grep -q virtualbox) || apt-get purge -y virtualbox-guest*"; \ in-target bash -c "(virt-what | grep -q -E 'qemu|kvm') || apt-get purge -y qemu-guest-agent"; \ diff --git a/malcolm-iso/config/package-lists/system.list.chroot b/malcolm-iso/config/package-lists/system.list.chroot index 8598d8205..9525899e4 100644 --- a/malcolm-iso/config/package-lists/system.list.chroot +++ b/malcolm-iso/config/package-lists/system.list.chroot @@ -1,4 +1,6 @@ accountsservice +aide +aide-common apache2-utils apparmor apparmor-profiles diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index 981c9ff64..b9dd55696 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -5,6 +5,13 @@ IMAGE_PUBLISHER=idaholab IMAGE_VERSION=1.0.0 IMAGE_DISTRIBUTION=bookworm +ZEEK_DISTRO=Debian_12 +ZEEK_VER=5.2.2-0 +ZEEK_LTS= + +BEATS_VER="8.9.0" +BEATS_OSS="-oss" + BUILD_ERROR_CODE=1 if [ "$(id -u)" != "0" ]; then @@ -94,8 +101,6 @@ if [ -d "$WORKDIR" ]; then echo "$PKG" >> ./config/package-lists/firmwares.list.chroot done - mkdir -p ./config/includes.chroot/opt/hedgehog_install_artifacts - # copy the interface code into place for the resultant image mkdir -p ./config/includes.chroot/opt rsync -a "$SCRIPT_PATH/interface/" ./config/includes.chroot/opt/sensor/ 
@@ -140,11 +145,33 @@ if [ -d "$WORKDIR" ]; then ln -r -s ./config/includes.chroot/usr/share/images/hedgehog/*wallpaper*.png ./config/includes.chroot/usr/share/images/desktop-base/ find "$SCRIPT_PATH/docs/images/hedgehog/logo/font/" -type f -name "*.ttf" -exec cp "{}" ./config/includes.chroot/usr/share/fonts/truetype/ubuntu/ \; - # clone and build aide .deb package in its own clean environment (rather than in hooks/) - bash "$SCRIPT_PATH/shared/aide/build-docker-image.sh" - docker run --rm -v "$SCRIPT_PATH"/shared/aide:/build aide-build:latest -o /build - cp "$SCRIPT_PATH/shared/aide"/*.deb ./config/includes.chroot/opt/hedgehog_install_artifacts/ - mv "$SCRIPT_PATH/shared/aide"/*.deb ./config/packages.chroot/ + # download deb files to be installed during installation + pushd ./config/packages.chroot/ >/dev/null 2>&1 + + # zeek + if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS + curl -sSL --remote-name-all \ + "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeek${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \ + "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-client_${ZEEK_VER}_all.deb" \ + "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VER}_all.deb" \ + "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-btest_${ZEEK_VER}_all.deb" \ + 
"https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VER}_all.deb" + + # filebeat + BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX" + BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb" + for BEAT in filebeat; do + BEATS_URL="$(echo "$BEATS_DEB_URL_TEMPLATE" | sed "s/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEAT/g")" + BEATS_DEB="$BEAT-$BEATS_VER-amd64.deb" + curl -f -L -o "$BEATS_DEB" "$BEATS_URL" + done + + popd >/dev/null 2>&1 # grab maxmind geoip database files, iana ipv4 address ranges, wireshark oui lists, etc. mkdir -p "$SCRIPT_PATH/arkime/etc" @@ -168,9 +195,12 @@ if [ -d "$WORKDIR" ]; then rsync -a "$SCRIPT_PATH"/shared/arkime_patch "$SCRIPT_PATH"/arkime/arkime_patch bash "$SCRIPT_PATH/arkime/build-docker-image.sh" docker run --rm -v "$SCRIPT_PATH"/arkime:/build arkime-build:latest -o /build - cp "$SCRIPT_PATH/arkime"/*.deb ./config/includes.chroot/opt/hedgehog_install_artifacts/ mv "$SCRIPT_PATH/arkime"/*.deb ./config/packages.chroot/ + # save these extra debs off into hedgehog_install_artifacts + mkdir -p ./config/includes.chroot/opt/hedgehog_install_artifacts + cp ./config/packages.chroot/*.deb ./config/includes.chroot/opt/hedgehog_install_artifacts/ + mkdir -p ./config/includes.installer cp -v ./config/includes.binary/install/* ./config/includes.installer/ cp -v ./config/includes.chroot/usr/local/bin/preseed_partman_determine_disk.sh ./config/includes.installer/ diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index 667322070..98c17ab2a 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot 
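Review bot: The Zeek packages are fetched with `curl -sSL --remote-name-all`, which lacks `-f`, so an HTTP error for any of the ten URLs leaves an error page named `*.deb` in `config/packages.chroot`; the filebeat download just below already uses `curl -f -L`. Neither download is checked against a known digest or signature before the files are handed to the image build. Using `curl -fsSL --remote-name-all` and verifying the directory against a checked-in digest list, e.g. `sha256sum -c DIGEST_FILE` (DIGEST_FILE is a placeholder), would make a truncated or tampered package fail the build. The enclosing `if [ -d "$WORKDIR" ]` block starts and ends outside the hunk.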
@@ -13,34 +13,22 @@ GITHUB_API_CURL_ARGS+=( -H ) GITHUB_API_CURL_ARGS+=( "Accept: application/vnd.github.v3+json" ) [[ -n "$GITHUB_TOKEN" ]] && GITHUB_API_CURL_ARGS+=( -H ) && GITHUB_API_CURL_ARGS+=( "Authorization: token $GITHUB_TOKEN" ) -ZEEK_VER=5.2.2-0 -ZEEK_LTS= ZEEK_DIR="/opt/zeek" export PATH="${ZEEK_DIR}"/bin:$PATH SURICATA_RULES_DIR="/etc/suricata/rules" -BEATS_VER="8.9.0" -BEATS_OSS="-oss" -BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX" -BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb" - NETSNIFF_RELEASE_URL="https://api.github.com/repos/netsniff-ng/netsniff-ng/releases/latest" CAPA_RELEASE_URL="https://api.github.com/repos/fireeye/capa/releases/latest" YQ_RELEASE_URL="https://api.github.com/repos/mikefarah/yq/releases/latest" SUPERCRONIC_RELEASE_URL="https://api.github.com/repos/aptible/supercronic/releases/latest" CROC_RELEASE_URL="https://api.github.com/repos/schollz/croc/releases/latest" -STEP_RELEASE_URL="https://api.github.com/repos/smallstep/cli/releases/latest" YARA_RELEASE_URL="https://api.github.com/repos/VirusTotal/yara/releases/latest" YARA_RULES_SRC_DIR="/opt/yara-rules-src" YARA_RULES_DIR="/opt/yara-rules" mkdir -p /opt/hedgehog_install_artifacts/ -apt-get -qqy update - -# an arkime .deb is built and installed in a different context - # Install netsniff-ng cd /tmp mkdir ./netsniff-ng 
@@ -57,26 +45,10 @@ cd /tmp rm -Rf ./netsniff-ng ## -# Download and install zeek, spicy and 3rd-party zeek plugins -mkdir -p /tmp/zeek-packages "${CCACHE_DIR}" - -# zeek -cd /tmp/zeek-packages -if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS -curl -sSL --remote-name-all \ - "https://download.zeek.org/binary-packages/Debian_12/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_12/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \ - "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-client_${ZEEK_VER}_all.deb" \ - "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VER}_all.deb" \ - "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest_${ZEEK_VER}_all.deb" \ - "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VER}_all.deb" -dpkg -i ./*.deb - -# plugins +# Download and install spicy and 3rd-party zeek plugins +mkdir -p "${CCACHE_DIR}" + +# zeek plugins cd /tmp zkg autoconfig --force bash /usr/local/bin/zeek_install_plugins.sh 
@@ -107,12 +79,11 @@ touch /opt/sensor/sensor_ctl/zeek/intel/__load__.zeek # cleanup cd /usr/local/src tar czf zeek-$ZEEK_VER-hedgehog.tar.gz -C /opt zeek spicy -mv ./zeek-$ZEEK_VER-hedgehog.tar.gz /tmp/zeek-packages /opt/hedgehog_install_artifacts/ +mv ./zeek-$ZEEK_VER-hedgehog.tar.gz /opt/hedgehog_install_artifacts/ rm -Rf zeek-$ZEEK_VER* ### -# aide itself was built from github master branch (for JSON output) -apt-get install --no-install-recommends -y -q aide-common +# tweak some stuff for aide chmod a-x /etc/cron.daily/aide chattr +i /etc/cron.daily/aide mkdir -p /etc/aide/aide.conf.d /var/lib/aide @@ -198,9 +169,7 @@ cat << 'EOF' >> /etc/aide/aide.conf.d/00_local_excludes EOF ### -# suricata -apt-get install --no-install-recommends -y -q suricata suricata-update - +# update suricata rules /usr/bin/suricata-update -v -D /var/lib/suricata --etopen cd "${SURICATA_RULES_DIR}"/.. 
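Review bot: `$ZEEK_VER` is still expanded in `tar czf zeek-$ZEEK_VER-hedgehog.tar.gz`, in the new `mv ./zeek-$ZEEK_VER-hedgehog.tar.gz /opt/hedgehog_install_artifacts/` and in `rm -Rf zeek-$ZEEK_VER*`, but this commit removes the `ZEEK_VER=5.2.2-0` assignment from the top of the hook and moves it to `sensor-iso/build.sh`, where it is not exported. Unless the variable reaches the chroot hook some other way (not visible here), the archive is named `zeek--hedgehog.tar.gz` and the cleanup becomes `rm -Rf zeek-*`. Deriving the version inside the hook, e.g. `ZEEK_VER="$(dpkg-query -W -f='${Version}' zeek)"` (package name as in the download URLs, to be confirmed for the LTS case), or keeping the assignment would restore the intended names.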
@@ -265,32 +234,11 @@ mv ./croc /usr/local/bin/croc chmod 755 /usr/local/bin/croc ### -# step -cd /tmp -curl -o ./step_amd64.deb "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$STEP_RELEASE_URL" | jq '.assets_url' | tr -d '"')" | jq '.[] | select(.browser_download_url|test("step-cli.*amd64\\.deb$")) | .browser_download_url' | tr -d '"')" -dpkg -i /tmp/step_amd64.deb -rm -rf /tmp/step_amd64.deb -### - # update clamav signatures freshclam --stdout --quiet --no-warnings ### -# install filebeat -for BEAT in filebeat; do - BEATS_URL="$(echo "$BEATS_DEB_URL_TEMPLATE" | sed "s/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEAT/g")" - BEATS_DEB="$BEAT-$BEATS_VER-amd64.deb" - pushd /tmp && \ - curl -f -L -o "$BEATS_DEB" "$BEATS_URL" && \ - dpkg -i "$BEATS_DEB" && \ - cp "$BEATS_DEB" /opt/hedgehog_install_artifacts/ && \ - rm -rf "$BEATS_DEB" && \ - popd -done - -### - # set up capabilities for network-related tools chown root:netdev /usr/sbin/netsniff-ng && \ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip CAP_SYS_ADMIN+eip' /usr/sbin/netsniff-ng diff --git a/sensor-iso/config/hooks/normal/0992-localepurge.hook.chroot b/sensor-iso/config/hooks/normal/0992-localepurge.hook.chroot index bfce4cfe2..08f4e6a07 100755 --- a/sensor-iso/config/hooks/normal/0992-localepurge.hook.chroot +++ b/sensor-iso/config/hooks/normal/0992-localepurge.hook.chroot @@ -13,7 +13,6 @@ localepurge localepurge/none_selected boolean false EOF debconf-set-selections < /tmp/localepurge.preseed rm -f /tmp/localepurge.preseed -apt-get -y install localepurge dpkg-reconfigure --frontend=noninteractive localepurge sed -i "s/^\(USE_DPKG\)/#\1/" /etc/locale.nopurge sed -i "s/^\(NEEDSCONFIGFIRST\)/#\1/" /etc/locale.nopurge diff --git a/sensor-iso/config/includes.binary/install/preseed_base.cfg b/sensor-iso/config/includes.binary/install/preseed_base.cfg index 49bd4cd6d..81b5ba435 100644 --- a/sensor-iso/config/includes.binary/install/preseed_base.cfg 
+++ b/sensor-iso/config/includes.binary/install/preseed_base.cfg @@ -48,7 +48,6 @@ d-i preseed/late_command string \ echo 'deb http://deb.debian.org/debian bookworm-updates main contrib non-free' >> /target/etc/apt/sources.list; \ in-target touch /etc/capture_storage_format; \ in-target bash /usr/local/bin/sensor-init.sh; \ - in-target bash -c "( apt-mark manual aide aide-common filebeat libbroker-dev netsniff-ng step-cli suricata* yara zeek* ) || true"; \ in-target bash -c "(virt-what | grep -q vmware) || apt-get purge -y open-vm-tools-desktop"; \ in-target bash -c "(virt-what | grep -q virtualbox) || apt-get purge -y virtualbox-guest*"; \ in-target bash -c "(virt-what | grep -q -E 'qemu|kvm') || apt-get purge -y qemu-guest-agent"; \ diff --git a/sensor-iso/config/package-lists/sensor.list.chroot b/sensor-iso/config/package-lists/sensor.list.chroot index 02e62b868..90bb0c502 100644 --- a/sensor-iso/config/package-lists/sensor.list.chroot +++ b/sensor-iso/config/package-lists/sensor.list.chroot @@ -1 +1,3 @@ -fluent-bit \ No newline at end of file +fluent-bit +suricata +suricata-update diff --git a/sensor-iso/config/package-lists/system.list.chroot b/sensor-iso/config/package-lists/system.list.chroot index 3244434ce..b1cb7cc67 100644 --- a/sensor-iso/config/package-lists/system.list.chroot +++ b/sensor-iso/config/package-lists/system.list.chroot @@ -1,4 +1,6 @@ accountsservice +aide +aide-common apparmor apparmor-profiles apparmor-utils diff --git a/shared/aide/Dockerfile b/shared/aide/Dockerfile deleted file mode 100644 index 45740b249..000000000 --- a/shared/aide/Dockerfile +++ /dev/null 
@@ -1,33 +0,0 @@ -FROM debian:11-slim - -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -LABEL maintainer="malcolm@inl.gov" - -ENV DEBIAN_FRONTEND noninteractive - -RUN apt-get -q update && \ - apt-get install -q -y --no-install-recommends \ - autoconf \ - autoconf-archive \ - automake \ - autotools-dev \ - binutils \ - bison \ - build-essential \ - ca-certificates \ - checkinstall \ - flex \ - git \ - libmhash-dev \ - libpcre2-dev \ - libtool \ - m4 \ - make \ - pkg-config \ - zlib1g-dev && \ - rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* - -ADD build-aide-deb.sh /usr/local/bin/ - -ENTRYPOINT ["/bin/bash", "/usr/local/bin/build-aide-deb.sh"] diff --git a/shared/aide/build-aide-deb.sh b/shared/aide/build-aide-deb.sh deleted file mode 100755 index 132181cf2..000000000 --- a/shared/aide/build-aide-deb.sh +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -AIDE_URL="https://github.com/aide/aide.git" -AIDE_BRANCH=master -OUTPUT_DIR="/tmp" -unset VERBOSE - -while getopts o:v opts; do - case ${opts} in - o) OUTPUT_DIR=${OPTARG} ;; - v) VERBOSE=1 ;; - esac -done - -set -e -if [[ -n $VERBOSE ]]; then - set -x -fi - -apt-get -q update - -cd /tmp -git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --no-tags --branch="$AIDE_BRANCH" "$AIDE_URL" "./aide-$AIDE_BRANCH" -cd "./aide-$AIDE_BRANCH" -AIDE_COMMIT_DATE="$(git log -1 --format="%at" | xargs -I{} date -d @{} "+%Y%m%d%H%M%S")" - -bash ./autogen.sh -./configure --prefix=/usr -make -checkinstall -y -D \ - --strip=yes \ - --stripso=yes \ - --install=no \ - --fstrans=no \ - --pkgname=aide \ - --pkgversion="$AIDE_COMMIT_DATE" \ - --pkgarch="amd64" \ - --pkgsource="$AIDE_URL" - -ls -l *.deb && mv -v *.deb "$OUTPUT_DIR"/ - -cd /tmp - -if [[ -n $VERBOSE ]]; then - set +x -fi -set +e 
diff --git a/shared/aide/build-docker-image.sh b/shared/aide/build-docker-image.sh deleted file mode 100755 index ccfd1d43b..000000000 --- a/shared/aide/build-docker-image.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -# force-navigate to script directory -SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -pushd "$SCRIPT_PATH" >/dev/null 2>&1 - -docker build -t aide-build:latest . - -popd >/dev/null 2>&1 From 0e1bbb350211eed77f95bf5ec55daab59c3e0027 Mon Sep 17 00:00:00 2001 From: SG Date: Mon, 31 Jul 2023 09:55:03 -0600 Subject: [PATCH 36/74] build YARA deb outside of hooks --- sensor-iso/build.sh | 5 +++ .../normal/0910-sensor-build.hook.chroot | 33 +--------------- .../0990-remove-unwanted-pkg.hook.chroot | 1 - .../config/package-lists/build.list.chroot | 1 - .../config/package-lists/net.list.chroot | 1 + sensor-iso/yara/Dockerfile | 28 ++++++++++++++ sensor-iso/yara/build-docker-image.sh | 11 ++++++ sensor-iso/yara/build-yara-deb.sh | 38 +++++++++++++++++++ 8 files changed, 84 insertions(+), 34 deletions(-) create mode 100644 sensor-iso/yara/Dockerfile create mode 100755 sensor-iso/yara/build-docker-image.sh create mode 100755 sensor-iso/yara/build-yara-deb.sh diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index b9dd55696..6df7453f4 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -173,6 +173,11 @@ if [ -d "$WORKDIR" ]; then popd >/dev/null 2>&1 + # clone and build yara .deb package in its own clean environment (rather than in hooks/) + bash "$SCRIPT_PATH/yara/build-docker-image.sh" + docker run --rm -v "$SCRIPT_PATH"/yara:/build yara-build:latest -o /build + mv "$SCRIPT_PATH/yara"/*.deb ./config/packages.chroot/ + # grab maxmind geoip database files, iana ipv4 address ranges, wireshark oui lists, etc. mkdir -p "$SCRIPT_PATH/arkime/etc" pushd "$SCRIPT_PATH/arkime/etc" 
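Review bot: The `docker run` added to `sensor-iso/build.sh` bind-mounts the whole `$SCRIPT_PATH/yara` directory read-write at `/build`, and that directory also holds the `Dockerfile` and the build scripts used for the next build. The container runs `./bootstrap.sh`, `./configure` and `make` from a freshly downloaded tarball, so code from that download executes with write access to the project's own build inputs. Mounting a dedicated output directory keeps it to the one thing it needs to write: `YARA_OUT="$(mktemp -d)"`, `docker run --rm -v "$YARA_OUT":/build yara-build:latest -o /build`, `mv "$YARA_OUT"/*.deb ./config/packages.chroot/`. The `mv` glob would also pick up any stale `.deb` left in the source directory by an earlier interrupted run, which a fresh temporary directory avoids.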
diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index 98c17ab2a..f1e5b234b 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot @@ -18,33 +18,15 @@ export PATH="${ZEEK_DIR}"/bin:$PATH SURICATA_RULES_DIR="/etc/suricata/rules" -NETSNIFF_RELEASE_URL="https://api.github.com/repos/netsniff-ng/netsniff-ng/releases/latest" CAPA_RELEASE_URL="https://api.github.com/repos/fireeye/capa/releases/latest" YQ_RELEASE_URL="https://api.github.com/repos/mikefarah/yq/releases/latest" SUPERCRONIC_RELEASE_URL="https://api.github.com/repos/aptible/supercronic/releases/latest" CROC_RELEASE_URL="https://api.github.com/repos/schollz/croc/releases/latest" -YARA_RELEASE_URL="https://api.github.com/repos/VirusTotal/yara/releases/latest" YARA_RULES_SRC_DIR="/opt/yara-rules-src" YARA_RULES_DIR="/opt/yara-rules" mkdir -p /opt/hedgehog_install_artifacts/ -# Install netsniff-ng -cd /tmp -mkdir ./netsniff-ng -NETSNIFF_VER="$(curl "${GITHUB_API_CURL_ARGS[@]}" "$NETSNIFF_RELEASE_URL" | jq '.tag_name' | tr -d '"' | sed 's/^v//')" -curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$NETSNIFF_RELEASE_URL" | jq '.tarball_url' | tr -d '"')" | tar xzf - -C ./netsniff-ng --strip-components 1 -cd ./netsniff-ng -./configure --prefix=/usr --disable-geoip -make netsniff-ng -# make netsniff-ng_install -checkinstall -y -D --strip=yes --stripso=yes --install=yes --fstrans=no --pkgname="netsniff-ng" --pkgversion="$NETSNIFF_VER" --pkgarch="amd64" --pkgsource="$NETSNIFF_URL" make netsniff-ng_install -cp *.deb /opt/hedgehog_install_artifacts/ - -cd /tmp -rm -Rf ./netsniff-ng -## - # Download and install spicy and 3rd-party zeek plugins mkdir -p "${CCACHE_DIR}" 
@@ -177,20 +159,7 @@ tar czf suricata-rules-hedgehog.tar.gz "$(basename "${SURICATA_RULES_DIR}")" mv ./suricata-rules-hedgehog.tar.gz /opt/hedgehog_install_artifacts/ ### -# yara -cd /tmp -mkdir ./yara -YARA_VER="$(curl "${GITHUB_API_CURL_ARGS[@]}" "$YARA_RELEASE_URL" | jq '.tag_name' | tr -d '"' | sed 's/^v//')" -curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$YARA_RELEASE_URL" | jq '.tarball_url' | tr -d '"')" | tar xzf - -C ./yara --strip-components 1 -cd ./yara -./bootstrap.sh -./configure --prefix=/usr --with-crypto --enable-magic --enable-cuckoo --enable-dotnet -make -#make install -checkinstall -y -D --strip=yes --stripso=yes --install=yes --fstrans=no --pkgname="yara" --pkgversion="$YARA_VER" --pkgarch="amd64" --pkgsource="$YARA_URL" -cp *.deb /opt/hedgehog_install_artifacts/ -cd /tmp -rm -rf /yara +# update yara rules mkdir -p "${YARA_RULES_DIR}"/custom "${YARA_RULES_SRC_DIR}" /usr/local/bin/yara_rules_setup.sh -r "${YARA_RULES_SRC_DIR}" -y "${YARA_RULES_DIR}" diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index 609068bc6..5464579c9 100755 --- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -4,7 +4,6 @@ # remove development packages not necessary for building dynamic Zeek plugins apt-get -y --purge remove \ - checkinstall \ gdb \ libc6-dbg \ ninja-build \ diff --git a/sensor-iso/config/package-lists/build.list.chroot b/sensor-iso/config/package-lists/build.list.chroot index 7afaf8176..b0ee3b83c 100644 --- a/sensor-iso/config/package-lists/build.list.chroot +++ b/sensor-iso/config/package-lists/build.list.chroot @@ -1,6 +1,5 @@ bison ccache -checkinstall cmake gcc g++ diff --git a/sensor-iso/config/package-lists/net.list.chroot b/sensor-iso/config/package-lists/net.list.chroot index 6e75c971b..511f0fb59 100644 
--- a/sensor-iso/config/package-lists/net.list.chroot +++ b/sensor-iso/config/package-lists/net.list.chroot @@ -13,6 +13,7 @@ libpcap0.8 libssh2-1 macchanger netcat-openbsd +netsniff-ng ntp openssh-client openssh-server diff --git a/sensor-iso/yara/Dockerfile b/sensor-iso/yara/Dockerfile new file mode 100644 index 000000000..4afe51c14 --- /dev/null +++ b/sensor-iso/yara/Dockerfile @@ -0,0 +1,28 @@ +FROM debian:12-slim + +# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. + +LABEL maintainer="malcolm@inl.gov" + +ENV DEBIAN_FRONTEND noninteractive + +RUN apt-get -q update && \ + apt-get install -q -y --no-install-recommends \ + automake \ + bison \ + ca-certificates \ + checkinstall \ + curl \ + flex \ + gcc \ + libjansson-dev \ + libmagic-dev \ + libssl-dev \ + libtool \ + make \ + pkg-config && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +ADD build-yara-deb.sh /usr/local/bin/ + +ENTRYPOINT ["/bin/bash", "/usr/local/bin/build-yara-deb.sh"] diff --git a/sensor-iso/yara/build-docker-image.sh b/sensor-iso/yara/build-docker-image.sh new file mode 100755 index 000000000..190dd2454 --- /dev/null +++ b/sensor-iso/yara/build-docker-image.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. + +# force-navigate to script directory +SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +pushd "$SCRIPT_PATH" >/dev/null 2>&1 + +docker build -t yara-build:latest . + +popd >/dev/null 2>&1 diff --git a/sensor-iso/yara/build-yara-deb.sh b/sensor-iso/yara/build-yara-deb.sh new file mode 100755 index 000000000..dd8415742 --- /dev/null +++ b/sensor-iso/yara/build-yara-deb.sh 
@@ -0,0 +1,38 @@ +#!/bin/bash + +# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. + +YARA_URL="https://github.com/VirusTotal/YARA" +YARA_VER="$(curl -sqI "$YARA_URL/releases/latest" | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}' | sed 's/^v//')" +OUTPUT_DIR="/tmp" +unset VERBOSE + +while getopts o:v opts; do + case ${opts} in + o) OUTPUT_DIR=${OPTARG} ;; + v) VERBOSE=1 ;; + esac +done + +set -e +if [[ -n $VERBOSE ]]; then + set -x +fi + + +cd /tmp +mkdir ./yara +curl -sSL "$YARA_URL/tarball/v$YARA_VER" | tar xzf - -C ./yara --strip-components 1 +cd ./yara +./bootstrap.sh +./configure --prefix=/usr --with-crypto --enable-magic --enable-cuckoo +make +checkinstall -y -D --strip=yes --stripso=yes --install=no --fstrans=no --pkgname=yara --pkgversion="$YARA_VER" --pkgarch="amd64" --pkgsource="$YARA_URL" +ls -l *.deb && mv -v *.deb "$OUTPUT_DIR"/ + +cd /tmp + +if [[ -n $VERBOSE ]]; then + set +x +fi +set +e From 79523f7cc74e7dc15d08b70b9111a2f6bb1bde08 Mon Sep 17 00:00:00 2001 From: SG Date: Mon, 31 Jul 2023 09:56:36 -0600 Subject: [PATCH 37/74] get AIDE from repos rather than building for Malcolm ISO --- malcolm-iso/build.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh index acb14c7f6..7776458c6 100755 --- a/malcolm-iso/build.sh +++ b/malcolm-iso/build.sh 
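Review bot: `build-yara-deb.sh` resolves `YARA_VER` from the `releases/latest` redirect and pipes the tarball straight into `tar` with no integrity check, so the package installed on the sensor ISO is whatever that URL serves at build time. `set -e` is only enabled after `YARA_VER` is computed, and there is no `pipefail` or `curl -f`, so a failed lookup leaves the version empty and the script still requests `tarball/v`. Pinning the release and checking a recorded SHA-256 before extraction makes the build reproducible and fails closed on a changed or truncated download. If the forge's generated archives turn out not to be byte-stable, pin and check out a specific commit instead. The values below are placeholders to be filled from a release you have verified.

```shell
set -eo pipefail
# … unchanged: OUTPUT_DIR default and getopts option parsing …
YARA_VER="<pinned release version>"
YARA_SHA256="<sha256 of the verified tarball>"

cd /tmp
mkdir ./yara
curl -fsSL -o ./yara.tar.gz "$YARA_URL/tarball/v$YARA_VER"
echo "$YARA_SHA256  ./yara.tar.gz" | sha256sum -c -
tar xzf ./yara.tar.gz -C ./yara --strip-components 1
# … unchanged: bootstrap.sh, configure, make, checkinstall, mv of the .deb …
```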
@@ -172,11 +172,6 @@ if [ -d "$WORKDIR" ]; then cat "$SCRIPT_PATH/shared/environment.chroot" >> ./config/environment.chroot echo "PYTHONDONTWRITEBYTECODE=1" >> ./config/environment.chroot - # clone and build aide .deb package in its own clean environment (rather than in hooks/) - bash "$SCRIPT_PATH/../shared/aide/build-docker-image.sh" - docker run --rm -v "$SCRIPT_PATH"/../shared/aide:/build aide-build:latest -o /build - mv "$SCRIPT_PATH/../shared/aide"/*.deb ./config/packages.chroot/ - # copy shared scripts and some branding stuff mkdir -p ./config/includes.chroot/usr/local/bin/ rsync -a "$SCRIPT_PATH/../shared/bin/" ./config/includes.chroot/usr/local/bin/ From 608015a6d8a48cee34202476bdb32616e7ccdcaa Mon Sep 17 00:00:00 2001 From: SG Date: Mon, 31 Jul 2023 13:16:05 -0600 Subject: [PATCH 38/74] install filebeat from apt repo --- sensor-iso/build.sh | 9 ------ sensor-iso/config/archives/beats.key.binary | 31 +++++++++++++++++++ sensor-iso/config/archives/beats.key.chroot | 31 +++++++++++++++++++ sensor-iso/config/archives/beats.list.binary | 1 + sensor-iso/config/archives/beats.list.chroot | 2 ++ .../config/package-lists/sensor.list.chroot | 1 + 6 files changed, 66 insertions(+), 9 deletions(-) create mode 100644 sensor-iso/config/archives/beats.key.binary create mode 100644 sensor-iso/config/archives/beats.key.chroot create mode 100644 sensor-iso/config/archives/beats.list.binary create mode 100644 sensor-iso/config/archives/beats.list.chroot diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index 6df7453f4..3193505be 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh 
@@ -162,15 +162,6 @@ if [ -d "$WORKDIR" ]; then "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-btest_${ZEEK_VER}_all.deb" \ "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VER}_all.deb" - # filebeat - BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX" - BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb" - for BEAT in filebeat; do - BEATS_URL="$(echo "$BEATS_DEB_URL_TEMPLATE" | sed "s/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEAT/g")" - BEATS_DEB="$BEAT-$BEATS_VER-amd64.deb" - curl -f -L -o "$BEATS_DEB" "$BEATS_URL" - done - popd >/dev/null 2>&1 # clone and build yara .deb package in its own clean environment (rather than in hooks/) diff --git a/sensor-iso/config/archives/beats.key.binary b/sensor-iso/config/archives/beats.key.binary new file mode 100644 index 000000000..1b50dcca7 --- /dev/null +++ b/sensor-iso/config/archives/beats.key.binary 
@@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sensor-iso/config/archives/beats.key.chroot b/sensor-iso/config/archives/beats.key.chroot new file mode 100644 index 000000000..1b50dcca7 --- /dev/null 
+++ b/sensor-iso/config/archives/beats.key.chroot @@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/sensor-iso/config/archives/beats.list.binary b/sensor-iso/config/archives/beats.list.binary new file mode 100644 index 000000000..c469d1942 --- /dev/null +++ b/sensor-iso/config/archives/beats.list.binary @@ -0,0 +1 @@ +deb https://artifacts.elastic.co/packages/oss-8.x/apt stable main \ No newline at end of file diff --git a/sensor-iso/config/archives/beats.list.chroot b/sensor-iso/config/archives/beats.list.chroot new file mode 100644 index 000000000..65858a0c3 --- /dev/null +++ b/sensor-iso/config/archives/beats.list.chroot @@ -0,0 +1,2 @@ +deb https://artifacts.elastic.co/packages/oss-8.x/apt stable main + diff --git a/sensor-iso/config/package-lists/sensor.list.chroot b/sensor-iso/config/package-lists/sensor.list.chroot index 90bb0c502..7af1c3a42 100644 --- a/sensor-iso/config/package-lists/sensor.list.chroot +++ b/sensor-iso/config/package-lists/sensor.list.chroot @@ -1,3 +1,4 @@ +filebeat fluent-bit suricata suricata-update From 3bb964d614e2accb64c6c443a048dfa71dce7826 Mon Sep 17 00:00:00 2001 From: SG Date: Mon, 31 Jul 2023 15:48:39 -0600 Subject: [PATCH 39/74] Fix netbox script --- netbox/scripts/netbox_init.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py index dd0098ca3..40f232e7d 100755 --- a/netbox/scripts/netbox_init.py +++ b/netbox/scripts/netbox_init.py @@ -411,7 +411,7 @@ def main(): try: nb.dcim.manufacturers.create(manufDef) except pynetbox.RequestError as nbe: - logging.warning(f"{type(nbe).__name__} processing manufacturer \"{manuf["name"]}\": {nbe}") + logging.warning(f"{type(nbe).__name__} processing manufacturer \"{manuf['name']}\": {nbe}") manufacturers = {x.name: x for x in nb.dcim.manufacturers.all()} logging.debug(f"Manufacturers (after): { {k:v.id for k, v in manufacturers.items()} }") From 4c1644a594a136d504145f318cd0065d1606a39a Mon Sep 17 00:00:00 2001 
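Review bot: The `deb` line in `beats.list.binary` and `beats.list.chroot` carries no `signed-by` option, so the key from `beats.key.*` is presumably installed as a globally trusted apt key and could then vouch for packages from any configured repository, not only this one. Scoping it, `deb [signed-by=<path to the installed Elastic keyring>] https://artifacts.elastic.co/packages/oss-8.x/apt stable main`, limits the key to the Elastic archive; the path depends on where the live-build version in use places archive keys. The removed `build.sh` code fetched a fixed `$BEATS_VER`, while the repository install takes whatever `filebeat` version is current at build time, so an apt preferences pin restricting this origin to `filebeat` at the intended version would restore that control. Committing key material also warrants recording in the commit message how its fingerprint was checked against the vendor's published value.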
From: SG Date: Tue, 1 Aug 2023 12:08:44 -0600 Subject: [PATCH 40/74] Fixes for arkime and upload containers --- Dockerfiles/arkime.Dockerfile | 7 ++++--- file-upload/nginx/sites-available/default | 2 +- file-upload/supervisord.conf | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile index 6936a286a..48efa51eb 100644 --- a/Dockerfiles/arkime.Dockerfile +++ b/Dockerfiles/arkime.Dockerfile @@ -33,7 +33,7 @@ RUN apt-get -q update && \ libkrb5-dev \ libmaxminddb-dev \ libpcap0.8-dev \ - libpcre3 \ + libpcre3-dev \ libssl-dev \ libtool \ libwww-perl \ @@ -50,7 +50,7 @@ RUN apt-get -q update && \ swig \ wget \ zlib1g-dev && \ - python3 -m pip install --break-system-packages --no-cache-dir beautifulsoup4 && \ + python3 -m pip install --break-system-packages --no-cache-dir beautifulsoup4 meson && \ cd /opt && \ git clone --recurse-submodules --branch="$ARKIME_VERSION" "$ARKIME_URL" "./arkime-"$ARKIME_VERSION && \ cd "./arkime-"$ARKIME_VERSION && \ @@ -149,6 +149,7 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour libkrb5-3 \ libmaxminddb0 \ libpcap0.8 \ + libpcre3 \ libssl3 \ libtool \ libwww-perl \ @@ -164,9 +165,9 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour rsync \ sudo \ supervisor \ + tini \ vim-tiny \ wget \ - tini \ tar gzip unzip cpio bzip2 lzma xz-utils p7zip-full unrar zlib1g && \ python3 -m pip install --break-system-packages --no-cache-dir beautifulsoup4 pyzmq watchdog && \ ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \ diff --git a/file-upload/nginx/sites-available/default b/file-upload/nginx/sites-available/default index 68fb276d8..003e2bc20 100644 --- a/file-upload/nginx/sites-available/default +++ b/file-upload/nginx/sites-available/default 
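Review bot: `meson` is added to a `pip install` that has no version or hash constraints, in the second hunk of `arkime.Dockerfile`. The command runs as part of the image build with `--break-system-packages`, so a build tool fetched from the package index at whatever version is current executes during compilation of Arkime. Pinning it, `python3 -m pip install --break-system-packages --no-cache-dir beautifulsoup4==<version> meson==<version>`, or better a requirements file installed with `--require-hashes`, keeps the build reproducible. If the distribution's own `meson` package is new enough for this Arkime version, installing it through the existing `apt-get` list would remove the extra source altogether. The enclosing `RUN` instruction starts and ends outside the hunk.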
@@ -22,7 +22,7 @@ server { fastcgi_send_timeout 300s; fastcgi_busy_buffers_size 384k; fastcgi_request_buffering off; - fastcgi_pass unix:/run/php/php7.4-fpm.sock; + fastcgi_pass unix:/run/php/php8.2-fpm.sock; } location ~ /\.ht { diff --git a/file-upload/supervisord.conf b/file-upload/supervisord.conf index abcac3abe..25e2322c6 100644 --- a/file-upload/supervisord.conf +++ b/file-upload/supervisord.conf @@ -25,7 +25,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:php] -command=php-fpm7.4 -F -R -g /tmp/php-fpm.pid +command=php-fpm8.2 -F -R -g /tmp/php-fpm.pid stdout_logfile=/dev/fd/1 stdout_logfile_maxbytes=0 redirect_stderr=true From 067fa9a11ff5fedeadfa3f0221983e166a715e33 Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 1 Aug 2023 13:46:56 -0600 Subject: [PATCH 41/74] handle changes to ICSNPP parsers with source_ip/destination_ip fields idaholab/Malcolm#233 --- .../29a1b290-eb98-11e9-a384-0fcf32210194.json | 3 - .../2bec1490-eb94-11e9-a384-0fcf32210194.json | 3 - .../e76d05c0-eb9f-11e9-a384-0fcf32210194.json | 2 - logstash/pipelines/zeek/11_zeek_parse.conf | 92 +++++++++---------- logstash/pipelines/zeek/12_zeek_mutate.conf | 9 ++ 5 files changed, 55 insertions(+), 54 deletions(-) diff --git a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json index 965fadb4e..9940028e3 100644 --- a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json @@ -368,7 +368,6 @@ "destination.ip", "event.action", "event.result", - "network.is_orig", "zeek.cip.direction", "zeek.cip.cip_sequence_count", "zeek.cip.class_id", @@ -457,7 +456,6 @@ "destination.ip", "event.action", "event.result", - "network.is_orig", "zeek.enip.options", "zeek.enip.sender_context", "zeek.enip.session_handle", 
@@ -500,7 +498,6 @@ "columns": [ "source.ip", "destination.ip", - "network.is_orig", "zeek.cip_io.connection_id", "zeek.cip_io.sequence_number", "zeek.cip_io.data_length", diff --git a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json index fbca23fdf..2f218e86c 100644 --- a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json @@ -435,7 +435,6 @@ "columns": [ "source.ip", "destination.ip", - "network.is_orig", "zeek.bacnet.bvlc_function", "zeek.bacnet.pdu_type", "zeek.bacnet.pdu_service", @@ -478,7 +477,6 @@ "columns": [ "source.ip", "destination.ip", - "network.is_orig", "zeek.bacnet_property.pdu_service", "zeek.bacnet_property.object_type", "zeek.bacnet.instance_number", @@ -522,7 +520,6 @@ "columns": [ "source.ip", "destination.ip", - "network.is_orig", "zeek.bacnet_discovery.pdu_service", "zeek.bacnet_discovery.object_type", "zeek.bacnet.instance_number", diff --git a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json index 8e9e8ec31..523c02acd 100644 --- a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json @@ -359,7 +359,6 @@ "source.port", "destination.ip", "destination.port", - "network.is_orig", "event.action", "event.result", "zeek.s7comm.pdu_reference", @@ -400,7 +399,6 @@ "source.port", "destination.ip", "destination.port", - "network.is_orig", "event.action", "event.result", "zeek.uid" diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf index d0bfcdd10..5f84a1906 100644 --- a/logstash/pipelines/zeek/11_zeek_parse.conf +++ b/logstash/pipelines/zeek/11_zeek_parse.conf 
@@ -214,7 +214,7 @@ filter { id => "dissect_zeek_bacnet" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}" } } if ("_dissectfailure" in [tags]) { @@ -225,7 +225,7 @@ filter { } ruby { id => "ruby_zip_zeek_bacnet" - init => "$zeek_bacnet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]" + init => "$zeek_bacnet_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]" code => "event.set('[zeek_cols]', $zeek_bacnet_field_names.zip(event.get('[message]')).to_h)" } } 
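Review bot: The fallback in `ruby_zip_zeek_bacnet` zips the new sixteen-name list with the message columns purely by position, so a log with the previous column layout gets its values attached to the wrong names with no failure tag. A log from an older ICSNPP parser would have its real addresses land in the `drop_*` fields and `orig_h` would receive the BVLC function value. For a monitoring pipeline that means silently wrong source and destination attribution. A length check makes the mismatch visible: `code => "cols = event.get('[message]'); if cols.length == $zeek_bacnet_field_names.length then event.set('[zeek_cols]', $zeek_bacnet_field_names.zip(cols).to_h) else event.tag('_zeekcolumnmismatch') end"` (the tag name is only an example). The same applies to the `bsap_ip_header`, `bsap_ip_rdb`, `bsap_serial_header` and `bsap_serial_rdb` hunks that follow; the surrounding `filter` block extends beyond each hunk.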
@@ -275,7 +275,7 @@ filter { id => "dissect_zeek_bsap_ip_header" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][num_msg]} %{[zeek_cols][type_name]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][num_msg]} %{[zeek_cols][type_name]}" } } if ("_dissectfailure" in [tags]) { @@ -286,7 +286,7 @@ filter { } ruby { id => "ruby_zip_zeek_bsap_ip_header" - init => "$zeek_bsap_ip_header_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'num_msg', 'type_name' ]" + init => "$zeek_bsap_ip_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'num_msg', 'type_name' ]" code => "event.set('[zeek_cols]', $zeek_bsap_ip_header_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -309,7 +309,7 @@ filter { id => "dissect_zeek_bsap_ip_rdb" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][header_size]} %{[zeek_cols][mes_seq]} %{[zeek_cols][res_seq]} %{[zeek_cols][data_len]} %{[zeek_cols][sequence]} %{[zeek_cols][app_func_code]} %{[zeek_cols][node_status]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_size]} %{[zeek_cols][mes_seq]} %{[zeek_cols][res_seq]} %{[zeek_cols][data_len]} %{[zeek_cols][sequence]} %{[zeek_cols][app_func_code]} %{[zeek_cols][node_status]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}" } } if ("_dissectfailure" in [tags]) { @@ -320,7 +320,7 @@ filter { } ruby { id => "ruby_zip_zeek_bsap_ip_rdb" - init => "$zeek_bsap_ip_rdb_field_names = [ 'ts', 'uid', 'header_size', 'mes_seq', 'res_seq', 'data_len', 'sequence', 'app_func_code', 'node_status', 'func_code', 'variable_count', 'variables', 'variable_value' ]" + init => "$zeek_bsap_ip_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_size', 'mes_seq', 'res_seq', 'data_len', 'sequence', 'app_func_code', 'node_status', 'func_code', 'variable_count', 'variables', 'variable_value' ]" code => "event.set('[zeek_cols]', $zeek_bsap_ip_rdb_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -343,7 +343,7 @@ filter { id => "dissect_zeek_bsap_serial_header" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ser]} %{[zeek_cols][dadd]} %{[zeek_cols][sadd]} %{[zeek_cols][ctl]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][type_name]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ser]} %{[zeek_cols][dadd]} %{[zeek_cols][sadd]} %{[zeek_cols][ctl]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][type_name]}" } } if ("_dissectfailure" in [tags]) { @@ -354,7 +354,7 @@ filter { } ruby { id => "ruby_zip_zeek_bsap_serial_header" - init => "$zeek_bsap_serial_header_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ser', 'dadd', 'sadd', 'ctl', 'dfun', 'seq', 'sfun', 'nsb', 'type_name' ]" + init => "$zeek_bsap_serial_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ser', 'dadd', 'sadd', 'ctl', 'dfun', 'seq', 'sfun', 'nsb', 'type_name' ]" code => "event.set('[zeek_cols]', $zeek_bsap_serial_header_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -377,7 +377,7 @@ filter { id => "dissect_zeek_bsap_serial_rdb" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}" } } if ("_dissectfailure" in [tags]) { @@ -388,7 +388,7 @@ filter { } ruby { id => "ruby_zip_zeek_bsap_serial_rdb" - init => "$zeek_bsap_serial_rdb_field_names = [ 'ts', 'uid', 'func_code', 'variable_count', 'variables', 'variable_value' ]" + init => "$zeek_bsap_serial_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'func_code', 'variable_count', 'variables', 'variable_value' ]" code => "event.set('[zeek_cols]', $zeek_bsap_serial_rdb_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -411,7 +411,7 @@ filter { id => "dissect_zeek_bsap_serial_rdb_ext" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][extfun]} %{[zeek_cols][data]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][extfun]} %{[zeek_cols][data]}" } } if ("_dissectfailure" in [tags]) { @@ -422,7 +422,7 @@ filter { } ruby { id => "ruby_zip_zeek_bsap_serial_rdb_ext" - init => "$zeek_bsap_serial_rdb_ext_field_names = [ 'ts', 'uid', 'dfun', 'seq', 'sfun', 'nsb', 'extfun', 'data' ]" + init => "$zeek_bsap_serial_rdb_ext_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'dfun', 'seq', 'sfun', 'nsb', 'extfun', 'data' ]" code => "event.set('[zeek_cols]', $zeek_bsap_serial_rdb_ext_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -451,7 +451,7 @@ filter { id => "dissect_zeek_bacnet_device_control" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][time_duration]} %{[zeek_cols][device_state]} %{[zeek_cols][password]} %{[zeek_cols][result]} %{[zeek_cols][result_code]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][time_duration]} %{[zeek_cols][device_state]} %{[zeek_cols][password]} %{[zeek_cols][result]} %{[zeek_cols][result_code]}" } } if ("_dissectfailure" in [tags]) { @@ -462,7 +462,7 @@ filter { } ruby { id => "ruby_zip_zeek_bacnet_device_control" - init => "$zeek_bacnet_device_control_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'invoke_id', 'pdu_service', 'time_duration', 'device_state', 'password', 'result', 'result_code' ]" + init => "$zeek_bacnet_device_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'time_duration', 'device_state', 'password', 'result', 'result_code' ]" code => "event.set('[zeek_cols]', $zeek_bacnet_device_control_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -485,7 +485,7 @@ filter { id => "dissect_zeek_bacnet_discovery" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}" } } if ("_dissectfailure" in [tags]) { @@ -496,7 +496,7 @@ filter { } ruby { id => "ruby_zip_zeek_bacnet_discovery" - init => "$zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'pdu_service', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]" + init => "$zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_service', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]" code => "event.set('[zeek_cols]', $zeek_bacnet_discovery_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -519,7 +519,7 @@ filter { id => "dissect_zeek_bacnet_property" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}" } } if ("_dissectfailure" in [tags]) { @@ -530,7 +530,7 @@ filter { } ruby { id => "ruby_zip_zeek_bacnet_property" - init => "$zeek_bacnet_property_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'invoke_id', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]" + init => "$zeek_bacnet_property_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]" code => "event.set('[zeek_cols]', $zeek_bacnet_property_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -555,7 +555,7 @@ filter { id => "dissect_zeek_cip" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}" } } if ("_dissectfailure" in [tags]) { 
@@ -566,7 +566,7 @@ filter { } ruby { id => "ruby_zip_zeek_cip" - init => "$zeek_cip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]" + init => "$zeek_cip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]" code => "event.set('[zeek_cols]', $zeek_cip_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -588,7 +588,7 @@ filter { id => "dissect_zeek_cip_identity" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}" } } if ("_dissectfailure" in [tags]) { 
@@ -599,7 +599,7 @@ filter { } ruby { id => "ruby_zip_zeek_cip_identity" - init => "$zeek_cip_identity_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'device_status', 'serial_number', 'product_name', 'device_state' ]" + init => "$zeek_cip_identity_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'device_status', 'serial_number', 'product_name', 'device_state' ]" code => "event.set('[zeek_cols]', $zeek_cip_identity_field_names.zip(event.get('[message]')).to_h)" } } @@ -620,7 +620,7 @@ filter { id => "dissect_zeek_cip_io" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}" } } if ("_dissectfailure" in [tags]) { 
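Review bot: The name list in `ruby_zip_zeek_cip_identity` has no `'revision'` entry, while the dissect mapping for the same log (previous hunk) reads `%{[zeek_cols][revision]}` between `product_code` and `device_status`. On the zip path every value from `revision` onward is therefore stored under the next column's name and the last value is dropped, so `device_status`, `serial_number`, `product_name` and `device_state` come out wrong for asset identification. The old line had the same gap and the new line carries it over; add the missing name: `'product_code', 'revision', 'device_status',`.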
@@ -631,7 +631,7 @@ filter { } ruby { id => "ruby_zip_zeek_cip_io" - init => "$zeek_cip_io_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]" + init => "$zeek_cip_io_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]" code => "event.set('[zeek_cols]', $zeek_cip_io_field_names.zip(event.get('[message]')).to_h)" } } @@ -805,7 +805,7 @@ filter { id => "dissect_zeek_dnp3_control" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][block_type]} %{[zeek_cols][function_code]} %{[zeek_cols][index_number]} %{[zeek_cols][trip_control_code]} %{[zeek_cols][operation_type]} %{[zeek_cols][execute_count]} %{[zeek_cols][on_time]} %{[zeek_cols][off_time]} %{[zeek_cols][status_code]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][block_type]} %{[zeek_cols][function_code]} %{[zeek_cols][index_number]} %{[zeek_cols][trip_control_code]} %{[zeek_cols][operation_type]} %{[zeek_cols][execute_count]} %{[zeek_cols][on_time]} %{[zeek_cols][off_time]} %{[zeek_cols][status_code]}" } } if ("_dissectfailure" in [tags]) { 
@@ -816,7 +816,7 @@ filter { } ruby { id => "ruby_zip_zeek_dnp3_control" - init => "$zeek_dnp3_control_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'block_type', 'function_code', 'index_number', 'trip_control_code', 'operation_type', 'execute_count', 'on_time', 'off_time', 'status_code' ]" + init => "$zeek_dnp3_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'block_type', 'function_code', 'index_number', 'trip_control_code', 'operation_type', 'execute_count', 'on_time', 'off_time', 'status_code' ]" code => "event.set('[zeek_cols]', $zeek_dnp3_control_field_names.zip(event.get('[message]')).to_h)" } } @@ -836,7 +836,7 @@ filter { id => "dissect_zeek_dnp3_objects" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][function_code]} %{[zeek_cols][object_type]} %{[zeek_cols][object_count]} %{[zeek_cols][range_low]} %{[zeek_cols][range_high]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][function_code]} %{[zeek_cols][object_type]} %{[zeek_cols][object_count]} %{[zeek_cols][range_low]} %{[zeek_cols][range_high]}" } } if ("_dissectfailure" in [tags]) { 
@@ -847,7 +847,7 @@ filter { } ruby { id => "ruby_zip_zeek_dnp3_objects" - init => "$zeek_dnp3_objects_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'function_code', 'object_type', 'object_count', 'range_low', 'range_high' ]" + init => "$zeek_dnp3_objects_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'function_code', 'object_type', 'object_count', 'range_low', 'range_high' ]" code => "event.set('[zeek_cols]', $zeek_dnp3_objects_field_names.zip(event.get('[message]')).to_h)" } } @@ -942,7 +942,7 @@ filter { id => "dissect_zeek_enip" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}" } } if ("_dissectfailure" in [tags]) { 
@@ -953,7 +953,7 @@ filter { } ruby { id => "ruby_zip_zeek_enip" - init => "$zeek_enip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]" + init => "$zeek_enip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]" code => "event.set('[zeek_cols]', $zeek_enip_field_names.zip(event.get('[message]')).to_h)" } } @@ -1623,7 +1623,7 @@ filter { id => "dissect_zeek_cotp" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][pdu_code]} %{[zeek_cols][pdu_name]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_code]} %{[zeek_cols][pdu_name]}" } } if ("_dissectfailure" in [tags]) { @@ -1634,7 +1634,7 @@ filter { } ruby { id => "ruby_zip_zeek_cotp" - init => "$zeek_cotp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'pdu_code', 'pdu_name' ]" + init => "$zeek_cotp_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_code', 'pdu_name' ]" code => "event.set('[zeek_cols]', $zeek_cotp_field_names.zip(event.get('[message]')).to_h)" } } 
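Review bot: `$zeek_enip_field_names` in `ruby_zip_zeek_enip` omits `'enip_command_code'`, which the dissect mapping for this log (preceding hunk) places between `resp_p` and `enip_command`. When the zip path is taken, the command code lands in `enip_command` and every later field (`length`, `session_handle`, `enip_status`, `sender_context`, `options`) is shifted by one, with the final value dropped. The gap predates this commit but the rewritten line keeps it; the list should read `'resp_p', 'enip_command_code', 'enip_command', 'length',`.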
@@ -1938,7 +1938,7 @@ filter { id => "dissect_zeek_modbus_detailed" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}" } } if ("_dissectfailure" in [tags]) { @@ -1949,7 +1949,7 @@ filter { } ruby { id => "ruby_zip_zeek_modbus_detailed" - init => "$zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]" + init => "$zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]" code => "event.set('[zeek_cols]', $zeek_modbus_detailed_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -1969,7 +1969,7 @@ filter { id => "dissect_zeek_modbus_mask_write_register" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}" } } if ("_dissectfailure" in [tags]) { @@ -1980,7 +1980,7 @@ filter { } ruby { id => "ruby_zip_zeek_modbus_mask_write_register" - init => "$zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]" + init => "$zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]" code => "event.set('[zeek_cols]', $zeek_modbus_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)" } } 
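Review bot: The unchanged `code` line of `ruby_zip_zeek_modbus_mask_write_register` reads `$zeek_modbus_modbus_mask_write_register_field_names` (doubled `modbus_`), while the `init` line edited just above it defines `$zeek_modbus_mask_write_register_field_names`. Unless the doubled name is defined elsewhere in the file, that global is nil, the `.zip` call raises, and the zip path never fills `[zeek_cols]` for mask-write-register events. Since this hunk already touches the block, fix the reference as well: `code => "event.set('[zeek_cols]', $zeek_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)"`.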
@@ -1999,7 +1999,7 @@ filter { id => "dissect_zeek_modbus_read_write_multiple_registers" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}" } } if ("_dissectfailure" in [tags]) { @@ -2010,7 +2010,7 @@ filter { } ruby { id => "ruby_zip_zeek_modbus_read_write_multiple_registers" - init => "$zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]" + init => "$zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]" code => "event.set('[zeek_cols]', $zeek_modbus_read_write_multiple_registers_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -2549,7 +2549,7 @@ filter { id => "dissect_zeek_s7comm" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][rosctr_code]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]} %{[zeek_cols][subfunction_code]} %{[zeek_cols][subfunction_name]} %{[zeek_cols][error_class]} %{[zeek_cols][error_code]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_code]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]} %{[zeek_cols][subfunction_code]} %{[zeek_cols][subfunction_name]} %{[zeek_cols][error_class]} %{[zeek_cols][error_code]}" } } if ("_dissectfailure" in [tags]) { @@ -2560,7 +2560,7 @@ filter { } ruby { id => "ruby_zip_zeek_s7comm" - init => "$zeek_s7comm_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'rosctr_code', 'rosctr_name', 'pdu_reference', 'function_code', 'function_name', 'subfunction_code', 'subfunction_name', 'error_class', 'error_code' ]" + init => "$zeek_s7comm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_code', 'rosctr_name', 'pdu_reference', 'function_code', 'function_name', 'subfunction_code', 'subfunction_name', 'error_class', 'error_code' ]" code => "event.set('[zeek_cols]', $zeek_s7comm_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -2583,7 +2583,7 @@ filter { id => "dissect_zeek_s7comm_plus" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][version]} %{[zeek_cols][opcode]} %{[zeek_cols][opcode_name]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][opcode]} %{[zeek_cols][opcode_name]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]}" } } if ("_dissectfailure" in [tags]) { @@ -2594,7 +2594,7 @@ filter { } ruby { id => "ruby_zip_zeek_s7comm_plus" - init => "$zeek_s7comm_plus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'version', 'opcode', 'opcode_name', 'function_code', 'function_name' ]" + init => "$zeek_s7comm_plus_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'opcode', 'opcode_name', 'function_code', 'function_name' ]" code => "event.set('[zeek_cols]', $zeek_s7comm_plus_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -2617,7 +2617,7 @@ filter { id => "dissect_zeek_s7comm_read_szl" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][method]} %{[zeek_cols][szl_id]} %{[zeek_cols][szl_id_name]} %{[zeek_cols][szl_index]} %{[zeek_cols][return_code]} %{[zeek_cols][return_code_name]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][method]} %{[zeek_cols][szl_id]} %{[zeek_cols][szl_id_name]} %{[zeek_cols][szl_index]} %{[zeek_cols][return_code]} %{[zeek_cols][return_code_name]}" } } if ("_dissectfailure" in [tags]) { @@ -2628,7 +2628,7 @@ filter { } ruby { id => "ruby_zip_zeek_s7comm_read_szl" - init => "$zeek_s7comm_read_szl_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_reference', 'method', 'szl_id', 'szl_id_name', 'szl_index', 'return_code', 'return_code_name' ]" + init => "$zeek_s7comm_read_szl_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_reference', 'method', 'szl_id', 'szl_id_name', 'szl_index', 'return_code', 'return_code_name' ]" code => "event.set('[zeek_cols]', $zeek_s7comm_read_szl_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -2651,7 +2651,7 @@ filter { id => "dissect_zeek_s7comm_upload_download" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_name]} %{[zeek_cols][function_status]} %{[zeek_cols][session_id]} %{[zeek_cols][blocklength]} %{[zeek_cols][filename]} %{[zeek_cols][block_type]} %{[zeek_cols][block_number]} %{[zeek_cols][destination_filesystem]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_name]} %{[zeek_cols][function_status]} %{[zeek_cols][session_id]} %{[zeek_cols][blocklength]} %{[zeek_cols][filename]} %{[zeek_cols][block_type]} %{[zeek_cols][block_number]} %{[zeek_cols][destination_filesystem]}" } } if ("_dissectfailure" in [tags]) { 
@@ -2662,7 +2662,7 @@ filter { } ruby { id => "ruby_zip_zeek_s7comm_upload_download" - init => "$zeek_s7comm_upload_download_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_name', 'pdu_reference', 'function_name', 'function_status', 'session_id', 'blocklength', 'filename', 'block_type', 'block_number', 'destination_filesystem' ]" + init => "$zeek_s7comm_upload_download_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_name', 'pdu_reference', 'function_name', 'function_status', 'session_id', 'blocklength', 'filename', 'block_type', 'block_number', 'destination_filesystem' ]" code => "event.set('[zeek_cols]', $zeek_s7comm_upload_download_field_names.zip(event.get('[message]')).to_h)" } } diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf index ad3bc4873..1ae4e31cb 100644 --- a/logstash/pipelines/zeek/12_zeek_mutate.conf +++ b/logstash/pipelines/zeek/12_zeek_mutate.conf @@ -41,6 +41,15 @@ filter { rename => { "[zeek][%{[log_source]}][community_id]" => "[network][community_id]" } } + # we'll just save the "true" source and destination fields. + # see, for example, https://github.com/cisagov/icsnpp-bacnet#source-and-destination-fields + mutate { id => "mutate_remove_zeek_common_fields" + remove_field => [ + "[zeek][%{[log_source]}][drop_orig_h]", + "[zeek][%{[log_source]}][drop_orig_p]", + "[zeek][%{[log_source]}][drop_resp_h]", + "[zeek][%{[log_source]}][drop_resp_p]" ] } + # create a repeatable fingerprint for document ID fingerprint { id => "fingerprint_zeek_event_hash" From eea83cfb41fd7b223bc33932cde92bc96a3b7b03 Mon Sep 17 00:00:00 2001 
From: SG Date: Tue, 1 Aug 2023 16:08:00 -0600 Subject: [PATCH 42/74] work in progress for idaholab/Malcolm#228, add more vendors to NetBox manufacturers list. using generic initializer rather than custom python script --- Dockerfiles/netbox.Dockerfile | 15 +- netbox/config/plugins.py | 4 +- netbox/device-roles-defaults.json | 260 -------------- netbox/manufacturers-default.json | 48 --- netbox/preload/device_roles.yml | 282 +++++++++++++++ netbox/preload/manufacturers.yml | 22 ++ netbox/preload/service_templates.yml | 274 +++++++++++++++ netbox/scripts/netbox_init.py | 117 ------- netbox/service-template-defaults.json | 486 -------------------------- netbox/supervisord.conf | 3 - 10 files changed, 593 insertions(+), 918 deletions(-) delete mode 100644 netbox/device-roles-defaults.json delete mode 100644 netbox/manufacturers-default.json create mode 100644 netbox/preload/device_roles.yml create mode 100644 netbox/preload/manufacturers.yml create mode 100644 netbox/preload/service_templates.yml delete mode 100644 netbox/service-template-defaults.json diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index 424654f63..ffe6f88e7 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile 
@@ -28,34 +28,43 @@ ENV SUPERCRONIC "supercronic-linux-amd64" ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735" ENV SUPERCRONIC_CRONTAB "/etc/crontab" +ENV YQ_VERSION "4.33.3" +ENV YQ_URL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" + ENV NETBOX_DEVICETYPE_LIBRARY_URL "https://codeload.github.com/netbox-community/devicetype-library/tar.gz/master" ARG NETBOX_DEVICETYPE_LIBRARY_PATH="/opt/netbox-devicetype-library" ARG NETBOX_DEFAULT_SITE=Malcolm ARG NETBOX_CRON=true +ARG NETBOX_PRELOAD_PATH="/opt/netbox-preload" ENV BASE_PATH netbox ENV NETBOX_DEVICETYPE_LIBRARY_PATH $NETBOX_DEVICETYPE_LIBRARY_PATH ENV NETBOX_DEFAULT_SITE $NETBOX_DEFAULT_SITE ENV NETBOX_CRON $NETBOX_CRON +ENV NETBOX_PRELOAD_PATH $NETBOX_PRELOAD_PATH RUN apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get install -q -y --no-install-recommends \ + git \ jq \ procps \ psmisc \ rsync \ supervisor \ tini && \ - /opt/netbox/venv/bin/python -m pip install --break-system-packages --no-cache-dir psycopg2 pynetbox python-slugify randomcolor && \ + /opt/netbox/venv/bin/python -m pip install --break-system-packages --no-cache-dir 'git+https://github.com/mmguero-dev/netbox-initializers' psycopg2 pynetbox python-slugify randomcolor && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" && \ ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic && \ touch "${SUPERCRONIC_CRONTAB}" && \ - apt-get -q -y autoremove && \ + curl -fsSL -o /usr/bin/yq "${YQ_URL}" && \ + chmod 755 /usr/bin/yq && \ + apt-get -q -y --purge remove git && \ + apt-get -q -y --purge autoremove && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \ groupadd --gid ${DEFAULT_GID} ${PUSER} && \ 
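Review bot: The `yq` binary is fetched with `curl -fsSL -o /usr/bin/yq "${YQ_URL}"` and made executable without any integrity check, although the supercronic download a few lines above is verified with `sha1sum -c`. The `pip install 'git+https://github.com/mmguero-dev/netbox-initializers'` in the same RUN instruction tracks the repository's default branch, so two builds of the same Malcolm commit can ship different plugin code. I would add `ENV YQ_SHA256SUM "<sha256-of-yq_linux_amd64>"`, follow the download with `echo "${YQ_SHA256SUM}  /usr/bin/yq" | sha256sum -c -`, and pin the plugin as `'git+https://github.com/mmguero-dev/netbox-initializers@<commit-sha>'`. The RUN instruction continues past the end of this hunk.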
@@ -80,7 +89,7 @@ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic COPY --chmod=755 netbox/scripts/* /usr/local/bin/ COPY --chmod=644 netbox/supervisord.conf /etc/supervisord.conf -COPY --chmod=644 netbox/*-defaults.json /etc/ +COPY --chmod=644 netbox/preload/*.yml $NETBOX_PRELOAD_PATH/ EXPOSE 9001 diff --git a/netbox/config/plugins.py b/netbox/config/plugins.py index c0b1a1fb5..f170eef4e 100644 --- a/netbox/config/plugins.py +++ b/netbox/config/plugins.py @@ -4,7 +4,9 @@ # To learn how to build images with your required plugins # See https://github.com/netbox-community/netbox-docker/wiki/Using-Netbox-Plugins -# PLUGINS = ["netbox_bgp"] +PLUGINS = [ + 'netbox_initializers', +] # PLUGINS_CONFIG = { # "netbox_bgp": { diff --git a/netbox/device-roles-defaults.json b/netbox/device-roles-defaults.json deleted file mode 100644 index 503edd9dc..000000000 --- a/netbox/device-roles-defaults.json +++ /dev/null 
@@ -1,260 +0,0 @@ -{ - "device-roles": [ - { - "name": "Access point", - "description": "" - }, - { - "name": "Application server", - "description": "" - }, - { - "name": "Authentication server", - "description": "" - }, - { - "name": "BAS", - "description": "Building automation" - }, - { - "name": "BMS", - "description": "Building management" - }, - { - "name": "Bridge", - "description": "" - }, - { - "name": "CNC", - "description": "Computer numerical control" - }, - { - "name": "Camera", - "description": "" - }, - { - "name": "Cloud server", - "description": "" - }, - { - "name": "Collaboration server", - "description": "" - }, - { - "name": "DCS", - "description": "Distributed control" - }, - { - "name": "DHCP server", - "description": "Dynamic host communication protocol server" - }, - { - "name": "DNS server", - "description": "Domain name system server" - }, - { - "name": "Database server", - "description": "" - }, - { - "name": "Domain controller", - "description": "" - }, - { - "name": "EACS", - "description": "Electronic access control" - }, - { - "name": "Fax", - "description": "" - }, - { - "name": "File server", - "description": "" - }, - { - "name": "Firewall", - "description": "" - }, - { - "name": "Gateway", - "description": "" - }, - { - "name": "Gateway", - "description": "" - }, - { - "name": "HMI", - "description": "Human machine interface" - }, - { - "name": "HVAC", - "description": "Heating, ventilation and air conditioning" - }, - { - "name": "Historian", - "description": "" - }, - { - "name": "Hub", - "description": "" - }, - { - "name": "Hypervisor", - "description": "" - }, - { - "name": "IDS", - "description": "Intrusion detection system" - }, - { - "name": "IIoT", - "description": "Industrial internet of things device" - }, - { - "name": "IPS", - "description": "Intrusion prevention system" - }, - { - "name": "IoT", - "description": "Internet of things device" - }, - { - "name": "KVM", - "description": "Keyboard, video and mouse switch" 
- }, - { - "name": "Kiosk", - "description": "" - }, - { - "name": "Lighting", - "description": "Lighting controls" - }, - { - "name": "Load balancer", - "description": "" - }, - { - "name": "MES", - "description": "Manufacturing execution system" - }, - { - "name": "Mail server", - "description": "" - }, - { - "name": "Media server", - "description": "" - }, - { - "name": "Modem", - "description": "" - }, - { - "name": "NAS", - "description": "Network attached storage" - }, - { - "name": "NTP server", - "description": "Network time protocol server" - }, - { - "name": "Network sensor", - "description": "" - }, - { - "name": "PLC", - "description": "Programmable logic controller" - }, - { - "name": "PLM", - "description": "Product lifecycle management system" - }, - { - "name": "Photocopier", - "description": "" - }, - { - "name": "Physical sensor", - "description": "" - }, - { - "name": "Print server", - "description": "" - }, - { - "name": "Printer", - "description": "" - }, - { - "name": "Proxy server", - "description": "" - }, - { - "name": "RTU", - "description": "Remote terminal unit" - }, - { - "name": "Real-time communication server", - "description": "" - }, - { - "name": "Repeater", - "description": "" - }, - { - "name": "Router", - "description": "" - }, - { - "name": "SCADA", - "description": "Supervisory control and data acquisition" - }, - { - "name": "SIEM", - "description": "Security information and event management" - }, - { - "name": "Safety automation system", - "description": "" - }, - { - "name": "Scanner", - "description": "" - }, - { - "name": "Server", - "description": "" - }, - { - "name": "Switch", - "description": "" - }, - { - "name": "Telephony", - "description": "" - }, - { - "name": "VCS", - "description": "Version control system" - }, - { - "name": "VFD", - "description": "Variable frequency drive" - }, - { - "name": "VPN server", - "description": "Virtual private network server" - }, - { - "name": "Web server", - "description": "" - 
}, - { - "name": "Workstation", - "description": "" - } - ] -} diff --git a/netbox/manufacturers-default.json b/netbox/manufacturers-default.json deleted file mode 100644 index 3b5c06c3d..000000000 --- a/netbox/manufacturers-default.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "manufacturers": [ - { - "name": "ABB", - "description": "" - }, - { - "name": "Accenture", - "description": "" - }, - { - "name": "Emerson Electric", - "description": "" - }, - { - "name": "General Electric", - "description": "" - }, - { - "name": "Hitachi", - "description": "" - }, - { - "name": "Honeywell", - "description": "" - }, - { - "name": "Mitsubishi", - "description": "" - }, - { - "name": "Oracle", - "description": "" - }, - { - "name": "Schneider Electric", - "description": "" - }, - { - "name": "Yokogawa Electric", - "description": "" - }, - { - "name": "Unspecified", - "description": "" - } - ] -} diff --git a/netbox/preload/device_roles.yml b/netbox/preload/device_roles.yml new file mode 100644 index 000000000..eb4c48c44 --- /dev/null +++ b/netbox/preload/device_roles.yml 
@@ -0,0 +1,282 @@
+- name: Access point
+ slug: access-point
+ color: 87e5da
+ vm_role: true
+- name: Application server
+ slug: application-server
+ color: 57d7e0
+ vm_role: true
+- name: Authentication server
+ slug: authentication-server
+ color: ff7a89
+ vm_role: true
+- name: BAS
+ slug: bas
+ description: Building automation
+ color: c37fe8
+ vm_role: true
+- name: BMS
+ slug: bms
+ description: Building management
+ color: ff6519
+ vm_role: true
+- name: Bridge
+ slug: bridge
+ color: dfffa5
+ vm_role: true
+- name: CNC
+ slug: cnc
+ description: Computer numerical control
+ color: 0aaf28
+ vm_role: true
+- name: Camera
+ slug: camera
+ color: adffda
+ vm_role: true
+- name: Cloud server
+ slug: cloud-server
+ color: 75ef5d
+ vm_role: true
+- name: Collaboration server
+ slug: collaboration-server
+ color: 8b4adb
+ vm_role: true
+- name: DCS
+ slug: dcs
+ description: Distributed control system
+ color: 2f7ad6
+ vm_role: true
+- name: DHCP server
+ slug: dhcp-server
+ description: Dynamic host communication protocol server
+ color: 9d28cc
+ vm_role: true
+- name: DNS server
+ slug: dns-server
+ description: Domain name system server
+ color: 17d3c0
+ vm_role: true
+- name: Database server
+ slug: database-server
+ color: 9ca8f4
+ vm_role: true
+- name: Domain controller
+ slug: domain-controller
+ color: f945b4
+ vm_role: true
+- name: EACS
+ slug: eacs
+ description: Electronic access control
+ color: f24dc9
+ vm_role: true
+- name: Fax
+ slug: fax
+ color: 89f497
+ vm_role: true
+- name: File server
+ slug: file-server
+ color: 82ef7f
+ vm_role: true
+- name: Firewall
+ slug: firewall
+ color: e4ccff
+ vm_role: true
+- name: Gateway
+ slug: gateway
+ color: 9ea6e5
+ vm_role: true
+- name: Gateway
+ slug: gateway
+ color: bb4ce8
+ vm_role: true
+- name: HMI
+ slug: hmi
+ description: Human machine interface
+ color: eda484
+ vm_role: true
+- name: HVAC
+ slug: hvac
+ description: Heating, ventilation and air conditioning
+ color: 6cd89b
+ vm_role: true
+- name: Historian
+ slug: historian
+ color: 0971f9
+ vm_role: true
+- name: Hub
+ slug: hub
+ color: bb93e2
+ vm_role: true
+- name: Hypervisor
+ slug: hypervisor
+ color: a7f99f
+ vm_role: true
+- name: IDS
+ slug: ids
+ description: Intrusion detection system
+ color: acfca1
+ vm_role: true
+- name: IIoT
+ slug: iiot
+ description: Industrial internet of things device
+ color: b50a3b
+ vm_role: true
+- name: IPS
+ slug: ips
+ description: Intrusion prevention system
+ color: dd80b0
+ vm_role: true
+- name: IoT
+ slug: iot
+ description: Internet of things device
+ color: a4d86c
+ vm_role: true
+- name: KVM
+ slug: kvm
+ description: Keyboard, video and mouse switch
+ color: be9bf7
+ vm_role: true
+- name: Kiosk
+ slug: kiosk
+ color: e22522
+ vm_role: true
+- name: Lighting
+ slug: lighting
+ description: Lighting controls
+ color: ea8604
+ vm_role: true
+- name: Load balancer
+ slug: load-balancer
+ color: 17d68d
+ vm_role: true
+- name: MES
+ slug: mes
+ description: Manufacturing execution system
+ color: a82327
+ vm_role: true
+- name: Mail server
+ slug: mail-server
+ color: 9ab52f
+ vm_role: true
+- name: Media server
+ slug: media-server
+ color: ef88ef
+ vm_role: true
+- name: Modem
+ slug: modem
+ color: c41924
+ vm_role: true
+- name: NAS
+ slug: nas
+ description: Network attached storage
+ color: 7ef7d5
+ vm_role: true
+- name: NTP server
+ slug: ntp-server
+ description: Network time protocol server
+ color: 8abdd8
+ vm_role: true
+- name: Network sensor
+ slug: network-sensor
+ color: aefcbd
+ vm_role: true
+- name: PLC
+ slug: plc
+ description: Programmable logic controller
+ color: ead27c
+ vm_role: true
+- name: PLM
+ slug: plm
+ description: Product lifecycle management system
+ color: 5996c1
+ vm_role: true
+- name: Photocopier
+ slug: photocopier
+ color: ccb2f4
+ vm_role: true
+- name: Physical sensor
+ slug: physical-sensor
+ color: fcedb8
+ vm_role: true
+- name: Print server
+ slug: print-server
+ color: f966f7
+ vm_role: true
+- name: Printer
+ slug: printer
+ color: d13ec7
+ vm_role: true
+- name: Proxy server
+ slug: proxy-server
+ color: b42ef2
+ vm_role: true
+- name: RTU
+ slug: rtu
+ description: Remote terminal unit
+ color: e817b0
+ vm_role: true
+- name: Real-time communication server
+ slug: real-time-communication-server
+ color: 38c4b8
+ vm_role: true
+- name: Repeater
+ slug: repeater
+ color: de50e0
+ vm_role: true
+- name: Router
+ slug: router
+ color: e5929d
+ vm_role: true
+- name: SCADA
+ slug: scada
+ description: Supervisory control and data acquisition
+ color: fc11b6
+ vm_role: true
+- name: SIEM
+ slug: siem
+ description: Security information and event management
+ color: 48c97c
+ vm_role: true
+- name: Safety automation system
+ slug: safety-automation-system
+ color: 387f02
+ vm_role: true
+- name: Scanner
+ slug: scanner
+ color: 9f97db
+ vm_role: true
+- name: Server
+ slug: server
+ color: 2b8aad
+ vm_role: true
+- name: Switch
+ slug: switch
+ color: 32c949
+ vm_role: true
+- name: Telephony
+ slug: telephony
+ color: ed477e
+ vm_role: true
+- name: VCS
+ slug: vcs
+ description: Version control system
+ color: 9abaf9
+ vm_role: true
+- name: VFD
+ slug: vfd
+ description: Variable frequency drive
+ color: b9e224
+ vm_role: true
+- name: VPN server
+ slug: vpn-server
+ description: Virtual private network server
+ color: 931504
+ vm_role: true
+- name: Web server
+ slug: web-server
+ color: e285bd
+ vm_role: true
+- name: Workstation
+ slug: workstation
+ color: afa1f4
+ vm_role: true
diff --git a/netbox/preload/manufacturers.yml b/netbox/preload/manufacturers.yml
new file mode 100644
index 000000000..f2c5337b4
--- /dev/null
+++ b/netbox/preload/manufacturers.yml
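Review bot: `Gateway` is listed twice in device_roles.yml with the same `slug: gateway` and two different colors (`9ea6e5` and `bb4ce8`), so the second entry is either rejected or overwrites the first, depending on how the initializer matches existing rows; one of the two should be removed. The `color` values are plain scalars, and `color: 931504` (VPN server) is all digits, so a YAML loader will pass it on as an integer while every other color is a string; quoting them, e.g. `color: '931504'`, keeps the type uniform. The DHCP server description reads `Dynamic host communication protocol server`, where `configuration` is presumably meant.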
@@ -0,0 +1,22 @@
+- name: ABB
+ slug: abb
+- name: Accenture
+ slug: accenture
+- name: Emerson Electric
+ slug: emerson-electric
+- name: General Electric
+ slug: general-electric
+- name: Hitachi
+ slug: hitachi
+- name: Honeywell
+ slug: honeywell
+- name: Mitsubishi
+ slug: mitsubishi
+- name: Oracle
+ slug: oracle
+- name: Schneider Electric
+ slug: schneider-electric
+- name: Yokogawa Electric
+ slug: yokogawa-electric
+- name: Unspecified
+ slug: unspecified
diff --git a/netbox/preload/service_templates.yml b/netbox/preload/service_templates.yml
new file mode 100644
index 000000000..51c35a821
--- /dev/null
+++ b/netbox/preload/service_templates.yml
@@ -0,0 +1,274 @@
+- name: FTP
+ protocol: TCP
+ ports:
+ - 20
+ - 21
+- name: SSH
+ protocol: TCP
+ ports:
+ - 22
+- name: Telnet
+ protocol: TCP
+ ports:
+ - 23
+- name: SMTP
+ protocol: TCP
+ ports:
+ - 25
+ - 2525
+- name: DNS (UDP)
+ protocol: UDP
+ ports:
+ - 53
+ - 853
+ - 5353
+- name: DNS (TCP)
+ protocol: TCP
+ ports:
+ - 53
+ - 853
+ - 5353
+- name: DHCP
+ protocol: UDP
+ ports:
+ - 67
+ - 68
+ - 546
+ - 547
+- name: HTTP
+ protocol: TCP
+ ports:
+ - 80
+ - 8000
+ - 8080
+- name: COTP and S7comm
+ protocol: TCP
+ ports:
+ - 102
+- name: POP3
+ protocol: TCP
+ ports:
+ - 110
+- name: SFTP
+ protocol: TCP
+ ports:
+ - 115
+- name: NTP
+ protocol: TCP
+ ports:
+ - 123
+- name: Microsoft-DS (UDP)
+ protocol: UDP
+ ports:
+ - 135
+ - 137
+ - 138
+ - 445
+ - 3702
+- name: Microsoft-DS (TCP)
+ protocol: TCP
+ ports:
+ - 135
+ - 139
+ - 445
+ - 5357
+ - 5358
+- name: NetBIOS (TCP)
+ protocol: TCP
+ ports:
+ - 137
+ - 138
+ - 139
+- name: NetBIOS (UDP)
+ protocol: UDP
+ ports:
+ - 137
+ - 138
+ - 139
+- name: IMAP
+ protocol: TCP
+ ports:
+ - 143
+- name: SNMP
+ protocol: UDP
+ ports:
+ - 161
+ - 162
+- name: LDAP (UDP)
+ protocol: UDP
+ ports:
+ - 389
+ - 3268
+- name: LDAP (TCP)
+ protocol: TCP
+ ports:
+ - 389
+ - 3268
+- name: HTTPS
+ protocol: TCP
+ ports:
+ - 443
+ - 8443
+- name: SMTP SSL/TLS
+ protocol: TCP
+ ports:
+ - 465
+ - 587
+- name: IPSec (UDP)
+ protocol: UDP
+ ports:
+ - 500
+ - 4500
+- name: IPSec (TCP)
+ protocol: TCP
+ ports:
+ - 500
+ - 4500
+- name: Modbus (UDP)
+ protocol: UDP
+ ports:
+ - 502
+- name: Modbus (TCP)
+ protocol: TCP
+ ports:
+ - 502
+ - 802
+- name: Syslog (UDP)
+ protocol: UDP
+ ports:
+ - 514
+ - 601
+- name: Syslog (TCP)
+ protocol: TCP
+ ports:
+ - 514
+ - 601
+- name: LPD
+ protocol: TCP
+ ports:
+ - 515
+- name: IPP and CUPS (UDP)
+ protocol: UDP
+ ports:
+ - 631
+- name: IPP and CUPS (TCP)
+ protocol: TCP
+ ports:
+ - 631
+- name: LDAP SSL/TLS (UDP)
+ protocol: UDP
+ ports:
+ - 636
+ - 3269
+- name: LDAP SSL/TLS (TCP)
+ protocol: TCP
+ ports:
+ - 636
+ - 3269
+- name: rsync
+ protocol: TCP
+ ports:
+ - 873
+- name: FTP SSL/TLS
+ protocol: TCP
+ ports:
+ - 989
+ - 990
+- name: Telnet SSL/TLS
+ protocol: TCP
+ ports:
+ - 992
+- name: IMAP SSL/TLS
+ protocol: TCP
+ ports:
+ - 993
+- name: POP3 SSL/TLS
+ protocol: TCP
+ ports:
+ - 995
+- name: OpenVPN (UDP)
+ protocol: UDP
+ ports:
+ - 1194
+- name: OpenVPN (TCP)
+ protocol: TCP
+ ports:
+ - 1194
+- name: MSSQL
+ protocol: TCP
+ ports:
+ - 1433
+ - 1434
+ - 5022
+- name: Tabular Data Stream
+ protocol: TCP
+ ports:
+ - 1443
+- name: CIP and EtherNet/IP (UDP)
+ protocol: UDP
+ ports:
+ - 2222
+ - 44818
+- name: CIP and EtherNet/IP (TCP)
+ protocol: TCP
+ ports:
+ - 2222
+ - 44818
+- name: MySQL
+ protocol: TCP
+ ports:
+ - 3306
+- name: RDP
+ protocol: TCP
+ ports:
+ - 3389
+- name: LLMNR (UDP)
+ protocol: UDP
+ ports:
+ - 5355
+- name: LLMNR (TCP)
+ protocol: TCP
+ ports:
+ - 5355
+- name: PostgreSQL
+ protocol: TCP
+ ports:
+ - 5432
+- name: VNC
+ protocol: TCP
+ ports:
+ - 5800
+ - 5900
+ - 5901
+ - 5902
+ - 5903
+ - 5904
+ - 5905
+ - 5906
+ - 5907
+ - 5908
+ - 5909
+ - 5910
+ - 6000
+- name: AppSocket and JetDirect
+ protocol: TCP
+ ports:
+ - 9100
+ - 9101
+ - 9102
+- name: Git
+ protocol: TCP
+ ports:
+ - 9418
+- name: BACnet (UDP)
+ protocol: UDP
+ ports:
+ - 47808
+- name: BACnet (TCP)
+ protocol: TCP
+ ports:
+ - 47808
+- name: WireGuard
+ protocol: UDP
+ ports:
+ - 51820
diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index 40f232e7d..660196a0d 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
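Review bot: The `NTP` template in service_templates.yml is declared with `protocol: TCP` on port 123, but NTP runs over UDP, so a service matched to this template would be recorded with the wrong transport; `protocol: UDP` is the likely intent. `Tabular Data Stream` lists port `1443`, which looks like a transposition of 1433 (already covered by the `MSSQL` entry). `SFTP` on port 115 describes the legacy Simple File Transfer Protocol rather than SSH file transfer, which runs on port 22. Both are worth confirming before the list is used to label services.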
@@ -165,14 +165,6 @@ def main(): required=False, help="Filename of JSON file containing network subnet/host name mapping", ) - parser.add_argument( - '--service-templates', - dest='serviceTemplateFileName', - type=str, - default=None, - required=False, - help="Filename of JSON file containing default service template definitions", - ) parser.add_argument( '--default-group', dest='defaultGroupName', @@ -199,14 +191,6 @@ def main(): required=False, help="Manufacturers to create", ) - parser.add_argument( - '--manufacturers', - dest='manufacturersFileName', - type=str, - default=None, - required=False, - help="Filename of JSON file containing default manufacturers (see also -m/--manufacturer)", - ) parser.add_argument( '-r', '--device-role', @@ -217,14 +201,6 @@ def main(): required=False, help="Device role(s) to create (see also --device-roles)", ) - parser.add_argument( - '--device-roles', - dest='deviceRolesFileName', - type=str, - default=None, - required=False, - help="Filename of JSON file containing default device role definitions (see also -r/--device-role)", - ) parser.add_argument( '-y', '--device-type', 
@@ -394,31 +370,6 @@ def main(): except Exception as e: logging.error(f"{type(e).__name__} processing manufacturers: {e}") - try: - # load manufacturers-default.json from file - manufacturersJson = None - if args.manufacturersFileName is not None and os.path.isfile(args.manufacturersFileName): - with open(args.manufacturersFileName) as f: - manufacturersJson = json.load(f) - if manufacturersJson is not None and "manufacturers" in manufacturersJson: - for manuf in [m for m in manufacturersJson["manufacturers"] if "name" in m]: - manufDef = { - "name": manuf["name"], - "slug": slugify(manuf["name"]), - } - if ("description" in manuf) and manuf["description"]: - manufDef["description"] = manuf["description"] - try: - nb.dcim.manufacturers.create(manufDef) - except pynetbox.RequestError as nbe: - logging.warning(f"{type(nbe).__name__} processing manufacturer \"{manuf['name']}\": {nbe}") - - manufacturers = {x.name: x for x in nb.dcim.manufacturers.all()} - logging.debug(f"Manufacturers (after): { {k:v.id for k, v in manufacturers.items()} }") - - except Exception as e: - logging.error(f"{type(e).__name__} processing manufacturers JSON \"{args.manufacturersFileName}\": {e}") - # ###### DEVICE ROLES ########################################################################################## try: deviceRolesPreExisting = {x.name: x for x in nb.dcim.device_roles.all()} 
@@ -441,33 +392,6 @@ def main(): except Exception as e: logging.error(f"{type(e).__name__} processing device roles: {e}") - try: - # load device-roles-defaults.json from file - deviceRolesJson = None - if args.deviceRolesFileName is not None and os.path.isfile(args.deviceRolesFileName): - with open(args.deviceRolesFileName) as f: - deviceRolesJson = json.load(f) - if deviceRolesJson is not None and "device-roles" in deviceRolesJson: - for role in [r for r in deviceRolesJson["device-roles"] if "name" in r]: - roleDef = { - "name": role["name"], - "slug": slugify(role["name"]), - "vm_role": True, - "color": randColor.generate()[0][1:], - } - if ("description" in role) and role["description"]: - roleDef["description"] = role["description"] - try: - nb.dcim.device_roles.create(roleDef) - except pynetbox.RequestError as nbe: - logging.warning(f"{type(nbe).__name__} processing device role \"{role['name']}\": {nbe}") - - deviceRoles = {x.name: x for x in nb.dcim.device_roles.all()} - logging.debug(f"Device roles (after): { {k:v.id for k, v in deviceRoles.items()} }") - - except Exception as e: - logging.error(f"{type(e).__name__} processing device roles JSON \"{args.deviceRolesFileName}\": {e}") - # ###### DEVICE TYPES ########################################################################################## try: deviceTypesPreExisting = {x.model: x for x in nb.dcim.device_types.all()} 
@@ -514,47 +438,6 @@ def main(): except Exception as e: logging.error(f"{type(e).__name__} processing sites: {e}") - # ###### Service templates ##################################################################################### - try: - # load service-template-defaults.json from file - serviceTemplatesJson = None - if args.serviceTemplateFileName is not None and os.path.isfile(args.serviceTemplateFileName): - with open(args.serviceTemplateFileName) as f: - serviceTemplatesJson = json.load(f) - if serviceTemplatesJson is not None and "service-templates" in serviceTemplatesJson: - for srv in serviceTemplatesJson["service-templates"]: - if ( - ("name" in srv) - and (srv["name"]) - and ("protocols" in srv) - and (len(srv["protocols"]) > 0) - and ("ports" in srv) - and (len(srv["ports"]) > 0) - ): - for prot in srv["protocols"]: - srvName = f"{srv['name']} ({prot.upper()})" if (len(srv["protocols"]) > 1) else srv["name"] - portInts = [p for p in srv["ports"] if isinstance(p, int)] - for portRange in [ - r.split('-') for r in srv["ports"] if isinstance(r, str) and re.match(r'^\d+-\d+$', r) - ]: - portInts = portInts + list(range(int(portRange[0]), int(portRange[1]) + 1)) - srvTempl = { - "name": srvName, - "protocol": prot.lower(), - "ports": list(set(portInts)), - } - if ("description" in srv) and srv["description"]: - srvTempl["description"] = srv["description"] - try: - nb.ipam.service_templates.create( - srvTempl, - ) - except pynetbox.RequestError as nbe: - logging.warning(f"{type(nbe).__name__} processing service template \"{srvName}\": {nbe}") - - except Exception as e: - logging.error(f"{type(e).__name__} processing service templates JSON \"{args.serviceTemplateFileName}\": {e}") - # ###### Net Map ############################################################################################### try: # load net-map.json from file 
diff --git a/netbox/service-template-defaults.json b/netbox/service-template-defaults.json deleted file mode 100644 index d9475942e..000000000 --- a/netbox/service-template-defaults.json +++ /dev/null 
@@ -1,486 +0,0 @@ -{ - "service-templates": [ - { - "name": "FTP", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 20, - 21 - ] - }, - { - "name": "SSH", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 22 - ] - }, - { - "name": "Telnet", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 23 - ] - }, - { - "name": "SMTP", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 25, - 2525 - ] - }, - { - "name": "DNS", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 53, - 853, - 5353 - ] - }, - { - "name": "DHCP", - "description": "", - "protocols": [ - "udp" - ], - "ports": [ - 67, - 68, - 546, - 547 - ] - }, - { - "name": "HTTP", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 80, - 8000, - 8080 - ] - }, - { - "name": "COTP and S7comm", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 102 - ] - }, - { - "name": "POP3", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 110 - ] - }, - { - "name": "SFTP", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 115 - ] - }, - { - "name": "NTP", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 123 - ] - }, - { - "name": "Microsoft-DS (UDP)", - "description": "", - "protocols": [ - "udp" - ], - "ports": [ - 135, - 137, - 138, - 445, - 3702 - ] - }, - { - "name": "Microsoft-DS (TCP)", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 135, - 139, - 445, - 5357, - 5358 - ] - }, - { - "name": "NetBIOS", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - "137-139" - ] - }, - { - "name": "IMAP", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 143 - ] - }, - { - "name": "SNMP", - "description": "", - "protocols": [ - "udp" - ], - "ports": [ - 161, - 162 - ] - }, - { - "name": "LDAP", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 389, - 3268 - ] - }, - { - "name": "HTTPS", - 
"description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 443, - 8443 - ] - }, - { - "name": "SMTP SSL/TLS", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 465, - 587 - ] - }, - { - "name": "IPSec", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 500, - 4500 - ] - }, - { - "name": "Modbus", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 502 - ] - }, - { - "name": "Syslog", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 514, - 601 - ] - }, - { - "name": "LPD", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 515 - ] - }, - { - "name": "IPP and CUPS", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 631 - ] - }, - { - "name": "LDAP SSL/TLS", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 636, - 3269 - ] - }, - { - "name": "Modbus/TCP", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 802 - ] - }, - { - "name": "rsync", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 873 - ] - }, - { - "name": "FTP SSL/TLS", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 989, - 990 - ] - }, - { - "name": "Telnet SSL/TLS", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 992 - ] - }, - { - "name": "IMAP SSL/TLS", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 993 - ] - }, - { - "name": "POP3 SSL/TLS", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 995 - ] - }, - { - "name": "OpenVPN", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 1194 - ] - }, - { - "name": "MSSQL", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 1433, - 1434, - 5022 - ] - }, - { - "name": "Tabular Data Stream", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 1443 - ] - }, - { - "name": "CIP and EtherNet/IP", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - 
"ports": [ - 2222, - 44818 - ] - }, - { - "name": "MySQL", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 3306 - ] - }, - { - "name": "RDP", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 3389 - ] - }, - { - "name": "LLMNR", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 5355 - ] - }, - { - "name": "PostgreSQL", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 5432 - ] - }, - { - "name": "VNC", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 5800, - "5900-5910", - 6000 - ] - }, - { - "name": "AppSocket and JetDirect", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - "9100-9102" - ] - }, - { - "name": "Git", - "description": "", - "protocols": [ - "tcp" - ], - "ports": [ - 9418 - ] - }, - { - "name": "BACnet", - "description": "", - "protocols": [ - "tcp", - "udp" - ], - "ports": [ - 47808 - ] - }, - { - "name": "WireGuard", - "description": "", - "protocols": [ - "udp" - ], - "ports": [ - 51820 - ] - } - ] -} diff --git a/netbox/supervisord.conf b/netbox/supervisord.conf index d95c87a6e..ce5980afb 100644 --- a/netbox/supervisord.conf +++ b/netbox/supervisord.conf @@ -39,9 +39,6 @@ command=/opt/netbox/venv/bin/python /usr/local/bin/netbox_init.py --token "%(ENV_SUPERUSER_API_TOKEN)s" --net-map /usr/local/share/net-map.json --library "%(ENV_NETBOX_DEVICETYPE_LIBRARY_PATH)s" - --service-templates /etc/service-template-defaults.json - --device-roles /etc/device-roles-defaults.json - --manufacturers /etc/manufacturers-default.json autostart=true autorestart=false startsecs=0 From df85ace6bb777c95c1cbc5a69c7610e1d9452cf0 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Wed, 2 Aug 2023 07:49:37 -0600 Subject: [PATCH 43/74] populate netbox preload directory in ISO and packaged Malcolm. WIP for idaholab/Malcolm#228 --- docker-compose-standalone.yml | 1 + docker-compose.yml | 2 +- kubernetes/18-netbox.yml | 13 ++++--------- malcolm-iso/build.sh | 2 ++ scripts/malcolm_appliance_packager.sh | 3 ++- scripts/malcolm_kubernetes.py | 12 +++--------- 6 files changed, 13 insertions(+), 20 deletions(-) diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml index 3e298d7ac..8570b85ec 100644 --- a/docker-compose-standalone.yml +++ b/docker-compose-standalone.yml @@ -504,6 +504,7 @@ services: - ./netbox/config:/etc/netbox/config:ro - ./netbox/media:/opt/netbox/netbox/media:rw - ./net-map.json:/usr/local/share/net-map.json:ro + - ./netbox/preload:/opt/netbox-preload/configmap:ro healthcheck: test: ["CMD", "curl", "--silent", "http://localhost:8080/netbox/api/" ] interval: 60s diff --git a/docker-compose.yml b/docker-compose.yml index cf73424cb..5d3612bad 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -564,7 +564,7 @@ services: - ./netbox/config:/etc/netbox/config:ro - ./netbox/media:/opt/netbox/netbox/media:rw - ./net-map.json:/usr/local/share/net-map.json:ro - - ./netbox/service-template-defaults.json:/etc/service-template-defaults.json:ro + - ./netbox/preload:/opt/netbox-preload/configmap:ro healthcheck: test: ["CMD", "curl", "--silent", "http://localhost:8080/netbox/api/" ] interval: 60s diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml index 5f8d90dad..f81438018 100644 --- a/kubernetes/18-netbox.yml +++ b/kubernetes/18-netbox.yml 
@@ -81,10 +81,8 @@ spec: name: netbox-netmap-json-volume - mountPath: /etc/netbox/config/configmap name: netbox-config-volume - - mountPath: /etc/netbox/reports/configmap - name: netbox-reports-volume - - mountPath: /etc/netbox/scripts/configmap - name: netbox-scripts-volume + - mountPath: /opt/netbox-preload/configmap + name: netbox-preload-volume - mountPath: /opt/netbox/netbox/media name: netbox-media-volume subPath: netbox/media @@ -113,12 +111,9 @@ spec: - name: netbox-config-volume configMap: name: netbox-config - - name: netbox-reports-volume + - name: netbox-preload-volume configMap: - name: netbox-reports - - name: netbox-scripts-volume - configMap: - name: netbox-scripts + name: netbox-preload - name: netbox-media-volume persistentVolumeClaim: claimName: config-claim diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh index 7776458c6..8b21afeda 100755 --- a/malcolm-iso/build.sh +++ b/malcolm-iso/build.sh @@ -102,6 +102,7 @@ if [ -d "$WORKDIR" ]; then mkdir -p "$MALCOLM_DEST_DIR/netbox/media/" mkdir -p "$MALCOLM_DEST_DIR/netbox/postgres/" mkdir -p "$MALCOLM_DEST_DIR/netbox/redis/" + mkdir -p "$MALCOLM_DEST_DIR/netbox/preload/" mkdir -p "$MALCOLM_DEST_DIR/nginx/ca-trust/" mkdir -p "$MALCOLM_DEST_DIR/nginx/certs/" mkdir -p "$MALCOLM_DEST_DIR/kubernetes/" @@ -146,6 +147,7 @@ if [ -d "$WORKDIR" ]; then cp ./logstash/certs/*.conf "$MALCOLM_DEST_DIR/logstash/certs/" cp ./logstash/maps/malcolm_severity.yaml "$MALCOLM_DEST_DIR/logstash/maps/" cp -r ./netbox/config/ "$MALCOLM_DEST_DIR/netbox/" + cp ./netbox/preload/*.yml "$MALCOLM_DEST_DIR/netbox/preload/" touch "$MALCOLM_DEST_DIR"/firstrun popd >/dev/null 2>&1 diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh index bf7787aaa..f6812c517 100755 --- a/scripts/malcolm_appliance_packager.sh +++ b/scripts/malcolm_appliance_packager.sh 
@@ -67,10 +67,10 @@ if mkdir "$DESTDIR"; then mkdir $VERBOSE -p "$DESTDIR/htadmin/" mkdir $VERBOSE -p "$DESTDIR/logstash/certs/" mkdir $VERBOSE -p "$DESTDIR/logstash/maps/" - mkdir $VERBOSE -p "$DESTDIR/netbox/" mkdir $VERBOSE -p "$DESTDIR/netbox/media/" mkdir $VERBOSE -p "$DESTDIR/netbox/postgres/" mkdir $VERBOSE -p "$DESTDIR/netbox/redis/" + mkdir $VERBOSE -p "$DESTDIR/netbox/preload/" mkdir $VERBOSE -p "$DESTDIR/nginx/ca-trust/" mkdir $VERBOSE -p "$DESTDIR/nginx/certs/" mkdir $VERBOSE -p "$DESTDIR/opensearch-backup/" @@ -103,6 +103,7 @@ if mkdir "$DESTDIR"; then cp $VERBOSE ./logstash/certs/*.conf "$DESTDIR/logstash/certs/" cp $VERBOSE ./logstash/maps/malcolm_severity.yaml "$DESTDIR/logstash/maps/" cp $VERBOSE -r ./netbox/config/ "$DESTDIR/netbox/" + cp $VERBOSE ./netbox/preload/*.yml "$DESTDIR/netbox/preload/" unset CONFIRMATION echo "" diff --git a/scripts/malcolm_kubernetes.py b/scripts/malcolm_kubernetes.py index af95d2ba2..ebb150d0b 100644 --- a/scripts/malcolm_kubernetes.py +++ b/scripts/malcolm_kubernetes.py @@ -132,19 +132,13 @@ 'netbox-config': [ { 'secret': False, - 'path': os.path.join(MalcolmPath, os.path.join(os.path.join('netbox', 'config'), 'configuration')), + 'path': os.path.join(MalcolmPath, os.path.join('netbox', 'config')), }, ], - 'netbox-reports': [ + 'netbox-preload': [ { 'secret': False, - 'path': os.path.join(MalcolmPath, os.path.join(os.path.join('netbox', 'config'), 'reports')), - }, - ], - 'netbox-scripts': [ - { - 'secret': False, - 'path': os.path.join(MalcolmPath, os.path.join(os.path.join('netbox', 'config'), 'scripts')), + 'path': os.path.join(MalcolmPath, os.path.join('netbox', 'preload')), }, ], 'htadmin-config': [ From f08ef8f7fd5734ac243b4b024b178e6650964e18 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Wed, 2 Aug 2023 08:54:53 -0600 Subject: [PATCH 44/74] load netbox-initializers in netbox_init.py. WIP for idaholab/Malcolm#228 --- Dockerfiles/netbox.Dockerfile | 26 ++++++++------- netbox/scripts/netbox_init.py | 63 ++++++++++++++++++++++++++++++----- 2 files changed, 69 insertions(+), 20 deletions(-) diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index ffe6f88e7..8771589c1 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile @@ -38,6 +38,7 @@ ARG NETBOX_DEFAULT_SITE=Malcolm ARG NETBOX_CRON=true ARG NETBOX_PRELOAD_PATH="/opt/netbox-preload" +ENV NETBOX_PATH /opt/netbox ENV BASE_PATH netbox ENV NETBOX_DEVICETYPE_LIBRARY_PATH $NETBOX_DEVICETYPE_LIBRARY_PATH ENV NETBOX_DEFAULT_SITE $NETBOX_DEFAULT_SITE @@ -54,11 +55,11 @@ RUN apt-get -q update && \ rsync \ supervisor \ tini && \ - /opt/netbox/venv/bin/python -m pip install --break-system-packages --no-cache-dir 'git+https://github.com/mmguero-dev/netbox-initializers' psycopg2 pynetbox python-slugify randomcolor && \ - curl -fsSLO "$SUPERCRONIC_URL" && \ + "${NETBOX_PATH}/venv/bin/python" -m pip install --break-system-packages --no-cache-dir 'git+https://github.com/mmguero-dev/netbox-initializers' psycopg2 pynetbox python-slugify randomcolor && \ + curl -fsSLO "${SUPERCRONIC_URL}" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ - chmod +x "$SUPERCRONIC" && \ - mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" && \ + chmod +x "${SUPERCRONIC}" && \ + mv "${SUPERCRONIC}" "/usr/local/bin/${SUPERCRONIC}" && \ ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic && \ touch "${SUPERCRONIC_CRONTAB}" && \ curl -fsSL -o /usr/bin/yq "${YQ_URL}" && \ 
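Review bot: The rewritten `pip install` line in the `@@ -54,11 +55,11 @@` hunk still installs `git+https://github.com/mmguero-dev/netbox-initializers` with no ref, so every image build pulls whatever the fork's default branch holds at that moment into NetBox's virtualenv. Pinning to a reviewed commit keeps builds reproducible and auditable, e.g. `'git+https://github.com/mmguero-dev/netbox-initializers@<COMMIT_SHA>'` (placeholder for the commit you vetted). The last context line has a related gap: `curl -fsSL -o /usr/bin/yq "${YQ_URL}"` is followed by `chmod 755` outside the hunk with no checksum step, unlike supercronic a few lines above. The RUN instruction starts and ends outside this hunk.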
@@ -71,23 +72,24 @@ RUN apt-get -q update && \ useradd -m --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER} && \ usermod -a -G tty ${PUSER} && \ mkdir -p /opt/unit "${NETBOX_DEVICETYPE_LIBRARY_PATH}" && \ - chown -R $PUSER:root /etc/netbox /opt/unit /opt/netbox && \ + chown -R $PUSER:root /etc/netbox /opt/unit "${NETBOX_PATH}" && \ cd "$(dirname "${NETBOX_DEVICETYPE_LIBRARY_PATH}")" && \ - curl -sSL "$NETBOX_DEVICETYPE_LIBRARY_URL" | tar xzvf - -C ./"$(basename "${NETBOX_DEVICETYPE_LIBRARY_PATH}")" --strip-components 1 && \ - mkdir -p /opt/netbox/netbox/$BASE_PATH && \ - mv /opt/netbox/netbox/static /opt/netbox/netbox/$BASE_PATH/static && \ + curl -sSL "${NETBOX_DEVICETYPE_LIBRARY_URL}" | tar xzvf - -C ./"$(basename "${NETBOX_DEVICETYPE_LIBRARY_PATH}")" --strip-components 1 && \ + mkdir -p "${NETBOX_PATH}/netbox/${BASE_PATH}" && \ + mv "${NETBOX_PATH}/netbox/static" "${NETBOX_PATH}/netbox/${BASE_PATH}/static" && \ jq '. += { "settings": { "http": { "discard_unsafe_fields": false } } }' /etc/unit/nginx-unit.json | jq 'del(.listeners."[::]:8080")' | jq 'del(.listeners."[::]:8081")' | jq ".routes.main[0].match.uri = \"/${BASE_PATH}/static/*\"" > /etc/unit/nginx-unit-new.json && \ mv /etc/unit/nginx-unit-new.json /etc/unit/nginx-unit.json && \ chmod 644 /etc/unit/nginx-unit.json && \ - tr -cd '\11\12\15\40-\176' < /opt/netbox/netbox/netbox/configuration.py > /opt/netbox/netbox/netbox/configuration_ascii.py && \ - mv /opt/netbox/netbox/netbox/configuration_ascii.py /opt/netbox/netbox/netbox/configuration.py && \ - sed -i "s/\('CENSUS_REPORTING_ENABLED',[[:space:]]*\)True/\1False/" /opt/netbox/netbox/netbox/settings.py && \ - sed -i -E 's@^([[:space:]]*\-\-(state|tmp))([[:space:]])@\1dir\3@g' /opt/netbox/launch-netbox.sh + tr -cd '\11\12\15\40-\176' < "${NETBOX_PATH}/netbox/${BASE_PATH}/configuration.py" > "${NETBOX_PATH}/netbox/${BASE_PATH}/configuration_ascii.py" && \ + mv "${NETBOX_PATH}/netbox/${BASE_PATH}/configuration_ascii.py" 
"${NETBOX_PATH}/netbox/${BASE_PATH}/configuration.py" && \ + sed -i "s/\('CENSUS_REPORTING_ENABLED',[[:space:]]*\)True/\1False/" "${NETBOX_PATH}/netbox/${BASE_PATH}/settings.py" && \ + sed -i -E 's@^([[:space:]]*\-\-(state|tmp))([[:space:]])@\1dir\3@g' "${NETBOX_PATH}/launch-netbox.sh" COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic COPY --chmod=755 netbox/scripts/* /usr/local/bin/ +COPY --chmod=644 scripts/malcolm_utils.py /usr/local/bin/ COPY --chmod=644 netbox/supervisord.conf /etc/supervisord.conf COPY --chmod=644 netbox/preload/*.yml $NETBOX_PRELOAD_PATH/ diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py index 660196a0d..26b1dd8f9 100755 --- a/netbox/scripts/netbox_init.py +++ b/netbox/scripts/netbox_init.py @@ -14,6 +14,7 @@ import re import sys import time +import malcolm_utils from collections.abc import Iterable from datetime import datetime @@ -157,7 +158,6 @@ def main(): help="Site(s) to create", ) parser.add_argument( - '-n', '--net-map', dest='netMapFileName', type=str, 
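Review bot: The rewritten `tr`, `mv` and `sed` lines at the end of the `@@ -71,23 +72,24 @@` hunk use `${BASE_PATH}` for the directory that holds `configuration.py` and `settings.py`, but a few lines earlier in the same hunk `${BASE_PATH}` is the URL prefix that `static` is moved under. The two only coincide because `ENV BASE_PATH netbox` happens to match the package directory the removed lines hard-coded as `/opt/netbox/netbox/netbox/`. With any other base path the step that turns `CENSUS_REPORTING_ENABLED` off would point at a file that does not exist. Keeping the package directory literal avoids the coupling, for example ending the `sed` line with `"${NETBOX_PATH}/netbox/netbox/settings.py"`. The RUN instruction begins outside this hunk.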
@@ -211,15 +211,33 @@ def main(): required=False, help="Device types(s) to create", ) + parser.add_argument( + '-n', + '--netbox', + dest='netboxDir', + type=str, + default=os.getenv('NETBOX_PATH', '/opt/netbox'), + required=False, + help="NetBox installation directory", + ) parser.add_argument( '-l', '--library', dest='libraryDir', type=str, - default=None, + default=os.getenv('NETBOX_DEVICETYPE_LIBRARY_PATH', '/opt/netbox-devicetype-library'), required=False, help="Directory containing NetBox device type library", ) + parser.add_argument( + '-p', + '--preload', + dest='preloadDir', + type=str, + default=os.getenv('NETBOX_PRELOAD_PATH', '/opt/netbox-preload'), + required=False, + help="Directory containing netbox-initializers files to preload", + ) try: parser.error = parser.exit args = parser.parse_args() @@ -367,6 +385,8 @@ def main(): except pynetbox.RequestError as nbe: logging.warning(f"{type(nbe).__name__} processing manufacturer \"{manufacturerName}\": {nbe}") + manufacturers = {x.name: x for x in nb.dcim.manufacturers.all()} + logging.debug(f"Manufacturers (after): { {k:v.id for k, v in manufacturers.items()} }") except Exception as e: logging.error(f"{type(e).__name__} processing manufacturers: {e}") @@ -389,6 +409,8 @@ def main(): except pynetbox.RequestError as nbe: logging.warning(f"{type(nbe).__name__} processing device role \"{deviceRoleName}\": {nbe}") + deviceRoles = {x.name: x for x in nb.dcim.device_roles.all()} + logging.debug(f"Device roles (after): { {k:v.id for k, v in deviceRoles.items()} }") except Exception as e: logging.error(f"{type(e).__name__} processing device roles: {e}") 
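Review bot: The short option `-n` is assigned to the new `--netbox` argument in the `@@ -211,15 +211,33 @@` hunk right after the previous hunk removed it from `--net-map`, so an existing invocation that passes the net map with `-n` still parses and silently sets `netboxDir` to a file path instead. The supervisord command visible earlier in this series uses the long `--net-map` form, so the image itself is presumably unaffected, but any other caller loses its net map with no diagnostic. Leave `-n` retired by dropping the `'-n',` line from the `--netbox` block, or give the new option a letter that was never in use. `main()` starts and ends outside this hunk.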
@@ -409,7 +431,7 @@ def main(): }, ) except pynetbox.RequestError as nbe: - logging.warning(f"{type(nbe).__model__} processing device type \"{deviceTypeModel}\": {nbe}") + logging.warning(f"{type(nbe).__name__} processing device type \"{deviceTypeModel}\": {nbe}") deviceTypes = {x.model: x for x in nb.dcim.device_types.all()} logging.debug(f"Device types (after): { {k:v.id for k, v in deviceTypes.items()} }") 
@@ -614,13 +636,38 @@ def main(): except Exception as e: logging.error(f"{type(e).__name__} processing net map JSON \"{args.netMapFileName}\": {e}") + # ###### Netbox-Initializers ################################################################################### + netboxVenvPy = os.path.join(os.path.join(os.path.join(args.netboxDir, 'venv'), 'bin'), 'python') + manageScript = os.path.join(os.path.join(args.netboxDir, 'netbox'), 'manage.py') + if os.path.isfile(netboxVenvPy) and os.path.isfile(manageScript) and os.path.isdir(args.preloadDir): + try: + with malcolm_utils.pushd(os.path.dirname(manageScript)): + retcode, output = malcolm_utils.run_process( + [ + netboxVenvPy, + os.path.basename(manageScript), + "load_initializer_data", + "--path", + args.preloadDir, + ], + logger=logging, + ) + if retcode == 0: + logging.debug(f"netbox-initializers: {retcode} {output}") + else: + logging.error(f"Error processing netbox-initializers: {retcode} {output}") + + except Exception as e: + logging.error(f"{type(e).__name__} processing netbox-initializers: {e}") + # ###### Library ############################################################################################### - try: - counter = import_library(nb, args.libraryDir) - logging.debug(f"import library results: { counter }") + if os.path.isdir(args.libraryDir): + try: + counter = import_library(nb, args.libraryDir) + logging.debug(f"import library results: { counter }") - except Exception as e: - logging.error(f"{type(e).__name__} processing library: {e}") + except Exception as e: + logging.error(f"{type(e).__name__} processing library: {e}") ################################################################################################### From d47eb1d8ef79eae9d8754da122d64e52796019d0 Mon Sep 17 00:00:00 2001 From: SG Date: Wed, 2 Aug 2023 09:55:42 -0600 Subject: [PATCH 45/74] added option for scripting github_image-helper.sh --- scripts/github_image_helper.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
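Review bot: When any of the `os.path.isfile(netboxVenvPy)`, `os.path.isfile(manageScript)` or `os.path.isdir(args.preloadDir)` checks fails, the netbox-initializers step is skipped without a log line, and the new `if os.path.isdir(args.libraryDir):` guard does the same for the library import. A mis-mounted `./netbox/preload` volume or a wrong `NETBOX_PATH` therefore looks the same in the logs as a run that had nothing to load. Add an `else:` branch to each guard, e.g. `logging.warning(f"skipping netbox-initializers: {netboxVenvPy}, {manageScript} or {args.preloadDir} not found")`. `main()` continues outside this hunk.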
diff --git a/scripts/github_image_helper.sh b/scripts/github_image_helper.sh index 9f922d03e..124a9e0e5 100755 --- a/scripts/github_image_helper.sh +++ b/scripts/github_image_helper.sh @@ -181,7 +181,7 @@ for i in "${!FUNCTIONS[@]}"; do printf "%s\t%s\n" "$IPLUS" "${FUNCTIONS[$i]}" done echo -n "Operation:" -read USER_FUNCTION_IDX +[[ -n "${1-}" ]] && USER_FUNCTION_IDX="$1" || read USER_FUNCTION_IDX if (( $USER_FUNCTION_IDX > 0 )) && (( $USER_FUNCTION_IDX <= "${#FUNCTIONS[@]}" )); then # execute one function, à la carte From 8f95f8516c5a887231265b1f5109ab303746846a Mon Sep 17 00:00:00 2001 From: SG Date: Wed, 2 Aug 2023 10:12:29 -0600 Subject: [PATCH 46/74] update docs --- docs/asset-interaction-analysis.md | 7 +++++++ netbox/preload/initializers.txt | 2 ++ 2 files changed, 9 insertions(+) create mode 100644 netbox/preload/initializers.txt diff --git a/docs/asset-interaction-analysis.md b/docs/asset-interaction-analysis.md index e536b67a8..dced1e2ce 100644 --- a/docs/asset-interaction-analysis.md +++ b/docs/asset-interaction-analysis.md @@ -7,6 +7,7 @@ - [Via passively-gathered network traffic metadata](#NetBoxPopPassive) - [Via active discovery](#NetBoxPopActive) * [Compare NetBox inventory with database of known vulnerabilities](#NetBoxVuln) +* [Preloading NetBox inventory](#NetBoxPreload) * [Backup and restore](#NetBoxBackup) Malcolm provides an instance of [NetBox](https://netbox.dev/), an open-source "solution for modeling and documenting modern networks." The NetBox web interface is available at at **https://localhost/netbox/** if connecting locally. 
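Review bot: `USER_FUNCTION_IDX` can now come straight from `$1`, and the unchanged line below feeds it to `(( $USER_FUNCTION_IDX > 0 ))`, where bash evaluates the text as an arithmetic expression rather than comparing a number. An empty or non-numeric argument gives a syntax error at best, and evaluating caller-supplied text in arithmetic context is unsafe once the script is driven from automation, which is what this option is for. Validate before the comparison, e.g. `[[ "$USER_FUNCTION_IDX" =~ ^[0-9]+$ ]] || { echo "invalid operation" >&2; exit 1; }`, and use `read -r` on the interactive path. The menu logic continues outside the hunk.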
@@ -112,6 +113,12 @@ See [idaholab/Malcolm#136](https://github.com/idaholab/Malcolm/issues/136). See [idaholab/Malcolm#134](https://github.com/idaholab/Malcolm/issues/134). +## Preloading NetBox inventory + +YML files in [`./netbox/preload`]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/netbox/preload/) under the Malcolm installation directory will be preloaded upon startup using the third-party [netbox-initializers](https://github.com/tobiasge/netbox-initializers) plugin. Examples illustrating the format of these YML files can be found at its [GitHub repository](https://github.com/tobiasge/netbox-initializers/tree/main/src/netbox_initializers/initializers/yaml). + +[workflow files] + ## Backup and Restore The NetBox database may be backed up and restored using `./scripts/netbox-backup` and `./scripts/netbox-restore`, respectively. While Malcolm is running, run the following command from within the Malcolm installation directory to backup the entire NetBox database: diff --git a/netbox/preload/initializers.txt b/netbox/preload/initializers.txt new file mode 100644 index 000000000..6640ff227 --- /dev/null +++ b/netbox/preload/initializers.txt @@ -0,0 +1,2 @@ +Files in this directory should be formatted for import by the netbox-initializers +plugin (https://github.com/tobiasge/netbox-initializers). \ No newline at end of file From a2eefe9f4800a13bbd7503def80b7d44cf1a1038 Mon Sep 17 00:00:00 2001 From: SG Date: Wed, 2 Aug 2023 10:40:33 -0600 Subject: [PATCH 47/74] documentation update --- docs/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/README.md b/docs/README.md index 6bc2c152a..f391d3e16 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -89,6 +89,7 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation * [Via passively-gathered network traffic metadata](asset-interaction-analysis.md#NetBoxPopPassive) * [Via active discovery](asset-interaction-analysis.md#NetBoxPopActive) + [Compare NetBox inventory with database of known vulnerabilities](asset-interaction-analysis.md#NetBoxVuln) + + [Preloading NetBox inventory](asset-interaction-analysis.md#NetBoxPreload) + [Backup and restore](asset-interaction-analysis.md#NetBoxBackup) - [CyberChef](cyberchef.md#CyberChef) - [API](api.md#API) From 507d66bb1fd8cf49582cdcd0fa674af618513a9a Mon Sep 17 00:00:00 2001 From: SG Date: Wed, 2 Aug 2023 11:03:46 -0600 Subject: [PATCH 48/74] adjust default netbox dashboard --- Dockerfiles/netbox.Dockerfile | 9 +- netbox/patch/remove-news-feed.patch | 21 +++++ netbox/preload/device_roles.yml | 134 ++++++++++++++-------------- 3 files changed, 95 insertions(+), 69 deletions(-) create mode 100644 netbox/patch/remove-news-feed.patch diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index 8771589c1..19799aec9 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile 
@@ -45,17 +45,22 @@ ENV NETBOX_DEFAULT_SITE $NETBOX_DEFAULT_SITE ENV NETBOX_CRON $NETBOX_CRON ENV NETBOX_PRELOAD_PATH $NETBOX_PRELOAD_PATH +ADD netbox/patch/* /tmp/netbox-patches/ + RUN apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get install -q -y --no-install-recommends \ git \ jq \ + patch \ procps \ psmisc \ rsync \ supervisor \ tini && \ "${NETBOX_PATH}/venv/bin/python" -m pip install --break-system-packages --no-cache-dir 'git+https://github.com/mmguero-dev/netbox-initializers' psycopg2 pynetbox python-slugify randomcolor && \ + cd "${NETBOX_PATH}" && \ + bash -c 'for i in /tmp/netbox-patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done' && \ curl -fsSLO "${SUPERCRONIC_URL}" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "${SUPERCRONIC}" && \ @@ -64,7 +69,7 @@ RUN apt-get -q update && \ touch "${SUPERCRONIC_CRONTAB}" && \ curl -fsSL -o /usr/bin/yq "${YQ_URL}" && \ chmod 755 /usr/bin/yq && \ - apt-get -q -y --purge remove git && \ + apt-get -q -y --purge remove patch git && \ apt-get -q -y --purge autoremove && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \ 
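Review bot: The `|| true` in the added loop `for i in /tmp/netbox-patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done` means a patch that no longer applies is ignored and the build still succeeds. The only patch added in this commit removes the dashboard widget that fetches `http://netbox.dev/rss/`, so a later base-image bump that touches `extras/constants.py` could quietly ship an image with that outbound request back in place. Let the build fail instead: `for i in /tmp/netbox-patches/*; do patch -p 1 -r - --no-backup-if-mismatch < "$i" || exit 1; done`. `COPY` would also be more predictable than `ADD` for these local files. The RUN instruction continues outside the hunk.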
@@ -74,7 +79,7 @@ RUN apt-get -q update && \ mkdir -p /opt/unit "${NETBOX_DEVICETYPE_LIBRARY_PATH}" && \ chown -R $PUSER:root /etc/netbox /opt/unit "${NETBOX_PATH}" && \ cd "$(dirname "${NETBOX_DEVICETYPE_LIBRARY_PATH}")" && \ - curl -sSL "${NETBOX_DEVICETYPE_LIBRARY_URL}" | tar xzvf - -C ./"$(basename "${NETBOX_DEVICETYPE_LIBRARY_PATH}")" --strip-components 1 && \ + curl -sSL "${NETBOX_DEVICETYPE_LIBRARY_URL}" | tar xzf - -C ./"$(basename "${NETBOX_DEVICETYPE_LIBRARY_PATH}")" --strip-components 1 && \ mkdir -p "${NETBOX_PATH}/netbox/${BASE_PATH}" && \ mv "${NETBOX_PATH}/netbox/static" "${NETBOX_PATH}/netbox/${BASE_PATH}/static" && \ jq '. += { "settings": { "http": { "discard_unsafe_fields": false } } }' /etc/unit/nginx-unit.json | jq 'del(.listeners."[::]:8080")' | jq 'del(.listeners."[::]:8081")' | jq ".routes.main[0].match.uri = \"/${BASE_PATH}/static/*\"" > /etc/unit/nginx-unit-new.json && \ diff --git a/netbox/patch/remove-news-feed.patch b/netbox/patch/remove-news-feed.patch new file mode 100644 index 000000000..45d754807 --- /dev/null +++ b/netbox/patch/remove-news-feed.patch @@ -0,0 +1,21 @@ +diff -Naur a/netbox/extras/constants.py b/netbox/extras/constants.py +--- a/netbox/extras/constants.py 2023-08-02 10:43:07.996021664 -0600 ++++ b/netbox/extras/constants.py 2023-08-02 10:47:21.220034275 -0600 +@@ -76,17 +76,6 @@ + } + }, + { +- 'widget': 'extras.RSSFeedWidget', +- 'width': 4, +- 'height': 4, +- 'title': 'NetBox News', +- 'config': { +- 'feed_url': 'http://netbox.dev/rss/', +- 'max_entries': 10, +- 'cache_timeout': 14400, +- } +- }, +- { + 'widget': 'extras.ObjectCountsWidget', + 'width': 4, + 'height': 3, diff --git a/netbox/preload/device_roles.yml b/netbox/preload/device_roles.yml index eb4c48c44..3068b7785 100644 --- a/netbox/preload/device_roles.yml +++ b/netbox/preload/device_roles.yml 
@@ -1,282 +1,282 @@ - name: Access point slug: access-point - color: 87e5da + color: Pink vm_role: true - name: Application server slug: application-server - color: 57d7e0 + color: Green vm_role: true - name: Authentication server slug: authentication-server - color: ff7a89 + color: Dark Green vm_role: true - name: BAS slug: bas description: Building automation - color: c37fe8 + color: Amber vm_role: true - name: BMS slug: bms description: Building management - color: ff6519 + color: Amber vm_role: true - name: Bridge slug: bridge - color: dfffa5 + color: Pink vm_role: true - name: CNC slug: cnc description: Computer numerical control - color: 0aaf28 + color: Indigo vm_role: true - name: Camera slug: camera - color: adffda + color: Amber vm_role: true - name: Cloud server slug: cloud-server - color: 75ef5d + color: Green vm_role: true - name: Collaboration server slug: collaboration-server - color: 8b4adb + color: Green vm_role: true - name: DCS slug: dcs description: Distributed control system - color: 2f7ad6 + color: Purple vm_role: true - name: DHCP server slug: dhcp-server description: Dynamic host communication protocol server - color: 9d28cc + color: Dark Green vm_role: true - name: DNS server slug: dns-server description: Domain name system server - color: 17d3c0 + color: Dark Green vm_role: true - name: Database server slug: database-server - color: 9ca8f4 + color: Green vm_role: true - name: Domain controller slug: domain-controller - color: f945b4 + color: Dark Green vm_role: true - name: EACS slug: eacs description: Electronic access control - color: f24dc9 + color: Amber vm_role: true - name: Fax slug: fax - color: 89f497 + color: Cyan vm_role: true - name: File server slug: file-server - color: 82ef7f + color: Green vm_role: true - name: Firewall slug: firewall - color: e4ccff + color: Dark Red vm_role: true - name: Gateway slug: gateway - color: 9ea6e5 - vm_role: true -- name: Gateway - slug: gateway - color: bb4ce8 + color: Pink vm_role: true - name: 
HMI slug: hmi description: Human machine interface - color: eda484 + color: Purple vm_role: true - name: HVAC slug: hvac description: Heating, ventilation and air conditioning - color: 6cd89b + color: Amber vm_role: true - name: Historian slug: historian - color: 0971f9 + color: Purple vm_role: true - name: Hub slug: hub - color: bb93e2 + color: Grey vm_role: true - name: Hypervisor slug: hypervisor - color: a7f99f + color: Light Green vm_role: true - name: IDS slug: ids description: Intrusion detection system - color: acfca1 + color: Fuchsia vm_role: true - name: IIoT slug: iiot description: Industrial internet of things device - color: b50a3b + color: Purple vm_role: true - name: IPS slug: ips description: Intrusion prevention system - color: dd80b0 + color: Fuchsia vm_role: true - name: IoT slug: iot description: Internet of things device - color: a4d86c + color: Light Blue vm_role: true - name: KVM slug: kvm description: Keyboard, video and mouse switch - color: be9bf7 + color: Light Blue vm_role: true - name: Kiosk slug: kiosk - color: e22522 + color: Light Blue vm_role: true - name: Lighting slug: lighting description: Lighting controls - color: ea8604 + color: Amber vm_role: true - name: Load balancer slug: load-balancer - color: 17d68d + color: Pink vm_role: true - name: MES slug: mes description: Manufacturing execution system - color: a82327 + color: Indigo vm_role: true - name: Mail server slug: mail-server - color: 9ab52f + color: Green vm_role: true - name: Media server slug: media-server - color: ef88ef + color: Green vm_role: true - name: Modem slug: modem - color: c41924 + color: Pink vm_role: true - name: NAS slug: nas description: Network attached storage - color: 7ef7d5 + color: Green vm_role: true - name: NTP server slug: ntp-server description: Network time protocol server - color: 8abdd8 + color: Dark Green vm_role: true - name: Network sensor slug: network-sensor - color: aefcbd + color: Fuchsia vm_role: true - name: PLC slug: plc 
description: Programmable logic controller - color: ead27c + color: Purple vm_role: true - name: PLM slug: plm description: Product lifecycle management system - color: 5996c1 + color: Indigo vm_role: true - name: Photocopier slug: photocopier - color: ccb2f4 + color: Light Blue vm_role: true - name: Physical sensor slug: physical-sensor - color: fcedb8 + color: Indigo vm_role: true - name: Print server slug: print-server - color: f966f7 + color: Green vm_role: true - name: Printer slug: printer - color: d13ec7 + color: Light Blue vm_role: true - name: Proxy server slug: proxy-server - color: b42ef2 + color: Dark Green vm_role: true - name: RTU slug: rtu description: Remote terminal unit - color: e817b0 + color: Purple vm_role: true - name: Real-time communication server slug: real-time-communication-server - color: 38c4b8 + color: Dark Green vm_role: true - name: Repeater slug: repeater - color: de50e0 + color: Pink vm_role: true - name: Router slug: router - color: e5929d + color: Pink vm_role: true - name: SCADA slug: scada description: Supervisory control and data acquisition - color: fc11b6 + color: Purple vm_role: true - name: SIEM slug: siem description: Security information and event management - color: 48c97c + color: Fuchsia vm_role: true - name: Safety automation system slug: safety-automation-system - color: 387f02 + color: Amber vm_role: true - name: Scanner slug: scanner - color: 9f97db + color: Light Blue vm_role: true - name: Server slug: server - color: 2b8aad + color: Green vm_role: true - name: Switch slug: switch - color: 32c949 + color: Grey vm_role: true - name: Telephony slug: telephony - color: ed477e + color: Cyan vm_role: true - name: VCS slug: vcs description: Version control system - color: 9abaf9 + color: Green vm_role: true - name: VFD slug: vfd description: Variable frequency drive - color: b9e224 + color: Indigo vm_role: true - name: VPN server slug: vpn-server description: Virtual private network server - color: 931504 + color: Dark 
Green vm_role: true - name: Web server slug: web-server - color: e285bd + color: Green vm_role: true - name: Workstation slug: workstation - color: afa1f4 + color: Light Green + vm_role: true +- name: Virtual Machine Server + slug: vm-server + color: Light Green vm_role: true From d8f84692b0d3c43354e1233dd66af0d8d20e1dd1 Mon Sep 17 00:00:00 2001 From: SG Date: Wed, 2 Aug 2023 11:04:13 -0600 Subject: [PATCH 49/74] update arkime to v4.4.0 (https://github.com/arkime/arkime/blob/9473d2f03530d2bd7dd849fbf4f7aad7f9f1fe20/CHANGELOG#L33-L55) --- Dockerfiles/arkime.Dockerfile | 2 +- sensor-iso/arkime/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile index 48efa51eb..3a441d65d 100644 --- a/Dockerfiles/arkime.Dockerfile +++ b/Dockerfiles/arkime.Dockerfile @@ -4,7 +4,7 @@ FROM debian:12-slim AS build ENV DEBIAN_FRONTEND noninteractive -ENV ARKIME_VERSION "v4.3.2" +ENV ARKIME_VERSION "v4.4.0" ENV ARKIME_DIR "/opt/arkime" ENV ARKIME_URL "https://github.com/arkime/arkime.git" ENV ARKIME_LOCALELASTICSEARCH no diff --git a/sensor-iso/arkime/Dockerfile b/sensor-iso/arkime/Dockerfile index c36a92c84..e2fa621d3 100644 --- a/sensor-iso/arkime/Dockerfile +++ b/sensor-iso/arkime/Dockerfile @@ -6,7 +6,7 @@ LABEL maintainer="malcolm@inl.gov" ENV DEBIAN_FRONTEND noninteractive -ENV ARKIME_VERSION "4.3.2" +ENV ARKIME_VERSION "4.4.0" ENV ARKIME_DIR "/opt/arkime" RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sources && \ From d087da65d179ae72e3b301107429d6b93d4275e3 Mon Sep 17 00:00:00 2001 From: SG Date: Mon, 7 Aug 2023 13:07:47 -0600 Subject: [PATCH 50/74] slightly update threshold for matching --- logstash/ruby/netbox_enrich.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/logstash/ruby/netbox_enrich.rb b/logstash/ruby/netbox_enrich.rb index 3cea6ec06..b3076f932 100644 --- a/logstash/ruby/netbox_enrich.rb +++ b/logstash/ruby/netbox_enrich.rb 
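Review bot: The `DHCP server` entry, an unchanged context line in this hunk, carries the description `Dynamic host communication protocol server`, but DHCP stands for Dynamic Host Configuration Protocol. It should read `description: Dynamic host configuration protocol server`, since this text is what NetBox users will see on the role. The new `Virtual Machine Server` entry is appended after `Workstation`, while the rest of the list is kept in sorted order; placing it after `VPN server` would keep the file easy to scan for duplicates such as the second `Gateway` entry this commit removes.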
@@ -164,7 +164,7 @@ def register(params) _autopopulate_fuzzy_threshold_str = ENV[_autopopulate_fuzzy_threshold_str_env] end if _autopopulate_fuzzy_threshold_str.nil? || _autopopulate_fuzzy_threshold_str.empty? - @autopopulate_fuzzy_threshold = 0.75 + @autopopulate_fuzzy_threshold = 0.80 else @autopopulate_fuzzy_threshold = _autopopulate_fuzzy_threshold_str.to_f end From 1dfd197f08cc475990a85743bed9db4ac35d8c92 Mon Sep 17 00:00:00 2001 From: SG Date: Mon, 7 Aug 2023 13:43:51 -0600 Subject: [PATCH 51/74] Update netbox to v3.5.7 (https://github.com/netbox-community/netbox/releases/tag/v3.5.7) --- Dockerfiles/netbox.Dockerfile | 2 +- Dockerfiles/postgresql.Dockerfile | 4 ++-- Dockerfiles/redis.Dockerfile | 2 +- config/netbox-common.env.example | 1 - scripts/install.py | 6 ------ scripts/malcolm_common.py | 1 + 6 files changed, 5 insertions(+), 11 deletions(-) diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index 19799aec9..64e1b6256 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile @@ -1,4 +1,4 @@ -FROM netboxcommunity/netbox:v3.5.4 +FROM netboxcommunity/netbox:v3.5.7 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/postgresql.Dockerfile b/Dockerfiles/postgresql.Dockerfile index ea4e14f69..757d13684 100644 --- a/Dockerfiles/postgresql.Dockerfile +++ b/Dockerfiles/postgresql.Dockerfile @@ -1,4 +1,4 @@ -FROM postgres:14-alpine +FROM postgres:15-alpine # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" @@ -44,7 +44,7 @@ ENTRYPOINT ["/sbin/tini", \ "--", \ "/usr/bin/docker-uid-gid-setup.sh", \ "/usr/local/bin/service_check_passthrough.sh", \ - "-s", "netbox"] + "-s", "netbox-postgres"] CMD ["/usr/bin/docker-entrypoint.sh", "postgres"] diff --git a/Dockerfiles/redis.Dockerfile b/Dockerfiles/redis.Dockerfile index a25c17c72..6585f2ea2 100644 --- a/Dockerfiles/redis.Dockerfile 
+++ b/Dockerfiles/redis.Dockerfile @@ -35,7 +35,7 @@ ENTRYPOINT ["/sbin/tini", \ "--", \ "/usr/local/bin/docker-uid-gid-setup.sh", \ "/usr/local/bin/service_check_passthrough.sh", \ - "-s", "netbox"] + "-s", "netbox-redis"] # to be populated at build-time: ARG BUILD_DATE diff --git a/config/netbox-common.env.example b/config/netbox-common.env.example index a8e81103a..882cc64ae 100644 --- a/config/netbox-common.env.example +++ b/config/netbox-common.env.example @@ -7,5 +7,4 @@ NETBOX_DEFAULT_SITE=Malcolm NETBOX_DISABLED=true NETBOX_POSTGRES_DISABLED=true NETBOX_REDIS_DISABLED=true -NETBOX_REDIS_CACHE_DISABLED=true NETBOX_CRON=true diff --git a/scripts/install.py b/scripts/install.py index 0d7daf716..896d318f9 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -1167,12 +1167,6 @@ def tweak_malcolm_runtime( 'NETBOX_REDIS_DISABLED', TrueOrFalseNoQuote(not netboxEnabled), ), - # enable/disable netbox (redis cache) - EnvValue( - os.path.join(args.configDir, 'netbox-common.env'), - 'NETBOX_REDIS_CACHE_DISABLED', - TrueOrFalseNoQuote(not netboxEnabled), - ), # HTTPS (nginxSSL=True) vs unencrypted HTTP (nginxSSL=False) EnvValue( os.path.join(args.configDir, 'nginx.env'), diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py index b200bfa1e..3aecd642e 100644 --- a/scripts/malcolm_common.py +++ b/scripts/malcolm_common.py @@ -677,6 +677,7 @@ def DownloadToFile(url, local_filename, debug=False): | curl.+localhost.+GET\s+/api/status\s+200 | DEPRECATION | descheduling\s+job\s*id + | (relation|SELECT)\s+"django_content_type" | eshealth | esindices/list | executing\s+attempt_(transition|set_replica_count)\s+for From 53c062545464260318594ff2e318906e73785ee0 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Tue, 8 Aug 2023 08:40:24 -0600 Subject: [PATCH 52/74] idaholab/Malcolm#234, update logstash-oss container to 8.9.0 and handle loading large YAML documents in mac_lookup.rb and netbox_enrich.rb --- Dockerfiles/logstash.Dockerfile | 5 +++-- logstash/ruby/mac_lookup.rb | 16 +++++++++++++++- logstash/ruby/netbox_enrich.rb | 17 +++++++++++++++-- 3 files changed, 33 insertions(+), 5 deletions(-) diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index ddd84f7ea..7c6ab795a 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -1,4 +1,4 @@ -FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:8.6.1 +FROM docker.elastic.co/logstash/logstash-oss:8.9.0 LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' @@ -66,13 +66,14 @@ RUN set -x && \ echo "gem 'deep_merge'" >> /usr/share/logstash/Gemfile && \ echo "gem 'fuzzy-string-match'" >> /usr/share/logstash/Gemfile && \ echo "gem 'stringex'" >> /usr/share/logstash/Gemfile && \ + echo "gem 'psych'" >> /usr/share/logstash/Gemfile && \ /usr/share/logstash/bin/ruby -S bundle install && \ logstash-plugin install --preserve logstash-filter-translate logstash-filter-cidr logstash-filter-dns \ logstash-filter-json logstash-filter-prune logstash-filter-http \ logstash-filter-grok logstash-filter-geoip logstash-filter-uuid \ logstash-filter-kv logstash-filter-mutate logstash-filter-dissect \ logstash-filter-fingerprint logstash-filter-useragent \ - logstash-input-beats logstash-output-elasticsearch && \ + logstash-input-beats logstash-output-elasticsearch logstash-output-opensearch && \ apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages autoremove && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/bin/jruby \ diff --git a/logstash/ruby/mac_lookup.rb b/logstash/ruby/mac_lookup.rb index 9af301f68..ae2ec0687 100644 --- a/logstash/ruby/mac_lookup.rb 
+++ b/logstash/ruby/mac_lookup.rb @@ -3,11 +3,13 @@ def concurrency end def register(params) + require 'psych' + @source = params["source"] @target = params["target"] if File.exist?(params["map_path"]) @macarray = Array.new - YAML.safe_load(File.read(params["map_path"])).each do |mac| + psych_load_yaml(params["map_path"]).each do |mac| @macarray.push([mac_string_to_integer(mac['low']), mac_string_to_integer(mac['high']), mac['name']]) end # Array.bsearch only works on a sorted array @@ -57,6 +59,18 @@ def mac_string_to_integer(string) string.tr('.:-','').to_i(16) end +def psych_load_yaml(filename) + parser = Psych::Parser.new(Psych::TreeBuilder.new) + parser.code_point_limit = 64*1024*1024 + parser.parse(IO.read(filename, :mode => 'r:bom|utf-8')) + yaml_obj = Psych::Visitors::ToRuby.create().accept(parser.handler.root) + if yaml_obj.is_a?(Array) && (yaml_obj.length() == 1) + yaml_obj.first + else + yaml_obj + end +end + ############################################################################### # tests diff --git a/logstash/ruby/netbox_enrich.rb b/logstash/ruby/netbox_enrich.rb index b3076f932..4d0c9c608 100644 --- a/logstash/ruby/netbox_enrich.rb +++ b/logstash/ruby/netbox_enrich.rb @@ -9,6 +9,7 @@ def register(params) require 'ipaddr' require 'json' require 'lru_redux' + require 'psych' require 'stringex_lite' # global enable/disable for this plugin based on environment variable(s) @@ -116,7 +117,7 @@ def register(params) _vendor_oui_map_path = params.fetch("vendor_oui_map_path", "/etc/vendor_macs.yaml") if File.exist?(_vendor_oui_map_path) @macarray = Array.new - YAML.safe_load(File.read(_vendor_oui_map_path)).each do |mac| + psych_load_yaml(_vendor_oui_map_path).each do |mac| @macarray.push([mac_string_to_integer(mac['low']), mac_string_to_integer(mac['high']), mac['name']]) end # Array.bsearch only works on a sorted array 
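Review bot: The new `psych_load_yaml` helper in `mac_lookup.rb` replaces `YAML.safe_load` with `Psych::Visitors::ToRuby.create()`, which is the unrestricted visitor: it resolves tagged nodes to arbitrary Ruby classes and follows aliases, the two things `safe_load` exists to block. The map files are presumably baked into the image, but the guard is dropped only to raise `code_point_limit`, and the same helper is added to `netbox_enrich.rb` in its `@@ -724,6 +725,18 @@` hunk. Building the visitor the way `safe_load` does keeps the restriction and the larger limit; this is not verified against the JRuby psych build used here.

```ruby
def psych_load_yaml(filename)
  # … unchanged: parser creation, code_point_limit, parser.parse …
  class_loader = Psych::ClassLoader::Restricted.new([], [])
  scanner = Psych::ScalarScanner.new(class_loader)
  visitor = Psych::Visitors::NoAliasRuby.new(scanner, class_loader)
  yaml_obj = visitor.accept(parser.handler.root)
  # … unchanged: single-document unwrap and return …
```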
@@ -129,7 +130,7 @@ def register(params) _vm_oui_map_path = params.fetch("vm_oui_map_path", "/etc/vm_macs.yaml") if File.exist?(_vm_oui_map_path) @vm_namesarray = Set.new - YAML.safe_load(File.read(_vm_oui_map_path)).each do |mac| + psych_load_yaml(_vm_oui_map_path).each do |mac| @vm_namesarray.add(mac['name'].to_s.downcase) end else @@ -724,6 +725,18 @@ def mac_string_to_integer(string) string.tr('.:-','').to_i(16) end +def psych_load_yaml(filename) + parser = Psych::Parser.new(Psych::TreeBuilder.new) + parser.code_point_limit = 64*1024*1024 + parser.parse(IO.read(filename, :mode => 'r:bom|utf-8')) + yaml_obj = Psych::Visitors::ToRuby.create().accept(parser.handler.root) + if yaml_obj.is_a?(Array) && (yaml_obj.length() == 1) + yaml_obj.first + else + yaml_obj + end +end + def collect_values(hashes) # https://stackoverflow.com/q/5490952 hashes.reduce({}){ |h, pairs| pairs.each { |k,v| (h[k] ||= []) << v}; h } From f0220d3cbe8d7f6b7be390ae72e2eba6fa798b73 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Wed, 9 Aug 2023 10:48:45 -0600 Subject: [PATCH 53/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress) --- Dockerfiles/file-upload.Dockerfile | 91 +++++--- config/upload.env.example | 1 - docs/contributing-pcap.md | 2 +- file-upload/docker-entrypoint.sh | 10 +- .../jquery-file-upload/bootstrap.min.css | 12 - file-upload/jquery-file-upload/index.html | 215 ------------------ file-upload/jquery-file-upload/index.php | 23 -- file-upload/nginx/sites-available/default | 10 +- file-upload/php/config.php | 20 ++ file-upload/php/submit.php | 109 +++++++++ file-upload/site/index.html | 138 +++++++++++ file-upload/supervisord.conf | 10 + kubernetes/05-upload.yml | 4 +- malcolm-iso/build.sh | 13 +- pcap/upload/tmp/.gitignore | 3 + pcap/upload/variants/.gitignore | 3 + scripts/control.py | 4 +- scripts/malcolm_appliance_packager.sh | 13 +- 18 files changed, 363 insertions(+), 318 deletions(-) delete mode 100644 config/upload.env.example delete mode 100644 file-upload/jquery-file-upload/bootstrap.min.css delete mode 100644 file-upload/jquery-file-upload/index.html delete mode 100644 file-upload/jquery-file-upload/index.php create mode 100644 file-upload/php/config.php create mode 100644 file-upload/php/submit.php create mode 100644 file-upload/site/index.html create mode 100644 pcap/upload/tmp/.gitignore create mode 100644 pcap/upload/variants/.gitignore diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile index 974dc0806..e2cc7c501 100644 --- a/Dockerfiles/file-upload.Dockerfile +++ b/Dockerfiles/file-upload.Dockerfile 
@@ -1,25 +1,19 @@ -FROM debian:12-slim AS build +FROM debian:12-slim AS npmget # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. ENV DEBIAN_FRONTEND noninteractive -ENV JQUERY_FILE_UPLOAD_VERSION v9.19.1 -ENV JQUERY_FILE_UPLOAD_URL "https://github.com/blueimp/jQuery-File-Upload/archive/${JQUERY_FILE_UPLOAD_VERSION}.tar.gz" - RUN apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ - apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages install --no-install-recommends npm node-encoding git ca-certificates curl wget && \ - npm install -g bower && \ - mkdir -p /jQuery-File-Upload && \ - curl -sSL "$JQUERY_FILE_UPLOAD_URL" | tar xzvf - -C /jQuery-File-Upload --strip-components 1 && \ - cd /jQuery-File-Upload && \ - bower --allow-root install bootstrap && \ - bower --allow-root install jquery && \ - bower --allow-root install blueimp-gallery && \ - bower --allow-root install bootstrap-tagsinput && \ - rm -rf /jQuery-File-Upload/*.html /jQuery-File-Upload/test/ /jQuery-File-Upload/server/gae-go/ \ - /jQuery-File-Upload/server/gae-python/ + apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages install --no-install-recommends npm node-encoding git ca-certificates && \ + npm install -g \ + filepond \ + filepond-plugin-file-validate-size \ + filepond-plugin-file-validate-type \ + filepond-plugin-file-metadata \ + filepond-plugin-file-rename \ + @jcubic/tagger FROM debian:12-slim AS runtime 
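Review bot: The `npm install -g` list in the `npmget` stage names `filepond`, its four plugins and `@jcubic/tagger` with no versions, so every image build pulls whatever the registry serves at that moment, whereas the removed stage fixed jQuery-File-Upload to `v9.19.1` through `JQUERY_FILE_UPLOAD_VERSION`. The next hunk copies these packages under `/var/www/upload`, so a changed or compromised release would reach the upload page unnoticed. Pin each package, e.g. `filepond@<FILEPOND_VERSION>` driven by an `ENV` like the one removed here, with the placeholder replaced by the release that was tested.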
@@ -49,56 +43,82 @@ ENV TERM xterm ARG PHP_VERSION=8.2 ENV PHP_VERSION $PHP_VERSION -ARG SITE_NAME="Capture File and Log Archive Upload" -ENV SITE_NAME $SITE_NAME +ARG FILEPOND_SERVER_BRANCH=master +ENV FILEPOND_SERVER_BRANCH $FILEPOND_SERVER_BRANCH + +ENV SUPERCRONIC_VERSION "0.2.26" +ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" +ENV SUPERCRONIC "supercronic-linux-amd64" +ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735" +ENV SUPERCRONIC_CRONTAB "/etc/crontab" -COPY --from=build /jQuery-File-Upload/ /var/www/upload/ +COPY --from=npmget /usr/local/lib/node_modules/filepond /var/www/upload/filepond +COPY --from=npmget /usr/local/lib/node_modules/filepond-plugin-file-validate-size /var/www/upload/filepond-plugin-file-validate-size +COPY --from=npmget /usr/local/lib/node_modules/filepond-plugin-file-validate-type /var/www/upload/filepond-plugin-file-validate-type +COPY --from=npmget /usr/local/lib/node_modules/filepond-plugin-file-metadata /var/www/upload/filepond-plugin-file-metadata +COPY --from=npmget /usr/local/lib/node_modules/filepond-plugin-file-rename /var/www/upload/filepond-plugin-file-rename +COPY --from=npmget /usr/local/lib/node_modules/@jcubic /var/www/upload/@jcubic RUN apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages install --no-install-recommends \ - wget \ ca-certificates \ - openssh-server \ - supervisor \ - vim-tiny \ + curl \ + file \ less \ + nginx-light \ + openssh-server \ php$PHP_VERSION \ - php$PHP_VERSION-fpm \ php$PHP_VERSION-apcu \ - nginx-light \ + php$PHP_VERSION-fpm \ rsync \ - tini && \ + supervisor \ + tini \ + vim-tiny && \ + curl -fsSLO "$SUPERCRONIC_URL" && \ + echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ + chmod +x "$SUPERCRONIC" && \ + mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" && \ + ln -sr 
"/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic && \ + mkdir -p /var/www/upload/server/php \ + /tmp/filepond-server && \ + cd /tmp && \ + curl -sSL "https://github.com/pqina/filepond-server-php/archive/${FILEPOND_SERVER_BRANCH}.tar.gz" | tar xzvf - -C ./filepond-server --strip-components 1 && \ + rsync -a --include="*/" --include="*.php" --exclude="*" ./filepond-server/ /var/www/upload/server/php/ && \ apt-get clean -y -q && \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/* COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic COPY --chmod=755 file-upload/docker-entrypoint.sh /docker-entrypoint.sh ADD docs/images/logo/Malcolm_banner.png /var/www/upload/Malcolm_banner.png -ADD file-upload/jquery-file-upload/bootstrap.min.css /var/www/upload/bower_components/bootstrap/dist/css/bootstrap.min.css -ADD file-upload/jquery-file-upload/index.html /var/www/upload/index.html -ADD file-upload/jquery-file-upload/index.php /var/www/upload/server/php/index.php ADD file-upload/nginx/sites-available/default /etc/nginx/sites-available/default ADD file-upload/php/php.ini /etc/php/$PHP_VERSION/fpm/php.ini +ADD file-upload/*.php /var/www/upload/server/php/ +ADD file-upload/site/index.html /var/www/upload/index.html ADD file-upload/sshd_config /tmp/sshd_config ADD file-upload/supervisord.conf /supervisord.conf -RUN mkdir -p /var/run/sshd /var/www/upload/server/php/chroot /run/php && \ - mv /var/www/upload/server/php/files /var/www/upload/server/php/chroot && \ +RUN mkdir -p /run/php \ + /var/run/sshd \ + /var/www/upload/server/php/chroot/files && \ ln -s /var/www/upload/server/php/chroot/files /var/www/upload/server/php/files && \ ln -sr /var/www/upload /var/www/upload/upload && \ perl -i -pl -e 's/^#?(\s*PermitRootLogin\s+)[\w\-]+$/$1no/i;' \ - -e 
's/^#?(\s*PasswordAuthentication\s+)\w+$/$1no/i' /etc/ssh/sshd_config && \ - chmod a+x /docker-entrypoint.sh && \ + -e 's/^#?(\s*PasswordAuthentication\s+)\w+$/$1no/i' /etc/ssh/sshd_config && \ cat /tmp/sshd_config >>/etc/ssh/sshd_config && \ + touch ${SUPERCRONIC_CRONTAB} && \ chmod 775 /var/www/upload/server/php/chroot/files && \ - chmod 755 /var /var/www /var/www/upload /var/www/upload/server /var/www/upload/server/php \ + chmod 755 /var \ + /var/www \ + /var/www/upload \ + /var/www/upload/server \ + /var/www/upload/server/php \ /var/www/upload/server/php/chroot && \ echo "Put your files into /files. Don't use subdirectories." \ >/var/www/upload/server/php/chroot/README.txt && \ - rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/* /var/www/upload/server/php/chroot/files/.gitignore /tmp/sshd_config + rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/* VOLUME [ "/var/www/upload/server/php/chroot/files" ] EXPOSE 22 80 @@ -112,7 +132,6 @@ ENTRYPOINT ["/usr/bin/tini", \ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf", "-u", "root", "-n"] - # to be populated at build-time: ARG BUILD_DATE ARG MALCOLM_VERSION diff --git a/config/upload.env.example b/config/upload.env.example deleted file mode 100644 index ebc4e3d25..000000000 --- a/config/upload.env.example +++ /dev/null @@ -1 +0,0 @@ -SITE_NAME=Capture File and Log Archive Upload \ No newline at end of file diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md index 3f1defd2e..591e9027a 100644 --- a/docs/contributing-pcap.md +++ b/docs/contributing-pcap.md 
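Review bot: `FILEPOND_SERVER_BRANCH` defaults to `master` and the `filepond-server-php` tarball is piped from `curl -sSL` straight into `tar` with no integrity check, so the PHP that handles uploads is whatever that branch holds at build time. Supercronic, a few lines earlier in the same `RUN`, is fixed to a version and checked with `sha1sum -c`; the tarball should get the same treatment, with the ARG defaulting to a tag or commit and a recorded digest verified before extraction. SHA-256 would be preferable for both downloads, since SHA-1 is no longer collision-resistant. Separately, `ADD file-upload/*.php` matches files directly under `file-upload/`, while the diffstat lists the new PHP files under `file-upload/php/`; if nothing else matches the glob, that line may need to read `ADD file-upload/php/*.php`.

```dockerfile
ARG FILEPOND_SERVER_BRANCH=<TAG_OR_COMMIT>
ARG FILEPOND_SERVER_SHA256=<SHA256_OF_TARBALL>
# … unchanged: package install, supercronic download and check …
    curl -fsSL -o filepond-server.tar.gz "https://github.com/pqina/filepond-server-php/archive/${FILEPOND_SERVER_BRANCH}.tar.gz" && \
    echo "${FILEPOND_SERVER_SHA256}  filepond-server.tar.gz" | sha256sum -c - && \
    tar xzf filepond-server.tar.gz -C ./filepond-server --strip-components 1 && \
# … unchanged: rsync of *.php, apt cleanup …
```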
@@ -1,6 +1,6 @@ # PCAP processors -When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload/` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.08.0 release]({{ site.github.repository_url }}/releases/tag/v23.08.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: +When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.08.0 release]({{ site.github.repository_url }}/releases/tag/v23.08.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: 1. 
Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section * Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory diff --git a/file-upload/docker-entrypoint.sh b/file-upload/docker-entrypoint.sh index 95685445f..a702ddb2f 100755 --- a/file-upload/docker-entrypoint.sh +++ b/file-upload/docker-entrypoint.sh @@ -3,10 +3,9 @@ # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. -if [[ -z $SITE_NAME || -z $MALCOLM_USERNAME || -z $MALCOLM_PASSWORD ]] +if [[-z $MALCOLM_USERNAME || -z $MALCOLM_PASSWORD ]] then - echo "Please set the site name, username and (openssl-encrypted then base64-encoded) password by adding the following arguments to docker run/create:" - echo " -e SITE_NAME='...'" + echo "Please set the SSH username and (openssl-encrypted then base64-encoded) password by adding the following arguments to docker run/create:" echo " -e MALCOLM_USERNAME='...'" echo " -e MALCOLM_PASSWORD='...'" exit 1 @@ -21,10 +20,9 @@ then useradd -g $PGROUP -d /var/www/upload/server/php/chroot -s /sbin/nologin "$MALCOLM_USERNAME" usermod --password "$(echo -n "$MALCOLM_PASSWORD" | base64 -d)" "$MALCOLM_USERNAME" chown :$PGROUP /var/www/upload/server/php/chroot/files + chown :$PGROUP /var/www/upload/server/php/chroot/files/{tmp,variants} || true chmod 775 /var/www/upload/server/php/chroot/files - - # This will break if $SITE_NAME contains a slash... - sed -i 's/%SITE_NAME%/'"$SITE_NAME"'/g' /var/www/upload/index.html + chmod 775 /var/www/upload/server/php/chroot/files/{tmp,variants} || true else echo "skipping one-time setup tasks" 1>&2 diff --git a/file-upload/jquery-file-upload/bootstrap.min.css b/file-upload/jquery-file-upload/bootstrap.min.css deleted file mode 100644 index 523da07bf..000000000 --- a/file-upload/jquery-file-upload/bootstrap.min.css +++ /dev/null 
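Review bot: The rewritten test in docker-entrypoint.sh, `if [[-z $MALCOLM_USERNAME || -z $MALCOLM_PASSWORD ]]`, has no space after `[[`, so bash reads `[[-z` as a command name rather than the `[[` keyword. Both sides of `||` then fail with "command not found", the condition is false, and the missing-credentials guard with its `exit 1` is never reached. As shown (unless the space was lost when the page was extracted), the container would carry on into the `useradd`/`usermod` setup with an empty username or password hash instead of stopping. Restore the space: `if [[ -z $MALCOLM_USERNAME || -z $MALCOLM_PASSWORD ]]`.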
@@ -1,12 +0,0 @@ -/*! - * Bootswatch v4.4.1 - * Homepage: https://bootswatch.com - * Copyright 2012-2020 Thomas Park - * Licensed under MIT - * Based on Bootstrap -*//*! - * Bootstrap v4.4.1 (https://getbootstrap.com/) - * Copyright 2011-2019 The Bootstrap Authors - * Copyright 2011-2019 Twitter, Inc. - * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) - */:root{--blue: #007bff;--indigo: #6610f2;--purple: #6f42c1;--pink: #e83e8c;--red: #ee5f5b;--orange: #fd7e14;--yellow: #f89406;--green: #62c462;--teal: #20c997;--cyan: #5bc0de;--white: #fff;--gray: #7A8288;--gray-dark: #3A3F44;--primary: #3A3F44;--secondary: #7A8288;--success: #62c462;--info: #5bc0de;--warning: #f89406;--danger: #ee5f5b;--light: #e9ecef;--dark: #272B30;--breakpoint-xs: 0;--breakpoint-sm: 576px;--breakpoint-md: 768px;--breakpoint-lg: 992px;--breakpoint-xl: 1200px;--font-family-sans-serif: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";--font-family-monospace: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace}*,*::before,*::after{-webkit-box-sizing:border-box;box-sizing:border-box}html{font-family:sans-serif;line-height:1.15;-webkit-text-size-adjust:100%;-webkit-tap-highlight-color:rgba(0,0,0,0)}article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}body{margin:0;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";font-size:0.9375rem;font-weight:400;line-height:1.5;color:#aaa;text-align:left;background-color:#272B30}[tabindex="-1"]:focus:not(:focus-visible){outline:0 
!important}hr{-webkit-box-sizing:content-box;box-sizing:content-box;height:0;overflow:visible}h1,h2,h3,h4,h5,h6{margin-top:0;margin-bottom:0.5rem}p{margin-top:0;margin-bottom:1rem}abbr[title],abbr[data-original-title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0;text-decoration-skip-ink:none}address{margin-bottom:1rem;font-style:normal;line-height:inherit}ol,ul,dl{margin-top:0;margin-bottom:1rem}ol ol,ul ul,ol ul,ul ol{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}b,strong{font-weight:bolder}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}a{color:#fff;text-decoration:none;background-color:transparent}a:hover{color:#d9d9d9;text-decoration:underline}a:not([href]){color:inherit;text-decoration:none}a:not([href]):hover{color:inherit;text-decoration:none}pre,code,kbd,samp{font-family:SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;font-size:1em}pre{margin-top:0;margin-bottom:1rem;overflow:auto}figure{margin:0 0 1rem}img{vertical-align:middle;border-style:none}svg{overflow:hidden;vertical-align:middle}table{border-collapse:collapse}caption{padding-top:0.75rem;padding-bottom:0.75rem;color:#7A8288;text-align:left;caption-side:bottom}th{text-align:inherit}label{display:inline-block;margin-bottom:0.5rem}button{border-radius:0}button:focus{outline:1px dotted;outline:5px auto 
-webkit-focus-ring-color}input,button,select,optgroup,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}button,input{overflow:visible}button,select{text-transform:none}select{word-wrap:normal}button,[type="button"],[type="reset"],[type="submit"]{-webkit-appearance:button}button:not(:disabled),[type="button"]:not(:disabled),[type="reset"]:not(:disabled),[type="submit"]:not(:disabled){cursor:pointer}button::-moz-focus-inner,[type="button"]::-moz-focus-inner,[type="reset"]::-moz-focus-inner,[type="submit"]::-moz-focus-inner{padding:0;border-style:none}input[type="radio"],input[type="checkbox"]{-webkit-box-sizing:border-box;box-sizing:border-box;padding:0}input[type="date"],input[type="time"],input[type="datetime-local"],input[type="month"]{-webkit-appearance:listbox}textarea{overflow:auto;resize:vertical}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;max-width:100%;padding:0;margin-bottom:.5rem;font-size:1.5rem;line-height:inherit;color:inherit;white-space:normal}progress{vertical-align:baseline}[type="number"]::-webkit-inner-spin-button,[type="number"]::-webkit-outer-spin-button{height:auto}[type="search"]{outline-offset:-2px;-webkit-appearance:none}[type="search"]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{font:inherit;-webkit-appearance:button}output{display:inline-block}summary{display:list-item;cursor:pointer}template{display:none}[hidden]{display:none 
!important}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{margin-bottom:0.5rem;font-weight:500;line-height:1.2}h1,.h1{font-size:2.34375rem}h2,.h2{font-size:1.875rem}h3,.h3{font-size:1.640625rem}h4,.h4{font-size:1.40625rem}h5,.h5{font-size:1.171875rem}h6,.h6{font-size:0.9375rem}.lead{font-size:1.171875rem;font-weight:300}.display-1{font-size:6rem;font-weight:300;line-height:1.2}.display-2{font-size:5.5rem;font-weight:300;line-height:1.2}.display-3{font-size:4.5rem;font-weight:300;line-height:1.2}.display-4{font-size:3.5rem;font-weight:300;line-height:1.2}hr{margin-top:1rem;margin-bottom:1rem;border:0;border-top:1px solid rgba(0,0,0,0.1)}small,.small{font-size:80%;font-weight:400}mark,.mark{padding:0.2em;background-color:#fcf8e3}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none}.list-inline-item{display:inline-block}.list-inline-item:not(:last-child){margin-right:0.5rem}.initialism{font-size:90%;text-transform:uppercase}.blockquote{margin-bottom:1rem;font-size:1.171875rem}.blockquote-footer{display:block;font-size:80%;color:#7A8288}.blockquote-footer::before{content:"\2014\00A0"}.img-fluid{max-width:100%;height:auto}.img-thumbnail{padding:0.25rem;background-color:#272B30;border:1px solid #dee2e6;border-radius:0.25rem;max-width:100%;height:auto}.figure{display:inline-block}.figure-img{margin-bottom:0.5rem;line-height:1}.figure-caption{font-size:90%;color:#7A8288}code{font-size:87.5%;color:#e83e8c;word-wrap:break-word}a>code{color:inherit}kbd{padding:0.2rem 0.4rem;font-size:87.5%;color:#fff;background-color:#272B30;border-radius:0.2rem}kbd kbd{padding:0;font-size:100%;font-weight:700}pre{display:block;font-size:87.5%;color:inherit}pre code{font-size:inherit;color:inherit;word-break:normal}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width: 576px){.container{max-width:540px}}@media (min-width: 
768px){.container{max-width:720px}}@media (min-width: 992px){.container{max-width:960px}}@media (min-width: 1200px){.container{max-width:1140px}}.container-fluid,.container-sm,.container-md,.container-lg,.container-xl{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width: 576px){.container,.container-sm{max-width:540px}}@media (min-width: 768px){.container,.container-sm,.container-md{max-width:720px}}@media (min-width: 992px){.container,.container-sm,.container-md,.container-lg{max-width:960px}}@media (min-width: 1200px){.container,.container-sm,.container-md,.container-lg,.container-xl{max-width:1140px}}.row{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;margin-right:-15px;margin-left:-15px}.no-gutters{margin-right:0;margin-left:0}.no-gutters>.col,.no-gutters>[class*="col-"]{padding-right:0;padding-left:0}.col-1,.col-2,.col-3,.col-4,.col-5,.col-6,.col-7,.col-8,.col-9,.col-10,.col-11,.col-12,.col,.col-auto,.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12,.col-sm,.col-sm-auto,.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12,.col-md,.col-md-auto,.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12,.col-lg,.col-lg-auto,.col-xl-1,.col-xl-2,.col-xl-3,.col-xl-4,.col-xl-5,.col-xl-6,.col-xl-7,.col-xl-8,.col-xl-9,.col-xl-10,.col-xl-11,.col-xl-12,.col-xl,.col-xl-auto{position:relative;width:100%;padding-right:15px;padding-left:15px}.col{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 
33.3333333333%;max-width:33.3333333333%}.row-cols-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-5>*{-webkit-box-flex:0;-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 
100%;max-width:100%}.order-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-1{margin-left:8.3333333333%}.offset-2{margin-left:16.6666666667%}.offset-3{margin-left:25%}.offset-4{margin-left:33.3333333333%}.offset-5{margin-left:41.6666666667%}.offset-6{margin-left:50%}.offset-7{margin-left:58.3333333333%}.offset-8{margin-left:66.6666666667%}.offset-9{margin-left:75%}.offset-10{margin-left:83.3333333333%}.offset-11{margin-left:91.6666666667%}@media (min-width: 576px){.col-sm{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-sm-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-sm-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-sm-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.row-cols-sm-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-sm-5>*{-webkit-box-flex:0;-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-sm-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 
16.6666666667%;max-width:16.6666666667%}.col-sm-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-sm-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-sm-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-sm-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-sm-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-sm-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-sm-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-sm-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-sm-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-sm-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-sm-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-sm-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-sm-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 
100%;max-width:100%}.order-sm-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-sm-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-sm-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-sm-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-sm-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-sm-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-sm-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-sm-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-sm-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-sm-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-sm-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-sm-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-sm-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-sm-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-sm-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-sm-0{margin-left:0}.offset-sm-1{margin-left:8.3333333333%}.offset-sm-2{margin-left:16.6666666667%}.offset-sm-3{margin-left:25%}.offset-sm-4{margin-left:33.3333333333%}.offset-sm-5{margin-left:41.6666666667%}.offset-sm-6{margin-left:50%}.offset-sm-7{margin-left:58.3333333333%}.offset-sm-8{margin-left:66.6666666667%}.offset-sm-9{margin-left:75%}.offset-sm-10{margin-left:83.3333333333%}.offset-sm-11{margin-left:91.6666666667%}}@media (min-width: 768px){.col-md{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-md-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-md-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-md-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.row-cols-md-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-md-5>*{-webkit-box-flex:0;-ms-flex:0 0 
20%;flex:0 0 20%;max-width:20%}.row-cols-md-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-md-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-md-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-md-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-md-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-md-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-md-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-md-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-md-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-md-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-md-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-md-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-md-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-md-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 
100%;max-width:100%}.order-md-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-md-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-md-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-md-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-md-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-md-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-md-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-md-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-md-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-md-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-md-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-md-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-md-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-md-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-md-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-md-0{margin-left:0}.offset-md-1{margin-left:8.3333333333%}.offset-md-2{margin-left:16.6666666667%}.offset-md-3{margin-left:25%}.offset-md-4{margin-left:33.3333333333%}.offset-md-5{margin-left:41.6666666667%}.offset-md-6{margin-left:50%}.offset-md-7{margin-left:58.3333333333%}.offset-md-8{margin-left:66.6666666667%}.offset-md-9{margin-left:75%}.offset-md-10{margin-left:83.3333333333%}.offset-md-11{margin-left:91.6666666667%}}@media (min-width: 992px){.col-lg{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-lg-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-lg-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-lg-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.row-cols-lg-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-lg-5>*{-webkit-box-flex:0;-ms-flex:0 0 
20%;flex:0 0 20%;max-width:20%}.row-cols-lg-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-lg-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-lg-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-lg-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-lg-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-lg-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-lg-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-lg-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-lg-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-lg-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-lg-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-lg-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-lg-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-lg-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 
100%;max-width:100%}.order-lg-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-lg-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-lg-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-lg-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-lg-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-lg-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-lg-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-lg-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-lg-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-lg-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-lg-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-lg-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-lg-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-lg-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-lg-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-lg-0{margin-left:0}.offset-lg-1{margin-left:8.3333333333%}.offset-lg-2{margin-left:16.6666666667%}.offset-lg-3{margin-left:25%}.offset-lg-4{margin-left:33.3333333333%}.offset-lg-5{margin-left:41.6666666667%}.offset-lg-6{margin-left:50%}.offset-lg-7{margin-left:58.3333333333%}.offset-lg-8{margin-left:66.6666666667%}.offset-lg-9{margin-left:75%}.offset-lg-10{margin-left:83.3333333333%}.offset-lg-11{margin-left:91.6666666667%}}@media (min-width: 1200px){.col-xl{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;max-width:100%}.row-cols-xl-1>*{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-xl-2>*{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-xl-3>*{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.row-cols-xl-4>*{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-xl-5>*{-webkit-box-flex:0;-ms-flex:0 
0 20%;flex:0 0 20%;max-width:20%}.row-cols-xl-6>*{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-xl-auto{-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-xl-1{-webkit-box-flex:0;-ms-flex:0 0 8.3333333333%;flex:0 0 8.3333333333%;max-width:8.3333333333%}.col-xl-2{-webkit-box-flex:0;-ms-flex:0 0 16.6666666667%;flex:0 0 16.6666666667%;max-width:16.6666666667%}.col-xl-3{-webkit-box-flex:0;-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-xl-4{-webkit-box-flex:0;-ms-flex:0 0 33.3333333333%;flex:0 0 33.3333333333%;max-width:33.3333333333%}.col-xl-5{-webkit-box-flex:0;-ms-flex:0 0 41.6666666667%;flex:0 0 41.6666666667%;max-width:41.6666666667%}.col-xl-6{-webkit-box-flex:0;-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-xl-7{-webkit-box-flex:0;-ms-flex:0 0 58.3333333333%;flex:0 0 58.3333333333%;max-width:58.3333333333%}.col-xl-8{-webkit-box-flex:0;-ms-flex:0 0 66.6666666667%;flex:0 0 66.6666666667%;max-width:66.6666666667%}.col-xl-9{-webkit-box-flex:0;-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-xl-10{-webkit-box-flex:0;-ms-flex:0 0 83.3333333333%;flex:0 0 83.3333333333%;max-width:83.3333333333%}.col-xl-11{-webkit-box-flex:0;-ms-flex:0 0 91.6666666667%;flex:0 0 91.6666666667%;max-width:91.6666666667%}.col-xl-12{-webkit-box-flex:0;-ms-flex:0 0 100%;flex:0 0 
100%;max-width:100%}.order-xl-first{-webkit-box-ordinal-group:0;-ms-flex-order:-1;order:-1}.order-xl-last{-webkit-box-ordinal-group:14;-ms-flex-order:13;order:13}.order-xl-0{-webkit-box-ordinal-group:1;-ms-flex-order:0;order:0}.order-xl-1{-webkit-box-ordinal-group:2;-ms-flex-order:1;order:1}.order-xl-2{-webkit-box-ordinal-group:3;-ms-flex-order:2;order:2}.order-xl-3{-webkit-box-ordinal-group:4;-ms-flex-order:3;order:3}.order-xl-4{-webkit-box-ordinal-group:5;-ms-flex-order:4;order:4}.order-xl-5{-webkit-box-ordinal-group:6;-ms-flex-order:5;order:5}.order-xl-6{-webkit-box-ordinal-group:7;-ms-flex-order:6;order:6}.order-xl-7{-webkit-box-ordinal-group:8;-ms-flex-order:7;order:7}.order-xl-8{-webkit-box-ordinal-group:9;-ms-flex-order:8;order:8}.order-xl-9{-webkit-box-ordinal-group:10;-ms-flex-order:9;order:9}.order-xl-10{-webkit-box-ordinal-group:11;-ms-flex-order:10;order:10}.order-xl-11{-webkit-box-ordinal-group:12;-ms-flex-order:11;order:11}.order-xl-12{-webkit-box-ordinal-group:13;-ms-flex-order:12;order:12}.offset-xl-0{margin-left:0}.offset-xl-1{margin-left:8.3333333333%}.offset-xl-2{margin-left:16.6666666667%}.offset-xl-3{margin-left:25%}.offset-xl-4{margin-left:33.3333333333%}.offset-xl-5{margin-left:41.6666666667%}.offset-xl-6{margin-left:50%}.offset-xl-7{margin-left:58.3333333333%}.offset-xl-8{margin-left:66.6666666667%}.offset-xl-9{margin-left:75%}.offset-xl-10{margin-left:83.3333333333%}.offset-xl-11{margin-left:91.6666666667%}}.table{width:100%;margin-bottom:1rem;color:#fff}.table th,.table td{padding:0.75rem;vertical-align:top;border-top:1px solid rgba(0,0,0,0.6)}.table thead th{vertical-align:bottom;border-bottom:2px solid rgba(0,0,0,0.6)}.table tbody+tbody{border-top:2px solid rgba(0,0,0,0.6)}.table-sm th,.table-sm td{padding:0.3rem}.table-bordered{border:1px solid rgba(0,0,0,0.6)}.table-bordered th,.table-bordered td{border:1px solid rgba(0,0,0,0.6)}.table-bordered thead th,.table-bordered thead td{border-bottom-width:2px}.table-borderless 
th,.table-borderless td,.table-borderless thead th,.table-borderless tbody+tbody{border:0}.table-striped tbody tr:nth-of-type(odd){background-color:rgba(255,255,255,0.05)}.table-hover tbody tr:hover{color:#fff;background-color:rgba(255,255,255,0.075)}.table-primary,.table-primary>th,.table-primary>td{background-color:#c8c9cb}.table-primary th,.table-primary td,.table-primary thead th,.table-primary tbody+tbody{border-color:#999b9e}.table-hover .table-primary:hover{background-color:#bbbcbf}.table-hover .table-primary:hover>td,.table-hover .table-primary:hover>th{background-color:#bbbcbf}.table-secondary,.table-secondary>th,.table-secondary>td{background-color:#dadcde}.table-secondary th,.table-secondary td,.table-secondary thead th,.table-secondary tbody+tbody{border-color:#babec1}.table-hover .table-secondary:hover{background-color:#cdcfd2}.table-hover .table-secondary:hover>td,.table-hover .table-secondary:hover>th{background-color:#cdcfd2}.table-success,.table-success>th,.table-success>td{background-color:#d3eed3}.table-success th,.table-success td,.table-success thead th,.table-success tbody+tbody{border-color:#ade0ad}.table-hover .table-success:hover{background-color:#c1e7c1}.table-hover .table-success:hover>td,.table-hover .table-success:hover>th{background-color:#c1e7c1}.table-info,.table-info>th,.table-info>td{background-color:#d1edf6}.table-info th,.table-info td,.table-info thead th,.table-info tbody+tbody{border-color:#aadeee}.table-hover .table-info:hover{background-color:#bce5f2}.table-hover .table-info:hover>td,.table-hover .table-info:hover>th{background-color:#bce5f2}.table-warning,.table-warning>th,.table-warning>td{background-color:#fde1b9}.table-warning th,.table-warning td,.table-warning thead th,.table-warning tbody+tbody{border-color:#fbc77e}.table-hover .table-warning:hover{background-color:#fcd6a0}.table-hover .table-warning:hover>td,.table-hover 
.table-warning:hover>th{background-color:#fcd6a0}.table-danger,.table-danger>th,.table-danger>td{background-color:#fad2d1}.table-danger th,.table-danger td,.table-danger thead th,.table-danger tbody+tbody{border-color:#f6acaa}.table-hover .table-danger:hover{background-color:#f8bcba}.table-hover .table-danger:hover>td,.table-hover .table-danger:hover>th{background-color:#f8bcba}.table-light,.table-light>th,.table-light>td{background-color:#f9fafb}.table-light th,.table-light td,.table-light thead th,.table-light tbody+tbody{border-color:#f4f5f7}.table-hover .table-light:hover{background-color:#eaedf1}.table-hover .table-light:hover>td,.table-hover .table-light:hover>th{background-color:#eaedf1}.table-dark,.table-dark>th,.table-dark>td{background-color:#c3c4c5}.table-dark th,.table-dark td,.table-dark thead th,.table-dark tbody+tbody{border-color:#8f9193}.table-hover .table-dark:hover{background-color:#b6b7b8}.table-hover .table-dark:hover>td,.table-hover .table-dark:hover>th{background-color:#b6b7b8}.table-active,.table-active>th,.table-active>td{background-color:rgba(255,255,255,0.075)}.table-hover .table-active:hover{background-color:rgba(242,242,242,0.075)}.table-hover .table-active:hover>td,.table-hover .table-active:hover>th{background-color:rgba(242,242,242,0.075)}.table .thead-dark th{color:#fff;background-color:#3A3F44;border-color:rgba(0,0,0,0.6)}.table .thead-light th{color:#52575C;background-color:#e9ecef;border-color:rgba(0,0,0,0.6)}.table-dark{color:#fff;background-color:#3A3F44}.table-dark th,.table-dark td,.table-dark thead th{border-color:rgba(0,0,0,0.6)}.table-dark.table-bordered{border:0}.table-dark.table-striped tbody tr:nth-of-type(odd){background-color:rgba(255,255,255,0.05)}.table-dark.table-hover tbody tr:hover{color:#fff;background-color:rgba(255,255,255,0.075)}@media (max-width: 575.98px){.table-responsive-sm{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-sm>.table-bordered{border:0}}@media 
(max-width: 767.98px){.table-responsive-md{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-md>.table-bordered{border:0}}@media (max-width: 991.98px){.table-responsive-lg{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-lg>.table-bordered{border:0}}@media (max-width: 1199.98px){.table-responsive-xl{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-xl>.table-bordered{border:0}}.table-responsive{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive>.table-bordered{border:0}.form-control{display:block;width:100%;height:calc(1.5em + 1.5rem + 2px);padding:0.75rem 1rem;font-size:0.9375rem;font-weight:400;line-height:1.5;color:#52575C;background-color:#fff;background-clip:padding-box;border:1px solid #ced4da;border-radius:0.25rem;-webkit-transition:border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.form-control{-webkit-transition:none;transition:none}}.form-control::-ms-expand{background-color:transparent;border:0}.form-control:-moz-focusring{color:transparent;text-shadow:0 0 0 #52575C}.form-control:focus{color:#52575C;background-color:#fff;border-color:#757f89;outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem 
rgba(58,63,68,0.25)}.form-control::-webkit-input-placeholder{color:#7A8288;opacity:1}.form-control::-ms-input-placeholder{color:#7A8288;opacity:1}.form-control::placeholder{color:#7A8288;opacity:1}.form-control:disabled,.form-control[readonly]{background-color:#ccc;opacity:1}select.form-control:focus::-ms-value{color:#52575C;background-color:#fff}.form-control-file,.form-control-range{display:block;width:100%}.col-form-label{padding-top:calc(0.75rem + 1px);padding-bottom:calc(0.75rem + 1px);margin-bottom:0;font-size:inherit;line-height:1.5}.col-form-label-lg{padding-top:calc(0.5rem + 1px);padding-bottom:calc(0.5rem + 1px);font-size:1.171875rem;line-height:1.5}.col-form-label-sm{padding-top:calc(0.25rem + 1px);padding-bottom:calc(0.25rem + 1px);font-size:0.8203125rem;line-height:1.5}.form-control-plaintext{display:block;width:100%;padding:0.75rem 0;margin-bottom:0;font-size:0.9375rem;line-height:1.5;color:#aaa;background-color:transparent;border:solid transparent;border-width:1px 0}.form-control-plaintext.form-control-sm,.form-control-plaintext.form-control-lg{padding-right:0;padding-left:0}.form-control-sm{height:calc(1.5em + 0.5rem + 2px);padding:0.25rem 0.5rem;font-size:0.8203125rem;line-height:1.5;border-radius:0.2rem}.form-control-lg{height:calc(1.5em + 1rem + 2px);padding:0.5rem 1rem;font-size:1.171875rem;line-height:1.5;border-radius:0.3rem}select.form-control[size],select.form-control[multiple]{height:auto}textarea.form-control{height:auto}.form-group{margin-bottom:1rem}.form-text{display:block;margin-top:0.25rem}.form-row{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;margin-right:-5px;margin-left:-5px}.form-row>.col,.form-row>[class*="col-"]{padding-right:5px;padding-left:5px}.form-check{position:relative;display:block;padding-left:1.25rem}.form-check-input{position:absolute;margin-top:0.3rem;margin-left:-1.25rem}.form-check-input[disabled] ~ .form-check-label,.form-check-input:disabled ~ 
.form-check-label{color:#7A8288}.form-check-label{margin-bottom:0}.form-check-inline{display:-webkit-inline-box;display:-ms-inline-flexbox;display:inline-flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;padding-left:0;margin-right:0.75rem}.form-check-inline .form-check-input{position:static;margin-top:0;margin-right:0.3125rem;margin-left:0}.valid-feedback{display:none;width:100%;margin-top:0.25rem;font-size:80%;color:#62c462}.valid-tooltip{position:absolute;top:100%;z-index:5;display:none;max-width:100%;padding:0.25rem 0.5rem;margin-top:.1rem;font-size:0.8203125rem;line-height:1.5;color:#fff;background-color:rgba(98,196,98,0.9);border-radius:0.25rem}.was-validated :valid ~ .valid-feedback,.was-validated :valid ~ .valid-tooltip,.is-valid ~ .valid-feedback,.is-valid ~ .valid-tooltip{display:block}.was-validated .form-control:valid,.form-control.is-valid{border-color:#62c462;padding-right:calc(1.5em + 1.5rem);background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath fill='%2362c462' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e");background-repeat:no-repeat;background-position:right calc(0.375em + 0.375rem) center;background-size:calc(0.75em + 0.75rem) calc(0.75em + 0.75rem)}.was-validated .form-control:valid:focus,.form-control.is-valid:focus{border-color:#62c462;-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25)}.was-validated textarea.form-control:valid,textarea.form-control.is-valid{padding-right:calc(1.5em + 1.5rem);background-position:top calc(0.375em + 0.375rem) right calc(0.375em + 0.375rem)}.was-validated .custom-select:valid,.custom-select.is-valid{border-color:#62c462;padding-right:calc(0.75em + 3.125rem);background:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath 
fill='%233A3F44' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right 1rem center/8px 10px,url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath fill='%2362c462' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e") #fff no-repeat center right 2rem/calc(0.75em + 0.75rem) calc(0.75em + 0.75rem)}.was-validated .custom-select:valid:focus,.custom-select.is-valid:focus{border-color:#62c462;-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25)}.was-validated .form-check-input:valid ~ .form-check-label,.form-check-input.is-valid ~ .form-check-label{color:#62c462}.was-validated .form-check-input:valid ~ .valid-feedback,.was-validated .form-check-input:valid ~ .valid-tooltip,.form-check-input.is-valid ~ .valid-feedback,.form-check-input.is-valid ~ .valid-tooltip{display:block}.was-validated .custom-control-input:valid ~ .custom-control-label,.custom-control-input.is-valid ~ .custom-control-label{color:#62c462}.was-validated .custom-control-input:valid ~ .custom-control-label::before,.custom-control-input.is-valid ~ .custom-control-label::before{border-color:#62c462}.was-validated .custom-control-input:valid:checked ~ .custom-control-label::before,.custom-control-input.is-valid:checked ~ .custom-control-label::before{border-color:#87d287;background-color:#87d287}.was-validated .custom-control-input:valid:focus ~ .custom-control-label::before,.custom-control-input.is-valid:focus ~ .custom-control-label::before{-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25)}.was-validated .custom-control-input:valid:focus:not(:checked) ~ .custom-control-label::before,.custom-control-input.is-valid:focus:not(:checked) ~ .custom-control-label::before{border-color:#62c462}.was-validated .custom-file-input:valid ~ .custom-file-label,.custom-file-input.is-valid ~ 
.custom-file-label{border-color:#62c462}.was-validated .custom-file-input:valid:focus ~ .custom-file-label,.custom-file-input.is-valid:focus ~ .custom-file-label{border-color:#62c462;-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.25)}.invalid-feedback{display:none;width:100%;margin-top:0.25rem;font-size:80%;color:#ee5f5b}.invalid-tooltip{position:absolute;top:100%;z-index:5;display:none;max-width:100%;padding:0.25rem 0.5rem;margin-top:.1rem;font-size:0.8203125rem;line-height:1.5;color:#fff;background-color:rgba(238,95,91,0.9);border-radius:0.25rem}.was-validated :invalid ~ .invalid-feedback,.was-validated :invalid ~ .invalid-tooltip,.is-invalid ~ .invalid-feedback,.is-invalid ~ .invalid-tooltip{display:block}.was-validated .form-control:invalid,.form-control.is-invalid{border-color:#ee5f5b;padding-right:calc(1.5em + 1.5rem);background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' fill='none' stroke='%23ee5f5b' viewBox='0 0 12 12'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23ee5f5b' stroke='none'/%3e%3c/svg%3e");background-repeat:no-repeat;background-position:right calc(0.375em + 0.375rem) center;background-size:calc(0.75em + 0.75rem) calc(0.75em + 0.75rem)}.was-validated .form-control:invalid:focus,.form-control.is-invalid:focus{border-color:#ee5f5b;-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25)}.was-validated textarea.form-control:invalid,textarea.form-control.is-invalid{padding-right:calc(1.5em + 1.5rem);background-position:top calc(0.375em + 0.375rem) right calc(0.375em + 0.375rem)}.was-validated .custom-select:invalid,.custom-select.is-invalid{border-color:#ee5f5b;padding-right:calc(0.75em + 3.125rem);background:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath 
fill='%233A3F44' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right 1rem center/8px 10px,url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' fill='none' stroke='%23ee5f5b' viewBox='0 0 12 12'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23ee5f5b' stroke='none'/%3e%3c/svg%3e") #fff no-repeat center right 2rem/calc(0.75em + 0.75rem) calc(0.75em + 0.75rem)}.was-validated .custom-select:invalid:focus,.custom-select.is-invalid:focus{border-color:#ee5f5b;-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25)}.was-validated .form-check-input:invalid ~ .form-check-label,.form-check-input.is-invalid ~ .form-check-label{color:#ee5f5b}.was-validated .form-check-input:invalid ~ .invalid-feedback,.was-validated .form-check-input:invalid ~ .invalid-tooltip,.form-check-input.is-invalid ~ .invalid-feedback,.form-check-input.is-invalid ~ .invalid-tooltip{display:block}.was-validated .custom-control-input:invalid ~ .custom-control-label,.custom-control-input.is-invalid ~ .custom-control-label{color:#ee5f5b}.was-validated .custom-control-input:invalid ~ .custom-control-label::before,.custom-control-input.is-invalid ~ .custom-control-label::before{border-color:#ee5f5b}.was-validated .custom-control-input:invalid:checked ~ .custom-control-label::before,.custom-control-input.is-invalid:checked ~ .custom-control-label::before{border-color:#f38c89;background-color:#f38c89}.was-validated .custom-control-input:invalid:focus ~ .custom-control-label::before,.custom-control-input.is-invalid:focus ~ .custom-control-label::before{-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25)}.was-validated .custom-control-input:invalid:focus:not(:checked) ~ .custom-control-label::before,.custom-control-input.is-invalid:focus:not(:checked) ~ 
.custom-control-label::before{border-color:#ee5f5b}.was-validated .custom-file-input:invalid ~ .custom-file-label,.custom-file-input.is-invalid ~ .custom-file-label{border-color:#ee5f5b}.was-validated .custom-file-input:invalid:focus ~ .custom-file-label,.custom-file-input.is-invalid:focus ~ .custom-file-label{border-color:#ee5f5b;-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.25)}.form-inline{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row wrap;flex-flow:row wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center}.form-inline .form-check{width:100%}@media (min-width: 576px){.form-inline label{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;margin-bottom:0}.form-inline .form-group{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-flex:0;-ms-flex:0 0 auto;flex:0 0 auto;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row wrap;flex-flow:row wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center;margin-bottom:0}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .form-control-plaintext{display:inline-block}.form-inline .input-group,.form-inline .custom-select{width:auto}.form-inline .form-check{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;width:auto;padding-left:0}.form-inline .form-check-input{position:relative;-ms-flex-negative:0;flex-shrink:0;margin-top:0;margin-right:0.25rem;margin-left:0}.form-inline 
.custom-control{-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center}.form-inline .custom-control-label{margin-bottom:0}}.btn{display:inline-block;font-weight:400;color:#aaa;text-align:center;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-color:transparent;border:1px solid transparent;padding:0.75rem 1rem;font-size:0.9375rem;line-height:1.5;border-radius:0.25rem;-webkit-transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.btn{-webkit-transition:none;transition:none}}.btn:hover{color:#aaa;text-decoration:none}.btn:focus,.btn.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.btn.disabled,.btn:disabled{opacity:0.65}a.btn.disabled,fieldset:disabled a.btn{pointer-events:none}.btn-primary{color:#fff;background-color:#3A3F44;border-color:#3A3F44}.btn-primary:hover{color:#fff;background-color:#282c2f;border-color:#232628}.btn-primary:focus,.btn-primary.focus{color:#fff;background-color:#282c2f;border-color:#232628;-webkit-box-shadow:0 0 0 0.2rem rgba(88,92,96,0.5);box-shadow:0 0 0 0.2rem 
rgba(88,92,96,0.5)}.btn-primary.disabled,.btn-primary:disabled{color:#fff;background-color:#3A3F44;border-color:#3A3F44}.btn-primary:not(:disabled):not(.disabled):active,.btn-primary:not(:disabled):not(.disabled).active,.show>.btn-primary.dropdown-toggle{color:#fff;background-color:#232628;border-color:#1d1f22}.btn-primary:not(:disabled):not(.disabled):active:focus,.btn-primary:not(:disabled):not(.disabled).active:focus,.show>.btn-primary.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(88,92,96,0.5);box-shadow:0 0 0 0.2rem rgba(88,92,96,0.5)}.btn-secondary{color:#fff;background-color:#7A8288;border-color:#7A8288}.btn-secondary:hover{color:#fff;background-color:#686f74;border-color:#62686d}.btn-secondary:focus,.btn-secondary.focus{color:#fff;background-color:#686f74;border-color:#62686d;-webkit-box-shadow:0 0 0 0.2rem rgba(142,149,154,0.5);box-shadow:0 0 0 0.2rem rgba(142,149,154,0.5)}.btn-secondary.disabled,.btn-secondary:disabled{color:#fff;background-color:#7A8288;border-color:#7A8288}.btn-secondary:not(:disabled):not(.disabled):active,.btn-secondary:not(:disabled):not(.disabled).active,.show>.btn-secondary.dropdown-toggle{color:#fff;background-color:#62686d;border-color:#5c6267}.btn-secondary:not(:disabled):not(.disabled):active:focus,.btn-secondary:not(:disabled):not(.disabled).active:focus,.show>.btn-secondary.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(142,149,154,0.5);box-shadow:0 0 0 0.2rem rgba(142,149,154,0.5)}.btn-success{color:#fff;background-color:#62c462;border-color:#62c462}.btn-success:hover{color:#fff;background-color:#46ba46;border-color:#42b142}.btn-success:focus,.btn-success.focus{color:#fff;background-color:#46ba46;border-color:#42b142;-webkit-box-shadow:0 0 0 0.2rem rgba(122,205,122,0.5);box-shadow:0 0 0 0.2rem 
rgba(122,205,122,0.5)}.btn-success.disabled,.btn-success:disabled{color:#fff;background-color:#62c462;border-color:#62c462}.btn-success:not(:disabled):not(.disabled):active,.btn-success:not(:disabled):not(.disabled).active,.show>.btn-success.dropdown-toggle{color:#fff;background-color:#42b142;border-color:#3fa73f}.btn-success:not(:disabled):not(.disabled):active:focus,.btn-success:not(:disabled):not(.disabled).active:focus,.show>.btn-success.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(122,205,122,0.5);box-shadow:0 0 0 0.2rem rgba(122,205,122,0.5)}.btn-info{color:#fff;background-color:#5bc0de;border-color:#5bc0de}.btn-info:hover{color:#fff;background-color:#3bb4d8;border-color:#31b0d5}.btn-info:focus,.btn-info.focus{color:#fff;background-color:#3bb4d8;border-color:#31b0d5;-webkit-box-shadow:0 0 0 0.2rem rgba(116,201,227,0.5);box-shadow:0 0 0 0.2rem rgba(116,201,227,0.5)}.btn-info.disabled,.btn-info:disabled{color:#fff;background-color:#5bc0de;border-color:#5bc0de}.btn-info:not(:disabled):not(.disabled):active,.btn-info:not(:disabled):not(.disabled).active,.show>.btn-info.dropdown-toggle{color:#fff;background-color:#31b0d5;border-color:#2aaacf}.btn-info:not(:disabled):not(.disabled):active:focus,.btn-info:not(:disabled):not(.disabled).active:focus,.show>.btn-info.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(116,201,227,0.5);box-shadow:0 0 0 0.2rem rgba(116,201,227,0.5)}.btn-warning{color:#fff;background-color:#f89406;border-color:#f89406}.btn-warning:hover{color:#fff;background-color:#d37e05;border-color:#c67605}.btn-warning:focus,.btn-warning.focus{color:#fff;background-color:#d37e05;border-color:#c67605;-webkit-box-shadow:0 0 0 0.2rem rgba(249,164,43,0.5);box-shadow:0 0 0 0.2rem 
rgba(249,164,43,0.5)}.btn-warning.disabled,.btn-warning:disabled{color:#fff;background-color:#f89406;border-color:#f89406}.btn-warning:not(:disabled):not(.disabled):active,.btn-warning:not(:disabled):not(.disabled).active,.show>.btn-warning.dropdown-toggle{color:#fff;background-color:#c67605;border-color:#ba6f04}.btn-warning:not(:disabled):not(.disabled):active:focus,.btn-warning:not(:disabled):not(.disabled).active:focus,.show>.btn-warning.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(249,164,43,0.5);box-shadow:0 0 0 0.2rem rgba(249,164,43,0.5)}.btn-danger{color:#fff;background-color:#ee5f5b;border-color:#ee5f5b}.btn-danger:hover{color:#fff;background-color:#ea3d38;border-color:#e9322d}.btn-danger:focus,.btn-danger.focus{color:#fff;background-color:#ea3d38;border-color:#e9322d;-webkit-box-shadow:0 0 0 0.2rem rgba(241,119,116,0.5);box-shadow:0 0 0 0.2rem rgba(241,119,116,0.5)}.btn-danger.disabled,.btn-danger:disabled{color:#fff;background-color:#ee5f5b;border-color:#ee5f5b}.btn-danger:not(:disabled):not(.disabled):active,.btn-danger:not(:disabled):not(.disabled).active,.show>.btn-danger.dropdown-toggle{color:#fff;background-color:#e9322d;border-color:#e82721}.btn-danger:not(:disabled):not(.disabled):active:focus,.btn-danger:not(:disabled):not(.disabled).active:focus,.show>.btn-danger.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(241,119,116,0.5);box-shadow:0 0 0 0.2rem rgba(241,119,116,0.5)}.btn-light{color:#272B30;background-color:#e9ecef;border-color:#e9ecef}.btn-light:hover{color:#272B30;background-color:#d3d9df;border-color:#cbd3da}.btn-light:focus,.btn-light.focus{color:#272B30;background-color:#d3d9df;border-color:#cbd3da;-webkit-box-shadow:0 0 0 0.2rem rgba(204,207,210,0.5);box-shadow:0 0 0 0.2rem 
rgba(204,207,210,0.5)}.btn-light.disabled,.btn-light:disabled{color:#272B30;background-color:#e9ecef;border-color:#e9ecef}.btn-light:not(:disabled):not(.disabled):active,.btn-light:not(:disabled):not(.disabled).active,.show>.btn-light.dropdown-toggle{color:#272B30;background-color:#cbd3da;border-color:#c4ccd4}.btn-light:not(:disabled):not(.disabled):active:focus,.btn-light:not(:disabled):not(.disabled).active:focus,.show>.btn-light.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(204,207,210,0.5);box-shadow:0 0 0 0.2rem rgba(204,207,210,0.5)}.btn-dark{color:#fff;background-color:#272B30;border-color:#272B30}.btn-dark:hover{color:#fff;background-color:#16181b;border-color:#101214}.btn-dark:focus,.btn-dark.focus{color:#fff;background-color:#16181b;border-color:#101214;-webkit-box-shadow:0 0 0 0.2rem rgba(71,75,79,0.5);box-shadow:0 0 0 0.2rem rgba(71,75,79,0.5)}.btn-dark.disabled,.btn-dark:disabled{color:#fff;background-color:#272B30;border-color:#272B30}.btn-dark:not(:disabled):not(.disabled):active,.btn-dark:not(:disabled):not(.disabled).active,.show>.btn-dark.dropdown-toggle{color:#fff;background-color:#101214;border-color:#0a0b0d}.btn-dark:not(:disabled):not(.disabled):active:focus,.btn-dark:not(:disabled):not(.disabled).active:focus,.show>.btn-dark.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(71,75,79,0.5);box-shadow:0 0 0 0.2rem rgba(71,75,79,0.5)}.btn-outline-primary{color:#3A3F44;border-color:#3A3F44}.btn-outline-primary:hover{color:#fff;background-color:#3A3F44;border-color:#3A3F44}.btn-outline-primary:focus,.btn-outline-primary.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5);box-shadow:0 0 0 0.2rem 
rgba(58,63,68,0.5)}.btn-outline-primary.disabled,.btn-outline-primary:disabled{color:#3A3F44;background-color:transparent}.btn-outline-primary:not(:disabled):not(.disabled):active,.btn-outline-primary:not(:disabled):not(.disabled).active,.show>.btn-outline-primary.dropdown-toggle{color:#fff;background-color:#3A3F44;border-color:#3A3F44}.btn-outline-primary:not(:disabled):not(.disabled):active:focus,.btn-outline-primary:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-primary.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5)}.btn-outline-secondary{color:#7A8288;border-color:#7A8288}.btn-outline-secondary:hover{color:#fff;background-color:#7A8288;border-color:#7A8288}.btn-outline-secondary:focus,.btn-outline-secondary.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5);box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5)}.btn-outline-secondary.disabled,.btn-outline-secondary:disabled{color:#7A8288;background-color:transparent}.btn-outline-secondary:not(:disabled):not(.disabled):active,.btn-outline-secondary:not(:disabled):not(.disabled).active,.show>.btn-outline-secondary.dropdown-toggle{color:#fff;background-color:#7A8288;border-color:#7A8288}.btn-outline-secondary:not(:disabled):not(.disabled):active:focus,.btn-outline-secondary:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-secondary.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5);box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5)}.btn-outline-success{color:#62c462;border-color:#62c462}.btn-outline-success:hover{color:#fff;background-color:#62c462;border-color:#62c462}.btn-outline-success:focus,.btn-outline-success.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5);box-shadow:0 0 0 0.2rem 
rgba(98,196,98,0.5)}.btn-outline-success.disabled,.btn-outline-success:disabled{color:#62c462;background-color:transparent}.btn-outline-success:not(:disabled):not(.disabled):active,.btn-outline-success:not(:disabled):not(.disabled).active,.show>.btn-outline-success.dropdown-toggle{color:#fff;background-color:#62c462;border-color:#62c462}.btn-outline-success:not(:disabled):not(.disabled):active:focus,.btn-outline-success:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-success.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5);box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5)}.btn-outline-info{color:#5bc0de;border-color:#5bc0de}.btn-outline-info:hover{color:#fff;background-color:#5bc0de;border-color:#5bc0de}.btn-outline-info:focus,.btn-outline-info.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5);box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5)}.btn-outline-info.disabled,.btn-outline-info:disabled{color:#5bc0de;background-color:transparent}.btn-outline-info:not(:disabled):not(.disabled):active,.btn-outline-info:not(:disabled):not(.disabled).active,.show>.btn-outline-info.dropdown-toggle{color:#fff;background-color:#5bc0de;border-color:#5bc0de}.btn-outline-info:not(:disabled):not(.disabled):active:focus,.btn-outline-info:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-info.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5);box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5)}.btn-outline-warning{color:#f89406;border-color:#f89406}.btn-outline-warning:hover{color:#fff;background-color:#f89406;border-color:#f89406}.btn-outline-warning:focus,.btn-outline-warning.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5);box-shadow:0 0 0 0.2rem 
rgba(248,148,6,0.5)}.btn-outline-warning.disabled,.btn-outline-warning:disabled{color:#f89406;background-color:transparent}.btn-outline-warning:not(:disabled):not(.disabled):active,.btn-outline-warning:not(:disabled):not(.disabled).active,.show>.btn-outline-warning.dropdown-toggle{color:#fff;background-color:#f89406;border-color:#f89406}.btn-outline-warning:not(:disabled):not(.disabled):active:focus,.btn-outline-warning:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-warning.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5);box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5)}.btn-outline-danger{color:#ee5f5b;border-color:#ee5f5b}.btn-outline-danger:hover{color:#fff;background-color:#ee5f5b;border-color:#ee5f5b}.btn-outline-danger:focus,.btn-outline-danger.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5)}.btn-outline-danger.disabled,.btn-outline-danger:disabled{color:#ee5f5b;background-color:transparent}.btn-outline-danger:not(:disabled):not(.disabled):active,.btn-outline-danger:not(:disabled):not(.disabled).active,.show>.btn-outline-danger.dropdown-toggle{color:#fff;background-color:#ee5f5b;border-color:#ee5f5b}.btn-outline-danger:not(:disabled):not(.disabled):active:focus,.btn-outline-danger:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-danger.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5)}.btn-outline-light{color:#e9ecef;border-color:#e9ecef}.btn-outline-light:hover{color:#272B30;background-color:#e9ecef;border-color:#e9ecef}.btn-outline-light:focus,.btn-outline-light.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5);box-shadow:0 0 0 0.2rem 
rgba(233,236,239,0.5)}.btn-outline-light.disabled,.btn-outline-light:disabled{color:#e9ecef;background-color:transparent}.btn-outline-light:not(:disabled):not(.disabled):active,.btn-outline-light:not(:disabled):not(.disabled).active,.show>.btn-outline-light.dropdown-toggle{color:#272B30;background-color:#e9ecef;border-color:#e9ecef}.btn-outline-light:not(:disabled):not(.disabled):active:focus,.btn-outline-light:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-light.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5);box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5)}.btn-outline-dark{color:#272B30;border-color:#272B30}.btn-outline-dark:hover{color:#fff;background-color:#272B30;border-color:#272B30}.btn-outline-dark:focus,.btn-outline-dark.focus{-webkit-box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5);box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5)}.btn-outline-dark.disabled,.btn-outline-dark:disabled{color:#272B30;background-color:transparent}.btn-outline-dark:not(:disabled):not(.disabled):active,.btn-outline-dark:not(:disabled):not(.disabled).active,.show>.btn-outline-dark.dropdown-toggle{color:#fff;background-color:#272B30;border-color:#272B30}.btn-outline-dark:not(:disabled):not(.disabled):active:focus,.btn-outline-dark:not(:disabled):not(.disabled).active:focus,.show>.btn-outline-dark.dropdown-toggle:focus{-webkit-box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5);box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5)}.btn-link{font-weight:400;color:#fff;text-decoration:none}.btn-link:hover{color:#d9d9d9;text-decoration:underline}.btn-link:focus,.btn-link.focus{text-decoration:underline;-webkit-box-shadow:none;box-shadow:none}.btn-link:disabled,.btn-link.disabled{color:#7A8288;pointer-events:none}.btn-lg,.btn-group-lg>.btn{padding:0.5rem 1rem;font-size:1.171875rem;line-height:1.5;border-radius:0.3rem}.btn-sm,.btn-group-sm>.btn{padding:0.25rem 
0.5rem;font-size:0.8203125rem;line-height:1.5;border-radius:0.2rem}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:0.5rem}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{-webkit-transition:opacity 0.15s linear;transition:opacity 0.15s linear}@media (prefers-reduced-motion: reduce){.fade{-webkit-transition:none;transition:none}}.fade:not(.show){opacity:0}.collapse:not(.show){display:none}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height 0.35s ease;transition:height 0.35s ease}@media (prefers-reduced-motion: reduce){.collapsing{-webkit-transition:none;transition:none}}.dropup,.dropright,.dropdown,.dropleft{position:relative}.dropdown-toggle{white-space:nowrap}.dropdown-toggle::after{display:inline-block;margin-left:0.255em;vertical-align:0.255em;content:"";border-top:0.3em solid;border-right:0.3em solid transparent;border-bottom:0;border-left:0.3em solid transparent}.dropdown-toggle:empty::after{margin-left:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:10rem;padding:0.5rem 0;margin:0.125rem 0 0;font-size:0.9375rem;color:#aaa;text-align:left;list-style:none;background-color:#3A3F44;background-clip:padding-box;border:1px solid rgba(0,0,0,0.6);border-radius:0.25rem}.dropdown-menu-left{right:auto;left:0}.dropdown-menu-right{right:0;left:auto}@media (min-width: 576px){.dropdown-menu-sm-left{right:auto;left:0}.dropdown-menu-sm-right{right:0;left:auto}}@media (min-width: 768px){.dropdown-menu-md-left{right:auto;left:0}.dropdown-menu-md-right{right:0;left:auto}}@media (min-width: 992px){.dropdown-menu-lg-left{right:auto;left:0}.dropdown-menu-lg-right{right:0;left:auto}}@media (min-width: 1200px){.dropdown-menu-xl-left{right:auto;left:0}.dropdown-menu-xl-right{right:0;left:auto}}.dropup .dropdown-menu{top:auto;bottom:100%;margin-top:0;margin-bottom:0.125rem}.dropup 
.dropdown-toggle::after{display:inline-block;margin-left:0.255em;vertical-align:0.255em;content:"";border-top:0;border-right:0.3em solid transparent;border-bottom:0.3em solid;border-left:0.3em solid transparent}.dropup .dropdown-toggle:empty::after{margin-left:0}.dropright .dropdown-menu{top:0;right:auto;left:100%;margin-top:0;margin-left:0.125rem}.dropright .dropdown-toggle::after{display:inline-block;margin-left:0.255em;vertical-align:0.255em;content:"";border-top:0.3em solid transparent;border-right:0;border-bottom:0.3em solid transparent;border-left:0.3em solid}.dropright .dropdown-toggle:empty::after{margin-left:0}.dropright .dropdown-toggle::after{vertical-align:0}.dropleft .dropdown-menu{top:0;right:100%;left:auto;margin-top:0;margin-right:0.125rem}.dropleft .dropdown-toggle::after{display:inline-block;margin-left:0.255em;vertical-align:0.255em;content:""}.dropleft .dropdown-toggle::after{display:none}.dropleft .dropdown-toggle::before{display:inline-block;margin-right:0.255em;vertical-align:0.255em;content:"";border-top:0.3em solid transparent;border-right:0.3em solid;border-bottom:0.3em solid transparent}.dropleft .dropdown-toggle:empty::after{margin-left:0}.dropleft .dropdown-toggle::before{vertical-align:0}.dropdown-menu[x-placement^="top"],.dropdown-menu[x-placement^="right"],.dropdown-menu[x-placement^="bottom"],.dropdown-menu[x-placement^="left"]{right:auto;bottom:auto}.dropdown-divider{height:0;margin:0.5rem 0;overflow:hidden;border-top:1px solid rgba(0,0,0,0.15)}.dropdown-item{display:block;width:100%;padding:0.25rem 
1.5rem;clear:both;font-weight:400;color:#aaa;text-align:inherit;white-space:nowrap;background-color:transparent;border:0}.dropdown-item:hover,.dropdown-item:focus{color:#fff;text-decoration:none;background-color:#272B30}.dropdown-item.active,.dropdown-item:active{color:#fff;text-decoration:none;background-color:#3A3F44}.dropdown-item.disabled,.dropdown-item:disabled{color:#7A8288;pointer-events:none;background-color:transparent}.dropdown-menu.show{display:block}.dropdown-header{display:block;padding:0.5rem 1.5rem;margin-bottom:0;font-size:0.8203125rem;color:#7A8288;white-space:nowrap}.dropdown-item-text{display:block;padding:0.25rem 1.5rem;color:#aaa}.btn-group,.btn-group-vertical{position:relative;display:-webkit-inline-box;display:-ms-inline-flexbox;display:inline-flex;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;-webkit-box-flex:1;-ms-flex:1 1 auto;flex:1 1 auto}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover{z-index:1}.btn-group>.btn:focus,.btn-group>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn:focus,.btn-group-vertical>.btn:active,.btn-group-vertical>.btn.active{z-index:1}.btn-toolbar{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.btn-toolbar .input-group{width:auto}.btn-group>.btn:not(:first-child),.btn-group>.btn-group:not(:first-child){margin-left:-1px}.btn-group>.btn:not(:last-child):not(.dropdown-toggle),.btn-group>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:not(:first-child),.btn-group>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.dropdown-toggle-split{padding-right:0.75rem;padding-left:0.75rem}.dropdown-toggle-split::after,.dropup .dropdown-toggle-split::after,.dropright .dropdown-toggle-split::after{margin-left:0}.dropleft 
.dropdown-toggle-split::before{margin-right:0}.btn-sm+.dropdown-toggle-split,.btn-group-sm>.btn+.dropdown-toggle-split{padding-right:0.375rem;padding-left:0.375rem}.btn-lg+.dropdown-toggle-split,.btn-group-lg>.btn+.dropdown-toggle-split{padding-right:0.75rem;padding-left:0.75rem}.btn-group-vertical{-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;-webkit-box-align:start;-ms-flex-align:start;align-items:flex-start;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group{width:100%}.btn-group-vertical>.btn:not(:first-child),.btn-group-vertical>.btn-group:not(:first-child){margin-top:-1px}.btn-group-vertical>.btn:not(:last-child):not(.dropdown-toggle),.btn-group-vertical>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:not(:first-child),.btn-group-vertical>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-top-right-radius:0}.btn-group-toggle>.btn,.btn-group-toggle>.btn-group>.btn{margin-bottom:0}.btn-group-toggle>.btn input[type="radio"],.btn-group-toggle>.btn input[type="checkbox"],.btn-group-toggle>.btn-group>.btn input[type="radio"],.btn-group-toggle>.btn-group>.btn input[type="checkbox"]{position:absolute;clip:rect(0, 0, 0, 0);pointer-events:none}.input-group{position:relative;display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-align:stretch;-ms-flex-align:stretch;align-items:stretch;width:100%}.input-group>.form-control,.input-group>.form-control-plaintext,.input-group>.custom-select,.input-group>.custom-file{position:relative;-webkit-box-flex:1;-ms-flex:1 1 0%;flex:1 1 
0%;min-width:0;margin-bottom:0}.input-group>.form-control+.form-control,.input-group>.form-control+.custom-select,.input-group>.form-control+.custom-file,.input-group>.form-control-plaintext+.form-control,.input-group>.form-control-plaintext+.custom-select,.input-group>.form-control-plaintext+.custom-file,.input-group>.custom-select+.form-control,.input-group>.custom-select+.custom-select,.input-group>.custom-select+.custom-file,.input-group>.custom-file+.form-control,.input-group>.custom-file+.custom-select,.input-group>.custom-file+.custom-file{margin-left:-1px}.input-group>.form-control:focus,.input-group>.custom-select:focus,.input-group>.custom-file .custom-file-input:focus ~ .custom-file-label{z-index:3}.input-group>.custom-file .custom-file-input:focus{z-index:4}.input-group>.form-control:not(:last-child),.input-group>.custom-select:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}.input-group>.form-control:not(:first-child),.input-group>.custom-select:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.input-group>.custom-file{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center}.input-group>.custom-file:not(:last-child) .custom-file-label,.input-group>.custom-file:not(:last-child) .custom-file-label::after{border-top-right-radius:0;border-bottom-right-radius:0}.input-group>.custom-file:not(:first-child) .custom-file-label{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-prepend,.input-group-append{display:-webkit-box;display:-ms-flexbox;display:flex}.input-group-prepend .btn,.input-group-append .btn{position:relative;z-index:2}.input-group-prepend .btn:focus,.input-group-append .btn:focus{z-index:3}.input-group-prepend .btn+.btn,.input-group-prepend .btn+.input-group-text,.input-group-prepend .input-group-text+.input-group-text,.input-group-prepend .input-group-text+.btn,.input-group-append .btn+.btn,.input-group-append 
.btn+.input-group-text,.input-group-append .input-group-text+.input-group-text,.input-group-append .input-group-text+.btn{margin-left:-1px}.input-group-prepend{margin-right:-1px}.input-group-append{margin-left:-1px}.input-group-text{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;padding:0.75rem 1rem;margin-bottom:0;font-size:0.9375rem;font-weight:400;line-height:1.5;color:#52575C;text-align:center;white-space:nowrap;background-color:#e9ecef;border:1px solid #ced4da;border-radius:0.25rem}.input-group-text input[type="radio"],.input-group-text input[type="checkbox"]{margin-top:0}.input-group-lg>.form-control:not(textarea),.input-group-lg>.custom-select{height:calc(1.5em + 1rem + 2px)}.input-group-lg>.form-control,.input-group-lg>.custom-select,.input-group-lg>.input-group-prepend>.input-group-text,.input-group-lg>.input-group-append>.input-group-text,.input-group-lg>.input-group-prepend>.btn,.input-group-lg>.input-group-append>.btn{padding:0.5rem 1rem;font-size:1.171875rem;line-height:1.5;border-radius:0.3rem}.input-group-sm>.form-control:not(textarea),.input-group-sm>.custom-select{height:calc(1.5em + 0.5rem + 2px)}.input-group-sm>.form-control,.input-group-sm>.custom-select,.input-group-sm>.input-group-prepend>.input-group-text,.input-group-sm>.input-group-append>.input-group-text,.input-group-sm>.input-group-prepend>.btn,.input-group-sm>.input-group-append>.btn{padding:0.25rem 
0.5rem;font-size:0.8203125rem;line-height:1.5;border-radius:0.2rem}.input-group-lg>.custom-select,.input-group-sm>.custom-select{padding-right:2rem}.input-group>.input-group-prepend>.btn,.input-group>.input-group-prepend>.input-group-text,.input-group>.input-group-append:not(:last-child)>.btn,.input-group>.input-group-append:not(:last-child)>.input-group-text,.input-group>.input-group-append:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group>.input-group-append:last-child>.input-group-text:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}.input-group>.input-group-append>.btn,.input-group>.input-group-append>.input-group-text,.input-group>.input-group-prepend:not(:first-child)>.btn,.input-group>.input-group-prepend:not(:first-child)>.input-group-text,.input-group>.input-group-prepend:first-child>.btn:not(:first-child),.input-group>.input-group-prepend:first-child>.input-group-text:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.custom-control{position:relative;display:block;min-height:1.40625rem;padding-left:1.5rem}.custom-control-inline{display:-webkit-inline-box;display:-ms-inline-flexbox;display:inline-flex;margin-right:1rem}.custom-control-input{position:absolute;left:0;z-index:-1;width:1rem;height:1.203125rem;opacity:0}.custom-control-input:checked ~ .custom-control-label::before{color:#fff;border-color:#3A3F44;background-color:#3A3F44}.custom-control-input:focus ~ .custom-control-label::before{-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-control-input:focus:not(:checked) ~ .custom-control-label::before{border-color:#757f89}.custom-control-input:not(:disabled):active ~ .custom-control-label::before{color:#fff;background-color:#9098a0;border-color:#9098a0}.custom-control-input[disabled] ~ .custom-control-label,.custom-control-input:disabled ~ .custom-control-label{color:#7A8288}.custom-control-input[disabled] ~ 
.custom-control-label::before,.custom-control-input:disabled ~ .custom-control-label::before{background-color:#ccc}.custom-control-label{position:relative;margin-bottom:0;vertical-align:top}.custom-control-label::before{position:absolute;top:0.203125rem;left:-1.5rem;display:block;width:1rem;height:1rem;pointer-events:none;content:"";background-color:#fff;border:#999 solid 1px}.custom-control-label::after{position:absolute;top:0.203125rem;left:-1.5rem;display:block;width:1rem;height:1rem;content:"";background:no-repeat 50% / 50% 50%}.custom-checkbox .custom-control-label::before{border-radius:0.25rem}.custom-checkbox .custom-control-input:checked ~ .custom-control-label::after{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath fill='%23fff' d='M6.564.75l-3.59 3.612-1.538-1.55L0 4.26l2.974 2.99L8 2.193z'/%3e%3c/svg%3e")}.custom-checkbox .custom-control-input:indeterminate ~ .custom-control-label::before{border-color:#3A3F44;background-color:#3A3F44}.custom-checkbox .custom-control-input:indeterminate ~ .custom-control-label::after{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='4' viewBox='0 0 4 4'%3e%3cpath stroke='%23fff' d='M0 2h4'/%3e%3c/svg%3e")}.custom-checkbox .custom-control-input:disabled:checked ~ .custom-control-label::before{background-color:rgba(58,63,68,0.5)}.custom-checkbox .custom-control-input:disabled:indeterminate ~ .custom-control-label::before{background-color:rgba(58,63,68,0.5)}.custom-radio .custom-control-label::before{border-radius:50%}.custom-radio .custom-control-input:checked ~ .custom-control-label::after{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='%23fff'/%3e%3c/svg%3e")}.custom-radio .custom-control-input:disabled:checked ~ 
.custom-control-label::before{background-color:rgba(58,63,68,0.5)}.custom-switch{padding-left:2.25rem}.custom-switch .custom-control-label::before{left:-2.25rem;width:1.75rem;pointer-events:all;border-radius:0.5rem}.custom-switch .custom-control-label::after{top:calc(0.203125rem + 2px);left:calc(-2.25rem + 2px);width:calc(1rem - 4px);height:calc(1rem - 4px);background-color:#999;border-radius:0.5rem;-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-transform 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-transform 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:transform 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:transform 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-transform 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.custom-switch .custom-control-label::after{-webkit-transition:none;transition:none}}.custom-switch .custom-control-input:checked ~ .custom-control-label::after{background-color:#fff;-webkit-transform:translateX(0.75rem);transform:translateX(0.75rem)}.custom-switch .custom-control-input:disabled:checked ~ .custom-control-label::before{background-color:rgba(58,63,68,0.5)}.custom-select{display:inline-block;width:100%;height:calc(1.5em + 1.5rem + 2px);padding:0.75rem 2rem 0.75rem 1rem;font-size:0.9375rem;font-weight:400;line-height:1.5;color:#52575C;vertical-align:middle;background:#fff url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath fill='%233A3F44' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right 1rem center/8px 10px;border:1px solid 
#ced4da;border-radius:0.25rem;-webkit-appearance:none;-moz-appearance:none;appearance:none}.custom-select:focus{border-color:#757f89;outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-select:focus::-ms-value{color:#52575C;background-color:#fff}.custom-select[multiple],.custom-select[size]:not([size="1"]){height:auto;padding-right:1rem;background-image:none}.custom-select:disabled{color:#7A8288;background-color:#e9ecef}.custom-select::-ms-expand{display:none}.custom-select:-moz-focusring{color:transparent;text-shadow:0 0 0 #52575C}.custom-select-sm{height:calc(1.5em + 0.5rem + 2px);padding-top:0.25rem;padding-bottom:0.25rem;padding-left:0.5rem;font-size:0.8203125rem}.custom-select-lg{height:calc(1.5em + 1rem + 2px);padding-top:0.5rem;padding-bottom:0.5rem;padding-left:1rem;font-size:1.171875rem}.custom-file{position:relative;display:inline-block;width:100%;height:calc(1.5em + 1.5rem + 2px);margin-bottom:0}.custom-file-input{position:relative;z-index:2;width:100%;height:calc(1.5em + 1.5rem + 2px);margin:0;opacity:0}.custom-file-input:focus ~ .custom-file-label{border-color:#757f89;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-file-input[disabled] ~ .custom-file-label,.custom-file-input:disabled ~ .custom-file-label{background-color:#ccc}.custom-file-input:lang(en) ~ .custom-file-label::after{content:"Browse"}.custom-file-input ~ .custom-file-label[data-browse]::after{content:attr(data-browse)}.custom-file-label{position:absolute;top:0;right:0;left:0;z-index:1;height:calc(1.5em + 1.5rem + 2px);padding:0.75rem 1rem;font-weight:400;line-height:1.5;color:#52575C;background-color:#fff;border:1px solid #ced4da;border-radius:0.25rem}.custom-file-label::after{position:absolute;top:0;right:0;bottom:0;z-index:3;display:block;height:calc(1.5em + 1.5rem);padding:0.75rem 
1rem;line-height:1.5;color:#52575C;content:"Browse";background-color:#e9ecef;border-left:inherit;border-radius:0 0.25rem 0.25rem 0}.custom-range{width:100%;height:1.4rem;padding:0;background-color:transparent;-webkit-appearance:none;-moz-appearance:none;appearance:none}.custom-range:focus{outline:none}.custom-range:focus::-webkit-slider-thumb{-webkit-box-shadow:0 0 0 1px #272B30,0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 1px #272B30,0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-range:focus::-moz-range-thumb{box-shadow:0 0 0 1px #272B30,0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-range:focus::-ms-thumb{box-shadow:0 0 0 1px #272B30,0 0 0 0.2rem rgba(58,63,68,0.25)}.custom-range::-moz-focus-outer{border:0}.custom-range::-webkit-slider-thumb{width:1rem;height:1rem;margin-top:-0.25rem;background-color:#3A3F44;border:0;border-radius:1rem;-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;-webkit-appearance:none;appearance:none}@media (prefers-reduced-motion: reduce){.custom-range::-webkit-slider-thumb{-webkit-transition:none;transition:none}}.custom-range::-webkit-slider-thumb:active{background-color:#9098a0}.custom-range::-webkit-slider-runnable-track{width:100%;height:0.5rem;color:transparent;cursor:pointer;background-color:#dee2e6;border-color:transparent;border-radius:1rem}.custom-range::-moz-range-thumb{width:1rem;height:1rem;background-color:#3A3F44;border:0;border-radius:1rem;-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s 
ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;-moz-appearance:none;appearance:none}@media (prefers-reduced-motion: reduce){.custom-range::-moz-range-thumb{-webkit-transition:none;transition:none}}.custom-range::-moz-range-thumb:active{background-color:#9098a0}.custom-range::-moz-range-track{width:100%;height:0.5rem;color:transparent;cursor:pointer;background-color:#dee2e6;border-color:transparent;border-radius:1rem}.custom-range::-ms-thumb{width:1rem;height:1rem;margin-top:0;margin-right:0.2rem;margin-left:0.2rem;background-color:#3A3F44;border:0;border-radius:1rem;-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;appearance:none}@media (prefers-reduced-motion: 
reduce){.custom-range::-ms-thumb{-webkit-transition:none;transition:none}}.custom-range::-ms-thumb:active{background-color:#9098a0}.custom-range::-ms-track{width:100%;height:0.5rem;color:transparent;cursor:pointer;background-color:transparent;border-color:transparent;border-width:0.5rem}.custom-range::-ms-fill-lower{background-color:#dee2e6;border-radius:1rem}.custom-range::-ms-fill-upper{margin-right:15px;background-color:#dee2e6;border-radius:1rem}.custom-range:disabled::-webkit-slider-thumb{background-color:#999}.custom-range:disabled::-webkit-slider-runnable-track{cursor:default}.custom-range:disabled::-moz-range-thumb{background-color:#999}.custom-range:disabled::-moz-range-track{cursor:default}.custom-range:disabled::-ms-thumb{background-color:#999}.custom-control-label::before,.custom-file-label,.custom-select{-webkit-transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.custom-control-label::before,.custom-file-label,.custom-select{-webkit-transition:none;transition:none}}.nav{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;padding-left:0;margin-bottom:0;list-style:none}.nav-link{display:block;padding:0.5rem 1rem}.nav-link:hover,.nav-link:focus{text-decoration:none}.nav-link.disabled{color:#7A8288;pointer-events:none;cursor:default}.nav-tabs{border-bottom:1px solid rgba(0,0,0,0.6)}.nav-tabs .nav-item{margin-bottom:-1px}.nav-tabs .nav-link{border:1px solid transparent;border-top-left-radius:0.25rem;border-top-right-radius:0.25rem}.nav-tabs 
.nav-link:hover,.nav-tabs .nav-link:focus{border-color:rgba(0,0,0,0.6)}.nav-tabs .nav-link.disabled{color:#7A8288;background-color:transparent;border-color:transparent}.nav-tabs .nav-link.active,.nav-tabs .nav-item.show .nav-link{color:#fff;background-color:#272B30;border-color:rgba(0,0,0,0.6)}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.nav-pills .nav-link{border-radius:0.25rem}.nav-pills .nav-link.active,.nav-pills .show>.nav-link{color:#fff;background-color:#3A3F44}.nav-fill .nav-item{-webkit-box-flex:1;-ms-flex:1 1 auto;flex:1 1 auto;text-align:center}.nav-justified .nav-item{-ms-flex-preferred-size:0;flex-basis:0;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;text-align:center}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.navbar{position:relative;display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between;padding:0 1rem}.navbar .container,.navbar .container-fluid,.navbar .container-sm,.navbar .container-md,.navbar .container-lg,.navbar .container-xl{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between}.navbar-brand{display:inline-block;padding-top:0.32421875rem;padding-bottom:0.32421875rem;margin-right:1rem;font-size:1.171875rem;line-height:inherit;white-space:nowrap}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}.navbar-nav{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;padding-left:0;margin-bottom:0;list-style:none}.navbar-nav .nav-link{padding-right:0;padding-left:0}.navbar-nav 
.dropdown-menu{position:static;float:none}.navbar-text{display:inline-block;padding-top:0.5rem;padding-bottom:0.5rem}.navbar-collapse{-ms-flex-preferred-size:100%;flex-basis:100%;-webkit-box-flex:1;-ms-flex-positive:1;flex-grow:1;-webkit-box-align:center;-ms-flex-align:center;align-items:center}.navbar-toggler{padding:0.25rem 0.75rem;font-size:1.171875rem;line-height:1;background-color:transparent;border:1px solid transparent;border-radius:0.25rem}.navbar-toggler:hover,.navbar-toggler:focus{text-decoration:none}.navbar-toggler-icon{display:inline-block;width:1.5em;height:1.5em;vertical-align:middle;content:"";background:no-repeat center center;background-size:100% 100%}@media (max-width: 575.98px){.navbar-expand-sm>.container,.navbar-expand-sm>.container-fluid,.navbar-expand-sm>.container-sm,.navbar-expand-sm>.container-md,.navbar-expand-sm>.container-lg,.navbar-expand-sm>.container-xl{padding-right:0;padding-left:0}}@media (min-width: 576px){.navbar-expand-sm{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-sm .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand-sm .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-sm .navbar-nav .nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand-sm>.container,.navbar-expand-sm>.container-fluid,.navbar-expand-sm>.container-sm,.navbar-expand-sm>.container-md,.navbar-expand-sm>.container-lg,.navbar-expand-sm>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-sm .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-sm .navbar-toggler{display:none}}@media (max-width: 
767.98px){.navbar-expand-md>.container,.navbar-expand-md>.container-fluid,.navbar-expand-md>.container-sm,.navbar-expand-md>.container-md,.navbar-expand-md>.container-lg,.navbar-expand-md>.container-xl{padding-right:0;padding-left:0}}@media (min-width: 768px){.navbar-expand-md{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-md .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand-md .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-md .navbar-nav .nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand-md>.container,.navbar-expand-md>.container-fluid,.navbar-expand-md>.container-sm,.navbar-expand-md>.container-md,.navbar-expand-md>.container-lg,.navbar-expand-md>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-md .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-md .navbar-toggler{display:none}}@media (max-width: 991.98px){.navbar-expand-lg>.container,.navbar-expand-lg>.container-fluid,.navbar-expand-lg>.container-sm,.navbar-expand-lg>.container-md,.navbar-expand-lg>.container-lg,.navbar-expand-lg>.container-xl{padding-right:0;padding-left:0}}@media (min-width: 992px){.navbar-expand-lg{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-lg .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand-lg .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-lg .navbar-nav 
.nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand-lg>.container,.navbar-expand-lg>.container-fluid,.navbar-expand-lg>.container-sm,.navbar-expand-lg>.container-md,.navbar-expand-lg>.container-lg,.navbar-expand-lg>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-lg .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-lg .navbar-toggler{display:none}}@media (max-width: 1199.98px){.navbar-expand-xl>.container,.navbar-expand-xl>.container-fluid,.navbar-expand-xl>.container-sm,.navbar-expand-xl>.container-md,.navbar-expand-xl>.container-lg,.navbar-expand-xl>.container-xl{padding-right:0;padding-left:0}}@media (min-width: 1200px){.navbar-expand-xl{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-xl .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand-xl .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-xl .navbar-nav .nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand-xl>.container,.navbar-expand-xl>.container-fluid,.navbar-expand-xl>.container-sm,.navbar-expand-xl>.container-md,.navbar-expand-xl>.container-lg,.navbar-expand-xl>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-xl .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-xl .navbar-toggler{display:none}}.navbar-expand{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row nowrap;flex-flow:row 
nowrap;-webkit-box-pack:start;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand>.container,.navbar-expand>.container-fluid,.navbar-expand>.container-sm,.navbar-expand>.container-md,.navbar-expand>.container-lg,.navbar-expand>.container-xl{padding-right:0;padding-left:0}.navbar-expand .navbar-nav{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.navbar-expand .navbar-nav .dropdown-menu{position:absolute}.navbar-expand .navbar-nav .nav-link{padding-right:0.5rem;padding-left:0.5rem}.navbar-expand>.container,.navbar-expand>.container-fluid,.navbar-expand>.container-sm,.navbar-expand>.container-md,.navbar-expand>.container-lg,.navbar-expand>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand .navbar-collapse{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand .navbar-toggler{display:none}.navbar-light .navbar-brand{color:#3A3F44}.navbar-light .navbar-brand:hover,.navbar-light .navbar-brand:focus{color:#3A3F44}.navbar-light .navbar-nav .nav-link{color:rgba(0,0,0,0.5)}.navbar-light .navbar-nav .nav-link:hover,.navbar-light .navbar-nav .nav-link:focus{color:#3A3F44}.navbar-light .navbar-nav .nav-link.disabled{color:rgba(0,0,0,0.3)}.navbar-light .navbar-nav .show>.nav-link,.navbar-light .navbar-nav .active>.nav-link,.navbar-light .navbar-nav .nav-link.show,.navbar-light .navbar-nav .nav-link.active{color:#3A3F44}.navbar-light .navbar-toggler{color:rgba(0,0,0,0.5);border-color:rgba(0,0,0,0.1)}.navbar-light .navbar-toggler-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='30' height='30' viewBox='0 0 30 30'%3e%3cpath stroke='rgba(0, 0, 0, 0.5)' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e")}.navbar-light .navbar-text{color:rgba(0,0,0,0.5)}.navbar-light .navbar-text a{color:#3A3F44}.navbar-light 
.navbar-text a:hover,.navbar-light .navbar-text a:focus{color:#3A3F44}.navbar-dark .navbar-brand{color:#fff}.navbar-dark .navbar-brand:hover,.navbar-dark .navbar-brand:focus{color:#fff}.navbar-dark .navbar-nav .nav-link{color:rgba(255,255,255,0.5)}.navbar-dark .navbar-nav .nav-link:hover,.navbar-dark .navbar-nav .nav-link:focus{color:#fff}.navbar-dark .navbar-nav .nav-link.disabled{color:rgba(255,255,255,0.25)}.navbar-dark .navbar-nav .show>.nav-link,.navbar-dark .navbar-nav .active>.nav-link,.navbar-dark .navbar-nav .nav-link.show,.navbar-dark .navbar-nav .nav-link.active{color:#fff}.navbar-dark .navbar-toggler{color:rgba(255,255,255,0.5);border-color:rgba(255,255,255,0.1)}.navbar-dark .navbar-toggler-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='30' height='30' viewBox='0 0 30 30'%3e%3cpath stroke='rgba(255, 255, 255, 0.5)' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e")}.navbar-dark .navbar-text{color:rgba(255,255,255,0.5)}.navbar-dark .navbar-text a{color:#fff}.navbar-dark .navbar-text a:hover,.navbar-dark .navbar-text a:focus{color:#fff}.card{position:relative;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;min-width:0;word-wrap:break-word;background-color:#32383e;background-clip:border-box;border:1px solid rgba(0,0,0,0.6);border-radius:0.25rem}.card>hr{margin-right:0;margin-left:0}.card>.list-group:first-child .list-group-item:first-child{border-top-left-radius:0.25rem;border-top-right-radius:0.25rem}.card>.list-group:last-child .list-group-item:last-child{border-bottom-right-radius:0.25rem;border-bottom-left-radius:0.25rem}.card-body{-webkit-box-flex:1;-ms-flex:1 1 auto;flex:1 1 
auto;min-height:1px;padding:1.25rem}.card-title{margin-bottom:0.75rem}.card-subtitle{margin-top:-0.375rem;margin-bottom:0}.card-text:last-child{margin-bottom:0}.card-link:hover{text-decoration:none}.card-link+.card-link{margin-left:1.25rem}.card-header{padding:0.75rem 1.25rem;margin-bottom:0;background-color:#515960;border-bottom:1px solid rgba(0,0,0,0.6)}.card-header:first-child{border-radius:calc(0.25rem - 1px) calc(0.25rem - 1px) 0 0}.card-header+.list-group .list-group-item:first-child{border-top:0}.card-footer{padding:0.75rem 1.25rem;background-color:#515960;border-top:1px solid rgba(0,0,0,0.6)}.card-footer:last-child{border-radius:0 0 calc(0.25rem - 1px) calc(0.25rem - 1px)}.card-header-tabs{margin-right:-0.625rem;margin-bottom:-0.75rem;margin-left:-0.625rem;border-bottom:0}.card-header-pills{margin-right:-0.625rem;margin-left:-0.625rem}.card-img-overlay{position:absolute;top:0;right:0;bottom:0;left:0;padding:1.25rem}.card-img,.card-img-top,.card-img-bottom{-ms-flex-negative:0;flex-shrink:0;width:100%}.card-img,.card-img-top{border-top-left-radius:calc(0.25rem - 1px);border-top-right-radius:calc(0.25rem - 1px)}.card-img,.card-img-bottom{border-bottom-right-radius:calc(0.25rem - 1px);border-bottom-left-radius:calc(0.25rem - 1px)}.card-deck .card{margin-bottom:15px}@media (min-width: 576px){.card-deck{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row wrap;flex-flow:row wrap;margin-right:-15px;margin-left:-15px}.card-deck .card{-webkit-box-flex:1;-ms-flex:1 0 0%;flex:1 0 0%;margin-right:15px;margin-bottom:0;margin-left:15px}}.card-group>.card{margin-bottom:15px}@media (min-width: 576px){.card-group{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-flow:row wrap;flex-flow:row wrap}.card-group>.card{-webkit-box-flex:1;-ms-flex:1 0 0%;flex:1 0 
0%;margin-bottom:0}.card-group>.card+.card{margin-left:0;border-left:0}.card-group>.card:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}.card-group>.card:not(:last-child) .card-img-top,.card-group>.card:not(:last-child) .card-header{border-top-right-radius:0}.card-group>.card:not(:last-child) .card-img-bottom,.card-group>.card:not(:last-child) .card-footer{border-bottom-right-radius:0}.card-group>.card:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.card-group>.card:not(:first-child) .card-img-top,.card-group>.card:not(:first-child) .card-header{border-top-left-radius:0}.card-group>.card:not(:first-child) .card-img-bottom,.card-group>.card:not(:first-child) .card-footer{border-bottom-left-radius:0}}.card-columns .card{margin-bottom:0.75rem}@media (min-width: 576px){.card-columns{-webkit-column-count:3;column-count:3;-webkit-column-gap:1.25rem;column-gap:1.25rem;orphans:1;widows:1}.card-columns .card{display:inline-block;width:100%}}.accordion>.card{overflow:hidden}.accordion>.card:not(:last-of-type){border-bottom:0;border-bottom-right-radius:0;border-bottom-left-radius:0}.accordion>.card:not(:first-of-type){border-top-left-radius:0;border-top-right-radius:0}.accordion>.card>.card-header{border-radius:0;margin-bottom:-1px}.breadcrumb{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;padding:0.75rem 
1rem;margin-bottom:1rem;list-style:none;background-color:#e9ecef;border-radius:0.25rem}.breadcrumb-item+.breadcrumb-item{padding-left:0.5rem}.breadcrumb-item+.breadcrumb-item::before{display:inline-block;padding-right:0.5rem;color:#7A8288;content:"/"}.breadcrumb-item+.breadcrumb-item:hover::before{text-decoration:underline}.breadcrumb-item+.breadcrumb-item:hover::before{text-decoration:none}.breadcrumb-item.active{color:#999}.pagination{display:-webkit-box;display:-ms-flexbox;display:flex;padding-left:0;list-style:none;border-radius:0.25rem}.page-link{position:relative;display:block;padding:0.5rem 0.75rem;margin-left:-1px;line-height:1.25;color:#fff;background-color:transparent;border:1px solid rgba(0,0,0,0.6)}.page-link:hover{z-index:2;color:#fff;text-decoration:none;background-color:transparent;border-color:rgba(0,0,0,0.6)}.page-link:focus{z-index:3;outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.25)}.page-item:first-child .page-link{margin-left:0;border-top-left-radius:0.25rem;border-bottom-left-radius:0.25rem}.page-item:last-child .page-link{border-top-right-radius:0.25rem;border-bottom-right-radius:0.25rem}.page-item.active .page-link{z-index:3;color:#fff;background-color:transparent;border-color:rgba(0,0,0,0.6)}.page-item.disabled .page-link{color:#7A8288;pointer-events:none;cursor:auto;background-color:transparent;border-color:rgba(0,0,0,0.6)}.pagination-lg .page-link{padding:0.75rem 1.5rem;font-size:1.171875rem;line-height:1.5}.pagination-lg .page-item:first-child .page-link{border-top-left-radius:0.3rem;border-bottom-left-radius:0.3rem}.pagination-lg .page-item:last-child .page-link{border-top-right-radius:0.3rem;border-bottom-right-radius:0.3rem}.pagination-sm .page-link{padding:0.25rem 0.5rem;font-size:0.8203125rem;line-height:1.5}.pagination-sm .page-item:first-child .page-link{border-top-left-radius:0.2rem;border-bottom-left-radius:0.2rem}.pagination-sm .page-item:last-child 
.page-link{border-top-right-radius:0.2rem;border-bottom-right-radius:0.2rem}.badge{display:inline-block;padding:0.25em 0.4em;font-size:75%;font-weight:700;line-height:1;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:0.25rem;-webkit-transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;transition:color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out, -webkit-box-shadow 0.15s ease-in-out}@media (prefers-reduced-motion: reduce){.badge{-webkit-transition:none;transition:none}}a.badge:hover,a.badge:focus{text-decoration:none}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.badge-pill{padding-right:0.6em;padding-left:0.6em;border-radius:10rem}.badge-primary{color:#fff;background-color:#3A3F44}a.badge-primary:hover,a.badge-primary:focus{color:#fff;background-color:#232628}a.badge-primary:focus,a.badge-primary.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5);box-shadow:0 0 0 0.2rem rgba(58,63,68,0.5)}.badge-secondary{color:#fff;background-color:#7A8288}a.badge-secondary:hover,a.badge-secondary:focus{color:#fff;background-color:#62686d}a.badge-secondary:focus,a.badge-secondary.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5);box-shadow:0 0 0 0.2rem rgba(122,130,136,0.5)}.badge-success{color:#fff;background-color:#62c462}a.badge-success:hover,a.badge-success:focus{color:#fff;background-color:#42b142}a.badge-success:focus,a.badge-success.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(98,196,98,0.5);box-shadow:0 0 0 0.2rem 
rgba(98,196,98,0.5)}.badge-info{color:#fff;background-color:#5bc0de}a.badge-info:hover,a.badge-info:focus{color:#fff;background-color:#31b0d5}a.badge-info:focus,a.badge-info.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5);box-shadow:0 0 0 0.2rem rgba(91,192,222,0.5)}.badge-warning{color:#fff;background-color:#f89406}a.badge-warning:hover,a.badge-warning:focus{color:#fff;background-color:#c67605}a.badge-warning:focus,a.badge-warning.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5);box-shadow:0 0 0 0.2rem rgba(248,148,6,0.5)}.badge-danger{color:#fff;background-color:#ee5f5b}a.badge-danger:hover,a.badge-danger:focus{color:#fff;background-color:#e9322d}a.badge-danger:focus,a.badge-danger.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5);box-shadow:0 0 0 0.2rem rgba(238,95,91,0.5)}.badge-light{color:#272B30;background-color:#e9ecef}a.badge-light:hover,a.badge-light:focus{color:#272B30;background-color:#cbd3da}a.badge-light:focus,a.badge-light.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5);box-shadow:0 0 0 0.2rem rgba(233,236,239,0.5)}.badge-dark{color:#fff;background-color:#272B30}a.badge-dark:hover,a.badge-dark:focus{color:#fff;background-color:#101214}a.badge-dark:focus,a.badge-dark.focus{outline:0;-webkit-box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5);box-shadow:0 0 0 0.2rem rgba(39,43,48,0.5)}.jumbotron{padding:2rem 1rem;margin-bottom:2rem;background-color:#1c1e22;border-radius:0.3rem}@media (min-width: 576px){.jumbotron{padding:4rem 2rem}}.jumbotron-fluid{padding-right:0;padding-left:0;border-radius:0}.alert{position:relative;padding:0.75rem 1.25rem;margin-bottom:1rem;border:1px solid transparent;border-radius:0.25rem}.alert-heading{color:inherit}.alert-link{font-weight:700}.alert-dismissible{padding-right:3.90625rem}.alert-dismissible .close{position:absolute;top:0;right:0;padding:0.75rem 
1.25rem;color:inherit}.alert-primary{color:#1e2123;background-color:#d8d9da;border-color:#c8c9cb}.alert-primary hr{border-top-color:#bbbcbf}.alert-primary .alert-link{color:#060708}.alert-secondary{color:#3f4447;background-color:#e4e6e7;border-color:#dadcde}.alert-secondary hr{border-top-color:#cdcfd2}.alert-secondary .alert-link{color:#272a2c}.alert-success{color:#336633;background-color:#e0f3e0;border-color:#d3eed3}.alert-success hr{border-top-color:#c1e7c1}.alert-success .alert-link{color:#224422}.alert-info{color:#2f6473;background-color:#def2f8;border-color:#d1edf6}.alert-info hr{border-top-color:#bce5f2}.alert-info .alert-link{color:#20454f}.alert-warning{color:#814d03;background-color:#feeacd;border-color:#fde1b9}.alert-warning hr{border-top-color:#fcd6a0}.alert-warning .alert-link{color:#4f2f02}.alert-danger{color:#7c312f;background-color:#fcdfde;border-color:#fad2d1}.alert-danger hr{border-top-color:#f8bcba}.alert-danger .alert-link{color:#572221}.alert-light{color:#797b7c;background-color:#fbfbfc;border-color:#f9fafb}.alert-light hr{border-top-color:#eaedf1}.alert-light .alert-link{color:#606162}.alert-dark{color:#141619;background-color:#d4d5d6;border-color:#c3c4c5}.alert-dark hr{border-top-color:#b6b7b8}.alert-dark .alert-link{color:black}@-webkit-keyframes progress-bar-stripes{from{background-position:1rem 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:1rem 0}to{background-position:0 0}}.progress{display:-webkit-box;display:-ms-flexbox;display:flex;height:1rem;overflow:hidden;font-size:0.703125rem;background-color:#1c1e22;border-radius:0.25rem}.progress-bar{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;overflow:hidden;color:#7A8288;text-align:center;white-space:nowrap;background-color:#3A3F44;-webkit-transition:width 0.6s 
ease;transition:width 0.6s ease}@media (prefers-reduced-motion: reduce){.progress-bar{-webkit-transition:none;transition:none}}.progress-bar-striped{background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-size:1rem 1rem}.progress-bar-animated{-webkit-animation:progress-bar-stripes 1s linear infinite;animation:progress-bar-stripes 1s linear infinite}@media (prefers-reduced-motion: reduce){.progress-bar-animated{-webkit-animation:none;animation:none}}.media{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:start;-ms-flex-align:start;align-items:flex-start}.media-body{-webkit-box-flex:1;-ms-flex:1;flex:1}.list-group{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;padding-left:0;margin-bottom:0}.list-group-item-action{width:100%;color:#fff;text-align:inherit}.list-group-item-action:hover,.list-group-item-action:focus{z-index:1;color:#fff;text-decoration:none;background-color:#3e444c}.list-group-item-action:active{color:#aaa;background-color:#e9ecef}.list-group-item{position:relative;display:block;padding:0.75rem 1.25rem;background-color:#32383e;border:1px solid 
rgba(0,0,0,0.6)}.list-group-item:first-child{border-top-left-radius:0.25rem;border-top-right-radius:0.25rem}.list-group-item:last-child{border-bottom-right-radius:0.25rem;border-bottom-left-radius:0.25rem}.list-group-item.disabled,.list-group-item:disabled{color:#52575C;pointer-events:none;background-color:#32383e}.list-group-item.active{z-index:2;color:#fff;background-color:#3e444c;border-color:rgba(0,0,0,0.6)}.list-group-item+.list-group-item{border-top-width:0}.list-group-item+.list-group-item.active{margin-top:-1px;border-top-width:1px}.list-group-horizontal{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal .list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal .list-group-item.active{margin-top:0}.list-group-horizontal .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}@media (min-width: 576px){.list-group-horizontal-sm{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-sm .list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal-sm .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal-sm .list-group-item.active{margin-top:0}.list-group-horizontal-sm .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-sm .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}@media (min-width: 768px){.list-group-horizontal-md{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-md 
.list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal-md .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal-md .list-group-item.active{margin-top:0}.list-group-horizontal-md .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-md .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}@media (min-width: 992px){.list-group-horizontal-lg{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-lg .list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal-lg .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal-lg .list-group-item.active{margin-top:0}.list-group-horizontal-lg .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-lg .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}@media (min-width: 1200px){.list-group-horizontal-xl{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-xl .list-group-item:first-child{border-bottom-left-radius:0.25rem;border-top-right-radius:0}.list-group-horizontal-xl .list-group-item:last-child{border-top-right-radius:0.25rem;border-bottom-left-radius:0}.list-group-horizontal-xl .list-group-item.active{margin-top:0}.list-group-horizontal-xl .list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-xl .list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}.list-group-flush .list-group-item{border-right-width:0;border-left-width:0;border-radius:0}.list-group-flush .list-group-item:first-child{border-top-width:0}.list-group-flush:last-child 
.list-group-item:last-child{border-bottom-width:0}.list-group-item-primary{color:#1e2123;background-color:#c8c9cb}.list-group-item-primary.list-group-item-action:hover,.list-group-item-primary.list-group-item-action:focus{color:#1e2123;background-color:#bbbcbf}.list-group-item-primary.list-group-item-action.active{color:#fff;background-color:#1e2123;border-color:#1e2123}.list-group-item-secondary{color:#3f4447;background-color:#dadcde}.list-group-item-secondary.list-group-item-action:hover,.list-group-item-secondary.list-group-item-action:focus{color:#3f4447;background-color:#cdcfd2}.list-group-item-secondary.list-group-item-action.active{color:#fff;background-color:#3f4447;border-color:#3f4447}.list-group-item-success{color:#336633;background-color:#d3eed3}.list-group-item-success.list-group-item-action:hover,.list-group-item-success.list-group-item-action:focus{color:#336633;background-color:#c1e7c1}.list-group-item-success.list-group-item-action.active{color:#fff;background-color:#336633;border-color:#336633}.list-group-item-info{color:#2f6473;background-color:#d1edf6}.list-group-item-info.list-group-item-action:hover,.list-group-item-info.list-group-item-action:focus{color:#2f6473;background-color:#bce5f2}.list-group-item-info.list-group-item-action.active{color:#fff;background-color:#2f6473;border-color:#2f6473}.list-group-item-warning{color:#814d03;background-color:#fde1b9}.list-group-item-warning.list-group-item-action:hover,.list-group-item-warning.list-group-item-action:focus{color:#814d03;background-color:#fcd6a0}.list-group-item-warning.list-group-item-action.active{color:#fff;background-color:#814d03;border-color:#814d03}.list-group-item-danger{color:#7c312f;background-color:#fad2d1}.list-group-item-danger.list-group-item-action:hover,.list-group-item-danger.list-group-item-action:focus{color:#7c312f;background-color:#f8bcba}.list-group-item-danger.list-group-item-action.active{color:#fff;background-color:#7c312f;border-color:#7c312f}.list-group-item-lig
ht{color:#797b7c;background-color:#f9fafb}.list-group-item-light.list-group-item-action:hover,.list-group-item-light.list-group-item-action:focus{color:#797b7c;background-color:#eaedf1}.list-group-item-light.list-group-item-action.active{color:#fff;background-color:#797b7c;border-color:#797b7c}.list-group-item-dark{color:#141619;background-color:#c3c4c5}.list-group-item-dark.list-group-item-action:hover,.list-group-item-dark.list-group-item-action:focus{color:#141619;background-color:#b6b7b8}.list-group-item-dark.list-group-item-action.active{color:#fff;background-color:#141619;border-color:#141619}.close{float:right;font-size:1.40625rem;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;opacity:.5}.close:hover{color:#000;text-decoration:none}.close:not(:disabled):not(.disabled):hover,.close:not(:disabled):not(.disabled):focus{opacity:.75}button.close{padding:0;background-color:transparent;border:0;-webkit-appearance:none;-moz-appearance:none;appearance:none}a.close.disabled{pointer-events:none}.toast{max-width:350px;overflow:hidden;font-size:0.875rem;background-color:#32383e;background-clip:padding-box;border:1px solid rgba(0,0,0,0.2);-webkit-box-shadow:0 0.25rem 0.75rem rgba(0,0,0,0.1);box-shadow:0 0.25rem 0.75rem rgba(0,0,0,0.1);-webkit-backdrop-filter:blur(10px);backdrop-filter:blur(10px);opacity:0;border-radius:0.25rem}.toast:not(:last-child){margin-bottom:0.75rem}.toast.showing{opacity:1}.toast.show{display:block;opacity:1}.toast.hide{display:none}.toast-header{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;padding:0.25rem 0.75rem;color:#aaa;background-color:#32383e;background-clip:padding-box;border-bottom:1px solid rgba(0,0,0,0.2)}.toast-body{padding:0.75rem}.modal-open{overflow:hidden}.modal-open 
.modal{overflow-x:hidden;overflow-y:auto}.modal{position:fixed;top:0;left:0;z-index:1050;display:none;width:100%;height:100%;overflow:hidden;outline:0}.modal-dialog{position:relative;width:auto;margin:0.5rem;pointer-events:none}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform 0.3s ease-out;transition:-webkit-transform 0.3s ease-out;transition:transform 0.3s ease-out;transition:transform 0.3s ease-out, -webkit-transform 0.3s ease-out;-webkit-transform:translate(0, -50px);transform:translate(0, -50px)}@media (prefers-reduced-motion: reduce){.modal.fade .modal-dialog{-webkit-transition:none;transition:none}}.modal.show .modal-dialog{-webkit-transform:none;transform:none}.modal.modal-static .modal-dialog{-webkit-transform:scale(1.02);transform:scale(1.02)}.modal-dialog-scrollable{display:-webkit-box;display:-ms-flexbox;display:flex;max-height:calc(100% - 1rem)}.modal-dialog-scrollable .modal-content{max-height:calc(100vh - 1rem);overflow:hidden}.modal-dialog-scrollable .modal-header,.modal-dialog-scrollable .modal-footer{-ms-flex-negative:0;flex-shrink:0}.modal-dialog-scrollable .modal-body{overflow-y:auto}.modal-dialog-centered{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;min-height:calc(100% - 1rem)}.modal-dialog-centered::before{display:block;height:calc(100vh - 1rem);content:""}.modal-dialog-centered.modal-dialog-scrollable{-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;height:100%}.modal-dialog-centered.modal-dialog-scrollable 
.modal-content{max-height:none}.modal-dialog-centered.modal-dialog-scrollable::before{content:none}.modal-content{position:relative;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;width:100%;pointer-events:auto;background-color:#32383e;background-clip:padding-box;border:1px solid rgba(0,0,0,0.2);border-radius:0.3rem;outline:0}.modal-backdrop{position:fixed;top:0;left:0;z-index:1040;width:100vw;height:100vh;background-color:#000}.modal-backdrop.fade{opacity:0}.modal-backdrop.show{opacity:0.5}.modal-header{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:start;-ms-flex-align:start;align-items:flex-start;-webkit-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between;padding:1rem 1rem;border-bottom:1px solid rgba(0,0,0,0.2);border-top-left-radius:calc(0.3rem - 1px);border-top-right-radius:calc(0.3rem - 1px)}.modal-header .close{padding:1rem 1rem;margin:-1rem -1rem -1rem auto}.modal-title{margin-bottom:0;line-height:1.5}.modal-body{position:relative;-webkit-box-flex:1;-ms-flex:1 1 auto;flex:1 1 auto;padding:1rem}.modal-footer{display:-webkit-box;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:end;-ms-flex-pack:end;justify-content:flex-end;padding:0.75rem;border-top:1px solid rgba(0,0,0,0.2);border-bottom-right-radius:calc(0.3rem - 1px);border-bottom-left-radius:calc(0.3rem - 1px)}.modal-footer>*{margin:0.25rem}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width: 576px){.modal-dialog{max-width:500px;margin:1.75rem auto}.modal-dialog-scrollable{max-height:calc(100% - 3.5rem)}.modal-dialog-scrollable .modal-content{max-height:calc(100vh - 3.5rem)}.modal-dialog-centered{min-height:calc(100% - 3.5rem)}.modal-dialog-centered::before{height:calc(100vh - 
3.5rem)}.modal-sm{max-width:300px}}@media (min-width: 992px){.modal-lg,.modal-xl{max-width:800px}}@media (min-width: 1200px){.modal-xl{max-width:1140px}}.tooltip{position:absolute;z-index:1070;display:block;margin:0;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";font-style:normal;font-weight:400;line-height:1.5;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;white-space:normal;line-break:auto;font-size:0.8203125rem;word-wrap:break-word;opacity:0}.tooltip.show{opacity:0.9}.tooltip .arrow{position:absolute;display:block;width:0.8rem;height:0.4rem}.tooltip .arrow::before{position:absolute;content:"";border-color:transparent;border-style:solid}.bs-tooltip-top,.bs-tooltip-auto[x-placement^="top"]{padding:0.4rem 0}.bs-tooltip-top .arrow,.bs-tooltip-auto[x-placement^="top"] .arrow{bottom:0}.bs-tooltip-top .arrow::before,.bs-tooltip-auto[x-placement^="top"] .arrow::before{top:0;border-width:0.4rem 0.4rem 0;border-top-color:#000}.bs-tooltip-right,.bs-tooltip-auto[x-placement^="right"]{padding:0 0.4rem}.bs-tooltip-right .arrow,.bs-tooltip-auto[x-placement^="right"] .arrow{left:0;width:0.4rem;height:0.8rem}.bs-tooltip-right .arrow::before,.bs-tooltip-auto[x-placement^="right"] .arrow::before{right:0;border-width:0.4rem 0.4rem 0.4rem 0;border-right-color:#000}.bs-tooltip-bottom,.bs-tooltip-auto[x-placement^="bottom"]{padding:0.4rem 0}.bs-tooltip-bottom .arrow,.bs-tooltip-auto[x-placement^="bottom"] .arrow{top:0}.bs-tooltip-bottom .arrow::before,.bs-tooltip-auto[x-placement^="bottom"] .arrow::before{bottom:0;border-width:0 0.4rem 0.4rem;border-bottom-color:#000}.bs-tooltip-left,.bs-tooltip-auto[x-placement^="left"]{padding:0 0.4rem}.bs-tooltip-left .arrow,.bs-tooltip-auto[x-placement^="left"] 
.arrow{right:0;width:0.4rem;height:0.8rem}.bs-tooltip-left .arrow::before,.bs-tooltip-auto[x-placement^="left"] .arrow::before{left:0;border-width:0.4rem 0 0.4rem 0.4rem;border-left-color:#000}.tooltip-inner{max-width:200px;padding:0.25rem 0.5rem;color:#fff;text-align:center;background-color:#000;border-radius:0.25rem}.popover{position:absolute;top:0;left:0;z-index:1060;display:block;max-width:276px;font-family:-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";font-style:normal;font-weight:400;line-height:1.5;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;white-space:normal;line-break:auto;font-size:0.8203125rem;word-wrap:break-word;background-color:#32383e;background-clip:padding-box;border:1px solid rgba(0,0,0,0.2);border-radius:0.3rem}.popover .arrow{position:absolute;display:block;width:1rem;height:0.5rem;margin:0 0.3rem}.popover .arrow::before,.popover .arrow::after{position:absolute;display:block;content:"";border-color:transparent;border-style:solid}.bs-popover-top,.bs-popover-auto[x-placement^="top"]{margin-bottom:0.5rem}.bs-popover-top>.arrow,.bs-popover-auto[x-placement^="top"]>.arrow{bottom:calc(-0.5rem - 1px)}.bs-popover-top>.arrow::before,.bs-popover-auto[x-placement^="top"]>.arrow::before{bottom:0;border-width:0.5rem 0.5rem 0;border-top-color:rgba(0,0,0,0.25)}.bs-popover-top>.arrow::after,.bs-popover-auto[x-placement^="top"]>.arrow::after{bottom:1px;border-width:0.5rem 0.5rem 0;border-top-color:#32383e}.bs-popover-right,.bs-popover-auto[x-placement^="right"]{margin-left:0.5rem}.bs-popover-right>.arrow,.bs-popover-auto[x-placement^="right"]>.arrow{left:calc(-0.5rem - 1px);width:0.5rem;height:1rem;margin:0.3rem 
0}.bs-popover-right>.arrow::before,.bs-popover-auto[x-placement^="right"]>.arrow::before{left:0;border-width:0.5rem 0.5rem 0.5rem 0;border-right-color:rgba(0,0,0,0.25)}.bs-popover-right>.arrow::after,.bs-popover-auto[x-placement^="right"]>.arrow::after{left:1px;border-width:0.5rem 0.5rem 0.5rem 0;border-right-color:#32383e}.bs-popover-bottom,.bs-popover-auto[x-placement^="bottom"]{margin-top:0.5rem}.bs-popover-bottom>.arrow,.bs-popover-auto[x-placement^="bottom"]>.arrow{top:calc(-0.5rem - 1px)}.bs-popover-bottom>.arrow::before,.bs-popover-auto[x-placement^="bottom"]>.arrow::before{top:0;border-width:0 0.5rem 0.5rem 0.5rem;border-bottom-color:rgba(0,0,0,0.25)}.bs-popover-bottom>.arrow::after,.bs-popover-auto[x-placement^="bottom"]>.arrow::after{top:1px;border-width:0 0.5rem 0.5rem 0.5rem;border-bottom-color:#32383e}.bs-popover-bottom .popover-header::before,.bs-popover-auto[x-placement^="bottom"] .popover-header::before{position:absolute;top:0;left:50%;display:block;width:1rem;margin-left:-0.5rem;content:"";border-bottom:1px solid #2c3036}.bs-popover-left,.bs-popover-auto[x-placement^="left"]{margin-right:0.5rem}.bs-popover-left>.arrow,.bs-popover-auto[x-placement^="left"]>.arrow{right:calc(-0.5rem - 1px);width:0.5rem;height:1rem;margin:0.3rem 0}.bs-popover-left>.arrow::before,.bs-popover-auto[x-placement^="left"]>.arrow::before{right:0;border-width:0.5rem 0 0.5rem 0.5rem;border-left-color:rgba(0,0,0,0.25)}.bs-popover-left>.arrow::after,.bs-popover-auto[x-placement^="left"]>.arrow::after{right:1px;border-width:0.5rem 0 0.5rem 0.5rem;border-left-color:#32383e}.popover-header{padding:0.5rem 0.75rem;margin-bottom:0;font-size:0.9375rem;background-color:#2c3036;border-bottom:1px solid #202328;border-top-left-radius:calc(0.3rem - 1px);border-top-right-radius:calc(0.3rem - 1px)}.popover-header:empty{display:none}.popover-body{padding:0.5rem 
0.75rem;color:#aaa}.carousel{position:relative}.carousel.pointer-event{-ms-touch-action:pan-y;touch-action:pan-y}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner::after{display:block;clear:both;content:""}.carousel-item{position:relative;display:none;float:left;width:100%;margin-right:-100%;-webkit-backface-visibility:hidden;backface-visibility:hidden;-webkit-transition:-webkit-transform 0.6s ease-in-out;transition:-webkit-transform 0.6s ease-in-out;transition:transform 0.6s ease-in-out;transition:transform 0.6s ease-in-out, -webkit-transform 0.6s ease-in-out}@media (prefers-reduced-motion: reduce){.carousel-item{-webkit-transition:none;transition:none}}.carousel-item.active,.carousel-item-next,.carousel-item-prev{display:block}.carousel-item-next:not(.carousel-item-left),.active.carousel-item-right{-webkit-transform:translateX(100%);transform:translateX(100%)}.carousel-item-prev:not(.carousel-item-right),.active.carousel-item-left{-webkit-transform:translateX(-100%);transform:translateX(-100%)}.carousel-fade .carousel-item{opacity:0;-webkit-transition-property:opacity;transition-property:opacity;-webkit-transform:none;transform:none}.carousel-fade .carousel-item.active,.carousel-fade .carousel-item-next.carousel-item-left,.carousel-fade .carousel-item-prev.carousel-item-right{z-index:1;opacity:1}.carousel-fade .active.carousel-item-left,.carousel-fade .active.carousel-item-right{z-index:0;opacity:0;-webkit-transition:opacity 0s 0.6s;transition:opacity 0s 0.6s}@media (prefers-reduced-motion: reduce){.carousel-fade .active.carousel-item-left,.carousel-fade 
.active.carousel-item-right{-webkit-transition:none;transition:none}}.carousel-control-prev,.carousel-control-next{position:absolute;top:0;bottom:0;z-index:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;width:15%;color:#fff;text-align:center;opacity:0.5;-webkit-transition:opacity 0.15s ease;transition:opacity 0.15s ease}@media (prefers-reduced-motion: reduce){.carousel-control-prev,.carousel-control-next{-webkit-transition:none;transition:none}}.carousel-control-prev:hover,.carousel-control-prev:focus,.carousel-control-next:hover,.carousel-control-next:focus{color:#fff;text-decoration:none;outline:0;opacity:0.9}.carousel-control-prev{left:0}.carousel-control-next{right:0}.carousel-control-prev-icon,.carousel-control-next-icon{display:inline-block;width:20px;height:20px;background:no-repeat 50% / 100% 100%}.carousel-control-prev-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='%23fff' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath d='M5.25 0l-4 4 4 4 1.5-1.5L4.25 4l2.5-2.5L5.25 0z'/%3e%3c/svg%3e")}.carousel-control-next-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='%23fff' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath d='M2.75 0l-1.5 1.5L3.75 4l-2.5 2.5L2.75 8l4-4-4-4z'/%3e%3c/svg%3e")}.carousel-indicators{position:absolute;right:0;bottom:0;left:0;z-index:15;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;padding-left:0;margin-right:15%;margin-left:15%;list-style:none}.carousel-indicators li{-webkit-box-sizing:content-box;box-sizing:content-box;-webkit-box-flex:0;-ms-flex:0 1 auto;flex:0 1 auto;width:30px;height:3px;margin-right:3px;margin-left:3px;text-indent:-999px;cursor:pointer;background-color:#fff;background-clip:padding-box;border-top:10px solid 
transparent;border-bottom:10px solid transparent;opacity:.5;-webkit-transition:opacity 0.6s ease;transition:opacity 0.6s ease}@media (prefers-reduced-motion: reduce){.carousel-indicators li{-webkit-transition:none;transition:none}}.carousel-indicators .active{opacity:1}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center}@-webkit-keyframes spinner-border{to{-webkit-transform:rotate(360deg);transform:rotate(360deg)}}@keyframes spinner-border{to{-webkit-transform:rotate(360deg);transform:rotate(360deg)}}.spinner-border{display:inline-block;width:2rem;height:2rem;vertical-align:text-bottom;border:0.25em solid currentColor;border-right-color:transparent;border-radius:50%;-webkit-animation:spinner-border .75s linear infinite;animation:spinner-border .75s linear infinite}.spinner-border-sm{width:1rem;height:1rem;border-width:0.2em}@-webkit-keyframes spinner-grow{0%{-webkit-transform:scale(0);transform:scale(0)}50%{opacity:1}}@keyframes spinner-grow{0%{-webkit-transform:scale(0);transform:scale(0)}50%{opacity:1}}.spinner-grow{display:inline-block;width:2rem;height:2rem;vertical-align:text-bottom;background-color:currentColor;border-radius:50%;opacity:0;-webkit-animation:spinner-grow .75s linear infinite;animation:spinner-grow .75s linear infinite}.spinner-grow-sm{width:1rem;height:1rem}.align-baseline{vertical-align:baseline !important}.align-top{vertical-align:top !important}.align-middle{vertical-align:middle !important}.align-bottom{vertical-align:bottom !important}.align-text-bottom{vertical-align:text-bottom !important}.align-text-top{vertical-align:text-top !important}.bg-primary{background-color:#3A3F44 !important}a.bg-primary:hover,a.bg-primary:focus,button.bg-primary:hover,button.bg-primary:focus{background-color:#232628 !important}.bg-secondary{background-color:#7A8288 
!important}a.bg-secondary:hover,a.bg-secondary:focus,button.bg-secondary:hover,button.bg-secondary:focus{background-color:#62686d !important}.bg-success{background-color:#62c462 !important}a.bg-success:hover,a.bg-success:focus,button.bg-success:hover,button.bg-success:focus{background-color:#42b142 !important}.bg-info{background-color:#5bc0de !important}a.bg-info:hover,a.bg-info:focus,button.bg-info:hover,button.bg-info:focus{background-color:#31b0d5 !important}.bg-warning{background-color:#f89406 !important}a.bg-warning:hover,a.bg-warning:focus,button.bg-warning:hover,button.bg-warning:focus{background-color:#c67605 !important}.bg-danger{background-color:#ee5f5b !important}a.bg-danger:hover,a.bg-danger:focus,button.bg-danger:hover,button.bg-danger:focus{background-color:#e9322d !important}.bg-light{background-color:#e9ecef !important}a.bg-light:hover,a.bg-light:focus,button.bg-light:hover,button.bg-light:focus{background-color:#cbd3da !important}.bg-dark{background-color:#272B30 !important}a.bg-dark:hover,a.bg-dark:focus,button.bg-dark:hover,button.bg-dark:focus{background-color:#101214 !important}.bg-white{background-color:#fff !important}.bg-transparent{background-color:transparent !important}.border{border:1px solid #dee2e6 !important}.border-top{border-top:1px solid #dee2e6 !important}.border-right{border-right:1px solid #dee2e6 !important}.border-bottom{border-bottom:1px solid #dee2e6 !important}.border-left{border-left:1px solid #dee2e6 !important}.border-0{border:0 !important}.border-top-0{border-top:0 !important}.border-right-0{border-right:0 !important}.border-bottom-0{border-bottom:0 !important}.border-left-0{border-left:0 !important}.border-primary{border-color:#3A3F44 !important}.border-secondary{border-color:#7A8288 !important}.border-success{border-color:#62c462 !important}.border-info{border-color:#5bc0de !important}.border-warning{border-color:#f89406 !important}.border-danger{border-color:#ee5f5b !important}.border-light{border-color:#e9ecef 
!important}.border-dark{border-color:#272B30 !important}.border-white{border-color:#fff !important}.rounded-sm{border-radius:0.2rem !important}.rounded{border-radius:0.25rem !important}.rounded-top{border-top-left-radius:0.25rem !important;border-top-right-radius:0.25rem !important}.rounded-right{border-top-right-radius:0.25rem !important;border-bottom-right-radius:0.25rem !important}.rounded-bottom{border-bottom-right-radius:0.25rem !important;border-bottom-left-radius:0.25rem !important}.rounded-left{border-top-left-radius:0.25rem !important;border-bottom-left-radius:0.25rem !important}.rounded-lg{border-radius:0.3rem !important}.rounded-circle{border-radius:50% !important}.rounded-pill{border-radius:50rem !important}.rounded-0{border-radius:0 !important}.clearfix::after{display:block;clear:both;content:""}.d-none{display:none !important}.d-inline{display:inline !important}.d-inline-block{display:inline-block !important}.d-block{display:block !important}.d-table{display:table !important}.d-table-row{display:table-row !important}.d-table-cell{display:table-cell !important}.d-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}@media (min-width: 576px){.d-sm-none{display:none !important}.d-sm-inline{display:inline !important}.d-sm-inline-block{display:inline-block !important}.d-sm-block{display:block !important}.d-sm-table{display:table !important}.d-sm-table-row{display:table-row !important}.d-sm-table-cell{display:table-cell !important}.d-sm-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-sm-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}}@media (min-width: 768px){.d-md-none{display:none !important}.d-md-inline{display:inline !important}.d-md-inline-block{display:inline-block 
!important}.d-md-block{display:block !important}.d-md-table{display:table !important}.d-md-table-row{display:table-row !important}.d-md-table-cell{display:table-cell !important}.d-md-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-md-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}}@media (min-width: 992px){.d-lg-none{display:none !important}.d-lg-inline{display:inline !important}.d-lg-inline-block{display:inline-block !important}.d-lg-block{display:block !important}.d-lg-table{display:table !important}.d-lg-table-row{display:table-row !important}.d-lg-table-cell{display:table-cell !important}.d-lg-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-lg-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}}@media (min-width: 1200px){.d-xl-none{display:none !important}.d-xl-inline{display:inline !important}.d-xl-inline-block{display:inline-block !important}.d-xl-block{display:block !important}.d-xl-table{display:table !important}.d-xl-table-row{display:table-row !important}.d-xl-table-cell{display:table-cell !important}.d-xl-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-xl-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox !important;display:inline-flex !important}}@media print{.d-print-none{display:none !important}.d-print-inline{display:inline !important}.d-print-inline-block{display:inline-block !important}.d-print-block{display:block !important}.d-print-table{display:table !important}.d-print-table-row{display:table-row !important}.d-print-table-cell{display:table-cell !important}.d-print-flex{display:-webkit-box !important;display:-ms-flexbox !important;display:flex !important}.d-print-inline-flex{display:-webkit-inline-box !important;display:-ms-inline-flexbox 
!important;display:inline-flex !important}}.embed-responsive{position:relative;display:block;width:100%;padding:0;overflow:hidden}.embed-responsive::before{display:block;content:""}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object,.embed-responsive video{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive-21by9::before{padding-top:42.8571428571%}.embed-responsive-16by9::before{padding-top:56.25%}.embed-responsive-4by3::before{padding-top:75%}.embed-responsive-1by1::before{padding-top:100%}.flex-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal !important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column !important}.flex-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-start{-webkit-box-pack:start 
!important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-center{-webkit-box-pack:center !important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify !important;justify-content:space-between !important}.justify-content-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-start{-webkit-box-align:start !important;-ms-flex-align:start !important;align-items:flex-start !important}.align-items-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-center{-webkit-box-align:center !important;-ms-flex-align:center !important;align-items:center !important}.align-items-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-end{-ms-flex-item-align:end !important;align-self:flex-end 
!important}.align-self-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-baseline{-ms-flex-item-align:baseline !important;align-self:baseline !important}.align-self-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}@media (min-width: 576px){.flex-sm-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal !important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-sm-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column !important}.flex-sm-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-sm-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-sm-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-sm-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-sm-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-sm-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-sm-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-sm-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-sm-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-sm-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-sm-start{-webkit-box-pack:start !important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-sm-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-sm-center{-webkit-box-pack:center 
!important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-sm-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify !important;justify-content:space-between !important}.justify-content-sm-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-sm-start{-webkit-box-align:start !important;-ms-flex-align:start !important;align-items:flex-start !important}.align-items-sm-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-sm-center{-webkit-box-align:center !important;-ms-flex-align:center !important;align-items:center !important}.align-items-sm-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-sm-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-sm-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-sm-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-sm-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-sm-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-sm-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-sm-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-sm-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-sm-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-sm-end{-ms-flex-item-align:end !important;align-self:flex-end !important}.align-self-sm-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-sm-baseline{-ms-flex-item-align:baseline !important;align-self:baseline 
!important}.align-self-sm-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}}@media (min-width: 768px){.flex-md-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal !important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-md-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column !important}.flex-md-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-md-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-md-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-md-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-md-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-md-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-md-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-md-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-md-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-md-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-md-start{-webkit-box-pack:start !important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-md-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-md-center{-webkit-box-pack:center !important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-md-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify 
!important;justify-content:space-between !important}.justify-content-md-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-md-start{-webkit-box-align:start !important;-ms-flex-align:start !important;align-items:flex-start !important}.align-items-md-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-md-center{-webkit-box-align:center !important;-ms-flex-align:center !important;align-items:center !important}.align-items-md-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-md-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-md-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-md-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-md-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-md-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-md-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-md-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-md-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-md-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-md-end{-ms-flex-item-align:end !important;align-self:flex-end !important}.align-self-md-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-md-baseline{-ms-flex-item-align:baseline !important;align-self:baseline !important}.align-self-md-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}}@media (min-width: 992px){.flex-lg-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal 
!important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-lg-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column !important}.flex-lg-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-lg-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-lg-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-lg-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-lg-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-lg-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-lg-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-lg-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-lg-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-lg-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-lg-start{-webkit-box-pack:start !important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-lg-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-lg-center{-webkit-box-pack:center !important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-lg-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify !important;justify-content:space-between !important}.justify-content-lg-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-lg-start{-webkit-box-align:start !important;-ms-flex-align:start 
!important;align-items:flex-start !important}.align-items-lg-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-lg-center{-webkit-box-align:center !important;-ms-flex-align:center !important;align-items:center !important}.align-items-lg-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-lg-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-lg-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-lg-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-lg-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-lg-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-lg-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-lg-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-lg-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-lg-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-lg-end{-ms-flex-item-align:end !important;align-self:flex-end !important}.align-self-lg-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-lg-baseline{-ms-flex-item-align:baseline !important;align-self:baseline !important}.align-self-lg-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}}@media (min-width: 1200px){.flex-xl-row{-webkit-box-orient:horizontal !important;-webkit-box-direction:normal !important;-ms-flex-direction:row !important;flex-direction:row !important}.flex-xl-column{-webkit-box-orient:vertical !important;-webkit-box-direction:normal !important;-ms-flex-direction:column !important;flex-direction:column 
!important}.flex-xl-row-reverse{-webkit-box-orient:horizontal !important;-webkit-box-direction:reverse !important;-ms-flex-direction:row-reverse !important;flex-direction:row-reverse !important}.flex-xl-column-reverse{-webkit-box-orient:vertical !important;-webkit-box-direction:reverse !important;-ms-flex-direction:column-reverse !important;flex-direction:column-reverse !important}.flex-xl-wrap{-ms-flex-wrap:wrap !important;flex-wrap:wrap !important}.flex-xl-nowrap{-ms-flex-wrap:nowrap !important;flex-wrap:nowrap !important}.flex-xl-wrap-reverse{-ms-flex-wrap:wrap-reverse !important;flex-wrap:wrap-reverse !important}.flex-xl-fill{-webkit-box-flex:1 !important;-ms-flex:1 1 auto !important;flex:1 1 auto !important}.flex-xl-grow-0{-webkit-box-flex:0 !important;-ms-flex-positive:0 !important;flex-grow:0 !important}.flex-xl-grow-1{-webkit-box-flex:1 !important;-ms-flex-positive:1 !important;flex-grow:1 !important}.flex-xl-shrink-0{-ms-flex-negative:0 !important;flex-shrink:0 !important}.flex-xl-shrink-1{-ms-flex-negative:1 !important;flex-shrink:1 !important}.justify-content-xl-start{-webkit-box-pack:start !important;-ms-flex-pack:start !important;justify-content:flex-start !important}.justify-content-xl-end{-webkit-box-pack:end !important;-ms-flex-pack:end !important;justify-content:flex-end !important}.justify-content-xl-center{-webkit-box-pack:center !important;-ms-flex-pack:center !important;justify-content:center !important}.justify-content-xl-between{-webkit-box-pack:justify !important;-ms-flex-pack:justify !important;justify-content:space-between !important}.justify-content-xl-around{-ms-flex-pack:distribute !important;justify-content:space-around !important}.align-items-xl-start{-webkit-box-align:start !important;-ms-flex-align:start !important;align-items:flex-start !important}.align-items-xl-end{-webkit-box-align:end !important;-ms-flex-align:end !important;align-items:flex-end !important}.align-items-xl-center{-webkit-box-align:center 
!important;-ms-flex-align:center !important;align-items:center !important}.align-items-xl-baseline{-webkit-box-align:baseline !important;-ms-flex-align:baseline !important;align-items:baseline !important}.align-items-xl-stretch{-webkit-box-align:stretch !important;-ms-flex-align:stretch !important;align-items:stretch !important}.align-content-xl-start{-ms-flex-line-pack:start !important;align-content:flex-start !important}.align-content-xl-end{-ms-flex-line-pack:end !important;align-content:flex-end !important}.align-content-xl-center{-ms-flex-line-pack:center !important;align-content:center !important}.align-content-xl-between{-ms-flex-line-pack:justify !important;align-content:space-between !important}.align-content-xl-around{-ms-flex-line-pack:distribute !important;align-content:space-around !important}.align-content-xl-stretch{-ms-flex-line-pack:stretch !important;align-content:stretch !important}.align-self-xl-auto{-ms-flex-item-align:auto !important;align-self:auto !important}.align-self-xl-start{-ms-flex-item-align:start !important;align-self:flex-start !important}.align-self-xl-end{-ms-flex-item-align:end !important;align-self:flex-end !important}.align-self-xl-center{-ms-flex-item-align:center !important;align-self:center !important}.align-self-xl-baseline{-ms-flex-item-align:baseline !important;align-self:baseline !important}.align-self-xl-stretch{-ms-flex-item-align:stretch !important;align-self:stretch !important}}.float-left{float:left !important}.float-right{float:right !important}.float-none{float:none !important}@media (min-width: 576px){.float-sm-left{float:left !important}.float-sm-right{float:right !important}.float-sm-none{float:none !important}}@media (min-width: 768px){.float-md-left{float:left !important}.float-md-right{float:right !important}.float-md-none{float:none !important}}@media (min-width: 992px){.float-lg-left{float:left !important}.float-lg-right{float:right !important}.float-lg-none{float:none !important}}@media (min-width: 
1200px){.float-xl-left{float:left !important}.float-xl-right{float:right !important}.float-xl-none{float:none !important}}.overflow-auto{overflow:auto !important}.overflow-hidden{overflow:hidden !important}.position-static{position:static !important}.position-relative{position:relative !important}.position-absolute{position:absolute !important}.position-fixed{position:fixed !important}.position-sticky{position:-webkit-sticky !important;position:sticky !important}.fixed-top{position:fixed;top:0;right:0;left:0;z-index:1030}.fixed-bottom{position:fixed;right:0;bottom:0;left:0;z-index:1030}@supports (position: -webkit-sticky) or (position: sticky){.sticky-top{position:-webkit-sticky;position:sticky;top:0;z-index:1020}}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0, 0, 0, 0);white-space:nowrap;border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;overflow:visible;clip:auto;white-space:normal}.shadow-sm{-webkit-box-shadow:0 0.125rem 0.25rem rgba(0,0,0,0.075) !important;box-shadow:0 0.125rem 0.25rem rgba(0,0,0,0.075) !important}.shadow{-webkit-box-shadow:0 0.5rem 1rem rgba(0,0,0,0.15) !important;box-shadow:0 0.5rem 1rem rgba(0,0,0,0.15) !important}.shadow-lg{-webkit-box-shadow:0 1rem 3rem rgba(0,0,0,0.175) !important;box-shadow:0 1rem 3rem rgba(0,0,0,0.175) !important}.shadow-none{-webkit-box-shadow:none !important;box-shadow:none !important}.w-25{width:25% !important}.w-50{width:50% !important}.w-75{width:75% !important}.w-100{width:100% !important}.w-auto{width:auto !important}.h-25{height:25% !important}.h-50{height:50% !important}.h-75{height:75% !important}.h-100{height:100% !important}.h-auto{height:auto !important}.mw-100{max-width:100% !important}.mh-100{max-height:100% !important}.min-vw-100{min-width:100vw !important}.min-vh-100{min-height:100vh !important}.vw-100{width:100vw !important}.vh-100{height:100vh 
!important}.stretched-link::after{position:absolute;top:0;right:0;bottom:0;left:0;z-index:1;pointer-events:auto;content:"";background-color:rgba(0,0,0,0)}.m-0{margin:0 !important}.mt-0,.my-0{margin-top:0 !important}.mr-0,.mx-0{margin-right:0 !important}.mb-0,.my-0{margin-bottom:0 !important}.ml-0,.mx-0{margin-left:0 !important}.m-1{margin:0.25rem !important}.mt-1,.my-1{margin-top:0.25rem !important}.mr-1,.mx-1{margin-right:0.25rem !important}.mb-1,.my-1{margin-bottom:0.25rem !important}.ml-1,.mx-1{margin-left:0.25rem !important}.m-2{margin:0.5rem !important}.mt-2,.my-2{margin-top:0.5rem !important}.mr-2,.mx-2{margin-right:0.5rem !important}.mb-2,.my-2{margin-bottom:0.5rem !important}.ml-2,.mx-2{margin-left:0.5rem !important}.m-3{margin:1rem !important}.mt-3,.my-3{margin-top:1rem !important}.mr-3,.mx-3{margin-right:1rem !important}.mb-3,.my-3{margin-bottom:1rem !important}.ml-3,.mx-3{margin-left:1rem !important}.m-4{margin:1.5rem !important}.mt-4,.my-4{margin-top:1.5rem !important}.mr-4,.mx-4{margin-right:1.5rem !important}.mb-4,.my-4{margin-bottom:1.5rem !important}.ml-4,.mx-4{margin-left:1.5rem !important}.m-5{margin:3rem !important}.mt-5,.my-5{margin-top:3rem !important}.mr-5,.mx-5{margin-right:3rem !important}.mb-5,.my-5{margin-bottom:3rem !important}.ml-5,.mx-5{margin-left:3rem !important}.p-0{padding:0 !important}.pt-0,.py-0{padding-top:0 !important}.pr-0,.px-0{padding-right:0 !important}.pb-0,.py-0{padding-bottom:0 !important}.pl-0,.px-0{padding-left:0 !important}.p-1{padding:0.25rem !important}.pt-1,.py-1{padding-top:0.25rem !important}.pr-1,.px-1{padding-right:0.25rem !important}.pb-1,.py-1{padding-bottom:0.25rem !important}.pl-1,.px-1{padding-left:0.25rem !important}.p-2{padding:0.5rem !important}.pt-2,.py-2{padding-top:0.5rem !important}.pr-2,.px-2{padding-right:0.5rem !important}.pb-2,.py-2{padding-bottom:0.5rem !important}.pl-2,.px-2{padding-left:0.5rem !important}.p-3{padding:1rem !important}.pt-3,.py-3{padding-top:1rem 
!important}.pr-3,.px-3{padding-right:1rem !important}.pb-3,.py-3{padding-bottom:1rem !important}.pl-3,.px-3{padding-left:1rem !important}.p-4{padding:1.5rem !important}.pt-4,.py-4{padding-top:1.5rem !important}.pr-4,.px-4{padding-right:1.5rem !important}.pb-4,.py-4{padding-bottom:1.5rem !important}.pl-4,.px-4{padding-left:1.5rem !important}.p-5{padding:3rem !important}.pt-5,.py-5{padding-top:3rem !important}.pr-5,.px-5{padding-right:3rem !important}.pb-5,.py-5{padding-bottom:3rem !important}.pl-5,.px-5{padding-left:3rem !important}.m-n1{margin:-0.25rem !important}.mt-n1,.my-n1{margin-top:-0.25rem !important}.mr-n1,.mx-n1{margin-right:-0.25rem !important}.mb-n1,.my-n1{margin-bottom:-0.25rem !important}.ml-n1,.mx-n1{margin-left:-0.25rem !important}.m-n2{margin:-0.5rem !important}.mt-n2,.my-n2{margin-top:-0.5rem !important}.mr-n2,.mx-n2{margin-right:-0.5rem !important}.mb-n2,.my-n2{margin-bottom:-0.5rem !important}.ml-n2,.mx-n2{margin-left:-0.5rem !important}.m-n3{margin:-1rem !important}.mt-n3,.my-n3{margin-top:-1rem !important}.mr-n3,.mx-n3{margin-right:-1rem !important}.mb-n3,.my-n3{margin-bottom:-1rem !important}.ml-n3,.mx-n3{margin-left:-1rem !important}.m-n4{margin:-1.5rem !important}.mt-n4,.my-n4{margin-top:-1.5rem !important}.mr-n4,.mx-n4{margin-right:-1.5rem !important}.mb-n4,.my-n4{margin-bottom:-1.5rem !important}.ml-n4,.mx-n4{margin-left:-1.5rem !important}.m-n5{margin:-3rem !important}.mt-n5,.my-n5{margin-top:-3rem !important}.mr-n5,.mx-n5{margin-right:-3rem !important}.mb-n5,.my-n5{margin-bottom:-3rem !important}.ml-n5,.mx-n5{margin-left:-3rem !important}.m-auto{margin:auto !important}.mt-auto,.my-auto{margin-top:auto !important}.mr-auto,.mx-auto{margin-right:auto !important}.mb-auto,.my-auto{margin-bottom:auto !important}.ml-auto,.mx-auto{margin-left:auto !important}@media (min-width: 576px){.m-sm-0{margin:0 !important}.mt-sm-0,.my-sm-0{margin-top:0 !important}.mr-sm-0,.mx-sm-0{margin-right:0 !important}.mb-sm-0,.my-sm-0{margin-bottom:0 
!important}.ml-sm-0,.mx-sm-0{margin-left:0 !important}.m-sm-1{margin:0.25rem !important}.mt-sm-1,.my-sm-1{margin-top:0.25rem !important}.mr-sm-1,.mx-sm-1{margin-right:0.25rem !important}.mb-sm-1,.my-sm-1{margin-bottom:0.25rem !important}.ml-sm-1,.mx-sm-1{margin-left:0.25rem !important}.m-sm-2{margin:0.5rem !important}.mt-sm-2,.my-sm-2{margin-top:0.5rem !important}.mr-sm-2,.mx-sm-2{margin-right:0.5rem !important}.mb-sm-2,.my-sm-2{margin-bottom:0.5rem !important}.ml-sm-2,.mx-sm-2{margin-left:0.5rem !important}.m-sm-3{margin:1rem !important}.mt-sm-3,.my-sm-3{margin-top:1rem !important}.mr-sm-3,.mx-sm-3{margin-right:1rem !important}.mb-sm-3,.my-sm-3{margin-bottom:1rem !important}.ml-sm-3,.mx-sm-3{margin-left:1rem !important}.m-sm-4{margin:1.5rem !important}.mt-sm-4,.my-sm-4{margin-top:1.5rem !important}.mr-sm-4,.mx-sm-4{margin-right:1.5rem !important}.mb-sm-4,.my-sm-4{margin-bottom:1.5rem !important}.ml-sm-4,.mx-sm-4{margin-left:1.5rem !important}.m-sm-5{margin:3rem !important}.mt-sm-5,.my-sm-5{margin-top:3rem !important}.mr-sm-5,.mx-sm-5{margin-right:3rem !important}.mb-sm-5,.my-sm-5{margin-bottom:3rem !important}.ml-sm-5,.mx-sm-5{margin-left:3rem !important}.p-sm-0{padding:0 !important}.pt-sm-0,.py-sm-0{padding-top:0 !important}.pr-sm-0,.px-sm-0{padding-right:0 !important}.pb-sm-0,.py-sm-0{padding-bottom:0 !important}.pl-sm-0,.px-sm-0{padding-left:0 !important}.p-sm-1{padding:0.25rem !important}.pt-sm-1,.py-sm-1{padding-top:0.25rem !important}.pr-sm-1,.px-sm-1{padding-right:0.25rem !important}.pb-sm-1,.py-sm-1{padding-bottom:0.25rem !important}.pl-sm-1,.px-sm-1{padding-left:0.25rem !important}.p-sm-2{padding:0.5rem !important}.pt-sm-2,.py-sm-2{padding-top:0.5rem !important}.pr-sm-2,.px-sm-2{padding-right:0.5rem !important}.pb-sm-2,.py-sm-2{padding-bottom:0.5rem !important}.pl-sm-2,.px-sm-2{padding-left:0.5rem !important}.p-sm-3{padding:1rem !important}.pt-sm-3,.py-sm-3{padding-top:1rem !important}.pr-sm-3,.px-sm-3{padding-right:1rem 
!important}.pb-sm-3,.py-sm-3{padding-bottom:1rem !important}.pl-sm-3,.px-sm-3{padding-left:1rem !important}.p-sm-4{padding:1.5rem !important}.pt-sm-4,.py-sm-4{padding-top:1.5rem !important}.pr-sm-4,.px-sm-4{padding-right:1.5rem !important}.pb-sm-4,.py-sm-4{padding-bottom:1.5rem !important}.pl-sm-4,.px-sm-4{padding-left:1.5rem !important}.p-sm-5{padding:3rem !important}.pt-sm-5,.py-sm-5{padding-top:3rem !important}.pr-sm-5,.px-sm-5{padding-right:3rem !important}.pb-sm-5,.py-sm-5{padding-bottom:3rem !important}.pl-sm-5,.px-sm-5{padding-left:3rem !important}.m-sm-n1{margin:-0.25rem !important}.mt-sm-n1,.my-sm-n1{margin-top:-0.25rem !important}.mr-sm-n1,.mx-sm-n1{margin-right:-0.25rem !important}.mb-sm-n1,.my-sm-n1{margin-bottom:-0.25rem !important}.ml-sm-n1,.mx-sm-n1{margin-left:-0.25rem !important}.m-sm-n2{margin:-0.5rem !important}.mt-sm-n2,.my-sm-n2{margin-top:-0.5rem !important}.mr-sm-n2,.mx-sm-n2{margin-right:-0.5rem !important}.mb-sm-n2,.my-sm-n2{margin-bottom:-0.5rem !important}.ml-sm-n2,.mx-sm-n2{margin-left:-0.5rem !important}.m-sm-n3{margin:-1rem !important}.mt-sm-n3,.my-sm-n3{margin-top:-1rem !important}.mr-sm-n3,.mx-sm-n3{margin-right:-1rem !important}.mb-sm-n3,.my-sm-n3{margin-bottom:-1rem !important}.ml-sm-n3,.mx-sm-n3{margin-left:-1rem !important}.m-sm-n4{margin:-1.5rem !important}.mt-sm-n4,.my-sm-n4{margin-top:-1.5rem !important}.mr-sm-n4,.mx-sm-n4{margin-right:-1.5rem !important}.mb-sm-n4,.my-sm-n4{margin-bottom:-1.5rem !important}.ml-sm-n4,.mx-sm-n4{margin-left:-1.5rem !important}.m-sm-n5{margin:-3rem !important}.mt-sm-n5,.my-sm-n5{margin-top:-3rem !important}.mr-sm-n5,.mx-sm-n5{margin-right:-3rem !important}.mb-sm-n5,.my-sm-n5{margin-bottom:-3rem !important}.ml-sm-n5,.mx-sm-n5{margin-left:-3rem !important}.m-sm-auto{margin:auto !important}.mt-sm-auto,.my-sm-auto{margin-top:auto !important}.mr-sm-auto,.mx-sm-auto{margin-right:auto !important}.mb-sm-auto,.my-sm-auto{margin-bottom:auto !important}.ml-sm-auto,.mx-sm-auto{margin-left:auto 
!important}}@media (min-width: 768px){.m-md-0{margin:0 !important}.mt-md-0,.my-md-0{margin-top:0 !important}.mr-md-0,.mx-md-0{margin-right:0 !important}.mb-md-0,.my-md-0{margin-bottom:0 !important}.ml-md-0,.mx-md-0{margin-left:0 !important}.m-md-1{margin:0.25rem !important}.mt-md-1,.my-md-1{margin-top:0.25rem !important}.mr-md-1,.mx-md-1{margin-right:0.25rem !important}.mb-md-1,.my-md-1{margin-bottom:0.25rem !important}.ml-md-1,.mx-md-1{margin-left:0.25rem !important}.m-md-2{margin:0.5rem !important}.mt-md-2,.my-md-2{margin-top:0.5rem !important}.mr-md-2,.mx-md-2{margin-right:0.5rem !important}.mb-md-2,.my-md-2{margin-bottom:0.5rem !important}.ml-md-2,.mx-md-2{margin-left:0.5rem !important}.m-md-3{margin:1rem !important}.mt-md-3,.my-md-3{margin-top:1rem !important}.mr-md-3,.mx-md-3{margin-right:1rem !important}.mb-md-3,.my-md-3{margin-bottom:1rem !important}.ml-md-3,.mx-md-3{margin-left:1rem !important}.m-md-4{margin:1.5rem !important}.mt-md-4,.my-md-4{margin-top:1.5rem !important}.mr-md-4,.mx-md-4{margin-right:1.5rem !important}.mb-md-4,.my-md-4{margin-bottom:1.5rem !important}.ml-md-4,.mx-md-4{margin-left:1.5rem !important}.m-md-5{margin:3rem !important}.mt-md-5,.my-md-5{margin-top:3rem !important}.mr-md-5,.mx-md-5{margin-right:3rem !important}.mb-md-5,.my-md-5{margin-bottom:3rem !important}.ml-md-5,.mx-md-5{margin-left:3rem !important}.p-md-0{padding:0 !important}.pt-md-0,.py-md-0{padding-top:0 !important}.pr-md-0,.px-md-0{padding-right:0 !important}.pb-md-0,.py-md-0{padding-bottom:0 !important}.pl-md-0,.px-md-0{padding-left:0 !important}.p-md-1{padding:0.25rem !important}.pt-md-1,.py-md-1{padding-top:0.25rem !important}.pr-md-1,.px-md-1{padding-right:0.25rem !important}.pb-md-1,.py-md-1{padding-bottom:0.25rem !important}.pl-md-1,.px-md-1{padding-left:0.25rem !important}.p-md-2{padding:0.5rem !important}.pt-md-2,.py-md-2{padding-top:0.5rem !important}.pr-md-2,.px-md-2{padding-right:0.5rem !important}.pb-md-2,.py-md-2{padding-bottom:0.5rem 
!important}.pl-md-2,.px-md-2{padding-left:0.5rem !important}.p-md-3{padding:1rem !important}.pt-md-3,.py-md-3{padding-top:1rem !important}.pr-md-3,.px-md-3{padding-right:1rem !important}.pb-md-3,.py-md-3{padding-bottom:1rem !important}.pl-md-3,.px-md-3{padding-left:1rem !important}.p-md-4{padding:1.5rem !important}.pt-md-4,.py-md-4{padding-top:1.5rem !important}.pr-md-4,.px-md-4{padding-right:1.5rem !important}.pb-md-4,.py-md-4{padding-bottom:1.5rem !important}.pl-md-4,.px-md-4{padding-left:1.5rem !important}.p-md-5{padding:3rem !important}.pt-md-5,.py-md-5{padding-top:3rem !important}.pr-md-5,.px-md-5{padding-right:3rem !important}.pb-md-5,.py-md-5{padding-bottom:3rem !important}.pl-md-5,.px-md-5{padding-left:3rem !important}.m-md-n1{margin:-0.25rem !important}.mt-md-n1,.my-md-n1{margin-top:-0.25rem !important}.mr-md-n1,.mx-md-n1{margin-right:-0.25rem !important}.mb-md-n1,.my-md-n1{margin-bottom:-0.25rem !important}.ml-md-n1,.mx-md-n1{margin-left:-0.25rem !important}.m-md-n2{margin:-0.5rem !important}.mt-md-n2,.my-md-n2{margin-top:-0.5rem !important}.mr-md-n2,.mx-md-n2{margin-right:-0.5rem !important}.mb-md-n2,.my-md-n2{margin-bottom:-0.5rem !important}.ml-md-n2,.mx-md-n2{margin-left:-0.5rem !important}.m-md-n3{margin:-1rem !important}.mt-md-n3,.my-md-n3{margin-top:-1rem !important}.mr-md-n3,.mx-md-n3{margin-right:-1rem !important}.mb-md-n3,.my-md-n3{margin-bottom:-1rem !important}.ml-md-n3,.mx-md-n3{margin-left:-1rem !important}.m-md-n4{margin:-1.5rem !important}.mt-md-n4,.my-md-n4{margin-top:-1.5rem !important}.mr-md-n4,.mx-md-n4{margin-right:-1.5rem !important}.mb-md-n4,.my-md-n4{margin-bottom:-1.5rem !important}.ml-md-n4,.mx-md-n4{margin-left:-1.5rem !important}.m-md-n5{margin:-3rem !important}.mt-md-n5,.my-md-n5{margin-top:-3rem !important}.mr-md-n5,.mx-md-n5{margin-right:-3rem !important}.mb-md-n5,.my-md-n5{margin-bottom:-3rem !important}.ml-md-n5,.mx-md-n5{margin-left:-3rem !important}.m-md-auto{margin:auto !important}.mt-md-auto,.my-md-auto{margin-top:auto 
!important}.mr-md-auto,.mx-md-auto{margin-right:auto !important}.mb-md-auto,.my-md-auto{margin-bottom:auto !important}.ml-md-auto,.mx-md-auto{margin-left:auto !important}}@media (min-width: 992px){.m-lg-0{margin:0 !important}.mt-lg-0,.my-lg-0{margin-top:0 !important}.mr-lg-0,.mx-lg-0{margin-right:0 !important}.mb-lg-0,.my-lg-0{margin-bottom:0 !important}.ml-lg-0,.mx-lg-0{margin-left:0 !important}.m-lg-1{margin:0.25rem !important}.mt-lg-1,.my-lg-1{margin-top:0.25rem !important}.mr-lg-1,.mx-lg-1{margin-right:0.25rem !important}.mb-lg-1,.my-lg-1{margin-bottom:0.25rem !important}.ml-lg-1,.mx-lg-1{margin-left:0.25rem !important}.m-lg-2{margin:0.5rem !important}.mt-lg-2,.my-lg-2{margin-top:0.5rem !important}.mr-lg-2,.mx-lg-2{margin-right:0.5rem !important}.mb-lg-2,.my-lg-2{margin-bottom:0.5rem !important}.ml-lg-2,.mx-lg-2{margin-left:0.5rem !important}.m-lg-3{margin:1rem !important}.mt-lg-3,.my-lg-3{margin-top:1rem !important}.mr-lg-3,.mx-lg-3{margin-right:1rem !important}.mb-lg-3,.my-lg-3{margin-bottom:1rem !important}.ml-lg-3,.mx-lg-3{margin-left:1rem !important}.m-lg-4{margin:1.5rem !important}.mt-lg-4,.my-lg-4{margin-top:1.5rem !important}.mr-lg-4,.mx-lg-4{margin-right:1.5rem !important}.mb-lg-4,.my-lg-4{margin-bottom:1.5rem !important}.ml-lg-4,.mx-lg-4{margin-left:1.5rem !important}.m-lg-5{margin:3rem !important}.mt-lg-5,.my-lg-5{margin-top:3rem !important}.mr-lg-5,.mx-lg-5{margin-right:3rem !important}.mb-lg-5,.my-lg-5{margin-bottom:3rem !important}.ml-lg-5,.mx-lg-5{margin-left:3rem !important}.p-lg-0{padding:0 !important}.pt-lg-0,.py-lg-0{padding-top:0 !important}.pr-lg-0,.px-lg-0{padding-right:0 !important}.pb-lg-0,.py-lg-0{padding-bottom:0 !important}.pl-lg-0,.px-lg-0{padding-left:0 !important}.p-lg-1{padding:0.25rem !important}.pt-lg-1,.py-lg-1{padding-top:0.25rem !important}.pr-lg-1,.px-lg-1{padding-right:0.25rem !important}.pb-lg-1,.py-lg-1{padding-bottom:0.25rem !important}.pl-lg-1,.px-lg-1{padding-left:0.25rem !important}.p-lg-2{padding:0.5rem 
!important}.pt-lg-2,.py-lg-2{padding-top:0.5rem !important}.pr-lg-2,.px-lg-2{padding-right:0.5rem !important}.pb-lg-2,.py-lg-2{padding-bottom:0.5rem !important}.pl-lg-2,.px-lg-2{padding-left:0.5rem !important}.p-lg-3{padding:1rem !important}.pt-lg-3,.py-lg-3{padding-top:1rem !important}.pr-lg-3,.px-lg-3{padding-right:1rem !important}.pb-lg-3,.py-lg-3{padding-bottom:1rem !important}.pl-lg-3,.px-lg-3{padding-left:1rem !important}.p-lg-4{padding:1.5rem !important}.pt-lg-4,.py-lg-4{padding-top:1.5rem !important}.pr-lg-4,.px-lg-4{padding-right:1.5rem !important}.pb-lg-4,.py-lg-4{padding-bottom:1.5rem !important}.pl-lg-4,.px-lg-4{padding-left:1.5rem !important}.p-lg-5{padding:3rem !important}.pt-lg-5,.py-lg-5{padding-top:3rem !important}.pr-lg-5,.px-lg-5{padding-right:3rem !important}.pb-lg-5,.py-lg-5{padding-bottom:3rem !important}.pl-lg-5,.px-lg-5{padding-left:3rem !important}.m-lg-n1{margin:-0.25rem !important}.mt-lg-n1,.my-lg-n1{margin-top:-0.25rem !important}.mr-lg-n1,.mx-lg-n1{margin-right:-0.25rem !important}.mb-lg-n1,.my-lg-n1{margin-bottom:-0.25rem !important}.ml-lg-n1,.mx-lg-n1{margin-left:-0.25rem !important}.m-lg-n2{margin:-0.5rem !important}.mt-lg-n2,.my-lg-n2{margin-top:-0.5rem !important}.mr-lg-n2,.mx-lg-n2{margin-right:-0.5rem !important}.mb-lg-n2,.my-lg-n2{margin-bottom:-0.5rem !important}.ml-lg-n2,.mx-lg-n2{margin-left:-0.5rem !important}.m-lg-n3{margin:-1rem !important}.mt-lg-n3,.my-lg-n3{margin-top:-1rem !important}.mr-lg-n3,.mx-lg-n3{margin-right:-1rem !important}.mb-lg-n3,.my-lg-n3{margin-bottom:-1rem !important}.ml-lg-n3,.mx-lg-n3{margin-left:-1rem !important}.m-lg-n4{margin:-1.5rem !important}.mt-lg-n4,.my-lg-n4{margin-top:-1.5rem !important}.mr-lg-n4,.mx-lg-n4{margin-right:-1.5rem !important}.mb-lg-n4,.my-lg-n4{margin-bottom:-1.5rem !important}.ml-lg-n4,.mx-lg-n4{margin-left:-1.5rem !important}.m-lg-n5{margin:-3rem !important}.mt-lg-n5,.my-lg-n5{margin-top:-3rem !important}.mr-lg-n5,.mx-lg-n5{margin-right:-3rem 
!important}.mb-lg-n5,.my-lg-n5{margin-bottom:-3rem !important}.ml-lg-n5,.mx-lg-n5{margin-left:-3rem !important}.m-lg-auto{margin:auto !important}.mt-lg-auto,.my-lg-auto{margin-top:auto !important}.mr-lg-auto,.mx-lg-auto{margin-right:auto !important}.mb-lg-auto,.my-lg-auto{margin-bottom:auto !important}.ml-lg-auto,.mx-lg-auto{margin-left:auto !important}}@media (min-width: 1200px){.m-xl-0{margin:0 !important}.mt-xl-0,.my-xl-0{margin-top:0 !important}.mr-xl-0,.mx-xl-0{margin-right:0 !important}.mb-xl-0,.my-xl-0{margin-bottom:0 !important}.ml-xl-0,.mx-xl-0{margin-left:0 !important}.m-xl-1{margin:0.25rem !important}.mt-xl-1,.my-xl-1{margin-top:0.25rem !important}.mr-xl-1,.mx-xl-1{margin-right:0.25rem !important}.mb-xl-1,.my-xl-1{margin-bottom:0.25rem !important}.ml-xl-1,.mx-xl-1{margin-left:0.25rem !important}.m-xl-2{margin:0.5rem !important}.mt-xl-2,.my-xl-2{margin-top:0.5rem !important}.mr-xl-2,.mx-xl-2{margin-right:0.5rem !important}.mb-xl-2,.my-xl-2{margin-bottom:0.5rem !important}.ml-xl-2,.mx-xl-2{margin-left:0.5rem !important}.m-xl-3{margin:1rem !important}.mt-xl-3,.my-xl-3{margin-top:1rem !important}.mr-xl-3,.mx-xl-3{margin-right:1rem !important}.mb-xl-3,.my-xl-3{margin-bottom:1rem !important}.ml-xl-3,.mx-xl-3{margin-left:1rem !important}.m-xl-4{margin:1.5rem !important}.mt-xl-4,.my-xl-4{margin-top:1.5rem !important}.mr-xl-4,.mx-xl-4{margin-right:1.5rem !important}.mb-xl-4,.my-xl-4{margin-bottom:1.5rem !important}.ml-xl-4,.mx-xl-4{margin-left:1.5rem !important}.m-xl-5{margin:3rem !important}.mt-xl-5,.my-xl-5{margin-top:3rem !important}.mr-xl-5,.mx-xl-5{margin-right:3rem !important}.mb-xl-5,.my-xl-5{margin-bottom:3rem !important}.ml-xl-5,.mx-xl-5{margin-left:3rem !important}.p-xl-0{padding:0 !important}.pt-xl-0,.py-xl-0{padding-top:0 !important}.pr-xl-0,.px-xl-0{padding-right:0 !important}.pb-xl-0,.py-xl-0{padding-bottom:0 !important}.pl-xl-0,.px-xl-0{padding-left:0 !important}.p-xl-1{padding:0.25rem !important}.pt-xl-1,.py-xl-1{padding-top:0.25rem 
!important}.pr-xl-1,.px-xl-1{padding-right:0.25rem !important}.pb-xl-1,.py-xl-1{padding-bottom:0.25rem !important}.pl-xl-1,.px-xl-1{padding-left:0.25rem !important}.p-xl-2{padding:0.5rem !important}.pt-xl-2,.py-xl-2{padding-top:0.5rem !important}.pr-xl-2,.px-xl-2{padding-right:0.5rem !important}.pb-xl-2,.py-xl-2{padding-bottom:0.5rem !important}.pl-xl-2,.px-xl-2{padding-left:0.5rem !important}.p-xl-3{padding:1rem !important}.pt-xl-3,.py-xl-3{padding-top:1rem !important}.pr-xl-3,.px-xl-3{padding-right:1rem !important}.pb-xl-3,.py-xl-3{padding-bottom:1rem !important}.pl-xl-3,.px-xl-3{padding-left:1rem !important}.p-xl-4{padding:1.5rem !important}.pt-xl-4,.py-xl-4{padding-top:1.5rem !important}.pr-xl-4,.px-xl-4{padding-right:1.5rem !important}.pb-xl-4,.py-xl-4{padding-bottom:1.5rem !important}.pl-xl-4,.px-xl-4{padding-left:1.5rem !important}.p-xl-5{padding:3rem !important}.pt-xl-5,.py-xl-5{padding-top:3rem !important}.pr-xl-5,.px-xl-5{padding-right:3rem !important}.pb-xl-5,.py-xl-5{padding-bottom:3rem !important}.pl-xl-5,.px-xl-5{padding-left:3rem !important}.m-xl-n1{margin:-0.25rem !important}.mt-xl-n1,.my-xl-n1{margin-top:-0.25rem !important}.mr-xl-n1,.mx-xl-n1{margin-right:-0.25rem !important}.mb-xl-n1,.my-xl-n1{margin-bottom:-0.25rem !important}.ml-xl-n1,.mx-xl-n1{margin-left:-0.25rem !important}.m-xl-n2{margin:-0.5rem !important}.mt-xl-n2,.my-xl-n2{margin-top:-0.5rem !important}.mr-xl-n2,.mx-xl-n2{margin-right:-0.5rem !important}.mb-xl-n2,.my-xl-n2{margin-bottom:-0.5rem !important}.ml-xl-n2,.mx-xl-n2{margin-left:-0.5rem !important}.m-xl-n3{margin:-1rem !important}.mt-xl-n3,.my-xl-n3{margin-top:-1rem !important}.mr-xl-n3,.mx-xl-n3{margin-right:-1rem !important}.mb-xl-n3,.my-xl-n3{margin-bottom:-1rem !important}.ml-xl-n3,.mx-xl-n3{margin-left:-1rem !important}.m-xl-n4{margin:-1.5rem !important}.mt-xl-n4,.my-xl-n4{margin-top:-1.5rem !important}.mr-xl-n4,.mx-xl-n4{margin-right:-1.5rem !important}.mb-xl-n4,.my-xl-n4{margin-bottom:-1.5rem 
!important}.ml-xl-n4,.mx-xl-n4{margin-left:-1.5rem !important}.m-xl-n5{margin:-3rem !important}.mt-xl-n5,.my-xl-n5{margin-top:-3rem !important}.mr-xl-n5,.mx-xl-n5{margin-right:-3rem !important}.mb-xl-n5,.my-xl-n5{margin-bottom:-3rem !important}.ml-xl-n5,.mx-xl-n5{margin-left:-3rem !important}.m-xl-auto{margin:auto !important}.mt-xl-auto,.my-xl-auto{margin-top:auto !important}.mr-xl-auto,.mx-xl-auto{margin-right:auto !important}.mb-xl-auto,.my-xl-auto{margin-bottom:auto !important}.ml-xl-auto,.mx-xl-auto{margin-left:auto !important}}.text-monospace{font-family:SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace !important}.text-justify{text-align:justify !important}.text-wrap{white-space:normal !important}.text-nowrap{white-space:nowrap !important}.text-truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.text-left{text-align:left !important}.text-right{text-align:right !important}.text-center{text-align:center !important}@media (min-width: 576px){.text-sm-left{text-align:left !important}.text-sm-right{text-align:right !important}.text-sm-center{text-align:center !important}}@media (min-width: 768px){.text-md-left{text-align:left !important}.text-md-right{text-align:right !important}.text-md-center{text-align:center !important}}@media (min-width: 992px){.text-lg-left{text-align:left !important}.text-lg-right{text-align:right !important}.text-lg-center{text-align:center !important}}@media (min-width: 1200px){.text-xl-left{text-align:left !important}.text-xl-right{text-align:right !important}.text-xl-center{text-align:center !important}}.text-lowercase{text-transform:lowercase !important}.text-uppercase{text-transform:uppercase !important}.text-capitalize{text-transform:capitalize !important}.font-weight-light{font-weight:300 !important}.font-weight-lighter{font-weight:lighter !important}.font-weight-normal{font-weight:400 !important}.font-weight-bold{font-weight:700 !important}.font-weight-bolder{font-weight:bolder 
!important}.font-italic{font-style:italic !important}.text-white{color:#fff !important}.text-primary{color:#3A3F44 !important}a.text-primary:hover,a.text-primary:focus{color:#17191b !important}.text-secondary{color:#7A8288 !important}a.text-secondary:hover,a.text-secondary:focus{color:#565b60 !important}.text-success{color:#62c462 !important}a.text-success:hover,a.text-success:focus{color:#3b9e3b !important}.text-info{color:#5bc0de !important}a.text-info:hover,a.text-info:focus{color:#28a1c5 !important}.text-warning{color:#f89406 !important}a.text-warning:hover,a.text-warning:focus{color:#ad6704 !important}.text-danger{color:#ee5f5b !important}a.text-danger:hover,a.text-danger:focus{color:#e51d18 !important}.text-light{color:#e9ecef !important}a.text-light:hover,a.text-light:focus{color:#bdc6cf !important}.text-dark{color:#272B30 !important}a.text-dark:hover,a.text-dark:focus{color:#050506 !important}.text-body{color:#aaa !important}.text-muted{color:#7A8288 !important}.text-black-50{color:rgba(0,0,0,0.5) !important}.text-white-50{color:rgba(255,255,255,0.5) !important}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.text-decoration-none{text-decoration:none !important}.text-break{word-break:break-word !important;overflow-wrap:break-word !important}.text-reset{color:inherit !important}.visible{visibility:visible !important}.invisible{visibility:hidden !important}@media print{*,*::before,*::after{text-shadow:none !important;-webkit-box-shadow:none !important;box-shadow:none !important}a:not(.btn){text-decoration:underline}abbr[title]::after{content:" (" attr(title) ")"}pre{white-space:pre-wrap !important}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}@page{size:a3}body{min-width:992px !important}.container{min-width:992px !important}.navbar{display:none}.badge{border:1px solid 
#000}.table{border-collapse:collapse !important}.table td,.table th{background-color:#fff !important}.table-bordered th,.table-bordered td{border:1px solid #dee2e6 !important}.table-dark{color:inherit}.table-dark th,.table-dark td,.table-dark thead th,.table-dark tbody+tbody{border-color:rgba(0,0,0,0.6)}.table .thead-dark th{color:inherit;border-color:rgba(0,0,0,0.6)}}.navbar{border:1px solid rgba(0,0,0,0.6);text-shadow:1px 1px 1px rgba(0,0,0,0.3)}.navbar .container{padding:0}.navbar .navbar-toggler{border-color:rgba(0,0,0,0.6)}.navbar-fixed-top{border-width:0 0 1px 0}.navbar-fixed-bottom{border-width:1px 0 0 0}.navbar .nav-link{padding:1rem;border-left:1px solid rgba(255,255,255,0.1);border-right:1px solid rgba(0,0,0,0.2)}.navbar .nav-link:hover,.navbar .nav-link:focus{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;border-left:1px solid rgba(0,0,0,0.2)}.navbar-brand{padding:0.75rem 1rem calc(54px - 0.75rem - 30px);margin-right:0;border-right:1px solid rgba(0,0,0,0.2)}.navbar .nav-item.active .nav-link{background-color:rgba(0,0,0,0.3);border-left:1px solid rgba(0,0,0,0.2)}.navbar-nav .nav-item+.nav-item{margin-left:0}.navbar.bg-light{text-shadow:1px 1px 1px rgba(0,0,0,0.1)}.navbar.bg-light .nav-link:hover,.navbar.bg-light .nav-link:focus{background-image:-webkit-gradient(linear, left top, left bottom, from(#4e5458), color-stop(40%, #565b60), to(#5b6165));background-image:linear-gradient(#4e5458, #565b60 40%, #5b6165);background-repeat:no-repeat;-webkit-filter:none;filter:none;border-left:1px solid rgba(0,0,0,0.2)}@media (max-width: 576px){.navbar-expand-sm .navbar-brand,.navbar-expand-sm .nav-link{border:none !important}}@media (max-width: 768px){.navbar-expand-md .navbar-brand,.navbar-expand-md .nav-link{border:none !important}}@media (max-width: 992px){.navbar-expand-lg 
.navbar-brand,.navbar-expand-lg .nav-link{border:none !important}}.btn{border-color:rgba(0,0,0,0.6);text-shadow:1px 1px 1px rgba(0,0,0,0.3)}.btn:not([disabled]):not(.disabled).active,.btn.disabled{border-color:rgba(0,0,0,0.6);-webkit-box-shadow:none;box-shadow:none}.btn:hover,.btn:focus,.btn:not([disabled]):not(.disabled):active,.btn:not([disabled]):not(.disabled):active:hover,.btn:not([disabled]):not(.disabled).active:hover{border-color:rgba(0,0,0,0.6)}.btn-primary{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-primary:not([disabled]):not(.disabled):hover,.btn-primary:not([disabled]):not(.disabled):focus,.btn-primary:not([disabled]):not(.disabled):active:hover,.btn-primary:not([disabled]):not(.disabled).active:hover{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-secondary{background-image:-webkit-gradient(linear, left top, left bottom, from(#8a9196), color-stop(60%, #7A8288), to(#70787d));background-image:linear-gradient(#8a9196, #7A8288 60%, #70787d);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-secondary:not([disabled]):not(.disabled):hover,.btn-secondary:not([disabled]):not(.disabled):focus,.btn-secondary:not([disabled]):not(.disabled):active,.btn-secondary:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#4e5458), color-stop(40%, #565b60), to(#5b6165));background-image:linear-gradient(#4e5458, #565b60 40%, #5b6165);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-success{background-image:-webkit-gradient(linear, left top, left bottom, from(#78cc78), color-stop(60%, 
#62c462), to(#53be53));background-image:linear-gradient(#78cc78, #62c462 60%, #53be53);background-repeat:no-repeat;-webkit-filter:none;filter:none;color:#fff}.btn-success:not([disabled]):not(.disabled):hover,.btn-success:not([disabled]):not(.disabled):focus,.btn-success:not([disabled]):not(.disabled):active,.btn-success:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#379337), color-stop(40%, #3b9e3b), to(#3ea63e));background-image:linear-gradient(#379337, #3b9e3b 40%, #3ea63e);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-info{background-image:-webkit-gradient(linear, left top, left bottom, from(#74cae3), color-stop(60%, #5bc0de), to(#4ab9db));background-image:linear-gradient(#74cae3, #5bc0de 60%, #4ab9db);background-repeat:no-repeat;-webkit-filter:none;filter:none;color:#fff}.btn-info:not([disabled]):not(.disabled):hover,.btn-info:not([disabled]):not(.disabled):focus,.btn-info:not([disabled]):not(.disabled):active,.btn-info:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#2596b8), color-stop(40%, #28a1c5), to(#29a8cd));background-image:linear-gradient(#2596b8, #28a1c5 40%, #29a8cd);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-warning{background-image:-webkit-gradient(linear, left top, left bottom, from(#faa123), color-stop(60%, #f89406), to(#e48806));background-image:linear-gradient(#faa123, #f89406 60%, #e48806);background-repeat:no-repeat;-webkit-filter:none;filter:none;color:#fff}.btn-warning:not([disabled]):not(.disabled):hover,.btn-warning:not([disabled]):not(.disabled):focus,.btn-warning:not([disabled]):not(.disabled):active,.btn-warning:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#9e5f04), color-stop(40%, #ad6704), to(#b76d04));background-image:linear-gradient(#9e5f04, #ad6704 40%, 
#b76d04);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-danger{background-image:-webkit-gradient(linear, left top, left bottom, from(#f17a77), color-stop(60%, #ee5f5b), to(#ec4d49));background-image:linear-gradient(#f17a77, #ee5f5b 60%, #ec4d49);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-danger:not([disabled]):not(.disabled):hover,.btn-danger:not([disabled]):not(.disabled):focus,.btn-danger:not([disabled]):not(.disabled):active,.btn-danger:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#d71c16), color-stop(40%, #e51d18), to(#e8241f));background-image:linear-gradient(#d71c16, #e51d18 40%, #e8241f);background-repeat:no-repeat;-webkit-filter:none;filter:none}.btn-link,.btn-link:hover{border-color:transparent}.btn-group .btn.active,.btn-group-vertical .btn.active{border-color:rgba(0,0,0,0.6)}h1,h2,h3,h4,h5,h6{text-shadow:-1px -1px 0 rgba(0,0,0,0.3)}.table-primary,.table-secondary,.table-success,.table-info,.table-warning,.table-danger{color:#fff}.table-primary,.table-primary>th,.table-primary>td{background-color:#3A3F44}.table-secondary,.table-secondary>th,.table-secondary>td{background-color:#7A8288}.table-light,.table-light>th,.table-light>td{background-color:#e9ecef}.table-dark,.table-dark>th,.table-dark>td{background-color:#272B30}.table-success,.table-success>th,.table-success>td{background-color:#62c462}.table-info,.table-info>th,.table-info>td{background-color:#5bc0de}.table-danger,.table-danger>th,.table-danger>td{background-color:#ee5f5b}.table-warning,.table-warning>th,.table-warning>td{background-color:#f89406}.table-active,.table-active>th,.table-active>td{background-color:rgba(255,255,255,0.075)}.table-hover .table-primary:hover,.table-hover .table-primary:hover>th,.table-hover .table-primary:hover>td{background-color:#2e3236}.table-hover .table-secondary:hover,.table-hover .table-secondary:hover>th,.table-hover 
.table-secondary:hover>td{background-color:#6e757b}.table-hover .table-light:hover,.table-hover .table-light:hover>th,.table-hover .table-light:hover>td{background-color:#dadfe4}.table-hover .table-dark:hover,.table-hover .table-dark:hover>th,.table-hover .table-dark:hover>td{background-color:#1c1e22}.table-hover .table-success:hover,.table-hover .table-success:hover>th,.table-hover .table-success:hover>td{background-color:#4fbd4f}.table-hover .table-info:hover,.table-hover .table-info:hover>th,.table-hover .table-info:hover>td{background-color:#46b8da}.table-hover .table-danger:hover,.table-hover .table-danger:hover>th,.table-hover .table-danger:hover>td{background-color:#ec4844}.table-hover .table-warning:hover,.table-hover .table-warning:hover>th,.table-hover .table-warning:hover>td{background-color:#df8505}.table-hover .table-active:hover,.table-hover .table-active:hover>th,.table-hover .table-active:hover>td{background-color:rgba(255,255,255,0.075)}legend{color:#fff}.input-group-addon{background-image:-webkit-gradient(linear, left top, left bottom, from(#8a9196), color-stop(60%, #7A8288), to(#70787d));background-image:linear-gradient(#8a9196, #7A8288 60%, #70787d);background-repeat:no-repeat;-webkit-filter:none;filter:none;text-shadow:1px 1px 1px rgba(0,0,0,0.3);color:#fff}.nav-tabs .nav-link{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;border:1px solid rgba(0,0,0,0.6)}.nav-tabs .nav-link:not([disabled]):not(.disabled):hover,.nav-tabs .nav-link:not([disabled]):not(.disabled):focus,.nav-tabs .nav-link:not([disabled]):not(.disabled):active,.nav-tabs .nav-link:not([disabled]):not(.disabled).active{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, 
#313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.nav-tabs .nav-link.disabled{border:1px solid rgba(0,0,0,0.6)}.nav-tabs .nav-link,.nav-tabs .nav-link:hover{color:#fff}.nav-pills .nav-link{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none;border:1px solid rgba(0,0,0,0.6);text-shadow:1px 1px 1px rgba(0,0,0,0.3);color:#fff}.nav-pills .nav-link:hover{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;border:1px solid rgba(0,0,0,0.6)}.nav-pills .nav-link.active,.nav-pills .nav-link:hover{background-color:transparent;background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;border:1px solid rgba(0,0,0,0.6)}.nav-pills .nav-link.disabled,.nav-pills .nav-link.disabled:hover{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none;color:#7A8288}.pagination .page-link{text-shadow:1px 1px 1px rgba(0,0,0,0.3);background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.pagination .page-link:hover{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), 
to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none;text-decoration:none}.pagination .page-item.active .page-link{background-image:-webkit-gradient(linear, left top, left bottom, from(#101112), color-stop(40%, #17191b), to(#1b1e20));background-image:linear-gradient(#101112, #17191b 40%, #1b1e20);background-repeat:no-repeat;-webkit-filter:none;filter:none}.pagination .page-item.disabled .page-link{background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.breadcrumb{border:1px solid rgba(0,0,0,0.6);text-shadow:1px 1px 1px rgba(0,0,0,0.3);background-color:transparent;background-image:-webkit-gradient(linear, left top, left bottom, from(#484e55), color-stop(60%, #3A3F44), to(#313539));background-image:linear-gradient(#484e55, #3A3F44 60%, #313539);background-repeat:no-repeat;-webkit-filter:none;filter:none}.breadcrumb a,.breadcrumb a:hover{color:#fff}.alert .close{color:#000;text-decoration:none}.alert{border:none;color:#fff}.alert a,.alert .alert-link{color:#fff;text-decoration:underline}.alert-primary{background-color:#3A3F44}.alert-secondary{background-color:#7A8288}.alert-success{background-color:#62c462}.alert-info{background-color:#5bc0de}.alert-warning{background-color:#f89406}.alert-danger{background-color:#ee5f5b}.alert-light{background-color:#e9ecef}.alert-dark{background-color:#272B30}.alert-light,.alert-light a:not(.btn),.alert-light .alert-link{color:#272B30}.badge-success,.badge-warning,.badge-info{color:#fff}.jumbotron{border:1px solid rgba(0,0,0,0.6)}.list-group-item:hover{background-color:#1c1e22} diff --git a/file-upload/jquery-file-upload/index.html b/file-upload/jquery-file-upload/index.html deleted file mode 100644 index f77ea8b5b..000000000 
--- a/file-upload/jquery-file-upload/index.html +++ /dev/null @@ -1,215 +0,0 @@ - - - - - - - -%SITE_NAME% - - - - - - - - - - - - - - - - - - - -
- %SITE_NAME% -
-
-

%SITE_NAME%

-
-
-
-
- -
- -
-
- - - - Add files... - - - -    - - - -
- -
- -
-
-
- -
 
-
-
-
-
-
- Tags: -
-
- -
- -
- -
-
-
-
- - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/file-upload/jquery-file-upload/index.php b/file-upload/jquery-file-upload/index.php deleted file mode 100644 index b2a0f7494..000000000 --- a/file-upload/jquery-file-upload/index.php +++ /dev/null 
@@ -1,23 +0,0 @@ - 'handle_file_post',
+ 'BASE64_ENCODED_FILE_OBJECTS' => 'handle_base64_encoded_file_post',
+ 'TRANSFER_IDS' => 'handle_transfer_ids_post'
+]);
+
+function console_log($data, $add_script_tags = false) {
+ $command = 'console.log('. json_encode($data, JSON_HEX_TAG).');';
+ if ($add_script_tags) {
+ $command = '';
+ }
+ echo $command;
+}
+
+function sanitize_tagged_filename($filename) {
+ $info = pathinfo($filename);
+ $name = sanitize_tagged_filename_part($info['filename']);
+ $extension = sanitize_tagged_filename_part($info['extension']);
+ return (strlen($name) > 0 ? $name : '_') . '.' . $extension;
+}
+
+function sanitize_tagged_filename_part($str) {
+ return preg_replace("/[^a-zA-Z0-9\s_\(\)\.,-]/", "", $str);
+}
+
+function move_temp_file_prefixed($file, $path, $prefix) {
+ move_uploaded_file($file['tmp_name'], $path . DIRECTORY_SEPARATOR . sanitize_tagged_filename($prefix . $file['name']));
+}
+
+function move_file_prefixed($file, $path, $prefix) {
+ if (is_uploaded_file($file['tmp_name'])) {
+ return move_temp_file_prefixed($file, $path, $prefix);
+ }
+ return rename($file['tmp_name'], $path . DIRECTORY_SEPARATOR . sanitize_tagged_filename($prefix . $file['name']));
+}
+
+
+function handle_file_post($files) {
+
+ foreach($files as $file) {
+ FilePond\move_file($file, UPLOAD_DIR);
+ }
+
+}
+
+function handle_base64_encoded_file_post($files) {
+
+ foreach ($files as $file) {
+
+ // Suppress error messages, we'll assume these file objects are valid
+ /* Expected format:
+ {
+ "id": "iuhv2cpsu",
+ "name": "picture.jpg",
+ "type": "image/jpeg",
+ "size": 20636,
+ "metadata" : {...}
+ "data": "/9j/4AAQSkZJRgABAQEASABIAA..."
+ }
+ */
+ $file = @json_decode($file);
+ if (!is_object($file)) continue;
+
+ FilePond\write_file(
+ UPLOAD_DIR,
+ base64_decode($file->data),
+ FilePond\sanitize_filename($file->name)
+ );
+ }
+
+}
+
+function handle_transfer_ids_post($ids) {
+
+ foreach ($ids as $id) {
+
+ $transfer = FilePond\get_transfer(TRANSFER_DIR, $id);
+ if (!$transfer) continue;
+
+ $new_name_prefix = '';
+ if (isset($_POST["tags"]) && (strlen($_POST["tags"]) > 0)) {
+ $new_name_prefix = $_POST["tags"] . ",USERTAG,";
+ }
+
+ $files = $transfer->getFiles(defined('TRANSFER_PROCESSOR') ? TRANSFER_PROCESSOR : null);
+ if($files != null){
+ foreach($files as $file) {
+ move_file_prefixed($file, UPLOAD_DIR, $new_name_prefix);
+ }
+ }
+
+ FilePond\remove_transfer_directory(TRANSFER_DIR, $id);
+ }
+
+ $return_to = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/upload';
+ header("Location: ". $return_to);
+}
\ No newline at end of file
diff --git a/file-upload/site/index.html b/file-upload/site/index.html
new file mode 100644
index 000000000..6e916079b
--- /dev/null
+++ b/file-upload/site/index.html
@@ -0,0 +1,138 @@
+ + + + + + + File Upload + + + + + +
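Review bot: `sanitize_tagged_filename` indexes `$info['extension']` unconditionally, but `pathinfo()` only sets that key when the name contains a dot, so an upload without an extension triggers an undefined-index warning and is stored with a trailing `.`; `$extension = sanitize_tagged_filename_part($info['extension'] ?? '');` plus appending `'.' . $extension` only when it is non-empty would cover it. At the end of `handle_transfer_ids_post` the `Location` header is built from the client-supplied `Referer`, so the redirect target is not under the server's control; `header("Location: /upload");` or a same-host check on the parsed value keeps it on this site. `move_temp_file_prefixed` also discards the result of `move_uploaded_file` (it needs `return move_uploaded_file(...)`), so a failed move is invisible to `move_file_prefixed` and its caller. The opening lines of this new file are missing from the page, so the request dispatch above these functions is not covered by this note.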
+ + +
+ + + +
+ + + + + + + + + + + +
\ No newline at end of file
diff --git a/file-upload/supervisord.conf b/file-upload/supervisord.conf
index 25e2322c6..89e2b32ee 100644
--- a/file-upload/supervisord.conf
+++ b/file-upload/supervisord.conf
@@ -38,3 +38,13 @@ killasgroup=true
 stdout_logfile=/dev/fd/1
 stdout_logfile_maxbytes=0
 redirect_stderr=true
+
+[program:cron]
+autorestart=true
+command=/usr/local/bin/supercronic -json "%(ENV_SUPERCRONIC_CRONTAB)s"
+user=%(ENV_PUSER)s
+stopasgroup=true
+killasgroup=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml
index 3fa05500c..257437cd2 100644
--- a/kubernetes/05-upload.yml
+++ b/kubernetes/05-upload.yml
@@ -52,8 +52,6 @@ spec:
 name: ssl-env
 - secretRef:
 name: auth-env
- - configMapRef:
- name: upload-env
 env:
 - name: VIRTUAL_HOST
 value: "upload.malcolm.local"
@@ -84,7 +82,7 @@ spec:
 name: process-env
 env:
 - name: PUSER_MKDIR
- value: "/data/pcap:upload"
+ value: "/data/pcap:upload/tmp,upload/variants"
 volumeMounts:
 - name: upload-pcap-volume
 mountPath: "/data/pcap"
diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh
index 8b21afeda..849d8b12a 100755
--- a/malcolm-iso/build.sh
+++ b/malcolm-iso/build.sh
@@ -109,19 +109,20 @@ if [ -d "$WORKDIR" ]; then
 mkdir -p "$MALCOLM_DEST_DIR/opensearch-backup/"
 mkdir -p "$MALCOLM_DEST_DIR/opensearch/nodes/"
 mkdir -p "$MALCOLM_DEST_DIR/pcap/processed/"
- mkdir -p "$MALCOLM_DEST_DIR/pcap/upload/"
+ mkdir -p "$MALCOLM_DEST_DIR/pcap/upload/tmp/"
+ mkdir -p "$MALCOLM_DEST_DIR/pcap/upload/variants/"
 mkdir -p "$MALCOLM_DEST_DIR/scripts/"
- mkdir -p "$MALCOLM_DEST_DIR/suricata-logs/live"
+ mkdir -p "$MALCOLM_DEST_DIR/suricata-logs/live/"
 mkdir -p "$MALCOLM_DEST_DIR/suricata/rules/"
 mkdir -p "$MALCOLM_DEST_DIR/yara/rules/"
 mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/current/"
- mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/extract_files/preserved"
- mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/extract_files/quarantine"
+ mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/extract_files/preserved/"
+ mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/extract_files/quarantine/"
 mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/live/"
 mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/processed/"
 mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/upload/"
- mkdir -p "$MALCOLM_DEST_DIR/zeek/intel/MISP"
- mkdir -p "$MALCOLM_DEST_DIR/zeek/intel/STIX"
+ mkdir -p "$MALCOLM_DEST_DIR/zeek/intel/MISP/"
+ mkdir -p "$MALCOLM_DEST_DIR/zeek/intel/STIX/"
 cp ./docker-compose-standalone.yml "$MALCOLM_DEST_DIR/docker-compose.yml"
 cp ./net-map.json "$MALCOLM_DEST_DIR/"
 cp ./scripts/install.py "$MALCOLM_DEST_DIR/scripts/"
diff --git a/pcap/upload/tmp/.gitignore b/pcap/upload/tmp/.gitignore
new file mode 100644
index 000000000..a5baada18
--- /dev/null
+++ b/pcap/upload/tmp/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+
diff --git a/pcap/upload/variants/.gitignore b/pcap/upload/variants/.gitignore
new file mode 100644
index 000000000..a5baada18
--- /dev/null
+++ b/pcap/upload/variants/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+
diff --git a/scripts/control.py b/scripts/control.py
index 73401cbc5..4e404dfbf 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -827,7 +827,7 @@ def stop(wipe=False):
 BoundPath("opensearch", "/usr/share/opensearch/data", True, ["nodes"], None),
 BoundPath("pcap-monitor", "/pcap", True, ["processed", "upload"], None),
 BoundPath("suricata", "/var/log/suricata", True, None, ["."]),
- BoundPath("upload", "/var/www/upload/server/php/chroot/files", True, None, None),
+ BoundPath("upload", "/var/www/upload/server/php/chroot/files", True, ["tmp", "variants"], None),
 BoundPath("zeek", "/zeek/extract_files", True, None, None),
 BoundPath("zeek", "/zeek/upload", True, None, None),
 BoundPath("zeek-live", "/zeek/live", True, ["spool"], None),
@@ -973,7 +973,7 @@ def start():
 BoundPath("opensearch", "/opt/opensearch/backup", False, None, None),
 BoundPath("pcap-monitor", "/pcap", False, ["processed", "upload"], None),
 BoundPath("suricata", "/var/log/suricata", False, ["live"], None),
- BoundPath("upload", "/var/www/upload/server/php/chroot/files", False, None, None),
+ BoundPath("upload", "/var/www/upload/server/php/chroot/files", False, ["tmp", "variants"], None),
 BoundPath("zeek", "/zeek/extract_files", False, None, None),
 BoundPath("zeek", "/zeek/upload", False, None, None),
 BoundPath("zeek", "/opt/zeek/share/zeek/site/intel", False, ["MISP", "STIX"], None),
diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh
index f6812c517..beab9b8cc 100755
--- a/scripts/malcolm_appliance_packager.sh
+++ b/scripts/malcolm_appliance_packager.sh
@@ -76,20 +76,21 @@ if mkdir "$DESTDIR"; then mkdir $VERBOSE -p "$DESTDIR/opensearch-backup/" mkdir $VERBOSE -p "$DESTDIR/opensearch/nodes/" mkdir $VERBOSE -p "$DESTDIR/pcap/processed/" - mkdir $VERBOSE -p "$DESTDIR/pcap/upload/" + mkdir $VERBOSE -p "$DESTDIR/pcap/upload/tmp/" + mkdir $VERBOSE -p "$DESTDIR/pcap/upload/variants/" mkdir $VERBOSE -p "$DESTDIR/config/" mkdir $VERBOSE -p "$DESTDIR/scripts/" - mkdir $VERBOSE -p "$DESTDIR/suricata-logs/live" + mkdir $VERBOSE -p "$DESTDIR/suricata-logs/live/" mkdir $VERBOSE -p "$DESTDIR/suricata/rules/" mkdir $VERBOSE -p "$DESTDIR/yara/rules/" mkdir $VERBOSE -p "$DESTDIR/zeek-logs/current/" - mkdir $VERBOSE -p "$DESTDIR/zeek-logs/extract_files/preserved" - mkdir $VERBOSE -p "$DESTDIR/zeek-logs/extract_files/quarantine" + mkdir $VERBOSE -p "$DESTDIR/zeek-logs/extract_files/preserved/" + mkdir $VERBOSE -p "$DESTDIR/zeek-logs/extract_files/quarantine/" mkdir $VERBOSE -p "$DESTDIR/zeek-logs/live/" mkdir $VERBOSE -p "$DESTDIR/zeek-logs/processed/" mkdir $VERBOSE -p "$DESTDIR/zeek-logs/upload/" - mkdir $VERBOSE -p "$DESTDIR/zeek/intel/MISP" - mkdir $VERBOSE -p "$DESTDIR/zeek/intel/STIX" + mkdir $VERBOSE -p "$DESTDIR/zeek/intel/MISP/" + mkdir $VERBOSE -p "$DESTDIR/zeek/intel/STIX/" cp $VERBOSE ./config/*.example "$DESTDIR/config/" cp $VERBOSE ./docker-compose-standalone.yml "$DESTDIR/docker-compose.yml" From 720b73562aa644f318c7f96766e0b731bc56d04f Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 9 Aug 2023 10:51:26 -0600 Subject: [PATCH 54/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress) --- docker-compose-standalone.yml | 1 - docker-compose.yml | 1 - docs/malcolm-config.md | 2 +- 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml index 8570b85ec..fea9928f5 100644 --- a/docker-compose-standalone.yml +++ b/docker-compose-standalone.yml 
@@ -416,7 +416,6 @@ services:
 - ./config/process.env
 - ./config/ssl.env
 - ./config/auth.env
- - ./config/upload.env
 environment:
 VIRTUAL_HOST : 'upload.malcolm.local'
 depends_on:
diff --git a/docker-compose.yml b/docker-compose.yml
index 5d3612bad..a8e340449 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -467,7 +467,6 @@ services:
 - ./config/process.env
 - ./config/ssl.env
 - ./config/auth.env
- - ./config/upload.env
 environment:
 VIRTUAL_HOST : 'upload.malcolm.local'
 depends_on:
diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
index 77989cd73..a99202165 100644
--- a/docs/malcolm-config.md
+++ b/docs/malcolm-config.md
@@ -67,7 +67,7 @@ Although the configuration script automates many of the following configuration - `SURICATA_ROTATED_PCAP` - if set to `true`, Suricata can analyze PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `SURICATA_AUTO_ANALYZE_PCAP_FILES`); if `SURICATA_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Suricata will see duplicate traffic - `SURICATA_…` - the [`suricata` container entrypoint script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/suricata_config_populate.py) can use **many** more environment variables to tweak [suricata.yaml](https://github.com/OISF/suricata/blob/master/suricata.yaml.in); in that script, `DEFAULT_VARS` defines those variables (albeit without the `SURICATA_` prefix you must add to each for use) Note that for some variables (e.g., something with a sequence like `HOME_NET`) Suricata wants values to be quoted. To accomplish that in the `suricata.env` file, use outer single quotes with inner double quotes, like this: + `SURICATA_HOME_NET='"[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"'` -* **`upload-common.env`** and **`upload.env`** - settings for dealing with PCAP files [uploaded](upload.md#Upload) to Malcolm for analysis +* **`upload-common.env`** - settings for dealing with PCAP files [uploaded](upload.md#Upload) to Malcolm for analysis - `AUTO_TAG` – if set to `true`, Malcolm will automatically create Arkime sessions and Zeek logs with tags based on the filename, as described in [Tagging](upload.md#Tagging) (default `true`) * **`zeek.env`**, **`zeek-secret.env`**, **`zeek-live.env`** and **`zeek-offline.env`** - settings for [Zeek](https://www.zeek.org/index.html) and for scanning [extracted files](file-scanning.md#ZeekFileExtraction) Zeek observes in network traffic - `EXTRACTED_FILE_CAPA_VERBOSE` – if set to `true`, all Capa rule hits will be logged; otherwise (`false`) only [MITRE ATT&CK® 
technique](https://attack.mitre.org/techniques) classifications will be logged From 972ebf730396a3e0c49a160738ba873adfb99649 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 9 Aug 2023 10:57:03 -0600 Subject: [PATCH 55/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress) --- file-upload/docker-entrypoint.sh | 7 ++----- scripts/install.py | 3 ++- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/file-upload/docker-entrypoint.sh b/file-upload/docker-entrypoint.sh index a702ddb2f..79a073871 100755 --- a/file-upload/docker-entrypoint.sh +++ b/file-upload/docker-entrypoint.sh @@ -2,17 +2,14 @@ # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -if [[-z $MALCOLM_USERNAME || -z $MALCOLM_PASSWORD ]] -then +if [[ -z $MALCOLM_USERNAME || -z $MALCOLM_PASSWORD ]]; then echo "Please set the SSH username and (openssl-encrypted then base64-encoded) password by adding the following arguments to docker run/create:" echo " -e MALCOLM_USERNAME='...'" echo " -e MALCOLM_PASSWORD='...'" exit 1 fi -if ! getent passwd "$MALCOLM_USERNAME" >/dev/null -then +if ! getent passwd "$MALCOLM_USERNAME" >/dev/null; then # Make sure every container gets its own SSH host keys the first time around rm -f /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server diff --git a/scripts/install.py b/scripts/install.py index 896d318f9..ef6474a19 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -751,7 +751,8 @@ def tweak_malcolm_runtime( indexDirFull, indexSnapshotDirFull, os.path.join(pcapDirFull, 'processed'), - os.path.join(pcapDirFull, 'upload'), + os.path.join(pcapDirFull, os.path.join('upload', 'tmp')), + os.path.join(pcapDirFull, os.path.join('upload', 'variants')), os.path.join(suricataLogDirFull, 'live'), os.path.join(zeekLogDirFull, 'current'), os.path.join(zeekLogDirFull, 'live'), From a530fc0765b64f00bd6f13b3443a0ffc25789285 Mon Sep 17 00:00:00 2001 
From: Seth Grover
Date: Wed, 9 Aug 2023 11:00:09 -0600
Subject: [PATCH 56/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress)
---
 scripts/build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/build.sh b/scripts/build.sh
index 751bc78b1..e3c5635e3 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -93,7 +93,7 @@ fi
 # we're going to do some validation that some things got pulled/built correctly
 FILES_IN_IMAGES=(
 "/usr/share/filebeat/filebeat.yml;filebeat-oss"
- "/var/www/upload/js/jquery.fileupload.js;file-upload"
+ "/var/www/upload/filepond/dist/filepond.js;file-upload"
 "/opt/freq_server/freq_server.py;freq"
 "/var/www/htadmin/htadmin.php;htadmin"
 "/etc/ip_protocol_name_to_number.yaml;logstash"
From fe2188c5eccdd0fc096c9e7a89fb2882b3c02c10 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 9 Aug 2023 11:18:02 -0600
Subject: [PATCH 57/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress)
---
 Dockerfiles/file-upload.Dockerfile | 2 +-
 file-upload/site/index.html | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile
index e2cc7c501..995afd06a 100644
--- a/Dockerfiles/file-upload.Dockerfile
+++ b/Dockerfiles/file-upload.Dockerfile
@@ -95,7 +95,7 @@ COPY --chmod=755 file-upload/docker-entrypoint.sh /docker-entrypoint.sh
 ADD docs/images/logo/Malcolm_banner.png /var/www/upload/Malcolm_banner.png
 ADD file-upload/nginx/sites-available/default /etc/nginx/sites-available/default
 ADD file-upload/php/php.ini /etc/php/$PHP_VERSION/fpm/php.ini
-ADD file-upload/*.php /var/www/upload/server/php/
+ADD file-upload/php/*.php /var/www/upload/server/php/
 ADD file-upload/site/index.html /var/www/upload/index.html
 ADD file-upload/sshd_config /tmp/sshd_config
 ADD file-upload/supervisord.conf /supervisord.conf
diff --git a/file-upload/site/index.html b/file-upload/site/index.html index 6e916079b..4c447a190 100644 --- a/file-upload/site/index.html +++ b/file-upload/site/index.html @@ -5,8 +5,8 @@ File Upload - - + + + %SITE_NAME% +

Network Traffic Artifact Upload

+

- +
@@ -114,6 +129,7 @@
 tag_limit: 16,
 wrap: true,
 add_on_blur: true,
+ placeholder: 'User-defined tags',
 link: function(name) {
 return false;
 },
From 6daa4c5c720d9a9e45867eb5509067b2524632ac Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 9 Aug 2023 11:41:57 -0600
Subject: [PATCH 60/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress)
---
 docs/README.md | 2 +-
 docs/images/screenshots/malcolm_upload.png | Bin 140465 -> 106654 bytes
 docs/quickstart.md | 4 ++--
 docs/upload.md | 6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/README.md b/docs/README.md
index f391d3e16..cee5df17e 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -41,7 +41,7 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation
 - [Stopping and restarting Malcolm](running.md#StopAndRestart)
 - [Clearing Malcolm's data](running.md#Wipe)
 - [Temporary read-only interface](running.md#ReadOnlyUI)
-* [Capture file and log archive upload](upload.md#Upload)
+* [Network traffic artifact upload](upload.md#Upload)
 - [Tagging](upload.md#Tagging)
 - [Processing uploaded PCAPs with Zeek and Suricata](upload.md#UploadPCAPProcessors)
 * [Live analysis](live-analysis.md#LiveAnalysis)
diff --git a/docs/images/screenshots/malcolm_upload.png b/docs/images/screenshots/malcolm_upload.png index f56b4c79f1f0ddda3949b67de69c9abdbde5c6c5..f71dcbb8b854baa82561fa971687ae22a64eb97f 100644 GIT binary patch literal 106654 zcmZ^~WmsHY(rlm`s~_OwQ8-k!xiMjkrD6^K79CqEGZ$P^x*>($A=FP%WyE@cV=aFcs_g}{vatL zsN$h_>;r3{GuU>ccs4HDOh4)rzq{_mZXo;}N=TCUocd#*`~k&Re}NIQ;Diq!A>i{U zlN7)os2J~rc(v@3s<%nhn^Y{QKK=Z5guYN;*wwL|yfD3b2QdD7+V#zRZ(_pz^kL#N zh#K~{AsQnb4ipju%*Vj*f<43r|NobpEMmkxXn>N7gS2A&|HpTFh;z{xp+eK({%;rf z&-F5I;cxNZUBDYLs|{ZXNdizM zRkVOH*&jc2G_*y*E|wOi|1N${nc(|U!?-)E2MUx3Z3ZBIIoI+7-&9dsJCe`makH!> zTS!GEX`%Y$7b2_F2k-^HoBm4Ksv9O0R#1o=z`{@&$+-n|%DK9-PH^r6Rz3H#3>-wF zesBGROG--G9KyF3Nro!O#B|&HFu6k%+V8(&*MYpB?NyCy{YGFEt2MuPK+aZ4-v9an zTkAf_mV~u$^p@QehEOAHAkY-$gA9RpgpPp`bbgK|A|{f%JoUX$j|qpR7GEd;Qc+Kj zW}*DYP2Q)B=0Bu0J^mp>jMp+UA~}ClT;u^Exgb59BqpJ1OsCFqpsdqGi?ZWE6EhVR ztow!!J1yN3>RnEv*J&H9d6sL6r<~j%ak>}YKf8@z47?=1JRHTAF#a>pAN6gMem-AH z|IT1PYh3KH+TLnEs_w6-={~&4>v+EWbuq7PpV!^37f-c!&JX3X>Go#?T@>_}{pPee zX<(heebsPiS$FgK+8YBuLW-k0dt_`mIB-cj-phe?yWrOpKZS@y6tRnRn1GH=Ym`^u zZ-Sy0g>uB#Cka7lDQN-@U?oP|gQ|pNj5zQODoLFM&J#V%?xGhC)wZX%-*mC_1P(74 z?&JqvD5%x|>&Gw&dHz@6HDTy0q&O)H%dC)FoWoy@eBqj8ZuirH^R50lp1VID7lWT2 z`;pmG_XjY~f1Cf4gaTCW51r-VAiIDBK@cq9;83e>KX{}#==gH8uoL`QPr<&28;E%- z8G66xyI5;z@Lf7Nxa4E?&H6w<{SA0E@M=0Q$1DYJJpy#iA7umuKQc2jE2ydM&1YCn z;KF!K@;%Ypwg093Hed2k=m2xMQJiU0x7gW z@0G!tpbWX_Af6ukfqmiU=H`c>i1a{lO;6-z8~*Ynd}S)iU*?bwjUbX7WC5c)g@Iuh z;|+f$n>D?#f$S|D-pT1NOZt_e9vOqE@enRW1xv4@Sxrgt&+~FS3>2az20D7wNk>FnTi1uH2?=2r z6Sy(jLj@hBujMg7a;jhwHZC}6wLhajj~I=m>_wB9n<$u>u{6DYDXQ}0bSaw?`+(vo z^9$Oj!oG$G&~en)*E2e9i^RgC(C$`u-D+KB-W$dJW<`E4)IF9_@0Dz)_nRy`+&v=1 zIyr}mhJmNF`1Izq^w*oC78hW@?~>^c|C6~w5wB5XBSSb8zqH-z74Y8$9M{`#DqImp z>=3mK&SVHE3<8s_!V*LvT^bfEfSf$x7VdyPwaBY(Xhek8A3&LyrYTN7P26iJY{j7zDMq-F;Rs&nukVo!8x6Uli#*Z^!p zjPD1s@R0l=RiPQC#WBN(lMqm#|Y)~I3e=$V_*#XlB6#S z^&|?=woz|58!!GVFznj02&G$xbhBkJ7a z&dKy_HX2}RY6^iUrh^Tal@L(kw3p%aAK3IJ3a;s|+-$|B;6?`X(H;}fzO$afRMa+BdGMI61YLtKoI*2pz!wO%qAZVTP_-gu4s{N 
zs(fF~(UHl>*jU9iIT?|tZ(z!Bdut2rO7Y@(gjUeRql=Wbw9|pZO0;)Npvl7z>5z!( zl~C~@8!e)U4%J9Ni$0`qc=Qa<;aDRWO|&;G1|j)~g;Z+!1TDZsS&fBROs`Ce(CeG& zAVEMNh3(Gvwu&l)nl=dvIDq$QcBdBq;7U2F_iW~hPO+>I?2$*W?T~aYd6-}hH>#(? z*Xk}B|NR>avvcQT0Qcw1tu|o6M16M4np*}!eJO_`6A~HHR{*#VK!g#vz=LZ98YpE& zB{E;If>XkU@%|*Npe|lS2#u{;Kj?9KlF`Z|3Jv+@@_B*IsGz-gKH-$<_CB3>AcP(< zyHRnH0p@{3=vhoe%-|;C%}8L|DkwDAz}^iz0T@h78DUyf#8Xu&*6KSyJ1fbWqjkKf zOC5nMsVaF$qgp0Z=RHS~$zOAJ!Q33ZJ*5~%30H~4*-nuE)zIK%57jOjmv`cc>+)7RKc%LeV7`=9bQ zUMZ*S`Ft_#ILUi=Zz|cN*uzvbPu;SamW23UJ_(Z z`is=f)0l2Jx^Pxt{>SNBKJo|gs{aR?4LrJJ#roS%d8I%ArR6->)!`FXj>MW*6MM>}b z^B`lYv|Eg(3ngh=rz0@!%h*+FN$ssA({-H3S##rQ>drqSJsSd^%aFl?K~q6*Pn!MH zL#K$S=)+Ks@U(Q$XwP=AeV+XtvV>HWsHSH$)E|=V7WA+={0g)j7m|?JOmYJbZ2WcV zHef)2aFP)^Iy$YX@jj4*11JrYG~os0&oBB(%%U_2=*SQ&B?eQ2TU~Tvp2BEvBQ9Z% zUz0u-A-Yh<>{irY$+738ISn;iYEj1Y=8&knBD=u@yn{-g#q7JoPkIUXq zZHE0Ysu8O8w?1=3+zWFV*WyGzSa)mg`pUov_EBVEhecfYH%{<=cxC!@ZB0DY+Z1R? zM-JcR%)!f^;`74xNM$F~Vy76f3WtiQcJbQ&TLB68YG(&KCvzWoREq&nVLwNmLzeEo zXTa!yZ<|^q65N7}n|3etuno#(2&I@jhDBAMX zzkAy9^M&GL$+?yr6{cbz%tF?wm6=I$xqh-d)aKGy-Ok*bnk2#td!GCbJ1iDH&%0)j4B^a;77(ora zd?*-}x!}+RXLX1B*-)B!b{QN>ae<1eY8${z*r7FOB=bL`Y&*|;o?I&Td@w+>;DoR!kVI0)Jg-bE(MUrB^z|*NeU`zs>Xx)KMlr85lA>8k{qpsba3YFX@pv4 zj~J}j9D1Qg#>Z8mm=;vk!5N}MV&ZH6FDntU$>{t((_64ZbT5Lm z@r#lH&t4bXgJZG6iAX1Qov@!lcinHVPZ#I?s896oV2}`Lg626443}^cq|5=NxuFt1JTPp&Wh8HHQEzRiB_afv* zUixccmZR3D_ggAku~bn7sFQ_{4~cGG#R!zDJ;g1_!=nRGV=gN$hM}OKC>I)geR*Os z9mA@WNjtN)}?0T8rfNUCR8y%!hh{=WHJV zv0P-COM)?eaq~uk(UG?Vb~p$gGwCcu(V>-4&^hE^gt#aShDo;$%;vb@@!ytsQ#v59 zWzPQO{?>J~$A9dqZ=r}-`>0yYo?fRF&3Ru+)PLv1nDLKoprYPNVQD5`Y&JN~Id%E$ zuw6tFpBkG}4rY^}bNGVOc77=;YL=+rF-?(Zw6mejOtx$D5gjV;hKMy%prW{g=1m62 zOoiOFb_3icgYd zCCr|NFZF&t7=s%A%Q3Hl9e0q6N5{-uKbjLbBbJD7t?uWay@fc%;J+(vjgC*YtHQ2k zd~nY_)nFcrLc(4-lX{3*T6=-w=-f(czZCgP^=cNznYfqbYvw}24 zRnG!2c3b~k!B?rO(w-k6jLGS?Fc71IdgE+UV*BW&`L>4s^c_WSdi>=5xo5DzwLP;K z(mdT3?VJjVXKC?Z7V|}u0MOi2w_ThqILf-96R585bCZMy7|0Tw3PUGTL20X4b(DX! 
zBv_e|?9F2zUhVP1`~J84N{b84$=r9z6LIx<=|b(p)Epd&(Kz3?QdjdREv=4wovZVq zrd3^h&Af0+jAO(ZwMKq%xd}tSh&RHH_;5jM&_^HY`dciL%3;9Q~TVrba$^qPON?WD7X*WjcTqu|& zKKi&n5E}AMOU`}*2lo%KZ&=%q4$6X;YiGXd(8gRN7Bq_% z;j0e&zC3p>#2i{HokW~YP|y7WAtq=Q6j<2UGy!2bd5WZv#NE7SOAS=h)6L1q7I&O5CRrkP(e7k6>&l zf$!ZS-kl=$0mOzYe+5w(rrYJIG9dDQ=8uUV%)j6KhD(i*%5}`i{Aq{EPk*Q*wW5{O zpi-=K-tEwJRv#Y4ozd0R&iR{70zWJYpeKfayB0iynV6ebU=d94(uSuF2_H)|Uf^y4 zQ?s+HvoR}}s@Y|lGx&|4@A8C0RWh3GH>zJVU}|-09zrMiatvvmFfcG?0VW;y0IKjM z8*lGt%NDZ^JpL;$@YuU~Eds7?CHt*uYWPsk2p{F)Vp1fc=SPs&G+(p*u{T<~Z|1dI z!8|6n%3vOQ@`9chgPzw3tM*@-DnsMDlL~%Jz&QKTDpZYb$0vR73+VY8{a7$SE*Dr> z3(VMMG9D_m;{2@Zf*yj5KkpLW%y#SDQKic2cCmYdBV%G>(z^0HapLSZ)NqS0(ga57 zbq(?8{gQc38PmQ-;-bTy0V}f62aVGE5?H+w%x^+%q-_hnuN`>s9BcvWc^pxl?$;9PZ&O=tb1(q(I+X2M`{ELPaH&gydnkr<7!F^u%IjQBfH&hC{^t=a5nXggV=C<5Zq6Y5~rnjiOS+c3(tf zrd=_jP_gtAnpbuwp~Us{vJsBg6eVl<*V*~yT4j&l>lIO@UYAx=bYUSk>^_+! zPW8+;^NE3n{hXRGT%SyY`su9O3}-OG=06b%rewG_Qqu`>p|}9xNTHmhPs--G%`Wg; zGjPm7!LrLBd2jf=y-@yj5qC`&WT_}|AghE=YhM24+?r=n&AG804+Y|Hm@)Gs=SYX` zSnd4za=T)c*y(k5irGHLvzuGgW;7^I2X!sF_|`DVhrgij$NQ!G-som$k397CZsYZq zebr?~R(2qf&ilsOSOHA^>bH1(aTNl_!He%>`-eESzSyd$QiVoHcPm zPpF^IyI*yS2@kvfvIaTdblt5h^EW4;kh2ha9WyE1nDbU5ls3-~q-4i`o8-Z~{@#Ax zhp4TCs@<sZKJm9qLO!RM@)fhSGV`&Aaqe%x_O?9xk(ux^D2a&N-P2jy712@L>yR% zjwqy4Hf#J|==h$``-@v9ftf6Z=2VMzmNG5^MO`1RIg@_syUwY$ZiV23e){>f1aPVw zZ%m)D!qBiM%6p;*K8ok*sL;ftlXx7bHMO3vx*$o$3J3DoYkEn=^V}0&%SqWKo;yoG zCqw7FqL|AeW7HR+OevBqW~)ZoS@Mf&{q(o>ohO1vS)-J7IB;FSZU!PxL51o?N)X3U zd!DxKraWhF!mpp zxz?2Y-j*#BZ!+iSZOXaA`jgf5{$A}btg&TW{gZ={?>Tt3n4S&JK_vfMG{DYKwDO#U z*<^MV+p%pK{}yEQJJYmo3ELpR^z#5^2whtF=4R=RY$!qkrUewI6Je&E9g-}VP@q`bL?8HvZ(_Jl1&oZ0 zl)vwfw$I#Z^(ajWnf>;IQXY-~7Bs3!^}!emo6!JKJ2j`#+ACs*2L?QhCF^{UAHRXZ z5+jg-q;Z=Dp4#OjsS~1uL07oOk_+~@I5*#llcA>X8$NB&-xpk02&$O4Zr`9q*>cBj zB|gA9t{_h!P&?KcYIKzWj7#`Sv#U~2CXkEAf`UTGy!0s{=+?zHk~B!VO1I(qmTkM3 zb}Dm5#0PU5lUWGCMd=#geLW?vDsT$ldvV%vM*Dnsx)w=S-3n2mR;4rm_15_3hmpIk z4c}zd5lL5Mw%@B~k)3sP?%WZjvi&`h&v`GbmBrF<3f$+8lj*Dex%Ba??yIb`(lgIT 
zSC@girjyWLneU9Bi_|-(K@&RXGDZxlgY&?!um~_X0Oe^km__Mv|-xi+0^-_JP(7QrbSQrEFcJ}td9}AwYOL3rw zTlTV9;7n_WbAvuMtL-&XDLAuIrPq)>W@|+YD+^EX>vtm0(}ohPh*s<0$`_IkQs0Of z7?3eHgc>YY5|tUmO@7$NA18h&Aw$8yUF&dHze*Q@ecS6oCE)r#SCO)vA6dg8XA}2l zGiS$-pyqpDV>^Sj-rxXwaw+Cdk>3mG#aadkOtW=Y zoie9Kl zcq#j)D$b?6nu?h*j(rORIp&bB@XH0(vdwaal48pCY~`-GXEuXrk52hZ4g4o;@ly5@D#Cd- zW;Da54`crO6Im-R`D@XqWt1E)8)+yaL`Zm3mi2;kY^$n8t=x`P3;Sl-sf;6qeu#4{ z*CHg@%zH;z?B(fDxYKnW$6gagmj?{8y^Q(pcU z((5n=OMUx=PEvLEinBDB6XPpVAoqLTe8AtL^j~gF7IVqp4{(jD?6x=`8T=CT@Q>M_ z#`>ikl9H3RXHW@6B2-qw&Uo=9eWo)e$i7rsIXi6Nag3!HAD_eRCil)_q;%-kv7yq< zV{aWVbuqap@K|ZaiF$Ln?M3zdu|yIWG++T~QiM$6t@QdTbqOJ1{iT`Qp2*55RJ146 z{H<{mjE3%fgNpue4u|GWp1)+Z*pAUzS^ZNZECYWUGcV@9trUvZ}* z+_F0Uy5C?qszvh0{PGGOZvQQFa@+>Rx|iEYuGz#pOV*C@P7O&F*gjgJoufmXkZ?%I z)shp8(}+jmrU!A>^aSJo=}X4pC=#Y`mp`LMQvglCK~x^ zt00z7so3E(;bTd{CJ0|as>Z%;_tUv7Bm2le`cLPUuP0f)S}%P^7CIVE*E90`s;V%r zmp^`%x&agNr<1V(YTE&vFQ|O?xj;5pIh!1%Q>G=8bhkIu4Earw25mX{K&a6} zyOvDOUGAn3^vGy2MOOGGC|e;j6o86%#^z_&DQTyXgW5%?wZHaW{Y^pAN>MwaPCMfK zkMWn|Q`TnU)hku;Ox|ua;FjaY-*NIH$CUHV+;CC7$0u{g3TTRUpa8Wj?7*n7)aqEU zTstG;1g5RN%&1g4JxC@}z7zabS9_7du>2~9?;21U0)pRqIxz4A#7BbE{=k-rE!O?^ za@HY>kVzXL3`>IK0fw_VbQV>ff7R-HKex8H$sUDhwuD;JR{rUef~Md4^+6#cyLpby znEBCm5H>-Lecgjh&vQ4KG8n~gKE78$+qh^yBYD*XG%gUHj0gT@hu2B0bgzLQ!>yB@ zNLX0Vyly{{vF%b`A8j-X$&}ay1wql}_m_D)JnCzpCJQ*N()G*XDi!xRerd=764cXj zq>43~&lqp}qZdiF-yWiuOLbrJk$*ls!dIXvBYWnSdBh|q9|{@wTujuZh=|lsQB^ZO zJ;q9syh*aV*t$2Kl`jK3kmSL47g2RNwa`}8y18qJLLQN|vij|zHD)Qyn8O3#uvgcrwE3QiUjSd`=8 zx|c~KhxP_iILNEY%!^c>mp;sA>U4;KojJ)$8l0!wQ*>1kl86`rjP3%FF!U5!J2Y2O zGNHbFbb`dF%~}slVbXX$i(2S}#EM)8!UpMvE0o~fx8)!{7S6qbsS{hZhwS{gKeX^_D)m>yiBT>?sKi3+~6c~Nem%(T>Y-#}~u zfF{sB#k@3wnXxIyZbwG>!E9@T(Q-hsjc|@wM!Br7u?@8;wRl<+9)*|vxSD_6o3gSv z``JDLCR3Q8irTTs>}bO}P=&9-+s)@;?Svt7-1Q%l4)&d-<1;qZ0yh_JsAXw~TCAdK z2?y|;v~@MfZ!dLWQ8lAg{yTcA*04VbVPHiS`MNmXb517Ma5-?jvpG3CUoy_`d536h zH5&GpjqjP)#+7w|@ZAs3RhRY!pSeF`;+^p><_X%6@EsWLM>ic@y}cJEzI?oDaYE$WmGbf=EQr~DY;`t z8`&~|QO(fJA)W!z@H0{2rpwNQbq1*qJ|DddaOc{>QMftuDDbd 
zm@>>Nff&T zjgYyF404~Ujh9pR`?(rlS0S`Tyi_jUV2X=oo27gt2zl7|7E+nQY`e^YZJ;R$DL;Z- zF($NAG#vHTJb`~=Ii1iVseNZBIcj)^Y^6@Y(KxnsyJD}tOR*wt$Kvf zb}#WfIW`zu+pZZ7qIjj|(E9A&+G__A^)SmW6%$-4Y|U=J1c+ifbigSO z{yZxv(Y&CkDQ>~3DMagRVgBmZk;5~OWzG%v_qVDUM6imlV~S<_mUgqGHl(u%7OxJ- z!S$^m5vlNRh~TCQDM&A%zkHL!2TIq;fA8aj+SC>2I%9zI4 z_fBDYZFxWI#&3cqhmUH0R?muNC*U(c+i{uxKGhO=_9VdgGQT;L#Wa5cnxy3QN%^WD zbARtKhqPdg84efrHe}D_E0TK|7x&4~{Zt|Q~!=0;gkENn6aaHQr}JXVb&6&MF; z7(s3zh3F@%Ma;n=z?kgI3MtqUNDem#=%iAX?CXOVY!FhxN^V+gs`-SCOctNX1|0}< z!w)Z})~wm}Y%Bs@JrG86A!Ij8dj+~gP&B3Ik8<9>6@FDLd&R&do>K}?(Og_5Ynm=5 zE~E(E=Fd43AL{XVuwhS5#~{LwA?S!eo8PfQB4ob2$KiPTyS_ypp5k*uP8nOC5W#Sh zAcPsl&;c~q{+;p1ePZLNfDSx9cHVT(TSu?8t)XK_EzgKmWlozE-DtV($8^KI?I9xA ztBBNl**j;yqk%SbFdEn=)SuxF6bL2Wqk@H+gXput&-zHkk_YTORjz&I zn+FRuIqfLXyj_k5&7gSSp(tEgQ$=0$FI=E}o$NURmo`2>@a&_1)^WzSYr1U-l3uN{ zN6)|%y2g}{msj@#-knyJ3!ejk)p4M)iHV_!EN<1)R=&p1-@hWsb>Q{p1y&JoyHO{j zyZ~5w4b*S)hg1Eofb$nq#zV6R7|7m~m>3u;hd86()SNdL>*=q-isIa4<&F(<$}vp9 zhV`R*pbV3d_7f=$h2B5=_bG+k0eNEifdp4c4Tg;J{Y@o)UqYUrZDamcJOT#~x* z;#N5plELsP3FTXtZCWIx8fsi<=m}a0KCMzJ{L`t3etM_8K5z{tdulM% zW||&ejU?p7lvg-#fd)gw*PBQAnhfjeHkd>zd9?vMYgkEvYR_ks!m$VuAuqW7l+zgu z`0@Qc@Wh}#mn7laJST=hKz|{H;n*7hefa4VNUWKxo{9RbXCOtT-1zUoisg42b2&2i zq4Rw&2*da?OEA!IxYUksh6+x{lZmIZ$uT(A&9?}wN;qLY>}A*k8Gih*PhEqBp(0GTI%d>R{4u{cZ+U=w}| z^BsAaA#eKrk@cYJ)dg|h&7yJa)=A3-pJ5bleAkf+^#rHhkGV803Ioxmp49{f{GS46 zrA0yrK?uEQLD)wXj7Qu*cai$1Yu^0-+*b(+4IpeOl#KNzq;kY5$Lv-(D>_svJrYE0 z;jT^bl2p>*28s;424V||%|>3BVJRhGikt}6pj~u@!7G`FpT;{KudC;0H$+{ZCR}2K zXDb~h(-8WTzU9ip&Y^oF@5)#j9*W03^T35Vjnz6Hp(Ej?ekb|6R!D#%sfmsuI<1!g z3=P*RCWLj4sAca!`bJ4XgHhDjDHfKdkUU>+VTayd_pwiPiv%LW#AM@L6xsj`j@g7hSBFk?2$WrXsNE7}%BX}VUxU<*Y&Dt3zKQtx%YdeN z)~?e|F?(}60n(TzljzUzy~!7FV}Bv9>&0k(WXN2TZFH5XwBIOO^Z=_vs;>CF#gBT` zvwUg=yjib3hpemL-!|S}a+Ew+CgodJ*7uzAE6~8)jl=O`9oTPUOL}}9Cjy2BD;alt70pq%ShfH%L~O{ZcmZo2|Pk+CA(8K%3(P07Dsv1ke|0^cj@P!{UY8 z5yLU^XR)pqHuJ11N4|aSL)?w6Gj@-MdP>gEJ&3Ve%Xhrih)%LaR@hb9F%FFLtAs#I 
z*&`t@Mc)y-QwS0bOijMb1nMa-BEJ&F_6t=W^J|cnG29qYFDoYjwx&lJEO-WU=NK@Pa?9UHCVkAx&P$8+UhvwF+Eo-i3wOOWSR?DM?T>##o7#s zylYYB4ellKfwJqmQBwsf-wE6Ay+m(oY%GqZT$0&ISF;*zeZR`HK^iw_8~SDO zr4yE4>!!SqU28=!l@h2}bX{(aS$~GuHBcV;KCNtQ`@<4i1fTQBIe6c|QAS&#`5`_| zvcQchguxe(g4ji;m4b9~!!2H?tazR-%`&~zX!m5~MIFmZ8AWt@lRn}3eEOs+i4b=0 zED=6C683=!0$I_lkTnLlTY^sMOF)nMw7c*$XiSDs5K7fYQe1!{Nwd_}AqE#Fz=Rep zAVFPgz=?*z3%!-+x>#pR5db*`5*~>u9f4t@!443Hi>{A=Dci&d_-=4<28Z3hes4Ik z8XpMR!8e4geyjdRsCNpFNeEd)OA3e0^iwZ752CWU4)~wX67UbhfAITjyxutDuoo(f z5F~t!UaaR4wklpWo^;`NQZ|v@~?Wvak!v6CinwH^|#xeJ-VnsARW*uiaRXs7_v{AlAkq#Mb zF7N??I=XCUbADb=OZQq^k4s{(8+Ym&`kl?}F^xDUy}252Q0w@ev#<&jGY^(&oVY-nw6@PJAl@UYPz zxnAE38@1o-)5e?KFOeoro7L3A>0G~uU-|-r(q8PpY-PoKZ1K*CR$0Z~s z759P})YP5C9yD%u-wdY@49Z?fhO(733+u=7kc1xW)4d3J)q+d(7is?zN^;!&W>M5v zshF-{ff`?RL;@d^feV)qxADfv&)-qda>BwkZ7Zc+3m{}_JNQAlmyO+&TLh!5!}nxG z6oPsZ<6Bm@okb!eAW%@43Kdo(mUZtC6n0?&^{J{-a2bRjH_xtG)UKkYmRourc8{?e z0V|FJB&U?5)tkP!=2Voc)DE6}eGy*;zA)Z2;L+&g<73kPrBCK?AV+y&?hcLW?e`I} z^On}~ZaAQb8Xr-F5>GW5uo;mWXyjxMcZHY!%T>|nA_g|^b%IQQNAp$X0dbVr#}g|l z6Ehxv8)apQTS=)i^nXe9fG~r~dF8vwGW69;jHan9!S2 zsjQJlMec^)zbf>BKh_h6bw+AF(C^s1ClB7OghEZ!Mq*A#-Sq2xrZ`{*^E=1X=gKKdWQdCOw2t^hm zBDE}?RTu?DTW`En9+=AA!5{N!PFhQ*)&ao61AU2bNG^cXv+2L3(VCADDE5Zs1H3^q z6))9_EHAfK!6q&4pPied-I?m@_;%6T5xeDel`!Da80tYXTY7uEq#rQd{#W9VTT~*Y z&@CmvHTd~LsV?#@hUxE8X$qf65VXP0gojL;a|W|{QC@|s&zTGYN<~B*AG68@YmR+2 zn$5{wdQdG;s7;vo;7CgnM|Wsd+jjOYSCK~9d6gu)Y5l<{wWdTNZSvjW3iHui zhZM1d2Gg1{@V)YXf$FT<1VtN;@}!e8r#6wPF3=##v}rV2#IN{F<4YC`GV%t`>FBKe z@LBjvLr?Q`P!OA4TX!QKAlxFkFMGsp0i3ac<>>M^#Y4Yp#SH>7qaLqTJaBS-D5jzK z1%GtgLAP>x3>8Xf4kM=0X(1Z2R^wy6>G*WgLI)`z{{pp2VBVbdX8>%>#bTPt4is6O zE|Sg|1NnL}n3oT+>%Sr-4h6xdZK35v(|TSJlC0zUAG#CyI0`6HTREPt@_~<82sIUE z4uq8(?+%GYrF&-prTvaI{8f~~)djPLQm^5a)p2IcPkxJBY%MTaSu{!o8jk&1Ms7=dt&gA>mw8?D4iHl3ME8GG>+=J(sZ zA&d<#$twjVrONf<;bCrU=xz>|vc=>`{ozui*B^~4Sb&7SzJdl?j_bzit%}q_6!^|mbA~j?CSVzHVS+nPbC~~D5K}JaX30?i^|SMZ=J4MJuZxj zXlw0kUeY#O56df5Gz~!+zIK0y-$k$+nGR`#zfb24*RY!# 
zRD{FuF%PH)m#J`n;Aud_s?tWr{mJG-3%^hz{a|D{jznyy#GmOQusGw}8UVacZ&)mr zHc3`gb3$x!4!NNMR|VbK5wQl9`W;Xgf;qI9Gg^we90L``uL%J1o22PF+5=PtUm_OB zlNBnl@+y(=e39~ekvY;12hw5*iiGlVsS7Bs+>rr3pM(Kw7Kjb+7k0q%Pc1AWM+qV{ zs=~NRKO>KJH*t);-yQMlDY?yx$*X3rH2S;+>6;pLe~_c3HX^lT9gf3#3YYF&tOEMe zNk>_}U|cd3i!7zxS7jFb6xTq=8ffIUZtgDBBm3HM%&eOCJL^nLU3TGQr-93OD2kGw zoO`k|**j0@H$I_O^|JLp-Z2-u_xY@Cc;R}27(@bhpRl=^p$-F@_i7Y%vS1Bn`|Khv zSHtdIx!xz6!bWR@D3Wy~-}20AJ)ems@<7(x`>H_D-{S9edtCRzrtmXsKH~`N$b$k; zfY}QhD$8k&z)Bns`D`A|uC&>K)U3&?%n3P%+E`Up)l?SC1SLTYy2-|1#Vf4Bl58M? z`>NwG4X$~I@!uuSiN=T`{bvN_;b1bV8lBfQYH|@Qw-dU)(--XR4D>L{qt_drEQj-)#=A@AB!W{vG- z$wny2b;;K$S`#9A?EY!1>qFeg+1c!TaymhwLwOKY+t~$1yFZ42JErLf9+b*6EZ8>2 zWN8ynI3Gk~WVU~b0H%j3NQ*se6Y#+DoD}*@l{WiiuG2%Ay|Rj!bc9rNVW~(&%}7X= zqY*REt3+OLY6DV5O0joq)ZIuM&3bpXAC%BD~_v zEk6Sj9L+z~{}+3I8C7NUt`DP1gLDb9=n|0b?v!qjloF)7k?!sW=`QK+1_6ZQhQPx0JkOl-&g;7F@~_M)`|4GC$My}WSpO$wO25a8|NfaO zH=HApbjQ;h65f35 za79-coQ|nem4YWl?DN=+zg@uN{-6{gIQo+pe4QztK{7R`hQ6c(Sp;WmKUaX)NCa0rP_%|K%Zo>UrY3ap^rSrhk z;{J7rcEEzYX-AU++xFV3|nevCur4ic*+ndo}*} zyEI*HNv8&}TpgCd)!1u(YQJLDs@XG%80Pu_1AqV8a(RkSWwNP2B|XC8?As)sO0yJ# zJ1@Vu{)ztc-COUQUSf`d?FFs6%k!~Lw)*{SjKp3S7{x79dJt#M zm&nC+J5fV*Ur&G+xu^3oMuV5Mz(+;)7i@W&D zcKE;rAK~b~HGnWHB`>P{Nz=|xK)`pS6N7A4*@AMrK(8P*AQ0Z@u)))EMb9tdLM%VJ z1@<4Jw0$%a&|iRHI6e2TFTcZnn=FGQmzMwIS7;bH41o(uSKq#1Tv@G5#LTrH{LGj6 zfxf=JtM1=DMFa!~+v>u~R99{hggQB;#Q`v!pJ)CGr10DaVf|vr9QOyvrkG`t;q@r{ zpA!aq++t49b9#?9E^|Cl{E0!d?J`5C3VQNCe(Uj9s$SK+3u~3gvqV$zL_$J368iif zbP+OC1=$N#h5Mx&45%u@RKuu%d12s5&<7F=1RFUu!|~nr`@gOKZZ@M^aWa%X%jzR) zSYQwyIgpQHhXQeul1a9~o>gp!`{sDpB|tv7d^{*0?Kyi_Zu@Uk|7rS=z)gXQe8vh6 zjVPiw7_C*@-VxT%zrce=+GX3&sQ*u?Gl^TDeZ>muJRiPUmCufA>io7oKPeG}eV*Q& z#+;_+#&Z3&F>*+<88-}X9jf7CzG}&5%!r#Nrt&}2A$F|Zqy^f6T-7n~mIQMYw4HnX zhW(0FM(}7R%;Iy^>-|Sj)sHuk8R{h=RCM%%7aVE>;|GzB64_+b$={n?xCf z(&3)Dd^ICFcC*9ZFpp8qcxWJT(r_!sLdgwVX5=HjsjR$GU&u|yXPa)Z2z(#!a5WV? 
zJ_$+5Y_Xmn#Gk0Oew-Z+GCOM~s(P4<*&0BzT$>r3jnVP2cjpeKedSlV!dvtB1paLX zhz=GNdD;Q1?9L(P-s(j^BJh|+WRR-PBg1yN3`Hi1lTciO*M1_QCb==v(_1||vT3|z z1ubl#X0$imYr|uMeu@g!LB{2Hh)2T2>GF7Y*$@KXuC*Z%vn8dfs+vwX`+5j;l$gCA zT;0O87fkyRGYh-#ZS!tlYQ4LH&u-!A+AlWH;|F&UomvDA*CCff{Fo|{O((3Qi^Rdb zKA_#Y0w8)i?c#j1ycrc28v}sPt8S&E+8(w2o1H|P!Pl(mUJ43z9w;=L$Zar#e64l?V%8$6yy_;@`>S1pi&F|MQIW*K{6s~)3Qmz2$9GJX?Zke}z zDZXg}7p#po`nVl;Cs=rb`>lJ~%$xbNxNdH+^PM)VrQu1RAEXMggcHywO6gb2c_Iis zpzSUdh{Ubsi7cYpBW~uUO74^yvIzTAIH@a2L`Dy+hEw=9Y5#40u`Wd_*x+`*C}x3N z8vn8O(s@UDTnO>t;16BL?=Ho*mij`%VO(IegP)lVdZtSNn175lW8&qNbRjP%r?$eA zrdoGi{$-WoPHPHz=`Bn|#|}u*5Zn#iL~IpbZzg3(Q$xVn)Ie@bCb@29@RzpK7SmXJ|zTv53G?-C>X zzkmNS>~HXGTDuqg`wIy*^Q!+BMWGKevB0ufALFicr}v}$X-Mt4=K(gm74q>L@ua6p zkF8kAgqF#_X?a;tq;D?yYRhD5W^5dyULpndm!|F<#AW8I|2GYcQ%Ydg_>qfKk$M_= z-C2KWry=ncaca!zx)AEQ?^AxVDaX5*Y3$9sNMN1df~HVnd;Jrl=|jfFmUMf2o5ExW zg-XP?_dDI|_@g}l$CON$KiPiqOjT#IS!tu1QRS5h1chU^0ew+e{{!iz|J3jern)K%|J?%WJ2ol&ffiAcFJ$T7e9oO{ ze=^^=>tq8;#!I)sx_;7~k@st3s}<|+i)zMyCxC-)3|!r3_;Eg64D_@$Q1!Ieqx}H* zR@z6cD31u-EDXN8Gsrh9JV6AEp6!u|bfqX(L{zvxo>(tf=evHcR$j)V zjMap+1|zHydp!xD05zr`=g&RkzWzlCx@9mpMCLnY>lOCL5t*=J%y$%Wl-OmQzopYg z+G$|}kiwIG3krOSjg7UJPq9FPR>mZ{TZLdfk(P9K&AW3AG761!S&Qoa6O2iMP~s>{ zEpn{&HMXkKZ;qB~wN_5}gImS-;t_5{oD+D;H65UGVgrq=5D! 
zqv7IN@lTr&7)fjE%3~*aA7cAI4 zAU85J{ZF~V8pc!3mTi@*xzzUiQr_sVb`Zfef#UKfRlB`NqR}=1K(%NnD`Mi>_@tEd z({eO+1<*$dKU9l-fd0^G{A!XsOV(zJ(hi?(fxdU?uk_9a6a_~LRUhY!GXm3Lq0dAH zH!V(HI{>%_%DTI^kbOE*r8oRkzSAVzn2T6mBphN5KP$y*I;J>R!#kl)b_k@gx)i+6 zuy7#vqg?l&iIlE7t@lru4UH+1DtY{v$uR@wU$ykZlCqE?=rb%vBO1AXypv2h>yJq* zQYOr2+{y5Qezx;m$td0eCux=z#XT*CYom=M>tg>WT%!9}hnL4V(pz86vjV)Fs7g!` z5ri-VX%#mYVz`UQp5k?WMdbsbTD&A&oVgGiDWVC1yllKk8EqNk_ozg)qTCZWozbk= z#%+xLM#pF(nBkL1{`PV$u2B{7Yd1S(f}f|~!^@0{#bQzxIKNF;J9_i1fBasisQ`9{FqUH3bJ%W5!-Mn$B__l@vrbg|Oh&uAJIt6Z?yiCwtM@xFAvh}Zh z_*%8z+AYOY>%p0l0nJx6BSN!ezFYP#siUuA=R+&P5Sr@||mN-ZO=AQu6ZFO0?~sxAshr z;`d)p^(t;X_8gjojTu-S(v}uK++lSaUb5!;^=hyDoc+;&3Ar%I5ft^nL96_`|MvvY zREtZ!@%;R4o}mpWxsD3S_LaLRYFnVXr!Hj6?}bW}JzucBvgsKSN4@pm*AT?o@jQb9 zVGM86Af&jTW2UJkQr&_O|E=5pBKxY3@V!-`XJ|^L-}T25qA@13pzYeXvn`Tbq1k|| zp6c_ROr$9ORt}Q#t4?JGb%aphzspC2?X%zin+r+8#vUn98AKB`2&G9pe0xWA~-v zRzwG$G?%XA#E&JCHAw_V7~sPD89Q#s_Fm`C;-@`)K}7wk_ynLD{y}-ab9A0L&*Ppi ziUirEEtcG8D*VmVNer|W^xEC)xiSB3XULmMN-Gm^Wk z?WjPa^on^OdEmgQdBn%xG)rw(b^#HyN4T`q@-1UzkRg}DU-1#6UKz|7zMle|o@F+f z$(6rl-OXTNVAg;7en{AA^ZStiqtm+-DbyhcYY5-c_QMGBpdx<=-G$oJe4W}}Do ze5Wm`#18Z6NDe&rIn8HLv+{OS_wz5T(DC8xotll`fAI1^i~{T`JfJd@t?=7AZ>^d$ zXy?NVc;OmA7kjVq(s=>7fgh@pQ#mT6$rr+E8WE?y zuUA6W62n@clkJ^}(8P3&CG|(aC95jEB_KQ%5wJFiPCQ7yQB-(p1Lq0q7*v%_8%W7EJr97h;`Lnt zwyYS!>s&6!h(!l?)QIY713JRh?h%3*5H|S&!8a)6tu20=pY#JP)$ogRa=JLEv@iR( zy@3YhH;KHg0tQ!eyZx9^u9*+GUbmR2C)v?%4se^AN|`YT-65FqQ&qUcT_J}2eJ5lh z50vlJN{0^U|8X6*@ix=4r$(GE3hE)XoV z@9&TamkCU8>ZSGx!*@aiTuNj*1`!A=^Az2Cs zSF~J!I>vpq6aONXxbF`jSU?wqg&rsg(L+^o_E2;F(S?Pt%HbRUl++*=!7X-229K}i zlo5KXsvOD%9PKN$39PRGMKSYakW+C~jwXw-*Pw zm?}Mri1ScfL}y#e8_wl3WcMq}W|#^fRF#S`F$oU8!_gS^3qQB=<*BwzXr^bqgYgU! 
zlEi?tKubnJlzf+_@+7Tb>ndO^J^hDOQ3~7V5igv+DcElVDsXVct5pyLZVVl~19%v7 zTH-wmdrf{W&B7Q9JgbzwgSw7~cKK}As|7Q=C96i7M8rf&XN2?#S=+r=sV1L0Z+8ej zZAV{nnZqK_;7Iw!{yaQ_|M&fD1Ff?YRzpASn}uXbz8}m-3mE}Fv3+(6F$Hm3gz>OU z?oDQsyFet&LRY4}tu}`uo-lqsf~`AL5=l(MSi!t*~W-uVwcR=N5qUjDOkQ}XCfHf6?w1zg7NJl z`aapT7wka$v+_!UI>AL->waOnY8vAG$Zp?+p_l1R#FR~8-M#G|h~@kn(e<8TgHVpC zg}tD!%-%|aB=jz{QCv}xq`@rlb62qk1{Oilw32Jg{F=koqiBXmV2)8>nKHKdW#BYOe(myjh{Ivq+VmF=mVu{2MNUz!T zRNZ{2(yhbX_YYz#nX$0QfI*ec(v&uvvWOWQLwP^xL0}}=my&j7(g>+)w}y$WU!8jbH2&q1rqc+J(61>4;adGy+f$H`@Q zSF&k|YNFyoo^(oO<=W5lzW~9fR1m=)+yBooFtYv*eOBhf+e1dNq)fAkbBA~03yL8w zPj>K?Onsv>nkHM>CB?P3OC-DEy#O0)sXx43zBOkS^ z zO@h_$@b}B8$K%~+xlkaU&0j`WP$P95QPfrrAP?3cD>q~hGU=1POwwk84q_Ye5m@ps zZX#{E2!jupUsF?{(#W{BP@JTR%-qM=jIxPRlfD8dgAD+2yBv9!ztrax2{)3))ySIs zV`Dfaf@km&h*S6Iy8PKz*UrE((>RRJWM=+Pn5Ikc;^dD1akc{|2kRR}!R6?Gi)#-k z;0CFpyoGT*F~kC%019z-ex3-`ZP7LVdqAeBsM>Ppg<-_IcFqZU+q(cH*AJ@4HsK`G zDW9PA;iz~nyW{^|5A@C0{3&4}(duX3!E4ybn|{dB74Gg8V(J;a>$ zQ=_%Gj7%73&{$Q~)X>En#GfnPn_992UYfFe&^4@wB!zPFIDYRD?Bbwm?b}7C1+Cxu zgj!d?ovs|@Qzf3+qpts)pl0%v;*{1Z!6NJRH7ScSn7B|qTGFR_uI#&@89r-;Q_^NL zPLCMU3j{>A}UJcGn$R{_)C}T|Ycq0%xSGHCKQ{dPlB_jQQPR*iX$?4P*s! 
z3?f{z>k9E|RcAyLlpeD;Xfj9&{8W>7G}G`37HaK4#rA3(HE-<;vG)#84fPkA69NDb zU84*+MieLk@vit+b6D|8e-PX8=iqXkr&TY^@YyU^+VIO;?0~Rz>jl+MuNkB$P-8Uu zyWHF`tx}$T`yz*YvvS=rr<&UJ_Y>`(#uvD=&-4B2(qn@%yc__r4#bd(=97sAe)6rF zwM;Z|nFLzmOPa18m;gYc;|P$>ayH1vpO;cW!9PK0il2pk7W{6*2Ki6)Ax5$uGm`r&}j`l_xt#l@~F89%o)D)hqL1(lA9kJxZa(l7jdCB|zr~B_skJ zOI?z`L(f@LDvF8XLaH}``+6vi)>4Y@0LUo1a-dukfyS@E!&uRO9GvfqgB##V*8>hN ztgD2KOW<}3%M<8V@RvLoe$1TR$MHOTuFHNzMn2tN$O#Sq{c1YyOB}7Nzh zr$W%E$|r`7l+Y;GG)%|)NyDc-&SEwJi8-CZyLF6XZ*3Y#yrv%hzGRxbytd853!>qc z%_!beP>f$N(K4ayOB>pl)TI9cbZ?|Seypp|IUA_^XfFI;SOA?<+~)NarwmFX!TTFZ z>rupYX&3sX}MD8!I^YO;)7FIER7v9jM_a>I?4Ch1o^Lta-FI`E;IG^9W zBMCs1^TWB>Hz7=Z!EXZ>>5~ zuiwJLFBPcpmJ2{0QVH#In!g8@VwQg7Sqz9X5{ffj{9zvESX)T5urH}W#+5|>sc`56 zQQrWA!0!Z#!dJ2AN5yu(C-L|lz8s9&7d)i?X{f78YolQ9WutP55JDrI=zXe~ltx;@ zpr8yg{AFA6eZy8AeZkK4hpJNZ-VKjXz28Z+jI^j$<3(c%4~I4o4(P|E(YW8<5G}PI zj`c&5h0N$8OZ4^!0O~Ya0y)b+cVtKk>A{;)Whmk7cTr~Nwbho*1MbhDZ_ob#1$P-O zVP{Ssh4cH39foHHUjP}8ls$w`HAs|uyOsf}-NPkWhGEL}dK2p5rf?7g<8OJx^l#wd zG!W{aJiuO!%Dl~gDP%kShpUYLbwj+`pP zLQX+3K(F~5J+Dm7vk)_8D|{%mhulS2iMxS)^8f8lP@j zzu730jmY#SW`RRf56Zo;LVWY)D-INRn4mQbvIXb=WD7!bFCaTzvvN5FU}HtsR52j{ ze6N~?*Md^fp4;%$aqH8FySKj<^?I&YDX$tpY8uO^UPO+lq3*@~jDSWBgNjpmd{J|l z(Tj4eTA*(v?*Xm?RX(b>;LRFz^)Gs~!*s7!7!<)dfS`|VfZO~>fCIuQdh?5b4A4FMEeEABu6e#K_aLaUzKT3qknc)sl9>Ex~gpI@7mZR-s2xW)_KJf7S*Qz@={nB zVEUEg*nyS^yaQcdG`WJZG?ZO;^JBiHrGJD9lgwyoHKPx*=~y$es!z;b2tsmgwcI0h zN$#UMRJHNCAoF|kvi#M+;rZ!k@>egl)Ys;r_Ev=jFmF;x_n9|(yX~9dQF+nn3d`8O z>a}~3Jgv%6sE|nHv5(9JI}C*7)n^B-RSO=BPqM)T@6M+xybOELePJ6rX4Y`5)k~Fd_{(yg7HEa-70R7^xS|6_#0gmwxgYLA#y#+d2>y6gx z-?!0kvaa+qaky>8$Ll!uLcl94Jw4RCc zFC&v1RKs^Aif>G?*Y$~y2Pt<8433J$5)ydO332?|9$1XuB8%B~x`~`3Th^GDm&P@( zi{?}Q6^XW1`o3a&Wi#8N(~XYzlTnF=C(a!%S3ZGkmOU~qYa`}YqLkYN-M{5Bx0^>| zy+m&DjlEB2A^AwpG1%duq1?Wj(+<-Kp-w&xAb;~38>4<{=vTgIoVBc^q!SUqv_-wR zH^&(7Rj=#yDM?~A?ki-~Hm5!Be>Q~<5%{bF6&KhIFR;&}~g z#xyDa=gF1Su6@;Zy9Z`dqyoGZoB4F#iC6eI+1V*JjWWd- z>oA`kx%k-L?4&Y}tl~BjOf`M+U|-pc)DOFkZSeL|N#kC{0upD<7_cN3vUg4?87l^v 
zBZz75Q}I)^$8H|0@b_IKKFVG9jD35C&^&K84pO{D+OoN7S-&jjE6FXC_#Q@WU7j9fvW$ zO0-l%-+OE)y6g;BJnAL?`nC94oG74tEj0o{yJlG>>AK(Lk4)M5C*f|OnaUXbt2GF- z?E(75)Z=l%%Y7%+>_>`~2+^Oh#C?z3vu%^hgIPn5+vesV?jR^ht{<)+5MzYADTRE= zJ16)C<)DZ#LmIk#e_}M%_0IHIE-rWcLkZ|cRWScuo+_KcHMQG7gxaEs%QaSrn678( z-FvxlN^P%NuBnve@t1plwk#Pf9z#yHSoFQOb4n~XJPrww*M*YXW+dmuzNyN(^XB16 z+O7B+lTmO{4@e$LKT@Q_WLV#Fi=+N<1C3Wi%-OWsy!DB?bJq}zp?@{D>pdR`#%%Au za1B%<*@{J z86Ohq3X7Q%9SP;3UT+zsjr7*s=UA@3e%4jO^t(vKj}67HtwEMR@XYOqC>kg8bW6>hZKj)ctNKW+*=j z&BFZro4EEKf9UV;VNo0F7-8LkIz1?CClxrW`{>z>$=R#e zM*ec>y`UCEgqX$)+HXlU?|l#d@$FU6y6e$5f<N3#{f5t8QA-Y#@c1^5=b*gr~#s2=lE$`OWY<;< zwmido#Dm>8xK{B6bk4RLZsE7P~!vcrsF#{@?SDr8IWjU~3mSZx^#n8w#NH|Mc#)w(+*p17eP_loIQP{)%{gTfr=ru3*K8g>fRmh#ciN1WdfdqFm{# zLUW@EP{I6jAVrwDRqkomu-s{Q71F@mIOOu$@C~<}NTPASm+w}#;KQjus*6^ub46C6 zR8Q1HsHK9yZT`i{>MG|Y)g)XGg>11H*EMUDI6+m1YopF=MMT1fRI+=t{F1)BK$GDx zD|?c4Pww_xH<{NWG-@aO+_L(1HWWa&ni)G0hfaNHQCxH@qL7A`STab4DJ>Vv*LpR! zu(Ygrdf}i$pk11>L`&DLq*x$#5y^YK6DA;!)Gg%h9OQo{-5bXTE3z>X)N0CxypoQo zny$79^pP^msVp|#&RVVO-x3%~Moi!G>P~P!7lyQ}cVS$geHRbUw_0lOdtkC&yOS zo8gURYw%IloCF-$yE}8Kr#Lp(O2bfpXW!F&s?cWF=a$|Q?ixU`aje<*&GEhQG?KT0 zZX|t^OGV#_1VP8rZm^^oaxn}pO{qr@OZVy|VE*Z9X;4W5_qp<)M@)h7Sb##~y0{bu zDzS&`F$VP*WX#D&e803c)Rj_Q9J5dxNwuu+jNd@;-UNt5xINxE)f!Krb64bIen{Ay zeS*fP^`sJxL&8b89U(XR-BwX+!x-mRSRD4AQq4O=ER%UFyK`Ub9v5@*jgPmX&Fm3Rk#whpU7N55upY7 z6v)e7I4q5`rbEHQqHD)exhkP4Ts^rr3E5N+D9`c{iq>^*x<8RK{JdvrW3Tro9%)-`ID9 zX0i?DMs1+rHB&BM1OfMd=K8Ntq*G*D?+&oaelyIkKrN z;__VUFquoQkAp|*)}5Dw{*0)Vne^=W+G{1t#8pl|<(EAdVAJQ9CLP7GFUiNTE?wMd zEDv=c7*x4MV2F^wpgyp;2{KJ+sR$(f8Yxrz8@WN-y+?Z7ul}Q$)~T#VQN413yl%%* zIg84JlKea*fu@8uy%;@Vqd)%FzhX#yevhJ9U}^DBoPxM=^+CE!(d2*%#f}iws_#+K z@-YkHqf+VT)*7;Jg2q}gB1+Z~(69q=(=O{&0#^gH1+lr_+cvf9yFq{(etL1k&lCKT z@=#eAzzrLAFp)QJgV^?Pl+nOux);CvpMcPgPn(IXoLuC4zWx=(sCVo#JT8AB>Uys; zY%r;=_Gcu)O5xW0#I$$_BDL3jLD=y0z4{(I?1V8nt$J=NN7&!-37J=w5))%M`&z!58^I+Cx-r8?gJn&N}a5<*P|;c zZro13g-&gJ0s) zn1o1ix;Cgq@WBB3y-Ge)^zdF1^??-SpoEF3paLSxo9|$SO%qq##)3pkx)XD>7*BPm 
zS}g5;has&(3wMWNgSxfzzBnLUEacrbQklLaT^2=gr^Y>{A+N|9>Bi-?>qVPEo$`^3SxSBP5*P}p2&yKN4?DAs6vzr2B5z1 zg}=O6ZsOw=#+!U?`FE1{gb(Pr$~I{B`@;w0=jRYv=M648&suY?r_-;?H}7ji5k+K*zbQf!W4*_{;XR8sHHN6) z@=dGSPdTb#Hs&C?Nhe3PDkvv@uACk;&&GDra~?bO?|O}f$~*kNCzS;FN-B}?hw)a# zvd^iSTWU%NX>W{haNfqaB7p6fMGCg#q%0-82-Flg`tV!5^T0!Z`Ar6+X>Ku}#d(nG zZmm~4+8-XyCozIc=4&2Y2|WKe&6$jTCCh?A?L~)D0_y48081IE72A8Y+?9RIcz3a8 z>+&{Lj#Z}aWnhCAZCR7a-d~v&B9lpeF)jp1vW|Ty11WMFW*8w{I3zt`T8Ac6)7usVYCL>KBXwL)w;4#~8_`CW8wFFSDkuY+{;RK2Hvh zr9Ems&g+)O$DY#VTeG$b=eoM)LP5dq$1acu56{ol)2!h35->jjmqYF|!7C{Tm4z7s z>kCcv_C_Q^ZUTt(9MDm}oA~5)KkBeQU0?#>Og#97$8bapO|F<+OdPE02@&E_C};Lv z~|1NQI&ScXv?!(O79se56Y*6k`m$&Vt7Fx&;g()FYopM5cr;}SXH zWvUspTST1;O8Q#rm!vBeFQ2e@VhU8**LH6ACDv|Ep7^tk^o1p4~oUeIw+y|m$eA#cF}+%PGeSHKK0gtG3);cY#s zhYvO}o}3pX~x8Gox8A7NIw z-(T3+k61z@)xGxFfLpnePh*qT*cK{LZky$tb@XFb@Fl0q93=M9A#&TocodDl?;oqz zdTS`3Y!=Mh8;d^j%}oL)3hYYVz!2<-By@ap$!H`r^jDb1mj{Wp7E`v|9Xkwa+=bOh zCqk&{mk5 zO2zV?!wAzktm1~TI^&`6eLlv=D=A4NcB_*~=8A;!G)jcY$h6pBqG~l(M1gQKSZIsi z9!4a2MCc&58Ha0(ay?O{T$7ow!LO9-#WlD#K^CyVh9i2}aA@+h!D3L&awO_7sC9_n zxc-5NKbWxab8wL-fbG4gMBSFki;b`m!JAlwJ z-7-a}M{Mj>p;arTs56^P3d5l@y|1usLxQ*;UYvX~dB7(a1|89_SyuydS@((&dK4^10-vXj6ae_}bqMXJaCtK?CVGg?M zdIOWyhKw4O89AQk+sXQs_sN;)wL?<3f}^NfS{2<;yj8Rv~XC1EY*7 z9dk;D^%4^t_eZ?!n}jH(rQ{P6Fxm5+Eub?cDPl;8#qI6aeMF6-_>sK6an-x`^GORf z38NC~&<0{P4%^j#++#|3glBPlLZKj_FOLfm*-q(n&4zsVsrZiVAitd>q6u@@;Sb8B z6fEkGaR_9rd)+khA08%&?}OYoD9NWRpQtPtK2l)t*E7($#tdQvp@u*H6JJg6bYfMk zi#?pm3-0po^~7*-u+A~s&{|_km#nK1I#W-;$po}1qDsNs-mkH}_;FAeZ|1%%HB@*4 z*=Qa~q?Lo7ubV(zCW*kNEfz|W1GikO3gMsd@Y-8FSK(bdrUFfr=L~ExwSiMl6rICB z$~)Y9wn~3B{+^Yf*e~NwehS&71p z7%EAYYw0^*_BcD+G774r#8R9$QvW^=(=M2kX7aJ|Zx*AgDypf`=x_<|{?Tmn>^u@w zRVXdWBCofYz0;T-U>|246rjTq`;hd#scCC*lHQ!w4rXVVK7# zI>agi;fY*@h}`#bKWyOaL_q~}Hnz0?RT?=51AyZv1)rBWJE<^AG|sJH*k0aPZuc=d!@X+F68|2(D>QIVJ(C*{O!<=Q+&RyZ@+S$MV!ozmS&_}U{!wE z1Hnj5UXILBNk@!y?OEwJ7kGiC=EEFJYL+JyYT<$$C|bAushET<5rnrYp^1sq5^=Qm z+WDtb9Ni!I`BeyAG-1mq_M9=*mfoX;uX0+g&>eEnO*Z7iDYrY*QKG9qyS!SV!bBNJ 
zf|A^#iw0kgT&Z51=u3R@JjO051H~=z%4V{ceY0DsN{{~-<6C6eThkuZYSPw?FuIE+ zPtRP``UQ^15}oE+R0ZyX(o8Q_ztO#^yltS+gWSpzD19|wropI7LzYIsd%p;D@!~-F zRt3oHi#~Epr7S!w&VCh9)2~^b&m;U~%R->@0HOR=vtYf_*4(k|bBn0TB2H;bA_hAv z)PtgA{->orf`D_PPB9pO*b#cnVi>#Sqwp=+7b>r-I_^rZ#6ov;@~U?9da{e;(y6N2 zuhKjLKZeJbam>{zrJ3V8CH>a9_LSOU4G)3fMGWG}gw~=@Mk*}5sCSC{fst|G?()#& z@gUXS_F9KV&ox}NB95#;23LIrFBscKtz9A%Zz$T=0aI;bGOs{?Tw7x-I>~BES~@mw zbFW=l=o$Yr9I~IJpNuEcB>ID2agE76=|Z}mG}2pMY2`zXL>7~ghb6C8LQe9LCuY;9 zqz_tT^x8kr6BeBg&COP+MT3xI0n^#TK08H#|Nf{>o3B3pDCk|ye`KW)AuN# zmKc$KIa){ti01sE4*!CD%K{1Ia%1`uUEa%8DiRCG<^0e@9j`L(&XaDnfiG?~8G8b| z!~`MZ@4)>Tz=i#Q{+f(=>@^HRRiC?$*Ee|hJ{nH7?+=;Ld@?VE8|tx)V}hVbzVisa zn>GJfk_&!bGJ#ZTkle()dU8^E9(ug4qKb_H-wMIN2!PeCo@B9UQ2P51MCfxi9&H>6 zoc-wxoHkSA%%`Zux~&anHs|9hr#n|*sMs5ikV5@EtUFvfn<_b}Fn$}LhK9Sf|BVxd zqjTtwfrmj8Azw!qF<>T7m#9#`3FkBACE!$2~izDStM#@~)XtN|=;^ReF0 zCKx5O)q2wL#^cDe5(Gr0n@2__mCOd@B6zP6Y_wtn95?zx-8=qq5S>Skn>Gbu=A=NE zpKw?$ei44N$r;2U#{i_6qUtvFm1$JrQuv5(Xdt{|ay?!<<`ZL};0_3hPfMefOJf_Z?Pgzj#ocT-v^%rsej}gT zn}P5eEmt??1h6R)`8?1|jV3u)EH^cPUU)%-Q$68-VF4^=OBZ{QMBq4diUW)~Z#fK2 z+{EWk;qin;DMQ1?IoOOn5cifbYFG+VF!`-lDKz3**pQC{}-|9JKBgG;d!421lT z-~8vju&9-)WG-rEsBBu@4xxadvm(F+5gw;N52Louf9iY`&a*UL;shX z$L4B+`(LkrBMUswrfd<^|9R&xKY@au`(LkLXc^R&F|JjHUjNTK2R~6fyIOVU$6iFUA+Hoef}T0cyy_&*)FxXxzRoec_(baC+$zyv)XV&eBaT`?TyX<{XOocxnp%rlT4^b%n2rAM zQQ%k$fSA5k+B1mkw?Id4I@@ZwNeKyumIBnalLVh1REQhF{GAf@3hg8ZKq@k72BXgE zmgFWUZRV?iE(b5?$5xQ5w}IJ?KhM9W!qvz>-)y4kgBU(3(H9z?$e|rLKC#o~YWkn< zsAf<0mIj6#4{QEtBLL~+X||pkXr@82bE1V(_%a&z=Z5BV%^^ zX4*0AnO>vLH`-)l)2V+LEdrgC+Kb~Q&S@$)q8E$O2LlcSGc(E&%zy0o&HZ%5RdsW3 z^0`n_I#h5cu@KZ24S#BA~wdMn#;hj64!L1U`!EFe7oSDe@EPZp1725U2;4cStMk=~6 zCLXr?T*<8JtpBvsI_@j4?k`|GytftOd9#u&>D%j3Xc-Hd8yvvJghaX-FairxD@+p8 z6&n}#ef5-QRXP2m(%KN*g=L0}FFA`V=O4%THb4#bR&YjwTprF{AO1m)hJxqIereHm zZoXu#(B8QC+s_kc+G_}APqj-fjFUxOb_u5C?wsO0bJ$#Dl!NEsLq2B$qotWmdKC>m zox)cL3SRzbrM=Y?bfmnOfL+40ih=+u%2E#EK%qlUn&Ty zSvf+>yq-7JCz=5c%U~3Za-l4~K9@M3tE~YtyTz}cD^yR&8`}r7Wd%aMP_e=&_DOS4 
z!ArO2o+JyFF`(BFWywIACI4b%n`MAwsodD<2UlkAC&c6nJ(td8=$GMjwJ@lY1|=y! zCb7riAi9Py8=jv}F+4VQLFha}Q#4erRVR{(J3IMxu96oROSP;6v^5Zm1Oz<3*OQoT?M}6|`Jr4Xck-cTRdyfZK4zO>K(Ge(ZGaRR--OtlfQc?;Un@MdwpC7O7_Y0CofZ!_yJw5&C zWz8^yW_8Z5axGTLc*=n;Y?FN`kUE<7H4AruQt|d5msS2kW*;cYHtUIuVajd;Kpd;} zdG=myvH?TEzUA`9##n^-05@;e9HCd$O~L1r<^UHo$-a0gQ_85qy9n;LKmXovxr zT(%_|dT!zXn{@R-14Uy^h&}9j6--c!B%uEKyL^fuhsWsvVfp!A!!?*F!)>bS8^^y0 zpSBg4$?K8?_W7-V$h6d!dNm3GN&x=Ra`VjfCWz+{RveeEfC@R1w>3c=DNx)xPZ5w$ z=a3V4yihsb_fz}^<|!S1H4qJI+(q!|;)2GHYkuL7c0`j>_@W>~O#)64ozL@QqtJX4 z=tWV29;up1^d_3c5Ojv3VGyM^Q1c%RpO>*4!QR$3A`oYBet~ zT+1m=)kD{yVncvA-P-3E9Jyu|Aic0E*`#4dTvSvvnr_okGFWdsj44c}=*avk03`+5QTFu;|6SZZ+<^5Qn_}dEOQ?xrXMeHU;(V+z^qrRy(#TLOxzi;f zf*68fPuuz&koNVGWv6ab3;8LD@WYy(8a8Sqk=0dVrSJT7w~)9F%maU*Zh&hItLJfjVIxyv!xqT4{nq|3B>g zWmJ@F{{{>T3|)gDf($TpNh=J}-3W=d+v-&<_Jw##Q^+$&yLdQ z_%qN<#n8oSeJdCVA#;3J-d#+bcUfVXVXtK4*AdXIL*&X zeHplUe6e#dZ>(TTflw-WT9UO&2_v>v=;Kb;SF^~0$;Z!tM3uJx5z8%8v zjKhyh7Ntaxh{mIe=xa9rvRC%uJP8p0?iMJ_xsYHk`o2Ao?Mlzs4+RmMHBO9B{L4>` zvE&YvkvBu2X`sO-o?|mWpSWFsQWOZ@)*9qX9i70KmEsvBEB(X#sIeofpyFNQL8z&G)ugYA$&L-~h zUFYne|Nd6OJz%CcJ3&r<&}A?7rpt`khn5=={Aef&eq2`#)>BWs^ttzwt~qTC+SJMM zxuZJ|(jPbqohbuN>ot=LV0C&<4kvW_upzC4aB zWdz1Gw07DnU9SAxHq<`m1``Jh8cQplogixHt@fzJ)vdMirgXTFbsw%!5H`M>I!3eJ zsgC~%!FLgSWdU+9-U9?M96Sv-pyw9dsVt0v#y$!6tI7G`7g0xU(NtUh4+dX_A3P_v z-&zXhc;!Ten402}hya#w*2=KHqDv_F#v3sS}k zz0@z_t%GrLO=MQ|FeIMbr|*=#C(}}_%iOT2*DcbHti&u>CyvvzY(+l3oDaQoY#x(3meHF9>a~YOe|FuwPMD4GxZfla=xP8h36onfn zP1{+t1eN{tQBi3~EQ5&u`6n)9x^4N2I9M^B&9ueRVM?;sQ9g4m6dR|gk}RHlg~yj~ z)#7Y0*+Ns{x8|g7EK$iZ5inox5jmxQl~A9Skc>4TEdB(GEt1K1?3<$mF|11%rNdZE zT+EcBvoTsWE0`_br5LhYOt|aLg7iLueH5NPK({r%Y^)z5?&nIkadzaFkPv5z8nY0; z!fo)Gxu}4(Ch*LczBwcaKT8S4@`ZzX;KHD=0fS<5Uu5hmILx95Ae4x5T6CI`e}QlW z{}I71@Uc!oD>~m@Te_J#adqT3_b@+nMq9ctYkLVAwMFeMK+~4y=7_)q#*q@vpqV%b zNQN0OA*5B|P{+N5;LkM8m~VYAwu8Tqlw|Z@u_4KzW&IfT6LTYoj%{JMeAn+MC1UF% zo$Yp7@aG&fsx}#vqgAQPD4viXQGALJe)W+8!wT$5m^_nm%upNTA(^#q4QPj;@4r*q 
z5A+hqo8CC~I-zhZE{$!qK13VC=UTZ`;L4Z6=*9Up5WA5loyAU>kz1q-w1N?Smuw<| z^V4^$T_9*l8za+d8kUWF$8r#0_9jB@J{-6M85;&MdlhKPT7q!$jbT`n1Hp#0?P5>r zkm_A0Yw8?pee!sUNk>5{>39beju>y|A-p5ZbIpv$8}FIJ3p!L=?=q*{FX(f7l80Xc zl`?YX>xs!pZN20iPDvi(&iK}7W+HTB%4%dkg+j5*I3_ufKLh-?B7slnss#M(Oih~i zAeDu@j?#H{bmsJv$r;m|B`n6MCjH!>?xN?P)$W5&M>U@|2%8Ni=qUWRrz&hC`PG|D zQ8=kWaQiVPEac(l*Mj7kwG1`hF$A+wIE7GoeaC)zg+eotmWeS!*o5~ooSNTaiZtnZCz=Iv z_}r-E(G#sr8gN=J(`Mt; z2;j!kMd_TA%+YQ+3Pd1jPMTwkK*3*U%YG+qi`wR$zD!tJsOkhLrf(gK{cv%HzQWa| zACL=^vmskA=Y5Nwqryu(1>L01Nqj8U$`xVqD3-O(E7~A&6D51G+L3x=Y+$u-5di=D z^R?#hbDB>D>rnIRK_JAT`?Xd#ZYylVon3bY@mbozO|h{$bTo{Y6`learqme5$;2PT zq7zGjeKa+;J-GTPXqY1NNGx-2`wbo8^;p@h@?CeZrr|FTJe29XXN0hG`>7Q##+gEb zz;{O2ogjPuvS>9-s8O?%-zefj9vX5~8@Hp>Y44IGDm?-c#jUZD5u(5O|{BTw7DE^2X z5DE&q%!D-eOZuho7Bbjsz8W|&Vch01{+w2; z*GHpjKOiGrrs^uF$JZbgG!Mb@gA(gp8xiqVfsfzSx>gu6cEpC{4RV>Q5c6aw^o*!X z4?HeMZiJwJ8|K^PU`LhtMiW<<(v53A9;m``y<|8cGi) z9$!V_99Cv=-V_rv@pEDN^y$FL)i-S%BxxK-<>=Ph%jdTC^)SH#q01>w7yV5xv>s*O zhq)t5o%;P%v{1PqozZO$;M2N8v}VZ&MW8Reh*jpaS?G;XeTL#g{?;qe!?d5G4QW*fF;;!J}9%`;O_}?l%obIU4c7l|e_#4*ZNv#MLe#+@lmd#9w^HbM~zPpC3{!~8HMxlWuhF`^k3 zcbo}eTTr>jrnX~G;G+@xR&qbdTZ0{A02Ha4Z?eWIBhRvHIHa$72=sdj&_G-g$?F&G z0fB0&KK5cXfoJK_6d%XKKx%%lac`^@(xBu>pf)&VH*9OrSk|Od>#=-|S(=anY267+={0VN zmk_eDoZSAMSWW4a>0iKZU1yy$>dpKz2nxq7#f^yAa61 zRY-`h(GeyD^I(Ih@y61?`b={aFVd#~XvF7Y;j)Et=5 zD|Hqp!e*oW>%p~t_VPH^ZT{oRY`6vn0ug$lHJz7sNUVhI=$gMys4C9UqiV8-sgQ9W zxVgI$tvC$!9N*(Q~14g)?wfg%9X;)I0WhSd} zYGQ2s8Fu+66{0<;ook4qe5>L*#@21`R?h^Q%Z8zqw#LfF+Mu}|QYOsZ*MIKXxr909 zJf5`1>181X&JQVcNaqIX_8=e{Rt~IM&UcWoVFTn1v*_uG%c7nJz{>3j!4>XeXOE)LW5(_ zLP|Ny(Dn3jf1R|zrq?;kTl8R_`qiwqHjz`hISp!(K?1_0bu&#wBp`hhJ-YxzwsT*M z`7PnKt67#=`x;-QMPk5JzlT;-#T@@xANmV zdN`0X+8KgNT*(SOki*E_y-eWJf6}cEY&N0S7(}GmI}UDu8v*0Yw+Y?1&d|qfaS&PY z=`s;nlL$mr63oj8soO&DBKaqls1W6WSsCAvOSEhaOcG-e+buCzyW~uS89q^}-}zg; zG6`=}eEH_DbYWt@WA41!AVTvBAt#ARj5is+_vg zkU%hFHQl?BONmxWe1%;^CV%UasIBe!On>Y8HOo8OY%t4mr%)v7;LLFHLXQiQam&`5 
za(N(2%s5GsK!`xLoYeB^+&b0(r8f%X-?!4mwv2AJKSbf!MwZ)s;Ej9%d86`fIeak! zjY=v6NxFeA=1*|G8P&Tj+5u2_XG+IS{M-qm%k~r0JveCCDnAx;JD$GY7;M>|GE$Rz zCwy!M8^H+NE8?&>RyfYYj>gJ$9F7CbqV9ONt?Wr$hIJ|0O(Z{#Kb02z-2XOso`nK& zN@y@f^Nm3k+h%@yAr*}Z{6;F-PCHp>So8*$)%zEQ;gb8?IUl>(f&31XAHlaGC*w!n z8J77vOj$oiR(N+o+Zu-5MtA4tL`s4g)%+yLHesta0uKw9Bs81|?;-hoNE+d>b%r#m z%|Fg{-Y2I0wU?@yf1DX?E4o6`d1{IdF>}7u zk&AXcwvDmNgKDACKGGRpT*$Dhq(9)Ge>VrvQeaHCKf+w_v%nJCQiNJ=Ra78t#}MRn zBG=V7aNQYpf-o`fhB8&f`5u`5P8@$$k)J_sGqVc|(lrWFc zY~MWx6%wi^gCZcNez*R~5|v|Zi|5*Ngg4#Sh=}hdMd4(Sdbf`enw;%lp(A$)#0sK| zy+;81UM5^&%{h~p!us(Iy&>;f-`gQ#?$4eTEj*UZ{?ytm-t=Sj*O@603CS&7M9-u! z49fX`_IvCtmC%6GV z4`IytvEOZsS=bs)XyjZl7LMFE1ukoE$T)}uSw$E?=@p89QD|*pt%w03NeiI@GZGU+ z55cdyKY1~vv=T%K?$|T1{>qetdKGAt8Dz}hr!ebv#cz6VaW5lIoxHYglk;_WIpYM; zU2jzEoE*1uF`DxX*^1KHSh`2-LL(UXwhmRX5Qe7UR5}G249dDXhfz0qj0_`%+ND}Q z@wZXaj~sX41Xl9SbTe^nF&%vKG`uLBvycqw#z&_<N233RXdJccGM4`c#kJ*A^W z{o%yVd7k!?AX=+r1KRp;EI^OrgeMOY<6V}WOTZ(y!4?$oahKsNY&m9#hvXp@b|b|b zjOImyw-viSEtf08Qr_?2_17h6opR9>Zd^N{P>e#rflEln{@9!qBoDRVmr*#p$G!U) zZJ-0D;hp@r@8bmtO&{5&dJ zz~(2}YY_<(g@0;^opa)zxjpagcnf}PRTW*EhfIthurV@30y%eV{8FrbWK%7vOX0RX z1GbFU^;!to9)&eENGsN1VvhmoXOI1|OPVg; zImxEC9y0*tGO}l_OVqCXZ04cl*Q$;hrkXcMdbt z`xtXoTIusEbYfQOCwBniunE5?-aR8c2>lCu1I~<%g2Y8#n^y(9>LS)xzW{4!(To34 zVf*uUtd~H9RYwL=X5b}r0ZqXA3+_V3>;jQ6I@H;p3=j*!4q%shMnMF_azNkRWn=8is+q&KR=8*RRm9T{@f)F5GDVomcPS# zaVNJsVw``u(0^`ed2!3KqosR)LSX*(akw^c_!BwariL>A`~Uy*T>)Bx{vaW16YHdo!yeE4h+x){=EhN`zH7i1hgz* zV`EcPOXFrMsD7vlz!*uHnXqkK=F14L&2bj}H(F_)bRsGbN}lUgt6c%ekJl-j7G^-q zfO&&N8<>LsF7$uD?_z|2W@M1#*8Z&bcIyrMm2Sfi3T{_N-w-b;pyGLYStP6+H;zp` zty_COC^3RVG~sDqhAPkyYHQ}aNPGS6l_6tq|3)M8hRG7YF)RImxX}Zi$Y|vC>nPjf zPvb(iBaQ(te+(B!xYINIfw246QS}#$784;l+4j@ewwry7z1xl|sT_j~8Il)y{Z69- z``JxHzIET1afvVgdQSa!kYu!=W7U4OB#hg!nUgiKUkgpzhS|&rVeh>PB0ey1P4jI4 zfbLU|VFB{r?0)b(C>27-=?2Z_Bj*&e!K(LE04#1NTndTPwGB*CyTYS3#QrwSF#-R- zH~i~71z&}*pNp9Y892w)l$eG)^1Vh^1ay)e>G`;r4ZTfcWoM6Y6!?twe(0ckp!ZF0 zdur9)zS6!*&tF>OIf>M+eiDO{s8_1pdZqWc3M?u^G7aBXywj94RAXIsOs80$JUdm` 
z?YdVSdoM0+l>P5x9|fX+GFZY(#sF@k!)7_6t7H~(BCpYcp2sBPwLu@=iSfL<^NoCH zDL~w=Yj1NQQZbozckAU(=4Z-&8R)+gWC`izo7}9lXmi+i^HFj}fqHDip zE94&&pr#%U*n`NZT zVigGzBL{cxCr`8|zjSSuY@wly^==ZevC+8z>HKx{WXvubm*1->Hmg^=l^swsn(jNkiJd7SOFOwrJlCCWpT_WbV@rsiV`J^O2UG<=p` zAV-w4X>R~t;NPYhN(pf@$NaP!x##0fL>bf3zNS3(SiJu`U)oKQ>}Ml4`i|nDZkgHC z{S#3`OqG*=`>YJMpc;G>H_o&9m_VK|wk7eLd-aE%}JuT_8Js8~v&??{`E;34U zAMoV3wPdV3Ch)gmQ+Os*N(`HpTIDZ#FBUk2z{t~(Nj)-Bas!>{oYZ7pwbr|?{ul1OnBuT;*v=HYVO`Y z|B^g;KR&X%Xt}3~QaZ8cV{ebS!$FFEQ6_v^I!L8oY~#k6&vN{R>&>`(j0U-Oibp$@ zZ_Pa0`usBv8b1xY%GEz-8jY-Xj^}51dPRKX{k8av&>v4r_#QtXI-%hO`RdXS=077zZf9#@8o?>CvcG8S_ETjfTK*%^mBcbXDV8EH z=M?k^CxdyBk#0UeemGv(BW4c7T}&EoTDL-;0aDMDyY}A3 zVzZgG*jn##hx^Ne$Wkf2dMO^Hu>(e-n@CUvpn)LV#a@0Q|xFVIS*ut#YXT& zH2$_mDr7Duxn^^g{p1TdgkBsHNBpBUiG#gy^RRB5?y1V)>((!|AM=E^4&&`kP}8Nx zz5rEaRQpWgb3?7;#Cvo0>p5HxQ>^r>4A|~xOc?Y~@iJ+j-O>oO5HUY2K-w@pL-x__ z46X_83^x*1`plBmS0Ay3h?Kwl<*-Y1-$dR?>VZho+rSg_Fyd8!PV|KFFSq@Nr44iT z&F*rT;7eB?1T3VWx9?3p+&gYOd@G7AB-cHCyIL!;H&Xi5$bfwStf!_@!0ha<%kFA4CqHrsO(xm`u(yi`jN*HLWMwQodCtM;F8R(!eYaGvz}TezTd#6z zLRHIfqoS`4;vvpxR0P`f`)4LD<8rGmrU)Kjsotqb{W^8`0hK?wn)O92DnuioGyT;K z{r1ON?VD*3VdZz6y7l!T(=zFMmW7Hr7$zKzirsaXW=yj*`jo=KL6W*B|E!r$=9Blk z_3AH;N;vgU(qYE!>xDv8Z+l1{U$EUZ60cL z<|;h<5)v1JdwJn=Vq0nH)qdIWD+uiU-dMD5AyV+D@r1I{@#NN(4)?FSuR6PzyXbk} z_m5WJ zVKQjSt;20pS}e^7ROzM4?7EY707y+8{AqFGVSE5t-!oxl#`ljlE$)AQfjVe41|&Ov z1-3Cy(596WuvxM!?Js0An7CI~R=#`)3R(etHqbbmal#!p-~!&5!fQG*Y>b3<+`9jT zl}qPEFj){FJZqw%sRL3c8utB}E2~D^-##wRMKV4G=SnZgAlrcpHqd*gn|TZ>>b+7R zoUOQ^6aqoqhYSFQ_6jgAnTX@9+%Io`n|u7XQ!jxO+m#3T)sU_^{=MXLHif*vqdPs~ zuZl8X1V*NHX{*2KnjBJ6Tbh%{Ip zbzSszdpzN|(TngVIlkP@wX?rC(6z~9zuLEaa`o_#UiiUaj$X|@)%&_psmk>RDv(DLxe-Y8>yJJekPj={=q{T}=KE zbopJ5>5>;E-D3dak^TNLi~IE}%ii9v_RS&LIhzJ!9j5vpwn-_9Ppa3L-WrPQhP%L? 
z-hX&Czwg|k(x|WL!~S5Eu3tSSOn4vmX}V6s<)`I|rF4b7ft>4E^QgNJFx6tFed8-X z8tO(;ZvMKb%^XF(X}1$6N=PmO~P{39n{%Z5+5JtjILTA&CQ$YQ!G4No>O?rD<7J7C}T?W;4V zt1G2L*#fxWPCKPGL0AY7Vbof#MdLMr`EFPp%jY+#Q~=@%#iHM992k4(7#Y8|u?EyIz&+LSe5>tG@%;Zp0GQfr9h+@l`cOvaSPUOTN!jJkV;i(02sLm%l{5 zQ_wD9?8xy?XO)f-mqpH#u5sHfG`zXmwQzISgOdQ18_UJc)fPp^073lP7UET75uixtoDaXitxcP75{vTwlD`^Q}2NXMmQ!YJ~sk z)0=eMSSub^)RNXH5mU%;G?q4f6dud+uTsT`j12SQj}^CPY@X}h0a zh1Xq@-WX~pOF2!Vc$9AE(VFUP&brv6$>7Oq)B&i@0RGcu0$eB=Kt(^#qXRnkw^$*Bk`;5J z2cVdu4*q%p6TgG`31pbwVJNzgBoa){4J+)kOfDbJYGArP+HhoDJwPMle8Y3IL64N0 z^FZO*fyeiaMlbr@y$(D({sKCc1V|}RMoB}RvDs)nlSAh*EulhI=u1A}bjwo#nx23y zPFy#c%|{U4vX5pN%d9i!kcj)+VrgWDR$(i@5PIz$D($gE-sxy%x#1B>&4rn9S! z-*1#LQ|fk*kbz6rr^CcOZFnz)0)Z(JXzbMANw|FXGr6(YqN~78wCv801^#{0)6G)v z+fw>;o~$=+MriJvaKDw0BtNdd!_w7_bPXNhPFxfPPB*^z+y48$@(!hR#Z0vsV`~Jk zoIcvOl15hPlY>o`I&!ULJu$YgJ#J^y9OewG^PMh8jaRz7mFi&K3{!cLY30u#C2kP+ zl+pJ?KIHN2LTYzgKwC)NXOVpaUZmq#)$kP~0+@K}7Bn&s<`BikAGu(|6@9$qxS%gl8E=&kP9 z>Jy#qvJ5)Q`}HIt_Cm6{+^5W-APEDr-7+?=cgvgk{QhD=fu3T&^e_Ke zPYkb(oL5MnD&k@6MQ!lEfkki{#O5}JAjQt(=wQF$LD(+onagN1*QUnF?fRd;=H^2+ z=S9=V_nKB}aLEXm@Bh#|3XpDk7S1u_TQ=S#mJc=?VOS1CC`!1C<%`84R5m*T0Dl)4 zXkSRk+-dUDf7(d7bweh<&$UplQ|HQoTc4=*YI{;gzs_Sd#)pqe$lOtB%AE4f3AGJV zJnpIZUCERYs^W`+J31LWi|09by_P+zY$>2Z<@&xySLp7#zok)xXMoC^!Vhg#xE4YL zck7SdFIRe83Hc(MnkihZaRnq^d|3M!%o_|v%v9!T6^40|u8 z!183GzC=+}EKko|lA|06iHk^$ORjxC^;UwH=)2i9OGtMzN-VIz*0PDuH|WUwX~h^+ zV}>+J9{RYodg>0{_fc}`Q#g-^X=A9*IS3q(( zY1Djz#^Qeh=rs|Ic#ycF(gw93Ukm2xeq89h|6+(k3j(3WtoI85t(^dPnX5Gn-WaSt zIv9XCAf!HL%6Px}TdXT{gP^?_O~Kur&x>3$suu`c+trf^B;cTx+DyC70D}tI7roBu z*P(Ru7AAARBiA*#rD>s4&wxE1%H0mhvz%;xR8+*8TZ7+eSh#mxB%fZovDal6%A75A zc(2|xXhh#|QRbVPXoMLRR1AZK(up}q9Scoh5PeFA-I>ag-KFQ8FZoAylBxH3e z9{B!Y8M*h8mBj%4#Aw=UN)Dzq{MAdqXi|upF(KifaK*HrC~_mwJUI0?z38Vnh-*ue z`a5e=dJXd^^$kDHqLC7fh=iQ>oM$>E9}Fy@VTy_m>MKM(*K+BXh?@b#)+QW=LrxSHPjk_1+rxqg%z%QNImdhO zMM8nKj#2}}3{MMknts%wGT>d|5W%bn2d;)y(1gN00O8|-3k^+DEORmbD+)*)IP|n4 z4l=)%nu~wA`vB$xi6>c;S^$@oKQG1VXFmj^%P?Fd7A8aIOQPl2QBHp!ofL9zB4c 
zlY&;2>WB%6Y>cy8=0mB97wMG9h!Esfmry`E^iJ}l+!s4)-}59SG(M)PjH+mrk?!&E z@@fKp*6U>RYyjE1vmkRbnUIpb>w?@JM8;3b`mxm0QK&{8xzfu}4D@#SaCRJL6SObwFBb~nCyR`MWU+|tN@r~zmu z91z9Q1id`9`&tBfV#}HC*hDbUb#xS)wD2{07gtOK;0}u0>~x&)jzpyZ8*W|D7R;Hd zl6;@)>xXg6f8Q%!1PcvlisHgB+NcbnihgJ+IUg;Yz|u#9&EiIcLQ-wf7S_UIa9Rj2 z624-$*+K6?hR<3RX2@r8ds+Uc(_%5GO;lgL;_+;Zkb4lg)AqcS8O6Qr7P-kvt;yJ< z9{TJf2N;3*2KA^=Dw1FKUkD%?j+$GcU9&m-vL+|TZtL*~f5$dYu3 zal}ON-qovdbgtzZf6`4=%+|?s(bS5QS+-?4>mA-`#F_e3TcuH4@anP#M#g5u)G#}l zZ{+l4G#TU)>o*0%D=bLI*?1UipjVVQFm2R;fzo#C-O8)WX#h8oO(tsAbQz&lU}l78 zi7Zn~IBsebKfC9nTWmz&(juoGLI`8u#DgUHWTZttKYx+4+%X|QkG8+|k~{xNh+Vb{ zbu^MV*#SG}Lg>Pe7Oj72(NuRGlBaHc%jHR-w~*%#1M@_P&rN70s*oG10GyRL!6;v+L z5zd9hi$BbNEyit)ZmIy|#Nk~rzb>SfIq#lhk!?sr z&-U1tDJyhYo44m-*Mkb9;ftvb1R_)OX_~!y(ZiOeN(o4JdeL2a5RYxe&810ly*Kpk zJmDVyG1sQNz;4(FnNu6}KYQ0>sCQGH)>>b2aeiES<$(z2cJ%AlD*5+&+8gG6C}F%+ z7V+=vFd4=;#nhJEw&@*&#C5>KUSexROsH7Cl+)9owe>&$S}&?n1bQPGMSeJ8O+cew z7u9X#6fJeBur2(oI^rJxe%sJlG-YvQf?$|DkiirJt-KI2S|^kP0K@-g{87fN39Hzh zygeB<#|^l$CZMqYqGf4V`%9jMzF~j(^nJhTpTX_9Z`R)Mf?BpW5nN*4u6jK3D!y9r zQv*V-hfhnX3^3^Wd@pRQ#ju^5!#O;KpF^BNNEiHul)LYwzW!>=ijB`5VO16Awceq3 zhYiR4wE~HOj!F65yt3)+*ood>2K{(Xu;hq)3IcNr!|JNB^<;iLE#ix*Ej`H6W6FDX zFe6~7id{Wy5bo9ZQcipdsCmRGV9?bRuiQqTr4hF331km8k6~VuQU!ySq|Dz*s7IgK&KhJZ3(ISnI+w&I(9dD% zvI&5kM1d*zu2j!NU9$awKj608C#nvhak+D6!r%Ul1(@Ks$o!jQk4@3#iJA{J$*p$4 z<_#pADsI0TCGPxWcRfOHMvOhPI`NTGmZ)+_`O|RXt3S$_!f;=~J`P`Dgn!#)2{PBA;O;n~8`2w2 zS*s}OAV`A$Wgq5N!Tv{xci#@jR7R9ewr&Q2LO6F&Njsa|)Gl z`^4WM{j#Vp%r#uU#Mq8|Fzy9!G|1=H(l{qErdK;@an! 
zY4;{$x(e}I2T%Ss9V&1Jg0-=F{pJ(vCwuj$m1~4B%b=5{%rE&bUyl%d@Q3%@mfGos zMijMwkCy%3Lb+_lQS$KS!RyFO7j1zK1s034*mN2yaoK-7cN*j=uO*ZFa$g!T|MwJ0 zlx;`xcxAu|nOLoPMwE=>Os)J(#(C3|J9}^K7^J9l=_I;Mu^$uS<_&E-bX9BeClGPv zNjhcju57AM5O!E)P^@Edjb}N=idsnF?sBR5&iEFE+j?qK zYfsx;^ka`!Xmzvx%gX72Ude+iMprSie@hJhr?826 zijGb#f;?6W2$WxOP=3s#l8ZZ#*s(s6TJFwG}A~kL{!)B+|0X^%B@#vN64ky z7*_Z$iRL!G_utDU{|XFc&RG(&v-#d1uB8I*Zx0X`y8E%vP_IgfRP5|4yI!&J&s1ra z%LtMK9DMSg%DX&vE0v44C{|_yPFRJ7g@5%CDgV7L@UMr5Qez=hsMJ+;KWeCfLbc~> ztp~hZAbo1=G=}e>j*0qNC;^!8f5~qB=e-2b$7_>McLajW|NCe7EdcFMh!ihV``z$h zm;fq-q18_Rw=?ipiuC_3FLJ;I+=8-a{I)I}MFuWBIM-kFk3;3pG4uwqACZv)7wUe0 zjko`NFXM3mn<0B-k@~ymLCXV(jzn1Zo8LTZFyxgya5FvXb_;*|JPZKHGRLGLqWHU^ zfYO5tziP`eV*A?`_}6o9C0xQKBe$;P`rmN?HSq6H01TqvXypFg^8`nN8So}Z*8H14 z{qN^ihy;kC@5p7te-umqe7yg^rWOT|2rSBE>b|}acJ_8%FXf*xc!mG|TP!$W;}Wy0 z>FFi0f?Ods?&VfFil^v`pjjy(CP1)?Es_4axd?`|vL)n)#Q~sN;Sf>Xt>J2Ph07+x zVufp$VXnkKjQ)U_Bzz@56IR3t{XWD z&XmmS!1@#V8mpje%X*qz)9Xd$05MGhi>w zkt)~xqd@-WaSTE1>!uQ+m$G~G59RE^GTxXd`E9fD1M$v z)zD&eFMnEld;5zL?JN;Z&|f9?dgp5pr~w{Pp3|hrm%Xq0l0VE(MXTtDL$0`U+x|1-o?VwJZ=P9Cg4<-X@|g(8re5YN*j*3r#lkcBJZ|E#0uTt zu^X>)X;;^d|mibqkKGfl~4(0H_DRe#>F$_iLnGxS0Ve049XJk~z9q@u9|UmL9G z9ghLk{_e~V%U#mD%j&i2e2M*8ztW~R79a0^_-Rw8alXo5fAofq?dDCx^V?7C2eNrb z&D=ewfZo1cp+U*3lbpnCrWk78B;X-y0$NfG^}~DrS!t*X4Xhu3?wlxfY$)Q5W(Hqb z)3Msqb4CPGCfn~E_W~goSQKB2(F#>ooNEnt_n2bj8VE_{G3pMEJYHQT30&pv{?wH+ z>HHojNC@7;20?rH>Q>kM4#@h~G;{;kWEhc717ny3@&}j1@lU{o?4_ ztu>tSMxUywN1Kv?rZI}-aWb}o3^4MkpbuZmg5;iVH}389Ryt4n`kdE0oW%)?j=0kd zeU$ĚJj*j1#G{C~Pa3G@J)OZHA|Gbdd5mNV(eN zj*o%Ik1^H2(-n^UJ{`1fGd}A$WLPfKfTPCK#HDCTF7fll1zv`4W#T3?3WsBT@`L3@ zV^vNj5W?JB^Le&oJPtpc{uK@u zRXvgW_xx~@DC|eG?qyQ}M$)vm9MgB88mVAe3nsIa_T0{3}!$C+dLlOwbY-rdNN2nAk8oA(4QhG zeNH2waQC9C7VEKrpQ4?;eUB}$TR zd95%K1Aq3x3e~vx>UnYyEeXw5xdnf~$qXNm0ZinNAWvKDeX5F8?W~13_Xc`c+0C|n zQ?Yc?7G+gCi@gsm>LUNWz@elUrb0Gr^v`YDC4#a7LQa=Uo0smae~Cwu5x`~x51T+F zw=q&OkOZ)G`Jz5RqxAU0vzz;tt; zdlvA@H(Wba+muK>jpOd)$SEYV$L=e6F4WHUh^h>tfkA1K59JZX$r2ucED;2GI4rt1ciRl-!{D-peTf 
zJ2F|@e(B|lHDMtkp!)1GxLOl%;=Vu8y!|F)|BlEieF$URis#2gHJt}+XB!Qs+_#H4 zmkVL+C&Lab%7I0=uzA5yzs0Hn&_KbM{tELAml^4uA)q@Hbg+Tb5dDA{XN#RFEG$9C zHu$sLCjIM2(AS*IQJndl1f0i^*T%9G3JM0FIijLp1l#0ZE#Q9Pv7&g3^($*i7%OYz z8Dmys2GYe%Kg?`HnlJ4d*at`U-|j2}cJxXKld*chNS$slHr0zuxX#s=aNTKFan`S`plQUmvCGlu=M`m6(-LIqgtouMj*Ab`{y zZh6y}0R-XV7p4g}S(~esSkzC8m)pqS(jZ? zf$fW9HlK29KdtV!`PWTrrmO*PZjjle(fe^@Zs(`P)rVxE?0Ic_frno|~?7M^QGe?m;5mr3A=oWsoY3H(qd9s9R=^O#_f)Kk%yc|6>B$X zs}E#vc2x~XB#(hF&DR}}SrK&N)Z|4vk?mvu0w(G834+X1PZMg<*tBTUP$bzPpV~fU zp7PUu`^&h=vBq)yK}dNd!w=_dCJ5YV@*OaY;%pXVg_<=#gau4^eE;u>(nfEuyekMP z3}2wbd+6XXfrmFQZ0~;`&xxiz;B4P<{Ou5}QoOI^HVe(3)RDm~6%HAR|LisKet)Ct zLPO2F?L%kBs-bxMeU~l|$s`?`lsChxgXf2|-}VLu6uHnLtqN5Q&lnuNiDx%g&V`UN zLFV;&7TOiqTr2|iZ*mp5>@WruKT3*cb}TF#jaw1x$Acj(GnLg$?_kFf zZfa5SXUW;#gjdJKq^b*CS?cCE>8jmbdbT2xpHgSKuJbJEOQ9&BH(%ZBlwnK{4i0YD z2inWCppocGj@D4&Q+NAoiR+S;k2G(ittaiMPFk$HlkzUp&~UOSlZf&Zz%eQt^G_t@ zvcaT0+rr|3p49|4ea*KpH_ACO?`S-F^XX(me5ekjRXNfNOuQ{VgU())H5agW{l~UW zK`ZZ4b#rG0B<&sjKE4=S<%*1=0oXuTL^^0fEIgPN-1RDv4%lK{zSsqt zx+}X2`nQHLQdx0Zhg7Lz4c|IAew`t@!(W^->XT??BJSh403E=g6f_1^PG^| z!L%JH=;9_!&dwH_3Hi6HP-6DJZzqf|j>`_H5|>1@2sPDA(z(P9a>>ZDDovUqs`|YKg87%`GnjfsSpnfS0JTt2seW z$Et9}O(d<@ALs-ZFcBaeHxrxORSNJUJsX$tNRvQ=u;;-n_3^?7%6rcg4DozxPHzM? 
zLw@3a-+s`YUOSTn&`l~*-oJ1NzgS$qEfan=h=Z%Ijimp$f0$dP^$|4+#LJxf+Xh9J z`b0n7V06AX+rW8d%7qS|zx`nM{U1{UAA;x+A&OgGIVBH*?h+#;--<~kVcEkE!tDE= zKll}P(r$^rKDKqcA@jgg294T8cziFrVT3$g4sV&zc_(WluWJy{D7M5a_GSoMU=dp% zvBf?!^HdLwTA}18VJOywWw72CI_~&BsMqK%=#Egn0=vp@k+NJZ%jNs%#Wl1AZYP(M z-YuI2buK&sAVVlLB=R|O&NJ(qfSP<}5}R83rqUHzl>(?w@uM$9Wd24?zMg%TYY)Jz z^2$~jO|s{XddkEqrExjkCqxKD)xNPo>_T6?a)=RmkX0so$u|X_sn%?A1(qLGp3S&c zWl;n_FB(eL5e$340D;vUcFi2Vr9!@Vj?L3*wPK|aE?b^3)k*8O_lEZ8rz&4Y27x|< z_p8EjL}Ui1B%h;mK)Yy4pF1Z5aCG@}u?1ZH-7!v|SH&&eIuUEd_5%eRVGcp`g?GMjNJzR1Qxmu})KL~25uH6by_4bLApwN!?u zf`R4|Hm+#B!#+|t0v3Z3W1`LR0W6hfBm(cb0J_?E)WoQWGMg3wcV*NVlo{JPKS{oP zV!-<0v9Y<`XZL}O6*>a_VnfsNS%;h;Cg3p(V8z|6#%W>@_^A{Q!Rz1D^4GT6XNdj0 zLOl|ZedXkk@uv|E8Hik(&1b$uyt*9(4I}^l-t~jXm5=pJV)joAMzKDus|lq$Q&4+# zY~ZueHDTAwn0g?jpusk3cmpc*~L%9zkFsgbDDzNX#M;-qyPep z2?&jhM#rkYaU-0IR~8``-oM|oK(0AV;oJ8@_IhDLFFyBel5UXhMRyAbNOvRM-4YAwM!LHZkdTf&eSF?9_V-<9@AsVRoa^lW z)&*U&gZiK8ga(va-?&6yVXYZJ@j}( zpTRx_e{J|{?L)<50&Cb4>U-00&il9ci0IgO6npFz41WDv_5z`X0u?jJ9ObLsz)_wE zA7xoBzBN%KUnvmJ)A>4iqdz|0(<2>S$MRKB8s_%GNQ0fRWs~#7sjz^KzZDu^LUu*= z3lin{gd7_8>W^E51*#RkARhZ3DUbZp*asTbE)?*E`AFq;YEYtOqC~6{gsN?DMdcP# z%MYZ9<>7pkXv#V9cr?ZkMkF(hLh)>+@)m$TnP}`KnZ7=rKq@)tq6ZGS!%)?OU5XqH zprSNk3-WxT>d-kmQf>EE2Cglb&ayfjQ8`sm2SJft6==dRBkwL-hwxE?Q_InQEO)Td zy%TAyY<;PCS%87rz2l)mr;lAo19le8CM~(e!)w9Yf1;4SDri6TPJ1(y_gc zahkX436;z$Fja>GJED_{AhKZ9-@q*RIz%^EC^rHa@AS27R%4%EhtMglnDhC zZ4I28*LJWk@)HDf^|(EVbK01xr5RA5uGfdtb@0rhhtKxslJ5v6nJV%NRf}M>n`}gN zLc2oo61`#i8*;1lM#9Y=&+X!vd$CZbmK0TF=$Q|tEH*-m8Zs{+KtZ!Tis8RsMZQ!> zme1Tm_!RDTU}_FOeQyNOLz!(&M(wxLJ3T`(IRFEcZ}5`ECjRwMx`p>-wFY zLSm4ml-gL}ip!4yNJu<_&TY3)!xaX#_>nJ`P%t)1oQjT%NKiL^g8T&lT zeb%Szul~9QW_>IWz^!uFT0{N{;F`)0#;Dxg-O=+3>%aJK2X%LMo439LTfRx6l%DeI zDt_{0B^SppD-E;s%O|_MAEPA)seyY6u0Ok7n^E{tS^PC@f4|HCu7C0Ldp`6dH2swt zeSf)p4E#s)4*MAT-{1ZtmSO5b+KhkyhyYYPjxJ>7xGnH$C|0cmM0tK+MGb=^}q;avR?t>E^{c+#l{7;_Wy5_oM%Gk973Fw%xFPM*q`a z|Gp!5kURVz9u({Xq>OZ4$SzQSxO0Z(W#)g~>OVj2-H*($48GLpLH@&?dqW|luaAqF 
z{6h=yW14?{qo%euRAB#-koKRR0+_Bxe|YHse@&MUEe<#(6e)f}w64Ev%xweQVHyO0ca3cz4kgdgco*(i_YX5{ z!0Yo$gr+~j6-}HDg^x+UA00|m$~~p&>j@?&_{hLW6C?b`X8-B4-pCJQhIJGvszJny zY1+7abF@#uQnM_w*aWi)DA2-RR7sFFKNh{GU`%v8l{aZQ1nMdee zq|e%M+F|}QYcf7tBHjnE6!EYW#| zPCX-V^Jm`rkWq14hLmP@CVQMqz2CN2fUssKgkpcLeTh`%h2% z<00x>Ai;zfO!iM6aWHjs|LMykaDjlrBpliO^J4#NFqSENF1A&JP(vcj^&+FdyxOZI zSp$69P%W#G3ktUIaPMU02#-#CBlURULAVs_e;UDZtalAy5jvuWu?fiWslG=;=^D22 zFUS@zZ&PNM7G)lBj7oQ-z5adcM`#k;4vRO~URX5h-UvaHXS@M7^7VU@YFU(Ce+c#= zH&l%lCF`MYE#_|2qPRJZ?da$xZ^-cZMi@cW>b2E~)64viIQ!$;2PQt>JoqE&bi!lG zX>icXsuV6?jW*hAxj3$LV3yr(QSwC$RR#1;Om9muCe3_Pa&g$mvn9K+&jrzwBJ61A z#A5cP>QI!VC$H*J)OyKitKN9NYUw*L##mk5Slw)wQL*IUf>N|wFCriz)J`+y5`_nu zuG;RW@>Uu~6S=j#IJ{%iU?W^2x2`^*aT_9xq_3r8!`V#b4V>5c5OiAjS!ULYbGn8; z&RF)Ry)s_`%+8l3bpV{XU`?2%A4?BE!ACXXm@k(>dM4^~WjJadW`zN^FB*OAs%ZHF zit|>glFe+xo|Dk!6~ney)OWIbJ#6K%Y;V@XtLY?9<4$wszf3rW;)_mU#F z1z(LUVbP3s<&MswImy}FQ7ZgLjScM4EOq<_o3(&qt|k!*>y-FaX%mgyG!_~)g=j$j zMN2G)s?9-VU3#f0^D@oBnU9mFs(<+vnq)Nk1bJXy{EdxmcvC6W2d^Q`W4*vO*Y_Bs z8LC(fkFgTh=PhKjWg?M|-P;dFPm-qw!;9c!<5ZIP>ClEe#Vg&M`*6^jNI0w9g3456 z0-?Hla+^11zdbc2d@XrC_-t=NcYZbzy@a18nqM`5eLrW)J|0n~t2ptQaan-mKFP)g z(BLQMomYnD`>sn5eI5l{u`z{#)PE)vf9;Aobg>u9Vy5$NG}=B3b+g{?IXv+?)U4b; zg~I)KAQ{x;DAKKY)~%E8S*BE<^2l^t;rQYr@knP-Xv1JV_TqlkOaY#ZOFy8_~8@n}snna#CRdfqm73CpkK)*Xwkx?#Crz3dR;1 zDXScPY|9S^VpX)wCN=tSX!W{66xci|-G&Kb5%<$#yE=<{b#P?G%UrSsou?K(O+7N0 zm|k>#cFJ*R4AuZ3#;_ylaQ2Og!^H@UC&nB80cb%c~r$(fqeWZan4CEc@qkIdACwgxihZqVzXo5BG8U@62fp#P=KQ;pXbg) zEql+RUE1*qQNm-AaE7AlUUTKE3k2e6-=Al2aU5=+(JD+>^jRCv9PD#qXV3Qxulh89 zRwC`QZPDAeu!-}g{HIf;j8uIo%Cy4ueLWXUBrJg2Ah;sX9`O%K|;Vd%SiVneRfaumHXg~!`W>_4mUQDS++Q9>%>igInt_8IQW{q-r^n`jY0{rg&tI$erEvm^DP&GevS2O(i)vW){IgJC+<2U2-TAw|tR@Z$$MKz|i4SX=-o0Ho395Hg zW5z{0VIV2TUD&0C^XvChwpQxQ2Lo~tWSi(xNWam&3bNwO*wb{)RHZd}n+XpdtRtxeMDvQr`L z(4di(yJQq=N0agq?|pW9e7`lCv$L}`^wXIJA)sHDg6LV#+b*fJqr-#^Vc|*k^7tDJ z@ULYxalJ~p@8RBrD=&+$TR6h$GF+gpW1;_8;o@Qtk0skgAMV9YAr6rj?v6U^64m1x z!X3*^Z;2pGbPnIN_i9%>)d_8;P~bw9ai5uQwZiG$i4|VFwhWtbY6-i(y1S@Vq*0t* 
zajp~(!rK%%VdqxqD@M?Xc4XET`_gb>8P2%re`?)*C-sPfp;p?I-oRyTUPS@JQi!5+771!}W(p$B&DVA9n`<3l;=j*6VHk5h z87>#5(7mWXk;4EJ6SoOJ!E$&%nB1sQZJ&d3Hn%L7P)G+ zT-}?f+6wU$sTr5S>ko|oRcZY=XulwGV1TFb>sZEHFqGjCsQa^66cbtu1y@yy-FEeN zzHU4|I{jMCefMd)Qb-rkMgQAYP=~&+d1MXC9>kx@^=M8RdZpUs+!f+iO(|u@P=C1E|0(8_cedha7SZM=gZs z>p6Df7YuYaBHaC)cnG2wdN9@ zkGh$O!{enE9tt0PeD21t1Nx0Mu#?bEr|Bd$O@c~*DQA|7 z2Zij^NB*OvGCPEyl17Ln zY~1dJ=}6|e)FG0&aHnenbf+{HpX>K&vQOb;5r-2+ELkq6o@WeDo4?jF<*8{^a~WN{ zK(2yj2*CX+3x}Y6LFaYj!5rGbwk&Wj3&qy$%j_g!9#};ofXGA)l@Dy7ON;19m<*!Ni=<}gAQAD@qIl%oQSa77g>egz-`(l za6Ih6?U;12bsUW#%0nJss?F&2{=RFNw5)LFT?>_`l0c5`5e;s_?oPc3&skTj*}!X*;oRy&I@M1wZdOBwbDPY?#Xeubby?!$i?Ycoy#`b`hku z1lD9l*RYG9n<|0V$EaOSYo0QA`G(cV>|~f_3!*%Nm=l3h(3zUbmVU;^tVQa(Qx&SF;H~KA(>H*z!K(>%2{Ifutm+`4VS& z#;R9dfAz$$)omZ9_K%51;jSaQ8~A+A$t?}U#W2mJ!q72<>S|?tP&fza(xG-1%)XV; z6(XU8BCGBdlCq%S+7KtV7aP#R83Viw4vJN;HogdskHd}jr=DpXZT z$Py_G9_zj^aJ?6<)7PHMPo7DQ{a5 ziI$4qY*ekIHRB7v)4V2z&=VF1krPmHK9kCpuS3baW`t&@!9b)RbF0{V;Lk~jEL2l{ zmstX^>7$wJGN3`tSWobDC4n^bV=$7o>KaEvODpM@jDqZUBf$=$Yh`@=O@>!^sF#$F z+7urvN=c0hwAK2;Y%QC(D{>Jjr@Jf4@%o&>tT|xCdf<&NcUD$?4}me3(em&2M>Zd< z={DV@<*%SB!*>Q0dP&s?&cRh{f~(V+Wv6Cz&crnh6oWrzs_QS-%jUf4t)y6I;KQ@} z!f7keh&mOke^;;zwtrmqKnKx6lW$_oCd8Xm$zP)h1{#&jq|97@=)ILPyHx`{HomW!OP|^Ny5L?k3QUz#DQT16|3urS}&NJHRQFJ z&Wgj-^h>*Q&mR|f4lQxVkJG4&D{lv<;LfaO>62S*l)eX%Obo;SeL5}-zesw&x{{Ci zltdEEibe8bobI(C_Lpm=@5N?_1A+d)U}K%8@Qm}Dc+GdgO^7Ix4R7WOiUP^dI9w-8 zjN|yVGP^5k>9CS_Y|99Ppt_Y&WXjQ?BT+Z-dSp<9f$AvN)vg}q*8!}Ld!P-TqI#|E zd1r3dDBC0=_F@LxRp3(=ectuc0uP2NXjJ!b<}tY2VYJx-4}saLUIQ;h}Y52 zn)s=*&gVOq$WqjYeACI9waoTOe8X zhV@0dPiY{FSCJ`Myckq8<9Xd&a#LLf&0>x@JAxJREbV}ZP5 z-73`%6NiXCUO%h)W-AInKIjLbx>s-aa;(5`0OwU0VaSD*Yv)hF4xFT42k1hBRiYVC zIL}geS5Ku^!+v{YJZL~ClTnzNp?noTL_~`)l+HlkytjQ}6B$NYF@aoa@+rh)D{KKE zku9)=DcCnguSeF zN|HFNu+s%}y4Il(3h&E0UQyzPsAGY8VZx5#LiUbq6L%=ipu^BzkP|yu8ANilX0Ft0 zjzVSzkvI;f%$~g0c>>mLr55zUfu076l9qP0wzu`p4fU7h9hyC=hmYUlUz!EJ3yjaJ z(y=`I{#=HFm+m)%q3tZOG8=fk#RUD;E5^c?B3_PaM7h`1tI*P7j9Q(-d0DzOSmu(J 
z!AOLU$-oz3?KrZ@oQh%4s9&}c2gg`gHvT4N{sm$>#X**!5U6k16B#MHJ|s|#zI3z6 zD0`J(S{y`0t+R(2%i+-*HljBeX(^7~1n|BspoCiA9a2gAV5G3mwNktaJ9^wA8wZ)O zHB+MXxPhzO4Evq(5Fh@fJO#z_Z8#(5^~v&%q|B&Mr|fU2h6ari>UlZSX~{q}v7P?8 z+5knN&u>DF-K5@|f<~-ZZphDwK7SsfNnwGeVy@rk|Mjb$9mVp)@hR|oJvz$$z zN)(P_LeLB^PmKhbGEs&!h1kj;9?Cmj)Nx0%qT}7i5K3rvd&h^vL2NQxrSy;9j(bUnpKKB9*KA%WaNHdB{qR zB}US23;QX(VifWFilq0srvy6BU)#8_MvM1==)j1MJrV5FCy{jn{!aed#0@&tYsR)8D4T@IqwVD zjVH3{AY4AL{~2sNgors1D|*d@9j_C<4?cjI?>GIf5mK-b{lmdrS?Dc^0AjbAk6^P4 zFjCS;!})b}135&UnC_+Up;)cO_N%CtL4IP{V4{KCXK!o2**9qgzZaWgUn{@(xId3G z_RYof-A{Sjk5qzNR9Ef%h+fz!f z+9P&!XUU%-%)f>K%nUVbLCBP|K}?m#-s1r1_rM)pU47l$*gd0J$@5>Zk8S_(DHDy% zut)im^55A_r(mR{_g$Tx;_DOr$H#!onJlWA3j$&RU!=gpkrDTW{J%Xmr*~O*7 zC|Z7=7AT!p1$v$kI;in2HVCi<95}>Z_w4=62mf297H;FW%*!^&wr!7UE>Td7TGF1AK-pVTYhGDwg>7>Eb>Y@C!xleo zXB+5wuS+Tk4|3{yv8MEIBleG%;3Bw6MY!&g7H7}jf;R9TrvM-y=3e7Frv7~uT7B0; zlvwlAf7e6&eAi%OfE2H1J|Hdg{q29tlhA5(%N+PvbVcD-@u7L=eJk(A(6O8bOROLN z=~9#r|3u`)$NnE8@Ba{az^eOSAo3ECca^eI=T$xgt)HF60tsrQ&0b3kO~vO@w+bG+ zpElBR7^dpdImXWMH!;MIw$F~PxMHozN+hRZjd5h8j*`4QS7CN|%o8*Rvnz%MO3V6+ zX!v7ESMsbsI-FCNWXm1gFqz)YV-6d>x!zj$?>scVx}@mn?C%`3b6(5(hZZ0(wR9G2 z51qf+qr&}?r-^6GJ`A8OJ2qyy-3p#_S^=xl@6o@}5 z{%rlZT&q;l&}U2NFe@c>iSWV_a^k#n@yS;uDOT`bpPuq-oqK*S6gtQ?<7c?z`q@7! 
zi%&@m<`_lVzNXfB(z~^0T}Z%|K1&%sVL?B0T6WI*B*R=h>7cY3LvU7Lj(E^+RQs6Z z9Y=$x_EZe;`)YKTU5KV~#lb)sC}nF^OZhra49=xR&uQm!aBs6)$xkAgc&%-Q z-c+eO3*GV3cVN19`bI5lbz*#j&t-j1UcA)MU~JKL-}OBUS^+s{)mFqeGX|@Dsi4X9 z*j^&q_T;ls^TvKyO8v=!h$@x#9LLDxV|TxU*B$(Fbg$NKS{T!)IJ0-CHiv$Sblw_> z+1TK07ORSqWs?tUNq65G-?ci?%{X3pzn`E!>oHfcA29T~@!vgH_wVnGc*RQ|9-fYS zKS8S~^Q!dXP#OyWGew_WBK5zcXwJ^QJ5ha^(9~=d2jcM3l-PVho2AZ275}DG0!Xdb zO`P+k=6H0jCK_Z9j{7N>b~&)tYGS(NYoSDSOPh{gS1rD7(M4p|PN_WNo^d8eTJ9wFJay?z}>uvZC4S1bdYimL-mlhtm`6 z`cvCgu+P(;hvxBGdVbLV7XNMbo9c-%Kw}y3bQP!CC;&MC+?3m9p9t>Qrs-`b_Y0!i zyXJwtqc|%6*^Cd}Ro{qMa^(Hu-JkQHf+)w>=_AMy*b<^DD9s!qtag*4gw?$g>-m4m zsFwMlhhRZxT`!0%E|iPCNyA%i?pA%`4M#qmOFdwCsq_5Wbz^*o;=g75dJa}ho!n1X zN2!?3Kd>8ao{?ATE|nS4&Z@w?M=%O!p%31&Co0h&qN+UVpi3MzeTT^Q)wfZ%l;>D2 zK0bR8XLzsw7!S2Ox)!QC?>wAAe@tyIe#f~g>5=99SPEtC=Cm?6yE?r}785TxZ3zsS zSs1I<0Z9E+E1q4TfF-0mjfHp>h~tFwlK20R1p?;u9@MR`)X-Y0iEkw>GpS5>*e z(D>*L6G>!rv#or+R6Odpgj9vCEY`Oe>dS6Z=gHKAd1x{D^{xCN>AdP|ggeE}9A85` zg^DyS*vUSKVU|#1k%d^-5j@XQmS&%L*1UD=u>dYD(Cbek)fl8-YbbiMS`tf{fAchZ zMf92;A=$e1#i@ zc6FH}@Y2(qEU}e5sl-nP>Ls$e?)Eyled2 z%zLvhtcjyG<+wC@dpdO?>!*Fs4sY4IZ_eEb&cEFrSrz~QdAp5bG&<`*$fmVpX^a|L z3&p-sQ^d3#An?&2K;BsjyG?uw*0o3;^&H~!NaSQCzjVqqEd0*bKdsJcg}su}MM8i- z!O5ZrWS>e1?eQLDfplq7tM90&6Vi^)=&J^X`FD7va&PWZZ*U!ZU>^}V5t;$aA(`{@ z%+*qI&$|?verK!CWP!ub@MqHB+JteVYgRtsmEF>5PXI%5xg2l#R^~oGV?!jN&$s#s zxx_;bBS#PEgT$ls4*gqE8buP8fwr2n(cQ-uMCShf>2=}o99RPm`oeJCOeo654Jw@{ zu)X*tS4qRqUX|A+({ zRne-ctee+mM-!dzJ+jwl#%!fFA7ToCVt2Xv0d~?EJ4&DP3BI5S$&(FJu$lerOIv`8VL}|U>xA*Kee*R&86qlygT%n7 zAN~eH>f)Fr4R@GX4svdD#-o8kfSv_Y&(Oaqlx1@IIsc!3rCSh|4*$Y+__VZ~O|dwh zMs8klg&Xfb$OhhPw~fwtw}0k9YQ}s5{*E~|6~*2@-BZ(0D{0{`z`Al?v4#UV_of2d zg-1>$EG4#QK^z%A%IjdRVyuHdKAneSm8!x1Tkxg+4ZA0yi;}eHsq|41G&Nj^PA^1J zwi`fv5o!>hZ&IO*79z29rA%8zB$oOTJ~iQ)&39J9tu&}il<*-0JrrWNaLV<~GAx)q zb{=$-?tJy-8^=j`<`skuPRbLfco9Rmn!mG5o$&33+UMleNNXJ@XTE%I4)>#Kw#3Wc zfx%BPiLx~-17@kvzJ#DEN7}Jm#uHe?dG0IXEGMyJq(`t+2}8b{*>gf@+f5}coAHmg zf-j9!dEr8hi}wTO8Tf^(l1*;OA?Q*UL~xtd-)?PE*dB*QFuFE>;L0(sgeTlqU@{uS 
zsoYuDR$#;^Mp5J+O(*5pIi7epmbK1l$u_GElRKHtA3yEao+exN54^)d;&B03V znP$7)4{OCXP4*_LiGrqgW{hhm!MwG%2_Ur7kwgbO@70ejUYH~(yJqmOZ)srne!6W< z#76iRDd-KuORyiB1)x@{(T0h{ll{VUP+3b*9)nqK?K5x>a{%TE zErEGV;jzJZ*=tGQ*L1CgP%SRhaw2Ri^|s7gt2h@hjc7j0|xz^5Rt&iQd{HjsVD#C}_X6?@M5#?RYOvmIbU4uI;FF)`P&?Ai2 zqt)1;y82Jg_3hE$iS1|OXB3s)d=P}iD_P~qUE&{o%TipzD7W_&=1&2UOlTQ>rK!SQjp~o7jrpS#=~rFcwsy8Wt+@ZOG;zgt2p{ zw*)M)m`~Iz4oq$)wgT&e15|GQ+f_brHV*giz}vx zndp+w!?tn=?qOSpAf%wM7yIGt$T3eG>Omr@asqe4Fg{tU(z}n z;qns{@2Uyl)J{8`fxFP+5Jka`!NFKo8MZLVtXiG5NBLP}E10oT_3}KhKc$*K<}VCx zbktxxDb6=bjhA!sa6V<1n%aV?k22ynctya+O9?V#_y*?2meTaO*|+s~O}5{u#Cj=< zN{x3z729u;f#PbCV1aHciv+H}TV3PKg3zclJpFz)Wjz|8jj&@LYyjK@zU&t^npD;Q z3k;!__qVRrtB9lJpGFNR(ZPFg44WOn(UkTz1E*FZ4!zS=jmP2x-=;Z7a%E zgr*lsE0UR1!`;64ZOMFWq;U4tOh#O6=NP4E;dO&Zw7gDPimyx+|NgDWO|wUiX9acT z%PIQW1-$LyuMgfN5}LPH@^09>DATqDM`Y?>zB0m9oAb_633W8ORG3?HD43Rtcl##x zh@&=b(fUk~c=UrN%uIn^&*!friq@#V1U+CXr_dqO6*7^>?9Du~{Yupj3&?>0EarT= zQSDAEeQgB5iu4XfNfJpiLq^8Nd3npER!@MIiI1om9N!W!Nj=1~pm~104KpoQM2Eev zlimT^!{{d0lr5h9PD%~THLI^;preP6{lyRtn#)~2!6%};teKJAfILP#?RNtz7Bq+F zOLBmcg9ZRCr4Da5wtin}6W4K#yJZ-~M#;D)tk{5;qwmb-LAf%+ZpCtqKdE6|X z_xixWi6roV;!>_Y$PS2FF|QHp|Y&TM|!ILw9udYshGEQF?7(!kSFH8jE5bJP+7AYOa}u z1x$_{;yc{0v%&y1ws2T$a-h)}_H?$d^W`;%gDM~|G{Y$%cJZ)H-VOaim}VpqWZ58R z=iv;18A)%pQT?FQAc}NJ3+)6c+(Tx-VF-^C^TlLzeVKt%p@t7QfAi|{;(1Poy+5nk~en1Lmy1K zh`4y%u&PeyKl3ZIr(04rx?`Sz9aDJ>CM#PkfBX0iu@=o29f3GA20dQUP~Z!rL| z6YC@U|Ebzdkoj*KYs9_BoT1gQasbhvxCl71$08?wA3&Z6k8^#sBLDupL}RfBAr|JEj=~0Ovv>8i#)_R z{fj*G>13AM(fioAwID*X=gc<$UigS0;cWH!G9>+QjEY+I6q=d9)?D?Cv^=mON0Fi< zcc@KMJHmvNA6nt!C&>NuIr5OFN9Pnf%iN3o_RZo61))c$nE%u=dBt|ntN zR}dL5RDG^#!MwWHr0G(2&YM&Yztw(}8nw967XeV0m%D;9?g3LwF`qy(8TEm>dis-t zpRENz0-~k~=_mbYUplSo_?D0fSzd9%hTI5^xELaY{g8)&PbB>n3mz}tlR}@4J2Dmj zisyxlfc9g81y|&q4~pQcV~VV8_L=OLC}VFidHG0KUfN)SolWQ7<~Gt}F9?t$etKHe zYa+1}NodPL*z8U`zGH@}XbG!`J+?>Ib z4**T&{3myrfz)3_BHMmV;^Ge;aWMDU%h4L8=zUMBdk`VL5S())AO94 ziI?x$!ZIqR>ZC^#BF8Ac?fj%S>9c2o@U-b_36qKO{x-3K>$1B*%Jtf~y~B 
z@)`{wPl$-<$DC;6To5K3wg}dherM~R6KnOeMe(>ox`sFLsQt1Dnqj)KQ~WUHmlJmj&QNEi8)NoAiBXc^i8Nt)9{UFsuJ`&iT}m z@Ai0`5p>SY%{c&4h+Y#-&6Jng&9wB^DbGYnW0}o5*ofyF4UN4Ynci z@$u$txSfMS5FcvPx1bgI_zj?gyMg|;wo^lRlgw`;0_Y%FXf?&Jlv-4dH;>s@UcJJ5 z4}DZylKBP>^pLYW2}vmIX=$S?P6O2*6YQYY{aZY3c_KUY+f2=0!5{tUQoi1R>j$w{L3J0W;Q1gRzY$n!N_16I zqgWP*V6(SHSW*?X>Z-L7j5ksMVsMY-+oTQ|R?|rwhmK zsinAlJAl0}rO{pciWZL^;OUv%8F_x+@!rs-fF?gLW;R8l1;3cfyN8U(o zHV4dkHw=H6tWuhh5+P=nLf61YS`bS#4tUyBGKBUSH&S7zNTOd)E#NuI1rnRujz9Ab z8*d|7xj{a=o<%&;dcZIB8+)GNy@y=9&G-y(BYKkxyZ`aa6Q4o6NtrQS9{sjLfeuLM z?*JkFcKO2wY-}pTsWoysroJz0zX#+=eMqF9&>u%o!zTe*W&PMkE~o)KL-q9Vrh(jP zMrbv4X}I8af4{?!3rBLE5oQvE=PbLRV4WGAH1(0!_n~g+;PgP$B zu)4hTy*ci0%$hU&M6V+bm_nUho%p*7-$7x{G`JCn-#F7!Qu#@MvFB{!? zUwydQCUu zaEqDs?lkNEkFA4oq1{dZ27BEH2$$DGNnrecav4d)%1&_KuVF{WgPYxQ)4ebvWP98`{v7A=`#G$=;$v9*Uagow){WW`xqdeJh>jP=RlSOUy zHO%DdUdj|+<&UgqCChf`FjC&DF$)iAqr}gO^!1;hG)g|X7if4IdUD<6oVy;8o0q`- z^Py@*9-$729IfxH_094RGryYJd!v19#qA-`ReJrJq)h8GWBlzAPT`U{7G2)N;eV7y zbm*$>qzcQjfC+eCQ!%@s>68r3Xr~Uo- zNd#)rvDY9E74^I#08;bWdAfA!tU!2ufWrC2Mp@hBBH|r9zI9nL)wzlV^?6K#hPLXl z&oWfPqG9%_JVrN+tICsHU3}%FTJ(t*^12 z&6E;rrm~c2G{q9;az_@orN_I&V+O5vnKM=Z#wvuZd6-CpVL-L;Q4-Gr-eKAM6rdE0#f zPjBb-Ilk7z%qfPihO1B5PDdIYY%qoW0C1oItSpHgk*k7{l@1B=*{xYurUxs;S@%rr zB-2^u{4>{P3JC!5L{X&%B=L4Ey(sTzG@mcqyCR3Va6CP81u)FL1LuR(r8jr*< z_M*i2X%1PbL4fHN1N>*{&si{eTUWfRKIWOW0>44YwctDs_|SMX8=5@^y@`6~6>7Lm zXX7-qFI@`V$4&FyOO)_i3Fq`8?4^38HH9SjfHJvM7|D$lmrsET88oTm@& z&FY&bGsAPOJ{Tn-)Ut7Td)2FJU?_9UGL(1wop+q;572#gzwhWDCZ2wY-ISf?O@C(| z&l-KifJQ3x?sG{RlMmF;b)IOKWdF`^5;c;A*t)WLRK3al6`FEpDHIA=V z&r1*4m6BwMp3B>Kd7VAuEhC&zmz>@}#)G)KD~S1e!vtk2<@g#L?bpH>ju-Caa%G=4 zwU*%zv9emI*%=gF8uB=?3N_Un!^RT%vD}#4Z|GuxIcy(J9B%!RIzZCAnV|xkZTdZQ zP$VC5aH*KklAmBkG2XuqKi++6b4PlZfCFjKUUcl%c^dCfG(Xz(rE7B|QcIcVsDm!}f;vhy5xG{yrJHxokOUl&1-k7Dt6AA9!UF?dnwv_Xy%P~ub<;xywFoxgcRHcE0U=E< zFY{frbMd{2zr@=B&iYAhbpqdg{gU#pCug4@!LP=C%blH>kAZ@skh|5;8gN z$BUQ301O+~U!>wZePB4De$;#I+r$Dh+}ya{I=~emVVyc_$IG`EqYG&EW1j*u=FR+T 
zO>_pE^4BiJGh0F|@`Z`rkjJBzS~|Wrz1&N?Qsr{ze2Js?i@`9DRo2h%gSx}_?soco zfPF3CiiCi^1A#6f;^I>LoR6M=Un?*6NRO%1(koTuYw#trlyuMpc=i8DR#Bl@j*6k9 zzp1saSXn)|J8gL}>9R(_x1A4jNZ;Uc9m+XhH%< z3PuPwL8)z}XGO76r$aH_;NS-k{*Mg1J{0nrfFDKuG;K#q&oWudA_NRX#S5PmF>^UBAYqw_%)bU>DVi?$yc zUTdP$&8~4i#yEXX!_jiU*4L!kk~wh&bVB^qa7d)jYfe)%aZXu-My`FK0VR6GBS>|y zH2~wV(W4eLpIWU;e7V&^z%6}aciHPlnieIgQkKBq<+ZjIsWM^zatX7QI^%WuMeHM~ zzt|0Dxn%D*X`{p?g#!8mLHqED1vuM2K3!P==okA;k|MbPa~q(QVg0;}0ZKQn@J0Ak z)0Cn`hjutK8ciXZg#u*Vscn~+@#VF`P2q-MvspEBGZo?GnM2@~AJRKO$8H{-m_9I1 zE0uVuh(A<3NkzQf#%SKnWQoTt8v$v~LSu3b)K!1CA3zK@rZ$pdudxl4S~oFugTAVX z!2adgrTeX6W*ons#IT8_Rn^9+XJX?H<=7VrbuYwnSd2SSpGyr7FHj!JOHzaP+Sd6p zJBh_U2v;%h)lU2YgUgiS0IWI8MEL2}!^lQ=)=#I;U1X9&Nq9_eFYSVOIlgdaU#;8z zY9@taphFz>xf$p8jA_1#s`Z7(*RQ#P8si+f82elgM$D`0>l|FM%keF&B)=jzrLXj6nTC%(Jbpa;PFBnvQn}p1ME&c^&OwP zh;(Z;GUW4nBXtl@Rx=T!A>0}z&;{dkx%|&IMEV-;|4kbr<{)#pXiDUvQ`u)9M|S30 zSTyoNJO&TAqKpiit&~*$WFjr`icuSc zBbP~NSt(fYZ9Wm44G5eT-O}CXbQ^#BoVTXhG@p%EgsJXkglID!#&kY#mII+#=!@mX zHyp2Q$5E7#36;AMV(3t18^UdL9!>7cNgDND#h7I;BvmR3w!6j*1Ek*PctNXPm`9CX z{~xd=VkwTU{hKSX>8WTk%zMA1W4FuzZdF`N{K7lN33yAK5!<%UfCNCx*lUK;CQ_d2 zAlNL_WsNU3n7ltJqW!|8zGABfYKKcxCG0YG@O6SO;dxy|Jd1%M)!)e-7Lj);ur z(ojz3MzsZdc{2wZwwv%bQ;DrsNq13cheJ|ZANWO>2=YfF2rWwS`t;#9#&JhuZG~xY z_Ie>&#%RVjx`|*|;#%J`{EI?mW2ihy3QN^r-G2rMX$K4Zg$YM z&}L>E6)kf6n_bD^K^n4$?AN;Y|F;+s13C*O^4a1!L7uY-yns$FvB9H2&A8rZrE)b7 z3&dPYSG$+E(5_JaC_EniS<&6Bt-@bk#1i<1H~;b?A_OFuJt^{SN8>ntfOs2tX2? zUZv&8lP`(7{BUH%LWK-Bru4mLQ8)kiAYDq#cbTsLwq(+@5%hTt=|=j7A9_d-!NY-u>HEC0O)Ykc{4w2LBj!{I8>5o z7BOO}(j$e61k8NA*iYi>%d)()oI=l-oVFyG13b!YkuOaTxlEtD);LS&&)veHMhRAm z)Z}#kAMCw#Sd`z}FDf7+AfTi)3P^*1bPCel4bsxx45=X9AW{lQ!wlWsEje^Z2}8%w zuphqXx6f<*_Bm%?`+d)K&UNj7<{y~nS!><1;{L?FWLsip+_;@k{)JHSmKTowi*J0J zd+HYE*RE3dQv01W-qMP>rw#7@pfOp_dt%?yR(o9g`0*yF`a(DM2~FZ_a@yo|>o1`V6#70LC<6lO3&Fi>z7$8yS+PR)J^;Wc8? 
zaJK=b0l&?M9{4D7`bW8ut9U#SwG_ZSCeZK#}=ReWOx^+-4R>%KVB|2*DG9NEkB4Ka5Wh zW~czHe)J;T{&!U5Zq50Ds83d>Y~I;bMtK~q^)b^@(V~2gp)GXuJV0*AAD{-uK8j~a zP>RUuAk7wk_IWVz^bY0t9R9qcC5VF3BTnf!#acNt$U-EPjQk02qzk~z9)#!A?O|M_ zCr~{!E_#tg2a@pY8F4=bVB*|D9>vNhigZ((L7DKOUcd}-Jonfq=+B*%HaZ#6ok#z* zmjNJyW@5)mF^$3_CuJBheB#K&sEl3GEu(7^&!YhpHaO_nrQ-=i?4Y5Ia=%#Z+2;Ui zguZ-+^?MF;x5wJce*xs&GfAcHu~n!;pjfYOF92kmQaYmPA$|;&4i+{R78djo_m7no(~HPXw!IeK(}utX%Rl!L zKq#7RHT_~VSKI60_}F>SZ{^|y=E%seny$s6^}~*8Kk?5s2cSEa%>Jo)DBb^BncprN z_JAbsuIPC}lpAC8HwmuVX{Ob+fAg*HRc}ZM6^pany}asoaq(UeMudgM^%N$ptwpe} zN>X__?2r5#nj=hj+Pn2oJ57R$Lc{jp@X&GaMOKX#Q1_?PKbn$%tIWH>$=~|XHM!R* zf}U7yrGt0w6KTo3XTs47ukXLUj~xFzlp^$@5sLl+1pVf@;+`yzMqzAY2=nN`v^2 z!tdTM9|#Qg(rJ@y4TIClmCD)ZTvrw^EkAZ|GtsB}wTobSrG$PUvEbD+)j4ENZU#kM z)fuOC?8rsOha(|)mGU^;e=K|t;g^rTP~lF<;V1>0_zd(Nqn@$0B;YEVtBC*pT@mWl zo|xJ69R3M~Bt5#_r#ia*bL0&8(RISN1XA^RLxhjlMz4Q+7Vv2QQM$LSAFj(N+I_V0 z4AqF?=7n?nTywNf5G018+f@b)4TCp^d2XAW^~EEJer?CycU$oHRn6RUzE17&w%l;WgB3zA$>Nj2bm%Hq86S$Ujz}{P6}_bVR)NKA9|f zmu#7Nbw}-MS8Tmf%hGi95L9l)9(SV!_vC6*vC?!3KGDAhI+n)XvXPUm?C68CRAAH( zP3bo+F^S2~szE~HliLfrBpV%qe}ww6@E6>N6?ys!>6;uPZK7>gf-~4p>>D6&Gi9~8 z7Wd)|QU2^Eg<{?PAzR0?xfu({A_`~#DU#{ZwQnLWJ$67;%O~Rz-yi+Ci$C>aY+Od; zVKQnL2Iw)YCCa1apexqSq^%&?C+$8ll`x~FM7FH~7aaoVole=F} zgA6ocBK{h%PDHuFu096yg)Jx{$&p{y@L7yc+P#1GSb|TS+l0;X0eiKJv~QDAaxO#F{Y)UX2D*00Z$1z$+hcc{ihqpe*{ zQZDVMM3eqLIq!Z?^8OWiy=8WC4cR+08#uD=Cwv@x5M2lr%_EAp1wrChw ztk5OfbSf^IYkIwKeloj_gN}}wP(6GbwJj?ZuS3(QSf}tQOX8Q|@MohFZizWHJ>gh- z*<1p~Vu5=ZZ!}c;1QVwRmPKcYC*^$L?eatA4yxFpZjaofR9d6dErWkQE-j<8NSXR_ zTNgJJ=QCI*Ek600u-UmlR`VwCku9jsId4{%NTZNpg8ogNW$*_bpCks}<2Z`zJu$fs zpP7mQLoACim7q#KQA|=^Dxo3+Di*+4wkP&;wxT?B5)$~riet4V@10h?RXIQJkR%@+0H&79vwB#fD;^#!a*I*XdtD(r?xsU63HPTLxm>(T zeZh%wwU+xGMGmnA863rA3~nbivcvg_=ic-^F8mT(=5BWT0Pb` z6!YpoCHy*fD8AfBL*qUqu3jx#`kBA-8ODbd+p{lS<_;tB@P>QEI#XzM>v}{r7hPO; z@D7@;<`c*ypgpm@f_`;%sx_avjm%rx=M=P5EsmU<2T0z$W;2DJ&HA^i2E`u=oXp^A!BNY&zB&ZPjP|- z=rz1AK3*l)=-KkEi9EsJOivY%AF`Sd9kTW;o8vrhHsWfTdVSjSktHLMvy!M6g9a<{ zEBUnq8Z~w*|^Bzm` 
zbD1B|KCUFem8Lyv40YZutl1TiM9(?-0+W}r6PHtIY;l~CPQP!H?;xqpnj_xYY=1_a zt)1@1%_3s7%xnhr;?+&ovDLzaRg2-Xu(Z9Z)p@pyaM&@5U17uFkvW^glyM2JWqJ@9 zmrHF+g801PIraI~4;qv0Hn8d8XO9w-?E;+3{>LtZ!(SmnvPDt9E^GdjOEN7n(3-X8 zBf%#MElOhKKFwJZFfQMt2K0O4TS#l6hHEZ$y~Mi+?)ocW4{cPt6=JVXd=lg{`tuHc zx}YETYWG(zosdbswm$QSjN1LgCN9{tuS8gFQs!N}!b}{dUx?6kzOv_l6)Hq@0g2@4 z?zs|5>i^^@>+ccV*C(tzfou zm)piteh4k{YVznLvMeZ*Z=?9YghFfcm{_@ihJS_B78 z0_F$b`46@?f*t(*Nl%lK_^BJa7FG*rtxMn72E7Q0Qy(65d6<-LpEEv2{<+(%G3C0^ zDY%(AH>&Zqh>K;P71Cb3&I^G(dcKQl?oJ@YA(^?-ow1!XmkShF*Doj4f^`KCz(<@L zm_$_rbNhvthI6GtN^O;g9rQxBllxhVUe)z}?J1&HO}7~`8hP~@zs>G11L$Yi_NyGW zJg0$tQb44Wcm}I3x#VITC_<3v;$z{@#S92@r+4tOKC7QQrkedjlvcJ{apKv^wvv+LijJ?n*x?D`)o5c~FH za$8%cEP6IANOtmYtnKeH4yY#hJ>+H-u326^`sTJGZ;K`&E&f?PVG4$bS;$)htJg4@ z-yN(au?Y>8Q}A#cy4-alzKS|OS2<@gOhbRFPs-hgOoAUhB^Q&a!pq-}nU?4vBY4eV z{dQ5*j-SE!kkM5|;2Va}9@LK#yi!VDRqt{kA;ZK{md}{TsT~pv-1PQ9h{C+-a&H@S zt;3)SxGqbb8f6Pbtv%Ej7@xN>yz?6yO{->7Zv~1~GjN`6u@-kg6isI8kca4+{fsMt z8m4tdL9-HXYSHSV2v(N~?P?1W`6dqczxf`itU3Z5<4g9jgtw&RW88d8`|EFq7=Jrl z3F{*^-6!#g(2*Z0jmiyZr|(yJrTVn~Cu|!m6+%M#-?adrK!b&&w~aB_*d(bNXZ>A? 
zOj*P|l$ftp(5`1O>IU<1oz+Ik)+YSoWOp#GibU|HObdZCi15G-Iapvn&2ufxmPl&IuRZ5>gF{d|8$?RJ z!>-%?_ST^FU^zN?^+0RSqCZeI0||&wo=RnP5Hd*yIF)+X(zH3^gkOfexM{HnM7!hP zOtX|{K>cD72-MeDF6*Rhyjt`Jn2Wn{-HXvZ(oY;)=b=3d*S)*oo!gzG>}yNU)5>!n zHC32q$h)U{OUw7)v^e;4B2;=vb6Kf<;OO$+ElQbp#)J7AMo1_W`!uGgotaD8GKQ(^4+ISPNHRq9iT&SPCVtj%S~e3Z!4cQY`1 zdd@3HO@SCG{kcHkE7v=mV$P}f8aY87Ruz;P(Ya%sdb;9*)(0nWd|a!!^O3T>c^y@6 zKEnpU#pyjTcSf7?l$wB{ zR_$7Wp%1hKRu*HlHlCKfbK@?}HRPBwEBd2dJd+Gm;BOypmKL+poU@L17@FTbHjGfm z5}IsB!emG;GZ`lenGwQG_M9u`xK|d$g>S}R;xxHk%mCD4;d`}NM69KvzBjcx)GPAD zYRhuaX*+_R9Ht9twUH-~VJ17 zOy?0gj!j~nWSX-+))zOU?<-4UpDQs;Hbyj;++49jq4ukbh9BjSOG85lUMcoywHkIW z*?5mjn&De0&e)rz%^f8f|j7X}UL_AGn9n$xT`jCj-}vq*B} zrWRbC_Fhaa{--Sy8haOcgm*s~GYCDL z@7z?3-!muv6?LFZLG0wQrLz#BwjrrpOECaF?;~`ade9U^oSp{VS^V0v_iTwaI&Yuh zzEt$wSMbt7)zoE>-Yq&}q!GF&ns36?Z*WOp!99fTk@~U^sNDQx%G*Er$JEdY7ATgu zJ)yC7BEO_*0LDUVhzRF=;>FW83F4EPiaGb?hN}+~T^NO}%|b7m%Z;W2!78f!%Ry?k zQ$LbRV#^Qms@n}irCD`pUH?wI7m(4$Ovc#(NO^s;m(^{$4RJA3Bu;5p_}9MvgEyQ> zAbW%4tX1Ev>0*cp2=K(lp5mS1r|s$kQ2Iqmk8<{!o4BOp&L+ zscZar;HEM&l`1@!JbDvGu(g+e`!k|*=-1Q=7?Q|hVIESa8DbhNatZwPysb?J<7!xn z!l<+CxdKxRFWIgxxKehE3n+1Mhb*)muib2Cw%8bZR^H(VXu2$403+1TxBYA&^p8x9 zL@x0Y^_;zl*`$v0{kCi>i%AV!Or4Eg$FN1;_@yrtJoV>vyYsC)1nAt)k0;7;5*45t zIcBxZWl)?>aq<2RJa*j{!+vE@LLn277&^c1o|EfGYoPdj)q6;x=!u-!CvlgOu3ie^ zOZ?iKx|1yEkx8Sfn@?RlLv6@kB6KIqDd2m3+loD_ zoJQz|tX%e-E#~la;~0Iu%eSQ@7uFC%_9kz(1%(Q=2$F9%4t2Q_kx9J9;4rVq6;lQohd_;uO#k%is#0FQc+N^MYT4%YW#sjXFxBWDsFwK@{0xJ26X+1OK( zgQW(YK-V(Q?ia;pQ1_C~>48a!X{DDc|aO#2r|55vf!2917>Kmsop z1nPWKmfzx$s5`_iy5Txkj=EA?^&Ds%egC1KSzjFw=|L0R;e3mTIra{3UQr|$v6cuFZ9Z@^>5!D zZ?w&60mfh2bNw~pctP;hmvYo?r{UQ00ONPF`fR3y-cqB%+l|C-v6b~V@evna=F8pD zxtZ-2ha=o}mamX)Jo}Og&14i(Iw4M3UYd(1HC4(|<}Wl`l)k&2IadA)j{<2;Y`8op z5|dFa)Xacl&H0JqRJ0a5p^(HZKOwT;j(re}OagPYaScf_FZDAHTJUR3agJqCA4-ga zRXT8O_wxE~?gKSKcOfZt>TlGVrQ^MuGK)U`-aq?+`Jo_Aa`4= z3BJy%c&WmTI^%7U*}e}1&3jYsKo)pSIXrTZn`a@o&1;? 
zWzGpn5s&@CH5)SXc02%0XIuQt<0urkGeNV(p~2R8?G3)QcdcdQqj5np4>=`NRLmH3 z03O4tK%hha^=NnpCgb%G+NWkOi+E?Uh z8JueL%5fbq@-T338-irtxNwPe&M-}JPq3F%QmpV7A>hd%i$uz0s)i6H{p0UJb(ON*#kzCGxX##i8FOTIs?Mn7l*VeMNBa` zXX;;MPp(iZiQ?KJNPKFVFApy9lDsXK#zr^hmlHp_jLh8ESs4LY{Q#A$Lkc1Qh*XdZ zcM$dok$#D`Pt5SQ4g79X3zebJMhZ)uxok5-xZf6={Fyl)HN=tPnN%63nY6faDBlhw zFBF@E==qv)X10hd9%{bgkR2u>W;5zE!tZgrhuDNV4j?X{p?NGqwpXyhG{#OE;T9$D z#BJ2Sd65|5d`#{;#M9jS)z;IIgUa8s)VoQlsC++1|E!{kv7;^q*Cr&qAa*b4HIWEO zpItY!eW_<)Aih+lIU&T#3}qc}wdjv+_pz|>11=b|Mm3D) z*|TTB|8u+Vf3cp!Vd1*jFEb(Q`w{#6x1;_YHt&b}{yuX5Cw(rN>jKtqTuTtNNPvR$ zaM^^iQQN-u(-V;=_-l|ZIDb-6&R|6E@9&TDiFJMsH#0Gj9K8V@W}NT!1yOlA*jxRI zyZ_S_TExME&OW3x=9oO`1ZqacB49 zCXIs^4i)u^aErdRJjov&@GpC=$Xe9!>SK5eoP$UP`UzjTP?>{^iTc&6@skC}w>XO3$qU!GXXE7;e(sM_`dyhcB4dy?; zVb1#xx%;|YRvG{7&BJ#9k>}TRmCFBn2<{=8iu&ELi4uRYiT-~0vO52cu z#X9Lp8ry_Beih`;?eXVnwJ+cwel<^;bW^!HAyvIO?Tto}c2TaH5h5l!Tlyz1{dF5H zr6QW1p+B1@{ACq2RT~@;zU}>0b#y6(vQ5o;Y!;(pIO@3wx_L^m{(RkIT4Y3~ z0%)AMXGAn`4sMRBdUKzIh4B+@+~nZtrODJ^i^aouX8-b(RK{voqV3byWvP!~tPSlZ zNdhNB&d_K&&Mt?LQ9GuB(-vqIe||Y{*4pCCM{2()9m9^x^(S^qr^uM)Ym` zM)Yz1zeM!umg+mK-@lN^DgK#s!#flYbLhRA^#C z8h@Z&`qJ>BlbM&jNlZ9?^iE82F%>q(<+jG5=pWhV%j++U9x}+9kY{3HAatef# zyN`IBe@0(Hd}12-eT|w3zS@lqIcm3KelD7bUdhZf-6snK$RN zB{tgFiVEa|vOd!d%4Fm5FU!2CJ@RjN>Y{|c!5nN%HKdhGjQc$((zdGNbrcBc2^8GF zgS@?EaccLD8P)<0PNg@d)Y())XwnD&(-dE{PCe$tV`^>J+?fM8`}A`j+%0A^(_d%L zLt6g;#K@~ICg4ozxmB}%F%(F}))33MP$y27ah*;@Dmlrjv9Q8Y=p$4r??mXa)v5eV z^YZ=hvvP=_{n`T-?_NX7uiQ>|3;&L{xsdSwjyu3C4!)P;8s!;S1&VrVag%hQ6( z>iujZO%FHBVT*6w{(+mdL+v+TA<>;fZaRmygrF{$i@<6%{quA7WbSQN4Kxk~(WsO< z-6iQP+l;GNZ=VAkHrHh+o5vu(2Ak_d$hGOmI)Le&B7gDQA=kg<$v*W`kJa4aqDRI@ z03FW6YF^~I6>>b{8m_K@#0kb9M8pf_*Nv+>J|=4 z&j<3w42GqL6ZrS;pvzy$zU#{MrO6dZm5@^PsmaKM_DL%zBJz z8MMnp>6&ZZgG4^ZUVE+t_U=v}7f)}UHql&8%YRGG;yn-y5F;D9m^OUu&0SkqA*Ngw zn%}CzZ@j!!)w(|#=p9yg-P2`dNam4|zynh0X(dsL#l4Z>zlQYl7;NMPP^{Y3_f6AdTKs&~ z|0nHtNt>yQJl~CexF24vtJa@p>2WsNd`{acXMXbevFo!$4y+&ke7TM|5V$YY(aR zONuU+TtmnlW{qspc)`>cn 
zbXjH@0}a`n5Er43XRyBnfa#)wA4a4_i^nHUB^NCZ_SC-`B3(m=8)X)>k0Tfm%GQp> zNjsD)Cr2W@(YVQW1m+T6fU0-Rs~gprRl!da>`?UTr;BNNCNc!pt4aka;#hna)SNZN zB=x)5A*OECyX8WWZjBV(+(T3J%i<4`!9Z?IcD**(FYkJo6l8t_hga*TUs^T8Km-c6_8T>av zZ`4Dh(RZ7~;kyd1zBadZ88kZ@WA)&{)51*cZs|AeKM}EL05S-@0yS??rB17mzKC_* z$$Wl0r%)5?krltE<@Ji`>T1%wDjKZS@byQG8&Lkz&xx8W-RWg(jnWvOm+kXK>Y!+L zWd199cTa`z@f%zrOONlSJHw8Rbj;_gufg5Mc#mOjb`vky4eDyOI8E2(Y`ED)bNw{2 zB2SZia^;L)gi_lpz#^<0MXj|ZhdKjrQ-+KNr3kvgBOW@?I&u*{^}-9tQKQ?8)h>Vf z1RedPjBzUb9Ad_me8<3hQSuU+iN_-rItP5I0;ESo5+1)X zPY=HU{Lxl4^T|w)=*;@t7OyN_D#Oqs^~e-5#IOBx;EWuS4&xH!byM+JmAdgMCjo;)*(UL`85Sx) zOi?jt`vZ*^#cB=CO^~Tu^i3|SVl$uGNdo5zLLO<*q&q zE0cY_i}g>3F0b$}gN@Fs zgd#uPD97(H%LiwA3(fwT;tEgW(hfPuNa4_1tmH8*UTxth0n%&EeU7>P?FQRhOk^J{ z1PT8)9}J!W4jN1la#VHa0@wD1!DD+|o$o4Vg&p|6X7GyYfCf5pA%RJ@WjQ&~NMa+o zL|O6V!5v4K=#BF`Xd;Y?1E~&~>VLw|qC^V_y`jrfIs#Td!Tgzhhm`1YLMg!L5e*Q!wYcl;ZM8eCA-1cYg+^ zouUTbScr`Ee5u#>;eFrDF%lc-TI5>bguJnIis$!XXeq^`%{2yG#;eOKJ#8dv0wB|E zSJ08v=SaHSd}`(H_B2>!qQ!-{yl>*bxUDUUiNS> z)#?x4x7}^eGu{k~)Aao~<0zwXF^D-;`X1DYXFqj%#wPde%gO=#v`Jo}bO-6h5_kD# zuMt>P54)L@Z|SM4H~C#&wc#!ztJ2%UON-iDuS;<-Ka(-PVa@@24&({xu&y#cV?Zhj z8g^)~mX@_oAcH5bKVwrH15+YJ;yb=%7z1(rjuPB)DiHfj*R`#~qxFO`(ZZLWuee_a zxNyFnX?>JjQhu)>9$aKRgs&|4YA)j04pRzGcc=?JG&if+ z&JWuK&kOU*c^vzSQaXCx2x|UU18M=Xn(#n$#XnKlz7kwC#*Lu%AdO0I%C1=$)M`=n*;aJxzR2#4NBBU`vzkheCk;W zFB;_EWW5Wq#Dg7O_!HZ|3*fAA+4ZAj;}=1S)Eixb_!-Za3^E@aGUD40d?$vu#mOIb z_DwrFHgfI;321Gwkm|P@PLR5)KtuDkG(uvBHRAF90LvniTb5N+iwZJxnkFlyPBgW$ zu!eWOdge|gvRRzyx`hLp_uBm*r=-MD!0FU?m52A{xI*sTKcLT3I&@Aj{mZ4NQ)OOo zSI(?fvLP%>(C2UiUNt}lyeWF|&f+V0ta2C~=o4$0Q-QQ$PL6vd%UdK&q?){W!o#on zx;itRuN=lCv5(F8l!(K%6%E7Y9}3y&J9OaUp>sz*Rjd&}rw@VFgVoi= zbGG$s^haIKp?n=}5tgLHQudl3!3H~%=s$t_-c2Vaop227X1kG>BK3eynY)YzJk5N5v`d9dt?*juVy?oD^T2<_u*-kX0*fEEKi|& zUQw&K7xewOr#F@5N1#g&$Ev;H-(9daebuFm48wDK-}x*m;rdwd*8!f8;RzD;$|n=N zlN&*q9;7P5$RuL5wAQ~#nSeG5JD|R?dOM=*WiZ9)C#-oV!Q^^?JXOx`Z53cGrYd@!PhOzT+jaU_FKK_=r=5wwl;sh2vO{d zR;8xLmoaK=wfwU8A3h`iGBVdv;Dk+&iOvJh-j35q0x=z}Xdw5wtn&Y{7(RZe>94X? 
zk+^I#lvt4PT(4$XAy7$_-^@Al*qT7{CrsBG;5vQ0=H zPK6DI{K-u!s^6y%N=SMT!#dg|ZoEk}CSs{pu%7eneNa%{0&x}Y30^5cyX?Owf!BW^ znRFiaG5rZ&Gf*ws+fBmxhg6<(m zOxHxFBLDdlLSPbZdGb9eBkm93fG|KpKDLjKfc0qode*+9lOBIZq-I{4N-vWz>tKpG z*U{*`=qQc_5UMXMk7<7MVcbn@t;cy!)%A(g@+tMUs$$0g*UQgPwXl;4Y2fhix(ny1 ztG|JXA@t<_G~u63dl=8}uL7%#iAiILmnQPY?N)w{7+Ep!sCMU)wan~v{RcPAzj3pD z6aFH0;&~_weu7Pgy?#29_|b3W12T^3Xx;h$$iQds8W*=VDIa((_!FS^tf#A0O45(x z0d)QFe?%bO%^@#1ZN5%zjsc1f!0>S;dQ;-44<5s)rk?&a`qJQ*=)~M!4w~ar*!@V4 z7FMG^^fFhhMy{*6Q0wr27`p%X5T?U_r_G_R&vT^SJhTK@Q9)f%$FTeV?y=1+6^6rS zF4*@;d=5%k{~A8rU?AuYv}J#DrraVF>>PT^IM{2#BC#f<1M%V6xYhESs$!^^7%_*e zO3Kf2Lf@;>Zd8*Y1TVhd{#^ulr`~Wx%ifVr1k@hXHc-Kgw{3+QiG72XGVUi2GbV?v zr~wz>Sn0FB8brbzUEx?x1zyyr`t(tJ1bc$MN^%z49yg@;*mj)0?(5w2HFiiy9&`Ch zVh_8MU^EbGHxaKa#>Yi;n%q?sVz7uxit(HD(W@^&6`vC?jnb~)}r#`4uY)pxYiB31p3bZ`5 z&>2huI4; zqd@JW^8_Y(^%b**^G}-B7mHz^KVDZ@B)5}|=Hx!Iatk8ib(Zw`uDG;zj&s!b5KuEE zjuE+jHz^JxA;4p@a&)&BxjxcRha_N>2PQK4u|S3KRbR5kzc za+fcuC0CMH&h_3$G{BXRB|fp$Ge6G~7j$vi)p6g$5q?=_w($Z;aU%K0VFqPfHqEcV z4yheGAxT{LKGf}eX$+Om3wmjIGGb2C{PG z${+FS9igkYU9D1oaamc}>Y9^n(rJ=x4E2H4T8d1D!{TY|0|wHQ;GKge%GE2Zy+nch z+LT(&-bty_;x(bg=Jm*8$J)@towZ@9YOWHe?s7gCa1ibZRgNP^a=k+`x+VXZ20xAQ zt)ga+(MCO!M|Jq5bQCv6_VpV@fwU|v8}Kf-aETz`2|PQvu0@Rez7);hE#W3hNJ(yRmKUzWrqy(F zEy0D~sE!nV)V;VuhU@$4*pSpIawHL<-*kY7QV(K?m1m`1@Z1igPGiV@Lmi~KumE#s zGjBOq_i(E(-Mo}(8apuKBb?YVa!cjppfN|5@PVCsN@$6Wq#aG3)p>rMEFAfkJRBi` z1b9MI3LV|WxR$C-h6?ZsRPz{5LAP}cjzhHPiiMp2q6q!vMj)0CVN%PeNZXlFI{ad0 zolJ?m+8%~nvmWGg)L6$2+A7uVT!Zb2?9TUmmFkBe4&h7V4&g_{5~)oLTZLqgYP03mH6t!IHMqn3Bs9>(E!EMq;Fo;93X zUOT7VFNXaC7|nI$;i?NEp;F;2Km44PEqC^`2LjS!j@Cf=~fzH_HM%70~a|1C*10~WCAsCs;RRuTz z_bm7X%lFrqj-u=DArnuXekUI8`@|nMuc~0tK77fs1lU=&gLiDxZbp>*!>sAUzD1~K znjm!7v|{xn@7?fu8Qe~yCA`6K+SX+m+j^{{KYQK>$Dh3X{f!W3Dz?)3KdT zsBVdh7p9q69d^-*F_Ae6$pXnh^6yDdk4#Gv;9hj-r{jeK$-1VgM`#e5F##y;8m}De zp?1;Cr7RKK(v8a_X5TW}k7%m-0EbM8#;~#wGUBw~(Y(-<(*pW!VNeSBs%@7dfto 
z&F`%@@;M$%*Vso!J`=zr!S7fFSO_-*Gs`+ES%cmF0x^A>91UVXl3LQTb2lvuLcN_~ayWnJoF%E`2`Oui5cm`bFo*G=)iWI#Gn1z6oF$0;l$e>XOUUsD0$mWQ$<2V;YA>28e-{9$TETwtX| zwPi2j>PJtx=rxcfkcyY~RcmISt^>~R1Y5Ad-U2^B6ZM-RPdzp3Si~cNx43O3u+&*l z@gQNsd_O_Y-o?OOyeo$7NdvEak-LLM$zr?B8*`bkltGw)P$x@%Vu1+X-n+>$ksrAB zkaO~gaj@dTryTyZ0_6tq6!;{3@`fI*1xYVJ^kUUlnV)id*DH|uiauu$>p^xip!7Pu zo!A(;Srk;50q3|Gr0i*kRYoR!3>rZulNY{ELhuepF(uczTwP7mcwl3wZdy*GljBpr9K}Q{^AL`i1q%S46+2ci*&6I)4V=3;y93S*Q|0YFqLj;S)+B#%P1S3 zd#2PM$ZX}C2$OT@rNQzPAS?9KZ1ySyE!s%v!|T#t>o*teIkZt>n5)s&y;fJ<1?_pZ>z6hN8PCrAMoMr=Dy~G zw#p~LE&8n{w~A9&#a7MkBE%nGY>g)_V}n&Z^(R}}ftsZ0=aGz44Si|@9hOKF8plrP zF%LlY)i5Q;Fizr~Tm+SjYP;Uu)|ezwe>dho!izRlLnV%K2);f1P&8Akq-_Z~s8JW1 za>lf}+O(N7vWq`fwO1XZ_kdZk{wOqeE~*qW*m^n882{rRqad%T5U`h0+2HJdP*$q#qL;#N~8glh3oxGeW1Qp${0Xbc#* zi-L{xS7;TmFuh9KQAEj{)o#^EN5AP4dq~cbJaV^-x3YPQAQ8o7cW0{khb&(2KgLC8 ztE&)DQZF*t5y8~iE}x9}+}~gtRwi@=2Q|s7pnmkrip{Z9_=z#|rVxXZ+BR-jePG-l z{+R2!!&bV`5)z8+g&xYWd-ZPmbeD-9uq?YG0HDSC7gwC&No9&z@I37TK7dL_+rcV| zC#D()JEc>tFT_8>(R=?_jDiB)o{>YZ%Y$-V$>33Kz9+$L1!6@eeX&YbRF=1jCR+~G zllOXv7BoK{)C_6Of>oTgC4d4c|Ch!=x8;z8a1W>bHIxvSU#Sm@m&n_#m5mr<^!tVJ zU`BNW+eSR5R}kuE2brPjyeTBB*(kY1gU^sjHRY)ksypA{Bud-luf9R&?fCM5_Q=-R zvmP?$#fg>w?Hl~xzQO+r-yr^TMZJ6X$S0)UyjJ~x>>)G)OQz+6#phEJf9M-uoa_ln z+bc$=&R^l4?k=Tpxci$9?%9AGD2#K<%Aum3jQbYjX53Z)^eLG}^EgXixe$NNhpkH8H+Mi{au* z|Eq+6$nM$2OJ0G_Dy&a_D+4(+VU5ZzQdcwEe#TP=AQPbAO6m$Ks~j~Y?8|>E?<%9B z?7FrfjUa-+0}P6kGy+nRigb5KNQ=~fz@XI7(hVY=O1DU(bcuAspp3L2-FyevyVmzI zJU_pGA3tUd>ppXzd(P~0&ffdl*L6U$!qK}GX6@yYmNrrt(tG~ubum>BdU%7?@vcb6 zpK@ldFPd-0E#C)rYA7~^-w@F2{8Ff}KZD99G1qSX8gwCF)Ssl?O<44GX#jzNJ34`3 zh0SAD`wji0T4Q;*;4_)S?@<1L%4(Zm5Z2K=eF>!@?4?n9XP~F@D7=WpAly1DODW2> z%Prg$I$QKuNVmZ>M$3II>QNLg^7BW%M?&+ki~3{8cf3dtxtE)75FScKbXaihycqxD zv2kansSjETm~R4I8$x)sdRBGOybA{fuU|ND4$M50(=o$LbD?^G7HCx&Y{zu(@fR@W zb46-EJ8y_uqk?ibyWDWiwyQ43cx00MzFppNeV~%DZrygj{tS%0x71@ij7P{WsP6UZ za@smfxp|;H_v6yT_|5MRv~jtOCvI|x8~+Ou#VRm4{Bl8$%x1h|L`0*y*%-EB$glqV z#9p02WIO%F%Ml6B?-Lk%HI@KB;i|OdOf0u(q+gcU18#WNq=8qrlm|Epq#hHJP`$C( 
zUbhE5^WhUg_Gnh*eCRV7uNe?2+yHV%dD%Q9YzU?$A@>?RSyq1et)unE!jdZ4muS$^>QBfT-k5mWOpQQ_*ql@ya_ z-JoJ~hRY?~7Wp+~4rU_^Jk+zO#ifIxA-)WUs#>)olWgD<%dA#P>f08{q^3HxQXFmYsob9Bi$~hgucs zWWOh^Kec`E^07a=3*AZm>$Y3!8f*vw!|F0eT6{hr$svvP@@_j$@(rCafF7LPI;|8e7hf0x3re*y_ z4llm7sedu%|EOsR>68Kb${`I{5NF=93aaDnxC%UH2OWybx!!aq+!Io0k}q|B`hAUNIG3(aWh1(Hh_h4b*1BggSd(j-xCT|f@hh-p+5s*{UI zR@bnR`a-zgWPEdOUC3rKq#E9Gb_PqyB>teTvG%y3%4$x6D3!Mo!`iUVt;qD`l#qa>^&f*CG6iIxgEn7D~^F;680mR6Xt{eC557MaPo$>a8U`^7@NjB+fhbpsN$)jv@m z?*&)G=@jOEPe_c3WS{FY1o?9Tp!U#1TJ@ml&r&1rA5raBIwMj*vm=cv_?NQ+8Y%QP zGP9HbHJ{wZKvd){DZlPvTyYKExJyAXVc74fU}Pk{E;bJkBWO!;xth`D$Nu+>_8i7b zkfiCe9!|K+f42KeDgFlukjoR5-}C$5%=~}eb;zV^U_$~4siS#BDV;-?4)p#z4gGhw zU}8pB=XBRIA~Tth3I6m{O0x^rLPKzm5Lw+mo83z5QL#SixqEsLPHWpQg^CaX>N7?o z)ln?IKrp2vWC%{j$|^6V;PH6WdQA6nZS7w?Pr*A^bG2LE!!90yKnzkq%`7as$8+Yo zTX`$4Z{sS;RE0nojht>`GBT}4p#Hb59Nv;Iz_u_RQ?6`i zuvgU^VMNL_7PXDC7>d(8$5hH2(hH~-e3q{j>@*)BMj%D-=Uszj8wpgW)7W0UERs&~ zLxGL_EW>tnNt6++Fy?au?geV~oRjZz!?Q3yI_S2AQMIkm_+!gi zs-zI<WC#$7pG4UO7g|H}|K8%YI=qK~^DbhVcXepB8u*d-+o}c|8C$2VT z5sqp_7r13C{>_9fBTEk9Xzy#nZEK0hn9K`t{F$XK?-+ zy?6$wcf?a{$GWmos0@O#3AstqdDs7rAOC`Z>ED5I_%oVbztR64hUf1zYP1XrS6Bn9qVz2AkgWps`I?e@}(+I-hZ|MmC(^Ugb(5nLH8#_2$pWoSpxj!!-6%l4K*sA?8gl+L{Vs4STXtVP*)U04BQBifKS~P`uvT$fQN~Eu9d57 z)G3E^z(Pa`p*>AXqt%8%Xa?f)k7_AaQA%wv(#4~$hXW4^*|;$mS?Rls*4fT{SJ8X( zyW^HhzgO3C*ds_^39=4lNaUi#qtL@)o~K%dr^pI5r}vPTxa5rQjHSat|;^;0uy0kitjE|X9+WcUFLr2zOl{@)mdl6?QV$x_Xa~ZR! 
zIjR@{GPA09N?{UgA?Wh}+XNtudWbG|9O$?+V^5(`k`G$f!;>< z9Vo24PG8h)tKiu~l{8_*a3>Vt+nC{4^m0{B6tGgt+`)H$Ghj+gMPYEH?8k#*cuZty zY1hMH3@Ay9^M9rl7gq6$O|GH2 zYgex)#PYmuI1T$g%4|>(Mi<3~kcT#D^D)@6rrMix;v6tT^)=WJ&BkAd?SK7+GPLHB z;Qm>Q&-lB}c81FxXOpFw$vnn}Ud?lO`|HF1Cx(^Xz&_ zPVP@z8^wf(y_Nyu!EajkN|JfxlnRH0`%m}o@~d%J&nZ9g^+9$CZiF;6Rsq270;d3H zMSQgZQpo?Xk4j!z#=1W>ixERLid1yj#1BmO$r4L#YJpO)og!U(BZU;0lDd_4UF~ zD!DpAKhqQI#8&zuTE*vE%plZ@>vLBMQ3o2m9I=h|b9&F)S_bO*Fd(#;n$W_D8d<}4 z#}3{J{&?Z&K{}VnLPX+-yF^TTa5_*-XmM&C8hT_GdQ$nPT0ao5@bp1h@k*{g{T-S3 z7b&%l();q+1_~q-3GuWsW4#GwA&t?65`nFI+dr$$V=TQ+RL(~J0LgvAsJmx6OdITp zY=BAY4+LZ8G~Z4O?eg*?O`k44R%t3xR7V)~i#I%`w@~5Ge49li4MxvE*GD}|p{NwiDzuY8 z8JB5xmc|O|s_pVfbm`oJ<>nYukmZDyvNmRwNiJK{%6Gf$aaX55Ma{=8C^?HUe~Me1 zPNOg3Jb5CueGZvNv{a`OJ7THI#EHGyJF(#ITATt3edL#lI4lh$|`QXXoYfnSBG_F8F zw~7zCmV1_`{Cn@KJe&3>f9~qdjcvPmuDCB9sPY;y-L*X%49ikUWzB&VN$X>FCh}OC z<#-we6uqOpul%8Dx?|s6Co>xDoDM2`X^JAwHE0$<{g@BKg0F>d&On{WLh~OwaoI(E4~Gv7 zbL|ck@D{r6`>s?a)XZ_hJS14iIXSba_G8CLL}Pg=?OLDCG8VD&Mjx!N>Nl&d)&_Hz z8VXsKIiGXvzdHWdK4_Axj#ekw_L`-CCeD1~n;KR`>Kw~%r=-8Z(=t13We zsO@V>#z4xrw%|WM4f6NAl~R`Pxh5Y&JX4h`dg9|=4Xbl=sLonkXU{IxdN3|X1|8;5 z?`p`NQmwWjrEt-<4Du+6z{0~e82S36L+Z%rhX*MngHS+sx^N9MvxYo0I|_zvJ}LT~pQjk8M!1=Sl+8X76yNfR0tQ+cMuRcD?& zoHnkhrgZu%{-f|i5BS<}{&k`D=`n55sZV;pUNHDlQy0u|j*+tcx+xHB&D*>!-(K6F zS^38FtrpI>z*=c=lwbHyZec{};kX+492fU5iiuLoB=^r&d18o<>Yp5IU!5mtNiGa@ z2Mf{Ve@^h6qHfFQV@n1kfm*Fbg}H;8-t%L*bC1-4S;nyib_5$)m51Wi3rRnJ%*K}Z zCAMSZ6fHG(b{D&!`)`iLdJa+5`un-bVX$`|eHN*<1; zvH>})cw21GXup)XS`~|JPBE;VwyGF#l0)u~rQyM97Hj^Smkgb8{!g$ay~zDa0o;=sly>q#tWGR;0s@a6Qi;*GIPcXrM_atSIIz zXpRX?>DIC>5EKRLWHcr1mAXAc%C8-JoZOvwby(gabnm9X(U?`ih~WJ}TO~a)YDVlnr%3xulP)F<1aIC6T-JiZ!S{~DhUD_e9E-(rs3@eq+b18R8G?Wwa2C#YQDixx~I>Zg8q;n`loQ{ikA)nw|d92yt8`DJ1b0ROdXTfTRDu2wAxB zqWr+&D5DyGX8FTo#OwWyy|1=C?71G>HOCV^zK2Bt*1rAATX9(Qjqt2O4pmwE-@CN= zFG;?Sz8o4d^5+t7@tNCwPX=w}U0di4XjR^dSX>{Ub=+)KC5P7M_b9q7?N!?sry@nG z+4YN>+A?i%%heO|bT(pgC&|sK_eM&yyW5O_&_&zrRU7E=;>RQ zLrZN3F5M&AwWs*X*LgHB3=&HJw 
zDx!JZzP)-Mn#;dWsn@qTDKfLL9C5zlzOtegX9!N3t;^XNz$$2D%%ZErZeKA-(to@8 zBJLjoRlZt~N;R){u)j%BtoYRSb?+(vaQrx4)x)>1l{{rd>FurFMX5^!T%g~^-}orl zS!^v*Y>(dWm2Pud1j%{M$XeJH7?;cRS$L3dxb&1EayKmPYgX<6f^c0^sG-QzI`@zP zEKD%7N4xOoexxs)j)>vg<*4qf1dRkbVOE8KYHI$U^lAOVO4#K`K-z)ag+_Um4%%vmN9#df3(^3EhVP zbTSNu5q3*ka`L(PPeGs%hmn7H1TQ|bT=H0UoUd$jnrEG_Y`Jfy*s@Q{7Iu4z+gW$; zk!}$wjg~C;V;FZCl38ngOJ}5Fs&&$ib=7m0R#RT;s5+>Mfqi}F)vC40;~^Pa&syVt zEq;vxsWMv=+XRZK<#u#N@Xzymu|STZ=S{iJh*Gwlo14nU?reba=^WaWW{z@^mR*72 zYK=+VoKBVeo4SqcvkH0yPQ-ckJBCYv713L9AmZ#jEnJXd$~jH0_bY1T*NXok5!7{_ z`2p6Yb*cFx*L2UF5WKYBK&W9r&}ba+F5istZ;S6)l^g!NXfv;N#)u5#Bmj}5hw_!<+T#50K;M9}7_+6l|ti1%oI4dPZayXF=l z=Qd(gdo+nxqop+d<+P*zRokF zzRE(0@n*sl9aIa^wW649i*!Sv1bO1kxS;WglUdrsl+n8vNxKJNgVJ|1zoi`N|M>D# z;FvXvH=_j-I5+>`Dqje!N)&r3MKp>|(5)E*)~XxU*BMcgfY4%b6||1uS;sktq2AGs zEA-(wX2IgWAvI=F75CJHz2+5a#P}~qBSf3I;4^`W#>+Q@2EG0W%_b9Mbq}IX&?mJ@ z!lK{Y(yZ7KPK2O*;Z5|%*btWx=2h~pCEg0(CaNayW(FLmg2U3v!hbw)wGrAVS-SH4 zW=Tv)z%Aej-q7PqMY8DbCe3HOo+yvKNAO4{g*#55ri4gs3_#K+M$yZu@* zxBkSJEDR?O8NMes?LtQvMgRLMht$F9p1ME9@?nk0O zM18W|kg$B`&eJ;z($BSD8y}=U@}rol4T;WMN~qau)m1v`c{qVJ`|utbItBv<%~{5W zWzgF(5JvU`DU3k%`*-gJ%7x%6^L&2i5ZSC#vV3E!i&XU4UYzP<0}tBAvM>C+3HV`Z zhgiJY8rd2~Xi4P{rwGWCKD~4AUmtGir)WrAySr$TcmC!1n0zOXX8Jz*+dKdAd_=z& z1JT3%*RQzq*Yf@USU$pdio`9x|1aN<`dzQk?#hGM(Q)tG{kKORRPwKDsK2>H!v%*< z-TjYac!$~~G1|ZE@UNYt&fwn;0QLD>-+Q6JuDyT%fw-j4?;vq8@BRBGQOkD!_6|^= ze-yhb4KVZg*SBy7J@V-taOi{o*d%J1?>|D}bH*K7>`LK(4TL*rvbb-7UGM&5lc;6D ze=Iwz-HChXBzyG@q=x_h;I{g1%2S55T^Xlt{N8?Yw;B~xFUd1EC zr+t(9jfb0Cvb9yrmZ}Xa+1Ey%c~opMY3ZWR;ZX>wZ}Ye35L<3Q-z#pP1;R{UdT#mb zY?`jwkdTs7+<>*A7Q^^>EJA8>)#P0()`1Ab&IfeG$S1k^jF=8=PPvCVM%pv4;B5i- z&(H8{y^h;dN3Cs`k1J~t0^jPTGUR&wmY#^d`LqqCd-taX?$F%<7eo`(-TPH`15NL} zgAS9w3d_$SW?Ol*wT-z86*teVX-n4G&8EfgJqh%>~E-Ev+=!ydN zw2Fyo8&@Uc+2r&;*rv%3>o0_*rSN3inO-&uuwy3Yo_LEMT!^#w@lUkqhXG5OAt!ET z%)A`o9UW2>QqXz_aIFRc9{q+`_CX^CApwEv(h|R|Q}tM49HXt{VYYf=!)5~UwWkLr zrVLx~N!_zqrIW^YTu;~r>SBj&HBRHdgz(%ST{)_@aAEjelqxXs-vSpOI05pp{zeNG 
zZW#8)?LA*Gx_TJYWj&Ww@nja1>MOE#F6@qIu}=}or*)-c3li|>JfZp#v z-q8CLPCR|13~>u`4H!RDcrC}x@Tc|#E}?+i>XDz9i^H$ItxG+{1(On6WxZS5r8u-8 zO=^r1FJP>uhc~6cvj=S$DR~2dXITA0$O`)f*->&48GsaEPtUJ2^&s?&R}Krw6%Yqv zqKcObPV;1^)%bBX_ox8gt(d@PWKlU=2nQkGJQ89MN_&PBlo676E`w!I>R)5#fo*Bo zrGEE|iH5^^rW>o<(9_Zdbv0QK`k{nG{PoSF!nVrPAGfMPtv>=7Jf7$>qN`4>ULZ@M z@*uAJqnQFy-zfe7rdOgUXaIerLqYKOC$H)maYKQG-1uN-ybyxeoRak1!fa>?`Tio} zxs(A~jTIi46j!`l#BQ$n_SRE)wNF|2%VZ&tLBbeAGVHpz>@crfcWQ!Ug@3H4lu~7;uxwHG-f(}_CNZi=AwpZPC|G=K- zw0FRy^f7{1e}jmR8K93&U_lG<9CNeAI@8r4c~B!8ZB5>Yu~YQ$m((D6rqP`X3ovu- z15kr`XlUcBC)@5DkudJ-TezFe@jG^+yEfcG$muv@pVQmJv*n+*1#o|R6-f>;Z}o6$ zoLf2xkvOV0fALMLUXA+*R<56AvH5B$YlN1Ls-1keogE!4X{kR-47F4hFk*qV%o;M} zRuwitIlykaiS}4)bSWam$M@szKt^8nxQ(`oW)NFO`>S$xiYI^Gi{uj&HW!0cVE;x$ zf_PtF0&pnlU=JcDnRo#z>jOFj`qPe>Ixq+99m5#n7)S>C2Rgchw4+s7ZYYE%@Ja8r zhsEU2ozK!u$0y!tR`xF>?Cg*7NsJd1e+HC?vx7Jd12_{NZGN98l%1xc$YXXxlOwno zyL)Q3(|<$kBGxHx(A<{ZA?2&%<0c_T5}wDK+`+=e8`f<~cG&L4*xmD?K_ff?zro5( z*EWY z?#g!_XN8;p%IXKxXzysS>4r66FVzo{Y`#7ylV(Y96If|$qrBIVbX)5{!|@dRyo@}) zzfWpdzSZBq<>>nCsLosjg8+u!85nTA)Xlq75^wG7{wg#4p5NF0FT0!d#e%_tLrnSw zl!ifR(u5ahXUM3e;k-<0fv6(8l!BI=_}m+;B2}|z2>MHB#Af2OqpFc(j;v#eYgdOd zYoA)4z{-;1N{M||YFWyt8y4KAIyU2t2i?-`jEdi)I??KmQdjmgIs+}O6oxKdFfEoG zs!p|W(H;E5f^Y>Gd_Y_qU8>I{+0oSK7 zO7Sq~#1Ld?UWiP(2unWY%RT&X?v}lGv`wGS<`hY%ovk<69F0{sr!>9P#l75>FRYot zeQqv!KX9BYvOaB^5`UpqyIic1kdY>}S?aO6J}6c+aJ?`lbbL0ZQy&1z^qZ6RPL}oA zsk_fC!j?iy7kM_Rw7>faQRl)-m96hOZ;^Cqtcn?TwT~rsXdnXm2=MJjrwfW_6@9SdB?gndQQW z33h0%6nI4vOg8Oh_a~}YR2#Gy<7G&chgRJE^L{=GqKGoZqXI$tUm5;L z<*6Q0oms&MROqy$M)1H3R%`B2SFfR>5e(^!_3$G(tm!Otf0qa8Oz-#-71XoLK4MUqy?X!D-Z zyrv^&I5*6E;0g{7Pg}U<-R6#G!FcF%-Vb77;d!@wlNWj7wq|p*2=uuv<#3ik|YP5g2IUK3EP1I%k;bO>bzCM!?&ZcnGAHSA>^>`@&ZY^!Z; zIJBajUY&ZDrQf#PoTQn){0%y06EGwJM+06@+#dan3ujr--qB)*bQIyoX)^PPu@$Vz z$J0!uUC&O9Q#spKNoLr9SJ|=sV)5n!GA_pH==~D#o8JMkV1?z%i(+Z6P92>pMa$X4 z)1CNEk`4ee@xBh{yF^6v1y&5Y%isApZtFY>Ru!D7Jn#~qx%1hOQDh;0)KF8pz9RNN zRv{8lP1S$-Op@8h!ppqw)Mp46*&Ac2HxW 
z$pCQDCv1Qk0psor#P4{3-j?;38gtVs>=xJWU1l-jA!T{*zbk8&!0*?5uQw?Rd&8I` z*%jrEQHc?;O9>o0g-V2_&3jeUsD_^UmpYsWTc}^i4|31ltoM2gFGCcID}* z_{VdOM|#TxG3FtVlj;#W8yaa{E`1{J135MgJRO<67MN1cN-Q zJ!p{%4~Jqa)?{C-EiTV1d+;SZZ$6QvO+QmMs}aSGwXAiIb$?SgSCTd|*O}ANDu$o^ zl$PchQdxtil5kiQq|Z1&%0bX1ETVTZ8kd zOc3bqb283rJkF{fTsvP*iM)R{zd}3#YY{xEFzf~o!~&gE0j;N|EJkj<2FJxYRg=eg zs}bYe@}puksLaApMSqZcT7H#S2h$e{PUh+w{(ug)srEee(~Gl}p_3buF&B}y3b5KR zwz<^#u`o5Ks=4)Xz=PzlC14R-s4h(8)1Yuzlu{OY0FIHE@5qfvIkhRh#&{LKL!D#v zcAR;rDA2{Budk2!yk*ckJs7^c{bJOMpziK(awhf{6UgwpbUFN$Ujy*Q*syEmIlRGM zLJ;FM^K}9iIyQjGQ%lJ* zATmNTW5z8A$Yx*8)PjD|%gPueF)>oZyco<8V#m(>-Ye|0vy0Dwt@DJ4kHSsNCKJtP zqwM|_sp%Ofg2&{|r7)5A&XI7B7Qprr-d3l$^u~#fsa<|bH(^_P!$=FnApmwcUE17y zHO}L*NGT3du+rTJ-6V^yb1aG(1oY$eol=c-Xl7gr8mHp>Q_QBE$v*xAo=~9u4$^tF zai&4@@2C!Z`qz;%oG^0IgaP)8#4_|XpJRqwGiT%VkrL}tBh==yJgp@p z-?#ICb4Mou-80AhPVvh*LVW>Jjh<9`ib*P z`wc=f0y&v^!~C;rR~&~0?zU*wbfcrj@6@C9(IP@hKBavUa+6u0djpv^I56LfPwxu~ zxC3o%n|G$_>&LDT!}&qq{xL6=rq(n$bnVDw@Nl`Cgj3P zKMA{bs^~zn0#dv!rq|o!@>_F#rAB`T+`zQ#VaWS;@syNAJ5vNHBn_`lu7_8Z8s}a; zt2)&-$dovdX(n}8AtpwPVt*_fEEUyYr9iDbI7Aamth%b{*ogKLAZ&t=Cgz`-d2P9I zszUzw0f7enOi@2(qg5;<0}@DXMM$XN-((~Qz(FLq0_sCEr?+~t9_#70&>QG%RF^zi znJEhe=A@Q?c+T{*B(#KIB;9vv`>b=zk?4?V?FE!&So0p`Duwra=Qv!JZsyavo8sl# zm2bC}z6?pN=YhO$(y5AhnD>OG?|2#+OAg*{?N2rhvs)Me;>1uIEkHF@$*Uw2owy*| z6vbQLTm+lJ3;j*N;0qaiCDOr1GaEpu;YnGWg1W@)%KszOt3?90+5?*UBHsnJ+q=oEzVAc@{U4l<*Q4mSh-BYqryEp!o=u9tzwC z9~#BHW5KQ^@djg!e=LkYbl~`u@W`=Do)(88SR;oU-jj-`ELH$*%lFRjDXOy7?lhHu znw8gV)Z(q`k%oDT*U_a5u!zHcoPRS@REo+UZ7bTC+|U7yr$fgi3M;Ljku}~`m5@6+ z$CAN>Lb2TYsr_Ee#xY~+4#rK*%YwGY@C8ceEG+(_|ZPlS`Zam`#W#O@8btrG6b z9i^#-P{x7Iv5n4(88WrpQek&UQys=&-@&+MWT+j&)FM1VlSeU!`J^ATiD} zFOL6Qw~Wq5eS~3iZJ^F^vYSZ{=`6=l9bl!|6PKejbM?Mf!%8(!aSA5^?YkQ`iKVSvtl>=|Q{#M61Ff??v{o z6!*%*=pKN%VYztl?B1O%KBz*`Kp+JvYp-h=4YR9SR|ZxX5NkEcM^94R`P7&l{gjzi zGv&2B_)fnHqiV!aZk;E&11g}5(m{pwE3y$J78`3T9)xB9xpi5~2- zv(+|IH*$v^HD5_iJ>9%`^kRJf%hbt=w_|R;IO-Ii)X$Zx1UKg0M8LGMQ{E97?O5__ 
zA~bSLZ?9C(_oXTc{yxMz=m%D)hKyG=dHCS3C?$P!uL({gr$9tJs=eC|XWwoix}Kp$ zVU|x*7i7@2z2A zKgpGWj>g^&x7c&3o+*wPptgeCR5gSFdB#YAkhNjkQzOZdvc9^4e(#{J%>ibLpzdJ3~jZp0@4Stv%13+K& zLd!rCz4iFA^Qs!xcE2LN|EY?XRKdc$9EZb;#Nbv~Y=#t{M=3j|N?K8xVwB2~`*gyJ zI>=3;JX1WWaAn>@&PAmwiTY(t#O+9;B`p$n32M9g zW`%IyWf&M#%l3Xon`!p6>-bO3tU`&FX(e6{Pk+g=A8OG2Vj&N-^5gSZW?ty3hvcpL z;0ni4F%P4kp_Ax3TeKe{H#&{>O0{fVH5F6#B8zMRd!(OYAoCsylW@hE%WR(TK%?(NlPfnjk66U{ zgH$DWGNHE`I4If9WnO%nvO08sx3U<*;@O<*9afU-tjdv?Pghmm>h)HUZGNZpN!>*I zO8F+Ul$=2o|5^@cH)UnymFWjW*Rt2jjHb3W+NK4AW~6tFaMQIuE95vJy~b2aj6*oo z?zlT>;*vaNr^T*q3uq0FT-OKKg8O=@Qlu^y-S1F4z2$7*wYzq;+$UAT0h2~fZC#Nf z6U0pvCB9yAKm2`#-@bK1-C_Ur;L_jZ=q;*Z#|CSPs2dx=Z*1r4hAqDAd#E^T6J|*u zE3zF6l!~A>vdLZ2aHc16U6pwyuRg&sxJ;5XncX5ox!n-U=w&V>;*;F(C)9;DE0c2B zWZwDghnHNYp|~NT>5E|x8u)stghpzWI9+2z9gCphGH_2OIW4W*CNCDJZc*A zK*QP05)h~!OyNq%g`M&dcw*WLs#$~l^vFU>Cn~C>MNKL#%;2Sn&0w9C@T(Q}#H3YL z%d3*X_AI2L=_<#7`pCwtm7*h>*yUF#Mdi@EM;Ur5Z?>7c$D_B(p8h4r5#o`-_Y@U< zBziS)%JB-Z_r3sJF4+gTR5sF9znge(S%y+1SvN0?o`T`jXW~C+asH?(AOEr(u>G-i z_|bok2Ew!^-4LJa5*ef4$#wH1Nz=a@(ic{a7;+QX5TzxafBCYYwUr@j9vqJf6;YA-mpaytCc&m?5mLLfl*6%a zO&3dgCsOcPCg+jz#8B9j7-UG#-jCMOd1kTl-XhJEW238Zx+~J%pglWKwb_D9fOr?N zpQxP68^Du(K;d9hdp-^s9%jEa(DCo+bH0ywk}6m<)`u79srZU4DU)E-Zdo-weaSFn zEFaBWF)n!`YW<2AFM`6qFE)Udw6i16t}1<>@!~H*TwIoGI6YzHCzbksQSpLm6!!4s z!0rg99%;%jwAS;AI&oZ=ZNbBQx@^XRA}@(bOnwUFcV5bI7Lt8tx6R0b+Mi-$5Ud7^ z;j3sV9t+=?p6+_BYC-+E`RD8Ru5F|NBcN|>jerv|rhVfPruNWrkvy_+pv7c9lhOTqvb9r1^k1vlyN(%&DW1MkVI?Uc$oZL>wq4%YagZTv#d}csJQ85t_O(A`A82{WPz(|F} zusQOm(WR}3m$|BwVF%9I>*MHzza zC{uLa$B)H`v$Aa0zF1J$1zV-)r}dqv0i4g=Zaa*L-@Pa*-Ou0HU}oi1CbO+Us*wxK zXo0;S5p6Lc7w0e*CA%fl*@>K5tQq{<{Ok=XGxn)>>L+-gQ1rz{>esk>aHNlz0fQJy zc_aE+v2%0GS=j17+U3$7CdY4=y58{1Z97UpV(CKMPVx&vb=5{2J;hD-Un>UX!2-sh zUwR2EG5-LISX5HF>|20FJp7vmqX)fhkA=`;(gP}Hj0U#VgI-8!vcmKC_a%!lLWLb` zkVj?X17j{SXcpT-hw!re7)FEZ7`$)NUvG(WM{r%mAFMB&(=HVp@%3tqZ%-N?9X62}C zw$>*tM*!p7-?Q;?dB)%z?y9BKUL-QEDV-vx`ob9U}@!CojpWa zTTW44QWYV7Qv}IZ3Cm~L9$H-|7aX4JDjZaCKfNsmD;27E1+Dh^u7>7+@7$c&1wzvd 
zZ$M({E_2T^Qr&|RkH(;?ZSfj_qN>Lr>@>ft?%<53(z5B|3f#tneJ;g~8`ZYUGic<2 zXn2&;ShG;w{aP2XvVp(z9Y+I zX1r5%BxY_{7wX3CU~0mM@E(_e0=KA7$M!*MO7Drc?FhqS7@~lBg1fQAW#0q`J0C)0 z;t5}x^jIW7T(Mb+T7$I4eU~PCDLk_AO<6Sz%V>X`JtIrUF9po?jUZLJraq5S8bs=$ zD{RC=JJL>Er1nxffz*h?^;U%ZFGh%S#@ga>c*)7ql7TKNXQt59Af-%W>`1cqTb_ehQB3d>zNhCj11Pf z7U|LJ7A~RYx12&woDTEIf;>}%%g) zvV1z5R8Ls2ALOw_xZ|eVfC~`MBThH8CaSd`mvSLHrn*HUKqmVvs61PVq zn>A;t#8by<=Or(h_73MkpojX-kTEBLWARa(&Xg4L?InENQ#01t7blX znbwyNXMX;K?^^95$rVd;PzO@JZMPb_ARE?jKK5N9HJ2ECc(}ak_FK5T6G(|lDV2cV zsQaVby+C=8cjE;qWv>L}QEl=%d}%d~m<}OsC1j8*#_{ zl1O^K{gint;kD0b&}T#I0EhzN=-Tn<8zYs`+vf0KGiK_QkG+#5{kxCf4<+*!?sjOM z?yw%=a_|wWwQgV*IaR6If|*%5Xpj9U=lv6qn40gN6Lc*@=~SS3(^) zYF&A0nE!Y^B_&YZ`L8rFr{-Jf=vb1Q4-t+=%1sfi_emDYY=dVH{k7{n z;%8KIXt87{gynpr5WvYY9RR&NYw0o#rK$`{&~_DaD=#n1<9FQ2ma9{d1vAgk7Vgkm zZnW)_t$)%Q^iGgB2kqKJjB1eA1Y zvh1BUwrL`B?>oe4iJq}5$XTo&kIIp#JHEJgKL1GQ_Cqd)keGgunO$ns-k!)L&okb& zolCFMoO#ArsPwKvw)<^&wcZPyv9?pq!j#ma?|b!`ZtsbDhdT3)ah#ZYFRkTI_;oq+ zB1ZZUN+{1oO-=Abe0xr!XY6!5x0v@%5)o2IBub>@=H`2UfF-hf$!O^XcK(xgisLR5 zG|xgP63Z3q{U>>?{Na;rPc!O2+Pe8)+InR@6$#GY?B+Aq-8XsJ)g@ZAQMq4QHpQ)6 z>0&+zhU}12hViE1^x>C4Ek7W53?x;heX1mO!|^xivGFXv0lYVMulX*-C>#pvA?qkf z7ocWWAIv&Xw`b6VuMd}rih87G6i+%YFVgNwIi4298l_I(q1MFkroAm}pS(w-VO;g} zVj$~@1V`?mqdsp=nYD#QP#i=ggQ1ts{i;!G=N<1>EW9`Z)z*fEDyv3nG;Hq{aK0S?W;7krqKODJ7zw!2Msz+*DEH)s6P7orZu z{k|_XFc_BorLBD3u~)-l6}FZa#GS$?7Pait9#qzBm)@it287`a{6vpNXDXiJcW0IB zS}tVT7@K^j=d=FawJgHMQePfe%AKJq${&LBGNwB`rl7GgH8n?j%*|=iwaAaU^;_Sk z$uSGK4ez+P8}H8T&%_C$`Z6+_;!VG7_NRxQKXb4j3Gw~>@p5Zi4a%Oyw=y%ao5Y#> z^ge{tuhpXmZ6;n^)MI3!;$ogKp>HHMWUd+=Uf8Az~;s0ris;zYbfAuFFf z4qFnYS}b^ewnRtA0>>n@P|57%6Js%u;s~u2)VBl9UyoXN?JwR3hCf+q6QFE)!{~ou z`CvFDR$++(!sLN=xhmfYH_=4~&y;G%LPj*=R#zF1@Rvt-dvRi!gn6J^aW5ARI~Rh3 z0N&V@2m94XGA7H3DJ5ybV09TC5hK@i)-o4TnakydxBLzc8(YlpfnF~FrB~U3oDCNu z4CnN;IwFX$%+|IxaXEwyb?@h_bYn9ip*M~IRA-Sd-S=F8Rc6}Te?MXN$K*PB^_Itw zM2x%Vpl@k?)QfeB{6!8==IheP~N^|qV zqw9MPx7zZR)KF+tw->!6-1cD1>UBG&h>c zi_DM?ZPa`Y5I)ZtEof=-QdWo0QS_^5G$qWssnXyGkm=p4(zeKEK5=~D&f 
z?tS7uf=QKS=V+vQMug+^ ztC-3h-reLl!XBhE&89^Ua)Qe#>n3BiD5Xih6l9Va9To@iUSy_!H!*)d_O%B)Hawy# zgT@Y+mYR*`DsIx`4Fc>nvdupHeRBV+?@EiksXdQb)jPSCE!4OdP#h*(=)klDGJ95G*TW;|`4$&G*dx_b%a?sz zkdlas*Nli6AIH4)sLt1ZWe*fG+}#02udm(bjpv?gJ=P2}dRl6%3z`UzW1-_n5&sNZ zWpgr8$&Pb607|cg!3d5yXINahMMVuAOxHP=M5J5j#JQ8TGJc|@?*aMf{G^rH0W%&L zF=rp0Ti2aZLn9@bV2ni_p~N<0eI*j(8*FR{sa~2)fx8X)4D}Sn%G(;yG*8X`OTSn5 z#Qb_cwcI>i^8CrFnps9pCwZ=Tjyk;)tdtLyPw~}kOX`$5X}IWu-o(-@McxuEbjC*M zEEMLpPA%+CZpT2HxJ~JPUt3Z})HFc%pJ@PbeDp*hOtlR;J~N??XRak^X1^n2T$hlk zu=?`^$zhyY*r0foULX$=Qk$EON?V@WPpFX4?Am{x&QIEAl~_V++Y*IhYchns#lb8y zjCiRJx_M=#Kln6nh21RTg$cM7C6~3^FrJ@byI!tags(#f5~dC(JB*?)Q<4Xsu|yjC z+mVZ1jpEyGpP6r?x5_8_JlkkfBy`}ylvdF9WN3c)@Oszj@~Ah5JGIS7N9iHXrIJe2 zcG)nE_R6blz)_m0mnR@X>i+HJsiM!>+_1K>jDP+gl4{5+;Fj(5wBp-iJ3Sh6Gv2w)RwkmAm2Ypn1@=O&_wRu_B#MWKeBN+Ib48q>Oa6 zY6QZ0c=&aOodj9KabJCL5qO#6$ew~&N`IH<>`X~wY{htf2;7@y_GKqh3XlDC$Z9u# zQK=QADGclyx9IW?s(M;;`DE-1XNqhuwMg)ENvS!D)o0<*aSE_tUu-zdo}cgORo=d< zfi2<@YF23GKJ?}A1P8D0khq#WNKqbHk(X@U?Z;oD zKOc_CIPhVyxh%2uW$_9>{CW*k+_TP(U=%j?N~^$r=xv0b?q|<>`@KObJUUv7?@oO} zt*h61Knf2>GTp7zZZ={X8R7K8wWbI}3=q

)Y)|V#(|g`%vSAT{cIA@1{*yPp}dP z(R_cSpy1cm#XVnB8jLb`f_oGeBVx@>|9K&GY2@)4Mb_3`k{(T@7rzqRjk?4isug>O2 zPQ|Amkm|NB3VD(BG)VQFV+(noqP#*M@_BI)Ex?`%B4OVB0mUZ$Ps-@ZW}p<=k#cda zudCy89b72c(PXqL&fWu{2e7e+X&s~%o5^6OnZy9KlPhzqn?e)_m zBF;N*fOS0B_SP-^(>Px6(N?i((?Qxj1J`B4`Ig48fx7yMq1|LcOR78_J3BCymzt^~ za6${^i+UoVH4x&8uA=fvE_v9Z)pLLz7{#u9RNcG}B&AevgsMX$?EQNh*hlav zmm79BtV`b3z6z-YS87+>X}!D{<17#%G5V-zs*C)@l$L9Vk*$_un#9wE@*aj|oK zb7*+!M1U|B7OsVob!xn4*F-*>>c#e$nw($U;o;L4&e{@|VG^eHqD9%c+$OaXw5)wo zdmC-t+?a&kR}R%&$=8E-g~jsex(ni!>&`43e#FIb7Vc7QOVn89-Gu@>j+xGRNr%KJ zL8Gw5O4rekvB9)ezOqxi zuq$af8DU{Qw_Iwx@V{C{_l`fkyvU~`-Yx<}jJ7u=Q+>bT_rTJvSTH}PJ!FTcw7KGdj-}l(HNwUNSE~`nEIb!yZKMD!$iBO$ zkL2@?bx+w)wC+y;w#6y^jY=zubJL612HnL#8sj{$bOB3EMNsbpLE0}D>6SSmKVQ=) z=+=ETI7GBsBPMz?b;m5<=qZi!#IjO0)Xzj|Un+LEKnt(%&N^~KSZA)Usvf5pz(zVM zB4|574H$~T{#PnQ>0XB?c(G+wklfsyf2g?NUvGq*FR* zYv~^yA}6;Ecww*PdccJxtrU3qi1nHw%PLfRq8lk{9b>oYO>Rr+oGuRr($MLh)1K!) z6d4_zYOKAXAVw;2eYfQC(7R?4qJdedsKLF&*%A9+^hfdhka%+o2~9r@MM7xo-x|OE z_H^Fv#bXW=Bao*r^I#kIvyjUP6#Cv>LK)AB7N)1Y~cWsflxj zsERU1FW=OpDGmsKa3UQ}j+K{VS4MQSpbR1ftX12!K!QcPbHc6cE^lLxU6mR{}unwY}wagdjhE~3E` zyW5YN9btW@S#C4XpDDFf@F7dK7d-P)S4#mU6&q{CGvxwdLg1O~V%3eYlrSavoU@^{ ztP`xQ^^&j#6RK2MCTfZI`yQU-ZNAn>gvpCB838|pE!jhq^TXi15{kqQj;uu3lC#&C z>2Q=+|J5eR_PvToP;8T+zHB?AJ)6xgV2DTyCN{l>WimHL5${ zsDz?u4*cu`GH|u$z5xlo19OL# zEH~|XT6t}bdxWF6&>SsxIy^hiSHN|?zP>3EgiACkzXd4pBe&|m)C{wu1WgzBTjW@% zCS3y8%p=`9Evs2Lg@Y~@M50gxwxQ>9BVtH-s*l-kI9pS9{-IHjn8JO&a2X)Cq-2b2&fq3j4| z-s|?is!j9Vz~dOmQle@RI~T?WXr3;y@+wT5m`{WkIku`#0nQkXI$vzbeUZ7bc8ecR zsbcbup;7v~yt{F}d3 zT$&;w9QQ^H=iwyAQ9Jv%Bw4-<2r#_srHO-x7H2~gJDDhDKO~rW28``q)8krOdt_lv z9KD?xr<7z=K_d6`0!gw0bgrS%s1bstW;ow=+R%L=$<5mkN@`bQNXRB6AyMFeSsoW! 
z_ArkIWyi0L_~X}nW&PJ&Px6_I6#0w0_bs#W2K1!oeTquwRVfck zjmZWcPFM|3)Kc>Qp76Sh>-?ADRq;=E3uSnHi9&Pj*dBao7rXF@iloMT>n%+~shnQs zRum^mLB|i&?&P{iKQa4K_;I1YEZ1w2-p>~>XBYEn#jpT4YY1iR@oquk&eGW9c}IXfX=nV=g@EM{cIQQQ4c?zwd0l{(y`5e-eV zlm^fu$F{kc4*sAX0(sQ^yl1+u{ri4C3OtU3Ogl!*jPzxoL#)zqSpIkcs`OZx6AL)k z^Wq`=s@NCs{4CFOJiJ&KEJamgyt2uTBK-57jhzm7+%a|VwSIU!A5uNP6r--^+Q1fE zbg9s#m}iQQz*Krq7ONr z)1wQ0A=M^mI9wz)RTI^l+K zLeck&M+-JbCE7=2X#*#tk`FTwQ&zeqn=5hY_N%asy?NE64~qkoNfX{w51~}&cuj?nCr6AVxNn){=@a}p@rA z;#KhoAH5F6yatpiq^YhneMeW-DGv3`&DL3XnO5vLK88gC-4hLcQd%2cs^T+{P!jY~ zI_2uL%Hrjr@F*m&L9w)z3fi{6RnRdq!cVM)9P9YWlMK)9ad&opTbJbQ|6D?Ie)HO* zH8c`?yAKo_W`HmgDoclF$RCtJ`4gZA6Ql;wyA)HTB$<8b!BO9PC2u|3XW8`)$y2WJItGW`P zt7K&456dK1(kJ6dvmF|LXOHRdUEhsdKxnmWa7`FNjBsso`OuVDR_0h#`o-eYtlVgu zfhxI@y`O3?-)jIP0k3JJ$v}Gdf`QQR;vj0^023WKwovqG`#0VA-=i<6f-sNitOcT! z>zleF6w6;79U4J=X!xeUf^7-CWxt@GR|j~bJ(DI?JWB!k$D%k1?c+zas`Y^sel{yc z&jE@9#i6YOCl2CpmgpY3D)k(#5bqOzO;NGh+w%@VVScFVX@op|Iu;vZV~-kVm%n&c zS#8l5-OB_=XFTAipBv`wZlwyvImy5~t?BsOaVQrEEni+N%oA2k(JGi6@Mc%^2x4#L zZL>XTj_KcC8CzuARIq@QcDKDZEcf7BJBbQ0Bs#amC6!7d(7Yb{RbY3fJBpD{7P-J z?=d0~Ko~QqP-lBTMtkgC4q20?Dw8l$y-Y>~F-cM~PxU&<#^mZ-)2&4k%H6zRkgAX) zc>nRIQ=*uVLk3ruy~sIwEO>vIypc%=v5KIREKtn7H*hgwwm=i2TT+OS5O0AF6jKgs z<;}=T$lc#d2*F=v^1xt-(-e{OYzi!Edc{cTDbFv*2hdwS*Lo@Ugb!%YU_~=Sy>S%+ z33dkVKOGHh)=0%#T={vI+Cx?q&NPw9re-=3 z5I|U|4Asrnp&R8IeD-|MUN;7{Wq5$O7U&Rd+~rM5!H&%U8?#kE@e{-g%q<_J|=Xkxp3e;>adSnuC(!y9t>ptJ~%(pHe zTYZe(k8V|4@D6(;WTL{qY2Xe&RTXHffHc8}jU_vyr;HYxDOk{=Zq?9QGiOtiw`y*o z(FtvBpK>zKI5K(1D`_YvlTu%@l^rLF!lU6jM7E5sA?incNg&-1iWBv^BnevF^kx#f z?F4y{HMrnnRRTGz|AVoX2lI3Y==9>A3R`6M+B?#L(J-wlX4MViR0+If7Fd%o3bPdmrh1F!0=`s$7kr?$_}WyTY>Jko*ScF94)c)!gAugv}hm-IM);|8Pjyd49jCp`n8>! 
zHQYT!E-~CSX;X^za}V=F5HkaVw5GSE$n7~b`R-w~-F?Ra+EW)29roR64Gj&7DI2ZA z$rw~2z{<R@CmI)3Gi6+P)0B1rTfb!Q7x(}mgBH~ zSP!1DkLB=4B4lJ{Zf<-et~gF)-}U9Z3kA|!A6XB-aTM|@Nl+a`y=zA7^yF~d(se+H zxYz1MaC>|VY-jjvh+=BW;0xevQyc0~YZgcYBPCI^zO9OZN(e{GWaJWOeJ?CI$|AB$ z-6 z?wSs*33Z8eZh*@4rczH;UeA)d;2ie!X!BgGw0A>NLSk{QyyncYxfm*paz3?7;(a$> zNI9iq)MNr%LD8~CF3*R%X+)MUbspK*KcW=Ye}$}&EqzeF!r)gX<(N-@GLxCT^agJl z|9J1vkM`^7l}LBrXo`e+4e-oUT&TB3|Ma^M(ZwHMyjUX27fX66d#x+q;39th8NCP%=F z-y1Y2C<=J#;q-)t0@?IQi70b%5b4GC`?8Mws|7^cj-j~mz9g)a{O*yc{~3Vlh{Qw1 z)lF=uC?S8P3kEDE?HRk@S(#Jo%x7{_eQY`8++G}-R)qzDd<^817i*asEM|i=BFt+i;5Z` zwHZ8-_~LqF(7@mtJ3<#V-Q_LzW%z|(qwFrMjEQ#A;xXdg8d)2K&ugQpnHPn8S=N0* z8-_m?M@_?Yjk2dx>uJ7kHV>|#>m2&=C2amREpX_*=Ozy_`cQ%QTbRH?Nqb#p|HBbp zN6=3gu!S1N0(|f_)(4%Tvz4Ao;Z?ahozPD#iF-`%2}%ARdtVt9)!X)~fP^?AEdv8e zDk(5@%7Ao8%21+o!_bXLOP6$acMK&cAl;q9&|9vAfEwR>ahEULS=jPfP@fM86o`X?odcSPUC8P?IQ-%(Xik zYnEMdi(j2>9tEfwy&`gWaV2#W&#Les-hQ7_t8NhO?RO{V&j}yCn%Y|k9@&B^4-Dro zIGj9Y!(sxIk6sCli@Ws)=4q;|6rd74X|S_ia0q_+)i7&YA1IzT-0`WrWd6-Ws%K%* zc5Vp*RP8BCj>0Y}TR>O;G%d+;JsZOe?$E@-!{??OhzrhxqxkLFqr7=?)8es(&PXrF zwiUD1?%ea34s%`QqZ_iB3tF>xse0Dy(Z*^mDriD_A9Vl@4mEDPi(y6h(n0^nEFaPL z6gXev0-`=Jy?v)%Iy~9ob$RKkrh*-7)%%#?Gfa(+VCem;0+XC>DH3t!NAkqVaZ}Y_}MtoxQrz^wpb6k%x$Z=hTf7YhT}~OW5%&Vw3m} zm==|W6~Say%BP=|p-caybTJ7k{u1^ur{086k}B~9>x2~kGA41x)TnvhX_#;r<4(pY zD@kFT54#}-ZMSOUD}hyx|HukMW&gYUPSR^~3uF45r1vk%`B!lHxA+hLopdAmkJsm4 z)tCSE^8amHsvQ!HY?Z=h#cec!wtfe!m$c%I+x~CAeiMC@C4J+@0oW8}O0h_R-zel> zT=2(R$uc-4fyUb>I$p0Xe9g)nC%Ks;)@;1!2@DPcwP>I`c8&A_eq^e~t3nPY7V^vZ zbHmP(P9}y!>@nMKtHI(*&uS}%&ngS^`NYK=YUbmn&233{gR z*DQTyic+i!iCR8E|D-=a-bc`>;k6FU?0Uo`L@HeE3Z&%{kto~Q5%dxhwwlc3*OsPo zTTDq6wch#EZJ(`!UoRSa)8&oN^m8!BgbDt_zWh~G=Ia?2B%B^tvZw{lW`?kSM-SKTaS z-HmAId2OE@CQmy!It-^F??NU$9CH8`*VjZOtD{ki$z{1ZD7+kgx0`^|iV^A0H%(?g zY|W~)-f}YFChZxNVI25HU}wnB{`jq=vV%N}(7~9<@eX&!Y#>;>{I12m{XhhCV9|)` zu>paJ^Uj}NZI98H-Cl`QBLe{U`!#9jstZ&$b~qI^TEEsK!rajK7o7K)k5bs1zYYlA zsBSImJ(_npOY6Fd`KKi49`+Yp6x6o;7VP`CrGgyBeHWJ)sjR?2?8_h03_}Y?Yp#Np 
zq#@B>ck6d1TGG?va)T>;t2rFPto{QcXBJ`NK?^LpjOeI5)wi%p&doZ~R30%oQ6PUD ze)e*Amvp8*i%yFDWkGA^#nq0`^>VbAS6pGCIsNg)V^kpS%v-7>D~y+7WT->O7o0pq z7aIMa-~rV@5Az?_SDbeZJR~!-&mNVKn3K($IV;m!J36yB87W?Va)9fitxZ8pOoGZ= zS}*8^;D_G1Be-UoY7Fvp&yY`pelge9S}K$g*dx8-gBbd%o}J3_g1JDE-@~B ziR>xs!YPSb(9PC6Enr{41H`*P@G)owd47Wwc<@gzhjIaw`)Lk@q%QrF(0(e4ro683 zdBl*EE#uQCcRKV%mpury!mLIXXiL%WblYI8?Cvg@_dshiLozkp>UM7c2w#!SshWcJ z7A%#uUO2WnKL1Bse|G>$^Q9Whl^la=j?9SC~Jq8y9pYbe_*B`|2%?k}2=o zqvJC{lnEI<3u;~T$nzHZD}5ZXP?<0A4xR5@znQ0vQc5)YTg%Z|uHM~N{MOdVm`iV; zR2Cg%v+Pdm@`1+|5l&uWRC!>`jH`0A?5#X)sH#{4^8Hh?hKtYF^Da^>KZHxq=;YP2 zU;B+Q5c)j3k~zXLZTs+RP|U^4l6QnrU`&KA1v=iewVAPP-IPF0ouxV!le$LL5y~z% z_mpOC_-V(*)JVkZ%nFp`KSx)FVXuR&OzYDvnH-)W5bE%Sh$p*H`ND(1GMXo*8wL2m zd5QkiAqdJxuy}aqnRFr>#>n-XdTgp7NBiOj!liR6nz-(Yhy{MU5;FgZA+gi=lhyaV z*MJBO+V)dmDvei2+tmX1TS4ZJSI|Fdu!GqX4{8%+WTk4#o;zlURk*r zb+LZ`_>~k_<|if;v}&!gtTo&vK`AL6Fnm+z z)#Z?e$e-aGvQ`F%18#ex>>|R!Ykdh4?8EG13&RStwXq`_i|)N$Hi2SYxXq!+=IzJv zPA61@chTH-g*kO=R0E%oS&FxLz=AKrr!|v{q9G)d?JrwH#$;iTkA%$^69QvnbM4Am zS~x7G6f|7Rl?hqhPYSMH03=&(9dm-04h>NyP9Bz@GbNJf>FDir>LtJqW)(7$r1z(X zrlhtfO4jYiYYdEo(w(p&`ZUxZ%lN8dr}}&Q4apE2bIk5Cy*;Ksdd5}zLwTx~nZwNL zGk$pB35r)4_h#B&se#``1$!wgm`E#S4Rh(btuIpDLkLD=v{zr7U5JIsD5g2$}nmS6@GFc?biO632lNM%#xLI|5!*GP3e&i&!8~$`*V{ z)=GSI0qLA8DGPBy=8`BP8YtwZr>6_2BL!jR6U8|Q3LK$VOA$jH+FW9hHBLu>$(Iv* z9_Kh7H~oj~lhk6oOiaG4t*g{0b0YikU1Mi4*nA0Y&h)TmF@Q^js)qC+*?(itjI6)4-rb zW1cff*RpPT>v8=6vjp(J^0I{8KuY+y}c^g+iY((HvMuQ zMPz}KTsC-&nowdZ+3t`nc0YD_b~eu-Jd!TuOYWMH>n36{rh1rjHPtSkAO&`sK=Bf6 z=}fxm&G<|4BhAQCiPJ)!+G5GuS>BK=Gpp|vwxg(QX~}>FLBwgWjIJabK+?xF5*B8D z;TO!Uw%xm#oMUJx(?mx{r-15IcJTd~Y8|wII3Exc44?|Oh)wfoMPj+GlsE;@C)|@W{~U5k4`o^m?)jCSrY^56RZcs|lN_>2>Ppy>r#!QUkI8TA`-^ko%Ai>z>EO z>BA_!M<)2*tU1rq*3Z)@vkX)X)wphUH`hD00|d<(?07zIGO~8LUrv*%*=zCK9n#PU z#j*Rc_SmtbPj~vcSGw;j^Zp`DRGDaPm7U12~6{)I~4EE$YA_ZI0}&! 
zj&V6bI5=hs)OcxL2YSqxP|)Pk8=%?tb9VMrR>8fw<$+yBv<5|F{K}Qq?agx6U5?>m zu?@8MR%qMqo{R98&R4MnY-p;ARdt#G7fc4OKF8<(13W87>l*M&&ZrD3etcmbEl*gz0IhUM;VVWgPmh2sg@i(#iK zBe|S3ildKok7#=~{JdHUAFnW@D%@3qF0U?UiOuv(N9@`a!*e!Aa~W;V<6Cd#L3;jq zi5jk3=bJ%bqRp}CX^BPK>J)6Y$QbLpMK|rek|a1$n&K!ghvM4NvSgaw$FG)VVUf%v z*`|Hr@45r`iGp5!kQ}s09qmzDtSG*UpPhe`ryCq`KsTcF{q1W{R@^{bHKN#VcusOI zyk;ELsggeRl^g2&nik%J0Kv1kweesFby_)SyvCAqk0@pU~T#qp}Sxg^O5J4oqkTJUb?4+ts6r}GU0Hzn&p^6m~j8kf%Fhh*th*n@os4xjE1uccJ{3WS-uBk*4OJG zXg_|Q*?>FCh|tAGRv5*w5T6iN0;{fF#>|^c>>7uX76JdKbDgc=Nc)|;eNL8by%ru? z=-y0G+52x4McD=W1#8_J4FS}vkG0&(qiQPOqdK6gI%{K@7M#_Jv#d>Q-PTx{aa zv%$twcPUexAn`aoRo)f`Po>2NhalT_MX&Zn{GVINl>^A8tHIPKE1dtBzoVpS@Yxl{$yBN8??k)G@1mC;Je*x2E0H z_{hsq^sxBXdB+A9XAH?vwK0g`qo)SLHk&_MmsR^!>Gl@fuXIih#HApSWZ~uc)%;w3 zPYO6apzM-lsXs=F0x0ihIXi|0XPW$e`Y`*2UHxP?SdQPnqPi?12wp%{b|2T4xFeZc zQKjZHvhcXn+ucL8!!)0nl5{)}IWp-|w1wi?uE0Xa=XVXuP8zn1h0}-|BA@4W zDum)um`t1HSy}zumJ4ER&4-tPqtZRd@p!$=iCMgDo{?5vFIfI#Lx#n0&e$m%61t8v z-@%u^R+JPtsrvgzPtLVQl}5Zq`D)&U%)r!Wl-}(Q66_c=4;ci`75u`MmDONKflX{O z)@YR?ezuATP!nsNYT2~8$L&iN-MGj4S9<1=kRGr-8c^rhY{8;@`?i^bcEoDYV{HV7 z!iV7uA`G)~1Ve$1p2Ee~?nDLaklJ|cmSOx5`nZfq9hhJ6hv?&Fws-0RvK=MbQA-!` zx@5NI;*WKIoawe;iHpgiI{P_|D0zBcPXWj1Q8Me=zq;9}Ps=w^!q4DRFhpOiC%C!X*1ORb(o@!5x(%R$xu;#A zN{ySPrS*RfBG?U@4!6jwJy&w^C!gS3tzLP&lz8(-6zF3z&<_ho4Xo`&VCVOJv8RitMU&DsLWGZ9M`vCVOjnUkz7*X4 zG8&Wr+f*JaK=l;Gu16vIcRwGlKW8gGI!(-JY?5KAce}mbw^{uH7rXct4A$;+Xj-`2 zh{iv{FF@(ryq5)49}tWR74H3X+(EoeN2gk<;!`lTmg13D&7r8I0_xCcUeMdj5Q90F zvu4Ibo8u=~&g}<}gQ&Uo#50}A2{z;VYkm>%iAiUsF>7DRBO9;_JazG?nQ8bg_rkR9 z(jU`x#e58p^Z)H;Cl7GK+H$*H{hGy#W>rx*>vY%Q1+v0i5oC*GXuX>sCmM91H7sd9TEKD_@~~gG ztjjl#jJZCc$l!66f~6)|pQjL1wV?WXVv&Sl2(1@$j$Ou@2nTUEQjQdD;I+06(B+}j z`1sLtf~}ZnuTpokZ)5+;1u*l7i?du;{S~jxn&5GoT0|Y*%SWxL9GH@`e8kowrX?#Q zxii_Tyl316>ffx#RVAwG<{(36XB0O`P^6r%WQ9F_oAuT_#t!8(P=1@f?Kvg-+rhB~ zms#^%x8#9+h7pAnPnuo?SM_+46!MR>Q~c zkllB;Unmb-$wY*Iy`sCsH{ICPBK@a}lAO_R^?iYSZ}pe>SaGCOXU2YssaebWi*riH zs62zLhIYS@T%WmrB9`!ks*KvVva-@-U?*YghiWI46L`B{@Mh=vIQ15{4`gg?`eIl; 
z&EqzwOKW6iB6lRu@Ep}pHd7+Ig2a^ZWM~c`JxTPEx!}8(!Rt(86Hr18&~W6Zy0dg+ z2AJ{Xuj+BWD&qo(G;N}|OlX|{StZ2;^-?vg$CWQw;#0P8uWPIW69+8|OG0V=@rRn} z4OLZ3J!$=xUr}_0R%_0(kVr*R+f@`^5sNo%8JIlkjSkcJBu~4s;^mfT_pV;IX_dz; z8pSRVQKeY{QU{!hcQsKOC@PAS#liD+XkAr|=@QURxTPIZoN7OzBXSJTAV`SBwCLr6i{iJnpzx#E(&HVgnnRW~-F zWV3Eot=sWIo@!y$R(JoR8g+>TRQPVBHD)euU2^Nyg7Zy{nVa-z&Fqzqf+nyk@Lfy> zgN#-SDc(}|3ZbISnB;Gdo?!5s3yB~;j$|tX7bXa`8C|8iKTIC7K4!Nb)Wcb^*mAUy zO&F%JEjbbSn~p>q_EJR(_srL0?uJQO%`frhwCPh@N9o3OfwA5D>zeT&rL&7-Qfy)| z*}7u)!rHGX)Q(W8vIvgvcz^9}NBrORcXwzz_@C=15%G61tKy}Qdhr{j5Q>9NDP2K{ z$Nqj~FTUjXPK=3-yrG+6Vq?>AfXA{{DC5fNit7M0Mut+ZBjQJfBEBtmgM(g0No9$S zM$>&zqBhP>Dup9|CMwyqU`G0%-ECUcO|EUZN+bu09&pna;s*!DK}e}G`PHsCs;|~e zsY*g@(ReB}n@pa|voI>p8`pF)W}Sgr(wHriv-+*BR?<4fQ}|_3jjCc}bTzSlNIYOX zlrYFp&syt7724{PaxC%;fnobu)yq;OtH#c@BgARd%0T zd!2{#V_LUU=#`F}-Jbi!By?hdD(GN+exO^{vo-TL5&iPAVwv2hRmn+G0c+cnjVZzl)(tO;2G3J@{0 zej+1(e~m-&L+yu3-e^QN-1q(c2e_$s@E*Jnz5j5EHhr|UQ-r7UGheSp4_I4MYsW6Y zbE#CXENpsdsqGuh6r;)*xNWE>@7BXwVq2XB#+ot85iXq*g&Zh+o~F*bIZ*5R4gjFj z9*S6QhcGD!&go?Hn-yQE57?{YggoRF(qzhfBTF2`dYh(ak`J%mdPCHJ=aJ&?5Bv({ zR;o`F43=*j3RN)y+5eS&1<9!+2!SSQYFl0^nhjYmExj3E<>E2gW7t>dc zOKr~+9Gf_eg{rQ_AOL>*9T?Sw7(^%!YHwKOpGtY*=YP4g0Gr%387qHX5#T=)SDKgS zbDV>^m%}=OePir^ziRkr(%v;GVD-jfefLIg>S*pfNIgKJi2ka(+BPNE(%j^0RTv`T zHGOf#Nx9tO_z~M9KuN2}FT=v~BO{hZ)MHC1;}Z7xzFqlcWYko!Ntxu|SSpp(UQB1h zu@&QLBph68t?sGSDOfUV9n`sy91le>R=PVY#2V|zTXgRhJ%6t={Yb`FM#w%?rPp6! 
zqVsjfz{5y{9a`VqKm(-XI=9SR!nB#cCL4I7a73v*c%91tZ#4LDeKalmK${UfrdRpM z{Sv3jClr-!?RnELx6az_rn5-po93d-I7D*<0GuQY%{OuJ8k(4F!(-Rqq7FUXoAco- zuzlxS{j}eQuC!E%cKQ6URNykPhe>A;nQ|t~LHyzZboq^kkMFG`z*CA*-7N8$R9?hZ zz)$*6@}8Q@qIw zptO{A|M>7H&LAt#i_?dI8mKBy)6iy!*+GxFbwa@eDdkI!P9TQa`8r}3)__c!cS1Le zUx`%yRxqkp*IPa4Qh8OZfLlWWRNo%!wf*=efsL3OJoY~SOYtDDlo+AOMhK;=-}?jrGk?rBS9FX511sOVuc=%~rgrw>0!YMCyUzGWz3a>*Yc6V2jP(>I8JOR1_V%)dos_eQ}p(;0IqlJdB zk$vx$^;j@^SQxB#T1_jUt;LzI5+!HcEuXpaCX z&NfqAeLu5ZyP~(_B6>kb5dSM-1{8JRqYzO4H9+?DMyYJCKYL) zXDEw|Ee_>mO$Yvp_>4j2e(jRFZ5CJnhd~)FN@>AkFI~=h!5TW@+uwhxIIp*ovi&Nf z`VOJ%9szwC><)08e|{Pvm)AU}UpAz4^_HHQ*4Xv3I?d?)${LGHqj7=UXu3vT%HA}b z3aG5THS}s}#vGcE@~)pApWscdO!o&qd%-HFy^=V>FY*_M<}gdG!v114;8u-;*){IU znHX_6-c`@2kiHoS9`Ky$U$~4F8ggoC zRM9A;@r76$&}3IvHzo0C()33?Q}0siI38Cn;5n+}Q%A6R%w_09CcWzE3U= z@bNgAe03u=?Zt^Z+r6iWTV8rCS8HJvg%a?C%PQdj(Ht3Ke41^oTky?f$fe171J4nMsS#Ak6EC|28C8>>nAdeSh38P2W+L(Xlwa)MGamJzpXSgndE3FVD8z}z-8 zlpq=4k%b~bQ6JfdCh0s&-`t+4FgvNGdA3aibKiJ+7c7w_SGly|R=U~wSEmSI zjD+33SXTS8vs9qsRU-lg<&fKciJ9C&yKZ2*s@AKyo$sU58Sqfx))-Eg&?};n(E^)W zOjwN`=_XxMUF@e=aH|dDAujWb!^!*nfv(yp5qGB6YE_b4Fwxrg)sKrnIl&QedHGzs z*?#v`%EKb!gvN>vKNZUoz!xEuSi$#y>?zaU@d`&o@mDjRupj>#Wt~(4HJ`!KXs5#h z6>h(3yDSJQ;oOYT)W~F(Sl=pm5SqND*6al!uCY6KsYx!MMk>Utrs0PJ7;jcAOEp<2 z4w`OS5yJ63zTkKs|3%`|h-_E>Yk{PX7-ZVU=$Co?0(Pfb;Ux36dmK)z(&^?77pgHI z&Gfe<^`e~gX4OMY?yjMfbO%l%hsN#GSvl;x@EyjRgBUi%Ljt z8DvXdsv>tUpGl3;yLT^Y_ojjh7FXvz_(fEkYyIPaxm$~^7gmYWbKfNjBTveUi}FP{ zYdmDtYU$)^wNd1nuaAK5c^S0J3fU(Q%2F})bgDpIiuPvjJOlu?vrem8ruo7phS724 zZjP-Rsr`eTE_)kSGnFf~r9bkwMd^FkLLOe~PPUlE{u=r=Eu!U_%qnumvwG98N7p(= z#%>XaGe!o~JuK<5R{o=Iqj6E{_VE6Pv%l(g1kFdeL!Q^IZd#}&_2#h1Z(0mx>Qc%MMIN5eZy=Ehj zF_tN5YspkZzAJ93#7M*81_5c+vSuGIx|GGbLHM@Rg%ph_U1ioCfCzpyhdQUX<*j#Psq%fN(oLv zDa{FjUJ!7rF&M~UmY+vO%_Ta9hjcaB-xn$9urK)e5ZW#4Wks8nt^$M9GZ1c8f*O|l9m)BJ_N7-AmDz7<~6kNifn&1EG-ti@7SvfF<7LJU?S$}LT24HQRt%PC^1i(aoP|Gf9>s|=rvQYT_^IDjeJZuoHdto^D;oeQYL zuM=Q1%`72e!+L36Fdg{AZY=uBbh;_wvl~7K@zA)Oo=z1jra2-UQ;dZUT!m76=HLx7 
z9;12}7tdH#J}Os)t9%legUYp6B8DsDllqG3lSijB+RSlu*t$e&w!tsLE7(JjBIG zRez>%$FWYc3-L!FBnFJ9=FloyHnR9PBRQykD;AcF=xL*h#?EbJiS6Bh#(~ zum%e*GM^n@CG#o&bZRYd)~a@XNz#41APc%rump%M*x+Z4pXr~T;R2tJ_9y|U93Y`b zhwii2w-ISnmmz3337LC}fa>Z(tE*ETqmJykSkKxo&0+AcJAIe1YP3N+Z8iZPCse)A zg%F`@YVBRM>XR*fOTZxR-n?YfY_*wHE{Az+brJ>)>R0DBD6H~2$qh!Ol?Lc_X}tdh zDONVljo4j77}O`i-YEfZFoeOYV-^d#u2BR#e%R)7^JARWFGcIL~_waLQw9d0E3;6_G=r2PA@5fPsmsN4cGmSctA3#R=c=wuo1j0_b3mH^}r#HEv7 zY9CU{lRr#v8)r_33vMqX5CA8fX;wjI_}6eUuDKnhVzpqP_fb7R21?I6$V*ZFG00FR zJZ~9_Q`SM`r(gaKtc@Bt8t)0**y;X!f#Y#th7n<=%Moc}A!o{nHFtib40L`&jEB{A ztzbu9eZk}IV?wEWJMzZBHw^#1$;MNsTA4pHB6^X357P0e=fL65gKWl8IHqZf>OPwG zvk15N`5k$2&$xc2+N6|jhh6^pn2ibH=KeRNmkv6{5nbanZA1H8WabMm|L}6mW0a#Q z=Ocv+>0cxA9_sS3sByFc+Y<_+K&-u1^5@^a<(5GW^UZ^{Tv0AXp2ne+JcrTelp5iv zITRTeyX5`(rxHKLQ(#<}?W)di|5duTF9tKY*2bF`+M`3SecOyu6hwK(D=fZeB>mjD z^lyCYk4$c|Rbl3~n6colUa~#G5xi~_%2#d}A+|Pyok$;qz5ML~@kR?HMJ@cC{XO0v z{q=j~-*(2|UHD`5s{Xcm&3LEC{#d>L+poWmKo_;=D_!0~|MRE66IH=MfxyD$_s0Kq z*#G(jXVjL2QK6sy&xilLOMwn$0u}iCreys0sr_pV@0ABnf&8A2rqKUSQ~dAp^ncFd z-<$AnO884n|E7e0Q^LO~;XmZ;|2OP_^(Y{uOk}QT;>{a%l94Dv&=5MeDgOTcfp1a> zF30Kj=bY@{7{3&y;R+TR{d6|$cFrLv`;6^;?%Xrg_}qcVz@o&7zx#m+GVXqM9t}H7 z$>%vTxaQOQB6xTP4e*aT{^SD&#A`C{EWdT@I$?KTpSYRKLk>>P2)a8jdc41SOVsp< zP2}JXs^okB_%!a$frYq2l;&T#0DwBx4@jSkjOKuzQSuh9?MzoV>kFp4Z9<|Cdz9tP z+GszG6<3CGYo_YVUPd{7M_X4pymU7DRu(5@^A04W8lF4>Wm#AErbVW{E>KBj#|VYR91t68tOyKU>;6B9rQgTK$TJ zn!k_ovvePQyQpil7)||`PvsZT{s4w|#1VIs^OC{kPbp^hF5a7%h?tK?X@z3u&o*E& z*40l8uv9h3;_T>NV%4%;5RwUSBl!BW)Je7+N<$f03ZImJez*gz#GQ>piqF(GEh~}7 z+aH@Mk%9_sEMzx^ND60Rj>z`p`rUVt2;Kbc{U5(^O0vW=x|cX)WSavcpi|$!&_#(E z&B_Y7e|o|aXMU7PiUMxcM=FtOC9I7A4@%@hu~{YO4PBCKWN?Q>T9a?zl!MCvti)Eg zvxr=rn>7n zsS{_@AJY(yP1`AJ(*4g`ZHTeYA7JP{aN4A(>mC{!SV_;&SM>LHRIe*(SUki5SOeXn zElHO&6`1z7dt0G+0BfUXJJr5M0bzh-_UMcZQ1Ud!gBS0qQ26WA)`;m3^jrFk#!ku6 zQ6E*@ET$$?ANyzp>U!2J@W0;lNEOBU^Mo}I$HgB}FpzvbIb`0>&}YMJR}i%Lu~6f~ z>1Am0Zl}ir1?0-(QNY|yx(f7%v~8+US689GKQuYP)m104-0^xQQ!tA`re>l+Ck~%Q 
z-P?Xw6K6tneFkzyxTEn>S=CeEj9PLiYD<5-Y#S=)b#Sr#I~4t&`2l{UFwCCH<++bIg_n@}0o ziv0)vHECu4O|RR@L;L>2$*C5`j!B70oWqyL2LArs2Ye^e7ykZ2WY_{HZN#v3%vR0nZZPsztP2yC>%O7n3j=oQw$U9uzCd8Ew<8v!H!VV6q%i`#ocGl zBR=wKej>uc71()+oVX_b4$I@P}D4s@{LtXLI?g?zt<`u&=E8`{&)Rf&w2z=M8gwS zGWs|X#LsPl6hu+1jS(SgH$5gzfwOu`hW;cg-M-ZnB9q`L*jgBZdPm@@14`Bg;2IbiQS-fw9QS`r zh2!|w#0ZubEqvtRezUZ-1+|dhZ+H29ZWlpAL**+{3W~LyaQS|gWCIUZyZGTpaTaLy zzoOR^ldYRa%4LlikX&%}IW*t3yKh6~^^qasI_8F4(+@C!=)l9+7JjgDmO?%>QPw_(U`oD%4`wb3_kv>2@Ue(00mBS6UX*Z92u(CxoZPo@;blLFzWJOofM%EYZQ z!{&d3xh%qdRgN@xI43BSkpsT~)k!?af_jtE7cbyy;3?KOHX!(FUI*e~PK30fdwp;J zF^^t)$Z)odSo_pv7Avv)o@ystv9ojKz=Q<<^ZM28> z&v$eiTZe|#cWX|*GwN04M(1DR?KhD5TRlJ$~Gpk7xPu=x6`e z3S-PU!MTSHRJeLNCPLsHXOBqxS-Kb4sXFj)Rr)mbm=9=H`p9TY^a8RMjlR*)ky$BJ zuKC~P8%Gkr9~_9>VJmK`yglpPj?-G!Ex`(EXB-pU|Urlh&WfuMVUPQP|XGye1 ziOF((6pX4FXH*+*GL?$)CpXM@0PR=G%~<W4(WH-VK%8JVsURnL*rEO$rpC1M7)wtm8 z6}w?2DOi4j*I|@Bz+SN`cBa{SFy0Zur29FbE&$`Fi|;a%f5qXa$P>vAqs#K=&yiTp zSgsxOz0EIJlh%PVZ~8KxUN`L;J7c+!ZV4aa0u~!@8^z9MYqa?=9+8ECaUO7Z*m}S=fZ232|%GbY%NL~+?aO_8>sUTxLOQo^KKF$WpmPFP@wDz zA8oC2g-S`i;@4TE9A8a!cW<&qY73(LVfw>*vXN1Cw|4Q|i)Ct6{K%Fps^7^*JIRUq zqvos*$~HDndL+c3S2pF$Gry>w7*$& z9|)|a(glx3C;45x7u~gKs^Z0jlv#i3%43tr49D>BynnGUZW)XIWOqBvc)ir8OtnY* z>CQObaof@xVw+iwqa|YH&d(7I;jD-o8;^^7f|oa9I5kbn%jD0-ZS4HrUs;fl`DgTJ z4q0yrI%DWv|79$%W-AZZ!;`Fs8lfaRWM6{%>3@ahSic`nRkJy= z+}6FWzsgoM^y`Tk-g%gLitoAc_T|&($~d*iDL&d%MF|(Z!Q`QGT?5VI@W-#|yx1rL z6~6^T@@$M#9@Zmz8}=WwB%zdftLuxI_`AD@NoVSok{3hIz_@trRlT*n$E)ujSwhJ? 
zV1E8OH0VPwIi9>8xy|@YbX~dqbRtcLT_x*=mKR*1T(iZC3t$)xI?mCw}f#_2S77VZF{<-ncO4j z$L8jNqY=Mj+7fcc+(|0XBKjjDxSsBkWb9EXjx~>UvXrpT;@NFjj%0k|lC5gi+bKs^ z@-4ry=)$5W#UizoyNuPnn|n(azL84_?+0oq>Qq}EjH4HQY){0Yj~UziaamJ%Uya>% zSKK-9CSX_O`ykviuENs)UiiIaAup0e%e%+$Xvd@@NuH;cVjX+jUdCw6xrn4p;~%Mk z$D!gMT&d$IwSzUUjGy_N^C11W>dmIht%h43iwmu&H zMGJn!r2VSFWP}=pHv;bJ7`var)q})_ss^81wafC-jYdLp8Wnswc%(;04c$izC)=i1 zx|Th6Ui3(HBWKg`o2;8~kg-gVH7y#4JK^LDB>DR@R$C{@4av0SV-3BwG7l_gadpwg zrqi7ry~q~32ZFR;onl3F=NmhUbg&XIL7%H3Shhwpc-_Gv{kJWu0T-umbjlht8csg4 zpUP^^$Sdo9BGVMc9Ui0P&;HxC=d;$V4*~P!VDYw5Uz?>!tmT(*>#Y;JmeV1RLrMq8 zd6$aKX`bo6=>nS7{rg71Q_}_#$35`6+ro^ZSjQFtFbwRYTYi2%hsqM;FyxcHm0ft^ zTV>ZuNf2i0rQJ@mMDslTbW+WIL?OAYVY(`!(V)U~P>n)prY2wzAhZOe_>}$CK}u2T zv-!ngpa*igJ-|OCo)-+Z7)z(L+Vmi#Z@E=ZEo|?JW&F_Qd-m(7tmPY0$c^pFgah2f zjIa3L-M&4xUWg-@E`)LJP`L~*zcI2Dz_VyQGHyuoyQQx zU9~}@y}q1dO28dk%)rd-vua#U3V+aUw64Tf26|vbK|R9lq_Z}U60&r0gdOMIpQl1f z@%0c#;m3~*i!Oy1ULV*GHq_-q&)$uKUjms$=z( zzJM%C^-y_6QZqHUS9B-{8-42pzmIS`{$6XGDlYl~4GmiJrp>#{X5(nk=EDl+=Nij^ zhaOie#dB^u^}~V3M@*_*EAJD~nnpVAf>V7mi^0WOc_hdUCnn+RRTzb!J+GojW>(=+ z_wYxlxP6Uq;CNxCO4nm-HZ4r!oQLd29dDR5YY7qv_My0dGRx72B~Y+$Yb#Y)8gI}K z*|_J9+qKEuW|M_M+cSFRrSZ>R?*zAMB#E5$o@*2VEe8ZV)|lyAj}|0^bvYbU1at!U z?EuZ5QOCBUYwuJNob|nUg)V|A*;3{HGgu^gKaT)qNv|&t4eih9mk~9NlQUwZd)08% z@4+8LB!a4g!@dWqbM0@nI|NE&G|}3VkMfQb3!G16I^}Ty`PAhJW#$r9R$E>1)iP6S0|7FJwxbjFL-QjTzXR4u|39pnZh5 z$yo=THamL>unF@I;6cllDXMJ6s!f&i4p5cVtzY<%G0Y0{F|__tfwGaWB6o4;?V)x+ zGv|p{YTluYV6k+KX9LE`U7tK~_eYUwOTS)@Y9d+{XS_b)9ML~p6Mxhr9`ib{C*_rh zmGA&n`TeM}!cJ^(UqS9~b!>uM3%fl2-ImoTJtYISuWszgSt)>!ea?l>27PB+^klrMU*Y zyu`6&cz@zEer~wO_H@xvkeg!8+nUEKBxs)gm((@B%fP~?qC7!KWi?m%3-f*FkgkJ` zvha4!A;L+GCd#8aXlwY5>D9sONxc2(nZf<8S`j(kjqTkKCwNQ9w3d-^fPZD2k-k_* zEB%e35ZJ=WGNW@shj9swwp+{2-1@WZ`~30GP>?Yn_|-s+h-|*m9~%cy*S4FI`)&jyePqB<{f-6V#*fe-l z6M1nMG)lyxl-O@vMm(+kDARt|i(w&10B_SO{H%K=_cl>X^ zPx+kR_nhmz{J%JFxaRV@UH9H=uf6WI*ZO?cj@ZJCz9LU}j@yC%(!y6aQ_=bPIli`@ z7f#w_)z{8__D*n=RLNm#l^jpm-LlwBEiUEWX=>%q%%O?~Sz@?xls!>!_+1O!DOWxw 
zm8X%qHAinp(?rG^uHOyc*qy1dZL59$*l-e&iir(slozr6zC6aiUx^KA#=*a9@%CiH z)=_RpgGcbbi0!IBz?mQxa@pp(9y{$A&u2ALMu;nujzcaS z=#G6=fs~xLt~wBR*X-IS5_m2udJ}ASv^@+Nu}(2>f+#4m4Mh^xC;VOqRsbs6s9p#h zKF1^R5Uc=Y8q|u3=Cl}bI9Z(t;8NWQz~L#m95b(F@k>!mwDV%QzB0YUxd2z``=^&> zos}qNiVej+G+*3o;4IQ+-uK&yeLnK4 zUMTP|^6Da9t{f!QFhPh?$(qEu;1S{`WrWWa;se2e(#;s55vej2EfZ7IC6(&xE-hQe zH?N)gDtQh>9Y#7&0#k_gm7b7_^*D3e!_kl zob&x@`T3sgzFyNvMxompGQMPEjLoZJk48B>`{vJ{SR2W@pB_(6&)ZXqmt2P4q2f?> zn`oob%WfBfu{BdBTy*H$!}#|C@VO!FY{T`l+=O!Lh(wPq#=%*L4rIq; za&&j9cBO>DI?`(AX8=9b2%4rt1dBjOp#`N0v8P;nS8bbmOQg2Z&Pwzf@gPDWK!4ou zK4?-;IY+AdaN-CvdcAtd^-$`Yj&uOx0tbW}lYvBiHIY40DY#v{7q#LB{#?)>Ne=#sph#8Mk2tXL; zats}72Kfd2oE4uL#BbRc@{x7Q9i83Xm3npQcr(xPdp2;HSqB3*sqllY%so~`XpVl3 zy!h*Cg~Qxg!{&r2{s!-4If>&~#{Dwh6`DvI)hpL)l9-3ivjICfngq#G;bNEeeKhh+ zC`9{Zj%-ML_U#-oV$GG^9sg5)W-6o4#T3HEdF567Zc=f<>MGn*#^60kERb$h>zD0M z#XFI5zM?G36*L*%AOR7ZZH(gy=blGU9wrs&H>YX{1mdmc)akw;2~sMyv3{wZ`v8~N zQMb>oF+Hr5&Gf5#%68NWGb1O~^UFQU-UZcc7x{x2j^m~Gwx2yJS5v~3xO2##8FHBR zU1DsE*tQEacvkg>e6rhlhLwdzUh)oZ583*(pZbKE%73K2<}>LU;n%T|Z;tCpo=45m z@KZK^S#q224=%AjR~WQ~!Gg|8n~44c6#O$U^xgbdKH2>#5OgcIqc~*z;k)w8uUPTA zk#1%DN!8dL3*Do4FTP=7)l(%5REl0z+1&G)bbnIMH9V%9cWLt}Tn>EO(_koN*bSkq z3_bkWB0(b8o4&<1SJ#40@ghe*bVYs|j5mkvcrpi1MX|vmN1;z&`F#>Uc08vd)ia zr8eYS27m3;u8EaE#T{inIi8#F;Np88s;ee0iX$l08|j2|&QVke(%1Pzq7ePc`6bga zgf3m?2_JjSz|MYAdU69=ZY)vR{6r(X?PFR}1YdmZd+BKgs^zyIa=B9m%Lk5glVRmbEnRhnfOXsg0k-( zeF6F@RCenMy+#lAl}d{XZBChsLv)YXA$cbU-V5x5ZqH2e_RmHcq!U)}Dtb3`_@32O zoVeZY^ej%2yC<3p?8-z7ppU4FpB~#yQw8YQH!S~j;txw&(u`ZG@mJR5LU%Rs!CDi? 
zK6~aFuk5P#E2VRezC(8MRI!t#aHLXS8+~N6EZTOvqTOaUbT%}cByxBuv?uSpJjQ1OtOg474ERV9ba4u`)O+@>n z)u~a|b}<}1MAIDHVB5!X$>2vQA*$Bgh=A7TxiwOSz~)Cg9Al0SZV9{CYjl9V$hXPZ z+dij&xV}YfrWN>7oGgAd?FeR(H@_B{%6Rikwf<jE`%Q|(i2;6D)Il$@_m)Du$ zzJYGD7}5AEYH_C8R%aU+#fWtquBW1rS1^*_p6zCgI&{gv1;`O85T8^V8)gK;T>0|D zBUC#L-)$l{8Dm3$vPG=YZd%eDKDak1TaBZWdv2-?wC4?&&;>0VUXTi90$l@`+5x*y zDmX`{GI}IWLW^xIVCI}cJJYSxT)Ki|2fNGbWv>HjuF%^5aF0H8Vs}QJB_6 z`4yj6w)w`l8Lo9a%1y$Kmgg?=I{xX8v)0L1sHkWo^u=yth6mR?LTW=a)IO|jE`7+i z`;non+gO8)?+|Wbq?xIxk$6L~&B=X&#|j*9gY1da9lPmZ`|HT#uDiVNO-GmV49YY+ z4hcAYw%uCjTa!>6M|LdrGbfd~dxM8qo)Smmmp{**?4D!h!{>SkZQ?jBnO>m9%HO|N zW56j8c}Si}{zS-@<-!DcN~GKHU45gzX|t{jks0WgRt6i-@6r1)W$m~-7?&;wg(jv6 z*YCTLK6fQW7x|3pC_xDaR`)&Jmk!0_McE)?s4Lb7}HN1@N zT|Bu`ectR#pBSA}oQSHqK-r9;-wrA>M<9^#Oaw>pT^FA+g}2DSXP$ab!tAgrSuDZG zIL0usL>w=NIST%>;rNhfJ9$1a&F97+u}+-hm$=FpW!yCh?B1(cOoX}zwGf45_j z0q|O4ozuWz82~}Pbum#1{Y;f)Wfe^+#HB4>b0e`R`I{BiK%LjasSQ&W&!3{VjkA*T zg!#r<=;r$w>{R^uT*tXHFJu8wEa*BLZs4+{*ZaB#M_e+Zkts0=9PL4Ffd9%}Mr>sk z?ZOhXmNSvQKG5LZk@?}rUswQrp9n`Tk?{)lK8c@}G4^iTXnq!wGL@J-+2W+i%mKS6 zc{9%J{u5PgXKfTwo?SDPt(9`bx9g7R=k=(`Eqp><8yZh~-vK_2&$5iRp*RibpF^p7922RJx5Za~u9Z_Re7EMkvJ5ApW4 zx61Yj?_%;=&G`TDWo1@^jwy;STBv?4d7VYQaj+6_54Q`(#+Q`a2W-xLf}rBee@Z5w z-#PxOsPDT$p<{Uu;qc9PzvBs&)=+OLPWL$rw^yhYwvC20rxq404m}I~dr>z<-F8-% zpn8?JBxOU6*Vebj9;Qc(#5UQhhnI!KbT;6XtHV<^E6x;F&NS+eF-JkfWy_mqWfszYAHnsr0O%r6#WLxQ4x7Wq?$EE$Kf$p zGSE=0&f&y(+UBAZeOppTS=%35(d(NHu7cSO)~-8qS4hI0Pl52@XH)%fHSQ+b+sSq4 zPl3VPAvinYj#!zd+XC+&F)H5Q*%NaehnoC|DnF6Ry0D-#GH}tk5=sZo(|AGJ#|mXi z9}1r1$KGNxnAvt8i!Z|!O%u%_Rw3A;nOu0@brsNXB!j6vLZmFH*m$wE-=h^AWkO@Z zw+?r6+)W;H@*w!qCAHv(#Qp3bW|H{k>OODEfTHJM5BeCwCj&PVHKqd!oRke+2mp=j67^0BC8ykq;$txvh%YqO?!PV5&V>A6`p z4;D>|rTNRc82W1JoRbQU8IvU*Eu&;+_shEMHOF6^)^2|Evgx&QYd`bSE9>}JY^4;P z_9^g?2G*#}%lY2t=ZkT|Q$ed}CPDV`P1;(`XMv&zm^ySfv^_laU$#FP{`RE8e8qwU{dzWyMy9>zJ#) z_ol>~cSd{oI-r420Jn)3x5N1+u zG#w8Yly&*a#;jc31tNK0rz{$jZxx8oMDq1y)}Cm->PH9iJx%wcHSr)A^OXw}>Sh#a zlcQUH_v(C(!5xUO%=YZZe`sZ2uOkBmMaFe~{JzvMYU30hSke=|e=dJLeA_Kf1~MID 
zTo8zm%?NdfvN|vnn2-_MX5DDLDzz&e_mc2c^VzSnQrbuN7s^VVbd~2Qe`Z%T&spHN z+EG3^o22M=G8S>l+iy3(D0Q*^pm{H9Fa~>H`G0W%`fEk&2al}E(}|&O$P3kp>X@| zMLoHhiBNp|=Nq-&@{eZp>ae>aQet!sFR@hheXHk)Kn*ykv_zGSB&%yO6R=@R8!TW5~d^-Qjq5Px!zZD zJfv4%+8O9VP;&L%!>fFaq#VOBpQ{j61CuKSeP~(xG-#UIN-@&qVNT8!#D&7HQmY$2 z5NbF_ouhR#`2^Ls9@x6tUQ}MQWA#u!bbXn{&~~Y`in2T1=qiN4VzjGRc0Bv{np6_! z)1N$s-O#jT|7Jil-oo(2oI!E^V7;MqrN)*@d+^H#8}K|j^4-0Al%HQ4m46Y-lT#FB zBJ_L>ff-CYmNACQX%}5iM~*T1Y3Ai}f07Z+<$e%L7RIWN9sRxMe0c_QYf9DS39eY@ zjL6vek4Gut)6@nH47GH2*imFL7$(iJESh&IU*{dVbPTP2SZFg@uOOmkkc*y<8J$Co z>g%eQ=UB33$$lhai4D>-X^x^Li6Tus#m?*GUU=?#_)-E3Wa%XYI?wo0^1;e(p1Hy4 zRkV3$&GXYI?*}54s(l2;r6=S^xTm-cpLTW%!nVuQ4BAs&n;X=ujiv28Y!Lpt}mB`>) zG;v+Gryx1Un@JAJZ@k1541+bk!8#jzcdxs`ppaMCeVzLjhVedFv$*6mF!t$Pj7~+?fUUIrx^xU9m&AL5n$f- z1K0lfOs-}<-Zo@C26(7A3`n+jX@%|+gCCz|-)H}e0Pvp>Vddek%(FcJ;*p>NPDKG6 zJXa3}@E3YasnYzog4A8;5TwNBx%|G%j|P;Z>7dx3KrF&03*j&KZ8dMaZo02~!lCR^ zeHdNB(4w-FN!QXPfMr_uqHv_^lXLsQh8|KNG|;&kx6Wt1`dRxYu_omvJP~y5g^=vo z5|vP;X=m{4!Ttb3PRb>ol9Gl_`pi=yiz3@tzxBs(f$Az_jgV!-pvjr8R+E5nR`%t& z_4pZN+TzcYygj%e2C?Yfq&_FcIu?en&ZnIIP^Tt z2T6lSw&I1W#+8v22ReFyrkx}v1$>WcPmwS$4_4VqxLR8#LpIHlRj8&q=L&Mqd75sV zVeFp1%hiC&v!bagE;H5_TlsoY=XuADqN3+#6GcZ-lSB1MA63$xZ6#N;=lTqJiu!JQ z)gR9hQ;y1YZC9mP#;tv7Q$5eK_K#^GM=&Exl-P*l@b*-~RxLbyWGEY29rkAua%((Lzx%@eeBJXD6#d(SjB%3W*CTE$A zP-g{bm9BNQI_kfumCIFcwm8eUmo`YaF|{PyHNawCW=Ab*euELSDZy|0X?RD_rj&(K}>nJ*!_-=soyY zvFlt}pMd4EUq0f%1Is}~)>nARaw7f4TKUn+!Kn&uSKVrzWrGv3sEGPGNx{ZR$LuiW z>oZgPVaM7f_aTs)llrnhIpj)j3k9@ZD7^X8nQS7-qVWb+oHJ{a_xTm45D7(WZbRHx zn^diDMc&$hT@!wSneJiRDJ-hqYx53s+Z|_Dma~X(6>45is>R$vvl544a6u;z2NQ8RIEq zlZKXU|Ga@|+EIN5POaahrWi9}ORQ}rEGn}}xzcV(r+NXq>kD2_w3CKVoce5wy~#ZQ zgLl@hk)6RFbrE;ppPB1HL@tqfQVrR~!@e8GJjNA)(O}~wAK6I{3NZKjb&{n_2>f#3 zc@}F|CC|gtD%QG)rI||hGpT0TE*@;b3`+pYI{AQo%9J?n3Yw5@kPI_24Y*}6LaD%a zX?KX??7+Fr!$0JxW6Xy1QEZ4yWGarj?k@Uvt-v#aPJZ~BSB-OYV59x;0Oi6mmvPrG zZbN@4-nZCNFT0s-bnyPyJ|Qm~USmy9r^4F^!(#6!NA7Qf4VK9huuR>pcyr}58!S+z zyllF|HgozpYM@=tky_3IAJ3?C?I(uB3JJiE0Jwz^(^t7)F 
z^+(%Y6~pyMN0WIgDE7#QoF5;e$hvq)hw7o{XIj=$%|fyb4r$oa+!E(ci>q`dRek$E zuXH)$QPnWC)eDoq&sR@W;y5SI^scMNx+pu(Volz-p7gC-c|bsK>02g$;Ctw0-Bl~8 zmjSUd@0&t5z_U0}WbN0L{Tr+9)z;WtA0f1_wAbc*CD`lAuf6eG?&$SfDzqa%JXeU% zQ~sNF_b19p=HoB)AZ{EM=pK=mM_Fo(rz%g?GV8`*j5aPauv~PY*VKY?=6pW@c!NUG zGm--6jz)B3tZhLBIT!&|i?;2m_m2O_t}-$-dA1k!O82WJn<;umCpwbqjk{|m+(0EZ zudK$NITyujG+3A(BeSu@?3`3wz~1>M{`oKeFNXD>s$=5-s)QIAQ2yk|)P$FKvs&~0 zDovPmq0p$NsYkgS!$|HA!OO8XSgSg96?J^R4ZBr`s1kSON%p2^`*N`expcM;7RX3J z%{;1vc9#8I;rF^G&@4y>$j$1#SHnxmhZ`uvU=oy?2k{#5ia;Q$F~`^S^lauanviuc z$62N%-|UEcJldESBytlASK>PMcgUHDGb_Xl$u}}E}?THnE9}FdDJ;NiA=B%<9&d7YVw;@&+ zji{YGGM^d#-vMY(?TCLNmwa9VspM{;dILbDiJJcb%f?9l1(q%I!T1|2`_Fj%-Z1>9 z=933E`07`{UGWPNYwgwsSouC&qP)3CKJ};c59*TT9-a|q5D6bk+>u*W#dto?gEMdMH}G+K-T<9_ex7Gp^*r8f&OS>O;0^x z`FB)L>Hisu>zr;1*a3h+5A%+P!{wFeb~3ym%^uD&Kc`E&Bx#l z?0+{=D-5u}kZkVhYWsr$l9479fHB(;*AX(I$>2ZHuSWT+6EBqau3gw{=lZ$UT ziMjUF{?v<&gO{~BbxdAU{0KTHDE9D{a;|y8Mc>T}tYUH9V0M6g@z*;1!X7DU{X%iO z8&6yC2HGxI;>{qxrfQoy#^duN9H^p4*d=yBOupiTFB%wCLQOz;BX!$2+_OFETr(awI z7jk*^>l+!LA|*8j5tzAyx5@n)UAAu~cd>q?Cxm5ZB6k*%nLATeWUu5qFcz25{zLb7 zF>T2sN{|LS4-RPGV&S3gH^-DR*jx2*e%soODeWNv!@k`D;rIPK<1&DfuI!V>4&6D10&=GB+|x1;*Z{flt>9f~|VZDvLCa&bM2ii=)+ zM_wWw_Aa=JeM(0+s$K|3QyNRnK!?tDui!p$u@iAI_k8Tbo4B^P#M-VI+b%Cm4daIO z?#b#64Y6XpQj~fFZbJk;xw;l~*fnczL`uMm`uq!O5`}{#bte5@d?#kLrC#OgBAAE6u_AEaa7BKku_*T|P zJ^x@+{VwZi&@EzO;*iM5w)Zg%oJXheC7#D=Z`|T*Go$GN+s_Es;5$E>sQP!`P@8ML`vQ{h*x(`fEXL#ZOYUjoo$+I9Qa z-lvRUZs-j~#Xi|iQaQnpJHe0Nx?b317-uMz-o|#TasO%|rs@>B8F;^*&`wFh>`T6iSy(XfT2BPlYW8vM1(mWZqUyLMIn<^L$--zmJFDKWr+Ktu@@sDJ>C z5!UD~XdnwcIgRMU^Q0ef7wk!Ulqfd+6Y2K36(hcuyse@Ao9tqcmAjt5ab<`}J#1Ax9?IHjHR<(~5|E*6p zAmh?5)s*-PvtZ9H4iV=#No->upRY(adkb83L(6*(tlURz`qqialzE_Xo-cIGu)- zJ{>bgz6MFnS*>ddS6x+i=_xC^m9z#xA5CD+Ze8IpM--QwC1n}N+v^{mmn?NZ_Nv`l z@G90GsbN8?t%hp(RsKZJMJ|3YE+?tjzF)^@V4F7T%rc92);2m#R5R~7S67Hm^j*1{ zXjLY$*B-Lga5MyEZ6{d_Uh*$UqbraH^n8d9zJ%9IPu|#uaFSJ;szgnj)`Ymk^B|lr 
zum>2Yfy(f+F=1^Y@*=jPCwjj8)ZR3ub3=FK#yRO$KAq>!M$#L|+dW--SU|(FEmKtnby~ASL)RWM6+;0DjH7!nPuzYf$IR9M3$LdrM%G#Y$xCwZa3@&&n?RYGx>n;9mx#IVn|;n-->W(*aBl4yis3L4dxyW zTLlZUi6Dmp!!Ey^!#&;}3R?%c2Q>~34|;8#9`-E^ohsj{P8F|PcIbNrXY2h}H1?C} z@mr`HA#Odvj35MZ52q98)O*)IAkByL9xho^)AM+MvPi(1%m*|y?%7=yLMMJKZUgE5 z0!CeMIU=wg6Nm`yjjI$w%O-qy~DoO#{r6VnnUVWZ>kt&9?ny8p=&wOH;Bih2vGdFPkDQV&tDNqw4Y1`=uw8XHk}ueQxnIhQ5V( z(C&kP*(S0yOWIPu{E$55vi2Hrg{G^4cAZ$d@fKWh5P)&?MW%|XysCHEp=M_ihmdoJ zEzXT}%>>7t>-b0Cc0A(txmnV`8BoJ`o|xuY#FOe8`iqHpO?mC;EUd^;iWpr#=zh*k zF$&WU6Uv)0xV5>)ZdATCb{#4-D)naq)hD zPY@&5S6f%NyV*{4Vz^#)vXYMRL1WCQoUKJ{z zqaUOEp4%w`*&dZpQhvAndzU4DVF5518CTdns}O-O#R9kaveACj&bEcCkzx~hZT*^a z{)**CuA*Ijg4S?Nq1F`T{wivluzFDcRsX9VIi6wv=UbN@w;4Si@!4NGR44(!S1Te$po%x+O*@CqWVcFyT|xiTUW>}Wo&-~p{1 zO^`GKJ{pxtR=)E-gQnX?&JE_5Opf=r*%$ERgUtlCMMl& zva2a%4>QwiD9$7gB`#5CJ9fJqdV|OEZS{fPfNx8AdrJ^2t3qaPx)5!+kyuE7u?Ze0 z435D~{wV`d(vCcy)Uk>?uS9%kh?w2E+bqA6soa0)R=$+HV|VyHdr}mbo}h?M_Qq8$ z+Kgak9qw1;!NWc{rQ%}&tvT5-WDzWD_iBJt<7COOSCz6Z_*Sp1_iIHanWF^@Yb6pN z=R8&dWh*Nh_0LIUS$n4;)i=|cKb|Mnp@zGLvHSSkXXK33e7$=Qi9HQ2v0rt(>JZR9 zzx3UlzUQSfjA+}v13%Wwl)aaU{YqKsCDO@!AQS7c*h@TfYD&tGgSsi>$88VMml|7_u$7wBv8MAKxHvL<8Q>+N*yk@orza*% zl5*{^OJu7^mo|e}tk~j*N%`)^tv~-feEAObk%*cL>mgXQHG8f|L=z%bh$ENITR2Ti zXFV|#{nS7_@vKK~(tj#ziG<6l1v=<*VJmC+^{%tESPtCa%S)_G^RH*oToU&M9FI~+ z1-)7-=+QA@@%{+RV3*06K$taOP#s1^nl^+7z&DAU&d(AB=-8~ob9o=h67i)zQS4%atUhqLu!A--hMeaAlJ{$JFxwBAtZ-XZCRzEc-~nDl?%MSJ>Aju?S- z_vm_v7A+?_3+6u3pay!dl2?iW4*G?zHFR~%TGMrE z*u@U?j^{&H($oA!+2}r)qX^=#oAK0UxQL8MNxMspektf8x1+ zQRiMf(|wu+0`ce!SKoPw{gG&({_V;^N3Wt)Lg9;S#87&@{RFJxS!C~nVd=ii6{ioo zehVg(=t*(X;;mC;*7Bjys04;Fs5bZ#>_7u9Wbxud*F^Ies7*#p`MUa^C+<7|(eh*{ zKB0kIqg`v8Cw*tx7H+i#0e6h7kztK?@ISeE`=Qv4KmVlM3WU`@h?0JX+Tj!hxyHf@ zllV&gM(Z!{EqyU(5cQq&cY;oK!eFDeQy&q9$z4SH5pl8&HMpQdmx>+%*=4!t%e8{& zXXk^_+~)X+oEt&{Pu$uUrab^?=xJ_v+y1JDb$B_Ci)YGRXFuP&6OU&jvAwLAK{eJ} zrhMPr7^h{+R)?r-Y*He4t0%_nY)*=st%u=if#xMyga%-0^B7Y@GdYLjQ0>yu)yfIQ^Aw!nn1y)Rb2G-kn`DgN;7ge8KH1emF(z2q@it=We| 
zS*LG9v~w#h?}mT0(R7`%xwP?6@wIw(1(g>)fwqYSklLCG+o_ktQ0fRV zGjr6!*RzDqtPam66bjH#4M;%mO^JIUYGi^V&Omx`CnsKU+RVYogMeN;%t`nL#1t({YVc9D3#Y zY0a_lSRK#z+kt2&3-)`re9L2DeT#j}oN|@(N2xWbu35wHId+Vx8r{ip!$Wc^*x}P2|_a?G3zc8aSkw1IV$k_-Fbhpw&7Sfy>oIQb3 zf=F4@jij0$>rdN0&u1+FmGf4_25*ZuClOmts3}k18K1t(f}~GX1FxSR)FRD8X}E{% zWP@vp>pm{uF@y5YRblN(H!4~k!qpH*jacwqx_K%nAEaLN1K}nTc-qWYfE;eALjkA!5VxY(GDA4_(O&M2w z3k8EUPkcc?VeTt(Dl&U=@eE1x&1UDz)=>diT;rhi4<@L!7 zehp-CDvZjnDm#l`feAUz$iK^xyA`P4)4HYXw~znE$bh7Y9WFnokP{XwrORNNY#j_cHLDi!TzQYc%nU( zzpC6s?|C*A0wG}OR`eXVF<5PJoio3;sLZ;#2$HWe{CbuI^sKV-`ZdhM#WO3}dSkS7 zzB`m-vH(&Om+iXvdb!;U?{7!^Fr*V$)YqqLQuUq;++H90TBeg=Kxgr&rXcKBn;NA{ zd$G)A?i((QZ*tyQv+7lQ6i%Nk4u=xb>emY+I_*}r>!L+#LSTYN*WnZbRBF}$zSjV+HYkaEa}cG(Tn5k!-ezlr8ggAP zdTHOxg5;M~bjk)G*?lglTPiE@ZN;K)MsusZ(Z&)u`l(TEx8V<};C?dDw~q7&8?TM> zbPt5Ss;gIfxo&sN1Nv0a^cn)urRnA514UGb%LS{kSWxB?>LFc>vV~JOCxRx93Py)| zWVxRX{FE70IdEB>I)A)w$v2B)5-k)QdU$ByQk1rH5y-*5(X$T}q1v8_SpD^tcF%*; zaFc3T<$yq*R%nCb@nWUtB+Gfh_1fiR?67Eaqf zFv-cd!|A8#h+6Ny1CMQ(sIqsq^A=>f+xVcde@|_@YSVjlBBjnnRHJLa84As@?gRS$ zPJ{zDtQu(cWun*KO=C1w!ozD$*ZSf;R)wv}-F1Ul4biMS>5zf5Cb6%pHjr zq^F$U1Y7|jm7J#s(GKTn8L(3Zys!D^jO2#ZGgt7-^`ce^(Q~+NxgvxDSWl+C`NA+> z+8W2c0t2&=oxx&rq1_HkfC+IZ>I~f6l2}VNF_O=k4gRF?AO%Xc@WZXdFGMXS$V`rj zhq1dE_*f$6!e(lKuA$R$&TYD&ri#3wQqKwm3-Af1f^Tyd+=Q$7uhUbs6_LekzAu|R zegQEA=?9Sf5n*wU4eC}i+*bGqBH|r8AI(z(WmF<JYS&p1?kv?p9KtX#|x39LGdcK_MyvJ~|?>igH!V zR}8={^cXs%sw37K&qtTmMvE{WWp3aDJ+zCe}GOQbyF&6slY`3hp;0k}a}5R%-5j5sFZ{8uxy?sWDAExfD! 
z^3sn}b&Rh82hEW=mv&bdZGFYZ{otx{Z>@8(N1s=BY;g*3E_IWUc;9$t+=&$TF-PEJB_6YN(D-f?6mgXExd1m zEeRTu9X$yndX}bxbe4`w*R#prar*Y`X!+FBqj*TM@2mCFuiXpUbP{=C9i;E=QVF`Q z2-lpwSHl=FULfIm;Nq?5LAY*$VcBLzI-8$R|3w%524gPL)r%#&DBZzF0RoxcG+9cF zMG#JK9!x}_I4bVVpE*7pfeZ>9vWyMh9Y^x6Rx}S5R9;<}(|x^SS*xxk0}foaea-g& zI&i4~2QI$<9JnO2vgdy2L^H_J7uV|OahY_#)sF2;6JqF6D?n^@;Bo%i$OX3ec=7Y3 zQ7UgO)=EZu7EYxG?yWSNyL(7^@e{HI{S(Q3C!iC9p1c%MXlNi7hcx&G;(1~KHWEI{ z6EPO%fOti>eAFoM1MsOSl?x4{{^u~ba~l&l2HwQo#X{Z@Z)R9E zkZdV*BLMU2jB-%3{Scte{a(R!ZPPku6DoZD>g=Z%KPzC(xYdM+Lb`*WvKd2NRp^b2cb?kq9$Uw%`O@J--@ zr}!P>6d59GAMxtx=Nb}4CbFaL4qy}~z$oZ!XYeQ#f@P_G zo5{;x2in(>gJ@eA3WcUHXqkD(2cP>a5@5W6)}}dXN@0D2`AAytC2|pszpUeS6*d1_ z1R?FVA0dqBus8T^cV6hcL!tU8eiHC{11j0{6J6f|R6>5ak>fNyarm13#|jPn`*&&# zI@u-`gI++nSQII^*^50w^UZ5^jK2v=dwLTPux@{L+4B&5c1iPLj3iwvqHP_Na zIydQ%{&r@2PWa7vBaT$qO=+FSt635K&iuLbFHH^%et74Z$YGjc-1+Hsn#X!BCO=8` zKk>z1zijU)qzcltMUchE*}Ci;(U1mz_oW9+D!u<~<-OxlCl$r9oBlwCG)+eg!?A|_ zYPxGj!Ea&8f5e0c-@3lo2l_glqaC)V1WrGj*$Q|ZXe=g@K6_vGD~vhn5B6E8c3A$n ztvegVZ$BSWl>Pm$0sO5iziS0b$q!E)Hb!O#uFLzD-oE|m>q^!8L5v?Tt!BR;@ZXH( zpH#-nJAi(3c0N^0{VnJ><=k$f5`#X$VZo93>xBE8&5BVn0fsLbl-(`z+iv*BnjYc+ zqV3+=Km9%A{`<|ZU%W$cFbSJ%|&o-hCFoJaxDbKmEc{;N8^_}>69R&JeBH2-x@bAadv z_Z|oTcXbc~>+rQnd71pb&IvOZ5Y1o0|LDJ}BZm@L2f{S2*5@3ziuK0R8RzKy&tQAZP_{$XkwH|INfK5vgK3G{>RarJ(Ow_UWlZ)Nrw)r_!5yux6FBKn>sj21`da3-1h&QTwQ4&! 
zJ;6xib&Me8e*#@m%22vFUTPURRp+VR*`TE6u=_BOCud{;Xvx99SE4!^D&?J(MVq5npj^ySP{qT=1{PpX}O>qcC!`=5_7Ox!U zD}k>vIq8-|pNnW^<5cilBH1y5AH)l}ZVM0bh@XFK016BbwkOKf*>ulz%S=01dXj3{ zyw7l>eQjoaa!@5h`#-i;d?pUUQiPo)Z{7MLJ2O>Ht3NYEpOV6Q4+B@E!ZEHpk=CSh zvCO^eC|ERjA)pa`7^T>b^*?k-*@+Ff@e{%wdTzOgLP;NNQU-bp`cJTre1ji@EtJNV zQX{x5dxdkA^N|-NZ%cEFCduHgOYCs?hP>2E=ok>RJM8?V(yX|yJt=YU!ui*F{c;!L1eDwdyESw2Q2rbR2gYQY2%You`da=IxdgaDZuAcc zZQXNRQtEK9uvHkB3dxyWGAsU30;7r&Dp8{f0SppZyU zHd*Pwe73Z@>u_~(M;f@3mRZ%SLvI7!a2*E;j_e#TVP0zONv0B2Ut78#&AFh=WqM(J zUPmj9-&K=3(KSGrZyb=A9x;#w=J2hrMf8mJr+F>3g3O0&-|u@luCP|bCREFL?g6>R zOpShVd?7U}$1NHz+eYf@wdIMkIhC9>6a_wPr2oU2o_xIlP$|=svQZ_fi7yB8oWx0<)Sn(oUnh4#T}f2Ly_f?iCRCSR>M-t%}{x|BL7ib_PCbpt zO3P0DR^XD=*~PK<1S9=C#s@$~-_CV^Wb5e6_wq0vBuHinZsmKit-Yl+=~%2+GvhIo z_j>qZ-=4%`#HTO`>w2KQ_VjsDpB{m=bei4>VnV+zk}0Kq}=waCS<(tSJE1 zE~TW_pg44q6$2wyZ@&1=&FCLb+U0C`rW$V`$o3ZIO^(VVMpO$&gq+V_3>&g3myVS9 zSf6IhiYf0tekA%nxjShA7K*@ zU-NPIzpftWLcHmF-Lbl@3f#6Al<4@PBT6JWH(Jg#;0@?u<-i*ZVOvNuejj0MJ%*_3 z-NGUg_-buutdHJZToQ9;Y_dN26-4jt6!1L2;$1jh1G;;f8(gXv>5&*-N)~E$M_roN z7=#(|r=7NW-{oKVxuBlj^;?wwM}+l`0*KYmP7DOZo06N;lB zp({n1nH&fW$z*N1dGls8pCX$yP|u>}E9^8M%!+%N#njX9K;k720bv|Y{mPG;$i#lS zFg5xZ)#yU!Gh9Kr(ibl!8JSG0etj{hrw(Zlu6CTb(eK<6LDmJc+vdH~uM6kt)`8~T zob@d(m%DaBwZSW9KX)q?4HSo>nK6tJDaie_DgTJg_hLLYU|I(L3D zC5U~*t29JbI9+I-GiP&E>%M6};gdFVyIZSqEFW#wiyBJyTz>LD0={l!y4Oe>-p1fc?f1S=rhO zYp(zis}4$SS3YG={v*#p#S*Xi04?mTBJrPzN2Ugow0TgW1efb5w;uI0zolQgxBwcd`|K7FY6S6!)P zIpWM8B;m$^ST~(}n$swpKxJ9LrB-8KCu?}eoC?enSS=rud`9X`;(^uNE5BsOMNN^T zZJ=XGJu2$kyoK#6awI2fgJw&WU{$%~V}mLH8xh#^VK`SgyXP>n>&{>vIfD)9icCo;)%6o;)yH4;R2GJMwJ~I2#H4h zd7RZ$#dras#)R6LfL8LM2Qu#GMNpW@dGF^MeoN1?E3=&v_9ei-mnxG*SLgkO1sDna zmNcB#zNc!ri418BE(#dy(bb~LrCL7C?skvesmHIUzDz_lT$$2Xju?sZV_CDc|Cl6;8g4Ar(zj;}aV&b> zR$|JHh>Y24f{KB`w&%D0n*$d6<$!S+-Jl7SF5JY^{F$jicVQ8Spa4Z?Hvob1;{Rjs zJ)@%Bnzlhv1Ql9T1eA;lC|ROpp+zL;oCJy81SLuqK|qn5bIvqKYBC6@yn%+HxMe_Xc>i{AI%wJTh8Rh8aIo`B`Ig&R&OVoB;hEshGT_fsRC zQ`N{#J45uz8}z%8pT0UlsZ()}-bJ85t=7%~Dvl~dqr+W=K8NI^)GfxSn^{&* 
z$~a`0>H0F|UO5q*I&Z1Z2Q^m6?ax*}PlcN=Tv@Zfe-lCyK+5)DDwn(88E&3U(Xe28 zAC^v%m@9WDn{Gm+)HfqZ$M4*te9+c;w_`_+u~=A=%S>Iaa&)yt-60*vp%#Vc_ z|B8b_(R*K8ibSHJ{|W^~0c^az*^Di7wKea11A!0&pIL8w@u5sq5n(Us%6@_Rx<%yZ z;Hsd>nb%hiDAY=e&Bl?GO}Fyhw;+-c0qaGkR2bf(DP2t zY0-g?Td{9a23qlnM4x+k%Oph5X}$Gv>8p)jCd@PKk@=}2SM~UmoU{fVCke9LwMU9X zIVe)hml66Ck9DC?gsj3`e^Jpd6uo4cC~nof%fQ{goYRq?b&I1}WpOsjqHnx(UPDJBC(_T^Za(bV z+-Z1>oXKgmVHRa$x|eq*x59&($%%bsb7}wVkk(2}-fHkx|I)LuCnmE?IJ$tXC5R>(_-^g1BbIqn>)jCt_y0yK{`=H;p4nymSK#tn zKxq9zN`W2s4_^gT-3@Z=^*`(e*q5gZ7gfozj{k=r-T;A`{*`}Oq2HSW(vwtw+NGx# zym~I@aL=s%AAU#+ELiQ0zmMdfPXIL+{O`;D^KxkF?rnmp|Uomhn&UAm? z7y!;X{p$+-&nt4j3_WKXLKi@U+KW_}!>h(XbxUso|S@Vd*o45KKPvM2(}q^(m+9n*PxAz$T^7pZ@UIbYP!E@?Jg>rD?!CyXv3J zq?_D3xq*34n(Dz|kTj}XBri9--9f5VX6#&vTJ35C2?qwhV9Ll@X7pRT{a1on-7Pe& zWwCZMUmKqa`rZ3*tu;u`b!Kg>M)~wZNf=j4A9f(-s(u%{^=Ktl3|#>gb{yGFJdenDWgGW@2yld!tzssFI0fVPlVAWj(>a9{L=z z^rAqs*m(3?E^5*It$L9oM5`Evi14WQ`4&KC zAP5^(eWsqbA67Rw;d#dDcbz6OvqQZ-FrE+UR@mD?^5E5vY~#-Twp~}Lum@32g5}Yf z%<64;T%uH&$?R+gTeIa>EkPTrKLROw^PGw259Uxh=FE@nVs~fU88!gc6LM}ebdUTI zcWObf-pEKS=xAv%QXP99V}ItUuaMhGdu2X5WhX%(^B#9|HZ9jyx5gv=7*;raXSmcP z63ZSH38)IK1EObPi46T}6Ckb~20am*jith+155*FzPyP&YHn7`bU9+P{dcrYdn4{V z+@63aq#EXPe#}r?^x@@j12aQ!y*(9sLZY2%=!ZneDmqBjC!W;Z=7sMMy!!shLfePN&1P<;>K41c&|(iV^Vo60A97;!eR&I?4dz7{r|<~dH)Sh_t4G!y?RLDEIKxXxt-D@?&bJzglnji27|m|*hFX0vLFH02 z@U=tj=0qG&kp|9ErobOx+xlYMmLL@uucki5kxZ_GrK9n)Sbi0m!Sx%$8_hNJiKuULp=bu9mKc@VWA^~@Hz zx#N1TR(W?CAynT1uzXV7Eb9W7^!eyHE?>tFr& zQ&4-PeiT57?9@4ZcbOJyc}9;-f3RFVUj4Ggk(g{9Rnn?zWj#^caj+vz!u+DT%)+>7 z#wMfqDx1w64YcFjXqD}YF$_=UdbanfuKhTQIa z;vDXa3H(2fnupm&_IIko9z*eJ=sqEP1e!_#zC&y^GBCBTJ%N)vLOS*C-335NkIqnt zR}YIPav`&h6q^69W?_$00y()d2XCa14W)J>M z&DT~ob81nPp9(Auzty`10e~i%j3n~e3{(HISSaivH)Z2a#T>0WL@iFBcq7A$Ix=$m zRw)g5)ZD#&gT5q#=ntm(J9f4j6G#rtau6sB{a&WDyfauZ@-QD=NMx%C;^It|BVO#D z=vnKDE75xcDjb}jvou@fINl8**6WU(krBnRPxeztv?R;Sjq;f#-FVd5bZd?05%K5+ zJI$I?My)CrtDLPVihu3vyLas8ep~8_ZQx|2FFAEmm5W9%{q--BtfTHw7xqd@BXvNM 
zyPz_grS?HPcV3fXU5u8b>r@iG*#}Xg#4!|AiFN8ITU>g564&ZpbDDe*p|`%CcC{E~ zQ27$$|9>ZJ4ou*Pv8Jal2nH z^smU-5oQG$oC49M#UOWolw}KOKGCd8e3{MyS!K`-YK^}n^=Kq zljY)TISeVp*Lw_y)}yPuSBCfUk4v0&{JYN_R^v*06`kBgj4)y44qD#oR*R;8aBYHR z&LcK#Bbxg-%Y>;dR3Izy`!4a>P#)CjK8WJj6|8?U2|@53gvDF@O`E=%W^u0ViJpF; zNPBw?VmI5##*?qcOOZ?H;OlsfraD?_x2l#}rxbRO)dB??wO&t8!Dqz_zZ`{(^avU> ztxGDTf8sf1G+fWMz=p!i<)7UZT9MKDm<=6CgsbP@>(D^Fp@>)%@E_|e_ZTkeLW;w6 z?1y{lR}bIkc3S_~nqx1q>%R%wE+eTc-lm5xto2t1r55JiaWj8%G-#DAfAnpX zg*Pkh510->G+T2W^fE;9k2?g4qc`M&E&8yK8o?6ZPZ9)VVH;r3H@PpyrS99xirds# zd^>O$qjEoi)<9*5_bevwdn8ODQs=Umnjha~zMWhVQ%=ui(n-r2&l9yn!P`cv5}Lbr zs2#{;`|I1ISm8Zj33^GxHV_Og#kz3<|m{}rqGSDzo--mu-g z2W<+8Z&w^|Xm*nHG=8bcCtxbShCh1!>zh_A=MIHdJ*+L<*?W}aAA)Or9$2&9@c(uZ z5nmCmU7n|Cc;{pCO%><`FGho>%-7AjwH{702D)Hvq6GiJS(rQn-&uR@$}=M`J{`vh zv_a9$k7lj?Ag=bxq2q8r6uK+y@vOg6YwgxQHuOH&CiuIj4@f~!_l?Lem+sxuh;xFZ za&Ub7-y9F%j-CiAf-Hw}t!AhqyAS~D4z{`*sGW_v;(5dD=20DKnH_Zk8XcyA^eR6H zt%LQDM&$()l~TIhTAP_{&+h>Y8P$*iAforBtRf7i3@`>otarKp<;@NK>xj4;x%u3#F z-qR|FA#@u&U+c0VsXO zE@qz?A7D)!QD*}~m2bRjceNd^5(?e>NX&Rz#6~<*+Y(F@eR8zd##~gp6uvC6Em5d< zB%@tn{fL6MAiCChD{im7W`gymFp;NFa=p!A(riccguH0l#AS4HcFQX9&%NEs^_HDO zAK%bL3l6fs#na%5qQwG%Ni;m;MUw0-dg5NIpesB$TK7DU^R^dK z4CmWavP~ATYSh8*Lzmtgq#qNQn4pvDOeMP}Xm%s?JyG#JuZO8 z$T}vamn>boyj?j*(Qt7fzk;2O43sJIu2MLkov?9&$fhmkar#X6nXHe&w3N`)SdA0C zUbQNA2i-S28_kT-`Mlsn$N9ncrn^n(Vj_?>Sq1N^zqRkaIB*VA={BJ_zxZQdV`JI>S=lONBGpFLSdpHVqjTN>a@{{HY*O|HdVO4xOJmDi1HXVSA zu==QszS_CZ_na2-NIN6NxFhbn#|btvANxHzJrnIW_PJU5kycvFXq}zL^PpJTtHj@; z0XN|#>#MsJ`B^aAlOM?@0A@m2EV{KvI_oQE%F>|=^`hk(EQ`;a)8Ba0qVHh8zqmS{ zl)xw`H@WJWHQ5I~4Irhn$_qw%j#gaS(Y7n)cVce%gbR@Gz1|02VRsKtEYnx@ zxn=)X0Q>C1&-*2o!^*kJnR$?0?iCh|waa&f-sU_|NE$`N;*n@;RXMFwkBG!`7~Wg# z&CJhu5h{MTy~t|Toy6m%XLy(2HloUr{Ed|YV1m~}9LkLBMk^oN?r+fPNbwoBlBIdg z&9sGgc2BZ$CBsawL!V8^Q01#5%G5%=yzu4dwOn#Fit6nbHlh}~bvBf09OagC?n8YE zv70S*nR4+_C3f@FQjtvMC)Fas_av^x6jg)+w@500)MjX_E0(LHw$xMmtXqWQ0Z6Hq zx4>&Q7?ZcdXgqaadOp8K%3^$46+DAVZ1M2yP8v(=HUZ}}R~KvnIoe&d8ShiIhMetB 
z6S<0ZM6nik>t8|ziyRIm?Ik)1#FAod-V0?P?ojwV>GryWFZ=K?^eQP|JXOOq#z~5q zdHQ>R8FLQcC|Wg@=Gq=^Kib-g(HeKjFU{pdz`N7YgWYEB5mKgIppa84Un!mkPB&Iv z#|U&%$pi(rxxaHoQt7;F%skS5(P+z3w4z&1$9H)EPP<-*Rs&$nqENPgLb6B~b^7{y z5x;7OE1j*9e1S8C$rBA?JXCf!yib6wQCpz?(XX^`iaNOZ0zZ- zclFt=k5p8g#P;nOcslMRn)l8?iahsx4i!(mZEldC;^!p%Z7XS&0aHojN6VJ#p?#X+ z7`qN~_(t2~ZK4%GJ&EI;ykFAjqx1OH4~|p~{-c(hSCB?iIsFRH8JObR={eT(vXa}p ztIf@lL6HrGdUn3PG8zS(aQwkgT!tqEtQ`HzOG4Xr6Wuy@p3M|qt*7+d@FgX8;hLE2 z4C;B^x=}P*IJHn|x}^Fj6S&~KSNb^$p(E;9fjc>!I$v5(9~amOSY7NhVb&Ot0h!*Z zc|hfm-hQ_*_~o41k|GGGEuvSjpGY1(_})c>N{+vv7(DP&p}8>d*ur@G%!`{I%9M z)E4^}tqxB1Cge7TP(A@XmgXR0Gq1Fpzs|MyQMvwD2755?ZM?r>$h$!<==i?a-}GWm zoN~4O-MbtwQ$|4OpK4PdYXMDTkRy+qTqdhQrQy8+caLXEU5?l-h;u8)TGXIO--;s7 zq9a!TEL0*-9bx)@K%Xuv2PbB{0VV0(Z~il_jjMa6n9eGm*J^bW29z7C9gXWO+F);Z zhe;;NO+QOM(ezR!APr-j3v{b~94?=XR=ycSv4h)Tx@Is^PRAEFahLovDYLq!zRMy# zF-x5V^eZZHg0pd>kKs<@9V3rJeT@RmMvpp!28AxW7e*Hcr%GN=iE9~p_yMZ&Fs`%# z240|3@$+=;>gjc$i(*+RMBNIoDg~N+cSE ztqy%_4`Cz}pMoj*o0cbplRW&YkLq1=6*eYa=Q{7soh-j(Ivryd7Bk=Hz_{W4p9vPKmHVi<+J9*3IW$6JgM4;cKfGIR73`yg+&pI-9fJQ?BNB~Sg}n>6RT zJ+yhFJ&9L*vClK)_|=+N)xP?nfE-8>pxir^YVe{)7j1*7k$czR zUozs^d;qKSZ4@)QueZiY)MDsMD1a%+VYHjgLpQ11Hc6+;iq%7^Ibr zsHkDnTM9=?0sDU3+N-N*Ce^o%cs}H#{d{6>*qKL`iZgctNKeeyk2a?82TU6!H;{65 z*{nLq7&!y#f|lF?x9X_*h)3j|!b3C9^EtQXy387irsT(K`Av3L)@5h)-H5-aMi_Vu z!!I znv#s1K+_i6FNXanPS{>Qi-kC5$;Mh1En1tGC;HZnAXiHwKL~KY#MHaj=&7ho@Ifpo z_^g+XEAjdcPs-tZLp>ni+yqovLoa3N$G#V&c*lLOKdHcLE#gtQ?CbF!t;5swSoLJuL^I4{L|V{v2f>}^d(OPyEpFL zXNSw|!QFa*@US6lzYvoc9JFz~_U4GwWj_tCaKb~duj+0%b>Tqxp|u6i!p79usZ-H% zF1UQp-OWZoB?}h62-b`?R<%o5txcTY+OFK8kW`0CxzqAZwgR)uAe1A1z-ReWis~oX$ zp{fUUxi6)xdDEogdCMP2$0%mS<&{iarwOf)qyL2(bG4FrW6ldMy0GZNJwQ3Rjdtx1 z*#&tSM3rwSIk|^`dCXNh8q58($iTyLz%i^q%o{>L!c-~!M@-6eE^YSDuZknqPy$H# z2@s-Nyo7`tB(Z?4lZ+?Qa7u2ja~U{!M)NtVDdaKcvx&&#Y6sY`Y}uG*KF-!`hY52& z_kOSX3oC$@Dd#VgwWCzbD~;Rk5kEMoc@#X}0zgB{${A~O#nb_KvWGyAhfaRoCo*;> zc<0fIIeOr=I5RF8yZ#*D>0Oh7ytFr$(3_}Fj&U4@qB_(#1(V@2*?7{l$*T>yNbUsp*+^-mwkouKyv}uasf*L39kWqp+NF(p`NP2jBT(3~Z0AHpUYH=@ 
z&|VgKHu)GdzEB*o+ZmdKdN)c(>R&TVkJLM?>dWqq-UIfvGDe+?^1s z`Q?)%Pady1W#Z0LQ&8FY7M%xmM+0i33q)`5ruP|cG`w-f6e6H;OZG1%8&}j&DFP~wC_89lZ&Itv*kBVcE1JWiWtP~?^a(b z^?gmg@jZY{V=i8rOz+a`Pz%p-OH2xsA{fvJvk$5Xe$;C9^*q*q6br;5jq8$mvflUb zjDpN1?1nSPhS*U0?|vAe=5wCAtD@$EYcPs91rr6h{qBzIwF9Wa=A1@fJf9O03L|eEs-T{p9eAoR8Ibrdyy90`xjW-{^7Te! zFGWvAnvpLpR=Wb-*dv`ckgpMk93t8E0K}|c$Mws#<+k%;9b3jfMZcDhX+oipf*>kE zmA)wm^glSvEzDtDa%-5Gf);wm!qf5p7i8EG} z*iu;2Knc{0p16#-z9s}E(k~m2v*gN5LpIvp=mOuQE|0r^x+4;FUjd*$_SAE%-oPp+ z8%)IEf|)O1@Crz5w1sm-iL1klMUKpWos=plqyRyADqx*{xSCoW=EJfj*6FVbB|8n%<7TH)CW#F z(9NGuam0H^q`a47-wv$qRSU}0y#=2x8E~?lXDn_?^1PwIy-j_z%5x+0~4Hl)$-L#BEvCB`Cg@XV~5tA91R`% zZpF10n{3t|S+J37%1%(vB<>r7*Nk>_VIC8LOsZp46G$rxigEaCN}+Jx>NvmMT-ma^ zi%XGE*LNQ7?YXMu?#%l2j?P=R3-1dxxQ?d1-A_}uTMEMgHmXc=so}-XWC&y!O5x*6 zbid2&Z}!o#)_E39f!!=9dzIW9l-oon^VQgF^*I`xbWa)@VA^j|ZFb?2gJfATeEvIk zW1#wYVDff3;+{RB)yDydievnR&T^&=iLDm1wqIE$tNF#&XrlgZQEBr9i~2Q3pX;DY z_16M;)B`D_VRLOp1FmHUi}EQz9$T?;y#^r=il3-di#omJCy;;Gn8~m8Ah@Y$HC+aQS5iIdMdN@8*26Cx-OZn7_ErBky3DXtv>NS#w=FG3~{D zj&e_|GzOOH0p9?#gSJOJqXK>!^2=c1Nt{+bwi4lHPev_)1g*q`5$*j<(k+^GE|GdF zufO>ht&saP`dRM-FmH;shH?2hH$bjG7;G-ZPnO3G>t*HI=ob62Q7HPfFHZpC z?|zefiK{117lCph1alXF(R0*;d~Tv3C*_IPvT(>LWL>-yNWsTVf+1V^@pLICKGl4= z7Fn_U+MR6suv$M8X(GrZSsr*wza`lE^A>`nVXw1+wihPZvM`XJeGpAccGgg(U~ATs zD;86jo}(7jh)%S3bL@&6$Z{!-)v_x|MC}@xa>J>WZ7S7+Oj6zdNfrGTABJz~YP1BcSnm$t<37Z~mxwp6ZNLk!qp)Df)TsBT zI$iV>v~-djWa{E(=!^&HQmc8?hN=q%A=_hk$12}|KLFA~F>^#VV^>UqhwpsfA#Vvv zzEX0ty>GZ=Xp5bzTM8{I`zo(9PtEyz!L(DW_293t%(gY#rUQ6@Ms;fAqLk?5@^3C_g7Sdi%U1U&XF)Yd!y$|jiXXM9aS@TNa z7dqwo3i+ek{EO?P?x*BQ7Vm^?#`he%B*wHxRDilP#N5)acXJ-OmrnvZJs>Ms$FvRe zYAz`xp9Vq_ck0V7Dti~P*WWQ583%$7`;rgmTf*bj9;om<6Y0Yq6^?P3F7!;H)PJ2P zlkqq)4w#ErNh3+xnxpFkPx@{WF`uNr>&XNC3{y1-R)#Imd-@UpFYnpFr zsQ>fk+eH^Y66V^6v7DyowC0#y6miMWN`%{NyV}t~r72hNCsX0FQU1~qWVhXXcgHoA z4>>j4ORpi2o#awu6zK9rH?}5xB;GltBn}mh%|5_uNXZUVEUSBa8XS<>9FH*W0I|;~ zu9^VIs652T*P4u6*Mc<>B1VC;8J^afLU(^=np)4>$M-N6JKH{Vf!?uT$aWa_ZhVDx zMUC7tPg%L9Bq%h<)E!n1Yf^R9{jpmA+eQ 
z=;N{54e~J8OFOnehGun+HZN4_w!t*Y6h1ZhRK>6>v!lB z*`I_`@Jj6VD6T`Hs#Yz7A(HtA0AjMnsEXR^nB=su>s5bS%ge_Zt9QpwRC^gn(ZE(+ zn6&H?7}TT4ci}ESRz`*1wZm6Jdow%UVWG$K>P8!*@Tzn9j$ZS_oxTg2ElI*Pa;@9N zT8uV+&eu)R8%EzdMfcty;rN~&z+>m22-@aeUFcYG$&>hWyLfq&AA=SKZmY=Hn3mJ6 z@oI(jt-1!k=<;;*v%4zzB%fE$Gih5>IN7(J zTw8!i(p%I9vTQG3O8K3}Bo4N5n=RO4_sqJdkwmPGbA5>bsxR1L_V;1?TlZmDSg;_YDh+cX1!TX1?;w z1yFKdocYJl{^eCa#RXpVbB>4EP}+Ove@vOnHcg^As5L4X^5Ij9C`7V5?@$4wCQqvwn5{)dkAHuX z7$l~WIqYu!ZFOEe0L9@Ssqs|AXe*yC&#h*tBic<9YoAR1j)R35ya4Xew!%*UDrJ>| zE%0Q-H9@8QEm6uW-*?xzE&6r!c?B)9Wn&{gLG`bK^?mib2%?M4U+X27 z2TZX7RwYD5o&QVMi(`<&4nDifaS2!Gn(EtPkhqUfGs6A0@sy&&j>g6ZK&EAnsQLpp1yJlgz*#Lw5(VV`u}8pvvW|9; zKfclN3m_Z8)TAnZXX^jKWB5u2HuHbg&;NX*P_QZ*VV0~vHbwXkd#{t{ZwLDyPaF4v z$cegW%98wZfB*UggL6uycr5&H)a4&flagRn9@}4HnEoL)f3K?^bWGU(z={6Hd;I?g z{QtfK7V*%W?@rj>B>4lS@0@;IXa9$s%91s6jt?Rj- zoWwsDq>Yf6b4Jg<>sRVQnZkA^FIxO>@%j7dE77^8n526w@yC1R_6Xcb8LPs7^ac7$ zGrt3rBCx7PsL?r-=kJgI`?RkN?qoDZm*9_AL-bs{z5Tx3{BM;E> zV*#J&`vWF$TC=!~%yeNH&+!S}Rq z)Khsq?C5--kI$K`4M}9B|IkOYwpYJZvv1n{2%$77k;$XXePI2oG8FD{)@W(1U-u~6 zDLE=VKDaILYmM#MdI;G^=Dp0f2^VrB?$^vHBua;UcgN~ce>e<|=QG(_}Z^=Vx_BIb?JbN-8nC%RnLfurLToRdtTW1^dORoFKks|v#P%Vob__q3~(NE^AH z(FOh9_I(8)b!Wut^8Zk|PjBCBbyUf7*JS-PYS}uHFyU0+Iu(Lw`EFwn&JI%zE@2C{ zolcxPp%rbB-FTQiS^9f1H_yAj;P@w8^lD`YVbM}v98RwhGAQvG#`ZtcZN%TZNQZ^*W78&JLQ?blCb)|oeOdBlVkxI|2?A$lU z`^39c5#pB#{7>uSg?1=nd5#3zqWOX$)7AFNbfA31Azw3X-;UF<|H@*Y%{$AndT1Pv z#RHNq2PXAG>*nh1#oo3in)>jM;n|?E0s*~3p|0t5cjKOrR8IFFEEV(pJsetC;}WY8 zN9S~jc-oc+@)0k13-st7%efkDfccxtNI+Y2|9JBTt%dBnVWgZ4zcaRs+iLt1-vykr zTVS?)BvJl8I^q6nB*76IA()Lt>d@RTNw>!BiIX~&egUfmt^@6RAaD1tg!R$h(89eY zbo9A1fmfnkqktv5>$<%FOtpxK#=S@GQ?yH?I`tCG_miXDumpa))}3WOS%;42;?1qt z3$dW4?#X35$O7Z$bW6A+)r6zRYPLhZ@yb5F*i`Ejl>W`HXT3QV1oL}42EMh5g$4Zu zdJ~A5{l^Av5-P$&W4NILX%Ybp9i&~+{C4wgF>i=791(F?k7%ci7n{APZlWW%ly9G? 
zWH1g3E4vBgnLI?)Z1_&aTAte8Kufo|x6&6zZcnI=$m!uF13Hn;YCTYSAbTy7S=7oZp(KxS$O6 z`HctJ&h}m`v0QC}i4$Q)-#@(oeLH44W4Vx2mdM-?yU$qm`j`2#NvJ3_HvQTMDh;vL zXT&e_xOZ1EOf+u$#oQL7irc!`^2t#|uDhfNCJV)eAW*BN6UC;(CM>!L2i@|_Yc%KO zsa8P!vuMv;th)ajVul*4X^4kk5FEBM-odUG0$}wRUgX4VUpHRIE|s7#N{eX2zPqm> z=>dM{+8eDB<1j)6VfwwbiP9}Qo~t57QGk?wgkYRC@EABi*jx0q=gkIWSbP5{aqZU6 z-EQwtuI}IBTmf9DQiY?KsQPe2U*ALlWVBgw8zUK;Zp6jQNj%+*g)I8DvUo&y87kIC zi_uEW)_N1=k)jpW<6$Pu>g{IUzO8`f^`PE4X}$I&D#9~00WhU>3&HTP08;ky33QZ& z`}1bM>%4osQh6HrET9|$5ZCKu^ON<%fkUmNlH!WqTUqyE=+cf=Tnhm+xd~|mT2Hrl z&&$8PFrS2shpsU8$dKrlH7I-n!*c`N67 zw|jb2UvM?C_gG8?gDziY)5Pb3;&UFjJ$b}v|F8}Jzgz&fJ6?Al8?`E{EEb!s>)+j+ zHLrU0J_o&wj(iST9{I$NsC;;;`#6@{ql}P-za3XyhTdsS7aMDFclqZQF~w60fc`ju z%B(W4sT_7csVVWxR<6VEyu9h13KKY;n=}^>PyI^1`S?|v4*0xDx7;Xq*%3JJspEG1 z6MxQ?c?B&5ku-lh^-H2pdQdxvT9{#HsXuIOY&={ezn;Mil?1Uv1w^xKy#*aoVY4q= zQ0r~&YWY^nW4E_j;K9KzZDE-mWAeq4dxfBl2eotECIxCee|fdd`L^k7%-}4ld1)@xd{g z)v?lz(adV$#Ec4fNI!!ghh? zb8*!SMn%CctpHY@>Dsjs_EHGfaY+LKJd_B+{M-DDAIOWc-Q#w<{Zu3X7}Nh0sM^L! 
z62FLen5uQBKFDqFMCf4b7$*ms--Wc)o(F`WHis?An4qdsvsPFsYQR4njqQrWK+bLXQI-i8lQ<84&P#jok@J~ts6rY#AryV+PL zAu;UQ#^!pZRoyq|;XRq%aaRQs{b#%pKkL>GJma(<;$Sii`esht4s|WDiJO8|jkWxj zi2F@X6kuDZv6^Iz*;R;5KCj2mR6C=CTh~aHycXlv-7eVJ*mQlfZ!3tyVcG{eRIU|T&iJT6yl9Gl{9U%+t7HG!=>@F1(g*{ zT}uhsopmt3kTc`y&wC%rg|9Velpf3H?S;5F7&J=K)MlIFB2^5eSD*o=avVTFw^zm# zx~#`j>iB}FgeiwhOeLBbSl{f9R{0&WHYVV@VNV}%k;p}_tYQi*?z5V2?`;8$OrquH zjz_t+`$yGh<*5qYYp}T^OREFyG@FX~L#r@$MhxjW1S+ZycNUh z{W_u*TNDyHL#Dq!7yR<>8f1Adcm2x+X1_viz(BT{tYnL-r4=aDZ0qT{^>qAv_~2J* zFwqZz+h)W<#z7v4@yj=YMd>C9RSn>mi!YUR%3?kTB1W8EuC|+C3L4vBi|F*|M_*+G z!sT~EmoQbAfYXt*zkOM>Q>}D(*RZp)sMvkWg{0b9}VzKKgLuc&jy8G#N>$^#d5?yDE&SZ*#F9Wm+;rIk_aGUUet(O<>9H z$bdk;>3XC_lYr8}?~!yKS|c4@+y>$t z!mMm)y(SA+RnD)d(T1I5TzUQ^E?sc)}j( z5SAaDII$M{(|e^;8KDCQ&U+y^|I<6WXV%vVLTsvS20e5QJd|V zAADgn!u-e0_Vf@4A42B?Nxpi%dmiZncr6RR$6%~4Hq{37|N3Ym8^@teP+z|?B%xCR zFYM~>1-GGR+DFgzM&D{!w#(X?q^SRFy-cJp z$rpjC&5U|S!^2Pvo+|1*=1ajZib-{BZp@vAp!gn9Z^e-0@%58&XClo54j z_scfDYLU+&n!8jicR4Mq=XF-x!J|~e-pp24M@ywr@$8r5$26?2UYpj}6lt5U8eh9U zSpOvCgkZLVx{v+{S-&+Hul>-xdWIkdsEpjY*F{fFKX+KP%=Y&hT%Dn=yS_4(x;j;D zA1hEfIU%#lO{ktt(;@44!1)X*7lI&_)p)a`f7GEck#6ms1rzi;qi5!_Fn?IuXhMY1 zhXs$xEvu(#cU4ywnRCZlIK?lS%7YAE8;v6iVMO;W@=ubz^uxBFvKtzb zhu;-O2;@AwIFylX!)t?i#yYT8*j3HV%FgSsrUh+A>onx?&KE^5V5>29B|6bT+OeER zn<`e$wsqgWs9k3XiA^f`tSExpq5lCCflAq9kj_-3Y{!uF7P%L?NeSHjZfu?&$MxH2 z9o0i7Df69Nu z_;l3fvC;OE0u33<08-WhDkL3#YHKR(BM4;HJ28S!h1FB<%Z7#(5evW6{#P%kwqTND ztO)LSos&Y>mAffjL6%2temRJy5??v(Nzj-PL&q?OVKJQSJ7h^s?c4|_>au+&)wMKG z200bALW>b7cj<|CC8u{eQVQ8Wd9Ruypvziu^rn%Ws4L;|*imJV;_l6Sz5FbspN6L9 zotbT8{wpR`af|#?tN5`RT}%;Q?WWScV`Rm&dh4E38J9|wTL9M=!zmcMcppFYGu2tQ z^6OkrEMH$4R5e40ztMTEmWIRfTh6y0MN_(V!$+JWuR{*svEj@w+tlrqrA|(RqfNZF zt;$#e+^IV!_=JPI5|QD7t~u-h7?0D;xZGNmu9t=Wiz*Ch(btBqQwn^}3Z%$o=Md>f znsKnMBl6`dy5m?0<~mQz;=P$74Vog_h|Bhp^lJ8goj8rZU-_wBq-0kvX`QnxBB-^R zD)_w4scnMwvi@5fZ@lgAX%kUG_R@CB*o@Rv(qk)4L?XE;xA6ng+|0H)ap-~g!>I}H zB%y(=cy8+)s#fd*)Dcncs7zpG+3HbXI`K;BSotw-8Fp9AL 
ziRJT@X0qgTwS3Yg@2F_U!%ZU56GDDBsQ5E}7HFZ%l4z~5g|&Y9{FJDxMpq*{%<%;* zic!WHE2hNzH97=~N>p6El;)=BhGBtLp;faxWpgt{T1~r?wdX;b zIye13=mbhuI^C+0%yN|=6VPg{d^!1vHRqA?b)uYOWqOAzvUfbxrjj~cLTNXDF24bC zfuu~kPL`8(U8Kr!wVD+BF_Q8{uXtCbbBgKIagO}8#Jt^g&d5hNHtah%2BrezHJ&ug z>IH)=>FMcoG#EjL<6EGghnnFMYk^(`H5TXKU_Pl&-kF!mhg11-Qwd*ee7usNtm(o= zD8}$&Ef_J|ayw+$w}i5)N?_wbIA$97H(MA-NS0PdTCenp@MfFe`h87SGm(=P8tpI9 z_WWBpQ&6Q6<2S1z#C`PmIjydqS+b2wJ)tUhI4vtlrQ_I~8^VYC4zRNWyAryU3w&-z zW4fh`RgB=W67u`x@4$-~sQr!DxMc5|>mP=?QHD3{8%PDi5r{|71IWvAP z>!N>)d@x5}jmo80KrYVk8l*!lFE8pc=L1<{V^Zn=8K(P!8Ha>?aBa47YN$HI0q6%z zd9U&RHnXTu|37)U-BeQ9$-!`2M*z~0gmL6(cWB$?k%HtOyR*m51e%ze@bS*n7*cEWc*qTSPjQZWR%vyBh%!q`SMjySYF~m2O0(JEU7c z8VTv{2I+j)h5Fy#_rCY@?Bo6Pet5rm$a$Ty)~s1GvwkyE!x&42WFp|xmcysoia{!P zy4yWZNB|SSP0KjVz`=2vNB7t|f-JNOt3yxG>SgcP3juEHvCaX;X@qDrXiMXCbTnGk z!>>z8$#VbJ!MLdmQS}+CrAju5z57br!BDr|S)b7HL2U}a~jHhM9`-in!*+cQ4u`fa*T4JIy_TEJJSx^(xT1|?a@2M1he53u(6;ERLSQA}fLPt%?OchK!FP;!D1OPl(1vFSD`X`6dEDRnMnJiVyi+7e zDLyL7cMGyr<#9r9-7(vq{M2D?>#)D4rFWIX;5e=9Ez3hn^(70xyVr1Y*0vqJAxWxk zdK8sflb_)t`6Q3q)_JnzSktNQPQlvloeL>`lcOl9PZ@P?fn9{-swf*^i5)iqO z>pV&}!9KTxmLeISWO<<}s|sSSfoZgc2k5yJ<0V~BSI+QkPukI{G#eqhE-tP=auB}c zj?BG##7J*G3Mq3d}Ar2VoXTdqr}(-#fv*JnesA zrsOmCF^7}iFnu{=ex(5Dm7o6ee79?r7Od5-blQm9RsOsEHaZ0`Da`q3ljJDpb$@R4 z$_eOrC09F%C5gHoH>)M1@C0YaQ?-eHZT>cQFS9wsj4exVELV@y@d%SQfR||{hKbW- zmDZd8fJI+XR(bV|J6oripF4lu*VcgZJbEX9x516kpdWQAvL_IM}x468kVd~a%1XKp3~wu-}q{c_klL`bW4u^|!8)q3Gx z_IhaNg^@V^2ho-he$oor>@5*iXB76T|)d5y=VTInXif;;S*@4X#aaxk*o z5wt;nk8H#8rkN6UnQ#eG8DT;p1Tx%G|L31}wz1Ls1gEC({Eu5Nc)$Xf<& z+ytuJ^1P0DH3xESX|OTqBdjHBn#l)5G(IFxBtSI8ESbm%m2)iLhDz4M@0smWS5{g= zdZ-zr#{>H$(7oRlvuR&-8c}KAy-!bHRcBPjPBXA(Dfs!zte?j9s%@o@jv<2ryqf!A z`;2wUeTU)jssaHEog|E%2A~Z_h--L4mhtkmFpI6Etn+uzmB8srvXNO zdhH}Rd=lL7_&xlky*|H})ifDy`zvFv-sCH32^btQ98yKhB#(%MZJ!(>^1||EI14;~ z)+pb(8i%3gRr-O$vi_yY;t8~t~{cU(R#I*_V+`SgFoZz(85J-ap^{< z)w%5p!UcA?JBz2wPFrIvO@|{5Q+&5=}onOxWjGCFH(@T@{AFcnfJ96 zqqW+y9#Z);BV@R&&j|7suO5(UBG(6oX5cZ^?3kizvSDVm$mqT3eZ+ZvV%NjND}#cl 
z#iup+L>z1T&=3jD=yln>*E#i-5mV;gpY@hs=FlnEGDy=gp_8%;C)KZhh`r?J9vY|@ zrFn9CI=7Qgu$QYu)L>H|P|H(EzO|Kx*k}vGk3-!e(#y&_kx6tA%MeLif1#I!j0ig- zZ}O~LwhHm`1`RF1t8V{tIDvDb7QuEU4405_M1GAEN31<(JZy%{=gn!lE-^8iaL{Xb ztEUG3=i;QHavo35tE)cjY2px~U%m{2l=7+tz02W4G`f(6Kyd5rU0I-e$|fQsYk35@ zWX4|`rLO@pFw&NHVz;MN*wbkzaLq!!lP>1v4=JpWN}lmrrev|bfx{KK__SRyU}Ifh zjbEdejY~L6t%yQ~bB4G}=ZT>wr#F$)eHL&){!t7OzJN3kOOLXAV6QC(>-4(wWCDh! zkd&IWXXf75%g~IAt{vQ9$fTGx3mIX9;^2oLf%lxXuiziD^TVtn9EuvV{p>H#%5boK zdWuf$uR%0AKQYBc#c75te6rP&MlBd!+@}TSU9I$RZD}(!bGp`?1m?t@XC0#jJN@+`IcYXl!YfeE4wvf2Lv7Tv_0iK9Rs5Vz!0?>56PEg~qiT@)7LMmRb@WENqz$9`lBgQq8H{Q7TjU`eU-OJr+e{ zF5w&2?C3SF#f@s-wo^Qxg0thZX*dJ+$mT&F@wW^b{B=4@UQ5T{!u2*G^LzEJ`05T| zu={wJF;bgTC;TX#%0@-&laI>n`@bf`^1jU#ku_}k5;uURE1rpf@M5GY`)R>NuZ-g`68enE#pB%=^?J0QNH!i$FzSOn| zDE_%>n{D8+6f;n~t1|ZKm;qIu1ubAW6{2pMeasa-3zs{F+#If zq>Yt|M!4V@7ZKvKcL(mNRJ#`&%Kj+EY^zEy`=Q4w-wRi_8U+v6ya2_6zSI*LQ&+`f z)^gp?^L^96eRp5pGluq-AHA<@YDyv=EBwo*hZ?3(M@BYdUUHgtvX()p_oKrbN8x}i zG}%WgaKQTffPNbCBbJbXzX6|zVQUzj$qvI-ylkp>fKf+;`1}I1eTOVm8BQZZc}88m z)0OX%do)=qAhFs)fA?$s>2ePPVh)M_qRNe0swFZSY%=UX#dDQ=ZujQ%!gc0L&pXCP z2>PfkCD$tqhSAG1=EvSFE2wLhu8QX|GSE^X^1n)I)k*Q)%9ZAcsCGheIo@e^W23>O z?m>yYLioAlH+w{{j6fV(3n!9r0-tu+Nu8eP%vgSuciH-le|+r^-X@_ zIKImwJadj(u-g+>;sG){@kmu{Lg$%^;Ear~MZ~zkh?H%z2QjNyqSAZNp@r_&P&wr+ z^u-YtX%3AH|A8*}+8Z;xYK^m#mZ$nj=lkWZ(%tmXB$NgH1xz=}2PJPyCaweFGlec3 zEEV(FHDtY?1V)o(#>shTN*l+{)}G}Ky;mZzUwbo*<;3ywqCPp5mIZV9-g30I3@RE; zw4|Bcx74CucE#@KUD1v?KjaO4rFd#q`;gKtnl%f@ph)D4B{!Fm#RJ}PlYzZmJ&KZz ze)^4m7;CXMs`nvPs;7B(22`fW`)jdC!fl<#USIZU&~c%wct}8UXGL?1<;4Vdj^rt6 zK&(1AZAxi*R^_O(-oBbzAV;SwRQ9B^zSNORkZ+bE#siE>ecbCeI@_@L@AsJPA!r-9x)YK{RT%2cI1y0TW+oF0% zHoEd)*E{>`lvh+o@huVoc|smNjyf;l9aghbR!j(E8Is<8=;2qnD}=QEgf~n{VE+c< z|DdZnhb-Xy?dl6bDm|U#o~h{Tr(DZp*{PX*p@Us-1-cu8?PbcN6P8>`BR^b9OB=*K zVtg@nzWei&-@z1>Qt(z8Ra|Ibq4~{oq-V=a)hhmCIU?b)<=)~JWg0xr8vBlrGN;{2>=oD zWcy2gz&~@KZgNmzEXnEH^RA(rzUfStBn-6fSm_&h<0f3k85gLJP0Ya#RAn*r_s1Nc zx9vj` zozkgt_wVQbisphCfjou6?naY~GrwzmMh0x8K&>m2Iut@@x%D{it40tAi3~;`T 
zzX;uB{s&*+Sd)(Czc=#$^wF(I7zZdy$D=VPBBw{>)ob2C5K-?w}5 z;zc?t9MxXfU1@1)TW9vBwVlH2A7=!+rE_M~thCePb}~r(jK{uUAf7X!=#rd_(u+qh zu{uu8oAd*plIQ_Ytst}U^Pe}{i}bw*xj&C_$2iDSLiXX&U1{IoESCv{U~sdM+naG7 zr-Pfh4h~1A!Oo5^uh~H$=)Bik+;CL7Jm8GV%7k|8!5^u*#tA{i5ZBbCfvi*SCPW&)^f$A7MJ{1VNyIuslT9vs3j?#AQKX5)8B6nP~*0#d*6<=>egC zE6hG+KWU{Nhm{57Y-g|72<+~#;B6e!n~ha|--|#L2(%c%vq~0n#I^e#O%yJFSOCJ< zHPy%DvL7XgBEtmq`B`Z-8DDLbp9t3`^Y#u5%pfFOf%p$|;2n`xR3<6QC%c5k7c0`p({s z;r4YuYJ!jN>UBlLqTE9#LCUW_8y{g?l63aR_6c4^jOuwbi zvC;j%zUkpI_$CGGUr|BmH@z?bYQzk+X8|1k7Kn&6J1SQvFbQDdk%h*0;@6%yIk^Ni zkHZbFCS#Jt>Q**hQ=d>L!=<}^zk)X@*Ke?4NL1ds@ zK4XT-Wc{{+A8tecqn^pamKcUlSfpdnQ0BJ?L_qyqyY@uBProiT#0M`#V4OWRfcg*& z2Q2D?q!+)3UkLn#os-J)!SC4~gli$4LU>Tc-#e&-u+_K>UA}vV$0cZA>o#tRrCJVt!Yxt(>h#R9{h|ID)}cu*xLwI$Z?2Q|Yj zEH2)^Pue~XLBHnKJ)y&vEkotwt)JVGB^-xsfgvrNX6IW@XJzy71Ee(M!W zB@ntQh(MkEuLu5l<68^F&k-o1ckq_d<&3)b2Rc+ulC=6 z`TJ>6(m*_ikWxo}YpZ|1tVtQVX>D{CYyI_EfB*9ZC78PPd;R9Wr~B`}K?g}U52{|B z49DpI^A{q2d=J)m%6!q4m&7We8p(f}ied~u+Hr?*adBor27JN|-WS^1+T1@nH~#%) zq2J`|g%}tV^w+hhXio4Z|FY%Y&K=mI!oh>DAn!6Vyhqhv{jV+q7gZYn$9u&=@74Yu zdawWgqW_mez>VbEM*c{gRev$_J_%`o!l!kW@WCNOJQMO{dLlnWlQOh@A>ucp;*TFa zCDhvpj&p-yP+89Ljv(T*#aMY|cB{0&1QY>*JXd339Ue~{`D@vHtQYi`Bu;kdm+_SGF78PA1TH}G6xzLpt^r3YWt zsxs4lA%6@aE3;#cJG>Fug6!YF=}Oqu#er=Ks?yKV=z$326A*4#_WmuI-?bmoyKo|p z(E9Q&AAIyOVpnb*FEFt)?%=||UQNh1`t*S`UE-~Oc5KJKCN05dC6hk=?KBg+f!@h? 
z`mSK#((M2X=!i)3fBLBB$CKGVK9OopYYjCp6XgjR6I&;jAhrK&_@=JBFoPDznvH>> z0^M=r4cq6lkBEvVX$JmxcUB!uGX4HVVnW3*lZ}?76kA&*;C)4*>l&Ms>FBVShSg;6 zMzJeW#JNeywpb}x6@oQDn+->%{#gXhOB;9ZUJhnzm?-ATk}@%ssMcJ%NTo89*xA_; zhNgj}(8~puI&i?~>gql>oHK+kuulZ?QoG)ckGTMI86K`HjwbYYn_u+$^33k)+^Of% z89la0HK*e6Vw^>;$~L2;vS!)BX0GMy4PS}4)8=qHC7IV9H|y_t2a-7ZYLk&~8Ei-| zcfaezb9+5yw;4CC%#Z2z7Fp>@z+~2E#idtI-g0~YG)(Bz8=QgNJR#K*b2RlzQ^*Wo z%~O7cM~`4!c4xjuq|`DQUp@~6J+bFr6iZ+;GCa)CTWkm?i8URMG6Ht<=Ln+D>IeR7 z#fHyBL?rJ3OJfUI85!QNJp-}=76nfk7#LD444opV7#$`!awn1SncRt)O_1B0uD$jr z7e2-FI@Po@IUU?PJw4TJ%Py$`W&LKnE?y1i%b^u$`)GJkHO_|^Zh=6TZou6Kh<&MC zIJ14J!Lv%TRLvSEg(-VyaVfd|cUM|Nm z@)|N0YS$mjnx5)^dl1iM#k_J;btlwYFi6_7 zwz+u~Q;I+-;e1tOl?vYd!GU4`RfR;#_%`bbDm%Ss0W?~0BfXB;WdG#koGBO@S9{Qi z$%Z_bLY?2R8W`KJ7a=)NAdFV4{WlQCgQshnJ$nZ%&Hh9HQI1BaYwhccGI@-$vRcm| z``mbm8kl}O9(s#0QL(}P9G8vA_}hoH{T+m~xv_n$iN(IYKGmy>2R)b8?6{Ygd70l! zW`VvBM+zfhBi={aUz@0R(eH+!pTA7H;;?GZH!Sel9>G0b_$jk*p2X4X4fA+j>q{TW zK)IPgvI?bR4PiJ&5X3+X($wFNM^<4Kr+S^0<{6l)M7?=-V?y?= zNybdp9~;}3UY)x@OxmGha(7y9+#ZB6?i^?%k5xl=40zzHL3f{IGgDGtnVqTAQZ0?> zXIg}*=HIqJK}jZ)8PCf~L$!rhBY8@L#`;VBaTpvn(`}IgSN>#pmmhk+kChp)z@w8w zeoWTEKZ7>eY){W<9SN=~b*(URsLH{BY_eOn3`D(+`lM_BEkDLN&Fe#q%l0`N?S&V` zN>9qoKrp8R9s9_$vJ>->Y;+$VfvFlNB7>3drJz?QZ$RAE91JjEcw+pno(NZ`)qes=U&3LwlV@Pf7 z?N9klrgN7kdO-Q09?8+=et|3euWxXhL0=KM53WqE?ykDM6KL^_>q%|QZJ@XxgKX(@ zyXRtJdaa*(@v~?jXMPxVbzkW2pZt(W*qEOF(28IN5DHAzEl+yYW62^2`JW$I@e_^~ z`K&|%@xzp7U}x*nqU5fC^E>b%<% z&qg$Rv-f^H%S67cC>V7s63JW={){Kx&%IxwhW9KkZN*ITEu|L=T}c?>NS@iQ+=#_U zYd~?ap^>EN>86e3K&hL8RNC3L$nN0#M$+J3bBI31(bwKg7BoQq&?r+OxOrc-_i}+c zez1KVRxbrn&@MP_O*s#dGW5s+Tel=SA!Jq1%7;dGAJBEhHqdP(oB_IxR3zdP@{>-9 z26;oFQU4F`<8zH8U&K>1t8D&I|6o_9JP{TO7)0H!kNf5}Icn;2Pnv%;6`kuBBg3oY z`NRQSX0&2=>Jwe;o@DHBZ231*IXINMbUIM$K$mf}U^ctuoBXNq0w>++M5z;x z{c=xEY`RnP`B75&EZ;V$W6Plw^;Ghk;chk zr(vyTJXLyQxlYCg_5k?!6_j-}Co89Tn8Ix4Ux_Uf%h^r(1_iID!w)vNd|cqc19WAw zu9Izn^zg_YRBG8dw}NS~1ccR$W{YHGtZ0>s)Utvg%$16ofi|C85wnWpp-n3*9FGQx}yS)3BfL#iBdLD{qMj)L}a{Mb_QixGL?bb 
zaWIu!XayOEie1i1yW(ve;#NdG$_vx6 zbQxHW-OuCK1^6{Bmr|_|C;^7@p>>xAMC0#vdOXuzz1{Y8q1(O%8xyN1Z`D@ON$v!` z_iObxwim}F+Y&P~Gh=n$F_kVOJA59Gx`#D2H3u4oe3CjOUr?5fK9PM7q@XatIKFN) zm!c-`PC@RuEG{W&VGNhg&KGq-s^(ZrDW6s8Y+TKRLc)<;{nKJ0*XnbcjXQ7SDI2(@ zGUnGxu*%0HK5u57ISkXr6vQ)Itzb>one1L?9jghq@|cTUew6(A1e;bh-B+FagsX0Z zG(lg#hLqRUSDUZ)k@&IYx8sqCFBUZCc@14pFC~gfjb0kGRLPyr2gAMgAmyL1OE4SL zv|6Go(~%-;H(Ch~^kds(mDMxD>I~k6m`kMe&_+w%RY*voV!<=Al)2f@N}P7(Em z*mD#q5|kG&DsB!OhCP=XZCs6t1kPlkIS=_-Inp%>85&Yjj{0`e(tR5)siq??d* z*RPAv6;d9|knkSP+Arw^AT;&%zPgaT_{c6fFSA(|2;p(rmdgt2leP@?MBGl7<}dsl z`%S{f5CZ_W%B9slLTo5MTV?oVF6+%cX9PxqqRU{=Nl$T!AYf)t0ot0MZ*62CLppc7gzuFhHn${gzx1lJnW=?1DC}aLP z&Vq8jCZFAU6|0!>N~irk87N(`dXrVk4gB4DIH_GGhsGPBqS5!x83Lh=8tIhkG<-}dP!@I{GYKVA59bIt2d~o zC=0xr+z~eZQlwt5eDQNpxHWP_kB<4hdO;hchz-_2VYKqqkCJvy1^|PQzl2Dlx1EM`6AU%STE&+ zEGjlGzr;y>2W2fwMJJe7;ToR^oGya8Nd3G+viyf6oUT+Q2ASgM3J7?V=@yavuJTD~ zpMYZSqV4`Dw7yxOG5YW@r~j<>RBb-RegQ+#Dwt-y0?(`YYDGCV^5nyifI+QTntBXJtR z<$UgLat|{RU)(~`Vc#|LzBv3B6piHAp_B)Jh5xK(U0dOg%K5g;hYQoHzIi@k8MkuL;c?MB49TEYbR0F_ODK%ko_s{bhzUC!O!Etj7N*9-Q^9epkfAM-|9U`eX&H76 zi$G4j(MS*yX;E2zk8ed8t$cb9dZl(u6ivV=Q~QL~GH1suJ(e;_Q#~iW zIG|@qF~c&{_=Z--df=m|{unh`>15u(u_W7t-MURYnf*O@57;-O$cyBhY;tvyb8 z;6tgy*a<^rAFuGTupV7$BB7&=IsnIvU&=GNs<;L5KA&Q5wCEei=&(zjw)utE`E0F zR3rS+hy0|M%Uv;ydRtV7I~;dFiLJnUVqU{Dp3F(T*!Q}aHIW9}efZQg^l5^$`%Vv+= zbO>^{w$)Xv^IXUK30fORpa}uT{f?silN+F*N2p^edQX=F^6urV&?m?}qkP`|h{BIr zktEyrh)(k`X`*{yV@Z)kcWK~Vfw@4lXlNY2Vj%Gohkc)$AxjIzqTKNprq41mJgZ`j zoaF(-Lp;#Pfy>56wiHJ3uIo2Pa#ptftas zgQ~)1i@riBpbo)#=ahmwJ3v@!*Kd4;w6J>^4{N1CH;TE`@LL#}w^T!KGthv@%iZ&v z`hbYwkr1k!|rFZaHfpV{o~?X|6yES5N)A(v%jYz-2TrKN|b zW@RA|W)nyp1ch!b*O=_`^N=Vxcay?BVa*?!v}-M4YaNYGGgDo~@gP26-BsvdvmhY+ zT+K|AF4zu2oY}Kupk!sgdLH;Dx4r%e@4yxF_QW{#cg|`-Dvh+7AFpZyL+n){niUo! 
z1Fou_1k8;XTm$emAN*Q#H za+RXkG?aptUZh<)>y0NrZTD|TGg>bJ+WmJM0t|xaH&A9BjO9M+w%Qd7qVgqD8dLyAx zJfEsPxs%9h?TdiXQjRHmy!(!M`TJe%BfW;_`wLY!bNr+EYDITjb3!5_AfBc-3qLC- zgzkQ^o>mSp4EF z&# z9xR7!1zYUA1lbA>HF*isbQ;+rve$f=U#Fy6KQ4=AE4*J0#p3GOG~3;exG>l4w^9-m zZdGyTvgWL0H!L^<*z-gswH-_!D6+uJpwvJTB*Db#!nRsV6>?<*s7AoW8t&AIneSi;UiQ zkWm$>14$nUG*hKwrJlHv&NI!Q(rhtsa`BioO0H8l#h_D%Z>v<^C_v67wky0(v4lk` zDk9kEDV^>_@5lTio+|_#f#K4ELGlmrTvo=GTau3onCHl(kfgB<4Or3MW-Wp+bDP7nyUMj0@b{v0RxmE!^X(^#h4WVnK67@dm`0!KbZ%`s)7H*qu%#_pJKUaKSg!E{ zewD*R5M|V3B$QWwzVMR+bygR^V!azV^gkRk6-M*-)~C=)T!ihMmUj^qF22+l_4*U{ zsy}|jjjR%k5v1aXs;MxqYq$6g_hH8TsRSp-giz@ z)7Nph<;hvF|1FvDip2|fCD{hE941mwZ&NbkfC=-ySnDIt`+ z`GQT#PZ}?8ge+!71d`8oV0IX*KJxBaMAzScbBZH0>*O`Rvx}Y?$21~K6l?=cVa$`G z8(B`YK3t#1C}Cpayi^is>v-PUI(Ii9QEMF=)Aw;^$NWZaOo-|w&1G1-V~SmT`Ub}3 zIT0}#H~v0l1bHa;6k~;uF{RTQ833$wxM_XwI@2@_$Tnsefz`nV)<(hK2ONSEz!6lf zH*pH3K45m$b37Z2|KdZcd|7>$RETsUza=p6o}o)$MD5AWg7c+Sj~OpQpY%-+?UbiC zi*Z^)crpyv;A0&W>^+)0E&)8&VpDBhC^RM8=j?Q@TWTLDrDwUqKlq7`Y<;;yT<49c zWUnY;X_Hlvve&c?ldL8GCE0ms?-htlZ79*%+x5Li@UFjD94>CI^4fcNcY1n`WDg&rgQAo$yWDYHyO}ot?cx1q^GY+-3@er#Ou54-bYV0{fECeq5Z)D}SW&B?b3@N1I6dR2qiu`bj#skdib(sWxC0EnM9%jFuyEozqYs)pYiTMH1NeoJFf3l(fm&EOXl`yK zU=Q`6EncO4ZYsq=)z;82@hx7cN~#as5z44|2OG(KYgF;w@AYpxI53QN5?*`Ao!Bn4 zBeBwaNBzozCmt!vr@P10L^CF-v5}lukH!)13e1}AMq6e!^7#*U1=GIFevROmY@*?p z20Z0&6q>eWB$5^uJzEZi-)g4m(>E-;)hz=2kQSu>%lj zdsA&lf||4k-h(h=K0cZolafg}YeV^Pyyo@(jSVTUC$nT8DTF6>j#eS{9dE(gD9Nle zx9-giJi4q{;%KX_d3-`-)B1G?Rs{hgF!Bo?^Q%))26>4I|#|IsFt>)Wl}j zobuJ_ze1+WRDYLuouKW+4Jjme)5?KC&MC=gzEb$wDQk3IdW?kb^rz!dTNs3e(e+CA zlHiQ8!TpRTP&_d6=HQyqooIez{*7{wMuw}coukHgG*Um(i3iKWeXLWw`ekPc5G9>T z(>t0QY`!u-W5>?T9SoJ{lY5>zO55*+1{UmZh|`OdJP5IMYF?&Gs!;P2Gl6BUKSG~6 zSnW`&DChD>VD9{0k9X|6>mOfcGNQ*~y+^NsTRr0a+CzydL2Ww8;y_VTqYi%+k1jAc zG_9`7E-j?qP>zoFpF~VIJ)Tu= zHG1wb>xko+{^S|ra|CNh6&H_Qp2Z0BH+pt%yvK3#`e~lUfT7KTPuVJ?Z+q0t>2XE- zc{}lQFIDthv033~stp}%KIP*Vms;kZD#OMA?2#|eRq@sQgiEFHZsUo-urZ;rG6F9` z&cMJF4i;JD8m*e1X9+fM>8h`s_rXdtEDk2=<_N5tqG0?jCw&6tq;q8ZVGDyoAHINl 
zT|47Wq6Q25_GI%L=S&esi%g23F$M-5KA@yg$@LebGQGrI<7gtQI$vxn8V*Con7TayO~XArjJUSFVyDzmDqL06?YPPx!j08OEBb4Y40Ti0JXtzV#U=8( zFME7}qCsX^^s5+Mkx_(?@XOsXr2|t2gj=yxq~|WkXDtx&I}etgjwhwZ`!G4`j888N z*iLp@fuZY)p(VV7v{ZNQ9W-`&FPUsWMnl+gVrYPi6U!3;wY>ms)7EN66Fd17?Kdgy zs1*FQDo^2)L!RJ(1c|AAxwy*GGZl2MVTqpF;ry?HO4hfqw6I8mS++M`x_=vF$^`u|{|G!bSzTJYWZT0o+ayOqp|8Ee$;tI(|BNqli2{q`}-?uj|as z>>~KDlmy2Jg{WCkOquJJ2 zP`2fb2Le*M<%-3`Rx+h(D^FOW(PbvUL6%Y4W#^8KQ`F0u-6yPDk*5Z@5D1Sma320w zTX`TPrdFfUMaMr;VikKm@O*qTQ@`&`=T?du$=?0QP!|UMZ~GKuZhBdjfn(%Nu)X$d zA_1Ogwrjg0_%6D{+H`x==F53-7%CW3h>d+X9FqiHJ!X&}Z{l=v?<|3oDC&jHf1cr*`gQ9Wcw$29a>=03q{bk;-Odxd@ zdS8bCSUSVQW%1HKEh@dGPRblNy>_B;V7DG)J_nuuHAbXhAomrgV()49{>tRoSzl78 zLLH}lu3BjA3~0@_(>PEpzS}nImW%aPi;zu7aGTrqXkTb42&Ia174XuMnahqwCsS^7 zMbc8obn^F*n3xb1meUkih!(A<1fQ~PGJbi+%1iA*sLnWKyJ`(`A{y;gLG(ri>J1qD z&)&e^Cu@)xL0J$MspPSk11tN1>^V6-H#&2-G(FORVRdOBgx;DyB=oh&Qp$@qv3Bzd zEW$AO?fw$Ek_k(pv$vS?-eKBe+jd+DYTmmmo1bGI1sA^HlXJ-|pY2}%#tbVbEi3)+ zoVi6A+DK26$KaqVX6AX$H7&C}=4)EAW44+W@gT2*y4pdeD!k0g;WV@fJqqa%rTM&2 z^+Mt~<3Qrr$H9rGc>))?9)PeOrv3UCJ{=jHTk}{+^_d55SG~5mT6rKuepTye%nJv< ztKRbtJxZz(R@dZwoPG{JDPP2RVAN+onp88tsRIQU*IrY!y! 
zhUHg|1^gy?j_%_fmI~<>UL=e~14YKq!U7UGPgtWFWsL83<f@$+^P7Da%}X^T}$Dd4s2;cO|%Jv&lmC^DjbHT0k0Wk|Lj@U zmIDQ5bd+?92ol=j4H_Ipw1a{G{1JKoYbAjP$6vqoyjr(;rw|do!L?C`UqF0T7U=ai zMtxU|;BG)*!41C-Ayt34yi+HCsD1T|wcHlTTZ;OJ=#|<=RLP6p5w{a5hMurzUorfqu zQGq>|GCbP9t6=M;bbMg3LGfbOgJPuIPI^q*RBCK9S%x}`Nw;OL0)?Thzmey1Hf9rp+LKLXRx-npOsc) zV&jNQ*e~UTL>KgJh3(~+e;5PY0tKYFHW$8DXq9Q@DA>u09VLCum015FB5h=_?A}iEcr1uot{qo6*^Ou!mT8 zKKK(>0OqtMH2P7hMSRi}>1A*Xpkm3G@)W-=LArI%Jx0LVvT9pW!yQ7m?=;Roq0s*} zXTBNpSi%6|{+Lr=k2`ZVa36r`+*Mn6aQT4f96%1~SG_0FY7$sFIt0c<^4;=Z!#n2h z8wfGt=Gl4He9^JP!82ql^=+Y&@i{>unie{lk!k$ASUB2eUvH?(1vS3@Z9EKB{i?<| zd8>Tzm`a#JB18L&uXJ0VrGN1)YbGe9FWfuc4`}`xwK5`Us#;UFnEJp|cMAr{{%d`+ z9h*oTM=txYj0`?>+KcBfGyondf3U=Y-8!&G5S4$14diLqQ0>;`&@Hz2^I+n z>3Bl)IP|U={oK-0U{ku387c8gQ`Owtd)saafqU>wbVSZpel!7hFW z0zWiD{31-Ch#JhdL>Zt3UcHL_g>@cNW4f=hf5`l>Rp9}K%n^&Rrn*_+A>*sf_XB%h zr6W9E?q%2o1E~M&n_uI*JcjhY8DC#Ml&LD`m@?FDH{WrN>3fDb_O_pC&D6<6S}6me zb|PF_j*6>fgnn)uTQZL8En-f6mclO>BSbX99VEaYKmN*(b!{zH_sN^%KGL zzuW0ler6RXH2HWpCPf9)nei^<#_g$vc0x8n_Rfkw;KC>MhpZ}J5`%6l87QVr*?(^etuCU+h=n}+1!h=-*rZ6Y zeW)R1z5wfst=Fv6sU{jk!SY}{&|7-n^|~Er7!h4~-1p8sLal-+K5Q z%>&EMxr{;hfRS;@0wgvwGC*BWm46OZ{?R1=A`J8y8R5q%y}zL43-E^7v+@7#Ixqt? 
zzcq}<*|K^Yx^U~6^g?f68YEu;Rc90T9hl3X6?vzTT7V?iFnf$Wo452 zOjq)*7>J7^+?$YpKZg4&-1&dfwoTV?3;K(;7o%u>?BzEZ#u!7gP2avD`3WWH+RkS@ zFzf93a7!=?nn0iL_aC00?|U!!WOr87(h_xHae>8BV9XYIjSisYTAG^ki;EpivNoQh zzbptdP*8)h_cay`RBivaxZiI=-}mk@#ce>q@c+N)|Eoh#p*&PTq~cWg_HUB-zjn_H zOvJ9}5q|D>Fz(I&k~#4wPWC4V55osFC~|sh{@VHf{$~^nH0Q@xNFVEe!06MnfHLH( zQ2Xc9q>pJSDOyWkKT$YK`z=Kqw50FMb$8DQXFzxw!(c>c>B zd{dzoz_9WEln2mx2mGC->0!z1fBD&e-E2SscqOS5`Jw+6Mf_)Upv#v)5NLIH{3q;h z|A!0Qp^91|$>}eq`@d!apdqlpcI>$m(DwB2REDNlxa9g|-JUexszA=R=g%kY6$-wy zt6-3$O2a=-gI#Ft!CPOw7tPiNQ&NH$`nu%h^s#zKTprB>O-OFh9Slr?D*=F#3EdylI&{&d$3ZF7W1laA5XQjO#-f zoN2UdojEw{{&xg^q{qAZNJrZth+EZ{9PBAPk<)T^h%&OTX&7#m*$b#1T<_}d`dc8P zO5ik6o~D~_3wJ8e%e3#jpjP*B-c(DTafWBgdXJzPldL~j=XzhUd(o9XCta$}Xe6Ob z)oBA`OUkz7BmQkkM&G;2V5Uvsp5qGrG?A+mYI2o04l=lY(k7p(bJ|Q8 z_V>SAvh^h>p4W&FpwSOUjI6aA2>~r&1dD*t8j0d9q1+c{_FnGOf#lj~8AdFfjvsqb z{TrC8izm0Fct%DBfGZG$#Uh$hcwAC*t~?*WS&D%y%kT^K%7m4*=_n(SSYX>Haa+fm zf8%siEd`m96u!6L?HdD@zB=8oWUq)g zT9Rzah2G;9*dA?EJWr`}vo~lT{uVX2w`^XK#>JYF~G76dvL;<8)+20W09XL=dwMpjZ zYP#|?q$*!J{e7O=Q2W}CS_J9_O;~>ZnXyVU5`L>6FdCKCL!?D&ncPo(_;8nXav>Kd zyOS?f#?V2IKr`I&)|mgU&*^PH@3QYJvXsWd)2 z0+!SCTj?*%`+!2`XyS+zS(N0`sAqWW zfb~?>>+0E?^eg;f+VI8Tlbi$xo%xh6vw_h^KbE`KCVeoemGXUmOqTm64Wi}!$QQlw z6De17wf|;c5<${1&{g}vxPVq!@{w^*;uVzezG8wB-W%CQ4KOg*Rc=3Vg~h_!{Q`nh zCvFSCUAETk+P+L71$`k&m%0+L08Fob@h*{fq5)84Do0<~%ty?kPGyfR$BXs0k?W4n zCpqm8@eSd7mm7;rCF7QJwesMfMvw)(q*g?&_ux>A-7MSx6&W#)GcoM2yg<%-up7>~-i3jI83QGB`OPo5K!>XY z#DOdo7XZ;C)2Y`NURj?=W5sq@=SS;j!=MK^TOB*Ak)^Fqm~CNaqVGa2k(# z9gN4R>v9@>cij$HUij2q!B=d^wX>x*G+1wt5QZ$=MxR7KFyF zF`P{f%jYE@L>X6W3D$;e?kE>%UyMENLfH5q`eqJfNl1EXdPb6fa>xSO_0C!gyD2Ft zY;pG=iP!?vaP52j4}KJG{pFdBZ;TiKXVm- z*sJL3=BD?N+TkR%e(hr9p%s^7hCiHA2#+j^$5-#p^y{^mJO*!_5>Up>$a49*zhNyM zF8q-Qe69y_`goqz@In1)78=4Wxh5qzlZL)MnPXKJ#TuBzYXE9&9GNkk2f zf>*eNu?4Dd`x~KHlp`wRSO78SM^y3X_MRxLPYHioYj6T=AF%q-NI0Y_mYiniPjLR@ z#OvsgRWNzdT%J$rgER{b8Y$zX?dfVbGS5o_=dGzAo2L;0fjSS66X}uGg++GtQ;>&2 zq%px_wl^V*kG8w}JeQ){h^8*twW;HSj(1!8tE7rgrlm|*DU&Ycb6t+#!fNdd#6CDy 
z$2~BaPuNTVh3VKmquD119qF_V%aBjm^;$mKq>inCR#O5M{Rc3omFA0hB;1s-3>oR3 zy50)CQTxZoqf$~oK<~fd;Jz8qzU}YQ*Bn~<)ROOaXMKE~w|Q~~tY-~sX)@+5iYf)2 zjvh_3mH{@1jmf=@v0|yZrm}6fOom@xa%027FHQ5oK`fOv>X3;yiW)p`6FEE$Zp!EgXn@xQBRz0E}`he!Z zXG98AbUWIb@Rnl8}-RknZkxE{x~id*Azc_89xe_l@zs{}>Ed>x!A@JkH}JxO@;O_P%1c zamo8IgAw~#!u~tjqw$e7qZfVm8tG7NHu=BI;jB-UPyTUh`!J0}9YxFzY##5mN^)At zV)`NNgF+E^T&mUcgHHGJ;B=N)1;qkT76&ftF(&d}0;Z}bKAB{`oSUfdR^h$s7Wyt$duK@3DDCre$g_U}yC^u_s>v^rX3X6#eomI4E zHe-PIEo13$nNulriY&9N*eSQ8Ja32<{1 z1NJi=vLi~qII8_-0VKm;D>;^DH~PP^sqhwBIm(C<^js-#>w`l3>8sBB`J*XM}j%%Z$7f*W0SNlPaW`F5^${jga@}l;WfKEOkkr#&*EmxsVD5zvUk6He$&9Z#o zH9P*rMSDvdaJkS_ePAY9_+YA|qf;j5ZKIT}dB>*lj53UjFL~~B2)dK*^_c#xNe@mL zL&pp(VwSJ1=C4%p0H5^Fi{`0 z_kKMs$1``5vKY2Ho-y;x5I~Wm+FQ0ep12Jh4)_!*G^!WY4+1_U2tuBTTvJPc@*#jt!YWxSuSQT}`qOQ)qbv)na7-9AYkkfe9R7oxb`E}}o=E7mYAQqJh{Iv3YSo}##K86{?6n6U%~oPsE3cUJ#Npb=X zFa0mO3k#4Rs0b*! z8T@b-885(9AL-whs#sVa&uk10$4HRyHT>z1PliV1ku^+!Gou+hEhblyTZQUCAM!8t z0C2LjH%klFr5+ClYqc zTkuL*4Bcm5=O-!~@32*HKd@+S<5C>UfF9s|1m~Zn=teW_<3c-Ny;Zv2 z)>eC8*cXivYib2`L;PUCy55$LpM)~0ak$~wG^gTS@Y^?T89s##kG=_N9OlJx9Cc2T zsJgqB;GO5|qys%QljU766{*NxK<)>~e!s$S+g0qh87+HY{xt`(u~=iURDi~3ZCP~_ z#9BDXiAHnRd{}RH*OKI6FfTk8>n2sZb`ME`V3s;V$5}otMZ!>}+0Zl3f!#0CLYH%y zI%QC9YVi+H_676Q%kUVc-rmgUj86FywVB>Q>5=E%yN35=F!qkuBg4zz$%}F#leg!* zV@y{Iv@gt-9*-%kn6P1#2wR^JA%`kr9evfwjL-y_cJez|=lT$tM&q9=+rY$fKJ(bB zdUN&RTJkDODJxRWz(G_@ZkCuXRgrLjJNw$>SK`$rM%`~VAzEc>Z1(0$5HShGV{SQS zWTAWkmQv;*jMc&ZGeZqrXo+QG3h#HOY8sHroO1C~%vd_-Jki;Fl>RzX0lTdEf1ztwvOC?lh;^ zo}xQxWzbvKX=wLnbBt}A6*#(xa|N0WF;!2fs4N!<4lb|y4JdvXBZQGXKm!|T@%q5t zk5_T>YqT3D|vS?MdciZ98&l_jp+Jm5Vu56k2o5OXF00 z_At%56v8STM!l8G+6_YP)1l6=s8~@2h!#Z!26tevgz@UI^!tyYA8x&f5y>;-H?G^NSd`By?rz=ADnECW+!Q{I%!!K zoxX~LK(sI)@PRnDA?zfX&@grE`6TQR1DpVWlMJb7n8X}hzu6Qtu=2yt zZU=fyN<@7PUcoA7bx+8~!aIzl=1wV45X-;yylkABn&sBRwth|!bUfd#3l!AdKtcWL ztBtPd@zgH`^$j-8h1`D#Z{B@c>k}mk?GNz?(@d@|+Fy{@tnow^d_q3Vs!6U^UkY6E 
zUct7neL@Bi6mp(7w_f1bEsWl&s;V{B(>E`qt&UHvvav&(cyPO5vw)2NJ)4-WEGgX`d|w?&(lH;}~>ea5VkfJzWOV(j@$?d)gi5p6*``DzeujD0M`0 zN|{9eANO?epm^S?1uovzjK0gU%WOiza7bty1n%NpDn{%cTUAzEfVtDBMxi&^VhaU% zn!Z^=cugv#1PA;kB(yoFH)%aX4WNM(BE6hFIT-aXUs#w{*?}~K5FK8CUjsh?%)i9U zZHWBWu(T~~>pr?H2mN^IPFTm5@r9sgk{h%8N*yCy7}H8wPhX$Pp1^(<)MBfOvPFFv z-|JgC)X0I#oiyn`o@sn9#+#+AYX&9Y9Hsf&Y#6Z|chUEA6wCS=B~&u^=*`!Wl`Os`+R2WBspn65qggs`2TaSRAkhB68C=i*`!?ZKwed8 znDg5E)Dp8x@?=FDw%<<}d&T;_?*O3JPPlR3zRhVB!cFBU1xZCyP-ms?G{2s|ox(?4 zu$szSsoyrYx088WXB(CMp*4z$4SB2PxzJSdl|Ukk_5i#f-NC$aBjr?%vPyTV=bf{D z8vmQ-Kv*>+V{9Xufk(_b<1(pefT}J>TECkisilX0n+p2HwI!zY5)(O075wC zYa|#%+`7Qy{BuJ2tA)?X!sh;IXbGVsHbzCyAU66Qck4<*X1SWb$!1FPcyMWOSm+ZE z2mW8owXy|KU?EAEp9)3`#{iDOT3B1$q{(*ooDOKfC2k075WTs;<+>UUs?hh#3Kf{U z#$6$VwI;LL`vN4jUTDlA<>H;G5zCkE&IBH4+g=d!v!IYjY+;5 zbkY@x}#ymr%jCJ$hu{b%=jxfoZW>Bw$U*$6Hg0yHB^Cxpr%{S-fHv*V+WZH`< zv5CmaEiTX1XYOh=5wHPhfi4oI{5U>V-^;4qUKB`3rp90gjb5X z^rgs2k)-ETdKRxv-*?NF-2Dg+Ow9IZt&~#-$9B{&H>&Ed!3RpTW4mdTHd}pf>8k@zUXwImOt&eD}ttJCgOBQEU zGBFObq3}uXvjnWScb^Qdl-kN81ZQBebTo4nH@#(9X{splH{r%tgZ1e6C(YDf= za-bMc>0=QSh9pk&%F)Q+mNAWE6Zcs)oe%BJ{a6WHQOdk$=}CYQL>_43LpQt`L_e>A zc;dNtFF}TDq5FdjpQmfbD&@7mJNv;clY*q?vZUYo=_Tv1?_O<#29Lu(&7?bSCle7h zoZ73y^wVDHL>@xNSd%mIkmS=NVO*m4T74XBtTc=l4;mB^$$0Hs=!H&p=NeFMhaawo z)!{NwNE9}VUG`~gyKM_6lrQH*Ga)%`1ti&&i&gmCScnurK0A1_km60%0o6i9OdCdn z(mzalV6vp^qLStB;#ipY#`2NP#5nY3W`>N|`e8mj*OEJlLMa9_#$TXn(07YqddM}N zlDj{r{hw!bJQ={Jnd?+(xz%6~w_nXK~n^LuQ56-Dr{B@dQPYu{i7by~h`F$bff#1i3 z+S#@S_?amj4jdkrCia#MMS`UrO&>OO#=!);c?iJz3l$|T08qVS{@U)x+`aN~cNX)` zEnw96rco~PF&uNVCmybF!tve8hO@278JBn>Z$QW1(wsszJOA)==skfNN}aYh9pkm+ zPFX%|!px4*C1{UBnzy_mddB27cM~7sNVpx{kWLvD6-!e`AuVj_aCw+8c$Oyf4l9-r z=}EYv-bayy&e*KW_wD*4$*&t&3g{oH1O)maW`Rg1U9K#9J`%)ovUy4a%UM{PO z#5?V^V#9}yVh({MxX0#cV#OFPTa`yxcSs>gHJTJfH(JaC^|o`GdC2TEQPIP71jDv4 zy$eZ;zOO<=p(MSsErqvg3YV?zOsgD+mG>ZX-BHYLFP`cyjo46p$Hum^*44R{9p?># z0ZAMtA{ioLb}ui~HIw*|0_eQ`w!iV&Jwph_9<9!8Vhu;RmBen;@_tjRJT8!T1j4{K 
zlGk?QVJ=7MFaI<*rzPsuu}d8f@K2xb-`mXn?Vr9^VI`6X{L}Fd+bdxHX;G42{%MQ$ ze%k|>f7q+*04! zP%3uIq3c+kp(OO%1e)N#hNJXxsZqiFZQoUUfR_o(nsj zesdN<^8??+2$U^iVg6};%;Y$M@|!ZNCb{8=)kLO?$)N(ME>tgqQagNXh|7Dy9yUGV zaUn9`s@0h}`aZTam^zB?ev9g!b2|g7&85K1N2$~-?AS<(6w73!p;T#~sgy6aI*Zf5 z{6U45qk!K~SSi+8UCKi+g?s|wXTBSJBbNcb<{5ga6GO77=p%wbyR|oPiHxlWvEzsy zHlGyIHP3e$9gk!o^gju;W9KA5KH5qfXuS^tBb3wUbMA)nrRbhBu9(=`$?IQ`r&lSW zJW7{fqu_gBkcl<>553;U_AsVZN|9qFk&Fi-7xpCULoIfRn~4&V2eqkGC_b4+FzJ%B zX;5s{S#8?mWIWTv#s?UeFR|tiL&XwWtYrCgte6e!@LbVz`}3aU^OqMbwUC{=ovQec zAVZ58uUKTb0s=4lE|=AF7~uurALv4FXv$yl)INf$1y}*ceE76A7bl5IwZ3_X`})ZP zhMthyX#OCBXIp`eqBdtJ%)n;4bwi-mR=O9(A7zid`_j*KujS|hW1C6#2J(Bk;76|T zbLMfj(vB@4Tx~;X(;3n6&E|$v-Oi~P1mfK$6T{7?b&^o;ET%(xJrpdnjH&ASItO zsA6&)1%-#5^sB;37iqNemNz|21ZNB`i+0E-+4GtP)E=9X)TrrIH? zgWXFJ4@-WsDKDQYB)i}KX-$X3fAvor$!F5#vM&taX49QYmmRwE3aA-VbRh%67)&F| zIqxRElesr=P0BJWG!Wy2oH1mDDCp%3bWnDc6zbBZF?uMD(e>A+k;N=^3i<_Jkt$;m$LIXY*>lOsg|`$ElvE}7Ms-H*fIXC|#fm40W*`Q$*#+Cvb-{y!cIP$EZJ1E;cH zOC+023)Ei~_ieV1lsp5-knV|$^RYKCJlB3D<{B2+Eb0E-D+ViVQ|`)??ktBwip5nE z_0C8$gSwi0-<2`WGl2}-FSF(YWE|gO;+v-)xCMa;0=GLegTAysN?2C(5umb%Wm>L8 zMUWS#hQmcJI$ly!d?;eoHnx7|9hqcrsn{>K)MmQakzzC>R!#S$>-izyxP+V+UFL&s zECOoFi#D?m|&<=IAwsFD2Mhr-5ul4oG28&#|BG%NAs zaDvx36ClN+)o-WDmqriY!SvOF|C@l?47QU^zZOs*cBNb;)qY+FtJrAPvvcBDI1Q{4 zXCc7#@K{^2gPFz~ti3mEo{!)A>wLWoD<}5`1~rQ{B5G7-d^2!@8LXpe;bD6PN%&0~`FS1`&G2?{Y4_)V?60wiVck{QX_1X=&v_Z77!~Ff|wtAF-~3 zv&z-l`CDhTZBC%$Mz@<%cy$y$X#+IKN-glJ?e!1$x8(u@!}!kEdBKYi124kLlx^(K z!s!zCT@xF_u3%H%J62?rPg+gL+uQrnSF^G}v@Hq~M&F#r08FhEp3K=X?{*U8+Gahw zWAYVT=_IUB0G~l~H0*w1;Mlg1FVg$>!QtU)Kvb*?@oAogcb1Vsm6Duu0*i{_Hkcfn z=Mv_#7BAi}uN?X!7ET6I*H^#{f?i@*CM} zssUe@zt;JMM1!JUOw8cD`0g|1tKx<>V zEdrwp4O(AmV*m|J7@MC9q35?Ympu7JQpp3%m+io~&hHmW=j#9x2x9x1n5H4OzVLD0 zeQpw!K!|!{2iY#z6U*YL0Txr@sipXlhl5Rp-Fx^|W>MP+eMeZ6gvwxJrY*wv$iXon zG6ePTGqG(ue>RQMw)XW1^fVpZisGxCm0vFg|Kw5F@_-=-gL`3}?bp{GB9Mtcp%Mgn0K{E*@=c$AN!%w~7{~d451y8C zplLFPp-ldYSlZgc1_<%TPi!k7evKGoo~Q`JOk$WatUP?V1|F_|utQ%(5FCF_Ly!Wz 
za@SqfM-U#H4ub!M_j;BWL?}J}3-fl7v-$t{N&n>^Z5GFl{AK}ucOCEr|K+Ft|K}$O z)4_$`qW#dBBveP+M6Z?GlzK%PzM zeqqNG3sruH2XzI8UU`l*&_aFvkRMzV=9AXSO93Iat*p6L+!6U;y^)*%dk)L6q@msc zSrZG1g1(sb)o7ZTT9NAl#bHuCPbO7==bSOdd)!3N+wQsvI#Qi|@}_jFK= z_SWuVuOC9=`S!pb6&01;c|T6<_K0C3&q)k3#+}K9Cg2<7+L#>HLx@Jx0-6TPO&C(k z8r&Cx2ll2gkf^Ee`T;imet_loRJdPGe9bv~O~7l+4>+RFsX#Oh*q2y#$5SyTK|#Ue zlOWy>qPzZIXH5GC2Hxv{xCDZwYU(N@tAY3!7QiGAAOi#a{g{ncr#F=gH2rkEG<=># zF;Gxf;XHC)d6QIoXew}8W`I;?I(q8@2^|W6=Ydl9tV4vZAad`+Rx%-}xc*ZziyUE5 zsGFmCHmjY!T&Bslr}m zmftXdce`}%j=>NKEM1e#*J+*D=jnIUO_Up#~p+1ZYlC{*{rJ7{eMT7ZK!Aq0KHY%q7l_tQ zyrCWR;hb;bzw?}f43Q6qlg-*Rh>c>udKbYSpuptAjxO6cvN`E-zw>bTJyf$oRm8~v)(9HgT z@=ocJ*VVhuv<G|%dpqRz6QXXe>cH#(SNGJ82c zq0X8E`vAg7_nuOlB?ATvvZ6Xcw7k%tnG28D-nhmi{T7ReddUYv%$ z-J>#=0=u+a6hk?V^q?FyH}-ky=|bY{qo9TE$VMU|#7gU#&rQwHh}9@oNww>Q2>p2;$HFDH*0uZTVK1RfR98f$?w-T4gWcb*j)-WRxtn54cBR~4)2w7!Y@ z$(23T^VlBDl*A0#Vp$vlqM1B}=IkEj6TN9?b7URvsaj{5Nj}E(zeuE~X(%p?cg0C~ zTyEc!2=`mxI+*O=EB3w;d9E-|M+xzG3QTy7T!K(UOks#9Lb=mSl`GC-lxL%$KzXrh zxm!LSQCGv8vqN&>m}`-AYCQA)_Yi~~UhT3fOD14^>^FHCs_l?R40pNWJa%k5+XrPbrh}*S3t1M&9RtUYYyfq%957RA@l7$s~bEk`9h3L+S1`I&vO}3ReRN7h{ zzBPK2*Sk51^^uJ4bS@>4n;%XmX_SrMXH?E_=EUXivg|0#?0Y(4E0jJ^ls?f>t2Y!a z$$@GynpF_sTfX{GUeAo91L^eh3k@?4)WwJk9Go|F1(M^;|l>Aso-vQX|I*l)EHSi7SK)Tr38iz zj??Yiw-w^9KJr}$~YzNk0Lmvi`tz;YD|H{NSA&N(eF;a0fACcwYc|+lx ztVy3E-O`iD%h9k*@`e;RYX`R)0lAmif4*5P`W!CVj5dj1gsWj|f6*jM>FB2`I*wB@kQ++kNf5d9dZIdh&P*>ucGf^lCxu3TU+1Wm|n}a ziss4~HbF*rUZ1)cK+;Ek#^=3rKj*7;>V_8mnME8+am3A=D7k8}o!lqfV94H*o^)$iN;88k9I_O3Gw3t*zX5}Qp+kq&j6ZO;T8iLFmEWKJ$BX9_dT^~e}`K#r& z1Kvxft(j)rNi7{b$)dGD4f%!$)HaXSnfQ;Ot_TCitB6 zPTFB~6wOGti2Mlvb&LlRs%XwhO|P zEwvW2YGjFfZ&qVit+n^##kP7k-m0$8*GMm$3H~cm+`ESx-);sBm(0*ceKJO^a9`81>hGvyK=W{LN?Y;bwN3vxpYy*U`3jybz5zPuH42HLiS1JN0^dWV{?P>xTIA7hiS_ zksrPwui9Jc51R2h)z%11@}SM^yXw3iAfLbn$Sz8%-eJm{%<7d==IQ?C_RGONb2fLAq zo5i4IelO&SiK1PzKTI60T5Rn1%qVrlJhV^-#58^o2I=6$`!B#&yER=OBqA0x-!uO5 zc(&eIRw2MBf3hK;^mwO?tD9I0EMzVl6l*>>9S4)>%IB{#E`K>eW%h}r7@4BsV89u% 
zl;HhDEgX>JHypG)Gn^N1W?p(BQAo!ugEtxfFvpAwTm2c}k;hcJyn=Jk;*@xbylt2? z^8}B97_Q`#`<#uCL4x^E>G z6{Iwrn7X%~yAyRu4ze52%aM9~0f}%{SFJ~U9uZ$;uNNv%p~$9vc~v|nY5 zE^7Ggk9U1KIZbTh8v!*s3MadJG6Q9j_s|G9pKlnr6ARP^QPI*Ol6#+~A0DS|IrqyO zn@=00hb=%L=KzQ;tkZmap;aMi5u+)C0$!@pp;#W7$-*?RrF zCyH;X=MY+GuP%I(TD`lV<9()e=8Syj1)aet%!M7FKK0i8ovGWVI z8tvg=&=y4a(&IK}V_MQv{*$%r`+e*m++R3$HF!MCQF>glK5o0v@c{SLi`M()WfKl@ z7Nz{j@+pgA3*{DH-``iD-GF{?Yh=w{tl=mJI_TP8I_Pxy$Kn7r#$(pb5Y(0SHf4QXo&e zUK$}#p&WAw_^g}oQyj&)aC@df@yIo9Yx%R6uCoE~C*=SuhCpt$Y}H-RzBQ-qqb=|8 zD4Vc(F75mSmX1Cv34vsF#BkUP4~HP=3|wlzV@9VI=hWKOW-d)m$RhlTU1tRgNJxY} zu6iUcRUk35m7Lx)T-W~06-;C0=E`3W)z?YBplgiG*x3u*=X@@>%1$hIX{}k}Q0)}q zxhp_)vYOho2bKP}qg|BL5y$UJ;r);w06Mw^%k=)MH~OawQ9B={Ge<{G8BU<<>Hy zJrOexdFpm~dS?yDxbl?l^#X6QLsvAqpgHDn)#O}Ni9R7!fp&mKMPA4F_iGCI&BVPC zMq0cAGuxsnyH3=11GX)OiKK)X02W!D(fUGQjF@}#28=;=P$fWEe+JHGyr7+bE41GK zCA2mkJ|VooQf5Ijs0eG`d|3-l0GnpbeQG25Xu0BpmAvy?zF%peVUlBdC>#*KoqnW_ zivI25o1U$t=j>N%37oro%z+ISXD#3QNuRJ9#6!5=j_Cq2r4U1~WPcYZpzT)KK8f8t zrKIFSBtyg}7+!xy=k0x$n1f73xj=Zh1!4OkQOep|sJN1MlZwv#SP|t@9xpVtk-0!K zboSaTu`AF-PrK$W?iT65`ba1Yu6u>VQQFk${D&;`^9pR0D>v<~q;4qVr*U zms@V8r6@Q!IPamnNSjmjej3P?Y?&)0JbV{?rM5%WFJe92xa?1sM03ycWjiXdrqDO5 z?l|6L>?>>f9L$hb)9}<}hkjNH_ zr5$a&HrmIBo8dUnpxII1o40M9#b}X{luQXSE%i|wg89A{HZM**G<0$fa;`_T%~dC5 zQ7g&vd4Pv0eg1mewRFyHi)`u*Zcx8O3WY~=VaIS4a$>zF*2|qM+q0k(+Zq?Rf|5kl ziz-RNksK&*B&+^awg2{vm&iv32{Pxtc-&;GiRNoB#+q-ZetZTp;$o$_s4)^gvS0#%M2>eAO?{YT*8rg1tR4%c> zo5tZ9RvcHk+n@phL%+xn67?Of{m1n%r2C;6g zF;%Uie5HbP?+d|ez&GBr$*7C1cBkEZGSjxR);{=A74-ue!)vm}BcJB>8-+dE6Y@)C z>sD2E3kssp)vJI=GeTs1+#9E5-uRO<=17J9E>?%h33H8cQJCMqV`Y085*B&)PHdYU z(XvR#`A>oj>8$97joT}r>h$)F&Aue`8ToW9fdiP3SH{t&bCOdjp>|iZBIotXnABA@RQ(AXbKh5d8O0Er z+b2=gGM+<=A%0Al=-gI%rm@lZXj>2;zw2dH>YoVuU!{oeE7i$aD6zgREx;21SBN2Os7QUvx`CNid8dG^z*M0O{h2Y#YwM7j=6g+I z8Xpr!`iFQwJ`J?#ZpDd||jmIjMw~9~gr``4K&tBiYtu-ZYE^J3nWTk(zcWHI*jXN#SU- zd0)ZKaZWVx?1I~+s>-xGgrm|Er?SH4vFy10cCHrEnc&&2zNf=v+%B$Z%Vlvq*{?*8 zLh#=^f3D=ofN%Amm$=eOzP{EW(SfgTTu7eO*yvTQB+$G0|w3rD@-mV)E&SQP{} 
z_7^F0gJ%0XgdTkQjFnjJggE3RJ!E|Mne76=Y~a|&q^u>-K8ryOB$$Bq*%IhN{sZl^H%$8sFl9pPY9D+0 zbq#`-GCe^1OpuZVw9gil`XTu0sUi@>W79#2?Y{L;wQ^&<nl}c1RVL7o5Rrcynr$pDoqyt-w*DHwITE&^obS+UH(-uA%?YK95>-XE6iXNkvEc zno=GwxwltzXCguezdY}FFfMR2U;UmO&^}ARw9i_^ano){&WbMhkZ3xIWFe%KXG*hj zvj`+|-64BQdBKScoKq0^mK){6YF+GE0|SK`GR&Mk>+_+nW_p_5PYd{RWR?vKWJQa% z=d!VD_ZshCX5GVvXP;Vw!6_TI8g$jcv09h|netqXKQa`%3G z-2PN}r@@_0I{U_;5-Hw%fpk<~8oUUdV`}GnGOhQOq6iC$bPu)^OYv?hR>uKexew5b z&&3Y-ym6@;c=q@-k5?q7bjsxe0#_ByaEU;Hum}2+%B|V&1`EwzTAs~n9cL}Mb?qAJ z=onrcD`;Mr32FkVZiCIz_pwws2F?$Qon4ReyCW+%0G;(8HAf5oz+j}BnB}l3!Rq4E zb#qM@Te##WGIh&mR5^=Tfs&K7dV43m+dbc3t2r9$_3BuZ)nk;JbcPL-KnN<$NHAsu z-@=ch&R*zmSuFbJqeCIJL1ZZC0vztzlf*$gD3j|Jeh*)5fNQ`SYRQ_*{jvz z0Gou0U>;`-q*{;H9zgrtcddQK^99;x#b4TIbo5CoVP?$!sgE@54=vyB;Y74H|7HPZ zo(Hxsc5f>nL0q^j{Ufz%K?)Wv6Q>>fW|ClN!fNZ{bA}K5o=XBeNXDN#-}P-PBV{j~ zNsB@+|Cs^*U$ywBV9)py1pf^z>xBhoCFZifs`DF$BS)^XU4q9W)$oTA%TmDt=K=#% z&ZwMSGq;hhc!PJ&+S42%qghFfT>P2>wgS74l#|rbNyAED#In;5ZnQ!U%>*-^t!@5T zQNUPv`$wZaPL-fQv?d9bS|vA8G2zMe6Owng0xUQv(Z~=buQ6rNAO1RALR^=^BfflC zTG;8}Ky1A?;r2`^>XO$b@@s~k?vKWBHMtk4o-=1y$*Z%G{vGt<*+b#bk++SBHs$SM z&eNjP5j5|mdex^+fO=>LENukb=q~ycl7iR2d?Gww8}`c$$0SP>3P*j}&_-I$sV=SJ z)E|lOwc5JyyzLF;11`KfIp?M3#s=pHYaJhrNq;;D2$V3C5koa5+8k>e82GM&ftu=b z0h6WKSpNH2ykV*rBqw}|Lbfxv;di|8tmlHDwY^o$c)XKFB$-JidSIZf7h$J($Hn#x z?mJnl*)IpQ-JspSI-sLFUoeVcXuWs)xFv4U7&8=Ug!nNrHF3h?Y@i5$cgWLS?}`u6&D+c(w4%uCAw3`RTAL=+vZ zVS6KQ?t2SGcX@|fWiEIlYb27LHG1XWDh4HWY}JiK%s)MFsmfXNMPW4R7p?v(#T)`o zl~(K0$Z9j;#i~_U)LtMhv^Iy5Fr$X1o1xhWq z1Qph(dm^{lD3uWm81^GSJQEc|-ZP{HcgffoGb@`sZ)p34EOLgX^=WK|G1D{Ej90?d z3wF%nib%PpMv}Z&2`}gmVp}Braz)&G9CXafoZe3Bfy^pJ%7>5RJPU5U!u}%ZLJ!gV z2bB5yaJawc4*N@m(}eX825D|#k652DN?bDOrA*=6Gon39T2G^IjP#KUY@*OxyGmw7 z|FHBV_mN@B<7!Q62c@}m{|~#dQ)?eDnH)P*KP{q+mj^-g)Ms5V5lF;gtLK}5kbsq_ z1{H(+{-I)!11{M1|I8BjikR_oj!$9>B!eq6rSz3gn(R>49)Yz@Kg6hzUKbZ^ZItyq zGDJbV6({l_8IZqj(M+#@VTZ6d#R;k@L{9|?1HBz=c=Kd8PcUT>Ek!z#Jpt1>TUFe7 zcL4CJ5bZDK5nglOSugks6JuDwM%Gc!nC34p;t?_k9cAY(B6%$jYv!tyTJ*5&aiDj{ 
zl)HI`$?A4YUjWEiFLhi3F7hRX?lMnl-V%SHG zsW&E<3)Hr+gOyM;<6d6dwrl4t(L*4V?ohb}Hq^?nhs25j+fc(QunrR@{?!8cDHkl= za7FW9&Pvp9aVDY6a5%wa((6(yin*Tn#3ff0Vq#}x`iEigcrZa~Fsl+bh+N{vEXn|# zZZ)OU|8Qn^i%3B$>kfLf=}Ye3z6tWJqwibs-Hh^8$F`rv`VSq@N`NW^`;C}q>AAoG zO=b_|(PHkTnn0EO)A!eE!t@F<$04e=W(ITkcG~}WB7o8s0h>^JN|@=m!S1Z5kCQ~B z<`XlTT%d*6GUOh3QBzsP&36Z6V9#R|Mw*P8>jQX>=O;D?vk{Qvho2p7QgE^0A@3j) zR*+lr0B5x=7Y}r#4R>0wfvt+*OT8Po$3UKI&-4a2xJQQfo0mY-ygZi%sCGNuaXJ)L zfJQ>1C{iE?9BwvErYiECkW~e5bN#H-nFOCpO<}QDbcz6)ENeE-@0Wic{D2v z#532|?`wwy!um8JnP)tc1_;-jby>TwQOa-goJXKOXsS0O9;UPm48+GX{j^c8D^Z*u zGPjCLOj;a`v7#)~>N>piOYs)28KncY6@Z-k!>r#tCfF%U-IY>tcW34YUX=e(0S&Cp z0e@9M|6o!ZDi^#CX@}sy`1xUDDc}h>+K#iLsEU9mfQywcH0+eZ1Bpin|IbvN+) zf!F1ZSLL)=BH$eEndVafFEU<|X#rC}Z^}Q?x>i7k3K;?gbTQRW1@!U`4v3#QIgGKP z@c*X@=qUVBLNcJoL+y-W=yjPvj~|VAUQH4hc%NA9 zfDkmMuFjV0#?&MYSfq)SrV@?*#{iv%cC1&*?nhFwRi$4^_Vy!e-;eq{71}&b-q+$X zeN=1`Rriuq4E0A)Q1gx^6Je&tgJJ^b9h>#TXEXIY%x3pscy{uCq=4q*eBObN(Enw# zLz~9)S^>RC8gs{v0wwTj&m+%u@#9unU;-+@v`gADCM^?`wdw;82JLuee^`}T8A1W@ zz62}MCFK22k+bW{gt2z*Va$~RzWW&HN&Gl=bhAXSx{xS~R4LxZy{!n+UBv4|gC?}w ze4m)M*shKsl(q}+r`>maCfvLhBggTQqU-GJUemJqqVkxE9Xr%^Yh!ZEcAhp2!4P`W zq;H_C@Q$$!y{-W4k(NHs1_u56$Z98cpsE`?eaO!eH?=_9Y8nIWk`|zYT|>FGD>cOf z6Eyw#5gEmvm#f)cBQ#x5GxKjmUrX;Xu6%+rD0%TG;s+KNx{%+Z{Oo8m#G@pq*C+^@2qjC!(HGB z6&2RSBhYlo5`V;AYWnm0ugmGp{>}F@QZ&!iyE|jy{+Vg5s~o z$H(k!!^9~E*QB^`4JZTr-1++_6!5fvvWS0;r2LtVJi+8JY{UPz3$_36kN!+jKL5Xa zPWdAad#AWb7KV<0S&;nsu}Sb2e5qk+c$lG&_TTu2|Df6^vcfW;len3eviya8{_Bs1 zH(=dQ_uZKIUw;d0x4)JO%lE-BC1W-Evuwfd-~RanUo=qcf$b(5cEZ!2-RLhXjGsUL zzf?k9WCUlzN=JZ7O(pn%tXS?r#gt-hS?>t+wqGRN0~25W+k1~sAHgmDOnA{Z$d|9I z$NRpx`bHcde?6R=f`3rkz0(WUsXJ7`ILI;TQv46O8%4};22^z@wW+dypzey11_#p@ z!%6g-k35imX1FIhtNuG5HAwevNef$mkRrc$i&n*Y1^t6~(TmZdYG&C|9LG^2m{%ZlGb_>Ds z1qDSD`Ni3O3nQzFNZy3Q*^v;Q-nmNT9r8l1@5(AW`j3leW5~%Y4ih$J+Ci~xt9(97 zOxXOxX+3;H$7A9SdP0TA(=_oN{pD|^d~a}>-{yWTm|M%{C^Fso@@a{OkMCa9&=TN# z3G3?WVEh9b8Bt&Yw@sYVi|n2c(+1?sF8jfHrW2p;fO7PqEL!gT%3BiT4dDYUN!ydJ 
zga(|ObQk(lFc|^ec};KI?vL5MB@w`Azv6EO`v*%YkQVyljH^7KYh^5+Ml1&8|0VFj z{Lfep+GXJE^56NN!PH2=?m=CGh@jV6)O@^HIrBgSA;`Ymbo#D9jg!dJN^Q)CXB~qE zRo+((%#Hyt`7^x_(MYa-%a|M>e7iszbYr8CGSkIPshIqxb8_#`j7kh?CP%Uk=j&3I zlMM=yYv*kyE*s@|%j2~|El}u#R2`cQ)Vn7U3zA<;Kg4};Ur$?nW;&KCBCsKq$WS;c z?ywJ~qdmV|3#V8A#D;g?unidiH;b$;yu7}COGrql%)S1hHq$ZuDz|wUpYzskln6*_ z1Zl024KFM+1s+uzuE-ud4ycX`>?Hw$R6~MCtlD7p{m)J~dR<0%)+m;Mlpp;f8>gY5 z7_+bm3NT%4`gX0t!0in@BD6TkJ)oSPd{#OR?9V>%;mB1vo=vCwt6`)0>a#s@rEEl@ z04yhWKE6>{X&q35o?x!?q2r;)GQ~!B1g6mC-2xVtv1+S(ff(cgLc@8u)%HI+d>wOR z=73ub3fzcfxd7ZxSrj;wgy{7p^2(|vrB0+d3+2IVm-nk*F137|@oqlZ!?!&@P66Mu z<$QdL&uR0Sn|0Xwc(GTny~EZBen&_C$YNNzUh@Jur zUndOglZpll>VFl1?k;tQyqlHIQZ44^7ZBKik=H*eUvB5dQ<~HOL)+_q!IRqvI`lqk zKsL2`BxEXt=m*!1vGI7T;pVpVStW(hh35+P=^^=BhA76lP$#QdV+Ux?h{b^SzyOTZ z)^YuR*n7*MxVEkDHz6cgaBm16T!RxN1czWDxJ!UWf(5rglE$TRcLD@=_h7+0xVyVI z`Yy8NIp?|iymda@Pq*%_E~+cFd#$~z80>CX_xUlejpZl z_Q;c28~b6-soq!zO`U>-&P0z-d8d{SpqX)inCF20g~(GhlG8Vj#^Jq#%60Ehbn2a+ zu{FNa3JF6}E6@nxSf&M%MFl3Yr|!AL!tZ+)a!(@m!-%p42`O+ zH0{oIYJpNLP6F9fHJ~IM%dEQ>$A)?~#q;=``9$uZ_g!;44@taNp_cHQn{#tku6O&| z4R6_oTsL3*$xr}mbHTm3z*ZJBI|~A<1y46XHQKFgD8ES%#J6MgcPpRWcDX8anhLIE zVjRlX$)jpYShf6+I%U7x}#||bHM)bVIgdxzQpuabr?Mn5^dkmR>lk&;_eXl|K z)U?HqT#hMN@nre8O!vVijl8z@K>VM^W5G5R3zqGW{_aG&>MASi)vd}uvF*z3@k(O% z^?_t5K>a=aULJa+0{^zw0}cS6jfHQw?nPJgS9=$VG^)KmpFMOLaOND!nSWKFQ@Iu( zAEn9P5rnTIw?8N628ctG&3qovtuq`=sGO*AdaiKmh^krs1YG{%R=`pA)O88hY*rdj zL-GO`AAl4hEYndyfK77d7y<@OB*^@M zZdA^)HN;=SfVJtBk_*%{pS3zq9z|=J(;G9LdtXYJv6w$qDgPRX$NGh!aGDbMFMDxe z88DJ$v~KsI%=ASgZZVsi&VCtfHssb`i-4o*twvo_HFbJ@f=Jq6iGWx}bMNA~BJ#EV z&Qv-DgYFXSu)OSdYrtWLq$R*Zeg(upHD9w#OT5d|l1n^g8E<kEtJUOwGrtVHwok--K_w3;kfZbCr#(wbypzXSYgO?il2;9K%uT42Stbs9` zPbIZaRORe@)!p#1q0p&)llfe95?(`CR9+m1HR^|aVn!UD_#%NyOQVJ<-h8XCv5~?< ze`rPv8&%wEM)x2MI0C0UmR5>Wr`Dd;J7rG*ps!6HkJm6iO`ZqJ0p=>7@*xcDWmOg~jm` zh5YBA!t{V08=MwU}|3CE4MY+H~D-_$&^7y;)#_Oh4h)&`Dvyh(+# z%$ZM1PRDK!EmF%!^dhZ>BvzS|p8@L8$Kz8=D?QB>>)p4yFRKdt0F=AdvidJ+S{EO> 
zuaJCoX0_hX*aZ^Di-1i={UYY3R8F+f(W__=QA&MQd?wYs^xHwWlK`vUwf5B?Fn9Cy zPGk-+`@v7r7`S#WH0gFG>K>-gx>@Xd!;jX6F|s4D?0{27VP7GNpbD=?eu9owt`Kr_ zCkkU!Ks^y4xrxhn)yz)=4Vn5N5L^&{QPA^>|D*tIGO2pw=BV_#KcY8ZSQ?*64N+9H zY#}o=)ws86SEJl0fXCAIC+{z^{64&ecvDypu2%CHj;@$M<`ENjM9SSUro*UJRU^^M zTPCaN3Wcv9^!x+h&Q*RoWs?nk5tgv)N;-&H4-?NQ!{RI;zaBvbddc_{(9XVSP>Ic{ z()=KuHwbWR^O4>ZF=-W+((H`y;CE*Oj~aT)(ApIfd1foJ-*-R3Ht7vdFXJu4x3lSx zPv2?8)}+et%|%{9#225WClQS=Gr99GbJniAa}a*RGW5V27RKeOSETnkV*lCs6?R|p zaf%8_U5YF|Q&vb}!Io_6gXqA`$m?k;bX8#s)(nHt;0i~^z78ny9^4n(ygtw_U_ z5ZU&h&Z-Ts#kYpH;Kxl;(@12UxKz*3dJZ>pQaoGtLTvYixSwz3fCBNEeBVBo%McG( z>a;VNMT>^Gnbf^r-2zK>Rc1yvGxLNRE2eV%IwT1e3I|>}YYs>XgS^iBSJ}X{3bNXX zEU=PGA;(}gHm+0ATG`Pe>6htHh_}@|#tm$Ji|71_XA|XD)ek3R?vAOzI|%fBH=40g zaNg%iebT-%W5nqK9OZ>Ew4n8Df~=U-gCi{*iibG1I1gpT=zL6g zL$QaX+u4K@pRmCz&3j$|{O2Iwi+u7qE0|JP^DV`^z&AqkDrIYg{ZZaJP?t+3F-+-b zV-uTOTaFF=)PGMAjlgJaU0;{eRmk4zrGTl;`znr9mrGZxi{0~z*v6NJNt8``VSzk= z>T2R~e}SfmxW(h4lZ`j-lbR#u6tUqJf{ICLeDk_t4`p?teq3lj9ie|EZDx8d1 zcXqk3<45pX@^BLDtNihD{g6Q<;V|1H)xdv)W0G=RWr_Lh=5Lh1R^=x|8Y zc2|g(O6b$E7D4{N201E}y9;9^NeuE}RVs07nC*9QukT!MyzyLb67X^GFNIC}uG>mU zg4H8|F>^s6mJ#b0$z{OglK)x=R%pNVbSG9`t4e~Lg19+hIui-dUkCZcAq}R{_%13rK$&d@RjHmNnW)Y;NdMW8#4Ru(71CCjwHbr`c-=TG%LlAW! 
zpQPKrc_!5Lee6r=Zo@{~m1{Rm>Ft1e`bXSJ>91eS-z^Kk2#cRTydR)$frql~1?9`p z3N%CC9ObC}bRDq`-F~PgO4@JOEfMOu$x|(;k+|kHG&Y7H3u|u=7ot&7Qw?dOrfnRq z^ht{erC3G(Oxk2Zo~H{qQ{_3^nI%6wJRH|emj_wgicKRahHU)8%+&Yd>^SR!UZHAdNvvlROx4qs)t^4^lSNyTnC1%g=R7FhYlu&T49DayOP6HCYKWH?g zKSt$kzTLO5iPDEk;0x(4q}3YzaxT^|=>eI-wgOL!lV!Qi!xd9-nJQX~dDc1_TVvpJ zv^C;dRPUG>mhZs1H=WED=dh1N&$W?R@+@Ae8`34vbYNLFOh!o#rgz6YE)Uu=<3 zPXa2lW5}(?gscW}?-UiV_`kR9>tO?$*j2!7W0?w(6#rIBsw(R{U1>rSFoj1L?dQfgpu{ZRoZOINdzKOR4%Yvi4z&&a?j zb1kQ}-??xICgK(VObjoBKyKK)o$}EYF&vlN^?H-U`f)1VL!5&L_tQ+ivczDHl-lB2 zMaI}REK6XBac{8sBJl7wlSPYaV7k&eWG;Ge*X1u3!1D>wXi(*Xs)q+cipQGkGCY5N z|HHSz?Zz(C3jEFNbm8J9#k*N;X6R|-ZQ*qilxyUCT({ndMECOI^3^f7MQar1H;<@A zLP0WH65D_x*-x+`U~FL%s?Pn{>-f(l(1^hsFzp{b&<7|k$betOoZLt%=^Kck`!42p zhK&03#dmUVR(L|i1w>YyB__Qv{yHp{tbcUnQ0n#;h?kD?pjg68U6GX{LbPW;<=8+G zM?kI!@gQZ2*p^g=xD{Hz>F*sc@e;zLw@t*Ze4%4+a>EcEVBJ5LbP6Xa1bpHaR3O?` z>+#9Z9R^94BO!~P+bqlIMz1K9?tWuV44zLws}U)32q*avPR(Wh=11~93 z=3}Jsz67VYzCEV3s2pTfF3xPRhD&@)iNO3R_gq9h&9-?q_sELr%TWyS;(CfJs+X4< zwc_Lf?|d7On%cMR_VPzOKr!LGpOqMSuDX>Qs+(_}iSAf8+*cHjS92Gd<>!Gjs^@*FulKZ9VnKfD<9`MXicjd%p^mvH(a>aWZ^k3(h!~Whk zj)?PKBICIx#hWw}(k<`r*Rz>vht-KCXwa^l7~Gqpst?ycf~}VUopUfm9aw9_Kb4~> zfdmriua1cjhy!HJ*z|xk=2j%6vp!lr+YktQvNmM8tl}Z^pgGI6 zcKY$z7ub+1^CT|H{rw-H#3{VWGHjnqVd{zrjl!k4LMUq0<2i2$ouNL5DsX+0`xo+>Ro+}ILFX03ai9>v|;$$dffcEF@AMFGF zCf#5DvtDQ~hlq^`7uy7>Dpfv3AKO#A0J{lCH^Mctq@d-1u0`uZNNgj&nZPTt$XKmO!YysMV4kTzXfDqQ7Q zx5A5Nq4XIC8`tF6Oz@(cqjj-XCrk=%O0v6P($KUo;uoeqpEDimm)xL`MclcLCSEBj z*L9~ay{VpM^qlqA*J#=4D!hKlz;q9PH3kf=X$VO%)$dgoSa|>VC?QaxZ=c&UXR!8x zAW&5)qrUGP8r}v%%w7Z<9xMmvM_peCa7zvbzs6lP*CHdMv|LrrcWtO=2$*cyxSJubOWX72(Nm&6NbmY zPH1ol?S35)`V>=2lYz?lW2?sxPhOIAwQZIVzBkc_4vHR_(|(u|f#RUG$PDKu&1gt7 za}L+XivdFwWta1rk-!L>ZvPu!Kij5{zd=a$YqW232RYrc zg3)a&T*J{Snv%?2b?fV_nNy~Y3;&lZKjUAA^0~StPE#KB%zM5;V?hUJJyUj5`jR(B z`k=8Jo1}sVN32>;(>;+4V*P7=*^}~DHXauL(~T>o^)>kEV|m7X~6rmW0e~A z!fVf2q~*-;^Rrk;ulie%=_+KA`*(MmAVfhFp8VYVH`{K>1YAs1;(z 
zOZ}ziBYM<ea?lZgFtyi)5D$=H@567!6n%3SKo9yPaOI{wX{cIm1zbtj#2!>bY8Jf`c~Sn$T!BSIQf+q)kq;Rh0U z?n0<)Jy4e#eKzX19O9vZNL*II&BC`>InKMU$u^IxVhT%()p-%=o>T6ZKx=>_?zfk> zFS9N#GrElxTcoH^!!U@ygfCF6xZ0prVXA^J{EVRxCN*V{z{m9iqu(wN1F+L|TNAeX zUjF;D5RWJh8r#(DTCAk&e7=OS{Y(+vv9#N zC4>zW+E2$z{X(AxL;&{hs3%yq>eCExDyJCY#ZuW%4WyLwGZ@SkBKkN_@uRaN#r$#-d^)4qa=f&hM6Z9M1d)U&+)@ZkOHe(xz zyKVn1^AJg1=W$G$K~($^wo?%ONo;OMhKfinGkUd+!y7=NK_0v@l-wR911w!F{D}1E z$?ed_Kh~f>|9&#Vv5nw*Bcs4Ug^Fv06Hb)q@7wxVIbWKkB7X=&g#3b-^L*foej53= zkrZEOucXoTWFd0jGvppG|DWm6%7PVqM}8|(r8*tKTfJh0=p6$S$wXQ<^k>iJ{d%@( zNwB|;88A)ZefVr|xH{zEHCWMAR_8h%4LP5U9Q_co-LPNydB`laJ)ui{t0$FO95iJa zz`!6Kp209y&q$s2N>t-CM}tELPxL~nn2g@-e3pKwo_tIYPUOp~`yzwDbG6%EJZw(m ze4@QO^(Aj0SfTCK6RX~V?&!${i4nU3)zf8~j8cPjdc=9%M?Ln1Y7$kWiDwwdEh!9< z&>B5RdOTg?J(O>kgS;B9;x1&dkY(&d2)u9rU#Qthw5_Glm#Kae{s#vF%$Jvem-~ z%x~x1G15i& z{#y`$cPnM3lPMA~#E-tF&mVvLUrpJ$@%GXg&(XI0bd^bkjphas3_4PtP^{?{!>){H z%EHdB4IJm_VwdtZJkQ!=(RqPD=_Sb$ylilJQ&W+eR=6{_PKPQ3QF4qtfD+BmK&lTz z477J)h9o?F8Lw>6!3%^wK4bLcYGgud=e8Q4A~(xuPq2%kyx$%QzLV$;5+%cPe55C* zVtN7B<*QsLp?#lqKKm_>ls)I;xlxJoI`>S{ZN_jHr}$oQOt`2n{v{1~IqSq&W+FCN zLn-ikL1b>n49+MqgM@0sbJ#%{*N*?eipk93Fc<0N5t>d^U>^^dh$@4_^i-Ax{+Ob` zk)*(Djp0ic4W&{Tom^>@N3vdPDVu5A`iczRl}Vj+`$K7XyC}HE^jUVgm@@_&?R_}0 zjs@h47*c1i|Ha$ALP(K$m9^M-Z+?CzX=d;gdeXN2iKp2I#NyhTi6?q+!fy z-e9Pa>iDz>0%*x_m&WzF5%svCkKki0-RB_V*szW&&S|CVswJ0iJDl`5ZxN|uf?Hya zwb>h5ZN)$X69SKXpgxkVk>B8n8Jg*)lFe7R=Z}24-(us<9*o))Ruz$%3-|D9RXh-Kc;fXHjamscil(E}C=yu|Q0AV2k7>~S^mYz=7NXQ65m&8j z{6+YL-3Vi+Yb}>o=}op_vyTQH9F3X=#{SwK1On^t>gum#Hw^h*T6?UEO1~q0m6h!%O5@F5{Z{ z#*hBYpG)V8>A&k#q1k7>v$2fOk9x5ULm98oM(A}O!F`Wqe8TXSa}Up_o4ckyTZT~4 z-Y(vnYiF_Sv3ZH`+%*y}dy)HLWWP)^EQLT!1j*bqpkhB*_u->zZt!eeWGQ1Qx9;EIcFJC?Nf_mvp5-o9#EK`x z#r6s3*~Oy85BJQTvRlei;VWNMCk@Yi<=+=Ha{XB%i0UMM9a|#<@vYG^R<%3fz)y}v z-?xh{{kUQ2=3i0iXS^xKgpY>sVeAd+^A%kP*;HkU`8?gTxhNj16UW(~k!)?Jy7=hu zV=L>*yrCJ$vA6aCR&SzZM>$}3!oW9SI|Nsnt&&{XcF{-S4c7T$u#)Y%(kg1O~d=~Z+mR5Mv znavp+{*j@lThY8!D|nu+gN}IE_c9abt#^T_+Olh5UqRT_YQ$C#%#T2K*luaCgCxxI 
z)FkB920xQPwO~XV2%8Ghe^UQ5ftOyY?)=n{>;{w4V2i~C4s}SXU8^N>7mAvkp%idhe^A2eO7Bz z!aVrFd=YpMP%X<-io*5<8QQnm}jxi85tVV4}+ zz!knnC%=sII~hAYmyd#wm5uAr0@=SMF5q2vZx(m{Jxs3z+R*TF>d=?Gs8RZ=e45?q zvnN<%wJ52sKwDtHh=f-KGzWXOuy7xM+QvV~rrbyTw-!+N6aW{lU_)n8|0$r3*;Kau zjRm-A!<~)*aMSI3m!90X@aErcO0kX&SP07$zpAgp+>+0H=Pi(F|Iv2Ml;)^4vA zMnS4Q2>E`emCys6#&Do$#J>Jw)uZ4;KOh5N6eUL}6g)k(QT#PK-n0lSs3$x(ZZ$&wDyeqIU z^~Uz=oqd>cKOuh!Sjb14T4vy(k|aLC*v)nc&E)=EOUXnj)|Ol)iQRrEI6x=mUxhIu zJ@GTyXODuMWgFJMnCzXCcMqFuii8cxpU3n9Iexb$&?JX3FT1KgQ;!8~L?c#zE)!~C zPXyH`EnG)ov+DyL6*`k+UR0xTjqSd6r%fr)oVm?5PUqP?iTw!)@J8Kqd;EQ|5bM5J zIAz5e{byupj|vp+lgd<*%oHdLAY27Rz~HBK$MApfbk7IO@7u?!;LW{c$^981kl#z} zI|Z(>f()dY{6>jszl-aR1@kvn7k@z`CFFZI(+ z>b}&HQ>vw@Iw!-EcG;L$pE{0f_{vmsaB(>H4)iaGy+S{>Ti$00z!ZN4OmP&f$;W?9 z(oYWe-Yu5S{n!d&k_Elc`5RT1EY^p7$HXq5TQfi=?#}%wj{6h3{xMClXc)D!(Hz6tLK`na5!z5bm3{thgy zdeZbR4_)(DCB!F@H5@c&Q;H>tQl{)syS!gw^!iXxENX#?_R!z?^9Nl*v2zK?LTA+U ztJjyh5xCn9syWRLj(b!lu&@I8bb3dix2`O|pXAjV@EE2k#KnKj9-MAdpyMW=#?89p z`Rv3%P=9GR#8)DQCq;buAs6sraQwcQWJ6A~bN*WP&G*?;NWl4bBbg@=5m<>Ew>qSg z7q9g7U4Y!K+5~N2QfjLkt0Ct1s8U1%Ps524%m!4i|F~DT*ZqwK;}J}L z)z^Xcig7T<_0qHD^rb>eZ!elpD`lwj53;}gj9@5Gfb6p7C;Xk+0Cy=;TzG5691$6* zob4vg+qV&`SuesE6UCA< zYaTrmirCq;_8FZA4n92NiL(52RD86>Kfw+NeAY|;{{8>{vhe-hNjRGEvHj&F{_5wy zN47=+_+MNd_W%1DKsVeM^;MlA$N#I2_xCj@{{N=@Q~&<%l_8UZu3KTNBY)D+ zzbxjr@A%v5W@u$#138cte*Dk~Pr z8vq+JS@`Emw^#%7BcVDv3bIzpBbmX)Ma<_1c;f#VwZFdGk^pmV&H8zEx@!Rgy1Z%s z;@^$?*Do_c!1Qpvk^!5OSpv7#bol2co&&3#`JC5VP(oJ%(73Vx(749mjZ3|6+&3<+ zc<%quG`9Pu?b7{!wP}&ah*=bs1_%*val)|@4Pa^2ABZf|@P+5pT%MI8*v&c7;rN?ugG&^d==cGhLLBv;cRU7NHrpa zQdO%Tbx6m^;UvvFBA*JWOxRpCNjF2sfnBN^4#3AA^Tfi21jhioEnlWy948zVWJk9AZ8%_|kDy@9dT3!`sUNOy) z3K8Terk2)Ek(|16?w4-9Bo}abpv7hBDd)RF$)6#!$gw?HoP3B5EOkT$$_p7JX^)|n>ib)ydcwBgF1#}IidFfW{AJ7k^2yORl)Hne?ijYR>YR>&&tvj91?PLN- z(3zP50OXjTfLSBB*sNbN1mv7)IYP2AlT9*qQ`f4|)0>dmyrf^4;ovqZCMDEq_8l(_+ zkwS^w*w}~#0tF&XS4#xobPVsc`q|xHKPH@EQ0P%X$>p+|EY8khB|nDrm$RX3yBEE2 zT!Cx|o+JGU0NFbH_NMHAxvbs1c2#)a@eC7r3T+wVdB$bHXF&*#03{Yj6%D>s73 
zJkp+Bue7g4yl*zR=&ptd>x_NZd{o?YoiRLLy4)3v8J((->e|7f=ZsqhLHUja%y4J4P~~sc)Of?aj3+bj={;cbcmu3O9&PhzJD#5~=s?89jDC3XnP+ zdbB%Sw)=V9W5{D`l5lZ#^}Te5WWUx@UwmQ^<4C6GYHxH$KqQ@V>1$WSCx`~aOYh?j z_S~gqWnXkELv%Cs#IghNZ8zTv#@v*VE`ROFzHpfweAU1T4RL&bcfwa8dBv>NfVWK7 zU|CY+<;)%IONp~xmB2*A&}lxLWX9%8bfO5JopMDH!|opquEz@t>36#7 zAg$H;Qf{UgqffH!kAsqaCL}{YQ6oMDPmF)gUOd>AZjZSqvE09xXN?&uh)E#>$&Ibe z?{%H+ev*VhfgIq;9yM(LYEnOdekuS{__`ZQnXySg_~e0BQRqieAjHLX5l!lR{tT5 zvJ*3CWc1xs>0&VdsK3i7yZQx zluFI#o~QtU%oI@ojNNzv;Jzh`zVX}RwZAaI(S725(5Fsf~0I zuy-hvqio4I@(yINGG&(P4Hmpn@C(c&^FEAIvv9)-WYB|A|oe*72o}13WO=#rtSvd%*PuGH+938Vxa{=`yG$ z^Mpav7&PkMF$m6Y;v>qfe1B0|8AQmI;at2&ud%?>aAL8}WN=sYAsagxhq*wNAVtts zHZb!|ryT?7&|x}~olRlF#=*fdB(1S7kIRZKpdqo^B9=f?qghW^>|Z5Z#vXj^W818e6$dLJq2uNb{VSEU9ol8qB^jX3nm)>qnym2)2d?$BW` z9Cv~d3dmt!W_OP6N_slEE!J)~b(!KlG>?QNOCYdDpH~XsJTY9|;--IF!!CSvLQQ?7 z-ON`j0AtS-BH}R`am?)3wVvlAAEZcwmAKBYrIb!QRpa-*@Ti9!SO<8S_6qvY!(pjV zNc?&ylXQ#9?}-1`eUNaUj#Oakgz0iyC@E6$?TIf^eN~cVG?bK-T&f%x)~Mf8?}MLN zQd`*m98oOV{6Txb6)`}tnjWw}kHtThcIZ8SuvMxPVw%Xe`G`4%EqYJ9?m6vkZ1`Mn zuQnMPp6eMRprdR%Ti?#}?PtAw;@!(oL8A?d3pkvzPHKO9K=Wnu{j@I9t-cM!{J|*u zvia=A7LS!FDd*U=R@JwH3WHbRfVMZOEAs^4+#?P_XTHlojU8s}_^Ru#m)A-AO`W89 zGx6B^(GbvKoE`u;Td=%3@b_=>lMvWC1c%gAj9bY1_jA(4NRA14576e~Nxk1_(Y zgo#48aKLd*ZVi$ki|0o7e6v%gu)fzJ92mE6gX-qn)3oTPa#%OKRH7MAPo*orP17@O z(p_SbB6v18Yk@+a-Gy=}T0eYv+ldXl2lO;XT-uBC>ZSTL)j-$h`@jaEo4ar{*o}OE zAaBN@md{>Hyk8%vSt7sElSBBR08{}Q(1BzvtdavK+px2R8+L#T$I5}9#oRQIUWrfa z&emgIE&`mTS?}RE9F0()a>%N25-}xEAVgr~8|=UlYUw84KL(R)PxZPO<6FBPmGr=hW{4GrOCa<84T#?vA!KY47A$@AI7^NeXIkE*yzl;>%ibC3in~qTHR3 z`sYl{uad9gqB&t1V@Z&CkE>_j1~0A?-p}PK_Jds-&o$)B?HmEdn_JfXQGED6N?J6m!l{w#{Wl5xPfT><)GTM%x`abnjzE*zzfv_gr-Lq;k< z+@6BrQ$|-LCpEh2TlmFA;Kn7JK#^Mi78QxMVar0gf7l%x0!OCiw0QQKNQLLYh<_t_ z7UTNP{u+_}v73V)-HQWBOEoYNF0OkA)JjOWP|A51MIZ$E+GGn!`i`=8^rnAUs4mDZ zN+XQR@^pnPg3b;esM-np$l~xEW?O~#hpX+iDi)AD*d#v8xt`xtEcY;S zTa(uSjv1nh8ZTyl>*{N7N_ zV=?yAWxkId#tztkKA_~aXLI~1Xy<8;D8hs6MaL||U$hMpWv?hK7O7<0nQfP!(=0Fm z#kT%wFpxNFkWedwOrKsixmy~x)eLX^^2Smt)P9#QBv 
zyF>Wo^8{8v@UJ%7_-IJ<{&#xU;yKRmW?oDYZ2CE#n<<7}sY`6` z9tr}OhJnm>QAH&?x%vf#~%ajt%`!c;?a;jQLmZbb$D zYfTDh%9NiZJ_cwAX};IaGz4#idUk&B5;gz50=f5#XX)v+G+`S0*Jsm`%byR8pix?R zAAgR7Nw`23-^0^pvXmb!Pn4211C+st>@bKUit(%B<=LL$ilWCFJoZBczDEj>7e7Ka zp+R?$tNXg&1aI>Pr84Z(anoefTCR^v5IIHb7B^qw+-Ji;?jlDv&ABm34MIUd zaXDNa4_PnvYOasJr`O$2ow8yfmq~%m?)!Pq?_yYZ*RolF5!^3Mz*I|ID=vIni<9EA zgAKPgyTq3&6Ee7}6(^(vmN*&m!D!iFJQ zET(}dhRo8KMpo>qMSt%^a7yNfR`|O)Au84I=J?aXL$hfAs-JNopfTRiH3Dd0^Bt*> zh4_Uh-LQowe@X%8u(1)F;5nBp9vh_GY>*f~VBT~8Gl?YeR%I0jH=BN=Kqd69>UyHe zx?Z{jWrA8N|6fUG>?PnGP{iZ}n0Joiq1y`Fp|<+P;FI_Jdb3LTl8!&5vE%q1yrVGV zRA5Js-Q3+Xf1wR#$mhpM&I2c5e{7W6uTIjUt0IfQFEUGHX$I{1O@+0NLUe0vTUVO1?@NO~`5YKl$CS&}U;_WT%$42F zX0!y@tLGVoo9>m8Le)|JmiRW7W4D3IHX$9F3>n$GTYtmO$Mpd0oU1?HT^T1_Z6yg~ z_Y?tzpx37s0pWIAt5BLWBm(RqmnFoufZEM zF*^{%8R-4k)yw`hc9A}2%eME#GiDAs7581LFX_N^Y)3d$r@lp3Pn6*B;E{-a_xu(t?cW>Rtg z4m`^P1(!d8XB`WGCKe#L$FjA`f?@2(6E2TYT%O)vr3$F6{&5v2lN!2I7d$rM^FGJ= z4Ok%|kn}7DE-{4$#}8KqbA9AdJ_CH;9{|FF6#|57XSD|KWM^XKzWqwi%TU{{+puDZ z{B(1i7yUkqEVwM$xo9_J)29&1LZZa2jF@i&;b?kudY#7c)&gqL{)`$ogIm3x-HK|{ zFy3Nn^yihKoC&dbt>ru)P%S%T4`Qx|ddvo?oQ@@b-11>I#V#2@M>wk+fY8h8T0F_a zoixJvgP-bJRCMF8qqt0yy(DPv=-Db@2k(E^khuS>hvqxW*hhaEHy&723+?EsSS%_24b;lHEJ|tS8TD+IZ1O zNmFz#G2VfiZdlL4Kw#;1TX?x5!F$svya!oaAGh{OIB{&5e%FBhL)p446|j}dM$({M zv~q}{$taYl+~VmNxdvuX>SF?ZwCl!ej`R*h=4%JawObojgx3fMUc2WUZlmU6pi952 z_N7SI#qqLNa#83kL0)o~ts;HoV-%J#qBqxTg8(1n!r-xDj<)%WT;}alaBs`4w9Fe| z4-<(Xpy&h@Q)-f9+3q*|Eb=e#bMrA-6()IL)U#=*VjzjBs)-Xc!#fHRI>+CTf;ba< zKQ-L{V<8rBjC#dx80dH=C~a|D#_Y@I#24T}MPz?u_6$@N6&2-{`UeBaB7VOZat^`y zii^9B{AIRqpVhc3XAtUF!q-X~v5YlFkr-~98-ZObfK zk;?|>CJ*GD19lI&`GBYzz8}`pfyesZu5kZ~;8gdeD=KuqYdZ9DBJjj&EU>|YG0Wc& zhd7gX->Fysu~QAC+fzbi#Qwmb%a{5~01W!t?h5XKV>@Cwa`FA4@2F7+ z61s3p_hahP%?;YWKxl7Mk*2B3Xz`Wj>2^Jx=6ZGf83YoPW1t{m)yp*VqKvpYFUEnc z)UHt6mqS%n+V8rx9||?^qR9C_7KMs-Dz6u;@Lazi0YaGByA=~Pr#2}>gKk_!!+v8- zYWnAs{&UCW*Myp`3=AlxN10up+P8Vdy8+<#AS-~c+=i{dz5sp}tKSaqPqg*A55L_K}4j|PUS!eC7@ENpA-!qgkn4kzQ>^BxrnFz(4BNZtokzGxM&i{ 
zc=#tj03YG9$z(w9HFF0m?)QCq_#BgOiV8So>qT^MI zl}Z}+-Y>@R>~`{?>?c$Q&YeAg_f#Ly(^L2$YSJXlMGt!*=fu()AIAx~Ks!PI;dk!s z4*-Qm_ZYOx{3`&1Hfm{jSn@=Bkz^qV(xQ-3{sSo)W5HnPNzkebj8wjs$OM zu4SWIg!!j*(kxV0wuebb+{CH>1%nnpdj0{6AzrD8?}>4g&kf`>=&atHJo zdB-Mqet5O4>KAUSFZ24YD09->DbM?CKkw!N+e^7z1;2ik8rKN)My=pcXRuS!J`5-gpeNG7stg=?U5~nZ zaO{)H;jsVa;_;=S>@EXQtrZOb*ao)D_=NBH<&tU!&c5+Dv@90p(j+s5L!QfqcWMrBM`Isua+(22xySIxFJgi)y3+vLLQo9EiGs zgn5Jy=3l(Wrlhi)T@Iu0-kYI68=$e;pC>G>ccQR)^@;MyG7UiJFc3eU_kVpbI|}vK zj8Mj(RI{1V)~jA`?~&Fi2f)4ln*Rqy-qQGcIcxsEEN7PIwmU>0MrTx&1uD3{?I(PA z!^h39sxU}Pf>XM?Ydu`>jaRfpIv5{G&AtoakuUmPBj z0J6)|P)?b`b|sjSa>`}2WE}jx_c@iUfyoV&sLU4G>BkOx)?%o)(?WS+D)D2r6Bqk! zghFNE0ztRF{lyY4ozpSKE7-xD7KZgF)Y>$!N6@HO(`OzDxk158}()lW_ zP(u6TLSeY`?USe5B~pkP#dtx7vEN}5;>d0?qLJ1@_30b4&Y5ZNjP&S~gKD$qr5V02 z6#^v&^wm;Z>;UICH;8^s*9e4!tXN=r)ock6#NRwvvk_H>inv{?vUSTW^|gNk4**E} zL8#_~*p??^ITsy{XaYS2pG_lS;sH5+4|YGNE?vEjVahTzFiC@+m&n}Gnycl;5AWapxOqiU_6|{EQ%@Z*+dSpWpr@=K<3@A|DoQN(LT+L~-QHF1m$*>P`v{VY2$JP|4ix zriKs@b%mJJ4^qBQ{knQm9Q;~3CHoJszdXaH{7pu?$w{pC!b+&^dk+t~t9HZl;WvC2 zxAn*u>*QZ#D5F}|SW4=(3A3cR4D(R-m)hnU`JUs)Is`;L1(F*VDRCp`@d4zR*Nh#) z%3!_+4BmY7=;H;MTpu?E7CUGb=6)yd`uE8@P^IomXa_ca|3>*tL>>ZXHO_3Ao%O$q z!(4TbULPa$E0-(Dub>YwJr;gzyD>xAHz|x{iCM%QiiPwADb0GZ%3QhO@ozqwH?-?> zHko+)5<2z*$tT=Wx)R&@*O`1jAz~!#mh;TP=3H(5TuG&lPpn|qjT0!guo2X#Zy4Fd?5xMPWz=K4V(AI7^ZHyKKWF zZ&-<0>Ys#k?-;Vp2x1c@WzEL}3JlLnj)9(G^TMJX{Ve*nEF=4(viH!0IDeu|?`Clx z+EhLtK^#YoAGGMzUi>(6+~3^O*b`2EFB`Ga83~Bw z5aNa>g+C1``}K`VF${o@PY#bo?TucrCf9z+l9Q42dL1-sbS=yv+~ZF$LLMD{X^dV5 z8nk?G>N&#}n>zeYq_m}EaVZme*Jwe?;88(hvEvT4Hk^f0>?zECiD7KT;n3> zjoxIXYB5Gb7>|J>U;f$FG9$(*w;lo8GQTJDbJ6z+;>_Qfaj|pdQ+a7J@YFaiVP3Z( zv?F#__OK;Oj+AoUSYj=qk6-zKpBaD_v9~mkBg*<$nOD)hBbt zY0OhM$$kk2UdEwH{v$UHjb&swC5@+vmo&@;()yeGsB)mjcgI0sn26DKYpIR3pa zDF0;O-yXOu8c3ZIejh?8#O+%f7!T1i)4wOY`!nm!&VK{g8!6hos?bmOyA1-5m*pK_ zgI!eOlFq4sb8)36ivJS}zCx%@`9z6c?^?n|>hSEI!q#pU<+pvJ%X_T=j(c<-qC)$y z{C>+qLd*9=F1CIf80y6P`kj1hpXk4GQE#Y#6iAY{3(YHzOE(Ae_#VjysPp`#lS9Gu 
z_M&F%EUuF;A!{HRiXhIZ?ZXX4_@fIQ_BMH?!FCPq`m9ASaGS!1JFX-_7ADAlDzh`dG<0e zFt71+aSS=^^RVd8QD7&~IE5cM(AGHv$0xRCoY(#F@%D}TZ@dqmni`Y7xafk+br+3|z z$xi_|-@wvgev@_SL*J&NYo~!DB(9VG!UG7%*uex0qtM+|c~c+UKmIq*9K4o$-3C|7 zJid$3+XAJY?TCHc;(5RZl#)Pe%h1Bdp-*+foGCrs;^!0%H3c zg&$L;@ZA8Zdn_vH`+y@mGfi%agQKBgw@^T0#jh)zOO`F$^;&4Bp3sRhrntDc6S5Q4 zZy#L z)|+ndBEkc)oO5i8r8qx+e7DPHT{nx5a>Cco&Jh*wa%BCNK8%gE0h;{m<80u%{!gi! zr|#WdCinL^pO^=14lZppMAQ^;{YcxP0wZcsJ457$sW&u zb5)W{7jE|0BoA3;Sguy^=Y{>dJvQrlS$tF{nE%hcX*JL5uve^B>T8L0cYaR$7!4eL znYQ=x)aCCs6?fm;*nR0jYI(b`a$~eVXtv1~GkH7osW@cLP~P4lD)IRec7dAgvg;m3dZFOpe{_I0nSVE_V8S3j3^ HP6@127.0.0.1:8022/files` +* [Network Traffic Artifact Upload (Web)](upload.md#Upload): **https://localhost/upload/** +* [Network Traffic Artifact Upload (SFTP)](upload.md#Upload): `sftp://@127.0.0.1:8022/files` * [NetBox](asset-interaction-analysis.md#AssetInteractionAnalysis): **https://localhost/netbox/** * [Account Management](authsetup.md#AuthBasicAccountManagement): **https://localhost/auth/** \ No newline at end of file diff --git a/docs/upload.md b/docs/upload.md index 12c112f02..4c3b8bb6f 100644 --- a/docs/upload.md +++ b/docs/upload.md @@ -1,12 +1,12 @@ -# Capture file and log archive upload +# Network traffic artifact upload -* [Capture file and log archive upload](#Upload) +* [Network traffic artifact upload](#Upload) - [Tagging](#Tagging) - [Processing uploaded PCAPs with Zeek and Suricata](#UploadPCAPProcessors) Malcolm serves a web browser-based upload form for uploading PCAP files and Zeek logs at **https://localhost/upload/** if connecting locally. -![Capture File and Log Archive Upload](./images/screenshots/malcolm_upload.png) +![Network traffic artifact upload](./images/screenshots/malcolm_upload.png) Additionally, there is a writable `files` directory on an SFTP server served on port 8022 (e.g., `sftp://USERNAME@localhost:8022/files/` if connecting locally). From ceacedf42ab01974b901b6f4dc9ef2be5ed1182f Mon Sep 17 00:00:00 2001 
From: Seth Grover
Date: Wed, 9 Aug 2023 11:54:55 -0600
Subject: [PATCH 61/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress)
---
 .../filebeat-watch-zeeklogs-uploads-folder.py | 12 ++++++++++++
 pcap-monitor/scripts/watch-pcap-uploads-folder.py | 12 ++++++++++++
 shared/bin/watch_common.py | 3 ++-
 3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py b/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py
index 43978a662..1dfccf54a 100755
--- a/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py
+++ b/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py
@@ -104,6 +104,17 @@ def main():
 type=str,
 required=False,
 )
+ parser.add_argument(
+ '--recursive',
+ dest='recursiveAll',
+ help="Monitor all directories underneath --directory",
+ metavar='true|false',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=False,
+ required=False,
+ )
 parser.add_argument(
 '-p',
 '--polling',
@@ -224,6 +235,7 @@ def main():
 watch_common.WatchAndProcessDirectory(
 watchDirs,
 args.polling,
+ args.recursiveAll,
 file_processor,
 {
 "logger": logging,
diff --git a/pcap-monitor/scripts/watch-pcap-uploads-folder.py b/pcap-monitor/scripts/watch-pcap-uploads-folder.py
index afe8699b6..dbc9a7fa7 100755
--- a/pcap-monitor/scripts/watch-pcap-uploads-folder.py
+++ b/pcap-monitor/scripts/watch-pcap-uploads-folder.py
@@ -115,6 +115,17 @@ def main():
 type=str,
 required=False,
 )
+ parser.add_argument(
+ '--recursive',
+ dest='recursiveAll',
+ help="Monitor all directories underneath --directory",
+ metavar='true|false',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=False,
+ required=False,
+ )
 parser.add_argument(
 '-p',
 '--polling',
@@ -244,6 +255,7 @@ def main():
 watch_common.WatchAndProcessDirectory(
 watchDirs,
 args.polling,
+ args.recursiveAll,
 file_processor,
 {
 "logger": logging,
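Review bot: The new `--recursive` option defaults to `False` in this script and in `pcap-monitor/scripts/watch-pcap-uploads-folder.py`, whereas the shared watcher scheduled every directory with `recursive=True` before this commit, so files written into a subdirectory of the watched upload folder are no longer picked up unless the launcher passes the flag. Whether the service definitions that start these scripts pass `--recursive` is not visible in the patch; if they do not, artifacts uploaded into nested directories would go unprocessed with no log message to show it. I would state the default in the help text, e.g. `help="Monitor all directories underneath --directory (default: false)"`, and log the effective value once at startup next to the watched directories. `main()` starts and ends outside these hunks.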
diff --git a/shared/bin/watch_common.py b/shared/bin/watch_common.py
index 17caa9300..9457a1604 100644
--- a/shared/bin/watch_common.py
+++ b/shared/bin/watch_common.py
@@ -287,6 +287,7 @@ def ProcessFileEventWorker(workerArgs):
 def WatchAndProcessDirectory(
 directories,
 polling,
+ recursive,
 fileProcessor,
 fileProcessorKwargs,
 assumeClosedSec,
@@ -301,7 +302,7 @@ def WatchAndProcessDirectory(
 )
 for directory in directories:
 loggerToUse.info(f"🗐\tScheduling {directory}")
- observer.schedule(handler, directory, recursive=True)
+ observer.schedule(handler, directory, recursive=recursive)
 observer.start()
 try:
From c965496b81d300af1a38ae2da1ee8bc65334b4ac Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 9 Aug 2023 12:12:45 -0600
Subject: [PATCH 62/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress)
---
 file-upload/site/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/file-upload/site/index.html b/file-upload/site/index.html
index 768c65682..6119534f0 100644
--- a/file-upload/site/index.html
+++ b/file-upload/site/index.html
@@ -65,8 +65,8 @@
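Review bot: In `shared/bin/watch_common.py`, `recursive` is inserted as a positional parameter between `polling` and `fileProcessor`, so any caller of `WatchAndProcessDirectory` that passes its arguments by position and is not updated would bind its file processor to `recursive` (truthy, hence still recursive) and shift every later argument by one. The diffstat shows two call sites changed in this commit; whether other callers exist is not visible here. Passing the value by keyword at the call sites, `recursive=args.recursiveAll,`, and making the parameter keyword-only in the signature would turn a missed caller into an immediate `TypeError` instead of a silent mis-binding. A short comment above the schedule call, `# recursive=False watches only the top level of each directory`, would record the behaviour change from the former hard-coded `recursive=True`. The function body continues outside both hunks.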

Network Traffic Artifact Upload


- + From 4707ac055550f352d570b6e2418b55a2168d6f75 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 9 Aug 2023 12:14:06 -0600 Subject: [PATCH 63/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress) --- docs/images/screenshots/malcolm_upload.png | Bin 106654 -> 99148 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/docs/images/screenshots/malcolm_upload.png b/docs/images/screenshots/malcolm_upload.png index f71dcbb8b854baa82561fa971687ae22a64eb97f..62e54eb2d93a30323af8771e39f5acbfd58ac9a5 100644 GIT binary patch delta 71833 zcmeEuWn5HW+b-QPG|146v`R>KHwY+_0@4Erg2ZNMB_su8DCv-tlo+~0QAuHF=?3Yu z`9JS@&ikJ8et*B5-*11I0rp-q_gd?|ulu^LMOFvSa0E^~4FLiV2MrC4Sern*nq|u# z@I$KVx42(nlVgO<`{OE8V#(_nVNqcRMZM$B31&T=r|O>fKfh0%KcyGXYLFkztfngW zX0Nq@J^5BD)Jx|>>(|yHjwa2lNm7ia-_z-P!vbPsZ9QdatCSLY;h2lOJ2Q0?jT5{t zt-G9m4fe*;*ZDqj{#9L!-xhM?Cqr%&HOM&uMvsJ9v zq-CDIy0n8n%UQdX#-E3OrM(M$4+1oj)%1;ZmQET|D~vcoju2c2enaX5iB#Sq-+;{7 zN%g~TBZI3p35e(XIt!ZIvKf~6oc-0+F9&oSzm?Y@jMm+!5bPZ9dU!|^4Qm{3@k^fY zWRvTY45(TPe86SAlr4E$_s%i_m*u`MCtDoMuO&-)Z)X1_!$;1 zL5e3!FbWBc6kd+KmZP{=yK~c#15uouKUipGC5QVFp#%`Yw!fbOE;foTUey96`^^X5 zU+sO!#D}LAOJE(?G=InkIMIttf^-rvU1e_mE{7=96>h&QKH8RIw88QW;Coij_Y>#A z51Ef68~hD(tdMR*E)QNF8X?}NeF3~L0wdRwF8!}PVSO(*V2Z9O!AHde(|R06Nr`qn zg)^RxM>?DL)Z{kXJ=Lln?VTI}Y^o$Yxrgfh=d9^sqB9r9MBtGOH!l2@u{-+9Pqb$nN-8{OnQoJTAh{G>x3CmnM8t6ZJ z*IXlC^p^8~zxw{JnKe2w%ZPkpd2^ko)WszvnK$9tlk)ldimC!hzr>{Yf!KRu#G4%$ z!Wbd!rktFd7m2N%p_rezu}Lax1$kwMS)PwL&(^zUDYJZW%kth=2n$YnqW}GKpH8Km zx@Io50I_t6YVd zWv30q`<3s66e+00^7ZPR!31#Q2%Niqf84Zr_|9M*LH@K+yc8=zoZ}U9IyV;S6#mJP zVG(jAY(>4FL*geemMXBoU-oO)n8RV{zHS`WbgP)zTh^kn&w2vy$)6AQegGoAf^klEVE?N_htNS`eB7{3))5Lr0*Uz`=8y#dWR9QC&j7TvZsdrdv z%>EQP$b{DQ>^v@b6r^7Z-i3!(TnI0{=X>AT-!tri-11r+Ah`aLl%B(7MWH0irhc%=-R@ufY?SFc#-8xVU7s99DB^$hsvHjNDw+Yg zPQWpkkf+Xj@RHH2$)^E2;umW^_1CEYEjQU|MOs43(!;&GudhUSC8^GNa?FzM>4Me zJC*;B)^x+otY=TdcM#w0Y!*B8%kg-7ps78YXZ?krRSVQuj724H!#!6Yoki@_VZ=42 zrV3gLfO(r{CGy~+KAVO27=?Gbhbzm4PR@)@05!*Cm&0)6gb-ukD&e^lYLk#ux))v( z&$|=?)xz0Qex6e?pPr+H=q+2GW6Q#ho2RRC#l_l3!zz8hzSp3JRjQ~@AFd8v4yv<~ zVu-r==0$6hVi9+*(|f(4_a!#N6Lp+6Mg^yh=c`l5w-HJj^^}KO&23-)j)M2vVtQc< zL%d=ahCc9@txw}&;XQiV;#-|%>uWx}zBpD7{DEksrSms3Z(H}q(7kaneTMfQd7&t- z(P*C-=Qdlf7<92FvGFSxL5^oc5WPb2_>1jz?{&?dlHqeRWxM%revexsUifV!@x!e6 zAOyl|{Le&(2EzmMtr<8>x%7^#>o69yFtdBYp~?JC70<$igd9e`AqU32k}IHF|unvD0i-7gd*O9gRJ* 
z=vWx(eelCibSXu;D0jHh%zf>(k$k#@S0N(sboy}v<_zfvhpw$g;;-IYV*M-M+%lf#4lwL1*5LL4~+aTyP} z=rxHE6l3LaeW7{Q7Et=*Gl8O6!$HolW#e@EZ3egz7EnYWgLj#<^G;)h=^Sb83sjJMFk)9%IX%gMjY zHIuzG`m0@aq6iPgh@8Ak=}SPve_@G1DPFTT=e5EP5ynX8houP)tGS*3Fw{LiB%I1P z*28gbA&oz0a;GbM^7-Bq-*>IKPzlfcFOCzO`7IdY3+!6kGj(OhdkeBIxg1k}0b<3K zX5YgBF7GIGCAOq3)@1D>FHDzt8Tx8Ay=SKpvqQ51l2RQ}&n={-YVwfQl>-g)Z#37( zsuYbo$r9#TUSo{N7kh2H?|k&Bs?d^H7i_;WXnwWvDLhz#*CaeOzS!z4;<~9#H+dW_ z!M1mWbajSW`Ab9Zx4Z!jy?*`yb%3Ylr5z)WGjM!PIwe~zYDzUrqjIALOO+LFO4yqCe?upZ&@OE4?$**VLHoCP3j{>^LB)($__79wL-lOl=!~VR@3!7raCGTjv zy}2YK`|{nZ;`gp$tpE!KE6}~T`*rVwuFScTdt$OU-0fu@iC> ztP@jm5;e(>))KKbNe18k)y&tY2rEbGtheKt{MqM%{rQlx6psn$brN<;KjEk2KVME& zA92F|VuhZInMFTnqWWAml3X&GIX{d5@6o<6+y>sxcKcFeP(5XgO&#E%(SE|=;Z+i! z`eND#Wp2!~<`alGRo7oH=pmBDgYKiMl44j9_zJj*j;vq$UFWq;sfM~)E8iJRO3{`T z`v!L_ss&@!5P?b7%$`>QLf$Whu^6!U$g*+t@fKgYEYK!+VA+@_l(9$6|FpmREkzfJ zVYTh~f#}~+$vv&4NkEAY9~!}e_36pyrvrQKw~TeHkvmOr*;&iujgG|~0g(**Wc!`j z2KUlIUJJT6UkzTouUThgg<{3gySM14LLw%O8(9^&TOXc15?#-W09a{$&2v!=(ikks z)wpr$r`Z4gdRAOMZ?2?a;>7dQ8FA@;q`@A{OlHIST@E91qXBqc>hrt#QH|a8!?%)6 z=7W^7ECm{ClUX$Tobs#5%NqMaAmpSkaBaLCenVPLgc(yv?a{ zTi4*NcbPd$O4*Mq-9K_441NZut{2h3m)kGTUS(T-eZBW#gr0h!Ei<|R2EQ(?86=}h zOyoO1S{-NMfk;A{F~%s29C(a`E``{$H-460r|lc?0el%fjQQMShDtsw@hhbfC3ob8GIyK8nhHz#V9u(|d!;S?pb zlP7|u@uahL`rLkjP{B~Tz;(7>#AQlIun0?v^A}d!t*E*LR>nJew?=uBglf$%n>!Qj z13VK%+}${H-NY?BnKFUR6@zet0^c(C(hUI1DGNi@=`onMYFhR?2`?f!&!W?vYXuY# z6;TYkM5+qhm}_*#;x~J@H@e|bE9yxQIyY5aLQ)8t=U@c!){E;ydCw;W*QK6Xj8yY* zsA$ovkWq8qhc8w?hI%rWBvJ}aD2^ZH0nUnQmE39IVvoX6t^l}{QP&2C*5(=A^={&1X>D?mrR?R?(P7 z@=>qfgkvylk}o4r=y1oPUF^aC3-b_yof|B$v<_wfD=~E`x{c?2(=NxJZ8BF87mgcw z&bqs54)k@`Agx8;+uOo{mCxMwA3KafrOm~1*}k(zK48aYrLOqa;^##tWEDJ`5Yo`R zKl67fT5u)He>WGI5P|Ld>%KyOp2*+Uv-t@>s20zYE?Mbt693WINk|wmZQ{Zw%Q~l@ z@A|LPag5M)t_2->Y6=MLE(_HS#P@JY%<8JBIpa#93`IIDP;3hZp!A`$xekX9`@pWW z>WlR(UnU`65dx; z>`cG8dHQ_R%|{gtDvU^Y;$`JIBu73cMRFD)s6#wUN_qVbSAO`3Jt>!9Rn_^COkiA@ zJeYF-_P$I0`^gC6XaGa?ZyAa8<9@MjD0K0`N;=r6m}R43$Cb=Mrg!PcDzX_qWC%0ss 
z?5rJ=xj!a-X3l#+;H3&@6KQB}-PIpFDoC|RWCE_fiM4Z*0gm}=vv@BH&x*YC5jS>W z#4A7jHcN`~ohK_Us?_E(5^`7P-|dWmiMYa)S5j0rRZ8NCT94-eZ@L5HBT=fh#PUOT z?!Gv4-s++Y1y20IGK_hKzb*?mwi*bvb1?)~N{DCiN3MT$XZY!UDi zu6LPceI`1bWQ$9!4wsTFFrQZ9G3S1N*ejmvTekT~qgyVB2tiRq4rB>jJN;_532JtU z*3ozeF8RF_=*1Z1ffYo`v$VTtpQuAH3b-eEhKN@jDB#e&@d8sWj=`6g-+-^~4a;^) zjFBV)6?k!+An?3dX+=gj@Xh5;L!GY^*EF%H&BPfwhX$TP zQv7}PR-!Y;mekG@l<#Va$qHCF;_x1<(-JF6aWMi{9%Dbt5j(yE*~u0G(*pQFyxcEl zu+BRVv#H8sq-!ukNl7NG+25KsxMk+7*s{Cs&9^=dSnN+=V|f%U)~)u1wq&Hh5tqKp zXJ;n-2hF9G(F6HUy8aV%KDLfh-*z!ee=!em1%XV!9+4nPl4J+96e3kD1Cmy4q%6M2|BIupY|HWzDivT(!l0ep)kmON{oR`b$Q?8QQ#p_kT&p3o}c* ze7*6#;3<+|Qtub7#B0`S0j=yT;KmP*2Z^&LVU|LYW=-FmTE zMrOU{vLF<&94nTu`koP3WImRb?3798N<_ntN4xPhyzRd}tK>|G2j9xkV&RZLX%EfT zMnngtExbk^UAXGz6R&C?6b=nNd*wycf>~-*LSEf)Zm;F*C22R993T1eB3vfd{oCQ` zOj!QZk*IAik$e`3ucFma^c-5LZjjRK0Q<>zB?A<%ZZ7JFS?`1Sl<60_6AenD@5Rz;YTdL?J$(y73V=?&@YKUPkzI9)nwK4J-XA z+z0qQDQWu3p50W58YxcVVapTq_bv`^--Nv2Wbze{WsrR0{;O3gPup_h$cz}BbhWT+ zgH%ckRgg-Z@Ng;s<@b)jT1}K*hiU8A=Q8DjC>%Pw7$uhvAgeWyG z)40AkF?5B+ipjlkgVvlse8bpg_(zCK0jc|i6+RTK4j06gNBnh7l-O|(<#fABD8)NNU+=Y^4TAHv`=-Va zRcu`Lq3pFH9|3ef;LUpGYxBPAZVKJM*L+fgx0zIqaJJ-gP3HwRKN;+}iHCVVzw*pA z6(Y$5B(hX7*daUM9#Og^ss_LWB9H%fY2k)nVwQS=+QoBc=kCcbA#cDtTHkdaZIwilG|5DW2xsy>$sBq zhO(6g1@FqAHH=Q;0!s{@Ud)Kj`uSG>A?dTZq>^jW^`#_E?Zo>PjjX7W{zsnEcB$bL z0Z6YF0;q-Hw)ag-eX4$+K1y8sBftoyt6TDA0M!6;HF_||I4<|q-px?3oDh6@&TH&v z#$;n-qfzS!9()<>kyA3T;+tb-6= zbjGk?<#ZHol%$Bp`TAk9NBXTZ+&O|K}eP*%nJ-K?qF&kc8a>r^n=(ckcq{S-ShrbL@Z7x(do|Y z`lUy${RozOv+E_O9%9Qj5D!2ky*FQ}Fgc86@ylNAhn~KY=SIRYagQHWv2@LPg~?hW zZioiVv;B7^7WyEGNE{sa`cA{bhxXf>XUs0<0H_vToLLzg35~`vNDk`CUMFwX^vlDE zU7zxslaj3aRkmG}9&b+@nxx->#uq<|^$m*kSmX~iXRGuXAHIyg0vAQ|1%8lqQXGWv z$_WGwbHMGjL9Rl$(K;QRNS5f!H>j8!B8FC2;f|^i%t?#ziDQ&5tt4}bB1p^tY_8uk zN02|Cr_L9?PO5C9a99Lf`8XiVBupMQ0_V`c`*+nDrtvN0`5@>^-Ejlztn za?jS_st34ks+GW!$TvcLse!?c(m?KLK3Mv#Eun=7i|u$vb>AT6`!O%fDm2&}7ZfAq zOU0T;N6kTX{tc#cByJch%qlNjyTWzqRqo1XVRmh04E5Q44yq8``SN>;8$Dp8ex1E` 
z3GvyUV&V37Bw9xTglJb7bXbJ!Y5`!XGZ#y^!6I?FvIMTZEhnrdDxOQ~V&Gy?d~wbo zqhR%*S292azYK%myU1BjZO?LO-(GA9Zp<}#m1Tm!f>#LLOT8bNtu$o&ZHx)VU**_>HHytN?Y1Q^)yilSwB{7UVFY}X7AI!Yi6 zA-_3mzddh_$v|3yha}a`)k#n* zP%5PB89a(#q%CJyu1he+io+qk_s0Pt8|TZIYY3cIyQ3My&7z;XilqiT>KDnw)F@ak= z9>ji7_m+c*8&5I&VOmT7*K;1Kr8Vy@u;ak?tG{6(Xsg8X?^2Xl7x%hjMyg0Pw>$`- ze;TbzXbzliP3pF{dfk&^-~3UseCaV;54fJt2ik(U;Fr5l>>{C%5_6P{#b>{xwZmEW z_DmK}a4g@lSnVWN@bT_o;~R6>L@M()C*bO!&*JO7<3=@n=+v<7^>j!CC^XJj4|u*= z!rIK)aitu@k!Zyt@ts4tHZT-Iif^ZKrdhSe2ll;!C-U$ymO$9?WfEIT5^xdZjM6go zx*66+$+_XT@H7ygg_EJTuA%T&I>-jE=-_!Kl@=JnV`cJa;SM-bW-eVH!%XnH2?Tu( zdT0m_)5UvAOb0p^k5R~}4(u(Cc$V8ya6uUQb^20?vz|l4X`X;`7sk6kr{c`qHf;!2 zY^iL4=0B`Ek7)W)Bj~z-(kwU3x5?0#2rNop?vUcngYFwpPQ&6rjqRLA(7TPhPmIu* zcaJZ-HlHi}QAPzLgGVx5_j8c5OD%p!o2AtCTat01k)nJh`tMU->Ir(V<5Vq;f;*iGA)H!d#C|%+} zwZj|7zaq6a=_%`pVr!I zmwL=#;7UOd)}rFL&RF!6QBPsH4Lz7G$_vfjTXfs4Yq0%~pMw;GEQ#L%-G@#?BZ{BGHlh>kGbX=XK&xmh6Z z#yPQci&RMzXy!rI#b~{|6lqP0!FX@K9Me*)1L&e_TVI`*yG(c!XVb!7M@VjYr>Tu{+lk7^rN47Y4(cfq_c{^2sWa4oR^Bfc)#h zquAK$9eyjBV7yQ%3?Y}sOo<2kYxI^MtRbTNJ#(S~=Y5Tvla+gy!t*k(cV-^_q_>K> zYn&c4&ZQZmgk<}07!T$__t*~`QY-cD_F*Ay_b!Al4iWlYBt65Ca zqlm*b9YOITt9MP+t^51iVazuEJIQ=z2GQk(iBli=pS}7^aKrHG9(Eio+f?d32zEb$ z>|9jgw3Q`Ds&}$N01)`uqgh%U6pYfgt*{NVr6GlVwoO~ltBKv`GC9N#Bs!&0Bi6%o zxh_Ez!QC=Cijxa5_Vue?ko4@&gDWN z95F(aXrmAS`#7tD@Aqi?iqQ=Nx6Rj<&kY|BbPBX&wg3mc^oD-1RssF*twa&l{3Nnm z$_6MoaZ1lG;?i1GYY=KX`o!SJJzNdmAS8O&TIe$L5{_wsHnrdBj7*bV?Br2nRz(YA zkQCJ7K8n2TD|bai?h~)j2}k&&*+lMagp54y783KK5Rc!d&ULu?Wnzy9#oLjuvAmQx z>?9OKNDH&$Y54S~tABJN>3)E9mR-Hn6TOvRQ!f-fR#g(&7v)+{`!2h$1_?({kNQJw zJ0JU0P)UUjKNycjk_{yJfP5{;b3|9x%MXV_FeX`RMK!e4md(MX!S(I?!yhl>l0t zj4s?of*<@90BMO6`voJXj$X1R-k5m!$fJtLSdK$uD>hdm3t9lLPB`M!qg&VUffTDulWgV}-_MPQ;UTrI%CVLkKCkQP}FGwkWa?{}E9K zJRBLXHPX;z-fQut0m;_H00V4lZR&`W*SZLW~bV)V`;Xx@0RJG$AOid4yQu3v=nR zS(KjIa4tjrDy2B0lR1%zEo^use!Yj}S+_8yxI&OQaDW8{o0}aBHUU@ob5?Y6yjZYz z!2G-z%{c#pE|gxp?HHF_yy`$VIzw8Nt#IkB2^{mUEicwH8U8XjBBe=qi1&B~D|Br-F*OB)p&yi~4bHTs%De9nGu!-r|6 
z6b}e^m5&vt%IK$LGKp{Rn-OQZuYhc>63cd5R|!QfKI!RB9~PZz>^g_OeP;P)gJYp2 z?Y^(m6jks(i)Siws83Xk1uI(;nrP_`*Lk!<0%K73jc~Uf)M3kGptZ)DXCopw&XDy=Pt6(%tRR_4=s&HzxbyV9Z{EoDbVahsZ!Mo9`*XaV~_yi9l`CRT>pGcagY z1b zGZA|-0t1g#OdPRlv#9f4ECO^|9wm)^U;?H%8JdK*_c39LOtH!uD5MGjJ?_^* z^lsuPsLyvr-DuW+c{&!D74*+-XE1u2NNV!U05mn&B;B^8j8ao)2UI5J9xCdlm6=4!D7lPL&+7h$ zZv~n(3#+J_xCZxA8Vi@;_-*n6##jl8kfn8q_&)Y;+R_a1Bd)Zu{SQ!j=w)p40k?3U zk^)Lj#K2{fY!}`TSD(u#Fz=%BT|@yD90}2wyVqrp)g+3*py&i3I4_<75AmRCKGPtc zG`d!(pmwRq^g$uv4?5ASc)Z*6Nkk)y5lez5N>yGX>pl`@N42J8;-~^^lb(GVn_vjN zZvh<`PdsOooBON9a61!+8Z(<~mb3T5QJ$xTj}tL)J6#csW@=GR{(0i-bYsj>rM_#^ z5&1)>7oG%ANEl06Gw}Ai+jUjhKGr``_5N_{Hl72o$Xb3F);&F-mdV093W&jOS?792 zKmmH%ogOqH>(Vja(MltCw9?Ubl{?rtX5oRrYCJ7twl$FK8CcfoIk3T&;utj7KW`UW z9;$z!&n}9;#@{+ivleuHfp1>Z_wuQN`r`$k`DNmcpDO znvM{x^D)r(Rn2jAc!Z5uexi&mLB1VUng9`B8_g`!{K5Jf*E3*BU5{nXYJ!HFCBG=# zh9Q{@Bl3Yd|HU3>#o~?>7T@eAc@%Q?MU?QV%Cw~grUN(v)tMqUqi!P!x#A}$y{AN5 z0N&O>y&4`AvWQ@`Y>db#BAmOe?x^QCrGl=6%bgGza^SBAfi2Ht$0}Df9YVo-lGFLM z@7~pxQtYz0oMuwl&XpF6XVdAxyVAdiCpU%s4XLyC=S9)s!!f;9?5)t?y`oa2i{~#g z3{gmjo2=?l2j*WqSvxN=*Z#p$KL9hTKJ8b%*KogvBPI##IFNbWgfiAIF5o%TSVgI* z#k;IKbxMHc#%$ytC)(3Hg8Wyybvp>6q$u!|QOGrPcZfdq&k+|mW(H*oS#5hvmmMt& zgHJzJ8||`o`gKpOS*^W@<9GH2j=46W_Op5a5-iHEvf%1Ibzpc5yc$1OwDLWAhoJW{ zjg+9a{N?f7;oLw>%wt6wO%;#5cVC&#f(`GzaD?Cw2z`~=18RJD*E}SIaPF6@qCgag z8T>6MI!K1`;CUbq^tc5nDx@qxWeX9F&+D51u~ZA@hjG$%P7+x~JC-m7x~@0Kh#6{5 zz2CS?rrZ%VncTpFBmJSkRFd=zV8EROief`}|wHH1MF9xIr| zhGz_C!6hi2vI?A9qZFT0LLcVfRbq)j$I+*@hN{^+5`7}tRh~s);Qp%gqF@-5%2N^x z!<`k9@fEhZVPUs^Kq`!XtvnU?po3T8DPjx{#3dmlK!qLeElL8PRBV`b1&!17>VtUH+tu9&UCo!6Z|Y=*M^0 zLxRL6+2;pcL0}K*%LxH}t19}ekS3nFQt~Mb+_>ifv&-g6-yg-OJj-gZtC! 
zfLJxULO50!^Tx*m5*Tl-V{r9Y^`cwp;W7Wa;MbdzVaey&?iG8-d~R22oID6SIjmJY${?p@|F zz`(tDD|QTVaJg^U);7m{d>_h2<*(ffu(0f4Z|Sg z5ZHS(+H|g>!|cnIt3lq)g(sU!i$y6!M9E8AEFD8=!TBfB)eR%^9J<_lMEzEMC$aG_ zv`HLAW$QoZ+av~a0~wb7_e+#879aV>&UVB7FLK$4h;{sKX0}E)e4gHoUg`l27DO=o zC`fe20EK7Aar94N0RBs5U8+C%Urb?8PgVzJeSm%S2%{wi+>)n)T#m}=tdBomKM>fj+rmq9VA7US?GVno)4 zB+jN)-(+S{)5?k>Pg~!PW33R^3`O94lw5&#)c)`Tay!RNECW~H@G7Y-+d*8O15?>! z2noZdpwOy8d+I6EZGz|IHu(yy4r}}6#|`OXlU_$S2fQ$)O^J6fdc2=-jm}T)Zes+9 z=y(R(eWC52WhQzEZVsaN%wYe4)zga!<|Uh8P~)IYWA{k_yFMW}42vY7IuwN_=6bg` zWkOZaJ#~;7U1lG?%h2Eh7zxp683baAod)az-XCS*U9PpE4R2t=^vh3bJ& z=3wF`S6@jI!Fyk0Z0+%(e`w~e7F(Csq^&Mu0~i{05$EJB!&Jb`>rrQJg}2YO`^`x$ zw0om@p>RxkTZB8;(L>jwR3zN{J>=nRQcsgW{3{wpksWTIe75PueNWAv8qSsH3d%PE%8Z~g48gpULXqs%(O^A>u)Di}H772)l=Uf$s`Dv|?Vy99}n@AQ7NkQ+PR!@KXsk7sDQ z0D7&zu^3L7FIymcX&E`I)ZW0-ZWM{a(;{IQ$LM4DQkKjjDIg`WP^q&=?x6m1g1QA` zybsiwl>Hxq_8vpR>@+|utUD*br|NrqntPPVl-lxiWWy~g_=>iXYr;nD)jJ=ENT`&G zsl(K`Ex&vYvX;oUu1BU}s|g>v?-JS{@G*i?0ccN41E0w!)dc;=v2dsIgQpU3!J%uq_`G8Nc?bgh z3sj6R);}JAfBqm|j*=pcLCifXhrL2L*;Lu@`M>U#J7on&_a6~c)lAYaqTn)1ynDFB zXDH==y7ymC07ntL8)Y)U>q}BXC@p3D8;L$O48=Fs*Jm#jQPfGY6 zl^Umng@siKLOvipP$=*ak8_;Me6w-slM43L!4D~5gR0(vfz2)>BeOlauk`N)opg~; zAPpWpl4l0B)*Qj@*#=8d*Ll{hU+(dTtAiSO5yb4kO?Ny?7$24Fj{ebpP#e}fP z!#h)o;GGUlig8H_jh9!97%(2mP+!%cl78NqgscYIoqYem90A2=Jm$smMG<}w{P;Wb z3}=|8)nvtQ5tnYYrn-rdL^0j0oDpAgag{i_`vsaQi8v=?q%+K<|JY@!3a|h*NZQ3Z zk-C19#7D8#hcCV4vE!uu&jzhlTRl`KN6BeuXuik;xKOpnd=w^Q2_;+9{k_+cFD4TL zJ=r;UwoiROy~a3SqR97c>omyKQ*SEQkan~SJ?yIvHAv`2UmK?y?-S zCPdCi-Pl-v74g&o7pkiV@>=vXkDQ8~fNv2NkL(7U&%Zl&nk2rGlF*bJaSBz78sZmx zv?nl9`s;oFxcCBD2Q5{s(i>N$o}4NCe=nkcUcl4Xt6rTGm^HYyelenYj%lU`&)XAQ zC|UV5sSdw7R|L&_^Dj4~onNZ0@1urUU_hSF_X3NdhtCm5nVbRofWIgEFO?r8aSV5! 
zmH%`_;bTa?-bp;5;LPxRkwR`gsQ-ta>u{TfbTT$V{S+?0KKOwrFG zu~JvI`{91+BfPR mcZPq(_`b9!N6HJ`-)D;A~r>>M1Lva10eW0}8!@0_rJmolXE4h4u*L7VP>S{3Z^WLPaPDafeAMH!}8c7pySkl8Lj`u-LfuT!ac9>O7AH+p^= z#xn$^9GvMF30;%>cNP2Bi%%hP5rk08wf7&!>_w_y8Vv`fW%{lxWfa(EBGVnUClGr= zEPa0*bIW6C8Cbt+1OIh!NCB3JIjZq?^6bUvT7mw%(BFp&IUeCNhx%Kptx#TsyKY*| zusnG4OQvJcDf|L-R(g&}&mR%SGRa!pTpj631pKYKJEkZCp0;)Tp8wX|cQJfJbgnJ% zQX`yzYNfQSzj-P4u1BaRP z`3o%xH7BTDqmhMI^Hej-*1ZwRho?XG3bf!hhkrRTS3+tWhDKy%xB!zU?!~h1M>|Pb zy$RE}#(YK^IIjan48>Z88yp1_n;wq}Sn&M05SrZCpE#=V*`wB7KJe6wwV`6y`J7uI zIr)`wzT7F$ueK-faATO|aO6t3B(B8bOG`lBuM@$cLUs4m4Xn|xaob6wp_YkBMFu9& z!EDJ&qMhT2@`VQNH!;Aixr$GanAI60{dK}s$uFxnPr02juW28@D&96&MeH_jRT%yL zDCJi(oc=&HD?sFE_pKf_NzC%^*9$42h0O9!Rm8`~7Xf9W60_Puqt8zt{jS2L5SO{! zejowpV9*J`9`0S{08ky7d$4VYc*SS$k`|Gs$}JDV`ikU$ z1HYBUXtzYM+rLjvq0*?gb|6Ds=KL_xA;TwOC-Ss^<@I_mK5Ww;#}Pfg-8Q|i&09L6TF`trlZ>7P z+(n(EH1;IlE!%f9BK2H{6x2qHs!kFtF#4iL_Qto4N~*Ij?7|YiraqCebfY^Cc`7S; z?7`hIa~8p9!0s-;@$iqIL}DU4r^mXa2JPi}_CU!@S0Khg`PP`=P(XOEKrib(w zKVaF%;4vWFuQ(LcTEINvGFoeb2$onJ&CJ(jxh2SDrEI7D3@IcNU`FaMRJqU`<&;6;nSp2bvSUAbR^`S06=oW2N8Id;&qfxw-=s<~?O z$!dArl+B(kzPp9d9Yd4xI<=R|c}N>Gd%{LVzs`(d;v^7g^7@-m1DoXy+@46C=UpXC zNyb%eW70Uw+nh>2J3jcqBzVN2h3ZdXD?*5Sf1fx}kl_9dws}E*Wa0$t1A?;iSMSQ_ zYt6zB5T`AFVDl-5YDpQZ=nTDe!(z$vlQKL%qf;ga{7Bgue#utmw7d*5+JZ%qOV8gP zskV2y0d9bopMoD@U{2h*$G0%O{jk9D$vQY8NL_-wNPa7e&)z&gXcGBmLB=5I^CM8o z?=b(y1tcjvkN@cNfK-P0>)+l6g<5pi=b%68#1Gu!iFaNm&<@Y_`)l?&^l2k3SLSp) zSJB|BkLyl&wf)FF%P5VUE$|;=7^}q4E)D|aftRO`l{h3M%-)=C^MKxyc+e^7I7W4R zu$JNe0rb)N-6JIFG%eE2769F1ZmajHpjVN8Xvaf&YUBNX4`%7RvW2{Z=_?Y2= z=XtgPpCwCEaVOB!mR)zf>*)BjAZzZ;&CfPS3c{(&qYry>(3tmCf!aJq&5ORr=dcUi zl1}b@dnWh2GD;q{XC&K+d$)}DU&`hUZ*hu({rOSIc(kgqT92*vrLW#@H@{V(3$I;^VZ3j>uyN{56J(j9`*jnXOIh=4R4y4i$)pwb9} zfD$6z!l97{0qJfI-QC=cU;Om*#&iF;_n-6ZbM`*7XJ)NgGqc`ztx@XSP?R5f0emD= zb=v+aA~0kNP>rPcgr)>aPH3)UT{B#JDQw`zJ<|s^FTxK}d3D*foLoOuu@`VVEr^cC zpv^apj2uTg4S8}AwFkn{;k$u{2RVBu;xoX;PRT{phO&qKI8OHGV#hhIy-P)o&R3ag z@citV)!u2_(~pDfI+AwkR7O`qX}F&UmV?dBs?g;Dk2T)wY1$~mhlV341?!Ttd>|#T 
zX0MY4^68`J;hI1_GSAA}d))m7ZBjlUK-2$Ok+fDk6%3dqx|QO4W=T#D>4OA(yNNQ6 zH*kI55J&@ZbhCr85Ehf&ru*6kv(==FJW@g0647G??C@tJ;&s@IlYV~BHUe=(cHpxQ zAOI>-0>~7yXoQ10^bQdf`vfWe*@)O^56F8>lZ*n%j2)E@3(hH#Ad~p4yK#;v4PuDP z9$CF`vb%6YeCs|01CxghW?)WPHJ~54zskj$?P&I1{pC?ogme*q=t1IhuivKk*&wlZ zU>27bcKvHGIWV$Zo;fEnN|02aT+ztidh#+TII z(aQG11_b*zx0x@RVYkbTk83V?vW>oeo;)z&$j&?4ZBpduATSY$^3Z!HuLOU)GfGFE zVdFo)m)D70qGfPj0)&DNY{oSbwX8qpc2kbDW0iBnC$_KvYu@BL=rGyZI6&J2_AI^D z{oKkjBih&Xi&JLLHs?X=Ozn5C#E9LhP{r2`2t1-}iHzX)tu8im)TdJPF(^8joBj`}EgSdzi%Mv~_n8ujMD?6> zqznuVM%e&Bd3NU;A;{Npp}dD_v=>5jcgxy2kf?21;~Ua2;kWp`99N^1L0*fKK~lD@ zI23r#JB?~y*^UcI_4dx!jvMZKclVuogGS^>Jo7VN-y^LNy(;Wp*qhHNH2WTQx4 zCCc93+pv&#ahor}o3`6&s~n-w8gUb}o;R_ixaa^S*`%8c1->p(|C;M$z|0Gdt5S{F*Gjblwx85VYXSBh0^bC(pwV`%q zbZCgQqf2W#o2RJOc?&^rwz5=QkBwRX`to6&qD6Tcyo`j?p_>fE*po(fD*#%%Q{0Wv zRqrcqtAPn6_HC!sXF&R0)+g{6go)2Uei{qr+D@WS)|0yjh?@EyWSI4bY^Uz6&n}68 z=6w4uvGS+V5^5%+>PDX(1&@yt7;07LYemZ-iX&3i|bo}yD2uPjc{cbffgFsdF&1ZuZ5(BsfcGw)mY{M2Nm;@ zzWd6>l|D-qiK{Jbeh^4PmN-}+<-3bCIWwfQwT`^kVj z)JMU_O~D-?5iIliP2}6<6fdPB4-PQQb(YLzM_U^V#+v@&1q;{mUnp*)*bnO6n5x!# zO?pGx-54unSkeA5(vvLMrDL89Utb2jcR7z;B>)h-tVO^x8OqUc+?f^knQ2m(X-Kyj zD{<`R9yuvMw8tYTA+S)A(6PS3x_pnUsf>dC`bz{7T$ehE0P zcuFwHCs?Fd%@h)2zg(ME_h6W{^ixS%%aM>4B|LI$D;jZmE^9)Z`y`XYpwA!#*3dY?~S_*@?I~)Nu*U2b_EQr4x(qi)-N=@I(CXAi(P`17~~>vkWa{xttJYC>@-c z8-sA%eOWTeJD;p>5cCmnR-jwX(=E$Wp7m=(lnA2q&Koc7a1%oEb1U!=!ywzKyfF`L zEAWRI$9bRXTq$b4)P69k3Qi%=W`sy5_Yc8ee^q8teoZD2->QtTXZkE$)Z(znkk|mF z{(}`O4^oU9;ymt?G!?e=VU#m&t3gJcTF-K!gCCExt3oGnM!kWgRFlWGuA92#%>Fx3 zCnxTkGD_wDIAPJS)ZgEG4#s6 z!=(D8;&7w17qFV1ynfFUM~kL>Vt^AEPK)NykZf(j# zkiXGv)R3Uzh>Kvw$P7}Text=L2=K<+sd8V=7_{w zd47*P0ti{k6s>1~+@)u@8~4zjT7qbO&pJXA|IU>K7<+2ukH|WA8t{O~1ox#~)hhia z7UJWQr!No19tAYuu|5G>I)0?YFl*$ztln^^_|5KSgo?ex<@=iLn6I|I!B*P}+RsbXQDTV{OjY6%Fll=3;XAKI zg+V40a5`vK(V1y9y^cZN$Zf^giv{vl-fL@%0BRcCD#j?J7iIVMlqma{h3F_KPQ`Pq zQLF?(F%*c_r}193f;hGz{^(0VmOe^^jVd2K7wrgH3B3nYsR#BW>zFv z>B^}hRl+f*k49bknV}yA6pF0Brw9Xj3`mj%k)WT_S_v%^1}^+A(aFFF#(oG^PDaB% 
zGCz;!@m7A5sfsPiDK82p$w%QAZ$Pkkdw{sBN68*lIA+|dch&@Luxn_^3E<*t^E_v_(TuF7HQ?4Cs%rlON%y+^PHw^2fiThTI)lSlc`=I|SB!;XQ;5G=lZH zP7##Zi-l{w_PJK~T={wouqM#Ik#CUEHWHyY+8tQARx5>%X%uUJVSZhcCO4D#f$XZM zP0CZ1*M1s6FkG6@p&wR%dK=^=ajqjW_sZ&7U#UouV%jCD0|HU<+Kl4E{ zuat(+O;|;NOhC;&v@tOaLU5QPVV4Esm#m=X{jX_M9|MW<1Vq``1C z{k4BN(-@p7%1HWGT{L_T{0@?ja~IXGKXppk5%TzT8{=rqHK%?`Ya3v0q{CNJQYX~F zRrOn^VnrT$io3>nXaqP=gCO_FlP^e5@D~$D(+d16E)Kg=GGj6&9>I)kHw1@k;KHN~x)SepW3V0d6 z?*4uo#Cl)4VXmFzkg3d(`)HI5#V{y$)aE4K{uZ}Ia#q!;p$f2T+%;B{gjXY*xNwuk zx=X66(hfc{dtM7Yq=pJ*?FE86Cym#(EUxw{&%0KU!dod{eu5~3jmymBNT@2@HSxY0 z*Kq5~j9arR#I87RPHphd$gSK;T_^5@(k)hw;m6rH$1_)ue&@2XMOsG{jbMkMjdi4o z)*m5#0(lvcw}5{-UhENmJJf%{7p}-@zTfY61E>FZwt&98rdp_>(G!Fy8&Y=S*PQ-& z<1-s{*4-VQQfNV_d@O_*RW6T6^)?d=ArraEYy<3zD+B?)fgd-RDxdu$U@8D>al}cg zlRhqEP#csXbMUiLUynFX)hBd_1_e(r)l~qUDyQVaDJ2)Z_G|SXls5WA{bt|*MExIR&0_{0sePj0skfm<3*^b~+o zTi&+LLjs$nujOl7l5_0QGPf3?(zL4K!(3IL;KKkFLfZaXr_m&H_ko*O!QPWxAyf99 z@0Go=%Y8K;2i`rkrm>KA7yFE#0A|ergR&lbh1~?Mf({NUFmfSPJx85M?Y!mnO|0Lo z+b)(BcmDyn|8hP6k$$2#?j+0vQC%ce%ec#jcw)>b1E=aFt$LDB0J(6Hr zCnEq|#scX}GQX}P!D}GR|Hfxb;@rDyw4#qwHcI2S7}HLG7v@m+_!D7uTW~4QbGNb$ z{(scuFQ8GZ46pr;KVs;^sAEdmIN{6|Yy{f2i`6A9=koU|Z}!R2^GAhvCd=`X(#;CN z7{XuQnHDAX1Swp(euc)(Wu18!*xgNOdxi8-xb?hHeI75ea}o1|4snYZpx z*Yu5ufFaYxwz-*dO!ha64@SAtN9H-U9j@|wc1!FDFfuaT_Gp;lKPJ;90TcSYl4AB z>TOg(g|k9Z1Lr}!5&WXcCBq8-qYE|7296PP_CTLbP76~4#}KxsWT^`?eB#-D8jjZb z#e%lqnuZyrMd^R;rJudlOzS@crr1qukzcH`)&o(E1VO+b0Cxvk1yyM}+LSl0Qls8e z4Jr0(weVCSJWWy|rV^xi$EE0Da|6~X&`m%`@cK!aLyy}NhZpW9t1uoe?*}!M|B=i) z%AJXmP}LmM+u2zkI3PMdaN~T=kGmSgA7`A~CO__MnyXpy&uHSZ?AAXu+4Qy_s{}$e z1WJ^{Gic3jkM@bY^4`6zDr97wtzKECZ&+TZuX*YXB3cOrQ%l}iEYq*JQ|?;RJWn=% z{F`S3#Jp3)R8>n3Rw=skP+2i z^g59#1c&?`krofm_@|E)WERHP{)k*F%f|gz!Rr!AJom~_g?>h^v-lyAA-Qf&)3jrF z%7+|9CvX_4h@^niQHf29-22@TR@iFmx-d7{LFd2E>!Vpnzou$h4C_jg8)A+V=GaUgY$rS0!Yo-C2&%3@ zl}(Vsg-_TAqh%r3m))Rf7IURu;syU3C{vVnR*I4iUa4^DRK;pgCn2b*UZBoNs{*d~ zEPSr75V@R=$i}LCs@1dgWjo{9SU~4!YydKPjvR{vl?(Xd8?^F?sVJnQqr-7_mTIiR 
zJ{8OwEIC|Y#1Y4=8H>U3h2wNT#PIYXn56cZsOLsPo?)$~X1-xMK@^36w>B6BoO1ah zh=v~F1}ddR3%x}~yT?GE^PD~?Q>xrbHQ&mtBU#W*#nOLi9RJVz+%CJO+D9}@LV z&MPG25~iC!V*C;(d($cgyc_aGipJk*b>Nbh~l60(D?hmXg3T$@dTT&o3a@x zoo>?2kZsj4|E`gLTMVQdrY5BVkK_%B0fRP@A7oLOV!Ii}-TWDaGT??(5i`?5g3?X~ zQW&^mjN3@iaK*t(YP6V`$TlJrQ*1CO`F%`bD+$J{n~bG+FFQW}l@EG9Z>DNDO~QEp7;NwobXi08X9|Ve|DSaL@c-BWPoB*3MLKKK7o^arjj%<& zJ$Gv_pgCWZkyAyg?)Y4S=>N~qQ~8piubG+hsL<2@j)Kg0?8nO_|FNQ=MeUcNRD`sJ zH+g0De!%0hI;C*t_uYGPuln17EG4&p3h zTIo=_#hXR^sge!j_mJgVuf+Huzt1-yLJejq-eLVYS&JlfG^gQx>XGVKn2maE|1R96 zK+Z|fCI-)+0ISNPl+xr^--EHk3B>t?X|_RnbpSfo)0fP)>bS)+F`o1pU|b^P3D?qp3|c zf)Fs>o9h}s^uK+<2c~YoW)DlaVT``W3Mc=WNciVNz+X_l|0@C+UjKAx%Eg}80xA50 zi#y}VbG$L{XIYq+%WkJ2SciB22_M!KbU?lzbREAh^8C7}a@`0j%On`Am>Lgym*qg8 zr>c()vxoj3TsRu^bTrr{e897<_tO1JK2EL_kC@`*bvdk>?vA|5xwT(3p5i+~?AQg& z#+z}befF5uV&mEDFKE@btufXsXe9YL6**r2-r2uY4 zRBcx())YM?3IO+7@vMe9cBqY3nnFD+8=0ag06J9U&Blh`JzALnk$%DY!Z7BKF(cM5 zIqQDbua~J?yyv*hVc!+1#^94sD146Zks*r;tD2z^7pCBHv}1(6LfW6zF18Nz=DW=L zI3R%&{_&OjKXnG1@DHvfCV=~@vH>skq0(pPYxNYe^XvT~1W2*CT z^5|%0XLxp(U0hXWZdYRl4cChnqrJmPJjcC3CUL=mtuy`Uq@zG*duaY*=X-hj{1loQ zRuURvj(Wu&_NTI5uMWtLgRoC43;VEcP%S2{qL&{4wURI!{vvt9R4y^E@G{W~*dmAu zBQCvtw|zyCd;YR024TN##Z_P!CWo5MI$o!{rJ43-peFbWrRjY6%z0Nb)`Z;E(o1dGAk`$dm;Vx{y2>p2GMcQ7kz`;DCg`M)te1|lhO?Us#9qjCsOfDB26g2(n$M? 
zY|O>I-kaaNvc?rYh45G%a+~a{*y0_&AHc;1Ym3KBUtrj&#i`k<`cy=k2S#U1{B)YI zm{N)m)4-so$9{x8?dg+Q=>3PHm``Ox7yw8T?JsPWn-T6$LWk?%pDq_wvbWI9A>V}% z(UFpldhxvDJ$N30iHDATU47#IYa&5P{TmT<#YvoVUKoHaV8ZT5vtCOArS1?eeDd;b9g`Y-hr( zs4)>INZ7B~qV{GRg3rbJjXg9%$w-gwwW#<woggn*fvq!-1{N2D%~Z>Ar+$3`QUXJy?4(F`ILHG+p;bQiQ1TZHIwvDl)* z+q|f4!-3TY<+e@wARQqwER_vp?nlXzq-UwO%eAyO7%ja)F!H_6)(04Pz1MqG?zw>NRU<3S z^jU}miis57#hhBmyIRzhI~dPfSf^ERdBjA=xG`jiv0#7QUJ=SmK?Xz-@rk_W99^b^ zJT)<0c3XVQG}8`d_9O96cZ}jfXrsug(TJomoy^hEec&%Vlb1xMl|n{xe&a|?Z;R-V zk2yOd!Ko~c?+HO5O0Dpb`^+fbNQ6FZefsf+HzLKBTEPGH{8NYsg=;9j*p3IKe-m2= zV~vEb?xV)S1_$#%;A^K-dYTaD5`mGZ;E?U78s&Q(wvP>?t~OI*PW3d~rRBc(4>4+r zNA$7vWlua$Ylvb?c}hn6U+d>ieWS9veU1W+Uqo@jxsbzFp|Qi@nj$xcH+HLOddKC? z+?~e)wd`64J}S}SSu414HzXbuIN);YJZ*D;%N1_KrS8Giux00-tj?@D&H#;lI(@5_ z-aA{=`eO~R;Zq983MwWA&BLuL<|&Zag8GTQ6`Uf!u#Q%#qOhf`5bz~xW)njK(bBks2|m+$nvS{-COQqA&7I6rSzxyfE%Z!F^bWe=uAE4#`coJ`0A-o=G)GW zy$!QuGkA(3mq`;fTPN!jYGS^oorELdw?V~fPhP(stHxPj>@18}h<}Oe z39JND(;ZOD#E19aVG2N_W_HCT1;QY%cO)exkp(sHJl%LCj{Fn>87Y=pQmm>BSK#*T z?b-;tX~juJo(?(uJ@N=?tkTklsqfu;_LI&h+dQE)v`yy9KT^|MQr7MCeGDK8Ks)9Odrj^he{yF&{S*`InxShCunWT^#l*+vR$%@|ou{qNB$V-W4;8ZXfQu=b;T35IBno{_T^S-if3^x{C2@(riocgwyDH z6g{3EXuJYM@}F3!e+|y9beB(((WQH-c=x?0JbfI=DYvF-(J9&R=^!#qN79>=Y`-RE zMjOwrj+07Y>LjrW(!MS%wYqj6!*r=ilHIxTqql8ERhP;BOw{{zVtN!Z&T;qsIS>2x zuYu#HWe&WSDpgfHcgd-YKN-s=zWMCDNo>L0^e}lFh!)HeUH2YeQ;##&burG(oXp44 z6jqc<9i||8U6Jod_00u~eFzt>MGV!hf3sYT8I@HQ`b9AUmZxdGs#zL`!g<^=osJ5Z z#CrJck*T}t^`t~XJy>0u5vB9$RqMU(Bjw&ZaS~P0-?OwL;&iNdY!8Jhbi(A_Ln?1KJk24b-mTf8- zB8U$yXJX@BN!2qVz(`CPSju8?&3DVP8e;sakeAP8!ZM}ZU^>J|#ESF~m@V2aNnzD2 zS2KvOeLKAE>DIE*Y~G-$0jnMwvdcDHhds}o(Jq&l%iVUr*2RY|zPXlli2J=?C?VH6 z4S4PGskY~%eiJi~B1$)POTQiBLQR9J8~A@6nztZ2kNx~;ULE^`9|;I#VSWJ3Em~Lc zTL?(FV*h+NzPg1Vjcb2^F@F3l(QiwjM)Z|5T;&Q0jnAFue^33q5`rM0k`dQBgpj=z z4kv@?NHh!#(8_j6dpqdQ-M* z&T)^AWZjjC>{2SXd1N~BxRxEOi2!DMABw)vZ$sQqOx6DpGMOOGb_`3F2qlAZ%ls>` z&uA}~duY_og{U(z2zz6^Cx@UX$7j(Fvh!VXJ+=r}O{re2`V$Wl%r 
zgcvlZr1x=IuEuluOhq^{Q;Dz`5HC9tp)F$Hj+4*jjZeDg5~GS7mV&I+O!vFapX4((f2!1Y2TiU4?>oV~_J3}GU&VBh(fInATd)4O6$uBGxMY%T?&ZIF z4E)nYl=%=OGD|{}e}DLAIN-KBLM*ZQlv0%KH|Q^egXR1Kf*=A4VhC-a3vJH2ayDY9rVRf+^Y2?I zwIMgT!)i|RqG{l4Lw+<=RN~=eBC+ERCr&?~{=K=gqIitjUy5G7%$SU!8S-0b4qd?a z+FJx11IX_DTjswVBcn*E>|O~TFvrm{rHaKDZn6Cq$c0hv(W8TQjatO$?e7)_ ze6A6XauzKdOuYPW1^*sq{t9;}XWO56*WLT04FLd+SOXrJba=oY#l2?~YlsRx@#g-0 z*n!U>NrN_&FPsedkK(wVf_DgZPp$rt1X?&~RH0=2=>I7VfS{SCfw$=A_lN$_CtNZF zNI1x}yz@tK?N7iv3eC&8znGH0T1&|X>T#pPBI6&WMTUZR-oNVA`c*o>&vuJJ!GRI5 z(Ejufb)zHz2NM@wYN6C0y*i7A3q@*+O8>6}{r=y`2>9oX|93+A|4>H1>Hq(gkp3&9 zRbuz$DK|KH28pbrA3j}}ym}_%YTp7ElipXGGaQNx<(?1R@=HCJx?pxpD#aw8sND0z z7%;(Gmis|!JZsc#0($zfEHQtGYPKps2U|(Q$b8xqEG|&J0VLF(A9XBt#F%Z4&%k%v zTHBRHuUVbIK%?DWkp*_UAGQ_py%fS3U`kG%tLIbPZ^)Atg&s>tWIPGQ@Bi##y*hb{ ze;W&{dvB!iHucY;6Z!r|=-It)KZTy5*8mBZ#31fC*S}Qa0GN544TG31IuI47 z6XfDjxmb-T9q&Fo6USgS^xma|!IzTggoN}By)Io=!A#H2b&Jt{5NwRcVRzW(kEZIu zRDe}`S~|5a-s<<|#yfA0)1_y*X?pvv4dR&f&9`u^4Ey5~64J2@S+s-^I)Z7sO(*=C zAn&=%x+?c0UcZe2!1S~o7hq!EF81}UZ})iq*7O|?v4+NhpObea8#3#xc8O_r&CZ3B zY|k}F=-nHv%!04CkagM$MpP5CsK;*g z)86a0W2NR1lTOFbROzlTLb9uZ7PUrB$7VDzfI}*J-NW_5eXQ6d>y6i%Z0d*yeaiBq zNp@GspTmT5031(TZ&Nsaj+*vYe)WD$;V`R1E04X7tVJLYRsQm9xeLskVhR)}nZsmf zHtGdWg_+VD8^QFpv_!$)7aa^|!$9T}X=!;dmu-eiu4X|$wH7+=V~2kr=>q+&gK#o_ zYWw>Ag1li9qM@)bc|jxQ()u$w-ADH9$pS71Ubl~iFViDF!^E@6trx#M?N5`$Samst zucGs9JeH0ikGa0I2VRxg4oDSLZA5!Xy@@T35TzgZ?87?Yw((3;MmM0N$sp`1)-*nw*5vYSHv z`H|pOtaV{+t53ao5(v0|PvBHDbf5F!y?k+gw8;ez%r3DU0O&hXIZ_9QnG;2PJYOr8 z7I%Nknr{i~z`9nS9_Y;40gs#1fk1ihQ%#{XF&|C1$9lrJnUUR zfCMwPU1{YAQil4Az1QCpg(tS}#3dwZ4crH0*nRA*)C<`!&kW)!3zw(6FVC!xKY#(=K)=V>HZJL3v%-5SaLT#6=FM>P zRV)};6`e1SdM=pM-jVK-C%Fj{-dlg7y0_|At(Y{dn)`x{x83XNlz8%1FXU~1RHh4h zyVXe3+^|1l2ADR*uHk$(5GQn)Z$)HEU*lB}(NSxS^7b?n3K@?dm|?0B0t2ekzrR`Wv3gyOhWYJk%h_( zmb&Qqg_Gq>K{AGv5Q21ykjJAF3wkgURSXs>&#OaBSxe^Tf!>R$iRUYkRH4VcD9yw7 zn<1}jy^dj&49q#v&MQB}S?`>lEGX*((1V@FI92=Dk7iG-kL^O0U&X%`G{_TwVv7|Y zM(^<=e5KZ1nML==@_zV)eYGNDltjTyC^(w7-Y4sU>2kpo!}12)Z{Ihs``mlD^wiCW 
zwK9gsU--u)GB!Q*L>4 zS)gz_i+C)ksgs2UQkHe=5`l-(XVz%LN~zp`o4%g1TL^9MiI&fQPK*K6k*W=ID02dQ zrE3VJ?s^Tz19xpaWfr8~;@4jX5z|*T?gtSYCY+R3Z{MZDB7FqaK$U;T9v4br6r0s1 z9CtE2eotq-_sqaWBMc!#L+>VFqd*`dEEtDJ2HW(Wj1>aV298knb?!IrYaI;usJ-L@ zWh3INL!l$jG|0`mVjX;Bgp$B?q;O*_K3f%QLb4Zg!e&c|`86k+`6;B=c^HAw_B>EP zp4{jIUn4RkrSbd~-mwL^xxNeLPnh%w3JQWn*iYB!Pm>XdPw?5eP5{ki3e3F4l4iqCKm*YVW(aTzrR ziO9tY4Homg%60iVotD-g#!c{?Iv)dz*)di$0TLe-3J=q=8L!w2?YhJ_o=3%2k%D&h z!o}kG8kMxix0|m*84kv|Evhe%CQQ3hfvQ^tazI=sd%`NPSzbWhx)lMN*tedWo)Wlh z8|Zp5R$`=&>k5zanS5x9AOoUinO>lR#+wY$*RMQ$AkN}B`q$cpZvdQP&2>L)Kfba3 zXklWWknj;BFO57as?!&N<@L_v!C0-JjUwl@C>5VP-&T&AaS>=*3ArzK@d^v@w68jS zcLx!h^hD(7MEls_aBbKn4i6C(Gjgdr35JlNh$uU4-nfsPjZ9WpFCsg=@d-@v=iF@uO&x)o2EYot{LoYKBOUAZAS1t=*yTKT7iXKdpu~lk2!2>(4JBK%- zZV~75$<&QGlP7(4%;h<>8P5Ph!J~`Kx$LjJi4(Qm_Ztv#)o8OoGuj(Wy#iVh?-=;^}_IY(R%^4xWJRov4%Dv@t zw(4MK^-h>$cs)}sOG)*(W?!E!-2D7;R=$wX8QzFVYqi!JZciU@{)kcVy4}ekg!kVb<>ecUm#uuLy=}i96lheBmQm;K70D4M zwVG(K5-kD;!y@F!7(^E%(wi_(dBoz1X>Xch^Vge;s|fpVP>^}Jn<3cSUW@Bws%wpN z{L=<*(@da|hayNjriyLwu0OQYxI0`5-{+`{eDw{_vnH5pskm(sJd-JQIn~RMx}5km z!^e`#eAF;S;o|i#AM5W=xiE)&fQKb0ZwX!4nos~f&5HZRKSz$(tOB^V`ygvuhjFv9 zqO^c8A(N#vrn$xR;fP+eW6cXC9YQM~=i-3`=JZPf_Ly%178Tvoa#|z47(~!fH=D^5 z=|mR3D_+wtJa=qUMpXuLL@3Dj6E3m`AU2&rigQK0yLDe4_wl`IS2Ms*^O?fkpSLqh22Ainj{+LY-*EcTcDJ~KHzT?jU5 zv)AY6NPD=tlD%BEgJ(e~2*c^k-?D+lq^y7@W@@3{h|N-!TuQ^?Ras3=(;*=usQV0! 
z(M+mpgYnRvuhehY$Zgb&S+!-h2wv45euixx2_A^(ZzX0Q^_fpH^X1K(M`~WwT~5uI1hV3qSV>7g>-i zNO+8{1LxLi7W~JjrqHhD@uZ_ggf>uV7dx_AVZMkwvlZPajyxpC>d;a3z!3&Td@llf z7OT-0KKyxZ(sIIl6hA5!Gv%e}@80nWc>SU(F|@F;1eGNdv{v6o!w6H%o(m7%>p<-t zmd>cD6RwcM?0tdt2+I^o*2j-ZG0Togc%o_>Bs>_%7hSH-fx}Vp)CVVe@fDKfVJTSuN61WFV znA#&`S>&{3TwBF?J{Nd6wem?(a&wY`{Gn9O2txg_92d_N@cekI-dibt_h7bY_ERm- z{DBRRZOiA#(J~z1m=Qd<520<1+q#+AJov)CNKn)WL7MXDDEVkCAt7+@e0#m@xk*i~ ze#s64t=6lgvqui!FbdY%J-f97wR0u*ShH)SvnDVHQfM^$)So_P!}xx7T(3D^W|!>F zPo!=;S@hH^37EW0y}ELO{v{Rf+qlpj{hu3ZQ+WgozC5D_Mc%2!9??1HfQ{*LJtB79 zMU;5ARlo6f2<6>c4aO|KlRmw|1^%Yew*4LlE1ajQ@j~U9Jl2C>s1WU7I(ya+<<@15 zYe}ozwhP`8M^yQu4QqWmCe)&}WLzYtmzEcKA$r6rJXXoXM64-khkYTaTva0_OA^=!p^_Y}RyM{o1>BRFfl1K|j5+|FM&risucBxS2t$%5ItUnC zT0Za>WPee-Uo2jG$g5LjlWnM_%%t}94SPhDY@WU3vOK%2WAZc)PfN!;*d}-igJGY^ z#NjA@W6CP6B^Fmx^~~)hpB^>dyX#S&AT5*Y$ZrVW?q)1*?aB zU^jt&1ZQdS$`WgaAluwf1e=&^tUYP--z~U+OcMhJHQ#5a|iAz zHYzq;dJ68#dRfsP0Qy4xHhTtEx>De4BNdin3MTPeN(AIo`!~Z7NViof}IbyZn@1W1Y56% zJF^?*QWI<5;BtO!=3bmq-;j2mvGsJ#Topu`oOh}Xf;3_C@nT8OzN2vbO~0qF_KCx8 zOY-Ec^Lk7^p}?c#ECq*w@Qr(H?IlBwd8;|LMC}SghHOOiWA#aTT>uf=htPUL=!W40 zjAPim<1<2BpLuf%joxYV*D@5cjwv>oFS_Mn`uVww+Kk3Yg?>%GDT%e43zj_V2C|Df z!gL9gWW69pyB|9>?_x+d|byZ7<|$Hd^>&zOkyq<3Geaxti&KN@wMk3X31ZU zQz$*?z3a)~nF+da^F`Vs+XzU4r{dse<(N)j^btfvL;xecczxr|Wip8cZTCtkgh)0$ zIZxJQqmm8y-2Spjxb4&6`gZL6%Hik_m*Pk8ju6TpKSyqYuPwP`TZH`M-TT*53igxv zub#xe{ck0;piI8j2kGC`^LL*wXc000^Aor^{z?qGbdM?`G5+@P{`&%OWrv;e%eQ|T zadgv&DEZA1ym{Z4A?VAUn2})rwYqB&?^?TX-`G`XKg__ApYL6 z8-f2n%i$;f^uMN_I;v6f@oWxB?)`$22HAz|Fa{yk@rI2 zabKv-GIYjt`@c#EGsV?gs1!1G0Z3#-rf&=$NfK>plMiAnKKt{(he*09deXt%wW{bA zJ9ux{BIjEGJ?t@_EBor$xOdm9G~LeySdVCe1x_Wx&hPH z)|R_||9cAP249V`-G|+b=2WHjofhbyD$;HU`2>?N z?ayq=wD}Z$S728GhtE)t(?CRDQ1mfzW5}P#z&ZLs!I-97Z7aW zX>Yp1zGwVj9V{sp8%l#Ow!B6)UqR;*o?UrhrX9@ghx03X@KdS9j))T`-1LLl1N>+n zdwY}oG57*Nw-z3z3-0sH`RGZMwsn;~OkU5>dlw6FDoct8c%O$ZV zNfhi?aT$UbaGS$W23>=NZLS3arL4X%8AJjV z+fe`P3z*pV#7#%j0U*V>@y;7&I=u4E%=Jq8h{MWjemp6RVGmJ{vj)#TMuez2Z61C35fJb^8!0g=Ra*PyNE|2dI3hO!vQd1N94)QXh 
zsUD_wwQHST*huKtkZD&j&E{YM49|whTJA~8%4l08_C)#7DC&=SEl29Z7E67V+XqCI zqFVH{I%vr4qPV?yy7cP5I};P72u2)y8PhGu2SS~F%`J}Vw0kIi6%f#)3mVLs3LbEe zf00-(K)KS}RwqfyMP}!&)F}~;-<|V$mCQ+@q3^uLwZFm+HMCvt2c0zz@KE+^>jfRp z%Kg!d5a)tn{ds()j@US-#U_mzxx#T`xxkX4OvmC9kY{SFwOQocw(V#T*b^;(?Wsgi ze81vqsmN;tCUZ8t4lsflW8T^Gvc=qfot5cMAfRE(Y|Fy^!!-Y8Yy=}6>5+ZB^m0AZ z#Pg#Q;Z&hdFf)s;+zgkNeL7`}go_%Vw?Y|A#&b2ui$Uy<4@o96JWlsbuZt6CmzR8~ z-*yehHnN?`)Z^TD6fGdtk=&}^@q|6^tc@0=RiCc9@a;$vQ~*G`a7YS$V>Mu;^g)1$ zSc-elXTM#7o8)||+EE|SEO+O>+qa}!``Jk!%Jt%EqGZ{k>=CoxV-((Pkgpmajo7w% zA>y3E#GkRs^uqktG1UGP0{U#2-s;t`@UizhbmuF2$$@BgiTARnhj*hOzSI1xaF{m` zQJ;5KYy5tVE6+@nDZ20@=`}Z_fq_)FgzIkZYYZRu=pA0CmTyIf91b?YL)pzk{K z(aTiraOKEXhlP;RVx6?W8H0%SdPM1SLc@`}8jf;z9GS@Ue}t05q8EH zy*L7-bZdDY?CP_9aEF~w0iZ*isATl;%4N~-%_^S?uyu;V}9iv!S)iU-jiXBw>^$Hs|%ldz(eST@mNWZ3$O8BYd z{ZNKk#x#!lnW_sBnA2G)`z?~s9I=~b+lVtYONM^u_W*#cU(TI$X0&T^`!I9!?c1u( zw^-GkaccKv@S&p^rbY|t)#l2v*;*pZ+XV@9MpsvXq_3yb5L)4CQZV9{`v-UPO?pC0 z+$WgdkJ=_+@N6KvbU-8*-=-YPwN;?3ckP||w#7^%w1H%?s^Zl}LZemp(iBYlq2A;y z#qQmLSwP0JUM!W-nz72h?@Y{1dBB%0Q3IoL*CHH^Z)1-6PRb0{3ETT>*i&A`3G|Lj zqk3izS5o$E>!DU0puo9Z)3#{;hlm!IgYT+UsIlMFfm?jOB7Lho9w!sBpx^r%oDn8IkXnp#0s9Px4(8YztzT>=p z6A`vXvimwW)se$*KP2d!3>d4-b4zyJGOMsPrh=JmVfA(#-j9&QhYpSuXB6)C*^w`U zdM0Kh6Cqb4eg6RPXx2Em|5liapc-4zd(0aoJ4W-eMhKlRpxVuFI8VBDnJdfG_G?^( zGw5mMZ5uuUP9}J{PQy^)(G?-INBS3Ewn>g9&e}u)MNB>$o1}hUe-W9+4~fwif&*L{ zbkgARhH}!i5#C?tXu=!RgtCtse%}!xB-4tf&hse`#VC-{-1qs*=s_$)UFwGKmE5tH z{zA8ro4qqall)XjHHg*XdohN$B+Fb}7$(1S799qMjFziQv z9WZzLr~$}cEtufRojs8YB;1B+`6H37mwB%(4DC;HqAzu1wUKb7FW1iH=x#mjTGWeQ zW6P*l+T9_9%zgI}J2f*LJ(kqw0Hwb$?xh(1&d44l(-nVT{lZ1t{dm1aATtg6MW-|TV- zO}!7SK0Ec^gyg@OVKWh&$|*(LasytdsXcd*`<_()9eQmWM^mw8gNVU*@iyJ2#sUO6 z?1Zw~rhF~z@kL09eG5%wl#xS_Ihi(z+XsjNAx&4HlsVF1pjO$m8W6xwFrMtV&c zE}!YUGxM=0I#(Y7t*>0pg|Z0=kM=pr7CXF3p-njqd8*AkNx}P(zD69IjbI{}+k7@k ziRN*HNm?%k9HoHsU`(5Fn%%_jpK_H#-`5%!d*=*z6%2KTv+1rrAMne={I1qG*J~_Y zV$`gjYU=vyKE|Jn=7Cuogs-WsD^sx=yOcrWW;e@K#=Cx>cZKL#zN+4#tAA2y;h 
z=Fv4F+4ixoHpTT8xvd9OXx6W3hA$`cXt>C4VSsz)|KRPd!>a1Oy>CGg5dlTwmXwkP zMY;v)l5UWa?#>0GAhl_b7U}M8>F$nAcSz@kccFI}_c_mbpX)ro|MqpUgSFrtN$q+@AdY8}jl|5a2NLW#b1T3VfKA+{4Eq%^g4(igG)BFi@7vt{a5($1 zdXL%^=eY!phqEZ5?gqa0AYU~LvWyA49}~HHt#M7yWMwl9-6owQMr}S3HA~I-_Fg}IdHOH3yVimnbvj{ZRrBUB1|+lsNQrK-Wll5lV5#4N<>m(W`kHr5ccLYoJt#`-DNo5fC@-8o;vZs&J zhK61*SmwCpui=fH3_{DB6~YeWEHDPC95;-gt@>HAk4ylGe(VRfelk-W$C!@Q3pw1a zn$L?R>h)DbwCEj7Y4rVG-7~O?I*2=a9RjvarynqJR|-*cW%De?biQdju;uZs@vl>N z=9vh?#N|OyY0%=rcMVA5ukKw$hZ-50pwsfv0igiwB{P~2Bv8rDKPla)S(Y|H_X zfNEAaduAoGrekhgwrE~!6E=)lHxr&VrM^{aZgN1u07KtRyo-RqOpKyo^1KIG@%cwL zrPisa>WqbT=p$~TuwDQGN!2m_6JtFScw?+%8g4vEbC8^SMltfRNjY5Os@JsG7uTz1 z$;vsDjBZ)Uw@Rg?rMMtZEJt)$t!>VQaZ0JkvE~3Lk-GIlc6e^*vDSmr6uB&%jCe^f zfRT}BZR7w!DAEM~#K-4JF=;Wm;VN-H-IqcI>v=qvOfWJo0E#c}ec-~A@YA&y$v*zL z5Rv^PY`8_5BlQaXez1L;7U3Pnsjqm|CXu%@+|b~JGG7`(i6R$6s%()6fS4SX%`;7~ zAC7ia?n)_?5!ng z-+R3ib};y;n%LxAq=C!Av`&RwmK!pxvGk&J)5LJ=rLoxF*g8?^P*9Fs2#fv42;r^B z(-^nl!82^&=gr%_ew-{ws1;H=zsRgk`@CkdqEdI00KX`n6EkLpKl!ZU%N#=TT1AOo zZf;vtFzuy7_U7dqc|p|Rb$yb_;p<9)%rw0a%B?!OPcg}^xo1Ak1(_n zUpF;Z$HcmbE@y@h%UqT0JP>HUK<9k9md=;xGHP8kbp z*YEn>CNB*{AXd+0iG(uV19L6v;h09$zi#uNq5rs8y@mw~ohm=rC~jCOb@4gftI%cC z$%osGb-Gn}%d-Kj?mNRrrG`wLo}BOVrlpOoSih_Xq)RPC%5LxCNu-)64%M;6zyZ6q!eARJXZsWPGmqzmA1dTP~;u4ZKmyCOSJAknKJsDHCKz-U&ZY0~c?1i@FdXwP=a;V_S+ zpWSn|j8xIA2ydR-$kvcJIm^n>+cWL%xtic$B{I|cVeWaLPE@1u@hC+-I-CH<)~ zH;-%jom^rvUSr}ZScVMPCkq0uR#y*D*e=Zoa5i(~HlooLST%XQyTNEkMCp|@t2rFy z{RqV@7B`!49K{5v2)FuvoFo?;QQSc<8XgZRkEtq*zFY+d@^1O=F0MuPKnJR`1@ktP z4y98r66O@!qCz$w^;x_9ql7f&AMw2ixSFOXl%HZ6{}C)**MGsH5;%BOZQ)Es95*jEk{IPuD6?^uz{Nk z-d722pWq{-M^6qkIoub=?NS+a9S zj{Bpm`~U+}v$flGH9_$6(S1|S{Au;$@CoMya2K5h!q9u)7*2@5c1oPflG$cYW=AV< z42nY>Cpe3JxML$~)pOAxAR!<0Y(!O)B>cQi)?sWYbGD*`aAr|J_(ReS4r6^3=2ui! 
z6Bi{`&N>AN6I(wiCC!#aFs{BL^x=xvrCHCI6(+C%tp#5MDuP^f7t=zH22h!x&DD~X zqstf(&tk5%uX2Qk5U9{aIzKgmeL76FTcT0Fgknt7MbAgh!pEXH-l#Ht6vBv6cXCA9hF=V4(Z{3Y}%S z*fL$>pox1X1YI=2^tlazoS=D>geHMDD!rAu-cq5UGsX1c@!OH9c&5-^K zBU#0@IWB>vx7Hg5d4UEjs3kl3hVhgI>)YygIy`{YH5SfXS zlo$m|agAq_T(4%}yupUT?VwjV=sv@U20q9#f3{2goeuQSdE^HHQv)>$)XEjcNij^X zkyXa5@~{--C>44T2u5^=&KOma`e_mE4IdZKA@Om+{K4iiV+3OcBO)(TEL~D_1{Fq4 zA{6HJswc@K3k#nhIxqx0tqJDDfNf`$t3pw9WF1ZkLD@6N!4#1(r;`IL*FB3Z+lb_| zU4=WY?-_d<7}x>HD{sC&`gvNw-Fi#=n!YuMe$iev0`a_0dCy_DRcGmB+tW(h-k&tq zH?sVr&NgQw@t&CQ_N#W>M?|N@e!>Q|oR7Exc*wnnR=*YN;U7{cfBJBwm;IRMqJkkG zEnl%7#8Ggv1tfp2KR@gxy7C?-_!hC;t}5(qPdT$DtTcZ3$q<3cNh~TeUQkwF?b1tg*v&rM1jHw691Gvy~Owpbb&d~f^$QYPSw1PpgoSL%O z6E}G{lTTYC*7U}yeh!IkGXcv=X;Au{L-Iy zqL;ksSe@#UpkQMF%>xSuZ@hRTRAdg$t8LiI_&&4M$hV6Fez?R%6F4b7FMS+e*r2nh zs2~*!XJHhmsXg5~%pLlA!7+@>b{^@TCG>YR@ogrva@^u1^0NQQ|2M!1G| z*z~0DGs7dk&LiBMfR0LntS@!J^T+4^`{Ej;_V`V=9b2KHRORctg5e<_RF(z~mEj>a z1$t04uoqrr+t9V-B^C`Ga%pyuCA5wlguzn?>Z(`h71?i$DKX+T-6l!}Tj(5wAWa0l zwb-3eKN8b=Wy<`o5sJwx=SjN9!7v|SbTmg$Z0%Kw&(t$m6h_|Z25x-hcIZxU(hHo8 z>d6f_$Jv-sJ?n!W@v?1e4QERA^m2bqRxqA&Ox;&!&|S8E!2^9)?!cCBBU>+zdns9; z$>z)C8xoY?#~4QfClp;?c-%u&Vb!h=iw{ZzVu}60yiACFirDzbB%;hMiW1nOW{H@j zD_1i+*N%-9{SbLhU#)SC_M{ANeEB&N(IvYkh4v(Wlfp6^=x3Bis4Sf1dPG7#Z{!DU zAZ$-&S6wwY)>O+pUoO(FhLm{MMJ?X``d@QG;C~7V{~vKe;9o#tGr}W9@e0K(_T1oU z@8izNPW?(AW97v7O0_47z=1`G@gvX|0X*eHhR)xJ!qIvq_`T87qbmEQ^2=^13BPi*X z3^J<>PML$Egl`9mq#cE9+&c6q+V?S zP(&3YrL8qD6%oAacBSPC7#IoC3M~&&ZSU?Eow1egRe4rj^(8RDE z!jT*fIlg4g=g*B}o(Qma-HIGRq#_xVxo}lfNy}RN0QPz6xQrc3S8Oi`=}tCqF(fyK z6XTe07R;)zNoNJ9sU5;UV%TsjKzuFJE6uRFpOy^fTYyS`pV*m;MFQC85G0lBq!s}l zJY(M*|2We4WX|nDt%K;dB*eobfhS{-4dN4i=2GTZA%1F`3ted-XzSlHi+EtIG30S6 zT9NCfZ@b4L8~{juNhmeZ)ht>X9hOCV>+HJh70w#HU8%XM1k>ZPq#A*ZcL!9m z1wMn;z`%rv536dX4uTi-3?Ffwen!%9H%&@c1=^}cIYf-YwQXSco;m=BeFNdN7^)Oi zd>|H8;ucK(s47tldo3pyAk!C(?#SRL)3)f_KIC0^uSd^fPi`bjfFkRq$$67v@`#aXDct2s{zw+@lEC~1l*&y zmAW3pdxE{rDGREehkA~#bqgXp?hBxy$n==ao^PH_wX&2~+4@S)VCpjXh$a_nev%4f 
z!k8{IaQ#%3W>^Qd3Ls25FoG5FBMW6sB;2o)yfe3V1okjP&gmW=1mu2rt#v zf^sHauOzzW;>=$R0K@2wH>%cl=n`n5rpk1B#d}`}N(puXf)ME|rDe<1&7!?c|BV~| zuVBNgcUZvDPux)Xe4Oc!K4N>quhFf)%rM;V_>D+9nQuH5rWjVjs!a^%#TKa|{r~`O zAf`Pij3!Zar`X4x<;SZpkVZQmW?huaHU{?W+_Q!A=J8fnk@#f=Jwd-iI{TH$tYWjq z859(4GpULIDa0ucHP^9*pUs1ACQBMOR?v`-*)9t$m3P>;raH|gzwlXgPT|IfZtxI< zlFp{*>4<19kYq&@4qCd`1`&iiC=(w1fDmnU$R^E92W0oWmV)(xi+b2GHv4wfQW1Hw z#u}Adt8@IPs0 zQ740~dmGyUbgvyU&Mm;V@@k_sg8`UN0yJxoVLSTS%udnko9E1Dv&xTvQ2iqBb&)Om zUH98~wLPtF8 z)GQjF)Wk2zdYVt%n%~A~hS2TY3+)TKpRhoWt2#m>Fa6DEMnBci;;C8|-F12UWAErm z`ukepGVJ*>S2nucebBv!CLvG#Q#i0&rDu|+YKzqX+wL_n@|7R2JMFx83{_yW%Iaax zzvfpREq+)QN=q%)PE+8CUQgzVEa#5dy+DwnbUzfty_~LKa;kUCk_A7`G=2WEG>ath zbT9er6ijZFaCo?jPIrz$%;&$&HM`cKS4#{ z{~uM{!KAsS76D1wk)ILp5^_%^<3~E&a5o%FjZ|Fg)Ts})-q(@O=0{Flv)-Gwy88q^ z%5lZ7AD^ypJ6$kQs(t#T_H6GBo6W(8bDeYZbH^?~nhD=g%vTdrx+)eUTaIdYu>ApC zE9S(lp=HYH40+6vKlY=-*+)vQMSb${KBRo~ z{EGIvCY|+>G7Uveb0|U8Vqm`}I9I4$eZmANF1js_KT}Ozfap!{EtjD73ofR9y$~Xd z-&S|FuU}{fs$pb316oVY8d9y57Nmd$ELG_N*#>Fxti_zX=Ev$HR-w#OcoT(rs$ugp z6?tt7_~wUfm(hu)@Z5u7kd zx@VPy>VBS+CC5n;$_2Z!pkDFN=70&Z2dYEfa&1$bgr$KgXtFbpcS@`nmSg=x>UH!{i`aZ+!wknEG z852sbyjcb%K*NY9s6o$K+2E}zi*eINOOa<9JHS*$XvVR3`#L#lh8YgFvQ)u=D}ePY z=MUHhltK8T1QZ)nQIS6TA^xpvuLcznPB=6@~$m+MCmwxtklZuobjUO_Y|<= zV#9J~u97Cxo|c4ZdhZlVdV>YL4a|Atti-yLq~cJ(>|Ji{UeWCbBL>4gIx>OMbVIu{ zG$=KKSzOt=9hcMJ$)fGmL}eaRb-~jG%eWpZxwO?GIxr6!NiH&(3n?_)QLvZ5@>P;m zG>+Gy&J-W6cwMuuMiHT=(*BXho7XLP4DrX>ja909O?m0?(;WCZ;Tb+a8*_Fz1%3))?+>E!0kt$K2J%e7L~$>TB+7zV%lY z?o633g@kIsY^N_1Xq*{Y=@+>~0X0gXnD{FTWY3Jjh`uGK+athpYw7qo&h}Wxr&8tN zI*F2kQe=hh9rHTg_*{SsdPQgXtW{=eIFl(gz*XHyK69B5btP%8CAxbfW%Q0Z+j2rC zDu9UO*G8YBGAw*(WA(B=IP=S+nFg@MsE=TvCHB!Y=d?}E(7L$E5s$At0Nc%5qhCAS ze$5VMd8hY&%${T8;2ZGDbeR&fnIRL;V3F=0fNFl!bKXyLUMsVDRgA)i&LFiU6Fo<* zAdQ^L5&L>FX;Py#dIfgY8oZF2*g;SDu{;3!`MA3;bWM*J-@=PGq_ne(U!%&9H@}9B z&h0EjKljS&K7&)0Xu=X2b9B(e;wbV@faI(z^I-#}N+tTTEofNpNN$1k;)iBROJ1hn z_sj$c!QxP5<=$E(vEKUe622wLC)mQ^0oT377#z`QhH7C*3Au>!;La!OB_$7zdu3Pzfl!LCl4u|mEhe7^^( 
z+@P+o2XkKG;^ZtaMTC1i+XcS>{nK?1=x*t-S<1uSH#N*=Mnm#gX6j^FH65NNE=YyG<9o3R~9679c? z)=52Lc(h*v1r3WX2C^?48N^2Ek7lAbdN<*U^_)0kXeU8~FZ~iSCEDawknX7pj&RJD zmtK+qW~Z_{3x}ZTSfn!w*jeT_UeU9q;~^Zm-o3WoyehvSt}wge0=kkXG5m+-o=gq z@@`Ents<7DM>1)0VPRBC2byr+uIXX{ScSUhDyJK59tSg;+}=NzcY*{EXksbAdc{St zYry6(l|M6PZ{&SfIJZ5ySeN})bV{(RfN=o00gjSId$?GW!nj(2G5`EhJA!jsO%c2rUm^=JLp+O6ioYGauXb5Z=?+;qoSx#)25d}(eDYf43 zBiM|A@e=p9538cV(2-1sSs>-L1NSlhZ=~`25dI1pf$yZTheF_d^U#lMc~RO>v!cLctd3S>;}!rXbafV|w{8w?BZ9@2 z=%0WcYM@nEaQ5VJT6`~Ef$}|sy+vy{AtUI6HvA9DMd}cfv#UoBJY1fXxc*t!l9{9h zc6&hzZRycNO%!WuPm4+`%$4wNvw7i%*?c~ZT? z3qrCemDB!YH3`LLtwE(tXRsj>mInsL#D-v<zqF&dL$u)H z{dD$?-evmPul^#YJR2y6H5ASxX4J9@J;5h~NZPL4Myp~j=Z@gDrn@{%%S_fY@?E(A z7i#G|8+kU@v*L@hUJOjJH10t+JS>H40x0IWM@osbhYGOJW!QO8Q>&zsaU(h1+X3~C zE?+m)P#9I(IZX*BUJ^=*LFq;jTL*QAKm^IHDoIGZv9T*r_$JkZ`|0MdkGw5HHK^n# zoDhF&dtO>u3t{#WC$LaDyb2y$0M8_jkOTi%H*pUx#td}-%#T7W74`xoq$`qDo{xGD zaLleI4ihuGmAE$^anKj;)xo1`f|q0Wz5icCa=TY)=RPvapVd9yx{0kw5_kwmuy{|4!_QKquWPZhnK0te~F@f6kvlAj-L_Ovp zRq!|P2>eYRbKCZyc2N?8vh~+>sUPR^iw7qhv-x+g$ST`jB4a-uV+{G-&tOWw&LZ`-kpM46bL58n@+5sPUteuz|!pNrA2Y;YzC=N zRrQ()D0bYhIr140>mPWHB=P(>f`JkJcVHRjpDGOas<50_N!V;nBP%?6s-&OxrLl3o;`w)&}QOrPL!i2zG>NYj@;q(b|{YDu^jM*xR|uV?CTiq=ZQf?!)A91F&w ztt41Q74Aiud;ZHf+_@!NuK}5a#{w%Q1YM19#&w#1FOgfLfPo581wWa&?z=@l8e%XR z)IGrg-H627;QoRTe}!Xr#OnbS3a}v9U{3w69`Z$__S)o;?$@{Rg3>nK4Y2)AaP6ew zs|oP1{5QaPzwKjvEOkPN+Jy1*8r5q9H#f#eulpjS3KF3G@y9F88d6$vE$@;#4v88L zT0$MozhKHg^)FUrgxdA}WMtL>Tq|9p`rx3T$DYgnkrETO5h#EC!+(#HRVpY>(p!3u zYA^aBH#VB~|C&ky|BfZUO@RLdmHc-7zhlY&7?lM69ZUZARFXPf_kW8@0{@OBe|Yl$ z-%?57-?1dP{Qb9t@qdj<0{@OB|6^40&-wQ&mi&)VN#NhHv{7*ws(f@C{$PU0u3TO1oZ}kzDFGXfGbcsl0VwHM^f1?m?C$6Aw5s;U zO9ngPQfw0E8QkWEFwpkJSE_W|x>gwW z?gg7%>OVE_DE-Lg)(f6XZ}un?6Dx;0p5BoUXk1*`GF~K-Ktf&_e)_rd6;}(hp~fZW zI6(8Hy}~g;7|inYEd00!b{f5>0yhK|g0BH>?nkS!>PApYx)*oHLPwUH-kZ z0s2t2&U9wjQd35#m6jYosBjFVk@GBo)=;+|>dX5@hCVRO9X4ifMIhH%uA_B^2m)eB zg-p5@``j|67L;rjQ$0KUD^Vf*(ec_p3!w1Gf>i2*2g;kP-YyX1k4{Y#r#ZJ*{j6pD 
zOUkGMoB1EJN#MVOlYg_x!>y&~vUoy{hz9;8Z`~^eN)$@V%5)Yph zBL#WJ^ztNSddJy~QQf%9&yMCtJa>_mH=VB7t$15(@Y3rXIF_0dxPuK{39VCJ`7s`p zCyis~GIme_eB4_s3Qr7QF&M*$6&dXK8|emA)j>YJLI3dlhsK4kz}7UPjlAB`@ot>p zopZYPkdiJ2ij0Jr?CY+lNCt?Jl$B{174;8OwTRx8(yIanUor46_(vxub*@^)Wb#-p_$aUrp zw#gXsI=g&Ur|Qj}Nba4f?TNc5xKd!UWUgV6ha2OTuj>n8nXHN&vx{eDY6TmBKf&N# zKW8Vd_Ba~foURc*AKsoIo^45b@xWrNQJ%KY7x$|wgT4C7KBH;Y6Ev6O%4(+>;Zxx( zX1B58AtKe1hSC}ib*7hqcO|XWHv&o@Pg8`BEyk5oo$tN%7HuckyQf@1wv3deyRnp; z-My~ZRTEnQtOvd}N1I_v2(YSp_x@eSVwQ%*+W5^h&4qmz8Px4T@h3xE{#bmR6X)#M ze~dW-j;DhI#$7qNzF(Nd7T*|zuo`wxai&=aco!unUJh__ZvfL%J8>MFwrs9l-68R( zEBf^P`#1xa;vzF;VmCjILhguwl;&l>Y>IaKysWEvgitNvLMFeL{+b$I#g4MF~v z>wjkKBFEqQK~w$G-x*GgjCf$>q_ag2yKHMo!)_Am0S?_@uA@lqrHx#?dr}gF%rzj; zB$g?&_o*w9tLC;|0PY37Vt*aa!YBW2APtv#+-||=W{TBIvaJBt9@teLD58X6ONpFU zcEcb^PK?{Dpop^Cq|(KrpWo^TsIo7Q_bYW}&<(pLpsAYHV2(bCbq%*Q4J9Soui^xv zGSM;Myb8Cdt!*AtKLCdf=HnOpJ1 zu>jH9xn7lG8bE5`7%ZVzP~0yXMl7RgF-Wus4;C7JngT zXAr#^d&_>hR2iWa14Y55yQZ@0d}1#qVKf@6)^Jn3ArEV+z8YuMFV#~bFwdh z7V%bPD$7uy$8=o6Ykep_d(%Ymt*who(Uf~*f+yR5F>;lLP$W>xC?An#oc{F99FVru zTf5D~c3ktI@(w@PbPyRp`*0qov+hlGoU_V9M%F(vpdn?py)tFQP>V?py_F9&8nzx8k(D9+Ldnn{H8jS5QAPcWTS|3-be$E_EZ$SXm zQ&}yLacxJ`aO`~@FSmd|h`2EEu$nN6H6Kf99(mjoiLd1hQunKoa>*-2$CA(J>qQg* zuNyPcc9ptJ(q%@TFn0QLR#soW$K}Qfl*F9&Vj}#;xE>Id^QwLx(QO(ylr$aF_93T67Ef^X&=dg@4TU&eZQg!mL6f9h9 zc1gCIt)dk+5W!~_S12yChKXkO#AS)bQIh)HG<#)S#o!QzwZ(5pf58POl(fE!uniK? 
z@KVdF@nMV1Fcf~}n&%rz}#DYFs15r~*i(30OKDHiou z*``^mH46$Vq&h3*oYiw6bOG3$HROT@fG=S&=V}K;ziI{}64(Rsq5B1QKcG~V8HPsD zPfyXrFzlx?$3`W}@@6BpB8sIM41Pq?Mw)tl_E>f2ehk)pjdGCopmH|b+I(^eyZMIG zv6#V%lYSYIOp&NRXWo(&bIOXesacW5B#xtNLuBrFH{5qT%5#lJ&*Br?ja>ov2uijKZrAOUl=>^lh_C zf4@71jGDZv9tQ7N4<8k;{X%fmj=aqm#aOLP3y6VbOAJOZn2&#%N;o~Q z2v@Qk6(f5Y)T_`nh&5mfibo3JYvs!A31VB=>MEh~Fm#Lb74@{^*!MDAw2mLSoB|uSV zd&P`%L%9(b`FVUFoAJ4=uVhU56RXH4afdqVZPEBK(@e?~+7jwHj*y&m291@sC`Qhe zfRdFVna(91{HcKUpVo}u%Wroi;hZf^v$RwY+zva2o2cq@%09opU5d$QwyPn~tf4e% zX>xWsuxOhbLM%W%0t=|ig4;SW6znijpIpg~=o&hJw=XdYK$5DZ%!w(sAoAYtx6oN?DPdS803m7K zH6-=BSPOL;KHuyAadTt9x!Cb z_?42%iF*v-m4z`S7J`)Y?C`VuhkqdHVegjQ>hXOG3{klQd_K~b+XG|{7pA2%`5VBC zdTFBRndb-dD` z3vp`7SU)Eh+cMpGN}s%(0Yk^b4?h&w|I~k6eV1Pb*colRcREQ$7jxV`eKt2Qz<4O!bRue00dv>H4m`+oN^{vv zgO0lT8xXDh35X_JIlKe4mmyKOSnXOc!fWZ}-~Llz#eugOJsksUP9gR}U9pp9d*oH5 z|8y>O0$xW4#WvAhn3}k*e3|buqk3==sp|I~x0=+O;-F}^We(|S~R_v23>b* zi#L6}F=$gU+6P94{iRH1gp*fO5ov7sbhrNC3X1nT>@#ums#VmeL6 zin^oJ`++$cN1$D|tj8kFiI!A_nsr9~AV8}3Yv0oXJqKdOJExar@4=Qv&%m9W;m3yC zbKPw{VJZ`wDW+<&inR0K!E0c%e5{1>YgUNn*Bm6mU5SpP^9^Z8LHM9G&EM?>>xC#fXKBENMt^xv~K& zV00pqStFd6L_bwUFsYy!=?5V>UcL8L&oOuE4R!W-!FY{a9=5CyB!Ej0%T$#XrV>kx zSOQNKM^{A~-7sY4)a>)0g_qxP=n`-( zyliaweEuA@L(p}6hUk(Nt3H9~uVw-kv#FegW@{U9_M_2^T!b(6BV0@8D9F>jTru_t zt+RGDx_c9+A(=%;PAnVqEom__A=bx-*cSJ;#-v*4W42rJu}ir4uj9-fg9+u4&8g&- zP|`HKNy$tFUn@8vE$9QF4PRKjLSTT|1Wk9;{n*D0hrA#M_f|FV>K2}s%6m(%RJj7_ z{@hW)Evn(^#xU!XUhY3Yn)77Bz7cHn*&E3dP^^P%Wiejv@IgUW!xXwwNHcPO#$!L> zcLHN(<)_F63)Y3xJ~x&&N~ffO!L zP}hMBh0iLvQo((b<0Bo^R4Hik(-1@tgtcead0JFrH^0=7_uxPo@?pa+lR%0G_sfxo zx=u*T|0=|UQqSUBjGa6cR3*+HuNbH0*3xOaxE5lj>EQ**bD$%mu&N9jCbwp-1F115 zcUes={ZCd^%zQh>+2dhW!+2$&WobEYmVn8H5uEqdC|&J1CTj5PoJy7lxxsJ z`#@&Fl%%cOxNT~N8V(*Ka0DPDBZZ#UU71&PVXaZV{>i}$6u-$lIC*}JJ`r-c-pUJ) zF+MN`Ub`}d*yu^beBKN0p=ulAhG4OGO_eLzrKEv{hirOp3Dtr%66iVxCWqIdcd;ni z4kZ;ii%C`u_fffJx~sQ@^Def<7&LE$lB#sIxgDr{E6VhZd)_^ReEt#!a!=`R+DmYt z>>BhLH)w`Ql9(Qe*=J?o4Is7`E#=LY7rPQF(&?fl=u?Bac?QjjA!aM$MD@^Ld=n>v 
zprfY`(ZC~FpMYll`IleM!O~NEOf09kZZfSN@gxVZN0!DTgig^O8)*sbN293CYDoy@ zNF_1hNQjGAnW9ve9i2VOYWY}xhB&G_#CLC!rmYPMDl;XH45s=)Nh<*%B|8M1abxq3 zxNM<~XFOS?1y5TBb&J6j2DO5TV7iQ%a@GhnYvP0H;Nw}Z&$T_22Jn#isr%fX-*&-& z^bhX5hIhw0cW-UEKBKm@G$bhPBA`C!^}-XD4EAi#2nh|RjmlWtRwL2Q5;k!7Ct7 zd<(o0J&kjJT;=6pwiiFI;b4{g1bSDzX7LdcQh^z1^Q5+R7WPTQeH0>8?Bdp$p)hUN zBK(od1AIWSfV&_HeYx|4^9wo)Ea-GwSEhHHAuj`SPU$e1CX2 zSJ1w-1c--5%JmvSF(1q6`N@S=6MlB5GNNO)`<0&)*2L}`7(Z*4PKE%E?PP=IJ z3l_i6`^kKP&Pw+D68+I5Ww*3+(50fQOI&2SPU@2FN`3sJC_O5H>96 zB0I@SjhK8se4t2>5ZrpB4Cdx|SXP^W2$VdJHilw9Q~{yWb&>to-@K#ZVRkstmS4Ie z9FX~pZi+(0Q<|UC=tspR>Y7bBxbwDOY#HnILk>gAS(FE!qut)>UjFjyx203S%M(+H zEqruXQ>u!JMTd$4kPMYU2{9xzH2WGB6Y6dB0wJ#1ukY}Vq>$ON*V19_Lp*FM<66V` zSngwlf1OVBH-^4XkpPdSHb#iduo?IsN1;UP$}Ak0427lRW&Iq!l|v>Q&F0sOs$*zm z?_`_uuY-1f3O>FAxYx^wah`S@78W9B=Aaw6juC!QHd-aqxW6N3e(RVXPVpyexjT{vY!EUu(IcK^4U40+cVST(*`ATX8Ety@`-kxE6lV^;fH>TmIsI3x3{XkIX`HKXmDc&QsK70DKz8D$Uc>IMxi?xnpJL{pN1`enV?- zec|KN>tZ8GaVudbW8Y08u&6FrG(L40?m}0;MfjtW+_$^uu}5uT`Nhym-P;-vvw;JD zqug-Muh0ywhDG$>1eZ%nv*kD_i^D}`^!=E4hhWcV0g0#$+`m|@cGT4u6ZJ-{65nAJ zZEF2pk@<-c9D7mzV4c4@eE!j&*FS(CM`T#!werOimkf{1Hfa}^us?sQ)U@oY#8K%p z^GKV)&Q9U;&Z~?sX>W3us~+j&0Th@C$B0}MXp(>|^Y*v`RV#J-i`!)zw69J*C12U(N!sf2bW_dhuX4yj*SwT&B&fBS9s+QM!44IEvNP%FdiT4=%-V5);;@U zJoe0c?9-LkL;4^$TFKz9Seold(53pq`O(m_&6-?Y3S*YCrjcNCxskVKX>LRo`(fyP z7!(kT{s1d?jB2bc-+IK5>`KVya+2>-rTnVCDb5<)Ek)nYu_{lO#?=GtKQaH0IwZxY)_x396*PppX%0f)Zs|IBE zV`GkeY%&ram)YaeM7mz&pYQJOb}xAh<^d6YEi(yKlUr%`BA8W{3V8NE^|~+A#`7<| z9wB0@SwoUxs}AXs_axV^p+`K>Zyh#ze0)$XlehKZSX>@ymN4zjPSj_3_E3@&n3p!pYy%k!K(d+H@^B zU+4|*kPjJCl1SEwX9@{a?P{h~(k|5+UhRCiiwZ0xr7~@_*Kp;AJvr-@plsh8+Cgm=FKL|WH;~950s4LEP%_iLz31M+N74@=Z(}eisQYNgj9!@tyF<2pcsI1pn@VOK& zRn9u2-9mFeu+I|?2E)-j^{DPv%hug!x^23c0EM;2sg{V!FUA0g zy<*2KW)@da_#kTbcv{W8%NJ)QoXzI-T10;8JA{T+dU6T42iWE@)n|kH3|egqxfn+A zUIb-!HErR7)2CaVd#8F*9UnEHbd(vdRD={5OR_4`DU80w^97HU{wegm&j}COOV+l~ zUd12#fais;pY5IF134OmmxsupFKZ%wSk_Cqk+mo0<=C^eEt>nq=rb)WM-29m+Txm0 zYoOxj-KACg3F7`Oytzaz?p7gt2?E*$dPngY&AlA)A% 
zJ^c(<$4d-n)eq>#^09}&U^KGq_6)u2Ooh5;g#7_W`~fN}FjGCN!NLrC-Hw58UK$xZ zO>ezoC~FNi{ob9R?<4QP@!gIE&6%hDiZ!=#Y2nQ{aX=Qur8Z2QRSs82W<6@lEj3tb zv{!GR*O|2v5EfW$wBRivhF>U;Ycg3iD9>+`K1s}SFF)q;a=x8`+OlA1umjn7jPB$s zf#a&bF_SGI))BYdFNF9tvUF$T%UvJ_Wpk^cYPm?-EHXdnRg}vxG98!m?18aMyi`Yn zYjpd&O7DL77$IlP75JMRJM{E`ic>(vu)Orx8=t9r66oYPQ86nRxvLftj6<5yt@<@F z=QY;eHFRl#70O?1jXHqaQ?z9gP7U&Qv6GoGQ1?avT|g?_m&{M@3c;^=0-t^^hD)LF0j9vl=s|7qcO@Bq~^ znhO#8Jk=a5vwsBjsYlD@Q72vE5Dxb}n^%nFS{L?q{nD)=p#Nt(d(Wd`{g1Ulwe-gX|0Q8`oNKk*z5-GfYB%Z}L?=c~x9#zU zlPrafKc6n>4K8{55rh;$Ye>pg=E?a%yWRmFvoj{}6o>-T7v~6PkHeRT!hj2?a#+Uo z>{fEO*l))c-Fc%vg#kI};%ArF&I75}`fNO9UdP$A>K^L^24+nB-cT&sRIlk*p0hNm zrP0MhP-JOZFZ^9(DNrf7_SJ;LMy16R;UF*H!&S=lYqo!T(K!EMG4qAXtDC4`3B1na z7*tr^qNOj)pow4xRD41Z@OIFggnOKh2`gI9ycN=u4L<6OI;ALhj~zuTD7_RCG;|N0 z{pQm8@pFT3ca4)8^)nibs8Tl%YbuIarKBac*6}0yZ zUs}VV@>gbkc1-<7^Ef*8eC7@kG72co4F18db^5zstK)o8 zMFOxJJGs;;UsS@ttsKAUoYX_?P!EffkZA9td}dA`y?9wC51C3YLZJawLI9+27gX{o zRP2Tj*mut0JD!-Ru?n>YfhtdAZEy+(rO|^)D5;btL0fL~40)}hDw1EO-0F%a=w_Aa z+sS?qu1e1R{}p%M@l^N!|1T9qMhO>=C@cF)*}IaEy?02~Au~n1NpxjL$j+9%j=d!# zTlOq_ubgB1zK$kc{XU=D_j|jppFiCE;dp!R*Yo*!KJJgji7OF*CoTeQQSXguY6zw?%QozP~d3@&xg`_lu9nN9s(BbCWv8^#Q1R00k(c8vmCWC+?)~PMJub zYjvovI&`)_^;3;gG`55>0Wcn7#Hj_Tqj%3FC?U>;-3c0D3jPxgSYt^1#iv)rRxa+`8Jk( zWm}4xVPR1RPr4p8HB*N`s-6u=!yz z`%NOb#h)jzYexT_fyKM$E zd8%QgvEA(}`JtYH+`XT@|4fSnv}?4_5*BZrscbG|bD_ZiU|Z$)v8}c{U$Cvgh%eYy zM7z%RR&IcK>NlGu$6nzCJ~uE|`pcQpm_U2cbzQ6Gu}A&(?Ukn@a_*(1_slTa8Mmtm zCHSBl{6AA$M{QYqUgsrx{tntYaxRmkJC7_uX+$MMQz{i>z@ACn=#GZSDDk3_;+z|T zqBdcXO-g%`kwHFJZ*X{h7V2xEv~$E2+a_}FQ6xxt^-%8EiA8KYJ}j`g-Qfy$6iolt&mvRJYsntQm#@aJ;> zwI24%iGujlQ-KJ}4_z4~CvJ>USoL6G;BxU}WkBYM*UF!Pza0~^NO19jRWNJi=>42E zcP(fS2Y~Bv>^+=<*AMs{6%|1%qun*+PgZBE*1wrCj5EP0Un5? 
zgqfW;;FeF#wjKm!U18clLt7EHx}M|xTraop#9KTSPE2}Og$tN@O;@yPikFkhJ9IrH z7zQrkLBD3l?4Iywzxx4@Vtpp2>o42&vbm+lTnmtk6h7QcAy|*XK3;Si4!1$@p#FyDtY{JuCKU5GWFa6!%-tyvaqkK(CG;dFVIDmr*L(#em;(% z{{y-)1R6Z*MIY|d4(}i(v)Dd)CD7M_@s8}tiZVUQ*i8H&TYd0mRP4cdyhZMW;ZBm#z+F%p%0IS`1sN-F85p|&eB?swdBsAj?X8GIK+1z z%=1&!cKM~(=5@*?)=?Te_&l^6Dz$V_%hAtKemwWW{xW1c*3+YJ^PtLPy8F{Po+KhF zxic@aZ5Q!?gR=JC<U99o!LA-I@vf*lL`_LzQnp-z+ zD+)iu4Rx-*s$R?S0+bCv4iHL{*Wb>b#!D8RcbAvCj|7EWytsD}T2$P6Bok4UZ9cj9 zsAy3gdZk;NiDd}HE7TI_2Phu`;kkL7qN0geH{8VvB>a4X9Tzdq9csL~crcAU9>X+3Tx8&+~u?Dk!dSXUfpS>~+2lg`4ryaFe-Xl%vG zv|D9escGo7vZ~Hoa1l_OWCJ2j<_w-glJE0$NG|4Vyz}Cv!%j&Uhs*Z9Q__cZwy#9_ zm|6;3%Y3|jFed0+Hfh@V&~q5gS9x~waZ-TFVXto0W_#K=tTpwX;~O>Fn_wBBWK?mP zDq3t|5`NRQG@SB>FxVFS*|Pn+GN=ayeU}DXF=3b%##@3bFNQSx`)axDI&S%|>GFw? zd#TInh6$V$GE=jBdyWW)+o!ulmFES3>86KLAItT9mchWN8?9?4UOcoC%}I3_A(>Qw z0rE$llWD)bq1=}Iyh%?epJZg?m=9~;#S2m-P@F1)I;+(=Rw?49eMz!;(R0I9;O!4y zTW&)PoFg*LzcZ@XQqc9p3ny3oZg`$CAfg~mNrvYDZK~VuxP87AdyWB$jeM*%-G2=) z%i?Q4j(AF?c;^Z4$W&TNWNJ^DoIi5je^>qDU9JJ(<7}|IW<%z=GeGvt{(dBcjprbo z#yfiFo_nK&<{TFw>^zSU=!wb*SBeX(KJ0`XmmFzvrWRpZC#fqe9BtfbzwThEs)I`o z^_>g!wegU+_aFg>;-0xCGrH$>{5y&DzAYg6a!fl6h^Mz#J9v0BUFwP6;hGySc6u%(6PjY>GvpbnyIk_X+ z9A`3DHrQuyfHCrM%rn-N z2bv=2`fL0a)y1otn7IqAk^x<&J$}=SduD|yI8344@Dc4)jR3hYkvrZu2^IXW`l$v? 
zVw<_UDCzgiL;^tT7d^0?*AUDLkil(iq;93vih1n&9ZzZv<|HmSsO}jC(h$FU80tm* znWE-n{=3+%F1iz%O}a|tS!QI%2O!xG-8?6hD&)e$st&x)(S71eEH2!*%x7~^ZcP{` z-C2HB1GE1|4TK$s(bA25?b1JO9gg`nOYozFIZh{=Xku%uR{UZc%A9TqALxJtlO%j~{g)#^U|5h6OSCm2M z_tN0Mq6|X6mj?e8W$?TH^{X`auPB4i@1?LMV@lfqbTl<@FlpfFbs9yBNoaBdLow4V8dV5L`0_*fZ2ggYSuTnGI zDP~}EZS{oqs$KWC2Igand{FJkGIE0MsOGMNSEB|` zULE9s&91 zVT(^E+B0ex{6hk0^$~g>q0#Z-_pdnUh?%^XTM0Ym)BsE8?Hk&aN{>Po$cIh|amCZTSI80aL-27)29T|dz0lsH z2Zdj75W+X`t$_H-J2svAOxDTwm)jtYaYBm3vf}kHj9R&&qhgw!WLA5|*W;BU-kFzh z+wUf3n~25mJ0R2AOXVCk%uvdOR#ma)C9|gGF@mzRAwi!Oi#>R?Xu<4Tn9uUEU+q}3 z%pPrdB0QL{Nb4f-H!9=|2ji%tUgr4lsV%G{hxPC)Ub&#^rE~#MGLFrHDb6Ht(}yUDC>u%>Ya;^*Sv5rf&T6`ur%J`AM}D%dFG1gs2=Io?A7uX zSKK+udE1DAD{D#=Q*41LyvTqBGR>Zi4Zf%ZvfR@=W%&a!4>>98n>E44% zd1Z~LrD)MX%{8zYL^a+RhQh|Gd=~-*uvYdBj)dg7FCZrrrJXq-Ex)+$F32`GTp)s( zTzyBN%#9w*?i8Co)MgUEyJs*~hzEM1Zp;r#p}6@VIY;wWof5N^8JVd1rx$#S<&z$f z*$?!sT~r~noy=!@KN&2*pzjoNX*fM%QsP}Y&qvKdRV^H=OEb_xo1?Sv(pL!Uw!;wp zr&HX?v+oz}Sho{T?`@tSIpWny(!fb`$Pga;il!F|<`BE$|Gy!8- zg>+bBTgX2?!F3SP0t?eerXxG;lYjtk@JQ?ngtZB0!FIF=Kj?Pb@;wLA-W_(k|APs! z+wjv5i4giPG(t(M4u1G-?6Gypew3}QTX_>E5;>x^+IuPAbFK8%|4kx<4r+we?g3g7 z>)E?i&t_2k!}klArL>_N93CfNL6_{473Z$}2bqxUumy2`Yf-c4qQK6Q?)6J*wLGz#r#nd6QR73gmaco_jGHJ!*vqz^MH@7VmEZEUqE8YH+xBmr zh(D}|zjY$w%m3Dic&mj!PJtF#vHwZr6T#4=SM}MM>g*? z(v!!{5sl>${n=rsJKqSX_4cM8pIu+SSNQ*8vD$QeWwFY1%jz~(JulR`tU;p9{dZQx zt&me>Fs~2EIE!?#oD-`Yf-?zh?elKyO@vWU(@x3SwQZ|Tc$$|?5dGFrQqIZq7LcKW z0{hkQhYoEtsJ%3+v6~TQz{mpH-rgiEBbg1}!JonK&_Z3c;b;}lR}`y4D;mWLCa7p0 zZLSDEU_lCgvqcC|0?A%UNi)H94XqU>(Z41*FA8+=Q-f9_? zH{UDa2G#kzG*=psp0D}BhpJV2x4bhGQm>v1Flf4s|4tFeFI=dDRp zR&FV|hY|z&qERXl1dGJBBd>mZT5xj*-`mOe-R5xv9U)VlJTi7yhGw^z{It*>@! 
zsb!?%oEu7zx>sgnoda)Z4C}MF=PrFT>pYB-IU+_%pAO8fw@kUhORvM#|3cjp@sKji znuzlZ=$a`>n;k@xS(O}n*3g370&ipo17nxusN?*qZj(9Q6q^f6<=wsL%nglhXgQ9P zKq=t{^dYI)6Fg83Y&@k z{Bh*S(zxtY!21K(U4mQ;PS)q$F59z0(1nx-=KjaQKvL@rR#>yHw-A8u!bQb_9xRpS zpI=7I<+zsWgUFkS!Mi>XbB>eFKBmQ65USM)0C|rjKjl60Ek7n@-;D^*R8G7U8p|QNV*A=L>nosDwdTow;A1VzR&!d+ z*;^I5Too92rg$d!%W#$x*`s}~pYG>4S7UDE$rS5{7Itc;zO7HV|J1k~M6n*SAVR={ zc+i5FBS_Z8^tQW80$N_|kS@w9+H7bcyP+DZ#D_oYtIHG-p8V0xOrdLsCSzy2P=l^Z zB7vC{0fMzCvA5L7ah+2?db^RzOobzMctsPXGzkkO1Ee*q9yIwhErc?k%SuS^;;&U! zB+am{#6$>aF++v9{+A&dY&MzmLi_H*f4<+ao_91Z5-vgjMN z3~BgSzc5+}6%-|A%`IWSbS0MEX=b|qMQC0I@G7d(b=9(*#=*5saqE$w&a0W>trf7@==rPFLj1P4zi9vN z+=R&>oUhaLO~ln}cPqP;`g)PR{9?1iGm1P(wXcxu{)05k{a58p}FCDMmb=N;c!4)o(id21$U=T{%IhJsz) zqf>(h3F*NlDA^*7cQ#->P6L5?-Dcz7rZkGVQniXRX_75YC69|(LqbP)8-nOf2ngv3 zl^ZRNJ~NZFWl-to?Uu0+sU2u~k6n7EhE4?8g+MZ?=ZA6E;{ zRYt;kROa;0AuHRlza&7)_kaY*t^EW@SBP$ed$u5;CP-1sKbIAZtbv-H9ocQ%oOONM z5?!R%8y9O*T{ak$S(r4;pJD{HLgZv+wzK|X^iEN;r9WI+{6XM(vF|hp&J< zTY?Xa+`+3^TJ?YdabfU+(CkJJvwNfzZ{gx#Y;8U%-adx)grk_Q-R$4{4+$+^-JC6; zJ4<|a24vJFDw%lca1M$fk_Kgyr<-=E&GN6lkyDwVVYL-ne50V+HNPz&gVMseGWQ2^ zq)}S))A=Fy%|)aP8070pNSeADRJU|e<ap)>|6SxbOZCDrhr!z}K*|mDnqwyIDN1~tk#lNpKlD-GqF9^#(fnia&fvMyFxwYs52Vy) z%plr?=l)=B@?9~~YBwg&ur4^|-g{C`Pu)p6RQB#m{eE$!h>$z`e#5#!i34^+=$qeg z2@@9j8rLL%YvixzUR}=m!B?9}EP$c1hE_Wg2;8KbN08=2qGhT)8q(%HT>_c(v)l38 zAVzag7k}+?8;68q%(*2BgTn!jv2@?ug$7z--6m9~YvYBbii_=3B6MjXv(3wK5N4Xz z!z}yS1Q7BtOZh0$M@YboFtjt3jU(kPdQE_hu8uy}?SwZOWd^Sv>kp^X50(y`tLEAC z7nD|?wkkrdR+Ul9HnxW+%fEcX5V?xe=Ujb+)ofTyuszIFV{3iFoJ>4h5KeF8Du=@e z&%yc#Ot3z$V)TyIE^m@D(L>pHM&B!0-*rYVFL8*{GGD#TYTT_M_yIHSuq}#6rGjsS zTdvykRUM-`N0!>$Boc!ks%R6{poyD)axUco4KbNTZgR&hUzJV}?ueFsk=cTRML_^Y zI!_D_pCRp5_p@|S_VnuD#0675PV=9_D9%6@>zh8pi^|gX^5%98Tw#4m*+UnI%|FZy zC|;wk!a#>R%3{GvZ94;q`ne?9%e2~cB%jW?I{?<_hV)<3`dLvLqq2)lU~CaTNy!k_ z*yyMB+;ayLw#Jc_gS7<~q8>KZJ){R(>B7LdyiICBV{~E`fv;^rlr$E>W1^N*W-gzM%sxw|YQRm66LLJ;9f|=U)0a z|68KtRwrPw$|WZCc-otGjD*C#^2DAk_vx6{WMMz6QOOu;u+= 
z_A#7zrah~_Bq6b<1uVSmCqxQkMtj*MDQ`LmgIQz{sC_MW?`DCrMPu92-Ttx&QAgGu z%0qhvJ9Xo!`+MiEK?CD$lnn03h~EbczG=gCqXz-ZyS4P)518yB^vM_r-mQ zbIg-+{SxQ+8k^h0T4DVFaUCuC#nTcbx`;kOmSw6PsmwH>tn)io&tUZ@kCIh(Hbi@c zV^He>7(hCOiyzRioOPB+N2@A^G4PeEbL`uvF!WpbXCc6);`oeW8Y_z_mp>)vPN5aO z#`Gxyi*9rsY< zHhc|3=#Q8SZ$Cak_JoDXr{2%2?u#lLU1aQ<+#vXQeYP)VD#BbCT%#Tw6|=nV6H8_> zHa1o#rJ(Z?_ivG@PZWTOXl;D_$}>qLBcqMe+}Sxf28~er{kv6ty_Ju!3QZ2~DcEs8 z5f=M8#QYXIC=vaE?CiT8ku-(lTPieL7I^vR4jmhin|YgxnMUy@ij39UU5fRA%+rhK61icHj7b4PE#QIo6 z${o{~`?9ppqUa>;Cn{f;_G%uQc>>-z(bp0;42)rfY!s$k0Sccq>Mtvq78x^q{P-~) zAIeRETyf?@ew62-MV|0$y^{oxg`(G1ozf3& z{>x7UA3*S|K)K(mVsTKQN@Q*t>Q&M0JZTJQu*|mU!0Cd)%((ljvT>o z6~7^(c)TG(*aq>(DO_9@U}cRGd`P7QuJi_qBlHJsNBjTWxW;SwcnNu)WQk}JIlvET zIn&;rOCrWu%8g9~85|f#+keztB69h2zElq3H$)!EhRr=fz{5N}J?$SDqQ*#HFLK~< z^yM@_7$47^0h{P_cJTmUlShr!&#Y;#P%E%=Ow~0vW3PMmocZN^5nQ@O#muY;G4~`X zGF-cM4SS*R#U8gP9(Td7N7PwZjgV^OlBwO(Rgqtwau;y`jU~hj|L`gN?>_W1e`NnA z|K~OZZma{>%Knz1e`K%zc2j@5C7B~G|H}io4as_47rb-rsm>AbB`zv`BmLT)C;tO? CUPSx= delta 79212 zcmeGEbySp5*ggu&Fm$IVLwA?J(B0ClbgI+f6$IR=%On8hti;el{(WBqbS0!s0b{ycD z$Zdlk?zaLC_&se0gON#$da9)A%Y3PdxO@H_duliGH`w;jx9Uc7e<)TXmu^dFVl^dI@Lc+xVuVl?Ct4JqwJz)~yCTi(piP<*Ri z7Iv~9&JupnnkDY_hSI(3l;QX7Q)^Oqy8-p33x9v_l(=rO-?jfQV% zCMR~~r(bH`QefYBX>dryd zl@f~IHln2SOG#dt26Hwz$Ms4~iSV1>l(`QM>10;z=jD;Q6W>UZzM~r0awj+S5bWla zNJ+Y7V6!Z-XLvFF2M{-XWM>Qg^!H~M2ck^UX;RrL8u2mIrQjSagT8Rif~+*&m?@D2 zBNzWNCwjEkr~!t8Kdp147x06n^3ZSvLC3$@6Y7Q%Get>=mD!(qxcybhe+H`HUlXaX zbGTEvic9%Z-_mG-(AKQ72D)l)J~}U37DMq&x%CU(e4@@C`*oOgYo|m}AoS5~@^qQnVf~u?@qs8VR>MKmwp( zW|QK=!po!|ogwI-*f9tj>-acjhAhm7omP8dE0q|&x#oEt%7+Feo9j+k#^+ifyxZt5 znBE@9QE6pMrh!%I;UpiCiR~NNpIHzP24WsW7d~bu<|6q1?qbP$Jqa7Li?F?KB)!v@ z7)sm_6w9}=E#Mk(fxMaITwcn2P05ow1<1l#eG4+02JqxD9D~ z=)+=vdv=|&$>2a7l4U&BRGYUx#e55T6u#`c8$>-T5d3IFiQ@CkLA&LqLJgTlmY=sY z^^oM8C;mZ!vE_S1f9uS7+DoaNE8!jD_g(oliOQ~-FY4cHZ}-4Q$5=xNPSFYsSVxsh z>jS|~n)Nq-HR8*dbLQ68u2T&NKcK5aRnyL>efrbTD~f(*ie<-l4J}pXN)##fC(W+D z={PkmoZRM6hpA1Sn8>g90qdsx_Hs~N>|*!n#9{aGizettaH1m1Tl!3PFwr!_*$I;h 
zaxH;eiZFD=W#^>8V9pi+rUz z(BS*Qe0O~|xbo9ln&{_PV3(^~pu5G%#xMqp^0IY^4psMBgrKu8Fllsh6tR5mw|aQg z{1S8u(Cj7IsX=W}gw)i+cduVpdYwOvoi`dDMK%aD_W7V$xjhUa z^f7ILdspNYt9HiSMmcLsUlpDnEG>ziv5sPPGCwa>gkA{6DN$Fo`8JwOR(wd|&SbnH zD*V#@In2I4+Qox@IY8{km7hAAJcr?dl-P4icQik&+WC+)##Nx8@(utYBZPGu~SiYE=`+X^uh8N7@1}?XQLq9Y4MP8p258v2#tnB?= ze4e1pW~gT^q4GA<#21#r6RR$eDd^VWZQ8ONl*0REz~Qlk`H0xR;>aIHNRo@=Pf9U` zE^`gRxBRY4=R%5Mw2*@PJJcq#EQnba5#kgC%*GtpMh+E(jTrvc-?4l?{Ptr<_V60WDkMc z+nQ~}N5o}-t(F^lBLiLmD^EKvgqZ9_gEL2;k99;@Mm=$K_WO2ffiYiat4exIo5~~q zR8GTFNovHS0%c$te|h4^bKOYZ&QQ|8J8^{SFdm0WJ$M#ogbFWI{)6A$ zwO6g(2(eg20V#LN>f}B86V3ouxg=bQl&b+I+dr)pwQhV#!NsM~>@0?Xk&3wj@U_Ul zw{f|zYaQ+a&0~waD<(Ldi!$B?I;a;Eg4E~P+2rHx)@Mie0e5pWgv&XLrb>Oi2WM7i{ zXdv$wY-8%H=!rzx$LE=XN?OomaPA!1Uc^A%viE%W!hm79ediX!!!#YPo>Vz;Us(RH zh@7XeENwSQcup%xXzujdc)qU<+p5a%1BpC6nDAE6PlkWQR9`yn_dvPfe(VZo#}>oh zPor<8oL=RfI!2Wq=EKDbnDI8xovrCCnR(>Y`J}QMI7k26>hLx3$Q4}S8 zHR|QcRY(u5&}oY_sQMHKSJO(Ei5XPQK5;dEju$@ELh|9uGBy!;C}q}JoqpI-=nENg zC_Aj_hov6`sLJ;bRr%kDl!_K8j|8a7)@}Su&Feod7Iy~utlTELo_sx$mfe82+CSIS zjAfVnxu_HOR9IcyXCGo@ftKS&%6h*2O9hxL%9=6KH@D#o9&qz{&rvDy?nj>z`@Kj; zihnhuiMZv*PLq7)@$cH(aA~8-v+Cw;q@}&mMO9C&eUuA%dyg++z(PvWpMRlMEr#tA zhhAa+i||h>$L8&b#DVI;;*WY_9liB37#S(W-^FT~sf#Gmr}Q4r^A2mx#@fD}|AE5j z&2ezUn5B3WHhAG2+>?JTIKBScI1rY@)7iv^3^!-(+?k!atNlJo7CQuQR zAadyOW~=9KW)uhF6&~dL@kUQ9b-A4{*4gEJlca=M5%5L$D&A zeB9olFg7b7^UsQ{TBeTbOXTro&}tAJpOy{hdbMth=%N%$z&`)^*z#0yY@omS+$TTF z3x|Z5flzcF4hv~LpLKed{DJwinEi&dTi*5bv!$SToZyQM#AF@=5R;?N zS+L|m<4nZ;k1bBZb}m=r(@pCfu1NnWiR0E?xh}Q+xV=3YC5iYlU32S89kAdvWk2Y| zmlQTMOyn& zDMctYB;Cv-ikAVus$5km6!z}*zLWC^oa!nIK;b0@RYrPI=-b~j$qlo-dgIV*oy}i= zF{lfH7+(~^vyB8j@-t@Eb`-JYUm_mw+As1ilGedPs5SBX1NYCCO{p&On7TJrz*TWKiS(3sTNJI^43Db88<-^P@ z94svT84F7a+S#n__W+~sf%?M)ACXYe1m%%NVj$3IA79FU&>X2~T>Q($_H+dP^8L-A z=k`RA{YZ|O_>%gr2PIX4V-Msoom<~R=!eijwxrcPg3A8X;I$%l zH3{ECt0^_TlRB)3VH&5?w3n`ljf?LzVlXls=e51J)R<4!&csG^sPsuNc20o|F-T$E zMf+>~M$WBey-G$!Lw*)4RwM^kt7kB_L6G7nrHW#ySM$F3uHaqtrTcsRoLa@~**%$f 
zLXm+mYU65K8FhJZFEz_H-QY53xA3>Q)^kvj!!RJd>}#!MSYe??%_oevs<_>Rp_RxJ z@T94Fnrd2MH%QRdH9V#Cx006YG`Tj0rN70{Yj#AJ8Tu$qG8N^O*iaU{5KF~;rpf*D z&ct_=8WAC%5$_y58foNXU>&a57f)-GMp}bh+dfLP9Moe)yrxTK(5WTeA083CaV5_B z%VGZgZK7M-RnIVoTzr%$VzpgU53QqkWhI91kD=WzX~nynQ#X$RXLQ^;H24bU;<;AV zGd1IN*)MvnlcJMvgN3!>2qv!FUOKoLt=}5SokH@>&!KwL$JScuju8@FiNpgze##Va zKxmqWMUs!C5kGmY5|2wn{D{=<>~CuAn{k*}+Xk&XqiFnc`>ozi66l5tpQXvi4-q z6SzilvaYUjYKIY{N`ZWoc%yQ(y83sIGeXnGiZ}p+M#!#7d4T292W0;iG*du_Se8@u zznTcpGz6DHAIgMp6J&-Qh&tMbs3X$ij8FtMYtkEm3F~lzphrL_5J6LH6HyXyyhe%{Y-*IP?^C)klq#$pmew#eof{RqQ; zrCasV8cnK@lH$JM3;B}#yN>OB(lg1LCc84`{MWDHDksdcTdI2f(&^kwye&iq381jQ zYQy5gg&yl=am8K?#x#018yNC9JrM~6`mE<$YT_|H?JJS@zuMd50;9{Aou=r`?6b%@ ztDkeGO0XAcu$JdQBK~PoW_`RilnpC|r1`}VX^c;7_HmTtogJKY5f!<237H|fzD2pO zwiP4ca)_>B@l^o;DPE;N!ic+-xPXY^_$t#U#VTp}!ZP?N*2rWn(9F8l9I)$g8oTs4 z4a=D897oflDYzVNDqyX+kas($2QTe!pHTPT-`zOno%c-T-ROK^GKY<5R+5P7;GULO zwIyK^Jl$$*yV-9MA7_?=GBUaR`P=GuvQ`Ywc1@DGzf=&l^FLTKnvV7~U$*EOt+wVf zuFUxuaI&6mS$UJ5OI+KhdL=VRXlmLP(EQc({BsI-tAW;6YrN=+dZF7$qbo~y!~z(A+u;js)?u#J<#eIEp^fA>>TO{PhXkj9J? 
z9!A#K?_RI5#h-GACHVH9fSH=-Yf_~AdPci%K7@Nr=jpS*g+D|-G?DguE)a~WVi0~C zhCqfomK|b`s7UD%x0*p9mHRw+Tpn1G0Z9JKImFN*s{|QPzs8Z$Qc8fAkWO9V&iLmD zWJp&4iI1o2N81%s6o0l#U5)IqQ3?e-SNi>T+De&%E~mtrtTaHAB;cfI4*SD*FVJt7Qc*DW-9HJv89tV+w;F1nz&5$ekOlq~1*g(h7ki!frx4B@_8qmHgW1wAD zlE+m4X7bv2y6;I90KqWg`iuem|2DxbQVh!I*e9eG1U{BV!-e?4H&8+i2tOiHc;2dEB?*m0Soz{M7sWCP{t6)Ff6jtg5j5 zmU^J(^GEgFFKr2GwZ~;aK3LLo%{w1S*#z$i*yM^nf;j!Q#}iW4 zyeK>z7wO=ZlG3N~F~KN@GjDm58qTp3#4L%rEOPCLaE&$;V(R_y=3*f>`sed#k(HF7 zCk>>s#uX3z*!5+7sHqQt;3k45ujelP6#N)$n5e!p1hfkLq^OHJr%$6Hf zB#ABs=u6)oD%^>TXUyErPCCgOTGlL0f2Mf}6Qnk~g|GzG%(yPLHn+{guW$?ml~`c( ziWrl!odmkC7rxhjpcWme(~01D*?`^Yn84Se75Bthc&75As_nY$Trq0H>~qzIMQ47A zW;ScpkMpd6JNVg@ID&7;*DIr0|xX;*?pho!5>_YzpD{iHkq{{XOzCq@`|l>t0CKC+~(ot=aYm zI7EyBwLXd@{cwMxMUBLFFv+8CGLNPA7k-^XV#-~_qfssU-v_;fxf~^2kJ;AAEgLjI z%n72{Iw*J_^+}&@f~*0K;!20L_y^`hF5^n_lz`I-@7?KwuE*yGOLRtcz6u`{V=P>F zH6^C0y!U2>zqU#%Q;(@8edM$;l-cX+o-vQpfLd;Cota=M3xk()P^6NAD9{0=ds@?}Cj4cg(2}w#m8XglC9QtLYDSSR}TT!5K^eFX2 zyWbgbo1q(7CCV3dYuvH@*R!lQdH{eOLT7gel@3Ba$iV6ZeW z!_}jLZVkHoM*wo4a`SH$NfG^-%`56QJ}huZSZdzV;OKTToN>5u-nbNq=O0;YxkYwO z$>mn1sTwWimdvJ2xwai73KnVaTd?xCYNC;BL(=)oyH9-4XM1SdbG&C?x9P+0aJ0kw zCyF%cOXQ$#A@0124Zs99?^*P%PE1U!wH&nJ`R_VZ0uZTeb=TIuQoxEyo(c`y%``Fe z?MiplyS5_{+LPE}ho*4Sj~VD+4@6vMU&-OEiiV45^2WjD;_6q=az5$*yVLe@zd7Hl zb?@R7^LQ1pyU=VVDCFIj*agR878B5nE`b;^upZ9JPDhcl!LHj`>Jm?DbU!PGg&sx>etg+tT3#kEHCbcA7hC)8Mu)UPTGS2w$f7Oxy7A-r_LoecY>_^anI;I)~UdaI9 z6f{rLJ2$zYiws*8#SWAEN1BkxlwY9aN)tBF1 zCFa07aZIJ#fwHvrIbQlWr$3HHVr|j?V0dER(Ab>CF~>c8b1M1_Q|1zd-h4d3Rrl6& zZ?;~q{*B@2_co^~-iJKHwpUQ45J7lWSg|Wo8*t^}cexy4Kaj#v`(~0;4X&!1u<|oz z5Xe?V0awSSS^ogsvVlzM2~mv}pdo7IHftI?amvK3(fW6}N@NKDq_k87Iu@9GDUmUo7}oj%~nxSa*fni(!sl02o+t zA~s>O`_~T=4}LVl=|;DFaxNq8!4iPNu07qG6P;l7qXm)?PB$2c0RaJmUGRS_jLVye z59ig*UFj#XY1yENcD|v@&czb#{9Sx0-q9i?$;>zFU+{pHD7Jw-DgU_Fk3h;lqbc6Y z{5zj>d#Lo18&K?bc$C~@GV$q}^EqOkg}^clEEvua(~l7mvj#M#T>K}3-BWKXUewzG zXZD&6R3J%4Zr8hg8C~jJ7rxiN-PT*$o*}tqhbfBVE#|8ry8Mfs69H0L1X#3@v3^#3 
zs_-CitsH#AS|uj#UCvJa6ksY@ILST=%R0T7a+mdtvkrThxl>_#J< zw?ZK>nv$nX24D_8%Fas!Tvi{LgnG^goDAy~KYwBgRg(0DS>X%6`8~GCdXK-d{&%vx zNEQJ~lq2v+n*v45U7ZBb&p0Ol6mOg}FGHTzL!xR{2Uc?B%EnJP@N6Ezviu12sce4h z;GFm8GreY6AQi14}dR>1XM%`cpd0~KZEaESQZzA134;`0d`m=7x@ zffrBX$>Xxz`Adk}J1)brLcXv~$~?=S!=cVPyl_W$N$2^ep0FmC)RSHTMV8GcC%C{@ z7=M7c;`4rnr1WS+IH9Ca*cW39KPA`pyK`=10%Me{aP-9z+!CNB*_{4-9jE>%4)^+t zJ^$~h;UdR#M9jeekt8*Xm9-X@E8&v{MEjMr{DkV7Q8fWILFkj+`Q~32t3aj1UVJ-u zzEjnX8|X@%#BjblbCMygl`WzveRrzAw;ik#w9w+S<7A}}-nfYkM?%q`BsEK)jw!Uo zGcY3v@Ij+>qtaaPe|L?t(@k6OPcf$l1!bjHIqBx!nE^*XADi;VK**=Z9Hto0P_Vp< zwPbDefA@D@sZnfszVd;W%UB$ywT1LoMK06qM0C<-ZP$Of%AD<8u;4BKw6f>!bj>j^8U4UB(;7Tikia5@j7?#SDq{3&!fWnT;%O_m>a2#Q z!M1k_ii&4pFp-vm4dT0QDJwR^_ow43UP%W2=2jIe(gNA8@I7GVH46sb`Yx$78N1V! zl#~o+yS07kt+(qZm1EQi5b;0X{kTv^2FB75d^&OqbZ(r3!pjvQo0Q#@q01lLO7TO_ zKqIBzA&Rx7g=9l;;*E!HeV{Lq$?J>;TM^s3vvqlD5>P*%3$ryEMvkdqe{FiLyzq-E{cGyBLis~vwxKQik4q#v(dB)d=Gew?HbxO| z>@o!Iixye!Dk2nTkZ~0PoE@bc6X^(fKe4 zBbBiek(lJ+!)@jhr&aCuNftle*?&=7cEd*nZ07pBk?YIIJ_`XLu{C;(V0^()Yb=o? 
zS%h#faeBqeMoi~6zzE>+;15v5E@?CjBVM^J81eyha&wO_Tbj2@JU2G(2VtJn0LP|wIW@}LDVm?_3c`oWktP5ZA+oai} z*&3~m6A+1HzW=J8%6aYQ4q!vas|{~E1+s0^qRxJza4iwjTLrVG;8m87S4wxM$lh3)dN8_5HEA@`=M`H8-;x7 z;+*B|$ps4lkV9|E=#RaIxiug}z2+tpdi_{nRzmS-j(AT2vxi?V>)>`2+1HSUMqMcN zS`H}` zsX++HKUh74ye51d_*Xs-Lm7!b$$Bb~%j=%x7A75)(~&*jHXxamFx)7oY#CT65)BoN_i(3u1UH0`-y^Y_?^$m z3DD`htZcu3x8y$ksMEGFuId;%WXyXAu{Eku`rLyf01O0o)r zu!YZcgNXLAiOl&s2n1(Xe92k_8H>p;|=&C7=lU!G((6t#WYC%4rJ z$bhvuWL1FC0NeK!vW_s|4hK#Esyt1;uQEs66TweD zm$T@&#>x_yEJj9R?#i3{n}gBgFq#!iMMCFJ zc^t^}tyP_y+iwPE)VnZTisLg1KL+AX66daEBb01pFpa|_?F2XgfO@B%iS#ry23+rBVcU`%cy z)V|&RQ{~3mF;c`i)!Vo!A?Vq!e6yUF+7_lnuA_8Y1&;->ej zOHRZg!P*mnaQ{a(5da(-7VqYVZ)l@rJ70$8VZ5*$2b@&1A$INOo@CU~ z2|~%wCLxiI*!wcJ>jSC3)a+fXDf6xMiQ-A-oCU~b;vEs_Vmvt)^gW?oyJlRzn3;|r zsS#a+$?uZr;5ks;n5qW3p%7wF726y;?DBoUVFZ8%-IW25ouf(B0&oK`ZiG(e)t$>F zgDYw6 zgWq407k9JOd8VO^#$hCa)y+L;)isK3xXy*K9e8l`0+F6E={Vu=(AcGblh~!Auvli1 zwbC>z{A?wO)}O#QzhOkkli%V%h+m&_wjTSI1A{prL-mD#Epm6}>jiSRkq=H3nv<|3%?6~uIJ;kDRbH&^0M7`im0@}crJgnQLI zCCFuR%*0zN2D^KFKa1UJC5QroX&2s0q5Yse$~{CjOmCV6i0ngb0DO-JClJ2$AE8`i87Fr*kb8&uZEw0oco}x!H)BvQKui{t z?}Q4rYWDK^GFX{UXKTYZdxDY6RnbvGnJ%U7D#v1^jne1Swr%rzQ+`PKtwTAX94_pXUG6#C>>fQQt z!9CQH!fnedYQU%HgYh3&)Ba)5{Jf_{0jy~Zp2vnvXE0!esc}Z~h35mkpn%(F7b3zE z_LVZBKXQ>Sy>mJyPynNuanH)WY&f(oi=MW|gI@;6;ZjD6Z4oaQkB>{dJ6Q<07Bun4#L zrW(qbU2qMR6A**Mcsfu2i1@0~&)91{EeoE$VuA6%-Ii;_yjXF(!fP`EuggE#M8IK} z)Y{*`gn-QyBlu9y8n1oYIh|`t zwZvGl@=|EIgIMp*^X?B5tvx3^Dab^!QC;6xR>L!k9$P}BD>jQq2ao@R=B~|9Lg}+U z*)_TFwOxKXe|zl6?i6b`)}V`m$@?20LLV?9D}WKx93$QXX%?o01dvGhAqM3NLSStI z7MO|83Zuto&dC8`^9b}yc9B4H)@_!x;zh#^%Z<*G$I|HFzgcOT1$Gb7VG4Ay52%hQ zEH=b^{n0};mDnyQS0Y*YI8O}aCp?7%o`beUBo8e$xi4)-4o&1;#F+IcF*+PpoH=W}mz53pbuCznP7Cj6lDr&1DxB6EpR9V;CAbw{m}%J_ArPjs)`5yWQ2x zhi7_lR1km2W{Qi?()&iqi+NAEmQYVvrOQZwsutoiz+d&|*p5Uz`oL+@AbWn;MRX$> z0aSPk85M>tx$bJImITz}MSt&Y7&dW(l{Fp&+Z=%vv3ErB)vm6+c8we`RtWuvKlv*u zz;%=hbp-h5sj}hYxe?}x+9AQ{v0s+`JU~>u+Y*5(P+=SBmCgf zXvaJk)$h(#d?iRUIjZ02Yt`ylmRY9KfD(h#%@7?b*qt-*rmov2;u?(&Ed0+(Y?jCNFJC~U2IZt 
z&mqP;fR7Gr=U*Lc5YlB9!P(&X0g!RPoKiGd+z6RXjqC+A`okR*(5<@yW>i=(3=H_g z^+FnYA06Xc3E5G%{hn1*TBboXq;@UYm`x33#49?_H83MN9yt*;-G<`?bY;s|+ z5KYVK(1c3LXfGXLkVly7x7uag3EVartY#?jKv;{c3Lk1j2N1_kq2;AkUz_MUk9<45 z5~xTGLuzeJ;3_8C4SozT*-+1S0n1PCCCyRy@dOPn1!X9DK5&_12B#YI0_b`s)k0hp zJYM*YPxrIt8XDvn=E8`q>khtBtyV=xpJXnRLvz$(x-z*U`An!ANoD2R>a3y+k2d zG2FU$`Bq_1lvN{W1QC2azWNUEBj;bmu>ft$*QRlK(|HSUoOUESyZ6w+pR@UA@U3x$ zO(MkdFqenxv^C9!Nq}juSMIvTU2_!E0UA`EULc%r;P9!O?+1Z^g7E2};Vc0@FrmK! zHZSaDBSAAgCK2uKJIzpWeo=57;Aq%61kEAIn+-n5P0Pj+`s>Gx0zO(p#XV%&Js6#efD_&g&Tx)#($Xe`GSwRh3VtW|h>;^fs zIxshT3%2ouRu=6dx1iB_G1- ze$bB*Ikpjsf+EsKbxY_mNU;AYX9~`3iOTEm5^J2!alnu_1Qs$42s{9tGe8#o4E z!vVb+%Ju&+H?PQ9K#AF%mWCi;a%x~cDv&ytzI536jN?v*Z!3rL6KS}_Hmiti>ER<$ zTig4^kYL{b?*%Z*N$e?VU`ZuVHW101-$ zDLukipJ#DN9cC#9;OI!m4j&q0H>SScG-T6(EJBm=IBa?m1f>ID6<%nu6}l^)vx!O* zoAW56s3)e8l>@%pq%KLfsnpMzG#P=hk&>WQCKBi^j=?n53auQ-X7y+-6^RI3A&}~R zGFN6;UW~!)`wvC?$g^bG&u(e7vgn2+ zNQS+rR+;k2(KS-8 z^Yhfusq#(s_MBjt-TGEe~sIV7AjxB5DzCjeQJH+G98>=G(6vHHqQP z5s#XUP1c;QTN)NOhIdc`x2^Bqdw(0}u<4MPzfCI`r>TzY?*Vy){KL2i&^&+J8?r>? zTiar~4_sj`47Wn#`w8?B=-C9m-P1UxcV`sTM2>-IaO&7s*pRI%p&D!U#l#fmpT#tW zJiEgszwkK6ylOhQEZYJowV8ZrrklALNuUYI9UQos(kNP$Qp_O@M3<>t|59>I9tAvG zVhzzz_uCI%&^ZbSqdOM{kqJG6^uNDX%j65%N59>j7Kq{B-3W-RBL01A{)+=9o6%J# zIOecuHkvOQ32^4XaCW-T8(?wa#N1!|8==fXcd0@mmV?mH~3tkV0==ybq0tcze8E(c#qGtxCOfGgfZK%U;2UkvjVuukhTc1OiK%5H)L|ND_AC zTY#J(Yie?w@=!p@(vhe?YV?;ViCpk;KBmXEQgEeSjO&W&;a!DO@gUIeg0p2>eQy1T zG6I<_vG&Ov+rXlpVduFgPvdlKjL8J2LX4A-K1C~{kUdnJbN!NQwdF2z7LNScr`}fu4c_(gM9fjU(~b^gmn$lCJfEH1K%|2_`Bvq9#^#dW zXMw-}c|v;^x*79}3*U(x)Jjr}(mb2Cjo-E#)^ei|lJ@;Z-^?xf#N{)R#DnAb5di(5 z^Z@iDWQ{Us2IxU8dQt>B&-LILN*h%z`W)_?95wv&!D;_keXSD7=UknD;z{x8n69z4 zM&@K=COjpvrUZz?CRFS-u({%tmDCNMu8T>! 
zf+bQ9YiX1sge_hkt=2`_1HS$-x~3ntcU>`9tH>V0JTRbcO)Ya0i^zv1gR_LbI!QPZ z#CfKn5r`~V1{{Sg_RWPK^64kC0pHC&jFaXhKP#}--9^NkgLnDW!K=b7xt}Gp(guL7vueKkg%%{$vd*#Ax}UEw+VZY>oRf9Lmo8o z|2pUyK?rbMS zvj??%>R0bbGVorIBd}V1!;=UeoCN=UD24#HexASW`2if_=j$Q%3~1s0>*ynT*uxQFx%jkfL{)li0O=>Pm86C+{`cqqug3%YhyUMg{=Y%{pOHp$%#3ixfnX68_b1s8+FeDb z)_P9y&Hz>eJ3G6LWb0xoc#sb`DT$PYg+)m{os;EDy^|VXhe*oFfgE8ll0v-?W|;Jg zwbH$)MO5EZWa-tbQvl|R!W4E3v!tXX#(jKkAUFS?2>kEYeRN!BGz+dt0l3;s@)g?rM_CXW}Aa{`Hj0SB3E zJ2ZXd;Sl5CajZrlPwPeq=(LVQx|*QN#Colv9IFNr&#~@Xhs4JHk=TWP(b&d)A*uI z9``Y!g}g{1Qo!pPf2I-M{!NVQ+lv*VUmNcw?D|d*)*_UWnNJQ2E*Udb{IfH3bnblu zG@6TFJAO&foBgHh(I)jXb0>CvZMN^M<1qNYlJ$S2ap1LI@S{)adWK4=WIOr9ZzUNp z2z}kYz4Fe2mnl&PPNpmwjU=J1E~S1OI+a8dt|DL*t4WajbN=FW@@#idStm{oB^g$S2@w*9^q`BbCSyw02lDDeeA^KfYlrKKT8B~;cg5B&&$SvrhGQl z(fx&5HdyQZpB9f_XH%*jq2MX>fA&}Sez4t_9*TD=G4DYbg+Y>D`ven}TE8O22e0C= zUz+8lEYy=c4zXkV|I6JrS+Xx)e8)E&c`Rz-1NS-y#~CmBYFsaReBSBcooO(tyt?L4 zlSo;)G~M#z$-+M0HA8>mp|Fp~n4>V~q~v`YkGf zfz$PAP2xG-MZ*V65uSfKBMMA=CI|R_g)T6qAu+QNAKDj>Iy~Ggn z^eE-*Lj#mai+|nQyVH(&D(b341+emIz>BifQdF7ONF&#Czm1QuKgxMeo&lSi{?}9! 
zlYu?VQI}SKUio?AlEw6N@2X5kNsMgqrVHceW&U|Kd=*FRk&{O`G8_4ep>_`bzfP6~ z38>RgVZ^;`gUc0Hy(In&o#qh*XBoTESH1oIYq+5E$~%l>6haQ1d?xqcVyd<305u;e zUtEPfI6eTSt7LbsQTzIQkIORfs_2{ZjGmUv-6@26AJ~D-H(73+?m6nkCca^!GR^;= z0|)=F@l(u{t;B;YNbm5K`?%nW@9MZAYF;m9H&{wH*#(*1Zll+_UQilS<-5Y)eh&W2 zgV>Gotel#(3Z@D1EKg(SGZxuqJ{z1efLDI(`KC+hV#=f77?(ug-(dgxej<79b$mpB z`Q|_!nM~rq&%pt6$MY2Z@*MgF88}>ZL~Q@ro!@5szPoVTD>{SEc1l;rwIya=UBdy{ z=dDAN?()r93{w%!uJL@dX%rHFTAs#dhx|>e;Ej4iz%yMtaIoy6m)!?w?Ss_%%6$=a zJ$7OnO@fna3iXxk=9dxpMtNGORv=q!pRL<^T&n(wR``iakyzy~%~bB~ngYk_{lW72 zofO?S|2yS&MtGTUMlvurvNCP=*G@BK17hazyED`8!q%POOkhL8yr=f*eiRJY7qfb` znV#)y8_3P ztvI!QON7n!S1iFI)dl|?PjFwGD!53$5lJcuyn!Ppp`YICM9-T1^Eh*={J!ka<|&T~ zdPMQ&{aOn0=+&Il>2>Qxi6}@=zJI}}UMq1hLgv$-QHS@Cfr>WxQHb7mRh(_HTWcT} zv$DExda6_1{LRNPo$Y!LI{G?l96$IsH+$_v78{+X)HgqklS;iWCZ^3RgDR;Bbsdwf zO7Gx0P$%@M$Z(|l)))haNwrlULpT>umcFS<|GV|{0|YerhP`z(a%d~C8RLJ#zm@+8 z*x|+RBFucw^Wwjq7&Zx7nAU2RA*e7UBKE{_fiB(BcqoO94L|i%A+wEFcF6bJUj0O? zGJ5lAUBtHxU1b-e-cz`rZY8yt&W5vDS^STxNeaCRJB((R-!aQ?Ws2i+Jywa0@7#r! 
z3czu}7^G`siCvYIk4NNYD4?LT!C0hj8BE}+^@gn0`9_?g$Mg5er{4a}J{q2u!3yyY zP6cl4A$(0Laa=Do*)|t)8?^tmen0+nWmeHeqJHXoG&+h-*fIxKb6Iy?=Q&Lh-#BSr z?dl*qs&Spd zU#kwMaphMTI^j1d(p7f-NymTzOau7S`m9s@d&1#NAr-n7p9726V;>RcohHCOAwETx zX)ji-9CpBm56`u9c=(q944m8B+Y{|@_%^U5=k}a+X$JCCSY=lwybFa9-YKgaRe`e@$)m&4BR=FQ`a3mTy}NRN|U*m=`t;Ew$=dPP7I6(;FT7k& zZikb8%YV7yO-3CBSYzb2e&%u(ezF`K{O!;doR@!KFx~S~zy1Hm+*?Q0l{IgJ!7W&T z5L^QRf&_vEcXxLZNPu8BNN^5LaCZ&v?oMzB?(QMDyUiip{r)=r_P5r|tZ&UX|J`-( zk-c}-uBu)2)N>C}F$=CMcgV6;xD>oC38PI+adZ0bjLOvd8=Fso;c^A1+9fZRQ^N1_ zHPV(Bde?ee1~tzIAUt-hSqwN=cPyIR+QyCM_lfc$ph@;LO=~HbcOB#>x-* z5_t{Nn<I&|!>(IKcQB5*eV(RfGgSaOJ79;?AzvK!Sc@Qt9% z>$azI7&Xd-!KU#7_Mhb+`bVH!T+ZjS+k{Cq`Q`g3FG8b&&l60X7!wA2DrRe`tsUbC}n# zG4hlAQv)EVCSN2BY^du6QyI3&p%aB#2w;a9qcB_psWz#d7#IWxlJMzTH!k}S*i2TN zO_M($%xt#CBm#J9I>98x&sEHivJJXQW+0m6KZk5L*g1@D7HHq;@3&=UfX@@QyKsD3 z!?n6B-0n5jW1AOF2I4$@M4T**D^dyMJ_aRc0$toU8YKR zZ@Lu|%Wdps?cqs4hTLlKh*l8l0!gu5lN9moIuBmCec58Ia89>a40pjK!I9mL#A3=W zr`@dEY^D1dSQJTM1I(Ww!eO9+@Z2NQVxCG}-maL~YU@q&3QL zy}cS~a&dCu6~_9)hhYKz9M3kwb9JfJlUcvzkppPvG6C^0@*}YS6{Ti2nE}ze^|Xaz zDzQd~nmhP6jcK65D2EnHWzMkoT>r#$_3dpJxrgjhsQ~L3;dDQe{XNMd0 zd;c&E!Ovw1ry_r1hZ6ZM^mdAXE>qe&c_b71`z*P?pb zT-rQphS*M(=^NSNh=g2G2hf-u&l+e-*oxHNiZij3(f-i3|LJTyJ?i20mEHBa z;Jf0xU_L2^*bHv&UZ`(n2qaGQA_ z7#ieD>?mI1P^_FAzC>tnpsrqPmANof|DY7OL!A=2J6r8bh;lUp zcJ^_CP#>3D=T#tx-KJZX1I*sClfHYYQ>P4qozwT7VmArwm2(wE2Kers7j2j5-wA&9 z=$GIy4SJ}{{m+TREe7_T>Jnn4q0QylY28P!W7J#A$tIe8>1);6i~HqOPnlKr81$3I z%_=xFL~@fYnM)VG#yD^41;^s)M$Q~?%K=DUDX`36Sh^`jbk{Kil6^pY?HVy&DmTAo zqmxo}1J=Q7{+#|#d4gT?IA>P<>~h=f;hh8Wev%}nc7*naJqY%0y zuzV!A)?XdTC(y0mrNH;;^=?0p1WQAo>U$NK-|sr>srlHth-c+Bx0S=`G9$jPy#(qv z%4~2vMg*b~St_M*z{F<=f)}#Dg?gP!;l4fMqroH~|0#&^T=t=Z4IU1l>RZayyPl~n z6k+GgRMg?2E`h)X`$PptRM*dCbJHXL)W+9??TK*bbj>x;Yh-W)F72aBr!b@!P`?Oa z_Be(14yxlT|*^U9$TB`s1>Mx6?%@r8y*=6b{3O5>U&yp zqu&JKfY=mRL>MNsy|8?k=+wM<(t9|z6GWm{$(R?9pX&{?gD{Raf;wG=EuX-~lIsSU zz!oURK(MF9rvV-|IKQY)a%(Jim0(NDvN7|XIJo7N*%VV!{Tc|14jst^q_(Sw?U$hX 
z2?#;30SE6;BENmwZzo~?*NE)}Ets@DIrNYnwOS_Eonu9QS43(&-u;-D#Do~kAM!I& z2IR5K>{-x^;L#N{-pJ_6*Ahcdd(yVUX6ns0+2!X`rdJ_!spOr!WXmDqYv{8)#vo7T zJvXk^0)Po6m396VNp>G?Yz)pND0lgQ>!>NuP-6CI0_d(NisWv^kK<1{Lb(h!S{s@5 zZ@66RO^ea(f9UHD63tA;WMEN~?I3JF0$nI3yEYkw^gA4P$@cJ}JdubEF6$YWHVBj2CnbbINA?PNb`7GDZFG@AAqWfV zP}hSa@dTas7fG-c!d4gk*?{}G7})RxgG{K8G>Gd}`plEm25hnTX!-0}co2C3fRKg> z8w{F1S)a4Su_7I=k@vs4S^mdelWM^pd9{=(M42Yp&+Fqc?Iooy)#@Z{Ok#@9>$qL(RS&y#JvD;zhd z^nM~1DX2ME0Ho|f-jRw&S$TQx$ShM!Mw6j-(0;1RG{bgdQW`~g1-l?3=F0ihYvF>R z98B6s=ws~_2z$bo(AilGz2%`oGWT0cV=mZsGvMZs&DYf1D06FZCnUD00S{4X?b$%c z=_#Ee2wUUDC@+%dWMJZ}_!$e8RU$%iTA%7}FTY+aNPvXe24Z1_g>UbgyUys?A(Lqvy zH_|z#(qL-`HLOTcsA8t1i7a9!=SHG6G%{hEFZv`jYFj=t&zTs)@5Drqw#BMwfeo@x?klZ)B?89Nod~ISO&w%f_qY^1OH-qG0P= z6CK!Pw9jba@+dHz?C=$}lGI&0>FVDVqC}GAGc9FggZY6C1B%JYO?4BvQ;gYyNF+fWm|NjYoHY#hXRz=G-0m1yFNEPP z#pD^Dk}+YhFWq`je#PMZyf>HIx971zo#LD(@*J>-w8#g+e-%7<*J_K=>!D34&W-<3 zwyg5Pp80Q%?h%r(_(Q_NBClY5OXq$)_+WBh9Q0Jw_NA-4%#u;l!cjr-d5%bVvNw&N z{061kK%ZgqDs5vl@8+k41MuTKJoQc}DoBvl>`_7+f{J$pzmGrhc`j@WATE7bo|oeh z3ayR)mL@0ILq5ds-XCijnXraR@HuHX>14a3Eo#HMrQ*7M(o3AQ9{P_4fJVCYdgJC| z-#7aFHD%kE;gRINZ4edP_Moqkn*>Sws;h)AfjocG^(Z4mwz<_9nLb7TaXl^3P>3}V z`!NxCR67V>j^UxHSF!H`u4$*YmfOVEs8sr4mnA2iZ!3CL6j`P4-YSW#uTJxAeq?)b z=%0}xo@3J6Ubnm@x@0fDj$k5BrV?NtP+h3{u5TDNxRccDE3~xFjJV!cK}Bgi1LwQ3 zT6XdL_@D|k-{xz|&=&WM{F=R#{2$%o&(|)>FKMTLs;XG9N3KuI0Epx0uEbif7-bK9 zExSm9Ahhp)GXC!Bl%dCak-I9T_u$P?|Boa$_uyl^sJpM zda$}|k4(zFYFIh#i;Eyx5Uq?vV;WtAt-RDyoAVhOYTfIIbv%VGZ^*;k19i=5RIEoc zDq~C?poB)C_0cbP{k+?$sQDa5CqwwLvb;vg`^@6`Y}qGMY7C_vjrv<3FyjkW$(`oUj@15K&FCV;iZ;J%rvXXxEQ2wicHD5 z+dul~B7EqEKTf`qF#dG2o)>7gfu$+Q`TWQCS)f8Y`S#Wz$!h|Ukb??a4U7fbU)Xo* z)7#!1SWIUNzDCmNa-bv=KWF+uM zfdV4{mK&2}!QSbMHegF4At`CaBTD(m1){wq`Mii=#l2SWksozfMy2^yE~ZY%F%f1} z4F^rVDFp+3kL+&|F<3Wv?QRprWzju^zV>6g7)n)CN-x-SD3Po9ybb>V zOw)FQ=~^#a01Z7D&Ao}9VH`)a3>@UnP{6!(qdGw;*PFAz-y|YVN{qNORjbr={WkEV z_NHtHiBJ!?ZcH4>`I<3--0V!+tIB)ShvAdo{?lLJXDil*Hg%yX>sf|xqNN;Dr!a+X zaZv0tY%YPnX8y;-0gM>fXnH*|>y7>x6vm&CJnjaa1=D3N*Jzy8ItgF+%@(SK7833n 
z12s>w4T*WN6$rR{w4nWv;4()Kjk+sk7(q>ZDu3R9mi%+)^p#PLv`29wa&e8M%CSbK2)%dNqZMos+UWLn1-x1!?wZBH$hsh7q zbwKvcpm-lviGd4-NJMz1_OPNNnC<1{s`N`#*~X>`OAJq+|KYsxLU#~9q;uw=;MnZT zKUQoIOI%7ShOCV@a)GB_3QW_LQ$v<^NL&f&*88F&Mibb2fa3!W{=X^ge>BQ{iu7PZ zPswm`!DZwwv5Jffd&ColerKjp%Lh0OvZ=rLRuU29vjc_xKi29$_da|;a4(##LOJr# zT}V&Jz^2C!52161DSW97)*J7^dSl}nxf-f(1GB*Y>V7`hiu8^zmKpQYh0iNL)2jt) zqYxUKZ=K*VZ|~QRY~GwH7JkH0!(9@1;0<_1xfI>vAC(X5C!$qlOob}tisr}4qI9r;_`}EJi^@rhZp(|5v=|8w)0WY3=pkC zwAVoU$J^X|!MWHYM#wx=qH&OXL7>V{$cBo<1D6BR|8m}VOJwd~5uHK|P0G>H$MAz; z_gA4f;?Lf{o`OxjW&{m~LM5rF7)}XhyP)Bod=tcsZYc#8dBLu8#BFHq*oUc+f-C#& zd1#JTFbHeP8%3^pGhW$JYPnCmUizt9C7t`r!$m~kMP*W{`mG+}iUl?KAHbqG0{V{H zTbj)x{Iy@INJP1W<1XlpEU`>}u!d+s1{Vy5(S6|d6RK<*{520ku$>4In@(5o$rF!_ zHAET+A-6sM$mobwhNoHNUoR2Fd=Z)W5_B#|j_Ts>2F1ONpJHp-1wjnrgJ^L$g-He0 zS6)0N#}xyAJugb)9OGeosP$ul^~62I$QK&4Ki$Eu$4_et57!GTfGR`bf8b#9-+BOk zV+o4*z=uK$Y(4$&-TZ|d)D8u&L8*vVH&8o3f%~!(P9y)R9oP^3l;qC3@qcOu0Vwx| z0Sy2)(h@2-w*`nH-Tyxq3HW`Hz9hEzlDJT=cHJjtx?8RHN`Bl`2I;m@ zGC``AF!sISxb&{TuurR;8R=G41W`sfBV$Y%;pQZP3fE3^0@hTOTsb zXW2$h#*}!rbZ*$o-*2m4g2bHfTRpswzK_cFMCK~J-k7uQiJ5u4v~w!`gh`xA_Dyn;aQV*IH-Kxn7%FDSELYEsK>c7|G`TA*HKC~qoWO@WNgJ&Da5-F(LzQq@unVFO9`G4p%te#gxh z?`ov)wi#gl}HE#Bwj^s55?323Ky>K>A61dfXM(r zvPYv((?l)+8V>pA-tK(88t=sc#idxKhNgqE&DNBJ>&+&$i9;uz)q=w=3>uW>JlI=9 z*GMCxh0cAE`hY%Q*qmV{cZZ?goo&|JYbZ}i1gX$Yb{yi4)Tc?$=kMLX20xR_t$fU~ z&+~7dyAq;W$MPEZ1md517U(tW`U0GZ!)dk1)<1K+AAf0FJ>Q#BKZ%`g660zwO zh4Ei7#_!ED;&@HBkn%>+D~T4}O&-JZC2$;~voezOaalHJhByd0G+{FWy3!vf^XMtW zf|VD*Fu!Tq=kt$&r0wfrltDg57Ndd4SA2KRn1tU?7U@V*UMV|?7=HNBD?yz^InTID z1-1{5?}F^g{Q76t?S3;TIe}Y7zGxd#3FU)m97aC~?ZaC};lC>2+Uylf61|)voDKr1 zXBPk<=SiPxFW5f*G*S*=I@5>yAjf;?HI}2GQ_TWdB8_X-cW*dJi;n>C9zQ!M(PebG zUSI$zpu!k^&|}v7q9vdzEo3?F>_P6Hi_zEOV z{;^xT+1&L(#+fHYO+PeuM?xTIh=hx-=Z)A30Kwiw;b1rjS;}E|0GaCI7nTHuadodg*o0Z$#w$T2vUkWdyK4aO|=i3MrwoYUZZQ@?c*81w9X>XK*^MYUBAHh~coj-Ud9 zPDO3ksuz1XcV|rAwj&aPJ>H7n#86Dea>8DMmB>&QO7$1*D2&AY=AYEST>oX8&$CMb zQgyTGG8Gig+}z4_ki#113ps_TbD?*77qN@*`D|fJsmZD+r_DuZBCv2N`NcT3J#$23 
z;=3*@Zpw?0=t5fbuEOfMG}y3}H;aG-NL69&(}csQD|mO_EIX3`FO8P#;JB4becHfZ za|JdsoYv*)Hr7ce@XFlXSch|u-3#QZ6(=vUUbp&^^zJvyMFuD%N`Mq0hF2$enxwVq zmU{gQVB->}6&u(vEG{P(1LA`Fwk^T4b3~m){bzF*Xx|9A4?n)9?yxX318Z3cmc!ds zF4xwlGfjtC38$KD+e98D!JD=n>yq*xpWp7)Y0;_{yx7Piq`DqAq7ZY|Cu zJ_zz_s}tdnzqVZ9I~oP)QGl~Om^%NDC@=?9WL{pO@&;~0g8M`nb{H8i$iKYEd4c%i z3N}Ms08?04d5HRpf2!NNbO1M(Hq~ZRF1vhBy)JJd@m5*S8wde=-(;vaT;CGkC6sK8Y@`Mm2esz2V zV+l(bJK(lSX8Unc_T~1HF+UYx79^luebQ z6jC<@8*S*>&mgHYDm=Kgo%2$w zYVIxA@iR=W(O~b_klyuuecKexlPa_A#Pxh^2m$8EZ@N3gWzN(yZo?ezxpZG7)B;oid0~66hQm%{-}4ujr8}&6K;@YLYj^n|cf=GpY=$0} z#8Tkeyzw*YOtQm=R6?H5-(ew{QZdY}()+rN(jt%d(B}?s$mg6CvhUR!&8p0%KYEn- z5^q@~lfjaj&sKnLlIyuHTAobR77LRGo#X#nR&p(en-#epK%Vy+0lcY^%?v#JD$56F z6L|Ay?Jl>cX4BcDc%mVWJcks|PIxbs7qMZ`9y>4Ma}7AFRpzP4yl)@9y^`>RKka|? zWRySrT%)9kw9;*LR4%*E)g|AO0HU8Kp>j)XW{vGCUlWTcI0uE6$(9pYqqQp^7e1254z_6Go^(;&KhE0x4!KO&wTRi*$WD>$Lw^uq)Xy^tARX%$)H@~4xs2TZmV1y z$8vOa)KV^WIvXytzF+Tgjn;sPDC*c;4SU@o@ZVr&s~)h#N`40Bz-C31Li!>T&j&N7 zj?`gbn_4NGD()m$nq^nQ1FDZq@Qq+<-wiS?FgMKqp*3rru1ffi8m?u z;2b-Ovu>r6`u>)q$2;|gMCq|?B8LgQCCFYjx=Gm8Ux5lss9tocDIJKHIAh^*%|nlF zv$;~@u_|<%xEYt)intK_5G;c1ZxOO^fW79z{SpkziP0884# z)ZZ3-GVK(0JxoM$j`%Z?vkp`J;RIyacSn~uHb7#5Lv5F@?o+raK=f2O9G3=#Qt-s`$u4`Fxe zK(#LMOpCw8eV@bTXYp$_$jyd#>x_Jbz&jxYWtRrdAM~7AqtHz20JIXv0oB4nv|@|< zCKlsk;sP1M1WFU;tInUpiVgO!tU1JR2yq#8BR47qXdLZQ@mqA^x@gQ5-@IFsqJd`u z+0&Ru*@k?VZIf1*B!v>gpG(H>i{c1~=VCY%*o`2gIjc1~+V(%GJ_7|yFHo*FOO-xp z%O4~fLt}1&#KH6hsLp!Fag33cW)#5oF{xPKkz*ujqGXc>4q?uhl4O#da@~B=yZq4z z`Bz>aiD3z=&bt@Rv#}wm@z8YN^f&dTy#-1_=eqEmPO|VWzLz_a5Hs~F*Ke}~Bcmzb zJRb5-xxYKda?rdUByA~~FVH2GsNRx8Y<_M^$%OH-AmF@b=Q$0oZQ6d&8;HKu3P zv>Z(1OQV~kaF#2jY4B_(>-_t{k&cjtJj)&w9Aru67gZhsS9S4zjjd(gQQ%V3u&9@Q z)1;cn113O?5G4tFcXdV>^=!fiKAx$iQhicGEgvfxkAw6RiS#i4)WO|##FJ}f%4R=x z9m65(!Gui$M5O{1t&&Bf6o3p2q?w?CSu0^0iJ2}$ymEI*r0nveE^*_Bi-(^9qTL@qC3c{uu5K#f0^~m>5@=lqY)TqJGKP zKj(*Pt&PkZ?8i@p`1QOk&;j1qjM5Bxa@CmFOgiU^`VHb-^->Q)Zkujtmz<)gM_LsQ zRPcE@$R*VpP-4YmB&_4a>aB43C1#ULk7P&{;M`T{N;vVkwMG$!q|!bF;af>(&x0I) 
z=%zlBh*WB>U_2t&FU|6?m!+bURx|!;%8!UZbww=aJLSqeVR`9<0ZR{ z$SW6EPsbDX>4x{^x@x#I+8HGbA&%-p)oCvEpCyV$C*YM5OTL@OFw`CS6BA5&KKCfx zq%=Y07|MpFi_&jvYzA_qE*LZ$rY=&gpj*R!Nt6(4!$&j~&Xz{~WTwT(>9w93-nR-G z>6C9zv+}0`oj2c`k7+4rRvEvI_b(dVZXcub(u^%*QG+RekDoZ7-As@}Dk$#h%A%U- zCv_L%O)c|Fnhf+UZf%*CBy!2%-g3J}CSBrB7oMdDnUkEKC^EO7xV7+4%=WuPE3eEmriEihDyrWi z$tp`1XjaY;5=fb^*sE9Jcp7^Vri%qJqY_3~f?o968kRmMmS6uZmkViTD+{d*6Drj8 z+F*(vKJYPO@N9QB;f`p6xilwFJs(E5;ggtNP-hT+oEuDEZC1tGp^%Rlvs<{Pz-!v1 z!u-l-V1_qUIn#&!Ov?%%a{$32*k?$N46Q3>#|#OQ#fCEe9I_N{U+6MpYgyjE+kD7lhM zR?x)Nj#+SnY2*U=J`C_nKkrY- zXl~Cs{^{GG0AzX6d_<(qM@kod3Mqgi6X7i`WmjF z!k`sA_P`PJe~KEdrsp8i(AcOGMcS8i{w_(@Cfj_M_1T)}uV-M_M1i*4B9pB-;Fm4e zR(&)|026aL3)eF}8M|obn|1ad3nt%E z3HJuMUn)sJcRZg}*cm;cY*p!LN2?IC{# zck2&xx}jf#`!#gn&#C@7rWQBP!Qa36PGpOvAaPbq^ymJ8~@ew{D-K2zffD(4a&D~ zQBe2arU6Rq@$V7?evR$_k;wj<_Wu@%0e?v4k5%};C$irs_Wwp=?k{m6i9yIQ<6_l7 zU+1XPI;7pi&%eI2UiiOP)GYwz!f`z^l-oPgHOzmcz@8Q9q(327E%H4y8Z6!_+xKYH z?9WD9a7X(8B4tA!cTo|#zEDSW2?kVNW`n*bP-4=~i46zG*qo3B^A-IFK|4jF9`d`!3;!ljlY=iljgSoxy-`*aI2U-?pp|GysRsPp@5#GAs*G*Uu*b>{{Lw;N^ri^ zLPQuy5TjyIVv;-#2U4`GV(2LsE^iZO78hh6bBxGzp)3Al$Aan@s!eJ&C{b&5VOFPq zBMALG^&O;+x6h42$E@i3tH1m6_v#U1l--QY1zdGHR5wRa?d@I9Yg64%i9>0CW?-WZ zw}<5~ll#ZR_l(_7UHHNn^g<#_=y0DDmn&V0j?~%cIDB4i$1c9zpymx7DEH|ZpZY2N zDt`J@#ldzx+lunWCX0}f0%21(GYY#mNsp>9C1K?)RTUtstA67u+SI#egtfA=zVf3@ zR?VE_4V1F=T0Rj#POO`3@>$eY6R6v}9ceOy@sp}yD7SkV zWBIu-yeKMOs-Jv4L%E4Oe6VX#nahl~QjR!(TDNRdZ{L*sZ1yk-zFuqn=}5XJLG7ni zpMp0HB2<=%F)K30T3N}j=`@rgKt#<;Qh7984jRj%OKn-NvF+IB{!pW^x&_VaP|$ZF?if36uRH`S4NE zYVmvw=mV}2Wlr|JxabY!oaIh_#cHy?P+i?wjq5X~&rFCFrOx}ww#W77X5yX{^3g@` zsr#_+W=`6~Ajx(X#E}^l`$+AQ1MBM`c}eCMAXPiC^U}qDTggg%ROx%te*um-bngUXE+AN=@QplQE^Ei;K8J zy?()U!!`f=1?ARdV`uE};*vn)5h=+nz7P?wp4sgWJ?_U{K&IisH|D(c2rHT&d69JT z(!oByy%qh(nR-drYYffKM}@&kMrK-xD;&LSONig2)O0^iX!YX0eA^kI#O6xvG)NSM zw3{5&*^%F)hbt#h?2z7XKe^y);*!eDOy4nVmuXw)uLb5JgAZjw*w;(<7ecWxjn=(= z(EW@{4$tc104ty)%StY;e%<>y2_muErjBT@TgpOMubp>yOMSiMIVYpkO%Uwm-EwK! 
z=9sR-r%gi#{xd?Hd@nCpAa2g2v-X5*+ul#KT`ew@{FoX+n*?fZ?`&y4zQ_(N8jlk}ut zE%A4IZ1Y&Jrv;iESKO^6MTfZF>;5>k?~4>P9~xSnzCw>5$!V41jU;glj@V4V?GA?_ zknWkn0xI8#v)jt_kQFvd&!zn3T7MZ*2nm!CG@8?DG&-9zooY*%n4T+e*wV*ryzE5v z=vf+LrsKxQ zhSj1s(y&xBhQVFCvKkCG;p=lVIRP0C3f$S(#zfY#VL{ZNdm?3pq)Xg!$Kb5j!v^ab zD9xMfb@ierAsopSs2seFfEQlEz)X{LSHifV@oMr9?pLf`RUQys2c5jniQ+eDf<=-+HH` z!Z>l;%Q^FP?ySW13q|vuB})wIn%sHKAN$pO)?mRyKV~8?!JFTr!FsmT05}>pR3zSk z*wYptVT(#Czksu1IV1@g-}!*m^oBR0iTB-HKj2D=W2)y5 zaXa77(^kJ`tS@zNFpR;GYhVlk*r_C16ok6M&pO54z8Sz9%}QwsC62QX`C$XJDWB*C zHBu?PL6dc!o@=(i?b(bHTDUe3p0;ZWzP`G{gplkmg;A#%*lrPf=3pcnC( zMOS>M_QD(pdG*8l#Ioy7`Y{Jnm5d3W5lP1P#Q5+Vu2E){4tg-gL4?_N<=2eLGsuGI zGXbxz!oh{fL)AMABdoJ$_M^zk(Rb{fZT`;8cb{?0G-`i5SRzEFe^GNRj|CwmZ56`A zv7V zLP4MUlM=7-ibZLhS(-k=lBkz8a^X$ohNE)>O=}*$GVQA+$l4<# z@DTQU{J(?5fd!c&sD3@xgry3HK--u8S~<4qy}*iEfzy`3=D|9~;mJV>*WI_NGC_SL z2ZPfMzm&M_)>iq#x)O6{|5quEhYCV2VZpd7Fu2m(52 z9XEJcS?ybqv4hnN%=baPK-k@z*+)>m>7TGW0}wgnYY&@<&(|`oB`%m4ZbZ65!BKd` zMxI&!*bE2>jw*?&Pn>3*zlNzun1X;Rr3Owu~erqKU5Nor$ARE?r;%#huguUm_lXE9d*@ z%g0x4FE?+KbAR%Sd}%!1Ea>MeZM@z#8>L&z{16hyi>nGJ7O**JY#FFtK4@Q<(=xbW z+7q$s1A!UG%E4~+G2tlQKDQkwCY<;o-Qvz^GC@lhtL9_EnXcwSB{x~mcNo7kq>$bI zlBY(&b!d~Pv7&4h$Wg7+$H(YxDL_UOL(2}oCC|E|v_|+Xl58=Djo!L28A>~s-bXeS z>Ts-u?vTOZb$pPNO(N%O2{c3)EEe_vJp4NH!c)LkF)ocqq;d#vyF=hLu05g+EjOkPa_)YqLhAcaW@`MpUgufq9hE%*%(IPH(D9)Yw(nxGXtg1{hmF3p6?=kN5 z?#o&Bg-V}i$wwqdCGMl$ZL~oI91LH^IkDBJ1uslg zAZw$v4kwk*m;jI9O4-dcG@kEi*o=i2!ktx{mUcIl;K!On}H6-E3L{qizeqzrOz=@D}{XuK~btSTf9qRZ z*JzPK)aO7QtOszhnshkpCkl{2){B`3&wh^~D>RTnrE`$#?i zNXKOz9hH2@c>GLz7mn~noFKEmXxasdNJFySb5ysX1NgU{>Ph9FRkD97Bfq3!{5Yb~ z-kb{T@Y&62V+mruwiP)hEXZM2+wib0oYM}~PBZ)-=E>45KIi*;R3Zn}P}BJ_7To+1 zEY+#dgpD|u`1(>{Y+CP+tgF7t5!=*Ev6Gsc@ny*0R&2GHm#^Xd6+YS}_2X7$3}tEQ z5&qUH515T5V`t?zB&sQZv$8yo`x(rtEl!jR{>V~CS^0x8j5Lo>2;3d|@n}`Q;U+m} z8BG^IMxo-Z)c^yHMrmAZYA_IJp$f3;L~73aqu!@a+5RX_ z$ZF2msAm}^<5?UW{Qbymm&N}fSgR~vUX?&BNwa30hI}>@h6KVkSAwRSA=Izj>0sIffu zXOOu%ryk3+-*X)N?k}m_#)XFrPfpg4HFmx;yS`B$FLz@wE8X5%4kUSr6}+^AjYBub 
zzYfo4TIX-Rsvwr#MnfA1Nw-J*&656cx+Fx&$n42srH2zMcLb~o7Hc`jRg|X;Bjrf{ zo{af3$#9?NR^HbRf3Yq*B0sj(gXyqtm6x9biJLO4#*j)#i=+l87P(@^=rko%fBGllO|PUIJU3e}3M3>SAB6wYSI!U8#|N$~=U_i0mqNFA zEp;)*peXPZ*tu4DIEn_?5*d8&udCJ;nznxzqy5Fd0SQ&A_T6l5zAq&@hvT@hQ8b@U zT32Zm15U!GRWY$2RF^8MYzaDa7}`31w=Aj-kDn0 z$u)?G(@#HjQL5ccGozM8$MRU6Q*ja|6z8~hVL@=L(K@-O^ParimhakraO<_tcd zy{1>t;XZ-0|9;A$k-Iv?&1tf0NFR1I;NV{&4~5tJXj zbf*C-Y^&oeYTs<(TL&oBf~S$M2Z`7j$5FPYs?}R`%1%#sP4ueVwMUULNEj_SZ8sBd zzHVTpst^D&QWLKi35vS9q~VkysVkJ3`{F@wetg40<-D^Xj-S@jk3e2o-(MYjJ5Rpk z2J3-*pIA#7qb6IpaM7>)kz28`@TSD5P?o2b%KUVYQB*H{QEsORsVL2dB6*sd5T3BU zq6`Lo;42Dsrs}ell|YD+SiW!p4Xt=5lSs$lY!@s*(1&)nH`c!_`v2tf1!K=OY#~#xF!(`0bWTsR{R@v6U(_?GX^1`K`x|x|Tc}f(> z4T>c56>Zm+ys@lalE3_<2Ubz{@ps?v4MbT<@SW?gKRp^KM{Bw1tQk}$>?q*vT*goC*e#(t=-mD}x13kV!oDa#9e{{|<^+M9|U^s5Ko8G`)P zBA8G)&k}i7PGnYs{~7R z;Ia`s4_2Vj4XG325HgQ&!knA#KB&4?a)MR)S2SmBC_tcZz4Aw@hYXJWu8iL&D+eNi z)s0*i-}0k4PL=2MN=gOC)&XuXLBfX^08yR&i1xYAjMM7%yy^Ey5JeRKH2uEud~WzP z0-^Pt_E&dN1C7Fdq3x|Uzmr`k7YG!UA*!Fb=GEO>=u(n&?tfL-Nm^H>U|T z>jtwb1X$`7#&cLaP2tz;T!TW$yDx4RrN#@;#3Af~2?mbf0=5sW;x?(ypo5<{pu}~s zGKpmBOkZhM9tKSJBXjIce#8va!-VKJ(+U8%&{N=PrKwG$)vLz7w&t>=UAtR-AH$2_ z@}ut;-UY$S9k0({mW$-1ssftC?}rPCpl zovvRA;FwC8`y&%$P(m((+i>L)IF*B;(RMcC`bS^CUjMV0^FQfMyXclhCOl|+5py!n+Rj8JT@t$Z2XafhpVJ{ zls4aTiLCFXMO99U)!_NAZ~;ua9SSY(e2dvi$|XPHKCrA!l(fgEg^$=}oT9xqtdrEt z&YVh40FN0zQ-&)HQI&c<$2HiEYuu>l#0%sHJU=kz%(ZA!nW3wh8uWS}9K5xrT0$J_ zWK62?H<&of{NY}P%27Z}IL*UdDM_hHk}5+bzWn!D0l!SVU9?+_*yl~{($XD79>Wi) z`T{5~&;3i%Y?}13>{EMQT)j>k{yF?b9+mQpS|BGYMSvAvlMeh|@Ua;pb2vL*|8|6y zXApiC5{;v?@K25jg_h+^bFBESCiW9X<#5u#()hrv6Qa#pA!BaGOa7eEal)J##2oA$ z8zDf!X=Cjvl$fIhJfG0t+|3^!yUm~)2*vceE5)kcpM5P~JA7~~Z(a%(d5cJXJGJ)< z2xQ*a#95*vp5}ROB=2?syN)TBLI~1O|CVF^n`Ie5!u}p5cFp`WMlWO+vIjE<^qD+> zjg&r#{fnb6%X5=LAY`|g3uUwR`JkeejQdX=2ZM@gas5l7eeo)@pQ7PS{d}Zy{v_YC z$h@jfZ5nj^1H~uVS4%GHcjs_NPaRyp{1(bRs1?BP&LyU=aehd(ByQRLNeds_3kev;FIfG+F53~{8=3~N)V zu+iSpvF=05r`s!A&Zoq*g9Y&~4*~Wk_ENtmJO4<2u|N%)5i@75lhP!!ciVz^KuCLM zXKxqR)9#VaM&o<_|d;8B~ 
z^53GlnnM1zZ&4X~>rT%t82~H`!;ID!7?!iNw5l!cp)mQmq-$S>H))NEv_pf8(7PwB zeb;_wGJ)l$A64uLxPa_`DP4^ctaGE4B+@-;u0m?$YeZT`yY*h9tW3kf8JHHeXs) zs0|y2P)LDrA~L{NrQf}z?aFSJ&#r&AyFBY3ktbMWt#(t1dn+T<%4eRPVVGgn7T#E> zq#VAeJ1dF0y{OT+ywD8W;P_ANtzm&Jz-VLp-W{kmvlnhbvQt z>nd!rcl|E|4qjyE1BS_5tGq|F|E-D^50HvNOFqU2NX75Nh8Te*^%|Bvieiud`fX_f zT7zMUg8+viKg1#i2+BV1UH&rq1jnww&=TX{o<)uLZw0`ZsQ)bmKmhCiYyl9M{y$p) z1pd+lumtyiq5$|G{J}2;{{OH57>BZ@lAbgNsD1TYJ3EU4!`84*+f9*lrNc!|rQFuP z?Wd(+Z1u%+tj(iSain@Hvcs!4QI?d2Qj<|exU$lR@qp_J%qF*Ktag7!>A?4*;@*5Z zz9@?2Y|DDvbK1fT`Mn!vliNA$!T0a3H`cs6_KmJCsoFdGI{K~cSAq1uzy!WYMKcf^ z=$s$jYFxtH4cwzP!C=9&eSL<@$*_-#@61_i;nuv$jJru{!FXN`j3CMN%yeEBN{)xQ z+wqaYY{-RfBOM+|9(S$Vui-g}!C-*d)!%kySvZK+xVCGXc7t(6%{uEl(Q zhpu(sx4L}xv-f`XalBvnqI1kSu4`O%{?7A14xUxgDas~97v^Q{~PKG^Y#SzVYhuYxRu9k#8$}uFF&M;>Csr z!?SifZtq!8^T;_XfVJ=wv*%VjQh}qX(cOf!t%;{Y=Jma>6#Aom;T5W_Sxym$haP^r z3T^yy^e>mLn;285I5Rh>RtJ7*U2jdqOe~vB7OS$Nd6SPz3AZQp@0y+IC!8+5-;YqA zcA2X>^ce!zZ#U00-u8BfzvLwk3rl@^H$n?2$-FE+-;>4!WlvG!3#8t6&l)o`Z;#Yo z#5FWp#o%!OS`w>tv>6(FRI#s%CBPl`vWZKs)D(}->v3c@ZSN#|C$e)hzP50@U0mJHb)T6 z@$;y#B~Q{Y&?nQPnw;x-Jzi}lJ@KVUu$kXT?bvb%r4-B?oFttxI8CL&<3n{J60Px& z@MpLa0}w8`m&b=V_M zLbFl@O<f!(ZaTu7+s3}FgBYr}lW8A2D^3VmvgG|@ zJt+B)@hFDb8N$gC*y19~D9jwgtu_-Pg*AZqTK-=)S@V3*1F(3f9dv{i=PHHXq+w0h zw~IcphF?CPN!@$?LWlCoZROj>vp~Xv}M8$OWk==0hl)PMbuEdCT zQWfSsf>9U?L(rN7VUhj-Rrx_1ef*H=J4Cj9-+J9*opgfOlTW{=L7V^qCTs0kf$sCCRoI!Zd7o){?MCN(+CDhVqwD6ug_e; z)=MLqufP#hUp3> z8LxZR1-jE9#o{Dj*l)no*ZK}(?Ks7Wx-DNQ4FJq8j~#8 zx(1&zLq(c>gt&3-#&gD|I8U!PfmE}fVX3a*@nTUlMea55By&OZiUA?fyEQ^MSLK7v zZ@QPREF|8$b+&e;sl=Zg9xs`OB_`4piM;7se}R76MOcHr_Pr}N*C~8JPiwTuPV%T6 zHxWEZsUNgm9iBVuN5bN5XpVH`U z>C^--ANLUN-LQ3DpLyV)o!lH)=7D;8tF6)pG}gZ0Rcoi>D0S4PXFEm>;p6t8QAocJ zd1Eg0CjN$xH{&(L0q%xx!_EJh02?72HJA(nVk}4y##(I(k z(5FZ(zN4a!OF2AcsOTHy2R3-5vafHGub(<~!9E~#CNKk$Bbf_j`eHG;*KLwauZz`J zvVcKo_*3bV7U8EKsun)tl-$s3kARJGF&}IBM&>RzZAB!m$G7q^xx{@ABPUPk-S~sl zHvJn>8YL2zzLu)fq0L7YgywJGrq+bPb71y4>I=hlGCfo&tW#}20${swi!KueiD3mP 
zBRqs5Wjeh%O;e4N*Af2*5b>8~?*EJ-0{_<#F|FtJs3^D($gs<79st3`f(hQ+0}^Ny zC98&#PF~jyEi}IO$iP>|Oyw3IqGuqXcfI^e7Ns|Kl0M@Tq@xMWkqrfu_`fSl`P6PI z)-;3kaVGhwlhH-i)GW`xq`J-7Tv+r9DMG&~aut&v4o+9leWwW3nOJlgKa^=0;KiOQ zx+3H?=Z(R=zNjZE8_qY^Y{=)wMhrk!0uGpa2tPYDi6mZRh`30(1rdryBC40vb5;2^g#hM zHC(VxH$+Lc6I6#0st_qxsU8mHBe8TOja!As7yA-CG2xlaby0p=ZcrXC;X{CTU+DR{ zbGC1WVcz7SOTW8x`^)VUj-%4_O9&gBloxj4EV^(de>+g3LGWfp{cGZ4gtd;d3tz4` zhsQxBTl__LU;pQ*c-g9jKC@(KUjn=eC)(j`#v@q7Y3@s+3}>-JqzAB6aRa`qnNvcj z>kUOstFe#Pf-a2Ic;P~f3wQjdpYsb>B%0iiL(rto3E@_)Pi}0J*dB$1GrBc?wG|oB3m+=+52ccFY#ff~$p3Y+SZ#hiA`C;#Azy z_?Oo-vARFsG{<8h{D&rb!|>wogk*r)mfHA2fmKOjKA;rvjX^{GrD>vHs16Ei(ZfeJ zEH@5mPxrDwT!k9PJgoT0;9H4;B>1*bYatYibM>rnyK+EpEv7A%^ODavCl92<5t52k zwwK;9qh@|fkByf>Nz@^2reBJ`MK~}YUP`Bhn$l#N(|B#r2on?Z22J0C#WO((3UEn| zfnKO}k;AjR&+)vglTUe<+EB$_Fc3Z4+QqE-k^7ooVaM^Ba7YXpF}iWxFQVBWnRQQaY`~cW;Q}kbHvz#c?RXy~R8pUPze4 zTI=SAFr<8nFJ8J0#p&g;!Z;0TPHgiwETQF~MFV@u#NONXxwe<=HyZ>Rzt@292!Hlu z+75L71^&)j->~CptS1`w)9A(G+|fApUBx`L@y79)24Q zL=_r0R`$eUnq*!~c>!zB+ZzUPa%(bH-*gV^BN z5%Vv*c1SW65FWo2Q}`@uq(eRj%gQmRi)|T#ko1tf&<}eyduCgnzFCMsd^Mk_Irl38DoS8YCo$E(@ZK1}>w zK_Lo8)MW)8(}vny9$wHo89n94FWgiYz^)#5JhkaSjX@N(aS95;v`VvsNo0N1UVV_8 zF}#2gEmbSe1N+PV^RF%pg&P_&_?8gko1xCjIl4EUv`I~E!PG+${tpF4zz0xG z4Qkz6?K@|5v;HTYs?Gf_uK&7W9F_p{noL zO2n~yyrTY4yzgZEm;i)`7w&73ZXz_@NUtK8Ni{tj3f~k>M@I-}UQVRNM7Ix9h~{6_ ziF}aPDM|8`so>wa5xH*k%a{>4k9 zr|Q6zcZO<+lhK9Z)RJS~xKynBiP!^<>XcdQQ$eDkk6JJjd3s%6_rEAvqx?4gf!#TV z1{p7ti8y3$OP2HQZh^1ErHFN zQ4KUKnqlV=xq8|qZiZ|Vq!>vATGq+gd%A#fN5boMITCAPLAlqOc|K{dP@TohKs>_Q zm$x4j3T!y*9(jtRe?kg`LWpFPl0P^)Wt=P9p5K$1!Q1^usGyi!SF=U_qWDoAjyoV7 z`X)7IQ_!%l_8>hJdyj5R&giaAOD9q%79`C*`K_9LgGK$IV}fBamSCJRf>AX~IgiV3 z|8pQ&5jq|mUZZ(sY#r$7Bfr6$WWKI+P6nR>x~oCL;Uh%MzSmvRt(~xVAbDeU{@bB` z$4ruRA!T-T{uWk3pnd)u;3Ro%58n3fsH=#p=QXR^crLMDi39zdn$a!u2<))xBO9`k z+0r+UUK72d+13$=F?+7ZjnIR{fn~lTIx~-y9RxG1w$BTmOX~7`VU)>0z&NZ;h|Ma; z`8QzvWpDfoU(8@w_BjG5`Xu+bxV$Pm(!L+p_g~M|>9fP($=fmxiFd}W@4YMfVf-GO 
z>q9DK6NL(3eb(-^{xDEG>J>HX2T%z5ZVnbq4LiI5_n&e3Py%-NT-UOtLPvX%j&8)JjpMQbf`N?f6M`BBo8> zh5cK2oDjn*Hq@d5REnV*gyR+vA8GJ%>`&-=zWXw!Z&+@WJ;3*TI_&p}t-RRV65?|} zY=j1a-RWb;wkJ%k5TDIEP}3_1d8QH!%6lC~;d{f&08$N}mt@JXrcv zl|Z~Em&v}5b{ICg0RNyxNk$a_%uBg;BN=0ou+4=ZmYXa%ivTyORsbyTc?+@yTef)zu`m{64ZRmZfUz-u3 z*>YiXTL)Q+K<@$JmjUQ5e^19J#0dbL4qnjG`m-3pwn=6xCa z$;SD=6j~i7vKb-{2lNPY7w{-mRmH3qiVZm&FPK?M)yY+*4P^@=N>m6D!n)7%oKGb6B?}HO&f|Qawp%jQw`G+1j9A-OBP>rv z-uXNfe0lgRW1W2>^TosAHyFHpBrGp%F>G8+r`}}OGhodKkRyJ6QqXN8F&9B#$3oEP zLG*3I3`GgBgjGUvs{feVXm6M3P0GvuCiU+$_P=&W;Oc6SeNQ`7A1e4ehFsOF*e?46 zhTQxohHQfWuQ6oWTOm-(!>*px}_-iLI zkAk5#>e+zEF@$S3J?c$LOe_dbn@Sc?wMEPRixmEsgK1hZO=_0pP;X0c@gq%6y#eGg zAtA%CGi{73!f4$Z{<89Kl<)g7kmyw}TLj<8WN=PS4u~zsN_1lN7d`@qefiyBNXn-s z>i6LcE@kZK`+cj#iW(@9i>`iJ?DGO}q81i~9u4|Fw7m7*{Z_;be?{egS@nFX$v3;a z&G6f&rluT0Gex(FmR8aW?M7M#>m*`Pl8IoyFt&g1pT6_QAD@Q2g6&yFjv3qJA%Uv1 z3yzJAHD`O;-Y*34p+Hqs3)@I-HMZOLpf&oas35>ws;z#2?eaH@!zkulB+Nq7;-RCX@YHsYu z8bWx?|9N}v$ZF9~M_Dkghn*xOUQ)BuPE2u$kYDUn6@4qcO&-DBy^(|z{2HPHD@Sk( zLy#CPTHp8GXDc^=*cwkWX~X@y>3_8RU;cv{4I)Wpo9WHqwX>hiQGY#bl>ZG)e84e% zd3vS>kY<>5W5xCHnH<4 z`#~Fzz+6MTo4We5d4X_7t5%B%8#Cu@Z6ee^@Lz#ZbQ7h@@&|cm;mbqwq|DV|oDhtl zbtCi3MgTC_vPK=O2T%U-1b{u}EpTxyVkp!LwYakpy-?AQ2GyA8WqTYj7;d8N;7*CPR3aLL#hkw2NLv$spIUe%QRt=(Fz_|{ssOI+Yi>IZDB z=G2Ii@+)BCZzt8TGH$5My%D^>oK(gM0})W73AI}8#$gr{%bh9Ky`P%l2NwlrNoE-hsoWVqcj*pT+)I|^+dlV|nqtw3A(&pD#O|;7bw1eT0G&3c)_E0B z2-i4LJFy#s?H3OL1ZF%dHHx?483H#tN6>zO)km0dkv7!O#4 z>Hj@}q#-vm1Ikqdg5Y3#T97GL`dL$Z1G_3v1}OrJot_qAVo6IV#p0!CA9i;09@b~S zx#eVizy4e;%vR{TVGui=;8PT)5x1;G^S@mFqMNA(xBBWXiF7%Ye&#pk$^LwbXR z6Z=vhT23p1j??a(L~OFUmSYlq}hx zM^AdM&MZ8j{V;Y?q^I}jVZG$zJAt|Eoep!9EMBI;Ko}%{>!eqsa8Y6wc|n5aRU3~d*_{<*ii&((qRQWz*AKtrvOym zd^VoU9lIzJT6|!uJRXXcA?1qQRhD3oiUYkYGz}Y`S}wJ zjsjnzUVbE54oF!tsD~$)M6q~It}pv-lW67}D|tZWEt4%+x8kSyAL0p{#Dg+W|1U2A zBFA=!Cg1peks6dJf#=0dI}Af_+S|SOd-oJiJsa&d9X^<@!qqk&jKKp%Z#vK68SH_t zvDKbt&QW|-Ts^|}I?`x124h(Fz`PqsbV=+9-4uKZ-!y$QRg6|1;SCu20V zFI@9IzM1BF6e;626HMua%Ujx94!J5mly8)qXnTH--E*}%tNe7GjjAvj+hu(B&aAd! 
zG(9Za>Z4HtLNyzgH&CmgiLSyi`Mk8#@2u@izmFa?C>v}5`g`%m+tI7CFcK z9=mdaEFq=5EdZPn^Og{dXh@E)AmczhJQT%zy)T#3%*0ErEsA0QfbtU4J3eQ0k&+SYc z8I-BEMRANX5Q;=LD^285*{KHjjXB1+R$ZG)-9 zrcc2b!ScR31k#kp=R&Dp&c>s(RJE{HfMWwjcCO38np1?Bl@0e5)x+7q_cB6tf_|KC zUgp~mE`@g{ZzbONbJmV(YvB9t=ogjlADw;$?&bK_Sy|-Ht7W$YHP)%N;_#CY5D+jq z?Zk=~!+>Cp>j#aTW(Wu)(2snteG{K&_B1=Dy9SIMNLVLN+Vk?wM(Ki?faoV+r+G8~ zep)((P5Lnyam?lr3w&XsSLAW1rREOrOfR-lF4ed^0L~ZKdcQ>)b692l{61>UBQ}fwH#icoSowuV z{%_+*#YQ=*=WTi3OZ_T0Ql>-Y!p(_;8Fs|Y)&fEJ4hN+f6k@4+b4;m%gyH0kbIh3d zx%bPQ`9PV9@v7#BvL4vMvIsMv)B~rJD|Lx3)|&9SrLXNTy8TE~A|+Kz;`lp& zrL_pv5r-FZ7|qma3Z>`K52SwZ5Er>b@7F0qL`C@m`h9^r@bP)r>pngm8K5{AO)U8= zF%M%MWYVyHfH5_|p%If$7dF-~rex8k9mb4GlaFel2w8S++2mz>aiw^jzarRZR>|B* zMR0NI7_jDt^bT~%n}3K;?VF~Rioa089Vi^7B3f@@H1A}x#9@{VhcsrOGPwolYP{R= zCxRPR|B~dOxek?FGctCKwy1@`zD<1LabuVs!>=bXXkrOiRjeF)#n*383~xWv01!)I z(Qie4E;Ky>yqt$GNDba=Tj$Db#25M?Tt>ZDKY9!1XvUQKV9jAh!j9MON7Q?;emGv?@LY7FH)?}6-KR~Y?q|rizu_a1PvZ^Lu^p|X5?_%`>$yOL?|yu z8fD%3Jn6(C3q?yZ;2_o0*zmaxPqkJjLq5AR(!k@%Xe4Abgj=Eji*X#!m;N4n{44j! 
z090}R4}*^w{mfyaNfCR_C0~7<*qLu&QOWaho_oR-q@~%eB_;DGDl36gkPXZun>0>J zf<;FSq&G{8g0_{!^AIA!D?q8PAWFR-j$9_LX(4aHxA91D(m!BabWL}M)BW2UO5UnU z(_A)Q5vH2!FNCYHFs9Q1lN<<*Lfe)rC)hxy)6l~&BdWJwh@eAMYzfxUc(k}LMrky< zm7?YWBsHpMY`67k21wnMIDv}*#z8&sk02!Q?oXK>w?+$1eT}XtfpzP!x8vn2Lj)3Vruw;zYOtQ2jL{D0> zWkP*eS)pK77h=1$OWqv#yCzp2cTWYqW$}IvL+apb z=wpjtNl%m3)Rbt2iq~zK2R6K2u5?;$&nFr6U*h{U1PS~|LH-F<{^1Y~3R++YGACBu z_V7({O#Ez7F8xz?6;-~#I)cPm5Jqx>MPZCE`!VZDj9*rR)sPT1>u5*=#7-*yHv1@@ zfi)O1RvZGAVNpiW_)PW#4FTmcJ=bpom+e$D?x5c0L) zC3nU32HGpsiOG5;i|pP;H!^rUP1!y6E8V;QS@iKo@)7uF^wGaPUm}++mJ`owGL9Ft z-Nn~==BXRk8ZDGB=3wG6SJPK-#m}@VmOcoJg(oh!owQT@k$xJ{0SrKru2mvsmO{A=wpbEsYeE!MR#K_u5n)+RAbC_a)BbYA3#03FmFN3Ia972(B zo&Vv*sEEqQsJ=zvL_7GxPCcJ&vg@$?(o_4mo9VUXx(<_bjzTzA)Y6 zGJUL|c?zWRXRo1CKMYci(Bkxvf<#O@bJ!#Ntz&Uj6b%1ODs^+toP)hv6$_qgm`GsG zFB!X8V(jCY_7G+8*4hZUkvJZi zxfl|1Jw@8CZIEZCh~;+Y#OkhN|uWoxqTo#fF)geZkBcm;Dja(^V6l~H8H zJX!fsjwjw@u0qaoY5Er;&k#Aj#KH`#JohvRl#y>?{6dHpO;D|}(U!6a z1{l@`Df;=5Czl9Zu=aEjP40gJkeJU%hn0u8=-N-GL6Z*zu7*-s^U&qWlnKjFMKSOz zLic2(stu1;Q3w_G=T>7&uta`b&yaWlhmq-#0*_oZRKSQI%tJ~2Mg0?~NitB{AG&;R z^Q&&+4Gmy)EkbJ()GHXbca)PJhpWF!H1^Gek*+q%~ot ziW0owN1lAwK@#4Rv_brdNL@e3A17KUr2Cr+1rZQF<_dKLsqVr1?E1ZjH^|Xs_w@^( zWl(vFx^;bZIR+)=oB~d{s>gCv;~W0zrvu%V0Cec_^dm3--xpfS@OWq!PHjPV9nfJ- z$Bde27=}rRPxDppu^k<)0$OpWq?SPxrz%)m;h<}miqj9eje;`F<#M@epA{@-`kWZ` zUwZm~B!3&3G|(zO8C&KOS&ca08R?$&4B`!tvJ&5N{z1%E*M?-lgyPosnJ01zSMV^& z{?SLI`lsw;TS(MtEymM`V(SjQ1LvtahU~4Q>qme14(Ct^P``>z>P!56W%xb3_yQT=M(;vYof^cXfG z+Z!5sDDys)&zlqhF)^XfHD?7BI?$Zm;xcc@*7)hMT;k%HkAOr(^Txq#=fQk|y3iyF z==((8_kQ{VMPnn8Jj&G2KcP^ikcrHGZTj5oUFS9(b&7YZ5Q=+Z&|5rHu2+VdhxGBy zo*~!u`pIoO(&16>VW8a0IBj7c3EYGF=}%9PKzr%o5E0YM$uSe!SNa-aMS#S}bY;|+ zFLGnM7%%8W&9Ovrkh#h7uhJZ&mEq(+gM|NN|3=1u$ z0qEbZ3i8yw!0;%V3WT5={}i&{OkR#|}w1@;(jaryC27ysUN zl*rJStv!+%)Q*{wGb(l(H%@54t1`2)6qP_k4%#l4*RwA1HHIQ(DMZ}D|7hz-3LCRV zHm35Uw+iBZVT)=KFCY;y@x(Qr{4YnhXSMLw+W3C!?neS?822l4wPjN_ScN_df4=6M zM0;%0P^z0QrNKV8_dyTgJ`wO+`^eS94p`ZhPfwbb&LMdA!GzLXIrWTuNQvwdR`*JM 
z!2R1DeSZeXAE9B;>JJi-JJO6DZ$ZLbAqO3i)&`&RjvgB0+0C)1ct_qDgXa-m$@l(rUF3Cvdk%fNokr7dgqlm%z zlr0~L75JV>P`4>Xgd?q7kCM*sCx+wyI!3=gR5Cu5ue!^vr5iGLCfCrVTuyov>eMX} zO9&Q*FI|gXK;#X$*k1hO7q!Ag0xDK9%O_L8u;^bYHPSWOu}n3=;wNR%vmqKH>`~mG zbVwKpQ7Ix#*4OM7?QLRcr09wGxrGJdG2`5K%$e3(-N}eu zRZlrnh8LAKhL_3eHWJqkdH428E=wMG+{sL&rfAUeEy2$L3}>={BHQ+a2JO|6F@^Bd zY0PAFK`*jB|9~_5;K?TutE*EHpox0WvVw`p@a*#mpQ@z`_q~GE+|jZK*nqbfn@x<@L%LaJ4M`sKK+oXRwDJngRj!@vix{(6a*qk>PH9rC5rZv7rudDc7RPHEw& z7SN1Pzo<70c&q6ZOT%^if#_yWM7qsuva%1*Lp2>%^snL;M#1MI<1f@9V*q1pdm`&o zl@&>&rGC%MS(j^bP1HY`SMYEhSza)kei~b%!bYR6Np*{Gu(t7yLPq?c!&VZ7z)Jp} zR!3ZW6Zo{dB)j3Jr8yBD8MQTTMMa~!{t0|$!Mg!X)9PKXqNlW9K#e7Gw{whFS;MCU5Yz)kh&1}|u;CHf)=zYew z-SNq_NOc^yC)Jc{wyB_WSQ(mRzI5XWx<4kKK>-gGNR@^H>j~}w7B=O1&n2!h# zSh$r>vt2a5W`~Rmo^`!rNR45u!s&iUfg1CX@J5sg)v((bo0lHBx-gPEyMcDi{CvUd zQIp%G^h#~TRhAtv6Duoj=N6=vH(2;E*znqVxM3ERtrVyoW3?OmrV18MRVp@_ldU(k z(d%5>altYD!nA!pYnKtDX=rHJ-McnTzsC?yBDpx$!ye1G)U-$bP=#v~b!y2|wCjR! zmd;(lp54AIvgpHW&0e4h=*QPwvBO-M>P`J%Wv#V#I|mJfOHQSd&t2bU9GlOMm_zi4 zgOm5FmuHwR-)|iwSQj)L9vL&)j_Vg=n5Fm=usha4qF>JNU65Z~FH#t6e=adROmHnW z*v?14>V4$cKlrhfU#c+d=Lyb-bY2n?F;=_Me8l%y79uY~=+&Gtvc(P@H6Y)6xe36m z1nI3f)_3FXLb+%!mAGmkS})oNTJuGM<=1>{^{InMF);2 zLPe?>lFX^NVep_$id}VOKgbGV-962UKlrt>sC@eDX6vwrGhu1YYxO z*J0!l#W$-MeE4w@!Wx&Lz93Cn$I8RcR@Fy*wUPwuu2tDq2NT0Q17D!7MSz{l`qIx+ zuVLIj9TZ<$RBDowQL1HY9W+P|f}=E_Cye3%!q;!$JJWCC)8E=yV(a6Be-<0dL*Cdi zyPQvHQTD>h|5@M%mBD_;`>`oD+24i<6FQ9=6K@*r1Dfe`!WspI9L;*nVfLalpYiTd zb6?hQw1d4In4Tli9@$QD1w4$$H|C^=$VL&2%;o8B+D(wi>hm;YRK*hbB7 zHM*ZM=U(&4yERexy6G-eQZ@He>Mx@_tq=Je&1RX^iu25my8R1=rAK3oW)xX@;}XDXhdr{+)aPd!CE$VJF1r_)TlX&iiMR)I-hivDnba<$C%-9dO zLN{mA8r{F}=uJ4d-uWUd7dl(_?$(`mmww&#IhMr*dQmtmEE4D3nr6k?Iaycs_h|c+ zqP_0}9JB(p3(H4Y&Py^@NTL!i6J(;tx1do9xN5gPsT$1e_SfNA1_epWy4np~?b_pB zhh1DKUeM_!BR|o`=jegM!wMglj!0MJ;^{?6jGyP>hrofEd^q0v92byDQbddR;w z=1p3%R7P0+$?;NDl8&J~k2Z!)BQO$tjU7BcKxEu>wYTkgqe-I#COymS8>I?_EnJmp zXh}ZPn0OBlCD+iYw173XY1qy-8H?IVP{ij4<)FIV}VJ|N{ 
zwXVyL;T}2M&jOAVm+e3}`J8z;S{I*in1g$Me^qyY_LqI7fHrg!EP&@4qAByWEG);j zmAY4vMd`_>^{wp^@jyKMf0+s5Jo^iV?iwS|(D0Jh&U-sz=rVA-NSS8`W{uL}5i%+_ zNsK?p;~uTB@^Og}W=_Ez;5KW~jF*f?8HHO6N_pV%*6QQC=>sA@E9 zM{v79R|gayxlXJZpujjt^hH%2t=K2e+Q+LnwV7rGOT&~iJ(q11{v_B{jxpMR!sWNq}*=L)rUwsiTTdoep=Ku7-87_c#KiLgf3AVx!AMkF?zFTAE)5!G1C){Dy>eRi{X*pO3 z4_H1>-!tv?Q%Z#aJ1JMOs>UAzcjk-Ywa=+d0a-F>^bsy6{p~+5*%9O`g1( zUx0l9vGrkts&bWJH&=ek+TpQVm^kBrx#go5A}U)1G`vr`E>D!u{eU)IvhfQi?L z;~Yi9owP&EHiT+an>dn>YM1RDpaUnn7Z@>_x+qGAS}%2_t!5o0$>;iI>p%^z?Q%x5 zs=F`N$|^=W-c=EIpzjM6(J0`zbdxn_Ivf}H8gY8qjZ|~*Q6g5PeHl@Ec7>Y#Q2T+o z!|Z6)ZovM&K5v6>Yr>4$xL%2FIY4P~I||M{A0NIzH>^ytZjjk{Qe<*l1W|1ixY@cw?|Z;cT?$2`yA=5Z zzpMGS7rWeS?WJj6OUIJNjqWgK;XzJ~ZE&OfkYbCxbir~_N&CB!l&@u@Se|*U&(FS` z&6<{UFBxm4uAQ5M+RnKU4b?VONyy4JIYz52m#V+#wLq~qsa9vQYe?AcHwn}&)Qi(} z@x%Vj)HZ;iV=lLm(6T2eB-H~f;+qoc8j`^SQq*=7!UwKjly5X0#bVtomx(RypU*eS z7gzbf;qlHk2%;Dnu6{~kV2@)MR;2A(A3A-ZUglMW%xO_JsKIVVe-uO4bK5s{cEKf0 zP6Qn)k&w^(k=+Enh;2NoR+>+fQ4wKMc={Oq6BSUD-vWPfiiKf5eetz?Z$?we1N2Kk zt3mYo1$UmM6lDoi>wJ=Lpu@5mCz=~I)hsA;PYjOcm^co3RFu-S?MU}nr<$-RY$L5=6 z{r1}-)P!4Fr7e~+*pl=`27QTs4E$n+e!uK`sB}?_cP!&nd~~ur49k#gwu($X`p{j3 zXxcT2v=gXJd0AZE4!x-=1|mu1X+|4Enu~9*8OO$Kmgn@|NyC)|1!A+vb*Z=Lb`&O&J8({ES> zmo<58qfRXv^e&o%v7gMZlIF-ssmSM)i!}5X(XAy4{QI@K7Ccy{)qpy^kOxhYb9hJ2 z$^kXWZ$y-%)~)D}c#^!qe2WrC4-ME8h?9Pkal>=%!_s3CMWG$9@8oFbPCFkD>jWLn zv~S2o?HS|#EK5)(Lbr2TQJD&nTjEu%BiN=sfWmdM;h)gZ!?*&v*Mn zkT@5G^YE0mP9oiisVWqK_i z(PE!4G+W&i0Eq>T6+3b{bxuR~BjGevOpT{3>rUCy+VkuL&KP&X;3iVpheB&cea5uM zCJWto&zz#Z`E4lBlPR6%5QcATVQ=o`-K~eT5Bz-U0vjc?NPrXHeiD}gl~5FGHFtA^ zM!#k&QFh2d>Oz(-f{S2RtE5V5nB5MztoSZHd_G>e-A;#C>bq5a7aEYX7}CJZ)w*sk zlPB^!x<(wwsF6=>-7%T?b~3$IOp0@{4eWI7jUC5Zb3oL58WHEG3##3j7EWwr4wB=M z3iKG+G1Y9Ny5{mR^!Ar8d)qLXwIF)E3ZBsgbl{=UL9laLx)-T|=(qXrK9QUoTzZe_ z_XF$l6+af%1(_QgmpoQyNd#}+RZv5iFB@&KcWYB;tSL1deppTOnWI~fCE;_Z&Uk5A zEcdL<$n&ZRsLs-*tFH68Y|c*f*9qT`j--6@PK^D}AyaX@&r#6-0e(LeNpVa>)4g9U|^%Q%*MX#b!jZI}QiNe=- z`!%Bl5v{NSaR|kz%OM#~4jkzC_SNBs9~Z11m|9QtajFz5*7+x8qkbt8-&|%ra=_D6 
zuE!gDDVj_&6?uktFyEl*=LD3ybv`RPA18GrG4HXJuX1quyf;*$uF9E)Nrd_NvtjQn z{$VgdSpVzwucdxhv%K{{;({(Fo{DYcoHK?))sPdpdDnsJ(U(Q-^iMTWrCmsTJ8Zhp zD8nY0Gjc+{zONv9&6-&qoxR!Ixkjv;;)admQ<2V+t@%}kGSdoYuBbrr=W?gD)VlgT zjX1rlQe0zD>Ty0A9p<0fOYzPKk(U2zO1tn;uNckXb2*`w_h;XqXF0ILoZ#$KY%23c zx~gc$ON|TMbFF+@cfU1SWkbL&kZ@ZSeEKav;5w}Waoc_{vcgy2WJ;UKu-`*`C}6u0 z*EzBZ_;ec;a+x+$;eyOTZ#_2{;=HqP4QJ`r6I);;DVx|{YMD)KMU%2R!0&5;C0L{h0hEp-fa+FKaCvZcr#0WV_VF^mAzk!J?$5 zzgEU%J*g^|&hPBO@pQ359pP@TjuJ0etJmMgo9cOs-MlyM0-g|WNC&?jO;YB9h=GepQNlRcX&vu9 zfS+f6J(CVC^5iWBsEA-bv8l{e*Ev(|mS#Vo<)q=**7KBl;m9u1K1nyuF~VG2MYP0I zgmob{#R4u2TU8;Z9-s_7=6vo}RsNSg7g^ogJWGsarL;9J=G!Xdabs4aEr5X6cv3_` zQ*9l7?)k~UJLdib+!@Q$s>5U=Ai3jps^-#{q+sv>VkK8Fz!4rnU$Kbg{*YtS?6oob z=^BkO=H_B4({J~(fp!kMi}NtAku!l)4*O<@F>Sn2)z*$wHjx$KPlIw9`Leuco{3IQ(FB}1x#RBvU;Ig+m7r*F15>FoyE;y@OsoF`)eGwq_o~u#@hY`5-I;{+V1L_P@-{7GZg{F?qYWp5@^W! zJkl?Zu0qrIHJ846nlA#L#jBgkQ63jp4@;n3N%VH;sn&M zU3U+<3Go{!$|Q{CGVogg*IWI`wCxlE5P6T7ZNy(%v8$}S3QaYVZdl~?Bz6VOG`@@ z^L$rdUsRc7b9A7&5yC3wa^Y{Q@FM{Mc=j!N)tW5|Vq#+O|8uzPr&&y+GqB(8mm3iD zEJgw(|KJneh;LxwdgHX&C2#T>v)JcLkwQUu>FT&K#zbx<=>1Aa2Kyh)bjh|(MmqU0 ze1Cs`h+CvR;k}W8f!NTk=V9u_UXMSSo2`xc&ocdwd!dBx&u<5MV3O%0awVe4X=w`` z*q&Ae8-izQTeYq-3d7Wf`fc-g!e(l@V$!w1@1ObUw+cXzk`!{P9$4E~D-~gEe0~Vv zyvJE&bPo=qm@f@)oy~qtESeyrIuX+#xoWLL+PteqVe5`gM!qBf(YBDm`_~=(i+}l) zlgKd^Hn6;VA92cxBRLj_rBI;2%1%el!t(88wlpiZK zWwma5TTnznLQ)!~TR=Jmr8{04q@`cFnIH;EHzK8UH_|2D(p}QsUEjpD*V=;X>~Eia z&hZZ~z2-afsWHYqe&acy5d`#&^t~1Bm2c_PDF4>3pKTD7q1rXHEqPj4#>xX;=Off? 
zXGm;U(299(OTii}8gp#jRl@+pMg}L|WHrQjaNOZIaYmE}&RtYg7YgPMdV$Lr;q?p_ zU1CVx@#&NI)`(!c2>*PCpC%yxXVZHQ0)8>tLY8;%$e2LH7wPv0;``(9ABL(&BArYE zHG9B8>#pn1&-n-c`Nx-)VZC#Yy{*Z1j`rsJ+a0^yn(ESQS3jc;7 zJ>0P}HO9lt1tH=j~7_;b7@9hC%^DC;uSOJgy1+`r-~g1MNr3(812bQ@!Ee zW{rDc^d5!LF|;LixNC>ciFVy}+pA-(_LEXccV!}`DC&`ae=eJ!BWbu$SahO|<(zX% zmk?T+KZh5UXPlx%QP*_!)qnNBf7+j3Mck4(9A9d*D4-yHd?>FORP4M|H8Z5Br+f1q z#Pa$3GV*uYqDoF|?>2+$D6?CV7DesP>t1UnnG?7aBZ=qz(&SRxZwb_5(AV$70zZTxFe;KJ32@Zx z-(x=`*8_>_FJtuT3PJM3W=aKXYUm6`6$i(6&^42<%14Ae2Zcx+;qH8-Nhw8XyFYW3Lgy#cPC+6(ofJw}24%gAl5v zgHFCC`zfSsFVwq0nu&x)o@pQZx&b8<0yff4HE#7?{Dqa0+yzH&2yAS$` z5^f`va)kY1PYYbg9Mdn?%LDn6S1rx-mBi$L9Nl(D;@Fk1VQSJi)Y#Gv-(6i?B+$z? z_h{zdY#)j(4nvp}ToJ^!|J!IVNUZ{S0F_MDE_HNU5*l~Rfw4kwp#SR_x<~2p2F!mt zYoY@UO{bO8g_AB%Ql`of+R1Vu!uazzQUZ}dMy1JFhDKjo9H6+yRmHvUaikT$#_B9f?E1P)e=yR2uCKhZb^EN}(1;Xq#~Wl$f+*_9Qgjnw*MH+NhrK-S-f8g`Y7 zmJe7^0Be&^A|+jh{q1*EbMx53`1<53U6r&`Gr_2(b{`}8180StqrHd6%$617c5UyT z;F@xCILE{cWq8Mo?CF)6?EsDD?)jb@!4I`~>CB8-Lhz&rX$ARC0`&-iwvcXmCv_}S z6*7AXN0qLjt@?9fm;EBdyBlk6>FS5`@*y#CParGICiOZvmt)Uz4?U6Ah&F8f$659< z36>bbX+{r2&2iO-w;j3Sgm8-m)Gsh*{`nlwDP6Thit-3%#He|dbcvzRo7H`GdO`zYhIWGhKW z+0h=k+bFr&!*jW;tN!9kUQlC~z1ogBj%$XkkMf)J$JluuUq)``cwIPx(?Qac}k(o=VkFch8D)=See1y|QOkeYFeSG*N%` zs`-4L4BQPgpRJ4#Qv2h6%qi6GD7O2BP|MHa{4QKbIb8R}{g zn5WMM7%3-z^}BF(QBZ7tucfh5C})52t?LV~=NKXeseaV5!f=`7*p-hx^!sa%;q@G%o3UeOv1;pX=Pk zB@Mx$#%W_{Z;l;$?rhoy(r5*ICwhcraKJuZ@^GHCF5$O!+b-ch-U!97FP1?a!kE884a4)P~{A}A^Y5x@`-3`j!_KE z=(wG^n8S(1T%=0*rn9s3vlLIaYp5{9lGyo_fRk=ELX^Rw3LE%u(ZYWl7CLrTae}d~ zvbnd_BYi5|TqS?u!c)owb-0OU#GNg_5_QFPAlBINsJG^r%BoCio#SKFvRGa~piv9~ z*oaRJv3{Mc`H30+(R!(`r|yGXN--k!b=p(A9&jTtMm4RCyc=8-Wqh6aE^sdKRH=#FE;=02zI zH1DB3D+`%M{f81DcJ5+|S~zEDMpGGF^Re&;A6ls z9%nDMPeg()>HWUQ(*on*p%2RgLITubG|*Epik+45Lx&)1YH!~<=cM-TCgh9u?en4T zD)C9xJ%1V)pkRJah@e5Pc(BLc1%aJ#oo76p+_hxGu%t?nULp5UxCOjM#Yi?q%RoHO z!qm6lkEbN6M;6BZFuU|+~8P@gf zq$xDwK)KwCP#-$3T(f5KhT$YLXd6A=DU;ePlc3@HQPkU*0;7WS5saBc*GJU5p(0j> zs=)l}kH8AO@(GAHkK3!nt9QW4RJPDetj_#)$ZC%B)LbD4A>giR-Ap>Pgc0Z{iR7c1 
z(5#uPas>H%WG6x%W5@d%F!1BC*-xWogW_d<7k}{bDcEvP)>n^S$Io!yJq5RHMDgY( z4eWN3RwGP0!M|#s*o-O`+UX;gd0IyZ&8b<|qRJ~L>=uou&?CEe?h7yA1;i%^aid!3U_;stFuSyfr&w3&tH|v<%uG;i7JE^@1dBoe z5+uZ;`)Qr>&OO@0m_aTEyulk!-37V>kbTz)gi0;zq6vb}N?Qv8a zDkl=)f@GfL?N-^3nrv{#4Ny@JitEN49OoIZrJo4C`q#7&v_JkkxbPRZ;yun;1Kwa$sq_1sj=4RCgCQiE6 z`T48zK#gQ^{#V37tGY3#>T!*+#WQ*wQL5t{;{jascn5h^7Sja*6F6>`i2Uf_>S~-()rGKwIKFVSiK11$~@(ImFoZ8P=({&N1+nFW}>a zT-YYPly`y)-`KD2EB^=vWtXM6C_1&#Y#QCv*$TQWnAXj@#WKFNR%w2T4CjUdBkb|w zoz`PesDtbZ7g*9b$+mW)g$l(``!0W!*?{${H!K4Iv#SFp!|5byXQCo>gcqZ7{&EXqT z=6GHsvj&;rtgJ3Zl$uH8vZBd-QTJGdQwWts zBrsJ;v4F`>R!RhSe;pzp2`LinG8&OISUC*=4pWj#hd#Q2Mmick2B{$%Ut<*)`=Snv z@Y`x9yKg(oCvE+-he`)d3BxU~qe^wW5ZO&tGIFholXWK|=$AfL7^!$*zs0-}`w`3K zS2(`6tWfgK<+AzPllT|iLKJO3j#vsPY_)<9WxsnhVnT-xkC-HrfzPws2Zz;C()sJR z$*0*1ms@pm6*SOlSh=Pj*|`v1xm=450uu7AEu571TPxIwwM2d1E8F!b!WD+egC^L`uk7qDgcksU znNOXbu|I!f%ldq@?m<*e;jN6Y+$`NLEIHn17qHBeQc?Rg8KGg%2`BXD-GfT zbTh>wXGfRP`lH)ff))(m_*J=QhJgc^cfLdQb!smEUVP;MX*T%%B7|w z6@qR(v-v6ycyR5YQx(F87R>lrV9FODwR0NqCI>Q_qX+KzXiTU&E^c!efrh10mpXA5 z+%g?EI{{BjL?#cBea$|z|Hxs)27Vw*h$lS@+Zl8Kjg*VOc6?A<;obZquROSM#;kOx zfyiu1WH;Lpp!UOj(&@zTbOIe(lut#?=}*S}tV8jQgz|wWqRd|b+dun%TMj>%dsN~6ki}qROF0h0nq2cdb#5cB0Itf zvQ`eHx2+QhsdTGg$ULc(dXf10gE8jn?uiE;^z|FoQriu85+-he+W{KA(|PW?6FHsq z+dH&a(2nnTdG?`FJB@84R#sK48(usriwp#sb=m_2cJf0$X)8(}Lb{d0FmHs^0-|bX zl!Mi$(X9RT5FU*S|OcslyRWM*Hgaeqc&{+18Ik0=z)bW(DRrI4|~!Bwzmw z3_YSkWX+|1I{j$4!1=(AHL;Gc3&q&=lb;r+BA8#iEO_$T=u2*2aW^9PR*b&Z8DiQg zDGmV)uWlpXE=`-j+4-WWt~T2E%(71eZO?#97SB&rM%#Dd9-oD#CD4F@iO3!>WR?}v z^2Q%D#)CaZn@Mu1s2|row$dJ(-0@%~*1sXVp{#%fo#W7FmG2+qrYWLFH}ICgPkY1T z#}>U5D5wt783-ta1$#fs>gok`*)n+?nIV{KmKFFRZ3Bds6>xZ|PEEyFdNHX3Pl&+! z?{~owUGw}0(U}5s=eZ9s5 zB(xff$Oqri9#>4qktaf`(Uba=*Q`zOKUr@pK!=fx2XNq-di5dWI=L{y8j@>kO&2cn zSppjPkQ#nj6B!MxwoL-Ve(Cw4W6FjvTuD3r$jz0K7H=S2=sgau2u#AD} zEMsAY%Pp?}4zq8XFhEKshMlTdmoE4!^^xXqZ{Bwp?0`VyXIPV^6Nqe z27r@Ah{2`d?$;G^@!27x;h-7n%XQmaEXcETtX0A+wNTmU=db*QX3=I@fFR}A)dyx? 
z9*VldV?5cdY409=RSvQ|8so@>q-E6!IS;+krmv`lvH%EPNG#r%rcb#OHuZXpkR`VM3}<+^e2xo+m1V**Uqp#{!RN+ z%jWSZJVOM`dz^3f2dc_KlaH>#=-nYazp1Wj8PO;QV4A-Ode8X<3K5WSR%89KOas5T zxMDuF{fO~{k?)k*LK5hLWfgZOo{9**7d+0+XQRp&nKG>?)^g>mP81m{e0Y781Ox41 z1Rk4SykJeq1TXyNXVWchZ6OckwSx9XZ6n}*vj|}2KN}5{@5seR17z&%r8Zza`KTx+ zyX6ul%g(jh$~Q4Azg@p&+F)XS#qOMxlr#zaJv<6wn7{Ln`6eRG2v8cOF89lO{IM9` zd+HJN`4vvzszJIIOUm9|d`MkzTpWEa{kdvN1Kqtm@s?$fJznP@?)+1CWA$ECz@QNl zYC3_X9722i{2qvo)<|D4Uuuj5yM2>@`wNRxzf%4CD^AS9s*zV8-5R zA>C!%J^^FJjD?isw_aZ5lXzb-_A&E8QnU3I|DfU>{-8}i;HJNnOPjrxw}Onwzjhb5I5?IeObpirqgn0=Y(P=RgR=Eg#sY)Gg&*t`*Tr)`zjreK=a>6VI}*7M(FoBN z4tpZryU)IZL)Y&uKmM--gHXHB(D^|r&vV`-0AzxuBPH@VaeHAPkl*>Q$m7*eaz3C; zS1U`=f_DSSAX|hB2|A>6ZDzz(H~?X29# z)bHw}{z>Vs_%A;d)@xN3h$hD_q^4^c6u`PR1@5ih`Mc}Z)D~%XAK9Ya!FSuvXZ+%7Wi3zA5>&jNSZsPN&4}^<{->hdqZ_{cfhhYxA=g|iVY%+|a? zV0+sOfbtpg5<7w?wj?HPXM9R6o_$kc;4GJXsK;UT>-0kz3TvI~DtXt{A&``GvyHdL zS~Z5+^-~Nfo9nK6_2SvN;$^tU<`mUwpS*9Q!T9v)yc+?R*>GX8^1))al-JjFI^Zgy z4|~BaX45=w)!ujfVBPn^MKNy7KwqzIejJU^N8{q+94$SA6wus0?3fr-5rKEP=s;`Uu;dj1%Fx9T347!}cn zYxi9*+Y28Xlg`B6EJE0@nhqd0J9Ofn7Z8{~kY@qCLs)kj>39i`h&_WsUn|= zDi361#WE^Ro(?<4FYY+UbgD*}bI|Nd_+!ChCer^8WBgZ$5mr<`xTM*wvXi9!P_EfW(ApL{j=O=)>e^sl1 z&8+5Gu4PQa`iDq1EH|=xu2`DlCmF32oKmj#+a<>ViB@3UTh!CZKKe*37QE8!A0Ln7 z+cF3&cREzq0MU|@^|`1C>7i0nyZ)xUOR@WJ|&yfYc`-jiQSa5>8*BP8)iK3 z6M)=2a!jgB=7py}g<)XmF6a?4N5|2YNM2ajVb(@mnS~Z77&buJ- zjiY>1k`@P%F6aELT-io@Dk%rR^D?X7aL}uf>7v9)a}yqKm~VU)x6EXPhV#1?wNlY0 z#l*AHyxCnlZvSVmaqL_y%4FNK3knM6=B>>m4uWwhA z%$=cZM)0JUMVBeJ4vOYy&+|>yECgg*mHF(f&v%QKu;o}c7joI=dSUDXq$yS`Q5BX^ zh{oJ~O57B>momyNI*S!_jwODBVu9>Pe*Xiw_;X(Vi!JJ)*noj(OxL6HuH(z#=o-gK zxLYK^zK0c9lYnz#4(ad~ckcEOclO(oZGWDQ*hCbw+zodA99~d_c(i?91{?5wI*7Yj z*j@sMgh=Zs%}|I*0z1=j(^3P$*luFu5!HZt?k3^;oLwN^hPo2FN*}PCyj~*7NdSNo7#!wlJ2ptc z{7L9t(c?U;oik~ovdc@cX4fIN?WCg2iH2473}?@Sjpw^>_50?}5eb6|C#&dAzwA@g z3su1P@|m5{aZTstn_aas3Fcxy5LRDP_*DL<&iK}hS7>+Sq(4^~73lUE<*0%&)4$gt z?hf6Zq|$Y}P;e7hUWD~hf)B8Q@rEO{lLyV>mPt2nsrFL+UPR4JIK1J*?|9v9AGv)e 
z6r_#nyH8oBLD9^b_quuPMUPy&uPH$7o9qus(1U3%twU*v+PvU$*18--2!DZOy{694 zw}PssIe_5%ehUG2y2xhH%vTZWl3M4}S>=>;SZwYp&HRa1lCyQbe4Q+wJ8YGkc3L@m zUOqnO;|y;grPA}m?Kj-qvvf)WR;j9l)q56hKI%F0&d3G^%yBN7Qxy zs71Us5)@2Ywo`E)fX=+KzN3#9f-bge>^Wv(uA|~f4V#?68_!*QU}U&J-{!WXUenmf zm_+~dt1yVhoGFvBZgpjoaO#q$jWe-Z{ZO}_#pSn=lB;xb6MdIA+&za*u`i+Vr(DsW zLUQDFCV>mvkW(NNzf98*Pq}u+3^cc2BC=;$&Ay!2T&Uu*+8!x|1_V6j!NkXEm;kX6q3NLQ(ar~Ii65-MC;yhF=8kw*H$F_7|M?x!@j zcNIV)JZv?LqT^xDMDv&VdS$)V-jnFr?&}PVv#+Az_EpSc%axr{oN>l0dGLshS_w}0 zcJ}m^Lh0C}1yFV#Zl0^PImr#8rFH|j;YS7yz!WC_L9P8tI77J+DaUQ(Rp8^$(d*y? zTbH74D1qlW0N3m-NEp&=Sd~hLBIk+>Cj2By4NT%NJE)~**fZ!9Fmo0GiS|rYgmjjDE7gM~_qq!-7 zy;k(5(#zt2@b_LlaD-C)ckr=aqsv66+7v<*m32E7yUIr-mGTK64La=gpMbUWTNx_S zF%HNdA_|ypZHmJQ=Qa_{w;>x=`1tR6;%pccuXx5#P0uLR^*QS#9i$$~wtLc>01>N_ zmaP;hPCSH}?#eaJnc)78y`7x}RLmBDaeWjHCtQOQw6bQ83oM{2OY7mRYN5AEpwlN{ zMURy!98cFzhs!+xM>3tkb)c z89vK4sc{g%dr!X7A2EZLEAON^SX&QPPmMbcpdGGkQ|xFkzCEC{XN?$q*A)tstjb#X zvf{0$!pO&$ShQ}`1xE^c*wf!=VuayRQX%-A+{>MJS)*mLs>XTSr4YVh8)TESWwUV| zi?BTfs6rpL$YKjBsfH7nsvAkseMsNVK#5GITC_fUgV-p3QhuIJ!V*mO_h$Jc_%*5;!jBp^E#g%sFCuv@2-@`y;Dlg)Zg=A^1 z3m~hl6%P7;YOmDyE#TWdaIKb-zyIDn5eP{!mR>>{eUXX8N@gC~4e99jI6!4PZ!j0j zG|uyZb4K)G**JSWa=1Z9U3~}N4h9TsEPS>@?;eyR9?PAeoWugdmq8Y*McD(xRh^Au zF{UR%?+*}L|6OGw@ORQgo@S?juIGhbsdj`1f!~0A?{66|v-H|RWKBqoFJ<&rEK3G& zwct)Ff7~wZQW?vYw^0=aYqk7KrK0`Jhj2ef>#ceC54OL;5`g$A+*)066;dDdR%Tc( zEd<8A3X|?x9$Ag0cvnf<@NJW^K*=esPkDoia>LQ2S3<=>_-}*13KebE!V2Hi2h@!n zwGh%z4b1+xgo?nwtyKKK5h?=zwo>u`MyLq<+e*d%8=)fbZz~o5Z-k1#zpYgKL#T-L zL`LJ*EusO@7ta;`ZPB7mu1IWpuFynu#1Bo~ll@ITF{n&X%)}YS;RY}r;|quX@MLA= zetYUFjeOy_*2wAy9g;--A3iwr(|P*o)olY20k&%8pLI7<^x-s7A%8_g{uoD;Rj^^ zBZb1ZN)E6UJsVwf*B#z=)dP#a#LV7jlq4fr{S1aPtUMa*O#r+2_<=0nj!SFD9K3ee zfGVTYeV*p+0xHHjMW4fHiIy?5(O)i9TRila!mbs%$$Jdq&JrjVMn6e&RydB&SB* z_GjiY|4`w$x*Wf5FJ0Tyl#;geEMn{XQ>FV%+9N3R{MvtmuV~mu`;F&Ru}p#C!T}zI zl3H#16-_qzS7#RTWIVf{9~ch^x_uwHb5LdoA{WLYGlr-FgKE-c!2{4bZynVD+Js!e zO-(A{@FPn$7n>>$pcijgdFI;{3zJhjb%x7&c(OLZ3QXxq%;>b!luKMLWvZeyY~nj7 
z>(yB+yPOaG6UZ_Yv$|K|&4Jo4_eZA(%Wem>Y~2G3#fo~?!v@$^uvRp*7b@2>3R=`o zf(AA=jbVH1{%9%QfnIEljRTl_XFn{dL6eZ7MJC3pB@4Mx+Kb%))>~ROKf~wKiRuvf zfUdqjFL#OeO014r8<+(;!Dts?Hvi3c%HEXw2{4^^5xlr`)Yr%Q#j?0uE?XxFG!imu z-F08JZ;XtM_}z78=S$l+x{5Bfa)%|OEGH(vtCkw#WdPr*k+v(H`d!qg9~{;0NbC=$ z6YLCIyqzq~jIjF}BuPZSN3Xvydusgr9i1J?S*2s+LwN<-X?D$$e5)sjtYB#n;k(8} zKwxD`+S@zcE$_^n+u=vu!>&66{GZnl<{q$1^=>_3s!V`LnxdVK6S@--LT!4n?zf%@ z_$YGyKmdDxe^%~k=3Gj&LqrT{Pv-HGCzMAg=&WOz#;o8BsRmibL3~}3%y7ZQdw;a) z8SfL&3*vIAQdPkLq6(a6oJ7awwKh=^*)nWRN$a#9SGyIfF?_xqFnKZ(*Gn$u41ymy{gjP#(Rfq+~$Sar%)giCfXroN6bD56%mblknT-e7Zpry(ytUa$P zHrkSqy&7lEaA#nG%dim@M^fOl^z^4)G*is*rtn#|T2+V^?9>qwMXa zYL;zYC2QpYA%#`tcs!p4TL~CUD8_t39@5R=b0ZmQw#Q5Hbyw}eTd>-#5|WYqZ(nc( z1(B-2GlS(28e{F06?AUKzuDmbKK?y*#~2Lcbei->60u$EFGxlFKnKhD@rob3{WYBb zGYsD>@>u~M-y4}AgqauD)-Q7V6$~ao1uM_sqN;_ZGa=&h^@WgPt9?B&(qrWLlBUU| zh9|Ct>w|9l=SKlg%({jCh~@v{W69Xvsm41ALuB{CwZiXnC!wJc7m{#&K4>zeay>=& zDr$dE!Xrg-wN2dBJYsr!x)%qkXJF7a3?xsrHLw)k-bJt){O$V0p3%0EnPdB*K|w*_ z3HaO&GOQaPBJltR6)?ZRQuGG1L**x~y#tEN^(AtnlidbB_ToX6;e?%>$}7wFOrp?A zh->K|r}|$1ELU|NUGZ!}90j!n>!6k=v#A~m|?J?=iU*B3;qVlOSed8d0A z9tHzC^Bz)>A_~cEXjoVfPB4+UvB14PgPnG6IJ7`oQ{$kxBTx&IawvHB#x%%J{0dGg zy-(GvghLI;fcV(Vc<~_#A#H!GdfA8$Rc_I?kk1bykxb1r6`v&AEy)emvd;=Ft-623 zwq7x?QUqLo1(0n${K>XnG>M$z`X`%6Af_v(e~OMk!^K^3vKW@@S85>Kb+1Ra8s5aR zQtp#I4gXS8P*hN#!9{xu$k)2LHiL3APB_|9P@t$c%z(&}Wn6z@8jg42g+~TXPdHW% z86320TW1`LQ;}WmEwVR89Wm-KY+T!e?q?XMJd0r%05uzTL9>ld+e{>zVY1g^w}Qo; z0~8p;zhDFKM|T1hhTM;Zx}GMozwt-I0ePQz({H@by|xF7QWg_m_;l`=_gC8T)9|6h zgS`U=NjR;3W0H4@K={P3{;Wz8Wmyjf&}pC1twdS`Eb@%LJ#c(88p z_^qc0q7aC|$oJ{rB$51|`|scJek=0g#k@-(*HRGuakk|&e@0Sja(H>@qWg`W1lD;3 z31=80O61Nw%@HTXA&0R)QLmHODOT7&f5hz;Q_?LNCcs#Op3WR201H z#gm(h|5YpPpx?WH9}|(aEgUiQ^XD^Xb9|sWUH~3n9pSe(;QyR-9|XTeG~c#=nQ{KW zll))6lt~21rn|q*7&5(JriIuj=8VIy&g4&M`1w27LEe$;-oAFLpYKm;1Rf$=_knW% ze!(k&t3YV}-^f0nfk#5@Ua}KjyWrKmD6e|lm)7B*_r3O)*eCFaXvGtJlz)8EfAs&W z_rg#G6|>*0T$b2t$|a4!3riS>r@57wUzAqS82=G<$(nd@>3 z_8k_uL_EX613&CF&J705M6Xs4Bc->qH;hy8f&$=>!1&~c^!u0nAG8$kUo=%C8gxx^ 
zjG^yRnbP`4L`%Hrn7*M{LXut*=EQN!?ZL}5lMP%eYe_?=>}St{WI^s1$}G9hdhh$r#id_{3Z4)l z!V1e1i@edZiJ$4sv}{g1E_T7bJ`VY*P$?B^^X-NV%1#P^^P!YUbDzD6fE@w=E#(iTd>q(DlJ8)37stE*r~(X}I=!l|{AVZsLualpSi9&x>y;ZH{!R@N?q9e-D^^w8y06;qYj|1F9}iFQ z=g7EU^N*dOog4Mkn`pY3Ji!RpV6|rTpz<8KhU-~rkBoY0L&r#0-`%UFQ*q*Cut+j z^U!bnu$KWGWhc4XwQ(>o!nK-C|EwVJ^P8{>xVw8sC-ftLQ`x9^v&Z$-vXOoZ2!z8| zY!hzr2kWw;8?%LjiDPXMRa|q0n9Nt6exn=O%aNI@NOK96E6LPlKL49NJ~iZJz>)4s zf_zn%*W!|sYDmj@a?WyPbx2fbu+9agzK>aF`qW-bU?(R5->Q1-N^@eQnix0Eybrt_ zJsdaD3iai46alLnI{^&`xiQRQQdxc6-RB2HY;yD_Q_=#SZ{}M$HhrtAi$Sn=MKZu0 zF20$9<(ePS4ZgfKp|yRjp7t)4g6NZ}LDMo4fxp=8Hu zSp2$1FOELA;?6sX)K)L}ZTwa&m|ozn8x43dSunH_Y<&!eQv&_K@}Sp~@$L870~$L! z>~EByXaR3DKC+Hxq|O7$x!j=w-M;Wn7b#zPu!t~yShdBJ>Z`{3o=Vm`_)p*zp;;qk zqM9F1Ej=RNAq2pFP`;)@LIo4rQ7I4HNoWCf1%q=FKfe=mzq6w45_NA-<);oND6gcv zBPA4xcpY1AC44BJq#=Pm5*hI%bf_aT-?us>OVGRFV0X6oGSm<_lerk!2Db=64ko%# zrre~9q6G!J@4#v`Q;P4$x%OGu=5=2zK9{S~3G4UIq5{*F+d!G+Jg9RlZwp2o1@^*r zzRb@}Xw`&+nx4gg)|A-F3WtKRZm?QZsVH^(*Yn5qEMXij+qPh_&!|T{y98w^ef%FN zm1H62S`5-1gcM*BL}Yzx+MNBy!8x6Ae`It8a_|C6Kxjvn#IgP^HBY=fDH%y8!6c5P zR0s{%ULBo{p{pkU0B@O_9gW7a$von(7rr+wF`?6SZ30UmgD%JQF@A zWy?qPHGFM6o-~)?OhD+6Fm4kg{0ufA2Bv2Q#+#tVb@1$RwBnFGdW9umHgFuREm@sJ zs2P7^TqsT5DymnHnmSV5=Pjuf(o5NTQBF~6dn(c)O6tfDdh9}^^V82>0G1*-hED|+ z9o;mY;~BjPWq*7^A)Q(?-hAkyoDc$YNdgtUHd3cA6^Q4+~^0j8ev=`VVg1BW(oHuA= z9BDn2mE>9fk!Fhdkp#kAD~0Duab(#PgT1RDH8ul7BHm%x5IS!d3$A&?i%Ifq8kUfw z^;Pv++0}9%raVn9!+hII`a|o}w5DEjsTjPWrKYO6otUz@0ftoLtGUie&hj8~I*V9 zJO0@-tOY3cQtoT~miwhAc48-a84nwNZ}CO#LsWE%>+7fXW7Hk@*{{89?eB%8#XA`Z zdf~EUSI9s3Zjc^IEidPa0k0LRQ=C<*O|0yJT5X0k@ldph;uPMqH!dai70#9=iHqxW zNqLZ`!yH)9etP-Vs-!X55>reZJ0-&puDOAC5#TijzWrzxI??*!ii!UPnO%siV^8UW za@w}#>I{?3F@{Q__B)1YO8Gp8a_jCd1Jr{gbGyJp=`xV`|_oR>Y+Nl?ZZBzmKY6AP$w{+rD zv7s@!t!awyI*#mG;cf>Y%N`od3mGjJzYYUp=xBsY_C;+SZ4OYQ#`ic>K)&YJ|G6oE z50id=!J%3xb@7zxApm{bcquD^b}b}xPvokvmI;t)c=jMFLNU6vhUtVqe5lmG)zp$C zjOXg-lTnjmtk93?j~`Z)lR96BNaKFy>b};Waht1Yd`O9R?5pa+Ycfv)g3JkqAxzo@ z6m}mImfBtMrtbiU~{ 
z`L9;x)|ZixmvcRBK3pUjrIBu91dSQ2v@xLSpd3;yF?Cedad|3s=^EEFNj@}3H%*IG z>?*nQ`sLeqaMkq@OSGrju@E^IIy>{(L#I=|_DGsQ+JTjjJ=g$Wm4uxTdguJIlo)__ zxh9g1r(n^dBKO%~94%OuE5Z!kE#z(NRJn}7E(71)y~g5DaQlgrA1|&AXySInx7^b$ z;S(UCq^sg{m3O9gu}1#viZ$g{vdwm2=hpXPlXZ`x5&9?X3j$s3&S*G)n zaqZ4>-F2bo&GUrW0BTvkyRKX)Oo5nIZS%66Z@;%9?}M6CsxnQi z(6iJk!aj{msSv$S^c7o*&=`hk5uQV4r|fN%y-+RN!>D;KR*_zh3Aq~eFukE{Wx8pH z%P-jK^9^qlV1y%AB$MY9huFtd%4z42vVD}l)I=ZTIjhZ!18b+QXG9~`#|8CVk5Sl9 zhKw=?I4F9}q*Q6Ow6nja)0RY(%NiRi2JXMYi7zGo%*PGZ+xf_Ty&%;+M2{eN{1jG^ zQ@${I8Hu=$huA~JefGlzh$hrVU+R&D!h$35?7}`$RoRp^jx3#3KVd-|Sk~q`yc(o;0vFeZC#|*` zWU--@8SRpGO9v$uIdSv6C3Nc9HH`^?+5H0f$aLk+(3DYZy^@20yhO1NBKcD&ws77o z7Pg%-i`j?`Q_i_aq!NZroyaJ8 zBA`&KjfwHKl5Bp@;&OkQW(k>imS`!r0>}z_r-r7!B$K%3Z*Cu1%8=6XEjtrjDzwci zk9E#ojM$1q`$2resT)a(TbBw$n4P<u3?mdjd+#Xa zCdx}{Ve~OrUeN0bmTPyh;?Pl>8N`~Md^*V6Wia?4<~AW}V4kU6Akt~zioI#qoUDfqh>mn@7?QRJ?fC+pj>`7 zoZYPXtb=NM^W(7oJEQ0%sa~*HcO(Yr49&2yr)Iu>0P}aq*?|55gouQKm#3n`toeiE z%IdyFwATa{i;m26C6h$z!@d#3z(D#-ed@<8EO!>BpUs@vofMRB2% zk`KjXbnAQ8t0p?n`$Wv#%C);8Yzmn|`DQw1kvL<^O|azPe_lNf1B+m^I~6DoNF|v& zJIieDPkKq815+?#ipkR15c5pU)iRxmDdl2ur;5#_i$c=rdx4ipAIYxyT&VB)!AjE} zPXF_xMWnh{&5>Jzl{X9afR!9Tx>G|+);FswM6+V{Z z24*D6_}H$yDX3d1;5pus+RG>(dVy`O$rz->wqDo~QXsnFrG1FgL&d^9?kM~lue=5O z93J1!mueNeb%~|Wvj(rmqn7NRP3Cc4QPv~Z`%2SFH==n38MQCr@Vy>_*5LzH*0_0U zmHp_MFODMxVULkGMPix4d7e>wU30EM|96_q!x!8H0PQpcrR{A4+|G7H?p%LVpXMiQ z-Bwsw4*GU_#^93HS=oF!Qj0p;rz9yioZ%o@*hmcM(Op|oGL;CjY>*5Mwdd5I>Rsjw zTCJ6Y`Qb7Tbtb?n&2`WzY02{E(8x%v2q^@Q>QlFdm+b-uJtItX*E;Sk4;h5FVDF!I zFU7k4L9XJ?s99hHD^DlpMw@`o6bFWmw#G@c`EPW|e|Zk@pPcl+c+Ts8`E>u$jgHv- Y-UmT^xM|{Ufqz6_O1;Ptc=hK00ne&C=>Px# From 5c78ee40530bce21314946c55804a2b6c5f8661a Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 9 Aug 2023 14:27:39 -0600 Subject: [PATCH 64/74] replace jquery file upload with filepond (idaholab/Malcolm#235, work in progress) --- file-upload/site/index.html | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) 
diff --git a/file-upload/site/index.html b/file-upload/site/index.html index 6119534f0..fa4377939 100644 --- a/file-upload/site/index.html +++ b/file-upload/site/index.html @@ -65,7 +65,7 @@

Network Traffic Artifact Upload


- + @@ -81,6 +81,11 @@

Network Traffic Artifact Upload

window.addEventListener("DOMContentLoaded", function () { + const form_button = document.getElementById("commit_button"); + form_button.disabled = true; + form_button.style.backgroundColor = '#cccccc'; + form_button.style.color = '#666666'; + FilePond.registerPlugin( FilePondPluginFileMetadata, FilePondPluginFileRename, @@ -140,13 +145,35 @@
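Review bot: The disabled-state styling added at the top of the `DOMContentLoaded` handler (`form_button.disabled = true;` plus two inline `style` assignments) is repeated in the `addfilestart` handler of the next hunk, and its enabled counterpart appears twice there (`processfiles` and `checkSubmitEnabler`), so the four copies can drift apart. Moving the colours into the stylesheet, e.g. `#commit_button:disabled { background-color: #cccccc; color: #666666; }` with the enabled colours as the button's normal rule, would leave the script toggling only `form_button.disabled`. `document.getElementById("commit_button")` is also used without a null check; if that id is ever absent the first assignment throws and, as far as the hunk shows, the `FilePond.registerPlugin(...)` call that follows in the same handler never runs. The handler body continues outside the hunk.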

Network Traffic Artifact Upload

form.addEventListener("submit", setFileTags); function setFileTags(e) { const files = pond.getFiles(); - valid = ((files) && (files.length > 0)); + valid = ((files) && (files.length > 0) && (!form_button.disabled)); if (!valid) { e.preventDefault(); } return valid; } + pond.on('addfilestart', (file) => { + form_button.disabled = true; + form_button.style.backgroundColor = '#cccccc'; + form_button.style.color = '#666666'; + }); + pond.on('processfiles', () => { + form_button.disabled = false; + form_button.style.backgroundColor = '#369763'; + form_button.style.color = '#ffffff'; + }); + function checkSubmitEnabler() { + const files = pond.getFiles(); + const isLoading = files.filter(x=>x.status !== 5).length !== 0; + if ((files.length > 0) && (!isLoading)) { + form_button.disabled = false; + form_button.style.backgroundColor = '#369763'; + form_button.style.color = '#ffffff'; + } + } + setInterval(checkSubmitEnabler, 5000); + + }) From e29a4e0728d4cb7f2707cb0822f8b5838ecaa265 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 9 Aug 2023 15:04:20 -0600 Subject: [PATCH 65/74] update slides --- .../Network Traffic Analysis with Malcolm.odp | Bin 19260329 -> 19202484 bytes .../Network Traffic Analysis with Malcolm.pdf | Bin 7479302 -> 7489923 bytes 2 files changed, 0 insertions(+), 0 deletions(-) 
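Review bot: In `checkSubmitEnabler` the literal in `x.status !== 5` is an unexplained magic number; FilePond exposes the enum, so `files.filter(x => x.status !== FilePond.FileStatus.PROCESSING_COMPLETE)` states what is being waited for. In `setFileTags` the rewritten line still assigns `valid` without a declaration, which creates an implicit global and throws under strict mode; `const valid = ((files) && (files.length > 0) && (!form_button.disabled));` avoids that. The `!form_button.disabled` test and the greyed-out button only keep a well-behaved browser from submitting early, so the handler that receives this form (not visible in this patch) should itself confirm that every referenced upload finished before acting on it. The 5-second `setInterval` poll also overlaps with the `processfiles` event; if it is a deliberate fallback, a one-line comment such as `// fallback in case processfiles is missed` would make that clear.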
diff --git a/docs/slides/Network Traffic Analysis with Malcolm.odp b/docs/slides/Network Traffic Analysis with Malcolm.odp index cc332a0c60310a594d8cd80d5509074394f0243f..d01655d82b905388574aa8b73d2459d500873949 100644 GIT binary patch delta 216451 zcmZ^~1ymeM+cg^89TH@4w*(08?(XjH8k`R9F2UX19fA``a1Aa&g1gHd&UxSa{c`WD z^{lS$ndz$T>Uw1F-DShy5E=uM5Kt9mprEney@P-Ej_5#= z&kT65A+&gAASMa^dkA9%F%)A332ewHf*rrv>4XBM_~Ntt8Yqa>V)6o)?N^EP&+6gh(haE z-h=H!OZ^INZr#8CR*%68Rgb|38$pYD4CwsfpTjLO;eK}E{}~Zd z`e@tzI`liRy^V+<$FGwTf;e>8j0kLRTN1F5whWt*L2dlo!?+lE=(rdK*eJn91vcuI zaWNVLy?=XRE};2r{%_L~fz~JKe>z3Uru~bA`gR*|6Xs2210mkY27Y6vPz2$#e&%F) z`>=3{d=~r6B>q`U=(Cs@mk1Nrx7-@c4*)dhyLXV8@UZXRy+e^hlzaD%JT5dcBrHVWSD_vf!~b=6gH@cQ2OU&$zMoc1@c;9h9+F&iCg{*K`2VjH{CmF4 z8+hD+?M7nZng6p7;D7D2*J$_u8o~bzsDuwPWP|fKbkg;Ij{RRpY)u_uY4iZ)) z7`b`)Zf-cGRUZXCBw_mcA(gb$f;(4qXXoeom59S@f2hu~iITBXp>}y)i(9YzNlFn; zR#Ha`nvnkiFwoH#0iiC|7Uuun|DLk9&P!n3T{Hp(ON2K9kUpMi1K?hjbaW#5eIGW; zO0tDjRg)H~kAEVuNxuW1;j7utl+C(fA`wN!xB+ZT)gL)GpiX%=H@0!EJ1({f1cHd2G6NmQu1IzXuD0|u7)p$0qgvPPj^Nafw?3EP# zFVAqb?i1`u*n7sW*-c@HH6n(BO;Nrmkobofn3zFlXXv8hqPa^`Ukmk_aan5#gae?I z^z~^M%D-Lbz0YX=Lsrw{A2P&rB`YhM^GDTH0ThxusgIk)EL@G{+&ShY=RDq`;H}ktNSZzx(}}NI-V|mp3mzz}@Mv~Dz5Qm3 zoyYL_!SKi5@IxnS4Y9uslTze=^131leSwl7V`ZHc{u1Z-S2JIvCYi_mWZ-NQ=%3@g z{o`>y_`#_kg(G!u0PF0R#XoCNkoxVivpgK-7LXwcg9RNOYc(7O50wU;p05|SgFomi zI`r^(VVy{Y-tGD=)*2apl}QdRfvCP-8wjYs2Hy|-n$C++E1?^Y06mKbSs@_^78Vvo zb@ko(46AWGSnmn`M+WkO?daTAV8>Q(v%FR>w5h>{wU1SEBr1no~A-dF2& zFnL~>lG;n#)qEQe6QKU|{fVWzZ5RJCGjn$$+^YK@*L21X_5o+?`MX}Q{vX4>a*V(o z!m@L5;psHn3JD7b7!;JN;k-U9d_U_aeo?gRanlaSx(aIMEer>J7S5cR4O8;%W*%N_U{BtNf`v#*2bFn3SCxUPk@T$oE5l$wb;gEQzIwl7$6Z%loI2 zngDK>iUo=9WE@p~K^t}0rw~DU&ieX#CZ{dYSOiqMo$9U|?aRzNecV}+w7bF@m!&(_Xvuy5j-l8wo|we1)GpeqN z8T830;xVA`zCK}`4G(g@L9jPn*fxTXnX&2Y{H_RbBjAZ}80U3i{7)#fi~-N*ugtdqwG{oe1p$>^ z(pz(2c(|fIyvzI6-krzS38G8O;^9Xu@ML24u6zWgVB-vC>&076#PRNQ@vh!X-PvTU z{N9qrAP7UG58Ejho8W>Y9L2oyXh|iaKD|5akeTQiHbz)hHmV4)YTr`69FFWjaa#= 
z`SmnsftW4fL|IdnHl#o(EH=@(ArB%SIUcjgTV#s-z5|!nHA*+|g?NpFlnpxclSM&W z^MBKffPUcDTL8{oh4;wVm|P&&>gjX>zWiLsxV{|cLCXPN+Q>NfM>bKM1EEZmRhRhq zc#gmhU>~KAOBXe?&W2ei3|?c?d$Y;@4n)D$9dOb0t28xg3)c{juR-$d$F4D8-t03P;Y zGjLdgg>b+EwQsNJewO6CU2!=dq0YG@B=RcgwwNG_A{OW#VVIby4`p%m;oVq@y5{UO(pPyYJrm+ z&!EDa<5SywbR79;So)$x`l)hYPuyHoV5*|d$|9~`CQao1*=&$7Adu2-duvNojZs~P6cs#&cWL$~mgvCSV=hnqwyL?K zQ>-e4dK55fJEYu8?#Efejq9liw7ZMOe*MD6>fDA1;Q4T|+2&O+UZ35v`XvLgzLZmm z8JQgU69^m=Aj1e<5x~9zeKKWPH8NkQf=kks>FzkJpe|li7@fV^An0Lwg2~z=3LWM8 z;%R~2xS+jwKH&slzPU>$83vJMIjHgx!cli(Fh zLKR_FRK#0VD&FchKRYYMmZN>Ns7DilBBdsEK&w_JT<0@Knki6odd|`uy)~s2PP9s{ zIx4N^*41wAVM(HHPa|Rcou0{bpQa`r^aUQ3Zd1~>7L5UDIdbI8Oo|))xd|U2H~L*~M#m?H1zN+W z5OMTCl3F(yMhA5dw>I&_{UP}+#FF$Extq5!-DqUtw7}wz^OZv6HLhDbZOw<=yZJNCuG;RO;)5IRZIOev zExnA;Ig8-$(l-o8hp+z5)LBlEiILs)=Rw6(>9iP67fR8!PDfxllyRumk~!E&rR%zk zvE|0o)}4Joelh|*m7#zOhNgnvo-~KY`%Y0YvHPJMk!hKrk)Ew!hdhT{6iI0yN=(Z$ z8u}0ERtrYh96<$ojw@+MY$k;vCl0|HO`BIhfJl-t1_lP5naQ3PDW{i=my{_VD1Uwt zkeo$r64aF?QBDk|0SCV5!aT*1-bOqka3OAhO@txbF}oS{S8DVrX--q!jz-Ms+VSeN zNo86iU)2jKJgrr;Y?f@tln@}@GoDUr8|4ti13Ww$#T{!EKpfRYM>;a0q@29at3JQ} ziF>Z3;1x0z47=<)N3uZ=?IY$`+x4*I^Vnw8533fT=5XUXN6fP@mvJRQ?2CQ7>TaOo z6~QrrBI3A+hw#b;ekNX+-(T5~O!YPeTG3M=bh&WyaisV@vp)dT_QEapN)apYXh`bk zFYUh+k?}6Kw{dbZ_q+~kF+r*vXJ~UMGTnEKm>mdhQ;Wnxn^1An?xh}fL3xd>@7lPQ z(KTD(Xu}8hfAdMxvIU5y^a|vB(UTJOI@un3C|E8GujE2j?C=W#z?3J%AjrV}P7B^4^li(9mm zfw6!`RY2#+`L|foLjtc4*Q#^&E;jf(Xb1xg&{AmNA6SmA?+C2x^tm;#xLphfPLSpt|s_5WMnh^JFg8~4H4ye+DcDuYSuO@4oM5sXV+=j?{H|bF_MB4>yt+HwPlwVhvdiF6iwjiM z)Y?GiB95&=KQjLDEV7WM5EYz zASplpTv$YvTUem$ zdHH$xu(7ll+W2y4&N$>D8y&wc!AqIkR1CLU*Y%x_d(zf;4zh@rSQU-(0MP1M0A*6L zPG6p+sH(1JGMN9}aI_SWlnXM+$y!(!ciw?kxMlW`iN>T=hf_N=bi2;;(p=ZE7v{&< zm>M+mf|>?+o#>L9`Z@duwg}l^a(S!yEjb{&7bkTHijqN3-sf9`qp>21$jA1ba33ab zyI)@(&(HeN9vS!maE3^PJWl%*2F{^L?>^egVJ3*e<>;lyEiuv`f>aDoPY7vv?=Zzt zWzdxi#KRKMl|Y=eeBSTO$GYS(5WC4ZDua+!I7`?iipN1bMrz6AU(f2I;g`yPrxiHIFYuo!dmAzQHsA95{ zm7gD(eqPmhGF4}aM~atM7o^ToR$L5ANl95QJo@td$ZR%>U3*nURi~%-6CG5I&hnk( 
zKk&hSv5!Uq2m?%zHeOybGB`2j$@Y8rt0L`)&a`{4qEzp)C!bSPf*Vk5e@Di>YimSl=w+_;uxa^fq2 z8xBIiN;(Zua%?3MatZlQ+PEkJ&YW%>SuF6t@PHl3hD<1A}fWy33xlnE&>%3DY0DKqdX3_ z)3$#qDQT6c;xkW?YPPeZ&rG!I@Dm@X?1YFnQlg={PtKbTj+zl0Y972-a%3f=qQf;{ zv6a)KXCyFbND2C;ze|haIrp0nXuKdvXQK zQpp59>Ypn3E7ern z^8)}8EUqsL12MX2*Dkgtb`RcKud5i3Us3g^$By5wdQ-6a^S~<-21DAJnn~vD;JTCB6oD-w+$}PJoir z?_Ps@`#9HZ?K0uI#f=nU#KQ@5O{vVMFWY525TldHqR0#4)YDBi$8{&o=k1Er+Fba2KQ8Y^vn^*F`cpqM{U=J|gKu7H+gq4uB=En1F_rs>i{_g+I{)Rs zZPow*)t$-B&EDm+ZGr$CDyS!hkf#=0o|#%$RA3X1^U;N;4v8E|HlE{cdZlJ(S7&2Y zFjsTPHfIQ!Jl*DrgsNsVJFHi~WWd(y*4&3q@aGuOIb#Btn6n_$jyn)__-|VupC_vp z^A3E0OK)&dym2K8_H!kBt!e56&`*dE3h*&0lF{=&P*$~Gvi)(^Tf494by~rQCy(l2 z9!K(mzBi-3_c5E!U)m}oliTA80W8oM$L|&B8oiG920rI7^EC#s;Iz41aA7qtV~5#f zsMMP41EA-M5rRT6?;76Be&f?orN;K=I8j_K_ z-xfJ#%zK)Ni;lO3Y$(PP=hQRjR zLM3I@gydoP$CP9qjKpFVF)>+j#sj3ir;t)X#5%h%lT_Z1>H#jHjbhTn_8&!Mr`<54 z(69{>nwNJbpe6M6vk{M0m85C~R@>eBzd}ICqNxo z#R?S5WrPqvZNQ~+yIIdjT&J7dYV%GkeZ>4ouU^>$yj&7j>UU{3MHd$G!0nMs;a1Ol zwiq9{-^-~9!}HBVte?)h$#4PVaQ@?=VAO_tJvE&O51JbUo-EYk^a;7VFS82*HjJEe z&~O~G$Uf`9>oe6~R|&UtA=Zi#NAgMpAgy`nr%P*|X*JjSQatpeK*NkVK*5;~*Rj(1 z{rP6uIE%!Su4o{;_A2-0_v{NA`T!yFOqz5bS@kY7$eX_V0h!lE2IuA|)KINX-` zZ7ut5^^hcue&7+!cFA&1NziNF@Qfl(i7mIL{YL-nwYRRdKf?q2xr8Eo#ImZC#acz-L9z!G$)`^uo8J6F)LnM@Kqv~HqQ^FWXFG=;KjQ7+J4rD zq@#GuE0Aj96kH{Sn%Z`9DCs4MsE5kR)jg;Z0St65JmM-s9RuC3PkO>+miovxt6_?qV) zVG(G`&P~kz>^A9g&G&ZoZp^{2;9^FPR;_aEj5G_||`iom8yfRshET|Xltz=yVi@M%jaV32>aGO(W-3%d^{0;yu0bCj; z>(i%f2(_O5$^#qZQvQ+Rc6#K(MRZ5?(R_~M?hb$&Vu*?pHa0d*5k}5u*eKOW#gU<= z!MVK0CWm!uc-}jrD|u=A#4{I3 zm}Hoo7gP&*6wLY})F~y>#cZ`Gdn*Ak?eG3}e)Gf#sH;?Rj{9y4IL%%tQ_!LMk&+~F zG@igo+g^J4)Y(c3Jd(!k#_9FvzQe=4BQWvRL;QLtQS{ZhD5196&Y|-h*6+4sy$o~j zVTpTH8F*c?O1#dTpSLaN4(m_W(Eoe6x3J2darw_ujC@;)r;F*?;H8M{e}fL%9*S0( zlQf^mu3|s3D*JlT;-+zwl>|;7mq1oER?gfD1>lmIB zL1SZMm9Kjv?K3ypJ<1cp=Dz@FmEj1lf<|@eK3EeGb6PL7POWM5_KMiyfdLN_sXAYj zhtHE?i4iDXWN{mYo;u|}Qpd#xgD&w*q!t|TaIZfXCqqx)HN0PExGT7-5K=XD+qy=N zvg3)}OuUD4T1FX1q;aY<((D4tKqe&urP);}sN*Qbqd`F-q(lVU8P&_ 
zeM@#-%-fYYKO_co85>pwXIB$IXU9+;Mv0fzgNd72I8(b6J@A8TJc zbut*_K$&jyTDcKD3!!UI&Vig?jxLXo;Pa_4; zL0%%GSLva|ewt-=z#Z)GhutpE+|y|0x&)zlj-ZtvpBEm%u2W;E(5FI9LvXoTEf=PFXR z@*`_F6SU?>jwMoxi~N$2sc9gS4;5Nz8@)Ibg=KNsyau`!V3?s!1EM_j`tHY zr|AHr{a9!TZybu#ch(+}1Cs?)1Jmt$4M zr_5?0)-?EG+6dAPO;udK^J*$)MmhH^5#?DzJ|Qf1%zqhhu{e1X6=Zh5vHn+tJTuOL zU)M<{i2?$5O)EQlcz3){yKW1|G%n>202C|^MW4tvs~IZFDZA6<+vc9x4CY;Wm5((D z?{OqbIZCLB=Gj@$jhfz#`tOZrExYEgMxT^Xak{Rjp^6eC<4;-D3(>Q$s1>#HI8`m| znP;am{U`*G=2)*pNwX;uz_{Ya_Vw(V9MS|nf#<&p85Boe-QGO7))hr#!}Yp{mD`}PW*rR(mLW@)j;$Cjlh-S7DFL4S+Ve|}-MoJ;CmfVN28y|**yB)#q6rc3s`H#iTQAU*^TP^V}&d@XvjLLMHw=IzufDm+$D^R z{g-xPYdkBXP|1Nz>zC$XFgoUgs9Jg&=XHYm&;2h{0sZa#0%tu?biOgk1?h05~E$JNWAiz3iWvR+!}7NnHm$Cz&qeN)hq% z6vN!_w(hxUOwGc?BHwQo#PTZ_JDwy!lq76S5-3X7IJE7&Ka*qP_%V?F-KFKzah9L< zbKjw*uBP+VjDmog8tlu(H{g5e7q5i;>0}&``c?qfGaCP0u9pfx7Z$ziQs~K4f&fdG zFUeUyE$>q7r2~^UHuKz(-G7qYF znKU66?_^=OW9&&GEE)|oc^Du{NXMj`Q-*XpbL0~CuEiWxWJA_9z{74Jq+pk)a?Z43 zmg)9^o}sud(xfY=7zj1KZ`YR1xy{`WhWRm4OqmtFF`2EH845zfKV=8(JEiP3bI`ho zwD(ruB7xbYjB*sPE#|x}A@C4?F*apmE>XQ)70>MRr3M^-z6f+2Kg%=cyrDbX)NfOi zxoz!bhQ6-|y(Hqur1-nlsbHygM${P$Zhf3lt#rPZN~C%t1gtN2BSqi@RE^$vqcTK9 zU@hG%@OYA+6uJGLJrhT~`}O&>Lk=;MEC%HNFmQ|jA)$4mdw6=VaI}Fik z3ALiD{L?25!?5}Donl6I^BlVg%Y)q@T!K2sng_YQ=T0(JFe)$~->ax&QnZ(myka^z zCK#TK4<6dVRT3NhOCUtJO|mm7D=WJ9&3kh89jdFt^=4t&68oSaX!`vAG9SkW15LDK zK+t)GzF!_sxwy~iV?&M?VLcsZs(7QtjLDWiMv-*;%>hQaboT{6#fO7K0!7*~@+ThI z2P_JTp^!1p#Y8>Ih)7LUHFcAdBkUxp>m>X0%{y~FDD$k#uk9aB`$^KCt*Ss(L(xSR zSmb+=Ta>!HGUSLc>UrFMl#z+K>XM}y0F(&qt#ocMx$gE!4!c!brqL^E`}v@vrhKo9 z&!pyb&niOt@<#h{3d5!_`Hvy-{z#qkjX~sq_ZL4u zsafscU?x@XM%{OT(W=R7urf+wfxuFtfaQc>V5`o&oVIP~bk zw0Cj@>Uf#lk;#cUbc5kKtI3sV`Q=7(KKic7xWqE-l0@)SA+ugQUDp7sSLRCwkot!{ zGosUPWyomc0rRvpiHKuk%vV4CyWO<=dx}l@BH`h=zS$?c+8d}Tiu^r)`vR8Vx@~7p zvLL;~N<>V?khBaD=KCmb3IIn$6@K`cL7s#GTZ@z``zfo?ozwbI^m>w{P_(rYtJ-Uu zLV$I1$_ItAO>i)2M)YdAKaCEvQZn>7%?3mJ^3&BmQE+A_{?-2bpxg~X?dbBCNrxnT zf@@g~+EQ#F3X&8m0L;2!&fD@b_#XRb^O31q%bTg8T#QZ(oGCRZ0or8Z#R=LaGSlq` 
z2;r%G8QDFhc^KtSwwg4xZUzFf=}yr;SEf5M7RrvA;VrvC;u7cxj8(xD(|>dNo$I-{ zxTp(N{do3tqs!fa_2~u~1wudf#H8~<_ZD|=!)o)lC?x+Dg8%q+t^Q@dJ@%-{d$lixW~Q{LrH28nc>Rlt(E7h>pe`A4J4D*9+e zy`C1UlWvStOPEkp%)d^8!@hQ4&P-W(Dg9&&3aL33hkc*N@OI2fL)~%zYrwQyv3%WZ z%_m=|&L-C;D$kNv#Al}!N-kDZIMk!zy5|XF$Myy?03PbHGV?r@_qh-2i6$L#V0%ug zk{0*z<^)4clr$oS5VN~LGz=q!&K})Oj9j=cAA>M4YNOUeON1<*-?A1aA+aLYk*I;8 zQe9#HOMQS;Dii$XCdS>vB{j3JZBZPe8_mZmD9_YX%j$4e2}&!a$bK#yPHj!vzqBae z@=PBdNVHEtO)XI+aIq-LEtH*>-s&5OEdbF5I;2>XX0R|d<=Ah_s@$7zt}|H;D76vI zk;tl)^)B*12h5LVGRHJKl-+XSleH~4(C0@pg5le6=s;((`Z;?b38xSzIur{3$AHUT2H-#k}b+ZTN2{)kI- z#=BZ1=s+QKV7eb(cX0Rio}2pd^Qp_jIrnpa@j7y&B)$oLc5D$2ly6w9cOq>ELdQNB zL@)(~gn90suw12BlSoOGQOinMknCQi{v_dzAcn8G7PsK!>(kn!1$fv5HA*L;3H!;!;^*%dGkt%(MuCH>#A^K2RK8O^G^Ue?U-5 z_-dC%kFo1vAQ_2EYI4o#ZGRBUr9yaKn7ZUR1)TAC8O!_ zr=)jrn(};}ExJbr^COYW`_QsDEYzF>Rt(m+lm3638K<+CZsQj}YcpAj+WWx-Y*h<; zh0MHLd?1`kgGcS)yno<5)VB0xe@afB-*MsM*ars6HADWKT{AE*fHgD#;aiIBHnem# zOS19#ZB8Zw196l*vcBniAqd=$DA*PSXiA~lCuoMuWn@tJR;@puxZlmy__+zAFXE?i z^956$H{1TsM}|~@dy6NPDJ*tNtT={RQcwy%P%1`+w~L0OUYo}Wj;*E>TBLMt?WIPH zZc(f?C^;KPH*b~!2aO%dWf^-`;H9Zg`qd6)`hLCrLH^R>$0}FxaN70{8tj%B9(`GK&{wKami!$+qgavN(aOsKsVaQhb|c680_J zX*gF6D^j;DH>FR#e7;PYF>^~ff^D!;@K)tyk^wv4f4}$waEMBpbjeb}5{8qtpVhb) z3nY*VQJmyIp+!ni=M1N(i`%Z&BchlQ8~=&JO-kWGCm@Wt-l|ffD`V>qy-EN?l3RD4 zH4&(41hI(*o3=VIA{2HlOh)fSum0i$AEbMkF+Gg6i_7vHeh~f<1fn*TXNR@3>zd&t zj#q9Dt{a@ zwFFYY&w)CrRiyg*AO{Dg!c-50k)8|N z&(d8^ULY!&F$hGt?A?gGD3!fn;*rcL2LP&Ci!0_?vtelS2TmfGjwt#a!t-`HQM$!SN8=Ie6WZ=Q_z z8;Zh{GgH#T_{cq(ubVwb=-S2)fU6>d(~eXA9kVT~Ntu-@2aF6X;VUdj1qBVj>-MCo zT;vSoRUJ1uIzB!$p2eef(#j7se)#$cS-u0mH!rY?kmn0cGU_vkwbxMNI)6A7xb&Jo zpE4PmMZ`q$p~Aw%R6W2Q`K<1;u~^S=1*RhBCMvgWQBsaz10F7Izw3Xh{{G@s1nnaB z#hUla=^Dat-M6V0g(PKtRrPt27Gt6z1zweE(zW;gy+4-H!ZUqed*l3oodj6SvhqZ* zUYcAKKH8GDOPUxNld#PbhtsD}T8$z8RiIiOLo7HBg)N3#N)JK8I>%Bf7$GI0eDk7B zo0Lpbof{n^K|8^>Ra%uI|19i>prGU@u)Kwib0M$p2G^Rd*+|g3i-xst_Bl`lGO7H} zWzCJr)sJjR`3QA^k_2*qmlxji9`))3FQhf~ozIgQ`@?ngASYLitST{vGFfwFCH`ZK 
zd{1NAho5|!H@~r*MaH1T3@bG+V26;GN|w++jmEj@lr#HGe;TM{t(U<7%^QB_lA5TW zr#MqlQJHg3{%9qqHo4g!8lRR{mW^`gk~ikM>M5@03#VOEv>@~h;NdS%BSli>QXsk! zXf=iMYsvmDtYbja!x>yv#q|Y_nFkZL!+hPL#V)0?-wsbfnk)bX1nFtUBwcp zJ9_Yx^8)x?7by4$c#I-nEJW-m*((RIXJBcBiZ>53xm>X8dR+@sP}jZ@_!cuvg$Bb` zt(;w+1^>3vpx_K+uAr|CDn$Kw6yqY};N#YWkBQGpUlfX}B5E1;d#PQJ5;8mntTC2- z&g0Fxl>a90ws1MCw=VB9y9%hM>a>iwBM7WUe^dE^7shEng^sg|t>Iq+!tr@ex#;!khymT)p|l z@F_{yQU(}Bqji1O=j)~4uxqVJiTapo4JtD~6irK^f~wUABy!d^OH&?`!dVK0u!#pK zr2)yLFh^3#pv+uI3gK~bt9ru`2(i>C{3(^DNU&x#8()e8p{LYns@!WdfHIWX+!PIY zOfv3~d%%Q3v%Cu0aA(&e)9vJVdN`3jtMw8mcO-tbgFU}{-z}K@vB6A-d3tyyl86sW zL2=&|2Anp&Tt6t(WY|=pa~2N765 z7D+~0PS@J8jZmTKcyft!c6mmpy7?Bt6-j5T``ru&FUD`*98!PBR8|5EV7`dk@aa4j zSh-@Cc6fQp+8}}G6;zQa_-)Vg~PNnj-SE_hm6B#an@ z*oz*7b6CN2$n$*%xqrIm)&I|3m9X#t;-+HBXm3I)XPipRPKAq-W2N!~VZJ%So zB`sc{=)g-Lj=BWq=JAQAV(3m@t{TI+O(fsCK}mGtjwAt9=i76zu+w0?qDXt;JU z5u8gzEk_6PXDUis%%a9l@vt<-)gKhmQkV7Fj#a z+r=Es?S#mqTFheK!*?g1!GZpnqOKRS`GGNWRj$!Zw$fp}Y|#TuDXF;;@D)GkSI_dR z7w~1h^c=9Qe0^Piea=z#V4YBCSzg<9$*({M!#j>gi*;bxjvd+2QJg3^RiJ=6`3}7L zz3Cb9KZYq!9GV^N++R|U$8?N3etLwq%?R&>3<+hcnPN6feMFsu<@ze&rLF5R4EUO7imWd z$IPF_zFOGGv#$K{`BNX#PHdftI}i{3n4F)xA7j6o?{uXZon(iixTCsl5*PVG228jixCSPQF>8mWFyb#Cs3s)WqXp)sNUK`UasU(3mr%$w%+@TSA$*kk| zNo*(R2DWzEB;{iIwHmxC6x3ywB!e0g7qlDLAXUuQ>5gL@msK09m>FqkfS$ap3HaaS z9te08!WgzZOybhVey>5;spHa)mbO-6<$ z;g#P&1<&y3*r`bWJ(PlHJWsIHxCFUy3p*(!;!wi$i@5v zmb0jfjC?KT1E&?0oI@Ywt*e6UXk!U`y` zxP@2Z7|6}1Lr#Xa@A}9YrJ72kZLid>S5@9!ds{q6!m1^yL@@3gYswdzIs@SMwW<2C#6;?6+$dy5McTHKX=eW`m1T>=R*eHRR|`NqauCV z*|vNkeLCxVNg%=^EixtuN zOkw2NOskb4*?(kLK*}42Me)4%(L_LUUn+aN8Rt1I#s0vvzA%4iQy=USU@cWF?d2ff zK7-{_Ed+qm(6l#@$^u_*=0ji)t#D5wij)nQ_Y}Q*@4nLNH0m)uS1g4ES}A0n3s^%r z<}1bC2#LIHQQ-^jCH953@48l3^HRALaoBy1-k3brt}}))A4{LRx{;@+(cN6|5t*3i z0y8kVy#;PACkNbLfEtbsSsmkdzrN_qFnACG?i^2g!5bv(tWIX!QrStDvzl#vKg+Wx zHLp+C4a(w6$E`lqP5B(T)rw*%Cs4EMxn3W!eGjp3pgQz>TwdSuha<8KKI4^l^tpzo 
zinc}vkRB#j;YSq15DLg9ImD)wgLHGlEnlXrc^@y#GriU6c4ZaBoXSd>M0IxaYj;LJR^kJpI{1fBG;TEh2=`9m1I)rGqT159>}KzKF?f+wEOf#DK20Dv2>&MF zulaKAg3D2;_=7OvQ}kjzkJ>DmzUB zunMGVxVO#iWS^by;s^QN&L`ma9|aS4-z`t|{AZ5u_tA8WC$vtvrxnX$`7vv_z*4G4 zV!%nGLW>eT3Rs@tJ2~0WWjCAi{c2jK*T$M`)_(bFai$>xrxX14*pc6CrUe*M!-dv< zlcty(ziHKv#d|WKL*1Zc(cri%z$&#SxhyuhV2AO$kQ^M4c5-pclu1_}g_Ll=@-gPR z_QpEzWXU}~4#orb%bSM-Xn>c;^;i3!qD@@3E2#(5xxoET1HnNVZ;qdKa^k*r_@`r8 zJQ`hD4*C#1StBc8JrUn)w#OF2(~*UMi%eJEjKqqkdWZ`>h1RxwfB+H_G#Fsj2io)1TB$jI$--ldZ3YuBis!^<}Y_eqpLVr4A?no z>UB6@RUQyWg>y8%oH9P+@wZVG61@kH$J z8GU0|$mV}~1iNm<^^V=Q$p+8y+iR)ELK8mo;AnB?0kx10CY~T(z%V(J!y50mw&Ah$ zC4Ml8X2@SdEtI+@%QCi;^ZK-h;838wta#8psTf0`^MJMA50+3h$2wg9HZM23(&6J# zS)v2nsD@bkye~$m`TCZ}pDXt)d98YeInvv8^N0xC*`M|NH%Pwt9RB3k$;_DN*s(L3 zTX7G3eF2MilQkl#Cz5%#D{BFP~>mj|ZubO^+}pOev+t#t&k^1@so9#9A( z_iXrYYPRNM28zF8`+8lYn@N;vN0yh{sN#?n_s`DF(QQw4b$mYW?TFpxbh>N#7ELp8eX@ojogt(S0{2+97TwiK@3(29=T>}{?Rt%}PEX?E2B z5`D_^>FY~PiDKHsn{E~s!a|n}sRW?KvY`rm10y~{cUEmoMjMUrrjxOxHj%3>&?3pU zX*OEMFZ)gtNEHh)@deN6>aKqCUHD7OK>N5~5Sv|FcP$Yh(jv7dcgSJsHDe3M+2wDB zk8#~|XwjVYX8s91226+eFWart`ccB3;At zKX51ZbrMvjv35FH;g^(-5^gHY90)5n*%=a#O83d|k^zo1{Z*C2HH5N;Qm+tHG;n7v zj(>@sZ!R!dTQ*7u8jb#30#Mo#%ps8p8H!BB{-S@}G4-5eND`RfQ;v-C2g@V45Vwn0 zDZuN`IUBviSuUN0TLowF1@_nLoe}H&`;CruDG9Y?+!*noh#UzRM4O4eAgN15W#!7X z;^AQ)9GGrS*RsXrNQ2>0p~sE5UFKu+?Qt5}bhmGfs@R}}zP^G6fR6L(;U0|ilw#96 zB*L+t|GAxB>+)VDL!UJ_NLz!Yb51CyDhD<74G>%k-6q>WSCnhYEHAZnznpY~RX(b7 zcrO3GFmyv=2p@BkYr+2}AEtrkMX+54Qzjg}D-25Uc@qwdoHJH*PkbC21njno{17LS zj@MMtb2_*HX9rzT+3CoQ^JS~Yxp5I)t-bAY+D7X^d4;N$o;$@v`-Io8r(Cv{|B4Cl zcx}+ocupSIyi8d~gl_%3gj?||QcjkCBcMiOtkb-LDJs6+)H$4yJSej4;jdv6i7gbj zUv|Ix+5a7Wqt32nJ7f(1KAtsP!ELNl69K~rG52VO7pd@n5NIb!)MSiJ`jah&7Ji~e z0E_}*j({#4IsY9S8P@*+azo1IbrrV$J|iC%YyFgh*-l)gAV9(p&UA_ z8Eqv!&VdS(mjn>Sb<%Vl-9DP4A2BP`@iMh|d6j5*zG!*A=p0#xBU!N|WkPwmG;j{h zo%>^e-#1}^h81$%=a~bv^j#a9*h!KYow_it5-|RMxO>Z{I{N5aFu@_XTW}{>aCbX6 z9GsxR3GQ}+ySs>=P%wmTlx2;Q;cvhV_q;7N-U<` zRb=LMNoyfx_1E)TH+JUhQ?j%je^$>O%lap!sW5-CRmW#C2#KT-rsAJ0Px8(c8zUmo 
zsa&%DkBH`M`_{X)49#Cnko_h{xQkz3&(MVXJ?B*~>1e?j#D(W9tysnFUB23@kj%wk z^Fbo(NU7*UfRwGnaB#)?CIBK=6YBy2I@GHSkhey=OVT zyHd7*Hl!o%Pk(CG zqQ^vic!9walG;!ZC2f`7%U?Pw32fIB#@^FsoXrf3P?Ep?tQrhC;1Bc|gbbE=ZScl} znXkO$I{_uCH8nL%v2<4y=-2*w=2Lqy#)EgBDi8;r#9Jvb@9N^uTANF<^)RxlvM*B% zUr9gV^i5k`9TG(R`IG&VicwVTQ0X^q%fEBXRzFM;H!Ra(LKyH9JitL?v$XNgp9`cn zHrqQz0wAO^ibD5q@r1xs4}>vOq02q_!|}evP7N$27Y>TbFO~?e8V=5KF#hc6Rivac z1zCdzgH(DpM%;{b(XDs>^q~ot%R7C!SLN(VR<|4;H3Y`pd73%q9VC~$KT7`r5J+Q} zX1O(++JQ!u{)uB_8rJ`GQyGu=2|tZ#Lf;~(K0s3+Yf-h|=i((sZ7?!EP}e-5@XV7? z^~>2EMePvX8jQ4LyDIt(@r7l=U>Nri*7Coc?|QkG&5(jn@;D01(m$JqgP1mq_M#Xj zXPk2Ep4r*ieem&{1UFrykiLv(G$wwK>vTs~8=8)-1IxgZBldf3CEPDU@OeL}L<;}< z%@6!JQ#^sty$Wp_s&r4U`iQCw2yfnvK*u96VIU~_Q@+#XW)i*qJxOg%4W6hFH&!ZD z?T42rsD=5_St&Zl$hMdGh$kz%RIz*+bXGiYHDbBo!b*5K@tTI7U>fg_S;A0Vu5-oT zFEwXq;QD@d0)%BMllK`y|7<2sWtQX9RDZfWU2emuPHeL_0>ahYZ+YpsVb`wNH;o+O z`2++1_}*q^>Z96ZbAeh$q}9duNqn^y83a#$K}myu2ColzzIT13Tm?Ie+I82LV_hCE zfTTa5M6JlPBg#{dCKuGF!q0+mHCCIfZ60Rv|Ab6z$p2l|@E9fhLw!?bc9gUM`k)?e z&B_bU3@j!pp610`%7NKi;}W&bzqOZ*y6_5#k##l)sca@s*#Ii?)rD}E{|Je|70RHD z7COKTlX%IkJFDh)uBDZQ)aMGLxOGaO*p>UOlyTol(gYvq3-KfOc3p>B_+Xbq?7Zwc z@67}N&96RMa62dbl3UgmQZx&M76!grQ=T`0TJY=bD&|*GhM@%&S*6a^^lO&0Uxvo5sf*m0d%@DisGueS`Pj~LVlZF z7!DQSV1- zaUcx0@yw}ED&J!;)*t4q@c@7$6}v(kurMDzkLGdPt;e8t=1A>?lnh{h$-C^iW z)DLtV2zCnUM&o-OkEdQ5s`-y4du)?I5d*Tz7VuFNk?Z`|9}E7dRey}Ba?x@ zrLJTi{f-r@s0#uF=2ehg_q2r_13_{UV$KC7OL|NCnme0~_g|4iQ_Oi``0G%Omh!uXr`3rdj_%b*uj0$5-M0L zq$uwl0OAo9X{AH}C6Pm%B>qBI23W`8N3<`QDhjpJBU|}eW=z~xXMj;2i~85$!K6u} z?H^Vu9@wB!IRZ0zMV0>0yG&!d9*IZ-h;M|t8oq#(v~-R{Z#}6lt#$qhFbb+6xB!Kvx$L_ zsxG6#_jruNCP|Y~+(OoWBcUdHurM)wdv)f}eCrlkIRId3f4a|(&kp?z6{?eh$N31K zjFsE%`Qf@T6uv`yQz~{_1`Gyge4Kqh3<2g)Y`#zK9uYc=W&?;>g*}hJgEl^A-)g>UoP8)gy6uj(D6B#=sQiqQQfZW#|pt)x-EG@Jsn$z%bFazv- z@OB2O{c-#G>?GO@fmTh=a&VaIV4=xGZihLU2D2|}9y=0%^d*4^v^#`IA?!sodDYFR zk2iaUS7%h(;$lfd1L@-psXULq<)*DD5&L!cZ6sA-3&L=|Wno*2RIthGc~$(G`1XSlZFD}8b4T7Fh zY+D%%GOn)$Cc6Y#Il#De86f_jV9l8N_#|H`Dk!M0@}-08F3T;}s2;SZkeBgbB0G11 
z?hV1y&_m2#`Tb5g`q%%#gV%Y1J99?Ne<}N>F5!X7wn;pJ(DAr?bXYz-|ASPG%^t&S zYiK?KO!YF%v~S<`um1h-PP@(pEejO`7dJSHh`Y4OiV61dMamvs4UV_`M(je`&ijjk z8DpWPrDf?DnF5Z|b#4-@d|opkPx%&=W$Ogon1!LkL#s$)UR8CMY9bp8SnR!%)g3Wo9B za@@6@?Qn1jnc}ghUxYosEOZL0!4_@}D#T7+tO`IWGjgim&+$q4w-p2S0Ka&uugc8X zjNHS@=@qf20S(&y(DE{?>k?CF(kO!9rjvo!B~gnx2;pMg9SD zEl^tqs+qBKihe5{I5FP%V#IDU)&bu&G0v!g04IoCoQBlf#P7-eM<*SLzld9N{)^j3 zea{1GUAuDptC^<0tgA%!2_9%F6^{46iM1dUJRHgQ_xGu+Mo_3E0{e3rJ|}XH0L7+c zy8Ol7!aGfa!)~>mW(Ld;3Yq{x>^TY~hVL9Rc~^CkjLgTJS^KYWLE}mdpdrN!LEa)2 znap=8MyB5kf=2zhr&u`OM`&)#c!ECp`%~tpgAf``aY9oh0IQ4>azOv9YGaBw(H%Il z7ROnjZ!Z`pV94Jr6*pX+9Od$0kQn|dIaz3!8jY>e^iDwQHH7enJ?=NgT zs>NGWj;pd+QDbS1I)`M$>fzl^rx4Rh>L378f}HcPoHfEe~5}J zrHTXTNIc;$aUYXz<97&5byYS2;UX#_hYZ1Bt2mhjMTW0{YZuzztPh@gIe_frZ9HMy zFzLy{Z{5`PjeYOUz2pC_J_iOkaCOG;;{snW(9_oeeAH2&;S(k%rp|HOYUl-VVb9rk z@<%8DK?hXaJ>Q!C&Xr3031bp3UKB!-)Xnzs47p>LtpsGTG#>cwHkp33VS!`T07E3O zCkFJpwjOVDYM!f1lj;F0M82KTi42u!c0^RTzus7HH0p-|o;H4#y;Oc~~RHdLb|A>0a>U8DbF`?Y0&FaxNU3OiYcVDzn73KG0Ok>I?oP zWyV4Fs?`8?3+vvrLk)AV40LzvkKij)8Dv2}aw{~vSvkT<>-~d)$!>%8Zz!N22}g*- z#pcyv1!8ibi!W%Ol9~n5fkdHy22`})9oR|5R8>`rXn3ypdjF-Cmw#e0TDmCyZ5Ik7 zZEIV3;-Uy4b?l%y7cpQkDF5sE*W=-!$N|t@v`X3oaQb78m=o+a-b5i8H8u1fN6n_qFOfJmkA zQ?!JYvM|35om>5Dhf~=Z{ z8!6mXRB!Qypt9EJ=XB;qis3taIM*N;EEDj^VilKC8IP7~k|AFBZh z5K%1Uve)pv)W#>-32IDYþoePjoPfz$)j?f$DZ`VT~Fzu-z!O4u%FH0WEAcnuCFM@+@#O|V~|2>&`L()WKQ}(jMwo}SP(i(dUCB= zF);C83RW9?ZgS=$$qEcAb)!+0DITnZLZ7MwE-L*6R0dv)eJwq`@}=E_+&vxF8(-{? z?uyf1#)(T3nc`>HOA>nSBjdgBymG^bdB8jw+^76ex*)PD`UaCYJ@aN@=^Fy7K~!r? 
zC6Hv+nSnCE9*@oG%~B0wj|tUD!{aXA5$9SIS*F;v4(B^ls34=LXsg1|;eGGO`Yicq zai(8!@3rsLEc%t1-6?%}>C*#NkI^-Iu797->hIb5Moi)>(;vd(UN~r#rw6D10C8+_ zsV}~NfZZ#!AvMo&A;p1eH&tybRL|6veEFkDX^Qt7XIMTXGZJ##*YI;4L81fSJ2(i& z=sum89M?E@npP^!BN*{~!~PG2wE@D)$W7$#O+z18;h( zFL$$$q6OQy$jWcJRGBpp!hm#MJ}T;%Lw7zOnv9J_&eIB8#>GeFV|H(qT(5w!DYo>5 z;eX*sZr4gKAfQ&xC(s@U*|2}t?ApHqqfrx6Y`~uKD0)q4Ae(1e&U&g;) z6$x|7S}l9dR0No7kQr((>UVfH@M8Y=fCDpharOCinkJ^F@{e_e%B({VH_LXnBQ%RM zmgAi&Jw5O8%7E7=^FXujbB%@pf##hK4)K-tM%`SR8kj@l@z!>z)ij3UvmQgN3?DH6 zSkZA-B2#(Cc7Qy1=+ZI@2{6l6pOs%k#OxI@aSDazR!rk-ys3grrbO zG0sK)3hSb7_{}roOSniM9|RVyR!>QIY3M4U^(qGFZmqw z@ZO&cC6(CWkj|8#OUPONXZ3Hs&Kmv!g%x@bfxfBPgo7s^FT`j-$%PMi-sC9F+2*ZR za|iE!dZRzw0%XX(Tl@@uKt3S|RmpY4^xm*ZzWk*emAKiDnB6QgUSrvV5mFHr`zEFZ ztj6wT6>`xA7HUkAcrzI_J*_=Q(R|OK+W{jo<~2{?fzM^jAN9j;H5s<_shf=N_yoPL zmeH^(j&NIu<;J zByru2-zOz+gJCPw#X)E)GBI6aLn|k|{H;oV8L-2O3|yZ?Cmn(?u!>b8FkVf@l-gf@ zjNvTlFGtxg2aF?rte@?$15x8uXI9=Ch|mOY5qf8e+lL#$9nmkEjAsG-vH6SpM$qVE zFG!|7N%bd+D7VeRyL910Y;3p_z>y(|fu&UL`QVWwM5?Ip%nr^Q06J(Yn>UeC?0TO7 zWsJ{HCD<}ZF)_buxdICoBiwNls<$05POkQh6viOtP%IGsfI`{U>c6FH5NM-LQ2gUZ zHy4f0bw95!;FS4YDlfZ$+1=9NAodr}%qLu*drZ`SIWZnia9dg`S+NK`p_mC%Rk)Gy4DS9p`rN1=S3)SgULt#- zx3DpF-H5T!ei9;oTp=>WX^=Vi7{2lZvRU>(26*y_2OF_oA(Yli1ifB*K|SJ9#g2{6 z1J#7-wF=-A<*-7OuP&x|m?U7AX8n00FvA%4B_zahD?kOTnir{s=Tk?@DZ18k%iNql za6JVx! 
ze-_^6bY}Llwxre=>6j%}E7Ge5!2om62Ay9~^DyubCHl`Z0y>O>)+ZG}kqPdSPv=1V zR8ji)ZRopdnUM^u&)r6dFUFmfw>E4LL;~man`XstZ3U_8r##1i5*Yw9b|_J-ozNDf zEtF4#dYEy(5ueNz1jbgUN4HyzM1z~%Mr?36{sERW8SF7eH_r4}x-(?@__q>LZRN$DIZe;c2bEcf1ASm^)MNJ%p7I`}n}ZdAw~ zM1%edw=1H@hl^4I%!DH5IvgL_)!zDnd*uSz^TwtHrUJ0fO2e3#1cHFm@fhu!F1YgT zTw5o!GO`I_yn{ugF^F5CA=1&rDt^mTdD7ot>ndPvyaPtSD1{vhh*vJ(l^k~f4RT1u zyEULN+#Eh61ZXvu45a&3j#`2|T7|Jz_}^0Z59>OgIuvuE<2#`C3> z0nL1TKOmq5m7G(o#_Ah$@K43fFr(Ox}wG>Qp<=CK~zq8(LLQYew z5TSqH>VA`RGH|Rz6W-In9C)Aajc$Gv*>C{37MmkDQ@weu2tQ24B*MeVhBQLySes&J zw|QP$Nm`xV-FCf3MKHGx;DMvvC>*1gfs&{f`!<6?Js7v0;j*^Fy)p4 zS8ik@+hI?ucv$D7j8*-*b{z$~&;jiH(g2Wf)!uecm;p{ld>q~DpD^+A)bx3&zPXW^+3I z2E>iM4AQG*G9$ni&Y`#J?o-v5I?RKBV2+X*E2~TxRM~7TS@S8Y*s(Dbx=Al06Y2gR z`D5fe&d@4!^bB@S*0juB58U{vLSl1pMWc|sd%*s4(meeCc&?d9{#(ztYeNMo`iHLR zqX4oK8babJW8`qZlTt=z01r8qw$>*>J|%!DC@eGvm_Q6}ecL zZlAn)>pm$T}O1Mn3aH&lo#`4Q!6VW>%T8g0ZO1sK_q9~z`1i!RKo-MEa(&7 z5sO4}mife`6QSgya;V#j1AJvOk9a#%Y0&!cKqz^K3PnT?^`S$Qnfn5xMaM z!Rbu=k90Dvx=l*t;|>i1cd1`K^D@*)o+_$e^KZp`McGjI5;w=veBNx9mXcb8p|K!^ zFV&L%Jsb9Py}dfq$?gZ>WLSgF0RPMeeEx&aS4yO_`77v3>g3L&$~vlnlp&fF_BwtK26z*K(m1VFo^k(X;e5Ax+c^(T>ps%vfk*lrY&R zSS2LkOvY*83&$U$Xuq5vv&ZkMto;t1mCNo8+?b6=rP$4xj)sjulOtG`DLKRp_0JpN z*^BfQ8(vY-AV@0jo!ME|jYx zU}!A#G*5xU>T@&;Tq1WTTbsB=X8Gzj{nrfRe_NNbTPHHh(05&`_a&mPQdKZIr za+ae1n@gZ~h6`!gSar#yHW7ZjqelLh!$gxOxjz#@LVV8fb*-U_xC3rASZKtDALc_= zVXf7?|4e5e@<4IAWv@;ZnwW{;?v8DT_Y zv;K!TiVK`i8LxC^@)q66CpgB0gk*t;3SL=BVF)65u}l!7%_dPAx<^C$&u-WVM)BXb z^ATVM^!hro! 
zc_lG(?c8@x6+aF2+2qET*zmq}rrqMf!Y>!7@s|q`Kc#(i`~mn+29;u#%JD4)#+!)5 zn=RE_hCA05(k~uJYf|teGwBu%eA#tl?|}Bqom0+6@%$FSvz$ZUcFCenDo3k780}PK*~iARww$H z%CYAw`^#`AF*%B3`LD$<*!pmj>x&pxGKVP8`;CP-`#WQmXaTn<{CJWmqky(N9dFj3 z{T9x%yB1@-d(6?bp86mVD5=KcvSFzO7s852js8K{3v*^jLk4mLm`s0X;s@2dim+j} z!H3aGf6pI<`2mOuR81&imuNL!#;2P%?l#NhBeQ%-Kf|GE1m|9TL;Uc;8V3qEPhhSL zbP=xqbrB--Z=Ag^=H&`XK)4lO2V)Wg+E z+F($G=K)e?6rLK`w(HroX_!pGQ5mr(pg>ai@tB>JQ#L_9JJLuuXX?^?zVZvm#keAJ zYogs| zsSo+LGL74XEm`8^UY={#KU17BsRj9Ygu<4R(ER z8Rqz{umI*m8uR37K(e2CLvcwR$J@OriI z;rJv6Ovv6sn$p|GiZ5?EXXmUMEZNm9C(n<3613A=49%w=|9;)>Y_8~- z*&uodXv6&879FTN228#WL(xbx5+NahkW?0iaS<~yG7b<`t;C30Hl&izf=4BKL~w?J z#~iOddh*A|$8WFLMQQsq3|rw0Jv7K+Xup!?Uq_`hf+O~%itkLZHw;KmhN$-n43CQ? z5)=8*KjQeeKYjj+hb-aP|&;VwN*1K6^9vPm+ws1mpQinaABTseTf#Qyh2mzIE_G_)HsTm|hFzwNA$<8^}cg^Q^V@jG-o%aSA-0rgPdu~_g z6iL87SaF5j_{K$znyP`A46)iQu&OhsJlE?QHxyvQG4Sd`p05j=cG_{F$8Sh9dbgvv zSGyIs|K<;)e00{u;XPd`19YBqymx@8?tRzY086?|!0Y6yN4K;}yWJBkCRE_67rZ1k zjHogg1_#zRG@S0ocZ!=;oc>j>dq&*+1?5-@)%*xD8EFyEe;tq}s>D};04K%dj<$|p z)Gcz^^Jq{le;3pKjWKgib`F%K?qKsO2SINzoGdlWG|wgRagapNMgai?i+V3~oc)a0u>X@a&Y2W=yC=@zp;p?gab9smM4opiLktvgvm7?8Tj+ zOM&~jHz-j?MO|_8x;dp1OznS}Nqg?`OLin4$K~@>*7CgU#nkxdj&WS(7be9uIXdAC z14NqPni`7{Ma!x3+D!1C-9jc6b@%{1TD)4V`72_H20bJPQw4QI+JHG3p5#%uM5iI# zAP%0K(Vd1e1c_()2t%Lmj7)sQj-{Z}p%RgxKm7<$!LGP2f3wtwxaO?7Z=o=mWyDIe zIGH}^|CB&ntTqxK*7wz~G>Xpc#z0~sk%OX&{eq~xK3vH@>5w1-gZQ=Q-p$qz6^W@=tM`d=}sAULy%os|7C4SRrDDzKyT=^`<=*FDQwD`d|BHwDal8 zV#r7+4b2~Nd}02v;miOebO6cy=?#pc9-Qk+&RWl1+RR)rc*YhsN&tsqynW0On)gMT zzKU_s-`-{v{t^v^#}>tx#{wkAFpl1zbQ?d-Lg3i{2&Io7Fg2}Ep!a9y(j(-(`+)HC zj2WSxdHk8*X4uWqe#qj$Ui@3q_se3WMP+JmLcHlf;gX{z;GRS%BXZc~C{xY(@A{Hb z8kIhGBk)t^b(&sjY1Xmkh={|JhgU6g2+4Gm(EHiJ-ESdZ2g{kJpQgiGDI(&t!I(2! 
zhkNv;Ha7l=3~{;|<*SV1(##2S+yYEdgxn~HJy2{={#05tG&B$K9lZh2Kj~mmtLj)7 zgvZFgj9V`^e#@35ueZ&1ITH)~o}i&JT>%+VtPubGz-H@xe{E$;0YA~P zn{Istho1}AxcF`PXb?BwrV7nFS30z(?O$gZ_byEfeRJ?pixEJQf0f@!Mw}dg)r)I0sb5mv+NVz;M?Crq>%ECYI$3p zbeGW1jmZTW$|m`p(WGnVEprR3Ubu(v$_xqSlnXk-K@EjV&vyZM>X;LM9rY`w8Q=$1 zsEMhDlfONh?oAasPEj9Z!~pv*)?R!b^9^&wmbR=8GGn%U9lPSz=Ol5PY>eS}H z7?q-77CX4L!zhX-E0mdIFg4;$C;Y$EdJoW)%v2|E*iFe&lM3ceT>paE6_v=GIC@%CX zC3I)B_Hqnl7unj4X4$hqBcit17Awg%t|S_V3R$c+ZYT9V^AosPFez#08Qbf@U$R>` z8E2WWUTLoR(N8B}gN_6VNPRL4Mwt|TeWEP>$>x4$$Yj%f?2Vjjf&N4K|QzyB|>_9_JP|9uiH+2?}YmS*n*+QsXg_wxw7GtQ{Ey zy>6})I!5aJSP`)pFh-vvO{NBi{t1&eHL)-RAyJRU<;gOfTaZAsTU?un$33F-7VfMH z-sL7*Z42_s8#vej3s*|mwi6nx=SK^7e6}~?!Wc-U!$GX+Ke7By7c=rp%ZjHL4?8=n zeJxACq8=s1Lb*#wz8hVc2-4yg=+}EE{L#bHI9`7`($o&Kb#;PHGN(RkMg(TAf9K0$iFSSfjAhG%3|EdH|AzVvnm{|jvY|UgtpN~I+1?@o3<9T4yL(NxiM!t7 z-o|9(J~}8hjj5UJ*a)yD@U+p=MTqHs5a$6ko5e@lE;ow%KJ4-y%;jccB7l)1wz2r? zO`ZpzYa#z6)V^p-nyyZH@U;hj^*BgivN!yMj>NXhq|5bdG{`64=p(fj-B1~&v>NzM zUNLMkOD>r%Ch|VQZDd1S1}VLm;U~80J^7~dV60l{rPnR>$RLxnGiNeGQbcie($nF+ zho0lmp7N#?^J2$d=)=t~K#XZV<8e#Z*mp`>rJA<@||6k=rTu&8zPeY*%rA7f+sZ1ltz$q3NR zJ{2NCmqrQz#+*h&pN7J_{TwK3C_&%Fj;k*X1AC`haOH=;pO>Duu8#%JGQYQ;Kq(OR zt4x9Xg+Z-mJ#qk)cGI<{avic}K0lLU)$$EvjLcHO|DX}nH_ znLam*d`-|xXvyY%N6jd0E=SzM+f#O+p~eDg?Sf}njaRv`6kT=tQ;#N_<1-bg7M9>dxI`pb&>77(}oL~wDuw+mrUDDS8K7C-&PGvKK=}{o2?IJIx zs9pWDn4|51e1JpqcRP_^Dq-}Qh^R%bw(ukPPNDi*+%EtsWd1Q}DDEBNR|6<)9^n43 zIBip*vq7aX*{8CM$=KfiQB%6V_^^<1r3`1?juv}QYDWOLkPvFPhj-)>^E&3&16G0g z?NB^xRPx754P{sV)`V?xsTb~0#J5}B0UeP`=z9sugd>VXg(4?tn^hsA8cJo|o8aYN z%ijC~J)vLp1qEvJx{azvnpQpK_8^nh;_AH^aVza^P~)P-PRDj9>8{n4^1OS%{xQ{7 z=YyX?-^Ca-gHmFP4R3>=TRN2zf4_?}8QezOS;Cd9ZyKD+8v!W~GmXg7*IJm8&>L*g zlxS4I#V7A8$JToSYc_b~JFy-~(%3J#d0m{-|5TRrb|*GEemV%8Xo%ys%Yi2KxmHc+8%+6$%&__0vw3e^1rwn8~3i`ZoY8&}1c{dkMSvxUU=? 
zV=J@>*Y`fh@YAK*LOZZ=Kg5jUlYYd@VP5XW!^)wKhTX~Kt6)I_%exi#x)3z?&uH!U zlan@Mp&`n>A9@8fmlM(MupDEzphu328xiA z7C+%-gR6s{jT7e28D@!QC&1Fk(oqI|0?#(puQ9cIBoq*0m}nxqc9j(L;Cc0C3NgA4 zj$2Nyy}V!u1>W2$EzT&O>ZVAoEsaW&+26L?;__8J36Q20{j7E7qunKl>N^>RF~zh9 zRLDWomr~cit(>){&m3X=EqbHa!sG>@-T7?1GaAvI#4XSnt3O#_%GaHOxO~uv*t!Vf z%5>@2@hGGLen)Gfa2hZ;2&GX%p#p;MUDNwj?z@kOvQdUnllwiQXwk~2YX8+`f^U^{ z_T_|1f`|m7L_qiZm=E6MgEV`92=^=r3uULG^BGXR$5GVUZ-`|f&$vRP;phRUf}cUa z2pXiwhx6cF-;Lqk))$i!+rgSRzk!?IhJZvbR1@=0{Uz9&&M^f1SN|oC z6XA|@W4zEbkt5!Sf@>VHA z3*dO4NE#~!AQJBqx}T=@R}W7b%~1*RSPcXIDgr5Uuu7ix62?2gen2umEpib*N)5B{ zXDUBBn)RIzt#yxaH|wk?d7oiG5RKlB#e1{04`OP91>cq%KLgDuOA(9!%^XbhE0-)U zOh!17ZL_FmT#a1);mJ(b2>lE)T|eAPKT7*a7N7~K9Q9Kza4)kfJ%F*whLX181Hx8q zJ79wS5JGbsk!D@TES6ar`tcN5T8s{Qmq4B81rPx$1%+ZnohT%yZ9-C!GVxrXL1=1VL!1Q4fDRL^u zJVev4Z)}GCW9yHLpl#JKsaG6+z~i2oy)ZhKm>wece5tG=mDHm_A$_{yz}F=869j6t z?bBauZ%hAUxgbh*kBqaz#d_Ok&m-1lq(Ai7a^VZS>=l4kl zNWQq4VAL>}&*>ud2*hSs?;JJ(7BmX4`~a%b{YD6BKCoY)vlMINbCjeXv`NF4GaxO} zhzBE25q;pEqN8+l;+an!X;ZHKDtmuWl;eDjx788A-8I~Y4jH4ff07nbtyu^OQ|xrDD+GlwxdbO z?`O}2d$7@C)C-PPdglRakCKo>Msqa)tO@|I*v5pq<(*#0?_OdUrea5xKMat zpulVJV5SH5!#fA7zNLY9Z=14Ao<`6`|4H(pI?^F)B2X?mzo1YNjpxOOitT9CZdMcj zQjxZr|5nk#71@kA;q>>zq&+NZJ!G7ic&ul`H0u2STjpi5^d6Agr}mIRVB%9YBRc8t z4^4lVQO@Uz!~4O9+*6$H=s|}1YrBoOV$4kZwkzlu`GDDopdNQFt41yj#j+E=4EnxVEYcWv?8_Hw!HFCnQ9eiLFDsq_as`_4O)8o zAuxn!2q%P!*X602iu5lX{gA7y-h{YnB^Z@HR#=ppf4m|ggr+DH*WaX-`;P~( zbdZ-qTJcXJl6qC*XcFTqqfLIyd@xD`l=NL0suABXcRw-l2K#mz(5GnUyn~G{7ak%e zN6hE*DD2u``(=WEk!pU7woXRNt8rS{*snUD0^ z51{UO`s15n8c@vl0u(LAH^V!Ib0jBeKg!QdtsSQ-qnE%;Jf0NtG{xOTgJGG!yNqB_ zcw6M8lKEm9h_XHFaadB6Z#`f6P%X2P5tqBO8h$bk1ma3927WH36aiihnE^-0IYXK` z2`3j$XMFjE9oEv;fh)O7Wo&ttTBtw+d(O+*zFPN`lgOfS+a zDp_rq1awV7H^$3oUN?pif3_?H0H}Q4;0__D@i+kP!02ASR33M?|5L85<^^N8MTp35 z#IO+i*Yl|2;hRvWGW@bl#!Di-np8+prt7R?8$pjLu)oFeugiRpURp1e*YQeAT_tv0 z8WI2F5`dMZyg6`n0vwcQuBp_;r=?kIe|3YJwS~Noy7r%m^qzvWdZBHfvJ1ZiFqGGvJUjkSN3mNC40=tT_11HH0{IiJJe_Pdl`6v8xXL1r2pXL1SM?R;Z;8D3+*y!o}8!w7lcdZhq<@HLB?3Z;&iYP-Nk 
z#mNnb2OHoUNdeL28cQ&N$CdRH;4jcyl%Ut6i@6x&$#pL~BR{Mxp1oW7E_Qm zyQVEu2}|L@u{GdX-T4{8jG4G}eQ0UEM(gu%6~_$3KZ$K2HXlzwhTh zNew~}ONeEp>Oj6FX;10B{!h5K4P=gJ1ol0A6mbDSxcuZWIa{82;y#j-sPDbVj2J62 zM+W41>oH1cQK&Q!88I5_j1g6sUXyLsk8KmGZ~s<1_`ElU<0#2FBe?rz>hVj)3oPLw zM18KnuDd^YkA`4&(Vt3QGX$by!$f z>$rv1hTx)$JrhkBVW7CLe^Qyw zx&xpo;O3Zml@yCj$SsHky!B8&DkSy|A<5NDyHG=NM^%AH4$1gl?671)31ON%wbxF4 zbUT;2~4=D8bxu6}q77csMM> zFxs_QWA)yO;?4*5FKv)r3G(*}rP0Q}LyUd*;-dCC{CrzQ6Bi476v2mqLnX$)(B2*A z8Wq$BWMdECl=4w_6wV=qzkcaDJ0Z72mx4<$YntxOZjS<+}|g#`svpEI#!~ z?$tq)&YDH!S!F0}r|;K)%eC2=ER3E8e;1AnU|20rxwdDkIUjbt9x$IS)=4*h`@&MB zc$_5uI5&Kr*x`7%ts)yL7Y`Lis~(Ej&V}y!vmY_@#ZFc`$q9@|;4peb*|a^JM0buj zkd&$->DZ4G4*?}v@dR$otP(z4yn6b7r6G0aiTcQ|VK>(ykf&fUbE%E;9&M+v?*L7J zd%Yk9H;!Y$d)*@($w-EaNRbrq7b%l0xbkjXUqq|nPkdS2lDhs(2pm6Reh?7)>wj;x z0BL|Kb{w%8@uLWok>$(Ny+1Lk{qkzHQ2^OJBW4#w?A`YsYk0doa!2wJa*0e}Lm>zd z3aWjxkKz{bv?Z>+=kO%yRNH5z73&taz}xi#P8@2IB=B(IGKzcokerR?f0GIB)XTNl z=rt=dZ>s%c{ZQ~2HWutU6|}T9Ft}FUnMD33c)=o449Qu5i}^mD!8JTZ34aCxJ%9F9 z_OR)f^R^AV+5sE!OBQ5~=53JRp07PJx_>`=Id32HAbb0LVnvVv2o$3)VW=`k#fI!X z4tyq!h+hDsUk>>r)_WYpU7$4zy{F%Pm(x=Se1@U3w@1nG3m^f$)h_^)Vr;@e#5pR! 
zXIyAl)XJQxR^ThdR9YZl>=wmB=cs4{e-q|McMoUI)WO@gE`clbKVdt*ONpyz$AQ7- zX@>isD;0+LXUJ{mZB% zcnvOf1wOmB0OcE{Z-s@OefRhGjsV-U;BXhHck}gH95Id_00Lrx{YEc_C7RF4e3gO3 z63Chon9#)mjjX=e1SFIGEgu7}njk+Y*smk;)T%!v!ocH7X`dzE)^e(KivMyIm8!O0}7^(iroI$SaP>gzkBX@*UvWk;)NkE;2d9oH+%s& z?}RK-S_Z#2@2xojy?wKf(IDOppkgaD-DmS) zhQLOj6{2M9I!*9O1F}SSDQI+7pzGLqyazf~3P95MmtaWrw{EL*$%{w1%_c6h9vu)^ zU4pm(gCVA+{E)vMds)*(N~8uez)I6(0G7{ops#|Grn^ib*+Og@C*-sm24aVIQIX^s zP+FaSl6Vn7B91d3#g+XI^E2QbEF^kA75>H_cmhyho)C$F-1dM{b;;Dwf(;wZA)?e* zg3Z$#;06flMuGcv>RGF{UaVf0T;?YJ35od3+Y^wQ=?y*iV=3J|e-apd&BC$tqfES) zvtFb05Q2@K;mDh9qhDz$?8ac`&6b9uLO%iCUx`QL8VC^oL=o?>cp&zhh!+9G6%K@VugCqDrH}NjIfUe zgzZYd zXt_01_jZTAi~KM4{yHk^uIuB+W#}FnWI(zU5mZ9DLqI@~5NSopAsuoUS_uh}W(ZM1 zBqb$=?hug{hL)6)6!@OG?)$l(`?{aCet-SG|9#h*<(iSn^Eqdqz4!aI_ql;u0Hv1S z)5mIRY786tNl*(Q!cR(fsnY}-Bd;cC%U=9S$Gh0P_AT%qR@1JDlD!i!Vgf@b!976f z4*bg{Ap6|O6O{lizJ&e2VuDp^z^S*C`(mW)H0VBxtezdpglkARjA+Cia`W=4>SjpJ zIYKPB_@0T@NYh0TeR(r>Og^fs<{!(`kbgIMG`Yotd{D#|@nmj-u=OTAySPP+lw^H^ z*2MyIZo+xA4E&B1=>V+0DL*ud~}C?mXEAT*H7XoX>dNua1Yu5VcSoY)-A5 zx>Y>sCvdHEJ_Xt*p?o!EH&ohd%~S1){a}``{GaWR15ZWJBp#o5|8^;7>y$^Ryj8|I zMYlQHZ%b;n6I9d?5usKK6M zJk!XFGlLwZFvArV6oov+=dUmcmkeC109>X?Bs(SCJCm`T2Y8(E;x|D*>;h$ff6BWz`%U^rM1~fLKfHa?hVfzN`5K#iXumGSwVa92CR> z%8xmUnBZ!atVo^&Ro+a6@Ehpn5aM27)4YDOk*JVZx75!WSG)We_^`ZKNk(%*f*Spp z{~n_cN*@dddx_Z*3OHyo6+kru-^73mIMLu&T|63UZ<{UjAZLb^8EJ;j3+K#g+O9bP zAesLlS&?&}^vMkH2W9QS8CwHVn49#2UPVSlNX}_>M5DRiW@TM2lhUM#YWsT6k{g&e zWh!9zz1Gioss-V}YGF3--kkrTBc+`Y8q@re;i^H>@V*e-DkR997-*@Ag%WiG1GwXl zeeoS5h(o#HR(WAM#m?iNIg6h}d301Enp4}n48g=RMVFOV+rdbU9zJ&p_TCuhL<)F4 zqgcU^U-|=KAt2|`z;%i>mxwuHI2r&WOXUB9JIxaU>6$5P0 z(@-d>lY;g5#uTs4#mTzJ>U6C~p%%T1?WGlP*0>?LQb&E!6&Sf9IjhNQABrc-&i(@F zl0`J3H9(x{b=?CwgLojDn{yzQBpdRBe|K+sL^8A8@znTDvt>#G8z2*f(gLXW;4!R@#? 
z<|4L*%6KD!SR%^HKkYN*V-f5*2C)@yJp~Tc-e%>cT-jd&XXa}2S|Pvmv#N~XL>)ik zI+jt<4x;$B{vIG@qM4X15Y~mSO!>q!_!$N{@n|E(fwPqBtTuiHEb%zty25Z(H|OpW zPx_cG{XjD$^}_O37KE|aAJuh%1D4kdERW_RC0Yemo~0*?l?f;U|Npz;iqzfigY~g{ zO${EGWq8&`kOd2;ZUBJz%^F|}Ou?w@jhH#|8!8-;au%O__Lg_2T$?gE-N9!eKE~)I zI)k?dvs2@Cs@ngbf)hil4>BJ zLQG?wtJ&T`KU|DwPjKlBb#HqFeaj<-%x6d;JwA^S%1Aqj@I`8yc%1j?U=>_Q>jkSR z55s8i8kVsni_J7We^^j?#w8XI(ZP?3m%{9cWK5k}(?X3&+Q>w_0e?omn=08}VA9<@ zw~xh)HxsV&#&KQ@fC+Kmrv^hP2a+5DHjNovgfi&sbw9Z_ZzGwy zu>E-VRHg*rh}!!I3a}}C#`&w8H`~sE8c4v49o#$)XLT8J{npQ9-Zr%0Tz9PWQxzM8 z3F^;u-ptxLy-3>s&i|Op$)AzTjr~HpS_$k2HhlRJY^TtIpPWt+Q-2EW@|cLRx$IsMuA;FHK5`42eePAYFdcf!YDihVF8S z_!Rz7GwTY*V(W!S%8zHuZ0l6()Zx{;U>#PL_=K9L43Sqm-XWyApV~f9hT7v2hK~pA zh#|LYFehbW_@hGN>oxD=CGfJIkyMuU`&@9VQ0(EmGEHf{7T|=w9O5Im_g$%DGuo*G2}yN6HOHNG(RKG+l%DGEsAI2<4j;tl#&pch;nna6WjAG>$3+ngn$j(=sA3}*J?IBLr|_xw!grT-MI_%_y{s*3 z*xud<<*@PFe0|N-AgbtH!Z^UiJ&(xF**q^3#=_AiGOvKMn+9@=k?$s~ERjGIXyL*+ zeoro0TI}QxFgGr8_i?9SM8SE94aa4auG5*kk~>l@veJ{H<}Bdh{~T!uM%?yi(L z3@+apPT-1-qaz4+poTYxPbiUy`)VjWrLctWJQ+eLe8w?4WTN5y6bUv;{_wOZHBz73 z8-LhcAjFLb+iNbQBskEaJ`;pptoMClto*xPS&3&@3scGSs~TVxB^Y zsM>B49HPtS+oRUsmRH?~8Z0e{=!|r(Vt$G4EXSZS7zg~Iwk>zOiy34>`fd(IVQ9Kn z1e7kIX-_B|hXd8p(F?WY)ReZ~O7?#!90_N9t8_sACaR=Lu`dJ)Dd7ipu0~GoNExga zW^UjmB0Kn^fAHebN+v3l_Wf~T4UA+xa$nINh!}pwH>(DmB7$^d+kxuG-uJfihi4+O zQ7gc|4lrG7AcK8)jVIblMH=)43Gyw!pUfIMGu(;}Oogc2xx2<3FAb1Q7ZwV1p1 zfSVVN;qID=^jqbYkuGJ&y2Mt07&jcBQ+djLnSd&qTq(r)13^ek=C?TN*3=?KQYbmS z0G3d*&=yM*?AI@DPeLT;;VW&e%eg4!p^r6rkHHgR?L$qKE!U-T!jD42R`6=D?9IsZ zfcMX%h2fYzib1@GDZ!nTDgqM92qGEQXiiv1<1ZV)9TC&lr%uz(C`EgdMQ*#_(3EZ< zfyD>L*7Z{=edZ`!FpbpH=*wZNTB4WCXyHh>!X4VzAGgv@^{`EpUQ#L0e1`xGwg3+p zY%>0^M_hQcBrzbW!2dKC#Xe()WC>xFY}_ZNl`P%47nLq6&i!uwg)s{M%!ALk?V&V6 zXIu%Qq^T#{Y$%KIfwGmxD|hSHhuwaHbbJ0W7TY&C_x6><4-Knl6u}Xh=vEzUP|$pl zw$;FMI?3rL)2rTBCJRaYJ>L?FpGk;3Pmx6HYP$N0xEmZ92QmOG}mg# zP}a)0O~}S@4O;EmNZ0Fld@>K&9}&GIA2)7Cby_TRYDGdUP-V~9}rHh5aClSI^{JYTf$ zDH}nhn+S@R4j9?f@7pKn*$YIizJJKTARXH3ERza0=xBxO(9kiK)_`a|=^~c;{D_(t 
zLwvSXVEh?_U7v169LBzfCR&-+e42U{l0tY2KGpO;HjY^$R8=&Ix(1(hUPLk^k7M4v+(|WLhR0_64{F=yb zNOhq&M@H4P}x3w`JF?c2TZEvLS zUYlepC!}h#rDm5IKimPe3~p+gCMB5^s#t~e0r#@5>aY2CnP!);<+0VS2TT@DL2(#cFjm-UOx=!vXs3!2Rzb|bX^mzJRUKQEbM5+! zliIMD5;iCTsx^JN^$9_(cm{;71qmgxdw7ckrr|vSoKV9vrD8^>;!JNW26eLquT;>h zQJ+dY;zP!~h_OnkNB@eql<8iD35_H+-`co+o5>~!%8Eedvw-m=am2c~dd`JCHnuM} zwK?NFd?gy`e(>&20))85IfLC)BhtYyPjZE2kR!4Xu{;s}w)fz~oeTyIX0+1J6!K z%}ahzj8%F_V>h!Vh7`tcSRUwW;xRBp=Zs`;iU!Hxk5f#9i&T0W=p)p#o$YTEW-L5V zC6uDw2rZ0?fWnrw%0U}h?|s zu1)1CVlh*8k)j7`6P6bE_TVEJ4wVJi@6}MzD(5=rnNh5htan#wkiejG8SIud;py+m zr!UHytAtG$V2fc2zbWqXlCA`TIO)!_QfCcaa*@l@6K^YCzN{#u+v0RO$V4*OP8WWV zM6>9kT2ntuzOD^E3a+&F6T-5PqVPQypIBW&b%@JQ&mG&P-^XI?&$G$~>^VjSvo@dN zFaPC%jhHfY>UegXp?s?Mu1FEaf^_W~jJ;}Zmc+i?DpE}&&S}M=MG9<0ru~1>cV;+6 zU^Lab2{>LdbR^o(6O==V((=JtG7vn6r<&++avp90|^PYMcGU0 zBs?A4sw@`VB(FrnMMj{krKUF-Nl~pc&|vcEQD^1rkx1Z9_*u|3Q}vOc@<8_JPCZ8a zhU#?&Tc~(kUhB-rdl1M8QQa*g$Q-yHAG9HJ{XX)*jSEr_W)nxnh-7h-7@;_c$qL7<0>+o=C8t&J z`goB-DxA@HMEZ=@FpVeAC~_&bRHrf^#G@r1bZk8`c`6d2#8Wrq5TaJ+oIKVysYOZ8 zRL5g)HVY}4Wek!4mnE30__5FhR*IBbVu~Dc247y^=7Ov2O0Chq<$%o13fzCfdZzaD zC7aEQK(K`(nwr-;#o>zGrre>ee$?!4F387EfsrXs@VSPIJOLR=^XX=5Ac#B>d{6-E zs_AnB;^z(Gq@8_`nm zkC$nm0YoXH)UHW5BAeiy#%CtdUJ?{OuMsZZH~i5q$q~o^co_g0da6A$_qb8`iNpGx zbF<8)zA_h5D5rQzLd&wGNV=p`d7Mbw0VC#kyS&+);}#(+{GnCrofcVZKSrO_o28JO zwuq0hFF6L*1P7|7+Z2$}Xhu)`+BSX? 
z`5a~f`WqDVLd+jzqscA!envREKq8J|3mtomFElq3YK~yFl1MCrt=}}FRs!w<@-kho z=IP;_-ikFXP4~AyE1)yNS4i79xNEpc1v^$d7`wGNGlEcif#RD6Sdz!Qd;fQ1-~h>0 z%7rMY8LB(|f^cjUMwYt^QridORmZ4-;NoY=%`)p7Gjp$b+TXDm32*ej|3=<3>s8i# zRXx_`561n^(+V%-4>?hOo zpSgyGWm&6}7=N~!dl|>H^?eMJ&j%a@lwLg2=`yFb(CLU0f}!wPZ8Kc?_ij1APsX6U zUO{h7CAQaIkMm?=7aOoEav{}hzOyVMt;LixT%-GG5!G4m< zNI`wY9Y#K6-z5kL6^N-dMS>lmdVi5B|$0$hP{X3@mzCz}r9SByN#Vf=YWXCV4q zS7irsI20cz?qYb#qQHKPA`Rt+XRB75Q-d|rVBM0g?R34$LN%F&kf&otJK;(?IDYNwbu3R7KJNL$_V@xSUvO1yLso^v7PVmbE(BY zA|8@4J&WYOOh3-_*jT6`hnDoJl5cQh}YouYO*HMC@3>#>blzvq9qQjyYkAS}B|s z=@IVbyi(NcHXxRbT0RBYm0?z&Dd_oQpG$6xT@OagBwEi0TV$&>!X+{%pJCW;7o=}||AVIE*y|MECw-k7xZwO2R`W^e7u!K)0?0_hN#OUN(j$m=W*|MRr-B!VoHqbFg}~ORs?I z`S;D51`zF`-uCW7w z0Wf(f;61O&)WZJ4G;m}CD8(QKA6?#h%_I7+cgXUf|9gY~|BnHuX@Wu;L9A_Og5A>E_wpy3cP6TlO)xos69a=- zdrduXadM&nZKAM90&3heZESMs1U1*dP8X8(E0)2yV!(u_Tkz=gWOr25T zgJPbgo;OJ#tki6V5c0^$$!!d5tDqHcbK)^bZzysAH8opgW2)Lx+cd17! zFPxGGdEOSs8F~#~WL|03p_{_vHSkeb=dwfs04Box^|SusO_;8Vqkur#JFIkc0YnvQZ1I{ zYX04%1ft)A)RP=&nq0uqpo0L%Lx|LXrkt!$XzJHWrAaj0dg`G_7%S^{*kiTS;HEw{ zK+D9$^jQ%}4AZ!Cjm~&5zF?iPtK&@CZY(~)orhO&;{cKS9CAEQ_ZHFEVvwV!SzDwf z`^@4uL@*_;(ONCT_19ivs``_T$*#Vg-O2x4*x-JdD)#4BWZv+vsVi?ECO_o8mxbZA z3n7D5EcYd~s>fpl>=hQd{p)&v;pnTbA<0>qW@d&M6<=qS_Uv)e z|1e>|7NSykNfLzl0u}PZzk-}@!x%)KJ{J)d(<@8 zl;HQPPT75_Z`B8zINF!Qz95%;e@)(OpRS8jYO(U;)|;z^w@E%$Wc(^EZEw?j_J~zf zRKq*rzs91Fl!ur1uKbd}+hFDoy_E&mLpT7O%U~x_47IjgiR7CIbfD$jr1%&u2MBG0bdSUvvP&{2%)s4>X@Z z%p6;DF?MJ-u$-^|GUUguQnp*zh3l_*By453QWisCn7q@gxosSOXCc#IKC6k}j+Z>$)21HMFA} z+?O8JUDnRFg}c-S^Db7Me9C|DLThc1_j^iJ_iiTZ+u8c~^557k!~R*%8HULP>yB{M z-Gh-|`PwL(-6P)2#o%)L-hO#Gex&gO*AMcpdz*<_9q|*yM%N6rh@SiR-4v1Fq+&n_Dln~hXZXqN_K#9xI!QUuz(oplK3E*SE22{^S8Dx_nHot1 zVYv>!_3Jbn3DcFk4BvoC7Ju?8s28g(S$89^Dt_(1 zI^IgKPxp@Bj5z38yuD|aN9!cSa9z0nqj+5IF zEzm;76lcMxZ#C)<5sB|#Y?xft5i0Cg&#&8^e2tfd#Em*{Va)HhE@;GBc=E9>HIO(A zOMk~(KsuxPe+{kg6_lY*9)~7;Nq!(_>B6!fY$h+g?$M%F)its9Y^Ft4 z;5D)mxQeYCuwE(&d{h7O1^;EEA|L-X zfG72SdKTj~l|?@B=07gtvpd7x6?g!ZkwHB3r~FT&cUJwKS~L$@a%&yZ7R{9YJh_9x 
zu~!El{mn*AztWWL+wTBmt;bP%IebbeVB=fzjL;H!(raS%#w%Kfd28dThxb}|m?f5K;yb~O^ym+;s+ zD*Gf}&y2|leve8T>-M4MVH=e%$*zAIXt)lKq?Mhy*i&z6bwRoyJ$#gW$OE!tkKMk8 z>TQPx6pdA)$U&MB~+wv z!$>Wfd9DXp6mWWQM}=2P$`o{J5(JsDIKVMIWpb((llS+~*8vYU zG$+C;;j+(~D+b3Zqyn$D#FCJVJ`RUziaU*SfJ)eSK;5r!3yo zh;*NPG6275P;S?4C z-K$R6EVyiq2VRRjp-x`lzxPx{7YG}KN~!}_jf}jnOo%8aYscToFT4xd%Kr)fkR9Xu z*r6xJp~6RUX`JOJIUi5Y(8HNH`O)h`>4S|D`}=G+-H*`**DN_}KeQlg8_|_#ThE@E zm$7&_d}|UgkKlz zSD(t~^{w-XgJ60ucqmHUNTc0W=T2e2zox7_x8ZolN=5i_ILYX%+p8Ruz399a3EiFz zox9(kAhTfx9>1#O?tFJfa*kyMyvPbsoqDiNdBK0-r@aA9vNA_*{)yd3OPF0Z_VCWB zyIy?TV?lm0kz~GgZ0s=3O(Y?#6u&}Qa|%kWyQ*7ywWO8ShxLEN3oNVNP4C-^6cnB8wCad-)7i?!`#gMe zS9d99dz_c;trKc~x2T7(-1yNIB_P}EJ53s;89Qcw?B^KkqO252PHVr4T=Qq!CacwK zNJ5(U)LP{=AWj{gy-f)8{@{^6@Jn?uAYi22WgGI86ZT4|+M5nN~~l z?K^+J(R5rclo70@A7fey_4S*5zNN7wcwgbp_Xaa6q4=B%vI#gD?78`n+LjaI)1Ml6 zaNlgXQkr359>H63BLU4|yf`jXSnftJvTQkehA?){7_|_LGPES`7J6G| zjYvE_8etXQN+Mbscw_WMLbLmis$o}8l=}u^mu1gmFl_AZnD3{zQI}ck<M)`yjt9njz8X>%)jjv1je4XPv?l^c)d$))mlvlKv!3APdl zaU11gTaYv8VZxzMe}1x_RlEZlS80ASt9%Pk?-Tz>J}8o7`sl9M8ZU8YnQiA=KxyrQ z#LeBAdY>gE0A(5A)v}MEWFhM)^=zq~I$Z?pKce?bpu?}i2pR0WCvKiHu*oNHU>p-T zenKN`fN7W=|Nfn|yVrQ8K)kfUa|`bwwx&Yyp|Fto#o5h9ou`$#OP`rV-TGlbDo-EV zsYdd+978u=toondcK9}>d;OOO+6tM+a!qCF2}7C{AkeN-tZk>syjNk_$A4h%1EXmA zEqsjVusUNzwtaH#RjAZgSGsRIZfN<={my6DcFOzP!5I`1BQAxsrc{Z*4lf+M){c!?SPYd)r94fN0Gb z(s%`_<|7&ZgF={aUR`|&!3)9NuhEK)){5p&K{O={cap8?r86dhoxa|N(6lqx3zmv+ z8Gv@!BAi0Y=7^tvrgyv)TZa4seI71f747V&b#K2){mR&`Gp8Xzp0k9uF}CMNQ~lEO zmp8Bgqh166V+nC7xs3ti(bZ_-M z)nDqAX=z@*zmqt%GJRCZ7kTvc zQA91Kmpg@1qHDz&ouJx-zxciT4D1J@yXF;Bi>YM|OCn3ZY5RZ}i_lmSNUeSLqU7q? 
zlq`S6$n4w%M1&=@d|F~Y)9_JPHquj@ccsYebJ0C)P$#}p7>9q+WJULL8G@ka#Xbt; zubd;N!o49mLkEIJbbh+g2dk4jqLbSWBLb%2I0hMTd`v;zi)rd{e`Gq^R=L4@ z(~M0BwH<$S1dbEI`-;!%zuZ!$k02IQnXFIq z;*R;I7c@|*{=HE#h;*32;@I<@^JRh-x|n}lVzCh1!f#H9o`iJLB#|#v7hgGAihw65 zM)BwGVuRw!6nM`(!_%x<)7^IwSZI<_#gc5&dNcaB9w(o`+2o&fVi{hRN?A!4<9z!v zMd#oB3&s7)k%+UxZ%ZyeiV_QZP;E&_3yN9+4tESbB!_WOpp2MP*5VpBLF`m`eL~?# zA&~l?cQo2Yyd4V_dGy7xgc`AIWl^$rSSq5)ud6gpJ&H#_MZ#rK1C;m_a`!A|a${_e zF_F9DhP=1Qn@uwj=K%+<>JM7{?+RZ|Vc;_Ll5yy^e(evVmO>&VEx9d~(I!aNpHm>T zsf-|O;ohicCZSf8qfFEoVJB|kfffh*(`?rvR`ZiRbzcH!pq6S3l%}wS+F}(^+cdVb zfv2Aa?&1M?QKNMIEkKa0pc|J-^q&D~ePA80RcibEDX5LLMB!hXI}X0VXbTN>saxgS zq{LS)*AM-za4Q%?b4>-=-aV9+C}dO^`eg&b{tvtR_JzV5sAN@v`=|TAHiR2GkSsUq zTMn>@rX^*wF1Rn;-{;58^7SscCP-(x@K$2oN)C+V_RFKWUv7=>R}~$1 zkuHk{7NnU;5fKG7v|E=oe^sIad3kxeagEy(A6Wz*FPSYW+)nIHBezyL!j107ZJqN8+W(Oir81 zMW1&MEmtR-Xm@MeYgh=LeMh_0u`f#&`H-JLwKxu>CmnT3@@s+PcSZ&SC6>bw%EGsp zJwhpQ-@~m>t#*3OM8^_D6wKMOPolwf>wa1)Mf$vdN9G@4tp+)Yf=Lo$lyn1s$AE8? zC07jFVG+EYlx#S!YOBF>97lFV!Ga1Q2z25EUGIW1gB3VZLF}$cDx}?0E>v)R`IJGj zhv`~DZ=3Fe7uPM%WW7?y2_EqsP-Wht&7!Y)2MF;h;s}$aD@}a8o~9KNhTDG7{D?op!ys_TmF-{u*hnU`WMt`F$M#yA7Dj-AK{;=0sTfr-bv&a%vUIZMY7ekbzgxt1i z_JZ~VoAYSMTz1kO{(OWG`^PE_)%+_nR9LhWes-}G3txXO34mL=`q?#3mVzFq+#WSv zqXq&a{_~lt;gx)Auw#5?9$xh_3fvFc&piCNXn2v+qvpaO9@KA5Z8X=0&dKfkCe+MJ zdtcX(!3b)A3|i;BM)+MHx+ePD(v1r!(_<-(xp zUkGizZnM5ds2UjXjNE!`(*Xa?1($ih8v-IIqbTRA-mZE!y{iPV9UP%K5bc+f8ncB; z2HGsP{^yfM&wKNe)*MQxs!!X{7}VR3HCyO)rXD!&V$B3?l9Ok$P&I3xn1eIHIkyI&WH(yA>3|>yz!d)x3E!gaf}<7!mvlt!_lART8u*aa0@=!%L5Y#kKp4Je#OI@+ zw!C*6?}Xu41cHo1W2#HTQC&-Bbah= z%tNh*FX`=w3Alzr;Z_xaKFB0r0~KEUN5v`>hI*!T9+@RSbiE#ST^J4!MdK-v_Y_dw zH&UuMqw40o{n9v&;fwf@u3)N(il1vrA>Hb#C-gqPqIEy{a?a^Yy{XZDR)A83T)(9}NP+e+TO^@C-M2jHlZpzJaPh_~6k; z8N2J-eKmuxSH9L~e|w|v$o*6uq41721$6fT_pr z)PBU&gNMY?w8|-!idD%3D%3XuDt{cQ-sJsfda8>Sm&OfxuKeYSuN^63!V3yO>g%*3 z9mfYsg6l9kkUGATx2ysDNgP`K_bnHN%N;X&4(?d~G^hSN&KawwCWvX8E9vj)GaT)RH zN}BY%$0eXz@b3=;cXHzukSYYR_nLlkKlfS}+S%F3>Wn1FmhCt#F`TdEWKZEFh(pk7 
znxz{za1^b(HMX`e((&heIk&ZOOlbbY@`HL-zPKXy&flvN3R_=3`e6c>CG)Qh(VR7% zDHc0^Gb3ZVPCp#flq#<#mnp^b)&l`wh9Zt~(>;-4@t>Jjq=ol$52rPXVt%r*`KkR^ zN}QbFU~7t>TP-HOxY|=Y9V5D*Y`OHO&g-qi(oipPuG12E;>itjUM*t^C2EV>UEOD9 zwH7MAUB|H`9Uq?Z3_EfQ5w+|7@8bIF;x<+Izsa}~EI2;0?K zaWVfJ^&J0oW!`XXPaVB5D6}Ijc%LBxF&%;?1)LuCVic9%o;qhL_q5K{BY&dawu(LL zH$S%B^q;6fMr_Wh2zQ%k!JMc|J zC*EJZ9?)vl?08TC6=Ib9MVep)HQO6TV{z)qoNRX3Q|k*9zSz$d>*4e8btPT#%b$s5 z{;Hd25`YnSZ_aRck^A0_I7mnlvDA~x0-IC0Q@d8`&e*lu)sA)9+pztfe?MK&oaCu` z6ld$=%ieUY??OqkqPy4N*_Eaq%RPUZm^9ZN%`}ePAIm-pB1Y5Tit%p*8ABY$J~8ny zI=kz07kIchm%P{1fDoHKs&fj{{uA&r!*WHY_QOtC!c}|SL8b*18YRzx$0Vc1!MjwW zedbYj?NOtW^aI0ULs1?*;Qc)fxH!ib^EiM_)CGJoEHKyXNfy2eQl+nh3CRkzuDWr0 zflvOcF@dt3Jfyq3+Z~JLoTzq1gD%Iaqs5jYNkR`^lZ$*1Io^w~IKByb>RQSBZln}h zG(33l$s&&~p8bx$2`Kx`I(rhv&4=E>^&{YZaS6t=%gDK#ru1_S z=W*iqnpl$4LYa8<*N5QOl5*i%bP-sW3;s(KCjGlG_Fo+aXmC(|@QsOoOV6as07;0K zn)WgJ_tQymJf32T)60K%Q}Dob#DQ(q3;j!~CMCeJlpNaPs_3thKyxOQ0-S>#)pLua ze?6Zh7{@(8`O?vxyg5iR-LN6Waam-z^rzA^^wGH#hJRtq5io1F1?Jcudk_cmH3%CRG{y*k$;N5gIQM z_wxUDe>{?aR7C|V8Ru!jSDeLte@r+o=Ja`2G56`BhL!=rm+p7v_^AI`V|pLnnm@?T zx>e$fqSw~wqf%aB{x5S0EatEVhYqAOw$(3xFoQmzHmu9Jf(58MTW@ z``hu-mp{iRyikpdAV7101{bu*KeQwdu_@&)jr(caNjz-#_$+8Oj3K0MwM+TSKk`k# zpRD?_iR=E;?BS4Lk|%?#!VUJ6F+cPxRzx+i=W3g8?>4*x)b&hW~Keg2c3m!@tAv>pp99z8OJ0N@3_u@_2wMOkdi`H0J; zD&Yzr)0le6`@g8Z6RlGEKfff7mjuE1x1h>P)UVhkhvLk%NZuv9+i|WS3Hj${f|Io) zq1)H~+KJ`TyW4VUat73fwXyM0u5V(Ayo$9vq@B$RP5a;45e42LMEw*c`?&RdGrm^nAt&kZ>7y>acm#?h@#(h$&V&U;M?{@+6&2^ud@U4NN^WBQ-G zk7fI-iSd6t2^C4FA%V(+XZ_h#SYTcHBX;|(iVe+#ztww+vz6z^K!>Bbq9RFo4*zy{ z7-WT0OMR;r^)8yhq?iVkhDdZW$Q)~de5OHwlaP=3?viW*$YNkzQZi_qoBYhG*e2O@ zlku}W{LV%V@(_fpqFZ~VlUaddOzyqdWV_87Vf&1WiOPFDgpUW^oez<-a-5IWDidm8 zQaHhZw5OU;ql>>pdyDCTypq%lh`PXM1b~PC+I#={7m0gd=L}ipg41_DRN&yiiD*P1 zyA8D3F(vgw^2x4h@<3^2fi8-+vF~--AiOYe{#m`I`>z`!uDvhr^9Q7q$ez;r zywxPGt()amlw}ulcM*U`66|43${a)dCC}bxe^a84&5lH%@uoSzWxE57tijNrZ|c7D zyfDmyofiD54YV%2z7lmW?!j%5QESfAShj=&ADMlsJ(} 
z(6}@-<9_)|C#llA7D%+1f?w=s`Rdw5AoAib$GrJ<&i?TX9a-+Z1hkxL(o3ETb?aic|(mJ0$w(E|)y}Nv6wg)gYZ7jL8Pd94LC)%%eD>KdV z*fW#}@aty9nWn!f+}Tg&7Sycs6E3tAs2;mO)8D(sgLM9*UWL3e$^Dp|@i6Rz`J;w- z&w^P4T)f_@i_qcn#( zPS>E73j9q9yZgL25r>7WsrL3xjZK$?#lKHN1jn39ul-6K>-&~P2$ifWG>1ZOKe;M; zsYSEZz4G-_G3CY-S#y`7ALdIhpCSc?Ph_tVC%!r&po$cZ-^F6WPZfr(eT-hfSPxx| zIi<#WYV!+wDCK3Yl4@C{j%?C_+yPs}ApuM}J7#S+i}v=Lu0!$;t-1Q+rLg7aU8TJD zJ!j%@dgXg(_GD^%iiA|H>8Ams?Zd}^-iY~ZnhV3t%?gTTX6w_Rl-Z1_AEC|5e|Vm5F_0y_rjnQaB|+Rd8uDeo(z(?f&;@BP(ZX~=6!Z8dLtHdMYbqNO5MUdmVPrHc3m|3Os^yjl`pIM zR``2esQUx{dxLJQ@2hhF@>|sI;6bJD0+nCArn=xe8D=;IL2R!Oxa z%{U%s<1i34VRW%n)oD(I9J}`mT7_*N4pggfw?Ms8pxLeF5{#RDNL7zVUapMjGLp_x zUi!OpPW`>h-OkDu@#mXaiN_Bgbg657Kz$c@p!n*m@YjMVn_Nu1aF#xd=RYkT?mmJG zH)YMfy5DL3AWt1DM)-0S{(2O+3?B<6UT?L|Yv2q-`qME z`T;l<;+*RpU?===ZM@EaNI2^!on+dB0w(xI#A{;}izU;qfSqYrRrjJtI4fiXVMO(O z8i8h{t9C7Y`O83_P_^cZwwAQ^l;U4^EtY8T$}r4GB~M_lKFSC#lg2s&Xs2;-cV*xz zUD9(+4it9=G|AX#oV+8=lWXF+a45U=xqd)?Oi%aj#^cP#OIbQ%wyj*kJ=cEJ&U|ZW zR|GRFZyxpc%=-78xFu3BvAQzXFDAZF{}kvcd9{!n3ibUN&c(aWrICz`9i|ryCgBqD zhO#1GLcHl!RaFV4AJFS>+)^ae$0Ht^m8u07qE*1+%aJX6Js~R4ljm;|)XkDn|F2 zacz9)nn4jGT)T0e(^zUJ-x%Ze@LO-blZvLjw9fl5nGz!!^8Jc#qy#v{-G5d5c&kmm z{B-xMUxZi|%l!Ra(}R@^jWVfccFpr<&i5_TG9ErmduH_Nx0O%8YBJv0JPn+ntxcDN zBj^(3fBsR3g_8JUtR1KwE+TeSxt87xX2B`NWYcxNl)g(~yfY$Xs^8(s%#qx9Q~UkH zKR+bDUACoiMot*t@zv4Sv}lfJ!Hf9a6xsDqFTBtHdbhHhV`A2@cwyuIF*fkfgB3pI z8Fgqp;CA8M+{|PwpHC_GzU$THI0PhC>y9dKzGIU>VU9RngPL|;+od@_GrKjK`Yf|lHX#Jb)2VHb5BDQ&%T>kzq875edabxNgmywmq*LZhdP z?wjQ0_fH+hN3*rP$_9zQ1h=MD*FE`wj@FbJWc4brN)NUT&?geF)owI7Ri5`T_p$I> zyf{XHhQ(TU?GI8O{}ebAZWyTongQ>r}kt@&K;lgd-Ws_>7< z8pPdn4Kvw0bXX5&-WnfQocqLYZdIUm=qs*p*$&u$XW^y>Z}-rhQ_ zsxSB#77$PnP!LcW5s_A;TU0uv8>G8Inhhc#-CZipq5Dt=q+8<99l{}{8}3HG;aBf- zpWpl3_kI64&xW(l+H236nKd(?nOW8B_em*rKIw=h1ZCQ95E`>JJxkt-;K>qLa~od; z6ry$19CRQVllfRmd{V-x!({gYEAwqBzc^qq!EY}q6I!dlf|hG;g=dxdXG?`b^OVdG zN~O_gPY*k$)6kb*VLki8s_!IsIVlte1E)(hB7IteFx%-lkm6BmtPR!QXK`^Hz@i}am-R| z^kB9~@QwYc`XmMwiaP_I*|M54`Z9sB!eGih9U=^s+uu`|xXiBT&ki0$uB5V;2Unt3 
z=?!-nm-!OoU;ZtnBi3IEF}~q6Yz|ivDW;Z(O_fO!n4x}9jF23NmNa(>P^{6I`MzbK zYf&C;z%wk?R079~^)IJo1BYAYXstnYAu}rF65^08r%N?l>&2i; zF`MZB(uD%~Qnleudu*!3>8R(#3~OlVhFa;D{oB_1J~a(ozl!EHWYrg*o>U(Wy}*w+ zB$5D6s%sD5KEH-^9k?wBe*XBd{csIQqb=p=-7Hhv_*d?6&rszMEegAXN=Zqa!Cs}6p!KH}=e=^p-P=XqRSB+Re1l--ZB zw=S6l5*MCdyL$4k&#w|}Kx(tl=4X^}%YW1LRkAi2)X3Q59V{(bC@tFf(^ zQ)!tm_QW2gGHHi4%piLw97J90^ECZ-v!^HC4bIt7593gci;Ksjx7%@%$+h?6qUZq) zI*BCAKjwXWHTK)w!(R7S^%r_#-%{C(!qQO3l`R?cxNo)hqiOK|N5nk^<-Ax?NqBI! zBI&dEDQIL`=06B#-gv*nz=wEjWGl1#w_02#aHz14*ZUD~($ zB(_4|Qf>&Utr(MY-hv?XaqgU|d$I<}Z;u*B9U!qDRjw^{i;+A-ER+Gnse%+J$c}7l zjLPt}I4`R2vOgE}??v+}Riw~F^3&;_*bC%6+E|lR=2A}$VzAd_XIuip4>%+e1NKY5 zs@l-~hrK|a5u=zw^3!ZiN$Y1ZLBz7SPlejjQS#Gk5-!^k+*riE87%?fh)pDNh?GMO zNI_L@rv5L_-8fT5zK_AlOXIMzD0}>NkVUn~8EPIlMg_VwQF=Bsmk_&eoK;3Sf)_>B zwBfK13XgGVEz*cY*8-L$=Ds5vA>g*EzfGy}?hWyVJKcEmDzS~BEO>w#>J82Ty4H)| zZUdF>63DkDlZ7y-SCUj&gG06VhyN zXO&E%+6etQJRhpi3p)u36_vR6OE)7mph5%ocT6xiLrD4PvZPxw5SXL)|9Rlw0(M&z zB4~-ly|dg`NZy72RRjf_GlYyQ51)7&i8LxXwm%hop&*R+zP{pK?|hKCB?Xb%{1@8n z)x^yO(e-Kmn5`g%3i4G)uiE3h2&yGUxF;1QugS<;or>Lo8A{_%?BZa~~eiZi+VCiKB9*{Qakb zk1#-8^?+YH_`g~Mysz;N#q5m`uzB-8wEIhRyd>{Z%(lODt0($r&VS$Xj!LlM4v9#} zyMIOl{(fToW5I@S|06fH|B4cL<8={GFLH*Ep#Cu&i!AsJ-uAKSAEdky0xC*t5-yBC zM$`Wce)DL47ygrBfM4X{HVG1P2$&3c_mAP)UxMFAHZMbdQx71ga)O-NXtVhEPyX`< zzls0Qr~Joy2wH=T|8AjO7UX;2zb{3B2TBXeozz0%ze)DDY33?&R<;YP(S3YBA$Ts;t=dM`? 
z;_6O;gO0_HNP~^>nWgQv)^-_zO9nfz7HGSVe}T#Jt3{a;9JB{z@NAsmDL`4*OyVJ}>K zd}?~QaZ3QcE!gQ>f5Ni~IiAI!t7re`b85ez*@^XDf;qQ4LseNzEB$F;HBKF>Oug!>S6~+9<=~o!GCgL6 z`LX;aY)k8qkGbxwBq@N08tnJy3aUjsJ@VLr3<;V|*ONVy__Jx(osG)f#SWU3FtDHc z^`+|ds)I`AtV`hTV=VMTN7%I6n#EYDQRt-Ip>?WAR{%cAML~;v<5Sz_8(@uvaKxJP z+cT%JV!f;&*Hy995$8uK%dC@3Z(sco6N*7lpjd)an14u3`v*^$XHy8&bl=o@rz2|- z@J5$7KUwYqJCW!YNE<=LX4YXm$9%MDjg37Vz|2DeU$?Uknv-E5=d9dYHbNU?*#a>3nJ^nse+b`t)M4r*e7# zBOHZE(gdEHVGrGtOI>!9gqA?oel6OuC zcoJAgDs$@4FkJ$_yGx){X>kwmC2PJVpabhtVS2O=JfsS}jyZA(uB`R;RC1^@R>%iK zJR=}_5j;*}aMh=466$RAHVMoDW84;z2_>e1o$Um6C-6;d-HncmyNBgJ?WlMsOFB7% z+hJ8Sby`_;d%k7L2Dc2Oy_>-8vJQewm$~fRK~31@V=-}3XOz;XLhTPIj*kvyTWZ!+ zFZWhNZH6B{m&f1)&ncC{>Z)j8>Bq@hiHxXIjUP)3<$bW!mAV%4?Cm-pSfr`ud~m;x z=JFocO%-L+8M;=$W3V=C!Lr|kV=zb#h%&ibnkp1Bou6n%R~0T#_ne=Y9VUVG(gV(8 zTepdSZVK^~;En^_Uv;Co`diQ!RSttQ@4=iev6U_LIeT&wa!4QSNNxw=StFG=EC(@U zQ(op>1LvYYqE3-9C zi$=ok3HE{Rmn&0|_2<96fp+ALJ`-)a^dSpfWCsHq2N=a8npAmXd-z?)-+LLX;gEpS zDW+T2Ra>fsEZ-w|$!h$121`NU^vup=rXU$pm={STh1Z$&$oLW1^C=RGnEk{4Ein_i z=E1(RsR`YcFiQW!KD6dx@@C|~I@d!e1r1$pg#F6b=L~m`j}~M!toOdZz^UHFW}Q7U zJGAtd`2fTQ@@VEge`$dg8}P{4Fl439NrqnSz=S+x!m36JC0wXr#vhcX&G=+>uxBmU z=T}0LEjYe;&7J7kH(5t*hN=XXC6vR-B-c%7i9Q1Nc)QKVcBU>Z9c;V6pE_1K<19kJ zaHQq3ayPO1^68I1-#rMEYnVfuaE{O5 z8%lodky3sN@ns&ScZ3zYH6TH%oy6IQik#AT`r*!@G3YSg2ip-$I{WzeKtrvjYgNhI zR_2_jYF?Uh0iI4aXj#Lgc_kq=6hv+*f=(obY^&~=((xp(uri~hR zQFBm93SsbO=yP6yt8_SH%?ZM#RNO_u>N$Z5q*;o!YNumW>1=!X$xWBHy=;;2M<3sVzIh#BTP_n+HF9= z0mP}@Bf)mU=aFthUos6{HrV-SzIrzGj`UJxFft;wRb{1yKS>r^FcDnkD#+K+mDd3i zYK4!D$5}b1TIr~nUh_aC#Z2IdOI^wz_S=g1pWL}~$3N=?tfr{WEQ!Ja&;%Lsb8JaoF*IsSkvdIG=xvm+;+uuHtf6T^ueh>?hnNz6hGhX z8-W{nL_7`UryJzI7-idZKS9`7n#S-k53gm&XGzN)*6wOhhZvo{$jayCJ-IWY*IJ_- z#OC4-?jMnot~WcGdC`A52Nc&p^Z8oX=no5?V(n%+`>UnaM9bkEv{(RP{~nf=?e>x0 zvUX=jLX4@o^U@-q5o{JUHJk5tyu+QW2T82ZLGoi9ahYEfsLT}CDgM8m&1DCo=5i-&=dCv!$A8s3iO3Za&|FxKjghYeRvZ?z6 zH;anB0>zrqvImfzB60l0Ry{=qg2laIeo|CSg0m5k4XBF*N^vDH?M78>6u7a7K-vvL zLuF@c1{cY7ag9W7wQ-JXTGMfw7F6=qNFuhWg6kY>&rB5W50@_OGS`QF_;Sak)|cg5 
zaoZwztW(r-s;kz6a>78Gk0s~%=mAoE#cSCgVdPT|bRo{*i3Kv7yk{1AWbVyUyE;Dv zM{rgWbnTJ=F^hW4D<6cy7?~E8B&G4QV`M*$z*#%iJa6K@b=3>V9Wci@?HrFO@(Z_d zWzV#@@`wi}f%T}P`Q(vE0zKyihkiEuU5k{_*F(AdWTd-sXE}q&=AAxLb4486^%YUb z*opj4^;ce7%#U)5MfQsbhsI#wch)o=LuSENiJri%VYH0lnx!s*lBD=)?yNX*jLO!y z6k5XoLQLtYKAe}p+G&PLdnQ$`K?i=f;z1B2skyukgNo=T-iNyVOz6e|&mO(f3J&$&8h7q9MtRUESlGYH-*Gdv|TxrDQElwt$&pZm-O zJtzT};xP+9+=R0%FcK^|E}io#DhhoHjrr-JF;4#9w_Xyl|5*- z?Dq~8tVb2RM`)yQUGc2wO-Bvgx$+!E#Q8YMzE&<~NQgYTf7kV0pkZ}_e_>+@I(-JH zt-418@KX$Q`QSty=zYT?>9zHImEyPh46#^y8VXwMlBLSH=ME;&s5kZG0agZcr%mX# zzdK#T%u996#oijU8U!&xrjwFI@%gmVE~6^cHUra|SDq(t#2c$VU+4>3uZ+NMUh^s+ zQO+PE$Rv4S5zaY4WF0rPgHONs)Z+0f0!Mewdw*)>lhmt?Nix!B!o4F%utRYc_9@-N zO_-Z>?DpPl(d?%>_W3=)oZX@&Giv%^pp7I#ad41) zFcuf*y>q&?R;H_03(+X~PV-RtL*fam%@@pq)pnO26>k-Y&<;aRtw`3yt-%y3rG5q3 z7mS$QCxz|9_cJsD1@Ll7FL#;1?gvptw-5|v= zwb&~#Xa8<}x?G)rNo^4=))C=39)ncgquiiF?=k7#$5-H`FJdv^ytnf7ST2^gJcHeA zD4P<+5~{jm_Dp`D@6t0{UG_TX7-xPo13$D5R_ixpLrjIG~DQRHKMQOYmsnVB7X z=HB2U#+t3IeKBOhk?OXCfGNoqdwGDRQ|U}y3I?G8Y-QKzx{ zLpYTtzF+c02Of<>OA=Q>PPP&Y$i1hg@z0V&6{S_I7wKnjG*5?^ z0LzBKf)cB8MZ;!I>@_0VD|9c|Ejlx0#wyg6i|;#ZxsPX8#+22pJQz{1_tMIe0`a%5 z%ymh4!#X`yFVo-*7KEZCto5YFiB76y=~9K$DDV^UGhHFnQRuWfZJ7~|Sr zu%n4)eDk!*#46s1302QrF#3*lQ}<4l(xl0 zn%VCcP*g^xr#fCfhkIU8Xnjg1x`VgPQ^DTJ5||b{V^BMz5m-~HWS*iT;Fg7=<+@<$ z&ZbswjzGp%?`6yAK|5E%n%6v^ADbbHmhOkE-f=zgQ-6e{)O=87^jl8z}x(QLKy0F8XeqRL~P#6r&|kCcSE zjRh0-HBGTaRX%FxHwN<7{BSaow^#(estc-^Z+HhknRf;A4o87#X|0tVc|o^$<(kvEJ{y|F4D$yh!hjVg8=t%*d8FCYICF>O%y^z>dv`WZSCKtA|3o?tmnd=^5= zT^0Q>&$f9`o3iFh2FGmCG%0v~N32=%c$T9T;-l5t*iRD@#iMBfOislLL@{6uY*~QYCToW`a_s~cxSU%+6w%vp-Eqa}9#eN4niHnCV^}1$C z({N8z^b*}F`58F1egsDEdehlwd_cCN2(v&n=Y9nqO@o`2t3QF+j~5ymI^uDsf4sR& zG@+o4sFaNN-Ui_E^k_{iJXw>|@uyO{-98Q4w_~RlHV1!%6hDIB@S^?k@30N zi^zY!-akP_kWNOwM-q{)m(+nvQUUYPxP}b;KH6>T@3;O8F;)D(@Fw7s}qW^p# zW2gM{xPKniesJ{?7X-FQzmHD=Mw*`e9ZU^Mzvy&d(B8D2v|@4F)U-^2a9(su>7U2^~vdhIXb{yTGu+1dO5{`J?DmpK>+ z3*WG!Bur(=yaQ%&g7ilDeNc-38+!jf*#DW_!2j#?{+mAkko%t{`-d1M8V$wEDrMah 
zB|-qfmIi$y_U087R3-8I+$q9(P|t&7VKrzpj>|F5=5pCx>DD{Z0_0#B~yyg$4cg5j=x)uZ_m4M4aAdK zuXEPQSSD?!H>XOse{Zq=lP%h{kUv3%^anDUGR!|k0Qb4KC2=^l)SqhdYw!rXAZ+ye z69G8I*ee)QvgC(J_%cxpqJ%szZR_$icCpf5VcOC8o$pGD1>v8U7Fz<*jaD#N_-0q0 z7^wI%dE)#D5*!f5O#qG>zD(~tsb09b-TOnx-huI}JGWk4(dpk8{&97Q`$2$=zRi(5 z3a>`*;haKka|?;x>HAlUv0;;+A~;xtc3u&Le|2+a$rEV^*Ae>P&}|x-=8!zR30QON z=s5R7d3TdpOB6$qo^h@P6RiwZm<&RCQf=se(gG^jov>l6KbT_QcsGcS`c8Rg##-rh z5`=D7J$bHTZp7r^iK#z>iUxtXD&;~wAS2z{Mh*Qqk)Xwd2b^%8YCSXx`Soo8qwRRC`TcHtCA_p{DMwLX2884zA*|zN&$<-bdS~+P|%hZd6w36Wj^w-ppg`w9wYqE=M z-Rj(Cu?^#2E{`4X3FtcVk(cM~zDlW}e3shPu6%rEE~HUQqEbyen~Md|yn&On5WNx; zRWVNJ4fmvy(in4H4%2`xmU;j(?Slf+;VtUQ9aN;2;cTw#UFxuIdqRQ~p3uGQF|~qx zz~A1($oQaMrI+m21?p8pLdKq{WCvaOvjiA7#Y$gW{VQS?5=$rPPN5Lop4?0XiJfFa z|7q>pfl5ns|917S)MhxqGqH-+Givq~^3ilZ`+{K&U>;YxBP!Z%u}N`8yl|XQ+`9yx zVOv}R=7{PjZxq?LZP{vi_eMxux=7;{lUH7RD{>uyik=LwJqCNX#8`1KM&1m}%5cKt zR4SvD?XrBi=_#<2yan#M+;v~8U6+o#Y1T$ZTO$vy-Ta3Ts9Pv3@1#yAew8K9K!7%)@FVdh+ha{l;U4#6Z4g;# z6_IV}Y;PYP5vM+1PDOX@!oz&jb>gm`A=l5cV_lQD__ZTVuI{Dt7=T+Rp{0J}bIaH* zK1seP&Mkdms4})s(uQP-)H;gpwZf*wgtlo^-b!mA9wER0hE&6CVkar{>4qW&u-C)P zvVz|(XlkEk?0a>#m)!+sqK6T5TwvA<;vV^dyF$U~(Velk)}gmdY%)He5z8<*DZ31r zQV}ZG3Ho-sXssi~0Yi3Cw@%JzbL^y}Cf`11M(j4a;{x2z`Jt;eswH~)lYFl4Gz#YY zPG23()0(Ii#7G}k38Q&jq?7pbJyKfTo%*)KvNQtqNJS?e4YhPE4T{_SjJ>Da>9Efu zL660>es-2D6NSd;zE%-CQ9elrg42)eiRmJhyJNtrzxF*dpcT61`rJEO_@wK=DeJlI z@hKJciPL}~lTryhUBd#pwWd4?#qW&NHaq}?)#})vY-=zkIYCdSz_>R-$>{!t!=h&p zg7Y=7{kAhu!2QAC3I8|oPXs0_HX^0;8YV+uRhiqf&RaXvGqgMN_5(FKMzOGJM6Dd8 zIwGFss2pW}x~+mZYVC^) zZ{on|&q%FH^1@KU7V^FO`Fg$nB~HKuUHqs;947lZszV3ztHt1yL-Dpsw6(6C6OXpY zX{0tV(W|-`v52pYa4Jo?Wd-j`&XVfcE|?WHfeEHQHhWxc)qf)BC^P6mouG(WwQU@7 zgL8e3?rzEq))8ZT4OEsxY67FFc)a};*Y+ya z`fEi?4mZVaaaNC*Q%46x#XP+X3JqAjw;c!pQf-+%cl~@$Nr17cJjdj>n+BB@I+Rd@ zO{~6-eezH-T#Rv|D zP~Ou8bjulL`$@+xBN@@U0mZWr8g=EoEiG2yXo7>~H~@VqqSEi-fyP<(*1bcalQuvA zkh;ZbZk{;c;l(f7n3NE4#xuyGNG$@|Hx!d^8On$UL9L&$BB{4z|b>Rn{n z$wpI}`!lmg_o8U(Q`bE%#1CCH7J9TDt?ZGSB&PgoKu8wX^>Ii`vgp~FR&tEZNYJ)N 
zDk|}4Wj}gfXB=-LpMs2OQy)6(Eb!fd|DcOqE(;hM+If)JscVuJ{aCeO+p-XSX}t0P*J7Z38(!XogXbXDYY!#-<}+C@-(;Al{t_ z>$bkMh^7K6SIto{InRRA%xjH7FvF5Jt8L1|*b0}Qn9!q8PgDlg5A`YS24VXkA;7Ej z7AU0)(;Tdm(XZjgO<&-jdt!AWKz&=CE|y?mSI&>5of7)TL#(1KlkP^2ysMl9gm?cRFg*}Zz1 z2U#f!xUIcBsF?_iAMD}CYZQjLPG~KkXgJYvG9}p89JGFLIOWa3$3NI*E?ewyEwygS zrOA_PW>56p4fD`u-e?3{vfSh}mrgK>#!pl>9JCb%PJM5gk5g?Ybbo?K`^VSm6uadP z0h}Chi#;US?&$A(hq9H15GLb0yDU9kg@#Mjd9i zWsS?EMB#Z-Yn96vpoTOU9|5-eu~F=A9bDp*Y#n;2kX>$)S~y$t&U!Y@aOP$l3>SGW z46@C1462Q7@eM;V;fE9DI2m={!O{o(fR~w7+7viL;XSSo4IKvFc`c@%u56E_TYJ5; zZD~(j`r1#m8M*=6Sbi!3w_jwW^-z4dVJlZ8m!lv<1B#cjG2ZLMEWkcXNl`_w+lUD| zD5YFXc5m3J%)qCb#eDcWNAwpLYn9u&-j{-Ooa2g?4@Wqvh7`@4Qv&R8Ad2KpS)LtR z@3Ib?pKQo%d&i)UH>p8wH%mo=G=j7G@A8hb-feSE$6r{sSq$Qk}yRwqK&NnuH!;P zXSdSw*gTK@Hs9mwjnuBca|ZPGTpSTmDL2)oblt^Uy8($9bL}-c!%h!GnD_ ztMoNl+gNtujXWfIKaMT&^~Sj_N;pj{>0hod@WVT!Xu}w-dMJm!Q+RO}pEq@wH8k{Q z!6x6M2thJ@G&ob$q7=2KV10Lx&Uwx3=}Mpt_we|qK<+(nv-jBet3~Mf@&pzWyA0d+90UUDf?%4i0^>jw zKCu9*TB8mhse5o5FCVA5j^Ck+z+&!2K6m;U)L~J_!tU#S@?1f=7b=N`7EDT-x;g7= z*;Ob87|D zfc1cp{>2IY{BOF{((LY33a36t+~g7y>y*7&c16SMWAj2$9%|#P8i^@tEF4A) zeVegO1671&HX-{M+vV`D+Gn!kVjM!s+Q+KiH_Xab-3#iGvFYPW^oNN2f$_`7^ZT`C zX4mwwtQfkTG?w#7;k4Z45{eNuYzPMRs`R{x8n|Yp&x7G1c*62%0G+%8lS&~sVE}ck z63e$f$}sJR2frrBc_q=lVJ@&>lY}%dM^uKXpjPcGm3?ifh-zh=hGdUon(>54&1gei zy&>tG+4yU~MXUBzUBQ|e=X&as=FE30EzM3?cR|y4o#ZSyH1}>PoTl&&B&Fy8MP`+b z4rV5*#~g!#b)_(C6NAP_d&fyeIY+fT1k&b0@^6_YDxOa$5S!J!VI(}eQkvz)XH1SiVG$3#o-$5b8f7YDy7bKdqkfA`nEH9_}mtS&Yj~71qe}2iZp1!$SHC* z@qmEm&G8rGanI5cvl0uU)sp>tE<}n~3k5FN&Z+rkNG1LD+yqkp^X{ec6mbhNd5@yt zt+G6sm$j*KLn?h}`6R7CQZgBSIIj7J^c?I4%Uq#E&Z}A25Q%*xOh$pY8ZvY$tFMbOt zQFwX+US+KJ_a!BY)0|yw8O|(Bav|AY^`mHR|LOt$kl+h>FTq&<;KwSD#a_tD$b`gE z`N?a(@-fhjoDxzW9};)Qm8NNb$4IY1sH(1%{pz^-q|~Xhy0au1aI}-E_wfbZi#i#{ zsefvAE!86CU|XfbtSpFtYb`ymST{G>cxfiFGrCGyF%*`s5W(RX7bCh6dz|PIK6pa- zSBlHu^lBKR4ijk$shD46*JONFHvz5IUne6iP2t5)oPLph0{t?FnvQ^$8x$0@$A>ds zIOVNh7%B>5hXbodR1@&4P=VYOvk2?`a=)~Gu5Q}nFV_0 
zcBM@D(?SGR>eQ#9EoYcLF}CF!9GZL&of~W{&Lt*yvP$VSHEQ_{@m$C97R#y&vR;=uFl{1TG|sXirPBb2gW(^;+NiNL)G)By3)9fwJ${X(jKZtvO3 zhsu_v_`@4htAJK+Y=5!U@dvxb*kqW*vT4uKdnM0BOw3qPzk|*`7ydhH<^7p*D2H|Z zE^diAZ}3T!Y$666(}mq_FYjP+U09M4t>-JOCEzM?Y76@HfYy+h%4=CpD|$2BQ9k?5MyA2$a!L<)Z=dsq{=rELuH8;{S>dD#z`j272q2qG zt}29irUB=@Ec=yKi(wv{0o;Tg%Vvb_uVjPur|Jdv-QJ4r?ktOW@g8e5gpWI3w*^~p zna5Hk9$YUmYdHNY6opy~fZEGEAVBI_@ig(UV^hqn5?VUYQt3qHUVhBPuZ7)4Hn@}e zq6CbqfJx?t1?s?KsZO}PB8d|IPPDWSLaTHiM#s7H{##58{%VIM78kg?kbIZY75Pou ztW$=$1q3K6Mh%Hy(zSGToVZU+N^G@qdnA2Y5S>Vffh>IqoH@KW23hMw@a=Ab^J}Pz zDs2p`C=q{l>O3#EEG}z7`js^OkSjP~eY~R~%qr zYq9gV3MUAEKDcecTQsG47(MQ~0B)mGQMi4ECgWn~Tjj2m>0Gl%vm;O<tYd5D6djZo<}(CjY!j-Dzebce1R9dSYEn{%<%DxVmhJ$N!GaY3`=N$qQ4G zGIt1+QPFN)1P$v;a(})QeTLPXSy3`;u*=``P-PH5-Nv_8U{D)pEYOixV9FVmgs|5; z);J@Fkf|~1E+}Jin!|PzZ!E|9S&m|2yx&5S#Je+?zvps;>>^9(d}eJ*i1zLnWzOW~R1 z*Ky_*wlZm|4rXT87RoEk?@`wPKG?e)%rYgjKBy$au}zuzqkG}1+^l@W7% zua@4~tr-`F8gpQmZxxv^gAY92opA^VV06(by^mp{0?NsiK<;B3=vRxYfw8z$b&v=1 z0O3UOeNEcX{N8HOCRDQ$UH|ClU6oQo$Yc>zvO-g_FpZwD#IFyi5JV1<8$ZfORI-uO zdOE@PdK$?O%pBYdd!3K#4@Wol$CUdkE$Sb4pqI(3C~R_|PKjO>YL=GB_6AdJ)V7d7 zNr6_W7nN*Sf9Ql&Ev=ss-O+@inCYev-+2(2BW8wb#$rn8YeAs@(27NkRhtrveYNIM zIxxJj@G(U19F;_8oc&YqrmNazi8wB%9|5Cxk1{lO{t>N5#(S*#@xy^Z9)-Xel%)u#NVx%o zosi^i{FZh|3pK5%3 z2k91&u3SEBt5?^HOGK0a-U{Ykb)@#!EFM_Vh@K&?ThjjVwu?`^zG_gi6i+3~eKOWR z073Y7RP5|ZT587`-P0ux{icMN2>+Nrx1u?N_o_qm6}-vwswE+)wWUR@yT8d6n3=CM zu)9^q=~VW6#J`;u86FTFiB7D|cn1|jOhrZIz?{XDqYD`uGG7!%buy~sjHqNb*e)pN zTH?1&{+;HFDqaKzrd^)gvEu#6KAKhG;b>{TaVCDW&L1~z<5F6mW!AQ~339^2wN z+{Nt5(HZliW=UnzpTxBk`d1#uU(OP^9rqG=o#{Ad=+24eXn!tY4b7umzWexFX2xP~ z^2Gjh5o4W1v!P4F+)b|aR03O-LD^Ft=}YOao!F4gqHE0;hJP;8I_;ZAAK={Lx$n8f zCtpR2QJDIYuy9i_!yRiUKavzvY)l^B%gyuUv0ZlC;XmHa97)E&*N7aUEJaa}9^-n2Lo!YF~vC#(LlCrci zB|Hdxn}@xMYWw7O^>Dl01(~rgpQodI9OfZ#|-^F_0A$pSo9X=Z)x8`|MLgy)Yc}^nEKWWTKD-8 zAi4+k{i5OMb&{Kxq0tA=@BQySaRn&?`piGX2{AAySMj>zRs@1|%29^)0ltxQfLA%BNVGHVgWl5+qgu5Vo%I~mi zqRXgSz)ba1O0~u#Wnj-b!t6fS%m6%TLyjrP^s%$ua=4G_lY<(^rK*cO(`{Rp&p=PP 
zi_~(}tbX@dr9of6u?bj}f6H=Oq?3S&8a-s<*nNdp-d1!_zPtBV<_k-^E{Dk}M^x#g zY^{;Lkf5G;5C!_V`p3QdJ5@@>ZAqM;^_XTBm?0ikDw)-{%*JE_7U@@70W5LlSXn#m z3uRP4*tV=fF$)V&vR^JIc6q$qIJMLKuA{_bMkz<3EQoh<^AVT*PPPKGtX9R#t%#8r z4@wjw?MKUZ86J@%IN_~kv|tzpB?PRz?X0snl?aZ&pK`L9pAR(vJ1MbjM)0IZha6sT z7QHA)W*-lBbl->_MyI11lsj`*R?C7cegG3W_1s1eWud_4f{6Y^BOgn8OY{RGbKc@v zO@u5YSVLnU`98~%sdp0p;eL2|r3&N>a)tOupSV>zLnV(L3TBoY$=drjEMxB2X$^T@h(ilJj7%~b zeUeiF*slM;#|*2f1KXMyb!yPAd2ji`U?*U#M0W%&-lK=}(4E=1Xh0MgBimvXWdeZo zm*g_z-7Vr32~iNnL-+Flo=PF-ov!YSK2gXBTDA6y%DDlb4c+khSWj>@SLoB3x^vJK z5+bOXhJ}!XJtak7WuBIH-p-QISDR_mpaq5=VDW7lzxAOHCgNU0JuaJ3i7(reh%fgD zr@vqGNrw=TUqH*1z8~v<{;PdLv3%n?uJsX7B`?_Pa{D^TtG%T|_1GC2M`>Uf^;*-O zkL^WKE%($S+adDg$dOsN(wB*&R;_Oyh0GRK=0l2>=A()QNhg94o&c4jXm;Or|5PbW z=MX)4w4-u&1T%2i82rkr|JuS1ZQ5kuJkCkb@YCg&s0{m8;9WgPGqz7ELeH{wNd0c6X}M*!^Qo zmI(|@5Yjh_L+eH_M;g z3y9{=2H?0&*J==3OsR}B7OG4JWjkNUD#*5i!_b+lW#ub1Eff4K{+|Md!2cLAynIh^ z@E^cX^>mDFpE+i8Jg~{5ztSW+@X$~!n>rwc4qt*Gb;UlB_iW>#GU)&S?jIJtSghvp zuw%l*uByY8=Ql?>@gQea@=c+=z}77XBtHQ^O*N_CROk`zjfb<}*({;!b*^B^&?cL@ zSjK}4JndBi_|ti?1<8`uwPhU4L#~Sw8`UlDjma*{i7!I7U6aHqk!u2Ekq>9H3-!db z7pNc!kuaLR|gX`Z&ONm`1o5bfvP=P_~ zGIikQ+A|$_PV*=7l{!UNv;p-?L-7`=kVri_-3oo~s1i>4+OHgHY`#2*c|?W}DE zGre)jIkg7w71YIP0Sz$!)EUSi%VxsU>8;W?D5vZvv#R$ajY|Di#WozbJ<&+&d)qw5 zgje@M6V$Zy2)t!(~(~*6`n~KKC zHsvs3h)<$zQZyg$s`v>IP3IlBAUNd0e9jOhTCdtrEZvpGuf^AQF5Ad^ymxQGV6T=# zL$Qm`G~R7ZuFhv~B!@3+enIo5(o}n=Ke%$}cE6d{Za05QX4%(zyc7&<2!lZ8r!VOS z+K)V1-X&^BFm2t6{2F#Ub%B{!eV9QJkp0mf#wgRo`iTaF=_;}v*Ee#M?NcvWNjP8W z&c(F73-;V$NG;U-7`18jv0<@cqjej7<6k@ z6kox1c{)h7`4@6=z~Dx=qVcHUCA>?xowzHr2A5(2+`(pDWQUmW@n1J=8=oQ-up%JA z0?BdBEn(^o#{XPDrjP}2;PMXNUOqs5OW z7-oyOOb8A}4R<@u)p}Q~X2QIrTpwyha@oUapO$hk#K<_f^p&fP6~Cg_G#?L)_Hw2J zq26`TgTT1e$nO7yUc>aR8?GH8dhhpDPXqWVJ#@p6*zDQd@8|zlc;X*$;ub!`Pq-p4 z_A@F;YQeE|%5bL#@tSjmshT@XlYVc*2Sx+T7R63pp}Z&#`nzQQs>x+B?FSX}(0$p+EL1-g+)89?l*%X~BO!P{Ix7%{5%M;gxMLrS$pN3ZIBR~g$rKKt zPt(5HshLIaJ(WC_Kl=!V-+3YXnN=rgerGA6ih}0cMe>Q=Zkyi>$D-m#%ICUylaY1# 
zI3E?Bi6^#7;z`V=44{v>_&qFaD57Y|ELE`^SgILbtIb!RWd4*4>ES4a%jaze8SyY? zP4(rC_1K(K7g5Kp19#bhwV1wEQxu@zn?<kJ(QlRpU3DnEuT|geYk{>}1!df{f7_f^xAnCdI5##P(}A;#s6!`?s# z4P<#uu%Fug9K^-yVtHC2#smONJq%-0*R<3 z?Cq8Ay*ybZ>OC#uN#-ZQ*$0^04*W3{W5A0fndLY6W2G%VkI&1>Osd%V%9|~ETT`c) z{W5HrjTcDP@aN4SpI}F6Ws#Qe3+i`D(e4Zz!+Z7QLS>nTwx=1e>VzSDdHS6fQ$+q( zkfOuocy%FLZSj)@o8(?wg{+k!CeRNWPA@f|izu<&QgW0c2vCt%HcQc?&y|D&&^L9f z8joW%)H>n>`~*G1N6~)`-q>b()>T!&pX4LMM5l#x@n?tC`-M;@t}Nfe&$`Tc8=UO! zz|tmGLB#w=rMy#Outya_ub^5b45knUrZ-MRg_k!6XyYC$QxpLh~skOp+E?>rR zcyl1xX9bkOb$|+3FZ`V&WXF=ll({v($1B)-W9jf2(dKC9#|l+AOsc%N0#m7H%L*o# zQouKJ$z=1iO>PpN%a$4Ju4$^6`%MUYIc=^rp=T{)w z_GLqO?w9-1jbLukSF(ZDr2A96Q}+2otCHpi0s)G^Id~L0f*EnV`GyOLnW zBR7&%>a%^yV-FdBdLHZfq4ov#so=*s-{o0@8dlMLR}ikG7C*&?K8&5rm-v1(VP2;* zatWr?8b6mA-@;A(H9P<|;qmlb=$;xYyH1i~Li_e@3W6?2(dsq;!i=sR9F+e}FV=sG zq%PG=ATsLgq)ot68k8E6zp5%kSfNsGB;Sfd@Sf^A7%0ZGR9W)10LPgQ7CBGGmRERZ zoyK|n*Eje9FCGz!N<_-`mEGk@$f9ZcGUG1y_Wj>k1TmRFbpVExuru;SnuxdEq>s#<%BCLs61jHV=U_}9&TX=^EnwtON0(c1MjHwgN1{=`149< zM<<~fV*F!yZluMyAFr}Mw=3Y58F+n$b?la=Ly82Jn$(cGPH*$Ev4L^_;h06B82-XM zhf+P~q1EOS#_)0GU5@k5m_;cUGUP1S|H;<{gQ(w7&AUzLr7Z{HEQ2-45Q)~!{%9HL zlmMwMO1X0lFjI42Z*rVPS$VO$o#3yW9V$Q3{nGG_)vH)<&SorCLeMvyF8X1UgWd8O zu*=XHFpziV%px(ud@!A`*0+vSX5hk`$T$JE1F&B>4jvtOBWu%btEYnzyj z#erOwLR1u;%APiopL@1MFhPm_soL>cyVu^dHoxEB(Vf3~)P%i4Wk`Aq1}x6X+=JKQ zbV2O+eX+OQkvw)3lH7LNaB0DW0@i_R;38RfL`yU)jcF8{y_knb^^aWxTQ*fa$~kyY zr||9()2S?GZf{B`$;M_L;V#zX zy=)K0;&b!h7xqLZ8wtuYL<7>>!A9o^6Oy_Aysr1y?c$ou5)rOtJg5r=dZ_A_kn=Z_>vdwRCE7y*bo_20DR$%AqUg z!i_*?XLcw`!BbaJiQ;&L2mNkc924^~y(G+zFsGVb4*J~9N+b+ba5z?9JO2g6R@>#) zuA;Gcd@b(rRt~L%+(GgIEWU{H&I8MnfL80=4t0+)sbO|VN;h`0&K6hwRl!wd39^UA zuV7#1^yt0SH*2D)9b#=!2!gAyyQ%ztW{#N+o8wlYqTP~JKb57xse5>Bk7FYH@+nzK z!(%kuTLX;#ePDllptsx=#AN8vbO;!M*deRJ{5@#PY%q)30kUNdk5zYIGZ^wH{}`Ph zDYg82!7Ep3+gDkuHr2(J7M%Dibuqhy%qz93Rcg>lshC6#KfOUB-)(eZPD!cf2R`|q zG=HRz%dZW?1dBf(Pu1~nV>@_?ISCu!uM2Qstc(+ zoe1+%c&8SQd=mm8n+lbUeb`F?Ng{}(>s_Ev-!lyFcmjvNW;1B5aRoC?2<^8!d*}gtTv{8Q|0qX 
zr2>)6NcZdi;sqX?<`QVUd$O=sy>0;ADEbT8yxQ=gDuOyXKxs(-K{=#|h-h`SpAqK0xd~v<}HS`(7VitFxsDZ!N1{iIbXik3E0Bi8cr!p&8ro+g9)hf$8MY zuM|f0^50`fhcys(M+HSku}Vm5Cx?q!nHNDk=zB}B zi21_cIN5`Rxg|1Js@c#o$FM2Q%@ckVmmVe9=yH)>%{VF~$0U&RMB@5&oUlZ5(ut=x zWOv8dNM-5v)5mXYZu?4VZuCiSK6O*nY>jH&?4y5>puJMiC3vcR&!P|QIcu3yS%>Aj zvVv(e(7|cCTcPudv&fF%k%f$Z@W}SsU!6thKO-&v_Yuj|pzG+2^3=Cy?g%xy9uLoS zLi@%|1s}K^+rdD1qnoMNI2qJY^fr%brsr1lr*Dg*qRsW*i*0_!RmZHWa>6+X(U3P5 z+eAMFJ3B2CPwuX@8n+SOr6)4}2q>HR!7OW}tEkjGwA9r7FmE#BKyZ75Z}XswK2WJS znfZ9;b4s9@niL<<8GUJ_TynYg$D42MXCR+I}woiDOCA)71fr$o+2Ua9~sI|vTH2;dvQ_WcVs7p4!fQ0Ynp>jpd5i;wiX_t4Vea~}D z59!8@zUuFH)OGmCz(89&Zk=FRA_R84kO6z0n*(vs61U^y0>Y6ydE+vR(4Ar~|b9%$}H!b9Qll9d@N+CrhHPyJ9wU7Mz{^R#L+(HV}zOji$8 zI$k9BpX73l>H2|0>8I#-1DMTo0y4;F^qL)1E5Ed5Jc~MF$UA+|wFq-|pVO0(W=t-M zlc%?tSnAh|Jc+e2-sQQBCckWZ%5KJ6XF-r$`HBOYsg36L*L5H^Pk83ZxLp)Ch@HvU zMD>V!g++#3_Zfr!F^MdL6<-Zqm!dL2(o6I=4u9xXScg_dQ7ojjcHtY5PcFTAgU1(0 zb=3pwA^!!bt62P45}#dXvgA4?vVAN+s|a*jOD$i%EAyC=MD!eg*fz<93)fRnp*O$j zmf7*xK46&~n@;p1Egpa1nQ)_x3m(zVW|}c)y_-jT;q`Y-a(s*Xns}9jvZ`aH`6Q3l zUO#=&Z&iuQvhK<0-J)YA^i@FrnbjpL^EO`AS|xDMwKJSMFiv z|NLnA)5G4?A(Dx@xQEwF25O{fb3O3a6&b9R=e8IP)5tOH;U!R+?by@(r)kWN1Nl9- z6=Br{J@)CpkKZ5`oEGU0d2i;p?!;^bZ$9a)RyShi$yXlV_I+Mm;=@7%)c zIuQ{ZD-=Heq2K3{AOJIuJ0%m;8^1_87zYbf5KpD@xr*&=m9!QIy3#&ip);%W;@C}k z8ZQ$iH&btd&T~+1odmo$Hqr%n-Vb$0gpXHo0hnVz>uNh)UmbDM;C*DR`@B5U>p