From efc76fd052b29cc0b23f89868384587b7d809ac3 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 22 Feb 2013 02:36:41 -0500 Subject: [PATCH 01/31] Initial groundwork for analyzer actions in file analysis framework. --- src/CMakeLists.txt | 5 +++ src/binpac_bro.h | 2 ++ src/file_analysis.bif | 1 + src/file_analysis/Info.cc | 2 ++ src/file_analysis/analyzers/PE.cc | 34 +++++++++++++++++++++ src/file_analysis/analyzers/PE.h | 31 +++++++++++++++++++ src/file_analysis/analyzers/pe-analyzer.pac | 16 ++++++++++ src/file_analysis/analyzers/pe-file.pac | 26 ++++++++++++++++ src/file_analysis/analyzers/pe.pac | 20 ++++++++++++ 9 files changed, 137 insertions(+) create mode 100644 src/file_analysis/analyzers/PE.cc create mode 100644 src/file_analysis/analyzers/PE.h create mode 100644 src/file_analysis/analyzers/pe-analyzer.pac create mode 100644 src/file_analysis/analyzers/pe-file.pac create mode 100644 src/file_analysis/analyzers/pe.pac diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 16de055e11..9f8f4106ec 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -176,6 +176,7 @@ macro(BINPAC_TARGET pacFile) COMMAND ${BinPAC_EXE} ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR} -I ${CMAKE_CURRENT_SOURCE_DIR} + -I ${CMAKE_CURRENT_SOURCE_DIR}/file_analysis/analyzers ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile} DEPENDS ${BinPAC_EXE} ${pacFile} ${BINPAC_AUXSRC} ${ARGN} @@ -222,6 +223,9 @@ binpac_target(syslog.pac binpac_target(modbus.pac modbus-protocol.pac modbus-analyzer.pac) +binpac_target(file_analysis/analyzers/pe.pac + file_analysis/analyzers/pe-file.pac file_analysis/analyzers/pe-analyzer.pac) + ######################################################################## ## bro target @@ -453,6 +457,7 @@ set(bro_SRCS file_analysis/InfoTimer.cc file_analysis/Action.h file_analysis/Extract.cc + file_analysis/analyzers/PE.cc nb_dns.c digest.h diff --git a/src/binpac_bro.h b/src/binpac_bro.h index dcdbe94f57..1f63808c10 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h @@ -7,6 +7,7 @@ class PortVal; #include "util.h" #include "Analyzer.h" +#include "file_analysis/Action.h" #include "Val.h" #include "event.bif.func_h" @@ -15,6 +16,7 @@ class PortVal; namespace binpac { typedef Analyzer* BroAnalyzer; +typedef file_analysis::Action BroFileAnalyzer; typedef Val* BroVal; typedef PortVal* BroPortVal; typedef StringVal* BroStringVal; diff --git a/src/file_analysis.bif b/src/file_analysis.bif index 546ac5103c..9afa2d96ab 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -57,6 +57,7 @@ enum Trigger %{ enum Action %{ ACTION_EXTRACT, + ACTION_PE_ANALYZER, %} function FileAnalysis::postpone_timeout%(file_id: string%): bool diff --git a/src/file_analysis/Info.cc b/src/file_analysis/Info.cc index 60729cd590..e7d8f7ada0 100644 --- a/src/file_analysis/Info.cc +++ b/src/file_analysis/Info.cc @@ -7,12 +7,14 @@ #include "Action.h" #include "Extract.h" +#include "analyzers/PE.h" using namespace file_analysis; // keep in order w/ declared enum values in file_analysis.bif static ActionInstantiator action_factory[] = { Extract::Instantiate, + PE_Analyzer::Instantiate, }; static TableVal* empty_conn_id_set() diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc new file mode 100644 index 0000000000..66954ffa3e --- /dev/null +++ b/src/file_analysis/analyzers/PE.cc @@ -0,0 +1,34 @@ +#include + +#include "PE.h" +#include "pe_pac.h" +#include "util.h" + +using namespace file_analysis; + +PE_Analyzer::PE_Analyzer(Info* arg_info) + : Action(arg_info) + { + interp = new binpac::PE::File(this); + + // Close the reverse flow. + interp->FlowEOF(false); + } + +PE_Analyzer::~PE_Analyzer() + { + delete interp; + } + +Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info) + { + return new PE_Analyzer(info); + } + +void PE_Analyzer::DeliverStream(const u_char* data, uint64 len) + { + Action::DeliverStream(data, len); + + // Data is exclusively sent into the "up" flow. + interp->NewData(true, data, data + len); + } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h new file mode 100644 index 0000000000..34840c0e3b --- /dev/null +++ b/src/file_analysis/analyzers/PE.h @@ -0,0 +1,31 @@ +#ifndef FILE_ANALYSIS_PE_H +#define FILE_ANALYSIS_PE_H + +#include + +#include "Val.h" +#include "../Info.h" +#include "pe_pac.h" + +namespace file_analysis { + +/** + * An action to simply extract files to disk. + */ +class PE_Analyzer : Action { +public: + static Action* Instantiate(const RecordVal* args, Info* info); + + ~PE_Analyzer(); + + virtual void DeliverStream(const u_char* data, uint64 len); + +protected: + + PE_Analyzer(Info* arg_info); + binpac::PE::File* interp; +}; + +} // namespace file_analysis + +#endif diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac new file mode 100644 index 0000000000..1a295f2d30 --- /dev/null +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -0,0 +1,16 @@ + + +refine connection File += { + + function proc_sig(sig: bytestring) : bool + %{ + if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 ) + printf("yep: %s\n", ${sig}.data()); + return true; + %} + +}; + +refine typeattr DOSStub += &let { + proc : bool = $context.connection.proc_sig(signature); +}; diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac new file mode 100644 index 0000000000..4cec173ae3 --- /dev/null +++ b/src/file_analysis/analyzers/pe-file.pac @@ -0,0 +1,26 @@ + +type TheFile() = record { + barf: DOSStub; +} &byteorder=bigendian &length=-1; + +type DOSStub() = record { + signature : bytestring &length=2; + UsedBytesInTheLastPage : uint16; + FileSizeInPages : uint16; + NumberOfRelocationItems : uint16; + HeaderSizeInParagraphs : uint16; + MinimumExtraParagraphs : uint16; + MaximumExtraParagraphs : uint16; + InitialRelativeSS : uint16; + InitialSP : uint16; + Checksum : uint16; + InitialIP : uint16; + InitialRelativeCS : uint16; + AddressOfRelocationTable : uint16; + OverlayNumber : uint16; + Reserved : uint16[4]; + OEMid : uint16; + OEMinfo : uint16; + Reserved2 : uint16[10]; + AddressOfNewExeHeader : uint32; +} &byteorder=bigendian; \ No newline at end of file diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzers/pe.pac new file mode 100644 index 0000000000..be91643b21 --- /dev/null +++ b/src/file_analysis/analyzers/pe.pac @@ -0,0 +1,20 @@ +%include binpac.pac +%include bro.pac + +analyzer PE withcontext { + connection: File; + flow: Bytes; +}; + +connection File(bro_analyzer: BroFileAnalyzer) { + upflow = Bytes(true); + downflow = Bytes(false); +}; + +%include pe-file.pac + +flow Bytes(is_orig: bool) { + flowunit = TheFile() withcontext(connection, this); +} + +%include pe-analyzer.pac From b1f1b64ddea74d87dec665238ce7d02e58e1e243 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 14 Mar 2013 11:19:39 -0400 Subject: [PATCH 02/31] Checkpoint --- src/file_analysis/analyzers/PE.cc | 6 ++++-- src/file_analysis/analyzers/PE.h | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index 66954ffa3e..622cbb945f 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -7,7 +7,7 @@ using namespace file_analysis; PE_Analyzer::PE_Analyzer(Info* arg_info) - : Action(arg_info) + : Action(arg_info, BifEnum::FileAnalysis::ACTION_PE_ANALYZER) { interp = new binpac::PE::File(this); @@ -25,10 +25,12 @@ Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info) return new PE_Analyzer(info); } -void PE_Analyzer::DeliverStream(const u_char* data, uint64 len) +bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) { Action::DeliverStream(data, len); // Data is exclusively sent into the "up" flow. interp->NewData(true, data, data + len); + + return true; } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index 34840c0e3b..d511f3e9bf 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h @@ -18,7 +18,7 @@ public: ~PE_Analyzer(); - virtual void DeliverStream(const u_char* data, uint64 len); + virtual bool DeliverStream(const u_char* data, uint64 len); protected: From cb040b6da4bde97239552955d3a4c3af1e02dd56 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 1 Apr 2013 09:00:07 -0400 Subject: [PATCH 03/31] Checkpoint --- src/file_analysis.bif | 4 +++ src/file_analysis/ActionSet.cc | 4 +++ src/file_analysis/analyzers/PE.cc | 33 ++++++++++++++------- src/file_analysis/analyzers/PE.h | 8 +++-- src/file_analysis/analyzers/pe-analyzer.pac | 18 ++++++++--- src/file_analysis/analyzers/pe-file.pac | 6 ++-- src/file_analysis/analyzers/pe.pac | 14 ++++----- 7 files changed, 60 insertions(+), 27 deletions(-) diff --git a/src/file_analysis.bif b/src/file_analysis.bif index ba62e58855..6ded10b251 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -125,3 +125,7 @@ function FileAnalysis::eof%(source: string%): any file_mgr->EndOfFile(source->CheckString()); return 0; %} + +# Define file analysis framework events. + +event FileAnalysis::windows_pe_sig%(fi: FileAnalysis::Info, sig: string%); diff --git a/src/file_analysis/ActionSet.cc b/src/file_analysis/ActionSet.cc index 51cab26478..dabda1c931 100644 --- a/src/file_analysis/ActionSet.cc +++ b/src/file_analysis/ActionSet.cc @@ -5,6 +5,8 @@ #include "DataEvent.h" #include "Hash.h" +#include "analyzers/PE.h" + using namespace file_analysis; // keep in order w/ declared enum values in file_analysis.bif @@ -14,6 +16,8 @@ static ActionInstantiator action_factory[] = { SHA1::Instantiate, SHA256::Instantiate, DataEvent::Instantiate, + + PE_Analyzer::Instantiate, }; static void action_del_func(void* v) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index 622cbb945f..e5b924e9fb 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -6,13 +6,11 @@ using namespace file_analysis; -PE_Analyzer::PE_Analyzer(Info* arg_info) - : Action(arg_info, BifEnum::FileAnalysis::ACTION_PE_ANALYZER) +PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info, uint64 fsize) + : Action(args, info) { - interp = new binpac::PE::File(this); - - // Close the reverse flow. - interp->FlowEOF(false); + conn = new binpac::PE::MockConnection(this); + interp = new binpac::PE::File(conn, fsize); } PE_Analyzer::~PE_Analyzer() @@ -20,17 +18,32 @@ PE_Analyzer::~PE_Analyzer() delete interp; } -Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info) +Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info) { - return new PE_Analyzer(info); + using BifType::Record::FileAnalysis::Info; + const char* field = "total_bytes"; + Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field)); + if ( ! filesize ) + // TODO: this should be a reporter message? or better yet stop relying on the file size. + return 0; + + bro_uint_t fsize = filesize->AsCount(); + return new PE_Analyzer(args, info, fsize); } bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) { Action::DeliverStream(data, len); - // Data is exclusively sent into the "up" flow. - interp->NewData(true, data, data + len); + try + { + interp->NewData(data, data + len); + } + catch ( const binpac::Exception& e ) + { + printf("Binpac exception: %s\n", e.c_msg()); + } + return true; } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index d511f3e9bf..95b5083aff 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h @@ -14,16 +14,18 @@ namespace file_analysis { */ class PE_Analyzer : Action { public: - static Action* Instantiate(const RecordVal* args, Info* info); + static Action* Instantiate(RecordVal* args, Info* info); ~PE_Analyzer(); virtual bool DeliverStream(const u_char* data, uint64 len); protected: - - PE_Analyzer(Info* arg_info); + PE_Analyzer(RecordVal* args, Info* info, uint64 fsize); binpac::PE::File* interp; + binpac::PE::MockConnection* conn; + + uint64 fsize; }; } // namespace file_analysis diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index 1a295f2d30..77edfa3434 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -1,16 +1,26 @@ +%extern{ +#include "Event.h" +#include "file_analysis.bif.func_h" +%} -refine connection File += { +refine flow File += { function proc_sig(sig: bytestring) : bool %{ - if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 ) - printf("yep: %s\n", ${sig}.data()); + //val_list* vl = new val_list; + //StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin()); + //vl->append(sigval); + //mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl); + + BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(), + (Val *) connection()->bro_analyzer()->GetInfo(), + new StringVal(${sig}.length(), (const char*) ${sig}.begin())); return true; %} }; refine typeattr DOSStub += &let { - proc : bool = $context.connection.proc_sig(signature); + proc : bool = $context.flow.proc_sig(signature); }; diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 4cec173ae3..33cd1270f7 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -1,7 +1,7 @@ -type TheFile() = record { - barf: DOSStub; -} &byteorder=bigendian &length=-1; +type TheFile(fsize: uint64) = record { + dos_stub: DOSStub; +} &byteorder=bigendian &length=fsize; type DOSStub() = record { signature : bytestring &length=2; diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzers/pe.pac index be91643b21..9cd4f4f112 100644 --- a/src/file_analysis/analyzers/pe.pac +++ b/src/file_analysis/analyzers/pe.pac @@ -2,19 +2,19 @@ %include bro.pac analyzer PE withcontext { - connection: File; - flow: Bytes; + connection: MockConnection; + flow: File; }; -connection File(bro_analyzer: BroFileAnalyzer) { - upflow = Bytes(true); - downflow = Bytes(false); +connection MockConnection(bro_analyzer: BroFileAnalyzer) { + upflow = File(0); + downflow = File(0); }; %include pe-file.pac -flow Bytes(is_orig: bool) { - flowunit = TheFile() withcontext(connection, this); +flow File(fsize: uint64) { + flowunit = TheFile(fsize) withcontext(connection, this); } %include pe-analyzer.pac From d19b8b0266d6d8581792189d5ab0161ed15bb11b Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 3 Apr 2013 00:51:33 -0400 Subject: [PATCH 04/31] Checkpoint for discussion. --- src/file_analysis.bif | 3 ++- src/file_analysis/analyzers/pe-analyzer.pac | 16 ++++++---------- src/file_analysis/analyzers/pe-file.pac | 5 +++-- 3 files changed, 11 insertions(+), 13 deletions(-) diff --git a/src/file_analysis.bif b/src/file_analysis.bif index 6ded10b251..89845e6f2c 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -128,4 +128,5 @@ function FileAnalysis::eof%(source: string%): any # Define file analysis framework events. -event FileAnalysis::windows_pe_sig%(fi: FileAnalysis::Info, sig: string%); +#event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%); +event FileAnalysis::windows_pe_dosstub%(checksum: count%); diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index 77edfa3434..63f722b18c 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -6,21 +6,17 @@ refine flow File += { - function proc_sig(sig: bytestring) : bool + function proc_dosstub(stub: DOSStub) : bool %{ - //val_list* vl = new val_list; - //StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin()); - //vl->append(sigval); - //mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl); - - BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(), - (Val *) connection()->bro_analyzer()->GetInfo(), - new StringVal(${sig}.length(), (const char*) ${sig}.begin())); + BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), + //(Val *) connection()->bro_analyzer()->GetInfo(), + //new StringVal(${stub.signature}.length(), (const char*) ${stub.signature}.begin()), + ${stub.HeaderSizeInParagraphs}); return true; %} }; refine typeattr DOSStub += &let { - proc : bool = $context.flow.proc_sig(signature); + proc : bool = $context.flow.proc_dosstub(this); }; diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 33cd1270f7..50647b7275 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -1,7 +1,8 @@ type TheFile(fsize: uint64) = record { dos_stub: DOSStub; -} &byteorder=bigendian &length=fsize; + blah: bytestring &length=1316134912 &transient; +} &transient &byteorder=littleendian; type DOSStub() = record { signature : bytestring &length=2; @@ -23,4 +24,4 @@ type DOSStub() = record { OEMinfo : uint16; Reserved2 : uint16[10]; AddressOfNewExeHeader : uint32; -} &byteorder=bigendian; \ No newline at end of file +} &byteorder=littleendian &length=64; From 8beb75d985553a6a3cf36b0794f45fd494957e3a Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 10 Apr 2013 22:57:54 -0400 Subject: [PATCH 05/31] Checkpoint. --- src/file_analysis.bif | 2 + src/file_analysis/ActionSet.cc | 2 + src/file_analysis/analyzers/PE.cc | 22 +++---- src/file_analysis/analyzers/PE.h | 4 +- src/file_analysis/analyzers/pe-analyzer.pac | 23 +++++-- src/file_analysis/analyzers/pe-file.pac | 73 +++++++++++++++++++-- src/file_analysis/analyzers/pe.pac | 8 +-- 7 files changed, 107 insertions(+), 27 deletions(-) diff --git a/src/file_analysis.bif b/src/file_analysis.bif index df4ed98a53..43aab3bb4f 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -153,3 +153,5 @@ function FileAnalysis::__eof%(source: string%): any #event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%); event FileAnalysis::windows_pe_dosstub%(checksum: count%); +event FileAnalysis::windows_pe_timestamp%(ts: time%); + diff --git a/src/file_analysis/ActionSet.cc b/src/file_analysis/ActionSet.cc index 314650a210..d7b1dc9d11 100644 --- a/src/file_analysis/ActionSet.cc +++ b/src/file_analysis/ActionSet.cc @@ -16,6 +16,8 @@ static ActionInstantiator action_factory[] = { file_analysis::SHA1::Instantiate, file_analysis::SHA256::Instantiate, file_analysis::DataEvent::Instantiate, + + PE_Analyzer::Instantiate, }; static void action_del_func(void* v) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index e5b924e9fb..daf679ce82 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -6,11 +6,11 @@ using namespace file_analysis; -PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info, uint64 fsize) +PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info) : Action(args, info) { conn = new binpac::PE::MockConnection(this); - interp = new binpac::PE::File(conn, fsize); + interp = new binpac::PE::File(conn); } PE_Analyzer::~PE_Analyzer() @@ -21,14 +21,14 @@ PE_Analyzer::~PE_Analyzer() Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info) { using BifType::Record::FileAnalysis::Info; - const char* field = "total_bytes"; - Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field)); - if ( ! filesize ) - // TODO: this should be a reporter message? or better yet stop relying on the file size. - return 0; - - bro_uint_t fsize = filesize->AsCount(); - return new PE_Analyzer(args, info, fsize); + //const char* field = "total_bytes"; + //Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field)); + //if ( ! filesize ) + // // TODO: this should be a reporter message? or better yet stop relying on the file size. + // return 0; +// + //bro_uint_t fsize = filesize->AsCount(); + return new PE_Analyzer(args, info); } bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) @@ -42,8 +42,8 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) catch ( const binpac::Exception& e ) { printf("Binpac exception: %s\n", e.c_msg()); + return false; } - return true; } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index 95b5083aff..34a76e7e00 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h @@ -21,11 +21,9 @@ public: virtual bool DeliverStream(const u_char* data, uint64 len); protected: - PE_Analyzer(RecordVal* args, Info* info, uint64 fsize); + PE_Analyzer(RecordVal* args, Info* info); binpac::PE::File* interp; binpac::PE::MockConnection* conn; - - uint64 fsize; }; } // namespace file_analysis diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index 63f722b18c..d0407f348a 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -6,17 +6,30 @@ refine flow File += { - function proc_dosstub(stub: DOSStub) : bool + function proc_dos_header(h: DOS_Header) : bool %{ BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), //(Val *) connection()->bro_analyzer()->GetInfo(), - //new StringVal(${stub.signature}.length(), (const char*) ${stub.signature}.begin()), - ${stub.HeaderSizeInParagraphs}); + //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()), + ${h.AddressOfNewExeHeader}-64); return true; %} + function proc_pe_header(h: IMAGE_NT_HEADERS) : bool + %{ + BifEvent::FileAnalysis::generate_windows_pe_timestamp((Analyzer *) connection()->bro_analyzer(), + //(Val *) connection()->bro_analyzer()->GetInfo(), + //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()), + ${h.FileHeader.TimeDateStamp}); + return true; + %} }; -refine typeattr DOSStub += &let { - proc : bool = $context.flow.proc_dosstub(this); +refine typeattr DOS_Header += &let { + proc : bool = $context.flow.proc_dos_header(this); }; + +refine typeattr IMAGE_NT_HEADERS += &let { + proc : bool = $context.flow.proc_pe_header(this); +}; + diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 50647b7275..5854fd2bd8 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -1,10 +1,14 @@ -type TheFile(fsize: uint64) = record { - dos_stub: DOSStub; - blah: bytestring &length=1316134912 &transient; +type TheFile = record { + dos_header : DOS_Header; + dos_code : bytestring &length=(dos_header.AddressOfNewExeHeader - 64); + pe_header : IMAGE_NT_HEADERS; + pad : bytestring &length=1316134912 &transient; +} &let { + dos_code_len: uint32 = (dos_header.AddressOfNewExeHeader - 64); } &transient &byteorder=littleendian; -type DOSStub() = record { +type DOS_Header = record { signature : bytestring &length=2; UsedBytesInTheLastPage : uint16; FileSizeInPages : uint16; @@ -25,3 +29,64 @@ type DOSStub() = record { Reserved2 : uint16[10]; AddressOfNewExeHeader : uint32; } &byteorder=littleendian &length=64; + +type IMAGE_NT_HEADERS = record { + PESignature : uint32; + FileHeader : IMAGE_FILE_HEADER; + OptionalHeader : OPTIONAL_HEADER(FileHeader.SizeOfOptionalHeader); +} &byteorder=littleendian &length=FileHeader.SizeOfOptionalHeader+offsetof(OptionalHeader); + +type IMAGE_FILE_HEADER = record { + Machine : uint16; + NumberOfSections : uint16; + TimeDateStamp : uint32; + PointerToSymbolTable : uint32; + NumberOfSymbols : uint32; + SizeOfOptionalHeader : uint16; + Characteristics : uint16; +}; + +type OPTIONAL_HEADER(len: uint16) = record { + OptionalHeaderMagic : uint16; + Header : case OptionalHeaderMagic of { + 0x0b01 -> OptionalHeader32 : IMAGE_OPTIONAL_HEADER32; + 0x0b02 -> OptionalHeader64 : IMAGE_OPTIONAL_HEADER64; + default -> InvalidPEFile : bytestring &restofdata; + }; +} &length=len; + +type IMAGE_OPTIONAL_HEADER32 = record { + major_linker_version : uint8; + minor_linker_version : uint8; + size_of_code : uint32; + size_of_init_data : uint32; + size_of_uninit_data : uint32; + addr_of_entry_point : uint32; + base_of_code : uint32; + base_of_data : uint32; + image_base : uint32; + section_alignment : uint32; + file_alignment : uint32; + os_version_major : uint16; + os_version_minor : uint16; + major_image_version : uint16; + minor_image_version : uint16; + major_subsys_version : uint16; + minor_subsys_version : uint16; + win32_version : uint32; + size_of_image : uint32; + size_of_headers : uint32; + checksum : uint32; + subsystem : uint16; + dll_characteristics : uint16; + size_of_stack_reserve : uint32; + size_of_stack_commit : uint32; + size_of_heap_reserve : uint32; + size_of_heap_commit : uint32; + loader_flags : uint32; + number_of_rva_and_sizes : uint32; +} &byteorder=littleendian; + +type IMAGE_OPTIONAL_HEADER64 = record { + +} &byteorder=littleendian; diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzers/pe.pac index 9cd4f4f112..8a20fa3c62 100644 --- a/src/file_analysis/analyzers/pe.pac +++ b/src/file_analysis/analyzers/pe.pac @@ -7,14 +7,14 @@ analyzer PE withcontext { }; connection MockConnection(bro_analyzer: BroFileAnalyzer) { - upflow = File(0); - downflow = File(0); + upflow = File; + downflow = File; }; %include pe-file.pac -flow File(fsize: uint64) { - flowunit = TheFile(fsize) withcontext(connection, this); +flow File { + flowunit = TheFile withcontext(connection, this); } %include pe-analyzer.pac From 4cc9ca424322be2f53cf950f35eebe78c929f671 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 24 Apr 2013 12:56:20 -0400 Subject: [PATCH 06/31] Checkpoint --- scripts/base/init-bare.bro | 14 ++++ src/event.bif | 6 ++ src/file_analysis.bif | 7 -- src/file_analysis/ActionSet.cc | 2 +- src/file_analysis/analyzers/PE.cc | 33 +++++--- src/file_analysis/analyzers/PE.h | 9 ++- src/file_analysis/analyzers/pe-analyzer.pac | 56 ++++++++++--- src/file_analysis/analyzers/pe-file.pac | 89 +++++++++++++++------ src/types.bif | 5 ++ 9 files changed, 161 insertions(+), 60 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 7f4d29d26b..8a82fb98b3 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2486,6 +2486,20 @@ type irc_join_info: record { ## .. bro:see:: irc_join_message type irc_join_list: set[irc_join_info]; +## Record for Portable Executable (PE) section headers. +type PESectionHeader: record { + name : string; + virtual_size : count; + virtual_addr : count; + size_of_raw_data : count; + ptr_to_raw_data : count; + non_used_ptr_to_relocs : count; + non_used_ptr_to_line_nums : count; + non_used_num_of_relocs : count; + non_used_num_of_line_nums : count; + characteristics : count; +}; + ## Deprecated. ## ## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere diff --git a/src/event.bif b/src/event.bif index 08a2b64a84..fc9ca8df6a 100644 --- a/src/event.bif +++ b/src/event.bif @@ -7026,6 +7026,12 @@ event file_state_remove%(f: fa_file%); ## FileAnalysis::ACTION_SHA1 FileAnalysis::ACTION_SHA256 event file_hash%(f: fa_file, kind: string, hash: string%); + +event file_pe_dosstub%(f: fa_file, checksum: count%); +event file_pe_timestamp%(f: fa_file, ts: time%); +event file_pe_section_header%(f: fa_file, h: PESectionHeader%); + + ## Deprecated. Will be removed. event stp_create_endp%(c: connection, e: int, is_orig: bool%); diff --git a/src/file_analysis.bif b/src/file_analysis.bif index f7fbe14de9..b3e34f93d2 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -97,10 +97,3 @@ function set_file_handle%(handle: string%): any file_mgr->SetHandle(handle->CheckString()); return 0; %} - -# Define file analysis framework events. - -#event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%); -event FileAnalysis::windows_pe_dosstub%(checksum: count%); -event FileAnalysis::windows_pe_timestamp%(ts: time%); - diff --git a/src/file_analysis/ActionSet.cc b/src/file_analysis/ActionSet.cc index fd7fa883eb..d8d057bec5 100644 --- a/src/file_analysis/ActionSet.cc +++ b/src/file_analysis/ActionSet.cc @@ -17,7 +17,7 @@ static ActionInstantiator action_factory[] = { file_analysis::SHA256::Instantiate, file_analysis::DataEvent::Instantiate, - PE_Analyzer::Instantiate, + file_analysis::PE_Analyzer::Instantiate, }; static void action_del_func(void* v) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index daf679ce82..c15b6ba739 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -3,14 +3,16 @@ #include "PE.h" #include "pe_pac.h" #include "util.h" +#include "Event.h" using namespace file_analysis; -PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info) - : Action(args, info) +PE_Analyzer::PE_Analyzer(RecordVal* args, File* file) + : Action(args, file) { conn = new binpac::PE::MockConnection(this); interp = new binpac::PE::File(conn); + done=false; } PE_Analyzer::~PE_Analyzer() @@ -18,23 +20,21 @@ PE_Analyzer::~PE_Analyzer() delete interp; } -Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info) +Action* PE_Analyzer::Instantiate(RecordVal* args, File* file) { - using BifType::Record::FileAnalysis::Info; - //const char* field = "total_bytes"; - //Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field)); - //if ( ! filesize ) - // // TODO: this should be a reporter message? or better yet stop relying on the file size. - // return 0; -// - //bro_uint_t fsize = filesize->AsCount(); - return new PE_Analyzer(args, info); + return new PE_Analyzer(args, file); } bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) { - Action::DeliverStream(data, len); + printf("deliver stream\n"); + if (done) + { + printf("analyzer done\n"); + return false; + } + Action::DeliverStream(data, len); try { interp->NewData(data, data + len); @@ -47,3 +47,10 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) return true; } + +bool PE_Analyzer::EndOfFile() + { + printf("end of file!\n"); + done=true; + return false; + } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index 34a76e7e00..6f25e19723 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h @@ -4,7 +4,7 @@ #include #include "Val.h" -#include "../Info.h" +#include "../File.h" #include "pe_pac.h" namespace file_analysis { @@ -14,16 +14,19 @@ namespace file_analysis { */ class PE_Analyzer : Action { public: - static Action* Instantiate(RecordVal* args, Info* info); + static Action* Instantiate(RecordVal* args, File* file); ~PE_Analyzer(); virtual bool DeliverStream(const u_char* data, uint64 len); + virtual bool EndOfFile(); + protected: - PE_Analyzer(RecordVal* args, Info* info); + PE_Analyzer(RecordVal* args, File* file); binpac::PE::File* interp; binpac::PE::MockConnection* conn; + bool done; }; } // namespace file_analysis diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index d0407f348a..18efc1d54a 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -1,26 +1,55 @@ %extern{ #include "Event.h" +#include "file_analysis/File.h" #include "file_analysis.bif.func_h" %} refine flow File += { - function proc_dos_header(h: DOS_Header) : bool + function proc_the_file(): bool %{ - BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), - //(Val *) connection()->bro_analyzer()->GetInfo(), - //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()), - ${h.AddressOfNewExeHeader}-64); + printf("ending the flow!\n"); + connection()->bro_analyzer()->EndOfFile(); + connection()->FlowEOF(true); + connection()->FlowEOF(false); return true; %} - function proc_pe_header(h: IMAGE_NT_HEADERS) : bool + function proc_dos_header(h: DOS_Header): bool %{ - BifEvent::FileAnalysis::generate_windows_pe_timestamp((Analyzer *) connection()->bro_analyzer(), - //(Val *) connection()->bro_analyzer()->GetInfo(), - //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()), - ${h.FileHeader.TimeDateStamp}); + BifEvent::generate_file_pe_dosstub((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + ${h.AddressOfNewExeHeader}-64); + return true; + %} + + function proc_pe_header(h: IMAGE_NT_HEADERS): bool + %{ + BifEvent::generate_file_pe_timestamp((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + ${h.file_header.TimeDateStamp}); + return true; + %} + + + function proc_section_header(h: IMAGE_SECTION_HEADER): bool + %{ + RecordVal* section_header = new RecordVal(BifType::Record::PESectionHeader); + section_header->Assign(0, new StringVal(${h.name}.length(), (const char*) ${h.name}.data())); + section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT)); + section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT)); + section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT)); + section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT)); + section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT)); + section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT)); + section_header->Assign(7, new Val(${h.non_used_num_of_relocs}, TYPE_COUNT)); + section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT)); + section_header->Assign(9, new Val(${h.characteristics}, TYPE_COUNT)); + + BifEvent::generate_file_pe_section_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + section_header); return true; %} }; @@ -33,3 +62,10 @@ refine typeattr IMAGE_NT_HEADERS += &let { proc : bool = $context.flow.proc_pe_header(this); }; +refine typeattr IMAGE_SECTION_HEADER += &let { + proc: bool = $context.flow.proc_section_header(this); +}; + +refine typeattr TheFile += &let { + proc: bool = $context.flow.proc_the_file(); +}; \ No newline at end of file diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 5854fd2bd8..bedfb35204 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -1,12 +1,15 @@ type TheFile = record { - dos_header : DOS_Header; - dos_code : bytestring &length=(dos_header.AddressOfNewExeHeader - 64); - pe_header : IMAGE_NT_HEADERS; - pad : bytestring &length=1316134912 &transient; + dos_header : DOS_Header; + dos_code : bytestring &length=dos_code_len; + pe_header : IMAGE_NT_HEADERS; + sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; + #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); + #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; + #pad : bytestring &restofdata; } &let { - dos_code_len: uint32 = (dos_header.AddressOfNewExeHeader - 64); -} &transient &byteorder=littleendian; + dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; +} &byteorder=littleendian; type DOS_Header = record { signature : bytestring &length=2; @@ -32,9 +35,9 @@ type DOS_Header = record { type IMAGE_NT_HEADERS = record { PESignature : uint32; - FileHeader : IMAGE_FILE_HEADER; - OptionalHeader : OPTIONAL_HEADER(FileHeader.SizeOfOptionalHeader); -} &byteorder=littleendian &length=FileHeader.SizeOfOptionalHeader+offsetof(OptionalHeader); + file_header : IMAGE_FILE_HEADER; + OptionalHeader : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader); +} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(OptionalHeader); type IMAGE_FILE_HEADER = record { Machine : uint16; @@ -46,16 +49,8 @@ type IMAGE_FILE_HEADER = record { Characteristics : uint16; }; -type OPTIONAL_HEADER(len: uint16) = record { - OptionalHeaderMagic : uint16; - Header : case OptionalHeaderMagic of { - 0x0b01 -> OptionalHeader32 : IMAGE_OPTIONAL_HEADER32; - 0x0b02 -> OptionalHeader64 : IMAGE_OPTIONAL_HEADER64; - default -> InvalidPEFile : bytestring &restofdata; - }; -} &length=len; - -type IMAGE_OPTIONAL_HEADER32 = record { +type IMAGE_OPTIONAL_HEADER(len: uint16) = record { + magic : uint16; major_linker_version : uint8; minor_linker_version : uint8; size_of_code : uint32; @@ -79,14 +74,56 @@ type IMAGE_OPTIONAL_HEADER32 = record { checksum : uint32; subsystem : uint16; dll_characteristics : uint16; - size_of_stack_reserve : uint32; - size_of_stack_commit : uint32; - size_of_heap_reserve : uint32; - size_of_heap_commit : uint32; + mem: case magic of { + 0x0b01 -> i32 : MEM_INFO32; + 0x0b02 -> i64 : MEM_INFO64; + default -> InvalidPEFile : bytestring &length=0; + }; loader_flags : uint32; number_of_rva_and_sizes : uint32; -} &byteorder=littleendian; +} &byteorder=littleendian &length=len; -type IMAGE_OPTIONAL_HEADER64 = record { +type MEM_INFO32 = record { + size_of_stack_reserve : uint32; + size_of_stack_commit : uint32; + size_of_heap_reserve : uint32; + size_of_heap_commit : uint32; +} &byteorder=littleendian &length=16; -} &byteorder=littleendian; +type MEM_INFO64 = record { + size_of_stack_reserve : uint64; + size_of_stack_commit : uint64; + size_of_heap_reserve : uint64; + size_of_heap_commit : uint64; +} &byteorder=littleendian &length=32; + +type IMAGE_SECTION_HEADER = record { + name : bytestring &length=8; + virtual_size : uint32; + virtual_addr : uint32; + size_of_raw_data : uint32; + ptr_to_raw_data : uint32; + non_used_ptr_to_relocs : uint32; + non_used_ptr_to_line_nums : uint32; + non_used_num_of_relocs : uint16; + non_used_num_of_line_nums : uint16; + characteristics : uint32; +} &byteorder=littleendian &length=40; + + +type IMAGE_DATA_DIRECTORY = record { + virtual_address : uint32; + size : uint16; +}; + +type IMAGE_IMPORT_DIRECTORY = record { + rva_import_lookup_table : uint32; + time_date_stamp : uint32; + forwarder_chain : uint32; + rva_module_name : uint32; + rva_import_addr_table : uint32; +}; + +type DATA_SECTIONS = record { + blah: bytestring &length=10; +}; \ No newline at end of file diff --git a/src/types.bif b/src/types.bif index b69239487b..4999e221e5 100644 --- a/src/types.bif +++ b/src/types.bif @@ -163,6 +163,8 @@ type ModbusHeaders: record; type ModbusCoils: vector; type ModbusRegisters: vector; +type PESectionHeader: record; + module Log; enum Writer %{ @@ -248,6 +250,9 @@ enum Action %{ ## Deliver the file contents to the script-layer in an event. ACTION_DATA_EVENT, + + ## Windows executable analyzer + ACTION_PE_ANALYZER, %} module GLOBAL; From 317252b5aeec2c1e04c46a8bb37af53f6d1e5270 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 25 Apr 2013 13:44:12 -0400 Subject: [PATCH 07/31] Another checkpoint --- scripts/base/init-bare.bro | 35 +++++++++++++++++++++ src/binpac_bro.h | 4 +-- src/file_analysis/AnalyzerSet.cc | 2 ++ src/file_analysis/analyzers/PE.cc | 29 ++++++----------- src/file_analysis/analyzers/PE.h | 9 +++--- src/file_analysis/analyzers/pe-analyzer.pac | 5 +-- src/file_analysis/analyzers/pe-file.pac | 7 ++--- src/types.bif | 4 +++ 8 files changed, 62 insertions(+), 33 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b8993606d3..e99feeef76 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2489,6 +2489,41 @@ type irc_join_info: record { ## .. bro:see:: irc_join_message type irc_join_list: set[irc_join_info]; +type PEHeader: record { +# Machine : count; +# TimeDateStamp : time; +# magic : uint16; +# major_linker_version : uint8; +# minor_linker_version : uint8; +# size_of_code : uint32; +# size_of_init_data : uint32; +# size_of_uninit_data : uint32; +# addr_of_entry_point : uint32; +# base_of_code : uint32; +# base_of_data : uint32; +# image_base : uint32; +# section_alignment : uint32; +# file_alignment : uint32; +# os_version_major : uint16; +# os_version_minor : uint16; +# major_image_version : uint16; +# minor_image_version : uint16; +# major_subsys_version : uint16; +# minor_subsys_version : uint16; +# win32_version : uint32; +# size_of_image : uint32; +# checksum : uint32; +# subsystem : uint16; +# mem: case magic of { +# 0x0b01 -> i32 : MEM_INFO32; +# 0x0b02 -> i64 : MEM_INFO64; +# default -> InvalidPEFile : empty; +# }; +# loader_flags : uint32; +# number_of_rva_and_sizes : uint32; +# +}; + ## Record for Portable Executable (PE) section headers. type PESectionHeader: record { name : string; diff --git a/src/binpac_bro.h b/src/binpac_bro.h index 1f63808c10..03857179f1 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h @@ -7,7 +7,7 @@ class PortVal; #include "util.h" #include "Analyzer.h" -#include "file_analysis/Action.h" +#include "file_analysis/Analyzer.h" #include "Val.h" #include "event.bif.func_h" @@ -16,7 +16,7 @@ class PortVal; namespace binpac { typedef Analyzer* BroAnalyzer; -typedef file_analysis::Action BroFileAnalyzer; +typedef file_analysis::Analyzer BroFileAnalyzer; typedef Val* BroVal; typedef PortVal* BroPortVal; typedef StringVal* BroStringVal; diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index bdf23c2446..5959279f61 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc @@ -4,6 +4,7 @@ #include "Extract.h" #include "DataEvent.h" #include "Hash.h" +#include "analyzers/PE.h" using namespace file_analysis; @@ -14,6 +15,7 @@ static AnalyzerInstantiator analyzer_factory[] = { file_analysis::SHA1::Instantiate, file_analysis::SHA256::Instantiate, file_analysis::DataEvent::Instantiate, + file_analysis::PE::Instantiate, }; static void analyzer_del_func(void* v) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index c15b6ba739..662ea1f3e4 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -7,38 +7,29 @@ using namespace file_analysis; -PE_Analyzer::PE_Analyzer(RecordVal* args, File* file) - : Action(args, file) +PE::PE(RecordVal* args, File* file) + : file_analysis::Analyzer(args, file) { conn = new binpac::PE::MockConnection(this); interp = new binpac::PE::File(conn); done=false; } -PE_Analyzer::~PE_Analyzer() +PE::~PE() { delete interp; } -Action* PE_Analyzer::Instantiate(RecordVal* args, File* file) +bool PE::DeliverStream(const u_char* data, uint64 len) { - return new PE_Analyzer(args, file); - } - -bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) - { - printf("deliver stream\n"); - if (done) - { - printf("analyzer done\n"); - return false; - } - - Action::DeliverStream(data, len); try { interp->NewData(data, data + len); } + catch ( const binpac::HaltParser &e ) + { + return false; + } catch ( const binpac::Exception& e ) { printf("Binpac exception: %s\n", e.c_msg()); @@ -48,9 +39,9 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) return true; } -bool PE_Analyzer::EndOfFile() +bool PE::EndOfFile() { printf("end of file!\n"); - done=true; + //throw binpac::HaltParser(); return false; } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index 6f25e19723..1fd67c22db 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h @@ -12,18 +12,19 @@ namespace file_analysis { /** * An action to simply extract files to disk. */ -class PE_Analyzer : Action { +class PE : public file_analysis::Analyzer { public: - static Action* Instantiate(RecordVal* args, File* file); + ~PE(); - ~PE_Analyzer(); + static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) + { return new PE(args, file); } virtual bool DeliverStream(const u_char* data, uint64 len); virtual bool EndOfFile(); protected: - PE_Analyzer(RecordVal* args, File* file); + PE(RecordVal* args, File* file); binpac::PE::File* interp; binpac::PE::MockConnection* conn; bool done; diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index 18efc1d54a..fdba29a5bb 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -9,10 +9,7 @@ refine flow File += { function proc_the_file(): bool %{ - printf("ending the flow!\n"); - connection()->bro_analyzer()->EndOfFile(); - connection()->FlowEOF(true); - connection()->FlowEOF(false); + throw binpac::HaltParser(); return true; %} diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index bedfb35204..84b26381b4 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -6,7 +6,6 @@ type TheFile = record { sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; - #pad : bytestring &restofdata; } &let { dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; } &byteorder=littleendian; @@ -75,9 +74,9 @@ type IMAGE_OPTIONAL_HEADER(len: uint16) = record { subsystem : uint16; dll_characteristics : uint16; mem: case magic of { - 0x0b01 -> i32 : MEM_INFO32; - 0x0b02 -> i64 : MEM_INFO64; - default -> InvalidPEFile : bytestring &length=0; + 0x0b01 -> i32 : MEM_INFO32; + 0x0b02 -> i64 : MEM_INFO64; + default -> InvalidPEFile : empty; }; loader_flags : uint32; number_of_rva_and_sizes : uint32; diff --git a/src/types.bif b/src/types.bif index fa9539dcbc..ca84794865 100644 --- a/src/types.bif +++ b/src/types.bif @@ -163,6 +163,7 @@ type ModbusHeaders: record; type ModbusCoils: vector; type ModbusRegisters: vector; +type PEHeader: record; type PESectionHeader: record; module Log; @@ -250,6 +251,9 @@ enum Analyzer %{ ## Deliver the file contents to the script-layer in an event. ANALYZER_DATA_EVENT, + + ## Pass the file to the PE analyzer. + ANALYZER_PE, %} module GLOBAL; From d1dd4cb688d1c3f63ddd00fc465a75a4f9999f64 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 15 May 2013 21:33:14 -0400 Subject: [PATCH 08/31] PE analyzer checkpoint --- scripts/base/init-bare.bro | 96 +++++++---- scripts/base/init-default.bro | 2 + src/event.bif | 8 +- src/file_analysis/analyzers/PE.cc | 2 - src/file_analysis/analyzers/pe-analyzer.pac | 168 +++++++++++++++++--- src/file_analysis/analyzers/pe-file.pac | 12 +- src/types.bif | 6 +- 7 files changed, 224 insertions(+), 70 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index e99feeef76..3150dfc9e0 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2489,43 +2489,67 @@ type irc_join_info: record { ## .. bro:see:: irc_join_message type irc_join_list: set[irc_join_info]; -type PEHeader: record { -# Machine : count; -# TimeDateStamp : time; -# magic : uint16; -# major_linker_version : uint8; -# minor_linker_version : uint8; -# size_of_code : uint32; -# size_of_init_data : uint32; -# size_of_uninit_data : uint32; -# addr_of_entry_point : uint32; -# base_of_code : uint32; -# base_of_data : uint32; -# image_base : uint32; -# section_alignment : uint32; -# file_alignment : uint32; -# os_version_major : uint16; -# os_version_minor : uint16; -# major_image_version : uint16; -# minor_image_version : uint16; -# major_subsys_version : uint16; -# minor_subsys_version : uint16; -# win32_version : uint32; -# size_of_image : uint32; -# checksum : uint32; -# subsystem : uint16; -# mem: case magic of { -# 0x0b01 -> i32 : MEM_INFO32; -# 0x0b02 -> i64 : MEM_INFO64; -# default -> InvalidPEFile : empty; -# }; -# loader_flags : uint32; -# number_of_rva_and_sizes : uint32; -# +module PE; +export { +type PE::DOSHeader: record { + signature : string; + used_bytes_in_last_page : count; + file_in_pages : count; + num_reloc_items : count; + header_in_paragraphs : count; + min_extra_paragraphs : count; + max_extra_paragraphs : count; + init_relative_ss : count; + init_sp : count; + checksum : count; + init_ip : count; + init_relative_cs : count; + addr_of_reloc_table : count; + overlay_num : count; + oem_id : count; + oem_info : count; + addr_of_new_exe_header : count; +}; + +type PE::FileHeader: record { + machine : count; + ts : time; + sym_table_ptr : count; + num_syms : count; + characteristics : set[count]; +}; + +type PE::OptionalHeader: record { + magic : count; + major_linker_version : count; + minor_linker_version : count; + size_of_code : count; + size_of_init_data : count; + size_of_uninit_data : count; + addr_of_entry_point : count; + base_of_code : count; + base_of_data : count; + image_base : count; + section_alignment : count; + file_alignment : count; + os_version_major : count; + os_version_minor : count; + major_image_version : count; + minor_image_version : count; + major_subsys_version : count; + minor_subsys_version : count; + win32_version : count; + size_of_image : count; + size_of_headers : count; + checksum : count; + subsystem : count; + dll_characteristics : set[count]; + loader_flags : count; + number_of_rva_and_sizes : count; }; ## Record for Portable Executable (PE) section headers. -type PESectionHeader: record { +type PE::SectionHeader: record { name : string; virtual_size : count; virtual_addr : count; @@ -2535,8 +2559,10 @@ type PESectionHeader: record { non_used_ptr_to_line_nums : count; non_used_num_of_relocs : count; non_used_num_of_line_nums : count; - characteristics : count; + characteristics : set[count]; }; +} +module GLOBAL; ## Deprecated. ## diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 8b36899f10..ad66ab469b 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -44,4 +44,6 @@ @load base/protocols/ssl @load base/protocols/syslog +@load base/files/pe + @load base/misc/find-checksum-offloading diff --git a/src/event.bif b/src/event.bif index 7a99c20e37..30b3191734 100644 --- a/src/event.bif +++ b/src/event.bif @@ -7059,10 +7059,10 @@ event file_state_remove%(f: fa_file%); event file_hash%(f: fa_file, kind: string, hash: string%); -event file_pe_dosstub%(f: fa_file, checksum: count%); -event file_pe_timestamp%(f: fa_file, ts: time%); -event file_pe_section_header%(f: fa_file, h: PESectionHeader%); - +event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); +event pe_file_header%(f: fa_file, h: PE::FileHeader%); +event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); +event pe_section_header%(f: fa_file, h: PE::SectionHeader%); ## Deprecated. Will be removed. event stp_create_endp%(c: connection, e: int, is_orig: bool%); diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index 662ea1f3e4..51db8fd232 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -41,7 +41,5 @@ bool PE::DeliverStream(const u_char* data, uint64 len) bool PE::EndOfFile() { - printf("end of file!\n"); - //throw binpac::HaltParser(); return false; } diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index fdba29a5bb..e6a39ae1dc 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -13,40 +13,156 @@ refine flow File += { return true; %} + function characteristics_to_bro(c: uint32, len: uint8): TableVal + %{ + uint64 mask = (len==16) ? 0xFFFF : 0xFFFFFFFF; + TableVal* char_set = new TableVal(internal_type("count_set")->AsTableType()); + for ( uint16 i=0; i < len; ++i ) + { + if ( ((c >> i) & 0x1) == 1 ) + { + Val *ch = new Val((1<Assign(ch, 0); + Unref(ch); + } + } + return char_set; + %} + function proc_dos_header(h: DOS_Header): bool %{ - BifEvent::generate_file_pe_dosstub((Analyzer *) connection()->bro_analyzer(), - connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), - ${h.AddressOfNewExeHeader}-64); + if ( pe_dos_header ) + { + RecordVal* dh = new RecordVal(BifType::Record::PE::DOSHeader); + dh->Assign(0, new StringVal(${h.signature}.length(), (const char*) ${h.signature}.data())); + dh->Assign(1, new Val(${h.UsedBytesInTheLastPage}, TYPE_COUNT)); + dh->Assign(2, new Val(${h.FileSizeInPages}, TYPE_COUNT)); + dh->Assign(3, new Val(${h.NumberOfRelocationItems}, TYPE_COUNT)); + dh->Assign(4, new Val(${h.HeaderSizeInParagraphs}, TYPE_COUNT)); + dh->Assign(5, new Val(${h.MinimumExtraParagraphs}, TYPE_COUNT)); + dh->Assign(6, new Val(${h.MaximumExtraParagraphs}, TYPE_COUNT)); + dh->Assign(7, new Val(${h.InitialRelativeSS}, TYPE_COUNT)); + dh->Assign(8, new Val(${h.InitialSP}, TYPE_COUNT)); + dh->Assign(9, new Val(${h.Checksum}, TYPE_COUNT)); + dh->Assign(10, new Val(${h.InitialIP}, TYPE_COUNT)); + dh->Assign(11, new Val(${h.InitialRelativeCS}, TYPE_COUNT)); + dh->Assign(12, new Val(${h.AddressOfRelocationTable}, TYPE_COUNT)); + dh->Assign(13, new Val(${h.OverlayNumber}, TYPE_COUNT)); + dh->Assign(14, new Val(${h.OEMid}, TYPE_COUNT)); + dh->Assign(15, new Val(${h.OEMinfo}, TYPE_COUNT)); + dh->Assign(16, new Val(${h.AddressOfNewExeHeader}, TYPE_COUNT)); + + BifEvent::generate_pe_dos_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + dh); + } return true; %} - function proc_pe_header(h: IMAGE_NT_HEADERS): bool + function proc_nt_headers(h: IMAGE_NT_HEADERS): bool %{ - BifEvent::generate_file_pe_timestamp((Analyzer *) connection()->bro_analyzer(), - connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), - ${h.file_header.TimeDateStamp}); + if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0" + { + return false; + // FileViolation("PE Header signature is incorrect."); + } return true; %} + function proc_file_header(h: IMAGE_FILE_HEADER): bool + %{ + if ( pe_file_header ) + { + RecordVal* fh = new RecordVal(BifType::Record::PE::FileHeader); + fh->Assign(0, new Val(${h.Machine}, TYPE_COUNT)); + fh->Assign(1, new Val(static_cast(${h.TimeDateStamp}), TYPE_TIME)); + fh->Assign(2, new Val(${h.PointerToSymbolTable}, TYPE_COUNT)); + fh->Assign(3, new Val(${h.NumberOfSymbols}, TYPE_COUNT)); + fh->Assign(4, characteristics_to_bro(${h.Characteristics}, 16)); + BifEvent::generate_pe_file_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + fh); + } + + return true; + %} + + function proc_optional_header(h: IMAGE_OPTIONAL_HEADER): bool + %{ + if ( ${h.magic} != 0x10b && // normal pe32 executable + ${h.magic} != 0x107 && // rom image + ${h.magic} != 0x20b ) // pe32+ executable + { + return false; + // FileViolation("PE Optional Header magic is invalid."); + } + + if ( pe_optional_header ) + { + RecordVal* oh = new RecordVal(BifType::Record::PE::OptionalHeader); + + oh->Assign(0, new Val(${h.magic}, TYPE_COUNT)); + oh->Assign(1, new Val(${h.major_linker_version}, TYPE_COUNT)); + oh->Assign(2, new Val(${h.minor_linker_version}, TYPE_COUNT)); + oh->Assign(3, new Val(${h.size_of_code}, TYPE_COUNT)); + oh->Assign(4, new Val(${h.size_of_init_data}, TYPE_COUNT)); + oh->Assign(5, new Val(${h.size_of_uninit_data}, TYPE_COUNT)); + oh->Assign(6, new Val(${h.addr_of_entry_point}, TYPE_COUNT)); + oh->Assign(7, new Val(${h.base_of_code}, TYPE_COUNT)); + oh->Assign(8, new Val(${h.base_of_data}, TYPE_COUNT)); + oh->Assign(9, new Val(${h.image_base}, TYPE_COUNT)); + oh->Assign(10, new Val(${h.section_alignment}, TYPE_COUNT)); + oh->Assign(11, new Val(${h.file_alignment}, TYPE_COUNT)); + oh->Assign(12, new Val(${h.os_version_major}, TYPE_COUNT)); + oh->Assign(13, new Val(${h.os_version_minor}, TYPE_COUNT)); + oh->Assign(14, new Val(${h.major_image_version}, TYPE_COUNT)); + oh->Assign(15, new Val(${h.minor_image_version}, TYPE_COUNT)); + oh->Assign(16, new Val(${h.minor_subsys_version}, TYPE_COUNT)); + oh->Assign(17, new Val(${h.minor_subsys_version}, TYPE_COUNT)); + oh->Assign(18, new Val(${h.win32_version}, TYPE_COUNT)); + oh->Assign(19, new Val(${h.size_of_image}, TYPE_COUNT)); + oh->Assign(20, new Val(${h.size_of_headers}, TYPE_COUNT)); + oh->Assign(21, new Val(${h.checksum}, TYPE_COUNT)); + oh->Assign(22, new Val(${h.subsystem}, TYPE_COUNT)); + oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16)); + oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT)); + oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT)); + BifEvent::generate_pe_optional_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + oh); + } + return true; + %} function proc_section_header(h: IMAGE_SECTION_HEADER): bool %{ - RecordVal* section_header = new RecordVal(BifType::Record::PESectionHeader); - section_header->Assign(0, new StringVal(${h.name}.length(), (const char*) ${h.name}.data())); - section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT)); - section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT)); - section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT)); - section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT)); - section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT)); - section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT)); - section_header->Assign(7, new Val(${h.non_used_num_of_relocs}, TYPE_COUNT)); - section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT)); - section_header->Assign(9, new Val(${h.characteristics}, TYPE_COUNT)); + if ( pe_section_header ) + { + RecordVal* section_header = new RecordVal(BifType::Record::PE::SectionHeader); - BifEvent::generate_file_pe_section_header((Analyzer *) connection()->bro_analyzer(), - connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), - section_header); + // Strip null characters from the end of the section name. + u_char* first_null = (u_char*) memchr(${h.name}.data(), 0, ${h.name}.length()); + uint16 name_len; + if ( first_null == NULL ) + name_len = ${h.name}.length(); + else + name_len = first_null - ${h.name}.data(); + section_header->Assign(0, new StringVal(name_len, (const char*) ${h.name}.data())); + + section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT)); + section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT)); + section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT)); + section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT)); + section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT)); + section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT)); + section_header->Assign(7, new Val(${h.non_used_num_of_relocs}, TYPE_COUNT)); + section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT)); + section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32)); + + BifEvent::generate_pe_section_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + section_header); + } return true; %} }; @@ -56,7 +172,15 @@ refine typeattr DOS_Header += &let { }; refine typeattr IMAGE_NT_HEADERS += &let { - proc : bool = $context.flow.proc_pe_header(this); + proc : bool = $context.flow.proc_nt_headers(this); +}; + +refine typeattr IMAGE_FILE_HEADER += &let { + proc : bool = $context.flow.proc_file_header(this); +}; + +refine typeattr IMAGE_OPTIONAL_HEADER += &let { + proc : bool = $context.flow.proc_optional_header(this); }; refine typeattr IMAGE_SECTION_HEADER += &let { diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 84b26381b4..5c56775538 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -6,8 +6,10 @@ type TheFile = record { sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; + data_sections : DATA_SECTIONS[] &length=data_len; } &let { dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; + data_len: uint32 = pe_header.optional_header.size_of_init_data; } &byteorder=littleendian; type DOS_Header = record { @@ -33,10 +35,10 @@ type DOS_Header = record { } &byteorder=littleendian &length=64; type IMAGE_NT_HEADERS = record { - PESignature : uint32; - file_header : IMAGE_FILE_HEADER; - OptionalHeader : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader); -} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(OptionalHeader); + PESignature : uint32; + file_header : IMAGE_FILE_HEADER; + optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader) &length=file_header.SizeOfOptionalHeader; +} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header); type IMAGE_FILE_HEADER = record { Machine : uint16; @@ -124,5 +126,5 @@ type IMAGE_IMPORT_DIRECTORY = record { }; type DATA_SECTIONS = record { - blah: bytestring &length=10; + blah: uint8; }; \ No newline at end of file diff --git a/src/types.bif b/src/types.bif index ca84794865..f43abf9a81 100644 --- a/src/types.bif +++ b/src/types.bif @@ -163,8 +163,10 @@ type ModbusHeaders: record; type ModbusCoils: vector; type ModbusRegisters: vector; -type PEHeader: record; -type PESectionHeader: record; +type PE::DOSHeader: record; +type PE::FileHeader: record; +type PE::OptionalHeader: record; +type PE::SectionHeader: record; module Log; From 7ff8c1ebdd01f69ccd664e347d801beb91ce2a31 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 15 May 2013 23:33:37 -0400 Subject: [PATCH 09/31] Add the PE analyzer back in as a registered file analyzer. --- src/file_analysis.bif | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/file_analysis.bif b/src/file_analysis.bif index cdece0d350..52ede9292e 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -25,6 +25,9 @@ enum Analyzer %{ ## Deliver the file contents to the script-layer in an event. ANALYZER_DATA_EVENT, + + ## Pass the file to the PE analyzer. + ANALYZER_PE, %} ## :bro:see:`FileAnalysis::postpone_timeout`. From a65966c2d1c500a59f05c48647deeff5a2f4391a Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 15 May 2013 23:34:01 -0400 Subject: [PATCH 10/31] Make the dos code available in script land. --- src/event.bif | 1 + src/file_analysis/analyzers/pe-analyzer.pac | 15 +++++++++++++++ src/file_analysis/analyzers/pe-file.pac | 6 +++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/event.bif b/src/event.bif index ae8ede439f..e43f979aa5 100644 --- a/src/event.bif +++ b/src/event.bif @@ -7060,6 +7060,7 @@ event file_hash%(f: fa_file, kind: string, hash: string%); event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); +event pe_dos_code%(f: fa_file, code: string%); event pe_file_header%(f: fa_file, h: PE::FileHeader%); event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); event pe_section_header%(f: fa_file, h: PE::SectionHeader%); diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index e6a39ae1dc..341a3efbec 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -59,6 +59,17 @@ refine flow File += { return true; %} + function proc_dos_code(code: bytestring): bool + %{ + if ( pe_dos_code ) + { + BifEvent::generate_pe_dos_code((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + new StringVal(code.length(), (const char*) code.data())); + } + return true; + %} + function proc_nt_headers(h: IMAGE_NT_HEADERS): bool %{ if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0" @@ -171,6 +182,10 @@ refine typeattr DOS_Header += &let { proc : bool = $context.flow.proc_dos_header(this); }; +refine typeattr DOS_Code += &let { + proc : bool = $context.flow.proc_dos_code(code); +}; + refine typeattr IMAGE_NT_HEADERS += &let { proc : bool = $context.flow.proc_nt_headers(this); }; diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 5c56775538..041f2bbdb4 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -1,7 +1,7 @@ type TheFile = record { dos_header : DOS_Header; - dos_code : bytestring &length=dos_code_len; + dos_code : DOS_Code(dos_code_len); pe_header : IMAGE_NT_HEADERS; sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); @@ -34,6 +34,10 @@ type DOS_Header = record { AddressOfNewExeHeader : uint32; } &byteorder=littleendian &length=64; +type DOS_Code(len: uint32) = record { + code : bytestring &length=len; +}; + type IMAGE_NT_HEADERS = record { PESignature : uint32; file_header : IMAGE_FILE_HEADER; From 1e098bae8d6a96bbfee23d5796014bb19fc8d428 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Sat, 27 Jul 2013 00:07:47 -0400 Subject: [PATCH 11/31] Moving the PE analyzer to the new plugin structure. --- .../{analyzers => analyzer/pe}/PE.cc | 0 .../{analyzers => analyzer/pe}/PE.h | 0 src/file_analysis/analyzer/pe/events.bif | 5 +++++ .../{analyzers => analyzer/pe}/pe-analyzer.pac | 0 .../{analyzers => analyzer/pe}/pe-file.pac | 16 ++++++++-------- .../{analyzers => analyzer/pe}/pe.pac | 0 6 files changed, 13 insertions(+), 8 deletions(-) rename src/file_analysis/{analyzers => analyzer/pe}/PE.cc (100%) rename src/file_analysis/{analyzers => analyzer/pe}/PE.h (100%) create mode 100644 src/file_analysis/analyzer/pe/events.bif rename src/file_analysis/{analyzers => analyzer/pe}/pe-analyzer.pac (100%) rename src/file_analysis/{analyzers => analyzer/pe}/pe-file.pac (88%) rename src/file_analysis/{analyzers => analyzer/pe}/pe.pac (100%) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzer/pe/PE.cc similarity index 100% rename from src/file_analysis/analyzers/PE.cc rename to src/file_analysis/analyzer/pe/PE.cc diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzer/pe/PE.h similarity index 100% rename from src/file_analysis/analyzers/PE.h rename to src/file_analysis/analyzer/pe/PE.h diff --git a/src/file_analysis/analyzer/pe/events.bif b/src/file_analysis/analyzer/pe/events.bif new file mode 100644 index 0000000000..b6ce808278 --- /dev/null +++ b/src/file_analysis/analyzer/pe/events.bif @@ -0,0 +1,5 @@ +event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); +event pe_dos_code%(f: fa_file, code: string%); +event pe_file_header%(f: fa_file, h: PE::FileHeader%); +event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); +event pe_section_header%(f: fa_file, h: PE::SectionHeader%); \ No newline at end of file diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac similarity index 100% rename from src/file_analysis/analyzers/pe-analyzer.pac rename to src/file_analysis/analyzer/pe/pe-analyzer.pac diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac similarity index 88% rename from src/file_analysis/analyzers/pe-file.pac rename to src/file_analysis/analyzer/pe/pe-file.pac index 041f2bbdb4..ab7cdf5f8a 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -1,12 +1,12 @@ -type TheFile = record { - dos_header : DOS_Header; - dos_code : DOS_Code(dos_code_len); - pe_header : IMAGE_NT_HEADERS; - sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; - #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); - #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; - data_sections : DATA_SECTIONS[] &length=data_len; +type TheFile(part: uint8) = record { + dos_header : DOS_Header; + dos_code : DOS_Code(dos_code_len); + pe_header : IMAGE_NT_HEADERS; + section_headers : IMAGE_SECTION_HEADER[] &length=pe_header.optional_header.size_of_headers; + #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); + #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; + #data_sections : DATA_SECTIONS[] &length=data_len; } &let { dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; data_len: uint32 = pe_header.optional_header.size_of_init_data; diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzer/pe/pe.pac similarity index 100% rename from src/file_analysis/analyzers/pe.pac rename to src/file_analysis/analyzer/pe/pe.pac From 7ba51786e559383e4ad76374d50933c873d99029 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Sat, 27 Jul 2013 08:10:08 -0400 Subject: [PATCH 12/31] In progress checkpoint. Things are starting to work. --- scripts/base/files/pe/__load__.bro | 2 + scripts/base/files/pe/consts.bro | 149 ++++++++++++++++++ scripts/base/files/pe/main.bro | 86 ++++++++++ src/file_analysis/analyzer/CMakeLists.txt | 1 + src/file_analysis/analyzer/pe/CMakeLists.txt | 10 ++ src/file_analysis/analyzer/pe/Plugin.cc | 29 ++++ src/file_analysis/analyzer/pe/pe-analyzer.pac | 11 +- src/file_analysis/analyzer/pe/pe-file.pac | 2 +- 8 files changed, 284 insertions(+), 6 deletions(-) create mode 100644 scripts/base/files/pe/__load__.bro create mode 100644 scripts/base/files/pe/consts.bro create mode 100644 scripts/base/files/pe/main.bro create mode 100644 src/file_analysis/analyzer/pe/CMakeLists.txt create mode 100644 src/file_analysis/analyzer/pe/Plugin.cc diff --git a/scripts/base/files/pe/__load__.bro b/scripts/base/files/pe/__load__.bro new file mode 100644 index 0000000000..0098b81a7a --- /dev/null +++ b/scripts/base/files/pe/__load__.bro @@ -0,0 +1,2 @@ +@load ./consts +@load ./main \ No newline at end of file diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro new file mode 100644 index 0000000000..4dc21ec179 --- /dev/null +++ b/scripts/base/files/pe/consts.bro @@ -0,0 +1,149 @@ + +module PE; + +export { + const machine_types: table[count] of string = { + [0x00] = "UNKNOWN", + [0x1d3] = "AM33", + [0x8664] = "AMD64", + [0x1c0] = "ARM", + [0x1c4] = "ARMNT", + [0xaa64] = "ARM64", + [0xebc] = "EBC", + [0x14c] = "I386", + [0x200] = "IA64", + [0x9041] = "M32R", + [0x266] = "MIPS16", + [0x366] = "MIPSFPU", + [0x466] = "MIPSFPU16", + [0x1f0] = "POWERPC", + [0x1f1] = "POWERPCFP", + [0x166] = "R4000", + [0x1a2] = "SH3", + [0x1a3] = "SH3DSP", + [0x1a6] = "SH4", + [0x1a8] = "SH5", + [0x1c2] = "THUMB", + [0x169] = "WCEMIPSV2" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const file_characteristics: table[count] of string = { + [0x1] = "RELOCS_STRIPPED", + [0x2] = "EXECUTABLE_IMAGE", + [0x4] = "LINE_NUMS_STRIPPED", + [0x8] = "LOCAL_SYMS_STRIPPED", + [0x10] = "AGGRESSIVE_WS_TRIM", + [0x20] = "LARGE_ADDRESS_AWARE", + [0x80] = "BYTES_REVERSED_LO", + [0x100] = "32BIT_MACHINE", + [0x200] = "DEBUG_STRIPPED", + [0x400] = "REMOVABLE_RUN_FROM_SWAP", + [0x800] = "NET_RUN_FROM_SWAP", + [0x1000] = "SYSTEM", + [0x2000] = "DLL", + [0x4000] = "UP_SYSTEM_ONLY", + [0x8000] = "BYTES_REVERSED_HI" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const dll_characteristics: table[count] of string = { + [0x40] = "DYNAMIC_BASE", + [0x80] = "FORCE_INTEGRITY", + [0x100] = "NX_COMPAT", + [0x200] = "NO_ISOLATION", + [0x400] = "NO_SEH", + [0x800] = "NO_BIND", + [0x2000] = "WDM_DRIVER", + [0x8000] = "TERMINAL_SERVER_AWARE" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const windows_subsystems: table[count] of string = { + [0] = "UNKNOWN", + [1] = "NATIVE", + [2] = "WINDOWS_GUI", + [3] = "WINDOWS_CUI", + [7] = "POSIX_CUI", + [9] = "WINDOWS_CE_GUI", + [10] = "EFI_APPLICATION", + [11] = "EFI_BOOT_SERVICE_DRIVER", + [12] = "EFI_RUNTIME_
DRIVER", + [13] = "EFI_ROM", + [14] = "XBOX" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const section_characteristics: table[count] of string = { + [0x8] = "TYPE_NO_PAD", + [0x20] = "CNT_CODE", + [0x40] = "CNT_INITIALIZED_DATA", + [0x80] = "CNT_UNINITIALIZED_DATA", + [0x100] = "LNK_OTHER", + [0x200] = "LNK_INFO", + [0x800] = "LNK_REMOVE", + [0x1000] = "LNK_COMDAT", + [0x8000] = "GPREL", + [0x20000] = "MEM_16BIT", + [0x40000] = "MEM_LOCKED", + [0x80000] = "MEM_PRELOAD", + [0x100000] = "ALIGN_1BYTES", + [0x200000] = "ALIGN_2BYTES", + [0x300000] = "ALIGN_4BYTES", + [0x400000] = "ALIGN_8BYTES", + [0x500000] = "ALIGN_16BYTES", + [0x600000] = "ALIGN_32BYTES", + [0x700000] = "ALIGN_64BYTES", + [0x800000] = "ALIGN_128BYTES", + [0x900000] = "ALIGN_256BYTES", + [0xa00000] = "ALIGN_512BYTES", + [0xb00000] = "ALIGN_1024BYTES", + [0xc00000] = "ALIGN_2048BYTES", + [0xd00000] = "ALIGN_4096BYTES", + [0xe00000] = "ALIGN_8192BYTES", + [0x1000000] = "LNK_NRELOC_OVFL", + [0x2000000] = "MEM_DISCARDABLE", + [0x4000000] = "MEM_NOT_CACHED", + [0x8000000] = "MEM_NOT_PAGED", + [0x10000000] = "MEM_SHARED", + [0x20000000] = "MEM_EXECUTE", + [0x40000000] = "MEM_READ", + [0x80000000] = "MEM_WRITE" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const os_versions: table[count, count] of string = { + [6,2] = "Windows 8", + [6,1] = "Windows 7", + [6,0] = "Windows Vista", + [5,2] = "Windows XP 64-Bit Edition", + [5,1] = "Windows XP", + [5,0] = "Windows 2000", + [4,90] = "Windows Me", + [4,1] = "Windows 98", + [4,0] = "Windows NT 4.0", + } &default=function(i: count, j: count):string { return fmt("unknown-%d.%d", i, j); }; + + const section_descs: table[string] of string = { + [".bss"] = "Uninitialized data", + [".cormeta"] = "CLR metadata that indicates that the object file contains managed code", + [".data"] = "Initialized data", + [".debug$F"] = "Generated FPO debug information", + [".debug$P"] = "Precompiled debug types", + [".debug$S"] = "Debug symbols", + [".debug$T"] = "Debug types", + [".drective"] = "Linker options", + [".edata"] = "Export tables", + [".idata"] = "Import tables", + [".idlsym"] = "Includes registered SEH to support IDL attributes", + [".pdata"] = "Exception information", + [".rdata"] = "Read-only initialized data", + [".reloc"] = "Image relocations", + [".rsrc"] = "Resource directory", + [".sbss"] = "GP-relative uninitialized data", + [".sdata"] = "GP-relative initialized data", + [".srdata"] = "GP-relative read-only data", + [".sxdata"] = "Registered exception handler data", + [".text"] = "Executable code", + [".tls"] = "Thread-local storage", + [".tls$"] = "Thread-local storage", + [".vsdata"] = "GP-relative initialized data", + [".xdata"] = "Exception information", + } &default=function(i: string):string { return fmt("unknown-%s", i); }; + +} diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro new file mode 100644 index 0000000000..76ba04fc8c --- /dev/null +++ b/scripts/base/files/pe/main.bro @@ -0,0 +1,86 @@ + +module PE; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + ts: time &log; + fuid: string &log; + machine: string &log &optional; + compile_ts: time &log &optional; + os: string &log &optional; + subsystem: string &log &optional; + characteristics: set[string] &log &optional; + section_names: vector of string &log &optional; + }; + + + global set_file: hook(f: fa_file); +} + +redef record fa_file += { + pe: Info &optional; +}; + +event bro_init() &priority=5 + { + Log::create_stream(LOG, [$columns=Info]); + } + +hook set_file(f: fa_file) &priority=5 + { + if ( ! f?$pe ) + { + local c: set[string] = set(); + f$pe = [$ts=network_time(), $fuid=f$id, $characteristics=c]; + } + } + +event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 + { + hook set_file(f); + } + +event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 + { + hook set_file(f); + f$pe$compile_ts = h$ts; + f$pe$machine = machine_types[h$machine]; + for ( c in h$characteristics ) + add f$pe$characteristics[PE::file_characteristics[c]]; + } + +event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 + { + hook set_file(f); + f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; + f$pe$subsystem = windows_subsystems[h$subsystem]; + } + +event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 + { + hook set_file(f); + + print h; + if ( ! f$pe?$section_names ) + f$pe$section_names = vector(); + f$pe$section_names[|f$pe$section_names|] = h$name; + } + +event file_state_remove(f: fa_file) + { + if ( f?$pe ) + Log::write(LOG, f$pe); + } + +event file_new(f: fa_file) + { + if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) + { + #print "found a windows executable"; + FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_PE]); + #FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, + # $extract_filename=fmt("exe-%d", ++blah_counter)]); + } + } diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt index bfafcd2894..67929b77fd 100644 --- a/src/file_analysis/analyzer/CMakeLists.txt +++ b/src/file_analysis/analyzer/CMakeLists.txt @@ -1,3 +1,4 @@ add_subdirectory(data_event) add_subdirectory(extract) add_subdirectory(hash) +add_subdirectory(pe) diff --git a/src/file_analysis/analyzer/pe/CMakeLists.txt b/src/file_analysis/analyzer/pe/CMakeLists.txt new file mode 100644 index 0000000000..7fc89bfd51 --- /dev/null +++ b/src/file_analysis/analyzer/pe/CMakeLists.txt @@ -0,0 +1,10 @@ +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro PE) +bro_plugin_cc(PE.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(pe.pac pe-file.pac pe-analyzer.pac) +bro_plugin_end() diff --git a/src/file_analysis/analyzer/pe/Plugin.cc b/src/file_analysis/analyzer/pe/Plugin.cc new file mode 100644 index 0000000000..1cc33b5759 --- /dev/null +++ b/src/file_analysis/analyzer/pe/Plugin.cc @@ -0,0 +1,29 @@ +#include "plugin/Plugin.h" +#include "file_analysis/Component.h" + +#include "PE.h" + +namespace plugin { namespace Bro_PE { + +class Plugin : public plugin::Plugin { +protected: + void InitPreScript() + { + SetName("Bro::PE"); + SetVersion(-1); + SetAPIVersion(BRO_PLUGIN_API_VERSION); + SetDynamicPlugin(false); + + SetDescription("Portable Executable analyzer"); + + AddComponent(new ::file_analysis::Component("PE", + ::file_analysis::PE::Instantiate)); + + extern std::list > __bif_events_init(); + AddBifInitFunction(&__bif_events_init); + } +}; + +Plugin __plugin; + +} } diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 341a3efbec..045f71c479 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -3,6 +3,7 @@ #include "Event.h" #include "file_analysis/File.h" #include "file_analysis.bif.func_h" +#include "events.bif.h" %} refine flow File += { @@ -52,7 +53,7 @@ refine flow File += { dh->Assign(15, new Val(${h.OEMinfo}, TYPE_COUNT)); dh->Assign(16, new Val(${h.AddressOfNewExeHeader}, TYPE_COUNT)); - BifEvent::generate_pe_dos_header((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_dos_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), dh); } @@ -63,7 +64,7 @@ refine flow File += { %{ if ( pe_dos_code ) { - BifEvent::generate_pe_dos_code((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_dos_code((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), new StringVal(code.length(), (const char*) code.data())); } @@ -90,7 +91,7 @@ refine flow File += { fh->Assign(2, new Val(${h.PointerToSymbolTable}, TYPE_COUNT)); fh->Assign(3, new Val(${h.NumberOfSymbols}, TYPE_COUNT)); fh->Assign(4, characteristics_to_bro(${h.Characteristics}, 16)); - BifEvent::generate_pe_file_header((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_file_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), fh); } @@ -138,7 +139,7 @@ refine flow File += { oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16)); oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT)); oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT)); - BifEvent::generate_pe_optional_header((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), oh); } @@ -170,7 +171,7 @@ refine flow File += { section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT)); section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32)); - BifEvent::generate_pe_section_header((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_section_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), section_header); } diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index ab7cdf5f8a..03a25ce150 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -1,5 +1,5 @@ -type TheFile(part: uint8) = record { +type TheFile = record { dos_header : DOS_Header; dos_code : DOS_Code(dos_code_len); pe_header : IMAGE_NT_HEADERS; From 8ffa81f3908bd1634c74472b4b519fdfbbd8fe35 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sat, 21 Jun 2014 13:30:14 -0400 Subject: [PATCH 13/31] Updated PE analyzer to work with changes in master. --- scripts/base/files/pe/main.bro | 2 +- src/file_analysis/analyzer/pe/PE.cc | 12 ++---------- src/file_analysis/analyzer/pe/pe-analyzer.pac | 2 -- 3 files changed, 3 insertions(+), 13 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index 76ba04fc8c..f9ebc57297 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -79,7 +79,7 @@ event file_new(f: fa_file) if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) { #print "found a windows executable"; - FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_PE]); + Files::add_analyzer(f, Files::ANALYZER_PE); #FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, # $extract_filename=fmt("exe-%d", ++blah_counter)]); } diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc index 51db8fd232..59fbad91df 100644 --- a/src/file_analysis/analyzer/pe/PE.cc +++ b/src/file_analysis/analyzer/pe/PE.cc @@ -1,14 +1,10 @@ -#include - #include "PE.h" -#include "pe_pac.h" -#include "util.h" -#include "Event.h" +#include "file_analysis/Manager.h" using namespace file_analysis; PE::PE(RecordVal* args, File* file) - : file_analysis::Analyzer(args, file) + : file_analysis::Analyzer(file_mgr->GetComponentTag("PE"), args, file) { conn = new binpac::PE::MockConnection(this); interp = new binpac::PE::File(conn); @@ -26,10 +22,6 @@ bool PE::DeliverStream(const u_char* data, uint64 len) { interp->NewData(data, data + len); } - catch ( const binpac::HaltParser &e ) - { - return false; - } catch ( const binpac::Exception& e ) { printf("Binpac exception: %s\n", e.c_msg()); diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 045f71c479..619bffad53 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -2,7 +2,6 @@ %extern{ #include "Event.h" #include "file_analysis/File.h" -#include "file_analysis.bif.func_h" #include "events.bif.h" %} @@ -10,7 +9,6 @@ refine flow File += { function proc_the_file(): bool %{ - throw binpac::HaltParser(); return true; %} From d98b5b88b5e110d146ee3982b3d2210b2f1bbc2b Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sun, 22 Jun 2014 07:18:12 -0400 Subject: [PATCH 14/31] Parse PE section headers. --- scripts/base/files/pe/main.bro | 11 ++++++--- src/file_analysis/analyzer/pe/pe-analyzer.pac | 4 +++- src/file_analysis/analyzer/pe/pe-file.pac | 24 +++++++++++++++---- 3 files changed, 30 insertions(+), 9 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index f9ebc57297..091c322990 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -39,11 +39,15 @@ hook set_file(f: fa_file) &priority=5 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 { + print "DOS header"; + print h; hook set_file(f); } event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 { + print "File header"; + print h; hook set_file(f); f$pe$compile_ts = h$ts; f$pe$machine = machine_types[h$machine]; @@ -53,6 +57,8 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 { + print "Optional header"; + print h; hook set_file(f); f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; f$pe$subsystem = windows_subsystems[h$subsystem]; @@ -60,6 +66,8 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 { + print "Section header"; + print h; hook set_file(f); print h; @@ -78,9 +86,6 @@ event file_new(f: fa_file) { if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) { - #print "found a windows executable"; Files::add_analyzer(f, Files::ANALYZER_PE); - #FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, - # $extract_filename=fmt("exe-%d", ++blah_counter)]); } } diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 619bffad53..2b49cd2c23 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -9,6 +9,7 @@ refine flow File += { function proc_the_file(): bool %{ + printf("Processed\n"); return true; %} @@ -203,4 +204,5 @@ refine typeattr IMAGE_SECTION_HEADER += &let { refine typeattr TheFile += &let { proc: bool = $context.flow.proc_the_file(); -}; \ No newline at end of file +}; + diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index 03a25ce150..58278a7ffd 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -3,7 +3,7 @@ type TheFile = record { dos_header : DOS_Header; dos_code : DOS_Code(dos_code_len); pe_header : IMAGE_NT_HEADERS; - section_headers : IMAGE_SECTION_HEADER[] &length=pe_header.optional_header.size_of_headers; + section_headers : IMAGE_SECTIONS(pe_header.file_header.NumberOfSections); #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; #data_sections : DATA_SECTIONS[] &length=data_len; @@ -41,7 +41,7 @@ type DOS_Code(len: uint32) = record { type IMAGE_NT_HEADERS = record { PESignature : uint32; file_header : IMAGE_FILE_HEADER; - optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader) &length=file_header.SizeOfOptionalHeader; + optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader; } &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header); type IMAGE_FILE_HEADER = record { @@ -54,7 +54,7 @@ type IMAGE_FILE_HEADER = record { Characteristics : uint16; }; -type IMAGE_OPTIONAL_HEADER(len: uint16) = record { +type IMAGE_OPTIONAL_HEADER(len: uint16, number_of_sections: uint16) = record { magic : uint16; major_linker_version : uint8; minor_linker_version : uint8; @@ -80,12 +80,13 @@ type IMAGE_OPTIONAL_HEADER(len: uint16) = record { subsystem : uint16; dll_characteristics : uint16; mem: case magic of { - 0x0b01 -> i32 : MEM_INFO32; - 0x0b02 -> i64 : MEM_INFO64; + 267 -> i32 : MEM_INFO32; + 268 -> i64 : MEM_INFO64; default -> InvalidPEFile : empty; }; loader_flags : uint32; number_of_rva_and_sizes : uint32; + rvas : IMAGE_RVAS(number_of_rva_and_sizes); } &byteorder=littleendian &length=len; type MEM_INFO32 = record { @@ -102,6 +103,10 @@ type MEM_INFO64 = record { size_of_heap_commit : uint64; } &byteorder=littleendian &length=32; +type IMAGE_SECTIONS(num: uint16) = record { + sections : IMAGE_SECTION_HEADER[num]; +} &length=num*40; + type IMAGE_SECTION_HEADER = record { name : bytestring &length=8; virtual_size : uint32; @@ -129,6 +134,15 @@ type IMAGE_IMPORT_DIRECTORY = record { rva_import_addr_table : uint32; }; +type IMAGE_RVAS(num: uint32) = record { + rvas : IMAGE_RVA[num]; +} &length=num*8; + +type IMAGE_RVA = record { + virtual_address : uint32; + size : uint32; +} &length=8; + type DATA_SECTIONS = record { blah: uint8; }; \ No newline at end of file From b4498a414274239d3064742f4e88098fd76eaf82 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 7 Apr 2015 14:45:15 -0700 Subject: [PATCH 15/31] Some changes to fix PE analyzer on master. --- scripts/base/files/pe/main.bro | 4 +-- src/file_analysis/analyzer/pe/Plugin.cc | 33 +++++++++++-------------- src/types.bif | 16 ------------ 3 files changed, 16 insertions(+), 37 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index 091c322990..754b788318 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -82,9 +82,9 @@ event file_state_remove(f: fa_file) Log::write(LOG, f$pe); } -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { - if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) + if ( mime_type == /application\/x-dosexec.*/ ) { Files::add_analyzer(f, Files::ANALYZER_PE); } diff --git a/src/file_analysis/analyzer/pe/Plugin.cc b/src/file_analysis/analyzer/pe/Plugin.cc index 1cc33b5759..8601dedb67 100644 --- a/src/file_analysis/analyzer/pe/Plugin.cc +++ b/src/file_analysis/analyzer/pe/Plugin.cc @@ -1,29 +1,24 @@ +// See the file in the main distribution directory for copyright. + #include "plugin/Plugin.h" -#include "file_analysis/Component.h" #include "PE.h" -namespace plugin { namespace Bro_PE { +namespace plugin { +namespace Bro_PE { class Plugin : public plugin::Plugin { -protected: - void InitPreScript() +public: + plugin::Configuration Configure() { - SetName("Bro::PE"); - SetVersion(-1); - SetAPIVersion(BRO_PLUGIN_API_VERSION); - SetDynamicPlugin(false); + AddComponent(new ::file_analysis::Component("PE", ::file_analysis::PE::Instantiate)); - SetDescription("Portable Executable analyzer"); - - AddComponent(new ::file_analysis::Component("PE", - ::file_analysis::PE::Instantiate)); - - extern std::list > __bif_events_init(); - AddBifInitFunction(&__bif_events_init); + plugin::Configuration config; + config.name = "Bro::PE"; + config.description = "Portable Executable analyzer"; + return config; } -}; +} plugin; -Plugin __plugin; - -} } +} +} diff --git a/src/types.bif b/src/types.bif index 70da9e14e0..180112dd8c 100644 --- a/src/types.bif +++ b/src/types.bif @@ -168,22 +168,6 @@ type PE::FileHeader: record; type PE::OptionalHeader: record; type PE::SectionHeader: record; -module Log; - -enum Writer %{ - WRITER_DEFAULT, - WRITER_NONE, - WRITER_ASCII, - WRITER_DATASERIES, - WRITER_SQLITE, - WRITER_ELASTICSEARCH, -%} - -enum ID %{ - Unknown, -%} - - module Tunnel; enum Type %{ NONE, From fa7946ae7d75e6c2aaf6dac5ffa26305bafe4715 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Mon, 13 Apr 2015 16:34:18 -0500 Subject: [PATCH 16/31] Checkpoint - Import Address Table being parsed. --- scripts/base/files/pe/main.bro | 17 +- src/file_analysis/analyzer/pe/pe-analyzer.pac | 36 +-- src/file_analysis/analyzer/pe/pe-file.pac | 287 +++++++++++++++--- src/file_analysis/analyzer/pe/pe.pac | 2 +- 4 files changed, 277 insertions(+), 65 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index 754b788318..b05f1e3b72 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -39,15 +39,15 @@ hook set_file(f: fa_file) &priority=5 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 { - print "DOS header"; - print h; +# print "DOS header"; +# print h; hook set_file(f); } event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 { - print "File header"; - print h; +# print "File header"; +# print h; hook set_file(f); f$pe$compile_ts = h$ts; f$pe$machine = machine_types[h$machine]; @@ -57,8 +57,8 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 { - print "Optional header"; - print h; +# print "Optional header"; +# print h; hook set_file(f); f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; f$pe$subsystem = windows_subsystems[h$subsystem]; @@ -66,11 +66,10 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 { - print "Section header"; - print h; +# print "Section header"; +# print h; hook set_file(f); - print h; if ( ! f$pe?$section_names ) f$pe$section_names = vector(); f$pe$section_names[|f$pe$section_names|] = h$name; diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 2b49cd2c23..1d7d0dbbff 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -7,12 +7,6 @@ refine flow File += { - function proc_the_file(): bool - %{ - printf("Processed\n"); - return true; - %} - function characteristics_to_bro(c: uint32, len: uint8): TableVal %{ uint64 mask = (len==16) ? 0xFFFF : 0xFFFFFFFF; @@ -70,7 +64,7 @@ refine flow File += { return true; %} - function proc_nt_headers(h: IMAGE_NT_HEADERS): bool + function proc_nt_headers(h: NT_Headers): bool %{ if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0" { @@ -80,7 +74,7 @@ refine flow File += { return true; %} - function proc_file_header(h: IMAGE_FILE_HEADER): bool + function proc_file_header(h: File_Header): bool %{ if ( pe_file_header ) { @@ -98,7 +92,7 @@ refine flow File += { return true; %} - function proc_optional_header(h: IMAGE_OPTIONAL_HEADER): bool + function proc_optional_header(h: Optional_Header): bool %{ if ( ${h.magic} != 0x10b && // normal pe32 executable ${h.magic} != 0x107 && // rom image @@ -145,7 +139,7 @@ refine flow File += { return true; %} - function proc_section_header(h: IMAGE_SECTION_HEADER): bool + function proc_section_header(h: Section_Header): bool %{ if ( pe_section_header ) { @@ -176,6 +170,14 @@ refine flow File += { } return true; %} + + + function proc_pe_file(): bool + %{ + printf("PE file processed\n"); + return true; + %} + }; refine typeattr DOS_Header += &let { @@ -186,23 +188,23 @@ refine typeattr DOS_Code += &let { proc : bool = $context.flow.proc_dos_code(code); }; -refine typeattr IMAGE_NT_HEADERS += &let { +refine typeattr NT_Headers += &let { proc : bool = $context.flow.proc_nt_headers(this); }; -refine typeattr IMAGE_FILE_HEADER += &let { +refine typeattr File_Header += &let { proc : bool = $context.flow.proc_file_header(this); }; -refine typeattr IMAGE_OPTIONAL_HEADER += &let { +refine typeattr Optional_Header += &let { proc : bool = $context.flow.proc_optional_header(this); }; -refine typeattr IMAGE_SECTION_HEADER += &let { - proc: bool = $context.flow.proc_section_header(this); +refine typeattr Section_Header += &let { + proc2: bool = $context.flow.proc_section_header(this); }; -refine typeattr TheFile += &let { - proc: bool = $context.flow.proc_the_file(); +refine typeattr PE_File += &let { + proc: bool = $context.flow.proc_pe_file(); }; diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index 58278a7ffd..ef048079a5 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -1,17 +1,27 @@ - -type TheFile = record { - dos_header : DOS_Header; - dos_code : DOS_Code(dos_code_len); - pe_header : IMAGE_NT_HEADERS; - section_headers : IMAGE_SECTIONS(pe_header.file_header.NumberOfSections); - #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); - #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; - #data_sections : DATA_SECTIONS[] &length=data_len; +# The base record for a Portable Executable file +type PE_File = record { + headers : Headers; + pad : Padding(iat_loc); + iat : IMPORT_ADDRESS_TABLE &length=$context.connection.get_import_table_len(); } &let { - dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; - data_len: uint32 = pe_header.optional_header.size_of_init_data; + unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length; + iat_loc: uint32 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len; + } &byteorder=littleendian; +## Headers + +type Headers = record { + dos_header : DOS_Header; + dos_code : DOS_Code(dos_code_len); + pe_header : NT_Headers; + section_headers : Section_Headers(pe_header.file_header.NumberOfSections); +} &let { + dos_code_len: uint32 = dos_header.AddressOfNewExeHeader > 64 ? dos_header.AddressOfNewExeHeader - 64 : 0; + length: uint64 = 64 + dos_code_len + pe_header.length + section_headers.length; +}; + +# The DOS header gives us the offset of the NT headers type DOS_Header = record { signature : bytestring &length=2; UsedBytesInTheLastPage : uint16; @@ -38,13 +48,17 @@ type DOS_Code(len: uint32) = record { code : bytestring &length=len; }; -type IMAGE_NT_HEADERS = record { +# The NT headers give us the file and the optional headers. +type NT_Headers = record { PESignature : uint32; - file_header : IMAGE_FILE_HEADER; - optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader; -} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header); + file_header : File_Header; + optional_header : Optional_Header(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader; +} &let { + length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header); +} &byteorder=littleendian &length=length; -type IMAGE_FILE_HEADER = record { +# The file header is mainly self-describing +type File_Header = record { Machine : uint16; NumberOfSections : uint16; TimeDateStamp : uint32; @@ -54,7 +68,8 @@ type IMAGE_FILE_HEADER = record { Characteristics : uint16; }; -type IMAGE_OPTIONAL_HEADER(len: uint16, number_of_sections: uint16) = record { +# The optional header gives us DLL link information, and some structural information +type Optional_Header(len: uint16, number_of_sections: uint16) = record { magic : uint16; major_linker_version : uint8; minor_linker_version : uint8; @@ -80,34 +95,47 @@ type IMAGE_OPTIONAL_HEADER(len: uint16, number_of_sections: uint16) = record { subsystem : uint16; dll_characteristics : uint16; mem: case magic of { - 267 -> i32 : MEM_INFO32; - 268 -> i64 : MEM_INFO64; + 267 -> i32 : Mem_Info32; + 268 -> i64 : Mem_Info64; default -> InvalidPEFile : empty; }; loader_flags : uint32; number_of_rva_and_sizes : uint32; - rvas : IMAGE_RVAS(number_of_rva_and_sizes); + rvas : RVAS(number_of_rva_and_sizes); } &byteorder=littleendian &length=len; -type MEM_INFO32 = record { +type Mem_Info32 = record { size_of_stack_reserve : uint32; size_of_stack_commit : uint32; size_of_heap_reserve : uint32; size_of_heap_commit : uint32; } &byteorder=littleendian &length=16; -type MEM_INFO64 = record { +type Mem_Info64 = record { size_of_stack_reserve : uint64; size_of_stack_commit : uint64; size_of_heap_reserve : uint64; size_of_heap_commit : uint64; } &byteorder=littleendian &length=32; -type IMAGE_SECTIONS(num: uint16) = record { - sections : IMAGE_SECTION_HEADER[num]; -} &length=num*40; +type RVAS(num: uint32) = record { + rvas : RVA[num]; +}; -type IMAGE_SECTION_HEADER = record { +type RVA = record { + virtual_address : uint32; + size : uint32; +} &let { + proc: bool = $context.connection.proc_rva(this); +} &length=8; + +type Section_Headers(num: uint16) = record { + sections : Section_Header[num]; +} &let { + length: uint32 = num*40; +} &length=length; + +type Section_Header = record { name : bytestring &length=8; virtual_size : uint32; virtual_addr : uint32; @@ -118,31 +146,214 @@ type IMAGE_SECTION_HEADER = record { non_used_num_of_relocs : uint16; non_used_num_of_line_nums : uint16; characteristics : uint32; +} &let { + proc: bool = $context.connection.proc_section(this); } &byteorder=littleendian &length=40; +## The BinPAC padding type doens't work here. -type IMAGE_DATA_DIRECTORY = record { - virtual_address : uint32; - size : uint16; +type Padding(length: uint32) = record { + blah: bytestring &length=length &transient; }; +## Support for parsing the .idata section + type IMAGE_IMPORT_DIRECTORY = record { rva_import_lookup_table : uint32; time_date_stamp : uint32; forwarder_chain : uint32; rva_module_name : uint32; rva_import_addr_table : uint32; +} &let { + is_null: bool = rva_module_name == 0; + proc: bool = $context.connection.proc_image_import_directory(this); +} &length=20; + +type IMPORT_LOOKUP_ATTRS = record { + attrs: uint32; +} &let { + is_null: bool = attrs == 0; +} &length=4; + +type IMPORT_LOOKUP_TABLE = record { + attrs: IMPORT_LOOKUP_ATTRS[] &until($element.is_null); +} &let { + proc: bool = $context.connection.proc_import_lookup_table(this); }; -type IMAGE_RVAS(num: uint32) = record { - rvas : IMAGE_RVA[num]; -} &length=num*8; +#type null_terminated_string = RE/[^\x00]+\x00/; +type null_terminated_string = RE/[A-Za-z0-9.]+\x00/; -type IMAGE_RVA = record { - virtual_address : uint32; - size : uint32; -} &length=8; +type IMPORT_ENTRY(is_module: bool, pad_align: uint8) = case is_module of { + true -> module: IMPORT_MODULE(pad_align); + false -> hint: IMPORT_HINT(pad_align); +}; -type DATA_SECTIONS = record { - blah: uint8; +type IMPORT_MODULE(pad_align: uint8) = record { + pad: bytestring &length=pad_align; + name: null_terminated_string; +} &let { + proc: bool = $context.connection.proc_import_module(this); +}; + +type IMPORT_HINT(pad_align: uint8) = record { + pad: bytestring &length=pad_align; + index: uint16; + name: null_terminated_string; +} &let { + proc: bool = $context.connection.proc_import_hint(this); + last: bool = sizeof(name) == 0; +}; + +type IMPORT_ADDRESS_TABLE = record { + directory_table : IMAGE_IMPORT_DIRECTORY[] &until $element.is_null; + lookup_tables : IMPORT_LOOKUP_TABLE[] &until $context.connection.get_num_imports() <= 0; + hint_table : IMPORT_ENTRY($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done()); +} &let { + proc: bool = $context.connection.proc_iat(this); +}; + +refine connection MockConnection += { + %member{ + uint8 rvas_seen_; + uint8 num_imports_; + uint32 rva_offset_; + + bool has_import_table_; + uint32 import_table_va_; + uint32 import_table_rva_; + uint32 import_table_len_; + vector imports_per_module_; + uint32 next_hint_index_; + uint8 next_hint_align_; + bool next_hint_is_module_; + + bool has_export_table_; + uint32 export_table_va_; + uint32 export_table_rva_; + %} + + %init{ + rvas_seen_ = 0; + rva_offset_ = 0; + num_imports_ = -1; + has_import_table_ = false; + has_export_table_ = false; + + next_hint_is_module_ = true; + next_hint_index_ = 0; + next_hint_align_ = 0; + %} + + function proc_rva(r: RVA): bool + %{ + if ( rvas_seen_ == 1 ) + { + has_import_table_ = ${r.virtual_address} > 0; + if ( has_import_table_ ) { + import_table_rva_ = ${r.virtual_address}; + import_table_len_ = ${r.size}; + } + } + if ( rvas_seen_ == 2 ) + { + has_export_table_ = ${r.virtual_address} > 0; + if ( has_export_table_ ) + export_table_rva_ = ${r.virtual_address}; + } + ++rvas_seen_; + return true; + %} + + function proc_section(h: Section_Header): bool + %{ + if ( has_import_table_ && ${h.virtual_addr} == import_table_rva_ ){ + printf("Found import table %d\n", ${h.ptr_to_raw_data}); + rva_offset_ = ${h.virtual_addr} - ${h.ptr_to_raw_data}; + + import_table_va_ = ${h.ptr_to_raw_data}; + get_import_table_addr(); + } + if ( has_export_table_ && ${h.virtual_addr} == export_table_rva_ ) + export_table_va_ = ${h.ptr_to_raw_data}; + return true; + %} + + function proc_image_import_directory(i: IMAGE_IMPORT_DIRECTORY): bool + %{ + num_imports_++; + return true; + %} + + function proc_iat(i: IMPORT_ADDRESS_TABLE): bool + %{ + printf("IAT processed\n"); + return true; + %} + + function get_import_table_addr(): uint32 + %{ + return has_import_table_ ? import_table_va_ : 0; + %} + + function get_import_table_len(): uint32 + %{ + return has_import_table_ ? import_table_len_ : 0; + %} + + function get_rva_offset(): uint32 + %{ + return rva_offset_; + %} + + function get_num_imports(): uint8 + %{ + return num_imports_; + %} + + function get_next_hint_align(): uint8 + %{ + return next_hint_align_; + %} + + function proc_import_lookup_table(t: IMPORT_LOOKUP_TABLE): bool + %{ + --num_imports_; + imports_per_module_.push_back(${t.attrs}->size()); + return true; + %} + + function get_next_hint_type(): bool + %{ + if ( next_hint_is_module_ ) + { + next_hint_is_module_ = false; + return true; + } + if ( --imports_per_module_[next_hint_index_] == 0) + { + ++next_hint_index_; + return true; + } + return false; + %} + + function imports_done(): bool + %{ + return next_hint_index_ == imports_per_module_.size(); + %} + + function proc_import_hint(h: IMPORT_HINT): bool + %{ + printf(" Imported function '%s'\n", ${h.name}.data()); + next_hint_align_ = ${h.name}.length() % 2; + return true; + %} + + function proc_import_module(m: IMPORT_MODULE): bool + %{ + printf("Imported module '%s'\n", ${m.name}.data()); + next_hint_align_ = ${m.name}.length() % 2; + return true; + %} }; \ No newline at end of file diff --git a/src/file_analysis/analyzer/pe/pe.pac b/src/file_analysis/analyzer/pe/pe.pac index 8a20fa3c62..df7c3011d9 100644 --- a/src/file_analysis/analyzer/pe/pe.pac +++ b/src/file_analysis/analyzer/pe/pe.pac @@ -14,7 +14,7 @@ connection MockConnection(bro_analyzer: BroFileAnalyzer) { %include pe-file.pac flow File { - flowunit = TheFile withcontext(connection, this); + flowunit = PE_File withcontext(connection, this); } %include pe-analyzer.pac From 575e22cfe713b10cf700d2b434edd26af6a15435 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 14 Apr 2015 20:21:43 -0500 Subject: [PATCH 17/31] PE Analyzer cleanup. --- .../analyzer/pe/pe-file-headers.pac | 114 ++++++ .../analyzer/pe/pe-file-idata.pac | 145 +++++++ .../analyzer/pe/pe-file-types.pac | 32 ++ src/file_analysis/analyzer/pe/pe-file.pac | 355 +----------------- 4 files changed, 296 insertions(+), 350 deletions(-) create mode 100644 src/file_analysis/analyzer/pe/pe-file-headers.pac create mode 100644 src/file_analysis/analyzer/pe/pe-file-idata.pac create mode 100644 src/file_analysis/analyzer/pe/pe-file-types.pac diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac new file mode 100644 index 0000000000..7c34277edb --- /dev/null +++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac @@ -0,0 +1,114 @@ +type Headers = record { + dos_header : DOS_Header; + dos_code : DOS_Code(dos_code_len); + pe_header : NT_Headers; + section_headers : Section_Headers(pe_header.file_header.NumberOfSections); +} &let { + dos_code_len: uint32 = dos_header.AddressOfNewExeHeader > 64 ? dos_header.AddressOfNewExeHeader - 64 : 0; + length: uint64 = 64 + dos_code_len + pe_header.length + section_headers.length; +}; + +# The DOS header gives us the offset of the NT headers +type DOS_Header = record { + signature : bytestring &length=2; + UsedBytesInTheLastPage : uint16; + FileSizeInPages : uint16; + NumberOfRelocationItems : uint16; + HeaderSizeInParagraphs : uint16; + MinimumExtraParagraphs : uint16; + MaximumExtraParagraphs : uint16; + InitialRelativeSS : uint16; + InitialSP : uint16; + Checksum : uint16; + InitialIP : uint16; + InitialRelativeCS : uint16; + AddressOfRelocationTable : uint16; + OverlayNumber : uint16; + Reserved : uint16[4]; + OEMid : uint16; + OEMinfo : uint16; + Reserved2 : uint16[10]; + AddressOfNewExeHeader : uint32; +} &length=64; + +type DOS_Code(len: uint32) = record { + code : bytestring &length=len; +}; + +# The NT headers give us the file and the optional headers. +type NT_Headers = record { + PESignature : uint32; + file_header : File_Header; + optional_header : Optional_Header(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader; +} &let { + length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header); +} &length=length; + +# The file header is mainly self-describing +type File_Header = record { + Machine : uint16; + NumberOfSections : uint16; + TimeDateStamp : uint32; + PointerToSymbolTable : uint32; + NumberOfSymbols : uint32; + SizeOfOptionalHeader : uint16; + Characteristics : uint16; +}; + +# The optional header gives us DLL link information, and some structural information +type Optional_Header(len: uint16, number_of_sections: uint16) = record { + magic : uint16; + major_linker_version : uint8; + minor_linker_version : uint8; + size_of_code : uint32; + size_of_init_data : uint32; + size_of_uninit_data : uint32; + addr_of_entry_point : uint32; + base_of_code : uint32; + base_of_data : uint32; + image_base : uint32; + section_alignment : uint32; + file_alignment : uint32; + os_version_major : uint16; + os_version_minor : uint16; + major_image_version : uint16; + minor_image_version : uint16; + major_subsys_version : uint16; + minor_subsys_version : uint16; + win32_version : uint32; + size_of_image : uint32; + size_of_headers : uint32; + checksum : uint32; + subsystem : uint16; + dll_characteristics : uint16; + mem: case magic of { + 267 -> i32 : Mem_Info32; + 268 -> i64 : Mem_Info64; + default -> InvalidPEFile : empty; + }; + loader_flags : uint32; + number_of_rva_and_sizes : uint32; + rvas : RVAS(number_of_rva_and_sizes); +} &length=len; + +type Section_Headers(num: uint16) = record { + sections : Section_Header[num]; +} &let { + length: uint32 = num*40; +} &length=length; + +type Section_Header = record { + name : bytestring &length=8; + virtual_size : uint32; + virtual_addr : uint32; + size_of_raw_data : uint32; + ptr_to_raw_data : uint32; + non_used_ptr_to_relocs : uint32; + non_used_ptr_to_line_nums : uint32; + non_used_num_of_relocs : uint16; + non_used_num_of_line_nums : uint16; + characteristics : uint32; +} &let { + proc: bool = $context.connection.proc_section(this); +} &length=40; + diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac new file mode 100644 index 0000000000..80200838e5 --- /dev/null +++ b/src/file_analysis/analyzer/pe/pe-file-idata.pac @@ -0,0 +1,145 @@ +## Support for parsing the .idata section + +type import_directory = record { + rva_import_lookup_table : uint32; + time_date_stamp : uint32; + forwarder_chain : uint32; + rva_module_name : uint32; + rva_import_addr_table : uint32; +} &let { + is_null: bool = rva_module_name == 0; + proc: bool = $context.connection.proc_image_import_directory(this); +} &length=20; + +type import_lookup_attrs = record { + attrs: uint32; +} &length=4; + +type import_lookup_table = record { + attrs: import_lookup_attrs[] &until($element.attrs == 0); +} &let { + proc: bool = $context.connection.proc_import_lookup_table(this); +}; + +type import_entry(is_module: bool, pad_align: uint8) = record { + pad: bytestring &length=pad_align; + has_index: case is_module of { + true -> null: empty; + false -> index: uint16; + }; + name: null_terminated_string; +}; + +type idata = record { + directory_table : import_directory[] &until $element.is_null; + lookup_tables : import_lookup_table[] &until $context.connection.get_num_imports() <= 0; + hint_table : import_entry($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done()); +}; + +refine typeattr RVAS += &let { + proc: bool = $context.connection.proc_idata_rva(rvas[1]) &if (num > 1); +}; + +refine connection MockConnection += { + %member{ + uint8 num_imports_; // How many import tables will we have? + + uint32 import_table_rva_; // Used for finding the right section + uint32 import_table_va_; + uint32 import_table_len_; + + // We need to track the number of imports for each, to + // know when we've parsed them all. + vector imports_per_module_; + + // These are to determine the alignment of the import hints + uint32 next_hint_index_; + uint8 next_hint_align_; + bool next_hint_is_module_; + %} + + %init{ + // It ends with a null import entry, so we'll set it to -1. + num_imports_ = -1; + + // First hint is a module name. + next_hint_is_module_ = true; + next_hint_index_ = 0; + next_hint_align_ = 0; + %} + + function proc_idata_rva(r: RVA): bool + %{ + import_table_rva_ = ${r.virtual_address}; + import_table_len_ = ${r.size}; + + return true; + %} + + function proc_section(h: Section_Header): bool + %{ + if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} == import_table_rva_ ) + import_table_va_ = ${h.ptr_to_raw_data}; + return true; + %} + + function proc_image_import_directory(i: import_directory): bool + %{ + num_imports_++; + return true; + %} + + function get_import_table_addr(): uint32 + %{ + return import_table_va_ > 0 ? import_table_va_ : 0; + %} + + function get_import_table_len(): uint32 + %{ + return import_table_va_ > 0 ? import_table_len_ : 0; + %} + + function get_num_imports(): uint8 + %{ + return num_imports_; + %} + + function get_next_hint_align(): uint8 + %{ + return next_hint_align_; + %} + + function proc_import_lookup_table(t: import_lookup_table): bool + %{ + --num_imports_; + imports_per_module_.push_back(${t.attrs}->size()); + return true; + %} + + function get_next_hint_type(): bool + %{ + if ( next_hint_is_module_ ) + { + next_hint_is_module_ = false; + return true; + } + if ( --imports_per_module_[next_hint_index_] == 0) + { + ++next_hint_index_; + return true; + } + return false; + %} + + function imports_done(): bool + %{ + return next_hint_index_ == imports_per_module_.size(); + %} + + function proc_import_hint(hint_name: bytestring): bool + %{ + next_hint_align_ = ${hint_name}.length() % 2; + printf("Import function: %s\n", ${hint_name}.data()); + return true; + %} +}; \ No newline at end of file diff --git a/src/file_analysis/analyzer/pe/pe-file-types.pac b/src/file_analysis/analyzer/pe/pe-file-types.pac new file mode 100644 index 0000000000..27b5a25d07 --- /dev/null +++ b/src/file_analysis/analyzer/pe/pe-file-types.pac @@ -0,0 +1,32 @@ +# Basic PE types + +type Mem_Info32 = record { + size_of_stack_reserve : uint32; + size_of_stack_commit : uint32; + size_of_heap_reserve : uint32; + size_of_heap_commit : uint32; +} &byteorder=littleendian &length=16; + +type Mem_Info64 = record { + size_of_stack_reserve : uint64; + size_of_stack_commit : uint64; + size_of_heap_reserve : uint64; + size_of_heap_commit : uint64; +} &byteorder=littleendian &length=32; + +type RVAS(num: uint32) = record { + rvas : RVA[num]; +}; + +type RVA = record { + virtual_address : uint32; + size : uint32; +} &length=8; + +# The BinPAC padding type doesn't work here. +type Padding(length: uint32) = record { + pad: bytestring &length=length &transient; +}; + +type null_terminated_string = RE/[A-Za-z0-9.]+\x00/; + diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index ef048079a5..1c748f3764 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -1,359 +1,14 @@ +%include pe-file-types.pac +%include pe-file-headers.pac +%include pe-file-idata.pac + # The base record for a Portable Executable file type PE_File = record { headers : Headers; pad : Padding(iat_loc); - iat : IMPORT_ADDRESS_TABLE &length=$context.connection.get_import_table_len(); + iat : idata &length=$context.connection.get_import_table_len(); } &let { unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length; iat_loc: uint32 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len; - } &byteorder=littleendian; -## Headers - -type Headers = record { - dos_header : DOS_Header; - dos_code : DOS_Code(dos_code_len); - pe_header : NT_Headers; - section_headers : Section_Headers(pe_header.file_header.NumberOfSections); -} &let { - dos_code_len: uint32 = dos_header.AddressOfNewExeHeader > 64 ? dos_header.AddressOfNewExeHeader - 64 : 0; - length: uint64 = 64 + dos_code_len + pe_header.length + section_headers.length; -}; - -# The DOS header gives us the offset of the NT headers -type DOS_Header = record { - signature : bytestring &length=2; - UsedBytesInTheLastPage : uint16; - FileSizeInPages : uint16; - NumberOfRelocationItems : uint16; - HeaderSizeInParagraphs : uint16; - MinimumExtraParagraphs : uint16; - MaximumExtraParagraphs : uint16; - InitialRelativeSS : uint16; - InitialSP : uint16; - Checksum : uint16; - InitialIP : uint16; - InitialRelativeCS : uint16; - AddressOfRelocationTable : uint16; - OverlayNumber : uint16; - Reserved : uint16[4]; - OEMid : uint16; - OEMinfo : uint16; - Reserved2 : uint16[10]; - AddressOfNewExeHeader : uint32; -} &byteorder=littleendian &length=64; - -type DOS_Code(len: uint32) = record { - code : bytestring &length=len; -}; - -# The NT headers give us the file and the optional headers. -type NT_Headers = record { - PESignature : uint32; - file_header : File_Header; - optional_header : Optional_Header(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader; -} &let { - length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header); -} &byteorder=littleendian &length=length; - -# The file header is mainly self-describing -type File_Header = record { - Machine : uint16; - NumberOfSections : uint16; - TimeDateStamp : uint32; - PointerToSymbolTable : uint32; - NumberOfSymbols : uint32; - SizeOfOptionalHeader : uint16; - Characteristics : uint16; -}; - -# The optional header gives us DLL link information, and some structural information -type Optional_Header(len: uint16, number_of_sections: uint16) = record { - magic : uint16; - major_linker_version : uint8; - minor_linker_version : uint8; - size_of_code : uint32; - size_of_init_data : uint32; - size_of_uninit_data : uint32; - addr_of_entry_point : uint32; - base_of_code : uint32; - base_of_data : uint32; - image_base : uint32; - section_alignment : uint32; - file_alignment : uint32; - os_version_major : uint16; - os_version_minor : uint16; - major_image_version : uint16; - minor_image_version : uint16; - major_subsys_version : uint16; - minor_subsys_version : uint16; - win32_version : uint32; - size_of_image : uint32; - size_of_headers : uint32; - checksum : uint32; - subsystem : uint16; - dll_characteristics : uint16; - mem: case magic of { - 267 -> i32 : Mem_Info32; - 268 -> i64 : Mem_Info64; - default -> InvalidPEFile : empty; - }; - loader_flags : uint32; - number_of_rva_and_sizes : uint32; - rvas : RVAS(number_of_rva_and_sizes); -} &byteorder=littleendian &length=len; - -type Mem_Info32 = record { - size_of_stack_reserve : uint32; - size_of_stack_commit : uint32; - size_of_heap_reserve : uint32; - size_of_heap_commit : uint32; -} &byteorder=littleendian &length=16; - -type Mem_Info64 = record { - size_of_stack_reserve : uint64; - size_of_stack_commit : uint64; - size_of_heap_reserve : uint64; - size_of_heap_commit : uint64; -} &byteorder=littleendian &length=32; - -type RVAS(num: uint32) = record { - rvas : RVA[num]; -}; - -type RVA = record { - virtual_address : uint32; - size : uint32; -} &let { - proc: bool = $context.connection.proc_rva(this); -} &length=8; - -type Section_Headers(num: uint16) = record { - sections : Section_Header[num]; -} &let { - length: uint32 = num*40; -} &length=length; - -type Section_Header = record { - name : bytestring &length=8; - virtual_size : uint32; - virtual_addr : uint32; - size_of_raw_data : uint32; - ptr_to_raw_data : uint32; - non_used_ptr_to_relocs : uint32; - non_used_ptr_to_line_nums : uint32; - non_used_num_of_relocs : uint16; - non_used_num_of_line_nums : uint16; - characteristics : uint32; -} &let { - proc: bool = $context.connection.proc_section(this); -} &byteorder=littleendian &length=40; - -## The BinPAC padding type doens't work here. - -type Padding(length: uint32) = record { - blah: bytestring &length=length &transient; -}; - -## Support for parsing the .idata section - -type IMAGE_IMPORT_DIRECTORY = record { - rva_import_lookup_table : uint32; - time_date_stamp : uint32; - forwarder_chain : uint32; - rva_module_name : uint32; - rva_import_addr_table : uint32; -} &let { - is_null: bool = rva_module_name == 0; - proc: bool = $context.connection.proc_image_import_directory(this); -} &length=20; - -type IMPORT_LOOKUP_ATTRS = record { - attrs: uint32; -} &let { - is_null: bool = attrs == 0; -} &length=4; - -type IMPORT_LOOKUP_TABLE = record { - attrs: IMPORT_LOOKUP_ATTRS[] &until($element.is_null); -} &let { - proc: bool = $context.connection.proc_import_lookup_table(this); -}; - -#type null_terminated_string = RE/[^\x00]+\x00/; -type null_terminated_string = RE/[A-Za-z0-9.]+\x00/; - -type IMPORT_ENTRY(is_module: bool, pad_align: uint8) = case is_module of { - true -> module: IMPORT_MODULE(pad_align); - false -> hint: IMPORT_HINT(pad_align); -}; - -type IMPORT_MODULE(pad_align: uint8) = record { - pad: bytestring &length=pad_align; - name: null_terminated_string; -} &let { - proc: bool = $context.connection.proc_import_module(this); -}; - -type IMPORT_HINT(pad_align: uint8) = record { - pad: bytestring &length=pad_align; - index: uint16; - name: null_terminated_string; -} &let { - proc: bool = $context.connection.proc_import_hint(this); - last: bool = sizeof(name) == 0; -}; - -type IMPORT_ADDRESS_TABLE = record { - directory_table : IMAGE_IMPORT_DIRECTORY[] &until $element.is_null; - lookup_tables : IMPORT_LOOKUP_TABLE[] &until $context.connection.get_num_imports() <= 0; - hint_table : IMPORT_ENTRY($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done()); -} &let { - proc: bool = $context.connection.proc_iat(this); -}; - -refine connection MockConnection += { - %member{ - uint8 rvas_seen_; - uint8 num_imports_; - uint32 rva_offset_; - - bool has_import_table_; - uint32 import_table_va_; - uint32 import_table_rva_; - uint32 import_table_len_; - vector imports_per_module_; - uint32 next_hint_index_; - uint8 next_hint_align_; - bool next_hint_is_module_; - - bool has_export_table_; - uint32 export_table_va_; - uint32 export_table_rva_; - %} - - %init{ - rvas_seen_ = 0; - rva_offset_ = 0; - num_imports_ = -1; - has_import_table_ = false; - has_export_table_ = false; - - next_hint_is_module_ = true; - next_hint_index_ = 0; - next_hint_align_ = 0; - %} - - function proc_rva(r: RVA): bool - %{ - if ( rvas_seen_ == 1 ) - { - has_import_table_ = ${r.virtual_address} > 0; - if ( has_import_table_ ) { - import_table_rva_ = ${r.virtual_address}; - import_table_len_ = ${r.size}; - } - } - if ( rvas_seen_ == 2 ) - { - has_export_table_ = ${r.virtual_address} > 0; - if ( has_export_table_ ) - export_table_rva_ = ${r.virtual_address}; - } - ++rvas_seen_; - return true; - %} - - function proc_section(h: Section_Header): bool - %{ - if ( has_import_table_ && ${h.virtual_addr} == import_table_rva_ ){ - printf("Found import table %d\n", ${h.ptr_to_raw_data}); - rva_offset_ = ${h.virtual_addr} - ${h.ptr_to_raw_data}; - - import_table_va_ = ${h.ptr_to_raw_data}; - get_import_table_addr(); - } - if ( has_export_table_ && ${h.virtual_addr} == export_table_rva_ ) - export_table_va_ = ${h.ptr_to_raw_data}; - return true; - %} - - function proc_image_import_directory(i: IMAGE_IMPORT_DIRECTORY): bool - %{ - num_imports_++; - return true; - %} - - function proc_iat(i: IMPORT_ADDRESS_TABLE): bool - %{ - printf("IAT processed\n"); - return true; - %} - - function get_import_table_addr(): uint32 - %{ - return has_import_table_ ? import_table_va_ : 0; - %} - - function get_import_table_len(): uint32 - %{ - return has_import_table_ ? import_table_len_ : 0; - %} - - function get_rva_offset(): uint32 - %{ - return rva_offset_; - %} - - function get_num_imports(): uint8 - %{ - return num_imports_; - %} - - function get_next_hint_align(): uint8 - %{ - return next_hint_align_; - %} - - function proc_import_lookup_table(t: IMPORT_LOOKUP_TABLE): bool - %{ - --num_imports_; - imports_per_module_.push_back(${t.attrs}->size()); - return true; - %} - - function get_next_hint_type(): bool - %{ - if ( next_hint_is_module_ ) - { - next_hint_is_module_ = false; - return true; - } - if ( --imports_per_module_[next_hint_index_] == 0) - { - ++next_hint_index_; - return true; - } - return false; - %} - - function imports_done(): bool - %{ - return next_hint_index_ == imports_per_module_.size(); - %} - - function proc_import_hint(h: IMPORT_HINT): bool - %{ - printf(" Imported function '%s'\n", ${h.name}.data()); - next_hint_align_ = ${h.name}.length() % 2; - return true; - %} - - function proc_import_module(m: IMPORT_MODULE): bool - %{ - printf("Imported module '%s'\n", ${m.name}.data()); - next_hint_align_ = ${m.name}.length() % 2; - return true; - %} -}; \ No newline at end of file From 0b5103b41b222af414929097f2e3da7be127884d Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 14 Apr 2015 21:09:16 -0500 Subject: [PATCH 18/31] Fix support for PE32+ files. --- .../analyzer/pe/pe-file-headers.pac | 59 +++++++++++- .../analyzer/pe/pe-file-idata.pac | 95 ++++++++++--------- .../analyzer/pe/pe-file-types.pac | 8 +- src/file_analysis/analyzer/pe/pe-file.pac | 10 +- 4 files changed, 118 insertions(+), 54 deletions(-) diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac index 7c34277edb..c732ed4001 100644 --- a/src/file_analysis/analyzer/pe/pe-file-headers.pac +++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac @@ -65,8 +65,14 @@ type Optional_Header(len: uint16, number_of_sections: uint16) = record { size_of_uninit_data : uint32; addr_of_entry_point : uint32; base_of_code : uint32; - base_of_data : uint32; - image_base : uint32; + have_base_of_data: case pe_format of { + PE32 -> base_of_data: uint32; + default -> not_present: empty; + }; + is_pe32: case pe_format of { + PE32_PLUS -> image_base_64: uint64; + default -> image_base_32: uint32; + }; section_alignment : uint32; file_alignment : uint32; os_version_major : uint16; @@ -81,14 +87,17 @@ type Optional_Header(len: uint16, number_of_sections: uint16) = record { checksum : uint32; subsystem : uint16; dll_characteristics : uint16; - mem: case magic of { - 267 -> i32 : Mem_Info32; - 268 -> i64 : Mem_Info64; + mem: case pe_format of { + PE32 -> i32: Mem_Info32; + PE32_PLUS -> i64: Mem_Info64; default -> InvalidPEFile : empty; }; loader_flags : uint32; number_of_rva_and_sizes : uint32; rvas : RVAS(number_of_rva_and_sizes); +} &let { + pe_format: uint8 = $context.connection.set_pe32_format(magic); + image_base: uint64 = pe_format == PE32_PLUS ? image_base_64 : image_base_32; } &length=len; type Section_Headers(num: uint16) = record { @@ -112,3 +121,43 @@ type Section_Header = record { proc: bool = $context.connection.proc_section(this); } &length=40; +refine connection MockConnection += { + %member{ + uint64 max_file_location_; + uint8 pe32_format_; + %} + + %init{ + max_file_location_ = 0; + pe32_format_ = UNKNOWN_VERSION;; + %} + + function proc_section(h: Section_Header): bool + %{ + if ( ${h.size_of_raw_data} + ${h.ptr_to_raw_data} > max_file_location_ ) + max_file_location_ = ${h.size_of_raw_data} + ${h.ptr_to_raw_data}; + + if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} == import_table_rva_ ) + import_table_va_ = ${h.ptr_to_raw_data}; + return true; + %} + + function set_pe32_format(magic: uint16): uint8 + %{ + if ( ${magic} == 0x10b ) + pe32_format_ = PE32; + if ( ${magic} == 0x20b ) + pe32_format_ = PE32_PLUS; + return pe32_format_; + %} + + function get_max_file_location(): uint64 + %{ + return max_file_location_; + %} + + function get_pe32_format(): uint8 + %{ + return pe32_format_; + %} +}; diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac index 80200838e5..ec87ca6673 100644 --- a/src/file_analysis/analyzer/pe/pe-file-idata.pac +++ b/src/file_analysis/analyzer/pe/pe-file-idata.pac @@ -11,12 +11,17 @@ type import_directory = record { proc: bool = $context.connection.proc_image_import_directory(this); } &length=20; -type import_lookup_attrs = record { - attrs: uint32; -} &length=4; +type import_lookup_attrs(pe32_format: uint8) = record { + is_pe32_plus: case pe32_format of { + PE32_PLUS -> attrs_64: uint64; + default -> attrs_32: uint32; + }; +} &let { + attrs: uint64 = (pe32_format == PE32_PLUS) ? attrs_64 : attrs_32; +} &length=(pe32_format == PE32_PLUS ? 8 : 4); type import_lookup_table = record { - attrs: import_lookup_attrs[] &until($element.attrs == 0); + attrs: import_lookup_attrs($context.connection.get_pe32_format())[] &until($element.attrs == 0); } &let { proc: bool = $context.connection.proc_import_lookup_table(this); }; @@ -28,6 +33,8 @@ type import_entry(is_module: bool, pad_align: uint8) = record { false -> index: uint16; }; name: null_terminated_string; +} &let { + proc: bool = $context.connection.proc_import_hint(name); }; type idata = record { @@ -68,6 +75,8 @@ refine connection MockConnection += { next_hint_align_ = 0; %} + # When we read the section header, store the relative virtual address and + # size of the .idata section, so we know when we get there. function proc_idata_rva(r: RVA): bool %{ import_table_rva_ = ${r.virtual_address}; @@ -76,19 +85,50 @@ refine connection MockConnection += { return true; %} - function proc_section(h: Section_Header): bool - %{ - if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} == import_table_rva_ ) - import_table_va_ = ${h.ptr_to_raw_data}; - return true; - %} - + # Each import directory means another module we're importing from. function proc_image_import_directory(i: import_directory): bool %{ num_imports_++; return true; %} + # Store the number of functions imported in each module lookup table. + function proc_import_lookup_table(t: import_lookup_table): bool + %{ + --num_imports_; + imports_per_module_.push_back(${t.attrs}->size()); + return true; + %} + + # We need to calculate the length of the next padding field + function proc_import_hint(hint_name: bytestring): bool + %{ + next_hint_align_ = ${hint_name}.length() % 2; + printf("Imported %s\n", ${hint_name}.data()); + return true; + %} + + # Functions have an index field, modules don't. Which one is this? + function get_next_hint_type(): bool + %{ + if ( next_hint_is_module_ ) + { + next_hint_is_module_ = false; + return true; + } + if ( --imports_per_module_[next_hint_index_] == 0) + { + ++next_hint_index_; + return true; + } + return false; + %} + + function imports_done(): bool + %{ + return next_hint_index_ == imports_per_module_.size(); + %} + function get_import_table_addr(): uint32 %{ return import_table_va_ > 0 ? import_table_va_ : 0; @@ -109,37 +149,4 @@ refine connection MockConnection += { return next_hint_align_; %} - function proc_import_lookup_table(t: import_lookup_table): bool - %{ - --num_imports_; - imports_per_module_.push_back(${t.attrs}->size()); - return true; - %} - - function get_next_hint_type(): bool - %{ - if ( next_hint_is_module_ ) - { - next_hint_is_module_ = false; - return true; - } - if ( --imports_per_module_[next_hint_index_] == 0) - { - ++next_hint_index_; - return true; - } - return false; - %} - - function imports_done(): bool - %{ - return next_hint_index_ == imports_per_module_.size(); - %} - - function proc_import_hint(hint_name: bytestring): bool - %{ - next_hint_align_ = ${hint_name}.length() % 2; - printf("Import function: %s\n", ${hint_name}.data()); - return true; - %} }; \ No newline at end of file diff --git a/src/file_analysis/analyzer/pe/pe-file-types.pac b/src/file_analysis/analyzer/pe/pe-file-types.pac index 27b5a25d07..57020a88da 100644 --- a/src/file_analysis/analyzer/pe/pe-file-types.pac +++ b/src/file_analysis/analyzer/pe/pe-file-types.pac @@ -1,5 +1,11 @@ # Basic PE types +enum PE_File_Format { + UNKNOWN_VERSION = 0, + PE32 = 1, + PE32_PLUS = 2, +}; + type Mem_Info32 = record { size_of_stack_reserve : uint32; size_of_stack_commit : uint32; @@ -24,7 +30,7 @@ type RVA = record { } &length=8; # The BinPAC padding type doesn't work here. -type Padding(length: uint32) = record { +type Padding(length: uint64) = record { pad: bytestring &length=length &transient; }; diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index 1c748f3764..07129b878d 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -4,11 +4,13 @@ # The base record for a Portable Executable file type PE_File = record { - headers : Headers; - pad : Padding(iat_loc); - iat : idata &length=$context.connection.get_import_table_len(); + headers : Headers; + pad1 : Padding(iat_loc); + iat : idata &length=$context.connection.get_import_table_len(); + pad2 : Padding(restofdata); } &let { unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length; - iat_loc: uint32 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len; + iat_loc: uint64 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len; + restofdata: uint64 = $context.connection.get_max_file_location() - $context.connection.get_import_table_addr() - $context.connection.get_import_table_len(); } &byteorder=littleendian; From 4753e4a3c2b4486367ab19e6544e7e70147c79c4 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Thu, 16 Apr 2015 19:44:39 -0500 Subject: [PATCH 19/31] Make base_of_data optional. --- scripts/base/init-bare.bro | 2 +- src/file_analysis/analyzer/pe/pe-analyzer.pac | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d30874a1b2..866b9d5ff9 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2586,7 +2586,7 @@ type PE::OptionalHeader: record { size_of_uninit_data : count; addr_of_entry_point : count; base_of_code : count; - base_of_data : count; + base_of_data : count &optional; image_base : count; section_alignment : count; file_alignment : count; diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 1d7d0dbbff..e227f9af0d 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -114,7 +114,10 @@ refine flow File += { oh->Assign(5, new Val(${h.size_of_uninit_data}, TYPE_COUNT)); oh->Assign(6, new Val(${h.addr_of_entry_point}, TYPE_COUNT)); oh->Assign(7, new Val(${h.base_of_code}, TYPE_COUNT)); - oh->Assign(8, new Val(${h.base_of_data}, TYPE_COUNT)); + + if ( ${h.pe_format} != PE32_PLUS ) + oh->Assign(8, new Val(${h.base_of_data}, TYPE_COUNT)); + oh->Assign(9, new Val(${h.image_base}, TYPE_COUNT)); oh->Assign(10, new Val(${h.section_alignment}, TYPE_COUNT)); oh->Assign(11, new Val(${h.file_alignment}, TYPE_COUNT)); From 81bafb6c36c3aa9762ee68fd98957bae2e8c357e Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Thu, 16 Apr 2015 22:56:47 -0400 Subject: [PATCH 20/31] PE: Rehash the log a bit. --- scripts/base/files/pe/main.bro | 60 ++++++++++++++++++++++++---------- 1 file changed, 42 insertions(+), 18 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index b05f1e3b72..cb2004deff 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -5,14 +5,28 @@ export { redef enum Log::ID += { LOG }; type Info: record { - ts: time &log; - fuid: string &log; - machine: string &log &optional; - compile_ts: time &log &optional; - os: string &log &optional; - subsystem: string &log &optional; - characteristics: set[string] &log &optional; - section_names: vector of string &log &optional; + ts: time &log; + fuid: string &log; + machine: string &log &optional; + compile_ts: time &log &optional; + os: string &log &optional; + subsystem: string &log &optional; + + is_exe: bool &log &default=F; + is_dll: bool &log &default=F; + is_64bit: bool &log &default=T; + + uses_aslr: bool &log &default=F; + uses_dep: bool &log &default=F; + uses_code_integrity: bool &log &default=F; + uses_seh: bool &log &default=T; + + has_import_table: bool &log &optional; + has_export_table: bool &log &optional; + has_cert_table: bool &log &optional; + has_debug_data: bool &log &optional; + + section_names: vector of string &log &optional; }; @@ -33,41 +47,51 @@ hook set_file(f: fa_file) &priority=5 if ( ! f?$pe ) { local c: set[string] = set(); - f$pe = [$ts=network_time(), $fuid=f$id, $characteristics=c]; + f$pe = [$ts=network_time(), $fuid=f$id]; } } event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 { -# print "DOS header"; -# print h; hook set_file(f); } event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 { -# print "File header"; -# print h; hook set_file(f); f$pe$compile_ts = h$ts; f$pe$machine = machine_types[h$machine]; for ( c in h$characteristics ) - add f$pe$characteristics[PE::file_characteristics[c]]; + { + if ( c == 0x2 ) + f$pe$is_exe = T; + if ( c == 0x100 ) + f$pe$is_64bit = F; + if ( c == 0x2000 ) + f$pe$is_dll = T; + } } event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 { -# print "Optional header"; -# print h; hook set_file(f); f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; f$pe$subsystem = windows_subsystems[h$subsystem]; + for ( c in h$dll_characteristics ) + { + if ( c == 0x40 ) + f$pe$uses_aslr = T; + if ( c == 0x80 ) + f$pe$uses_code_integrity = T; + if ( c == 0x100 ) + f$pe$uses_dep = T; + if ( c == 0x400 ) + f$pe$uses_seh = F; + } } event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 { -# print "Section header"; -# print h; hook set_file(f); if ( ! f$pe?$section_names ) From 546cbf50c99a7d6b11154d0f27b7d1faf881fa86 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sat, 18 Apr 2015 19:41:16 -0400 Subject: [PATCH 21/31] Fix a PE analyzer failure where the IAT isn't aligned with a section boundary. --- src/file_analysis/analyzer/pe/PE.cc | 2 ++ src/file_analysis/analyzer/pe/events.bif | 8 ++++- src/file_analysis/analyzer/pe/pe-analyzer.pac | 25 +++++++++++----- .../analyzer/pe/pe-file-headers.pac | 20 ++++++------- .../analyzer/pe/pe-file-idata.pac | 27 ++++++++++++++--- .../analyzer/pe/pe-file-types.pac | 1 - src/file_analysis/analyzer/pe/pe-file.pac | 29 ++++++++++++++++++- 7 files changed, 87 insertions(+), 25 deletions(-) diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc index 59fbad91df..6df2dc8d99 100644 --- a/src/file_analysis/analyzer/pe/PE.cc +++ b/src/file_analysis/analyzer/pe/PE.cc @@ -18,6 +18,8 @@ PE::~PE() bool PE::DeliverStream(const u_char* data, uint64 len) { + if ( conn->is_done() ) + return true; try { interp->NewData(data, data + len); diff --git a/src/file_analysis/analyzer/pe/events.bif b/src/file_analysis/analyzer/pe/events.bif index b6ce808278..3e6bbf8faf 100644 --- a/src/file_analysis/analyzer/pe/events.bif +++ b/src/file_analysis/analyzer/pe/events.bif @@ -1,5 +1,11 @@ event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); + event pe_dos_code%(f: fa_file, code: string%); + event pe_file_header%(f: fa_file, h: PE::FileHeader%); + event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); -event pe_section_header%(f: fa_file, h: PE::SectionHeader%); \ No newline at end of file + +event pe_section_header%(f: fa_file, h: PE::SectionHeader%); + +event pe_import_entry%(f: fa_file, m: string, name: string%); \ No newline at end of file diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index e227f9af0d..1baaf93947 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -174,13 +174,23 @@ refine flow File += { return true; %} - - function proc_pe_file(): bool + function proc_import_entry(module_name: bytestring, i: import_entry): bool %{ - printf("PE file processed\n"); + if ( pe_import_entry ) + { + StringVal* name; + if ( ${i.name}.length() > 1 ) + name = new StringVal(${i.name}.length() - 1, (const char*) ${i.name}.begin()); + else + name = new StringVal(0, (const char*) ${i.name}.begin()); + + BifEvent::generate_pe_import_entry((analyzer::Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + bytestring_to_val(${module_name}), + name); + } return true; %} - }; refine typeattr DOS_Header += &let { @@ -204,10 +214,9 @@ refine typeattr Optional_Header += &let { }; refine typeattr Section_Header += &let { - proc2: bool = $context.flow.proc_section_header(this); + proc: bool = $context.flow.proc_section_header(this); }; -refine typeattr PE_File += &let { - proc: bool = $context.flow.proc_pe_file(); +refine typeattr import_entry += &let { + proc: bool = $context.flow.proc_import_entry($context.connection.get_module_name(), this) &if(!is_module); }; - diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac index c732ed4001..05628917f4 100644 --- a/src/file_analysis/analyzer/pe/pe-file-headers.pac +++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac @@ -39,7 +39,7 @@ type DOS_Code(len: uint32) = record { type NT_Headers = record { PESignature : uint32; file_header : File_Header; - optional_header : Optional_Header(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader; + optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader; } &let { length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header); } &length=length; @@ -56,7 +56,7 @@ type File_Header = record { }; # The optional header gives us DLL link information, and some structural information -type Optional_Header(len: uint16, number_of_sections: uint16) = record { +type Optional_Header = record { magic : uint16; major_linker_version : uint8; minor_linker_version : uint8; @@ -68,11 +68,11 @@ type Optional_Header(len: uint16, number_of_sections: uint16) = record { have_base_of_data: case pe_format of { PE32 -> base_of_data: uint32; default -> not_present: empty; - }; + } &requires(pe_format); is_pe32: case pe_format of { PE32_PLUS -> image_base_64: uint64; default -> image_base_32: uint32; - }; + } &requires(pe_format); section_alignment : uint32; file_alignment : uint32; os_version_major : uint16; @@ -91,14 +91,14 @@ type Optional_Header(len: uint16, number_of_sections: uint16) = record { PE32 -> i32: Mem_Info32; PE32_PLUS -> i64: Mem_Info64; default -> InvalidPEFile : empty; - }; + } &requires(pe_format); loader_flags : uint32; number_of_rva_and_sizes : uint32; rvas : RVAS(number_of_rva_and_sizes); } &let { pe_format: uint8 = $context.connection.set_pe32_format(magic); image_base: uint64 = pe_format == PE32_PLUS ? image_base_64 : image_base_32; -} &length=len; +}; type Section_Headers(num: uint16) = record { sections : Section_Header[num]; @@ -118,7 +118,7 @@ type Section_Header = record { non_used_num_of_line_nums : uint16; characteristics : uint32; } &let { - proc: bool = $context.connection.proc_section(this); + add_section: bool = $context.connection.add_section(this); } &length=40; refine connection MockConnection += { @@ -132,13 +132,13 @@ refine connection MockConnection += { pe32_format_ = UNKNOWN_VERSION;; %} - function proc_section(h: Section_Header): bool + function add_section(h: Section_Header): bool %{ if ( ${h.size_of_raw_data} + ${h.ptr_to_raw_data} > max_file_location_ ) max_file_location_ = ${h.size_of_raw_data} + ${h.ptr_to_raw_data}; - if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} == import_table_rva_ ) - import_table_va_ = ${h.ptr_to_raw_data}; + if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} <= import_table_rva_ && ( ${h.virtual_addr} + ${h.virtual_size} ) > import_table_rva_ ) + import_table_va_ = ${h.ptr_to_raw_data} + (import_table_rva_ - ${h.virtual_addr}); return true; %} diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac index ec87ca6673..d3ce2e9ffd 100644 --- a/src/file_analysis/analyzer/pe/pe-file-idata.pac +++ b/src/file_analysis/analyzer/pe/pe-file-idata.pac @@ -29,12 +29,12 @@ type import_lookup_table = record { type import_entry(is_module: bool, pad_align: uint8) = record { pad: bytestring &length=pad_align; has_index: case is_module of { - true -> null: empty; + true -> null: empty; false -> index: uint16; }; name: null_terminated_string; } &let { - proc: bool = $context.connection.proc_import_hint(name); + proc_align: bool = $context.connection.proc_import_hint(name, is_module); }; type idata = record { @@ -63,6 +63,9 @@ refine connection MockConnection += { uint32 next_hint_index_; uint8 next_hint_align_; bool next_hint_is_module_; + + // Track the module name, so we know what each import's for + bytestring module_name_; %} %init{ @@ -73,6 +76,12 @@ refine connection MockConnection += { next_hint_is_module_ = true; next_hint_index_ = 0; next_hint_align_ = 0; + + module_name_ = bytestring(); + %} + + %cleanup{ + module_name_.free(); %} # When we read the section header, store the relative virtual address and @@ -101,10 +110,15 @@ refine connection MockConnection += { %} # We need to calculate the length of the next padding field - function proc_import_hint(hint_name: bytestring): bool + function proc_import_hint(hint_name: bytestring, is_module: bool): bool %{ next_hint_align_ = ${hint_name}.length() % 2; - printf("Imported %s\n", ${hint_name}.data()); + if ( is_module && ${hint_name}.length() > 1 ) + { + module_name_.clear(); + module_name_.init(${hint_name}.data(), ${hint_name}.length() - 1); + } + return true; %} @@ -129,6 +143,11 @@ refine connection MockConnection += { return next_hint_index_ == imports_per_module_.size(); %} + function get_module_name(): bytestring + %{ + return module_name_; + %} + function get_import_table_addr(): uint32 %{ return import_table_va_ > 0 ? import_table_va_ : 0; diff --git a/src/file_analysis/analyzer/pe/pe-file-types.pac b/src/file_analysis/analyzer/pe/pe-file-types.pac index 57020a88da..b2fa934dc4 100644 --- a/src/file_analysis/analyzer/pe/pe-file-types.pac +++ b/src/file_analysis/analyzer/pe/pe-file-types.pac @@ -35,4 +35,3 @@ type Padding(length: uint64) = record { }; type null_terminated_string = RE/[A-Za-z0-9.]+\x00/; - diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index 07129b878d..3d69256682 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -3,7 +3,12 @@ %include pe-file-idata.pac # The base record for a Portable Executable file -type PE_File = record { +type PE_File = case $context.connection.is_done() of { + false -> PE : Portable_Executable; + true -> overlay : bytestring &length=1 &transient; +}; + +type Portable_Executable = record { headers : Headers; pad1 : Padding(iat_loc); iat : idata &length=$context.connection.get_import_table_len(); @@ -12,5 +17,27 @@ type PE_File = record { unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length; iat_loc: uint64 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len; restofdata: uint64 = $context.connection.get_max_file_location() - $context.connection.get_import_table_addr() - $context.connection.get_import_table_len(); + proc: bool = $context.connection.proc_pe(this); } &byteorder=littleendian; +refine connection MockConnection += { + + %member{ + bool done_; + %} + + %init{ + done_ = false; + %} + + function proc_pe(p: Portable_Executable): bool + %{ + done_ = true; + return true; + %} + + function is_done(): bool + %{ + return done_; + %} +}; From ea36686524b807916c34f0a8ed46fc3b62bdaf00 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sun, 19 Apr 2015 18:15:21 -0400 Subject: [PATCH 22/31] Remove the .idata parsing, as it can be more complicated in some cases. --- scripts/base/files/pe/main.bro | 15 +- src/file_analysis/analyzer/pe/pe-analyzer.pac | 24 +-- .../analyzer/pe/pe-file-headers.pac | 4 +- .../analyzer/pe/pe-file-idata.pac | 171 ------------------ src/file_analysis/analyzer/pe/pe-file.pac | 8 +- 5 files changed, 16 insertions(+), 206 deletions(-) delete mode 100644 src/file_analysis/analyzer/pe/pe-file-idata.pac diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index cb2004deff..bbe0846f04 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -29,10 +29,13 @@ export { section_names: vector of string &log &optional; }; - global set_file: hook(f: fa_file); } +redef record Info += { + confirmed: bool &default=F; +}; + redef record fa_file += { pe: Info &optional; }; @@ -75,6 +78,12 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 { hook set_file(f); + + if ( h$magic == 0x10b || h$magic == 0x20b ) + f$pe$confirmed = T; + else + return; + f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; f$pe$subsystem = windows_subsystems[h$subsystem]; for ( c in h$dll_characteristics ) @@ -99,9 +108,9 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 f$pe$section_names[|f$pe$section_names|] = h$name; } -event file_state_remove(f: fa_file) +event file_state_remove(f: fa_file) &priority=-5 { - if ( f?$pe ) + if ( f?$pe && f$pe$confirmed ) Log::write(LOG, f$pe); } diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 1baaf93947..1c61241684 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -98,8 +98,8 @@ refine flow File += { ${h.magic} != 0x107 && // rom image ${h.magic} != 0x20b ) // pe32+ executable { - return false; // FileViolation("PE Optional Header magic is invalid."); + return false; } if ( pe_optional_header ) @@ -173,24 +173,6 @@ refine flow File += { } return true; %} - - function proc_import_entry(module_name: bytestring, i: import_entry): bool - %{ - if ( pe_import_entry ) - { - StringVal* name; - if ( ${i.name}.length() > 1 ) - name = new StringVal(${i.name}.length() - 1, (const char*) ${i.name}.begin()); - else - name = new StringVal(0, (const char*) ${i.name}.begin()); - - BifEvent::generate_pe_import_entry((analyzer::Analyzer *) connection()->bro_analyzer(), - connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), - bytestring_to_val(${module_name}), - name); - } - return true; - %} }; refine typeattr DOS_Header += &let { @@ -216,7 +198,3 @@ refine typeattr Optional_Header += &let { refine typeattr Section_Header += &let { proc: bool = $context.flow.proc_section_header(this); }; - -refine typeattr import_entry += &let { - proc: bool = $context.flow.proc_import_entry($context.connection.get_module_name(), this) &if(!is_module); -}; diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac index 05628917f4..adf0ce575d 100644 --- a/src/file_analysis/analyzer/pe/pe-file-headers.pac +++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac @@ -136,9 +136,7 @@ refine connection MockConnection += { %{ if ( ${h.size_of_raw_data} + ${h.ptr_to_raw_data} > max_file_location_ ) max_file_location_ = ${h.size_of_raw_data} + ${h.ptr_to_raw_data}; - - if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} <= import_table_rva_ && ( ${h.virtual_addr} + ${h.virtual_size} ) > import_table_rva_ ) - import_table_va_ = ${h.ptr_to_raw_data} + (import_table_rva_ - ${h.virtual_addr}); + return true; %} diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac deleted file mode 100644 index d3ce2e9ffd..0000000000 --- a/src/file_analysis/analyzer/pe/pe-file-idata.pac +++ /dev/null @@ -1,171 +0,0 @@ -## Support for parsing the .idata section - -type import_directory = record { - rva_import_lookup_table : uint32; - time_date_stamp : uint32; - forwarder_chain : uint32; - rva_module_name : uint32; - rva_import_addr_table : uint32; -} &let { - is_null: bool = rva_module_name == 0; - proc: bool = $context.connection.proc_image_import_directory(this); -} &length=20; - -type import_lookup_attrs(pe32_format: uint8) = record { - is_pe32_plus: case pe32_format of { - PE32_PLUS -> attrs_64: uint64; - default -> attrs_32: uint32; - }; -} &let { - attrs: uint64 = (pe32_format == PE32_PLUS) ? attrs_64 : attrs_32; -} &length=(pe32_format == PE32_PLUS ? 8 : 4); - -type import_lookup_table = record { - attrs: import_lookup_attrs($context.connection.get_pe32_format())[] &until($element.attrs == 0); -} &let { - proc: bool = $context.connection.proc_import_lookup_table(this); -}; - -type import_entry(is_module: bool, pad_align: uint8) = record { - pad: bytestring &length=pad_align; - has_index: case is_module of { - true -> null: empty; - false -> index: uint16; - }; - name: null_terminated_string; -} &let { - proc_align: bool = $context.connection.proc_import_hint(name, is_module); -}; - -type idata = record { - directory_table : import_directory[] &until $element.is_null; - lookup_tables : import_lookup_table[] &until $context.connection.get_num_imports() <= 0; - hint_table : import_entry($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done()); -}; - -refine typeattr RVAS += &let { - proc: bool = $context.connection.proc_idata_rva(rvas[1]) &if (num > 1); -}; - -refine connection MockConnection += { - %member{ - uint8 num_imports_; // How many import tables will we have? - - uint32 import_table_rva_; // Used for finding the right section - uint32 import_table_va_; - uint32 import_table_len_; - - // We need to track the number of imports for each, to - // know when we've parsed them all. - vector imports_per_module_; - - // These are to determine the alignment of the import hints - uint32 next_hint_index_; - uint8 next_hint_align_; - bool next_hint_is_module_; - - // Track the module name, so we know what each import's for - bytestring module_name_; - %} - - %init{ - // It ends with a null import entry, so we'll set it to -1. - num_imports_ = -1; - - // First hint is a module name. - next_hint_is_module_ = true; - next_hint_index_ = 0; - next_hint_align_ = 0; - - module_name_ = bytestring(); - %} - - %cleanup{ - module_name_.free(); - %} - - # When we read the section header, store the relative virtual address and - # size of the .idata section, so we know when we get there. - function proc_idata_rva(r: RVA): bool - %{ - import_table_rva_ = ${r.virtual_address}; - import_table_len_ = ${r.size}; - - return true; - %} - - # Each import directory means another module we're importing from. - function proc_image_import_directory(i: import_directory): bool - %{ - num_imports_++; - return true; - %} - - # Store the number of functions imported in each module lookup table. - function proc_import_lookup_table(t: import_lookup_table): bool - %{ - --num_imports_; - imports_per_module_.push_back(${t.attrs}->size()); - return true; - %} - - # We need to calculate the length of the next padding field - function proc_import_hint(hint_name: bytestring, is_module: bool): bool - %{ - next_hint_align_ = ${hint_name}.length() % 2; - if ( is_module && ${hint_name}.length() > 1 ) - { - module_name_.clear(); - module_name_.init(${hint_name}.data(), ${hint_name}.length() - 1); - } - - return true; - %} - - # Functions have an index field, modules don't. Which one is this? - function get_next_hint_type(): bool - %{ - if ( next_hint_is_module_ ) - { - next_hint_is_module_ = false; - return true; - } - if ( --imports_per_module_[next_hint_index_] == 0) - { - ++next_hint_index_; - return true; - } - return false; - %} - - function imports_done(): bool - %{ - return next_hint_index_ == imports_per_module_.size(); - %} - - function get_module_name(): bytestring - %{ - return module_name_; - %} - - function get_import_table_addr(): uint32 - %{ - return import_table_va_ > 0 ? import_table_va_ : 0; - %} - - function get_import_table_len(): uint32 - %{ - return import_table_va_ > 0 ? import_table_len_ : 0; - %} - - function get_num_imports(): uint8 - %{ - return num_imports_; - %} - - function get_next_hint_align(): uint8 - %{ - return next_hint_align_; - %} - -}; \ No newline at end of file diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index 3d69256682..64902e9e9f 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -1,6 +1,5 @@ %include pe-file-types.pac %include pe-file-headers.pac -%include pe-file-idata.pac # The base record for a Portable Executable file type PE_File = case $context.connection.is_done() of { @@ -10,13 +9,10 @@ type PE_File = case $context.connection.is_done() of { type Portable_Executable = record { headers : Headers; - pad1 : Padding(iat_loc); - iat : idata &length=$context.connection.get_import_table_len(); - pad2 : Padding(restofdata); + pad : Padding(restofdata); } &let { unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length; - iat_loc: uint64 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len; - restofdata: uint64 = $context.connection.get_max_file_location() - $context.connection.get_import_table_addr() - $context.connection.get_import_table_len(); + restofdata: uint64 = $context.connection.get_max_file_location() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len; proc: bool = $context.connection.proc_pe(this); } &byteorder=littleendian; From a2eff14e0598fd8c7ea88f3d94fbde5b75834a18 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sun, 19 Apr 2015 18:41:32 -0400 Subject: [PATCH 23/31] Add data about which tables are present. --- scripts/base/files/pe/main.bro | 5 +++++ scripts/base/init-bare.bro | 3 ++- src/file_analysis/analyzer/pe/pe-analyzer.pac | 21 +++++++++++++++++-- 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index bbe0846f04..db4d9e41d4 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -97,6 +97,11 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 if ( c == 0x400 ) f$pe$uses_seh = F; } + + f$pe$has_export_table = (|h$rvas| > 0 && h$rvas[0] > 0); + f$pe$has_import_table = (|h$rvas| > 1 && h$rvas[1] > 0); + f$pe$has_cert_table = (|h$rvas| > 4 && h$rvas[4] > 0); + f$pe$has_debug_data = (|h$rvas| > 6 && h$rvas[6] > 0); } event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 2b8ed021b4..3babb1ded5 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2603,7 +2603,8 @@ type PE::OptionalHeader: record { subsystem : count; dll_characteristics : set[count]; loader_flags : count; - number_of_rva_and_sizes : count; + rvas : vector of count; + }; ## Record for Portable Executable (PE) section headers. diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 1c61241684..fd3ee5b0e2 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -1,10 +1,25 @@ - %extern{ #include "Event.h" #include "file_analysis/File.h" #include "events.bif.h" %} +%header{ +VectorVal* process_rvas(const RVAS* rvas, const uint16 size); +%} + +%code{ +VectorVal* process_rvas(const RVAS* rva_table, const uint16 size) + { + VectorVal* rvas = new VectorVal(internal_type("index_vec")->AsVectorType()); + for ( uint16 i=0; i < size; ++i ) + rvas->Assign(i, new Val((*rva_table->rvas())[i]->size(), TYPE_COUNT)); + + return rvas; + } +%} + + refine flow File += { function characteristics_to_bro(c: uint32, len: uint8): TableVal @@ -134,7 +149,9 @@ refine flow File += { oh->Assign(22, new Val(${h.subsystem}, TYPE_COUNT)); oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16)); oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT)); - oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT)); + + oh->Assign(25, process_rvas(${h.rvas}, ${h.number_of_rva_and_sizes})); + BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), oh); From d4bd5672c06d1a39cb97d3044556d229b237f4b8 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sun, 19 Apr 2015 20:21:49 -0400 Subject: [PATCH 24/31] Documentation and a bit of overall cleanup. --- scripts/base/files/pe/main.bro | 69 ++++--- scripts/base/init-bare.bro | 99 ++++++++-- src/file_analysis/analyzer/pe/events.bif | 50 ++++- src/file_analysis/analyzer/pe/pe-analyzer.pac | 17 +- .../analyzer/pe/pe-file-headers.pac | 9 +- .../analyzer/pe/pe-file-idata.pac | 183 ++++++++++++++++++ src/file_analysis/analyzer/pe/pe-file.pac | 4 +- 7 files changed, 375 insertions(+), 56 deletions(-) create mode 100644 src/file_analysis/analyzer/pe/pe-file-idata.pac diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index db4d9e41d4..8577d24078 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -1,48 +1,75 @@ - module PE; export { redef enum Log::ID += { LOG }; type Info: record { + ## Current timestamp. ts: time &log; - fuid: string &log; + + ## File id of this portable executable file. + id: string &log; + + ## The target machine that the file was compiled for. machine: string &log &optional; + + ## The time that the file was created at. compile_ts: time &log &optional; + + ## The required operating system. os: string &log &optional; + + ## The subsystem that is required to run this file. subsystem: string &log &optional; - is_exe: bool &log &default=F; - is_dll: bool &log &default=F; + ## Is the file an executable, or just an object file? + is_exe: bool &log &default=T; + + ## Is the file a 64-bit executable? is_64bit: bool &log &default=T; + ## Does the file support Address Space Layout Randomization? uses_aslr: bool &log &default=F; + + ## Does the file support Data Execution Prevention? uses_dep: bool &log &default=F; + + ## Does the file enforce code integrity checks? uses_code_integrity: bool &log &default=F; + + ## Does the file use structured exception handing? uses_seh: bool &log &default=T; + ## Does the file have an import table? has_import_table: bool &log &optional; + + ## Does the file have an export table? has_export_table: bool &log &optional; + + ## Does the file have an attribute certificate table? has_cert_table: bool &log &optional; + + ## Does the file have a debug table? has_debug_data: bool &log &optional; + ## The names of the sections, in order. section_names: vector of string &log &optional; }; + ## Event for accessing logged records. + global log_pe: event(rec: Info); + + ## A hook that gets called when we first see a PE file. global set_file: hook(f: fa_file); } -redef record Info += { - confirmed: bool &default=F; -}; - redef record fa_file += { pe: Info &optional; }; event bro_init() &priority=5 { - Log::create_stream(LOG, [$columns=Info]); + Log::create_stream(LOG, [$columns=Info, $ev=log_pe]); } hook set_file(f: fa_file) &priority=5 @@ -50,7 +77,7 @@ hook set_file(f: fa_file) &priority=5 if ( ! f?$pe ) { local c: set[string] = set(); - f$pe = [$ts=network_time(), $fuid=f$id]; + f$pe = [$ts=network_time(), $id=f$id]; } } @@ -62,26 +89,20 @@ event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 { hook set_file(f); + f$pe$is_exe = h$optional_header_size > 0; f$pe$compile_ts = h$ts; f$pe$machine = machine_types[h$machine]; for ( c in h$characteristics ) { - if ( c == 0x2 ) - f$pe$is_exe = T; if ( c == 0x100 ) f$pe$is_64bit = F; - if ( c == 0x2000 ) - f$pe$is_dll = T; } } event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 { hook set_file(f); - - if ( h$magic == 0x10b || h$magic == 0x20b ) - f$pe$confirmed = T; - else + if ( ! f$pe$is_exe ) return; f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; @@ -98,15 +119,17 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 f$pe$uses_seh = F; } - f$pe$has_export_table = (|h$rvas| > 0 && h$rvas[0] > 0); - f$pe$has_import_table = (|h$rvas| > 1 && h$rvas[1] > 0); - f$pe$has_cert_table = (|h$rvas| > 4 && h$rvas[4] > 0); - f$pe$has_debug_data = (|h$rvas| > 6 && h$rvas[6] > 0); + f$pe$has_export_table = (|h$table_sizes| > 0 && h$table_sizes[0] > 0); + f$pe$has_import_table = (|h$table_sizes| > 1 && h$table_sizes[1] > 0); + f$pe$has_cert_table = (|h$table_sizes| > 4 && h$table_sizes[4] > 0); + f$pe$has_debug_data = (|h$table_sizes| > 6 && h$table_sizes[6] > 0); } event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 { hook set_file(f); + if ( ! f$pe$is_exe ) + return; if ( ! f$pe?$section_names ) f$pe$section_names = vector(); @@ -115,7 +138,7 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 event file_state_remove(f: fa_file) &priority=-5 { - if ( f?$pe && f$pe$confirmed ) + if ( f?$pe ) Log::write(LOG, f$pe); } diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 3babb1ded5..8034d1ec67 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2550,75 +2550,138 @@ type irc_join_list: set[irc_join_info]; module PE; export { type PE::DOSHeader: record { + ## The magic number of a portable executable file ("MZ"). signature : string; + ## The number of bytes in the last page that are used. used_bytes_in_last_page : count; + ## The number of pages in the file that are part of the PE file itself. file_in_pages : count; + ## Number of relocation entries stored after the header. num_reloc_items : count; + ## Number of paragraphs in the header. header_in_paragraphs : count; + ## Number of paragraps of additional memory that the program will need. min_extra_paragraphs : count; + ## Maximum number of paragraphs of additional memory. max_extra_paragraphs : count; + ## Relative value of the stack segment. init_relative_ss : count; + ## Initial value of the SP register. init_sp : count; + ## Checksum. The 16-bit sum of all words in the file should be 0. Normally not set. checksum : count; + ## Initial value of the IP register. init_ip : count; + ## Initial value of the CS register (relative to the initial segment). init_relative_cs : count; + ## Offset of the first relocation table. addr_of_reloc_table : count; + ## Overlays allow you to append data to the end of the file. If this is the main program, + ## this will be 0. overlay_num : count; + ## OEM identifier. oem_id : count; + ## Additional OEM info, specific to oem_id. oem_info : count; + ## Address of the new EXE header. addr_of_new_exe_header : count; }; type PE::FileHeader: record { - machine : count; - ts : time; - sym_table_ptr : count; - num_syms : count; - characteristics : set[count]; + ## The target machine that the file was compiled for. + machine : count; + ## The time that the file was created at. + ts : time; + ## Pointer to the symbol table. + sym_table_ptr : count; + ## Number of symbols. + num_syms : count; + ## The size of the optional header. + optional_header_size : count; + ## Bit flags that determine if this file is executable, non-relocatable, and/or a DLL. + characteristics : set[count]; }; type PE::OptionalHeader: record { + ## PE32 or PE32+ indicator. magic : count; + ## The major version of the linker used to create the PE. major_linker_version : count; + ## The minor version of the linker used to create the PE. minor_linker_version : count; + ## Size of the .text section. size_of_code : count; + ## Size of the .data section. size_of_init_data : count; + ## Size of the .bss section. size_of_uninit_data : count; + ## The relative virtual address (RVA) of the entry point. addr_of_entry_point : count; + ## The relative virtual address (RVA) of the .text section. base_of_code : count; + ## The relative virtual address (RVA) of the .data section. base_of_data : count &optional; + ## Preferred memory location for the image to be based at. image_base : count; + ## The alignment (in bytes) of sections when they're loaded in memory. section_alignment : count; + ## The alignment (in bytes) of the raw data of sections. file_alignment : count; + ## The major version of the required OS. os_version_major : count; + ## The minor version of the required OS. os_version_minor : count; + ## The major version of this image. major_image_version : count; + ## The minor version of this image. minor_image_version : count; + ## The major version of the subsystem required to run this file. major_subsys_version : count; + ## The minor version of the subsystem required to run this file. minor_subsys_version : count; - win32_version : count; + ## The size (in bytes) of the iamge as the image is loaded in memory. size_of_image : count; + ## The size (in bytes) of the headers, rounded up to file_alignment. size_of_headers : count; + ## The image file checksum. checksum : count; + ## The subsystem that's required to run this image. subsystem : count; + ## Bit flags that determine how to execute or load this file. dll_characteristics : set[count]; - loader_flags : count; - rvas : vector of count; + ## A vector with the sizes of various tables and strings that are + ## defined in the optional header data directories. Examples include + ## the import table, the resource table, and debug information. + table_sizes : vector of count; }; ## Record for Portable Executable (PE) section headers. type PE::SectionHeader: record { - name : string; - virtual_size : count; - virtual_addr : count; - size_of_raw_data : count; - ptr_to_raw_data : count; - non_used_ptr_to_relocs : count; - non_used_ptr_to_line_nums : count; - non_used_num_of_relocs : count; - non_used_num_of_line_nums : count; - characteristics : set[count]; + ## The name of the section + name : string; + ## The total size of the section when loaded into memory. + virtual_size : count; + ## The relative virtual address (RVA) of the section. + virtual_addr : count; + ## The size of the initialized data for the section, as it is + ## in the file on disk. + size_of_raw_data : count; + ## The virtual address of the initialized dat for the section, + ## as it is in the file on disk. + ptr_to_raw_data : count; + ## The file pointer to the beginning of relocation entries for + ## the section. + ptr_to_relocs : count; + ## The file pointer to the beginning of line-number entries for + ## the section. + ptr_to_line_nums : count; + ## The number of relocation entries for the section. + num_of_relocs : count; + ## The number of line-number entrie for the section. + num_of_line_nums : count; + ## Bit-flags that describe the characteristics of the section. + characteristics : set[count]; }; } module GLOBAL; diff --git a/src/file_analysis/analyzer/pe/events.bif b/src/file_analysis/analyzer/pe/events.bif index 3e6bbf8faf..c804937c49 100644 --- a/src/file_analysis/analyzer/pe/events.bif +++ b/src/file_analysis/analyzer/pe/events.bif @@ -1,11 +1,57 @@ +## A :abbr:`PE (Portable Executable)` file DOS header was parsed. +## This is the top-level header and contains information like the +## size of the file, initial value of registers, etc. +## +## f: The file. +## +## h: The parsed DOS header information. +## +## .. bro:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); +## A :abbr:`PE (Portable Executable)` file DOS stub was parsed. +## The stub is a valid application that runs under MS-DOS, by default +## to inform the user that the program can't be run in DOS mode. +## +## f: The file. +## +## code: The DOS stub +## +## .. bro:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header event pe_dos_code%(f: fa_file, code: string%); +## A :abbr:`PE (Portable Executable)` file file header was parsed. +## This header contains information like the target machine, +## the timestamp when the file was created, the number of sections, and +## pointers to other parts of the file. +## +## f: The file. +## +## h: The parsed file header information. +## +## .. bro:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header event pe_file_header%(f: fa_file, h: PE::FileHeader%); +## A :abbr:`PE (Portable Executable)` file optional header was parsed. +## This header is required for executable files, but not for object files. +## It contains information like OS requirements to execute the file, the +## original entry point address, and information needed to load the file +## into memory. +## +## f: The file. +## +## h: The parsed optional header information. +## +## .. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); +## A :abbr:`PE (Portable Executable)` file section header was parsed. +## This header contains information like the section name, size, address, +## and characteristics. +## +## f: The file. +## +## h: The parsed section header information. +## +## .. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header event pe_section_header%(f: fa_file, h: PE::SectionHeader%); - -event pe_import_entry%(f: fa_file, m: string, name: string%); \ No newline at end of file diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index fd3ee5b0e2..874a142ba8 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -98,7 +98,8 @@ refine flow File += { fh->Assign(1, new Val(static_cast(${h.TimeDateStamp}), TYPE_TIME)); fh->Assign(2, new Val(${h.PointerToSymbolTable}, TYPE_COUNT)); fh->Assign(3, new Val(${h.NumberOfSymbols}, TYPE_COUNT)); - fh->Assign(4, characteristics_to_bro(${h.Characteristics}, 16)); + fh->Assign(4, new Val(${h.SizeOfOptionalHeader}, TYPE_COUNT)); + fh->Assign(5, characteristics_to_bro(${h.Characteristics}, 16)); BifEvent::generate_pe_file_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), fh); @@ -142,15 +143,13 @@ refine flow File += { oh->Assign(15, new Val(${h.minor_image_version}, TYPE_COUNT)); oh->Assign(16, new Val(${h.minor_subsys_version}, TYPE_COUNT)); oh->Assign(17, new Val(${h.minor_subsys_version}, TYPE_COUNT)); - oh->Assign(18, new Val(${h.win32_version}, TYPE_COUNT)); - oh->Assign(19, new Val(${h.size_of_image}, TYPE_COUNT)); - oh->Assign(20, new Val(${h.size_of_headers}, TYPE_COUNT)); - oh->Assign(21, new Val(${h.checksum}, TYPE_COUNT)); - oh->Assign(22, new Val(${h.subsystem}, TYPE_COUNT)); - oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16)); - oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT)); + oh->Assign(18, new Val(${h.size_of_image}, TYPE_COUNT)); + oh->Assign(19, new Val(${h.size_of_headers}, TYPE_COUNT)); + oh->Assign(20, new Val(${h.checksum}, TYPE_COUNT)); + oh->Assign(21, new Val(${h.subsystem}, TYPE_COUNT)); + oh->Assign(22, characteristics_to_bro(${h.dll_characteristics}, 16)); - oh->Assign(25, process_rvas(${h.rvas}, ${h.number_of_rva_and_sizes})); + oh->Assign(23, process_rvas(${h.rvas}, ${h.number_of_rva_and_sizes})); BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac index adf0ce575d..a3d46dc72e 100644 --- a/src/file_analysis/analyzer/pe/pe-file-headers.pac +++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac @@ -39,9 +39,14 @@ type DOS_Code(len: uint32) = record { type NT_Headers = record { PESignature : uint32; file_header : File_Header; - optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader; + have_opt_header : case file_header.SizeOfOptionalHeader of { + 0 -> none: empty; + default -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader; + }; } &let { - length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header); + length: uint32 = file_header.SizeOfOptionalHeader + offsetof(have_opt_header); + is_exe: bool = file_header.SizeOfOptionalHeader > 0; + size_of_headers: uint32 = is_exe ? optional_header.size_of_headers : 0; } &length=length; # The file header is mainly self-describing diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac new file mode 100644 index 0000000000..589bcc68ad --- /dev/null +++ b/src/file_analysis/analyzer/pe/pe-file-idata.pac @@ -0,0 +1,183 @@ +## Support for parsing the .idata section + +type import_directory = record { + rva_import_lookup_table : uint32; + time_date_stamp : uint32; + forwarder_chain : uint32; + rva_module_name : uint32; + rva_import_addr_table : uint32; +} &let { + is_null: bool = rva_module_name == 0; + proc: bool = $context.connection.proc_image_import_directory(this); +} &length=20; + +type import_lookup_attrs(pe32_format: uint8) = record { + is_pe32_plus: case pe32_format of { + PE32_PLUS -> attrs_64: uint64; + default -> attrs_32: uint32; + }; +} &let { + import_by_ordinal: bool = (pe32_format == PE32_PLUS) ? (attrs_64 & 0x8000000000000000) > 1: (attrs_32 & 0x80000000) > 1; + attrs: uint64 = (pe32_format == PE32_PLUS) ? attrs_64 : attrs_32; + ordinal: uint16 = attrs & 0xff; + hint_rva: uint32 = attrs & 0xffff; + proc9000: bool = $context.connection.proc_import_lookup_attrs(this); +} &length=(pe32_format == PE32_PLUS ? 8 : 4); + +type import_lookup_table = record { + attrs: import_lookup_attrs($context.connection.get_pe32_format())[] &until($element.attrs == 0); +} &let { + proc: bool = $context.connection.proc_import_lookup_table(this); +}; + +type import_entry(is_module: bool, pad_align: uint8) = record { + pad: bytestring &length=pad_align; + has_index: case is_module of { + true -> null: empty; + false -> index: uint16; + }; + name: null_terminated_string; +} &let { + proc_align: bool = $context.connection.proc_import_hint(name, is_module); +}; + +type idata = record { + directory_table : import_directory[] &until $element.is_null; + lookup_tables : import_lookup_table[] &until $context.connection.get_num_imports() <= 0; + hint_table : import_entry($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done()); +}; + +refine typeattr RVAS += &let { + proc_import_table: bool = $context.connection.proc_idata_rva(rvas[1]) &if (num > 1); +}; + +refine connection MockConnection += { + %member{ + uint8 num_imports_; // How many import tables will we have? + + uint32 import_table_rva_; // Used for finding the right section + uint32 import_table_va_; + uint32 import_table_len_; + + // We need to track the number of imports for each, to + // know when we've parsed them all. + vector imports_per_module_; + + // These are to determine the alignment of the import hints + uint32 next_hint_index_; + uint8 next_hint_align_; + bool next_hint_is_module_; + + // Track the module name, so we know what each import's for + bytestring module_name_; + %} + + %init{ + // It ends with a null import entry, so we'll set it to -1. + num_imports_ = -1; + + // First hint is a module name. + next_hint_is_module_ = true; + next_hint_index_ = 0; + next_hint_align_ = 0; + + module_name_ = bytestring(); + %} + + %cleanup{ + module_name_.free(); + %} + + # When we read the section header, store the relative virtual address and + # size of the .idata section, so we know when we get there. + function proc_idata_rva(r: RVA): bool + %{ + import_table_rva_ = ${r.virtual_address}; + import_table_len_ = ${r.size}; + + return true; + %} + + # Each import directory means another module we're importing from. + function proc_image_import_directory(i: import_directory): bool + %{ + printf("Parsed import directory. name@%x, IAT@%x\n", ${i.rva_module_name}, ${i.rva_import_addr_table}); + num_imports_++; + return true; + %} + + # Store the number of functions imported in each module lookup table. + function proc_import_lookup_table(t: import_lookup_table): bool + %{ + --num_imports_; + imports_per_module_.push_back(${t.attrs}->size()); + return true; + %} + + function proc_import_lookup_attrs(t: import_lookup_attrs): bool + %{ + printf("Parsed import lookup attrs. Hints @%x\n", ${t.hint_rva}); + return true; + %} + + # We need to calculate the length of the next padding field + function proc_import_hint(hint_name: bytestring, is_module: bool): bool + %{ + printf("Parsed import hint\n"); + next_hint_align_ = ${hint_name}.length() % 2; + if ( is_module && ${hint_name}.length() > 1 ) + { + module_name_.clear(); + module_name_.init(${hint_name}.data(), ${hint_name}.length() - 1); + } + + return true; + %} + + # Functions have an index field, modules don't. Which one is this? + function get_next_hint_type(): bool + %{ + if ( next_hint_is_module_ ) + { + next_hint_is_module_ = false; + return true; + } + if ( --imports_per_module_[next_hint_index_] == 0) + { + ++next_hint_index_; + return true; + } + return false; + %} + + function imports_done(): bool + %{ + return next_hint_index_ == imports_per_module_.size(); + %} + + function get_module_name(): bytestring + %{ + return module_name_; + %} + + function get_import_table_addr(): uint32 + %{ + return import_table_va_ > 0 ? import_table_va_ : 0; + %} + + function get_import_table_len(): uint32 + %{ + return import_table_va_ > 0 ? import_table_len_ : 0; + %} + + function get_num_imports(): uint8 + %{ + return num_imports_; + %} + + function get_next_hint_align(): uint8 + %{ + return next_hint_align_; + %} + +}; \ No newline at end of file diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index 64902e9e9f..0cb308b17e 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -11,8 +11,8 @@ type Portable_Executable = record { headers : Headers; pad : Padding(restofdata); } &let { - unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length; - restofdata: uint64 = $context.connection.get_max_file_location() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len; + unparsed_hdr_len: uint32 = headers.pe_header.size_of_headers - headers.length; + restofdata: uint64 = headers.pe_header.is_exe ? $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len : 0; proc: bool = $context.connection.proc_pe(this); } &byteorder=littleendian; From 93b84463f5f34d8958cb3294ac42b5bcd4e1ef3b Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sun, 19 Apr 2015 20:22:42 -0400 Subject: [PATCH 25/31] Add a PE memleak test, and fix a memleak. --- src/file_analysis/analyzer/pe/PE.cc | 1 + testing/btest/Traces/pe/pe.trace | Bin 0 -> 415586 bytes testing/btest/core/leaks/pe.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Traces/pe/pe.trace create mode 100644 testing/btest/core/leaks/pe.test diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc index 6df2dc8d99..44464a3a5d 100644 --- a/src/file_analysis/analyzer/pe/PE.cc +++ b/src/file_analysis/analyzer/pe/PE.cc @@ -14,6 +14,7 @@ PE::PE(RecordVal* args, File* file) PE::~PE() { delete interp; + delete conn; } bool PE::DeliverStream(const u_char* data, uint64 len) diff --git a/testing/btest/Traces/pe/pe.trace b/testing/btest/Traces/pe/pe.trace new file mode 100644 index 0000000000000000000000000000000000000000..c70c9e6afe69f5172fd9bfa7afbf81be4244c553 GIT binary patch literal 415586 zcmeEv3tZGy`uCX&!!R=p!!Qt;j+5DBqJ&^3riMB*fFX>4Lv|rAfCG79VFt7{#4v4~ z@XxkwyUyEIu6uFYn{VqD-6>tMZ7Z|3b*pvFTz3f9$P7u5-}`;e?>EB?7~B8>s(`Lzk8C_H%lYS6^8N0q%PH|*xgfOsl`*+8W}i%^+En(|fG zw^5u@E<)b|=nL^pmk3uZgF~N<0s#HlDFm5HV9Dp7`{%UR6ewZElg62CEia4Em2$O4 zGw(N(2|7xOCA?qxRy>;zsB{g(dwRy51bOSxA$YFX2cBHPkywofVd>^o;b(>*F<4 z%KE2A!dthLN_pzT%ix{L@vaEt{RNdo5SQ$WXT`vou3?n0jj1JwkL|lG#8gA_YwMyR zE-A4WTb8d~w|2vtb>4ar=etlsh}Od>GkwiXoHCb&P$m_WscSZ{x|V06DDws3Tn~t- z3crRybgh}mA%1XKh@iFcm(dWjvZh&_t1Fk+S6b?8D_2%mZLoOUm6qD&_4SSG>MGL3 zT3r9!U@eBxY5KLTROWYnHiS-f=rOZEdDFtoFrChYDBt)(JS##i=o$ub-c#!cqOSe2 z5K|4NyX&GMI_H&?Sf)0vs`TWD2*=ITk3{xtPNa)Nh%^gi-!z2mGtnW>odVf2w#eC1 z;7ZppvfsL97KixBWg&v>>rG*@7ZJqFtPD%Rx>eO{E%n}&D=X{ktGug0YbvPyb$J-| zVU(HP-ADz!@!}B5YyzzpgVsrTUxX+#`Ag8ch#>a8Cuey;o33FHXDz>#ATA-)BjuC` zG1ZXty{XXYEW=@i?hLB`2i2T41A}=mqHTg@z^cp~10wn1g z1~GTdY!317mxTx-e{KmAnM2H+cB5rUVg7BF(haqhvn&NOMYON~U=ZzL+G0vq#wA0kIu90w zW)l&;2(Y&TB3;9%F=x#jPK`4|s8Ip>ZYQbwZmi@3f6 z$fPyt8b*eaHFG%`{yc;XYe0sFi3}6&iXww9Gb6)N(pc?T>8@V8%HmmPnP0tjdEExf znspVG5(nPfJrZ$_oS_0w+J{u-VG!pb5GOIOHC&bW5OFS^9*F~YClN%`RhNaBYDoM( zECo^Hrg4anb}o@Lx&M?iFUUgIFw(4Aa|X_BF)d2MUf^xGxH{keXXam zjws`V2B>bRv@8N$ER&{XXHJ(*4(a~qMP1|i zx~cTvg1<~l20iF6bDH>+?lZG2^J?oX)3PnoZkl!DObd|tFK0#GsdbH0>!#9wfa}9mDn|={ zjnS)S)2FSa7JlI6=oWtBZQjC(QARKCTEqvb{euvP@xk;5&Jo0EIYanh7i7#SaF#yr znlK+2LY%c}U?hlVJ|&2U^1~2C83SH@;%z{TJ1cd6bp0^IN|_>D>)|-Q^aMft>XFMp zJj@~P9FAiPAl?r4q-zMLFjlZ;9zo2f0Z$~0o(i$(!`DV}iXk&|hQ$`<$@wmCoYS7BB=5GFz$&V`ZC2J#38t&4=_d$2ZygBmp^eBeP9Yu za8IN@@Vl5nh{Ngo?fC@p=CffOMOjFFU;y-u&(nl)G=^}Dk5!Cd80*Rj;!}q&3o+FY z|9v!zq`5f6LAC4vTo2let|4`2tZEI%G{0j=yA7b-ent}RT}j;&mgrx`Z>pAWf@Z!c zE2Ndvv?EdL-sh-pv%fv0Za@3ywEY>NmM-^5xNb=yYAuadjG&c|$_V1$tYL^R=Kbo_ zpI1)<3Ak2%bki`coJ4UUty}@<-&`x_{p$RSJMIqNfD$slMk^Mfl;H<>x`y?k`_?QVtn+D15yAWWGth^gqdxTbqhc9SA2N}8E~>3uOP1aI z{K9#~OS!>osaWn=4wb!jEi`rYy0w<7b#;-b!0;1w*oqAh@u9Be2Wp=}4bwFQHFeBK zxhn{@nh7D)q^8QCrXtq<92KJKhfrH|yPp9N_py<8tsU?5m&5NP-ULSdn^%{*tLrVbb?a8uEnj1)tNfN10d#CD4WT znAso7&ch&KEUrbznt3??WbsVJOfflZ4{MPeWdqX@8vm~-4i ztRW^zZy1-PuTp(>g<;%hS9}?puQZHXsJvM{E7>q^R`L^Z+pUIi+pQCHRi%b;RizIm z)?R5CS9|5`q?;^;IZ)2Yifx8*%58CGgUT?@pxVQ>8ow34)%c$5XvVj6M>CX6-z;Kv zQmJ6hvA<~{L}Qxe9N&A)6IjOB_xO9OS%>#u^LSNrEDzgh)*>vsnLdKZUpqFLzn@m> z@SeioFDR9GzkDQjH&V$EU*>i#!9`PF-4i(iAu`Y7-nYIuqo_DB)ZjJTxc&y%q=LI zKd&HfUZJhPURYF|?^NX4@|EOtQ{QS|I=^UMu}!^b5xFPqi(*Rh>;(mKLGk7-va1-~ zx3EN}pl{$o_e>exFDPP|nuqR{)A#Kvx<3<3_Y*q0@8Kc$^N^2to;tab#qc~%4W%&i zbWQx8qNR`(S{dVI%imMe_bH7`%2CKuJ;U?0#ZlZ3c#3D#DkkGF8M}_f(p&6U1>Idr zy4UghPx*Z{<%m6W1>J4qWh|bjZb;?n%yj>Vzn{30-gCy$o$-*&EWF3%P%YG;HSRO$ zJ@!$a>kPjSj2kCnf_9uH(kA8{VG{E=rHzsE_xGs=F(y6T_fS1zro_|z8I4k`c}xdk z88hFg5uwGL)yGJ0#sr!4))0PsG(jnq^-Kctsb&(rRY$25)gK75isP%|_^Q?u9aL`E z1H45w)9D-fo$mL$SOmMfsw*njSsajR660IuIrHlo8^f*elG0-PyhTe2oy9Pxi|u*# zc{Y1-7E6kV%(a)=i;IhjC$spw7cIyyE3_>@o>Kb-mV&4vr@hdTkM1~cksUx>`S!AY zmTW7YS7ytf?<_8&I9q;+vtZuRI;NGv0dP?z)AB-W`SS{ja?LCjj8ITiV*ew%Dxz>l zvE81BT!pszOB@b+@r_K+V;2;m)Z8V-b_>(k@=NpV#rcK#r5OOh}~P3JEmrS$N~l7A(a z{8vXy{(l|~N&f4ukCyyYrJ@4c8kQPSbW~fUGb0F7veGJoFzy11tcj(-m6)1{(=(w z;!rwAG5RKI^QF||mN;!_?rYGU^A`-Faf&4l*2p=pz+PHvUrpkf@P0!gvB)kCQ2qLF za`Y1^`C1lF1sB>RTE5BRID!OWEOoSE`=TP3{SQnd;!WLs9McgRAn$y1*}@=|m|y59 zIz;UbI!L_ZC@Nkwuk^DhG^p*TP_m(Q?PYqYDqz%t{M+rdY%DKPL?6vpgw8+6RMXiN z!-4Q#bB^gGNSrrUu@nvm*p%fL+KS3b(0xksiwfn`HGnN){$4l_2hqSxk!9N?MxMk> zA;{<~xsX1b;_FzfM2=6TvP7H#+gVhSUy8EQn2rOKh&-DmNL?z_-aX7P*hz|tNrZgC z5_ukg;j*mMep_j>)C|0Pj1MEto53ALXzF^IOfPl?$CAPYgvMKQe-L{|N0*=JAef3*RmZ){SJ-arPChq zPSJLFV)8s=x~~C{8l@oMahr@krpF6Hx310a(C=Pm#E4xG+GPYr!`krje1hzawpb>I zjX`#moZW*9N<^l{H`Ey0AX<8uX(Rho&hBDlOUc<6cMZ6Q17W+ zlU}_RPB&W}+^co<47c=()vH-ddy3&O(SmOC>tJYycVOUs6^}UstXRWMT?5(WZ z;99=gTS;G(WtPQqZAE(MKfANULyla6Nx<&Rn4XcHG2K4>P71MA)~~Fqt|gnFvHZ35 zp5?1oFJG~`(z0OPnp#-Q_3MCH2t$(mk3#aFg}qDHP@7+QGPfcJHvc`T(USj*W-j?L z9Qo}2Xvr@cY3bl$#;%>7KHUwKEI!kvPgsPUVv9=VEm*|ReHRclEu5s+R!~!-m&0^q z%NwezP$4$Ym5&NnE?+}5gYjQU!=2%w!$TIVURPfUcpP-pt)5R4)Gl9L>G4pC&>xi! z)03%E9+MqUeNt9B?w8bo_}}r=7sKxquZ9;G#m^jbTxJ@7Ivkcd zwm4vNtwXujSn`)aJIj<&C!L z6|7=qHLGY?&MK`+KL6MF`K~9JuMNp z$?5E7HaUGVnjUeJaJNjg(EIfaEezzU(QPf&V&`0o7De2(E5la>-d9K8=nF|0bJkTh zR97~Zc)V3r(I0E5sB1GaD`wH{`sm20Y!Il6(80)4OMF7rh>RVXwzFbF>5m4z&-`AFv_} zsFG0_L}E-t5-GxvzVTmU%;D8GBdMAI|4WLX02I&D$D&0qLvg|Y!5csl!i=LUrH>7@ zC`E++cxrq|1h2&_ho3eesi?#dnxSo*j^Sb z`Tz4cjOG}nz$gVqDKJWb|CbaX$^XldCI2ce`Nu^`{$&c$>w%fhzyEkt^8deVvHv?| z$uT7(%S@PF#$v-Aq@|)I&B!B(0qmuvMwRK1F8l}J}1x6`wISP>E ze`93He-D@ZS4KTqu!p&(RMU!lmep^7^T3!Ck42lKV_uN!3(yK zyI|!@9;s2A|Gz_%kK#B=fl&(le@_9D{M*eV`H%k2_Zh$Q)^Pt(AC9X__+aatu>U9} z-Z=lIa-%wbcA%t{aD5xp-WQ!zi*^b0*q2%lmh>KC@{`E-tyJe6Rw$f zt@XM|*H2EHGBy2%jA@x!({G${)65GOvS;0VarT_Kx8%&5j{~tBxq0~uZ!K6 zTvEEkRd(Cb3%B2K=UwG@FI&E1WkqGxDtC3wJ*(HOUH3`tx9aLW-iF5SuitR*w>O@= zuj%g({AgRt7T-^|K6L+s|FPZw>((9rb938w9{%nl-+T0jKiC=gACGlB{=}2J4($H% zPd0V_Y|qc1`o%AQ_4aS}9(nq=`+oP#v+d74|H6wez5L4YS6|!T-~aoA&6oNQz5a(c z{`lrwrw+gKk9Xhu)BAru`j-zr{OGU82L2ZO_{6{5TtvF$k&z{TEtmYJXvsgr9g_U2 zuf9(5%b0>$EOMN#AY&OguSSM1@zkUsP9%}z%fL@wpfBk>$gk@!aX2f*LItxlX~V~OKm&UkByXI-uIRT670u3U-VK2cfiH8>VkwZKXz1SzeB zm5ni07mk&QwYt`=_O7W^SxagwD=Q3EItwN}JzWA&q_)ywF$hRrux_ojs(O{Tj=rR5 z+huAL9b{Ut&bnsJ^0gI%nH)F9TNkXW4Pnd=LyFGypZKElF)X-pa8V2LKj|TU4BqKX ziQ#{A{uK^1VYlE)Xhs|3V#{#V;=-@_@V^S&4Qx}7JhnMOiNFpE4$HO7>Y1dFtC&7k z@g!3>GsUMb;~17^`fjFhc5jcEJK`QX0Y?xn;`Q@e1mXC2LFh;jgyvYFr@%YT`|80t z7ybMU4535O+>iVO>9}-tpsLN{rNBE~vG^wB`GxQC$5Ej^IxeFbpdg#Ru+q%aJyFocK#9S<`2hw4QoKwYB}2uLuP8gD{E z&(MHq2rMBXIsxm6DgjiE0*H?x0SV%_NO?+2-w9GF5;~|>0{^44O%UHBWkM(;1gXqd zdiDwz>6OaY5>k5s2O;7og7+d)3gCe+@Ho1?fWN&jX!r7GC{#Nb4{*`>hrmY`tss^k z%Kg9d9PEO9o6usne1m@9fquV?B>&D4M-iTw9Lz#5pdVQf=e0w#(Ad39v(Wc`304v3 zwZo%`$4AyB-y(=LNzuAwwjrcTzM3gQ#F&IUQYq9r$EB;|{~&JyB>($&JUqad88v#!E_jY3aU0@j!i4S{U}gm7}a#BMq-ev3yc zA)uDN!v`#F>Pf&i4j$r}5WFci7HPnh^v7cmAHkzI28n@3#Uq}GM-h#ai$eKX4=B)s zuUmRDgfE~hIFBlbM>7BiA^5{5GGyQ;1@OQu9!Iw<{AFY*GWatTsu+wPmVXF*WKjrW z`JvqZJ5Npue*5Z{Z^)znS9Q}jtqVU#lg`*|X)-WxTzfLxiGwk9tk;p)?6LSAhUSx- zoI-BY258HcB&e1uvM$0H^r%UuVMUz(9Dhp9hV+-4Cvhrp%^b~-P$0eINh)t z+$&h%3~HU#t9RcXnV@%IFaaTlV?wRkUaz@zE5(QacmdiDZyXgYW8E=rg34uVwM|2j zj+Oz<#$W7m8Pkr8FMs`wwnH#_%)Ol?l&h@=V_8d+PF8mV?qeIT zZ)sA=8pa7TmKi}vRS6MM%Hz!HAc|{PyM}dt*|xb!*QKbtxur?ZJU99sI-lcQrvqz& zeC2%)IWFKxRG*{2(=h<1YS6n`POIZw3O^lHADlkG!L+rfu&g8e6>VDv+Rl{Wl+-4@ zR`9CPyje%Oy={JKN}a1_V!#1=4-_HHyHB?5aOl!HtUjCE>QmyO!bMMw)knHy_sEjJ zj!S-HwB(=H9+Lb|51xF-CBID#$a-8lTt-|5Tq(FrxW?d0#bw4d7S{w^mNIu$j>;wW zL4EMiOXJJ$=4ZH~o~Y(0sAfx(hIuCX8`Rof&p3afO8dGe1+C;>l~co9IBHfOT!vh) z|3SrgN9S*cCd(L+X}z4230=CZMjl|W<0QItjgxgcj-|3r$8m<+iH4P(j+4u4(>i>P zpwDrt)A6aC`5dRwHh!1d=Q!hY^-$b7pW`g(yu*Qd#bl#9d6oL$@=GmqT}I|rbp4*8 zU)8DFO|0uB=GQxoH-BCaTn%N^FcP2rK)!=@?P6)4x6B1Ucw~-2j`%6M`a#DfhKgzq zqCd3SGSF9tbp7%O-gpxkP@y6T1hL4m6esV6B8uq#>3+vKt>dgm?FZ_vbKTdqZY2<{ zTi+)hVmUl@jz`-b%XW5a+Oj&j742&3ZPXAtc4&&6Q?ebD6sw6Euj}9C1nXqGOpVvo z#bi5-^%kMQBs72#hRKdz`65M^L4Li%c%{pfozh_R#I`t$vP72&f=KJod$iduok#UD zI8@P=)r+HlwGOpMlkHM@VqQR?JnKWyBlbX(-g+HLr3sXcKd9=BW!oJ_WyX)bL^3NAlN%slj#Ax~GP8RO3w$4g*g0~xG0oR- z4ke))R0lB)+AZ)dV4L0PqQLSwdO=fFR!7&(vNosLy^sac5$|)H^tnz64ZUXf3>L`Y zA;*2L6FdY$jO2pP@sZDUOoZF&2&OoN@{>MCpU-tcdl-G^IIEEh4Hv}L^Y=;59-nJK z%tA*cBVK6e6B-6wLiuqt{4F~i16ILf!8HNbSX^eayH=_oFSX@>p{408qiT_)4^>MQ zxDn&A)~)YdNvx>dI!=cOCp4T98jxGZi!Y0~gBbh^$1_Xa%fQ-1K9?)OrwuBI@E9<0_q6i| zS+mFJKS+uyaGQLNk{Ddh+Q9G9q0wB@9`-1Cf0aSO@dSr(L?ZG1G8M@U3zMW{*K^F@ zWb`{s+D^|HJe*)iYUIF05P?gCc-DOsXG!a{4vl9FkRPT7V%qhr`**#LF*471e?yAj zk*YoDRiP@~PqqmSsjeDj;2;+--fq7m#qUZ534N|JewWGDgho7zbE^F=14$4U^>G|; zEw+6~!t|q|g$A&ZS!ft5G>qXy*9RZy<9s+)JR5s2s^u@#YhU+jB&Ckit{1y2b0RU; z2c3PQ){u0?wpbE^I;}ubR6|nKMUww#BTN2zF8LFqC4cU+kmS!vi?;cB%Yu|iW$p?R z%pr-M($}pNg+45|3e)jW;Zh>%W<+@tQAL*% zNe|-O?{*{Wh7i_Sn+r_xtPbi;1YD}`fCzjztcN<0dyBe^dJzFKsCRT)n=4G0NL`b- z6Y(>*-=U`Nqi14oRJ12jhb6Uy63p#CkU&(D=?bv0cAgZt z7KStLbI{J8kao8A+DvlZli%Ztn(NCl_q2I~dhu{COa$~0NQyD%JHZ=Z=a5Fx2cH@c zW9K9?@0gaR0p^X0_Dj)z$AH$+?^TBg=Xdn`T?3NB4dMRLP~0Dn#QlQ$GPo;YX((9t zyKTH8-WafCXIq*3#t8fkBjWEE8UO1phd){^3V*5Xe-IZUy<`{JBPjn24tfevp4&wt z!m4&9>wb@8uk^%FRXWSuQzEc0{!$_mNh@=EnFeK$9TMh3NT$W^>GMLuNguR)iSB|> zp8kc)r_YQ?-*YaUp2QbAceHgkC0q-2z=Iz{8LUN_`-XXtTh1`U{p4JzMIj3TYn&Fa z8d4xyb-XhYs~FLyqVk>Occ{@J=O~zWoFo&&cCU_g9}dYx$SYWNgoV;A)?3WR!x`>r}NYZ zy0w21rklC_8r@~nXGNrca4xu%duKUB74J=DE@ZA@ZsC@+*B84MFZO?hf!pozWn~B{bCs0^niZQ= zgn*nq$5h>l=VU6-(pBdFyj{io<(fB1^8aE)|IzlHB>AWOkKz8KxJlR-!Mx*#`;YdH ztV=vxml&dT$s%<~m%MsMv@V%eXY&8W{|7~(y5(KwKS<F8BZauGhGv zCuQB?85^7ft7uSN2Y-nX5u$>bEUN=)MXeB(;y(n6H!?9cn9MvX(b(D_j2nD+`Fj9f z@8WuG^BFs5)@NLBNW_%|BUY8CX0pDX0o{8r(_${O# z%M`L${9@#<@$AH}|J{J_d-1&&&+d2``#qlL@jQs2FZ(aHy=CH_l=p1uX09W&VMO90OI> zmf4fMpIKY()5*L+Yse!HnEugXa=!Iyxn3dyUiown(qJlnO0hOsk&z(yP79D;2Q zhP&fh8HMGEVR;10|Mj|SoON~*Uzg+2esr-fN zH>Yt(V+ayPo|6xhE3HD~d|a^QAa0lv|9Rlu1zq@=%d8JE0;^J#>mKT;N>FrE-Fy@i zXREd=;L3@}DrRtQcMKp8F97BP2{4rCYv}V8UTC$+V7kon6~gvaR-r5L7Q#DMrSeus zpXdqUpW-m895uEQp6EB7j*l4QEhl(#tiqi(BG;efs5gWwy3)?>7>Ezl5Gv=m7^Mxq^E9}F-X2)yj7i#~ZomsD?z2-j(%x*=1{?(wudcIN#E}YnZ z{u9xJ*S>zAGOM>+>2K&S#Bb7w%PL%i~X+twD%Vl`&=Ic>M+3aIY=i` zWrT(g=r$1S9%wlLo*CdlfuA7}$Z!rwg9Ffznd=n?3_{_ zb1nXDjhP>FH~#H#9EY5-PhuMxM1g(EaRq&*!@o+Ondq0x!%5&|r^qRIQe=j}x<8a6 z@w2CBbOcUf=*^Vqcx?CYhD9RdAP7nhU%UYM@R97QjvV61HnRJPB@dKqAQf{ntp2jh zD)jsV<^7z>I~;0pG$yzD;WtcEI`LFl(`<4l*aftoBV$)}@ZlF9%L5c;IdEqN&rVH% zNF|M&sF)#fd7(Hk=TtR(Hd8NZJr<~(=LO;Q{lLlUkEQTfgeN@kPX>|K)dh-EI53sx zXb9z-Rp&phf?TND zJpsv%A=%`(T_@DL)8TB+z$l~rDfRBmxQEQszatJ*yaQFG%Sj_Fk8#3jXc zs^-TX!@DhRJl-8~7x11Jmnb_>uD5o^%HymL-OUHK)Itx6qsm5%%pkljpeFD~)yd87 zhvhZ!YpsxT@#F8)_9bkIm7VXDF^|RUu0eu(aqX11Ze1_>49#wrn6^9Ze5agw5&=!d z#AvhoetCC7rvtxG6bjfb52Qh0`@Z^j*!ZJ2%0{Q2mA{YAYv8p zM5}8CC3xU300o<2r7N%nZ!Jyz%$wcPbb)!ta$Hh|;KE^bZ$00spLlfh(!*RX@E<~PI<*mr4A%RR>`@t4UWMh!tCD``xR_CPt= z0H`PMo9luxmLD7*{AV93b_K9pS_tf#pb6>>g^0qm~wI6+k&2Wl-cy94ro6FrJ11l)l; z@V5JQ^us&j%7!L-cVh`&P?PRB5CduDE;wYlcM3VnHevTeV z|MTHlXw!O{g|5Cdd=&B0$hxF~>k@smF1hWtkS?+Aiq<8|KtNA|Xu#u*EXy6t-=M=_ ztYt1L>CsZ9U1fnFWNE9TUviwc+Ky&B`ZvODu2vk3nZ$0!$JMQN1P*Mx5@Jfx$pZ&A z>Y(knVJyD;wz%$zovPc=H1J5EmHmYSzQW!dFbfQu3w$;w@GufqwamR86juu7+v9?} z)YKa2qVTbs+h@aN75s_1WiFr)Ubn>s4nr_^$5Atior_uo>vPG{Q!(#CSU;{Bec)NZ zb=BznBJZ95Y>t|3Om_wLIBrqiK~@iZ%O3L%#|3N49JDnoOr0QjH*$nAl~x7y0dt(-_h&;U}v$@-{UJh z<12?CfxidgrJTQWg zK^f-GMIo-!R$pTdlFdhe%@T*Z;~!ew^S09a!Y}B(;Ft7XDA2pJPJ?@KY%D=4B}CCe zBuKcP#5-DmxQE`vQOqG!M{18dp?^U2gBnitUQm7E4o5Gi`aJ9AIn3gn6+9M;ZkR>E zelMuuw`)ia5EWrwqCu#+#O^u=jikBxFim6(e8p|+v0=(YjT`#@rwsVd=>SLsEfzKy7FBkJ2G;+lzcun&9~Uv=6*b+L(Tv+v6d9(vOgfcRZge`a<)XvHR*DW2X&N0S(sVHF=cW*TubAF8?d9C?b5n*? zZe$o1jB(D43={JjSY()(H!|!;mnq{%mnq{%rlDn&)>p1w#VkehZe^v#`8IoDDYN7E zSu58w{66?R{MMzNmD%Z+wF@n_{M>x}7Bs%|OYOJf7fPM>VvDO_K8<2pPHS9cW@zQ< ze0&PW#XyZZ@GIzHZqyCbXab)k(g&t$2WoVI9(*|IRUf#7*W1sZfTR~kku>&dSFU^0 zFk6Y4CYJD~Armvgy{+c$@lcQH*||#ZwUD!TQF$@TdI2wLZxSRlUNl}!NxD!bzXMic ze7a)%=8IbsH@=?Gx{dkFPs_7}9i8o4QeL=A`Q{D2x%=b~sh*KP)S>P4jtRw#mqo{T zin2PM$KcSsPdfqDvJ73k0Ax?~-xR&*wueuO};q{S(mJ>a%o>2Nx7uA`Gju!g^o|$&9DMN9sbdqR@`7cWLj{#Mm@61!3fjplRmy?P=rClmj|he%#M(AeKT z%OufO&N8|r+5*|Vb`kl3j^+buo>{EHUi)V}NUVunstIpQkQMn*8m~03@?L$o(o`C6 zOlo&AX@U9yojTpkE_GvUo$6+XszFwmb>z_^Z|wOG&L4&A_>S_sr8yNq_ZRB4hXBzV zMapqq`L>-uL9n2 z)FkSUd=W0a`$d`Lh|u=He?3WtpkK%WHzBFCu;w+b;~Zl26ti6xSj=N+pzB9WKVr@i zm?l|Z4PtgrH2PAkMntJ58WDGt;vN%=5JzKrcZDqEND<1zw&fpoR8$B+- zoDP^vIm`@1W%8&DBl)(P0Fzd$3NvN^8l@{7md=Yl6e?3pg))%|%XF(6voiUw(dRE% zRGPP>@K!9lx4doxeHN@+ULk$j*HeJ>>*3rx+%k6s7D~poljQFl(SNk4jU<2dk0JSo z>|z*Wp;_pP>xTP}-WXYzY#@j=+Gt%;?F{LXvTsN060DkrcUp&`w|?_L#yqb9OCZSe z?8`O4K>#NidInk&t0wqzr@=XBVa8-M&m^PNb7BPZL?eeJ)}H32-e^N)l#h-QUoIo} zV2T-OMaxc_*+*JTkil;#l|TWP%}j|!55EXOLyJ5)Dp-S{M=k~GL`z2ok^eeSqO%B2 z2m=;f$(rGT5#f+U%o|lruwVa!fsl!dUJXif!oZe_xeRG|Ch8q6bFplb)>abL0VPIU zkTM**OprGtioBE~3_;!ACjh9PV4zT1luFc!TJA2)xEv5YUt=NSp++53)n|lm7{8 zBe1mZ=CW2tGhYb@bn)uDt>Udc<#>TSMP ziPa)41Iqixv|B8#w=17hvb4AS@AxmK#J^n$z46&D4HkOXj9Qz)qixwgc3#U@w{Cp1dy3zd zqP3YkW&w-DJtmF_DwKd#t+o`nwXj0x54vuZ{~)H3vDTUHhp+~;%=L0l940?*#X3=y z1l8a_mc2>o0dc)CCHmlZbu9G31U-1^Sz%~ym5sG=byxy@=c$&ZmqyX zkl2?wWnl1WvDn%oMws1dS)dVXT0-fFZ+SYi`;Z7el<+VM{2U2E*_CGZUNMf4H@gu- zJq&iSxRMK%ka^}}QfOAEvSdxCO}>1UR2`ejR|-p%SI4IDm136y_6%Ul0Co_-5c9kA zXfI!BO80MRE{7Ja9U4n5Wp4iob_IyF2!8ug3+a->BTN2!x#ZVGOa8TeT=L@-Rn4!W zB|kMA>}UuKqCl`3b3O=x#jT-cBRLZM1;W%c<>twFL8*D}R+=UA$6`h@+ivnEWG_ka zYC7$h3hK0{VA#BWY`*v7GJSBDhW2TQb>sebGNN6YuWwB&i2QY}Ih^pPU=fC!D%>3Z z0T{eF&{6pcRwAKBff+Fp$%aVL<_gTkhFhwZw-7ButMlWr*M)hfY{n)GSv|ZFw49G7 zakEP`jVX01Yqm|@sK=DB+UhUWT<_3a>4Gka2C5InhGserflH|Pi&Q)~4Fj7_zM4Kw z*~T|3!Q+ihGAI=5%pg?sa7BD9!V8|b$eTg$a{)Xltl(iWMB{VmL~Ow=1v2dsuZE-B zsOXw2E9Q+z2nEk0IcGJG5h_nzhIz9|GJUXJ(e;!9>u}Xp%s zLSUY8&Cgc|7Ej9d`zr+h->AwDHt%5$3T56;cnH-1Vb%w8Cv|;Sj`sFB21IH61sYjv zQ+cLJJ;Q)?0RB>SwnOh7lkGBK*ueH$I zp)|WRGCv?FIx(wsFs&2&8X$~l23sMft}7B|=wyKyjFZG7`R5=8X&t+DGN7?}fHl`C zy4;r(y*34C!IpRS#8scVA_yHyUDH8N}SEzEPLziB{m%-Xz3neNR1 zB8r0{9V)U>GNqJyRW|d+TeF>VZ>+zw2qJWL2=Rl(&cG#Lm!s$r0ncRKr%14fFu;WR zhLs@TTm74x49jahS9Kle=Lv;cxmCzO`Pc-CE2hgOaBX0ApJjm}k|9_W-eiFn((KmD z1{DR2gZZR1egwgRwJjs`H=+`6(c*saZ8Woh4U`QlaaS#`MceNL+kjD)XlOCJ9gJcR zGm0IIVh5wx4PiFP>Lo^*3C-jgBlgZD|KF&8Mt03pVrM;wju{qZI@U&#|HQQ;ov8Fc zHA((yZwwzrTw6=C&`UuZX)pAZp%azP0OAo4gswx!yG`Hy8=E+8OVb85v#S*ca=%Rw zS6>~iOFU18bjd%kJ|p5pr7O90VQ#;dHn_Ve}&Rk5d3f?h-H+6Aj znONeStnB(8^S`nABFLD!`74mo$jPV^$rwXqlyfSoh>G3S80`pNqW~LA2GKt_+7a%; znsxFI(2VOG%(!Oz4^Ev7dQ3f+;4yZm!NWy3zY6jvux@=@#JAzPP;)>+0tg)Sq1_aG zEMjioi$xZE*rRTB=x7}yRFOXTCv53_<4}RPKasWu!0e>;2b4k?xQKa#R)?Cu{}Lp} z3P;+cc#KpMrif2>IwrHKjl9G@mK|9SL^CVk>R?HPUTet4R9yfjP={~S6?N|GY zjK-Y&U+_C$LK6aQ2%o>hjn<^BMi!K=W80*{pNjFjN)p0(zh%&6F%Fk*v0MVBQr8C@S0Ouz?~A@{{* z30_U<({a3^8oNy^Rz@S36oDWI z7mEQ$jja0t%)p4C9;wK;uFND(v+U9Tm{h>V!WO2h>JBDs54qpQ|V(^Di4=Pj`dlG25PdNg7X;Y-Q z2JR|7mqu=NjwoMPO@=-gxBy|)b|{tBter=K5DyM-E3pm5Ej{9BROHiCziW)xwSW&7 zgb;b|coc#iuE0K3AH0zYfv>>ao|+)ykPybfiZMOBF zn*BXHJ~+^%d(H$N8czcR=xADf6w=XL17~AHDJ`+eRvBd*6FMurVs7|*&~RAA z6<)oy+X#oEXcV{1HOdma@U|GSV1ho>_wf&`?#GA0JLUitn5#E1RY@Q-tJi=Y&J(2a z1gTA-1Qsy?Hn4;f_yOTSxdDn;ul6cl!9IWnjOnoO6wAM`8b`uEw10o29uAkLaoG-4 z6Z)ze=AF0-3>2hySRbX(-Ztg=f5ePu6aT?i%U2+j_WYNo5Cydo1y$g{NqxXW(e(&} zXxyZG#lX5BXv2!UuC+poVDQGilFGX3g|-$U74H_-wTj*?-gDUAz?!b3rEg7FQ;R`+ zVac*sg$8(TGzQkSc%aSa&~z=tl>G2k+k2iQ|5qbR{` zWBG=2Mc1d7_`XXls=tKN^+Dlc*Pky*WCh={CzY@rXPVV46b{jszGde9%L51zz|H7|za16|$lWb{*AJaBpr z=z}vZZf-I`qb=Xulv1(MdpkA~V;F;d)K2O#E%(7=tEP=B@czveOS8h#!eu~Xzi?hG z?+O@=z)4TVl1l~aU1^Eje?*k?)`cu6H0mxc7q*>q+a*9-u$KCpuvV5LglCQo2+w?k z=EZ{9WfEx1(5hTXRZ(+B|Z>=jsRMSGP3v(GpPXcc9s;?!b^e@7+G0;6_S7 zj^RA-WL~6<<|4#@LOHGad`Sup&oUqwnSv|3p*t`~gsmxbih?f|OC;s+htf_WtVeML zI#Fq0>rD!6!vWZU8?=G5lvbSv*5f_TI}4L#K>ikdgjB4@DwP>Ch)TZ{6n1=Lvdk4I z6T!7v;NpG(+t8ZvJdAB?oAG?hBx73`CI$6C2hS=6d>sf+Hi_HlKEac=(PiK{fM*N* z(Fu5JF@Z?i>3sO6?R5Qk(ssH(88D>AcQ3w^@vOymxQPf~XvCxFVww+L-MR$ydr?`7B9K!R>M7|mP4dY%L-&ly%(33=&No(zK zmH98vYi%I|F56$Y8^BI&GZ9?t>v=v(mz8+az?OmW}CxcPbtk zg4fCmH^Y_2)L>*RagLiK-^JAa6gf;OxI}H~Q1aL`Bz8S-agB(sQbL!QA9)((@NAXB zpW+PMj=Pu>PKwf0|7+A`QBPfT#$u_GkI2PJsNFHcDKL$i`k_~`*@zq-FgMClFjS{6 zf9?dUHrL`EFMX4x(`XbwUO`Q_7wO;qN4K^ulzfxL--$KSIuX<+^wY8luy3&3L&O!P zT&cLg;_ijBo zp!D2G4~sXwMvhG^Z~>;^5@)|coJ5U@yZ|!_*eP`owL5k=ZLd;78Lg+H0pXswn;B}Fizx<9L7xr8DV>hetWt-<0X2ceybEHVw^XJju!KtoT8Du` z2BibQkOvH-OSrzm=Y`Cr@`PmLLF%zwHoizAkc%=@?l%++L3ty`IxZ)q zk;Rn8`z&VhFFm<;3Dbo@%cs z1W}YF@D%6I*Tj&)iqjYny9>lU9_IEYau_zLXi(K79?0W!VEByr5|5FiA7k||kzJ6qH4wC4Zn2wo_Nt#KU^c!iC#@fiwsv*jXCYhG9&~aAX32jIZsa$Fy zuaXOMv!ZO@1Y zK;9r z9rqU71nBwFiPWK?XG_O+E3g`YvjnVFz6;3QUK@iRQhu2pvR~>Ue21hsHWz!y1$=~> zy`^caG=j!~R-Ws`5i}79hZ%8`nVPOf7MO4BjP*Ija^L?LY>OSsRS_kTWV=ocGG2q@ zZZIlFQ;nw;B7WXEn-3@<=S1VM`$nudIotJ9Iqn366hs7&+cBQw`;n;CH_JDnDZs<) z7>I_V#{Z;TkoI`PnuDj%7agIog5acWagFi_q!7q8v>Eb~p!=y+98M_U`fS7~(2$6itVqfBH%%sBrucLnWMnMevW61#)qB;s7Efd-b?H4LD)M zoK%`(RVeX*#)Rr@q%?v1a38Gt3K`)=B0CbV@5FI+W5*(_HR0RjVC!h@(H z)&%&|?3ap8Swe3b3yzM#;Sj{poX%0Qc$TK?VfdT5WZ&;e7NI~(mI7dCa6*ViWopx) zeec9!cE$b+ff7z46~t^=;L&eDQgOa74}FTux?YCqJs@e)--Frka{&fG-P6(9+JiW4 z5M2n)nP+$rboNnM;2iGGKq^wTG!5q6gTWwY&s0coq$W>Q4)*kgq$s=u61QC#%5B7F zqAJA+h4YO!!hLAsz5j7+N*8@6oE1S#bV`pFRUa3cIw!#hO%}mz-8X>Gdb={fXT6l2 zoL3RqU(|BBni%3Rwa8)D^Gf+J9-?k0dT9QMovh8&^sJ`B7a~=DLO$2B^3es6&z1}=s4H{SE0Y0{|Ip+iy1`_+Cdh>=?ykZ6nou` z8bC?I6-e026n%p{xZlMbI>$D{K-@0L>QN)t1B>9*B8j^p= zn#CDznr+Mj_eab&@=?TlfH=Y^qM7RwWwb8YaX6$)=Gvll30a&+p)_?`hlWG|ly{^E z&^+Xj=q<_xiBUrw9_lC{090g3JgLYd_hGZMDcU|ti|_Uf3)~!!o_Uww)kjQeJmr)VXvBo7;46IULmqqPP{i+4nf7K_BuB1mXg;J6i~%u8EVk&hb$WIxjmSUS-Z zu2Ne%*VY;QPJ<_(4Fdz)6kL;Wi6d+AoKrgYR2=yZp1#UQv9XKwun(LX!}6I;gzP@n|G7Jv$O z&K6S~rxYh-P-q1p!4}r~K(S1PvDNPYRQMghANV2N#^Z1aL(2gjC<4XNZ{7S-u?(Kd zIJ}g~D(XE62&ATa0NDsDS`%q@o1i{Z-GboGNKuKWQ$k7Scw_hhykwJtyt^R-bnssa zpAlR?mM!>2+DPMFF%*`WNE;gJ_(Y2N?XaYmScqc0BZw5kX+vTNhLhrkU;h#;qM$UG zxECAC{{RT%{~jj{!e=0y6U_er$l?Fq2_hKpEWXm&Sc0nrz5AUo=mJmk{_!Jl1F_0u zoGX5fJGZYlQZ7CaS{*(Cb47TN4qL&=r#v8uO^GnI{Fwc92EK#4SQYxD)4w)$I zOIhry>EZFk&^V;D`9UK&;&7JR7Bvub{b|rh@LQ)jE;wsacsg3siP!B>R-ky(=lny18{!C4hQLyKaVW= zH*?9ah?e}1tPe^4J-ebMKb-?>bl<0lD2Wdl_?Z+q*sIJHUOGS&7LPe5UqSY^_i4G+ z!wRc^+XphMcH2?-CETXex%1#efP3N@&5XpB14i(9GDW!Mn?#ZYF7d+7 zP=5b5Hz8Fe!${u0Z8g2u$UN7he1r?nR?!Wi!m}8w6kqYvB#e@Alt8z!4R%l;29P+( zS%%wb;*Qfo!>3fOO?+k?_7ruiv?JT!+kSjR16<&O;wv6Y_Bl@YTqk*T8%;GB zAoiGmiB0l2e?NS*j;&U-p4K$lj>37US+`vRlp796)k`s@rZ4`^}A zF`kaY-L4l+j|;SEq+X{_IV8O5#AndtW-HlUD&Y~jR6NQtmeXbx?;@gVAuc#6tihWYhE2s~u z@`2QKF?;iY(D0Gaa7<`8&QpRcXh|iO8Ylx_@R@*K3c^0sjTR&WZjI_d5}>3xj-5Zc zGwro^(DOdH-f^sZ8YD-f8WY@#fEDo|6JRCjT=M($wh`76+#0@a4OK8 zvOAeKz919>k#G_*nkWKxxEh0RYU#NE1Fj~Zty>2$TNNlm2n;4lM_kCmRv}Dmf(dvy zeOvnn0tSK*cnU&Wcm|(8=F+>JKE-C3L6Ako#OGwrigwGTL|Q4-%a_uK=cSTg=rmkI zG)`9snjv%e7!eX{P9m}JEG*2On!r5QOqIzzw|B)D+NPQ)yh1jR zO`ug-FG4Ef`>zRnKr*;SiZ=$r_>)e~ItMAP5B{81({}wP0ewtzRqv*pp?wZKHJJp3 zY7Fmoyz2krAvzue%hLSY3W$pr$~+i4!aKANpTfR{;=U`h`zrBecdZd4rB(1eUn2|T zUxD3PZtRAt!Oo9bDDiAr;4TV-@JU%Kh21J;ybWQu!$*ek=oT=Bc1t0SY(@#hB>M{a zESZ2q!}&0N%TbsHk9+{#iqxVJ2J^2J3OAG$6tUAMiAJQx=M0=2--A<qO=1KeyFsoJp0U``Ie zdNNwIb_31`mOQ)YvVa9%h$~bSN;4VTYJ+tqq)MTV+#4~F=w~?D0 zhEy(`I%N|=k{f;wYf>3}qO^JioV*3X)fv!3EDGD!J-2od(dfED(gpxbd7EXw6$2FaI;`IX`@3C$oO_^e~V-^5Ai#}Z+!UE_g& z3MUiltq1PHzy_iME9*QCF2T1zq^6PtUmwW2irOiX1Y%U+z!B}l%tKo7!Kj#8io8aS6{_j)U(!!QEBcNj?@E#NHs%;T^6aO zz=PTZfP_FhD9n+%hKksHpVF4kS5K(sTRf<-T?HyALm0zo!D*dT1&mF4#ZJtRr@U4M zhy(stTRxU!HSr!Lq?@0{I9iNxJV`B0r?G*8pQhHWMHlS~4B!Jy+@N>4H!A{XfDo_= z^y2Aq->(P=Qa~)N^>eo<0x5W*6lOg6fGEr5UatsTCk5ZY(={prGo^qW9$@RV3`!`=INRgfp19x8+bsoBJiLT(1s^J6E4x^zE=_0DFyH1>0qKfB?Uaq z1E7vykOFWnFL1vPm5~C-vJ)W@A|5(O3Foz={@n`H*%e%g6_ZMiqoS*q*Ao5lpMZgi zUOx`?Z*?4pQeTQ!j8Ev*BEHgc`3icaniWz?*ey5;((gE#<~R;>awWuV#Ol~F%V3vCReqVOAZ|XmheF+G z`O{xpWl@{E$h?+;ZD4ePg(^T;YFd}O5sn+kX78B57&Co0N#Ej;z|@XXJaWwCDK>>t zgkeC^??aT+t%o%2( z960~?oVDepld#WXp*rEhF<~$|r%nO=vQN3ml;@dBmfY`UQ`b^ZtGsJj?9_UCeMUJo zmW;Z$lv88q`Je(K&+dI_Jlmh{8t2t$;M!N2w1ZlLy>djld)s2)INrqjkl+mFFY=5#rRLm zXGT6yb1)wqX>hT$+-G8&6kY#|xOV}Js=5}x&&-)jh9o30gct!sM2NgpN|YK=OldL! z3m6fC|5jqP5D^tD%!J+wAviQJIRtans?4=k8*T05_NjtaB>_r;q9R%wfhr=Ui9w7= zlbFQJ_gj0YB)dvls@5ZGb&`@D@r_?3GeIw5#|q^i zoUKt+;1|h^AIXfYDY*CKFSWC*coyd8ROKXuidF^q5$&jqGypxQDo%1s+0P2ol<%G% zH1PsyO#P3J63LEDpxukSLOBwOmw=3sGmJauGeqD{d~Ml9L?O1yIu?L9N-z@GsyHE* zer2p!QWH~$yK_oA*S@cHw@vr7Li^M%FudXSunZ4x>Vp|KrtnfaFR%T`16UQ&6xO~V zwca5%2OZTi2tn^qng<)>7bd2g+I&?|4KcPl`HmKjLvhW3xW48HkJ^1GVZEtpu)>R) zf2dvyP~r;p=8a|4(}Uthv5Jh5g(G43LaPtS6yG;f(S>B{v%2iigMW$D0Hf4GqY%4v z_&&D{-y=a8F#`?1>25hk$`30#B%vQdm?t48sT5ew;c!Z`N`cIu45xId6y}NJ zLe-w`z+i3^`$-F@j8rL*)1~1Q&Ht1zbE86UAIdjxE<=zW^ya9MD4VRXFr)$$%HK3F z3S#t|-Yp(#oZFCT+_QmGHPu&;ytD{32sZ z`{#vVK*eb3sn=AQOde$G9aL8%FcI3RwxbJ*n&UnTBiA;_fkq=a91I%t^q|i#Z26nQ zRv{UW==WeyQK)RDy# z(v;)Ot|E~Yc+@K-_0XapEn}H%{%D15hO7-bg%e7a0^uNHASCo>88)1X8mh(RMr4fD zEO-k8k1?Bdj=P0SEW?417okP(yDU7Bfy?42l=87!ik@0f)D-tI;j){5Zd-@(w4EvV zsIB=mY^32yXziAsvRYMb;64WPfgeJvtybYHE-^Q*{#=_Ir;iyw=8`d!#}tlP#D9-x zJf1NkYfj6R)$W!loNL$ZF}*Rq6LBr$AQ{iMv31z6!p7j4tu5z<-|mi6GN{m7wDQ!@jV5js)Bwr7;m`Hjvh` zNa2~Xdr54%mH~D(-`#<5LyY@pgk>k5X?z%XTuH$c;|xCYj!i~8_xxo;m8&>VZ_dA>n{tzW|jq&wnQWYOZ%>nZ_Efk7a7>SYLvTut0XBJq7n!(jU#x*0N9XUaVy+ zc@}Hg?__Cf+4Ve&wd|?Urtu@LH&X5fuFYIGa(#t*)5w2C8mc#*H`3mpa2 z^tn2KMI6tWJa5BV_X4h$lP=b^cZ@QPQCzW3P={L#Ki9r*35btpz0aK44-`+2^V>x1;Kgr4^PBlN|z5@K!3 z!YgsfPwa_Hp0bA~uo4jb&K9^VHpi&JK&FN43X+#uCCxwh75P4+O40HL@Mv$1{LiK1B zjIPP#VU+7@Q|g_gUD=Z-)D{-8xL7p;J!yGbt*s`D{9|4IDdS!KX%jIQtC>Wwa#zh| zgee!w-!kAX!hUfsyNGASFXA+b)NGeXq`r3LnY)Nj2IeI{k`iwZM)Q(ir-ymT^)E&9 z5?9R?u9_*X5UfxrE=a7ok}h2(pu^s1K}yXu9&_a}mB+N2={)AiV;oWhmv;<`h|$U3 zjC$vlL`e2ey9#hka~(GQ({j0+?iy+Mr=6ZXeMN?U+LgS%$`xcprn!t@ID1fM&sjTa zb^2O#C~Gr4w4z`H0_)Jwv?M)|g_-PFSJt?Kv03LW7*7Mn+g2n4`Wdbox2q=ARg>as zN#d)CoIo+wpGevaS5{krBiC~tN0iwX1pY|u2t-1WwM|W&tN7-ff`QvZKifk$+a-mE z+S*#9yu4fv41m7yf9NI{df+fyc>~4JKV(%m<&wg~SNT3~#VxDmEx+M=gne3O=Jityc7T zjNPayLHMX1w8NHIFKdUb+qi50q~=yz(b6oHp=Ob-={__NT3M+H!h`Ht0}qk2=FSj_ z*kDHt^t7Zb3#E93XuKdPcZX7Lk(9lXvLci+Pg0O~8#Nvq(UxqPrMP-=!PVk=}BW7W(OhL6?P<)xI z+>OX3CTGj3N8(j>D*Q09 zbGRuC+{!P|B&VO8{`F7t_cOi>@Z}?h=iJ~k0kS`01g3DXvSbX9;SnR}#YZXD$8XRx zF8Iu&2BtL&_{Tc+r5N>mP561YdS?F?43;l)d_o)7KWbo7f*m&oB|ai9d16(AZ?gGb z++=Y0k#Cv{OdlM4W)o{2m&SJeYLKJ_;9-XE#Y(cK2cN0bh~1v&$OIC!FmDp(4OZTy z_`FN->gIOdq@4BDMC8hO@P5NHY;NEt)$vUN2hXHHg?jogey#Nn(dh>b&!xgkT$2W} zk@}-gD8J(mXY!I8Zxo4C7JKH?B~n8uaR3{s3dKu$qIt>hYs0+cGHfCGN~A1WYCZUn z(Wh_2=LUYPdQ&HTd*&e{@Mrb-hIB4(Vtn3s0myjlU;2CmK=!Cy3KcyQ6-w&uv4(L% zRo>*nz^IwmIJCF!`uo9vYDQ4t><4CkT7tw2 z-|+V<{(jHjZ;f?}>^;}`7CDm3XT{j?!36&`s*B}=wnt$4e&EEX%Pv$dF!!p*#ilmw zvnB+?<&AA~E=D)lLIg2=7u%jsKy1%}s%Kw!WE2IT1x1cdD{!%kfDP>mJ`1+u%lYi% zM)29kj0~~g8-=N@XUV$N${`^|AdiPgv@-OlW*gUHF4s3YZVX?Do(so!_QbS zyX4&AH7Fc#Y)_F8MsiO&C-8DwsM)+9F^cl<*^@}bgaW&@z=7dJwzwa&@k-6vuvyL& zjYvDJ4UZYt!_XHb6Ct~={Rrhkt*%FnE$vXNpIybBDBY6*((et_H7VTuLciyzWM0LR z@KERjL_d<*L6R?&Feoy%bubr=xGj(#NcNX<#Vp)u|M7`jqS1O@3i1!>+`brektst@E|D%lR8#vDFJ6UXG@W%fW~)37F^PB}fUK)IbTHlt3J|^_!8Xp$wR!Yy>AU;uEFygdjNhvMvUYaXIz)JT_?WZ6M%0Qt?`d9I%2Ol@A9m3PV!)qmAM+mvpfhcI{J2Mto z9h-NIBre}mL-u_3Btx2zWnSjr`ZHtG1~{U-C+6oIs*$j1Cj)Ao%!u85Fy#1N+OzA$ z$CQnv2!r#1^NY}^7mUq2tpmCj-vTW*)moidCYq|*nROr7Gpb&E-LO8Rl*Zl)>ApGA z!iNQ=F}Z}7qz_E_Hz>;gMKtAqZb_K(?@EfM{HosZF{jlFa@7}%#^=@T%=BbvLO4Vt zMxtx&AYS{{rg3abd5QCV!GTVQudNpA$1y$E49c^YFS36juFw`ijjZ`8@jC$UJ+?}> zb963oUh0DN$1>IbS6JjYe_XOI~NodV!tyz<^I94 zG=aaI-}g204ap$d(_e=&crpu@oS&;@AS{ia9@HjQ!?AF&ay%x=7sagAZHdzhB(wPw zqn?t3K?P5s_Q4>AVSDpEJ>_$ppI?(bUsWE1%8g8K(0Fq%=((9gH6GF&HPo3Chgv zEWU&3tHX#wn8o(pVn0Iw1Akd3u?$vYel5f$G1(ihUI`&eH`;d-6H{W>lwap?Jh99M z(9GufHqqbwA6xT6miKp3%-}Y6EYT1&`Unk7Mt>V;m0?TM6Wj_wl=ptshMyZ5h^V0} zi0p-UI8>i7m>dS`^Cm=7^tonO6-}4qz;j8zN>cSc;3}d(Ys0S${oSsgK89?5l_PL7 z`K;Cj>g8{vU+Pt*)vtby3TG`+uAxqHRl*LApS_k}Hz*k@3 zGL5S3<729}zHV%4++52U0iQi3S&7}asW`E@{R^T<^{@cwYH_JM;7x*Wdvc8In7A-z zgc0#NWF$_Tb%Wb?O8`PC;5xCijWcVf;#32Ramih>mkg}5RfgLf*v5osXL|4KJUvUN z3{g%&Vp*tIyB=yLcxN*%=!;aoD4R}FFA(DZ|m2&+-P^_CE-0tKTYPGK@6K(e(J*mFH8 zzU|C1aJs;OYEh+!5Z#4dOYog@rnsalW}288F1ts7FFba&!ZPV!>Gw$kX|vs@h$ia! zp2ew&@f#j7gz^s`a2N5jxkC9rQpZREx=^}*C+v_cZF~JGlpx$9fI6d53};^L(@P!vimpeclaNE+hH{b`uR7! z!&9S!8M@EfaL8euZ2urKL67-29O3Oz2h-E9sKI?Q*JXP4uA4_OZ8Rc4mTGO~x7puk z&E#4;rG7(ljLT@5iFGYC`!}#-dDz7nt6ThAH5DaUyvIsivP9Q2vE@0IhMJ+^B8O9A zej;lovC5&astxv-jKUk5uErk2i7AW37&~pwZgs|3+v8%GguNBgPuCXzoTf1GrsEXW zUeXll=LbUN{ST*8gAhqwPgOw{^fEkdhS4=d0q+s$RltxCaE___JlR&k*!Y4h&xEDZ zgIm*Mf?LyK0_z#F!a$`SIRAzR`QRa0PjLs&c+Bu^e}qtV=lHgR5?=A04PinUquG;( zYn@_yjd*tuUG~iK`31qP>^Cn!ZBQ7Pr4d1;xVbM3d`GABmgwg@X@Iri8Lr71_Mu^@ z-{J>Q!pwRZ9l-oTuW7P`=DAjlR7>0QG(bSdrrLCxBTJKl6i9D!rMq=>CaWE8RZdrZ z0s5zA%K#^hWbk2~!B?E@STHO@uP^l%Loh`X{2qo?G^Jj79$FHWkka%d_jag^^cy;o zTwgE(Wl&NzSfob#6B59|f?-!5H_FUy#|?i$hFLIz1uqmQ({m2mmsJ@Ev!&c4m{dx+ zx-&yrA6MR&9P`#;aAOo*A02~Nzw~}IYDZ;0ZnW?BPlP_d|Wv9Y`!!C^O@7S#Rfhe`sYavQ_@G{HTqoU)qB(3i-q0ka$9;%PK^- zbarr6LU5I`$qTLmT1uG~oHD}|oZ@z2(kme4DOe&R-vF){UH#hQ@lS#E42}zMMR6?9eOi2-`ERZu^#s0k>3br&? z7T)kn1@h_NCj-lL-F(4@}L$xr-YuBu!*p}DNVUVS+^tK#R($x zF6^bdTGiv~Q%{%F6VyFyeut=h#m=0Csa|{b!JLI@5XRXt$^M0DD)N=t{3pZr5>yq1 z`7ep}Jz5C@mM9QaJ^KcZYvW^NL&b*RC0MwZAf#!PdA7>Ym9v5^BdaAODF=h0&u;^O zHzE0y_wKgJlJ?3u9pgW~Uei|z*}B`|kM+5`?LjxH@E*gq`nN3^)!BP;W)CYHQuPyR zp^BY$|8+gzAZhI>4pdj!)}(R_S8)$#x=eW0JXrPo_?V2?&wefA3#bV{Ll_-&M7euuXI@N?)vG^2sr%>%piEqvqcin>`Q`O zCjf)2jW%DsBRHqSyGyEjH^N?5#s|y5JrxB~&T+>Hg38Rgn0-+69;va_D(gfVl~ozD z(ZTVTwvBl~F7}OiJ(Nh%GrdPGLR%p24?gplQMF!{B~^K{TnNkY4dX{cM1t>sFkmzf zu_F&UB?t%@?nNHXNG4!+jhl}%@E+WZEp0NbusYb{V|MZ(n+R#0^?u!lc5`R0)gUJI z^=3V1%nFW(P-sFu@-*vHX=w2&*p}-3=<&5xHwDLkoK=|=Ux)9r4W#%D<@;l3w6ESS zz}VNk-X^$DQ-<0kK-(KRWyi~~*w!^p&~?U`27qbInKfcNMu{McQusfD0 z-HvbM%sIXmGu8xY#GE)zu;s*LS}e!27PU^z8?h#RLf!})0pRmSOis zyJIFY7=kbuiGeepN1=@HlJNsm{z^spJEJLo{ddEZ-}SR-%HJ;%YVCnTFo>Dj8x04` z5KVKELC`D`P&1nI#`m3SRW=NX) z_E=)*TdQ7C8)qoa*^KjrvZwUZUT<8;Ws!4OBv>{9Me00X<5GBi)p}XQ6RTLxSkQq* zrWPfv7`!TGsymLrKym^Ar!(jlDNT*gd3~Ns#x_TW#2v-3N2VuCZmcjm(Hp|%oQgj} z16Pr$e>jFYj#Ej>f}T&c;3-Y1>r!$f#fm`d`{yd^+Naz{Rk^}=2jFB%9~de(Rh2s= zR~jk*QRyRBBG%rh zlQVU4ruRDP)hZ6;HZ%fxI5xJaqT)!aLX&=Elly2$%W+hs=U++7aS2_nyv>|k65F;b z*_&y(he->N8KLq>mIJ2Z8N07X0UXa4za=lUL*0k66Y7pF`{4& z`=^rQT|9_zAG;n!cxM$b9(qU;0JOt1Sj|jS8M0QQ#7yNy8mPZOVmLaGqB38lmdcXY zF@`iFV#E zGPkSu!_<3yrp}dU%n>@$y|FeaM~lux?)E3%|2aoX4X$XFxu8XyzD4 ze#{@t<|c=q!v=_UyOW1UL{g5d;-^k#sw5()B{Brj8}el;XPGf3ORVHgC}&0E!AK{t zv;_}5^@K=}0e9L!C+yub0~e{TNXT@XJHy&xbB}l;5qqxWP@pP>#i%z&_~*2m(w~#& zoOJ)3Q>=Edo?(s%9SPoi6+3=8R|*YcoU=M)zQ*z?eS({X(+C6=Vseg3DAwhn@jXVl zpe~z?IYHph{|phHxPY55JdlAA!P1Pr8{Tka>NIirqiQz1({hzQEHqp1r7( zY3)sj-|tm%;>65{sTS|<=xa64K_Vf$sodt9V+46@9??Pw4ZRxslNgb2p1rZa&*t^Y zXLiqUtV1L!+%rcVxC8QcoWGA8f!z3CkI}CLEktp_q8aiNZoF!DO43`jo5QZ8-MYM4 zXDRQ|_+XHDNBCXhcBvN#XDRXu#N44GiJoioW+>ONbfJFj&?cAXJT*q;v+OC&w<_5r z(D58?{vA35wjc8xW6m*rM+oT1`59#@!X6qnoA*+sUh|H%&~{o65`It)f5IAYewrth zvh4NiQ;2O_zdjWyPjinQ{g(Y>>C#!JL^lU+ZD#+rO3>X8P|MVpc8}Hv`ki|Nc96e|AVP9 zqP0$m0SosUx>a(j5Opm9qeqM2qO*Y=$;@<9j$LXI@0JUcy_ zsrP|m5fpspLA4mug=wViQ$=W#7`!PfOu}^8VHzeZ&@)aEFX1Iq2IM85{!%FaUnN3rOaxo5Rh{F2jxGqN5GWy2YRw{cXu?I}Vj_zYX1%bTC3}sfnR*?8Jx6UW zM6h|2t=eCfstNoGwPU+LEn$X>F=fV*QgM%1j{p;z$}GqXyum6#=#J+K5eB$337SL6 z485k9dUWKNFWR6?v2L6>Aq_%MpEpI$r$|sLf01Yx1e<$0i9%1^(&1d+i_BPWj`SI6 zK7ZH|N8>(XEbOYs;Fgh=HI+#}IBP0LzM-$}(H18?v@9G(lj$$Gtjivz%kCGRtOhX$ zxI$Kgm;+4e3rwIUm`qomi9@I?T??V6XS9MM(XsmGSNx(E_fPwxAK4!V^vZ&OEHTfMMN28o=7TcYaw6h>DF-?68nvjs zU2T`n&($0tv|+k=fS6EaoT#!AkuD;f67I>H3nsvkE@Efs%8Q|1B|QyiQmr~S)T)=mt)eNW zXKtuhrr!P!jc&;~n3OiQz`a%T6l8QeHlNuJ*^|?b;}d8@M0Tsu02xB6T0RVuI=%2i zGgo3OsWf&Y4CL{mrrjK)hy{(gJrs>e3;wgU!fGNVRjnUCh?Rn8bO_x`olVIZN*&_C zYQ&MunM`6E+k%KlRME*|1E};N=P7NEh~=OaPNhj{oN>iCMrnzGd#$7C21LRR743;Q z^B`}rv%cbFmw}V8cnxIwD^7JWp4iez=;*;>gheOcIxOkFmrr$J9T1BDUsW&`mg4SE zc4q2T**B}6YwN1Yw-XI-^A05dZWDoLC(_3$8y!^(5k1CE*_damT8Mm8?(9=`=P?{2 z(L)fo`Bc~1x9L2J8>}#&JJqG8IQGwSUsci8#TM)e{LNYh3ojXwJ&?U^Q=w4)*FQXy zm;7K7yyQdYB@tdSJnR8}AterAZ(F5!NqaOeX}mGaORfn-@si3LJk$aV$U$yy*E+tp) zMlOZWv;oo0l#L^lB)6UMjr!J3C#j^ttwvgO7?=dA+1bvq0NB7XPd`?c^&;i|P;CD1 zzf_uAxO8ct5SGJcR4n`dOd?CiR5HD6Q<@KUuYs#6o%5d5Ch`{~bJlNF#S7BrRPrxa z(xDO#NWyhwt$OaIE*J$CJ;gm!um+;Z-}1I?YIr`^$k?80uX^rO=sRlLOMO+>Hgjx&(_&7lcOQa#h#R`u9Fx}HC7kl;Xc zEeXXx#=)>R1BxmJqPGDS;972I0aWybF*TY(%n zyUluC$({4MM?PvE`^Z+T{{szKW(Uf5kEWj`Q~sf35tT;O`WFC&}H` zW!U@`9XxgO*V$DV7{Z9CF;c+m5v(0UlAy)aT(g5!6+JR6R;w>al&^Kc4r9%*DV2+C z<7=l>&a#jHIKFO5Wx^D{V~T&4y=BmZ+9~M$c%;h(>w;*m8o&)l0oJp_!CDOH5T4VTm%@rw$I!jk zxY%Z_aPh-ou>UC#5if57`z#1-{hCZ`ME%``OKjMu5H=XLwDGkpVj}xzzG`!K5P9Y081&d3Pz~Sf`1-I35A3I0MdfHxH6AR7X;k7C-;r2z zM_q?$HJXjqhV?exlj-fYd9F7`;yKRXY!Iu2IeK36)$Ov z<|XeLVO|nFJv3mfi3M_c8Gts`JOv#<9$$K(T=`W?*77t zu9Ri1WA$&)2PviDWB*f-w5@Sao&EIMD(mcf><#uky|pH*T6g!Y^{H^J5C5-fRdvu& z90joYJ!S2q@*RH|-Sz=Tdm5Q;Rqw98_11*z{V~cES(ITCTdw}f)kR$W%FAo{cc}K~ zue3TG4wuW7kdScBIp?IMrHvRdV$`Tn+WgFSqMhS?NZS2i9g6ds%iBVEwY$-AJmKZ^mHG7Luvc=f4#n`*W2&yl$ z_ZlU8jV*hPy?c!y_d#Pz(AbM&O3I@Ez936>P*sqfon4Zhy(K$)Z+3Q2)yH#5N%oeK z?7bz~K~+7kOSWWh*^<3?OLkDThTJ84v$yQc-n%zDsJ<)-W^V~*?+xPKCJm+Gw3Mc) z`l*vjD3xOPj=a(h68N{Jq-3w^5>@iBWlPE4EhRzKLt3z9Z^_=hB|+6&TC*isvNuSF zq-XS58YLa2+w_2MXc2uCh)@-spghW;Y3h~_w(Q-qC8&T!XQ-Ixy?eI=73}C6b@O^} za7$2u64(Q2KnpAZ8$bdofPsF~S2{;;Xf&VEOj@VvSA|Nc6eD9mcHWb~zn~ftKt>O# zmFFPfQ-jIqF)R!MPzTJw6<9KOKnn-~6277Lj3r&9Px8GqQ-+r2P(Kw?B1Q5k*?Gwm zA5(z7aOJM9uI}cWZ(g-(RYgU`Lk~Ul>Z`B*@sEG}+u#27_rL%B!w*0F=%bH5{q)n0 zj*ehg>*J3SyPr_x(PKjO(5tkStj6VwR(HjBw2YMd>Z^~}-m!Wq* zVZG=3(5(9~&Mf}O+G!T|Y<3=x&8mEub~KvBgeqyus@!0(*=aKI<*EFskvTp%{;1hF zzRf%!ZwTq!YQ6i7tc|g5Uyp0WAJE}jWo>GaaT4BePtYnmRRH^5i7!Y{pDtV+D<>Bo zxJVlf=ow>O7S|UI_IPaFPS_r<-bo+ z{(nVN{tus4lt0~A@wZLUl;4wtRr?g%wb@X$-oc`r7rzIpWK!etn4>Uf?8-YMxf?^dJ9={;U}1 z$#EYj&B7n4CBFE!ZXCE|+8^NxFW}|t~a=+s* zemlqgUa3>Q#sZ4BZ=1!3qB88yaUUs-kqlTvnZ^6f;=>v<70P{NyU3;kvy>nIyK^3RWNeSFHRYrO!c1`LriJQW}Mf~Co zJ}0GSRtgI!dD%jhl7{E%;BpyXL=iV z6+0+D(~z^i(LmAZo!PaoLe>;zgQUs-Lf676IziLAP^NH}a2}zAp-(yv$Bq>GSZ;J5 z_Khr8#jHMTlD5|Pyt6w$&6%J0Sb|@N9CKfXBa;SikkMz~2$)N&bs^L!b za`=D^AIL;T?F}2Aio}B#=|>SnPeiCX5GZ;&eA*T#jIYfy^AoR5wt22!J49mCW?pQf zGQ1eQ-sI+=8r2u46H)78RK{~I{=n{8(2S{VX}9dd>K%iOW?ZeqPjLpviAJ7KwN>;! z*^QR}z)~ypooTe((fi~uS{C*`#TYHuNtB>u(|e)T>x|&L-iBUGLsO(V=gQ9ry|{X{ zS~tjPv?$Z0dVC^U2=XqCbg?5*f@67P55$wz02H({j!tw~*b}(2+V4_YmBW#3f__Vg zco+LgHYYt<8}leuo`@bUPlSq&!|Ej*)>NQgit-_kL*et%vkBhC!G0Xl2l2}CuO`TR zUNV~lA1BGIxj+iA@|;#fdn4)Sb@CiD+MBsmr<@UkE|fuDN+2&e$TbhGt<(oXa$YcY z@bCrks`m_Dur#sC-O8q^8E%o-B$WT_15^HLMfp!fQ~u_{@S6WG=R{NfpT(#U0_^jI z>%NM03iJVBa6)|Kyjo7*mV-d({5%l#l-$$rd2yBQj`2r%NT_sw&LvTGhi>L!=HAi1 ztgU^S1cs%5^Yp1ta#VvH-M|3{0LIVJBl_qD;``@~=DcjHeoT@v@H<}JPdp5-%>!EeP8un{lab|3;u`fuP~L>T zFyv&Y&==~v$w7lIjX&DH?4-Cn^kU9bcbjJnL&{vs6JwbMP%#hhY<_XhhW!X^=;FL# z?e)1Ls=rqbO2aw(9$Yh2P=pm+m;`ZL(AJsF6;UN9h=MvLZRkMc%u&`B1Wd0OCut{0 zZf``?NsvD{AbYg>_75iPm$9+|<#Xnx^=$x%If7KzU5kH0Isi9L8sFonp zc8zm!f^#YmYGTvXBAP}1st`is;Yrc+WXu_)ERO#HjuZtR&C%?>lkm4%*Th$^NG$Xm zhj#}HBEY22-5~sY;AIhxb)aZ*25P<`q5)`zoN1;a^vWE`YQNJNvM@sfb)FI*-V;RK z)E)TobQ%}<3BS#^!}Qo@vsR4b@EqU|H;*e^01LRj2xD1abLQ~<7rx@F%Uo()ANbZq z)XBW!EZa`bD#xF?2mBInVcuDmkciMiqPKM_wABZXR016u0+dDw)I5WGXK2f?YBiU6 zFSx5_b5{FJBlyE2rYF~PX}BA{PTPu6JfwmoFi!Q=maO*G>3ljYYaE}RH!qcw-|F*l z{ZJo?+p{=B6MVQ$di)H~lGu3PL{g}u%M-tLo+1x&(uyn^S$g8A5pa%M8lw)movyx?oTTAcTZJSa zvCtCuTxncYzOAsR>4%{tc%3BKNxDsv$fLfh$~Q@x7f#Z-93*{1l2m1?5=84&cpVw$=BFFr*82=6#FBhix^Fb1Lz|DQ}L3|qIt=QjxaBIc5^f@ z0iDvSZN5$sC+?7jS2Oc}3i%a@XDY7BzWj)=znx^>-Ucz?Ew1~4P3q+-3C;@7<1mIm zC(<_bGJ;c0gc0X%df*r2k|fTL`2h76TTFBZOCC3>D%{~SK=f^5QvrTg*dt&-i-Y&^ zs?F}8StrLvTpCXIIM%&Ut~C`G*oshyG?9-;r!o%$$A&(Yo68oY&|i@k41C0lgp6>8 zi(8hw5AYjl*>iauhd|SYd{bsEq$Z&qx~i9E?1jwcU7}Psn_q$&wasWRAuv#f+CG@> zZrM6q<7Vr?Dh~7U$+aw35s6ON&$}V}Rl2_-mk8p7=V&Arp2+CmNN%q$$0JIn8#TA6 zc^8zjndU`J<=srOzU2q5jFg{MevRQt-t|~+Q0}l>d?UBzBE6T>8X9t1L zslW=xO9rb5%2X8irHo#^e_FLjTv@p!Yc6t1#qN8G_xviVum8)+E^j5 z@2aoO;ItbMO#2GGDp?XTa6@-~<3Zj?=$LDLtFw%?dA`*Xjk0O{I@Vs{Tb*E(P3G6N zcA|CD#JUen^QHvZhFbSI?EYEvtVUcYB+jJuu!q<;h5mVS>+^~dueI{##^)7!Q|t2z zQ)bua&Heht^?CD3xhoPgk$Hw^yzJ!jID=^3Jh}$F&f$rc`}vWMG~XD^re{1!#5DyI z&4EgtzN>EZ(lAV3C&Q0`?gZcJA{?(Nt4Lfu!NNUGEjE-YMqKa8|CynT(7eC z$b8jK5RxZ`JOuK91%b1hpr|YJgthf|h*{h3ciEuE#~GUB0L^#vh%!)04KYtHbaP zH9yNLzbe){*lOo)x1-~mQ{P?vx2dn5p%+xzE>``r9~QeT&QjChlg%|xxHHH}#q4&m zHHwv3GJWd58Y5lpk8ZVRZA_Os+SZ{2U30E-lCyRa%)n~RuC2O)z%;*JY5SFQMr=Sl zgILS+am$<47KUyP)T1cp_6SLDm6i|&TckGmPT8O3OIXhOeD*Bl6q+b8v|0K(Wf`lu z1?+(mbZTG%l(;DHQ|K}hKdXqHhgep!o1M>YRtPjtq|7G{3u-)H*(sw;oPh<7^rkN; z6BQ^21I9sFyA1`x_j8I*dBu1IIqf`%R=FDqDaH zmxIII*yah1D8ghpYk1LEjGbjg@P5AV;SqBSiH_ol3slac>3Nel09>NetEN)HD`W9i zQ5+X)P`>(dv9){M;3kuszZiZGrg&ha(11+#+>o7(c|(1x5dbCnRy#vM>4eeHGJkP5 zig~1B3bF-2mhc97lc7F=huG&81_}gvU~3!f_$9?%J0VQs5{x9OjWba^R|Sz9dccm8 zftzLv`|Xf*TW8>H8ABQ`CflK|!$=DWk9^G>B|U_86$LI(6zp<-l?ky#g%TJ>L((Cw zr*i=c91)*4j5XDL++JzTyGk9R14s!MDRT9;T{h2b)yw6YPI}X|*1;Bdm&O$a-j^oA zW9LCz6?s+1)zA$`({$EP;t+m0tj-Ax=bG2GWMio;xUZjs{jbR$KFehhaTDz@Aj^sgbZspIi=FgE+%!?47v-W}x!)*wLs+QfoglE018dFJjWlb9oxy7QaKZCt=sencmmeF%@iUh~jWc&0h21 zu2MwpRaYn|Y!=T5jT<~Jy- za(3d&SWq6T%4gZSNwlKJpagAYcPneWT&TO+yI{}PBwpsN9CjguMKC-X79qFz!oU+$ zVzH3of4105X~2?JW9bEf1lTF53j)*T$so<)7Y&q)`4F7b=KV!|#mma1s{2Pav7M@~Xy6{sRIv}csMoQS+TUg5`YYb%sgb{T_&dZOR#+8>`NR4O zn=3!oSHOZm@r8&_{1tn<0L=*wo~)uu5pgNjuNvGM*rK*!9f2+E)cGRt1h5l^fwjdCN#HhZ?s_&(2noo+X5hTWJrIYxc=&RiWGe$)AOl|O%ujtYN>bcqU| z!?Q$%KX*o~%Ad{iP@ZqjVPnGe;2aKaCf@^-?8ZY}AEsRau8-VcCknjX_&%BC>AEWfxK1c;+r5kSP+W zqa)AUMO-j2FL_W(yuCG=mjqkGyktAbk+|2WNqwL1_cuu;+ZY<$Bfw8@VYZcc! zxn4WMZY;MkZ0a90B||LF&|J!478! zuX|YwYxC?t$JYZAas>UZ&OAn2RQYt^!}u#_d4N3Vc<@?Viy7x>#X#?^?yn4tEi+udM~X|^!`_5 zC=A>JP3%kW6}>$kCcWw^$XXvemOUDiLw*xvzea#78AY{&D zAl1m_4%KP_s=@;FXa%SWIg`O(fT~aev=*Q$EEuhh3OON6fTu*@B~A!({BfjqaWQbW zW>{TSrL~*(ZEn<~C@1<_v@I0tHGF2Uu!WPMPf>fuYGa*5HZ~HWLv~us9B>NpokAzX zh37Ncg`EEI8-Sq)PMbgLd-+7!L5Q3tdyiPZUXkFri2e7Z)fe!avvxRi z-!%7|J1(ANSPgDo8QyoTx?(Z7opt+4&-CR#FbY>JFS-5B+n3#znRoljyYIZ^KaA-G zb2E*(1=BN)%P+s2pDFx|nKapJjN$)96T|--nPV3HK>a^<%*rv|amLF3Sm{}O*Cn?v zyWLpCkpYWtztu1n=`t@_w4&6wb@_6S(eNvo1&K@UawIOfg}?7Qsw!@jqah0um&|r3 zC;{iAP$*=rOA`aXagcv0n|k%C{RB5p<}E-a)hW8%8CN@vRcTt2`?}+Z;{^X5a&$VJ zG0vFX?x&5G$yM&Bk;%(0V$6WNbhV+i(Y6a-EjS0uAh$te(k zRd7}=*2l_3sk{7#PvbRH9|J9%R9!Wl-2RH9VAF^me~k55QE-Zq{9{>7zKNb#x61yR z{CaF|pN@3%qOZ(pct`k@MfgzPw2c^sC;FyUiha0m+9q4jJDnxql3W`)Vp{45P9bdy zucwf6N(IL$e9fU?qFU+OmE7Bf-ee{RlGi(-DRN%W<4INShaw$g*Ny6j=R^))4I~3J zaBV4IL6{E|T}XBU!{8IE1z?wKb&^4+fo6Qy9xgRfPqfBrnq_F3sx0f#VUE@M4;)7l0)%6QXe2@_R?)Eb z6B3>^0pxRG1E^$Y!c-6V-Hnkoj5;%;=~80##fgabK)kyV$z?DoOZaLIuEfEGLp2sO z-6BU!&G5{e;o(@kc>ZrmU|ZCZQ~ffoK(E`DysUg-RMshy^=cfk@h(VN($M?j{5~&q zxlPw5h$=DUUB!+~n;sLaNY{$SI{u_nw6<$KY{ zBblr@v_IA=YB1|e3>V$|{Y7uHabny$*pJ8^F(qCMjD&l)FMCmsUC>n;(!lTZm+eKs zMPI~vDJ!s%Y;C(TJs)6lvB-lEe6PdvS9PDD@Z@QU3^9iQr27yN?uIubm|ehX>h;j0 z5|%Dl5Q+D01b#?~;OZ-Z`$3)sfq?u{Q8q{=6GC{&r2|v`hZN;M5l#8ybHkMXPn)7C zKh)zRz#YSds;b;CL#zeGE%%NI?n7$cW1ecccTI2~2tBkR77ZU4a-7(JP#tR3Vk-}b7 ziykeJD9T`|b8g=YmL3Y09uO)MEM>;NF6ya>;|bP8MDV`})!=F4nLbC=$zz5$~k-e&V5yQ*BO4dAV9C^2y0V|9nb zm?K|fSrVc`P{)GnwurJutX_5%T*5RXP|^w9GAy?PRFLX1JuN*zPjolv-2UF@8v-}Z z-0D!_Cxp-w{y6Y2u!AQ0i<)}jc&+FU(X5mnvdRu1i%|fPlEU}hl=CMlPm6#~tW*>k z?*&wFPLFp-;E(L7C%BIdFA_jdi?n>y%+FRXfV9I?qtMq`L(~0dRhcHDO^Uq*ili7YuYmW3Q3BIE4k|aJL z+z}-P(tCG@m=F~8Ai{^@vr4T~Yc_w;QDu{m4F@|aXPN6UKv%BYZh_F7-B|U76ePPb z8Ov8H2TH_Kizf{F=3{EsZPstvA!gb|ZGpQI&j31M=zfNKy&hF9{+m%&n9N(keZs%fS$o-m4w zf`O}%p+t}8(ZJ(sS^r0Vd+|Sv_fY6Iq0nUskmwj;F6PTn=(1M~Pt0~KRf&$Xx9$^K zbZqIerHca1Kn8j%m?D-2?pDu*FtsJg7YWxKn*>ggIrO<^vzB~Q>G$+^-DPPvE;yUZzzc#J2^`pcW}&0znXK5FTp? zN7MK4k(W@}?t}^ZwL&}&b^1R+Vge?P?!KYWKj*N&_z0@;U=Ri9ftaxl6ku~nK7_q~ zppeN{7%1XbtYfTJ4nOI$vt(9J*so3Q72gobpFQ9%B5R#c{^~!Sxr_L9x=5tny6DVZ z#1#Ycl7|&9`8b-FBsYb5$Xt82#Y|d+QXZ2Q?L9~kABL`D$ zfwG+)cth+9I*6iCpO=|zw8YC|fo*JFCJIxru_b6ERxP7q;tU{b)(+V(f17qjyDf-* zoKj%LPqC>$iUx@{%5L_T9%rGW>_RbJA(|s2dCGdduGuaYsA>UmfZ%8-quvOm+1&^J za86q@XW1Ymu&s<)=kDH@qWu=8wy%DN(t_?&Ii;so|H>*o&apH$&s4rHIw2Zy6jeRh zd#F>i;P103$?_-R$m?2tGW%fFh7QAOS80xK`np`JPc&~Zt2et(C=1Q;^mJ_1O=A@r zAY&*Oa{wUgFv>}C_CEA|R}R!8?|6uM*Y~^HT6tG%R24X4*lsm~g5~8T+0{p^!{v2Q zUduZw#hzH?9H%Ap$syLqQ8{!%-yElx5mX5rjaYh|Gsv-5kda}m8L~gJBV@>s_FpTW zQYQ(p86GmL6lh>d`Q)sMOuJ(o$^asCP@{$;!7Y509^fZyp<(p1RRZtOy$LcHcV2 zr&5Pn!88Hcs4uEgt%f!h`@IdCDw+ExyhK8hwD6aa782ukWw7}<7W$dA@wa{2_%rUq zfT777;d^H`^Vgwf_TQv`C7s@+H>F9Z_36mz&HPN7*|*&j&JpuNY52o^8(tjLV=vA% z{#Xc>eN*l8DTFXs>##oC+=%p47)Z$0O2q;|l5Nk5kM$H~2PGW9XG+73R(qZua~RCl zMq>hY4r`67nMuShHy*-o_NjwtKV(6!19JajRb1*yJ@NawG)R<e^zi53U9yqVS-ep|PXPMS08b+e+2@j=FDD_XoN%6*h?aRjQ;xB%9zuu>(&Kne;<{$2)*&bJoWk?ZQQwLVxio>rIM1tiFFNE& ziCTC3(^#82F?_vU>x{3mvEL!z_v5tA_<;nwF^cDMo<(>3w{)#5p2_vH5g8(ucUSQz znw|%_hW{j=y#GB^eo^SpV9gi#3%!4YG~p%gfhqqMMfqEzDgTHo!jym6o@mN1rOMwk zeg48N>L%?_=r0wd2>;1@+&!ZHmhc?@llQIkaG-yqDfj=Ye+zuaU7KD-TUTp!Z;Llx z`&w4{Y-jGa1nx?ZNtfKb;UIQ3&y<_BE8Z@dpS1OOiSPJ~?xF=5O+TecE6m{hj*&MP zlXXVP!je}qjj204?p2w%^dFphz%x_*7Fq|aec83`pIMFB`ze`os;vXO+3ESF`n}dV zkiFmHeWA|u?QIZ0V<(>8gv>a&jbDtn_WzknIs4+sLoS*~$;Jv-vSE|SgS_VBBTm5LMEKj4+wYURJE?)>?0kIUc7A}spLMt^<-a%9e2O-*7dFtAjHK=Jhf!!p()Rojy3h_Qe^;o`edF>Qe9bP-pS1F~S@UZ-e>xcS z&p+;8*kmeL`3TcKle^=8&_4bs1VXM^`|1R%&&HL_ePu<~7RtW?VHiUoj zQO8beHqbgsvDfvjmtm0a*&l@Ys)`udJhF>AN3xNue9iuW!UFsT= z&q!eT%Wh|;_pf|KDPG&oO03IcRsMpR-jmn|&wkN*_swR{`IJ{;IdSGEb=N7?*SZFm`PPtsRXWdl6DfaTbaxB*&U;F_3k>rcZTSt-@`a833MenL z(kgdX9_wv4yTg%nA0@}x?!({O^3!bqoc986#zi15c%fl_ z5oO76Ir=~k;8{CpxQ3+~_(Ks;mslCr&bq@w`L7*t7qR4rLiy*saON)J#bl94?YQ*J zUBsM$c}YO=l8>T!$pweQyks^rt*>624(t>-NS__5&$|>#2rA4rKdvr$%KVr4*6>;% z2a2@L^tLWkbEDC=utC8GNPn%`N&^ZJyb6tIpQO{qb6j5nZ&USkL1oY1+ zMz^Y^QQ$vYx2xo-C#5;<`+SGLkOqBndYi4km>-)>wEM|$!y$g;TZmnzOlUQhA)IjF z3=x`kEqc5eX9W!~5dA~FYo_;v%-blKm>*L{1S}3I{nLdzjem!OxrBq2_!cL0m-zD2 zP43dWo2r=pC072hk}92QwMknKCT-mV0~z7_Fcuz?&P)ROX_Y$`Ri^H&d&SkW zv;4!@ul|(fKNnE8M8 zKrUGWF1=eZ+&`xSv!-2ORnon}prz!xCVLVA_<^NAKfPMOW@XUr%AK``O~_hFU5mYP z=jaY@E9-SqT}yKKtwxJ}@|>*<{Xst^^;1R&=aPPO2f;?nHLa%il)ygeM+dFtSk`TLHbs5j;m>c?7#&*SY>ljN`h4En z@#UBrJsx^2l1nx>mawkPcUrUK%!ZdCz{Z5vt)2-TYRw^?XUUo{FaZ%>a>IbUF9QME_sTEb%p$aHl_f{mc??9I(WrOQpp9{YcFk zZ#xxX>@H@fGrhC-UlJVsllRbaZh&RX zPG4jdIm%xzH}{uV2V|9HR*r&CFS61|eDg?eqEMvWF2xb{LXDWj^7V#;r+@DgU{wB0 ze$OnY&&xjLy*N;L|M%LX32r0XkiHBrM0UT8^z2?Xa<3r!OyTcKhc^nN*qQcnCt*x~ zR^v+eBF1$zd+riUm!JuNxX;kW%Zt84+sTHK1Q}Kt)R#at#l;xC$^*j4d`6~WRK92T z88lT!_W-y2t8C=eBzaX?V~j>X5&FPhV=%q=phmpEY2G|x= z%SCbph`J19C|HYHSl>ZZEN8g=JKlA(~2sn*7@k0Rf9E19$^PK&qmO=eByx!`a z=~Ne*>30I$q0#{A^IeS`y$VA=da_6I zM$Pvy`RFs*BN=N9ro1YY`5rFxEK`1F)Rc$oMN0XySs%$*V=(tsbB(X~I-$}gWcb3m+T=dBYRRUB0tc;E zMBbKZdQ&)679sT1`r)+~=4Y54!P#-%XG5#tvBsjxjLP9z8%MekZ+_-^^Gm5`)G8^| zc6M#5;k}I(%76R7l>aA+^8YiM@=tD5l%M#vD?f;){2C1TDe?KE;`1{+Q>=xF)>~}< zId)8>L9ZhBedV(!`|s@sk=_E(_Qi2lgW3vM4N6el^1+vOIy_=}hd$7V`4%U3M@9|l zg=e8ZKT%{>jGv;U&dPn2j<|iL{dfOZ*|}^$E}3uP_i{Y|=Wgv&|vthno70NURl}e`PHH zf3*#x2trFs{@9^liVkJe4k%8Ut@abMuEnf$+ehu#*A&+wK=AE0l@R}6|JYg^0o+$; zVAL9IAQ+8OfRg4R<4ydM_A$UH8UFuiAEbcDAc>K2oSlfEeVU&(N;^fnVAihta3l-s zF}1B=h~vqog0r3JK|v*?tA=I+J(G ziY*#GYNl(zfM8g%^Hx${oamU&hh;=Y|(;=S|EmET*jc=58#F=r;NSX{bz#mdF;@!~r&JSdFy}Z`^BEjMa!43$XtH+;$_B) z#dj~h#iN@M%B-8TV)rSJalOrD(0)C5RC*gb=dN_srZ~5^4E=9x;3GojWh* z&YU^t%sFSyd}ETdB5Bv$xaztU*N0bMd;HFZNDtpl%T`_+3SFBYT()ZY%4?0<6|0ut zSZhD!v&CL|lHti;wsOU?TjX}r}+Ev&k>R#*Dn*Eh2p%Ld{!t@jB_^pIhP z{aHq1c(6DbH_CmsI+;Ap$b+(ZgOk|^sZUhyVIx&=yn`*1Zpk($WNx`YcD;IZd>2K_ zMnd<9OM!{Dse#y~xrth~AhPX>JgG3?5<~AniT&9K9hI=5DyRivW+N3@I6N=y^bML5 zzM!dYvJsxuR5#TKPa`Nh?$(WLbZ@jHDnVL<3mkdD1vwFN2Q%49Ca2-aHhfLi-wI0%WGRWixxkKf zBUOGvvb@C3l=4H9<>i=!AEPE@eY9-HgPIUNc=GG!C4E4GRt)a-H=4`$#H{E{yet|V^E5;8=hg`BUVh0K&_A%qBd zkWi;YnADp;quZkIn6C`^K>bNbTDdRl8dB9ADeH+;^-466No!t8HPMnfYXk(*(FTYi zZ?>{yxU6?(Yt2~Mh0!=`Vkn>AB_aA_){M|l$?Mj`qJkC9Y_0uUbSK$O;?4`~Dw@Lx ziFV4d5mOQpU0(By&v4%t)OtJ9KLkj?8WdELBTaw>6x*yo0I6KOh- zYF{+Slo;lWQ6}+bb5-Wp0}`HG?O~y#Swc8@rG|5@cX+2-)=@~4xT}jRv`>z4VWQR@ywD?i+CxP7#!(jf$koM8Pkp?} zKbW`Ry@bQ`_h$Ng!r6JvHHRd0&yITc|MA~QJIaCsS2Ec?VkRDmmi0EpPg$6jP8gO`s$JI4F%ihCG?kOP;2DHtT@)Pds{W45 zT&tN3_O6qCm`@U+3fV;8Q*9R3_cXPpRjOJ<2<_7YYG6n3(arT;&9xT@lMv8_>ejo7 z%9133gR2oUfie)=!B~6RhqUxNqd|f6(sG*Xtz-xB2rL0m1sazpX_Ai8UwIv`*yBM6 z4}y_&mxD)z#0wPoy+Id8#0Fx&4DfK0tQtAW;KNs%=Q;l=UU4E0%qb0Wy@<=$*ZuE7mf%k5y+EKbzvr) zpOP+QoMdnCJySmS#cujjS6uB3#8&Xg#(zO8wjy@T^yStM?DQW?gwr{(BN28ih_*)S zhDCQ5F3Dy4b<`1EC<_R3dxP6meXFECK-84(|JC}O{;jtQ(8<>4&?)nWn)7pKZmau$ zx7$h4e(hppR#hu!$`nskoffU^4Y*D)ov;#gbwO8&So3L)WPZwiK!o9N?1eMHK!W*(4#2 zghc4_L?~dj*-7bCWhed1PV$fx^#!68mz%yThEzyj?7<=%h@CC7D-e4_&2>g%ox+@Y zf;Az+2x(DPfOn)*7l^W?jqbAyW_mL)0D#nT*< z$fhET7~zMZ3(cGB5}S6-{37gPM~7npqLG}02SZX{RF?XpIk1q_7Y)FoC=Zq!CI#HI zzKCyq->EQPV@!pXxnwBV&XoWqpAx)$+D&+!=RN%F9K_FCX{7C1X*`p)!T-z#{|g)Z zZR`o=w3 (kPU=%_3uy{&pN+jOy0V||LYC@KW*^8vcdn}2LIj- z{?9h}yPk1u@PD+ye*~RI#Q$8xzdhoALq$8d))x+nM z2VWup)l*28>D2@6e_2+>^(CO(qP*ZkOnMQd_0C0wk4#uqT8OloycP$dle+>|?OPJ@ zT@mqJ4!Q_trJpxeWqM(al2*a;p* zeyz23io+FDDGuv3Qkv@WMKtULzZV60HArRVkjaw4&Tu-_n(_6Hl7Y$l+Z`o?oZ%Zt zzrJ5{droMs2=oOBhj`)Q&4d+rjdFVz3|Dk5Gko~Pf#w?$aeHK!Y)TdiHVK2Z^(?MlTX7N&T_dfpI{ z2|78hP;tKROM-C5MX5Ybr1C7$dH$HpvpALKe4Ki8JzI62{p3*~nekt8Gfg`EQN!B6 zI+E{E`>?+U1vebQUrbb^HG((Mxzp43PJrH*?43|IeM;w+HaY4xJRQI}(WpnAV9~2` z`^cSq>z}!^_M@g%y=iOfd-qOQLp&tO8GJ(5`!G3Woni!IrZ@Oam_lW&>kH(=KTMV= zVrfeU;J?65o^9m>6nF6%Hq;xrnITZGHLL+7v)cD}bJEf+0jd0+DGH3|sT{$rWr_+p z*a*Mpq=y7&{d>{GQ5|i^86r`$D{N7 zf&|qBh(E5g6vQ8`iUd+c{+uc@NEdl8Sp@7qOJ%N1WtN@fh%)roN(F+0XI1?uBb?LJ zKqGExgtNCA6g5Q6M{sw=uhkxN&c6_*AV6P{s?=v!nhnyaS}!A^slF$f^V_MMtB&XF zQ8^n_&hBK+C8?a*S^}%4&Tf_SXDTOW#Sn_I2NhXUJ*9~J*atwh+_M!o6V=CzRXwIV z;ajP?J8dY8>g!e2ZXAl~1oAe9b>1sed9POUO*$;7^4`L;J>;QDO%0>_k4jal+;Zwv z9UUB^MZS$`9JDU z`77Fzls|y7ryu24P%KM9u_Fb=O$v&4lc0}DBGgr>y#Gn%U8V9KmS;harKv2hrn>t^ zmF0b&=|Y6(NGY-JdLpIsiAWnMEn}H6Y3=Dl`>dD~`orWq4?U zV!vaW>L911M42#=W4;5i$M>_KMIv-5d`0)FCTjZ#m3ye@V)Yvp+rs(+s@_zW$9Z!U zc_1l7z6A$t_0c^$eXGO>r{qvHybXY3kk^d_^x(?Ajx~Nn|A4c@KK8 zT%vgn(~HkQY|0_}pw(A>$kFOs`Bu7gXzRLFj(PmvgfqQ>y>7Lm@Ri7>I!9#F?ffoz(XDYuDoQlNzloB6w+zkB)n0e=th_apu+a{t8P z8W!2~5KkNux9Mm6J?bD7+x?F_BKJSW-&6cO!QV6dJ<{QZU)!MElt4F1a09kA|s z4rp@OC<9`?jWanIo9XW%yf(*JRrSz=618}cWHZ6Jg^R6w83Bn_f+k2u%`9g@!4p-!*8po!e-YTUAHQ&9;kymd0Bv5&}Od0#}&cM{+Y6jU-t6D(jfP;>3 z7WYfTZtk6-kxg~8i7gbJU)^p-=dWa%IaKIj{q?>owcb)z8PLVgmi|O|`pj+NsmQ^~ zxYF!fMcZdUrCErplxjyH<`JU`j4_?%qgXJS%NjQY2=t$^&>P%FgcJHIX2jw5yldO2 zwML$ee)rh~SWz5xuC#^nt7PWRa4|jByuOCDe)C*uEN7%{OeKlrV4+1&tr6x*^#E^V z`Jd5L-)j)LjbnIsh6W^+{)IN#4!gIEGva5VBMz={3Gk{u>k?|0TUCLOr&2eloH&<7 zn9WzFY)udnx73ZD-`QZzHzd~6y|_9P%|$iH5j$dv;cJ!H;SK)G8NbJ9k!S138Bj2n zQ9nvO&7s@Sxb0D(-PSW9oGI#QiETs-@2}T#CzNDyY&5+ltBC7Qx{B!hxlsPCn@(Is z9Ox2T#CPYWRuOs0{cAUzoR>VRc*)-WyyS|TlDx$8c|Tr~mt)(15YPNwVgJ`ZX1V&9 zqp_wPc1BcyXMR1?957{Z?61c&VUSTL5Mw&*)T5!RpF~N;K-`OCzdgnSBqyxkRf@dQx6`^+Q5VCjUUf0Zg20i|rIE_3Bc;nDrPno=f`V%B zwzCo=TjE^JcoxUr`Bc!5lP*P-X<|9xE$0G27l(pln`xrC^aAkrDM*ND)8#<{2t~Jg zQ4xBB!|4{88yl#KqcKxjQB_kOndy&D|IHKj7|sVE!LvB_UMgV}2?G|#cBB$UlaNlI zq!J29NLw8HSt?;13FhM1J*kB8Bsdqx8dC`qyul1LT3`NK1J(cg#(0DKS)VVCy=%Xo z;tl?t1o@0@c2a)ut#og&)lPkqROzP-zN58t2Aw5lHtv|#vK+WqRd<)2E6*GJrCo5f zU0tTiK8=FVNhvuEZe2QkxuKfT#r<}1UG?-fI#-nM0#%`1P5mwtH!dU)CnZ=0WXsqKx_D#HQl|?A=xZ2XjFXrTkUj)wQ*GnHb-J~K2bY}O@5 zSNgosifo$#9f78nVJ_-C{Py9u&YJH%Yx`M83wLF{8JX{m__C+ecTEX&pH+Y8tUxE{ z4n$jj;dv-@Mj+;v(c#;i;p{-{r-*M%0c1<&rK{85;|$#>??UIJMo@%k3Nj++$5sSl zuXpHzuvsZlBPH6;Zy~!YJOlQc#{7~A|0s???PFU4vFF+;5Qxo`HUhED$>O1HQY7>` z)-n3UNuxJ$)@&?KH0C_GLZ_%I2lc6PDVW78M`#eQ9N_`dey5CaVyY;pJkK7N1+Rx9 zDyx+6lCsj1*|n#Q7s|iZb0RP4o+lcqb+$(n8mSa7Sxk*5v1|XI;wAs=&r6mLOY)LG zT-u+PAS0lPsSGH~q+)JgZegA{Go{C%YVV=`*`(%=l5sl`d<7 zM0IaGW{91Wlv|ZR&3G)Ph{W0VqgcIw7b{$g7A>+?ky_+1n%4$siI$d@zEwX(PUzh%RjWPx+erIbm7P|M#ORyRs?Nf;)85bgpkZF! zw6#aNja%llPw11^I;P96=mX9{EB9;z2*Rfn2M!XUJN2mv>l9{@kOr|yYRZ5JC>Y`l z4d8bUR06eS9}W6GYSPksNtQG0BDm4Wk{o@LE2?fu8Q4@e2g4>d&;NjrN`E&%WJl|9 zNJ7-NG+J?W%8WEsn zh-eQ%70Pp4-yT?8kOVR6TOO^rF4flJKx~{qlx%W&qyj4za;|Rj6`Fi(k8Uzwn!H7t zl)eZLSKdWKQnsxc6>R(~kXuCHmNxCxz_HlLBQmUJfPiTfBA#kb6~sO5et=?0QH4si zAkb-6Dc!0UZfZ0h6O7K=GQ)+-XuY=*3|t^mN(XC#lA)sFT4~mfpI72FYFFu#Y4#R8 zI%ew_|2h71D#rTH`N`Pl_&xsb#jz!~yC`-0U~oNQlq{ErySzL+Ym^Lj@bCk7?b4F< zQu8=h?X;3}X)n~O~j>NDf74{fTOWW@jF7+<*hz<6gZQ6f!F zuPS;}O69qVmdLf*HILt%w4yY5>P>6kA(jd5%-X!79BDI@AvxA%%J1&Xq7KQo*KGe$ z(G+}-SLq*eu)Rq_B;VL;p>N&@* zXUv$Er>1vLFDRZ@Tv5Edcw_P7#V;1WTl{|U-r|m8V}^T1){Gf5E}v07_94)I4SgHNMwdi(Tt(~;k zT9yUk*+ggx7^jAN4@ZT`*~Ew$eH>%rALO)fki=eCaSfUm%#`DlC&yqlVKM`;-!pri zO{+dttSDp(FS-2Wl>aeB`S za@D~+aW$M#S&ciH==lt5IG@`-R?lsQYGh?K@$mJlwY*ByJT2K0&)OZ_r@46MF+G}1 z4W|oA@8S5P45&ld-ds*j?}}AGgFKoTZ~(wwb$|c|0O(-(9CwgKDx#!TT|sfwHxLOr z>Z=eflo@}r$6k*X?uy?%ShdxQ)xi-CYsW+72B(@+Lp_UwH=90kHXU)C_R8VEbNTAD zSDHRLWudiHR=YC7j6bTQmmq1%d*;WCchvuBq5oqsa-&V+9EL*wUhc9)70(GN7%_@Ms z+tJD(jtrbXPTZ{B+7$c~0E)jzj*BJ7?~a0bVp)0WC?^|0Yckf>XSl=`_rs&dJu_Q< zQ*n3*U0jWH&A|$ts0h?>3LfxI1fTfILbeX?Pj_Ub)u+TX^Ykcnb{PE+) zPafaMUuAHpquLq2Inko-%=q>8U3&aV`_3I-tncFIIa>OdGy<`~A0W|cR?24;gomXq zH=^^WbEMiwPV-gsm6_W(y?a}`r=@7Qaho{55CnE=aFycg<#C5yza#!-uRvRJju9GG zTR8r-P{w%o>a)hXYBJi-s8q(@_AKFEp+O2prT4VfveUVGutJ>99gTF}t=&>bNc!=| z^3B2SS^m({+T8KqxW$ZryL-G@GjjZ(&^LSALKnv8caOg`bj5gQXbz7{$D5(6G&K_opL8rhxprBQ^-Ls6jy3LVuQJ zG{q-LpntJ9{;i1C^EeefV{M{q-0Bf)6MHAz!i4s!?9F$1-jiIzCm6=s#4je|!CN&E5&C7eswx@|xMYdajg|@rbsH?Wfh;nl`6UYFJMVh;(Nol8zG_ z1jii>PlV0NTq$SQ_*M=qwZO=dm7nJ{sOHa0nSopk9{%dbPaTSs15RFv*B`J;6 zNQr?YH7=#bldK|su6W5m`ty<-f=OQTbF&{W8OdpFTKZ44?~|`U&B_5lUe*NdF}dF0 zYJbfeG|)K(Vn6#U^jVfq3*VRJ6SPr2*kS#U^=AB?!$NOKj3tJ|A3qw14Ld#ll1f`! z?{Nq0{Z`k52zRD}*}xz5vCD#Wq& zVo`MTs@eZWZn<5nLrq=7`VEyT`{%>m&Hk8h zk-sKt-c>|LC2u78>!q|b62Gy#r8?XCtEym4TD1d>nRIx@mvlIE>m&VQ6?qnXLmF8# zrKxTNn(8f=l6A{u*QT;wFN%Y`3``()@LdS4>er_b6DD&a;B})tC=l(@txf!|t*v5q2V(2&lIQD^s~qhU{zpsoDu0EYf3VI^A}DsA zBnDztU&i+zZV~+Rc;c5FQ+ESA@$;4Z065!a?r&v%dEODpq`e#~!)afMNCX=89IDhx zN*PG2nfjwXf3bf*=Q(_IDC(P6>_5QmU%A!F6)_iKM`D?zi7WWM+}b9^lqagTK*gsW zv8(^_p-O8R(yEeqTU1-%w=@-;l5A>?N4Hb=L)|o=ecd5*>r4g25*r8-7pg=7r}PAH zG-H4bw;8M*THw3R@Vv@ur}c9YmDg=?6#M3fhgWKDkck0QeTUT7+O z7hsBT!nA(-%eW8Uql%!Bq=X}xt~R5WO)3M(DD?F4FV(8@%2wZGhq1P9DI$xzsqShc zbSe)lIy2=VrR9zI*xWM92u-LiZ(d)8y~7)P3Ur$yn9}%SRl*+{B$w+rSd&S=Gqq_|kE5xo*NCrUR-hwl z3iKN7w~3=Jy9Q(LLho#+;`Ze&+I#fveQ)pX`#09#Gd$4SK3A1-qlx-k`>X#wr^DYf zn4G6+&(HRs_w@j6e~`YQBL(N^3i@g?U4eQ*_siL9>xA-Ob5dRseN-raVao};WLf4M z(Ma9GNZUSADPD5@$$81+ikE!YpO@U6o#Z9&wDspDOHqtyfQMBor4s7`{8_A1zbOlm z38KSO-!@i_=UMzZ!s$xPNdv>8NvydZ#WiQMiRQ1r-XVTzr{*ykm9aclimv!4Oj9K# zANfM0Ejnt zr#fOfG(+LZz@*RnA@Z`Kv6q)#MC5@b39A#LZtfhyZT#W1B!q~CDR4yp ze4|ti;mAVOTkUFJ+u{wLr%3g50V*C$V`&xf1^MuQ(hsh9;t(`62!Dw#3Bq6gh%EYY z{JAd~mwtL1HDN~S?HQ&`XSs*zV zaZ*Eanu28J$ss8d*5LpWRRQM%B_SBYd6{gJp~ptV-}@3w8xj9)hb+41oVdfrk=kL? z&eVM=@{7m+`I8fU%&<2 ziSP)-^h9`QAAEUlx-54&l`h%dQb+qN^7e{z5qaH}sDazF|3~Q(}|k}cukqINeXC%lDr4o;pCt;mZ1pR+}sT}8C|x@sFT_H{8vE8*ht zp3jfJ6}JGvvCq)@rBYWaX8|)F{;d5?MzlKK))DosjBoGIUnhv0^RM{Z0vj7VGXk+k zF=Dyn6P(Bl@gI@b6@Q@P_}GbtBS~N~tii>Cc&fL|_-ArjN&LNZpYqpiNmBk0 zA&2|;NR2FY6%?kI7qE%7KrFxe)Wllx7tu&PD69YWt^FbRT7H+S{SA6Xf?m` z`pm`etGVb6o}(twsjs4+IAJEft4F*2@A~QuPI0uqt?w1OMfS!Y<51K7n#^8EiX86s zYKGn+jhu{S5bvi*S+@!9v;C{g#qLr-Rip!bAiLgdD#CnIz5dE}DUAh%{Y~{^Wt6?I z;B!GChaWi5Q!1I9)ehN0E#!#x>N9oCBKSxX^zn8#y~IGO z{h!fv^jT1sqC!L40Uk5w#XUG`WJCj5XUOfX zx3kpa2oKSwZfEciYbi!U9N;A@F9(2STTHq0gg8M`d2K}Qe$G*XS|zgtrHVURS_Ws1 zmd=mdy~PpLrPyR>S80twq?fwZHn>m*i4{a{MHLiZs%}MZ6TeK|qP7w1h`0?8b};`% zh8t(S&D3BpoBjL2aOng&%YD^B&ia#&;RNdaTySyeaPzevHrMR$vw~;)IGYdm7kLf) zIOd)v{{c6p-46f$vAW17Un?Sg)?Dj#kJOts*;9Fd;bA`xH=KluI#G7#q|){=$Ps_r zO#gv315(LN{{1NJJJ<|&Fs*6Tfi&uTS2ts878F?E0_U(6a=bc9NwC;$-7`yJ_z$>{ zz;SwWK(+%2ej1aa9kHKEJOK5AqVvi*k}9@Ik`f#P=|3beP{8BtBBCadC3!sm%QJfm((py@{$L-`tuUHXRrXxOud!wVWu|d&*H;V z-9nE+5aLJs^(>u^;>Ho%h1xsWV+#AIY>@TM^HpWDxJW5+C@HrVGQW9h_P?524tD+_ zX3C5ay(!zWIv{$aTZN#r5h>jsS>Xo8eJXtx}*U8sR+_M@MQeM`PZ9eIpx2j$y7>t1EIJE$1oVZ|9;i zeVC}(6ZP*c^nVDVd|c??Qy%-UyZyQ-E9-J2d``8!S_rl%@{l6i&T0ZxY_py8ee%V6 zmJ>LDDSpqC&@esKL)mh@cS?wpX-hq_x;>>sDBw5;}goLY0CM=P{-<1tfRCpUX{d=5c~481=yGU zsDvCL_q@=V@ei>?c>~o5O(Hj0-+(y=Vk2?abc(>WmG8=!r>XVhtRL}`5ZiPH+u*1? z0YCx)3C${c1ar|&@K{|y3hf3AtAoLecIYf>Rrw2+#jGlom%htWUe4K=voWnLY@veY z&BUQtn7a_ken(2o#}J1_vbX$rGj&LZmDQO#K{bl+!AF4Io{7YRepaPPyd%x&ZLe2x z=4DCrv>6EgdrYwI0=igbNDVhOu?2V>&w`fedUj%59g^ za@A4M&Fc^1CzZ7C&yffn;vOK&yaT{s0`MC3spBwR7uuNT2{4U)M<0ot&3Esd&lX`}2}JJxN}2^Vc*| z?AGldUz()4h;Cv5_4Ah?{F%GLryv1( ziZ~2qKzl~ZOOp+#(@Wowj`SatSP*sFm4Zh1O!fF^Syy4%p@r4s6QS!8q2<-kIsVzd zmDS^$%U;aIpIqc=fh{kXjs&GtWxs*dHSL%I9Tj(&mNvw?%0P9dW%*@vInuKiDk~=Q zgJLpw$4qHh0U=H3Xbv-Xu5m_pmP3UL{fF!a>m#U-O%9@6nO)%lOi^e8bKOpbO3@t| z<&{=0?gs69TQInHVwG33k*0BUQ1h}gjC!co`io@xBXow=Cv|c6$l8R+QblG|#TYy4miH87N31s2aApuD6Nq~1LK50F} zgv3*rIukVq#h5L=9Ao)D<-eS%(tE6CEi`EGciP|D=2oE6A{)Fn|fYb{GQaRPW zsZWWk;O~a4sL%?h!Na7>LT|RF8740xbDgX$al3ahqvS(%JOp-J)t}OQWjgyGaG7LF z11FcCUtHGRa41iAU9_Xp`f?1F2{eptj)JAk0~N4G!)3HAv~Io#Qn{Ttf*qUuhmb}_ z6=as?hldw5)p#VF}m1%?{I(C>&>0$%BVDxD75OihW9 zi$5h8sALXmM*qSp&9E+|Np6$5tMx7qQlu6s%aV&F(tMBF1W~?_=Y0C6z;u~A-Q_rc z*+=s#1W70+g~0U_h6G5GwW=#?%%C%$YCYCo<|h89OsqS~t%E#>10kCqt-pioe9LBk zPeE&%2c+&Qh|G0w+G>A9aQ^^-?D9xGLU@Pu8nBmJyZGHvb%4W+oI0B)nN2lYZe?X8 zGr+UuTaVESp3*4{_jd}8Fam958b>_f$nkOE7+r0b`3iJx^=}=+&vsz;?|V?f1_X9S z+o1H(_jziI1YT|RzvkeBHu^g{ulpiW_CloU#Yp{@NZ|Prk5Qk-(Ue&0JbdLF?AR&W z6)AfwQS*GFW=pi~@O3YwjWkC8hf^QHvFH)2G56DpBmQ?Ifxn6(;r$4w!25|d@L{C> zIZludn_CPAZSIW(K9;IJjg);7ydXbWTh#wt^!=|_87ccsr0Q8JP9(&w^4X?s8BOmP zsd!Y|hP(rXTuz5FSc*a(>BSLfo|@2%5W#)6>fk=z9Nx_l;SAa5ddN^sumQOo!bIBL z*sd90>FdK3=8AMBec#5x*8ApdMjdu6MPRY z=l?h+v=Sh_u^FOk@Kl?`siGQ1j__a*`gjG;qErY0y4q2bQ7seUI7EDmlHCv@MIYl5 zmD`T1W<|f`pmzEj%}gbM(KsQmbQUMQ&nBeCB$MDc+Ep8kL^R;hZcR?eiUK;=I49_t zQ*9JPW>s2KU7IgNQqoz*RW|!_2rl;Ru{4GmQD#13iG+dM4Tr+%OKv%>S8kI*om8&Q z9dknCguJ?-EaF5pl(0oya@0KcKUHn0dv&MFj2FRHXs#{)^07#?wv;Mk1I7koU&49m0Z~%r1xxhk%VSgBc=$fF zbG&siW1y49vAve0an;%O=$gEe6^2LkzEXundpG&JRYv^IBum?u-yH6iR~r}*DgcJy}LmDW4fIr}hbOL{!S2>a&h-|vZQLq!kr20_9x?zC+ zdOrL3*1wVk$u60sdufv0@zQYCtq5FdU>2;j~y*iVTsB9;)YZl7C?xd@TD{d9azvP7zR}p9K6^+!AZ=bk| z*l==Q@=L`_{??zDG+&pO5g%1zH5sr0mC{hiRU zLVw3hfA1PBaHx3YNr<}jEdA0xK_?&`Di252g?LAsenK@Ig2tI!+XuEtQYt}$2~j1^ zrUY3#V9IFyb*8^_O&&G!rqF+oy1T7kGcqRZUuxmEBZ?P;zq7e4#)3^br$#v)8GYe2 zGd=pM(x^ftqhDC=MY5K}0ukL==s!fW$#>Rl-e@OR+EwbUeJHimYH3Y+tG`>sraw3( zAO&g7WgW7T5lAXkjkvDJtfiL@n*L5vk}GmxBiRTeFWS{y)3JHG-EE|&jnav+WRgPL zaZ+gq0>0gkdTArOt;48PZ1iEhu>)jE(vH5gw;(Deh)rAB<9Z!ERy|w>;s%*u1leOo z_FCi6$3X-tk553jtKJ=@K-R_yi2favvU3UDsZQ{P!OV1`Rwa1~UoS-+w}1dXSdlJ9~D>dx+m zze(V|_}Sva+?&Zxbiz*daH6_#Vrxi5LpX8GJ?9jl1!@kK*e4q*%mrwe<8U|3)#3sBca|wBiCK_sqo${jzLnAPUosR!r8Z8Kfe{N$M<8 zXX{ir^JR+l5>U&(xS-W{!H)R?Q9j*N5UE3C^vzDTB_#-ZUl7%`M`$ym+lHiZ-HZWeM2&*5$K?xHh zLO-GWJ#%!JekXHQ)T%YAHbP^I&RO(OLcO6!6#M^Sh3-PjqpZ;MhAevAL^2l3aE>+a za%C}Dz=Z^qSrRbK8T&y(UJtcqAQT~ECC*c?o99ZjZk?khfrQ0?*t(*6B3X_m$RS@8 zy>v$AE1`*6-Lq!8Q9nA$+PYO`S+|GYM$f%*w z%W{h^%VBfmMx)MCJU1Kn#73j|GIzrrb!o+OUA3V^SYRKkVV}gMG7-*6gtKE?St9mG zv`z6TD-`Wsx49Ez7r_j9if!xlH}yK}_L4mpZ=TpaI(xKUHt*w>K_Rk7cSFuU&?drzGH>Ay!MBILA&T7xqlw z=t5sU2D)*Qiem=`_F${OwBJ~t5>8p}n9P@k7$b!pHO8uUs9 zcCvQ__E?6397CdfP`@`FJV+=^9Hb$F3UmA~(? z$5YP;ro+@`UjZ={9MLZ8XUNI{O%rAY+;syR(q{TyM3oNU@8p_U;cggMmp0Sqy2TAK zfuyjnDN?~6(bxq?qw|No9WUG#NsIc1nQ0NsAGJP3G#+YF;d4gybRW(a2TbeYB}zi$H6bg(I8i%lj2o5+ zji5V+i3BaiwcrLLxYMxCr@(*9iGV_EZJ0310I=vR9YAzii(!_tn#{4qY9*=83C+bM^aI z@4b58)rYP|o}IKdR0U5|5q;v52rbTFRL` ztZx+b70w>b^&0?1v)3%Cuxt<8|c`o@T5#47)JL1Jyo8g9g$zztf07vev}d2;@?=12h?q)l>zmZSRe7H&4_qq9N)qiF*Vl3u4?JJ zs`o0_(u}3q{2R)@mvCzs(ejdMv=40|R6a2>Uvd+4rDaN@-Fyl2xBBkba+B?8@e8o~ zNTsZX&NYkF=E#XS7%F2*?0hpmDyb`WM*>1{{ca%q3J9Td32<$h-m5xO@Gj=WpFzpC zU1oeM6Ok_dvJ+oJ74`8>V*6wiFPYB9 zkJ@9=qvA|mHzS%Bz04W^iIe`2bqU);>Yd_Y4c!=;sGSilojyk>M)d`1;M)g)wl1pz zM1@i)rT^2t(LIsU8PThzOL%prwCIN;Mx>lrEWL@+=^8B@))_X$ z9gD|^k1ZeAbtHDY>@u}sgm2MP6OTW8BJ|fthw3j)HDi3JqNc4rXc)`k7A6fs618Uw z<$v&`tBCW?70O?G?8H^X;go|1cV6ApjBU;2ooVau&~0*wEJIJsBnB-68XBpYMJu1?vD>vZOviOB_UHwC-gRm9wW>2*XryoO+l9 zc&x{;5N+?mT+L3fd zy#|6E@l8!uag`FVfK-34M^PLR0K-`URB@q6iO_`DK_U@M#af`kr4&(t+LN9nvF{RA z-5N}vC>Cn>cx*X`1W6Ah`$*L}gJxZ^u`E1A;)(huL@Oqx0-=0U%QV;@A{CPY2)1W- z2CCC^2eqG)1bAcbOy9KdfB=GJwGq3VLw-~%j9eh$-flL{-fqf%w_gia{Pwkm@yJdS zlBr`+lC)Wp+DHn0Rz0jb7bdHHbVd2`$g7h6USe7s7QQzm<7+6!tRKnU8}jOTp0>eh zAK4{OPie~*@ft{8fz?9CZn%ZJN8XhTQC-tP%11loUT;~IrqBmJ5*vV*Qih}lto_ug z7TYiTRxhjd%W+&6a#mZ|JhgOHL z2^p8nT~s!AzRJ{+@NPFlF6w%@X?7bvF=sT*evQjOX(uu5HPia-b;#j7SasaAy2)cS z&E6^AGl^+CP3vBj$}_3Ebm}hCdO@Y~OzIo`YJEf3x{i-bOnbw$%8_JR-Q*$XTe|#P zrWI4=c_#H$o%*V2^{P~!NqtwRz6-NP_tfg<*+|BstRIyZd`9UgqyD^TAiwdAITG@L zf6J@$STCGjNhtrTVH+yZa%W42XLdl4)}pA)6C00`k~lR`_Cp$>0;LYj4+Qg3T`Gp3 zVLi-Cw04;R>$J0wSUTJN@Juf!{>T|*p;H3Ekt#2GO0V^Ml{fTmAUK4|MYFAL&Z2OT-VguXTfV z0>PoQk)5c)aFJvE^cucRdCcT7w?^<<>w%uJ^+0!2Dm~DmEzhL%KxlV3OrhX*ltJfJ zwfgtdyZ!?#3Try1Y()t~Oh}YNKcO5e4Nh&$P95Q>1>jdyjbGCRi8{v{t;x1$rF9cZ zf=E4jRGi_v&H4SzPjGeTWqiEfxYax~4+E`|$30tm3)?AcaRV;8>t3nuOIH z0JOco0psQOgzAxf}i+|B=B46RZ)%vv-(biGo5cuR_B)s785y;SHOC z!&Rc}0!yo;Vy2~MJZ2-C;dYr8mGtJbFnc}K)n6^In-IEl*2tyX$L zF|jkzML)6wSG$bp9`+v`UezsRRnf{;4Te(A1CEZY7Ol^Y*5t@QCwaI%AhD`roqmrj zEPu)xMClH_(Xy1pfe{X28mJQJICOuZ%=hgs&m2#-DXy(Hhqh93)5M*Uu; z_>piO&V|WW!n?}4V_iJ~u-!zz11^cyyE~a7_KzOB-DG+dZ7#`){W+CRTk$g;Ehho5 zEB1Yz`#5-AeZafD=YNCON$fzOM87?`4Eh@-gYN22i5{PnltC}8?@x(h-|F+ho$|ql zQXf1!`C+6-30zo~L3i4C9y>Gj63@#>S=L2r81y8Fx$H{mL{%s3PyB6(5~l3gV32y{`8*eU86H7R!AQjIfX!OL4o^4MAcrdt_q&iQo!XiAL8eE|lcls0A?Js=20CkT0gdiDA>`~s>AvW~n zIGg<0sBEECOvWk?n+9VZz3zO*(ds{h?_59wu=I`dUlYoviH+(Vl zFa;Vm*+Z4F`+GT@rG;aH9frJ>IYY9TP2ca<1pnq6h2g3FGIiWiQ+D{WBq~|2@HOxT zh{ySXa_d?3BtD9TAVQAxdG?%gsV+&kgIkQ?#pzZL8G)qJ`WrVw?FUkI5|ga+OOutB zP${n1!ceI692@xmQsKD*rBqld6;a`}5JX^g$oT?7m8%`ia}&VBmX{PPS_^7Xf}Ddx z*TK=)!}dt3y~~>F4|3M2kl21*^U@LBHNS^a+FkQ)kng`i_puT5r(21YHgsh`B{-g) zlM&Pxy63Zno-fZT(SX-dR0G+VR6Sw6Ug=hWkPvaOV$$}2R&CV zaHFMDdhgR|8(p29Bgxxca6I8@(&B)JV*||AIU=g4?~~1s0jdq*^F}o}k-DLp5wgrs z9EfYm8uRczv)Gp(Dvs8<7vO=LnW)3+)Kmxm8=_*j(baD2ted2(VZ=>4JqvF82qR7a z>nKI>5f;FlMw?&DKv=W#IIF68?&ygB6Cn-Qj@eActUBN@(B3swSH|wd!+|p-pJ$Bb zu;z;R@qyy`eV%{Dm^BIIf42N&agDw)Unu`wu@m(fv&V>rWDd#(+s>MwjBE4)HJ&7{ z(Qg$mdAmO^`Q`2;FS&d`KVFhwzelveerI%UuIvMxi&dec)eZAc2-RWz?v2gFKKZfI zb&Vw3h=@OiTP>8_l$*UxYry05XnhBUb?8Z#i1nWu_20m&2G>Q#Qtc_kjiEPM)*bEY zba^C#JUVGPqtjfF+q5%lK{yT@rwUEz@ZzglEhOEgNLZvaLoZ*v4}UU%olOny;@O`L zSTk3Nc6iTh#qli*!Xe8H^rsNrfb}@#`>uJ$-7M(;7TU>!k9;y9Liu*0XdO_EG&S%6 zNCmshL~VvO0t{&^JLHh}hvZuhK-r~IEqortiBnk$A<%~pOFFJMB9-z&AXb!n&tcUM z4{v4CpjG_TKnL?@rtl}iU1WzPRs({Jb$8BnNjSQnaNV$24T%Ujcg*BF-tC@tRpmrTAg7c#P4Gg#gyki{mREl zbz1&?>^pFx(^wbu&s1YKa^DeJU=yjiv(Wv%iPwg|J1bGv38WV%R1+*F;|Pu!zsl;U5-OY%^VJzzwSn*0+DEO7_NNGIHBsP5`%_A%jl zGd~DTL6^!=z{KnWV@~b#sUFG_?=LuBX|8}~wkhQKha3h>hYAUUZ>xiavA+>N;_scM z6mv(@qiu3NL9SWWQxLh-g(@FUd8g?cCJys9Nr7rQFaYGGez$v=nOC-P|x5VZr5%J;nhCnH^|7-!r1SP5z-> z>^$EkrlXfx&Em>%D6_L6U6!G5w4XyrVs#h&(&XQ^Po3uBjlQ(eu24qC*0AHkONdqc zNu;VX`bDCwySS#i{;cRWbEmlzy*o#%rllEd8NfdO_s(=z$kVhf%RlpQ-51e4CjUg` zUfR&Z#4KQ%s(mI3IU>ndyC5sh0;3H9bvEj()t5}nr@KhGE^hGF3u?lKduoSqNc2z~<<#29Y(-i`{pPBL zZ0tmE>qb#7ZUx1q-i9|5wOQ67w4hQmTt<5n*Jm`XA@<)5(M#RYD>3c%Fppn>baIq0 z&0*GdhfigZR_u3$g_mqSDKGiMI-&f>esv-*x#(8WjZf`3k(cZ^IWKuu@shXt^OD~- zCV9yzz5RK~Ai*aO#ID(BLI4|M4q{2WAT!bMH*^Y#uqQg#jWNY!*RN&J6-qCZ*?wk= zm?+ZQzs0E~ky=mtX)V}TJXR(-B6B_P9eWNbxdME@(!K3prg^1@EiBB>2>bR4#xSV0 z6t13_>z?vTQ@f}5N>6PDt*g75&geGjb*&>7&y6g#t*{$SdA2aWFPQAIbkDXtc+wXCd z=0R~-Ui3iU7Uzj`Ih*!tX7PebA{u zhIKit4?;=TOOz3s(q$!mcbMNeLoLXw)%$oviyQsI2*fvYYklFAtwIN@x}!(mj(_>&EvG#Jsz|Jl{xzs}?KfIWmbc}CD^u3| zZ=xI2*8G7k%;FCbG*kRuCb>$Q1i>CptMzL;|D%rDYzdCpX2|b!2SL|biiS&`dmY&4 zF`NECoJir3n;oo?dEQ_@*E`zlTUtsCQKoEm)aDo6Wvu>=&U#T=QBH!Nyc(hzL8 zzrkwAyF>mx*6>_ITf+gKdK!>G`Z$K(3e$_f<7z=MG-<7~j%liG`&(VHc$}xS*#3R( zpD~k1Tg~<~3hmLsZLo-8n#_jBvMD4xHtQ>}`(?x@PR6}MT$b_kEX^^I32wrs-ciuF zAV(r*4COD!dIX=3_~mR%43#0|i>!a^**J}&L$ZZ^uM+mr{<*Ds5duZd|C9~#oEFTU zf3H!G#Q$n{z}kmjojp0MbHL14$v%w!p_}7Jv8)r7?5p@e7LV54i_m56inBnF=-TRB zo<5!MtvaA#b#?txqUX1UX0mmV@E(=bhpgh;(SS!!51MG+oYu|ci^AOrHk?f)TX8f~ zO7P3Un^ssse7(suX1wZ6l}*gwx0o`~nLggw#a%)<>V`GXHTw`7jO1?FEG_$_qo<>z z810;;Vjs`kM&C^}8*5zzknsi<$95f#pKXf8TvvBgcuDKYDgW;j<$tq3<^RK&B;`MZ zVWp35JpZr&h&Ygq8-b~U-R?{qEpsh`+7}H;r!`|aT~O6YAGkuNq8n{okc4jiVX|1i z!0MvAPe$dCwPKC#K!$$<8!qSLi)2GJKxIpab&D(y8kFRQQ}yez$b@uxPVWrA1FL%C3Y!Y*cChPi?s=Q zH>}eGv7*j+mP13aA1w;Q^K?&2S{wJt#yMl)80H6O-Tms(_)4OkDR{T*oTUn0xKtA2 z!vb)b8&D>11L_U)T^UNXG>dvas_Q9I6ax3{(|57WN8%qG zZ9y}OFE7;XyYTXD@ZL7zy>B#a8=Z$TS)53`u`%69`t3Jk=gyP3yXtG-{VM+BqY5sa zD^_|azN`o8GEc=z6h4A^y?urZlEhth4`W5>QMaDlB$8qKytpHNnW{$t|3XK+6quy! zC~>z*+OgZl$Vv#B7_=&(bV{^H?yhciu~SxDd)V&!AOsTE4BR$w$WU4nPQLfzEQ|`o zm(7mhn;S*j(7mBz%!cJ-H*(_}x6@Z>;QqKmj6e7k2YNPCjNh=lNWGjeC9%^t5u504 znUUb(?!&DF_xEhM?6T*dc%t3C<%uVrzwEMUk@RVD$oaxomgtLb=t}05Zsgn}J&qc2oHzS$OEPLI?|!bo*yrK8iBI*Bw^*Wm288IB(Bn z?*W7Bk|-OAsve1ik<<#g*>pX)Y4)e^v!v|<&6rB4&%`AvJ>mXTPLzl}35rsE>BBKu zYipPJM`CCI9$YILfEbp{vqiZVtCk=oYC9;{&}+R3u+;NNEA@aCKV-CeDW~KjoU9Yx zPcdK9d_75j(e+@HMM-!&^|lgEK*=(H(NavkfScYldq1r$))z08XC&PFO%WOhvWgd* zI`wfpzSU};7?@#-?|9^Z7^hDI;nfI$xRqks-orOXD5>j6c=rPnZ8V(TH2Z)y z(c=7Bbf*BsGrznv{sMm7McN~aaw54EIXDL2Cr?Xws>%_{|LRFs5lzR0@=rPU#8t$C ze9=fv#LoG3jno?_=Oxc6Uh+nNUh?8wNnY~z&-(Kcu=rtt_;w(!%fZ9C5^R42J5lbs zoQD_XMER&<_aQTUUU6=x87_W!2}xBXb(!Ju#kt*PxZvU2Nvb2M#|#fI&h0hBLms}9 zq;(`2aLwXeCwqAkZo=<5ys-(W8NIRHy>{J?95N$RY*+h87f;=$UE?D?JoTD(WsexH z2sQnMo$wMZ2g5ECz@MGz_a^tlWA$rZe=9*iFcU-r*=b{BTNIv;*1zwPtQnc?=$zT? z-xBeAIByX0f?l%|@4D!^7t*8mznC7mU`u4t^NDA-rdzdiN%Iw3rm@~(mbyi*3Gaq1 zW!DQ?%Epe|DcUNxQGW$X28s3}YhOG&nqPbY6&xNh-D)=qs*rJ83pQ3d$8~0IANSd` zNZPc>rOxJBPTq78Fu@spYuwh%wsD=!;ht%ctZ9)72m*Rx4@>j#wjEX8OV!q_oD#)r0Qg`2=DO2TUC&NlmS;i^A`;U)M6_gGgCNah1EivU&X$ z9CDHSHv10>@X-oqWc_b?BM&@_ZmpMG)1qn9aPBK6kufJZl*NZ!Na2Q0+K077(L|Wh zJL#Q!U+mpc)lm>hXS+A+_6}B*9fTE2lpVmEcrzbeuyKL6aht?AdS`Ee$yR*U8M0+r zg2tg7?JS7avdXcxE3({EZp}j-4``}0b{S1CK8M9SJxct4@^<>OIATi~y*o9%LZ_8{ zoPfxRepMBGP-rUwde%!)C-*`(U?1vN*=ykaVrojN^)kt++p0j>C)z>!UOZwzI8hN& z1yc6OYB(2ZH`S2NUOg&UU|O3*&!=JoSbydAI32wPv=k=LV|~iU_d#=w_p0qsle~!u z6-%u+MRdt7+**$Bklqx}Cr?`2JKhl%HOPliv|&0PTVxtBu78?j@3AaOq;}J> zr^aDqa2-dxbzBeCo2uT2E^`=zcy>^a)Hlip98S}*2yKRxUlni|gSiH%ZvfZF$e+XY z;ChEKgzJ`Sr;*8Z2KC;>bqV=T;d+ekbURGPTKZu<&-W}bjk~!%!t(~MZNf|5hVoy) zXUm`Vtq1lY0^Xm-)dW{hC;eOCl(hRPW0^<#yrHJ?Q?3!wVa(wA|8e&|;7t`-|M*SQLZK}wLJ>tY{1xSo zK&Up9YD=5aDuqCy0r^uxn~>Jh*7V+9*adA(qhv!AciCOtEv~ibi!1vst0JiUDd192 zRuO!m3X75D`F+mJO`1^b@B6;b?|Ht@^D9j5oquO$&YU@O=FFM78v)ON zXFi_O@O%ukJp<1X4z2JPJom$&hUf2xX$2bVPZnu~Nq9CR{9ZhdBHu35uM__J;6HGa zR@i}OT}G6Ug6E@i;77dpK$P$%o_lRkf)U}L)IF#q;0jFRH)Y9wlVqnTCEg z;W_&bt*{?(?swC$1J8I|%i<3W*RuG{_eS9=5v}F~>XU+)QQNnyYZ||=a9>DVy@H87wEAX-u>9)*@5%z+&w9V79 za$by$5%$4<{ywcR2k8c3yVZiH0X(J<&uZ|J6?jfJX#^|s9|AqhgMW5rjBpV7J_CI( zf&bN6T44d6Q$Y6%@jM6oF2gg|q!msh-zKCh#Iqc{mfDjJe73+p4$qJAJf9OKe1_*y zJU_?tQ;ZLS`ykRU#q-OVS_W?(;vI-zT7@UV?}Yy$_+PVWg)i{jx?A zcYKZvAO2|99s04~LySR2=YyTDEe9iQMt1)qNn6x_F?g@w{?*_?R8x5(eO z63a&9_5Tq{h(^NvPc_u zV$Be!NLhXkvT!-C8A6$?_9)`~9Ve)AkdXdYc%r%FV-ROAoPRgt{Kq0W|GWAi=YKIP zlJj4Kd6!=kM7`^f=Km(<|DxfTcYULAox_ELLEO8VHLg=a80zne`k$fx4h=)Szl3z_ z|2q=>ze0-jxDA0wF|6s+H2P&E>bUa6yZDL| z68&4i+abK;G7Rr2Z?p0*SghivIXWTv#eMq%fs+?IPGOaI@(XOqpKS789n~54sb~3B zLo;?;P9B2)$2i(CHGGPqy5oN^Ag~kXDUpkIeR0Ba`Q^AXQewxqw8Qd4$G1;h!j`Xp zN$Q8rIGC?tY0*CZJHM_2A11owz0~o=_|9RMs`>@yT+;qH=-a9esv6Ss)Yt*-PTd}! zx?N3;i(v{bdFOon#lW}G0)NNJli!?tf7H3S9}VAm-}inR*Tks;Hr1!rfB|LuV@sA!qUvnU~|CKd&WoVlQomexDKSuD!&HOQlKjQf#hCL2pv7nhB zr4e3L=bR?t$fhANLZUE81I@TlP*QBG&}UYxu5{X}s!A%#g;*gkU!QL+uhQq+oF#V1 zXMKbcgwjec%KX^aVA=}jbODixSgd3Um0AdNW+)%}L2fi7bu}#(%#Q^V1F(MVJjq&C zBCciGCLmisOnhLj<~mdZ*+w9n#Iq5c8IVNcv9W~JhPh_!1Gcq#c4R_tst;yfYdHww{Aa=We|{D5+Ck#{T4&Ey#EPM$k-Bwc&sD_v-sh4x z*k>FfHdk^8e8+JMaf@QBD%oX0mqN-L4eZToJYW-~1`bX5(XIVw7em>5G zP`hWdc0U?yw;e&$?i$|i2WH+?Wh(+sgeYN(FaS{T&s;MX$E<6yrl6oG6o{ZqYk83k zc7(OUXcp`Q01B=sA8RjJB{^-ACQYK)X)G2JGwX1L3;!oaYc{)Qi}x)wQ!G+fq;Gj7Qp}u3V02I;R;X_Ry;&Ff-qFW zVYq@Y2v7WvXc#K38-#X9wStguD=*gPW#;N}RHmeS6;bnQYk6@GN}h^Jyakd0t~kl` z6~<#35W*3`5wH&7fk7;lRge*6U*sLvJqpw!K+1iE!Qm0}ZBtvHr5`s z?!iamoC^JXTT%DGyE$7bE8{d?r60GjJQ!swzGDQV{OS5JQhyZ8M{4;hbiyS4xG`nL zW5(RU^RX29CBLxYrA*S_#eT<)p#=RxAV!Xl0MT~ zDS|BZ#T=|`twIY#ctu+g8ZhaOPy!sFvN@?-iZ3az60K!rD67(0QE79Qt(|nE*;-~3 zMVr0|C5XhF)VA=$R#Zq8(1@%>6;3ChPtuvK7_3teQVk|ntoo;h{39`J*r?&)&^8Qh z5tZo9^0P_0p$yF~v#zSrcjpckcTIn=&d^UWOiBtzzFjIWqQ*=bFjo@w6?Xk<+v*DE z+DSKc_roV2nFj!pt=Ky$3lV*P4R_yoPv_OMif;`OF-w6h4bLE%Bd zAIOj15iiLqsj4iaxr9_02f-7_U3=y$>h)P~5$7+v6v_GjtCDg4n*=Amup7bot!rZ~ zR%ba%7~xx7A?a6J*XnH`Hi??3FQ!5f0%B!D2^9Ei6575Eh$He@fC z?C^kaoz(GbDMXk7|u9XVQwqUSu&Q#yLcK|0nOAP%ZJ))7Gq@_V3mn+fRTdTMQ#Jwgx{ztI!o!-*ts zCEU>yVn(kJm!Bbsix&5UxNZg2F{*D*h*`ZteDoWFc#o+k#K&T(j$LSdRDIx zKORpI&&BqH=vzc}{5GK{#0PqXc&URRzB8jI#NP;1NB=!NAOuMAvShW9Y49RC&c_-A#Tefhy%Xr32__U9Cz+iH}!;iW&zZK zKTnTce;|l&J=+uFYwXU4cQ1tMI4aoJOL~R)$IS$B*z-LhzR6Bq{Cz-Ah|7D0SUi>> z<`3uz@f~J+`(|5Dh%0-AxUY;Lb~g8f_%7Rre|<<#h{e4^{O64X@snG6Li{hb8?)_l zPl&5}g*Zhdi0-DI5Kn)LzHWO7#waT93H8iFy+WLxKoHm8eqD$I6NQ(udP1xSgLv(X zFHD>DHbJa-7!dUYHRmrKd!DqO{uVR7p(asqy58UriE@^&8b69S?v2b-c=Nxf99sLBW8#}NxXWgoXS^L!7^H#KkPAfHq=f!d z5^Y5MJmufspGw+vX9yc_3Q1H7N_!fkv)`;aA#98ZQvSEtI>|x3$@Spv(~ZpxzpJhb zacE+{-#r%z(VUTAz-u}ZDsoJw%=N&DeYJ_iG8D;fW-Bxr)i!+|L_7VsDaNT2rrez}Vaf!<)CqSdPnbI8o;y@*SxS1tR^eW% zgGIikZTo?(L%>$wS=}RMEU>kZ@IU1t+PI+A`gO3C?)i!!PRs~F+?(-n*SY(Cpu{_( z0)f{c6-7nIyspt|V^lgHOL5UreCD1G==Z}k>hq~V&5UpL_(ZzS}Zt2B%JGK=FZ8OznCo!^bne@ zBz2c#JxEJNk}bokq91p6%H5Mw^efkjwyGdym7!)ozxVL|G^*JbbAvTgd&){ZMLcB5 z-y&<4_uwW0>Ji9vu$qAUwHr_ROJ~2m|0swaaNAo0gxCB1W5jOF?0<|{;J^YIYqM2Y zs_NC%(n?!!!IU*OpRb7$68eu;LASY=?A>-D`Rky2$Upt-m*IcNzfgTTzJ8mPBQZi0bA%`MmyRU{JkA8RBB^1XM1)ZW%Fo~U3w|e8gO13z1E4*j;2tk4 z1__YcfBx^tP~JC-P^aUR3}t0e2mZ|8B+<5pc;QkRKU6PjYp4-;$DdvhR!kyN#QU~e z@v{l84;+k>!~fC+p=pw{%2|X!)`lH;p#kz3T-aYas_5*0+O!B^Z{umh^F2Iquu*sz zPYe#BPuyvf7tgWq{|?U->9BB3$T`(MC-X(S-}K! zg^n5>EdKv@&)U)s`TepEx$LEX%YXg-zvUk;Uy&a_e?>OR9Yirg#rMnEvpMdNT+-)| z+<~XAs7d}j{*e616HW4jH=E>#V-Lw)|IsAR`el=RX2>D=yM}{uzm|UYm@xQCr$DK;eh<0=74F&I|JQ#TVtgzkVst`_~0IZ|y}n17(~-UAMpyKKnlQ zhjq)w{(7B$^l#TyR6ff_*t(-e`PbP-Ir*?r9s#HPE=6Aca*A9u&M5DK|L~hBGR>q9 z_s;o~(~0xXiRApN`UN@vq`XMZ|FvU=y!5*i`PO2i{JSEfJX1Gau03y*Uz}x>|DdGE zXXO<6g8@eQyPs0zuS<;bp0g=(2uf-_;TVs^X2ur+b zlry?gWXC?EoLQG5KQ`Ma_gkAHPbe_Tr6-N@R|it$W~7_8WV-y``$l>5=hNk5Lyhvh zW}|%8iE<92oK&NH#+o9xM5oF-;Qj??{5(ZI^jV608qcI(rpUK^ZIq=^MtR?Eqg=2v zMScx+dU#EWeC2N`@{H9f^5?%#k>lP0_WpCaeBdpkynU}xZa4(D)F`*0tecJ)<+~fF zvmWWQvTxP0`F*QaF6ztnO|J(y2-z%@n-Y-9SV0LWQ!AdpgamxprLVcIhrwJ$`9D*Ub#oG9xd7{-(nIE3b*9Zs}@+BF}) zt6)q+Ex9&sHuBh6Ok|#!fG6T#1q>>$&9eZZXgL0=gkL}!b)u{iV9ka%9+rc5E3nE# z1jN~eY=jgcWDcII@uWYykPlxqd_D12g3?P+QaMVYzkK+ua1#78@kV9Yk&jBJ+LSPS zQ+q|EEkVtA8C13zei5ZRuvJ!$dQn}dx5|XI1e(=v9w1ZSQ%VY@e3{H&iTqALD?(fq z9My@(&qW^by0O9h4p!5AGkbtq@Gr}Vi<&+A3<2TyB3 zYH_AulDLf z)FA_PAiUm%5uT5-7r?m9%>49A;bykpA`WmT^IO#L4E8hu2ShRSM`MoK7lcWiWi|d4 zqr6oZr4F>V3}w>awQ<=jXEAU^crH_MBZToCTBig8%0fZY2B!y%R&X{FTj@zSRPek_ zed59X^!QD{HZA=P&|_x-uI3Md<~W?gQ6xIcCRG$cHqM-#pPRMxml;_zQ&J{p+&wWX zB|CfKlqs3n6OD#@?wL4waz@7F$%dKtWK5Z|erYcD94m@o(}1l(!&Cyz{-}OyBtf$d zj@~ozw7}&A6Z|ipZNC*X={G?|g}n3gv+{rX;fa<*w>_8s`>*D`o_*ksHz+*Ffh&tw zMwD<-QoRk^{zK5Xn+m+iA0-MnFK7;&YS_+#*t=^C#S5-66ecV`bd3JI0hkrd!&Q8y zE^}#ugVqksF&B^k*Jfy%W7_Z*5AcDc7J#(7)^|;j^t-7C8jmBYu?0WPF+1?v=XtCy zae<)VzjgOJ{d>r}*PguQwi}j343WXjm2KO1MDs&}V?sB>fG7ra_NaZ(e*y%dn8mh+LsNR#|2}oT5sgpHh0=(Y#fjt65{R7EMQAPp2ZYAOF$oTM-aV(`6ZD{h}#8b!f)GXa-Kr}R^<9?CEFob(e zu^_k^h$|Ix%#OE#JhgXDxjOL)30x!zokS>%VSZOw!186p0oV2}``*K3U)mc8x{kj^uy`qpzu;;fmp?f2`g0yCzjJoSdR2`|9>xwfLz-a55zXm*v(gQVDXr`eD2Fv0|B$o-ANC}j+&!dh08q*<`QMv0{SA0iZdJ` zy$ww5;4NV&EbvOWD$?#90K{0lSG|YDQNYY}hRdb+ya^Fy80x-Ay(&h{n&oXSTpo!q zS6iaX)+yxUe#YcPHq=)D;ocUXsU6?uy&Qq7BqAwq-eqs{QoI7HHi1Ov;gSM1Sp(%H-sn0XYcAE7MggWb z4HtqFHW=>=MGh;~@&XH&FA4QBWBcAb+=G&cYorSOH`u)c?Vd#ZYMZqm*xe_@Arz9D zwCO)Vb)SO(;xS@w^y6Dt{@aldsX7cN?A{?rDt+TR5RK770My*lw_p^7%MQke5s_>C zV4R3fzL1F761NJ2`JD20;#*w-d@Cn#O55zq5^&W?dLZdMQh3`@9PZjfDtt+24o$Pt z&;V|qW}Q@wb{60h)k$ZO)Q=<-MPR50DG~?m8SxDcE5EjFb8xg0@g$w)y;Nj4YB-Vl z*oLQRba{WZ5l?SF*TGoV59v+?d|;$Gki3Zvv@#mF&FC6+thwGv^!X^z?lR(PQwKIF z!RBTl?Ytm)Q(b@wj5*~42wLG2o~vzeenB94FlHQ%6q-{K;q#ce8iJ4$n5U-D5 zBZf2i`HsEaL~<(ikjK=ftJ{wt3u@O+80<{_QCGJeAvB0go#T(B=5^`Zzea#@cqPOl zoJN+qe9^PeJ}Nel6c7G^k6?mwC-W4N1Nnl9FvYNR4o#wv$mE1TQX9%~bw)|)yd7XN z2g53b%-+0q?U8wrGXQSH5p}3PCIRC7>wD+?DU9=zO+gsvmqS{QzPd=xADU+ZQd=NN zLH&AAeQn!Es3has_!ycuZ*V>?JOZXwxxu2VdmePc1cxW^!UP9h-G3twgoi&OM7Qf; zjyNJmOqfV3c%7S4;cE;SnMrlLzgw#jR9ftFPXpbW_tEma0I@ZQ4TYA1-`5bfk}ji` zYSKVbEIPrPMjT{usnEC?qc3t&J#9E@OrYTESejn7^ZXk?ZJRft1CyV@FNz_eV{C*J ztm<5R8q*O~#<30XK_Tmq27Rp-OO;!L5IjUYT6ZF2sMeJT!4%bQ2_%)_H9^p01Te3I zVpv^$?g`XVpBs0}M^1UCY09I}@G0+f`v0gpf2M)A85Iu-FZ2D0+#eKA9)=h*8nwX{ zI(c2_apg5=!y@Gri+6pzp$TT@)$?gO)9o5i`~5eVaK&l0-v=P_iGymtzlt3aQI9)U z&dnACj04;cpY9(Ce>MD^p=$j%lt%dzT!EcWLknk(XQ3ynqS zTjQVTT?h$D0&k`1Q;fHJ`p=x1ogK)Fm)czGUPy>c z;w8zn^&UiDPtpaurbH3aE-R5jLIQ6nBqZ~yAx!Me;d1Z)sl=;hZQY87q<$w&_PH;h zg`ij_^l}gC&ZOR*3Zeo#DFK3*A1)QZI`bj2J77V zP_`hQ$?^Wb*FGBi(oaCTn}ln~dU!WGqA95j5*8}50VqR-xfGy#@)PvL+c}u7^VP%{ zuz-QBVMU z#BSV6vEuRoLn8peXI8qp@Y#62`k?OqKU{sVrIAV|YL$Stu0+toPO4BKsT1#^5tniQ zwIi;!EfI93ipL}v8_pP-?4B)zG2;Any>osew%q41@nh$8BhDsx4&5n z^!WB(0r2l$Fq&a2} zem_Djn`1WOEggbFbIdz<%ek4}j^J$vi+vq$_6-|^#vOQJxOJ}tjWn~igA6dwsRGyV zFhMDhJPk$ihVzNbHHOfHTj5-L32RZ1j#ZXE75WvDU$F#0?Rn)JXu;k%6fpdUyLAAr zHa%7tNrN#c912YvcaW?&ln={9gc`1-9tJ&%edyNWz;Q^K7Dc>7Y=*?hSmn!MgncR2 zBPp%4e9JGuIEY6^vt!0^;CFXi4dy@~a2sHH)3(xYi@(sd{(@N=R8Zj1AUfEn=MmX( z3)+-=Sk(FQ&eL$MM;PEw@|n(qdRho$>U!uI9y6H5ByEO|ziq->0q!k7UjX?YSvM;& z-vGVI8zBjBF*x;{*can-BN8q#N@!aFnzj&9jZ%2cioLe&2-GlaT-seP((({;Ip&kn z`+$?hfn=h1Lz8dsRm6PvN`d_quvErhq?>r8&%Fs8#c?+%*{m!BEAZpm>ZH*~<8!BU z0*&zL;q!L7Fy==3+{F~Qk9Z_VbHfkBlg1(&`sfxU^A9SBjO&j$B&0$hC$RK^q~mB9 z>#m<&_Ocak;c_v_cg>oYvEo4T1hh+q3Tj}rWkm#W-$qr2q<+-I39Xx;YTH%>IT#@J0+qFL46-f8|mIzq))c2Udb#-U(>k1_4o_ZgUbaiw+4nD%8 zdrD;9IQ-7l)pY_xc;G0xFjwq9SDb2SYF&=LGA0u*V{C%42kE8)J_z^#e{>{~tIj<+ zl+>FxnYE8<*FCh^*ldmo4%P7C+dZVahk0=5zfB#-*@P6Aukw!5{&>c{R4xKR$wB<6 zkw$MLu@0=`&|~0X23&itaxY@S#QA^KJLjLyIDc*==YMQ*aHsRJHzPTJKsi2waZ7!0 zhULgP9mXAEl&>+qIcsZu5Peagbb-o<*UyH}JDhk3uO@F6!LeIsUH&(3T~uyDgu>P zNAaG1CI&aLFbE!2^VTOQfW0a)Xed6JNXif;7JBm5hw$!AYeK`37i$D#bFK; z2c-3*N8hw~Jfwq);3qVZhS-x#>f(H2H{w6M$z6#+Li$ViIgg*fDaR&ypNu4dQ>{3B zFSx$xBc{$3$GN_V)zx)C6q>7ZKMDE+Kcq#oI=!;7*xEvp67F1_A4nqp*vdW!rMz?> zYP%OvuE5Q@r|dwYt`5id0eOh7?lNFtZ2X2E;&Q;A3fRG+y8=M?L=UK{I>y@)IBhNn zS3aIbRl-z{r@>B`Rw!vHvV)KpQB~5YYL3Gr&@MK*2wV;0vYRoaXqXK{3M{!0rp#;u zu1T>Lx0xf!oD2%@F8@CpkW%7UP2M>QI0 z#%TQ;fY^=66ff!=^iW(dT5f$7;cAJ}lVPRM`3VnGDcC*9RKj)PzXSOG=P&^71t?rw zAe0VUG9J2u4u)zhA_n3G2>$R#CRcAFw%C$-PFFV)X}xShcN_=9Dt&Oj9!SVj1icNRQN};5ScB!mLmmAYJk!gK@(po}#ff zK)Pg|`v%1M+-IrPJ~j*@v~rBI@!^rm5{a_{Nf!uR3AC++t59Q8V~7l-y9x>{^IG#U zyh@{j%tfI(Ikr;$!j=$F)F7N|5J|0ZB8^0okX9A<46sSSaHT+b^gEi)#Pn;Ylzp+- zFMvR%E+*M@BE=RcD{h9?D!vrx`s;8aVyO?GPzu9020?ZrDnP0O+5@5pRP6V<{Wgd=R}3(5UZyeC+zCU{^8`cM;GdO1dLB4AfLN zd6Rb_ec+Ue`+jWj5Q{e806nRQpaM5s8Gl&plOyKlNUfo1BuGG~b^E2krO}Ih(bc$l z-<8)Dz@7l9WJ{wQ(QGQ9@ex2W(-3oka^wQ!;YKVeFuTOG{sr|0l9Jj{2fvT2v*))S zK&bbyOG!kD;sBS@PghqCyfL+*;fj&1B*l^5v~9>$5IBwh4)7c>HqKGjfupqk3M7dc ze#5uO2OWAq*@n6hAygxTSm7-QEFc0~8peP~>jB*Lz6RqX$D6#BAx=doG(O$Dvvoh# z2B@i&D5f{eAnHEsO-Lu&j!k`ESJ!}8j>kyd@3j+f>zYtP2jzAUsBlg9X$G8wPCX#~ z&67+iJjs-}HI*{2AM8CmkvONWE*V$_<@^gCmlCb3`v@=aKa0mi+6&gzJwmS+8KvPm zB4MHe`#fFUjd)E>-T+BP=e|M&Xd3LziT7eh@W9tm9miegHLi=Ax_28zD9t^|Om&{9 z&N0bsjyZ+vFb*V&6CwlAIZMEZ__R$o0|fYVa;o()aF8np^rB4bP_d6EnIPv!PFq1T zjFexLej$j*MzB%arb0al?iRMsdM&0=nWsUROIrJ|veR{SKY{JL#*mmHw0?_sPMdsx z<#}{`>p291p0HYl&psxgwd0;{Nt2CrrK1ICiV*1jip1XL14<$i>g;JT;Fd2T4cJB! z*a30=KlIM|XE4q`E0Xj3UJi18Peml>R~`hrYxS~v$I=$jpTJF9e+j=UZ349kBZ{hI z8ccPf;ZO)Kq-=dV)%+}5pfGuF7Kfqy8|Z1B-VFe3K^&1r$#r$35S*6IUWd}FnY|{k zoP*7d8$dve=`p-rK}}NAh~-PO0ffp=6JoGenx=`7rn}O{Ax0zVnq%k%BrCMOgB-mo zMOt4#3K$yD2A8q|@;!;6Pf}RxA20~I7pk}x*OX{3rB6~aO$OGviDV%WnlWJPL12<- z7mjVX!3RdwOLA9RJnduBE_Abr7N~e!2CEUo(ZRhbW;+rB0Zv6MrVngIqQw|s0N*q;!Dbai2Kx@=@FX9V@pJ~6_ zO8d*nFY>J1AoB-?`DCc)j%5$yoUuQs)1%6n8E_vlX!KA zouMEj3p}m{j^%;VS>PTua3Bv%Wr5GAfn6BbT-bKhs6nkPh~!a+s0N*4K_uBZR;WRT zSWq!okYkz}L=v!L2EaRRQ9}+=2rc{^vEgZG`RBMim^a`#28hgp9B0*_RV;{%gd9z3 z&;k}jHb9PTYET9XB8wo$Mm1;>3reASmZ?F*5acr*$BKf)fM(P22_V8i(r$1k2qih# z@N+CsleV*w+3uL3`p?7fHC-NWYBM|ZYS=Lr);S)g2aaepY&Xk?z2Rt3P2^^6G1Hgf z3-h!IgQX%87y`IxKf#yx{JheoBy1zdXR5yr^@&=~`uc#h&675oaLVbgUfIG*+uq2C zl2c&4vVjHeXk=u`X|P_YLSQ3NrS1*W>p?24SC%691tLrY?}TcSQCGc!`UPGf(nRnZ zW(TLldSwy?6LBJVm)XH-v0k~6f{8p4yxZ*H)L5?w6ift);5W?B~+udSf&4Zg>gug^y}G*PWdHLuoap`rT==xfgp=Y`t^-8G?aw|XIvwV ziQPo>uwmk4U#~pHqIMJEBb1YVy|Naef#fjKuU7`LAR>KcDW}qZz4ATOpMhj%1INY% z9|ZNvXDpls0W*+OM?$@F6yf_o=`{r^IoC7WIpuE%FHkAIzHuq4syxSnIDywUE}|eW z3*z)$-?)H+)*#5Dj;i`bGX>cYWL#fg*hm9zIT>fv^D#i`&?s0whL44L(0}5-WLzxR z7Za;^yEl0chM;a&6O4;6HgvnRvu0(QGXtmWWMHG?$)rz7++K3@5bda5>7KA^+ZKQ^ z2RArrpEMpY>|V^4BQZC;Cnnj`ZpTLn*ph>`sVAc>|9HcRY;R|_|3*7T;LWu^kb<)6 z2D?X-k%666=w*=~Q_yF2*9d67NEPjKlTHGLKBuvvCMD%7uO^UAGb~W-i!n^#`Wv-Ze9?D@j9uJKXtVUHKgxTkhqVID_%)yy5@F~pRslXT7hxnL z!-^zn8r8eyL%&3(d&QRhR3mR+#B|rlt4oKK$Q0kS>_>BPh4uKB+CbgYFk)@-CKFCe z#|4sCAeXA$BX2QziO^w2x(M%fuV8N^dm!{-;Sy%r1uM$*8<8p=KeWs#X6q{dXWbnP z^T7XCJ33Gl?LQa--otN}0g`8Zm+~~ai=>=!z_z+G)*M5U9sDTh2&(K@gtUD9+{gvG zcPLa4eiBOC`7F`M_EwU}P{DP0K!H*MOxlepy1HY4V%|p^Nd-z3in6?2gAmfDc++U5 ztmhk9V zl4m2%|2gD)dVW%BfJ#MwZSub(IqemK5Qf02ltegQhbGj4RlvoT`T-G}Fe@-<3zR<& zfPfvf2%}8wTiRz4OsUuq3mWoq%U*_A;I$68QVrCUWbk$au#1n79qv=0EPyxxl>3Jx z**YXsk`Pb0C+kMnVSJ@#DpGjc?Z$htML|e_Y^iFBNF7w5;&D8(rKcO$cS-jH$0YM7 z$i1Bn&bx&;f9X(g{@aNAckq+EAO820cj9n1I3{}!=ls~+9Tz+s{KrkbLG+vpBeh7Bl40S0p@NH3Ly4bgY2+=>Nfze!i10%VZ1|ql8$=Ev#(=91EXP~J7 z>2hky1VcpMiTF6TKdLlJiNP@dV%ChRBH17rOhGe5I|3M*Wq{4B4==zE2J2gz8O8Qc z5D0G|xe^H|ko#HmMvxiz+Fiw&xKVfcl1NKYu#I1(-w5NZ4H-8YnwCXa97D>tl->aW za5B*%+t(%AoEXicz&y+;u*pIrIH~|Paj*fyJES%;on%1@wh|G9fkwh4)-uFUJkkX$ zZemfZVdA1Lmh1yIGPX_IE}D6@K~tdq0qquw+WfaoNu?T?n{Ie zD1J=N#Qjf`!sia&UT+#TvAfm4vm*-4&u?TJ>(h=MfL+i?dhkFJaYf^BdS~oVSLXwy z)I+*DH=f32@lt|9iySJW3Lzf0-O(IFdqpq|##6mYKH63ptCuoVNJ*^Bo<(()nq~3 z&|}0P3+WH}_6yWBbsy0(XEW-<)rwxz^W#m=ltwqw83?bbe!OWjRFUaWMRFTaSKcGtDFkmB0D;Rk2Ahn3P!4r^nUuPeu zqlIn!SlC_;-(CTZb~keUU>zFeF}?0H?SWx31CWD|fb=?hr&uPwQ+&`8N}OPEoXJun zSh59_B~0O{?&7c_&@L(|xOqeB=iOxafR4l$ZD!g%!)d3C+Y!UI=kKBBH*#wU+Hs`W z>F>RB{`(l`r+X&CEKi?n2(C+Na9mHdKVqDpn?@*ieg?9G)pFSUsA}kvHlTt5X@@ca z))1});<|x1>p?%>PR0Lk8hF_983AXP8ZaBsOcOE7O#3eqY@&2^ zBzr-^k!Gkcqg9wqDoiHi_;0l+uYw7w*gX3wGBJY`B%=8yCtS9j?^F$%=f#8RN2{ zIH&=DPok2w>*L9G%(D!(K+x1-!o!@Mh0cQ_u`3^Zo2=%^yq?54nBu4YC=T<@(u7tQ zGzoP|@ue`SPe(2+ER2*9_T`Zo+f%=TU7Zhl6adEJ3h8Gcy|s5piwKDMoNF`$(4)m_0jDEViCUDAPi9j~I;mmD$AwN(SJXs-T z8Dj{%7>DJf-mLrr0`noYEHkaxc5gV($^k|(z+*TI zQv=&EAncx@!88iI;Ej~Q0ns@`gM}(byjI2{X$68MiEY04Y=5HbhoulAf0!-~NPWM$ ze{QaB*Fe_~lOzSl8zzZETum`)Gz#Q+NAys188@L~tH5s3t!<+Vhq$T?&`a^z+%5;S z@mOk;ei97djD|2>0TW=M>~#n?5K?9%+}%_M=*oRM`>Z{ABu%jk9F2Z$1&LR zx|S<1j3iDMe)0=PEDG2rmAWSy?UC9Gi1Q!oo%5$N&Yu~{`M2fHJ^|iTV}TfD zDA1RW#VL)GZW|Zu4HkqQ1R;|bvTVGptD`G2fo>uZ3Q5$}-GdNj5rsW5KWc)ybnfQwV=6(gx%t(oB z_$LvEF-q;&2s|f_OFb-&E}g=fxFMp6l^Er0R-gf72!yh;(wUadzXpv3EMB=N$MNpU zou=gYuiOS58;kcv4+C4moW?58;$iZM6hA?D_D_z4bSwUM`h-8bLwd0j?bU;Ly zil|Ot*pq1#l#rpZ>TdC>PxWqjL$}?Ko%ec>l<_@ znJRD=!VFtgTM#K;83CTdGkBOiAUD89d1~=$vB83Jm;#cm2bkzVi@6PKs5)veNF9k7 z#Y)>Kb+~#=7rg6ZJ$swbOnlgE3mM*cw$Mg^XA3jM*}@EUwvZ)G1GSd)XnicLr%_v< zuM(kT*t#9a@b279xptCnE%lHTXHg7L477d|gDL4MQm5-&NAYglvIz;WKE^xW`h?{? z(16(_3m-Y(OIAQwUeL)l6-he)oLd-y6B@DdD2+yuud`4}9oV^*ewkUie~^#a7(Fq|9t)#GX&joL4b zY<6!8Wh6Ay=)&O=p0f2BKrFB*Ylfpb3<8iah?hWRu@XMuX}WHqGz5%Rd4mwh(?PDn zTM)E&3)xX&u4K?8m@^dwm>rfmu#?h2ut#^`!+mNxv$-^m(ZJ*&7{|0~RKur69Bxz2LqrbmkW!ojVRkox|fD zWz2hIl|%iT+9~#hoVWtj263pB4V)sAjaHYIoi=;sncnnAPmUtaf5*U(Mk=H~dKkCW z={`AkxTpT;Pk`8q{wRaZB{L)El9#^?&LtTiM$RR~l{cW9aztB>IMB0&2*|?*U28jp z#9m1Rq@;VCHZ|?F_kHuW&P_HNL|HobPQ3Z%YCS%p;qmQ!Y_|Rhq1VtOQ4#NNz_=Rl z-`ZPz;Hu7T1&jxHj@E^ESEn40oA`%oFO392%(i=Vb~9lrQsIJOzFzsmTTHi-0JTs*6zr&-7zs#`L$l4>0xkk`M$_Or@QJ_Z=3}-U)Ee_i2 zawHLJP{n9$+NeTc7Y4Q^Y+%!o876A88zX}6ok$hlGVdY(U8R$ev`3SkY9=nj<(;tE zfY#0zl-!$e)5vyk+sGXtwpWp;+tml_prk!03KA}S@Ia1*I*FudC>}eZNLm)}J_E^1 zS_*Y3=|ykJ^v`?X0Xhb4_iDu$duktle|svl_qXD=Q%a^7e7#yqgf!KC7}r0HLg4bR zbMjW~m%1!g`ZLyM!M&sKs~K2bwANqq?{auL)bWT9=T8*4c#slQg-7|&oafc ztWCmqr(54chX>bDw3K9K9N{a!APuYlmh($*G6ZH>%pTL(kkV=a!c&{2exCJho@MQr zut9QryQz_#kUlRasQigmyR6)KDAzb##G+5Ef>hZReoFOJe)x?H)Tg*Sq0^IxQ_Wqp zig=-S&OeiJe!8(WOn>y(XM>!7;Tw^h-#^;5z7w`*Sg2nR&4E1nptaN)c_l>N1!&Vz zS6}>Gtg|8KC^08*i~EeY*MB2V;KdnoDV7d*D_P*mSQki8VbcQ9eMZW?5<@2G zdY$_Ph9HuAys9Oex0BhGLl+g(KswsebY{N>O(NI|U!jLs93NdQfI2#=7983Kss*0Vk(v?6ndzbQGr;9t5g=%!g*~i{3}Y^g1nF) z*oNF`Mi^;kXeSi?5LBRYY#&Bm!@dlcRuwPI6?3BlA>Ou!}&lq9aSu)<{$lDG8K!p;vDk8-S=lW#D%d4A4 zW*cIP&(soucCYEec+*+4*K~e7VifBhn008BJ^SzoTK6)8c1Q<3Hr`!rw?KK|zpoU_ zZLAV6pw`hS4;By88d9)t$B*+}2s_S)Lwl5JGg9$4IApWt3&A)du_rFMASq(o~Kp+sS(4;%Tq&fnzY!r zemk~as4uXE#qO7KeE{LT*|eQ)4Xy8NHZ{d->hM`EsQhtjh}N@kx6ia4XgI=+R^`TY79l?F=mwTT} zGTB^`9yyon%m~gU(+@?=C3gUAk9^_~@Bv$OfmV7eYYpgpN$ZQ$=>Oe)Qm)Qh*R67O zj(BvX{|E5BFP-o`4x$EerW*99 z>o8D!l@69Y@>S40KU}#u8k|hsX$2Ri5o0*R7lt@u;$a7dvprkrM2Kh01@^1p7dLDG zc5nfi)Ctex#k3?zeNR_M%ku^YYUQ5>L4B;4>*6Ptz2{2Kuyc=_cM?4BbnU0uv0o-U z2a5EyBSg2W-z?8`-00vPPBNc#fCocaI#%cYJ)i~wvD9{NKYMDduI_tGX!g_`Y=?Zq z-(aUcjlcE5t|5Ozx)0DvNY`IiM+_2g@wz%v>f>#IuC9*WP+RFf-$q`&fxcg8Y6DbZ z&)znwoi71Z@LnxpVcH+Ozok%nbM$&@!C1jFu(gdBmMBgE&>O_@_#G?`$L|mkc2zk; zMF^)kH|yN*Af4e#>s~xcqn5YsWZvx7zu@U;c^ch$(zl0KLgyQ-;l@}VR-De~LLxIu zthOz1 z5}%yxt36WtJ=JUd1YEs<*m>UfOOCRN9`QxzsTJ)4HK^w`11Gh8J$+q&q2ifEuYN#SzCQGNhyi8oRE zq1`olAvHy)JwQ!!HAUBc9}8l7bJ+OzhQv#a;+6_&(F-1EM2RU`SvZH*_ z*`)&B`rrjPN~feeTkEHK&}oKp2^%f2AfJg?2q4||c(}17fg*+@0$KbrzoxGfXC_#NfgD^v zEXha&qPb*y@0>r2asK-vIsaR&LC${;({R{c#2x;VKid`gn9J_wSPR{qMRh%d9wi0n z&!fu!xVL$EVQ>=WSBIJ6C(?EJ;?x}RR@^+p?hJH59$o?QH;}xB_R^Rkf#2L5Lvjz& z3d&S$%tE39&cN`GK(tdwL?fk#?Gh2czdzG#DF1!~qpuYElSsM-WWruZ;=?2sX%94y zuXBCTZyY!u?W>_#oGmZe0*`h&%*p_41E6pEHXOr<_YZ6!scL-8WYlYX%n`iXjl+rL z`9)kFQ@lmIWj_VbQAdWA6)^b}Or8HjHn`E7hm z6MplxF_iV$@du&YGIiqlVdsZ|@gP-7AJ6AL2Gf<6_yPtKNwEM*?~y>gX$)!_gF1eF zPY6H^lVZcq+~KYVXnnh_lMH7t(#RAD^C!;OLNV{zvYq`lvEM!HcL)1@hkl1s=Xr*6 zNsILJ1)*(OMk+!|#4#78b_q^KtCV3_UOMWBVI%7RLLbIDkfr1wKzm zB7s)-*BD_Fq<|Y2@1ujkzP)6Y|J{qvzBw6;spETWKC6{Hj&Ser8svj+kzkwz86`9M zH<`)9EFI2EA_c|l2KNahzfQku%o@b()}uAv&V9!a{^E--mPWnkWwCT)g@|}kD-?j& z4=;wt#|knBPQpId{W{9j)g8s&7p1L3G=&n@?%#gFo;G-oK&a5N; zin{{geIzH8b$AI@iU5I?Iq)b=gsp;auYy<@CiE;jkID|u*Ij|Bh{DwyRIr+Wl}iWJ z(IT%q2QgkB#e0(o1KJ~A_iXqMoYywafWLuO595!+K<%U_fkuTViHP>mKAz$9^d>RN zOCmgLlg1H%gD_hnLZl@0Y#5DDZxXFO##0=PGm4`p8*TX5G3zaD@&w9%ij2T$f(_XxMo|T2qf}`)fIBFiP+~J2a*dd9|wcegcOgo+Q@hKZA4Nuagq9y*6g@* z6ESEm4G&%2D}cqp;7mLnurGfg~Mze08sDBRjE%Ur;a%*b@lje_ zW5BvGcKiWsO(7t#lRALwje-gb=&9Hpb64Kci~XA!1Bnu%unA5~Nav<=FP%FSTABP zEJb?{`?aM%EuxbcIES$q<2EF6GU)?$AT)=Cl$NGgmjcx}%<}sx@tB?b@yc;}#3-5V zWM{w)5NN={+{)j_%mk5Zv?R4{qk}UgwC$u3S2m$`bP*{mW~t+@Ugaw<*VUiIM_pID zaP?p1a@W-#@f?6BoBcT=ad+u*th_fdsyPdsf--}KF9nDY!c1Pg2{}L}OtgHIP!))n zBqYV`rUMG4lg+r{k;~4+d=%#nREsQL(!p;c5mVbnS97b=J->1dd*2Q)Hbc{!ThR#L z-coqzf;9Up+1{&s>c-h#T3H?zW9?}Pf*57E;&Tt>wWj$!^*e9!Q1q@iDL76;qtxdn z*kb?E5rvKg&ItUa5wTEO$qf%H0f+G^FaD8aGDeTq)HSUIW^mnY;*1*SpyTIf)-|p9{(jtv+jn%+j2cOIe@1Fv{JN9w z6LK{ApAO<^A(4T~!sW4fE|U3Q?NxtNvW_@^-tM0IqsJEGT!iqC|KOY-=M6&oqn*9a zCE08)NsF9I4jY4W$QdH?0i6_Kiu; zut&m1_89J9kCN7qD~sEE9-{#a z97qFxnh;(Xe$D{5XRuANn=m2bSiYkS*`ea2GtPsN7K_x$e6bk|!z_};VM?@(iXfdl zsD@H#vY9U$KCoDv?0^wcxWQa)TP!kS@lBJ`QO-uNjfwMqY>QCJH70CDl$7D)cbhA8 z#h<&$n|urq#Q|z);8Y_42!es4V+GaYl=q1HsE5H8hc(o*c@G9~1LmQ6XtTSik;0?_ z%`sF4>H#su-=CYPV(EHZ9jo79C?5@;2RRlP^E!qxBL%$g2z%chd@rqZ>_GX-7XS&% zre!$yQ3C`YN0p(=#=$3hZ5j&Gwb4X(-mmcpXL!}QhPUNLRghy!)I@^<(K)THREFHpSy z-=+N*&okqqIABq^>vft#J<>bIWf!Erkc9@L5a_qiJ9Or3iWmD~vEF{3ycY93g@mBR zi^)*KE4AP@MSO9_N??pTp1;Hy}VTd$UF- zddfy8`ryW&r*o^OPLEA7W9tds0@~$QxwIEIQu0H%t-9EgK(C8wAw5rp7#I_cItOV? z3DOnlO&<(LTeXAu{N;eh9(XoFeZhi+`X0<82|g|7lHsqnc!H{9X9fpf>1dS zU+D`=w-RBXYhkF|o$hgj=}{2PCA)j){IeM6r!PN;?LxozS&;J|!-Xf|`lIta1lIy~1Bh(54Si7JP3v)gu2oN!abz!YDKY@H`-Sz(7MOo+I+Tgn2 z;!%zsZa3cPuM#b$zY8d<1@3*ggK%HNJqPz|xIQS;iRT+|Kfo2k&4ZVt`6?ka9iPa!0m%O2G;_20qzpqRk*>A;M<9CDR5bEX1JAb zYvAhOo`m}Y+)Hq8z#W7;0jI!q!u3bp#=_kVmjyQmZUx*X)QkSwL48-@5`ovx@ua^L zw;<%eEr44A=YabK+(x+P;a-J12zMvk=Wv~H(T@wl&2Z!3?uNS`?m@V6xOH&9f_olr z2-5b4y9%D!26r6quOj>y+*!CbxF6v9gGO$K8wYnUTno~!L*M)gt{!e1+-|tzaG%3n zf{S%wbij>!tH^3AMQNd*Kj|;#iNX&aCgGp4L1{R0h|MF z9o%NPZE(cz55v*ly};WfxcMqwz5pCP4tE%C4V(k+Rk&Zn&460~M}N^o-^gUN|h+ef^RMX5`FwO4Eha%8J|-YSye1T z#5XnfC1QU&%oiuvYAHs@M`hI-!0LNbbqY?Z9KRYLej zL5B&MWvDbO%!Zb(p}MHPEGItX?6e4v2vj*W5D+6iBnmuaI&D_bmM>aGsmg*@SICyg z?~4lGXbP*!X!NGH`P`IdwH5Z@X!|}<& zA{H#vNAc%hg+eQF{31)z*@7t8*2;X{RYfZ;NQ!YTJ3S(sTfNiaClKB{kz-tjwHMvzZ5Ehn~ z6j60Lu7!{RUPfU=bjV>^lOaTWl~xF7W|dW}w3cN%ZD@_80maTHqOj$b+bd9~rBTew zq8IV^j53f7_?EV;3Li4Fl_S+k9<#6c|1TpBwP}*E6R$4 zQPcRC$zh}_9APkvD$z7yC-7q}rh$jWgE}twF#J1DwYstdV}oj(DLI|CatyVKB3o5e zZn5w@g_1X;xY&sxK^Vx=q1RB*?2>W}=KUOs6~kV5pK+K>8ok1QvG?o}XB8Xbh_zB) zDmp_%gH}rTJT^iP25W(LF)B|g%Od)CFW3U0#mZZqU-Ao^@G!xcZLJbjF8HF>;w%vv z4;1duf(*jqeyg>V6x%W#R_B5Wz!gho;)~ouA%`~KrsDrH@JMu;hxUO5q849L84E$Z zSvI>B`4;BRwwAAw5Q&+U$}p7|&$V-m)(Kg*G8?ae1!EmKGcwJPShNevS6eF!N^G*4 zRHC-=IxMINR!ne2GKe{%CaNqxJ3e!*+Sx+?C{BAS*$7(I&&Wjh zjPfo3Z{p2F`*J8G3+yoz^2IeRo}HPSB?wg%3Lw@p%8oUB6dP1#o0C@_Gd~+WAH8k`#jbQ(oog|gcd@#NRwpJrLTZK(@nLD< zDYakct}Mk@-UT5o*e_r_x#h(rPJ~*7GJ=w2t1ba5td&*5Gvw!4fajNZ85pcVDDMlV za%nZq#zgshD4y6(Hs)dYby4}Cr6Lu8fUh_5Su88lBD@hy%cKC&T!CrJFx4WMqX@uU znskMYYMrw(Asw+*#5=un{#?fSr$=)B(^G<+zjJFO=Lgwm5yuh)O!H2Wy+4B%6_e;7 zCYS;t{!$4t~!@dIErpc?Qw(;zO@Ec8Td9}5y1fNT{&1e02 zA_{Riwz5j#Es<&jsU{O_nCN~6q^6RxVxBqMS+Sa7TM(v1l#0i9U!wi2k9Jp#p@(lp=3QTYx?s7y}9 zs+?vKPGXE$^9VMlGT~0l=4Cc(l?{VDodn@4)}V-gm%daXkGmqEXY-6ib@KsL{mUTVgNRMZk{IR4jmi0>*;I zf?X5~g1rHvprWACMUf(c1*NDI5d}d+v7+<;&fRnHP~-3Yz3ub)zo)}Kx3@bxGdnx8 z?e=7O&xI`l&Oqr-7TP$myrgzUmr!A-vad3EjHE>|UOBErM*^zpS+ey|2}W2jMwkPO zIdi0z-%{dexP`66kw&%Arlx4rN{=F3)e4o|K|KDkWkumqm0p=#i>fLV3z=s*gG!_H z#tzi!*rAQdoH^3Ku+l#~iioV*@(-0PfA`XsKP6GI{J&vhhDXwOi?tB`3}^!Q1<(}G4A30#E1(6SB>)F7iQfUO06%ON z8d`v+fEIvGfOddZfNlU@9_#}c02l%o4j2v41&jww2Fw9i0&DOX@k}paP6oeO-hB|VTn8Xz znR7hLox|#wD|Fy^gnVBM;R+|A@$^El;J0h})mpwL$ie^p{r_A7|ECB4o&vDtzgp$| zQG*X``S*4yKYz4!46i~5c*~Ywef}uEYF{#pF=lit?Mu>^DZXUEmH(Z-7$}$iCAZA=4XDCOvyz#&ZYpOkX}irmvQ!a9}^Fg%CmU#c8yFzZ>G)Ask)i zIZKz*%&Z`u%K>r+1ZtPe2Nc#pEfPO91XkmP4--@BlH)@viI1x!KDCng{7T{>mNJ)I zZrw`awJM2kS4n)IO5#UX5D~T7} zC`w%_`6GUaKlFbqa{wqy2 z#67j=TJ1E%2Q~t#t6@tGQC;m`tDA;ElHzN0cMZ`4ckD}UR&Du*_hHN5wY24b)Kaqi zI7M|xK_!;|Ck^3PT%Hh)xQAsdzS=&p{iBJV?x5D)nrKoDs2-Cw9Rbn zzxY%OmpPUP|7cQ7LK}HlY28Lzvuk5+VPk4(XwpPZYbj5_T3Ge9GM*AE zt&1u_v0ys4foLEcIUldn{L#eL%)DcVCT*D%6H{wrD>F-;tNv3}pq5l%ueR!sq?DM$ z0>Q@i$j9^|uN-63S0x(N1L>h6uF^d6Bfiw>kg>_}l}iDuEORZ)TlbgOl&n?!D7lK+ z?ZV6!v#UJ*M{yM=oNqM8%otNJx)!rdp;lcwckgV}rBnM(os5mAw>Ozyrr0^EC5Jzn z{HFGV1gTCvkPtDU4)xXXXO+a)D@Bm)G`9TJJgPcTY1BQo z{4?~+k0SQ$=T+#FD`m@%QAB&?UFbT%cpX-p;Yw=GH(T$Era!J&VqZ%Ptfd(qJAyH0 zjx6mN2~84$#B06sLSW%I)GIFpIlinAWFbQr$`znWU%mhd ze+31|@#PEPI)pBlD?pXLTmdMU)0g8w6<@9ZXo;lD6%-)Fqksh}%>^mY2N^#Xkg8I1 zXiQ0b1qDcWm;D4sQ9_LlofyAaHM;st-&$jr$ccYhT#Ch z60f7&=c&9CJeg#nip`UR5EfnaT(L;S_HIEf6aWief!oS z_i70E9`;KT9ZZ)a@T((`El2&VR8CM6ws0vwS4Y72B_@2Dt$bg?f^@G&fqefk&s_RH zW13t)7SmtK{~Z}!y?PCoIm-X#TlK$?IYCD?p|=_Yx>(N{@V}fDa8SkZGloPGjQ8t;5H?J140Ls6N2&{Y#GHxv!1iIX#xI=^&BM#$fqG|989vL#JrJO2-`eM zNiS=XrKB!3msm<#Fm0)&R5_MQEG3ygtYayugKbTOtf(;U^;5CY(h?!xFA#EdXH7%6 z8kZremz`O?A`M&H*FuI6NWnp5K}{GO9q}9YOO}L4P}4RQ&r|U%pFyLh?Q2bPDBatx z#Z*^%*-f_*8J0ae^pzt{8=4Q&DgVu zo}xbY7_V=eCE~W4irc$p3&LwrS@u5)y5le6H|dI-TlB@PZ4<xoa54Q~z$!-SXvDZ9t|A@JGaB8WTI(dS)>#8eK_l_4C2PcUv4^xqL$W%N#Jy&G9 zn~5W9=LpKVCI0@)N<2EEi!{0-%iTac@t%%WHD6GuouDu~@$$Tlh&wb-gt?guO7aqv z5h}7h^u-gei6U~#2$An&Aa3p+D=5%ZJolX@J_OAY`KL{RW1gVPe+i0QE_SW95cDWo z(93MG^sfcTGgiDftuJ2tO%S0QhoCI%JUowb<2DMq>4LPE1-*YOZf$HVJ_PEC)2n&| z?_}}j!epeKCNjPC1%;!GOS42l;7mbRECJSnq8Eq{F(@;3sh}Hc1*IGm1?NVK3!D3j zYkRfDU60WsVyCvC_!WX~Z4@68oFL!rf|A_?r7>@(1U>Y}Z+Ai2(EXy9pyQ3OozhgK zc@Gwep4uYw`~*=L3E4flBq;Za$ULhpaso$+C!v!>eyqKCc5{=UJUn~%On9yDEV3h} zi<~I%|13tle~~Og_jDKMUAl|H2i_viyPJsg=q64&cNPhLBgNzRh2oZfFR^b;8{zcQLeI1km(TYTCyx9m60TW^0ROHc;kum&3mYmfMT`@-Z?6>R0|$%nC?gRb zH%A=y>nbvHFNlCx6Os8eOoZP4OT^^(iajX~BJ<@vQSdHbcsz6yK~H>zOZo<3nlMpZ zD~J}EuQP;I;%u?>uANw)wpO@2*dcUp=m^t0CZgtzhoW|PifDQ@Lv*}&S5)`7CYrkX zi?-fZ#n8ZeV#&T^!uVv2Sm7NiBJVyF2CH|A!FJokiO59Zb<$sKaX~$xgXrYsB-X51 zBbF~;E*36aD6Fv|a}G8Gn3$Ld0|Nu0qoY%)h55$^Z{NOs^XAn*CQ}l;di%CMvb=rs z`qfJ%uBx!!H_d)&`dj1H{olVYddIn{N(|>x@0;eoHT|V2{&S`V?~976%!Kr}3$2}p zcmB0mlP143Y5G&+)(skPQE%A2mA{ZaBRwN6G3DUFgUHmoWfNpmWqMaWInz^EcsnKS zetP=-q?_*eKcVCAs!TstkU>gsz0KMA;K7u{q>S|Rq&qj=-QBIm|K6-gTlTbNE~HOO zxy$K?n_8~ed@J$ho%_k@_io*cJ9_koiqj{i-Am87pLAxiv9YnYi;3k5C)ewVx9+7U zZ*NeZAcdZkMDLKWz!UyEEevr@<+2X^@S#D`JKp7>b}8wdhwEtf?mqd{sdJ~!dF)&` zm9Mt?!+NoFrPB^(AFFDf;JXO6{BCp0&l4Qd=GDeyCuGa7nkSG>@wWoTDn=2bC1299 zv@a<-srZt4sBd*&q9zLPlztCY?mS*+aPQu|56$h~t=rsHht3^3;px~(m#@C#hP5uq zz%sa-awj$8TF42{H3lcvbno81Ti32#yL6empiQfGef#Jki(cvUg{bqHI(n85kJYrUx?g)K({l)2F1QrN%@A1$lYx*l~R46wWYl z;>eMsMztL>q(_gQdg|n;=yBIEwzu28+w1tHO927LkMG7;oRbdpXC+-F7ghvuDqqHEYMtwquY% z2j2x&yO6%H@ZjRTF23OxaRvG9-n~-E(bmXl%ott$lFC9pDg6u`lVuJLOO`BJMUQo966RQIl1RA=41ZK-6y^LY%DB{bac(ircX-? z4~dM4j5>e*@Zs>iixzQ?`FwS675y#@t-D3^|-0(!6r!%$fDb@%Q;7%m;H0 zsydk)mL-SN&s==uZ1j~YSFc7zMa4vgh8{V>oFhl4^5k&(31jDN+O%cGij5mLYzPhY z2@MU61pDFPzJDw&M-HdoKX%jR&8i%i&oEVBWSPUR!$@DcvgG;-55K`zbaeFDv$1C+ z&gC3`n3R={R9|D~xo+L+bnL=~v(eG9@v*V-SFc_LQAds-ed)@Q@sHi?>dHBsoHlQc zKFfS;+<(RgeEg}aU(Qj1{;}>z@8-G{e_f+5Y}&GE(rWnizGchzFPlUcLj*I&PQ z{57uZueW^t_0z|tnu@&IIKOJkKSr|r9ZFe#=V}ua%WwH>Y0J-K_j{iI-4_p@*Q(X9 z)`L&$e)*+FW?ft$sbRyKnF?R(VQyCTLyYhqJju%Lm7V)MJGWY1joJ^M*Zizr{$urY z#lL^f%|$EDxm&a;TG z8_Qw7G(*MX{F+jHDmKvbbA+0z5Gmw2fu)s%y;bowRiRiarx(5dAym?p4M~-+OsJu{ zFB@vA;>(5#J!Qi>s`O>U#;W+Tp~7EPA14rO_lp8u)tCP68ah(XVohR1VEf6<$Z5EFXI*af%OGJ?4ViCG-nFw`UD8klY z6c~3&ggDv@m&pS}zO$K#vmGw(uAU;!S&bI2588@_Q$~rr^ZSLp(Kul?W4d^>a+J98 z_Y@Jn+C*H~yJ1*1O?5r5u8BaCWx%aOp3Rbj(sj zA21hQYcaR7X^z;j#ulUaA>!Wt!Q%b-N#Jdwco||XUPW&d^Q|pKlyg7v9wYAp-?1Y3 z&8ZYut*89uzL}skJ2y^No&aL}Xyb2sEa(u^#^y50>Rj7e@ z7iA-gqU}ZDl?CG6^>rdQYLj?+^RRewW`u}z?Jtr&hGC{+w8-W1Bh18yCs)KB&jBLC zS6hU;^%cQ8`iLBi-tCM#i)S(Rq9A^ic$2tYyuZI+&;t+g=HUeq?%G56I&~A#hx&@g z0VBlS)5Aqx*hEoyeW`eHYn^zM=qs*!_7IT=yCdu)l1~p14+6Bs%@ae#lL%uGw!fP= z=h9WAT^J}lH+B*k!Mftnl^No0kg<3iHCLpDn~U7*4kGXNX7T=6v`F;rAx>=RDDDPo zi?G{nKZAI9z zwj$w@p?Gj>g*1O;SLG;Tw`BPnWt1O9c)MV=@$kNL8Fv(e5jXEbDB(4+Ba<7Tli#j49cAmI%eWAF0bA`B@>?D%!yNS$4fgG3Z{G-OOAGhy>;E=gXl-NA!mvx9KC|A-X&ThM|M2dkYgQAx zS&SPrXq+u(Q~UQAGiHpAp^W7_rZ4&UigoKRoLY|*NYkoi>(;G%8OR74)V-IL96NKu zh!N{7C;ok8`}Xa&c>ddOf9l9wd|&%s#-nR4JNE84vd(-su8Fg|w(Z=y^=Kox{O>+Z zdfa!&qJl8ZF`Q^Rnb>3H9Ns~|NfQp_N|zpuWxR?V_Vm5Jv)t> zrVr4D|Ou6yUMzufL|xv0JV;Y_dYVrsj{I+;m#vwt176*Oe>2zNb$g zJ$h1ax=k^9%?7n@g`M|ygHi^1Enc*G^{!nz^`;vXqu2bdruGu=@QYEAkypabo%1|& z=+G{`@dgU@nwkwhb=Z97>>2cB&!2ER5p*ul-`8aF7=?OG%|>4xi@J)_TrOXZin@65 z#0gi|MFU2vWY0V_`pV4N(b@Uznc(Q?%NH-64+;v@A6bGP&)e^I^x+k@t7o@v-MYoe zY106mFF2=sHTt&QH~Bu!Z=d+gua>w~`;zn4A>9p2iq~xTRsEXJJ8HjqcIgLEu&h~O z{?<0HUaCFs{dJAco>l+4PC@lAKP#yA%V!fAm_06)4YOjo<1#n{VMml(8zsO zqt44h_2-(uzsc3i$$hDr|8%J4)4Xq9zQ`~2xXPPUbZJ7+OAHZ>0h$0_0#ZQK2@#^E z8t}aWjqzK7-uSJ+Qv6nc@VgA~QkDiitA|2yabKz~KntKDy}g4U6t7B3JRZO~)D(I?L4)5KDf ziQ>f8wPNQ2GqH8ad=b6DOdMS}S)?9cCoV1;B5ti6BU1Lv5|7-iMDjih^gLFIxHZ}$ zcLGM4uPQ&f4PHDNB)z`=dD4nv>${MPIQ6y~UKnL&a5BZExOG5VT-ex01UmHF7aZcn=p*y9bI$ z(46JlM`WEDB(nX7iR5F0MeYS1k#k|3$VX2o{+Paa7(7edi`p$xeEN%PNBW5y=;=i4 z>nrktMu{gO`XV>nKs=3{jh+tPrru~P9-JR6ve2W+xja>5Up5g>Vr)cmz#Q@X`XZ5c zW0gqqMUNwJn8?NYz{|UvM8N}pkrt{a(!-~S2k3=l#r-96?`#&&@9z{Zu%_`g@1l4J z&z%;#N~FeEiU&8Ah$kuAMaHd_BKQ7Q@hHVvB*!ik>FAkcVQt}2`hIce=1!4%e~-AC zutcO}92B?j9~8-H-XbvMthk-+BZ40|iHMxtB0lGoxS1O&uD`k_F1?Htk+0%JzNkHS1&%dZqL!;#SZtaA& z4eQjdSxXhwYx|b<8#X$w?DDA`(S7UYext^jEnEHTA5ym8wyo)_J*4UHzkK!W_wA6R zhx5Wer;O~~r*pk8zv+hio=)S3Po6Yr@W2LNH*SOb{+sl4=S&EDZ&FS42-fyJz5@_lvJpLhPSqvg7;#`67VE^aQurJ9T8E-880KYvq$x(>bXK5}S0 zv71B9L4zDLZ5KFb_88-!sblB>pW#sRyV?#lQ<5F(tXuC;XZ<*bI!IHeWow7Vy$pyn zHQ91wpsd^xe}0RKM-g?!J_FhEtFJ|@tP*3jYK-v=&qy_9fAXsMyOL-6^6JK}v*j^5 zR_&d1CGXU>w0HV?jN+YKEK7SQa9&LXEJ2Nr68C>nB2~F{5OxRH0d@j*0Gt7v0V@Gk zfN2070M}*@KpQ|4KqJ7{0LJkdpeCR?;J<|@F6UzZmgBe17-MX#H}b&PQ6nxRE&^}` z5Cez=1Oa>jo`Bte^#FUobbvm9wUjlq1E3k;JHR)9x`59C|7AQqU8`Ro`#uQ!JqUX? z@(b7Nzt38&UleAq`)bc@okDwqQ3blAM?3)yj{pw<_W(Bm%wGWDB;W{OJ75`L7GOMJ zIDlJWCqP9!eS&zk_b>iq3Wa?qq|krXX6&uVMY^vZJL-RUxj~=#`H%y6wP74RTCM*f z#BS_+x7lOf*-aVs3OqeS`MH3{fDAwq;3^;(a2jwFz`FQ1U^YPEsULoGJ^cV+%kgjV zpiX~5Q2~0b_#_{HnED;gsD7A06n~bAPOhV(U9;%J=J8atUZ38s8B6ci>(SHII&|G` z*avr0?IQ5>8oKu!^yC4u0bEzffLK5XfO+x&xBwOcSm%BMux|Z_+q^pcrguzf{H^hX z-3sLLU^@lpo}3y&p-QR0KFP+BIhfU+CXq_&-->65= zSLx6l+hHG$8xMXDp5Bz#0a&-Vef+1;&tnFbe*x%>$&UaJ&b0LIUo`%v zz649}+LKHAW{SxRpn{io@q0bRJnM};gV+y6uTW2^ z_QOA%ovHoaXq5H~(0dE870?^NZTzEjh`rN>Dt*buM7I1bCYARkAx^xbev@-~U$VJs zU!o`Zk~XD%Ny9gaFZp6qX+?ov(=D_Hjbkkle>I? zOj7`CYli~Zp4JAi&Cvv~Z}@0mr%u01rVGUsL{sLgG_=z)^gp>yba^>ZEDndibC~G< zX>z~)7X@c~K~K)m;Rjo3X|fggnhc)CkQLgC%l*G8=8*?sw-8}h6Cj!n{_^#E(8o5( z8^HGTPrz>g?%6Z|)B}70_!RJuc2u4I;HSallDU(tlIKCE(N=F8OFHh7v4t|?9H}tS zj40R&U1O7dH+kzjgiT=&CNXV|h#R+SHl6 zoI6mUYcINYY!qcIZbjHFSq|=bS$+uIKJ&f%8sm5KO!NytFZV+fJ6Z?7E7T!%`dNQ6 zUq7IjXIJQO)&W|d>L|4V?AW8wQ{BmTXBRrVqX$Lq8cx?;b?Ky2H@dWKC?&c~qB}b# z((UaN2|Gu@$9TH2WgK01(x>=MdUS20E(Na{OxRsXN5}m{k?W@ucA!$~K?{0xY#u#7 zYg3A!!VB|R$Kn9oHa=SZ73n{{$dqLN`kXmk+c$zRgF^l;-O1hgciO)3N7}XVXF9a` zH#)VYD_z*yhr*o)6Z;b9sx801Wcgc{w){WsS1fIhs<~N>d75VM_i6O-=v2b$A3Zp1K<8Y#QH&cja*qy0?b4?6+k2AtmJYOM zV>8;h?q_ma*Ni+jw1eh$qR>tKDQfdj3K-r9bedAs2AKzSUa-GdqCeEdj6M4i09&|* zfa(=_Lyl9|$o1$&aL;LY{4i*u30Wms(B;cBDD|8^B^?`0nVysAvFB8J{3ECDzH5ih^zbCEfWa`swji=ni^u7iLqzX+v1#Y4p@* zD&=__P==Q-`R!{Dz}FNa-zCJ&cprPqvS%2802j>Pzy;i!7o(JfE1CLjD){tJDnMTh~ zPX!+alz-BIE+6Sei5^4giPt2`IX029JtyMxh0veFqv`toK@_&TI|aCQrX$;$(%!9F zbZ~1^I=euNl6ITY9aotLg_ozN{&n3cOFy???oqKvS)aCs{QUaRg_E5q;P|g}!RuFw z_3lAePxPR)lf&u0&oIIsZ%XkRO8GvM=&AQa$~!(0yiA}R&+(M)F%G=w)1xDLlyz8_ zG7pZW2M2U0W^yA~Vp9q3?lYBmVIJNFE>LubM@Vx4RoWe^D8A5SB-6`^TC-Oe}BOO2dBb`0coUrGdBHg=EjC)T?@*GU}P%pX1 z^udcBWxMOr4Dn}6q zFgxGplW&fcA4Od5&NEVLg36B~T&wma<0N0ws$}NWP*whL+~|~J_H%i%`@F7%Wo*XMbG<<|3rH2 zH<4bRoj`@Yr9y8K-TTvZs~;%)xJ0y`FA zfq3Xt_)LmE+mVvb^`Qj+o~Wztbotb86ynp2&L97of{r(%u;VQ$&bu?kp6EpBKK&`p zyFcBxY(#ihN8*9`czr?Eot;aj@~njufJgiF0G0Yxbzaoz=TRHm$Vb z%he?^AJGaQ7`a85Qvztu4$>jIi1ra?ggjHBTNuR!O`s2f(4X@oDeLS&N;%yNd~~9y z<83K^ZDV?Q&XfxMO{w6FDZLMob!YOpF%h8oU(y}sL!EveHM5TjhdzY*_M))xQ4|n5 zgu+6hKNoc)E%C&`zYNhOTVQ5`FCa6M?&_uFv7pN5g!^|OL$L- za-!!^W~3STm;gTXDd2op6?CJp^W7=zTvv*}(3cV}^rz$t0|@UpQBJ@xjIc3+3(}(x z0b?oWuSUSna%cGWbf-f4Q%=kD$E_y}V*t+J1Nx-mgW^|XgueoMwG2FrqwEMC9owRP zz@J6VqnwLVC?{+pr3S-(1q`70^M6RAh&@&MlKD^B^7kEB-j~F$;TfqVuEoBj16zOg zP6w*?CF3Pu@_T7t((;+&OT3qr8kckkJIgldcM3Swj1sprmSoIwrm%lczst&)?YrLv zZP*ORCvE|y-f+MxfvYL!#tM3y0DWOu-(sCvM|9nh5-v@m?5MezEkYZ<3R@JTYQvB< zU4bo%K;Q5(bUz$z_#$*a%%E6DDD>ag@3QpMt2`i<(LSSH@FVLB8@5G$}|eQI9#$z0m1z!EMy>s1@)zfp#GE)GMw%@w?^GqqdsKa znWR6OS3zt5AMIC}Zsk(9k-2fu5vKn>=zic!lyMTX$|uzLI0QcS7xRJl5GngQY|(9% zUfqOV-Ef3%twcM9Z-|3l#X_&HVtf=i2e#FSvK(7Mui)>{r&0OU6QF$p;9s(h714j$ zw-1H-51_EbWfXARp2BV~qOb&nw`?gP5&C|61tlabhi+}5oWxBO9cMw=w?Jgx_{ z(d{jm$wm86=OZ5cT`S=u$FVEqzgVJw$C9a8pnDsDS7biguPU^2s4jn5cc33nE@5^v zl<08~W|sp9@0L`Fy@7IWqONW%rOY_g zA9zTJo=y+850q$6IBNa|^qvA30C@KEld`mZ%)Pq&+43K$+VW43EdOt%Eq_}V#q#^_ zC~f(r8ZEe0A`O;G?iKky2a-{wqzWa8+=B+BqXnkHa&V{sOD5R`+PV$e>O^lM7g52v znUw1^K$6ITl}0&`f(u{};A;R*`}o%{b%`+jF&owp-sh+2`x!F5Og|v=ayUg_iYdhd z(=Wv_?H>tBjn15^dmS`806GFb2Ygg7wJe9_>0e6&tv6GR|9Z3*75y9rUrQq4dy6tJ$t@1&CD1t&6Z*wFj>fIrT}*4t zh7F{>co)_1ilgY`u+2KFb&%jEH$R%@;EW{(>tevU44`571#^Ure7+IK;cK^TsliC(u( z;@NB6R{AtBiRs@2U{CTNZoBGygqZc--8n3oy7|Y^kC&6F)8!1j?St1uwe(aznV>bBJWW1_zbce)uYQMy{uUL2?>HYH4kuP!IjMH9TGpDcH#oM&nCzLMRj{bw=F4+ukp&Rgkeu&E= z<6|)tHNCS`fBfu!>SBIArtIkH*siU*)PE~+|B*12U$sLEL|9W5;zdUJJ;KJSP_}ByR0Fx?&rC*(6G=oLfQIx7KdQby$K#2Bl>l47 z0sva2&;|4dbO!tks0a80z=xCm=e0}wNsb|l=0Ec{>;Lf5^v(}XPwkZIFtGWJ>D?M% z9@F}}fM(x*ei-FB0;~b106sRQ1E3M$YXH-PnwCzDX1a=X8o&SX3UXXj6uI4n63_2@ z_3VmA(fep`%yRAe@b18(_jzllyt!^OB;VJlXXXL@4tJOQ+2m#)t*-)VXja<|#2Wz1 z0DOqUKmg0>H^5hbkES7X#lqKDoVU{ctfSC#=c8>DkJYcNByY)= z_*Cgjj=yEgUz@*IR%X9#`ZAu8ntKo=%HO^$o{{pc+Lug{d?VNP03Oj*skgx^78K$gV@k?TAit;nwC~|wI*_%GydUhM z`&j)-bjOOF*LcGFp_J`E1v3we=`Hpcy}iASp4{CVC_!GA9(jNZPTlJXMh@w-RZ1n?d<9^1m6T%#O+Bf7G41O;v! zOn4WSPC0d@kR5&Kid!FSVH!f2SXs|Unm6H?%?baD?yns9%GG+neai`5ua52WYf#tU zzVrIw+b>*DDz~L60B+BvuCNvMg?Nve@UA7f=Xns`y`&RQ&|k$2%)Jx3*gv9&m25)_ zaKbFo=3#UV`$eKQ=};KG!o(9P973GX`7lQZ+*KlU+yljc3= zMeIJKynPFY-9w>U0S!wPj+>yr=S%W`QJ7E9(MB>~rcr$U6}orHoRU07QJ70V3flE2 z;r&^{d$tt3tsh<5s!dn7j-hK#V<{H2T*VHJORI*EpK(VDcbJSm@ob9QVg_1g5#G6` z_hEJ)P!#JW+mBKg>t6);zl5>$<-!Pxd484B9|scNeWu4=Q|Q6bDU=Dg=++l2;_{A* zD=vfR+_s){+NlfqZtg~BoO;r^wLR$k+;$YbY6?YfGNa3DOt3q|1S@dn6uZYL8-g!lZh3S~_$3$$ZUOb`DkU8Yec;?Wecs z`iodf51UI5v0j%Js!K_MSX;Qz4?Ti@gtyE=Px+}2ILwL;kyT2sV}U}*GJl%Me;i}LbfsVICgy^pk~ zBCIbKMOjl3uaQPr(!Bs^SAaG>4je^k=LS&H*LetV2&PPNf&2lTh1}(b1epIAwuwasp~^2xV{YNQI{+)0?0HQo*hDQ~--Et@FiLQdZ<_x)w5$u46smUKsW%1&^kC zLHHdwgwieyqV&LlbRY6~ND=WeyNmIQ5d$;zA$XZPQqLM zbSG>YWnoSX#v*ga>KCy zUwpM*6eJMvsM`VPwL2`Fd9)aeL;Z_LO%Jg4gHs+TCj#p`5r&i-fxS{8<0)@XPxM%g=zX~T zhe-o}KZ0`DlUFKxrXzUe!onDMbewKM1#zpWAk~AOr+H8z=BVG^J48ji{&DvpWnN!O zdDoZIt6NxqjbBQSV&@Z1i@-XRDW!p~d!g9>b7TM&1zAwKxB2rrpVj0ZdWBYu%T=!6 z)r$+Goi<=^1}revzLHXRQOaFsN=n*9smYruHE|tfC2pkn>kH`a^(B;*u$ms;SdMl1 zrG%3$=s9S4h4^<^|0*~%hTdThfUDiG>%jjfph7FAl+9t_>P3aIo7NFd4xyqvf4nde zPH(Xe@ha;qy?A(>o~0k5-240JCe~8!BrKx`ch*q)t-mSbrURwL+XHMU_1ZkT8!;XG z1$D9K!s>(3@U};RntOE>+8i!dxdK-$D!jIN4ZXSQM!7f6();Wv>_`VZ!K^d?&bthV zqV!Z3dj7xzYYLcYPWQxG6~k_NkM)E%SUW7hzKUn=*dgm`@U-Kv4Hp6bM~yy$Rxf&q zQ)uYTg>|&TdMPdNy+ZHuuhF}VV8SUAgcB<0!}CbONh##Cb1&ia3zU0=3h$htxNu*3 zo`H3aho1E6rYGU_7&@|e;Qh~Qe=-Z@S8DSV-Z>0dy@;Y5*GZ#@b5)KaM(t+HKVwJv zQN*K`JR>#Zs%-i39$@h(BCu*-GDY$w%}e`|LERN!(rtQaU-HP^g)Z*fN4<8Or3n8M zRCMPg9rHRye_*yJ@*38z;w}+R38De}f(R$Y5KiZzi5t9WsUPYPZ3-vx(2Q+|X`GGC z-Rd=J%=lOt`P=Ea`YtdlIAHHcVXIfrpU1;!^NKALZfQvu9hOr6V?pG+YBSwkXiLG% zS5cpReso~lZhE@djt;EfLgNnlV?XX@%64(4!^Z=tj`jLP@k!0GDF1V=gO9la?Yj6G zosOlU*K%oq=ULjgZ~;xitSR1!rvAG<2`7_~k&8DOAMvHu`_7WB!+OGLNo3`In!0#~ z(axn#6u4+HEnT;R>Y6S(sZpaQe}uD2+oVoc?6e;=k2uTCYgmWE(d0H_0~3DB$r_?ZHnR)NO&tw3-5R)?jy zmmn1(KpNHY3{uHy4qCXY{4(m<&SQEfEw3TJe7pVEFF#p;4#y~@?gaP-P^AxKtT>`g7NrgVN^pX&pNJm-_pEuUmU@&1xFjNUF){%U(DSf$*+A;r)HW zyZwZB`w8#%6W;qLoCAO!`XU zAe=2hI8%afegv6}XnPL%i$_>E*MV^60O5QC!kG?)vlR$uGZ4;pAe`+$I17SsJ_X^t z3c}eGWHPcXk5G#*oC!fVzkqN~1GX>>C7jPdIH!Sd{sZCs2f|qpgmWygC1VyP9h~{5 z*^gh1D9(%@I5UE94g%rK2g2D8=v($9ob^CBBZ6=q1mVmG!g&|i(`-pTE63hK7M?XJ zzHr_I;j9J1c@c!OAkZfpMmPfkvk=1w=SmRHogkczK{yYCEOa}&A!8}uh;uIpXE_kg ziNH%))_A#Z3i{xBgtH|GXG{>zry!h*ff1TTQOm~P=oJ^N`hl}K;6GOo&WwU6`4)t;FVGKJK{yA4a8?H4Yz)FV8-#O3 zXy)jSJIm(fdz^7XIA;TWoQvq&_!G{^Ae@^)IAeow1_$A64$3|{@m;H*znM@`ew?X7 zIQxQd&I#c>48j>GgtIXS=b8}C)F7NwLR(f_Jp1I68ht9tf5dS~mhmA!!r2)#6Fvi{ zz|izJYoC+M->%x(KUF-yOu9x|V#$UmdI_a6qN>jK4Xk ziIkk9mh{EJ>PV@&tHmY*38iQJwZTtRDYc|;4c1hp#2wPqQl-?AzB5?6SRQrpZR$ao zw3{PMf-|n>_&%N~rtE8Dn%+iO;mPla;j0>+jS`l4YA)JH|J2j4iDqh>?% zg@HQ=JRzw((?Ytwn0%M}3KP|xe6I&ACc>f=trLqeu=x9<{N~87&MQx7;VYw>%^@QT zP-kE2DI0TqvlLI67i;7#Een0=xu)g-#5b2DFQ?#p9%L%lw|L5R!xWa6_aG@*{o)iX zQLZ^ViPk})qx8H1VsQdJXq*FDjPa{HrXfRnnb$$m!bV+C-yEe`Aq79-i?NN9;!N;+9G)41 zddBrLo(#g1l6sfxP#-0*#&VkPk!CC~F}C@Ty_V>Q-#l%y8Bc~F-5d#<5Pj6{Wu7g8 z$5>hrLULRV&`{P=Ba}HG__QEj3xq69L)3|K)keGqZfc`-p!p&kD|IYtqyBl&SR3Dx z*FaB$XQY;%uIjAxIW7BOTr%vl^1kGmA$&=Ofj2ZuUft-d?6+MBj8&YKK9wgaNQBd$m?5#{Q?7QQ+<7J4yO%#<{14t@`ShRxutkfEkzjC4gS#D59hAaa0Q457i? z5|y?NTOp-mD}4pP9p>dyS+>YmV(Zuv$e4lKLCN!#l;<1dS}v8!!HG>DSnaCGd+j!R0HW( zs-A^w$#VTcx;N1Xm%_3(pDjL1qjKriRPk5~sZz1n)V?~)mhrHE;`Yv$EQh+#+@?s^ z7ipHGuFOFDLZm9DS3{<^4>Woo{>?)=h29bzttA}&BphsG*d|y>^;jOyZxS9WH9RHs z4umds6YcQK0rrCZ82eM%VwnM}xkPzwmG0Dq_3nhBwU(5AG$?0l$$r@oIc19pZ!XCj z^A=LtpQW_Jk(M>h1QyL$B^L=b^jnq-e+zdfXz3`WAAvMhz`$B&Ehki^8;@`3YC(P@ zk&f$qI4GWuvK79C_**L94z&INTK`76WhxAc{0^ybj8fsyK{+$fYD%!kIKovpR#t#x zJkm2Aqg6QAPgxdIq0lfxqG3e^`46e`k5T3Chx|79X94e1mX~l)$Gohn08cHkTKot) zw4`<=dlmKvtal0?2eC|&NjI?yug86k)>d97wZtw7&(A76?Av7jQV|{(2~T4c9`+^9 zepUIBl<7jwe91J)m;6%NmyBz#_>v{)0y0L$m#_*b zHZTa(cYqDl0R61@yhJQt8j_q|sGe75BY{au_nU@{ryADSbZb zX^z-~Qf2#Kg<4u5wK?uDNRzr!x(~=Z8vnXUx*=0mLxp3cMhEzT(V}|=&py#uh$q!W z54C3@T2~wxLv;y_ujnp?+_z#~(*ix*#!L}gm4)L>ayzXFFVz9VdmpI`Zhvxq?vKoe z?i#6So`aUGcU{rSyF>4)!S*U`5j|Fk*P574uBt9Zs-9O?7nYixK$|{n;8gq_h!#5* z-_jlhYNjF_i5`MH76`2V6synhMi{5q)`|U6341eZxT@oyhWxYmZ(KFb!96&+hd%?@ z>N^OPIY*o3>s94}`s2h#qvbkr@R+MS7R7+L9M__}^Iwkq^rJAuW#>(4y+CcVg z&^zxc(ayiRBepyAq6NyZf_An;+*JIwM9Qg%u>l8d5Ze{dLA1wmc5D3Y3TP*7v1ljJ z%JSj9sTD#)=vWEoWqYj-z@{Nt@flJ|WemgI$u?OC576`R@@j+BeNiU&e@d`$@0;73 zwL}$<2zeYM;Qu~H`Lgem{SDKr)H72r*Vss;(S?5T_uB^`=Rj;E7>N9{L^I^)md|~U z`KT8gHEt`a=M$g=C)-0ZJl3-XMI0lKWtDp89t`*7?D3T4IG0rhw6e`AT~^szt-MaT z&&2wy51y=wIV{m+fj$LW30*v8eZ{xD5SC~m`lr=>s#gQQ&CugE2kj-Jk2dgTJeJ{6 z`E<1Ql0H;(#MTE+c`V31QVYn4Ers0E;Cg8RJ#7PQJX&O5a=2>CZ`g-N5lu>4{>h1w zmgetQls)hvHYSSv*zlzQb-tE*&g4th&w0(c%^mzV%5=OYdGRm@eqYKeJ><9<%r z`qPrE9;f9|9?uroKpyg}fjs-b8p&nyc%Svl0`>c;G?ueNEbBtq@f^o;4(?URa~xW@ z8w-753XG-RgKWV|w*8OSMQDOo^^ zc&s4nZ$;F$5j8YqUU^nyri4koJh}c99IPj-*=(O!dt?paSh)nAA7ih{mR6>lsgY-E zw7?zXms}OfJT&Id&X(3LLHP>uuDY68(Y*`w8Vb!^3p#^-(NK@7~ zrjjjJ312LKU6iOLX5$&p(3Hr!EDy{X_aqcPB~HYt{#d7ch>xaU$r_rPMVnPT=%CQ=&aP4;74Huol3&MX0? zm2vv{prJR~d5K?O4PpsdOZCTf#g^ZrYRhjVS^l3(TYjTuN}qq-P-%wk)y_TmZSSRWyXv<`PR}Cy!A$PL^MZEmZs{OIEf_ z+_J}@47neqv?kdr$fe0OV2PUNHpaaoB`?cTt}m9mQfG2Mh3#-z`qVjKi&);)DLobS ze#o%mdM;a^veq&MtV=8jo?~KqWeZ%k55~6PQ`D0}q3oeqhqx_sov{>T-eta&IObE< zHO05KK`*m(%?^Y{${cepMKaou3}cloh?z7us8!rsFKt_R#ft4LdrVogO3EDs3|yni z2u59cibj<5-S+$ow2TJ#Tz}m9)GeJ%O+~hYWx-mYv|pB9iLEu2EWZ~l|H2wVf-9*x z-)y}vn*O+AiG3|GuvU#ZvBr|+-(1@A&ul4K{zk&e3i~J2`}|yjT-$OFgROzwpQxxu zRwA4KEj`37Wmgp|sbsQmxD%mguySlV^GOcZoJBR46p?6M2NgTFJcvSu5LM)~YORoKkM5iicOq zDZd`cyvY3z#X@qgmo2ZN&vIV5?9x_nF4D+-=E}UH!UfNkRL3}0?g!VD{8veD{Hrqe z+)L$gknEM%QZj8dkV+S}rZr~z)n^Hsq1L`aTK+d2>9}8FB8^VDXT{?(zUQZ(12~Rn z)tDb18L|Crg*gc=%*e=o#U4+YACBj_@gb64@TkEYF|`ph3OX`f(igT3tt9WOgI_%A z8HH3la+LF`&%(3<2PM|{OJEp;l18H}UE~`8N%jX-I>w#3IKz!H~!=M7&z<=v_ycFC5Q*Kd_o;nP)O zjF9GYo?b7H@e2=L8|Y_O9^=_6G0t~o8vDAG$N2Rarm@$7@)*xmiP6!KF}Cq4kMXDd zOk;cO!cnbXbWymzRwc$I4H#qh^6#NLHs8zef2tCrNM(#?b<1NkTE=qBEop__6^uVuiSfvA##r}Jd5klqUFca@99L<0 zF~+7nkW zjgKOLQSE)(xkl($7CF=vR)3$BF|rI{(YkZZYy!rKFpUglFk;zf?qJ5KeM`Y8zI}Br zw|)3$%V)NZcfjoQ>aL|Qw&>8Ii(&(Y+!0iZ4_(CB;IosYNxejAY`KdyT4eM6lmR1_$ z=)Pn1WlHN`(S#2a5|oq4^tnSMnVc^plV3pXZI($gM5)$$@6n+{SFM5OHl|i)<}DH=!tBxI7b?VZpefxGTRnns9s-$&oF4K^8xeRZ& zAuT;fOLNeKV%~Zx(rSHG6TKZ?SHmTZM$|lEpVciGV>?ldF{q8XYyF|{RzmnxBl@Wh z)=aC{@YT@N#D}eY(ZxO<|cnyfcgaaBoT(ICd$Bd-kI_Q3uJB=K!*QL!X?DUv9P*A$aL zCqp?&jM)4=WBj#560#=BvTaybGr3V|j5-5#b+q(H*cw`yj)&UMv6x}q#?;PKR;4l5 zH3c+Rf^uT{d#*MYrR`QmmGq!W`K(G$^Gm5xulAkWX^pZpHD^ugr#-T-&IGNwtVkw? zHil?!=H{lxHf9#)TGK78DxgTKMW>FPyL8hsvbQm{R`kpe1XjK;;pq_BM)xE>^|Ht0Dz(rYY{o~JEgaJlo6i`&m(eP4u8N@qY@G^>*K`sK` zfRKwo2nI8#B?=B0!_$~u>{O>rPgZufGBYy;F~Ljaty1xVW;KW@mLV!R|L@w*49oy> zI_G!Z&wJkghtbXRJbSOT_S$Q&z4qF-=jnpy_4kgy(22pXdtm@eKl*|ju9iQKS>e88 z*YMPY6r$Oj|4=xQvqVzvpz9!Et0w@eIEBbfc6s9=&jYxK04l_ayS+qa2OQ2l>?Gk90z<-ql$nvMb^8W^xlR~pWiA;Lg zBb_Y&Yf4AUUv6TSAA^!_{?=~!|EsFBotbtCv`gSGOMookV{QAsY<6v9S4RtYq;b~c zuF=r~rVU7`eI$r8>o6A9pD6*~8vOZ05UvtmPuQFGat+mI%*cnt&b zd4`UgRs?YtL&q(2v3RKw$#;Byc@SrmS-b|ar}gYa}0a{ z1D}Pz25p0dKVbGnW@VPXGK%l(P4VNHr1VafzCn0QA@QZKD4nm|EC;w@zr4(%^Oc&9 z;Xuo+Q$0#^_F129DQU=DETWotx!ojdMUr z5OGF47&MoqHQ$+E0UFUz5{)?mjZFd#y8I;?bBTtfuZq~FX(9X(appM0LJ$EZWk*tu zppp_dBZ3R%r}!$3>Ap%6f?ricR5Y)tHzt`wc}+vPrh(4t7&Y}KO>N@q1YX8#YZHy^ zRU7l-Viz0?Lq4OJ%*L|6Q}Fl5kx2e({#BZz;HBb zrb3DiHIxR0S-j>T!m!`l(l?aRIAZq$JsYJo&in!4dl7!9VP8;+4Xpl_x~LrD;{ zYayfN6H`WH7(d&u8c7a#+Z6*5$k~% zc-NSFQ}54@qf%Oa;7=jc^Abq!DMav!(6FeK=YeTn$ujq}l{?zBp%yVI&?=IA5o1GM zSfVKS6fu0y0z{Y!8AuV(LoFvro=Das*<@k~B)2eYfH`I%CUTLDxlzI{{&p_p5`E%N~{26T4ql=^EKh`+w z@s`}t@>lOi<|r@dhexGUAuo%UP7oKBBQAo=HLP^6?_5+~i38n=Q z5)-Sg3z{mB1Z|L_(E^^UiRE(}3N5;5tGuZqAa7G-Z8%@cB!(JdjqiXg%1ocAK-+^l zcH_0R(P*!fMtbPAl<}ghagR#bN}}0^1mw%--i)@^F{uIaZ&HK8FlYyQH7iH36U`Nr zS|qQL8S2HkJ}D=`n)y+XO(~(fcp(Erg(ap;@4;*2e6TdkT*)|;29(5_E z$E^o%X_AzBps^MM9n>o$_*j{FA&4x93n+<=DdVR~0do^Dq137f#+{!kGd~1@3lIVa z)pudb4rVb-0> zIr*j=7?M*C_qSk~PXJ2=IT3lVXo_13lMt*f|bGE1D=iFi|oNEV2^E9T0H~bRGP(N~3I>$X;F=Pne$oi*eMZ z7twbHR2G!z69Vc?e<%5%T|dthOM2^6_Y&WG_bQ6kz6cj#YW_V^r>qMHI?&_210BAj zOF+p-6KmW|TYL%El<3PT_8ctACy3%A5m*ZP=8P7Z>YEEFU7?UEm;s#78t3_zFGRClcC(n?UcbHTY1oMUB-XQmz^;4TKS}+ zDXx~99jN8FSfg^A2naU&%6b&iOsy<*vk$lk+a;B8oZr!KQ=T_mmryh9f8sk*l3~9R zwk6kjCxa+OPrykk!cqv#{3Z@>A{~U8ehGc0c@yhpWcJxndQA1=PFQ3Set3=`ZHzXB zh)5pAPE#S?+kQ6!Dr+RB>71l4D#GHm2_ojn(!&ru#A}o&6>NGmf5GenQj9Z;?j%Z4 zcu*%ciuiIg)tE9Mz9Q63Txvnmf)v9Q zvCh|U#YqPblw2bIDB5DN=g{e;W@%wbQ78R1zLfR+hI-d*`E;qeNMwzOK&u;v%vR@k z1{~kx3R<`7rthV)=Iv7#b>eGDWB3CveZi9MPDd;{8tBI~q6M-^9Z6}Ry_6~x@12qwE<#eHLtsz&3b(^WUG(NS{(#U86;>`&Q68?@-Ov_Y zBSJ&W7l&X$RbAxN2$PQvz_Pkr0|kdI>bHzo%IReT?+oy~QnfKgUgQoKk}H3wM$F$e z!rVs62rN20#OyZM3f92KD2v>oijxZu8e^2Y5hz=+Ti)%}x`8lbqqR!CZ=q$SYPFLg zSLTxAU99yEDRM8KDJnQ<<$wv>hra{*Zsqz{8rfvxMsX#Oct}x~QW*TBZYT6+v}TvQ z@ep{(0Vj1MG}E%CKSGNnbt|lk&Q(G7aEH?1j%+1eg9j`(+_UH(p&pVNX8yfAlyhY$ z+Fn3OGVdJ0_uK+NleRvfE>v*j4CP|f^&qR2hRAfi(Ih1Y0!x>9!wV%WQ)GRp;I}Yf z{h0-(sUr9eFH)W`R8knK2Vjq)!r(p-Bg6(Qc4s`=Y?76s15#&>43^Ecp!P#18C9S} zVaW3xV;VLgD6rP3ZO9d)L>8HTwn>U@SIk{uS)QUSD`||!T9~#WO%(?7_nwe*;Jw_A zCeJVUZ~VRuDBhy#uWbVgz{?mY{USk#ewC z)X6jt{lcwN2PA`PBnKpZlcAI*{k>f20f`#-iMAV;Ra0TnU)sxBt0e@LZK!uC>azM* zDQexxq`4PZoBfdA0joLW@7ftendDR)Ul!|E%8VRzTr%12xk(vt$M_p&(j1A1f~5>7 zfqlM7h6_P1-3Le6OJhR}F4E23= zau%!qy}C1^11gO%R}nGE7+K3(Ou54Zwv!4D}BKN>OkC zIh%ry8g9ER`v&p2orL?Gn>Akq95l&|rdh#9DSA1gEiO5~8tQ$4rhlEkQS*WT9$*1H ze`cA7NxpZoX(fS61cEug<^}rlnw$Eef%PjpnIdn7n=r0myAKQ6w*2V2vB$;J(ej@g zZd>V`V%^zi-8DDX{0TfwC~{zK!zu~pWO!}8DMG}@TrHP=E=KvP@hL+~VC_mz8xK+D zd|>dA)CdFhghV}AJ;V5jFs4@H(>oSErj`m5dK6{6SVGaMVYTLx4em;NP(Y^2@R}Ht=0jht}IB` z$?)Ue{KK4zs9mj&C9{1vs5$~y#KNLh2jjL_Ja&Y>Q{LmEVR|>iKC$7js@fmXV*~W= zh#abyA+oxUfP;Rr+7q{RWlEj9;m7L$CdyJo84fF}Z=*Dz3^l60Mg=>p1R&~Fr)Dy3 zEWjWXpqWfH_2trSU70|i1}cNs-VB443Xd}XiB6z3c%cH~tXY-YWz~qf?>?vsmX$A1 z>&m58{u+@?_d%k`mZ{a(!F^r1tU1!$`yjb7q+NtmrfQD#;C+xFLgZA)kd)1luHlmm zt%(DpZXksM$x(cJ?BNybN>E!gv!ri;$ORGlu#Dgo+N!Ei6l?5p1@&iDMQ_NOT74Pp zJLVOBA9ybYza8*(t=3cb`{2PjMm{SUUJH@`bh~vyV5ASEX$+}F4{Oh_&3 z>52OwQAaSf`W%?2CLySKqwJ>M2MKTC0n%266x1B4(|wT0@K3GICZzHfYIGLfeQO%w z$&kha$+4E+yAM41!BeZ<0Z(nW)rxxTKB(lNO|3ow?x{fybIfn7J(6PG2T-?04HO#H z%M4LwMI@iUxNXb-7_+R^84tQ3hOEAQB|A~e-_Vx^@D9J*3OAzOu4}zO z-VAj?3*HXi2i}9h`&qLRl%`qzud_#0tn;zAK!W02MLAkgoJdE+a%g5V#rcFG+7zd; za6XQRW%h_dH9t;>sODy@{`iNTR21vH?O7G7dLlzqHb;EN5s|vdMplLDmI2YRx^oZR%;=&RP40WAM+9QFb zI#-M+tfK`sr(lUz1#zVak0WeC@btwBK%XG)7=j$32ST5ILEOvzgSZX@f;bsMD&kHe z{MZ|FO1K6gtOQp&)!!${YVFi13a>u{S5N{SZq(sdon_DgHWp zd&|7NT@d5y?dI(*XNfGmqq|fpRk$m?J9&5Z@RWIbbwQ%syX*QJpx;*5iF69B!Q3zH zTfkGeV8x@s0LB3MSD!)!MnnbFMH}@6M*XRB&GYLMg17^kr!ZBs-KZ}z>epMmwm*Ve zgx{w$7OsRVYBG`cXTpF$dl>`W&@f}M;$xU$Mu#u#&HU=XkfT&PB0jt|$nDsNam5{eGpo1U_=Nr;4fkY5Efxc>t_yHfl1>6h=ia!$4tFq@KY>MO&vs+5({A?!$mp z6of#wrkOM_0#S&WTehFg>S)ihVbM&?NuO<^EkNd6ta%LsS?zw4G|x0;GKNAdV{76s zhP%Fsf;T`HoPx9JrC_yKd#m7}qA&`#2Q;@-)mq#bwDqFuDY)Td_8ViW6nlCYV|E(K zjs_ew+;v%o*`u8`GWtXFkXB~+m@3Q{HGu*!=PV*I0@M5QF_#M~b#h*QSOD8!^Du6B z85;RyqsG%1v%dzb5|=Tn;l#_2O{#I>Ws}GNASto|Q!3i`6sAw1ez#8J7R*W6=mqTh zRc{n*8{d=kwIe5{vSC?>50w^+i!@K+E*Pq_y?QCZwN@HGDu^ro*yf&T%sKODYvnm( zEst6#PiK^e)j<_iE*rqGBH7}=J)-}_SU@P7g35+Ol&Sg`iWLeO*+Avgo~=HCxO{DW z9;&*!oYIdH*S zVEm;pl!+l@2u@X{Dn1KpKtW6!wxbF{`F)|r$SR8$ zO)bG%VCqLvunfm%jG7YECs#cVEHFJF60TMfd{BeQMChPn)K(Q0(tWw6gscz4at0Q7 z78pc-rLDhJszT#b6yW3`SND|?HKy}~4yN$Z6PV}Vr<{;tlA@vJ(Ymjsx_(G-N5UkU z0f}q~D5;qvXdm)ziVLdyN~YTlPz3{xYRAm2Nzqk1Gt@@POM}XADQVTc-d75R_=pE*b$;Z*c?jrAqyLs(mObwIa%0 zvA2Y{H)<+s7B%ILSZk!V?kkn9udUTl!6F+Jdydu&Z34E&sO*6>6^N}-G9Y4|DQ08^ zuc^QafD72uR5bA>18=`^sQ8fIh>15HsC?Pi28Bye)@Y?mL&rW=4sJRsN zOa?Ks0e%HEMn)QwiB#WnRNMUzXgs)@(&EE;)#4(p2P32Z3}mR9Yd$;2F_|)(aPCzy zT_)|8FhH3$EXPB5aimAx8Ixu!_97HgYLDZFeUk7{viuv`w*1-5@^^By{MQEAEdPh7 zB>R2s<{l^q)>7F7+4`DfQdd?0mzFG^W31edQGrD)o1F9UHEZA?^O0K(`+f57DEd>2 zs4{BS>s`w=_;3_HzZ1EYFQkHE23AVdAat1e8N8+{Z&Zl>LBrkna!u8dgdmP&UsZt{ zY8z-K{NG*z%LxJN_hwOjlu40jhBO}@xh=VG`!O;PwR zXc_LHUpuQ<_bl!Mq0z;-qB=!Xe|j-r>bH+n{cLUr>KM;rY3GD7vSc-wVhuL1Oz%X{ zI#*s>Vwxfnq3QG5?SY3C1``YM~W-N|5V1 z>L2}%7EcrvU{Z1z9wtw$R^vjn^{#v=vZnRXv&C8ubZ`ZFlmV0Rrb!m8eS6~}-27Y( zS-P{v!hv{{l#)5RP28*&_;cnpB|(h2yg+TqYFL$$V$H3B5~FsfP70I1vsm*{0oH>J zrD8nrn)d=r`J=1F{4qXex8#J?pV=^g@_o`B6BXFHkbkKFvNCQ^QDor)IR1X6B&*#h z4jv3JqA_yCx?3=IPfP!qQj}_=u z0z&Hs1l&BMvieyDAkz(D05A;FW4xA8Fv_a+G#tTGqxl6IqGK5jt*bC6!K+2C;|R~@ zGk~EcejX%LbY*tgHSywvM2EZt7O!LYL>4zd$j$>SCR=$-1~*5M%%1JJq=e51?<*3I zqM$cwnAts{?8TA0iDwC@& z#atapAKtaDhqaqRFIBENid0U3c@;1YOf(0ey+_p7jR6tw#=b5RD+5Oa3JaQ3c*$s& zIu5Di9M6FSfK8pGwYP0#vpeNbs#Fx_fh&@9pwJCuFXEmQ#LWjl9*9o#X$V&y zA+e?YGSWM2c=r0sQeHudRVQoUim)jURA2r@8YiHa6}Ds`2KH7rT+k-6{QRtA7>FLh zR^v(4B{T}V8f;29hy;ep{9$Stl&{dI(tzY> z^*fHJ!YG3hp0T2$gX?8$05pKkVHpWBAcwi4CXLK&UjarA@~9FpS5Y&&i6yEf#EcWV zFr5z=aUn(&J1T1W+JWJ*i!}}KlWMRcZ%s97X#_!KDHZJ^BLH7PbCTK>uQ}qTIjVQB zQD6hRrUJXy5i2Q*`6&OQ1w%-9o8+s)Tcc*3x6&p5;%amsh!)0irdP>h!~BA779VrO zE#|1cGi~xiHj09k$j5L;re6jplGi+i5kY+@U)q2EQP_Z5H<)*e$+H?K zxTK)Q=81F~llE4SQ321Ba&z=NA7V5yCmd-GkDyZkVdjIF4P&0CBh6y%M+FCUGfk1( z3?*V?S5SkHZPX5Ewqdgp^JN8!4!-QN)+y$HNiKCBs3;06@RyHy&o5>tq`z(#QNF8O zm1&yE9BTg9tuxqmi54$8QzN$yDcDRF^Q+bO^Q(!Mo-L*v&6U&%oOJN6r-QcsV@X-L zGZ8b!H52_nMhN@tv}Wj)40{qtQm=tfE0W^1d4AfG!h?!+JE$DDm8()sVb@EqNGI`U zZdI24D3xGJO^#VpqjvXS;@`e@{D}ET><--R!2b-8(|?SyQ;eMShZUl^{tRwe*XPc( zS^`D~L!Y_>BK;T)q0n3~mg(ADBNb1{;la}WlG~U_aL~-^Gl&sJafN5#Ir7@A5XjRR z(7+&py;jwc0Dj-%wHb5lNor>#cM55DI1; zB!_5n@?GlRVz2`f_U;wG(}8DJiTN{ym8&L6%8ZKp=y>z_`7chjDyM*h5Yood=?_Ac zL7F6n{WYx7rnM$9XRE~i9eIrc3;&|LT5qq{e`vKVG_4)^3c3)<8QKb1g$;6%FBTrh zfLif%Aw)=uOP2p=+m=6vS$=m%%Wvsxv;0f2!`j~R=Tqfqw~W?SbR|Zr*TxRWAzcYcSQTeE+RT@-&*A|sO z1PxC`8;KnZoDu>9b}Ke6;5gO)z8Mdm@H<3g73(5sv;dpEq_ygIwN}4vCgfkV*hSy} zs~VtqstgV~nWk;HHZNH9I!Zja$_ZwF6V@*yxAWQ;XG}LnZZ~RQG-;o@pB)j@N+YM< zlGOm4s=4xA>uLqphRI*C$Hh+m)c9J;zjey%??X9qdsF*U?CCDFzt8^XES3y>{6|{g z-jl71DssDGkE=*qReiDnImMj)oU}gh^lDAPG5tiSa8PTV56wIZU0O2(JI|I&KwWhT zHM5wiVmF~p6|p6WVpqYpgC{e&xhqq|R;{c}tzWD3Z=bN1!ZtT&?8U!I^R1?tmZm<^ zG{qZ-^q5a1kZGXR_B}sL**f$!OItHG9c{*jooQh`&V6TITlWyX z!HZ2kWckz2wKabvIzX2H(~Oq$M@R7PI>nj2BU;WMJqC(x%pWadeMv`$zT{`=*S5ao zgF}veiA@h}UM#J>TL%$w7zo?^a(xG*<|@|Uo16Ksaa7i3;{n05`R{U zdy9MbmPmVdaO&+Wv;7b&{9Ih!yL(iUWCAnVHH2fT2<*id#VLine5oyFD5`B>9ISpyvO=&(z^L8uI z58!9{dJ}oIZk76* z1P>@5KuDMw?mV?CoNt}Eb;@vt;}2nz z_G!v$w%!&O6C1Zr$sLITL6nR!Nd=KNGAV0hQfXyU$(XF*7ox~>eC2?a9jiW8$(TF{ zCVyv4dNL-JjZDg|Ov(f%8EcG58JLu};4qfBYWhW3`SXTon)pM`;BH^Q@tRQNc7J{< zAT-Zs@CU3ji4imIkeDn-=4TZXuJ)WPaLivgg&`b;!`T-Z-vx?eo(d-od+l+8t{+sY zoZFI!{Z#Y^Q@hrgU8o@@cSShY$+nca(;jgX&fSKYjpU9p9ERfgipes+k6Gz=vDD2Oa*@t;+6|_saC1*i46%N01WAQZNyPvoTmGLrOg@ zD`JV%+fZ`PC@L;nAh3n}eOdn0m+0HJ{Fr^f{E^(z^1JG7mVdy*oWm%B=r%9Wf<}Qf z)i9H=l8)cx%A!+tC($~yg)@J;ALogs^g4?DC^4NcQWnxSEWOX3^?>0IfHs?FX`D&t zPt`0)2@jn--8@~e;+Xt%()*^=Cg5aYGRW;&$Pi)Qo2m(i15efXQomr`_a7b|Wu8Z? zlQB1WJx&;TVoeqcuPT-G&s9ha;6ZAy*4xD|x5Fl21gs*idsv z44gm^s-{Re0+E_uDI;?w9a>pXS?)vx^rOH+XTB?z9;}-f1;Qy;34DnF9yPSGF*z<4 z^-o$^9Am+`S}Rghtj1!00-M#34+@^I^T|^(3j7_@evy~M1L_!Xt_}EkJ7C=ztcd;wea1Q{ zA9*v*7>c8_^|8jeQsZ2iF<8mCM{?7?&BjBT)^kZX2S}%{Wy!n~AA-~0%4DOa4l2f+ z1+e#sYK~Ja?A0$#rz#k1q=* z*2GrUbc2I+y@D~@?F`q)P$RABr`XXo;9zm4xOldx^rFn|5Y2xVFBTOOK#h}Phr+16 z8c<1NKx>&MFixyx>R>3B)~p39Z1(~R2gy+WQA)@K(jXB*Q)!@0Y@kH63}+M1O)(Wp zAf+fghbGckn7CM+cBWEMt7iH#j1C(+3LiTNqC<(U#9BNni?7(zEpWxtR@D_r3 zw-wV1u_^2#lXVw5ioz6lF?h)V^;9r0u28I|!q!U*hK2 zmneJM`jQd84t>dZ&fMKjj`~?!mAWv8mSd}gX1aA5LT;3PA)O;@)LFQJ zC|jh@i!$&0C+W@bse?uq{Blozsgj314wlj8dhXXJrM|}Hp2nq07-=JR$Ig{L4VgN; z{DAlae)21kj6{le3n~r2rxTqN?-rzDl5qgvks7lx|BPP7KcR=xxBuED&@O@hqy(rh zDQMgBKh7+_tE1)j`pRbcSEo0#{QpVz+G({*pj`s(5@?see_R4&`HgK`{wJ8_cX71* zJ(k!kf8bmH|F--erwBsdvluVsLiirxJi;}E1_ZnYl=DW|f%~zz&O(@vkdE*a!pjI- z5C$T=2bhz%o<;Z>;Tl3cf;g4qToF7Gd=UB}s1e2>OhTB25QPwnkcOZ`ScOo8upZ%M zge?f$5OyK#M>vjf7U43&RRsH=?W;5xF5`QS9H&Ya0>NNBYKiNFH;^LOo?SZQR2_ot zS&REHgyq)H8jVr)&2~lN_*t2YlT*`^@L8+GY!%08va;~OA$*c&QhavOh+%P>j0Aj@ z$d&7xO&DWTIrtdZAXQ&tp$T_V(&E$%!sfWhjQB;Mrpr`i;^RgtM!IjdYFVldvw2xr z8JWPPe6tqW@=8oX4)hhIOucTYUT5V?;DcyTl9db)mjN#;DV`zNh$Ay(;mW0E5I#7} zrVl6eO;jajCS_;nR7>J@2`MUFN|NfnKO0hJGT`u~qD840@mVXZcwFs2G+@~95hF*9_8Y>D zLpid?K!B6<$@KL%U1p{#dr5qHx=Ovg?{ehEaS3CFWG))AC^IX5(C7g5@R96xNP6m` zA=x_mIvQOD3+!-Bw1xa90KX|t;FjVBWa!h=AL6*_A^1jgMlu&NF@(#A&#;3P@SEd? zFHM-OhoBQO_34Qj{dI!sC8XdhQ%UK9>d|C1eSS)pnUI-I1+d{v&&Y{SPfeuHY@u4& z*S1JevXZj(=^#YvkfdVR_ypdP_zY5fwTk2X5o|P?bUrI7A&EW-_fJW*f}5R`k=Qaf zTOL$4vi$4XoIm{`J|fSJ(=RVh@0Dsxd98a#s) zcw<(`o;_FL`-MdC-}vQW-DiDr5S`-V!Xu_cgetUJv&Yq7{`lyQPbb%&qxgg|3o{oj zY-)GHZO)SH%w*ldMf%kA#D!T&=}9o&3*(nA&0c7;8w;C#)oy7b45{7kNN2kT>#Z4m zjO~|)K2P=tzKCWQcK~r5;#&Lt|EUi?#Kk4VB`r_Yad$Z3I+Kf=o3KJzJ8}#-?hSD=HB@f9IC)tX1P3ojY$e2Xk)T7- zWn#|a0f{bk3DP=HOhO9e<3V@$&vBc?$q;Nd=Snf4nu$1fy3a^hvJ`8-soB{};}ep& z3u5ZcGSNT1M_ho~A7U`Wq9#d}CFnAjfa?jk%ck3G_nK_WgK z{tK#@YY@dDqeT5u?oTc*IUz^KT|vp{x=suzmRoBr<$ouR`jQvhw*0xw^3&Ib*%xTp z_acAp_odD9zjWEr^8fFYqdnJl3A9U~T>|YAXf6S^w*0G^<)^;HZWJ-Jqs{Wqy4!B~|J!T%|0;h{Fy4H|U)}7d;@bYF=Gy)j@^jD^ z|5xSH&Ud>6{#^-><$tGb%b&+Aztqw4kNnhT`TJwZ$L=gNTP6EG5jWBrvF zI4(nMd!n>qc!=U6xH$aPaN)R{&dugR@H`!Vr{bP|UrMjvqx{62Gq=dqrSVED?evr4 zpKXpvh{5Y^k&g)UbX*pfigl{Rpq9#|b4j3_!6kE8q~XZ&f6(Uqk;a!Se-^#@PIxnLVPY(FGf6qdskpbnhd**3jn*&-Ig@`p3UO`8ZW5FGY%6WjEaK0mTl6H%;azjq4LRXX>C) zeP~ldMq)fI%Z}@_A}PDigz>Ip%W&mzoa#`i#Y9s3tI023;1`#iwIe)?buJKp&PL zia9nrDM62A<`uRGinDI!NJMm!cF7J9n&rT!jasvka+1=mG6IC~OQ*cj*R=eRz}@#)z~cIkpd1i-OF+TdvH5Qid+9nvTaXvz?q zs?hGR|JEP%C7-oz`PVSZFLt#2lRGfWkGH6X`#M_w|JIVW^VKeab_ujgpj`rj1jzFL zR@K%UmA=_XmfyUgM zIJx>ciKL=6BgG==rupi*>HxbKg}Sdqgs<5BL-X+*{;7N0 z(Uf`yWF&w6K#<%gedV#d58gYb{PfFbqc^ST;-X$7d0f3lyl9g|EE0>Aqx$}Er#}9} zjW^f-((lvn=YOZ}*vPS{19*#ItV$xKP9EaO2>-5XFDE>>dbnfcml~0}IAfq{dPc%v ze?Rp@lpyiwV@puY!G>B@gf4!`QaWrCk(8B_ilK>W@+_7naTDckSpu z6pzD(1`HoPeDr+v!oQg5F!fL&Q@?+fDRIiq7)=|h&VS9mkfIKpB;UlT^Nr&Cd~W}z zzlD44E?WD@LtSPp7&7yjN1uG=_u+Hq4!?42MC>AMc-XMV_C1l@(^zrt;r(f@bt6x| zsC%aF*$=jTn)AYqw`U}1rVW17?b(o-eotMSJA*&ze7XC;`Ze#&J^l5h-v^cG&zs&Y zU)S^H^jWeE51g;OzW8F+zUlimJ~H;=r9E9-qcD`K9V%PBN%P zhYrpnk#vB%pW4^ju|o}Ga-BFU<|EOvr)jo7@@1>kVsDtk;ozyV-6*N zo_a|KsvlMl*wk;6@7g|A#DuJL2fQJ=?Ce1a@q-bs?m|d?iG*D3YRgn2Q@c~Vg5sqT zu~Uiq0ebEvg-&eoPT-4%N>39o$vn9 zX7T1X*9?*yyz)o7u5ll@ZGPAIPfvBYS5$f9nP)zU>K^oF&9i$(jozjop&Rq!?8_r} zy<|MJVN%a+pOSvZc!=m&z(2ZHXy55y{@ca1v&5schUEtuBC2YtoSrv$UU+}Nsq!~wCY~wpvEa-1M$5h%)n{`6Kcx8On%&O5Crp{> z;{0inkMHi_6I1ePHh+6iyxsHLIptkm&s%tV#rT-4+@h`<2TuOSp@?sC$JISNX6NkZ zxi^-$8e(q8M%?uNBwDew?Cu}$Z`kDC_5A)Wd5;`a_+_k>-l(~`y#KKdUtJrvAola= zLw^fE>)Veo$lCg*?d`VVf+>9J$f39t7s*;VDF@CMRX- zQj@I*W&C@odkXc}#hOeF7}G^U`?WUP0JPL$P0f}b18mLqf5cX-5%sZ`3N_a?A_Z)# z$W=@l_4c8Uw;cIe^`UF7@x3SYwcA5(TqsrST^#@A>xn*RzPNoT;N1eXaqg<8Djz*J zVxwa3v8&5}TlVIv%&~i)`;aWZbK91`kSzbJ7Dvk;_LI%>d%y2!`8)1Pxtad_p)bP+ zy&F94j~(B|#Ptxrc4x?=4{W*h`pa*2uMl5cJuCc2_eZV<`K80Kkh4j>ftiJ_mjzA8si3R) zr{9w?hm>ApUn{sWr_?oL|Glqfocr9l)8G26tQ_C}*aOS2zUF`M#?O7aRqp>}+T@qJ z$8CCG{pHv{uC2V0`|cvq(|>5)&L8a)wROYS9~9+$aBWw|-!E%VZ@QbZ=>yNePo6CO z!fJym)%mCXO&dhoDA*vG+6neTEaKD?DXy1vjCz!M#HL}JhOSlL&k_mRXRmydCo;Q4 zy5F;JTSiIb1S`pm5_Ek_H+5HAi;;N9VU(b{qXzj88XjP;QDmB6`DZ+O`^wyXQ+)i5 zD_-(@VegvvMBn?&`g&XO+>8sdhhC4ZIP{#yFVgUi*QfO#!j0N?`QURQFQ4qQ$m`aG zk-cXx_0PM(k9zVGv-xk_y>BC52=P7scK?vaKlm(u;_nZC^UJ~0vFE<sCI)B0^*rV^2(uBuv zhb3J*@lN0$wa>reclWpClfGwe{qb5xx6vbZAALPX_CTNhzUiZ$>3^wU`UgFVH~-mp z%|NBv{Mfq#%*$qk-MIR7eeIl+nI%6iaeeyqsYFx4$Ad!p*A=?oTk_*WFI_5}wsO$g z)#m7@-(S2hVCXX*s)n~8^n7{AzJi%KDbnvA8yM63PEp5xfA$*mjNdP!NbPS+h7VYC z;q;>mcYJ^Po%}!JzBcSic=c$XhPMMJrGC6_%%{7zZ&bwYzcO$QKj6;@*$d}B6{(Kh ze#85hl51g0M_$~~AvioZbJUeGbNUlg3apKPjc5}j^$P1&nm6Pr)WB5IacZhJw@20n zi`Ld_M9y6$RCS_e$F z8L?pjth?^%F6|=ql>HHAzI$)nxWo}FQ@&lWeCvhJzZ$8|&m)07C|#jmwmD%-{QtPg zSfgCJ>vB)!>4%2x7uuITw zAMX{5AM~yI;=7BXAN2Uc{an@H{IBy~PY<8{j6Sk>SD)XGUzw;c8j=v1`@o#}8|EE4 zJuDv|46l3qQ<&I4;DDX8n%S(o{?A`Xdv;oQx8G-Ga>nPHajgD7YUP9h)@XnKCgZL4 zR}UTCXuNki8gIDoq-8P>*U31yj#KLysqy}u)k=zV_HYTsdZB7!x-Qe!ow|C;g@ril z=x@AwEP=Xt44;y^I8_&)u9`kYWwXPBR9f2_qACIliOb@%l2lQ2K3+JWoio&ym7AxF zHa_doBpocaEh~v*R&9>ne)#R+k()(-W{Y3)d+X=v`_3miXTP*zfw|5(aTbHbzA6l_n8xg6ML3PZ~m0_ z<=Y+C`ppWRaBZSI+2k(YIKcmt!973eyeDH*#WNpWdiIZByYC$}d3ktN&}$>&cl|bd z&}PANS|eHw!Y#8P+a&pd72T@Wl>1d3Chi?klDNEgp zWb&ZYTiqqEb$iy_pi7k)sW#1=^pG-V6EiWEX04cwJRgz_=j(thYa9dwuzT()I#O!*y+gm$Ik7fT*U2!Ej zXV2&jQp#s;Z| zJ9RhYnfh~^UvJnDe$(Z|*^>EPN94Wy>4lc?8GJrdo-(1_3HbXuju&f6c`U(W`@6#c?2+D z&f!UkOENPO{n4M2m2&m)YBETZGqaZBbtAOm?*EXwKc!1N>Dz1KxxM<{dU)%U4)0u*^jf}p<8zAq79Y zQs%t&&9!%Zo<6bnO)pV5u_%MakZxom6y(f_)~Xfsz$Usns3p|snSaRKp-ZcuIJNA% z3maW0Y}|g>eem1YD^r&t*_NrNSgL%$9ovv-(@!@3P39&#n4d*=U3)KBJvpP(8J9Vs zkN$D|g~x7eR7X;Ny`&-PS?U>^f;UZFJH=|{$Wk}%lA$@cAxj@kB|mlu_O>MI6Li@_ z8ug9TiD?sQ5i{hD^R1FKD5vQ1)K3C6tMwjFu8Ny{e(Jiz#b552HgWfnBf4i!eKR_2 z!#}Q0-!IMEYVYumg)H87c+J)y))%s@l9ebomety8Lq&fFuKX~d&xAzBzef;+^)BYHnH(b>9()1_4pEKj`%y*r4 z@6BED?cU+s!Y?*{+pxyiWAvu5zwJ0*@`^^>y-D&KV9uy}CT6T?RDn7Hq$f|Pz|eZ?-n z$-unE-Hx>D&a^RCaAri|^u*kol{h zdo;d#z~8-h{$r8yyziBqi$f;YTs^n4^DtlInE{a>{G<=@_gkE>W9tv^X1hwh`RdBN z3FS2pYd+YzXu%NfrP1$hkIOETUCrzC^fdRUANH7h@foK@kzZJLjeGm;as3n@9Lin9 zdqo^LNKAdDF9(`oShdsXvBO_3KVA z>TKH3FYufBd*$bz4$Qdr{U!Cob|`XxA9eT5-g#ZDCV)*)EFs61wSW8W3KN#n{JepW zDfYbh#~t^*-V_~-YYZLI!& za@>zjL&Tdt_$6Z7@9s6%#yoOiQ|3QTjr2%=t_Mj(wjy!VhiHC0fbfo*$&1*!fV2vMdDyWnH8quSO zT1+~z_2Ud;!yk!86wF+Kq*eJ#(Y`y_K@_A8rfV*1e<4o3DLc zdfnS-nzh{&^zI&|<=tlt)|F0b;XZA8i!0xv7Cy$*(pyyaq?v~&2DS7SRc%sC7ZJso z0WB%^SVI2iQtaik`kz5I|MS5%Dc*jVDDI(mK{oSfdwUU&Y1mBOoMOK=DOz44il4pQ zlH$N5;xVpsONtM*NwF@BD3)AmNpWaL;&I;CmJ|oJNwGmi6uSPiaXpxJ`;)Y{g>phb<`vzfU|)I@FS4@zu6QFY^~tsTZDV zNpTi^gY3r%0~#q#v}w=NZBm?w?^*>p<0OENDwn3?&5(mTx{?K1akDMnrx_`y%y(Pmy_1sjJ=K!;0y~P$c$eXj07n!* z8))NQcxzK~2E2~P^ORiHuw)0`ClQZ}Znec@%s!$xFRPKq&p9uW1SGPXG+%R~k;lol z8vCeT!rp`z4EeUGu`%v(L~-l4ty1(>avL6Wq!>CeB1({ECFo{@B!y;W=eVRLGl}l> zowl-D>uoovXO zLkEr=IdIgdhpZJks-Z1mEzczu#(&nVXmt?QuTaK&npYc(HpM2aS$|4!kbz^Ng|LD; zGgI~ky?{|@f_t@dkIg@E4G7#evBfgs5$s@*cGxbGNIF+PSy(KHv8jBXYRDsq?7yhCKpxskl+yrywV1Qkw!Cc9;aJ6k6~->?0SV z?Bv&s@9Usm47KqZy|+;k8k;0`i=;TtgqI(-Msdpea-!HTrjeqch=OdPHkPJ_&M1a! z=7g(sSQqynjMupe3e-uAkH>&Ig%;9yV#zGZVftp|VBhe6U6V4{i4>>+TLP^Oe;yjX z2HRp(v#qbFoisgUV)#52y@OAM>C$)@0=#}Sfu<{jw~E>rfpP`-!$(prS^?&4YPFz4 zTf&@ngBZ)4>{#@{PQUtpH4JL?r>3d*nF?Xfqv|;_QQF45RPYI+nDUXWsMd-vriv#! z;fXr17Ii)qRXcw@CxOtU2o?*+?ZlOSLF{kaf2xq|-fNdTx83FI-aAFJzV1DT-m!}@ z_u{PhC8`9xr!`ZjT7NDuo!&7EQFgXtH*wNM3O1kXQk}sb$NUqt!M{mfkneZ%q zt>d+4aQ)~Fmun|+o$^%dwRH?meC;%@nXkyMy^m{9VTWsLaScyRNFf@{ISxfvG7IW= z>g1~tloo?f#q|@pi7>Hs6b~v9MRRwe@kfbJg+QgJdjygT{cKlGB^J^UhdcZLM6iul z>m!l%#C@&sUS|lM8}Kc`{fB;49LK)Qc^`6vbxF&0NSj1?5`RanS6pnrO&s^g;3=fk z9QO_#gRDYOS+BU*enB{dHCO=SM9lP~aB51WLN@(^IId)HR(4hbqF7l&kxu!xgrmsz zU%Ld_CGZy|K$ib_+m`=i5Ly0hj+Xz|p*G7u9#+8K^8dw*+rio;&@O>?3A9V#e@Oyl z`M-zd$LBFwXg0i&NiPR~N0vYJEl11$+Zks0F}xW)x83spFI8T9w(SyVm%#s{1jqtb zw(a|V&wO8+#b*;d!mP)w##xWxw;U~C6o11!AG49Bsj`$HZlWc$+-dzqeCm6DAU;U@ zrY{X^=gs2}#Fh~tM)6!7K5;M7IY*hF#nc+5?2~fkBEqT80G+UiNI*tgcF=5sWrq*@ z>rH>XJgb5@exa{7Kh7I>p%KO@zTTD}_(48+O6!0pAIo>45%@6e9+s`XpJj(9LszoD za`sn-zveYE`dY5ixRwAdJA}VY=@I5J0)R#5>kWdqC@o$pWMfz*73q~}oRAUk6v2OE z3H6SPjae`c#lU}jTo&wG^m2<{X4%n1(yRbQKb9Z9n`_j_D>d?SKECD`A*QoEx1sd& z=EYv9+L$8^D5;U8iRQ-alW`=n8px#FX(s?$6`~gSjY1@-Y6}p+h2g3k=!R9E_-OT4 z5PL*4apa{VLZ{N4BP?EWlqUioPPcd|aTm~Gz|e_YsAae>E|%dc`s=kG360X$+_d}v zF>C5AULNHy#avgjME zd|34LL{5KG5OW0Mbvf~>QN|hZootP#ajJ4b?7@9XF08R!#Z<1yXsRV^$$CLcXav3zf8W9}bsEG}DcbT~S_f;faPLs8DDY}6R+WAP$B<6;)1 zaqBzhaa>9#(kaH$QY6IATd(AH9y*IAv0*&a8(%KI9Z<(l^9($oe}F!at@SiclN+Z= z%cqgDa>m(8<7`>=H@G#_Tk9@m08)@HMx^=CF{p8)rZ(_^QQx3*;VaB58t}F4+Rapd z5yrLDZZ=c(@iCspwbXJpQzYE~QBj>!EZc zhXuU$W?XEdu_FLDsz%fzK7bw+I8~;1PD^B_!Gem$e|&9vj;}1%=$VfO6@eBnBiOQN z$y8Zsl{nO#IvTv!2b7GSDx0@TLE!Ryqx?xCwekjO;;2!uQL(al##Q(r_5u(AzN78w z0*JFQ7~W_5rRuOjNlOMdLf}f`!_7o@(#}OjcM#)E=sjX#RAR`8?4Zp&hWJ{yX-vEK1EJfK3`{jm5VCkkwfs2o=gE5;hTAIdXBkkBbO6&z$ z*;6#KN6}5}{YLB!v$99_jIlSNi9NFX7uvS`KQPPxzN6*;vvJmA?t_k&zp=mmfBejRyI8(2$JVv%EG zMmuAP*dh?ize-BTYh|XwT6~5+Ds+9Fc>|UagvXRQ96AE?8{C1mUA}{ka-A0Fc? z6dzVdj)fT`s|vDM^xmxVhV7Pua13h%2f7Jf z9#fBUr&`iB^-xwKq3n((wnI~4%S8lSeGvrysdwio_#3=Ak{kl&z%f5>2X#yK9#w>S z5q#RuwN}H4>)M3m&7SvDUIbz7YJ$;&5xrh;aShhucQ9c6e=~8G=!VNq~V6r23B!C za9`IFS3E18DVQL_U^>DK2O2`7kS8GG$U~;CX=rzH1?88R{b*^Ip7(Fmu5uAURZj&% zBu|$A=e8~XDQ5ZKbFlpV#KNoxRyrq5aQoIuzvs?N4Q^b8l$b4HpfwLa>*fU#c{NEiFx9h zxsIy;N7oVBsbVf8Q`08q>)@3M+DWb=s?w7@OXe5SNP>JvUpwE?&SlbpAoH1G;WWTg z+L=X$`z}lg^#c4<&%%;M*Kw*GR;hfd;5vpVjUlq?FHkh*I)02BX1kFt#=ZIE|3}-` zz(-Y`dCzBZlT0!LBoHt_grI0ZQv*tzL?^<8&=Q;&lVOAe+e(_ws!QQsz%~gJZ_;LR z9c5eF>S}k(V*Aq8-KDEb<3}-JFdv8tNLvulfK<=)Mva;#g9PsTf6krBhalU1cVGBT z?!D)p^PF>@^PJ~AU*}wS8hr{eQCdMb50}tNV!tP2)2@pr<6Ik*x1TN z!tI<;7n7J-!1D!nldP$5T_L!eBu#~D55e6eWcKv3+_CaWnPT~ORH zq-hfbMbb_-(7=u7*bY)vEn3@%kwesh)ISO?SuyxO5E52wUk zc%wu^KS+j=(8G4zNGKZ!xubrNY8BT|o<$CR^E__sdn~i;dsfb}gghqa0V#*>O(BmF z_nCArVA|u}M)wJFhuPU9nwP4*_C3pHS(Qo_vdvojL7mkQ`c85v%hc2$d^g2t5Y3R$ zm9mkxaDKv~4>b2kNo#Xz`(HJ!q^V)#SPDLq{KrrWJ!^+VAyl@@%WT6SHjL@Iko#n% z7YhKZ&4&~U(lE?{E16zNlQ5h+TxapA!`|J-y0!m00921?(m;i3t*TPZy_%H8F7#c{ zJgnNMX&{MDDt+OWj!G<*{rTFGdkTUc3+A(u7O6zdN@uqr>&)fkqZ-6?j>^_N3m-!w zLGWS8*8X!K+&N(X!9U?@Zzknb=_)O?H#gx$}|Nw-V=9ugv+6bIwoEbz|0^YlMg6p3b#h6FGmEdt`lU^#z7a61s4h zQbz>Kc7cufls6Sg@Znck<%1wn?eJSGluj@((4mwJ1$jaK2{!u=n#NaTtz5uWvU*%W z=~&fG9h@{n?tbNyko#%85f@dyLi4*IcWwt2(=zS_G;X5-bAF7N^KP&Sxxb!ryqFq*Ch6Q~ ze~eU0d-DPOmG^y43DrE|SCqi&?9C+Dg6wIu7e2L(^8N(vDHSJ`+FMFMR&@!06!{)r zgQ&~ewZ(&HP_0SZg|TOT$o@MlUx8wext%{0DmAwBHs-br)w`Sn+X{D#KpB5w5P!5q zyF>1F5Bnw91-e{8j2S3J>meX=D2dhUa&3!Dd z3A#Wp&!cBUq?wl|V+>khP`7ql=^l*7px&?F!$xRO@9nly9X!w7byEUJno^fR7hByl zx>)PdaRF}hwk4r8YOcPjt^lt6#&Nh+C+i%Dr2Fq!^m*`w6}B2pF2Ik@BrnHrCVt<> zuMxiu`27&SE%;T1z5}(1?ZPPG@+}DS(0D@MvEkudCQqy2X_!cIzpE0`itHrnKI{vQ$if zBE0_T#Md<7;#^h-Sx23P*IP$lk4kI*h~Xt^4Ytq;g9y{J1B;~2#Yov9&j0C^Ise<7 z^Z$Ax=TEyn&iU`g6c``ll7GTmP?If9uc$i;o>2EZO#OUz*3;Zuh_(~+Bx1EUC*cWv ztp)ul71Ob@x1=Hknl$y0PeG+YfaFfLXl-*g=CWhYOQQioaWV1eGR#v6^ z?S6X&B_pR!<0&74386Si`M8wg0wInj2w1^N{^X|@#9AUh0u-I{G|nRJk2WF2c^=dk zjZ>dud%?LXTe{h+!*^mnp=-e!Na2?QKDI7%z{`oBo~wUW&Ao*BZp5mFKn1tEs0i=3J(ydHvwOSjmDVnX#U}hxy5|Lp}ZeXqgE;T|-lFw5OS|p8kqTj`s9x z6N|=s`VuPCdz$&ho$taTD1B_FyU;wan!yOTMk0Yjm{F=Hg331ZwlF( zT*2}YwO?Ch0{{X&s_>@+yQA*1-^`)z$J}K(XF%JvKssl(whEnzp+ zn!&@@1l@racb;9wor9KYySb5Mw*&K0+fDkLwwvZH`{_rT7IX_9o@Xq*f_d?Rx>#mY zDq%ztjJgh4Vli^{53h_|f212-g``@>L&yLG*ipXJ8-&TyyU)f=AYa8W=muNDz^K8N ztRoYU)p+$dWGx_M6`*7cSs0-r@)HrhXnMl$1dm+I4|WN@W^xY^&oZdJ1p@`gz~!-o zTnrX3pZ7VOo_t1+w@G>>-E-(2Opj_A`1` z-IGp*BYOexf5DUfWuzI$#(&Q}PJ#)%dA7g7HVS)g+;mEu=!>S)aj(fYaoN}NX+B)m z@XAZ;ufG&Hw{<=GrNH&q#28UGnRLmr%dNT`IDdUvlP+F^R4|B`1B4H+@+h@I;U3nI z#h&}-ld$g}j_S@<9S3G^B1SqTQ@hzWAR6LXiR#wlTyAAP49m?5k{Nw^w<$xV5b{|M zN1bmqcjKIYZuvyc z59WE-s|1xp{A~>;M*tstkD>1>|jqnXJ{nq#(Kef*yd9f0#^8dlwO(vDNwfhE6 z6%(x8XW*JA2}?;OE4FUi<~Hn9(zt`I+=iV>T6wUQY}j9B6_44!$JxdI3v2iJzQ4`d z4QkErsAEux_0SDHoC8ZQRtH2@Z2)a|^B@j1&cIee?FQXri2y@^`lm+>O%Q~pLnR-b z8dN;2{g${>dmn^*kM>)d@3@dS=4n5PH0`&<)sRGZ!G+L(3&+gLoFyJsf~kd|6WR%d z%M$(RQ#*gUUVn1wPg(j?YZ`x-raygGe6>6e(HFZ+6JhV7wvu?dX9s1>)`XxobSoF&Uy3E1agr|@kQ}=>9ld9 z%8R!b)2x{dTi&?%1LJ8(k1!909xX(b>>nbU7J76UZehkXvbR5mph^)5Pow@TMkE}a zI$B-(daCDlm|CL|2~=DM8}sb5eSjPotM@k4%WZrJiP(>cFy3?#R+?JTAaZb9g8UXE zqdznw9S@w1=jqwx^(SHP>;pm;F9LS_e+L`op*)ORxBIA>UycQ4LsWI2)&5v#*hWJT zbTchu31z-N=|C93};6o8QX5G)9V$XnAJCU=vD^|>9H0@@yG zq}S{9cs=cuA3mcu4IU3z+yZ1*jyd1up$F5nJ=AKjd>VCJ@~C3tYApHWXP5i4u;wq$ zLLz{N+-Ct%IquQ^2*Ox|N00Vg0L9Tr__C1+I(Irx&d9-&em9>Ad#S8P?NZ$RBzO|% zPyX7KcE>(^GjaY!bYAE9Ez;O({OQ|tO2G~PtaEJ(Fhx1D>ip3rLc^NNpi0VRyah_D6VWiM|v1}e}FiW zp_K&WmG8^TGw?fe*N|&owwQ%PrAKjScUj=xky81)?qzub4K9BeT9!A@B^K6Yn_$D9 zbu}y^QOzf%>EKr838oNo*SYAe;Y;4?QLA^tw2fv>qdBj$ljb@F&a zm6drGZos5geW5ZgyoA0J^@bV+>-dT15YvR!BJ{(2M#O#`po6`%*dxGde4yl3zly)Ctv-(cTEF3dZ* z7Pub^KEjHj6i0!{?qx!hvJ;g;HKXVhQa}G4c!A|uiLzhdPC2F|_=44x-xo@EhHQDt zvb;R!zRgLw;oNRaAk{+LW~ewPS-L}kLR~h}($TmCccIlrj&^gGeNX9vax{r))ZPgw zN}%!h8WlRR<*-s6Z2`WO1oG(9P{+`k?(7!Fu*!?X2Rla)iY781E~ZX2E@$JDjQ;m&mhAHmZuoC07v79<$1h~6U!=8g8Q;T;6h%Rmtzbz z3W%k|_~fknBK1%nP|qNh50BZtMA$FULz=qgE`6E{`ZQNP^44sFI19sTBSQEpI_8Wv z>Vt}5&St-bGqFXJ7Vy%T#W_YX8*`0TVxAPjr-k?6%qHXTi zGlKls$4Q)I$;Nt}hkX+xOh(w-5OLM!9%;3tjOBa;IhQ)$-56H0M?o4}P7r}hlSflH z^|qW4gK!-La?F^RoG>s$i{}><=WMc<28-vntpsrh_Pw2IihVB#MKRu`d2)z0Vw{m? z2D@8tns}9my#`|d+9l2!YtC=sS5o^%>orn4xbG%TTyGIV-ehFPC(fULWzG*m!|vE$ zPShfD4#c&H?|p&ukMcGda@Qzt`+&%GJ-8ibH~A+Ds?(KE{6?bK>Vb7)Iw#p45EXk0 zjRO_K%jjRi?t~=AT`K9$*C^mNkxc_dlT2R$>8rJRgt-wGfUsoK8Vn`;>nH|RxF3Lc z|AX~;S)+)7%Oa(lJAxHp2&=8WiX^Sg69`2#0cc3#5tJmd702nFAV%(_y109(507vr zb-M%zwz#u#UlVzmx?S^WN$PSfz*AnZH0x5kkRNhyOi0J5%8gl2b_pON0#{kEK*s%u zVBYYePz8KpqKse2LUuQBzY>d>fcbYG40)Ac;qhZ*%T8>te~6`PbZA)WxS^T*F0g(8 zuGKFc8mvA2XdlBl7ux91JkNUpeQR`R>e15iL(_2XGDE`v=<-7o=0ii$+TS)b@r8^a zMmD1^Ad`Kbh)G+!2qB$$2CEl)D z*`t^)B-esBokA@W#9CDCl^gRkaSp|qTC~l1SVVsfv6+MrF;zyup+HSix^#;_vCdD} zryxW5O~jIm)c|?};N$i#Wfi0($*z<*;N=LGWFZ0!4zdDx8N_LLag|b%b1rj&NrVtL>NjHhLLTd*$`OPfHHxQ|Zncj%Bd_$T^IW_Ul#==OJqC3XK=?=7 zQHG~qqPu9v9de^!5U&ck0i8p1&g2lW#$RjS1ZYOmMF^;G>J)Uiw z1@%&nV58048C;bUTs1#fvcSH_2$wF&heAdEiK^VN@`;#QDkhdn^Zh2(gunx|VGh~= z)QK4t=p}rCdF(mxIo=;lGRr+0jA}L>=ZSlG((;@=_U29$0%xfa>@CmZR%rz4GM&+l zmfR?sr#a7yH+ntgtP37(KtdO@o#DoZ;N}#~*8$C&GjpTnF0ZGGJ(XL*alpU0F3>saoJXuqi1}kSrNp z#p-86VUuWd4Icv*z3f9BIV1^L(Qzh*BH=P$T2=f}hV=l{h-&VT*JIOp$sXQIrn2Y!fh1L(%Bq#%e#S!T}Jb+35c zE|)l|lUarid`W{J1#W=UX_qwE0jl&H*s}=aM1yV)xd)UtJZu9L4UEPB!X;S|MhMao1}SKi zi=Kd4ZO&y>qR~-`0bHX4bjASA9tSWbCk_x3CTNtV{q0b#I@FRF)LyKj@n-%6eSQHe z**0PVosAg~$AX9;pCAgRk##8G?5sb74h4;vSJZ4iFG1YX1A zSFmLM7Ym}{dhOUrH4Zvh0CzVK8?m=sZv-AIZS4jZI&~&6^!8Op<{mO18gkpRC3D~n zqu;f<*=-YXYeAYICdy?tlYBtHgX0y02|oV>N=f+>5=>$i{u)KAe88ldTxvz;gHk~tIy%BS8g*8sh#1*TtXu}mE zg=F`;)MS62n&8jIYT#I1M>Yh{U8J8*<}AQL#88qaB3iV&WD#B(!1AT*3u@A(d0zJS z;D^qzPfCihM0HZAmAc?Ja(0=8TeQ(4&LQ0ogMk=Q>>MG6>;O0YKDMZE9$by(1&j4x zN!*i5u|34#K_}wzL!)s;S@F=K`N7f!mr8m^Kz3u2UUve)V7H*j*jQ?SuDRKPU3D-6 z{F?G%_&VjS4uf-$R_gvg}IsqaS#Q^WS*tQv1;`j;gc2 zeccB-=O1rBssY3+*pK@7TJp@qwIpvwd@Y$*G`g0oA*gmGp`0dG7Dh%)S&pD+-Z$wD zXyIIK;>(=gb6xnNMTgI&u_;k)whl+MKg^!A2~9 zQ1>&pn4y(or4P&a8N%XKZXz)G~5hzk@Sq=n8EWJ6{E0A6TItD2Gg&-v$0*9_PP&`Nn zl`17U&XW0?Qs^an`BS({?w~!M_zy8RHZLqG9qIxiCfb{6!&U^&<)%T@$?Yulloyw? zb+B0hML+}m-=UvLoifSvdiZef-jxV zm8_b3P+j3{7?d`Ge+TOATAoxVpWjMvS4$}cQ0dF$h7pIj9JkUcRE~i}@Y8qD22!T0 z@lwDToWEt;T^d3_+(K&>ar9W_Pr$FV9JOn9`y&rwB~cf~nhya>Jwkw`=PKCB7%+$W zGA|0#iokVoxgly;1C!Z=C5PLw#9UO>W=Zsn)phMBu%<_WLsU*$D!Pz;Q9UdR79f@k z35f>PO!TceE?I18s?fT1@Zdp;QW8{u=$RaJ)Szg@V!Xqhpc{i|Z!;D*cZg2?QTjwN zzNlTi*l0c^4`})OUAR`i=~`|wj6SRjx5nOrpe<}KG&i4aTaKcS(Y;& zIKZ%`)y^B(=Bq8jAL;&6ZlS!KHtD}{4T_ce#FeFD0TN5S;?*auf%jZcknuX6&7XmQ zv&?J~__EZM{FOh0J&!7J)PU-&^0K|x8VtzoJKpD0bMgFdv1gw;6Q+o&c_f3-mMIJ) z2!}n!Uq^jDQjZv#iA|Vj=gwvbQcT6m6KBHV_SYYRPtf|Twb<~D%`U^vUAXDC?#AC9 zJa${3$DP3M+Htp=vb>C&Fm@W!6!%kvosJT+`nqj$hYc;bPk~+nl$h_^$**n!Oi=me zi1NUQ))!;9t9?JP>vkUm`vgFA=n%Hb1>Hx<`-NvMPs;iM!v<-w&be{j!`_FGV3VN^S zC_sX|HOC;O04*4B_95BYhzPTkzsuIXnaNEYYdE4ncjO!Kg6k<;Y|1)^g0m4Qq_4g} zz6iOTO`$<3bF2zk_7tp?Eg_5CV0D%XjaGV%!zBa_wBsH@A%fFzfGqoE=_SFhC}o*J zqjR}!i^Vyx*~(tK386EVJ?m-!0sTFAQ15Xid3x*mJuVC+h7fLsYN8;J4{=pQ<3R*9 zv=a`15AZ75$s07a6R#ydBQ4M#|HZmN0Ju-X&KjI^8k|QLyvbHp3(5u?8Y zY`pHXUuZc$UQ*%0`3Nu4OF3fMXp{TQ<{oUV@Z1Ib=7dV|dONNM@wok7{CNbw-T2Kt z+?LRq*j8d}U2beEF#&Ara+BO;mb*FdgQLJhE5`EjTt>OeBzK#r3BMf8wOxl-f*i}~ z%_F04Q2s_VA`8EC{A~DH@EbuJ2J!31Pg(Zp+2FFr&f>~&Ww`d^+K=l1t^>FZ;yQ?H z6xS%OBe;%)EFl^r^ME-T$Am^5_TaY`zYX|-Tx-_#hPP91$KUHckENiE6R-hP#Pf#4 zuZ)E13r1r2&l$si>V?mKF@kyz-Hlqb;p4z^0Jne@ACGhTc;wP}979`>gEDVtxF^p4 ztt)B~oBYK2mmau8i@;uE@xMt#-j%zxu4qPG6KWf9( zhO2-pTw#w|a0OQzPdoY;_5mKlFN&Y7avbfHn9=)jw8Ed!+i`S)z9EmEHi5Rr&2ext zxMp*N;eC8A7b>P(jnWOt9pW{&e%&a|OFk>k>|~Bxi%rsWBu={Z>t@LTnNHqkNj@tb zQJ`9fw_nw9xX%>^z3t;1GQG`o2Y^J1QJ`;lA9NstxT{t%$@>WQ5u_d<*u8+=DR-LG zN5(bhpxiH&GAyatl$36sD2%2HP3rTdwg^e8s?ScJ=yN!>$hp}Hl zHiX1-_HP*^1w$2M?;*qJ27^PeOvY>zVBKucuZ6Xt zJETPWhL4qo>jD@A_TU_@!12;jDt1*RgUEL9#>m+=(wp(;#~|UL zbSUJ0260ITk(C_>vV!iXhunvZVgh!X9>rN<$*VCGPghlG89m72VR(r%Ku4AYb)C6q;2e2env45a0!YIM!;)axG-E=WjlIjxeIOBo62h+~*F<;G99gs?D zAOWGQja>Aw#q`Lh&4F_!T1z%une$_$;ENdj5CK1@?waDsan9f5naKI2TWWuWbLYOI zlnBagxd<+4yapy4v?c+Z3k2uvhPGT{+Z7PgaxTDlt0uzqnk~PEy&M8X%>)y;O96Tl zGf@Y5fY?y}2^`|GI2!}lShmBm1O#E(4XJmDQfeFOl*K&o1BX$vd)N&$70LBCbE!Im zQVr6Sp-z*S=3!G}uOw4Sw8Y7Q)j!7zDq+#YPl^ifpem~TIQgMQN^Ccv1!{t`t07V8 z+DUKx77x1_SoQ6sHjugKYQLo_$YHUW6J7}Z8EiF>;$H!E=Q^vbq{o0`vxIl66O%9w4Tm|H7yJHw&k ziv*wFT^PM1Qv;=8lYJ71yD`mg0c8t1B78g$O-ap5gqO}zEcaPP^G)I`gJ-2l0LmwB zHkx%_0G$}koaPsJ&YsKUl>3A*4!R)|OS-ej0Q}nJ@1wBNtqkkv3}tb2cD`>`%!qKY z7{zaU*}J!a5{X6%WsU6Vnn{}KH?bZhLv3R072NooulmF+9F0Qv;0n)U@?kKNwTzRv zQy7fEA9~qUc&nIwf&20-hL#V-q)PS^YNnb2&tbYe?`ayLZYw!tlF%%e1L*`qQs0{T z(_wFf;9ucPrFK_&?earLq;x8uT-x$Bw0sw=`(EV0JZNyhtcP#_DKWnzLTS6QMVsH` zEoW|hjwxme-m?UB&n#9FDgw2uL9l=S12hEsGg*#ru?wA}F+d982O-tf5AC z)Y)C10u3+MZF9OE8{5cihBSK%^fp65gCMT+TUQsj1!?6NigpspA^~L35sjU2YImq? z&`UZ#nIpz30q8;Wh%A5qXDsv6q!~_f(jXM+L+(QOliLnaIv49S_9~537iKGl3ZxYyve?u$ceQyeL;EmX|AcI0Do`41 zINSh%KjOEB_L-z_4DBlwXSTVlg~{Snt;_-K!W_EO*zJxYzoBbco;6uVE|4lY$~j`` zC=`(2t$IiOR-dy|${0giFqPx&HmWfC0H=$^xc9KcTY-rPZP{1MO68!jGK!!s3(*sC ze(}nj|19VHKc6V`m%JF~{Ij2&$oY4H-lFIM94ASE+mj`W&7zue&bN{!LLmc=!`$QS zgek`^zlLnEhO`+9F)IIthr(1br8N=00Y`+EwG{=R%1q>N1(qaB39{Q^Qfs;rQX(gDa%`zeZ{I?=WMV^DS-wp zS+aH|CabV@_-VH_yAy4|T19W*4@bRdKbmBJcsbS()q(L6fyIPfE_Bk=nvjbKzy?Tc z(JRmqvA7DSRiEseHo;UiK#>gZ&khyxNCsk2_Mv580gI~gutza&#G)kI*dVKSf)QqN zKSCBb(plm|WQd2^hBGDdOJPk+Lde__qW^3qkr>kj7_Ti#_)D7>miw0x6Rk6VO4wJY zV`K(=kT3-QRV;$zZhXPTv?6u$re^~&q3=^p=fI{J0j$?@n$}ffP2NFyNYWvN;$v3D3^=g%z5Sw=pE7XU`d3)NZL$s_3;2xZ*>|IR=GpI;4ky!_3!Oh8jy0 zGcBq&x0M-&I*sBDL!E+@f>sXbTx%AVjW>z;o{q1=Axn>v5)_cXwbZiQEr%`6i}f$& zpU^v7cuWf|IwqC1oaidCG)Y$f&}ubV372yBQpaBbxSxh7N-;>&5Wya+#x{=&vbV`m zlavrxWpN?+B5IbBaVw}6{0%IX&ztL?f`JMPgO%welO$qJbusO z_Y8hd;|E>*EOhbzq1}gLLZc2F?t|WrUp9Vm`_2D9yH8*}YSHaJdAR)&yH6|HLY5)q z*!~3W+wtqeFK!FD#HK$CdL!AGXyDqgK2@lhE_A+~Q&OhFMRDb2Q z_vt z;0N0IU$Fa7Ws0^Pf1ki_7k)2OO5A4nKe79aSq0#E2)g@1Zb!Gf{|@j>MAGy@3hKtb z8@RA=fEct_tW#RqS!G}=&ZF!LWEFq8`&mLCb;8{V-C8Yb2TlXj>so3_>1 z@Q1wth;;%z8tCyAJaWSZd49;Ok--ye*fPbPST+U`kg5xN{l;|#MSYN-q)8;4YZ*~6 zDKNZ2T)^%TAPA3jda&puvb4@5MMWy)#sIWoj&5y0$o+_OVB-`eL2sA*k;Ta^6PrG) zsarse%ArQVM}bb%Eun-wO2GPrgq9O)AP=JIAa912LCWzuT|0*L-nI!5#xb~E7WKm# z^Z~iYj5vBv93+a9bVpJe)QAS5ZFXo2VxvdmDvjN~C+rtI%=HzjRkiC%3KF?WLy_^; zwpk_Wp}_ftCss> zkssc{o$@!eB@}KIQwvw~B&?1Gb#}1K0qH}UhK$l={@zl!S`yl7j3rbD^osl=!;<3_ zGho7T7HhnH&u5J`sHaSZ#R`p2*`e!V8=#A!;fQsAO^)QLH^uv!;;mw<$7iioEF0!_ zBkNb~d&3^)CDjIogUBtUGu*65QS?@DN`o8IC0o1=&I6kX2^KZU{_m2*j1zhx7jfkx zGjbn@7VaMG0zpg^ExrzjiV2u9&`oFr)Uu&YOFL1vl!XOax=lW95|f(Xw1<^%OA`h*T5-oq!xTZ5ld$Rqya|GoquT0B%LyK@;+uM9hxp@G)*! zi>lBaVEGbF!6iKAs8{#Wj*-Wo;RB!MVR2!pcy*~5lisHi zw3%FbpJ#%y=pIBuhl&YLH!cL2@|ytYNRB$hYvgFQm?=l|#AG?@l3v0A$Z7`MkSK}} zj@X71)r`>o7Y&Kj91!~41Fvw2sb||_xVBysuXnyF&V)jTGGZaF&>8J54+8DbKscOR za6=PBy#b@AUWY8OAc!+?O~5tDc|c5y+@|NJwIpz5&i_8={QoqO^WT*m=lpL%z#H#{ zCSwKlnkz#Xro90qv~-J8l+>Stj|?B4Tb7QIkZ^W?4dPdln}~}6!$ZcQ{SMKTG7M!{ z;E95ojA)kxe(zw<-e4ec8A0FgN>e7N=4gOHz0GgH;epUw9_a&1A8-zf zlVSDK$jw7rH&He<4ka?#LejMwjWzG?$u0G93-PP*uTRMcqEAA3o(Xfw*ZxMbH`+IpH{HCQFxNAf>{ve$fU}Vj1JDz*b=86UoJoJF()E{3_kauZ%|{`{642)|%>*@hOx;17z_zEe zHSqQ8ffJ;IBW&-U9SnwK!tc~7_8=*^Ege z`929_3m^9g`-`5W+N-cGEItcxT87~?-;YXDzNqi|Vzl%+L@k_h+jxXYdHL~=cnpgE z2skiMwt!gW{W;a)I*M`8n|?LAfpY8srXLFXe6bLN)tZzYa%WNt*v-0`1_Lz*N%H!> zi)g9?zicvbNYwCMSlj_g-k(VYKBkKFR{10fb;ZfN*{9r@6PxDXj{xCeD&{X*)(f^> zhqB!WAVCXJh~327mFe^GFalVhu%o96@f^6rvK}nPZX97vu-MjC<{0X9VB3pZz|!;> zm{QVe3@|LIddiQGB9~fB&9B8%ptw^CGFjqDkLpPRn0-8HyPo7AhqYVqo0K%gBVbm) zCZGAZ^Ry-9z&dPEMWP#tcq5;-96l|d8BRGcA^C6wFXS`lzmVJ+G0%NdK6BxcWGlhH z$dlO=aIxkvc8DWldWFrg%M!m8b|C^+Pqh%|z-`h)Ht-W#qmou5YV`#Qn4Q}xE-E6% zD$XwA0ksHbmgXaiESRBmBPau{zL@eRltKOeLdt7F0h%asWMeDf3&e2&B)f>SU@AR_ zzk5%e5i9Y5+-splii1++UW${(Ls>e!Aa?LEN9Sp4)0x?ZiyFE_uaZ{tic7QQ)9y}`eYPx!=B0%GiPbX5DDJ#Up71GqJr>c{cw7CZYubb3F{l*+j zJLPhnnhj1Fo9;y16<#R+AI$a}cL{66^yX@ZXs=)ofpC2C2g8vAkQYFEQ-|CRi|FuM z*gE~q`N(d(X%5?)kAMN-tzd8N!5xC$iYP}r(I8?y=3?VbE7Gwn6D_XB71E+O9~*L7 zFv*a`cFK5i=7zH_!zt@lct`Qon=Pi}eW$7iPa#P2!Ex{DdpN==YaKGFxKifPd?lCW zqxY1L@{i`5H7=k2YC?Udrpq5(+s)Yg>g;Klo!i-5Jt!u?;DrVpeqgY2$2F{ z#k)x@%v6!HWvE6J{0{bOv<1U?VaScyg2mI3EvERh*^l((k71G1)~&HW-od#oe7)e# z?C0nZ1b+mViItG+s(5@^I^xSPX|cp%l}FGSUs5z_J`aS;4oZDobj^XN%%%W1>3Hmy zJL3yJLfLZw)pyDrMGRxSEQ^4WX#F5H;*>iZ7~}iDu#?{?PHvomHFR4{4xNJ>v4xmc zurRz<+u@;798P%k#WYygii>Ex>pw&&fns_6al8z-K_&ouwD_&+RPauV->9a6q%D4v zny|}=t9fM zhz~O$4j`$ZQh;~Hs21uenw~;cTn|X?(QV+RJ+;mr3AL%yYMaiX&=j0ntZ9ij^cbZ@ ztKYJ^8XizRgsmKv>y%Li>XK~7Kgu6M6CyuBuk(9rhuvuau$}`z`~i+^5=8H4k-bDU zD7GnncG8eL%^^)WyxunCP6=QycA3q1c)hSn{h+pKecH#Gvy*5EeWVCi9^yI#7X+%q zNT}D2rIJGrL9v{oqu8%iJ5NirzcSGD5n%~9173o87+AvLQ>Pj(+Fx;B)SvKh;>_41 zq8cdVQR$gW>*w6EkrZe`w&M@jkYz+KQQlUD_1GvTpIEpZ1A3xbc#4*1$5Ze2=_zR5 zQ+S}&A98)`YgswzQJwUgj6<{D>b_CcCbyrMZCU^UZe)jtrvyBIk#wbsUPCpgTRtJ@$)4P z$ynMp$%Sz4R);jip`F49&4|0Bs~a)(R->o-B%|GR@Ep+=(x`_WUQQ$gL6m$jkRe8} zm!>yN@+Nz4?3E)ZaPkNgF=$!X;3-~5EG)r72huiB{Pr!SsH)nb3{*kE4=pu%@XearP@p5fmjf^#G9M^s|A<=g!3MlR zvm{HGVWF$#L}NOT;l=q5t%8n2_~ToJ{NB3V=;4x7Y7|x6V}7li-FOsiuOS_^D>&r8 z%jiZtK{27JP^qze?IG*%i7w;9V)^`i^^=sa|Gp<{hA$e7O8Cj)i^|(bPUgwU6Os)+ z@>0?29Y;W=az8!;;}x&p(T}=e&dO326E>V-X*uvf-J<5au5@-8@&fl74Qd{SI6aPv z1%%qQ_|^$f>q^Y?EmuwE zD3DW3shg4db0Q!gJcgSs%i*MHm>+AdXc>M-O&EU1`40Rj?^Jl%3S_SE=Xu#a9oy@a zS7WYc3WRN-AxoqoYerLcQonFS#0rdEFqOK?2ijAi54G}16?@-}XdcRjfuo!SJR82m z(waIzg_V2D(Cdn+m-&T~DEP33e7P zHj#a<%Sr=H5%XiVm~X)r6PU-Tl1wsqXB*3=$6u9#eU4_a(IkMsb-j2K{<_5l_**MY z;SuOO?s*1sqZ!rV_}6!M>KUY}lO`m62xgBetHb=HS)8LWgGbO*u{UtIlFL(N9{mU=5cT7bLxU!oqxkTT2Oayw>{+~_b%RRxXd zQaK$4A$?6*JP1N<8L~HDh1WZxc<>t`$T_-T2V_~8E&OO?U^Ed{5I{LcjUgxwf|A0a zSlPE@Z%@SD+FK6e4ms>CJ-AUC210HIYrqIjz#?R3vXQrl-qLYIkbA`GW_DSj0?uvq z&hJ^aZBdpY&O=a^!UhDnvGG3aK~!9}&{m5AihuywI9uDCrQJdzp_97BjYTuGvM9Ms z-O+8QH5^?8NtQh4+xDqBn$(YBLe&+#P<(dKU{aS><5Dz-C;qx(&AHEvcD&Txl0kH;PTsTSu zVjrS!h4Q=DHGhKfiYDWnp#+4%4kZdA;*4>=odNPO9*ttsF4(w-5>5PEGfY;TVMY_v zuhq4m9gUF$ipIrAA{vEaBykqCvPlR^XYp}Kr<5*MV(&tu)wzX;*#YF!=2Qiro?JFS zjkMK~cc8+z;>iCzzDeFIzjV+uFW)$?WO!dY+} zU9_p^X#R;{^+~cltr`iI9fKz3Re@Ty1FG4S* z^eT1)m17~PDp}r&c{ol~1lIb#3~O;B!={pA(2u=YLIp(V_U6CCol=Zd z$leUOhc>u}>K)j)g(Jy~g18JSEc}I=Gg*dkuc~trd#YSd+|a^BqTkLJ4Db_sXvt)aZrB@s&p&+&M1^eVsO6~OA#9Zlgd!_ zpW~&^2U2(y;t9!Fwd|I7K74-5%iQs&QW~8Kdcst44kcK`EPVL}C!Z3S=X5a0;$@bD z5Q=8U-#j_)&3mumjg_qg9ysTi$RbD^0Z)ni2_)kT^`LaAZ-Yx3I4nscoy-$sEkwa=?3_tXm^9}$vMBYXmuMRcyZ-9Cf zdO1+`UqZbbOf|l9BkV+2s9~wuN;9wa0r;9SgJH z;Z7Yob?nr!;~$0jg@sT2{u}7ciGQWPLoFo0xI{tkYGPQw8c$jWfsXL;-pgf9ie*+4 zW4Yhyye!b{zr8p$P2bNF_&vw@wm9tM-f(iS2peuJ5RB+~KMaF?e8VbP4I%ZZNu$Xy zz0lgGfBYJuBxU`u^W)QA9!MrKVr0Q2U|Fig*YL1M$9((&m;mCW!mr0Wj*px?eZ2R0 z-|+z$emaj|ICVTsTalX17)T8`u&p+DcTU3b`*RY)h#JR15DD#&Xbs_$);y3f-;NVj z?y$@wQy!>$V4G+@Wug?hKN-6sv~Bp7V*(zPWcxEcDV?WN@N5a%a!xGBk@qJ9B&g~R z3t2maaWITLAspLVWIn!t){-Z$%=uN$`JbG~`5(NCbAFtn`tM-A<2irMJz+#Yu8>A>*=mM$$_+|I^9T`zYg2Kqkbel*Ox|x01+4vQZS`Oj}~%*Tory8%2BJ7JJJa zFu)g#D5~0E7I?#`3NO%yhvYYKV%R-x%Z;iG?!vJ|hx#u=oi3?C?sch8!0{+; zf>%v`e*~vnHoXx*PW9n-Ivg9(7QU38$VSXvnSDbnEfsH&S&BGWW(ksO=+zF%8F<|l zsle-k>Zo)>EV7{KeeD%ZixkF^r^S=sFu1^q>4X3j6%+H1M5g0D@OmIJ3D>%3&~q#p zh(;IK-(#7DBYeLDhw{@=VQ}81Yu3j}j@)1iuC@d-gR6z$YWUj7zyZU125lihsBQj- z`9nB2;}71(YGo$h%yM3_J6{(whKg;nnCyZw=G<4`uimaKlGPj~>d)@{z{Jjyqh3kX zcahljO)!Ot&I?c|hMj*!e^)uQ;DeUngSOyy&A5u&z~ zMrMMWskM;+mQ6^vFhd|wVA2^%{5BHfE_{272^h`SVs`&A!#m4M@pSt8%;`=2PUw4yYc-hrT`d# zD#t3=Z*U8TI*vSDdL_e%LMP&04d*Y8-H3xL_p(U<2S634bk7~=KK%?iGn*S9>giL{ zfAp?ka2pJZ-akN`|IoKD)gp2ZkQaL7H=|mFFRn$*1H>a{1OMr;bhv;hnD>|V6GZ>+ ziEGKG&*N*!GZ>3;Yl)9Xmk>FCWT(c7A+?H0dOxLou^2SYk99jB*#M_QkE&uDX6Vxq zr$&y*EJzIbR0Mi$=|1Dz2S zHj`Zg#~u*Ii*GPCk!_#UWr-Nfj{H@qIlwd4v2OMqt`@t(&P* zTN9u#XFP(x=EGIa0}UCWMJsX-hZg;3CX(c9pw`&FDh(?JW%1)kD59_s+Sx!4GQg`F zinfnSYNDj-B8n%8=W3>;uNG0zNj#~Al5QyqjZ1o%l5&dR3mVP!eM*{C^g~KQa1qtm zh9r$Q1Y67A!uAGA^wp>Wb-f%Z&;|iKaqEI}ixp0N;h3x*gdIG936@)lPp! z>Mi<8_c+zX*|o`1;E?_rvaP5I*+P_x%?d~o!AY^LZ2Sq$Xrf~1(>tp|ZiTYmPwmDL2iJDxPy*Z&Ia9j44&)X7^(Sqj)9khx7 z#e$gx8VuOVHUhS?xD`uLzSfp-Ygn9ISR@*kS1|(=I$uakFsdwM`8^2^9(E%>(uOS` z&d-92J5U0Ilf-&@X|X9H2uo&*1(jab1wBk*K6l{uB5_V7`}{9-D5o!&z_UL|*}dA$ zEbuaJu;-tWFlSw(Ry@5<%p*O+`bIZ5aJ2{R>;!oVfUbY$^e*` z^E0$iV8cCVfu5gu#zM^SE1a43A(s|^I&p??X^Yzl22t1e89stw8dUpz56&8z#@m75 zg!Izj;&wE4UCqwtanZMu!P*Qd0mrCZjdjsMLRUA(1L?mwsWx~E*8X4vcB{>imbH0| zuE6JW#OrV*(>(j0BSQ~&F2)vY(WV&@1((p~Xq{T(;`e{x_v#z`!4kN}P(lDoT(e$+>@X1^d6*-Z#=$lu9@&nTN>Z|6M-dbC5vmRI!sMkFcijV1+;}R6OPWU z#yR+aw`5WFAz~EkIEC5T+R;)96t{ z%+R$UBs!W%GgODm%Xc`idRJ5`3%7y@apL<42yY;LDPQ{oLPI|j!N({E^;Vs)Wz-{= zg7fO^&3{3P{?3HE2)GiKd856h2{)ihn_k}DybsT{1+$bcG0o+wEy$G4>6cG)yOg2; zz#WcORJbZCJXIAH(2o}3lU>ZIiZ@lV?ho`yxGcvZ&aJ4Z^uVo@gIwC5u+*gC!NH=( zY38kkSsFixbj{Sfuv$TD$V%sVVs7yki-k*OE8UPkmt;!k>CaGZw@YD_>|RvE83b(9 zLuyJT;>17S%S}w!)znG=V}~nOuYm=Ui<^Gp`ntotwrNS(JrcZzg|O?SnmgM{XSAlZ zxvpw0F>*_H`+~_(r+Tp%hFTD~qE&dh`So$21)nPdc&uwP@C5!T=3$d9m|0q&z$sZ;r>ne0pZb$wsDG2YF%b7_5@$jn zps;VFIEDBfdjgOH4I>FY9AwyG25ZUh@EZ!CCD)Ng1cy6<8|pX`c2aPwcr*JEN&v`C z3Z0cw>!Ofu*eoF4ry`Kt1jo|qnY7qQ_INn#{V0z0iY!$JtCrrBw|Z$_9vK$;1<3f7 zBXmL(LQGuz$R&Hr!@x8TP@;XtV6(xcBg!V5@;!mhQ~G+ywpp%!3A@kU@c1j*zOnHWoF{_4qRyYtD|-ulo+)0Ly_o?9Dol-4 zXm9=#5}H1zTJ6oB;BTm9EeJs;Wauh(+9pNr0*+z;|OCeW+W_ z-=2RSIrlt+KIwTpEP|9e2Sn5ulsukq&Q}QXf^{kdc!ziaa@gI>4usKY-1zau&VJA? zW&rI*hpUc^FtNb(B5b=oG~od8p=F1$<8~gV6lMf%^uHH{fRTxNYA5r3=@VkpW8U-a z*ye&m!}`29(`?H`e>+#(wych;x)KHVI<4HVe}jiThRMg3FlnVao2KB5m>Yj`%#A+@ z6H?D`dldxLSd=<>?zvi-6W1iJs$y@>r(ySr(^ZAb{a&^fDd1srs6}{k+<77B~>Vy4vmSXiTr3XSTQEn&Hg*}IdmQ@)8HQ;yaFB)3QMsRdC zBKeX6>n|8u-6LQ&p)xp+X`ezlm+TN^pTS3*e7&aLFpgqLp6jM4MjSnne?;H+-d>8J z7^fg+W0u@ev^$w*iF|I##+mZDoGqF9sKMH3K-}UVRwC=pConm~P3K-l+Q!LE=MLbi z=Mr$YIkpFZ_9M{YBRHBQU&|kQfgj6Z#EiWqw4GLa=e|u@IAnnikmwN9Pp}a=*Vq}w z$qV|X?7MNu$8xzV8#n>l>R(lt?xj*y>^_){Xt45QJDNkb-xFvZC=S8fw<&%6#%7!s zBAEZEvd#~z%Dei}C`8b)tr*@-K=9>ulFNl((WIMWe1Px9lV-`xAUaA#p;Veu;U83m z3jbeKbA^9M%h(N~R}zC+dHEe{zHFm7M|qWgT!nX2<+zh73P;b_NaW{E7{y!UB^ttS zVr*}Aen)PP=vW~NE2JqNs@X#|d&X*(ZFxAN>dR{$o55LM*m^RwtkYr)Svp0tf-^%d zbK(Y(XGIlp{`@spvJ*@aiSz%W1DyX0-p1=UlDBaP<`1do?h?gbI=t9V)YZX-yrA2r=Hr|J9E%-RUi;z(dDYrZN7-N| zWQ(cTu!IdpU%|RS%%=o9=Y>{5O^0*QEvzGun?^z6t4Zsybq{C%U{|GE;G5!A!A9q~ z)6O3~j=rgXrHO(OftvhYZ?J3tn<|@6z>g6uI~0^`_U2WI2E!|GJQ!XyAfuY9lXcvy%iM+FKZOBX*`I2>-nMB*Yu|{3EX-4?xK*TXf3IEH0FpAkK#E8D?j*z2%p9 z4ac4k`I&xWi9D{~7$XX90%aqC$isSyDe@4doWEY0%VRR{Ky$$!P@6rpPS0YYeT&B; z<#Fn;zMeLc1=bKV&!M?@}_wCs68~Bmyc?Zsk~@(tSDr)h>@3DAubG@ zuM=kn&fhOi3Y>@WF=90sk{U)Lr*TCm9Fb%CO?Ko>+yrjBSxOHy8W%}vB_)Bf3jvHn zWDn(7zaMrY;`B1Y9I!=pXj!olU*@21NMKdsTS#$;grRK~Xan0;>4OrZFaC`H?6*Z8 zz?JYC{g(Z)B^Xge;Mzk!0nN+N)%M5wabs_OoYL7+d-D!F0_7XWOfg@C`%GwEwwkB(9lRB z$?f!|245>L8r$)y!-4ZJauqW0o_-Eo&@yuqEOk)4a$E2br)l z*u;P#6>lTQ@VJAPPyq8pevM{GX@T?Kl5UGRNYupzmC;6Xurk`z5Z#H_jXAKoSgX-s z4_o*)U)pfgE%s62grY&dk&|-42dPQWRRn~{VVk8=3diL0iVJh8od_f3e%=e&YZv^i z3idPaPj7lZfKu3Z0OZ0djUAVG<)em>Gl3H5AZB0S_JxuFA~Y^XWnSig5i(#TgL=fi zt*d`Bv)Y?~23Wu#84*jxa+;ydeZYGu(sm<_PuVl*0Z!|^7SC#7Zs*}>?V zk5uU-L2F4z&6U=YGh2xBAAR}KwPf)=vN@~IUAmU^0^$|ck^#P!JU($PX?-}pmb_6u zaVz{TQf&Af~Fz zV>zgdcxzJSh`N|lRVl~|ud;n&QmsO2%|AkK#F;He zwoR``T+*f~!^h+!pw_IZUyA!Ixc8#A72Yi{6R1EAD|OmCuy{FFYA^7$Ymco{lxg z1LVDM9;LiV?vnEbdhLy7bM-+SQH6-g)=c%^0X7#8?m@H)C+rX4i$!IFfr2~T~~2+6+{JlTYFio z8;k`js7T)T+$0JXKEL-q|Ig?B-sgE?GWX7$nLBgt%sEreIaB|20k2957i~GRLkea3 zKQN%AOfO|JB&fd{+E!`$7&X@m`Rot&(#qT5i-5>vbk+nsqCHVITuWmXq-G84%g^fU zjYTo&RcnbrA{L*KC#zaY>YeO6&*HE(z5J~9GL~$W(PyDtEf*O0J~;l&1Lc@>8jfQv zsJl|i++8kZm=&<}0jGqU19up1DB>{m!-j?4pOO48?CrxC46jyX1=4DMtU2Q-U@8P zg=kko_pyo*h@nu*Ldzq=P~+A1#I@B0`Q@0Q6}|TE2eyp~niVJkKYL^?!vw7slT8w7 zn4n>rh6x&%CTRR%_V5gSS1Ouz7lwLp1 zIJU0bptw-~!wF}YBng$Y3-#F`^R;&o5BpFgK@GX$5bY#TdHM=8FyjlesI|qL zA$-(_aADRZ1k&odGZ~;vVpqj9Ga2kj!?sp7w$x%71zxUwg{?|fiW5ilfEY^3(_se^ zT$vy-T8-OndXtRL=H#HetYp>i&1o}K2T{Go>#!~)8)hYknb|%Vy@LF}s|FKvG0|o5L z1(gSjY;#c_U=DHty4nV~T2y=*ZbL^(3gmy>zovzTnR)AO(0U;RZZO?ew)_VVjI!kw z^5Qw`&cavKrUi{c^CJ8bI~iKAhN3kB#TrTqE3(-9vZIYN=U_qRTLwTWmdZRkofeCW zXx7R{kiNr`B29igupv^ZJX+yAMUekgs6G>Sj0cjhnZxl$$uRg=+xSCqO%(v~kq3xS z+jY`7c2W&_sSd5ccm(F{V0BM5QXtRBf6MEqeCs}m8}B|$-Jd7v4;zEZx8l?$`%prK z`uGK%W`G&5>_W2ft;thEl_L5P(IY)VLYMS0Vgdwf95W?=Fh(G@>W!` zPLR>;U(80ck-H4#rg*mG6H#(x#fN2LOzsTXLNHPl2w88c&PbT!e~EFHDZV;L#B^+5e4Lp+~ph*{=u#;E$OC6LEiqXqm zUtiFwr>Uz(@>3h2i>M_n0?J#!XaQ7H3hX2!D-exLT0C)GoQYhdfI$%Q+d0q4MEA?Eryi0 zkiR6ET8*E#^(D3ZrM$j+K^EYlxPeG4$f+w^xLIG8m8h|Saokn^34wX39)NsL<8)fX zYvRRt$>^EKrkS6+?W-%p08Ksk4P+Ia(LJ8Qz)*fA4^-Se17v2Dq)eDaA`|Lb%6eQYi01a#aD3npx{QX@X4j z(O4hN9JULAkT$3kqH1z$BXEBnOI6hU`0A-R1Eic$P2mAE>ZyFy6tHX}goMp$&p>0I zsiyK&{rIYZ1fd$pH)1dLqVM@ z(1z4DGmmMea8!M;K;M`;Bo3AisF1MqM{a54i3m~gHJ&`Svl_Z-ZQ_V@Ksd~M;OuKv zFlYj7uM>d?GcD!|Ksaz3YJ}3jK3QgKOiggHhl$Vf(bEkHG+ioeru7Fo4ttf>D6lPaE#X1Vk zcUEW-K!N5otkC$C!mwB&Nm&F5%xM}23v>X3xf)GB90ART0UKr1N^eHBefKC-kJv%%aO>;WOcPc1t4`iq!0%ZC2Y#>dp6_kI@);cl z1OO0KB^fNQ&tglCU=v#wVe~|u)4MaekZJ&jx*-&b`f^mBIH{#`d5JHO2s_ta@PwM4 zgwc_Lw#XTMw10(Wgey8J4j&f~F-8FBF%A1hVS0&AF_Y>ouP_p7HUb!u1o2@Uxbnkz z@H7T|G7A&tZ9a|%15KFMfbxLKeTH^yf&=rDF*IT^KN%w>45^@Vg(Hqc)!zD%+I>%m zrBBr#2)M(JBa43BVXBjKl|jkj(nZH z%3=-O;DAR}SGs|sqRK@xn_;AkX6{ntgEJpBP!xJ;Q@F^}85ShG`dJ3Q3c)z9Mdcq&&5eVjiu&=rz84m1UtXuM`iN zg;Z$W4anKFW+^Pv>FsIkn^{R^m3?Z*j3i1;lHbMzU2E($yeqiK-ZXp*_a!!8A?fj4K}!HENb)>Ij3pfb zHpoc7w+Loym{R9_m5uYEQP?-qc=P!Xz%iKkAT=~+KT-Z0fyTSY0Z#(q?m8Tiq8W5D z2_c129yJSjeZ4tVUD=y{#Sl>xY1c!Hf)xNUXl2m12~&sC*w=8>raFVKnd<=jstcWu zDzy&SY|bwha1Tk|U{fl!r&@@?m*m8>hHj&Ilk7t<-Pns7pk;v%%V|P2nx`x@=D;#l zHeE`QVWfs#z(A2E!vT{63D)K-QeD-Sl7eXsC^Ned?9)_e<3D8A3VCJvRIuNtkS|Fu zPdRVMrJICpTr&F-FW_3mKD2GB%HWr@L1MP2!6epnm_M*kP8Tqk^Sk4eGFD1Or&W(; zbx2_bs=&ES`NSc=lAHfPz@02oO7xKX!r`9jBnLxU*w|fuiYj5~QEV7@1Vi_}+&Ba} zDx8@M6r=ac%R{wYundjiKH=fK`b36{2K{zOg(92QSM{1;o+`NFFZwX(n{^63*pI_v z2MV7sR4Tuu>P;U)Gn)`EDM}S6-SpV;&*$r&ONtuhwa8cbk|0!eU%qNIzb%fl=Yd!7 zHLQtrSP<)??edQHL}YE%exmGfzGiR(KHKY5b=bE$U%uFK z(zs*@#wAz<2vfUhmJwl)JjZ-bT}bn@W*T1o?D~>|R7*~swgX{uRT;r!G#)rM8^ogo z^q1k5Df%#wls&5HB9gpF^~!O`x-NG?-x=^DZRG;DAp+ryWhf90LJD*^k^2RgEt8y|^0#IpUs9Hu zq2bk&`0!IFkzBJ}iZYJk45c!*^pfhzG>#$(=AgBlpQ{>BF%4Cn$X9jB7NJe(xaTQr#wvV?9HTbHCJ+WvNO&(Y;A%~wR6o=x%RM-TS^tZEEw4voCSy~ zM&fIF@l{;s06Vx5nLP=!rO;|EJKF*t9}+UwrJ>qC5sZywK{)I` z(Lw60+8k7y%Jd{C%GY8w0_&CR`ZcUT4#D6xOa^-*L$MnmGZXM>XTVIrdtCs@b%ELI z0x>)eZ915PV}YLTIT5NpcYv(X9VBhQ7MK2J%&=S3)Ift}cJQ%%B;!ji$*rvmb(Ypg zbX>(rPKz_6WY&^XashJTFgnT%2g#0nT__sP=FEfC4TM!uqELD@nMC+d5@Wf{P!bXC zgqR7$Wd*F_Axfw|@fTZ;;|JJskcnG#D4DI~G})|`*Tz9#I=Y=$F~e~t`$^XR?}v4Fj6)17?;gTAG@e$L4-?K?LpOQi61HuRq@8MWLRTm+U6F!Fl=Qsz&y0YQRC8k^p}?2g|ze@Z)RA0A4;$VGu?ajI@2MSDcL>#D~Jxq)u_^2^h`IHA6M*pFF>>QNzvXL|P znBv7a6&33^qd9m@!6@X7G8Y+4IKjd??37}%#LGt8c78q#YXNs=ie$~aSmhQwYSh@1 zlH0H*BLe9W{1HkW0@RXVc(H-wKRx?VF}^ImK<^)29rPYd3m@m%Mk zVQLpu7nld(^^?CE#aaSF%iOwk>u7e%h72V^p4Nk~^u~ZCAjz<>4Zc9tK@HOR!?7N> zOnm~K7(In41INY|qX6|H(H$&EKXATQc1djsyKSdwdU*VT)*9!(;n>M?^$Dm1Tqp)F zLT%+Y)aftd&4#PXa9mve12f6L(}bvjIv=9qJP{6;fl>GlwuR9P(Fg% z0ev;$9zQGfRWyACI3Bo*p9S{))qZBeJ&c+tzqZC%#NUgF^1oU2`7C0D{RYFdZn$e8+)Q5xy}Q z{e9{BI#_FgkB%l_u%?5sV6B$MR`F&-OY(t!3L(2X+C2!>Pv)}_O>vK18Z=Ul7tFe- zi=2b_lB?<1yGHU~D7mheJ4JNabb{c%(E0<0 zjE10-IR^>U(?u5^V2Dr#ljlUt7=`sSYb=23rC7nldjF7ea7tAj2zcwoa_rIzRGrxN z5Ua(21`NPpJ8K48JOM`O&Q(GajG^ofjetGH8Dl^ogVYaEDSr?hY$>t#hFwwE8vYuv zV-?^fs1|FO7{D~PAw~;DH+4Tjm?ndB)WT)vb#-AzQw(ohujkZ(u7`#2z+aC{HrqI*>d>7-6_bG;`|XB(!S|1(+Xg0ezu z)=Z|s%9x>yq1d{FWHZ$y2#5>U$X|xXiZK$$#%3KH2%xUmupwrHwo5%2NAsg$`e6s* z0rTd#TPMZOXyHL~f?ns1pF;Bi_;rHIr8uxzykj8NFwos%)SeaxVTcmv7q+A>mtVqb zaR&XERNifcd#JQeR0oFqWpyS0%J`bSOfQTm+8m^Yu50Fc9m*!Qk_$LC4{QCT zRvZJpVqJgDUJk&p^rSwXUt*tMY;9cx0BbBa-La;nG11J^U|1sVG4-{4T~q6;8i6eq zScdX4p~s2>ozVS@CSiRh2CHXmvtTv;u~8==(g(#GU)Ma?_vDAE-zeYmQaY4fh2>mq zgPy}NP5$z?>LTpt!io|+5xnC#Sr~?LWfm{CA}J2c_3Z~3BsY-B0vxaQ>_;@-f;EGI zBXlw$8X!-9mL!x+25DfUWR$5{>g@*@W{GC5uSvbFdR*|A;vli@S1ml=N;?Z;%klNJ zdVI(5@OZBF&U(F`Z2?2s^*-!=3HM;S8|H__Jejkf%n1i``N`_}v7&sIe)7b4k*;2$ z1qW?JH#Xi@XBA&Z2NRGwvv~e+OqK>h9l2;5yQd0Mzu-L|WZWJon*;hs*3t z#>lNhwG#)kWDW8g-L$1UfKB$h#q%)JL2uS#Nr9$&u(*opZ4PFhS=prPC3l1!I+$j# zfjqWPPi*wJz-OTWFN(}z^*dOMIH0+bR75r^OUgc7H{(M=s9l&v^FB1f7s9Mix;vlS z29(0hMV6w>bMfr$(4NGti6TO~$QvJk)o~(TVgZB3o+uN!&v!T4RuJXa^!S{Ygzcmi zsbl${^AaI)tYLTKHOoupR_7&KQcS$$K*Q?11YDAdm%8SKAIt-ql<8WIimmjEty@%$ z4`Yd3IO{1&u1J3Z**{u>)dV~xl4LlsOt{-a51lf}A>nLV;8w7>=1Fx=K4$r1tES5! zbkO_TlSZSSw%r^9l8&Tmx3L#-w$8SSZEe6>!=niCfKnWnmCSJ zgxn-#kwUQzL#V6LTa9Fq)z$p)paLvEjO z5w@X=a*7oB;_PfTC#bJPq|}8Z(qtP`c14O3v98#Z8L~P6zG%{YwvB(UZI8Ew7n+mC zGPRYec4su6`r!qd^-c(8G*M3YFvN#K)K|c9z@Lm~U_LUZasG>o)Y<8mf)vR=!A)MbdV%dza+<1Cw{HSDG0)(Xw$ z)u`d4Q347mmFqMa`kV+eysS-*h4QFbk7D`Z91kuE;gA!9qhS#s`&ainRv?Fu&N)=$H? zqKKE&t(o$dv6Np^o$~K!XrlZ@O{-IWWQ!q4J^fh{Ly+05q4yxbJcL5POG(;~bx=L0 z@`2D{R;MdBVFcez5QdH8sX*&htO?td9i?d~9D0D#zzP-~{?IFMdYR!AAiY$>TQD+l+65cv~B(gZ~Gm%kl8$}qN4)yL$} zU$*@(wy9fi&r%CNq^<`I{9o9XeGBcaJsMk+vO^%qSnVJmLyV)U`Z|Y9m}9{RvcAp+ zcL>HE=~Pjku6h14D=bP`QvNvT=`L43(^N)Q!8Z&i>0sR+C-9hq6X<$wR?51BYG=;_ zQB#*|Ut`sr&U}8iz&JQcHwQdMLVcmfC9@9JX0AmxVQLd$^!oA#)x!Ng7jJXskCy;1hOXV+^Mb zU=FyB@*s^nNUl3#Y;C?~8Uj98B*h>In-r9$WEG0Q4rge8!)>I4oX_$sm5&2-tXcD= zY9BFs++#6ciusX)-o6LYK>!$fzLDVknqF9}hlZ|Gg_aM>ONQ=Vs^m974Yb*>Sk&mO z!J5g49qE-ra9R(Ia-2I;48dX%CR|u9G3AOZ5n_j77AYrEZD|mvi9Y$M#Yxr#5xd!< zJ&M6;I6I!t!&bShHqJZY7kW5Q_k|d=zksLlutNlb%uqvY{nHAvinXt0RGCcS5+$sD z+)oa4u9U@6`eYc9U>IpO611I=2;qnr%qn1oU(ZZ-i-$39Sl-v*oRw%;)*yi?S`x#M z7xfB`72}=yt~3bH+bd8Vd^`(Qk>4nr*p9GY1gYGUSONETacL;$RU&m(1z79+XFFWLVUKh;1PQ*@@5c zOCP&66iYp%G3+-Rtg{-LBir;SqmoUoHI1JMWGVZJPajMca#D=b+ zhA7!R$-f4BMI^Y!Yh>siC9pz8-QzHHtf(94aHQ2xqWtx1oJCj{5ar)G@$*^4$YHc1 zRiOKP7SX6?UQ*8Tk~!6R$)ATzykzf$>b!*QyHNdMORXMx&n^9iEC$r!h5-xIfsJ)X z`wqYdVWY_8xZ!iDVP^LVP8jR_+NU;8CUr}96lT#FTOxOy-o$|ZPm^HhdgeTUQ137L zr1u-Q2{gQJ2E2AP;`N4VWHF0ZTNAy}yI!XNXboV|VHfBmsWqU~AB%XL~Ijk0#8Th;gab$|z@!m$mK;yvNlvHIftXnkh1 zDwwb0v)qg%o3Q{4oBFPpC5Ga|1WLhU>#9O{5E7m=Fbt|t>KB^y(hVCzHfWPkst|2F ze#ty=h}MjK9)@39Rfv9x?e%hK#(}q#8USu%mF+I+4X>2ifN=PPD-`EDo|!rHgWe ziZ@~zern0AaICz{T=Ay1oa?LmFP=9lr>U>9+*&w$GAIx*31>E%~0JYW%L#7oD9{i zM0TnnrPFW{r(4E0Lsr79{pd3|np4&Zr*+EO)2W+-6z{x*b5+Pn@y;j1R`D)UIQM(@ zDOxx$1vl{)B}Jf$LGjildGM)}wUDQ9ZYaKtDc^A1BRAp9KLMgXRMHsFc)OcDy8#4S zP6b#X_JdtDtU+;x>1?VVB1&69vL=|`H%LWufr3zlLgxZCA?OTo^*-gmlx~j^730vs z4$)VKECjMw4Y`3mEu0972Ef9-sQ$vstTw`zU+Bobuujz%B9m+fdfi^2NSI~C)~SOq zi-Vhzi+HUecf2*jSffc_e}OQIcE~Ui3)2Ku(zgf@8NP+L@jH^4#whkX3W2kDzAjod zq?jsWPDOZ)B*Hn*+0W%BoL7PyofY98s)%mWYsJ?Z8dQ>t@f0QS*5xbH#f+>Sa@GXF z4uvzV<=H{EZ{{wfQwC`D@s>kNRK!b~*2qgZw~6xq8S*(ViQPggQn^Oy*s8l5Eo$Z^ zZ&+TUuFgyL#hZ8uw!tt;=Ub7)73GR5QCTy|w+b4nEVmM7EdfkP5<<`gOR%#J6~1Di zjKOHJH?=QL275*=&V9&%+BF?ZQ?+>+j(T-u6@PbYWFBWTD}(JAW;%=J0|y4;9#-Bz z%}M&zoY-_{gKz@Y8xS|r3{&+GW?e;j;vI&%`BY4@SETPVpT@29*$47~_T`604A~GI zN=t%>vo-({3-%B{!iE+_J=gf;VL-SZ+t|U{c*shqeePjX?XbWtK$~t>c7^Lx?iNri z=W=}<+yZXMxz0Y0y{QHnE`>%tU5GByU;}c527R?LuGe#E<(yqxcRi1TS<#Of-KgF> zbaX;kq0d=DpRSO`()4oe4GT2YA$jVNht%?;YMTVt(s_|3O9>UdEo57N1&p0Kt!jXlQO5_TAr6OL2z5(nq9y& z7j6xl0?zy&Df1NmJ~#{nm5&^0ftqaTtBVe>8(!>|U5leJGmnKG^|=R)&HHc<;QoWt z!j-^1gww%2f_n`2@IIfB3=}mW{ND686qvhb+?6k z4yn(8iwewvKrSBg|V&xHq% zmR-Teg`Ispz8O9!Y#hJUyQhGO-RoXN+o%Fz?-=YILVg(W_iO7B=v=Q|Ij^XlW*vPJ5b_)Vyh|0hb z+=xs>WMH`bg(irDYR^2T@^Q=vRzZYBUaCpwZ`eRU8?+4p#e&yiZ%Bs{X*WVSk-d3` zn;f5a>HtSY^gC3=jtBPOs1LBq=E!$r0-NIpJ!Zw5uA2V5X)cod6d`SgSztTNPxp-M z4oYM6+)AchL3?ht7Z;{^6;Td6sAC(XNB|F8b1r1>?InP(R%-(s7e%BwP(4(40Zo#| z0DN^J=yo_!R+ulpg3u*IM0m zH9gReu3?z=3;`$eA;W_Ms$m|I;^;?N$zc^iwjv$_M~n)zks1t^T}tJ<<}lY6v7gNHp$^yv>?yM5$}DhANA&{oh1mC&fCh z-4fPLWphS(NZ>Co(^)FTl$Ff~E0LE#S0PVu39k*udx@8{u9@<`WhsA7b;_S_Yoh#R zo2pZO)TFLbk9iwa1KXjnKuNWLITkYDgW)hwZL~XShhU@K$$FpKoiuj~=E+}HH#|vU ztmR2|*@l*El(NP+tgnH75?{M`Ar^@PNu!t7t5X|t0m>Hz4NyQsFdQg4Rl1K$i z9qfVp5{@X(hv>O7zhYppzLPfUrD<|uf&M|34{;v0a>7e9eSlV8r1YsU(?c6A09;SN zOkbYq!#B$#iU4Al(eky=e+s#S#^*+`b~&;^Bs-dBW2fIScy7i}_9@*NC-U*ju5fT% z&z09u;Fe*y_lV6vg$(+K%O8^Y5*dyUyuktWx`7kWVJGDVHj6n-Z$`mk!$!eS{*X$(7Q2%Aq~NeIJi8fs!Cvm|>n255cbyT%y8q!h+Qm?j{%B-s}} z1fDR)o`T!lB8q%~3gMkp|Mtcl`P$|m?i>vHloRManl}QD_aXLeBGsJ2O4++ymnVQ* zWQ4o%A@=--yCMTzEWwRu;Yzi;3}LG&EDT}B`d{h6-e%_aLa!_7;Xx%PkS+i*;b>Pi z7(0R~Cm0b61M>#OFrp>QvZj6-@CcH$CHF?_^#!?Yo&rdRdZ71y3L_}VV_|{`rtoVp z%LxXKTgabBrLCNe9C_x$}oQs6?EkDnnUoys&_OFj=`6ab60ngn*X$Kk766JTU zaTak&O_aZQ^XIdO#6h$owe!X2D^eY6<|Xe~UZSebOOF0!;w75~R_7)7Rwbt(N|39i zg7-$jf$IMcUq8KMnE7zC;HJSP!i|L+1Sf@af!hd2mjwnNFQF}b2kspU zfa`}m%AdjXIAGhr-9p(O!d1YDUNKB_xGr#>aKUh6;1b|6;O4`vhT8^r2<{TxJ-AZ1 z3b=;IkFNd3`qqPAi5B$`?h@Q#xLt6Y;eLXf1(yOB1vdb$CtQ0tF`Njl66JjkR}6O= zZa>_waO>fg!i56n)2ppW$^^q5ag{RTx=5L09i)t~j+7C=eZ1_XiFjTDmtu>#PhBbV zpPiK105{8C%6P+B)r0j8_&edxgL?}1mxGkq-2jKi!d1;bq@k2K1lPKelnI2hbd)j& z;YK!lv#^<{RC%vKi#h|hA~~GV7v@7g7r}+_*%?dR`)<2xM*U~p6nO#eA9pFU)kDfC zJ%NAtcl?0|KPmGET#Qu8T!wpzu<3AgwM>YDlQS)&pn`$)CB9OoAL7~q{s#Q2>E|X$ z8FE$Avzd@e&m+v|LZu8HNJhmoU0mFVaVnYVS&!@7P$_dCZuFEyxK3~`OiW628r3~! zLJ~^CFr#CqBqzz>M@EcI#dAWGAs*2&6dz*#!v!+WUssoPOt~= z6ned{hkt5tN>XHWYHCtS-{=ULJS93fB|0@akqXe?XHcNe09Psk6YcEcLU|G%)@4YU z-{9z?XY$)Bq~tNgOS;s^OCqNbb%4fWvv58We=Z$b_PcmJ@1==J_AP=J(I6dO37oUz)y!Wh2J%XpMihDcn_-P zKHaSAq1a|?uL+O!krJ$4|8zQ=0c}yT*U~(rFE#k3#(1=w(Y^zMJUs@C_Ve)w9v$K{ zz{hK_k2i$}goJtx8eBD;(x%80WpNXt#nCA#NhxB6sg1rhctB7{h#`a?nGpX#-ztxc zcTj+bf8fWELET(B_o!{vK`c*<7@H6+mL-Yf660iX5eacqqs6h&5y@;e48e6LxWpux zI65&&J}y?Anj8@sEsnvv6Oty!RY@2ji%UxUn6BGb)1}IyYDm|W(j}u=iYLXT$m9_T z;uv{iB;_rRj7UgeUqI#R^40uDCnZLw#mPEG$jB4RsEQxT)ya+0eXMsj@Y)W)Q6fhJy{!{p` z0uYd#k~A(QVuDx}oiZUVu{xez*!q0&`$Q)KgGq@K(6^Bv z%Id<_=ZmlrDdXe>m}42X+NNlHzMk%>d& zQt4B9IXjC785`(;xUne_Dd^h_V}(X(3ihFP+sw)eRER3o6HS=;?z``pUZz?mMxb@e z6UQeeO-}5Cu?YQh$T$Gkg0V0Y@qB!I%<1at!UR+1;x;{khg$NP?k+B2!IpRy6YF94 zV`9hPVwmLQG+cZ@FqRCT508&OdSu!#iHw{{z+YQR!n8@0CnVt3H(E9zB30&rW;ZE1 zI4N14%!V1B!{QR7Kw|?yLLjAVLfn9@1(10`GP6_ z3waVR(Z$vzZ`b&HHAW-7@d@U z*&!GCl!wR|mW+GTRkd6=J>ZLNC>ZH_7}J{4kx$<<_LFeRBke2jRL|v~z*AW^8^f-A zrCet}NkjQ)KMA9>rN%HCyAezejPJg5QJwQ{NZBzS!HuZ_?w=}f*)_mvtHAB30j{D7 z+?5*OL^nT{k9qv{dbBaZ(Kl~X1Dq6aRPTO9e{hxj$JCH67I1_kg^})19(ZJk?wBr$ zpI<{fwUcbTBlZjL*^DsyUIe54LOi{L-Z{-!?kr=uslEU#XHVyM}a+jPS3GK6C5i_sgpxot+Vmt$z)0Z2(7?YZZ70EQfsQqWTXo z!iO2*=^Odg0H0h1F1ZG{#YQ;7|I!-Za*gjlZ}e|eNq4q}bT5tYHvdZ5syV}+kAXSQu`W=IcKOUOFDb8?@>jBye^zzMe|e{g@*f&oo${OB@6si{5~ zRx^LGa6ly%D?FG3?2|txYaYygvmwb;LsO1pjMz0iQ{pwK7v`$6$k>nA+F~|1B_c63 z0SS$P472HDSd{{KFg*=5VF&ph%#aYDL8cM@Jm4oGS{5BNHlD@r27(NcVXkKiu`vq) zM5N60>}xDtaC9OwfS^6cdnF~%a!^-5$_51mcV-qdJ_!kN$*IxIDb9en#OT3E40DbX zkTeN*K4~z@#i6emkvI+w)YseJSQsJARjRimpER_j;1G{s|L?p93}7ys4U#1cNt}#X z3+g&3A}%%BCoM8MnP$`wpy>Jx$4cd~zCOcKVB6ylXMVFJ1el?}Q) z6cQSplFH_?m+`?&+tmIiQXI{n*r^^?0l8r*afXJ^G~%MZ)CGcRLKzJVI8lh<-CjwU zI?^${NFO4LGImTRhMp(`%qZ?)<1`oxSB4J9coM{i9!Il?iW+ATr@e^sYfC?$ zMa;NHD^e?$8Yn-cnLf-Sn7A5e5qg%F%&g8!ZVof?lIJa|^AbbBL#ogO52l`(A68!a zrbL4RiP(FO1gs!1{Rl%t5@T6974_lc0V9OKhAiZuXalSx`^1thCXxHqL`*tita`h_ zmw(OB+kHN+8-&PGF#AXEEc;4K7_*og78e!m6&sNNw1M>YW~5!9pzyc#LLKf_Y~tm>5it{F@D9hj8i=$BQbV~78r zEZw)fzG2`S2EJk7|0xDeL+-(Jod}aMeTPYz@S{@Zn(AY?4q>KCS0&ubD=sAx117JJ z(-OvuCIADxmIonV?TF;zynVGM>$>^0}El=Z(0_83YxRi3@+ncd%n-#N<5!}~i~ z8YTuzFgqO$-Y$+1C$TdyaZFrFs;n8}lT(r=Bm+<^hQsq=`5@we;YJS;Q#QUW5WU zetj>(pTqJJvXw5TTmy!d9bDW>yTvq%*pO9?myD`fc1)c=l)YMbOqB?QVO_Oqd{UM8 zs^NxIW91}^Q8hdUqhv!UMzWYErNYe*kTRQ$j@Ip1#D3w&B2#Po5`)S;_=WiJJ5(a3EnIVA+<7Edw z;hvOf3_lirL-Lwd%>>_zYBaJ{Pysv89Tu@hwli# z3490mw(#xXi{Xpl3*htNTf=AI+rulrD`gzvm%^tGr-fe!eldIp_*dZ9gMSu&efUN2 zo5Md0ABz!89(*VG`{5fdlS~Q}IN0k`85Txi1XPH;KlC*P9m!dqC;g(M{#^CyrIa${ zKDqL+D{hpZA$xdqmAZ5IJZ#p(F+736F@&c)76*X9H^}3$unhALhM26w-)0i(k`vJc-{bezq|5b<2WIq0JnE%;d)f{FpAOFn2 zUH&J3ru1T9;Q#Lz2MG8Mj(l=Nuc%LvqdrGI502=WIULbX3pna$mT)XxH2M@q&(!xQ zj_3r@0ScphDJ}U#dnsS)n-oUvp4vP)3U3BS;Si5ypFNDvUdHEO_>^XlF+9ZR)AAeT z9}Y+FPJp9)Ccuf|lHsVYq`*;GsU8HcfTJ>J8vPmYDP9Rj@mX+`59kytrL@xcyaqm% zcRd`vZxbBB?SZ56ora_M%WxF$0HhEum=Y;d3YtZRhg^{eWd|>3;u?IZy5N7f&Y~lAnw$(X3B5LQvUSnl;7$n z6Xh4r`9}HwSAN=Wh5CkpZy5N7fv;eID1WmWXAxbS6Xl;_`}r(lM?;dgo!I*GSwzd4 zc?qB8CDW?&5|O8gm+U<7jhB4obA1c`0tQH)rkKMpi(45Zd1ya4k%DB2NCrm=r-xvZ z0)8e0Zb+_)WR%2k)8R}P$Ba$~B+XgK56+k}qnR;c6uVbVc3fA8Y z`22O()`<<#pZ#W58iJ%o|Ihy+yoV8fH{j2#y|=a@bAPRN?dPgYAM(#w!=@Mrp{;?} zMqLv#qp!tZ>->3nE?l`){04T8GE6By0adu79H1kNtX*g+y@s3KioUL z#G-@YQv9&Ap6On^|3Cx7J@4SLMsvH+{hG%oPd7SrAy6tVUHNCS^XA`s5X}f);^v%K5-j6eF=Vi{=D?Qlj;>I(2|E6h&E=ZG(7SAbB z9P|Ba(PoeRGsh2U?WQS9E}rJO|K{9VZ&tk1Wo#MfwdTR3yC%DauI{+9A> zqPs^9zxCE_`sYQN?smVaOV0R2pDbKpvvJ$%26xx>tsPxoAkUm7pLEPGV5sN4O^e(l zU2}In4hh(Fe`N0?BPHsU3y0}PZY*6R&Kta8PWOm&@72T9S6Yr#y}3Sa%aZaJtq-m( z8hKNZIN;dNKZ)`8M+X^~k0t?$V9B;}W);|J{9-&fT^5e$T1*FD^cK=|A^F z@86$}$f`5>zaG}qo(yedvi#i$nPyqwirBFsb7%Ud%@eD4W>r6^y-xNYp-Uib3JDG{+LU=q-~A7 zWZVLx{6XtJ=Oz2%X+;WFqfKjEqfI;I-_^`ZYO%cJ`|7;J{-KGNEQqVdOGY#AFH3G@ z59K%dU3+)dMy}*&mXD|9?q%}s*T3uOI??fbi|d`A_|G5awsH1>ys&E2>aPxV7r^`6AxUjaNwA@Z0r2!~hxsE^}56wFgKy$)N_rC;81-_#~^T zz&{~%DSL|>T!wTUR{nFx7sAH@rsxadmIyEYLO98hmVY69B*H};DuUrMy_Yyh8}K62 zRW-cFSHk_i5Mj7c#1OKGfZ9N>tVi19}L5zJ&Z7YoGz zyfqQI&}FF@gu6)O7=f^HZ0?j7U*W};Ez%ew0uE)Uw*mVi77qz*xha=gY%WoB%UCIV z@wRCECE`iJSSvh{O3uDd#0*9r^v&oJC_<1!0^VatSsUd~!dobn4ekkt=uNOF7RJKJ z*e6J9D>_kfMx^M1Uj?kVq7MS972}7T6IiKg1z=mj64_YfC`X=R$duC`14R(@FkC!H zQrBS~F#Xx5kB~I_3PC9i-;a72D|e3WO}33|F?RSPUec*%%5TL|{;Aa|f1`ya%D>sS zI^{QmZL=A0+W5&L%6J)?AqckLiJp-8YLVdhZlTg$$1?7uF-Kgz%LcORr87@;= zyDDi-tu_T|#sM>gk2c7!E&R?%>%tHw>EbY4_T2@LMQ?)fDF<&?peGry#99nC0J6Wl z52gATSUt>^>BxRHTgILBt?|~n3L5zaF!fnKh~cq*2xHFrq3Ay(>HZyK2VZ|hU(AU5 z_4V%y)@xA4VD#6K3D?Yw{&Df}Z_YP2=kd&~EG;eg0xN;Q+RECxwvDZ*woM%yYim(G zQJuPW_V)GyVSR^sb`G|7_I8vBhl?~k^IGQSwd`tJ*S7n=ed+UR#O|;;fS=Qp1BeJ`Q;c(4(Tnny+C5NGlW5(q%<`$OxI<|G2)oR|! zV_>FT#6;8-HE9bRu{#$mC+W@^Z`j;(p! zPR%?9+GUouaO!+6BLA8G8YAGMcy+jS@I`)E^480M*`{^Qo!>$@J^z2bvk`L$A5{IFqhR-4Uf>uq*fjJDDs?Xq? zjherAUl&<7@J~AIILlHEr2|{fhN7#idSdn#|ts6DPOMjZEx# zETrLq(2{qJw(pw93I8wplJ(K@sZM>@y0$HvySLWjHQ#l6?m2(mA&YnQvMXM#I{)j! zo$`PmQpLHy9PT>)&wFL#hCS&#VaLU32YfoXyg1n`@Y(Uy#GDq%gZ^zeyZl1R!Oatc z&P`wUWJ%ifvY4Ca-tVb>^uj2MCGuUvZ;sd_h-_AV>X#AYCweqm*j=(>(UW#_Q-3b{ zN!>nj^Xs+O+64ZdvZs9DssN+|jnSHMc@q2rD>B+w) zk8FG7ZAY(BId}O^m$$Z+mv!%O)qLxt!u@VDZ{OihZ}45i4o|YyY%H7T)W*iv;)Wz` z%B7caQ+mvw*CEYyWX{(0uXY|Oc`=y(Pm|s;`Qwi_8sOJq(~3U#HZ=3gIs2l;;_d@` z+pg-I&S~M=x^Bsu)1iOA>v(j;#>$tun;Y)i)xT@<@@4aPmes!Yxa7yAH2>UFIfq2U zN7t$qWjA+IyVtJKt;H zYl1F1|L1FWsnO}76>o1fYOJ`|Q}wne-02VX;_aE6bc+KMy2bTsy8KDtw85d<-*p?h z*{tlXkUMtec)yNo)0f-tGj|Z|(X^jswfSO;1dk?vrdv9!dhyqg1+xODzOw(V?S!bE z&GOA7FPz=Bp8uXZ{@AH*GX~wBzFwpXYdT zEX_-XK!xYi9Q)SHovc~zG^ILsYSz=loxaaB*Dw5qQrfpmpvRk)yOuo}b}skSxB>o>;mtPy5cWbHL z-i{eQ^LIDCGjmg$u0wq9&+2Hsb*bR=D)-Q56>(j6T;y$^v7?vWfsKn(x(*Dic)87X zaCpI)6E{@Lk~;f#GIQ(vy0|PzxK-3;)RclGv-YEQy8Y{W%5}S~j`uXL#q`2fI}XfR z!QFSEV9cMI%}Is5LPm8+=)pM<+UwV_!y6+z_{H?T+;Dr(dm)7#?S^d3_Bv3SGdRdS z!~TYNSo4zLJ}di=zqqvVm6gG*I&Td8r`vzxjZ2RPX1raT)`mOFrGxpIwlB^1_-z?< z=Gn%I$s75b2Tl5U(73K{R>D(%$L_aSv*r)6WoA%e=`R<*k7=U(b<^d#2dpo4^69hn z)~H^`G)?qv7yqg`klFL6-H&JW-nDUcXztDCzXlE8lK#k7diNhcvqPhH-Q2o3{8e}F zmOb}G&OE>2kW;tIR9r01=jrAjP&WO{4^tdZtA5`e{#(DhrI_*>e#9ByTVx8Nu@~{+g4Pl8~1(Y^mP&Uf1Kt4_t{e3R<50H z>iAzPcizd~`p?K6{Tr7S+zE^{Uw=)stVFDOI=}fsUcbGueJU$o_I2qyed)pUd!tn< zwant`@M+_%=hZpf@foa3ge@qXH*U(ZwUS?5a!cp5f2m6KjeEVsZ^D(bGcA4`raTlW zAGbTM>w+I2pM3ZJn7sSyx%S~RXAIrvJ<#*#`suS5%wT+vakZYf9be=0 zPSs)1L+SpXR<*Ca>&ma1w3(OAPF6KseZKw=K6R&^{!h|pLI1Rhzt86WTyWBSywe|c zZI&%CTi0z0bGXGx#;14fP6wi|gm1Zh>BxvX&zHScTAW@fWa9fT%8Y5a`+;}r)(bap z$h2GCZ`bM4)o$CAu_K>5o|<*(+Rwa{n@`+5FQ#0Mys@}nzeJy~W@Fl1eRNGcrP6+N z!}9rYAq$VhG;!_xYWlBr53SU>#k|hk^X}A?MUA|~_Y;NObj0^X; zwuGPUmmU*+D97eeqa71ZHTgN~zI*rgoyXsw=Kpt{^}m&#%IP-AciPg~eGa6xxbv#p zjxN{Uu3Wk9uYjCOaR+yu*>k1bB{XtEYUS81N6rpw-Ds(3+nZh8-k8u*lw*A*@`_9mo z-p72q9-uqK+TA)#=%*UeP7T z&tK@awtr;i*0+*1y$`Q08a{3Qls_V0*q$n0_-f5Xq1E-pJDkJa8Q)qfJf4hgCJuXe zd7}PU>Xg^tmo_gppA-7Xr>xnj=(pRS^v|DI60x)PDWCouwwXm1ToiWF?`*JT-zDz% zl4 z91gyd*W`Wk`NJyuJhR%?@xD5(SM=17%^o4X^G^RZ^ycidY1`Z)I#@q{t*SHTprSnS z-=5ha9p>sE53v3-Wuk}EGTlMd`omprUJA-N9i;9xD|h2xKiL=LTpJ;N@w%ya)NYC0 zor9}x$8CFcee6%$hbOASOEu5FKM5a;0*UxSTc1YxolP|FlJZL!P*HdW@ zzYSe8>fHjT&J{lOA9%F0Jn-V8a?0LxNr#Cy)0X~pC~W7*BmLi(O{)mZ^JrbJSL))AMm+!0|k|RE1n;ORX^JT(< z%uWFXf%QUrG--Znqtvn02*1}o8=Y~n+#7ypr=6Xy=PCEf5Zk=O`CVJ*FTY{6qLE*_ zhBjk<(+|8{XH?h--yQ{50kj#GA>quC=F{d(ewiV93 z((>|8A)}|B>zo~Q>F9`Ej)l`aH_sh#dzfAFuk9D^uD9QNNyottA1>YeXULMlM~3hH zdB`!Z?=Eh=Rl3l&rFYAx8IA1|Ci+aUXtY7;cY4bdUdpRd&m|chZTh+mKjk{rH-2b~ zTGP)AvtE9w(zV^SLn{+zHQ2dl_TouvYuV^JOx_z@|<^VP1w@nPIog7)w_3KnMV9eal2n$x4rki zvph~^Kee-UGoOEbQ?)=Kb?@{Qfp`qZ)z*xYncW*7&X8eSJNzNlv|{ z%JU6Rrw-|0esPS4-)wWaxo6_Ckw4sNobzJG3iBBS_pMv3O=`Vw#;gXjLf77%{e+vm zZAnb#wzIoO{`uPiZ~KY0dSu`4B0OVtaY(q5$ znA6vOnTK7Ey;(sM<7}Etskph}?LV74)-CHdeCHqjeK!3kOJf?Soldn#AG7~fpuO`v zzatYP8)Yp|Q~Gr28XmKyv-@Ce{Mw>c)?J6yzjkQVW&aG$;)EB6oQKRjdA?Q03%89?NyWBpr()Z-ZL?zA zwr$(CQ?YIPR_)vNxu@>i+WrIM!}`$s9Ak}VP9^Q|LWJ2C5=vXu#RsVo-2!=2_w_kl z2zZk3-A9`8;*2Vm9+niwJ{X1OT~6^REGuHe5->b4X^pPgj-eov`+w{t{huzO{`rUe zq0Rs6l0Be5cH-v#Uzf=KXGNRKKNUrU|F`0C*&jQx4g7CKx&OA)_kZl<^0%F+!v3|> z+3(9F{&Zvi_D&FT8ZA3oOU7g*czvCixW_YAr0Oj7$QzfYkNXa9YrRX-5FHhe8$qH2 zopKg$vIui*W#*NpB*DZMl*E^CIWqaDG|qBg`2_Tuz>diY6CybvlP!#pU1}Xy%%yH6 zuNl3SB*ddnPz_wH24Y@XlS#jDa1V{>-QHN4TI-nlB~cVVw^Z%l4Mr46(oV{H#HL1t z>)^2(Uea~p1 zn0y5?Zk_b;CbS)0$;8Of_xS(@e~OL`MaxYR56LZ8hg#4^XJ)f!cs7@_eE`T`p#A2= zG2H1|fw02pO#15cb9{Vq(K>7dEt*jp&)@`0%@IO7q|Ba&A;%I#p#dQUSND+w)Lqd{ zmESlUm0SS9{BwDR?KKQ!iuBXVDtNjL51uPzL=LZw{2SgK+AwFf6Z1-LOc|9F%TCISfm*L@YHYYzR*FQVL%ph-ci>Di+7o8E&-1S?^^CMqFt#ym-Z}X9jca zxWRd~Oo7a@pGR`ZjL^sk8k7+!#{wfd{`~(M*xoH^T z*ig@0sR=Bp)$LB()UsLjDbh)%z1N-@AS_0Qi$_B5Qg)D>i-ax1;X&mBa9ABseV2YK zgSaNpK2Q<%nWJ)pT*IEoQT@OO7qqHpG1sa$E2JAh4GEiS#bUDYj$aGj6lV<7-st_Q z)-vmKHXL(L&6gnR+1KsA=BG(CIP3+6^4goEmt`Yx#VAd&l!6{Fs3M4uw4&w;mEr;S z01l9BnU1rNa6Cv`D$3Zm@q~q@!+oRHD}n$gPCABm?y*s7Y4(55Pw98Ln)><*%`!6c zPKhIGV4MYPX`4=G&ZV#}dDYxwL(ig^^ry8j)AL4<(F*KZCh9Atkho|0l4G?2-61WAop^~2 zXc-}|46rm=)G=qI1=R(ZvPCg)p*pjD_tbop^Sl*jexKzu=0dbL%ht8`_J|q!-s8%Q z+udF?Bu9)&dFn#~D}5nVt?Eb|D8cg1HkVy_%v22*^$e@)U$GB4J?H_yMvv8DDZ^I+ zR`WvMtt|?(VI1mRssoC$hXRc-`gzl51BD5`sqoByEgqQ!X_>)YvofD}Vm3Y^Nr&2v z$d0Tbxn_;>SVJA@*(!lULw%wf%#;bGFHr|SBERKd>*sy^H2oHQ~aiUeEEs$ zHBMjey@Cw(dvAsDS360yAs?lJKxB-llq~gH4_=BU}?asEAZ9%%q^EZEUPm>>dra2o1z}RcrBZ5IG7razr3}L3NQSVvrB13{EsS zo>TTT{@6+BzsV2t5BdMh;r_py7)coz{vrSGTYb0xe}D5ye?$eE_*7nj2I+JCSSXOh z^4cHi2xW!R0ab*XjHXj z+~M-cOUe>liR7G>f}qVmK-xTROgVlago{_PSIs&jRCEi}dOFNmdJJq}+wjh1jHks# zpdz3(<#K*GFP*euEDCLTIvyg8#bwYT64%_jyHl46GHLsx#}tcp=x04|Jz14QQSVH0 zebhFOO!gN#8!lm9w-Sp#)J|42&c+wNZhnp{yZjDLjy$hKxysT)r?c~5STxOTz|Drj zZUwzwja^|i)!Gn0MFvzvyWJ;=1T9$EpxpxZCTbESIRoGzhMR#~4*1-rIMuiVKBZ<8 z@M<=V<>++!qiK7;7V$0D0|cxAi;5PSh-4-DUU5^R!-i^lGn|qHT2bu@%!{?c0VF=3 zR+%f-bJtw~P&xcM<%*+2yLj}<^`YmZVOZ#GLRG1@@g7dEgE+Ej`pOy$DPQBOgLqIW zl|VgjYF0}yS=p{tpEwkVWC2RxuTGZSIwd63c9sX53!G;$(ML7Y84jGPjF$47J(Bql zl0Y*iGtwuU50i%=Ge=D7rnK!Pa*)l{C49rw&s2YgMjMt$Ch0KfM%AbLF4xKcsq)LX zB|QVj1btS#Kn|S9;jTjgYa~ps#i{=0O(Y0)P+#!QZk-*3_F(M#E>OO5Z^&RmBWuFq z^8&2iNc=KlxzTnShp${eC09+%6`V;V1E(J-yIcJJ#4Cd}r+Eh{85I0gia%`wWMal3 z4gpX(wE3*AN}SnN$p(%lh2%q^60d(ag#|SFgt(}?6IJ))m`kl+5}|@5t$^)CLJzcb z=hpW}7rj@3hi|%SUV`~@Yn9zJFF*k?o%90NGL1;OB7grh=|6MB=juFHo<*0tRjJ%EPv00EelG#v$7YK%xgJ@J{c(FHR zj$GVQ(~ab-KmVBZM}H<<*PKzJq9ItnK$tglN>3uv-VhTRIBcW1&kiJy1e5#fU8oMH zS$2whpNDXP{b;r?&$n1>tM8=`4a)q!rP>PUB)?t)*s{=wqr%0r7Fazf@XQ^z zBBOfta~*o)cBI3}mcl#s+SC)wEtQ8IQ`DNj6&L!CE#c)cwH!JEp)n9f0t8sO@(&o+ z!joK-2(;-SY}Dx$bth^1iXRDr9qf5apbeo4D!`Q1FOBjIAnysRDA`Q2{~&B0TtjFb zkBmS7IIJe>|MBamrmfi`H3$yV6T%va*i8P*>B?t|o&%->=LMp`oxs#xP*f_vJmx{s zdBWAfimI~1X@~P_IF>Da3v!hNI475|HgF=xO^*6nEt@aARVdNy^o3eq47oY&Y@*#d z{3^MX94_OAaofn^J$zOURm}&3N*I?V+mM|~ExY|o@CxKfl&&872+m?diG5$HdoqhM zBq`wL%SW=5It4BycHq@F9?jFNg`=h6 zpv^gHbwd2<3I(rG)9OiGdgdJ&|(yoBXW5{yp=D zBmRBn???C^t!K9^*IAwUDs=ru;=jf$kyUiNL5)xIgYMd|)V(?dCg`2IJZhTQBxyl> zOb=Vy0(%5!ns0AulRs5aCky{6vNm(uz^~HrEpq z`e7=+Uot>zPla436mI6A3=q@!;_W>8GI`E73lUQ{<3t&8h>W^M?5mBOS{(I#@Zxid ze_dGw6@M^=D3Q>#eOi@_wyZ|aMHP>$TYt`vP>vF(X6~?GWnKgpx~-qTYyVPUuj|xWhcTPu|Ka^|fExwuyI-(X;l3W5v2T?*gg( z(emB!qlA{3B~G_{mu+_E!Y*cO0m*K60XtT&-tshph;tty*ud3F1jLYnVE}BWiiZzz z&zP|U?$+{h`ISG@5nX9Fds{gnrJQO8d|4tGLY&wJ-sxL>FAkPt5Jh8|eBJ8Jcorg_ z|1nH|<+6pW4l1P&P@5dKx;4dGNW#I)wlp-yqEV3{fILiEO`u$kd_CYJA))78T%#-^ zRzMv_pX54_rs1kGn?2RIk!sR)tqDv6+>_~bkx-|;u$`1A_xf!az4r33%w7?W-rgZ| zEBw#f^1%S)dDpALUq-VF^jLVX0*dQo3&Uk^Y-HkS5Sh2`#ZF7zYTa2TiTxSZq?fd& z=Yk+XglLN{m?HizxlQmjx9_q(&SrD5%Ri`}(cYYu3;El;s^aFtMM;j|6Y;*Hx+;Ut z?Y!XoyWhD%U}N~yhAmtOQnozU{L@#TV#$EfqepCK`1e5i}w@XiE?0h z>2Hopc_qk})6-T>D)sT143M$u1iq)9!nH{sNE1P7 zAWLJs=_)1A0ms%(Mab>))_TI(j&1zRm7YM>bXG6G=|Gg_MC4z?Aw9NW8?~c&gNvVw zOk>r#Dvn+h7x(lBx;2(wHxWB$2Rh~_sgFuQ7{W+bG4ltazi3e% zZUo04t%G7BQYmNL@jAg#BGi}{0;W;EVYddAD5Bca@)ir%U)`F zwgX4JlEcbO?KU&YN^gNsH=8t<@(t!{wOM`7#C_T{8}S1=Sl;Q_8EK{%#;-hI+aKfc z)ezozq%>pgP}EK5haYa@s}Le~Al>NKs_7|NcY)=}DE ze`cK-yS-`LIC~Z>Ye~(Vf-*^)GPL+fBS140_UIT4!h%dutIH;|$CM6hrXy^~8T;*tir=3z(2`QaZxg4tWb6OaV$;euD2pirDh{p!N9PM@7_}M(W zI|YMvLlpf;dohREzVdt4!3!zcsC$XfPWKybA=1>If43ly-~}tIltc*3YLAu08HdiI zx&3h=ZfQ!TVLtP;;#=)XH0AaA3Rm{9o@d-4R5VrR>V5REC1!ncxmW^Z6s#$B z25p|xF68xcU3}1CV7405`ZL0U|6yQdM%~m56bQIHDd?Px@O11_TEKAApbL0|HPI4* z14Wo!Ujm4G@CDik$knA4r-X|C+l`PtI809Owjvm;Gn)81;aP{}m^bQJpI|X|QIPK+ z^6URM`QiQ{zvJKJ=koiP{Fz;UlmE!yU`HeNtRw2%jroG6XfMJ>Xh_PYf%S*-U3y;` zcEl8Vq#(yg>2AK~kQyfZQ7fjsncHfqYCG407S7V4B*pGMlvW+Cq^cqeSE1VRCC#Lf zd%Fi0#Agb+N2(0z7(^s;PpkkpgkpuqL}$Aq>EV)n1fyA}f?)e(-L&CX{m!q7h`92* z>0_pMmX0wh0R44qc2f!`QzSYDu|r-==$~$3v5d+~!?BCcTUUB8wAoQt+?s>^bUMT2 zh7c;rg0F+cvUjXgv!gQoV#z&(9nYvyF}vyht~ke6R-pINEu_*)duq7RY}Jp1$|i8J zo@-n`MuWYTJX0sNaKBAZ$9Q1)dh$v*<)r0%`F?35!8Dc*Tv>|fcT11!D5VY)8Anqc zESS`f8!jyOa;)P9I7Bfje-SQ5n2}47ia%OSue>xT=A)~1#uM?Qb%rJZJb3j3(WlX= zJ4kh&30B2MxxJt>;|Xuwoa`-9qad>kDIWX4?Ck$W1`o=`Q=E^j*u8)o>XItU`Xsero-SYoo(*{U#8T6x(#_Qd10qqN zWE8^J?#2wWSM1~5zQCdVp8vGk&2w*#F-g?&iKhjbbrrNW8xF~sxi!CGxm0!7idPrW zfenzQvT6|0#M!#C-jv3>_T=-|7O-oU@C~5%<+i1%%5w?zyP0) zWA)wW30e532VgjL|R6|3Cq59(^qPLX#ah`nQdIeF{v8Qic@kh7c=chG(FwD}@{D+m7uU^JY(9d*>3- ze9azOoJ8nQjvg>>6yiCdW`lq%S7E}e*|j}z{RfbTJgsphD@pm`sM^R8+t>xU*HN^K z3%D-P8f8#`f;BJ3kVM`BE% zV&9%}sTWw$`h*3LgIRc%O=%e)@vy|NbbJU>q3g|Q^t4(`m>m&QsZE1I|a zq^e%_as{!8=}^UmlXOvUUaUETN2%t?8TS)iACt-Y+}P)%0c!bd**~z93w54^SIDGD zwuthY2!Wq~`M{r;Yr?bmoW+d}Q7t3K6>csffoEc%(xbJuwrR1_fmWO|$q+)eYDah@ zoI8lP?0nfQ0o^avH7@$NhaiMh=5T&_+ge>VQDe?@IaHJbwFCH2!a?i*v@om1L?7bD zBD_+o_Mm=xE-%68DZzd`L zEQtCZld>gP*-yJ$#bWVa1%j_)i##Gg2`a*j{SWRsmY^(`AEEuGL(Ph?W~?KI@D>kB z-Xv;S#W$~wwdvR5E`BxliSO2>(>jEH4eNY-dFrA(i$R3}CUYoyB5MEQ<( ze9c$+(Z|vV>6Q<^p*_L{;w>N)QZDgIKYAj&o)NI6nmL4=$!Gh z2Y$+*H$;YBo9k=Kot*M!-Ek%%N>0~sOSb>&S=2*;UaMY{!0NDPFn#3^0kFucJrv7! zh;^&IQ9xW|uh;tPcZM!a&B1medv5TgHqg?HIL&JHVMMp5yF&d73xhX3gFMe8gp%Ky zJ}=IK5}s!SgffLIx_4ABMgH4|d=!1_!JIP$gmT4z%#;=uH(I%qsaC=OeM!SS3e9M2 zX!+H}Gj5OKYLYS|%8eA7aj**m#DoJ#c$IDk=&wbHA=qoC)GL#rMYlv@)x}$9Bs!9) zrJDXv9ZcM*?Sn~f74Lemwvq9!93q6AjLyt+f!~G?I^&X!j7SjWXznds==4VmYcm5I(=ObvoW5aKi1^%_WqFH^1sQC@DKUz|0cia+`r_f zul$?*@Amu{$&}KqM6z^%1eD!PL3R*K=y&bD@2BERRV z;kV5{x?YOIvtN9CNfkQ>!EJTsiqa2qo-Q=dxdqmd=V&%*>5w@dKTc$}o^1T!B?t!O zyyJ7a{qCP@EEHL(fVGpn1nhU8%qOT94v{F$wtBh4rY8zA;bnfy49D)q=s2C1B$7ym*8V!olld>Z5_kK z3;Oe3K_QCkbzC}o|%ZJ~Qu7y)nPU`mWz zPPyp2dpL0*B(Kk63HR#JTW^aC^#zlgB=N86P6*6|ix?&~(IL7ze2rS?%{OStUa;KN zPsbcB^&-TPG8;+Mn2Y|*6`xfxuAZE3QCe&fhv+#Eb%qt4L*A0u5U zCaB(t4rkJUL8?FL9eqoEA9c&2$!Loo3t>RpmJTriJtS1zPNq7v(IUMT2;&#mEyeBb z=1V6cnVhRj!t$BsE!O-bUo&8bU}l4`I1Q4%{LC;#RQg$t_@-r?yvFwNTBh6if#bWl zgxn=`gLd~MBQi@(%ZJNM$ECDJ^ZmJqPL{6RGgk48ZYS<;HV!s!!>dJa6#FDosZZqC zuKon=90c(O2X_`^P9AMnE8pI0@Dw`K68O7@)uq=cN=F4pDA%)3Suny19lSBEe^wdz zW7)(FKwx}C`^3PWGuDamt-~N?l3C6ifJsD3&5SQKN_^_~2FrOi^ilLB?z1gE5sGo8 zK;d0A>M!tBKK=6TPJ7T|Rw-S31;f(dy z;=BmtaM;2AssL~zr62B*@|t%kuINcFLt8=lZ-%Gy&Z{z7FV;`&ZKT^QcN-VohP^xE zlnxeo+7kK*FE_JtElTt#U+VHnZKltbw=``|?x|T4YD$FqxZI;!=UBL?WQzV~;9q@d z0oG$`2a`rJp%twdVJWlLPr{yoL!iK1fQyW!oMM{;TAmf_OnNVpJHPRe8q}4;=NHQfcVMGwNQv zYzs6sSxF&+1im2$|8VuVs%AL=pI$+FzFA$SKfMeBp`VnmX@ZY-n{0(W8BOKw21D;B z^lx`e9~+}fUdYK|HUWwOSQ(#mIE2@f^rpn$_+}#x+o981dXGGNG=_PI;A$UqA&1^#C{90ZAHf=s= zBlJE%(aEvHj6w8= z{C59Me#C#sZ}&I(rQQD}zt!)g{Qte%(@0_1)cqhHP07$4qq%iCBh@u2rQ1D5K=iHY z)x(HOBnn-HV~90!A4wD`&Na4^Hup6OQS?0nsBoZ0#Rc))%K_vmWzdR`2TK8+RZ;mN zv)a%h*hrdg?QuhaN0u2foubUc`ABtso)PK$B!aE|~JqE0Mtna=9|*zzH_>3dj&74p~HjW3p6fWqA{)E|f9`yBk^P zxnF8%+U6`_*0wsGOd_s2r_GepY|xNf`|fY6yErRGqz}XG{n$`r8a>-I zKHNo?WBsK1YOwEkwb z*>3uaW@xxYdVhDiKI!tp4viIoA~53jXB1HRQVdZpb`kemtkR2R-TK-DFD(C>>6nhHZ3~W&0V!;tVWJGg5i7y|8G7EdHNyu7 zF_bOEw4WxUIQ?cp8$m~6+|1Z9^kja|AnjXy;}WE0b3Xtv--X!y3H>=A=bGheyR7zi zrD@-?PYipd(w!TEcG9y3M~RD{YGZ@~ljZB+WE{#mjvG6gh`q5`5ih=#?oL6$_3(Xi z)g<*h!olu#hUkwbqQgKGclPK~Hu&vltW+9?rY5*+d*D+?L+P*$En_HT3If8`t#V}uDqel6cP!NE5Xg5p$zor+m%1Z%7_}vP&EQxAT$>=5LfQ1eg=?f zu%!vbocqHxd}nE);cld&dY0u3nOovPi&F*nkE;^zY-^Q7e!dEB2(c8hrc?ClcBLY% z$%f8BFv#L7?MCA4(}tWOu&>6bL%UzZ{eP^gnc>z>} znO@ynEB4Ux_{Gk$S7q?#;bRY~Lloc!pesq9apg2v_b$+M62wrltJN>O?Kg-~P1Is(;-yqb>6&Ym>%NW`gufk=@D3^CGQAV&A#C4mVl%_;uF?chNn zeAhubR3LBRy~$Ej#G+Un`>s2^1y?QOBcAfc%l*~zo2=noF@=6!5$Gc#8($9ek6}aN z)^>%NcNwn)7ChJaYDw}x%RT6>dyY7)ay%40;=jKRV!u`;hgua&tK(lM_ zph$XPR@_VRfj@mdWCTOOV0)sQXY+X9X;t2{41B$qWkbP%tF@k zbyRKZxAbK`&LyRsn%X+Kp+$T-f|^6Wyhrv(0e&XT+|}54cYm`vw%#}7pVU@myk1Yz zBB|ff+1Ofp;G?yzTCE9D+83{@CoBDlTTUkRG7M;21U6L65WFI(>9H9QqhQEa5zi=` zgW-v(92V^*J-{F9BM!er9v1ymNaiG^Yo!ZhA)`d7rJd}k0YxX@PflhBZlZ1X=8t=8 zQtDzfj{82S4+_L%@RXSGYaB+CIBYNEDBQg82%h!OsCuXSqI>eptl0W8VaM3?t!)NX z&#@s$2L!a0m4AyOW|O0{c*PwFbOLc{7(aSOx2w&j!yJHzH7-3X3}G&&SsN@ z620~b>?cmyd}AM`wTqUhq7(mI^}tb#gd9ebTx@K0>DEk6J>EtKAH`O6RsSi9O!$<{ zsAb7PGrQ*9-aHEha)d~|c|XM|JZPJ3bKjtFL~Ud=CDkwAs}6oe(XPODT%kqbux>s5 zM!A~DLiL%k-itVDGxgAdVybcl&gyS-mkcnC6VO;4TKK{!9<1Y{rHI4N6m3H+YeC%* z4wCc^z=0O3k)XCQ#)l=Z8ja8 zV-1*?qimf%6!9easTNuF#M(Nq3=_r3HhGqr*r`_<3$w*IPKSa@{`yf>yD*VG9%@4M zd+U;q*{{o3<0_qd%vQ%jAtuV$vD1ac(`-2cPn%(2(9L1VEC5b3oAMag&uIt4(Tzw! zb_pX35H_Fv=#t@m-?}p_^6AJ|q7pFs-as}cZ;N}BDV1vO6Twe%-{1s7#)n`xIjX`p z?yD&$6bd70ZFrnr8%>*(VFW-{#z4icEz?V_(U=Zw5nz{kXh^1a9apQ3*tCi z@IP_qe1wY1I~zp3vhYK|2#t&JK1P$j!WsB@? z)13qv)`wKlo*ifOcD|Fsx%Z2Lt{j43KJj*5b_oFk%B7>?SA%^mfX2d6JS0F?37e3$ zFsX*nQliM2obSq_Ym_Fr z1vy?fH+BjOV@RSXnKw5?6RuGqT`G7Agp81l=@7hs`sDlJr;n(u?C4ZH&zI;Q>rzdcFDe)+dKaYokXzIBVz8wtM+5>t?M3z7a^)$v}Wm39^1#UiJcwD1`r{Is;Qw;TwA~-_ANBpOOJ4H+WDZD&|Bp)y z{-gx{RAl{K@jqOG{Etg){&tDl*uO4`_&X72pv;~z_`$J6A%%X0o&A1j4-(GA~?qVl099C4KFHA_Q)pe? zWidd{1?e^7iNKdw27y1F#q4N6<%lZ-SJ+8yHE%b!PzSX8R#y^Q+k40rmqiWY?OjRi zF<0Ndunq{Nw29Fje!A^5ru1--FRrz2IW3=A2$hjgfE-fZO*PUXmC6mGo!PxVoNwbt zy-`%Nnk*^_)$LbYCFGFQi7q)pa2LJeuF&xMzUU^C9}x#FuPIR$V}%Nvrk64B?N~SJ z)KcS0lA=B5>8dy;(e^!rb7mR;MY1J6tLNBc)9q8NRpfJDEZhEtFP4``DE34Xznu9_ zB@rCEws_5X^Cv`5iC6`d)cBG z6UH-5;g=tUkvSz5$)d>-jt~jNM1ushGV+(T;BHOP8{eY$Kz`;Hs{j?j@dgqTI>URi zn;IJMM}96xad~N+rqEfq`0MD}!<{1*7I+4vxf@9Yg-g#CU*E#){qPSQdcA*7_cYw= z+kN?+rx(pb#Vni9efH+Uo8rc3DqM-P1I}zWGcI4KS9RdIm`(6)Xw{#|Vc{yiy>0H& zJg99ZVh&7u3cxRbNeoK^%7a+LO@aSWYnXC?O`?z|-a)|Xa|BC9#OBh}31^{wcrJ^o z5_e!xdTe^A=yLphPcvZ565zO{rI|d2v$TPpj)SX&M$krnE_rDF7Z;hx_hS`b?~66o$v7aZLn{#PTB~8%TOxQ z8!FHHnedL$_viWG)H;%pjG6GCg3>Xb0h)ZT2*NaYheB;mn&<$(v15ba(!lm;6g0#l zXaOH|HMraP%DqtS;xKC}$Dy^?C`*t$a*;+09|n$rUT1_12BJ3bW)A4i1K5mb;0M4z zW!M(hF%W@ld$(eLyl{n)s_+Fui`#;8rA@kW(R)gs31Ts=TgJK_TqAlVnsFGXT}N2x zxuT{6{#x{P*N`*fjvCCxv^W{voL0pQG~0^!ai@xRsixng;<$t5rCR<&1Y!9dPf7V8 z9|iDf`7IC2y@qdTkPozRs0@*QyRR_A%lKfsaby`je||UVMQHjQjqt>H53rwcquO+x zQf2di-%J9U|HX&i%Xq;PJt7;i%60@uYmyBxSbm&=C^x;4PXSFeGJw1oCs*9Dw-aRF40u05ero?**59i>H=aWkX+hA z{fp3{9^iIMbRW(@wHG*;qsVF(wG6!f^dVixpUwP_=X(X4^X*kD*Yos4vJvC zHaPS{s|g^qz8|$cEw8FMsLfAn*^A8Qy~>*z$pwK3!APNI)5!kPZ3NRBSOp7Jx6>Kg z!{KsEcP+xrfd*2q^w-hSI_c(>>1%}VST??;AXf?Y=N5%^3W_;RdOA1DLO%wM)NNq^ zvev-UyJDQ8P;T)zA9m(vVx+1;NcLBgS<4#;Vh%oM^g5lNR1)m-oab>n;ENFb(eR~< z=TAY5VO+nM5~1&~Dj-L`EdLeAaGOPrJi}qK@bVm;$=7}akB)d zU9Svu6f6Z^i2~yDmK2DCcL9sWLW(aS-1^H@a$Ib~nT@1GX+hKLV`2^dE%0C-U!YYI zXvUO{ouVYN*s_-I7y)thKB*H=Q8)hjC3kka0*UyQwd8;w5lEV4V%hB81y>DAa~sLl z(9qXIhbfnVDSn(v>eQ!avJAe-(Wmh-|Ag*ozSYIZKlK-}iE!N*GUM;%W7bK`GyxM#dX7D_M<&@MNW=&Y z868a`3o|ycPxJWrH^kMm{u}CCwwyF)9Rt1)&r|Hk%Qe&Q!S*=jMWj zd!0gO422ET+T577^+OAMxf<6ArWcD={+t+}Gz>0pnSxb;$a-cb{a(tEmU{8wJxlsq!S)}se!us0y%e{UM z-3vH;U}*{ff>fN#k#eq9Eby<{dxD)*Zt~9Uv=!%j(m#dsAxgGc^73{?MC(FnYxSul zaRMAaqevc1leE*$c^9Jdc>oF7UIfq8A2t>RmCWy}Y7JTp?Wkk9x-Zt0(tUuDW2`OB z9N^^gN<>-p5RvJ*(L5JDx+XT=9|(74Nv%$+j+|@(`uW;&V^>gDfMb57XUxpNs(->O zk(t(+uAUU?C0YVCs6Nrt3WfS8BivSS!10ut#OP@FanLtYF;QrIaF_EX?mEu^+E^?Z zH;!Dd3KLvmbh-*c+|)MJGh?I(4`)e@e!&u4_83OaBe1aDc^8)xheAVA2HAiHYNcD) z6=oS$+}kQ}cA2xeQT{TOct?zUy6*|ynb-(;0H{)-J$go;sVv0#Kt)`aTHk;A z!3IOR0M{`pWe4bqz|ckitiefHD-$~5+2uTuCQBWpOu7Hp&!zx$IkV<%RpnjpQwk6A z2>9n^`>lze#qL=|K?~a7lqo|z;-zozZ4!6g?0PI4`5wZn@Sd(&)K;mb4bQ!4jnX0$ zf*{pm4}t3Q@-5<8P%^0Nl3$dy$w!@LSY?1$V$<7S2 znx`oChD>-<-L7!@ncRzOIj>l5zcpoTH)L0}gUj{`JbF}@B@m>L$pB>mJY{EtoTgX& zK|hDDHM2M~Rdva`;F}7-OlqqEV)st|MaZFomWM@awT8KTJP`Rfn3J=uu4?4rF4g_7 zck8o$N}Zog6X10%`UTZ2Z@CfK)Y!qoJR@yptwc?M#V!tpW-~RasmYOAX}8-1x`(+0 zb9l&G`BNVm!lSXI7vg(_f+JML+4dXpM#xuMqT>o+*DjP|nh<^Tgc3+Q) z5P2P(!;u6XqE=9bS+Gu*$}Xrp|CX(odRqY!s-2k4o2=qp2U~OaOS;7e2Hr#bD2QE) zfHHkkba@~T+zZ!hMIo9$dtxjJZmw1%?l+O6s6rEoE}AzJl6%Pxu7C7M38~lUhA$>8 zW1`XUqh&H25V3w0DfUk@xdp+89n(H3xs$-i7VlNSpuHoQ1Uz;X)OTU1TuxSub7EL* zNz;m6;9zJ5CzKw@5%&e!2?Drka3ac9-5{0??LUe2J&UljP;4$>;qAsj;6p<9MQ4x| z0n53XzFB&I!d2o=CT8&TfTW}HqEoOFd70oiQO*MBxwmSk0ea)A^VXXnZvkH}C^Bj* zjlfnkFUI(PHcgm=MHgE88mLd*PrK}wgQqHNp;K4pxD2Nhn(iHx``GXk4z_;SvMl?+ zJmm)tJ!IbmAXO1v3VO4Os#O&uZnt{8xhGEKte?I&CqETJ^F4vHF3%14+BQknXtHs> zZDcE4UKKzgHL^u;TH)!+OT_Udkb$5e63J^a#!v@pPa%6fd+&nBDS?E2cWAaKkUBcK zY$yX5h&kz+)!ow;27juWxkIh3!mk`ybnCy$82J~OLb_A?`W&qz12|mC)JlsnC1ssJk(TDnF#Lkp z7($>jePL~y(dbUSiGQ%6ch*I<-Qu87)E`U-knyC+pN81EHv%kT=uW6{}SGD8W7- z{%J-jaO9DlWeivg<_9V@f6!;2O84#AAhyS(?0mH66z*23~bKi56Rg5N_geVlUTWC*;q-ZPhUnGi! zL-KI#8Q`|SaVw39V1WyZH1MWZrMu)Ch2FcD5HSVnddjhED@pl=ju_>x={i^aGj#bd zSj9CMQ4G@GwaWC&ZvY@s;*<-&iGdq*9u0wf3+yUN`<*J#AbpO%irR`SCRt?o8s;h! zqvLoS3wg=u)lmTFAC@y^y1D_GI`y@Vcz6lG6pyVRH%A4ZL>n4SU7M+{#zJ=-0&Y21 zh?#j;CZl@dUlsP4K&p-Uq>m_eowsBfc^{12=Bz8+Wn|`<#3>co;EqGM#{#h%V0Xwg z5J>iUCKzhS$V*7XPw;GX?fE>PI0%RCC#{^MGekxJ;nHEpY9GBxH09`Z-O;wA7%*VLcWM_i04c8^FP!wK0{4~OeW**TE9Vc) zgk@2^w5UegS>Mdl3fzT1oQFP3WgMZ~wIh5LzFj7%*qQ3x@@pOvM-Terl92y&iPY5} z@|y|$k4s3urTv*mp-lg;OQQeVC20S+#PV;KnD_nblIP!-?EYVW$_<2|YwdP%%$=R{ zg!>fr#*`$ooMz-|AD0C-@C$d=U3$*5)8LcLqdEnlG)~-0U4xYx_+D|- z!J79<)E8OGle9-Lr2wflNp2y0+s71D*#h9?^?mb6HX1|5m8$`Q&8OjT1>pbT>m8UZ z+tz5?G^^6KZQHhOqtdo*Ta~tL+qP{x^HrUAC*tmVZtOqs#aa<_wYK`0WAtGanwyDx zE9R?PP=6*-Bxq%U9yhhLSlFqmv2bH_b(ej~zLRoMbZ&xWtR%3%1xgBfEIN<=<3Sj8 zJ_*srjLgdj?BS^JjZz=+aHl(wLkbiF+fl#JcGNjg0zZ4B+wNlvRjx9DhH$tKBHs#bjMbgL@=_XUFJ4kq8^s=(*7WB?3knNypl2qnfnW98$;ar z;T?^S=!nd3UEHw3lRa%aj({&XGt$ohid` zZyX9Q%=02(5oGF#iuO(J4ufG6GC+A%#Qw&$t~dmNQu_nsr>&Z5?M0~lb}wbm;*EI1 zj_EFLLZA}7QaQW}wG`CM5P_>y>XSIv(qS$f1c1>PcR1? z6*&h@?Kp`HY?!?-^QbJ4_(uE!m61i4d-ecm8gwp=_7%2Y^iTdezRj1)Cl-cD^&~)F z{B~>ar`JgH<_;<;D%y&O6PZ7EfQrc2*1U%#GEx;ETY-LP25$mouO4syN`X3(15_Fc z)w68!%dy}|#zM15oWO(b)-{a0+z#FKb#a1;UfyG-lb0sm4B}_yB#+^9TC{a3GLC8H z*4ZC z(bwmQ@V21$w1d}ETBa4JUT=tOyMa4NK<|(e-mAaLw@m>3WvPEA+!inS<8?Ce0=<}$Nj!!hBCArb<(%c`-rWWdFM|ly#?9w zPPt~vQ=ib*1}O@!l##jV0^h_ic#HrQCC~mrfj7?SFN8thAXT zuT&vsaqvU;*F{#%wdZX|dTvH#ge*;OCOu)Ann(3RqFXdLAj2m&WTxWjT%RC4OQ_zy zrT+bk`93)^`C&H0wuA5Xw?&~04FX)hNYugG8O}PDq#@0B%%j<)R;54)bdr}u^NJ0= zxAOTKDn!|@jzPY*Tz$y2s|KK3+G)F%HV+R! zja;Qcoj+%BoD;$1Qw$(im!UN|4~PK0N)}WY`PYC3hb-mGokk(PIzPuSbWwQBbwchX z?@$%Lmrh0_ybg7%D4~PmdU6(-R;QI`^UXc-&lXp42IlDZtouEA*{;|su>7=n6324^ zI?9?eccozDNAbgp=VOcd$Jz@*&}C$64}*o?M9yO6ck(xR)SehRVKgJ>iekhuJ8HRC5it|{y$fx{5cD4 z`A_oOTKt#%Jr(~X{}9YqGek&<(Ip7exMDG?YV|Q_L7_rNKE_~n-R0FS5Qd{A z{^eRX{Wav%IDczDjf{xZW@g&mz+IL0!2zAiVjX@ez)V?EZzhm$%6O~`kAbf%H7%V7 zwM;nDEB2>Dqb@4)j+kA7B)^h-k!cv1>jlHa0HDyjV$JDW_&0tLRUm^6AUR6&JWoUPFX<`h{|(n|Yw*no6eM=GhlJ)mBsrd~>Z((YD%slYC_{;4SR6^$Vo7 zsKR@))#Q&D;!f1!+ZLm_My)>PIvU1R@Cdtl=C&eEtxGgczQYg}jMW)3x`8d<=oPYb z8_NgIB1T=?4Y2msT7}&(W|+}cFIu+Om5Q+BcHxs>SSYj$H|45=31D*;K@MgHcJ1Xu zHia@W;agZTYbDHFn0AwI+G~Ys>6X?3DI*AaxmjH)bq+g=U~q`T3}glP2P2390iQ7a zE4AIP8y4D-kcJ2W7O5RD5U4l?wcB!}p7K@>w`g(ssF%8;rV@i*Qr5?exFgY=ceZ9B z6awlXQ&;e8lBOVo9GJ}aDowwyufTkU+;N&;;n&jz14|c|Un$$PIyV=_gs<^AS;^2U zeXzQM>M&U^O3#b{l{@3VbR9G2uoR?m*OJcyOhCn)#pnu>vjWtwA3l_`>B9z;H5tQJ zTSm3k540>al&-)`+BHn|0}E;3i5`(V{Ri6$H^NQWBBwlvV_Ys>dO(MC1IG5oLa=Hu zj~MXcP*`Eysf-A{zAhwN-NtV^URjcyJW}e_@~RWtfMv&_)4W^oXV|+9c^T|NhkK~H z=fQ2>0Q<9lt=y;zOo>*|XzVOV4<|BlFhGIKJ;^(^K`%q>b(X?m(-k2}>-kqrPaAxg z3^*ThQTCX?6p=zZ;4Cf1>73Unr&_?Or ztvjF`*qq-i`VP*~s;l`STZ*n^G446&}0H!J2jJBas>5dq8CqN{NCsPE_x0 zRPUCx#b{+-h16xs$oP_qLU5fIaeG(8|CQhZdQ9YT(l6&JlYVncL!?h1SjTM)eAmAr zcyeomf>J+wRwKQF=D&h5kR3?XZeuZnsq^}a3n*)zA3SrsBVgDs`3#O*baTBQG{i{& z1%*;_X9|Y#>{4$1btMHqYH#wII>`Qk9lT~#ZH#|;@|0s_TpSM8_&gO3@Ig z9qTqDOu!pX8&DW*y{x62L#`hT)d72A>aSKL6)R~(a_CtRb$Ku>!lTV18=yOMB%iFL5?6D1^Q44z=Ce zAH!{@l#S&`XIUCI(wa(3BkpAg6f@~ogq@IbRpOX<#AhJ@wg*9fHkXA+&i!(S|9FWn zMF=+Pi3Zl-BBpB8#rIZ(-c_~|%Y=B{cw;1zj{+Sw_YxLRitK9x+^>KK$sZvU{_}AD zIYxd1#nVw-j%k2+B)Eo}bPC0h?MxlU&YeP?5Ud0;rpjlyUHv{kjf5!3%^dOiMoo6$e_NRh$`{9TcP`*Um8|GgrW_3tjh_>W60{^=5D zg#WsP+u)xrIfjn_^>;1aG|x~k>99)>m_{)j(?Fa|Dw|hK-A+nltq&iN#&P7vPoPK0 z%o0E+&vZ+g+C=7Mk>H9V=tVztdP}my*0$87pnW=7NCBWG)kjaVVc+q6Wa*q%0QDru zCtUtweI8xg&dp!>Whz$L z;@^u<`}>`dSa=;7IuDt!`dG*CV_#@SWuBLZfr_0)O{M@Hc;Kh$1LCmNUzL#UZpyM0@reTipMV_k!9HI(fS}T37 zJwgiG5yl~v^1U37nuWT#pZOM(0qGkNAMP7Y7oc<(WBb1IL|c<&pv3yVaeI6S?$dVw4XOG@P(Ow=_LSo6Kpb}k%R{-fIka>2E+pEd)__idabcUwpr?D+jdq#*5MkzNb z&H#%C5puEE5t)>%_gEa1QaPHyiZ8|t}zg9@iYGCV*le-llV z^N3fNp&OLKlfoO54)NQpWidSjD{+%@9v*v?$2ROn*3pF8^ror!f8$qZ2KSsVItfP>gwhg^(o9F(k&ZF9)`xG%Of?gi^opN zGp*j^AK-(V=)&o!!`e$>NGH~v6bcT-jm*O#*et*T&1IYyOCBuJidC29jZ<6E!HxSi z&Wf`6+fTLgx=AzBX7u2Z1;;y)J~1V{b2enUj)M7vt!XoK?p|EGUCiprYdyG;L{aN4 zc8vbx(Eo&)6&JB+Dp8nt2i5928n5@G>xau_MBw^V0Q&N}%Z6b*S0$e!nqqANW*AiH zPS|4l%22Tj)wO1j@vV&0HOw6-O#udy3m!~~FF1*-URSCRjxp;1FSOp_FJDZxC&OeM zsw+g?Pl{TghGFmIkAlXC(LYRvz#SZ!=hAZZ0`#p%bTd#J#6a);+~oABLRtFLDDZ5T za^ir;R2Ys5CFm-g*tz;?2kncM9oK4?98HEO#f|I}@$!>&i}5lP)BrQe$jn@c`>him zVPH97K3Z&x1if98hhK%l+lzbO_dO&o-|ql1uU(l1qj?NDl343q^kUfre*N`Rh_4zPptlY(nf+UXpx@mz*G%_-)EVIQ;cF~15z7rlUO zl;7vuPivEOZqqVYA^kZlj3}GSpaum+zoBjk+ojVLVEvx zV~6zztxJ5$Q>k@a&3?7*JwF(Z6K`C{4PgM+<3N)0j7bbObL_AL8%V-2WP?K7a=Zjk z@MTp8TF&dib2LT~9Ip%WGnhe$=d;c3(bu_KISoaX%(nKi6|DSsyf=18W1I51fjc z*6H9642pOlsF{8#2EAMh4tKLc!_{M0NxUks@Dd9%A;s-FEal@R3D$(ui2g<&2oW! zJqQ7N)59)kFmote#-NfTr-00LjrQ@TIKQ|O=Z<-7n)RcV9p*x3cXthP)jn_fHtn8R zcKh%EN~0J!#EW6O3{MIs++&T9fJtUcG6wS`8vyU-&DPqQDC;tG$XJ0-8N zYX@#~^Vu4OU&sw*a-+<<@9i53e;x(MUo--^ZPUA?~qvE}-{o3H(oa ztS8y!jUIBoX zR4uoQkJ$|hGd^swPV2ugB4v3*Nn!l?>(&v{W~9dnYz#bp?aA^QEJIaxkjbUpVxH;f6jOmF*qbQM{oExe^EO`SBD z-%TmS@}@m{j8w7^$yzbb`t>^wJUVpwMc)W-uT5{^GoU3)jQu+`03tqGxFT4M_LN z_udua+R&2T9Vi#zvUlRzK6|!0p<8r)@;QBFhqkk8QL_56;838NET?*omALZl>6pkch!r;#h zaDHk6VqF*lwqUljG^nu-!J*)=$Qi&th1Hq9j&_VQs#zXF z#KDQ>Ha}T32noQE?kz%`a~{r>@po8{OXOlM)z7qWCaoz@-E|qto)*X4oJ^ zHTwfaP?ed7+G`D6kWse`DW=45V!t)?Ss-1M!C!Pu871pzpx1y)2 z^AwK3dl?I9Vz+RKjl2tyKF5HJQ3&~GvpdwPFuo^+g70Y)h39cjiP;KEPX?w_M7%}z zek$sy=`#%K!Pg$m_c-o6iKvhXRiqK)ZzGVCFpfd(r|Eh3Gbo!G0M7DE>#y)#_VRx9 ze+ML`{P@nAC%DweMKO`0h%b-w5r1 z-Q!#j`My1S4d?hOkM&;`OGh|Dqol8iXw#zN`m-#3;j5XwG7GgTds%la84=v1U=DHI zH4Rm86rkgcki*iU!m&9pVuaYPY%L({Z+vfv}4lCiFw`$L-%cHWcJMC)&+pQo#&2 zKGJ?d!kUJ{BLmaTaoA({K2oYrfEo>#yJO&-ZzCHpzGsupH?2!!8UNq7?Y0`NAk#@Vkp&T0%&M8{WeIHAy(=|%(v;-5T?+O_8N_)oL6 zX;c5W?d&t)Xd9Tkkd{QrQ9&5*W-EOR#_$z2MT@OuyfMK5^K*^@D!xj5Gc+?ZGQR6dhwLQPxbTyPPp+TSS7%*a4kIz=*WIG`8k76w?drH3?@+=^DJagf)KML}_Mj&!f4t_0N4+XF66sj#doJ$^c)oqx? z=W0e=K(4;eyUCznokFh=i-+7+*O@5#v$-2kb~q65Gk<#+!8URbfitnos`kQ&((y6g z(d${Flf@V3{lLs%_nXH4Xw&(FzV2fv6B`EFXUqu#b zk@c0kh@7X?v@=2o?macc2W~^;53!H1~b zh8V$8ed2!XQmd3%0Wln3f`$T_g+|384$(D7U62g}lkK4_U;2aR=@!#T_y%+j>5AC-^^hW4#2D=f=gXem5VRP9Yc{I;sLYe z#zU92A(93V%(H6Dg9W>Mb$q7vRYYtN^945AZh`}9@{o$<#am=6`Mru* z7+ZtAX6S^s!`n2om{f=!9d=p`O-@QQ=iC7ES6PzT4rP6CoQGY>4;bn*wup zhkC(JFGeQ#+v^qOQg{(HgW5&>8BwiG>zZ@AyJ?ce!pi0jDNnUDT*AZ%zb3I?=J+-| zlx+i=K7FVrUxm%zq%8+QCDBF4u+(6z&uI&4H ze$=?pgJWd~sf_ZUj%@l)ni$y2|GHFte(be>VTclDUSeU2gFO`~rAO5?v{Q(z@x`$T zdCJvJ_;{C6N7*TjiH-3)F!KNnG6d5Uv|J!&vV9w>UTmG<1bB>_vO#L40e*9;7JG?( zX55^KXKJ$J%9l4M+t*e`SHpwRW(oP(;4Fl;dQ`O0cm{2oTZ2> z@q$2HRi?Qh-_h_B8NRG;MIiMv6=&aldZt^Fd!gwm{HBLItc*^TyQzo zq?X&Px>;+2irA$gIpya|K_DH7M-7TH=t%UzbTI~upr7e5XGC%_>F0LfT95(H1zMIF zT;HjSJyb|}(6qooQNh(hA$2;6Fo+6{4l_FJP&wk&!)kr=+g?8$JF3FNUQK48-ZN*M07DUYgqP?O1n)Qt09Mydx?u?)!o z%XSPwi)X)Zx`Ps&GCqu=+L}RcNNItiKmup4Iqs-|429_}yA?&NXK=rOryIO%6Hx&2 zH!81LE0_GpwDlMD_cGy+jpPY^3JX>XMWz1o8$9R6lRas&PM(FQ{7C@Do(N3?<0Dq3N2>l3!)HjBUha@?W)hI(riy$7BSi$+rAKKR*7D-egYnRd(qHNuXYnx z?KrX=2P5E06>(d?k;2#^821znRB1!$W6Rk^71dD15?`p9)3?#GruR>v!5Wmd?rjch z@ZCNqq87S%y#*2MQ&af+8UYZ=BTQ8d)+z-at zwSmWA6LkX;G4dg&);8Hw5)`CrkJ+}|;4|*G=*&x&6a6h;Z#4$rSC@I@`PNr2Tfkni&D}Tq z{*DX@@iC*>Z)9F%6jrO_fR!{r7qE^b^rFsro{tIbuWa3-09}kM*YzJ|6ienV`T& zu@vYe9H9~T4y@faK<=dqvI_*rJxn=DbHml_1kQCliP;uU6E$P-7Nxyb_L`h9@LGk(aYkUw1iW%$>^CWK0ngZYQfL z-HO-goi|$$#J`E$H$;EdML4h9e@2Mg0Je|O4myy#1D{QL0d#HUoD#kLF{7KIg(N(F zXsio*$023B+7^GoxkUm$lWQ0mofj2BX1)Bd1Uc`WGI0W(wL+hx({UA0XR*FFk#_%eXohOI3n6AHJgyN#=J?~gJ(m1H@D6XEuPJlDcA)IL0qTO>8WiFD#ud+!E2_?O$>Ii?i46eqAZIG zpJ+Z_XbwYt-+&MSOS|Lw)nYtJQGL2GHlWpWBRkYbRyp8nA7P=VCvh<0E$K+k1#YI0 zt!ip#QOP@Rc7TNXitoe=!OzEAV}wlj5%m5$J@72|oHkp#M=v?NkDWZ;JMY&@KVn4W z_r2Agn(w9hh)L7*`;V)|U;Qvs;=k!=8ywB)GWCv-Kf?NX7zraE#9hcLcLsMUYT*BuB<89_6hX031&&YeUI?&%xY+S9?gC zo-LaBr4S`Y*h|eCSe}3nor=XZTlH>FG}>XKzH?T$ePWY>VKat=rWX{}S#?R9=0L`a z?D+od1s8k%2;)2jBOdccW!Ic4)hw93i!6I>%U<7w9Xb)fhPp4ruIi^}$o*zu4U@I$ zF^u_?Bk-rAh<5+cmkBm9q@^wc3sl=3djC z+L{zf^bYMC1@~t`BRmR7$!%;)1y1VMPc~0c?lB`D#5E{7Pdlc(m{>E*c98A{o|*Pu ze-D`_nfkTIynJ~_u-QgYMQ-`@j*&m7+k91I@wOgJc^$u$DBv=8`Eb4F`zSY7&Vo{p zjs|9J=wEJL^+=w{(#FPem0#;UtBRMnR0ZsxQO^~F%OFT0Dt$qAX=9!%J;U_?a@T6E?0-qWt zpjV-?090eKv!Md)#SU8gR7KAMiB{iWMrZ4_a9wyVZ{}EKdU{t(P)!0C^*D_n#O&hR zp#nwZslN$-)3O5}x&2sq{Y(C?e@ziUmVe3LF#5kKf`Q>rijchS{NEJO|L-or{f|qG z|LKx=jsLo&B;=ni$#bS4TJ$f8WlJ_Z#5r}+TU2Kdob2#+azvpib>@j=u@$cS31?`w zW_)P}b4s7_#80czC#jqV-hssa{-6O$i2zIX@*{4DJwoggT%!K2ofF+2bV$f z0${hNuq)&KP$!KZ?d(J?)hn6JsC&2KSw(9Rm)F#M?~i?6h2JZAPURZbC5Ne;lOgr@ zskI>vf87OuQ4*qVUS%+z5yB%ym5^6BeT=oF8T0xqpCUJn0d+e!U4JX$7rQ6x`5?O? zpux*Tp`=P-2-y)&u~x=i{PsJ%H+7jr8Lx}2X}I=m1t7D50)d>;AlfLo2~vBB`SAu4JhGe;P@I7+HD9< zc$J$T$E?OCou@_nGyvxOE`FsHibd%WQkOZTYtSpNy6T)v4pltYJmru?kizqW%(m~H zhsj66F#br<(*Qy(spMfQ8l6kHqqmyR_PQtp%{}JN#ZBKZ*$_Dn)(6!c;7;8u&uj2F=cIY%%n?#I`V?OMQI z{XCV!p(Csl7r=w&ahgI%|XjqY&mtTpeTzTAAfT z;}O8(Kp^bY(s}19Rmgw~c}$!wmAo!%jEfTokdUG!cYUC+z5R?#7wnJS1Lya*D`jOs zwpsf(i?+d2(yR8Lwo1np?<3Rw)}Tp~j5L zwJG5)D(R<4622|uA6eb+i-v8`&&I4`v&srjdy7B$ck57flse0y_MMHz5^KSKI>T*5 zM_mPNW=LgvWgO~gj7DAjx%K}1>N_;#cxE4RYIsseJ|iponah?(rC*18%x990R{qcZ z7SN|CZUMBC5fEPxl)h5G#iXJKEcAIzW|isf6eXhZ+Km+rGwzgIw$cM7^O#+4`B*-Y z-dXlI@Yc0SHBR}mHcg;ohb4;_VI;vu4n5JT21`PCWlnOfy2d`O&$nXZBo5(k(@V); zdK6?YIJ|6?ur&`IG)De3{XGsph0G&OOt6@67?mwPvG~Yu)00;fv=)#9cvpPuH_^~z z8qzUt1xoRoZ6Q)*dI#oNMeja;M&+w-_B$DZ-`LIm*f_7d`MfXQ75hX=Qyt#>m5+x@ z0p&f`bo(xg#x=_sw1EdN`!4ac+%OC4>V>wm3Nm8n*wu;sPF{=)S`GVR*b{qBcU#FT zGq_HeNXmC8H_MQO7_AUvz65SbAJag(9?Ep<&mSi7>f0kJP7AS!mzJIdARF2Z^$U^= z^6@I3AZFh)On+)rFFQm;)fjb~X^4~-+NZUGB6`6FNH>www#lW2r* z*0dWTvbf3Vzb+a6ck<)?hx|tWB!4Q2MR7@9~>; z*j`U>n{vce7Jb`4U*$<_6I~>hwF%zIRHjQ8tKFd@jw;0~1Fvw4DgFGtMhDB-^(#XI zcZ4HY@iyWTTw@3*utxe#-naAeM1fzHyqQ8>47)lTOB4&fd0JoVPq%P0(h}wrDTEVJ zbX~kB{Je^Yer60s)_fz;i1Omz1zC|NSl<|$3N3j4?r|Aj-5W8tzOjP9dW1ekL=mzI zDrE-A(I|N-L>WP=ey85t3?Ih%0Nd^Wd(2)!9D&c1$TrDSE3C!@7u|2s7r`HGJp@u^Pw5@D%Z~Q>_~hNMJe=0Xd)M z#)*S%+PE#hI9^5zxhx=v&Gbrt$>6{9ypfN;J9VLwf=JHZ<^!!vn^&#Z!C7!J@{(IO z$0VHQQ&%D#(6!KF8yhV6kwvGbqn6UlC-gzY0Se=Qb8-`F(D6SLs3=-1qA2iG@`_4wlX&=T!)hvHJ;Ev0;Vjoz`p+UiOjoy>S>jW1>Jg@n}xpO(R z@#RF3fImD`uIE(I6`8#Xea(5fE(h>(g@zp-LmZ8w9;0X##g6g3&`uTHZ^IX9``PY$ z(kR6unj0*v8>(hO=wMO9dFdlP8ug8H_S$=`{hpu7&1V4p5;eqN%K*e08B!_fWm6Q( zf_fXSxHj-2tMLY5wgx8=yPwC3?t!iPU02Y)#1|cu>iNz2z+ffE zm!h)wQ#319ilm(v=!^;NdqZkjyA6pP8Xg9oadqIX*X%)xvRhSR_QH}XRqvxwi&HnT zkyu~-ShvSoA#Hc^Pr*?2Y9*g{x>$i4<-Y70(=^qRt~K`{u<`imuPD$gL7y9i`ErEUb`#wG!cYL;k)RY z8o@(c)d8=<^Z?yLP1UR28MJ5hD&+5;;GZ0%(f<(Zg zOK2PW{6u0N0?ty=_ieo|WET0ihUQXFVMRe2#q~$@7n-+q`GAvxx*g*J`W>rh z1pQaVMzkQCugG!{IM$s&f2gu&*&Ag!>Xz;5gH!NGk4-5sz8kQuItp#wxsli}JW5AI z0mU(nC~^vVHR4Sf1(@GP+`lm+{op9MbQfyk78ukq2mpikhug$vmWd#46n89rWMm$y znzMg@UwFg#7+1fogzCwivBk5;VuN0GyV#;l3thQ~b~`ddS8>^DGma2;boqW?ThwnJ zvT#_v8-VP#$uqnz+MS&s60cyLvuC?@9`!=U_iT+5J4RRg0|DpA?B7Q<(I>?6Gv{7`A@nTqy!igGZGwAq!Tzy!@P!*=sg{Iwgtw zsfA0a1s*kTmaVVN!0PYC&V7_ILHPQ6p6f69r~WlXt;);Ql$ebO{7RWhR?J^jJ^b7j2UXNK zd63JYMvE#>SG5vVjKEYA+`&Z|e^9T7E^y=eS?2vEmnXs_Fi3APQo`q62>jT3F>|Dg z(r2wig_s*nIT|p*CSz5ULk}tl%H#&7Ph615m?~1XvI)`uH8K*wK)%}m4m0Dm+!9%J z)Qc>5xd9{{bVUqgcBcMNfvao&|~JY~AR!Nic5N9*Y$_Lpau4Th|5*GsU4jWPtR$sVlQt2?cX z71QNXQ{oRwsyh}}nLkZ!qf5F4MdsttX8BEJSy} z%9;I2t#tH5I>?ehfKt%QITbvHd(~TfjEJZ3$_QK`qmE9R26#6H;M>_Xq3!5tRs;)Z zG6Q(v<>n)~0C7~~Hk81M5aI~&+7N*QeJ4NWTjn@fN91?xUX`?4<1INjfQoF(L%EJ* zns23+BZcfjb-<~}&L8GFQ2Zi{FhCj5O%!ZkU{0;|abci~%Gsh}i_$QHJ(U*;0#W5O z_@WO`ORSzMbjs!UWOuJ%Tmx+LmhcQ#=vA}FUKb0D$&wlczvCz?7+_K#uwqd4b}Zt` z=2=@l^KMIFvO+*cG2xDoGOkIK0P#V#gPkIIqc080=0F1y=w#v&0rJFbeCRJx^waKQ z7d4{wgCGNHwszlAYVh6;N%LVH?`DNl1F>^aLeN60hSanN+R7C8;i|no^APn?`(8Kj z(rLQ_(wrte^-YwE(eBiBB#&N&Y!!rxu=+L2-|(0PIXF-p;9N30GxaX9gR?HNk>2EC zQEz?8^XIAy)r<;q(JO}uMse0~cX>Q>?z`_$!QElYXT-qV{`Mr1L&NDn-8EsOR4ERb zQ45_PM~`*G8z1>U=cDh6k@{fVHQhpxQbX@yl*L?dlmdS^kl>-}7r70Dced5OxvIN? z;ZajROwA7;XS1$q?srTz-LyAgpfbh9RzAH><9EMHf?|zcz$Kf(2~+=`R^1*$Q~~Ne zptHjBY+%wm>Ptw7Q~^u@%K&qgD#k_56LBY?U3?VcD2<~^?f?QXv&piM2=marxa^1S zA3_K(%+0w8#zuU6V=fiVq#R&+m99+b=}#(@nm@7oF=L4rY3wn}Dx9|zLqky)#8_?0 zQZyrW+pC$bh#^bwyG1=|;Cu+=KFfq}=!p1}LtDlKZ3-UH!AI2IzC&_dlrDabwA7Ry zULac|)9oBR*KH_dwakeBuS=Hyo%{sNxjoL?jahX$F4NCWu1y62%_n*h#NOQY^nGNq4Gi@Jy(*;+XT>!UDW&{q>=fr`2;9phV~DKL?-6p^OTFxvwDgKm>t~jA zsPp-;5Y&a1!6^flYQH!-z|3+5%;tV7@iR%G!M6^(?&$a@5=@8rX{h#ja7F?CY@S@R zrN(!YcsY4}Lt1LcOiRPU+y!J~5#7rG{FbCmA@s=H#)niuRzi=rnY~mXUs8|wYlK5* z3ewePn}|+}^^#Mw7}rD9z-Fe+EHSCID={EQytznWdVjF6%9Tyv6TuOB#`}yg>YEvw z&=+*FNronOk|+`Do6UVzUa=%U%tk)7eSW{z?LB?zIPh`J1dw1LL}Nc0na_R-#E=?Y zroEh&A7LwB>Fp4QM0V}tdg&YcH9{VO73WQ74~K99Enw_q+^-0U;wF^rj7KtgHi=R$ zkPnn4G?X8utK3B9)XL>08JtCeE;FPfqA>uM@{Ch3(VvH$&GhaN2_}(b15g$joQM6{ z?vQM(K}@P+-(KrN)aZbRCV^RFusDZuI|puu@#f7nxrdMmIB3%S6wn;B)6)SqsZ%D% zVfWc2D(u*!feb5Zr&*I3k~IVtT|oxkKayQh5HRVI2&#PH%8LWz5gkV58^N+`cMI0< zYqhEt6eD{!SmDdY{e+IgqXpr2uigCM-vY@DHI%6!E z>kmL+Dd*&x6#4Or6T=Jc;#=gd75{#3FK%(>DcGoU7taFXLYJO-P@lZhY(kxG3CZf4 zQH~fbcrPB|>4Dn077leWe%Br9PmY-&QzZnWWp+HeH|c zo{ZB&Z+3&YCAi($x*9cVZ={xmZ#QtsNYIwiGf8SRW@-MCf8$?MgvjV$^4tDBUHyNZ zvHP1M-~dkb{x?PJ{Od&cz`qj$|4hXDJ5^fkxjT`x z9_J?kj{wUQCzH(N0*-6x=D&M}yK->Lj?wZV@ZJNcWfSP-`IxVm>1&p-O zypaoDO_F6?!h!%aJv*gMHZUe}6oroZMu__MVGN1DTUlnAQee^0_@lPFa@Nnok|Wnh z6AL{yDPEF6s4R2mv!*Xm8Jbop#DP@;?HFDjQo)c=#NC7G?&^tN>Xw7u)ve_{0g5$s zhfdFIqcPA3^w0j(r&(-|>rWm>ML0N{DH0Ov`uAZIw z#Kv3!?_S}e_sTwQ7(AKrKSnN0c(R-OJYB1?e-g1OP@wjn)+@hpDy*$F#k>4}y}fl* zRNve8Pe_lnzziu3(kap)F@yqwNH+q4DBU5T^hlRESlHrhN&v*QB*Y$}ytbQF^QdU~K7GDl#g60%1eXI|>N&~*q6DrX~ znG?KJHCt((x_*g{H(}ioX#5#*s;Szh@wv5H@BG(KZ?F4mX9jXD!OSO-yqhm|yF5(E zt^G)m8-~)mWl5#4Jh-H`8jlzZLwroV#R_%(>FBqXh#)5hgo5C=a%zD)B^ObBR?$8w zYDlipWrKXsJA!zVlQ%lXI)_EJX}0eoq0_?NW^>{sb`w<=%|!PG-zhP(oem_u&}+c_ zrl4HM%O2HiP_f;JuS{nIb8WN8Md2g|sv zD6P-92|nj=7A@}3R-6WcnfZV5a0wNLOa$`3RyPZSXD)<2?#|s9LAvCR$qZ9hasw30 ziT-JsQFK9H)6%#kSfgU{3c1KXeZ?N+_nk;emB8YyrCdLUaPRT@f2L=zB+h?fAKCMRW)MVQ=etTq_J3OVzh7z&deW6XH&VMe(XQn zXzDxab-B`xNSX^^DOdHGip)JWE9Z0=k&-7MSLvSp5o(@6U~R38dwlC5d+7}Q7_nCK zlYU`-F4oAncv&S5fwDoP)K2v*X~Vo29w%d!0{8K31th-ebD_8mwSg=;-*n~*hbgv^ zL%y{J(pAZcNADO7dqYR3!f<~E)2`wAR%6>89`I+4)D^a6*m&P0?~T

Dv}uJeya#$sVyh9i45;$rt%}ep?N3hmmJbyhPjwv|F9QXaA3VHzv_Vw2IAy-il6zcG zl{t3J-zZ6)gI6HF3Atn6#zl=WuW0ewS8P3n@5PDv?T&hZhd$zmlCFe>!j(3~5^~#P zl9cG`Yr^9eEDu`w1&8%Bo|+dW9OX_RZxvkZc ze$HSL7-UY9`D6`s;G53)_u4cU%~hmlGj9?Ie{O+S6XeDSI-FxsLT(&%^RHgQSAV1Y zZ~g!D5^csC2OXmN(@XaM?j_9sc!}xnUQ&_sZ*R;}OTqJEGina{C9AIXzfoJ-lqwXWnK&^j{v zIuUsAV#{Fr+P_RVogxr>y?B^|9_CAtI+;+0G2e{-+9EyMa%wRaW(}Db?O-$UJcu3Ef z_q}Gx(k*KZEfqI;brP}{YMg%PA;K%l^Zjlfwc5G>vLwEDuL=I)1mjk=RwH#;+M{&z z5V{A$S_APoV}|$8NS@2S?Qf^51ylQ)utbYjs@n}3-DZMf`n&jZjtlq@s5{w8tSWwq zPBqHP^A4zAeXP(yq#u;ctyFQPW7>4!$vsw+m^n;NrDcK#6%*c56X}%fc3@C=Nw-~g zm_o+%faaToUw4oTGc_Mx)AK4=pRb+y^Y&;j2FGfC_(yeb?OV@ZY27!!#E7G_mPxl` zuW~W=JuxHl=q_MB5xveTgfJ2Z!Gh>)j1Fp!0tKJyH%)_vv^0vzMCSI(@f-N`NE7M^ zE#<#jnAyU=x?fFHe(V`{7j;*2EUv>MR!E{|zPymfEj;~tM@$V;X~U)|@UeiuGvHU1 zZJ%w<>0JU+VhrySYHf#S8BpYOb-d8AU$%n%W=kYvbe~g;;SoQcww`FCo+@hK(R8z+ za3NMU5>pR5Lber|O^&Gi*(CTq3LMxRm)3L?0<~9X@_0rY=37=7l^5w<`O5p1y6)6- zP|}MA{Q{F917`(tVJapnVZNV~o?1&oY3Jgd-)!e92N)lO^Cq0s$!{hyRx#?hbA>cW zdBpEXSVmgxlo#SBw(hKhyyTq52}GiKT`)>7d0P{(8!>rRqmD^AbCI;xImKn^iAXFr zH&3~F@lmuayH}jMr(}UkKsejPFK^_Y^n3*7 z^xK|^UvKOMt~@aIN}nxPd?YJOwr(kTW0C8_Y~cE0KYlN@_(x;Ky4#DR+{d}8Q*?0E zp6?tb2(w<@Jf0eX$v|2jXU2|eBl&OJ)m0LnQ5`CHs%)65drZH zQpF3^p^2c{O){inF7(5cBwcU%J;<4cm{d8mIqD+kSYd};FwK$J^?fR~wwsLAy+bnX z&Ju zLv}1`aWIGdRIR7Up^R8xpZer!ez2lzdzm?CE`{yFs5OkZU;C~51AOF56;v>e#Wq-l z1IoT4t{S!zxvD0}*)+91m_OBBOItnwOKTIWD!NlECQhDlejP;na3a{ez3EKw&Z^rm6J1Va8e+le6_kFSN_pibYfagz=m0?aUknCMF+`L z?LB(!K!EQf3$vHc`|fEjN~_PW!xhdY2CG}l1sJ+LPt@Q1SdwIDNbH1=c5vUviJ{2* zUS{}~wz32G=8u`>I%GT%%rsn?+7~Ke=@54%Blkiv{%k2f`_VJLbQT}W(ZNQ5#}ohX z!>wypl|7f*D7qDqH8T1i4gJba(v5TnjZJ-_Z#7wMH5h#Pp*LP~_IKrH`A7LpepmiF zm4B80aQb)Umne%ONIzp$#BBY(!{nbj&8-s~+Nn6RrsmnRHCR?eiqkRoOUwPFrVBm< zUi7HLw|dD;{>@q0F#MenX`~}zP(zig!cnPc+{MpL12h{moVh-Ku632B!?o!Tn6vNB z?thboE@H zod8f$dM%oQ%qPSrclnYtF8=LZ_<%|a@zp+?342*B6{0G^r|F)_^N@+ z5%1~>=KzsrJtF$*iW;ZVBr=PrepJ_DU5a`6{lNx?@y9X?4V)CRY3bGsuegT zhay?)Jp4~dkE7Cqd5h9Rw(ZxNL}sKGK9r=*B<(0Zgu>rrT1+%i#k9<+RXcruCVKV7 zIyBgf<)dg4(qpWHj&m6ETTXvLuFrBrWb>09G6sdnx&07V(x3 zHHjI_2_(z5+48;F2Dg6=LkMR1dsR(ZANP+fx3DkGXy;-WD&Y`pS;tFZkgr*!oee>A zot=Mt#FOtLaPg}_-VsYNEIztAT1!0~Z6khHL?&)oXr!Ak&}#f;t8f0IX2;3ikC9I2 zf?*J-zR+-7><-pT^yf(2OVxV*OH!t>UzkPJs?<(xRz@n)BT(@HkE`izftSlqF*Fux z`N5vA^@;h{*@DTWuicC%_sa8XKl&ta3}iqY4l5&=le|9Z1#bD_os&DORA?1LH2mUe z`A{p&s?FIBUZs|pC!Gm(FD-dg&vGcN9te!?D+n<@iKggS<$TzklS(#|K67hTtrPno zhWX+=tKXyg{)Rk{d4ccid=dBV_m(Lh^Ut42Pdw{*mZc_?X8(lqYToC5x($?5#}v`~ za-e`)k^g>PrNy*p$LofrqBWkiORl%M`%uRzyTnmH3r@4Syp5i-r^mF1G=rj4_Z*2F zN``kP4~tCQvu`W>D8V@1R9*dOUH>>#vM7ZHBiKJLh7xR?fNL~dZbHV1+d)IaNGfhk zedy2Er)KyL!p%XLtAy$$ymRv5>yIUBu6pZhR-87Nr-L^U5-`n0 z>w~$6Q{h8A(eJRSHSCN$2dcy52wihSm}ynj>*2Lmon zlOh7&60&y5#8QSR4kwHy6Ay@6UtL%C<#|0e`lsgd&R|fZbc<_XQ1HpO$yK^Gh9 z#|&945!A`~RU*Oes`z-KX#vIy*xh;z2Dkn!oJe2~Yyjfaj} zm$O5x3ez;6fQY2|E`4lJ$z9mHpC>jrUp}j|znmL<9i&E*W^{MLYLt7+jS3Lh%h{)s z)UK_^W!NMWXD2VQow-r|%fBl>>p#kG{JZiu9sH~On;pL^KhjSM_Z0HE;QlWNtbwCA zQdrZ!CQ!f1A!y9%UYU~l{q#If9%R8JgHv6Ig*8NnO>V4o*D25NFE>wsuhO_XL#k;_S1JUn|^jby@xFk7IvNv zePM>l_boqFV`r{vF0gAbQ|)y!c1BzTI5H}@7!8V$WSe}tOs?zCJ`F|ANT0v6YzBYEDo(i9+?-c>WSmLy&pG(JTUzKUhx zcjs{iJBs&2NA8Hcx_>rLFLA=v@a|&4yhWpei|rShnEoqocdVt@$=RvHlNhl02V!cC zpXU7bS_k)+c%uj{4r%fBf!^VaI7`6EJNUN9Py0_K4zflc(EA_XbM5hvvtdo_H|lZX zOOtQvkEZKpt#fH-j<@?1YM$Vv9W&=>^lL7`+aV&>KC|>N6#HW2M>z55=^G8d@>V9L zZK7pc@6gw|%`rKTU$sy!$|+cGtt(vBKIUo7A#1okz4cPmys*$+c`KA_Yd)YbdV~e8 zr0UMg?o_{wF*`zB<0p78I=fjx8u!>-$Ke-|U>fosKi|Sw3@u)fE5^;>yXZr z;~3i>U*9)>bS$o=O&p>j-kIVRqaBl)A_{s5Co!_|H;-22#!M@za3*uZpAKTjm^Q#} zMSO7dnkWdMz{S|iUr4j$M<<)h4VWWUCreGFD|ihzXR^lIKdY} zdye{rdWpWI@JRZ#8F@)XPCROb&Nx1DX})%oF>~*RwhBNUZ`Jf?w`$*=Cuv zyGX&c8usYugpaY@MJ}`wFvd(WIKKtbGUbSLbZTBo;RW3zOB|K#-YL^e@+XCwK2R1I}u@q^BffRQjoj) zjt_7!tDAn8s;wK1*p^69TWh#eGuEjVq-C0vtKDp$hYSDqaPfU1@ZX?3d473$_Hg6xXrR(gmSr1+|>0qQt)(hHG5b+8 zxR{RZ(GS;uI61R(#s8HixmNj2TlD81R{3~+x_dl1INblvrE55!J+?EW?j3eyCfG4-xqSSluM8uT6zl7Px1ioez%!TiQ)-U@POxi158qx=|=f1NpC`$zeW zepmjE)PI#Yp_a9DyA!|rc+xIGzOJu!r8Z-b z@r^(`k!D{frczMByy_1Q+D$&}MR92A^-NN(=0eaKorjFfYbN5ap)Xb6VZKpXnh95X zD>mh8K`zMYm}N=6$n)%$1DbnN)Z*@lF;2bsP}8bQTfXUd=6x;rGasHF226S%@%&6V zL~f69=%m2Q7R&yHM9?D{mq%K+c?Ba+`#r(BA8hWpwI)%u8SkCEepD;z>8{OGxTqJI zhR;r?)!YC!PEV&`+zhYW=Jl|l)jw*Y+{0>dQ)8W`#bAoO<_TDK))@Xe$?0=B)46@% zlDO0yko~=nm7-`<*hDbRZ7g`3(D-?G#r(z+4~DSWF!%_P+A2U7l$ z-QYEKZ2BYo&LAm`OSAh34k9%)XXVzeHlnuHjDBwoJt+!e-QJ3@Kix0b%oRS`7mPwx+eW=di`W&LYyyixT3P=3r}}TOMd9Mf0WI2DRYC0nWdODi)_fX znHd+uNL=F9NZqjL6Gn>Lr&dm~TUIi)5B0pCkFoWL3=hsm%bx27DE&BlO&wRzj3aTy z3JFTOICtwkZcEK(JfV~eqW?OS`t0R*G=}X}`;HD0&eF{a(c}&>{{(1{JYkZ^J1x7`Pv88MuXw9wvXtVI-Ht`LRB4X#&^ z+sJPoYCFkTvXIkmFX+GQPMUQbdMd8iO6zf<;2Po^SX04F-+AE6nz~IOe!2m(IVg8!Y8`)>S^&fp)c2`fFCG?rb#4`00}kCywvr5hKR zdeWZzV@~}$L6B*RlV{XQ!4?nHxJ8Fm`Lfotu;P4-a3X{9ZeHzYm+g-!#D{Kp5}HO4 zb#@sm$hnj0tTVb{xr2g{3KDGOrA4lM+=rFS%v|&%v?@}{m{!*LeD~_ebYf0X@XLWp zYK!GLHN0-Cus|l=;_w>Z#nUwzoA8SDx!|MxnTEsp?fhlIcSR0!&|479U)jL38fvw0 zdkq)^4gKJmjK|?s{z_Pm-uFzH)8wnWb4#J;K9--2ixa!+*q=|~e|gKgGw(RpW%vHE z&B{FjwbrHVDQPoX0ZT{YuhmRw_5`}c{xOZwdO{+O%w*1&Hu<%4h6gXSmq|aHEiexi zFyd}xjiE#7aD9p~a!l|~8{0h%=ajCv+0J~H*8AFB{C%w$LS(lVd*(k~Y%H&_?p^ik z4b48Vm0Gl|5zD)k0n)As|1PZ(t8Ff=#%iSTC3-h(iaB+Y0jkIEZN4Rc9QLTUyjW7M zr&WcwSem6eY9Wjw>=^Aevy%z6b!Yw|w2`S7) z)Qwv0Ef~w1v?PQ-zOho>D1Tnu-*#LwC%sXA9Y&P$|F5}s6DQQX_Gs77|5AR`ytd`P z`?gk~h<}-d{^y=xo11y<|1k^QBloYD(9QkkC6*4GdCgA*0#au?$nmJZ{XKX z@uDq1%cURIhO2cgjJ4Rh9zrqH{OVN}EzYbXaa+4#wIPQAc(l|Co9=ifhGmer*&0_r zj(mJh#@cXlFEQ(>)9AQq)*yVOuHA3aLTRi~LbkAA+=mwzn%i@W3lnLh1n zO^kPb>?ieYwZIl|?C}eOjfCDc{p}O%7gts+UV%+VJgnlL3J($`H#tZ(#>F(pxmKmD z<7DLAw2pYPFuU75{Z8w?B+Oj2ughY9(GJdm%@A^7me*!G_V7#iFqEL8Jas+u*#SmV zg+2_c*vVr2ilZsIQAD;r*k2m!dh%c|vZT09_>S;1EMlVj4PhGReuAeUc019f7ud6o zuJfBUMq;AT>y%5}`E6sr2o2719@FT$qE&ZL=CSHn9n^_R3D|s^+6YIg6 z7JKuO`shc4Xp7-Yvd*nnLzq^kBIwp31XPZ(N|QvKmZSp>>YofV)Ym83?#J=#sN`r-gKxhT#Pjpqa7iTiW%_bcBrhR@7gyFQ#sO#TPNyaO% zquo+vQe`u}JSSgg`Y+8f6#4HI<= z16qMzV5cBuT*4>3eNt1J?ekVeWH}xxbyY?)=y(4VJ(vrFFXcOpJQ-@ z(a^M2<(KrYa_xJ=ytz;b8beel_3q&*3y;K8t6)9KivxRGX>}$~bFF>`L&#)Ms zHjWx13uZhZ7igh9=r9b8j-MeBEA|&yN2_S5>RIyWqxYu*RQtQFIg_&!xAk^p3>fv7S|l+X4s2ANn?)4DIX$qH6l;3& zeaF5g6p9L_WY-$fqn#a>hAV$U+}*Fx>>(&OxMK)XF5C@I^dw|vT6C&k_f6b4RUHP4 zrcD{=McvuWBB5#$1-*Frs(NytT|87^RX0i6KJll?e81z1Ljs5QCs}RE;CY%KRj~Gt zS_U>F^c3<7(!yyHcOb3qtCbAL#LbsqZ@nbbeHpyvI6&l-U}rA3lEpUrZv299u%qJH zDdds2(q&qynmBI;QAf7k$|Jc37dt%rbau%J(Eag!ksB|m`MdIS{L_mt_+9x2HvU!q zAJ)GszsQXHNsf0YE(UP^Q<>XC&GUp#LTp>0HTnr9%;M*V#|u0a?Mx&!A?DP#*uv$5+tR?th`@oLl|eSjkoK_%4}(_op?nZTPBL3e|##{kl{!r88{I=I}LTH zXuN)n{(}LX_1^sSF;Me$ddd*G2da9WJQP(bW|W;tL~79_C39X#3u#{`Vq>=WNJCo5 zMqL|)R`URlOMrxbiSw)QbkDo(?$XfoiZmnn;w&5o#rFN~O~)9HEMM?hY4<*&TC8q6_#Bg|{~ZWP_7uCX zj?f7}ZDNOA!O8wMRIvV_^Vy9V6ONFjx1i9{=Ks<>(6JL_Z778mY+!I z;P!Ywe=}ISA70b`Qv1gcA;R1mV1Ns!63!&jVku8-KA0tmZFI^7E|ylU?S7~U^t)Mp zJQB*cXS>zI=@{e_DKpiYmN@!KdDgW{!!5xk|EEsB=^G1Y_3ecZvsKJ)+$zT}OtCRe z8;m8w_s}hN5sG48g8MLDhn-Bgdx~@{?v|3wrnDzWFu|C>FQ4TH?IaPIVrpL85%{)` z^gl#RlySXO$GPpHO%P7_^(m%DPFge~zER}eo-Ic{hJ3zHQ%i`B?Q!3aIMWclGoJ2b zo%rqK3EvewBjoMG+C+`c8Y8zdN;4o6Hw5cd>F3lB(s;hy5e)BgGby0-DIB5-V|{|u z`<(+hx^w-dI4gK9*KhhbA;K1k>fW^k?p{AUNxf5x`l-y~84)wj~yT16_N)%ZgJfxOCFlrurT&x## zY@6-Zcp$@ut8~gra;`a~W*!yTb$9Cr374ZceBOwp8ec3XX4SuOWYoOQ3GCCJBy_Ugj;qpO5*bB3@p11aiHJHAm<<4YHoA4`=;t+ zdkJjy1!GA>spI(El8KlopKGjAWQI~nUrZhZ&CiV^Brkl z^DHLwt#iAs4{9(8R2(nU9=nWnoA%2P>*D*n>DL%M!L?uHSQIpb?T@)k@{p=oMg+P3 zzc5v#J5ZaQ1h}T_RJwa!HzG+=`77B8_#X87*FPk`JSSK=P#U%2-D#C2vrcNwVoD`^ z7M&+HtA9`wlPW6WxKnGA*S(K z?ur@D9h_@)a7*TiO9>nX
0y%uvkjU(gAK0*5=jxp&2cdX(<{HizJeKZ5`Cj>rd2@t{W-o7$Ns%?YVU%>A zQ3yWVVmT<8Bhlz}|1xV%uFMb@s1urcOFzaK9n;5|_1r>Kd}NZGBIlRJ0}L8Jdc&if zMmQ_;PdUzK7?L!ob<3uwb|nH0C8{Y)SDIH%qsrFDE6?NAZj`_Nue}H|!yDz#{r+b!!U}S8|4}RbpS_5tzk3PiKVG8$yO(^9{ntxk ze&4s%(j`B`op@x{R)_AWb50oi*6zDe34&yn;MdPvyC1%@H1m=PU2 z01}K7fb)iU<5c(Z4v-?MV0jA`Z&yo%vgQ@LtuFbPBIQKm$RdlPcX!4=u1kXRhAGty zvQi*dE8#vU!4<@Vr)ge3NmtMYTk6UmL>m7XPR@~6on7wdXy~1Dubr8A6VOsPC9qOo z~~7hQ8IV5P`CYU&3wcwT1DM(TQB2DB@}7W3O1m`FAn&ptqf3-zouhyrGx7r#Iwvwo0# zLULLn{Ea{EDE3gnsdpHZm(CiRBQzN2KRGjt*sb``W4T-y=j;=D@iuUO#V90tZKUJN z49>MtNnO%K!;;i4xV54IIwGHv%qak|U%ss`JbgA+1)cR^lk(cG3Fr(LbyeOUN>4IB zvcCOcSDgm`8iwt0U~T3lDC_uAp!2Pu50-Gjz9L0iLS3F@v{zI;l}D|bXj}QDj{{fD zdKukGJa^bYE~$Fk#GNtc+V$3YcjcByeo01m3lXdgSqT-;{t57T)G;T~Pk@@(tT4F% z?GabHp=RPEYG1at%ZS^|79rnRT8+|V&1n)fL^)zY3eE-(ej$V5VYKh_bk5m(P%cL9{cKmG52{g6edv}KR+vJ#9DIhh z+`&yj2EL5-)L~OS4IUEFj;TPG0&l5OL>7fTkTf(%q=zB`#ix|{;9IoW4$68W-EOMw zU1Z9exbXz{aLyzY+bJmd;3d%}6v^R>G=^}4d><-uDtd@5{WH4e37iS636lxhyOy7* z=^P&(L$&VmcGcjFJ*Y^2h1x<#pk$q+pso7yyVbRYa39}YsOsJJt~i{ahxee( z*$1*4Py=Wow5Ky1Bv?(AC9{_arG@4}M`&>1n)%U?YWit92P!1@6rkh7rcBjEIKPmt>^hwxxG-Ck)B<`54TY{CJ;Dej zo74^9WI;_isTHr`)40x>NN@$*f`rQTmdeNQCb%z&7{4e94OmEpF{T%uh(WJ24p)OP z+0wzWNU`5MZ?W9%ln!>&HheIEhwyT0v;6Ya^Qp)+n z?Gyx*Fw$-Ka@iGmMZ~)76)FSS@Th!csyqlCb%oc%fL5=D*g`MVzKif;(2DF~_mSRc zzjRP5$43?GIL2g)5;GM75R=|Yx0-DC&{05XF;}6dmvC4vJnoi<0LgGds3*jP{;ii~>;>Jpmu;FKA`bbi zTA=0!-~-6-wL-;|o1hoamQH#-0Rr)X(y%La45y&vG~ufbU$2LNG(z*@r22Nvdq4wd zf=foncuk}|Y?qO+Fd~OP0`V&}D^guU)E89)RCpfapz4YUp8h`QbK;Gc;HUj~2P+s?Pu8CD#9rNYSE*e;JXw_m7w8{q7~>5B~KMvj1K&7ezBdjdNMI zFVt{%D?OGWtm|3;y#`3&{c)M_i|Joue$})!8GsuA?>sR%83=~^2Kp5hD zXm_l(y0bzGaCx}H`-;!a?R_HRUM>hYQhU=MiJ>0~mfD0Qt(qX`HiE{ABxFscb^q5%fL zuTzR+ z!VM&uFfwoB8nlhM^_56zDiKKD*o^{gEU}<#r&<^pEMvne6b$z2aiSh*iCQ zgmEC=9I@DhG?)OTKssuXc`4iH4c!0-pur@GXV|>4u*e&>kiQs9Oz4#!_7q`!)SyjT z_YGC9%`Ts@NF9ZZT4Gmq=>_IhX+`sAA09ANCqlo1OGr4<-xxmbK0; z32O&cnhcReHb%O`?OAlW$rfqftbSSPfG(I9u&-2if61c>6If-xgO z_cVcVAPyLiq=g9~i#aQRE7WHhZasj7B1gEdffC>`aKM@Yt4FqRF#vo(9U#DsgzX|< z^MX-CaiB=z5;laa;yDK-08^lV#T@n+iG7z4P(s!8S1t;e3(}3@Cr|)*1I$FLFb`xN z(*Zz>I(yj}Y+;2+DMl$E9DoC7EcGx_q$f)Ozz-M$tX#n`0i-rFD*y&?fDbsUuq5On zTL2&o5Cf^~@~~$}OjdCK3M2uE%=|DLWQbTU5Co(G#asiZ_tNgu1Cqcda7pLY6*v|n zt^?EnW55cG2xPOoi9ZQ*0kJKWiz~tKL8PmnxGrG*Aj*|ab_7fh6n#1&$pn)Gz5b=k zB?0RMou4}rJ%hP{_RrWE24V3agUh=tvM^fE!bLQf80-?%a!pOg-Bm=+e>Dgz18MAw z} z=dl#SU6=w0FRYH`4GaO&4dvjXfqe#TNBH7Kc7>7Cg{#BTKw(4K^trG~kOVS}ff&XC zs{CXw?hZ2tjSZ7XPQ!vgt6jtrF0e@uZ6}DG40Zy7cSp0_fpLRO;LNxMs1}vlBge80 z+Xh)79Oqd_ zyF|+{L(q#4Dh!pd7LakK3yUiZ49d%Za6RlgCZ~z%g9(8y)^qSlP$jQj8(|rNjev|c zd091JZ$SzhnGcL$UqFW2kGLvfEFg!iP4s3|?P~0}i!$sZ2(rk;wcjO4PPfp5Drs?)C$llk6T}+%mG2Xb5cCjM#jX$Y2DL@^i*doK zKvaR_V#Kf>kX=CY^SiJ$&{R+!S1Bs*cyE^YNnui;)sSJX*IfhT8^Iee73Aj|FS+}7 z<>&fG`Jer+{F4j+D*xwS{~3|`NBOY~fg`{Pz#(jc$s?(5T?4E@HbBf}4!eU?#Ayc# z0Zl+paujwO8G|hka07NgKBNH_jpP6a04zWx5YCqdOGRo@Z2@nAVj%N@4vZ3MLtTwJ zLqdQ8$u$@q(i`#}m;fvRZ7wSq53-*Y2518ZfFJWmSP)W%#tL9Uz4zs|3=AK+L7#|v zF9YCVh=O?{mFNsmXEGkpBmNepB%CDlsB@kL809j7fsiobRNxSGL|;xm7%TD{84lnH zTmom3iZBIa2x$|r0lWvqSXW@CNa&qXfB<+0ycJJ^i6hC#Gk_PU@8RUjrlY1iS{D~eBm4NAG#Q0g!!DGl64Y1#mnB}@uABEb(}146(g{|@X0l2Td_r5vNc zPcceZKN45!5vtq(;J_jWTSQj!KSpKq4q(Pg2pdEe@c9E6Kpqe&E`!REtROYO2v7qi zT+%Qmq@Tb9&;n=y%i?Va8_-B~1gr!J2ulHFsJiHVP6}Q{sDqB{cfgLYL?pM62LJ)4 z0Wq#{SS|9iC=)8mSfHI>5T=jR6_G;yKM6cRoi|VrcR%Ly2GrT>-ba52-la|MKbVm{ z-?Cl%8IS_5h|dtGNE41IfD-TmG>I?3@dz2vT(K3ZCaq{{>P5iJz&o1Z>iy1Tq?wsD zzyo{(-XWMkYx_{}5h54#qL>}r0KA|XtOujMF-y}`?b$gFDrho6Xn|^%-N3d84bV_A zA9xl}r_rp}1up@#G~?AkXF3SIts8*^Ne>Z&eGsZ3-Qwq93_yhjR(}az0gh?xs@FQZ zklN^4fDtNp8;Eb9>FF!*HXqo(~zy^(f^>Jq`^0sF~xO@9F92aYoy zAmAXSs3%=rV-9vQ4Wp4+b@vhU3A7Rl?`J^O%o`fVCf9-0>MNj8(HAKzBdy8`orV%Y z79o*L^(uXk`%Ijw>P--RDqyF)|ir210f72WzcLW6O^Yvfyqi4il{;^8-1?n z07QWi`du(DP)oDjwlhHZ76a&UVvep*^gz;WWh&!B9iYJwC?t@HR;2{;p2=8M4AGCQ zFoM(+0=7WdT{);EbOKt4$B)WFGmUmzmD5qQnc_HdYWP~&5o!-LglI!vG7YJ;K^`!v zDu*GGkOxL?H9t{jJvu!(co)^)gWDXO)T0GE`9b%ZC=_jnGMP4&e?jj+y&;N_WTsv< zUC07cl4=N|0LftFUqb=p0_%6(p#D%ss1}|!s&#^C!rLO8o<=Vy@*xAU_LUEzHBc$Y zC)Bi-U{e&pHD&Lag=!l^K%tXYbV_F^$g=H~qQwxt-y3BE=mTinjq;CX{H+&ZOmU<9 zdUSvGBHT!CMx;vrdmX8p>-~Rw5tAt5UwRST|9FY+?_M$={;!v0uKeyLO!|2IYFAJ* z^)6Izmg=qzRM-;-`UT1jPKHDRwo_W@)4&=^#mnJ$n)aQlo6i;VhUPTPl!KuBP*%iu zWTS&Ou#CC}l!EYsqk-EJpW1xsJArQ!ubOm#ms7r0%RnFMy6gen956{UpYWB=1}LN< zNx%iVB!-)|fi#+ggkU;8;317?Lct#0mWomov=J)eH5KNMXgaDF8V++oT{|~*VU0nB z&%^8h6@aPv*1{C8)k5oHj8|P4BLcPN(d!IU>r?>BVZ6uhL^3{sYGevk0=@dwmUO42S7rRm+x zg*D_^p{nBi5rN^K{EsSmN?<6w>#oM~^L($8?c9xE^}|GYUL$Zv(pl*Maf*EhsBzK` z^^`uWw-{q`?6l;c_9JA@4&hLk>b#=vd(1!V3;v zvdlSAOwx$^+XfD=p#jh$)c6WHoDSfD=VR?Sbg9eHMYNlTDykGf2cVeH8A%bvhusk6 zJlw#c*|15;TTV;u%b_VMBG5IcCDcu#xsef0uRMMj1~@jnY+w|1P!Udv8whDa`Kp(B z#G`?oP+s*Xb0koDI(!x zB_t=5_UF2w=TI(a29PHCMRhsHA(#q5%V!33=Dc`lhal&3Z*b3)qjoSnnOaDg?Ldg-)mxLMx!y(8rQj8hG98&w6nahOX26CHuIcT`I;Egd^<& zq0%aZ&|PRWlu3fA&@X3Gt+unu*nB`ZI!*oIVGMBD0Bc|uZGm?xm#ctM)(5Pcu7G(j zhX`?a;3!!c5GIN^hI0$ZWyUXE=>J_k-&DsgV3>b~Qw7-*)R0rVd9spT3JTQ3h<2hBqgDpR;Xph|l5 z&;)4t1JnF|bI(8+d?xA_GE$iUo>Ppbd@;~T4*CPzP! znr5+qrlw{ec^gN|K*)c;0{!QerlMb(ni{eXA3`4~J$v@w|NQ^`{KiY>P|BZ!hW5{+ zZ*G%3ZWfK1HrUS-7fk^dEgs5qqx=pTzbpT$z(2|lMst!r{$2V1zbXMLKs32m1ZX!A zFa6d10_|=h79RN1{Q}Kz#?Z1b{~SYG|0~g3>V_zO{3r1p{*9lea{Y(+{9ixa{wp!D z?uN(^@Fy`=|0YHl{-4DCzY_Uh-4H_%e-e{1Zek1*`jhzcuS6k*8{(VYKZ&_oH!=E= z{z)Xy{M&Vj+29RP=Vr&=|8>7z(b-Lm9uj{NssBoRQguVL2>z2;k#iHH6Z}si!(WMw zFK>ufJ%1AGRBmFl-};lt^jD&G`3=$h-Jisc)SDR12L2?n|CRXlpY}Na^G{-r+)a!I zM}HFOa{g8`;>9;HdPn?8{2Y4|qsGX8h&KPWaOS@ff9~86yA=K;jz74GQRV-RWdDa4 zmiM<9pUmG7EuQ>IoDaW=QTqFDF&f<{#Zdm=h}{i0#6zDyiK}ra;wQ2HTWZ^z@$nnt z*k6fpiZ?{2o&P71gcwaM^FJ~EhdA*+h=1s>5R~_Z=x~W5{*OCKSL0CnyB9!=<`e|{ z7x5-O)b+gWO^kO6ZlUR;^z!EMzldmPY7Xi*MChk~iD-9Dnzs3Sgx=WjU&1 | grep -q mem-leaks +# +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/pe/pe.trace %INPUT +# @TEST-EXEC: btest-bg-wait 60 + +@load base/protocols/ftp +@load base/files/pe + From 0199ac5ece3a815b338335e3723345f87f5d54e2 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sun, 19 Apr 2015 20:27:24 -0400 Subject: [PATCH 26/31] Add a btest for the PE analyzer. --- .../Baseline/scripts.base.files.pe.basic/pe.log | 13 +++++++++++++ testing/btest/scripts/base/files/pe/basic.test | 5 +++++ 2 files changed, 18 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.files.pe.basic/pe.log create mode 100644 testing/btest/scripts/base/files/pe/basic.test diff --git a/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log b/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log new file mode 100644 index 0000000000..5659276fee --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path pe +#open 2015-04-20-00-26-40 +#fields ts id machine compile_ts os subsystem is_exe is_64bit uses_aslr uses_dep uses_code_integrity uses_seh has_import_table has_export_table has_cert_table has_debug_data section_names +#types time string string time string string bool bool bool bool bool bool bool bool bool bool vector[string] +1429466342.201366 Fz2N9x4SAxQiSnI6mk unknown-475 0.000000 - - F T F F F T - - - - - +1429466342.278998 F5fc4q3zhJHmYSvm8a I386 1402852568.000000 Windows NT 4.0 WINDOWS_GUI T F F F F T T T F F .text,.Ddata,.data,.rsrc +1429466342.225653 Fzysjj1zfjAcgWgm22 I386 1171692517.000000 Windows XP 64-Bit Edition WINDOWS_GUI T F F F F T T F F T .text,.data,.rsrc +1429466342.250474 FOuWFKf04xcHH4ck I386 1210911433.000000 Windows NT 4.0 WINDOWS_CUI T F F F F T T F T T .text,.rdata,.data,.rsrc +#close 2015-04-20-00-26-41 diff --git a/testing/btest/scripts/base/files/pe/basic.test b/testing/btest/scripts/base/files/pe/basic.test new file mode 100644 index 0000000000..4ca9ceecef --- /dev/null +++ b/testing/btest/scripts/base/files/pe/basic.test @@ -0,0 +1,5 @@ +# This tests the PE analyzer against a PCAP of 4 PE files being downloaded via FTP. +# The files are a mix of DLL/EXEs, signed/unsigned, and 32/64-bit files. + +# @TEST-EXEC: bro -r $TRACES/pe/pe.trace %INPUT +# @TEST-EXEC: btest-diff pe.log From 71230fec81e8e0586a964d8bf651cbf3641b49e0 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sun, 19 Apr 2015 21:16:35 -0400 Subject: [PATCH 27/31] Update baselines. --- scripts/base/files/pe/main.bro | 2 + .../canonified_loaded_scripts.log | 5 +- .../canonified_loaded_scripts.log | 8 +- .../btest/Baseline/coverage.find-bro-logs/out | 1 + testing/btest/Baseline/plugins.hooks/output | 91 +++++++++++-------- .../all-events.log | 24 ++--- 6 files changed, 79 insertions(+), 52 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index 8577d24078..7ab8f64bec 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -1,5 +1,7 @@ module PE; +@load ./consts.bro + export { redef enum Log::ID += { LOG }; diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 65e3c1b9e2..38c1930a99 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2015-04-17-16-40-15 +#open 2015-04-20-00-41-21 #fields name #types string scripts/base/init-bare.bro @@ -110,6 +110,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro + build/scripts/base/bif/plugins/Bro_PE.events.bif.bro build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro @@ -125,4 +126,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2015-04-17-16-40-15 +#close 2015-04-20-00-41-21 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 65745fed7d..b705f00202 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2015-04-17-16-46-56 +#open 2015-04-20-01-01-51 #fields name #types string scripts/base/init-bare.bro @@ -110,6 +110,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro + build/scripts/base/bif/plugins/Bro_PE.events.bif.bro build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro @@ -254,6 +255,9 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/consts.bro scripts/base/protocols/syslog/main.bro scripts/base/protocols/tunnels/__load__.bro + scripts/base/files/pe/__load__.bro + scripts/base/files/pe/consts.bro + scripts/base/files/pe/main.bro scripts/base/files/extract/__load__.bro scripts/base/files/extract/main.bro scripts/base/files/unified2/__load__.bro @@ -261,4 +265,4 @@ scripts/base/init-default.bro scripts/base/misc/find-checksum-offloading.bro scripts/base/misc/find-filtered-trace.bro scripts/policy/misc/loaded-scripts.bro -#close 2015-04-17-16-46-56 +#close 2015-04-20-01-01-51 diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out index 8feda88d15..961870249d 100644 --- a/testing/btest/Baseline/coverage.find-bro-logs/out +++ b/testing/btest/Baseline/coverage.find-bro-logs/out @@ -25,6 +25,7 @@ mysql notice notice_alarm packet_filter +pe radius rdp reporter diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 9d3a9d53ae..1b63a4a702 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -152,6 +152,7 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=modbus, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=notice_alarm, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=notice, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=packet_filter, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=radius, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rdp, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> @@ -184,6 +185,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::LOG, [columns=, ev=Notice::log_notice, path=notice])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PE::LOG, [columns=, ev=PE::log_pe, path=])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) -> @@ -201,7 +203,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -217,6 +219,7 @@ 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Modbus::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Notice::ALARM_LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Notice::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (PE::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (PacketFilter::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (RADIUS::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (RDP::LOG)) -> @@ -249,6 +252,7 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> @@ -281,6 +285,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::LOG, [columns=, ev=Notice::log_notice, path=notice])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (PE::LOG, [columns=, ev=PE::log_pe, path=])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) -> @@ -298,7 +303,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> @@ -373,6 +378,7 @@ 0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_NetFlow.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_PE.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_PIA.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_POP3.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_RADIUS.events.bif.bro) -> -1 @@ -524,6 +530,7 @@ 0.000000 MetaHookPost LoadFile(base<...>/packet-filter) -> -1 0.000000 MetaHookPost LoadFile(base<...>/paths) -> -1 0.000000 MetaHookPost LoadFile(base<...>/patterns) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/pe) -> -1 0.000000 MetaHookPost LoadFile(base<...>/plugins) -> -1 0.000000 MetaHookPost LoadFile(base<...>/pop3) -> -1 0.000000 MetaHookPost LoadFile(base<...>/queue) -> -1 @@ -707,6 +714,7 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=modbus, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=notice_alarm, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=notice, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=packet_filter, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=radius, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rdp, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) @@ -739,6 +747,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::LOG, [columns=, ev=Notice::log_notice, path=notice])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PE::LOG, [columns=, ev=PE::log_pe, path=])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) @@ -756,7 +765,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -772,6 +781,7 @@ 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Modbus::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Notice::ALARM_LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Notice::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (PE::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (PacketFilter::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (RADIUS::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (RDP::LOG)) @@ -804,6 +814,7 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) @@ -836,6 +847,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::LOG, [columns=, ev=Notice::log_notice, path=notice])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (PE::LOG, [columns=, ev=PE::log_pe, path=])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) @@ -853,7 +865,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) @@ -928,6 +940,7 @@ 0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.functions.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_NetFlow.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_NoneWriter.none.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_PE.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_PIA.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_POP3.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_RADIUS.events.bif.bro) @@ -1079,6 +1092,7 @@ 0.000000 MetaHookPre LoadFile(base<...>/packet-filter) 0.000000 MetaHookPre LoadFile(base<...>/paths) 0.000000 MetaHookPre LoadFile(base<...>/patterns) +0.000000 MetaHookPre LoadFile(base<...>/pe) 0.000000 MetaHookPre LoadFile(base<...>/plugins) 0.000000 MetaHookPre LoadFile(base<...>/pop3) 0.000000 MetaHookPre LoadFile(base<...>/queue) @@ -1261,6 +1275,7 @@ 0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=modbus, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=notice_alarm, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=notice, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=packet_filter, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=radius, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rdp, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) @@ -1293,6 +1308,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus]) 0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm]) 0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=, ev=Notice::log_notice, path=notice]) +0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=, ev=PE::log_pe, path=]) 0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=, ev=, path=packet_filter]) 0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius]) 0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp]) @@ -1310,7 +1326,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1326,6 +1342,7 @@ 0.000000 | HookCallFunction Log::add_default_filter(Modbus::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Notice::ALARM_LOG) 0.000000 | HookCallFunction Log::add_default_filter(Notice::LOG) +0.000000 | HookCallFunction Log::add_default_filter(PE::LOG) 0.000000 | HookCallFunction Log::add_default_filter(PacketFilter::LOG) 0.000000 | HookCallFunction Log::add_default_filter(RADIUS::LOG) 0.000000 | HookCallFunction Log::add_default_filter(RDP::LOG) @@ -1358,6 +1375,7 @@ 0.000000 | HookCallFunction Log::add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) @@ -1390,6 +1408,7 @@ 0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus]) 0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm]) 0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=, ev=Notice::log_notice, path=notice]) +0.000000 | HookCallFunction Log::create_stream(PE::LOG, [columns=, ev=PE::log_pe, path=]) 0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=, ev=, path=packet_filter]) 0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius]) 0.000000 | HookCallFunction Log::create_stream(RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp]) @@ -1407,7 +1426,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) @@ -1616,17 +1635,17 @@ 1362692527.008509 | HookDrainEvents 1362692527.009512 MetaHookPost CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) -> 1362692527.009512 MetaHookPost CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 1048576)) -> -1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=], 1048576)) -> +1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=], 1048576)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 1362692527.009512 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> 1362692527.009512 MetaHookPost CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692527.009512 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> @@ -1645,7 +1664,7 @@ 1362692527.009512 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009512 MetaHookPost CallFunction(split_string_all, , (HTTP, <...>/)) -> 1362692527.009512 MetaHookPost DrainEvents() -> -1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> false +1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> false 1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false @@ -1662,17 +1681,17 @@ 1362692527.009512 MetaHookPost UpdateNetworkTime(1362692527.009512) -> 1362692527.009512 MetaHookPre CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) 1362692527.009512 MetaHookPre CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 1048576)) -1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=], 1048576)) +1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=], 1048576)) 1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) 1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 1362692527.009512 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) 1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692527.009512 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) @@ -1691,7 +1710,7 @@ 1362692527.009512 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009512 MetaHookPre CallFunction(split_string_all, , (HTTP, <...>/)) 1362692527.009512 MetaHookPre DrainEvents() -1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) +1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) 1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) @@ -1709,17 +1728,17 @@ 1362692527.009512 | HookUpdateNetworkTime 1362692527.009512 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3) 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 1048576) -1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=], 1048576) +1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=], 1048576) 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) +1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) 1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) @@ -1738,7 +1757,7 @@ 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/) 1362692527.009512 | HookDrainEvents -1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) +1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) 1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) @@ -1764,8 +1783,8 @@ 1362692527.009765 MetaHookPre UpdateNetworkTime(1362692527.009765) 1362692527.009765 | HookUpdateNetworkTime 1362692527.009765 1362692527.009765 | HookDrainEvents -1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> -1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> @@ -1775,7 +1794,7 @@ 1362692527.009775 MetaHookPost CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost CallFunction(file_mime_type, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> -1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009775 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> @@ -1784,13 +1803,13 @@ 1362692527.009775 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost DrainEvents() -> 1362692527.009775 MetaHookPost QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> false -1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> false +1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false 1362692527.009775 MetaHookPost UpdateNetworkTime(1362692527.009775) -> -1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) +1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) +1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) 1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) @@ -1800,7 +1819,7 @@ 1362692527.009775 MetaHookPre CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre CallFunction(file_mime_type, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -1362692527.009775 MetaHookPre CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) +1362692527.009775 MetaHookPre CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) @@ -1809,14 +1828,14 @@ 1362692527.009775 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre DrainEvents() 1362692527.009775 MetaHookPre QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) +1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre UpdateNetworkTime(1362692527.009775) 1362692527.009775 | HookUpdateNetworkTime 1362692527.009775 -1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) -1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) +1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) +1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) @@ -1826,7 +1845,7 @@ 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookCallFunction file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain) -1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) +1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) @@ -1835,7 +1854,7 @@ 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookDrainEvents 1362692527.009775 | HookQueueEvent file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain) -1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) +1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 078f9e61e4..c1fec4181e 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log @@ -297,10 +297,10 @@ [2] is_orig: bool = F 1254722770.692743 file_new - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692743 file_over_new_connection - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = F @@ -313,11 +313,11 @@ [2] is_orig: bool = T 1254722770.692743 file_mime_type - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] [1] mime_type: string = text/plain 1254722770.692743 file_state_remove - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP @@ -341,10 +341,10 @@ [2] is_orig: bool = F 1254722770.692743 file_new - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692743 file_over_new_connection - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F @@ -357,11 +357,11 @@ [2] is_orig: bool = T 1254722770.692804 file_mime_type - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J

^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] [1] mime_type: string = text/html 1254722770.692804 file_state_remove - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=F, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=F, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP @@ -402,10 +402,10 @@ [2] is_orig: bool = F 1254722770.692804 file_new - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692804 file_over_new_connection - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F @@ -413,7 +413,7 @@ [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722771.494181 file_mime_type - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: -D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: -D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] [1] mime_type: string = text/plain 1254722771.858334 mime_end_entity @@ -425,7 +425,7 @@ [2] is_orig: bool = T 1254722771.858334 file_state_remove - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: -D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=F, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: -D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=F, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, pe=, u2_events=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP From e3d63bfee8622cf7776383f197000039e8da54c6 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sun, 19 Apr 2015 21:38:34 -0400 Subject: [PATCH 28/31] A bit of final script cleanup. --- scripts/base/files/pe/consts.bro | 19 +++++++++++++++++++ scripts/base/files/pe/main.bro | 32 ++++++++++++++++++-------------- 2 files changed, 37 insertions(+), 14 deletions(-) diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro index 4dc21ec179..22f246a3e9 100644 --- a/scripts/base/files/pe/consts.bro +++ b/scripts/base/files/pe/consts.bro @@ -70,6 +70,25 @@ export { [14] = "XBOX" } &default=function(i: count):string { return fmt("unknown-%d", i); }; + const directories: table[count] of string = { + [0] = "Export Table", + [1] = "Import Table", + [2] = "Resource Table", + [3] = "Exception Table", + [4] = "Certificate Table", + [5] = "Base Relocation Table", + [6] = "Debug", + [7] = "Architecture", + [8] = "Global Ptr", + [9] = "TLS Table", + [10] = "Load Config Table", + [11] = "Bound Import", + [12] = "IAT", + [13] = "Delay Import Descriptor", + [14] = "CLR Runtime Header", + [15] = "Reserved" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + const section_characteristics: table[count] of string = { [0x8] = "TYPE_NO_PAD", [0x20] = "CNT_CODE", diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index 7ab8f64bec..eb2f5a7f67 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -77,10 +77,7 @@ event bro_init() &priority=5 hook set_file(f: fa_file) &priority=5 { if ( ! f?$pe ) - { - local c: set[string] = set(); f$pe = [$ts=network_time(), $id=f$id]; - } } event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 @@ -91,12 +88,14 @@ event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 { hook set_file(f); - f$pe$is_exe = h$optional_header_size > 0; - f$pe$compile_ts = h$ts; + f$pe$machine = machine_types[h$machine]; + f$pe$compile_ts = h$ts; + f$pe$is_exe = ( h$optional_header_size > 0 ); + for ( c in h$characteristics ) { - if ( c == 0x100 ) + if ( file_characteristics[c] == "32BIT_MACHINE" ) f$pe$is_64bit = F; } } @@ -104,32 +103,37 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 { hook set_file(f); + + # Only EXEs have optional headers if ( ! f$pe$is_exe ) return; - f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; + f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; f$pe$subsystem = windows_subsystems[h$subsystem]; + for ( c in h$dll_characteristics ) { - if ( c == 0x40 ) + if ( dll_characteristics[c] == "DYNAMIC_BASE" ) f$pe$uses_aslr = T; - if ( c == 0x80 ) + if ( dll_characteristics[c] == "FORCE_INTEGRITY" ) f$pe$uses_code_integrity = T; - if ( c == 0x100 ) + if ( dll_characteristics[c] == "NX_COMPAT" ) f$pe$uses_dep = T; - if ( c == 0x400 ) + if ( dll_characteristics[c] == "NO_SEH" ) f$pe$uses_seh = F; } f$pe$has_export_table = (|h$table_sizes| > 0 && h$table_sizes[0] > 0); f$pe$has_import_table = (|h$table_sizes| > 1 && h$table_sizes[1] > 0); - f$pe$has_cert_table = (|h$table_sizes| > 4 && h$table_sizes[4] > 0); - f$pe$has_debug_data = (|h$table_sizes| > 6 && h$table_sizes[6] > 0); + f$pe$has_cert_table = (|h$table_sizes| > 4 && h$table_sizes[4] > 0); + f$pe$has_debug_data = (|h$table_sizes| > 6 && h$table_sizes[6] > 0); } event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 { hook set_file(f); + + # Only EXEs have section headers if ( ! f$pe$is_exe ) return; @@ -140,7 +144,7 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 event file_state_remove(f: fa_file) &priority=-5 { - if ( f?$pe ) + if ( f?$pe && f$pe?$machine ) Log::write(LOG, f$pe); } From 49d54b6a4e6e1d11525d3240a6a9b70758831365 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sun, 19 Apr 2015 21:59:42 -0400 Subject: [PATCH 29/31] A bit of final core-level cleanup. --- src/file_analysis/analyzer/pe/PE.cc | 3 +-- src/file_analysis/analyzer/pe/PE.h | 2 +- src/file_analysis/analyzer/pe/pe-file-headers.pac | 10 ++++++---- src/file_analysis/analyzer/pe/pe-file.pac | 7 ++++--- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc index 44464a3a5d..9db13291b0 100644 --- a/src/file_analysis/analyzer/pe/PE.cc +++ b/src/file_analysis/analyzer/pe/PE.cc @@ -8,7 +8,7 @@ PE::PE(RecordVal* args, File* file) { conn = new binpac::PE::MockConnection(this); interp = new binpac::PE::File(conn); - done=false; + done = false; } PE::~PE() @@ -27,7 +27,6 @@ bool PE::DeliverStream(const u_char* data, uint64 len) } catch ( const binpac::Exception& e ) { - printf("Binpac exception: %s\n", e.c_msg()); return false; } diff --git a/src/file_analysis/analyzer/pe/PE.h b/src/file_analysis/analyzer/pe/PE.h index 1fd67c22db..4bdf7b3969 100644 --- a/src/file_analysis/analyzer/pe/PE.h +++ b/src/file_analysis/analyzer/pe/PE.h @@ -10,7 +10,7 @@ namespace file_analysis { /** - * An action to simply extract files to disk. + * Analyze Portable Executable files */ class PE : public file_analysis::Analyzer { public: diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac index a3d46dc72e..f12d76e035 100644 --- a/src/file_analysis/analyzer/pe/pe-file-headers.pac +++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac @@ -39,9 +39,9 @@ type DOS_Code(len: uint32) = record { type NT_Headers = record { PESignature : uint32; file_header : File_Header; - have_opt_header : case file_header.SizeOfOptionalHeader of { - 0 -> none: empty; - default -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader; + have_opt_header : case is_exe of { + true -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader; + false -> none: empty; }; } &let { length: uint32 = file_header.SizeOfOptionalHeader + offsetof(have_opt_header); @@ -101,7 +101,7 @@ type Optional_Header = record { number_of_rva_and_sizes : uint32; rvas : RVAS(number_of_rva_and_sizes); } &let { - pe_format: uint8 = $context.connection.set_pe32_format(magic); + pe_format : uint8 = $context.connection.set_pe32_format(magic); image_base: uint64 = pe_format == PE32_PLUS ? image_base_64 : image_base_32; }; @@ -149,8 +149,10 @@ refine connection MockConnection += { %{ if ( ${magic} == 0x10b ) pe32_format_ = PE32; + if ( ${magic} == 0x20b ) pe32_format_ = PE32_PLUS; + return pe32_format_; %} diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index 0cb308b17e..3eed9ad5bd 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -12,8 +12,9 @@ type Portable_Executable = record { pad : Padding(restofdata); } &let { unparsed_hdr_len: uint32 = headers.pe_header.size_of_headers - headers.length; - restofdata: uint64 = headers.pe_header.is_exe ? $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len : 0; - proc: bool = $context.connection.proc_pe(this); + data_post_hdrs: uint64 = $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len; + restofdata: uint64 = headers.pe_header.is_exe ? data_post_hdrs : 0; + proc: bool = $context.connection.mark_done(); } &byteorder=littleendian; refine connection MockConnection += { @@ -26,7 +27,7 @@ refine connection MockConnection += { done_ = false; %} - function proc_pe(p: Portable_Executable): bool + function mark_done(): bool %{ done_ = true; return true; From 928f870f58b89dd48162455f811b9bdc76e2f48f Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Mon, 20 Apr 2015 11:54:34 -0400 Subject: [PATCH 30/31] Update pe/main.bro to user register_for_mime_types, ensuring it will also work with the upcoming Files framework changes. --- scripts/base/files/pe/main.bro | 10 +++------- testing/btest/Baseline/plugins.hooks/output | 18 ++++++++++++------ 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index eb2f5a7f67..d324758bf1 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -69,8 +69,11 @@ redef record fa_file += { pe: Info &optional; }; +const pe_mime_types = { "application/x-dosexec" }; + event bro_init() &priority=5 { + Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types); Log::create_stream(LOG, [$columns=Info, $ev=log_pe]); } @@ -148,10 +151,3 @@ event file_state_remove(f: fa_file) &priority=-5 Log::write(LOG, f$pe); } -event file_mime_type(f: fa_file, mime_type: string) - { - if ( mime_type == /application\/x-dosexec.*/ ) - { - Files::add_analyzer(f, Files::ANALYZER_PE); - } - } diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 1b63a4a702..a4b5bd825c 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -131,6 +131,8 @@ 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> @@ -203,7 +205,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -303,7 +305,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> @@ -693,6 +695,8 @@ 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) @@ -765,7 +769,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -865,7 +869,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) @@ -1254,6 +1258,8 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) 0.000000 | HookCallFunction Cluster::is_enabled() 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec) +0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec}) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]) @@ -1326,7 +1332,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1426,7 +1432,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) From d0e4d17f31aaaca97a53454d9b8059aeeb914c73 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Mon, 20 Apr 2015 12:49:42 -0400 Subject: [PATCH 31/31] Tweak the PE OS versions based on real-world traffic. --- scripts/base/files/pe/consts.bro | 28 +++++++++++++++---- .../scripts.base.files.pe.basic/pe.log | 10 +++---- 2 files changed, 27 insertions(+), 11 deletions(-) diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro index 22f246a3e9..c2a17f562c 100644 --- a/scripts/base/files/pe/consts.bro +++ b/scripts/base/files/pe/consts.bro @@ -127,15 +127,31 @@ export { } &default=function(i: count):string { return fmt("unknown-%d", i); }; const os_versions: table[count, count] of string = { - [6,2] = "Windows 8", - [6,1] = "Windows 7", - [6,0] = "Windows Vista", - [5,2] = "Windows XP 64-Bit Edition", + [10,0] = "Windows 10", + [6,4] = "Windows 10 Technical Preview", + [6,3] = "Windows 8.1 or Server 2012 R2", + [6,2] = "Windows 8 or Server 2012", + [6,1] = "Windows 7 or Server 2008 R2", + [6,0] = "Windows Vista or Server 2008", + [5,2] = "Windows XP x64 or Server 2003", [5,1] = "Windows XP", [5,0] = "Windows 2000", [4,90] = "Windows Me", - [4,1] = "Windows 98", - [4,0] = "Windows NT 4.0", + [4,10] = "Windows 98", + [4,0] = "Windows 95 or NT 4.0", + [3,51] = "Windows NT 3.51", + [3,50] = "Windows NT 3.5", + [3,2] = "Windows 3.2", + [3,11] = "Windows for Workgroups 3.11", + [3,10] = "Windows 3.1 or NT 3.1", + [3,0] = "Windows 3.0", + [2,11] = "Windows 2.11", + [2,10] = "Windows 2.10", + [2,0] = "Windows 2.0", + [1,4] = "Windows 1.04", + [1,3] = "Windows 1.03", + [1,1] = "Windows 1.01", + [1,0] = "Windows 1.0", } &default=function(i: count, j: count):string { return fmt("unknown-%d.%d", i, j); }; const section_descs: table[string] of string = { diff --git a/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log b/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log index 5659276fee..f4335adc1d 100644 --- a/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log +++ b/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log @@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path pe -#open 2015-04-20-00-26-40 +#open 2015-04-20-16-48-55 #fields ts id machine compile_ts os subsystem is_exe is_64bit uses_aslr uses_dep uses_code_integrity uses_seh has_import_table has_export_table has_cert_table has_debug_data section_names #types time string string time string string bool bool bool bool bool bool bool bool bool bool vector[string] 1429466342.201366 Fz2N9x4SAxQiSnI6mk unknown-475 0.000000 - - F T F F F T - - - - - -1429466342.278998 F5fc4q3zhJHmYSvm8a I386 1402852568.000000 Windows NT 4.0 WINDOWS_GUI T F F F F T T T F F .text,.Ddata,.data,.rsrc -1429466342.225653 Fzysjj1zfjAcgWgm22 I386 1171692517.000000 Windows XP 64-Bit Edition WINDOWS_GUI T F F F F T T F F T .text,.data,.rsrc -1429466342.250474 FOuWFKf04xcHH4ck I386 1210911433.000000 Windows NT 4.0 WINDOWS_CUI T F F F F T T F T T .text,.rdata,.data,.rsrc -#close 2015-04-20-00-26-41 +1429466342.278998 F5fc4q3zhJHmYSvm8a I386 1402852568.000000 Windows 95 or NT 4.0 WINDOWS_GUI T F F F F T T T F F .text,.Ddata,.data,.rsrc +1429466342.225653 Fzysjj1zfjAcgWgm22 I386 1171692517.000000 Windows XP x64 or Server 2003 WINDOWS_GUI T F F F F T T F F T .text,.data,.rsrc +1429466342.250474 FOuWFKf04xcHH4ck I386 1210911433.000000 Windows 95 or NT 4.0 WINDOWS_CUI T F F F F T T F T T .text,.rdata,.data,.rsrc +#close 2015-04-20-16-48-55