==Phrack Inc.==

                Volume 0x10, Issue 0x47, Phile #0x0D of 0x11

|=-----------------------------------------------------------------------=|
|=-------------=[  A novel page-UAF exploit strategy for  ]=-------------=|
|=-------------=[  privilege escalation in Linux systems. ]=-------------=|
|=-----------------------------------------------------------------------=|
|=---------=[ Jinmeng Zhou, Jiayi Hu, Wenbo Shen, Zhiyun Qian ]=---------=|
|=-----------------------------------------------------------------------=|

0 - Introduction
1 - Exploitation background
  1.0 - Object-level UAF
  1.1 - Previous page-level UAF in cross-cache attacks
2 - General idea
3 - Page-UAF exploitation steps
  3.0 - Page-level UAF construction
  3.1 - Critical object corruption through page-level UAF
4 - Evaluation results
  -- 4.0 - Bridge objects
  -- 4.1 - Real-World Exploitation Experiments
  -- 4.2 - Comparison of our page-UAF with previous methods
5 - References


-- 0 - Introduction

Many critical heap objects are allocated in dedicated slab caches in the 
Linux kernel. Corrupting such objects requires unreliable cross-cache 
corruption methods [1][2][3][4], due to the unstable page-level fengshui. 
To overcome this, we propose a novel page-UAF-based exploit strategy to 
overwrite critical heap objects located in dedicated slab caches. 

This method can achieve local privilege escalation without requiring any 
pre-existing infoleak primitive (i.e., no need to bypass KASLR); it can 
help derive the infoleak primitive and arbitrary write primitive. 

We developed 8 end-to-end exploits (https://github.com/Lotuhu/Page-UAF) 
by using our page-UAF technique.


-- 1 - Exploitation background

-- 1.0 - Object-level UAF

The standard exploitation of object-level UAF leverages the invalid use of 
a freed heap object (vulnerable object) via a dangling pointer. This use 
can corrupt another object (target object) that takes the place of the 
freed slot. For instance, to hijack control flow, we can corrupt a 
function pointer within the target objects using the target value obtained 
from a pre-existing information leakage primitive. The object-level UAF 
exploitation requires the target object to reuse the freed slot 
(previously the vulnerable object). Thus, the vulnerable object and the 
target object must be allocated in the same slab cache (typically in 
standard caches, e.g., kmalloc-192) and require object-level heap fengshui 
to manipulate the memory layout. Dirtycred utilizes a critical-object-UAF 
to achieve privilege escalation, using cred and file objects [4].


-- 1.1 - Previous page-level heap fengshui in cross-cache attacks

Nowadays, many critical target objects are allocated in the dedicated 
caches (e.g., cred), rendering simple object-level heap fengshui 
ineffective. To corrupt these objects, we have to launch cross-cache 
attacks that usually rely on page-level heap fengshui [1][2][6]. The 
page-level heap fengshui of OOB and UAF are different.

For OOB bugs, typically, an attacker would trigger overflows onto a 
subsequent page [1][2]. For instance, after saturating a page (referred 
to as "page 1") with many vulnerable objects, the attacker can allocate 
target objects to make the slab cache request the following page (referred 
to as "page 2"). Consequently, the last vulnerable object on page 1 
becomes adjacent to the first target object on page 2, facilitating 
overflow from the former to the latter. We can't make sure that the 
vulnerable object is the last object on page 1 due to protections such as 
CONFIG_SLAB_FREELIST_RANDOM. This page-level heap fengshui requires the 
manipulation of page allocation in the buddy system, making the exploits 
more unstable.

For UAF bugs, a common strategy is to convert an object-level UAF into 
a page-level UAF. Specifically, the idea is to release many vulnerable 
objects (one or more of which are freed illegally with dangling pointers) 
to force the entire page to be freed. After that, allocate many target 
objects so that the same page will be repurposed for the objects' 
dedicated slab cache. Finally, the dangling pointer can be used to 
overwrite the target object in another cache by page-level UAF.


-- 2 - General idea

Our idea is to induce page-level UAF by causing the free() of specialized
objects (we term them "bridge objects") that correspond to memory pages.
A bridge object is of a type that contains a pointer to the struct page 
and is located in standard slab caches. Among others, struct pipe_buffer 
is such an example with a field named page (and located in kmalloc-192). 
We list the code snippet below:

    struct pipe_buffer {
      struct page *page;
      unsigned int offset, len;
      const struct pipe_buf_operations ops;
      unsigned int flags;
      unsigned long private;
    };

Freeing such bridge objects will automatically cause the corresponding 4KB
page to be freed, effectively leading to a page-level UAF primitive. This 
is because an object of type struct page (which by itself is 64 bytes in 
recent Linux kernels) is used to manage a 4KB physical page in the kernel. 
Through such a bridge object, an attacker can read/write the entire 4KB 
memory, which can be reclaimed for other objects (including those stored 
in dedicated slab caches, e.g., struct cred). This is because the freed 
pages can be returned to the buddy allocator for future slab allocations. 
Finally, attackers can overwrite the critical objects in such slabs to 
achieve privilege escalation (e.g., setting the uid in cred to 0).

A prior work [3] also attempted to corrupt a page pointer (in pipe_buffer) 
to construct page-UAF and achieve privilege escalation. Our technique 
further defines and generalizes such a page-UAF technique. We will discuss 
more differences in detail in Section 4.2, after introducing our exploit 
technique. 


-- 3 - Exploitation steps

The page-UAF exploit strategy consists of two main steps: page-level UAF
construction and critical object corruption, as discussed in the following.


-- 3.0 - Page-level UAF (Use After Free) construction.

Starting from a memory corruption bug that provides an invalid write of
memory, e.g., OOB, UAF, or double free, we can first spray multiple bridge
objects (at least two) that co-locate with the vulnerable object.

Specifically, for bugs with standard OOB or UAF write primitives, we can 
use the write primitive to corrupt the page pointer field in a bridge 
object (e.g., the first field of pipe_buffer) such that it points to 
another 64-byte page object nearby. This effectively causes two pointers 
to point to the same object. A user-space program can trigger free_pages() 
on one of the objects (e.g., by calling close()), which will create a 
dangling pointer to the freed page object and the corresponding physical 
page. In other words, we can read/write the corresponding physical page 
that is now considered freed by the OS kernel. For example, one can write 
to a pipe, which will lead to a write of the physical page via the 
pipe_buffer object.

For bugs that have double-free primitives, which can often be achieved 
from UAF by triggering the free() operation twice, we do the following. 
For the first free, we spray a harmless object (e.g., msg_msg) to take 
the freed slot. The object should take attacker-controlled values from 
the user space. Then, we trigger the kernel code to write the harmless 
object until reaching a certain offset, using the FUSE technique[1] to 
stop the writing right before a planned offset - corresponding to the 
page pointer field of a planned bridge object. Now, we trigger the free 
for a second time to spray the planned bridge object to take the slot. 

The writing process is restarted to continue overwriting the lower bits 
of the page pointer field, which leads to a page UAF. Previously, to 
trigger page-level frees from double frees, one had to release an entire 
slab and then do a cross-cache technique [1][2], whereas no such 
requirement is needed in our exploit method.

For a standard OOB and UAF bug, we use the following figures to 
demonstrate the memory layout better in various exploitation steps. 
To start, we have at least two bridge objects (pipe_buffer1 and 
pipe_buffer2) that contain a field of type struct page. The pointers 
point to two adjacent page objects that correspond to two continuous 
4KB physical pages. Below is the memory layout before triggering the 
OOB/UAF corruption:


               page *               page *
    ----------[---+---------------][---+---------------]---------- 
              [ * | pipe_buffer1  ][ * | pipe_buffer2  ]            
    slab cache[ * |               ][ * |               ]             
              [ * |               ][ * |               ]            
    ----------[-+-+---------------][-+-+---------------]----------  
                |                    |                              
                +---------+          | 
                          |          |
                          v          v                         
    -----------------[---------][---------]-----------------------  
                     [  page1  ][  page2  ]
    page pool        [         ][         ]
                     [         ][         ]
    -----------------[----+----][----+----]-----------------------  
                          |          |                               
                          |          +------------+ 
                          |                       |
                          v                       v      
    ----------+-----------------------+-----------------------+---  
    physical  |      4KB page1        |      4KB page2        |
    page      |                       |                       |
              |                       |                       |
    ----------+-----------------------+-----------------------+---  


Now, we corrupt the page pointer within pipe_buffer1 to cause it to point 
to page2 - this can be achieved by overwriting the lower bits of the 
pointer field, similar to what DirtyCred requires [4]. This makes the 
pointers in both pipe_buffer1 and pipe_buffer2 point to the same page 
object (as shown below). At this point, we can release the page2 object 
(along with its corresponding 4KB physical page) through the pointer in 
pipe_buffer1. As a result, the page pointer within pipe_buffer2 becomes 
a dangling pointer pointing to the freed page. The memory layout after 
triggering corruption is shown in the figure below:


               page *               page * (dangling pointer)
    ----------[---+---------------][---+---------------]---------- 
              [ * | pipe_buffer1  ][ * | pipe_buffer2  ]            
    slab cache[ * |               ][ * |               ]             
              [ * |               ][ * |               ]            
    ----------[-+-+---------------][-+-+---------------]----------  
                |     release        |                              
                +------------------+ | 
                                   | |
                                   v v                         
    -----------------[---------][---------]-----------------------  
                     [  page1  ][..page2..]
    page pool        [         ][.........]
                     [         ][.........]
    -----------------[----+----][----+----]-----------------------  
                          |          |                               
                          |          +------------+ 
                          |                       |
                          v                       v      
    ----------+-----------------------+-----------------------+---  
    physical  |      4KB page1        |......4KB page2........|
    page      |                       |.......................|
              |                       |.......................|
    ----------+-----------------------+-----------------------+--- 


-- 3.1 - Critical object corruption through page-level UAF

Now that we have a freed a physical page and a dangling pointer that can 
read/write to it. It is fairly easy to then allocate and corrupt critical 
heap objects. This is because the critical heap objects are eventually 
allocated through the buddy allocator at the page granularity. Therefore, 
attackers can spray the heap objects into the freed page as long as they 
have already exhausted all existing slab caches. For example, we can 
overwrite the cred object through the dangling pointer, as shown in the 
following figure:


               page *               page * (dangling pointer)
    ----------[---+---------------][---+---------------]---------- 
              [ * | pipe_buffer1  ][ * | pipe_buffer2  ]            
    slab cache[ * |               ][ * |               ]             
              [ * |               ][ * |               ]            
    ----------[-+-+---------------][-+-+---------------]----------  
                |                    |                              
                +------------------+ | 
                                   | |
                                   v v                         
    -----------------[---------][---------]-----------------------  
                     [  page1  ][  page2  ]
    page pool        [         ][         ]
                     [         ][         ]
    -----------------[----+----][----+----]-----------------------  
                          |          |                               
                          |          +------------+ 
                          |                       |
                          v                       v            
    ----------+-----------------------+[------][------]-------+---  
    physical  |      4KB page1        |[ cred ][ cred ]       |
    page      |                       |[      ][      ] ...   |
              |                       |[      ][      ]       |
    ----------+-----------------------+[------][------]-------+---  


-- 4 - Evaluation results

We analyzed the bridge objects in the Linux kernel v5.14. We took a sample 
of  26 recent Linux kernel CVEs that are either OOB, UAF, or double-free 
from 2020 to 2023. This includes 24 vulnerabilities from prior work [4], 
and 2 additional OOB ones missed by the prior work.


-- 4.0 - Bridge objects

We found many objects containing page pointers, which reside in various
standard slab caches of different sizes. The Linux kernel has interfaces 
to read/write the physical pages through the page pointers, such as
copy_page_from_iter and copy_page_to_iter (iter usually represents a user
buffer). We list the the bridge objects followed by the slab caches used 
to allocate them as follows:

    address_space->i_pages (adix_tree_node_cachep)
    configfs_buffer->page (kmalloc-128)
    pipe_buffer->page (variable size)
    st_buffer->reserved_pages (variable size)
    bio_vec->bv_page (variable size)
    wait_page_queue->page (variable size)
    xfrm_state->xfrag->page (kmalloc-1k)
    pipe_inode_info->tmp_page (kmalloc-192)
    lbuf->l_page (kmalloc-128)
    skb_shared_info->frags->bv_page (variable size)
    orangefs_bufmap_desc ->page_array (variable size)
    pgv->buffer (variable size)

We denote some objects as "variable size" whose sizes could be different 
at runtime due to different allocation paths. Some objects are allocated 
as arrays with variable sizes using standard kmalloc caches, such as 
pipe_buffer, which can be general to many bugs causing memory corruption 
in the standard caches (e.g., kmalloc-192).

In addition, certain functions, such as process_vm_rw_core(), allocate 
page pointers into the heap and store them in a page array, which can also 
be used wih the page-UAF strategy.


-- 4.1 - Real-World Exploitation Experiments

We confirm that 18 out of the 26 CVEs we examined are exploitable using 
our proposed technique by manually analyzing the CVE's capabilities. In 
total, we developed 8 end-to-end exploits for 4 CVEs (open source at
https://github.com/Lotuhu/Page-UAF), due to time constraints. The 8
unexploitable CVEs are not suitable because they are not general to heap
objects and can only reach certain objects in specific subsystems, e.g., 
eBPF subsystem.

Specifically, we developed 8 end-to-end exploits against CVE-2023-5345,
CVE-2022-0995, CVE-2022-0185, and CVE-2021-22555. The exploits spray 
bridge objects to construct page UAF; we specifically target 
pipe_buffer->page, configfs_buffer->page, and pgv->buffer. These exploits 
are generally easier and more stable because there is no need for 
infoleaks, cross-cache attacks, and page-level fengshui.

One exploit against CVE-2023-5345 uses another bridge object, i.e.,
configs_buffer, which also has a field pointing to a newly allocated page.
This object is a little different from pipe_buffer; it has a field with 
type char *, but it points to the first byte of a newly allocated physical 
page. 

Specifically, `buffer->page = (char *)__get_free_pages(GFP_KERNEL, 0);`. 

After making a page-UAF by corrupting the lower bits, we can read/write 
the whole physical page's content by triggering the `copy_to_iter` and 
`copy_from_iter` in function `configfs_read_iter` and 
`configfs_write_iter`:


    struct configfs_buffer {
        size_t    count;
        loff_t    pos;
        char      * page;
        ...
    }


-- 4.2 - Comparison of our page-UAF method with previous methods

As we can see, our page-UAF exploit strategy can achieve privilege 
escalation without requiring infoleaks to bypass KASLR. Additionally, it 
offers the capability to leak information via the reading of physical page 
memory. It can also help derive arbitrary write primitives via writing to 
objects that have pointers in the physical page. Overall, the exploit 
strategy reduces the requirements for memory layout manipulation to use 
object-level heap fengshui - only the initial fengshui is required to 
derive the page-level UAF.

To our knowledge, we have yet to see widespread use of bridge objects to
achieve page-level UAF in real-world exploits. The only example we are 
aware of is a CTF competition [3] that uses the struct pipe_buffer as a 
bridge object. There are several differences. 

First, we made the observation that page-UAF is not limited to the 
pipe_buffer object. Instead, any object containing a page pointer can be 
a useful object for spray and corrupt, i.e., bridge objects. In fact, 
pipe_buffer is isolated into a dedicated slab called "kmalloc-cg" after 
Linux kernel v5.14, and will require cross-cache exploit technique to 
operate in the future. 

Second, our work analyzes many potential bridge objects that have a field 
that manages one/multiple physical pages, and further finds feasible paths 
to copy the user buffer from/to the physical pages. Therefore, we make the 
generalized page-UAF technique more usable and future-proof. 

Third, we simplified the exploitation process significantly compared to 
[3]: the prior work triggered the page-pointer write twice to construct 
the two-level nested page-UAF primitive, which we show is unnecessary and 
achieves a lower overall success rate (75% as reported). 

Our exploit requires only one page-UAF and simply sprays critical objects 
into the freed page for corruption, achieving a 90%-100% success rate. 
For example, we spray the  pipe_buffer objects and corrupt one of the 
"flags" fields, which can write a read-only file (/etc/passwd) to achieve 
privilege escalation.

Exploits using our page-UAF strategy are relatively stable due to the 
provided information leaking primitive and avoidance of page-level heap 
fengshui. We ran five end-to-end exploits for vulnerabilities 
CVE-2022-0995 and CVE-2022-0185. Each exploit was run 10 times, achieving 
a 90%-100% success rate without any crashes. This is attributed to the 
fact that the exploits have a built-in feedback mechanism (i.e., read of 
the physical page) that helps make sure the final write is performed on 
the right target. Using this feedback mechanism, we can restart the 
page-level UAF if the expected target is not detected.


-- 5 - References

[1] CVE-2022-27666: Exploit esp6 modules in Linux kernel.
https://etenal.me/archives/1825
[2] Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow 
to Leakless Data-Oriented Kernel Pwnage.
https://www.willsroot.io/2022/08/reviving-exploits-against-cred-struct.html
[3] [D^3CTF 2023] d3kcache: From null-byte cross-cache overflow to infinite
arbitrary read & write in physical memory space.
https://github.com/arttnba3/D3CTF2023_d3kcache
[4] Zhenpeng Lin, Yuhang Wu, and Xinyu Xing. 2022. Dirtycred: escalating
privilege in Linux kernel. In Proceedings of the 2021 ACM SIGSAC Conference 
on Computer and Communications Security
[5] FUSE for Linux exploitation 101.
https://exploiter.dev/blog/2022/FUSE-exploit.html.
[6] Understanding Dirty Pagetable - m0leCon Finals 2023 CTF Writeup
https://ptr-yudai.hatenablog.com/entry/2023/12/08/093606


-- 6 - Source Code

begin 700 Page-UAF.tar.xz
/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4gf/QlxdACgYSOZrHn6LH5JKqOuBL1u0yI8jn3l/4YJfAe
FeddxXmWnllck5WVQbNDCRReRqZ90IwlrMf2MrJzKrBXZRqgdPYinbpAHXJ2xSypAuBYsNr9nLOXwL
7r+Xal9JNkO6LzZXMObgLoTvRyRAoQmlpOXnIW61STjm5A8DZ1f4GtQ8fE0yMGLJL7RQkoswnaVXiA
ZmWQ9dKiVQda5tyFYK3gOLSiC8AeX+DRpc2MJlPuj+4a3zFieb0PIaTpuY/FQOP0lUPayaq7nqqUZ0
p9ND0qjmQNz7S1apb0nVirkQFQ5w0n0Ef5UUsS4/JvBWV16KrmJ/sHiidm8CtEF4a6Nq1wnnWNAwrC
EqhpkEKhhnT9/JEFhkYcXtfpsYftDRd1APsumte3IgwD5tfnMYsdwfePhwhClRR4Z/hBEhHN5iE4SO
KYbVhrv5GvTmw5jR13AmF8TIx81WkXdm5k/rtD8I0CpLTeaMiiPeodUnnkw6ZCOY3tGhGgX5JcwZRJ
pVuGV24wQvNKQAbqlJzhlcm15sQiibshdd6Vopi2Vue7DR2vhtW2Ac9sT/HYyLGkjX0lP9LYr+m0Fn
Z1nU2N4L7ogh3Ihb4GTWVty0Xi0U060kcDyi8TJo5aZiLaDmAdDJAiwyctqRDJfwyJcQWk+/azilkx
J2Z6I7GjSQmxgqpU8kb5xLvT/00UqmlmXryqstNLoVqPqTZtkRFRHyLAgsOFJOH/XQuxHUDzSGncS5
MwArK7F3gIu0rsZAo/89rbfLY3nBp3ZTjzgGzFWiUhPz5r4xmx8FAkQtQnQepP4DbDmODIfhbIvHtK
mmtrCOUPma1kfYUWeRZ0nhBF4inKmoIW1GzjpFD2UWdmK3mQ5gnLC6gzeIbZmy8wPltrYQDD2dCGE3
fCFisasxXOdzgm59Cq7DcIoMmnoPS1Zz8Tmfw5cJm8eNikojY7GqLA+Mx+RFrj3khAzj9+NhW0+IYn
v7jxj6ISD1WtQ4FF3mesMgEwt9w5SPJ5tA26VE7Fw2/ptA4Ka83gWR1e3cL0WEL1GIrs+5ldS0NIp6
NDgMNhhzGs0IhxW8uwDVmlxs8GZMoMmJb/6+hzRnaP8VzsVtQl7ER9VbPcsulkYn9U4qkJ43k8Bekn
Li8ifFk+ai8ObxI9ErxaY49+CnhF5QHvbgYjFGpNsWqdogngCcx7D994YwsMO36SM9kcx0op+W9Sjv
OkBPAqUVe34gXicZ0dpKfhM/GZkDF+h+v20rYN53Xt0Tl7YTo5fNJ5RXOSGzcuIFfqSJp4EFB9SAxF
guhzwMee/i7ZYpwdpzd7RjVKxBOmafdLWnt2gnGm8iHoENWYHXjDi+KZrkPyTbyByoq+cG6bBi8SII
I6g5XbMdHpa2ZKxy9Z+UkgWOXP8ndAPqWrxWXoutzfqHsSVPXuIkvOVpOIHM2qBXe980aRhlDR2YgP
+eqn34h2oqazn9egCIcN3U9wNS53DhB53mn8TNaOilce6I8UWfsZAVLdwEdoFUDkVPgWkgP8jVmpxj
sgKwE6fPpR7IP3DcXZjWPhm/shUQNJRUWm8VFxdWOsHBttvnBS+zJlfqj5bj65KGwCrhd7bQ/Z3FNW
GilV7PEKEbvLKbyEP74PpqaxiPrd5pefnrd/VCTRN9f/ml/LbdTsOEGcTutgEXoG5SctgHoHTNAF1b
NbfnIn0RZjE1K2fO4IqDZcjQ8UbUUjWXTxa/uZUpuKXJ5X8SGS1kVpTwWjISehFJ0KAxHY1do+Bgnr
f5U52o8bKGiv0fHvSl+slVXwOlDyjhD8UN9wx5CXLz537s8m50Y3GBL5tBz5SqTDEScuXwgwJFixvW
CbYfNI4imClK0ftAN5kVOKHzKfz5BiDwUf8b2EvQiTsl3iaB0fQsQt/b9gE5lxqUZI6oElSWZjSovo
LHIxphq8hgasyww1EngpQm2v+huQrjecyjWTwj+y1PbzOOUV1Elpkhs7TpeLToMB8UwjylpZn8ePgM
LJr6pmWizdyj+iIn+RnDtaHenDGWXd+7AH+b3PCeNoyEA5XCUoWVoW+aN2aDT+dBtAv8XfUIyOU2js
yTeoI6HPIPEPwWmdK+BmWcUVrG8Kx6stmummUJpTCRp47g+qBejbTSt/2WEByhpdev5u9StbD0QyqD
c82/7QJUVAMI/HbZwoVvDMebiM5Y5iI9DPF7hgQElM/uGjKg8f57yXhdnPL2ksq2xCw/JABWwkCwZQ
a/HgDv3WMx6aErqFhnA0IAZxfYr38t7XIj5Ce8A7bK703lilVlGpb+xDf9RX1wHyUgGSNiefH6yIe4
w0TT1FG2ivFxITPUlVBYcJzzI8yXNXrq0qsnkdrKmIdIQQDiO5Feqb55WpGV1bZf1MvhsdvJEBCgwh
bG2cX8SRabzqCh6Z32QPbhBQzYEcR7ankfBP+LTjcLepWwiSFZTi+gw7+eFGEZjSgPUGPoEH/3PnJX
djwgL+okLyUP1GQcE91egpS/iuX2PCw2+QnRZwfdowoMbFoxlBePpkjVsCGafPvBUZiRit/YpALFHH
jnvwAFkpK0cj0vCJEuI+r2+kzLiPBpTyld+4E9axrQiZr9t7JRe1seKHB9a78T3j2mZUqw8QAMV0tq
Z1rLGPVJMIJJI9lt8qrgcSc4F2XFEw1ALqz/sAtMzchBFBZj89pfLZS1o/EIzdRiYfnJDpixiIfZ/D
2VtASfinv/kBSW8SN/5TmgS5nt4oiIouLYYSn0aojLmlmlwnthoWhLQUjR+NuXOwc2uIiRSB02GHr3
eftxrz8uC+tEKw0x/4x8MRolTCm67tF1ztaR0/m8PFKG0qTIf5j+rxN03fD7Hgd3n7F0Mz5TktFBfI
v8rf7/ui5RUBZQSEuGaENQMeMbfOdO6be8xLwhpaiFN9eQ/LSF9SIEF5JFsM7dc/NRaltKHGdhhulY
gLjicBSasFFWtGi9LPOkZOyzfK+AaqWKmcMY4QDcHjq6n1NFzImQvFlGlIBioJYjjj8aGl7lzwIz04
UXQCAAOQc6EX2yWmY7QH4lglNgYWmIGOvQDrEOwv39tqBfZpge5Kr6xz5owJcyd0JIMqkPD7NQSrCI
Q92U4S2GvQUmuKmt3a1x7VaEX5YzQDLKLTI620x28l2WCshHIUdTyypFlZGy1zfXCNAy1i116dijve
1SKpNpxf6Tsvx7GFTEpjAeeJVTn9VyZX0TcUpluhq4mqZOy8yI/2ct90341+7/pc4JUIVfK1+clUup
dQd6ChAGF3nnJpSiAU9qBdZEyxMDoWUil0W7OZUhHb9KGuApu49pTsQ46fgDua8fsbWrIlKPziUaCx
d+6wqzfedguhLXXhV+MHEbvzBwFCkbczpfKNYx0GqzO/NApwSlEHvxJLPqXoc37KmRfEcrwRqRWeXd
PCD08VcR45pOE21CJXMskH3ynWkYoNW0FKW+phNog7XBs3bF8WqYVlBpG7HnPtLo+h0NowQ1RpGL4R
dKrdG8yLWIrOtQ5l3Kyw2nxtUfY/mEViA2Ta8SptL9Ojrsp7Kdr8g7RHWNXhUHUtc2YUiywVebjulp
559juhFYimLx5awRkwIH3h5+liePAZayvEOB99rOUa8YhBZBswwj+tUhCQCDIiBeiCp25CpFgLTl5X
SOalQK3/H28GBYeaEppKbroZ3kA//MnjfpJuoB0ih2iDAtbntrejxXnxbA7MMJ8u32GQz4whMyT5sj
tESxqzD0Nvoxj+ByHbAzRlmvMnO2UI+ryQfApyyPuFKKNmo5mqUK2/0xYcoH2uGUAZ6shW3JJucfpb
om+DxnTYBTdYPtd7q0L6QKsOeEwZAba0VRGzUIJXBRJkLNeXEwMvvsMb1mArVBYzH2kqKT/44zrFyk
Yjn8c/JFbsJXkEErXjsR5rFPbSgT+02jPdtXRXoWikdZbhxhovCNgUcBRO0E/SlvEJuiOeuRDqN92u
roolFTuY1o3sPYg0lPnZrqPulf9yyRs8WK+nLqKKZA8VN99PJlBkkmxPcNT2fumHWK2/jSfK7P/4Jr
mZ9eAoqiaIlfoBhbz/x56mO+ELJ9b7+95veuS+oNifnfoUFpSfjMaFEp1VSoz1X3IQRnLQ05BW7NJy
opcHlmAZfdFfi5bxLfn1ZN76iMSPFWuQHQ34Z32mkBYNIJVBo1h9TpTybL0vyiXPFnLVdV/GkZ8VrS
z6WpX+okgQsH1XwVMumOYtxf+JMEnOMny+Qr609Inh1I0o6Buv9AlGDjB3LNeUAaHRWA47of0/tEYA
CNHfR61PjTHEqAMx3K+Gdqdv8/TnXiNwS5v8EgQS4zyiII3RYuncetnleAxheR/Tv/fObMXdOUn4zu
jXwWFuUVffgAcQf/HTBMgs9m/Idd1uYtUqPA7opZQSl7DpMMvcQaQMf0i6CFS/Vz6oBmdKTgbwFoEi
FLxvnS+0tAnmO9k1xykxqoDEvYJvP5G7Fcgc0a/nvK4mpQMdcb6IZfs9ghkIgtwDossEoKweU315yJ
iawcYRJ7AhgUgSQxRNhWBZDhH4TcdWpHhWNTMuSwVKQHihaiFaefh6dq0PVvQDaXnW/bvYTa6WTlvF
9FpV7UgjTjUzPRRtNqcTbxJV3felNRaq/FWFrrgYZCtQdTOMiyWeiXurkrfHzjsNdo8CN/BQiVg4ly
3pr3E2GGMGDo62hlzH6Ol555dshK30+Oa++JuzZXUvHWCT4ZcSQCGx6j1avFID3DDg8yz5xPvgKrHv
pmV2XTiM8NIqFSVM16Aa1zzZExywBJRXS6cbmeVO2Eth/L6s0J//G2lEVNu5JNnMFbGHnvTtVS/6nJ
YAem8cHNcbl8Unns/GQ8YYNhw34gBhX++pcOfGGnNXh+JW+VdIjj7dAq32TZfju1JDn/KTRjNIJFmw
CxtNW7u2idczTXO2yCG6764MusxnOs9/udrnBEXPuhUyRtY9wTMEdzVgFWKlrNnS4toS3F7RPjXlPL
UlfdUaLg/b8YJ54K4FhvvKY++aml7nskVOCBihm8QUQ6WhZMuSpk4HOIjQ7M+9uMpzYSMFIlD9oUUn
24t2DVjBYXz7h1e2lnJ8ihojZEaj2UZeQRCWC2BEF08wssZxXLPTGbaIjFP5DUqklB+gGDTqHS4zt6
l28YKAFvbtBHC1lLFcuwWfChsaYOC/zh5iw75Oqv9KclK0JuK9vnJyuFD6e8/BmbDBaJ92XF3Eq/r6
qQ5qKlIpFvEOUVaUOyX/NdGNGEicweRS/DTT6I65rrUvgK/ukYOCixKsvJcYFL1P1dAQlSAnfdCq2d
fhxYSdbOsvb2eUlespVeuopuiu3CDfSHH2E3vGRGBU1mtQD/2MU2gAJHVyo3e7TJjUSY9RNY8ESfky
GZjMDN7g8WlS7bqeLWiBHtKCR07wEQL8K3CANXJPXZc0/j6fiMkEGJS9gW/+wOi3/1Ufe+4YVWl7zR
/4Dzu21p2SZHHo1ISZJiC8wfAd40bwnuzz8yo/bEkxrRoVdli2qHiB7gH46tV+3TMprII7MXr+CGpl
aFbUtf9DpVGdM8WQUv3YZvMskLO+Trx2oiesLqyxrP/GU1EdeSc8aTM4c4Pbi6dhsG5kUcuXYqGcFZ
SyTq1YHFiljrOdK5kW+LkPWbkgRO3gm3DrWUK/klRkNYxYcPoXqNi1I+VzbGrt//Fegjd83XnXXXW+
c5pelxHTo8dPqgU6knfGaQcmMj35E2xk1E4Uyj7D86cvfX06tR7hMBq8eoySPE58s/4YAgddZU0UMB
RnyOV2tmfmUuLhjXmEbVHg0LPh2bsO9hjq6Jn18orE9qIYCMGOt9qXUrrQFvaYKQwS+2tfxhVPDQrD
itXmr7jBgJuU2abTOmHSrAUnIaOwyZvU7PB35dDBR4bgb4hBkwNuHuB2FXxwEHKjqd7mu3c9pdPSXe
UNL9gBgoCqqpkLFAh5ABFaXFBOXXDCDk+4nH2B/XVhIBTtcVBZ+FBkucYXHA0qHGbLEmOVRYwV92lJ
lmSqsoUN8IP62NbiOqVyJhLvDrqBVrOiR+vSbI10oKdwsuwo0sK1D6FxCrwtbedaWhkGh0AUPFAARl
cfecKLazZbXo/Y/So/f3zNG7BFD4OQk6Ve2nim3t9gGW8v2JYJShCYJTByM2cQIitNv3yUEFONimVb
u19uiMl9J5Bv3aWcABik2F0aQy31ySOQCRM70sXX7C+w4evHmUg01BsdyEVXZ1h8hUHlhGEjrruwqY
vo+TAusI73GPIzVbY2uc7ygjoxFRKTtFlkkL9M4YDqZYyQgaPu3wVGL4C7LaxLypOFPlB6i8NQxYeV
v16x2m24u+Lph13cDB5zaYsmbkh/wmxYt/uaoJTfnIoDuyAuT4zLWFInUIR2EV355HrqYm/aoIqAJG
AmDhmNNT/avQXqunWMGhkq0MyigSPb/5mB/YJPhfjJmn4IAwq6lbeGPzuCRKqsbE3iJIk25FUiArK6
FsKvx9n4+8Dt3MYbtj8vOxOmmezcLpBjoAnHzsDF9TRKQLGDByu7sBQx0Avl3NeHRTiik+9Unx4+7N
tpC6mP7ijyUZzH2usDfnAGX5+fP3IpD5JGAUpuiCuPbv6OdilMXUWwVm2XbqA2sa3miT7dP5wDv9+D
o0Z4gZNV46mYpjaylhZC2mY/se+vm7ebKtZNIHLyOBryh+VO4HoeX5lvsD/sy50DolaN7W4jDf/AbO
u7OCSFRAhyugdRz6wPgmndsMiKLCYoLT0cA+shPetbGGnGZK8AOsFSbaFys4ILenDD6VTyfiGYE1D7
sDnuQ3TIsG3RvN+ANGwqE+F93EPUC6cp+IwxHqrK45gfnrZNxXqfmiTts2vZRUKJPQhYSDiL+HBp6C
kHiM9pT0WYaNw1BhLic+KJMOayyJm+lvOAHjyV9AWYb2fyIEB41IH8xTYclI2CusVOnos0vcozGP7X
ufqU1c5R9VsM3ZbBkzInHzjnF7HtbWIJzfZ/UMZNuiLWfjDRG9AQdCTgeQAjgO5p9Idn1Ig6JQdotP
JDTWGaIADcQPz67473mLiv5UbARuPkLBrykpwgXzjT+zXBxXZEpXqhcvPyYv49HmKhE2A2jk3vV+K0
PyseE2Jupz8V3FG1m/N5ONey6EQU3/UMFBwH2C9JcNNWAbmSLENNUouI9TnYePsP4E0NUHh+Z3t843
iBHoSFqj3DfKZq0umiCRfXHa7AbokPFG6vLGv8+wGRpQuEqyNGPEXSEvTu6F4U9u4ITAhDZhz2//+q
yRKlvRM/HmHDNnjP7swC/bVjxGrgIxhiKnWT2nOXtUzYdYBdMCK8I4YfugP5SHmMUok6nlfrVvneXP
kwsptozSNjgBLjeCNrYj3+8v3aMxLhKDfev52BEpVZzb6bRwfbmqT6Jf70iLDV0RVSRQqYOaFoVTFK
Bj+hkXBRfCC5//yute3HEsPv4i1EewCG3xU5rT643xb/92NE80PaXRurd7wX76OrwrLNNtYioQ0x62
Grvm1v1iCVkCH6xoYjDhytM5Kx2BJ40Mxz9dYBPEO7NCvnq6ZDp00mwitKTyl7EwgTYVnbIxHJFwaH
oVNkqSmvU1URsEY6uuu9TRVVHeT1TxM62UpTCP10wcKkf7JEpbBMls+6qyCGJuzK9Yh08hFtLlDYZV
6UfcOJut2WNUyuKB/iPVrOckS9lryFdhRmZUsQemEBgTDvWb/6fpL+FvovKkbRDDwzBbt35G5/6YfU
mQClrkSZabR8tSnhoafDkhTDF6YqHjtspuGaJSfJSHe5vb2349UXefTLLxgrkSbJ7rwont7Z7iHQJc
j8HyXO58cWsehpWuTa6YkZS3c5ebtFmGu3vQR1zv8XBFnbijmV93YXRyBvrEU9Q8C25BOH1HVGxV3V
+lMF491WYLmT3jPUWUzRT4j4b8KafZv39ejTZLaFOj5h0xtizTIpRx+ys/Qf69q5ScMir6qnH5hK7X
v9crwBZEu2n7UXpCh73usrxXBIRUdy3Q86VqW+6VGJcXQ6jfZCRDg0PehAZE0LyKXrWxNfETX00QpJ
CPR6s8Y/vxtZF0/ltVu5RkGDn90trzqyIyd/QeIe//WrtIKh2xXv73TcjOLHBQUYh25amTiZbRPpkg
lXV9Ip+tsN2hI4fOi0CQRlsHTmqSSu6mOOhwe3nyv85IHJSrPhf2hRJ9005pMsJdvffTHNlKMbn7YR
tXOA3I6CLf7m6F2zlL799mQarYbZvFUw5UiIEwLc5LZwE0DGfz35jOpsdbtdO2PZ+hcX/JR72Uqeuo
pqbFseicSZ+rJIvqC2t2VoO0zITL/hmJ9O5+IQH9JuPR6fcWMbbCxKKjryCWdIGtzyEydoB3YoUemM
60fi54e5MlY0coPFtvoJvDC6pLcNtZ9WRoUP5YpI2Q9g0GeNrIzRoYjRNVjtBOQ8vrG4uhnFoNOMaA
Dxnr0aK3YPco2P6WY3sj57x3KMrvFw/pYDThB6Hp5h4YKP+I+F5v2r76oIMqxELRhHrruraJDCxN77
P+NPfBV8FJFfih51iI+Dvwipmae02VksBNRpuPNn0qbjpsqJearJu3GhdkX018k9Q2GURYngwityNK
sDd5Yp/GWKpSZ9EIXAVcDYvgGCFQt0kZRRpsHaW8zA+2uCONYfGqHqEHvJZvz4KxpcKa2Y2n15tSyY
F4CM9QtU5hqOKK48OWomCcOzARoLsRc36jClmjy2ZS14bGLtIv+WbOSLD/+h9JvATId16Wh1aWG84O
uU1uZq7VawEgA/CLSX/mUrT09jBbwenqEWER858kQ0SFfNpxJkGUpbhVMAwOFaG7pKQkm7RqkmFdp9
uQWesRkhy+5jCKheKvc91O3mbth+PG66LTy74yieOS2luld70OFS7zS7eCCCVXKFfarNrLIN86vboQ
H0Kh/FTe1I0l/fcxCqWs85FKfdJ1yYmGO+rdtcVYXIi+qv8Md4N0YgWgp2WwHfhbVJ7OXJWos48DQl
U0Nm9nKdn8DAoTTDqHTpwgFNuZJxK9Uy7aTfuT8YOTqCYZeWjtv3zpbM68FSA+wyhT+hh9Lw1RbAmA
b8bMRLl+4nbYr3rWng/SLl6zD7jY1DFDY8R1QiByUIjwQoJNfpm8oOS6z9+YMfULvSFZwdIMZ73er8
fCS+crWYYu0+wxcGauGxOiV5akjkfRHBTyOOmco47EkRIvmxe197F1k6SRznwE8CSqSQfQovEUv6Xs
UnWDjObgeDJzWA4rPAY/mrhDk/eOkjthF7ZsPFPIKmgOhMPRdqsnrRVHAeQnCEYY3Ssg6LQ7bzSRk5
RT4KFS3KJA7ccN3w9xb3Vzs7BeCi+1gqfcYljA+TY8vdzhcibSwzATRmTrn54A2Cn9kijUg8hvP3+H
Zm1nEz6JADVb2OEz0R4GbJzLLkwBTW1TBPkoebRGQB9/UmgOJU6fCgqYwYbseO6u3MmWyJXIMfzIkN
+M5GGqRODPHiHjqqOzlhB6+9nZwwYQNg0zVVI1f/qZQp1DDZuQUS32i+UzaQdonYtIfv0PkpFtbs+6
DC/gLptdxYHuncFGURKqBW5w9qgvS1neiCFd7y8X8mUVVZDc/BSAZGWFmfbFOxoy5wITAa4K9nokYW
Nem//tCbo602xKk96bsYlSsrLNdYRc+XydKOf9tK0dIwa41rm7fTiL4BJSxzzw5/8YFURomnqIHuv/
F9BxqWMGs6y669pNK7JGbV+/Ij/0dVnD6NBllrSHtvIpuhVDVytKtpu3oiY4auZWXKQQp/1Lk9x0OB
Cz2h1mRLmFde1iCliaZQhPy483aAOmrsVGc8AwnUA7+CpycOpIt8+2QxGNEsR8c4+aEV7kJ+5B2pcN
WN8HUlqJhVVme7qoSI0gOpaAhGVwWnBw5JPbxABGq6R7NCBswJW2jYGSBQEOsZoFB4nNq/4VyrbNdq
ZcaHqiSxfh3FkkL4xbLIwHILriiyUIHQKMpJaerWq6tGuPAgzYVIQGksOi1x/JKnUBahDr49IAUFYU
rsqnGpPlM+C1I0pCxFoXdHTg86tkKZr+flgi++Ab1NcGprU9tVQ7ZdkMCTZnoYCh81fYfUOGBgS2Qy
/z+k3BGaBhus4FGOSg7oeBvkoRhjcXiTf+xbE1rMNww+RvK0+/GQbwPZNFasLfi1v+o4sL66Rc29f0
zpfIIT69kKGklPu3Tsro2D7oyAT/ND8V+KeZCcZ5gtlKqc9qnKDijiWeVjcdwcCq1qxwxr4M74Cteg
oa5XmJjU+N1OoChA5kx6S0JcP06ywCApvMKq6LLyk6tO6rIUXafkcz7ZM5lyVzEHz9d3lHoEeYSst4
bJ0NDAdttdNxN3M6dqCVOfEPv1R6r3dlWU33PFsLyunTIJyd+iJLLh2eo8JCu2Nep+8HWfKfl/+BOv
IndElVx9YSypkHNQYpnmtUY5nsGeRdlIL4K7HKX1Q57AOENbForNBxrvb7wX4IhRq+i2cJ4+KzlbM1
4Nmmt00iPQTUlh/JrSEtVVXQwBSeRUBrYFzHXYajIVRYpV33xe5LbAYhycHCl2AwPvyKOO1WzY397M
MRFC5uofgHCIPsZUGXKokHwpFC9DpU3bN1eWwpOV/tODHBSbRpuyjcfLxOBuKnlnoQtCsy7wWVhb9C
mUq/DKIdowXhiI5PF4urcZOdFIdnIkKvjoXfY0h2Xpv4+M+POyU70JAhBLKNXcS1gBT80BgXGZbrjS
4KpCQZyme5f7cAziMvfw0iu9NyPCl9laAQtziV2Xur14sHbjrHX2OlmNeUlBWEVl2E6P3ETxs3jIJw
I2P/Hf0hIPBCPoxI1vHDHYzUIAJYgxVfQbj/mP3Juok+gh46askRgJaJgA7nqozr07oYQvLaLocuc6
w7alcBbMB8Oknt98js/YpJMkoGSUnvOhlZdXi8sWFaBXNjoYPC7OX5ugeGPz4XK+ManaUzczUEzFts
ytw0hFG/gdlan3H64MfBwAOa9FSX5jK5sZJKYMMhAxM7xcMkANxL8OzpxG2WBRzX7uLG2f62cxHBxo
gILI+xHJKNuUIa5WAYC7L3cj1tPFPXSbkXuz1/VXE4YswGqZdfJn2vXM4ReiAMlSRiqE/AWbSZ8Ksb
6vydgCKAz9QvNWpsfbkgKO9yKknT+YJdnOh3V58n0mGEDRMN1WC0mAll6pn5ZkJ1vpgXSETCNt+wXF
4p61gvhaKJ/RIwNgWgaxl90RxJYWjYx0yxNM5WanL5AJ6q5bQ4A/OeSUz0UsW3sjweo4VPQy9tOZO5
1ejeqUE5DTbYqXRUt24V+UmKt9X6qhG27+SS9q9vcnFw5yptVhKt6Pfe3pHNAanapEIjecAvjps4fq
3za+dDLT2lMBGaHY1HJqhWT8qMdtRDtqKu+08zBqsmmTOk/3568lq/cG9j1rlCummyqU4uF+Dxtbzg
C5sH0U2S/q4iG8+Fmm7ZewEQo6pcItgMmZyqKt6SIgEAJwVJXRKiv7FCfXALlFIvJeqXlDzZz5OyMm
LjLg9kiSFX/u1+i2TBFxrdeaA5IscGS/eX6fXwfgDLWzlgQs8nTQYwAEbzub7g64756ZBl8WoZnFn9
0wUWD9gnKe7JbmIIzbekUVXlTbP6WzSdlax3bBpqTH6PDD7/GXGFDK4YjMbvqVLggQAesW94Acw6gE
jvx/eG0mkvMPtE3zKFulbpdP520tpbd+//eotMHypKz3YdA1+rzPnbB5YS0toAxU1RmojqeN/p14Wl
2DmEPRHSOOTGL5jkJjRchTR/P5Fb1LYnz2PkqbUDK3G2s8ZM2qj0DNsaxhxHbHTot3O4kMPYHAwYtJ
JtflQK8+fJD+7tkdyBD9L4Sl4v3+cMxYQvbRlJuEbH55SWycNly4PAJ3Ev8mm7uRQIxPe3mhDah4b3
KE22BDPJ7k7VBbXNo+CE/VbxIvc4lC4UoTSKAd78dVseEdDANBEWQymxkpOOom/p8YHc7uVTG41JHT
f3oOguR44Egcw0Xk2DNC4unAM6mSpY05IwULs43F2I6KnsW/h70vptHHOfdFf4ao7eRpKV6wuq9+Zs
Cq/EoRjhOJalQD2J5SP+PtnKiGo6DkIq4ZFstmRJauvOzF9cXBRsGi/M+eriFGjJ7ya739cX7dM0s8
0O+hU4tcT949AtHH2lJ0h4FQ50YHatTJ2LnLrAMKFkES210xwzxDH6uXCTekrepRBX5zFvWmGI/yL2
5icfrTfB3Sq1+8KfKG8s6ixJfYhvBc6EFywZJo/LKjWLeZcQtqIUfISkerwB3va64j6tUXoC3jKam3
b2XmF5E2ZmuQTBl78MvipgzQYqRqxtzH07OsUODpolM9FMjcJLFgAD1sKzBOASjsMZzcMbpm0o/xYo
9wuyw9s0l1f5I4+F3EQGdsVCA+rauOTkGDg28Y5ca2RBJAUW5FrKo+auwCAR4F4hErHxX9Eaoe0l2e
8GxfM41hu9e19xVUbA8vDjM8o7BIHeBuSoulKKPC2+45PyGscSaSw8i6ssDad6QC5jG1V8vivhvDLW
7/fBeA+uAYnDmkT8ip2QlEhv0M4Wxiw3SR5jKmvhD9BM5ssI5viaQPlb1FIjdgQsaVk0Cr08HR4PSX
HiG32oF8g74/HMIrr/GJCdilaTCH0wEe0vSC94ut2ucqTcxeEXE67O1OwwJbogEnFXfSFGJh65B6sZ
FDFgv5Vvzon2K7tRmXn/F0FhLm1TvEVR+X9luSLpWMvihksTeIMjySX7KeoO3rWo5K11vACeDz02l3
qEdfCrrjpTEKpzh9Wx8g+h7kUCsNznRBWlikX03/GOi9wV4OdWqeYq+q57OiunvaBCA2p3bWIQacFK
v4TAIt8Y5YaqR7he2S8MV/pcCpo6r2B1ngp2c9LmVyNoatJ24XSb8Du2UT/zx4cG6ze8r0Dsb0Ny4T
5jPfK3MDZjUNMUmyIsUvVkGnoXTVZWry/7wHuwJjseUMPH6XNuyfYn3hYBUbHoNJuZisr8/sYzdYZN
eYrp9SViZRMspfxL3fAqWLd2nU0q0HeKkaXj80dfAdLTmExveOLDVLmTG48TdcDETszpnlKMROK1Qn
wsHizfsffH7gDi7ovDyQaKRJ4QppQFf3IhG2H4e64+wzhC7zGQNEDK4CQdjj9Zx2bQLZ/pZZaE5Oou
Q5nqO0qASOEKAsHM3hEefb1mz6jupeNXKpoUkEJbSw7eNlx4OwKvU67HVd8cH1qpKSZ1ZJLR+VC87I
el10WuDZc07jhL7GwvDO/isL5V/ZAlYbIVXfg7aZdwkGSvSNVbj3HjdtuzqjChGcsowthI1nvqlQk4
NUO3C/T5FQ+pdsSwz0rj7luu7RfAoAvRrXnk0wUNDaUonNy2OIRe4q1uank1T+xn0sfxoyH6DikOi+
wa1L6svd7XDKt6f5FNIl3CZ9A0i1hqSijeowcnIXHPwbIJLqq4XEj+oXr4aFfi2geETikK3x4smgsS
rgFdym+FwbcnRhdBrO06hSWXroWYOAfAQQo49B091IXnnYjjBOclQfxnp2kRyblFMsChslMFuHorK1
H3zya8sE/ej2VhiV4yprDkKgOKU4g7fGeXRcN2QIB99KQ8WuhFUmVzrUiGuZavzD/6w4wD1vPfP33t
AUt7hCtw9HT7ZOrEKsrKpwNj41xWkLcqpOE6YQ35na2STLQ8tYLzJpXcV1JlkUhQT3HXWxJjvScw+j
s79/BF6mxeKQYAz63GVY95IvDMo+Y/XXIYVNUliLl64AjMSLh2pS3d7raqwmpqfEH82pj4Dd7i92W+
Z4YuvcWRQRdDG+UqZLYmfHXhiue84Qte8UqPEKIF4QNSlXV2KmbB76o1UGVDpSyK7ngU+64cTaoD97
1pEuUDIHa4IAQ2dLG51+tmQURbhQZwPftf1syiI7nn1J1KZMx+3OCeTz973XPAIdNdyv9lb8ueHtSI
7WIwCfbVxCRMwPLqkGzundiy98s5SPE8DniH3XQrg27+nUwrLKTtIPSyZ8VtApLjXWrlIBOAtltJYc
cyMRj1RgqEDtsBP44D9IljwQXzFaat+GWakqNMtK75wArw7VhLbPEiUUzKDbDAfjux95TKjTXT6Gb9
xC4xFIpukkC0bDs7bvRsusicrqaD9sVQjN/ypLqRJwTS6hZk/U824fd9ab2hLPIll0NSeH0lPXOTOx
QeK5kcRahNmA2MxrsYtY06HcfS3iwpp6FtnhuBqRS21QbzbOQd9wwIy+Q84RR0ShfAkThb846MvCnB
McUtxWOAwvkX54MrwA6eHmWlJ6v7r2+qlCa6I4CHARmWA18+68nbMzfjOj1dXYN0nQvhTuFXi2WpNe
77tsRfW/edIi4dMfDp4SWA4IvpsVLRhcYQCYPTmW1+JVJO6puZkkvpFmETNg7jSw/OY50oRFfOo24p
0ZsVIhcYhVQ8ZVT2fWWacaBNNRvBTZJ7l2eTVE4rGRrGtUnxY0XH/fA+mz33AB8qmNWKLE/rm/Z6C+
7AQkGzWbR61Kg9i/OFnTNqy5iWh+2/fk4a3XfCVxz1WeRhdWi8xgJPF/5N4I2ciwjqcpNxz+5qceOS
p0RNd+GzZ0iUtmyFb25I5BTtpPp8APbygkteJx4qWaWUQrU9aw1pUpXSz6jmxkN2IDE0ElDOneYrdj
VoxssnVSvgswtx9Gp1WEGWq6otZArudorHLg0IhEOsIE/nIpofWhdBZiY1Pb8NY5vcT5104zgV+3kW
aqJ4zDW6U4FUsgxrqZlwDJ/xmsOZazW+qqmi/RzpsZQOSFB0rM2X9e6QTT+nPSw9cPI26AXt9HdmEV
Hg3ygrh9RDbwF2YY4u4pS54pRpv9TPGFYASM93+w1D827vT428oMJGURHCYipUwTRyaPDTD1sHfTR0
/oBszZGnwnLbXgOVe0vbGRwVL98br1X9H8pe8q8Fqz3E2Zy3r6V9dNQl3oY664lOfRFs3cR0WXiKDa
dkDycdQ7L8c39FHcgVLONyYBRWDUGOGnWEbOX+IKaC2GACtTM9JvvPN6QqQ6Dgrny2YN+UnNMNb4vA
9wn2vPMxMcJMjHe6EnUd8EtEqYGcvzcfIpCXJzgP5jpR3Y2F3GEwSOZECOVzyi7SHmlUNAyhR42vAG
QWXtNleKHpDS05lRmRPqgFLUiBxLuLcIlRQG0uWOKCOYG1kW937YpudCOCS+aMgpyHqBBq4imZ0LIz
JDTPgeP5zcEsAc6qUa95wnU3C69zt3jC+SDRyCFpEmFBHCH/xQFp9R5JzWiTmiCIJJF8iyvAfNXo89
EIOl5JtXAQUy7JSdKRq5DFXa9Qj1srN1SWYxkipW6QgmsALYANfYSFmoBsdBOzCt3Qqw35pH9cdOBZ
T5ZD81RwVp3AsEESxmOcQxOw2YeFFLSvzluoLsmDF5UbTzhgLCOfi50Cygh3st0FYJrAeZGZKiF17T
lsqsMZO/8CS7j+0DlAV2eyaF3bkEUohqcK/sUgx6vL6ay0cCDT+ujq+g8BVhr46TsYxZ24964edbA0
2BmgYR0hZEMKpFFcveKySHZ9FhkVf84XzRiuxBCvJC5kk9HYQwxjW+H12LHzWlw/4CGx4I/zNKI4FD
YJIXlodjua1X1OaZ51RST4jg53EBaMmaFcYXQluSEK2/1qIt2DIgkOLM6AQtK0ra0vGyKR+WBYtYG6
boMyrsLG8G0nAmZCUtJKIv9Pce4Z5rKoUKtiBzybTKcFldBMAIXe2k9cqGOJe+6bhkxzejRRd4gBnz
JhpZSrIdSLf+bR7OjwItn7mZWOzJbp0lendIqRmHAef38iRSZcvlvPk8ED1jDBON9Xs03G2w2+nvcs
f6AIUsXThy0SH5E5kQ3VawP+UKAnI1znwt7s/1sgExgpuHrGqBs6K81YKCGn4miigCCBsYV2kdSTSP
ySmvkTKYB+kjcnm8aBRgB0bvkvJRLK1fIs0lfoYkAk37xuw9tGLAo48L0wsPYJHF/kiInVCJsj9iCL
MpbtIPPdVbCZ3UVuOGc8oN+9EM2yXVHL3fb5Oa7yfUNDo8BaaLy5v68CCVCPnaZJkxW9nYvYe3MKSw
BhuTyTon/AJbS2xVcafwVbYGVmfntVSZWCU3gp0ti54HuNtmFH+y/Vpb/51LMBwrNqH+u9EE0G9n1u
lFhHJvA8j+I+cnRQhuwlP588W4hLmrUIRMOVcvwg2cV0ZtKTAdCKhCtV4Qi8KlEh5w9p69RhT48Noh
SExed74vXld37d4AhyLdo4puzxKfVeAf+YcUjg0xH+UaFMPju76mwPfnkN+MvPqGy/zNUvjb3I0HQL
ev861QiBMkTxrAlyoc6yRJI/1NBFTUEatBuy5GIYB9bczMA7zjQ/sQuoFng4Augltr81TzIT7IuUhq
BGj0zW+bdAAgJFASqL9VIuIP3z7l0IaRECjhhROy6vurXtHSROnfogx6xphw+qn6jlhm8soNFNreW8
HBbGWcY5mpcizNTjeJxe4Z3UyislM8OUtSSVCXcboHp4xDdz/hWlpTkjRlYkL+wG7f+QGMMXwTDMpu
//knx7IyUgbSNTyTIwgbjwg8E0gXjZYyyw0LF9IucF8AXP1fFdeT/8Avqer7uBlRiUjP1vLlrE2Fao
auoiqXGVcBRZCgskbjrm2pqC2x9FZ9bL8PHkRnYQMlY0U5O/UQKqL8DNKGBsuGnzYdAMmFicoUn7vs
6gF8T3VKxPqH/c+floqOiG1Hp4gIr2VOWAzzD5qeqLkjkHN9YvPvXewEVA9QgXozEU7iZF4tP9j4ZF
BogCaXq0lODF2FDGF3puwlhBS02W5mOweKq5aJIhS0ptsPTHvE5e56LlPm1jWpOPUzsLJqZWtfHrSI
MwYa+XgowRbhLEwS9HOmIfoZ8Rv6NOMfCC6KBdLo7GZ4jE+eF1YMJF1y27N7suY9SWZASaW7U4Ca84
gYP74Vx96+OKc9jMojKF5gKAietUjlwGWM5DTzxBVYhYQmCP4tH+DBoC2HNLppk5rzbW5CPRXNFekf
KT9x1Igbz6a9o7lYv73S12ht1KCVPwawz4I8ylg037cGStoRuPS/jI81b+wZMfpNe50coveVoab7vl
wX0uiDju2WZ481M7ZqDWl1QW/V04cPv9fwS7NQdqt5HNg29ZJXUdvaHI/5zVNMisgB4Qz4wgP8vjst
/zepRgosf71WztjuGxGP6hqkD+qCN9k4akGD7daiiJr2D52/G26Ncgs9xqEOklde8/s+TlSRGL5Vyo
7WM+OkyfFGKLP3kID75021Ql5VvoPna7k2spP/2TzJ2AuR6A+s/gC7C9Jzgjn4XyPIggOOpG+vs6cw
SQHB9b0SprtKCN57ef6P4wic29upbr6DlJK1F3yrbielwpdcvQHPj2avDGiN7tv1taOUsLuMi7WxJP
yIzYjLduiG9sPW2AEv4jJCLEAWI3rchmXgh2LmA5YK0UVMTyV0kyGiqNCV/hYzBRfQSnZEQzI5qt1j
JhTFhwgwHMvmVOoOI1jJJveA5QG3rtKfHcjvl/YVkb8SdIvRwGh+X4C+EZmozP2/8FbUTbhdgQJOM0
C+Ij5CuJG1wCF1jbI3kHW7KLb0EolvlGliL247rRdtnG4ihFLQ0hIbuVAjD2xehngZinKW3eT9vmUD
H2Vgg0PcTyyztkgarzjeSmJVF/cNqVWEd97x1j+ShyvjerXZc8gp+1AG4wNp83PXiStWbaL+Vofx1L
APlHGOcMwcAY860e5DOMTYqEgLCaMK103eUu637ZlYSH+7whRJCf9DoQ71zMLAnbCWHl4svp5VLXN5
lyJBsjIYS21I3R4wiJakEm015dgMm4J2fJq3S2Mit0XYoplgQafDOUUSHpynOOOAz5iuWKE2/9NbSO
Dt/ZWhrxwODEZ1A356ulSrrOgs7riANCrD35LD9H6n3bn3Wgrm0up8SczNVW/7etTq64w7A3KaqXiJ
tAbdfBPeeI5gGMT4V7cJs6jALgDOwNp1p8Dbe2FgSE2DHUpy3/uJxYiYxU19c5Q0MZNFT7A+f55b/S
oh1uvafCji1+rDvSCTL6PIUXpeMVTzbMT43Yh/IL33N1TyD6/JDp0s5+OMkxjczoi5doJrkW59npxP
HHTYN1HR7Xu0PvyhSSTcIhARONgdsq+txs1AvQJL5SQduyg8ONWOojI2sa5ugL/Vob/wXL2N7QA1l9
9t5oFcFPBEUD7nW7ynPWwLj5Z3KnpcS0RPlHRWX0KX70Hg+poIqoCSdSYpEKDVB6cPW9/0Vwl+PojP
gKLRHBIYVSooToRzEoWSihq0Km4ycFX7wR7pqo0KmVqUiDkm+JyulK8VwpkqaHyniuNxAvUvmAE7E0
Va+U+Pi+NnIUf5M8xsr11SRrmzsPbKKfvvM5U4hhqbBcnXlDbBcWThPCmtgPP6HMbtAyV+cRa8JbDc
LwQHRQMEPr7ev1pw2JPG7B6rn9nrdlGdfF5APIihjN246vJGLk7QqMsaQhk5oJWsq02//Ukq+7Rzmd
H7/CPrNFwXwA3fqV7VgnQRVLv0/iI0QXYmcG+UEGb8wogtTDuvMnwYTPx6Bbai8vEwBZejpLt5uORs
8MTYJ2p2REobpv10a91sc+vTDVRWfWGeHy+HWJ/QK0q2OYVci6tsdDw/TxZ/uaeSL3b2x99i+hZjT7
m5Miez9qSyel+BRFPwXaDxpScb8sukCzW49EvYP2jelxr0mPaaxUgfHxQwxf29sXoLcGsbyIQJJgDT
uea8lpixI2spGDmMIzCOQ98cdMy2Y0GqO/XXke8sbKbOMikZDQ94/JtbuxOLPVf+WVfXLVppVQJ7qP
OOA+jlgqTfQ+NvftO9TAt4MqmxwHAa9/9KTxaL4raEMUKSHDJwcse7IGcjPnDOyjq23nu75qZvW2PL
g45nszQwIE4uXwyFLwPQpdR/C5emwxGTQJgD40ZCR7PpDSZ3GpZJrHN8nX7Cedg6vPsYkoGoteH90q
amZRxidNbRCtkCrvCW7LAeup/qbDdJvi2XjjmdiM8ANLrHkRNw8OFZEfnWN9fJNLu4I9JurScpiqGy
KLznVQdz9R2sI11Cd/ppdwm7UpJUBJAKilPF+/ASUZ/f90/F/cqCYpb0uvjXedWyll/ypex4W+wIOJ
RYVB0Z1qY7Kcymry2YPFyRyzEb/4tKkRg3BiFziUMA6XuLAVhQwtXeUuZICmjr2MJu13J1hL53d5NO
kh3tUNlemJWN/bxDB3WuApNMU9N3Z4DALF2uIsE+TATrB7EY9MIoK3+UmzKX2Bns5Ntb+AYDgnCNJY
hj2RUDNeR39XpE3iHoKaZf97L+N/fX+2Lw1kpDp0XjIn+erI7s+HmHjdff6hhX+Kjm37kjhaf5KM4X
TtMTfnp8iQGMyhU8WvL2sVwNTFp06UI2cdCyQ5Qpy34mqh8G+Oq2D5u6fY3FFdj/2B7wxGYHm/aE98
48OflqnY5wcK3uUUJ17WnT7c9Wf5OhID4EXbb+Htn+NBwVLhWHg3uRSPXyVw/aOBTLjKJJ/SfAwQpf
M9+bq5a3SPgnYhN0JzgyO39xOYYUBAJCPo+9PaR6cMLhY8/A6vdRjJ0Pc8kyakR+bvJbN/Fxifqefw
fpfSEI+S9xkWY2u7PG0Zq5PscYHym6KEkCCPFNAmG9pcGJ/ZSZbu/Z4ZP1hIJZLyfHdPHNF1I0rSOE
6MyVqgVVBJf8ARg6B1evKwOw6eu6l4jusczQjmHhzcYFDXVaTEKJyBU/6MXI2Uy9cJVdMH4d+j/P5G
tI9t22iLpgjqGY09VYN+4577JcCQJukoITWZmOLjVzY3ce/wXYQV/+KeD4eibMj5vWh67472bBHm6X
JTpWxD+4UgTJRl//7mZYVE8CrQ5QcKWYlMOA4+6ls52MBHIJCQNhJT9EsJlmlKD1CBmphlfP6T9TkD
A7oFQXRj6r9nBK0kYEyWoxbqdd5sZDhMEN0tZO9l3P/XX0FraLCPJCNbwPG4Cp0+S1QTS89d77HV7N
FAonEwIU01Zw5r/pKXwBX+n8teut+/EevbgfNa41pKr6HslEij5zyYRFnrOt11YaZEVRiXjH61SSh+
U2rX7SFUX1hkqWhri5xgnfJ0Tqd96HOPNXqSPG03GfVrO2ZJCq67BCbEkaiPKcxfdWxjIMRGaRdSrw
IhFWDMUR3JkAtoRbpL9wIf2POoejgWBXw51JR0iES4GIY5tPTuF0jo5lFYzV83A3CSRit9ZFoV3/wS
9XBwkukJ0peUopjAYMw2hE+AY43rKP3N4OWpaOYIUaKChGt4gg4OcSHf/nM55EA0k4azpyPH5uTQ6j
3CpPgjCz/LlnCuMnNF96pJhipqZHmfflbeitJHx20dAnMA0h1QXZUSHdmi7hc1zcWNZg745QdMlBYN
nB2FK4tyu7VwDuGes6pH1d1dZzJ6+phINZhlSIc3nma99aZqBmcy0qX5VNc8/g5raPa9aMgioba3un
p4vNZX9aaxCpQAJZd8CMo/5ntyHKgESSWg1DcL2vZOV3EFMs7Qt6r7Up4G7OLcTRXiuIAdLy5zwv4b
A9hXbsPx3NIZI7kaWWYTdUaRRnjHFmmaSnA/TcjgDBvGx+1vjknyvbEvdn0q1pMXml9L6l1olZ1A8P
rwgARyfBom08GjpesD9LpdZ+cr1aF6A0juSq5R/N9PlOPVg4AiQyd+NwFcVFDm/Q3avhCge2skkHNY
hoFeTgN+ZqA2+80yz4ByaD0nTLVAFaHuVBw8h8yMY34cR83CZToInOIJfVDYXpXd2R8TdX23vRtppV
ME3pR2kFXIApTb9MZQiuv/Et3oFHsfFS5r0whAgg9CkJnpqQ0Tvm4pZWVXVHnh1B303xKd/vX0BK13
jEP6j3Fk9TRyHMli1oBlAqfLJVp8lb/PWIW7PthJYSlyJVu6rAyIeFT/37tU3JVviWlBtqVSrTa0Ee
uvazGvrMQcuwNORWSONDukQnJNjJfM9ynABdT/jsC28+fwqA2MD5nr14Icc+JBCdJgdxPA/FfVCgPv
BdBI3pkiOMnp/L/2denpkj2IRyczRi09B3CmsM/lecsF8EFMyfVfbtVhX6n18tVqpH6Lz7TEBYd34h
gGFuOlFL2j/YwRiOE/mN3fQ+t7qGW3T5L3cpsaL/500JwnaOPcZchrIuWjvNTaRR0fk3/mM1CLE1Pn
jugtZStJZRlLxr7B0vxrqBj2ZWS5NqjD37eWoHudIK8DV8llHjvZK1i5kx0LsNt71ON3DlUccc085d
PciQzLLrRMwBP4CdvHoODp+RUVeZyI+PfDH4bpdM3xz+VfpFLshmM2H7CJeFi7XDlvgIs0IXIdWpZd
BvxUQkAJSZCzHFp5zcI1uEbSZRi1qtHGMj/S2wwxIXyN1LhgrUyMCTMot6VLwe5SQcmG/ISRxGT7X4
MFLhu+aUeNE+N7d/FO0VjwcVbbHbEAHUw5NldNGECdkik4Ka1TkJZiVmql/dq09FY5prCWpa769uhq
f8D2c9Xf+pG5tR/rk5MFNl6T/ag6l1RgwGmr+5pZQ4VHMIwIfDnmBJDI9EdLRc+kS79G8fCEx0+4BU
/k/F4dga1lx4GSgYpSmrBqT6k38NzRH199ui8J3iWN1U5gOKaCC4VvyKBLO9q5yk9yCIcVMeWwAIB7
y/ze7nvgKep0GhS8eolug8YhxH61clxNTjqSRVBUYxj3OiFM06UVaw7xh4xvM5qPrrEjqv6fUJNI3v
2AA/tLcHXJB2bV4N6DqmHG7yY8Wkf8fC1T6QaoQdMqrulnj2KDbNaRqJTG9P4rtnqHgVBCTz17Bz7F
H9ePj81FB9bXuoZJlK8fLx3fQF5T7iErm0tNQ5PCE713Fi82PSk/O5B6fkGKUSNRxPHOwb9wnWL1wZ
jk68X8K2zBS2ZN7GwpzTMuzyl2adDWWF7swG72q2XuJ97LjozXpNubMVmOdIQdbNlP0KWs7oZyUDIc
VPsMObls6J2xiw1Ria0ELMux2fMNmDCB19rY8cGJNBLSNaNbq0rwv2bQARw3jUOTmj6YgmT3cF3uY7
Gx1AF9/4mIfoqR/v1SLlfL8etcyqE/wpCTewwnIvDmnNUCSkgwG//I66p/qvFEcougziVcbcAvaUw/
rOEiY5j5EnWfIVjRAYqL56eg9g6AjMgKCBUW0Vv4jxNqsGt4RaSUnq237ylF1J1o2xegmwPOO6pSUI
cvnYWKBxC54ZOSCVPV7o0s38c96aEe9omiNKvz7WVhEkT4wuR8Vh8o9w7Pn2yhLarGs26eqDKlIHJy
pRIAVVSApOikuAAg+N2SJS5jwoVqJBXsWKH4V5oj2RDwW0LvP6+fhVIqQNQLcGXXtvoQCc/dZthnF2
T1d6geDNkXsk40UnwjAGq0UWSI77OQbI7gS6sbRqXIQmCOjhhSDO6aLFokf+dWH4XzBVnvD3qBCXEX
RpfbHw+zRecgpJehv1mX6xCLyEj4p3rjzqw0cOEB1zt/7J87b0Q19WaSLhiwHjFFpojiBcSJSVA1hJ
4axqwUKCAx/D/+aTleAW+1XdOqsZ0JVdSU1izEAtgv44y9RlVLexz/hfaMchEka/EQ0Gu20GHHl9qd
dbkdsgmnOOERtD8PKb0nJO6nfYh7326uM5KvZpkif1MdCIvGh+eymwK5WhzKEKnegS4m90Jijmd0OA
HQWyPGYc7FrWUjlKkXATMhwXsbwUa+iqfVvGgcAhxE4tI/PqsTlDRDzbG1pu3m+6fU3nmJ6HJqWTw4
irtLgSMFm9TS0nMIjbLEolKCa5NTKWG0DZdj6n1PS7nnDV0CPTXxB9jBSBTKHzt+T12V6R1aADokIm
nM7ezlAAH4hAGAkAg2J+FYscRn+wIAAAAABFla

|=[ EOF ]=---------------------------------------------------------------=|