ࡱ>  HABCDEFGz`!N$E ՒR›ۤ!LxJ[8mKxZolE]ٻ^i!IORDKJ6m)_-P_k m`L$$T>(9@T4фo&$Մ4  uw={w73y3M&yGLd9Xs&脻>* QPgGy+Z VyjḰO!e)܅VѼ-ѼDI#yDw)&W|Ps%!i8V㋾Ǐ+,NO/!0 +ݺ= b)R 2\ bGa64cJ+Ei$sι+-g3lR9Ffy[hӟ\آnB7e3QYD32ZP%{SѾ>1ڼԑUa];ֳҭG6EN p_a{ϏV6=X} pgU;3ngw@8T5gnN#`vXo[}f̭TA_v2@^D,,dfΚnF_ә/P'f|gdp L(u bfjY)3.lbV2-@p@5cdo "D83@μմ揿l8TRsAD;U t^ CҟU=.b>"}g VxHvǺ3bdn "wQ>q1x P-< `' S;J Afƨ83g-r#$ֺt8 FVʠ/̜ʄT 63uX㚘c}IUݵ%*g?|vG/#{4n>f]nFt1iNK0Z_> -tx>k}Xl86gY,Q9/)~^Uw=쾉~Gr:gw.gOZSi{3w\q޷f;~W9g[o>Dn;޷lj[n4ux1p'dsϷ9z"݈o>mm2߷ixevUٽgdۜžYzeR4tG_}4-inB&4܄;JU5s-knYtпȜk֬ח51Ʒw۰mgfލ_>޾-sW]M:\ߓx)Y>gv/NM1W>H>q}v{96L8s[𭞭xxyq:c~tl?LvOnntc׫e;+"wn[vSzYe7ᔛgOoY}-)*#էD0%5jڙl.hFGK%tጱkd M_ڟjg{vO7,p"ɭ_ח51Ʒw۰mgfލ_>޾;/WB]M:㝋փ|>};;6>^}:D.Y.1ZE mAk[MDDfsÆǯ0rb޲6(];mm銖ﳳX\T_ZRޚs!n>ND|>gf'NY8)GGo˕;w&Kˇ_5xl3^86NwNǯ-k4HDi,۷m畺eN[|u~SMyf|o/L6Pm6`ގOv 3]=< 8j{ s/Ef)oGF5Ƹ*1] +Ek"4|iL%NSѯ%,i?"ERĚ;8Mg_mslUz57wѢxo3 hbWRК1{) v_ٟݻM-ۖ>,תӵqoԉ͟yhݴ廝RcsW`]b஽*񥤦U}K6G9ӚHGڟTz_?ܾuubV5X-=s:S󾆜"-KOο>IpǟϙݒSMm|F[)}/fl4^Ab);Sx7yz"݈o`a+X=kNe(VDDD4((7×7?'|8{=Ow'kkǯH{kWoş]1kQWRCGc7`m[x֛/+׼z|n9x׹>ϻb;1 jr~#>Z/&hኞ;{#>O_?ݾ{kF1'<4}ᤤ9/>kȹ~ׅ"mݷڟ?DxZuO^{%)6z[<ޯbbz PRm. (z!O _#d}{?kg5كj YD0 {_ 1:>\G'K{Hӓq2HL(U4a_؟_/; N- ޓH&J5Gm٥f܈cvhQftxraÚ:COzg\|&o=kvItc~Yߖ^˷у[{y Tq.[~]b>iN t潯ޏ<&vWYKU9SUXw<.o~nWv-XSsEqm#nV$/1̴[[ljSV'fU33t:93~5^4gL^z76. #d}L{ VH"QD *44*5<gsk{H~1v6?f}^彆mKfq`ETh5M_ߊpngc[ER-i} >=>Hz;^S^;LwxGt\~hl}\_zs~G\UY=o}9oZGr>;m7^hc_^Dra֔I?zn9' G{=/)hO4K۸7<*ܛMJm6]ů:f{Vq+ȍ!XָdcL6iȔ`ԗ]Zfx-S]lӒL*EyKꥰrI.-gIgZ{}w/pk|Ӌ$_m>c~;Qed~uKE'G)4ٞ1őPW$V+N0Z^\i l6͒KY9Y9Y/Jmi/Աct Ɗ EwpL#]GRj)UT.&~?g~0ٻW_ӇOFɣ^Lbn÷ɚ{86kx}o41-ܮ\9q+|9#s>7{t}-nDcڟTk>]u2ehċଽ"K)zi{m %?J.5vLǽki#ŋlӵ>YŕSpyY"ii񇳏u) ^5Aw55M-̻ KbRF9C(MğC- xnSA*=j5˾]wtuݪ6=˚3~˴Nn͚m->?m~ެk=Xѓ,:%0+RX_yǻGƞ)yF4γ{sMc|3r)_\<#<)oEž6Hife{SڭF4ٙ0ICj)M(oI#W;y f8dx:_b}N m޼x}[mȷVӻ?f?n~{56܌ٮ zkNOH3M=ͼ=~n<j}QxnU 0瞞2{iƾyYs[O4iy~ov+w|ۯtkĵv<u]H u+tSټxX+gV.I=LfJ>F ⨂k5wߏeXx7w8G4lhoqD&ġ\dJb8bLziS87ػx9^ %]2&dEYVuoj]n.\Y1aԊe"fL6ΌYz~?x~<[6.瓍y׸sCm̲ܗ}Nc[,TwU̽uc8o{Z7'ixO[꼧\s p۔n9Dw'BדԻ{ǂҘwW92Ubm>Go=ɊG}w+#p9rx/Wx\:Wnƶz(^V5rU.Mz#/.꫏HJK4% E3h&SSQKV+n}̳wn=5Q.5)xtۑsv~ymn~{%vܜٮ w8 Ӭb'7ثVmmF9oZx>|+5=mxeo:TQ_o3NO5>jKݬkVǛOLg~|۶uAyrPMƹo3O)aL:kyv>hbّ+>O]\Ty|CM[xcߴσwYuX;|ѧM2ŅS|L1m=%֧mEb|=>Ӓb?g:PI.#+C˛MYdК,J41e41eF3 UhaJ56DфdJ *8} j<պoܶˏyr_uvA2,A eg\16]#MA*ua=mvlŸ ܵ:uSO65iOϞ=*,'W[EC&aЈ*1ޑ^p:18k0˾k|o<8 r-Tki"YP%Jd?4~?e~,jšYd"mmhk33-yұ3=FެxY 5iבf\|o=ӛ1cϧ߶^6B.qxa7=#ܤχCc_N!۽ٸVotsO =uۜc>WUs[_yO[ڽnK*N+dk]~d],FWOkFeچTmVN/ͯuc^ ^=a9i%2>z^w;rsL]8. XkҌt 0~Dh!!fpV S7`}vǖa ?[XE|2w.&^?qV"k[կX}A x#ۣ#Ei>^7qɗ4v]Zݿԏ3ެi}1ʳ{:J^+s9;cuFWv~mVODZ»j߷Kۦdt݋b~o7n>[Zx~ӵmux{wS˶R<}>{Ki>$KD;4T@o?H6ۿQ %P2FbUhaJ3WC\dJ456D\dKW { =qŻ}5Q%>yVDId1 it$цhֽxah͘x e-R~WQ:v_> zj؎jdKdJF,;͔F9C*3WML^Q_Ivis HD ICdC Z+*ꂏاo'/v]Ժlq}y4/z5G}++iF-}'m[U|D15J(zo9ew6Flؤz;s]>]o'&1oNMCf?><>>1GF,s?z5t)_Ö.Gmfqn'٧?ѧ h {z8W<Ƈ?DNIHb L1_RhGBLyip4ۋjj/55:͡4t-{=}r෦<;VZ@EtMrԺ,B +}4YT0"*2]CSX͓v1^;rn5.-WF6kΘyұ3=V۪zDzK7~LͶ<]>ow?3{7F3f%% k~r7/Ը+~GսҞYTyW;~nfًuy^&k\"<{~R5˒V=~>~U5ˢ88/'g?3pD~G{۟'8wl:kL휭#doh?OvXcEc6,xu>t߲v{֙{^NVm:e>4$ S6H^.~%>ф aV;Xiɽy3=WCqZ[u$?ߨ%b"TuF2% 6DѮaJa%IEI8fXѿu<_L[O>-XY"*ʨL Fֶi˚:[ZuQB꺱Hٴt?^t賒oM\8%) MP5]X2Pٛ8WPËF2[15̵LH^kFlmclɒ5*JKr4̴ZYyQ59WxX?ty |Hd[ 9kɛ?z_ ߇m,J egek13lUj/*K*4bbIsU@T2,UhaJL6DѮa%saə|qϊSI;{\s:y:Q픰2;U%N=4esn#.MT,2d6ѸJ od}{o:k|uY?oM\..\Ŋa[*ב!NY3Waf7 2+Ip-[Q67C&Z af]9bisR۪ˬUͨzV5U:Dk.on{겷>hPt5s3'3c㒾]}K$eq_zty߾^s:)U`ּ;VGG<6W|cl̛?y>o[2 }s>pc\wd!<{܍>GoӖw;..N_Y\(;0aS ̳m<:yS(MW>]'ó'& R&/W] 2ۦeiҾ]ÏmZEyN| {ִNo6)JgoU8ѓY&ݏ‘>K/:8UU.e)%;b#rɒuߝ[ڙYeG';񼖎E  ;oZ[u$?ߨ%1T"TPb% YīWC\lK͓x^״|7};[H3[A3{rH*E[xOK尿VHs揲jsRL$g rD1_{'5q[㯢Yf5s#pKVԚ"h-{.e`vV͚Kgb%ҸZL%PfHk k4f꺯D6nhiE4UEÑ*`y4c{ֱ!+tMgo7FҨ^jTœmi%|]>^C⿎;?s>;fk:i_V'[Z[wX;~z̋$ ÓxLJ}O?ס_v%?#ͧ_Fmi*q_You?g[_s3fɽgϭ'ݕN_)#rNxd{1*Z|gɔQ[g^?>(Dxg_Fڻ;WBvۏm&h}W E<^ڶ~/Mۏe+yy/ӧt. @z~6|ljgf߆n)Z#" "t7~z۩ nFGLK` (Q$4Ie%J"^}S>s钳}ܶXNJ<7ӧRA Db͌oǧGٗU%J\56ô(QW:[㯢m#෦=v]u21൸4t*G1:ս_}hۦ4))ŖA/ %k-ʲ>lsL&WeMyMUMSv] 겞&uaGiebׇ@ [mTǞ#\Q^$#YVi#W/; $+&-9/6㒾Xw̞+ ^3sغgٕ%z-~ad϶"^/+z;VfC]t?v9>->#}%+ymzhţTqd,xuc>Z|kfc1b#cM3͹_v'_#r|1=U7LG:ǿ+1\/i՗Gcz>s˛DݙYs}2d,mh_cSjҾ;&rEGuSGyiy~>:džf}7+_\ÓNe9.ڼbg>f_hչV݁WT7'e6X)•|o%8ny ECq,$?ߨIsT "ISCPCF%.sR|>}+;\$|DIdF2bޖ'Z:%ؑJEX̶&\\b[6qjMHsr³Ɍ{c4~&κk?j=õrEOf0!Ba >VC*ՅV#نdkoe~弎+s=_*e<oc;<-+ᒾV(=$_y՘'KѬNP3Րό{ajwram>+}q4me.$"XlZeeކnue] X4}w3a=>ۏj<1Oط؇o'zu[ee?;tKp=c0Vi>knCpTU7Y37oY˰c޾z$I|SF "RWKoD&tX^Oi{;YT_} {׬xُ{> ϱ6&fTS mծG%Ҽo-g_Ms 1ᘏL_}]^9OSr=xvz[b{"\L(vK|jp,wφt _Cd,G- :ζ{;K}w'(:+oPZ%5S9}؟So^KߚOVrݾ7~gK?IuG~1Wa8^3oͫ/|Sտͱ+7&y1s9=#7MYvX1(OܯR0}?+NV%$uӑ`3iW-+nlƋ6uS‘}YiuWU T|]0Ҟb<kxfe:$z6|[;ڙYۊG';񼖖8ny J @ (@;oZe=Iw2>bbIsT  2c,Vc,ߣ \%UgRh\<ϻX)Db#XTFx6ЪtI.-37-H>YZ!.I+N+qQ*]ȭzԥiV4d|m=TYjV]{Z/Z"[ɊuqXKYYG.Q>zqΓ}6KWJcG8VW:d\fS< 'KFYijNL[8usQY+9FهA/2R,3ʵ$nT(Qgٽ~'_V1 <kϲx,Q#8-5,읱Eٜe7לVxέ[N˕MqOnfalu'S`inQS޴蛙Nm s_eǏ{>~1>;"WEw/įO^0Ns}9m*4^}s.}a`]N\4)OwƵ/v8Sje1~TUuSY>_N?ߧgsץZ8Tմy'Dncݽ'ìz=uWk6=OΚ}A31j0 GG_:u{4uNs}dGÓaN8jZ}x^MR~] pgǓnbxkoc]]z %ttEx9-Y1b< ߜWckExΌK[jڞojOxޱ,Œv/#'%e7Jy;q9/zGaMWd_8rpGn?\m:jͷ:2~->H{%#ɖb"V{ST[wceWO\7}!b`һ[9ƽ~[ݭ|>e~o{s^UA)Ū+m&?9N?S/4׿sLь1\'ie;^}%Ϸd޳%ϙ~'c3軛֏̯UJX\-MfR^+F?=w~.O+qLm[0"˭叴Κr Q֟#'[iH>ló\:jhtSmg. T_c׫jnů|-NrxRM}.{[OFWUkJ.R^CxDCɚ6ήT*g<v28˜b:5/W#guS?66[qHd|71P (@~'mL nFGLW.y$ *A(C1po\$E y}/y䟠"Ɇ2bE-br'9A_ʕ|_Uu=sΗck̪U"%;}}\[6߹cՋZ[YS{5&'jer#@,Vn yͲ>{͝w}z\_i}c?N(UX^#kn0ojE:TFS xrI+ca'C8'e=Q5]Gu5zWWl^UvY#X"#VH!5$֒JK֦ȅza`Y'pZK}s+^[oN,Wr<})vWkgɈlk;ac1_Y|/&q oXj#y&΢x+nKԗD)^OlE86Th>fq웖ds'=x^kr)>GWj>1= :~:kwu{z}.{rS)czyyXj2ɜypi=8rBTsxξs\'[U}v7#5V^ũ{K1IOE?hq;_37{M>6KX&z:$P#}|6j٨;0OֲLoG u?6↓e>d6dy+TWSBfW_C߾-~cW-ESyg:6|s1p*ut'k 3kk>S޵vo6VRTBL9|TK;_|Z==P.g.kn'sWco6/GyIx# |ܷ>/-G8Ӿ{ԗ3}~ky[Yw#ì>g?}/^G138}Y | mF4_n^VΊxRSQ>}S >=$S#_MH^k\WyVD҄\BZPGI3[cXd;Ffƈ6+nnKY MW-}.|>5?:;t#3,FTjJ5r%u?H-KYxc#m~e;qWC0Y~U_o>juw:aJv}͚4pD&/WY L&Z~XjgS!į1!a0۬0fdM-B1͛b†z2d4Ilj,& 2K(c}$fhg2Ehg[#?Ѹ~ aΒOZ8q,3ijǪ^~T4g->Vm^?GɠѶ7K^}*s_.y>rVCMf瑆]~/J3m#.W3$uM#O]|2u.8믝]`ԫ=g4lmxS>mӂ'}k%xZcw[;Տa ϼ<7UYk )jY~8{/etgw~S˹M= ޅ2]/x]Ly_cTQo__J~6Q_Yclsu~Y:~7zp}elM&:>)ѻ ph[U|nك7c՜6ninϱY%Qc{/hem[qrt)>} =Y_vKܗBZxM=:>V} -}}ymz\=YSa뭼֛}O{P쌵ܡUOɹ#M_֙+{{+f|݊JS˯^38k?oYx}Zf ??gi?z|?Is? vp,l}3{ٷ~Q3b?yIoU֫ׯfqζsk>ZYؙ#c'sW$m'HkfxvﱳZ~Z~5яh9ԯy?ѿ4;ec .;*ZRFQ6?coboefamG.7yR3ʷO෱ٿko/?M62a~q_XaqN>HnUiX[Z3,1hKy%o{oaK(m,ĜTTZ2VzqV7R%׺*>5׺|$V7R#^ܖTI|SFL)F mF+:,D?cM_/cۯuʿrOcM_/;u*>5׺|%Yֵ&.e89+f0#=?$yYm'm5nףֺxٌ1W <)o9KtQ]-T$:alw}_n[OPnOᷱ][IpiP1Ok8;G'[>F9Tɒy?ԧC(G'[>v69|L'cJY#O70K1_%먴cU]_*}\Q-}n^d<8s_9q#\O~GCbokR߿NѽzutD?Sg|얤gk85*+$iԛُnv7 Իs׊KSxZm 6'Kזl?௱nvKg.fgg5ZNJL׫onqNEtsu]=MQmd5ӵ.]eӵٍtDz?RU~w'|můC}sd/⣤97QOY5LR_1dzlzc9x46Wmg{5}gv=*1Re)JrΏ;ZϹkQ GNO$V=L5ūՂ~Sdl6•91g6<= aR8V#5|rȥ 4F:): DBelѓ0P:%GCj쏪ďbsBϟxBGs1dFj54H P@P"@|m~y@~Ϳ R8/G9/䴱.yH J NO2SNw2>bbIsUB*BRIe1p_OGyi>-yt|cdeTYhK\=KZk6KSrW>z}f(ZxyvvB.#OCa'tW8 =2>x;B!UVUTW֏|&LO,p>+>+se{Kc+~;U]cx_Iٻ.yXp;ͫ6Deh%UL4ٚ$ф3b%3rC-W.&[0Z"+6FFJYD(m>~~K v#bXP* i S@  B ֤eMR~t"i23u,)zX?"&_;$}]8Tx,n޷XR\:C8f,R6ytGr^FM!o/B孙cnC g^hD{)q%JIpUL\cȾcvs2(ܫ=7dTgS%"e0s[NGR'i#%ےUB1R.)뮰o܊kuǟ_anu/Z^VS2.]E$oue]<ܫ/89v2|/e߇ΤsKVQ?cVdvzT=>ٮ-5M=+Œo4]_#^kš'eνCJ~Y:w%}˪>d/:w%72;׷cȪN.][V31T\>?;IWrY#-c:Lg$3eo7 `rsz >ok,9~|?S,d^3/Z?J% _$B9'[O9*wf=ӍsˊY4 g8iSfJv{?=MtQm~ ӏz'l[&c}N OOMtentL"e^y؍{Ν|N&nk?;?M(O"Q׽Dߥ?OwTW6]tQGGfrk¯r{^8~if^|vKm_^rO{OMʸ佤cڔ{z.K\5ckA43z;Կ?je;4'F _Y>e;̿eX*ZW^|؋uE±e0F$ZF?3'μˋKHǸCEfzYq)|Kw2ߩ:筴)v%lxK芈dQ0-̊ o~[?4g:vY~{dϿ~HAߧ~n.=ni'Gzkwe~)^{1T./ʘEzACV%(ĨhɈI+ Z2$Qھ;#?3"Ռ, ?a1\FNT$/W Lm#}KDp:T $  vߪ/z d|x瘲BEK(s7%12B* ȒYba-rU|M~yKHU.݌t̸zN m}W{y+EJfgK#d}//xQY$UVV%a^g{.b߮״|8{[];Tܖyom_˞>fk=| 2bȎqeJIX d1ˣMLuJjȠd,+jME4 \ V6|KF~4NWBp2E_I%aUh*$HTŐTYIXdQ;QVc+, U(eaN0%~6:Zߕ_= S^oc--?&_G4:%%D4IXWB*tTcwNhD>,yh2C > (MX.=*H %"K\/W%8gŞ.NRt`wlN9w6.?}#o:1Oi||>x&[4jj4hQDCeWP_5<Ώ/f?Fău/irOKq?iVhDa00&[DqozG+*d%OFϤĺb8g SJrQ\"+YI,+ ?"_oܟ#N.r% oܟ"NZwa.+iY A$הi5hM3q9'coIⱬo?] c[yG,,2zE-&ѯ& 6K5h!K41S{1mF;OY~/'W rZL\[qq_,%{m>zvo vue)ʛo8/rt?%?~waWY2WO~m;(-I. > 4g%9rpƦwJ+Y('-CUON1Λ\W8ǣYEږ1,z cF,7I32ZuWgcXiӵT]n4W+mĶÌ(LfZnZtFs:DZUpMֳ ʿr|~m;,~~ӻ N.-I. > LiŜN,\jkRoEK݃o-9֕S FW9չ朶rxcbmz>v6ߛVErn;pսW˵1^-Ng̭k:Ɩ qEF_dl Ua+݄}' ?%|'ȿ6VT]Zsz5Z^'bV/Y..% xΊOgƾTA©:zQkF5ib%g%bt.W{"_|6e$ۢė% 8oܟ"waM:L4grq˥ٍm<"xN{L+k3T-hhٽd56;o#D0~:ZԸMEZ4IyHչ9+V,NntfDjhz8p_'E"g͚=>ûWJO.Μ{ G6MW/{"5ʻMI9w/ٴi.gXs1MYe4]hV7 oюi#Y+D=>f~^{oZ^[g4N GEʮ`cN.sIko"mYnif+hPs4l/7W usⳓȌ ^nsdlx֨Jye^׳>f^vq#NqCfvk2*Wݍl+JQi%<5"g1M+LF3aWLJS^5kSӧ76WՅDqp֤ w=CιiiQ]Z}l9&}7-"8ǕϺV+fe׍DjmyƢwJ+Jr.<m)o|]m1-ݭn_5F㯕ϷoxhW-OGg5ޖ&'LkY\ f:Du5h٪a7{uӆ6|0Ǖ͎&v$ඞ5uVh!N58E9EQij.,v+3h6VJ𲭊{l!).▘"Z햕&bLqERQm?`JjDMX獑N#)E]VR$)uipn1o%[:K(_YWV ];5JX]p[Ib)3żp{N4,WAl? $Q'&Z$WjW_6/L2tgX6ȗ1*-Y C6/95ǯL=2MF)7KlFN-̻cچ,qįŶKqij"k01-3IQVӺdWúʧ3Mx ٔ˻2oQnMKhj@ l )bctaN~!2Lżp{N4m,WAl? "I-[/r% \,~:mNC^d־Iɨ7&Iqm:+c?_ N1dm%}nN-UKWYXjWkMy4mM-2HF6O٫EMzZDȗ& hW;-qsNM`#'2% }+ ?"_h1N\EK2Z?d я~Ujmx@Ǽp{2['+QU3RZXu^ DƋ ȒR6J/j- + ?"_h+,|Et1]2qiy@WCq- d|x@HP, kj" O}']w6؟M^d' H)XdkNṻ|K7ភf[GC:,r^5ɩrl_oo4ztzFH<~ǽkSjPdDDCE «Uw[iCHzˏ|4=| W_SOCzή%Zcſu9[<򼣡0aӠ!EyCD4N[UuRQJ-uZOnk31ηH1:[Ϳ 'VkTch臠t"ZƙyrX?/;O8zϵUKV:uIEKG=m59&tfەlq~֚?)X4r6]=_9u)BM`δKO)h\<ߗfUYu)QCM4׬mp/ai53jҜu]סWmهnSHԷ;ce_Xο&>/Tr͟OJA%Llm]UI><{S;JMtc&)͹g/_r[y=|;]Jm˛^m| vѸ4rnS"fuwTbe] ,OFu*v6)aO9ړ~9,osu1*/_an4/3c5UekiM=4Mi6e}?,TvӼv1[m$uys:>\D?yhdnQRSqh׌m5ջ="bL7QZyO]s?WүR~i;/͌ןV"ŕnқzhmh˒)^V~W86kyR*i$'|\}Dy?Ώ.Q?ꆞɼ][5Uq7)joFc NkFҹ5;/[]߷ΘFM7=<7b4|.¸Ezv{NosnWxg*Yђ2 rFJ~=-9J[/o6o]ϦӓOcksӦOίr?vGt `#*.|8's}fg$a;^IqYY}_P͆llΫ4Su˫_=j}v,Vkc|g>Mm>g-v!?? S wE䥯6= 1E{=a;xWhFtbrmQKIM>Gy}Nfp_Wk^Vׇ (Q]Rm=$ܴzxYݴ)qn]3^o312lީjN(޺{r5Ix|g{DD;qKW|>Cy]w>;z_U)Kl:FfD!EN3hᮍ5lkD;wk:hF;18J\m5xOkaͯ/bk7qvf\VS.4~? 'c.IogCdZpGZX3w*3ee-t5$׬׷N 9sԚO[XʾUC赥9(j=|ǒ5G%Y_OnwG%\5\}^<^k0tv'TʊޕܓkW .ߵ٘欼{vuxǞanT=8Kf#&מ[-QHz_.ν8> Mz_g3}-4b%=xy2Kv߁Ei>=SyWv! }RXMMm͝nyTb,9Tm)iow;:kc3ߵ ,鞉scAɮ~GϿ? zeroɝ]݇*EIOU^6rlwkوשѼWse>nó)sE=_ؚt<, ]ˋۗ˻R7#MgCde9hK$xԛ:{&fb:$e9f~U>7Cc?>;i.]99|<6kk]w='NΞ}\hKQWO;[[kwͯxv䄱2tMKG\%]թ7;K_M5;L3RO~~^\-ϩaF52tb޺>>xJǝ}jD?WҬ~az-o?-OfUuKф]Ļ~ǘFf"h)VfݮֽZp|k5]qQ3r#ǂI[$G#5?/௢T>D6Kprlz9NOM|Q^YxǴ;S|g:9/_{_/]o?eb~s~SvK"rRXxΗՅ*jIk[p~4={r寐OzZxw)MlsV%$uӗ'.jެXRqONfj$5rr47Ryugyt69A(O]m>#]mٖWW;c]>/W](\7Vt]li?|/ݨxxŕ-A贴E2Me4Ix%v{7WUBTӃo]^u/jtyկ Y=pq40fn1\-dΜX[fs*di1 }%+89tE ,N^_+w̯:V5,=ƾ)lVz}c'F釪=etmYjZͮ5fc_yEzl>fbbӊ2mVg&M5{ rvYv(rV549[;7hvj,Ǫ[\yڦI>3a5{=aR iN鶗Յv y=t:ݛ\-dΜRz-{6T1e+V)(QM⛭}%+{_cWk399zl"Y^uWϞcmLj;oks'\#tSd_Yc5c]Bjf-tdq]n|ySm5Dk./3~iew6mڽzPR8]:V3>_EǶAET8ZsIf-ىUpQ4RH2WtLNܱ e .tqZyPX:ۧmqtSmYD#9T).O.jυU|d櫪pQZ-YB7oUB6Yk E$KuؖLpvW>{gm0MeJK^]tX},U:\$y*I /R1]DW˧ʱ8t1p1^.-p-*&"e锘row{=BRছ#Hzu򳦘TLnֽ3W)*Nr\=5^NӸ[6s'$I=4zxY;)x}n]ˊǩk8wYÓE(5\Ѧsa{,R%>h'('cيALF2*M-dC2艷GiWkUB3於I>]4z"YV:fss)FN\.51%:&aw5U I(IvkMm=2eXͦ&2{7 jDRɚKHã$}?f< eu=UjSH$'~6:DOf'YidCoG%rsZh]0aG_wln#L⎹yp˲Ȩ5ӊkYE7|>[ng;8q^8<R]^nJb&_K݅aJ*?>RRӛ]c|޿NEkY/j#7jztu8syuSfngsG_7> 9iH$lDž=l~̧>~L|^x|gµ>eZ"Kf#48G}0?藉}/s=<=I_ ?NNaG~έ?ʻ#忒O]/S_|]>}go.bS~ENlӧs:yG7'Pz;w{)>N~C y' ݲNο:>\ʟ7fؿ-_FݿKV˷}Q_ Sy{q>G'#vᷭ۟c_S4_@JvW/ܟDg'O}:]#忒䟕oqz :}kK31_ө?"ߧ[?ix9<˛~L^y~6yO.a߄>Lgg6yc}_m6WxkoHݷQh~]ok}{oz%Ypi{^|vr~YIz/TgNc9\FƯkr|V"OC.]>\Ǐ^[uS7΍Y#fI3zn\Z^f-*9qnGqVg_f3? ?}o .A/et$>ϗƜ oJ=0>i3뻯՟SG_L>#kݳZ,wҾ?i~N,Ϡ^}Sϩ{E<}ⷥ>UX}_os~,~\U?ƄeOX=؏CTf{a2~Rg^'G~W@'ʜn(!wkfqb۸zO_B8{{~3nn}oѥTeN,o|͙cxC4}o iƞ_B'_/5dƦoy2~C+#l{s>xs?b!?,LqaWzf~2{N.e~Wkgj=t0de?߸^_Ft߃?Ue FCܗ=}ƨ<4h۪4",,E}͎fһ,~V~ыEl١TzٗQF\XdrWgj9=ٯ0ō:=Z&eS˚ٽw"!7ϸ[@>gX5746W/}7KW\<d|7Lplu{ľB~X{35_׃_deowWp8-Y= OIzّ߮,X?*-{y~3V %wek5ֱDS{|#m,rVRk47#3Ԙ^NηS3.2pr.۬-cK/[FY-Ե33NceJ>V];euY}CoH4nFmOoYW|}-v4qxSɨv-RroFӺkԼzt}m8zSSoo1S:NnչSE7cI˒%[FOWOC=W+xZz;}ʭc5#V:c z<=ju*֞jMtgū1͢gM:U몔RP&֒׺۬v&"4R(U\9`ۓZtq֮ʱmfeǍ|rPi={SiaضΜTSUW ԠRko;UN fcDNʬȝPoX߫M6WHNEM~KWc$RLS&8 _sIKQIs&u,Lۥk^ܷ|׎5UN 5'-8k|2<"g_;I2h{\ΛoΫ%\\x*֭S܊+[Ȝ|rIj֝keHmiwa~&ۥ2E+j~Yv[wӚ;}ףJWkQ{ӧYעu9;.fу+/͖SȕvҡD+9-]e8Vsls`ŭi1waٻś&NgX׸v9îPGLoqFhE;=Ztip~no׹մ_m.2/K&)U$kɟ p1f=1Z&{hNDVcgNGqүw>cNFz*j|$G:k|=iѤiw\~Lfuu{%e~ rs{<;Eȭ˵9鮉NM2p|ݩޙz~:V=1cFζ[5Ѷ~|uՖsNǯW3ߟߓG]/5O4f/D6ǯ.R^_c|>ngoȯ=WO5<1h#FXρ_m>L|^x\gÃ'gsgqMS}:N]xkz9w݌NӉHGiq>?_L>;z%ϛ} v7s=<=I'8Wͧ'0gVݟ]őG.S>e.g'NNa:J_\ܣCxUz|/;~Da_ix99GC- X쒄㦚JQrjr][6k9X ;ͯf˷}O_ Sy{o>G'#vᷭۯc_Sß4Y}N߃#%dsۣ;]P)ꖭ>Clq3:hwϑ1dnƓt*ܗCpmkyiؼ׹:;1߷Xv5{N~ÑGOʷx+Au;='gg.bS~ENlӧs:G7'P|l=U8ӷ zmS xl7Vj/ ͺsm\ 0Wu(N-i\x8;_1뫳i&iv/WŷQux%i#iz?r<5>[g_!}O}0ݿ藀K>RK/i_d}^=xO3}q.O= 8sh; oGQ|5v3 o蕒oF]5[/W鮔D1i[> 8W:l$֏G&a]cV[=}4ѫ|l;[q_Y=nI>)ypvU'go9L9T?}me9VIW8餥.72#oΞm[~d4HxsoYm NYBO#آcc:e[އ)֛d}f9}gǦGcVmѝSKVܟ!e:hFT<|ԝ6J%Z\sK yxۤ[cGuG1[<qӒ[9gKgGskM H9_TvXο?>>?&~/T<>Uss}ه$P6 lZk:i)E˃p4o_lUk]z'ɫv˘hmGpz~?k~U=ot_Q^'"xvO=%p_wۏ*5gr|7w/Ο=O|W_W>q|No?gϖ}?u'Ogrz/[>qg=Pn^>[ vI\ߪy,>g[9ֿ?SmrނW۵xܱZz}ov'!&z6G]3_5^Oy8=Gg~>Q|)iK]CoknZeզቧ4#<w뿳6k)>Kk~U{fT/}w뿳6fkvo!#[addRO4ZΏ=5}a|53~OuF; ~W"&\rqxfkǼڿѹ?!䑶=ƹ=9_l?&\Xd_'S` (#n.-yVΚ} ʸ#_uNq%stV4׿앶]^_Dt=h0iշG71L{ϞjhշCQ;V%tigV{u˫rꜴ׏C;[G7Xxk[rĕT%dHzWYm ;~T֓MTxi::Lv̿6b5E5pDh6( ԺW+NkazvJV.}$Jq-V?93,R\ }ƨ}'~J Z<ռd^r.Mx8MY8u|m~yL>ð-]pt}KM1_ bgj ~+^a~;;W呖&7y\Y61>^q%y~3f^xS7Om`2]1gz_addVM:5^N>`c&'S7d^/il{F|Ā ~'mL nFGLKEP ABEym|?\W߶|w=;kqvz+L#3@uȎ|Kk5fNN=^>իuMqm-`Sr,}ƎYa2_)$>Gt07nDmpl9f"8w}漇3=qRRk>c-Y1C$ 5(t^ki1KEk̼rR?Ebs~3k.I(.ͣӦg& >n֏__S/l?VÙ;}rǓL^Wj&v}KͿ'E73oȯ.V ;^ߵ+#s>E|1η}0lǾɏM?)*3džd'ԢH>Dz:\)EDzש&SHXe> zng]xkx@?gC_L< ?藈]'^agx9 ?NNaG~έ?ʻ}#忒K]/S>i.g೻~}N0~m}OtΏ.nQSz4<OrqX~fsY寔#^tY>7CvsG\L<~-_GQ{. =7m?]sO#}O=$#o޷ }O Ϛ}*o.-ۢvGK'~zq3.:j1kkvswuO;6yο>|1z~ÑG?.̯(кg?]N-uc?WÙο:>\GOꇟ!KꜯL6gN ;Q I_n浙?c|>nf\+GXϷ}0b kGx%i!izML'[꣩L~B[oz%4|^ǰ,޿=o {gwnZo>/[i4cӾs:f|~ <ܿ7kۙJ;!ӋN-gΟ~޷^y__S/o#H|||1䟓?q]MO5{3عߪx|F{̊_Χn?* %{/Oz-/av6̏.[31=O6|7_W>?>a_W#>Y~Ӻ>YA=oSv ?;#~}+z^/[_D>UX}_os~,~liܙ_}SUzI;d>{83_5^Oy8=?g~>Q|)iK]CoknZe۾z%xz߮ݛ[t]>4Q8pzN+?wrN^Tf̽L1w")H}ďyhn}a|53~Oux'@'_/pikǺ $x{ľB~Xqqa[oM35dpq̿6Փ_yojqo}k?eٙfLnft$k3&x~7/.?ըc|CCrt˲SmFq~݈ၒ5Drq|ܶHwرYGN> 7󽍪o 'Ŧ5㎖wZ_@'S` f_Gqqkckz~)==Ž=o?fe1=s HOy:=Z&eS˚ٽw"!7ϸ@orSmFq~{UL% (=&. /)uuQNwy-4ηWlK'剞>,oگ?WP%x:y_FXwepSnChė]͹zQMgTZcnGۨN"]͙QLSZ5E< c&'S7dN/il{F|& (ANE֙ORA+ė<P *Wgn._I{GsK7N܋ce;g_[Lz@vrlZ)s瞇mb;FqV$g mk%;Id%tsw[ٷyPqq) >16;sKk>>^F3ڏv/_t?f|]N-/^_ԫ|_S~'߯w?w/l{|>5:?NύIoXK^(<wgοNnfDu埡9+o${_<4gزO̿a[Osܨs+njԫjēJO|Eiᗫ&ӎ lv\&ӣӊjc^ư{1:KԾ2z{Wcy#揽Y正ߑ_fY9׏\ϬI=Ri$}}zEk^^el6Zc>EXd](pz|$ZcXv|s|sX&^մv_y_l|x(ϱvG̿[c'/vc_j0212(WT닔aK]$+b-^\%/Dw׼{iiʢ*(-.Iۚ8z.If:[ [F]y>HK>k6ɏz~( x|Ǜ.ykq]lnۊۻڟYi؛Wf{F]W9r猫ѴѦ]w/Mmwfk]y_omk^Y-){5 <~y#ړ~(ϱjȮ )im׺#;QF=]p剶]mTdTb&zI--3xV;V"@Y{VzGݷ=2yViϱ?ɇ_?=3QKE.||qZ뮽>>akLpӣyڬt]UjfO"-zj״]ǽ˺a$#5??6lݮ'}᷒=<`N 7cQjЕkF1JkF>qqXf4`+-iׯ{tvh%pQm-<}>m+ٟ${^^yjǵBzCP᷒=yp4f՝u-͛'j;0̗Э,+v¶GyϱcEo${H乻7Ut'Uڢ2^Res+XuקN[._omitx5ex>]u>iִz5]'5ohֱ/W5'&)N/Vgxy NWWCwmmkUϱ?x[7GS¿?}#f?wk3_?#S(-eMNu.;V"Lu{R.+5蘞co1VgìSO+=^_m;V<1g ™&r]M7yws,νꎨ-/nivz? - .GU?fl6r?&?[?exQ̻.Q.%'%5ds3{hV=QdGC'.' 'Fuh定4ԚþurgMfs_lƱzYdKҞyo%}>9>~|R"-t5]K2>uVHɳھY9cG_ѳZb{}~N16WڿY5w.8FK0o͓>u0 J[DNt۶-rִi_WuY7W^-OCg.Oy♟+bXOH{vov8MW9N FoV(YiL8>{<35ӎ^;9¬,hڕT{><ڊƞk9)϶Z:&z1}Ǿ0Э Q^'#G'WgFXDh:V4w{e߷I_\dә8ɵm'6E6]bW=--/V?.PgĽ5<|ڟ.^{՘GpK)9OMx&֋{)]{፶n˥RRm7JZ#Z"VѬ=rȚkCUV+62&6.nڽr0o'+0Qg=t} c|1*b^3mcJI SV:l/2ؔO]uط70\6`rY[!{?ڌ=oX9tY% IU(U'MIΙ"#F6̺-WW|ʱr{ilkc7|{Fr$mk/(Ekm:έ!5_^^<읒Rz%Ηՙw]c+_3睧 ɯ̓|~X[TVi)~)%]7~~>o':Ztji ³cX{N96X4hm0^茱-3Ij?WW~\ILL͚\Zlˏ6(F5o{ҚKdj'xBq$կT/xg%V,Orȯ`rO._-ؖuGnW(>&䈆̷m+Hw+_2.Sx<6/gӹnwFy9U)y^6W|iY4Kߴ}yvMJ6W薚>fKD%2Ƕ4= lӤ+_3ñ+62&6ļiME:~Ek˦^trvfrseF+:N1=>3o 2 Kv plĢػ\yjRdÖRd^Rƻq'JI=ZMPlvM?d'̃/?M8UB4Rnzk6\5v99U;QtMKDJΒZ5z-/Uzkğ_C5xv%޻S[eTU|m(M% 53{;gzᕍw[5P-5\O7FHkJAؒ}!\wY䌣˹S~A K[{qZe=D?ߨIhB( Dtq$<%mǓ?8~ٙ~ͷ֟HP@%zU=<%kq=0񹕾Gyh旟 IXb3Pq;-}jlk*956ukЍ1&߷7mWǚ+{3㇍NϻO[^m1ʅS3Wv1kXяS%k~ΖX-x9ۂPp)qN+_&fc=l1<[tYe8Bj'zvr᩶6knoZgFec{}-hZ^ 3S;˧ 4O_ɴYgq]:ǏnF6VT% E4󶖞1֎&hYp'=:IiӮ6ș1gNxY,l,cۤޯY9~n1^"&-{,Yqhͅ}+m)>F3d+3y5DtnMxC26X􋛂KD8q2+}g}:ͦixZf [orkV7ғ6zٷݹjbGǫYc ePM_F봽| Y-f4<-\MǶ˨תkJԚMնϻǓVWo#ѱ\;5e5jۯM[Ӿmvsh]:;kZp~e~Uӡ-}v~c ʧ\\;M=uמXbqˆw36M:o%9U(9$;־L9泬4v.Gju626v5\rKd}3v\8mrR&4-Xhy5r))Ezm.mɳfJʚRppq]ϏiYDIwn+iՋl灓pp.)qN+_&se4鎶x{n>cÎT.Ƣwk/ӆekYqt:5s퐓Y]dܣպ^=N=Dh,lM"^_:mn昣+W-7Ycb9fs(jgF݆*_N޺W=վzeY:|LXr#Ds!lqZ-{ô~{zρlUOcOacf^(VғkDzL޺V=^5;:k6oas;&Z-mE֗8q2)}g͓uii.FUͅhVҖo_O[^&kv_Z4w{9XQˌ(kO){iKS_F6K^gN7h\,%M|Iy6~o\ۈNwn xǵLJe-hW9ۯM[ӏXtsZȬZp׭[|l%kNx.6LvC 2[kemu^5hScIף%b4|)6l-Ҽ~.n4pxd%kNKˇ˿S㱯fՋt;-{zk[Ltwm|+Ν\[̵upl^iow4rnS^Ɠv Yݷuܷ-]-]z];,2MkYӡ{3jʆl0ʧ[:<:EsiOFm84i1ӫ[t۲޹S|.{w:c>֗׏{F\MigkU+9IrO =h[׋>])fmnqPIe{Ն-oܣfFerwU薝Ԝ;\XlV62rdqtxG=>(8M{qvӹ\٧,uS罯 "MIIA(x1S_KES_8r_6/zvbު|T7++dkUMn41޿e߸qDe'v>M72;#$Ž8t-n0╛kُ+K.ɦzn 4lՊcZc.VR\:1ק{?F~V1+p|NjkKcũLd_NZdv;}(UI(? ɴ-6V35NFߺbcꩯFO}sڕz"Sgp:[{V~.~fֺpo;kx=ɮӇ}u-oJc[kǼˉ٭N͍;u~iEfztc.~Ɠ16Lv[Sָғ96|Y;vɯfסѽϒtt.yQƆl.uUqkcHjMc9ƫmTwS3vo1\O}ngW⽆l[lx]/]zZ;q}5`0q csUs][J^j׺m/fCf=bW<ܪ=Yt"KWѳ=[b2k3rfɽI4 ,\ M"YnZUdx$ŏ=xfc2Ɇ&E"{mv}w+e-y s `Lq1z\w/$"8wg`spp2XҖ9&ZxLm{a{׍a讫fY*wgmv%$挹[^vk;]o5&:u<[ZxZLklvNݷخlǝNqR]kR/tsncøNHWfssƑ>tw |ɢr5-|'kߛ m.8im:\}꛸Ökhv#>""ak3ܻ 2ΎdƯ!\9W:;ұ)u؛N{Ih5κKc[߃G.wfW)Õr=֝X5i^,dQqG&FκK&Ǎ6`]FGlRM*r!H%c >'(ztOC flYʣ!'d&|[ӇOA;3ÓQ ljꩾʡ 4g(l/8_M\WB2||l^4 ΰnΛktE%Qd, }s&*B2JOW\x"JΰǃnzJzZRz>="Zf Tp f+j+koeXΌfm=MU[mN>bJ-K^ӭ0v g>fa^"4+3,;>,|5JsVҗJV&KNc/;踵F۩u*} :fX۵amxdhu\ɥ6Sk{єۣW^1dviWHʪ^sc\,| ke4(ťcZpt"%L7w,uwV8%.o[Di1tgbM 5Ӥb5sʫy7b[^{IV;R0AY<=+qmsˌziKDDan˕f_U+i+kfZDưN9SvckʖD3l\[-{-aiswEvZ˧Q%KDG̷6 >xd~&4Nɦ[]X$h`.6 ;.q^vdc fZ pz"{Lm3Kaal{~Fݗ\UZw˥b#SYՋqt׹"*YGr]#{&#M`tMb-XbUEVz LÃ|w[\}NQZ螆dln6d}2.{үX/B6V+= -3Umqa9EkӢzK(vvj6e7.\lIAs(LN4{pוdX־kCfǹen*S]Ƈm|/|Zi:uZ.gf9y yKgÓٴB6~d2QIwu4e:mܧ(FIIkhR'dYgJzZRz>=%D&] Tp f+j+klsv \sj#>cXm::88ݖ2æѶe7Z7F(N6lxy}EjR|CƲ= Z+V-U.\ijqѳ(NL-jSv5l\bұ8q$DtsrڞVWunyCR&j=׸&+k:ʜ\oUF\Sj+Otqrqiתs=^3F= ln7%|E)V#Me&g^X]͖ s!~.<Õ-RuJt98dp:珃\.;ÛqwNmūL7#ٲ|Rvǃ^N6 μȌJ_r}/|L;q1Y:odsYGGkENx7}q)kTQ;h_۫Pu˿A28y+׫B͒zM{+Slgê놼܋K>uY _YE{l7hƩ%ݟ V2ɸ59eY! yLᶲ(DD2{I41It0K4M._^ϯfSsn>ZJ>F aRL+l_F!/r۔q{:NUY\edc't&b5Ok1hNr,n1~sӆ÷k%{UZu\qlͺ5<73xQƔ䤲i^ ]q8Þ2M{R#:_ܷܿ&6oQ~ Dm?P71ۅ2ӻw[d?/^ϔ|x%4×f prWe<ɥLbS:;+'$Ӯ#WC;?{qYޗ6r~5|\ㄿUeհ[wo&eQUї8J]_>F A^[=^T0+/4Jv?ݾow'Mo^SϯwۄGhpl߳c\]ͯss}>u<~_1m]`ؾ>FK [[nxgٟi,~D(F,I}۷)ǭlb{|kWlENO|φ[wr񥙅bJ26EI-\OS6)ɏc_SŒ1i:{WLrwAj vwՎk.[9gf7aݙ&~Sgl|6s//k~E< V%qr5p:c.hO놝XS.S9t'(=g8wuza.׎[.V[{Ç'5s ȿ-" =qDwhgFgN_N.<7s>c_[O/orަnYW9g^U?}c%1_e̿?jV2f<~~ +o}zlq'o:6?{ӧq}vgk[ʺo}N^eZqyox8Qy.q(˷\U>ysc4Cb kѶOS]qk9n~n\_HyQaaߗܟf^ 1Ī*0MY"'09 q?zf<܆?Ñi:+iވj;W{Wz yO.guؿb޾/(7ߙOdπ$j yz\)MQͺW,$+ йk}#<ѫ1/j^.ĢcM9Di:9 |0vy%mFyYcRR߮z}ɴX֘Զrܱsi䇙pg)1)]UkqYf ^:;T?^YϛK#oջ~b3oaz[8s6S CVOzo=f} 9]E+NNN/)֌yXv޾BτA^2?_H})~jd-5v%sǪd8k6&kԞ}Sނw=ˮ78g\|?PR'4v/jD[pu̼23ad]cӇexegHQH83wN1XuWtP3uaY!5=hw.0>eͯ-o[ٹϳ5BvCIKrjc__'oX;xQ˖;m}-}LtjD'm`[6m^>d(=y2<?֩Jِٕc +^ˬKOXѬD+;=;> Ynopr\skA. OѬ~71 [u'?nQ, c_{3ۗ>,E:s KH>ٕx9?/)x:gϬy,2y.'}f8#)UJt%ge1+\TF3F_u:tao.S9t(=gieXa>yEoochR}s7GDVMo>,~/ػ嘯 '9y}1ŝ]ȏ.cE?혿S~)Ta>#ĶqKdѭ$Z{~e%8PUdxkk2s |Kr .m*yS :5]z[ݕ{53,~[_'oX;Ѯ1rGgM^uckyN#yW[9S^T=n޷ !TsUo4JݏN6jV'O}/ۺ/1^˕7>W7+۷_kj'Q|nFW?Nsr3{R\[ė.3]~=5*(\#ZTγ/nզ{2"Ћw_&:ljٓi1?>rG!FLP'MD8R%G,.]MFɍ!MST8 WV7 zFZ(]vTs.}?;n=p*9GGx ay"w-Y :Yeceс^O[Z={wzcqŵu0J]+Ճm' >J G.ohkqڙ"toIcد?dģ.8Ueu4Nm\Mx3}wluR/1ӣUn/jVbz5p<V>~,'fRV֚.I6:1^yRº{jsu}G/]y18z~gk,w|2Y]ut}r';j-z66Y3]kν~hͣʛ\=Vw?g3h&dvt&'۸S.I54 ?DswǗ1:ɋz<ͼ|c_^EuIN:mjq]-iɋuzfiZToOs$ꕶ%hŹ>lF>][>\ONM0.73V/Tcmrm"ݭ/5N=׳4yU$>n~GקM,̎^gt׏jvɵ/=_}nL816M:ÓO2ر,yVr*/N je7#Ny( VgQ;:|%;#ssKfugo3Zk~?s)Lf Fz)ykxnk7n8ty;mO^ogsr'uYrx/6_Y{Z1acV&Ggbd*!dqi=9ڃog6=2޳Xb#`*L[Nˡ{':ۯVޑM< ՏsmXn<=\}[LZs\8q IK[5kkKiݽ5ng9UueT*Wɸo"#G><zfLshX}wJ'JǾߵ1mYщ겺j!CtrEYۍJ/ֵѦ7nKZgV坷݅D69[i'Jm`\586vcۥVGW[=f<i~ޝ[}X^νZvfN v/u5;gcztlfƝ g[y.xQɣ瓗h֙"g^u k8Ԍ;l6'.9[&]8źg^ 6/ktj+fr2!,ڤ|L|zZnw4bϓZk؟ne8uF˕vrss=4f ޴kyקOk lսf])tjÁmݸFWkj0ǒ-kѧq>2ct . zܨ(7w'*fmף+ktsV ;,,]*f^>*2Di -Ʊl?dģ.8Ueu4N\Mx3mwluR/1ӣMn2ZyOF JOr%g4zM<<ik^4t~w}:z xcZeى':5G-ۘiy}iHֽ^7dܖ\l5KӛVw89N޽vc{WJv45. V=Y覢ZqFxw;\6V/lioY1麉.Nejxn+6k1ZWMbbz[ȯ*zqXs1-}csúY4 f >6'%yyklSy{μ~Y+Zkq=8ÇNq=<}/Ҝ V7deUVkd#ܣ+^D*95du=LZ#&}VżfiuxYŹ0`d(WʭN<:N_]ܒKJu\]Ã6|؉|;1m]ʙy[Yɷ*ڳۤ>^-_qӗ&%5hŏyXipͦ5cfMWyhn4^=ӏykkwXic8ۮ^=P4c*9#򶻧6uLLV7Yi3kLw|ó;L2ύT}W*ZpGn}5v==L;M*k4ﻖkçouϏ[8y{1HcNfojo1^fٝSf};aL=_'S.gI_ѧWϏIffgW+|}kVr9yX},1ivJ^ƶӇy;Cٽ-¼]mU9r˺]odknv4'X`=7 nV=ru}cצ-N]Ltǎ-u:vlZ&N6&v߃SÄ=}]LTH:4h,kcii\ݮm"G%,_qr5w8k1{ݯsNx0e$ӣ^뭋x+kȎK̆3qpS/gv˽]{N6]/̭{=^lSvS<<^"RM]OG8&Lqnպt}h^^tk2vLIQ^L:^->imb֋v㹦=fϟmvQ^Dm̵_7j/773I3fyZEӧw׃kk#NZ׏Y_G.54` ǖ-kѧsۗm٢-Hn[ xmfu%,r}̛5NkLw8jק6ۋdM4sV͖n0ɖD,RZ53O]N}kѦ7k潝:uwݚEYK/>NjH6C?0[Z~JէÇc׳Iׯ_Cg{wN֛umt|nqRHfp;7x2^9is?[o]f 9}Θ_/HŹi;SY:mvE杘Z.~΅*]O/2&˰ی3[NNvfν.ٝ&9;ढ|$vm[,2v˟o^ŦxM[dlH*|ŏ˯6m8hy{i?7z1/}g~Di0*(^wri/88pNȶs5ugm`n/.Nt6Eiׅͤy-p'þ7x-b8yx]ȫ*dnW7ͱxFMcZ2bdg9O#'t+:}l^sɸ;wq_=-شqvj"#Co= lpumUssyϊ՞>aұ4;\6{}'kٞ<4>}{ljdmEY&iZn~nk}4;/vw+v]-wKNNiK]mMu׫eZE"qi9{]t_:ʯ䮸W9;yyN;6{\}cDOwυކxll~mJj~u~#;cuSLz:a96q^O#vw7HY ,qnQSQz.|+,޺#&c^'ѓEMƫ!9%Ӥd6K-{TľѼ`fnxq'/P)-)/T]+~=scׅn+qgsyT+梤|է doV\[Ck7N)dr~#&ѦDN.͸ll2Y)s8ndx'$k52tl,۫ȌTj֏G?pZѦDNٷ m>]K>.g׬Ch7iln"2'SwiZ=dM!"'V=3btdח,d|%f!f&[]F y1:cC&fѧBDKWfdƝf*Y] 'ui$:F[>=y+36[e5%]&vtD4l MqҢtrkSi:]͆Y~V<ӻ\MxKRXi.^-12e=WW~M4ьiuz l_]Yk/'XrFpRץf\]p]Yжte˩Z4cYaܻ3G/tU_/㤋XI7c1 'EǒNejt[Fe2kˢmMuMqMq&Q5hm[[oM(ףVkitnvW")9]8&i:뎜Z5\1nVcFy]FV-z9SIs2ws2ajJP[:xtf&WNf;fV;s˵]4cY[7ouUܡ-U1ՔGFܬ[mYes/TLR"Z[Fn !8ZF6h;ͣN ٗ}YZsQ$y)DL47qǞ<--WmAC1hn}Ū1F7sum tE f% ֺi{޻&sywcُp"-zQb1k4&:t6}\kyݞ] Ũn77;^ 486ӂ5gO[FtNk_6k>Mոq^>i4uzKMWY-n/Q^W+Qsmk_#[w2+\K1&Ji{l74ymYG}=M:9oѫڳi1qWCrOqէ)Mwμ+5 斜]|^ǛK;yt_q&<]Ou柗czݞk瑠T4nSŪK"ϭUv2-?d?G>SGF$º]#c)1MTK $e ,23p*+SIeQ0# #8g i6Cl0̛!FU{[G,*R3Q`@ T*@ nΜߗOzZpaf  N"HDIDPA*{3cnܾſ w_}-{oʯ33XZ~M5m| Ht$ P+u\S8Μ^*W9A!D7U}ѣcC|}[sYom³&feºSPrzj2X|jA4i>:x =M0pepʮrpJm8XҔ{ŴBWVEуݕ&31JJ ҄s4U.w|,]~=sa4Z9>Vf"'CYknnu7Ws\^ZcB'֞ٲܽDž6Nu7L\zvc]YVXPv(j|hyub"VfX\lo[wSQӆMwEcRe+m{|3D:BZNmSVb46vveSSZii3qqv;9dNSȕRQe挿DF3:xvmZpǮ8킒NJ:p׼&"$f/=2~eJpS|]f/;M.Jk3l^N%ګ:>MtZf5tqrk*+Tra~4UXM2ʎT˃\bA-%ʣrWյ~շ8ºUP.U7zzt1E՟rî,8Y]yP-N8tŴBC*h̎Lʌ31JJ}άܷ<{tp+qVKPMƲ0aã/ "X#jc$ik-3Yjx\d[uEˊPO.kc;2'lRpR.c#Bfu2 -piN1vB3Zzj@5kn98n0z<$i+-f[,=-} þgٍtcܷL{*ܻalfW$y_uwƑ3'N{-d9c*VғZ&]k~.fnnȄJ7MMI݆ٳ=Ɲ_KUj|ZG&qΚv02r+J6Na4+sI=V"VX6Zs3sT9RҺ> Ȭj= q˶% 1TZpZcQh:i^=vבMUcԣ.xɶӌF֮. r3s*BF/RzhDDhLV׃vvU8撜쏟(^^k گÎL.Ō&ӮQjv({EIh*umWd]cJY)MJvsjQZz=hu`ى8ʨFJ1m~( y6_,gtq ([(q7Vq]tg] c,_TRuqF e0/v38I>4Ms23:^,!%eɹCJ]xuT`cFEYprҧ yeR #Uw,|:Åו )cJK& UQݕͪg\b,:%HY?uUnXb;#⬗,qkwf5ס#ox]|ǜo%U0YnOmn^RW%:.\R|t.+)c;2'lRpR.c#EջӷSmw]`늜a=gd|=5}+iFů ~ŧWUPɌ9N}$K3lٖv4ξMkϣ]8wf5tգe{*mP]\q}1DƖ4-O.NX% k1lngYF?2FM%WKhHVfv}/Wu'ej}ǾgٍtcCi.o"^DdJ)B4\^c1Dbә^=j'7[JZW\׹%cYY!f6vߑ!fC,sK^ :y>j<}mwNu}hŎӝ `v]ECҫ[Q`חK*-^fS1Dc͞󒖚DN5׆7='nSwMY(dң1bzzzlse޹&&im:#N}Go΄ڳ6qZ\ju-iǢOSF]j'%=y{5c[XgYJj<)qmء捾'&c:GӮ%[w|n f/].3eqc&m֜oHi|Lc6hͻ:Zczl+k ܘMU8F)Bu÷*Z1DuijկgJ'uߋ^vu6RM׺Lu͒vqF}81kVؖF4mPt!8('+OH׻/}vUgͽOs>㏄12ej[ ɩ_.4(K㉎یNw]|;v'M8tqՏ +&ՙE^S\M/.ۭf6Lf&;3h4Z&]crim{:Lq[9mMurpvsVL,o&IɇL}#LO{8eKt׫N^.=u[U#F6HN#6<32R&'zCD}/z.?j*#?ީ?kg)Y?ީ?2~HSdϒPSd 5d3V|k e6K-;әq!Ѭ0.m}pe9tJ2ƚ 4w6ijF*{=vPդ׆Lok=pTO:O'>? %uXcogȟbxF|'ȕ֪/5vJeh$ܹ%ԓQ͸ "zXqԗx^ eH%!h+RZyuDѷLt7z e:(U-]jfɆD6(O/ W%lq;+=hT_h4}?iE6i7>?V] [Mf˼fl忛WWлF3 RjzhhWV6JdFOC;GK&1)hX j&f3 "BhF,E284e=Fu9s/l_%dH@@vzVӓnv=~S{^CynƱ?zkOT-bc+6b}:co_k|VƼ@Ciͦu4‹+n#^I73ZV:Xz675 瑑+,(NqmEqe%ef.$6ڣlp" 9uӵ><t zZsYfتŮTWl-B&픗 44 Is~:r(jޱ[e%ף&bzlGD67aFd-- G8[WV骽pܞn$KoRz.3)գG˶y8+B|Mc&\ k ig07 l{0z"vJkԽʢ84qemTh6iWޜI1,qtq!Ff^y6}rמG(ьKDs6X'˝§*\kL2NLrnJ+*).}yIhHnp2c~=Uk”'/Ν?SUKqO,X%-oMrS7]uգLy6215uZWEh֫YDT<\\klz&ׁK(NѯƺLJꭄ溺lѮF]SbPcVV^%Xι_Z}TyZꞏV: OK[r07 J=(DkOw*c?ݘPȢVWCFغ'di Z8Aŷ, <[UwBsVFϢV[Dh=(TC&.xhBi-d[qV˯zW;ku2gcm9>=(qxhtv~S74VFpy|e :Ɔ"o/qȢU+a%槯Biw4sqvו amЮIe/FO^4 Շ'r6U Vԛp&S]M":rqhǮeո˖oJܬ哔*\E]nY d[<\b5LbuT^XhlGK*̌zkm%SJMp]&4ef ~(_l,VE=th4NヴfN=_mQl,ׄ_M nmx,(ՕnV=W֟Untֺ-cjNFUU'\WYuDj(v(O",hrevFUŻ&=:xLRԎ*w%nV5BSt,q2|"DH]eҰmFV"Es prsRMꞒ-ca.xĦ)ȪTuF!+='#29SUpuo5O\bxΚikӋ-+̢x}ЪUT%'IZڹiXѦDMr-ҳ3x౶xUUeWtۑ9GcZM{Gg;UӦٴ=&ƚbgJtCh9VQ\*ɪɬXZ1&*F(Z51D־'&[qFͫ=ΓM{fo9'IkkwYǻtʞV4\kvKXT6N(lbվZ&zg̛Wb&S֞*۶^N4'L-W$ݲ'g=l"k[D}鞶ZuӄLC)v(ZNY)h?I[3ihU'^5pDZODP1ݵNǞ;#4ijGAϻ;USem~mv: q_v[KMkhv>OKb*ԯƶFa sKM5MmHRDEm:Z'&X3p(szu7lcSjsi6oVoKgEb#pz|-sڸ׋kt:< GWu~g4%UNkLsڴZuLODS4՛XeageW/NF[|qfo3㮽}ּo9-5^{=>g?b=e6dcUԨl!.i4vj;6DOM];ΑX=lׇMwQUȺP-g/=V&αkË 31o]4ӵ5.Ŏ˓D1gQl-zB3յ4bZjͫ'Oq'&z+h{l#*bȺ_u|x;v1:%Oێ>=jV4d3Q_?]8?#8P.ٯs#olRĂɿi3O^Jo}QZƢ*J1~{oY\|3yk3=t;5ڍ5SKf{OmY8cʷ^¼;\_&<ߴggv:2]ׯɇ'6g}𥿆XLr?=Mp\88y`3~弌'q+X{+5iQ(۩y+Ed~&\}4g+w?r|c[GGj>`gxפ\)]i}} Ⱦ>,zN+YeAbl9.3-/Yr-p\cS([yX8k+NIsJDJo؃2{ǵu7ڙ.ie龕+noإGێ~ g¾Qn{qYOÓ_;[r0] ]fh~wkb)꿒?Qv-|51A+/a=VyEt(_fHyXgRr>K^\c\1]^|5KO,7oc閞 '+5,-&z_kSjg:W 5GKN\4Hٚ"H53isRmæGb'|:Пuvw{aϺۋH*Cˣ%z_j~x7}~e+MGXkheyXWdU4Ӌ1hF>VJν9]iK:f5ٵ)$R(*h$TMI.!.꼦R}6yʾY( WaGggrn"lW^cuPR^Y#%"ѫ}alvY:{/?)Z+1d0!G R$@4vG2~fFUK4 Uk >~) e1T N@ (@@H__^RkuS?66[q#}KDpIR|NO2h11^$ E8I|wxg}!OX[U*ޯ~˓^*229.xƞ6ׇO?ڻweaCm|zz+~Sd}?3_,xV}nLXw!d;hXzn%ݻ|!}l}7֝_߫[h_eOFyTs]s,XM;-O#>^kjK#l}?ycZGmOzT_ow|6"TZmVz ^\;~Y96>}?f}}~͎z=f{hn{lܯ}6L7Si6Foawn9oSmWmؕMqD|QµCEޖqqPq\Fc4[B J*O8%z/ƇQ֩( > V($ :Fzts$-1ZVackTUN sƱmZ𵼲Է=vl 5/TOWau2iϱq <>i7םok[>;fDe3FYy->J-\yp_ktcnI>Yl?_cQvNo͞m|l_sPfi^_VcO.~꟒4[=V;S햌vC,~U߭_׊?KR߹LկSS>=2R5^<^)-}P38+`Ϳ)Og|U>^?fmGJ4!i!UgTl-X-yźqUR:}M.>=缮z?jٱ}cz[vtZR4[n#;yjgkiʆ=n,Th-xev^=g-ʧu5wEM3N-[&|Ǵhc<:RODl'ULBkNĵ.0lMkXgO* >_.\rݖxb_TYkW1>FDZ+c \m/:^2tfxWk/7U^~:,uoQ2zYPߝKe{:Kȷ3IIO/g8d<~z_;=q|x9,t> zC@:@ :Wd}S'deTbo;_YOH.yH(kTmnjgf߆n$p^s_h 1PP>'m֙ORBvQK@ J̶Ϸף׹V֘L#GdV%O>^e˽3򾃡U A]EŒƣXK&6eZ~:vϦ73}akݾ,/{C]%ďY╇o!f܆7,}9lr_lu>M;oxǿH\;5Úf8<;W:ah69#8e֚2`hɚF͈-S*!bXJWjqqq"ӣcG앥k4~k|3,l$ T!,#) P QB^+~4:BI2 @0 eEo|^ٓǧ~BJ Tк1T,\{Zd+1vɲk혖Q\ؚmn5Mz~v+Wϲa5SMvrGU92:\{vgU'>nMkR_?Kuͣ 4[G:vbOaͻWmGݲ+u#o1^|u,c&c)ٷuJ$su^<]tΓb[_T9v:+{ܶY {5-8MguW흽m<5cv76lǧOWSs-wKy5=<|e~i=:9Wnx+4j<zljLoڳZn']M>veԯ/l98z_<-4|a z$tEzQ賒حӣhخϗl7$surihTQ8Ou͔$tڒz}L?*tOC@   0 TUY7bBϟxBGhPA( * ʉ: H(__^PLmĎ Nw-:* CpZenh11^+-H4w|`v~9tw?'o=tG=AqO_>/ףƟ T=WdtFc]-S^tqn^t9:UMdSL\ǥ[/ 91cKvk}+qUjc(һ&}&ӿ}eL6׍^J⫔~)qɓݬ˟6/~կY՞xeQ7|p۞lD]-1QL,l;oN[,g =O!WcԱfSo`~p dW5<?y>lrlb駟O[Bݿ_樮1oL|^kiK|tp%sc0_i5剏G_czѾSy>_هhe? M{ :O_<7_Q֓uKYWr̓f鋝 +&a!b&gHy}tsrm kw߅Cm k͟Ŀ~<~U}qnʟWTu}nayŶjѤ]uz+Ŀ nUMռGoy|>{|A$hBGÙdddSjƒʷα:KQnryF;ϙrQn=c5Q6%{}UNg{N8|2(⭄T͎|n \ZfӁ$To_Ljh"+඿2\b"@@|m~y@~Ϳ R82QNw-sȠ@MonSkLԐd|^$ U@A/"8_/qR}xÊמc=qGޟ$uϑ9Y9NoYɹIoi~Îb"#HTŘ:[&'7*`ֵ

}m֙를Swlw6Rz:^W"1V-%Y>?>ba6sL4c4cx?>5×5t^Nf{Q]iDahXe ፳(6̴ei (YGR"P@( P@PPB^GEzH$RE e)WQ*jP $KF[!@_Zd,x 6RT!$Ԗi'G/+{V~tVZjsi+>(vb;~KKḙ_ޢoQm/3qߓmmtL_Ro{5pv 5xy٘} nbNX?dgݵ/G;Kyc._ܮ ~cW:~ ݼO4,_Yb1>ˍݯn8Բ"^7ؽ[|?DWuVݘJNm.1oue7^kiW' 胒םkExaMi{G}IC'zԼM9'ެǟ%=|11nWmpv>ײGe9{O <ܿNi{^ ŷ⯮on1_ݴOegtGCj_Oʩ.z1WG;, 12H D I{, Lm#%d|?<$B|NO- d|x"(v/pÃ>^y[F(S>vkmţ5uϗ. g\.ɯ?!C9sYsLݫ#^@q>\ j4kYG[_t˧Y''F"CsX*-~r~P`L~q7ӹLǹ^|k @*ݱF;+yɎo+ ^9BS'O-oL?Y}s p>{sc ǻYտ`UOۣ+~d5veoˌ]vW9Y]c[]|Ǔ=٦i>M}Nl;G[很I -`KNy=y~orulftEʊ 5S?tvSb;U̿In+^ǵzތ|Coyys> 'ܮڭZ8w[{2Ɏtfs6@%QH/W/)`ljg}f߆n)(';8ny$(oSkKnh11^$@/5_g^qq;=km?guǬܤ,.Kde 5ÎXC[p2Q<ǯӶJ 3j%╛OS zkuB>$8fu|7xŊB!G/~۬Kj~3ٱk,w^0{ΦO]Z|cKޏdyn;xsvoZM3-xߝWk[@ ^C2Rc/7`N:|1,3z&^W㏛Y#KKSacK cp2Ֆ8VZC?3 @ Ϣ>/l ((!/I#WhGZP@c*(TA@Dˢ>/mRz^H@ $ hz@/ǭB2^όōx+a=V\%%@~@Lo\teEb2fv-\^_w߸s7M٫KDc1}_i%qr;jlCpOR)v^nmO~;>~Kvmq'T9riRyL?nt^cpKtom2G=qVYcZ6ۯO %VN5t'~L'lbjbY`( hT^/)`mnjg}f߆n)ZXu*   ;o?H6QK@o8u6: >S;VU|/Sv);GM+>y z~f|כ_~3[\DR:egA Z{/1׻3O_^F}!D #@^s{5i--kxcciDe̓$͒KO9sGx'hG)U\F8Uw$ YGQR(%%?$pJ_T! ( D L#ؔ=>%SP$PAP ,a~yzFKxxKGqZWXՔcOR# ( .%KTix38Ҷ|YJ]3T8rOziz8y]|ӫ}v['W<){]z)6{U^w7ƞ=1+ ^ۻSwz5ʯA~\sNQ?]'|mOMtDt~?{-UuM]]ߔ%׶tcogm_g'7{|+gۤǿmIyݴO)" /W/(~-p^s_ic瘨HIpZ[u$G%E~\ps/F=6ǫy^8#T+')97)7om33_ZV+XұB,ZmdoD00ჇN,8q󤻲|dVqZu_%4z&-HdQ "+7څK=oWOѽ=.>M|w1ю~/S?~y6r!oM?&'6n/Ou4K:5Q.; @Ϣ>/l# JK~1qŕsTg9zcI-"'si?z7 ۵rup=3mx _yilT*@'o=?FgҺOpg٩uZ97ɖ~\o4j6 DhAC]GXȨ 'Ď ^j@% $ F,!&]{lRt BԢ@ \2k621P%,c^ _ʳucscOR# (1MW}q (QՋFʷgX%W~D&:t={qNm#z9^^Spn[v~N$DmQ ļ=}M|dzV k>Cf}v 6ܜ| ʛ_$sϿ"q':OzfZLxb-qk >}u~_5Mz-~5r}߻4Ofԫ鑏_6c綏~#zqƾoE7:ݏkcV ӗ7Bތ~Icc%g|1ln+guS;66[q#}KDpNT(oSkL ?mFGLW-H@ oYEGN>}yO_2^?=?ϋ~(̋eQLVmwZ-aϛrinHFm?a>XɆ-'G[iՌŊ@Akd,\yR 'snvs֝]~mϊ_"#HZugdcoBL藴V&gTjGфTW-)_3kMfzъ@cAVS@gYb"(O8%z/ƋuEP4AN2.e):}G$ 4 hP@kUd-ԝj|de,kB2/6RM9+liLz_ *_D|^Dg{6)umPMs/Qrdtw|/)}G3WE7M־un^E'۫V5=<- en[ݍyPm}%n_m{[=q|3tOc{˞\4wSvoõ1^oy~b'z\̞LS6BTY6 2V'?eq^cbvoN5ULRPSOVwf4M|n>ug#!&"ޏz3OvŬyctoSkL ?mNGLW-,Ʀw7KiϞi7t6eto_dY|ғ້w>s|{u[l\tyh ]ME-z^D8Y4@AsZS^{gN;kcM'Z'K۳46kG.|[ܙK\w)V"RPA"R"&bm$kDFk6f^creC0%7>pA=m4O9;v,ɯՖF7ҽ/T/24 `U}D|^e!R*DJK~1;FoDLIʭ:z#ƿv^M:?SIQQZ޲ڷiGj˭Kםm|}cǹw5O*;Tsyvok13OF9*~dDOWI(ngSN;ȮTχ$sm)%|"Nlwm>vmS\I诪u>k~ۋbz&wOq_˵o\y*w:6"+qopmqʷX}vǖ:GSoSkL!;GIh@W7TǩK|٬~(kx6h{Sx@$#omq̯z/łf6N6Qo~OZ^7YCj˭Kײ_yy/=woewٵxcS_˖o)ϫ=(ܫy?]'Yo[mF*]5W*l^BWnqN+'%n#|3ڏܣs] }u;sVk<q4<y:u7mt-,^n0~e-./>'n֙OS6SK@7.H*%i._Tu{1=3{e&n2Gُv;uwlWހ =ڿwbuLҕ܏9[Y|0|][JXU͒ξ!O%&{8gI%2i:nR4e}.;ŴcFJ.Ǘ53p}:qg)֓Fk?uy[7hw{\c?U!橿bUmZ1!v|/~8"+zqVui=et훜reIӬ x٤Eck&>=Vƚ#9zw߀f!Lukmκ_g}Rrۼ#1QF,]%Z*Au} A >*Ƞ! $%t%?$pJ_T!CDAZ]{e=>%R(4@ sVׅ{eH%֏FFլx*(sSdl_iGjdk1>m 钳_ hlh$>'n֙ORA~Z*pO&.fy\ӘޚGO}r>O;̝~UxyIɹI&mψγ}kA|~bk"km:_2v+؏z|\:ٰbԴPe) M2FFUh.??菋,P(H@ B@P @e$pJ_R("@tGR H  ƽ'[׊e[>2^2/ i5d0mh K? DK菋./x׶*P6^F\;٧= yp$izż0݃s ֬G)nq5uhyY"k=Uo1{zO[n?s+vmlRǷdyY~I|}]Ԛj=^ۻik &4Ҳp1r[NLy[6{Mbg?h:hӿ* ы:=øFxⷶ=ݑ~1<K2<"aIקo&M>蘞&k1:JB@>'nz~kė?:zyKu[mMgޞyW+ɽٯEcޞ{{ud[+|ӛճsf[ͭ:̿TmciZ۰-ܲW x>`Y-:CF=pm/cՉExG,Wg,ίɒoiVF( @$y._XL7e߻>q)p2vR߻Tηtc s-OqRV=ns9j˳Ѻי{LC|s:uđ[~}%~'΂y:[tbP^1斋;Opq4t5Kfy]Lea- PK $d#@@D|^e"@ *@  (JK~1e,= Df2B}+fCcH&=//>/l"B&^l ^k(@8{d{5s<%t#Zs^ɛa/HOۛnKDw8ǒuv՟~]_ӒKls}=}M|=>m^f}qx>lV`Ta٤>VI3ͷ*mi:3{5缷ye'}N ]l,b"Sgی3J'&O6[a qEfΙw揮a|~c?Gէ'!kE޴ߪO|y=D L'L|0ms vmag!"l9=FK{kǢ9wѫkcYk1e[twoo?ZqF:GG{s#)0rb[| 3)w罵o_:puH dS@'@EFp#3}f3~  Ϣ>/l@@]! zO'END PEˢ>/lG~A"@@rk/RuEMYI>gVdmP$'~iNd641~'}{aTL)x^(0db̢%UЍ~5$э&;9Rf݉On\ҫ{}Ϗ>$V|đl#=g{mڏ\i/n۳%WrtYMsſGh4o~ g5&[fpȍq4m;1n5Ob<^*?t~ +{cfju^:q'SN3lz$׃]})pxs{9bM5kq6˳wmѳ "o|nڷᶑ2{^?5^|=e^Hsʏ% Oݿp{u<gTjx @IAM*:FgْfY.ÌyNQ:C$T!%} VIULU("JТ4)454 J@Ϣ>/l^x+~4:hP.AQ(H*B[?ԝjVe)yFQ:05ц#>͕M!ǥ"G@P t2`J_{`T@*$ݻٍJYe]7T[ߪqn6|c_$ϛo0NN$1nl۔n:ƌ#<9Z_=[t㶝eі=y>~_V!Y ӌ(ӟG`y{W^=5~gc {3n}ceeMtg$$)T/r+bW}el|z)cOT@}{`T.&^l ^l @"HVRQkhʵbm4鈈Z}GY_?#[lFMV23Fm,umNj'g_~c膽}Kٵ?>ܙ=wm~>n3nu=yÍ[+O '?"c鮗_GgtycףdӟǺ=5 W/ZIFLVh|ykڥޝT}< M%v7|H\jwڻ,üF >Mc )UXwei,b*  (8d_o㯢ˇv}0[Je谒eU""&)@У'oA$@@wJ@2Ď_A` PA2菋,G~A @P'ܿ/RuO[qH(;!{e6|Fuwc1@O@菋t2`J_{`TE YM. ѝ)zfDF !}YH+Gb pP^}Nj}5_ZI xYݪZk=OnNRÅmϏ6< zhs=k'mHǯW>;MIݲם.<{i>_&f1xO{>gYWpmݻSبlqG.A{=7z^v=k'lvUsƗupӎ\yFZ~W/.~`@@(@,#Ң;L',#CA4 Ip,HYA@(D_:EL',H( VC/UufZ2q2hՉeRR7EsZ +hP,#] L)x^E$1}_L}3[p ϢeK~F &1rz :6# s:Dcr+9gU(OTcjţIa/jN'ۿ݇dNi׋-#[ROQl#=g{mۏAI߱W5n:<]kLZ󽃖q˓7(_vbg{3.fV#ǺU|> -Y0j2j>b_rbcvWmGg5fڏo^nrNlc\/K_z^0q+GϦ:>`]r%R*4"BPHrh˩:bfS# T_v> f*aȚ}蘖J G g@eKH))qfmqō\έ ϢeK~F F.OE넙ў1QZ 3-WB65R]KV&4 ifaMךucKn|z7~M =G|#=gym+]>~>]_>>;GMlPΌxB_Gz|<=L^Yiz:#ҿk?N8ة8GNm,<#[weks?jtv<Vٍ~>~bӧfzsoѯjOW.ijt4|k|WlTR|1 sm[uZ6wׅ^rіP,lBiJ2] 3󶉉V @NQ:QG€_DۺYH@P@K~2ܿGZgм^e O T4"BPH@'ܿ2Ne?H(RutQf4#0t RcU/j>Ʃ O@菋t2`J_{`THrQf I9Im2ZD*b^},u^1wLΒRr1q*>]5Q?J㌓FoZ5~DB%GRP /IȻMp\ִz_*D|^ /Wk c6eࣛ} sv⡃`臽e#zknZ GeKN S?mJ~ӗOrB3K^p~kˆ#KZ;79p۵YN_tZMjz}i55~9fmջ}b2G}gwoVUuǭnS+=+>D2jȏMrMWC^%Xѫ6>&%(EO7h_B! }n蔄$',HJ_R(} JAQFM Prh˩:bK~3)R(T,N2FȝT )XK-sMxp~CmoU&mz,#*H/J^6E׶@$Lf *9\[u`؀'aVJ],vO@=#,2sw>l{p)zht.:Mzӗg?XO1m*_G-V9oq<5+"qn~⶝[?/׏z<{>$?^OWFy7żqcyo9nv߯Njڊs)p}>⽓v.mYiyۯ8m[|=>f.\yO=,y>6 %f/skH<}*k^K?/5~;mKO4CTzy]}1V|Drd,;9m } ("@H@P@ @K~2E:"Agм^ٔA*Dhh@('ܿ2NVe)"  Dfxtz"t&"Y\k~VlZpM>gk$@.&^l ^l UsKa7qeG6lcTŘ FOgFxG smW~Ycz}GJ@@(oBʬEf鲍YPA差v[|F qeӓ5ﴗ$<+]'cgϷnߵ^c)|xݱădc4 K^Ixۉgiӊݯ4=[,vsӳ8^G##cQʃ\~,׏VqL>?kܫk13W<7R</wM?̎'W^SJp}M?UZ&5zZIV <254|>}5mvϢ} bN[|Ksl!+%GRP@ e?g@CT)z}GJUT@~4^TĎ (lPWGPFQiHt25)Y4LK J] L)x^U\&xgUs}3Y(UL&ulA 2ݝ$ ` wՓ/|u'X2tO{}U}2W>_lK[l{=)_MZ ?Q4xy^m:G?\\o"~~qKD;ҋN+i_ }c \ֽ6ӽ=1w1w\7.wzϧ=<;Y8OK|sݎ<-ӥ˂Vu:揇/jm{D9g'tO\#/{]Sh_Dۺ%!@ @!+~:E@L,A("AT( >~13@~ eчYe#ET-0kQda8nte!EKچII.&^lF^5UeNxۆQP]c9%\cjI4@PZ0:;&tgq\U.爲B#? PE ke^,f:OK 6K@@9f-YEs\x,^͸n>+iwY*^W~bVAz<xo}f>`ܱm<^v.ȶNc̴NxykIy?S~ݶǫm%-'wsd=}-k)YqFkX}^cӶccy꽍\o{~it@Pg쯄H@PAHe) ^Qւ(@@%/YH#?!aeR('ܿH&^BO'FVGFqe ^/޿!a,yz0?+,q }f.{r.*Bz~b|x>Q.x|Ru:>a}%~T#DNԯbc|)&zV ^YJNOD 34iKa7e /,"=>BkT|+jJ6y$RBQRZJhΚݗekjrbiOxKط{/w{~^彼}/ou}e+v]{2<5IQr>{sȳێ'Wg2nN~/xt:wZGo]9yf8z\m4̞03rt0r#@T_Dۺ%!@ $tbx%z/GZ(@H %/YH#?!aeS >D2O+(F^Ab1JG»g@WGP ]( /xx%|\kDP %&މj YcOv^ svTZ% 5H_sYH#? U# euJ1#(ZITήHA2WuXZ;ou[ YI-#9, 3>h;>uy_4>j5ݟuGĬz~3=ӊ)eFzkUOx7{cʥjq{ȶH.ɋ߬Xlw;Gko't0;_~̃űN]q^ .~Q4yފ ,/]4yv:Li/  @%GR~1%R(@ e/Rue?$ (+(F^Ab RK#8(-_PxR8ʄPJ@L9xߔ++^'PJRDIcJO_+ *IpK@P/,A("P@MhӋѕ'U{TZxх"i"uiH@!3fXl3}k13 3:Z-X!d%]Sip4SL1Zbu/vgx=f&S'w<^Ż>c6oi?˫滟l;7dvlhp~=/~2>ww|}Ag'طr%R( A Q>zT~1,$пۺYD@!/j TuEp r^ڎ]˵ ӗK Uu(!{GUi*NԬ]"@(#) e?)_: A#)z}GJP*H$}'Ze)E z_PEK_,i>]p}Uh/nUt^GW>;PI^?X4} Mx)S]TK'xOU0JZh7^T)6[Ō_eTZ}Qm:B+ k) @@R @(P,d~'U1dI %GR~1J@ EHO~4^A3#Hw ("/QP($_ /B( /,A("@PD# $nQi:$VPNG  IHDR5؂ZsRGB pHYs+IDATx^Ydg燝-"˝ɝ ClȰ 6dҌi΀ajȂ-̂^gzbLd&ĖdI&qy'qUU@ @v QB @F: @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @h@&B @ @@ Z4  @ @ZDТf @@ @ "M6C @5@ @h* @@ EP!@ ` @ @E-l @ k @-"hd3T@  X @((ҟq+gqUo @@UERQTQ\FEe@3͌ @" ^Џcʬ*8v" @@E(VerD|&@ @CyVK?H_q>DQb @>Tī~{(ǿwrVkO뗣w^u @m&^u\GW+0ǣhf|Tż?H$UQi,2Q׶]'ֿ5R۠9m^u @3#0̝0߿sdI|p~IttUY_Hx5: ˅J A˧?zx䡬M9' @h5M*/^A\մ2c>n;`wf[K Зn1 @ ϊ{YVk" R[>xF_t+7ndP:4m|N?UW-Z<z{^(<(V @).XzO:e$E_ϾOWxT"UX MdS+zG)@vSm@(PPxEO Зx14@ ψ~l:{eٿ.~/Y{ dͧSEVt@ٳz"$-P'+eV,,DT`uY5IZ @RP@}r 2z't_xܠ#ۏ<,q™JQJ^ P!O\Y@=9#~P P-,zy&@ z 28@ OFnKWv+)5^D-x|b+_[e1JҼ-uo{ztCOȣkoON5G0-Ğ$>쒬p;~VIA!/j?V @.K\9TTJOڿK9Smݨ?uIt|C^}+GFkdie$8KŬ77-,yKW%-}sY`ES~]  @P6@uTN,{vo>_ۿJ2Em:wgn;:Z^׏Km%C>RYĒQW 3Z}ۯR+jAW|!Q?Pɀ׿ZB`q#5P8- ^ @ %&P 8N|\OUWJy=ۍ˺wZ!ohG}CGGݥ"YMle-<eJϊ* :+gȅb% 5io|U/i[SӇ K A4= `6%^  @(J*N(~k?ݖ_%K*M0<18ջ'<]NJ%tlNJwUJƾMTE>G'v{VZ:U9M  C |EV%ߎ6U}H)UiS`JGAܻQ>ܹZس4OӃOyjo8~#ھa/(`iDǪ 8M~~s/v0M;j!?Ô+Qbt* ˰لa|3C @0rO9nm^9CM$W|ϋ7~ޕ5+'N[G}ѽCQ*wVJ9Xrk?N8}( nV%G3$I fێ`kV <'B Mg3  @p #X5ZQGy8i^F{T_V ZG^oe;G;t||d*?n~[)@my:~\ ~??rtf(NxƊM֣cW_('NQg,l>_5P @@9=_hoty/RWkYtGN*6 Lgu Y %(tۣB{ʸR}9\TLlw6ɍCO=ls )#~/sT& e:mg=cŷۮaf}NPl־;P3P;7 ".} 1~@ /2e\vedj{ѥO~/V{wFJባL yjwyoOy4 ^ΫYĞkhhϥ𸍿^=v.HIBnO(ڈ-g6I0#oSZ\* @"9͉n]0$(/?ɫsJ~sfzR2S@mwVW6}vq|g~gMڛK)i:N46N`/Uuλ_?i> MCMl4J@뽊IDX@9tA,\k  @_ 椗HF_;ճ?^at꯫%ԧEzFvW<+O/yOk.gQ^$j-xg1Wl>GiA3eQwt`UA@_F8L=<54@}{kf.hys @hTb]7:kh$sH;^,[nj;wegP&gR.2՜GDKE't?z fI@)E&\ ;=!xA |YLnKqj__^&ⵟ&o:J<;VkUdeg N/|㷮=x[y:>޻U*a5[\TOfcj&vf̐_$<]g- z86bٯGq?h7[HFB|ޖ;@HZhNk=Jq-x X[U4o_./{WnǒmdךǾ?ΪNܞΕh}W'Ouݪn +gz&>&&gAM~Zڟ8_Uf\.[z2GcXB}:@` | XNQ,W+gIߖo_L Tf/e(lyeH_{UN @-&|*VP CߍţDCl@xA ay< @dXI f+E6nGfO;zA!]H{T5?Jx));CU7WVzBJڢUruEB(oy_xEuiz@Wn 5%w}?[>]މx1c`qF1h ޙ @ {TU7nt\qLW^w&NѸN0SN,g*#+J!Cf$,TYrlCݥCobwB$Olph$Ҩ;S ?0S"u0:q_}'(%m: CA@O<8Ȣ<OesP@ neQeґڭx_BO?-z{deRtDK8YJ|zޫ|/8L]'} _AƯYixW7B P}*B`*R'4<7gV  Kb!(-ϼ'. yAXcԥZ6pX=6>Τ !@&IAkʕ*5lBk6t)g Ʌףt|g sk*޵tR+VBu!"a;^Ya.f3^@Y"HoOzefO;|ˮ1&v?E&~ҿ1f+R^9C~gEWhʘ56B!ZI T0:߽nT e[JK؜3m͟FI/A6 ?@iKyV}2VϬ8.ey/ov4=xw_=k*/δ Y8_^ p}s8GIgyXYCUs+e/RS 2.B?0\_oD)XIbb"vLs`e @c(ҭ2}nʒT捪U v%{Lʿ_εR~=.s_zGPm."}-?-;64LfΜ!߂IbE;R(scTQ 9|ʱ(JfY3{҂}1fѲ^+)+~'WcތRUaOM WO$ :D#HS%ON|2@ &-\=9@+'{|ϢS?/ݺweǣBt)FBAjrԋzjӣ0@Zi$vڂ~m.46c;ުӬ"amȕ6 0zZ,]{αQx :37{XP l؍l?ܿM"@X}@\+؊MU0Abǟ1[gU '[ g"`y* @h-j,zQɍ W[QpG8*[ndydJv ź!ݺvf3]J O&4 pPe⨧䙻d'p:](zqu|gj[ uqjfn<;is=~8Q3Tɮ嵸@jb6.E-jĀ4&Y@־8 @m#84QݾN~ھ:fnf*LNtB|2tഈʯ1s/SrPDVUඬ鲜&'AL[L W6JjU(Ks umoV֏E.Oc_ní(LȏE=|74Oy;6,rmҿd}72G*뭏(::F&BduAM!@@QeʈՓM]f[Yj-|!zϫw_LL{,cEUnc@ uvm/~^*quM]eM3Cv/%-Ӂj*sqwEwtΘys>o‡BϿZ':(s'"{܏SS.] >V" Al9Ns3=P?vShAu`~6 | ʆ7S*UG U5nR(s9y8\koG{7a_7C>:]oi~٭SIy-Z3 ߍP o@W?‘e';RBwg/[`+ˁ/*;-)T0L\}3%~b@!$SBfV0MGǤ".o| L(9Rp +5 2U ON.GyWߌ8zlISj@hF6p^+3ks<=)Q=1 _e7V5̺Y]d(ޱvadkW~?x@lxi;*&rzQ07^jMS8E<@ eu=v<ʛg뗳z3xde =ըw\Z;tb~MJlo~ckڿ'l $_&h6Wsu*zsZpmN[t;J`ϳ3zc^>뇞Q񭯼}j*%rkW(84 _?O)͗Qe3N@ >B{KK>zw_,o^KfHWǞN2Xo9rt+qvˏ>'z$/%fUQ82`& k!Ae.Qw",atyBupm?eݍNO7ѧvͯk-\y|rQգ^y{a,aYU-}_N]ua#X&5U+%1lP@ /.7+ly-F#v׾'l'hCg._^<{6~GSu.`&Zbeq/o;~$mZin2a?[Ye|p߉4$3ru,DD.7׊}nV㍮_"Û;m2[P>v(nRaBqo%6S7nvڑq[-ŰP{R8ϭOat' PCVKSmڥT8KΑko|t3GdWQoDiA]A&?nc5A=>@|qo\9 @#@`a/ WV~Y\$R/˳/v磟0y A$ [vW76=9ʳZx`(Heڡjyt3kW{e4̬+h*Cv])V 7>{4Ӽ5Y6Yrղ,v>r3Q^FJt>fa}t`bG N4kUm<=}yqy؋uˡUŪк; @n_ֹ2Qї&/o?׃:.)<ʖ 6ڱFK'O.WVG(+m4M( R 姘?W#r~cϬcmes<~9=k?^Oew~TCւ(P"&8:(+5:iͤG'O}:t_IRBݻHd,;\/ted2w4[" U*JzDoƤ[kCn @ ORJdRvhnΥ+?,.4z';D(}Ҽ Wd?{;GN =#'WfWl]׿ٚ&5|/6o?{]ewKVլFZZ>oM |AKD±Uw?R<^m߈#E9Fi2X}rh.":ɋ=z"tr C}:%PE.xY5/@ 7U;U^޸?sGo]z#ڹ+[۲ZR3&eDK['<ъ\n.4KE򣞘JRY EiJwF5J3o8 $&Ee%Wv[urHwø,n_ ;J0OnPq:h{]Nڑw]~WAe/Z$`kWPm@lE3 $+PtpEyu_@FR |XV<拷^o #=Vet儸( pSܺ_y+yo4r5y߲u/~-׎=α[if?݈ z,ŅYVSj V?A)z~+G}e5CR޾mHEZړMR:靆$9i^JDZЋ[<~#7\o+\ѯss楊Xk^ScR-p-͆k> v@ # /j´. @M>yf8Ҍd?񸗏w^_OK窛ZͺQ4ݕΡ7yvFVvtD􄘐8cokožak/3'&3CTˠSO|oܷ"h@{e\ 0L0q8]ͪ^UZCp >xs J)⾥6ySQ=@w5V}caGnrǮj>Wo" B2R&iB?'qiKTKaAI_*Mm= چD\骄;Z^=O; J]!X]LqߟÕ7ݽw" Wt#4gעplּwo ;P H @Iw:e<:8{.V獟Eg//a63U!Tw=uS=Y'H\Rf^e(i]!,-Nػݗ#-,٨Sͫg ,wWr/\-؉M:IMBm`.'nB%q / 7﵌d2ƒ-Mg=i/yT-E'd-{¶XM<}Dk]tW *+ұ7*0 d<=r}`Ve=-zN?Pz$8d?6 0?n1_[H"j~s@e7^Ơ3sm_+zl-,-\-@P|\܍o^,^k^g89mVx/;Kى'.9\{KڬaYe{N590LvϷjj|b_IM0x`&Gϗ`0?*ՆU?yGo#GJOr_[Iy% |P2[K'/]I;\e~n#|Fxf[W8n041:+,xoSògkwQ_Y2]H+|)񋛈3?Rolu7iT]mS+=) tQjCw%k},X0uOGtb, |<>irh,/lw*1QIZvF~tl_/Y|r O3 2޲q/БcO<_|h0¬D[kӌvy|CFI&^$h}jMVXY2lj_o>yEY@Z,k *םsoW5- h&)!*▩ `9e6`7U \A3-ܰKM!ռ95\3G\\bFS'2 O40fQ1.XfgI& ѯi@]\9={HZH @r[#I]UTk+S:z`WY3q9Tx>W=Gc'DvtL{`d_Wxiw|v?n]M]{=ǹ5S? E6@n6am'R%:Ε.$A)0W5'`W<ٞ"|++ɬiZ'm~\N\7p9YZZ;>7ke|T%X~#{m~kCk!_g,C6av-0yaBZ'?$>MTIfE1? @%:%c0.;U5Y5,n\*/]<]N T̼6O2l9zS{ƣW_v<ɗYLfiooñ'k_$nii:wBOdFّns/ 6.H4L똁JRל;&4a[>`][(yO+WӋjfMEQ S>c dn-vT"TɭZobMOOeTh.Bb`rzLC/w8@ `B>\VkN'$:\y+v =&cc75tVoz|*ɥگ[T嫸y8Fjȸ֘uC&q7n-tꦟauҿ*zb уߏ rcܲ=eV]|kg B樊#S~[(ة2u2f=oFjD&rϔة+}+0=m5LVӿW~ܾf[ KUMOjUq@ןybW)dym~=i@Tsp+mNAfMH63޷=[! @m$ Lgǖ;[RݕkW^{R^]^.'ۗ*-:*,:s'=h)q;Hvxs%D`P&šڡ=e]U` *^`AL5Σ=MXed|LLnuvp/$=\Puw}RV(Ϩ'T.[ph\( I`}5G?jiQ)jVX-f[R^GG {rZBŘ!@X<ļfT5Iq1sҕ狋ooy{Zo_gcTK9rbMm~w%wVړKKRKܜȍSܯ3Gg| ӄ\ 8(Bw 7!{2}7|ᛧ{%mDb`]Ϯt+MqP]j$NR ޓӿݹ *R6 Z[PWv4FLyJxd> D$T㳏Xo_^@PXAN]N$~sA~M~j6C Q bbO2vwGO,=M*}CT(\^@@ \3ݳD£PuYh{3+{ǯ$z;w^{^j&,PYgcU˷'7n~r\]Pt|Ξy%M3Ǟ&My78~ <،YOk-g1p('jLHw5m`z#00?ˏ? 5-pXk/ӿMr!DnBKloe=?|4ظ4@C 4Du9epLJ9!Gy_KW+%2rk"u9XۼWj|W IِU0" AW)04Ӈq ew~Ȥ Bś{emƣ O03 Lr32~N\:TD 4ڴP@NiD,aabnWdqR`j; sߔNL~%03=BwNX_f+D }='01Abi@`E4Qcϝ0φ @(\Aspӫn7ߋWw.9ҝkIV7/- T.W6nz|ɋ=zܱ8U-%_X&¤㽴xu.-Íy1z+`7D ^4@m75m?\kpe~Ro4 p!.UZu05zd". PqL Rе4\][S̏Sfb.\xMtR8O`$~8u1J_ @<w(Tw7_ewVKUkQo88򡽕#vRm*WXONǶ <#)ݭcdc{S g9P~woO~0IrOk}@- iUiVӵ-ˍ<XLЂ_T|U,U *' EuvK(hȩn)@<ߺPgX P,X݄A Y7Q3Dl.Y &fk{7?ZV,hnB`B@O-BDcH49t:uҸ@ I@I]fy_e<+/%c`dtxp6fk[gMÐ-+.ߨ;Һwn}fc)^Q 6p{J D $6Ѭq+ܹ桧[sV~>;n]PE}Wz V7ϜѦù! b[ѓ^ eu.Gi!(8,!Q_?g\OF8ʤ5dp) Oɵ/*9$2)/ fP' E>#!yzjN:12 & pv"CN΢\Wu06?u^pRl<` I# ᘖV4 R!cfX`÷ |Vn>gWaBKAr/7wڿ=ѩMνPl]+n֘igYʗˇ'l&[:Ej֊>#.1}ioNeϢW8 ŝlG0*gdAȴŷv+վkC&#䚄fVMXw,ssiJ0{Q*Imojc E3*ʎ-<KŊúzkR;AOpׄ,OQz{a\M]bEšaȉ *5҃pж?/%w0Q+k6sGE/E @$01^֐j,T}Q{.yE>&.Dڹzwb_xf֬1d^ggGv?{diEMxGiI+? +[6Y=^:n<.<ܺ ]O~l] /V*Z>qSxTf=Q{ycğx|:i鍻R"ӝ&o#j?aVݹs>K~OQz:TՄ @->"?VYNK[q7@WޔK8xǬ$b#b\xSx<0^@!Qw)hr}9}7_.ƃlWj'UnOvvxcuwAoՒtҴLR [ʙlFΰT~ P7[$Lr{NfquJ`7*=Në+k_bn`~Tco:b#VEt~Kɚ$B`ۣ  Xߦ']?nz(3;I jQ[Lr hoK3͹j\~ PnLbO!nQ}M Ѓy6 @ږtT.O4Zr\rtG%J>*Iw#_qY.6@qVFQ#ZP)q<FZ)ƶy}a MD7׭ק9~7vq%(VvBȴKN>Ӯ=յ:f$q}g}IJujmml`bGFFoW &?*:+(ku5st [72fZCmTС'DBPeKDqwtu U~{Fmz`k^u8دaa/[d褐9Ap,[$vRZ} _lzau̻sݗh _6 CzD^!Xp, ,(` {@ewo[~1OYf̊=͕`(&ߏo]}:&vt\ytNQ-~V2Pcmm>wH=:;X|9qx&EWuFڮ)#X]bt`֏σ0,&]! 7+o]O\-ݮۏtnvՆv7sLx(qjyx7PKYW?w߱=}ݺZS=4[#   BȒnM@*bP4{7.^޽_798ЯRmƕYBW}Յs;Ǟ]?6^ZtYXZrc$ 9Ynǩd2˽[W; gމͲSBl#gܑv(myrd~G::sǣD5,էSy!}Iudqf5>YLMj~A"-e`Clt"mܩC=epzv[**<8 oդM#$Pb@&hP@Jd߹W;kkeo]|YogysU)JbR% rRz79# |zf44P6y֨fRuJ8Z۹<0Q2 {\}Q3Ҙ@(Rٺ֗f|& C P-찲m'P+.eOJv6+PՆw5A+ @Q͞S` ?޿Ȃvu""(5W0G>O|G  Ou#Zyn{LM821`uUo妊U@*1Zz͋շKoJ/߾ݴdɜ7D 9zewzGJY^xdoc u?K_{S ʳt 7 ^=)\+Qo^YQ*C4]Gy/)@$^Y3g'quŐ u=`\ _{@獀rcӁ!Kh|t!|8ڹ䝗w^+.S`;eVYmD̢Ɋ̱Π:8lxjA]yLUmtڷ^U,/&[aZБqꁟZxv_}X=ăՔu89Ȍ-~dQ <2aWB7p OQzurJF7d#ShU\"N-:6+3:smel@,Ǽx 7 ]|8i ۃ'Kt ;)A< ֊G&}TnoRUQu|~;5r!ftjuç$9gZ/|[98#OG+CaQ oivBy*UWgN#h$gliO0mmG|ӿweµI0y "GmT;o {&lpS=Xy \cޓv;ػLDOxcϱjb 8pSqG,1PS{7?м>Yv-MQ-<Pqj̃K?<  XլuT쏒T Nl]..%z<ȫbd[2dnwY;KKkĿw䑭'╣tuБŔuTָE_G) 2*[<~/h=&Ubn!&g^|{!}>p6юlmՆ##!(kK-ۤyY?Y Ї ?wtŢOo vg@2I"12 Fؕ{BG;~"c=\=8 ,f<߀4/^Py. @lPu}p\ʫo-m_-nH&P!a8$ ʓr:6X9_=:Z9Y)rC~u:%7TM3@b$3_=ش~I4aoC7Cُ4IB&#H?V'gyѢI6\frQ\D蹞S"zẕq=@kӻv"]6c% ѩ?w'm(E`Y4:M >R*~6i!0#L8䠷6\Z.m<<}QiMRCj~(b?@[zkߜ0=->̳Ϟ1d>ɫ??ӗ6;kkfi7k;=OCjSͣwF}9IA6=BpLP 4z+ϼX~4j6 esǓpI/&O9ib:"=-ݤ / ݊U=eiZtYͿ_D{dV۱W+uW(FPNdkṫ"n}O*sm`D?cn!_݌z폭];\ApB+A6&Ũ>M?c#D>gB@n//Q!h VCW".ʪ߽?]<]=]n߬\O{J̄ *Ņ!}fCo>sGxemFD𰗹zsO+3n)nL¦pv9N?Kny,Zj]xKz4+&5G>[iԀ%w;i7~uXkcsj\H8{yn~WhuoC3ڨ%8c{>YL B <*Oi-Zߗu6.ۏo!@ h(@~@,SYw̚Ơ-FDe:x;/஛uPcϧM TkKޗ'Q d-·Pz* z(.@4R({wXfezPF}+$筯" 2H,=O$_{BԍiccJV'Iy]og6m7G5MԼoaD_C h3Qs㛗[WkfWުWݽX}) ܺ+O(sGH׎ 7cw7W62O;P~@bwK/BݶƝ dfO#>ե )8Xפ. -iimTr?.y,i P6v;K[m?;Oّ"s)CgZh@lNF4PD(!vW'sW>Wsav"fS迼I,YjP0C6 T ͇6Ud&>ae+[n5qK h' l^޶Ÿ:/vsvpt.~!ݾc.~4 )E[3NWN>^;_;rSRdqu{ar#6QƧ?}$Rk뤀%~Eaթqgr7nև3Io}W^i |<9ċ5پ}|Uӵ8B_mrV<;Wܕu4| =}7ù\R8UmRֱf,Xջ4EʬHݵ^wM]-G%sB%,U(l̼oZLzn<>g;]q&6czz_}"::RwB!cx! |FŬ-3SI:ַ[[ڮ!cwQVxݝ{˪oKnߨ.߸߹^m(^dy^jͯvC}ꇽy&+k# V[=V-Ա'[ WQBH]RV&VN݃i(Ⱦ&`Az*l ԑ`zƞw=UȰVʷ_Go_,][l-9',ctPʕ;ѓڰW`{o1i[(jv떿Î^?n_dJς퇯GeMn;=@wRA ]ZhMtAޜ4f־{jQNi\a#>ۜ@ĻV;:LwgTO7y{Qܽ]w:7W7._/o^QGP 6raI*ƛ٠ݵ`Ρ'LJ_VӞ2WطmoQ,\UDl#`3INZt=?{08@, ]jƽH@ˎ#GxMKSlŷpπ{f} [ڻ[κ~|2__&Q5ah,to>#.:Z'eэeX3BO AZ2}7b's}| I X[`v72A/@2 IM;}N|tfrZه̓#:+k:ϒQ/믮o~U{Kޑlm HHlw>kc~}Pi[mL:G >:_3[*9胧ލjSe8w_\zF?n}Z$ǴW~z`gI }ё@W O_ၿ?Ph7>zуdN&ewuT fB=rDQ7v #Y zi6fNU/&A>)smYt_܉o{+յ/]:;}=﹣OܲͶ7ןzd0El-6wy}_|!+ҵjK2/l ;u%Qg-iDIj>%k1%*p0tE?U dҷl:S`wѵ@A~|~ 3ygh*+.:,ii3~qT]5L*v ޵jrBw{>)@Aq:n/[^w{ں!,EЪԢHh8LǃPj;:HA# )؝IWMBwyEb411 ~F\X֜!\pG ۘx |*$|~?r>@b)%LyǸ~q@7ݢ;j55f3Vvrs<-FYntJy;ՕN+܉o{hK9eۇY@_5ڑݟg(냕C{<9X_:t༻2,Yb:wɏi'Z/k}jE PZ~R{z}o ^=٢e_N3ME=c^:1ݾnr/]lMOݙ2s ۑXwk7w'y8ɮ A<Ǫվ\d<4a(Fx'W9yvkR-Isf/5t CR|g`w}ne0l.7*XXX;qʦRhE{gJ+7qFW^i+_QYLj<cþ)x?#^@(C?E 8Ss!gTY?{K23v۔K*WrЏo_*ulm&77+\ Kc51}Y=Tny;.+KƉf`qo}}͋M_%&ǜkb<`8tfDq׾F-Ty>0}: t[S +s[3y77 >630֮kyg]uflzJˤ֢"b#fv7*p>%jw7qDzuZ*6O$Wm[\ArvQ4Xzc_;vX:4JBjB69?ݬ7ojDz(]v#_b2|%'v=Ç^@A4'̅bkcf 0v ;VhmWFg oN<ǂ /7Mc>;s-`H $}Ǝbolaߏ/߼4t&s1޾ 󨿧rlr,eE(ˎIǪ=͓^esz~tw|u}[VtWÝj#C.8,!X;e FDV UG/OO(-W$Q~{?F2ۇ CjSqiԦ;Y 4QVYqg;ypNB| yPpy]c頓* Q~GDVIJͼD>Wxw__m.}]/\/9(ICQy,}3&PKvVK-Oݑ(UYO~by)8J|գ'#rPZvW2>3 | ϐ/˝w݊܎]-S|ONh_Hh~}Bbۣ>ߤlsf)g[Jn/KOÏlkk*˴ʑG֎8dq#~Z$ KJ X5?@ QU{b¯w2gGL$,:rD5_ř*^[O^Wy&|=t] m[}y/ QG4<8yG/_\ݻ;|vy5ʏ6aNj҇>(}oAOo+TuC##GK =edEBRor=:`>.BxSƚ}W?ڧ!8X(<%]x7?.y )ay+e@r?y$9K} S+8o K- iB̃~0mk}9y!y%T;w]uyq]@X'򕵃C嵢9W6'OwXa1q2|㞃ydƤ©}^G"0s09l|jAgx M/`q5/ c'S-Pv6w!}۵p &5Yғ,Jo-p&5oC·5:d|k۷]^xdJY -P'8.o3n7cٵ%ˁMPu֖'JsvHS_4کP?SIo/>OvdfZ^c @j&orGҼ[m 3yRU!{zx%XƠ7dTT[͂2t/7VF🪏jիɣ$|i8r.R9'Um?л"@=m7g/&~X"Jm'wFKj\7zo|*q^Avp3hG:ד+T׮$EJyʫ5Mzq;5F+xG.>_d@']>l >~&rjsgE {jv${f?ŽSml7彖!Wws F4w`Mۙ6ܳ\EIv`yqhh\[-ՎB^W @}jMN=vDkyF42teA ƥ ^aa^d].rĒGM[IWrhPq{dvݓ\;z";|Pj|jM&L@XǨٶ8әlG;no,뛣渳K#G,t?W4ez6 S|l.36CC>{w~W<{:{Q"O~@ryXj;/ y^-f9^wXKyXZ_-fnz7YtPF\m?~xj\^~^}ˇ{CE0䉘" ߆EUcΝW44[az (kw0%d' HpA (/BLv)#j=>_^34UD{xFv9,ʁ)3RCFV5m|!~/LX]& jഺo'l/<~29tLV7"m&kKlCͧ#xBLJl12eCz/p@WxtT!7ޜvxmEwjSlݎǷ/T/;;nM2-F]u3Ļ=r.HAܥΰ>n>PY,86ZdkK %>boOg~}:\&zH-9}wv^j$[ Ju5eWQ9@FQ,aPh;~*&c I6B?KF],kϐS-KKʚjdy:XuDE2i6\ݎ5% ݣx E&Pv&WU:ؓM޽VݾܹRݺZ܊~2DUBi{U8tO-tgM:!Jzrumt|fHnCzJ[@ְ>MR*Yyl'xam7]yDa?{"H ^&}CWx68wegk AKySOx~ 7'(,Q7Uy7sd?^_?~ovNXqs5 _e0lM/>fa=}.Iǹ xO^鱭2 ןd{/GQUځꦥ#ߓ}V_ BzbxX As(heୱvDf7帊 [ B2aQJɃj$Uϋ0.h-Ôyخus_W#Eka jOt2،6DhXU~uz~d` QT}i?Uu[8]sM5&Y\ڹYl$34CkA>I^\=||}wL~ϕf? v1F}uʻ+7sA]nTRI7܉oE;w˽vwV7Y>YԇiS۟&Z8]e.Ɖ-o7Rs[/wY)^V, E`cQn[|1mH1?Q9bvqoZPT*W"1OۆbCWzcW~M/o6!V}V%1_}%!5ϓpy^c\""[zUoDj/̳Ϟ?{FV҂gw,d}+yЧW![XX~? Q2NdJz}R7wd8/^p!K7 9[v_[Os)Zocj.En /.j5N(Ǽv j=S=J2;{a* L?ۯ<]` Z}R,xsH!dsSE@Jϖj%q7->ݽw˯}#SO.gQq(Z6~9f{h|l77s^vL›'nv|lf1HPB*rbRڲ$ F`T9^D.O<{CKU 'vkj uX[=wr-GJ%:r,>opdq,>6{kj*iYj ;fJF#+l "͹XB=7of"K7͵es5u_:@0ݴZ7Dy@`!y_k{z]!Ҽ ^_y3QRlwh&^e$Y~$8~ܾsByr~rva$J>23ҧZA]wݘ((hg\mݲVKkCjJ]u\,__TN?=y!%rz߁!]=8_p_$)@:|R-̪=MpiVp}%b~D@vuTY0-Cֻ(V -x=bZu-,^[ǴxpR[Az.GdX&A&׸ï4(]:+Y$TGsa|8  yjmF 1a@f{9'M@}眻:c"f!;)a}-َwhro{ۣH;{;` :Rwt;:'P{{atiCJ94-WWKˣpyspi=ϖΚ}h+27S5k^;Pik-1yp1oY H &.@w_X#%ùsOb{l8p pq\tέlaENH*R-wE'7j[[[̪!߿Ij<꧲?LL^(qL l_uW7?oT 3Vka 1Mb3=C#!l m_xf-{'м$ C Ϗa d< O|+_Wpԛ>|x͓}gl ~0I)~Gy2zM}s,L7T˱,ez c]ɲ ztgh[ʗVEGʀO9νe96§~s>Z{Fه/]wڀo6֗{ l`ACRxN-Ylۈ𧄟苕*{T 53‘onlT_=nhBlUO;'~2:#B`,{bx~}?O˲'.~hǟvcܑ)Ռvw3[zַo -uV(.?,famD=GWvZqJT>5X ׆)n-D"銎-YrGQqG_4҃,.jR:N[RjtM!mr3Km4]وףJRnTK+Zć'khhm%9EX5+w,MN!MS!yk8#֒vQk=^[ݮvӃw[N?`'&~A1*ȵ"==86I}HXe/7#V{u zFٲwVQ˝^gܑJDZMVMrY ?a ]cg|^Q_;j'7vFv{uτ?H=Hg_&rsO:rgͩwU?lǯ2|DB}̤M>e`9irvFO99VmOO>Y9lP繍i7ҕ*}'NTnE'AzPdl0V?o_{7'WVQf &s8~ o-?$(v@ezϫYϦ gctBpoT-3xs+7MR%j/瞯vFVC56[= D9A4IOY-;D4+J0㟋m*h#ԣjdc#^_zK򱸻햕d+"ěZmf2Ͼ Kƿ jЗ{ds+?Is ' 'yXf(\7j4]3mp1M_>3xH,A f9z8ɻ 3{:u՗9s=XG3] ae̮YRͪ!4\J9ے=7Fƣj4,Y'a?܏Q}Wrxv9]u:.V-gU Fz`2oaL6[ƣa n{jŅ5zGfb(SϜ?V_)@2ƴޯta03F7gi o?G鞺Ov}"*V |ϡ]b}Κxḟ)S{}h5S35RV 5cGZOn܄,;x UP Έq2~z[mP-j:+Ӆ &Y~rL_λns[Oko;.s{tå[{v#zh?Y 7Hɽ.d\)/9QU[c}QNQ 3k@kƙfE߆]jڸ,лW߃^g޶.O4Uu|6}d\! 3!: +Rz{/S.ȶ8L(-D{X[8-5pG'몉|jVh|f:ٞ8riU@]T0FCPA"m_Sg֌ʘ<`zuU%(\ވUrI ,$xe]ZVt}]|6Hf[*.J&v`"9)kɳkڢg%0-og}=xÉlH}O'WWnȡH6ǖnagn~ck(]'6 g>AڐYO[ Uɱ> Gs|^n l0)/d[`f3R"f7tfoj 9o5=LL U&3[05g`گtwkT @(m Po[߯vvܻ oV~-l TA[Fڢ>jW>aߝBY?c9 Jv)a'dY$?,&|\(S-$=6#rՏKe͊8Kޒ2x٬T6)}q1O6>sh7pa%L CGeup,r>Zf5ݲO%0ct0Xp%L@!hǢh5R}dǼ}8>WdgJw~Sc%6{\}|<}>w^k˂2(kr/;7wKyQؙM 6Z76*}ru(CJKQ6J;Iqahnc']wplt㱿sk͓UQp'|~\\(oCdnSS!L ˎxi-^u~V.>s+ #6q,?zCHY71J2SXS3H_f`}3,S['e^ !P0ϖ.$wa9Ϲ6LR <A l9ެW@}v6'y0f@*]G:ؼ #Pj~ Aj96jСh4 fH?ք)>l%^7hi0|F詣>Rpecf"ref݈W),+tš:kLue P,RT-sKjdtd~e}Y$]>03a`+ؒB{q[kwJƇ6.MZҳX þ ݸ&sa=^Qs[kRz1Lom"[4zb0f>7^<,i.ż2}k|sEf)x0A\h }a58(Gbφ;Nߍ͎W޶~[Tav귭k%fך]{ZvOsV6w]hTv;Z/$mzju?D,'˫}]m:no㩯뷯_ovL摩Zi"!3u3t߱>&Roff$z|bvh;g"&ڀ0n?o3<} &,N?w_ngjhm~*cm?ݖiԉoUerVINgwя/ܾO.B(}nZj='yv]g{gx#Ixߺ`j w'5b 2ݫk&,tNP^~ɕ^?Sfo̞ l+e^_?>~]qw~U_ޣ&'Y\ߨ! 0f#*g]%'yGYcS XJ )䖀d4wzpm`qHq `iDr8^Z$ k2+tmie#ֺZnwm.Uځa:%r4Y٬P$3J^Y G7q} /t$ol`ZGgdWmI LWYuj<[{zDp;E"[ۿAxca!nzr7o!;f oYWz*E]3}u~/uxo-ekU֫WKElj_pnE; u}1~ x<mS;ww@]+.}S-zu,Tʓ.^cd")vn(C2]' Q-UMpC2'oXo8 m2hewz_?ts/W'|v8._`l}btj >_k2{= -]_ӻO:T O=5!ֳː`v|Rī%fV|7N|@g=ܙFy3}?R 93Kx$| ܋hq6?CzB0.s/G@c۹:\;ܘ{7Wsoa@z&'--{یYV;r}o+FjM>006&P0jKحڟe}!@Cٮ\!>+f0˫幰fmAP@Ӿ,-"؁I03H5yYzu jT.6Pao) <e zijWf㕵ؚd" eYʪ%st;.-%Łr}=rKUǒ!׫!]a۳J_( -˗u!)* ۢ>czÙO{ TnK&Hҟ٘T oNjL;"Ώ(+{+l7פnQ&Գ:BZdS5S\$V> 8=9+EWkAk iNuTN^n_s̝>~:8ȴrӨڦ#Q4m={+zUx uϋJ;x wcŕ!$^[.h,&,aD뼉6Oeۨ]_TKݮ|e6 n)ELR] mzG.]i(8 76fjݡA[v}dyi}|s{t]H(W=ŠyAPX)؍3w Y[0=}~e~A;gz Bd{c<}0P[SOK3 ߯frqkÞ?ؔG~x?:sd>v<%N^艮9f@x|z@ުd|iví}x's]~֐>`N6kjZ|,STbS{7.讥wy~|Go30~ߏ/ sz){_F;szĀ%xq꺲`L)ZfO>Ur̾Yl7Ѵ# \|~oxHH[QX%^(a#`+Wاty==7XS5l߻V0O#Kt*M:(=//jQISrH6Y[db.lX-y``+@-eWSo ̄-˳N&|DFdwU* BHh Ĩa@^3kZ0VwVИnaVFB4=2URK*+]޽\^̬Da SO$2ɥDĂqHؐÝGV /JyxT"!SsAw`ɸ*NINI^G_*m C/{=,jTg;;r̔j6IC9-lR\GJr;I5i_i+ -eBٜeY=yAu~Vb>`21rQ&[YKQc!s#|x.=eQS}ְ{Ͷ8I{W+; JdRfr=/U0+Unv"J *q_ꦙJ`Hmv{XX&'#F·/|pS>"xl驳Fok[pBRE,,Y#FYlU֎! *m+M?[{w!أGNW#Z]<~bНb;^5.=>{_=9ꝻVҰ Z%H&0MrQ鬀F3TB4"9!RUJ po.`V~lǘaG/|=jԤϯ3=GBXqms?Q݅C܀ʡg|~ޕcl=A+SI?ewtQ6W~Wն|O_a#8oC)5 2e9I/(F:!g6ՉݶkޝCZ}'A~dSs  2NܾF|stgi> ݛHZF4V xW!jW/wPnJ}ԩce+ZJwx:tUMI]$G*/wZVI[b8(^B`j^G=&KB7*+6΀`j+l{6LP P JcBu~iW[ 響|M~Ёz܆NUǗnDy2 ,_<+ŭLA<ϊ".:׋EB(ن6& dsTTm0-C=3{.췏' 2yq̦[~Ll9L!} Z $ۄr0|i/F6͸e 5Ub:x^H^8^9~Qei^I2^!DM&<8@zƯ'٠R!/#E$vz;~ `^N?Jҟo+dq~%F‚Qq {  ,ꑪGHOg5w15<p[h2,3aX_wa#..<[rx56l=_UpbޖpBO5@ _sgNcwǘ]xWH=8W|"zÅzOčfSDS*(SZ|%PL )Et;ks'N)kG+졈||xn2K2@n?fj8{ –w\p U1< ϒ~rT vk Pot`;=]P=GYoY' 9.𣃄1⍳oOB L0m -Marm(puKX~P̀˗e/==+oA=\Ө<5ۺv+T߀1PU&H$gIq.IN邑(]|^7ED`[x֤%d0tͻ+\=\p%sE-$tCmBVR8bByq4ꮂ5 R5L3zf1iiJC+d1Sl~&je 76E4u͸ If %>oW77~YK%d;66!˨V-k%d KlTfd=fjRr8[ Zg =v y#Y l;Q'$ò!]~r[IW/xSl )b7ɽHNv͗ݽKkPR~ئM\T  E7''D=SOే&Y -7Xp9o4 }]o!+|:=klq aĽH1KVG+ p43o!]qg' {80 O.&G$)>ܪ[5'd@uljHpsH*}c?о^m4^݈]3ѧB.wW,Ĵ0P/i^Z6hzx+c ɑ}m;}4~%j^6)#[5 j|z :V`).C2)Jki)DZۭ0RD U&ϓG (wTč}TڪTc \& 紉 P* "G=B4c? O '˲\BY5`.?/irJ)>LA/'lO^|uƌԾf<4@$vڭu Q4q\8[)(o&_O3%wwqK1JSrF4GM#6Pv"smY"2yLߦJY"N o \ n{?, @廝εHKgß4Dnqynf.@ Ӡ1\o&Ҧ;YUFMDA'iZAZ06GN?`U]+}:X tu/=7K /*RAy3J(~Y.53Dj~E\DUᱝvw{q%!5l59'9aJd:?w![},5T)ݡ$ ^J@w5)50nYJnBi⿌ h՛gҝ;tkM^ Z&䐺郺爄`> oݶ2!uj$}9Q'#zьd}ǭh͇-w>>D'(`q<#Ns7JxWX,5Bnw{ខp w<RjrIgH:@x_sR`TOSo-Mhbn\PF @r5!N;oj=84YF 2=b4ޒ5߲ ڽp 7ZRJ:HN*T̳=K{X[,IpBPmernVx1P,g[7 ldʝKᖖpRCd0Aya >xjx x%{')) 'N0; g8eGqV[ lb: /m5Cr|:TU}M|ZrFˀ0@VA5z,F崚%wXj{'XOM*ācJj2[T:Ӏbt-0Vihۊ R]oK\ J_i ">>>KE">Y\:T2|+$<&m< A23 ˛ʾF*<QMՠn22.euETN.0v iKcC[YGz;q .lm#zk&B]4hŸh@2^kNӳ7 ]]Sml /Ni&޵>/w*>Ug܅Ov][%S?t>ċֻ.~4fqψiov;nT8xuP ՜z4r: [=9(60+NF"A{bH-`fvB"#Qu($7^1p&.0\HR҃b$0eb87(^Sq*h=.X\ܳ"]%=DžJ 1&.`$ lE(Ry$d{{UFҦtN<ˌ`p -ӳJ{vE+#(Cɐ4k$FCf1PoaND9Ad;(HQaBMw0<, E M.x{_~Qt^FG~XX{]go*_v kQA]GxG;t5a]OCmȓuB:LǚCC; Lo16ŴZ)22@P֎]yYWOѨ a;4/*#!B0P(m9t{@Z MQGL%VR8"TceWt(eOe.16)-i0Jqɡfdp1C|Z$-qJH/2sHa9;~Jlo< X{P*sNw,S*(34C'je 0*n9.ZNZ¨^ڎcH ln4Gμt-kwL&gQoePp?ZEc¸^RG2'1B Fף}ӢyGm UKs螎'2-G.i}^@W @ uKXq^q;]\jrB=*vz\4sW<{:hy@n9<͟l+AN2bDt ͆Oܪd8Om=~zNuv+<,0O8h>F;5b0N8)i2kqM*x˸bι޿bB6^~|}[Kw_]P% JQj92bD@aD,O ygЖW Yˀ_QdKd^BvUcw<{JTW=RҨ$da7OU}h*96V7}$t@/ wT`A&k͛;D ˭RG߉UdBcUbٜ ;8Y89TN-;ȄL >6 g'.XOC<^_8jl;w;4afUA_#jB DCys|]6'j. 1cP)3Ɣ=\jBh){\0 o|@ne?F7SN-?wwHa>OF?z9"0a{R?g{3b‰O{OŒBSػ?{xz\2+],y`&e(?}>ϦON9-4'vRJNszd Pyga?>(~8Gc쿎Ft˳U!OŇn `jXW޵Аo3S6_)oVGꁰ\# wX;.ŐaXuv<R̒ty]$ E`K^YP<8 ~D@BtToܡ1ȭ=BVjeEc(D?,r2i촶;fIZʌEZ!iOz0iBK(*j.v~?䅟#Бm0j-|q_P[гB_<{ە]2'FoIGA&t~ (('))ك+0(5}N$5TQP,]QzZmHT/Ja<B&2H)?  24)yKj2PY^tSǂY,P [-B=`C|N `$׋@)6Qp2ڸ?}^Y9%G)v #)>X{&`Z ǡd^fpUj9S+Wp0O+*ݫD.j~l +9\v <-O`8 zVC9sr'Q*v0 % Lw qtb ٵJ&X=*6o`v(REhRD|miYn $p4_3; 5 0o5=8rC%8rYihb%iX$$)JtUxʃsRB~`p,XlJ֝v3NN_y@OߜkKC1~DR݋M"\xVh!7'5PΓh\O)J2>`\Gte q3g"dL/2R`-L7HJ6(, R%MEsJ !Sj%Lsi:2[L++?C87,_=ViEߢ#NvVĘ0Bd0qhp4Pm8!+ Y+9᧳'LG]鉘өP1!")/ylg~֬EoJ!n((OZ0zp;#)WI #qXBHhQV˖G:]0qG%ha2NIBshFGX64!0 mԬ6f [u{ZŰJ sR~9&2.G׷̚'^P|ZYKO]DW% E['jפ o}jɲMcRA7M} wP3S}mG s6XX4۞lu)HᮏJkga7OŌj m{!8m[Op n (==8[К ݌C_@R9=TnxNcz\oj$O ھACrmpK_|& >C퀻XI{])ҍjY=N즤' JSu160:eSJrRrqЉ4kyW4a<ҶJ=#K?gc2W]=]eFC[1cL( pWJG[aq MVsA[8A;s XM*&Ș$4#bZ|87 Z! ک6hy0ʐ; fR fIa$-Ya,ѐ;ztKH\ #Z_t1Wp`RYبЉvqbKd<$IDAT!w6+(yC}%*&q,IG[豴#ӥ9C4 [7!Ͷ$e?3[S}7ܬos?ɤu,OO.CLzu0ĪI YCe'շ`0 A@2Ӗ۫=(QV,I)f]Hn Qm!>3`foie *)26>0&V۰+E,[)@鶙R11@]37v2Cxӵ@µS2rk궇U`y)R߫ިE5c\i:&NɐI\_v;2R̰ уbH/%7)[O"i:; y!897ې@rwp@_"Νgؤw_[|wS|0Qu݁ `7Fzvl}.;gpR/3@CgO0a`#qUn'8ϡJcE>ѥTaF>$=8&a)6 d;, Ӓۉe3]F,*Q*g;:ctiy7wi`\~ĉcvynw yyKRaߛ]EkL2 H(_ !4SXުiK+;C6jr TEE(BciY+"O!@=úK% ՙ!?qw')ʕVOꍨ~I;/[Q85qV@\F{]ֱ|$ r-NSӇ}Q)2 e0L6,]`gIYɲ6UVU@B!) Ct^WK`Jʫ \˃CHnD (8Z P2=vU(gxM+ZhZk, q< Ïb!Ɲ s?-Cgə,l(kuauDEle 0O <^]D3) ʃRN*`9tpHĂhф.bZʈ*a$UW,\;vW:2H]ErƊӨ!;-2]hh_y;Nt$j>*U9פ`~qS֐oWc7bF-) /w 2K#y$Z:UCQCv'$椼 gx'AأrΩ;mc\i}_o;xM0 fIUSdU5/Cg #ZŤ> <N !F}=_NˬJ(#͸6g\gkȁHU8hʶ֢nj#)$#Q-zjH& ʕ$϶3(mGp;[ k̢ol,T:iP&k{}+⚓FtL+Vw R}:o1.Xrc%^Zc#t~&`;^r(fpFߝxڸњ3GMl j!9'}[7wo͙dԐB; Jتb.D-&'@Vj6b9?rxսxj @(ٍ}ySS';=TZF@KU %0^|t%IY)KHz<~Ν*{-Xh&;r>=B{?mV/}^mPT]š?dm㵨ՕMk/<_݌{o022 .^)F9yC=lm`8Q?+QQcj^!(Z2Ĝ*ʨ֯/].\D8\Y* Y ڼ쐭NSbg}|jGOzoΟx?Șnm^:~xOvkWު$ʺhrd!RQŮNyd>p4`!ɵn^ܑe"l4~m-N?*6ïo6eDAiO kB).봷:Ab֚Ӈ8w 6o?tz)w7q)G`V>r콷,ܽFTՙ/ 4R%;Y:4h)d_8{fgs],`pcHkKKlu+[w: eܿQIӇ>P5d2a'q9a~rTp-<dž g* Z|߁sZL.wPR8+ 8q 6>z{VnttNk4&&*wȷ,E"nFmUCf=&?±'7n^r yn6Jlci]|0{* ֮ў㧉eO+ԩS߂).&~ٷx''{<4wpOc2W&)^f_+}kpU QL =voWc>P\7}~< v)NְM<+Xլvr[-ppO%S=`[K4u[˘'y. #o(\A.?'V^̿񏼘d8d!NOQ.pg~<5 7#?a6![[[E1MrL?;~cf3< qŨv,>Qrwz˟Y xBe耗s]_w{v',OL?/cS7mFh_d|6@[> 3Y{j!,<ȹ%o 3Տhc-)qhaά( 2o]_?xD=nuCg0{ -b@Pԕ*DGr|)-<" /ue/zSorBZTB|"",f.g,#M4IP54p=ͬDC://beP9Ǟߪŕ19nn\˕NHwS 0Ɂ+:R9(( RA $Mݝ;oz KӟC=| X`slc(?̒DfBc`;bFY Vn\?ƩGqO}fg>C*[d3͋K]οQ #[Dbgj$|}!J1JKWν\f-q4JW0~{ob3Fǎ³7,l%Yv(D_|ntPg_y|y;s/dyOjrҷ3x<(Eb{!oo8ҝB98?=Wj. FXsoнh(xwϝygY4PXX9C '1MV^~dcbP;pG4WӼնw Z}-ٚX)O?txF,^/:趾/2"{Q|S*U~SKl"3zo| ko~<:jfۻ~2m=ء#НNwgmi"ӣxvI"s<?'XESAYV4n9 v{cM\$Q%%2ԥyؑw^;U٠rbk[l |9T;;3<8nV3KXce"+ג%ҾC$+/+G0Š͹q2@j}jVkM#\\>F2s'a'Z4f&etRĂ͍hR)P%9]'cR dRVYj9^'v׾r>魠>u`P`K)Uޑ*+~'55xgYY_?~6L}s۽*PUnYigکΕ9[r#ԜEy ?-wnTE4/_NNܠo|٩*O*P)ړj7rPg׿8^ ;Vok)+Ih\>M<^r;_N'j:r@{*HmڮO-V`RSj{ P+1PEg'C@ݦjs\6y_wʳB^Ks96X:_L v7rQeEqt9AeRJťy}iPٟB8<{:frJAc,/\/ʥ<LF^^K[YRS2[?XB["&b-7P7nU  kjB"|ˍBSE^8K3|Ig;hzua9gqO_s1ە t)JP&˵kP/ S Qe:0 UT6(5i2ڜЈUGe Y nE a^pYܤidA׈`T0`Ǧ3.evi!Z;I+KG򠺿_Y` ͪsPTǕqeLe gtL KԖr>r<#,Î'D #qoEzcxGcǞ|i MbN'|hf`xCq3v9b5kG9C,%hg_>%S:&-,|_]Xџ/S?Z?>wg"OOGgb{,flORu1Oiu]YLyGuuTZ.Wg+4btjfi\Nwx0ԁd`AS}jffn~fv5,^VlASX9rgeSֺ$lzu,=e:=/fgO f̾3QRR ǙT@bP&g+kď6y0bOxP#ݪLSSWglsqdgNm>^޿:x~_ϤZ^Zh]mʅHѡgQ'v|Rjd{5YIZ+΍WHU3J`[[ג+/$W_7/dzG*w| /68inI b;%Zcg^W+"X3|z2owebnku?u5n]#9y~fn3{WK/FWN ֯& + Z;]?-ء2^:ӦH [zsKZ7b^s#o]v6V`Fz&~:JrTvU9N/z{_Jaإ@KgPz] B뺟iJs5޹nDžT'U;{d/?߿|=|B]x{(C-=-=,x]ijfԺWݘS[ٹ;^{C?oBdddgG/n݌wVֹ|}20魞ˮ"ػͷ_z>rk vQ;Ȧ"6>qYgkk;ɹod7$,~\tULrNi2hRJдvwJƛS֥x 8lfedˀ,Ij/7덷D7NG`w_ȷE3*zqj@xOa*ftƊzeYecFWŴuԺ.E[*24R߹V*8|!>a|~7ߌ-VXI}T ա,"&I&N?+a]Vs>A'u3޾afs>neξ)r8<4+1n\)㬍Ә"m/)fkfkot[8 mwڛioobQW^Հk+)$t{{kmV]~ʵ "Su @a߅_S3k`km@#mogNLvQ' 9xznaf~IFM~F!kP^|,Vvᎂ+kWP^r+͍+t 5JC%z$[_]ae6n^cw#\Sbe+W/vv6] dՍ*\_l"w6Wqq=Ht\+77 ͵2#׮^|c :v=;;r%)-ƫotfVo07WwU W/_.h7k/]v5@k.&66Y^b ~kׯܵ7ZkksڿʎY*.\_޻oC`fnׯ;p+ ';YVLXmplo!汯hVo;oqEZz}a8-/,fŝudT38ݺ1$6i_WzLko7Ο`3(V^i&xɓ:_N设l\cFv3[(m_H#z巳EG^H1=}/~u{_j s=PW6;BIGHͺ!po ;ͷ;W7Y?˿?8 ?=xW6"&lIjG*V|w,stft:]VPi4ڽs_^_S?;j#QiZh;:!8tv֗؊0_ye{PTuܼ S5R-u; Q [xgQ#˪p85)~(Ju{dsSQZ /Ў&m5c&3+&!ޞFq#|ozdg5xͨĎrDCn GR3}iߍBcIm)\`b Cꮝ$ Ҽ'ėU` wz&WlΆD@|Tt~?`|-e ! e.Jyw$"4*(w# T0ۖsjVV{kunA(h{PTwqx7^_9b)Ѡ(T\Lz/!-l|&X+GD<}Ik]\q-TKۗ DY˞?Kb345~Kئkrt7  wi/e,PQMI"?V\צ\Xܪw}5>&ҝդoU4\2lٷ!A)lT6@{xWjv&NHrr]bωEb@Gr0Z%%!OJ0M0;irȠ'Yw5O\܉EG)b$? X6!hKy#(W+kխ Q> ,;^Ui_oAU p\OYCPN,4[Li&o#ch6Eid^K@#JO: t-9iF BCewD$4 74eS+s Lr'pZ'eLL"}~g=jL:7ô{cл VJ޾Li`E$yiJ"OUHՈ%O0;C26*E9a]!K MegL7;Wm A}_˶JZz$"I|DI($̺1Eb] 7Q O9XHJخFl"_BEi-s :Z ې&vR9 x@_BCuD^)rI67y8")C'JE`z&L Byluk0_pvr2[nDO%1dmHVYD÷݆D@,U^ &I?#8->2k&+E OeS-`=(= e*v-=m;ɼP Ift\Hz--2'|-X X;)3Ň{h kL(`A {,mLa] x\Ěw;F6_ üc`1(~.I82xV,Rh<0yBJZ~jEk6~۱Zh 8XxR~*P|כ @,٢oWӕ)uzB Kް,-ؗxNW {OaJzL[ 5\Jm)3uxKJ!H&<~'')u⧵&Gے1Bq`bf5T_UͨAC*ţIBSivJ$a΢4D -{ɴ:n|T|ۄrb2䊴O[dPzSk6лM czv +C%CQv"aڜҵ#G;QE9h&,fl&> !c# PȎLR&̈yCh6#xRQMV>-$%N~ŋ=Uq-SK{%6͉uK<\D)47HTÈjBTXF~e$@HRgE!Wf Elqsmq[*k3h8Q6I[L.V5Qb-;,nsє1$UXS=ύ}Ä+*^ĔT9Z$|@x9d(V%ZȢ>M+]W&kshdvOrW*!TK~ e FFAZhrIy\bBkTZ7XШӻBDzNrਃRzOѻl MMXdºTrTZtFК#8vZi!PJP8 NBOΘԤu֤s0h2%ؓwT ]Q }zNKQ;l,/h&1.{P">C}m@`{iK6y2xnwC4UPdn3(K$E+OF˅Ij$BVX4b Cd wkdOR${|O͎Ί('%M$RᡇEGDN$?CHvyz P;*eK'jq;$ a 숄UUjF`[YZLJEye?0ߖȡcB)Ԉszɹeۓ$͊ jg^a5AyO>x]}TCâGRAh-ҟ\R?h ʥ">TQyhlEtIpIjaTH6BSEXcTJ" )zKO'$Z~8=CT&V67ih׳?]<&G%K"8bs%44^y/Rj8iv3!V<:v-06yRHy6@6[ <;#&Ja=0ZJKYabn5ſڑi6-E !.,S9oip'RL!N&n7oxMCܣ샵S-S,K`p2A$$5QeO\?Go ƹ:.dNK_kwcA,i0G9:|/C=%#dfC$QV+|`oQM1({B#L!#& B+f&סJwDG K'i(d0{WpKa)4 _t}eP O(1*HhFuc&ʡ[1U &b5×& XAFLz`$uU;5(Ao>|}/ Q qކk o:gEm[ 0zmh8/4=T{Y-ֺުѽ66mW00> PG=[6DrC,.Noo=å1?Ě%c(m[\bRۢ*fm CsbURĈ7BVZ#USȍ,Qs(dxiL )BJ|Slv@`fC^HpjȜs*N@{-p0ZX(2",X1D]o5]EUqbAzwFʠ@w++RbT9O%IG+¸C K2Q}#NZbLZ)B^T Pn*FV,,FYEٚ=1KkSA 6Zr+M棙qN.qBNLUҩxF.6|kv |ێ1^7.APzÛ@mb ]'6# ;} 6xpo{>©vV c=[ }vfbwGa!;zGϷ<60\8')** fCǎ?X77G^>N<|8*%/Is*]U: KGC7z}D.<7:ō989P-.=pj܂X흙g,";񓍩郇MN}q#j&Tqv<0ƍCW)@#, CGH/tqsk&{>~q>A8rѥK),aC jIerZC1Qgh{zg+yybr]#9yON}:W]=nSpgm4[:3?>YO`6{4[ [%GSvZϽVֺhш @y58;F%9>"`ej]j*NOuO>#1չ}0T;6n BsW1P6dYvWMz 94pGP R?0\u k۫M02Tz[2rmʳJ}` כ aUӇx`jDZ<D5+VqPJnu^'fYu$-ODU"`*5#aWe݈ro=,- P YPT bImRk·$iI aqm$4$s^vp# yͭȎ*5HM;H@GX MW vBwTOy_mGyI5wu{`~ӎug9(Ao ?ep ~ۣVw6ClkawH39Fj¿q}j XF]ꓟGNc;\p}yPN۹pK硒x\8m) ~6hPZϟ%{͊\8]ys3Ji2XS2+W\|w/3aŭ4 wD\Jb+BDJwX %޸ \S~wmι~MD@y:퍛/| vοnm\,ьy(`:uooeulml%,?2d=-cx;^7:B| i-mӌtqZLoxZޛU:Y+ۯ9{V ZY0 )~' {|$;FuM!ɷ㊻o_+~?i.,Mw ]9a3 V,8XYǕ4H{.*vj9U0ʕݒ*pP lWHYNW**~UD,HL&=lo e\}\S2>+ZV~&ڪ5^4QZ9v5&3KIs$T=N(OXh?Ɍ(>0 {Ch ( 9 ^.}w]}_B]\>:]m~*yg<>TVuדob_M_mUݾ~ݯ諿{3zij[_(}BϗIbP+>?o|/ .noF_Ͼ˽o}>zFh;Nu\RT*B,[!-e;sҦc Hz=%tѷ|һY7.gUAZײkkUk)):CT<\tVJ-'ٓ{7[kTQ3M7/"ׯvM.?^~5ڼm]J׮Wmyu;Ɗr0jRjҕ7Wǧ>>=ŗ^^sگ2)Jk[_B/3羞?·_*f LDjP .p']yq)E ݕuM?Q@_9Nyx~53llLO A X!va,"Nϔ۽9g*},ڒ n<ӂa[4C}Us{LO<&rߚKDA+gWi?l_Y1{oiUn(!,(W+Ie_V:Kq@YCf^-xMيԀ*'qsY)h1*J5&xfֺNу)S҄7Jӄ ODn2P@OS0KՑb*xuY`ӏvܞ>T 6(閲Ѻozj[U^yP0-rL|5kHb[>[7T\imRSjΟa[2H5D&G64pݒ*7yRT(Vr &RT*n#>7lY>_dNIk̚k8 *]~8oKqӠ4Q;H\:qWM^_ T&$|Z4n*^g7$haƚ9tԻVdGx4(5:k IOD GMDAt; QXU(Cnx8W䔷PklLٛ|}[ A()|/jD=H0i`I <}4 R+T$P/Y!f NHэ7jA++ >=- 27f|S Rwmg%%J۴NHxՔ h5m@*j0yXVG{0ldنU⪬+_$ca(%OԀȩRK)|S҈w5:QB. ^X r*[n%F:>Z8OؙϬB4l0LPs! xgP1fh[ +DXAx%ä3.}g,^2?_T<ݨKg;he1H 0P917є o踀w)͈R`5PR!upÐP(&hFmzBj$¥ 7O3Z~˾EbYZ 4 Qms{( i1-E=dr2Nfg=14@FKͿpyv i0Qο6YqAxr {h=_ĐҿxS-QP14@|3t7vm.s 5A02b&B l_B.ëfa1Q-iuݚ '8Ei'T)$'_ٴ0t&. `TR6wz'ahj 5e9_ށvn>7Ǩmb+j:o2즂eC9TF2b|+,h~*w)P46tq[~ ˥š.&`7d4}!h!2-tkZrM5vQ0-֠|Cګ5).jGOes'%nXuO=16z@:md?T.2M=ѯ,ܗp lRXonuL ;_{WOeӇ_MG4сOGЊʝ|"f~ل{}υNȌU]׍ ם-e~0>3;=խPk+u,-sS~4?TQqsa0.DUw,dNN'}Ok B5`&Q7=A)UuTg.Oc_gl͒HQ S#)FhW#2F!9ܵ KёO?2@'$u/vh,O7B9-SM/M];وC@컼'`So([Ū|X [>@J)ieױrAXѥuazM-u'¾óI~sPx`!_󄠠4iќwH:A/.;T)9[ AS-pXQ1|wֆ"B lxrOW#ްR3*|-2%D(R%IǐrdaZ-|hn^oxZ눣&[>l\rxC,xro "Ѻ[_:xllN݆m=t槌4GM*ܥQs& p!*g zB>Ns1_>?$2W!{iX{ǟҧF$$87؝&ߩl$̑?^zJǟV(z+l(ߧ;n).t-jT\sɧf%|0n#Uqz&ԏDtIg$!L~ğ ?Dd0aۈhõwOj&fMZ\'` Km1L nXYMF _(?Z*Xh2cV=?JEJw 3H{r+=凾[$T g{Mr 7-2:"*Zǣg~$zp-YAR V,/6Fy5Ujh>)O r'V"Q(LSO|#Oh?Od^_7Yo+W+ìҠ[mmZ]0عbT0i&[I (0nwhzxǟӟDѻs Cv]al^[c f(Bړ''~viAqV˼ <Ckx،-;zOC>gs.]?'yϜ8xVye%nkAq,/<=gCH?N sQN>OcO?˦&{;#=|vqi/~|]MdUSSO0:n3joa(T:G8*GiÅzD_̖:`{wI0_7G2Ɣn[ ,·}ت:+hnNց R$k|{+u+)Z}媉b3}p(Y"憉RZVwrBH5\Vv4ox\[2J<Хn5֍q/)6ZA2OQ"<~`.sW:-C&uQu.s̑ywm$Zܘ~e:gD{RR4sDIӂ6`/-<6ycIqvPt>bAmwĕAB[Hզ}ӆ&]Ȓ@dn00Ϊ[l&TI vƛG?Hd\.TL4uX 6ȯ + w_s7QtDT9Xn9ϥ73&8@1i ֛ IҦPZ64 F-yi|.|jzu!I}ʃKzVPL{Y\kޝV|ٝw$.וߦoalC;@]60s1p* FT@' -գ)j=]ZI¿yk:[d̡`ځ`"@Vtïm !CnANn<0"DΗ:ȤΉ$bsw#*#ŏU,Lf*覒 grS5@N=Aq RqhrEw^aS ab @j#O°vKED8WǫV8ECZQyyӾ)fTXw5)PHƺ&{wNtkͤ/UG(_Mo%u@',z J\u6c]h^6Rpk7>{<}-~S">AϚ{{ԗ0 E5K=Q e7>{o 4җOI1 dW(JT\Gg-Aa[1_^jņ_H(bS{PBRZru:2ZhuA~z˽C,~dVS* 6ʰE,ƑH#Qds64V SFL;Sd.2 P䋰+4ڣkVPsfObOJ]*k1JV|$HwT:Ԧ!*E '~3fsԘeiڝ$ \cܦk>A7jv⤯?K؝[{pYPXkL8ϔ)5i&.qutvwo,D֚1v_A}uE(z@LtT#U1E6d'8f1+ 6/^%IQ~AOWO;}ܾ/R%T*ÊE9[oaa@Ioί>pg2C f&#:^uS (@zPAPqX :d06&""t w1H!2(Q(jQLrs 3X< =`@rAc%1g`q]®R6cm!Jfќx yL!IrʐZ 0; ;>B{?o,"$cPd-[_\&tbgSN1}TqUVpg'6:q-uow4d}ёE4l%鑔(-x+^3}z7zKI@ u~S%&Se?%gը4cO=~7}W^Oncv^k\͖8FUtoՀFdz!ѢNLnǫYa7dIQq1jk:G8^(`f4wXF!- I8"%%26C .||K6u |?v*u"WڇzXi2x|t!BʝQ֩Ƿav_όa9/}O&}=Ӑ'uK o1%ƁDblMo =e;d 'KVEz*` tfBn!۾APnwPw2#k9 <'$3 8"PjܔNM-`9ALJ^FDi<դr1crFih2PDR ҏD MhFZCW\%M{e@c]r_=YS=(C uV!\E.@*pGJHreBfb 3`nQ>ByS@|`b2o9@ bU06u#E1oRf}.NE34G-W z9*3Xk<, w=a(G}vզbxwy91%G:FZ'xyk L*G(ώ/j)oEEqyWeõ[-xۿ_ytN/}ɗSϟx '_G2lԵac?| LSgx4Uʹy$?tgz2'4K&}^?jqclabʚy [į́5tN<۠4w(??MSW [frغS_G5沝Krν '/Vލk;.KZdgʌQ}1j,IUCK' ȩ{.n,VjdGgsLՃ%Xʧ ųx4\x0^| Yx0k\S(99l\"iiĠYĨyCq3Jtj0gLA4w<_d{˳Rʙx'CDc05k3˸}1zdԣp2#YZ7_ۃ^GL'g@Zl帖7ESͧ|>{,/^y;^yՌlH7+OKfysv8og\V#Suh26pJeɠSuy#A=aH2@SIm^IRLOerɒwR6ck7g%Ӈ##ɡ'##gj9]O'cD)?\F ͷsaȨeuSFc:2} gfgchiVS_ّ4ƣ>h8G GJ>(ߤFoQJW3D'߉fy#':^6=MۭͫϚy<5Z[>|֘6ޜ5SMC}>=;3Tm7m3yh=)צ疸n7WuVDR-..S x{֦t [BcjQ2T!ԵvZ&5k>5ۘ[X5olru=g7z=TOcY0sӳ KC%*9gsocќ[7}sHO7֮^76'bbiK$*㝭"2"Cz.붷M4rU\e'm4^k/ퟞ[&ס 3-Sdt1,Ks ܾ45-BG+oaiazyeff̨'^<3u ͵M@gJ5ZJf}$Yb0+W/)hɈ|-_>j}X_´ndXpםw_y{~jE(l8(JkqTT* K :6 F]5)5U\,l-iԡq`:\עI*,DpLGx Sn- z^Tەvߦޮ$R}tfyTF2$8%Xد9*Ԕ92u b'fu\&Ii#m\€h4׶I~IӨT+ A%V{W?c:=?gq:^Ia\yԖ(LvlR?;cJyjyG*ck sR i0ٺnoJZ'fӉ u+դA`̃rUSz/d% 2-KOК-)ӸՍR  }\g<>^!!)1-وۦ`%vdYM͗>7GLf(DiCY}3?\Ժ>{Fq߽MAYuv6'>*/%oǒ`ce٫ceҀmGU@$ZcJ~s Uԏ$8> VW).#Ad ,k?w6o;4OD(@6s04<~sY|z0y=?޿D9wcJhE֌/7H\? b{͵5 IGTRiH%@_ `vϿפd,k~4VLd6S__z~5'~|Ѓdۯfyվ EZG~s>8%ȢNj^^3˼ joo/3 >PTOu!]fAeȷC}ޕ ƫf`fhX(a"U ^`d Y_~ҸwbS؜"P{Rys_MĹmDKH+G1)xEƥz7^]_}g,x?7wǺDf]޵ȷQ~5]y " .#|o- z3APn@:d7$0P緺<E-`Y.2yq aw"KL4n ઉk AUjySRgJB۳u,C_Ҝ}jA4KMlY%I5z幬2OqJuUVXM p=Y*Z2۫-aauEUwWvJb(եt`|*yNV[FEϳ۽"FܲH9tЈ 9\7J+FWVdӕ~0GuNS"Jl ^U@z`cUHʼn3{>Ҳ_m|~#͇rYIWz* ye3W8/p_[I=lw&cϚZ'NhB_hf dpKݕ_{&^/|],~2j$XXV_Ft^JSu1lm;<]DAf%,rw/҅];u-sD@F>z{p?uMKѕ*Baeowyy9ȫT?@Jq0|b}sXlpo~-zm+NIfH/Z<ߟH>6^}l3_~~gscvY̮;SDzZT+<p_5ʕr{ky[kn)!r޸|&myࡅ*>w\_;{+ D4tF2Î4i),櫧WttaG,!Ȫt>1P;wnkx؉}TT)m{흵J'=1 6)8~qC_x^#8K$'UbX4+S3k7X*V7N_!Ű & ;tC6Z>>jW;o_: Pvۣ07_{ْmI&OlN͘qjoCHν'<-5g{Zh79z0Ͻ9{BwK8z"3{礙{=SDx뭃-//""<;7&(Wt;mv 2N8L̙rReØ:dK{gnl!3\|Q)HKǪ'{ᄆrm|!mq?ہaT5>!ŋo^91Xѝ܍ֿ(Pf䂟FrKEcdI4NE w_JY˷D##(p-V;u#:zJW.EIzw[mv@)g8`.鳙Qf0 `-v S.H-ź, acbhvwKgC8E/4j:WT > O݁HLjEШc^oX=vQSUӣ`Aޝ2D˦jܥ*hh^gTAt[F[)J>WW%!H1MzUk%9lxxĘ<="u}qsE,6u*xD'!"&=?I49)Z*x1׋fd#xЫٕD{Re%, `%ZtnK/q?d- =*Ie$VFxF[#@0In;ЛӨpUf*'>]{+Zs@&i9yO˷Ve8ӕ[kK[i>~;vV{ 8ԔVvwIO^¶&|bΉh}3'?xeĜ$C嶗 ITD[V?tZT;( RڐR҃di[a$z̍j72 EZy< z`Be,c+oBKmT'zp"^s Ŏ{l}Dq DoRZ;70c AM2<;ӴVQyX0ޡIotZCdy)5}J[guz.Pc~qvawǬ "g` 8+(].L'|ilZ׳K܀/VA@IݠӠM>hE׊mJgMa%9g[%ɹ`!6CKQb㯾~Jw0hjرQ e.XLo-PhϔIާ F(s_M>hgT:4@(:MiN. XY/&q*,M.} w//;@'q7M3δQQ1=wK mC/S4z[J;ʨT+vث=r̖ dBNR*g{ 6Tqqx[H “Q25kU<-2#e'J%#:aHo<,NY6MPBBI gS_dcr.:8(PʆRrG\ >48 DoDQĢtPi$JD5J~)spjЊ!6u25@Qyl5Np<K4nEI/X3@7/%< @X,[l՜@._4w"1`q{ JG _b=D1 ?_n[2 Zdߌ V>@r"DU7I~Pq:V5 ;h#7h tn\uu&ȃ*"ݖq(&pJ- -5\ƠMW{, Eqr9P!*N@(eI&-4(G#sY5F&ȡ|#_4I_)I5J*$Z5ȉd@ܸH:xUv;a݌Api1]h1@\Q[P4F'.Xԭd8(hD= EpQe- &=k*@yPA"1 +=b{JoGZj $*M% "E0dmNڎ XkXLB/>YsQ 8#]0=zFmj#yE 2 '(\ǢLeb3Pvu+X;k{k)az:+\E J*9ٯP;;)UT,i?y){t- dmfwY){_镲^%*dquQJa&rV]Ρi`C3lQ)d&.lzҥ"9q/Kvu$ J +Ѳ0c(;N*EіPM~9+;I iUĦ)U4y-jzSԉ/u"E($~R~͌kOYp*F1khGSQp 3%C(0G7>ר_,W7:f]yy`"h A( 1Sj}jPmAX fȟ1ѠƖg֓Or[dC,j/6H;EnFⱠd"!6 )bڿ!P-:)n9Bqbu9!VHC#HYRɓ=D"V5]܍cp{a%xUU E&Ci\r"^9b*Mê'!y&blM[cN0@E3ށ]V ۧEB֕HT rMh" tY;$LytBۙU"lvޯ׋P\%_&:Y)K3]B %nH)ab*W["'UV]*Ӓ-E6*;QJTA#&U ɓ'" ;E(8Y* f 6dFl: 5gSFk7D.B!"ܣX,e[⡘Hy\!!u &[v#WjGeP1_Ld ' jf3+2$~*whoosh.wav.WAV 10103RIFFWAVEfmt ++data~~~~~~~~~~~~~~~~~~~~~~~~~~~|||~~~~~zvtvxz|~zvrnlrv||vtrpptz~|xvtv|~~zxvvvz|~xrlhntzzvrrpprrx~|j[QU_|bICCYn[ICY~zlnh]_r|]SUSSjz|x__l~v_]drnUb|nfd_]d]5=rrnj]jz~lMldrx[[_f|YQfWK_xh[zx[CIjzxxdSQz|_fI9WӹM;QnvK;OUx~xj]]YS~ɵlM?plM;CGpٵ[)Kh|% %;xtKQS]ɖbGr|lSnvz~nfS[nëx;Az=+AYݻ|=/1r_ ?|潄W5/Czãf)/pvbMQr|O=OtjdhjlG?G_ɊK3לdQCMppW;1SŷAMz/#?bx͖SAM[hvhYp~~zrvt[]ptWOUtxxd]v~vvxzd_xzh_nrSQltbdp~_lrQ_l][tf]W]~hWfp|fWhnhbU[hzlSCWbYbnxpdhjvjM9Ot]GQ[dpp~hhhdpx~xh]Yntnrp]dlvjQMb|vdjpzxzztljr||_[r~~jb_j|z|xpp~~v]Wh||zx|x|zzndhpxr]Yfntzjl|z||~vppnrzphrxz|~|xtrjjtv~~vz|z||xrrv~xrprtz|||vzxvx|xtx~~~~~~~zxxxx|zxz~~~rrz~|xz~~|vtx|zxz|~~~||zx|||~~zz|zz~~~~|~~||~~||zz|~||z~~~~zxzz|~~~~|~~~|~||~~~~~~~~~~~~~|||~~~~~~~~~~~~~||~~||~||~~~~|||~~~~||||~~~~~~||||~~~~~~~~~~~|~~~~|zz~~~~~~~||||~~||~~~~~|||~~~~~|||~|~|~~~~|z|~~~~~~~|||~~~~~~~~||~~~~~~~~    5{3 X>5&?/J  24kkk+52)52       @#"(*% 0.0?2$N$E ՒR›R$nfɁcuךb$i:$VYs AAԔ" @333f@80___PPT10 ___PPT9nyp \Xh$4PNG  IHDR [AsRGBPLTEf3f cmPPJCmp0712|m.tRNS@f,IDATWc`@L`EHD:)a&fy 9J>p|gIENDB`? ,O  =o|~3RAIDE: Rootkit Analysis Identification Elimination 4$$$$$$ $$ $$& Who Are We? $rPeter Silberman Undergraduate College Student (*yuck*) Independent Security Research Author of FUTo, (soon to be released PAIMEIdiff) Contributor to http://www.openRCE.org (VISIT THE SITE) Jamie Butler Currently Un-Employed& . J Software attestation Rootkit detection Author of Rootkits: Subverting the Windows Kernel Co-author of Shadow Walker proof-of-concept memory subversion rootkit Pioneer of Direct Kernel Object Manipulation (DKOM)  '333 333' '  { 333 R N^6 0Agenda$What is going to be covered? Quick Review: Define Rootkits & Hooks Userland Hooks: Import Address Table (IAT) Export Address Table (EAT) Kernel Hooks: KeServiceDescriptorTable Inline Hooks Entry (Index) Overwrite I/O Request Packet (IRP) Interrupt Descriptor Table Model Specific Registers (MSR) Process Hiding: Old School DKOM (FU) New School FUTo Previous Detection Techniques RAIDE DemoZZ(Z6ZZZ%ZSZZCZ Z(6  %SC P2 L*What is a Rootkit?$ Definition might include a set of programs which patch and Trojan existing execution paths within the system Hooks or Modifies existing execution paths of important operating system functions The key point of a rootkit is stealth our definition includes they must make an attempt to hide some action. Rootkits that do not hide themselves are not then using stealth methods and will be visible to administrative or forensic tools (i.e. DeviceTree from OSR) shows all non-hidden drivers.bTSnTSn >T~ )Userland Hooks$IAT hooks Hooking code must run in or alter the address space of the target process If you try to patch a shared DLL such as KERNEL32.DLL or NTDLL.DLL, you will get a private copy of the DLL. Three documented ways to gain execution in the target address space CreateRemoteThread Globally hooking Windows messages Using the Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs v JlEHV JlEH V,g#" EAT Hooks $User mode DLL s and Kernel drivers both export functions Export Address Table is a table of pointers to functions within a module that are callable by other modules Modifying this table in kernel mode will redirect every to a new function Modifying this table in user mode will redirect every call within that given process space but not system wide. Common Hooks in User mode: GetProcAddress LoadLibrary CreateToolhelp32Snapshot Common Hooks in Kernel mode: Ndis*9Z&ZZ4ZZZ9&4 >z 7Hooking The Kernel$:The operating system is global memory Does not rely on process context Except when portions of a driver are pageable By altering a single piece of code or a single pointer to code, the rootkit subverts every process on the system Kernel Object Hooking (KOH) is a great an example of pointer modification. Modification of function pointers to: Callbacks Driver Unload routines Etc.. KOH introduces a very tough issue of detection since its hard to ascertain in a lot of cases where a pointer is suppose to point Greg H - http://www.rootkit.com/newsread.php?newsid=501 H.&(:H.&(<mEJ. 0 9KeServiceDescriptorTable $ KeServiceDescriptorTable $  (KeServiceDescriptorTable Entry Overwrite))$  %KeServiceDescriptorTable Inline Hook &&$  I/O Manager IRP Hooking$?System calls used to send commands NtDeviceIoControlFile NtWriteFile Etc. Requests are converted to I/O Request Packets (IRPs) IRPs are delivered to lower level drivers Examples of this kind of system modification can be seen in: TCPIRPHook (http://www.rootkit.com/vault/fuzen_op/TCPIRPHook.zip) Any and every firewall `#'Y#'Y |# 5c -  0& Interrupt HookingIEach CPU has an IDT IDT contains pointers to Interrupt Service Routines (ISRs) Uses for IDT hooks Take over the virtual memory manager Single step the processor Intercept keystrokes Examples of this kind of system modification can be seen in: OverflowGuard Shadow Walker OneByteHook (http://www.bugcheck.org/code/bytehook.zip) LbT=WbT=WNI  ) 0F Model Specific Reigsters (MSR)$ SYSENETER is the replacement for int 2E which passed control from user mode to kernel mode. NTDLL loads EAX with the system call number (i.e. 0x25) EDX is loaded with the current stack pointer ESP NTDLL executes the SYSENTER instruction SYSENTER passes control to an address in the IA32_SYSENTER_EIP Model Specific Register. IA32_SYSENTER_EIP is readable and writable but is a privileged instruction. Examples of this kind of system modification can be seen in: SysEnterHook (http://www.rootkit.com/vault/fuzen_op/SysEnterHook.zip) X]F]GF! / 0Process Hiding Circa 03$NTRootkit By Greg Hoglund Hooks the following functions to hide processes/files/registery entries: NTCreateFile NTCreateThread NTEnumerateKey NTEnumerateValueKey NTQueryKey NTQueryDirectoryFile NTQuerySystemInformation Quite dated but was the first public rootkit of its kind. Examples of this kind of system modification can be seen in: NTRootkit (https://www.rootkit.com/vault/hoglund/rk_044.zip) zIx=Ix=  7   'L 0 0eProcess Hiding Circa 04$cFU by Jamie Butler FU introduces Direct Kernel Object Manipulation and takes process hiding to the next level. DKOM can be used to: Hide a process Locate the EPROCESS block of the process to hide Change the process behind it to point to the process after the process you are hiding Change the process after it to point to the process before the one you are trying to hide Add Privileges to Tokens Add Groups to Tokens Manipulate the Token to Fool the Windows Event Viewer Hide Ports Examples of this kind of system modification can be seen in: NTRootkit (https://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip)^B^  B4" - 0-bHiding Processes - Windows Process Hiding Currently 06$PHIDE2  by 90210 Remove threads from KiWaitInListHead, KiWaitOutListHead and KiDispatcherReadyListHead and creates its own lists that it swaps in and out when it wants to give its own threads CPU time. FUTo  by Peter Silberman & CHAOS Uninformed Journal Vol. 3 (http://www.uninformed.org) New version 2 of FU. Hence the  To Hides from IceSword and Blacklight Option  pngh bypasses as of (06/26/06): Blacklight (F-Secure) AntiRootkit (BitDefender) Helios DarkSpy does detection FUTo -phng "}(9""}( 9 "'d $1       0 "8FUTo  Modifying PspCidTable$$ @FUTo removes itself from the PspCidTable. PspCidTable Job of PspCidTable is to keep track of all the processes and threads PspCidTable s indexes are the PIDs of processes. Returns the address of the EPROCESS of a process at the location corresponding to the PID. Problems: Relying on a single data structure is not a very robust By altering one data structure much of the OS has no idea the hidden process exists z6F 6F  l   4 Kernel Structures: The Tables$Handle Table: Handles are an index into the Handle Table for a particular object Objects represent processes, threads, tokens, events, ports, etc. The Object Manager must do the translation from a handle to an object The Object Manager consults the Security Reference Monitor to determine access to the object Every process has its own handle table to keep track of the handles it owns 8ttKernel Structures: The Tables$lkd> dt nt!_HANDLE_TABLE +0x000 TableCode : Uint4B +0x004 QuotaProcess : Ptr32 _EPROCESS +0x008 UniqueProcessId : Ptr32 Void +0x00c HandleTableLock : [4] _EX_PUSH_LOCK +0x01c HandleTableList : _LIST_ENTRY +0x024 HandleContentionEvent : _EX_PUSH_LOCK +0x028 DebugInfo : Ptr32 _HANDLE_TRACE_DEBUG_INFO +0x02c ExtraInfoPages : Int4B +0x030 FirstFree : Uint4B +0x034 LastFree : Uint4B +0x038 NextHandleNeedingPool: Uint4B +0x03c HandleCount : Int4B +0x040 Flags : Uint4B +0x040 StrictFIFO : Pos 0, 1 Bit XZN7/;1  ) .#)% A! ,- \ &Handle Table Translation Handle Table Translation )Detecting Hidden Processes PID Bruteforce**$ >Blacklight Bruteforces PIDs 0x0 - 0x4E1C Calls OpenThread on each PID If Success store valid PID Else Continue Loop Finished looping, take list of known PIDs and compare it to list generated by calling CreateToolhelp32Snapshot Any differences are hidden processes Called Cross-View method or Difference Based Method  4  4Z   `RAIDE /RAIDE: Design Thoughts$ RAIDE was designed to be an all stop shop for most common rootkit detection needs RAIDE uses secure communication methods to prevent people from interfering with our communication RAIDE is not developed with a GUI does not require any runtime dll s/frameworks etc. RAIDE was designed for both advanced users who want the files for research and beginners who just want to be rootkit free. >:1RAIDE$RAIDE can run on: Win XP  SP2 Win 2K SP4 (Hasn t been tested on earlier versions, feel free to donate copies and RAIDE will support all win2k) Win 2k3 pre sp1  Issues were found for post SP1 and support is being worked on. (+RAIDE Communication RAIDE communication designed to thwart Crappy And Stupid Application Specific Attacks (CASASA) RAIDE uses Shared Memory segments to pass information kernel land user land Shared Memory segment is randomly generated Communication uses randomly named events for signaling Uses randomly generated process names RAIDE spawns a user process from a driver to do a Difference Based or Cross-View comparison The spawned process looks like any other process spawned from userland. N 0RAIDE: What it is not$A replacement for common sense!!!! RAIDE will NOT keep you rootkit free nor will it pick up every rootkit, it s a cat and mouse game RAIDE will not find hidden files/directories/registry entries, it was not designed its not a feature in development RAIDE does not restore driver IRPs/IDT/MSR RAIDE will not at the moment identify hidden drivers there are plenty of applications out there to do so. RAIDE will not identify drivers hiding in plain sight as rootkits since they are not HIDDEN nor are they hiding ANYTHING. : ZZZ P; ; RAIDE: Analysis (User Hooks)H$$$$$Analyze User mode: In User mode check all  important loaded modules: Verify each module s IAT Make sure the function pointers point to the correct DLL Make sure the function pointers don t point to .reloc sections Verify each module s EAT Make sure the exported function pointers point within the DLL Make sure the exported function pointers don t point out of the .text section 3x3x      ,RAIDE: Analysis (Kernel Hooks)H$$$$$Find Kernel mode hooks: Verify KiSystemServiceDescriptorTable (SSDT) function pointers Make sure the function pointers point within NTOSKRNL Verify each SSDT function s have not been modified Load ntoskrnl off of disk and and compare the instructions Check the IDT make sure the handlers point to ntoskrnl Check within the preamble of each IDT handler make sure no common inline methods i.e. jmp, ret etc& Check the IA32_SYSENTER_EIP MSR to make sure it points to ntoskrnl Check important driver s for IRPs hooks ?i;7dk?i;  7dkHWE!RAIDE: AnalysisH$$$$$,Analyze the system for DeepDoor like hooks: (,,(RAIDE: Analysis>Goal for Process Detection: Signature that can not be zeroed out Signature that is unique Signature must not have false positives&gg)RAIDE: Analysis>Signature: Locate pointers to  ServiceTable ServiceTable = nt!KeServiceDescriptorTableShadow ServiceTable = nt!KeServiceDescriptorTable Contained in all ETHREAD Hidden Process: Spawn a process with random name Spawned process generates process list sends processes list visible to RAIDE RAIDE compares the two lists finding the differences hidden processes  "\!''5 "\! ''5b  ! -RAIDE: Dumping Process>Dumping Process Allows Security Analysts to reverse the executable or system file and see what it was doing. Does not matter if the file is originally hidden on the HD. Dump file is renamed and put in the working directory. Dumping lets analysts bypass any packer protection. :llRAIDE: AnalysisH$$$$$HForensic Analysis of hooking modules or hidden processes: If a hook is found in kernel and the hooking module was identified, rename it dump it to the current directory. If a hidden process is found, dump the process and all dlls in the user space to the current directory. Feature is in BETA and not included in public release R:7:ih7dRAIDE: IdentificationH$$$$ $Identification of Hooks: After analyzing the system, identify the hook type. Hook Types are as follows: SSDT Overwrite / SSDT Inline Hook IAT Overwrite / IAT Inline Hook EAT Overwrite / EAT Inline / EAT Forward Hook (user and kernel mode) IRP Hook IDT Hook MSR Hook Open Block/ Characteristics Hook After analyzing the system, identify the method being used to hide processes. The current methods identified are: DKOM PspCidTable modification Z4ZZZNZ$ZZ4 N$ *RAIDE: Identification> To detect hidden process methods, we need to know the two methods most commonly used. DKOM PspCidTable If the process is not visible by walking ActiveProcessList in the EPROCESS block then it was hidden using the DKOM method. However for it to be hidden with the DKOM method it has to be visible in the PspCidTable, so RAIDE will walk that as well. If it is hidden in both it uses the FUTo method.XVZZ{ZZV{P[ * G $RAIDE: IdentificationH$$$$ $Whitelisting Firewalls Most firewalls act very similar if not exactly like rootkits. RAIDE whitelists drivers using signatures such as checksums and other values. If the hooking driver matches a signature the user is notified that tampering with the hook could result in system failure. RAIDE does NOT rely on behavioral analysis to identify firewalls, since any rootkit mimicking these behaviors would fool the system. P}}H ? 3'RAIDE: IdentificationH$$$$ $9Currently identified Firewalls: Kaspersky Internet Security 6.0 BitDefender 9 Professional Plus Outpost Firewall Pro v3.5 F-Secure Internet Security 2006 ZoneAlarm 6.5 Kerio Personal Firewall 4.1 Trend Micro PC-Cillin Internet Security 2006 Kerio WinRoute 6.2.1 Identifies 253 hooks installed by these products. P 3 3  O &;RAIDE: Elimination0$$ $Rootkit Elimination Restore Hooks Restore the original value of inlined hooked functions Restore original function pointers in the SSDT Restore original values of drivers whose EAT have been modified Restore Process Options: Process hidden by DKOM: can be relinked to make the reappear in task manager. can be closed If a process is hidden using FUTo methods: It is not safe to close or attempt to relink the process E+: E +:Z9S0%Thanks $Peter  Bugcheck, greg h, pedram, uninformed/research ers Jamie - DDP  &DEMO .DEMO$Our Demo VM will have the following: Hooks: Inline Hooks SSDT Overwrite Hooks IDT Hook Driver EAT Hooks Hidden Process: FU Hidden Process FUTo Hidden Process And& . WinDbg This is all on VMWare& . %<&%<& >/p   0` ` ̙33` 333MMM` ff3333f` f` 3` f>?" dd@(?ddP@!@ F3330@8`@ n?" dd@   @@``PP   @ ` ` p@@ L0 9(   `  s *":$  0 " H RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S  6 " H T Click to edit Master title style! !  0H "P  D*C   04H "P  H F*C   0H "P H YInsert YOUR company name here G j  RA޽h ?backgrd f  Techy  0L0 @(    6DM "`  M T Click to edit Master title style! !  0HM "`   M W#Click to edit Master subtitle style$ $  0M "P M B*C ,  0M "P  M >*Jamie Butler & Peter Silberman  G 333   0xM "P M D*C   xA6޽h ?technological_awakening_qx f 0 P*(    0ث,  P   ,  X*0    0X,     ,  Z*0  d  c $ ?  ,   0p,   @ ,  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S  6,  `P  ,  X*0    6p,  `  ,  Z*0  H  0޽h ? ̙3380___PPT10.'@h< 0L0  $(  r  S M@  M r  S M 0  M H  0޽h ? f80___PPT10.H  0L0  0(  x  c $T   T x  c $0T  T H  0޽h ? f80___PPT10.5<  0L0  $(  r  S  HT   T r  S HT  T H  0޽h ? f80___PPT10.pFa<  0L0 0 $(  r  S TT   T r  S xUT  T H  0޽h ? f80___PPT10. V<  0L0 @ $(  r  S hT   T r  S iT  T H  0޽h ? f80___PPT10.@JZ<  0L0  p$(  pr p S  qT   T r p S qT  T H p 0޽h ? f80___PPT10.PV<  0L0 ` $(  r  S  T   T r  S T  T H  0޽h ? f80___PPT10.`ZK  0L0 p  ? g(  r  S lT   T X  00` @f  0f"` @ X  0xT"`0P  :ZwCreateFile: mov eax,0x25 mov edx, 0x7ffe0300 Call [edx] 2;0-Z     0XT I System Call" 0 2  ! 0>H  G USER MODE" 0 2  " 0T P  I KERNEL MODE" 0 2 X # 0f@ pX $ 0P pdB &@ <DԔ  ' 0̤TpW gKiSystemService"0 2dB ) <DԔP  lL  P  3#   ` * 0f P n + 0"` P`n , 0"` `P n - 0"` Pn . 0"` Pn / 0"` P` n 0 0"` ` P n 1 0"` P n 2 0"` P  4 BT@ T @0x25 0XB 7 0DԔ XB 8 0DԔ@ 9 XB 9 0DԔ 9 XB : 0DԔ@ ^ 6 6f 9  ; 6lT  p  d NtCreateFile" 0 2   = 0DT   ]System Service Descriptor Table" 0 2 dB ? <DԔ H  0޽h ? f80___PPT10.0B  0L0 5- $'0 (  x  c $T   T X  00` @f  0f"` @ X  0T"`0P  :ZwCreateFile: mov eax,0x25 mov edx, 0x7ffe0300 Call [edx] 2;0-Z    0T I System Call" 0 2   0|T  G USER MODE" 0 2   0T P  I KERNEL MODE" 0 2 X   0f@ pX   0P pdB  @ <DԔ    0LTpW gKiSystemService"0 2dB   <DԔP   8  9  % 9 f  6f   t  6"`  t  6"`  t  6"`  @t  6"` @  t  6"`  t  6"`  t  6"` @ t  6"` @    BpT  T @0x25 0`B  0DԔ  `B  0DԔ @9 `B  0DԔ 9 `B  0DԔ @ f  6f 9    6xT p  d NtCreateFile" 0 2   ! 0T   ]System Service Descriptor Table" 0 2 X " 0fPX # 00pdB $ <DԔp@ & 0 Tw NKernel or Module"0 2dB '@ <DԔP H  0޽h ? f80___PPT10.0B  0L0 g_  )(  x  c $T `  T X  00` @f  0f"` @ X  0T"`0P  :ZwCreateFile: mov eax,0x25 mov edx, 0x7ffe0300 Call [edx] 2;0-Z    0Db I System Call" 0 2   0\b  G USER MODE" 0 2   0b P  I KERNEL MODE" 0 2 X   0f@ pX   0P pdB  @ <DԔ    0 bpW gKiSystemService"0 2dB   <DԔP  ^  6f  l  6"` l  6"` l  6"` @l  6"`@  l  6"`  l  6"`  l  6"` @ l  6"`@    Bb T @0x25 0  6b   ]System Service Descriptor Table" 0 2 X   0fPX ! 00p # 0lbw NKernel or Module"0 2X $ 0  pB % HDԔ?2  & BL bԔ" p @W  l Some Rootkit" 0 2 dB (@ <DԔ P T ) B*bԔ"  <See http://www.rootkit.com/vault/hoglund/basic_mdl_flags.zip"=0 2="1  0<H  0޽h ? f80___PPT10.0B  0L0 sk !$(  x  c $,%b `  T X  00` @f  0f"` @ X  00b"`0P  :ZwCreateFile: mov eax,0x25 mov edx, 0x7ffe0300 Call [edx] 2;0-Z    0d9b I System Call" 0 2   08=b  G USER MODE" 0 2   0(Ab P  I KERNEL MODE" 0 2 X   0f@ pX   0P pdB   <DԔP  X  0f  f  0"` f  0"` f  0"` @f  0"`@  f  0"`  f  0"`  f  0"` @ f  0"`@    <PHb T @0x25 0  0pLb   ]System Service Descriptor Table" 0 2 X  0fP  0Qb NKernel or Module"0 2X  0p    BLUbԔ"  p  l Some Rootkit" 0 2 dB @ <DԔ P R   <hYb"``[ LNt!NtCreateFile jmp 0008:11223344 [& ] D&00 2$pB  HDԔ?p` ! BabԔ" rp  D[& ] mov edi,edi push ebp mov ebp,esp jmp nt!NtCreateFile+08 G0Gt dB "@ <DԔ0pdB # <DԔ@K $ BnbԔ" 0 3See http://www.rootkit.com/vault/hoglund/migbot.zip"40 24"(  03H  0޽h ? f80___PPT10.0B<  0L0  $(  r  S sb   T r  S tb  b H  0޽h ? f80___PPT10.` pN<  0L0   $(   r   S {b   b r   S `|b  b H   0޽h ? f80___PPT10.t<  0L0  $(  r  S b   b r  S b  b H  0޽h ? f80___PPT10.@!<  0L0 0 $(  r  S xb   b r  S Pb  b H  0޽h ? f80___PPT10.l<  0L0 P $(  r  S ؝b   b r  S b  b H  0޽h ? f80___PPT10.-F   0L0   ,X(  ,~ , s *b   b   PgZ ,# X,$D 0n , 0g "`PBgZh ,B s *"`0P`@hB , s *"` Z ,0 <A ?  \  0 0 b `i  ,#  -{= ,$D 0n  , 0Z"`i n  , 0g "``h  , s *"``` H , 0޽h ? 33___PPT10. 0*+cR/D~'  = @B D9' = @BA?%,( < +O%,( < +D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*,%(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*,%(+<  0L0 `  $(   r   S Hb   b r   S b  b H   0޽h ? f80___PPT10.[<  0L0 p $$(  $r $ S `b   b r $ S 8b  b H $ 0޽h ? f80___PPT10. nӜ<  0L0  4$(  4r 4 S b   b r 4 S \b  b H 4 0޽h ? f80___PPT10.P<  0L0  8$(  8r 8 S b   b r 8 S lb  b H 8 0޽h ? f80___PPT10.`ȣ%  0L0 $$ //<.$(  < <  6Db  S"   b V < Tb/e/e ?"6@ NNN?NzcD<4___PPT9 H&!0PGR < s *f`  < Hj/e/e"`>  test.exe ProcessId 152 { HANDLE hProcess; hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, 132); if(hProcess == INVALID_HANDLE) return 0; TerminateProcess(hProcess); }J 2GGG~  R < s * p B < BD)?"0@NNN?NR I < H j/e/ef"`` P  ZwTerminateProcess( hProcess );\  2G G G G $B  < BD)?"0@NNN?NP ~  < Hj/e/ef"` @9 BNtTerminateProcess: PVOID obj = TranslateHandleToObject(hProcess);\C 28G G G G 6   < HjJ?"6@ NNN?N@  B  < <Do?"0@NNN?N@ B  < <Do?"0@NNN?N@ P P B < <Do?"0@NNN?N@ B < <Do?"0@NNN?N@  B < <Do?"0@NNN?N@ `` B < <Do?"0@NNN?N@   B < <Do?"0@NNN?N@  B < <Do?"0@NNN?N@  B < <Do?"0@NNN?N@ `` B < <Do?"0@NNN?N@   B < <Do?"0@NNN?N@  B < <Do?"0@NNN?N@  B < <Do?"0@NNN?N@ ``  < H< j/e/ef"`   {hProcess = 0x036 2G G B <@ BD)?"0@NNN?N@@  < B?"6@ NNN?N@  B < BD)?"0@NNN?N @`p < H&j/e/ef"`0   j*0 1 2 3 .. .. .. .. 80 81 82 83 84 $+ 2+G 4 < H+j/e/ef"`p } :Object: ObjectType = OBJ_PROCESS Object = 0x80142316; 2:G G  ) < HjJ?"6@ NNN?N} = B  < <Do?"0@NNN?N}` ` = B !< <Do?"0@NNN?N} = B "< <Do?"0@NNN?N} = B #< <Do?"0@NNN?N}pp= B $< <Do?"0@NNN?N}00= B %< <Do?"0@NNN?N}= B &< <Do?"0@NNN?N}= B '< <Do?"0@NNN?N}pp= B (< <Do?"0@NNN?N}00= B )< <Do?"0@NNN?N}= B *< <Do?"0@NNN?N}= B +< <Do?"0@NNN?N}pp= B ,< <Do?"0@NNN?N}00=  -< B?"6@ NNN?N} p=  .< H6j/e/ef"`m   J 0 100 152$  2 G  /< H:j/e/ef"`   TranslateHandleToObject Process = PspCidTable[ PsGetCurrentProcessById() ]; if( Process == NULL) return 0; return Process->ObjectTable[hProcess]; 2/G G >G G G G H 5H < 0޽h ? ̙33___PPT10i.1}+D='  = @B +K$  0L0 J#B# -/D"(  D D  6Ij  S"   j V D TPj/e/e ?"6@ NNN?NzcD<4___PPT9 H&!0PGR D s *f`  D HSj/e/e"`>  test.exe ProcessId 152 { HANDLE hProcess; hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, 132); if(hProcess == INVALID_HANDLE) return 0; TerminateProcess(hProcess); }J 2GGG~  R D s * p B D BD)?"0@NNN?NR I D H^j/e/ef"`` P  ZwTerminateProcess( hProcess );\  2G G G G $B  D BD)?"0@NNN?NP ~  D H4ej/e/ef"` @9 BNtTerminateProcess: PVOID obj = TranslateHandleToObject(hProcess);\C 28G G G G 6   D HjJ?"6@ NNN?N@  B  D <Do?"0@NNN?N@ B  D <Do?"0@NNN?N@ P P B D <Do?"0@NNN?N@ B D <Do?"0@NNN?N@  B D <Do?"0@NNN?N@ `` B D <Do?"0@NNN?N@   B D <Do?"0@NNN?N@  B D <Do?"0@NNN?N@  B D <Do?"0@NNN?N@ `` B D <Do?"0@NNN?N@   B D <Do?"0@NNN?N@  B D <Do?"0@NNN?N@  B D <Do?"0@NNN?N@ ``  D HXqj/e/ef"`   {hProcess = 0x036 2G G  D B?"6@ NNN?N@   D Hwj/e/ef"`0   j*0 1 2 3 .. .. .. .. 80 81 82 83 84 $+ 2+G 4 D H|j/e/ef"`p } :Object: ObjectType = OBJ_PROCESS Object = 0x80142316; 2:G G  ) D HjJ?"6@ NNN?N} = B  D <Do?"0@NNN?N}` ` = B !D <Do?"0@NNN?N} = B "D <Do?"0@NNN?N} = B #D <Do?"0@NNN?N}pp= B $D <Do?"0@NNN?N}00= B %D <Do?"0@NNN?N}= B &D <Do?"0@NNN?N}= B 'D <Do?"0@NNN?N}pp= B (D <Do?"0@NNN?N}00= B )D <Do?"0@NNN?N}= B *D <Do?"0@NNN?N}= B +D <Do?"0@NNN?N}pp= B ,D <Do?"0@NNN?N}00=  -D B?"6@ NNN?N} p=  .D Hj/e/ef"`m   J 0 100 152$  2 G  /D HTj/e/ef"`   TranslateHandleToObject Process = PspCidTable[ PsGetCurrentProcessById() ]; if( Process == NULL) return 0; return Process->ObjectTable[hProcess]; 2/G G >G G G G H 5H D 0޽h ? ̙33___PPT10i.1}+D='  = @B +<  0L0  H$(  Hr H S lj `  j r H S 0j pP j H H 0޽h ? f80___PPT10.vN< 0L0  L$(  Lr L S Pj`  j r L S (j`   j H L 0޽h ? f80___PPT10.@Z<  0L0 $(  r  S Tj   j r  S ̫j  j H  0޽h ? f80___PPT10.W2lj<  0L0  $(  r  S Բj   j r  S j  j H  0޽h ? f80___PPT10.X`n  0L0 <(  ~  s *j   j ~  s *xj  j H  0޽h ? 33___PPT10i.ܘ+D='  = @B +H  0L0 0(  x  c $;^rEOݶK1@;f ;܎aػx|;- #c  3D C`A!8^=!zA"b@ A!@ f!!!a# FB 1b,8BHDD4B1b"$S BL1B !C̄1bDD2D "" ""B \yYߎ >9|! "wS±*a]xO?\y7pZ+:.c^~NHB%Zw@s'C[ 8}A2x[#p~}qvޭۿZ'YA\PT'$f$*a鲹)qcBDt=;:A*ϰk~oHH +5k6fyHHcC_s؁In9m)\~gFL kNx kENXnkePkoK"6۶r{xܠwwV(,i48#jJ e~?şf/=vx {N}k> |@E"y2l9h5>q{|Vx^\s檝f'`QYmK(֖D'ߎMǸYK q ǥ3e9q9C|\GGpx^\cEGk $PHi#Rp# :Nvo ȒF}-NLtKSl7ulLu.@^?uoӡ:/$B>C){R>z&x^\9=[CP#=??>C:H9jG)1 F1;=ﴷvVmpЯp}-ḻN}>2Jyl񮖎I4ᾫl mdž@h9ڼqڴ9:ۼvlʑeax= HX^b׃]>6;l7-waG2:F~zxd04<::ǺBW[WjkTuacJu~(Sla{x^\Y֫Zy5m([qosNpl#Vkgm;IJ{Ye-wYJ^?1KOu3)[\bixqd;ͱ29ḆX57?%LX{c#ƏI߷z֪351:V?b_n)\ϱ}}2nYϋD1txO?S3 Ƈ2,"|0s>~F/wd_90=D͒UH~vqyx@{ϋDXE |{:)~˸ ?'Hi#=*2/#3?#u9s,eʸ>fI̧?~޻/2ۊ)raJ e EB?N>A{|0X3,l^O,zXFሀ,񩚼ZF'Pjs\DXDos\Aq=2]P׏|?g`Ot\W68IN/#gЗ |r}y% r^|a㰜?c^W~{'u&Y?AAāL 7?Pk'i@;#`3w: m]g ]T hxۋ^Пw~6NhO?>k}㭬^q߽v ;ƨ+yF싘x l4`-Xk jKs]. YT.***Ç1peƍ9 fƍХKuFf1 D^5P;S^=7?6tکф1,)LNI(D~AF0h0ma2+UF+ҕy£fd2$Yɱ6$(n4뛮-fv}.p=tF| SnM[>5~Lh v7ZԉT/؜Qc)фq!,%%S}FywɦDBk4C*hZsWAA Df  G~uߍ_?Lv~آCS1Bg];Ϥ\ b9].6.)[i3鶜b?6rAf-̖Nv!R]vg%\gmFPF\u[B60M븻7gϲ-&6AL. ! -d0m]삽fQjc[&X9ٷwsD9m.]]wgP]]h..lZy5 oWW}zґѲpZO:,dWN. uzw/ seFYsY8,ܥ,Ե,ש+O/OGV wO4ĖS`4iB!hub,s#]P^(^( ebԓMsɎlX庬L:QDZm 9bp%&CdGdN_zl&~\/f3?MfFGFDpF=ѹN]9i!Vw^{+S0VX)Y@ d mBD8+~H O +S\͜\d3$eOk@PNK}B}YmPV91ߨ%3N.eТT{Ip njj[ҥ[zlIln.ݳiG'Wb6{{N=_jj }R; LJ'b͇GGvJvuU5?#tNSuZi[ ~wv'Tnag_ vhyj3~%Ұs;1 Nͩ Ji{E^jYI6 9AQ FZ~}], "@LZCF*b^0ĩn,h.;P{S1`w_Vr- ?pʠҗ݈ޤnT?xԪ+Bjly}M/{OXBQ*/ժʡUxv@0WVakYU`.EV/m; ;[7|(U}TqA& ҌLӼS=ԔkZ?a6yp;(ꪹFn;׉>,xvvTRRéVKzYEVs}ԔKw\fW)B9 VB 8X.xlBAgAÎSm_gI(8v,8/@Vk* $TbVUErܣ LHffؼ lBqlolQnW͍vG.p_{a${F3KHMea ~T@nMj8R19P ݢP1DC.2*Lo2k5d:?\8FFK4d>Z 1B/,&mŮ@ YV솺lvrm)+B8}QxN H^7IH*P`o6Yl%HbrRKc2-cebРe&w0P ٓ@y_1Ѯ|G%_;jΤNb-_2j;Ƞbꛘ:uoX4a{M*z h VeH  8[;mz6TE۽'6nP"RTeB,1#vm)s'MD DbhDB.dC1hR툄B 3\M6Fr7@iV:fh8<:l1?D.GPSii6x9< zv&=  b0gn踰a<6ƍNb±@nݴN4wnZ}ۑ$:4 (Ztb*⴯$} AbT,+=qV MOLU*&*RFAR{;gӿ{ڻnCch i~q #ߟ[wK7o,R@(O}lX%ƙԅ/oc,ٵ?蹖b,^K*HiIN;F=Ѩ$FR@lB^lE-t!"ud,ct{eD:AďFji9dy[`z2' =Y^5'DL‰ E˅qLlHe+}"c4bg9,bwX|^3 l"=qOO> @6oJJE2$޽M̡'l<&98^# / Gݜiδ>4C&`\Q̿O22 @251E,b>|KgnF(ғ3|b̌yF931N3}>Y\"3Sd$ ']'OLUšqs22"ӟ ]W>՞U?F%H/$e&dlh $ V-pȾo|άbw|=J1W*O5Л/7&U0y\}{CM]Nxx8F4K\3'2tPg{'/7H+ [ &Oc7!$f!=,rc\!)r4e-vx޵qx[4Ue/ͅcNF{ގDPqlv &!$(~1yuzsbq%oԋoN--NggYf_.{/f Duu{UPM,ԇrnbi$CƖH/)F 32+[ىcH_# )*}.$\}z0p32H 5R{>W >TʥM|Hk6iu|3/aP.8͠XX&<$<'J |-Rt4t p̪\#.="=/1 4J)\!1IT99+(ⴗ HiT)pZ4gɕDH _ H=jngn8_]\#ڽѼΪغ+s^ Bٟ|UB61OkʐXJ_5߷MW&of<'aKq}U$Nu=ٰ2d3IT8l\8//Ь.nu[ֆD$|MxmזBΥpր ^BїcMHMpml„A~ve߹xiyT^V՜ݗG#!d؂ txx <Dp.y_dL0`y$ș  m42b>8hgJ DJ{4d` ֻWNuY*NR"8Qor 8ܮ'"p4(cjuݗ6=Cpd^,4_¹{Fx1w.ZiUJ]Jauf3ht ,1^Hd߉pLɎd)X9$ºeaPbRtq8 $y?Zu6N=:n&Vo}܊J;1;$(DsݺiznFFB|{ , m$Cl:0-7Q{ yw+1 6zᥐ~ bM'()sxnAIÉLmb~<67: wɠ32b:'qH95h B./قNK!}Dpz͎N X *3Ub8Sʼn*3UbspU g8Qm3Up ڻ-EDHTc1NU9A{p o8*G⑻/IE$ U-lx=@ f(LBg =hvɄ :Y^s6 qKx2>8ATēI;P 3F2M!$haPV@s̰q6 K lKn6kn|\ݑF'h05CÂ]]Ěy_+1]%]#>9"7d vn'|^`k&Ozlև,]tsN" ?,&HmwGdw-$1؍MJ@d{u6mSukKͺIB"b $=^/]]z)_;v;A j@@fǜ莥/7'_n>q\,-XO)t>Rs|be$%JaI>3s}20fĿk|)t"G*H/HAiP g8y3z6«vՁBRҎ;?3?pp~苸8MgLЃ?bqSY g`|/]a/U(t.*,B$"`!w< h4Il]{Cɱ2Ýh7&g(hrm4AW hh [veQ3PjթK0@1c\|^+ʂ6!SC;0&S낲 ` );"x3?T"*KowhFV\%>n7HFS(* náMmhK؋\ڤѷN i2 {*s%]g H"Oʈv0E]>.FXP>TbwswSen>Ԉ DQ)1g HxB2Iد;KOy>US@#[҉ة}ز0 #_2s=>y)s>sz'kv̴z ơCMP0S N43m``Q.Ou.s q<3pCpC`GuwΉ:U)r"}vW.) ~S_eR2PHUވOZD;$/֔EaB'*çn(P&,ؘXM2g>R!pn˸ YXKI2x@nXK88lƩa{l}&obk e#d j5NrvpK JtP&uS〝kO@%*ݗ ƨ\{ g)eP ,[,M~o^]{ʞx5$f̓Ks/ ܰzri$ ]Qh3^-)khZ-Ov.)>?I7[[3P"few1BF|#۾AO$Wb[^7͂o9<(l2ϩ'ɮuc" ۼJ\V﵍&P^ x6r -wF,$,AAt/߷{#e<ݴ·o4C-h?۟9Pp% 嵑Y.Cj|7}㕺n5Wf~νTZTU蕼ӉW ,[nPCPShMD%|"AHehdiS?M㷦M7 ݵ; o5n(4[ -eaB2rx28𰸺n<< %D_Zf!:ZlY4<n #8K oKJ[%">xUt҂lsqSW9^ k{A-]]4;^Dk%ɚҴAb_J7^%x 2Sɮ5D]iMιLyLu$X!T ,ߐVYfiɴNLRQ DYy\,l" H+\` xv="KD{B^p_$MQ-SPdY2rOբQwVJ@LhOEjQG:guZՀ*|5|H,р :y4iLT ͕6OF]{D[Mܙ\{'>Tol=.ԹّW};(ƐnԆmuя+cf8yt#h k\ o@ 1>`1VN܁Xī(b*~!-}!q!2%jp u7J5RJ":Q^wvz@nKZ'!c+{i<rP&ZtlKDuWwЏHFЫ\(<ُ~B2f]d|7FOsHmr*>"dWw_ܴwE ieF @CrlQ.L9Q>BG2* ^Q+Eg{F!i\د(מE.CH)rA2Е$`Ғv9}ɣ#LZ1 ҝI44ٗ$p05%2G#GR"*şzۣԁ0hW/zҧtsNH'$껪mwhڕ0%b[++5dN2hP#kq%<X9ylL/L$Ʀ1%) )8oüCy? ;Nsr~p\ᡗ(wqBZxp /aFӞut5SԜWOkؗ?1gWiwhknkjS4>Mծ֖kamI+u:tlG{C}}ttuut6Hʸ3܁O L 7"+;!3s6 SWO4$W/6]23S^XbGstoxVcL%oF !^NHl(UӰj,\I=1UIϿZr#n ofa` zYD3gnɜshΒ~XOyN'%A՟FiLo:G]4}9`%k#QU T;%gn?ss.Ce*ѩ8(3%ۜ*1ѫ*]礇ɩgR @(? 8~+ⰢffB+bz cmW]~wv)ܔUzry_Q<]i{(rWsgA8M/'dJNnHJnjnD1Fт3zƢBۃ-QHEZ ,8\B0+:ȆV.nc(f:_ '1 ΣY3RDZ88(FK;vO.ڢfnٜF'<,&Ą-p}Y20Kvrce%ϳ|#"Ǿ̜ }/y}#`8 C,$wz|5H85sXrM=hsڢl]#=YnlhuB#TҘ+Ǎ){>Z%wK P-RG=Syo2PX!m7VzU-.s~,8,%rgwV qPHPʻ=ݙji k^,` p\<]28׮#g2dxQ Z0OR߲<2?h[9uSfbC>ZB}K $`?ۤ9֬:qR:MݤiFk.@8#F-Ю.׻jAooZpU[7D餺41p\wXu=y/hU1{f0R?Y?GW:*- yޜtɏ+Kq^VsVۂFQzpT㄄FX'cjFpW ,?ˌbLl ,?*Q?c`/HTWl67:i]cH2~I\n:5*N-\藴 ſpDBjGx(}Czh9@(i+ EБ -y~'.@50M/,BJ#RK:P!SRXZ&=$=f_KW}= :Bt'o/a|0:<݄(a|!,n("+ln>ҡR~3qJKKzT3)P 0MqX(WVT+O~ &FlU>k5\{F/Z:nvZqLnE\4qI|W~o~,_OݚR1E>Qh#BF *a g[F!Uʑ)pUHYKoEJب=fʦyּ&ϳdDUM3/uUHUeS Z *IkO$S%K&KX]O*+LR[#o1J&C_Z2Wƛ)z^[<7p\Io,|oW~_f} ZG&\J3 I~0TU\qYp׵?{}Vn71ңim H4ݰcsЖ9i# UI̍a_sAkV[VW/knϭIH_HO޴OY-.ܣ' `C1!u0*uܭ3T*.։|5upd e>kY6QT?(YSSپ};&9*Ծ'P~$J5S4=YBՊ# LdOp)DLt>p]?G/ñGl;~ +-qC}O,Z'ZF;P/[.dXᜤ<[)@՗= ;]bN-Vyɩ ϊo&-煮u~杳 mKg?ޟ2)Xͭά菋,5>K~}aˉiu]!3 *)ݝ\蹚p;۝#mv\aqw`&zNuXe41mtx=lgWY:ǭiϐ3?Bcٓ'4Oܙo}ʢJ* fs4mH|"BV )mׂs9LU:LΛw%,vc̼\mHH\~ˤdePufR WL$2Q!pݪ2WpNGs48E{0-Ja0xl FӋM`m)Si{=v`ɪ*2E 415 oe[.LV%UY_H/5Jq뫻E/=_aXS}L괌it`Zȸ"=+:RG*L;Tckx?ߑidYߢ``bnjG3CԆcޑw|~PtGv0G;OÞ9zȭ ~1kGq{h2lK=1pkwAr\]ɜCe1 1ǨȞ0!Gm^̤po"/YS tF:D9d#-dkL@tl℅dL}x/ | < KOOttq3ASWJD!ʆ'D/Yt C͛{Cz6MRF$" Bt4Snl'W#*/sEW28IF\N'_A]r"up>ȝ3y D8GygywxOyHs7oHL^+cGwG]KPn1SwL%~tZ#zI<:#*O\.~ n?elU0(!o˕vL]QkthEbl n 2L0_Sm7MԒc,[r]>zwJ^߽`7?3nlLEg}9N`J*sn#}eg>EӲsvӦmf7S V7{l:scO%8lH[U"P7婞NJT77USFp M]/R 4uW} D"C y>zzO)|:盦k2 R]DmL-ؤ{IJ:4L~4u~oȓ +- J4po3 1ƒ#A ;exI:`t;o7py|Dt~bT0ɞlYfC{c1W8}r+p89>f[꾲s^z^68nݳVa0_xUI5_ 6~~5azZ7~ 8a#yrU}Ćq@3_Tgd>*ȯn$@45<9yLa\:bn"c]KƤ?8]W~XZ;6D%a9z ɇcmO<,wWX|QK_C{\gkq}n94ipqm& ^OO%I ipD؛".&[ jI9g-_=ݔCǬr+8:VPȒǍViʿx[Mak5>f:'^&jWi$S[&y*p-ɛ!P#%Kڨt݄K9l&\~BW@*pJ1*k={o x`xW,jln-Uh Q8#V)?^1rd.ݚkUD쬦٪zYWQ$gF؆ repǮ??S} lϻw`U66.\zG_p=N2s*^TƶJIeȭ]AjWmP9Zn()оL rHܰ<\R/(Tw'ӌL\G{UuW9"vn0|rOuevhh= qޯ>(uzK⣢sK/)~uO?#ܧ*ІRxR$-􌉃 bJЬXsLuz:U lUlOx-:hݵZP'8gWrJۡ&[Z*?nxt8'*1ңҳfitܘ勉763x[/kUاM_[RJ_?ʡHcXYYj c͹0 g;ؚ,9Em%Sk$$@s1Fo9oBĢl ` `50_?w7 `7B".'x"$HyGm&bT_ ~kL61ج5p1'*g@!5&3 oͽ̋i>-xj@b^`"&ZʝeK嗤H9Xƻ@8>>(7yaʱrGX&\Y)N䱞pFX9o6ޞrAމ}bc6^@7 )X#" o yNb ~x/qk*"my@AUft1n_Q)lS<)><\V Yue|V |_)깯Q3^iXl5VH8$,Ѯղ\m6S[Z-N@ЅJlꙢ:(zc;AO_0>3tحW eHoUGMk0gYBub %&x ;=;x Dd&Lď%J=]H'q5}}>} <hz2=~ktc¶%(īWG׬n1 :sT|V|U+D5ܣ"Xq޿T=q KY1 a035g7K%z[e}͉g-DDŽG9蕂#JؕM'g Q4}~BXFCIMԁUte7D]恷H }Sx1#lCpFLsqd3.ndk,>7J` JW*Ʈ>~aIp/mc%u.)F?t6{Up)V ]ЏKzҗhkv֗;m{$9WfEQ^)띢R?DŽ /mbGȀ8\gvdXa)Z/Kee)嚻)mD`?9CKYKxU<V824Ry)Blq }."0:$@GYFlhԑ /T--ZmTMO2 nXd*%}\r!/\SR9\̊_5%m1-[{P&yWb{o"dms nǗƖZt1Q\,yB^{>G ߍFݗ\.K9n#kr9iQ@2MxtΚTW a ?dUWM{{\|+ 9MM:!"E4󟄙&B?+'EL/ԛE5sE)jߌ4M+wY%ն4$NL|K:Ɣ=Ǎ؏'%"al:2cOvlB g:$GQ>}ď̫,__U~/UC[ri [Zulcc;;vw Ɇ/Օ7`|^"fʀt)Z< 2 hH{e:L lЍ2}uZDtA۲Tޠݦǵ&ZRۢT&hMP2zvj ZP)@yy0_A%r{)hbbn0Y2N"gF&1"E #ot}Ą9}̤Ź\hggoz}=naRB`yؼz~,6+:oȍ{Bږr{gC fT i vgN$J2a[(ow9GrG;yϜw ĊyEދQu]t]WPb{Q X?Wym;ۼ9 ;r[t9};Dl䂟ۢkUN!\~GAI9W _re 8#,Z!C|Jl#1# bտ*]2<Tu2 &pYaP*`QU'ԱzjӀNauc[h͟xrǬXS?-vV;Q936 m5$  |k(g96%ֻZ5@auZCt2:7T3۬$MU*]@X]O~g?XP {ޫD3]Q]ƣV$]ͬ=9ɜ=t"{.}z@{] u&{H`-t?' ߦM:9>Ź{%WeP5C{Γ}t\ T6.a6rOFXķi{۠GW?{r-/a{{q#1{lƊT y}hwdBlx;![5j ~e==B+swQn,EUr.,X9G}0RI l.kb H""[.$ ¾{{lFXt_Fh:O,}<FV&!\{HvZ/,Oٺ?+PJn&lwYQ |S|-XŽ%reSQѭgg[ۢ>9=1{y̸u2atB>d'SI8mR:HLL/2([F:z'ƧS/6Q5Ij-6t_fU$Wy Lja v5B};H E' l~A1,}š}#bpF|E.{W `FXZ'>q R)-ޔI_K:uLn-wogJTuuN$. Y(a03g]/@8N/·` (wʎSj_J'όN{A ٌvJB"X=iGRݚB_ELA:=^ACDdNrXsV7kH9&v GID\4p8K;7HDx ^0/yټK (6JmnZa9K zz[>$X %⌬AH8=2}68?1Ѭi,`V#hMAOQpm@ѯ!~2~~)TAe 5FG.H,݀>V2YXPOMfpEFq#28>*m07X'#ڢXZ9H FxgX索5]J]ڝVW(ݠK]yjZ;YOi&G-P*EFAݮ~gWUM/-DU_2Zʳ: g*AF1.Շ\Uuj-+T[>>%u݋}{8 h'(9lnpzXx+08VǰF<'|!4%%ĵDI#k'B"p@'cx#2xeX#$ 6Ohǩ@ “i㯋uUsZ¬_9Lb&1VL(Qv{Ey Pt;1Z~`0&RE5mGkGƁR,:g{߬B}N/l+OdcpLDBd]Pp{Ȏm 1AE?41A_ %BQa7w]P0De >K|rYÕ .Nxsb$C([BS.--?:h<]^~Ge2Ǯ[Dͭk,~߱Y~O1XG EҽDŽ@䫵W1!ffc܄D3FAEPDDMM[Gg321mtE//qqS5'K.z77fӾHHdPS]\i57xmם *|! J n_\PPWxIgYWY߳7<>e0.K6E4m6xY;Wԗ~<#ݰ{RDs}tp''##O[Y4Z>M>NDfsj_N szF4}ڀlҙZlq_fxdhA:f1>iɴ/M:%']?rp^YQ:s*N}dQZ'Z&ZeL=S-GmZuOYr\h&Fot_wnW_^y\>O'-)`z!)H+ ȕIK[?`|teV&y/;)7h0ѯ$迳@h[{t[-93!SR|4 R?1(CC>&'>|j,j6k 6d't@ 3b `@O⪓cݗZY09I$v|; Vsbp E(DDž5ՕP`}+5GH|eiDGCwwD ;b~YS][W/q0k`]W/A -G#)3,*N:63Q̔<1 U "|9_6/xj8 Vg>zh9a8S9Bg"g>:[Y'+)N6 G`古|y/^-Qgq0S7]n'ʁ||(K]~Zj~c0"#B UH2>>^HR:M'Oы`'cY٬EHU(Mq^z!1Љ{<* f*/s\ j[j| ?{meڃQ{u!w]w.hrv]E޾BP)' -J=hn+Eۭ/Գza}Mixk{Ybڴ}Zt"j.Fנ[P4=#W=3JǀK i&\Ӷ*4Zulճըj ,NSmjej)ch~=n<2r ,=[CK5_2hpH/ّ}t4z71hR3]FQOTd̩CkpzT+T%eoo))aJ0\9yzzTzX n U2UjС]7FZfI>/58-F .Abo XO*/~s-&8e%~L`7` H v+u\Pbb97kq/e7 ?_p*tˏnzC(Ȳ_Bܽl##(~ٹt#Nw4D^:g!-Y3k"ɟjgn9!#+ޗ}^s}noblCdUPI[xrP:_ϋ&=9ԋ"X\e3yz:!PLrO"j.Fhw[[ڹǍ<O4HX1VOlQ(}la{MtMTT)53rSaQU$x#X֘N(m "NR™E>l./=E #0.̽X.g_q7wr=7 =K`OY&Q?ȯ*+AA4R+c HHTQOW۩AGѦh/A]ݭ3A(.@sfFݵbک:N>EAl-A `3a~+>:W@ KwP? oO'D6=S=b 86=át b? 2X؏5B\ÍCTH }r' Rkuѫ\Lk.헽$3wX3B7g`Ub4:oยN&[ &)`hSlOEz"&,L"v'N\;tbWx!ih[ěyC`w|,pD E9g6g{mAeJTjxWγTT갱%3ʹz*}y K`1GD&}Q@qؗPQ``R.B! g,{a Gtֹ yY&vطc8Z9b ] t#p~} 5[<GX تZT]k+ v6Z׈T`* HV5j+Pk ݇X_/{i` M21>w3q_>Ӧۊ8Gd-vB=- EK&LE)`zZL-u uk:mZu,\>FOK{zeLVBcuk3]i*ULv2lGQh괦A,\:[:ٚZaÌ?osqIԣoA>5i9 ovvk~PK'G8^pZ+`1'ZħXAaEE|5,O+\7U YM^1v0js\;\idXrgs oۊNGgX{ Nsf+3 E3!ᦹYJzמ&GDq=~`7yGؾ4k4c2Uw[@=Ma)k% dDn+ŠZ0囬Los-˭)@7B),;[K?xO*MxKmXY ~UsRUn5 ̲ª [s# H[ݔ'v)y%W+9&yo[Ur5\΅un]jЊD-- Y݊u]K'kC7m5WL'KFUYܵeNu$M+ጶ~znN2q֮cEP#06܅!$6LL<4^iw?[y3f7_#_G1G)'ҕ%!J&]_ Fc f-MdQ2)+=N;NҀ>!wO$=Nr6I]gDuj ;>P, ](7!.ˏ%c` 4&[`M;k:^t7W>* m@}X;gptFQTpTGtoBHl.SHs0}cEY@#be:$1~.`azʜ96h)s7&Mny?3(;)OmLc? Ɯ+U 3CSXpx@Uou$9ZhP|J|T"dWe`>%<@ .$I] *sŎ.=(̫RL /  ; y\"ȺA;&?//}qRivVUg[x5?<B͈^7ppٜtr)Ml9)'߭R'pO- 7j[GkZ Nyvz+,vPP7s0D Q ɟQLKs/nN] + =čui}zc|՜`69':G2B:;DIݪ-&IxJijس9|FP; \M]H(VqNnp[XYmer2hA]1!m&9D]u( ;boɷO;䨦`p{û1]VbӶ/ĩ/-jIΡ_v(^AgAܜa#_7 <|Q>@j-J =wP< ZK7UƧ-(1b=D/y]oS9=E:Èmj"7w\V76).(u%-Y(X.)Yi.9mE*]dƲ ]Hӟ}'$h1JpsGW|bNQq~?4A\)X)0L%0b T_ֿfqGro0O:o~{ܢ3=d;nagKO`ly_vg'z7pYL>Lҳ#ezuvy%%PQ[zD%Qp VFR_VgЮfboܵMOj6 ]OF{Oq ה573)7Y/3~^0  _I5vYf ~j@ z_Ě#2_Sx|{\90 ^:C, a$׆n.DdVSWn_p^~^>2FP/ܜ7 @V t7MaH*/xbD*YM VN\ ]@з[mҀZnzu!k J2trk0.Йz7̀yx2sr( %'/3UBy;XQ KmVm];_rk%,rbv 8sv5֊ϵ1VzOھ ⹆y-ar ;VJt|A %lwrȈGmϒ5& ]\`1~W&YZhiEIb8pj0C6+f2qof8F/6Mǀef9}z<٣kWw"ޝNsO.ʉ5܎|l<$.u^޸Һ>B!w =~UM½BP/Zh](j,D!f @` :$r:'UtA8YNu^F=^;[7Uڋw"T2Ǜ Or7Og;Q2Kddsf쑡20,k 2d W8x*+I@XLO l(菺hSQO4V{G*Tu ⣩h əSSh淋x\wA<@ 1Ar%q_뷞4r>gBw+_U2@BJ& ESr)!Yn=Yq 2GKA&c*Ib׳M zsG\c8$R'ɭcO ojYwnۅ~'~wtN3Yཊ9@SWn= Qz ,w /" ڇYՈGVh`ukPr= ֭-NSW5P"|q!" '%KF1AӇ9wabSL;K,ɾ8`P.T>Wmv oIG~B+JtD-e.)Qm|KC8e3집`p+Ne_bK\ЉPHR\?&.?]'z? /`$+]#|PĿɗ^N>B@bkz=F@ _#WMd1w3iɟ=NZI;V\,~bPB!u$6-_D'd+O_E&dp|\nby%T'E.aԳ, ha8MfMYzft0~m0<0t 2lٟ@=BRz6f=ZXHY0瓌#H}T_ʄ*!#M"M%qɽCF^E%7/p!Ʌ ßL?R(aLAYxNQM֟6JENmD)Z>HCEs"tTow*%O %]JdXٓKAO74Ik_}\ki`N\ԗ $ͺf +r}68Xxj1VNH1H@. k**uҚ ܯ2>(dpPLTV,SHRd(*+A ji[5L3"slXiv@-Um0XcT=cR*_zI@n{t \Po8ƺb4.Q1%^#ba ]/U֪xJBV4Q7:karGP4qfc&8*ێV3^#s< = 8i#΂A#f * 3^:K CIP1Ftwdw( (Ɔ09XR->Ȣ^`Q=7#da2p!Q_*~^ %3dv ̀+}q٩ۡӧٗU3'A3|fuhiNxugYEĔUT$|̋/ bBNΡ!RLP8hIILZ5) \K砓 Z>&Cg &&dhGDAQۺd~e xYҍr 'DP7#8F@!#P(` bIIƹ53tG0y =3WWŕ8/P,*$ݐ3O^I0/XVclĜ F^JC*E*gYomE 20ݘw!3eh#yFwSjѲ0~G75=#W`R4ћpHu2xi/iF֞bG/fM!!bR@|, qZm[w,_ҡX(i9ʿkjѼzD꽾T9@5ҎA)93WEq;<4L`lEhެ}2UjsE(d]X? 2tgkqi!S8Plmct3j1vJ,].bMzׇ/} 8XES^u)i(t?I]~t1r "^(0t^s|8zx0wwON3 +){Wc<8@<󳢮>ϋ+ 9}yn'HyAC0 = }qΡc-txٙӟc\y}.Fr$p`WQp,,h#hi?Nq6!̚LՌqN67?CML}bh2}\ZkK/=l n%ug/D aH?9d)7YLdoوqn2`G1tlٓ5~JUcSL X !椺kw]cCRO\@_;$%X,%`%fd7n1)Y=0a\x7aDS.J`D#v44V=$m2F-46= IUm8Ԅ%s6 oɸk{tN*z c#,RT;eQ1܁&MjB5AR\]sYY}NB,p3q3I;h,HpNE%mh& 1qI a%wԅy"cGW_<׽z*ii1.h Zft7w.̾<ƽ90ۧ*f}567lq 47#YٚEfJ QDŽM⑒:# Ĥ3@@b{}&Gu,h =αYv(摢#wٽseԲgwDF՝ɦ*miz?(&u9uyGJcf&V_.H()»HOX2zCjA|yc*Qa7 /b&s LK9G X}*:\I u'YF&~$Y/6'2HWIIԟ|tMtCd'by'RGz9D/#K$He0ۃ!$cOˈ5J3y(%Hf!]KCEve I 9:;݂yb~tK#-_ bN>a- ~{66X8R]L!a 3gXǝtz"JkxV5򜕖ڭOBFD\]˙͹OJ(WN榖۔ҤKXO"%  d[QT9! /tOϝ'b bTV,mIA,f[p/r׶svĮHio5EV<|x؋;ZGQfǞo /LBFHV۴[Ͱמ+l‡*^,qEQ5wCw=S%$3FHx>FPh+6iI^*ٶ Dm6؀'}?$Rna_НÊ6wFFjQ6sϐRPpP{nmA_< *!b@٫h(v-ٱ7 l0ETء7H: +z]:XGGpE?7lCp&i@gEd0 I44tqp a)y7:! we#bKW6Pp$\. ޿x[)\kaImlxHkVF-xllZY ~ aB*%\*|;v>|wD&E^7EmI0sd$M+ lX4D*t 2y@$% dqelb 7}k_WۙMWܷa|-ס?|%>Iuk\\#~ubqH(>l(<M.-QhD<b{MDZɬ z-YG@N#_&W=K11AsقGaǤ7;j8* AѬcY6Ѭ8;\G='i^76imNrGAi5;@ω?K L}ibs6}} }A_ӵ \LMs}^MZSX[1\:l^5y6D Da 6ӕeT`Kfvs׹Vu6\^W.ZS}VrGL>uO>فh`: Lֹt!Fid~XJ^OqK>Nu\@BVj3۫ SQ&olN\o_R ]וfFNObQgrb9-j⽚S{\18*2Lwι5/\Χz˥Yݫf &L 1{c'J@Rhdđ;j9X9kG_`Rt+XC1 Rί6`Oe0'RK>Na*sl6%Ah걎Y̱.rp4>],Zf>e*ȥ;'p$jua[|qJUˆkJ! Fd;yA~{a5d3chWx;A-;zlWK_Go7Z,;ɻ\T:E6.n2#y ]Ŝ9#Ӌ]huN \\95 Kza Kp'<]k&Xk?4d'@-p@?UJ ?6EVH#&*21xlǩ#~lH?A;Ez87KjyP )s;f]-s/ ޹ZSUU)b8ePL4dω )ȣāaRxMn*("Qٿ~x$gTT>u@ST$$ 8Z`bY5ªcd (0Wi98siR#E20)RiX-E׿> VYP-.sn}:^ 1M&ݱx $QǨ|2fj{E:k40i"l2Cսݮ2{II2)sCmlDhIVZɟvVkRgv.BC 7LX{3{Hz_&Sǖ?")zۆz'3;oT^yȯ1ϰPǖ_ 5  6y~ w;|p(=-ŖSj }297s-(z;JK P޳ЮSz*wF~xu9h s _g8ZI Lˢ͊K@_0s,.p c~ y"g#c@sv=p-BvY2,@Էtd+ yn^'KAB*#MSGhf,e릥݉CRR0Dj9;ÏIl$3O=Vv].< 1wΩ}šB+/ 5)9t0w4){C?q'<"Db߄%4LzҥKp;qZ;qᴲⲛ|_Q=';yui0H6=8.JRG8*uDh}ff  % Ң ,Neg3p=%#qP]_^i Njq1tՑ\oVli'5p)+g:FKaAdјsy D%"A_aۗ.&_ŏQ9I]d|t*38N ?T16WI'*ϵ?T9=- } %+3V> Lg'5i 'EW#rr<67ϊ8N6(6L_ _xYGJME/yh) {ZtF;JAXLk 1<l=RH!>\xf,Hެyy82bHh2}S~*&8c`uY`bgNy?ka8CqXHDwh&4147-.Ŷc> ج e+.r6,t~؝m4=}{ߕǦ:6Ѻ^륁 b:wd|A)7G;,5myTƣ/,/.8^6ە],@=<^b\`oVⲕyoRTwrwH%p+  le'3N<(`h)Nmy j& /ߞyidqY0WpL$>gX#NX 7G,v*YcNBY/VYc}e#9i~W;JzKL1bK.j;yJ"%$"W8uu(`,7\ׇ6L ~'YA1Vll'( B4.nL.bNlrV/ P); dL!7B \=%mQ**`bb"CD/+HLJEcQ/t #oF'l%Z>G FL \ 3oy#%mP2{ڲY9C&s4xfIvvlZ6 טkZ02|A92x bpXnh8Wi `l //J8VMOxB- E((QGtE,#-mJQ%dd;s.,!ɹ}\I]e?dٲKO},~N&e?qxכIxbn|v\`.$j:n6bc$h )" YB~&*|$T-D]E\Rh:Ah+J!QgL[|%/zTyӾss.#^Y fL2dÆ;M'J?q5h%>u4Dh"l'ц[)`+ZώEL,Cy8w?ٛʳ?1L^U`WiJf,8 wW/j8v́Ce@fkő^ILaHm3λ3-BX~~=Z,8x -}:ihnpUdճ# ΐ&! a^="ȳjn|*2=%!|2H%XHJV A-+BCDR@Of?s:0fSilvؙSn Ŗ^߲ \`µpz;sKܪqLxȅ+ŧܝ*'Tt{{u?Q!VJ"@DO!u$cY'ӄovGx{b!S H7*EϦwR ;xzC/县usxA$Ft~AfUq}śwo˟HT1<Ćp1Rٺ?.Hp/MuYZ2P7[{; fxPmPLSL9~nSnw"bxKp'ET8J^%^Q+]T]Tm UTuTJ۶'G">NrtiCh:$Kr )4 .eW d+rx )!䩔@J.SiyG #m7 kIQBߏD/tRxx-Ŋvj\@:c `Мi}N;s#i|̯wneA}ݙmb.` Ee33a9܋9Ǝ7wQz:' ~w`m?rwqø?3kdc,?sjXA@]~P?o Ŗs ~N: %g&:E?WL.NaF _AjPsvt ,*Z;jnyĵ3{W71`8tWT%Dk!3cWO&]벺ivm&":9iNqb )N$QT$*~@ouR]x,ݣlNl`K9q2|ϵst=x\-?tiJX=sI9saq|hR4o\ x4 ߞ֍;]cz"Jprr se:9]AӇ. 3yGg垖^/H $ҁvxº0"pAr`'UINMXc\kwo>O2#I߿ !$0 5|e*fm7HS2X2ZB0$+<ǪW g*>߻(;irv@i/%|lLJ|&HKW g,)[g2!̣ UJRɩK$`)aD7`,}r +CO _5^ p \R\١\]X)Wv.J+W˕ʮp[Ҡ\ٽ\n+{+{+{ rerer% n+MʕʕYҼ\9\i7+++Jr%\i7˕6Jr]/PL E՟* RԣB~b8 IO{gsWqCqK;X"~L=R" uVY=krTAݸP::;/-K ~$'/W^~yun~CA5|V~㙁:0v֍ciE+17k̀ߺᔱ̠ 沺UE J/ WMg_|a&)W-]>ld -Z>̺.}oS% 64PYn[K!zNMaVu`vBbb)V.Z1o*^~{_ LbkQgP a0} gk ߬k | mE({?cڈ:MmeX4J`Fvps66 7ln5<֮_V  op h jÀa] >{'l-GfSW``-tG| P]aBf 0F~daeY~(Ѯ@6?{&Σ95zM@3 j~./yBM NF=PM/4$Cjz]hhxA]Sqaj#?@Mt6yPӫ^3 j}plZKf ,5>8~ j^ 5/?8 jajH)o5>8j28>?Z@5s j}eY>P%j_P $|h@c5g? hFAͭ4;)o()WBwj['}"' c~~z+aйJf EV*M:Cw*ogv ]C>Xz\9Y oj/`BzlsK\ǀuFkkȽz'Bn`t@rmJn!DðHA_sL~UO}L՜M0ZzsK!zOQ0"w`yAR< ur *&F afh4q~>`\ d\* m% (P"l % &(DCe+(\(۠l %(;삲J<=PBe?)>((P$CIr!(rPA9!PRAIr JP@9 kH-0A61P.AtXc \97 7(7E)\v%](CP <B(r(EPC)R R(ePBJ9 썦RJZXosQb-)VF+^~i[û u/?[q}CXC]x_j Xz+~Kw={DXy墱˔޷jnj;jo ~ ;@",|;uouO{Rk #VIa|H]mzpuu---Sӊ|AAQBallo~XYYhCDh\~:eL&"^0U萦-KnB 9-Hk@@@zzz~Hl1 af^[@軍OBז,Z,l)^Y.$6kY6ᅍfןM'Qkr |~_+O o mUs6 mɫ~̯اmב#Grpɇ ^ӧ\2{t޽xe7Lf>vvv={4jt533Kyݻe,eCaaoRo^Eu6K7TnjO&tzǰGz}-۷-̵0e>&mnjroׯ.ٿZ6lؿyU-c!֥KV\ihhh޽ǪyU>WZUݤg7~)`PnE}رcƍ~ _nݺ_]0/6|V>}\nnn>nܸ/%[J_a*Ca6W&t);`Z$k ;vi^?8 s9,žJ _~5>_!ZOsnPimym !M.2S>VoGGFF_e=Y-l&Usׅ /@ڬ6_pY4MkZ' leCիW/dY+jyw oFBM l1 זxm|v/*ks;;_6>U(~K#֗BE3/22Rd'?Z&EE_#Pn{S{~#v-xזbttt*r[ [;5'0泰xU4՗$qfimwlqFk3}Cf]1^Ϝ96]q; -h^%J3YL6ꈑ'\YWo7Ԡ"^> i$$-u{ݷ )cvMPoik "oZ^>1:. ,TQ6ÿ~WQvUoi=lGwȑ0>_|"6_HK|K~m addd;`}ft~evY'`M^o4‘m&4ڿF{|dZG}lv@S/d9x[2ߨںۗ|'oZۀvūyknоxnm ZۀvūNknоx/^/%m6kE^N+כZ [Z+[ۀFׯC[7}0 hy:tomw^k#hNomw^;_Mm@#ס5C>y:||Yׯw^w^y:|S^K4vk6|}S^Ukj_!ƭ:p⵭FS|v'Ot/^ZۀFE~ X wc|kڻwFaJM!ڹsgtc6m@#hk{'-CkThz~>6|ХKvkYk_m@#r USS ^mimA:5 @>}̙cggV&e5Fsuumfe&'U} &|W//A{Oגs|>c㴶:ZۀFАזsEl˼V!-9 ؖy4]h˼fQ^#1Tmu|N~mp=)շׇ>>ܖіym׶k;߿*Mvamv0 Ց-O֖y]4֊kk[o@U hFFFCkqi„On˼>kmG^֭[l2.dɒo\~>f͚5w/e^ob>9q]m=[nJPf$k^_CM13g> m@ݻ&nN8;;°k[_˯L&m~8ꥨszh߯NsЮympևˏ5໺z:ϦZ~fٳ?aX[jk8`~U'|N 2 ZۀѫW/~U11Xݦ@}@np[w6A0~묅WևG65̎~+fo@6qcԄ~}l?~mhާ!whmz[6q|+`4W h-9zS;f9F]v]sUҴ_u5m}p뗒9J}|W_ڭm@prrԶAmmY0 |,{<7 Z ׽Kzݓuw:BAlQo>(x(h@9nC(in^.S^.SS\<}wp6e'p½cNKtu*u/90}g]fI?3cr0Ξu3p~ ֶ&j6z 0t@)+Iɭ.b02MX|~`G=+o;6ϝ )(0le.c1 ( 3  Cv,http://www.openRCE.org.http://www.openrce.org/\http://www.rootkit.com/newsread.php?newsid=501\http://www.rootkit.com/newsrOh+'0T hp     Reliable Windows Heap Exploits Ohorovitz Peter144Microsoft PowerPoint@2L@ж6@P݊L GSg  )'    """)))UUUMMMBBB999|PP3f333f3333f3ffffff3f̙3ff333f333333333f33333333f33f3ff3f3f3f3333f33̙33333f333333f3333f3ffffff3f33ff3f3f3f3fff3ffffffffff3ffff̙fff3fffff3fff333f3f3ff3ff33f̙̙3̙ff̙̙̙3f̙3f333f3333f3ffffff3f̙3f3f3f333f3333f3ffffff3f̙3f3ffffffffff!___wwwion\4'A x(xKʦ """)))UUUMMMBBB999|PP3f3333f333ff3fffff3f3f̙f3333f3333333333f3333333f3f33ff3f3f3f3333f3333333f3̙33333f333ff3ffffff3f33f3ff3f3f3ffff3fffffffff3fffffff3f̙ffff3ff333f3ff33fff33f3ff̙3f3f3333f333ff3fffff̙̙3̙f̙̙̙3f̙3f3f3333f333ff3fffff3f3f̙3ffffffffff!___wwwCCCCCCCCCCCCCCCCCCCCCCýSuS2YuMSYYSýýýLtsM,Y2YtutsMSSYSMttsst,,Y2Yýuu,MRttS,YSYSuS2S2Y,MLtttRM,S2Y2YýuuSSSYSYSzS,,S,M,SSYSYSuS2S2YSY2YSYSz2S,22Y2YSYSYuS,SSzYYSYSYSYSzYYYYSYYYSYSYSýLM&,&,,YSYSY2YSY2SSz2Y2Y2S2Y2YSYttt,,,,&MSYSYSYSYSYSzYYSYSYSYSYSYSotst%,&,&,2YSYSY2YSYSY2S2S2Y2SSY2Ytt&M,M,MSYSYSYSYSzSS,M,S,YSYSY2ttnssu&,&,&MSY1S2Y2YSM+RLtL,,S2S2SttsM&M,,,SSYSYSY2SMtstM,Y2Y2ottsst,&,&,,YSY2Y2S+tsssL,2S2SÚtuttL,,M,,2YSYSY,utt,SSY2ttotnsssss+,&,&,2S2Y2,LssstsM,S2Sttttu,,&,,SSYSS,utttM22S2totosssssssssM&,&,,Y2S22+sssL,,S,2ÚttttsoM,,&MSYSY2MLttM,S2S2ýtuuuototntsssssssssssssss%,&,&22S2S,,+tttLM,S1222ÚuuuuSS,M&,&Su&M,,,Y2Y2zS,,M,,,S2S2S2SSMSMSMSSuSuuuuuuuuuuuSuMuMS,S,S,S,S,S,,&,&Msssssssssssst,&,&,2S2SSY2S,,,S2S,2+2zSzSzuzSzSuSuSSSuSSSSSSSuSSSSSSSuSSSS,S,S,S,S,S,SSSSzSSSSSSSSSS2S,,&,MSMMSMSSzYzzzSzSzSzSzSSSRuSuSuSuSuSuSuSuSuSuSuSuSuSuSuSzSuSuRSSS2S+S+S+SRSRuSS2S2SSS2SSS+,&,&Lsst,MMM,YRSSz1S2S1S2S1SMSzuuzuuuuuuzuuzuuzuuzuzuuzSzuzSzuzSzuzSuzuzuzSzSzuzSuMSMMttuMuMS2S2YSS2S22,S22,S,uzuzuzuzuzuzuzuuuzSzuzuuuzSuuzuzuzuzSuSSSuSuSuSuSuuuSzSSSzSSSSSu,M,MMLM,u,22SSS22,,,2+2,2+2zzuzzuuzzuuzuzzuzuuzzSzzzSzzzuzuzSzzuSSuu,uM,M,M2Y2S2S,,,,,2,S,2,tuzRSzuztzuSzzuuuuuuSzSzuztuSz2zuSRuStRzuzuStSuSzSuMMMStssss+,%,&212,,%RLtL,&,+,+2zSzuuuzuzSSuzuzuSSSzuzzuuzzuuzuSuSSzSSuS,zuuuSSz2zuSSSSu,uMu,M,M,S2MMtsttM,S,S,zS2zuSuuuzuSuSuzuuuzSuSuuuuzSzSR2Rz+SzSRuSuuuSuS+zSuMuMMstMMSMSSS+sssL,MSLuzSSSzuzuzSzuzuzuzuzSzuzSSuuuzuzSzuzSzSYuS2zSSSzSzzzSzSuSzSSSuMMMS,u,M,M,S,Sttt,M,S,+S,S+SSSRSSSSSSSRSSSSSSSSSSSMSSSSSMS+,,2,,+2+,+,+,MS+S2S+2+2+2+,%&&,LssssssssssssssssssssssssssL,&,&,+,LststntsM%,+2S,SSSSSSSSSSzSSSSSSSSMSMSMSMSMuuuuuuuuuuuuuuuuuuuuuuuuSuMSMS,S,,&,&tsst,,,,,2,Sttts,,,2,2S+S2S,S,S,SSuMuuuuýututuototntnssssssssssssL,&,&,,,%tsstsL,,,+,S,SMuuuÚuuoutttt,,,,,S,,LtttM&2,,,tutuotntnsssssssssL,%,,,+,,,+totL,&,+,+,Útuttssu,,,,,2,S,,&M,,&,,2,,,tuotntssssssL,&,%,,2+S,,&,,,+,,,+,tttstM,,,,,S,S,S,2,S,2,,,2,tuotntsssssssst+,%,,,+,+S+,+,+,+,+,+2tuttsstLM,,,,,,,S,,,2,,,,,,,,,ÚttotsssstsR%,,,+,,,+2,,%,,,%,,,+,tttstttL,,,,,,2,2,,&,&,,,,2,,,ttLtntL,&,%,,,+,&,%LLtL,&,%,+,uuLM&,,,,,,2,,LtsttM,,,2,u,,&,+,,,%tstntsL,&,+,M,,,&Mtttt,,,,,L,+tntstntnM%,+,uuLtts,,,,,ttLtL,&,+,uM&,,2,L,+,u,/www.rootkit.com/newsread.php?newsid=501\http://www.rootkit.com/newsread.php?newsid=501 hhttp://www.rootkit.com/vault/fuzen_op/TCPIRPHook.ziphhttp://www.rootkit.com/vault/fuzen_op/TCPIRPHook.zip phttp://www.rootkit.com/vault/hoglund/basic_mdl_flags.zipphttp://www.rootkit.com/vault/hoglund/basic_mdl_flags.zip ^http://www.rootkit.com/vault/hoglund/migbot.zip^http://www.rootkit.com/vault/hoglund/migbot.zipRhttp://www.bugcheck.org/code/bytehook.zipRhttp://www.bugcheck.org/code/bytehook.ziplhttp://www.rootkit.com/vault/fuzen_op/SysEnterHook.ziplhttp://www.rootkit.com/vault/fuzen_op/SysEnterHook.zip`https://www.rootkit.com/vault/hoglund/rk_044.zip`https://www.rootkit.com/vault/hoglund/rk_044.zipjhttps://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zipjhttps://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip Visio Visio.Drawing.60.Microsoft Visio Drawing2http://www.uninformed.org4http://www.uninformed.org// 0DTimes New RomanTT${ܖ 0ܖDArial BlackmanTT${ܖ 0ܖ" DArialBlackmanTT${ܖ 0ܖ0DWingdingskmanTT${ܖ 0ܖ@DTahomagskmanTT${ܖ 0ܖPDCourier NewmanTT${ܖ 0ܖ1`DTimesr NewmanTT${ܖ 0ܖ C0.  @n?" dd@  @@``_>*whoosh.wav.WAV 10103RIFFWAVEfmt ++data~~~~~~~~~~~~~~~~~~~~~~~~~~~|||~~~~~zvtvxz|~zvrnlrv||vtrpptz~|xvtv|~~zxvvvz|~xrlhntzzvrrpprrx~|j[QU_|bICCYn[ICY~zlnh]_r|]SUSSjz|x__l~v_]drnUb|nfd_]d]5=rrnj]jz~lMldrx[[_f|YQfWK_xh[zx[CIjzxxdSQz|_fI9WӹM;QnvK;OUx~xj]]YS~ɵlM?plM;CGpٵ[)Kh|% %;xtKQS]ɖbGr|lSnvz~nfS[nëx;Az=+AYݻ|=/1r_ ?|潄W5/Czãf)/pvbMQr|O=OtjdhjlG?G_ɊK3לdQCMppW;1SŷAMz/#?bx͖SAM[hvhYp~~zrvt[]ptWOUtxxd]v~vvxzd_xzh_nrSQltbdp~_lrQ_l][tf]W]~hWfp|fWhnhbU[hzlSCWbYbnxpdhjvjM9Ot]GQ[dpp~hhhdpx~xh]Yntnrp]dlvjQMb|vdjpzxzztljr||_[r~~jb_j|z|xpp~~v]Wh||zx|x|zzndhpxr]Yfntzjl|z||~vppnrzphrxz|~|xtrjjtv~~vz|z||xrrv~xrprtz|||vzxvx|xtx~~~~~~~zxxxx|zxz~~~rrz~|xz~~|vtx|zxz|~~~||zx|||~~zz|zz~~~~|~~||~~||zz|~||z~~~~zxzz|~~~~|~~~|~||~~~~~~~~~~~~~|||~~~~~~~~~~~~~||~~||~||~~~~|||~~~~||||~~~~~~||||~~~~~~~~~~~|~~~~|zz~~~~~~~||||~~||~~~~~|||~~~~~|||~|~|~~~~|z|~~~~~~~|||~~~~~~~~||~~~~~~~~    5{3 X>5&?/J  24kkk+52)52       @#"(*% 0.0?2$N$E ՒR›R$nfɁcuךb$i:$VYs AAԔ" @333f@80___PPT10 ___PPT9nyp \  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~J      !"#$%&'()*+,-./023456789:;<=>?@IKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxy{|}~Root EntrydO)@@ Pictures+Current User42SummaryInformation(UPowerPoint Document(ƎDocumentSummaryInformation8 ead.php?newsid=501 hhttp://www.rootkit.com/vault/fuzen_op/TCPIRPHook.ziphhttp://www.rootkit.com/vault/fuzen_op/TCPIRPHook.zip phttp://www.rootkit.com/vault/hoglund/basic_mdl_flags.zipphttp://www.rootkit.com/vault/hoglund/basic_mdl_flags.zip ^http://www.rootkit.com/vault/hoglund/migbot.zip^http://www.rootkit.com/vault/hoglund/migbot.zipRhttp://www.bugcheck.org/code/bytehook.zipRhttp://www.bugcheck.org/code/bytehook.ziplhttp://www.rootkit.com/vault/fuzen_op/SysEnterHook.ziplhttp://www.rootkit.com/vault/fuzen_op/SysEnterHook.zip`https://www.rootkit.com/vault/hoglund/rk_044.zip`https://www.rootkit.com/vault/hoglund/rk_044.zipjhttps://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zipjhttps://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip Visio Visio.Drawing.60.Microsoft Visio Drawing2http://www.uninformed.org4http://www.uninformed.org// 0DTimes New Romanhhz 0DArial Blackmanhhz 0" DArialBlackmanhhz 00DWingdingskmanhhz 0@DTahomagskmanhhz 0PDCourier Newmanhhz 01`DTimesr Newmanhhz 0 C0.  @n?" dd@  @@``_>*whoosh.wav.WAV 10103RIFFWAVEfmt ++data~~~~~~~~~~~~~~~~~~~~~~~~~~~|||~~~~~zvtvxz|~zvrnlrv||vtrpptz~|xvtv|~~zxvvvz|~xrlhntzzvrrpprrx~|j[QU_|bICCYn[ICY~zlnh]_r|]SUSSjz|x__l~v_]drnUb|nfd_]d]5=rrnj]jz~lMldrx[[_f|YQfWK_xh[zx[CIjzxxdSQz|_fI9WӹM;QnvK;OUx~xj]]YS~ɵlM?plM;CGpٵ[)Kh|% %;xtKQS]ɖbGr|lSnvz~nfS[nëx;Az=+AYݻ|=/1r_ ?|潄W5/Czãf)/pvbMQr|O=OtjdhjlG?G_ɊK3לdQCMppW;1SŷAMz/#?bx͖SAM[hvhYp~~zrvt[]ptWOUtxxd]v~vvxzd_xzh_nrSQltbdp~_lrQ_l][tf]W]~hWfp|fWhnhbU[hzlSCWbYbnxpdhjvjM9Ot]GQ[dpp~hhhdpx~xh]Yntnrp]dlvjQMb|vdjpzxzztljr||_[r~~jb_j|z|xpp~~v]Wh||zx|x|zzndhpxr]Yfntzjl|z||~vppnrzphrxz|~|xtrjjtv~~vz|z||xrrv~xrprtz|||vzxvx|xtx~~~~~~~zxxxx|zxz~~~rrz~|xz~~|vtx|zxz|~~~||zx|||~~zz|zz~~~~|~~||~~||zz|~||z~~~~zxzz|~~~~|~~~|~||~~~~~~~~~~~~~|||~~~~~~~~~~~~~||~~||~||~~~~|||~~~~||||~~~~~~||||~~~~~~~~~~~|~~~~|zz~~~~~~~||||~~||~~~~~|||~~~~~|||~|~|~~~~|z|~~~~~~~|||~~~~~~~~||~~~~~~~~    5{3 X>5&?/J  24kkk+52)52       @#"(*% 0.0?2$N$E ՒR›R$nfɁcuךb$i:$VYs AAԔ" @333f@80___PPT10 ___PPT9nyp \Xh$4PNG  IHDR [AsRGBPLTEf3f cmPPJCmp0712|m.tRNS@f,IDATWc`@L`EHD:)a&fy 9J>p|gIENDB`? ,O  =|~3RAIDE: Rootkit Analysis Identification Elimination 4$$$$$$ $$ $$& Who Are We? $rPeter Silberman Undergraduate College Student (*yuck*) Independent Security Research Author of FUTo, (soon to be released PAIMEIdiff) Contributor to http://www.openRCE.org (VISIT THE SITE) Jamie Butler Currently Un-Employed& . J Software attestation Rootkit detection Author of Rootkits: Subverting the Windows Kernel Co-author of Shadow Walker proof-of-concept memory subversion rootkit Pioneer of Direct Kernel Object Manipulation (DKOM)  '333 333' '  { 333 R N^6 0Agenda$What is going to be covered? Quick Review: Define Rootkits & Hooks Userland Hooks: Import Address Table (IAT) Export Address Table (EAT) Kernel Hooks: KeServiceDescriptorTable Inline Hooks Entry (Index) Overwrite I/O Request Packet (IRP) Interrupt Descriptor Table Model Specific Registers (MSR) Process Hiding: Old School DKOM (FU) New School FUTo Previous Detection Techniques RAIDE DemoZZ(Z6ZZZ%ZSZZCZ Z(6  %SC P2 L*What is a Rootkit?$ Definition might include a set of programs which patch and Trojan existing execution paths within the system Hooks or Modifies existing execution paths of important operating system functions The key point of a rootkit is stealth our definition includes they must make an attempt to hide some action. Rootkits that do not hide themselves are not then using stealth methods and will be visible to administrative or forensic tools (i.e. DeviceTree from OSR) shows all non-hidden drivers.bTSnTSn >T~ )Userland Hooks$IAT hooks Hooking code must run in or alter the address space of the target process If you try to patch a shared DLL such as KERNEL32.DLL or NTDLL.DLL, you will get a private copy of the DLL. Three documented ways to gain execution in the target address space CreateRemoteThread Globally hooking Windows messages Using the Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs v JlEHV JlEH V,g#" EAT Hooks $User mode DLL s and Kernel drivers both export functions Export Address Table is a table of pointers to functions within a module that are callable by other modules Modifying this table in kernel mode will redirect every modified call to a hooked function Modifying this table in user mode will redirect every call within that given process space but not system wide. Common Hooks in User mode: GetProcAddress LoadLibrary CreateToolhelp32Snapshot Common Hooks in Kernel mode: Ndis*9Z7ZZ4ZZZ974 > 7Hooking The Kernel$:The operating system is global memory Does not rely on process context Except when portions of a driver are pageable By altering a single piece of code or a single pointer to code, the rootkit subverts every process on the system Kernel Object Hooking (KOH) is a great an example of pointer modification. Modification of function pointers to: Callbacks Driver Unload routines Etc.. KOH introduces a very tough issue of detection since its hard to ascertain in a lot of cases where a pointer is suppose to point Greg H - http://www.rootkit.com/newsread.php?newsid=501 H.&(:H.&(<mEJ. 0 9KeServiceDescriptorTable $ KeServiceDescriptorTable $  (KeServiceDescriptorTable Entry Overwrite))$  %KeServiceDescriptorTable Inline Hook &&$  I/O Manager IRP Hooking$?System calls used to send commands NtDeviceIoControlFile NtWriteFile Etc. Requests are converted to I/O Request Packets (IRPs) IRPs are delivered to lower level drivers Examples of this kind of system modification can be seen in: TCPIRPHook (http://www.rootkit.com/vault/fuzen_op/TCPIRPHook.zip) Any and every firewall `#'Y#'Y |# 5c -  0& Interrupt HookingIEach CPU has an IDT IDT contains pointers to Interrupt Service Routines (ISRs) Uses for IDT hooks Take over the virtual memory manager Single step the processor Intercept keystrokes Examples of this kind of system modification can be seen in: OverflowGuard Shadow Walker OneByteHook (http://www.bugcheck.org/code/bytehook.zip) LbT=WbT=WNI  ) 0F Model Specific Reigsters (MSR)$ SYSENETER is the replacement for int 2E which passed control from user mode to kernel mode. NTDLL loads EAX with the system call number (i.e. 0x25) EDX is loaded with the current stack pointer ESP NTDLL executes the SYSENTER instruction SYSENTER passes control to an address in the IA32_SYSENTER_EIP Model Specific Register. IA32_SYSENTER_EIP is readable and writable but is a privileged instruction. Examples of this kind of system modification can be seen in: SysEnterHook (http://www.rootkit.com/vault/fuzen_op/SysEnterHook.zip) X]F]GF! / 0Process Hiding Circa 03$NTRootkit By Greg Hoglund Hooks the following functions to hide processes/files/registery entries: NTCreateFile NTCreateThread NTEnumerateKey NTEnumerateValueKey NTQueryKey NTQueryDirectoryFile NTQuerySystemInformation Quite dated but was the first public rootkit of its kind. Examples of this kind of system modification can be seen in: NTRootkit (https://www.rootkit.com/vault/hoglund/rk_044.zip) zIx=Ix=  7   'L 0 0eProcess Hiding Circa 04$cFU by Jamie Butler FU introduces Direct Kernel Object Manipulation and takes process hiding to the next level. DKOM can be used to: Hide a process Locate the EPROCESS block of the process to hide Change the process behind it to point to the process after the process you are hiding Change the process after it to point to the process before the one you are trying to hide Add Privileges to Tokens Add Groups to Tokens Manipulate the Token to Fool the Windows Event Viewer Hide Ports Examples of this kind of system modification can be seen in: NTRootkit (https://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip)^B^  B4" - 0-bHiding Processes - Windows Process Hiding Currently 06$PHIDE2  by 90210 Remove threads from KiWaitInListHead, KiWaitOutListHead and KiDispatcherReadyListHead and creates its own lists that it swaps in and out when it wants to give its own threads CPU time. FUTo  by Peter Silberman & CHAOS Uninformed Journal Vol. 3 (http://www.uninformed.org) New version 2 of FU. Hence the  To Hides from IceSword and Blacklight Option  pngh bypasses as of (06/26/06): Blacklight (F-Secure) AntiRootkit (BitDefender) Helios DarkSpy does detection FUTo -phng "}(9""}( 9 "'d $1       0 "8FUTo  Modifying PspCidTable$$ @FUTo removes itself from the PspCidTable. PspCidTable Job of PspCidTable is to keep track of all the processes and threads PspCidTable s indexes are the PIDs of processes. Returns the address of the EPROCESS of a process at the location corresponding to the PID. Problems: Relying on a single data structure is not a very robust By altering one data structure much of the OS has no idea the hidden process exists z6F 6F  l   4 Kernel Structures: The Tables$Handle Table: Handles are an index into the Handle Table for a particular object Objects represent processes, threads, tokens, events, ports, etc. The Object Manager must do the translation from a handle to an object The Object Manager consults the Security Reference Monitor to determine access to the object Every process has its own handle table to keep track of the handles it owns 8ttKernel Structures: The Tables$lkd> dt nt!_HANDLE_TABLE +0x000 TableCode : Uint4B +0x004 QuotaProcess : Ptr32 _EPROCESS +0x008 UniqueProcessId : Ptr32 Void +0x00c HandleTableLock : [4] _EX_PUSH_LOCK +0x01c HandleTableList : _LIST_ENTRY +0x024 HandleContentionEvent : _EX_PUSH_LOCK +0x028 DebugInfo : Ptr32 _HANDLE_TRACE_DEBUG_INFO +0x02c ExtraInfoPages : Int4B +0x030 FirstFree : Uint4B +0x034 LastFree : Uint4B +0x038 NextHandleNeedingPool: Uint4B +0x03c HandleCount : Int4B +0x040 Flags : Uint4B +0x040 StrictFIFO : Pos 0, 1 Bit XZN7/;1  ) .#)% A! ,- \ &Handle Table Translation Handle Table Translation 1)Detecting Hidden Processes PID Bruteforce**$ >Blacklight Bruteforces PIDs 0x0 - 0x4E1C Calls OpenThread on each PID If Success store valid PID Else Continue Loop Finished looping, take list of known PIDs and compare it to list generated by calling CreateToolhelp32Snapshot Any differences are hidden processes Called Cross-View method or Difference Based Method  4  4Z   `RAIDE/RAIDE: Design Thoughts$ RAIDE was designed to be an all stop shop for most common rootkit detection needs RAIDE uses secure communication methods to prevent people from interfering with our communication RAIDE is not developed with a GUI does not require any runtime dll s/frameworks etc. RAIDE was designed for both advanced users who want the files for research and beginners who just want to be rootkit free. >:1RAIDE$RAIDE can run on: Win XP  SP2 Win 2K SP4 (Hasn t been tested on earlier versions, feel free to donate copies and RAIDE will support all win2k) Win 2k3 pre sp1  Issues were found for post SP1 and support is being worked on. (+RAIDE Communication RAIDE communication designed to thwart Crappy And Stupid Application Specific Attacks (CASASA) RAIDE uses Shared Memory segments to pass information kernel land user land Shared Memory segment is randomly generated Communication uses randomly named events for signaling Uses randomly generated process names RAIDE spawns a user process from a driver to do a Difference Based or Cross-View comparison The spawned process looks like any other process spawned from userland. N 0RAIDE: What it is not$A replacement for common sense!!!! RAIDE will NOT keep you rootkit free nor will it pick up every rootkit, it s a cat and mouse game RAIDE will not find hidden files/directories/registry entries, it was not designed its not a feature in development RAIDE does not restore driver IRPs/IDT/MSR RAIDE will not at the moment identify hidden drivers there are plenty of applications out there to do so. RAIDE will not identify drivers hiding in plain sight as rootkits since they are not HIDDEN nor are they hiding ANYTHING. : ZZZ P; ; RAIDE: Analysis (User Hooks)H$$$$$Analyze User mode: In User mode check all  important loaded modules: Verify each module s IAT Make sure the function pointers point to the correct DLL Make sure the function pointers don t point to .reloc sections Verify each module s EAT Make sure the exported function pointers point within the DLL Make sure the exported function pointers don t point out of the .text section 3x3x      ,RAIDE: Analysis (Kernel Hooks)H$$$$$Find Kernel mode hooks: Verify KiSystemServiceDescriptorTable (SSDT) function pointers Make sure the function pointers point within NTOSKRNL Verify each SSDT function s have not been modified Load ntoskrnl off of disk and and compare the instructions Check the IDT make sure the handlers point to ntoskrnl Check within the preamble of each IDT handler make sure no common inline methods i.e. jmp, ret etc& Check the IA32_SYSENTER_EIP MSR to make sure it points to ntoskrnl Check important driver s for IRPs hooks ?i;7dk?i;  7dkHWE!RAIDE: AnalysisH$$$$$,Analyze the system for DeepDoor like hooks: (,,(RAIDE: Analysis>Goal for Process Detection: Signature that can not be zeroed out Signature that is unique Signature must not have false positives&gg)RAIDE: Analysis>Signature: Locate pointers to  ServiceTable ServiceTable = nt!KeServiceDescriptorTableShadow ServiceTable = nt!KeServiceDescriptorTable Contained in all ETHREAD Hidden Process: Spawn a process with random name Spawned process generates process list sends processes list visible to RAIDE RAIDE compares the two lists finding the differences hidden processes  "\!''5 "\! ''5b  ! -RAIDE: Dumping Process>Dumping Process Allows Security Analysts to reverse the executable or system file and see what it was doing. Does not matter if the file is originally hidden on the HD. Dump file is renamed and put in the working directory. Dumping lets analysts bypass any packer protection. :llRAIDE: AnalysisH$$$$$HForensic Analysis of hooking modules or hidden processes: If a hook is found in kernel and the hooking module was identified, rename it dump it to the current directory. If a hidden process is found, dump the process and all dlls in the user space to the current directory. Feature is in BETA and not included in public release R:7:ih7dRAIDE: IdentificationH$$$$ $Identification of Hooks: After analyzing the system, identify the hook type. Hook Types are as follows: SSDT Overwrite / SSDT Inline Hook IAT Overwrite / IAT Inline Hook EAT Overwrite / EAT Inline / EAT Forward Hook (user and kernel mode) IRP Hook IDT Hook MSR Hook Open Block/ Characteristics Hook After analyzing the system, identify the method being used to hide processes. The current methods identified are: DKOM PspCidTable modification Z4ZZZNZ$ZZ4 N$ *RAIDE: Identification> To detect hidden process methods, we need to know the two methods most commonly used. DKOM PspCidTable If the process is not visible by walking ActiveProcessList in the EPROCESS block then it was hidden using the DKOM method. However for it to be hidden with the DKOM method it has to be visible in the PspCidTable, so RAIDE will walk that as well. If it is hidden in both it uses the FUTo method.XVZZ{ZZV{P[ * G $RAIDE: IdentificationH$$$$ $Whitelisting Firewalls Most firewalls act very similar if not exactly like rootkits. RAIDE whitelists drivers using signatures such as checksums and other values. If the hooking driver matches a signature the user is notified that tampering with the hook could result in system failure. RAIDE does NOT rely on behavioral analysis to identify firewalls, since any rootkit mimicking these behaviors would fool the system. P}}H ? 3'RAIDE: IdentificationH$$$$ $9Currently identified Firewalls: Kaspersky Internet Security 6.0 BitDefender 9 Professional Plus Outpost Firewall Pro v3.5 F-Secure Internet Security 2006 ZoneAlarm 6.5 Kerio Personal Firewall 4.1 Trend Micro PC-Cillin Internet Security 2006 Kerio WinRoute 6.2.1 Identifies 253 hooks installed by these products. P 3 3  O &;RAIDE: Elimination0$$ $Rootkit Elimination Restore Hooks Restore the original value of inlined hooked functions Restore original function pointers in the SSDT Restore original values of drivers whose EAT have been modified Restore Process Options: Process hidden by DKOM: can be relinked to make the reappear in task manager. can be closed If a process is hidden using FUTo methods: It is not safe to close or attempt to relink the process E+: E +:Z9S0%Thanks $Peter  Bugcheck, greg h, pedram, uninformed/research ers Jamie - DDP  &DEMO.DEMO$Our Demo VM will have the following: Hooks: Inline Hooks SSDT Overwrite Hooks IDT Hook Driver EAT Hooks MSR Hook EAT Hook(s) Hidden Process: FU Hidden Process FUTo Hidden Process And& . WinDbg This is all on VMWare& . %Q&%Q& Zu#/p  0L0  p$(  pr p S    }  r p S x   H p 0޽h ? f___PPT10i.PV+D=' ' = @B +  0L0 $(  r  S x}    }  r  S y}   }  H  0޽h ? f___PPT10i.WP9+D=' ' = @B +r%.(.[*1( 3  Nv,http://www.openRCE.org.http://www.openrce.org/\http:/  !"#$%&'()*+,-./0123՜.+,D՜.+,    On-screen ShowNAIƎ, 5Times New Roman Arial BlackArial WingdingsTahoma Courier NewTimesTechyMicrosoft Visio Drawing4RAIDE: Rootkit Analysis Identification Elimination Who Are We?AgendaWhat is a Rootkit?Userland Hooks EAT HooksHooking The KernelKeServiceDescriptorTable KeServiceDescriptorTable )KeServiceDescriptorTable Entry Overwrite&KeServiceDescriptorTable Inline Hook I/O Manager IRP HookingInterrupt HookingModel Specific Reigsters (MSR)Process Hiding Circa 02Process Hiding Circa 04Hiding Processes - WindowsProcess Hiding 06FUTo Modifying PspCidTableKernel Structures: The TablesKernel Structures: The TablesHandle Table TranslationHandle Table Translation*Detecting Hidden Processes PID BruteforceRAIDERAIDE: Design ThoughtsRAIDERAIDE Communication RAIDE: What it is notRAIDE: Analysis (User Hooks)RAIDE: Analysis (Kernel Hooks)RAIDE: AnalysisRAIDE: AnalysisRAIDE: AnalysisRAIDE: Dumping ProcessRAIDE: AnalysisRAIDE: IdentificationRAIDE: IdentificationRAIDE: IdentificationRAIDE: IdentificationRAIDE: EliminationThanks DEMODEMO  Fonts UsedDesign TemplateEmbedded OLE Servers Slide Titles, 8@ _PID_HLINKSA<http://www.openrce.org//http://www.rootkit.com/newsread.php?newsid=5015http://www.rootkit.com/vault/fuzen_op/TCPIRPHook.zip9http://www.rootkit.com/vault/hoglund/basic_mdl_flags.zip0http://www.rootkit.com/vault/hoglund/migbot.zip*http://www.bugcheck.org/code/bytehook.zip7http://www.rootkit.com/vault/fuzen_op/SysEnterHook.zip1https://www.rootkit.com/vault/hoglund/rk_044.zip6https://www.rootkit.com/vault/fuzen_op/FU_Rootkit.ziphttp://www.uninformed.org/_㢎0 Peter PeterXh$4PNG  IHDR [AsRGBPLTEf3f cmPPJCmp0712|m.tRNS@f,IDATWc`@L`EHD:)a&fy 9J>p|gIENDB`? ,O  =<~3RAIDE: Rootkit Analysis Identification Elimination 4$$$$$$ $$ $$& Who Are We? $rPeter Silberman Undergraduate College Student (*yuck*) Independent Security Research Author of FUTo, (soon to be released PAIMEIdiff) Contributor to http://www.openRCE.org (VISIT THE SITE) Jamie Butler Currently Un-Employed& . J Software attestation Rootkit detection Author of Rootkits: Subverting the Windows Kernel Co-author of Shadow Walker proof-of-concept memory subversion rootkit Pioneer of Direct Kernel Object Manipulation (DKOM)  '333 333' '  { 333 R N^6 0Agenda$What is going to be covered? Quick Review: Define Rootkits & Hooks Userland Hooks: Import Address Table (IAT) Export Address Table (EAT) Kernel Hooks: KeServiceDescriptorTable Inline Hooks Entry (Index) Overwrite I/O Request Packet (IRP) Interrupt Descriptor Table Model Specific Registers (MSR) Process Hiding: Old School DKOM (FU) New School FUTo Previous Detection Techniques RAIDE DemoZZ(Z6ZZZ%ZSZZCZ Z(6  %SC P2 L*What is a Rootkit?$ Definition might include a set of programs which patch and Trojan existing execution paths within the system Hooks or Modifies existing execution paths of important operating system functions The key point of a rootkit is stealth our definition includes they must make an attempt to hide some action. Rootkits that do not hide themselves are not then using stealth methods and will be visible to administrative or forensic tools (i.e. DeviceTree from OSR) shows all non-hidden drivers.bTSnTSn >T~ )Userland Hooks$IAT hooks Hooking code must run in or alter the address space of the target process If you try to patch a shared DLL such as KERNEL32.DLL or NTDLL.DLL, you will get a private copy of the DLL. Three documented ways to gain execution in the target address space CreateRemoteThread Globally hooking Windows messages Using the Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs v JlEHV JlEH V,g#" EAT Hooks $User mode DLL s and Kernel drivers both export functions Export Address Table is a table of pointers to functions within a module that are callable by other modules Modifying this table in kernel mode will redirect every modified call to a hooked function Modifying this table in user mode will redirect every call within that given process space but not system wide. Common Hooks in User mode: GetProcAddress LoadLibrary CreateToolhelp32Snapshot Common Hooks in Kernel mode: Ndis*9Z7ZZ4ZZZ974 > 7Hooking The Kernel$:The operating system is global memory Does not rely on process context Except when portions of a driver are pageable By altering a single piece of code or a single pointer to code, the rootkit subverts every process on the system Kernel Object Hooking (KOH) is a great an example of pointer modification. Modification of function pointers to: Callbacks Driver Unload routines Etc.. KOH introduces a very tough issue of detection since its hard to ascertain in a lot of cases where a pointer is suppose to point Greg H - http://www.rootkit.com/newsread.php?newsid=501 H.&(:H.&(<mEJ. 0 9KeServiceDescriptorTable $ KeServiceDescriptorTable $  (KeServiceDescriptorTable Entry Overwrite))$  %KeServiceDescriptorTable Inline Hook &&$  I/O Manager IRP Hooking$?System calls used to send commands NtDeviceIoControlFile NtWriteFile Etc. Requests are converted to I/O Request Packets (IRPs) IRPs are delivered to lower level drivers Examples of this kind of system modification can be seen in: TCPIRPHook (http://www.rootkit.com/vault/fuzen_op/TCPIRPHook.zip) Any and every firewall `#'Y#'Y |# 5c -  0& Interrupt HookingIEach CPU has an IDT IDT contains pointers to Interrupt Service Routines (ISRs) Uses for IDT hooks Take over the virtual memory manager Single step the processor Intercept keystrokes Examples of this kind of system modification can be seen in: OverflowGuard Shadow Walker OneByteHook (http://www.bugcheck.org/code/bytehook.zip) LbT=WbT=WNI  ) 0F Model Specific Reigsters (MSR)$ SYSENETER is the replacement for int 2E which passed control from user mode to kernel mode. NTDLL loads EAX with the system call number (i.e. 0x25) EDX is loaded with the current stack pointer ESP NTDLL executes the SYSENTER instruction SYSENTER passes control to an address in the IA32_SYSENTER_EIP Model Specific Register. IA32_SYSENTER_EIP is readable and writable but is a privileged instruction. Examples of this kind of system modification can be seen in: SysEnterHook (http://www.rootkit.com/vault/fuzen_op/SysEnterHook.zip) X]F]GF! / 0Process Hiding Circa 02$NTRootkit By Greg Hoglund Hooks the following functions to hide processes/files/registery entries: NTCreateFile NTCreateThread NTEnumerateKey NTEnumerateValueKey NTQueryKey NTQueryDirectoryFile NTQuerySystemInformation Quite dated but was the first public rootkit of its kind. Examples of this kind of system modification can be seen in: NTRootkit (https://www.rootkit.com/vault/hoglund/rk_044.zip) zIx=Ix=  7   'L 0 0eProcess Hiding Circa 04$\FU by Jamie Butler FU introduces Direct Kernel Object Manipulation and takes process hiding to the next level. DKOM can be used to: Hide a process Locate the EPROCESS block of the process to hide Change the process behind it to point to the process after the process you are hiding Change the process after it to point to the process before the one you are trying to hide Add Privileges to Tokens Add Groups to Tokens Manipulate the Token to Fool the Windows Event Viewer Hide Ports Examples of this kind of system modification can be seen in: FU (https://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip)^;^  ;"&- 0&[Hiding Processes - Windows Process Hiding 06$PHIDE2  by 90210 Remove threads from KiWaitInListHead, KiWaitOutListHead and KiDispatcherReadyListHead and creates its own lists that it swaps in and out when it wants to give its own threads CPU time. FUTo  by Peter Silberman & CHAOS Uninformed Journal Vol. 3 (http://www.uninformed.org) New version 2 of FU. Hence the  To Hides from IceSword and Blacklight Option  pngh bypasses as of (06/26/06): Blacklight (F-Secure) AntiRootkit (BitDefender) Helios DarkSpy does detection FUTo -phng "}(9""}( 9 "'d $1       0 "8FUTo  Modifying PspCidTable$$ @FUTo removes itself from the PspCidTable. PspCidTable Job of PspCidTable is to keep track of all the processes and threads PspCidTable s indexes are the PIDs of processes. Returns the address of the EPROCESS of a process at the location corresponding to the PID. Problems: Relying on a single data structure is not a very robust By altering one data structure much of the OS has no idea the hidden process exists z6F 6F  l   4 Kernel Structures: The Tables$Handle Table: Handles are an index into the Handle Table for a particular object Objects represent processes, threads, tokens, events, ports, etc. The Object Manager must do the translation from a handle to an object The Object Manager consults the Security Reference Monitor to determine access to the object Every process has its own handle table to keep track of the handles it owns 8ttKernel Structures: The Tables$lkd> dt nt!_HANDLE_TABLE +0x000 TableCode : Uint4B +0x004 QuotaProcess : Ptr32 _EPROCESS +0x008 UniqueProcessId : Ptr32 Void +0x00c HandleTableLock : [4] _EX_PUSH_LOCK +0x01c HandleTableList : _LIST_ENTRY +0x024 HandleContentionEvent : _EX_PUSH_LOCK +0x028 DebugInfo : Ptr32 _HANDLE_TRACE_DEBUG_INFO +0x02c ExtraInfoPages : Int4B +0x030 FirstFree : Uint4B +0x034 LastFree : Uint4B +0x038 NextHandleNeedingPool: Uint4B +0x03c HandleCount : Int4B +0x040 Flags : Uint4B +0x040 StrictFIFO : Pos 0, 1 Bit XZN7/;1  ) .#)% A! ,- \ &Handle Table Translation Handle Table Translation )Detecting Hidden Processes PID Bruteforce**$ >Blacklight Bruteforces PIDs 0x0 - 0x4E1C Calls OpenThread on each PID If Success store valid PID Else Continue Loop Finished looping, take list of known PIDs and compare it to list generated by calling CreateToolhelp32Snapshot Any differences are hidden processes Called Cross-View method or Difference Based Method  4  4Z   `RAIDE/RAIDE: Design Thoughts$RAIDE was designed to be an all stop shop for most common rootkit detection needs RAIDE uses secure communication methods to prevent people from interfering with our communication RAIDE is not developed with a GUI and does not require any runtime dll s/frameworks etc. RAIDE was designed for both advanced users who want the files for research and beginners who just want to be rootkit free. >:1RAIDE$RAIDE can run on: Win XP  SP2 Win 2K SP4 (Hasn t been tested on earlier versions, feel free to donate copies and RAIDE will support all win2k) Win 2k3 pre sp1  Issues were found for post SP1 and support is currently in development. (+RAIDE Communication RAIDE communication designed to thwart Crappy And Stupid Application Specific Attacks (CASASA) RAIDE uses Shared Memory segments to pass information kernel land user land Shared Memory segment is randomly generated Communication uses randomly named events for signaling Uses randomly generated process names RAIDE spawns a user process from a driver to do a Difference Based or Cross-View comparison The spawned process looks like any other process spawned from userland. N 0RAIDE: What it is not$A replacement for common sense!!!! RAIDE will NOT keep you rootkit free nor will it pick up every rootkit. It s a cat and mouse game RAIDE will not find hidden files/directories/registry entries. There are no plans currently to support this. RAIDE does not restore driver IRPs/IDT/MSR hooks. RAIDE will not at the moment identify hidden drivers, but there are plenty of applications out there to do so. RAIDE will not identify drivers hiding in plain sight as rootkits since they are not HIDDEN nor are they hiding ANYTHING. 4  P; ; RAIDE: Analysis (User Hooks)H$$$$$Analyze User mode: In User mode check all  important loaded modules: Verify each module s IAT Make sure the function pointers point to the correct DLL Make sure the function pointers don t point to .reloc sections Verify each module s EAT Make sure the exported function pointers point within the DLL Make sure the exported function pointers don t point out of the .text section 3x3x      ,RAIDE: Analysis (Kernel Hooks)H$$$$$Find Kernel mode hooks: Verify KiSystemServiceDescriptorTable (SSDT) function pointers Make sure the function pointers point within NTOSKRNL Verify each SSDT function s have not been modified Load ntoskrnl off of disk and and compare the instructions Check the IDT make sure the handlers point to ntoskrnl Check within the preamble of each IDT handler make sure no common inline methods i.e. jmp, ret etc& Check the IA32_SYSENTER_EIP MSR to make sure it points to ntoskrnl Check important driver s for IRPs hooks ?i;7dk?i;  7dkHWE!RAIDE: AnalysisH$$$$$pAnalyze the system for DeepDoor and UAY like hooks: Low level NDIS hooks allow complete stealth command and control channels. Attackers have implemented their own TCP/IP stack in the Windows kernel and bypassed the existing stack. Provides invisibility from personal firewalls. Allows the attacker to communicate on non existent ports or on ports bound to other processes. See Alexander Tereskin s talk on bypassing personal firewalls. T44,f *(RAIDE: Analysis>Goal for Process Detection: Signature that can not be zeroed out Signature that is unique Signature must not have false positives&gg)RAIDE: Analysis>Signature: Locate pointers to  ServiceTable ServiceTable = nt!KeServiceDescriptorTableShadow ServiceTable = nt!KeServiceDescriptorTable Contained in all ETHREAD Hidden Process: Spawn a process with random name Spawned process generates process list sends processes list visible to RAIDE RAIDE compares the two lists finding the differences hidden processes  "\!''5 "\! ''5b  ! -RAIDE: Dumping Process>MDumping Process Allows Security Analysts to reverse the executable or system file and see what it was doing. Does not matter if the file is originally hidden on the HD. Dump file is renamed and put in the working directory. Dumping lets analysts bypass any packer protection. Note: sophisticated attack agents do not require the HD. :RAIDE: AnalysisH$$$$$LForensic Analysis of hooking modules or hidden processes: If a hook is found in kernel and the hooking module was identified, rename it and dump it to the current directory. If a hidden process is found, dump the process and all dlls in the user space to the current directory. Feature is in BETA and not included in public release R:7:mh7dRAIDE: IdentificationH$$$$ $Identification of Hooks: After analyzing the system, identify the hook type. Hook Types are as follows: SSDT Overwrite / SSDT Inline Hook IAT Overwrite / IAT Inline Hook EAT Overwrite / EAT Inline / EAT Forward Hook (user and kernel mode) IRP Hook IDT Hook MSR Hook Open Block/ Characteristics Hook After analyzing the system, identify the method being used to hide processes. The current methods identified are: DKOM PspCidTable modification Z4ZZZNZ$ZZ4 N$ *RAIDE: Identification> To detect hidden process methods, we need to know the two methods most commonly used. DKOM PspCidTable If the process is not visible by walking ActiveProcessList in the EPROCESS block then it was hidden using the DKOM method. However for it to be hidden with the DKOM method it has to be visible in the PspCidTable, so RAIDE will walk that as well. If the process is hidden in both, the rootkit uses the FUTo method.XVZZ{ZZV{b[ * I  $RAIDE: IdentificationH$$$$ $Whitelisting Firewalls Most firewalls act very similar if not exactly like rootkits. RAIDE whitelists drivers using signatures such as checksums and other values. If the hooking driver matches a signature the user is notified that tampering with the hook could result in system failure. RAIDE does NOT rely on behavioral analysis to identify firewalls, since any rootkit mimicking these behaviors would fool the system. P}}H ? 3'RAIDE: IdentificationH$$$$ $9Currently identified Firewalls: Kaspersky Internet Security 6.0 BitDefender 9 Professional Plus Outpost Firewall Pro v3.5 F-Secure Internet Security 2006 ZoneAlarm 6.5 Kerio Personal Firewall 4.1 Trend Micro PC-Cillin Internet Security 2006 Kerio WinRoute 6.2.1 Identifies 253 hooks installed by these products. P 3 3  O &;RAIDE: Elimination0$$ $Rootkit Elimination Restore Hooks Restore the original value of inlined hooked functions Restore original function pointers in the SSDT Restore original values of drivers whose EAT have been modified Restore Process Options: Process hidden by DKOM: can be relinked to make the reappear in task manager. can be closed If a process is hidden using FUTo methods: It is not safe to close or attempt to relink the process E+: E +:Z9S0%Thanks $Peter  Bugcheck, greg h, pedram, uninformed/research ers Jamie  the HBG crew, eEye (liquid dietitians), Lil L, and uninformed.   &DEMO.DEMO$Our Demo VM will have the following: Hooks: Inline Hooks SSDT Overwrite Hooks IDT Hook Driver EAT Hooks MSR Hook EAT Hook(s) Hidden Process: FU Hidden Process FUTo Hidden Process And& . WinDbg This is all on VMWare& . %Q&%Q& Pu$/p<  0L0 0 $(  r  S Ŵ     r  S ƴ     H  0޽h ? f80___PPT10.l<  0L0 P $(  r  S Ҵ     r  S Ҵ     H  0޽h ? f80___PPT10.-F<  0L0 `  $(   r   S \     r   S 4     H   0޽h ? f80___PPT10.[<  0L0 $(  r  S      r  S      H  0޽h ? f80___PPT10.W2lj<  0L0  $(  r  S      r  S      H  0޽h ? f80___PPT10.X`nH  0L0 0(  x  c $}     x  c $   }  H  0޽h ? f80___PPT10.W`C<  0L0  l$(  lr l S |#     r l S $     H l 0޽h ? f80___PPT10.PʑrT  0L0 <(  ~  s *,>     ~  s *?     H  0޽h ? 3380___PPT10.<  0L0 P \$(  \r \ S J     r \ S K     H \ 0޽h ? f80___PPT10.CqT  0L0 <(  ~  s *`     ~  s *a     H  0޽h ? 3380___PPT10.<<  0L0  |$(  |r | S      r | S ܘ     H | 0޽h ? f80___PPT10.p0RrP+02N2 v %*1( 3  Nv,http://www.openRCE.org.http://www.openrce.org/\http://www.rootkit.com/newsread.php?newsid=501\http://www.rootkit.com/newsread.php?newsid=501 hhttp://www.rootkit.com/vault/fuzen_op/TCPIRPHook.ziphhttp://www.rootkit.com/vault/fuzen_op/TCPIRPHook.zip phttp://www.rootkit.com/vault/hoglund/basic_mdl_flags.zipphttp://www.rootkit.com/vault/hoglund/basic_mdl_flags.zip ^http://www.rootkit.com/vault/hoglund/migbot.zip^http://www.rootkit.com/vault/hoglund/migbot.zipRhttp://www.bugcheck.org/code/bytehook.zipRhttp://www.bugcheck.org/code/bytehook.ziplhttp://www.rootkit.com/vault/fuzen_op/SysEnterHook.ziplhttp://www.rootkit.com/vault/fuzen_op/SysEnterHook.zip`https://www.rootkit.com/vault/hoglund/rk_044.zip`https://www.rootkit.com/vault/hoglund/rk_044.zipjhttps://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zipjhttps://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip Visio Visio.Drawing.60.Microsoft Visio Drawing2http://www.uninformed.org4http://www.uninformed.org// 0DTimes New RomanTT${ܖ 0ܖDArial BlackmanTT${ܖ 0ܖ" DArialBlackmanTT${ܖ 0ܖ0DWingdingskmanTT${ܖ 0ܖ@DTahomagskmanTT${ܖ 0ܖPDCourier NewmanTT${ܖ 0ܖ1`DTimesr NewmanTT${ܖ 0ܖ C0.  @n?" dd@  @@``_>*whoosh.wav.WAV 10103RIFFWAVEfmt ++data~~~~~~~~~~~~~~~~~~~~~~~~~~~|||~~~~~zvtvxz|~zvrnlrv||vtrpptz~|xvtv|~~zxvvvz|~xrlhntzzvrrpprrx~|j[QU_|bICCYn[ICY~zlnh]_r|]SUSSjz|x__l~v_]drnUb|nfd_]d]5=rrnj]jz~lMldrx[[_f|YQfWK_xh[zx[CIjzxxdSQz|_fI9WӹM;QnvK;OUx~xj]]YS~ɵlM?plM;CGpٵ[)Kh|% %;xtKQS]ɖbGr|lSnvz~nfS[nëx;Az=+AYݻ|=/1r_ ?|潄W5/Czãf)/pvbMQr|O=OtjdhjlG?G_ɊK3לdQCMppW;1SŷAMz/#?bx͖SAM[hvhYp~~zrvt[]ptWOUtxxd]v~vvxzd_xzh_nrSQltbdp~_lrQ_l][tf]W]~hWfp|fWhnhbU[hzlSCWbYbnxpdhjvjM9Ot]GQ[dpp~hhhdpx~xh]Yntnrp]dlvjQMb|vdjpzxzztljr||_[r~~jb_j|z|xpp~~v]Wh||zx|x|zzndhpxr]Yfntzjl|z||~vppnrzphrxz|~|xtrjjtv~~vz|z||xrrv~xrprtz|||vzxvx|xtx~~~~~~~zx      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGxxx|zxz~~~rrz~|xz~~|vtx|zxz|~~~||zx|||~~zz|zz~~~~|~~||~~||zz|~||z~~~~zxzz|~~~~|~~~|~||~~~~~~~~~~~~~|||~~~~~~~~~~~~~||~~||~||~~~~|||~~~~||||~~~~~~||||~~~~~~~~~~~|~~~~|zz~~~~~~~||||~~||~~~~~|||~~~~~|||~|~|~~~~|z|~~~~~~~|||~~~~~~~~||~~~~~~~~    5{3 X>5&?/J  24kkk+52)52       @#"(*% 0.0?2$N$E ՒR›R$nfɁcuךb$i:$VYs AAԔ" @333f@80___PPT10 ___PPT9nyp \Xh$4PNG  IHDR [AsRGBPLTEf3f cmPPJCmp0712|m.tRNS@f,IDATWc`@L`EHD:)a&fy 9J>p|gIENDB`? ,O  =@~3RAIDE: Rootkit Analysis Identification Elimination 4$$$$$$ $$ $$& Who Are We? $rPeter Silberman Undergraduate College Student (*yuck*) Independent Security Research Author of FUTo, (soon to be released PAIMEIdiff) Contributor to http://www.openRCE.org (VISIT THE SITE) Jamie Butler Currently Un-Employed& . J Software attestation Rootkit detection Author of Rootkits: Subverting the Windows Kernel Co-author of Shadow Walker proof-of-concept memory subversion rootkit Pioneer of Direct Kernel Object Manipulation (DKOM)  '333 333' '  { 333 R N^6 0Agenda$What is going to be covered? Quick Review: Define Rootkits & Hooks Userland Hooks: Import Address Table (IAT) Export Address Table (EAT) Kernel Hooks: KeServiceDescriptorTable Inline Hooks Entry (Index) Overwrite I/O Request Packet (IRP) Interrupt Descriptor Table Model Specific Registers (MSR) Process Hiding: Old School DKOM (FU) New School FUTo Previous Detection Techniques RAIDE DemoZZ(Z6ZZZ%ZSZZCZ Z(6  %SC P2 L*What is a Rootkit?$ Definition might include a set of programs which patch and Trojan existing execution paths within the system Hooks or Modifies existing execution paths of important operating system functions The key point of a rootkit is stealth our definition includes they must make an attempt to hide some action. Rootkits that do not hide themselves are not then using stealth methods and will be visible to administrative or forensic tools (i.e. DeviceTree from OSR) shows all non-hidden drivers.bTSnTSn >T~ )Userland Hooks$IAT hooks Hooking code must run in or alter the address space of the target process If you try to patch a shared DLL such as KERNEL32.DLL or NTDLL.DLL, you will get a private copy of the DLL. Three documented ways to gain execution in the target address space CreateRemoteThread Globally hooking Windows messages Using the Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs v JlEHV JlEH V,g#" EAT Hooks $User mode DLL s and Kernel drivers both export functions Export Address Table is a table of pointers to functions within a module that are callable by other modules Modifying this table in kernel mode will redirect every modified call to a hooked function Modifying this table in user mode will redirect every call within that given process space but not system wide. Common Hooks in User mode: GetProcAddress LoadLibrary CreateToolhelp32Snapshot Common Hooks in Kernel mode: Ndis*9Z7ZZ4ZZZ974 > 7Hooking The Kernel$:The operating system is global memory Does not rely on process context Except when portions of a driver are pageable By altering a single piece of code or a single pointer to code, the rootkit subverts every process on the system Kernel Object Hooking (KOH) is a great an example of pointer modification. Modification of function pointers to: Callbacks Driver Unload routines Etc.. KOH introduces a very tough issue of detection since its hard to ascertain in a lot of cases where a pointer is suppose to point Greg H - http://www.rootkit.com/newsread.php?newsid=501 H.&(:H.&(<mEJ. 0 9KeServiceDescriptorTable $ KeServiceDescriptorTable $  (KeServiceDescriptorTable Entry Overwrite))$  %KeServiceDescriptorTable Inline Hook &&$  I/O Manager IRP Hooking$?System calls used to send commands NtDeviceIoControlFile NtWriteFile Etc. Requests are converted to I/O Request Packets (IRPs) IRPs are delivered to lower level drivers Examples of this kind of system modification can be seen in: TCPIRPHook (http://www.rootkit.com/vault/fuzen_op/TCPIRPHook.zip) Any and every firewall `#'Y#'Y |# 5c -  0& Interrupt HookingIEach CPU has an IDT IDT contains pointers to Interrupt Service Routines (ISRs) Uses for IDT hooks Take over the virtual memory manager Single step the processor Intercept keystrokes Examples of this kind of system modification can be seen in: OverflowGuard Shadow Walker OneByteHook (http://www.bugcheck.org/code/bytehook.zip) LbT=WbT=WNI  ) 0F Model Specific Reigsters (MSR)$ SYSENETER is the replacement for int 2E which passed control from user mode to kernel mode. NTDLL loads EAX with the system call number (i.e. 0x25) EDX is loaded with the current stack pointer ESP NTDLL executes the SYSENTER instruction SYSENTER passes control to an address in the IA32_SYSENTER_EIP Model Specific Register. IA32_SYSENTER_EIP is readable and writable but is a privileged instruction. Examples of this kind of system modification can be seen in: SysEnterHook (http://www.rootkit.com/vault/fuzen_op/SysEnterHook.zip) X]F]GF! / 0Process Hiding Circa 02$NTRootkit By Greg Hoglund Hooks the following functions to hide processes/files/registery entries: NTCreateFile NTCreateThread NTEnumerateKey NTEnumerateValueKey NTQueryKey NTQueryDirectoryFile NTQuerySystemInformation Quite dated but was the first public rootkit of its kind. Examples of this kind of system modification can be seen in: NTRootkit (https://www.rootkit.com/vault/hoglund/rk_044.zip) zIx=Ix=  7   'L 0 0eProcess Hiding Circa 04$\FU by Jamie Butler FU introduces Direct Kernel Object Manipulation and takes process hiding to the next level. DKOM can be used to: Hide a process Locate the EPROCESS block of the process to hide Change the process behind it to point to the process after the process you are hiding Change the process after it to point to the process before the one you are trying to hide Add Privileges to Tokens Add Groups to Tokens Manipulate the Token to Fool the Windows Event Viewer Hide Ports Examples of this kind of system modification can be seen in: FU (https://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip)^;^  ;"&- 0&[Hiding Processes - Windows Process Hiding 06$PHIDE2  by 90210 Remove threads from KiWaitInListHead, KiWaitOutListHead and KiDispatcherReadyListHead and creates its own lists that it swaps in and out when it wants to give its own threads CPU time. FUTo  by Peter Silberman & CHAOS Uninformed Journal Vol. 3 (http://www.uninformed.org) New version 2 of FU. Hence the  To Hides from IceSword and Blacklight Option  pngh bypasses as of (06/26/06): Blacklight (F-Secure) AntiRootkit (BitDefender) Helios DarkSpy does detection FUTo -phng "}(9""}( 9 "'d $1       0 "8FUTo  Modifying PspCidTable$$ @FUTo removes itself from the PspCidTable. PspCidTable Job of PspCidTable is to keep track of all the processes and threads PspCidTable s indexes are the PIDs of processes. Returns the address of the EPROCESS of a process at the location corresponding to the PID. Problems: Relying on a single data structure is not a very robust By altering one data structure much of the OS has no idea the hidden process exists z6F 6F  l   4 Kernel Structures: The Tables$Handle Table: Handles are an index into the Handle Table for a particular object Objects represent processes, threads, tokens, events, ports, etc. The Object Manager must do the translation from a handle to an object The Object Manager consults the Security Reference Monitor to determine access to the object Every process has its own handle table to keep track of the handles it owns 8ttKernel Structures: The Tables$lkd> dt nt!_HANDLE_TABLE +0x000 TableCode : Uint4B +0x004 QuotaProcess : Ptr32 _EPROCESS +0x008 UniqueProcessId : Ptr32 Void +0x00c HandleTableLock : [4] _EX_PUSH_LOCK +0x01c HandleTableList : _LIST_ENTRY +0x024 HandleContentionEvent : _EX_PUSH_LOCK +0x028 DebugInfo : Ptr32 _HANDLE_TRACE_DEBUG_INFO +0x02c ExtraInfoPages : Int4B +0x030 FirstFree : Uint4B +0x034 LastFree : Uint4B +0x038 NextHandleNeedingPool: Uint4B +0x03c HandleCount : Int4B +0x040 Flags : Uint4B +0x040 StrictFIFO : Pos 0, 1 Bit XZN7/;1  ) .#)% A! ,- \ &Handle Table Translation Handle Table Translation )Detecting Hidden Processes PID Bruteforce**$ >Blacklight Bruteforces PIDs 0x0 - 0x4E1C Calls OpenThread on each PID If Success store valid PID Else Continue Loop Finished looping, take list of known PIDs and compare it to list generated by calling CreateToolhelp32Snapshot Any differences are hidden processes Called Cross-View method or Difference Based Method  4  4Z   `RAIDE/RAIDE: Design Thoughts$RAIDE was designed to be an all stop shop for most common rootkit detection needs RAIDE uses secure communication methods to prevent people from interfering with our communication RAIDE is not developed with a GUI and does not require any runtime dll s/frameworks etc. RAIDE was designed for both advanced users who want the files for research and beginners who just want to be rootkit free. >:1RAIDE$RAIDE can run on: Win XP  SP2 Win 2K SP4 (Hasn t been tested on earlier versions, feel free to donate copies and RAIDE will support all win2k) Win 2k3 pre sp1  Issues were found for post SP1 and support is currently in development. (+RAIDE Communication RAIDE communication designed to thwart Crappy And Stupid Application Specific Attacks (CASASA) RAIDE uses Shared Memory segments to pass information kernel land user land Shared Memory segment is randomly generated Communication uses randomly named events for signaling Uses randomly generated process names RAIDE spawns a user process from a driver to do a Difference Based or Cross-View comparison The spawned process looks like any other process spawned from userland. N 0RAIDE: What it is not$A replacement for common sense!!!! RAIDE will NOT keep you rootkit free nor will it pick up every rootkit. It s a cat and mouse game RAIDE will not find hidden files/directories/registry entries. There are no plans currently to support this. RAIDE does not restore driver IRPs/IDT/MSR hooks. RAIDE will not at the moment identify hidden drivers, but there are plenty of applications out there to do so. RAIDE will not identify drivers hiding in plain sight as rootkits since they are not HIDDEN nor are they hiding ANYTHING. 4  P; ; RAIDE: Analysis (User Hooks)H$$$$$Analyze User mode: In User mode check all  important loaded modules: Verify each module s IAT Make sure the function pointers point to the correct DLL Make sure the function pointers don t point to .reloc sections Verify each module s EAT Make sure the exported function pointers point within the DLL Make sure the exported function pointers don t point out of the .text section 3x3x      ,RAIDE: Analysis (Kernel Hooks)H$$$$$Find Kernel mode hooks: Verify KiSystemServiceDescriptorTable (SSDT) function pointers Make sure the function pointers point within NTOSKRNL Verify each SSDT function s have not been modified Load ntoskrnl off of disk and and compare the instructions Check the IDT make sure the handlers point to ntoskrnl Check within the preamble of each IDT handler make sure no common inline methods i.e. jmp, ret etc& Check the IA32_SYSENTER_EIP MSR to make sure it points to ntoskrnl Check important driver s for IRPs hooks ?i;7dk?i;  7dkHWE!RAIDE: AnalysisH$$$$$pAnalyze the system for DeepDoor and UAY like hooks: Low level NDIS hooks allow complete stealth command and control channels. Attackers have implemented their own TCP/IP stack in the Windows kernel and bypassed the existing stack. Provides invisibility from personal firewalls. Allows the attacker to communicate on non existent ports or on ports bound to other processes. See Alexander Tereskin s talk on bypassing personal firewalls. T44,f *(RAIDE: Analysis>Goal for Process Detection: Signature that can not be zeroed out Signature that is unique Signature must not have false positives&gg)RAIDE: Analysis>Signature: Locate pointers to  ServiceTable ServiceTable = nt!KeServiceDescriptorTableShadow ServiceTable = nt!KeServiceDescriptorTable Contained in all ETHREAD Hidden Process: Spawn a process with random name Spawned process generates process list sends processes list visible to RAIDE RAIDE compares the two lists finding the differences hidden processes  "\!''5 "\! ''5b  ! -RAIDE: Dumping Process>MDumping Process Allows Security Analysts to reverse the executable or system file and see what it was doing. Does not matter if the file is originally hidden on the HD. Dump file is renamed and put in the working directory. Dumping lets analysts bypass any packer protection. Note: sophisticated attack agents do not require the HD. :RAIDE: AnalysisH$$$$$LForensic Analysis of hooking modules or hidden processes: If a hook is found in kernel and the hooking module was identified, rename it and dump it to the current directory. If a hidden process is found, dump the process and all dlls in the user space to the current directory. Feature is in BETA and not included in public release R:7:mh7dRAIDE: IdentificationH$$$$ $Identification of Hooks: After analyzing the system, identify the hook type. Hook Types are as follows: SSDT Overwrite / SSDT Inline Hook IAT Overwrite / IAT Inline Hook EAT Overwrite / EAT Inline / EAT Forward Hook (user and kernel mode) IRP Hook IDT Hook MSR Hook Open Block/ Characteristics Hook After analyzing the system, identify the method being used to hide processes. The current methods identified are: DKOM PspCidTable modification Z4ZZZNZ$ZZ4 N$ *RAIDE: Identification> To detect hidden process methods, we need to know the two methods most commonly used. DKOM PspCidTable If the process is not visible by walking ActiveProcessList in the EPROCESS block then it was hidden using the DKOM method. However for it to be hidden with the DKOM method it has to be visible in the PspCidTable, so RAIDE will walk that as well. If the process is hidden in both, the rootkit uses the FUTo method.XVZZ{ZZV{b[ * I  $RAIDE: IdentificationH$$$$ $Whitelisting Firewalls Most firewalls act very similar if not exactly like rootkits. RAIDE whitelists drivers using signatures such as checksums and other values. If the hooking driver matches a signature the user is notified that tampering with the hook could result in system failure. RAIDE does NOT rely on behavioral analysis to identify firewalls, since any rootkit mimicking these behaviors would fool the system. P}}H ? 3'RAIDE: IdentificationH$$$$ $9Currently identified Firewalls: Kaspersky Internet Security 6.0 BitDefender 9 Professional Plus Outpost Firewall Pro v3.5 F-Secure Internet Security 2006 ZoneAlarm 6.5 Kerio Personal Firewall 4.1 Trend Micro PC-Cillin Internet Security 2006 Kerio WinRoute 6.2.1 Identifies 253 hooks installed by these products. P 3 3  O &;RAIDE: Elimination0$$ $Rootkit Elimination Restore Hooks Restore the original value of inlined hooked functions Restore original function pointers in the SSDT Restore original values of drivers whose EAT have been modified Restore Process Options: Process hidden by DKOM: can be relinked to make the reappear in task manager. can be closed If a process is hidden using FUTo methods: It is not safe to close or attempt to relink the process E+: E +:Z9S0%Thanks $Peter  Bugcheck, greg h, pedram, uninformed/research ers Jamie  the HBG crew, eEye (liquid dietitians), Lil L, and uninformed. t &DEMO.DEMO$Our Demo VM will have the following: Hooks: (6 rootkits, no hands) Inline Hooks SSDT Overwrite Hooks Driver EAT Hooks MSR Hook Hidden Process: FU Hidden Process FUTo Hidden Process And& . WinDbg This is all on VMWare& . %<&%<& b/_/p  0L0 $(  r  S y~    ~  r  S z~   ~  H  0޽h ? f___PPT10i.WP9+D=' > = @B +rN.*1