From f022dfc2445bd54127caeb735545a18509ee55f7 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 19:33:48 -0400 Subject: [PATCH 01/55] new ocsf mappings! --- .../processor/outputs/ocsf_v1_1_0_output.py | 68 ++- .../processor/outputs/ocsf_v1_4_0_output.py | 418 ++++++++++++++++++ 2 files changed, 469 insertions(+), 17 deletions(-) create mode 100644 eeauditor/processor/outputs/ocsf_v1_4_0_output.py diff --git a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py index 356b2785..341eb743 100644 --- a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py @@ -61,7 +61,7 @@ "CIS Microsoft Azure Foundations Benchmark V2.0.0" ] -class AsffOcsfNormalizedMapping(NamedTuple): +class SeverityAccountTypeComplianceMapping(NamedTuple): severityId: int severity: str cloudAccountTypeId: int @@ -69,6 +69,14 @@ class AsffOcsfNormalizedMapping(NamedTuple): complianceStatusId: int complianceStatus: str +class ActivityStatusTypeMapping(NamedTuple): + activityId: int + activityName: str + statusId: int + status: str + typeUid: int + typeName: str + here = path.abspath(path.dirname(__file__)) with open(f"{here}/mapped_compliance_controls.json") as jsonfile: CONTROLS_CROSSWALK = json.load(jsonfile) @@ -149,7 +157,7 @@ def nist_csf_v_1_1_controls_crosswalk(self, nistCsfSubcategory): except KeyError: return [] - def asff_to_ocsf_normalization(self, severityLabel: str, cloudProvider: str, complianceStatusLabel: str) -> AsffOcsfNormalizedMapping: + def asff_to_ocsf_normalization(self, severityLabel: str, cloudProvider: str, complianceStatusLabel: str) -> SeverityAccountTypeComplianceMapping: """ Normalizes the following ASFF Severity, Cloud Account Provider, and Compliance values into OCSF """ 
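Review bot: The return statement of `asff_to_ocsf_normalization` is not touched by any hunk for ocsf_v1_1_0_output.py, yet this patch renames the class it would construct and a later hunk reads the result by field name (`asffToOcsf.severity`, `asffToOcsf.cloudAccountType`). If that return still builds `AsffOcsfNormalizedMapping(...)` it raises NameError, and if it returns a bare tuple the attribute reads raise AttributeError; the function body is outside the visible hunks, so this is inferred. The return should construct `SeverityAccountTypeComplianceMapping` with all six fields passed by keyword, as the follow-up patch does for the other two output modules.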
@@ -213,7 +221,31 @@ def iso8061_to_epochseconds(self, iso8061: str) -> int: Converts ISO 8061 datetime into Epochseconds timestamp """ return int(datetime.fromisoformat(iso8061).timestamp()) + + def record_state_to_status(self, recordState: str) -> ActivityStatusTypeMapping: + """ + Maps ElectricEye RecordState to OCSF Status + """ + if recordState == "ACTIVE": + return ActivityStatusTypeMapping( + activityId=1, + activityName="Create", + statusId=1, + status="New", + typeUid=200301, + typeName="Compliance Finding: Create" + ) + if recordState == "ARCHIVED": + return ActivityStatusTypeMapping( + activityId=3, + activityName="Close", + statusId=4, + status="Resolved", + typeUid=200303, + typeName="Compliance Finding: Close" + ) + def ocsf_compliance_finding_mapping(self, findings: list) -> list: """ Takes ElectricEye ASFF and outputs to OCSF v1.1.0 Compliance Finding (2003), returns a list of new findings @@ -239,6 +271,7 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: complianceStatusLabel=finding["Compliance"]["Status"] ) + # Non-AWS checks have hardcoded "dummy" data for Account, Region, and Partition - set these to none partition = finding["Resources"][0]["Partition"] region = finding["ProductFields"]["AssetRegion"] accountId = finding["ProductFields"]["ProviderAccountId"] 
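Review bot: `record_state_to_status` returns None for any RecordState other than "ACTIVE" or "ARCHIVED", because neither `if` matches and the function ends without a return. The caller reads `recordStateMapping.activityId` straight away, so a single unexpected value raises AttributeError and stops the whole export. Add a logged fallback that follows the 99 catch-all the file already uses for unmapped severities, for example `return ActivityStatusTypeMapping(activityId=99, activityName="Other", statusId=99, status="Other", typeUid=200399, typeName="Compliance Finding: Other")`. The same method is added unchanged in ocsf_v1_4_0_output.py and in the ocsf_stdout.py hunk of the next patch.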
@@ -252,27 +285,28 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: if partition == "AWS" and accountId == "000000000000": accountId = None - # Non-AWS checks have hardcoded "dummy" data for Account, Region, and Partition - set these to none depending on the dummy data - #region = "us-placeholder-1" - #account = "000000000000" - #partition = "not-aws" + eventTime = self.iso8061_to_epochseconds(finding["CreatedAt"]) + + recordState = finding["RecordState"] + recordStateMapping = self.record_state_to_status(recordState) ocsf = { # Base Event data - "activity_id": 1, - "activity_name": "Create", + "activity_id": recordStateMapping.activityId, + "activity_name": recordStateMapping.activityName, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2003, "confidence_score": finding["Confidence"], - "severity": asffToOcsf[1], - "severity_id": asffToOcsf[0], - "status": "New", - "status_id": 1, - "time": self.iso8061_to_epochseconds(finding["CreatedAt"]), - "type_name": "Compliance Finding: Create", - "type_uid": 200301, + "severity": asffToOcsf.severity, + "severity_id": asffToOcsf.severityId, + "status": recordStateMapping.status, + "status_id": recordStateMapping.status, + "start_time": eventTime, + "time": eventTime, + "type_name": recordStateMapping.typeName, + "type_uid": recordStateMapping.typeUid, # Profiles / Metadata "metadata": { "uid": finding["Id"], @@ -293,8 +327,8 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: "region": region, "account": { "uid": accountId, - "type": asffToOcsf[3], - "type_uid": asffToOcsf[2] + "type": asffToOcsf.cloudAccountType, + "type_uid": asffToOcsf.cloudAccountTypeId } }, # Observables diff --git a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py new file mode 100644 index 00000000..2f4a6133 --- /dev/null +++ b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py 
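Review bot: `"status_id": recordStateMapping.status` writes the status caption ("New" or "Resolved") into the integer field; it should read `"status_id": recordStateMapping.statusId,`. Anything downstream that filters or alerts on `status_id` will receive a string and is likely to treat every finding as unmapped. The same line appears in the new ocsf_v1_4_0_output.py and in the ocsf_stdout.py hunk of the next patch, so all three need the fix.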
@@ -0,0 +1,418 @@ +#This file is part of ElectricEye. +#SPDX-License-Identifier: Apache-2.0 + +#Licensed to the Apache Software Foundation (ASF) under one +#or more contributor license agreements. See the NOTICE file +#distributed with this work for additional information +#regarding copyright ownership. The ASF licenses this file +#to you under the Apache License, Version 2.0 (the +#"License"); you may not use this file except in compliance +#with the License. You may obtain a copy of the License at + +#http://www.apache.org/licenses/LICENSE-2.0 + +#Unless required by applicable law or agreed to in writing, +#software distributed under the License is distributed on an +#"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +#KIND, either express or implied. See the License for the +#specific language governing permissions and limitations +#under the License. + +import logging +import sys +from typing import NamedTuple +from os import path +from processor.outputs.output_base import ElectricEyeOutput +import json +from base64 import b64decode +from datetime import datetime + +logger = logging.getLogger("OCSF_V1.4.0_Output") + +# NOTE TO SELF: Updated this and FAQ.md as new standards are added +SUPPORTED_FRAMEWORKS = [ + "NIST CSF V1.1", + "NIST SP 800-53 Rev. 4", + "AICPA TSC", + "ISO 27001:2013", + "CIS Critical Security Controls V8", + "NIST SP 800-53 Rev. 5", + "NIST SP 800-171 Rev. 
2", + "CSA Cloud Controls Matrix V4.0", + "CMMC 2.0", + "UK NCSC Cyber Essentials V2.2", + "HIPAA Security Rule 45 CFR Part 164 Subpart C", + "FFIEC Cybersecurity Assessment Tool", + "NERC Critical Infrastructure Protection", + "NYDFS 23 NYCRR Part 500", + "UK NCSC Cyber Assessment Framework V3.1", + "PCI-DSS V4.0", + "NZISM V3.5", + "ISO 27001:2022", + "Critical Risk Profile V1.2", + "ECB CROE", + "Equifax SCF V1.0", + "FBI CJIS Security Policy V5.9", + "CIS Amazon Web Services Foundations Benchmark V1.5", + "CIS Amazon Web Services Foundations Benchmark V2.0", + "CIS Amazon Web Services Foundations Benchmark V3.0", + "MITRE ATT&CK", + "CIS AWS Database Services Benchmark V1.0", + "CIS Microsoft Azure Foundations Benchmark V2.0.0" +] + +class SeverityAccountTypeComplianceMapping(NamedTuple): + severityId: int + severity: str + cloudAccountTypeId: int + cloudAccountType: str + complianceStatusId: int + complianceStatus: str + +class ActivityStatusTypeMapping(NamedTuple): + activityId: int + activityName: str + statusId: int + status: str + typeUid: int + typeName: str + +here = path.abspath(path.dirname(__file__)) +with open(f"{here}/mapped_compliance_controls.json") as jsonfile: + CONTROLS_CROSSWALK = json.load(jsonfile) + +@ElectricEyeOutput +class OcsfV140Output(object): + __provider__ = "ocsf_v1_4_0" + + def write_findings(self, findings: list, output_file: str, **kwargs): + if len(findings) == 0: + logger.error("There are not any findings to write to file!") + sys.exit(0) + + logger.info( + "Converting %s findings into OCSF v1.4.0 events", + len(findings) + ) + + decodedFindings = [ + {**d, "ProductFields": {**d["ProductFields"], + "AssetDetails": json.loads(b64decode(d["ProductFields"]["AssetDetails"]).decode("utf-8")) + if d["ProductFields"]["AssetDetails"] is not None + else None + }} if "AssetDetails" in d["ProductFields"] + else d + for d in findings + ] + + del findings + + # Map in the new compliance controls + for finding in decodedFindings: + 
complianceRelatedRequirements = list(finding["Compliance"]["RelatedRequirements"]) + newControls = [] + nistCsfControls = [control for control in complianceRelatedRequirements if control.startswith("NIST CSF V1.1")] + for control in nistCsfControls: + crosswalkedControls = self.nist_csf_v_1_1_controls_crosswalk(control) + # Not every single NIST CSF Control maps across to other frameworks + if crosswalkedControls: + for crosswalk in crosswalkedControls: + if crosswalk not in newControls: + newControls.append(crosswalk) + else: + continue + + complianceRelatedRequirements.extend(newControls) + + del finding["Compliance"]["RelatedRequirements"] + finding["Compliance"]["RelatedRequirements"] = complianceRelatedRequirements + + ocsfFindings = self.ocsf_compliance_finding_mapping(decodedFindings) + + del decodedFindings + + # create output file based on inputs + jsonfile = f"{output_file}_ocsf_v1-4-0_events.json" + logger.info(f"Output file named: {jsonfile}") + + with open(jsonfile, "w") as jsonfile: + json.dump( + ocsfFindings, + jsonfile, + indent=4, + default=str + ) + + return True + + def nist_csf_v_1_1_controls_crosswalk(self, nistCsfSubcategory): + """ + This function returns a list of additional control framework control IDs that mapped into a provided + NIST CSF V1.1 Subcategory (control) + """ + + # Not every single NIST CSF Control maps across to other frameworks + try: + return CONTROLS_CROSSWALK[nistCsfSubcategory] + except KeyError: + return [] + + def compliance_finding_ocsf_normalization(self, severityLabel: str, cloudProvider: str, complianceStatusLabel: str) -> SeverityAccountTypeComplianceMapping: + """ + Normalizes the following ASFF Severity, Cloud Account Provider, and Compliance values into OCSF + """ + + # map Severity.Label -> base_event.severity_id, base_event.severity + if severityLabel == "INFORMATIONAL": + severityId = 1 + severity = severityLabel.lower().capitalize() + if severityLabel == "LOW": + severityId = 2 + severity = 
severityLabel.lower().capitalize() + if severityLabel == "MEDIUM": + severityId = 3 + severity = severityLabel.lower().capitalize() + if severityLabel == "HIGH": + severityId = 4 + severity = severityLabel.lower().capitalize() + if severityLabel == "CRITICAL": + severityId = 5 + severity = severityLabel.lower().capitalize() + else: + severityId = 99 + severity = severityLabel.lower().capitalize() + + # map ProductFields.Provider -> cloud.account.type_id, cloud.account.type + if cloudProvider == "AWS": + acctTypeId = 10 + acctType = "AWS Account" + elif cloudProvider == "GCP": + acctTypeId = 11 + acctType = "GCP Project" + elif cloudProvider == "OCI": + acctTypeId = 12 + acctType = "OCI Compartment" + elif cloudProvider == "Azure": + acctTypeId = 13 + acctType = "Azure Subscription" + elif cloudProvider == "Salesforce": + acctTypeId = 14 + acctType = "Salesforce Account" + elif cloudProvider == "Google Workspace": + acctTypeId = 15 + acctType = "Google Workspace" + elif cloudProvider == "ServiceNow": + acctTypeId = 16 + acctType = "ServiceNow Instance" + elif cloudProvider == "M365": + acctTypeId = 17 + acctType = "M365 Tenant" + else: + acctTypeId = 99 + acctType = cloudProvider + + # map Compliance.Status -> compliance.status_id, compliance.status + if complianceStatusLabel == "PASSED": + complianceStatusId = 1 + complianceStatus = "Pass" + elif complianceStatusLabel == "WARNING": + complianceStatusId = 2 + complianceStatus = "Warning" + elif complianceStatusLabel == "FAILED": + complianceStatusId = 3 + complianceStatus = "Fail" + else: + complianceStatusId = 99 + complianceStatus = complianceStatusLabel.lower().capitalize() + + return ( + severityId, + severity, + acctTypeId, + acctType, + complianceStatusId, + complianceStatus + ) + + def iso8061_to_epochseconds(self, iso8061: str) -> int: + """ + Converts ISO 8061 datetime into Epochseconds timestamp + """ + return int(datetime.fromisoformat(iso8061).timestamp()) + + def record_state_to_status(self, 
recordState: str) -> ActivityStatusTypeMapping: + """ + Maps ElectricEye RecordState to OCSF Status + """ + if recordState == "ACTIVE": + return ActivityStatusTypeMapping( + activityId=1, + activityName="Create", + statusId=1, + status="New", + typeUid=200301, + typeName="Compliance Finding: Create" + ) + + if recordState == "ARCHIVED": + return ActivityStatusTypeMapping( + activityId=3, + activityName="Close", + statusId=4, + status="Resolved", + typeUid=200303, + typeName="Compliance Finding: Close" + ) + + def ocsf_compliance_finding_mapping(self, findings: list) -> list: + """ + Takes ElectricEye ASFF and outputs to OCSF v1.1.0 Compliance Finding (2003), returns a list of new findings + """ + + ocsfFindings = [] + + logger.info("Mapping ASFF to OCSF") + + for finding in findings: + # Generate metadata.processed_time + timeNow = datetime.now().isoformat() + procssedTime = self.iso8061_to_epochseconds(timeNow) + + # check if the compliance.requirements start with the control frameworks and append the unique ones into a list for compliance.stnadards + standard = [] + requirements = finding["Compliance"]["RelatedRequirements"] + for control in requirements: + for framework in SUPPORTED_FRAMEWORKS: + if str(control).startswith(framework) and framework not in standard: + standard.append(framework) + + asffToOcsf = self.compliance_finding_ocsf_normalization( + severityLabel=finding["Severity"]["Label"], + cloudProvider=finding["ProductFields"]["Provider"], + complianceStatusLabel=finding["Compliance"]["Status"] + ) + + # Non-AWS checks have hardcoded "dummy" data for Account, Region, and Partition - set these to none + partition = finding["Resources"][0]["Partition"] + region = finding["ProductFields"]["AssetRegion"] + accountId = finding["ProductFields"]["ProviderAccountId"] + + if partition != "AWS" or partition == "not-aws": + partition = None + + if partition == "AWS" and region == "us-placeholder-1": + region = None + + if partition == "AWS" and accountId == 
"000000000000": + accountId = None + + eventTime = self.iso8061_to_epochseconds(finding["CreatedAt"]) + + recordState = finding["RecordState"] + recordStateMapping = self.record_state_to_status(recordState) + + ocsf = { + # Base Event data + "activity_id": recordStateMapping.activityId, + "activity_name": recordStateMapping.activityName, + "category_name": "Findings", + "category_uid": 2, + "class_name": "Compliance Finding", + "class_uid": 2003, + "confidence_score": finding["Confidence"], + "severity": asffToOcsf.severity, + "severity_id": asffToOcsf.severityId, + "status": recordStateMapping.status, + "status_id": recordStateMapping.status, + "start_time": eventTime, + "time": eventTime, + "type_name": recordStateMapping.typeName, + "type_uid": recordStateMapping.typeUid, + # Profiles / Metadata + "metadata": { + "uid": finding["Id"], + "correlation_uid": finding["GeneratorId"], + "log_provider": "ElectricEye", + "logged_time": eventTime, + "original_time": finding["CreatedAt"], + "processed_time": procssedTime, + "version":"1.4.0", + "profiles":["cloud"], + "product": { + "name":"ElectricEye", + "version":"3.0", + "url_string":"https://github.com/jonrau1/ElectricEye", + "vendor_name":"ElectricEye" + }, + }, + "cloud": { + "provider": finding["ProductFields"]["Provider"], + "region": region, + "account": { + "uid": accountId, + "type": asffToOcsf.cloudAccountType, + "type_uid": asffToOcsf.cloudAccountTypeId + } + }, + # Observables + "observables": [ + # Cloud Account (Project) UID + { + "name": "cloud.account.uid", + "type": "Account UID", + "type_id": 35, + "value": accountId + }, + # Resource UID + { + "name": "resource.uid", + "type": "Resource UID", + "type_id": 10, + "value": finding["Resources"][0]["Id"] + } + ], + # Compliance Finding Class Info + "compliance": { + "requirements": sorted(requirements), + "control": str(finding["Title"]).split("] ")[0].replace("[",""), + "standards": sorted(standard), + "status": asffToOcsf[5], + "status_id": 
asffToOcsf[4] + }, + "finding_info": { + "created_time": eventTime, + "desc": finding["Description"], + "first_seen_time": self.iso8061_to_epochseconds(finding["FirstObservedAt"]), + "modified_time": self.iso8061_to_epochseconds(finding["UpdatedAt"]), + "product_uid": finding["ProductArn"], + "title": finding["Title"], + "types": finding["Types"], + "uid": finding["Id"] + }, + "remediation": { + "desc": finding["Remediation"]["Recommendation"]["Text"], + "references": [finding["Remediation"]["Recommendation"]["Url"]] + }, + "resources": [ + { + "data": finding["ProductFields"]["AssetDetails"], + "cloud_partition": partition, + "region": region, + "type": finding["ProductFields"]["AssetService"], + "uid": finding["Resources"][0]["Id"] + } + ], + "unmapped": { + "provider_type": finding["ProductFields"]["ProviderType"], + "asset_class": finding["ProductFields"]["AssetClass"], + "asset_component": finding["ProductFields"]["AssetComponent"], + "workflow_status": finding["Workflow"]["Status"], + "record_state": finding["RecordState"] + } + } + ocsfFindings.append(ocsf) + + del standard + del requirements + + return ocsfFindings \ No newline at end of file From bb21138344a1aed64ab74388baebf1353135a3f5 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 19:37:10 -0400 Subject: [PATCH 02/55] bump ocsf stdout to 1.4.0 --- eeauditor/processor/outputs/ocsf_stdout.py | 136 ++++++++++++------ .../processor/outputs/ocsf_v1_4_0_output.py | 14 +- 2 files changed, 102 insertions(+), 48 deletions(-) diff --git a/eeauditor/processor/outputs/ocsf_stdout.py b/eeauditor/processor/outputs/ocsf_stdout.py index 65ad6e50..568764fb 100644 --- a/eeauditor/processor/outputs/ocsf_stdout.py +++ b/eeauditor/processor/outputs/ocsf_stdout.py 
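Review bot: In `compliance_finding_ocsf_normalization` the severity mapping is a run of independent `if` statements whose `else` binds only to the final `if severityLabel == "CRITICAL":`, so INFORMATIONAL, LOW, MEDIUM and HIGH are all overwritten with `severityId = 99`. Every non-critical finding is then exported with the catch-all severity id, which defeats severity-based triage in whatever consumes these events. Make the LOW, MEDIUM, HIGH and CRITICAL tests `elif` (for example `elif severityLabel == "LOW":`), as the provider and compliance-status mappings directly below already do. Separately, the docstring of `ocsf_compliance_finding_mapping` still says "OCSF v1.1.0" in this v1.4.0 module.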
@@ -61,7 +61,7 @@ "CIS Microsoft Azure Foundations Benchmark V2.0.0" ] -class AsffOcsfNormalizedMapping(NamedTuple): +class SeverityAccountTypeComplianceMapping(NamedTuple): severityId: int severity: str cloudAccountTypeId: int @@ -69,6 +69,14 @@ class AsffOcsfNormalizedMapping(NamedTuple): complianceStatusId: int complianceStatus: str +class ActivityStatusTypeMapping(NamedTuple): + activityId: int + activityName: str + statusId: int + status: str + typeUid: int + typeName: str + here = path.abspath(path.dirname(__file__)) with open(f"{here}/mapped_compliance_controls.json") as jsonfile: CONTROLS_CROSSWALK = json.load(jsonfile) @@ -146,7 +154,7 @@ def nist_csf_v_1_1_controls_crosswalk(self, nistCsfSubcategory): except KeyError: return [] - def asff_to_ocsf_normalization(self, severityLabel: str, cloudProvider: str, complianceStatusLabel: str) -> AsffOcsfNormalizedMapping: + def asff_to_ocsf_normalization(self, severityLabel: str, cloudProvider: str, complianceStatusLabel: str) -> SeverityAccountTypeComplianceMapping: """ Normalizes the following ASFF Severity, Cloud Account Provider, and Compliance values into OCSF """ @@ -196,13 +204,13 @@ def asff_to_ocsf_normalization(self, severityLabel: str, cloudProvider: str, com complianceStatusId = 99 complianceStatus = complianceStatusLabel.lower().capitalize() - return AsffOcsfNormalizedMapping ( - severityId, - severity, - acctTypeId, - acctType, - complianceStatusId, - complianceStatus + return SeverityAccountTypeComplianceMapping( + severityId=severityId, + severity=severity, + cloudAccountTypeId=acctTypeId, + cloudAccountType=acctType, + complianceStatusId=complianceStatusId, + complianceStatus=complianceStatus ) def iso8061_to_epochseconds(self, iso8061: str) -> int: 
@@ -210,7 +218,31 @@ def iso8061_to_epochseconds(self, iso8061: str) -> int: Converts ISO 8061 datetime into Epochseconds timestamp """ return int(datetime.fromisoformat(iso8061).timestamp()) + + def record_state_to_status(self, recordState: str) -> ActivityStatusTypeMapping: + """ + Maps ElectricEye RecordState to OCSF Status + """ + if recordState == "ACTIVE": + return ActivityStatusTypeMapping( + activityId=1, + activityName="Create", + statusId=1, + status="New", + typeUid=200301, + typeName="Compliance Finding: Create" + ) + if recordState == "ARCHIVED": + return ActivityStatusTypeMapping( + activityId=3, + activityName="Close", + statusId=4, + status="Resolved", + typeUid=200303, + typeName="Compliance Finding: Close" + ) + def ocsf_compliance_finding_mapping(self, findings: list) -> list: """ Takes ElectricEye ASFF and outputs to OCSF v1.1.0 Compliance Finding (2003), returns a list of new findings @@ -221,6 +253,9 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: logger.info("Mapping ASFF to OCSF") for finding in findings: + # Generate metadata.processed_time + timeNow = datetime.now().isoformat() + procssedTime = self.iso8061_to_epochseconds(timeNow) # check if the compliance.requirements start with the control frameworks and append the unique ones into a list for compliance.stnadards standard = [] 
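Review bot: `procssedTime` is computed by formatting `datetime.now()` to ISO text and parsing it straight back; `int(datetime.now().timestamp())` gives the same value without the round trip, and the local name is misspelled (`processedTime`). It is also recomputed inside the `for finding in findings` loop, so hoisting it above the loop would give one consistent `processed_time` for the run. OCSF documents its timestamp type as milliseconds since the epoch, so it is worth confirming that consumers of `time`, `logged_time` and `processed_time` expect seconds here. The loop body continues outside this hunk.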
@@ -230,55 +265,72 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: if str(control).startswith(framework) and framework not in standard: standard.append(framework) - asffToOcsf = self.asff_to_ocsf_normalization( + asffToOcsf = self.compliance_finding_ocsf_normalization( severityLabel=finding["Severity"]["Label"], cloudProvider=finding["ProductFields"]["Provider"], complianceStatusLabel=finding["Compliance"]["Status"] ) - if finding["ProductFields"]["Provider"] == "AWS": - partition = finding["Resources"][0]["Partition"] - else: + # Non-AWS checks have hardcoded "dummy" data for Account, Region, and Partition - set these to none + partition = finding["Resources"][0]["Partition"] + region = finding["ProductFields"]["AssetRegion"] + accountId = finding["ProductFields"]["ProviderAccountId"] + + if partition != "AWS" or partition == "not-aws": partition = None + + if partition == "AWS" and region == "us-placeholder-1": + region = None + + if partition == "AWS" and accountId == "000000000000": + accountId = None + + eventTime = self.iso8061_to_epochseconds(finding["CreatedAt"]) + + recordState = finding["RecordState"] + recordStateMapping = self.record_state_to_status(recordState) ocsf = { # Base Event data - "activity_id": 1, - "activity_name": "Create", + "activity_id": recordStateMapping.activityId, + "activity_name": recordStateMapping.activityName, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2003, "confidence_score": finding["Confidence"], - "severity": asffToOcsf[1], - "severity_id": asffToOcsf[0], - "status": "New", - "status_id": 1, - "time": self.iso8061_to_epochseconds(finding["CreatedAt"]), - "type_name": "Compliance Finding: Create", - "type_uid": 200301, + "severity": asffToOcsf.severity, + "severity_id": asffToOcsf.severityId, + "status": recordStateMapping.status, + "status_id": recordStateMapping.status, + "start_time": eventTime, + "time": eventTime, + "type_name": 
recordStateMapping.typeName, + "type_uid": recordStateMapping.typeUid, # Profiles / Metadata "metadata": { "uid": finding["Id"], "correlation_uid": finding["GeneratorId"], - "version":"1.1.0", + "log_provider": "ElectricEye", + "logged_time": eventTime, + "original_time": finding["CreatedAt"], + "processed_time": procssedTime, + "version":"1.4.0", + "profiles":["cloud"], "product": { "name":"ElectricEye", "version":"3.0", "url_string":"https://github.com/jonrau1/ElectricEye", "vendor_name":"ElectricEye" }, - "profiles":[ - "cloud" - ] }, "cloud": { "provider": finding["ProductFields"]["Provider"], - "region": finding["ProductFields"]["AssetRegion"], + "region": region, "account": { - "uid": finding["ProductFields"]["ProviderAccountId"], - "type": asffToOcsf[3], - "type_uid": asffToOcsf[2] + "uid": accountId, + "type": asffToOcsf.cloudAccountType, + "type_uid": asffToOcsf.cloudAccountTypeId } }, # Observables @@ -286,9 +338,9 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: # Cloud Account (Project) UID { "name": "cloud.account.uid", - "type": "Resource UID", - "type_id": 10, - "value": finding["ProductFields"]["ProviderAccountId"] + "type": "Account UID", + "type_id": 35, + "value": accountId }, # Resource UID { @@ -307,7 +359,7 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: "status_id": asffToOcsf[4] }, "finding_info": { - "created_time": self.iso8061_to_epochseconds(finding["CreatedAt"]), + "created_time": eventTime, "desc": finding["Description"], "first_seen_time": self.iso8061_to_epochseconds(finding["FirstObservedAt"]), "modified_time": self.iso8061_to_epochseconds(finding["UpdatedAt"]), 
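Review bot: The placeholder clean-up after `partition = finding["Resources"][0]["Partition"]` cannot fire for the findings it is meant for: `if partition != "AWS" or partition == "not-aws"` sets `partition` to None for every non-"AWS" value, and the next two tests require `partition == "AWS"` before clearing `us-placeholder-1` or `000000000000`. Non-AWS findings therefore keep the dummy region and account id in `cloud.region`, `cloud.account.uid` and the Account UID observable. If the partition field carries lowercase values such as `aws` (not visible here), real AWS findings lose their partition as well. Test the placeholders directly, `if region == "us-placeholder-1": region = None` and `if accountId == "000000000000": accountId = None`, and keep the `Provider == "AWS"` check the removed code used for the partition. The same block is in ocsf_v1_4_0_output.py.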
@@ -320,13 +372,15 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: "desc": finding["Remediation"]["Recommendation"]["Text"], "references": [finding["Remediation"]["Recommendation"]["Url"]] }, - "resource": { - "data": finding["ProductFields"]["AssetDetails"], - "cloud_partition": partition, - "region": finding["ProductFields"]["AssetRegion"], - "type": finding["ProductFields"]["AssetService"], - "uid": finding["Resources"][0]["Id"] - }, + "resources": [ + { + "data": finding["ProductFields"]["AssetDetails"], + "cloud_partition": partition, + "region": region, + "type": finding["ProductFields"]["AssetService"], + "uid": finding["Resources"][0]["Id"] + } + ], "unmapped": { "provider_type": finding["ProductFields"]["ProviderType"], "asset_class": finding["ProductFields"]["AssetClass"], diff --git a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py index 2f4a6133..ab158d65 100644 --- a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py @@ -225,13 +225,13 @@ def compliance_finding_ocsf_normalization(self, severityLabel: str, cloudProvide complianceStatusId = 99 complianceStatus = complianceStatusLabel.lower().capitalize() - return ( - severityId, - severity, - acctTypeId, - acctType, - complianceStatusId, - complianceStatus + return SeverityAccountTypeComplianceMapping( + severityId=severityId, + severity=severity, + cloudAccountTypeId=acctTypeId, + cloudAccountType=acctType, + complianceStatusId=complianceStatusId, + complianceStatus=complianceStatus ) def iso8061_to_epochseconds(self, iso8061: str) -> int: From 7cdd454f8cc47d59706dcef8eb8146ca89b03582 Mon Sep 17 00:00:00 2001 
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 19:50:09 -0400 Subject: [PATCH 03/55] add Snowflake to TOML, bump SQS batches --- eeauditor/external_providers.toml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/eeauditor/external_providers.toml b/eeauditor/external_providers.toml index 0e174258..aa54be6c 100644 --- a/eeauditor/external_providers.toml +++ b/eeauditor/external_providers.toml @@ -232,6 +232,26 @@ title = "ElectricEye Configuration" salesforce_api_version = "v58.0" + [credentials.snowflake] + + # Username for your Snowflake Account, this should be a user with the ability to read all tables and views in the default schemas + + snowflake_username = "" + + # The location (or actual contents) of the Password for the User specified in `snowflake_account_id` + # this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then + # the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter + + snowflake_password_value = "" + + # The Account ID for your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., VULEDAR-MR69420 + + snowflake_account_id = "" + + # The Region of your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., us-east-1 + + snowflake_region = "" + [outputs] # ***IMPORTANT*** @@ -345,7 +365,7 @@ title = "ElectricEye Configuration" # Batch Size - amazon_sqs_batch_size = 10 # This must be an integer + amazon_sqs_batch_size = 1000 # This must be an integer # Queue Region From 8dc025d2f2d5464b1f1f1d6898472592e32d4c6d Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 19:54:45 -0400 Subject: [PATCH 04/55] only use `boto3` when needed --- eeauditor/cloud_utils.py | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) 
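Review bot: The comment above `snowflake_password_value` says the password belongs to "the User specified in `snowflake_account_id`"; that should be `snowflake_username`. The same comment allows the actual contents of the password to sit in this file when `global.credentials_location` is `CONFIG_FILE`, so a line such as `# Prefer AWS_SSM or AWS_SECRETS_MANAGER; never commit this file with a password in it` would help. The username comment asks for a user able to read all tables and views; naming the minimum read-only role the checks need would keep that account from being over-privileged.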
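Review bot: `amazon_sqs_batch_size = 1000` is larger than what one SQS `SendMessageBatch` request accepts, which is 10 entries. The code that reads this setting is not part of the patch, so if it passes the value through as the chunk size each batch call would be rejected and findings would not reach the queue; confirm the writer re-chunks to 10, or keep the default at 10. The inline comment could state the valid range, for example `# Integer, 1-10 (SQS SendMessageBatch limit)`.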
diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 3631b790..f339a8c8 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py @@ -31,12 +31,6 @@ logger = logging.getLogger("CloudUtils") -# Boto3 Clients -sts = boto3.client("sts") -ssm = boto3.client("ssm") -asm = boto3.client("secretsmanager") -org = boto3.client("organizations") - # These Constants define legitimate values for certain parameters within the external_providers.toml file AWS_MULTI_ACCOUNT_TARGET_TYPE_CHOICES = ["Accounts", "OU", "Organization"] CREDENTIALS_LOCATION_CHOICES = ["AWS_SSM", "AWS_SECRETS_MANAGER", "CONFIG_FILE"] @@ -77,6 +71,7 @@ def __init__(self, assessmentTarget, tomlPath): # AWS if assessmentTarget == "AWS": + sts = boto3.client("sts") # Process ["aws_account_targets"] awsAccountTargets = data["regions_and_accounts"]["aws"]["aws_account_targets"] if self.awsMultiAccountTargetType == "Accounts": @@ -520,6 +515,8 @@ def get_credential_from_aws_ssm(self, value, configurationName): Retrieves a TOML variable from AWS Systems Manager Parameter Store and returns it """ + ssm = boto3.client("ssm") + if value is None or value == "": logger.error( "A value for %s was not provided. Fix the TOML file and run ElectricEye again.", @@ -546,6 +543,8 @@ def get_credential_from_aws_secrets_manager(self, value, configurationName): """ Retrieves a TOML variable from AWS Secrets Manager and returns it """ + asm = boto3.client("secretsmanager") + if value is None or value == "": logger.error( "A value for %s was not provided. Fix the TOML file and run ElectricEye again.", @@ -568,6 +567,8 @@ def get_aws_accounts_from_organization(self): """ Uses Organizations ListAccounts API to get a list of "ACTIVE" AWS Accounts in the entire Organization """ + org = boto3.client("organizations") + try: accounts = [account["Id"] for account in org.list_accounts()["Accounts"] if account["Status"] == "ACTIVE"] except ClientError as e: 
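Review bot: `get_credential_from_aws_ssm` and `get_credential_from_aws_secrets_manager` now build their client before the `if value is None or value == ""` guard, so a missing TOML value still goes through client construction first; move `ssm = boto3.client("ssm")` and `asm = boto3.client("secretsmanager")` below the guard. `create_aws_session` and `get_aws_accounts_from_organizational_units` in the following hunks create a fresh STS client on every call, which repeats credential resolution for each account and region. A small module-level factory wrapped in `functools.lru_cache` would keep the lazy creation this commit is after without the per-call cost. Each of these methods continues outside its hunk.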
@@ -582,6 +583,9 @@ def get_aws_accounts_from_organizational_units(self, targets): """ Uses Organizations ListAccountsForParent API to get a list of "ACTIVE" AWS Accounts for specified OUs """ + sts = boto3.client("sts") + org = boto3.client("organizations") + accounts = [sts.get_caller_identity()["Account"]] # Caller account is added directly. for parent in targets: @@ -605,6 +609,8 @@ def create_aws_session(account: str, partition: str, region: str, roleName: str) """ crossAccountRoleArn = f"arn:{partition}:iam::{account}:role/{roleName}" + sts = boto3.client("sts") + try: memberAcct = sts.assume_role( RoleArn=crossAccountRoleArn, From 649eab31e81ec297e8fb903bf367d6a42c7d60a4 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 19:56:14 -0400 Subject: [PATCH 05/55] fix missing func --- eeauditor/processor/outputs/ocsf_stdout.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eeauditor/processor/outputs/ocsf_stdout.py b/eeauditor/processor/outputs/ocsf_stdout.py index 568764fb..7402c0c7 100644 --- a/eeauditor/processor/outputs/ocsf_stdout.py +++ b/eeauditor/processor/outputs/ocsf_stdout.py @@ -154,7 +154,7 @@ def nist_csf_v_1_1_controls_crosswalk(self, nistCsfSubcategory): except KeyError: return [] - def asff_to_ocsf_normalization(self, severityLabel: str, cloudProvider: str, complianceStatusLabel: str) -> SeverityAccountTypeComplianceMapping: + def compliance_finding_ocsf_normalization(self, severityLabel: str, cloudProvider: str, complianceStatusLabel: str) -> SeverityAccountTypeComplianceMapping: """ Normalizes the following ASFF Severity, Cloud Account Provider, and Compliance values into OCSF """ From 23323405fe3cf0147ae7a7215a372370680bde3f Mon Sep 17 00:00:00 2001 
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:13:24 -0400 Subject: [PATCH 06/55] wireframe Snowflake in `CloudUtils` --- eeauditor/cloud_utils.py | 40 ++++++++++++++++++++++++++++++- eeauditor/external_providers.toml | 6 ++++- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index f339a8c8..5f241414 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py 
@@ -489,7 +489,45 @@ def __init__(self, assessmentTarget, tomlPath): # Snowflake elif assessmentTarget == "Snowflake": - logger.info("Coming soon!") + # Process data["credentials"]["snowflake"] - values need to be assigned to self + snowflakeTomlValues = data["credentials"]["snowflake"] + + snowflakeUsername = snowflakeTomlValues["snowflake_username"] + snowflakePasswordValue = snowflakeTomlValues["snowflake_password_value"] + snowflakeAccountId = snowflakeTomlValues["snowflake_account_id"] + snowflakeWarehouseName = snowflakeTomlValues["snowflake_warehouse_name"] + snowflakeRegion = snowflakeTomlValues["snowflake_region"] + + if any( + # Check to make sure none of the variables pulled from TOML are emtpy + not var for var in [ + snowflakeUsername, snowflakePasswordValue, snowflakeAccountId, snowflakeWarehouseName, snowflakeRegion + ] + ): + logger.error(f"One of your Salesforce TOML entries in [credentials.salesforce] is empty!") + sys.exit(2) + + # Parse non-confidential values to environ + self.snowflakeUsername = snowflakeUsername + self.snowflakeAccountId = snowflakeAccountId + self.snowflakeWarehouseName = snowflakeWarehouseName + self.snowflakeRegion = snowflakeRegion + + # Retrieve value for Snowflake Password from the TOML, AWS SSM or AWS Secrets Manager + if self.credentialsLocation == "CONFIG_FILE": + self.snowflakePasswordValue = snowflakePasswordValue + # SSM + elif self.credentialsLocation == "AWS_SSM": + self.snowflakePasswordValue = self.get_credential_from_aws_ssm( + snowflakePasswordValue, + "snowflake_password_value" + ) + # AWS Secrets Manager + elif self.credentialsLocation == "AWS_SECRETS_MANAGER": + self.snowflakePasswordValue = self.get_credential_from_aws_secrets_manager( + snowflakePasswordValue, + "snowflake_password_value" + ) def get_aws_regions(self): """ diff --git a/eeauditor/external_providers.toml b/eeauditor/external_providers.toml index aa54be6c..f3c7883f 100644 --- a/eeauditor/external_providers.toml 
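Review bot: The empty-value check in the new Snowflake branch logs `One of your Salesforce TOML entries in [credentials.salesforce] is empty!`, which sends the operator to the wrong section of the TOML file. It should name the Snowflake section, and the `f` prefix can go because the string has no placeholders: `logger.error("One of your Snowflake TOML entries in [credentials.snowflake] is empty!")`. The comment `# Parse non-confidential values to environ` does not match the code, which assigns to `self`. If `self.credentialsLocation` is none of the three handled values the password attribute is never set; whether that is validated earlier in `__init__` is outside this hunk.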
+++ b/eeauditor/external_providers.toml @@ -232,7 +232,7 @@ title = "ElectricEye Configuration" salesforce_api_version = "v58.0" - [credentials.snowflake] + [credentials.snowflake] # Username for your Snowflake Account, this should be a user with the ability to read all tables and views in the default schemas @@ -248,6 +248,10 @@ title = "ElectricEye Configuration" snowflake_account_id = "" + # The name of the warehouse you use for querying data in Snowflake, this should be a warehouse that has the ability to run queries + + snowflake_warehouse_name = "" + # The Region of your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., us-east-1 snowflake_region = "" From f57eadd20b7ab41184a11b7edea6fc5c6f5b8a42 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:20:47 -0400 Subject: [PATCH 07/55] build snowflake cursor/connector --- eeauditor/cloud_utils.py | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 5f241414..90ef9c8e 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py @@ -28,6 +28,7 @@ from botocore.exceptions import ClientError from azure.identity import ClientSecretCredential from azure.mgmt.resource.subscriptions import SubscriptionClient +import snowflake.connector as snowconn logger = logging.getLogger("CloudUtils") 
@@ -515,20 +516,26 @@ def __init__(self, assessmentTarget, tomlPath): # Retrieve value for Snowflake Password from the TOML, AWS SSM or AWS Secrets Manager if self.credentialsLocation == "CONFIG_FILE": - self.snowflakePasswordValue = snowflakePasswordValue + self.snowflakePassowrd = snowflakePasswordValue # SSM elif self.credentialsLocation == "AWS_SSM": - self.snowflakePasswordValue = self.get_credential_from_aws_ssm( + self.snowflakePassowrd = self.get_credential_from_aws_ssm( snowflakePasswordValue, "snowflake_password_value" ) # AWS Secrets Manager elif self.credentialsLocation == "AWS_SECRETS_MANAGER": - self.snowflakePasswordValue = self.get_credential_from_aws_secrets_manager( + self.snowflakePassowrd = self.get_credential_from_aws_secrets_manager( snowflakePasswordValue, "snowflake_password_value" ) + # Retrieve cursor and connector + snowflakeCursorConn = self.connectToSnowflake() + + self.snowflakeConnection = snowflakeCursorConn[0] + self.snowflakeCursor = snowflakeCursorConn[1] + def get_aws_regions(self): """ Uses EC2 DescribeRegions API to get a list of opted-in AWS Regions @@ -815,5 +822,23 @@ def retrieve_azure_subscriptions_for_service_principal(self, azureCredentials: C sys.exit(2) return azureSubscriptionIds - + + def connectToSnowflake(self) -> tuple[snowconn.connection.SnowflakeConnection, snowconn.cursor.SnowflakeCursor]: + """ + Returns a Snowflake cursor object for a given warehouse + """ + try: + conn = snowconn.connect( + user=self.snowflakeUsername, + password=self.snowflakePassowrd, + account=self.snowflakeAccountId, + warehouse=self.snowflakeWarehouseName + ) + except Exception as e: + raise e + + cur = conn.cursor() + + return conn, cur + ## EOF \ No newline at end of file From 3bbf9c3a36b75cdbbd8b56b3614318060c4a8303 Mon Sep 17 00:00:00 2001 
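Review bot: The attribute introduced here is spelled `self.snowflakePassowrd` in all three branches and again in `connectToSnowflake` in the next hunk, so the code runs, but anyone who later reads `self.snowflakePassword` gets an AttributeError; rename it in all four places. The password also stays on the `CloudConfig` instance after the connection has been opened at the end of this branch. Passing it to `connectToSnowflake` as an argument, or deleting the attribute once the connection exists, would shorten the time the secret is held. `__init__` starts outside this hunk.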
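Review bot: In `connectToSnowflake` the `except Exception as e: raise e` block does nothing, so a failed login surfaces as a raw traceback while the rest of this file logs an error and exits. Something like `except snowconn.errors.Error as e:` followed by `logger.error("Failed to connect to Snowflake: %s", e)` and `sys.exit(2)` would match that pattern. `snowflake_region` is required by the TOML check but is not passed to `snowconn.connect`, so it is either unused or needs to become part of the account identifier. The docstring says the method returns a cursor while it returns a `(connection, cursor)` tuple, and the camelCase name differs from the snake_case methods around it.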
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:24:52 -0400 Subject: [PATCH 08/55] wire up snowflake to eeauditor --- eeauditor/eeauditor.py | 55 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index 12bc0761..d35ad00c 100644 --- a/eeauditor/eeauditor.py +++ b/eeauditor/eeauditor.py @@ -107,6 +107,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): if assessmentTarget == "Salesforce": searchPath = "./auditors/salesforce" utils = CloudConfig(assessmentTarget, tomlPath) + # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.salesforceAppClientId = utils.salesforceAppClientId self.salesforceAppClientSecret = utils.salesforceAppClientSecret self.salesforceApiUsername = utils.salesforceApiUsername @@ -117,6 +118,11 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): if assessmentTarget == "Snowflake": searchPath = "./auditors/snowflake" utils = CloudConfig(assessmentTarget, tomlPath) + # parse specific values for Assessment Target - these should match 1:1 with CloudConfig + self.snowflakeAccountId = utils.snowflakeAccountId + self.snowflakeRegion = utils.snowflakeRegion + self.snowflakeCursor = utils.snowflakeCursor + self.snowflakeConnection = utils.snowflakeConnection # Google Workspace if assessmentTarget == "GoogleWorkspace": searchPath = "./auditors/google_workspace" 
@@ -551,6 +557,55 @@ def run_salesforce_checks(self, pluginName=None, delay=0): # optional sleep if specified - defaults to 0 seconds sleep(delay) + # Called from eeauditor/controller.py run_auditor() + def run_snowflake_checks(self, pluginName=None, delay=0): + """ + Runs Snowflake Auditors using Username and Password for a given Warehouse + """ + # hardcode the region and account for non-AWS checks + region = "us-placeholder-1" + account = "000000000000" + partition = "not-aws" + + for serviceName, checkList in self.registry.checks.items(): + # Pass the Cache at the "serviceName" level aka Plugin + auditorCache = {} + for checkName, check in checkList.items(): + # if a specific check is requested, only run that one check + if ( + not pluginName + or pluginName + and pluginName == checkName + ): + try: + logger.info( + "Executing Check %s for M365", + checkName + ) + for finding in check( + cache=auditorCache, + awsAccountId=account, + awsRegion=region, + awsPartition=partition, + snowflakeAccountId=self.snowflakeAccountId, + snowflakeRegion=self.snowflakeRegion, + snowflakeCursor=self.snowflakeCursor, + snowflakeConnection=self.snowflakeConnection + ): + if finding is not None: + yield finding + except Exception: + logger.warn( + "Failed to execute check %s with traceback %s", + checkName, format_exc() + ) + # optional sleep if specified - defaults to 0 seconds + sleep(delay) + + # close the connection to the Snowflake Warehouse + self.snowflakeCursor.close() + self.snowflakeConnection.close() + # Called from eeauditor/controller.py run_auditor() def run_non_aws_checks(self, pluginName=None, delay=0): """ From 45918a2d0ea6f8e9fa159b3fa90cc79b36842a1f Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:25:52 -0400 Subject: [PATCH 09/55] add `snowflake-connector-python>=3.12.1` to reqs --- requirements-docker.txt | 3 ++- requirements.txt | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) 
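Review bot: The two `close()` calls at the end of `run_snowflake_checks` are reached only when the generator is run to exhaustion, so a consumer that stops iterating early leaves the authenticated Snowflake session open. Wrap the `for serviceName, checkList in self.registry.checks.items():` loop in `try:` and move `self.snowflakeCursor.close()` and `self.snowflakeConnection.close()` under `finally:`. The log line `"Executing Check %s for M365"` is copied from another provider and should say Snowflake, and `logger.warn` is a deprecated alias of `logger.warning`. The condition `not pluginName or pluginName and pluginName == checkName` reduces to `not pluginName or pluginName == checkName`.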
diff --git a/requirements-docker.txt b/requirements-docker.txt index 23d76080..a7a34419 100644 --- a/requirements-docker.txt +++ b/requirements-docker.txt @@ -10,4 +10,5 @@ pymongo>=4.6.1 pysnow>=0.7.17 python3-nmap>=1.6.0 tomli>=2.0.1 -vt-py>=0.18.0 \ No newline at end of file +vt-py>=0.18.0 +snowflake-connector-python>=3.12.1 \ No newline at end of file diff --git a/requirements.txt b/requirements.txt index 64cf54cc..107a8531 100644 --- a/requirements.txt +++ b/requirements.txt @@ -12,4 +12,5 @@ pymongo>=4.6.1 pysnow<=0.7.17 python3-nmap>=1.6.0 tomli>=2.0.1 -vt-py>=0.18.0 \ No newline at end of file +vt-py>=0.18.0 +snowflake-connector-python>=3.12.1 \ No newline at end of file From ffac7dd50d3d65e2f263e3e6b354ccfaf33f6a32 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:45:10 -0400 Subject: [PATCH 10/55] override aws-global for OCSF --- eeauditor/processor/outputs/ocsf_stdout.py | 3 +++ eeauditor/processor/outputs/ocsf_v1_1_0_output.py | 3 +++ eeauditor/processor/outputs/ocsf_v1_4_0_output.py | 3 +++ 3 files changed, 9 insertions(+) diff --git a/eeauditor/processor/outputs/ocsf_stdout.py b/eeauditor/processor/outputs/ocsf_stdout.py index 7402c0c7..3947e892 100644 --- a/eeauditor/processor/outputs/ocsf_stdout.py +++ b/eeauditor/processor/outputs/ocsf_stdout.py @@ -282,6 +282,9 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: if partition == "AWS" and region == "us-placeholder-1": region = None + if region == "aws-global": + region = "us-east-1" + if partition == "AWS" and accountId == "000000000000": accountId = None diff --git a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py index 341eb743..f052d098 100644 --- a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py 
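Review bot: The added `if region == "aws-global": region = "us-east-1"` in `ocsf_stdout.py` rewrites the region without looking at the partition, and the same three lines are added to `ocsf_v1_1_0_output.py` and `ocsf_v1_4_0_output.py` in the hunks that follow. If findings from other AWS partitions can carry `aws-global` (not visible here), they would be reported under a region that does not exist in that partition. A one-line comment such as `# global resources are reported under us-east-1 so consumers always get a real region` would explain the override to readers of the OCSF output, and a per-partition value is needed if other partitions are in scope. `ocsf_compliance_finding_mapping` starts and ends outside this hunk.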
@@ -282,6 +282,9 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: if partition == "AWS" and region == "us-placeholder-1": region = None + if region == "aws-global": + region = "us-east-1" + if partition == "AWS" and accountId == "000000000000": accountId = None diff --git a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py index ab158d65..b35b7695 100644 --- a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py @@ -303,6 +303,9 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: if partition == "AWS" and region == "us-placeholder-1": region = None + if region == "aws-global": + region = "us-east-1" + if partition == "AWS" and accountId == "000000000000": accountId = None From f5b0ae036628c74d3359b69aad3d670231fdcf5c Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:47:05 -0400 Subject: [PATCH 11/55] bump OCSF KDF to 1.4.0 changes --- .../outputs/ocsf_to_firehose_output.py | 182 +++++++++++++----- 1 file changed, 134 insertions(+), 48 deletions(-) diff --git a/eeauditor/processor/outputs/ocsf_to_firehose_output.py b/eeauditor/processor/outputs/ocsf_to_firehose_output.py index 2c13c5e7..63284374 100644 --- a/eeauditor/processor/outputs/ocsf_to_firehose_output.py +++ b/eeauditor/processor/outputs/ocsf_to_firehose_output.py @@ -64,7 +64,7 @@ "CIS Microsoft Azure Foundations Benchmark V2.0.0" ] -class AsffOcsfNormalizedMapping(NamedTuple): +class SeverityAccountTypeComplianceMapping(NamedTuple): severityId: int severity: str cloudAccountTypeId: int 
@@ -72,6 +72,14 @@ class AsffOcsfNormalizedMapping(NamedTuple): complianceStatusId: int complianceStatus: str +class ActivityStatusTypeMapping(NamedTuple): + activityId: int + activityName: str + statusId: int + status: str + typeUid: int + typeName: str + here = path.abspath(path.dirname(__file__)) with open(f"{here}/mapped_compliance_controls.json") as jsonfile: CONTROLS_CROSSWALK = json.load(jsonfile) @@ -81,7 +89,7 @@ class OcsfFirehoseOutput(object): __provider__ = "ocsf_kdf" def __init__(self): - print("Preparing to send OCSF V1.1.0 Compliance Findings to Amazon Kinesis Data Firehose.") + print("Preparing to send OCSF V1.4.0 Compliance Findings to Amazon Kinesis Data Firehose.") if environ["TOML_FILE_PATH"] == "None": # Get the absolute path of the current directory @@ -214,7 +222,7 @@ def nist_csf_v_1_1_controls_crosswalk(self, nistCsfSubcategory): except KeyError: return [] - def asff_to_ocsf_normalization(self, severityLabel: str, cloudProvider: str, complianceStatusLabel: str) -> AsffOcsfNormalizedMapping: + def compliance_finding_ocsf_normalization(self, severityLabel: str, cloudProvider: str, complianceStatusLabel: str) -> SeverityAccountTypeComplianceMapping: """ Normalizes the following ASFF Severity, Cloud Account Provider, and Compliance values into OCSF """ 
@@ -244,8 +252,26 @@ def asff_to_ocsf_normalization(self, severityLabel: str, cloudProvider: str, com acctTypeId = 10 acctType = "AWS Account" elif cloudProvider == "GCP": - acctTypeId = 5 - acctType = "GCP Account" + acctTypeId = 11 + acctType = "GCP Project" + elif cloudProvider == "OCI": + acctTypeId = 12 + acctType = "OCI Compartment" + elif cloudProvider == "Azure": + acctTypeId = 13 + acctType = "Azure Subscription" + elif cloudProvider == "Salesforce": + acctTypeId = 14 + acctType = "Salesforce Account" + elif cloudProvider == "Google Workspace": + acctTypeId = 15 + acctType = "Google Workspace" + elif cloudProvider == "ServiceNow": + acctTypeId = 16 + acctType = "ServiceNow Instance" + elif cloudProvider == "M365": + acctTypeId = 17 + acctType = "M365 Tenant" else: acctTypeId = 99 acctType = cloudProvider @@ -264,13 +290,13 @@ def asff_to_ocsf_normalization(self, severityLabel: str, cloudProvider: str, com complianceStatusId = 99 complianceStatus = complianceStatusLabel.lower().capitalize() - return ( - severityId, - severity, - acctTypeId, - acctType, - complianceStatusId, - complianceStatus + return SeverityAccountTypeComplianceMapping( + severityId=severityId, + severity=severity, + cloudAccountTypeId=acctTypeId, + cloudAccountType=acctType, + complianceStatusId=complianceStatusId, + complianceStatus=complianceStatus ) def iso8061_to_epochseconds(self, iso8061: str) -> int: 
@@ -278,7 +304,31 @@ def iso8061_to_epochseconds(self, iso8061: str) -> int: Converts ISO 8061 datetime into Epochseconds timestamp """ return int(datetime.fromisoformat(iso8061).timestamp()) + + def record_state_to_status(self, recordState: str) -> ActivityStatusTypeMapping: + """ + Maps ElectricEye RecordState to OCSF Status + """ + if recordState == "ACTIVE": + return ActivityStatusTypeMapping( + activityId=1, + activityName="Create", + statusId=1, + status="New", + typeUid=200301, + typeName="Compliance Finding: Create" + ) + if recordState == "ARCHIVED": + return ActivityStatusTypeMapping( + activityId=3, + activityName="Close", + statusId=4, + status="Resolved", + typeUid=200303, + typeName="Compliance Finding: Close" + ) + def ocsf_compliance_finding_mapping(self, findings: list) -> list: """ Takes ElectricEye ASFF and outputs to OCSF v1.1.0 Compliance Finding (2003), returns a list of new findings 
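Review bot: `record_state_to_status` has no branch for a `recordState` other than `ACTIVE` or `ARCHIVED`, so it returns `None` while the annotation promises an `ActivityStatusTypeMapping`. The caller then fails on `recordStateMapping.activityId` with an AttributeError that does not name the offending value. Make the second test an `elif` and end the method with `raise ValueError(f"Unsupported RecordState: {recordState}")` so a malformed finding is reported clearly.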
@@ -289,62 +339,97 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: logger.info("Mapping ASFF to OCSF") for finding in findings: - - asffToOcsf = self.asff_to_ocsf_normalization( + # Generate metadata.processed_time + timeNow = datetime.now().isoformat() + procssedTime = self.iso8061_to_epochseconds(timeNow) + + # check if the compliance.requirements start with the control frameworks and append the unique ones into a list for compliance.stnadards + standard = [] + requirements = finding["Compliance"]["RelatedRequirements"] + for control in requirements: + for framework in SUPPORTED_FRAMEWORKS: + if str(control).startswith(framework) and framework not in standard: + standard.append(framework) + + asffToOcsf = self.compliance_finding_ocsf_normalization( severityLabel=finding["Severity"]["Label"], cloudProvider=finding["ProductFields"]["Provider"], complianceStatusLabel=finding["Compliance"]["Status"] ) + + # Non-AWS checks have hardcoded "dummy" data for Account, Region, and Partition - set these to none + partition = finding["Resources"][0]["Partition"] + region = finding["ProductFields"]["AssetRegion"] + accountId = finding["ProductFields"]["ProviderAccountId"] + + if partition != "AWS" or partition == "not-aws": + partition = None + + if partition == "AWS" and region == "us-placeholder-1": + region = None + + if region == "aws-global": + region = "us-east-1" + + if partition == "AWS" and accountId == "000000000000": + accountId = None + + eventTime = self.iso8061_to_epochseconds(finding["CreatedAt"]) + + recordState = finding["RecordState"] + recordStateMapping = self.record_state_to_status(recordState) ocsf = { # Base Event data - "activity_id": 1, - "activity_name": "Create", + "activity_id": recordStateMapping.activityId, + "activity_name": recordStateMapping.activityName, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2003, "confidence_score": finding["Confidence"], - "severity": 
asffToOcsf[1], - "severity_id": asffToOcsf[0], - "status": "New", - "status_id": 1, - "time": self.iso8061_to_epochseconds(finding["CreatedAt"]), - "type_name": "Compliance Finding: Create", - "type_uid": 200301, + "severity": asffToOcsf.severity, + "severity_id": asffToOcsf.severityId, + "status": recordStateMapping.status, + "status_id": recordStateMapping.status, + "start_time": eventTime, + "time": eventTime, + "type_name": recordStateMapping.typeName, + "type_uid": recordStateMapping.typeUid, # Profiles / Metadata "metadata": { "uid": finding["Id"], "correlation_uid": finding["GeneratorId"], - "version":"1.1.0", + "log_provider": "ElectricEye", + "logged_time": eventTime, + "original_time": finding["CreatedAt"], + "processed_time": procssedTime, + "version":"1.4.0", + "profiles":["cloud"], "product": { "name":"ElectricEye", "version":"3.0", "url_string":"https://github.com/jonrau1/ElectricEye", "vendor_name":"ElectricEye" }, - "profiles":[ - "cloud" - ] }, "cloud": { "provider": finding["ProductFields"]["Provider"], - "project_uid": finding["ProductFields"]["ProviderAccountId"], - "region": finding["ProductFields"]["AssetRegion"], + "region": region, "account": { - "uid": finding["ProductFields"]["ProviderAccountId"], - "type": asffToOcsf[3], - "type_uid": asffToOcsf[2] + "uid": accountId, + "type": asffToOcsf.cloudAccountType, + "type_uid": asffToOcsf.cloudAccountTypeId } }, # Observables "observables": [ # Cloud Account (Project) UID { - "name": "cloud.project_uid", - "type": "Resource UID", - "type_id": 10, - "value": finding["ProductFields"]["ProviderAccountId"] + "name": "cloud.account.uid", + "type": "Account UID", + "type_id": 35, + "value": accountId }, # Resource UID { 
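Review bot: The placeholder clean-up added after `accountId = finding["ProductFields"]["ProviderAccountId"]` appears unable to fire for the findings it is meant for. Once `partition` has been set to `None` for anything that is not `"AWS"`, the tests `partition == "AWS" and region == "us-placeholder-1"` and `partition == "AWS" and accountId == "000000000000"` are false for every non-AWS finding, so the dummy region and account ID still reach `cloud.region`, `cloud.account.uid` and the account observable. Testing the placeholder values on their own, `if region == "us-placeholder-1": region = None` and `if accountId == "000000000000": accountId = None`, would match the comment above the block. `partition != "AWS" or partition == "not-aws"` is also equivalent to `partition != "AWS"`; which partition strings the auditors emit is not visible here, so the comparison value should be confirmed. The function starts before this hunk and continues past it.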
@@ -356,14 +441,14 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: ], # Compliance Finding Class Info "compliance": { - "requirements": finding["Compliance"]["RelatedRequirements"], + "requirements": sorted(requirements), "control": str(finding["Title"]).split("] ")[0].replace("[",""), - "standards": SUPPORTED_FRAMEWORKS, + "standards": sorted(standard), "status": asffToOcsf[5], "status_id": asffToOcsf[4] }, "finding_info": { - "created_time": self.iso8061_to_epochseconds(finding["CreatedAt"]), + "created_time": eventTime, "desc": finding["Description"], "first_seen_time": self.iso8061_to_epochseconds(finding["FirstObservedAt"]), "modified_time": self.iso8061_to_epochseconds(finding["UpdatedAt"]), @@ -376,17 +461,18 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: "desc": finding["Remediation"]["Recommendation"]["Text"], "references": [finding["Remediation"]["Recommendation"]["Url"]] }, - "resource": { - "data": finding["ProductFields"]["AssetDetails"], - "cloud_partition": finding["Resources"][0]["Partition"], - "region": finding["ProductFields"]["AssetRegion"], - "type": finding["ProductFields"]["AssetService"], - "uid": finding["Resources"][0]["Id"] - }, + "resources": [ + { + "data": finding["ProductFields"]["AssetDetails"], + "cloud_partition": partition, + "region": region, + "type": finding["ProductFields"]["AssetService"], + "uid": finding["Resources"][0]["Id"] + } + ], "unmapped": { - "provide_type": finding["ProductFields"]["ProviderType"], + "provider_type": finding["ProductFields"]["ProviderType"], "asset_class": finding["ProductFields"]["AssetClass"], - "asset_service": finding["ProductFields"]["AssetService"], "asset_component": finding["ProductFields"]["AssetComponent"], "workflow_status": finding["Workflow"]["Status"], "record_state": finding["RecordState"] From f897f5abc38c1b40fb90722aa9d72d734ac87731 Mon Sep 17 00:00:00 2001 
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:49:00 -0400 Subject: [PATCH 12/55] fix OCSF `status_id` mapping --- eeauditor/processor/outputs/ocsf_to_firehose_output.py | 2 +- eeauditor/processor/outputs/ocsf_v1_1_0_output.py | 2 +- eeauditor/processor/outputs/ocsf_v1_4_0_output.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/eeauditor/processor/outputs/ocsf_to_firehose_output.py b/eeauditor/processor/outputs/ocsf_to_firehose_output.py index 63284374..1ef1ffa6 100644 --- a/eeauditor/processor/outputs/ocsf_to_firehose_output.py +++ b/eeauditor/processor/outputs/ocsf_to_firehose_output.py @@ -391,7 +391,7 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: "severity": asffToOcsf.severity, "severity_id": asffToOcsf.severityId, "status": recordStateMapping.status, - "status_id": recordStateMapping.status, + "status_id": recordStateMapping.statusId, "start_time": eventTime, "time": eventTime, "type_name": recordStateMapping.typeName, diff --git a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py index f052d098..6553f6d6 100644 --- a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py @@ -305,7 +305,7 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: "severity": asffToOcsf.severity, "severity_id": asffToOcsf.severityId, "status": recordStateMapping.status, - "status_id": recordStateMapping.status, + "status_id": recordStateMapping.statusId, "start_time": eventTime, "time": eventTime, "type_name": recordStateMapping.typeName, diff --git a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py index b35b7695..1f9510dd 100644 --- a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py 
@@ -326,7 +326,7 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: "severity": asffToOcsf.severity, "severity_id": asffToOcsf.severityId, "status": recordStateMapping.status, - "status_id": recordStateMapping.status, + "status_id": recordStateMapping.statusId, "start_time": eventTime, "time": eventTime, "type_name": recordStateMapping.typeName, From 3ac247779af994302e576212bc0d2d3fc79a2cfc Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:50:32 -0400 Subject: [PATCH 13/55] Update output_base.py --- eeauditor/processor/outputs/output_base.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/eeauditor/processor/outputs/output_base.py b/eeauditor/processor/outputs/output_base.py index 2061b2fe..a226901c 100644 --- a/eeauditor/processor/outputs/output_base.py +++ b/eeauditor/processor/outputs/output_base.py @@ -18,6 +18,11 @@ #specific language governing permissions and limitations #under the License. +import logging +from sys import exit as sysexit + +logger = logging.getLogger("OutputBase") + class ElectricEyeOutput(object): """Class to be used as a decorator to register all output providers""" @@ -33,8 +38,10 @@ def get_provider(cls, provider): try: return cls._outputs[provider] except KeyError as ke: - print(f"Designated output provider {provider} does not exist") - raise ke + logger.warning( + "Designated output provider %s does not exist", provider + ) + sysexit(2) @classmethod def get_all_providers(cls): From b27f0e3c31d6fe2b5c159877fbc927f510d1c452 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:52:58 -0400 Subject: [PATCH 14/55] Update output_base.py --- eeauditor/processor/outputs/output_base.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eeauditor/processor/outputs/output_base.py b/eeauditor/processor/outputs/output_base.py index a226901c..b2737a6a 100644 
--- a/eeauditor/processor/outputs/output_base.py +++ b/eeauditor/processor/outputs/output_base.py @@ -37,7 +37,7 @@ def get_provider(cls, provider): """Returns the class to process the findings""" try: return cls._outputs[provider] - except KeyError as ke: + except KeyError: logger.warning( "Designated output provider %s does not exist", provider ) From b4314723d6e3dbd9b2aa968d72ef17804d2f126b Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 19:44:36 -0400 Subject: [PATCH 15/55] fix up formatting of control objectives --- .../processor/outputs/control_objectives.json | 604 +++++++++--------- 1 file changed, 286 insertions(+), 318 deletions(-) diff --git a/eeauditor/processor/outputs/control_objectives.json b/eeauditor/processor/outputs/control_objectives.json index 04446e78..19f8c456 100644 --- a/eeauditor/processor/outputs/control_objectives.json +++ b/eeauditor/processor/outputs/control_objectives.json @@ -409,7 +409,7 @@ }, { "ControlTitle":"CIS Critical Security Controls V8 13.5", - "ControlDescription":"Manage Access Control for Remote Assets: Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date.\t " + "ControlDescription":"Manage Access Control for Remote Assets: Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date.\t" }, { "ControlTitle":"CIS Critical Security Controls V8 13.6", 
@@ -937,7 +937,7 @@ }, { "ControlTitle":"NIST SP 800-53 Rev. 5 RA-5", - "ControlDescription":"Vulnerability Monitoring and Scanning: a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;, b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:, 1. Enumerating platforms, software flaws, and improper configurations;, 2. Formatting checklists and test procedures; and, 3. Measuring vulnerability impact; " + "ControlDescription":"Vulnerability Monitoring and Scanning: a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;, b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:, 1. Enumerating platforms, software flaws, and improper configurations;, 2. Formatting checklists and test procedures; and, 3. Measuring vulnerability impact;" }, { "ControlTitle":"NIST SP 800-53 Rev. 5 RA-7", 
@@ -1881,7 +1881,7 @@ }, { "ControlTitle":"CSA Cloud Controls Matrix V4.0 13.5", - "ControlDescription":"Manage Access Control for Remote Assets: Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date.\t " + "ControlDescription":"Manage Access Control for Remote Assets: Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date.\t" }, { "ControlTitle":"CSA Cloud Controls Matrix V4.0 13.6", @@ -2405,7 +2405,7 @@ }, { "ControlTitle":"UK NCSC Cyber Essentials V2.2 A6.2.1", - "ControlDescription":"Please list all internet browsers you use so that the assessor can understand your setup and verify that they are in support. For example: Chrome Version 89; Safari Version 14 " + "ControlDescription":"Please list all internet browsers you use so that the assessor can understand your setup and verify that they are in support. For example: Chrome Version 89; Safari Version 14" }, { "ControlTitle":"UK NCSC Cyber Essentials V2.2 A6.2.2", 
@@ -2465,11 +2465,11 @@
 },
 {
 "ControlTitle":"UK NCSC Cyber Essentials V2.2 A5.10",
- "ControlDescription":"Device locking mechanisms such as biometric, password or PIN, need to be enabled to prevent unauthorised access to devices accessing organisational data or services., This a new requirement in Cyber Essentials. More information can be found in the 'Cyber Essentials requirement for Infrastructure v3.0' document. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure-3-0.pdf "
+ "ControlDescription":"Device locking mechanisms such as biometric, password or PIN, need to be enabled to prevent unauthorised access to devices accessing organisational data or services., This a new requirement in Cyber Essentials. More information can be found in the 'Cyber Essentials requirement for Infrastructure v3.0' document. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure-3-0.pdf"
 },
 {
 "ControlTitle":"UK NCSC Cyber Essentials V2.2 A4.11",
- "ControlDescription":"Your software firewall needs be configured and enabled at all times, even when sitting behind a physical/virtual boundary firewall in an office location. You can check this setting on Macs in the Security & Privacy section of System Preferences. On Windows laptops you can check this by going to Settings and searching for 'Windows firewall'. On Linux try 'ufw status'. "
+ "ControlDescription":"Your software firewall needs be configured and enabled at all times, even when sitting behind a physical/virtual boundary firewall in an office location. You can check this setting on Macs in the Security & Privacy section of System Preferences. On Windows laptops you can check this by going to Settings and searching for 'Windows firewall'. On Linux try 'ufw status'. "
 },
 {
 "ControlTitle":"UK NCSC Cyber Essentials V2.2 A4.5",
@@ -2485,7 +2485,7 @@
 },
 {
 "ControlTitle":"UK NCSC Cyber Essentials V2.2 A4.1",
- "ControlDescription":"You must have firewalls in place between your office network and the internet. "
+ "ControlDescription":"You must have firewalls in place between your office network and the internet. "
 },
 {
 "ControlTitle":"UK NCSC Cyber Essentials V2.2 A4.1.1",
@@ -2569,7 +2569,7 @@
 },
 {
 "ControlTitle":"UK NCSC Cyber Essentials V2.2 A6.5.2",
- "ControlDescription":"Please indicate how updates are applied when auto updates has not been configured. "
+ "ControlDescription":"Please indicate how updates are applied when auto updates has not been configured. "
 },
 {
 "ControlTitle":"UK NCSC Cyber Essentials V2.2 A6.4.1",
@@ -4493,7 +4493,7 @@
 },
 {
 "ControlTitle":"NZISM V3.5 17.5.6. Using SSH (CID:2647)",
- "ControlDescription":"The table below outlines the settings that SHOULD be implemented when using SSH., Configuration description, Configuration directive Disallow the use of SSH version 1, Protocol 2, On machines with multiple interfaces, configure the SSH daemon to listen only on the required interfaces, ListenAddress xxx.xxx.xxx.xxx, Disable connection forwarding, AllowTCPForwarding no, Disable gateway ports, Gatewayports no, Disable the ability to login directly as root, PermitRootLogin no, Disable host-based authentication, HostbasedAuthentication no, Disable rhosts-based authentication, RhostsAuthentication noIgnoreRhosts yes, Do not allow empty passwords, PermitEmptyPasswords no, Configure a suitable login banner, Banner/directory/filename, Configure a login authentication timeout of no more than 60 seconds, LoginGraceTime xx, Disable X forwarding , X11Forwarding no "
+ "ControlDescription":"The table below outlines the settings that SHOULD be implemented when using SSH., Configuration description, Configuration directive Disallow the use of SSH version 1, Protocol 2, On machines with multiple interfaces, configure the SSH daemon to listen only on the required interfaces, ListenAddress xxx.xxx.xxx.xxx, Disable connection forwarding, AllowTCPForwarding no, Disable gateway ports, Gatewayports no, Disable the ability to login directly as root, PermitRootLogin no, Disable host-based authentication, HostbasedAuthentication no, Disable rhosts-based authentication, RhostsAuthentication noIgnoreRhosts yes, Do not allow empty passwords, PermitEmptyPasswords no, Configure a suitable login banner, Banner/directory/filename, Configure a login authentication timeout of no more than 60 seconds, LoginGraceTime xx, Disable X forwarding , X11Forwarding no"
 },
 {
 "ControlTitle":"NZISM V3.5 17.8.10. Mode of operation (CID:2842)",
@@ -5977,23 +5977,23 @@
 },
 {
 "ControlTitle":"ECB CROE 2.1.2.1-13",
- "ControlDescription":"The FMI should ensure that, as part of its formal process to review and update its cyber resilience strategy and framework (including all policies, procedures and controls), a number of factors are considered, such as: "
+ "ControlDescription":"The FMI should ensure that, as part of its formal process to review and update its cyber resilience strategy and framework (including all policies, procedures and controls), a number of factors are considered, such as:"
 },
 {
 "ControlTitle":"ECB CROE 2.1.2.1-13.a",
- "ControlDescription":"(a) the current and evolving cyber threats (e.g. those associated with the supply chain, use of cloud services, social networking, mobile applications and the internet of things, etc.); "
+ "ControlDescription":"(a) the current and evolving cyber threats (e.g. those associated with the supply chain, use of cloud services, social networking, mobile applications and the internet of things, etc.);"
 },
 {
 "ControlTitle":"ECB CROE 2.1.2.1-13.b",
- "ControlDescription":"(b) threat intelligence on threat actors and new tactics, techniques and procedures which may specifically impact the FMI; "
+ "ControlDescription":"(b) threat intelligence on threat actors and new tactics, techniques and procedures which may specifically impact the FMI;"
 },
 {
 "ControlTitle":"ECB CROE 2.1.2.1-13.c",
- "ControlDescription":"(c) the results of risk assessments of the FMI's critical functions, key roles, processes, information assets, third-party service providers and interconnections; "
+ "ControlDescription":"(c) the results of risk assessments of the FMI's critical functions, key roles, processes, information assets, third-party service providers and interconnections;"
 },
 {
 "ControlTitle":"ECB CROE 2.1.2.1-13.d",
- "ControlDescription":"(d) actual cyber incidents that have impacted the FMI directly or external cyber incidents from the ecosystem; "
+ "ControlDescription":"(d) actual cyber incidents that have impacted the FMI directly or external cyber incidents from the ecosystem;"
 },
 {
 "ControlTitle":"ECB CROE 2.1.2.1-13.e",
@@ -6193,7 +6193,7 @@
 },
 {
 "ControlTitle":"ECB CROE 2.3.2.1-1",
- "ControlDescription":"The FMI should implement a comprehensive and appropriate set of security controls that will allow it to achieve the security objectives needed to meet its business requirements. The FMI should implement these controls based on the identification of its critical functions, key roles, processes, information assets, third-party service providers and interconnections, as per the risk assessment in the identification phase. The security objectives may include ensuring: "
+ "ControlDescription":"The FMI should implement a comprehensive and appropriate set of security controls that will allow it to achieve the security objectives needed to meet its business requirements. The FMI should implement these controls based on the identification of its critical functions, key roles, processes, information assets, third-party service providers and interconnections, as per the risk assessment in the identification phase. The security objectives may include ensuring:"
 },
 {
 "ControlTitle":"ECB CROE 2.3.2.1-1.a",
@@ -6201,11 +6201,11 @@
 },
 {
 "ControlTitle":"ECB CROE 2.3.2.1-1.b",
- "ControlDescription":"(b) the integrity of the information stored in its information systems, while both in use and transit; "
+ "ControlDescription":"(b) the integrity of the information stored in its information systems, while both in use and transit;"
 },
 {
 "ControlTitle":"ECB CROE 2.3.2.1-1.c",
- "ControlDescription":"(c) the protection, integrity, confidentiality and availability of data while at rest, in use and in transit; "
+ "ControlDescription":"(c) the protection, integrity, confidentiality and availability of data while at rest, in use and in transit;"
 },
 {
 "ControlTitle":"ECB CROE 2.3.2.1-1.d",
@@ -9273,7 +9273,7 @@
 },
 {
 "ControlTitle":"AICPA TSC CC1.1",
- "ControlDescription":"COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values. Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct. Addresses Deviations in a Timely Manner—Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner. Considers Contractors and Vendor Employees in Demonstrating Its Commitment—Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner. "
+ "ControlDescription":"COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values. Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct. Addresses Deviations in a Timely Manner—Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner. Considers Contractors and Vendor Employees in Demonstrating Its Commitment—Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner."
 },
 {
 "ControlTitle":"AICPA TSC CC1.2",
@@ -9313,7 +9313,7 @@
 },
 {
 "ControlTitle":"AICPA TSC CC3.3",
- "ControlDescription":"COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives. Considers Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur. Assesses Incentives and Pressures—The assessment of fraud risks considers incentives and pressures. Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity's reporting records, or committing other inappropriate acts. Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. Considers the Risks Related to the Use of IT and Access to Information—The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information. "
+ "ControlDescription":"COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives. Considers Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur. Assesses Incentives and Pressures—The assessment of fraud risks considers incentives and pressures. Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity's reporting records, or committing other inappropriate acts. Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. Considers the Risks Related to the Use of IT and Access to Information—The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information."
 },
 {
 "ControlTitle":"AICPA TSC CC3.4",
@@ -9393,7 +9393,7 @@
 },
 {
 "ControlTitle":"AICPA TSC CC8.1",
- "ControlDescription":"The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. Manages Changes Throughout the System Lifecycle—A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity. Authorizes Changes—A process is in place to authorize system changes prior to development. Designs and Develops Changes—A process is in place to design and develop system changes. Documents Changes—A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. Tracks System Changes—A process is in place to track system changes prior to implementation. Configures Software—A process is in place to select and implement the configuration parameters used to control the functionality of software. Tests System Changes—A process is in place to test system changes prior to implementation. Approves System Changes—A process is in place to approve system changes prior to implementation. Deploys System Changes—A process is in place to implement system changes. Identifies and Evaluates System Changes—Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents—Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification. Creates Baseline Configuration of IT Technology—A baseline configuration of IT and control systems is created and maintained. Provides for Changes Necessary in Emergency Situations —A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe). Protects Confidential Information—The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity's objectives related to confidentiality. Protects Personal Information—The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity's objectives related to privacy. "
+ "ControlDescription":"The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. Manages Changes Throughout the System Lifecycle—A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity. Authorizes Changes—A process is in place to authorize system changes prior to development. Designs and Develops Changes—A process is in place to design and develop system changes. Documents Changes—A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. Tracks System Changes—A process is in place to track system changes prior to implementation. Configures Software—A process is in place to select and implement the configuration parameters used to control the functionality of software. Tests System Changes—A process is in place to test system changes prior to implementation. Approves System Changes—A process is in place to approve system changes prior to implementation. Deploys System Changes—A process is in place to implement system changes. Identifies and Evaluates System Changes—Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents—Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification. Creates Baseline Configuration of IT Technology—A baseline configuration of IT and control systems is created and maintained. Provides for Changes Necessary in Emergency Situations —A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe). Protects Confidential Information—The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity's objectives related to confidentiality. Protects Personal Information—The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity's objectives related to privacy."
 },
 {
 "ControlTitle":"AICPA TSC CC9.1",
@@ -9433,7 +9433,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 AM-CS-3",
- "ControlDescription":"Assets are securely disposed of, if no longer required. "
+ "ControlDescription":"Assets are securely disposed of, if no longer required. "
 },
 {
 "ControlTitle":"Equifax SCF V1.0 AM-CS-4",
@@ -9465,7 +9465,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 RP-CS-2",
- "ControlDescription":"The Company executes contingency plans, including business continuity and disaster recovery, during or after an event as deemed necessary for plan activation. "
+ "ControlDescription":"The Company executes contingency plans, including business continuity and disaster recovery, during or after an event as deemed necessary for plan activation."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 RP-CS-3",
@@ -9509,11 +9509,11 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 TC-CS-1",
- "ControlDescription":"The Company maintains a Change Management Policy that identifies requirements for changes, roles, responsibilities, and management commitment. "
+ "ControlDescription":"The Company maintains a Change Management Policy that identifies requirements for changes, roles, responsibilities, and management commitment."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 TC-CS-2",
- "ControlDescription":"The Company reviews proposed changes to systems and approves or disapproves changes after consideration for change type, business need, impact, and risk. "
+ "ControlDescription":"The Company reviews proposed changes to systems and approves or disapproves changes after consideration for change type, business need, impact, and risk."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 TC-CS-3",
@@ -9529,7 +9529,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 SC-CS-1",
- "ControlDescription":"The Company reviews, responds, and incorporates legislative, statutory, and regulatory requirements regarding cybersecurity if determined to be applicable to The Company. "
+ "ControlDescription":"The Company reviews, responds, and incorporates legislative, statutory, and regulatory requirements regarding cybersecurity if determined to be applicable to The Company."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 SC-CS-2",
@@ -9625,7 +9625,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 GV-CS-14",
- "ControlDescription":"For The Company systems deployed in its FedRAMP boundaries, a system security plan is established, maintained, and updated on a [INSERT TIME FRAME] basis. "
+ "ControlDescription":"For The Company systems deployed in its FedRAMP boundaries, a system security plan is established, maintained, and updated on a [INSERT TIME FRAME] basis."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 GV-CS-15",
@@ -9681,7 +9681,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 HR-CS-5",
- "ControlDescription":"For The Company systems deployed, The Company maintains a Sanctions Process that is a two-tier administrative process and is designed to evaluate allegations. "
+ "ControlDescription":"For The Company systems deployed, The Company maintains a Sanctions Process that is a two-tier administrative process and is designed to evaluate allegations."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 AC-CS-1",
@@ -9857,7 +9857,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 NI-CS-3",
- "ControlDescription":"The Company restricts unnecessary network services, ports, and protocols, and monitors communications at external network boundaries and between internal networks. "
+ "ControlDescription":"The Company restricts unnecessary network services, ports, and protocols, and monitors communications at external network boundaries and between internal networks."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 NI-CS-4",
@@ -9869,7 +9869,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 NI-CS-6",
- "ControlDescription":"The Company regularly reviews and revises its segmentation strategy, policies, and methods on a [INSERT TIME FRAME] basis. "
+ "ControlDescription":"The Company regularly reviews and revises its segmentation strategy, policies, and methods on a [INSERT TIME FRAME] basis."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 NI-CS-7",
@@ -9877,7 +9877,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 NI-CS-8",
- "ControlDescription":"The Company separates its network by function with the user network segmented from production, non-production and internet-facing networks. Network design and implementation considers the principles of least privilege. "
+ "ControlDescription":"The Company separates its network by function with the user network segmented from production, non-production and internet-facing networks. Network design and implementation considers the principles of least privilege."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 NI-CS-9",
@@ -10009,7 +10009,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 RM-CS-11",
- "ControlDescription":"For The Company systems deployed in its FedRAMP boundaries, The Company performs a FIPS 199 analysis and categorization on an annual basis. "
+ "ControlDescription":"For The Company systems deployed in its FedRAMP boundaries, The Company performs a FIPS 199 analysis and categorization on an annual basis."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 RM-CS-2",
@@ -10017,7 +10017,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 RM-CS-3",
- "ControlDescription":"The Company performs an Enterprise Security Risk Assessment to assess internal and external risks to the security, confidentiality, or integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information and documents those risks that are material. "
+ "ControlDescription":"The Company performs an Enterprise Security Risk Assessment to assess internal and external risks to the security, confidentiality, or integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information and documents those risks that are material."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 RM-CS-4",
@@ -10081,7 +10081,7 @@
 },
 {
 "ControlTitle":"Equifax SCF V1.0 TD-CS-2",
- "ControlDescription":"The Threat Intelligence team sources and provides actionable threat information, such as indicators of compromise, to relevant parties to enable monitoring for cyber threats. "
+ "ControlDescription":"The Threat Intelligence team sources and provides actionable threat information, such as indicators of compromise, to relevant parties to enable monitoring for cyber threats."
 },
 {
 "ControlTitle":"Equifax SCF V1.0 TD-CS-3",
@@ -10917,7 +10917,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1495",
- "ControlDescription":"Firmware Corruption Mitigation : Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. "
+ "ControlDescription":"Firmware Corruption Mitigation : Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1188",
@@ -10985,7 +10985,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1501",
- "ControlDescription":"Systemd Service Mitigation : The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. Limit user access to system utilities such as systemctl to only users who have a legitimate need. Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. Additionally, the installation of software commonly adds and changes systemd service unit files. Restrict software installation to trusted repositories only and be cautious of orphaned software packages. Utilize malicious code protection and application whitelisting to mitigate the ability of malware to create or modify systemd services. "
+ "ControlDescription":"Systemd Service Mitigation : The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. Limit user access to system utilities such as systemctl to only users who have a legitimate need. Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. Additionally, the installation of software commonly adds and changes systemd service unit files. Restrict software installation to trusted repositories only and be cautious of orphaned software packages. Utilize malicious code protection and application whitelisting to mitigate the ability of malware to create or modify systemd services."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1158",
@@ -11281,7 +11281,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1078",
- "ControlDescription":"Valid Accounts Mitigation : Take measures to detect or prevent techniques such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access) Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured. "
+ "ControlDescription":"Valid Accounts Mitigation : Take measures to detect or prevent techniques such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access) Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1133",
@@ -11417,7 +11417,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK TA0002",
- "ControlDescription":"Execution : The adversary is trying to run malicious code.Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. "
+ "ControlDescription":"Execution : The adversary is trying to run malicious code.Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery."
 },
 {
 "ControlTitle":"MITRE ATT&CK TA0040",
@@ -11425,19 +11425,19 @@ }, { "ControlTitle":"MITRE ATT&CK TA0003", - "ControlDescription":"Persistence : The adversary is trying to maintain their foothold.Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. " + "ControlDescription":"Persistence : The adversary is trying to maintain their foothold.Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code." }, { "ControlTitle":"MITRE ATT&CK TA0004", - "ControlDescription":"Privilege Escalation : The adversary is trying to gain higher-level permissions.Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: * SYSTEM/root level\n* local administrator\n* user account with admin-like access \n* user accounts with access to specific system or perform specific functionThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. 
" + "ControlDescription":"Privilege Escalation : The adversary is trying to gain higher-level permissions.Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: * SYSTEM/root level\n* local administrator\n* user account with admin-like access \n* user accounts with access to specific system or perform specific functionThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. " }, { "ControlTitle":"MITRE ATT&CK TA0008", - "ControlDescription":"Lateral Movement : The adversary is trying to move through your environment.Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. " + "ControlDescription":"Lateral Movement : The adversary is trying to move through your environment.Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. 
Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier." }, { "ControlTitle":"MITRE ATT&CK TA0005", - "ControlDescription":"Defense Evasion : The adversary is trying to avoid being detected.Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses. " + "ControlDescription":"Defense Evasion : The adversary is trying to avoid being detected.Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses." }, { "ControlTitle":"MITRE ATT&CK TA0010", 
@@ -11445,7 +11445,7 @@ }, { "ControlTitle":"MITRE ATT&CK TA0007", - "ControlDescription":"Discovery : The adversary is trying to figure out your environment.Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. " + "ControlDescription":"Discovery : The adversary is trying to figure out your environment.Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective." }, { "ControlTitle":"MITRE ATT&CK TA0009", 
@@ -11469,11 +11469,11 @@ }, { "ControlTitle":"MITRE ATT&CK T1055.011", - "ControlDescription":"Extra Window Memory Injection : Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process's memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process's EWM.Execution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. 
Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. " + "ControlDescription":"Extra Window Memory Injection : Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. 
Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process's memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process's EWM.Execution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process." }, { "ControlTitle":"MITRE ATT&CK T1053.005", - "ControlDescription":"Scheduled Task : Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. 
In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)Adversaries may also create 'hidden' scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) " + "ControlDescription":"Scheduled Task : Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. 
The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)Adversaries may also create 'hidden' scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)" }, { "ControlTitle":"MITRE ATT&CK T1205.002", 
@@ -11505,7 +11505,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1027.011", - "ControlDescription":"Fileless Storage : Adversaries may store data in 'fileless' formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%/System32/Wbem/Repository`) or Registry (e.g., `%SystemRoot%/System32/Config`) physical files.(Citation: Microsoft Fileless) " + "ControlDescription":"Fileless Storage : Adversaries may store data in 'fileless' formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. 
Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%/System32/Wbem/Repository`) or Registry (e.g., `%SystemRoot%/System32/Config`) physical files.(Citation: Microsoft Fileless)" }, { "ControlTitle":"MITRE ATT&CK T1067", 
@@ -11529,11 +11529,11 @@ }, { "ControlTitle":"MITRE ATT&CK T1218.011", - "ControlDescription":"Rundll32 : Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:'/../mshtml,RunHTMLApplication ';document.write();GetObject('script:https[:]//www[.]example[.]com/malicious.sct')' This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). 
Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) " + "ControlDescription":"Rundll32 : Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:'/../mshtml,RunHTMLApplication ';document.write();GetObject('script:https[:]//www[.]example[.]com/malicious.sct')' This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. 
As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)" }, { "ControlTitle":"MITRE ATT&CK T1613", - "ControlDescription":"Container and Resource Discovery : Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment's configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary's next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution. 
" + "ControlDescription":"Container and Resource Discovery : Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment's configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary's next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution." }, { "ControlTitle":"MITRE ATT&CK T1583.007", 
@@ -11581,11 +11581,11 @@ }, { "ControlTitle":"MITRE ATT&CK T1056.001", - "ControlDescription":"Keylogging : Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) " + "ControlDescription":"Keylogging : Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. 
In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)" }, { "ControlTitle":"MITRE ATT&CK T1222.002", - "ControlDescription":"Linux and Mac File and Directory Permissions Modification : Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. 
While nuances of each platform's permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) " + "ControlDescription":"Linux and Mac File and Directory Permissions Modification : Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. 
While nuances of each platform's permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques)" }, { "ControlTitle":"MITRE ATT&CK T1110.001", 
@@ -11689,7 +11689,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1543", - "ControlDescription":"Create or Modify System Process : Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection) " + "ControlDescription":"Create or Modify System Process : Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. 
On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection) " }, { "ControlTitle":"MITRE ATT&CK T1133", 
@@ -11745,7 +11745,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1583.008", - "ControlDescription":"Malvertising : Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network's capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversary's efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising) Malvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.(Citation: BBC-malvertising)Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. 
This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising) " + "ControlDescription":"Malvertising : Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network's capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. 
For example, these spoofed ads may trick victims into clicking the ad which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversary's efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising) Malvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.(Citation: BBC-malvertising)Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising)" }, { "ControlTitle":"MITRE ATT&CK T1069", 
@@ -11753,7 +11753,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1114",
- "ControlDescription":"Email Collection : Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. "
+ "ControlDescription":"Email Collection : Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1003.002",
@@ -11793,7 +11793,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1195.001",
- "ControlDescription":"Compromise Software Dependencies and Development Tools : Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise) Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. "
+ "ControlDescription":"Compromise Software Dependencies and Development Tools : Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise) Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1588.004",
@@ -11809,7 +11809,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1071.004",
- "ControlDescription":"DNS : Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) "
+ "ControlDescription":"DNS : Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)"
 },
 {
 "ControlTitle":"MITRE ATT&CK T1552.005",
@@ -11881,7 +11881,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1555.001", - "ControlDescription":"Keychain : Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple's iCloud service. Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann)Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user's password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) " + "ControlDescription":"Keychain : Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. 
There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple's iCloud service. Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann)Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user's password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) " }, { "ControlTitle":"MITRE ATT&CK T1547", 
@@ -11933,7 +11933,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1087.002",
- "ControlDescription":"Domain Account : Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. "
+ "ControlDescription":"Domain Account : Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. "
 },
 {
 "ControlTitle":"MITRE ATT&CK T1547.014",
@@ -11969,7 +11969,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1484.002", - "ControlDescription":"Domain Trust Modification : Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) " + "ControlDescription":"Domain Trust Modification : Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. 
Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain)" }, { "ControlTitle":"MITRE ATT&CK T1573.001", 
@@ -12017,7 +12017,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1053.003",
- "ControlDescription":"Cron : Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). "
+ "ControlDescription":"Cron : Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003)."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1069.002",
@@ -12041,7 +12041,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1499.004", - "ControlDescription":"Application or System Exploitation : Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as [Data Destruction](https://attack.mitre.org/techniques/T1485), [Firmware Corruption](https://attack.mitre.org/techniques/T1495), [Service Stop](https://attack.mitre.org/techniques/T1489) etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems. " + "ControlDescription":"Application or System Exploitation : Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as [Data Destruction](https://attack.mitre.org/techniques/T1485), [Firmware Corruption](https://attack.mitre.org/techniques/T1495), [Service Stop](https://attack.mitre.org/techniques/T1489) etc. 
which may further cause a DoS condition and deny availability to critical information, applications and/or systems." }, { "ControlTitle":"MITRE ATT&CK T1137", 
@@ -12077,7 +12077,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1566.001", - "ControlDescription":"Spearphishing Attachment : Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. " + "ControlDescription":"Spearphishing Attachment : Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. 
Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one." }, { "ControlTitle":"MITRE ATT&CK T1214", 
@@ -12141,7 +12141,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1553.002", - "ControlDescription":"Code Signing : Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)Code signing certificates may be used to bypass security policies that require signed code to execute on a system. " + "ControlDescription":"Code Signing : Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. 
(Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)Code signing certificates may be used to bypass security policies that require signed code to execute on a system." }, { "ControlTitle":"MITRE ATT&CK T1530", 
@@ -12165,7 +12165,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1036.009", - "ControlDescription":"Break Process Trees : An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the 'parent-child' relationship for detection, breaking this relationship could result in the adversary's behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) On Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree.Another example is using the 'daemon' syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) " + "ControlDescription":"Break Process Trees : An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the 'parent-child' relationship for detection, breaking this relationship could result in the adversary's behavior not being associated with previous process tree activity. 
On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) On Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree.Another example is using the 'daemon' syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022)" }, { "ControlTitle":"MITRE ATT&CK T1590.004", 
@@ -12181,11 +12181,11 @@ }, { "ControlTitle":"MITRE ATT&CK T1137.006", - "ControlDescription":"Add-ins : Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts. " + "ControlDescription":"Add-ins : Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts." }, { "ControlTitle":"MITRE ATT&CK T1505.002", - "ControlDescription":"Transport Agent : Adversaries may abuse Microsoft transport agents to establish persistent access to systems. 
Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. " + "ControlDescription":"Transport Agent : Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. 
Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary." }, { "ControlTitle":"MITRE ATT&CK T1082", 
@@ -12193,7 +12193,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1071",
- "ControlDescription":"Application Layer Protocol : Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. "
+ "ControlDescription":"Application Layer Protocol : Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1074.002",
@@ -12353,7 +12353,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1055.003", - "ControlDescription":"Thread Execution Hijacking : Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)This is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. " + "ControlDescription":"Thread Execution Hijacking : Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. 
A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)This is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process." }, { "ControlTitle":"MITRE ATT&CK T1079", 
@@ -12381,7 +12381,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1037.002", - "ControlDescription":"Login Hook : Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev) Adversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) " + "ControlDescription":"Login Hook : Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. 
All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev) Adversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001)" }, { "ControlTitle":"MITRE ATT&CK T1659", 
@@ -12389,7 +12389,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1055", - "ControlDescription":"Process Injection : Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. " + "ControlDescription":"Process Injection : Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. 
More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel." }, { "ControlTitle":"MITRE ATT&CK T1567.004", 
@@ -12501,7 +12501,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1572", - "ControlDescription":"Protocol Tunneling : Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. " + "ControlDescription":"Protocol Tunneling : Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. 
This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure." }, { "ControlTitle":"MITRE ATT&CK T1218.002", 
@@ -12545,7 +12545,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1602.002", - "ControlDescription":"Network Device Configuration Dump : Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. " + "ControlDescription":"Network Device Configuration Dump : Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. 
Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis." }, { "ControlTitle":"MITRE ATT&CK T1589", 
@@ -12589,7 +12589,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1071.003",
- "ControlDescription":"Mail Protocols : Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. "
+ "ControlDescription":"Mail Protocols : Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1556.007",
@@ -12601,7 +12601,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1059.009", - "ControlDescription":"Cloud API : Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. " + "ControlDescription":"Cloud API : Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. 
These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. " }, { "ControlTitle":"MITRE ATT&CK T1596", 
@@ -12661,7 +12661,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1557.003", - "ControlDescription":"DHCP Spoofing : Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).DHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.(Citation: rfc2131) The typical server-client interaction is as follows: 1. The client broadcasts a `DISCOVER` message.2. The server responds with an `OFFER` message, which includes an available network address. 3. The client broadcasts a `REQUEST` message, which includes the network address offered. 4. The server acknowledges with an `ACK` message and the client receives the network configuration parameters.Adversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. 
For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.(Citation: new_rogue_DHCP_serv_malware)(Citation: w32.tidserv.g) Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.DHCPv6 clients can receive network configuration information without being assigned an IP address by sending a INFORMATION-REQUEST (code 11) message to the All_DHCP_Relay_Agents_and_Servers multicast address.(Citation: rfc3315) Adversaries may use their rogue DHCP server to respond to this request message with malicious network configurations.Rather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e, [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)) by generating many broadcast DISCOVER messages to exhaust a network's DHCP allocation pool. " + "ControlDescription":"DHCP Spoofing : Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).DHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.(Citation: rfc2131) The typical server-client interaction is as follows: 1. The client broadcasts a `DISCOVER` message.2. 
The server responds with an `OFFER` message, which includes an available network address. 3. The client broadcasts a `REQUEST` message, which includes the network address offered. 4. The server acknowledges with an `ACK` message and the client receives the network configuration parameters.Adversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.(Citation: new_rogue_DHCP_serv_malware)(Citation: w32.tidserv.g) Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.DHCPv6 clients can receive network configuration information without being assigned an IP address by sending a INFORMATION-REQUEST (code 11) message to the All_DHCP_Relay_Agents_and_Servers multicast address.(Citation: rfc3315) Adversaries may use their rogue DHCP server to respond to this request message with malicious network configurations.Rather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e, [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)) by generating many broadcast DISCOVER messages to exhaust a network's DHCP allocation pool." }, { "ControlTitle":"MITRE ATT&CK T1155", 
@@ -12673,7 +12673,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1027.001", - "ControlDescription":"Binary Padding : Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) " + "ControlDescription":"Binary Padding : Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. 
Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)" }, { "ControlTitle":"MITRE ATT&CK T1505.003", 
@@ -12729,7 +12729,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1574.006", - "ControlDescription":"Dynamic Linker Hijacking : Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python's os.environ.On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. 
LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) " + "ControlDescription":"Dynamic Linker Hijacking : Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. 
This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python's os.environ.On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass)" }, { "ControlTitle":"MITRE ATT&CK T1136.001", 
@@ -12753,7 +12753,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1222",
- "ControlDescription":"File and Directory Permissions Modification : Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory's existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) "
+ "ControlDescription":"File and Directory Permissions Modification : Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory's existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior)"
 },
 {
 "ControlTitle":"MITRE ATT&CK T1003.001",
@@ -12829,7 +12829,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1054",
- "ControlDescription":"Indicator Blocking : An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1086) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).ETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the registry to make alterations.In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. "
+ "ControlDescription":"Indicator Blocking : An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1086) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).ETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the registry to make alterations.In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1598.004",
@@ -12901,11 +12901,11 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1055.013",
- "ControlDescription":"Process Doppelg\u00e4nging : Adversaries may inject malicious code into process via process doppelg\u00e4nging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelg\u00e4nging is a method of executing arbitrary code in the address space of a separate live process. Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017)Adversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelg\u00e4nging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelg\u00e4nging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017)Process Doppelg\u00e4nging is implemented in 4 steps (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017):* Transact Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\n* Load Create a shared section of memory and load the malicious executable.\n* Rollback Undo changes to original executable, effectively removing malicious code from the file system.\n* Animate Create a process from the tainted section of memory and initiate execution.This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelg\u00e4nging may evade detection from security products since the execution is masked under a legitimate process. "
+ "ControlDescription":"Process Doppelg\u00e4nging : Adversaries may inject malicious code into process via process doppelg\u00e4nging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelg\u00e4nging is a method of executing arbitrary code in the address space of a separate live process. Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017)Adversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelg\u00e4nging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelg\u00e4nging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017)Process Doppelg\u00e4nging is implemented in 4 steps (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017):* Transact Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\n* Load Create a shared section of memory and load the malicious executable.\n* Rollback Undo changes to original executable, effectively removing malicious code from the file system.\n* Animate Create a process from the tainted section of memory and initiate execution.This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelg\u00e4nging may evade detection from security products since the execution is masked under a legitimate process."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1016",
- "ControlDescription":"System Network Configuration Discovery : Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. "
+ "ControlDescription":"System Network Configuration Discovery : Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1578.003",
@@ -12913,7 +12913,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1593.003",
- "ControlDescription":"Code Repositories : Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Adversaries may search various public code repositories for various information about a victim. Public code repositories can often be a source of various general information about victims, such as commonly used programming languages and libraries as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.(Citation: GitHub Cloud Service Credentials) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)). **Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1213/003), which focuses on [Collection](https://attack.mitre.org/tactics/TA0009) from private and internally hosted code repositories. "
+ "ControlDescription":"Code Repositories : Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Adversaries may search various public code repositories for various information about a victim. Public code repositories can often be a source of various general information about victims, such as commonly used programming languages and libraries as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.(Citation: GitHub Cloud Service Credentials) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)). **Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1213/003), which focuses on [Collection](https://attack.mitre.org/tactics/TA0009) from private and internally hosted code repositories."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1574.005",
@@ -12997,7 +12997,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1048.001",
- "ControlDescription":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol : Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Symmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data. Network protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) vice using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that not typically encrypted (such as HTTP or FTP). "
+ "ControlDescription":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol : Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Symmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data. Network protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) vice using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that not typically encrypted (such as HTTP or FTP)."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1137.001",
@@ -13033,7 +13033,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1055.004",
- "ControlDescription":"Asynchronous Procedure Call : Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). A variation of APC injection, dubbed 'Early Bird injection', involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. "
+ "ControlDescription":"Asynchronous Procedure Call : Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). A variation of APC injection, dubbed 'Early Bird injection', involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1020.001",
@@ -13049,7 +13049,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1546.009",
- "ControlDescription":"AppCert DLLs : Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/Session Manager/ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity. "
+ "ControlDescription":"AppCert DLLs : Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/Session Manager/ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1191",
@@ -13061,7 +13061,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1114.003",
- "ControlDescription":"Email Forwarding Rule : Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives. "
+ "ControlDescription":"Email Forwarding Rule : Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1074",
@@ -13101,7 +13101,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1612",
- "ControlDescription":"Build Image on Host : Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it's a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. "
+ "ControlDescription":"Build Image on Host : Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it's a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1051",
@@ -13109,11 +13109,11 @@ }, { "ControlTitle":"MITRE ATT&CK T1055.002", - "ControlDescription":"Portable Executable Injection : Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. " + "ControlDescription":"Portable Executable Injection : Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. 
(Citation: Elastic Process Injection July 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process." }, { "ControlTitle":"MITRE ATT&CK T1218.012", - "ControlDescription":"Verclsid : Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) " + "ControlDescription":"Verclsid : Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)Adversaries may abuse verclsid.exe to execute malicious payloads. 
This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub)" }, { "ControlTitle":"MITRE ATT&CK T1586", 
@@ -13189,7 +13189,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1619",
- "ControlDescription":"Cloud Storage Object Discovery : Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) "
+ "ControlDescription":"Cloud Storage Object Discovery : Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs)"
 },
 {
 "ControlTitle":"MITRE ATT&CK T1606.001",
@@ -13205,11 +13205,11 @@ }, { "ControlTitle":"MITRE ATT&CK T1567.001", - "ControlDescription":"Exfiltration to Code Repository : Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. " + "ControlDescription":"Exfiltration to Code Repository : Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network." }, { "ControlTitle":"MITRE ATT&CK T1021.007", - "ControlDescription":"Cloud Services : Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user. Many enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control plane. 
Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://attack.mitre.org/techniques/T1059/009)), using commands such as Connect-AZAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI.In some cases, adversaries may be able to authenticate to these services via [Application Access Token](https://attack.mitre.org/techniques/T1550/001) instead of a username and password. " + "ControlDescription":"Cloud Services : Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user. Many enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://attack.mitre.org/techniques/T1059/009)), using commands such as Connect-AZAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI.In some cases, adversaries may be able to authenticate to these services via [Application Access Token](https://attack.mitre.org/techniques/T1550/001) instead of a username and password." }, { "ControlTitle":"MITRE ATT&CK T1205.001", 
@@ -13225,7 +13225,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1528", - "ControlDescription":"Steal Application Access Token : Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container's token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. 
\n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user. " + "ControlDescription":"Steal Application Access Token : Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. 
Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container's token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. 
Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user. " }, { "ControlTitle":"MITRE ATT&CK T1598.002", 
@@ -13261,7 +13261,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1048.002", - "ControlDescription":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol : Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Asymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. Network protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. " + "ControlDescription":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol : Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Asymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. 
Network protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol." }, { "ControlTitle":"MITRE ATT&CK T1087.004", 
@@ -13293,7 +13293,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1497.002", - "ControlDescription":"User Activity Based Checks : Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017) " + "ControlDescription":"User Activity Based Checks : Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. 
Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017)" }, { "ControlTitle":"MITRE ATT&CK T1141", 
@@ -13301,7 +13301,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1585.003", - "ControlDescription":"Cloud Accounts : Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)Creating [Cloud Accounts](https://attack.mitre.org/techniques/T1585/003) may also require adversaries to establish [Email Accounts](https://attack.mitre.org/techniques/T1585/002) to register with the cloud provider. " + "ControlDescription":"Cloud Accounts : Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. 
Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)Creating [Cloud Accounts](https://attack.mitre.org/techniques/T1585/003) may also require adversaries to establish [Email Accounts](https://attack.mitre.org/techniques/T1585/002) to register with the cloud provider." }, { "ControlTitle":"MITRE ATT&CK T1072", 
@@ -13325,7 +13325,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1606", - "ControlDescription":"Forge Web Credentials : Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) " + "ControlDescription":"Forge Web Credentials : Adversaries may forge credential 
materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) " }, { "ControlTitle":"MITRE ATT&CK T1621", 
@@ -13353,7 +13353,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1055.014", - "ControlDescription":"VDSO Hijacking : Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014)Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. " + "ControlDescription":"VDSO Hijacking : Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). 
However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014)Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. " }, { "ControlTitle":"MITRE ATT&CK T1026", 
@@ -13361,7 +13361,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1071.002",
- "ControlDescription":"File Transfer Protocols : Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. "
+ "ControlDescription":"File Transfer Protocols : Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1122",
@@ -13453,7 +13453,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1056.002", - "ControlDescription":"GUI Input Capture : Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) " + "ControlDescription":"GUI Input Capture : Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. 
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)" }, { "ControlTitle":"MITRE ATT&CK T1097", 
@@ -13533,7 +13533,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1001",
- "ControlDescription":"Data Obfuscation : Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. "
+ "ControlDescription":"Data Obfuscation : Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1039",
@@ -13577,7 +13577,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1055.012", - "ControlDescription":"Process Hollowing : Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)This is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. " + "ControlDescription":"Process Hollowing : Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. 
A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)This is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process." }, { "ControlTitle":"MITRE ATT&CK T1068", 
@@ -13589,7 +13589,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1531", - "ControlDescription":"Account Access Removal : Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy. Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. " + "ControlDescription":"Account Access Removal : Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. 
Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy. Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective." }, { "ControlTitle":"MITRE ATT&CK T1110.004", 
@@ -13601,11 +13601,11 @@ }, { "ControlTitle":"MITRE ATT&CK T1027", - "ControlDescription":"Obfuscated Files or Information : Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. 
(Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) " + "ControlDescription":"Obfuscated Files or Information : Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. 
(Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)" }, { "ControlTitle":"MITRE ATT&CK T1556.006", - "ControlDescription":"Multi-Factor Authentication : Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions)For example, modifying the Windows hosts file (`C:/windows/system32/drivers/etc/hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a 'fail open' policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. 
(Citation: Russians Exploit Default MFA Protocol - CISA March 2022) Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022) " + "ControlDescription":"Multi-Factor Authentication : Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions)For example, modifying the Windows hosts file (`C:/windows/system32/drivers/etc/hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a 'fail open' policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022)" }, { "ControlTitle":"MITRE ATT&CK T1114.002", 
@@ -13633,7 +13633,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1546", - "ControlDescription":"Event Triggered Execution : Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. " + "ControlDescription":"Event Triggered Execution : Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. 
Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges." }, { "ControlTitle":"MITRE ATT&CK T1546.004", 
@@ -13661,7 +13661,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1553", - "ControlDescription":"Subvert Trust Controls : Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates) " + "ControlDescription":"Subvert Trust Controls : Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. 
Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)" }, { "ControlTitle":"MITRE ATT&CK T1548.004", 
@@ -13725,15 +13725,15 @@ }, { "ControlTitle":"MITRE ATT&CK T1546.015", - "ControlDescription":"Component Object Model Hijacking : Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. " + "ControlDescription":"Component Object Model Hijacking : Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. 
Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection." }, { "ControlTitle":"MITRE ATT&CK T1589.001", - "ControlDescription":"Credentials : Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. 
Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). " + "ControlDescription":"Credentials : Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. 
Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078))." }, { "ControlTitle":"MITRE ATT&CK T1195.002", - "ControlDescription":"Compromise Software Supply Chain : Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) " + "ControlDescription":"Compromise Software Supply Chain : Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. 
Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) " }, { "ControlTitle":"MITRE ATT&CK T1036.003", 
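Review bot: The new `ControlDescription` for T1195.002 at the end of this hunk still ends with a space before the closing quote (`...(Citation: Command Five SK 2011) "`), while the T1546.015 and T1589.001 values changed in the same hunk now end flush with the quote. The value should end `...(Citation: Command Five SK 2011)"` so the whitespace cleanup is uniform across the crosswalk. If these strings are produced by a script (not visible here), stripping each description once at generation time would catch stragglers like this more reliably than per-entry edits.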
@@ -13741,7 +13741,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1102.002", - "ControlDescription":"Bidirectional Communication : Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. " + "ControlDescription":"Bidirectional Communication : Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. 
For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection." }, { "ControlTitle":"MITRE ATT&CK T1203", 
@@ -13749,7 +13749,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1595.003", - "ControlDescription":"Wordlist Scanning : Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website's pages and directories.(Citation: ClearSky Lebanese Cedar Jan 2021) This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [Brute Force](https://attack.mitre.org/techniques/T1110)). As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.(Citation: S3Recon GitHub)(Citation: GCPBucketBrute) Once storage objects are discovered, adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530) to access valuable information that can be exfiltrated or used to escalate privileges and move laterally. " + "ControlDescription":"Wordlist Scanning : Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. 
While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website's pages and directories.(Citation: ClearSky Lebanese Cedar Jan 2021) This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [Brute Force](https://attack.mitre.org/techniques/T1110)). As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.(Citation: S3Recon GitHub)(Citation: GCPBucketBrute) Once storage objects are discovered, adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530) to access valuable information that can be exfiltrated or used to escalate privileges and move laterally." }, { "ControlTitle":"MITRE ATT&CK T1562.011", 
@@ -13765,7 +13765,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1567.002",
- "ControlDescription":"Exfiltration to Cloud Storage : Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. "
+ "ControlDescription":"Exfiltration to Cloud Storage : Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1570",
@@ -13817,7 +13817,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1027.003", - "ControlDescription":"Steganography : Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) By the end of 2017, a threat group used\u202fInvoke-PSImage\u202fto hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) " + "ControlDescription":"Steganography : Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) By the end of 2017, a threat group used\u202fInvoke-PSImage\u202fto hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. 
In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) "
 },
 {
 "ControlTitle":"MITRE ATT&CK T1584.002",
@@ -13825,7 +13825,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1001.003",
- "ControlDescription":"Protocol Impersonation : Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. "
+ "ControlDescription":"Protocol Impersonation : Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1012",
@@ -13857,7 +13857,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1506", - "ControlDescription":"Web Session Cookie : Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), the adversary then imports the cookie into a browser they control and is able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019) " + "ControlDescription":"Web Session Cookie : Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. 
After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), the adversary then imports the cookie into a browser they control and is able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)" }, { "ControlTitle":"MITRE ATT&CK T1553.004", 
@@ -14001,7 +14001,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1543.001", - "ControlDescription":"Launch Agent : Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks. Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\n \nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) " + "ControlDescription":"Launch Agent : Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. 
When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks. Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\n \nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X)" }, { "ControlTitle":"MITRE ATT&CK T1569", 
@@ -14013,7 +14013,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1055.009", - "ControlDescription":"Proc Memory : Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. Proc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes' stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes' memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) Other techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. 
" + "ControlDescription":"Proc Memory : Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. Proc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes' stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes' memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) Other techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process." }, { "ControlTitle":"MITRE ATT&CK T1223", 
@@ -14025,7 +14025,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1601.001", - "ControlDescription":"Patch System Image : Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.To change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.To change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.In the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. 
Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.By modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary's purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).Adversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. When the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). 
When the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. " + "ControlDescription":"Patch System Image : Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.To change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.To change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.In the second method for changing the operating system in memory, the adversary would make use of the boot loader. 
The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.By modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary's purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).Adversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. 
When the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). When the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1558.002",
@@ -14069,7 +14069,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1132.002",
- "ControlDescription":"Non-Standard Encoding : Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) "
+ "ControlDescription":"Non-Standard Encoding : Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding)"
 },
 {
 "ControlTitle":"MITRE ATT&CK T1556.001",
@@ -14077,7 +14077,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1537",
- "ControlDescription":"Transfer Data to Cloud Account : Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) "
+ "ControlDescription":"Transfer Data to Cloud Account : Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)"
 },
 {
 "ControlTitle":"MITRE ATT&CK T1027.006",
@@ -14153,7 +14153,7 @@ }, { "ControlTitle":"MITRE ATT&CK T1027.002", - "ControlDescription":"Software Packing : Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing) " + "ControlDescription":"Software Packing : Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. 
A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing) "
 },
 {
 "ControlTitle":"MITRE ATT&CK T1584.007",
@@ -14161,7 +14161,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1071.001",
- "ControlDescription":"Web Protocols : Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. "
+ "ControlDescription":"Web Protocols : Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1059.005",
@@ -14173,7 +14173,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1543.002",
- "ControlDescription":"Systemd Service : Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) * `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. Adversaries have created new service files, altered the commands a `.service` file's directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) "
+ "ControlDescription":"Systemd Service : Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) * `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. Adversaries have created new service files, altered the commands a `.service` file's directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)"
 },
 {
 "ControlTitle":"MITRE ATT&CK T1563.002",
@@ -14221,7 +14221,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1055.005",
- "ControlDescription":"Thread Local Storage : Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. "
+ "ControlDescription":"Thread Local Storage : Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1622",
@@ -14281,7 +14281,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1055.008",
- "ControlDescription":"Ptrace System Calls : Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes' memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) Ptrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. "
+ "ControlDescription":"Ptrace System Calls : Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes' memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) Ptrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1653",
@@ -14297,7 +14297,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1037.001",
- "ControlDescription":"Logon Script (Windows) : Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU/Environment/UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. "
+ "ControlDescription":"Logon Script (Windows) : Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU/Environment/UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1055.015",
@@ -14345,11 +14345,11 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1602.001",
- "ControlDescription":"SNMP (MIB Dump) : Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) "
+ "ControlDescription":"SNMP (MIB Dump) : Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)"
 },
 {
 "ControlTitle":"MITRE ATT&CK T1001.002",
- "ControlDescription":"Steganography : Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. "
+ "ControlDescription":"Steganography : Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1204.001",
@@ -14409,7 +14409,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1055.001",
- "ControlDescription":"Dynamic-link Library Injection : Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. "
+ "ControlDescription":"Dynamic-link Library Injection : Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1086",
@@ -14429,7 +14429,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1495",
- "ControlDescription":"Firmware Corruption : Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485). "
+ "ControlDescription":"Firmware Corruption : Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485)."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1490",
@@ -14465,7 +14465,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1001.001",
- "ControlDescription":"Junk Data : Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. "
+ "ControlDescription":"Junk Data : Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1598.001",
@@ -14477,7 +14477,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1552.007",
- "ControlDescription":"Container API : Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. "
+ "ControlDescription":"Container API : Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1584.001",
@@ -14485,7 +14485,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1505.001",
- "ControlDescription":"SQL Stored Procedures : Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017) Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR) "
+ "ControlDescription":"SQL Stored Procedures : Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017) Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR)"
 },
 {
 "ControlTitle":"MITRE ATT&CK T1556.004",
@@ -14497,7 +14497,7 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1048.003",
- "ControlDescription":"Exfiltration Over Unencrypted Non-C2 Protocol : Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. "
+ "ControlDescription":"Exfiltration Over Unencrypted Non-C2 Protocol : Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1574.004",
@@ -14505,11 +14505,11 @@
 },
 {
 "ControlTitle":"MITRE ATT&CK T1601.002",
- "ControlDescription":"Downgrade System Image : Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)On embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.Downgrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). "
+ "ControlDescription":"Downgrade System Image : Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)On embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.Downgrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). "
 },
 {
 "ControlTitle":"MITRE ATT&CK T1078.003",
- "ControlDescription":"Local Accounts : Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. "
+ "ControlDescription":"Local Accounts : Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement."
 },
 {
 "ControlTitle":"MITRE ATT&CK T1211",
@@ -15561,634 +15561,602 @@ }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.1.2", - "ControlDescription": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users " + "ControlDescription": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.1.3", - "ControlDescription": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users " + "ControlDescription": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.1.4", - "ControlDescription": "Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled " + "ControlDescription": "Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.2.1", - "ControlDescription": "Ensure Trusted Locations Are Defined " + "ControlDescription": "Ensure Trusted Locations Are Defined" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.2.2", - "ControlDescription": "Ensure that an exclusionary Geographic Access Policy is considered " + "ControlDescription": "Ensure that an exclusionary Geographic Access Policy is considered" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.2.3", - "ControlDescription": "Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups " + "ControlDescription": "Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.2.4", - "ControlDescription": "Ensure that A Multi-factor Authentication Policy Exists for All Users " + "ControlDescription": "Ensure that A Multi-factor Authentication Policy Exists for All Users" }, { 
"ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.2.5", - "ControlDescription": "Ensure Multi-factor Authentication is Required for Risky Sign-ins " + "ControlDescription": "Ensure Multi-factor Authentication is Required for Risky Sign-ins" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.2.6", - "ControlDescription": "Ensure Multi-factor Authentication is Required for Azure Management " + "ControlDescription": "Ensure Multi-factor Authentication is Required for Azure Management" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.4", - "ControlDescription": "Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management " + "ControlDescription": "Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.5", - "ControlDescription": "Ensure Guest Users Are Reviewed on a Regular Basis " + "ControlDescription": "Ensure Guest Users Are Reviewed on a Regular Basis" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.6", - "ControlDescription": "Ensure That 'Number of methods required to reset' is set to '2' " + "ControlDescription": "Ensure That 'Number of methods required to reset' is set to '2'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.7", - "ControlDescription": "Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization " + "ControlDescription": "Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.8", - "ControlDescription": "Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' " + "ControlDescription": "Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'" }, { 
"ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.9", - "ControlDescription": "Ensure that 'Notify users on password resets?' is set to 'Yes' " + "ControlDescription": "Ensure that 'Notify users on password resets?' is set to 'Yes'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.1", - "ControlDescription": "Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' " + "ControlDescription": "Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.11", - "ControlDescription": "Ensure `User consent for applications` is set to `Do not allow user consent` " + "ControlDescription": "Ensure `User consent for applications` is set to `Do not allow user consent`" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.12", - "ControlDescription": "Ensure \u0081eUser consent for applications\u0081f Is Set To \u0081eAllow for Verified Publishers\u0081f " + "ControlDescription": "Ensure \u0081eUser consent for applications\u0081f Is Set To \u0081eAllow for Verified Publishers\u0081f" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.13", - "ControlDescription": "Ensure that 'Users can add gallery apps to My Apps' is set to 'No' " + "ControlDescription": "Ensure that 'Users can add gallery apps to My Apps' is set to 'No'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.14", - "ControlDescription": "Ensure That \u0081eUsers Can Register Applications\u0081f Is Set to \u0081eNo\u0081f " + "ControlDescription": "Ensure That \u0081eUsers Can Register Applications\u0081f Is Set to \u0081eNo\u0081f" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.15", - "ControlDescription": "Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory 
objects' " + "ControlDescription": "Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.16", - "ControlDescription": "Ensure that 'Guest invite restrictions' is set to \"Only users assigned to specific admin roles can invite guest users\" " + "ControlDescription": "Ensure that 'Guest invite restrictions' is set to \"Only users assigned to specific admin roles can invite guest users\"" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.17", - "ControlDescription": "Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' " + "ControlDescription": "Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.18", - "ControlDescription": "Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' " + "ControlDescription": "Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.19", - "ControlDescription": "Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' " + "ControlDescription": "Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.2", - "ControlDescription": "Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' " + "ControlDescription": "Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.21", - "ControlDescription": "Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or 
PowerShell' is set to 'No' " + "ControlDescription": "Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.22", - "ControlDescription": "Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' " + "ControlDescription": "Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.23", - "ControlDescription": "Ensure That No Custom Subscription Administrator Roles Exist " + "ControlDescription": "Ensure That No Custom Subscription Administrator Roles Exist" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.24", - "ControlDescription": "Ensure a Custom Role is Assigned Permissions for Administering Resource Locks " + "ControlDescription": "Ensure a Custom Role is Assigned Permissions for Administering Resource Locks" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 1.25", - "ControlDescription": "Ensure That \u0081eSubscription Entering AAD Directory\u0081f and \u0081eSubscription Leaving AAD Directory\u0081f Is Set To \u0081ePermit No One\u0081f " + "ControlDescription": "Ensure That \u0081eSubscription Entering AAD Directory\u0081f and \u0081eSubscription Leaving AAD Directory\u0081f Is Set To \u0081ePermit No One\u0081f" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.1", - "ControlDescription": "Ensure That Microsoft Defender for Servers Is Set to 'On' " + "ControlDescription": "Ensure That Microsoft Defender for Servers Is Set to 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.2", - "ControlDescription": "Ensure That Microsoft Defender for App Services Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for App Services Is Set To 'On'" }, { 
"ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.3", - "ControlDescription": "Ensure That Microsoft Defender for Databases Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for Databases Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.4", - "ControlDescription": "Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.5", - "ControlDescription": "Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.6", - "ControlDescription": "Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.7", - "ControlDescription": "Ensure That Microsoft Defender for Storage Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for Storage Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.8", - "ControlDescription": "Ensure That Microsoft Defender for Containers Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for Containers Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.9", - "ControlDescription": "Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.10", - "ControlDescription": "Ensure That Microsoft Defender 
for Key Vault Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for Key Vault Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.11", - "ControlDescription": "Ensure That Microsoft Defender for DNS Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for DNS Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.12", - "ControlDescription": "Ensure That Microsoft Defender for Resource Manager Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for Resource Manager Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.13", - "ControlDescription": "Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' " + "ControlDescription": "Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.14", - "ControlDescription": "Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' " + "ControlDescription": "Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.15", - "ControlDescription": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' " + "ControlDescription": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.16", - "ControlDescription": "Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' " + "ControlDescription": "Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.17", - "ControlDescription": "Ensure that Auto provisioning of 'Microsoft Defender for 
Containers components' is Set to 'On' " + "ControlDescription": "Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.18", - "ControlDescription": "Ensure That 'All users with the following roles' is set to 'Owner' " + "ControlDescription": "Ensure That 'All users with the following roles' is set to 'Owner'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.19", - "ControlDescription": "Ensure 'Additional email addresses' is Configured with a Security Contact Email " + "ControlDescription": "Ensure 'Additional email addresses' is Configured with a Security Contact Email" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.20", - "ControlDescription": "Ensure That 'Notify about alerts with the following severity' is Set to 'High' " + "ControlDescription": "Ensure That 'Notify about alerts with the following severity' is Set to 'High'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.21", - "ControlDescription": "Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected " + "ControlDescription": "Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.22", - "ControlDescription": "Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected " + "ControlDescription": "Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.2.1", - "ControlDescription": "Ensure That Microsoft Defender for IoT Hub Is Set To 'On' " + "ControlDescription": "Ensure That Microsoft Defender for IoT Hub Is Set To 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations 
Benchmark V2.0.0 3.1", - "ControlDescription": "Ensure that 'Secure transfer required' is set to 'Enabled' " + "ControlDescription": "Ensure that 'Secure transfer required' is set to 'Enabled'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.2", - "ControlDescription": "Ensure that \u0081eEnable Infrastructure Encryption\u0081f for Each Storage Account in Azure Storage is Set to \u0081eenabled\u0081f " + "ControlDescription": "Ensure that \u0081eEnable Infrastructure Encryption\u0081f for Each Storage Account in Azure Storage is Set to \u0081eenabled\u0081f" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.3", - "ControlDescription": "Ensure that 'Enable key rotation reminders' is enabled for each Storage Account " + "ControlDescription": "Ensure that 'Enable key rotation reminders' is enabled for each Storage Account" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.4", - "ControlDescription": "Ensure that Storage Account Access Keys are Periodically Regenerated " + "ControlDescription": "Ensure that Storage Account Access Keys are Periodically Regenerated" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.5", - "ControlDescription": "Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests " + "ControlDescription": "Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.6", - "ControlDescription": "Ensure that Shared Access Signature Tokens Expire Within an Hour " + "ControlDescription": "Ensure that Shared Access Signature Tokens Expire Within an Hour" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.7", - "ControlDescription": "Ensure that 'Public access level' is disabled for storage accounts with blob containers " + "ControlDescription": "Ensure that 'Public access level' is disabled for 
storage accounts with blob containers" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.8", - "ControlDescription": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny " + "ControlDescription": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.9", - "ControlDescription": "Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access " + "ControlDescription": "Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.1", - "ControlDescription": "Ensure Private Endpoints are used to access Storage Accounts " + "ControlDescription": "Ensure Private Endpoints are used to access Storage Accounts" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.11", - "ControlDescription": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage " + "ControlDescription": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.12", - "ControlDescription": "Ensure Storage for Critical Data are Encrypted with Customer Managed Keys " + "ControlDescription": "Ensure Storage for Critical Data are Encrypted with Customer Managed Keys" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.13", - "ControlDescription": "Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests " + "ControlDescription": "Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.14", - "ControlDescription": "Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 
'Delete' Requests " + "ControlDescription": "Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 3.15", - "ControlDescription": "Ensure the \"Minimum TLS version\" for storage accounts is set to \"Version 1.2\" " + "ControlDescription": "Ensure the \"Minimum TLS version\" for storage accounts is set to \"Version 1.2\"" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.1.1", - "ControlDescription": "Ensure that 'Auditing' is set to 'On' " + "ControlDescription": "Ensure that 'Auditing' is set to 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.1.2", - "ControlDescription": "Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) " + "ControlDescription": "Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.1.3", - "ControlDescription": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key " + "ControlDescription": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.1.4", - "ControlDescription": "Ensure that Azure Active Directory Admin is Configured for SQL Servers " + "ControlDescription": "Ensure that Azure Active Directory Admin is Configured for SQL Servers" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.1.5", - "ControlDescription": "Ensure that 'Data encryption' is set to 'On' on a SQL Database " + "ControlDescription": "Ensure that 'Data encryption' is set to 'On' on a SQL Database" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.1.6", - "ControlDescription": "Ensure that 'Auditing' Retention is 'greater than 90 days' " + "ControlDescription": "Ensure that 'Auditing' 
Retention is 'greater than 90 days'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.2.1", - "ControlDescription": "Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers " + "ControlDescription": "Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.2.2", - "ControlDescription": "Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account " + "ControlDescription": "Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.2.3", - "ControlDescription": "Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server " + "ControlDescription": "Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.2.4", - "ControlDescription": "Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server " + "ControlDescription": "Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.2.5", - "ControlDescription": "Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server " + "ControlDescription": "Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.3.1", - "ControlDescription": "Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server " + "ControlDescription": "Ensure 'Enforce 
SSL connection' is set to 'ENABLED' for PostgreSQL Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.3.2", - "ControlDescription": "Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server " + "ControlDescription": "Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.3.3", - "ControlDescription": "Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server " + "ControlDescription": "Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.3.4", - "ControlDescription": "Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server " + "ControlDescription": "Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.3.5", - "ControlDescription": "Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server " + "ControlDescription": "Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.3.6", - "ControlDescription": "Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server " + "ControlDescription": "Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.3.7", - "ControlDescription": "Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled " + "ControlDescription": "Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled" }, { "ControlTitle": "CIS Microsoft Azure Foundations 
Benchmark V2.0.0 4.3.8", - "ControlDescription": "Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' " + "ControlDescription": "Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.4.1", - "ControlDescription": "Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server " + "ControlDescription": "Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.4.2", - "ControlDescription": "Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server " + "ControlDescription": "Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.4.3", - "ControlDescription": "Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server " + "ControlDescription": "Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.4.4", - "ControlDescription": "Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server " + "ControlDescription": "Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.5.1", - "ControlDescription": "Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks " + "ControlDescription": "Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.5.2", - "ControlDescription": "Ensure That Private Endpoints Are Used Where Possible " + "ControlDescription": "Ensure That Private Endpoints Are Used 
Where Possible" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 4.5.3", - "ControlDescription": "Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible. " + "ControlDescription": "Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible." }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.1.1", - "ControlDescription": "Ensure that a 'Diagnostic Setting' exists " + "ControlDescription": "Ensure that a 'Diagnostic Setting' exists" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.1.2", - "ControlDescription": "Ensure Diagnostic Setting captures appropriate categories " + "ControlDescription": "Ensure Diagnostic Setting captures appropriate categories" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.1.3", - "ControlDescription": "Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible " + "ControlDescription": "Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.1.4", - "ControlDescription": "Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key " + "ControlDescription": "Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.1.5", - "ControlDescription": "Ensure that logging for Azure Key Vault is 'Enabled' " + "ControlDescription": "Ensure that logging for Azure Key Vault is 'Enabled'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.1.6", - "ControlDescription": "Ensure that Network Security Group Flow logs are captured and sent to Log Analytics " + "ControlDescription": "Ensure that Network Security Group Flow logs are captured and sent to Log Analytics" }, { "ControlTitle": "CIS 
Microsoft Azure Foundations Benchmark V2.0.0 5.1.7", - "ControlDescription": "Ensure that logging for Azure AppService 'HTTP logs' is enabled " + "ControlDescription": "Ensure that logging for Azure AppService 'HTTP logs' is enabled" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.1", - "ControlDescription": "Ensure that Activity Log Alert exists for Create Policy Assignment " + "ControlDescription": "Ensure that Activity Log Alert exists for Create Policy Assignment" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.2", - "ControlDescription": "Ensure that Activity Log Alert exists for Delete Policy Assignment " + "ControlDescription": "Ensure that Activity Log Alert exists for Delete Policy Assignment" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.3", - "ControlDescription": "Ensure that Activity Log Alert exists for Create or Update Network Security Group " + "ControlDescription": "Ensure that Activity Log Alert exists for Create or Update Network Security Group" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.4", - "ControlDescription": "Ensure that Activity Log Alert exists for Delete Network Security Group " + "ControlDescription": "Ensure that Activity Log Alert exists for Delete Network Security Group" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.5", - "ControlDescription": "Ensure that Activity Log Alert exists for Create or Update Security Solution " + "ControlDescription": "Ensure that Activity Log Alert exists for Create or Update Security Solution" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.6", - "ControlDescription": "Ensure that Activity Log Alert exists for Delete Security Solution " + "ControlDescription": "Ensure that Activity Log Alert exists for Delete Security Solution" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.7", - "ControlDescription": 
"Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule " + "ControlDescription": "Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.8", - "ControlDescription": "Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule " + "ControlDescription": "Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.9", - "ControlDescription": "Ensure that Activity Log Alert exists for Create or Update Public IP Address rule " + "ControlDescription": "Ensure that Activity Log Alert exists for Create or Update Public IP Address rule" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.2.10", - "ControlDescription": "Ensure that Activity Log Alert exists for Delete Public IP Address rule " + "ControlDescription": "Ensure that Activity Log Alert exists for Delete Public IP Address rule" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.3.1", - "ControlDescription": "Ensure Application Insights are Configured " + "ControlDescription": "Ensure Application Insights are Configured" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.4", - "ControlDescription": "Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it " + "ControlDescription": "Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 5.5", - "ControlDescription": "Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) " + "ControlDescription": "Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)" }, { "ControlTitle": "CIS Microsoft Azure 
Foundations Benchmark V2.0.0 6.1", - "ControlDescription": "Ensure that RDP access from the Internet is evaluated and restricted " + "ControlDescription": "Ensure that RDP access from the Internet is evaluated and restricted" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 6.2", - "ControlDescription": "Ensure that SSH access from the Internet is evaluated and restricted " + "ControlDescription": "Ensure that SSH access from the Internet is evaluated and restricted" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 6.3", - "ControlDescription": "Ensure that UDP access from the Internet is evaluated and restricted " + "ControlDescription": "Ensure that UDP access from the Internet is evaluated and restricted" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 6.4", - "ControlDescription": "Ensure that HTTP(S) access from the Internet is evaluated and restricted " + "ControlDescription": "Ensure that HTTP(S) access from the Internet is evaluated and restricted" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 6.5", - "ControlDescription": "Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' " + "ControlDescription": "Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 6.6", - "ControlDescription": "Ensure that Network Watcher is 'Enabled' " + "ControlDescription": "Ensure that Network Watcher is 'Enabled'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 6.7", - "ControlDescription": "Ensure that Public IP addresses are Evaluated on a Periodic Basis " + "ControlDescription": "Ensure that Public IP addresses are Evaluated on a Periodic Basis" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 7.1", - "ControlDescription": "Ensure an Azure Bastion Host Exists " + "ControlDescription": "Ensure an Azure 
Bastion Host Exists" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 7.2", - "ControlDescription": "Ensure Virtual Machines are utilizing Managed Disks " + "ControlDescription": "Ensure Virtual Machines are utilizing Managed Disks" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 7.3", - "ControlDescription": "Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) " + "ControlDescription": "Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 7.4", - "ControlDescription": "Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) " + "ControlDescription": "Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 7.5", - "ControlDescription": "Ensure that Only Approved Extensions Are Installed " + "ControlDescription": "Ensure that Only Approved Extensions Are Installed" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 7.6", - "ControlDescription": "Ensure that Endpoint Protection for all Virtual Machines is installed " + "ControlDescription": "Ensure that Endpoint Protection for all Virtual Machines is installed" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 7.7", - "ControlDescription": "[Legacy] Ensure that VHDs are Encrypted " + "ControlDescription": "[Legacy] Ensure that VHDs are Encrypted" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 8.1", - "ControlDescription": "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults " + "ControlDescription": "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 8.2", - "ControlDescription": "Ensure that the Expiration Date is set for all Keys in Non- RBAC Key Vaults. 
" + "ControlDescription": "Ensure that the Expiration Date is set for all Keys in Non- RBAC Key Vaults." }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 8.3", - "ControlDescription": "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults " + "ControlDescription": "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 8.4", - "ControlDescription": "Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults " + "ControlDescription": "Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 8.5", - "ControlDescription": "Ensure the Key Vault is Recoverable " + "ControlDescription": "Ensure the Key Vault is Recoverable" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 8.6", - "ControlDescription": "Enable Role Based Access Control for Azure Key Vault " + "ControlDescription": "Enable Role Based Access Control for Azure Key Vault" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 8.7", - "ControlDescription": "Ensure that Private Endpoints are Used for Azure Key Vault " + "ControlDescription": "Ensure that Private Endpoints are Used for Azure Key Vault" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 8.8", - "ControlDescription": "Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services " + "ControlDescription": "Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.1", - "ControlDescription": "Ensure App Service Authentication is set up for apps in Azure App Service " + "ControlDescription": "Ensure App Service Authentication is set up for apps in Azure App Service" }, { "ControlTitle": "CIS Microsoft Azure Foundations 
Benchmark V2.0.0 9.2", - "ControlDescription": "Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service " + "ControlDescription": "Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.3", - "ControlDescription": "Ensure Web App is using the latest version of TLS encryption " + "ControlDescription": "Ensure Web App is using the latest version of TLS encryption" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.4", - "ControlDescription": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' " + "ControlDescription": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.5", - "ControlDescription": "Ensure that Register with Azure Active Directory is enabled on App Service " + "ControlDescription": "Ensure that Register with Azure Active Directory is enabled on App Service" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.6", - "ControlDescription": "Ensure That 'PHP version' is the Latest, If Used to Run the Web App " + "ControlDescription": "Ensure That 'PHP version' is the Latest, If Used to Run the Web App" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.7", - "ControlDescription": "Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App " + "ControlDescription": "Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.8", - "ControlDescription": "Ensure that 'Java version' is the latest, if used to run the Web App " + "ControlDescription": "Ensure that 'Java version' is the latest, if used to run the Web App" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.9", - "ControlDescription": 
"Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App " + "ControlDescription": "Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.1", - "ControlDescription": "Ensure FTP deployments are Disabled " + "ControlDescription": "Ensure FTP deployments are Disabled" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 9.11", - "ControlDescription": "Ensure Azure Key Vaults are Used to Store Secrets " + "ControlDescription": "Ensure Azure Key Vaults are Used to Store Secrets" }, { "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " + "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources" }, { - "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " - }, - { - "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " - }, - { - "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " - }, - { - "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " - }, - { - "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " - }, - { - "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " - }, - { - "ControlTitle": 
"CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " - }, - { - "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " - }, - { - "ControlTitle": "CIS Microsoft Azure Foundations Benchmark V2.0.0 10.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources " + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.1", + "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources" } ] \ No newline at end of file From 738c36a9a46cd8cd4ac54b50166bb1998ab7572a Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 19:51:49 -0400 Subject: [PATCH 16/55] add Snowflake CIS controls --- .../processor/outputs/control_objectives.json | 78 ++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) diff --git a/eeauditor/processor/outputs/control_objectives.json b/eeauditor/processor/outputs/control_objectives.json index 19f8c456..62696086 100644 --- a/eeauditor/processor/outputs/control_objectives.json +++ b/eeauditor/processor/outputs/control_objectives.json 
@@ -16157,6 +16157,82 @@ }, { "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.1", - "ControlDescription": "Ensure that Resource Locks are set for Mission-Critical Azure Resources" + "ControlDescription": "Ensure single sign-on (SSO) is configured for your account / organization" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.2", + "ControlDescription": "Ensure Snowflake SCIM integration is configured to automatically provision and deprovision users and groups (i.e. roles)" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.4", + "ControlDescription": "Ensure multi-factor authentication (MFA) is turned on for all human users with password-based authentication" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.5", + "ControlDescription": "Ensure minimum password length is set to 14 characters or more" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.6", + "ControlDescription": "Ensure that service accounts use key pair authentication" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.7", + "ControlDescription": "Ensure authentication key pairs are rotated every 180 days" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.8", + "ControlDescription": "Ensure that users who did not log in for 90 days are disabled" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.9", + "ControlDescription": "Ensure that the idle session timeout is set to 15 minutes or less for users with the ACCOUNTADMIN and SECURITYADMIN roles" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.10", + "ControlDescription": "Limit the number of users with ACCOUNTADMIN and SECURITYADMIN" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.11", + "ControlDescription": "Ensure that all users granted the ACCOUNTADMIN role have an email address assigned" + }, + { + "ControlTitle": "CIS 
Snowflake Foundations Benchmark V1.0.0 1.12", + "ControlDescription": "Ensure that no users have ACCOUNTADMIN or SECURITYADMIN as the default role" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.13", + "ControlDescription": "Ensure that the ACCOUNTADMIN or SECURITYADMIN role is not granted to any custom role" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.14", + "ControlDescription": "Ensure that Snowflake tasks are not owned by the ACCOUNTADMIN or SECURITYADMIN roles" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.15", + "ControlDescription": "Ensure that Snowflake tasks do not run with the ACCOUNTADMIN or SECURITYADMIN role privileges" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.16", + "ControlDescription": "Ensure that Snowflake stored procedures are not owned by the ACCOUNTADMIN or SECURITYADMIN roles" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 1.17", + "ControlDescription": "Ensure Snowflake stored procedures do not run with ACCOUNTADMIN or SECURITYADMIN role privileges" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "ControlDescription": "Ensure monitoring and alerting exist for ACCOUNTADMIN and SECURITYADMIN role grants" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.4", + "ControlDescription": "Ensure monitoring and alerting exist for password sign-in without MFA" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.7", + "ControlDescription": "Ensure monitoring and alerting exist for SCIM token creation" + }, + { + "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 3.1", + "ControlDescription": "Ensure that an account-level network policy has been configured to only allow access from trusted IP addresses" } ] \ No newline at end of file From dcca114f3a24d6fbd7c3eced2dc28447fa6503ed Mon Sep 17 00:00:00 2001 
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 19:53:04 -0400 Subject: [PATCH 17/55] lol didnt forget the standard! --- eeauditor/processor/outputs/ocsf_stdout.py | 3 ++- eeauditor/processor/outputs/ocsf_to_firehose_output.py | 3 ++- eeauditor/processor/outputs/ocsf_v1_1_0_output.py | 3 ++- eeauditor/processor/outputs/ocsf_v1_4_0_output.py | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/eeauditor/processor/outputs/ocsf_stdout.py b/eeauditor/processor/outputs/ocsf_stdout.py index 3947e892..a39e7b06 100644 --- a/eeauditor/processor/outputs/ocsf_stdout.py +++ b/eeauditor/processor/outputs/ocsf_stdout.py @@ -58,7 +58,8 @@ "CIS Amazon Web Services Foundations Benchmark V3.0", "MITRE ATT&CK", "CIS AWS Database Services Benchmark V1.0", - "CIS Microsoft Azure Foundations Benchmark V2.0.0" + "CIS Microsoft Azure Foundations Benchmark V2.0.0", + "CIS Snowflake Foundations Benchmark V1.0.0" ] class SeverityAccountTypeComplianceMapping(NamedTuple): diff --git a/eeauditor/processor/outputs/ocsf_to_firehose_output.py b/eeauditor/processor/outputs/ocsf_to_firehose_output.py index 1ef1ffa6..6c51b922 100644 --- a/eeauditor/processor/outputs/ocsf_to_firehose_output.py +++ b/eeauditor/processor/outputs/ocsf_to_firehose_output.py @@ -61,7 +61,8 @@ "CIS Amazon Web Services Foundations Benchmark V3.0", "MITRE ATT&CK", "CIS AWS Database Services Benchmark V1.0", - "CIS Microsoft Azure Foundations Benchmark V2.0.0" + "CIS Microsoft Azure Foundations Benchmark V2.0.0", + "CIS Snowflake Foundations Benchmark V1.0.0" ] class SeverityAccountTypeComplianceMapping(NamedTuple): diff --git a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py index 6553f6d6..823a2499 100644 --- a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py 
@@ -58,7 +58,8 @@ "CIS Amazon Web Services Foundations Benchmark V3.0", "MITRE ATT&CK", "CIS AWS Database Services Benchmark V1.0", - "CIS Microsoft Azure Foundations Benchmark V2.0.0" + "CIS Microsoft Azure Foundations Benchmark V2.0.0", + "CIS Snowflake Foundations Benchmark V1.0.0" ] class SeverityAccountTypeComplianceMapping(NamedTuple): diff --git a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py index 1f9510dd..363b85df 100644 --- a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py @@ -58,7 +58,8 @@ "CIS Amazon Web Services Foundations Benchmark V3.0", "MITRE ATT&CK", "CIS AWS Database Services Benchmark V1.0", - "CIS Microsoft Azure Foundations Benchmark V2.0.0" + "CIS Microsoft Azure Foundations Benchmark V2.0.0", + "CIS Snowflake Foundations Benchmark V1.0.0" ] class SeverityAccountTypeComplianceMapping(NamedTuple): From 45c011f745b25ac2dc14316ce1dc79a77ac236a3 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 20:00:37 -0400 Subject: [PATCH 18/55] Snowflake types and logging for EEAuditor --- eeauditor/cloud_utils.py | 10 +++++----- eeauditor/eeauditor.py | 12 ++++++++---- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 90ef9c8e..3a074e73 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py 
@@ -493,11 +493,11 @@ def __init__(self, assessmentTarget, tomlPath): # Process data["credentials"]["snowflake"] - values need to be assigned to self snowflakeTomlValues = data["credentials"]["snowflake"] - snowflakeUsername = snowflakeTomlValues["snowflake_username"] - snowflakePasswordValue = snowflakeTomlValues["snowflake_password_value"] - snowflakeAccountId = snowflakeTomlValues["snowflake_account_id"] - snowflakeWarehouseName = snowflakeTomlValues["snowflake_warehouse_name"] - snowflakeRegion = snowflakeTomlValues["snowflake_region"] + snowflakeUsername = str(snowflakeTomlValues["snowflake_username"]) + snowflakePasswordValue = str(snowflakeTomlValues["snowflake_password_value"]) + snowflakeAccountId = str(snowflakeTomlValues["snowflake_account_id"]) + snowflakeWarehouseName = str(snowflakeTomlValues["snowflake_warehouse_name"]) + snowflakeRegion = str(snowflakeTomlValues["snowflake_region"]) if any( # Check to make sure none of the variables pulled from TOML are emtpy diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index d35ad00c..ffca2ead 100644 --- a/eeauditor/eeauditor.py +++ b/eeauditor/eeauditor.py @@ -532,7 +532,7 @@ def run_salesforce_checks(self, pluginName=None, delay=0): ): try: logger.info( - "Executing Check %s for Salesforce instance", + "Executing Check %s for Salesforce", checkName ) for finding in check( @@ -579,7 +579,7 @@ def run_snowflake_checks(self, pluginName=None, delay=0): ): try: logger.info( - "Executing Check %s for M365", + "Executing Check %s for Snowflake", checkName ) for finding in check( 
@@ -603,8 +603,12 @@ def run_snowflake_checks(self, pluginName=None, delay=0): sleep(delay) # close the connection to the Snowflake Warehouse - self.snowflakeCursor.close() - self.snowflakeConnection.close() + curClose = self.snowflakeCursor.close() + connClose = self.snowflakeConnection.close() + + print(curClose, connClose) + + logger.info("Snowflake connection and cursor closed.") # Called from eeauditor/controller.py run_auditor() def run_non_aws_checks(self, pluginName=None, delay=0): From 6e48965174e96c07c8d195f9d880071ae2dfb614 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 20:47:32 -0400 Subject: [PATCH 19/55] wireframe snowflake user auditor --- .../snowflake/Snowflake_Users_Auditor.py | 177 ++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py new file mode 100644 index 00000000..9042d0ae --- /dev/null +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py 
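Review bot: The `print(curClose, connClose)` added after the two close() calls in run_snowflake_checks looks like leftover debugging and bypasses the module logger that the very next line uses. If the return values are worth keeping, `logger.debug("Snowflake cursor close returned %s, connection close returned %s", curClose, connClose)` puts them in the log stream; otherwise drop the two assignments and the print. The close calls also sit after the check loop rather than in a `finally`, so an exception that escapes the loop would presumably leave the warehouse session open. The function body starts outside this hunk, so confirm that against the full loop.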
@@ -0,0 +1,177 @@ +#This file is part of ElectricEye. +#SPDX-License-Identifier: Apache-2.0 + +#Licensed to the Apache Software Foundation (ASF) under one +#or more contributor license agreements. See the NOTICE file +#distributed with this work for additional information +#regarding copyright ownership. The ASF licenses this file +#to you under the Apache License, Version 2.0 (the +#"License"); you may not use this file except in compliance +#with the License. You may obtain a copy of the License at + +#http://www.apache.org/licenses/LICENSE-2.0 + +#Unless required by applicable law or agreed to in writing, +#software distributed under the License is distributed on an +#"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +#KIND, either express or implied. See the License for the +#specific language governing permissions and limitations +#under the License. + +from datetime import datetime, timezone, timedelta, UTC +from snowflake.connector import cursor +import snowflake.connector.errors as snowerrors +import os +from check_register import CheckRegister +import base64 +import json + +registry = CheckRegister() + +def timestamp_to_iso(timestampNtz: str | None) -> str | None: + """ + Receives from Snowflake and transforms to ISO 8601 format stringified datetime objects. If the timestamp is None, it returns None. 
+ """ + if timestampNtz is None: + return None + + try: + dt = datetime.strptime(str(timestampNtz), '%Y-%m-%d %H:%M:%S.%f') + except ValueError: + dt = datetime.strptime(str(timestampNtz), '%Y-%m-%d %H:%M:%S') + + dt = dt.replace(tzinfo=timezone.utc).isoformat() + + return str(dt) + +def get_roles_for_user(username: str, snowflakeCursor: cursor.SnowflakeCursor) -> tuple[list[str | None], bool]: + """ + Retrieves the assigned grants (Roles) for a given user + """ + + query = f""" + SHOW GRANTS TO USER "{username}" + """ + + adminRoles = ["ACCOUNTADMIN","ORGADMIN","SECURITYADMIN","SYSADMIN"] + roles = [] + + try: + q = snowflakeCursor.execute(query) + for row in q.fetchall(): + roles.append(row["role"]) + except TypeError: + print(f"no roles for the user: {username}") + except snowerrors.ProgrammingError as spe: + if "does not exist" in str(spe): + print(f"User {username} is inactive or roles are unable to be retrieved.") + except Exception as e: + raise e + + if roles: + if any(adminrole in roles for adminrole in adminRoles): + isAdmin = True + else: + isAdmin = False + else: + isAdmin = False + + return roles, isAdmin + +def get_snowflake_users(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> dict: + """ + Gathers a list of users from the SNOWFLAKE.ACCOUNT_USAGE.USERS table, enriches the data with Snowflake Roles and Snowflake Logon data, and returns a list of dictionaries containing user data. This is written into the ElectricEye cache. 
+ """ + response = cache.get("get_snowflake_users") + if response: + return response + + snowflakeUsers = [] + + # Use the almighty SQL query to get all the users + query = f""" + SELECT DISTINCT + user_id, + name, + to_timestamp_ntz(created_on) as created_on, + to_timestamp_ntz(deleted_on) as deleted_on, + login_name, + display_name, + first_name, + last_name, + email, + must_change_password, + has_password, + comment, + disabled, + snowflake_lock, + default_warehouse, + default_namespace, + default_role, + ext_authn_duo, + ext_authn_uid, + bypass_mfa_until, + to_timestamp_ntz(last_success_login) as last_success_login, + to_timestamp_ntz(expires_at) as expires_at, + to_timestamp_ntz(locked_until_time) as locked_until_time, + has_rsa_public_key, + to_timestamp_ntz(password_last_set_time) as password_last_set_time, + owner, + default_secondary_role + FROM SNOWFLAKE.ACCOUNT_USAGE.USERS + """ + + try: + q = snowflakeCursor.execute(query) + for column in q.fetchall(): + username = column["NAME"] + try: + pwLastSetTime = str(column["PASSWORD_LAST_SET_TIME"]) + except KeyError: + pwLastSetTime = None + + roleData = get_roles_for_user(username, snowflakeCursor) + + logins = check_user_logon_without_mfa(username, snowflakeCursor) + + snowflakeUsers.append( + { + "user_id": column["USER_ID"], + "name": username, + "created_on": timestamp_to_iso(column["CREATED_ON"]), + "deleted_on": timestamp_to_iso(column["DELETED_ON"]), + "login_name": column["LOGIN_NAME"], + "display_name": column["DISPLAY_NAME"], + "first_name": column["FIRST_NAME"], + "last_name": column["LAST_NAME"], + "email": column["EMAIL"], + "assigned_roles": roleData[0], + "is_admin": roleData[1], + "logged_on_without_mfa": logins[0], + "total_logons_without_mfa": logins[1], + "must_change_password": column["MUST_CHANGE_PASSWORD"], + "has_password": column["HAS_PASSWORD"], + "comment": column["COMMENT"], + "disabled": column["DISABLED"], + "snowflake_lock": column["SNOWFLAKE_LOCK"], + "default_warehouse": 
column["DEFAULT_WAREHOUSE"], + "default_namespace": column["DEFAULT_NAMESPACE"], + "default_role": column["DEFAULT_ROLE"], + "ext_authn_duo": column["EXT_AUTHN_DUO"], + "ext_authn_uid": column["EXT_AUTHN_UID"], + "bypass_mfa_until": timestamp_to_iso(column["BYPASS_MFA_UNTIL"]), + "last_success_login": timestamp_to_iso(column["LAST_SUCCESS_LOGIN"]), + "expires_at": timestamp_to_iso(column["EXPIRES_AT"]), + "locked_until_time": timestamp_to_iso(column["LOCKED_UNTIL_TIME"]), + "has_rsa_public_key": column["HAS_RSA_PUBLIC_KEY"], + "password_last_set_time": timestamp_to_iso(pwLastSetTime), + "owner": column["OWNER"], + "default_secondary_role": column["DEFAULT_SECONDARY_ROLE"] + } + ) + except Exception as e: + raise e + + cache["get_snowflake_users"] = snowflakeUsers + + return cache["get_snowflake_users"] \ No newline at end of file From d3603b6b3641438584e1e9edee9512099a1d4cee Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 20:53:46 -0400 Subject: [PATCH 20/55] better logging in this MF'er! --- eeauditor/auditors/aws/Amazon_EC2_Auditor.py | 13 ++++++++----- .../auditors/snowflake/Snowflake_Users_Auditor.py | 13 ++++++++----- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/eeauditor/auditors/aws/Amazon_EC2_Auditor.py b/eeauditor/auditors/aws/Amazon_EC2_Auditor.py index ea3e5fb6..27d0d751 100644 --- a/eeauditor/auditors/aws/Amazon_EC2_Auditor.py +++ b/eeauditor/auditors/aws/Amazon_EC2_Auditor.py @@ -18,6 +18,7 @@ #specific language governing permissions and limitations #under the License. +import logging import tomli import os import sys @@ -30,6 +31,8 @@ import base64 import json +logger = logging.getLogger("AwsEc2Auditor") + SHODAN_HOSTS_URL = "https://api.shodan.io/shodan/host/" # Adding backoff and retries for SSM - this API gets throttled a lot 
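Review bot: In get_roles_for_user the statement is assembled with an f-string, `SHOW GRANTS TO USER "{username}"`, and the name comes straight from the NAME column of SNOWFLAKE.ACCOUNT_USAGE.USERS, so a user name that itself contains a double quote ends the quoted identifier early and changes the statement the auditor runs. Double the quote before interpolating, `safeName = username.replace('"', '""')`, and build the query from `safeName`. Separately, get_snowflake_users calls check_user_logon_without_mfa, which this new file does not define, so the first row raises NameError and the `except Exception as e: raise e` passes it straight up; the helper needs to land in the same commit as its caller.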
@@ -175,7 +178,7 @@ def get_shodan_api_key(cache): credLocation = data["global"]["credentials_location"] shodanCredValue = data["global"]["shodan_api_key_value"] if credLocation not in validCredLocations: - print(f"Invalid option for [global.credLocation]. Must be one of {str(validCredLocations)}.") + logger.error("Invalid option for [global.credLocation]. Must be one of %s.", validCredLocations) sys.exit(2) if not shodanCredValue: apiKey = None @@ -197,8 +200,8 @@ def get_shodan_api_key(cache): Name=shodanCredValue, WithDecryption=True )["Parameter"]["Value"] - except ClientError as e: - print(f"Error retrieving API Key from SSM, skipping all Shodan checks, error: {e}") + except ClientError as err: + logger.warning("Error retrieving API Key from AWS Systems Manager Parameter Store, skipping all Shodan checks, error: %s", err) apiKey = None # Retrieve the credential from AWS Secrets Manager @@ -207,8 +210,8 @@ def get_shodan_api_key(cache): apiKey = asm.get_secret_value( SecretId=shodanCredValue, )["SecretString"] - except ClientError as e: - print(f"Error retrieving API Key from ASM, skipping all Shodan checks, error: {e}") + except ClientError as err: + logger.warning("Error retrieving API Key from AWS Secrets Manager, skipping all Shodan checks, error: %s", err) apiKey = None cache["get_shodan_api_key"] = apiKey diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index 9042d0ae..5367ee42 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py 
@@ -18,14 +18,16 @@ #specific language governing permissions and limitations #under the License. +import logging from datetime import datetime, timezone, timedelta, UTC from snowflake.connector import cursor import snowflake.connector.errors as snowerrors -import os from check_register import CheckRegister import base64 import json +logger = logging.getLogger("AwsEc2Auditor") + registry = CheckRegister() def timestamp_to_iso(timestampNtz: str | None) -> str | None: @@ -61,12 +63,13 @@ def get_roles_for_user(username: str, snowflakeCursor: cursor.SnowflakeCursor) - for row in q.fetchall(): roles.append(row["role"]) except TypeError: - print(f"no roles for the user: {username}") + logger.warn(f"no roles for the user: {username}") except snowerrors.ProgrammingError as spe: if "does not exist" in str(spe): - print(f"User {username} is inactive or roles are unable to be retrieved.") + logger.warning("User %s is inactive or roles are unable to be retrieved.", username) except Exception as e: - raise e + logger.warning("Exception encounterd while trying to get roles for user %s: %s", username, e) + return (list(), None) if roles: if any(adminrole in roles for adminrole in adminRoles): @@ -170,7 +173,7 @@ def get_snowflake_users(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> } ) except Exception as e: - raise e + logger.warning("Exception encountered while trying to get users: %s", e) cache["get_snowflake_users"] = snowflakeUsers From 73cbcf40b991dc0e4983deafb46a2a1f292e4443 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 21:20:01 -0400 Subject: [PATCH 21/55] finish staging first snowflake check --- .../snowflake/Snowflake_Users_Auditor.py | 197 +++++++++++++++++- eeauditor/eeauditor.py | 3 +- 2 files changed, 197 insertions(+), 3 deletions(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index 5367ee42..e9cd302f 100644 
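Review bot: The logger added at the top of Snowflake_Users_Auditor.py is created as `logging.getLogger("AwsEc2Auditor")`, the same name this commit gives the logger in Amazon_EC2_Auditor.py, so every warning from the Snowflake user checks will be attributed to the EC2 auditor when logs are filtered or triaged by logger name. Give the module its own name, for example `logger = logging.getLogger("SnowflakeUsersAuditor")`.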
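Review bot: The new generic handler in get_roles_for_user returns `(list(), None)`, so a user whose grants could not be read is recorded with no roles and a falsy `is_admin`, and the audit treats an unreadable account as a non-admin instead of surfacing the failure; it also breaks the annotated `tuple[list[str | None], bool]` return. The last hunk of this file has the same shape: get_snowflake_users replaces `raise e` with a warning and then caches whatever was collected, so a failed ACCOUNT_USAGE query presumably yields an empty user list and no findings. Prefer keeping the error visible to the caller, or at least skip the `cache["get_snowflake_users"] = snowflakeUsers` write when the query failed. Smaller points in the same hunk: `logger.warn` is a deprecated alias and the f-string formats eagerly, so use `logger.warning("no roles for the user: %s", username)`, and a ProgrammingError whose text lacks "does not exist" is still swallowed without any log line.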
--- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py @@ -81,6 +81,38 @@ def get_roles_for_user(username: str, snowflakeCursor: cursor.SnowflakeCursor) - return roles, isAdmin +def check_user_logon_without_mfa(username: str, snowflakeCursor: cursor.SnowflakeCursor) -> tuple[bool, int]: + """Pulls distinct logs for a user where they did not use MFA, returns True if they did not use MFA along with the amount of times""" + + # Check for specific users that used Password, didn't fail, and didn't use a 2FA factor + query = f""" + SELECT DISTINCT + USER_NAME, + IS_SUCCESS + FIRST_AUTHENTICATION_FACTOR, + SECOND_AUTHENTICATION_FACTOR + FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY + WHERE USER_NAME = '{username}' + AND IS_SUCCESS = 'YES' + AND FIRST_AUTHENTICATION_FACTOR = 'PASSWORD' + AND SECOND_AUTHENTICATION_FACTOR IS NULL + """ + + try: + q = snowflakeCursor.execute(query).fetchall() + except Exception as e: + logger.warning("Exception encountered while trying to get logon history for user %s: %s", username, e) + return (False, 0) + + if q: + loginWithoutMfa = True + logonsWithoutMfaCount = len(q) + else: + loginWithoutMfa = False + logonsWithoutMfaCount = 0 + + return (loginWithoutMfa, logonsWithoutMfaCount) + def get_snowflake_users(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> dict: """ Gathers a list of users from the SNOWFLAKE.ACCOUNT_USAGE.USERS table, enriches the data with Snowflake Roles and Snowflake Logon data, and returns a list of dictionaries containing user data. This is written into the ElectricEye cache. 
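Review bot: check_user_logon_without_mfa interpolates the user name into a SQL string literal, `WHERE USER_NAME = '{username}'`, so a name containing a single quote alters the query; bind it instead with `WHERE USER_NAME = %s` and `snowflakeCursor.execute(query, (username,))`, which matches the connector's default pyformat paramstyle. The select list is also missing a comma after `IS_SUCCESS`, which turns `FIRST_AUTHENTICATION_FACTOR` into an alias for IS_SUCCESS rather than a selected column. Because the query is `SELECT DISTINCT` over columns that the WHERE clause pins to fixed values, `len(q)` can presumably only be 0 or 1, so `total_logons_without_mfa` is not a logon count; a `SELECT COUNT(*)` would give one. Returning `(False, 0)` from the exception handler also reports a user whose login history could not be read as never having logged in without MFA.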
@@ -177,4 +209,167 @@ def get_snowflake_users(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> cache["get_snowflake_users"] = snowflakeUsers - return cache["get_snowflake_users"] \ No newline at end of file + return cache["get_snowflake_users"] + +@registry.register_check("snowflake.users") +def ec2_imdsv2_check( + cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Users.1] Snowflake users with passwords should have MFA enabled""" + # ISO Time + iso8601Time = datetime.utcnow().replace(tzinfo=timezone.utc).isoformat() + # Get all of the users + for user in get_snowflake_users(cache, snowflakeCursor): + # B64 encode all of the details for the Asset + assetJson = json.dumps(user,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + username = user["name"] + # this is a passing check + if user["ext_authn_duo"] is True and user["has_password"] is True: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/password-user-mfa-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Users.1] Snowflake users with passwords should have MFA enabled", + "Description": f"Snowflake user {username} has a password assigned and has MFA enabled.", + "Remediation": { + "Recommendation": { + "Text": "For information on MFA best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": 
"https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0 1.4" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/password-user-mfa-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "MEDIUM"}, + "Confidence": 99, + "Title": "[Snowflake.Users.1] Snowflake users with passwords should have MFA enabled", + "Description": f"Snowflake user {username} has a password assigned but does not have MFA enabled. Multi-factor authentication (MFA) is a security control used to add an additional layer of login security. It works by requiring the user to present two or more proofs (factors) of user identity. An MFA example would be requiring a password and a verification code delivered to the user's phone during user sign-in. The MFA feature for Snowflake users is powered by the Duo Security service. This check does not account for SCIM or IdP-managed users with external MFA devices assigned, that criteria should be manually verified. 
Refer to the remediation section if this behavior is not intended.", + "Remediation": { + "Recommendation": { + "Text": "For information on MFA best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0 1.4" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding \ No newline at end of file 
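Review bot: The remediation `Url` in both finding dicts carries a `?mkt_tok=...` query string, which looks like a per-recipient marketing tracking token and not part of the article address, so every exported finding would carry it. Dropping the query string, `"Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices"`, keeps the link stable; the same URL recurs in the later Snowflake.Users.2 and Snowflake.Users.3 hunks. The two dicts also differ only in severity, description, compliance status, workflow status and record state, so building the shared fields once would keep the PASSED and FAILED findings from drifting apart.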
diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index ffca2ead..7b9b3b89 100644 --- a/eeauditor/eeauditor.py +++ b/eeauditor/eeauditor.py @@ -589,8 +589,7 @@ def run_snowflake_checks(self, pluginName=None, delay=0): awsPartition=partition, snowflakeAccountId=self.snowflakeAccountId, snowflakeRegion=self.snowflakeRegion, - snowflakeCursor=self.snowflakeCursor, - snowflakeConnection=self.snowflakeConnection + snowflakeCursor=self.snowflakeCursor ): if finding is not None: yield finding From 293af007255006358284aceaba0afe9587d5b72d Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 21:23:11 -0400 Subject: [PATCH 22/55] instrument Snowflake you moron --- eeauditor/cloud_utils.py | 18 +++++++++--------- eeauditor/controller.py | 21 ++++++++++++++++----- 2 files changed, 25 insertions(+), 14 deletions(-) diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 3a074e73..3b38daaa 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py @@ -117,7 +117,7 @@ def __init__(self, assessmentTarget, tomlPath): self.electricEyeRoleName = electricEyeRoleName # GCP - elif assessmentTarget == "GCP": + if assessmentTarget == "GCP": # Process ["gcp_project_ids"] gcpProjects = data["regions_and_accounts"]["gcp"]["gcp_project_ids"] if not gcpProjects: @@ -143,7 +143,7 @@ def __init__(self, assessmentTarget, tomlPath): self.setup_gcp_credentials(self.gcpServiceAccountJsonPayloadValue) # Oracle Cloud Infrastructure (OCI) - elif assessmentTarget == "OCI": + if assessmentTarget == "OCI": ociValues = data["regions_and_accounts"]["oci"] # Retrieve the OCIDs for Tenancy & User and the Region ID along with a list of Compartment OCIDs 
@@ -206,7 +206,7 @@ def __init__(self, assessmentTarget, tomlPath): self.setup_oci_credentials(ociUserApiKeyPemLocation) # Azure - elif assessmentTarget == "Azure": + if assessmentTarget == "Azure": # Process data["credentials"]["azure"] - values need to be assigned to self azureValues = data["credentials"]["azure"] @@ -282,7 +282,7 @@ def __init__(self, assessmentTarget, tomlPath): self.azureCredentials = azureCredentials # Alibaba Cloud - elif assessmentTarget == "Alibaba": + if assessmentTarget == "Alibaba": logger.info("Coming soon!") ################################### @@ -290,7 +290,7 @@ def __init__(self, assessmentTarget, tomlPath): ################################### # ServiceNow - elif assessmentTarget == "Servicenow": + if assessmentTarget == "Servicenow": # Process data["credentials"]["servicenow"] - nothing needs to be assigned to `self` serviceNowValues = data["credentials"]["servicenow"] @@ -330,7 +330,7 @@ def __init__(self, assessmentTarget, tomlPath): environ["SNOW_FAILED_LOGIN_BREACHING_RATE"] = snowUserLoginBreachRate # M365 - elif assessmentTarget == "M365": + if assessmentTarget == "M365": # Process data["credentials"]["m365"] - values need to be assigned to self m365Values = data["credentials"]["m365"] @@ -392,7 +392,7 @@ def __init__(self, assessmentTarget, tomlPath): ) # Salesforce - elif assessmentTarget == "Salesforce": + if assessmentTarget == "Salesforce": # Process data["credentials"]["m365"] - values need to be assigned to self salesforceValues = data["credentials"]["salesforce"] @@ -485,11 +485,11 @@ def __init__(self, assessmentTarget, tomlPath): ) # Google Workspace - elif assessmentTarget == "GoogleWorkspace": + if assessmentTarget == "GoogleWorkspace": logger.info("Coming soon!") # Snowflake - elif assessmentTarget == "Snowflake": + if assessmentTarget == "Snowflake": # Process data["credentials"]["snowflake"] - values need to be assigned to self snowflakeTomlValues = data["credentials"]["snowflake"] 
diff --git a/eeauditor/controller.py b/eeauditor/controller.py index 7baab1df..c9d386c3 100644 --- a/eeauditor/controller.py +++ b/eeauditor/controller.py @@ -47,18 +47,29 @@ def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, ou app.load_plugins(auditorName) # Per-target calls - ensure you use the right run_*_checks*() function + + # Amazon Web Services if assessmentTarget == "AWS": findings = list(app.run_aws_checks(pluginName=pluginName, delay=delay)) - elif assessmentTarget == "GCP": + # Google Cloud Platform + if assessmentTarget == "GCP": findings = list(app.run_gcp_checks(pluginName=pluginName, delay=delay)) - elif assessmentTarget == "OCI": + # Oracle Cloud Infrastructure + if assessmentTarget == "OCI": findings = list(app.run_oci_checks(pluginName=pluginName, delay=delay)) - elif assessmentTarget == "Azure": + # Microsoft Azure + if assessmentTarget == "Azure": findings = list(app.run_azure_checks(pluginName=pluginName, delay=delay)) - elif assessmentTarget == "M365": + # Microsoft 365 + if assessmentTarget == "M365": findings = list(app.run_m365_checks(pluginName=pluginName, delay=delay)) - elif assessmentTarget == "Salesforce": + # Salesforce + if assessmentTarget == "Salesforce": findings = list(app.run_salesforce_checks(pluginName=pluginName, delay=delay)) + # Snowflake + if assessmentTarget == "Snowflake": + findings = list(app.run_snowflake_checks(pluginName=pluginName, delay=delay)) + # ServiceNow, and some other shit, probably else: findings = list(app.run_non_aws_checks(pluginName=pluginName, delay=delay)) From faf416c71a948d9b8e44549d2a6f4bfb48c36bb1 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 21:24:27 -0400 Subject: [PATCH 23/55] fucking hell... --- eeauditor/controller.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/eeauditor/controller.py b/eeauditor/controller.py index c9d386c3..1bf2cb24 100644 --- a/eeauditor/controller.py 
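Review bot: In `run_auditor` the trailing `else:` now binds only to `if assessmentTarget == "Snowflake":`, because every `elif` above it became a separate `if`. For AWS, GCP, OCI, Azure, M365 and Salesforce the target's findings are computed and then overwritten by `app.run_non_aws_checks(...)`. Keeping the chain as `elif assessmentTarget == "GCP":` through `elif assessmentTarget == "Snowflake":` (the per-target comments can stay) restores a single dispatch. The same `elif` to `if` change in the `cloud_utils.py` hunks is harmless only if no `else` closes that chain, which is not visible here; the function body continues outside this hunk.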
+++ b/eeauditor/controller.py @@ -101,11 +101,12 @@ def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, ou "GCP", "Servicenow", "M365", - "Salesforce" + "Salesforce", + "Snowflake" ], case_sensitive=True ), - help="CSP or SaaS Vendor Assessment Target, ensure that any -a or -c arg maps to your target provider e.g., -t AWS -a Amazon_APGIW_Auditor" + help="Public cloud or SaaS assessment target, ensure that any -a or -c arg maps to your target provider to avoid any errors. e.g., -t AWS -a Amazon_APGIW_Auditor" ) # Run Specific Auditor @click.option( From 9a193fb98db3df7748027dd021b6336abdc66954 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Wed, 28 Aug 2024 21:28:06 -0400 Subject: [PATCH 24/55] `DictCursor` and args fix --- .../auditors/snowflake/Snowflake_Users_Auditor.py | 4 ++-- eeauditor/cloud_utils.py | 13 +++++++------ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index e9cd302f..54397b64 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py @@ -212,8 +212,8 @@ def get_snowflake_users(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> return cache["get_snowflake_users"] @registry.register_check("snowflake.users") -def ec2_imdsv2_check( - cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +def snowflake_password_assigned_user_has_mfa_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor ) -> dict: """[Snowflake.Users.1] Snowflake users with passwords should have MFA enabled""" # ISO Time 
diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 3b38daaa..41cbe5bd 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py @@ -829,15 +829,16 @@ def connectToSnowflake(self) -> tuple[snowconn.connection.SnowflakeConnection, s """ try: conn = snowconn.connect( - user=self.snowflakeUsername, - password=self.snowflakePassowrd, - account=self.snowflakeAccountId, - warehouse=self.snowflakeWarehouseName + user=self.snowflakeUsername, + password=self.snowflakePassowrd, + account=self.snowflakeAccountId, + warehouse=self.snowflakeWarehouseName ) except Exception as e: raise e - - cur = conn.cursor() + + # This allows us to return a dictionary instead of tuples + cur = conn.cursor(snowconn.DictCursor) return conn, cur From e1995b7569d15d07905a68fdb9ae3c53e7b5d194 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Thu, 29 Aug 2024 17:16:13 -0400 Subject: [PATCH 25/55] svc acct rsa keypair check --- .../snowflake/Snowflake_Users_Auditor.py | 176 +++++++++++++++++- 1 file changed, 175 insertions(+), 1 deletion(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index 54397b64..af47207a 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py @@ -292,6 +292,8 @@ def snowflake_password_assigned_user_has_mfa_check( "ISO 27001:2013 A.9.3.1", "ISO 27001:2013 A.9.4.2", "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586", "CIS Snowflake Foundations Benchmark V1.0 1.4" ] }, 
@@ -366,10 +368,182 @@ def snowflake_password_assigned_user_has_mfa_check( "ISO 27001:2013 A.9.3.1", "ISO 27001:2013 A.9.4.2", "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586", "CIS Snowflake Foundations Benchmark V1.0 1.4" ] }, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE" } - yield finding \ No newline at end of file + yield finding + +@registry.register_check("snowflake.users") +def snowflake_service_account_user_uses_keypair_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Users.2] Snowflake 'service account' users should use RSA key pairs for authentication""" + # ISO Time + iso8601Time = datetime.utcnow().replace(tzinfo=timezone.utc).isoformat() + # Get all of the users + for user in get_snowflake_users(cache, snowflakeCursor): + # B64 encode all of the details for the Asset + assetJson = json.dumps(user,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + username = user["name"] + # this is a passing check + if user["has_rsa_public_key"] is True and user["has_password"] is False: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/service-account-user-rsa-keypair-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Users.2] Snowflake 'service account' users should use RSA key pairs for authentication", + "Description": f"Snowflake 'service account' user {username} uses an RSA key pair for authentication. 
On the platform level Snowflake does not differentiate between Snowflake users created for and used by humans and Snowflake users created for and used by services. This check assumes that users without a password enabled are service accounts.", + "Remediation": { + "Recommendation": { + "Text": "For information on RSA keypair best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586", + "CIS Snowflake Foundations Benchmark V1.0 1.6" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/service-account-user-rsa-keypair-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "MEDIUM"}, + "Confidence": 99, + "Title": "[Snowflake.Users.2] Snowflake 'service account' users should use RSA key pairs for authentication", + "Description": f"Snowflake 'service account' user {username} does not use an RSA key pair for authentication. On the platform level Snowflake does not differentiate between Snowflake users created for and used by humans and Snowflake users created for and used by services. This check assumes that users without a password enabled are service accounts. Password-based authentication used by humans can be augmented by a second factor (MFA), e.g. a hardware token, or a security code pushed to a mobile device. Services and automation cannot be easily configured to authenticate with a second factor. Instead, for such use cases, Snowflake supports using key pair authentication as a more secure alternative to password-based authentication. 
Note that password-based authentication for a service account can be enabled along with a key-based authentication. To ensure that only key-based authentication is enabled for a service account, the PASSWORD parameter for that Snowflake user must be set to null. For more information on key pair authentication, refer to the Snowflake documentation.", + "Remediation": { + "Recommendation": { + "Text": "For information on RSA keypair best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586", + "CIS Snowflake Foundations Benchmark V1.0 1.6" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +# EOF \ No newline at end of file From 05f44f483d6ecdd3f14de0572ab469a28cc6054d Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Thu, 29 Aug 2024 17:28:23 -0400 Subject: [PATCH 26/55] last 90 day login check --- .../snowflake/Snowflake_Users_Auditor.py | 213 +++++++++++++++++- 1 file changed, 211 insertions(+), 2 deletions(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index af47207a..5383eecb 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py @@ -217,7 +217,7 @@ def snowflake_password_assigned_user_has_mfa_check( ) -> dict: """[Snowflake.Users.1] Snowflake users with passwords should have MFA enabled""" # ISO Time - iso8601Time = datetime.utcnow().replace(tzinfo=timezone.utc).isoformat() + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() # Get all of the users for user in get_snowflake_users(cache, snowflakeCursor): # B64 encode all of the details for the Asset 
@@ -384,7 +384,7 @@ def snowflake_service_account_user_uses_keypair_check( ) -> dict: """[Snowflake.Users.2] Snowflake 'service account' users should use RSA key pairs for authentication""" # ISO Time - iso8601Time = datetime.utcnow().replace(tzinfo=timezone.utc).isoformat() + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() # Get all of the users for user in get_snowflake_users(cache, snowflakeCursor): # B64 encode all of the details for the Asset 
@@ -546,4 +546,213 @@ def snowflake_service_account_user_uses_keypair_check( } yield finding +@registry.register_check("snowflake.users") +def snowflake_disable_users_without_last_90_day_login_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Users.3] Snowflake users that have not logged in within the last 90 days should be disabled""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + # Get all of the users + for user in get_snowflake_users(cache, snowflakeCursor): + # B64 encode all of the details for the Asset + assetJson = json.dumps(user,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + username = user["name"] + + # determine if there was a successful login in the last 90 days for users that are not disabled and have otherwise logged in + passingCheck = True + if user["last_success_login"] and user["disabled"] is False: + lastLogin = datetime.fromisoformat(user["last_success_login"]) + ninetyDaysAgo = datetime.now(UTC) - timedelta(days=90) + if lastLogin > ninetyDaysAgo: + passingCheck = False + + # this is a passing check + if passingCheck: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/disable-user-without-login-in-last-90-days-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "Snowflake users that have not logged in within the last 90 days should be disabled", + "Description": f"Snowflake user {username} is either disabled or has 
logged in within the last 90 days.", + "Remediation": { + "Recommendation": { + "Text": "For information on user management best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 ID.AM-3", + "NIST CSF V1.1 DE.AE-1", + "NIST CSF V1.1 DE.AE-3", + "NIST CSF V1.1 DE.CM-1", + "NIST CSF V1.1 DE.CM-7", + "NIST CSF V1.1 PR.PT-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 AC-4", + "NIST SP 800-53 Rev. 4 AU-6", + "NIST SP 800-53 Rev. 4 AU-12", + "NIST SP 800-53 Rev. 4 CA-3", + "NIST SP 800-53 Rev. 4 CA-7", + "NIST SP 800-53 Rev. 4 CA-9", + "NIST SP 800-53 Rev. 4 CM-2", + "NIST SP 800-53 Rev. 4 CM-3", + "NIST SP 800-53 Rev. 4 CM-8", + "NIST SP 800-53 Rev. 4 IR-4", + "NIST SP 800-53 Rev. 4 IR-5", + "NIST SP 800-53 Rev. 4 IR-8", + "NIST SP 800-53 Rev. 4 PE-3", + "NIST SP 800-53 Rev. 4 PE-6", + "NIST SP 800-53 Rev. 4 PE-20", + "NIST SP 800-53 Rev. 4 PL-8", + "NIST SP 800-53 Rev. 4 SC-5", + "NIST SP 800-53 Rev. 4 SC-7", + "NIST SP 800-53 Rev. 
4 SI-4", + "AICPA TSC CC3.2", + "AICPA TSC CC6.1", + "AICPA TSC CC7.2", + "ISO 27001:2013 A.12.1.1", + "ISO 27001:2013 A.12.1.2", + "ISO 27001:2013 A.12.4.1", + "ISO 27001:2013 A.12.4.2", + "ISO 27001:2013 A.12.4.3", + "ISO 27001:2013 A.12.4.4", + "ISO 27001:2013 A.12.7.1", + "ISO 27001:2013 A.13.1.1", + "ISO 27001:2013 A.13.2.1", + "ISO 27001:2013 A.13.2.2", + "ISO 27001:2013 A.14.2.7", + "ISO 27001:2013 A.15.2.1", + "ISO 27001:2013 A.16.1.7", + "CIS Snowflake Foundations Benchmark V1.0 1.8" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/disable-user-without-login-in-last-90-days-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "Snowflake users that have not logged in within the last 90 days should be disabled", + "Description": f"Snowflake user {username} has not logged in within the last 90 days and should be considered for disablement. Access grants tend to accumulate over time unless explicitly set to expire. Regularly revoking unused access grants and disabling inactive user accounts is a good countermeasure to this dynamic. If credentials of an inactive user account are leaked or stolen, it may take longer to discover the compromise. In Snowflake an user account can be disabled by users with the ACCOUNTADMIN role. Disabling inactive user accounts supports the principle of least privilege and generally reduces attack surface. 
For more information on user management best practices refer to the Snowflake documentation.", + "Remediation": { + "Recommendation": { + "Text": "For information on user management best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 ID.AM-3", + "NIST CSF V1.1 DE.AE-1", + "NIST CSF V1.1 DE.AE-3", + "NIST CSF V1.1 DE.CM-1", + "NIST CSF V1.1 DE.CM-7", + "NIST CSF V1.1 PR.PT-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 AC-4", + "NIST SP 800-53 Rev. 4 AU-6", + "NIST SP 800-53 Rev. 4 AU-12", + "NIST SP 800-53 Rev. 4 CA-3", + "NIST SP 800-53 Rev. 4 CA-7", + "NIST SP 800-53 Rev. 4 CA-9", + "NIST SP 800-53 Rev. 4 CM-2", + "NIST SP 800-53 Rev. 4 CM-3", + "NIST SP 800-53 Rev. 4 CM-8", + "NIST SP 800-53 Rev. 4 IR-4", + "NIST SP 800-53 Rev. 4 IR-5", + "NIST SP 800-53 Rev. 4 IR-8", + "NIST SP 800-53 Rev. 4 PE-3", + "NIST SP 800-53 Rev. 4 PE-6", + "NIST SP 800-53 Rev. 4 PE-20", + "NIST SP 800-53 Rev. 4 PL-8", + "NIST SP 800-53 Rev. 4 SC-5", + "NIST SP 800-53 Rev. 4 SC-7", + "NIST SP 800-53 Rev. 
4 SI-4", + "AICPA TSC CC3.2", + "AICPA TSC CC6.1", + "AICPA TSC CC7.2", + "ISO 27001:2013 A.12.1.1", + "ISO 27001:2013 A.12.1.2", + "ISO 27001:2013 A.12.4.1", + "ISO 27001:2013 A.12.4.2", + "ISO 27001:2013 A.12.4.3", + "ISO 27001:2013 A.12.4.4", + "ISO 27001:2013 A.12.7.1", + "ISO 27001:2013 A.13.1.1", + "ISO 27001:2013 A.13.2.1", + "ISO 27001:2013 A.13.2.2", + "ISO 27001:2013 A.14.2.7", + "ISO 27001:2013 A.15.2.1", + "ISO 27001:2013 A.16.1.7", + "CIS Snowflake Foundations Benchmark V1.0 1.8" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + # EOF \ No newline at end of file From 4fe47a5bb1b0f9890490261736225f8615c2b2c6 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Fri, 30 Aug 2024 22:44:38 -0400 Subject: [PATCH 27/55] Fix logging and Sflake logic --- .gitignore | 1 + .../snowflake/Snowflake_Users_Auditor.py | 14 ++-- eeauditor/cloud_utils.py | 2 + eeauditor/eeauditor.py | 74 +++++++++++-------- 4 files changed, 54 insertions(+), 37 deletions(-) diff --git a/.gitignore b/.gitignore index eaf5a0f9..9173048f 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ eeauditor/processor/outputs/*.svg eeauditor/processor/outputs/*.html LOCAL_external_providers.toml +output.json diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index 5383eecb..7d2e561d 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py @@ -26,7 +26,8 @@ import base64 import json -logger = logging.getLogger("AwsEc2Auditor") +logging.basicConfig(level=logging.INFO) +logger = logging.getLogger("SnowflakeUserAuditor") registry = CheckRegister() 
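Review bot: The date comparison in `snowflake_disable_users_without_last_90_day_login_check` is inverted: `if lastLogin > ninetyDaysAgo:` sets `passingCheck = False` for users who logged in within the last 90 days, while stale accounts keep `passingCheck = True` and are reported as PASSED. It should read `if lastLogin < ninetyDaysAgo:`. The later hunk that adds `user["deleted_on"] is None` to this condition leaves the comparison as it is. Users with an empty `last_success_login` also pass, which may be intended but deserves a comment. Both `Title` values lack the `[Snowflake.Users.3]` prefix that the docstring and the other two checks use.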
@@ -225,7 +226,7 @@ def snowflake_password_assigned_user_has_mfa_check( assetB64 = base64.b64encode(assetJson) username = user["name"] # this is a passing check - if user["ext_authn_duo"] is True and user["has_password"] is True: + if user["ext_authn_duo"] is True and user["has_password"] is True and user["deleted_on"] is None: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/password-user-mfa-check", @@ -301,7 +302,8 @@ def snowflake_password_assigned_user_has_mfa_check( "RecordState": "ARCHIVED" } yield finding - else: + # this is a failing check + if user["ext_authn_duo"] is False and user["has_password"] is True and user["deleted_on"] is None: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/password-user-mfa-check", @@ -392,7 +394,7 @@ def snowflake_service_account_user_uses_keypair_check( assetB64 = base64.b64encode(assetJson) username = user["name"] # this is a passing check - if user["has_rsa_public_key"] is True and user["has_password"] is False: + if user["has_rsa_public_key"] is True and user["has_password"] is False and user["deleted_on"] is None: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/service-account-user-rsa-keypair-check", @@ -469,7 +471,7 @@ def snowflake_service_account_user_uses_keypair_check( } yield finding # this is a failing check - else: + if user["has_rsa_public_key"] is False and user["has_password"] is False and user["deleted_on"] is None: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/service-account-user-rsa-keypair-check", 
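Review bot: Replacing `else:` with `if user["ext_authn_duo"] is False and ...` in the MFA check means a user whose `ext_authn_duo` is neither the `True` nor the `False` singleton matches neither branch and produces no finding at all. The shape of the rows from `get_snowflake_users` is not visible here, but a later patch compares `user["disabled"]` with the string "false", so at least some fields may arrive as strings or as `None`. For an MFA check, a silent skip reads the same as a clean result. I would gate once with `if user["has_password"] is True and user["deleted_on"] is None:` and keep `if user["ext_authn_duo"] is True: ... else: ...` inside it, so every live password user is reported as PASSED or FAILED. The same pattern applies to the `has_rsa_public_key` hunks in the keypair check and to the `user["disabled"] is False` condition in the 90-day login hunk. All of these function bodies continue outside their hunks.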
@@ -562,7 +564,7 @@ def snowflake_disable_users_without_last_90_day_login_check( # determine if there was a successful login in the last 90 days for users that are not disabled and have otherwise logged in passingCheck = True - if user["last_success_login"] and user["disabled"] is False: + if user["last_success_login"] and user["disabled"] is False and user["deleted_on"] is None: lastLogin = datetime.fromisoformat(user["last_success_login"]) ninetyDaysAgo = datetime.now(UTC) - timedelta(days=90) if lastLogin > ninetyDaysAgo: diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 41cbe5bd..a75b3394 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py @@ -30,6 +30,7 @@ from azure.mgmt.resource.subscriptions import SubscriptionClient import snowflake.connector as snowconn +logging.basicConfig(level=logging.INFO) logger = logging.getLogger("CloudUtils") # These Constants define legitimate values for certain parameters within the external_providers.toml file @@ -838,6 +839,7 @@ def connectToSnowflake(self) -> tuple[snowconn.connection.SnowflakeConnection, s raise e # This allows us to return a dictionary instead of tuples + logger.info("Connected to Snowflake successfully.") cur = conn.cursor(snowconn.DictCursor) return conn, cur diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index 7b9b3b89..59800750 100644 --- a/eeauditor/eeauditor.py +++ b/eeauditor/eeauditor.py @@ -31,6 +31,7 @@ from cloud_utils import CloudConfig from pluginbase import PluginBase +logging.basicConfig(level=logging.INFO) logger = logging.getLogger("EEAuditor") here = path.abspath(path.dirname(__file__)) 
@@ -366,10 +367,10 @@ def run_gcp_checks(self, pluginName=None, delay=0): ): if finding is not None: yield finding - except Exception: - logger.warn( - "Failed to execute check %s with traceback %s", - checkName, format_exc() + except Exception as e: + logger.warning( + "Failed to execute check %s with exception: %s", + checkName, e ) # optional sleep if specified - defaults to 0 seconds sleep(delay) @@ -384,6 +385,8 @@ def run_oci_checks(self, pluginName=None, delay=0): account = "000000000000" partition = "not-aws" + logger.info("Oracle Cloud Infrastructure assessment has started.") + for serviceName, checkList in self.registry.checks.items(): # Pass the Cache at the "serviceName" level aka Plugin auditorCache = {} @@ -412,10 +415,10 @@ def run_oci_checks(self, pluginName=None, delay=0): ): if finding is not None: yield finding - except Exception: - logger.warn( - "Failed to execute check %s with traceback %s", - checkName, format_exc() + except Exception as e: + logger.warning( + "Failed to execute check %s with exception: %s", + checkName, e ) # optional sleep if specified - defaults to 0 seconds sleep(delay) @@ -430,6 +433,8 @@ def run_azure_checks(self, pluginName=None, delay=0): account = "000000000000" partition = "not-aws" + logger.info("Microsoft Azure assessment has started.") + for azSubId in self.azureSubscriptions: for serviceName, checkList in self.registry.checks.items(): # Pass the Cache at the "serviceName" level aka Plugin @@ -456,10 +461,10 @@ def run_azure_checks(self, pluginName=None, delay=0): ): if finding is not None: yield finding - except Exception: - logger.warn( - "Failed to execute check %s with traceback %s", - checkName, format_exc() + except Exception as e: + logger.warning( + "Failed to execute check %s with exception: %s", + checkName, e ) # optional sleep if specified - defaults to 0 seconds sleep(delay) 
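Review bot: Logging only `e` in the `except Exception as e:` handler of run_gcp_checks drops the traceback that `format_exc()` used to give, so a failure like `KeyError: 'name'` no longer says where inside the check it happened. A check that raises also contributes no findings, which makes this log line the only evidence of a coverage gap in the assessment. I would keep the short warning and add `logger.debug("Traceback for check %s", checkName, exc_info=True)` after it, or pass `exc_info=True` on the warning itself. The same replacement is made in run_oci_checks, run_azure_checks, run_m365_checks, run_salesforce_checks, run_snowflake_checks and run_non_aws_checks. `logger.warn` to `logger.warning` is the right change.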
@@ -474,6 +479,8 @@ def run_m365_checks(self, pluginName=None, delay=0): account = "000000000000" partition = "not-aws" + logger.info("M365 assessment has started.") + for serviceName, checkList in self.registry.checks.items(): # Pass the Cache at the "serviceName" level aka Plugin auditorCache = {} @@ -501,10 +508,10 @@ def run_m365_checks(self, pluginName=None, delay=0): ): if finding is not None: yield finding - except Exception: - logger.warn( - "Failed to execute check %s with traceback %s", - checkName, format_exc() + except Exception as e: + logger.warning( + "Failed to execute check %s with exception: %s", + checkName, e ) # optional sleep if specified - defaults to 0 seconds sleep(delay) @@ -520,6 +527,8 @@ def run_salesforce_checks(self, pluginName=None, delay=0): account = "000000000000" partition = "not-aws" + logger.info("Salesforce assessment has started.") + for serviceName, checkList in self.registry.checks.items(): # Pass the Cache at the "serviceName" level aka Plugin auditorCache = {} @@ -549,10 +558,10 @@ def run_salesforce_checks(self, pluginName=None, delay=0): ): if finding is not None: yield finding - except Exception: - logger.warn( - "Failed to execute check %s with traceback %s", - checkName, format_exc() + except Exception as e: + logger.warning( + "Failed to execute check %s with exception: %s", + checkName, e ) # optional sleep if specified - defaults to 0 seconds sleep(delay) @@ -567,6 +576,8 @@ def run_snowflake_checks(self, pluginName=None, delay=0): account = "000000000000" partition = "not-aws" + logger.info("Snowflake assessment has started.") + for serviceName, checkList in self.registry.checks.items(): # Pass the Cache at the "serviceName" level aka Plugin auditorCache = {} 
@@ -593,10 +604,10 @@ def run_snowflake_checks(self, pluginName=None, delay=0): ): if finding is not None: yield finding - except Exception: - logger.warn( - "Failed to execute check %s with traceback %s", - checkName, format_exc() + except Exception as e: + logger.warning( + "Failed to execute check %s with exception: %s", + checkName, e ) # optional sleep if specified - defaults to 0 seconds sleep(delay) @@ -605,9 +616,10 @@ def run_snowflake_checks(self, pluginName=None, delay=0): curClose = self.snowflakeCursor.close() connClose = self.snowflakeConnection.close() - print(curClose, connClose) - - logger.info("Snowflake connection and cursor closed.") + if curClose is True and connClose is None: + logger.info("Snowflake connection and cursor closed.") + else: + logger.warning("Failed to close Snowflake connection and/or cursor.") # Called from eeauditor/controller.py run_auditor() def run_non_aws_checks(self, pluginName=None, delay=0): @@ -642,10 +654,10 @@ def run_non_aws_checks(self, pluginName=None, delay=0): ): if finding is not None: yield finding - except Exception: - logger.warn( - "Failed to execute check %s with traceback %s", - checkName, format_exc() + except Exception as e: + logger.warning( + "Failed to execute check %s with exception: %s", + checkName, e ) # optional sleep if specified - defaults to 0 seconds sleep(delay) From aa7c3d84b160db3b74432d66c1e2cb337f198fe7 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Fri, 30 Aug 2024 22:54:24 -0400 Subject: [PATCH 28/55] fix placeholder processing, standards --- .gitignore | 1 + .../auditors/snowflake/Snowflake_Users_Auditor.py | 12 ++++++------ eeauditor/processor/outputs/ocsf_stdout.py | 7 ++++--- .../processor/outputs/ocsf_to_firehose_output.py | 7 ++++--- eeauditor/processor/outputs/ocsf_v1_1_0_output.py | 7 ++++--- eeauditor/processor/outputs/ocsf_v1_4_0_output.py | 8 +++++--- 6 files changed, 24 insertions(+), 18 deletions(-) 
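Review bot: In the close logic at the end of run_snowflake_checks, `if curClose is True and connClose is None:` cannot detect a failed connection close. As far as I know the connector's `close()` on a connection returns `None` in every case and reports problems by raising or by logging internally, so `connClose is None` always holds. The test therefore reduces to whether the cursor was still open, and an already-closed cursor is reported as "Failed to close". The two `close()` calls also sit after the loop, so they are skipped if the generator is abandoned or a check raises something other than `Exception`. A `try: ... finally:` around the loop, with `except Exception as e: logger.warning("Failed to close Snowflake connection and/or cursor: %s", e)` around the closes, would make the message match what happened. The function starts outside this hunk.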
diff --git a/.gitignore b/.gitignore index 9173048f..98366f36 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ eeauditor/processor/outputs/*.svg eeauditor/processor/outputs/*.html LOCAL_external_providers.toml output.json +output_ocsf_v1-4-0_events.json diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index 7d2e561d..a5f5c8f3 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py @@ -295,7 +295,7 @@ def snowflake_password_assigned_user_has_mfa_check( "ISO 27001:2013 A.9.4.3", "MITRE ATT&CK T1589", "MITRE ATT&CK T1586", - "CIS Snowflake Foundations Benchmark V1.0 1.4" + "CIS Snowflake Foundations Benchmark V1.0.0 1.4" ] }, "Workflow": {"Status": "RESOLVED"}, @@ -372,7 +372,7 @@ def snowflake_password_assigned_user_has_mfa_check( "ISO 27001:2013 A.9.4.3", "MITRE ATT&CK T1589", "MITRE ATT&CK T1586", - "CIS Snowflake Foundations Benchmark V1.0 1.4" + "CIS Snowflake Foundations Benchmark V1.0.0 1.4" ] }, "Workflow": {"Status": "NEW"}, @@ -463,7 +463,7 @@ def snowflake_service_account_user_uses_keypair_check( "ISO 27001:2013 A.9.4.3", "MITRE ATT&CK T1589", "MITRE ATT&CK T1586", - "CIS Snowflake Foundations Benchmark V1.0 1.6" + "CIS Snowflake Foundations Benchmark V1.0.0 1.6" ] }, "Workflow": {"Status": "RESOLVED"}, @@ -540,7 +540,7 @@ def snowflake_service_account_user_uses_keypair_check( "ISO 27001:2013 A.9.4.3", "MITRE ATT&CK T1589", "MITRE ATT&CK T1586", - "CIS Snowflake Foundations Benchmark V1.0 1.6" + "CIS Snowflake Foundations Benchmark V1.0.0 1.6" ] }, "Workflow": {"Status": "NEW"}, @@ -656,7 +656,7 @@ def snowflake_disable_users_without_last_90_day_login_check( "ISO 27001:2013 A.14.2.7", "ISO 27001:2013 A.15.2.1", "ISO 27001:2013 A.16.1.7", - "CIS Snowflake Foundations Benchmark V1.0 1.8" + "CIS Snowflake Foundations Benchmark V1.0.0 1.8" ] }, "Workflow": {"Status": "RESOLVED"}, 
@@ -749,7 +749,7 @@ def snowflake_disable_users_without_last_90_day_login_check( "ISO 27001:2013 A.14.2.7", "ISO 27001:2013 A.15.2.1", "ISO 27001:2013 A.16.1.7", - "CIS Snowflake Foundations Benchmark V1.0 1.8" + "CIS Snowflake Foundations Benchmark V1.0.0 1.8" ] }, "Workflow": {"Status": "NEW"}, diff --git a/eeauditor/processor/outputs/ocsf_stdout.py b/eeauditor/processor/outputs/ocsf_stdout.py index a39e7b06..d19fa875 100644 --- a/eeauditor/processor/outputs/ocsf_stdout.py +++ b/eeauditor/processor/outputs/ocsf_stdout.py @@ -273,20 +273,21 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: ) # Non-AWS checks have hardcoded "dummy" data for Account, Region, and Partition - set these to none + provider = finding["ProductFields"]["Provider"] partition = finding["Resources"][0]["Partition"] region = finding["ProductFields"]["AssetRegion"] accountId = finding["ProductFields"]["ProviderAccountId"] - if partition != "AWS" or partition == "not-aws": + if provider != "AWS" or partition == "not-aws": partition = None - if partition == "AWS" and region == "us-placeholder-1": + if region == "us-placeholder-1": region = None if region == "aws-global": region = "us-east-1" - if partition == "AWS" and accountId == "000000000000": + if accountId == "000000000000": accountId = None eventTime = self.iso8061_to_epochseconds(finding["CreatedAt"]) diff --git a/eeauditor/processor/outputs/ocsf_to_firehose_output.py b/eeauditor/processor/outputs/ocsf_to_firehose_output.py index 6c51b922..cb1ca2e7 100644 --- a/eeauditor/processor/outputs/ocsf_to_firehose_output.py +++ b/eeauditor/processor/outputs/ocsf_to_firehose_output.py 
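Review bot: The placeholder normalisation in ocsf_compliance_finding_mapping (ocsf_stdout.py) is pasted identically into ocsf_to_firehose_output.py, ocsf_v1_1_0_output.py and ocsf_v1_4_0_output.py, and this commit has to fix the same `partition != "AWS"` mistake four times. A single shared helper returning `(partition, region, accountId)` would keep the outputs from drifting, since downstream consumers rely on these fields to attribute a finding to the right account. The comment above the block could also say what the code does: `# Non-AWS findings carry placeholder Account/Region/Partition values - null them, and map "aws-global" to us-east-1`. Note that `finding["ProductFields"]["Provider"]` will raise `KeyError` for any finding without that key; whether every auditor sets it is not visible from here.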
@@ -359,20 +359,21 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: ) # Non-AWS checks have hardcoded "dummy" data for Account, Region, and Partition - set these to none + provider = finding["ProductFields"]["Provider"] partition = finding["Resources"][0]["Partition"] region = finding["ProductFields"]["AssetRegion"] accountId = finding["ProductFields"]["ProviderAccountId"] - if partition != "AWS" or partition == "not-aws": + if provider != "AWS" or partition == "not-aws": partition = None - if partition == "AWS" and region == "us-placeholder-1": + if region == "us-placeholder-1": region = None if region == "aws-global": region = "us-east-1" - if partition == "AWS" and accountId == "000000000000": + if accountId == "000000000000": accountId = None eventTime = self.iso8061_to_epochseconds(finding["CreatedAt"]) diff --git a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py index 823a2499..70ac0b48 100644 --- a/eeauditor/processor/outputs/ocsf_v1_1_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_1_0_output.py @@ -273,20 +273,21 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: ) # Non-AWS checks have hardcoded "dummy" data for Account, Region, and Partition - set these to none + provider = finding["ProductFields"]["Provider"] partition = finding["Resources"][0]["Partition"] region = finding["ProductFields"]["AssetRegion"] accountId = finding["ProductFields"]["ProviderAccountId"] - if partition != "AWS" or partition == "not-aws": + if provider != "AWS" or partition == "not-aws": partition = None - if partition == "AWS" and region == "us-placeholder-1": + if region == "us-placeholder-1": region = None if region == "aws-global": region = "us-east-1" - if partition == "AWS" and accountId == "000000000000": + if accountId == "000000000000": accountId = None eventTime = self.iso8061_to_epochseconds(finding["CreatedAt"]) 
diff --git a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py index 363b85df..d74dff55 100644 --- a/eeauditor/processor/outputs/ocsf_v1_4_0_output.py +++ b/eeauditor/processor/outputs/ocsf_v1_4_0_output.py @@ -27,6 +27,7 @@ from base64 import b64decode from datetime import datetime +logging.basicConfig(level=logging.INFO) logger = logging.getLogger("OCSF_V1.4.0_Output") # NOTE TO SELF: Updated this and FAQ.md as new standards are added @@ -294,20 +295,21 @@ def ocsf_compliance_finding_mapping(self, findings: list) -> list: ) # Non-AWS checks have hardcoded "dummy" data for Account, Region, and Partition - set these to none + provider = finding["ProductFields"]["Provider"] partition = finding["Resources"][0]["Partition"] region = finding["ProductFields"]["AssetRegion"] accountId = finding["ProductFields"]["ProviderAccountId"] - if partition != "AWS" or partition == "not-aws": + if provider != "AWS" or partition == "not-aws": partition = None - if partition == "AWS" and region == "us-placeholder-1": + if region == "us-placeholder-1": region = None if region == "aws-global": region = "us-east-1" - if partition == "AWS" and accountId == "000000000000": + if accountId == "000000000000": accountId = None eventTime = self.iso8061_to_epochseconds(finding["CreatedAt"]) From 234aa071eee6e699dbd9bdb15e75e88288c399d8 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Fri, 30 Aug 2024 23:20:59 -0400 Subject: [PATCH 29/55] add 2 more snowflake user checks --- .../snowflake/Snowflake_Users_Auditor.py | 316 +++++++++++++++++- 1 file changed, 314 insertions(+), 2 deletions(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index a5f5c8f3..ddb90085 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py 
@@ -564,7 +564,7 @@ def snowflake_disable_users_without_last_90_day_login_check( # determine if there was a successful login in the last 90 days for users that are not disabled and have otherwise logged in passingCheck = True - if user["last_success_login"] and user["disabled"] is False and user["deleted_on"] is None: + if user["last_success_login"] and user["disabled"] is "false" and user["deleted_on"] is None: lastLogin = datetime.fromisoformat(user["last_success_login"]) ninetyDaysAgo = datetime.now(UTC) - timedelta(days=90) if lastLogin > ninetyDaysAgo: @@ -585,7 +585,7 @@ def snowflake_disable_users_without_last_90_day_login_check( "Severity": {"Label": "INFORMATIONAL"}, "Confidence": 99, "Title": "Snowflake users that have not logged in within the last 90 days should be disabled", - "Description": f"Snowflake user {username} is either disabled or has logged in within the last 90 days.", + "Description": f"Snowflake user {username} is either disabled, deleted, or has logged in within the last 90 days.", "Remediation": { "Recommendation": { "Text": "For information on user management best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", 
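Review bot: `user["disabled"] is "false"` in snowflake_disable_users_without_last_90_day_login_check is an identity test against a string literal, not a value comparison. CPython emits a SyntaxWarning for it, and a string built at runtime from a query result will normally not be the same object as the literal. The condition is then false, `passingCheck` stays `True`, and accounts with no login in 90 days are reported as PASSED. Use equality, for example `str(user["disabled"]).lower() == "false"`, which works whether the field arrives as a bool or as a string. The type of that field is not visible in this hunk, and the function body continues outside it.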
@@ -757,4 +757,316 @@ def snowflake_disable_users_without_last_90_day_login_check( } yield finding +@registry.register_check("snowflake.users") +def snowflake_accountadmins_have_email_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Users.4] Snowflake users assigned the ACCOUNTADMIN role should have an email address assigned""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + # Get all of the users + for user in get_snowflake_users(cache, snowflakeCursor): + # B64 encode all of the details for the Asset + assetJson = json.dumps(user,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + username = user["name"] + # pre-check email, the shit can be properly null or stupid sauce fr fr + hasEmail = True + if user["email"] is None or user["email"] == "": + hasEmail = False + # this is a passing check + if "ACCOUNTADMIN" in user["assigned_roles"] and hasEmail is True and user["has_password"] is True and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/accountadmin-role-users-have-email-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Users.4] Snowflake users assigned the ACCOUNTADMIN role should have an email address assigned", + "Description": f"Snowflake user {username} has the ACCOUNTADMIN role assigned and has an email addressed assigned as well. 
This only checks for the presence of an email for users that also have a password, since 'service accounts' do not have passwords and do not need an email address.", + "Remediation": { + "Recommendation": { + "Text": "For information on assinging emails the the rationale for ACCOUNTADMINS to have emails refer to the Access control considerations section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/security-access-control-considerations" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586", + "CIS Snowflake Foundations Benchmark V1.0.0 1.11" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + if "ACCOUNTADMIN" in user["assigned_roles"] and hasEmail is False and user["has_password"] is True and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/accountadmin-role-users-have-email-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Users.4] Snowflake users assigned the ACCOUNTADMIN role should have an email address assigned", + "Description": f"Snowflake user {username} has the ACCOUNTADMIN role assigned and does not have an email addressed assigned. Every Snowflake user can be assigned an email address. The email addresses are then used by Snowflake features like notification integration, resource monitor and support cases to deliver email notifications to Snowflake users. In trial Snowflake accounts these email addresses are used for password reset functionality. The email addresses assigned to ACCOUNTADMIN users are used by Snowflake to notify administrators about important events related to their accounts. 
For example, ACCOUNTADMIN users are notified about impending expiration of SAML2 certificates or SCIM access tokens. If users with the ACCOUNTADMIN role are not assigned working email addresses that are being monitored and if SAML2 certificate used in SSO integration is not proactively renewed, expiration of SAML2 certificate may break the SSO authentication flow. Similarly, uncaught expiration of SCIM access token may break the SCIM integration. This only checks for the presence of an email for users that also have a password, since 'service accounts' do not have passwords and do not need an email address. For more information on user management best practices refer to the Snowflake documentation.", + "Remediation": { + "Recommendation": { + "Text": "For information on assinging emails the the rationale for ACCOUNTADMINS to have emails refer to the Access control considerations section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/security-access-control-considerations" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586", + "CIS Snowflake Foundations Benchmark V1.0.0 1.11" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.users") +def snowflake_admin_default_role_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Users.5] Snowflake users should not be assigned the ACCOUNTADMIN or SECURITYADMIN role as the default role""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + # Get all of the users + for user in get_snowflake_users(cache, snowflakeCursor): + # B64 encode all of the details for the Asset + assetJson = json.dumps(user,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + username = user["name"] + # this is a passing check + if user["default_role"] not in ["ACCOUNTADMIN","SECURITYADMIN"] or user["default_role"] is None and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/snowflake-admin-default-role-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Users.5] Snowflake users should not be assigned the ACCOUNTADMIN or 
SECURITYADMIN role as the default role", + "Description": f"Snowflake user {username} does has not have the ACCOUNTADMIN nor the SECURITYADMIN role as their default role.", + "Remediation": { + "Recommendation": { + "Text": "For information on assinging default roles and the rationale for not assigning ACCOUNTADMIN or SECURITYADMIN as the default rolerefer to the Avoid using the ACCOUNTADMIN role to create objects section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/security-access-control-considerations#avoid-using-the-accountadmin-role-to-create-objects" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-3", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-17", + "NIST SP 800-53 Rev. 4 AC-19", + "NIST SP 800-53 Rev. 4 AC-20", + "NIST SP 800-53 Rev. 
4 SC-15", + "AICPA TSC CC6.6", + "ISO 27001:2013 A.6.2.1", + "ISO 27001:2013 A.6.2.2", + "ISO 27001:2013 A.11.2.6", + "ISO 27001:2013 A.13.1.1", + "ISO 27001:2013 A.13.2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 1.12" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + if user["default_role"] in ["ACCOUNTADMIN","SECURITYADMIN"] and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/snowflake-admin-default-role-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "HIGH"}, + "Confidence": 99, + "Title": "[Snowflake.Users.5] Snowflake users should not be assigned the ACCOUNTADMIN or SECURITYADMIN role as the default role", + "Description": f"Snowflake user {username} has either the ACCOUNTADMIN or SECURITYADMIN role as their default role. The ACCOUNTADMIN system role is the most powerful role in a Snowflake account and is intended for performing initial setup and managing account-level objects. SECURITYADMIN role can trivially escalate their privileges to that of ACCOUNTADMIN. Neither of these roles should be used for performing daily non-administrative tasks in a Snowflake account. Instead, users should be assigned custom roles containing only those privileges that are necessary for successfully completing their job responsibilities. When ACCOUNTADMIN is not set as a default user role, it forces account administrators to explicitly change their role to ACCOUNTADMIN each time they log in. 
This can help make account administrators aware of the purpose of roles in the system, prevent them from inadvertently using the ACCOUNTADMIN role for non-administrative tasks, and encourage them to change to the appropriate role for a given task. Same logic applies to the SECURITYADMIN role. For more information on user management best practices refer to the Snowflake documentation.", + "Remediation": { + "Recommendation": { + "Text": "For information on assinging default roles and the rationale for not assigning ACCOUNTADMIN or SECURITYADMIN as the default rolerefer to the Avoid using the ACCOUNTADMIN role to create objects section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/security-access-control-considerations#avoid-using-the-accountadmin-role-to-create-objects" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-3", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-17", + "NIST SP 800-53 Rev. 4 AC-19", + "NIST SP 800-53 Rev. 4 AC-20", + "NIST SP 800-53 Rev. 4 SC-15", + "AICPA TSC CC6.6", + "ISO 27001:2013 A.6.2.1", + "ISO 27001:2013 A.6.2.2", + "ISO 27001:2013 A.11.2.6", + "ISO 27001:2013 A.13.1.1", + "ISO 27001:2013 A.13.2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 1.12" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + # EOF \ No newline at end of file From 1f6c2ee7075ed52adfbce95b6f4eb07e7572897c Mon Sep 17 00:00:00 2001 
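Review bot: In snowflake_admin_default_role_check the passing condition `user["default_role"] not in ["ACCOUNTADMIN","SECURITYADMIN"] or user["default_role"] is None and user["deleted_on"] is None` does not filter deleted users. `and` binds tighter than `or`, so `deleted_on is None` only guards the `is None` clause, and every user with a non-admin default role yields a PASSED finding even when deleted. The `is None` clause is also redundant, since `None not in [...]` is already true. I would write `if user["default_role"] not in ("ACCOUNTADMIN", "SECURITYADMIN") and user["deleted_on"] is None:`, which matches the failing branch and the other checks in this file. Separately, `"ACCOUNTADMIN" in user["assigned_roles"]` in snowflake_accountadmins_have_email_check is a substring test if `assigned_roles` is a string rather than a list; its type is not shown in this hunk and is worth confirming.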
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Fri, 30 Aug 2024 23:57:46 -0400 Subject: [PATCH 30/55] guess what...more checks MF'er! --- .../snowflake/Snowflake_Users_Auditor.py | 361 +++++++++++++++++- 1 file changed, 356 insertions(+), 5 deletions(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index ddb90085..95740297 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py @@ -67,7 +67,7 @@ def get_roles_for_user(username: str, snowflakeCursor: cursor.SnowflakeCursor) - logger.warn(f"no roles for the user: {username}") except snowerrors.ProgrammingError as spe: if "does not exist" in str(spe): - logger.warning("User %s is inactive or roles are unable to be retrieved.", username) + logger.warning("Snowflake User %s is inactive or roles are unable to be retrieved.", username) except Exception as e: logger.warning("Exception encounterd while trying to get roles for user %s: %s", username, e) return (list(), None) @@ -102,7 +102,7 @@ def check_user_logon_without_mfa(username: str, snowflakeCursor: cursor.Snowflak try: q = snowflakeCursor.execute(query).fetchall() except Exception as e: - logger.warning("Exception encountered while trying to get logon history for user %s: %s", username, e) + logger.warning("Exception encountered while trying to get logon history for Snowflake user %s: %s", username, e) return (False, 0) if q: @@ -206,7 +206,7 @@ def get_snowflake_users(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> } ) except Exception as e: - logger.warning("Exception encountered while trying to get users: %s", e) + logger.warning("Exception encountered while trying to get Snowflake users: %s", e) cache["get_snowflake_users"] = snowflakeUsers 
@@ -656,7 +656,8 @@ def snowflake_disable_users_without_last_90_day_login_check( "ISO 27001:2013 A.14.2.7", "ISO 27001:2013 A.15.2.1", "ISO 27001:2013 A.16.1.7", - "CIS Snowflake Foundations Benchmark V1.0.0 1.8" + "CIS Snowflake Foundations Benchmark V1.0.0 1.8", + "CIS Snowflake Foundations Benchmark V1.0.0 2.3" ] }, "Workflow": {"Status": "RESOLVED"}, @@ -749,7 +750,8 @@ def snowflake_disable_users_without_last_90_day_login_check( "ISO 27001:2013 A.14.2.7", "ISO 27001:2013 A.15.2.1", "ISO 27001:2013 A.16.1.7", - "CIS Snowflake Foundations Benchmark V1.0.0 1.8" + "CIS Snowflake Foundations Benchmark V1.0.0 1.8", + "CIS Snowflake Foundations Benchmark V1.0.0 2.3" ] }, "Workflow": {"Status": "NEW"}, 
@@ -1069,4 +1071,353 @@ def snowflake_admin_default_role_check( } yield finding +@registry.register_check("snowflake.users") +def snowflake_logins_without_mfa_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Users.6] Snowflake users should be monitored for logins without MFA""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + # Get all of the users + for user in get_snowflake_users(cache, snowflakeCursor): + # B64 encode all of the details for the Asset + assetJson = json.dumps(user,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + username = user["name"] + + # Hey, we prepoulate the MFA status in the user object so we can just check it here + loggedInWithoutMfa = user["logged_on_without_mfa"] + timesLoggedInWithoutMfa = user["total_logons_without_mfa"] + + # this is a passing check + if loggedInWithoutMfa is False and user["has_password"] is True and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/snowflake-logins-without-mfa-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Users.6] Snowflake users should be monitored for logins without MFA", + "Description": f"Snowflake user {username} has not logged in without MFA. This check does not take into account if users have *never* logged in nor does it take into account if users have MFA enabled. 
This check relies on data stored in the LOGON_HISTORY view and may not be up-to-date.", + "Remediation": { + "Recommendation": { + "Text": "For information on MFA best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586", + "CIS Snowflake Foundations Benchmark V1.0.0 2.4" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + if loggedInWithoutMfa is True and user["has_password"] is True and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/snowflake-logins-without-mfa-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Users.6] Snowflake users should be monitored for logins without MFA", + "Description": f"Snowflake user {username} has logged in without MFA {timesLoggedInWithoutMfa} times. This check relies on data stored in the LOGON_HISTORY view and includes at least a year of logins, hence the lower severity level. Multi-factor authentication (MFA) is a security control used to add an additional layer of login security. It works by requiring the user to present two or more proofs (factors) of user identity. An MFA example would be requiring a password and a verification code delivered to the user's phone during user sign-in. MFA mitigates security threats of users creating weak passwords and user passwords being stolen or accidentally leaked. 
For more information on MFA best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Remediation": { + "Recommendation": { + "Text": "For information on MFA best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586", + "CIS Snowflake Foundations Benchmark V1.0.0 2.4" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.users") +def snowflake_admin_password_users_yearly_password_rotation_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Users.7] Snowflake users with any admin role assigned should have their password rotated yearly""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + # Get all of the users + for user in get_snowflake_users(cache, snowflakeCursor): + # B64 encode all of the details for the Asset + assetJson = json.dumps(user,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + username = user["name"] + + # Use the "is_admin" field to determine if the user is an admin and the "password_last_set_time" field (ISO-8061) to determine if the password has been rotated in the last year + rotatedInLastYear = True + isAdmin = user["is_admin"] + passwordLastSetTime = datetime.fromisoformat(user["password_last_set_time"]) + currentTime = datetime.now(UTC) + daysAgo = currentTime - timedelta(days=365) + if passwordLastSetTime < daysAgo: + rotatedInLastYear = False + + # this is a passing check + if rotatedInLastYear is True and isAdmin is True and user["has_password"] is True and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/snowflake-admins-yearly-passowrd-rotation-check", + "ProductArn": 
f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Users.7] Snowflake users with any admin role assigned should have their password rotated yearly", + "Description": f"Snowflake user {username} has an admin role assigned and has rotated their password in the last year. This check does not account for custom assigned roles, only the built-in Snowflake admin roles: ACCOUNTADMIN, ORGADMIN, SECURITYADMIN, or SYSADMIN. This check also only checks if there is a password set for the user, as 'service accounts' do not have passwords and do not need to be rotated.", + "Remediation": { + "Recommendation": { + "Text": "For information on security best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 
4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + if rotatedInLastYear is False and isAdmin is True and user["has_password"] is True and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/snowflake-admins-yearly-passowrd-rotation-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Users.7] Snowflake users with any admin role assigned should have their password rotated yearly", + "Description": f"Snowflake user {username} has an admin role assigned and has not rotated their password in the last year. This check does not account for custom assigned roles, only the built-in Snowflake admin roles: ACCOUNTADMIN, ORGADMIN, SECURITYADMIN, or SYSADMIN. 
This check also only checks if there is a password set for the user, as 'service accounts' do not have passwords and do not need to be rotated. Password rotation is a security best practice that helps prevent unauthorized access to systems and data. For more information on security best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Remediation": { + "Recommendation": { + "Text": "For information on security best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "RESOLVED" + } + yield finding + # EOF \ No newline at end of file From 0fbd4f4d288a4488a59e37519202323f446789fb Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sat, 31 Aug 2024 13:15:17 -0400 Subject: [PATCH 31/55] finish our snowflake user auditor --- .../snowflake/Snowflake_Users_Auditor.py | 176 ++++++++++++++++++ 1 file changed, 176 insertions(+) diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index 95740297..ffed39a0 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py 
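Review bot: In `snowflake_admin_password_users_yearly_password_rotation_check`, `datetime.fromisoformat(user["password_last_set_time"])` runs for every user before the `isAdmin` / `has_password` / `deleted_on` filters, so one user whose value is `None` or empty would raise and end the generator, leaving every later user without a finding from this check. Whether the field can be empty depends on `get_snowflake_users`, which is outside this hunk, but the description's own remark that service accounts have no password suggests it can. Parse only inside the guard, e.g. `if isAdmin is True and user["has_password"] is True and user["password_last_set_time"]:`, and leave `rotatedInLastYear = True` otherwise. Separately, the remediation `Url` in both new checks carries a `mkt_tok=` tracking parameter that is copied into every emitted finding; the bare article URL is enough.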
@@ -1420,4 +1420,180 @@ def snowflake_admin_password_users_yearly_password_rotation_check( } yield finding +@registry.register_check("snowflake.users") +def snowflake_bypass_mfa_review_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Users.8] Snowflake users allowed to bypass MFA should be reviewed""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + # Get all of the users + for user in get_snowflake_users(cache, snowflakeCursor): + # B64 encode all of the details for the Asset + assetJson = json.dumps(user,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + username = user["name"] + + # Use the "bypass_mfa_until" field (ISO-8061) to determine if the user is allowed to bypass MFA by checking if the date is in the future - only perform this check for password users with MFA enabled + mfaBypass = False + if user["ext_authn_duo"] is True and user["has_password"] is True: + if user["bypass_mfa_until"] is not None: + bypassMfaUntil = datetime.fromisoformat(user["bypass_mfa_until"]) + currentTime = datetime.now(UTC) + if bypassMfaUntil > currentTime: + mfaBypass = True + + # this is a passing check + if mfaBypass is False and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/snowflake-user-mfa-bypass-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Users.8] Snowflake users allowed to bypass MFA should be 
reviewed", + "Description": f"Snowflake user {username} is not allowed to bypass MFA or they do not have MFA or a Password enabled.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing MFA and bypass for users in Snowflake refer to the Managing MFA for an account and users section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/security-mfa" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + if mfaBypass is True and user["deleted_on"] is None: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{username}/snowflake-user-mfa-bypass-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": f"{snowflakeAccountId}/{username}", + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Users.8] Snowflake users allowed to bypass MFA should be reviewed", + "Description": f"Snowflake user {username} has MFA assigned and is allowed to bypass MFA. When MFA is enabled, users are required to provide two or more verification factors to access their account. Allowing users to bypass MFA can increase the risk of unauthorized access to your Snowflake account. 
While there are some administrative reasons to bypass MFA, these users should be reviewed to ensure that they are not a security risk.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing MFA and bypass for users in Snowflake refer to the Managing MFA for an account and users section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/security-mfa" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Identity & Access Management", + "AssetService": "Snowflake Users", + "AssetComponent": "User" + }, + "Resources": [ + { + "Type": "SnowflakeUser", + "Id": username, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "MITRE ATT&CK T1589", + "MITRE ATT&CK T1586" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + # EOF \ No newline at end of file From 8793080ac2a95fa986b53ed07526ce75dcf5d402 Mon Sep 17 00:00:00 2001 
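Review bot: The passing branch of `snowflake_bypass_mfa_review_check` fires for every non-deleted user with `mfaBypass is False`, which includes password users with no MFA enrolled at all (`ext_authn_duo` not `True`), so they are reported as `PASSED` / `ARCHIVED` against the IA controls listed. That makes the control look satisfied for the accounts with the weakest login posture. Consider emitting findings only for users the check actually evaluates, e.g. `if user["ext_authn_duo"] is not True or user["has_password"] is not True: continue` right after `username` is set. Also, `bypassMfaUntil > currentTime` compares against an aware `datetime.now(UTC)`; if the stored string carries no UTC offset (its format is not visible in this hunk), that comparison raises `TypeError`.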
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sat, 31 Aug 2024 19:42:28 -0400 Subject: [PATCH 32/55] total admin check, minor bug fixes --- .../snowflake/Snowflake_Account_Auditor.py | 32 ++++ .../snowflake/Snowflake_Users_Auditor.py | 162 +++++++++++++++++- 2 files changed, 192 insertions(+), 2 deletions(-) create mode 100644 eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py diff --git a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py new file mode 100644 index 00000000..dada6ce6 --- /dev/null +++ b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py @@ -0,0 +1,32 @@ +#This file is part of ElectricEye. +#SPDX-License-Identifier: Apache-2.0 + +#Licensed to the Apache Software Foundation (ASF) under one +#or more contributor license agreements. See the NOTICE file +#distributed with this work for additional information +#regarding copyright ownership. The ASF licenses this file +#to you under the Apache License, Version 2.0 (the +#"License"); you may not use this file except in compliance +#with the License. You may obtain a copy of the License at + +#http://www.apache.org/licenses/LICENSE-2.0 + +#Unless required by applicable law or agreed to in writing, +#software distributed under the License is distributed on an +#"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +#KIND, either express or implied. See the License for the +#specific language governing permissions and limitations +#under the License. + +import logging +from datetime import datetime, timezone, timedelta, UTC +from snowflake.connector import cursor +import snowflake.connector.errors as snowerrors +from check_register import CheckRegister +import base64 +import json + +logging.basicConfig(level=logging.INFO) +logger = logging.getLogger("SnowflakeAccountAuditor") + +registry = CheckRegister() \ No newline at end of file 
diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index ffed39a0..e4611670 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py @@ -564,7 +564,7 @@ def snowflake_disable_users_without_last_90_day_login_check( # determine if there was a successful login in the last 90 days for users that are not disabled and have otherwise logged in passingCheck = True - if user["last_success_login"] and user["disabled"] is "false" and user["deleted_on"] is None: + if user["last_success_login"] and user["disabled"] == "false" and user["deleted_on"] is None: lastLogin = datetime.fromisoformat(user["last_success_login"]) ninetyDaysAgo = datetime.now(UTC) - timedelta(days=90) if lastLogin > ninetyDaysAgo: @@ -1416,7 +1416,7 @@ def snowflake_admin_password_users_yearly_password_rotation_check( ] }, "Workflow": {"Status": "NEW"}, - "RecordState": "RESOLVED" + "RecordState": "ACTIVE" } yield finding 
@@ -1596,4 +1596,162 @@ def snowflake_bypass_mfa_review_check( } yield finding +@registry.register_check("snowflake.users") +def snowflake_limit_admin_users_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Users.9] Snowflake Accounts should have at least two admin users but less than ten""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + # using the "is_admin" field to determine if the user is an admin, create a list comprehension to count the number of admins, if the count is less than 2 or greater than 10 this check will fail by changing the properAmountOfAdmins variable to False + properAmountOfAdmins = True + adminUsers = [user for user in get_snowflake_users(cache, snowflakeCursor) if user["is_admin"] is True and user["deleted_on"] is None] + adminCount = len(adminUsers) + if adminCount < 2 or adminCount > 10: + properAmountOfAdmins = False + + # B64 encode all of the details for the Asset + assetJson = json.dumps(adminUsers,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if properAmountOfAdmins is True: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-limted-admins-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Users.9] Snowflake Accounts should have at least two admin users but less than ten", + "Description": f"Snowflake account {snowflakeAccountId} has more than two users with admin roles 
and less than ten. ORGADMIN, SECURITYADMIN, ACCOUNTADMIN, and SYSADMIN are the built-in Snowflake admin roles. This check does not account for custom assigned roles, only the built-in Snowflake admin roles. Following the principle of least privilege that prescribes limiting user's privileges to those that are strictly required to do their jobs, the admin roles should be assigned to a limited number of designated users (e.g., less than 10, but at least 2 to ensure that access can be recovered if one ACCOUNTAMIN user is having login difficulties).", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-4", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 AC-3", + "NIST SP 800-53 Rev. 4 AC-5", + "NIST SP 800-53 Rev. 4 AC-6", + "NIST SP 800-53 Rev. 
4 AC-16", + "AICPA TSC CC6.3", + "ISO 27001:2013 A.6.1.2", + "ISO 27001:2013 A.9.1.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.4.1", + "ISO 27001:2013 A.9.4.4", + "MITRE ATT&CK T1210", + "MITRE ATT&CK T1570", + "MITRE ATT&CK T1021.007", + "MITRE ATT&CK T1020", + "MITRE ATT&CK T1048", + "MITRE ATT&CK T1567", + "CIS Snowflake Foundations Benchmark V1.0.0 1.10" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-limted-admins-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Users.9] Snowflake Accounts should have at least two admin users but less than ten", + "Description": f"Snowflake account {snowflakeAccountId} either has less than two admins or more than ten. ORGADMIN, SECURITYADMIN, ACCOUNTADMIN, and SYSADMIN are the built-in Snowflake admin roles. This check does not account for custom assigned roles, only the built-in Snowflake admin roles. 
Following the principle of least privilege that prescribes limiting user's privileges to those that are strictly required to do their jobs, the admin roles should be assigned to a limited number of designated users (e.g., less than 10, but at least 2 to ensure that access can be recovered if one ACCOUNTAMIN user is having login difficulties).", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for users in Snowflake refer to the community post Snowflake Security Overview and Best Practices in the Snowflake Community Portal.", + "Url": "https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices?mkt_tok=MjUyLVJGTy0yMjcAAAGTVPcnsobib0St0CwRwVZ4sfwHPicq12DnL_MX_bz-yG4OgkADmIh6ll3PcRhIqFeezBwdFSNL-ipp9vJHUV6hRiKUK2b-0f5_HGpkwz7pTG2_w6cO9Q" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-4", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 AC-3", + "NIST SP 800-53 Rev. 4 AC-5", + "NIST SP 800-53 Rev. 4 AC-6", + "NIST SP 800-53 Rev. 
4 AC-16", + "AICPA TSC CC6.3", + "ISO 27001:2013 A.6.1.2", + "ISO 27001:2013 A.9.1.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.4.1", + "ISO 27001:2013 A.9.4.4", + "MITRE ATT&CK T1210", + "MITRE ATT&CK T1570", + "MITRE ATT&CK T1021.007", + "MITRE ATT&CK T1020", + "MITRE ATT&CK T1048", + "MITRE ATT&CK T1567", + "CIS Snowflake Foundations Benchmark V1.0.0 1.10" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + # EOF \ No newline at end of file From 606250b8a6b02f507cf8c00338811029aece6ba3 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sat, 31 Aug 2024 20:02:58 -0400 Subject: [PATCH 33/55] Stage SNOW Acct auditor --- .../auditors/aws/AWS_Accounts_Auditor.py | 7 +- .../snowflake/Snowflake_Account_Auditor.py | 174 +++++++++++++++++- 2 files changed, 179 insertions(+), 2 deletions(-) diff --git a/eeauditor/auditors/aws/AWS_Accounts_Auditor.py b/eeauditor/auditors/aws/AWS_Accounts_Auditor.py index bb1fa566..e11c1305 100644 --- a/eeauditor/auditors/aws/AWS_Accounts_Auditor.py +++ b/eeauditor/auditors/aws/AWS_Accounts_Auditor.py @@ -18,10 +18,14 @@ #specific language governing permissions and limitations #under the License. +import logging from check_register import CheckRegister import datetime import botocore +logging.basicConfig(level=logging.INFO) +logger = logging.getLogger("AwsAccountAuditor") + registry = CheckRegister() def global_region_generator(awsPartition): @@ -63,7 +67,8 @@ def get_account_alternate_contacts(cache, session): accountAlternateContacts.append("SECURITY") cache["get_account_alternate_contacts"] = accountAlternateContacts return cache["get_account_alternate_contacts"] - except botocore.exceptions.ClientError as error: + except botocore.exceptions.ClientError as err: + logger.warning("Could not get account alternate contacts: %s", err) return {} @registry.register_check("account") 
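Review bot: The bound in `snowflake_limit_admin_users_check` does not match the check's own title: `if adminCount < 2 or adminCount > 10:` lets an account with exactly ten admins pass, while the title and the failing description say "less than ten". If the title is the intent, use `if adminCount < 2 or adminCount >= 10:`; the passing description's "more than two" should likewise read "at least two", since two admins pass. Note also that `adminCount` is 0 when `get_snowflake_users` comes back empty, which from the earlier hunk appears to happen after a logged query exception, so a lookup failure would surface as a `FAILED` admin-count finding. A comment such as `# an empty user list may mean the query failed, not that there are no admins` above the count would make that visible to the next maintainer.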
diff --git a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py index dada6ce6..69010792 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py 
@@ -29,4 +29,176 @@ logging.basicConfig(level=logging.INFO) logger = logging.getLogger("SnowflakeAccountAuditor") -registry = CheckRegister() \ No newline at end of file +registry = CheckRegister() + +def get_snowflake_password_policy(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> dict: + """ + Get the Snowflake password policy for the account from the ACCOUNT_USAGE.PASSWORD_POLICIES view. + """ + response = cache.get("get_snowflake_password_policy") + if response: + return response + + query = "SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.PASSWORD_POLICIES" + + cache["get_snowflake_password_policy"] = snowflakeCursor.execute(query).fetchall() + + return cache["get_snowflake_password_policy"] + +@registry.register_check("snowflake.account") +def snowflake_account_enable_sso_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.1] Snowflake Accounts have Single Sign-On (SSO) enabled""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + # Get the SSO configuration for the account by retrieving all INTEGRATIONS and filtering for the types for OAuth and SAML + query = "SHOW INTEGRATIONS" + try: + q = snowflakeCursor.execute(query).fetchall() + except snowerrors.ProgrammingError as e: + logger.warning(f"An error occurred when executing the query: {e}") + q = [] + + ssoCheck = [integ for integ in q if "saml" in str(integ["type"]).lower() or "oauth" in str(integ["type"]).lower()] + + # B64 encode all of the details for the Asset + assetJson = json.dumps(ssoCheck,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if ssoCheck: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-sso-enabled-check", + "ProductArn": 
f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.1] Snowflake Accounts have Single Sign-On (SSO) enabled", + "Description": f"Snowflake account {snowflakeAccountId} has Single Sign-On (SSO) enabled either via SAML or External OAUTH.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for setting up federated authentication or SSO in Snowflake refer to the Overview of federated authentication and SSO section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-overview" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-6", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 AC-3", + "NIST SP 800-53 Rev. 4 AC-16", + "NIST SP 800-53 Rev. 4 AC-19", + "NIST SP 800-53 Rev. 4 AC-24", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 PE-2", + "NIST SP 800-53 Rev. 
4 PS-3", + "AICPA TSC CC6.1", + "ISO 27001:2013 A.7.1.1", + "ISO 27001:2013 A.9.2.1" + "CIS Snowflake Foundations Benchmark V1.0.0 1.1" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-sso-enabled-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "MEDIUM"}, + "Confidence": 99, + "Title": "[Snowflake.Account.1] Snowflake Accounts have Single Sign-On (SSO) enabled", + "Description": f"Snowflake account {snowflakeAccountId} does not have Single Sign-On (SSO) enabled neither via SAML nor External OAUTH. Federated authentication enables users to connect to Snowflake using secure SSO (single sign-on). With SSO enabled, users authenticate through an external (SAML 2.0-compliant or OAuth 2.0) identity provider (IdP). Once authenticated by an IdP, users can access their Snowflake account for the duration of their IdP session without having to authenticate to Snowflake again. Users can choose to initiate their sessions from within the interface provided by the IdP or directly in Snowflake. 
Configuring your Snowflake authentication so that users can log in using SSO reduces the attack surface for your organization because users only log in once across multiple applications and do not have to manage a separate set of credentials for their Snowflake account.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for setting up federated authentication or SSO in Snowflake refer to the Overview of federated authentication and SSO section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-overview" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-6", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 AC-3", + "NIST SP 800-53 Rev. 4 AC-16", + "NIST SP 800-53 Rev. 4 AC-19", + "NIST SP 800-53 Rev. 4 AC-24", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 PE-2", + "NIST SP 800-53 Rev. 4 PS-3", + "AICPA TSC CC6.1", + "ISO 27001:2013 A.7.1.1", + "ISO 27001:2013 A.9.2.1" + "CIS Snowflake Foundations Benchmark V1.0.0 1.1" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding \ No newline at end of file From 210f857b46feaa4ec6acef2d45f373afbee250b0 Mon Sep 17 00:00:00 2001 
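Review bot: In `snowflake_account_enable_sso_check` the `except snowerrors.ProgrammingError` branch sets `q = []`, so a query that fails (for instance because the role lacks the privilege to run `SHOW INTEGRATIONS`) falls through to the `else` branch and emits a FAILED "SSO not enabled" finding. An unknown state should not be reported as a control failure. After the warning, replace `q = []` with a bare `return` so the generator yields nothing when the state could not be read. The log call could also use lazy arguments, `logger.warning("Query failed: %s", e)`, to match the style used in the AWS auditor earlier in this patch.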
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sat, 31 Aug 2024 21:11:30 -0400 Subject: [PATCH 34/55] add more snowflake account checs --- .../snowflake/Snowflake_Account_Auditor.py | 508 +++++++++++++++++- 1 file changed, 495 insertions(+), 13 deletions(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py index 69010792..12d0e55c 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py @@ -19,7 +19,7 @@ #under the License. import logging -from datetime import datetime, timezone, timedelta, UTC +from datetime import datetime, timezone, UTC from snowflake.connector import cursor import snowflake.connector.errors as snowerrors from check_register import CheckRegister @@ -31,6 +31,20 @@ registry = CheckRegister() +def get_snowflake_security_integrations(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> dict: + """ + Get the Snowflake security integrations for the account from the SHOW INTEGRATIONS query. + """ + response = cache.get("get_snowflake_security_integrations") + if response: + return response + + query = "SHOW INTEGRATIONS" + + cache["get_snowflake_security_integrations"] = snowflakeCursor.execute(query).fetchall() + + return cache["get_snowflake_security_integrations"] + def get_snowflake_password_policy(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> dict: """ Get the Snowflake password policy for the account from the ACCOUNT_USAGE.PASSWORD_POLICIES view. 
@@ -46,22 +60,16 @@ def get_snowflake_password_policy(cache: dict, snowflakeCursor: cursor.Snowflake return cache["get_snowflake_password_policy"] @registry.register_check("snowflake.account") -def snowflake_account_enable_sso_check( +def snowflake_account_sso_enabled_check( cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor ) -> dict: """[Snowflake.Account.1] Snowflake Accounts have Single Sign-On (SSO) enabled""" # ISO Time iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() - # Get the SSO configuration for the account by retrieving all INTEGRATIONS and filtering for the types for OAuth and SAML - query = "SHOW INTEGRATIONS" - try: - q = snowflakeCursor.execute(query).fetchall() - except snowerrors.ProgrammingError as e: - logger.warning(f"An error occurred when executing the query: {e}") - q = [] + payload = cache.get("get_snowflake_security_integrations") - ssoCheck = [integ for integ in q if "saml" in str(integ["type"]).lower() or "oauth" in str(integ["type"]).lower()] + ssoCheck = [integ for integ in payload if "saml" in str(integ["type"]).lower() or "oauth" in str(integ["type"]).lower()] # B64 encode all of the details for the Asset assetJson = json.dumps(ssoCheck,default=str).encode("utf-8") @@ -127,7 +135,7 @@ def snowflake_account_enable_sso_check( "NIST SP 800-53 Rev. 4 PS-3", "AICPA TSC CC6.1", "ISO 27001:2013 A.7.1.1", - "ISO 27001:2013 A.9.2.1" + "ISO 27001:2013 A.9.2.1", "CIS Snowflake Foundations Benchmark V1.0.0 1.1" ] }, 
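Review bot: `snowflake_account_sso_enabled_check` now reads `cache.get("get_snowflake_security_integrations")` directly instead of calling the helper this commit adds, so unless something outside the diff has already filled that key, `payload` is `None` and the list comprehension raises `TypeError`. Call the helper instead: `payload = get_snowflake_security_integrations(cache, snowflakeCursor)`. The SCIM check added in the `@@ -194,11 +202,485 @@` hunk has the same line and needs the same change. The removed `ProgrammingError` handling was not moved into the helper either, so once the helper is called a failed `SHOW INTEGRATIONS` will propagate out of both checks. The check's body continues past this hunk.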
@@ -194,11 +202,485 @@ def snowflake_account_enable_sso_check( "NIST SP 800-53 Rev. 4 PS-3", "AICPA TSC CC6.1", "ISO 27001:2013 A.7.1.1", - "ISO 27001:2013 A.9.2.1" + "ISO 27001:2013 A.9.2.1", "CIS Snowflake Foundations Benchmark V1.0.0 1.1" ] }, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE" } - yield finding \ No newline at end of file + yield finding + +@registry.register_check("snowflake.account") +def snowflake_account_scim_enabled_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.2] Snowflake Accounts have SCIM enabled""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + payload = cache.get("get_snowflake_security_integrations") + + scimCheck = [integ for integ in payload if str(integ["type"]).lower() == "scim"] + + # B64 encode all of the details for the Asset + assetJson = json.dumps(scimCheck,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if scimCheck: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-scim-enabled-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.2] Snowflake Accounts have SCIM enabled", + "Description": f"Snowflake account {snowflakeAccountId} has System for Cross-domain Identity Management (SCIM) enabled.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for setting up federated authentication or SSO in Snowflake 
refer to the Overview of federated authentication and SSO section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-overview" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 ID.BE-5", + "NIST CSF V1.1 PR.DS-4", + "NIST CSF V1.1 PR.PT-5", + "NIST SP 800-53 Rev. 4 AU-4", + "NIST SP 800-53 Rev. 4 CP-2", + "NIST SP 800-53 Rev. 4 CP-7", + "NIST SP 800-53 Rev. 4 CP-8", + "NIST SP 800-53 Rev. 4 CP-11", + "NIST SP 800-53 Rev. 4 CP-13", + "NIST SP 800-53 Rev. 4 PL-8", + "NIST SP 800-53 Rev. 4 SA-14", + "NIST SP 800-53 Rev. 4 SC-5", + "NIST SP 800-53 Rev. 
4 SC-6", + "AICPA TSC CC3.1", + "AICPA TSC A1.1", + "AICPA TSC A1.2", + "ISO 27001:2013 A.11.1.4", + "ISO 27001:2013 A.12.3.1", + "ISO 27001:2013 A.17.1.1", + "ISO 27001:2013 A.17.1.2", + "ISO 27001:2013 A.17.2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 1.2" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-scim-enabled-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Account.2] Snowflake Accounts have SCIM enabled", + "Description": f"Snowflake account {snowflakeAccountId} does not have System for Cross-domain Identity Management (SCIM) enabled. SCIM is an open specification designed to help facilitate the automated management of user identities and groups (i.e. roles) in cloud applications using RESTful APIs. Snowflake supports SCIM 2.0 integration with Okta, Microsoft Azure AD and custom identity providers. Users and groups from the identity provider can be provisioned into Snowflake, which functions as the service provider. While SSO enables seamless authentication with a federated identity to the Snowflake application, user accounts still need to be created, managed, and deprovisioned. Operations like adding and deleting users, changing permissions, and adding new types of accounts usually take up valuable admin time and when done manually may be error-prone. 
With SCIM, user identities can be created either directly in your identity provider, or imported from external systems like HR software or Active Directory. SCIM enables IT departments to automate the user provisioning and deprovisioning process while also having a single system to manage permissions and groups. Since data is transferred automatically, risk of error is reduced.", + "Remediation": { + "Recommendation": { + "Text": "For information on setting up SCIM in Snowflake refer to the CREATE SECURITY INTEGRATION (SCIM) section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-scim#examples" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 ID.BE-5", + "NIST CSF V1.1 PR.DS-4", + "NIST CSF V1.1 PR.PT-5", + "NIST SP 800-53 Rev. 4 AU-4", + "NIST SP 800-53 Rev. 4 CP-2", + "NIST SP 800-53 Rev. 4 CP-7", + "NIST SP 800-53 Rev. 4 CP-8", + "NIST SP 800-53 Rev. 4 CP-11", + "NIST SP 800-53 Rev. 4 CP-13", + "NIST SP 800-53 Rev. 4 PL-8", + "NIST SP 800-53 Rev. 4 SA-14", + "NIST SP 800-53 Rev. 4 SC-5", + "NIST SP 800-53 Rev. 
4 SC-6", + "AICPA TSC CC3.1", + "AICPA TSC A1.1", + "AICPA TSC A1.2", + "ISO 27001:2013 A.11.1.4", + "ISO 27001:2013 A.12.3.1", + "ISO 27001:2013 A.17.1.1", + "ISO 27001:2013 A.17.1.2", + "ISO 27001:2013 A.17.2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 1.2" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.account") +def snowflake_admin_15min_session_timeout_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.3] Snowflake Accounts should ensure that admins roles have a 15 minute session timeout""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + query = """ + WITH PRIV_USERS AS ( SELECT DISTINCT GRANTEE_NAME FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS WHERE DELETED_ON IS NULL AND ROLE IN ('ACCOUNTADMIN','SECURITYADMIN') AND DELETED_ON IS NULL ), POLICY_REFS AS ( SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES AS A LEFT JOIN SNOWFLAKE.ACCOUNT_USAGE.SESSION_POLICIES AS B ON A.POLICY_ID = B.ID WHERE A.POLICY_KIND = 'SESSION_POLICY' AND A.POLICY_STATUS = 'ACTIVE' AND A.REF_ENTITY_DOMAIN = 'USER' AND B.DELETED IS NULL AND B.SESSION_IDLE_TIMEOUT_MINS <= 15 ) SELECT A.*, B.POLICY_ID, B.POLICY_KIND, B.POLICY_STATUS, B.SESSION_IDLE_TIMEOUT_MINS FROM PRIV_USERS AS A LEFT JOIN POLICY_REFS AS B ON A.GRANTEE_NAME = B.REF_ENTITY_NAME WHERE B.POLICY_ID IS NULL; + """ + + # execute the CIS query, works pretty well actually...this SHOULDN'T return anything for it to pass + q = snowflakeCursor.execute(query).fetchall() + + # B64 encode all of the details for the Asset + assetJson = json.dumps(q,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if not q: + finding = { + "SchemaVersion": "2018-10-08", + "Id": 
f"{snowflakeAccountId}/snowflake-account-admin-session-timeout-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.3] Snowflake Accounts should ensure that admins roles have a 15 minute session timeout", + "Description": f"Snowflake account {snowflakeAccountId} configures session timeouts to 15 minutes or less for all users with SECURITYADMIN and/or ACCOUNTADMIN roles.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for setting up federated authentication or SSO in Snowflake refer to the Overview of federated authentication and SSO section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-overview" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.IP-7", + "NIST CSF V1.1 RS.AN-1", + "NIST SP 800-53 Rev. 4 CA-2", + "NIST SP 800-53 Rev. 4 CA-7", + "NIST SP 800-53 Rev. 4 CP-2", + "NIST SP 800-53 Rev. 4 IR-8", + "NIST SP 800-53 Rev. 4 PL-2", + "NIST SP 800-53 Rev. 4 PM-6", + "NIST SP 800-53 Rev. 4 AU-6", + "NIST SP 800-53 Rev. 4 IR-4", + "NIST SP 800-53 Rev. 
4 IR-5", + "NIST SP 800-53 Rev. 4 PE-6", + "NIST SP 800-53 Rev. 4 SI-4", + "AICPA TSC CC4.2", + "AICPA TSC CC5.1", + "AICPA TSC CC5.3", + "AICPA TSC CC7.3", + "ISO 27001:2013 A.12.4.1", + "ISO 27001:2013 A.12.4.3", + "ISO 27001:2013 A.16.1.5", + "CIS Snowflake Foundations Benchmark V1.0.0 1.9" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-admin-session-timeout-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "MEDUIM"}, + "Confidence": 99, + "Title": "[Snowflake.Account.3] Snowflake Accounts should ensure that admins roles have a 15 minute session timeout", + "Description": f"Snowflake account {snowflakeAccountId} does not configure session timeouts to 15 minutes or less for all users with SECURITYADMIN and/or ACCOUNTADMIN roles. A session begins when a user connects to Snowflake and authenticates successfully using a Snowflake programmatic client, Snowsight, or the classic web interface. A session is maintained indefinitely with continued user activity. After a period of inactivity in the session, known as the idle session timeout, the user must authenticate to Snowflake again. Session policies can be used to modify the idle session timeout period. The idle session timeout has a maximum value of four hours. Tightening up the idle session timeout reduces sensitive data exposure risk when users forget to sign out of Snowflake and an unauthorized person gains access to their device. 
For more information on session policies in Snowflake refer to the Session Policies section of the Snowflake Documentation Portal.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for setting up session policies in Snowflake refer to the Snowflake Sessions & Session Policies section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/session-policies" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.IP-7", + "NIST CSF V1.1 RS.AN-1", + "NIST SP 800-53 Rev. 4 CA-2", + "NIST SP 800-53 Rev. 4 CA-7", + "NIST SP 800-53 Rev. 4 CP-2", + "NIST SP 800-53 Rev. 4 IR-8", + "NIST SP 800-53 Rev. 4 PL-2", + "NIST SP 800-53 Rev. 4 PM-6", + "NIST SP 800-53 Rev. 4 AU-6", + "NIST SP 800-53 Rev. 4 IR-4", + "NIST SP 800-53 Rev. 4 IR-5", + "NIST SP 800-53 Rev. 4 PE-6", + "NIST SP 800-53 Rev. 
4 SI-4", + "AICPA TSC CC4.2", + "AICPA TSC CC5.1", + "AICPA TSC CC5.3", + "AICPA TSC CC7.3", + "ISO 27001:2013 A.12.4.1", + "ISO 27001:2013 A.12.4.3", + "ISO 27001:2013 A.16.1.5", + "CIS Snowflake Foundations Benchmark V1.0.0 1.9" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.account") +def snowflake_built_in_admin_roles_not_in_custom_role_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.4] Snowflake custom roles should not use built-in admin roles""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + query = """ + SELECT GRANTEE_NAME AS CUSTOM_ROLE, PRIVILEGE AS GRANTED_PRIVILEGE, NAME AS GRANTED_ROLE FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES WHERE GRANTED_ON = 'ROLE' AND NAME IN ('ACCOUNTADMIN','SECURITYADMIN') AND DELETED_ON IS NULL + """ + + q = snowflakeCursor.execute(query).fetchall() + # execute the CIS query, works pretty well for this too, the query should only return a single row: [{'CUSTOM_ROLE': 'ACCOUNTADMIN', 'GRANTED_PRIVILEGE': 'USAGE', 'GRANTED_ROLE': 'SECURITYADMIN'}]. 
If there is more than one entry in the returned list, or the entry does not match this, it's a fail + builtInAdminNotUsedInCustomRole = False + if len(q) == 1: + if q[0]["CUSTOM_ROLE"] == "ACCOUNTADMIN" and q[0]["GRANTED_PRIVILEGE"] == "USAGE" and q[0]["GRANTED_ROLE"] == "SECURITYADMIN": + builtInAdminNotUsedInCustomRole = True + + # B64 encode all of the details for the Asset + assetJson = json.dumps(q,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if builtInAdminNotUsedInCustomRole is True: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-admin-session-timeout-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.4] Snowflake custom roles should not use built-in admin roles", + "Description": f"Snowflake account {snowflakeAccountId} does not use SECURITYADMIN and/or ACCOUNTADMIN roles within custom roles.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for setting up custom roles and general access control in Snowflake refer to the Overview of Access Control of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/security-access-control-overview" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + 
"Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-4", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 AC-3", + "NIST SP 800-53 Rev. 4 AC-5", + "NIST SP 800-53 Rev. 4 AC-6", + "NIST SP 800-53 Rev. 4 AC-16", + "AICPA TSC CC6.3", + "ISO 27001:2013 A.6.1.2", + "ISO 27001:2013 A.9.1.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.4.1", + "ISO 27001:2013 A.9.4.4", + "CIS Snowflake Foundations Benchmark V1.0.0 1.13" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-admin-session-timeout-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.4] Snowflake custom roles should not use built-in admin roles", + "Description": f"Snowflake account {snowflakeAccountId} uses SECURITYADMIN and/or ACCOUNTADMIN roles within custom roles. The principle of least privilege requires that every identity is only given privileges that are necessary to complete its tasks. The ACCOUNTADMIN system role is the most powerful role in a Snowflake account and is intended for performing initial setup and managing account-level objects. SECURITYADMIN role can trivially escalate their privileges to that of ACCOUNTADMIN. Neither of these roles should be used for performing daily non-administrative tasks in a Snowflake account. 
Granting ACCOUNTADMIN role to any custom role effectively elevates privileges of that role to the ACCOUNTADMIN role privileges. Roles that include the ACCOUNTADMIN role can then be mistakenly used in access grants that do not require ACCOUNTADMIN privileges thus violating the principle of least privilege and increasing the attack surface. The same logic applies to the SECURITYADMIN role. For more information refer to the remediation section.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for setting up custom roles and general access control in Snowflake refer to the Overview of Access Control of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/security-access-control-overview" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-4", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 AC-3", + "NIST SP 800-53 Rev. 4 AC-5", + "NIST SP 800-53 Rev. 4 AC-6", + "NIST SP 800-53 Rev. 4 AC-16", + "AICPA TSC CC6.3", + "ISO 27001:2013 A.6.1.2", + "ISO 27001:2013 A.9.1.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.4.1", + "ISO 27001:2013 A.9.4.4", + "CIS Snowflake Foundations Benchmark V1.0.0 1.13" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +# EOF \ No newline at end of file From 3262b7c179c55139c637bf58a3e99525c46b23d2 Mon Sep 17 00:00:00 2001 
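Review bot: Both findings in `snowflake_built_in_admin_roles_not_in_custom_role_check` reuse the Id of check 3, `f"{snowflakeAccountId}/snowflake-account-admin-session-timeout-check"`, so the two checks will likely overwrite each other wherever findings are keyed by Id. Give check 4 its own suffix, for example `f"{snowflakeAccountId}/snowflake-built-in-admin-roles-custom-role-check"` (the name is a suggestion). The FAILED branch of check 4 is also labelled `"INFORMATIONAL"`, which looks like a copy of the passing finding and would bury a least-privilege failure, so a higher label such as `{"Label": "MEDIUM"}` seems intended. In the FAILED branch of `snowflake_admin_15min_session_timeout_check` the label is misspelled `"MEDUIM"`, which is not a valid ASFF severity label and should be `{"Label": "MEDIUM"}`.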
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sun, 1 Sep 2024 11:39:11 -0400 Subject: [PATCH 35/55] add task/stored proc admin owner checks --- .../snowflake/Snowflake_Account_Auditor.py | 729 +++++++++++++++++- 1 file changed, 718 insertions(+), 11 deletions(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py index 12d0e55c..26d48810 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py @@ -21,7 +21,6 @@ import logging from datetime import datetime, timezone, UTC from snowflake.connector import cursor -import snowflake.connector.errors as snowerrors from check_register import CheckRegister import base64 import json @@ -136,7 +135,9 @@ def snowflake_account_sso_enabled_check( "AICPA TSC CC6.1", "ISO 27001:2013 A.7.1.1", "ISO 27001:2013 A.9.2.1", - "CIS Snowflake Foundations Benchmark V1.0.0 1.1" + "CIS Snowflake Foundations Benchmark V1.0.0 1.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.3", + "CIS Snowflake Foundations Benchmark V1.0.0 2.5" ] }, "Workflow": {"Status": "RESOLVED"}, @@ -203,7 +204,9 @@ def snowflake_account_sso_enabled_check( "AICPA TSC CC6.1", "ISO 27001:2013 A.7.1.1", "ISO 27001:2013 A.9.2.1", - "CIS Snowflake Foundations Benchmark V1.0.0 1.1" + "CIS Snowflake Foundations Benchmark V1.0.0 1.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.3", + "CIS Snowflake Foundations Benchmark V1.0.0 2.5" ] }, "Workflow": {"Status": "NEW"}, 
@@ -292,7 +295,10 @@ def snowflake_account_scim_enabled_check( "ISO 27001:2013 A.17.1.1", "ISO 27001:2013 A.17.1.2", "ISO 27001:2013 A.17.2.1", - "CIS Snowflake Foundations Benchmark V1.0.0 1.2" + "CIS Snowflake Foundations Benchmark V1.0.0 1.2", + "CIS Snowflake Foundations Benchmark V1.0.0 2.3", + "CIS Snowflake Foundations Benchmark V1.0.0 2.5", + "CIS Snowflake Foundations Benchmark V1.0.0 2.7" ] }, "Workflow": {"Status": "RESOLVED"}, @@ -364,7 +370,10 @@ def snowflake_account_scim_enabled_check( "ISO 27001:2013 A.17.1.1", "ISO 27001:2013 A.17.1.2", "ISO 27001:2013 A.17.2.1", - "CIS Snowflake Foundations Benchmark V1.0.0 1.2" + "CIS Snowflake Foundations Benchmark V1.0.0 1.2", + "CIS Snowflake Foundations Benchmark V1.0.0 2.3", + "CIS Snowflake Foundations Benchmark V1.0.0 2.5", + "CIS Snowflake Foundations Benchmark V1.0.0 2.7" ] }, "Workflow": {"Status": "NEW"}, @@ -455,7 +464,8 @@ def snowflake_admin_15min_session_timeout_check( "ISO 27001:2013 A.12.4.1", "ISO 27001:2013 A.12.4.3", "ISO 27001:2013 A.16.1.5", - "CIS Snowflake Foundations Benchmark V1.0.0 1.9" + "CIS Snowflake Foundations Benchmark V1.0.0 1.9", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1" ] }, "Workflow": {"Status": "RESOLVED"}, @@ -525,7 +535,8 @@ def snowflake_admin_15min_session_timeout_check( "ISO 27001:2013 A.12.4.1", "ISO 27001:2013 A.12.4.3", "ISO 27001:2013 A.16.1.5", - "CIS Snowflake Foundations Benchmark V1.0.0 1.9" + "CIS Snowflake Foundations Benchmark V1.0.0 1.9", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1" ] }, "Workflow": {"Status": "NEW"}, 
@@ -574,7 +585,7 @@ def snowflake_built_in_admin_roles_not_in_custom_role_check( "Description": f"Snowflake account {snowflakeAccountId} does not use SECURITYADMIN and/or ACCOUNTADMIN roles within custom roles.", "Remediation": { "Recommendation": { - "Text": "For information on best practices for setting up custom roles and general access control in Snowflake refer to the Overview of Access Control of the Snowflake Documentation Portal.", + "Text": "For information on best practices for setting up custom roles and general access control in Snowflake refer to the Overview of Access Control section of the Snowflake Documentation Portal.", "Url": "https://docs.snowflake.com/en/user-guide/security-access-control-overview" } }, @@ -612,7 +623,9 @@ def snowflake_built_in_admin_roles_not_in_custom_role_check( "ISO 27001:2013 A.9.2.3", "ISO 27001:2013 A.9.4.1", "ISO 27001:2013 A.9.4.4", - "CIS Snowflake Foundations Benchmark V1.0.0 1.13" + "CIS Snowflake Foundations Benchmark V1.0.0 1.13", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" ] }, "Workflow": {"Status": "RESOLVED"}, 
@@ -637,7 +650,7 @@ def snowflake_built_in_admin_roles_not_in_custom_role_check( "Description": f"Snowflake account {snowflakeAccountId} uses SECURITYADMIN and/or ACCOUNTADMIN roles within custom roles. The principle of least privilege requires that every identity is only given privileges that are necessary to complete its tasks. The ACCOUNTADMIN system role is the most powerful role in a Snowflake account and is intended for performing initial setup and managing account-level objects. SECURITYADMIN role can trivially escalate their privileges to that of ACCOUNTADMIN. Neither of these roles should be used for performing daily non-administrative tasks in a Snowflake account. Granting ACCOUNTADMIN role to any custom role effectively elevates privileges of that role to the ACCOUNTADMIN role privileges. Roles that include the ACCOUNTADMIN role can then be mistakenly used in access grants that do not require ACCOUNTADMIN privileges thus violating the principle of least privilege and increasing the attack surface. The same logic applies to the SECURITYADMIN role. For more information refer to the remediation section.", "Remediation": { "Recommendation": { - "Text": "For information on best practices for setting up custom roles and general access control in Snowflake refer to the Overview of Access Control of the Snowflake Documentation Portal.", + "Text": "For information on best practices for setting up custom roles and general access control in Snowflake refer to the Overview of Access Control section of the Snowflake Documentation Portal.", "Url": "https://docs.snowflake.com/en/user-guide/security-access-control-overview" } }, 
@@ -675,7 +688,701 @@ def snowflake_built_in_admin_roles_not_in_custom_role_check( "ISO 27001:2013 A.9.2.3", "ISO 27001:2013 A.9.4.1", "ISO 27001:2013 A.9.4.4", - "CIS Snowflake Foundations Benchmark V1.0.0 1.13" + "CIS Snowflake Foundations Benchmark V1.0.0 1.13", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.account") +def snowflake_tasks_not_owned_by_admins_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.5] Snowflake tasks should not be owned by ACCOUNTADMIN or SECURITYADMIN roles""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + query = """ + SELECT NAME AS STORED_PROCEDURE_NAME, GRANTED_TO, GRANTEE_NAME AS ROLE_NAME, PRIVILEGE FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES WHERE GRANTED_ON = 'TASK' AND DELETED_ON IS NULL AND GRANTED_TO = 'ROLE' AND PRIVILEGE = 'OWNERSHIP' AND GRANTEE_NAME IN ('ACCOUNTADMIN' , 'SECURITYADMIN') + """ + # as long as this returns an empty list, it's a pass + q = snowflakeCursor.execute(query).fetchall() + + # B64 encode all of the details for the Asset + assetJson = json.dumps(q,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if not q: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-tasks-owned-by-default-admin-roles-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + 
"Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.5] Snowflake tasks should not be owned by ACCOUNTADMIN or SECURITYADMIN roles", + "Description": f"Snowflake account {snowflakeAccountId} does not have any tasks owned by SECURITYADMIN and/or ACCOUNTADMIN roles. This check does not take into account tasks owned by custom roles using the ACCOUNTADMIN or SECURITYADMIN roles.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing Snowflake Task ownership and general security best practices in Snowflake refer to the Manage task graph ownership section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/tasks-graphs#label-task-dag-ownership" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.14", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-tasks-owned-by-default-admin-roles-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Account.5] Snowflake tasks should not be owned by ACCOUNTADMIN or SECURITYADMIN roles", + "Description": f"Snowflake account {snowflakeAccountId} has at least one task owned by SECURITYADMIN and/or ACCOUNTADMIN roles. The ACCOUNTADMIN system role is the most powerful role in a Snowflake account and is intended for performing initial setup and managing account-level objects. SECURITYADMIN role can trivially escalate their privileges to that of ACCOUNTADMIN. Neither of these roles should be used for running Snowflake tasks. A task should be running using a custom role containing only those privileges that are necessary for successful execution of the task. Snowflake executes tasks with the privileges of the task owner. The role that has OWNERSHIP privilege on the task owns the task. 
To avoid granting a task inappropriate privileges, the OWNERSHIP privilege on the task run as owner should be assigned to a custom role containing only those privileges that are necessary for successful execution of the task. This check does not take into account tasks owned by custom roles using the ACCOUNTADMIN or SECURITYADMIN roles. For more information refer to the remediation section.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing Snowflake Task ownership and general security best practices in Snowflake refer to the Manage task graph ownership section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/tasks-graphs#label-task-dag-ownership" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.14", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.account") +def snowflake_tasks_not_running_with_admin_privs_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.6] Snowflake tasks should not run with ACCOUNTADMIN or SECURITYADMIN role privileges""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + query = """ + SELECT NAME AS STORED_PROCEDURE_NAME, GRANTED_TO, GRANTEE_NAME AS ROLE_NAME, PRIVILEGE FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES WHERE GRANTED_ON = 'TASK' AND DELETED_ON IS NULL AND GRANTED_TO = 'ROLE' AND GRANTEE_NAME IN ('ACCOUNTADMIN' , 'SECURITYADMIN') + """ + # as usual, as long as this returns an empty list, it's a pass + q = snowflakeCursor.execute(query).fetchall() + + # B64 encode all of the details for the Asset + assetJson = json.dumps(q,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if not q: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-tasks-run-with-admin-privileges-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + 
"CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.6] Snowflake tasks should not run with ACCOUNTADMIN or SECURITYADMIN role privileges", + "Description": f"Snowflake account {snowflakeAccountId} does not have any tasks that run with ACCOUNTADMIN or SECURITYADMIN role privileges. This check does not take into account tasks running with custom roles using the ACCOUNTADMIN or SECURITYADMIN roles.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing Snowflake Task ownership and general security best practices in Snowflake refer to the Manage task graph ownership section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/tasks-graphs#label-task-dag-ownership" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.15", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-tasks-run-with-admin-privileges-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.6] Snowflake tasks should not run with ACCOUNTADMIN or SECURITYADMIN role privileges", + "Description": f"Snowflake account {snowflakeAccountId} has at least one task that runs with ACCOUNTADMIN or SECURITYADMIN role privileges. The ACCOUNTADMIN system role is the most powerful role in a Snowflake account and is intended for performing initial setup and managing account-level objects. SECURITYADMIN role can trivially escalate their privileges to that of ACCOUNTADMIN. Neither of these roles should be used for running Snowflake tasks. A task should be running using a custom role containing only those privileges that are necessary for successful execution of the task. If a threat actor finds a way to influence or hijack the task execution flow, they may be able to exploit privileges given to the task. 
In the case of an ACCOUNTADMIN or SECURITYADMIN roles, that may lead to a full account takeover. Additionally, a mistake in the task implementation coupled with excessive privileges may lead to a reliability incident, e.g. accidentally dropping database objects. This check does not take into account tasks running with custom roles using the ACCOUNTADMIN or SECURITYADMIN roles.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing Snowflake Task ownership and general security best practices in Snowflake refer to the Manage task graph ownership section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/tasks-graphs#label-task-dag-ownership" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.15", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.account") +def snowflake_stored_procs_not_owned_by_admins_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.7] Snowflake stored procedures should not run with ACCOUNTADMIN or SECURITYADMIN role privileges""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + query = """ + SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.PROCEDURES WHERE DELETED IS NULL AND PROCEDURE_OWNER IN ('ACCOUNTADMIN','SECURITYADMIN') + """ + # as usual, as long as this returns an empty list, it's a pass + q = snowflakeCursor.execute(query).fetchall() + + # B64 encode all of the details for the Asset + assetJson = json.dumps(q,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if not q: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-stored-procs-owned-by-default-admin-roles-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 
99, + "Title": "[Snowflake.Account.7] Snowflake stored procedures should not run with ACCOUNTADMIN or SECURITYADMIN role privileges", + "Description": f"Snowflake account {snowflakeAccountId} does not have any stored procedures that are owned by ACCOUNTADMIN or SECURITYADMIN roles. This check does not take into account tasks running with custom roles using the ACCOUNTADMIN or SECURITYADMIN roles.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing Snowflake Stored Procedure ownership and general security best practices in Snowflake refer to the Understanding caller's rights and owner's rights stored procedures section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/developer-guide/stored-procedure/stored-procedures-rights" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.16", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-stored-procs-owned-by-default-admin-roles-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Account.7] Snowflake stored procedures should not run with ACCOUNTADMIN or SECURITYADMIN role privileges", + "Description": f"Snowflake account {snowflakeAccountId} does not have any stored procedures that are owned by ACCOUNTADMIN or SECURITYADMIN roles. Snowflake executes stored procedures with the privileges of the stored procedure owner or the caller. Role that has OWNERSHIP privilege on the stored procedure owns it. To avoid granting a stored procedure inappropriate privileges, the OWNERSHIP privilege on the stored procedure run as owner should be assigned to a custom role containing only those privileges that are necessary for successful execution of the stored procedure. If a threat actor finds a way to influence or hijack the stored procedure execution flow, they may be able to exploit privileges given to the stored procedure. 
In the case of an ACCOUNTADMIN or SECURITYADMIN roles, that may lead to a full account takeover. Additionally, a mistake in the stored procedure implementation coupled with excessive privileges may lead to a reliability incident, e.g. accidentally dropping database objects. This check does not take into account tasks running with custom roles using the ACCOUNTADMIN or SECURITYADMIN roles. For more information refer to the remediation section.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing Snowflake Stored Procedure ownership and general security best practices in Snowflake refer to the Understanding caller's rights and owner's rights stored procedures section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/developer-guide/stored-procedure/stored-procedures-rights" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.16", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.account") +def snowflake_stored_procs_not_running_with_admin_privs_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.8] Snowflake stored procedures should not run with ACCOUNTADMIN or SECURITYADMIN role privileges""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + query = """ + SELECT NAME AS STORED_PROCEDURE_NAME, GRANTED_TO, GRANTEE_NAME AS ROLE_NAME FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES WHERE GRANTED_ON = 'PROCEDURE' AND DELETED_ON IS NULL AND GRANTED_TO = 'ROLE' AND GRANTEE_NAME IN ('ACCOUNTADMIN' , 'SECURITYADMIN'); + """ + # as usual, as long as this returns an empty list, it's a pass + q = snowflakeCursor.execute(query).fetchall() + + # B64 encode all of the details for the Asset + assetJson = json.dumps(q,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if not q: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-stored-procs-run-with-admin-privileges-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + 
"FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.8] Snowflake stored procedures should not run with ACCOUNTADMIN or SECURITYADMIN role privileges", + "Description": f"Snowflake account {snowflakeAccountId} does not have any stored procedures that run with ACCOUNTADMIN or SECURITYADMIN role privileges. This check does not take into account stored procedures running with custom roles using the ACCOUNTADMIN or SECURITYADMIN roles.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing Snowflake Stored Procedure ownership and general security best practices in Snowflake refer to the Understanding caller's rights and owner's rights stored procedures section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/developer-guide/stored-procedure/stored-procedures-rights" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.17", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-stored-procs-run-with-admin-privileges-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Account.8] Snowflake stored procedures should not run with ACCOUNTADMIN or SECURITYADMIN role privileges", + "Description": f"Snowflake account {snowflakeAccountId} has at least one stored procedure that runs with ACCOUNTADMIN or SECURITYADMIN role privileges. Snowflake stored procedures should not run with the ACCOUNTADMIN or SECURITYADMIN roles. Instead, stored procedures should be run using a custom role containing only those privileges that are necessary for successful execution of the stored procedure. If a threat actor finds a way to influence or hijack the stored procedure execution flow, they may be able to exploit privileges given to the stored procedure. In the case of an ACCOUNTADMIN or SECURITYADMIN roles, that may lead to a full account takeover. 
Additionally, a mistake in the stored procedure implementation coupled with excessive privileges may lead to a reliability incident, e.g. accidentally dropping database objects. This check does not take into account stored procedures running with custom roles using the ACCOUNTADMIN or SECURITYADMIN roles. For more information refer to the remediation section.", + "Remediation": { + "Recommendation": { + "Text": "For information on managing Snowflake Stored Procedure ownership and general security best practices in Snowflake refer to the Understanding caller's rights and owner's rights stored procedures section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/developer-guide/stored-procedure/stored-procedures-rights" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.17", + "CIS Snowflake Foundations Benchmark V1.0.0 2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 2.2" ] }, "Workflow": {"Status": "NEW"}, From 2ae87fb08871513590929ce26e4f1c77afff2ae3 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sun, 1 Sep 2024 11:58:32 -0400 Subject: [PATCH 36/55] add final password policy checks --- .../snowflake/Snowflake_Account_Auditor.py | 337 +++++++++++++++++- 1 file changed, 335 insertions(+), 2 deletions(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py index 26d48810..85f9ab3d 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py @@ -66,7 +66,7 @@ def snowflake_account_sso_enabled_check( # ISO Time iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() - payload = cache.get("get_snowflake_security_integrations") + payload = get_snowflake_security_integrations(cache, snowflakeCursor) ssoCheck = [integ for integ in payload if "saml" in str(integ["type"]).lower() or "oauth" in str(integ["type"]).lower()] @@ -222,7 +222,7 @@ def snowflake_account_scim_enabled_check( # ISO Time iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() - payload = cache.get("get_snowflake_security_integrations") + payload = get_snowflake_security_integrations(cache, snowflakeCursor) scimCheck = [integ for integ in payload if str(integ["type"]).lower() == "scim"] 
@@ -1390,4 +1390,337 @@ def snowflake_stored_procs_not_running_with_admin_privs_check( } yield finding +@registry.register_check("snowflake.account") +def snowflake_account_password_policy_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.9] Snowflake Accounts should configure a password policy""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + payload = get_snowflake_password_policy(cache, snowflakeCursor) + + # B64 encode all of the details for the Asset + assetJson = json.dumps(payload,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if payload: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-password-policy-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.9] Snowflake Accounts should configure a password policy", + "Description": f"Snowflake account {snowflakeAccountId} has at least one password policy configured.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for user management and password policies in Snowflake refer to the User management section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/admin-user-management" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": 
snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-password-policy-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.9] Snowflake Accounts should configure a password policy", + "Description": f"Snowflake account {snowflakeAccountId} does not have a password policy configured. 
A password policy specifies the requirements that must be met to create and reset a password to authenticate to Snowflake. Beyond a strong password policy, Snowflake also supports multi-factor authentication (MFA) for additional security. A password policy should be configured to enforce strong password requirements, such as minimum length, complexity, and expiration. For more information on password policies in Snowflake refer to the User management section of the Snowflake Documentation Portal.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for user management and password policies in Snowflake refer to the User management section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/admin-user-management" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.account") +def snowflake_account_password_length_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.10] Snowflake password policies should enforce a minimum password length of at least 14 characters""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + for policy in get_snowflake_password_policy(cache, snowflakeCursor): + # B64 encode all of the details for the Asset + assetJson = json.dumps(policy,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + pwPolicyName = policy.get("NAME") + + # Evaluate min length only from "PASSWORD_MIN_LENGTH" key to set policy passing + pwPolicyPasses = False + if policy.get("PASSWORD_MIN_LENGTH") >= 14: + pwPolicyPasses = True + + # this is a passing check + if pwPolicyPasses is True: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{pwPolicyName}/snowflake-account-password-length-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.10] Snowflake password policies should enforce a minimum password length of at least 14 
characters", + "Description": f"Snowflake password policy {pwPolicyName} requires at least 14 characters for the minimum password length.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for user management and password policies in Snowflake refer to the User management section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/admin-user-management" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Password Policy", + "AssetComponent": "Policy" + }, + "Resources": [ + { + "Type": "SnowflakePasswordPolicy", + "Id": pwPolicyName, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.5" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/{pwPolicyName}/snowflake-account-password-length-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Account.10] Snowflake password policies should enforce a minimum password length of at least 14 characters", + "Description": f"Snowflake password policy {pwPolicyName} does not require at least 14 characters for the minimum password length. Snowflake supports setting a password policy for your Snowflake account and for individual users. Only one password policy can be set at any given time for your Snowflake account or a user. If a password policy exists for the Snowflake account and another password policy is set for a user in the same Snowflake account, the user-level password policy takes precedence over the account-level password policy. While Snowflake recommends configuring SSO authentication for users and ensuring that SSO users do not have a password set, there may be exceptions when users still need to log in with a password (e.g., setting up a break-glass user with password login to recover from SSO outages). 
For those few users that still need to have a password, setting a password policy can help ensure that, throughout subsequent password changes, the passwords used remain complex and therefore harder to guess or brute-force. For more information refer to the remediation section.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for user management and password policies in Snowflake refer to the User management section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/admin-user-management" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Password Policy", + "AssetComponent": "Policy" + }, + "Resources": [ + { + "Type": "SnowflakePasswordPolicy", + "Id": pwPolicyName, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-1", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 IA-1", + "NIST SP 800-53 Rev. 4 IA-2", + "NIST SP 800-53 Rev. 4 IA-3", + "NIST SP 800-53 Rev. 4 IA-4", + "NIST SP 800-53 Rev. 4 IA-5", + "NIST SP 800-53 Rev. 4 IA-6", + "NIST SP 800-53 Rev. 4 IA-7", + "NIST SP 800-53 Rev. 4 IA-8", + "NIST SP 800-53 Rev. 4 IA-9", + "NIST SP 800-53 Rev. 4 IA-10", + "NIST SP 800-53 Rev. 
4 IA-11", + "AICPA TSC CC6.1", + "AICPA TSC CC6.2", + "ISO 27001:2013 A.9.2.1", + "ISO 27001:2013 A.9.2.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.2.4", + "ISO 27001:2013 A.9.2.6", + "ISO 27001:2013 A.9.3.1", + "ISO 27001:2013 A.9.4.2", + "ISO 27001:2013 A.9.4.3", + "CIS Snowflake Foundations Benchmark V1.0.0 1.5" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + # EOF \ No newline at end of file From b2dcc56ac0555486eb99142a374809d433ffcd68 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sun, 1 Sep 2024 13:07:09 -0400 Subject: [PATCH 37/55] add final checks to snowflake acct auditor --- .../snowflake/Snowflake_Account_Auditor.py | 309 ++++++++++++++++++ 1 file changed, 309 insertions(+) diff --git a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py index 85f9ab3d..0ce7cee6 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py 
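Review bot: `policy.get("PASSWORD_MIN_LENGTH") >= 14` in snowflake_account_password_length_check raises TypeError when the key is missing, None, or a string. Because the comparison runs inside the generator loop, one such policy stops findings for every remaining policy. What get_snowflake_password_policy returns is not visible in this hunk, so normalise first, e.g. `minLength = int(policy.get("PASSWORD_MIN_LENGTH") or 0)` followed by `pwPolicyPasses = minLength >= 14`. Separately, the failing branch of snowflake_account_password_policy_check (Snowflake.Account.9) pairs `"Status": "FAILED"` with `"Severity": {"Label": "INFORMATIONAL"}`, while the failing branch of the length check uses LOW. An account with no password policy would then drop out of any severity-based triage, so `"Severity": {"Label": "LOW"}` or higher looks intended there.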
@@ -1723,4 +1723,313 @@ def snowflake_account_password_length_check( } yield finding +@registry.register_check("snowflake.account") +def snowflake_monitor_session_keep_alive_commands_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.11] Snowflake Accounts should be monitored for users extending their sessions""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + query = """ + SELECT DISTINCT session_id FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY + WHERE query_type = 'ALTER_SESSION' + AND query_text ilike '%CLIENT_SESSION_KEEP_ALIVE%TRUE%' + AND query_text not ilike '%CLIENT_SESSION_KEEP_ALIVE_HEARTBEAT_FREQUENCY%' + """ + + # execute the CIS query, works pretty well actually...this SHOULDN'T return anything for it to pass + q = snowflakeCursor.execute(query).fetchall() + + # B64 encode all of the details for the Asset + assetJson = json.dumps(q,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if not q: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-session-timeout-keep-alive-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.11] Snowflake Accounts should be monitored for users extending their sessions", + "Description": f"Snowflake account {snowflakeAccountId} does not have any users extending their sessions.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices on 
sessions in Snowflake refer to the Snowflake Sessions & Session Policies section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/session-policies#considerations" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 ID.BE-5", + "NIST CSF V1.1 PR.DS-4", + "NIST CSF V1.1 PR.PT-5", + "NIST SP 800-53 Rev. 4 AU-4", + "NIST SP 800-53 Rev. 4 CP-2", + "NIST SP 800-53 Rev. 4 CP-7", + "NIST SP 800-53 Rev. 4 CP-8", + "NIST SP 800-53 Rev. 4 CP-11", + "NIST SP 800-53 Rev. 4 CP-13", + "NIST SP 800-53 Rev. 4 PL-8", + "NIST SP 800-53 Rev. 4 SA-14", + "NIST SP 800-53 Rev. 4 SC-5", + "NIST SP 800-53 Rev. 
4 SC-6", + "AICPA TSC CC3.1", + "AICPA TSC A1.1", + "AICPA TSC A1.2", + "ISO 27001:2013 A.11.1.4", + "ISO 27001:2013 A.12.3.1", + "ISO 27001:2013 A.17.1.1", + "ISO 27001:2013 A.17.1.2", + "ISO 27001:2013 A.17.2.1" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-session-timeout-keep-alive-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Account.11] Snowflake Accounts should be monitored for users extending their sessions", + "Description": f"Snowflake account {snowflakeAccountId} has at least one user extending their session. If a client supports the CLIENT_SESSION_KEEP_ALIVE option and the option is set to TRUE, the client preserves the Snowflake session indefinitely as long as the connection to Snowflake is active. Otherwise, if the option is set to FALSE, the session ends after 4 hours. When possible, avoid using this option since it can result in many open sessions and place a greater demand on resources which can lead to a performance degradation. In rarer cases, this can become a security risk if a session is hijacked due to a further downstream vulnerability. 
For more information refer to the remediation section.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices on sessions in Snowflake refer to the Snowflake Sessions & Session Policies section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/session-policies#considerations" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "RESOLVED", + "RelatedRequirements": [ + "NIST CSF V1.1 ID.BE-5", + "NIST CSF V1.1 PR.DS-4", + "NIST CSF V1.1 PR.PT-5", + "NIST SP 800-53 Rev. 4 AU-4", + "NIST SP 800-53 Rev. 4 CP-2", + "NIST SP 800-53 Rev. 4 CP-7", + "NIST SP 800-53 Rev. 4 CP-8", + "NIST SP 800-53 Rev. 4 CP-11", + "NIST SP 800-53 Rev. 4 CP-13", + "NIST SP 800-53 Rev. 4 PL-8", + "NIST SP 800-53 Rev. 4 SA-14", + "NIST SP 800-53 Rev. 4 SC-5", + "NIST SP 800-53 Rev. 
4 SC-6", + "AICPA TSC CC3.1", + "AICPA TSC A1.1", + "AICPA TSC A1.2", + "ISO 27001:2013 A.11.1.4", + "ISO 27001:2013 A.12.3.1", + "ISO 27001:2013 A.17.1.1", + "ISO 27001:2013 A.17.1.2", + "ISO 27001:2013 A.17.2.1" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + +@registry.register_check("snowflake.account") +def snowflake_monitor_session_keep_alive_commands_check( + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor +) -> dict: + """[Snowflake.Account.12] Snowflake Accounts should have a network policy enabled""" + # ISO Time + iso8601Time = datetime.now(UTC).replace(tzinfo=timezone.utc).isoformat() + + query = "SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.NETWORK_POLICIES" + + # if this is empty it is a failing check + q = snowflakeCursor.execute(query).fetchall() + + # B64 encode all of the details for the Asset + assetJson = json.dumps(q,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + # this is a passing check + if not q: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-network-policy-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Snowflake.Account.12] Snowflake Accounts should have a network policy enabled", + "Description": f"Snowflake account {snowflakeAccountId} has at least one network policy. 
This check does not evaluate the actual contents of the network policy, only that one exists.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for network security and creating Network Policies in Snowflake refer to the Controlling network traffic with network policies section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/network-policies" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-3", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-17", + "NIST SP 800-53 Rev. 4 AC-19", + "NIST SP 800-53 Rev. 4 AC-20", + "NIST SP 800-53 Rev. 
4 SC-15", + "AICPA TSC CC6.6", + "ISO 27001:2013 A.6.2.1", + "ISO 27001:2013 A.6.2.2", + "ISO 27001:2013 A.11.2.6", + "ISO 27001:2013 A.13.1.1", + "ISO 27001:2013 A.13.2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 3.1" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{snowflakeAccountId}/snowflake-account-network-policy-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": snowflakeAccountId, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Snowflake.Account.12] Snowflake Accounts should have a network policy enabled", + "Description": f"Snowflake account {snowflakeAccountId} does not have a network policy. This check does not evaluate the actual contents of the network policy, only that one exists. Snowflake network policies are used to control network traffic to and from your Snowflake account. Network policies are defined using a set of rules that specify the conditions under which network traffic is allowed or denied. 
For more information refer to the remediation section.", + "Remediation": { + "Recommendation": { + "Text": "For information on best practices for network security and creating Network Policies in Snowflake refer to the Controlling network traffic with network policies section of the Snowflake Documentation Portal.", + "Url": "https://docs.snowflake.com/en/user-guide/network-policies" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "Snowflake", + "ProviderType": "SaaS", + "ProviderAccountId": snowflakeAccountId, + "AssetRegion": snowflakeRegion, + "AssetDetails": assetB64, + "AssetClass": "Management & Governance", + "AssetService": "Snowflake Account", + "AssetComponent": "Account" + }, + "Resources": [ + { + "Type": "SnowflakeAccount", + "Id": snowflakeAccountId, + "Partition": awsPartition, + "Region": awsRegion + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-3", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-17", + "NIST SP 800-53 Rev. 4 AC-19", + "NIST SP 800-53 Rev. 4 AC-20", + "NIST SP 800-53 Rev. 4 SC-15", + "AICPA TSC CC6.6", + "ISO 27001:2013 A.6.2.1", + "ISO 27001:2013 A.6.2.2", + "ISO 27001:2013 A.11.2.6", + "ISO 27001:2013 A.13.1.1", + "ISO 27001:2013 A.13.2.1", + "CIS Snowflake Foundations Benchmark V1.0.0 3.1" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + # EOF \ No newline at end of file From 59b6427df1c214cc19381ed1f7d5c701e75de044 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sun, 1 Sep 2024 13:31:05 -0400 Subject: [PATCH 38/55] typing changes, doc start --- docs/setup/Setup_OCI.md | 2 +- docs/setup/Setup_Snowflake.md | 124 +++++++++++++++++++++++++++++++++- eeauditor/cloud_utils.py | 16 ++--- eeauditor/eeauditor.py | 1 - 4 files changed, 132 insertions(+), 11 deletions(-) diff --git a/docs/setup/Setup_OCI.md b/docs/setup/Setup_OCI.md index 2c7f688d..b091f491 100644 
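Review bot: The network-policy check (Snowflake.Account.12) has its condition inverted: the comment above the query says an empty result is a failing check, yet `if not q:` leads into the PASSED/ARCHIVED finding, so an account with no network policy is reported as compliant; it should read `if q:`. That function also reuses the name `snowflake_monitor_session_keep_alive_commands_check` from the Account.11 check added just above it. This rebinds the module-level name and, depending on how `registry.register_check` keys its entries (not visible here), may drop one of the two checks; a distinct name such as `snowflake_account_network_policy_check` avoids that. In the failing branch of the Account.11 check, `"Compliance": {"Status": "RESOLVED"` is not an ASFF compliance status (PASSED, WARNING, FAILED, NOT_AVAILABLE) and should be `"Status": "FAILED"`, otherwise the severity/compliance normalisation downstream may not recognise the finding as failed.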
--- a/docs/setup/Setup_OCI.md +++ b/docs/setup/Setup_OCI.md @@ -256,7 +256,7 @@ python3 eeauditor/controller.py -t AWS -a ElectricEye_AttackSurface_OCI_Auditor ## Oracle Cloud Infrastructure Checks & Services -These are the following services and checks perform by each Auditor, there are currently **221 Checks** across **18 Auditors** that support the secure configuration of **25 services/components** +These are the following services and checks performed by each Auditor, there are currently **221 Checks** across **18 Auditors** that support the secure configuration of **25 services/components** | Auditor File Name | Scanned Resource Name | Auditor Scan Description | |---|---|---| diff --git a/docs/setup/Setup_Snowflake.md b/docs/setup/Setup_Snowflake.md index 8aec0e8b..c289f828 100644 --- a/docs/setup/Setup_Snowflake.md +++ b/docs/setup/Setup_Snowflake.md 
@@ -2,4 +2,126 @@ This documentation is dedicated to using ElectricEye for evaluation of Snowflake enterprise data warehouses using SSPM capabilities. -*Coming Soon!* \ No newline at end of file +## Table of Contents + +## Setting up Snowflake Permissions + +Snowflake's principal identity construct is a User - these can represent regular Users, those created using Single Sign-On (SSO) and SCIM, and can also represent 'service accounts' meant for machine-to-machine connectivity. + +ElectricEye supports both Password-based and X509-based authentication - either using a password for a 'service account' or a RSA private key and passphrase - the former is much easier, the latter does require saving the certificate to a local file (it will be generated). You can decided to use whichever option you want in the TOML configuration file. + +The steps are largely the same for both. + +1. In your Snowflake Account, navigate to ... create user + +2. Assign a Password, Admin accounts should use Emails so consider that if you'll simply give this use ACCOUNTADMIN... + +3. To create an RSA Private Key for you + +## Configuring TOML + +This section explains how to configure ElectricEye using a TOML configuration file. The configuration file contains settings for credentials, regions, accounts, and global settings and is located [here](../../eeauditor/external_providers.toml). + +To configure the TOML file, you need to modify the values of the variables in the `[global]`, `[regions_and_accounts.oci]`, and `[credentials.oci]` sections of the file. Here's an overview of the key variables you need to configure: + +- `credentials_location`: Set this variable to specify the location of where credentials are stored and will be retrieved from. You can choose from AWS Systems Manager Parameter Store (`AWS_SSM`), AWS Secrets Manager (`AWS_SECRETS_MANAGER`), or from the TOML file itself (`CONFIG_FILE`) which is **NOT** recommended. 
+ +**NOTE** When retrieving from SSM or Secrets Manager, your current Profile / Boto3 Session is used and *NOT* the ElectricEye Role that is specified in `aws_electric_eye_iam_role_name`. Ensure you have `ssm:GetParameter`, `secretsmanager:GetSecretValue`, and relevant `kms` permissions as needed to retrieve your stored secrets. + +- `snowflake_username`: Username for your Snowflake Account, this should be a user with the ability to read all tables and views in the default schemas. + +- `snowflake_password_value`: The location (or actual contents) of the Password for the User specified in `snowflake_account_id` this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter. + +- `snowflake_account_id`: The Account ID for your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., VULEDAR-MR69420. + +- `snowflake_warehouse_name`: The name of the warehouse you use for querying data in Snowflake, this should be a warehouse that has the ability to run queries + +- `snowflake_region`: The Region of your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., us-east-1 + +> It's important to note that this setting is a sensitive credential, and as such, its value should be stored in a secure manner that matches the location specified in the `[global]` section's `credentials_location` setting. For example, if `credentials_location` is set to `"AWS_SSM"`, then the Snowflake_service_account_json_payload_value should be the name of an AWS Systems Manager Parameter Store SecureString parameter that contains the contents of the Snowflake service account key JSON file. + +## Use ElectricEye for Snowflake + +1. With >=Python 3.9 installed, install and upgrade `pip3` and setup `virtualenv`. 
+ +```bash +sudo apt install -y python3-pip +pip3 install --upgrade pip +pip3 install virtualenv --user +virtualenv .venv +``` + +2. This will create a virtualenv directory called `.venv` which needs to be activated. + +```bash +#For macOS and Linux +. .venv/bin/activate + +#For Windows +.venv\scripts\activate +``` + +3. Clone the repo and install all dependencies. + +```bash +git clone https://github.com/jonrau1/ElectricEye.git +cd ElectricEye +pip3 install -r requirements.txt + +# if using AWS CloudShell +pip3 install --user -r requirements.txt +``` + +4. Use the Controller to conduct different kinds of Assessments. + + - 3A. Retrieve all options for the Controller. + + ```bash + python3 eeauditor/controller.py --help + ``` + + - 3B. Evaluate your entire Snowflake Account. + + ```bash + python3 eeauditor/controller.py -t Snowflake + ``` + + - 3C. Evaluate your Snowflake environment against a specifc Auditor (runs all Checks within the Auditor). + + ```bash + python3 eeauditor/controller.py -t Snowflake -a Snowflake_Account_Auditor + ``` + + - 3D. Evaluate your Snowflake environment against a specific Check within any Auditor, it is ***not required*** to specify the Auditor name as well. The below examples runs the "[Snowflake.Account.9] Snowflake Accounts should configure a password policy" check. 
+ + ```bash + python3 eeauditor/controller.py -t Snowflake -c snowflake_account_password_policy_check + ``` + +## Snowflake Checks & Services + +These are the following services and checks performed by each Auditor, there are currently **21 Checks** across **2 Auditors** that support the secure configuration of **3 services/components** + +| Auditor File Name | Scanned Resource Name | Auditor Scan Description | +|---|---|---| +| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Users_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake password policy | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | +| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | \ No newline at end of file 
diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index a75b3394..1bd9535c 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py @@ -43,7 +43,7 @@ class CloudConfig(object): for use in EEAuditor when running ElectricEye Auditors and Check """ - def __init__(self, assessmentTarget, tomlPath): + def __init__(self, assessmentTarget: str, tomlPath: str | None): if tomlPath is None: here = path.abspath(path.dirname(__file__)) tomlFile = f"{here}/external_providers.toml" @@ -120,7 +120,7 @@ def __init__(self, assessmentTarget, tomlPath): # GCP if assessmentTarget == "GCP": # Process ["gcp_project_ids"] - gcpProjects = data["regions_and_accounts"]["gcp"]["gcp_project_ids"] + gcpProjects = list(data["regions_and_accounts"]["gcp"]["gcp_project_ids"]) if not gcpProjects: logger.error("No GCP Projects were provided in [regions_and_accounts.gcp.gcp_project_ids].") sys.exit(2) @@ -148,10 +148,10 @@ def __init__(self, assessmentTarget, tomlPath): ociValues = data["regions_and_accounts"]["oci"] # Retrieve the OCIDs for Tenancy & User and the Region ID along with a list of Compartment OCIDs - ociTenancyId = ociValues["oci_tenancy_ocid"] - ociUserId = ociValues["oci_user_ocid"] - ociRegionName = ociValues["oci_region_name"] - ociCompartments = ociValues["oci_compartment_ocids"] + ociTenancyId = str(ociValues["oci_tenancy_ocid"]) + ociUserId = str(ociValues["oci_user_ocid"]) + ociRegionName = str(ociValues["oci_region_name"]) + ociCompartments = list(ociValues["oci_compartment_ocids"]) # Process the [credentials.oci] ociUserApiKeyFingerprint = data["credentials"]["oci"]["oci_user_api_key_fingerprint_value"] ociUserApiKeyPemValue = data["credentials"]["oci"]["oci_user_api_key_private_key_pem_contents_value"] 
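Review bot: The new annotation `tomlPath: str | None` on `CloudConfig.__init__` is evaluated when the function is defined, and the `|` union on builtin types needs Python 3.10, while the Snowflake setup doc added in this same patch still tells users ">=Python 3.9". On 3.9 importing cloud_utils.py would raise `TypeError`, unless the module already has `from __future__ import annotations`; its import block is outside the hunk, so that is unconfirmed. Either write the signature as `def __init__(self, assessmentTarget: str, tomlPath: Optional[str]):` with `Optional` imported from `typing`, or raise the documented minimum version to 3.10. The body of `__init__` continues outside the hunk.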
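Review bot: Wrapping the TOML value in `list(...)` for `gcp_project_ids` coerces the input instead of validating it. If the config holds a single string rather than an array, the result is one entry per character, the `if not gcpProjects` guard still passes, and the mistake would presumably only surface later as lookups against one-letter project IDs. The same applies to `list(ociValues["oci_compartment_ocids"])` in the OCI hunk that follows, and the `str(...)` wrappers there turn any non-string value into text rather than rejecting it. A type check before use fails fast on a malformed config, e.g. `if not isinstance(gcpProjects, list) or not all(isinstance(p, str) for p in gcpProjects):` followed by the existing `logger.error(...)` and `sys.exit(2)`. The enclosing `__init__` starts and ends outside these hunks.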
@@ -532,7 +532,7 @@ def __init__(self, assessmentTarget, tomlPath): ) # Retrieve cursor and connector - snowflakeCursorConn = self.connectToSnowflake() + snowflakeCursorConn = self.create_snowflake_cursor() self.snowflakeConnection = snowflakeCursorConn[0] self.snowflakeCursor = snowflakeCursorConn[1] @@ -824,7 +824,7 @@ def retrieve_azure_subscriptions_for_service_principal(self, azureCredentials: C return azureSubscriptionIds - def connectToSnowflake(self) -> tuple[snowconn.connection.SnowflakeConnection, snowconn.cursor.SnowflakeCursor]: + def create_snowflake_cursor(self) -> tuple[snowconn.connection.SnowflakeConnection, snowconn.cursor.SnowflakeCursor]: """ Returns a Snowflake cursor object for a given warehouse """ diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index 59800750..5d14cb6f 100644 --- a/eeauditor/eeauditor.py +++ b/eeauditor/eeauditor.py @@ -22,7 +22,6 @@ from os import path from functools import partial from inspect import getfile -import sys from time import sleep from traceback import format_exc import json From 2730058808a32d6ce5820052e982d514e4696d56 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sun, 1 Sep 2024 13:44:05 -0400 Subject: [PATCH 39/55] doc updates, retire Firemon output --- README.md | 46 ++-- docs/outputs/OUTPUTS.md | 213 +----------------- docs/setup/Setup_Snowflake.md | 49 ++-- .../snowflake/Snowflake_Account_Auditor.py | 2 +- 4 files changed, 64 insertions(+), 246 deletions(-) diff --git a/README.md b/README.md index 8c5530aa..28efd60c 100644 --- a/README.md +++ b/README.md 
@@ -74,30 +74,30 @@ python3 eeauditor/controller.py --help Usage: controller.py [OPTIONS] Options: - -t, --target-provider [AWS|Azure|OCI|GCP|Servicenow|M365|Salesforce] - CSP or SaaS Vendor Assessment Target, ensure - that any -a or -c arg maps to your target - provider e.g., -t AWS -a - Amazon_APGIW_Auditor - -a, --auditor-name TEXT Specify which Auditor you want to run by - using its name NOT INCLUDING .py. Defaults + -t, --target-provider [AWS|Azure|OCI|GCP|Servicenow|M365|Salesforce|Snowflake] + Public cloud or SaaS assessment target, + ensure that any -a or -c arg maps to your + target provider to avoid any errors. e.g., + -t AWS -a Amazon_APGIW_Auditor + -a, --auditor-name TEXT Specify which Auditor you want to run by + using its name NOT INCLUDING .py. Defaults to ALL Auditors - -c, --check-name TEXT A specific Check in a specific Auditor you + -c, --check-name TEXT A specific Check in a specific Auditor you want to run, this correlates to the function name. Defaults to ALL Checks - -d, --delay INTEGER Time in seconds to sleep between Auditors + -d, --delay INTEGER Time in seconds to sleep between Auditors being ran, defaults to 0 - -o, --outputs TEXT A list of Outputs (files, APIs, databases, - ChatOps) to send ElectricEye Findings, - specify multiple with additional arguments: - -o csv -o postgresql -o slack [default: - stdout] - --output-file TEXT For file outputs such as JSON and CSV, the - name of the file, DO NOT SPECIFY .file_type + -o, --outputs TEXT A list of Outputs (files, APIs, databases, + ChatOps) to send ElectricEye Findings, + specify multiple with additional arguments: + -o csv -o postgresql -o slack [default: + ocsf_stdout] + --output-file TEXT For file outputs such as JSON and CSV, the + name of the file, DO NOT SPECIFY .file_type [default: output] --list-options Lists all valid Output options - --list-checks Prints a table of Auditors, Checks, and - Check descriptions to stdout - use this for + --list-checks Prints a table of Auditors, 
Checks, and + Check descriptions to stdout - use this for -a or -c args --create-insights Create AWS Security Hub Insights for ElectricEye. This only needs to be done once @@ -135,11 +135,11 @@ The following Cloud Service Providers are on the Roadmap - [For ServiceNow](./docs/setup/Setup_ServiceNow.md) - [For Microsoft M365](./docs/setup/Setup_M365.md) - [For Salesforce](./docs/setup/Setup_Salesforce.md) +- [For Snowflake](./docs/setup/Setup_Snowflake.md) The following SaaS Providers are on the Roadmap - [For Google Workspaces (*Coming Soon*)](./docs/setup/Setup_Google_Workspaces.md) -- [For Snowflake (*Coming Soon*)](./docs/setup/Setup_Snowflake.md) ## Cloud Asset Management (CAM) @@ -150,10 +150,10 @@ For more information on ElectricEye's CAM concept of operations and schema, refe In total there are: - **4** Supported Public CSPs: `AWS`, `GCP`, `OCI`, and `Azure` -- **3** Supported SaaS Providers: `ServiceNow`, `M365`, and `Salesforce` -- **1172** ElectricEye Checks -- **174** Supported CSP & SaaS Asset Components across all Services -- **131** ElectricEye Auditors +- **4** Supported SaaS Providers: `ServiceNow`, `M365`, `Salesforce`, and `Snowflake` +- **1193** ElectricEye Checks +- **177** Supported CSP & SaaS Asset Components across all Services +- **133** ElectricEye Auditors The tables of supported Services and Checks have been migrated to the respective per-Provider setup documentation linked above in [Configuring ElectricEye](#configuring-electriceye). diff --git a/docs/outputs/OUTPUTS.md b/docs/outputs/OUTPUTS.md index 0b0a8635..7d5145f3 100644 --- a/docs/outputs/OUTPUTS.md +++ b/docs/outputs/OUTPUTS.md 
@@ -13,13 +13,13 @@ This documentation is all about Outputs supported by ElectricEye and how to conf - [Normalized JSON Output](#json-normalized-output) - [Cloud Asset Management JSON Output](#json-cloud-asset-management-cam-output) - [Open Cyber Security Format (OCSF) V1.1.0 Output](#open-cyber-security-format-ocsf-v110-output) +- [Open Cyber Security Format (OCSF) V1.4.0 Output](#open-cyber-security-format-ocsf-v140-output) - [CSV Output](#csv-output) - [AWS Security Hub Output](#aws-security-hub-output) - [MongoDB & AWS DocumentDB Output](#mongodb--aws-documentdb-output) - [Cloud Asset Management MongoDB & AWS DocumentDB Output](#mongodb--aws-documentdb-cloud-asset-management-cam-output) - [PostgreSQL Output](#postgresql-output) - [Cloud Asset Management PostgreSQL Output](#postgresql-cloud-asset-management-cam-output) -- [Firemon Cloud Defense (DisruptOps) Output](#firemon-cloud-defense-disruptops-output) - [Amazon Simple Queue Service (SQS) Output](#amazon-simple-queue-service-sqs-output) - [Slack Output](#slack-output) - [Open Cybersecurity Format (OCSF) -> Amazon Kinesis Data Firehose](#open-cybersecurity-format-ocsf---amazon-kinesis-data-firehose) 
@@ -34,7 +34,7 @@ To review the list of possible Output providers, use the following ElectricEye c ```bash $ python3 eeauditor/controller.py --list-options -['amazon_sqs', 'cam_json', 'cam_mongodb', 'cam_postgresql', 'csv', 'firemon_cloud_defense', 'html', 'html_compliance', 'json', 'json_normalized', 'mongodb', 'ocsf_kdf', 'ocsf_stdout', 'ocsf_v1_1_0', 'postgresql', 'sechub', 'slack', 'stdout'] +['amazon_sqs', 'cam_json', 'cam_mongodb', 'cam_postgresql', 'csv', 'html', 'html_compliance', 'json', 'json_normalized', 'mongodb', 'ocsf_kdf', 'ocsf_stdout', 'ocsf_v1_1_0', 'ocsf_v1_4_0', 'postgresql', 'sechub', 'slack', 'stdout'] ``` #### IMPORTANT NOTE!! You can specify multiple Outputs by providing the `-o` or `--outputs` argument multiple times, for instance: `python3 eeauditor/controller.py -t AWS -o json -o csv -o postgresql` 
@@ -104,193 +104,12 @@ For example, if you just want to have a "pretty-printed" JSON output you could u $ python3 eeauditor/controller.py -t AWS -c ebs_volume_encryption_check -o ocsf_stdout | grep 'SchemaVersion' | jq . -r ``` -The OCSF V1.1.0 Output selection will convert all ElectricEye findings into the OCSF format (in JSON) which is a normalized and standardized security-centric data model, well-suited to ingestion in Data Lakes and Data Lake Houses built upon Amazon Security Lake, AWS Glue Data Catalog, Snowflake, Apache Iceberg, Google BigQuery, and more. The Event Class used for this finding is [`compliance_finding [2003]`](https://schema.ocsf.io/1.1.0/classes/compliance_finding?extensions=) +The OCSF V1.4.0 Output selection will convert all ElectricEye findings into the OCSF format (in JSON) which is a normalized and standardized security-centric data model, well-suited to ingestion in Data Lakes and Data Lake Houses built upon Amazon Security Lake, AWS Glue Data Catalog, Snowflake, Apache Iceberg, Google BigQuery, and more. The Event Class used for this finding is [`compliance_finding [2003]`](https://schema.ocsf.io/1.4.0/classes/compliance_finding?extensions=) This Output will provide the `ProductFields.AssetDetails` information. To use this Output include the following arguments in your ElectricEye CLI: `python3 eeauditor/controller.py {..args..} -o ocsf_stdout` you can also choose to *not* specify `-o` at all as it is the default Output. 
-### OCSF `stdout` Output - -```json -{ - "activity_id": 1, - "activity_name": "Create", - "category_name": "Findings", - "category_uid": 2, - "class_name": "Compliance Finding", - "class_uid": 2003, - "confidence_score": 99, - "severity": "Medium", - "severity_id": 99, - "status": "New", - "status_id": 1, - "time": 1709090374, - "type_name": "Compliance Finding: Create", - "type_uid": 200301, - "metadata": { - "uid": "/subscriptions/0000aaa-1234-bbb-dddd-example123/providers/Microsoft.Security/pricings/Databases/azure-defender-for-cloud-databases-plan-enabled-check", - "correlation_uid": "/subscriptions/0000aaa-1234-bbb-dddd-example123/providers/Microsoft.Security/pricings/Databases/azure-defender-for-cloud-databases-plan-enabled-check", - "version": "1.1.0", - "product": { - "name": "ElectricEye", - "version": "3.0", - "url_string": "https://github.com/jonrau1/ElectricEye", - "vendor_name": "ElectricEye" - }, - "profiles": [ - "cloud" - ] - }, - "cloud": { - "provider": "Azure", - "region": "azure-global", - "account": { - "uid": "0000aaa-1234-bbb-dddd-example123", - "type": "Azure", - "type_uid": 99 - } - }, - "observables": [ - { - "name": "cloud.account.uid", - "type": "Resource UID", - "type_id": 10, - "value": "0000aaa-1234-bbb-dddd-example123" - }, - { - "name": "resource.uid", - "type": "Resource UID", - "type_id": 10, - "value": "/subscriptions/0000aaa-1234-bbb-dddd-example123/providers/Microsoft.Security/pricings/Databases" - } - ], - "compliance": { - "requirements": [ - "AICPA TSC CC7.2", - "CIS Critical Security Controls V8 8.11", - "CIS Microsoft Azure Foundations Benchmark V2.0.0 2.1.3", - "CMMC 2.0 AU.L2-3.3.5", - "CSA Cloud Controls Matrix V4.0 LOG-05", - "CSA Cloud Controls Matrix V4.0 LOG-13", - "Equifax SCF V1.0 CM-CS-14", - "FBI CJIS Security Policy V5.9 5.3.2.1", - "FBI CJIS Security Policy V5.9 5.3.2.2", - "FBI CJIS Security Policy V5.9 5.3.4", - "FBI CJIS Security Policy V5.9 5.4.1", - "FBI CJIS Security Policy V5.9 5.4.3", - "HIPAA 
Security Rule 45 CFR Part 164 Subpart C 164.308(a)(1)(ii)(D)", - "HIPAA Security Rule 45 CFR Part 164 Subpart C 164.312(b)", - "ISO 27001:2013 A.12.4.1", - "ISO 27001:2013 A.16.1.1", - "ISO 27001:2013 A.16.1.4", - "ISO 27001:2022 A5.25", - "MITRE ATT&CK T1210", - "NERC Critical Infrastructure Protection CIP-007-6, Requirement R4 Part 4.4", - "NIST CSF V1.1 DE.AE-2", - "NIST SP 800-171 Rev. 2 3.3.3", - "NIST SP 800-171 Rev. 2 3.3.5", - "NIST SP 800-53 Rev. 4 AU-6", - "NIST SP 800-53 Rev. 4 CA-7", - "NIST SP 800-53 Rev. 4 IR-4", - "NIST SP 800-53 Rev. 4 SI-4", - "NIST SP 800-53 Rev. 5 AU-6", - "NIST SP 800-53 Rev. 5 AU-6(1)", - "NZISM V3.5 16.6.14. Event log auditing (CID:2034)", - "PCI-DSS V4.0 10.4.1", - "PCI-DSS V4.0 10.4.1.1", - "PCI-DSS V4.0 10.4.2", - "PCI-DSS V4.0 10.4.3", - "UK NCSC Cyber Assessment Framework V3.1 C1.c" - ], - "control": "Azure.DefenderForCloud.3", - "standards": [ - "AICPA TSC", - "CIS Critical Security Controls V8", - "CMMC 2.0", - "CSA Cloud Controls Matrix V4.0", - "Equifax SCF V1.0", - "FBI CJIS Security Policy V5.9", - "HIPAA Security Rule 45 CFR Part 164 Subpart C", - "ISO 27001:2013", - "ISO 27001:2022", - "MITRE ATT&CK", - "NERC Critical Infrastructure Protection", - "NIST CSF V1.1", - "NIST SP 800-171 Rev. 2", - "NIST SP 800-53 Rev. 4", - "NIST SP 800-53 Rev. 5", - "NZISM V3.5", - "PCI-DSS V4.0", - "UK NCSC Cyber Assessment Framework V3.1" - ], - "status": "Fail", - "status_id": 3 - }, - "finding_info": { - "created_time": 1709090374, - "desc": "Microsoft Defender for Databases plan is not enabled in Subscription 0000aaa-1234-bbb-dddd-example123 because at least one of the four plans is on free tier. Defender for Databases in Microsoft Defender for Cloud allows you to protect your entire database estate with attack detection and threat response for the most popular database types in Azure. 
Defender for Cloud provides protection for the database engines and for data types, according to their attack surface and security risks: Defender for Azure SQL, SQL Server Machines, Open Source Relational DBs, and Azure Cosmos DBs. Refer to the remediation instructions if this configuration is not intended.", - "first_seen_time": 1709090374, - "modified_time": 1709090374, - "product_uid": "arn:aws:securityhub:us-gov-east-1:123456789012:product/123456789012/default", - "title": "[Azure.DefenderForCloud.3] Microsoft Defender for Databases plan should be enabled on your subscription", - "types": [ - "Software and Configuration Checks" - ], - "uid": "/subscriptions/0000aaa-1234-bbb-dddd-example123/providers/Microsoft.Security/pricings/Databases/azure-defender-for-cloud-databases-plan-enabled-check" - }, - "remediation": { - "desc": "For more information on the Defender for Databases plan and deployments refer to the Protect your databases with Defender for Databases section of the Azure Security Microsoft Defender for Cloud documentation.", - "references": [ - "https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-databases-plan" - ] - }, - "resource": { - "data": [ - { - "id": "/subscriptions/0000aaa-1234-bbb-dddd-example123/providers/Microsoft.Security/pricings/SqlServers", - "name": "SqlServers", - "type": "Microsoft.Security/pricings", - "pricing_tier": "Free", - "free_trial_remaining_time": "P30D" - }, - { - "id": "/subscriptions/0000aaa-1234-bbb-dddd-example123/providers/Microsoft.Security/pricings/SqlServerVirtualMachines", - "name": "SqlServerVirtualMachines", - "type": "Microsoft.Security/pricings", - "pricing_tier": "Free", - "free_trial_remaining_time": "P30D" - }, - { - "id": "/subscriptions/0000aaa-1234-bbb-dddd-example123/providers/Microsoft.Security/pricings/OpenSourceRelationalDatabases", - "name": "OpenSourceRelationalDatabases", - "type": "Microsoft.Security/pricings", - "pricing_tier": "Free", - "free_trial_remaining_time": 
"P30D" - }, - { - "id": "/subscriptions/0000aaa-1234-bbb-dddd-example123/providers/Microsoft.Security/pricings/CosmosDbs", - "name": "CosmosDbs", - "type": "Microsoft.Security/pricings", - "pricing_tier": "Free", - "free_trial_remaining_time": "P30D" - } - ], - "cloud_partition": null, - "region": "azure-global", - "type": "Microsoft Defender for Cloud", - "uid": "/subscriptions/0000aaa-1234-bbb-dddd-example123/providers/Microsoft.Security/pricings/Databases" - }, - "unmapped": { - "provider_type": "CSP", - "asset_class": "Security Services", - "asset_component": "Microsoft Defender for Databases", - "workflow_status": "NEW", - "record_state": "ACTIVE" - } -} -``` - ## HTML Output The HTML Output selection writes a selective cross-section of ElectricEye findings to an HTML file for viewing in a browser and conversion to PDF and other reporting medium. An "executive report" format is created and forward text is dynamically generated to provide high-level statistics such as a failing percentage, passing and failing checks, number of unique resources, total resources, a breakdown of severity, and the amount of Accounts, Regions, `AssetService`, and `AssetComponents` scanned. 
@@ -883,6 +702,14 @@ To use this Output include the following arguments in your ElectricEye CLI: `pyt } ``` +## Open Cyber Security Format (OCSF) V1.4.0 Output + +The OCSF V1.4.0 Output selection will convert all ElectricEye findings into the OCSF format (in JSON) which is a normalized and standardized security-centric data model, well-suited to ingestion in Data Lakes and Data Lake Houses built upon Amazon Security Lake, AWS Glue Data Catalog, Snowflake, Apache Iceberg, Google BigQuery, and more. The Event Class used for this finding is [`compliance_finding [2003]`](https://schema.ocsf.io/1.4.0/classes/compliance_finding?extensions=) + +This Output will provide the `ProductFields.AssetDetails` information, it is mapped within `resources.[].data`. + +To use this Output include the following arguments in your ElectricEye CLI: `python3 eeauditor/controller.py {..args..} -o ocsf_v1_4_0` + ## MongoDB & AWS DocumentDB Output The MongoDB Output selection will write all ElectricEye findings to a MongoDB database or to an AWS DocumentDB Instance/Cluster along with the `ProductFields.AssetDetails` using `pymongo`. To facilitate mutable records being written to a Collection, ElectricEye will duplicate the ASFF `Id` (the finding's GUID) into the MongoDB `_id` field and write all records sequentially using the `update_one(upsert=True)` method within `pymongo`. This is written with a filter to replace the entire record where and existing `_id` is located. 
@@ -1217,22 +1044,6 @@ Note that the TOML configurations are exactly the same as the normal [PostgreSQL ) ``` -## Firemon Cloud Defense (DisruptOps) Output - -The Firemon Cloud Defense Output selection will all ElectricEye findings to a Cloud Defense (DisruptOps) endpoint using `requests`, the `AssetDetails` will be stripped off. A Pro license for Cloud Defense is required for API Access, best effort is made to respect throttling limitations and `4xx` HTTP Codes. ElectricEye will sleep on `429` and will raise an `Exception` on other `4xx` codes. - -This Output *will not* provide the `ProductFields.AssetDetails` information. - -To use this Output include the following arguments in your ElectricEye CLI: `python3 eeauditor/controller.py {..args..} -o postgresql` - -#### NOTE! This Output used to be `-o dops` which has been replaced fully with `-o firemon_cloud_defense` - -Additionally, values within the `[outputs.postgresql]` section of the TOML file *must be provided* for this integration to work. - -- **`firemon_cloud_defense_client_id_value`**: This variable should be set to the Client ID for your FireMon Cloud Defense tenant. This ID is used to authenticate with the FireMon Cloud Defense API. The location where these credentials are stored should match the value of the `global.credentials_location` variable, which specifies the location of the credentials for all integrations. - -- **`firemon_cloud_defense_api_key_value`**: This variable should be set to the API Key for your FireMon Cloud Defense tenant. This key is used to authenticate with the FireMon Cloud Defense API. The location where these credentials are stored should match the value of the `global.credentials_location` variable, which specifies the location of the credentials for all integrations. - ## Amazon Simple Queue Service (SQS) Output **IMPORTANT NOTE**: This requires `sqs:SendMessage` IAM permissions! 
@@ -1334,7 +1145,7 @@ An example of the "Findings" output. ![SlackFindings](../../screenshots/outputs/slack_findings_output.jpg) -## Open Cybersecurity Format (OCSF) -> Amazon Kinesis Data Firehose +## Open Cybersecurity Format (OCSF) -> Amazon Data Data Firehose **IMPORTANT NOTE**: This requires `firehose:PutRecordBatch` IAM permissions! diff --git a/docs/setup/Setup_Snowflake.md b/docs/setup/Setup_Snowflake.md index c289f828..2a56f380 100644 --- a/docs/setup/Setup_Snowflake.md +++ b/docs/setup/Setup_Snowflake.md @@ -4,6 +4,11 @@ This documentation is dedicated to using ElectricEye for evaluation of Snowflake ## Table of Contents +- [Setting up Snowflake Permissions](#setting-up-snowflake-permissions) +- [Configuring TOML](#configuring-toml) +- [Use ElectricEye for Snowflake](#use-electriceye-for-snowflake) +- [Snowflake Checks & Services](#snowflake-checks--services) + ## Setting up Snowflake Permissions Snowflake's principal identity construct is a User - these can represent regular Users, those created using Single Sign-On (SSO) and SCIM, and can also represent 'service accounts' meant for machine-to-machine connectivity. 
@@ -104,24 +109,26 @@ These are the following services and checks performed by each Auditor, there are | Auditor File Name | Scanned Resource Name | Auditor Scan Description | |---|---|---| -| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Users_Auditor | Snowflake user | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Users_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake password policy | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | -| Snowflake_Account_Auditor | Snowflake account | XXXXXXXXXXXXXXXXXXX | \ No newline at end of file +| Snowflake_Users_Auditor | Snowflake user | Password assigned users should use MFA | +| Snowflake_Users_Auditor | Snowflake user | Service account users (without a password) should have an RSA Private Key | +| Snowflake_Users_Auditor | Snowflake user | Snowflake users who have 
not logged in within 90 days should be disabled | +| Snowflake_Users_Auditor | Snowflake user | Snowflake admin users should have an email | +| Snowflake_Users_Auditor | Snowflake user | Snowflake users should not have built-in admin roles as their default role | +| Snowflake_Users_Auditor | Snowflake user | Snowflake password users should be monitored for logging in without MFA | +| Snowflake_Users_Auditor | Snowflake user | Snowflake admin users should rotate their passwords yearly | +| Snowflake_Users_Auditor | Snowflake user | Snowflake users allowed to bypass MFA should be reviewed | +| Snowflake_Users_Auditor | Snowflake account | Snowflake accounts should have at least 2, but less than 10, admins | +| Snowflake_Account_Auditor | Snowflake account | Snowflake accounts should be configured to use SSO | +| Snowflake_Account_Auditor | Snowflake account | Snowflake accounts should be configured to use SCIM | +| Snowflake_Account_Auditor | Snowflake account | Snowflake accounts should have 15 minute or less session timeouts set for admins | +| Snowflake_Account_Auditor | Snowflake account | Snowflake custom roles should not use built-in admin roles | +| Snowflake_Account_Auditor | Snowflake account | Snowflake tasks shouldn't be owned by admins | +| Snowflake_Account_Auditor | Snowflake account | Snowflake tasks shouldn't run with admin privileges | +| Snowflake_Account_Auditor | Snowflake account | Snowflake stored procedures shouldn't be owned by admins | +| Snowflake_Account_Auditor | Snowflake account | Snowflake stored procedures shouldn't run with admin privileges | +| Snowflake_Account_Auditor | Snowflake account | Snowflake accounts should have a password policy | +| Snowflake_Account_Auditor | Snowflake password policy | Snowflake password policies should require 14 character minimum length for passwords | +| Snowflake_Account_Auditor | Snowflake account | Snowflake users should be monitored for altering their session timeouts | +| 
Snowflake_Account_Auditor | Snowflake account | Snowflake accounts should use a network policy | + +Continue to check this section for information on active, retired, and renamed checks or using the `--list-checks` command in the CLI! \ No newline at end of file diff --git a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py index 0ce7cee6..0abf9820 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py @@ -1889,7 +1889,7 @@ def snowflake_monitor_session_keep_alive_commands_check( yield finding @registry.register_check("snowflake.account") -def snowflake_monitor_session_keep_alive_commands_check( +def snowflake_network_policy_check( cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor ) -> dict: """[Snowflake.Account.12] Snowflake Accounts should have a network policy enabled""" From 2c7ffefa1b53efddde5a2603f3346c96bac41f25 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sun, 1 Sep 2024 13:45:32 -0400 Subject: [PATCH 40/55] retire firemon output --- eeauditor/external_providers.toml | 14 -- .../outputs/firemon_cloud_defense_output.py | 168 ------------------ 2 files changed, 182 deletions(-) delete mode 100644 eeauditor/processor/outputs/firemon_cloud_defense_output.py diff --git a/eeauditor/external_providers.toml b/eeauditor/external_providers.toml index f3c7883f..97cf2aa8 100644 --- a/eeauditor/external_providers.toml +++ b/eeauditor/external_providers.toml 
@@ -296,20 +296,6 @@ title = "ElectricEye Configuration" postgresql_port = 5432 - [outputs.firemon_cloud_defense] # This takes place of the former DisruptOps ("dops") values, but the integration is largely the same - - # Client ID for your Firemon Cloud Defense (formerly known as DisruptOps (dops)) tenant - this location must match - # the value of `global. credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable - # should be the name of the AWS Systems Manager Parameter Store SecureString Parameter - - firemon_cloud_defense_client_id_value = "" - - # API Key for your Firemon Cloud Defense (formerly known as DisruptOps (dops)) tenant - this location must match - # the value of `global. credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable - # should be the name of the AWS Systems Manager Parameter Store SecureString Parameter - - firemon_cloud_defense_api_key_value = "" - [outputs.mongodb] # This unifies the old "docdb" output to account for local MongoDB and AWS DocumentDB # This value indicates whether or not you are using a password for your MongoDB deployment (which you should). If diff --git a/eeauditor/processor/outputs/firemon_cloud_defense_output.py b/eeauditor/processor/outputs/firemon_cloud_defense_output.py deleted file mode 100644 index 4b0bf5c9..00000000 --- a/eeauditor/processor/outputs/firemon_cloud_defense_output.py +++ /dev/null 
@@ -1,168 +0,0 @@ -#This file is part of ElectricEye. -#SPDX-License-Identifier: Apache-2.0 - -#Licensed to the Apache Software Foundation (ASF) under one -#or more contributor license agreements. See the NOTICE file -#distributed with this work for additional information -#regarding copyright ownership. The ASF licenses this file -#to you under the Apache License, Version 2.0 (the -#"License"); you may not use this file except in compliance -#with the License. You may obtain a copy of the License at - -#http://www.apache.org/licenses/LICENSE-2.0 - -#Unless required by applicable law or agreed to in writing, -#software distributed under the License is distributed on an -#"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -#KIND, either express or implied. See the License for the -#specific language governing permissions and limitations -#under the License. - -import tomli -import boto3 -import sys -import json -import os -import requests -from time import sleep -from botocore.exceptions import ClientError -from processor.outputs.output_base import ElectricEyeOutput - -# Boto3 Clients -ssm = boto3.client("ssm") -asm = boto3.client("secretsmanager") - -# These Constants define legitimate values for certain parameters within the external_providers.toml file -CREDENTIALS_LOCATION_CHOICES = ["AWS_SSM", "AWS_SECRETS_MANAGER", "CONFIG_FILE"] - -@ElectricEyeOutput -class FiremonCloudDefenseProvider(object): - __provider__ = "firemon_cloud_defense" - - def __init__(self): - print("Preparing Firemon Cloud Defense (DisruptOps) credentials.") - - if os.environ["TOML_FILE_PATH"] == "None": - # Get the absolute path of the current directory - currentDir = os.path.abspath(os.path.dirname(__file__)) - # Go two directories back to /eeauditor/ - twoBack = os.path.abspath(os.path.join(currentDir, "../../")) - # TOML is located in /eeauditor/ directory - tomlFile = f"{twoBack}/external_providers.toml" - else: - tomlFile = os.environ["TOML_FILE_PATH"] - - with open(tomlFile, "rb") 
as f: - data = tomli.load(f) - - # Parse from [global] to determine credential location of PostgreSQL Password - if data["global"]["credentials_location"] not in CREDENTIALS_LOCATION_CHOICES: - print(f"Invalid option for [global.credentials_location]. Must be one of {str(CREDENTIALS_LOCATION_CHOICES)}.") - sys.exit(2) - self.credentials_location = data["global"]["credentials_location"] - - # Variable for the entire [outputs.firemon_cloud_defense] section - fcdDetails = data["outputs"]["firemon_cloud_defense"] - - # Parse Client ID - if self.credentials_location == "CONFIG_FILE": - clientId = fcdDetails["firemon_cloud_defense_client_id_value"] - elif self.credentials_location == "AWS_SSM": - clientId = self.get_credential_from_aws_ssm( - fcdDetails["firemon_cloud_defense_client_id_value"], - "firemon_cloud_defense_client_id_value" - ) - elif self.credentials_location == "AWS_SECRETS_MANAGER": - clientId = self.get_credential_from_aws_secrets_manager( - fcdDetails["firemon_cloud_defense_client_id_value"], - "firemon_cloud_defense_client_id_value" - ) - # Parse API Key - if self.credentials_location == "CONFIG_FILE": - apiKey = fcdDetails["firemon_cloud_defense_api_key_value"] - elif self.credentials_location == "AWS_SSM": - apiKey = self.get_credential_from_aws_ssm( - fcdDetails["firemon_cloud_defense_api_key_value"], - "firemon_cloud_defense_api_key_value" - ) - elif self.credentials_location == "AWS_SECRETS_MANAGER": - apiKey = self.get_credential_from_aws_secrets_manager( - fcdDetails["firemon_cloud_defense_api_key_value"], - "firemon_cloud_defense_api_key_value" - ) - - # Ensure that values are provided for all variable - use all() and a list comprehension to check the vars - # empty strings will trigger `if not` - if not all(s for s in [clientId, apiKey]): - print("An empty value was detected in '[outputs.firemon_cloud_defense]'. 
Review the TOML file and try again!") - sys.exit(2) - - self.url = "https://collector.prod.disruptops.com/event" - self.clientId = clientId - self.apiKey = apiKey - - def write_findings(self, findings: list, **kwargs): - if len(findings) == 0: - print("There are not any findings to write!") - exit(0) - # Use another list comprehension to remove `ProductFields.AssetDetails` from non-Asset reporting outputs - noDetails = [ - {**d, "ProductFields": {k: v for k, v in d["ProductFields"].items() if k != "AssetDetails"}} for d in findings - ] - del findings - - print(f"Writing {len(noDetails)} results to Firemon Cloud Defense (DisruptOps).") - - for finding in noDetails: - r = requests.post( - self.url, - data=json.dumps(finding), - auth=(self.clientId, self.apiKey) - ) - if r.status_code == 429: - sleep(0.5) - elif r.status_code == (400, 401, 403, 404): - raise r.json() - - def get_credential_from_aws_ssm(self, value, configurationName): - """ - Retrieves a TOML variable from AWS Systems Manager Parameter Store and returns it - """ - - # Check that a value was provided - if value == (None or ""): - print(f"A value for {configurationName} was not provided. Fix the TOML file and run ElectricEye again.") - sys.exit(2) - - # Retrieve the credential from SSM Parameter Store - try: - credential = ssm.get_parameter( - Name=value, - WithDecryption=True - )["Parameter"]["Value"] - except ClientError as e: - raise e - - return credential - - def get_credential_from_aws_secrets_manager(self, value, configurationName): - """ - Retrieves a TOML variable from AWS Secrets Manager and returns it - """ - - # Check that a value was provided - if value == (None or ""): - print(f"A value for {configurationName} was not provided. 
Fix the TOML file and run ElectricEye again.") - sys.exit(2) - - # Retrieve the credential from AWS Secrets Manager - try: - credential = asm.get_secret_value( - SecretId=value, - )["SecretString"] - except ClientError as e: - raise e - - return credential - - # EOF \ No newline at end of file From d377b07ee6ab924126ea543c249b745520938e15 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sun, 1 Sep 2024 13:59:29 -0400 Subject: [PATCH 41/55] icons and control objective updates --- .../processor/outputs/control_objectives.json | 16 ++++++++++++++++ eeauditor/processor/outputs/iconography.yaml | 11 ++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/eeauditor/processor/outputs/control_objectives.json b/eeauditor/processor/outputs/control_objectives.json index 62696086..61c933e0 100644 --- a/eeauditor/processor/outputs/control_objectives.json +++ b/eeauditor/processor/outputs/control_objectives.json 
@@ -16223,10 +16223,26 @@
 "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.1",
 "ControlDescription": "Ensure monitoring and alerting exist for ACCOUNTADMIN and SECURITYADMIN role grants"
 },
+ {
+ "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.2",
+ "ControlDescription": "Ensure monitoring and alerting exist for MANAGE GRANTS privilege grants"
+ },
+ {
+ "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.3",
+ "ControlDescription": "Ensure monitoring and alerting exist for password sign-ins of SSO users"
+ },
 {
 "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.4",
 "ControlDescription": "Ensure monitoring and alerting exist for password sign-in without MFA"
 },
+ {
+ "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.5",
+ "ControlDescription": "Ensure monitoring and alerting exist for creation, update and deletion of security integrations"
+ },
+ {
+ "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.6",
+ "ControlDescription": "Ensure monitoring and alerting exist for changes to network policies and associated objects"
+ },
 {
 "ControlTitle": "CIS Snowflake Foundations Benchmark V1.0.0 2.7",
 "ControlDescription": "Ensure monitoring and alerting exist for SCIM token creation"
diff --git a/eeauditor/processor/outputs/iconography.yaml b/eeauditor/processor/outputs/iconography.yaml
index 351b029c..4f36f8d8 100644
--- a/eeauditor/processor/outputs/iconography.yaml
+++ b/eeauditor/processor/outputs/iconography.yaml
@@ -282,4 +282,13 @@
 - AssetService: Microsoft Defender for Cloud
 ImageTag:
 - AssetService: Azure Application Insights
- ImageTag:
\ No newline at end of file
+ ImageTag:
+#############
+# SNOWFLAKE #
+#############
+- AssetService: Snowflake Users
+ ImageTag:
+- AssetService: Snowflake Account
+ ImageTag:
+- AssetService: Snowflake Password Policy
+ ImageTag:
\ No newline at end of file
From d8881de7896e054d2044791c671e74670795c77e Mon Sep 17 00:00:00 2001
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Sun, 1 Sep 2024 15:44:14 -0400 Subject: [PATCH 42/55] architecture update --- README.md | 2 +- screenshots/ElectricEye2024Architecture.svg | 1 - screenshots/ElectricEyeAnimated.gif | Bin 268767 -> 0 bytes .../architecture-for-github-thumbnail.jpg | Bin 141685 -> 0 bytes screenshots/electrice_eye_architecture.jpg | Bin 0 -> 142840 bytes screenshots/extras/ElectricEye.pptx | Bin 791426 -> 857877 bytes 6 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 screenshots/ElectricEye2024Architecture.svg delete mode 100644 screenshots/ElectricEyeAnimated.gif delete mode 100644 screenshots/architecture-for-github-thumbnail.jpg create mode 100644 screenshots/electrice_eye_architecture.jpg diff --git a/README.md b/README.md index 28efd60c..b47e5190 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ ElectricEye is a multi-cloud, multi-SaaS Python CLI tool for Asset Management, S ## Workflow -![Architecture](./screenshots/ElectricEyeAnimated.gif) +![Architecture](./screenshots/electrice_eye_architecture.jpg) ## Quick Run Down :running: :running: diff --git a/screenshots/ElectricEye2024Architecture.svg b/screenshots/ElectricEye2024Architecture.svg deleted file mode 100644 index bf52b916..00000000 --- a/screenshots/ElectricEye2024Architecture.svg +++ /dev/null @@ -1 +0,0 @@ -EVALUATECLOUD SECURITY POSTUREMANAGEMENT (CSPM)SAAS SECURITY POSTUREMANAGEMENT (SSPM)ENRICHREPORTATTACK SURFACEMONITORING (ASM)COMINGSOON!AWS SecurityHubJSON, CSV,HTMLAmazonDocumentDBMongoDBFiremonCloudDefenseSlackAmazonSQSAWS KinesisFirehoseSUPPORTED OUTPUTS(OCSF, File, DB, Queue, SaaS)PostgreSQLOCSF v1.1.0COMINGSOON!COMINGSOON!COMINGSOON! \ No newline at end of file 
diff --git a/screenshots/ElectricEyeAnimated.gif b/screenshots/ElectricEyeAnimated.gif deleted file mode 100644 index 50515765ca51f9f0e979773220de86884e2368d5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 268767 zcmWhzcRbbK8~@zt+SeY5Ywta>U0ht($llq>ERhJ+wRage#Eolj*&*uMGYKJCWosZr zebxQ-`|F(7d7X2f=Xsy^Ij?6NBV$8VH4j_JIw%+b_$jpJ1~%6Ex)ufsGI9_Q@NeiB z6b1(aw4e3%_ENTq>Nv_gKmU}Tytuj^5{XR5QPkDd`NhQn z;;MMm(DuOr03gI04)hSX)z#IZp`lehJs@BR0RZWQ^z8r~5L(gR-e85maRCTQFF=`3 z*Yi3M7neUHgvJxM0bD4*c*9vkl$BQif=hl|Ui~cIX-HmOFMViUJb+6)l%I=>xXQ&J zT0xnLpCTfOM6OkFaU>U)y45_T{r}>LtGHDHF^V|EgyV7tli@8W6a%e+D{Lw5PB3u1>XEsi*f&Sy|z{kgK7DcqE{X+g=@-Kj7!L;tvho z=0Dix9|~2akGZR5PSxOywpaZ@-h zajxF^ZLfoE`2a5d1FnM#u6Sg-*U+}tKP!;iNW#Ab>Ns4((0qV==<0!dfP94>Av6FH z6^g9j+K%GdmS5ej2w25!5BQePZ`MZ#sYsbnAtDTpItn@fk%I2HYuN1Mw=9;5VA zd5l}i$8yB1YhA`#Dkk#eyvB*ft(9*IRYUie$6Bl27Ng^6F5}v&-<4r=B(9CO)y!5| zl;NJ?+H2p}Ikft(jJMYRy=>A^|Dn})w)WaYN5jV#!5ibxOkOmuyo@;BUzvFE zeC;(JLd$E~+4N~3nMKldva@+(Bva6&$h50vYa(AU0J}Qb)w=VRq@TuX*4?%@TWwwE z`lh@6%R-aaM3LFcj&C13L%*!PdHLdCjT}eIXWr9!v@x0^={D8Vb-XiOW>Re4+kN_F zu{D6QHr4y`EY8uPsR{k6=hyM>Y@OTNSH1t89d1k%Uwy5WX4w4d%Lqf90YFQEA=dF= zcI4E$1XF_=>8+Xv7(%au(jd_Cxgq!k<%m#P!@$uw?(a%AR9rbm5D&cxe84}9pp zcMWfGZB#vNnXH*8visdKDId3_@J4PY{dh`6mRr1rSDEhHz^m;j`C1wd>GgL}B0+)G zR~gNkW()*-L*`5rO_b(suiOu7H4M;F9{5n|!gGn*=vh#EfY*O*9YIN7f|fV?|4>vu zhQGWly&CmJ`sPYB<6hvnVWX6rE`g;8$%|^TyrJv8F{4n^yZxs6jq-gt zH)Ku*O3rHUZB&SwbdY>lc8YgVk9q#vYkoNSYnR3AmHc}=S zM|bh9Bj+sZ?ZV9*J-hv%l7OP~t(fA}11{4UV;GejLdjfue+v$u_#dF-PZ& z@Yyrfhc$I!10}@d-$E)?G139Gmp)Rzyj$0#OCM+#T0-ZQ+|LzhmZ)6LPirhj>1Px$ z4=D=p06v4jKn5uWdGT1Ix(Wn#k_C>%$mxb;G_6H*4Ey0K4Y(pEVv`K!&Nl+=kdIlE z{L+uG>%YyXhh)LK4@0Jl;4Kb#X~TChFisGDbP;{@3=OO4E@k851auo8XGXV?XW?$+-o}GQeVMC74FnbBDz0o5vmABK0L(3se_DMHf*1N*{vdOo z^%R}nG9bVW!byz#sG9{$VR%^p@NXt$hjUi_9d6jDgRijeP2wp&Sk`XpL z>2dstwZKC;?I>pKBX6N{f>I<_%fA{h;Q8XPryd91yLsKzIirq!qIU7C0%1t9h^M-G zM9>Kz>r8+M%RePId)_VM4jvJFMx(7Oqe$B13c@E+4?q2pB2Wjkl(Rf+H)j(IL&uhr 
zctMf^E8Hw)Ca@SyHABmQ1O*4mYoV3*Kd$S5-zZUypteCb))^-Kv6rq(x!wJ9W-iRo zg1@i1#-Thesy0bzSIAh?dC__G^%5>>ch>*BvDW!G^&R-&{*Jb7t?k3_tuf}ra&wKP zSN$|k{1QUNyf~Ii0oB~xE`rmLQ@*(o_=Ggq9-zC0*YW&(3wkQ~`QiS;jO5+6rUjNG z{{MDHLEZY%=@(Vbwuhs@*XQ|(b9`7@$06Uw(|l!fd4D$HHG6^j&eBNUMtJ+Op$oJ_fZMLi|-rDq=5e?LY=X}jhM&Xga>g>Kt#r~wYb$&|~e6n~i(D)s_` zQ1X;!HWq?H3Z`V;!?x-jwhayPveoU_^9SsfuUmf`glzVPh!|%s)rBgArGJ#DJYJOC zku+-$azW_l-eb^~IHu&bwe);HDngA~Fz#@3!7N8^kuFA$*)(h)s~y$}1qp|e!M<&U%Fj<_R<=2KJMB}YWsqmu zpF1P65H(V3``3od? z`d+8t2UOx3wosJPPplF-?ER_H`PW?P@9{Wg6NJ}3;np*F$jt6Lz-+NMXQ_sA_n#AD zQ@LtI<;D8KJgeN3T~(0H$1`oj@=hE0yO01u8Fl4u$j(nbOK*>vQ?D1LVAkD-UEqk) zoLiTVZVZ&E@4^N36;Y!zabK&ntxCa>3jFAElx8(pAOvM#D8J>QfcPwAtswksCLXkY z0}6g%o9`d>!X%-Jn~e=0R~0Tv(D2NU@=kvE@Q1tVSvWP70t(Q+d)=OIm*I}6SixPC z<)Evn_uac}?k!YN>y?fe?*!RO%Xdl-+_v1L&aXvUt`UF?%t2Y^!o*xv`A->_Vgm4*WN$@S8_*zhNmWX--DN!rh1 zENoflB#_Qw_8}T7Yy4Ew?@xRrjOUa~8tUimPn(ml>`(A#g z+EdJQh3oGMckW8h{R%#02}qqYW+WXqZcK?`JjV+e)vDw8Q1KBPr)sXJYwk-thA_4By=6o#Lw^(5n#LU7ZgzJydt{+o!* z4C>6Kr!J45R8G%&Uu@@T`GwLc+X&#QQgYJt$8VKA&F$b$EpE+gqn39^WC-f{ac6>= zCBV|g^#bnoqfYhXk@XX`RlSEG3_wcME#${V2*vXW01!Dc17RA`X_FXdRH(H?k~D@~ z7#IIYX*_+}_@}1v`%>eNUqyWWrA*Z2DYKHcU2&US<*yT~;UDyEyK8L=Olr6@xKoM* zj0@(+!%rosw13yMI}z-=z2EmYebftX_o^$?7yBuqa)Tgyt*Y#^dL4e=kPXr#Y@-U= zEs%;zm)t9+3$Bd4{k$?YBX1TVN2Xr}fITFLiPTCzjhIR)(_Ba|^**nP|3o@OLt^DB z&Hroj^snaS#@+6&)ZbSW>8kAe=Vuqx<9$>nHO){e#X9lVS+}^?yf;}jFkjkl~Al0 zEkT19>8xmO%!^Vht@8>kP2UugG2(eU6B7XN218^`p!BHL7~RtLrCT+I)RoBe+Nm6G5HtjAydO6v2>~a3tTyIr z*R`JQVE@ee&5Op$8dwYH(e_oD!-dH2p~gHu=%btvqbo+-Lw28Ab!Ni)wiZ0nS>mEL z`usmI(O59jSyajgaMtX0xQPjdpsCeqA$pgBRO?y^rW;>su^OB-D6oknLj6OF zo>cnsI=FdHr6t>(R97t^S@zB+Mq#I}r+`p#uRJw1cZIh3b=s{7hh(YwBG^a=CM`lf z#Nev1ZBCk{BHG|9%sz9_Nu^^r4C93OasA7Q&Fp}-|K{CP&#N*?BVSHb>vFMH0?~ol zm=N#bF(pWP;5}EQyAq)z?DOo z)L~`Gj1*^G|F<;G!3n^$ZtQXlJ)gQdjk5NGL>*YYST6d-Q;pZ#f|K=79d0?N&kjx5 zIabI~9s3^in9$gB(^twrjyBgrlleCY* zg{50sFR4KeO+EXvx=&+hK%wXKa6t5eY3}9V z?O}7LO^l!|x6J4Rrn^jIbL5k zlmIc^$-!pdoGmBs4b0Szb$tGv?h*>l4aVe#gFVYF12wgd@$rOH>{k}2pbQK5O6;8g 
zL(z(buy~!kFyqgiT2E{Y?FY3Vi()6kjQ!yc;wEAV<=By6uy-5ShSf0ljPEIHoQXgY z`O*~Yy8#T)P^ZyA)C{IRhAoqT)$Zpef>aq~`aR%dQ^V2@^{b=8M0yD@#$tl|850Si ze0FRTuW9(O2duvv+h%7PRr%q2hnN3PztZcIf7wSb4=vDBMOi~q-X<`l1F>nzE3dK{etfcsNzO-IXm8g~~U32?Ku}2tp;e zS}9$n_8uuQa%{8f3yHFLsAL0wY?i&{_QcpF_X1jXM}!n}Sc zDj?Kx2e*lluHZ+8yUFi*CnJmz@8^X_r4nr{*nID?Sl?Q}m|H5}0-l7#D*1%oU+7oq zx_D_9ig}dFp}Xc44OZ}JP#1d(>A|Gk5*&TJIQs^Ds{KS+JNL$i>2yb9W?KYcHXm5YM_^fr0NiMUyBfYYscL>Tt zyN9F=EY-s^7Y33Um@>z~r3tOSO6d(6+oTY{62H!!j5JlJb2dZ8!@aJ+&IeKc$#tH6 zV4a^@TGZuhe!Lps`rFn9_cb{s?idO9ChU0(E|eL5Xx;Xo;I*Ey*El(!%$m1{s%UrU z+23q?W;DhW>NG_~C0%xkHdn?ThwEOHd+pB7o8PfGYWno{(d{p6R{4fo?=#%K=IE4k zC_q-s`-rorf?m5-LNezgyBp>@z&6RbO4IyPGBVV3q}iNS4Xj%_5f!SO`!W{D*o_1%Z8 zo(c+#{kFE5=>)d~zo&*Eh6ikCzELm-YWd0VM)>7%gOrP6}(mua`*8 zjfjHdBXWAG}LrVG!MFg)WM+l-*=Q`iTj;2XS7pZo9E+xh)L3mjGTDPYP zH9;3pZkt_;QXMuW)Q=bt1ZMC|JAvDF-=@~KLA^b>WoJH4^2R*RITrNtDLlX`_8p3r zjx#Xirq_U3UtS^nTZr_R_Qr*}`+xqzc=Bt(OozS*&tU!FcMWc543kV(A-c$HDt0jo z3y9B~W5Y>K)iUzqH;Vp6Vom-0$zXO!dXtg>8Z=vdo&An|cU=M#%$#+wo*(f4P(hI< zCX2R8?z5E8jux#rwe79GX1Y1$;ZbypHY;Jlh3NpZ02~=kX*8Fj@4ge9Ykm02(^dE5 z_qi)CJ}B#~4e517!Yp)}PR4J^{$Nh6u7a{m*2ts@#L9^#1@2etCAomb>u9M4zm%OS zK;JbcBPT5$acx`1=uy9^HPLwqrX#&3u{!KS1h{>1hL^)Pn`I%VAx&s-fImhCiX5lr zgUxg$72atf*Hp>^7WjmER~Jhxf7E7+iELVFR?GlqG|T9v4bV`!c1Z*3&4(!o4R4OXN^HJ-UDw#{tFQ8Yl%FBXcd z3X`>7EHkU7`zhAnZN%DoHfkJ)~L zYbzS^emG~6ja^X=c8SxtlT;Z{^@`acIs3HTuk`+wx}!(fGux%~Zb~ZmvfJbK$Qw@f zxKPoKC?~)1%L5lA4h6Phja$PJLoK%&S5mfkVcdSxV5ZHPyzC%}@|4SXj;i2M2HID~ zw5v^(Q4@%}C(#u~8=lD0-83@4_$oq`{fh9?mBC+O z%QU!0XVkKEDBT6!(l>Y5MZd|Xy}YB4Kk#Q&U{`0gq_FQYy;2{@) z!Czm;qZR3U(Je7UKb;n71Em1mxB<9KR%}tlZa9UbiTTM&rFJfW-Mi1YxidxM zjEy$3MF2QQxvPWidOEIU6|&3UKtuF7lPc=&IYwq35!BvXleqfqmBQLFu_GHMZ&f1z3;hCP-tkpdo8IOUKm6Jli%c*VH2AL5(AkI2=MK0pa z9m1UTrGFVcsdjnqXpV1{O;P|vrjNu+*Ys`$s{X#_komFkvlW9^fNuZ&KI8v>OVCQK zcj{CkgDh-zSZccG`=qwyexi0fk(uus!fvNg zzC^3hHF>?rM*mUU7)R4lg;D2Lfe(+5N?nK9*HgA+}sjge<%L{r%##jA|`gURfEj|hZ^zj)|Zl@TyxO0_pUMljEPdBS~C;6V6T&lnHs6Jrj 
zhLxPqBTI2k#%!3i7@j#Kvw(+PboE5Q+ChI<;R&WmO&8lJ6lfg^B`Z~ zW4`%X?Av;U>(6gY_}b@t&gW35?TKeOFpe7^-aeeaG(b`}M_ZrDApeLyH+4`_6BEDO zJi25{`L*K1)i52fvhG2*Uop=8VOEJCqddanGo>1@h*W1^Y;vi}omzS+wD3)% zSbuI$L8E))wy%EteU|~c?A^8MFvyT%?Iu&YTNxb-$)!QyGBNl zwv!1T%j+hdH(irG@%_ear0E!lxZWCR`{5-136K2zcI4ua_FeSEy9w`wcT;W|Hm&XQ zKp&YnFqGNvi{Ba>e*c#3nG^Bgh9ISuRN=*KNE-8Eyl zH*UZBV?S0mBa(k}!fmLnwqwsy-iabL>h#3V!N_+96c?@laz1_jf(F`widuT>3Lx?1 zZ(+qzs|TxRy;Oe>?(=beqAEUH%l~s_3UqNxZtZ+%;lBGTa;&WB>)&%P9{g;6{pU;g z!{5Q=2Rx08fA`ZU|ILjQs|qqiRgV@BeBtYRAEP-01(%L;eJJkSnJX98?_puVF#szW zD2H)~ks;*?P#d&UG87hwhI^B-nPlp6GIpH_L?+YCk?A+d3@2p9P4s6-ACpiY^BkFs z#W<^7l$XDdZ@N_7L zuf9q=n)(8yMnF5|4`A~LGzkZj}KV=#s;7^nq? zGZ14Ojp3f_>tX^`3&fs!=~3J@-~6bWNoBW+DxaFEF(=TBu|PX#3U$sCwKb{WVxpYr z7%>vSasj7VkCXGo$8(WE(GbNzeWiGPP4593rD259F!knu?j1uU-QW#^AsU*_F{sP# z(6={X7#Od6b5hqhu#^J^EVZ`WC*!e%{8Q$t z(%rz^g96=kHJAZ)t7xPDa@4H{bxL_sP5A-qaC| zK+{yfE)L{ymDleoL+8~}GF%&p*E!E#p+hTw9R;EXl(z#G>7m!$$i1WupQ%3~fH&c&92i2nGlA-Y5S zY*}%Gy|->d9gVP6(WOsOgQrO5jMl3*Qd3^H#NAQDS#4+KSU=xo+3>m~hGlk425n zR!zSnt-t$V!@)~G$Gx<`)FauRv3ecks*epO$m_-DbHzGFBY}%_$zt?+M{EZFG zpETWNupaVJkOhcs5gxLb$R`KAL3kytWomQn{qENp`e&H0bAu&B(^6`_6oq^rllpI; zXkyx1ua&Agf3PhB-qc|7Ei1A;!f0k$0hzD;zvF>k(3~qO*7pg;PTOIWHxS@4PLrO{ z(^fU1tH;Z^ z2tX2vknBWM|A~>Vo}syJyFWL**E3D~q|eQtvjVTi(MuccD}xJ$e$e}vEBA4GMvc}t z-tZip*4Fw;2!(ZIc24|M0uS2@uEe}+VnfF6)QWlFx14CUo~ zzbHMXF*!k{<-};Z#IOuj%Uq(#a$@6jmGn(?PPf?Eq}WRj+3#&G?Dv?P(rMxih9sYI zSYxSflBw9&;kfEFS*(!tx~tl>Y8P_(KjWlt4IJU_FwuKTY8If5Ot-u1iIMz>m}OV$ z$TitTc*aJj1Io>s1ZBZxCMl<$MCZqM&7KicC!JHxTvA(kY~n$4G;ly_PEUIsU_b%j zb%^#TKKqoEPj4k_Y*X+@N7P{ji-ID61Xy{3yAAmYkg#xl;AJ5BWsk|~w-uzzls4V! zhArq4-ifv;rivbKg@{E>+tj}|rn8-teY3E8&31&q)SBZmD#@=B+_FcDmrVxhqF&w! 
zmXUm#=OC6XI*=sm-~|mXb*RpEz*2pRrNlU3I}R%1@1P5$@@bnxsMt9-0DO#;STflo zZZALuTFDF#=5#n^{@Au$%n5$5Y!sk4_r@%L>PgnD!5pOwwqmmaiU;%};w;T)jKauw z*rq;}qxt@RVxjY7;Q>{ja!O{#G3`3)aWb;0#)>e2nH^TGR;G6}-w%5C4fg0>lJdc@ zT32ekWz)kSJX1IjCdQ%x#YP`dTHrNIJYbj_(GAC~Ckl3Xsh#J^l9QxJv`lzV7FX6K z_nm`;79(HO=qE8l?Ns&a9H}s1@ghZT7i}g&Lm6BT>smL@b(HN(!Zdtv6N>ki8-S!w z2tD(Fd0)?7{HIkKEDSWsfq5t_kQq zlo+~AWtSZ%Zb^(wPPo)mtlj~@M#14?%#wSl?e3sY-3YbHjh$>S75qls%#LgODlcf> zScOIc6bM7l7bE>*eK^d&GhQ|Pqz;f18y$g75D2lAA!N~A?!o;iUV1&|Gm%_M8M0v% z!b6cUidZ}=62wX-vnD$}Z%bl5yh=w0VTyRe&-qP2HBJ$*SxeYs;sNP&#xjy)8FwMb zCMWs}IP;?4Gj^ZQQ`+(ldmG#LlDVI+KkB>Om-umJ>YFzcv=anN24GD9dnZVth~wZV z{*d>U*nq4G02tvF)R1X6e*)c|Ui74R#BN?Ly75m!OSA_mkB0aSw&wHh2FzzDCCr%W zFD)g|EWvnp&~;bF*k*X%Y=srDu&@Cqn5+hp-FrTHLT@`X0?yF}ig+p}2PzOM7V7&! z3>gDmcbNH`NGBFc7hzDx>WI=_V3tbKKF9M>edjxfyT6FO?E4u>$;6{}_wr=k7=0sZ6jc8(;O7nSn4rauIwp)Pcb@(%{s>m^CHFrqR-*QDAQkpyLFcH<{0ekoJ^0LRiAz6KeNFd53`+(qJN z{#b%kef8LYxod&Z=Q>G^ko%~3&_&Fx#jhRpE4MONt}Moi22*7uk{_*-#j20Yo`-=r z|5d{ipolr>c^pME?)S;wWxl=;;0GV$cdy4u^q8B^=J&FPt;h~O3-hQX=2`YUL(STMV~3U z9Tq8Yjs+yC1>fzm4nzWq=hOka`sP%Ce$Zk3y~80n4@|}3)myvjqjtj#WVPUHh($Y# z_4(x}FvJX{U`rfJ5>XU;34gFw3pf~4DY7jXirCXr(4tbBK0qxz%|Z+lbl zYvw;0Q6cn!2}HP$==Wc*d@&EOn0*u7!?ZztVq{=CMo##(1p7!=jH&*C#>nAkaIV4u z{TF$isMheLAQYprQMj5Rp4{vuCe9qggBo_ZsYgR&iSr8*8=4|yMSnryxxy6Xr_pTo-i zQHL&=Jjr4t-u`zfn8ae`4#ViaCa{hgFp;Rhs&TDfVG*52f=x*RVzD|AK`SCZ8Hq7o z9N&cwkJe@*ct7Q@^{tbs3_;qkuxdnqTjOONG3keLD3@6Mq zH%*VmCP>jsY0@=iuw98}^b#j?pdTgV$+Lm0{fokQfI(1$LpuU|}o{_dEl zlZ@~ENWE%vA&Y;(CUdYozN9Y;!J<-V4Q!5PQHZ)(9@jKjZ~R411t;ng1dyoYWW5r^ z&L~vjMBQ2_b#u|fYnJ`+6NG(PaZ0!7$ippYR45io%@jZQVm)g>;5?R$X5W4e*X}XFsBySF*ImIA4Q$s8HM z1Bozt?--OR!m8iQR8}j5G7uw6Z6g??OQW`V^|yTH+(XPZCI&bYbLX^=j;`1=Z;DA+ zbKnw7Vb3e-M4^SG=5($cnvXJ)) zQ6BEiR*oFv>qXDg(pVC8(Lqq5Ofa2~K| zoU=cG|XK}ZElnjoKJ@Kp#Qf;?{Wv2!;QEv0OQG?kkig+1g#`;l|KccV1ocpJ5UJr&!8Yi6 zZEw-xI@8#elYfZu1iNNna{_=It|3-)tm(|f!{X7%Ne z6>6>nZ~3T&?44z)3Am3HuWQ^D3Yvf8RZU_K!a!^3@vj%(^M;k z6*3Bef|~h3tn)wH8E+bBpQG6M$4eN4F33nk6S>ay$>nHHPv|s1dqcM6BhPoK4vFr| 
z%3l@vpmHWq41V6KRCLJy+5|cS$m`;^lu>~Ke9PbklTAFp`9}{1$?G_h_~3Hu?D3jMD0n| zV=0_J-{d|Sg2)t?@ug1x?{B{d$4LUR2$3%O{SK!douPahzkARmDpr740usZc1uV#y zKu9!HKSiJ_w=U8lKOLu`WW@Cf$2sWKG|*nCJXeC-ZvDK)VV4{gldg>m`UGkcIKS#6RM|#)y=itfE!oxe9ecOb5gQc`dUj9 z-u1GN-h)aD>Oq{D^9LW1n$wIQyE9ut`0YxVPQS!(+6g97w>?IGmh|ZoXf9ujE7OlP z!d@1vh%^nsiG_X0Tw1V_X=h|5p(jk0@3o3{=2HC^n)dYPXKIT>)D!e|I;jfr`R2310P;VTKuixASSnX z)oNPa4a^h+_E_fx@%lZX&Smu!z3zyU?aDQs(&ZaN7d!d#0~QgU1nHmgZz4K4C|xM# zs9%1;DRmpB4HhcHuqU^)o0hj#&brRgYxD?Z=-x*==$kVtQ3N->B7i8f-*2jES%}PeFo-dx492n7OH7hQlJ* zvfLFGbef!_Gq4(^ z99J}`lKbOZGhO=WM`5Nh@?=36H4+`L}J$B(%0L1gf8cAgT`tM*N0W|+dcTs&1H%b?uKeHmVeKlbL{*2s`cf= zleMR;i*F;?<$9?jzuzxr=w~g<2BS{tpJPO5RO`^^u?jN`I$sBT#QCzO^Y+xS(b6jV zX?foMA{jd!8*cjzg{$QK63P~*LMz;+-pd+9FVTb;I61P5e~GYBeX(uk0REV4#)C!V zsku#G3hy&}7JP+jX(9M(gopASIqRqDQ~0}`Tga{7O7hPWHm}4nMjddsUn1Ggh2r1; zIo103aTP%yW!&VttM7In8+{JvZ_|TftMqY5Uz&4VVQ^zxph-cc>bi$v{Yg#225<50 zr`}&<`4$hJ7}uG>rZPcwZmEcB zUtmksK6bxRef7jPEMwz&;A>3Ce>eL5^LDnO-^$c>G~Nz8zWgI&%`L)6aFw`rXfL+Dg|cv0?!c6@0v(lNVy>S&SxriT$m39pBB6@V3E}KQq0LU8bJc%;LDx1P8GHr`PSj}InHJz$X}Nha?&+w zY-_#aN3%6oCbu5p`Jz3?hYf|qJ+4?syB=dZS_W>!d>$%ju1#)?J^~H5q2a?0`F>rw ziY-{RovDD0@%Z*7H-khP5@?aJQ{LItw^Irx*FKFcUh3g~fXA`&%=%12_C09+DACIl{I{5c8Wa^2F7OADJ#Hp_Y(!vp==@4yePUmSy3R*!3@VU$L^?(Fu z8$a?H@*VGer0~wLk6Sc~L*>fv}RD8p`Y%QhnW`1{T%`$LHiAv(ElHCSR ze+fmol#A+>^}*1F0h<8o?lm=d=}}i1|9Je>ADjJy@#a6?pCDqpU}MYo^~V5oMKW2- zhK3FR%Bbt}BwS3^OF^gph zUW=#;US4uta&qn0FZ1TT8^mi;>7s-agiTR>y;i2|S>}~!&2mIlD7?k@$J>&ov?t~A zv);nvXB#w$D>VIr*TKvm?+e;T*qD_YR*-V(8DL17a-;;cV+Z4Jl=m-bA&Hh0({Ca! 
z+w5ZbDI3(b^|pYeK_90#nicaeP^nasxAxfQyfnja_R5=QO2|y4QbQ{%I%Avf*)$Aj@S;{2BKe@YovwMxjaM#sBEU{obp@4@E%~p-ZyFY?2 zVV`U}4mlZD@wmE&P3?ts*oJnpXp*fTf8Nb>hg_SFFJ2nFKR;Mp2~k-bq!fe6_jx6N z>8+Bx8%RKxGro_0Ss$t-LGqL+gZrD2Z1C z+Q;QD)MqfPPVj@(>vPbM)l8Ax>agUQ_eqhy#8|QWa%ly+S+xbVh0177hXE=&T}~x( zMR%R~l)Du{EJg`{xDPmZ^V!j$$B=#Ys~Ap9UxLA7E%tFfoH*nYh&Hlwgz*kQfdGkf>5q-y^czGyPvT;1Gu-D~BFY}Cw) z4oJ>Pt?D#{FSFr8uJqCj#Kt$D)y&fy4N!Rl*k4AFxo;2RL2}H%c*8(HxQ=i$aQ&S~ zvpRp^?V4dr@0-H=Y(;@@GipL;$m-reh!r}d5kh6QsxBlN5;-*PAvtA*eyXsy!|V61 zW7?}FFH9uJN!rJ=+oQ$i@=Kp@0-xEC(E!a{K+U)eVt@Bl#}_+Ik0{tEL zPT*;cQp|VcMcI(2)X80`k)qOH*R4Kvt>xY%wiHMuZglv8hvEFDtA^wCZH6(cI2qWq ze#qaLEq~LurG6Uu!-j@^S2W+lvl`D-44#PuMOxlaF13GF%l5CZw6HHTpMqDlk?vK0 z4ys$R5^+K)qqUOB(6xB*Vw|j*9PEZ1m6sia95*6#zu_8L& zbQ)r6{Ff8`*-sHZyZanay-|YEg&$eLpXrCJ%7*w)TW5*$Ma0PE?s5Ex+3J8ymDU%Q zN_y&{_WSobUzK!6k`7el4EySOWaKywzN1cWa*9?AyGjj9#09~>40`P8)f(hY5m*Md z=)<2g6k5PWr9!!VRLsi4?5e)V1Oct@FMlrQ&6R&``K`xOTEOd?pvVwc;BCR#g$hHw zP3FEChTJ!0d9sW*Kvl05OyCW_>V+aFSfNJ*4GR8 z2y*i9cOe#Tl{tNZl&DE$4TnbW z_u1{5=*tvY#i+vv456yl#jkaP)v6S;Fs=C=3L1GgS=W9Le;=_<{CF##m7HBIR2SN= zgjbH17d#I2c~XhyXbXO&$of!LFRAYDOsHy?{TEk3EqleHeeroe1;eVAm+EQYjYeI` zt@-cAMvqVQL{D(JN}3w5{qb@s#h`1~ZM{w_oc1l_Lalj}N!hi+vSH8& zz#6h&Y>0N!SC(*=h@KISes#Jh<_}FiF(dd_d$zkCv{!r9x*dd7em^~mY zS5eS3nK7O@y5=T95TT~`a3xF1J3+yMYxW&Jw>svy6Rv!}bVcqijW5`5txaS@QjYfc z+wT)!pA)~U#Ser4devA2LiWa*%1znU%}pWCGX_6Ohv!b4`Qu6|F$K<-b;2LpLSACcolrezhEDy7rlb;( z=sE0I!~mR-==s2I+&=Y+B^m}n{PG6_k03x4%P4$HF8YdE7Uxg?D~t5*hjYX}1(#n6 zJ!CG_#)JQHbk;#pe_a^=ZU74`u)xx_q=0mnuyi*_BPAsbDj@38-5ugmg3_P@BCwRw z-6iEuKspo<+1Ghz?*I49ojZ5VdCq-4XFv8{&{gg;*}T-Yyj)pG)Kz|FNI{`&K}%af zyKG@sNUk_QY59eN8bmnWR(vG;db|x5boKg36Dy9x(#c`jK4CfKO74Ctxf5E-Mj+;T zm3>DAjDsi$gl4rYn$RA5yigxo=+i2>&++Ov0!@;%92LI|_3~qTDlThgmhmfT27zS; zl}mfurajjDg4j19*Lu#EnWlQlxu6B?>Xbr05V(F#vf)p<)TU}mO}>1LQn`j-2H9E9s%xLIaCN!<2n z9%f6`^L_3~GlSxT1gi?+D$gE1%2JokGd|W_JO?4tzzCV%nFq>?UI}xVWb<1Z^S&MP zvG*2I|IX)jEEL{beBCkc3|jsT;^R_Y{1LNKe{XfXV|DAx>Tt)}{Jpi`&)1Ire*1Ip 
z->WiX*dcCdeUEPf%{GDap1`@tbx>Qe#TU|=0S802rNNpe6-9DDkb;2`0yxfSw8*Ht z(`JFN9Ry@Ay*~HXPppD)>7A|mFxfF8SOFN57Ws6iU8bArD68S~E-5Zu3IBF#>(}&I zlPHDB%iup^?(+X?a$!XHxuFszCgNdd(-zu|ZiIBuWF2-I?L?=yKc)>6tZA7|eY2P;)pivj}_>>61z z=}zj2bfWwYKxzz%kX$q-NlO`k#Dzf-R0x7nfCLUT15g;(n0PSCEGn%TOh7KHP8iL1 z#y%L!09}Y8cI3tIO4xy`jHqz5SgP38B;v`cNvv|S3Jng#H(YfNy;(pNO}-*tVc5hJdBg%fJ+1(!mUFB zCx&wabH<87&-bQl-M)6d3OyAk9z*CwF|27stL<~!e^x97Q+CLen&NX^?t}dZusACT zkLgP7I|T_4V6QYDl*bF8?vlij)Vz%~av}!5TWCtHje8^J@s8bECoQs^N8+te{%5Kh zp-k5ZfUmIh+OIobCxHY51LcX_%{SUi>tG4lpZv-ezONe|8h5#lyNcKz?%>!6zXQ@A z%YzRgeOi^n?>3H@3=6jHPYnxq!>RQs9NbZ@6g>laBY4S0uW5bhYCZO7@dRF#F(!wG zuLaSJIwm5&WvIA1a7GCUTm_aS)jR-ekw|1^(01w@5{C#94yKJy@9K%z3L4%##%2so zzr}K(dSmgxS9rA@bK+4snY6q!EP4uO82JxF?*i$Me-KY$mD)9IbMS)(v#@ z6x3uciA!iZe)Ez4kJ6}D4Fmd~^|Z#q^%;$fY6<={Es6mk7!i>9;p`atsGh=E@|S8A z*PPXEMZV7`OL}sNrsCJ4b5#TOYH7_bvZht@yEw+)g1!2y(%;C*qwPIa%Dprp95%c`}%2S*6i_JEz6k@u4)V({ShYWJJ{)@L@ljpNJj-~Rr&S}l{>JtKw(DC%Y;83ph*rfu_QCqzW=wXhN> zZYxo$(&$qmmAjCe47UScSxm6qT+w7ca-180K9S&>$1&m0M{M{U4SEQnw#MTPM1=bX zY9tLW#D}uPp=pZz4~l@7u*p##n)aS8feXxZye@tU>ZcNz)V$5Kg)=oY-hCqszTH#* zlV{O+PLM{}qgryfN7*L6_mA-4l9j~Y5KRKF(vTb^xmR_WTe%Xe#2YXia~hY+a}7x_ z8u`jzNk4FbC4a8>2o9;cqcpjS)qd_rb+T8Pe&!__bNy_Y@r;AE08Sd~HHeOA5-TA} zQBQv^o2AV*k%Fisj zf8wsGd~KW_lU2_7x2mQF9Ot%8RUDh-q{!7kotcyMhV$>n-_m?B`f|#=45VFf4k#*o zA>L-p#n!-4s(he7F@|AeR>i}d>U~zZP&KkrO*DfY${x*2Xg$oD$gR_ul3nvqvfA>m z3N`w3W(8jOJ6Kr4e^@GPtL8DwPkqUGt^TNRit}}xoD3RJL||DWBx@dk9xe2cKWT{L zMmx-(SUyK!nzAZ1U3Qf*!=Cq>^9}^uqze~EPaR(+C@Vi8USFJeA=Ui$d(9)8!o|lJ zc9MHL%7k9ak&iDqnzAnre8ZV+hcf0gRpTQ3(hFC<1z_5=Ej1n49xeRP$Zah6`^bT) zeWCX@yOlrDj`*3Gs&tM?wQ;!nyN1wooyl!>%}5d}Y=*MaVs__+;3I2x%H-Tbx&-nG zH8qoU;N=dk^GSyXg#7DZ7ZwX1^lk`XtFa|Elxgc-N|)p5|f;jm0}!bg|7OMb3Y&)roF{OLfWeQ#k+}l5RlrpST(k z2DkkBn}&T4_cOQqR;p*9_B5eU!D?gEU$eu!E=O{OTx9zrk=-%DJ&mOAf@g6Q7WV@K zN|>jOIyi z@NLfzd}7<1I*--mEk~CneE)P`uTK`W95}4^FwLId&%bl8^v8o1u_Z7J%oSIg3zMRZO1VzKs&757|I3qdtAVgaoP367bhU=L zDc(MdwOtEmqEHSdE@p?eJwkX|IBP)=uY>!Ai%*h$fdCdNNAhIlVP1TzYO4VrC?lOa 
zg#y?94?4vOF(Ga=c{P&O(MnBF7lrzG7P5Ci?N_P9q@j&5RM_Tbmy@6HQaPiu(+xXEw zWfiX`f>y>|iF}>yxV@i*WVh6LUok!)}qi`3R){sn1d+bolY5nqg8bfrJ4Yl zW7xtPLEOh+@dkQ9Kc*FShU`fe2{gmKhVc=ALwY19+ zqc>!PgR{aJS#S@GW|>m#Z|vV>0;M7CX{RNr`=y{T^s zIBH#Uf_wG+2+{{RQ4lO4R`~VzWCU9;MW?3_tgbGW_sMs*5uB;I-(%{BR800$e0#o# zz=cP7LQB9g<76NQ?z@Qy^V2{4q}zlUJW4(qS%z(U8)($vooA=$h|@dKRJ_lpSjpAI z!W_raf4txK>c-7Ts3`RNcK{QflyOp33J&HI_*3ZYmr*l*EdN7sGOGv}6%{$BQ^SkH zUuFRpUMd{Lhm^0zIa0;p;ks;1;=6he6=?dnW3k{k93Rs7WV(|-IH&s^qS3}ChYvNO`3LFXrxmDVXRIL3w`-494uYmjco zd)@9JU6u`sw6vkilkPPRxMj}|D(*cWtTY?doo9xeD}h76Iw5P4)K%I=XQtv0!P7Jf zAa0x$iy+Y+<9nA1kOXkOrU3d%E(Pju_^DT^mB>@jInuiu5o1oxuM#?BUQgXIR_uEgS7zu zD2!%ovQ8veygi+XsJ7z$_X=iI6v;-UUWpcyw-zx4tI9N^5sop;h*^Y^fLzLvP702c zg7=lsanL%lNWsT~W^#__;FPFXagOZ?lA~T$vD)oRoWfur`Q1d-`#yU?2QnLiGh#VY z_8Dh-JwIf`?v$a7zl#{&ebjU_Vdh7rU{`

1|5<;n&!i8_|gZCmeD2VsEXKwNL2! z@V#MW3W&8#`~8zgZ66Wkw0 zPE|e9)zl@_W=%xlBB07_b%qH#b`cFGKaKBLjSDe`bWu(G!QMeI(vIPb=}Wj~Bu-qF zVLTX>Jr!LY>WB5QnEk4qL}&Yxq52(Kf1nu#zskei-9Q#|2j z5-@ujFeX4_)bGQ+n#^t^_6v40C!@AY^%!10e##$kBbKCWy7fXC^3q22rD>VOo}=VY zjwbHy-uZw~#J0*Z#a-QWN}X^h^JTa;hLXPI?n7hzM25hm7%-n9xH_d?d*MfCL>}w_ zrJZ0g!`MKu8fPX9y%(F;J)I~NjN><0D3=E#5rEfh=!|BMgif_Tz`RwHm^*%&x+6<}N*FejBAi9+>)+Q}l+> z>!#?Vv;4TsB1G0s_?MpnPXYP8ESAOHz?+ug+Yn9bc}iE z4>F^|@hK<6i}k#lfwZ*|0}iX4DHlU*c4mgA;4j|n6)^+2T@J-h?`gv884mc&wQPz1 zQ@gY~36hLu;ss^Z^jc{>+%@djPA3?7zsoZyt=T8!`bVS@Lk@Q^9uDB?yTiLSn4B1V zhp7a|Gs=HQ0AzmF&x~_liqd~a125L2S};T(9fgeZY)-`9~wA74XM5bp0O2A-P zU<`$6Y*!D+@?GTKhuCzo;?obWa)P>;$zeC^wSU)N9g$4EcP}>1fD<#M2xo_twCtZV zmi?Oe?^Z7D%*dVklLuacn1!((@2|hoYPz;_Hr1NsmlgrpApw`7;7#qBWERw(L9JKJS93;I$r30xM_H76T(KIX6 z!tPJ=l%YDb#wSm+SuS>5vN~i2I=&}lf(ab`w5TvpW9OLw_$H8#f=I$`n1vAQa?I

V>a#;3fjl1wp+1m6)=MJLw#_kbpeNBkrK_l69-&}9!&#OACkBx~^ov+4A zlcoHNBSH-LI^|9%;I!;velQ7t7NnNC1HcMwV>JK#bqI&@VtuUIEss(uQ5fiFF#*l@ zm4*^kAZZX;nzhnp6+Y9N;3FnV*V4vR#=q=ZBhw};hw0NZGXa-{g0i+4vZPPV@&lKT zg0!C!5FIdFOR@d&u=q%mX@`B&t)FP90BAmww52|G6IV9_@H}7ovDA zj6AJlV(MJAU0L|tC+AZ>~(xw{nAb1?g)`26- z^txA*i7G?c^21bLd(*97DDAX~npK#f)%wT9(;4F|P-IA6V%ytPE1`Is=vR&Tqx_;} z41q!(6@|lfv)sJS8B^w+W)SM{?*agSy}w6JJ7K_`j=3HlRX6@y7YXxEo!;{ zmG?`Rm7{y#@OCS!e|4t*erxOtU@YSJkA>hCyTQatkOCpJHIkQS))H7%$wvbt=y1tb zA2w2x>@x@0 zl8^;*D+N^Iapis^5nsX=VII5p!fRv(`NW;<3>+*{Jmf{Z+DXhh z1*?JoS{z96osLlGJg8;;i(?QI)dTL}b$at)riieda?$D%rcHOJv!|~#125+yf!BW2Y5=y(WzR6xf z8isvi*OonsgImjHA1FfM4%ZzSv^HUMG-UvB+Mh)e@=g%a3_!BJR;Nx=XM0`cxQd9f zA$WlXjAWwA7|%SO*K}^!a!Oaf?1#tQ%z-w?qDhrIiDlwMHk1K4lUx{#5*HJ8b>mTx zC(Hs6Azur&Wgc05O=ssb5ddNP27}(n`1l= zeN|g)hhed+2zL65zf4?ebNo@&3o^Kf<5WQ+uK~`!-WV4q&R`fyf&-H<%8$xi{-}>j z1wbDMK?gpCbNR5xaAYv(7Xdr54O!B2`4-&$8X7SIE-`h=lmb8?n4tRHNta@+)>+U+52tBbI=Bf3D7dE`Md{ziSC%SZEJd z@3(4b1rbv#wuVClh&ORqDs~ZAxAZqO+A#`oNuxp<<~@-6fYI(TnnobXJ&z1;?%o_7 zFXaW&aZdC;>4O;}H~@;mHclMvVHK{Ib~%l3Tk7q<%O}mX9m55MJwHqFso#)7APFxt zGEKe#8RIO=B~Tp8e1(}736-*@i6WDGshu3^`Qmr++u+=Z=K*rFXtQI4q+4;Q=Y^S( z+IpKCHiCS})Z&2^&79>=;@}(#yS$Uv5hP+-Z|xCjMmi53i=ODek#T_WKZrb0%_ECv zxKF@tbBx`i>P>$#$d3(?A4&_VAe_7I!9roX<- zC}S=&nV&GNluQziD{P@jcKy`e1o8-WBebjwOqey7d#t!iLVJu@DQ!>MbbUJzZNEVZ zKNg35yMBLv>Td3M(NfIBlSlK`S`X!ZKcd1cL6wg#L!^Y9hU7Szfx?I05~eI7M(@a( zP*qA+v(%agU>ATPTGzeVo$aE?0ewbo^ncJ?^4EHOncB zm6RT_vxrcdH~x_db@@id+Sw6@mAY8Uyf8DHck6n7xhV}jegUoi(ZaMx0VAabix}&a zligK*+ZUIKTmQmkn%Y zW9C`5nFJl?yip|xVuB6rCebBy#;;cuCqj%qVg%B985Kcc)t(y>C6ELZI3&!MPx+qs(m{t);I}+SLM(mrJytaeY zW(}HZ49d;Q594IKLTj^stf&xORi-Xz<;pKM)lSMQ)fFpuROG@I-MLTj;M4?=G9%V~ zwVnuCNURV%FjwR&7QWXYlSjGz6%XZ^DMcn%Pi&=FB^cy`UWR(O+E47z8G7^HB{EWT z6uDE{)3A;Sz@WiTDLz8Nt&`TJNW$nuf_>R@8!XTG)(x z%nx-guh{=X*6XqFvP;i!eK0HCWw`zP-FS^Qn^P{Rl=vq+;F+apj9fsH{u;(J z!zsJf=p*SJQ(A-Ag<{&-1mHMz<~|81*m4Wc|1_H)*GS@z)}v90k_Az@T0~+-K!^Wm zsxfCo)Osv(&$GLWxyzrRsR!hX`x#ZG#H20yD@oh}BG7r-dVH|unHgj+3^SayIaH2L 
zgaG=-o7hpxX^n@(*%bJ&qdIbK3WbqO<4%$sfwuDu$yIDj-KuvT8dLB#YuWvfzi+uYAQjR%}nz%m?}?Gc+h172l={&u7H?j z;kh<{I9dJW+OJ~y?D^08b~>7c8N9!kM-o6ByFJYEGQHVO`FYRjIic9xz=bT~{7`2n zDD11}8`>ao8=6EyM_8^MPlQBh_B(hZ!>EhpE0cQzuxxb!ZqR(M&2uWG8gpg+*fz<1 zdI(%Hom?ns8!uM?W3|zbU{2yC;#!}g(rBHrkHHPc{UH&fa!i}Q-#Im)cVEYGW0>vN zITfvjyO(f2Kzw&N)mYHZ6(;rt6|a2g=jzfYqeg@Cw5Lw7nfQW2QaaMWIX*}Qe5J@M zu!dKD)JW_;jwxXjnD@F!=cL7P_&ZB1`msNS4c>Y5YlBEBsatk8G=*CoOvT73%yqk9 zpvat-LKRmIUEi!se@)e5Ep_!-m+R==1MjTgV%(iSW%HQ85+(*4xP<%L0hI$V(!d}c zVU3<}j8a8z2b{25Ag2u1CN6#Kc{OQ%zSTSU3JjE_wy~|2E1i3 z(~aeO1c6o~DBxSgn~~1WMGC5s&j|8gKM39b^KE`ro4`!NjuteVzMrfe!~Wvhl;#E} zcD7Cf=HALTgs!Kwnk)O5qq#~YGbW-HWa15U%|71-)A{6;akti7MF4?1-6BUT>7UMRGoT80z4tB9k3a?MM~3x_DShI{!pj z_XO{sSQlv+`$~3h(EwU?b|EI~kk#*KfQz1A`PCF)@A+W)aDMp@kJ9G@${$QCWN#Y2 zP));;rMM{GtdS2QrUmDb|K&@+$(25xS&YZOm3)aJ^3H$-%9*Hvsb#uzyt~JXu4E^k zy)mbtE#F}mXpw(CGrP+WeM>Y6;yyBh32#u!|1xwf6_VodBgb*0M5#8XJU-2Py3>W- zh}l!ggu}i*(b;&i>j-X{({1|#P0qF?iFnFQFB&&Z5QjmfZ$hGS=_t$S2x4fg(}EMw zk#dh6W`p>X)9LyB?jnyN(dp>qaC9M&mh}nQftqcrzu`?R!WE~5`Y51(>2p3$xcoqc za=VB5d@j@|(Ag@_0~;i%{KgOWG(6NK#%;l`w=%pxmz6M3q%|ju{x_QsDuT#~cI3Cr zqjZ_)yg0O55Ze2o3m!UG`Nh? 
zJPR=?eR;1to~Y6AH4hKUnAyIGWlzkgC(wB;UE9gxj!R|C;igoxd-#U|7lu3}6ECa3 z%tIcB2XV*Jez6Z4a4_3)6E2*3cNCv1G?M!(au*X2?XFMEV@CXhUz;H0trIMBGO}>e ztkB=4sDvgQLM)e-^0O*MP9%Z&gskl8OGB`s`M^tyI6>+Y_;LyN3fjYcDgk6g<>+SL zRhfA1lt$F%>9vsP6KBZ-BoUdCyo`e-U+9|Nk9{5qlW8y!bO&UP)3cp|DNZ$J)glwt zy%J*M*4*OEk0A&@AacSx#{UH&7stnb1_3{Vqga|FEp7$~F}@Z76~sn02EIIWPrZ>A z#hrq3R*i&#mqv!hdeP-`9I}(1wZ#?M6ZgpSz4}RH82x-W z{)Er^T;$4}&y_1#FFb%ZKEoQ5A=m$0X6L!Ms&#vYJ|QwC!!iE5mX<-Ds4FTf-M>g@8#oe68%7SvTn+LITkMu{jyQSY}i-LpxG{@bvjmaFIV_p9^ zSReGCQB$4UGU6T@?Akzpz(L_owCByJ=(B%ILo&`m&Ru`(V@ByLgE)0mHeI}V14BA* zeC~py`foD120ax7)VS4WBVIy#HwtH*y`&l>6i>yjK|rO!@f?fHbh z%7i0696iGqzZ_%}{}z!lO~NITWpqq_bPOC}OYatt2_BP+zAKfGE0fg85|=9z2ZXb>1jM216>;fTO!(5VNFnS%&u zNw-xB%lVkrKFdN+ddb=6N`YY3X@MXZqBcm7|{t(B83NV(!a)>n;f%WIbnxT_S3EzN2X+atO0mPzyjOeE!xp8p;$alH) zOJ0iHVpUH3s08}#;1@Z(RmVG-Mf7i#Je|d&oFUv)xqHmbzddWRvdf29i9PBfXb5RA z2pSyGO9UZ&0{DlIyjTLraR2rtGRD;r8G{@Vp!0AT3oQNYL$!t4oBK$Uj+h6;PPEaG zMye%PKxobC(~{>N`hwc%3Kg+Ttyec9%Cn)hiutt(i-g(R(ICETXxrOX%evhHR=4?V z5qV4aF%cBw!$}B&9uvV44fqR6tnwppt7|pHI_YO`19i(AAO0E(<(j~P;L!YFzBbbr z#DR!@$c~Qm^HYrbB?*F%biT zAPfya|Dih&1Pmh3lTeBfu?AxK_uYAl{Pcyc#t&`2@Y=se>D?{il_rsrsT^9&cy?tv zqRkQS$dNAdYED*pX7|H`pHYs(@hT3Iuiie!;QUGp5(Amu3AMj#delxP`kvrfE1m({ z@+1ssQvBpe+qooicJ_wKy3I(wlD9HfK08=ei@uyHBm-2M=GLJQLZegyNF&&!0f_W^ zhcp)W*50vYQ-8kK(YdT!|DR3g_q&~&iJj;CUD7z@5)<2Lb;sqit}CX_Z@Tqleh@LB zj!ecV+Rtyxn)SU|d&?u_&Jd0wjG7WhMzRiK#gTz*>K94?D%);KBjgYSSU`YiYk(og zZdL%GO(I)y=w^oZSf1!C_)#pNdnK4bzt=%x0=?olIy5&rbx@#gTS~^Zo2ID8r@2SM zt9{yBb;3BiUbh{={EqUn$;7MQq9$h4lnV5Nr$=1!;a45wgnnJhFQf`z-0(?XBD2B! 
zR+LP~&17`1J#4#-1-?G^`l@js+WMQh5%z`P&X=bGy1wlnUEu@KUIR#Y!P8!!2(TiJDsHF<%;jkJhY&hqw3TvDBp4tWMZokaz#>p1{Fm{A8Xf=7!|(P7 zkhRo~jTP|jQ5yibT6F)bGfH|e!b?lAG=kWdgI+0&ZBo)+$^L`PAx@HJqSLSPl~a-vSHV+3C_Dr;9^zBdhErx;ljyINe{7sXiX zkAN}Fl=>i@j1kht@qKI1pCY#4VYYoaTAhqpZ~dujO4fsQpAW=<9SFq1GVz2Ac({r{ zg6DbcM&L#j<6%fhbA>AVzhGwOMn;*B5oaR^u){dw)eIT?Y~I1lV9hAM9cZwKjgo9` zN&Lwk!APs6OJy<*^C;+%Ai$h9BTNQ#nwxiQg)FS0 zug3dpmw|=~RrIv3=CUfV0-#p%$N*Revhv+Hc!HdCl!zGsefF-;ypDKLCM&q}RL@$GSXJ(RCuj0qQ z3g+8%ujU?X&yksWv9{;=>pgz8%sJTps)&V;DCU`jNA`ZFe$5EDG%pLu}a2yLHmQS4ZsE zR$T3Oi78jpQ&y*IkxML7PJc(iMiiqX~JaYe%7*OaVQ6{H&{MNi^j?qX^}11inuc6`NaX4yn5C%?V7Mr!V)_O^-ZZvjT1A zvW!uP&d@)Q*81<>PSN3a5Jg1F>BF<*N;%pzpQ&5Vy{n>Q80BQ;(rEM8_PXBwAKMMb zIvQ7lQ~u-$;`#;ABOyAa;p@ZmCuhf3d^7yTGw*A8?|&PK6P){dJ$ALo)(JkOiC;a* z7_6AAdu?8_mRUD7Zdak&FmCF5aME*HGolk?@LP;+%piF_t9T}3cjkQJ0>3gxV6aRq zx-v#K=_Wkh&hpT&j)vS2q(d>;_kz5w^S6!mSK4o$`=778&W`PGkN0)+!KHN@fZzanfuRCyM2Lg}11MDQ zgdmV|cw+?u?txTGcWSU%{HEA2Kkz!|I)y3-3HSkWebr-)oQqJb?z|nQJ>=wYb~*Rx zL0344g4QAi-AWaPJy$5?g5e1pWM(+eEH9qHRF-++*ggdA;lE z(#6k$1q8GKRrxV`kkIX+xJ^{I0c=3(WU>^V7joyTG3VDkM7mkH-fQs-ow)W zu&c?9;$Fua51kH+jc-EEcW3L}zA0|6tjG|5CU+^kST);YTZH#|jAoOAWmgx)LY<;4KQGq=V4%Iu(-I zXQCRbF7L^|FjlwMePMRn_E%)_hfZnIN0$2!Fr~it|H=`cG&#VQi!{;UejFw`#0;?< zcyl0dYM?G+*sE6|+$(XWCoyf7S+22Pb~wsaTW(^&xmz?jCbLmvIxc@T5;&*``kQIM zMNAVku1b2*Y(&2}A%t%p)v^toO6TPeG|>^C4Kg*D?5(U*NbfV5;j3nv{bH&wc=6FZ zdwcmOn&#j$k{=~|)@IY(!&g;+3gEDWk z$E{I~tJ#y@KW1{YeJg73uRIzYom=rK5tvXyiI7D>7F;kSL5?Dy=i7T*hL zCSN!c(ews0R>71r&K%vF|%w}PT zVUzD)CS&3nqC#pm*4>g#ng?oW_o}{fm9@3M`VY{kx`L7h#JNSSnSIg!USKhy|D7gp zE#%>9>5F`+*QA!=_#SG{xlb*xAjh9P-tF!c?9_F<5j-f+{}QOP3U1|7%@(1N)gM_e znSbB@=hq+Knc()52VQ~*#$8H-v_?$GdsdU3Cc&MhU220WzktE?;v(si_>T_7G-Gf4 z9)8kl!D52l%NSd-BrV&4QO8Pexe=S(vY(UlUEqO5oF z(~rF65>ksU2NOG(Y5i!7spg#b+kf9aOVwgsSYqh>&-T%GzV|>BL)4la=8GL&T^Jdb z0((>2Ercdm^ZPdHx`G6tpGsaYV4ie=XAGsyAPy1JGQKlb+uWtiDV^6@xp(Ng_j?yy#HakOAP@*ZA zf+w z$d$Ul%@OaKa2_P|@}g43KJ5EpgtUU_)L0lTYD-~ln|%E-Sz=x@Ah_UO(foHj!HH@8 
zKLaB0CQVvVTj6ThLJp47n%oQMPp1C?8Ye#_jQX9=IjI*rOsoIMU}noi9lWT2!d#t- zdQ8iHJCP_7#|c-{+C>y$$?o(8!T7nsI{l8**>8{)s)!h_uxnH7t(l;VXar@7(G2HJ z59}Y+m7{?1-{heP5)&2;ju^@WM;DrEtM8uo<4+PD!z62LKMX=gLhrwSV_y5{;Uk+Z zj{InK4;48Rwp|`RNzxm%=iOmtR{T|AKiP!4!P)GPS=!g$aBo5!wFAHfdoTEJ#+B+& zHxmClvde@J9jsPpK(zHnj^qi|qx2vr#aD60(u1BwAp-xwwMm#5P7gkemZBldn;_Tq zNV2Rrbpc*>a@rYX=EZavqrE>&;#j3^_+ecDwa84N)+TH!`;fB0ANtctn!dt;-|P$l zcS6&=d%*q0a`@R=}|RzAv@{_}gBb1?fp_ zjFKSKMR|N)!Ed@5DfF6!REz`K6Acx)cXeW}$CItR?1VH6yXLLN>TA`^hhVzejf(-z z2m+LMk@RF#&T&*w&~n?0@;fPWQO<0yY9BpOm|~@?2CFz~2`u0U>DADKln!x34mdnv z*n21kpG+US3C<;T1^6V@?L*qI9LXCcJEG-INEP7^6@QxBaq#dg_@%M^SpdygZ-X}P z=kz#vame_yxwBVipMNO*k)?e8pE#DN<3~#hsl|(I>=13C<&qa|T>IO7lBgCj2aQm7 zsBQib@{WeymWG$4>JpeJPhq%Zn&mrFk?^y4HY!6`>4Knh$4EK~!)Z5yuLIp%pLslg zOi~0?J==O-9M^ItBsEvS_94K;TTJie-fe(hLJB&vfb0TiiFnwV-6n%LE-bQg#t5LB2* zWBMFHN3ISe_{M@I^$>QLVQV%lC!PR!c=J4A?-__rL%`fV5$0V&T zdk7AHM?gA{2-$AF5&Qn=eWtoOd3SzH|8edhbXpqIpIGxJ`nA7`u#W}58ODkHip7Jq z?nKo5rN9g4wIbGZBo$R^-DK${d^&Assg-#fM@F!1|GWLi^P}e!k%Z-Hc=0AlIZt4B zY17SfV8O3D2LK>pyv{9NexM8{6=EreE5y3%02%oSi3D=<=LTEXWtYK|f&uhjjbJp& z+V3!c?Qy%NjQHQelU2TLc6{qV@89%)@Hzfm>MCxX@uI|gBt;?5aGfz#pDb}PK@LsN25P+^ z7#L0p;Eh0Q5yfbMj!gld#U|Kpr)>XmbXzrTOmh=lXqcn z$fA^K!>F0JD2dIGhH6rS!(?3rcP&o(T8&>v45m`LbY!qAQzA3wbm?R-L3dDKWdxD( zvAQE%!--kLSwO?-MqT+52(BW+n)c*7e0&)3MUov#=ny#;M-bL37gzOZUqlR;kc(N5 zvCsn2+%e)=#6p%a5&}>L9E8EI_ZKNt8{G~^5j@rcyNNU(k<>d(C`k=>-9XS0w!#p- zK1fnMfo-1=FF&V|)|Cnm?bH1QD&^Bz>2CV0;e#`fJHTQt zk2Z(GCn|=pI{+t*+EDi6Hqqr?BH0N-<$v=HceEMTwHaF@Uc-keaJ)rBV4!${8#h#yX~00%ot%S z(c5$QDSfBg$QZ?2;0_jA*^YQLE%?S6wzH)ng$7B`f3*-Hh&ldmxswsLnmv&ubdV>%G!J*0vZoJ$|1 zOqJs@XcMH*Tzl_vNoszLa#&R?p#z4nfr!0mDii^_TWccFF~#@6gxyO=;5)+S+~5Gw z$%ULoibC!Te1u`-VvK+{XL!KxvkqTb6x`hq5Q#=RG{Iz|YHh?Q;xI}dl7d8f8+k!^ zfpE|&=5dX#lv*V94#W)x4J^}CJl1tjiz(wGqlP z|5uC8nEaHfmV57g8@@;18oL?^qNti%S-!t|1~f{TIx53nx=_?v$5rY$pMYO0$nhBxJz^fRQJY6ArNS8!Jdl-h(PwBCYB}1ASr%a?# z9>!?BB|=ZHa~eMpL#l8s79o}fAZQ{`M&_ex#*V?Q*QEpSWb?@+;|J=ae|97)^HX#= zYD$$^)~fQg5{aON=66M688MMNeMmiLIYFL 
zidW&2rHz4L6mCHaBYktKO&|QXN|FG&% z;QW2OlCLS{ja6CjF&4-})t024?s8Ly7MS*u5ra$Yn+pE(=1zUYyf}FmYQvIMh$RTP z(`XDLE?^*?s@c}(eL#g}%rDRPC;Fm2YTr>tT7zi4mmad%-7@;%1Pf>)#(xYep4UKV z9UwkYAUgLrIanmOLtGFHdI<%5E<4e|(WGA-NQ>=mKgT28ZB^CH@HNAdT+v*YkYT%+ zc7c}8qzGD^nSy1^*gZ(RoiG=UfNMRfqb!~_dLXt;YrrcU1p^b)8%xL-XI3oCT(lF* z;Bhd4jMdNI;!TSga9GL!)(uKlL<2cZLsVTib~K=I)#?F}Y1Kj^^HUT@kX$$euOP{E zG8;HNo?j%siNkP3VEK`#Oetqlph&GG`_pR<9yyj0S#Hq)7Uebtvhucng&D z3Q>rERb<#|ZPU$k49-QsC7e(u%1=E~)eq()65V^x))b*?x=t9xOzLyFPR9%S@^}7W z@Jb8;m|-0(6dX=Jw&J%FDay+qnic*q7$j{QBd!Gsq9=Sf5ZNM*qe*tv$WqftijGp) z%$Oa46uHupDd+{!d-^l+vM3frhSuIWAR3@Kj3H8Z6!VE`1WNFpUh@d zTt|$pvbLNO$J+b{ku|3&kLl z^VAMiqXz8`oZyLKEUt45*LiPMPT)o=4HHiOkys2BiIjopS3P`5v!S#Dc^qu%wDyo1 z4RU}H1*uAN9yg6=Zv+cOAW@L!rH%aKb{(&Q(kETC1G=UE8I2%gsP7R->;NiRTF3^q zZr%6v<&(%BGDIFxr6fCnDx=`1d={&Jinh(e<4)Q1r!dc5o#i?=ojK__38+$UImMFk+vD~WJV7ew zeMGLX={u1YpGT#9d&LN3>X?pU1b(`C#~5U5cz&J77dyg24Nw;|L?Kv7!SZY8iid2U zQ1c&KdnvF>CrC_7uG40d_Hu%PY*OlSLaJ&+Z3plg8)?uW8WA8I4eFbjUA;EnzMQ~a zH82QL?LY%KobOfkXGB88OUu|xBA*mg?N$#Ca!{D=kXSz`)c(OB6GMZIPI!|X0`RVc zH1H3ZKj5gD%;$Lb7gWk!QutxNOxvCm%xJquYg<8$W;nQrtG$)+d$8+& zRHyw&%%mu?luJ9bYMPI2xUJftT~b`=wfJfB84YLgs|K3Zn9#Z8p`L;)Wf6K)HlsZ< z@ra#Kl9Zuq5VbXfkuSE_BRyHKyCM6Z*MtJiKW$Ew`aQCjGjC=CA5bdam%N|EN_gWa&4ixQ9f{t$@h)Qjl+A4O*w*3{p};j=Md^hUQM zrMt^9x>F^Ul5Q!f|A5gU(jYOqm6AqBH;hh|k`fUF6$>7ocjwKy&iP%}d2zn+x$nzK zZe-NGD*_s1-H`xcx&N3$)i(yYv5^zB>GbLH8}Adt`=0Ga_Q;FX#+Fz6#&^AM){+wG zxFcwQ?zUA`=AR>};n4?e&3shdmKAP=j|5(ZRV9ZP=eMmD^pm1>&F=h|qZpG19rCk0 zR%6~Sb#1II#K>Gut07i?g%06@m&AktQt&=WQc?57&3>O)`qx|{SMV1+4 zlOZNim;Y$t^ZQaq?Uqy;fUW-l)44`K(0~*Zs5GMV^Mn;s_Kh?hp6EQ{rpx)s<3GF~ zCkz>UnKzs!#q*7LxoN*F{YQaHKRr;~vh*=KQL}Rt7kPB}E!Fi&A?)^3|LtTH^@P|~ z36J4S_!O9BFV*D6bx2@}yiH{W(O9gOs?>Sii*{iDc|>HeTsifb=s)pXK&L)<_PK!V^sdMAEKUUY$s&(2is)4Q|9D*u5g z1OoWx$~2P&>~LFZqHxkQRH{Irz*60VN>f+g1vMdhp*CaE&)EhyIZ!1oSAokqSOKbc zv+SARiZG^Lc02)*nXo}2A?sa8BD71G&mgKRWF63AyMVs@}=sFn}Zwl*p;hHul zS8?vz_hpVO*Eu!?Vz(CxZy-xi)PZOF!f;Z1zO7+RE`7#=jSt#4IbWtv4Pxl5N7|s@ 
zLNxNl6umJs=T{RMJe6t;dEs0-r%U!NLn6juy2<PyeA8-KGG6~1F(D`;>LF?3m4+rMsSwSogvJf6y#+~v`2H%{q>bM&EKw*E zN|&c&n&iwI;Eb`Qff5&b9_pjhat}S_`ytKayj6Ln32RaLj-*;uvNX`clK(co=Wa$$ zKRK`kz|D(y)K4$nY*e{;FfLF3aKu*!ZGTBTh(vRe-q8r8Z$l|@O+ABEBzceCEut?p zMiZUO=YG_By4+=hsc%`Yi_sC*P$wYowyJOJ(3LJV*c?NsA|wD7PmX?SG6-ul{)J~t z8sA1k>-aJu7Rp|zs%gi*SA*m%D4cUlN3nM?GKg}2iLx* zSso$Ly@}_$^>(AciQ2# zxKafPITweLA+C8Dl!ixnJkr1euH;l=xUcXcg(NtEi-~40P!kgI9%sOL7U0py8^_i) zWuGW~5qsw`>k+qez77+)%eT0eCeNq%Z;5w{7o(oA#nl@V`&QV@Y2A5YB=T#o0+Rd7 z7i8+sK9j%BFA*lI^_Q)3kxjvPM&hN2+sG#afy0@lqhS2e$TZW3Q8BJ=zbej-w`|&3 z+_t^v6ay1kW}}iHmC$sH1UQM?{JeRh^9|h+vTcYk6WqQukPc=dO?VvyPvkbmJTKr2 z+Oyw_geSnWc~DQBPo3$fvY%wgL`jq|&d{W)#Y<2gkN_?A;Iwp`J?1gwg#3Vk&$c4vR#K zlQjb@et0b+Z)~}h%N9|)Ixdyv{UPD;(-QkVqK=`EeL`~yFrCB#`SdEG!9@YULLSly zp*JOrFOQYr#YRn7zM|U3+U)hdMOR*rJ0mR_bq*Dnlo;ko?(sUMk$f#LOl$CtqbYw+ zC=cy^-j7#!;m#3aOn7Hg_(1;eTv4ET1|b(%GEZ8kxFL>j%JEwhm@|Z!*>fP-v(1^L z#kF5*!LbHB698HFy(mth z7;*!F6!=~a^r!T=Sh0OZ=JL|3dlU8gKELk>)BZ}-T<%8;T&eHS%gGaKim+z?0p}gw zXkdj-OhZZ+EQcSsHfQ&xWLIC(P+BIcy=e5$;k7NTRlkeM{&!k|n0)T94pmC{OP!Aj z{1BDIJ5I9o~R#L z^e`XI)FmDzX`D>HiZ^*Ylb+yx--9XR5Z-kHl~wW_6C+%jf};kT)S)hZvGoL!&|f4P z?9^;i=n74KetFXb$7u2xvnakOs-^R+imxPJN*$6E%tuUJM997nt(BXax}Q}yeme4e zINqJD5Ff}tG^?$#-m=vQxs%nYWt#l5ZBKeQZ^ZUhqrh2xfp1KxvI&~p$t3gUGYHM* zi{Cb4#y+UuL>FDOdA!+w)-Jh;04qCCD+w%syNb36`Cy)G7uq}mO&3rTz{agj%>(kirA}jJ;c;FjWJq0cy-?DL`exILI*56f1jTPZ6^^uxgA3YqB~} zz04cryKYLbv~i$*cQqv8eV**tu*39vb%Z^rIZo@Z!=0PFQQ^0K$wo>JI}*Y7EwKHGu6^vF zm`LE!<5=3Q?PK6Xn$TL`Cc|$3^yI`v&HAoq`lsSLtu?os@3HWT#bwHl0GUwVD077dd!p^+NH@@lvm$XFXEG=tGB zYZgR7t!IR__FRRJvHe5a$fT!93-ALd9&%~=itjL%oM{Zll*J$Igp0W?0{d-O&M9;l zOTh=)7|~@DCP`0ipjKr-p=Rjw8v!XfazQiBeLHQsCJx#gu%g94CxllhiX`*plI&7_ znz<+T83vo07S?(C{Z-7r&khF()tdao;bYs(`wzbO44(dI9{l&k|3)~FG{dLfC>9(A zq+VLt(U?_C(~{!V5iK09k9y1N*Y00Fc#TU7Q(`B29w|jmi%Sa)?+`fDAnp-3iznCL zqMC+*2)95~k_l)6XA3RGM@^LAt1@DJZRz^QzHv5GrTbsxqD4t{V;|j2uF!g;@?@u?kNABKj0wKe5RWcNRC-ui5zKp_wQ?P$)B#Gyso997TctI|F(Wc 
zUah>o{*n92@hUIUyl_Jw;G3gW0@2@Z?H6j5D_qb-+HW2Rcai^Q7Xox}^eGS4XA_-)L+3(weGS1a2L1Rn- zHk?vww02}n>Iem6B;>CuVLAxpgo9%N1+iN_6^e=#1nEW6hNwCl-?B^y2+iXF7*ZDd z{Mu$1@oaG6h0Y?~o#tm?GJRmre1`qQ{Z+f*QJFeSE==XlgIERbo?18^_(iu)Vro%4$ z_EPgX6pa<6=k$8?_Fk%``luB8vOAF{J2Y<>32p7^esB|w>ri`7F~r3a=5ZUrqM_u4 zSld+IGqB1zSQJ?(BnAh@a5pT=7^qk=F&@b12eCDwERvpBOzfI(l|K55O1;$J6r*5L z$Js2=$krIx{WW`YxnLU`ZTruRPn-KU2Bpqxein<;`bU=62>@McZ2GWI`i72A(geS4 zndt62kq*1o!rs4`pN5t@uj6YytDc5exdc@iEaOp1#0Jah(AX^c5pIUMef4sjy1B!bn^Y! ztuCm(NcFM*&SO&@^|ye=2==0H>m@o-VlnD%7D+UPKA*~Cs%vIH+9+lGLHP3Bi1op6 zULf+cTKV$ezxlg2=-)1A>O(ZM>jx76VvLLysfm_2j8SmK$Q)u&e6hNG7>D6l_nKIL z*VxdS7*m|Q&|yN(6X9zo528vBQb(zEQ_*9G zA$WI9d|gxV{_)>5$sKbsqFRGI5NXq}#8@<}t^ajXEP2x~fl{ggwqKEz8Gs-Fazw@) z^0KBrF)sm;J$!dYtM9?|#H8=g--G+Rirwx~_QW&MF@p?%f?Yc&Q|m zcXG7wg@2La@$lQk5?=Q*dUx>IKuOTaDD`nklIK{o(D?OHnfviX%Sn}{#^iv|q<@`G zCAVl*m2NvG2v1yljaHpP*I1xQY1M1S1ZvU+py(meMJ?4m927rF4nfx3>S*}B+>qqC zYibK?ch(Vldacmof(ilXkeX&2W_}-sEW|<0y^KIS9wOV-BfMcY9tKU!xN!hS2TlOU zn0?12HgO+?O}Z6oSyeP3I922O1pIu-(u;!T0XB9J0w#>x*c=Uu&MRm|>LVvNb)pfJ zw@blWBp;urY8OBL$nB#4=m_OpJb*s#7rDhsemVB8@ITgjJ1R&r z+xDtv3X`;EHKde4`fLvgqVJ*g#80uWTjhyOv8PB*ogl) ziFE~O@c8hzqt|^mWhK8|ut^Q0r_~hYCnpo9s5=)o(HGOF|5Wg14m` z`4pNo%U$)a=j@~SMQTVyjqpYH;6euE_E;+_@$<{^K_Nb>A;L^y;(tak^RIBwp+VAK zchIK0ehqG&ndA8n2hU%8dP^kNBB{pe=mn|F(tZxbbd-TFj~|n_F;B9A1;3v@Kwb!X z+WmU;@AMwDuhiATqa%&wgC;W`GOasEbR#3Ql}=cxY7Rm zXY38|UTvlcP(fm7_h#KihH za)LUcpZ=6LZKc=W#0DG0SiYMuT+A#U8qL3UW4pK@0$3IM(E40qYAf5KJOPF zRc3D*KfJ*y8q+vTqGTtc9SF!oSrLM_u&aK12tMjTr5YFGT>$e$c9;u2wM3zh6W!8g zQ9j^tOeU_t+4KW+TN<1RiKBiZ1$>@f$=)OnHONNWii<@?Q18P&vEnFkFzEW5Wv0jzFJo5Oi;U}|RJvAvPh+F+w7Kx@r0zn(6o>j&q+u}6q zhtK`}R6_zmv>xZE_(e@&eBIN?c+$0Eq~hRtWnYwL%t4H@naXK_kdU;h&o zMLQ0e=hi7!c!kX_!Z%vmK2T;EkzP}WV)BMDiqBKX0*xMn)Wy>WdUf0OP=P;QQ%8KgV`U}rt= ze*Ss)6~}F(VD1zu6B0V`G?b;GyUM4#nyL#X_AEd&kdNZEp3JWMx^XzJ$U_HG0%_Du zR}aQYpQ4MN?~R-!)>0pR+#!tp_`s7|rgP)35dF{Y!A}2VMLz=Ro{vowqdkBt znvU_`9M``&4>WLsV{T9-ms4K67qR$Sm4f!KiITgZlG?z5+JH|)oloEGJIHAFPSHyq 
zA}$QuXY`7kbyM}frYi}UB*A~rYy@NYqhK5RIw3IKjW^00Kjsa7-FVZy-G6qL#kv{3 zL&i~7+*A7DThFNX?m@UQ)jv{;ei=sP{l}5}EdSL@XNtM%8% zw^3%XI!Yw?Ry-JDhR}X!1icgc5e8*Q=8d&^xy*ZmG z#5JzY^LtlOZ`!87^>@9JvfZ}=@oJsg)05}wyU3} z9LCAkZCFvHPmkuaKhwW@ z-|hYN#{}6=??Q7Y#w~C6Pv3vKTRM>8AR$~C@JD{om}>! z*~_EFijr*aFI#Jp9176ZHxY^r_p3BbS}J}m1}|k88Hf;iE6Ls8V^a_e=~dnM%K zPN)*V^Y!pu>!Yv5^MB^fIQ(*D|6`8`{r-9FVTz)xX!zUn-QCJb!Ltv4`c8QnH!V3R z8dizKhoCkMI64Th(=y5DftQ$c0DL)GXu*5Z#Kvj{YBvjV`d)&;>FJ`PShN@sZ`u9jcqj~rj<=I;F5`gK1JRFW%cVI~%3ui6*FkLH#wWIP zIq0OIFO_{i_j;&Qu1|J{t-X8NzBc-TSZI(Lpd}%g>d1`K#Wa-5Q_N6RSYJC~MQ+cS z9`@z$Lv@n3%?$U=D>JgR)Q1P9?2p1XQ*|`%@f@4cKNSj8+>ch|V5bQE8?voo#Aion zaDUHR!8Eg?*3SICSI|RJXF5boz90-8^^ys@#0m0^NQibweL{EewX~6 znNL;Fm-L&eEr}3oVgIX!&)xcFZI^7a@1)<~#;Z^2k8szq;Kn=oaeZgC`w8qU;yW#?%mU1vX{jc`Q^Fz3r_Bxn-pMZ=0SlG5?S*hZR;{2Dx@TYh zLcU}3>7;Op4fiw;u`>69tdBA~nJ%$1kS3q|{yS@QD;AhYY*C7@au&0#*xn_1`*hr; z2}!sZJO~eEq5493t{SUc@WA4E@!IG72s*5l{mUg4PH4MtLO2l8r)^Qqw8JFj*8lJh z?k8Pcj#xg+x3yC8yvlnVY9aK?p>G6Zk)MS=J8I8EeOobO`WB?6#4|*B?0u`{P{v+8 zqOXq6ubtBG*^$x^ADBUIdN&Dei%b}z$(?vd@LrFol1iWa2oeQddie%_+n@wJEN~4k z55-VVJg|{y9*OYe<|0r9DLI39=&>P$jH=pk9bkF&R{)|3O&C`lwNHm6L|B#)wRc93 z$8!5mlHoorj}6JxAqna>94NJehQWn)y!yR~ic<-rcuT`%w&o(5YVFYv%}ybNP%B5-D zY6ToZS@O$=?F$UI+`@o+$zg2q#dnOyjZpZJ35AC>I(y3X{+m{94>v21F$k00WSlP& z7&vAR?c^o_<8K_vFR=jOdK8$ZyAo;-8)4)YC$hgRgWl?uK_hllowr0y2(sT+;%wTt zizhagpT-di>4+X^G6-oUciGvKVf#BR6%44q16LQUX=BSU3ml#ZlW_r!QB69tyc!$o zt{16DUP(qv&}M0rT5$z%VH|Z3CmX#^w?*6=!%3&OPf0g*>%!P}7!_(#e^Ho~EEITj z79cw|`D={luH49%&Jgeh-SZlCrnRw11U3JN6nFd6tji>+=A`$00DE@EO+og!t?n0& z`E{oLSNR6lFHC_Ak1=|~{I*7TdIT6&^>6X6+j>pC^R8Tj!sW4|HJp64j`&nkgl|lpR$?w~P1m8MP9nx8 z$+y+V35V%pv>=?}XY8o-uoaa`@1Y&S_DrY8QM}ofRc|%H9RcN_!Ba{#DQ09%pl%w* zBE`I_sT6|n=V}^K0>iYvqvk3E1kgO@=^rKo{Zifa>xhD=sq)>kolfn_Kbhk-$z1K& z?~2tODvfq$!ei6^8oVd5Nzw{#Xmc{>USs3v*k+=Y>$B$8t(;&{rjB9IUGdPq{i}vI zO4CR5MtktHIlN^&(2deITTdb!ey68^`7e3e!%=kn-ptPZ|HzvguEhk=b#%$Cbow`B zGUX%0#r6wr6l>YpYYRMK*kzZUaD?cN{D!{M)>MAFIxn^FYQ&F$92Gqzd?Y>nUWy(pC4V 
z6}Yuu$^(Pm;o~57{9q4H4bS{A=4R(4kf#MwI2m1zGGQ@Qa-&R`7^w()Q=>>>tMnk< zd`H}8`Ac89j#d>#CbJ^Dtu3iB0U~p(5xFe%23I-8cASzq{NFH>P5h_Vs{JR##)6x`^0sLj|Kp}?xgnV4 zS*E1NgG|YEWeZirR+B03jrpgkmWqrA*X5&2`;B#R0TkdRQzP3XF;(YhVjxO&RnZab zzPJz?T+(nadY7vrc`xS)(m%#@# z`2V>;Jfuc-)tEZNKXpuG?u4;cCvO zcgew9UHmh_PJh1?X*s_i68c@0`c4aJ>Xo1~^-8_i!XW(YBAXyP53jZpmw$YEC2m z+}Gn^#xWVrJd=QTSXrJL^`)p3yrZ|i*xmk+k{n^Bk`J=?LmsZB*r95=8s3#1i2BWa zk{tkYX%{U4$3qQXEC-2CssXiYJwp&7IJBPuCP+@iOFEM%k|DxDsYbwQ48Chj(5|W) zge5|76G`ADu1QW6#;e*sT$zwBBXO1c_BY(j4Gjr<4U`&BBGak<;Hltu z_4lVfg+_^5xse+qNO3^>e%ZbRdfz7YpSLEl&8zGE7#Lf+So;>MlnKy|1UyM-=^X6T z#W~*E(|(S9HGm@ii}`}tg81OcZNyKDRlzN);Aq52)8vVF^Jmw&FI%tZB`X%MVah{- z+`67R+`M(^_;i#*V#q{NK+?Oyrqs;@oKxBPCaCWe%6$lZ9-y19T}384yV|y0^_TCP zGv~lb&8l~5aMk&DFg7WK7y|XFHOCHC)z~A39jfB_65t2|Q-tuCNLk!9ejN6Mj2ROJ zqCvK=gD9xCG9dur{PWHsA{vnW=XOIb+4&nTI2e+FcQKz-aPV_sS|U zZvW}3J#0X)@etOyM)x4F@SA^eI=R-)rf+=WltG~Dv>cJnChK_6lxtwxL~46oCH-t- zLaLwhteMSTf?PD;pLx+6YN4@MhGhqi%tbKumb^#OA4hb$!fTOx`&mzhmckk6ABqKv?`~goR+eB zs*XX>9Z1T~f3d3=6$ss9eB7om`&r?6Gk;yHW^0T>BNtzrpJrm2LP(Z_Cz#I}K~{UA z`PDlioR&`r!M<_fcbXw5TFGaerCWbV^<{vaJOOqHYf;-(-x% z&aB%T{Nf~Ew`V(RWiZAXZ1=MpBN@*wM2xX)5yPX-M;G{qCq0B<(yXDaXLsg49Yj zdy=kh@>E9Dt6d{I#y>DxgHuD$;k8KSQ5#-HJ?RLpH6&in z@d|wC_4G9aQt5gUqo_b~u1Kt&suU1rdaP)^fPcOPqq_q0zmng|lX4|SBjN2`%4 z#qCDV(b$!0X*sG!*PB}$Msbvl{O3&K5<&z-{{ynrhH%EKyKJv#u_U-V}yz{3c~GitoA*z+Nh_yG1~)YO2m45#Za)JMG>oP#+wrXu6F|GPjsBNX zDJJ#P>FY|w!hQlnfQQzK$PU$iYR3Ql`sp!9j~@P!#C0WjqbpAM@A5I9Zn@kZ6PS>$ z?|!=S7P}o1)B>>B0Yv`Kas%^o|69woN07PS!aBNg{N(d|)^c80=6S5;g)tR8dzKd~ zpIellU(HnD)0J1fMo{o9zp^VQOr9)9zA$R-Wov$Z$6CSkvw}DBd8J)N3zoS(&x&H? z*&u7W{K*fPMLyC#3uDgz*nZ*`@zDBPOvcYL6*)`2!x%kA+CVmQNv^Cw{&vHgV9)U! 
zwf<okaiJ4X9LuOr^Y;(oyE&W$py5lY_TG68Nk^Mws z{#N&Tg*-nn=yfl9R9~UKE=uV!RSrg@^x@P>QgaIPQ8z}+$(99m_3L$BgKkd=r~EC9 z3uRuMCs|OA{YmPKSc$XG4z#%*z-p{`9_L!#?G6;AH!A=B-wUf8$+AapODSZI)qYf} ztBa=?{jMW^*+jO{v@nSMuRDWk-C(fFe!NOV%!H^l?Tf%h%bFqJjFkF=2$BzLl~rV& z_>uLQ5UgSqtW$1XsZdV!@{RSzo5zZrQols@f~|3c0R|5H_PVln^JVE|9z z=boV+pmF?_NT#O#ug&Rx*c*G6?sDtyhXu_C3<0e_JeSv1_HsLlHhP9vGaa9mDGgP; zW9hAC>07Yw+vsTj?x2TUv2Kzn{a)TPz411a1u4f23mNmCKl#(O!h$2P!QJ>b?+!Hk zS&Iy4CNkj~ST;J@*WW(hc$aBa-WO&E4jbSP$H^8BDzg4eGsM7TROYR`ddY{RyWUFL zyg9cXeixP!kES~07;!0NmqUzr6$0LcRQ`pd!JDIDy`vtRqp?b(iAp2)CI>TZ#&6y^ zd(yW@*8e%o2@ydkwpjKK7i~z8k}#588a8Gv*+QgDcIR3xY<-B5x_>}gvFHJMHUt%v2S@Y3%xGP2bcEy%C>pu+P#J2fykw1Ca{M=Q2LXx3 z65hhit?ZVAi&nylR@Cf-HgUw5qSg5KtI2F@&u!N-i`H`AuX3@iKTK<63-5WVcwNAn z_%nLJ#AM)~;-u>Ph3a;2JBh9xGDCb|>520DI{>M7(R-iw%b*B6f%3|Y+Sbe$wvTSM zA1~g2xPv7e834eKwup7En-JIo*H6fTgC#9ZiFdE3c2rBaiDN5_Yxp2E_F0*FvFiPK0jH=q7sgT z-{#{OCEca$5D=~BZ1{x*ZCyh=q&2 z<<HjoQ2{_$zacETRgF0uxlkL1nO29RGfvQ;y|MXca%c%(SKS6GBY_i7Hf~J3A<0 z07C)Q;*Vnh79Kzf(TRphk5@c>_~1RPgn!>F3z z^$3yhxiv~P;V5e%LcKQo{(~OI1{=3S8c4Rqvh9;y@3Bh5&8qs-?pvRQv)kz#-pAGy zDs~uA;Y*}8E$+JOZZj{idIxPHqz7gs5n;0Mi}8>T{DfIh(e!eFi^_QQJjnM*1Go#r zEW6kp8-thrWyneQ>M--Yt6 zH}$uexy$f8CUX|A_OPKl6BlEI<=JcERVU{Msn5p|5XR3!WaDrWVGAD(gYu!dg_I~v zS8VQ6_KbDi@9MM=Th~?ouIiGy^CR2n)8C()p1y1`eQvx1<*@ebSK~5jbpC8Np1d#2;fM@Cb+@x8i{4 z2&F+#t2n|0HR$no4Ka#3hB6_BHzVqIpPGiH{j)Nqy(teb57;Nj|2>tRMYnzyCwDn@ z;))_s+jAqsjAe3I;CrOk)SbtpP$>6XPcb9NBEvNn;Il(uNmNBqV-FFpLLexpdNk?F z1jZtBd6L8-;uMr4^BiBTRJ)0|v9CU*a7MmJ@0o<|Dt^Uzj7KxeD-BIvfhdW-SJ1?f zfZ795?VUkE%+0*tOwtD;9bXcH520_*2qC?85UG&)%*ibZW_Q|zGWcB`4o0o{2fr$g z)f*I25Fio^LS2@xD`4xX8y(jZwPH zL)A$ETA`~bnL=dZE#jI;lnd)mG+4-Pe1jurgV4`Pk&rNjn9{nY_rKOfr}J^|vVN2s zi!M-?ufjmWi*~hPZ_g<}v~AcyUDsj+%vkdGyfxV&N_=`Q*6HdnkAB*<>u(-YnfgV! 
z^tL96OcTfeP3sj~NJ1Wodk5dzCGOma<_HA7u1;#Ec^-JGo3d&q;mSYxDu@pJ@obEw7NVV=&&BjnJC3Ov z_kcIAzYNZEXsv@UQu?hPxGi7%$l4T4e8qJK-A5q%!@b3AhMO$Q4#Yz#-{6#jBhWv$ z^>9!#jJqP#mf1BDlprC|;gg2l5bG3@qvMECNQYJ}$Bbxt2#0`4B3BB6kHmeBvD)-R zfg@p2EoQ)^(0s9MP~GD^uux?x_F+G7cII@;3$7lP}v zQOR%H&#CjYX?|HWr#Rjcg7WfgPyxAcEia5}_W19BM zdYkvDq%8d`TT8Mn!}Bp(skf&|ZYNZk`}x)%-ssTp;qIYQ(9{OCEM}Z*>EQMbx^%>l zf<(S?@f#$Op7EyYvPs$kCrOx|?k7g3ZxsT<$Mzh?XAbx}`Q-bq9q*sr4zdLtC?2*+ zR49HfSYUod!L}|1M~bJq6h5c08>5}gJI4}7*xtL-b6>ulgxms66&}#aulkn%EG`^_ zLgto+1iCN&5kgK?Uc4OpJ3{B>ePdZXu;fg5d$3OVvw9gH;HJDgG zhwWDXtHz+E@%Xg}+D*9R#d^gWP|_^8tB8$fp@d$x{ZexEaNN{Sd_XFz1bnDky-Yy! zH$CaMi|c~8kb&|2G zh`k9h->4q@y|-&xbk3iBIPlHby}i9seoT^%$hYv2UL|?k_&b`gGQp z8O)yqO7SeUtgD=$OoUuP&RzBt=GYNB3UW0AYHF5>^nG)>SRVZpCI}8Pyh^WU=AYHy zmu>IRnw>Y8Qd2x%;G52GV-t3BKu#!tPjVFv+g;2-iwcPS`EYUl^DULiS^T}Q8lk8) zuGx43{erXr01Kr|2#U-V`*$oF^?Rj5(bTIdoX~0|P&zAo0AMYm#dMH3HJ&o4QhyDsq^*5t7=& z$RsPrw53k}lO8_S4c0=ek?ZQH#7BTmsE1v)$J^mViPF%e(FadK_$6uetP0>5j z*N_A^IjmhpZ?9&oGG?Y6M#IPHGUS-D_-Izs%^b1@xEW^tPEdo^Yb((-hOpATp9Y_GTc z3dEv97#wGB@qKRb`XEQz)ga#cslS>ai=V=mv#B-?Q`b6EW7bkX9%fMc=2)4eWxR+v zyl<%=&00^-xcXE|J0@Un5vD3;w+lh(*U~maLo=wI@9_H?@h8LSIg7qM=;X5(&vKp~ z$}{Z0p%@tpnydunQI+YUooxJ$T^CEs*P zZg|CC2QWTdp|NdMp8a{ zipjAG26`)(u&SLGdzC?rCrY%$KG@FtkOdbcrAwEmAvJZ&s^tE!8Ixt1w2Ll=M-`vA z7Dsgi(C=nJ_vL9bcR-zO8kI{%3uDQ`O+go%LOri^QB@bKzQ z4m_Qb<0lqYXDkEqr>l)$YX2AH^P(4*U4@Z- zdQrugHFuBF(Gpu7k&j!_PQNO) z#ATkj)3^s0j&(VNy1Zm(2wwT*8FCi{ygchn-eH&9DG@`$Y3>X;=Ix&CS#F7+o!{TCv=l98@y?G@SAoo$_ASTL8y_Ll^Un<8>2c zR@U{YYkh|<4Z6L4l;7*WTWXJ{qfFe3;B-n(CdWj%%#~+FJ6EqUL+m0Tg6A-@)idbA z?}jX#|Kfz=JSoAw96~X?!8|F=2PPU9lM+>gUL#tTTa1evrlWP2ksD8{D)vfC53Y=F z`>{frNx%WrP+RE~XoRL~COO|3)c@rkWPOp&OGd+=9zK?cU3n7Cq2GsfvTB_E>5uKHo)xX%Twqh&J0L(r>?ji&cU~m8yz2~+Ki)D$NTwsu zvZKzuGGN7X#s%JM*A!{pho++tW=ul?&{)?p?&Dtl7yj(9#`o^6?~_{L$j0w1jWQeW zZmi$^gwZII(NKv|DsL&-iS={|%7qYsfViG?93&k}aFO8Fqz6_-2IW;bwM|0uoQY_J zx})dZU-P{FJ)X2=@7s2zcQ8=lcqCqD#`LWo?x)iftmiek4-8pAgY8_yM#7^y9R^4; 
zq+U?c*5}N#xKcKORBW0y-hedFLz2853dUuP02JfVDcxX3D|;0udbac1 z&+{ej=#KoUeZ7VfW0m*>rtR{C_wYAuvA&I>v*kGOchmNj z93joBss>udo31*ceTR2P&GVlD4ZxAv5;84gvG_fH;aRE|?rjPmUZQ!@Zf;UU6+W{| z2KPd=E`kF#2~xJYzdq<`fh?;g%cgIUsZK)usoV5{<*y^qO6@V}D7%Mb9vlY3v!3&^ z>U9;l$s$v|K%EwhAFt6A6kP8x;|%wgZ4w`8YOj4UZDGpD?2p2x=r>0bcRS2ok^fN& zzFQlPt_&_{vJG}|Jk>AysNG`DMgyUscRQJ^R($?uLn$30R~_4f9DvYnD!mdMpe0`p zNZH`F+jwQ&!($^q{8IRgxtD%N881BV5;V^~_*(QYn@s}k>n~MBjp4v8Z+CTere?^y z6N0}X0rY%{MV7-~|Bd%Du7`Ki25kggH-V1qI!HpXZl9?ZW1}_yO)zB=>e#ByFpme|=@Ri60m~3NM_?r9zVc zN5)Va0N~$>pM_D}NPN^QU6hb9MH7DVdWr2InOUgxewoV`pia^+NGTL{(W&vdi5w3& z_z1uv{5x`JS66eV<2ere!hSSaJt|zu277nsdjI?=*yYz(@FB_)e6&@?0*gTWp3VF~ zP5PEDv5xlZ7A&w4!x%AFFZHURR&2NXk$Rl^+`y*lx^Z4h()?zCmB&tBz~}1jW0Is? z0lr*HUt)X1X!iK1h@(}qKXLfUzR4?EFR=#mQZvSX&`uo*~tD8vpP*Ty& zt8*azvsM2Vv#Q&#nv+=S`*}5wOn8d>$tyZOSy_dhub7BO2wy%Ei2CKbzp?ai;|VE% z`t&iaF#634R>(heN&pf586?V~l-lW5zm`?8{iPFJoscSt6kl z6*WRpsZ?VZLy|UBvJ~0(C1lUOrBWnOQnE{ua({-BmUBA4^S$qX?(1~D`&@Ib%f)pa zuH$i@uh;WEf@2XoR$9DoA3JVz(_ep*oP6n9VH|R{x$fK%a{kVNUe4Do{`+0{ zRzisYgeg|Uf;s=e$$*|w=eF%Pg~pz2K10onIQEIrjw?EMlf*m}$ZPQoUFu>R@S^Nu z`rO&cu$lL>^q1wX8x%=?pC6o|?A!IZ@7(9X8=pt`I!#x)hsT}|;?iUXEb>cOT+&sU zxS&|GYns8FHgC7yvB}!m5N9)Pn=LA+H%5yj_GRyFzpfu|J7HgZ@L5$bS4p~&d=^S` z?s6WY_6Af?6WZ3bj~RSJeuo+8Lv0r!Ng=hTO{}D*JW(O8s9Kc*e|}vOGM`k zqZLp(A~OR^64T=&32$3)e_C|#dE+&Q4<6aNP#iE64+I%E14-~OmhD1;G5n#xqS@{g z8+i5cUH7lszEm<2a?>11^4+a#_J%f+uhKiPrk=|T;yXI@IXIA|%ItA@%SU9w>|<`xmj!A)BN1r=sub1WMNA{DRn2yXjggnJ z7p4o@6q_PadWrb^vSGYS<7mKY2v$_llHz6*zi&^0nbPwh`Hmtef|1A($tp%WCOU1_ zaA8c_qr3@4Of(p$r@{!G4~b?}J+Bih-&1@bb0%I9Dv%cD6H`Gc8l(6OE(4{yW28f3 zk$5Rx-PMKy}RB9uoCt0VqtAtSRE9~#x4w}ZiU-# zVnGO43!tWU-4d%+Xl5Dg7wyYT-1Elf(quvJ%?CRloOn#hyvOYbGl`W4yR?Ob_p=a1aS%}^ipN`Aa%G>-yqHkS6y${ zEF)9pb=7i$Zsg#C{_^t z<{j2S$P~Fe9IEPp*<-xj#Q(M5B|zB;_k@pPoAaWKNzS!k~PptiDm3dqj^+uTVR&IIa{do0?Daa zLFYy5$_}`~#Y@$9&M%$6Xaw+I(aEH?F6n8S@EXnu1P%*SQ#{bc?lZKy#IiY=qD{c8 z3~$>4J9oU|*)5|URMw7^V|(6RjEeQCx1cy@W9e@bYdb4WqmXG3Pf0SP7s_Ku(Pe#p 
z)v4YnKWKAI_Ql696Kf1O+J|>Ph<~ooDk1hh(%ggS|3&m!rEpB#^`TjQLu1H{urkiT zS@vi?_Lh-{!u3t5Fdsw9hb(90gwliQ6Hsq0bo`4gf)!(LG97W#<6pAKA_*`iy9Ehw z%F;&KvnBIPjOojlcSoO&P2pk}GqOBjl_kVxXhliV3W|mZko*z*qTS3z;<^GC3L}R} zk5i{t*r&}2#1kk&M-Z>VrT(&TvX3W@O^7eIopjV3w&q%Ov(<2js zBc>NMQxO&q%Wc&UyaGIf368H+x0Qp}26#UV2dezrHU%(y-h_NmE$LzIq~JTH zoo^+=ah|)TYOEBF^q3cF2zgpGCt*28V-&X@*+eAbV4tjbon#fG_Qu9Joj%?-j(AiQ zbYy(TUNwiOjhl0bVVpTz_b0mU(S^`j^b*cD+7G{-DAED?Ea{FjKm1(pl$Is@G=;iN z0)JKuo?=>8`zV?OrP`(kNljBuzW}~{QfVKv#|gT4_VU@}?8$>uCtpQ8&NR&zy!p=P zk^mwuT1{`r=c7|Nyc&S95Fsp8*t%1WCwIc)O-uLUwn#m&?B%Y!U6$r^$Gn5~;-x*d zTHD=)!shm?QRqL?F2V2FJ2Or^t8hi>ZSbK{=TDE6b1~V6(gIE%GIimqJ92-yIxi}t zdW4G!-BjEVF8nmt>`c}hcfA>wz;G{!^w#6tj=ng$YA0B6fPATjTDP@dvIxhDp?GDy zHyprizWzYrqES^V$wr+%V;hb2onRJ#BccRDLc`-AJVLv;y`IQD7j6vAK5x5d8LT|8 zn5A*rC;3GSg|YP#pnJVAMUdwWx62Y>C#!Fm$mOa%{OVH1hyjf>F;u)Hj?ULjTcVe? zBi6Fv(1f@`La$nLNVE_Yd_U6#%M7i_nAGdrp);ZE!fjGkFk!@-SUVM!LCcFGkIS_c zl3eKCnACj$v~L}ZB$&7u^e>8INZIDN4;+|NjdrOn@9!v8zm>RGP8E$1QHBH)AQnT) z0{qpCmPY9>mOm+-z0+NN#CPIZwH@{T3k&jc!=w8RgDO5((&mqw+CUF1tXxOXh2NXh z+1ZnRppO1_5y885-z%Phd)UxB+uBbIr3lER3Y&7Mr-4-(vss4g8-b|sJE4bl)zlAYz0i5oBlYAC zbM%!K%|wm!l{Z{3<0ke_ywXm@FXR`nQ|z1$mbn6iRDT+-4&L=K;K}&N;m#xXhmcA; zyq8Csm9A&olwEZD^!A)ws<>w2@U}Zbu|CpGP7mK_&rc@ELa!t+%$VqFe#YiaemJ$l@mdLZ zPAh*!n;Owoqg17Jn&(Q*bX9bRy$cuh_12>92u<9l3=ETg{mm~|I~0=detvXyd?jnE zEXq+l!xekY>5y=ha%3DTl%Z5ky_9(TE-`r|fNl%|-s*YfJQ|!GAUR`W(k}GtGWH45 zym31JqEz#pwM@ejjT!t}g@gp|06XQ|+%aoK^j1Z~nBajp&E@d3tk9}=b5vNTfGNs* zp4i%pYC4y=v}D|<1QzOKTO7TGU!x{V`c*c95* z7b)N+CVDqP-VZ(;x3z|ql;cF-C`9#n|`5kWLhJpl>cBl_e#(w{^tN2 zYNqB%lOn_|@S5^n%RmO5jBuv-y9NTnd*&pK0xt5fUA*TDzhze+dvcRJ7E5cCJI$&k zPlVd~=<`_UUy{E^>0MszEVFo62G6C74U(Z7g3!V_&i7Gx6ewJEDRfCtxfV~mq|Fr( zAsp}2X!%wsA+e6ir#e};l9t3_A8}QaR5@@`2ac=voVj|s_2zjXA&9G?)U96qfi}CK z49^wP-i++g0uio4ku3=#z=hx=d-V8|h?o?>Zdr4VD;EO3TcS}@kh_i%N^6=rtS;OD|0KZETYb+vg~ga!-uUnWe#PSPi#}IqsA|J{0K`h57x7TEzp{b` zb$wuJhMZqA+nJZf?gT@PKs{H-YkqE5M3`@7*VMT6=^-uzM?PRWC6pui*7#@;p9~f| 
zMX8mswaGR*#MaJ;G7yS&)5#liOoI{ZT>`C9CkX8NEsNE>t37J7DO>e!9xtn=EfS~TAxC-Xf4{$ z4m3B6=zGm6lnMm3y=fBoRNNv_r(aO9B_jMPpx`VosQdu6UGDmdA|WosH}qA2e&VqLQd7Y-!>wepnH4d_$0-U9ga1Dz{8-GNBx)6E zVH)SyCQccsm)s>9dEN>gnWj=!j4i$uy=lALS*uUnV%OMo(dwDK5E);y0KfKJZmh8# zj19b#H981l-L4Sa@Hp1UZcpt)I&%&NU5rG>tKPg3(&d$xnG%QUWVr&hcq3`WgT=<_ zSwlpb>bWnZ&2+0p`=``3+Hz5=Q$8?nh!(WWtJ!nGe})4;-I$PuoOz|W~xVQ>gEDGr>m;tjY+9%_%W(B;~*pVfMZujs1uVW|j1kHrs;r zcQDi*#RkZZ`O~8)*-+SBSnFMhk5wxlFa$%*cc_~c)V>(dKZxoreVfq}WQv~6TwwMdOeTcY8nLz;^<7#1=l3^@uS595Z1Ua^HWcxF>>%y%)mu;>;_cfb# zX?RMnCFH0tZ71rK;!+*@Mg7&hh-%;+zghip zdv$2TY_MrjsXX^Q5q2pI751q%Y^cEM46_?MY&N~Ld8miAeU<-S*FZwjJl;BpdB~`2 zm|AxT;`&~(cv&kW7n9!-7EyGzz+a5wMaW!fm_QV+8mylj|^+8djIVC5n0HP zMeQ8bq>IWWhq8;hPiN&H9E}c2{7m_9{>h{XR*2LPwo>u%p?3y0r7yi*#nc+A{fr_j zQcHgbavmGx`JfENAm>&|+u3}!2NSlWZF~)7>etLt+r`6oDg^FsYFiiR2@FDnhlW`I zYxO3F_nNg0+f#OQ2TE2<&QS~wY~N}2pijMNoY}lQK;1O(9$y->jtvx%&1_L!yI5{H zRzd6GtGA1W-GTGmfs1-oaHgoM(YTfwW`#3E&B$9C_Y zn!ORcuiATfme4T8dhfBMey};mw z058|ZGz*<#+s>A-?Om0enYFDul?iVy z{i(8pZ01O#-i1$!r71*aCx6z-0V&*G6=fGl*Hf)j8DD0a?I?wqQoBs%i}ll%r`+Kl z56_?6%@Wl2;@RfWGqADN8o^7}dkn7c%QbzVusL_XfwPo(F2SQa!|PsKgF+~KBQx;o zvx~p?U;wiPbTM3AfZ&pmcAmE{#qUb#+5MRYE1Rt@ZzX*g3)|Gh=`)wIyqF;7XiBa{>j=kJnQ7;9VB^81VUN2mpBS~9#WJZ^ zIb2jn)a1S?H<;+%$68xU$VuS|nIz!6CRohW-)A%hM`rL}2=zwN98})zTA7h`Nx>FL zgpTh6TMYLnj)#5YR>&5!!e0F$DcD`~2&`5!ZNeipAZf@u^tn!UJi%SMx2%f<` zp0J&!TB(`Wd07*gcZG7YG~j@bF!W$FW%=?!It&!<>yH0)@ZhCdHiP_Zk6@Zixd(Jl zBEp_kjd7$Ls0pXLPP&S)F6BJ9SrqnohQ~GHXpn3hdx;?3E54>_(xju#v<{2GYpKO) z0f}cUx0%aJrzGz7)=rz8s$mJKz7p;$9|l~k63sfc?>6)B%8ZO|#P zW(8=%s_i0}HMTZ02Stm_sm_^y@JT1$5cRTVYa(jl{Q14Cw^Ap7*IV)9-dh{`>y05T zLyst#85YHk2}D%9p3mchH}0{39=AA*=ZDIM6rO+iR`jt%n+HyuBa&3=v2yddG~cd^jfiJgbaGO1#q5wv~|X!*G#LG{gKk!~O5hen^1N zQG0w?h*FxfFoYZxIfjc4!g@8~5Y&QQ5FGY>^b~@`S9sd$MeZ-4sa>(lP#74 zcIA_8G!zF9vRw?6jSjMPB0ip?I%L{}^F74^U!gP`v_6ZJJB{mo)iyyXy3ENRq#c$q zG7!MGI1#JZno+n=)vXQgZN!nador5u^0HRcaq zLW&F9ygQe=hY5 zMx|ONs-9B3n41kJnrv|JFz;-uk*v9XG{d(1ccO_@9MZnhO+#`Xb;{~;jjviiNZtr! 
z0~948iDJ*M!3R!!+4HtQq>JIpb*s;BI@ww??Mn_%ynQdxm+O2#MvAZ?`LyuBG}Wr`kUu&-|`7wzKA*@!czjS zLdzXnDmea7?Z|EG9FNbc3-6wmcu!4!K6#|glI;S#9%Ft7X&z>Qkgd**3I zleDhLpS#%fkx0nYE_@0>5}o1vf)KcsE1SkvDg#N2tycKLvR+yajwYWP)6MTg?o%?V zyWnZ8_frrl2LLa_EnGscA8hSZvAJli<9|#rO66^-;5m(@MZsvV-Ir?Qq`)_dlo2f? z!Z-~$we>C-zIiGo5jK*md9z2f1x<(ZCefr*avU!F&+PqV z8_|Rc*^=xN%d$;53x+IN?AL+_IiHdu7G3#=w+D>hd{!B|8KGHz^i(`=&OUT%J=!40Mo8FrWu|rfabew{uiQd9#LR1BX8rf~%12YAfpV4%ak4@0fkcNvM>$JFq<~Yztc{@z9=5 z^rW;l0GonxoP>DPY)Sn%V{?jCV@KG z%U*IJ-1O<_kt$aalH0Wd8Lg9UQbLAu0(qA)aGs)jpWk;1#n0SWw7o1b-F`sFU+rdF zQ*DX&7{H?8RzoR#Ke)MaD4D7|EZ+P2@HvLV*dPOS0hSAP*I;2dsHuB3Yx0;L%G45y zbsA>B25*o$oENdv&zZF~fC1&C3vsCrq3&=qkUK#n(Uyi%KlL?G6vsrl2MMB|7#XNv z@21?lJBgK&#z6Ey-q{d$oCc>?AeUG2`GHah+hvR(defAc8^T{hFR|Y2aQ=ns%R$VeX-QJUbso>pqoA7IsT>pS3DXLRN|z$lvLX40Q?`JR4||zkOaU# zHk3n^Jk2n98qe+!L}EsRxyih+lUi64d#q+;ZwqUV&+^I(KhC5_l6Z3NU0a4Wg8ikh?VDX?xbU=ucG71CklS7YUo7Ep0P z$?l>N+)B-@17nk3mei48gJ*{C;x=}|Mw3(8#qYAZIqi>69{J&cWlbNSr>{B z#3vZ#C9O7C2AcAc@1MiyhI1R|r!-#>wZ7xnod3PS(jKqu{dScV+UiZh=SxIMVDqqR7zzr<^#<(f%J_OrXbb8nxumgGFYN2H|V zH7(73@wLE`H*!B((B!&l*=m7>U^KX)!BY65j}1p)8%0M*3eu0aAHC{!D}6N1 zz4*;&yjP>x>ja-i`(I!49ZeU0ecf;2&FdRPnD|&?5c0s-%`o9RV@V{%w`0lC2I6m0 zVr>t+NxdSt@6MZB2}j?)xt$my{x&V;(t)?>X}9jYU8}L=Hj0mD779E%FrHO9dS^Vl zV&Uz0PBl#8U2Z*+@Gh@OIOAP@o8tJpf?Hh%5)*~Jwi0NdkHTr9c;IN7R53Cr<6y~= zkdxJA)NGe0N?%@In1HZitBFGNrdY(?i96_QTnx$?Udd{QNhls3j?dX2(if8}MNdyX z1%1ui#wj82a)yhB;^GjTmOB{{DoC+gGS4lokD{&_J0Qy~t~3yRSloRKJL{&O;vB)G znOH+Bp}(wHkI?8O#jzG+A;D63q1|+Bw-sJ+b>HUZ31&07K__L;L6Pbl%&yrNgBQ1( zYovO#xj(;1D%0;p@WY#Ve)-Kx@D!NWrhc+1t74aTwLgy1j(flIv$ieJd%@2`4Vg(e3fC zq_}53Dsolc12WS0)O@tOO5#(qNUD#l@3iw#Ub)#lakc7KU^lFy$5lE_&dP|VbDzgQ z%i4DD6;EbiZFtMzWlv3?>;$G!iMJ(Frw`@T^R0Zc>v6vKdH!|I%9rI2Q{WFGJvj2G zHUi%YYnli*O{Cyxs)ngf`y)t+P!XdVTKnk$6mMH1OsT1c@x*i>hW;kp(5RLrZaPTR z^d{}Lrdnh<&vY=Bbd%oIsE(6dWof&~c&w?8cWF8lN1ucU7l*D%1s6pI*CY;NzEeToD)F6FgCc=q68Fk;NQ7&$V+2}CS6akLrCIi*k^U-KhijatLGv0nS z=1N-+nQT!%V#gK5@(ek-#)1=$#uZ=rTAfL`%Uu?Ur`JuV<^wQi7fFTV> zjqeIzng 
zdjbhO38Nheqj>P3M?27jjsybugeQ!W51K$i0|+#~7(O+tLkv#<66}Elv=|=GFD7P% zx91ll0BCz}LPAj%+KK?aum=Y1y~XUOvIeKJz!zx11$>d9nl-3OKo?C777@T>Uo>T} zIyI;YJ_&=WVuMBGW3QS8o`j;Qgd*^>kv|x%I+dUbKE)D>$Oo;O1@5Py0scW?5d5?W z0DpoNAt4t0x?=VnS%V!}_Euu(j;sW9)*zaIj-48eC4k31cFG<-HHZeEgh8~}U@ZCA zqqD%15IdC+3w{Rj2cywb325*smJmxmXf*h>QU`(51aEvo5ee;$xA%tIPmuc}E4@RqYB&dQ< zctR2RpjAm|D||vM_=MYckOn(Q_EvCo2Ppwf8bssKu^of4c<|WAcG#mk2GQUXKZu48 z#*&XcngpJN*p7r)@H3D<7>({oK!Z4`Y3;gQv(W#D60(kJFQ+UEu2LXH%ItW=E1hI}$^1&0bz(X3HB8?Kj z1AaW5FhwGOPchOc`M?QTa539TRugjAf`C-(9 znsdY((#&toZBNa;TsPB-cJw;z$s<`)LxuM0%4_3}&YX4S@g0KPFJRL!f$@4_6g-WY z%;sB7R+iBcnWa79g1Ln~w368t&$u4iDp{IH_vCg-$~C7eNEc9Pid?_Sx-y@M zy-ycE-dV?dpO7sc=Q&!_{P_!A&fO1hVKZfg7vh)pX#_6kG|s5L>wotq>h#Hdygpvq z6*=)-YLzRJTFZMe@ln}RooBZDi9e9obtM0u>fXPLB4?+cX z=Dj$MPeGk?uC zCxDWnu!l+prS08R8-QxVTvRTlrH}36=70vl)9ax)M?^5DVub)E$2dRm|3PXM{8fB z>Ox+0Wab`L5tAn^_6zw}+B5elwLa-Mu~3l6%8=z|X!5itZlN&EEbG9w)~AokSr>|O zBeUFHP5PfcT_`SX&+<6d%F;i$v`|vbknI&}GBC{fp|r`2Cj0Q^)`8IzVwkVV(f$C!y1&ZglzycjcHWt}We=-)CR{sZM{T^6k zJpBn+WLNzeSYLI8PXHzK8)K3E^e1DHY4vx;`aQ77c={8t$gcW3V1cws1x2+=t2I}F zr~*YrAc0Q$$EYG>>7TgjXHbs~&AeH`ss0bjN{wbKMR@HPqat>aAU9;Ip=;)=I_UR{fQMIamH5 zfKJk~f~8#|uY$s)w?bd)$U`SWDs(S=a!rFcOJ#C* znWkjH1I7uP*B0U;+(5b6MANiJP$DzF zc-r1VrIy#_`p3OYe$j_&0yvhXfiH~jJgQQ2u5X72Rd|%Yn+mUrFPjh^$kq}Zi`qVp zjz5iseOhq%R5sm{?YB>Kq{H*>{OOaG`}pjlPFBpFUfI;dpyXKf(dkR8W`59I_R^;v z6hr5lf`X#`*^rrA&RlxRQbVPQpm@B!n(xu2PrEL)=*u!z*B(J3u2W>`smAN`yE4ZP zL2v7+SM0?grS9V1E81;hy3!Sth>G_L1?hp$@j_-Yw!P&SE6=P;OCmy#BF3^;JsGN?J zxk*9sdxjCf+^PeNxBf2ST9?>wv#r%I3l9b*-?A+NzZe3P7|1Y?Ua46PWQmE%f^iRk zwo(P5@=MMISdpVHFy{i(uC=I370j@}=;|MMY#n2NOuImdfx#9UMBp!h7dgQC2P9kf z*k7exe-(9+qpN=)v2}+1nsb2$10yXo_;2r*sEZt3{R51xOYGO2YmH%KEsGJrYzxe} zT)3G_>Qaxx zt)1oX!aq5bj>Q#AX(4+FIaK2w{qbc(jS_K{f=(6z)hH*Y8ubDK*;LDWHYh&#Q*I!dN??RpFj{L96gF#abzW zFifk^N|#lHR8f;a1iWPWQ9&oh!cqZl_~Ctmw`++XQLa@u)6`q~?kVitLsZVPTwAGW z`_)!d3MmiAGo`3g&5=?$tHtf)RP0*fCzEH*>q^fRwTfYvkmbq>`R7%aV_b(cDnH)QI&+C9EhA@}AO`Yr;lqv7$6q<| 
zAs{pe1Dwo32}+32F4&ih$2iIM3`&$y;!A^}Y+5Vh9j`wTC5MHzJ|FKg?&N|{OXGse z`AGpHu~u+e<^ayON$k(Mf~gNE*P*P8nQVu4!|iV}`HTgG+I9sprN-)M^yab~NIElI za|_;NKoh3p-heo!tS^CYKD&7yP))I`(-G>9un@1OCT`2w-aAdX9M-_rg-YH0R)@(8 zY6yRXqEmgu4CLk3N=hQA)$J3{on98;qdUKfFuv%&RM;xQcz&JSZ3wn_H%{(0DC{f3 zxYs6kKPv1S!nl4_*gC>Ee;M4ZBMiM^aQEZf4*hj-_v_pa4G!+s74`$dIDVeneMK0@ z#<|@Fgdx}Gc0V8txvsDu5XSzyTuTJ`Ypz8`82eAT)*8ate#o`HB8+WAuC=57`k`vEoh|3|ht}s`mOk7A7;}l#rb855i`6u6^V|TA z%$UC#L;kN+11EiAvfw0=Of>{~2Dvr`1gCW1ND@RE2sV&yVr0C5Q?3T`d@c(OjwC^h zk&ULL*Nc$w>Q+&{lc&=XvDc2#p+aj)LDN^1v8$8i+K|Y@o+Lm4R9VnFKlwG#f}Y zaCQjJCPBIVRe%QOpFa&ILEZgBuz~aA^^xS7)>6Uo=Nj0+!QuZQI{UNMz|d@!YFYn{ zA^+R8`oHd41#F<&zKnyH03W*QVxJQdlO;ptDwAa|FJ%aqkHAE-%TxD9`@=X(b*A78 zEhbZ*OAB;4ZX8f|3K*9Y&a0YB?~t}9ggP^~4zlv;35P3p%+hBwIa%n^*$6*+ovx zcdHPPwNfb0p#mw*5*D4hyPN$WHIAOS@2R*Hu3e?UxDN$UWu;szrsC+zsPW(=SxgBa zoh+34Iic!>eV3mN2R%kYCv_x{742I*fi8!|XTfxAiq9`!tUNLlME&I)?AhcaDJ{-{ zEd0>?TZZF%g%>}c8@lL%lhJxJTwFGc^z%42)=cu)-o*ipQXIQ7w{T+U=p1j}#6=Zm zuOZF3j`C5!i}B-hZ9Gf-yx zdlPEi*?SfmO6L;+!bn zY(i*J_U@W{cl%<+`H2G)4R@VR4>nx%*gHgFUaC(eU#-n-pY9-d1q1)wt;2zTbHwSw z02KzM&832*qXx(7fN)%eE=>=-5#c56ReU8$d~t?Wp(oFH6Wkx>Y#Gqm ztpg1p1!L-`4MlwtrQseny$LeRP@vQAw{XQ?_T&LQvQsew_#cHF}xYk#! 
zew7*u_hVkR9+#nh+OS%e8fwFa)jyFM>bFt@p@#fv0{JyAW7{}^{1%rXH%uTm#AWQi zi_31a{u-Atu>TU5k)g&Kxj|}Qp~m`y)K;O^#x?{~TdYAu{rx7*J3*Ywc$zQo{lmzaU{SOfw+KS9MkalqJw|~|et7C4ih;&E*bkWEZm=i|TsZr~RP>LuTg%+m zHq6LD964vBvD;t~30yDx!wmHAUALCG zt?ibPjYm$~z~^8r3EVCF!wmFqPzOp3h_xptV0iLM8R$BYd0%t34lptWBec~eGjbyL zmz*0VCv89MnSq=e1x-jEiT)vfBQKfZ(cp#|dAAHs0Qby5%dL$>$r0RNiEiU=+1E+v zpEyS#f#KWN4Kvbz>t+A#(ErOFdfOjdN8X_ypC}oMgI1T0g!GS6aqJ;xmw!nlNXMa^ zru8aNB-~WRR9tfnJo8;E1jhZY-_r}=NXT*J5=zLGYehZ8k?QOiQu0L&i{}Rnqcq z?a}@~&q$Bn1C(F3Jc~5ERq|BQBI@YFE3XYoUs!rac~mq8@uDTp&uOR(rDtS+q;m6~ zJ~qsQl~!|6bD91yK`f~3FZJ>sTpCB!Yx=oJ9P?U~Ox4O+o;_4D_^~TddCQh%c+rPz zif_xF7k}z~S2uyD?up2;d#_U>y?NlxNb!*Yd>v2ma>Nthqmftfr|nW_-uCki3@v=z z3@DE7I;)#7fUsjH(jX{zJ$d>?`gL__Yh!opS^yxATP=p0wh8dH6s6`c+!*D@5Gzmj`{LQFUBvoAW;ga9{H`?v1SbS#_Kn7w3Oe z9crC*KdBDA&bpsfhyG!2e&b#l2YIpV+Z1%e5EPlY=i3x?;}8_}>t5NK>X5(7-?F{f z*7wTR^S7=@o2MkHD?1=*EWp2yV!t@$|Jd&j&Sxb zHZm)Bu>&>vIpA+zpWblz5l>A z14uxyTd*4Hfzcj0<^%CZmR|?>`WyZ_?7^PFZ%YP$k3TTc1G@#Q1O%hK)r@boVE_{F zyZ<`u!JffyO9p@AKTzuALdI&Y2l@|G;JW`n3zBOG9dIzz0~P2($Rcy_CkRdvz{0_L z+W^$$|6;*)0)qY{kXPcspQhC|z*?v`g$GLp-x~)1f`DJ^1*FuXssD1l|3My?5UHgW zoqX8xw6$D|7^Ra}>p2zv+3IC%TW&l1+@*qs!94(7XH<8LCydh$Bi}B>QQ6*_@D zfTXP*A+agesix0`>EIC$;eOMC_9f}|B4-k9K@~r8YV&iK2kp~U7ey8hzep$`whEk; ziE{5*!q z+=2q%{(>l_h{ZWL4iP!3iMCiT90ev?0suRdlw(@83O6Cl1K?F+dD=A2sWkr8)vPFA z96}r`!Jm*wEwQMjmWB=RZ=!`!bO)iIMu#X2&@w{8bdj8mAJ_B_tV`$x&!=B zv$4ARw%iZ}b$(mykPcvbK70#lH)}T~c!jQDkUg_5rY|=y?kYgsu`Iw`;+Ep*go#A? z22&lFF*sdV%edWXQmNci_FvzUvU7OBqrPDkuheRqvAarQk7E8uv##0pynlGD33<=dyM-izK zC+7`hoD-4W^+XAwkBvKM(<40U0WCR;`zD;$M*g|r_0nTHQktxBIOvPbk+FINkMGsV zum0oxsXF;ntjF`UI{702zxj{rH_gd!{^S0kIr&qp$4PEZ{s_Qt{^R_)IQiXw=#^Qys<-Ap)(rss z=0DbT0IvDZJU`|#P1{RhwU5mLH1Izy{y?2@b zc2E;Q5`ql;rb4iQN`@i1dI}a$R|}IHdkhg8xbI-${_~?!<8Pc`WS5~!MUqF`6hpsV~vzs_|~W{;4^- z!EK`=8W3~OV<*CNR%Tg(=gp=lIEcX#eo9)InCO#pbi21@yZVo5Se*D2kJ$<2LPjE; zkhzIFrI8^8beVgccJXx$GUyMnGq*{A?=;B+le|@1p4)XyCMb9km#YwOlZsI5tz$T% z9V~i+3gGLalwS0wqZ^_C&|$lnr&uD!$^@=YfyeeJyE4^eWml6I{ngBp$PsQO? 
znDG70EQpG4@PPtX6Fb%Z0IUW;ft`=`yq6W<=f2 zwj_=+l)t18f1}f^=*9AsoiO(qT9)M=zm9?KFMgr-ww0a>Y;W5aB`|jPXhH)dd_?_k2s^7sP*>g{e-af=`ODb z{ZTd>w;bRN4T}S?ksf26Q9{G;pX4pvke}Dk2eRFq|Y`P!ap>!V)mnBij)aRkC>36gx-Ows5X9Lb#xu)nc-g$dZL{VK?;j`gj-qMy^rCqYgyF1S(x~Q8a(ba4dx=CJZ z`+b%O&BGi!u<+fTJ%!DCT$deszoa>~4octq?9;!4Dsgd`Lvpfom{H-&;z*6zBUE4YO~Tzt;+yl- zh~s=)69&ttQY_ctdza!L{v_D+Ev{LS6tkCa6xciy#N&X5&%dg4Vm!n zqh(hTB^gWoc~0jrY0YCcsb2BVOq2!A2koJ5u+pKgKZH5eHv+?sh10nMK(-f-zsO35 zvx)-7la@HzVpk40&PLmRd{Ng?YFuRG&jjQ?Yc(Aes<-jjv^%cffZE*^zm*nxf#+SI zR%t+^`E^E)*gdTn?IwSVrSA4CcIUUlq=}Hz@0`8&a?>ejh&FxFpQU)NXEFj*`)>)b zmH?^&p^viWd@-p^m)%pPlAko5)C>*W%VokTc-0W_J%4jS!7bA2F?EMctbb7KSR@L( z6r@2qiSruslyu_RH_c4R{0-foU*4x@=#t^+wcddz^g@_K+t`b98>HR+{cqGH-I7o3 z?k^01(9Z|l&ckqa1c+}<0=G(whp1p4FKF*JTu7JZpd2}WFGn&QQR@YcpYlW0YJp>2j^E+P@pUb5JwN;! zAEFlPH{^#K;zQ)O{P4&45NSlt4}XCp@)tO+x{>WCIIg;p{bPr3N5S&N7bbDEj~S>fbw@`Prihray}>&y^<3#FyrtCs#{A^cgG9!nG&V!C zw^s2>y=mq}ceb^^wY|IaFgJ>=DAUz!+`fP5QE5j}_ObTyou8H-GgmVf=Z2cSbLRTg z*JNItf4QCQ-9EKXPr9Ot3vZiE9B}ybw6CMMn5LwC!sFy!y}#mYWl>Qo`5KrXISXFC z2VTLqdifrB1t0nTz4fbNez<%O4c@;8UcLv47KALwSuhR#f7m zAy+^aRPcc!K5PXaDB^=!_*NQX)>ZJKK?@&L!S_$Ap{*dSj1@#TN}-^L57hBti}*kt zAJoOSQWXQ(ceRKQ4Z8T&6!94XoZSGjQ))|^=thbKEqtJh58J{Ay7-_XzLk=gbuD~o zP{apX_`r>P4a+VGqOBmWjMYRpvMgxf16_RB7Cz9$2Nm(H^uz%6U2Wk*gCaiA!UtG3 zr6?SdLV^5g2iYV6&O%%Zzz=N*Ko%e@kV~-%nC#dMjeILa3+nhlDc_P)(hijJfkr-D z@MS5ZysnN<05tL~*YU03EYubQ1W`x|1%aED^1T(71)L=DoE&G3%Q5 zkf3~Tsd*0q*#HoBNhvCV!O*{P_IJ1NztAoGk8qZ66V6UOoEyrVdbIfE5)%wYGLahw zXE2_w{He~AB?d!&v(A$zKPVjcl=3kBE_rI9#gnzL6BNf`-!Lq&dSYLe{06Rg7P$+Y zN%r}5r-&2k>cwyF`*dEqYoALi;v&&;+eZofX;a**%+CpoD$dt@h< z72oGpotv?r8xNnR!aUd5%}Vz|VQR6hb-N;m1igf}&Zl#Sw&xYI*}Ph8t7ja1c;u}K zpU9UZtT3wl=bW%$dDvet`vML&SfzX;%swyw9Q>O?K^5GQO6=gGtG1^Qqjlwloqopj?SCmECP& zy{yfl6{IER!M?(aFY17;v*1IE{f-c3xejS|nHFDmSn(@4nGXnmSf>I5y1tS)((3V@ z01Xstu$PeOQG!8VIp-KIc^KnxY4|)LD(r!l45RfU%tdxGf{tt7#1s4nc#gP!9yit6 zR)3Sa+tZzq;?&#g_liG!7IA)U(>KY8ETVLUU2Pb@D>_sAb05buqO+VMu%B-A{@bRL 
zOmmTPUu_XeANJ)^?P5`R_k~w>{C%LSNkv1m7_8c;vfqu93XX6r3?h`2U; z+vtXL0i2QZ)+K@4d`325X&xdzju+n(x++VUe7OZnJ5Q%nJy3@*bLt3i=uYO7qOKGq>pUskeT5}(RPi|3vCEIT6J#|*WQE4y z#+3^3a+HE<-#a`g-6~P@*VB#}4R#~#6UcP1UBYX$P}W~)p>8cKph_4|F$~TU$-LCH zhYx6(wz5Q8siW}+UBE>g4OQ)}XrXJRPzJmg@exflt`}zQMSSTXj@pz+#sV#>dG#W` z<{*y3Q$p$2OQBezoo}VZL$tJbh?Z7! zGttr%rEMfyQV3~_vTEq4@C&SfNP)l#a@c@5Q-HB@4V|ucZ5m?Hbg9B{O=}JWrPydS zFlA=rdZDqIY^u|CAlHioa0oyO1atu80I?MS8xU9lpiW_Xq48enAua`t(2!*lbVOq# zI}oYjx}cXxb$wa1Ar@1YS`62;=0JdoJJfHMSs@3f9aIy&V&cTnDNbx%u7k$rcsBM$ z8)6xCsmpK!o#Hy8A%S(%tsaM_IE{6=2zp6rU2ozv!~*J4h2fgw90*OJunrJ#)u49h z6$dAdOK~#matrj5*t*`qX^5rMr3%9hTndO3;Am`s+G(IdV#_8WrzXy_2|_$T>jVdU zz@nfl9JEG5jfOxs2Y)w!UDuT8;3>xA+@f`r9 zIHeT=PSDu{y)G9SuI+_hZiL3tDO8yQ5ER#%v!*f!LQ`B=2dJwl*#Js^7eW6PSpRl` zm2GPx9iMs(`$-}!W(lJMNQxuU@zQAp_%y8(jC!~IK=n7q#j5Lcgfy5M5&DX@dgck8 znFEU|BfDzgFoGF1Sa3xZqM*5=O_BA_fWI0=NVK;#vGL7LH!=9``y?#&yaKMc|5HW& z6;>ev$tGD^I!yg8t1Dt1v^AF{NeVEOO`Y4$z+foh3y$YugJS#ss?MK{EodSv+LzxT zZ8ahNocdhfZW1&s4lc~&INeSHyWHor2j<%6M8e+Afa%?%vnbJ|M%9G9zE4Xg2J$WAg}omJWzERlP2Qy-v7kpE_P;2OVxD2-2P9)R96xf zXYR#5&)?OfdkKbVWjotb@Xn;RmstalBMFKORCg`J0M*-uE}HY~!f# z@!IM3j-1lH{W4?U;qR_TA4e0Pv4GWMz|wk<4^Pm!kI}JngT>_;M+0`0`6vlredoV@ zq@74o%!Bl&=twYyxhXLQ2rQz-8!^6hgLDo`NG z__Cd3n}Z|2%xOeUFq~61negYQ+bnRE$9&4W{8-sdyEyZdV4i0QNfH>ZEMUY(B2Hg5 zpU@|Hae_d3+gVyxM=nKJ-*zvhtgBq@UI?H;#*DUH7A3;$gjH>aJq-+)fn$*FbrRQf z+X%V)V5EMB3AQV0h0?(>bz@fKCtq-eeHqtB3+>*m+e+eIo5kEPjexbi3*{8a+;LDD z1J`<%YegArC`4^8_VCPPG~GO`W*>FULbOiQIYOddqK1UK9tE65rFZw_l0JDXH+3gV zfKm8Ul;z>=_I#4POFanH7S$1;6 z`b5Hr#Z)B&b1^E%gzbf5X|ts=$3n*n2+^fA^fQc|4~yuO$Szr<98PId@lT`*9($oI z(RWnl#~r#f0r4m~n_Wi>?$f37iR(|xGRYL}r_bP@kwd7plXHbqW~!b^J@DcJLG{u5 ziKaXu&t(%1m?pqbEd0?bU1Xd|EuL2%sr+GlN9{TF9!a-6IS*-VZJDy(!rUD*Oe8ND z{HtotnR_eQdz%$+-(JZ{$oImQtwZqTQwI#u#Q50h;og@G(zK}>Z|uy~_rCO|ks>q* zX0uc8_PC?vT3pJye3{34m}lNnUhSh~!JE2Xy2~?R`*AkNt2lKP4b|h|g;B zipF=B$DZXGm*Y7rFuKH|3~TQ4Yt>a0_AbBaEROT8`M==Ag^vzSLs{usjIYDb@kh;zHKF?b($ZXZ-09|LZeku{=DVG`3K+L 
zOb3-z3~Nrg)4uxlcCNML(btx#tKYu;1>0U)NkXbM?a92@_xzu+sjhJEX{6y$z|t^^ z9e99@2vC9d8u|r#EXX>eflUGQcB8RjBw#2o1O!C|g?2zZeQk0HNU{Ku1MC1Q1KIW% z5C8!Qp9cCGhztQG)6Ov44ww%NaSJJS0_bc|P$U4p2)+fL(NhB0Ak$KjbYh zoM{Dvi-4^ayP1OZw{9k3pwI$eDh`8V)sW}_P$7vl3{XP@5)J@^DInAY#o3p$>}%Fi z!hwE^9ZbOrxtmEC$g{BkgK-fikYxf?3{+V_#gM%KTSsJwg<+^m63C$ekbQNvmuL^`1DG6eGLGg7El`k zSdP_Zu?*b01p@U)UGCD-pBQX zN{DFJ6J{9-uIk0I)Cd(D>SgZI|V~UvB#YF)jEp%t5Rqh*wN;e7IRJ@U8I?1_$+1ODY!Cxuv zDasW9dcaNoVAt-oFPSWAL(M&L>CroT*`VU~*2RGe!5j}JY^}HgJsx66L`%og?;R-JmR+}P?qI0; zhe|5{v;jEm5Fis`lWSMtWKZs$X@AaauKfiWdM*H_K8i*ftBaKA{_&lx=T9Af`Or+- z`LB%j-%TeU8{e&_A4F@yJ(=U^zfE`AlQm6=L{>YP?0hAPeb5Uj|H6aC@n@ciFLM<_ zS4NsntktVr#Y5Vh|4{xeEhloi%BgNAI81}XlgclaSUcDw2mO&iSyF}iXr985$W33R zipW=~Na_0_*{%-X?nt8eDYN1I-ZT|&=w6-=&b>2f-zLOLHXE_)&wY;UFq!BUQ>T)! zT^g+ZKC$l~)lr73@;k?Vg6$S_gtuRWaj?92O-CyrcDTjFBQ4Ivqz*Wrk?+)c$7_xZ5E6En>^kIk2y}~ z$Oo~+M8OaKIyqv2y5`f9Q+q!MolF#>bC_2my4jyP+ggDT!y!@Ea!5}?8Fe*WzxmM~ zZu8KksW(!7?q`X1_a32rDdeM+aWxgp|uI7MJ=mK(=$nA5q9WhxO-Eo zLw7hDO@_+{YI z!-k0gS15@~+P#iBHJ&K9%}PTaXQv*u!68yel=X-SJ3{n0by5621`?aVDk^aE6C{M90pKW9~z^9 zM*e`q09Yx2rvhs)z)>tf*cE)<4gunWFK0hfkyto z)E^l61Fh*;hXFuX$YFp5>Qxnc-03NV=G|Lp$Q?tvVdZN$p9cMZk}d6!a^B*kirN23a$NR zLxX>iw;+28)GDl0FhM(iVC@g={DEF3thZp9Um;Qk2#e!ah>x*`SujZhL}b9SOQo6+ z#bUSprdk2TLMDT3XyFe#?*~!rvW$zJ_XERzpb;JGFu;QBI+lgV7+UxPL>v3NTJv|c z=6|(X^B-9aTs8>1ykwORzdpO2Ld-l(hXRM(wV3T89F;+v$>;3!d?m zX6|~9nw|I@@^xEaaU+k+JJF{$VxAp~+pc`AKRC`R{anyU zyZ8ah8aCaBqrqxa82??7 zP|Js?V^hjhLQxciho8{6ZZlEkdL^V)S-346MmWiA@)UCq&O++s=G+uj#duiuy~no0 zFT?K8?PlM5wZ#sl#Sa(ZFMe|8c#CgIQwZ(oIcZ+^o##w7Oc=+NN}4~~o7=cX1#|9} zeIg|snSU)MjyLcqNfhl4}xMpO%mA3bYdJeOhy1e5ftxeA*eq0ws|s>0LoFg^GTkPKihkbw-Acn8d!a zAkiMyxSd$p^?uuorR!sJcGnM2?h3t`YL}pv5jR4!**(j!g?pA^3#vt})Ss`TTGYBy%@wMp$CthrqhGCG zT0^yTxca5_`Y!!^10H>sb|rVUs_)XS=B`%sUAj&7S)lKdV(qhu23a37rmY; zA?xb0dledu29OCBqc`9sU`voL2j&1Y#FkLBA3NR*1);FTo>*rjloJP*RvcjhumqM? 
zTqFy0d*b5!xXcz_n1t4&*YhOgVO_Sd;;0fDklq3;v7P{EJsR4R29-{@K2OL8fE|qn zpMu5c^)LxJR+mkyIHZI|qt{a9vm>a-lXTER$YE_yvlLXOpC z(<+W9p~Yx?NQrd@K-1BHC!toS<>=K4Lqc=W>oF2?tS*~YaWDxjMz7~d0Fx^u348zm zEOCMTe@K$hT=aU91fSy;qnE7!5KKag(d&5<{2cHEU{%qjKF<_2sGc1+aX6#~!dRdv z0K0Fvh9{ww==D4a4NF7hxsEEKt>}$l2^7+$-RKlGuoKieqy{>xKq~7uTiX4$vHlA- zRvmny{>KFDA4>c3(VoOy(@8nygSY%siBZ;$RTZD|$uSSC9N0ZU?`PlH#}jIMa!Th8 z4AwpR;Ws^1L9~017;G`Xe^9=P;tZ7ng6!M3vroUuR){`aG#2wDrsLwSKFC~oyNZlC zE5Y$0>rMfOdi1Pa0fIX+puGzHAaU1|U3`0TT9}^ib4JSUNX{izdQKr3CefDZSj$lP zK)w@^(wtk%+5Rdow7)geiAl+bN`X|L)-|VMmVmXe9p)3b>*dJ{oSr+rChrg4F;dL> z^|^T6o7~4j*8669+-a{@JvmDvD${k)j-8;>mz-|r0EXmkaTi0MahaUJADD{+rsQvn z>-U`4mWxOV3o;+4{WB<^*uP{O&rm*j;ra0#=9lHezG2O~5iA4Sq$bia_pTH@Dgrw* zBa3|+7pEg%eV7|z)bFbs7TA6E@@V@&^V8u6dw=fxV)1dFC&a6SBS07Q$)vO?!zMzYCLg6r*%iAe3o7RT0W}h-XxtaGWgh zyZiGe91p7rwAkO4`aRF#6l~be!6^SDwv?M!pZ!n8WV7Im=LbYMea}~XN(}9nQvB(= zOVzYOu3q8UQwb*DfO|TphhFn1KcWnBp-ws-(ppq>UBo`fed6fIqJ>BG_g(%Tx`iR6 z3VAyz=Y%K^jK{FhqLZ1N&sb;?a`U((7w!FFA9{P1x)gi7z_#j2}!g6gpuZW1FB3l?)fikCdrBL~WW+q>uOB`Yz1eHGZmN6sI zDD6tlGV2zGKy_yhH!oVnzK0IQ*48g2%E4w7Bm{|&?(pZgZQBi6*Yw7bcWE!+> zt8yXaWiVoTYBimi-diJ3y}Fe06tQ`896Fg}96o`4cVFr9pHOlYy<%&cWv!WMxKixI znrS?&hJRTHfF;XT#ZFMK6VvXc#pun6ex@xF{lGVXUOO1QPA+BKOqMvXWL&pyxW>iG zu!V5|wYk>`ap(x<3R$iJOFCRI zYrS)T78lG~=Nur#2D3ifY&q??EN8AzCq$qiFa@sj%hU<*69=9v)CmzN@VJ6Y{TlGx zh@1jyU?vCxPow}qPT)Sp&zmdCB_LDi@(!|5AT6~jUP9mrSyh2^b?N>NsB?pg34tfJ zkQ8@|2at=OH|@X)eib=acoSkzkdOkm_+{P%;JHD?gxC|?Ne_5)OV|WkX>ssX3shALf zVw>h6@Puyht1a@Y$O#eXGIiR48v9itbA>t~0tNN}$T7Q0oq#~?aG9xP>Vyb18(QAR zp5~XpbBQ`3{QM1`zkB8J^~x(hvmMVa9m*KbsrWKBo?D3!n#g;KvYWVHKSo@c-^6Q_ zM$9<)5=e;SYbtT@nv%I&YNwl-VelsF~HnxS(P8j%a7Z zj)Y3JhrKt%2-=w~9*C4M5@qGoz#NUH1knkmA4o0*!-|x9J=;Y(l$h@nmCcIY@j%|b zJpJi~`5(b9&z?y)WIdDehe^L-d4K71rJday5hM%YRcZihang-m@el9!Gurrj4BX5N zEP2z!sWsn^k_;*fpT8P+v^etgfzr^7DK|TJrAyay7RG|fTW=2M9-ft`h`rf5I1x51 zdh}(%&jWk=Daf}|Pt}~xUZ~~Z-+r_>@muS{1fzalU03IB^RhAb9cSU3uP;2-p6H2W zJ213p{xg4mTS}{FcmZL;6Zl0VA}_~H&mXFPfH6XsJ!P9df_wl{%*p`N`Gcql!n 
zK&>dyG|3F7JsF!55WDNEwz*GVW2d-_JS?qJO%pSHonPZF*@^mUR5<|8fV*x)d{5Zq z$uCPacThS-9b#?>^4=eNbi&>0A$u*-WJV~F`ohUUvaz1CzT$o-3u8!X7&!U~Rb7qg zPbuybbhxkdYNnsTVD^wm5Vf*S__Gr03$=7M{yRd|8JJ&LC#IuYO`?;MeB_G7G1Qtj z1wwnD4=U|+eNP?C>RiKipuNr~qB+<{@~Dt7m8Y+Tsrk))=G?oVmPUlwoBa9OmfP3t zgvv!<_AnPZ3-5#!iL*zAA~FVpi#dnY^lP0DDQfhIs3td^T$qWhWVuVsJNnr4#t0#q zH8D*fX`+S2PNE#`%5BjvIjjuj;F`i*Qc_Q|Qj5$;1780nEmBxwSMKT5&%);w^;yG= zH{s|VdNT&(fjlCMTOGHib+z|U-&L``A{0MfIK&q2TjNSFEB}V&uRVt@Rm<@9y=G{*I&_^zFUEV#oCBJ?&7|)@lsl5-#@@ zPz8(vTo$rjL_Ly8+*d}+h@R=hSO%u#W4yEu8R*8_iX`#8H+UN}rUNsTv+NFzCZ1M4 z9%Et}w`k6$#`|Dl$5#tlBJ(TlbB_#~3(N6W$}@e=#Vl8fZU9e~UljtNw=4u;EZxGf zie5*aYr&IYX;*u-Q507w%D8#a5$9M%tzUFpmNZd#8s$NJ3WcvqsvkwSzEK`0Y0|H0 zlwXxJ={Ge3K;TKcu1f0f$WM{t@>3*RIYI#|LPk(kF6&sR_r zz~>r`bK`Q+TGZUknE*alMa>n?1dwUBbRl1bOmHpV%$ZQ?AG(&Wa3+vBH>2jNuDQaQ z;6iS^%uMAVq5|VT#xUW7g&#)UZ8+gRR1?H#B6VTdu_3bT`v*QV z$st~tjoaVXQfm?^lI6H0Qaph8mK~Zula!M;W<~`omHnInFXn50H92Q836@%s`Y-#YX?iT%?w4 z*e*GXt;;Sq*Ec|0T(e%3xiWvwp?MdKt<68L_+hd5Cyi(QS@&BPW}1bIzgWUPwM)#C z5#-Gc1-N#qC9yce=niG`H;MekGV#Eq$u+Y?aLRu6g?Z$6ntb+zJ6}Qy^jaifAId3p za!VUovvV-+b%lpvPEA*&o^^Us&8e%twx4?^)WkZ|FT^u*B-iU(%isWeq2|2m)V8-J zLzK)Pa^A<^BlpN zmPY$W=gT6#wmr{Vlej1U3cX~qKfc87@x!>(OFzHIJ->OD{m1;sz1$xQ6D3nWzD?Kd z{JA*${Or%~bHlkme=L5T`uURsMv(v`QK=+gn#LeCAlBT7nmabK<_6SMz_KQVmC6&Q zUTu~44^H_jd+%dSMY=!w#NmsqljXSObGA`}(^oN4k>^Gly<^hJ+1NP_J&F%*I?0LN zOp#^mwr);`G=%#Z_PYuR3^@j{&O|VFytpfs?{w(83+h4KXJv80rqfM{r&*5SqQ3HPBAYckMCMaiYnrr>zDJI@!|{Sw{AU^xBxa7CZMLiFyK2B;pcz0P zIL^F_%e)!JFBiqZ_(psOcV?@XX-H?Ra%8U2h^50-^jzh(J*cc|W%rkheP`nGjsI$8ss}9*C(5eQT=4iw!?9I;t=;o4&XwP42AM z&MX2St11c)ME}rnxKlPg8Py*KOCl$;EmK#LO|7BRY>b?9=FlDO%b_8=BQ({3Ddo*8>FQ))O z{>IAt19ib%>Tw!n`R|*eBDmo0(W5M8KWs*V$X-Gz!;~wGSY6Jx6M$3C%ac= zWQLMerst{63Lw$O!ByGWkC;+YqiYS1Bh%l;$iqrQ$GCHoW(Z*j_#D%5P9`cL;T(q9 zUT#=oey?ptt87Zu!FbCAI2pIKTz39*GrP>}q8uhU&Ns631bHRpoDL732}TPX%zP_2 znFqg4byg?-htNdEJa4qkwy}=2Sz7A%5oGlh-8B_v&B>`Bv@XeK5PS>Jg|QP|`4p;{ z)Vv+pB6y{njmflcwrgRg>1^hQKMk*RXBoNNacVc)Noo7ilB?`o?}>Yj#qCxkSKtMX 
zw4X;`yFO@k^7LS(bjz1^7YXvSeR7js z5>~RUlQ3~uIekN>`R=w0^-tIqG^f4gD9p%R_!PHAWc#2EUr~oxbMT0U_|gcn{FT7Z z5hftys%uXrr2X}&uy`7M5P8q*iaB;`n==9C_Q3-b-Zhef{IL66iOdXxPrF-gg#^K^ z2Uw|ROU=t{Z&H{UwmSDn%Mpy|d^d~C4zQ>v)NIxpl0Ct}+z^lXPEPzoLH{rQ(Rh*S zk0$SFp3(17WmoUbu&B;|$*bBBf5bQ8)Fcy+5aFPVOz&7k@v-;9#IrKtqvDcN1Y94_ zU!*VV(XfbbpesQb68Z4sjExo-4{yXl(Wr~<93 z&AIk8?b)FzQV{L9k8SVACqfwp5=566hh>N7*-Tg|W6A1c_RZU9+43gR9~s&<1B}o*FvXnE0qdr6LWkDVlizHD;%%FZtK^A7e=U=;w zuV|IOhDxAJ;^j)niTV37zFw}}pjEDOVy?)Qf74|gCseLAV}dXgNcP}COKh^|_gTCt zQtWhNtZG4O%WWB#vDXa+_uAs+u92~-6{dA0se}ohY%EOgx~H9_c1Nu!qbF0p!1hgJ zQReep(cv?v3#_{`PBs;1zbbJYXuP9dlJn+)+o!QNO(nU1J;o4{vuTv(y?f$A zD`e7K`Wq^v%x~EYMO&w)55?FQj}F~-tQ8oJb$wvS zrR_Ex!NKhuKhuLFTnO-3h-q)*&4p)6|E|CBV_dDiN4TCWQ; zrPRY`Lw6#2^sUaAzk~6g%<0p=)A+U9^|Xi`CsM*BqSiT6Sh|~&sM7nrfyc?hP#+;y znGyX!L5p{@i60h}^uzeSFHF#RX?~lewF&z6q2lX@Z&Q^dI~S*)GMrsp$CMoSpmH5k z?$}bR#4#nuFSJUWRLQ=27vG>&E=iSakXE?{Dj}v!r1DmI%E|Q6M@54*ktVYKDX;8D zU+sWIx_c@$f`%Xc^qUh=CG|C;?#Dxp27gQRkbbs%*EXL33(0{$`}Jg`5F>UzE(3pt zQ(>B4Y6X3B^6KjMIs79z@aC27w)-%&%Hl*|uvf(q)>ly~-xGEP1WIxvd8Guj(W0R< z_oFK@@2f;KdcEn%?M~zvzE@o+^&~Cn)q5;zp!TJdGkknZuiJ2xO;0$%^tGToqO?a$ zuajnfZa0iix=7eWT0^qO%&YclI-QX%=8rPl$j5Sou=q01AluVJNBfIaZIu0DdMGLh z!qJ}gwq5)&wv2g}Wzh!(M2NEHxc0Wqhbeu?i2U@FB0)64!^uqR+^n$Qhe~uSm9dTv zjMCa&Ii=9)24?$Boiul4rJZhX#S>{xrtKw6xPC&^*%i&YJwdk4+s(Ey^ieRy=mi24 z0gpBpQAtdyS_k2Mr-(lKY@`R$T()b5NSKg=zluhU%JaNI{=EZ%CrH&`{strBu)|6j zZs$=Lnq~!*dQauO8G+-I6T*b*C$H4Nu;B~$3iYkJ>&=tsK^$OP zX`OUUTGjH7%Z!T$5~Xd(7#n5jsDOx(wdD_k`7l{0vFnR@rhB}J0i9sw&b6tY?v2}F z{-UxOh)dTocBUxf7=b(n*K+f$KOK5)6Mgv~O#E>vH6}g2<53KEv`cD6RYo-LgULVA z78>|VI|b)$iue{|JctgID-3zmXr(_sOL1s0Jk~R*B9_m7FEUZ~V@Dt=&EKpv3s%||J6wx!c2}|p2Q){+_Bbvi3c-x+})&IuER_g6^*SiQxI_G zM}Jd_B*r?GTJe~V0oEExOwSn^+U`3Y)VlV9dFr%>jI=}0CmX{zfzyofdUH(#b_1s` z>sN{GeS0)`@|0K4>l-Rx3(bz45;ErMNUE1bIEPMLjc9X_sDqHGWDsv>SMP}yGbRz z1mvk{B~U8YcZi(OxHH#b5Fkrfeq&yvQKeDuI`>lxsdLU68orgLfuSi@kD_4*gD_SD zPaC8@76~Xn%)kBi^6hL%(l)oZ$wmdXQI*eBMJWqiLY!xZHO>!-VY0;~EP4%PxYD(6 zFZ!Eqzcga;OgHm=OVX1z=NrS*sQ1l8dWVl{ 
zz}vGVD$R%@nbNdM4rNmW^iinEJjtz=)}7RDB6wtY{TOpH26HHaG3DnA(I|Wa9WR}5*JYk&8B}Bv?J@p@ep238Q+8qzbo5f8__Qt*ViO5C2Y?9EX95ptkm(g*Q3>OgYKI#lfm$7 z`3pSl^{B5E`1afx@$R{UId{5c`{i2qtB|KlH2i%Qey^EpEwkUG9et zTJl^?l;Z;Bw9u00hTISBnn9*z%p}DPGQr8VkTF+c<^P(7xt1?CHx&V_1g=XQV*am5 z_iVOYu1k}zxGw*P1bkL3mn-R>-!i7k{lpr7MhV;3_4kwNZn7WpV^PgdZV2Po$uMrn zPx&olUZYaxe|Mcu&-$Ggqh;E=8!YEX-g&d%;P3b0zGdC-%b%Lo?GRBbAW&u~Z6Ijhmyv;+atMLJU`3S8V2DZ(QDvw)@93Zd%CvGjOh=rwGEBb};Yo~| zcBzVFnAWklWnNxO68VRvqeqOHi9xEIUimz)wW@xCCBiLZ-XhGvP{1;RQD5wy6}x@9 zJi?o;{9f!4(NUhLQ_g#=tXNwsFtcZhtU0zR_oq+g{vjoqNI3 z@J!m5w;*ioWN5&fX&Tg?M|_!4U8vSP#+)oeD21XI9&&7(h zb3AyhTG(|%;F4>sdB$b=1XP0mxsLrmU!QBb`&Q!oX`Qxo=LGgFk=>?eUG{x_bLnp2 z*SD9QTE6}T+BE0-t}{5yz4PJAnd=YO{b6n(nCGzQ{9yPAhxzwWRyp%Su@^qz<4dk3 z!2A_oa{Tf(4)Ns<&{(w9Z5%p{a{$lfR=087X?zEsc+XnC+_4<**@7=wS9DB#e963` zV{YclgY~u2Wb=dy979JLe8M8%6-<@5O1pDqc-HE+VgP4O6IH-x-<=@j)EUwqqs-jCs zW;$F<<<}9a=zGdv!AdsL(!)>Cj)*%*#71@2P1D+jowU0hRc{^>8f8*o=;dC6);O*n zCre_CV!ubzs@*D<-knzGp@)bPBu}+9J*sW7t+4vs4TH)=>H%3Ry`nK5%3xY1y_zxo z2(II)qDAR%4egwRGdv`Odvy0kj2pwL2q-aq^iKjZO+pT(P-nS>*RcpYW<(%E^fd0b z*a!&SN`Th`zGU3Oa{1ryHvV5&il@ihNRNLWi5Aa1(!Zr+l45mCck!(jH~&Va{IzEJ zn<@W$hQ`5Z9AG7g@%(1W`n$KDC<5CByU=u z=K%`ok-mSLDG3PJ2Li;N)yILjby8B0Wbe-ru8Uky-dd5SfeUt!mozT;5CFz7^mH2c zVTneW_YS_+?dAw$*^3?#C-fu-g7%u3%10G{yvq~Glo0HJROa*@QiP4DBu6qJ_f*Fg zSlEE(^3p_k0H9oa@!K2RhQp4`JmF5fPdsmhIOD9!9ThCCI~-264#5PcR$NP`~{iQ|vpk$oRKUGHov-4F>b0*j|li zD3KddCu=aw|s)X>CqeH$w^!-%ZeuV=S_Y@dSTq51{S62;P^D2wL-L( z{4@oovd4MCAein1i+JtDnNzt9w@K&kH-7hvy-%##O!mo=#O3yMBV*X&OluU+-cOIH z{q0lB6zgKeAItGAj+SX!A&MG=jVcfK7+*roMxXS4Xi&rGbLPtnviR&TP^bHsSB`Ze z{9j+YK0ovIjoWZGfXc6vTR`PuQQm(7Dgje+LaODjpmK4B{TGHytZ2F8*HAgd{_jF1 z>o1{_b0XG!;{c2_^tMYvWt+Z?Ij2dXqNQUGxs-pUoq>m>u~VBV;39D^d3YL zi0|&d2y=2=6*JMBlJ6jfvs5+9ML$;zmh+ zq`j~?z{jSUBjrrotOk#4$;FITT~$-xgrP2&JM{_MQN6j>$0bjsG$}0v+-2Cq7^`2C zb+)mdfQb<ubJL~odZI_aqsA@7`rp{+>d#)v?Nb19!DrUB6wooQT#}@ z(PZUpiajuTFE7eV_MBAr+r=gVD=<2GRhHjDswZ9cdpeCJ2Y;%`x!vvg7$NtCE-SU! 
z%%Y>=>Zhr@65=H2vkN_LA!t65g(B#4Oo=gZPcNRRm{C5>RRlvWlCd0^4a@V<#Eot) zZ*HR1H_DdFswKk~*Krj7>p0_9qnjvvvgOwb6h7JV>m$0kmd!gy^myxv=+-8AmV-QW z{WP2F-RZ0}2ADR=mUQ{S-WnTaOX^KUm~`(&Hy2@&K8JM6J!bz=W`w#ev3o!pGCH8} za^=nqc7HaXx;M63t^~mUrlO&Zt(Gh4Z)k*lwIY2r0KPf>z1(WKlK#f&kYMp=ZTkB^ zCq-^7w*0&8l$%?I{%`1z*rd+ymZAT7cFNX`%xH+Hyuo5Qa@U(>hKutc>s9N->*xTt zDnACF(s#bnPDoflw*jo0n6WR43nALc9~Qu~F!CCSvNrVyLYW2+5bq>w=)A!d#F!k` zC=kkxVB$|7^wT^RO%pC8+R#SKso$64tZ35Eh-Tz|*&kpPM^qUlGv;#|fuceWJL#FE z!^w=C%kHVVj77b_h0<>)k-CO@?j2%i+rSeW=tl(eS0jjdPt3(%rI7N(fV4X3wicPK zim91z6*`MQdIZT)6U+1($@IFO)Bj}SSVxL1SO`K~d76=V*4NKbC`@PDgN_@g*kZVl zO#GZ#`44=_xP!Z$pV~$34JEZNuK0XP9#LOyJa=OiLgup7htgKj_I=F-Y=1J^V z?{Acdu4K-AL_JRqi{pAt=y>KzfObw9N!$3;!z$^0w`ovw12-SjkO(^>I+$X2+4p;5 zKGtm~wLhB}A36~eF<71H-0-76-KTD63GYmi)Dw!Shg`|AE_UKSC_)}H@C(j%RMyz@ zc4~a96>;p+{(9p~x9*8EpMfhf`|~s73zMIpn|h0U0cr0uUtU_@`&W>W=bu7G4(y@( zSIGG9>ySJCfeyI?Z_UuE4#~D!GlWlvWM1p1+<=TM>;07Lk&ziXbZ>!-f`AzzWK3o! zQLR^CnhEyNNamyzFH+*QGUjsOcJk@o8L1j7<6Hi+Yd{notCy!?8cPu*q@c{Hexq}D zT(=w#*Tu#+0nWxLk`_Ye2FQ-?YETMX3`jJVZ!pkHrmyMM^EaE1rfkTfSH}#NU7n{h zdZwyzH<~tXL0jF6$3L1JK7>@HN@s1ciH>=-@wnM1jv@`ZpnP3Hnu|9Mb!pt= zt-9EHjeAT@-%Kar$2qiHKY3K+pw)hI=Qavcn6`aqW%7tYG?l!6j9=REc0>l1vs316 z&oPQ{MXGEY{!>H(f;>v})mdUENl#Gpw5KGTyK$mj@GvKF>3-?bA1Ei14sYbux${}7S+EnWQkfC&@HyL>rwggv*J&t4pX>OL?ooyS0dR9l z^D)cIdbsPqw3dTc7#p5mnrYush-BOSRvLr{;7Yei218|K(0N%S#5j-YK3;0f?a0$~fl zBaj_IeJyUfkGjW^v2CaV&`_S9YX6y zBe!UXlEyA}OK!N1Xp{*%IisPY<>G&o;#$s<9xj zzqIQ+ABO8}F&33o|6DkDv3#UV`+nn<_DB=1vS4 zZBJrdTRDp$P1$*FO==TlzrTvZ9u|ZyDA|eTrn;DX)2wlDz?*Z(jr-sk#BNVAuEF#w zq@LNlGp?5=FZG1TFW&IHaLBUmbxC%2~-MbKD3rA)g%dk_8ByfZy(9N9w!r7%B z)j~lrV)hQ~rorRs0##&tvsH3uu2rQL#ySpVr#Rd;Li{wxR3S1AtsPWqm@dhuX2ptS z-ix<=lzE$s5u=^;X!?=b5b|?BGf!pN{<|ZOk(YGseNX}H)ui7|5-gq+pGgp@WvMYb zgW!D1DGaIqK#rMCngXHwf3Jb{P{NPQ|rF36QA1TNJM7a6&cRV zcBt@W&vt6;7M`5#(mpKm`JduOzB-YAN^0Z|{wMC&oGS*&ExB>WKgf2od9NBI@%SUz zS2}~XxL>nvT~7&dBkRU`%5~hx3WdAZ86?;GBbo5zaF)1{WsN~{6E`xhXpI}VF)tan zyK_v`-aYv&s(6=b>x~nLQ1`75k!iumPq?WaPLbrX 
z)0h^f^MMg(S=XeCwTtRC%t)fNt7w}Qg|q^NP3~4<$P^6<{vaFFLFZM{N-Jrq8U&n* zO%Ev&S5>ugz-Y50X2Bo=oVMOush-Vl83q8NwzUi)7{yg@$7&^pVpt}JJp5VI}Uz`Mw7P)g}*3I zRoc10gNon}jrRyH5&!IGJ<}PCvy2x; zFTXup>YSSHGYUbS0@E5U$zU!o>4?<4MqTaf!qm)iOC=sy#<5eQJ-Io$gt>V%d6tIH zo?W)N-61UR+uIvMA|DpbZYp@v;51lZ%80&%-lCu~%ba0}95-ID8PxG7aZq?IlIke@ z7D?2bF?<$Ddc4)>^y+^tY_3M9!#5>Khi`O;j(ywa(H+{k8nKO|J9PLODrq*Kut~8V zNtV*B_Hu^)y)8z-gt%#ONM-|w2%4d@*TEscLNF%|un^24f(dcJgkT&I2#sJ|5De#l zMRBmj2#tz^EpY*$IL1PA;$T!98W>;GG>Nay9M@(354RY>HYDIru*C=si32!<*2U4# z93!+Y4!{r3g3d~vIj+n6*ISHW83-B@$8L#(EkSZGKb%!xzO;?S1(<`JC@ z3p&5vV#JM>gDpmAOB{eAG%ya9%%M4PFe<)UHi@s)9M@?6i!DZI6MhJgydfABhv>Z( zsxSuwjkxWcjr!u09T?OEgotY~2b73sixEqSYv*$|Z09WXmjeu4-C|tb&Hr=|KGlZBMwC7dcd9mMk(SBobI;qN+ z$#LY}bxvSxl-nMY=7Gfe9Cr>OIeqy$`Kxd8z4b{7QaZ=a;jj4ii|NgS(rEucp{r4Y zM~>#W4TKk*Oz6O6aVXaJh97y6;#Ex2amjNMZWthRnE%550{Cot2q6%DN9&Pa-%f%EyEY zx;vkW6usztDty1%pDEh#)n{i=P9XKZYvB}g>mDo}--yRx}$ zZPMx%k&~`&FnhF9>z}ptg>~!)v!&c-wN8zNFiAiBj7Lyh$AyBwxIu5w6Z!BN8}axW zxwp(`uZd@Ku9W_4$%S0&x+L*)A;&Lj%W-<*j`g+W>$niYLbffr5Q~MZztR&mShv;_ zft<*)feV+ga3&-etT8h2sWzw?&V)uaC-d%ZXwY(>2}__z;Xka}c#J7#COl0eMesyJ zqh9$;L|#COu$5|)VeibX(!0$|t2vz!abw+bgNg*(WX2;4U-rbc_S~~`GBr0ilxn9U zN8rS*&Ju78Eutdlf2Pq>zbJIbPR5kLJ}QBfBTorwd0%TA%>KC016|3Q=oqC_m1b`m zqvG;={PuHzBlNyN@oU7qr{=Sc94EAvQ%_3K*Ow!zWU4|gUd+>K2s=g2s@WYS=}8F_ zP&s-?M_IKX8Qn6HB#;qmE3B+80?$|8rd`#-j-MUFBq@+oS95KX? 
z=G#nWe6%I$1ytb)nR<@wadJgGw-21>PZ5=}6}~cd@GlEpo0nsfJ&9csyD*-+0}G|> z6{_|Zb+pkcea=eprB0I;^E9~Lpv&T!X{T`=ZYss0a(jmwt)%6Z)M1lRMO z@A^?bDIul|w_^goND=+oIk5AejoA#kemMg8_7@T3mPla!17-H}TXHfWqGyk>0 zod15o8CqO$X5C;8X<_Q_mQk$%9`>!&$bWbL8!#uNLkeJNlL`PN5CDNp2dR+&^#Fwe z9s}43AQO-$Ku|zvOYkXR2*3{j4-P&7c>@0Y55Xq@-SBLHnoIn-7C!$j@&q&p2oMO8 z{};$}Eq4C<%()7j0#txA0dNBH1QI2nO~9Y)`horq;Dl%vx0$mwbFPdv{yV@4z!jQl z1V!fHVY$m3t4982&VQXbMIq)SBRT~!=euR*L{J0o-YCQpDExt~0z!SQga-nqNs$tS0Q z@9`E!9?4~HS{24%oF^Y`ZH7J`yyKQWm$$8-r92XyhpD>r^0n%4EJ`0n5Pzk1UN_jm zL2lr-r)RAvo$&QwzMYJNFZs!ZF;ogk$BbjFb*#_Z4k1vEXv>=g`i?`X@iqw=B20N1 zW0`rqp0+xdZ@~D;jm`Sr-(fU2%_J^xMi8VtMeP+v*0C|$AG?)rDxZR;V6INNaLm)A z==j59(od*Vx-_NuGs6K^Xnwv zmd3~R(8-NAO|tv*%vbu$*_Os~R`YZPOBR12p%6jAD8t7cQVly<macO$*tuN`>guBhM_2%@%rc zt1TK|V%S+aP32|G8whMLa!jQa7NSO^%*Rh1Lh%MG31iAc4Mq+fuiMAF^Q6u_n~#1c zcuIBe#P|xKgu|rz$7m4knEQdp15Q8J2z)G;(n1j~r@=hO5Hmxs)dTC(+0O(=Tn$eo z&q}+K&e4Ie>`0<$cOg8QRy}NECdqXuWI|DIAzDr|iJR>%Qf0THbtsb{7yTQZMB1Kc zrJIt>2W|R}5WE_EqAz)yWYnLyI4@$q&5e$ps9A#@QuL}uV_Gl_84*(@y|ATPm&buL zqh6{mVY=R~PC0&EbTDy_xnNecUifSla>OZp{tBWHQ_I~KS4y)wZF?&r|L4LDFkXKm=R-D(&6f7p8u zsHXEg>N}Lg&=d)TB(xA}NI*nnkWnd8LlF@v5t)E=5Rp+w(Qya@QUW5qN$Nw8x`zL^b1ax<1_q^}(jOTv@jv`0!=*N4%_g-lDdlBU_87$&3 zx4&nUOXhv#?BsVgYw~+;d=V&@VCQDRW#kJ=Hgp`hh-TRg=5Uz9->g6lYw~+`?>n2d z_stq#gjQ{UI}Lf-kgYvH$%a}c7m+HH!3qv@@_R>&E`4XSmcCh=ivSYm$PxJ1 zEOHznLT)w$k6=`W36CRSqUOa5*!aje*uR;pE}ylvft5WDoNeanH*0wj*xJx2&g?D@ z%hMhQf;DsUn|*e%nE3|SMue)%A+3~HOsNK!k-*jlOEz3RZQx^%16!N9`u%x%ads4k zHM=-Y1f`hJA`X|$MI^GA!uT5@|D>Ufh7j@-9}^+n%z$hO(-*U0%9hA$03rFhqNPKS z`BCJSsKH2;Fx#%^Ka$G|Vs+bE^P|_Kjy}-G`yALA?_I7dej4f!djUd{zHkW1j*!Yr zWoJGkq|%~+Y<7f{U%K!IAS9kkS@}GK{8FzZ{!6`*vTS>cTo6)b$-*BQs918rA>?P> zQW`3jTnr&`tUxw5gv7BOLM}ka@LAz<-Noa+l)Hh2bT;=`zhLXN7cB{h4MRNUGlH)E#l)C0GX zc3JbJ40wpN8{{e39u(M#o)ACx(4;n?#%q%Y)eezqteSeTH~XY*G{+uww@X2n0;d~-_GJmS^e7(u_mtbb0O6!sKJ`GDQh?u_Th`FNSQea|Cg zPDlUP)^SzG&lcuFpcgHkUj~HB*73j=qdk;kP(0>iyE;27J=YdJp+z^ z6*U6YaVAVNdkhJv@vlNgEFeWDm9nVu&m$uzFJ@C1fD~EC2-wlzpHU1D4Qwhdg^b*J 
z5iEDJCcBqL#$w=e17rkL%7AzgfTKV7egJ&G1U3Hq$jH(gkx2i)dGSwf+x#Ic2zU|p zkK>ql<067$OXQJFzR0|hFkff%poI!zSKxbPkpOqvU(nxfd)t7WOEt$OyAVA%kng^qL! z`)yassO#`9N5y-%WqFb9#HlQ42L9>ks0dZ1%s0W0)EbNZ%IT?PI+j^4I;Q9c>2O8& zgs@7C@dx!z(b`jPDVl+yySp*5jwMmjx#=%2KIVCk?^R3-cy&p&wCYtK`P9^_%bFL- zulu!c2fV(b`(Z+LnJg^k=cRDDqoF?c5PCSr6;YGAG?@iC9dF;)2RJq z%IRCPw*$94RE?fjm2Uj?($!q2P=0wIPyJ^HHJ68n+DJ}ZH?V%4cl5+4`m{LD21&uI z;n-w8k=Ga#Gd_8trgEt&T#@NFf|;V*EG)Nm_?Svih6X%*vUUew$kM9t$xl6^Y&6+z zpzghr9NciDB=cZ-sslbYBLr2JQ*VNxbnrTLkCoSjMhH^!c#A@m`JB}0TTfAWtK4r^ zoV+w?=e8xRAw;6e?Sh(4_vB6Cyp%QA1BTllf4FtE{}=eaE0wOl_T6s(@Jp@aA`{){ z+1L?LcvzL9Nn-!fAA6>Z74JNuJxb7yRxNLNz`bQD$ zEs>Dw$Td5I;*y;aTNt-)NDyGgtxxAH7MlK(@F!1P4X_WG%^>#z!5^Da2vH#O>Jcy> z;6Fftfd3%9kO_Z)`2hR@!UGft5RfbXvEUDoAH;uiJ2h|@spA?#yHhCnR*AMxM+4*o=8u)qE0|J-lp9nCXXp#{<}it8ru`hPh2$VW); zkGdA|F;tYG|Iudxq+d4j8${tlX-2VxRE%4U_AR7*v__jxS1cjZ=fMtK;5!9RSVyY@ zLK%OzFkw@l#KR<*_InHiO$+T5#Q7u?!SPNBhOu@%#q#kAeHgEu3QlxGB*tgjFjcND znhr-hxpijj1~JQc^+b$PPE5pfXWs6CSIYTv$#~VgfFJLArdgQAbQa<@D=-4BG)k9# z>&L?K;$6-OB`NYAzLS}lI|7q#a!p~X1xl^MeHA`iwiso%w&c-k+U)40>WFLWjF9N? 
z=@lpU4G2s*XC#i2$#rLqV#&4kbY8ONKw#SxZHL$NBYlNX(ZJ$=WGazroF@fK^BPmX zbvp6MW8!M=^VEod6nR=kEy5ut#KQX=?2Jl{z6-U(=;yIu>~z=El|%9j4_?t#=fw*p zJtB_`IKAw7WO(W2Mf@@Ht0mx1jYWT71Ai(@$EN4tPw@*)J505ZuylPR1b=d0XxhPl zslHMA;S%+YvP(}J$}Aawk;z;t{vyTPHspThh~qv(1Hm6|em^)n{2iW?3saB^X3tK1 z(`%P>a`IuV{z!>LZxo-_Mi^Z3FzrONvFRD%by8w3PxjqUUbt$`XHkuO7=pb(lt`nHSzJBv+u2gN=!GCLK4@x6%Ooc zdwp`6QTo$HgD|l{yPS%Zk{k3zH4f*XVAu`=0dvhhVW0lo0_T+{CoIT9>rwf+2c5EL zt0_Vr!Ug$Tyy~@W;UZO`mP)~0KBgvnl|+mQmPuMk<_dygI=%*I=do)P{qK(ol^O68 zgG|(IRtq_{8u6d1dt$ZWd%94RL8-Zf;g(gJHwMTz(FEPe%_g+iVx5#VCJ_}5<$gCS z1HH;kwy8N~Ox~=GZ!XjHF>sC+JX%xpOEq&dTat3SZJ2Z2&=PZ}3-^|zYX?;ApyyYF z&vxygxp(cLhq-p`h~v0)?MQI-oKajnXNlUwk2yVO)bhH}h4~j0m(^_X`^yi_mhH@S z?T9&YOwkDF4%Em0Al<&0)W_iqbBKIM?D#0PR6uFcfg10@MSL2T+ft_5sub!3ZevJYVhmEcLw@Y4#s!UYheDIS_)v z#oS?F;Id$pg?+##2D0Bm?0Yei>_3wHf{FzXvqp!DM+~{i*&qtDs8d{=&0X^w7-^=A zG!Ibqz{4!^=3)>-R&q8-z;LyRfkzCS;)R;uz(_J>B$+MC!o?tltmJGEeBo*nv(p~n zyb*u@IfEENy*Zr^q*!KyEF6w7mE{OS3LlXOWm!P(8G68*+-CH+!+2yEBAky*(-C9`fk(#(iRMM=Q9mZY z5%K{~I#XTTGcGLi8Q3Quzbf9T)Lr&~s8KHVK!;K8kMYxwbN1|*?u0w5od%tYcmR5e zy3@ytc~49qFG*}y3QG&<%AgC%(?&f@BjZL5N#QLOex$Mni7tuoz)MDmQ(n`h%Nn}% z($icc@kU5FWGo%oUbBr@T$gNciPSh~BtWjS?elFQhWg^W;DjPkV){SaD{mpIKc4o~ zK0P_vi5y#wE;8_LIh0x+P@(CUwZp8hvi2|`^u3{A9`DCT?fhqcco;`;4RY%guJyhj zCHn2%>F!4>v8yg%ysKXJNdGXk810c3Xnjl3p7Pg~>5Eiy~q7fLTRI*41`9L6zM z2idf~&r)CLY+HBhdGp^D?DiKu2t2E;Lc1d19MWw~q7KFo2k8mw)3DVOuu6klk#cPLTNiMC2dCf24TJPr}sT%=AU znl<+CByay-#q?yTrOI?_mqv@_jeA53%dssC&zL8ft}PQ8uz5f*bitgt`H?~2Y&VDy$QZ*e5dL$=grr3ku=%C z$3GX{-F#ISX(=CSQjRVj2=g1y!Suq=W5)Xk$KuC%iFd@*Tf*t0&f?lD-ILF$?jgyp zeN&j?%!9NYjiK7-q2I&kR$BydLQXLLW*=WmPrt31`+G|8tq7!xp}ix2bLqxM4C~!$ z*9)mMINH3zZdZti5OQC+d5WJG8OB$oAyGm7h2dC;yVa2SOO=l`rjmNQ?^a9O4DNlV zJ;@odZ=u$QzI>-=wpx*`SrN@<53{A6(U*sB%`C#OUl>Yo9kUisRfa7Vn=^$aEBd7&O7~M!W|$rrjHBY zj!AZa=>XXQeGkwd06Nx{A5*o1;Etu;%>dnE-YplPqjJ^m*nkck3C_Rxv%|vVN9M2& zNO^$lz8dSOT*z)7)`2TRjvK&YaPIfH)CTf#xiB4-3)anJI&erh@A~hnv5v}x?B-z| zI3b*O00^L)b@vCJ9p|kd8`;gnI^tqv$BA`->BcE9hyeB$CA-Cr 
z{@BS5xW5bU{)$0*WR~v$+>KLMd<hB<*L7O|%M z7<77F!7)Nl*@Gz6%usrqzH8`M__yOJg$DBIC+ToW7tk|<^_W&bNIK;eosjzUTKC)X|kFvk-!luFHiY6Wk{c(0wAqgFt zr?RtBn&Oxwy&mh8j7dJ&Ns7TmJ}wSUwJqN+y;su|7SU6hBKfBL%Cd7c7y9&19{I32Jtx)HuRiRYz%yrSy}O-4 z%eJ)JDoa>zH2e11si*MmkKl^77E1Y}C6`B{{aYqV+NMh+3CDQps=Lmv@oz z=lywB`rh%BhKVe{gL}5QbYH2r?GP02?qqDHU8wK!$#RN=q2)1#(wj6Zjq6Y7V0`S8 zjUm0A0^@!EzHaTO0;_-~i#0tdkTKXTtZ$b>SNnLBQsmX|<)Z;Bb4GS=8xt0RkwbX` zOvYCJYsy2<@B!WF<0f={Py}hc=GCj1Nx3A^DALr+6`~&-b5FhuU52RG96@MW6Il>x zq(X^1y3u}3Brng}Pg}Ocy6#yAFcvEU1Qek_Ha-#tEOPRTKg*OAFrGw}*EgJuC&3;gne%f|T*jqQ zTqHd)&KL=bi=ivPGIY<0iO$4$<6vay-=J-LqddpJOI{HI51#;xhnI(6fFHeCoJecU z)Yq)H-ePZMVX)rNQpe0oi?UzS@<&4_x|a2kb;eGbnrmxvY|;|Fi!z+6PHy?RX#I^U z<@*hi&szk{Elf=)wgy(;X=v$^wGGt1u~FUNp|M6!Oja93*vP+36fP`GGaDrE@tNt=T#qxoR8rjW!rrXq)+HTLkKud1`2`QPE3? z?LA-0VeEZ{G#a7xfdQ&4&nP{%-XLLxPuDh+c+GD7CShLUU9X+yBiOX%arY87E&pL^ zaMOwqbWHAwjZSV81;2Z`DQEC`>U2&Ny(#WgC{7=8EHJ=$O+G2ji&UE|D@yg7EH5ho zozqn6YKq>elg!r!{BQ-cCNP?Ld&G>blYXQ}w;dl~WD2Te)O znr=AwKWo0@Rr##t-u|a5&rXd-lAgCdO!a?$dZMKAdD~RW)8}WVdq^+NzPaW9;@rFO z$`|b)-zt6q#h4^USW;_aqL|$0yE?8~o9xoXf-(ylspo5L(u{H>01fkwUuwpK{_7wZWOVraoL)19ys5+P61P0Db)-&ULWKZ1)U27 z2U5jhxXC)5jUVL$LR7m6xX(F^uyVn@KH&n{<|aGumdBKx-h?=|A^d{ISf8b5l<0CS0O<%%a~N_d31TN}@z7?NYy&-s=otsA`v5 zT=Ap6&b))}FVQ)5=}KV8>#R}XQr(Ld1HqZEvnM31O7&*+HsG$Ve{69zWcYOs>Rmtc zw(iJ>*SRo}GJ|E5!7y>$n>?g-nUQ4QV5Huge9^cvV->q25l39~>)k;15Wrt(2+r4x zKn~z|_1l{fB_3_k><53ttX8G}(d^ozd zlMt<30=9ekBJQ}y2DkbcGPIvx*m*o*TW^81q^NHvT$4A$F;e2w^@qnPvONT(q)o1vYHrB#B!^jf5HNteNLq`hy^p6F1M6#s^3`m!K*9-)$mm6WpFGCu>= z^1xs2K29OhL@N<*5#N6l@&ueiP!h|n3B0hK8<2uSCxV!!C)71OsIi%f(u7?e(W=m@O(UCg_ zo~}AXiiuXy|Mby+Is_|dPsmvIO}6XlN7C@t{Ald?tiBDr4|WfUf&$ShenB7N$`;(C$HvZeGQ=_T}{Ug<^k zA|Myx7N5;n;`sl-XGgH@AcVUahJswC$*u}w3hbpBza-ay@>{u;G) zj8Cp(!W;h!kK>K5Lb=~zMaIJ!!XBeI{Jsb){h+v%hP`Vvipxn_d3GsnZ%VTE&@C+l zujdYnmt|lp>`v$n{Z#d)%xXq0lAM!^=Bq^*$P(n{2%-;sKL2M^i_iw|9_`(8Y z$Pq-ponJaKqZUbUJpkjT7D;fbML;Y<@^M3z-b<_n6zrRoT|HKKurYLMV^Mv2fM;`Xkg?ZHF 
zA+P^26kia9HDxi}{U{|yx?7B9k5fVfxy8vS7JpXtfvf1J2YJ!o8ks5}ze%;-B%qqm zyE);99q$Swt@KjqQMkMyfND2_3>=MhG7a4(MK+&BXCZ8zzKgqs9_c+yskt7 zmyVT;B*&-kJicGqs|z6&4x7koY!WET`?3APaRlD!^rKXBKTRcMw6bZJewv;^7+<;{ z^~rXh8t3y_MKu{-Cv(wnALmxXCjBa_i~4TmhP7YfMVtx@GR%{@L3m2@bq)1GDujoQ z*Z*8$!YfdFR?JeduGbDuzM^r)w?RG3La+;oRb1EAlI$MqPkY-dhwmecE z_UR*P_Zc4@Hid{e;7 zgBv~__@dCH#unh@!f@;er}7ocXAr_Ee$7}e;dA51Vuc@a&p!t^x#c(UA73uLU?Dxa z#Day)AHUDaOkBotWfnc^f-FCoe54td#*dl859#Sh-TwUL+)wy%X}#UbdR$NVaf>#7 z1RY@%N;6C2PDCZYvTJ?bniZBGZ6le7%6u1<<m67YVY{QNS0MHM}Vyt&IJyG(ZHYHG0v^)7O$=)QNO| zpZP@-8rSI~cq&p{g9`Gf6a4 z8Y}Tv)Txh*M(Hf4ibW2vj=H9AxFF4GVM5)FS+F~|5ay!1q|m&~Uq1>*RyA$j;hSg0 zBO?;79mFGimXMCq^fod<5k%_B1y9}EbKRJzR)DL6p?CXTOVm*t{3*OFACqvQTEl>l z7}mo}01l#$e5`Y?JwL&mZmGYMCw<^eDPf`+4=GDTqx|TT7kdfv}@j77r?r?h~@}oCnw(l=mT;bq|{NsMHiIP z95FHilm~=62=QivnlmX)wlgni^_E%D!R+Vwio5+KkM>!7$KL8T*UvFq?DiEG`}6L) zIF7oQ#cm7kx@KG5zT#qk-f7poyDs)tH&7fmzu4_7j`ruBcFnu%Vy8S7;z4A`EOvu( zo7Lc44;)VYXO(VWKHY~F&1U%ylyk6_ZkH_Q_?qjkg{NImG4O0f$KQARZGXC=;}c)U z(d9;WM#II!-i$`TbbD7sNYM= zy&KbCGjO0FTz4piaLmvyQa(=Er9(kT*@;F-Flm3}9&T*<9utQd1U((fACn9blG?sJ zaSjyXSk&4;C(n%7INJ+wC6^!`r2K*RO2}XbH=e9r(dLDWp9+vlxlz{yj3ne0GYyfB z;dMR*d&Mel<)Xuh-idOI3?)XQnsOK);jmhlenFU?U#YLNCOqf67QM%*Ar5pk_nL59 zqw3~QNj?Rw1Ae!}l?F5D>R4O50L0!%T3KzRvt}23pdI%Zx&8Siva^0k`zt|mbAMNL zOMc{`U2YhUbzRFa-BF$CkK-*Js{3Ru$qg-$qcNoCxbfrq*drag+da1l@e1KR3^auX z9sDiTJA_YtV|DQ zJks1q*_Ty174~u4B~&`as4uH@MTDhQI!L6G>sa!t>yF$KS6z@uC%fv8k4v2G%Ub=3 zvwfMR&i2iv7VmWHmHN**-RQHOZrNkG?#3m?&m*bm!Rz|&+tkfQdL%T0F039K<+q8% zCuMY}Dfyx_Ru+v)sG1w9ZK3sTjnmSRMAG5Y_H}L&m9$E=PSVZ?RqEFFL0~w&bK3sW zjyA-OofT+J5oHyh{LASz_islec!be2Xr`OPO8hn66!?d{-c0`f`nYeaZ-Fe&q?rop zv0sUA!Rq%&lgWT9CkDmKf_koN%Zu5^JU?xn^pa&G{HRqwhcNR8STVF&S@xZmz z;BiBRwvIY4!>Z^XLyL6I2}h@{6Y&~~GB$k1Ae#sAij{?;>!bY0KArYry@c|U!1LA4 zqvH%xDijAp9qKc;Rr}$q6wNE0E`;zl1e;cFf28Jkf7szvV2Si-9?9i`-|dE>wYB@6 z`Fq2J;)9Vh8BIwp7hTXn7v}E3zXf<`Zh&`h9If~3=|Rqh4)Ks*&u}z!NPvnC&V~*Y zmvvi-x-c&5wx|Klbz9WCZjOcy@dr50h7K`iL&y7GbDM_5nT;|5Xx_F|`sYP)kfW{* 
z>h|TR_no`+hw6R70|`P{APX%RCIjThPJ{pu0S*ER1ULwMTvo#`(D7I%F3|nJ-91Qh zj#G>P8glk_Fn7w9fTLF&Urxo3xlqO`ZCgl$P{S`r$?sf%6Ds)y4iJ!WgHXdS zN6GJ8fD!jPuXLIE9yk#x_wF4vM>l ze{^vIuC2{pp#4o3(xc=lkm5(!n;(Vqu{DZS@Ja`bZ8g2_0=n(GV@I{yB<}0$zb(5P zp*|L6C}1|(TbSVMhJ+=^X*u78+q>q`Q`DTGtN-k}VmR7`_{e!hr1_XW)=#&@1DyaX z$x@^l7$No!VO0>c8fSEr<|L*tGi2kf5)wKbWG|y4H7^Na6+?XT+?~riQ_W-r##0;} z1c)9|x^0^0I8sv{jT0e0Tp# zI7ra=F!3i%+b^v|$S!W$LY}QGZaS1pW7}+Do6M3GzcP%aDt@KdPRkYwez*ekVku6k z9-Y|~C&x;}Pocs^%;PfG6BKu&qBFu7S>Ym6+v?mscDc9-Q`$QuR=v9@WJD9Tv9n8T z5|9+snXdk+2nMeWH4*H9Q|{s`Z6gv6}X##0r;6#Q$vOiVJ9V_O9@cUK^??<YR* z>yAF}?i20jC77x8@;vX}f-s989@^$CkKSya2v=_tzpjLBUQ@4WC}c(B-F~kF{hKBa z((f8Cdi~8c>PQm!8pr;45616i{nT;8(OYQ7&1#=rPpO@mx7zlvt@^&$UwA6!_Sqvn zHAh6MXv-{_l^v3^g5LtY4}FE}fj^q-fqyIdN_F55oFPv1!gVrMWrxI-uMTlaa0zja z@}f9*B2-XZb|ScT{GzyY{Gxv2+=)Q;Lmj^t7b|ZYXN!C8M1rBKk#PpZfioKqpvVK9 z+0Ax&ur?l`#3u^^DWJ#$k_B0NVE_VOQ0#!)%Z`Eo|G;DzAi$ZiFyrxmq?)kU#`=>ZicK*_X7dYXQGCFYo7~Zt#K3IA<-x)0( zWbOu*9-IcFlyh`>V~D(?V{z(TQDeyU15Sl;x{)dQ;V8tq%=q=Lnqi3>gMEq|Q5Cv` zgw4T`oheSip>%koQ=JDwiF~Ozbz7i`JA+7B=aG@=EE<-D?gmGH^5F@Fh&%W0@}At& zka08e+o7_OV@KS*42A3f3<@!{V!RP&Ca}DP5!7a-WfZSA#bsz(o>Ho#LyR*YF4<45 zyvQ%10#QI+t8(&(u#8T)WcT~=>K|Ju&O!w8FsU{U@wBqWPHD0XXoE%;RSe3tuKXUc zZ!@xQ3{NWO8U|B@wpBFrih*IU8)6oxiVG_I%7-cYmB`W^4UbYzw*3~^X4|akTh&XM z^soImM7oaG@BzHh2z$&EpMkKj96gkGdH(nhCyCU#Af=PB9r z@}x+okw-F=1lJc|A}8I>Px5b>OM5OB_EfWCcYc>NepQ~m{YTJ6^(ACM76vMQ^Zea| zFN8fy35x~{=5F`oBzG@q{K~!f{nw?8U%4fX-wuTAB5fWsSx=e8jbGsV$}DR9LcXum zLJnlZz$Lodq~^NYe(ePtwQOr)uM)y%GX@1ODY>u2Q>CM`B08T?clSvsd7|QMLd2wF zd6(51W8++RY3bm4&D7Qg#o6zF%HL21CtunJ4*5D<4~00KT%JlloIdz;U88?r4eeAn2NBKY)ztU!fBLp*f1^fp2dDC?&Q%_q1Ua%7jKVi-zU~jr-#F6Sup@o5fZmt7w}VdAiX1>l4^|dnLJJpf#r2&yj1F2bv280t!TP>+-1CFV5NJ zF=377YWrT1s6Fy4rz(iD;Zy}B7R-gQmL5=9oT?zoic=L7Z%E)&1y?dvL90h<+u!#& z4K$>l>KA;Zap?VJ+FNIXuk(!;V?)4G_PU5m{w# zTmcc#A;3@$Km>JeU&V;5zBkq;*b;yUFm4_rvadUQEhaKs-@rf^v-NEOCURYqWilez z1cMk6;N4eaBD3$!pTX*TTY!mwugUf%k-i%^d;0a`!9vSin{$8OH`ajwarxYutQS&V 
z9~Q)%0-MN-lzIgL;sInR1c;*1D>4rd1XN2}!4y~|a_2GCL<1oKgJCcQX6p&+fsNZ+ z3K<5x(L6EI%6IJ})jshRCRgmpdz89;s0+*>&}@wmSej@_+9vmd_Kc6c=>&ZT*YXly zbb#&SllzBH^CCRFHhE?2chyv}lhJbCnf2{*Dpg!6oYpBAUn6=!P^v1yQ0JygW~X2_ zHP2^@vA94LVF3$77yWO@|;XE4MH2=OH(Bgc*wST>Mt3^e4Ml-oD5&V`aJM~zFGh2AFhO-=@u<=@4Gbaqf*tq<-u zIR1^L_}Y>KW0BGqC-w|l#d?3AWowq07dN2a7Zf1#Id?H^dol(N@E))23i=szxhQo4&b# z;A;(iOji1Eyg**fx^m?O83`$b!S=jp?Y1R^wV(@B5iMVEyAdXWm~4Ld7>`Kel?T$J~-_%=xwd@y6f8-d_z} z-juh@dcsKR!(fz6Q-P$wl?l^tKU_O2^mX~+e-|)`L?R4{1&j&9LL(ADgoN})R{R7M z_$Fgv#o2&5p}Yw&A3--P5FY)ZjWB?d04mvu5-5!jR5A&a>sSO=$?-pfO2D~{MOJ26 z6SE7nM^<+*YhspNc!Wrq8&m?x5#q{4hGtnSvkQdB#h?z?qsO7_!LI1vWaqMVBe@dfJ=`|Y>gDNQB@3D zXB6d*KzrmF9{-j%sK`c2+4o`c88-l!E`Aw20iMz3`G~)RE)gr zyx?yuYS2@d;^d#Hf~4a%W6nkb$Aa^CmhFgA>nkfDXbWwx9o4Gn)R$JQoXV*WIg^;U zJ{7O7URt15TTxo^8xD~Z=4XAf_2bc4L|uoPX7St1H&f}?QZ>VLyL8r1orj;-ktdrN zVOCqN(75|xwc@CeCAlh6Xvgylilr*kiMK}8EXnA-ABgR@TsnL&X=kOqjIYD!8IfU+ zonBvkVBNcdjP}9Dilb@M1OS+6FWV(h_ukz2LY=VMsjn0uzj?0mWdV|@KPrA9dBOxt z!k5M)9;V6f{`7ug$>lKlrI*8i4=uM;co<}dWv3%Fm++zG=2e_<>W@;3`Ov_ImVO!c zA5G2TW~XK^aR6qH)f{2&x;_MNF&5P&#yQs|Th~q)tNc_gNK;FsYHU7FcM^Y{E-h-N zwQkz-`F^N^!UL&+plz2vvz?B=AKHISmX}W9iygz_$uz%Xe^%^VluJ;V( zw;J}++j?|W`lYIzY&9yPCJ4i#Rd zqD}ZHl|QD23S1xRuyi}!^ix8a_D@5woWPYg^2c9M_~gZ`xvtKA{j-hp_)O z2B);zZyOq!egRpT+1~DpwjS(I|Dn&Rh?n+Ve|VBRar@nC>ydoN)zfI}Wd3n?NP7Pk zNmZ`;BbK`jy}14;$xVL*fQjaeoj|D*2~PbH04AEtRU!aP@o)M$mm|dMV>p*1#JLcr z6zb0qrWhw-3j78U=HA_Wi_{lG-NgeV{*)OT8^l~#PBvt0v&?MD%rJ#NFt!=YqedjS zXoQX$fqDs05}Yn zA)_5TK7t-&)&|9k5imoM%(SkPiBy(*4FM%cwD^N(W`hE(Sb!5o=#Y_!WqH_uETQqW z;t?RavPWBh8$IJ&gAfmEiDF;`j8QZ*ed}fsuOR~) z$d#<(VsOp~qAj1PkwTprqZk;$f?*1#Z=H;!vaD<9t`X!~po!m^F$yqe0S+0Vb4I}Z zOamLpl^}-iPyyZpQYl%7j02D?3EXRFgLVLXbf~x(@av33 z32jp_S1DeA9~&62W}Y*GPj@wVm@~95W+cjS@Q#q5%>dEs@oMH#BlrMJKO5+lV9$0Y z;KD2}9tTW3Kmn!2FxcNT`JX14?+J%NG^qpBMg@>$4j1<-yKf@7AK4L!kGzv`Ofm+{ zQ}CU*BOkLqrMF(v7jE&v)ucZTZ>G(9-BLG6dm1pE}H$Vy)}BU?aGID<#u z*2p(MQL{WQS2}YC6&ySUg2tP4zXIa|eMz4| z#iV^=7azfQyTc~Z*1vTYi`?=m=>c5P{B@sz3P#NZi3=5-C=MPX`kKRxv88EVnRs4| 
zaz_I($fdoUj;lWV#52G2$Q!(VP@CZ63_`0>7^1BH!+xGjdQBcrcE;Pu(X_N%dPQWK z3oT&xPs)JyuKL|5&%*fBb!BaG#aEC994e)X@lLR^Jer?cjme6T_g*AF;mf;_g*BD` zs8KjvzN-0cgOFbxh5-x9X?T+*mG)@zw~98z<{LFl_hN>F0?`L__n6*p`?d`36&ZB( z!f9&(tsa=_lqX^&zDjGKXqa<-2I*pd14HY!@X1~sb~~H&X7H=e8dcK1?yONU{435H z6^{LX{j5=T$+Jd=^#Ay*aagMxi;pfWln}Ag-4&LYJ>FfrNp^}?Kp{14{9*4%Hq2U~ zY+Ihzg*wX6xWr~8y_mOoH6`Sgj{Jcxl4^>DFw#G%WWCZZ8jp~8HlBLd?z}ST)}{Uf zPx;Rz7H`7C%fE9I+Ir!GFib12bh~R_LYI{}GCQ0V;LaA-%)r;aU`#Cyy=)zmiosq$2o+`PP%TJF(U zQ0n~BH3pvB1%B7G)XfO@l(9k zWLa2`H%1}_hhlE^7E4_AT)+KV$qB*h?nS=0J8p)rGQyD({gf7$Q`A(vk=Fm|MXzR4TPbXr#M zkJj7&Qd~815n6}v&@4+ z2p^dzjdM`Q47EVfmRTrd5g`i)SutlQT=b(@|Og1Mge&#}d<}evM7c!$Q z>|6+lkR1o1m@_94GPlX*G{w(Q2x@*7Kp`{Q0tH-Vp%4%uU}*M$3l}b=fKr_i2m}|P zA!vhKfQHPB3p*M@P&*$DfkF(>aIWWum3rYqhd?O?fHb&%*9GNQWOfYg8JzF09V;#3A=?C78eReXqPz7gW38j8_j- z_0E7Q@8!I+|!UoNQ@Vq9RpY3UBh58-aIxQc*H)X>g~llwnBDMwvYJ)lx@uV7fswf2(Egvy*Q!OEOZ znbk%x@ykydF;#cRTdN-RPMu+x_5~U}a`-KC7E+z|^2_R&gp zd2pG3H|T(l?TL!IXrz4{;c*qtWALhmAuIIeTD5@Xt5ko&vp0TSMjuM+H#=72VjaAf zbhA~y;@S~9c2xY*wId`p5>9*$lMY(o3}rxjcRq^G?Cp)C&h4 z%7W5mLC5)aHk+F*^<1UkQ`S`qP;2; zw;?6pytM7dr_Ol{r689r<&;b<*TQSCRT)K>84NqK>@f`4u(3!*#*549l#W-jQp=6m1neFbB4MqoifEj;CS`eCHja>mI=!>nN^I_ePO& zJW75DE^)=^ULcCg+lr9a~uWLn_Q z#5bx}Bq$1BlEX!KU*pFKIr~%t?FaCfA-V|$Fq|uwOIA4UDFS@ttP(x zeC&vQ+rX`+5Wt}%_sq)`G}p|FHKr!`zjf>=!PU+d$8fQ;B{+{A0UV+@BhbfCRu2ga z?QC%nfo4B;WWwP}8t}8{+1Y|DKikG-u^Y(01RLip>II@ARGGuT0%inGB!D>X*a%`X z|21+1LgHVJja;?F{~kO7IT1vo|5|cn$3_-20$p(q8-b!YFB>x_D*la)6)u+=iZ7>W z?(EC9Xe_ysrThKly-SUyS91-H3d&HL%B~ffC#mh|Ybw89YFkJ-NolUQS?Sd1_s_oO z%G@iDF+ssH$Le&$qs!@Q{LM%DPd7fknzt!d*1E0f$@Q|Wm9AIXnxEdT+j%+1 z`b^8Sf3$x8bmYpJQ!oD2aa2go=4|WB2Y>Mmciv4cHVTjq2M}?6IMEUJ?5! 
z-a)TP35MDGWH^Z$NE|o%F3h(xqf$n|D04$Yv~4Ed2_KeSw&5U8_5ob7vOdOX&@)8e9|QGfY{D6p#@Odkl{KdkAF927jN1MTi*q@oQ4Jf7nQAZG_(8+_ zeqwAG>21U0WZTVKu~TJ)s=4c0QQM5YamYjN`uc3=j!QP#m7Qt4K>_Dt z^6FNV%kFd_pD7%9`n3MF^5G(6S4#l47}L>DYKzFUTGJybtyejaYUulFNaAXC)#=|6 zvD#kMN6skpKO0{6%dJ%PxaLzX$2MdnK6b^wy}Q$r82xtm^AY4yH;~Hj#u#6bkx^K* z;QDjFHU0}3nHTt_GctetF1tiIBIriMb6>pud;=+)IUT+PHOlm!mtCA1r5KA-qkNAR zcWS&<=C_~!cEW7B%Ci@XZvDK)7#&Ga1}+v3er31$xFn<&R5HsdR^n&G8;9rK_ixHGa^)sC>b|5g*H!8 z#MA^Gv%ELPxrBx;<=SnH=F)8qs;$wFE&uglm?J2SUS`E@?N*%2+U;_#L1}R=LFwO6 zpN}Btpiu$}N^?kxVk}9K9U4(KjhVM+jv!|pYJv9y2L>8*tR-gG-2Rxq=JppNB&RRU zLP+S6?f)X>k%f@|zZM_oAtZ>%R3raJ$iHWGziQ3xKS9WiOoSXSdl0|=?ZkuQ1_k ze(7q?;cyty!%ulwIp<&u&5)28IO#+{MEJyO#}Rbhb)*)J-KF z)cNqteJ52j5b@kAh)3TMQ5n!6Dc%<7e!u-Ujh5k&zN^i*hbr4%xLJH$6NY%1vnLYq zYCtL|5hff^{quXhkZHHFc%hd+-?CwNTzJ%Fsd2W@^vr5E1;%>~!H1t>9ydSe65dmz zFx3`JYl_LDBUfG~2VKHupWx|lN^E;gyDugkeD0L1a6Rc^jHVaKQs`Fsbr^C7@e1}Z zBY41hg$^-$!hyJ|2k#^5fA?s{d#{r=k1GucL65Jbrrh3t<#=1jvYK0^VUjuM;mDct zMdh!%a#Z-T@YqXGsr}NGquj&AX53f=iU0Klmws)wdTsm?!XuL)Wfv75nFJ|QAbQMv z(JM#kmoZM9!s84<2Hx)N(ZNvy1B+JNAA6Uh{!h|&Lg9mh!)xpEPFfzH^o_{u-qsL& zjdVOzdvlb-VeL7zIOSWHE+^X%LXr)!%w`LoKN_wZ-zpFwqE2qKB%e;iX(pEu0AzkuZ zKQ_tRq0wq|Dif|9giy+MZ{B)+!dc9T}$ zvYHps03o>$BzoaG3TqriBEBx1lOWOf<*bnP{EYRVBuEq|LE4CO66E`Vl@LKPV>GiV z8bMZ!raj<)piC}?l`Lfv7}@~HxQmnjHD&T|Pa8WhQ{&CP4J&W?3NI)6f(_dDisNrt1=Wsz5XpIad%5rPDH~lb=AWm1O-1g#@)_}@!$BuI^-iKY-_=;H?J@UG zh`NRLsjIr}b0YJ_KYAQ?t%ZFncertAAN6vJb5(`qum3XHO!?uT$lF9-x!S3dw_0MB z%j&dCI^i0}lK-`Lt$xsL=lA1l?^`t0HwSCzS;xjNSl&~B;@MwFXUo6%_lu^zCRD~4Tqo2CQQmM6`tuP$ShIfSb%n756?tp4xMMM5no!X*Ff?PK6^aZZ(GZc&Q^g34uQ72|)$>mX@Av)w>&$WHARMQ2dd&0nT#mBYZ+?8C?BGC^|NIE#X zuc(xcP0*l*&bZcb38xc_>vJRQPIC|-$p`4GVQ4m6t2?8$hFR@pIrSOoyCfvFr5#ag z_T575SaB@R?hya0V0LNIdsk_?b&qa0IWDM-OuX(deJI?}!dY2k_u7Lx_k5qF-sX() zNY~Q4W~HR5J{t2X*Zhr@h#5{aZeMCTQ&#E}nud6KFjZ_oecHVY> zQGY9^oIX)U0+(!+7@1gkcsub3t=aZ3*AGx?^yXa_D{FY(yrewYf?WnH$8xzTGoVtQ6+@>sZM}L741ZLCNd*m$8y#308LN(2>&F%6O_} zVl=?%_zxA!*--Y9bGH$>6`bsq1cDmU}P{mn=-v7=R`of1wZMbe(ie;--m0r@yIl 
zei4_tY4~JOLd~K47m1Ul^tj|F);QT+rABL=5~?nAROjvSH+h`MC5vFv|QL5nakK3c{d**a8(Im)Yr zl1{cfn#0gV+eOr)aSQ5tLa_Px>z^&JE;5k#RIux>Lrg^_B!?DOhr8U!dG%yI#~{h7OXQ#g1F{^?eXv3fN7(lx+8L+H@EI?t?Ht;*}Z+csh7(wyOtVyg^Z$k{vE1Rr>%cLqvX};@s?Hx3Ssw2z<+TJ z#%P*u3HFbo5tr0P8(gjOj$3(!r&0@N6n25V#r@(t;5~hel8^H|{Dih%I5?@S{DEt+W`eW(%Fw>q3KfE9^bCb5tYF+!$K1J70a<28m5< zWsF4AD*8Jc>Q+I-zFXT~=Lw{nhj1aR{2q6!Z#&}?AGiJwoTs<{?mhIo*0p++QJp{5 zQa;@b&bx9(u3UnZ*m+Zc3$c=C!NGgpy&JonOER0A!V)0d`NKnTCCHHQw1*JbT_iheSG5ErJHy2z9Ia~TOW0ItF@8%%i zyBDaHoO7i=;6s zc$J>+`(YbbeSQ$R>&WMr>!%OJeSSzd-t##&>cUM7^x*2Mp2xI%tPrS}EP5y|cE{^Z8^^R+s366MF1JBSU0L|L~j6tVzk5 z3iPjEozl5anfa4ZBP$p=OCF5(B*w8%J%}T2y~E&Ku5low2r0gw$db`!WYL!`JSLui z6t^=Ou9AvxbFC4HKdFt<7;$tf6KD-iufdGgD%FZp-yWzk9uX_9(0#>OtZ9gj*G5TN z%8V4QUTL^Wb45+T>Y8n>9!}4&_O2Uo>!%$1tE@vVCLv9)Ihmr1dEaI=?W2ZN->lmo z<(qf>RcQdq$IeIjRabd!I!ZDyDhC-PZ28@|MO4PKiTN5q8)rA_Sk!TKzhFdM$Vw;2 zcb8%>`qjq0)OI>)EE-Y0`s3~F{`3!Q4eOuRX-D9{)mQ6$SsNX5H9;echE%)~RxOgaD%v1D2TBb(C zJ>wug-m4#vcaeUy8d0Wid3*JC#q zOX)_*MBGtcAM=JAx1%iO+J}`Vcuj~>C#p8z%8T8p7<2fmcW~2oDF?a)tv^hH)bCzz zV!F}LBW3#Poauu@&W}y~rJyHQ0&nb6jMrPuv*RuDhCmkDcs%iwvmOdN-YavUegjhk{DXIaq1 zPzFuRyI+(*6GOg>F9uDnrQJWE`iHBQ5@>RIE^L=1fhOndBH_HOHYd4zd?9FZENqt~ z87tWrwoAfiaXNCl`i&9 zbJHNDgx$jNK7t0)Nvqbm(U-Pb;1nX`nM#mMrczLcbXK7{oh-ydLrmOcI9WoQ_VLJC z=iE*xusv(lIfmpKNn}k!-6Tcu!Oh>NWZ1qh%=fv;Cq|#h=dwTD)3LU58|qi z-oB08wT$2NKMTfdzqGSom+|a774h41JJkslgOT74r&{q&npymeQ- z71*2XvSX+(aOIt`M)PcI)!sr+&b~}UKyOmtea*TcRG9M0ciUbxQOU3UEF$UjlTe_( z{#3)e=Rqc>wVv$`uq1nZXR44OSk!m zx?^~@4wRX=jww)k2b++xaNe`3q|=7V+xnC}bDH#0Hzb*Tc&_Z@r^GYhxHtbp(3Xdp z%}#Z}*8Jfuim~c%VxDb42#XG>=_|i44Bt?1%{Lh3Rl)k~sFP3a0U>?cWGu7k_6>dG zZ$y3uD(cFn=|b);Vww-+4Yyp@O?q@)LhiB1F6p8}KR$>D_+%Mwv#zvYPQNcDx5Gd` zsYxfu_%%+o*?^~hSf?dlqK-YhZ1gj`uC%*g>s=ULJA#S9I>G*>(Pq%ScTHu}!_>~h zz9(NuuOD@b)yb4fuD(JOrQ&ke@N4K3Dq;X(g<{;g&Af8ljS247FEsy%J5ne=xRVAM z_4p1h-uzYd%dEVwiLL-B`6v_lM24|^d=KgxW1H9j6+{)<%;;ev|5$k zzVxe&8+!$z=IuC{yBI5zFIkY~DLeFQxBSHHWBnjv^kElHBD?c=B#0P2h);?b&dPr# 
zC}NLu$==)#I)lEMN0w>^p3irA`iqKRUQcAwrYLt}INr7t^07jQGVI>rT0kpjIE2I~ z6NWZ)^jIWUuubJxpv5-X%I2-SUyxiDn9`=W0eMSWws?5>{%{@p!5W2pjT&5W*;}ox z8A_2-I6{VQhaa(_*|cF(asfv3XIQSNrK>h--)$2&h+ zb1)gVwck2hSSUl*b~0l+NQXuhdZ$yT5t=qzYqQ@Uxb;(2hgyu?uY;Fx*|)>0_sdZ8 zzVt6&OG0rQJX;f5n4k(R);GNJ zvuOWTa;l*Cly+Bfjo08~&pQbE1XkuOq+v@zf!2W0m#?39wf3+6qe4@9_!|wAz?q)d zDd(~8r=rf9v>9hlX;f~Jt$BJdvti_8_Akp1eBU4au^RFVvPT(5QE^w!%ka!bcJqH+-Ysih(`^e;bG!2?<+`5y&f;#% zp_A?7wQ6EcM~zQA7O<6CV=AykIO}7CXEl;nD|iYwo&MY-hL0}S*UoyxwMpKrg0V_e z2y;0cN5x%MjW%Sj3%_*5I9!zaMitjyx5Kv`*(7yO8&+?>IUM;2l$5);DeS)Pa7A)_ zH`+2>$?S5VxxVgsT=xn+3%70$;YKa=qi`A~?`PKp;$Hr-<=%PIHrI=l8I2##pP<(x z6uVX6S6o1QA(&D=a5m;VRAAFLbXp&H>qwe6ZHFj>{^F?7lkKJv4MDpA;W(}|PM zgZDCq2aETtIeo}?UE}Zp-JM7LE{)4G8hnj26R3;Zm0kTJ>EzdVE2em}3Zs{4H@_y> zZziK9?=)LdKug}a!R*CiCGWCV@tfG?nk93VFDhS7ti({higQygDz8~atmL97R$?d= zmH!9CN{$(}oQIYii>7d3wB%Scg)>jAY*k!Ftn30k<$qy-d%1B%`25WZHdEjMZqQ0O zO_VVNh=3(m3W4Dia4%LjA^@AEje`T=N>H9n-c+0(!P&l@yn_Q4x8W%quz*9F+Xg#0 za0mHpvS+|t9Xu9RRnFht{*w_L&@~Rm6^-D%8+hy+?|`j$fVXeJ0?u4jCAqwOVNd1! z>Fwp_Zy+#mO&Z0Xzk>rNfWQVfynsX6-3B{2bDfps3iE}9mGjrP|6~M*yt@rA;DG9P zBY5}*%-_s)4%M4u!DC@n<^1*Sf4Qtkj)%jw<)j51b0Y^E2RyJ}f)#9Fg9NV(7POd? 
zE6ho4LqPppI)VfG%x8Nlmmk3a4d-+7H#VR{l9cJ0Kd$Hin#)O+OB?VnX{Mf%++03e zOu5XmBKUG>a$z|bY;-Wfch%RE+R9^oZ{PgQ?VJCJ=kLEFR{jN|6l&av`;yVT%i&9A z%c1x$S#8IAzhrk@!1d>JUUlft?Y<1+MR|P>*FHpIY>E8^P!7Widg01VF8SY%(=d%A2OMyRxW~`8gy|Y8EAA0m>6nPidncBhl(KDHrujfE&icWI#utZB`o(@ z6)L#y@(&_e&ao;KNZ|V1h*D=wHD`qr{dJs-+5+0~bV z+?s%w*EF*!OlcUoFx56%%6(o&MbknqD6MjBNqiB~A=K$;)5MdeQB4kqs1TG__U3P` zhX!gI+NPpF%HGQ+%(KO0<;AbaN%?lQH~n$=WYmQaR)%)`%689>2a*#JnuAA-$2z?B zJA1X*?yt@LD99h&19kddLGs z+7fji&WRAqq;=#OEJY0tV0v9^5hM`ZX@9ZwBmm6YNWB397a5BUm=2gv*P zrf-xBuCgbqna@GOg`+D0i8;D}X6i!qy_AwnM=x%7@kba$RB3fl1qkQl(`eF61 zyx}V|yNYjyujVMT&|4i%v80kZRDi!GcS5{8s))+*Cf~!0t^pdX_PVagjrVRUUJF`{ z%sb%gz}Km4cYf`wZ9|wHrCQkRHTTQ*5KlVuXiKB*4Bg5N@Ln86=;PXDj>FGx%kbVs zKEc+%dC#%&ZNeS2fh*PPHA$DIHaz>tV-SMeHGGF|?>5yx^ciS3j<~QL3+GYtL9h<8 zQ)lYhZ`3bMibOt-ILLQ6DDQ&rN)7e{Bij!LcU@83W5OO&75Ui+0V&xC;v+?0JPt6* z%ZMmf-SKFp`R>ZBqsG^}I3J7u@wv&7SI$Z2SS*XpD)HnvQJd|TDG_BJKUuA$K$HL| z1!y<56fY}Q@-EXx39jF~l&81hRQU4o9iC<4J4`&3#mZ!FZVIVzI26uJu~%rNG3Grz zg{pF6%m?;`sc^E*l56SmHfSoxP$;7WU6dS4$|$XvxfYdClC?^%g<|EjR>`q=TM^hS zIl#6e?6ZVzmKNhp*XuJLs?ybc-g0XExyo`i=rLgH2CU!Ix6kn>X)|YfdlB94fCrE1 zKJ+>GL=(VB4uDO7oq#z3PXdyJ$rDCUxWjTjf0D@)APt!H2D&CdP(U?+LP6j6>;mIJ zV*7mf97rV0=T88uWCR7AnK{s&31)N16iS-VfeX{6+TrmWI3)!4q|YI!6hS?4b}a{n z&-%pnS^lg~1Q@jdK>=q@7pBjf(1F|1rP{HH;4xj2K8K)E1T6UaG3`s?a{&C_;MGN# zKL_xHMF-jEJln~rXW^-iGslG@Ve5EM-SvpIm+!2)AFzI~QI>+ys|2nslJ z!M-a{}^on4Qg;x0yqRPk^1E8y#%s0P+N@I9&tyuKBaxQh0|%(n!uc z?2N(J19JY2oh|7OYu^3ck(}Syxh!_BdKllI*O%4XpFdcR8z>lk=`c|Ey(@m;$>cXa zZV0088;HP|MQIb!)bdk&F-mZezlDx**JmqUYFi}-8%6f`Ftg_Rqr7!E5z{AN+^_2L$c8I63A z(AQe^V(GBD$wvil`C^`Z8I2MK0^b_BUr8!8ZV+N}ZNhpGGf;e5{27hhksU^Fw^ulc z5#4nQeH-*$Tzxs!IyKyi0#}|XLW<@1)u2OG%Cc5yg5GjCh#KnIGK|`&oa8H-Gpw(Vii{E?Ckm zwMI5hH`EuM-@N}R*DvZQXq&JcTV*lG+eRUdi7=pgihWo+{bes@Yp@x}(M!eY(W(oF zFc0g{Fh=UpDt~8TI&Q_M))+-M)O=6jrGNb~`C1}cD}aHc~+Dm;);ag25EbCx*UCFVTqD8kw3c^ z1X`$x@0uTNJY&gprV`b&B$&Hnn(`^sxMq|Ccbn7HjUE z4}72e{BrnU@3lAdRPs;vK%P43HeBZC<)aOy59upa{z2@@W@@84cXgs=r8ZV^TXbTi 
zQVDUDi|y+3grUQS2{D%gH?H10K75VH_)tE;u-4j-cjS7d@k7N|G0N^ z`Gv1zym{&)E$#X4T82^S%PshD-ovVX=6E8F1C5>9nl;&dF;Pdk4L+$KP&O*RsD*hQ z65G&qqdMwJRA8D~(cAMX24~_PUG^)vvpQ{M=4swYy|1-`{KJM>0XoX|7%NNJv}~3W z<{o-m-3e<7e;myY)!A{;@O~H17(y-LVW5j&jn?WlFSlR26X>!k!cRs8qq_5r#|Cuk zL*u<0)9+qI$6^{EuMRn~BPwb0;jE4eMJMCxAD(%1xz6&4b|SB+&tv?}?O)Az=DrbG z9f#*zo2j+6>SQ$jjSfA^X4-Qpu*h_|&~qt3;Y2XLG zD202Lwpq@WSz?opFSEC}oQ%ms*>l-};-(z#IfbDR?g5rd425tH$o60;X2#cYEiJPI z*&d1)axO|2@-Ys0(R-$fXgb@&1s1*M!aXz4$pKR*89JkwGau=1?%95eeZ2Y6mdv=_ zbv?WC$6use%1p4M+uUp3I{xwxre&tU9l$o@0xoSQpWNY*907@NzC<>%eBL@OL(E*@KO2v?-9RVAId7T)r=m?;a zM5kcaF$Rx!z=Lm8-vx#oVL%15J+MFu5B9*bJ>W+*f>#`2TAl?|JP=6XsUCQ+2QVru zipGHPMm*3#u@D4aBf)>rNzfD>zd=e=(K+<*lFa{FN#_5O1N*;{Lj{-T(%ylm&=jro zAd!ZfAOfMq`b=n1pRNy<(2Jdyr)Bzx9x7uW;m|Ep*@sWnrt`G-2bD{X+PXq~eW?{l zk=jr+pSe~V7shNb0Ldnl;Z{jAz<9IeFfQ$fnOVf|<5CcFnDZ*wh+Ce+>M{s!qn^lf#0D&yJa;qL0Dz1jxSsyl1RMh)@s z8@Saectj&)Qq6>^P@+U*laE*}*<5t^T3J_Gfo{JOUAG+S*L2-+kyX+*!ik2U4PHqz zv?7C@5HbM{@(eN}=dD(2n|=~pU4brg3mG6zovESsoHBK*6A82m84j}agotXWUkW*> zv@xo+a`xSR8?_~(e9O@i_>P}r??d+wq8X!-&x}9CH~yOFuSl-s@;r61K!&$eaT8-k zDUqcNX|#8xJtF_t=MUV1L_KZxZUhUlm|D@tidw9D3UMy?A~jEKN2>~y&Fma@#nn9s@zl3`j2|M>%C=DRw`p~ti+x%94p6HwB537PeAn%Ge*tyQd_`228YAO2 z&yDBJn`lIpZu%23soiDL*4hjVYN5xdw(~Ywz0xr^NE9}x6{uj%T73p>d(eI)pe|`J z;A{%piRyHJ86RymX=Z!Z$EE@wncaLV4+vAAwY2P1B(BZ;Qi~AdsH_XySjH{-MN7~sg+$G|59}i^f>$}QF_d^<@bkF#W+&MaN0aCgDqG%u3}in-L?y{z(5L*6;ZZwpaw0{raNthQw{`kJcc4 zG&lJ8Gg*#=7H)_O5=2!37H1I2(b^GX6n$QXi`p#5pYh`O)+9g4119c0%t|Rc(}N`s zgfR39^1RxWeF1#{Tlq;Q4tkNM^yY;wIv+A~QP_R|*Ri;e^i}&aPd+a>gQn*9inF1d zITu(4OUYEqM+r;8ZX=ihzs6hB)}>ClA(Iz$8Bwk>x`%Y&h`0{){CW3Yu%5(q=#xDIaX7<&p8>p$u_DKr`Jag8^Ue47iYlw(EQcdO-p@NRyJMT7w1zGtu6G+@N8jbCTV3H8v|y-=hW6|swE+T06?SMZ3=K?+jNDB+A?J(GqkrwbQd6gUnSTH?K z>Qy2k?P8K8VXQexSY1rAB#Z?-OCnjouwN3sB8$)|pRu_TxUJWGaIfTCc49DEdj z>SB^5VXQexYF$jSB#Z?-J4dph3?2x{0A>Nnl6ZC&W&w%@>;FO0DEQ${C&oGzvDzfpr3~YI`IASoqXG4YMSYH7Dt;i(!^TvH)pem<8wx zU^XT*5@0OARY0{s6o-km9u3Q&K+z;MEdkWEaexJC@EQdOu_Rd(Y=_U6U8kvb25HHf 
zD_~jDwIAN5oI_d?&jPT8krsSgSax-Q6<x1cmNZqqlxImWOIBOKNI3~+;U!A4 z;0p6B31$J+l6aOhOb%Wx{pQ)ld+%Q>A>353h__MgX_7S2yW1qqXb2inoXEn zwM^>{c|8?Reqz0HtfzaufxCBOqxP6LdkH67qC&k+>?Z}3fGg;Z7wD`V(K4nLAQHDk z&>YiYY~5}G2}5BBRH0)^QLApOs=OvoZCVjdv|zXz#V;wt`aG~!W3=JmIhx`Rg5ntn z=)heKFCnPePg_=^a=4mqhmH3>p$SNs>Xks`pb<)7^qx`+LQ5W5(d3Bt`XF@FYNF}1 zJ)|YH>jA$yddjMU0m>p?F2WTC3hTT=l$1-VX#_B-Mum81W#YdR+*GaWY<16&4*0R2XQ$5 zRxMX#M^J;flFd7!MwlWyMC3*c`k-B}=33T%;L1W1*N=MM@jVJTs6~{urKqlX7%m1S zGib@X`Z6eKxOx|xwN^LTsa-_)PzwnQqAuBmFn9W4_#F40e3Qk(`O;6QwwJp1Wq_6? zqZNucm2*$uSwAeYFbvbvOHH%=Th3W1Dk!Vv7O(0cf>EtOL%Wl>e#c6xGo{vttWLdW zU<*X7Z}y{SZWh(&)n^So=<3OTi%RsNl{Vy~Wg`k{*E<%45))URRC`=|RLZ)A8E0)QTx*Dg=Wn@BS9_e-# zc`RJJ_&b8?!Y)yF(Xi`^V%5?4B0DhQtQ*CR!kz^m&A3mm3%ssHjZbfkKESDW<81Gl zTmaRa@|(9A9e&o}Urj~BaPE}-mTjHe*doEJrpiYf{ndAHusI&(Z`9K&QpsVl`QvDoLd+@8P?Apjz{~{^W9-LHsGpYzDzO zBtA-;LDMQLUrXJxDl2vwv*^2DSW3xul2??6LWL5kL5YWQ4k;CnS-L_FkC1Z*P(JNr zD4h1eWuMEqOL3`Jl=Bk>uP7He*iI_uoD*5O7M=FVILkS!vd+U)pwO(<|17?}fLokz5UIh=Jc zCm8@>pDF-fm}uu&1v0@$fmMKPTP4Y}uucnq!tAO#$umHbXUUW5ur^ELTA<3#7inRI zb{cAD`cXC3e^47Kz81Cb7MA}v{=C9kcM6aak#>4seW6YZ%eDivXgj^F4y0NKl2l8gTh`xd?Qa*s;-vk5 zfNr%YsbY9D8qCJTX#BH2?;t(CK4Iv}s9aSOo`gEiA(<$aq zF8QZ4L%3AwG!J108LUouguvXxL;CDzlTr!$YXkv<9W;*|ECG$mJLU#ogy#)N*jYeB*0Jq2dZ; zK-5Lw*S4DaD*TFlN}Eup8Va|*rMc&Hyv6$VW))OG`cK09K!=pE_LQ*1Z<=;b>%Jjf zIGnk<2rQ#2LV*E-C%fvfzdTVXrNv|K2p0R+bRCUI`eB-!{&P*Mdr7hCyOe_Vw$^(U z>>(c?MSMBg%j|mQTi@2)Gn2jElL8E#*h!fapNTdp6QeJm3fBMOZBV2?>@EMU895~c zxvJ1k_K*BT{uqp4=t*^y*O3l%fgswL(A&PR#7mGUt9!nodwos|wfgkc25{CQI;icQ zQ_Dbu!PTEby|Tje1P}SPFO0QfU^1;yX2{R;U z@@Y>}C5r_kYj}#}1Ew$At7MZ*rLt`-)Z~d*8*cX>4ZQzBGw5R$gLi|B-e}MASd{Y$3_m_PSo&VFq5SXO$Lt{?G|&fz^{%p9Vz>b zwKqP;1{uc`biCPe;>~kzB;I<5`|I+{yLNCR9j#8bys5E%x#RwD4YiQT4O!)lFXFNc ztS}a@cidRlvlBBE61wU+_3j|^UFlh_^qL{Xv^vC>S!tC*CW-#$s)u%C4{lC4O)(3_ zA9gXpma7n#6_VXv|ERB z5#EyMmUGUzI;YlhkW2*g@D|W52W%pkkGFtsIe=Wd5O1&5aRRw^A>IPIrG@dfWX&>3 ztjx^JF1&dRY%Z8~#V+C58L76O&}9Tjb{1x*by_mX0{6i*$+BVr)j}fXuyPBal7JK1Pzb&y#YNP%GFdMW8W_1{dg-~<+ 
zK@@*SNb-|iN5YDv`3G&}HK(W&9z3Nk5|w|-zrj+zxI`gA-s)F-jW&vxcp0SmT|0bf zMMs{yJb8MMFj#i-vG)KtQ?iAighTs^)`|1s64a-FTA!XNtX~~!#-!LFEyku0^9&-k zDbxu{emPH@_NXrOxmJkd$T~K=Fm1&Yo_b$RY)vBO?FBp58nl<#M_;i`s)>9MDgvM0 zWRosKy&mg&A9Q3PqsDs@Xa{|Ixckm&<33qM)gp6fQ~3IFY+UPc$t~?g$hc2B-o5en z`(FyiDLtj_=l*_4n>N$NXDw%5Z}|i=^A+>D;ab`hfTg&Gt353EzA}Vf0A)m2B-cS@Z8;us~jwga?@FQ1FuTNK+Te5Rx zGH#5Xi1k20yCHe#ms=T4cuqRk<%2A|5D_Jt5@1lt>Tl8r(LVG-?5>o@Z6k=T|NcIB zU5+dD-q+{2_aczH(c%yv1g$T9bx|}fDQJs$4R-fRU8tXpp1;v&SG^a)B1{1~AiW71 zmsmfnz#eo$V-ruw$`Xku9YTC9=jd{*OWq$QQmbXWM>QH?ut{>%zkI|5#iTG&arHEl zmAWIA-CUA7Op!SyDB68&73ug;2x}&Rs}R+5Z995Fvb18ic}~r4uMV0g&p$}|r>?2} z#5zEw$S-VG0F~_x_BoW8L!`^fp*^ze`I=K+J`AdK7z_Cku1`5gI_GEfGR#|Vd}<4q zIhP$8epu(GX06>N=z59!1{a|Uj_ynQXxE+Zsy`vL!~P<#S83ZtR)6-wXM&6h>-$pc zeLvK6UtA9fUX#x8V&e<5V0(-0zX3)_I{NNH7w55oZpf{mUl%1?IIzEzM!^`B0=;63p^1pX~pZ z!Mj`yX`(X^9K@nDql8_SX0gk950;xz!cd%1y2L|iofEFR=cH5`g`rp)#mohQSWCrP zu1g?@wM4AtTv8eZ9I;$K>RgxRus9Z5Vu4u8vCw=#@*Z$5wZx7$vn{s7Zl)($Vsj4d z(1IY5A2di5v}idVCR0jG3UGCSgMfskT|i)6LZ%>s1u|M>ER9J7dTZizQVU$~BY{a2 z(C7f{nw5fMS^!RAUu#f)mg?XzjiUHOz@fl60DJ_1Mgf)rXkAWGg=uu!`8orn+d(u7h_hsA z6?O{1M%X!Bb=oWd8DT*j3jiqWdI(E~aT2jJA!oWMGb zr68b1?g#)fD@>+Fzzqw?^mj+V@37XwLeu{Mnf8&$G){#I6>lZ%l5cfrFsWeDs)GfZ zY|59Q5u+g_7w`<0ut2|#R2i)oFF56kN>d#?^+zX2H{)C9pxGa zSPOKDYji8{zRz;*;SrU)Y_$9owurrSN15(7!PBm+)uDP)h>(}B6}Dj=#2pYrxuS#` zqCH=TKJWYXQqWF*^yR*Ddp!?`IciY7@ZNth)9I{B-LX=4p?y3x+d~J3=niwdO?D11 zIh~9XbDXkSbHGNG(fuRG$OVt4^EHVhpU-Iv=$BkBAq>9|*Wcn=^y8A1+83XT0x3;R z(r@$LIlp5pP!Vt3>}`eEAw)#A*qkl=n!jh@=UCfT7Bk2r>}lb*u4~CJ#w>5R{9^wc zAopZHLX8!g{Nq!@`duCIcX$3AjNhmDL_c6f?SNcoD-lYhMSp+26*7~$`$NU#$%^lC zelJGKe^%OQPY4XkA*J83qj+@2hFs`gZ@Ty6SB18^^5AL2_m2G=tqK_-Eo$~j!p`n6 z7Kn8VCM)V3(@`GXguxKz-H)zons3{H9oK_i^xi|oy`qN_{LW&DkhF@49|N%%^O8v9 zT%B?SYNpx+89VxOAnzB6G!-FuDrt8m32!*#O5{(;@maqjT#uQiAnI0SH8#P_NIr>0y^JAmk)lFCP_-TYAf>tmCPaXVs-Uc_OS#Zw;p>E@}$#Z%aM zHTeq@Ta;!#;lvh(vX@}lnNJKQK5gsbq~wj|dfQKGHC@;fz(vtaz&Qp6nHHM~xKjMM zYnL=nanz?=P+inK#X-Rw%SovyfPE>T(vezC32{El;2^-hX&i(-rT_NH9ggEmNr7Aw 
zAVR=`z)%W@qCgr+1gMd-I2Z}si2w=#c>w+Zzy$oIfD3`q6aXT)(v#2-&hC@*QZrl# zviPLRs9Cwv0UX=^{Ubcgh45*8ej*CyLO6>LU)|^K?I1ffFBJ9H@9n@xIunP2FYPcC z!ufmn*gkh=2fl-Oaj3s|W{3ID2prhqygu1J3PT|r!H19Sb7yuVa8CcX&+I@ho`FJG zmIMe0Ouw*$6hxo^bxnIm0jmM662CyGbZ{U=_Gc1Nb6hxmY=;(b;j~am`Q#29r1R;J zoQopMmEh`57AhTpM*0sG>XzfX~hy0 z8&{QRyheeHk!zi*dl*>W94S|-#&!^tG`sSwGi;TVepcgF_ZFl#PeOaspYNnTji9&C zJ+3Xy9BMLxt31zitRZj6Ql(ziqGK3op8bWViLcSI=+*Ji+p5sP?Ba~)Ta#sSY*vaF zj<(tL;yv3pgyPfR_-t)&;Yc;mPDNI3Ab2(BU%8$2RyL&ldMzKJeza%1lCw(9hEUd= zzM$|kMd+OtKQlh$Dh$=;^lDwJ3#H>0r=GMHGEMmQ{HDvDg5i@R=}MaIu7eY!0cFLq z&${iBe>$~gYaSb&>RkD4s9INbU|nxWzUJ!Dj}=?ZK6jbl89V;4Akh*!ywdCSuF=?n z=pV`6{`q{=nbB$0dSN)m&Ks(N*LfJdz%u8k)h?|^hy#II)Iyy`XuV49GG&O~&*vVa zjbvbg7J{0$@*eYmk1yYGB(-N?v4D9ckD!WA02L&P+W2S#Q)6+^no%pppq4v)#jZi- z@9#0&`G)SJ98nUwP_|n2+3SseP!DT~+6Na^zMAW2{<*p+LRc%>_WXfCmMZ z0O5Qd1lHk2KscWVc^3iUJRam-0)(?X$h!mxXL%62ToY*?&vLy{Jj>~o7|Pdop5-F^ z7`y57`@-uxXTYYV=2EUCkJ$|WoVk>XVpxiEkizae7sY{24hk85jzvHS^B^baB3-hZ z#I__YMc*k34=2^zEvE<0CFK7W00P_ta0f6Dpx-q2kqSdeJP2e!Rsekf3<39vfPhhA zB0vn7{(u3I)W-y5C^80;84v`F00shlfJH)*FgP2PpYCk>XAB6qZw3QFLLRse><{-weLd1i^Pdd$e za!R4%<~>%b5*CY(DRc~WtPCzZa(zZ9?m=&bx|=U9`y#Q|!%9n5U$_# zaLUH2xOMO{q@#Gu6r(4@ZCRMj=wEUxspH%!E8q859NN7OdU4c_b@Q0jCpo`ozf`1o zW+ihm-`%YbN1IQ%6y|;|cwEC$AQTtrL`6nnSEwW&ts1IiGD##;mN_U zpu`jJpPpiM?tg#BA(!^kr4+TVVK1yxdxou3Ci1R(CgV&tQnT>r0M zrEBG)1k2GHa2dMi|0CR*@z4qxj_qgN7T=xM9xI{DIq%`(SHu z4d01DammAbHtnGjrgn4`myjDUpn|lHlDeC&Rn;C+AGy&8GV-y8bNnYb9{`u~pTM69 zg1iEMCJ3tXE-wi3&I7B$T2nEw{^0k{L)Cn5#@m#zo&2bhj*NrV{?3p*46=mGA7Potm< zC=q0EV9EpBHxna=%aO>42R9>;3Xy;yIIZ`QPr-i=^hox^>8uUxO@xI%iqJQ${ryAe zi-B#3^W?ud=$n@R{yWe&E&u%k=p*IE>jCir%7fR3;O--E{v`>2q!>8}jW5S~i$HJI zmH1a!52(NZC&>;)KzuR4968g51g^nk=p$h!$)WgsOsxK_#71I&37JZ9GITEvj5-@qF{OsEj5F z`7cu*jW@R)2%#06el`B;gxW6)UIK;rkYY(ND^F{IxIwNjrjL}`H zOhll>h|i86vbg45M4KS~tLSZ^1YWx;cJRK=vbopR|Je(s##saU`Ep#T1k z!LHO#Yu7rrUv`-MI{E$M;Bev89oIr3aYSnVbJP8Wx$S<$(*rkD@yYp391Y3Ypf_Hl zs-i^h^pD)Ssl=a=xma|9UE$Q1O_orGF;UA3F*PLTyDM6U`sb@F40y=>$~ob)td&=s 
z_dwLnJcNuWRHkw=gBKCAtBUl;TZD=?3jS-2y>HX zc#{lkbTK*x*QFh3g1^rdPuwWUR!sdeorsD8!53TVkYgT~ImgvPG`xsZnK@#RWq6sE z`s2`~M^tLxeW`S1o5HvHJ&@QNjxexRGcdjL0|VKQdl{P| z_cC{24COoUGT4WqjD1{*M<`$)*FxQITK3~4l_V|dNa7gFTM{bgY9GEiRKsZ>&BL_^e@2j@&?<+@pl1IR}PIXFEHA8tuyK>rDfBb)gCTe=-kD?yn~V%apv zforP~IO4*UK%m_6Kd9l6-F*KI0gudb0OSD9ky#F?cR;!WW0Js~2SARDcK-&>k=uVr z)j!K!Z2`pr*WWD2kqdyNNQYaP;(#UxHhN~8Ef;~@A^~q+x#hCzodcfCa=+btzd`Qr zf!xzMkW)uQ$v`dbxnHu|j`MxW0=wh=Ss$J}meIsywD#u~oxUY|1d8l+=KKC6KGCHk zdac~yH(4PANGGet3r`9YYx;{P`zBoMzua^!LMGZb(iibqHOjj5ACXQi=d~Dgwde72 z^)16TUoNWVun{hEmc8p;RLu>>eK@(TFDhTa$)i!~RG2Sn z<3Jx4Eo{$GgG*}@t-)<8)me?sKP^!6Vw?TCs+JueH@(HmY+Ng&k8;sGtt^}WKH8%i zOJG%Qo@$9!vD<3zTBK>bpP=M|wUJkWkpPn|=kik3L)l+*0D zOrdKN7Fcsgta14Khwn**WaQ*vmTVuD1#8-uSUXg412S9N^$Al=Qc8YG`h;(Nu1%MA z`S%Z}P7UUVJ2>YeR)%8HD*_URic;3{pMKhU#_H$6j1D{^zm0pKaIoXj-PgkdO+Woh)QCam8vc- z_q~ua+FI7~8Po148;o|}fh$o~fx^)?Lft&kIKP~L6|0UKow{Bu*fzMqL+xmYX-;(H zb)HhiyaU17&Cxuu8_I=`N8v3d^?6>QC0LBN(rg}uAgfeb^^Jz1-WfJ@-yj1`qr;&W zBoUB-6?z@-Wg`>FR!GRO%E(-J`11AI2P;&os*Ge#Zf~ zUH%1-*~92Ay+IN<4@MQxXKWRNpuXQiCL0JY@*kl6sO0p*P>!I7B_z#GhLq*7~u zYGiB!v_|&ZEdsV_ryVS~!Byn{aoLR`umNtIv)uh-*^T0@)g8o5W{r3MKzXBxY5)u8 zjCcP)d4uB@`1%>y4L+*^Y$E`J+6=A1)C5++XImN<9$G1gZ-0r_VA*Xxu+7|B!9gA_ zJclR2$@<%DJorDvY%>?v-wBN0351H z$%4Jc-iJ9o=8#SS<~&1NR$JaF-kcu4Fa#QU#o*)eE_khT{&+CTrvRE*JCH{`a9pY{55iUjRef6sNQB)Rqrnp&V zPyX;%%>z$N3tz7iEd4ShJ>_MbLAzpfm&Y^r{f&s{899ZoWv2QZl^ggcy3*bop6y6S z`FVEvHVAuL{h$@j>9Z&ow|8~x!g?f~=)Ac`r19xiyM1y+45kILbPwFWDV8uLx3*?a zru8;dr|v%twtot3ML`>TXPqT*O`4JFh}Dr}onM z2)LIa@7T#vThs01&xbfQRFYBZDMkz*^($meLP8H}S#c*c;r99Zp0)DfN(e-%+YSYv z#i#g-JYYu|copxCVx{IG>M|ytr)5ua^}i-8!sw|MBlv+eK-t@$IY>=HiYNSnQt3I) z>uM4#1O~{IhX$3v!?4OID8wrzngLa$Cue^6^daN>yss*S%T@A*F1q6H^M5j^P=7OY z$*cCh;8U;U9>vgsBaNHi18*wmgA_ zGmQ(WEr54qG zb~o+1!z>v9CtY2+rk8UT4(D)Dj0tm6D!t*N*y+fT_bqdAry~c2oG|B7Y#YmCTcW?w zld+9y+3+hoP`JEMMglXqjfFG{Ge7wX7Gbbp5eCR*0KMRZ!?aKaUq69-L_#mvKu^v# z%+l9i;I6-_lEJFlTGZ#-lT!chY zJ2oD^g#L-UjRJJRFa^@Cq|7T^lRZE73T9uxN68)8|B}0aM-sk!{yR=LQur0-wE6kh 
znSw#!bR%hHfV)To*}ucDzs+uc$Ly9dhh8o9^u#P^@S{_9>mi(7HfGSKDEA$euq>h7 zywNxR)7AJS*O8J|?ltw4nYTi@$l0i17qQ*7avee& zWOELgi0{pLBLCDvwuDL3vA^?H=41mcdgN3;G5<#Im!8S*Hi+(YZIECGIs+{rp_=s4 zftmep$c*WK(7-ZXiD3WF?(2UwUyT1-1p9wsW{m&02=;$rW{m%x2sY7x;lCBZGF+)( z|7-WvU`sz{u+UccUuNFu|GVys?!SU&SC|={($Cia+I`XeH=r5)f5(23{6|8J@U{N| zwK~+)Boc{0=XrmBKXK>ELYTO~$vLelDX650L?Y7+h)POIR}*1C@tR=d$bX<0079_o zP!nOWwzf7hGP0(r3HXg%4PU3>t{z_oKycMn7M?l6fCWGh`vKxYnx^~JlTh*;7aUi- z0~iEz3O1cLMVem)__9duNGhGj*^fvnX{L=V2>P)I26JA;?ya$K23HZMOxmQ)$ z7q2atyDP0Bi?7V1uLPl-S4n<5#S1KvYsJM?Rh)-aoFfLDRSPVFhX(&?3DOT}A`wjp zgY&BmUPW-Et@W=>cbY4u^-o_3Al#8_!MHdipk%PKHnMQY$!X3R9K6GMxWhRT+=OV7 z)a0B#SCX9Gk&NrNXBpvS*)cE}L7L<2ks~bb2E|AqZRCoH#Iao2A{!W7t);4JXGC(x zoh3LpIBxCG09O_4&bfv}9*&Fv!I5j7S8!S+r{IXDWbg>$sv1@9euu?^oH%<;KNe)w zm5GPuRqRJq)mm^ci(sew;o43d%Z@$E4l;P53J^4BX)^D>y3tjYSloAzR}phKP2?57 zt67Y^>YU8o-LKfgtIAacuSFWHMP4~?`>nB=?MSu=H0c8C+TA39|Gr?6@E9 zNcypG9= zb|lw!s{Garc1EtOR{S^(g8f(w(%h%3aFIaOmC;Kavgz>3CW+;6fhA5e*Z>*qZZK`G zbQN!htXf-0i#)$NPFLSIP;Aa(a7ZLxWgwnkEnCxo({JQZ5P7&Wg0m+c5_dE?4FDu! 
zp)<0xxL;5bS=D)UA`Lj>MwG6O?_t$~AcDA1)zsfFsB~qsD2YS@(^r@6Je>ZI6W+8S zd6i}c0G&kOKg0Aui2px^=@I`kDi_2ri_s#tA+ zoCrf~V8M)fSDY4K(nbuK-1tT;l@8)l9Idt9r+5$?&q==Yb=Ngy$=f@cjmzGfD?y;7 z)-6S(dCx7C8;&lANkm;ZGWw_4tUp%yxwn~thU>3A_>~?9V1p?1+!6pOyYd`UIl=85 z3myIKC)S>J+qt$ub+__d9t!g1Nqg4Dq))AGmL`aIkyaE1z7+H-W@wvm)wAoSLnTZ9 zV5umLn!KpNNAub3;S(nHYRi+slLF_Yn$IZD3!<#}=``_+Z_SOu$6xb%G(z4`KB z(fYHB#NGP(uE~Q2D!2i+o_{xYeRibK2ajyMgL=+qG5_-F@%>~kgzpbL4)<@J{FmZi z|Aw~cYYRcs@LT&!1HW%=b3ref+NYeZ-G0v6W+oK$k3rcp->K{M_ZMGAzclw9U4=cq zxFvUgM^`sN=u7t1Kv-ZYm{{*U0FXOKR7^{KJsgCj79N$BD-|CQ$ejHp2(;IXjt6KQ zitmm*^rZOSGrG;PSyRw9Rrk8Y`ghxuWbCrk8;RYtlW93|R>3-US&DB%FLxp(>&ciz zH{M0^1^CzApf+xq)#mOGnm3d-lv%Kne-PTP(|}Gt_dgw70f}D% zR<;KJ66HRIy|^yA7WqZ=_G%RI@3*D_xXbOC7fQ;ZVw-VV?J%`*Y0vx#Zb2OzF#W%1P?GZl71ph51k(8m z=YKzsDZ2ZWSzW|8N!J~K!Jqt>HT}OnURyu^XMqJJ97ahqBLVWj7|Yg-2*z*}F^E90 z)Ci0|zMzKBohv-5YX}`GD^B{&BUckG>Q{g5Bk7BK4J{g!{?@@)0@0*FmI&hn*-B1w zeF5SiHJ3?HiJvR*83YE>@zKc34CUGy5ZGQEI1wPE=@8K5rmfM8M{8u@s_5`70+=;l z7qCWV(8>6u9qVoUHkla_2k$)!nkj*|*L8H4+#3e9-hqP3OUQcj3BMU!vVC|mOGdl8iC9wwd6A`U4D;|C#m7M%kn1}}V=v6^ zeGj@GyuIn-Gdcf+HnhQ!{@o-`Uy|yf^B5WXAL}EIU#fRAJuj&lUMUzkWF4n|wx}RO zDQIi@>cN(o*VEb*GWgWUBfBCh$vVzs&qlN|hAyf9ObI03W!xZH+r-1in6STzye(Ms zWoPKgp3H-K>5NgF8E9DH4S41bzBa;oc2=kSJz~F1BgL2`eow{;9*kZda$-EOxe+Ip z85!b##rWFwXBi-4_^Z}PO_VY+t>4Ch#=U84__evEB&y`MOX-fgX93!_h`;ULhk=WO zZGVxuPy0&FZfn1lU%0CiMSY>WdA!Yf%oXmz_+!5TQm{gg~iLrfaK#S(x`ARR6Ek<8Tqv{lkQ>NH^x z2t~(K;@LsMT&t{f6^5{A6-6C0zj!HI;wzrj_djl_gWt%IjG=ZwUK>y%1gSAX7p|C#&oAB#oL}I^l_TD#C3jfS(|M>-ZiP3I;+}D|+Utfz{A#fNE*#yK=6tzhRh82C zIc+9ov*3qS=bSK?t46BpN3kX!b`K)XZC`sYlHs=j5G1n5*sDA&7WV34x=+D2+Li&C zi`B;cVC3-m%$H7GfG-K~1=R~E*t@*_u9wYr{Mucbul0QvREq0${_cA)4r7{o`Z$jS z6DoRpV&WF7d4T9D%hU4(nH_$=btb1DG{_MW!*43q8}1wb@Nd3(d{KX<8hiU7|HbT0 zuhRPKDE|WnG)(kedKLW*;8$K-mPq5xUrC?hZj0SdwoXUVy!L+hN4X9-3?mS)qmq5a z+DI4+aXd-WD%pAv6p}kR>%LyQ=26GUFgruTt_`Q(Ugd_xw_(Uue-NL3=5j-@RA|~q zq3V+*;ay?l&HzV*R_=W&HK7w?Zbw_+_u~@OxGC*^@4Tb~(A2@)P^nv3$p$@(8FQ&L 
zj%C-7e)yBbXY01NZbN^UkPpmk><<2N{DeW-Dns$8fhT}Bm;mIc{`%a~0H-50jMkNR6F=5xp7XU&bR7NrT>83gl6_tS8U$v2df#H{;g1ao;k? zz58R#ZyX#pl*p^w8-W52vBPg&itB7_v*oO2w|QEXKV0)*QEkV}1*qM3%usWmo*%6X z`}_qGICH<7`vWRrU9X6rI9Oc6chvt=x%;1q$iI_G;uZ+2cFL-${fL&)dx+L_f8IEWf!ytFVoWz~}xk*-~8>0d@gQr{Sm{~{%_&X05P8KD9FKG8Chna`#?3w%Xaxneg zqaJX0dCr~d$6iAfN_%i_Eos#FZ0y$>HS=qu_9N+CY;SV-~y znvDZ(ctODrt@3>%pBu*4ure@UV{5{MamsG_kse8p9{q4pI1eKwkwO7#_iov6>`{gA z3l!c%nGHJ`dEC3l;L=7CxlwJ0@rW0%HhU-Y(0SWg!Xo=v~F z69W#5^lKU^DRUD2wgN`w@x5Nc9eRp&3Bsm1JSBQ^6u)eFE8^&L1Z)H(_1a~tEA@3O z%#33*L%j^qr>W{L)D#5ZCkiY)0Z<-gOZH?-ljca>&ygX`Aq!+KoAdh+uB3M_Ii<$n z`l;>B3)UHTB94L=6BQG8G@c0s>ov-uOa(<~dr&5V53L~&%_dNTCvo6e7w1hB-RCf) z{hU4??pO1vwsb;T`Qlxlm1jOD2ioEKX!9zQ^17w+{)|c_nk!3zpWG_XiwS!|Oi~%h z5hnjEK*x}Efd{D{WgnrT;`#-`J_QumfAjVr$47XFZrE2<6eeIASOR&4u`Iam9Xi6z^)Lb*`NKiNw_eFG|c z1meIFVJCK_r}s;L7L;Bjm;U$#IzoX<^_j=s8)|*X=;SGcu_`-uM<$m6()-yIrqoEG zGGYBP8l^I3`!YJ#GWATgR|;lO`Gl5m57mO)Dcel+o-E6c;(#uF&AOtkf)X}Tp(nwq zmEq;cd%67d0n+8kfAjD?itBSen74J~5j50?VUYFPCSV%+8$|{|R3_0p#># zN7mQmeyG9zu6fj(y}SWc545H6#4ibog!J%7{3@r`%46}78ZA)lOEOpvGME|n#-$MR z--KtTlV&a#IA%Plo|*Hw+{sh*38s*>>g5fkpKjxm+5@?HeZ}8eiAf^dEsR06syZh|?gPCys*)fJhLia5IQ*%Y<0nBGqNQ zus-Bczw}3P^I1Xj-@4}S%gsN2m2mi$(~wps&k0-g#BQ-vzDlTtf6%h(t+y&PtYb}Q zO)lZmFI<=mI};*N`(4**kF)9Zct6y&pFjq)Z9Ip)f*pYH1__Xi??-o&(jBYMde32)fU)y?>kxH)8Ez*T z6g@_jTl;w$J(?Bsyxd&%qDoc8JK1oe_@a}B1_0OtA>xKmN>qEaMtSG*ojM)TYGm5V zG9n#CWk;Yq4}`2K6@$m>JjZbr1_!GBX(pY$%LS z`p~8+lD4t|Zrzt_%QnF`)N%<|yz`8f+HL47#8us|Oi9UIC2xI|dgrxmlE^{{Y^)2D z8ZH^6eS_C3C)G?Et^E~dlR0cJ*EJf7u}A#4_2txZZb;2{>t2f64Y9aa$ET=eq-N`6c;=iPs ze=&S_)Wm)Z!)=A`;#Iqs>IT1cql+lOwY%#$qf?kP?sj5mN8P8*Cj0VsgX4Zk1;KDyk>gINX`uS33KEbW@jV zy%0Yg{;I{$IQ6_x{m6`lcWJQ($+&J zpXC=Kb=KPNrvA!XIHU;ufLNr@7x}jRc^#xYc`+@WWXzrWXu5Q#Cz~%4m2dn42L3t} zfQolAm$^aeF;=E)*I_*n6lwZM#>!tMW3O9^md!)2@P?J;ee9O*&3TJQs=6)-wX@#A zH{9QG9W}C~4|4r_O0P}24?yOW#SCMp?U3YMhF6wA?dcokM*$seihU829Tb5O6lY5r z?Zy#57f)A+!4^ieiW3>;EV<{AgwRL4U*H`VNw73!@V-xHac2=@VkUbBcoGyN;~D&5 
zaZs-3@`ZIU=5a2Q#=3hHSjw|WN#HG{50iR_dpu)l?hX1(?TM^fuGfc|G&_A-D+HAq z@AiUVE@#Ml^>;F3p2XeU&*Qp6GS=Ca@jOA=UNEoYO8yU>ozIq@w(rwOWcGHYRafvj6npoN*e*zUv<|Md0zWrA@rFL_N2m)Bg;^*>m&-eT-*tGgLgz#Kj_+%Bi&-1x(~GIB1skZG zT9>BH?T)9q6Ewm0(|$(h(?lKE!8_E*+Pu5|3B=<+*#C`*O;piEl*A7Cg{Hc` z=nYuWgw(!vgo_v2@IPP~UBjnG8Bc z;qL>yYHpTN*Lk-?P9dkBHrCFn%YoWcIu=R7yacdge5g6)*j<$xbAG-;$#Rbmf4W?3 zpK*sLHP)!w{Zc>lw^*rI2V(YM+Rr(ex*KolMTtDhQkyE%z6;H+-O&;(*nsmNFW$U=w_=3MR@alg`tNNx0 zn*D1-^Wh4M(C+}f8n4jy-Q*1DS);LqLHX2cHEL=^Mkd{gh-ceTwR(_)LX?Qd^@qL> zBlTD`S8R#aI&&e1$U3#3GXHvI|BZ`%a>1=MHnpiuR&YC14E{s`Wn5SoIb@qcM9-8{ zGl7)GJ}}R8Lo)^fu?@+m*&Izp3j6Ye2W}*VbE8w{yWho(rwWOdD0F=;FOHFcu+jUp z?@Sk|fG(k|mV2h<>I^cdAJHHPO#7)?Jge1#WxZ9CQfE@z?n11v*8jKYHor zr1A0ly!`VIvg+$2nmrLPQ}ve9$vfgdXj5uypmbApVyRp)68wq&2eq1sj$pwCa+2XM z6=zb=cg;!2DbvR+J7&?Eq;KjC)n9-q@UQUnwg(U{R&N8H>tS21;*hhT7Btw;7b6Bm zPLguKW_uEgLfQy*)#89DHonox(M*psa;wcyJheP4dI&R~rTfAXYWVoKW-5vFoWx+G zag3*TJMc*+i9}|DOiz+?+9_fhybRT(YM&ZxZ^o}tz+B6gSmn~&Uw5&FpD&rhOTJY?`=914)B#ty_m}5Bn9IQv`vL5B+)EoNWDkgM`zNn7F5EBe|oiDCLLlCPiYVCK0P zWDGL7$;Ix8V(Ghc59H}zO1viahn=bWxcMQ{HaoPc&fnm^P){g%SOQ&d%hJRrG#TTlC0J`z3OJ5x`(ln`~7|a@Tpan#g1mYYK+kUcu9dx`8O5HNaI_ z_;7d|Zf1H>QLAq*e}_;nyti5+zTVL7j<7K{eNxaGfdllQuppVx_h$FI5%`i|9v3u0q6VKh#;icr;0nybhF*XJNf4W6j(+! zmPEvS7L(Z9)Xv!ytf^*?-!U>(B4uTHOJ23=X%^qb9?k0QtpSRKR(0`0w!XFMJaMEc zsP#fq1Jx}~dK(79b%W&bxUQN3gid6uJI|&-j8ov_$A2~KVZ`9pmg@orUxYa`d*M3x zy2>Pjk8X()w4J{Sj&nT!tWDBes+gDW=PU%FzAoo6;l_#Sx)R(MDX*L0sVzppOlI+VP6S_HV;cZ^yh)1!t2=_lkR z!rz48<}I#WA$lU6k{(e^->O?g0EpNCo}HrQ-6~Y+eccglhW^u4?U#VY;DZ7EKfi^@ zMK-$CtC0bwmb-Lyy$b^(+Y&!fyKczL_f4U9Q;8CoqyrPhQSa8r1>avg-3&{4eWtHh zbF*@pT)AiJR*9w7RF5|Cf3{O?Qt$iI`vN$p`OM$ivnH9k- znG4UdPIEHJULsQ`g7kxbyZhZvrtNakx6H45flwnGOb{{UVw5mN=kP2c3`}FhgdI0! 
zQW>;Yt@8vZguNYMkg16(#!i0=U+=IBm2km(UejrxL)?2XkAK8z)4g9a)n9hPH8-a4 zT5QW7=TZSixv$g*Mjt^|od5lP{z_e6H-H#P4JP3oP#Qz+uh-r-`ECn2L{gjL^BfqH*N3-{7OoB9l}ykUXJW{|{LhSRWfTPj zueXjbTM>V)da^Xl_^ocZQXEuGvVNG8!HLO^v3X9*Ez}l^HgS)A?3CHeuFx*-@YY^^ zDN~S*@^{&<3hn=*u;BezcqjCFPwng;O=Jt{2c4{?W69%Rr_;|=Em~l{&5}NOy3*gD zr8-1yus!P@S}Bo8`m1cmbg~GMu|7^EzWDo@At!(M%XDk+_VrI;;`ytBkDsT1Q*{dn zE*e%O3+uf#iVye&Ia-n#`ju#IUuT~DJtjz`dmtvMTrQ-ZQUuL= zTQ|m+)s0*C{-o8*AOGH^gRXn@tl4{eDmkCj{^=q4lpwm38K?5lC0TK2(DECeX?0Im zH^OQv{$pjs>t`)D#ZSGzvFfVW`6F(%M_7G0jeEi-xv&$lG@^D7{rcT&kHvS>&gquz zosxh*bJfDgif35as-f1Q)Y7+?VK2|0KGM}EEBh;!-^hJt;5hF#W@2DJs-B}2yGV1- znCkwd&DxKH7>)D@&aKzZBOUc!`(~2%M3Hg(CqA~i-n*dKFe#A3*|X?eW zi6wjsEsb0|Ts!Y4`FHq$gZUFl>G^v8U-@a!A zFJX^<2NE8#HB!M*ALn`!U05?$FD>4~LIa}# zdIC@hV-g@hD&wJ+X!|56%pVQ+An0WhNGl0?8#EvSfnuIOxkaElB~WjnKSKs+cm`Ue8)jH5O+yQV(Q(8; zO)<>=82u;=>-<0u4XBnY=FDA_=%VuGN6l;sqj_ZI^lY68j%vIk zgVAPoW|`b4SoNCJ1YZ~ODX~$>h6YxZzGsOjGnzM5;Gg(woD^?!`a(MgB7g> z$i~MW%#S^6#IC$hrD>^f+K3G%pb;pnz(uSC3LG9@U&95azlaq;0a$uKEpsGPQVVi9 zB4;$jff$v$j8@LdEJR4cViy+?gK^g&6Zxwuiy;$hZ4jlvELv{pZ`W0);!m^ErR zs5Mbz6LTL5^fuIChLp^sbpPZiSq!U}v!xjQ>FxUj2cfW*Q)tBa_`hT@g-k4k3$PeT z=I?@~s0Ap}z`>WP&MHH|CFpTTv`dH0N?OI*zUIMNxmX7#I0_7FF{twf z8onAJkb3_(0Z=W#m1$IufJh?&DpMxF!w?)YwAP^|YeXPX871YJP;MkVp)eYNrfsE7 z_=*sxMlVN4WsF8EF&LStpt}kKCsU>Q?OGOG1HLN1G&?)8W%`z;zxXm6TNn;7Uv2D7 zL$NMsh6LC%0NLJP_qjpUeWRQJS3_deFS1uD(6V30fv6!_3X_~P^k(IdBF1FrRErR2 zs@XWo6gTbPVNz0z`2rmqUD2p*EBf1~BEQV_hJNrxITsI(*|WU*gpG`Osck5HFs^5W z;s`sJmNFmrwz(3^eC1%524(@x0;_MHZ;eBF2;e?LrhF}g ziNWHD{jDp?!nCx}?iXn}HfCeuaymA4k(67Zo=+&#rJ&1iyp|c@FfQgL0aGZf{8(#03RqrsTMHWEKyc zh#a4*nR$obc=y4QiJfwub8n>H8_OAP45~HbqC{&mn1Y}%({M0*c#OaCjC+SxzsIQH z8%wgksTwO_P2}SMQxL-vJZLF_LjvlBdnu}FWO?)b-q%^mrP1ClNyHE$o&O)PNRty(CP;sJ1ANZN|`FW>5g_s73+R(1dQ?JBu zw19#TfG`pv+>NOH8!cKpOLoiZV18!5Z-)HIfU_@i6;_d{pFGN2%pef@LGxp-#K)ak zMRM;roeOZ550uMW%o-0JbQSB^=CPhpj7oBdQb^K4lI)a|?$BZ7Pq zl%4tglIVo;)N2w|dupR)sui$e<}z89Jp;3ouy=w(n(6Kq(MEK{W`Aq(pwGmJLItZm 
zB3!^^p+|C?K*G2IH>gb&*WLt7+kZ%(iE=A3Ih`nZXZNbp52~-x%jlKgpWYo+nnoRxMXSae!ucteMHI zZYUvyVfs@gn&aOmItn*BHc;&uvv6iC&7PemGc|)k3?CJk)^^Q&b!J!P{jkTtaG%CC z5l;-gMYZx<22JeYQ>jDV;utg_-R#Lv4!nX1`i+tzdf^5e3EVyIiWhm}ghUZMISm$+ z#gcW+W%n??P1hSW{z*VbEk)@TQwj`Nx=fbXLmTsv5r;QIdp1mR?ZgKXF-;$wdEz`I zh9GILd7iq$JZ@#LeA%7Y!4uc)kN)X3+5$PU!U&jZqoa@{1>nN1Sx?!`w= z)-6EqkjfFLMhTG#*@k9JM|5nPf7qGq1g`D0)Y_Q={%;rm9DIh<3u;2KNl0q zi6fTOJXk0)T3QcFj|9Z`f&1Oy6>J!FZJ(Fg3LV#~ZHs6I}W}xk2yRHUkb(+R|7O8e0+& zDhBHPK>!&I-LRegmp~y9LlLgsKyQaqTcj09RJ*`(kbLJjjD4_#zV7`QNzBBe_V)9{ z-W#NS->v=}`OO}`rV-vkGo9-B;sQ*K1?{u}Q5*25?lln;4vH?2fPaiAR_*iizi zwRcmcEBneKG}61dhtfR)v|bbr1$)9CzYuxw*h~YRSY1svdG@73;R9TcT;~-?XN*Qi zJm($~JNwrRq~NW|0L_D-L`uxnxF&POFu%oBczih=ifEc}sx^aZKko|Xv-pcQZwcmHTa!WC0>bmPvR(zx{~6+toZ zCSu9jbYo#95)3g$XA-TI)6jN{{i!Okl9>zA=m5}OJU9L>#bqp)f?CoSEvEe zqq`nN?7GQMYE%%Ve|$0AlmGj#m)@9%dYA)4jic0It>Os(G>ioADXGeXi2*2TS=}&29W0^MT|kgFngu}<$ld`ezNV1YmJW#Ru5(XMWmG`3L22FMmduxr-L8!=K`q_b_;|{uG`BfL^ZP>9KE^6v3|oD=JN?cwuC>huiRA zxNsP5wzXwuJSJX*QbdKKC7nS&irQU}z=VDrpC`!xuJt+LyNVSI`|)-EgntIFnYdty z0<%+UP|za-QrcsH+e^^!yS_OkSh)4`g((!42(l@rfMQ7hv{TtfdG8(}k9a=x=z04@ z7i#TI@Y{=dKZww*HQ_P6dfB86w854QWFhF}iY$Pw@hoDoMwaVMWqPlF=;^=&EgTmT zm6W7ehS(j4N}VcM@T6=lxw_9W9({r^u1HU7lpMP{2aNN?KuKxhhM#X_4RKw>5Rjad z>N4IHc+n4?e(IB-w9rX0oDXNJ9u0&wE2jFqczABw{HBF%$$FO*}+5u=K?OwHc?Sk zTP7{h@$0rM0?CYdCEX}AkI1}+o|IVk5ylbk|4ILP#JeCS(EwEqa%k`@Y{%{XtR_CF zzmmY?aat@1_h6_*j&Ss&7s$!XiZ##yP@YUMbl^>OG2pOu&w-=$No*a!!))VNm7l=N z!RZ`DGgd#tQcg+z{$>RwrwHyut6qd~91oA18OxA!VADcyE)&d3qfRDt@nFi+9|I2o zb4AfkhhNNdOy|S1P%6w+_<| zFoDv>n+#E-F~+aNN6d+)+@vhF?!bGc%Rq}aTvfP^In63GbludH4x)8=oH&Mhq%w?D zcCBIy3~AgYfF>+3pQ3qTSkcbvSgVU4iQOs`88BWHgY_rF1 z?^0|NTvlYiN^?LZ451k8f_XXri0{qU=yV{jht*6>4hnFrfENw7umJO40YF60Hr?JM znvrt@^%p$BWQ(ql&Nbu(E4n|XGH;HXsLZgqbnm1$%}Ca6wP#Aj0)30vOvxY*fhB!q zVq1{nldKF817D7*0|Eq*DJbSmn)c`4ARp6dJhB9l#{WHpS(8FXGL_RMUXBmi8euPJnJ;IqMnH~v5Y zR7an5H@^;ne{XQBo$XI6Tu*EaZO*a#vwtHS5WE2nFri`uXT?Kj`y^rzm|IcfMk}01 
z2&W$E7rh=ksV^u@0#^p_tx=A^a7RyX>7Mj?XP#<}AJ8Q0)3ShRx(7j^q>Z4>p=_Yz zR7xzFR1_bs`R`yOrXb*x*miB5^TNDAKW0!|OPO^R3Kat9!@Y$o31qVOh{m9(3b5G* z1cn{eY{0*fFZxa3>chWpDlBVol7;Zp>$B0~zgh0iJ3PSEPV*|6s5t{(@_F7Sqpdl~ zS#$&K!StPb}g3caBmEP-)>sI zJH2@jyvDPf*gt)j|B=A%hpAZ`{xcjY`b2qVFq@~1;p~gY1DPc@;$NFG-d6ud@`+2o zrECQxmTs8ONIHXQqQR~k%pi83C#1RbZv40G48(hKjixm?CeWq!-kgAGxEoINXWX0c zE+%3RiZ=3>PhfJxrcslr+$ikH9krH~9l7(K_qQo1%Owol|-7`E*OCXxPl zsxaq~*l)f=NZGU?99_+0@i3doXZF@xtVfuBx$ZZLb#B_5QB4zkjIGm2~oWInr6kNzlttBLDz_%^JsNOfyeF2B>2rBoDs|=e?0LI^ zuP@tQJUU%3pkI0$&M47O8u9%>Db*l-MK&09M)?fGN2bt#zKD^UrBeSo$n#PONHk<#E>$gsV}JyK05DQ?H$TGIyaVIag6-{6wzT5p!C7c-OA| z1?G+%zuKiQ!7XRs7o~BhJjU z0lfWI2U2nK{Pbek6o6?n$KWhW0D&0}j0Ts{6AJ_$Yye;Bwz99X+RV2IYs_&l#zX!& zwh$e3x5?Ap7@g;VRFCYG-Cu|C8a(6h~X&Oi=a z$*wS4IFF|4X$%XV@OpsFN^}GKdj&H6#8DOB)=_3ZPzGsZidM0WvNEA?v&ILkBDgqQ zBsuy(T;$CkIdnKq_CFHYXY%gxy{^s1$5K{ZXU+G1 zfX%@GfZNLC z66R#AH`xZuh_dA@Brh!vM>e$?xKQ_QD#FW;dn!05<8J)e8XS%@`SJb~5z_;kSb3l| z0idgr2&$H36aY{`ij}2^KY#EUEf+69rcdL`Dp;N|T)?~0NquvPk$TweFPqcYahg-* z&_8`Tvofq|u?Bc$*=gC{X;7=egZ*9ryJ5AXi~%=nn&j)v3R$-b_XG>NW0E4?ZH~Vl zW@P1k$=9Fu7o9xaBuiK&8|1zPrv3PU+a}!7xKgJIpG!#vLy}b@g-GqXsDGn8eu?r3 zwIv&U<8$0$6v$8BB(-X^0?f1rm_5++n5!3+Y8goj*8}Ejvz*2+J=mssjQOgSRkNbf zcQ~HjB(jv@Pp+4n{j^XQTsls#IDX)%dUsbvlvgP*HamR8x_XEA$AD^}(N6%)oJ8?R zE_-}07I3UejOJQTclPD2WXyE4hp+jHZea$U@9Z$X_1FrQ`p|5(7buH&=i!UW4U*sz$x>{@O-S#?U5DU%xEwg z?oDCoP3n)xJ4dIbUQp6u9-*z4D@Ik|*R?}v6-1$Wb_5G*o2?`66`ZZ5=?E)PFg7%r`b$Sn;M zOTmN(>_WiIcG|m~)FQpW|v7zXRFsu$TOmZD>DWb=84$pvhpxLrgj#%OedUeVR@IEns;J zvdkaQlVspPqq`n{0?e^*;3!D_T1cDK*Si9T$pZ*7M+Y@SNQ~E%c=&@NMkZZ_r_Ip? 
zQv18?KJU6_+}rX(`2y@kJ>7a;+bplY@chR0nE@FEkj?wmO^P87_Fi^4xVU+EdBVbz?^9wm!bO(HHp%F9{NNYX~8BjK`~B(jShcfJjJmrtyw( zd5@VF+ugPwp=rLtM1KwvdC%`X0~EZTqqHn(0{TH440re{{p^;N903i9!05TQEz zHgjDpiHI!zpAQs&W>L{rHOPN+u*RYEak&m!Zyi&YaA39D>69u|{j<}_tKNy@j!jYg z7ABy~PKu?Hh;`$?r}M%O!qf5|erig5$IWej^M;(KSJymiynM+uW8p47?-;j_9rNIJ ziS^qzGWc}le;)4Zf@iSYN!TM_xq!u=Qidib?Dvcl-qxEssZJ+TFYKYgEst>O9O#79 zvRtHYi_wb$k`)4_z)x~-O)j26@?s6Qbu8xe`6Hq{mZTd?tq{%B9nH~=SsGFomx2(0 zM`=VFpEcb)Su@;k0e+~l7cf5EH$wqv9KH@Hsnqku6EuS zo$?b+Ou-@1^LnJ=LvUPz+e7O~n}_mdXcz?X%NGnhhM*(p#^Kw6k@AXJ^glV}mnf3} z2pdeLk09ltn0r1rZ~E(Dlwy8jPkx4CL0(TmsbXPikE#SfV>`-42ZGo16l8cmdDN4) z`0L?HPsvBc(%t)|n~M0up3*-(Pf9g%z3y}I04fBnr@HrxL~nsgcWk!OjMM0Sd1>!c zgDMH##`)dGSCiJa5QhRB}h%DvD2^twli^9)MODEDhcieq~!uC=QoXZ<%5 zgXxOv$?w-xg#YBp#!+x)u0!!y?Rnf3Q*Q5lU0T(ZUYl-;Os$k^IuT0>l^m}dspNIM z$x4v_hobY2r|SRX__@=y@8#O$+M8=-bGde8M^+TR6d5TJb*~-bnxT|g$d*v(n%P@+ zu9>n|sf?fBKj-iB$9X(H@AG;;KhKw7BOxKp`fh@dGs(-Evt+WvGr_u3z6X}BPGtS( zb|+0wDHF42FiirB0U)F@WOxi<<<__>7M|uqc$%| zhl%uT@|MQbljc#G(}~pP@fWA#1S>2#zBvo_`vnt2|8`$zn2BcbVKsrA<)6vuuTz9kb;E7RUItBE>n*@?Ke1JObu zwD!(h_NdPH7@zF3Y3(b0-dEE)(E5DHO#E;|o4SCYeBAQOSL=7s=ig7Xj$=L_C!O!k zY8JRP))o-9e_wQbf$5RhdukVi)W)^`5K}{Hz6A9jkcVz)P25GJ9|)%%0pmlK;fRpd z2u42r&~6+K7J-JM`!N^@5Qh}CPv9pA!T=U17O3i6Z07@G?ImMTfay~ue{ir-ieSt$ z3utzs2*s=|RqV!oNfwH1sL29CVzN_j+q|=__L%sXe#f@*M(a%*GNF}w-<@f9FoQ0%@N;54DbIZ=t&c#o!Y_|^Z?wnr3M8KV-dXC6mD$*0 z@i2VN_cazf{7y;68C7WZLcjTA;O)sm*ZRa$`v*QV^+zQ*vg?nm)1#E8zl!=e(K_!mIFj7wF)P7dwg&yf&Ud< ze$|_drkjj>ujK4Ru3nZ{G6KNc5{APxU5-}fDH-B2k_9WwloF_E$j>BQ82i(=q7?bs zPkCn)%W(@MsR`@SY=LSvDYJR;3C0j349rwP1)nNvg%RNQrdz7R+z30hnR1Tdxoigz zG(@l8jHmy4-6N@U4GyOeZTb-Q8j9e%XiArZuRyGey={fv{XXyV+qA0iL7#N3N{o4> zwISbXT%pp)fbBxqpDo++wGgpnrzie3axRN*g%e-VO+xItFz`R%65Pd)z0L|}+iLvH?NVL4@cU8C-F0U@;;(kb z`5!Z0n8zN?23L8@4)`OzEdDuU%hUY*I8BU@0^PDWl}Nrb3>t)3JDNblU?-!zlZw zWH{4tLg;!GRPhk`b1vv3oPF!TF!S?!Z{DhUXYCkYpK)o?6|CV8iG9pw$s8$O6-ARk zWzG>ytr3dINOt^B4Q6coxGgrF>n}b=wf_s(qs%Tk9tJ6tWZ(5yq78^boN`!I-%o5e 
z&9X_dH$SFrV&Ah;FY0!rK@Y*m8T|T`nh+nbVw`1dS-DMunw@7f^}xTacU^ArhrDv^ zdl!COvxgcDx_YIRBSbsSU69|?1g*=&JY7n&y%mAvj6?j0VIpDyfs-CGub_Kx#UT{z zfJHoduq5ZsS%~zeTUDG7j`4cDN}TvN^+%e$$%lncy2b>DQuv^|HIIY3dfwnUSQFCy zRf9PJ3A4)U5Z_{Gq9SJ2t}%rtgZWYuZl|!tWoMaZNLuI7yRYMUI4xr34kf5z9rC&l z2b8w4yiA7Ox|&1KP+`A$~4A+!%ltF`QUGc)#2y=bhss&14-Dxg2`2s|ETd$)n4akwOGll!IO8 zr3clAln4d+NU)|tMomJUJT9M{_#>JL2Ap(^uzANt;Lhj))g^OlZa&1O=UZ(o# z-7nc;K*nB&h&pk&xQo+y&v>Gg6bm;Pd55R+T*8R?5wrra->OprW7i!RXvC3rr|`?4 z{~h^0IpuNzF=mqgmE!^?ZaxFc*pUyBK8)wM+3O>t5v?q1GU4q^a9ZD~&kuO81T7O6 zx*(%CrMkPLulAj+dY*SKpT;qqB)32ND9ft{5X7WONjg9-^bf%|zGs%)E?Y0*r??xg z-R~+S-vD-*8}@l_;&OwKSDWJ$;~9oph22B++B^ICCYewKFTkbjh?u8lWhR))ho#Q4 zQ3)#Iy_Ny(Am2j+>W1oe-rDQtg7*`{(jil4;labu^rKn?H?tqhCXyrT4OZJ2TGBSzF5M1RDJterfK_ zWuh$4maqKvnXJc0??Db8`2EqZTZ7a!FeKD)GeiO<`b%`AZzK=^7Str6<=d2`Tg%yn z0v|c(8urvHtL%qGdU5s%CP4ab9yl+Kl=~DQ&;i%P=n&rQ3a=JYpAi8PPeh-3;(DNO z_wb1D;Z<6l{cuk^-dg~fS9~}=A{VGqT~G!QEJ<1b55QT0Q&V5s_on5XFxUWeIYM-Y z{49L)6LbjKHcM+KZ*$I90g6&OSwy`K?o@Iidx5agT@=qG;DL+XkWBZj*`qXD%yQP3 zVLR?H9@vU4FNrbit!+i#f8Qtfpmy&y>A;ibi;mo;d_Z?h;zMvG%?7mC0ItdePd5A3 zwy630al{Q!Zm{|v;_B&keMOQv_2(7Ukz~&+gr~>GR!PWo>g#{!r0Q)eA z4+~z!04o^$u?dwu1-xbo1m;@VnMgE%(pIDw#wB=0T_MJ#FF(s-N`LH3B^1VDP=5hf zG=|Q5_Z;qzrMi!$>THES&8=iA2lpC$PSb%R+<$$PhTPU24ozH+tpwxlE=LZ-WfIK+ z+)scOAHCgPCN*l$FcQ5xY8{S1l%UaaW0A0cL|6#3Zoo`CZE8F-OFqv zAi9zy#(huya?zB^Q$ty(vG$pzEOa}G#X=TgCwuOej0(rG;$2k0!+;HeH?SID*#!w; z*?Ii9=JME|jqoUt*`@pj`T-hgfTqnDFeJmYuo4X}1^UQ^SFS{WLhvs8qTG9q=Ero+ zP+(lepf)n6`Yps%HP8GW&!X(5S^vtDcQ;kbk8p`gI-PZ*iNI}{1DfjZ-ezK5xdIK_ zsxG;ou`Ay@w#PTk`#HA-U7jH*d^$Srbjm}&0;NBkRsZ>m1VZ>eXZW@!n9Za}9`{zQ zTc-To-}pnRS_ZtA^yM(9YF-IRYpZvKD=mLm6RM2IPpo7$p5w;DB*#W`IN$CM`> z#;>C>OnR_WLw|Hp4cZEI_EQFGk2_;u1Z`Kce3pam%dmR+pL>(x0o80QegFgqo7tC| z9|g@5*^{c-Q>)pZ037qK91e6$-xk5rxh#fDT)8gXOYb-FI7}0uRXu=cGAroaQ!uJk&>EBfhglN!QLWh_->m?5g_}=Btp_vE zC=OC@X%FXD{S{>ZbaA6ISXxFMn$veb*8M(<3x||p=_p8QZRuZt1dWB|=i&;C<+ifo zfO5{(22K9&Vg^{*U4)z*#FGgnzlT{O?K34W_C5okiyE+26y=`gk6O(wdCdhY&7p04 
zEXG3Ag{MhWfd(QILPSJkAnS`y5SV5CqLV>0^vKSsIg08-0EOh789)26rrh)d6?i?#OI zdur|=!xuoV;VB;{gH?;QXKXYDat0vE_>4;ejfuI&C5Oi43RguZU$H zC=Tf|9^4Uln|O@Cnck`u9@~PW_Z4RkhK-qK7)(vZq&7FTm+#&aP~#VzwO$6ZbO8Rx z6{)QWW!92VVlPIb zyU`(mLk|>oDMa~l5Ui{f-brM#Alx`*acQUAXvcAfw7UGe@6ryKI7rjM=r7-2TEa+t zcpyK2x$@UBpk6UZV_>HIWSgNbRRcEQ`n+~Sm$G)Uce$RCzC?d!A8GN*??;olnmoOz z&gfdzwtLd>Ul*x=US#T_!}`QfN9DV$DKp7L9xmn$V?(5x!fc=`8|>FwuWXS&~KmuPV$@yEsYFq^IF#P2iK?P2}kL(m3NvCc}n z4D@$NwtG@;m`(m9UyiQ*whA<>bWB3OZ3(xc-RCQgPevINp~v-4j0h-pkc5-PS=YYA z7rFEPeaW#=-RCU6ROSr9E>QR|k2S^~lB@S)l)c<$vCOy$gF!%lgOSe#{jB|z%$tJ8 z{a3dQM$Yd;YHVOUxSc6l*ffI9gA!ejD?3Th6^6sdpW5cb_>~)`9Zg61QQtpSJnBJL z9k%l8SN@^{KjaA9cd1pJs8v$?@b{I`s-+CREnzWo7Zc3@bnty{Ks*df{6~18 zJ4#)dY9aE>qn%E)gHM%uV&fGfxlH;Os}!bgH?DCi2()pDv)X`8#bBFn5$BfRd@OM+ z@K~keL{tTBkWAfA;bP+FxU9m5p>Xw6p6vM&ZlTV%eN{*-*L^5kCi{pRVzMu z2qHDrIijmmC|!f#|TK1O_P{-fY%6=D#fH< z|6`Y$ewS*O>H`iInoWghy}lg4b@;$HX{0!>G}6nu#4OVxJzHPHJf@N##yMH~REk&@ zQV>$S6H+|Lor`P}qJTkV?b#!i1N0&l5a4&H z8DeBLB!K%L)ZRZjWe0%`F%pddc&ER3ch$R);q#O_qQCuH8y8x^;PBVyN8v};if^Fn z+4Sn4eA0)(B9k9x8U(jg@xw?jx<=yzB!ZyJn;a{Oy!^F@eOJg~#U0t7X!1wy{8CDP zbb1T8g(bUXL#=P`Z{>H+M=^F%Wud6qkp2PFKKE;G@|3>zwkE2FeH>EFJtq|)I^3y; zfViA)tjl_)W$D>Hx>&NUs7{JfM=K9EQ_AACcQtL*HK&$;S$Zt-N^_Fe$?u11Mzzxb z_pA(`htkXYcVkcy>3h%L#$jXrbeY*v>Dc)#xZazUlrRAmlxD|>*CQLWW#hS;ADA$U zPQGJDq+v^86=a$9qg3?o3IJeulrI4GnW@OH|u2ZHEcE~XQ8fn zA@3Bvz36+a#t)7_m{SsZ;iKKFTsg(>@&U-@0)Q0?H1ai0 z5;+4t*MiAK}$9=_UN%eW8}yuUg7>B+eqjm(iaLMTK#f<^~ti;(Kp%X17A8b2Qg*;M87-MDO>H^9m}Qw0-^fPLs>7EsrY1=Mxd z5&?&X0x+Y4cfs|<*-%z{p9K=&Ktd)Q4yaY<{j&Em54GYl!iPZ&HG@ooP(YA+j0K+< zfFb!iUwcm!9xXaRW?a);PP%`!?aLbz1=Jo$-Kfs!zZ^3bn8;P^RL_5}AMY#J*qAt_ zPXzzFzlvw`peRuYFijdZs9>7hq`gTfUW@^CSKQY5WZk{}MyQQ;H>-Nu$4&&1$D`fj zGE_g7Pg?FnC#zO5kd>HoWcY%^=*`vRBZHhSlh5u$VLgRZ<9#QZ*7^MJ@LLRyFDW7mbTLu zyE0+FPEk7(Xm>iH2p5MJL#B{(85n4GpK%~8gKZJo*p%na+;^4p>EE`nX9BrXKrgFY zVs5ya19Cs&KiNCccM`LS=fA8|nJ^q~h61QNo0aM}DECtF&k7;hEJqn5xHEK{dp(oT zHG z_`$OSW{fP&bh>6?zh-JXWWs>>|LVDx4yb6E!B`8L0&0o9;&wu+Ii*t&XXhV<4%kfN 
z=X^|8<1Egd3-0LeK8Gikv?YKeBpjx3a)l8IYTWFEv8O9sQpy>3FnrlC7|5s#oN*`a zLC*AuG^eK=Oi7%-DA0T3illBHB#tcf#4+*?VAyH^=O_Aln@Q-Y7*9Vy=oU3mi#?*r zM=h|{YrC#$CUCM#BJ)J$LnEkDEy1>cAO?aHEG$=sC>T7*6cXf5Wxu znie>XeFc$l@o~Z1si}voG#0-EM{Zo9vy(Xn*)6tmMXY_yXN5luOv3`TfYtTo_@;Ly-kH3^J}Rm zc7{_56FK~a1JvN;BzkW#m{SC2mL)sr?*07~QpbP3KrXfOVXd-5+`5S_AhND8UatNA z+j-D>ob7&7N`Cct;xY7Ey#xP}`J;Og|N4icz^B~+^3K$P{cu%$W15)KJn8HtAEC1A z0(~Fb&d6C1o7T8Vg~oPZaC=>_eLU>lGZQ7QU{yr%V7Q>&SHs9E>%8=?m-!DxeAX7J z%2Z8_fmpIHMy^Q5E`^U?_9^Z%iGho$12ji5)ZRBnqexPDQ;JK-CsXsgI_~+#eCUVp zHQiIsLzl?;7YoKHlP}T4hFMe50E57l0R;g|THnNv9mCRaFY8@R* z=f+KUwJ^>tqVw+r$y;r)n4g-4&Do0o&OMk!0w^lmkcv%kpWAfhZrSHgqqxZP1LR%P z9~c{^N+Zi3IgK;NKFY%2Uk~Wq@;2+5j`)ToU0owv2UDm?<~4sA6h~d6b8o@|*q6@M z^z;)7to}H7$d5F@eCTvg@N2CY&42tsC%EF*KD+-pp)=w5sp2MnQ)|Yjt{}RAoF|g> zY&Vsd7DhdIAMduaCsVu<+x}4hZFD+R#{<;)A@Ual$q%kOk8rDNaEPA~ zD#~Dd&#)SaXI>dlXBTxD$G-ERkv=XMD7ZryLC1IULEyVFcFO9SB>^K(?xt~v;+ zgL@IO%WTs<(t6M0hF`O0aJ*|3yZ~>@OK2XGGat^;5MuNCMZmlIlckh8@paTN&C~Dd z@zBzr3fBfZPgB)*mZ8xELmGbbSfQ77CL&&Z0dDMd-y{eu3F{Isq)VF+r{g^-NANPzSv&!FuJ5|g|2?kf8*n;hrx5IleLBASGm8NoQr__^Fl;~%6q;c zzkK^BP!Vj<*jpJx|LawT28mkwLBv@3CRl#T<-S)m+=8G@|JU6v@~O!$j(dG<5q%u) z;@+Pp)3UTk5Ct`8BZnA20p#e?`vLP`&v4V4N<=9vf-*j6B{{pIJ8GTv<d=uwq|elCZb0 zUOgFA82t!Y{AiI63u(XIGU<1`2xmuN98sY$%&bIw47e(&eI?ZCjn?BJAha9&T*x~l zkFN)izkD-HvI-X;!!C|AC7n~T7`tol7)0tRE2Py6?y?1@iUNCrUJm=nW`ChESLr{6 zYLXt@q`>?11aky?v{!+X(_~!XF9HrloFPUVcz`#e5J6TCwqUdgI6aIW*gEh^>XM#t zu|GbUf#*w1|H=*J)f@TyR#67x(Ij?xb`CrXN4XG(d9o5I7eWzDTr7rU8!{~r9&W`5 zt_gbTPDPH73XRDM%@I6r>csuFyKi4?T*e;1<*MO0m85n#`n_HBV|Q@9GPcMiCKhW~ z7wG0~rxZ(o@F|AF2@uwc<17aA-+L4BVno}opeM>YCVRDN8yZrqLb-<1$sZY!kN(BZn+eR+cx9-{0k4^z4fgHn$@Ds)_^s5LwHM zdzo?HoWr^Hn7J;K=bZ<%vHP~Ug5Hm@NAya><2*6T_tmPqO`PGL|Jw zS~*On;QEJsle36tu_Li_-3GdLvL2)hQK{k2K*>5-nyx7H!#&gwGX0k$?i)pBSN~JX zf9vIEBLjG)``olWnaV0xAYH#snzqOgHoxK-i}(lyp>cX#4MYtb*rN)DBtv0sESq>t zSOg~Qp1#D?4Q#hbn{Y~|B8SYqh`5+o8ze_;W^AIUtLkrhRiudy5^8YlGi{_0&yjZJ zhoh%l66kzAaAz&D;&~Podp6B+97Fo6B}HfvwGw!j>id0?k0ESb@k%r-p=TJgfDNU; 
z3E$XdHH&`1(U|eyVMgD0f`6k4XTWvmuWSWNd{02Q{;b%MaeJZ|XY?42U~a1UF2l|) zumj}tWz$RTGKkRRi)ZIcd`uO~&KDJj&KX4-9Xz3u_0oSBa+L~2VRFNoGinCfZvDvG z%D+^kTllaDKx2T=VE{h@gkk_Rkd4=df$zPp?YR9X%fiW3@5w5pMH#cXENXKN^O^d2 zf2@A1(aZk#Y`#Bb1uTO{I$rkogeB+YeK!oHZF?JPEX&*>NDD6J5G+Ou6f4*lNDCS* zoligcQ0q8;_4{e`u@UT3 zu$yh%Yo|P3hPN4X_ul+D$ngCW!}B&b;74w&zSSjp@w}UPk6UBsCSxClBr2*rjkPb3 zc%$<<)eN;*+_eZmU~UE0>Dl6!&NE8pXmnl8K>`+_&|NB5GC&VNXvh`x!vGx;{sakI z7H48X!coJQVzET3r_NP>bsc`{va#IR62dr+C{e}dJ|n$p5)Y%df8MW~asm;*z%KfG z7-q4&|FzN` zaM_2_KRxlw@>K|tH|`Dku)%CR16EKzKsMZ=A?qnktp}_(e!~Ne_$B zFSnSRdQkrNh#CI^a`-Y`5? zpgBV2CJhhGg%gDvq$;Zp5a>~UWEu=N)g}n=BTtd(FE~BaCb}q+{x^YM$gvIO$9M_b zCScN561QX9+joxha@UT9{e-y4g&X*MwGM-X4th^@w5zXY zzM2U~$ChP@5gpp&#VzZE&hzV%kHoOApw%Ent`5;V9rl~TirOXru5@{ob>&$@%Y!bo z_V>Si?9$r1NLIcCC47N)qDHfIYD797(lM{K-hV^e9p&9U6Jgd<4az;duL1uMQ^s_Q zwkOr3=WYSDkU7}L{ZU?gmsb-Z(y=E`vbR9p*vh0QK)tu5toN3$x(&UgMnY(Oot|n zU@TNOdT=__7>R#>+;)3Pdbm3v^u zpJgYDrB{-3e$EvNjPP3w3HXl)?hR>cgF88=4WYBdffZK13haRZAJ~&_kvXX^b zwSvy;yqNMeSk~294pe!c=J0qr4c0!J0Wd{)%;*Qc89ZeM0A{1S!9=5u5t!#M>oRbije0d(iiK zU|@FhYsbKlm_G}?jcP(;!MAxnK?>M#8IKMdH@!W#F|U3JSqK>z&!+AbzZyO7SUIpc z{8WmU#bp7FnK{iLYxADlF&eC+4>Zf0i<+mv82T+aXKR~gKg|u{z76~{nJyHYx^M10 zgxsBYIzJM`GnDddN!fIsGiP~cdhVOlz^9jsa@&{ZlE1xC?;9a@^Es(lTp(XlrX4U{)nHxKVEti zN%_t%J;fg8+V^bi{GR3`sY}amCA+?Q|1_>1#3YWZhpm=tKDyEO^ZH5F`$6H5mVU$2 zg^#afU|}0}q0{_+!{o%xo~yP+>YLW;#z&;qUg@o|7W1l?)7ej_$1ApGoozo{>T4X_ zT9n>C``SD3sso(!bGc%BV^HMopjQ%iZ~x%7{1w|?>f6D#Z}HvX z1k*^ceGPw zN=x4ZC$7`ElD?B4s@wgQj|ZV=E9Tm(%t<4Mp*z7_d(I6%7rq^+nQ5G!y~5@!DoM>m z$sLLe6+&^9vnQ`wexVku{U_;$B&~Wkb{o-?r{CGDa&YYhY|g z-RCRe@mPP`*kSIWQ1!&2)Qli%wrOCV?zX=teOF+sanbv__` z9Y-xm07lJD$9zvGl1?WpPp5}YXLnBL8P67E&KAwimVM7wlg_?Zo=KA7&q%Oo;`R%l z?x&3ZT3`0HXffHij@){-??sOU%K?Nc7!C%ahG8#cgn$MJpD$R3(_Yj8IHdPM!z0TE zBtE^zD*_ZV0}vYUYf$dUZ%dYSAAH#(Odfc#4PIYq9Q)5KS1SrGq&n_tQD~4Z?EZ1w z%c|Jy*;12ND-W%=LS3Bo1z;NE%#ZdKa`?J={k_*j#k1)n2~@TB>R^$>@o1Xzztx>2Wbj6PI>5dEx#E9oP1E=O>)t*`FlOAV^}E(Y 
z!-@Puxxaa1s@naz4JP0A4!rWeowfPd-xs86)W5otsX#(oQK|rM^W4LG>%9f?&z*Dr z9)15>d+T+}{G*@?xb+^}jaN-eZT%2RA8q@_1p^z%`1Z!@GKaZ?t)1@+3+GROCw=*) z8~Ro<&7*X>*lOq%HInwI$t|P~Ohi|@jY_6$7e~i7KCI2il}2i(M{N%4pyW+tI}r4` zs5YR+u$(ySNW0s$Xnl+RRmfrco&hET9nihVdHt?}ptiSvr;wVrWvfWK$!L#QUYVsa zs=S}6PgrX+;EH(b;l8m9qnkk8@3#G9!^>N3j1`KrY4@(GZoFqc=Y3gtvfHU)Blv6x z4muq(Ye�x8eV}RS)Yi(~p~Lb3~y!x@x%l!^d@xd-c`S^xl2oymt_2ZFxnJr9s=bqE>VY9{enHZL>VX^sSYhYYl%KB56`iAJZDPAEX=fk%G+}E}6h;WQrV? z!K&Xf7l$~Q2b>sZ75%%+-?seyGPA;RbbsbfeRJjGPht1rFTcN1IXsjET%(_PF%UM} z1eTp5#vqiOwU@N!uGL>y9vxSKafaT1a^xSh0Bg*5{)8Z22XVX6FADRJaZ|>6G zGFeTef`B}7KQYXM=_}rTvUI#IuHhMSrRJ_kp-1N`f!56hveEZz7H%99T91%$8C+&hQ;D|N@f%ro0D+YlRf++hrhlMYgp3Ag(U#vOb;loI zk!Do3K0{Vt=7M8z=6RU(h3M3d8HUJ%N^RM_YkUszg_erjTf{rKxolVH=E<_qhx~i= zLTy|aA99hK>UJBr=8~Uy{5H_DR(mD$AqH0JI@U1(`^1hc-LKxtzTKDm$FbLm9{0})^$Fs^fPm5u2wFCV|w#dum>0Z3+oWfg$=00fXU#ncWO)*~Rw#9GD z^ng5s28!m}x33Lyv?ng^&^~Q+`49GLubo>WpU|z=NWIEcZ}{^*XJGVsHOEC+6=!ej zIZfU{lO`Nx_4XhPP*OMy?p^mtG}%J{j(=E~Ty(Q6Nm-KxWU97J;obx%yD)(frvS>0~LX_HUp|bs<7p8RfB8-^v0g~=! zF1kobsO##Zf3rDjuIvvnaM|r8dXHd8W3TCUK+de=x}5FDp`5#czrmtKGo!wOo4g$~ zBpse`)6C_6t;o-_Rh;=)pA>lpg$d7Y|7%0BvVx9+ziBku>jp}r=+ejyyI^epQBxH28O5x?MxbDKea07uSJWkEL=sC&NQG z6QbWeN3715^T zSP^+huT{o=YJvKygo6so=8arNz4~gwzPRNz(*<%D=hxPLmWVj74H`KEtjU|KTeAXF zWnPc}7-+MO-&1}3a5~Df5rb8Xtp(9K(l{JjpjdM>c0(~F8LYsh$ z6_`3k6afM9`F@f2ckQMJ5Yb7=q}kcEw0eWHC_iGK)hEIF#=PMV0gYR8=f1w5F7CP4 z*MFKP`UX*ojpEXxbqi8~LyIAU7r$?^L$uBDdjW?nF z#~>~(JXS2jZc?_!EXmw*6ROuBUz~L_FQQsK5DLK1N}Kx|)ZnN+%=1@(SeTSLC7G)! 
zoQ>Cr=sAM4e|fR6e>jUwpvQd0xo;&aFn)ZvJV0da}KX@Ei zmkIF#dBnx64ppqf)4j7V#kb;%s9*W|C!PwZKUvf|?IX1@v#K0}L@;1&B$YN<_v)Ok z*`}`fiLP0{uJ$o-X%EM=S$K@=v=(I2aRDv|KeHppJg0q{fv0DL09hM|yTMV=sW>>I zt&tM$&fca&0;!Wgf|4yb5;V6Dur!Ym^n>$$Dxaf){}8BIkJsGX=vv%wkv(Zy;ruK| z7nLX%?r$xPw)?UpVX$}5wn8H>;*Wm3@%jAD!$gPhlyO*Y z1@2Z`g(gVAh%bZco_Z(=;)8@r=7Qo2iE)KQ39{j{mF{O{-AV5aNob>ZYsG8cdLO&r zqI7#y^8kP4)WqTlb|}EST&C|5%_PuhONmZwP)Rb3;m1bhavSHNjUOTP8%06V>}~FL z#?prR>Np(^Pon60gy1@)ti#ySFfzSOf9_|O*qnZqx-|9>E(_JdZW44oiI+tqE_)Jv znWI_NpsrJ@Yn-25Jq@bIXhn=Wu(BQXTxCT}Y>&r3pIDKPtaL*q(;@`b#;7Hq{(B#n zs*GPm-s4FAh)*;g2ZAX${$rE#Avc0E()2=TiV_?cQ5c989~j+?8ulhUa_RYOn46kr z%3T78MlB?l$^{ ztLmbW0%&-dI>?g{E$Rn!)m~Z!tp`h#xW^evfEJC1mV-< zYQzxjjSDS~fx8gkRaEqjBOyo-n~w#1*a*vg3wmos_VgtC_ohfRkzss9RTd&bszcx! zFM#Tl1A=3M(K$;&B%SD002_tFR3nrlv$$j#V+j%iae+YF&-a5&Q-k!FuD1$03d%%H zzi8ZXoyQ8KED~W z0{O^&Cv3V#x}U9cjQp`s_vbitfAo8Cdp^2!>a313HG?`6#GlNz>*|F)>5TsB-L*~K z5yVHC>g>C~wP)(r)72R%M!c}r-*%mjIm|kUQQL?f!6P7)AUg>GjAJh*EJbHJsN)ub z{a>uphGo%-<@Ovw$J1Dv9a5$cUK~mgz-r!Kzs6x`C7>K(o=Gq-zU<3=r8L#-UZ3ik zT==;h2{=Jtm=>)+Ld{)q^=r4k9P3)Qm<$`Un5-4orlOuHEr}=ndC}>YsSr=KYcKFf zBHMXJJ~B+6Y(!ET1r!6=kN#YWG~)fRsF3)B?M1S@^1m!qW-KX(*nAUvwV7 zOnsv7lXZn|l`Ws&6g9`z z`AZEPWn~>wa*TiSrv0gHH+=oCr0_Z4yv|3Z8YAu!uuLnp@)7Fw%^40BL*8gF-bS#K zUrphrD@pMtdl37J*1~a-5UnGuJ=B=lD#96)2N(>S0?M-N5kyrN(B)!1c0W*3aRk;b zJkc-)hr0?;qGxF%ZT%L0``qX(8f-EoR!hyw)D6Cs)Uh-S*Yccok2SvWsaMpKsMHzZ zo;xd#n_ScZJL14sGe3S59S+p3e_-9mdSM_X5l(d@&R1;j!yMneAncr9(PAhu`R-mn zoJIUS@_MxAWj}~GY7V+mmGwJI0+PzTs95P|tp47gis5e&b0)FnW@SeM25J6w+gOCH zt-UeeqR@w5I8NyxeELl64HrM(=jlwX(Y&_ll={@q(Y4AyJ5k=|Ju{NG{$e5i#SqV& zve!+PNrYP*ZbY~;)KM=2e~h?`jjGtPx1wlUQKDVOY427ou!(}ISHU$>k^V3+2L&u0 z41z|_`mIOEt`~cx5#579f{xMhhM+)pxO;a*!9fei)Lq^UFP{MOKcs{e_3b#gg9lVq zbe~^S$wpi7z7XSP?GjK~%Ih$6=Fi~vnc}^&#C>J>>D2viHRm@Ico94=T3@9&5o!77 zM{{DnEatA4WS{_!J+W^u40+wIR&D>CYFy&uH%_R3nnEs9rnR`m{evc0v`!)8J0)0; zHTc=Cq6Uf3JV|I4%TeLzs4FLc{&v#JUHnfgLrm@9C+=?QqC~BA$bC`UtFPRcaUd5& zj0^2$fhyTgrY`Q1;b;uxb&AW!s*g$vUr3i*STl`DZ_FCe(dX(gg>^v2(Ev@rm($il 
z-OK@1I%FnQ$` zzke$EqA6UW!kN;VT*Ee?z|u=9qXe%@OF|D8%??-@&zq5<3`p3p`lFeRbF4NRdex(Q zgjwy{+w?kz2wB*18CNbf3}^gdmw;{{MnCqfc7n%BU)W1~WyulC?U0*Iz40D8Q~N5P zirfT%RW3{fsX!HVm-w$~=)^nXpLayPNhAYdwQ_P6?G`X-06?>7TV!i>y-17wk1M{vN!GVVN$kh_~!O_MYEcGh^eS1w5zaB}^E!bj=8qF_xATV!FgYRrs-wnUGq{AI(*JHLq}Li3cQ<=nqm z1k%`96l`{W$d8rkagI0t1w^k!!>+oSDo5x#!!ZrLf(^!HCjWP-Yhgho`*O?O;(MDb z>`y>`>U|6pt6AZ>=?WiQl>2vdH2=B59BZG~U&%#c7@Ho*La_0b68eaxFw(%A6vnNg^lbI9hX5zY&{F17K&El+?Vjs56~q&m z8@MVjWzI<*xQ5q48(-fh{`_#xpBeF4fn_*)PEXmA=i85O^9`&S4!zUn@l`Qw3<_6I zPBD>_gU&lqhx}2^JF7H9OE8|Kr#geQC`?4E(h(YW^r;hKDjKdU+y&K-_#Z`Q9o6L9 z#_??o*kHg$w*y9lbR!NJ-6<{IAOcbXj_&SsbPGtQBScE+5J4$v5fKrTpS-;PJ%2st zIrq8GdG71Fzt`vUUNTYvNl4v7WF-~h^WQ<*@Gp)7N832B0cNYN%5R@Difi|h3H~(^j?>)FdQQly%n;_HtU4Vh~A&lq|d-irghM% zYSYWG8`oxFR8#N&tu?OeA}=eH{AMezPFiowX-t+~8zuE5K_8+FOyg&?8=j5-b!qJN z=!w=Bz79A(vKRn7nlE`C=)E!EyZdj0|55Y$Z~)o9uoz~ z(~0g*X8!tI^_>0l?o7Pmewb&sFMy0tm*mWiRCZ@gQNd8F#M@(+nP?WQIneftqvD^zAINbI0%SfE$Aw|p~ zU_4qo;{a7aO_E#Ju8mOXH&)V?*ti%LePktqVZWV1DXHjZW{YM+RT&T)V6Ubn8d)kF z6}v2}t}yVCb&i=m4`)Dnd4gBT!F%u}5Y1#QxmNwi`Ssg9Gna-5LUY@)|Gs`m&+zJG za1OSsu6SG@Q=OM#ur2Y`=?-_fO7bHayW?mYyO(NT|J7_2O6YpVkrPF@Ty1ZBu2NC# zH*e0JLc;SKh+r3Xsd@PV#8_*%#5&w9SMAqdBafcCcBBhXeCdZl4cLpdPOs9em5&A;L2ht=&IdDePb{b#^I{ zC@9D`m(}=Q7_dG8jc`Y8Hm3v`9WS1+pS;M&>y+5i!UBQ9; z=Jqn-W1VmET7y>yiPAJ22TZF~>3h_Bp;vDj$a*UB_BIT z2gGOhcZ>W=eF%R6T9Uyk7XhqFw}TQbb^b$@$fFwJN^~r!^@|mTJ%Jj5;}YYAWHmen z+ehmqSn*K5QX;HiOVrcBO>-MPFPD&=)c-c|(^GqMe8tA^P1tJcC=bWlW!R5zy}mn= zLA?jW_lf%-jE&v*E_qN8nDg2Dc~Mcpmg()|gDBD$|0QL16CH4cku?f)95WLzx!#LY z)RrmqLlW|@GT+^FQ&XxBDS6`(fMGspUV1o0FelyLF@mL0olVa0V3>ATn6%Zkz~5Vq z$Q!p~`bG)GyzARS2{FRVS6hsp}e-|=$Q5h%%Fx9I`oR}C88dt=K za^ZljDNPhxkfN2r7Ph@-Z&Y;6;R{8+i*H^a8nxGbi{+3W^ zB$Zj-zS>nAx;c2UH?rbI$w5!*I24&#?D*tt6!5@_oGE)9#r@C_i0CIEBiT}sY$Nsg3BQ=cRzt2Xhg0e z5u|4n@=y!&9eI&iA5`;Bq-p)`5galQasY+VlQ?fPr*c!1T59YTbs7g<(Acs`2aA*m1 zHJyn{I;v(IoANJz7nUHsRFlgF1@uhDKNwLCv?+gI#vJizSrcQ~!qp)w9F_QTcAI8y z2qrw3mHe0^MtanxiD52*@~Q>@;Fnw1+UWNbn4lGaiI}^8c8XPv1?+>DimHjTKd 
zXy=meVa&OQ_Z4pRfxNr9hJ~oiul!9Xxv3r!6d&6z8?HN`0c$= z=>Dh2f0ya-S1c_rfC8KUQRcrP4*&jQMe8x(A^kAfrBLL5Nss@SF1L|RfjA+N0NPOL zQ6y_?yq5MhRgv^t9-G!g%V~Ss%_u@zY%5_gmcnqA{@xWDo$PS3eeVtZxDvT&hR$@X zD#maGTaG3TDr@Bwh-N~lztf_NjHShF%0nkWWYn4Do}t&Qzwu-FZ*FeCuB>r)4dnw! z`1FBd7uyss;EIG7L(#BxTb3u1%Iu=lTBFcU%e614*nk_J&ly74!4zO}dq zGI(82|Db-!ZvK9`e}V$FLL0BlVma$CpH=LmzIfiHuNEEkmhX=q^~o-`ly)?FJUD*a zs6)?cD0kWvn5H#)1>*2u&*6ZQ$weM1foa)9k-|50SB@OzscKOT5| zW%MgT5|Nnq+GPM8FgugU-dj2Q`nCHt7bGX$?^f-Q&LSgd;7Kj9XGxZ&|7tzx#W)`P zZx)8o2e6(AM?s`*W1qF}5FR73LLqpt!tFJoi|qxR@^dQ3l~R#0*8erTpaMfHn}>1H z2zV1d#&7lS{KA}TMPS%qdVWczW-e% zcyl@Q{lCo7%5j0Mos0LtCLSP8(I^yS0KE%L3&g;mzBsvM^~uL^<$X2^szKKor2j>H zfXBd4ksyQB;d|Y!sjxe=F64GZ7KuzyHQEeFdWA=Ty@zI4Tf`=$ z5D8_}hm_jFK9izl3^VO;PmBR1@r&&lrfTb0F!~;#pFn(censaCjpM2s?xTOPVn3&n z7$%}NedxN3fDnVfXAEF~qwj)EBsc;pW<~Z3JOYg;#YE6S2nlZ#h4ry|5CG7Bf zT9-dID8H6hB`dc@tr6`A%uj8RaV6UGUcT+B+)fz>G6}Oku}v00;nfQaNd**1$I&?x zN@D;tn-3o03}i+{U;cu!EEG{xqKU!|6C{j0$G~m$v z42p943y6a#As!2Mj3Q4znt=->%M}?*T@D;HkruS2b4!!^r3l`(I{?yj7;p0b*?Bk# zRq#Z9??Bj^lyf<6Pnnl1@>P0Glm5A)`0u3jUooQ!tEsIZwY_M(*+Hj@yrYYC5p zSXt&|By*i9iTwZxr56eKzyag8SOixz1Y1Hpi;f)vva}5Ap6}|4ay*saQojL(=VRC% zVGJ0&0WX!*da|beLXG-@VN9f4-V#&Y@%csS&Oooc$t53ggTz!nAv2YOdA}86&(VE z1B%08IflSB2CJ{k&R=61cSyT;fQdH1$?eNW13Q8bN^j?Y^J4OMvfwV2Dc)B{88s0GwVEoVy=f?-KHwJEV6%WYFdL@V?Ku zOW4?c*sx3ZYi`0~g5W>8Q^_r(9^9xFOV2B0Fh)uE?)eU6n;M^0RtJba9f zF+?BiCk+7N&T4SYgYjX}{9V;`biD3Mfglz+EDK=WQ3*f9;XnFYN3A~r&j87)rKZwY zC#J{%p2SZY8gSN9$80+}`8Mrj969q~;vOa1RBEh&N0kzgwu!qAUsH(Hj> zuF72(0tUXtLm)?GW6I>C1mz^|9s=%p7jJVRM=&!i(I`Qg1s3Oy-6&4LO}=$4M%xM0 zTL~PMy#my+x&vopDqmq8)sJu%_=XTZUUpQ|{1JC5wA4GA0f)v2L&mOpu0}{1Dtt zVrm#+V(%okw&gn+-=8|3le(Uhx&C#lA=%ZfAlEIQ3n1jlizgAt_jVhiJi)V`ZB}r(7UVE;|hRGE6ckAtj+PTcmca&jlAi%1z0rj?Dj1Q zHJW_ZgghDRF|7&;T8oE!?s#ZAHPdW3s!M?c{PgKq4FyjS0&G674u?W0?x8u6jcM`6*El;c=Zz{Y(0EN zi!{Lm4Dpj5r)r`^?GPg^HkK^!;qx zi11XUmK@8?ZU{sATjW39VY7nfhjb&tWiXKcYw 
z$ID4)28nEnp_k;}tRUa08jhxVPa&hq4Mb0SW@AXy1taY}6+bSmGkDXls>^>}6KBr1*9`fCGV#Y1lFU&(GcaK#Ofn$|dz!4I`B>`oq&sp_^-hC^u6aFVX`?}?68 zCgcP=lIMQf-r!FS;4jBdbX$PVr+KmG!y&JU{OY*!L?Jcp`K9N4dX0P|{@Oc-f7)#$ z25rCKPF<5vei30w#GCEtn@M2x%z%#Z@J6yHs_=zV2m}gbsGp*ILgnIqo;pS%Edqh7 zmRkS}`WoMF6HSM=!8Cau>ewTfVr1m3NpJg=`8qlT*2@L@JIc?7=UbH|#^({L0G57Z zS#c#-5MFn3UR3v;!3G|DGaP=A?*6Z}HV93^Oas$bR7WW#j9YHKQtxxW+!k%|(?3(S zytr6>>r_*jP3WGlHEULR#oTD`mX_qShTH7K4RTLBBZ zcje9{9Y%K*;V_~_)*a@-%bmu{d;6p%&mst)DH@Z->oxMb__Ji85&)@=7t6mA!$iT+ zN=4xW-~#~o;&T7hS;RS~axao6fJpG3>Paadxz-qE*J<^93~ucl_sa7&k>zF#2$iPB~up|!MD zv$)VjB$1J{#}i-8G@tkvK?j-wMWDMIHZ+d3mmt3zjz$+2M!?n4;<#=wB!WS|@$F}K zyRQ^VD%;k@6C{|Qzbw%ANv|iDUx_RGJr-{!!ALX`wUU4VX`kMgaee>6>K^c>S5N4> z6_4O7;yN?0e)<(!inM<2mT2B)64%5!Z&iEU+U1nDrYscdJ9NLVEseL$k5}`BFtHd` z^SN}P>NgUf=Uva`y3(+K+7a>-06e{~C+~01cRcDW*yk!(5*E@=9KwYD^OE2XuA&=0 z+U>RCuln!srNtk7E!6sec}rY1m~Lzyv@v{7o}ZD$orlS8ym<8aSTkZ#=TYyQ5n)KR z#Ovq%59=@6A6Y;O<(2#QmHR0MDkui-zCrTf`P)uWbEA;1i@K%dq~BaOSV|%n=Ga2p2M+WbU$mjw zS9;vbWWz%8(MK22x4N>A?b#hdZ$1gJ7bx`Qho5(NoUX^+Xg1%Fm<>sG_ka2Q-6QNXO#il+{*m9@JgKcCM-9v?hwoAhz;SitXwaQK55*jExP92tCZ(de%}V`?L*>< z(23^Isdw_5Bl26{a&B+0N@5s$D{U^pFTj8QCDcpOf7c5o? 
zTU_b3_71ggA2{TgcR0xCy;&ISpHt>DeVi$?4TxqY^#z&vsLd(?A|OycfqZz`NCccz z(~%x;uXrbVxz#mRZ)FE$aA@R;2U9v}=J1<$`d?EzYZr*QEw=|#xqK*qQl4qrrn%^s zDMg%LX!!HYln6W2U z5-0XMTrMe^Io;^@f4TJSc=Mwen{4focqo1Acv=#Z&Gfk04mu@^(;0K%?fdR+;R8wS ztAfq1sVQtP`fGzZ##6|pI;(lEpSdo!@{3|pS|v`S)43_NZgWD71z^c>Q;Bpd3e~pEPP;`Zj+S4r4CqvxF~;cCpV1A@SJIR{itT;Heeb#PD)R@2{9sMOlYD&&|v5h@8tN5tDj^<$Wxsvzm+wECk+z^e?N96l1F>Uscxq}CqE zsV5_t001I+G!_8njFI&uNa-ADy{c^v5@0#DZjsHup2o-&YF4*s=UXHSvA)lja0>mDQ7hpS1#Q)pgNVQwo0_=Y*#Gud_Cpd^p4MP^s|H ztXXLWSW{=BchRFc(4$c!JtdQ(XCdImc~>}+JJH@Iu`5v-%mWx@aDof8Uh&_s+B0RK2pdi0uvu3;_>C;!m^j$x&%#P zw<)ro$H|8X@P9o;2`af^-3s9ze#Y>Qo| zpiI7HndC?Z@MQzB&pCP5)I;Bjd~4lxHrm2pX;;@(3Z{hb+nV1j&yfRBDZv-~AOD#x zk!Ql@je13MW|KP!bt0yXl&7H0zOn5Y^y$EIX6W5$8Q%fTzFH;{@L&v0L2|2)W8s-a z>LtR7?2;8J9pI`$iC7Q_ZVS6SgOc!}0o2r-1XEVDda~oR%_jUBpC^`A$6q&HG;+pB z79^6dIp@g%wymBlOxdE4`m_Ou4C#={%GLI=n7L!+muwC|RrKBR-~)iOXo`nzbHVYa z&j@)c=sDD+*J(D131ryeg0>Mkz3l+SN*?WvR)bG-AN(g=^e!mY`qQPDvDTO& z;tO;M;FP?Zkyl2mn6WZIlslf*z4~gSKD`EPp%IiL+6TnuH@ZJYX}pff2W~oR^nLja z-kiL6M&bCQLbC}S`+Bbq2KbS5Z`?g*Ni!AG{QbB9U_HuhY4cm)6%1xOUk&)UMHmYw|ji?VAykdYV2-Nc^?*BROG9v?)%YY1OS62F~a(w2Pxi|d&(HCX*A(O+<~qd zPEO3ioA6zJF^MO4`byYX02+pt-vg>7$Ir3IEwNJv)<*>2H2EVM*pDwEhV{m%ULOl&UR7KzZuLn4NyNiy)u?d*|GTnQWp zuZRxr;wG6Q%C9)qw^h*?5%*Sh{tae`c9v28vIrYrz8cV-&k(Gv&Ey#R>k#FOiRLj| zj);P@Q2dSp6x*^gV)M1K$fO}`t2Vj0m-pg+=c|8;H^hl@*6>vEn@1#%Gjk<0!VB!O zv<;nuAN;5X!v_xrzUKr*A&DT9 zK8u2`3g@DR;OIk$UZR)B~DjMD-f zd~6AMxgtpiwfdwQv1UZ>woni!kQm3Y`aQUy-XpGGm(Wd!cXZkk%V}Y|tRZ;lO)e0} zO(~KXvEa?XS@Srf_faxPWV~_Xxee(o!k50hf@Q&@x1Az?$Z35xg1NnBMVRPB!ae72 zH6H6*0~`)ixNvMxM-`nr`I<@{a+dV* zv;^#1;;?v(l3$&f3c>Zt?LUbYvhx!h(IN*Cs6_w*_d4gb0(dEmq2{Im@WHa9K_DfL ze8wNGfK-J1nFfwwAV@{wE8bb$t79<7g=^&rZLH)UjD&?|b>escPhvmF<*6(8GiTz; zL`V{4btPY9>fP|~=UVo?E&5#~kra2eykIqvHX-ePyeWEdmFLa!K_$$-f;`U87q1&o zPuu{nlAKHhp_wp=^NBS&x5>nMnsBlOeX@o`^+AE15Jg^5H<&(>1dnZt1nr7$?g+>H z(NrZCef77Hfc#q;U*{$>%mC1d24E5pHRaaKh;G&&mVzJMUBP6U;BqN{_Wv{UOpj;#^?W8{BPx9_!jI@~{a2eKL>w zNt6G+pP<}%N;b^?^ByD;Ix 
zB$g-w+vy*iHT(eo6llT^$j{>d0W7V$AYl6yU~dRwBxuJP8F&ZhHwMrf)c{=I#ffWH z650EPV<9FkHM=;U^n-Y_*&0(^qA79U_7<`6W-ayhGe;6%6ioO2SlQ~Rl*PQ@9lg?H z*gVLNrE=SC_s8V$A@|+cdl(0qj02r0ey!f7I1%B2v>ueR-GLt%s24=a?$F$5z@JS5 zzMmv~RAORn6zrK?Ye;Q?gNS0A(5@0HMvFH21Em9xFf)?LxJ`($P2$)-cKciycdS!N zB6w@Pi;-4-{736C-|&D%BH>c>cN|377@#Dq%zrO3Wz<`SN=b$kl&BD;9NETxnN(w_ z%w6|W>f5NUC$Tsqq2lD3#bU|?cCxIjt&}}$ozDmeKk@LSuFK`s)k{FkO z*NN`zW7=)bU!1Z(-|F%y=}yD=DX)BDY^;lQXLSZB?_yM5P^m@u zr;YkZk;K@|iw@s^ubh{yVVA*k!uDeGYzi+#Uv%Go6O+r1za8gA_JULpak0&yXH%D(=R z;?WpAl&-w8vLRT~>OwKJU5!OR?fKE0%%61%mHM(Ev0d~~q#73ug+Zpc!=FWCy=P^` zgwtz^+Bxj7H9MBiZFKrr?X4kJeKh^&HlDjPh$yx&gpH&e2|N8kQ7NttH`1YMC*xWW zWib|$@#Bh4(yIQ2GgY^?t@W0rHZh1KymS_%p~3J<=oy1kV537PZ^fr+h8;)rY_fY* zD?~|XG*T|+8C7*vqvR(HR1LslgSM8pG`2INYPBQ6FCBPb%Vvqu=(_R)%gkSB&MeUl zYB4rr-MM#MV=>*^sy&U*v~0%}Skp5=rkwUbtF*eWhM`qRjg< z5%DFoXh+%_%Gt$OYTrrG$CZ#SiV_oGS<^hGu7ZufHRUecv3&uyBknY7+V)Aa>+cG=#~(pGgs+G77TZEO=`@n4->8@J~>-Ii8DJGkshls&MK?)!B19hZtC zR4+((y3laz`kaTh@gKl=tRQWSMkHnOzK=u)$F#0~DTyf2O7NQ{JM}2o+kZR5`tF~&-)THstgnJJn&<$UoG+@`2@LB@jH`pUiA`6BpH4j56Ap|DF+*3;W)yU~ zCw99xo7#*06wSNBI%%WaGm33o|kc5 z5L{63grTTPrm*Zfuc4NL6l75%eqj z11uA(Y+nAvq9U%aHc6H{`8L2f9~QeY?D}_Auu!cn7Jn6xAKJEOo6=!kXkRLn=f0Zf zerxVu@C?@`ncx*-$I?m`@8S6!gl29{g{ zL{3Fq)FNU4aK?)M#rxC9wNlA3cS~|{AwbOUEe_c&qe7I9E!w1t+T=cQ3U~3$cbR2Z z`AT(VG!@E15Z$#`OgvQ`&k7SaDyAxx5GvP=bxNFhq>dtTZ4W+my!?3W z0`Q}o#{PZrzAsFJJ8pd%KV_?^7^+?p#WMgpj{kODciukl->9(u{O3)K#UPc{ z5Z%q%IYT^^sr&QM$jlKL;lLgW<~CyH5i#bNI4s4%)`&9msM^hl3~uxq3(%E+`^f68 zWihL^{M*OOZ?!_N>DR}e+=i-#gPNnj>H@#h)#P|?{xnO3j%@wWPU`P(?gk}Fz((0% z@i@9d`N@)ENagxu+4|&Lw#f#osh9mz9XC@op_3!Fp^t|lcf^bjR(G>M@81nU*4N)V zZN5)I6YVlnoG{O%Y<~D9Kl6Ki#tHC_prjU2(EdW&ophkD=lT6_Tf-U5ukD8CKK)JP z#Q{H50!bLSSdkFPl7%Srg2Vu!y!GOo)q*mP5M8opWWDsrdPy0_wT>sYwO)28S$5f2 z_F!3gV!h&5vP`(KB6zG89^G75?VI(fDy+C9-m08Hej-hNzQA%KZ9>%+u<&>rsPx~$ z!>~o80YWAG!lBiN!`pR;1@6;5BzT%-W5#-8fn~!I#{~m?-m(6?U-J2Q^)Xk`oi+X9Cs=JFkkG9L5f6c5xYZorT7pm1V^}5M#G0AHY;5+31hY|-Fs?tM*MJJ 
zA_Pc&?+4Z6A9S}be=xoI@qX)&Eb7iz$-?#Gd|`|A{>yXzhb#cVPl<;=dB6M=yJeOB za>4uMT=^xF=sj*mG}z`b*y{169rDuc%caWZrQPkXkBZ=+mn>GdzaPK6bh!Ox{rLBj z;VY-d*G$;!qA%Ak@BOKG{3qcJu=0T~KaN#kV9h#mXRd!oW#DTR9)gO1;&H_Kr6AN0 zEVPWp0suSsOo{?hXqIg}-CUd*AUwH8tX{IG3_!x@A#CZJ_(%u^pZK`2-AD|G5R|Xp zTK+bPUd(-cytU$88Vg;%CEBo3Ba=g|T;9#lX)2RfD;KQMR{g$6+V5z6qOE4;B|3_P zMYFxuAdwn#%S;H30(}Tnw1|eBBkLE5%`EAG4%IOzVQL5>gx%DWQ20T})sbB#;c^$n zdTIru)M!*O;^)!ER9ExkL83eo)=-1$t&w;teg*CB)}43h99pH?J+GZoXy~oHH!qx* z>b;fQvGbAc=}jKbjf3pt1sUa4lP_k~;?Wcu=^;4YU+4=0X7hJLUJ;MV?quv7>{9vb z-Jhps-6s8extd z#zm#lsp)x742`wmCY;gqE$2mEB&jHIe&pt}u6h4Erh;7z{n&+JG;_egRva>x$K1I{ z5u0Uv>piEE<0=Rq#!%QEw51}Z($Nv*@T+-Er0OO&fmhe{{Iawl8fO(D6Gt+>>uX(nyhh;%|5-~<5hY8M)NG+N;6BPc8>nnxXK#%}% zKsbkTnCgL%B1IE~7iVpTNXW5%`{0m3Q311fV3WjnR$CdWBI{NeoN%45o^0zjre0D_ z%~vCs;+|SpTUdEm-`II{)F7MT$^hdESuS$(bf$@a9(@u2g&<(Q}Ne4GW4pRxSyT4XDb&ikxu&C{A0H5($OP9quIJkXSzICl>x?E$JNTQNV z#g>yX-QRJncIl~)&q2|&>kr8iMgb!joG;+yYOj1I#gWn(p{P5(-6V7<6P7|^5 zZdbgUt-8mnk@uXs3e-@~)%WkGYl|KV z&4!Gha#a86-Cucf`yX>J8KtD|89M$JG+RRD?<-Zb%E|Y%ClQgmlxVZ0M)Ux8=cES^ zF{Gm@KTs)AM7KncUTi|fl&6Ma7qpu^yawcU@XGsYB0L)4+ZQoxMe2igy}nMoB735A zu)y&VR;Ad0du7pVC+&nvs}pd6*$Fatr>xik6*QCs-Moi_a)m~LnuLpqqB<2}n!`Rf zkqE|8`u@q_W((I7(~8hD9!X92lx*Lf4*B2A_dsY7YaE+>HoB~(gF-7=x`>5XV_fM7 z^WvUe6e4Y$fOUKe0T$QOdF7kaI8G!;ev>DZ4*&|$1Ib*`KpxW8-CE%{sx#v0p&91f72@fodz2>_A?N(UXEcIQ?{&l2}D4a%A0sgDD?V93x0l)B2RdX3y4Ht$r7{4r8bgIh^x_M0wWxBFY@1E9wBLVGTlR{ zQR_TIM3T6Kw0g1()`%gB8!1re4KmPD81voR5ML;d6>l2Vv>db}3g1$r96Tcg`%}$` z;K~TKYF(fxyXa@A5!e^k<%p1-#_bzQBXWC;V%F0stB|Dz_|@3&%1Q~j#A)VV66HM0KSKs&{czJ2 zN`~-5-M8`*l_q6yemuw#NrS{Y*7b?yOH9gN2|we=rf8-|y(FZi)YSF_oJfIqP5A05 z(IrDQ&U-@tPsTV15J*g@LhG&6T(oP9#$-mMBJKJqF=r)kz=)iqPXt=Pn;`IDh!+Zs zHEm~?{6G@XRv4f9n0%tLP-hTQo#WK26OmA@`D;Q2)m-&MwyDq$hO7YWF_Fo80~zd-`QE z`d3|An5en)(~M8rV>i-rfmg2ry{6fW&bs@=_F5lm{@H($k;i489(4;50co!4WNOmR zMy$_+t~-ZGC*nb<(5Lz!Y}rCY5EhP#AYN;il++WS-Hl(^G*6`w4q^vBo-gcyJH8)c z_+VHQZlYJk%;Qp;z6OC z9L3TaqUyOPm?khtFNWh;%ixbSqb>kUzMQP?*&WfSpzWoK=AuwoUDJBF@=C~Dgqew} 
zB>_Y%ZmKalPG#F}uRZgsDUfp_fj?xOW(vNZ^AU?1XxNbpjbkF07Vjb~Id~FfrJeQ) zDkX3GSxar&4kZA0>$Hz;o*mPrPB#kgpQlxp2MU7VK9;9%cR80jW9S#O1nKR#RfFy~ z0iC)>Vze@U8x)t1Nu0))SnekVTi7g4WnXWBNEy)2w8N+Gj85RXOO5 zp2B%v^Ua>v?e&{46O{D>=b_TL%0qQxK;kCA>x~0c>ni+eNa){r*6q#Cy%*ovsQlh7 z8c#eGftTHt(wF#nr~`tu_~M1)I!{T?%`WEWBj>OPlciziig(~n8dEYU&MZpL*dgs* zd-CGNr}UiGmgSVSZQ)UD0Bm}opITrH4$6rQoI4{UjM3-ojudd^mfND3Lx)D1f&q9k zcH$sTfY}@pD8Cw|a5o`EAI*F~AGJcS<8Q@i&?mMIJus&-&ha^?PN2T*5Wbgp9ToZDF60+3eqUXX> zeuN))as?Ot)P}8v2NAQU*Hm79TcqS z9tztLJ@#XfroJEYHbL2r1RLWj@F+0+88L47Hxq;ds=y+SI+;hLMolEngQ7f`@c<8RtCI>&Vbpdb4N~$i`OyKtKLY zBJ{C4Q`!K;?-Kv7C2lF#fuj~0DC}^s8g-VRwZEE`KOV&rOkJu@k8=%@aZ-Xs1?8fG zTZgiBWKe~wJpWMgowex}@0e|*;ckS$WIRN1Hpdp43tOdI14W2tsL3qKK7~;I%#szP z%~pu;#V)0M`AWf614SML%3Q+udNLz}sHABl{T>RIU*l50#it&P=bs#; z%JKqz%&9M==`U9i4w5{e*D-A|G@0)>MAM_y51)|lFo8h&h9l{O2;q<2K6)cOh>VuOYgDi#X{5?q88yRY48TxNdRI#Ew+G>e~dwQ+UP(QkY9de^}#WJ1` zLA2AgtkbprYJhH`I2#ooQu|y!gXCczQR&@hheoB*2gz(#u)sRs`*g)KNZ^O-V(|I|-({_Y1e3vpD6~{tTAu8qdc{N$g^iEbs zDs@PKRZ9tA03N3M-qIJAK~$)C=rUthy&{}56M|f$3tZ>)6NF?-pNAyu*H%583m1$c zJCH=&k0NVrvDr43Qgg1LGstEYd68kHp0a`C4ya(_!_7*vHWvK(JNW#00D>OrSxft0<;xQJ_H&0E|uPMlm2d z4LK833s>g_?GC&n$G?&`_N7jwU_L0s+#y$Zu81kPh;sjFl{IB-d2J|!+V?oJgT$@Wg7+Fou-AOx&hw56pt zwW6V`lRcjc3B}`@(l+nl=7_^ygxL^eRvA>WOrnSfHwlwJzy&-2KzkNRY<@YS&H&Cn zeYYJ`y@a{#HtFpepJ>RVlsqrB1V)>6+%sIK>P3fe#*+b}h#m%m_>qsTi>lS!1+FWx zzMnKw#K*eA54&EkRfV{Ctw|yJ&syR>4Mfn8$wBT!laP$7azXb2DTE(udehfGZC@GN z5%{M6ikco;;)&Pa{Kg|xrw~x^1ER5B6gs&I2qao2NeA@Zv6{`Ihx)ZZf<8XJR8lOm1)|kfs z29plU*d|pHGA8574d&#kUSunH-NxO$B0o~g*Tiacdvtv1?l%A0Gx4alexz9^a){n4MZ_eOg{*G)u4-xu~*Sla8Z-dZH zF*{>IDsw0mh!xfTXe#u$jtDy{OD={mB}^>*n(7b;9qDR$x@H~dW6c}r#cS)^+MCxP zA1@v;fH(qdJ!^c;XjbU+ddAj)cOMV~2M#fq@f}B9dwgJdS`hiPmr;b#a~MKkh`Qln z_7g!qNRP?*NeiJ)!cc-|ruD!F9=wYleqc_nFcAtKtAof+Bte`L0iT%N2L!xpL?-p4 zW!Oq?H793ifQEy|L z%37u~!`48zmI4)GXTBV!3id5AZ_R1}=NJ$&RE>Ru=;80#!`;V(oYP>GXJ22+unS9H z2kAPMygOrZpH+}53@Gu2YogO>o{C|Ees3NbRmJSUvTd~hv#u%i3Io7_96_@iW^Y5f 
z!JnW2EgxdZ+uX4I6AG`{21a+P7jl9BT7ZXVU6dqczQ+`6PEk76Q~#Lrug|)(pr4rL zmeevzC28oaBZldV+ZmGk($j}&Sciz5iMlOU1Oa`NgIiqM!&KAYtip5&wvpQ39R@4g z^WS8mvO&B)1fse-V!A}^Xd=nM9SNHqX@wn$`*+@U0>{}Mw89PvYjMSfHBAx7QhsLs zW7u_iJ|LYu22Th`2PIy?<~9rY^QjD)9N1~hOuV}&`HGKB(d-q@^(!Vi&~kQ|Oa;8lpn27zJ$)c-Uzk%=S_EyX2XKi^4Jbm^Hc6b-M$gAt-r#kn2RWQ^=qOv0)gRK9FH20 zoANo+$)EKCH}cA%?+@vRHdTKtF+`-FPUxL7VijeZbNHH>b+Fl~NseyLD}pCj_hU-N zeCh5yavx&n`%zqvB4e*tsr%wqwFcK}sk~Ym&2?P^H&;3JAy&m7I9wd2uV7#PegGg} z|2)pmPWVQ{_DL;bpKhz-#66r8)ZbPR7keE#!!Vnd=7 zcsuh0fId;NI|&}Fn`6&8neaAj*#C8nXebPZwm&xO?8dtDljY$>Zy$%A}8a54r3p4#Yl+XW=v3vuUl?H#B55d%y#>rT~DS zP!l~tI4yeraH;#`S4ZlMs;R4}4z8?PYoS}MN20f}xe$$%18zNnXBKLg>wz?JV29YD(C*BCtjL*GrL zIzajV;{O?5Q_TnYz^5O0GnSaOMuK_^xCOVRkj1`lwzoisQ#-b2SpMe7am2SR{ z1fnhJSjn$e$w6aen{gS???3e*^*<;9&__io<3eg6iYc8CB70EQC~m^q4k zfGC(LG8l++2ms;~1W1HXJot9*UMYTqM4~8{$RbH|8yYNi`JLY8R?z%vK(FJP4L z?Yickn>o{j%#_w*$_KK6xOok+k4ktdANlS`C!N&tsj52*FT^lI4L9VFtO~4y4gv}Q zVBk3bKop>Y5-S*p4*?jcK)ViS|D-V?ioVl9f_xkp>W&>Dqs@UrO1p!-kE$wyCIC!f zZM2N?3yUY8c>3ux3R_EI1Hc4&Evj@XJIN%&o&g{QZd?QG%$15fszx{8gfmV#=Tu05 z;{b>efaRE@j)LJ>EQlWF_QQ+;2yWC4Q2=nFXb9`5qi94rCoSv78^38oBaVtlXURLF z5~x#|{!)-MjH)UGvO@eiOiiyOXhTZQgwR1Ntu~6l$5UT2PpL4UsSv?@Tv~~jp_X`N zBTAQLwpnMNC2KhbC@4-^KCa1P6GG>Ajc2|15PR$XqIcK4Q6%j98ug;|wT31kk}sl41+y*t#@dXxWRp)udB$^H9HK-=E6|66b_DoiphE!#z{LsxEi^mh1aQ$(3NQl{ z#TQdfd0tB`!bmHXWID-|2zoU#AC*?pbjcFrgIeK;dJ>|iSbNeB(~?@NZCGBPNl?L& zmT2%yACo$&!Dr+{I&Zx@jKH)Kyxx1e5-nwsf(!)6V7YS%dQ>2sN{k}hEsFa?fSDy_ z+|I^_!#r?jm9`WRF*Rl~OqX=^ORJLnamf^r&*Xw6*#0e0r?DB{Oo&zh(Q%}z8l;dT zkABD4SCE(7F<*@I{}ppU&!2~0H&c+k$e%m#j=nc{1v)fm5C>;bI_hL}k%7Zue9`CO zH~_Jr;o52Z#Qn0T6!g$bs%lh>j*^hRq*y%+7lwzm9f3>}SrM2-{1Y~x^rvA>ky;_{ zKrCcc2mpuqRhS}>f{Ro|6IuxqzvwqY5}qXme*xe#oL54;#P3@}sGN2Vm4W2k2s)0l z698`ZqR9cEa(oyZMVylp>kM&QER>V|?)N%wWTZ(@OF`+1r<6jZ<0*yU2C|kAJN!kY zVY2E^e*htb^9*DvY+KS$e3e3wQLHLoGG6eII7d1*L|ANOT^;qf$L=W6Qaad`CS)TY zmefZe>H(mF|6rme)=cField_krsTk%NQqVy0fbQs;T}!pDki>53cxU8NRVQIU$2qaFpRNlBVgke;-pEnVqX9I7K?PEiOMAi@|3VTOzL6r&Dh 
zXi!Ob|IT@33Wc@fg+GvYH`ibgF`!~eI7tE%N!|`tRPv7wAjUhN?9YlA@f1f!(ilyo zt)>859V~?!9HO?>t$zH<0pvPYy4KaMcg1U7?W&h=JQJ-Zk)~-XbCd{F?ya?4Yhs^w z*l*AjSSzt!zvQE(3?fFJ)*K1o6w;q$`Uh;Vsw7VU0RdN9EFE{ON=GWo##4eyv1~nT zY~LDJz1G&Yx23CI03j0Aic=s6dPX)Bpa4e6R%x$AF4ANx1cABk8H;pD?4W|M-da;k z*gNJIWf58j%IaZen<_^f89Y;xN|Z|hAybq48{@VYv0k|=KkzEw_|Dh9d-X~ttM**B zkenteDZmc^L;wabkN^yj@P!%l6WjGRI9|pr!+Lg^j->8LKGH2!IG3WteQ$C*BWPE5ht)CHzj6jF*mxKV-&;K9nT<^mpC(2BN_lVuO7 z+`9_xCiiBNBmx2O@~raLI8)Ir5792eI>WHej&UgYC2~UJQB7?LMdgq*K|M{ly44$SHI`%D0!W;boPyG|04T60 z0T5t_FtikM2wt4xB3y{rhOv8f@V065_stW+AbRg`?1zNW&i`2TY-e%D6NyQM*yvpy zt2hktySNtu-^fnP7i`?Pj=R&GuJK$mU1><)73Yh_Ib9b`-%vxOy!ezIO!PNhfK%K#>8bf*&2J*pu0vo>bJDza2@Iwjfn?brTKVJX?CSbqz z`-UidIVprW`168R00aB;H~11V%o8#L6gs(5gag2b9~c2ckc0UGHP4f)p_8kJup5&& zHP+e}(qW3z@e2pQg9{voJ&d&~b2ToYwc{G67ylXvfjdDxNtc26A#UNEMFARt7!E;^ zktDPWZ4-btV2U|ZsI4G0Wa|vS>ptxYElZM>zmgrNGKsFR#FnciGdM5`P%!s^X;Mn+Y)}r2kuzqA(=&sE?0vfN_w4J)Aua!~?3cvVOA^ zgA_{Lz(k55BL(5aRD75y*)F}aDv~Qj2a<)4lahf%41eg4p{z&H@qz^U$rz#g+pn{x<2t1OUt z$u1J44LFmFVJdDYf>C;h*u%-Fqf9RN#re_7%-l*$+^v^9t7m8?eiX3<`mDYCFd_7; zpuo72SRl=W3($dpR!Fe+g8&4B1hm9Lwaf$q^8y`!1hOPBNO;TMY(EN+&5cYnE`+pV z1UI=N1d=31FAO?jtTa1vrHmWAzyIo(fnXjtBaoALhn)PzdwaDOm^s%(Pq+|)^%Q{y zXwUX+fcTWp`J~VHj86twPr<0RQjq}$Xn-5~3R4i!D7pbtD9`~FPy`i_1r?ARxPcUS z&;o_fqXV?9Nzn8}i+TA53UE9#Xg?i*yxWw9vlL57kc2>3%U1Z!vGh#@W61eSFhZ0| zpzF(UvpG2+$>uD;Mr%XPyDOITi?JfL&)ku9%BI>W0hq`pl!#27luRoFgXF}}DaDYe zN{wDwIk@0Bguo?SA_zoMkWZviv9J^fXuPk~0WY{shP+L*Brr)>1{6R6G>`-Wlg&2O z#oN?KUA#iv3ra4;G#_h5Q2!%3Lr|KMM7PTe)Q_}FXiUI{kU)IQFr}c0VM&L_ER$aG z5w?*5sSC$f8;3j_(^2h?B(W~VoRNY77%?SPy`TsPI567O0k3389eB&zBrrMs10#^r z;Kb8fg*-3#hV@%KWvn?KZNnfdz;RQ7aj}%W>_Qv6Ih3rc=A1@`&`-2d9fTq_48jVh za1vD2PY3AKoV+)E8^=~v*WVa5w^0@vF$DpF8|+$FG8H%%WxrspRb32LCTs^I7=s?j zfH6P;0`mnm^@V-S(>(=IND$SI6jaaKF)tj+XRWI>>$OOZzk*l`ChZh`roVMOaoE&9uIZ2mqTR ztWZqnO0QoTtR-ok4S)}naDWHEK+4p&e%sl-#fuWS1C%WRFXdaFy+R7WRWQg7sfE99 zNZ6-cJYL;Z6c~fW>&>E-)hZlT*-Wrm?K0Xbx9D`k15gBQu-Hg51RmhDblcdEyjF*J 
z%xhG-$l6rGT#(;V50@x{izoz}6i*JcvKGM1!4=-&T`vI$QOEOz^n*E=d%2f;TKQAc zc8~<5{R7!7TJ=+~Dcr@3^i|x$|38h5v}naNd8mTt{915}gNikTHmp`k`$AEx)YQ?K zCSseSI4?0#Onups#UQUueTELCOjpB$Zy??RHsHh(09brTUtK@N{n@95(T99I_45Ma z6xv~J)7*T>?%~4D%e>FMJoyST9Q|4!lPeOYh!Ge=@cmJp;08^kkWt~KXhW8!5xjgL zkB_O4*I0tN8HaPVGBY^fAtqvOdR55lfrnI471hP}OFXBA1cY6@D3-rlWWV>jO%-)h zFzA7|d|0{Mw5>(AOA9(fT}Bm{E3c&peAquo+tEkW2?5X%$jGL^xIux4fNV9At5`FS z0F|fMxTea7cc@H3EaF2(|KvLQj&C@JVZFj6UScM$MJfhbr&Yfwem~z_Vgl=dC`QiU zg$TW()+1Zt6E0yNt5{3n0iE+;l*BQWSfD$;94S!{j)s%%QRONfNXF;f$&&UpeB=mjM?qPXE+nV;E{ZB5{&ra-&N*= zMrh?yBA9#RNXF)~Y|}P9Fl=7pE>Hl zv@mR4h`5m+@DZ(m{|T1R3X7>b#E4x(+5q{Wi6wxVJ8-oYNa&#^>SsA8Mn+2^fCNAg zQMI(ww3LRW_RWZd1V-LMFb?0KQv~xxlo3E*cHRO*_yG&RSQFl8d2RtNNT_-~Qj(~O z3d2WW8Hv{Dr83D`N1_id5bC1l>%Km-wt`h`X6nHPgu!0w!;VN_z-V9u^1dx^k8z|*O?Xi_^>4&(Hw7!6ZatSbDz1NV`j6e_d$R7wn5c|D@z4q(amTe6| zytLFEK%nTt#%OVK+GGMvTzI@Qy`YI+RopSjHby>2XV~N=x%`!B!1@jXDClV>pazz>`~lywPi5R5j_&j%??^co0`5eQS* zn#e$-2^aDqe~Y4wG1{`$;64Bq&<1x9aWNbLLim9=_<@r?aTU;7ar5B1l4mo3?tGJh zl;amI83~PHi78qNdtRtJ8Z}B`x*!evmDf|10>X%U zQZG42^;EAD(1`*$MS%?X0~8nnIi2;xiGp4jf?1b!6i9?`Y4u%~Q+bR_jb=j-zN;T_ z)?|nSDhC}xSi_C&F?s%mw7#;a!vh&eibYZiPOo1vvENjD29=kNt z`w4>{;0t&_0X^;HRzLv?5C;|QfgxaO9f*SA2m^?|%~xk^iLg0H6XS6sI%D)&LXfLL zFk?#@f&HtiyPWe@fNmIn*|-1IpC^L~0q^IQ002KuhtiR-)KmA9Pj&lgb$o|+K#+tm zu*g6V2P4n{K!|k|*d0JXfeKiMc<%wp?c{nN_K1j9)pgVyJF-iIZ%ZKrd627SwUlI_ zE2E#-SFZE~j@ee@$vzy1cR*5~{^w*Fh#D5W{K;9@$QYDYdpK93f?aA9fCosBgfqbH zR_KKuU}_`ic}OsVRycw&5P&df1(}yqoxjX(2IJ7}LJ zy?Ozl_DsjXJ@k55TD=J12Jha_O>~KC1D@1C!nJ38*=~CwFj2d21tVa9!EXgg0E9qj zg+CYrNoWNI@cmv`$B6$71m7otF!*FCCHB!9y>h!WMxPgkr>p1O0u5NZ`hy+_ghT*@SrZ0(nEgNi1QGxU z6o62`YbC@WAR|%!^Z?YORf}Hh1W>GK5dg-F8aHx0Q02e@7I8iv;8(@uNRS6CY_TYS zkjev!RA~DF5+zQOabj}p>C>fv7F@XCxqyeuIHWShjm!7UUp@yZ0BpDephUhq>9{%V z+Vxq!unsmr1?v^8KT|%}vTf`3E!?-R6 z(n&E@A)!nvj9>^Matx=ENED((Qb`wrR2)#PaB;y<<0O~VQg}QdT@ji{ zPHnJVKK_7b)_CAeH6M~mD!C++O*;7`lu-(nS_aFs(1I|%pwI#uXk2Lo5nf&yNDDGB zuw@H@koo^*gAP)3SBb8jG?H$;2^W(hHrN0hg&*ohXN4fqd7@p3K_JvoMd8sL9^=T+ 
zsC3-{V2WBBgtY`lJ%T45Se=STos^-9Ix4B9ntCd#OQr?^A7dPm0R`*)k-@BEz{}aGK=W zofy{1CqE6780Um?>ULoj7v5PdP+la(g$yh%>Ksyy_E=sCP&rWPSz!rTWRPGLQZLOl z+kAL4&NN*Ip&#bUh~_X|Ew^D5{gLTZ#acyVn`99zOd6M$tJj= zJq%?vi!P2_RM!A35xJ+GmX+1Gn+rcY@x>d@p6AIYyqer21}7-=e&^Pjh$#UIXv9&| z#q&4cKvFgBSG(BM21Pux>C5YS+Q#wiyZ=7?@wcTs{fXV>^s^7M&bqXyM<}T4kQEcA z$wYf|`56RS@s8Qeu3HTZlH_^^v+sOEeipnS1~Ztp`f;!#aEj2~bRsvsDeX=l(U@$S z*BS%LrETAU03^!9z!fcODBy}<0Sw%jM>xu{kAD0kAmjMPyI=zb*zmwTJYYy{B+`%`P(UFMd5=gsvXR(0q#-To zNJSnJ8wyCIBJbixIPx)&f|Mg1?a_c6aDyABXypy+(SRj@4T5G_hCS>d0ygrpm%jX^ z=CFaeuf=v!3?6CqDD3&wcWi%Rm9n&@E`2FX wV=B{`(zK>Fy(vy}s?(kFw5L87{V7m`D%7D8wWvltDpHfG)TJ_&rvU)~J8Z6qn*aa+ 
diff --git a/screenshots/architecture-for-github-thumbnail.jpg b/screenshots/architecture-for-github-thumbnail.jpg deleted file mode 100644 index 7de3b545e7795db6bd01c16aedca43505abad072..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 141685 zcmeFZcUY5Mmo6SeM5I|jIw(aH1VlhOc`XnSffuB=2uK%@-ieBUQl(3mUPGjW&?8-> zcL=?ANT>lqavs0=&iv+k=XcF~Gyj}(u4@uD$(8c#XYI9~wb#1uwL%&v&4I2yS5i>| zk&%&sUIBLyX%h4lM1JAI??2#n5%{CHOhIw+BE=O-%1f7NuF%j>U!kU^rMrHWmhKuI zHTBh-SFhb*U}R*Zp=V;g$-sP_fsx_&LCDB~?_8vyqM)E+prxi|_%Gi`KS0+mU+AX* zk&|(QE?grczeYxC1#y8uWE8;J{yyQq-^eZi=Xi8fLs?YUL?Or`CBfs3!cCrzjl%0w&>`2g!Om-= z@a7q(sp!2#5@@o3IM_@Af#*n|pWxy8Gva#^XwL?=2kF+<8$x5-z=zVXWf2kxrAY$O zyd;5MCK9zspfh(aj6QUgz;!}-nwSCW2NTukiOMITp{JhzRtoSx$akhnO(1~+NuXOK zkk8{b)Sm?Ug9JJe2cPh)2nepv{#!Zz zBI4f{Fz{Tp552}k0^JEAfq4De6#ZrYBFMj$@jN$(2x}sNzQ78-kI%_Tprw9bME%FQ z0#|-V_u;{N^#7wO*#CX1DwXVjmgj#a2uyTfVg@(kxWbb~ii!Qs@DF^p(3=@BZ%{a3S&*A4DjkEg?F8 z%1-i`br&kUhJ1MO+p(OMgQ7{|<>xtZw@PQ9Sq+#bF>OuaIBi-G!QBvXnXV)d zKOBu;=EC-HU5Bk11K0kh6Hyv6S^(>7JN`y&>4B|X&nJ?J?8&u<9{lCJvi~yq=?MJ^ zzVU!-+#7LzL7N2n!AFFA9WVtv9nAoapBU6fNUtJ+7UTZik-){0B=J&S?ArPQG^jmUc#P|$X+OYqu<#s3|b%sNC{wy;>2;p%a30unBfE`f+ApzvE zu~(LIT{~a047@< z)w)voeaLOf$RlhJv)`ywXW}WR6nZ4W<;Bw?G&g%0pAQ)l7QbC={E2TcKW&-9CBWV4 zq-^hShuN(-U2f3t8g_TVen?NZ z_nbc4Ke;4d8a@OjI{Lgw3pE|)-Y0Sy*|uoD*R?)h!F~Mn;8p7fD)!?)d^5_pb7i!@Y)4*Jv;^INQj3R*xujOpXt!@<^j_e&Ak8WqK56Ku+t`de4u zIj62Pesl_MyfE6xYe%F+Vbex4_~75a+CRd49DKva7_8Z;b2h#z-O-@EQRJIl%$BV6 zqq69U287?2molfpZUCJ$_2OspQUB_gS4$ktIKS5q>UeeQ&SD=+n?{v!eW$D+ zy1V7fF{MS$*jA;<{n#Izf}M7U1Pz#u%sDVMp|4rubhVLW6Y+*W@vxKq3>0>T%fH58R89>d5yQ z9cg6nG6jE{Aq&O)T9{PDT~zRIk9HQ@4WX(Q-r8a5m01<=J}|{d+D(%{mCP@*sDNC)tlF zpJN0&{I;;WFK0Ua&9bGx9bPC_5iPg+MoTcF|utf?S!p;d69L072m^M}m zSbRTNnwPe#&p6>S2%3Mf%BCb0${<2zmm$uyDwy#fr>Y|v|2qYTK>sH%{-^Tdk!C-O z-#XI5TaEqJ(a1jH=5HOvhG$o8okW~>TX1YX_u7(Ix%i5F zOwadTkBj#+j$cU*^-tKDL4VU!WZZ{rXDTxMNv6oSuE2p;wQ!xAgx>IqZN=j4)f?h7 zD=!V~m}*g7jMsYbkRG8v@-QZH^$riCDm9}3!qf8gq*J-dqrOL34Qwsw%k#LKg$u<- zu&YKrmp 
zV=|&EvH|uy!uMz@6aT>J6sSpF^X%v-85f_EYKa@=tOKE-Zgtj#dDG7&C~-If8};* z@rFvqA*<`X5B`i>yf>L}JP5V+l{J`zmwKHuuGg+MP4Z#gNubYiVhf-AR4ns?&9{_26DybF;w&*H?Rn_|2{cR0We~RmS*UMg`~+uDY83gY(|u zL7tcA+-^v{j(;)C3ct9`s+(voA`BpE<*!ZZtCsgBnxu4km0VNJGmycJrY~H2uy0+p zT#W0^Vh7Ls(;H+DEc~j`{waB2SX`XW#59xD8vCDJ)Yn#ohC$H077IY0&f%q zn`(NuUtEt5qqDL?em2W90w8dImIO~2{+kk0CA%SmLDhAwaP!HP1~^sSB&=cxVbOUP;gE9VJt%ajCI(6A5PgiW zd(`FZV0q{3JoFZBg;GFTOWteUxSYUI8`5I>U>M;virH*QyfCAx9p=-mLVo+0hR*d^ zWBv)8a#(vmoDmxAkJ8esD@TqNotoHqPcve?!1H|szVvH2rJD2XBaJQP1SrqX+11yQ zY$#f^Xa8X-S_OY^Uf%WbFft7MDcvz6FG$iAX8uABJ}o6oMIg)4vEb-}C!4+9i?dT% z8}tZIOF<@l-gS38< zz7^l{xD2~fB6KiqH)&cP!qCy4XXU0I zb-InU@G)((0YygZZ@;%_#y!bx6KrE&i%fjtXSZq|ByyO&#r5KI#+$DmGLxOp(fNkl82n!HdIn%R@ezXIh(?IAgPqxt}|WpJ&y5Skb7^I2_0Cgx*Ee zfD@jC-u-r=Ve&{CK(tc;SYwXknuQ8MZat3uNk*s)b88#rg(dV7rns#Hx@t5yAZ0e(qfpHufN(x^Q z>{(gPtGZIoU-cL76+9YJ6CYDb8#X1cJFDIR<5N*|^p)KTXzTvQyz{*?3)*Rl8$v8U!`4qI6 zHF=la^K!Th%25uXSk$n+Jbs+P=_T0$y)O59hQACq8e)-acR^a%tf6LaC+qf;@A^?M z-^oOG7Q6a6^rPp!*9}u0Ng!;b{zTdX69(y9foD?|Qd57dr(STzH2P-cj~5%NpXxWg z{u0M1Fv6bATn({&JyI)V5~D|;|5nd3ze`Jyz>V~UmDW3FLDxNqZV97Rk{66>JU?8h zwAjf=sq*nCG9@1t-@Qo?!Og@!LglRaM8XS&TJIH^-lvZExf9tP#GM zKPUZqCwEn=*!B4SR^^hXq0f%*qp|{<4BCJj8v%^vV{ZtLOYOz7r#kZ`lboDbzr5wj z=1Sy5OFoYD>uWmIsX`(qG1K;H4ZMrooTM8k4?3^{*#= zXwckBfftHvSZIee_;V^N7e&KNI)G2mmouMeXNQAg-tcSfNd5%%h%3Zg>WLFe$p^e(fbFz*Cqe0#tv=QeK%M$Me8k@PWw8umo{ z!G3r)zfECI-97Q`y{dFbK5+ok7F>gqS=m%;Kn)8SVi<22{wmMB?adY!ZP>_-`=|%4 zfQ3{>7qs{72K&X3_6Q#*CVN(;kOjrqmeS}V|97pwezfQQ zh*w(NzuDKbA=rAiC|=^;J%!-I@>8ks7ov<>i2}BFVht;I5jqx_1CFPP_z0|BSF@hs zcI12bI+L1w-A2sGpXwjW&dw?6Ag+6n(zzoNLe%qp&Axq?jqHznR?6VUIf<_8J*!5O zN>^5C2@vYTCF}#S1vhP9A#oA0hY=5+EvAp!4R(1M*8h9LuZ z){<8P6?%UqoA<05D_?Fd`1oPq_}2%BT;$>>JQKoJ#vdcG3z^zKPFhRZ* z^()YMY4JPaR#sw}uBR{HP0gE{%TsqY40k%;?D`4`pH>V9T)?ALu*9;Gbj z%8D~HmTS^$8sD1aP8U%U!+7DYXLu3o1$o2WwpwA7tGgv%T6{vZ^J;z2_s4$zy@A8- zt7A7|bC;vh@ibM*zwwxxmAuix&I9z&eH$FZ(^G3ucw`;P!ZA!UYzxa(s3l`ew z`rB)vW`KyW?|x)h>PEY6+{w-s@}&`2ZD1RE)2&BO8+O%>3tKMk@KVt}q$Us&W#XNh 
z>6cX^HTmW89H(fT7o0)&dz3)g=Bw`rD%A;T(;1Zj=vPg}yKuV2MFg6I7y z!0m8e;uzfS6hvglIfdTeIaKp~F}SLFc~O5iW<4pf`^yfewy9)!DtmPfZ!qYchDQ5pRPiLeD?J3lc*_ z02X!@4$!dCHY89G^&H}qy&g;g1t95(ilrIbSHN9h0uz|{>;!G5ut@@4h&ss-7=Y@) znuD-<=X9n3Z;3VpfJ5#966gw36ZAmZ3r0M*<06DXj)J(BGlAV``<=|nDi1tn2i-oUI&)4g}z|Y42ycRvaifOc|4cR)r4oTfM7c7e8 zPQNXwekv=Qm+ZSW=qqk5^*p5#-5nZww>0pm$SpX%Jfg54QGIaJqP|Y<5@d5L{9XB|fWm!U8FqG5_$tByJOVkuzev<-D4a2p$Tq zq=Ib(9N~Io|J6}+tTP^Z!s_80+l}b*S1HH}Rs7d9&r4%F0$_E!UI3eaEA;e^&#~QK zLyPJ6B#?JV;ocNL%y1iP;58!GvO>>>PQ>qKg@XS1QROExUsJDE0I!7DZ1k-E!91+j zI7$53C|Zk(^zs9js?mgU@J78zijNEbaM|=R$A$*pVwMfok3x_@b44)Xo%+?JSFsfc zdIA+JY2eUj_9t=0?_ALzpqOcV7oART9+E%=Mhz0E70~owUKu0~{vd(+@US^mLd(V> zI{Li(&I3<&1v>AG?uaY!2$6OfVu+oC+qSFL_bT34TKH6S zCVwF&=Spvm_ehk8XtOE{WTK59e%P39o0n`~a{&HG5X;6}FC<10?qzmoZ`VFHGV zT7QSFW_u@L*3Y5IQF> zXzRQl1#`o^aazeudC|@o5b!GLhg`bz)S#_lZ)T>6f4*8{&CrfV+&zcvCQ|!TJ%iWu(QFpuq$cqQZWbTg*&e^ zXy_y#T%?o7FGjkK5&P5WN9&yzgl@EQat-ac!v)SXK65Ahx)XPgremdJn%S)L$L5;- z50(2W{Jf)$iHjVtr^rVb$C^Uhqot)5drw|vjZ%j9I$Je{Z)I}h&sgI&=P+7P5+|i6 zHE@sVU4Nz}f2M+mHtF~9((}GaJpR^dY^Bl6lCg1rGGqWIKFfoFx4`o4W^UnQE#}n( z9v%r+=(xov5irFR5vjtrx=nc zprmLk;AlMKAx~qfC-=P7Q1v)9Lm0X*AJ!~p?>WmvU~?|Q3y(G5t>|R+k9zLQ`*q9Q zwQl#?x&6}?7(L;S*-Abl>QR!rSvJPblPLx|tu*k&dQ zvCp__mw3Yvopdo~=2y=R3%0m~6OHPe;d-Y9A-my8J62*L%yHVRratBwI8c;PIIh;C z?Bibjip#HhvuNikiCbE$qo+c#@<##&}4##(RA+( zL}PsuvJK>#oQ)TNO^6-(Q!mPRTFu*;_xO6J+#W|CZ@9tN(-@!RvO;^q$nQdJ=jS6> z)MEzj6|2~;#{+u2bG}y!hL)Gd?9-V2%C!{`yU>Y!Xipca`&470qg9O`aNeKm<-KNZ zhUkuE4|4mOJn=>81oHjh{FC_&d+HLWPv}Y`I}}P#!h7N#_UN17!~TpG3Fv)56DTbU zshYB=()L7L847Wxr-_5P%2V<{;`DH)m%S~pNVx#)RlZ`FqJ=* zJoA(dG4TFpfwmBvP_K+PgRL2(6ndsquX|^#PWW}nOjxH;&2}SIzk~=mff4`S88P0M zBSdhXoP>Aa z!ewv!)RCW&wiH<~K0Y;J1f4dTn0}?<#L!*V6PYs1F1e_)HL1R zC*7{z34C#V)@FC=fCT#J(-%&V{nq`)@BWM+HZSw7MRnN&?_Yx;$+zF)7M1P{j{TFLXmkxPDx^tCEncV=;%bu_3(-{^MEahKzLs{j zcEMdb-R6-{+Su{k{46YN6|=CQG`07uEh(yyKgKRzvaj3i4jKL_2cKnV@FG0 z6VK;c!J&8IQEz`o6@tyMH%=#a46VhJtJ=;Q4odOCm2UxOMb z+}orj@@zf7o7H%kSpK&dXA;emB@PZNA?9T4yT&emtl4+j 
zPc<@aRII_s{LBg_IZ!u~(@NH07=zn9C%O`;asJZ>a&ik*+>tE)hQ<{xq3WGGgB#vJ z@g9+72A|&%i?=cu(})?#WAeNoG|CwMr6)Xm|NXFgK0yO-&)5;5V8UJox@@#DK4rg{2bDtx)4R%1}6^G zx^K^szZf|9bV!}VZmE6SzXk|lUY#?H$sh#x<>C13mGxERvW{LtTn*pOq<5PlT7J1} zPcCY~>Bo8i2R?vSOUOjRo$12pp48kPvFF|&O)4|4WBne7x!8~&HT4$QJ=k?4yLFC* zq>rrjk7Gr{U%xx6jZS}bgm^i?gWYZA5a|fu8mc$0J>RMBD{Oh=w(ii_$Nfc#1@HLG zBAi`hw7N&6RWJPto@?I0aGbHW498aUw0-Vc%k3kcTjw@9cNXn816uNvELIoZYR0yJ>4od5a-m+e@>kAUoWsJx_=a*b`nbeKRUskAqD~FA$5~ofUn-!=={A?HWE9GU#j#jMbS2>EW zLhE~d$xekzI}TEQszU&|o%O3yOaEuW*^jfvfb9ma9-s8+>~Syf;tJZ% zTGfW2me(nq<~-on$t-qPUaUqx>W7{@wql+!exzq7aA6lTqv&Z%Q=aC$ldo_2>W9Ex z3M zJlnD#S5(*7Yis5;^mS8p+?`mpm6vrd=A^=l=HQQ8S$onG7nWmR41J4q+P*oICf76Z z6Tsk&U+t&c*I<#O*=A>QwnDi88`TEjigwTQe(g0O81)|doiTlZkb}2ZO)lBY&`I@Wu&y=-3Ub=2EWHueT>8E(65JBG_z|^0GyD|eQ^-ghY z%bUG>mr~XXar<`iimnk)fB6YiwUHavB+ZW)g6%-eEa$ zeNSWqvpUv4_V->8^u)s~E%MrYd0>u{YvmBJtecz6MAgcE4_}zOV&eME12bV*uA}Udh zTl>`LAQ^=at`Pn)KZEml+Y;LhCj)easgqD-x8lb)>C9oYOE?eeb5luf|q|&G4**`rBA6)G}K!9vfx2VJ91-JGr@|MPPqTYmt z9fgrVQBX42IGxDSy>_ic!Ihcwh_~YJzZCh`}dy}eK| z{FBcr_Z0#u_uxe;g^D6#~6)o(F6QW}NK2S1ByHJZ98u)pkQcyN}bf%(S94al5m!-iSRl`^d#_n5V` zzxYcppcR2*Dwg7uHKbXp$Fdvp9`UO^C~Q`#H3hVBz2 zO7OSqHRkP;rgiy0J{Owo7FbfQi+?*A)e{M1YbDalKXY;sU04$6gI9)0t188n1Khn{ zT^GF%wgy$%?zP0jBcJRq*u^&UowN+-pB7CpJG#{i9I`Uua=L zKk4S{&u1Ca(Z>VIu4t)$9l0p46@dlD%M_pe!6}v3rkvk*(m0@BIwUl)apu)t_uRWPh%&=qJGMEl#~t zh@bqJ&l)d(9^*iWN?M?C_q$1ZUkv#?CY<|BS{Ay5*cVuXQTplOOvOhDmZeh@kDbqc zIxtusaelnx@$G>5PNf8RB0%kqsQbLrb(6^rQNN!k-dh%H9HOW_iQUR1@hju;>G zO4Cm1eYf>lNh?(vv>iJ_tu?6C|H7Zn;f$eCMCvuzHRPt6hGx1AC$nFos@AujUhT45 z2TK78BP;3h_}lK--YI->lVRGFkhxsvH;?Z3u3h)YSD-rb#dY<{<{T}5K8IrMIU%#(Wlzges$V6o;R=Qreik^c@f z+yS76`j+7nN1&iRT9}`}-{GdI=)X=#{taaPvx9LB3KT{z$%~xDuOk2Tc^ugmS7m;9 zX}#cLF}k7%m9)I-dG7KY2S9el$@zr6NTB=(vrmK+qPH`Mq0diF>!(oX?IC!c6Q1mA z1lv<|_kqaYKN=Or zv0k&(ggW$z87rIACKJ~1M!%`jX7CYn1(1|3wy8wvtAiuR=WE^lNuTUDp#MYC*5 zvPu5S^c)&~Iwa6dKR%q(hx>{<6c$o zo))P1eV&dCi<`^n=Yto?Q{_kEnd+)r(fc@v-~cWI96hpuo= 
zJZ3_cQ}IpL4GjzcDDp`ch!3s6Xs3r%{0s$UPdJ_Dxq@cy;YR9X*OKK>Rk$>`sM}|; zHJ0%U{y{2E*p#+0Q{I%vQBSKKbQ!LzPzf+F(dBR?Jqj zSbfg(Q-yDW&9Xt=pijQD)N>xvrm8_lYoUsJ(9kgGZvVP6W`Rm2d0Ox7pEc5xA#&s$ zue>P=do^7@zwNNtoX-!-WJY?#y*a6jFP(j;@oZKo(LQyw5Q}It6#4WLOp`s^i*LRR&KYdppeyu|e(Y{OXWi{KH&ND1jZ*&BAK#m@HLvP-l*JWk=_l}EL!GGTsk9O5_dHm!7&uHKkqR?TT3Fu!gSF!Ri%0=>1rk` zL0HLlBHy3`QeO6%#S46s3ZlxWIom+Gwa>yU@1yhz+TG4Zt9?h4)4LOlYQN5bdgq;S6biE zEwdBy>flT*rx3zj7^`Uq1^m3Nv?$te!|Bb^j+x5)?R8`zpH6uIm~wgI3S7Jv92QdAQ5mQ%&paPdVlGljb*7F?G$tp5+zC7MI`% zZ+W6G*PQ{=a~zurb_6J4Z+O1303*lXKMZR7@?mp-5sx1JcqsE$e=ataGifmy%et1Y z;O@(%_^!RgT~dOHP1gQ+ecH|=oe3|!NY83}uW$_mp1g08bQ4j<*auYZ1MBjF#^6izUe$aIM7k8B zfi+Dm_2a;DBjHHoN-lz0`tb7nW9f)=#dgALTsV2hglN>1=_g`wtaYJ4 zD^q44UWoo`R%7`vfp4zM#OTj{2?i`@;X~o(S%co6EWEjU^6p~v9$n7?+)i3aGE_dixr#f8Qcm1E*M0ER-J`al&ct|s_J)^{ z4mP0V)Um>nFJj}a1=|;w{LG8jFCSBul@uLU2QbX8Wn6>b3T1<`t?$`dZL}}yr^U=* z*a`5vs{%Fi5Xu0rrZxa-<)j&MBJj@(sZT0m&yUKSi-l67@wz4ni8h{G_aBg7+y>G~ z@0IeSO~t7_v-H80T*_Tnp^=z|45gi_P1J(lrU@d1NQ3WdlX-6EV-+NRB>XU@vaF-t zr@(_Eq?&Pu75%|&bM_LxeO7zGkHgwKZ$kVC=jGqofV9;5p+0``fc-!YXN(S!dpsW% z?jsWHCs{ZP#XGg08mrppPaC;jECF44EAxl}=9wOW$)A)KY;)L`&QI5Ys|>d^{}P$; zSSd#iRT?^YR!wer1E<2)vp`Snm942-6{ywkQIC23|_;QaI+;9-7 z3csO+9KLU5@7ra2Q$P3VukX^Az9Tdywc-`l4j5$q%}7)*!;AjL&@>|WEttrKIe zY1h-3kZa4#p>{dWf2thEgq`FK$;*W9bKz}a!LtXVKx7xu2P7ETL{{iL>YN64!ULc~ z?Hd8bP@+G&CIx8UwuBxq0f`BD)Jb}p-m6h0o5`a^^GnX=LY1F|ML zy6o==pv^Ei5f5M!Pq~Q7QzQ_s7CfIz1nA-pAi0tR6C4vq>;c9Xbu6kX^NSB>UWh&m z0I&EgkJc2-j2r1sL8mn=?K8MB21(gr@*ag!&}MkwqR3SfmACu$wQ&g7%c!)Ry6Et- z@Od`=6;ln$NHwnxf;hUx>697h?p6Y_sfdBUEQMQRq0w(qfcgmgC4`@v2!W1k#iuv1 z7;2Lk=9zD5tZ#Dnwly+7`|af>vbey(3}=L$UIN%6Kz(Nzc+Q@u+)I0bke` zDv=P={IqzMMf`BmYSz|ol7{S4Z@}YsG8VaByZ_m2#KOPXe&TsqtUOK}jg@krE!<9= zQNSq_+6uu}KONfF87NKMPCwOya0aQq8gqOb$YbJ}^`@~G36z#OVN2(&1Rjk!BrwM*V_Jx$N` zET~j1e^i&2d$%#rS&Cs=)o|GTy`#wP4kD=bawe0Qc)B57XbnI4xLypbMU?>bQe{Q~ zg(HqI{502JrqWaw^hZ_j-m`G>VF%h!$D~Cem?F~NLDqPF3B`0(UFItx%TBF{Pf_Z-!b1uCCG}t zW1ND9PL?c~XVa#oHU~4S#*ng7PUfg#$GK3v`8rQpyd$NYGTBLOdd-IYPxOE6Ke9LC 
z(Z99Cg*lOcA0|Wb>@p5xnFrRN6>jO9_=#YTKe`n-X5TEAA0eQw6!CpsCG&`lXN%&e zeBbs~Vg>vcrT;s7i=?af$Rn;O(hS{cX=_gxNQa|#J3Mwy)6*2aqyA!?e|4qqP#pvb zq%b?x8@1hCO#HA8fEz%JDmGMr05+1pIH?sm=QBeu3zeZMuQw{C8#JP9avC(3{q?`o zIImGEWEDxtJxhz@nzAtZR36GOtz!OdaGQ6w^UlN)K)0-9(yq2CbAJw$FHNC&7^Nh_ zvq(H~Cv3JBtyGkl-~)B*h7l|FVO@o+2Cp4UT37duwzW5R?!G({&(AkhD+=P13(SeJ_*za zOY?`$fls(+_(`DBn;EAM#(uFT5@3DA6QcXdJS^f93B*bQ4c>Co!QVTDZFj=~b~DHI zUrN3Hxjr2(^MDTU-U}r7j7AmUOJ5;85LAD~=AaY+i{+hBcy0-xe|vl_u#W)uIS*E@h^zg>xEK~D zfnPo!1dHj7# zV7|9w@vEgJ(K*ZaEq7Ud@W>1P40zxth?A2{-VHmneG`-uyMw7n@XrZSB#FO3m0XD~jLuli37mUDH@br3hb?z^P>Ly#*I4z@x3;vWn?3*`LJyU=za`=d& zYe$4*TYP+&;cwn+8zpKs(@8y^IweZLC4cm|b_59cTeP3nJJ_OKY^&(HiyE?N{XY>PMZlIde>$E=0iq_V28Md_WN>z&byF8KN%vZj>BGVd+HAPev3#9e+Kdisf z^;Y|>?QAq(z&QzY73f4KAHMR}V!z)thgFh5&7l~v^mtQB891$qF+vSAJff%v9J~h%M-UdTRDxp;Ao7O-om9a zEJ|m@!L768kosQIw`x?{vm=y1PJtu+tqa1 zm?u?uxI_w6o?DuK`6R@3R%$!6jHyG&Vmr~rc%7B@JiZyiJS1GXY_I>(d!mf&qJ^tF zKis8}wskBn_qar5fx}mGgfGH8W^X|?I6~&06+iiU@)(Y?l@`*P&eUJY_SHeF52CBj z$zaCg*zOtA%9-}A)I79NCqH@=dyv7mh;>-bMgK4A-aD-6ZS59~q9Pz7N=Jwaic&?I z0um7c0RaUiG>M8x6A#OI?OnU-h3%ypDW$rvNC9S0FJq1xH`R~as12FlhJft z`E_)H7HvuD^ZIsYa5+k{RPk1&+T>SR`%8u-2?VXYhRBpRJ%ZWOJR9qw*B=|v0v z(!McyRz0yp3Zl~C0`E!NU-P;X?6CNq5j zJOpw)7-My?=wi6xE5G2(qh_*OE3HLa`eq&yw%+OEAz336gB_&u*dM~dHXY2L7VUfU zKsCOED!#^c0JTb#fwp_DOYsor9;<6c$+Dg^YBc_NBz}8Q~h0MihJb5I1|^7Nv7K` z@Oy#C>l8z>7b7FF;CS%W_Y(H3R`1R->KYhz(MEimKUg525w8w}iYwnbTke0iwAAcU zmxjA8k1$4B>xyu)bNFD>1-bvW`(uGnaN_kNtImt55`pnWVI({45@<5Tgskuw%#`R4F+_{zCa>6%284n$9;StQtBm%Nj2 z>rNWCh?v@y6SFy3tyq%asbKTby#VTdiLulxoulThd?Cw)FIgKtXPuT%nxBxDh^~Cl zK%~!flHpyy`|f)Twhl+4rH0Q%UDv^NRH=$SzdX4IkLXgr`zU4PhwJw`H8z9vd(~?j zS|(>{Zp?&;5k7S&t80nKykhlZwueWC=$4yU+y2rurTQ`{uN;Kgpy>zUR_9ZyWb14a zC((M1iRcFl7Ccp6-op~cqJQ98N0q5H%=^0H%P$Z?XW(DpbH#zT7t5QTqM{VKsjPBB zEI06dTuD}5-2H7-kf1Jz&W15<5C2k{OaT+@(a*GZ_(ebl%%SfB@*@EPDh%;x{L}!n zn45M2M#U~;sL`5K#TnA0Ut+eOkQf@s0!7&{5Do>?=zu9SN3|igfG&RnpM&1eg%VaG zhC=8;7&?4gpRVOqk5V5^X0NX&o{qOD%_Y(qi3Hhj2^byz-Jo(-Pp+Fg&`|tv3fRqVX 
z@SYz9)$1awDEQtk!cloh<%dkw`$@}5=D(By6adRUA3|B&Ohg2pRaqf_m{zXdudJJ4 zyVE~z*}R}C(d+y*@wWi;T=tk#p#)VdIN`tC*muTBR?dIde6T+@+%@P6S@`#$PDVJpO8PbU&Oz^!JS{F2KFQ~@2_s6A@%9= zX7yK(BF7PyPjfegVi^60aUTK7aVPr#W3ZnPy51;o2HTW2c`XjAmXp?eL7i)M%V!Vn z#4fi*?F%9fW;Lsr8x#yj7s4K0uY|k`pg9`&ggL@~`Gj>$u%QXsu=(s(=HHQz&dbP0+br*bmAvufJL9iV?W3G4>iT+GkjA6 zIt;yZOi`4|L4%RzjX+r4eFY@WKkWY>e%J~D1qgJm7+Szt5C~s{|I)es8Mpa0qpLf6 z=|xlM-Q!dEU-co+Fb2O8>zoT1&T26?;?eaRgi))HJ<2^kS))??mKN-cxzZv_p#vYg z*2haT?{vp0duSe2U^?Q)7??|F8Q6r^;Cx_b$`Uh%7x#Q?!rrnt*gE=MPEmc4qjWFf zeBOwYk-LWI1r5<}pj7DQhZNu+3&3L`em33~L*fbfHJ1D??65?CyVL_)mFA`gC0Bj= zMN_Mo1;b`_0N`aJj&a;Uc%#q#zrm~ry@3nNE}IU0&TH-Oe?mL}RR3pa0KA6&2ptk* ze?mTg{|PyO7Iu9E3xmOT!9^`1JN}_PuqaQbf5r2=J2TQ*M7FOV&U_>Jd|$||;;5+r z-|Gw!O)oCmU_Wlb$Rg!yC#E^zW#oJL*YkVUn#2ruwU_N3XXs236z!3Q$4&vo7q=qr z7Fq5xWiiYRiw#xZr|?pr6RuWu<{`z2vd2Wm6Ic#?Rt4IqkY`xIs^a9jX&s+;!eyUB z*E}<>=VgBP|0=tW^ABzx@Gc$786d%kFNf~10&mok?x&=U(KzUP7n%kJb{3m=59{MN z@C3P{?kk8doOIevEc^+1HbEaVlv=gpr&}LEkAlgf+;Gmi{Ezmjb}6_-#9)a6wZj{(@(N5c zd*aY#Bj0}*na(MSt(>L#gB>=3k81>d!a|7HIt8U(Ky#VeV1_3~K;BZP6Sg|8G1h%E z(S7~tPe^Wu%S0wegc7vgs{pRH!c(dIX_(sOvnSuF1p2zlBHFE2lfVeAOK_q$Uj^7$=OcDW4;+y8TcC@YE`RW`Q=zw=* z8z#O!ziGC&3A@``4Qrgv5+%3f1pAyTpnIp)NTC*%8##AN37w<>;y`_khHzP*NT2K0 zQ=JUE=dzKLZV*g@%oa7wcb70SeJ+luR#!GW{hlwRWTdUA>AUkfybhMY0^AsP-1;S@^N(kxP4}vOEwr4T^1r*@MK93Y8Q+G8e;7= z>fXR|CY4)>ZiAsUfnT)_FS_{aePQSV_GnJK;wUKSOc6AZSX@6g82#sOLOSr{LUd>! 
zru>;EH6#ZOPPrrv2)Js7ty8~7tG|92W+#R_>Duz3xgTVKYCYG!>6kTiDTeyiL5W^_ z2UJxq1qLUEXmwv#%KKGC%ke()clh z?4;V~SfVrn?{jK=Q~a4W`YB4k?MwK3BQPN%AF{nb%DCm5n|*WRIFe%-_QJBFuy;V@ zQ??tw-InI}yiO)jH_=VXCvAhS#e_;9_koJh4;FwpbC4pTkgcsc_5F7||Vy~=%O4LE*-orJa|W+NZ1%^XawsjKw5e-}8-4#C>e*$Zkp5PIog}-HVFg zEy=|OmXC}1bUN6M!u~NH@m2NRZ*XH4@~u{h@0^TXgT7V z%9H{V=NI^WWy0;6!&M}u{7M~UbQL*C**?Awq?mxtBP-tyI`>9~_xAG@BdaS{K!rwe zHBOe6n^WPyUF@wtHRM({lKc{=IRAOFuZgHv>>-C-FX??;__@bo%7fo5eMA@;8NfM% z`2&IYl+U?QRb?TmAw~#(rr~Zt2RA|q`a6wiz47LMN+JH*?|(Us_$wS|?13FYTRIq; zl9?Qc<;KKwVQDsucf$wty4IN#6muo&n$I*bF_dI7IG>Tf40(bBafV+sY5>in!bS!$D;MtmmaJd%JXsjbMF@HalyrL*@c3cZEA+`?_g?|% zP?o-3nqD2JV7SERop$k~hx_?!`!t0q%#cksvZu!y?@x$2988q>XJ}&O5{idDfiB@H zCyLd1yX`d4Os88m;U(qCT;V5`oi2%8Xz;B)gL4A_#Bv6@$Fbc>gE zti6v9hS4(_QRQw`u4U0jiTsR-ejgE!vN}b-jx-`0PDl8ml>3ySGpv%jBIZ4_L&Ewk zm6$4Fhpw)`(}4%zi`X?*=;}*~2J&$=ImVZwwv2=J{fHWQZ0Z>EJmtg@n>Q_{6VIG} zgWk69g4raAOqQ?tQ_hl$ft zfBOQB_(x3l7j3C;DMc97foI#2dZ8jjOI4AyRT!5fbVRs6Etz1k&AC|-ukC-fRzPU9 z*6XzA+2Xnc3wiJ(W+DwLiXHf;aPc3I=Ll_RiJAca%!ck1%GZ_9naY%bGAaY0j<7?y zbf)MO&nk_ck~Ql#V#%KGkHnlC7A(0Ycc@=G6s>I*FwZnO=M^lj(1PeHGWW@Wb#xK3 z(DVf$$8P_??vlBF)%cXr7m{)J3l#?<E! z&X0T*garvoYM%6yYsJ#9APm|mob(P0;RYNJEw66Mix?W-RBvatDzJh`gcL5kxeql!8^wB;^I{JRHEV0bSJT-tVX!F#?6kNm$asn@GGF2euM%= z!dPHHSY=bA)`;b8HSsjlIn}y)QalH?{?Uw&Z7rW*KPmaqA)VfVVS1fh?smx(A4)Z! 
zu&F-W#u@7TBpdqP~6+bUU z2Re|EcF*)&XPxdMq3H1{{Xh(x8|KaMtM9fU99*&4^W)3#h&j`tX4>w_Es}t~T`|eK zH2XV{*%}2ew+;S&U=<0xOX`!Pjgu>gV^YyUBIUo?l7x2-KYRR;KH!}I1tQx%Y0l1< zZuv}XP@5jN)aNVfW%nSx$)#0=O^u$=Ziie~qe zF-CAMa#6?5ziIS&boEJK!2~HzXvtjGU~4{Yy?#3TQOcawTB>OV=1Fq)UIL*V!9gEo zt(wL~p_iH1=n=`dmSBW8xtTQRFu^Gc5bSMZ{1$Rsoa_h?f226R@x;RN`II!e_3vtZ zdXCsG9J`$I;!5Y61g9Xmhy%<07VLc=z9Y3{&BRN^-W})~!A-@US7qH;;AMOdZ-E_0 zTO+~*4-h2rGxuSnK;pT~X@PSsx>~ClCh7horlP+AgFh@#XwoknzP zDxOiIai*15mJ>O`e9^wbSB%>Z1F-#oSDX4lV65HMP;Y>C z?gWwPQajhDr%0WQA&mh3J`)p<%VHY=6zNHJf9IEj1L>%77;iOV3dZ6orbV{S{bn^S z;H{IdE>g_gc{V0LSNGJuw*)n@qgO^EOegVA@C>!YL^@M(zUTGs8x{D6S!Zqpo|T+= zKl&wXQEMZjtF{155+z!qx)3~6p{(UQrHxoXf$WnEU%51Uwdd>i*sE_mWuhle?&KE1 z-GNg90a%??to$n1wawSjr}?=8?5K!J`{bEmMXJu|q^ZBVMG1Pz&wMPG^@AUi1ds5Mg|F2I(?>m9 zo01{4gdeG~)19?+J#B(FsLlT4}U^3Uzv@lvZKbA zQcI%n`(CG-jA?|MD1UuCn*S|yPW99(|4WF0yT5ilJgTM*{~ERrb&7hK7@L^gNh~%a zW(H_~m2&lcKJ-K;AgsD9{P|q8JrEe2vb;Q9^8>G_ES9NBQK0vuk5YLFA=47;z*~8m z*F+A%+KP-TG;Zu0eMi4`-7)g!z89fCgcV>Z+c7tO#HZ>1wftowu}7DbE2Zmf z4RW3Ji^}r7R^!HfVQf=E;5F4+V}T`YDR(zdvAuq3dV==e@yOHspt&ck{#^mrPVK>a zCs>qy50&yQP7HO~Zj3a)i|V-g>8XHUMAg=kX#%=#{ph(6f!x7nC0R>10Bel3pq>g& z^})S_IR8~7G?SL_ojWqzDyg~i^bT-pIuStj2r8;}QydI6jo}q*zu!t98^9*GckRIt zS30wvl$;dZ)YhVuqr*Wl?=-A5u9hZdKnR-%m8IOwmrGL49n)eyNV#?Pg%YtZ?h0eU zC9y`>lZa5G31;d&mqU3Ql7Tq~!r>M-jx%huXl5`m3WWQ>$4twjt+2M`e5h0hfw{0c zo_Rm37RBTS_!mq`U_DJ_s&@LnS_n)@b6#88#_g-)ujs%Vwz>w&G$O$3N+N=Crj3E&ycWFY>%9bW zF3BB`?9IRvfZ_?dkC*+{%v3M}8rTgz)R?L>!?wmv|IYWJOeW-N$n5T!nc0yl6csr% zGK^D`&s>w%LVIjmuOfxs?BVWR8KGOqaLxkbMa zn_bOMdQ-~6gc4Gl`n)~3&SFE?HrWl3c9M?kFh;3yU3Zx1pg#Kaq%yD>&vKXbQGLU3 zMzJ{8#o@9@+YI>-SMw9HMHi0T&U$c||E9=gWq927eJNkJ?%^dsa;Ply0hJ+zTEKT- zEMvHTFSGSYOsPY&S$g(n(^Qm9yU4qjg*7fq344kNHY$wh9)RQc)bDx|U-VclWAq#u zyUoNNF>)ZUF;G5=*ADwSP$fdVGCk04BfM z?Fr}fndm|Ec3&y6mejL=({@@jV#~tUNE>#0P}qK+$0viG-X;Ei*&SHW1hbSIG-x=Z z+}_F(WDs0B57s7h-Y!)oJ>)<=ym5U0Q3hh@eAUF8V-2!bJ?QMN4?ob7^*_m_d7moT zkf)|yf!Q>Tr_nc6w#0>NR<<@KI={zTbL8tpigc9jq0d_iI3dE{+C;zWi?Bq`H 
zW%N1F&yo-69_Mj%yC>tDEEXWfuRyuM-XwDu{RiIID6lE%i4-gHCP5JE!rIUu`@}kK zl^FNbbrL1FA^8)6NQ&8^Ml8O$T)D zf0q>#N63Y8BCV{5Cnl4tywX)Y3!7ay&PqNwKj(j8(xq9}@D)}=Prf9HS}Ml*=Hu$7 zsC0JQoQ9;rxR#;!?ry?yglFC6lv7Y((CSn1{AjKHZ9^4LoQtD|L{2);>|LfLgEGf~ zbkH&N>ibI*!-Fpm)=OHP(s_JgEup;!X=P2+`NBtvOf|DeU&FmSE#|=(E6{Rm|NG4r zOdDK*5Yd#dw!QOOSheh+d=TujaJvM)Q?$31-`hi__0~ z3kPj0D!YR`lAMHEkJ6_7R#&50i@!^z?kC(8Yt=zjV>o>={j$eclL}0Hu6hMB*3H8(@ zQ=zz>58fX~k7n4fOv|0ASoa4Ds$9KS{;P`m1xQEqq0^;aK7H&zg>U4+;(DB?uk|$g zi0@h_9WzMGxRJMvcwFR2)2%m|JeR4g?zU|+3r^IiiJ;A( zat*nJqPYc>&Wg4k-PvqUri489acNkpPX9zA|K+Fj-X-OE&gS^j&ao;Pr6>-BCvM?Z zxjwtGvFTFRkSd8+!o2va{0jv?Jr#5K!Rh-x2x8oq32wx4S&#5`JNMN)yZZ z1+4cvii3Ki2l+5VEn`U4hqWomin-14!$$9KAN6{Yy*TR)PK5I|<__zvmxa)I_Ch6v zSP@rVo4UC6E@{RpY9@|nSC-SN^Bot$ZBd++=r9Z+;M0@utEJZcH>}@ZxLuFYuT&`= zq8eB9=hNjpH4tngBV%^cO$br36eF3~r?Y-aMg@t0n61~bEAnzErm$Y~&Ey?TT9KJ9 zfAfG4*MwlQ=l;#S-P*zOJi4giv7^b0>B^e49Ha2K9r+)_G<~+^x1YRx-RGxqpW+mZ zn`E@isA87=$_nzi&L4-h@@rYka$4z;oE2?$L-Z5TP0|($f8<4?>rto5h37hS%jhAs=${a6Ip#Pzvp|k#@eKe!BNxl*2TJWHc+Ey^pWDhW9e(@m`M$yZ zg8a!%DMS%!3YdPM0o%qv5&By@PAMt}aPCLEfla1)OD0a*H}y~-x;doRr{5Q*YXwjG zv4gIEl+7FR1L)p;(Y0!Tn$@TV$yN7p++%V%-FDOrh*Nu6vAo@(@D-&1_ z1o5P49iQTuL}rz4O;BYNs2nHg!S@&FoCuoTM=TOT!&NJMTvn`EZy1>?`cxLR?5@wj zbw<{p?OL-4gm?|g<%uULllvy2tagH@fsv=L$IUKRGIb<(<=y^f=EtmUEv=|G_k z=B*)BC)$2fvc+GP&*~$@QNv6XXsCLyk*g>dUWeF_vzgeYu+c+JA$vP?W)S&^#N?m{ z`M@6P3FI;y(1rU|p})=9VMvESKDFx!PU0WQN!(U|9a$2$5MVcqF(lzZu>DsY-QllO z9%tAq@id>57!q%Ec<17siZ=|xTeAaLq!m%FJm7){7gYV}wd+a(&}+R;1;#UWW|vuhv|WSvL|ZJ)9CpMVrYaFhAyaHTqlvz3 z4et8ZZr0K!4`iCA&8&q29u~TcWU56PqxY-GdM-3tz<#r%i}h}we_9ek8O*nOx9cSC zzIr=G;HL8Cl4161{ECNoZri*GI66X*5%4d7u_a=u2HjP_af_yedjwcK6NKbJb36P~D}_5=$?8*&(i(D>`P&X8YiJfIxyHru!2?ke!$>Lr zDSEu`2j%ZWa&57z13TKwGVa9;&Ew+IU-tioFImzq!m3`;W7hV5K6ZV8oS)-xnN+1W zVC~l^fpntS$gc-0f^%Y&TqwS(w;oYdTb?K{_a6MiJ7 zk`tO%RQo0Jw#Cc_dGs^y=X@1*pu1d|!kjDWnVtp7p7p&*jcC|UMM&b8*d_d3v?KDHdg zB__vhuin}A@Tam&tp`@>*e3IKJ$041n(j3`UUx8vPvgpyQ%AM7uf7m~8x1y;U-Bt{tCP9*B8(};H?^ZAb0}KNK!74Jf9-yp6 
zWV@dj;$zP*bL6?gM~QgGDc+1!rLj}bgUssiym-J|43*!mj;kA%XnLE6>U1tJSsaLC ze-OD563-E9ph-B+bn*$Vx_ev6!Ct4h_i6fxp|QHSW7_-n&A1)O_wPIvUb605_^)s=@|RwVF^B$bV#9R;WWHBjy6{_- zeDt>~yLtc0K78MYxJq>gDubybv6P1VlTo$?^bJG4Sn02xr(S+PF_9^^b@q~Rl;`jj z_QzoXyvC2&7uAu?$DYx--w<+Hf-8%4e7 z({2_{JH3y}z5fFc&-jp^DSE1bd^3)XJb-=s(Bl4^56dccvcuJG9>GfmdmgYW$?*5R zIm`Oo?qlOc2){0Gs4#T6b=u?r`sr{4hr7&;&v&@)QOH+-) zmBk!Jr>D#mES+~}s*}d7=s_c(n<{CH^?aJI^Ho|?mtrfe@P-0;VmvAf445YTBP2ZT z;pq!jgX+9BQZ`uJFditGJ`vq!V=Uqa9pdx8~MI}l-+n;>;~%IPspEg?D%`I$%=_h5R3d!0C^S8UAW2H ze@_5RRKf!tB$Y*InUe8tx$S3XOxMbvXWM+_^v7`qNqnBU%wyP@`2|s2PK|}J0UEiP z9^Hy?Gy_9#UdX|Q@8bUUZ_*wgy?T^QXayngUbawlWtE;s%k&qzU{!p_oi+owgh$?7 zg@nhdURmj{zcH~#8Bf`}Kj?~(O%eBB|3*oTVF=xs&sj#Wz|{!!Y~L(h@$%b)v<#k^ z@-wn3k423%MFMD3yV8RvNd>3fSV|8c9Q(qKfA=mPXLQxrrFQ3Jx7>DHWVMrvQqx*R zWcs5#-S#?!>>S&eO)6h$blbc^jnVtH(Fm|6K2Bt;>U4k#6wN+07JxI~>8ZSRo zaKS2U#-3QaY&t@C-ta=AyqQ1R6B5iqOymxIe)u?2^I4JRlTP85@9}8&irsgX2N;?` zwXXj%_j4KUs?X0`IAY_2L=_o2RhMpfzaF*FYpr^9>?b5=M21a@HttEi;9@{WG+?cQ z2X^p&N@(&uDP)5E(vC|@ob>gL_2n6Fn#jqY21)ru!h)tO4)D z4_?7fchP%_c0_H;=f%kWdG6?+1?}B%H%SB5oZq=rY&r9aO)EsLa8u2D|H? 
zgBh8|6nnxLQ)FF_AlMu!aoPR1$8O!~%O{60uZC)_5m8eM#a)wQ* z06CA?y8i64-CNnrUxvm=AW$bnC1@3Q@%QtFS=sd zzdp-uW<1nnp~XXS7x<>U?^~WJ4U`xADSBErn>sa0*qfCT9NKUP`b&mNR~h7I`g`9N1Joam;O=u;=No+Z{XiAf)k}$FsOw zMbbBu1lbSiJVcHjI)CUI3`}xUmx)jsMbValsAHeEDi^I{?|WG$NpUe~)f|Mp2h!0sFc`^}B^zj~ULSy~ui| z2z{6^Ox{gjQDkg%(AL#AsTgRV4F3ty@6U8f*y!t(HMqdTzz`}45i0cr4(7$4{L>hCxLUEHZDm zeNtJLpR-(6rKM7@MXs2HF;Y+WAjNSfo%omIJYd6n?-Sk@nT=?=s@@BIt&~2fGiT<&$y#INE+PMZutexr+1I-S_^Xd%@Fkh@tW((lc7Q zTCsmqrPwA{=2S)O(nTf#N^( zv}DVbru2A2m&TQQZMUN=sQLD}`LSz5E=p$V`Jd-@=5ZRdPl+B4?H9q~^k;tg#QEMo z8MEQE=01WGwhg3z1hsifIcEzusb0X8-vk{j5(oQ$)p_FYUEv zdFN+(>Gpk2yXR(?%pdJ&whIb?k;#?HOrS2wkWFWdBE6u)ilIO7!MUQC1`n(|0bSq8 zLcLl{5eZOMN?+t6Gk?n%);zR|_RQjss3-^s)-#A*C1CGiQJLrQeL#K{R-xVHj5P7TqW1aXcaBGgq*MQfD> z8uT7f*xxZtYN<2HcUTZ+lbE~nLRIMUSM$x_)s=cTwm=p6!tN)8g75>TUbxSdMZ|*z z*t2P6E6QO)Ow;$;@?MYdJeB9ZJYOUU>@e2~+zzkFu@zfHdMtRp+`e)op;~V!nDGtU z=$g6YHsy26wrqp%36o)s8mofRy`dH>c?Df-mAeH)cQ1%_TJSu-Jdb+=X#|N<`WrCv6xIx!(Bi4)?75H!^Aw#{Q0hVne8xREmW|?n{}JDPP+NMlW(xQ zq|2r}BV%{z)|hFhakzN2%j{_c;^7yNUx$45^NaAqSViFXsysjWw3O2^uIO!T=v5W>zGy{~wGo}sNJ zW(NDMJeBX7Pt4t(ZF^l4N7l5J%jHRH=_AzRr|U259I7^&nc4|2NG&b-tp2&MC(33X zu_kYrD|A1v$`e}E_8{Wj_AY9v9SqJ)NC}@QsiPBS7Q>nk2KZvyM~w}mlq8s{YR)}EFJY9vx^CrHc@V4-JSiwlU9 z2e2{QJ!r>CRj{0cxhB~Uto*UL;Fkp5YuxLx1+zpRA|K-G@Slpkx6y#9QB2NGY?<%OvBKOr|?cEKkzLH{YgRQe}j`+sk+=PN>y1G8n^3uPAH z%$4EtK`G(hw9hx`?XvM|9NI_k9A3_Ea%uGbvpL2K)#_ zy>;gE`k$;<3K&TsbdRjuq1V9?d(ydceDig4z0Q}t-DZcM2YY+vl0+>|Jt=v-v|;G( za6cO;-nCU$0Yd*T9cyqWQY!I9s1V> zhW?jFy3J0MWHzodf!z0(GDVbst}kxms*qeorTZ?rKRS z^dlLq5u#bt!#eo6F15;Wl>OPomJcp<49PYOi%!GG2d0|W!YGzVgTy904^aCBm@2$} zjSEUO9~((;L5NG7X*;%?b@A-x$&>Gc4!Qu15*S8{BWPeM2O%lo_oy-E&2{MEViJmg zs83?JLDXCw$|RRJaLLz+wL9u;hhc>eQ0I`T;nEYOZg|2lqL`5emfr+6_TXYOvisPm zAV66K?1v_L3e?1LWCHjLN2fFsq)2MCc$D%YU64GNLDlO=`lP9+58Lkf#>I#~&oNJV zFCJxu?$+T_y2dp6iL>3)k`9zBDr82BVj^Pz+A0aAGmyvAYVF09m(`_m_^XOm^8wO2 zf*q+xoLgv=dNVFUd`+vCkEu1MB4T4Do+LdkkCLlX!nD z-d3M{F1(a5@+ItO_6+`rXC}pQ;rgY6pOXi3Azk}XPuDMRpVu^yA;8}#E9H<4jW9a> 
zB_lOL2IUS#Llf7&xAJa@eqlEiJV1UqtskIru9V33YP)KJZN;d02VQo9XOy8&Pci#P z=BXXd?fDomVO{U18m2X-BOj6xV0e-*eBrl#yU19QIJ(Zb7KXm*clP&RlGy$xUN z)W9~(FwGTaJ0-AxdAUXGYx25L)HySyn|-xUq739`A*kCPf-m5BskK0g44L~W?l3Lx zsndGumGGHH#lT_iWy^=BX!d^OZ{S{`WIPd}mRMiuI~NFg3G>$s*eaT7gcf=0v8AO} z)GT}N{ttV%4`RuppiUnQmTNDk?eT0AjoCv>r2gTjaThPz4BMnOyfl7xy-+N2Oc#my zCyNO9V4==BLIB?DOzr_h;D_<|u(cmBV*ZjF>=9w3MigdBD!zk1_hX{NtxIR!XgV%a z?yKgEF9hA@q6;PMK*@bsRJW-gGFV%G`h?I=$aJnfSmG1=5WTR9CY+^Pd!?)l2L!^B zGM2ebT_-lXJ3NB$a%alctG%XmpRd1B&0albf06f1_zVOx7T;oMpNnBl+zF{?3KYm1t zYe_)?9``)&cI|PC8=XQ`$2jk)o(=i}iAH?ar^-dtvh9gu*uXfLRrpI#P3^yP4cd+Q zmklN8dSfaeAydAAm=e4gAyB#!qTPyPAMFCzg8b7K9WYm064dA+BH$&Wii)GjYiPN* zw;8v<(D>&KP(nZK0Bo@c2?KfV6wndFfxuB6g4Ra=%LWid{`u(NPrIZ~Zyx=dw&_Buz^hvW;0jiGrjy%CS6NNe8V!A1K`;OYH~`eMM5*|JT3 zCCf^bswi3F`9hmJozADi<=T$#ixpuIen}n}Kog3pPXm)ZqaZNk^PtH&WWL}HX)jl4 zH%=|>ej}B7k!kG;6+vTf*WPH4KHN7{-~{Z?hrp(+Jk{s{`6qrt4uRQ%c#j~**+>i0 z-yH(<3)UF3y9uqqAVCYX5CUnerXutsfEt<30zElqifxatM4!q7nz9l8rT5OSqXyCc zn~zDZqUfz8xZ`I=Si+=km-gll+yb*rw^fW9lhs)*1C3{@&7ZMnQi6AE4DMcNO7JKo z@T{5_4#rPE&YN9-0Qf(bR~P;Q0_1;(1m79^#~A=|EHRDVo3aJ4f))8O8{JI(30cQ1 zAmHTx=ojVn88Pz+)`Z`BBfyDbMqwx}Vt=>9`8#LyJ9osHn?knx39)#>^;^9B_SGx~ z(cl%>l<^8?b8QdY3UjmhFCV}D7grR;0GfGiSpaPIRy3(%0xrP7&=fMeSWryo46pcQ z!IcjsNKKR=N(Wwy|P|Z zkLL?(MIF+>#-sn*J_CnL=rd|mc4{Qjp6JBs*Qd+qyoXZg-3qV9(ITl@a~hq!j~|I<^K=8@G5zNZ|&f9(#NcjG^# zApcyiUc)juK@Cj*33*;k`p4fdl>X$kj(bVN!e+e_=>VZDreQI;?XBoh8?+xRN>Lix zgvq7W{dM_(g1D)eG`_%w2&UmNHG%e$;nK9{^_LE59cz1$%TNnkW@Y!a-$8t=oCpBR z;UGwrwA5;tT%ez_!nCJDHFm$+bmGl3gzfz1s0=I5Bve}w=aq;KgG3sEjUk1~LiA`{ z9}bz)teXgd9VtNsDqQ*|dVe`tplhb*P`T}Kxz;j=cP1^@vsEQ3k2viM;esxk!J}kNHJVrT)hrh`LpV7b$I(6*UIHyc@})h>(gxkj%FgEp}zM& zqClj?Sgk;an--~;I%ZpGt{7WLJibzg;wQdtfBR&w&Pzh5qA;w0IbPoB-kYqa(k?yD zAK1R}iLL4fV-B4nTTu>tsayz&r1G&!~iZJ@=#!RWp?CzwaO*!O?we4i^ zB<$h3ADxffPV~7WDC=iGahPm*y@n{6ZRsSVes@ElI z9hxA$@21|L78`>#L66`B8z++<(b*IQxa;~!+?7|e-pSCy=X=$qpT$FQUJRDMJ$G4~ zDAB;=Et1BiiH!9T0caMmTFv1KKP6u&Q^G>vnxpmi$VcHfqUL>k<35>ZF+Zl5U6Ovz 
zYb-wuAzu%sz)9h>WO3X@q$61@2PyM?6$$%@wCH}C;n%5MVw^8aDPa*b)U zCZv5jDg9KT9d(}e4tWr`P0hd>1fWe~QxPvwoc(5c-P`|bK$-AJ3ikt6<#cF-%LwTf<%?OVp5G3oL}mb@B_yd@+r!BAF=5NXDxKIUoIEp-y>b zVjYT!J+^-0hfGp5rQLAs+A`zqiBHhiB{haKXcCwj6WdvCkc~)%2t@0YYpl-FIU~`+ z8|9yQ9|XrE3x9KD^1lY<0ZZaW38=NACln0^9cb@Cj9-T!Y}*Zsj|cmOef? zrlM6N0upi@=Lzp{9>#txC{?|mr^r0%Rhg^Z# zHhOzb0r~lavm3H2^=E`TPZDh6#}CwMzS| z*$F$>D~U%lGbb8~RDI5T)UkhJbkMju@9=>KtFrqxeL1(K)-Z&K`cFXhiwH$BS{@A} zP^Nuf7vyHB+8%!+e(rhU=!mE!2hYTT50g&KJYTl%>(H6-lY?{_a`co&BC)5FSm2); zX1BRE&S`Idc$%N@hD=Dglk}s=$J3WSpK@e;cAM?B4K`KTgd#!K9+`>_1YiTtnbKFy z>NahQl*(F8=zl4nyoYQFxRLlZKqp8zXvUx(a(VPc*4eU3r=gHqMG#RTc&Tax&4why z22-fNoSDv5M=*l3(un5)h6O&c6#*p@|0iPeOXR^k zvPjc#Qb+krzHLc9gBnpYaJqZ8DnL%c*%v1^l2k^7JlFmq{7|*!NB%>~NwQ{h!a{>S zGgXnCuMn*4G&ynwtCy7J=|WNIymynI`%L%jeQlH92nQlFHdGlMjUh;^x^HS0s#fse zcjP@nZk;Kf3ogH^{=Sl7c%%?{sHd+$l53Vp2N3c zSaI41+;zB!Fxs;ckoF6}-R{ND(9t`co7h|`-LJ2(n!hK=h~}fIj9i;8J4q3FqnUUx54e8}y_Y)qjN(pF~^TGo$kr;uoPQ=&36J z3K4^0Q@Q-~mwO`g6A1vd{y*fscUV)~zV{0jPyrDT=|lxZML_8S5|u?4u>n$}q7*3+ z6$lath=9}x2q-Ngy+(Q`(gmcK&;z0Ogc1S?S$C{+?%8|owa@$P^WOK|=Y8*U|L`H< zkvYelbIdV*<@@{m__1+zDKsTu7pnt*!w0*;nQP2&-zi#z|Ml<}{yKnK`)}x#F-|%) zkZ}O_Q@y}^moU+lhWp3E1F!cV&c2%-{QvultAhLEio5$u(zOeFyAO9Rd!6d!*-gEH zZ+87#_nqi_?WC8;o|KbdF~R-3Q)8Sv$DnvQ(X_q0f!`cLZGZ6n)LX~&i9O;ehcMCJ zS9(9&?mP=ZJC{u3{yMFUO;-IubWo!aLlLL}FUmR~ekR7wQZG&}w08TCSyN1&&%80g zni|DD@T|pFY?aX!tWn)ipzW%EZ3z7Hlc)w`rTv3jhIEO4o47Ff9!sD)EQjopIq8Q{ z5rKn}C{^0;IRp&a@9_zvwFYGcToY>&k{OJN4flDDUQBM}#&*OGsvK;Xhq4 zDB+Q+>qi&dn+JO*Jo7G|k6m#qFi(MEWY>lTv;F+<{aA%vzz?8`S?M3tfo$gcCDh_? 
z+Z$<@OD;@BnoG#+UknhVhV6Ol0G7{I=RYs2|Lr0l;3y@o`^v-k?f3BE3TQ6-?nU>( zvXABnl-9f5{CB!FJxS)}YEc`R?57N?U$I<4Qi7TGB#GKh@b@@Ktt|3B855RAx1Xv| zSgw2h)nb8b#46;aV)|&6sg=}h%H7w(%O&Lv#~q5%l!2aF9;*8!CQzM!XlZXCu%W}u z>y_7oCKpX77ccqQK?l3!U|s*}!{Vr2yP2YQS|(B(94DE#jRKoEhr2YXi%LzNUP>+a zE)fD{HP+Ypvg5ZR1O1nue%te@uyuGI?*{Gha~e7R(p`hBPiaOIyH=KSsSYNAcSDHB zbI3>O&!uLIUzA?G1k?e`&KSWQWt>D_B7@!M z{evd3T11$QBT^do-cw3do^>}J`q=u$*|L>K-u$?znlrPO_gy6P2UJK+f+of2kDDtZ zQH0j{=!y{g9`Ull^P1%Y@{1?MQ-6L))|Xwsb@Js&uEE+j-+Zq3Za{}q3~__fppmL1 z;$5ey2~A1I(^5&-6YJ<(&%(j)DGG8oef&VG4;iJh6=nS?B8OBjIdc2Q<=JXlw zw?#Pb4yd1ASOr_xkvj!~$z{F%GdItVHETX^fWPDwI#;lKvWVR3o8z+cLBrvfnwWgWt?5G zI!THgTRz2*>K*LmcxvFS@p;W4^K*8csKp`uXrwHCGT*!$Hd-~+(Gt9BJy5)U$|1%C zavWaGnTHse>+Dfjy<_ex+WzGU&q82}>MMa8($2Y1Ly z4bXtMEM??_#FhqN{<4mo4|9h!3=irXJZ+Y(eee+#T{_N{$NMt?aL@BVL2&-Mn{{rqOOk?)dJc8e_!IKOMZw2xg*HP2*Py zq;*O*X)tRND@t{5jN=P@^JTi6g!=F%;xHr2`TjY7{}tJGZoP9tsZNpa@=9I}5iEAz zGtME8ec%5~Hzmc^CtV|R`YRAlSlrBd!4N0M0>M|0!cF+;D~}pug>R4SDQ@H# zh{L-_d5ss6V_&~3D6oA}?sM499aGxky9RYc2SZMo=#iO7^TBFLuTzH2;t}e2;a)S1 zW5pr!jz=pM#d8Ykgx#>gc3(Mj00|5=QuPBYB^*?TI>tp(G$90HNDWB3R8kWl8$VFaWFF7gOzNFA8Q@h#pR8(plVlzC*C zYa+6X#9#gDOs+3t`f=swq0k+LhCizq|5H}#|4!8Ge-(vG15V1Z5}FkK%6=S}cP6O% za#9yv3^NKF!N7r_v9fZr8dI~Qtn%s zdH9GK;yQY$$mo7wv4vl%=AjZQZ8DQq0Tz#jRb^&XKRL7H$XuZuQTdRf^F| z6j!YhLVwCJ;%43w2W63Ewy;Fw@+hkM#*{X#(Kf-BcW**6a3fe*=~&iHnbL`}b?;iR zvnO2wQJZRdE?c6r+o&!igD^X0Tgq#T&BBQQ!q-<1z#Zpg1 zYp+e;)V#P`Q}%*!oofAdtN4cYP&ZK2%AlUpK14pM6}lWz8DL^~;>EKoYVSBlJb0-L zRhcZ`xce{eq1a=3tzg*;DDBy6HNqoNE_ZmvQm3TO@eN~Jx1r1z{)=?tP0ly}6a3`= zl}Yng_xsP^|KA4%@K#L14=>@kkd~=bhu?fGUQ{M5!w<+gStO;QpEGeAepR4!#ski2 zR&`A0`F{0tH=W$H*Uy&rnA!F3vC1VwcYc25e3yyE;imd=+YeD26QDFE8~W!jOjMR& z8UROwM5U4T?@Utbj3q!r{?oUwoIVbV@L|LCB?#r{0B(!mVg+(W$3Ze6JLPw#n4RC5 zTusvG7x&+R*YQzF9Wd|aY5JYTRVARugLX7peL}|_g@sqmIkzCKL+8p1`e)7Aj1zdr zQp9V_Z2F%i8_UMDrfh}~-RWT_3a$8sj3C_PXA~)7snF_=Bp^*4G<#vxjiXyu&laNo zJo446>dfD28DJp>blw5rpS64b&Qu9@qksHf+2@Z# zlu(z!EhLlq>Y)dhL@)MM8^DS29Ewnt4M;(}Ztt0$L=(>dw*HOd%xd`7hkx&LVJyF@ 
zK5qZkr2hX4111T6L+9xMRM(s>?H70LO5jfSOb{KNZ!McXt$wfzEhl-a!` zDh^zvj&%n5?d~4#POX&p4_o3+u)=j)1`l?{*TYj`D3Au}9G$!7Rk4Xz?vx9j1kd+R zlW6M4gXqiW1YaA!xN0~c?qsHC^!!|r+Gd3z^R!DdUw*b#Fe! zIA2-ppP_=R^eB$J`!%uvqj);rflQ(_(WH!jqsicd-e9Kw5(BWkYx2s2wB7pFT4o4{Cbt|7DVc z3HA?@{x0heg@P%_F25sg`75^KAKtKvG*q2bcod4Gn;Jj&Io_>ng`5$H6@(Xa|UB> zuN2UYna<8WyJF=%w=cAezhBed-*6zJAqa>u)nQu7yg_hAk|iho&f~;;WfvDTF0SRK zUQvI4m*sDQ*}w6c|J%^byeqH*96iy!-jF7+0^NFx564@R;6w=h5-ga(Mb4n0C|C+h z7Cg%80@i(pnm!to}2 zRljVSsdCJ3 zs_PG=BM6~VveDB@bTI;aIN!Kw>dDj?dY6w)e=@wGPDP)AKEe7 ztgXXU%DX$(B?u+7LRX+!O%VJT;z5(3X!efivsl5dpu7@(_GgN-T-q6<-yNeH;HR0i z`VxGO3;sEu{jWaP_EI^?)_3}GHmiJ7^FFl~%<1gZwC8#4nN|dX!TCf7;-j{zTZKzk zFK$$)wH?Vgt9ZFO5C_b~`xuN(IAgJ` zCG*4AdvM9~J*Qvt%bj}a{u(H?3iz6Ff{Y%FFuEQSY&Mrn7OV4?FR9iag>ZG^bFAgv z`t*4RvZBt9_xLh3KSVZE<}2HP6o4-xW^)?oSJ*)AXVHCv126xE)U@OKEbiuuJ(UAl z&gW@Fqx&-k;Q~YcOsl87nHl{A7RF&}lv)29_HB@RH&?ij`i>|+S z%4iYzbaApxclX9ba{Ou0v?;)P$_P=1&}Bh36NLBgcTHi?)ndYfu@grs%LU(vp2u;Y z4av-SPLrA`N(??-ahi04e};aIETm6n37RIHctp)H5QGMusf~7J<1G#!c!F_}&N-=9 z@NNF<4L<(SX2~(bX3pWw`Uw@%T*+7D8M0`mJS#wpp?DJ2MU0<0Eh`M9XuACz{vpZx zQ)~2NrqE+@SIF;7C%187I36|4X$%)Xv{a!g<+X}gvQEn6rEdpxk7Z}4h$mcVm55`S zUignxGx#a_58Q9bc69~h+g=7w%k#9+W(5rYQs;O3x0ekzb;U{t?2phQX115!9;Xs< z_Slg=eX5*;V$e5!SD1iKf<|JG=>cUAmw~GHOK%g7*K*Lfsj3ga6ZbQwh7lctO0;@w zpS*tMF5owO#8 zzW~|xvi_-V13)~1P{))CdrlT=i89P?E)%o@J-Kw98_wDvZG1skAvK26T)N{{>ZV>; z7o2G5ow!55C(q59`U_)O9|*yw-r;s-;=8wC!zL6|glz#C|KW*UsAJKhV%Wz~-?lNO z^yA08ITkUw_Pn<;nI0c!I$5%RG-kH=Rkcd8=G)r59ccLLU&}n0r?bJ0P|aS+!hM)A z?>jW#qXFm--n$mZYl z#AeL$VcvxtoGT%Esb<)! 
zC-^X}`zE}O+bg3$_bc8k2gWw+bRgqga}JmHxgH6&vi|}_NZ(o5>_6br|2P2>j&}pr+y$PXVKQQ&Can)$ntIS>vokqLYv*!Z-D4HDKDo!lj6;%p!fsdb z+?(>)&lipJ9>BSoNt+={i{4|~IXsdg%^{VQ&S?(0k8XNeyNHaZ)gL_@cZxk9bd)xV zqqpv(QO=-FT}rF|hn2;`NB#IP#l>5dDcq-sqA%sbO+t5CSa90aP~s}2NzkA)BW>x5 zrRkXTOoRpJ55J#c)vqn;w|#!`@FiTW#O-X@54`1@=^A=F8{>t-F4odi%PnR?wlS zDHB9I!&eEi(*YsnR2zWgZ9JMbSNjVjMiWSoedb~r+T1)Ki2aelx;6>jJ7@>n>FD~M zNi-juM}#g2!jRBiIp}lFU25$-L%SLEr-PuWMib{jHrJqKe-mbdYPbWsSNe?b?QgyY zCIaxZ{&IrtYVG}l`s;z9NJX>_vPt&pqNC64f1tDGEuczR->qY}b|067tX9oLykv3A zIJkWl_lS8+R>hL3TiTG_R8hC*H8_*HR^z3}yVN!JMm#GKD@du4@AN!;nK}hq| zPme$$Z#OOBq6_l}6QV3|!GK}69t7pA6-ER$O|Q z(K|s_v}fWa_l4iK;FI8_VEY9*J$tGoLd2k!Llbn~&rqs*dJ4AXJg@vdzp1 zuc{KKTMGB^a1WvkKmE>rinlm5ssVc39MlaL(=Mv<0sNTr=py;n5tbRWyvXcl+$9yR zEdR+($;kCA+r>0*Kemn1Yku?A_JcDND7|D3%Yg04{$fayvDAOzx}yquR-n z^zyEg%xj>6n!g%ke(6X9#?R5jL(8aPl>JuVuZ`+)Ou%X_HUI4n2Jd8b&klPQNILYd7|-jle?AZev-F4BT3y8juYHl%hw^Hqn_GPQJftgr zT$UDox9k?5NY0j)KuWp)xu8LvL=Cazw(lS^=yF4tZ}lk9#IO-z`ynbAMr14OgAvV> zb_>;dfEo*=>YYFvl3Hj&Bpq4HLJGw-_xt|2eCTr5JdWle-^(+q0Scyre)@OUqmL>>*@s zMrgQ8RPZnrO|#MsPfsmB z$LXJY0b%F!T@8yTwRp#W^S0`I{e83C`Z@<<7Pp!>eciadX{0%VWMgUGAj(%;UexcZ zqo#eV^2i;_MvfzH^-sRbUZ*O|6Asdiau9x$a*|CvQL8JsT5c+&i*u>Yx4q*~uj414 zo%a!HhE)~kt2Y~J`KUpe$g|Y>9IAQKhAH9|zVWTk0A23zr(5PjEPbkJeJqHsPdX!f zhc0f{G40I*-d%WX3SEurGR-0MTdYZ6wQcszbZz0Cvm^Q%XCD6=(q_N+@m&hjbU+>? 
z1X3JGKh03-qq9yK9-E-6N@RsN!D}vZ$nz>crlD zL0p%&->z-a`jFEk-j;R~`38uuc_vr+tQd`qQAY28(^gl}K6Zrxi_0I~aYRnr-e#ZA z#Io;Ks!JdYiApQ$xf)Zb6OWd`im})9&Qd@9*ZE*sTAT0L*+)}`w_L&%_B`8JSLkheQ$tue>vjIUZdSq{dNp3^VHmE2did|` z3GWF;*J(~47{`^Xz?1nS?weYGC-VOBYt+V#T0zuMQ95ez@*C!bKQwO06u>1xbUiF2 zyA`A&1>=oLE&l8Im$yakb8^+^zvGE@Ie1It`)5aXv^U2ahUz}{YftrI(sW}I4=Hy- z5+!UIA}MrqJ+f)~Q(~1so5~ttgJPB8COK<(oC+hJPbP&-Ct;`He67!?+F@Kv2Te%7 zPTe~Se=Kx+E%vs+wE8_UJBt$;c-8_c*=2GSJ_T9noe=7mAhoR`3$e-l?Yeon?PtZOk71+_bTLgJr%j7WPj^3z474#{xkh_f}-38 z$>AVT0sFofH4G=#1P0VfEltL(z|kO_Ds@^hd8m>>GDG#Z&Z-5lrLpeKZ%exPUa0JN!;YJ zfYT1ZG36xOF68#rSfKw*&!|zDPQcRq zGh41QGIK%2meF+q115(>RGCt62Gx_bQ59$sl#Ib3M&Os6Y`Pk+Sm;95)xIJ91h4Hf ztlYx26$a?f_Op>Dq%zIeCSw>Is*C~Qcd{)7R8R3Mqr2@YXJA`!sZ`h(%GPSqVPse` zh}s&%3J8HnjZA9X@*}F@eomNe{VB!nkuIhgqzqbKi|Avv=hFeR*EGEPqjhcHh^ zhPMiRApL^-mQN~lu$}88QPa_ZzTRro3{8wi?|NF9VrtiGhdEW}690fZo-9q)#t+`Z z@2GVRHZ^JDJcf1;{;j;@KZ;=-fZIEjDUaJbC2vS)1|_h6*v4N0U1s4C(2KDG=xII_ z4(v`0bXQhkCIi&=_!9rQ(8CIN5ga!`Vx_y_8)_0%qCE%lF&3~5-f9j4B1q_dv?u}O zoz+nr&xAjLgOSu8{B0y|P!2UnmYqsbhx@5UNgs#GzYYK>9{uz|D@bdgp!)&XHR%5s z&v89e7ggXNdu_WD_`D?y$a0O`OR~)o#eptd`2)gCOdb zDye%XHMP{q|KvT(006TB8fxCHj1>q?a@e~c!z;70J=z`uJxYDsxKvp<^bT*r6~O%D z1Jj+kYcmIKunI@qfT-H5TxZmHiNt)dew{g?^D>6=vA9sF=OMSlFkOar9O+4Z&()Dm zzeE-YxEUR}fnUki9=u<&?hQ0^?;;vVv8&#v_7fRGb|?;cRT~GFY?$fgy|m^DrPeB+ zVG+nL_4I1CCRizOS1e#tGFyBE2^=N+Tn`B5+Qw^$28pJJA zBr`~a)o5~i{pF0?)EwgH`UHQ>{YY1+(Z}!54_`T@fsmsFdxRh)^;!ql17|%?xLb-4 zhmiP~2A_LXOvz9$$pn|sl(#s;k~m1~O$0XGjoW3VSL+bLh|A$QMQ+ex*8Swc3c_d( z#e#&b4}<(5@Gyi!XfjNQwS(77!*X(@1{0-!Fkl^mobG1*S^OutGw*7W z$bMWi?(1S@EM44NdsHf=e51CZ%4VCRO#N}E9G;ixN{MY4h7$cr3jpltRK^H4qjhq( zU-^>w_Ip#q7xB1({8|H1H^n@?dw1dsX4?VT1vCfDf$SUy5Y7@=Mk_OJ&aq{`0Y`K4 zOn8O21PPZxsC6tAjiMXk1kZ2x-T z779#d?OzVG(=6b)RsY^}a6p#Pat1dC2gildT)lGOG#UDxh@0vn;W8AP{yb}VYbwjv zev~aCNKjr%euBF;>70OV!SE|4(0Ee8rRCg|hx(%pC4f7J05kLAQS9 zkCU`OcG$q+!AY9HNnW??*Mmj?u3mz_#cZm{X_0;fatH?-eWLmG<~GUbZQ+kTLo+N; 
zGkw6&3|IP0#E;VXb|FgGm0O_Op#^G867V=oV(G7_LLiD}P2*umphh7hRw#Oso)<@C7A$2Wl6{vsX(t2S77ZDMUrg*?dUU zaFrE!)%RMMXFR-Jw=vkh`I(v0LSvi)#i4MF4qjv51Z zsm!Fd<(zr=ooJv^vm@d#B-o610V9R9vwsjZvk5L6jWMCfbAV2b0njy&#Td;t+7AZD z0@wBl#~6p{+EseZRb-jl@44odmEonu0wxY$-nhEJ#ES=Ow@FB?=*Z}}!`|f>#UiDc zsNA5-o_i}cT4&6MCI`Gwf_;%OA+4y0_6P5kpC;<`B#LK9MP;etG`rl8A8-X1;Jb;y z?sVR8_a=s$9G_}1;a^DOp;T+P>qKR|9L4eTBz!nt77sz#OYvh3T=3L>}M z%ab(5KhI1Ly*c>(K<&DJA;LPlo##W?6i2KUC__L+kSvT6x|sEp9o6#gd)Bto3A>-x zq@`U|TP2coo!8dHFK_5H%|r}s=&D8PV*9c0C-{r@<50F-(qD5#I>JKZ@>2~DuL-!H z+(XA)-Qp!fSFA}`#wn9#bD{W5WQW+zgZC=NWOFAOvz!CFE#Cz90JwpR%*NmX+mDL7 z|LW|hE7oEy`r#%8@x23tSfOGt{YG9sw!4K<~6k) z?EBrI#=yH)JP*oF4F_Tr#@W7-8fj~I=Hg~rBlq!N8EQ1q_iuS%re9`Bzg|W*Tvzo_ zDBB*|WyfC4inSICHrv@WL@ig)?rFY)9s^-KVC}G=iC)V7;gl241Fv0aQ;w8d%RREg ze|}D4XAzLV&?_4Cy2u_YuD0 zq<0nWdiLFIapBa@A~&uba%~WPQ@8O#63Z5x<%bp4lvvjs+uUU55N>CC!1}@D{Qzbc zE5EJ1R1&sbn_+u+Je53d*7;5+-QQ0vOW+V!zhF}Bnf*xbO8~7$4V%I;*Vof-lSQ-O z={Mo3AEh#qjKZEh=;V9-t^p^J=jBP3YigN-G;;9OPe}C5_0IM`i({#-ICJ*h!(;dO zcL-H}32#nE^zGa(gVx)eyq=1=935qtHXhry?wx2j%f9*kH9LlHMU3x0cU5TY!zd>Y zUGeeCt%|@bq#H>(ir6q!g*!3Yke#!8Cl@`NiW#%NT42~u?w-VZ!ldY`q&a_A0NVi; zQ3aulLRni|JCyX5>8(OytnN zPnzs~PO_~>9gV5zS4ZQQmGu9y7{j;#?Y@qImce%iN z*S@Ry8pDm`!UTPsF>Xv!(?v%wo!{)1^Vl=IV7D3@6XHjvTY@*qr4>Q&oO zSdyXnMf>&hy9v>sR7<@vS|uvV8Huwc&-J-nm5rPyIuk7OiTM>~77_0&(jF9=Gh)3v zerFOWG2m&6^Y%q~O09)t>PYoSylS3!u%j2%%~L0Gt;6dJ3=QJ|Dp!snq(vWHCT(o& zMO=Dh>siZ=znC zNb0G*JmR+Ta>Z`hKjpFh8Cdu1t?z%J8~;Z?{|Wrc_m92BbUCbLpMq2rbC1M>TA{ZF?2SC##%wpNCC#F|1#Oe>k`ed)c!^*bEu;% ziy_R6{_L9%)DDDOf}qUBXf7)Uiuy&W>vOEtMf1e_guCCvmtN|Kt0k9RIrnhGlT)wg zE7FoGF{N*sS8OPVVAU>*vnh`eff^P1iboez42k(XntYaYN0Mv|Em4P`PL~W@({OW>KM^6B7z;53WV@#%fSYNZR$QZ%33u>CCC|iz9OjLrXDN z_P<#V>ME9xwNwem(T%|^e7u&Adrn)<%6GP*YP-0|6-RbR+B>c_&J^*qiYG)mlm|`& zlP3gm|3a-eLQy&5*0=LjcDy$xnbbNDd!GdtmrE$&TfIpdHK3j$uBsZ4z0pJw6VpCv z`F3+DQHpArl)RIG%|`2yZ2nSnfo2xn1Gw{c-~PP^1pxM{Kmye-zz))Hky<`Xh^g4^ zrR9I^kul-AUFZa{ETM^f^X|hOEm^%Zde@IA6OczNzp)G&&T%^hqcNXC8_=3n6u5*q{q(R4CBt58~*ra3?aqat^8HV28c;mK@^0)N+kk 
z++Gzg(i<^XEx2~MaYI)^JZ>@1TMEflFc|-+jEwP-+O{b(*Fc@hdRp}P>`hX+#y7)<0Z8<_uMbI1K6$Z#rcy zxhY)@5D{`H5ZJ+XU`N>)dVxXE6**5}g-+CZ=UYhGerV{+9jJ&zy{$;opxxvFhEUe(kYiiq+p zpJbnjfQ3H%lM>y#z`G43JR}+t^(WEqx5iDHDxra{UVL}_ZdViytXmg5*1uD5mA!IY z;GyEf1Y1_tV0z+zeX5K&L5LYY2%P3H^F=Ees#m%>p>1=#$u?`KF_!yEgPQLn)~6~_ zkq&3!T#Sw#L6O=J=`2#ArQn2dlE}3+`9Ao`&?}t<^L9^FKFT_f>%poL-iHKT4i_jY z{?P&8zczQ>3)S?5JGrE{h_oI2Sa{*IGHZgOLq=b%3i3?P7R^D3^Mm@)!ot$9C+|iG zW<}x35n8;w8dDFMm=5{|)AjzibJa#&45H`RM$dcSIzg;=i9q1tA?gY zc^pd95_Mh>UCT=iEuset`grx&B%Q3em|%EU?E%JJmrG&vMm8%G^W4jeg#Yx-9L+(G z$V?d(bL;)i#9b|Jbh3bJ*{yTz?WGEF8gm@|^L{3v)nZQ7UPn|lsa&<`#YzOL+KcFY z;l5z~UY+x_Qfw7#f~boXU>^Mu!2Zwv@$L}l+^9yA+7nUJb2aIe+L?>q$Kv*eQw`eA zg?J{5m5-$aQ@Lw_3;6CShy+&AbWy|VRlqk8|H|f$DG6K|rRh6irZeh8y4a|-_ZShx zu0y(IU5>9de$%-IT|LTKa~DXRDR;@m-tHg~XFv57K4Xr+=w0feoq~%)>T89*`KS{> zU;|0N?7AtopQjFy7jcgc74}l^yRS_XW&E<@(NGG;z36~G(41+Q>X7Mpy>d(q*H$YG z{&2mJI!`;}-RWG0;a~_Y!+5JrSUcc3)V7-S4!Qi!B;AbW@a|>E7WU-5 z8MiDZ@GpM+`e?OU|7om0pU5e#-Ih5QSc;Lq>2!v2z1+P}$M_Se*=U*jmTD55}_&1reHF@>*UQes?5|tUTu2ZZ8=WPuADKoRld(vvW;0k z)F!v`3Y3>V*-zw)j5?V)z%Fb;>7VAqcqP`l_I5`%FY0oBU|d8VBSV9cwrK*=^5OxO zl8uq|XDX^V&ZacZAMCinFEXDztuW=H-xs%ces8>5t8zvV+bq;^+aacB*g~l52w^q+ z+((^nSC}3(Ps;g%u1G}IhJD+q*dS^7Fe?@zp(|ErG3V!GW%I+vxH?sW8!j~7)Jr?n z>ojpy@1CxyrSvmw-e}>nr{ou6R@FuLIGFWf>KDD1=P;wDWio!y)tx`4QqMho0F@hF ztw4%^U=xOR>pPLK%Z&%Y9@JKORICi894KYaBfCH+g3XAXe+P|wYRl9hd0?(B=a6%M zJTwL>nTGWTym1ioc?p!On^xCqmUZ)-ot^}kuBHcE46u&W88&L6iHD<(;i(X5@L$;+ z>M^7!57-dQ*|2y&W#7ar9%RP|W$MG&j4d1o-H058*wmtioRnJtp`i0oBK;q=*(T-{ z>zm3~7hJ-t@o2rkk}&-2E+)&yw7xw%Q&-YdaV&Slc`&$W&cQ7|H;(`^Q5@6Pp$#~9He*Ej9;(}y#WW%KsYQ%USq)cu|5+mm>nq#D(hPy-cmsz%t34={ zPYvmWl(Km9;?}D-;}v61XNCHZJ;jlpin|q7F@qyX0yc%?2EtdGHx0xN>rCJO)wsoU zTsN=7y5VhCfOx=lYrUG@B%^WuYTs`Y*9)&7{m2;_0p=U zFn24HmgbC;=G^U{$7sa3Sw}YRMLP6=e%Ai0W1ZNqLlE5tW1_UXC6+!9#uLeDmAg^!%VI01xy29t?;UX^#MX?bjz7|9=3Sj#@A z!26}VKbQ~=^7;prKq+Bcx5cex@mI+WVh2C|*n20r9Zzwg;y9bp{v*!Cohe4|y<+eC zqux#3Xl;4izz&^gc|pgAY;@V)vtG} 
zZ=OeW@chnHPGAg~%vyS9qyE~*M-h7a50>S16AFlJN2UMKe#1H`?02TLZv1-7Dlbg| z)K`X)LPtzK$kROFyr`bF)Z5Ww%IsRluc^H|(t3KkYZCgOaNOe&B{0L|3kb zJKhnDk&a3+wS?kY(@PBAI6S04k3(NzeRXNq5WgYJ8g$eJ{2mNEE*n@MNP0?XaWUTH zkF*v)SaxMUV*J1y*unKsipEJroTS2XA-x>hyz0)Ki5RDsO7cOrND4I3l){5_gr@ z_apE|1Kw)XwB0mW6q~17eb0hUGXE{VjrW1_3Tm96i5*1h&SjcX;l!>+nd5fuzfmD~ zG%H}T2HnG58@s`|Z>5o)84Oc~!j6ZxY{@a@7p_lh5_&^jcZ$RMB1a#V6!k99%dWM* z9IDn*%sX0U7XK=4wpe;5D%5iQ&3H7v#%7?Bh6*ZHAS(rKi(JglzwAH5$y{FIRM^aK zeaXwA(G_@$OALUx8uO7QrqHcTmi%GkA+J%XW zgc$SJY0pNM+lLpuy3o}!9#e2XK+aS%$@aN}o>D!s6|cO(zT+PGieP-XXlCnRH$%O>y1wxmhs(3u&0(^NE4WMLpZGFElQ=|bkjSf88sz2Ks?uD*i8`Z?pqsb$?Z z^-lF3&9;=duwDC{7W2(Jubf`=nmepvNXF>kQXIdU3<-X}q$Fl!sczfO^@v;KN8Qtf z7XzD*xCp;@-xUg%+>EQ;B^mlCNU75-N$SOg!2g(`+#9nmE9(@u+fh{Ss>%`*`h>1z z5)(L3YeU_nU0;G6#hTwO+*IIXzfBEZ2(78OE*1+(d86JEysI{PHY?DtX=-xdx^q&# z3_jOWeH4>S+BtQv*~rvQ_M59?#k1lE1~7OLbPnx>hJcjIv|;bRWyStSl^y@b(D(oB z)$slutTSKox6hxL!MX_Bc&MiPJJXYR!oKMC=C;>C+7ndkU9!Y}035aDiSHVio5ifj zL+c=|BK+uS!vV$xKSTK6`D@U z@}cZyXcBnT-l0!_ayI_zh?J0O{`#wb@=a_fJ)p$!ZtZ<#bD)+e!A40gVGp$ec~f`* zbg`Lp|5V8y>Hw-5n5)O=T~L1PNx-!_V`Vx*H|am$FBM0rm*IHP<>DAtk``({+b!A{ z8cOSLC56<1h@JZ+=ZCkJl{!lKfy5Tt;eG)Ir#xEf$6}S3db9=w+UE?`i4ei?FE-gb z?zI8~c~i!ZzgCS#-_>1^)mE4t!3Vk;vM$}X7o;S*q`fene-={~aq_XYux;j!u*pK_ z@pSd<43ij(fm_mG`DEk$=GGIG*nLE80?q;aw;6Zy% zkoKvo6!lA4ddlntCqwUWd&RlNsXIOsJD%zX6KarF5%%KnGNE0mMY2x8X_r(GAcrR) ziB<|YudM57pCxkv#9+#xKjYLA7)x~2r0|_&avw2aWTLb*NsfH-qnSk~thL z@ADiu(v^Z7jdk5_chDu=+sl%!U$x-hLwNKdKkW(&={B7MFv!JKFm7#^2lMv_#?{e- zEuHSiq~Q5^4W~~0BC}lAF&2ZSAqg~V#aTf7twpUK+mn14#gH(I-S-0NfE2-6_&#>@ zB?19PBp_D9aslui1V&BT-UV4WF5|2F@<>V%_7`(8OGOE!mb z^r~G(;2MMPccx$PeegG<9dSAoypN?2+HFw>q>hFv{xEi_tHMDXxOL(>`Lz$(Tbgja1uq9m0 zGMoBMM!>FefIvx)pGcYB!y}(l7VGbMu^Bg$i<| zGqPZ&H&WW(jVJ@OQu3!|v0lvqGIK><+^5NT3lqlt*1fPfGY=>pONghW)N69oaO5$QD|C4dk*2uMdt zs0qC%ln@|^-}cPhd*+@qXJ+o)x%c`0m_K;fB-vzV=eO5h>s{}9-<5>XoDSS&86TsF z*S_;ZJ)g)ukxDVnQy>N>^)>xxQu*Wu^~_D>PCbFMAEQt-mdIVq)u1@UBJ-l;qPkpj z8WWW?ypPBrbkadOB&%4l$z;#$@p(Tl>fQBsk6uKr>$-II#-h!M-d!vWxT{o`0xGtV 
z&nlhJzAgDZAYej+vbAQ|BhdWz1DNUE(fcMf_`#|vwdZN*!1$aA+r*GxpTCyp-DTIa zECM@ToGx?AFzj>K{iep?EtrLlv18%)20-+ie=3-P;a_Au=tabE)OX_jPsrud+>Gd? z3IL;=G|f;mIE9?mmLcCE?O*zW`^m8Si{Lulm0rq_1BW9y#Rgu8Z>d2Do0Ry2`zB_k zVYa)oM_KwjC+kF=_dfxr5vd1+Q5Q6wYCysuFaFH4^`5-owKq{%UjDrnojz@E=JI5i z<0~oe2gWyRW7M_Qpv5w$zwS128a;IqV3_ezkpVOOKYXSDrQ-3gb1pWbhar=JZHom^ zAWd$BWC1vrVh@8RPBmutY~>SwLwvkp=j?5~XN|3hF=BaoPC;SAE=BL5VpEM6-+d*g z{mCV-QSXwiQB$^u9kLLMBD1@l`ciiL>-$fpzSP(>gUc@lXKYx=u);bmyr%_v^!G>=pYf;URa_u$Ng3<`^@o|R_*qhGj`XZp#8&e%MZ`#aJt#x7VMTNw_ zk?&(%1k#)=x^i?xOdI%L=QDAf07oH$n)ZC;B=hHt3YEob{EBHwOUT5%h0}JAuMEXR zsXU~7z(1+5LKUGzFah)^hCH${hnm42M`J)k%83=e0jN&SMEW3ZMBGs$GElM;Nie1k zGlJOzfDT|Ok_@~&pNyfO`S$6% z(q!LJ`ji~*Z!4fc08u=8fjnO|0|`bRS_7n~rk3!G5A^k z+W~Cq_7=E8;?I>W8o<6I8}`tBl~3-tKeD#s*M%}zegNubb1Ep~zqhLewB!%Ok?jL; zet;q0qXjVJ7oGPXem-1@;f3>)kkMshWBLZSN~OHAtcX0uVn=>6oqDQ5_W;4e*Bo-V z+piCzTDZOTb7nPlT8l3CCDn))4r_haSeWH*?HMrzGKHhw-zVgntW*Z&K}VfpN?Qa> z7|)-?nAx~YH@nloR5I7rN4#Y)C8Q7rY4GTDo0dAMECbggo|>u|oV#y^Trf&r|YdP^f;*QYg=w=VeEq=-fJOO~w zI?=9gKkdvyqaN#}Mdt7;eyL4%?e-RoMN3e{F78=<`*o3FLzS6{0Kb7SZ|mBZCmRjb zXd*?2%+>RL4%jxEF{elmvW$NfTv^Js-4coX_9^wFY*gqt?(_7AwsQC$si*!WO@x$! 
zKE)7L)xg->2q;oU#^n!Q9@b_9>Ued2;j_zaX^&IUZxLK%P?XwJAPUz!-dfu1I(s|Q zp<~Wua_(UZr6*nyh8ZORg_I z>bq;2w(RMj|I+dc7TsgdN&m9hFL27*J z0*AWnTz%KDdT}cvDEPtK^@YmTo2xg9-{Dm0c@PJ&Vf;cvnm{EeyLHT)b)@^wYL12x zc>S=l`j58zHHj6fpt$MTWhp6Jp?#O7sUO=gq(rOzXo`*I_nfZFK0|9$b*>xp@UB1j zWflF?zs#@yZW};I|6fYA{!6Wxe{1`%eZ#*q7;OZc0n&*E2W*o-db|rrsxN~7wi}31 z0vdAe>5StHoyBG(9|E%l+?HxZQh-PR%+~&&|46Q*s262u5p`t=^w^a;`r*4&D;#h* zug#s!Ef*qjm#N2AjIaX=Xnv~JicTMXt)fk;{mAjHm3LQIj5ueKn5gf<*EOWzXUTN{ zZPg$hHr14XXWzbWXigNF?Peis3hzCCxSTl*`lrg}Z%c-9GB$_-rX~t+q%xH-0}UHeq*#dz z;Ws;2woHb2M6jXlk$#aS`S08)(fWRoMhCwtvzNMnrj7iUl!txjiXPTmSvo_h@(Y5= zcUSt>QMah3B!)q_kOZI7*t7oCjEW@6!GlCSsq#X-YBR;?OpZ5$;X8E^LmE8P0z#FV z{dB6;`Wjr)+BVBckuU1=>xYL?(yE_+hzoz{pmf2oP2f;$9b1hV2iD&0=;of0`S{2L zTZ^~bg|!%QiuK+p$uhD`tKgv;-dw6pJ%a6lO&C&_+v|JF88psVp1-{rBHIkll2yPNE;mym#Qxd%QB+c2R95-%wf z@p*@@D>#hW-XQDqv#EJpCd7ppTAD`Uy=D@b3!G+87tw&;> z$29x!)?==On^$qxDi_-t-Icz)7$DbRy=?M0tU>$7s_(9SxF|Fwjtrh7!Yw+lHEfVYHe*cNeZd9!3Aq z59nWe3K;45FK`UkhK#}WYj zKdy5SnonI)$0g=Jhx>QWSvl z2Q=|yyHlm^^3ya6vy3EOKHiL{OQJ7~c`w$@+Vfj<2M2c~~^@cu_M(0}x}k@nUH)eC?=C$riuVqIgW;;0Oo8dd9$<7S zn$SDfi{pmfZmeV3_T#n&ZUO!c?A?%+^ar00-m*;MAY_(M1p}@X(<~+AA zxdIt3G@$LFCcEu}BbEb=!BJ%#`}0YE@f|FXrOq@>?5tfyj?E%z#_&W<$j%1PpwtlA z{U*dAlee>tP$Mk_BK5$O10Y&)nb?qlxI^s;^-2fQgc88(kKDqE#K6#dWN>X_%@HVG zqaQ`&eiuNE05JUe#X4#}8I1>AH>_}K%Jk$sb0;AKJiO;y_qWxaxX3ke-UeC}ER}2C z4)A}MYcx2aqI=om(UcZ?(eetXqy8gj^O8%8G~0A!ud@M|vIC|L|CBf7 zkYp7wE?%=)yY3mb@^Ybq@@SBrBfVDOF@??BQ9~&7YSUV`r)aDwn$sZSI*HmwGw_q%Lc3CpyKmz=;r|dUVXlf*YO*sJ04C@dfm@lp_3v~cT0UV(ML+U}34a1II@;4Ln zvp-&oGx?X1&ztr>A)D{FB75Z#l)zMQGl&hf_o?gya6bBg^Wg*uP2&M?U2_y+Onv#Y z578gk=l0%69r5A}pg95w&>*6Skl^ps1Z^C z9dBV4Z_Fn4aXL=a{)qd!WXGlA6b-0=x`9KM=fYOELbLrRr8jw+nu@6dfro+k^N2S6 zzgzOG7b5=P?E3wt`dG46hTxat7NMuo8NJH?#6@HL zlWe(a?`b--^0PfJ=`!)1J{x(Efx&9Bgw7yV=JRLd@BuW0-*Z-w*&i}#oq5TsF zj}fhPAe!8PDC{i2mg>6d$dDM=wv;p`TjpDikE>CJ`;O|xd{dP;q~^gUZ20a4z3(19 z6=?%ya)Oq)MdQv>cl7}PM!<>hSY9#p*=VurQ^ojr$2oe&^B4IC+1|oBJY2_b2$wtI 
z8KY1(QzEv>Mb2<&>LJx8A1+x=Qi^(ww-g_>Wt9~bPpHBx+8&xQ;rUPz(5)V&bWz)LEJm1Aa(H|QPxQ;}!RAwyS) zQf`filNBWXMsJG=1mk%SA&!@rb}XD%t=Zc!s41qwXT2i|8mgfPDE8^mq^OcE1vKqa zstX1tbJu`vnWEAfi}Z*!Z+%oWQDA;s;yahP?2l(+L7g^ife=7)22GkFwl#vI_m3qY zJ#D4GqzU!c$hrhL%HS0woq6T1Y^vnl5x-Ke(-6Kkqs+wI0CZ!XPKENdMZmeU9IETy zc^C1wB;CUUHl_v6OE&%e{a`B9FUcY1@lP|$j%VXaL9cHg;=ml7q839~sFKZAykyg0 z8j>ZlT(MtX(ty4Ez`*-u9vany+Iry z>$kp#^Scn@`=v#b=1&~KzO2CqZ{TNHMNmn$V_&0{zFsCevTWQj;F^w>8WBY-y%Jxa39lmc5XBn}Mhl3hEe2uckmeO=D7XJR zV5t&PnGO0Cc*K+RDj+qr&YwiW&d5gQ*93plnPqaIc@1lDF?y}Q)YHeQZJ((o5H^_7 z{a)`M-t1u0q~%G6`mIP^u4L`Y5AL%hrH8gob1XAaP*m$Wrp2kFaL+#yfro0S7@@oj zhos#%W%^qBw=9yaJ>|rH6^2<~ky5^)bWGsYG0)c)^QbYs>4jhh=MwY;Mt*};pS0U5 zbb+)>L50HkhUI#M&==_?I@!K{HrI%^p7}mYzLj#ybDJd$;*1Igb0Y20q0r+%VRaUC z*ue*X@y%zLiQ8E-%O7q>GuNcLeoooE_B@UJcy!_V!&V*WA$mGOih65>;y~3WC2Nwk zX;;*po4C1shpj~3bq54k=*){sMO9TrE2nBPpE2Z~yK!jo75Hl3KWlTD<|8_hEIn;V zR2m2AdFcJr0DrMTwEIoLk2gABwtQ1$tbtk7bvCR_p?Zw=I-Z)dBv3u%9Naj!(=8u< zYfwIp#0Vm+}-hUH{E=6<;r_&M)v%S{vw`6UmuLA+NVR$;^aR#AR}HEWPv# z%tQY!$!ff5cCS)oHSNg@ts9feg&l;)YcF&O5WEPGgrOjIsL-jCYQ~=zksMMptVEfU zx?i&MV5kD^%`z!U*m@E~MeX9W;jzb9QPVF_#vqt2n_dF3hYE;?`NE)$h_eG_T|g6J zl^eQ`#H}QlyH@MvA4oT*;6Z5asz-{0Xw{V)^G(gX$z8+|?;vhdloEt1E!<;r- z^iM%ae^8s1@Y}dz*!)2GbZMJNe#NxGkGW^ikzKRF8psU)20Qhj9w#?gBa&5IQs{sa z8kClnK3~z8D5R`kJ!UZXZjY9j!glJ!b(U(XI{7;R8-fEf`uw#cWbCRd$nVNCo{TJ2 z^xhL2EIR*7$T?2?I^=G1MqloX#+_$cTKPZMMRgiH>J3Cdg=45qT z8zuSHI?uk_=;)D)mXB?zUC0R zpdptU@!0H~ZkEf?F|Hp_>8t%~5AIv=w8rJM7`!%zuEqHtXoAAlyfZdpn@_hMd4#xa55y__BHPp8M{PcnaX zJ$_PKnJI(-S{+Vb?q&1=WssUddLrTyRp~DJVQ)ESlDEW*td^h8M3K@rC3q<7CfA>7 zJFU;tBjDmnw6pm#p^8J12&vnyxXYCn=8f94okQMUittS+)55tPzrRWZ+wnvtuRN4xM51su7G;Uv(l=nRH)MC!{_%<3ZP6RbU@d1=i!}FEo6)Jzd%Kf-= zu>^hHGS!GqyKublh3Lnf)vsc49)_DzdHG~1(>|)dbUmGcVqiuzZY%yB-V6~L+ zz`_dfQ8jDf%ZWQO{I%us7873N&gLNZqI)It=VXEm0M65xsn%qc+f;Q>>juXpUe|lZ z^5ydWTaP7Q$+C9aita}ivV2?fJp#$tHv_!n9(KmhU7!%LooY56mIuFsfTVX&tF?R! 
zt^Sey?cV3@=!16nUwDH{OhPuCj@_`PqpOI+P1BHID-Du(R2c}b%{YA(cWb*}C{TgssUD*ZZZ=JS#PQWdA9+V1U{4wSz(8PcAP;T zyIo`k9ks0bkm@sP#qZbjx;ycopM07^ z@2Y|rnZ2d+^Mox|a|LucTz0hf2;!-cg`2{1+BJHC2HO~Qp`|kuwsByiPX1imbZk zH*>Vl9E*FB8<~=KNNJtYCV!|KZcUG@Bb=+GHsr%ZTK7TWWss1hWD6%goq&cy^Bcob zY%UV*_MF$aL>3%Aea7otZ-rxt;QBx$A*2b-L~VNVec)M0Yy5!K68@3L54Q|#6eTSC zR*fE$RKHb7(vLR`g_WG|oFw@sa^85-KPm^Zxk zq=9F=Fk}AK^d*}Q{WxFxcid$&_&xd;g=CjgYowgu^QcC=s0hE&P%qDB$i)6 zx#R!!8^QsFCC%CK07CVpcqcSz9H9ofyXC_`_kQhISlTos*)CAx8lb7!iPKxSmm1Gv zE-M2!#T#IDL#PK_haSF-jzDwbxTk1x(PIrlT;yF~CXFC9NW{fuR`iO5f-0^(Pw+Y# z`^AMQ{N!eK^V+!ag-N26d<&dM)pljZHIh9g%TfIO zRde;OEj_loE$&qw?sd)w$LR%>o?nbZ$VPYU>N$)j(2N67?!&t(oISCt3?%OaR>OJ; z?exb&d4J(HJzR~WjspRrqFSIl(lwAg_`OZ+_ zWRqlScGL&bEb_NsaGM!)2;wX?oh1w>LDkmhi<^I2Eom{LAIA0ko#YVu;v>_@ltyl^ zAm5iQH#FqG;3})=!DXsFynt4HPYB~OyDzaVxa{3vahU??pe@JJ;Ed!r-ePiZZc?W~ zm^+C16ierp%jh8FDeCZ|h6L4^AO)SVY{3Bh>m|zY(7AJrvs>1sTQkSbyUUDmJC!9y z-7OG^j5F+Ff?H|^CKn@q{voHb9*C_}4@b!C9LNYcpihaBaOnk(`?tpT9%?$7tz8H% zKRy$~zEbn#tFEfwQg4L}1-@DKkJm*%3#yhX5%P`4N-`h+l9ONevjWGC8fXP;q( z0y^aGCw#;Oc#yBR=#63`e+Q`h1Z#sZ^Gv?v8Ypy%87LkZjYu}Wjr*hy7}kiqI>ap` z+$a6QTiI&jOY935UuTgJB|2P3byGN_z{v6wiy(5PLaEF{;@@d4F+yt=gusUj2V3;NtUzxVD4%z{UG0c$D+HFWun}!^KC#M0FilDPd zauS3P4Y&WzbW@$>H`C#Zz$Cc>MT`^aL=3=GLI%|m_H2RIfdP=QNr2kJcsp(UQOKoJDiSnKI)pNB0(3U| zl^g%jkj=mMIN*poMGFCF${sb8ziz)$1?WP5qi})wjQm@Zs+#dqdTR((WKSgHG|h3p z?kA9G{VVq9|5p3?Kl2=>kRbtgpo)+OG^t7~VdVzkMf(N>_g4}n%RZCp-#W9FrX%Eh z+g)tmF97$nuut*2n85@l_R?q2w=(D$qhoBQHKC|ydh`YE+$i-Pm0eBF9wu59qWhA$ zL)7;8F8?bym$6HJCaTU1eG=&;69S+N=(jW@jk6$5SZoX9Jg#&i50-Pkd|>+PSL`SK z+02*Y_ibZtoh&``=E$iG9=90aopKOLG!rU6AaMm1cVIV~s+W0O_J5u>E2Ep_x7!OQu5wU&`5=$19WclzFqR z=6)==%rZCLVenFNHvbay$_5xQ2xixiq{&l@rq}EsT#J{9pir!aN}o5Ypdy~M7Oxm- zG2T3E_~N?Ayf(t%Hg-Ob{BTCQ0UVtq(@?3VpAWPRZ)>oUYC}TGCDp~7hLpfBHg9a1 z^M}a{bWUs?wF@h0kU*>f?PR9F(IUj8&=G1P;6lpXggWKG5GH8{mrF@%_SVR8ym35M z=yjlX!rW*e%vB28E^<1ilBdnG%IzF=lswbuKU@z9nPQ=_a#RJR!(7)FjH`#$bU96i zm6SZs9ld}JH#52PNLKAfbNt$Ci-nGVGQ0e<)-k@ZGp(-xy7xUOOG_GX-JOtt4KU7# 
zc+Y85Af@z=O{EAr!)_+!MJptt9Hz;6Xq#(yjVm2J3a&@96|Q=NsCVJCsCR5Mw8 zB<-U1$?!(~xo=IvpLu!|woQSx>VkQ-bYSQN2A8Wth+^2V9jWtDS){eN;K&M-VSOj5 zdFz+McQ@P0*fTmKXV1V?wHHzWmk;uR;cYArV72Up%&>%Pc{G=0w)0t;mTt_AW=2&vKm(Y`X<*X*i#B}oR?9v2DU z_yFXDl!j-=Zd}p2uLK7F3x4Mxj_0o1$O7Z8YYxz-@ zqb1oo6M2DQBaPJRq&fMi<0G(GqI&V0bgQnw>82BbcH3d@528 zs|PH!(u!*li8sz1zp3hRT`19W#Pn<~ajvN6O`5GK$n>-j!q2(WE=j*#OV+)7Ms&*e zXK{}VwTV=xL$X6>E;9sbs|V!++Ami4xu%-MJB;Ts<>xlwM}Vwy0LM;~>Z@_F4@43r z$G)>3se0WyT4c%D?tZ==nrM-2x>dZO3q47@Mb#s^vB4a7@`~kGmwTh0-+C_7eT(Nn z;HvV5c&(gSa$_BcAxPD3WQfE*c})u*dd_Ix^u1E3YdL>=>^cu)PR3E%O5Y8c8p`Nx zu7M1G%v!5j3kVpm<5sAZSL@NGnrftzU23@0dq&M%pNAD6Z{Pf-x6T|H^ZE2n0pwJT z(zO0bsk@!pxZ(6+uf1k{xBU7v%eL#!f^SHoYPY<>=G)M44S`B>PDG8^4EXqDFZAa zlai8JOIx-J_PyJY$)2mOYdtc!KO8~>1>`Q7-~@0(GnGm7E9*rH4i9v4EskkE=iyOv zQQKO3#Ncw&5F3Qw*@E5Q=ht@{61ienv%=qf?T{w>X32u65)aqv)TvKB833=kRWZpG zJu|fy@bXO8V8;-lt?ObxY-X5gyH%$kCB?~n!Bv&p=$*ReqiUy)%LO_11ySV@8-X1B zMDaHaJ{ainV41EM`3b(f>}f`Uh5XS`=8N~4Z9b%_I~AdtWY}T$4J!7bHEy|1hN%|w z-v+jWQQemtCR=Y}d4y-8GxDbW6I#c>;nitb7z@YC^Dq^iW2TC4E{PnwZ?T(tJ7C{b z7FZkOG*_zI^Z|yo{U{|X!#qN@OaAAFju0pIDOqOTdz*eN(L0fLdp3SD*^zsp++>l5N%X1`A%hLusQa0L=7QU-p1-!3n2+!5~+M_KW_kZDv{`J(OO zqj#+=lF_x!XQwxs=&HnXd4(2Ea+bH^{ox7j$tK2PgRc&a=R`YKQZ+L$L2xr7=%jN} za8!0ip(8un3+%}y&Z74hd<0k;y5*LZC3c&T%**JbYc#`RYUwK8rPOiL+(Mi3(YNaT zd#(D+oi@0Tzjr~LR#i-3q4zVn6a7*Ck5-f}rmr4!>?;ZFZ`j0=dI0X=u{KgMn422! 
z;(5)gJSQ$oUW0nwo1#3QJ&a>tqzK88^lPKDe7%7N-`N+iB>e(UKEbLUo^An8>~Q!Z zO@{a!@JO4n4V3BTjL;vAM_UKV9xAJ^+@GwPBCE%C9-NNxl_H5)%~QN;2n z0QpU8%m@GerYzIvLk%p$=W8YW=6>$1KP7+4B|1&IXzdscYj+gKnDiBG1R9mJECJH) zw4;DA$i{J}hcMLI6dr0*7XPb=hPe`qe}1KEB6YOBRkp<-aN6zNIRqr45#>#U6$dYj zUaU&evpyNaas2#=xr*o;%Z>?bsKQy8tq1I)*RX+fR67IVDz+3~ghVzvGlQ~wOy zTW6wVV{(yLmo6alv5NW4#I)>!IDvOCn9-}_>hX2XT!dC*<45E8mQ5NW**lt!-nEY| zR-PVCa4*vc-nFqYDL<6?0MghJzUvwU+hp^eBNXRv(7q2i2y@=pr zYGdrXb=P<{)NLv)B6sL4j7anT*pFZ4#OWg6C5ys}-lmD4mhqbqt$2c4Pb*T|6&iIX zLFyAG6$jP0bC&(-m{6(dt(brkw)n0%leUg@6r0LSda+Uy^5ix!Wi|oJX-$gy6(5h4 za&&Rd&M(`&c3HwFp8rM%7P_9MjToDOwhBTU7?9zzTA`-9UsH+UO20CIrlr2EL*Liu z-5hd3ZA<{n$1biHOB}9`lDW}m_s;FqA~xzu{F%EYHMx4U&dQn0H!(N%49cx}9~m0O z_KlDnhT8@j`!QApQ7S13zWSL19&u~y*{kKXHPQCXQ*2(WQ%q=Xs+=LN>MJ(IV$y6m z{YY<#Fmv1?|8M)G3D|}58cPzkz7B*R(;Y5%@sYA44tHBDN_{9a{t6q5T9sQwO7zzB z_cWqkSLeI~^amc(G%*wBEw~b&jJ2LT+|MO?C|GTK)_eXt^vDuJYG8W|uq@$Q;>&qO z#HxC$7KG07FrS$Fs){Ok%HO-qnW`&>aFN-1{;O>`2jozobpKjh`Q3+68Lp;wS$23V zUTuc(hgutwrcqLLTPch%=yd?9up$%ab3}Kug4>B&qY9&M8 zb?Wsets%yHuS8vyYQSf5)jtO|Md&)|Zr46stgyCo}bToH{rSEiJPMY9b9OHksOnr9u)yVWr5l{^WNYEnUG~h3#02nFsGOk;L&sReRWFk*Oh{3MN*YQb^^}BI;TUyReX0wgtp@LR%*0vn>#UFR3!lu{55pmi zgUyyrcd#y_GA6)e!1qN|(j`n5%bI&8G9SWDyCkx-fI1HI?b@F?kaJsls7KZ|A-hEG zB92AW?+#x*AMe6yNOdMO*B)1v;Q|6A((75c=mwY z`r?(&Z>FV;_n@cFIxU?x_07*52{GP6`=W7UfidQFORMnjnt^wbFF+?pl@i=Y1x@CW zHkrGV+@w_xrK-oE7ZmiUIB+D@>QYZTHEVj?h^}=)5i)SBrZNnAWib0*@ zXC!C#!z9%OyE_!bOw{_{pkje3ietk>fE1})`A;pWK=d?Z^nlQcorZ8YapMJADJ%LF zX@0n08bVrOX32-|vBel1{{FS{?x(8j1J1yh_ki+>X)wR?j>gq5I5KqfHX&;hK|KD< zwPQHpB+^tNITz86;4C#d-)~(Bp5!i-rO66ow3HPbRReT#7Q6uug497rmG>w+|du+P8-X@?=TB45E&hQXZW2SUx0@`os3=I_T& z`bX2evV<9icGpMK-dH%eS9scyq`NZz#DJG>0WQ+yZY(;4u(0{$l=2@r)e#uX@gCY%jFQL##9bTZlV?R;4Z0z@k9`=sK8C7YirpK&C?nGRbg`pWS2N2c8CN_JS)wd0!m4GwaH;IOQlRB`0R=z< zLIw601v^cyRS4Cc&E%i1myg8e6Wbk+URkObFhL1ny%M@H`V;ZDPZaiFVG&q{{GRABtHUd zia#TJPz)_#iG*hyC}O;Uec%5Vz1+9~wyRUt=N@@O9BvpZ~i3!1IxQze-I#sfn*rb 
zuPfcB)(5sVa)N;m>izCF(`f*TH-sKRnjQVi^n__3X=55!MV7l)gX=GTAsjwr$SO5k z9Qjl0W#ui^=*&kQcO^EJOL&s5o4XeId9;1M&L{bWRQGDf?HueY%%}f4age!Mm-0^H z!;5ZWGxICi5x#`BDbS8gh=#B}*f3_2xb(#=u5dK?wJ4R?ya(HfJ$6-PkXy94?|9O*Ad;A zCt%sFddgSUXpJtBQIwDqom`fcY5|ly%6qKBwyat7>3-v1nm;CDmk@0%nqEG*BZJa3 zRzG5M{J3KUR?m)Hs+9C3See;Xc8g=DbQ=1G4;V3(I<{*vAX*yDYVXkOdq$;QF5gv> z=j6@nI~S5ujK13r0(6T;V+nmRZu{8-0YR?x^hG{Yn74y`*R_7V?|WlTx8B4AET}Q5 z#@26G1Psz46Y}T|_%zG}e5$=@(Ofb4O4nhHB3Q5O;D^Xnk&=xxc74KBP&GEZ=60T=idA{~ zWb*NhB)uQ5cs(CbuVlW!hi=#mXKg0e&Pc0S8ixSw7k5=%d_0x-*B4x; zKe7n#2(>287`#yd;O!bEn_{bWdv_b}ugEVtKl{#Eb_j6s{Mhb+1dADQ;MecS35aQP z@kLDfSh@X}UMyxn-Xy(F<(XVbIv0Dcz?z=!rkD=v{d}+Z^rxID)rR^WrmYqS7;5@r z2EkGRBSSMFz#6d5pR5_Z)?$r^KFl%mOr^aM1Y}EfTs*8C-xwKE!Z%!Y7X5-bP16BS zxbljy=_wYy)74dErBK}uQpO(}FNhwm=l86_io?D0Jq*7E-p?Ni_YynawIXi2sb3eP zvxS%J+W|g_|8R)c*jPlA>FuP=4sh8M$CuD!-@};N#ZCs*FTC0A;*+Vbbu;esqTii) z*yr_pklQs_Ic0TOBRD93~+$Ow{ zXCJR{N98W5DB$8eT%!?W`T#-I(OjPshD#)9YdbTws#z~rrIp(?U?tBHAZqP?d#r@7b5 z(wn?b`Mcu2B9CDdfo33t>`Omf4muz?e*wgVFHFJQ+VI|m5``gpQ4F{Jm8*=nnJH40 zg2CRLU?75zCr3*92^VYCIX&bU<Shf{zIxK-yQo)S$T6yVK~mwr5L!H zw-bos;UfK7pW(b2z)DcLKaq12`t8Gjke%FG>S(_IPU_nv{T!4U&&9sy<<*ZdW!oQ1 zzNXA-tL8e`#I)KV^9cjFmR3KJ(QlfA!Fjr7&(alBjLZoKt~6g<*}NlA6zJ*|8J z$F5aMwV3H_ZynPMF8dbZtBvkH^VC01(}sF5h`C*N`rO=VmMLCRKPPMEM^(n9vWX0- zqLr-G;m;0;vwdo|#3(r;M}{4m6fK?TUbtc+TRa#5TqXpe*Jgau>Y`2y+mDIV#9Tmv z!M<59ajv(}_KvfK$>!uHVQY5umcLfeqghmSM4PCoHEH(jfh2X{e$Rg3tQ>Sq+|!MX z()dih6kq}*5zG|<*2SgZq;*C+S+zY^V#hdX!i1N9O!i0Bj>gWEfsWWRfWb3w39MBo zzFmgKKcpDe*2`R6Wc%eb{ixgy4tmF zKrn}p-qT!wR327G)dY}-RteRJJUF19bgYSh3N?oY3-^1qeEZ&~z^=Q!nQ;D7yUMi7 zd)@bAr5}2?3wx+HYD|F<<2OxEs&TE`hL;Py?WYG}eJ^hy;(NbgY&@!9C2)gU+jEC% zTL`~bGpz8V#*lD2V~M3vd1990Ih8HTj%I3rVbk%R2kHT)oxeJbXn2PBfNlOs)cT+c@>>$r6DX&@ zsXzEjPFDhuqpO#v8vGC6S(|IIcH@;zoj%PMZHn2#L_1H=n2Di4+t6zpD5e9ss_(cr zkv=~~!rTXn0u4ajvPBBgxqJ7|XBlPj+)Z0TYmdT+{Gs(V712bwh8U4D6sB$ndqw!` z5U;7;ujkm*P{SkjDY3oJk-@Oqv|6qq(f6z3L7pdO1FmjR=W(y-FUx%Y^K)-K zqp%$p^IVrTflAxaHzjB}j3Y;3J!|K`EUR4E 
zXY-|OoWbJRj06i~KoheCdFMk6dM0b0teg%hdX?9nF#sf^+CvLQ4MQFI#u>QyRr)Lp z5Riw)qdx@yDF^}&K_SDq`Pv%n8m;c(q6d1AEhfjWfPL4do^3?N5NDv^B4>`r>GhlRS?X$41=gXD{va^@! zMbV!zn6fGSS;Bml3s)OWbf_ZxX6(`aYMr#7vO_g1(~?>Yw%Qn}Y^7hWiDv#><5!Va zj2G^wos4v{&hpuwTp-9-wuL&_j^vNfAf0w>PyrrG7)w|9&J5`2a@w)M zq0UEP#uL6RSM;luxwC__Y9{usu)ouw*_EEUKM&L1H6DNs85iU5*i zpndH(lP@B77T`4OWz63CL!_u3qbLJo^~rg^nMQ=5bit!A{Q%_Z8(%?ei)8Njt6{z; zeL3onbD5s?ylR76Sy zq=y;>DN+Rllq%9|=tzxp1?eU9kOb)^p$14Y&zSRDYoGOfXPv#*bW5P)-Jy zRNpYgW~H+o{Im;WyOZWJnaXW*O%yZ zyPa(Up+xV4dCK@qBP@F3o}K%R*{*ynPi2M(2)--jw_)8EGuePPJqF2MjOQ}&6n#IG zV${|ooXfdCFE~rxJI*@t&H=}@NE2yw5tmn0Cb}t|&P`t2wqGQK-c`_Z+Pw{n^^j4w zvvvy$v{8H;e4Ye>#OmkqUr%s|p!z@ffgO(b7C{C=VoA{Mw1yC%CComo#@@eZpwl`co}5dU9_ldO{S0e(+zd^=(PX&hUzJu*9VBgnU4*Uy#(}-DJ}rG&E9Q&V1jz6~HC$1m3Vy zTKZIyaA>+NVe6!D)*!Z)+)TdK4RG6l)kWi z?pd$Be0!iI$qtL;g+f=GHsDdc-6>TA?q0I28h=#M1olCFe=!cB@{GlHG+7##c$)O0YEw7W2d$c ztf2LGDnK&Nj;@KkIoFG-GbKqETMod88mBr{DtC~F`nqn;B2F<%+TR!EvVh=XkSs|| z>fvV^g*+TN2z7cL0g)TZxvGl(%ZEb2;M9udHc7)M%(py}2gw z$J5t_K);S!%E#8 z?1vHYBuZ}z_%pPK?FnvKe~2US(znmi1LDy-oBkE}I{k$$MeiYYO*%a*eVFk>jYO%^!hvzKQ)o7QmnvDz<2P<7~| z)<|=f>dV&q-75KYN6}t8^v;QA$J8{jv*s+bd5U`09e65TZ==|nt!zc02NCsNEF zMpMV^Jeq}~H$O;VGw`Bs;xc1B(~e@~s(qJw;)? 
zB8M$v@m}sBP*aG9o=)V;}w8Mgg~ov3LEjk&~LDiM722^eLpS zc5lOuy%mFRoy;j9ZG5kGB&s#AH`&*wyzb@-{N{6w4ixZ}Xv<<-h&PNhv%N-uhDeqj zFw_xUBMT;V@Q{lvh>0H{9>hEM402D2)1Kx@rqYRQiU{))=_c#7L+g*;T>py>FsjC^z@Tcc54>cuU$1#cF9&j_iCA(vr$H#Nt zJ{_yme>&1vm3(aR5ipS&R<~<3w7yigqJD!kf;VJyaw}N(-ygHkks@keb$8>BF}f!( zm0?m3=56sVSS7CcP_JjHD&coO_!*^|_Rz2b3!{o>x7}tTENG^c8FVVbv6&%Y@30-P zOIb)6wQhi&mRrtPAGlp4`DzogJ0;&+syE;HJ(yr$k|#4z@a{?_6aQ!q^|5Dz@=*yt z7b&?AUW3!_++w&_`K@Z$%a8BbsU3Zqne+$!ryo@K&)hMr8o|)WbknNY4N78H z0arOFO(r{eK7#z7nAtwB2y3Hk#urwoDKhuiw~cNK8hK)euKW_53w~MSXYpCP@HKd@ zEFMHESF`LTY7s{Krs&5-* z%T)bbNIb7Pot_N02w}-5NQ9lg(CC z#-IAvk&p6TEN48s`K{b*LN7?At`KiGN_GNVg&V#jr6}u|!6HMO^n8jEC?7uI5AAm2 za#G2T2o%5$oZs21=f0D@Q*qXi({Glil9P5So5bdq@1`ry=U*RiY@ponE??f&>5-Yg zTt+(d4Nx|#+Wad*1MyL(FuTTHL#MO=(4Jd}WJJ1CDkTKcabbx9^p0Ld3B9>~)%9Ru zP$t|vXq$mD!ymEha8+)v%oOz*_yC*U{=WmgztP`+C$IlM`2WAGj}F7I`Zc0ZO6+2G z$V_l0UoD^A_XY*uHuL@mV64F8`G>j90yGPFf!5c}b)Yas4i$xl!cHU!Vlpdre(9c9 zuBwFiZ;Vw};OaOf?0bFHDk6LJA8(WevnIw?EyWw! zPeGeV5NYt-*@$1+?e$Im>!S~VI#o*ZXSXb`;dTz-pozX3!W{0wp?8?mshPCCD!nV1Iaq0-E!4sD6 zWcHZk+o7W4#B)1%=w-ytfLz4RkGt!BYBXY_D6A|cqj!fP+aCYH>3G zJ(;(9)64U3365?!&ilPWOS=)n(Vb9Mx#$7WiHa7Hyjg|B`YVA2y91rKPbu6s+Y4RD zd`FuZXArG-IFTVD1;j>HBA#_QU)RA=*V-T=JhQ}n;Ca0_m)@qo+ll0hMYiv-l6H2jYIJYWe)$bVc0Z! 
zyFy$-JMTkFnAJv1Tu;lIT`{(#pV>*bx6C-vAn(ZX4tFCKFXdeWp?qmHE-J$-_QMNC z_u|D+V)ZjVun%zR#SIzxp&2zB>{oL7xy6tZrJ>h}saj%G!hp!3WPA1rw;B{sPXr*S zVB1oWuK4M%#QPXH2P9>Mv{d`XG8c5R+`tL#_zYy8N1K2&T!SMLv9ktf9QIMQw-7^( zh(%yA7Z|h%7I(~-2dp}8fxDYgSp|meL5kRJWK>-tVX^_ovt{*HV-_~L2&1u_a8?u{ z-dXj%eR5oo5;A>bGy4pwbkViEXk(IkmQYcZM~WorcQf%#;FCCG-~mPp%sW3HRBi zRps=)s0!-xhg`9Z&+8S>cs;f7-F(R5;#YuH8g9H(Ya#98>@Z6br|#Y5qPM63{#~6?QO?VR?F#loeZE4 zz{6lXs0l8TgZxso_L9^2)9vRi!Wov^*&EYjih3}dBfOmV5s$8LT2LAp?LA98-7z5< zV-2I#T?>I6bhRlw48Cma;&(l2xjQ}OT<0>U@-ZKLEv;%1!LWv5^ooUcw$Y52lkM@8 zr^l>wjF0aXc8Bi$4Dl%mG4%MQ83-zbhXnYY*Jb38&a4sOl|4iLu?bYBC6M=tLg;We z7jFzR=4ZkDY^CFJ!w>1~LhsFc01yEgG{eROOP(iq%W^#V=+e)4PjJpVs`Tb`->v)r zi~jNst}tFEgv-Sn@0Jdn4OWj{8$OtsIcm6%&NfTZoZR-Zc}`z7QI;=dcrNgx`@Gd~ zoK^sLM3*{G!}up#-3xN~?R9pCzQ+68+6yQALF*zD`|&aU;&pYI<@N7z=`v&Ub637u zr~I`05d3r?TyTGg?JYK&Pd{%+C?6|xpNBKgY^mVVId!0sWWQMN5O<+ot+LqIsQc-b z(94N@SiaBb2*wv3*?;|!RH?z9adroFqx{tl&-5Ddeljs4bg?Z?zg!D*swKF%VQF~` zdHg308h)ZUPW4`dvdh6TL8s!6O42H_MbcdIAj;6jZ!-LkDHyw{v{Pe~;ja@p+$jmF z_dIe{acXaOC|KyN;L(&~SkTwhF?>~v8+g$1(v5VAEf?f#R%0(i9D_Vp-A#Q)m4tb# zJ*#NOM{WGJgEE2f-V{GTDa0=cSpKf`R{TAvcLGY=#TH6u`hzk32kN1>P7#vhCx(Zn zq`zo)mmNA9zgHmp~ny6?r)4I;U`yGn+k-8+6_~ zn|)O!Y+@)}9<+JzlogwQ2AlMa?wqo~{z1i27l;?==i{SlmSjG*&D0exr}K(Kx%V5g zrt{?|6=@UU)}8x%g93z=sJ&OF))+n|-xz z=aTiT&4$9p#gPR0){kOW%Rc?~J+n4WYl3n>L;y}}-aR?qSe}g_0fTpCz7PmT?h@(8 z-A_WFF2Q@wYzzdVSzf}=f77-Y(2!a%)Lg11t468w5QUjVOH-Fk@0=vYd`VA=Zw^?W zjK!Fwq(J62)fE6eL44N&-N^EXueP>2$XfEORHMK##I%eoPN+MISgGXJ%+G*b@$+T5 zW^v=%>(i4AZ{-bBSA;z%@~BOujz~8YD+h~xG7)-T@PnS2ngfl*+?k)auK*Vwia)E) zJTB~ZdCh;I%w2YFdd;0v1pd9>PHfMed@UqsV{ax<^P{O(kx@?%&~emkt+govvQS>4v>IL2LQ2b{2RnFI`Nj4Pi#OP z5dZw}XZ{E5vQvd=2kZYr&0|WGxdA)>SI2*&CFO<}NQtK%DwMdYg8tvOmO6r3n*nU< zUt&V;FqSpllFKU_xHX=9tK@?Z%;Z!qXk-yQBil}u9vj&{;FP;S00+Q|`l^b+n?GKc zfdw|jN&#!V{KcUYo>~x@3xK4%AuIN5SbdSadAxAKNj@`+`~F(dL_U|U_XKn)7yxiP zMhOlSrWt1HMPT6KivF|RK~wvG(qv|Wh^*3xeP&Q=_E!Xg8U!`N}=uDaaheJi%ZfYhUdQkLc&21RWzPtX?qc9 zuhC(T{r>GTOel(?YZp1rT=2qwu!{6&1AvZscE 
zS6u-Op#w9pf%zhz~ZoAfB^+tPkgOWurBIZi^|YtG3i#%iOq z;Rl-N5GC2-gcI9>872K{ZvN10_cbmmcZ!DQkS#%zZM*wsUP|w8Q_)AY^LlZ+u3Ja1 z0BHB+v;ScUmTjCYO_0N|w73*Hx;KU^f2!TPRMnL$q1{H$(8wl}_|7`NS}{kXK)CGY z6UfIjUB4RIN26|a?_(6$eK~-ptTrtM0(NK`vmLVN4p)};J8uk`eE{IIpfOn-gsh~+ zR$*~Pt*WS=QRyQ)kZksjthe1Z%(l(huM^eC#5_Zw@{Aoi;iQ?<%TuxeR5>E&cp6Z* zHvk&pn;RI??Q{S$$)&Qn{Uty)LZb*4iU6q{`qj$>@ydkyzzaB#Vh3XQLEBQW52B+S zQ0|^r0s3M9(=N^tn8~aF>G4(X9Wpzh?d?LZW?ub!FA$N5kiE|$*$B$aCY1iA64rwoR*wgOZPz;FPQ!byfF=Thh52Z#RkM*;m`4u0ip z{8m)^REL<`(J)))PvRB)8~b|*8uxcw|791`F+q2^5(w|G=ReK z&jT1aqH>cuRZNZq<9M*()f-R`uxy(r=a^Zy#xG|8Wz2X)*# zhuo~VZ7*;`^;4RH0Q&5Ciewq`3LK&b7|uzgmzj45IbAzVyaZIP{0vRi@oC>2E>X#H z%2oWpP42c%iWnH(Fzj^e9VX9wZNfxl(I#P0aq>(oc}`zq-it50BClL5R>$WY(Km{o z=;)e6ee`j_eT!m~sw>o}uKhX#8=$*tWcFWbIR`TD_fVrHFkpMTlqL}MuUdF#)T0G1 z9&YbHeIkW_m zB|+iA>|CZs5eWoG`0R=&6yKbttli+VmItWu`n8WaiFFfBRG=OLUKUCWKR;v+fx$Ea|k= znvQmD%~~tJxSLpmMZA|Ec+@e9?g{4Dl@J;)`=Udi>m(Q=eB}mB!2=%+UK$-i{?8Tp zq93znrknLL?7ZrH{5R}EOjdCMd1V!;@+x~t(XJy+K4xx@+ESWrCJwr|5uKP=e*UEI z+zuh$HVQqzta&cH|GoFNCE86!^^bR#+f$1K>fD1l(>vNOkgnvBlAaLMKjX>`AEPBU z(`+>S@VodpPK&!NO-DW(wh?)AiqR;$Y*td*8hPMJPmd(ikXX>#v#4FJr?&%=EzSqg z>?1|c;H63OEud$sR?eR^d4~tb%g^`&U36@A`|^B_yu6-oZO^W_%z(A~^84S0!WP~M z*B#ZFzDT!5k8C5W?SKM^J6vs7{UXT?bZ`^|7{eEXv9IA^Y9tyUs}dwmff@kBo=A&B z#|3h$^R4nEb+0cDpWk_QjFa5x5~UOF_~Pk0vj7dqQjLc= z_PvdPB)#ayK$^~-Xi;8v-dp$Kwi5qUpE|s7D@vxbOr|(drk7-4RS%o$#EZPxLYp2P zXW74!RH&Lqn5q5Ii*1N@Rnsh3Yl4Iy*rVld3N+VMhR@IVL}|_;YcGEKthGpy95`&1GWKJ7eFU5KC(R82YW7vy30JjiKiid&r052PzP!#q_Hl`gS_CIqh4+- z@ZRrD;&la;dz6&%pS(jtJsEqF?5D$TI2UO-8A45{9Po5KlCB@2v?J>}u_v|E`NRiR z1e1nZV8jOs5*&n*x>5jwFN5paOP<49qGi(KQTw^krEI}A5Q6|)Y9@H`v-Slp`J3R4 zDs0=i$+}o!%;VNmCiJ0ex{THO#m8Ya$^CR@;0|3g&O`ZSRQ;XqOtLytOD*jY=9Oea z0m7Xszuy2D4#1%}j!i6X=&F^?>>BE_e7Ux6wAJX_>Z2nZ1m4W6EsZuU^@kbRY+Q7l3MB<7d1y)hO&O2H@IkXFY)V@M$(1;Rq&g|1*{=CCpuH5*s$S^zmFvPI)TGqc#k zXzc0F{c@{QPh)AB+3DH#YjaDN6=iRpZ``mIICUa}2}kd|cbL~L#q+rBCyRM8&NcOq zBWKTVeY}R%ox9g-4H=kNdSQJbVR=eVIab;9cS=jO`|6C-jH-=m+E~@GrnRZ1$7>&c 
z^D4mu5fQfK>?`1VN-D+Jg6I$G80o$+xmkVh~G!y3|4YKRmZh)#OcJb~A2V&L$Kf)};aZ42qHo z`VY_jZLWGexYPP*C4$u7jv_=-;wiFQ2uIAHG`H(rW*g>Kc7l@!Ao+nWfsQ?3Ndas7sc!Zj$Y;Ars3A!18k5?q*k z_-_8#LEb1Pzq*k%;~7yEl!_wYK_}(e$Igf&7tnur9$XxnrF|nMuVxoX?KFqHg^ z+G2I!*HYL51t{Yga7~nAV3!F%N>fI%qV}pnDc9SO-Om5w`1h|4fdAMQn**YuACrdf zPeP@B8VH*~?N&6v3G&$F|GE#wfActm7#0P}6NOW;R&FfwPOr1%RL@E+nG5H zG(o+E%=zx()|T%LDdLCF<3U3R)m18@MfmpX!^Ypqjtx=;FFq|dwwS@ z|KXTcU*ZGQt#drD`xX2^-^J3(-CmBW+bICZK~0Hqh&$Q>8f=wcP-%nU@#@&!Y8X=qGw!9e{i1lzEK%yguP?c?q9Q(Hjq=@Y6_7~g&Z4doKIw4 zgiQyZgFiXh>*7};vc=X|W6XuR+p;EM zwzE-vLc#r*^?c{ir=#2shUAzzJ2QPPUXhJc;nW+AZcVC>|6C|!|7*W4m6Ww%_e)Kd z;M=1vHKvu5@91f5(J=pcDef9|qct46Eo&k|@&pdU)rdsiTBe`qFcd3~&#n?IcqE(dc_QK*eli|n+2D^P#;y!xl|p^zu$uBw@@wlS;rkyt-PP?cijUmEY^6Gkm(~LnzD!SU? zmC>cwDvADQw&4{khoMQvm)`IDw>EGk*6B5~Fx3_aR>q!tQoE5zMec_ddfbwc{awNmLHbSqD2zqw_W!x~xbFN3(k8?Ol9Y_92 z1OG$$i8jLW0Lnt*(5oBuGQ0{m?Bei`2>U(p)uIe(5qeMBt#$B>KtiHyi1JfU6NKZB zxj^S^(N2FWHaxN~H@=JelZl6ue}+A+9Ntu~s(gv(d z?}`HzDain=RS>cD2YQPIQF<_sa>Hhfw+WNv@sbQ{@kQ%RyeWq|!G5_Z${IfXuk7A# z!;v{tp{FJqvOh*DgW8O(-=+8?-cVWKlc#ql?1}bm<;u0+>?3|ebtRgl#D1y|4t#Mb z*fun+8J7IHl8OK-Sc=jj6WKa5RmYTc<;LurtB@Cep5g_*3(uRPH_ z$(XAJ>u2X=W3U-4W8cbLM6f%N@_ zXBAc%7fi)A4K1%hQe%2xPs}EE%q(rxw8RC)$N$DLYg`wW>y;`56H+@G+YPy%j7Nvgt z*5$jiFDz@ir6u)tz8fcA)5IwjFM7NFm|522~ z&<z=?JIpxSSZwT*XKg!rR%EHVhKoW zt*s0xi8=gWfcAd2Ubdm5H_d9V*|_UlVR03l0=;Tc3|yi%cRa4?P~k2KtVUU3M|WyHic_{I@0xMH66#-Wmfw6VA<0lN}hpBjy}gE|;p$ z5w7zmO$7u+ewhkIx5zJI{#YP^+96}4Y!kG@yY-owSv6@Dt?8)A8HM8?3-@KE=prA} z`9uHD;|~6P+!`1l8#*JVOW4C{zwsJya55p%H-aK1-LC!US-tGI!D~RBoP0JF<(q$Y z6VIP&Juq7W8H1)4Dd9xry`T6vbSco{r*dVIzQpYKWT*PfQFph^2`*GhKjKcf9B9y=sEJ;F-fWt z>Bh-v*WvJk1}$`#2rR$j*Wl8c#j7pw`yy}V3#1!+So+w-1Jd-OW^>iVwzqJjLh!Yz z{@X^^9)qhrKiG*7k#SwdrB)oGB?|Gi(NL_(M})ka@s^Y`=PNFYakf+XxMPx zco<@VGXQ;WT8Ro|D(NK_ejm}qQdA#RrzzAB&&bL*_5%}rSK*ua8p||8@-<7}o@_Sw zM4Jrh`sP8{c$d%Du`d1>2+H=8zWg5dHCr#o=f%c=mcma%*M(@iy8qjX`H4^Z zku`4N)bdw9NtJMC0A(N*Yh^!AyY1idXXjZFp6eQ_m0@g`J+`W 
zFC1Q3S$#|BSP*_-&n1Vy+5$}aRsa#shW>B0ob6A-qy`XS#I^=Tz9kbWOz?SM>Uq-J zLU@2>b!&4&WB5d0nZ37XP@AQk0Ava; zs*F##SIGCAZ+rJo-R+q^SAcqdE$E3=bs~1zLggZ1`k(-wWZN()Ut0Qu)ilcN_SrY| z>p_eaB@=6plJqS16nA;kBzmv!nmJM}p4lgJdUF9%?uZTBOu3QuC*mE~q}C5nuI9al zckWq?QRzaDqlg~a~0a$>#J{kb)C_b&T#F~?#I-bCgC*S zG^fD7HfcRgWKIaSFd+mV=^Z(}Gq)wuJqrc})0; z)XF-OUvCf06XsrU{rUIfvNG)jXcB{ZTiasR!50i$?aRb_hgK6&cTGyZ27V!Tg204& z_buz*c(M}=w-F@%G!DLi{CS zY|l6VlH03!1C;1!#O975;gDRQ5dUKgyb^|?5Kv@O|4-bNg#*8~sy2U5hU%)U^5-5EGjca0Msc;*>TJyqRwf^FR66mi0kaZ6E$G&dMv$8pJ zN}T>N_aDtVctL;mbxm7>WY^FYvV2S0N~dMZjMZSy%LnI)eGCRaz8Ck}#h_FE`7}WP zd^GDi^?b{Wq6wpq_DxQ56ti9fYxL|-y>bWPT8PWEpY=YJ9X@15oU9QpMXnn=r*7w{ zO-CM^c$w0M(GH*QnYYgV=hFqk_zMCL0p$?~;s{V66HUuizBx;otXWE13fAh6@a}MF zt}lD1mkv+`5kEZsrcp4KdQ#c7fSg}V;!m0#U@pOxCJ|j5=v#}m-CYxJ+}4m0q~Q&> zo65Fa>7FcnlAJ4+6|Bmlm(Opmx7h`J>0Rnxe}Cy~md7P+$>nPYO4865z$;VOzkBKa zTc2jNF}xzV9e_p}s6TCCw#meF>QewchY9LZ7-zA!DD-3qyFmz zOy!C00qxTa|4Fk8ltVdedfSI)(z_5WEiYy?sR{Wr-)|Q-?unBJW^)a`dvrZT_a<+k zsxjo`Ti{JLKOhm>Sg!PIQ!lu2IoWJ17`hbH7SO4z&Lh@^&W+GBdY9(EI(l#iLgmJH zVfN`q5xf5wX!5=9QL9V<&bb7oinhodfGx##cMfV)fhySNV9*jmFu))6D@dOZeHb!H zy$;7=G~33!PGNr66YmSPQ5K7Stam|L(LIP75pr@r=;YuVP(p=m_ECmHsz@2Vx4o-8 zJyTU7L1poVOv;ZqlGJJbv)uPT&xlXQ{%(FJc9JnE4>MrUYaT}~TLp;eq&elgMwQ4I zAZ~k8c!H-+x=x_&pRsR0(;aLojIvQzek}z%iZ#=QpDc@J@gFWb@!LAZPzS$HcF&L# zTo;1CSC*kMs9N91;G52n%a%5Vc_eT1G6gARt%Lx%ydYeV3iD)3JVtFq6QO~vtbOe@ zAK;BY41i>6~(cw*Ucjn=a}!Ht9&dQ@KP}v?Yza~uzYXVFXMPyhh#Z=^1B;gV@!Bs;-PV-R%PBZ$ z$WRFPtM_K!?{@e@zG`bjELu4EK2Ft=~Lq&osJ?s{v)T7o;$phY~V{1eDZeuql z(>5l64TFX(;Nur<@;=uXsyO(ZehlW&>vT zWev2RupR35DYY-`W_~ZoIvt|vb%9kO_E&(+L{DgB-Sfr68~^~PFG}xCAtR>lDYgHfWaR7pZ{G{ z_>->;T#P;TQ)WXB>@83WbJw!@>iTWY59yA34RCb%90pn`)Y-4JT)Rk9_`u*kef_o4@|rQg6o6?=?nL>f4JRg=W`w-b>T?jkLB4#MYG%Nr{(rbycYF zb;%n623m6l7mGi*@Zkxk^@JrDIvd0+B@Dwr$KY*NiBf7Z#v zYVAY|m=2yhofx1JE>VM@%RKVCL)@~O%m(z~c2QjmYiaydh!@S`2jW`2znbFt&b{u; z4)nyx{~k9vRkEB^{+;slH=V(#8HDV+hemqV4pYTpCz5f6M3@|RI8vrs)%N<$do*_E zA)GX4LT7RasICFSj(UGehQg$8ivP^jriNzi7c0JEb#ED#)mFwv8@X@oYFCw2Dme*f 
z%D+rJ);6ciU&`(RU6u#2!l4?&uFvZ9@9iC ztYXykrg%m01YNt?9xgB`?CBJ(P_wW67@|`HcEo-dYBcJ__wr;y;eN5R0>4Y2|K-^? zL)e1>zo4s`N_R#wb~l9#+;UyNlT!NPC1s=P zduv*UXE^&KWQ;MZdA)UNYIo&*F7(wr*!+y z`MC0%7AQ2~yqHy|I@^SrT?vz_cKxaSn%0N=%Qsj{WZb{Kd8B#?CO(q;((FlDA)Wct z&^3s60H0nSZ^o4g*QSlinVVlj?|%J)bZW9X>MsEh1J}V$IR}*ma?q8hK93l^{_!VN`(=S=;t0`WKp*M|_ z#C6h!(5O9+It{=_bf6-@v|ibl*8QRFvP4;|L_U@@7pPN<-oZ6yotWA??BRTB>*2qz zpJknu7FOd;eBI>sok<-$1ytZU;(+#K7s+NsXrx4)&cWwCm~S{Iw#nq=gDgu7i#(TIrK*Ek6%6v*AgE% zM<>3PqJuMZf=L>w-LLzJG#l~QAGv;l4TSakhozrsj&ESZ=-%s|j=FfzU>VhDJZd4M z0Jq?=;XCR@k}7euQ=7mKM6>6X!@RK@O!}LkS7{qBYQ$tgGB01=VF+{|Hd~1g~HP%p6XSNu?Iq788R5gE-xc*ryIRbyeG^9zI9gg4d4bI za0K|St9D}k2$t=Awsf zrT_ue3FbmMXP+g3d$=7Adn3HB_#Ku?s++3~qOhl+o2Cs9rJSWH)NXc#Oco_D79*Q`6}Mp(s9?nbK+49oLbqd`PTu@qEJ;Npq|a zb)srO32%AgZAiCjd!1MqLcW3ram8|Ay_TO>a(a| zqU&(VK$;xFR-o|l9PsQ8=%xKw2J>`{@#{qK`QgU6ZJ94$wcXql(=(@`x9jhU55Ih) z?((%QdKCN|!B)7XxwsRWHbIF(MNVFr4f56bFgIgZ*y18){oVZfQ&wdu&RcyaPm@WZ z_?@?HT*Th@WXU`-M>K>`_s-MFOl1$ALd966!2waf@#o>aoxviL=+3H*CWG#o*|nozT0biASu@JGIc0{vr&`QJ ziACnjRirBcx*36Y1Hor;h%mW;OyM9qETwg#Cx`%2=>EGwzZ-2i z6o54PJV5d+b)5DtDIN!kP#2h}9pDbg)c@`)DZVvlC|>M{eo>EcNYv>UlZu1fq~HD| zNW0e&m9nNW|B&YUrSE4Bii-Z>gV`!_=tl4jrCtm4ARrW$+ zVgD_Yp!nmpY^_>+94)`t;0sDji$fV4(LS>i;vK|*(~8Gs+P8omysZ$4Pe~M^B^w4pFbz8a~u|X ztP9uI$K5D)&CPAr`exLin)I4s;4ewczyGoAmj_Nj^(OaEGB}ad!C_=sN=h*8&r=Dw zB2K&OY`XT|?VQ%}I=XS8d#daL{Zovmy|m|O-MiJn)47L1l%f{e3hO|&G@C13Ga6Vs zI~jTpM$NQax_#=Sv`E8FHhtU*`RnX=#P%BIM7dOi$_UVG1<+lRr}Q%bM;M)JrTE&q zWhAUYdk{<)Ob-GX1Qfv%b?tJeeogLbbIt7Op@MutO{H__0!y+yP++<6-phc0n{Isk za=C-gvUOaZ>oF7*`)ZYa2Zsr>RTz=;V;48_7JoEV^a>Tpd#@k!3aBw{IA%M@i|vRao6dJxFp{kjSZ0aGyE@aS3rb z@B%KHJ+)`@a!`Zjq+Mg8e9DaJEuQ0N^+~*?dw(!5bU&qbpsHPyh!I_Fa;Z4_RJjvK z#FSIEy+zhVjH~ML6UM31F>sHV*#_Pe)d8L<#cmg_yaPfDt;37B8}J6y(k`Ck3b=0Nj=@4=u>w68TfJ$Q0~kDwhwRf4H=5iVtTQFt^> zYBK7&lDJ&o%-`xy)Ed>Wn=lCeLW;(TysJfoK@gy=a=Rccw+lU$4=-72+O>%xJXe&U 
z&^{Emcd@rvtJ(G*M7Jl`PcHRJT?d;(!l#<7paE;El>CX9r)5o92LFVH;_rLDD8=NuOu$lNlYoJ^~Fd!BgfsfjEdjn=)Bsz4lJZ(EqSomO&+!c;Dth*(_CflIA8i3|)kr|X3 zC)WMu*9+dOS*>%(jUwm{}(@jqZ+E6EizSvi4p1>-HgJAxj8_F_<4v z&EC`gj~mdRywlngdc;zq8uI~IcC&3Sit_m!FdiE1hR98Gh*kMRdw5|7#UIF8doJH+ z2;UDVuf>rd=PCO=^(3rR?4#wLyNX z)G|3%k8*FMPCjzT)U9QVfb0y2zXJC;vPm_m8rd(k3ae36{Q9Ke<&$>9l-Sy*LCfEl z3rB;mE^I7ZX_>60Jn321*LQLgs(z5}-^=eyCG`H@rg5EZRw9@5cI>7d)DLCc64Tb-*&m!!urhCYT0C3gU3*m zIs>J!JFRH6uzp02$DyV!3bveb_ef?|Te!W-qNz$K{`|S+#`61%+r>GKzW#A_Mdqsm zOalV|)0JM!DgO;l^J1i_uF{2XvGd=So35YU)Ad#;W!p{;aXs<582H6OQmU?#Z(&m^%p(t-{d^O1ZXZL^sO5o)m5bsn z$8UqI#^v?X-w!(-K8u??$Kg81RCulGWk-ys^*;ElHzWV@OSBx^3;s%A91Tgdplhk$ zxgPI9PH$kK)BA7Uku34 zLM>E=y1Uv46l$pb*Ydb{;m?;oJ6)OkEclicKjiRoMzN+!dGX9lCTQz|2>X_pYO`ZH zI>9RmQg44YTAO*Lk;q+@W&b!u35b49dQr7_4a4 zy5n6}?hufz5{#Z%!VrEHYTY(yBnD^uL{D37LRNc;bO=$B7BG=fs?>z;G;GGZ;dFCv zF`;8$z1o_JZ(;4BWW>Kp2E9eT5!+Q4`Y4oUy0nWbPaaxTXN)y}VZsL8u^Rh4d$I{E z^?~h2e^;&kdjccCi5)2U{Rbo97U5R(p~_Qr5oZgf!GxQjqZ4jyFQVCS_#}%1Fy5Ku zA!|?70-w!7dGYVjgfHq36UFW!raxrVhYhJp6YJT0Y6^e{8o1iqK!RrGol4gX-DLM_ z;OLE)cizwzQ%T6HBp40`r6+CZOd{>ltgMvvf26EmNT`iFbItbvX+V(NI#WP`bn#0! zHdZ$`jU8C^qN*cru*W_5rA4r!y;h+k!V`ezGat&%5_=K&(kY_5%%cbUY~ZG*)!eMZA5PALG6g!me-HII7P`sbBeDr!zwI=l#d6Np0`J7hGBucl}@kk zJMnc73{8*fN@PY~YGa!`PDlgT40-YpVO! 
zMWdjoAc%;7l&FA6Z_-O_fPjF25Q-215$V!fNCX6=3kWC(ktUsh^cv|+Kzfsw&}%{s zki@e*`~1$?zwg^;pMCZ{&%O6~?)@VKCToSY7ITg{#`})(4ok&$Qcd}i1dFzQS=kzI=O<;_xcTQy*v&{2b#Uh#(!Vv1ew12xEi&wLI*^^KhA*v}YOuh2 zaFpSi_iRh!?egF=qe)nvfeNExr03kZ7s_qk{drUsF2H|>U1*=-9Tzi3OWF+5qRe$e z*umn);zZ4EAyWwou zfmn*Mkt(Xt+@IRI;`+;h`&zzevY01yWl_{^M5Vwd%QqzGH;6YL+d&TE1?U02Zy1}| zFa*y?kw>rey6&z+c`9>Sx9H6qi&sGWozE(14#SFJn#A5rW8z8s@j_zN(%7>yKff1G z@2|ApKGRM*)nRF$OjILKY2)c;uKV9-&kIS3y3Mz zR)|$t=_M@oXpE_^#pzXj{jnEwk=Ub`GXE7&h&2+kSH4vd>ppdUOBhG%kdm}?A^)tK zAO}wI)aREOK;phALYhe1E{_aPymr*mJQEZlRRZ=QkgRv2Qp~|Lg=ECGk)lKHc#aklzu!zmByDCJD|>L+|5NQ}ePW zza4ocCzcS78qLp*XDG{G<*ZF>Ncp-o7+p1R#BR`&b1mV9b_}MU<$M7zYr!j&roDS& z)w{z?&)y6mB2T6VZ`41vGConVxt3>a zJl&)1=uu1btn7GzPin2CT*Al1NNH9Z`bmvig)g$XeKgmK>3|C|g%@QJ6^VTJh%GrH zTtgdAv~0u{)TxdN-*S;$_VvxZ>-K*NSX6CpNoqA^B-eX4)Pdg890K1GBD@{z%v%K!j>^fNbgsEtos)vAn z5PUay?1Rs>q^>-^^#u<}PUt+Km&5Xfc(ZvLu8XDB^>WFTR~@VoVDB-EUj)6_pF1_g zC-t3VtG&53mV_2JzdV~3kqW1~yDS28V z9~#Zl^0E{yUBFaUf~4y2REm3?^y=vZd#p$-PFSJE#5~N_?@V-LFXXD~Cf9Cz{RYwO$(I|5?p3t>&zt=^LBqJg*v1?MO` z+49ysnquFiRJ;pj_UZn71s?w)9w|7T0%NUUZRCgF8G_qW+liE)92JTLBIzD4bfCWQ z6Kjggnhz(7i}1^LW9FkXvsyf?9Uv9%_U~}J#XR5Xj7nCtw-8U<4(p((mEWLp=B0`+ z-Vv&V)CIpfuCJ{=c!(*zV;&z7$|b%L_;WSjYCr7doh<cCQqI&woK8bUni8~?W!;MR!HvluM$)ev0t%3q z8s$}hYo62&qGJ(TvtPWZF+Xx&n_CY=Ev;>Ov6Hops}J6z@X_ka`tVo^+<1(ez|tCXX|~zx z0q>N6*jC$s*JmfG+QGCKd-Nr5P3)Pm)&g)S*R2$-iXlb)Ec;{a^w$qd1k&ru z;|6D}6U@|`9}SdpAe{gbjU8n9gS zO)bCLVDXN@(@615HY2XZ<^)*FlkZZ^vVn5?arRQs`Eyk1{; zqiMlf0&;x{AXekBE6SWCBf>J!bb};8xY!tlk7+u#8F!yHH3%d)l2+9du|C{J*Wiic zp^TR`7B1#U?IZvV6qh%lSac}tQX?&ieGo1~&}=!bECM=+qzW9jD?tpywr`1ip1M={ zDEKb*l4?v&k#|R=GAl{p8!`B5*gPz<*05~8y~H$$pjw)4X97R(QXNvc!ySUP{C?)f z!KR#Iq}$@tCp1&A3eO_E^FbtWb3WA<5_PN`HE%uOu;({bO@b8snx3q`^yqQM*@`H0 z>DOVc=^>=e?@}m2PAiHA^J?}YNlYCfG(~)1f;WishCD%;3`ntA4ew3aD63}LRpNg< zsFf5C(F=9CUUGr0Q7Yq&67FD-xSRp^CU)1x1V671YL@3pu$?EfZ`yt{7A_hN;O4_` zy>z89t8+co$;ANlW!y%UB(*Wnk*<;R6`61htZT?|3dc~?@+2A_X0vlR(R&RZD=61f 
z8+~QJU*kKG8`n$Q45?6i3%4kM`Ny|Za`A`iR@d*m@K0QKsc&r4TV7l~rG9|E2{bY4 zCVzpv5(N=w51a^N!R2Oto3#ho1kaPUtBEM9>X;uxFTxGf59=*dHAOogxuh9ZjUB|} zJ6fGXFlW=Nhyil|u6^w=sC>np(-6$!eOAfUS>&uf=Vm0fd0{7uvYN&r&y?nc3I?YC zH{>hiq*V)$JA|>WL(!XgFX7sim6EVmYJZGDO>PXmsQY#m@zCoc$MYsG&)l7n9xv`9 zFGkAnEFBBwg7BPZI2a#~Y-7k?5u2D^!%Q5)>OQ%5Jr`W`F}EP&1Qz%?mSvYP5a18h zAq3&tM9Gu;hylbIVs9=(}_I|mpHq1M0k^JK~sG#E2b8j~5oiTeht8p-| zTS8&~WWhl--fQ#JiQ@XzMCe5eY^o;q@$vC1SJOva!U`K{5A_rS;6)1pTL!LPOv7%l z%L8}8jsTK%@EzX~Oi@Pk!7kO`@PwYcPZ=>2Bjd?$o8eSG9HKm% zCDNV(a|uFX=ZQ|?ATmEulYpB;en&?jxhS_MNv7WjO8pU+x6Bw?Dktglt_-sAvD~Q6P-yF>#a#3D>fquY zB)NJNnRGNE=>4ybPWEXErWn3T+DI(@vBInNtGig8HjqW?C?05#>w~920xB0}A*ho6;*k(MTZa!(#D0wzg z-^h#ss1n_0E1%*$5gw=@s7Bs$vzI_@kkhbtp0inxvvMqeV-a$H=?r^p*l35&w)ged zrh`t%Z$7{-M@c!KHt`nNZA}{EVk#fMKFApw%hmGXd%HK^XeOSaO^1afSX*C%4}Iqh zS90-=;A~BFIF;};?#lw#TU1|-iJ(>Zwwsq4VfGyy;*&eQTH7{~+Lu{9-NgiYDWuLr z7~|QITgn)OTNJPO#;skIZ`*Icem=_Zv_yP~W55~h>Ap}C*f1UefLK?`(&3ZpxSg%} zh@Lw+LJNmdKZ#@5oJeIJlU2`|+XPNZopW}2bhknm)wwHg=x3CeRdp1hf+}Ym3Zsji z!)L^+@xtgJUIOn4QE&8~ko>*)L&g%C0D8t@%Zfg zp^xq7O|BrG#1*h$MS+JgK6Ky)X~)kr~3zd?Iu{zyh-CyM1a$b9ig za<>@xCU%K|(x|qpmOh|f?Hew`pbNvUQnENZnlMLTVa$3Y=J=xjd6*KM{W;vnv7c0$ z1gL?a)9sIkn){C~^-vl$cfyWzt{^d@cyuocglw_{((6Xy!T_a^il)4ug<>lZ!+@&D zzcJhl2lP0B3dr@Gb}+~cE=>$7c(vO+Fcp?;D#IOi-BN>bJ)r6EEav9=u@5m8=tG8K zzLQWoR!AD+dd#BB8Gm2L!+FJ(A=_X1K}zA*`cxHfO*O~83Dm{5&+^0|TGm0^r$J6K z6SE$>-%etF*a@yj0LhA~4Dt`Gu@lrryqEpNOqBv|V4gv{lb0fV=6fx7HHV+u+pnve zuw}Re7Sclm$e~op7Lx3RceX~4rH)X2#$O+NT<8{M*GbSg@Y1qfnZ@d5geUg(`QP87 zH8o1}`!sD8e!Jax{J#pjugy%BHK|vy`(APOZOA`T5b8yYh*J+245rTnQH96jBQX9K!RIj>hwYcj`PUO3DcSS-KA! 
z-jp^j9LKq;Z)qX!KsR+rSJ4zLo95XAIe^((y||AMgnrl1`}{d;YvOp}#x<8Gf!|Dc zCxA3mJ){4X-wgG@>vzPGv-7x#2Q$#R@?G*qtddFkzvzBJzYF9FRjJV?*Cf_(&Lz~hJ^PJ{pQ_W@Bc(`RD>MZ zIM35%aRi=Qv2#?@s~;8Rsl(K!9c(>zPQ$9kPEk<_Y3qQXO|ZXCm%q%t0dfqimIRo7 z;yWLeqlN^{KP{L@pAM~=@u8@!T)qBA$y(Wm}gTt)!)rR@({dR9{-^W z`qNyHk8+diNs3*9CT6SSH_&f#BcqWCxUD2&JRs`_raYQL5^5py*%TfChXoFZlb$6x z#cTlb_&TC(ic*(TZ{nhSed{A&a< zb+)SbnYrl#lT*6oyV#!}?p{IV7DVe9QuY!WkqZ{4tqu+PPQh$7?ic}>Z#*eVG}>G_ z6f4@QxvB9paR_TrQDG@&a;LwSSZcL*v-;X?bZ*WW?F)<(;J20p1M%uGtUX-c5%VWS zIKA^9EX05Ioq4~1BlPR4A+k(#QxH2*uQX4#YUKid8(17fOZ8qI(m!EWSM0j+uqON= zdlHDyNAm?8Td;zfz~DjymBA!dV*eZi8|0lZP4s5@im(SKgI3_l#;i@EF-N`Yucpu2 zPsC;##5-wR=KW<_Fcmr*7=i+HxSsEew=-6z#Z=Q@Z^{(km_VPzm1n~f%^SWp1A1SU zOJkoQ_&Vsb^a`*EjjKHj?Eo?vEYPH&adkl`ln!B{gJETkQC+Pp10yBIwWqqaNGh4OH_EWtB+DC~){ zxoj!@dUWu;Cdf483w_Ul6}}L0o*dQ4J87%TN3aQ`T%Y!y(!p<~=XoO^M@iAzr%QBj zW=YVFf5HmQO0q=Qda<+8p}0pNmKV7Jm?Iial}R!}UM9itGfB4!{IVJYSFQZru7%cC z1`>Zs*5@T2rJbQ4X9J5rgM`2;Mo~Z~N=P_KvGTZgJ8GYSW8Ay3{g^O_y?UZp+O6_q zaa1+-6TK1N4{cXTvyRs7Db2ft!*_5UY=LvwZxH96x|AQcFeYHH*G#y4N^sfWSA@?& zqOe^N=A1C|yX)4kPB*5XPlnZA%u~_r#{yU!%7NGDyQVUqIr7tz^VKFujx*w8#_TY z*9C;$(lNz+6b*-)5n+WSX5uF-go^k^g^W(0uE^SUQV)Opyzt#4>H>a4Hqdr>>~kF_cK zTW-p!_=ic1ih3Dc?0JT2Y;+9NjK81|K$~Q?8MY_*3PThP1tbrPqr*p;?evK}W0~T4 zstGWx3dF$eGmyjKJTH38yayw(00>U&NRdJl0z9yV7_dmUt%R~`9915;v=fz7?=PRN ze3hTz`%POS#rCL7cK+49Jk?|^A8tT0Diur#kcJTHQ1faeZg~j#v;z{)25Bx|K?|KyHZNoSC;D<{5~KFWb!#lW3)wzrj|S1We{0(hR}S1p|}%Lrf1(MVc8c{8fF3Yj(5)>4VXy?Y}|CLa0j+d@jK6laxDG39equhl4QH1$volHU`Sq(0YCeL~+mRC*f2hKyD3H5y2K1*l7*K2u zokd=tuoEFqh}QG=1(*x3l4SI46L&Q4OuCC~wM+4S3SWrxOFr1CFZRh=Jg2Uf0MqaM z;l^tHGjf^z7x8j9nJa$YIZ%z%HAzFc005>~fpQcb{0e6G_A746{Chy_a}T)|g*-ZL zT=IskOM#CLD0>JGU09|e_$*wq5XLSDrdowor9WUd)#BoRVW7nJ{h4acNOzE#2YSP^ zYM>SOeTK1e*U`Em%Bgs7&nxg2Ezg^q)y<_%N3~-p)9b-BJ^D;nC^lw_gb`@)`8x>H z0a#XT)y8bjs{<`RnK$J=g$9}xODG$A|I@iVS6>FXUGL-;dh^-`TZ1MVA{Ztk6$R5J zWPe2`!|4i@?$HJ+Csc4<^NyK^Mx1o!wK8TC240bXS%J9=nKvdvD8X8QSvmvM2oeBo z$uc~Wd?6W3p-l&F+`fRUi~bFQK!5!}j@m(XH_0o1PHg;6JeqU92&}8~6;nM746B|p 
zE=TMl!i5>pDnAH8As5bd^7vnbBVppn)sz^$XqugBIh`HS> zcDb8S@mfDgGN@uqe>_{)AP}hO(pB+!nf{NB>fe3$8~YA>(+DPJ&zDHA`dqWUY7V&mbY6gV`1y4Vkr9|ZZ0L$6e28syOAC{VTB63fezB}c ze0ZF)Vn!pd{e&n0!r|2Wv!rvtjui>q>p!1c+`rEvM==7VzE%9S^9YN~2Vj!;ETG%X zR}73jgpgjw5UntP9Jmfpz5M+hlGqDg6LBMz0zU+;dFaI4Mwb9FMKp;GfXtMZ6{jjceA!UBvTjO$NHT?v>p6ft`aEHX- zZS`L;-2bI*|G)Y8eLxkmtB?ddkkbAZ$ngU-Gy$4VbOXR6ESMaP0G{9=r|%oZ{Qp{! z$d8}uc|CPAYSDQsBMzx?Hr}bznt6kAgB(o}_BNfL^d8g0r?y^WjOly%>+91PwqKp} zcRQ3b>Mg%YL^fV^Hf4a)4;EZS|JfWfKMRf^B#>S5L?CpuwC<;5$@lsg_@di&j`(1w zksFU|euIWXjlVDm{Hc>d49ZFWrtp~N2b6Sa%rUS1 zcC{LD-=Ad(Zo`B;iz*;RSE@IxyEVXFw?j9@Ckwxe?{W4onorNMn_dLBTyr)+^48^tbu)=u7}04)MdSfgkc&$U$4_Y{>OT)2^=P4e+XSh$ys zyH+S`Y-;pRQ-u=2MGON`rxjBn8neIYwEeVXz(M%uGnid%Yn#v>k(Tkw^+Ucdx;++Q zTlRbRXAc4g6=~9^h?3evH*4cHhZ0$f%hlsd{Y&%H;_;YaRX-KaO;1CW*pcSQ(?9N7UpUWG(p3ZrLtgC5k zvcmahIz~rh4>Pf(bx)Cn9F}iCYVy_>*y~~ojI`S_!-c;Zb$925-0i7Cvc}3Co$=8A zTw*7iEHXM!WY)kwIz4n`GP$GMs{eymNcbVz{%axHI^V^_d`fCe&2JT3+WAf3o0$7^ zHZxy|*!OC~`UQE!JfKY7%6n~bl({NYKT1k={>ka|6qon6IZiFBiGyBK1x(i1k!jDr zJMLv2*@7qdnzv^LEX|fXlVVYqeuJhkln*K}#<3~XUq_bU#uPFGUbIhbg+qq2DoTKK z0q`sAiofv;2|yv^3V`i(3Q1<<^>=}B|7~PQnGM;Qh9>(Xj~_E6^dh4hAclYqM^t+^ z{VU^5^JBJrj1-dyKDZe38>HG}u4Z0yqJ``{vH&QKabQPss95kIxwOshC;{7M1SzJf z36KPA`T56LWhw!_{x9|6P8be=s{J^dJRtlxhmo1i_|>~8?g+VXYjSf4sAhkP`9hV4 zKKG}vX5rHs@_+>(Egm+(p1^NmA~cCWQ_QYkYIO41b#+XU7qOUJA|f;U{XibGXS$zP zMSpt6rV4~R!TQyB0l%t#V4>K(y_<2hkT7XUTMVP3j{WOkz6iZ)x*YNjGPc;YF(XRF z@Uxvr9;AL%du<+wt}_1^U&W4tMBoDXu#gi^z;=Bsm^V2o_}dW0pFl%V{Q$JT0pRh$ zuihWGv7$P=!1)+)Mf@Lw^PhjAbV_PQM8A}k1!|@ggfh0#X&9%5eFu5TeFdzgUR=0i z9nU=#{{leN?*V=*CgXt{j@_!zUh=kA6_fk}N7NkqxfwNAb*`YAc4F7bb=w`=Z)*tZ zuubP1>?rj(L-&uT`V;%qFK%cvICveezAm=rkQtSOB1}(aJ&JZ3`ul7N6m@;}edU)4 zn|*@|n4)cG>7t$CBl_?-?2M^G*z+{LK<|%Pv7On*tQ?o_t=!wx9qV*JL?+v<0RR58 z|BO|c9X4U!%A?x0nX-d(?fs=sa~+>J8D8nXx3>J5A#dfP^Znq*T1Eqz>|GntkIh9w z&b}qchPgHiY+}~8w%p7)@#YxpQmnhy)f0oA-=I-;1+VvfU$JLta0XIEG#bZNrWVb4{iiWZROT#+7ETzz@$8R z0qwMuUPxqtw8Hmr?pDwWUzu2flHh>=kY_$m{ack4BqiiuDvYHZmaZo 
z36n6SI@9=)txxjvKA$YQe|9Pp_cDSog{w?QuZVvsc`7cH*NIF`3Hn91zvUJ!m>6Ma z=(LSai1Cw*;{WOTR_+Fix58{{_t?<{O!M|+uNg{lK!te*?hVZ+y#SWG2cD18+JhoL z@<`sv--kt_cC;I*0TcDf?KdcozU(fS!5=FL`+}i^Ik!O0#~i-}*8R!{bbmhi6wwA? zerB6d2j|NH{+1u+-wf#}Siwl*yi!CMKZ1;0P(?i@E)Y^H&_dVcxtWn68i5J}fG>?PL3 zVD0&OlY9@)Ii^rddZIdStzHhQqHnK(Oya(qU&6~o)$Rmf$xf+U(J^1`yqr1PrZicN zc>`Hfe+5*iSAE!9c{|4DGp{hdxdAn-svopCd7^7q8t>)Z0;#QvC@h}&;_z(C5`@lZ zyb71A!2>n@aJ9l2P8pq%;>%ZuH@T}}q7R1**t=q?wg#o(RfMYvA@`^can=`}GBXR- zAX{XJm?jU!jl@*j(L{l)J2_S8hYb$sMXzr*k(8g47yI9mVDr=TJ6nP$Q^H*0ysa{~ z+&%mvlJ0Z7ajB}5?e*!kC62XGbtub@Nae<2zj+#Ma=*8Tqki%}P(iwlUhQQ~@5&#FP1Uo(kT!D{Z!DIk; z_C*x(4{Tl*!M91soRO97mp%MC04wGa--iJu<<^*BiXhQp1}GSh$ZyGLuBo4X{!R1c zZ0on1FCu+$tjpQJ`oia8Y;Z$3>n6bKaHia>$INZF3p>wsgr6 z+$vOZ`7Go7RmB(5?i}RH_pbg15L?6M-`T=>U$?ILsF16Y7BNj~VDOLvC9C2JtcDoR5zIUrL47m-xu?^`~#m!>t;HyjndoivxKo zwmqzS4$V$XnSB}Y4dobTX&+v|r89Q{OCp9~JIY4LacKydUD$`ycX?9^C^cOSB?nmn zpZ;wuc8t)$g6uqGp@{A%&(ct~8SVn{tZa_8|rOI?%~xmenMrL!!CgqxH z@ED{+L1Y1TP#b>4@(K6a{RMuronL|fzPhLu@6O?oA5XNitt{GWhk}u8k#e5sUOK#& zq>ooEp-7)d?Ip4p4j4%lmdevrj(G9{NXkyHO-pT6s0iJ)$|Rq!8uS;Y?+)y)b}lu* z+M#;Jq-*tw{An}ya1p;0ou0-_M`Mdf;sjWPqV609Y;5l}8C{TWO7z7(Ld;w1}TQ1uxZ$3D1|2jenh=-`oB+7)n zqr0ji@JNY4DawC-4sveQuvQzTm@GT=LYh#L*3mMGz3&WbTFHLATRPinj#~N?L0I|#zVnk)|H&6sX4F!wE_3Sm zrh#sp`U(g=bPo9v5)3)pczt@>`}DHum{ow{yM0asmMwZCb^Ba2Yje;LA5TCNDAt_q zM1;~087EA6_q2}Au5M8$dqfsc(sk6IfpL&#$XmBDc0?L_lxP!54ma8`Ic)6STq2!# z?oS=fMtirc(;FMYL|ts>I^z5SLcZv_BrB{8QS*o*e zb0gEa--Gzl+v)9x1eYNb8Jx=f?dI~z*Au0PZzey737BzcIQE?rU(QeDQ}CnS3_sy$ zVKiapw^)&4(Z%?z+Y7GLRt+s7?BnO~Bes^}A9HKk<8)#b)tt`dZpGLN=+x6@J|FSbedBjyH(1 zUxIK7&7sQUfMO8cu*z(J-60ux%%|F`H4Hd09gZP58{W%_$Hyp7J_fbAq=6tI^G93u z2?OnY=H2$|=gT*eBPqxWC=Y*~@oJ=UtF`<5=Bl~{@0F2Bx385A=zam{q_(^W8vO;? 
zlAwGJ`E%$GU2s+!LJCzQ$?4C9k}pC4w!jLoWt|>}I>99UY+}#D%8_!v^7_)x)-SZb z92#;ypr6|{898d57jS)@T&A}9VeNi7vxXDF_iN=VA{B)r5C4D?f_eugiUYXaf;?ot z8$}ISu_XooZ2{TAlm}?cO70y90D{hCK}vN3Ay%_QC=wsC)_8pw0QYWE22NlHo2{2O zP9PJWK8UB{IAy4|!K>03wp(_*L_;Olju=rAf`t5sW4VNVf46j%SRB&c8d(L!;eC=y}^Y(T&~mXEv17c@9QSau^m|x>x-) z^7pMVNpWPIMJ_RH-tu^i)xC=Q3ZhHMA7cx(qGIUOEJ8;#Lf*Sae@Kxr4;@V6&DMC1 z0$LKpJ$nSHWf;0~kHfX&z2HhRel{3rmnqr=W1R6;cR%ley09kG>t$1D()niUtN~qF z9`~CoZnGRVvRu*D*AfJDb9@A}8g1BTPx9BFrc9%GJ>1$m7gZBDw498(>-84&D~gc* z*`gj@g2oUT8;ePukbMl(nn_0s>>VB*wzpqqdIG-GLi1r8Oc|IF8_5{hpF-1m)2e@-Oer|a@8WlTJ%om^2SQUP zufQ3w!pM14+d3??w!HxoR_Gxp-7w_5P4AR0SYPfcLpaTNq#TrUZ+E7LCVbH&Pp+va zQHs}QOa&tuwWo)~>wGhc>=#`&a=4$PtCr?&;bG6SC|q-;Xj?;|XBn8+XT7N?L0mil zWSoMeh^vvrY~Dat#IZW0^Hl&?%)FdK+*T%qRq{J{j}^$^p$4+f2;s-7;V~O<8q$#}YW$TJD=Q1@qFlR(9?T!t9|DDV(?q0>#;nrPmg#aFUxb}u__XD zJHAe)a)0H| zeByY@WYX)DKiI-!QC40X``M$7<+0w|jLEo)cPj;YwqCERRjb}teYn*eHGW@$75Am1 z$ROizTrV;+DYPnOhWQ2=s_k*lb`wqJic~$ZKo(GyZJxYS+wHK+575MvrfWfK$yq;z_em!4 z8u>e%b~uF!Bme-x&d4Lh;Q%69H4R~Wk!aeAecRh?JE*GV5P5Z8V|Zubti z^e14R0yZ4ItDKzZPEO7?5zsZerUfrfZ8TI)fB}`=SDS-$28-$$PS8B&Ya3;=Z`t1% zW%&2aiK#MfUe8ma7wke@ha1%ptRs`@P9pm)Thrt@Kx+O0c$feQ#T|5L-nMZ#K3>#;{w0Ezb8&qhvL8wY7ZDjI>K zm}>qC^Z}7|l;p|m2gCj}O$Req%Zc{$WnWBl4N6nfjHYN5K8h)POjB3VdI0P!VZc`V z(60$XJc|LEMEcxb8X@#Ehc~&kGaR}cyw`xt*qiq5tuj~ErX?SU=X9}6o~%%|AG9MF ze}rN&K_Cyllb1snvb4zt#$NPD7R`%Y-+!ZdO+j)#j@C!h$-4JktSW zF!0Dh@hzpYEU@fzzeS;|tI@(sKee@9n07?#8eL#x7uGy zUhHWcVbzUaHQs~fY|QueTO-I?LRJ4U*qubv3O>4~{~Lq`LV1l(SRCeE1LOy=XOUU~ zRju1!PXA|K4Rr^aL_Z6h^Sf`;Yc54?Ut>VEre18uyh5j)IKMA8e(^*zqJh>F1QVUN z2$`6t-X_c1)sa)?%^znhc{qDeSiMtR_0f{a`>y#PZsYQvwvx`TlYJz=_pe|HZ00u; z&rB9XRIMeYKsA4m*)z%%Ww2(FZIi;4MOo%*{uZz6GLt2b0_6kcFZrA;Uq6XnEI;{RtZ}1$*m1LJ(xgUqiaRJasHqvCr>x8~on4rR8T;uXgd}de$DR}D zR=r2|5N!3c@%{fZmY56p>7vknb}L-x66y zzUl=oPCRoomvDVC?>k2y{2ge!2MK^H;U0#0Oke9a*g=j|{J8N+a*QSy%}nSBblTta zC3;6_$F#sMC~~vaL}-@_MC3^nZ_LY5Rm$%Mbn(C|`DntL27_5EZmUA0qc^`Ue4gnR zpKe&Rcj|BazGTGF!w6;4l^yvkXYHA+o_#h?&5K{ulYf=Aaw~Qd^^I?{)JHU;;#K*y 
z#9H^v)od2^)P9wmM2=tXdK9L-jA zL(GbAWH?EHC_^v>WD-Ji*LGWORpDS)%*qKXzKZ5AO7CYCigVDZX2#Jx$$niAtwnVG z232%~r?mSnw)#HxeKf?dy%2(w?>5?vxoOx(8~w<7kH?CGG{Z+5+IM?sDYvmga4j*) z=|fQl93wS+;y|y!*5aMqoyxL*&SbTFOH_sb!KWGBB~1J@xTGA)j4#8sM*-KuQtNgk z6AKb4?xy{2_pqJCn!G`#t?^b^L6PMCCl&sL$DeVf)LiGTzrQyZWd0Qz8BN8e!^G>s@*4!g zyZx#)t~52JI`3Koq|kXmcRb5>AbPoIK45{JXcB93Xl?5oAg%9jISIM#bkZ2#>^Iow zgf;^8XoAOJ+VITCtb(5j*nZqIPb#KFEN^gIOQOr_aq;S&g$jHCs7J>-M=0LIMd{pc z9Kx018>Sw@C56A0Cy5ux%E6uK?sGif@dkMvi>eIs0MRDxgrjw7;?lV#KjRRdx8DMF z8`@t3J<)=G@Z-=M*g-RsfwhrQGSn2pT_w@AzG$aB>EbxKs!(0|p>QinwE}8x6JkvC z>zF<5v~LeS=Z%JL>KJ&dVTCYt_p%x zEA4?6`~8ZW4@)9b>!zq9>EBTGD}FA86$-XeZhA|P%_C4a^t;OYC&mP+U%bNBDTg87 zm6;B`IRv))`~+}g%2ySHy?yQ6Umo4?jJNw~=vZA~))=c*o}ygF--nAVT(z|An0#7p zs-9=yn3c(IJ`geE#4pF|^woKzBHz1m_X**x$!Lv8RnCN2p`eQ(3)p_)2ey8-kDD#w7#M0TYtIt2hzy7lIT?&nlXoJpD)pPq`e}k^r$;VCF>leH_rs`cb*O;K` z?`mg_ysUa^?oij^=_t#&Vvfo2p?l(uH( zed(-PUb4^p$SHc*yF=UPzUA?w(dqZ58qAp@PVjkDN-T*7r$o-%B~JFeaw;Nis$rSs3A5x8v5?CD&oqGGOe-nmRk_9bu|f1OTOTT%mk1cZ}op!XG(L3U;JU z-OvoWq5t0NIb%8f=l#xA z>)$~eDwb6=C?R`O+b~guH%>(Ra|Q2L7Vg~oIaq!#G!fxk?d7o<9a3Ev_VDm>C!-a8 zTcxN<*NT9=0PYNDv<5N%tiHV_;ILKc1^CA%I#$=8)<-bg2!IMClcrkBFgO5%bP@VTc;{^b+f9D{JJ5nmiSA zv=NYbz~hdtoKLca`jP}450!NwBf3*wjZ<7zIh8gm0oXht- zVYn2&Pf1|SKGlvT@#r#Emb;qEG51`trGC|dF7~ih ztOyq;tGYQ``(7SsvJF&?UU~dn;9*+|&nL0Fw=w|UOJV+nr@cI}a%W2iB|TyE@eR+U z*A>}cmV3Cqn3>8HU;&)paKydw4j*0U@Zi{VcM7T$%eR~=JB%%*P78L6AG$I+gt)3x z+BlSxl^-i6DE{!-xz>~n2 zm`juKon>Ht>Z!3;+#=8BxTJj<9}gjziA+Xi!`4F{QxQwwO8h=~PG2_~R^t}>(XQz9 z@~J+9!SrF2T7@orF!f>iYR*2{4p!#q+I|U>x8uCY4$xmVt&oFl0KsR3wt5_lZC+_> zq_tm&yeu5{Cl9g!YeM`V9O0Vm|IrvYocx*)_^Yj zp%}ZyuUEqCCS{soW=b2CeCIZ_7R8&ae6}+`VU1Q|-PliXtMSA}GD7bP!Og)Cj(SfbgR{`n0B=nw81B7_zyY~68_gZ(4v+g0JU@BCU9y%E#1S41gNFMFi^@$MOnmM=hydAqEkF$XGiQCm2)LE z1bR4feSCy>Mkg5QBu0L%s&l&*wJ#^^YN=TQ2j3LNE&PL}2VfKdmR_4CO!|KiNL>+x zxj?#svYet)pxJ_Z0&wuqRr$oeJq6i_15SdYTPQGjeGIgjq6hz`wUJoNFzA1<)POl^ z=LSFpSwS4q>--@jk39|hw~t#V&GZ7_N)Sn+MjzI(YPf0j 
zL!d)Rs3Q;6FDxM+Ws@x!-m&oajPjuT15mL2Pl00p-D?g(!DyCBo6TXhWo?{J$Y5Pw-LMWT#SZT&Jo5g5`3;f0IQ5FRt(EaVi|Gpqyjt1 z@7q&57^6!{d@`MnCsvP3@{eaPGTh*opi~tWAeG1$ze^;a*fuo`yBrtyXU-)rdQ~3(_hj%b@lla9V+4@1|4-sLI{+=9Oj)b^LZD4{DV5a2id zV10M3-+4~Gx{tMfzogMEFKop>lq2JQ%UJ7ZflQCVa%0g(=VPzL1oM3zo$|ht?}z<- z#^n>DP?|(3dL~l~W6)#vvJ$j{dbcMW| zD@F-LPY_>`(4jN1A^Dp-2Lf~pyn2AffU!P);TR;e6&QxP|7TGrzWI<~C>9VcL4#&upJq31w>RH3L#Vf{(7&XH64gRhowPj4}rH z8G?+|_&Z*{T8vS<+Thm-xp`D?A@q#kvKT2fBro8_s#sX!MsZ9YrlY^tsRMiW=vyhq zx(sd0C+N|@kybiCZF;?TDDv%qSyTSlivQmDy@D~Mu;E@mpLcqykFB5ofY4n2&4e*0 zZ^$(e;EZvTXg4A+yx39qa_526cuJjyO@v)I6?BrrQlTKaJuNQH+v(ytAk%W9L`clO zT2oU!Ecr#bxa0GF$dwFoRrS-)$o4zIlgM_!K$qZ#0e9@tE|{45k7qFdjD0qAxE^C$ zR}VK!vq_)#UG2iZ{X|m(NGxgRE(TKWAnD}I@;9dE3&btdtbIK0ULKHQ+6QyfJx)6! z&zDbF9Bnfga2!bDRX2)E%!${FFy*fvlR}D`IR(1haIs`A)^55g2KDb`{E+IEma^&@ zF+Qy4;W;f0tDl~a1?V9If5=k!{*ZZ~FMgtW>nO#zoFL5~336>)*_LvhfL^@->dB5cANK9#)6^k#&HO`E}d z2=O-1z=CBH*lkM0hvh_r_T>>w^0)QAQak%T*GRK{v3~9B_H)I~rhNd>fuxDqg4R#gAD?96Fv#Os}6y94ShckISpzvQ6-) z4$eF49_#VWm*rS#Xu6(!8g%#l^s6s}Ec#1EzVN#zgKGH%`z4Fck0ha5d|+cq@k;6k zT;G(yyG+&(FQ!<{*u441>L-4}oGy?sH9Vq4e1V`nv%?Y=D)L|~@#W>O=FvrC~NEH=yHh(2%#{lUi?6MXvfi8317j%rJ^>z-(A3dP;2W5$SKMgpc(G}aMvC9csE3Bo zBy*(+Nt|e?X#Rupm?JFqh^xp7;0rNtijO2KF6d0$!6H7KfurQTvZ1lY8Cbl;_wMQu z?pH1!>dSb9VjGFasC=0vu`bz+>7a(x#*En+0Yy}z3wyNZuOoxpBXa{MDoH5OJhjea zgHal<6X5360l!0->6+)c$o%XK)}J!9a4Zh+$a3YCGxG#_=IYGBD&FWokQq5N`7pkv zV!rmF*=RYv>QU>;^kUn1%DI*9Mj%s&hFRx2&2tmN@QAK6L}>8Tf-|Gt@YYL@_g4As z9k&#igEF__=C^7gN;pJ^CWOii9Rg>7GMscwyC%)J9!Y#rPS7N3)mzPWv1`j(sgj|P zeUI_^RLT`;nJc3Hb3OIzS@CYR{X#-QlV`*O{&c6fg3u3E`j7H=J31dlRL-R341?X0 z7-7RJZk0e9(xQa^&vVD^*a*|t@X>jiAdB0xju`^Dw%+n}mWYol2KThOy+$r{r{`$y zEme0-j7!T}EFb%QQg`+t|FRNlE4bdg7)0|7LftN5QyP1R-Em+Rm0hNOCNW;~n`m6Wq6pw~hi>~rMtnlz0CK-g5GDl%5SNq?VSmU79z+Eo9Uc2y z#O??1sS<>GQqUhV8X$XIA_M@q;O_vo%@OZ+K|$gKU=Llm69AP4PW*pA+d@bMMTCPa zO{*wPPl3Z(Ol~$o+sqlCwK-mw_DJJwzQDcoYjIAz*t{WLk(`b^YH{Mz-}Fe}Z{Yhy zx7ds;L&Q6nbLxJ-p8Cp>oy8PT>A;MIwUJdEGvyVIMEnK)*2+}+n=;SzyQy!T5kuL( 
zx@-^2uXReA8Sem>Zm=4J$%eB7Y&qb&#)CNl(FcOVLKx!k5%8rGyMTlj^>G~)aPg)K z!L7Ikd}$8QS@j2!W8fAs7Jw~cvK9aHvB@MBV9;@K19Zyc@wbEnR+b;IJbk>-Ljz>p z`%0u@3@8Qi768@l4F1!n0BQCA;*mMPwT>eAbpyq77(iiI2ZM;NP25?rN9F9qPv=OW z8sXfWzjK;n7IHYAMZm|8Pkp5`? zx#VXKx340dFxT)=_sonOUsM(v698o;1tU)dfSZ#R!Zif(iSq~rh2e%hJ;q62P=faL5u^vP1k3rWz`eLe(g13Vc5wG0cnHz1 zH2_*06Rm>~zxH1wKC35!y3dwKjMeYa>oUNv5dbRT@BWu}X;RCIC4|>@5zlf@G=UqG zX8Q;G0*0hE!HH{Z0Lm++LE>lNQhm(+uWv%XuWf@U`mqYF`_kJZpfxw+mN-Kk)K8bx03_bC^-yWYCLLj2FdjOANS|tVH&-b}!`wG`+P* zie1u~QfoS99D)P*@T)n|(=aL-Ghmn-i_<&0)Uu0DfBXhX{w8Y`fkv{1#l&OP|{idJferlNGkV-Z44VweYTvQ#h{6k!j`7+uMT zPwogAlGKv%u|205bZ#ukexGe?7ULVXOmV7=eW%Er)igPdwgm-SicB=gLDeujC(*@3 zb=;sv%_wHH@_a_USdz=(+!gys&4snAyH)zj)PP2mi$YT>fVP{(9V3?(t`lX(D>x&P z&pL~9{U-o#E{OmN4))=_mFNuqD3>>#FB4WwICrk8uQPJrqg)Gl1K=(!@8b-U9uvZp zMh}@qcl6JOeB@+=qdV%?Y=*-0nxtCVZUhGhLoA?c$1*sY*1cdU%lo5C_=%`JQqT96 zVrXQGzR8>;oMSBW(*skBnY#z{m#mu9G88+M=0bKWK~t=48S)bq4#3buhZVYH5{9u% z#R}hPO>q8+aNGpbQGG4iw$0$9ooO$PfADe+w;Z)}h5Vp5VpmZT>etqEmk|BK(UR#W z-Z(CA=8Y<#lI+ahRNyGpvf3fo_0D~&%|%&>S@$jO@V{%b{9EhbBRxoOBLdjZ1_@iu zZ#mmzZ_ce--YW%Sq)v@~QOqU5=bbBj-`4QUY(Xk;8`ztRaH7n){N{An$2am^F5mqf zg$GihP1b+y|41_2kGvbbPf13jw{wOvIRm!ULtwh#C@pJO=*Yek-MSOcOi8&g8IuW= zoqj^UNZERVpA5q663X{jw}BXt-)mn>*Iyv5oShG@a}f|-Nw1DPpU^HK-G~2bx;iYc zj`1h@m0SbR*0fvFcO(wxvU-l)OTe$LSgCiyL!K@b>wKu2PqfBYV|frK%!% zMoZJHB0cLpH;DIMX^jM3RbxT{lL5zA0-q7;z0aJQF^*J?a#W-pTb=W}mF!VP_sicT zyYrGlDyvSWJh*2tXM^-`*hh=8&3AtTL`4)SvvBhJDkM_wLANVtR`_&@sUEs>~ z*@{Oa*-TBw(~es*CUcFV^eBnF^*YXY?9U(21{ZlP^?Zqh$mnbhww?}Q7a7Msbv3m@ z-|+=4f?VgcXl#Yim^bSoy3FozvaVs_tslKl1>dsK{tlk67Fq#D+cJ<3=xY+1TGHAq zT~Q4N0X$=Q3Cu0iW_`B^=LJ>ru?5>yoH{B$l*>&`EwtQR3TFSZWq?ENpOC}nLxSS3 zddzzF2WFUkd1%X2JEcA3S-G87W!VI-s{@G*?EBl+eCYcM)A^yb^`(ea02Bb z1(GxCb$k&vBXCa0d|=7B3fEd>T4Kmg&zz;8r%YFN?}1}udM_fQettGgZrt5)^*0@M z+^x1$Uk~IpKn6N$Gl%lD>Le_TNo!NhrvH zNzo*AWPnND!LY#8&+d0?{C)9W+cXav?i@#4q%1TmBEsdRqNT$$?E=h`0v_n-A|m8Z zHpRp41O<(vQrCfUkr>^v1hILLzcKZOxii~J!Si9PjBrmlhr=ts+XV_AJ8v+C;4RO 
zxc;Oby)p-|3*I9q_^fblB#o2z=xsTm8<|T5`C)Ww_Ag6k;OmIXs2{}GcKN4&$liV< zF`lM_fy^vicCgJtBcT622IQc`_Is9h+5MK1d~n>>t}}TD@*2zxpV~?iLI3tf2#D;s z(k_=rsnE%NqwKZJiCS}7#&2~PqI?Lp=jvuqnr8R)WR`~$e!i*gbk80Xxl%K*9(2nn zyzdX>6`!%fZoS$N&^Fe|od9xTGD2GQ=44M7%~!B{E_JVhi?Gzt*$(O#ae&~4PgN!` zE_z^S=r{bPK_4sfKPwdZb~H_DmeO$@-V3^_-o@r&@|GrAQj}r=8jKAKf5Re5OUM*X z3dW2LrgB?57+Z~s_Aw1ydLj>NML)H}aeO;hf(Ez0T}cc@GE_T7LX+HEX>EBv-dA70 zxTRx|cGM3b7j!OdS&|RI{P5)1E2V(J#bQcp>$t+ab_&xM-3LFfNI`14*W?q-#f&i8 zx1%-B=>tpxl43jf5dJwktlX(%+k?ibt)s>IMe7x%VwJlKm9B^z^o`xM+-rUUJT}!Y z4nglgbVoE1O_x|Y3vB7rm;LljYpVy7MSkbM4brCUkFwd%YkUCEbRf=!uot-eFd_w} z@9QC&+R>q!g;eRPA%9TMtks}38#Fn1F0+1h&wH38`qBw`m$UgyC3@g{mDKjcbdINM z#JI|OjLt(HWv}!uCeULJ68Nj&7bp1K=IQGk(rEDyb#F82s*4g>XkfhTOJF8z7@_W^ z-V*qcZ?{(J&~r}ByLfDJ0k8G}TZcnO2v<0pIo~t@m#0Y8gz`k^e$BQ8`;xET%gAeT z9D?(k!Q=>c@;0VLzSl8EO9Vde^3T$G!(le{B8r(^M@}Q|;8v>gQAePk`TRHBLK{nU zgs{AtUzVv>@pSr-<=wWRtCyZ&K5oBcdu2^O^u_kbS>3R;N7dM4E6YW$FfeB#d(+dF z8R$?`>2|dYunnbDR(fdh_oZxfTYs_QO32)SU*uHDEoWI8u=5VJ-YH=pWQ2IuRzp=1bn zyi^w^|DD@fiji#MvW|;FF5T)iXmS-;*K-G`deL~FqY2O1{e=F3*ayT+wqmCuN#RHm_(+GO zo=MZpB6M<2V)rma^8e8S5ZXXpBeLT{3ou#?`)kh+ zTwNc2O97w1X!DYAQg4RcQr|FtS!DhwT*Gl|@(dOkhBsHz_x@QH;Q@yAqk6g?)n8G)~SJd2^jU@y%DW3IGu}2h<#TCNhEeB4YZGLBewnj_v`jadrg5# zPlx85OQF<+VddYt09%SsA-`r4)foIfG=Ai-p+)hz0e|b(zk>JVGI~L0bI<8F5v6KD zM0z~+@fTc72%cfct%2EtotP3*KdVV*#U9;WO2muRD8A;soS{uA({k=h6NaXN(PMAw zBf>K1Vp~&;Mkrotjh^V2p_KQvxPJ1L{Pv9-AvX}mYs+ZHeBXw_7DyT3mjn~e>T(Xq=|Dl~FD`a)4=rLX3e)Z#b}6nE``dT9 zO-Zo^s8=pro~d~pbi(rJ^(p%_+X3=#B?FpQa1@FKFTKO#;*3pACvVMQ8EtS5w0mCf zBKP3QM{e30A)DZ?r{cd;E)2x_JR_h+sttGV3`sO@otj7yPYytrd%Q{>6vsf*gw+k5 zO$0P&tJ9~Wz%IqV3HLu|)4wu$-$MC42UT7Px=DDpWc>a+A-0X<>aa+ImAy~B;fUl~ zQ`Of=(MO3vt33McY%=Dh-4AP?oGl$AE;10Wk-!{^+8a%`$#G+tC{S!Oy;;YbkL_2c zDssCM&LwzaRkfD*WaatZClFibO65;4^#ELQ8&5f8wXP)Wu*xVMb0F*KcH(nC2P2FH z0{@w0w%SrZ{dq?=(BYE@$mR>QVtI)e1tERk^(y#7^k-y?YrpG1J?#wzs(QZhrF)%v z@eLM(|5kv=$p*sB-{I`~`@h3kd3Dzuc^iVpTa=)7Xodm|aPOD_;VgZma%}d^d0yP4 z?dzylY_LW#ZTQoF3js=Xcdee7oo`vr0Q%U@ 
z99|A98e8Inpn_%tGJr&}s^jAnzmN*f+p}HH);At=TY>xb$HE0)rU#eEfd?dXDJNwq ziFd^iH1IJNaOalWrS_DflMS^<8U1RXPcXRS*X z!Ao^i^1^P*FD~EF7v<$4GWKwW>#51lAL`AEmjl2$ShshOJFq)$_8wSBSO!0Ctazo@ zM9HVv;e^$gBH!3Kq!%}eq&I<#jcAADoxGtl^^hPRA zEBfZd>_6B0zpzeXz8wU9^Qn}HiHoTa0fa1vLLD}k0M4(Ch6-vzyuS#!*)L3}ZWu*Z zxVfQny92`WY5!^vXw6d1w5`K2z9SUi3Ohg)@*dxzpw73DW9g6ESL{~%c4&2es9;iJuq<@0bUY z1=1{{rk6;!fxZ-)m1rn0aEvCH0Co#`fyw7;_Q!5BHlk?6XV~1=&PS<@#wF0U<18Fs zN5AtkyiPmn!-*n4J~uQe#bu>GHiA=Uq|$&+!d=VbP1O#+twm}>>c_UbgT1$eR(tu$ zHwHsMmH9y=s(CFe=T#VQstP`b#F46;;XpL<5Q&xRJK41~cVCnkj{l|kNxX~A=9K4uo#Ocq zYA9q(1tEBJVfYWCC`G^)tBd}Cvt~C}UFFy7nm2v`>7TCBrqIE}@ybP4Lz}dW#nT9+aO^;zxYxEvp;s>j?m`3 z5W};R+caX&@2gyT^^r!Y+Uph>=Nz*vgbL2Od3F+>iUr3Qg?$tOQWAT|+WQjg*Y4dw z1USn3_VBIpak>C4s8Wsu5A2RORxRw|E>D6Qoy^FqxS*CA*uY1{{TS`}`K?w$2)r?2 zq}95hHJ1}JGOgf`PC?A?)NR(8opycPvST)Ks_@V}8B1=IGx4;@z5bSX)ASrvHXgGA zRBSeI2d+md58DOb$LlCT?vO?x75DM|qfLys!!;7^mS0EzFMATm#$bl@wSetyTt;i- z!trr%2ZD;k3}ui)Y){HNxkYvbm0x7cnl0X$R6mYUGw0uK2RA34g6?=wR(LjBan>Ir z5j-mkO*3v6)Xfc?+lF3mS{09RksB9lYg66}0WbeXZg8E5|NNI>s35WUU)L^#LO}1q zV{kPr$2~-&E)co?A(ZGfs;Ih0-zWwY}Lvt{Q{=zV@#>Ut4QPSnGZ7 zH1B~p`dQi!W<00{n(w!|vW1VZyjkQ{yjr>P)A};CPyO^S&61*nRdetWK__i7?PE_UTeBGI{M_o*nfFrAZx@ zyQ6?IET%7u3J^V5$m_<7->~DFys&^I>7=-xcqP^K>}5?^PSnqpe%8~DkxF?QA=cR# zU1>kSJyRxw_=vn+feeK+){Yx~*X=`?QVi-}qQd1e${QQ>J@&5eU1xM3gsE!(xMB&E{c^2P% zYS@hW9Kc{2nde-70^_(W^Eq*Iv-T(8J^?%>e1}^|}B^8}h zS+~1?tE2b;-GgyS97W*YW2`H{^O2B;*SQE!hMZYgKjo~H&@&hP2P`iocA)`bo*q+lHu!~Gq(U;R+bnGlz5-=oRi z4%)O(Di1zp_2=bGiGo+I$ySW}rhM>&b2TPgj?zX7*IIOEGMs;kO;jB>?(=1L<~?7M z9Q9!MIc!x`VM$+NBf~WXCZp-B-&mZjn!w3BO{F=y?hw$;N3jHxIw)xW)))Zr4cHcq z#TWW=(#nGnV$G5iRW%Ct>y1Ouc$_!^9PR+*>hfwO781ruvTr_k9WcDO5StxOff;J% zo%5nIskrR+dp?A#dPTiKtUH^$G96xscogbFWwM|nF@X)({AqiIEx7wZQiG-vFr|!9 zCkp>yQjQ;X1czkYc5g2kIZ*3S>0XjtS7afCI2T#6OOY6ceL}bclk6yLTDTsgRhcR0 zYn*gHOPXdhJ~R|`IJ7r`yaVA35vPiS;pmeafW@IjF8mJ}c#(!k&q>lL$GTm#fet4e z&AS};i~lj5OI;K_rG)|c>MP&@zgvk<4E(2+gRc`f%qDyglYBnUM-)1cb^ykxTxYlW 
zQ3Yt5y(u9j!W5>KsE1{DTH4l~Ys?(3*r(n9rfu_S`JJCT8Jkzi*^Ji3ClamWTUb&Y zfw$9&+fFKFCBsBpO?SIJc=xeolvM$Yle+M0|QhduK6Bpy6w4N0iO@DP4(|W zo5;!J<|@YMBEpYV$&}-9J$vUG@)cV@xmeHZQD?44sPbMM-LF#jHkIk~rXE)~Ez<6H z_x{wVEGCLQdmUE+>d)e>I@co{iSdwzKXw)Jb+^FwkYd_WzyD?RhS9C7tGPU8R z>bHm=T?#5pHm)<`VHOaHkv5LsVt1R9^y*qA^ zdR?%9Ta@h}u4aua#_2eW_bcAZaCCQRc%h9$cEq=(a6|eE{K8|u3K7ZK#w$LFGaTn^ z;f&z8O#tDJ5j4hngQGwNU}{fWHoTgeq= zovDei_5`AVSspwSJ_xFu2vL-O;FyDW1uZu4+K?8ZNqyg^OmyRzeRS9*xqC!#yD=ea zvCUWorkk2K>*fi?Qu5<#WNzemUXwiYJ7*(}JX;D21uS!WXyxs5RM8HdcP*d&*3O=I za)VM?X?>D2#s2H{7QXN{7(3XFz!`T|rJ2!Slf-%le+Y!^MPwQRX9_?M+^7+gUx7|} z?!?&th~*T8f5&oM^+k9R`phB_LI!R}I{drBWPzH%W&kuY5*7(=N28#_1usi$JOGgM zZ4&zmlfgphw%$ffkEr?B7ZQ9IblzKwRbk835OR+P$S4@^CB#LsxxELmNTR3quzBH2 zKvQUX-L+@y5y znA}gB!XF99h5)0{5S(Zil4$|65W=v#U=-H&mhS_KXd)GtZPu-47f>IWT7Q_LF7-%{ zW#Ap=qxRM+<3iP5OeIY?@(#?4HxaWk)^yK74C-eX;*!6AzZz=&v4MPGw#+45+a%2f znOx}sp+-9hJ7bW+MD@i}Zx_Z65;gu(jM)MWG=e!}VTbmUb#3@!l0a7CQ=wXJ<{L_s zEi7ij0mbhtDFtb_R{GlY0XvUsNn$*Qkg%G z;uxp}H4}gpZAOIE`2{x!aYQpDI+s+{b6HHw4?-=;uT+(j^LAEybJJhvd~&~q>>Z63 z5D9=gaBb%?t_us#_gXX}fc+N3s>Xq0xIv}>V)<~|K*Kn|Uw_x}eWLY^-i>lEms2wR z;*AqXnP?j_3Q*LL$t2J;OGyE_rBC!*{vr||RIbBoq0F>687Z88RN2!rD(bUFUpN?LqPDUE`#^#0^q!cC;_IbMD zXD3rIoO33!6V5zr|C11i8Kfc#Y8JbKZd>$Vi+y5 z!0V!1JZWWzU`{%YUC5i!)JI5~gg^{yG#^%_3FY@g?T%PudPiwf4KG-)=I--um%`t- z7jA(|346z%Vmqf15nRC-NE`Z=lO^|8d-S+OqX^b4S1wX|iZtRO;aeZc-gzY|V8zmp;U%kDprU#LNk02`a z9i&DGI;|&8XE~X+~U1W8>rkF=^(Xws*AuId2-Iia|EiX*p zc>U@jMbfX84l4(1hd!F{pwB$nIzTrnRB`X;#ZNegh2w)w?CROTmV@x?q#X0mmx#J zitO>;i6c_H;xqom*+QQ721^d%!F+MFXkO%=AKVH6^!!44{=4D!zk411$r_Q?$)@_^ zJIw5130Jf{z3;DI?qrNrGQ3UXC_rW{y3T0}R1p^a#$sBs2B)yBGV#5C=VQO5^Cn+_ z1H6b3+yUlzOqbw0trmK>?6EzRZ>Yq^R>o4OIOlH3 zYPQCSCNoZdo~b9(zT9Lgtw1@??mQd)q|!+k#I@>Vn362%J@K`;1ZpWP-gfeOPO3Zv z92ai?>N#8K@JgXaDYevVxUMT(X)sSq-&crA1cdpDmTv1E7 z60p`qI`MIyvo549&uZ~=|6Q>cgIBcO{T|xKJnn?jZ<)H(Z8Lau7jl|KhTantg(Y-q zv5iE`dgg1mIJ{B8c#jG{+%>O|j${!tZ}sgCW9|l7x_c`8NGfz1A1`#lUNI@EzQmA! 
zO=zX+8pXR6CY!|==2SlV0A0ejoR`XdwrKtRP^#+I_Ag6cS+C1lM;&x{R-a9LB=MRS zH>KwENM`kNn><{)n6gTi?kShCd&|h&^n3C2 zTJNEriYGe;Vn?7R{RO!N6qiynK;K>%X8W&8t3JdhZ;|B$Thd85Fn=NTPxI$@unr2U zut>yrx6t0E`_;ZkMyam_i@UfQ(6#M`uOM;}zR|~g10`b`1LKGHysYjgKZ$UAbEg8S zI_PwvyaS17;>P7wVpu!MCJqC3ST5PIHZ5Cn*S?O;D$Lz$;%Y;K;^jPE zx&n?=f23cUhbuK#hhED#*t1$3V&(1Pb2vYJj9y-$x7Hom^^R8FZQbXhSjic5leZ^u zs|vOqTrHeP3LJLQSjWHt-cgV6IC>|H6dTi|gDO(|r-iZ}^xVqU8P{obJL;4b=#uGonDE~$lL~-kqFo!a-;22tr$g-uHkf58=Z?JlX17I8 z)#S?}ncPG-8mBWehv?*F2b?*RQsUckw>F^j7Olz8b3=z6$C4>mX05J2AH1PWb-5{o z(1P80wwT;ui>r>67~DqCSeSg)()h~`Qn4$eX4TpG;R8E+Anu_kIVA8EkUTPzMOgqHS zUc@XwGG-V&wJwIIPQ5zCCzsy|O$jXnN8uxV{2IS~{o+qh^!(GuuD)(5RC124UByoGw7(ma zyy!a%vNp~V+n?;O)K|uUUwA%xNe8-q+SX;NSef+IGnC;5!tMq=zxOG< zw6E)i+5#}-<9;7PzR4Q!v1Df{gNnhyMt6hTMyxFElM=fU{UG!lGarH%e;%eavBR=E z&ODBx=W*zEzqXmfcKbO9V$O1Sz(zT~A+3o8J7;;W&!_C~HVjhp^aJRe!tYp-jd}qy z6aIzyDA!^08O`Df3pc>uyXoO1QI6o|m)DM%wZ%H!NjP-k78# zOj;odPDxPDR83Akd4zrZy;?UDWvMEcw(qHNz2o<`HKE6!GyDj^@M2g9YMA%w(%RN5 z!d=Oo$K*ddZ-M5_(>t49hrF?5sBo~vN37^oKeVV$Xq=8heBI(JtNKHRFioPQSB7?r znDmC&h&NkNor!ClE5n%**1~Rcx(po0%bj_Y${czPo7r4_*)HpRaW_b z2ZjHC+ObW4H$j605j`W&d_YVZbs@I*8<0L*K>Q0jqTBu#RZh&H z)$7Mex-Z?RMMHJk%MAr4c9RmkyOnHe;73H z)mYWZ^Ng9cwws5Vj$#|A6Oz@JklXFu++SM}qNi_ar7ptGCK8;W*lc%Y#@Gl5^sd06jaB_B9>j{NL7 zB@fP1V`*c_63pUn{Sif`K!!?5Jqkebrkr_`#8bTkw%A8|i=rQ$C+=cwqE-x%`J zLF9!(%s841u?Rd?`+>+ih+XDCWO?-(7bH|O=YLJOYHuyAnEq`7b1vNs*?&OrBehg5 zoC!ED3I5ZevjOH%Ud|pO{wM+g@Sj zK9@?VJ?B}XAtxZPS7Xi~9}gq7UboclyDr_hdseWSKYQExAONtdmstb^ITas_gar|w zakuHyMW)}gpt9^&owfbEW^EIVO4vV=TvOyDOyKWeuLLa^<6SEYPJhw9!KTNt$6or& zW0B4)$~xtoW|4FIS*9ZgS^a1em!sqNt+US*q|Sk-Bfm?YUZFjoU#V?b^p-i3O*D3x z6)+eJ%pchWv9>JQHkZcmaYlJYr8j=2A4MYki>n)xowuyp&~~xY5eti)K@Cc;o2XOG z>S}7ukUOmY@|ENcM(U}KttC{Dla%x&x0xBNeIzY*IA???>@2w;ka*4u6Ts)@&h3zb z-7*Kh5BGfE&^lIrcUkih=Y8^m-s4==7~U!d#nzI@yoK;Q`!CD2uKq@L(5oxFDe0%X z#n~%wMH6?NIg=O}>E_Kf<@e=Be(i9_cY6-BFPAFxaHquNH^p3YE6J`*-H|E~FA}GX z6?+8qGOJW+mUO}WoRyv9#!nzIpnXjr)VURqX)U1=wzg>gX<-|Hd-%U4eI&W!g-EK0 
z=>KrH01C{2uI05c2u?E=7&(MOPVW3Ya+nJQ8lx098eKq3d5P>RMY1u8e&5(MJm16$Tp)8q&+*^N;WbE7%I?;o8R@#?;*=>T1)++Ymp{ct4AYG9d;R?2 z4;icnqSNNXrSmu_d0Goj*^8H?_}FKcQl|y#I-DhNEhUyj^6a$*oVsv@VOF9KO0u1u zue~gui`YJ(MSQ@7k>~C0-Pj>Q2|bv;z00#u>o%}&2H$vP`#F7O-q#1SS8ldgm*2ZB zd#kqVl~bSyar*S*P?v{`*s0gdi*HMbG)A`awCdP?%C-y&K;;TaOJG&196loKTsz2o zF-Z3M$99ybA;rT55lZ?qJHZfBk9Nas?rcea$2}gV>7n&QQ@-**o%S(7iOp9SOFCqE z;EMQ=c(j2CzPtrNNtF2p1({DYjTCNFmCjg7=IF?~Kd0okP`x#> zzi1QXNf96wS^N?jsaZYh-B;sQWWG*S8GPFI>M=OgRw*d@4;LsgM~@z^Y<-1J+LD6O|_&) zvM%zt=QGsN#i7R%coF%8NMG>DU850~MxzSXK8sl7FR=zGxh*4iz0?A2N2wjB_|HY7 zuj4)Z##HxD{K^&fIu&mY%LiokXK(qU-~3EWj0)(z-RpVnUeHbd{HP|TEzs=-YirE; z4736fDl4I*TdDBGc*EaWvLW-!$}?6MZZ_KB?hVT^7|)G2hVun8ZWT!d(&Mu83*Qcy%-a|f zN4>{mq}Aol<9)UDz-8%)sF5+=rYAU>_5$wXE?5Zod`fR;*sK}2x|C+UVIEVA zE9pA+Ab^*I{o33lcN@8_9-z~elI9uX45(vLpE2;&>gtePO3WgFn>nc)s4-@PccGpN z@P&4dhbdvBS0K4tsuJG=V+-@FttSXnAJAmFBn}r*)k01L|f_9idr#T|s&~ z5}tYY;AVe&i#ofa37GO*OV=}qJb2x$4H2@3x!`NhU_)oHyERXE3T-fq)PBjiRi91; zYGsP9QHb=B+@IK?I#-y52{e$#hNpIk;$FO?cB`6T`H!@9@%OYPTdFsC#oj6B;%1VSBjxgzfE!;h$QYR2{hO|o z{};UO96+sID*zalT3F=y9TD_lU1t*+3Jr9+Bar*v^8$cNni#O(Y8E+=ALlh)zsMwd z_+SZ&NMEGF7@B3J^E z(Uk$kVC@V9Bf--owe?!nZYM#c~`{KTi2VOl!Erfm4g z@zr~~Xyx#rVA9X`@pI}u3Qh>ZYn{;HzxsXW?~O`Q2)g)a7TfvNm9_NjbAovHuuB<7 zn+OLz&F2+|hg*n&t>3_0pv>czapGUYt9yYiHiz3q=XqyH0gDBIj5t2-Q*7CiJyh}1 zMKW;|-a699b28accjc02tHQ91(O%Ty57JHiTvGBk2M+#`BQ4F&s<-CSDYwe~q`p4T z49K4=Fp68`!-HYt9? 
zCw_r0sCdQu_=k#YmA@OVWN_n7!uLeEa62JUVLC6rRj7b_yClj)tXwW$(l>LZT##L) z!&$cAl*2HkA}DejM~H2oSkkR4FHi1|=x5-LU;+lotb+Gu=cw<*kd?qWCsEBDFx6uK zf6UUD)m^3#`mIDuxMAk`eVZ52eV?8vcvv21@{`@T)O@+do{JHcan-GWYnUkMxS7@-UA|3vc(W}= zbvs4{{<*pnK~4y6kKUG(kAl%KKoxdJl#l<`p56PTOV^~aRvnKx!++sn?*45W$4 zrUe6bQiuJ4H2AjT>4_#0CcGIcL%&Vx6$He0J9M zUw=M-n0hg9iOvG0%4+~pM~$Lq$LPa?5P(UFKb1KG6X})!^advR0=RaE6Mm2y5W6D7 z49u2bRzfiLEbaHXb*}yeQBb3kB7Npc#`)SAcTS=Lh^>56xIPjVapqi)TG$*NU{r_x4rE+j{9MzkdbRGZZ>Py{ix?b8ZEe@Uqe%d{2N7XKlg81|UHl}BJp}HpQND5F zWopqTTs(WrI*IC2c4u2qQT`_-)Xe^DXOgXwVQ@v#R{0+?kuI!%l7)fjkM%Kd@YJF6 z+1&rr-kC-{OxOV#6&S(uhR(V2fDg z)5a_)=4;>a%`@*9@(Lxe>uGpq7%H<=$6z%EWf?RXTsvtSkabefi2oV+#@aqc0qZ1_ z7itb?r`FC5;H_BdpKuFQFkie-QCPntI7;>37yXpS%k_cvl7Wp1>$x41sA4josP?A2 zlZ8@zt$xPjJ|wtGc2%^M`{W+s3wJ%cBNGx&$jjc~bIPR8HnAnG|2K)y{Px8`JuH8{ zyV>K)tXl~57QQ>%5w=FOXNB)v!S*dYTUThOw`G;zQ$OH7o_bJwEJL_T;9Nc>LX;{4 zGGh%zPzY{94V2vscRt9|6(B~GBKTz$?Ygr;^?vZg{zZ)dyjiQvnjFEC*bwE5{jR+n zF~^qF;P@OW_3hiKUuo>C)tMjbYbD#ODOJe9oWz7FC#a7xU!R_`^Z9r4UcMey^nt-1 z>uw4OxHE^!BN=SB6lExB#Q)^SfU$`ksYV8(uDCR zO*Frx8!`27c%(V)o6}^~+cc*$2`U%MXhp%sK1Q;Fg?P*Xo_WclNlNs}`MkU;V^cwn zn3TkBmOTO58L_%!`GghT zQQ6*F999~V)pYh0?r<$dF{v^FF82AIe)OD7_(;^6Ru^~j=U$tx2X>~Bh-J~!n2(zp zvc6V8%-@=N^!M^MlS1=FtqR>xB(A^H-ZL$PMRh77TeMI(-NG_yAe3sT3#8b}!Ob3E z%*mU8$ukK?OEpjI$-xQgE_lL*A^LUT3=lN{Wur|KHsXr`MYfhoTE6sxB(yMw^s}Xy zxGzDn2$2h}sEm_D?xOtTq)SXF5-C!>N|q=iyU3S8rRW=6^0peCEIX13IFJfRbq)}L zV*{1ozlRfK?r{P3$d~jzxzaS*+3CPtdB?TD51O9i``Lj=!7(!si?SWx;Yiqn#wUWX zl>RLI)F_rI5csc0+U;kB@zZ}Qk-HYH0KvtE$35$k`)WVa&|0e-9hKg){^hY+^+HXr zeRVY_29O#T07XpSy0wCl>cTQj(ee;y4u-U!V5Q=9nC8|ysO5}$43u+J0_U$7a{KGxV7V%9xWyNV4D?p z(^d%@E(DxohA3~M#^JR16{I*Hmmdc2yGZKDt62I~MtZ)p$(?MUCm)S&lsW6%2e#4Y zX=QM!^$_)&fVS@w_x1i3Hq)bi=n4ESe9NJBydmI}_jx<{B;|PGjy1%38r=|09Asx| z_Vi&_Rlh=D&K8zsEx*1sSB7EnIx!Aij&`d1&pn+%(TLr}Yb+Tx)BNPIZ;A%z1N1ZW zM~ppkUKQ+6w_?MY#9u-ziwl3?FSWJZvy9eqU3WIvfA+#@?{tt@EBempe(J)(9sOm`J*#Oh@d@%~qa9N*x!7lH#@zo0szvq~tkrXIVU^v^~v6 zRpeiY2np3~670zhb)e0;5c09;fT8a))jrO31rEg*5S(cbb~~-yiHf(ajJcpR@sNYa 
zCiAOo1SKvGO@i}|;Z4PqyPq|FsptQr`Kz$#(}8#C>}MBU2#Jd(`Hd4*_>NBUy8s>u zztkRiQm?Q7qm-=s$gWLd$9r<(*b4BceixF92- z-(bGU%Erb<&&0vW&dSNc%EtPiKcS!`KSOo(`qit~SsCaUSpP4#%WeQO&6QtQ0hAPX z09TkPD48iP`v5=yfZ{57wEr3K|JW$5kjHq9n&vt!9r*_24Zsx&O3Eu#l>Zqu`R*|C z?*J<1t1P!=9$vd?`keZX536isS}~2lqx$b`W)nC;xfi}s*J;@~IJvlmghlR(ipeV| zDk-a|YCYE0(bdy8Ft@O@vbM3cbAIXK>gMj@>E|C17z7OtdHXIpCN?fUAw45AD?8`I z$J~W z$0w(Rvw#1=MM1{-Kehh`?0R3CNUrb22i+Hk0D_%n| zDxQbtVRGL74Kn~XZlPl8-N1f~CnmBYAKB)7-|IXSxb@bq2uPGJCx~FJlm7Ct&+Xb7 z7gdjXL%cWS3mrUPU)vB$olXb8-N~Glc~*Ot@6cYG>(tz~>%Hr;+tF;efNSYC)n;3M z#%k)6i0O(JM@PKnr^Yud8JzM9wRR@ivr!17T(h9!FRPa%P&gp#<-Z(N(x!}gX9c&Z zgqwOzvaTzLu;FUDI;2Mn1GHJKO+T1wvjYCRZb!P&GEqykEE~s&t0ikaOxafIL^fuO zWZP&lY{P%26=JtlQ;l$lH!x8=_9P97TZ!6}Cd#21thPGG8K&a*B|qsUwg@)(1}ajx z4m=ofE>dGliD4?VESVPIP?A(JOW6rsM(urF{8Ont^YyJYM6h*-V7~!fVsn1lY=8gJ z##NzgQCo^vWmmMV5f3$7{GWd@)eaf&9)Fu_-6zh(O33REnQmo@B1(Jn{!8vJdtqPg zq$AEMBZ~FAp@Z#KKK_9na29>$-g>;!3jYdeLg@=4Ax-Iy^KdaUxB`v$g~OqzI7;I- zOpWlo3U>b+KDHOc>Y30QHXYd9$&dGFPJMctwEOE!*DJA*_KhAOUFROmsggRWGNodZ zYNjAJ-J^28a&2mN&?>2Fc+z8~p_TS-N!!mW33oqTNf7@{q9F3&PE-B8ISCB|xg952 ztCs*;`(8=RmQ2mEgL<8nGIo&`Ar|h+ImGu>mr;q!Q2G;|4dLQa(gtZv*MGI(A>b+R z;^cW_g@}xZ#AaG+<0(nZ(gXvkE;Ka>bqRRq=NVQ+Vqp^5`-oCHIP84#YD{KzGqT*rXhbi@u2t4Qy!3grft71h0g!4S56 zMb*LG<6^?>-oRUIDht%Hv05NO(s*N;F0)Je@CUs_>BvG#*?axrdzf~W`i#iP1%*Nm zcD&JY=BIR%Wqqg93D2b&WUGCR!{^K_wa}q|1!lI>w3dL$Sr_!_WFcjJDv7GBPl5d7J_kR|auKX69g(HJ#2 zGAA-E)jr+U(nG{24^rN4p`iG2rXveODHC4Yegvm!dGxt8eO}yA#jyhM^=rt1bBTqE z(U_cv^53%st;muD@ky1Q|C-|enr64};p{E=!6bPT#`z&$r4ab8qN%=&8gtp};ym6} zH+8E3F`Z04{Wih63ue>A3{(3C?u3)B)a9!LQ`{JMg%0X$j(4rcI*Q@!R+d5i-uxdH zw5~t)q|W73{3Vz6eGLch7tf$fih2I68=*Z0qY_QvD}d~(lpI%6(UNq3-X z-KW4Cwe2n#CW6i`@ge%mze-x8UtxCcJyz|GnK6Y(K4p??r%6K9G$LcJ(m=}SaEo<; zP_mTX76LB0uij)DBgK-T5AIx$qw5FZ##V4Co|?GiOF+*!Y5CB87li7XUvW9|IXr9A zfVAv1=Wde#Lze(L@Tz7XC|Zs!$E-e;#8N0-rTELAI}yPQ(5KgQe|*ns@|>b!tCqts6Jb4kg5k$B?7p99wm>*8%qYRAqSq*0P4 zAwj=+7N)2B?yv3`4>K()ttnE#~sY~6(Sx$rqNo_T#_^bOw1 zJ_MV??P=?6@+FsrVWYWEqt3XTZtPa 
z=Fjb^T>@V0BQF8PLcuFZ8uCy&t65FA7J2);w)@iGk3M_KfJ%q%*XjrHh_^{Rcg&TS zdi)Hl7A%m3y95j#(71z;(tV&CAbr0o0#pA`SjBjd+f9iPZxt$oDzweBsviQ%B2f?6 zu)Wehg`(C9L{)S$XIktC;AI(W?_KEtzx$G|r>g65pKAO>#Z^SQpq`|QrDoYnz-rMY z;Lx9+?-GEpU%3!YZ@C0SY23n(rDCO-AL4et&vxFyYxi}vOs`F8Ecld13b}R^_029U+^d)t7S#VAi-pRKQoJ$`3&{CKROU zwx22xCq7;=@)i^HId}kXd0_UC-YD3+XC>Z=8ZXil+7%6CMo9ZR-nsvHJ6AehVh?sw z|DoF2wuGudr#s`_&`i{CqWafNjL6|E+X$)b-eoI?WjXOiLEAf{M(~=7RO1o zv?&kDxeBIo`lg!Ea&zXf&!P4M23Z#)6*)+h%=)RzwK-70ic?Tr>WqcQLQeLmiv9BT zSxDP$1d+ZK8cjE7yAgumj8Uw{E}2+N*2#}JUX|DPdI6Gu##5P@ zm1dp78o<>bs;(7l!ez+JEmb>dAmhKT46|;{og_PoE=ft}3`)~;QFGt*#1N!l;gU7V z$*_7Vd@P(&gW;m+6Mp$EhKZ5@8dTk=ltfl^VC|9767Z5$_!s{GIS#7yhi67W9(cw8 zkP4|u#6|6kgL%&USo`sT8TqJ*5)A{LlH z3&9*OynUoKiJjI&`bRMTUf{`aRxzvl+Na@~6a{tiHL2&_?31P^0&zvr8_l@Ee1$3JDwANAmP>n(OrvPJ?GAS308KyD;uiJ#{fNrM}mNA`y$ z>pFKjJ4~3_qD?DbIoZpvLm)Nl+XtTm_p0|a**ouoHNWx|y=$k#&8lfKdCLB2LKPzG zc<#QELevQ{WJ!vBW3F4iraaC`nIAFlj8V7*^h+;r^w{lJJ6G6xN`w7a_sUU{Ul&zT zqaO>b-wL>;1E?tzY7m4GwDsO?bP@eBbaOyyg|XeQ!~?$-6jZ5~W7af{Nmb*eiF3)w zPwxv5D5P0~G2_L%i>M;pfppNE?<)&-gE4>0nL&%5`rJl=W2wB8y_^I6sMXJMH?!7~ zaMjNQ%q9BJh1?*=EY$?_*Wg?u%`@msS$UMDm_OB-&;(}$A$-kwpg+k3MPBTZncq4s<3EOt5=Fx@4CTMOf&W&8cCJt^qk31%uag2CP!1 zzw)gc*3nSYK2Y9Nz*F}?e93m1wH;WqZ620qJawF?R`an*?#xH<$Jl}e%WDc{K<=re z$jKXAS9BL-Nf-0j&!`$|jQQttQUm1!4Q1a1eqiotrdo@Vd-Gb=+Bh_AAbf@CU9XgG zOjSvy|E8~zf3sXjUGwz#)g*9wxn1tL-ijjxteImx@T%ziCG6oPAbJ#?dIMVH2zfEs z`|n-VEqmqL{f%Y1s-!&*pS#LS`8OCKJ1Y$q91%?~`B|H_HJGONspIZ^OYRD|$nO5R zZi8=pUP@i~0C9^jN_P3NDE@LfD9^xLxV)0tsKU>$Te3F&SJLU-)q7hOvWHOAPeQCG z{9w<*cus(m$B8?Nu>(rK7NOElri(6K{`3BT5T_iow0vTVr7l+wkgnEZiW{m9)$}Uh zcd|Afv(9w;F%9~5wlKM;|D{ygYg>y$>Xk|O=|)FwZfDz{PTeuhMvlI5f_)K3yEaCz z(^12Nm`Kwq5m^5w4WI`5%y{2s?hA~!ae{OeCYs|!NE19=<|3p~Okr@NNe?U2mzAjZ zMsGh8kVy}`OVxyfZfn>h%6B_&!Q==lxY+L`7D6P3XN3Zq(IYbicB|8>=(vE-)G)t; zmfr47{(N7HdE*r+F1D`zoL}0(<&cuN6bw0wmk5BNeaD@K%MjC@)^~$(VzOx!~GPQV2fhYFmB; zkw??*`q%<$+x&`#+8>Ms4DC9eiQWT|_v7|LdRaczmRbhoTeD4q0CLf#eg|J*>GM%GX`}T9VNzA{#KBvLdA^r9GW1-!EQO8jeH0AxbCf@&JOwrZ$R>)6} 
zO!p^x#Sgf)ub({_yG~tnkzuZtaS}$@FBDAw$HxHwyWW~(WC4C>F8D_F+Un}+d!P3- zKXxqI1+c(qV1rX?-A*SxKI^p4gwN9smK$DZubX3xoU(eLG<55I`o7G-q^_6WH(2=d z*z)*(SBtG*ne|d-_wzGfo(b(%&mW5-;@6Dg73r4jR;Gx z3Z)6RF@~3bxFY6oZo<@H?#rel_uQQ5_n(o%%~>qUr=P4AKZ)Lo5pHilTlbAq z5pvLc<2^<3NQXU=JkGveZeo_RHnBhP?@j2&Y|fd-V2^Nv-!B2z2~MFA z^n@up{AT<{8a>DREjObt%}Ky~z4ZOG#gsff{*HU00@*X!5Y-Pk3f8D)SqsFzqkKo* zM5=V#-KN&_y3=6w$5w1Q1uel|Q(4HS&I9W(^Ja+2r%rVuWR^rruwFeLeCymeNi>XD zU10X98}VTKiCN-Ui;@xhT9WO-702bBQL+4-aQ$2xrqz6r8!ol2j}boijtw7F%#pKQ zsBaEUtn?V8hlcgXpB*LP6YyOqXN+#F#;q+)y4$}LfXyQ%P`d@AF3=r4V&1#+p`)s$ zRLdWyRT?*mk8!6l;Q-h(+;VwUSf1S+c52QDdH6Cyy>ox9GZMIwCCSxaOXN4KK@%}lbBBo9u z(yv0Prmy&j6p8)XzoRn8bb7=%5wZBqM!nA;Ekv6sRZL*Bsoj@=#N3rVZw&Y#ri(Q> zCk{KkDDBl*&IeOmRTWTuh@T4YV0Om-?cEocU4f zBUu!APfe?%Ak%K5%37y6(Tmi|4gkM|J#`@FfV_6^Y%dGo+>)ikg$TNW3oqRq zm-!;L`x)e}eobr<%OixX#D+g;;p&&U`fk(VZLeN0X-$!P+C%HL9OLJ&-fKdIR;2FG6teiO7ruueZ_uMReID$o81-D>@ zUt1QKj%X;ECQ61@pp?=CJ6-zn6h(f(lU5I3-#79|7cKaJPC#r6Fe%3uy1cQf!Jy+!n}=a`WLmTk@Xrsid?j;X!1L%|%_A?L8LfR%uni3nwik&a7R zPtn|Zbnkq>d6u~LmS*GDf`^)v8z0E*3t>?D#b=9^j|K+;6NV#5k~U(#tFMU7%YR`> z6Rq?XQg>X@awLpb4>5Cav@d>2#qU3#Ag?S!b;Ts)?*VG$d$=I*I*AY3h7pbhmk|xa z%#4)GzabCh!kDC4(}SrhR#_SEn-~Muh+KHOZVlOs{J$muaM29~>FCpclI#8b%MQ(7YtV@p0_nB8e`cr=l} z_?+X#m0b(nmJe5{GICop>lGT}UWlU4gt+1QpZzvoucsT$K(u@8G#;0al%w2Dvy`6; z8Cy!_TXw92m(+asbLXtVg}vwYq{(Fof;4`_bV{9$KMy^>-qiSQ8Y%Q8CKRsyQ;h9p zFx!`eVhb@Wr*l5?1<{URUQ9H)6P3wmaCT;r+PG6Mu=Cq~me* zbR+1&UNoMgcZHRt?8$!%*I9f~S!U=4W^o9X)yme(vVo*oeiN8%?TTM%6wYwNL`0G| zVi;lifC&6#y8wDLVMt?(y#&}^mnywgXYqB-Z?@&0iiW`Tx7{XJwWknba!Kp1MM@2) z7Au+Q&5E;Mn+CG#U)NZ*!ZqAQg>!Ngo6fu;|8l|w!+#gb;DS<+2s)_7oX)TIt7XfE zl@HOSWeXz^byJl`u8ZX#Iv1NbBg_%!;!vp(bDVc7>8>}k=hBA5RJ)O;VlC06!IpT79bEX{#?4zpp6FhtlKRNYoA^i zE4`#AQRWjK;=$ilHHxr^SdvKN%x!`<=3};DXjPL@ScN|C$0)0A3Y_8rN@by2r9Z%g z+PK0}%r=nQe>?mD6~0%kFDexP?cT9~&4x5b<)!*c3pdj^Ba<7;av_tSJ+Rqk2lq#G~N5*~Hb z^cT_-fM_7&wy#GQb3hkx$M3PV@mu2w`zKM$PUEkq_NBh;64B5jg1H;#70;&9*l`;IKMqlFzoJPaBjez zlu9K+s(0+rUt=)a|1eMI%_eIix%XC`lkjg;)<{%?;BynwL||@CvOiqH&f}j~YfL$~ 
z9F_QT`U$O`2b(cngY3QlAbLP-whJpA4Qh;yfyo79i#S(cs`#<^%E9ub<$^no1`Fm1 z>btM++|D-kHDsPnfeNJKK>exIuxo^+GVn50s?{7(3F7XBG}#MF(@%IxZp_$X^^e@S=)_wD_KqtC3N;~7 zZoQ5?t1Ek&__p5nHpyDOO@%CN-%?G!y~h{^vva{>UVZCj9e1FgOWz6yUgWo{VQM0{ zbn$c!(~Tpc(VcIEgUv2I*tGU*lEl`e|K8n014i@Bx5*j$!=?s7 zxgGl*n^T?&`EE>b3$q-Bsn$TNpt+J)v!KX1(r84ZZhWUY%($80fmJgCKE?4jd-!;@ zGIV}q=;(N(XZ!1Wy%s~;J=sC7AGh9kB6eNya{U@i-U*$oQ^>$noe6(FbE}3(I0llF zmT8&iV`c(?m1UhEI4{!G!#)vZ2xsVVWERve5$*=w28!+j zdrgXP5h$5H5F@~YYqvqp&2#E1)xSLs)(k}o)a&RyqRp&t1$a>`ChU&-s`@||6?y2+ zs~=^UnzlPkZQz#2*Ql)d0p63ONz|{qoyXtMcX@y|vRf)noxRu?NDnbUDKbgG}FLobl z@0nwDV!GnV9w;m^xYje=C(!ipw(;wgrQx&F|I@B11o(X^w6}*R1 z$#!xpr1H&vA9v$~y>!lI((SH+_ZJv`cz>&=~m5h%T*IhT5)_dOsfN0=8S$Es(}?*$(=Ew9xPoOl%xtBPO(M zj}|3qWlv?=6xb6JefnH3a`5@=H^c%DNu5N03HTjfc?sB^al=r*AyVL-(M5?Q0jN@c zxKh_lyW;E$$`rbXDFnaEHIbw>;t!@)X9)@Xq2T6#*X{96)ntS*!fdgj2LM7t56aB_ z=#ji_01X12s$s9a{)OiEwoQsXXZNT_j!q$?O$e@1+`QVRQL2!K@ZZuj8Nzr&A8BE-@FeyG0_EUjoYM95?sU&L2Q?(3%4fZ!O$I zB<^UNUGWgionYImFnX>|n^2+8oN!0yGn+N%i@ieV;dly&t^F#d>s7F*Yy<apsfe^w4M@@%b??? zDm&wqH2-~gq&V5J?lS&4j7J{s#DZ|LtSD#4LcI5nmPeeHR5^%Y=g!dH?v)z~zx{ z)5P^vZ2^!eGZ|7|AUm2n;`D|8{6t*2S+pl3a z(JKj!9dy{`NQ~MJLO=(Jr?;MRID575{AR3VQdA5>I-Jz0m*w-w*FemV9v++pt~1<6yjo!lJusU;*A+x3NX1!0ikE#?+pn zY^KO?!uF!q-R^zS>D8N)?F*|+z2~3=5Eo1c9l9a|nxiE08!9!2G#*p%X8lTFJ34#nLzIoDTA49NqtJhf!h=7I+5uuMr|^2yWj`LZsqX8Td~eHKgeyTppav z$>^-}j0qWL2+J%DRXDPCQ! 
ze6jwJ=e5r3d)KHbG0Ac#A%rwc+c>WYp4t{yW|y=V7KUcpQ=Ma@aFF#zm=jGRuA#MHf9JIU++>_>F78WJF7< z+>W;J=JmVME((?g41U8SS!#%7laEScEv@IM!n{5Mrd+ti#rlYALDumC+G?w^;@wIU z^`HqabP6Mq2)kLk6XAs$NJAKV)rJpU3D!~cHz|0k_S`o1=b*|)C$tWW&54&k;Do)v z7q*l+gdq&46~Kvk;N+yjmyp|H3pUrdsEYw}OrYYmZ>l!Dt;yULGn#=)`o23Zp>T!H z3lnNCE6bWO-yB6Ub!qsA)l@swjq|_L0R3+@LH}?0?g;9EFpl)Ckdx)5+fOelji(h7 z)$Bh6eGN`i|54YL86|t2i;8=ia0x(%Nq^VmZg>0ir>X13r2mC6I20TqQ+9|of1@NL z5nh(z0CcFRPrT~(6SKbla`L!i#W})R+GVfRX(f7$to8XX@x|#uB#@c}gqEU#Da2sx zPSH(W7j#>m&0`Io^hLcLIj{4E+f*^)M6IM_gwnmi$r1O^kRc>=V92pqxFp>PQd$yy z{e{R7-8e-_XD+U}yXf5te_7Y01}ij`Y&a7kaHs7RLwu&Zi)NHI{iZ3H{1_NEsPcP`EWeUjye}VzXyb z71f`wY%tz28nE`jQ)31Ycn)1$MMfyZ<#`1ZY{DIu43AQ+kju$BZM!Lu|LRs`cQ;%A z+&AJAf;W1ciS#pqR^9e_Wmr)k_j><7PmV%Z@}`7u*26FLmffU3TnFaK@R-uL-cWZZ zvy3F5D_VH@5-`G!sF__*WPNV-y86d%dfSn;;gLIT`!3>BxD@mzIh@+ppxKsl4`M0< z^Yee53D^lWY*AkraOL+f+kM0$*R#i;7m{3WLwN2vReHBsEPoc+`7^k1&wFaTUjEN; znT!0SDU$SRaD3X@1TXg#S67XNJMDZ|b=*iqdk9?{82ATLbkA_7l6&ky?}r@E9bk1Lj$Mvi%=yDsbMt&Kp5#!WG53honk382$yfk zDEGc6wy+XjfWC9V_byuWAA~O<;{5&=9d1K9uIr|{uJpTh0YA}LBV1=3Ff=f{`#az|Sz_oLrU=!8!lk$3uluP0o|9{dEpH%+ ztPQgoDnDHzrt*;GQ|;Y%5gr6XoL^6CY;S=*MzhZmY&uE2?E-6c>?n-o^#!dgu`Qd@ z7u~t))bPKaZ%GWhn(3%?p*}^J`A~w2*gQ$ zPo;8?pz~jei(pge@Eq5heI?X1DIdY0eRIVz*v%`0BWLZg)sOF7>b!rcYxv0V={q;8 zy`jUh3`mD#x|4qAknnPhh5J~W=Y0jppLBKMgue#~%X|b|aLHC{S1*DUtc389)AIR5 zh#ECJoO$r${RnXXqX{Kt(KM3`{L8lwm@TpTq|$Xk%-_R^!tqk!awP)?c;%mcvNaC) zc$IB;g(jRH>Su>ztjBX;7@NaNp&~}@jw-h%@7PKo(^WVwTiBBi z1+Dgx81igz)CuZ_-Zl1PX+S1I#h7p|nx{5i9@zHun+n6w304DmGQfv%;%3gQJ#)x> zi7B6NY@b;ksj(|4vMg#iNiGivRjiw zQgHgC!8vsaXpsM~3m3MJP}P4u&eFg)DW@b@c>LY`f4v$${qL;?c7!znd~N{ELyyNW z#eklWbvlXd_k_W5f4x~fYC^r~;WNKnZ1s1Ne~%f<8pBFDIMAm(S@@h@P+X@(?zTOY zC=Lb-`sjR$FUx)QM&>@?>0qj7uUrf*)W05Y%sXL+Knj=g1Q_qnIga!iG`gL~y1AVS z1)Z^X3Wxt92@^gR_kOxxk&I5I@0Uhhi$>>Nt#9y%=p4Q-5vIg)P1Uu%rwtLgLgz}D zz#Bfo!ITm!86N2zz4{mwY+53p^5_)u`L$a9%g9l8nCldYZA-~&7Q`q;w2biamZ%3U zK_elv*8^9@9|%x%3uw&PZLb#&7WYEbM zf;e8&0RPVxtZ^IHlo>Dzw6j-+?>}cwf0-!rxvqzm{+XN4n4a0)6=>_`i79~thdKSO 
z*rZsfgwLvNEjW!AMy6n(&*XV$v17QD zJ%3KqpKWQ#$SW}X4Dkwr7?~wmD-s{p0#Tq754?9WQQyUd%S zQ3$pCxE}=TY``D&YBH)@qCsyJmu2yF#j6l)bsksTic~r(xvU;?9xd?v&QM$aVHtm) z--sBi2jj1ouPzp$h_Hr2le*NCol{M~cg9zy|L58wlN1^|}@K0Q@IEG&?W z!F{0P9rC*=o0wrr0kNx#i$oGda8u~1Wk-T}@05O+BD`vFeYDC+MdiH+?i2k3D#|e$ ztO$}&k1>e?@gEz4;_T*96jJGSCT+j-!_kRh%=;BB*@BjuZbh%-DJkAK6n?zrk1&_2 zw3md(^i7v4=$_&eOf$=A#$IR1V={cK5}Wn@6r^|_#@t~O9RTMoLY4$kM*0s?D+tlEvafx0ZLx)QNxF=J!LW0b?O84ru?1H_3_Ik#Jm&(k8ICe`ns)a)sdgzb*!=4;UlV$BDF-xmtnba~UM zL(cAWjG)OB9;3VF*MojZ*q^%NI3wVq4|KscUjFZaCgR*yyX zn{q8`9tE@H7Uyt_&$?tDm=!TE^c(+L!I}H8z&dmwwBvwduI)Y#nmUGf^IQ~~5&;VOMh3c3r7mB!{P}4t|;q_wnJSb`X`=FQ3lNGS;+0Zw(#sf z$=;C>hweb&C1827>#t8;uLB`36xV#BP7wd>-lWKYp$w=>lr%e8dd1y)v)(m9>Dv9h z!{ptvDr!y)vjfZrY#J}jek3x&=5=XBrbJa!PtMYRTs~He` z3)Ojb_-*o^)U$m#@-Gz9uhVzz-Ck_=L7v%9)Ho6)K}%}S6^wH$Y2)?Hn|2~RLP6jK z;sM0Sgq=_qfwDg_#RHRw)({WP6c|_a!Xt$mutk)8o9)M^f^84XV|;Z00~2p#`?g_^ zE&=J$=YnJ>%JcXVF!>IlPRPOwba&Daq*iE2Jf1;?!m(zZj=BzbzV%YO^4?qg4o`bl zWUIukFOBmVLnrV#157mAoiY~%2k-!I#krmk*BtNKp%ahT`Ij*+9y+uxI0_Y`?vqhV ziL21VR#q2osena+;W-IMaiJ0K00Y>VjK{02R$9wqg!)ugaZng4>vYEj+$Atsjw_5; z+Ec)v589D37`wo$HNgR7CG($GG2oKY;Uf-0CdBLQHj^iAoHP74@CNC&yJ}r5CRjeq zPq#h3BxY<=FVd>JsP$wwp{}-+Lf>_34E)UmrPh;cvd4#4Gi^0Yy#Z6iH~M*;uDnbx z{m`?01);o`L<+l4Q7t}yv`M7S7LCq zF(bazrgNJZ#26@@(%EWk}e_P)>gy%t-0!bU>8CMDTgt zT{pwo|B&Mq4JoPe=fZDW{H58qeB#TIaY?~9AM4o3ywPw-XVV=?9^5`ku&l=5KE4xe z8OX?yP5Ii0ef6?+9&R=}iaO_aWiibXYZMY!u^Zhho$t&!Z`ANblr|biJOkZG{a5&$ zJpC56c(nBVX?N|v=#^9?BL3X;ovKDg$w*m^3bl8h{7=275#Qvd-u|fF0md!!G+(4E zj9*RMNbIxbmoPGBxQ|WC+by|jwDB}jmPUY!3aeb_5H7UgQ+ymE*XTJFlqtj~U6*cP z^ZY^@F}nH#1CS2%9j?&8o8_Phjqz1kJ6PKTS2@Mq95;$ASDMdDo; z`e%#P+rE~UTlImHA|sRVDa3>RZ(iY2#H+ZRf$Q>ZlG6Rvbp>>G8OHCl*v?Qd_2;Rt zJfTQe&A$KU%Ke~$BDx3xs0R?QW+L9;ZwCZRW{eg1Lw~^4Ke};xkRYt z0-Kx3l?ZWNJG12cs(vZLjL@~p!$J&|1!mf1yi4v+&&l>BRPG+_Gv9i4k1k_MkTJ^~Gq)%5 zNvU7@9lt#8(a;?zNV~DA$f#wdl|4ECew*Hp;_>X?%cayRC$;zf;%Dyt=2hg+#9Aeb zy@&Mo>x7SIYaCg5Aj`7m3jRu!RSlGTW~BS%m;Ci;YN`9XRjFI;jIrJWV;~$D#hTRv 
zrY#ghYHxwGX_%rkonjg#YMj+KQ&QMGd}Bc0%7NFp&?EwX=lpv%5cf26p7=`s@1%Cp zl_g}r(#ss3QS}TB=x?5uRo-QHtOB&1Bf`a-H6$hja{gPy9{P(T#ghI< zE#vAnJ)oo!Zx@r<>wlfx<#*3%>#K#X>p1L9?juD1tSGiG@ia6Pgru3EERu@U9W1A; z99Dc6j0@7*&L0sfv2(;*&4FDvcIC-cXc~vw=hr%%pL_U$!SVOt5FY@))vg!6+fR$M zQ;y05s;hYi-S@U*iq6%;2vx$DgUehd725YnfmB{e&!YChaLs? zbWv-t+Y*%t&D9Pch|pWJ*ygEKdYDp{IKx7VS3?&?sU_OH$(85_@Bg(<1pUX!*LN$sr(@e?5FzI9*gq7xo30+k9cQI^}?vcfcWLf)G zh?gDYyeV0#)FWJAY+iu*#?wRnr6f0Atk0izfpb0bIf9_V&<64w2KArpCq< zIR@6=v#)!mGo8&$*R0lIsIL8?S9Sl|e0LyB$(>n$LA?T195^C+v-t_F`f>yENo=x-%6Ho;F=WNwBPxT!UGzn#pN zgpaFoyd%=N;F-{;iCBDUq_-5QZ&W_qay_%(kY?S19;b>n5kFjw3KLjG#CN%OX!ZP) zCsUYoE+x=F8fKyN6@#WINe9Gow#R;oi|co)Qi|U%+K(`?edH*KoI>Tx=_!g0%4sE~ zT~uBmYIgob*EgN}qaWSTW>!nT2M`GweXq&CiM3AEV1a=lYW+$pEb3b2_79z@G;s)s zf4rdL9`{vIs{ZJ9&xMCeF~@_r)D-yfq7Hi&Jp>5m5Ir0&7d5J?@%5XGmF^I4GjRAU z>Nwvp6I)+tWnQXbmEM|^J_j#5D4Eg@T`{7KXv~RyMzBA(@i-!cl9|<-;4l~Os)!y@ zg;GbmycW}}_gY*$-2qFDuT8wHn~18o@qtS~LM||_F(O%mBg%wg$^De!q1vwRAfR~hE4sip!C~;! zu;eJ+`o1_2?Utg!4C5vg`_<~>dF=2P`{k8OsG+*?@^KGu@W$glZ`~u|kMlis4=f$~ z(!t&RPk)NL{H+?NzvxgkUC*dg8UN^rW9YcErs*m0Y00=#2^Eb0nA7!xW_ju#{q`7^4ZKn|Wq9|eYZTBY&yu=z#K zgb70Yxhg^WDZ#Cp_?TdbRe@=L+LGj)kq>ja&0hSHFRF(3D!pt(>ovA7qfyi{IIJN- z5;IO!k%L+Cw!?`e7JpnLEgQN{d%Y46glJs>Y+Eoc4GE<@LYQEHaX=>04dNZVQltj& z&grtkjJgG`4vyg|xL*swHpgY#6vvNU^rdq)bBgef3^t^$R zf%%5VcMV7Lq|7`6e8;$0UQ(6)4GgAacfTd$54>%z75wuI)j3Z%!#6t+7 zCR6I#!K({5mEwdN5;p!k`uylSFt@g<#qGs|k(Ykai1?bluGB&91{O*~>>TNA+UnmuYVH$P_iar< zAXQTjn19{n1|nb81eK8HWgLG)UB?GFhFo4s{Q*# zwssM}RS+#%7!Wd-6VCEWIQ=Bd{%Pt+o@qO5|G$Fu?kg0VR6ZFyK`V`wy=1xvY~C!xqVw8U?icY`g6t1zEMvIMqGCj{**&U; z{TFZT)!OSLf$>5w>uQ6B%f*rhELk8^ZBtg6b;RSPy)YAPLIApmTwuy3ugUCw3E+lF zQx#ISPV93J)k%86%csbp@uOdZ{6c2ebbl&$Z&qnUoU6k8@ttqagSd^;o_^$YIb~j8dy8ur1k!Xez@E0u3KEjxP|~T{)c)SfIk(Bp#%AQv zofk@_XBkg+(bl)b>M;5Wy`-@SW_2!S+zv*!cbt32nxCT{Z()VF*20#!EY$v91%hCK z4XSVs77y`S=Sh6FbbrB$tDZFP9g|7sdT48OZfxhfk)w2{u{I<9Ty^JHy_j63XLeRa zo}ba){<6XF+(OAgMPcGO4_WW5i7(nyp|Tt6I{87=s|~O`=W7isTR;u1UHl#x{RRx; 
zI>;@?RrcFm0`{EoJH}I;cejgh>ClKC+=?gI`NZbga(uH4Y3t@|iTX8}KV?A*eZ;GH z?>8EZr0M^GyZ4T2;``f0qo}Af5s^+*Ksrcofv5-wC=rk%Eg~vSn)DhK0qN3}DqTQ` z2mxt9x`6Z&2sJ@EfrJtQgmC72?>g_gzu)_wbMLzAtaI18e+(;G!|a*a*|X>Kc|Onc zY*hm!II_YG!cqLK`xxb2tjqJe&uPW{ZpO4|!guBV^ZhCnn)Ah-nne4BD;g4Um?Ptd zvaqv@**?cbSgUZGz->;t8Exmej^{%qA3E@|8?x_b&WpYN`^X92_)x35?nQ4eN0okx znmDgK$@NwtjMZp8Ye#$z=Dj{+vo&BmA`hSP?NsfGd9~YT)23NR@$~RY9hl!Km^zLV zH)`>@exX^c@tt|>Ol3y^vUMw572GO~4O~EkUme&Cka)zYzA;hM~}#&e=c z16)gu8T!DhcViJZ$8JgKfqt-9DlD>`mfYoMus(OM@r>f)+s$bId#6Ey-n{1q6x?vd z1kr+ZFsFtDWvbK6IZr9FQO)1(#YHWN`TMQ%?|Ac)TCeeZpo<};@5oGWj^#gj!Ra_s zw2IYFeDpd8!uu-Sz$nVNacs+bOCw9(S-Br<@wHIOx!7yt+ZOWP%(rGbj$d=t^f743 zpqCVQfwOOFf*%4#63VO(i7%dLb8)dh8hiAWRg?XqyOIpjcw9q$?U04wQW^xQ9^Un9 zq%ZSJJ5n+kvNVV?{Q7xmN@7HB?YX_Az%8Dd3ijK-S`N(S2R=wZgh_5K_2XsGNv}Sr z8LGZ6#}1mtt@o`Dbw?P)54zb9&lYr#NX|X7fyS2avBfA@42oSy^znY?*xvX!wV4iE zeFBQDFK*4j8ewqY@K^FvZsCLLk5-ga1;D+vxi2U+amEbVn<3R((Wh{#7Tt*e4RFVLVICC)`d}R%*5nVd%U$4VtqffBZWJmm+T7aC{zOMviXF5L9cImwe0`jB3+lhYkT#3AllO z%l{v06xQufj=c;-Xf2p272CdIyq0g~9LjTC@Zi$T!6`D~*J`cCUfYn>-uK-~Ui7%q zqLY4idCu=)b|C|51;+FM@TssqXKUTnJ`jC4&|wL^IJGuDuDFWp6H~u2IH|p6b7f`N z)u;C`;Vr>RJrI}$@{g`i7RbOa^1hgMX~wMW(4H#L{Ne~sCbW~>j&!oBdbe|vl()eu zT_&CWUFr|i#Zs`HU8a7(-k9u zaqVf)6#ICwjCZli&0-fyc|O2#0vgl-FtFww1gZ3INmQ=36-qEkJxI|wuG5(OGr+)b zGyY0m6OzUy2NaKYS%;uo)H$kC{J$SMuug#=P~wn#fqAj*oPTquJk`%6W3K!Sb7&FMvlzyLppt&n5uS^Z>Xt$ABNNSd=q#v|K>(TkGz=& z;7=1_egewL03QL75>*RK{OTQla8L>KZu|+T-DJDBGN&fOGa|1cp7L0=i%Ok10nK#* z)0+r@^lE-X4D`hxQxUWqaZh|$T$q)>vB8h!>*tT!gyJ5pgLii9 zfUX4w<%fJ4J2P-zs3LTq1dP`xl@}B0)oPjQ?9+(W+;QmgQWuQ|1#~1<%O9vJp18oj zsCvJGgoVqY7X+Uss=XaJmlSOorywBw{7>a!(D z=bW@++lxxW_OVCCTjO(!UO@|5!GQS#<8=}}?Oh1)=~oGG#eHC6EBF#(MHn|ny_j7lJWmn>ts?u!Z^XQ*m zo`RUABihdYBfb5S6M-O#A!u?|yRWGRH)uV)p?MI8wSB;eJmSb(pg=4W8#Xy*Q3Y4PyI4V znbF`nN)KpqhK@C3-aSg1)kNn%njD(@x0@OI&-d$vumfZ*%e~4cp#QkP0B9%68`?FB z@NvR%gLkpj3CQta7Df)Lplp*}XX-e>>l~Z|0XtDU&W0rs8O0_R`nd#LrMyRSO2Fl% z=t-m`^cFxEVJi^Hivs=6x27o^tOd-ZNgQ6l$G0CHYr=@`bw^h}7p>k2nJlwnTr~XT 
za=&x@Yy-j7j84Nx4Xh(wP&$q-7fftO&hC~%ZkxGwE4pdNtoNq!DFi2O4qV7XM^sV5 zfb1`7)vHM#r-;Jwa2X5`2;%KYHr84bD&Z#E$Nh3~?ksvZnnn;)BSjeBtERk_kMUx% znQ^POwwVq}OC=00R58Z9U1PZ`9?g`|T5;Xh< zaA`3B)kKZK?ZSGR5+=1Q*u|MSOHNCaE2rQM-!+jtEzxUhW$)J>@gcFX`|x1;~^cm@X#znptc%ASDg^7lZ=K zV-Cd&|DW^&z*BK_n`|=!vUth6>fkoj1&Tpy|6q5yuDyI}r)ealQ;skJ^=r3-@Qe3n zJBAiV7KeFr$d5Ri3>D7#EEWd`^0Bs=q^Ot}4lBZz5!(={s0|uxkisZU%yd-CB*(fiM#$gGMGPTN!rTKzMgQu*)9{|p7SF7qPi?{}y zx~JC2;x!%buZ~rB*pfz=*G>(LM~)X87{33T6nJxgck`lbqKhPJpP|Jp7csnPL7!Yn zBu9Q-uPqJNbSbjX^|)p@R`W%ee~;q>M5&AdGYVF-8b*4#+yO~Df3kUQ5e#RACx@XoBHh=~XwZxTH;) z)^tdJfRtHDn3h8h)7pX!H`nl%cJ&B@ZP9TSZTN-oX{a<$?PZTzu5xxj$cCvJtH88k zM=Vw^%Ui@Oz&;fwm0VAKIrZUp%kNiq>_+W|VRc0*RE#y6B=T@0&L?Wc3lU)>PGXMs z_~vNCIqt1~b56tiI6Ft;yVl#JdM%@Tx>1Zq>F_NRqd#4zZg<}-Rd5`A9V3`wxn7I3 zRqhd0ti2qyO1(pD=nP>S9x=i|1S(drUhmH|j>=Dd35)z|J9As*aQtC>_+GHFe)H%? zb;DGX;;&Art!uTu;d6m5FqvPit`NqAq+eg-Zp7XXy#G*n7E_NR*OnM$;two*<-S%V zwZj>yw)4jtJja2p=}VDza%ZE~4M&Pud10M>e!N z1@HxAFS-8zMR*S{%^_-n56W})&zyj!4yk3xF&O1~Jav5F=pBM^3<@dzcdD}4HWEIj zg%I2Q$H?#$0rA70n(U%OYcWEstT?ZW9Vn3>0EN?7AS9a*gB|lR1;2nZWt@PTp!Y&{ zTIROJ;wc3H>&~xu3P@`H!zmAZg*F7;Hm3rwU{@eUgR%Q}1V9OFCm^Btb}$)ucNdV% zGR;<%Vfz6H96W*A3$*yVi;boNa5Wx?7gF3#KmtWsCm*(R16fmIzE95QDneG}vg70%_X%Zil<@W2SZ0 zoC_ln6d-aEsjwTpc>E68g$4c$`oU;$ptG8fJSfW_5IaD43Y?x0p;=5-CrOp(*Ob}k z&RMPYFa+l*o0rg)@P7#mFkxZ(iePngY7=wKI|JVD2wt7%bJoW+UN5v-+14iCm=Sm! 
z6F=kf=pySx+@}i5F7W9fD4t-zWHBpKuzu-J5>K@E!A}_Zg~kwjGR;$ zS=@ut?;S&=O?#Tm`v+e1i(#_y&3D`Y{MSxEI{Vp4@NDjCk!*>^NW*(~4@Pe)cYV^9 zS%v5B9V~xC{9X(^0l|U3&1ZV;j_j};3MtOV)3=1}rO~hjE%Pb zXQN*0C!=OA;!?{)Bn^GI+G9~eN0C~eLvg7rM0xzj3N)Wz_JAgL`yuu2UfVPZ{p*~bAOo{pe#7;J$ukR>M^27n|Aj z%N_jL2}1toz><;u-brGEB-z@BfZk(`Slq>&kv?-`DGv znH2Md5GeJ$(Ay_9wZ3k}R_v}=p;%mx6J}#Gy*V`%5`eBa&b_J+o-8JN{utdkuKa6l z5PiM3ybAIX`UPv(HG-{+hF+od@pIH$+qAXXXpppab^gR_W40u(eV4>A5|{3NAzurP zyMvUaw2+e8!Q73`!XNg!1){XH!u$J2UBdg%3Kkf~{d%6cCzxc#epNuZ%eGWZw%8y# zIU_5{rS*}at|DPeaq7pAP_Rp5aQ4;M`*kIHj^a{Lt24(~{V0O% z$Gq#UQES7|NF#Q(Wydm`qq)BWcaPEN>wZPxcpFjTpAeyOwzk-_MFc*##jEzWI+t&4 zPVS>!v;51qu%Yfgp5}b5!Urkk^usv-7Geghv+0S+ z{?De89Si=Z5QKuWH!=ElMV{V5QCX^`!&L@b_ZDjtx`Qk*(jgKdJy0fyCtf9F3ZDgq zr)j$Ay*M3M79>}J*PzWr$@=#%j736f34{}numWECaPJ4ez;Ia4q|A}p^hxMwTr)jI zTq~o^<_vLZzY0~Ctn2Bamf6()M|t|S`>AU$>RLd){3;Y2(RqQ++z;6~dxd1_N1h!P zks^2n_WF6vJj6fBElhZusQ&BehSl4*iQ3MXUr$N?E>4`a5oy9(!|(mw&KkKVvzh6N zYt8l#xlZw-N{8F;dNt)W*OfKph&k>y!#_72!6-?lL}ZM{xw)14!p-;~2uD$;)GI0e z3qF5LNr@t4q_n>?1**B&EoZYqVkP@;h$?K)<))%jgInmedGbeNkI$>~44V z#!GC2$p=n4_Jtf~>I#bd{qE%?!2LU$&4;z~FSt#Kr-cEb%@$}p7Ik<& z2n+gPRY7z?TBQ8><<8zRH&*H+;&Qb77Pp{Gi@yhss~p{1^6F8UU^G;w24p4W#}{DN zuc1l>h&y3*B`ajCYXUd|B8)q_W1H_l`u%+S2IqADa;nd@=SR%Nf|NP~Yl|!^Mu9M| z;yX}hsLyaCx1;=)h9lNDxPl z=25_pa@wi@S%tN;*_izDE$iv-I!Lu_1*ceqKP-6Uo?W+xI&Lbz z-d=B(teMgc#2mwnkBfnn7Wqqqi6Uc%i+#P*7VSBI#1ownD`r~r^QTyY;q#R9FSU9v zy(gTVSh$&WWDLj;%_8Kb!vo?Yyq%GZYayb<i_3mz|d$X^E zfp}*KlnNh0i>>A`m+xjculo|0BV2Z)s{*-2{FBObP*dV71}rE|(g?mkfuyEMaj`F) zvT2bHZ&Y#1pUG&~GW)Dr9ccX{`~Ccpaql)i{HtCKpS5b^zP|mRg}yl(Q)F=3Q)Fy& z&7+d~SQNo|ilh-i$#(}Hj5acy9&J}oZiYrF8d2o6#CzrOFA!o&PL0q^vf(~Uq8-kR4VgJ zn%Br>O8xqs!rap{Wo#C8YeZg}M<(=g(69H(GqtsP3)DL#`}<=E$8kz56KZWGqCLSG zZ0~i)^Y6Fb>(;sCt=4QMJN5OXvk7C#><|O~HF>9wn@LsPU@_~aDa#)UD1{to`b= zXZBe)id~y3tnCC8H&^W&Q%z7Do%NF)#&2oYBnsV{veHkzT)IGKOHaqg87ICByA8s}^cpXt7aouTY4#FzS`jD_;#B(&iqGNs>eZKbZoM!3)6IkX!BBjLEmJnMUmQ^X zk^<*_TltHreXqevNnk3x*|t^AC( 
zflP6%f`7RuTegs2_U}f^E1bLRm4&zP>t@K1elW+bTj*gkVAGKu^0Vxmr|IZ`%s9 zg?-|^jSt(bbLi{@;9+yW)jn#I=ljA`cqq+g+mHlK5ZxD75%nFn0K z9SO$2Y~hU(2QK@=XJv+|>e~y4;4hZ`Y5H zm=z?3R}y!+WPZ8c81@cgbZ4e9pVE=s>SuK9d z@JQ8rGwbUW+0OarijNZBX(Gp%f-=52fiKwu=AG|@xRdZV)4r@)9Io!%i^WYv3WW!H z@=Y)X4SY6u5K517wWQ=pPg(*#+-osR=p;Opu@`^Do|GUts<$mmlSK`3?w+o3w^rjS z(I`d-@f{-};-q~1esl=f(Nt-?J}rVuJ~C<1WWs7Hhhf#f87RpnWPe#kIa!4aA6|ii z6`)~rllw2%b%za*CF_hUHK~t2v}GNrq1U_mp)qDajpi(sP5Rdydq}U1($AYJ5L@TK zqIEV!XaMHb4%Stppg;Qr)X){M3m_vvg06T1;z7m7Loa*38Frji9F>yiQHuQz2vAJK zI(P>2+rJ#PJL<8T1)tJw5Xc39Ro7U%P7H@{GfN1=KM^fk?N4WqimC7KAN20WcqF^D z74y7p`AgRk%uXEXqQmRF-5p?!<#|lpu@T=IQ7A*)*qj;Gj!nHc0G7S1euq8=k5(qm zy$5pcxrwqiUsbaRuO>Epahr>VZbe>{tZj46`%0hIzqbSvJ03rb?c$#^qzyp%eURGJ4~oaK_!Hsu+1_HTc=E%#iP$NAXC?-}G<-bvTO389Z0Ul5%n zh1=Yn0v?A5gl|5)E2*k3*KXm2g?Vj@iaov9<#*;OsS{^oKUVsB$5M06?lUg)I1B4r zQ&Ju%*Rz7O9)sF9yagl?+)`D{WrCOmow1_ro~~jW!fbEOLcGH(<)cnT{*-uo93rB= zA62}9HEqVLWgPXcNaUxxsGgr!TYM}{`~Dqt`L=+%TojDONNRXwDJsq`;%nWPsr9@7 zX?6K+^ty5X*NQ4F3c>>qjbfPZ)4)Lv6jZz@n=d&*0zcB8swZc%6#9TKX)rm?G7!g> z@*?ps6R(;NJFf>S6SAW1gr9HB^Sdi97kTK(i|I)@I>ZXcwT+ZqG)ij{e-g0a&v(Vp zYT2Iz`%idV{(l1HLXvQQUy<5|!9?JUc_x=fBf|LV`K%fFy-c&Z$j zK4hru^G6@{z?Xs^10){oO`%k>vgC9RtmjP3)a}kdw)C~v`kpfXgS@+e-8LOM1V0}8!i@}woTjR~B@v8LWf_jN)N0Naa>Od7NKLj_S zb)SGL>8bL*ZO3*U9EZo_Z_g+_v@ia4Ng~?4=S_o*U2FJtzg;IB^kws86j1Fh?vylZ zu}B%~3}cSILMXM?b(-tZ>2U+w6HR92H5uIT0*oj$6r# zT2jA-oDLSAX8}C5nTx8Ni$rS^&Q#vr5$nCd`mv|r&`0@ZGqd<%5XFj?^tLexV2*rcAkP&Q!yF z4<_~-0>4%e@_vSErCxY+KT)*jN5aQDyB+@0?Q>W)O(OjBi-J#kedg|_!pH48$F+R0 zBXLRsTy|ZxIRe-cW`x7;8*vmPQsEfW|P!ZNNBQa+1G4apmi*8k#fBv6M>P zl5F72mLS!B2oZ7?RV?(7+-p;ukhC?fl%t9ODCBtHQa!`KSY`)ZqUJ5Uzr z{Ff8Z4!}2<0ysBQW?f@sVd@pdI})>J-E-*_zuZOMNpksxj9dRT01$d!m@WPT%&t>3 zY4?($gso$#J3vS`kn;>ES%Ch>n?*J^5sh5nd&VTLIU=nPto>>ORaxu5c#X00{F_A3 znQZ0Ld7iP#b$yeP6T`24EI)ghjl-+$TaXMvY(&(4gxB2rS%GnB7fH!&%%@O=AXEO3o=&5bC_b!T(0$?PYD zeh*m@t7?0CM&*Tavq9=vJc7*$qiPzD>$5Z+ll1i`n<~oo$(t*yB|QEyPkb#Fg1Xyx zr1hd~%%LHEazLwR?^an6DW^T2m3pUk5Qo_V*LLKY7iBy}-}5+7T-`VRYuLbFp0s6d 
zk(%M34~N-(wSd_L(p^c#E-A*{pYUcZIL%U7-i_v@bWXM9x3l@dtfKFT@jAs9{gL#^ zj$KNbiVqrn?C0v_?X*3&QR}=;MfUkjdyrF;?E<}l=+pDDSq-gkuIhNJW0k5O=$pHS zvCzoMot?25a6Xf5-LZD_dYF~;pN=>mx}=)M+V<>oB;iohc?p2&#Ilyocib8gjxqX? zI{V~G;wcmFGcoUE)uLK~LUeglN$7hFMAF+EFjPuGZ8%D(-yexJt$r!QJ_NW*H%B*e z*t_`x=5fvz?1gPE;lcW_^jQ^VxiI@j7rG#3D%PWGBjx-7Mn={nb?@^<)O4SOT`{W& z;-|pyoEpMG>Ww6hP?R!N;j6Q$Ay2Ha{>LZN`91lr%Mar?`7_^%=Ws+9h8BvUxQ7%| zHfB;b8v8_zQXEA(_;s`bl)B2#iNoTvm4xzv$g9@c26K1G=~r zWJuiau%XxYC4s}eV^2xR{jDjnmHeK>=d)#))0ztA(rZ#Rt~bbgcynye>|jF7Fj+{* zdAq@Cc?B6fgaGv5m(~zfP0P`F#P|;fU*{uWY3vJ^ zC_2_ZNo)?R4)yQT*LnsOQ&WHN!!xyU`_UL`P{pxi@uFcI~Hc9R;7gLueQa? z2G({is%slTLt1bQ1X}6`H_muC?lsjUY#4FcQh$Y?%UD3*^{q1=YvPsL~e$>TlvY_@+v)^ZSy%^u6CedditrrW5l5P6e`j5<)A1_TsS>&hZeRIUR z%vJ`UO$qyksZIKRznrijt1H0&_Az79hPZKu1|3QIZP7dF%YMG5L~89tiz{Oig*A?V z6hbxTE#dLHam<*o&>ynd7&WZ-W?kZ7TV5?yl6cgip|S&z>3E3am3S5bemAo9`&tc~ z0N06PaID>&DkD?Ft)(z6tUNY_9Pe>LWaP_Znit;WQe>jquXyLH+ zRZliN(e$D?7GXaZj=n;oj|lQy$l;L$Cg6z1>n>-I`K!bJo;H1Q$&vaepfmnp8Qz`j z2~pC;_4)nS5dLZB?90QhA$*jI&Nb!u@TKMqqtHih>$`dT>vW8}8E^ku5X8hv%z`ab zuU;t@x|%O4m}w^}I2^F^YQ#mW18y3J3QPN8!kbv{a&yno5jz96M1LR!h~zabeE6TU zp#JYzQvdJvi~no74o~quECKFX<^+^Jc>;2W9XEer8PhvZ>uCOw(+-F+UXwW5<3nea zfD))uYWhrW>Wzc5pU<22o4c-@muT~07GIlspQ!I|Dhm1h{n*OJcqS+by04m^;QRS-4IJNG=&vZU`x zNC*GTpOmI~L=^W{2Sd4CXS&I9PU*Dn)95qAQ`?r7?FHwP&fOEvJP3P3A6j?xl-A{T zWB~VrKN_KGg2PdgLc%rKIKm%vaAQM=4JU5}IA%VQM}a^)ODV*$M2 z69=!y1P`BAWV+P~z`#T#Ik<}AS>P;b_w`N@%t@iw9OSoI$ZWCrC|j>#6O@Ca zQ&{tQyrX6wRJyP6U{r%OWGpQp2+K-o!TDF$ef)J;=4fMm0!r1saIw;bDQ2fZ<6x-? 
zNe-ld3xGtJQGScwQR(uWgw#HVSrrKBsg~J5;1!t{;l({Zt=kP@A;>Jug$+%$75O#e zQ_FCx*OgUS!o2197Dp;iX?C5i?#c%JhQlrXLZ7=aOgrT8gownlS&-+U{tK618% zvd%md@9>uphjiB%m@F`|zvVhh3^1+OR7c+vzZvWd?`cAquv5#%&*cK75qcD@J7?Pv z1wJ~f3sm!SkKcotxpHebCFQ%qZZc9ue$)MsZrkDvWVIc2kLI%*5U9^qr~`aF12 zj;5!W4}cCO&|NPDGCE^Hp|W-uG9$&)&?mIx=ry9s4ww5g(W7kpvxeo&OSGJ9nv`V2 z)V+|&Hu)JVz|Km4HuVHVT&Hm_ZI+Y7JLM*-S?t`39L-GGutHg>sgi`C&z~U}Ejpf0 zrA$;Z`^$l@YzS(^%f-li+%7Mv*b$qZ>r(F*G{45mhbH%xS8qQW4-7KTHeZZ$xiRZd zp@avkoSCZ5ibt!~ww)@sG2H2+6x_Vfecj zcr)p2+^Q{)w1ZXK6q9ZEMd7^_@ms)(qZze^xMuDk(~*j_yVdB?o3YUrT73A=Ph;^1 z`}qlPRu@wlFF^R~O3k2`AtrJREja7Tvzsb;b=)bn5k@NS-`)Ow^lQF~`RDS@s+$y4 zNuMudY5deur@(d_daNt!_cC&8YMXy|T{_x~Y&gsQBbuOeKH<3JrFR0WKHQh7`AvC4Bmdbs)#VhUNy|^Aq zPwk%z3;Eo@1K?QUSJboJ*C>?RCDD@ZTn=qpW&e%6<1?GTs3IW9Oxt75C*55l&u)u& zO$ACX{IFkND>BeuAmJXU>F##QZi8M~V9_})xbT>ei_=k1yB z$3a=5dU?M4lU~H_2yyZSXlhOzIzlEGM=*Za=xkZ8y2g;gB?AFMeR}1teCZ`I@$#Fr zPF97!l)gsGKOxTte@NlRUhBY}Hu5NSo>zd9JFUCMx$ewXT5Pp;b&fOITAdSDSgU}5jfcTxChz9b?ca?nteo45# zx`e*wNjJf5U%rgmb|t$a_xpW8LdCNh8DA%7JJ}0S*=p}iSDtX*qMy3aWK0e}E`sPD z={a!=Eq~ZOR)QtzMw#bYt5}`8%r5M+1f5|Y9xutZdY&xAzdR1Eno`)OvZ>*(a4?Q& zUUcf_mieu9%KX%dtS;5Li>6>@v)T;WHT)viQCw|W;!bXVcTMInF3OS%sX~Mj4Ds=& zf>_3BS0`5Mtq!l2ljBv_ygl8~?x$)#PWg3lvA@O5#b*lxjzE3x2x&7qoP$?2KP^Ue*Lhc6cPf+@*JR7{4~@)<;BAq!k^yP zl{Au!pRD4vS{TI0;h-O|%b_7R9MMWubvxecJh+e_eLdYbL!SOZFr0oIuc;aB^21T| zZf$iSxCFZ&4^cn5O!1vxZVOb53w)?=d~~+2eOh%YYxYH(U2}#+(BaDps!in}^o8`9 zAUjHKk!)9mU+zMp(9?5M`J7P-#?x;0$;Yt5kmo@`lw&*`E8amyUng-}Ob$3Z)ufWi zr&2|dWuCQp2z%Hi28Ve=*_&TU^H84?x59QGhRi)wv|ub#X6@`E{E!H-Xv9UHd1Fpg zt#N!UH%uNHpA%?fXp9*U_$>JBNmhLozb@4HUpZq_RLyb#bo^mckz-#NVFLfLO8SJe zVtjrYCS0pQ_LP#59LR`3VQFIcnunyLjOm&&b1EtrB@ERv1XDO zA(xWc;0-td#t+Cs3E#B&dWr=dca+?sZ7eNorgnviS!k5=7i<@vp&@YQiP`>$MW^9~ z0Zu;JPw*X6gWG30avp`lnZ4FAHkp4 zFcmPL?nJES@6@iyhNNsG<3fb|BJkQ@1jnS(@7IPb_3(bMQ?EgKZoUp)FFuv{OzuLU zQ*F1PUdPiq_xJ&ZoRWRUEJ)hfVf)K-lE(ZPI~vopDF zwED@Wyz~7SBj@j_a{f=eav)O_@1gslO04Znl=%w{ZDu$`dK};vmJ!RgQ7NpsBnt 
zE42?ESUyls)je0{nKz@8XKgvT_9~|?eN8~nDfkx@sl2N$jvI)?vP1*x?dj2^^gl}% z36_tRqg8Z{7?rz@1UOgU!eLYyKwl2#=X`~XTEX_(-eXhREOgaa$o>m>DlLyFtk{SQ zRySXE@b%$tXN492e&4;caN+HK3)Cy_3mKX73%~x{dq#D)cJ5&ataMwWS)up)v{{(R z_fPQ=F2MjQ6QB;xUax{OApR?)M#1DJQ7qr>HujBar>vYyD4Y+Yhyb1;v1aLGA-?JB zC!ia8VDdgK?HZtBSRSbS4{GQCmFD^1KTiN@rZ=2{64h%sgi`AhcocWL#M@S_MJycm z#`{{#yF1Id-vUy{4bP6s-V!n#i&G^!t9~@Oh7b<$vpMX)mT`XJ_@PcCQ{2cxIVMHiZ8s{C} z1sjo9OGAASiR7&M@OxIDZNI9EzYZu;V)gM$StQQ|?c4=v7Oh}AM|qz-_NIHfL-@!` ziL9SkKEGDktpF54aBdCepjY)ZBya}{vtN|~DNmD^BaNRmeQKjVwd3NC`&BzUPtUe4 zzr_?mrCSy~TOReUJ-dY-zEs#NBGU15)QNv58a0y?9e`Sy-1YVlt6uNSvN2us+T4q) zhZn6*?82@{gvgR2HkwF^+vjab&`4xnsA;N5yY{Aj;HLz8G3DtyDgre_gCIyPxt`Ji ztj!w}qD*W;*98~(*^D1L%j8X1K@=0Ew)=;*3odX?S5>~sto;JAr-YJ|s!76tLM)=b z$07C$g{Q^$YIo6!&#RlM;(mWkUq6Z3N+HMT^3kiCA1rqwxhJSPfc;xD+iIoN9osUe z%hq@JhD&=&yRO|beabSJzS{l6Y1AXxK01H1GxNZ>>QR%Kh)!wa)8P^4Cu&@Hl1GYY zsqt7hypX`7v@%;f)C`a`J7DY-`j+N%5OJOviOP9YFC%!T(2scE#DHUS zF|xyN0H^>)A1ZZN%i+e*NiM;zG+rVBo#5kUr^O=c?LcmL5qzPA{53=sAOL6xJ0O_8 z?KU`12oW(6lDmObejiGAgiYg}Ym5go!A@P$zx_jU#U{MH)^=tjbL8Tcg8eO;$kx&S z!n#loCFdnskc6W&&iK{pR$88b_}0<b&X7UQfXf;=gvgBa&|2KwtewZx#bzx8(>HHJa=EnPgG128E!&3JfcY^>-G+g43P@2SPfT7%5A0?eAn=-xZFl%I$ zV7TbiJ$v}1bD)AVis91w5e#*83~MR*Dy?w~f$^+4{^UJl*-8_m9ODRb=A*B6t$8%Z zZ;os{Ye;xjlX4ULqw@>yIfx|_6ujQuY~LJ@m_YFEBG`lOW4x`M!~>svn;-M$5*!s8 znH+nkSGxGAG*#GXXXo-M2pdkCa4OG_1-~DMD!0@}HxrAaap=m%@UaBx8?`@^e?C7$ zkfP_DrWejuX>q$0#63*Af$g@(K`*b{&|h_NgQ(UN@+uMJ*k~Wo_s?HEEyJZ|>89>H z_r%h>@?$%$P{<-Pc;)NdeD&CrX;LtMd_@GyxO$IN*1bBxUEi903#o`)>Z1{wWNljx z>zWUgJq;+sPNl{l894J9Zd!~zsEZz`N!w3t{}KA0^VeTI+76kk0FMDP(7;qR5>t2Lw#A&aG?PBM|xj&X9CbDF>uI;^!(Ry&jL~NATL@)EZ6Kkk*B6TFjI<0lV zt44oD-#CN){CLn{*0h~(nRDP1rL~;7lIEj-A`+5PSB8F;>A2du_2t%OGfPKplfRML ze?nLO@T}#bLYQeIIc!1JM_PV1!TO!tS$)~a@~IZj!frK%_!Pm?!mHCclJ2UPWY70| z_W4790gqBZL<>u#1uWW&V!DBq6Y9uN9Q*mUb5cNe|t{?1nZq%Wp1d9mAi(pKy0tR64~Ylz)wu#J2Yrv5%XG zinL%QwJJiMAEYlf;kU-eX9Qis$~lLM@{JQZ%~B7`C2Po4gSGxHB-v$vQ;?U#@XQ+{ z*xVe2-!r-->4G(GqE2d0z&K~mySAn8@yWHK#ghPlpsm<%2XFJ1bp85p+M}8(6lTh_ 
zaYX9bGtEldBNW6-kk_Ys;3EY={zwe;TfkHK1%~!A;^~6!{&aj1tdbXP1dy}3Ss(p* zl-Vq19;X%)dM=jKfQx7Yynv~|;(?)51^n6XB>qUDm;iJY#2ButV!K#Y@Zv_)C5B}O zUt!+)XN?e3x?A5$hU2*V`CEq{MZ4%Ebl1n3Ss_1*e4W#uDRG?AL!DRA9jy;Kw4Ssf zSG$z&`nqkasUf0la%r4#995YK7KVOkg9KdU& z;V)E&mNC8T*>5wtEzI`nyq$-14+m&lHpDfQtBn6NWq>#ap~E91Y@`Mob=~I62+l{& z4|49*h3zrC1l{Pko-C$3LH`GE+Z&A6S@R}(RVJ6rk7kzcShvbXhkE$xt$*$cu`E+S z2oDf!O&=GE)#xeC6nkZF_G2~!YCEKv*IkZy{6cALV7?XjWz<6f>zed7<6)F%>BHxO z*hEcgzj|=$WEG^`_Fsl6oq5H^D{2%<#JmYK+Y50l-jLhY8st*#LoTvIu-Tz zJw4a6`w+W6R8H*d859Lr&N4!Soj6`nh+X3t_w_NujFfkDv}qrtY?`w_R=a!Fe1tAD zDHC%CzZD0j4-s?BrXLQn1CmV+O_qotsB;nEo8sVU+4Xuv`+Oo)%+z6)ZTkn>u;ur) zcQQ-3AAcTRtX_NO-tV9F7-9wS3 zskY+^EYZzBplvza>xC#N=frxIgE-;_o%-Li)}xB_Tjxdcg)=wT%#&s)N)L{|NKz5F zEc;Hx6)zZFO7>(@o9glhflAA0_s8c`J6WqFK0hkdw69=Mz=uGN3nc`{Ag7A`*xLH? z{DfPSO1_#qVzw{5Y^=LX?^wZUzx0arje(LP%QdEE-k=v0$x;eH@d<#3L7pHM)XGr6 z6zm;6VWu0ta6MWydVg5t>3yT$EZ+~D7E>2Oki4?3g%|28#1q-vjZ+qwp68z#ufSLX zOA}RI3C=Gecw3dM4f|L$RUAn+WKl@*@6imjF(`L+$sP;kZo#-@LDg`hrrS$1*tp>kvhc;O zzfaG>%C+!0(Fg|g4XOvJHWFfqiv?hsw)7)y7vUfE`oWq8FSO2%t9OcCn2J%mM6d4D z+%6r%e`bWnHXWowvCCf{bU2L5<vmxuFt$;c182eROWzA!x$!Gq%a;AEa zq*g?7sq(N1?*cu0@0rYewH<9k%tJTH{IY};r_r^$1^&aaz>*asV=L*C#RuLi!8{}* zC_|9SFcm!CARX^Jcb*`B%s-2(?&G-K=-Zg8)jOl_;kv%WA+VWvyTgCE9Tq*uh$Ahx zx-=%F<8vu9L=3(-lnO1RJ{_dq z_a0!uO6Az&SuXVcH}2jus;RbH8%0r3X(G~vpnxD%K|op}C|y8m=uzoiq(dNB0O?8* zrA4JniAa-{NEZ<4gbqpQHK7Iw@hqQx_V?}gdH3GmyU#f1&-szT7%RzIVXga~_q^wI z&Fi8=`ncz=#W*h>gjpZslAZ?JFGiC%;?V4gT!DT&Qc>7aoSuwW=$X9YA5ya62Gef{ z2ag24#Dy9Z@Y%dE$sbm>cGJlXEs)WPiK|UXc6Gg(S-a_*S(fJ{_H@eaReQT`dh+ww z`Kp5nGr+gatVX?Ry> z&43@W+oqvjOb?2q;&nU|g=D)vP1>F7>b7;@<*lsvimvkuvjuw>5`@IMt#T)H2abTj~vnTmk*ed;Sm}%zk)@HXN9Wapd%A9WVRdpf_T)#Aw$-EkmlJa zA6?eEKVDkPkgrmX7kL6~5PanVd*PHGSB0MI(4v;o%;^b`Bj#NSI)ke(a!yHn$E^ZicyE^P>L?+mT0BfvJ>KMp$TNr*IMlrPDc$A zw-$5GSrq4yytcPD;8W@@RR`_>hVFaezXsC(JCObV`Fm`C$5K#Tb;l+^nU52Yj{wr) zZ^G1>KDw1Wli|t?-VnWSgS$#%p&HFN<=RqDyv5^G15^8ls(h`cbt1Hc8K53Xygw6# z78&9(BbpTzQj~_b8^O)@_dZYkh<~Suba;JY6q>Ggbd5R!ro9HtSv$qH81GBQtMXUE 
zf76ut2wY8kIDE*X?)tgAEI;g*@M0X|Ji=3~X3L(`*4Pk4+v9fh1YBz#8qgbnX#(^c3Qu#g3gE>on*%;Euc zd~tq^L7IvqCHRoc{p;V&fl|eJ=30~$FwP=cMSokK?`V{{J`vXoD7-EafR%iPX=1!?!qjfotVG% zev;j1j+YMw_OqD)ZjuS2?a!9H4LtcD@icP5zf#cE{$B;%1?&HDLH93HhwK~wk#r0F z8(nI5{2v=XEr!VYnUMA;JBI2$d>^3eDv7PgOUre_d+KHNpbFg}VPiMci7<1y0xQ8{C@ zEPc2c+b#{T@d79hNpGR23*@;r22A^h6M#hYfUZWg??QS~z0TQ?)I7R*R|Xhnov;)}{hw4{*h* z+~l&o3*q;qY)+mC=lChWc6bGr9o#`lfMRw5eU-x-SlD@rX(Pu<&@?}s6J~)}FIciH zj8`i>|M>RA1c)?7p#{~pCR_G+p`3bZQ+E|0-<@JlGdR^~(4fFhJ4lwS4> zFM`!c8sBqs_DZ`(XZo}lQ^%)xJd+16JD)AlW%?zp!OwqYVJNxU4Ac;=j_d}bqRlzM6ekOM+qnp#4PZoBPoE!X>V zaz9puZ6pt&%5S6UWmkK|s4Vpp@%rWhK=aVX^-{ul}|w0^?Te=&Z_81`#aT~AQ8gcyB3a4pE&)wT-p%-X?t7IYwq4-f~h5daqo=r%4U ztQ^r%&olp~k!C)|08PME@K6|ID`-o)7^vtB7#?Ei0K_3F>KLf{=KTQX!2w}S?Z0a3 z{9nh#)<9#Md(K477&P;^Ed+I^9#_aVyR^c`aG##y87%okxm@#NFXBDH+0wSRSzyorRlumF`g! zTRG^LZ?STnsrccRvb&vyTvx{H$Wx3{XXl_F!T=`9IbT4}2*K?qA#k_G4Z&p7#Pl(* zC^e7oUhEHs)+E}J@Qd2tFOO{fbnf6XI5oJCY5i$u-c{lnDr9Ebz@zSUp1b1b zLRryTcAC?@FKjtRsq&4wR*N&c$}usA0yqE;J`q@NO)etz=#1~p;E*pJw>>K3<;=D> zT9c)%S{7;_Uy9&)mo+1Q%D;`I84o@~u4zth2u8HTJAJpk63KgLKOROI>_y1G^s#?yPENJE7llN_adL{|RqqV=?hrqG4NX0qF;J z;v|U8G8kR$PQ*GUx;{r_z%-<~blK_fT_yA`9vKA|Cn`U|L@VDcA%_YJ-W$(HN_=^p z@G+pU7iU3e39b)>ujT+0AAaOofzgrD@jJcvX;?;lJqb|NVVk(D&i%&t<)Fd6jgqn0 zm-w}jd_T4VJ6x!fN&haRWw$oEexMQvkm%=Q)ASx4^b5CnjD??liyK075xrh1dj#%< z@%B|o1aHVr6J6dWS^p?L#uuKWoz5&aib=^6ObNhx*?#|cZ9vzDFXoVa`}odC2yUgo%!{ty8O&1`T8N%Pr#+SY8IVG7t& z`Vn{O%j#)I#r5f&+k2lnfZbn=tonduZ%c6F_{xH6{yT9YMD>Bw#h}};X%7|uMcx(m zYcHM`=GVf2E<7|wc%OOf7p0+W;WS&H8-^M1_z2;Wl0`DCa;s+sKzEHyZf>4OWGx%uC`C|EaGIaYR6?Ti+{N-VQ9|55j}$aZKTIpJ%fru{}% z)!MF=tdF)Kyz9n(rGcZ5iAm(R!#BAFVGbS&M$BcZ{`N#dZ7*lpi~n0l1L#4uCFa+D zGQY3Z=2y5pXw`N_fL}~8TweiSH*c9D#HpjL;Euu+_{g5SHEwlzime=nJVSobj!ksI zP0<@+%lZQvxE*rSB#T!}Pw(3S37xEFC|3PB>OJM0|WJ6Nh^f&Of_< zY1q{>CpWkDZ8f@jheNzJsPv^F@eEF41I@fr`H#yC+Q+`>>ba;SXqM*xw( z|Nd{9t}|)CdNy?8=vX}rSpQo3F)lNQ*O3Qz27c2Va3_+3<=26PNL}VPjR-d&ksW{EoGXLtYwO5u#GBzkHj zGbIVQO$5K~z_sdX(VEH^X4{wpP`$pz+G5_Fkp#ree2#K{({zH|3}FDv;-4--?1x;y 
zEIkB1A%>vJYwk%39ORGz@j*n{K>+0lIR&C>LH@>{sBBQjOK7&Gx3w34o(%m=C3wA; zYtx%B5y9P|ji7xtUg5S{s5+Q;R%Jkog5b5iU1DQN95+gaPWM!^{jJd>y;#vR&nMTm zBfv#C)tk>B-8cG!pQxe8YE{bH3)W4S0BIQ7f`D44Kr3vA1sF@fi*yUo{DZ`CdKmLx8dmuBUZ%9NCN89EBmjq_DAF(4}(o44By9#t) zBvS7Hk2<;}-p;BKTV{qo^a4Ama(cvIL<9-pO3B98i^O=0azvljivZ4I(W7ifr(uaz zYak*P#*SD5s3l!~1%NOis_4hIj)GU^UMJek!!vCI>oXfz%-`me-Lf(eGq-?|aSO94 zLE7znR?*ntv5>HVZvSoYy(ryKMTh^{+TL|5l-z|13M(N$u`#PG-7u~kysobmh z-eX3@fj$6n5lj#*HgF4I+@XHcTpvMFT+#1I;M4iFLZ~EQ?j=Sho?IwTaag~;yeLJz zM}1RMs5c)u>Es{SQ5qJof;Fs(k@94#Y4+l~(>)cC{Dur&ETAYW?E%l?CE|#g%5J*2 z=ae=d1bJBT>!+RLrZ7N~jw4)#0+WZ)kK{y+#83(>0h!2y5~OtVd|6J>&x6vhR#NZx zD7r~@+imKGbBRI|^&#~h&g($M^V#v$mRml}$r>vp#VDw8(5XZ`vqO{d zh(U|ekG1c{izfM{dBYFamrYl<1O89S%`ct5-Tm6K!Cg&!c4gY zqS}Lw5Ww!xm3&yw{0hbaw;~w>qanq0W*qr&8{9*UXHb$~pP`m=D2z7x417Bzix09f zcuEGwxa6**4+RrPwl1T~plL?UW-eXwjnyN1ySkW%z>d0Gg$P8&KaugjdeMdejpb-^ z6v2kI#nN?Q-=scaL?(g5=VAFCt>Dr5qbNehcUW8vh(lQ*h`8CT5BNSyROOXL2)LSg zpJTAHm@K}}v+$^LgXT4QcWZyGpX7FjEPy|Twgu^V|{9wWSO8#-rKux10L(%ROu8{O*O0Q;E~wZGO`?h&I@D3F6&Zxf+)%Y38vH_!x)mt;^#B z!ZtK^Cb&6-kLyUwXc^}){^NHa$pK~KuB?Hv>cfm1FA(Q7h??|o7Fq;kA`Q0{cueNj zmt$5D4zO|b;4IxsWrv&Ev4G zO+w=o%5Q6bYg_LVs9>K_AKbR`YiXppmlYh~>SsEWJUtWawh&NG@f_SiPIxk2 zlQSaWW*d~}V+@4~p@p;(kaVAZ8sVB$fvzBydU)Cy3J zU3(mu3EFcbEYzp#=J*cOeskJp0Hj!)lqy!!5AW`MIxg`DQwgMRN@t6RpO5c($B|B$ z)Z`W#UWyQ4<{J@8VU~GIgNwRsHrnvKk(+FNja@!R_Uv$&2~yDu18L-#UWzea(q|JL z@=y2ZpiY~)&F5%lQO=T&i{T8zvNC5f?C^}V=HXVZb$t05AL`>+v1ObmTLf7m70xt< z%>e0a)6BS43!hLuIW*4|!K@63Q4PBGe(aX98J%j+{HCc~)M?5&7T%BjylbKXq zVcl~pb)iDFko?xjHJ?yNGS_{ zT0UefU0eS&DO*yLW)!(Clyq;rCoAW&JpN)v!iILt8=FK4#aaL3uH{884(hoJS|=oSRXvtznG{ajh?N zD^0NGRp<7*UbNL^Rx#o98KX-DdW|*l9IwzqVOaEuVP%8QJteL;+EhMGS)bl!aB%_m zwVwF473SEf(&Ir9Lnq_Bnjmq&qUdXy0O9B;$&a-|2)g##T~1=YN%#SgId>DV;{xf- zqIoGUMCKMixu}_Xv%lebp>y`d{zrj)BVvhFGdAUs=9GQOu4kh^YE4ByFv-j);S4%T zAx#0cGX2VTKVn`roW?Ih@Q(^g(59{Tv@8`qdER;BlgW3E_DvkN*OALnfYr?BW27rm zh}mb#x{J-}`e6UoOlql=Q;2-A($eEA`q%aI=7WyLmnI*l)NgLD1P83elf+s930UQz 
zBDgGRq^6LJX{HJcdYU=QW<=G?ZD|6fkN7#E98qZ81!>il6PF1sdtRf`)C)}%49I=5 zfFF+2WPoop>R;2S#V>no7u+LHKTKfadbKh6oX+s|6M#G8 zNDNCO_S%xYNCKL}RZ{0yf? zujA{`X`g$bP`i*5V*5+XO1`ri>s`uZ-d|*>VCi~TiEjElOL z3eZX8-6>k6w^c;Yo(oy~BU#Mo8*#oPM#5=iH&j#ab&Jo_qvURw?33>z?oTw-o((E2 z%#pW=gcb}P^$J{>7!@g7EXMm($=K!dijSts{7`vMWBQ_tNxT|OVR^C7x1<1XSTlwP zFvV`c@kP%{#acpMl^M4rX^jI?s?k@DOuV&Jop~Lv_>=Z)Z=a{(?2MiznR>Ifn>BZt zWckUTN%jOc--xUAa_Uy`2q|6nHE|t`m(^jrm?nfOO( z;Ps3`9jVxM7uU2j543-r75jsYFem=<`RLoCEjcG{`TW?fiP{Aazcn zB7n#L5G#v=#Uf9DdB{l<9bgV3A`aX3_I-NqUGxyY$F=dtxeWIqVJo$S09*Vw)Jsg| zr7*SzQe*~!mxp>0K}T+@Syl8kdY5MbZ(dcF7#oh}XYIWl=ZL=PaJ%-Q=qzzah}(P5 ztih!{H^m`Hb@SY~l7gg#+~9&<#mM2Xkgcq%o&wk-Gt+b=F~@S#$+w7#37lssBm1ldL+6VXyj)1rWxA5S3r!1$pGti@-#JK$FThi9z= z>@bNJZv|<8nS{w=HHG$)TRM%4L=?M>Oa=5syHW^Ymaf;uwhH|G*ZY2%|1$6KQ3vZv zLWTE|tLA2O*Lqctv#M4%>-=;`Zq&V@anhlf7*p0{9veY)D` zpC=sopL9e3Y6^|+8qinNfx{{h#Mj{zSKY6vkP5HOD!mCejnH3~f$u_Luo_r zeh0R&U=<$QzQNX+udua)oF5YcL&~}V&OeptYW;+FKVzy8e~5zu|C>12@Lv-Lw=ryR z=Yd@W!0wrOR&r%XVi(B6U4f>QDaEVb?+9|Gho>mlgnJ$ z)_|9;WO}0NFpj_8LnCxNvqUq$R;liFOz(RhZlji^R5agA*jL zVm*DE0`?S;`v|uq<%eF*!*nzVmTUFQv=nVJ;?t^pK^p*qEEJLGS}ap5N9q!zb`u$0 z^-eb{zLw)~Vv(*MISnOy!@y*Yz3@RQ55;U`cZ#lQZx2mB;(^p_Bxa^P)kzwwJ8drm zwh9vPU-J{RqhmuA1tRyJ_T%d@eGNPWj}W7DdGkul1=kA`%X@1rk<37%a7FoKP{+0M zj=ABRoOMaX`ky1TnpBPB>3*cR?`^n<51bD(vD zreTXV#20w>_o2iqR6an+_8x$cJWMA{XX!7`SG+Kdh#Z2}zhaN_;$m$2zWPhKU@x+q zoSIKY>eP@^3-wBDuVo|0>XNPVenQP0-Y01-z;;W z*(1*_-Lx9z#XGf&@3}0a_O z5CFtHs|WnIoHuORF%OjWcuCmf(|^F) zXYwG*<3#eK8D2ym4DcUd^#&?zB8MBGgTDX$jX|;x(0lm-u$56#rw$Cj4QB%%C|!TP zaY%CDy#0&4FD^`W1ksWTmIq7>1_4YRuzQi8p+wnur#Pm3+DO#T(lUFVCGXoCE`q`U zzxeMKA*e*E3Y-lKaq^1g-fWqBh5(>=S0RMoBo)fI(X z&QAc(6TtBR_PlO!ot0##Mh?N%mx8-3N0fnDL#UCqKn+avoUq5*t2OEJ8=S_Symb7u z;h)e;qyWlAI($bsMW%=x1tWE|l*(ufK6J|{uC3x(FK^EgBsnFo(Fwjj4etc4;Rr`V ztjlQLp{fwN1^QJLx%H1(A&Ts;E*4bZDeJneNPao5!KI%mrkfzk_BbI(?W8cNkbSmaSU()w+Ir^nDulA*qw0?L}F z10WR7M$K7a3hPVE=# z8Af<09(H!+=|pc)Ai}tIpe(P_(b?8q$T{ov*CJ61rgJm|F4{bwzx1vDXk7p86%1Y5 
zCc47|$?siotR;v?=hhdH>wu$-#*75Lo#W0g?^Ww}4W^eF&*952R`O?fLG5e$ZI0V3 zi+)uO-xjO+q&yOHD5iUy8OA|wF^RfIM0S)a8Ijlq56r5A3!*%CmK>8m7$}T}x6Yn; zu6>(J8TyJ$XtKn#AlX;4d9WVn&SIBAPN!I<$lyrhDJ}jNlPuQe$`j`j3YP{v^u)Hh zSYMV_4P-tZN2lquS3Rk6ZqwJca?4N0e0FaEibtagYJbJ;{h264ML{ZU1rCrNEwCp&3A@Q4L^W?_m4t`IKP2BemTQ{C|1U;2yDVt+Rs**V#Lrhw|@WIUk zfYp_{4JzekS&dSN@1#1h5oHfzh8A&V?SQ!2VTP4Q6_aCD4(Y!+_};kMa{b=T!aLtzD|CaJ z8?qafB_-cVU(Aw7$pdBD11bHbU%@GP>UokykVcz7og}w|LN6eH)~Xrm=sE9EFn2yx zQLcF8*ajABzi5S~afiJS8gdEsa{;{ zONBe-jYC(r7E6C{x1$$|pyQ+Wi_8O3eu(X|%l zw}bKbbzQUzi#3cq8j}q58tb_YKN_L_~hm$`R{+c4XN{v1^k>@&Eg8{ zwNc3iTkZf~VdLh%;a;VPvsTX7Y|(*-B)0i>9UTp4%Nv-ByXLp4r8upvNj38y`(F zJ>c-qTC`VutY=yfXU54D_>L&J7~)o^L!m2idArA5?FY;J*`K)p-&3a!<2WDUkG({`ha9z9VDmxkkWK zO5l&DR0KcnOWQXig;wL$_}i+p~Z;z3oX~Y=dRsMD9t1##{6B4kFOXg z6`7E)09cbjD>H?26u{qjLBx5WlVax<pb7wJ)So` zRpHzDK*g#Yt6?HGm`1{JWqGI6b#-Ac11+NlSf62xD#3?l+D3VC94qbI<1v$>>{#_Z@UIoS!EP8Zp*8hTY73*82dVh5=UFQxL$9 z>)9VaE)exDDitvsgWU3+1^|k3>DAvfx+QLV`GD=#UzS@J{+My$>8K3uhy$iSj$2L4 zfMXXwVzwPfEncr~9*WS;GXMSX(m#I{4Ir!kpPUnt37U|ZEsHu*3L6N!@z=_)wy)k# z?U*z8td(RfpW$?Bz3~l;KDQa|`P;NbbL7%cQ($q`1d32=)aCRbkx74y%_to)8-Fv&Kom1On)Aox+lICI+ zim6w0B>lLx{elH>h=1k&b_`JE$#fQVR&ECDE>HD4&d1-rkMtPr@n2~gl78K#p~}l> zW69>MWcniUvvXIZXykQ;2Zgz5j>tJUFzo)Nsn+&9F8SFVg}JAI84{TeNRWwl0k5}L zAo9&}05|)~>g^v#7G~)KbNC+zxPLs{3nPob)-X8Om^?uv76&>zv&x;25rQN8SqP0R z#8|vU`S`Fru#34_<9@weCMjr%Zif{XGefk*94LCxBSzo50c0`k&c zPL%&iU{I%lpZFK=!v84X{LjvdgHbL;?Oi8ou7v=zdh?GRUn@6~A_yCYxKXFRJ-0zR z9ZB{|bww&W^}-ibI5-y}Y*;|nltYQ?j681tO|#dG5ncMPK(GIJoc2)b_&s8-k9r9) z8k-9YUbHBsmaKVnn{tQT_Hl)~<0WoTaBzJyd*p72e>vnGja|4Zfk6Q^1zHpl0Av8JO8D$d)EW`!|gp!_1+mVrBA+y4r5r2xT>smG;%2L@DwkL_BDF^#fwI z4MI+b;3BBE5WQu8q7Q)1!g`A=`%85=TbVfm&|lR=N&Qps)odIPzEExMZbGVwoFOd~^{ z=z+}0BHavQBfF!!9lcZXZQHPLrgQ&VWF_d|)H&gM)Ud6;J%i_cXr`HzV z!@)$ZAhtt`BPD7-_%fifd?~#>4v#eo7j;#c*<>VU!b`y?%n3w z+3r$-R_=FQd1NR1E}@F;%92-%$DyA zK-6FJ>BsEUaUW+MR|)yxQ4AX92amfP=_iDSSP#!r?2eN$bIWK(KuUEn2eIrcdn9}0 ziuf^wLmiR;1Xknx*0$8X3mhY}c>4uaeR~&{4)z1GUqWJMGm!o=e+WD0x~~X|^gZg< 
zR<6x?3(H|#)in`d6ZHQ?`Ym#*p^=3y6tt2iDh$X7&Yc9F< zD??CIfnG)lTf<*8nYoV28kjc7nU4=ne>VDbIj`J7 zO@?VE+%hNV-ZnMVI2rzehN&41G_^bjuG;y5+)J$+1ty8T><%OnGG{e_SRDWz(?E-i zkDHO?#e+KwiKO`@jGRlqX_bV|pk{gY9(9F>=QanthC})+Azst}@g3U9VGupJ{vHXP z$XAM6x9zYV6m-1TFu1|){5}O2?jUH-y&YszTl%rzFNAydpb3WxSH!mV#vworZnF}e z28rnB|F0~1^=o>cp+{vkGK0FaQg>cq41>JHf--5S>{NUY&49%?S>X7n%2Bh=J48! z061n&vW-)%R;lp!()A7o85}W!mZZqhFVmTkUveZ zeR^CNd#Wt=j$o!k-rH(7zkop-Fs{Gox-F|Es+IZ_;|2njh&be)!Ybs@MmESa7`1K( zj2k^tGPOg+3CL~oQKBf$mH#w>Jv5-6TagbN7=Q3freGSVp_FN$-BBMPj}lp(sVv7I zD%Uk_hD&^HRNOuL%XaBgp7Xa~rIDOtNFGc-NDz7X**@@xs!iR~iT>;aOQ7vKW8!_7 zlPR#sNe?y$Xm(5skl*8!Hcu~clv~3l12tAWjQk$r-iiy}(J;pau(r>-A|k@11|TlX z6JJ#VO#9Z$c5EzlEnv3!qK}lml{mIf@S$*#)_>M~$ue%{ zZkCO#&n=(g9WI{Np6L4;DHuGT#(xu~N^HbF|4rkF86RvJ-%G{oL0Z8y@25jT*1=2G zoh}~AUVLMzPrC&}4vge4$i!tbCv`mX?td$tebuPQ(&SoUrH+M zbA?kZ;f99TOc*=RSzed6u0SH_j8GID{BS+;dc(Of?L6jDW2V<0Fn$xO7B>B1X6@1Q zn5>C|Jp*5)xc4bL6;d7&%ZhQMRqx75BzD}AeGu0ijF8UvPt~Z?`P4&BXwf8{b^$tl zXCg}w&NJim#@|Rxsb2Xj!5Zak5py-=;_{wbMe5PrkGh$jY4^G=^pq!e)D7S8grnQU z#truyKQ)%UE%NfHzSTTnq99;~T?{oIOr_F-Pmx!@16vi2gfv`a9x<^w4Ai%)Yk?oE z;=MYSW>OJIaMBFPe>{+Ry_4Ubpuj~p7i!kJ9Go}*-eY0f>E)Nrs#m?sw!OekC{~Av zTEBwxFt8e0+XBd zKW(^w;Y@&tdnzw-EiuBWhPK%}ywUOQCbLs6<4Ex!oAC-v#ZzpT^G2JRsmP#re%6P^ z)p`^qedgIDc>*xxL4JjOXS{~>8b|GB>5oWs(1uL0aZ&U_5^9eiWDG81JkSTX|DE|< z;GkMf^hH9etwhqm!nR>bp|m#N(aRf>+7IeO9MK`9fW%wJ@_Tk<5a0XHqmyoje5gWO zy+^!VxAqp-l?c)rOmmFks{Ho8WyyGCIGp21hx`fg3e674O@hwp77IRIsbh}y>WSM+ zyDAH1$tqpEK9Tt>F1hy+!7MMj!OqM&MJ4}AeRFQk&sDHhp+2+uOlmb@+glMQ8vL!e z_igsC>l0~KHsERutaTg#az#|;^f5l zH)@fmh?9UNq~GQ^v?={%TAecJlrnqv#Venxwmt;PI#^#wzTOlv*KqD);!KzT5k+$`rb5QqeqjK?;xJw(H;wQc@r;Z>TXHG85r&%^2 zc_;$HFK!G>ghoQ^M!0m6Ub%;#l6z7hd2@)67hIWh-Vb+qJWuDf32tpJ$4owTzGowU z?z2@g-qUQ@?Wd1+t!jg~9mmguRQy_HHA>%RZ;+^>wC6)ENr$XukaXq(#hT?4al2pQ zN*CVR+Ze!G9f@AY%P?H~B%j;++FqUCXq}C7<@f|Jkx~<~|5q>b1HYdrfP?W)5h}?}IKfAVO zBUDs=1=6wQ9Nh+(l1ju3JV%>^Em)@=zK1BF2`dftKum0-c)++nx6`jXTW=t zF}U_ekD`LU=5T3L=4M(hkgZ*83ToOAD%@i{MujV((5!+}=^!Pd 
z1_y{#pf8g(TP#n3uU4q*GD1R!e=RV$y?>er;-9WQMsD!24_a814ypQ&;ax326{rF;~>m>@SSxBEgPT7Y<_@abB--f*NG-J<6Su({Hz}!ghs(FVoOI4g6t^EsAT?$Ue!H&DT&IYH2;-Avk}g zRMxqj#Xokzc7tS@IaE{&4Gez$U@xX?d~7GUdcS{lsFxHKerxkA`~ul-c4?=co&1at zJ3PGD_^rmEa>7z;+O+bj#=)D*uNOIg4W=K`TOT7SFk6;!~%QZ5Z9^5Hbg+&@0 zayq}RZ{=g&LU6)cZdf-194EbFTbUP+gQeQeUblo1dNzs>C#Vom)blUb{k^ib%!0qMQiu z$PG+d7#FmVoU5(TX83x8EA;DzYLeDLl+MRuAXa8G*Bxh2m?fj~t=%kBd$Ma#)_P7n zdWtsIs8la8woY}u*^jeCZ*y1$s?|oI9m(3@^NFH1{9zDKS37ww{cvx~FNRYx308Uc ziqjPhPU*P)hoXtGXyN7Q+s74aa3jg}^~$r#x^`@h-9Ij#U0a_|kPU6c8QX_c^x3DA z3UTE-j$12RDXAjAP;%()O!3siqpi;aODXV#T9c2r$}ed9$nyAWPyeQQ8go!F13u@P z?)3sN1(jkCgy<2GQIEc)Z!MQ@q#4kAKP;b+aj$l`VrRDWU5Y>Zy(}IKA_ELhdYQdf zWG`T6d=~an`T8*u?+gjSWr?kM`PAX)HWT({;v0P139B}a&q#L7)2zVG?YS#jykW!x z)*>@A*(z)0a&Kf-*V7I<{r+?SOVVxL5Gae?tO^H?WBtS|{Xy6jvO%l=069{uXrW(< zvgAH%(Vx1I5+0)^@#fq51okqPkLR2|Tb@~i(7JF$LD#x)kcf%#R-JW?LETD^t7*!I zoHMni+At3kPgubRiY*z3lcJ&a^N9}_Wa|827CexoLew}Ze&@S$js2sHSe*F3K(5jEs zRC;x+QxBq(?=+zAzO)$r-?gOwtL@{L%%Cw1hWTWvmh^=B66;t!>1Ouqpm$E^Rp_1u zpO}1O%GveQFs9zVONZrY@>lgzs98nd&P3K-!@8KR_Hh|;EbF&>@tT53!RIME#|0R7 zdZ0T@#sFtiH#HFTqg$!ininBU!+ zow+sVoAg)_slJ3>Ob37p3Q+fsNF>FKP&Ys_T0}C(_6C<(%4Id=e&5v2UD#)bT3&G^ zvv|i1Xr}4FQhhLB_%zRz9Rj`GswvT(^-WW%w!R4t6mQd zb!wt}P%#f*beMZ5@raBNJ&?ggwesG@IVIjoWLmwnU?m@_u8ORGkTGr zd}FgJFZ{5l%RwpH0G7VU(juHc5J6tB*Y>1v?)nefp{_09Z-3Pjd~*u8Teb zBMa};T)-TOD}vORRC!;?qF^aq(l0aZOZpF69k|+bB$p%p-JQnh0RZxz_=6;~7*q8# z+8}$^Y!J(S@nJ()e9b={>pNj0yYAo8qNuV^{MkA$8|lLJ)@APY*&NEwCUkW%ar|*0 zntx(E(00Z+X~v)?v#0PZ$2F+omS%GMiB6Ru+JT14tBTF`=9)2Wzq;+~YQ`jH4*1%Q zpIIbGUb?oMQk($95*~ylp*36f^ALfFwDe9!+ z4x%-E6)C^&a%PkpRupmaNm%NdEi=H9hS9H%jHmv3H;z~RQHe>rDdYbbX#BYQW*ue` z=s}So%rI4YFSC0%L;NJ-Mt+zwDcW(itB7r{rGcACvM$DX(XRO`61T>;miJx5`eS>( zW`pw12U^pqfWN|P4yLp*S#P#MO$HMJW>F7b=#oad*HwO~mZ)=T^9z4`qsf5IrO~u? 
zTYKl2fajc#9x=~-u(b4)OX~;!J{vJ@U7l#$f`h#(DcjL%h^IGUGMW&K4T7G2%}Nox zpb`93Y!qUj7$+B86XikSD6)}WWw)YsEbOG8_+hFt7DVV{)}clxGB$uUH9A8&!(8{nU_Sx~Pn$%$l!Xtz35zT7bRwR{kQ;1jhyfDrR`E z;}*yc)&(Z|r{&B9aRBa(#_TivrWv%!gBRa9{Rct$7wTriU7h|<x1_GozZxaqRQ?bqB9+h8>S{tX9vL)b2M za{Nd1!8(D2>a`S`6Kdu>rvP>lTX(Faa2<*(tM`25RBvYLHXE$p?$6s7*bUGfE~zT! zMBO_2=2a@hrM*7K6sPhE)ea&{z$jVr5tz06RY3Fo>dGPO>`Z&S9S$(Z{8s%|H=YlA za$n!^K+twAr{Y;3l`iI>o=PuJVj1`X5aZG>cqEeDwf%j>xP_l8mdPO^XGjhrDS-v6X9HOMUH!w|=hU#$Kp6Xwo=z!hTgER8+vSRU| zrt$UToL3vA?!wu^qMTwS?p;rUw@$;wK^G3DmvT4Y;8rIx0u1>67gAqrN zKsvCb-~r?Wf6lgpe1@r{OMtr-2PQDWOd|1OD(v_znzwKA$BaD(zb_Wy(NL8A@jC$0 zQXznj*f#)J#qt1t%`Pt0KF?CmZFtXV%v(em{16N(Tn2CsND zDS96ODv}8157dzd(75_6nJFh@fwnl*4OksGrRu=ounB-2`)mv-Ot1w6e~2aWXKx|K z2^q^LOaj)kDlrMqL#1M8_l7x>8m%8*H#MH-^ri2w9BA$VnB|*Qi{CU~yr{!Ehjo~b zfii3`juf@BtDa9AsysIlGT0XFuB-`&D8MlKN95p-i@o*c!6(E%572RS9&oX*Reb(0 z@DrJr1@?fFdh%Ve;cuG9lF7em^2x;un`B`F3h;C;B1T)}sWA!YH-86{fPr&v5a{Ye zv?BLz^Z?jzPASLtABc3B7^R!yqUsc4T&b`i#iaMqK- z&%~EiA{mwrkY^Xx2dWT~$MC6*BesXuy)ArR1ve$L)&WQJc*^G z3nvccm`A>OjUrX+8v7`ABry|>G-DFm9NLOcSL0_M>LgS1%`B{u-Cc^r-fIDyqDKeG3%u0doN{a}Nleq0f{KEO)Tjsu2uMd-EE^CIY0^tXKsrcofv8At(xodc z^w2`2M!JCXCN&UxPbeXf;$5EmFZbR1+~+;_+x>ta@&pssnrqH6#;AZfO-sD;N*}J#<0=5x}i1v!VgCc5q^AV!H?s1$&2} zH#;Gen}Yb1|NcF_Khd-Kd*p!(EW z<4|R-A9Ja?CNNxWBd}Bf1d(_FOe|iqEs0j`FcSAMDA921)Zm_j*#ItnyrWbBJ7cqs zS@bWFvpLv%+k{O*svtFdiNQJJ8<|t1)Z0#KLBq z0N4+TV5q>0a>f_V)O~W?e~e3+w;ZZ$0+~xNss?Q*>~I`lR;b@bd?kwl?8Q0Yku(1U z>|dvwef|v`#TPoRjLS;9ZLO-2Xu%rt$mRa4xVa{^>>U7G?E?4EO2A@8l#Z*H7^XL- zG{Yb_6wg2f(T#N|TuS(1D!V=k`6<`5)L*Jd@tt_U#Q`nBS;<23LlQTcI|8r{2akGk z^0Kex03yk^sc;dA_r{jr;va3ODkkl5MK1iN0r{{HPKe&pU46zPH#Lh)W}hxNsXV_U zC})Rzdr8i~jwUYF;Auj{i7sJ>*o}>S4?8{4-h8zoq}M>UBNLu3PcL@t{L|FQ`5}GO z36nX}UaXnr-1+<)h+KOyXU)}u31q)dci>)$J}hFeg;Ec*ft-Q1t>v*P5bO94%R^e zU0erv?O{UO)GM=HZYP?dBCZM>{GX1UtIn~rcr8ZlcTb6@EyYT43&j@+`aiUTNl?a) z%%|DFZuM2OFpaEjk}s_L3mI6J6$Zf0eJ}v@zI&?jz^U{~4n*No+Xqkg0=FIu#5|%2 zIR*t#K)fBV3WSoL`U5)38gQUzxTz0e>!MP>X;RQ4qf{@z3GqJxx*q%&XDNWKM)N;^ 
znvNDQTeAx;*PtwsSa4)B53H3rzq_b8xf1wFy)e@EhEUNT>~Rgmx1tki`>vBAAR##0 z=j7o8ZT+acY5%)9>Hc1__Xdl?5~3xmn#+U~%;M%>8VnM^)eJ$60sJFWHmKFGyct#~ zKX+JCK{$YO=Ye?bjl@s8QRGIC&8WEfDME0ekEL)+efpjn&#ojoTJuZF)J01vLS>8UgDy+5l8N_V7c5;6$0?Roe+r z)$CDwa$Pgq78keKZKw8dg5||w1PFf1 zW@{evw8Jf`XCJ*yY8*>tFz9^!kwV+AQh#DFo_$l1=NB-R@GT)`ksJb&?>{~zBmQ$n z<>pDP_}VFjl08s6+u>1!=j>C%(N%}cCnw(Dvfga;ck$s6gWpu{pLBRf7dHKJqKXhf znX&!EHi?sF&R0cfKmTJDD#Nn7B3c`5i4G0|l$nvNh&xy9rv}K+5k{SKf()}?f75u1 z9^4f?;;o&XS2^1cwrIC>ubsY50s> ziSPFV8(Dy~_up?(kw*%F0zNSFW?XZfMX6l^vi7T`tm$L1Lj&DU4u_ce-S%EkB<9LN zEYq*;r=DEXVW+x3cw(Oo3?3Ywut5sY2f}*{f0x!z0Z(*Bs?FcIov+D(`E+L`YT_fD8c z8n~|sSo+lGmmL58Di!Sxx@Ni@MiK>Viy%XEU zE#xqXdtWWXT7{WeEpKIb0z!1(L;#TNHxn+SDgzp>J34nP($^70c>>z4oocSRMkR+@4q{6_^cKlP<~&y?V- zCmMrH-a2;dVpb6^(|CnF-fb#dKk{A+{5YjaC^3A~i4kSSug9gO#k~}Gcb;bclsY6# z;Q;&$Oaq%Q1kRd(Y$n(aD^R;Ps2%G!7Xx)fEN8nS$RIl`WhZsaa1UDg#r?xKJ{p6J3HLmx z@ux#LgU) zsVfg7Rm+3|JM4-~0g946D)eq~hymTSn^!U|a~IviY-tJjbZu{X!K^`M^Wtbx#E&|K z47<6RKIf#VShEv3Gb3>0Iuacu<;Ri57Gb8Vo$2Yjox?JIV(b6#Y|q6#UPkCvUa&xm z>JkA!viUxc`3vn0SOkkzfZ~n*m%U9J0rYzK`p=^av}wav=YK@Ld;W2Ur~kS>qz!09 zr#u+Hd&+oZUs*Q}m|-g=_<5Fgn(1J#cJgS~#mh@w>>TR%?QjKpl>9>5+6k`-Hm~%u zDa`;%LG4MN#+^2RKck@Qz~3)(Yl-7hM3N?_j(1|_!WtrQ%6MHw0i?WD1mOI`HLvUJ zVd2wBcK(urQe>o=PQ$uO^SNkVc7M59+t_R78~bau#!#t-++^D&rMcl`cCAoa8NRGc zyLy9`ZSMB0JEIa!OyWSFz~wl3gvNMr~uO{own(Z!|#kEI34t(JVjGfo470FZzOl(=^h;|UJ6Eph4dDl6}wSixw9IwdnOFn-qVR@|)I&BW(Wq;sMBa2LW%oju8zij9#!pCIZ|Mbs7=%-)Gs zro1CdTjCJqhqF2g{xA2pYf2RO4e#68z)OyOIb7>f!@Gq_OUB!jM-z=V#>=7^W44Z96dqhZ)h%7 zIkJb7B|+`rlZ%tUETb7jqU~y?W}?t|Vd^avGE(iNsu8{*5{1-cbV&IGQD^GntUbKeTIl}m z$`}8M5`zQy8BGRVo{tq(ZlMy$cx`{e3rOlRR_r9zOtVDK4q2XMvkdvKl-@t$2>Q(5 zG!mNBMHtBf$UZz;{V(>d{}f^UOO$nrayRfNde0U{2i{T|h8^7>3*3d=P0$gX0aZs1&rSXA0GM1&>va_| zuKBq9cX#M~=s&5tX%r-Q$r(36@#zJeFU|#u{e#T=w|DsZrjTlyA*uTrkAYdh@d=_2 zBs&y0(&PbVAPWM@8gx`m6LW#o;LMNbBc~EL)beLTo5y6zLo~zdCCm1WjeI~)651k2 zXIZpT8qyxP)|HFbnZ~%u&?2E3b_I2LTd_awhIB&ZmwON{o5Pz2b*nXRnoJh5BJE1; 
z6z?|SsNoi6K52qAr1Nnl^}WlJnH`zeBEqd`=?5m5QwukfPh4VZSfT3k{t8!2RJ#b7 zIgfB1-WP8<@0kSOvRd|$_tPV>E2%d1DVEqO=jB_GGf}malW9~|XqL7)&;!!}Q|JW` zSStukq2ErY4rM8J#7h4hfG5q>x!knZXG29G9r^@@-|H44jV*v~#1abuQ>?3Bg&=QCqtVI~SL{emh z&1nA76?txhOarT6Ex?R+X%Gs0ikTzqpo;AT)CSrUS_dDlGf>|NuErAiPfe3R#L*K~ zE7+d1!14iPTD`0GL^%68tXi|3by3}C%v#B;{B+cVV?QqB?$gT#Oz%RgOrO&|%crmZnj(+}s241^HR@XtuX zBoXLAK9X4r$v1}@#mkAgUFP?O0=sOOgA*j{OY0(i1D7mf1{oaV%oj)!Wcg7=Ch|F) z^hcx)TzB~32e$r#TM2)!SP-@@r!7w@c@L)pb$!)dA;*O8gmW zbOIJc*+Y{xEOqI_lDTAjbk$8z11#RC0G2rIqI1&HB0{ON)H%o=5V;52V*X8o)M*k2 zNQ>ln&9ksySGs=Fs17%CQ;K2s7*?NEf-k;5s0ex%j|z5lDU~ns%v618G8MhyjqV+} z#n9P2LsS3;*|9Ak!Wm#ZGVD?AsLWLWI&)#vc)z*mAl4!6iEF0*;;;XBD0B6H!#)ln zQMISx0AGI%bHcN^ym7MnpOY?$J3MLmmw1ezqGjg~oO^~Ro{sm9B$O~W1W_0gJV>Ny zfs-l1unnrAHttP`Z9gmLGlB0XA5I~vz;>}Ac6e_>2GQj8h00NR>#yravUzdu%HgYw zsEmzcUq#YfhJ$y7|zN=B=B^%2I^}?|LSsfdSmj;_J z`+)UvfeD_x*$U&8w)^%I=^S}gLPJhN$+wb@Utk6uHAs9uZ%Bl!AqheC$ZySD_9qYU zI??TY%yG(=SE#DT?@af+DweWdNJllF1A>jDqmd%4YY&O9PmzdqoJgPHj@cC1Xg z(%14vzWZ&RXOPd%iyPkTgeqJgU@V;Dp#NzG-Bu>347nI;rRb6TSS^+CK5qZ&FObw2 z$7xsdGX!cc^_l{_h9FMJm^oUlT1G2oO{5WO8!+me&8yNR8xaw)Wn^tbGv>{>jF~?n z3HRnJ&rU3D3&T11$1vM6Xd%~SBZITt$c@U^lS|~rgYHc;c$?;_O#pR4TTJ)Sw)vTL zmKB@&tURcg{^}IDq)cD87A7XvMdK~m1Qrd~^E`E2LZ+$K2da4BE) zFR4eT*=2N7Zf>{^*8%}a<|zvkTkifWq4LIQe32ua{O-(UWgA^yxC^@XUtg}v;dylH z1N`R0@)@hQ`>n%90tsm)swC?0#6+ModcetRWzAZ(Uy|pr*Cg4*ZEniRr44SGOk5QC zK)p${2L;bD*Nh;y-Ns!-!WzwZs#Nc%JY}t|i3?dG!7E-AD=nPB2Nx11w-{?V+N!Cj_={uO6Yu%$(Nxg#Z_tY5T zHhV^vP`v3TYS4%><#^}b_&yQu-c$wu!x;=Q5_hGy6>@`m!9g}9NC?U=9f365K15tR zuAH4zlJLG3BD#O0lO-JVL~>SIY?Fd+g%IQtQ3^x;A#JO z(ZE?1dhh1RViF}^(t*=|aWz)*veX_%yP|HaAfCR&NZ&ADXGW|({w7GvVYv6LPFc*? 
zOG>JGAMLseM(5KB&D)E-OUL?gE6(fu4!IBU%!&87Ou;jh?t=Tp^_z&EqVn3+tt!1uxqFHAMyLDeWy3>C!##+o-b z7Tdhc?4A0OyCyu`>C2nHtC-Tun1LwPB zmSr{Ubecy?^Q_y&mLDz4LQtc;ZW6=B$^H6{Sn^#apKh1)X%qZ}g2*3Q*4I{DO_!WI z#UZzK(#y0*zSmLoMst#@jpxiqlF+`&GpO2>CS=`)vT5835S5&(IA@Al_s1+-{s_G5 zgCi^BZ;uUx)_^X(x&G16$GP2TD!T5t){5LEpRwQJ1VjXcL@of*0pVuQ6p_>}er%W5 zQrH-8{QX$2cly@Pr6`*GcbvWmIYcoGfPES52pC$ZNsf<8=Ltg_EF5Kk{~?LK`n#CGSgR%M}5A!R)ahJrWfA636ON9V~rsPP8g9DQUba(M4EqynEL6z!8s&(5vL= z*Y|5mASDb_A|WjDj9Jo@^j#>d4Ems!XolTp(F+;vC|K87Pfm-@`*O}Y_%}_Mc)&td zrtkL&ViVToER-IHYMrKtFTjEiF-)6^Ox0=F0Oud-Rwbwvcjw^05*lvI3Ua(Fi76=b zndqv8;eNud%JY{(4MA7Q`t|uANy|;~wqB`XQOUj~6+n&HZBP zCh94v4SaBo8io49+iFZjFJ@*csrtJ=N2b-MD+kGMf?BzjaC-b<6K=^W&W7z%gkOffuWkaKO`mMUHyhbF!qr$-@3P zTJI4ZbGO{v2c`Uh_knLainc-o$to0-S$dZIGTqSdwz%9QPXL1Sp2r2%o#KdkpLU3t z9KZ&~GHhX7v9Z@o0&Ui5Lg(i0a#3FkY0+kzQj=@dEei7 z&lh~Lu4ahMEj9tiHh8$AKT}@kY*qmvyoX zUbwloKM_ql92)V?Kn#sWI*hUEw(AtJzP4uebE;`5vQ5brRATrDI}emH)ZylbwRr0& zw(Jo3Q%9IqK9Vih0%q!F6J@x8`Olvw({gFJMn(5n}k1`}3NOt0}(W zCPHDPW5r{AqElJTd^}nT3E1<d& zd2!NHYJZ?2{%+P;-0lam!F-(%JY=(#0JHqC!3wd9dA8@KJT4c`C+8aTc&nL-+CQ}$ z+BQlRY6+^NZ}$wK+nySblwN!#lB7zeZy2Jot|=-^K+nLTGWe$s>iHY8iqR69 z7T!#^eRl3d-}Q`4vbx8h;6I+dt-Z)_9(s`oFSX^mL9_%m#l9!~tO#MxOrbXsBT#|D zqYLWFpoyaeFaYZ5RPpXi;?sZz3HtU^*FHvrK)$m#vc zk_uj|ThBrfuz0CB>>n}OsE2}nm(j>vXWxxo&2OsMH-;}CT=^Ik)Uwh5jF}BOEbfh$ z2-MU$C=@>dGYcC|>A2ZB^!iGSPjR!2CGwAD+{qPeE43md&4mjdRUImXE`YbT%ZVoQ zUBQjI3y@%A5nyn9!zV(j;aht9$aGUorc;Izn@RV5|Jl(Uq3o2KgmM)^4w2nI2g*AP zY_~*uO`;Pvw>VQ=YuLkR(VxC>N(?`v#P$r!NGEokHVc_*4IE{5B0=VtaI?En60kEq zyDgRK)=b2BcNfb-qw4dztMebNzOz5OyWh#cWq?;-fQ3-m?ew*c$xnyK7FZ+RJ1f0y zLyZJ|+~TsU*IUl;MSBG2!1KivosM4dmG%kO;$k&C!PDezV`*JeF8s%$gW_KasOdVx za2-Q`-QdL@AssVe48Sm3-DX1h9I;l?Z>LPzHsGXipye$yns73t#!LU6E3u)i$c z9=MgV71TuCK;RvzZXK@$SAI=sm-IMy2VMkuQd=N&umzyt6NwPHJy}GIZm-9_*3Avg0Htfr}Gix*@lH}hsv7PFmh%8>19i=zt znEQl9q^0dtFgzr565_u>b=*Tt3C_RB#7}=8ULSU>9p65qQ2=?c!Y_KnP6_#bHh@7J zlB9SWN6lT(a3iUVm04Admgd{qpgz6IWmu65nz`ygC~t;Ps$p-kiAMG8#D=!o@5B;~ z$fH5!M$C6~+wPs%h7Gaiq{A7}tbi8|v|+G@D& 
zH;p8*Ob(Qhba1pKh%cdD1%uEZ59OlM_`*2#@2oC|Y`qQrC3DQs+;bfEA@9Ql?hg#w z>Kw6`!tXi{{fJ^UdqMZf?Sdlmq*jhr6BL@oRxk{4U!y)JC!C5ZO2Jx$!y6%U^@voG zJCM!=Q-xI>by^XJaJ9W!-;zwsDmt|sMkC3&-(6M4I=f?oit!RPgV8GC#XfOU`fz^U!M2#RneVk(WS53IAly{KMN=;-w3 z+qa}!sNhTS>fGmEYKa*p44!(#IBpO|7R)80HKmNlQyq$pv!D%yLGJ>T{Xnipz-F78 z0^oc-ZadBcAjD zkQd12nuLC2eYj1?qYE=pXZTwV&+2Kp&}-|pk>bttV|P_p2!WUF3xP?=DaexVPjEH3 zP2E@j@q&Z5;FPMBHTkh4+kpa~O68#A>#7mQ`O2Coi(9CuI}G3T?`JbMif|RV!ljUo z!rMp3kqJmOej795bls!7I15xTo9bQ5cg5#b6~EJYHnn?u;Wg>QZzny?MJNMf zTC!l&4EfwY=Y7k@CnbM34gexE5INxa?7(ZWUD-%@ki!sO;brO}dYz16w5cbwAX1_0yc@~1DP;TbNokR zy*hvY3tg%HekF0Iy$JU;X<+XWZxRTMW7J>zU}htBjTt!;nFP?zDl6HctK$ukgIUuu ztT0y)f>?{q{f^tQOVv8*WQyiC*@|B9sPn-k?J;R(CV^{@M|@7a@5 zptBn{P5{7iIaF)x>+S8Wug70e&Oh5J1kMHqKk^E&EXDw|d&I{CcyJ*U;pYGM!TsB- z@477Uticecuq4cU6T^g9W68yY!IS1IH_ZG|v*^tqM1WX>kUwli7e`R_Hctw_Tyg&! zE!hG-3&{`6A}i})7@%4-_g|!V(44tTT`t+@_n7X>r7$kS$#@qWV&WTT{*xvWqC5K? zF_q>13%1^^-u=Irw=q?rRh8f`VzEsE0k!K-9)G1+L}8Bkd}{?tB!SUEqK; z8E`-#N>XL~AO5Bh1do(k&m6eC1E>Mw_MpR6U;++20bI}R;6S~J4VB*De|J>> z?KRM_%2w}h8s1P`F16i^4;ZB54f;X27n;X+1MdKKR1pvg3unM>k|?(-=?D5-=0|B27hwC%O z%5HY5Qu=tsZ0uw+J21Rr(=W=KA}WKg^-;>;GgIQTGvLospYu5GfrQ=H97dY&1J2^* zUjZ|=$z&76m30*3=J3<=#d{_nTyjkepX8zEXgtm%(F<7EW%)W?>Q#!r6H5H zbZF07~J?<{nut+>ja z`Ark>-h3S(jp{Cxc0T0`Iy}DgjnM^#bRw=di1aJ0xe)Kc+YI)leZUZx2j>FD32-0I zGf?vTH9OL5&}{Q+Rp0=O8OpN=kc8Gw3_?A>NoqV*9(G(rqk>J@z4lt?mrfleg>ogW zg3iH~xzUW^t@G%U%g9#%O}XVSD%)hT6qR9OJ2GIGcWzAlux(!tVEX>1;WB}mQ)=a1 z7d7s*5++m|haTKmKTiyMaO=v;q_c^R?o+u*B@N6TTM6<5e*-j6iU3}1|8JT!U=g^Y zDHT8f>GxlUkV!c}a5Rsh#P~^5Q=USqA+>OF^c>r78U!os;1#0t?{7dtYO{iUrb0s{ zlY-MVpIIT}^;j<~2hq%>vUUwO{_K_xNooW*88ZGl~@{_X2ctuW~4-)^M&Mv z(&d@K%I`@R1lF@X?;2=Ie}vNe22KT|q8BTNILU4B86!2%3yB$@6Hir!t+9K_O=Jy0 zc-S&Zl1g&-PCV-@yYCeVVoY}T90IN&o(@4pODT1bc6T2yg4~C3G5f15!Sh?3i@kTV zA4g0A4$~%r0~d(iZN25Fh~0zrf@CMd+>eGcG!@+7pBthX+2(@%Yw&F$mg}fP00v=e zcN=*drPCa}IY-$hay0=24sK-trFJ1;6g7!2fTIh*(m19o0NQUk`IuB0bqs6ROxwHG zbteD1PLYnDP~eBMu*^VnXTV1blD^>w+Zy;y!&BXcCIEJ}e>DXHbhs7(;{gyYUciA! 
z9C#AFl1{`)f@>*h@Q!W8y}29yW{UjQ-_k(>=cD5uE9RjzEg>10zlnna6kldn1frJ$ zBir~(Inp=zj=BGJ248gjW8Q=7rD9cLao38zIu!(~k!>#!M!I@~fZ&7EN@6{Q* zH6?9(vOBHyOW$j4aPz8%q|0fB0j9?C{!VzyPQ{xzUsOXwE$-sjLHfl-Q>h$h>uAHu zPB&)dVXq|vPB__dR9+Bg(8)HQxyY&85hzscASg8~Z&ILQ>6trc+EY=Kb~i?RdFRuE zjXdQimHiHhxY(|N55~MrSP{leP|b7T>PH?riAsbalWWvr6((P89$(_W(lpOCb7i1oDpxW$P=ZBsghG|T-xcfh}el? z?zqy12$nLgAU?HFw?Ho=t7*8iqS-PS+Kk{~|CtA9^ZL@t_Sv#-qw`=?** z{Azucamrl9c_gpmvmVT=Raz%H!}^&sav5|PW{2U}X~=Xc5R z;Qt@)15;|yjxHgPYt&Pl&1Z33Xi&7g9yaJkx{XEtQ|_t+0ns--F}?3-@5b#y-aw^? zouOdde(Q-D*4Nw1Sg)+6J7e1;STA(tvTxGb=-2lj?K?W^R43QAZ8Jp^ZS=l1tigbT z6&VZ2t2#AF9EaHy;k3r$CIbQh83Hmv?#(z+@xMDV`;0NZj;AMGD3FtUyRA9GKchwPa}OTzGACw>7w$Z~WpmeNHRPP?*;g?aB(vznT30xFK4vaDz*&{mNakW{Y7~iy zFPjz{TGeSoTO%6aw0gRG;lBw%4Tn0feM!Gvcm-_f1@PtHs3||;U-?;+1BZu z?`l@xe6B`{*qTN2m2deQd>WTAwZ0E{0tAH1p!FQ6)}#3Xrj4_D)W^V-z%INJ3t_Pj zydNO5p<5abpX{)(yY5=*+IGn@SWk)P>V&YkjCPi%87KoTd{j zCu#yx6$AWSro$q|ob(h|y-U*D$z(_sv$&{re*D&r??04Jyl-;d3e`YOAaBNZ+GOE(#7gpyfVkeF2~yx%2DuKPn~GyNm8V44f_3m@a&7&``ht9aLbfQ9J%rto=d^IgUyEmJ-(FD`?6>8> z31&6lh`HUWr*{kz!}v?W6izT^-p{_hOp+Ki-xwGK?lE??jeR$WDv{7;9R1VVpkiuz zMs0{+Pxrn$Z@=%cx257(r`{k!lUYr2t)Wv@f&{O=z98WCHm&-xk{@IXgBwsMw&8Qz zvaXKXG}MlG@_tqqiY$KKa4Y_CO;rWQmkkEiG9dJsbx2+VsCpK88$3N>oR}c}nf3Kc zVcaRuJ!R;iR`SAmsialO6>PPm6k}=Om@|IKMf3Pr8esh{^_utU=49Q-H!SM1=>u3E zCFt+?w0k*C37>#}EEiW>1GpEg(QU^P>FLu!Scc2So6-@VZ8TzEJ`2zawEbJH!2hZrK#ax`?_7zsD1o)Ev5ZSi z-0dLMoKA?Cc3*3hhw?VjZFkr%21qB0Rt(-0ZUl=2)HnCgz z%LwT}T;T|)4=y&eEnHZVe)9Ta@5n((deCvHRUmR@?iQt5=)SaY0&cZ4t>H>E@8|I~ z7*oQDfzyBTArk>?zhq&YEFwnJdlBRTMI?u{=7*}-Jdxw>Y(-)aVVs!n-sAxZX1PH_ znG|s|#>F6VMn&uXDIAvUl!L-JLCyVDIU5`aMz z38KoWkR@XQS6V=%4;Y*m0vqlka!0$r;-%uHONvhDKJm7)c*_#9&pJ6ClAy98oICHr zzA+WtceomI*c;i9%4SsHBx~AG*=@OZ$P3&!B;K1sS3g0eFZg3mdB{Lz>jLb0Z)k=B z0hKQSE+Bpiyigi=0XAes1TJ*25^#QTB3xa|{wggLK~qmHDAMN5&fTV9aGK#TD~f*y z;OR@{H}3Ua=yL`$Y)m^MuTDXywN;OKN$Brge3baHOMpq125l%I1K%_@R`y5TgB$PwhMm+4K>5t4fd!BWVZao!6a6~ymX86I zDfaB9AI&$ZP%Wgt=jTgXci%qS5g+wtMRd3j?`pP-(2*r6d5x+?#D?~IaInW@Bagci 
z=L!nOoFT&BSZ#6Bm-X@M!c}MYV7^MkgeK7e1eh-yDT07XQyVDuyKK+Un&YzDcUeu} zTwKEG^);op?*nOi4(h3A9SiTgyY(yov*?@ScUm-jX+4@DielG};m^{k*LG{py8sVt z>(kqDzn;7tAe1g$Cc22o$jnYe0HncxTw5UQ^Y1sn``TjQ-65#9L#d&Ur4~Bd4DUE> z*q-uf!(G_|B}(1nzH+)JL)6Zf_Mzj|bAF&!81UhMc_Oxc!kMqGCStlL28+=;eTpS9 z;*-Q(#*Uj;FHC_W@5T#$0SfI3A}9m+a*IS*HiW45=h+eY$Gxf9xxv`gHg|8B%;G*@ zGg#&|0E-Koww);E9~=;G37_d@VA=YX@4k@7h2A4>wusV}Ye46hWt1AkQ$>_Pu0Yl9{h>%BEFzZ*UgZ_m^woKT|L zJ7;*c;OWN3V|_(3$ZwwlCa~a^q@NuD0OL2*5KQhb2&$3c}n!pGp1@&q_E9o7)(q5P?5N0CTN}Us z7dm3^dZM|xXjG%)_Xh?~Q4ibB%xKZJ|FMH%{+Ai~zuUZOPHof}B>hKw_5THL#nJwa z%zFT*((~gjTR_*r3tF&N_C*l}B5Dgf4RWBij@@b^0cb#_n|J-Y!v981rZMU9nB$>>*xurc(b59-bdz3HWBxBmH^rXCny70>F!dZiy zxxmqE)W-!vV- z(x8WRWgp1-L;~j!(1GARyS0r-GB5$rlP1s-#7!1MG@;4^Chybj5Tax@(1+$yZva3N zc+CsXLcI*s9N5kHoLC!%<;RD9;2+IPo@gA3>UGeLigxswR*NL!7O+$?ix zPwW4Ry==efl3lowqGJkh^`8hIb0j+o6h~#9em|(M$85)wBc-ZjbgK+P?^A7xQ*3f5 zBf1!k%7e>{clIPXg*Vh4!o2yFC+}SCO?smn^y9TGTTjmC0bn)-?4_7Ldnw>#&&+}$ zdwuKO4d)UX-C3@0#497cJ;hz(?G7(y&c^B()~c3!MSSbmBAR_1_Rn>pG9eg&fNMZB zHSdTf>w$2YJ_*#2%Lc&U%o?~jC5#ax(_>WcqbgtSU%+te<7RvI!2^3VkzE7`w^t$a znFI6OuR*|9_&y0E7Psfbx)>Z|=Gx*FVyYh#8x|3C8}zUo;z+x((q5EMUr32OBaPp? 
zp7{ygKMyq?4HR)e{DFW7nz-$&$DEkY-_Sji7yk=cVm~oODDf@Y@J?Zi$@dqZnKd`- z8SaxW@5oZ|x?3&IsLm9x%3D07^sM!Nrx|TVQBvh;%K=-@#Ab0Hmo_i(l=0X$A$`gC zc&G#ISiHS2ClDo2xkNz33$8(e0|A^Ln20hg3P*dE7*5+C9i=%K+wGg?n3|r;q`$ey z=l<>#AI&23o~gzQ35X)k+T4-w;(`p+RU3KiEkug_f+U@YX`9*ithP$40f@ps*J^3vqHIUu5 z1c-xEyf#YaH9KW8&vI)augcrXM(q3&BlHEIq#$npoZiJGqY#NuNzlekhE#kk# zW7PJeZtOmMFBPsvp40izW&cT)PVAIqx~uC#_7sTVjz0>&i{lH0vS88Yx}D^u%~`5R z94uNrq~~rb3Gq^uGpY}#qudz8ZLm%^K)<~8amV8x`(>yo{bh;Wn!;~Bf6>VgU6UhN z1#G=e#|d_@NyU+*$(|!3hYsvQ>e{sxCW3O2i7^g2Rdp7OOewdnWqw(dbZhC!aJ@NY zua?u^IqpU@T`%%SAu~*x(+($%^{n~m#883-yS3}8WdTl>ZuAg3Y9H(z`5M+_;QSg@ z8b1-0lS~lBKGPTr4$i3xK27t;`&EzIi^l_lqj;~#1z1crjpuH-taPx)?l~VsE2`pg z$*;9%mKBYt&%vsUjGBo(nvZqIpsuto=dEcXLz^?}c1|y@vt+cgU1~lePLBmjrth!Z1^>8 z+D{cNnM>an&$z?46>1d0_@dt-{IKD+P<%NiwXdF;@x_*jN2%NCa@n+bv|a3F z9~)z$C2j(n656O>w;&hG)aC9{xGrnIRm1dX0s12$=S;}F*EHttIHj~vJJ%;ciKxJp zP-3_dYdKF+H$hg_sYW+`cjtJo`fIU1gH7>2qotKr)9W&Dps&|a@-|+GHzYJV>E(@h zsmgRt*-|_WBjVB#s?$kIk~wpDvgaGVEr&05f%kw8g|omx)~Ntd(0_EtL~iYdtyM=& zsWkWLD;H?vM(GaF@2O{ooShVfH`7#tBoH8<-KV2Hc8V;c*A?oGQw>!gAkRVPbE9($ zu3uslU&*dSgh`<3sl(=1Mh`R9MxKql@=p+2KG?h@x-zB5o*8!L?)&ZyB`^?P!yw@T z91?iz!|V=D+LpjOK?Z3iXUF0Gz$v3%Db9mk)~mazb@Aa3NlfMwPtjjtJ$YXlY*b$6 zjVJL=*-LrZ_h?939eO=z=~j-G%E>#(d;QB9 zwqQMGU%5%Oe)+k>{6^hLiR5JQL!v5I&BPwHM?x z0tX&7qLRlauURC~)TLZgxySxhSs-HiftQuvOUxDIE**80iy2@-&#Ek-K9aeM)}}a4 z#uG|>%-go&I|mn+KJV~qxqVrUZR&ih40FR z3}Xr|5ilg%pttS%vw5pVjyw?7{`R|l1r6fOna_%}^5ORr5jj*lXTY$gl*qEct|3S8 z&+b&bM)b@j>*43e(k8Sj#>!&8NNj4X`f2z+geJ?RLS|n*HuA&X&BFAM2p|jU8O|VR2@oKVUy9iojZKJll1*I}LEbx*Il&+z1b;{7 zpiEi~r@3{MOZ?e($)RL+BhBh$Y78RXcTye%z%yMcM4)IpM~Cyu{$kWuurB>S*n97& zrrK>^7+(t_BGN^HC`DA7G^r955di@~dW(oiZ_)w;qN1P(L_k1k5$QD|gbq2%!33bapPj zb>qjB#ir0FC|5dzgvrGXdf3s1v5P6AD_+aaQ;@8*^(%QTcwmXs`TP4l@&)dz$GRAlNx}FOa@lt?=I@N-%#LQh4ZK`UL88Sy z0+n&~HzMYXLgasVxnYy&g`S-=gwG3S1`xf9zTzu-F)fxlLF>i2!x6JTfAjrTMqKQE zMEe~0UM;wC<%Qm>Nn4DJm%rsO;QQ?YzFz?;rfH0xnnZaZR}Vc!xk|*mnd+Jh6N8zN z#PUYQtaM0e3SnyAS07$eu{yMHOyLK$yigP)p~6PU9J+?i(we9eE-Uf7mwCKJ!9d*4 
zCGD`sa(EvBFYyPQZ940%YtUtTB!{xdBvsfbL?l`FZl9~Aw~|7fj47*#t$sHoUf|qK z1-j{k8K^TeJKUzBA97Ot<+fMv)-Z&@Y;es%K)T^a`!$`{4eA%KYR-rEJ|<>~8o~6h zxPE=GQ)scT8)Lp1P*$_*n&@EtXjVwG+Oop6!o>xXQBXMEOGsJx97c8CbN@%c`2Y9s zYfv{kwwg<>D{9Cr8%GtSJ$dq6LomBpm?HqR#1N)Ek3*7Ap(m}XpDs2Fw+49poEJn( z^$?dtMv#+`F606?2q2#=f-XaKP>_1+kOJZ1q3+*`t4|1fVYFuSra*l*#sh>+NDTmN z+oEZQvwkbh9jC>BQt}okgdYk+9Twmrw+xIQyge}Vxk%_)v z^whjln1~V-LC$!^+8jisM99j3SW_zhn&`}9HC80gOP>XLVUA#*kxTb;UMFN}SpK3j zcBx^tH1Fg|=2(a#*VpYk*A3T?9SePc|6|@fPU}s^?nXzhM91Ontg^S&mvgjtV65=7 z*9FUtEvv@ez4&(g=ew_R-C-$q16wL->TdaWXfb8ufCqE9bu&z)fK>JjH+inCq}OYB zrmtEKaTnY3NWa{=Im~b=`qYyDHakLz>=sC3zF%olc)n{ZSw*76(X3`s#Lf1UN5$)z zBIPTmOo$?P5B6_w6h-+V<@y4L5xYZuV^pz#Erly0eL^I+dJIFWXtnf26X{i5a+VQE zuG0X~fW2DZ9o*x) zt`@*d5zWKw3-WOQ_P}*KXnKT^B*|_%nr*LkgCcHet&7vv4s2@d(3RXGLFSyC_Xa+8 zIuI89l7wUxSOPNYqZ+%Box2{)6HnZ&v%|dF0;sb4Z;eJQq#k!1y%$^Z;O{$#Q0ycn zoQkGhh?Azhu-TQKSQ1&!rt!d4!^sbBLw8RBbpB1A9z~Yui)663qfG)L1W5*0dVvxS zo#LK`E?k6qLRA(p9SbyW`0sXQ?2*BM7&h>?a{*WHC}b~Y3qs+%`MdI!HjqULhmlT_ zkXvk!3Utzz@#0A&BjU6_SqUUm$RglBUxRa9Cdwg?!GZkCh&VHiAGMl*`~krJ(*!P{ zw8wJraW6+L0KNJgn3{SdYe|a>M60;V1${T{PDs<}g*%=y---s( zvzP!H=A4=Tj^1MH#}WAE?bp8nhTtD6N}p>14^-!x8a=yFt`=QB5Q6y1dx>96C zmu!PRhV0O_0^jvDlH3L%;#Gi1?xz&M&Up@!RHOvx->wMqf98S)NGT}hP=s~i;&%_Bl#!O7(B8sr|AolXlq%xgxcQDpk|5Lc=KZB9}Tl*Ig zA^>Bkm5DXJ+qvdy^JK{G@>ik#if>e>A%yV3dBVl!YK{DS#z+^h?UBJNR84|aR5rrvMz-&cvjMz9Bjq*$%1hDTz){ZU0YPGKU&hreicNN;v=yc5(3zkNx) zbWL|cWO#N#<^K+)5ucLh?`n$%~tB_@72>(;rJKteTpOp@x#A8{(e(Tp9bZB#DY`C+*8Vm0fPK z=+vz^xXAgn;eM8>iy(Te5a8l^UBAKc{~fP@&`{(ItQ)%ACqbn%di4a3q}@<-qXwvf zL3W~Ji*3(AV;SP+7d^%(^4L9) zS##Uny}r3+`P3+iAdf$XwsyGhchawLTsAsp(bg`Iugn4FqPIC79K^OXCPv~+%edQ; znJnAt8~szx&z0fa4PK4&2M-N!tiRdEO6E>+mD;Mh$<^58`)LBxN~TZ!!zbpk0gyV& zr~M5;ruliENxYNNsP@H|KdQ_f9)w3W<z2qc7KtHex|Wl1`1 z+t;s6NbIZCUkg*gt7TJus3vWe6xPnD9b{!*dD zd+6x9nR(uC%AHeh^V~Qf44`w3n0J2S(E$6xxz}kU8ls7>4VtgK?XVjm>AASLE%$5% zVT}g@bnW+cW-4cKvNh3UkQZAX`BhGaeF@~ud>&id}LB<*g_&z z*ll9QaQ(FrS1m6QNM>_7=*jr*E*{ItZK{@S-2UDmSytllp3bYK=<}Vomeh1n)^^*J 
zah;UoGZhbFMVwgQKvd9Gu1=rGsZ%YMasaS!Lp|2_GAC~pJi3PeL&!iKVklXT&o0bW zy0$;Cr@|i=oN>bGZow8Xy4^(nRdVeDBR!tu+o6OkAK%AcxLMLNxUcln|S3j9b zVAkTP_HPCt7uhd78;)czKHKFYyz{1+X)5tsK=4$6D|AEF^ZuwR(R11^TxOj0Ty{yD z+0aJ)flkA*Sh2Mr`@+;2`lCKchkq8Iocn^Cw4}&iR}oc@93)cvkjXxlyL(oBP?a6` zUE81O8SHzbmkpk}`NC_I<3}??KOrB}I>3OI8ADF$0V)MPua4ruSH|_$`!)IDw)~wwCc6@({Bt6VAPx4 ztX}C_v~!Vhnky{mH}JnxFo8R^Ok?ar+?;SxH4#fKc|yZm+}&+vEbWxhhMb|#O##Kr zVKDz~bVRLiHv*D1OxCJPV2TedSq;$r+9%6Z7Bv(1ba779{6o^6bRxag_WbxM1eY&~ zz5zBEw|jM-p8GHQ3rZ^*uag;9-XE#EJ?1Tp0eYdaH?QP|3~ z)9z{>EX@|1FF&mc^w&@2Jo-GZv9hw3;IQM6-nY0^>Z_tc#hUvzid_Ot9XTbakn8ZH z0pqJl!?l+j>}a1lkqdjv-$mBkp=%vm&=@#|rVhuDfTw7QZ+`U`$wt290~utq3vr%W z4P<3yu)DTk$^G-55DyA`KPaE}hPX^qGlVWr0}SLLSj*scOMql||B%`>hqSUcvvF!+ zg4}jdFS7Y&`Xz-MVf3o*50R{kbykT8AS&ds-xu|Ao|u=^TV!x`XQ!9lZ8T#qS)1c% z1hq8Fxs217#d5f8G>+?37K!8fogry>v&Ln$QE(M^LABMT-+gKiZx&C*Q{InrAqO69 z{-RUA?#a7C{&%dq|Islx z3MSo7qZya)JO0r`xWBPKJbqg+BD7<7H$UOBtoIW;{Upcl-3gWc(yMME$P)SxiVOQS zefCaSQ93c(x+Xj|xSNPEpgK*h53Wx>fNwUCmbf}3JGORNHBAu3^50oNx%GkZkm2Ts zT=y&$6G*FtY5YT}R^Kn*nrkEkw`T)6b`N&C^#J2%T1AvRypz*~ET&zS{h`mf({=f4 zK-7Ea{&5T+CIjbeDLhLY%Z4sui;>g$&>hFU%-TdoaYspLF8l$@c2YdEcuPEp!d-%% z1Jb14Huwpi>i_o_ed+H|s3BAvEY~kkX z_rv4z6#ka^SZl#){ag*%4gb|NO~TLlg(u@XNX^Kp_HzqXV{>CluLaLpUA`~%HRV(A zQ0+C6dYH1y8kqZqvKGs9W;xz zg2KuQp*eK|%1X7J?7i!$c3Da8bAXR==b+U-Z~S-UN;0%D<$BlF$JkZ=9yznzQqSX} z6?~ugq_=XA_73M`>h`r?M!Upq>c28Pv=_E<29>EkZxuj1H&Iwa5@?L?99W8&9PmOg z7Ti*fzw_uu1f783M2gN;kx{I~K!NPrnQ9#QRi2gQ#cOS{xzggN?nsSz!ccP~YB9DS zV@&eZMSBy&!jlV2dM}pt*P!x$(dl_ewNEDG_UmE0tv263N+V-^H?5vT;6h7=#Y7$S z28Iih-pro!33nC==lMnV0LHaU92#~SdVh_1&IIqte`B!S=Hx9}?2g>)Uv!T_;=s}D zdJpF~+qPEAo71ahwXX%G&}&6^e$e-$GY~d84!dVn(!8zxSYE948NaYc5f!8Jp^}yq zg~W%_P)DNo-VnAop$uIe+n#b}(!%YOCib4KtFQi$$k4LSdha+5l9h}w_(k^tMgbY|8) z_(2)0JQt5rpr?aWm#>Mmfu_TZ#8NS>`qim%cBjL2W2})jCyj&j;^y{kXBwS2?`$X) zT`(39#y+hJU)G8{_lwSak0+}2@&x~=H(cvZW$j3*_NI88Zkw!^;sKtewKyQ*t>dR@mK z)3+)_|Fna8nASeF`S$4MWVYKm%7sT7WV?J;zxjqX5K{wQMJjV0b4aaNAX6>GasRow 
zxj7n2W93Atcrl1e&hjOa`jd<~FP6AVhhI1t)V?k-Xtp~yyH?y9GEXSDK>3c#| zBJ&EGA_O~*T)5efr?!fKFC)?cBC2Caueksh!gwfw6ool1nTKFW*QAd zU`Z|Y@pq}t_vN`5*MZFGl$>lkGdc0e0EHJi`Q}TO|0F|MNO4l$boaB zqB~i^I(=pqAQ|1w1mb)By*1AsJvC=vv?pH32XYeOD_4)?TL`-N;%H@zb~)RbGZS~y zIlKvv3||u*Ck3LhGKuHf?CzI-`BIv&voqUpfB4(0nJARneZ>UIj@(-vCG<$|Vt1aV z*AhichI+Q2sDc9YOy=OA!#&t!)q8xRJ?5~|c-^?ZyPv}s-)YmnOSDoySEDD-Ev{dgfx@hG=im$8e520})_={@0*7{7gmO~t>pEK1ya*_ zYy9%^NBq*`K=Q_=ABX-i@pG}OA>axdx|BYvKpQ1f``j4_>bq=(8WK5&Q?$j;oM)g0< z=n-SFUOIdzfj@q%+A;b)x~7Aw#2Ath8oZ-JX-Ut9H+f(V zHRke_I$lsP?eI9N^2+mQN5@Uv(1{Im$ji#+*RfI`Qk{|BNr%n#LQ8Va`1&YQ>N&PW zd7TY0&0G={78}EGgzAANJaXwyWz1dTtE5CD$>{4LiZU;sYD{`s1-l(cllji+US3_d zi$AkDv=|)dE>9J)nb1KWLle>Uv|G=2UMKh+rwQ9BKtC1kRFTe9zDvwf+h|f0@q-Az ze|+ZNowH{~noeLHb2RniaIBRY*IBi+nG>pYC)`d45q6uWBu+ZA!R&2!MuzXn8wx)^ z&vV+Jp6;|$_ZD)9{<~uOwI)kTXYq?_5=;%QN1WBKn4g*0U9`Mdgn`?bc1y?%x7p|h zIDHsmc(8i+)ba1@eHA9OKj4S;JNiT{m1Uj^udSz+Kk*!Pcb@n~ccsiM)*e$J+*(;! zo5{Yh;%aW?bRkE(D;g&_>?mMP09E%>i~9#pY~K$*NH-lXt{)wSL8dHubx@W-CDj!sb4kweSo z=o7S~%Se_r{)(t`+8w*hQagsTO?PhFkRzF`Vs|8hDUb}n&<)kl&RX zzCw0>N>VdnHUzT)RhY68ON*^DaTd_er!DN^pc1$?8XK_?J%M8$T-bliFJkUBjGppY zYQ|?`AXZ^I9GKO8eL9`zn(O$FJkFqe9J-CekkmSo34iw2x z?WaDntyWcr1EipydGZ1Eo9Fg7%pnYnIaohbR;}Vdmx*Y5c0j?X?ZUc&)zV<2?=~{- z0Bsr6v1{fQS$itkT%$T&>aW;}(id}gSJ#Z4JMs{b zQp^Hb_Z4!n3->ct9!&?JKhKz|HoJG#l8=IFZ2G(6^cyMrpYA1+~M0Pw)H<0S@sg9WgvTp7RR?&A+#4)sDXBZj{5iG z+9022$&~|V-;-o`Gk9yK%SgVF{G=m3J3jAzykjs@_j6}F4X5)r&h95je$ik-sXf%4 zhuy4~vQXve`~pu_6$$=+X4#5QbXr2Sb&r`wvXvxLULN#Me@y1V$V{PEMxJnLKAp87B^vLtY2)KF+p@j_ak(oG z!k2opL<${{i@G^Exj`dVC$L`-y^p#QdviXO}+RMmRX&R^x zSc(1K?@dyrS)+IQL6lO+S<-~$gGu}#Cm|0SYGKi0i;7+eO$D~r%=^PRT}OV=`F*%V z^IoG}?RZE=AE*jHk6YXtKMpq)>`vQg3L@A(3GZjUwD9<8^tFKElUo@2u5AXHWc~Ji z$aY_`;393~i}ilkF6u1&g+vGpQcw%JR$j}RWabb|c<&hc$5h`UxA-Tfq1zJtHbsU6 zvxT~+0dj;g89!V-W-^ebj-ONM9+t2rJ=Kk&nE7_?)Kp`-X0<_sgQ`4>(ILt;vUNJs zsg757jq8_lEnX>{=x$w_sd~77s+`Ag81;6Xg#!8diw;J%`IMQGfA|-j16)y_UuC$# zDVW@6h^gDfR+d*1=^F!2@p7(&>SC9LwW=7~dr~gqTPvDwp5IV6%R^2xLlB&OCCh2k 
zRS>p%uXF81*uFbCPBIUlbz0ofu*^TDz*oL#Io5@h-!yn1pHPfy77vYGamQvf-#Hx< zDAby{)wjBYPVCu=@SN%-;a{vH3@3D%$&c!$H6mbU#NPhU)r$e}X2zXtLCLwhWv9s}s>{16rlhdB zK0g=NN5q}%&NjyPUMdL03x#9ZaK@YDx1_`MWtFpKs5?;^LzZHRBTiNq0@S3w#+}GW zjClqGWG*Y7@ppw)Wu3vtn~E3sK^#tCGvjgBW&_z4BJ*f$ZsF)HEoUV0)$d59Ka@PS zY*0&jlBI&p%8bcv7Izg*E9QL5_7L&;Je|(SLt~K5uB#^PQUNatR7lx_#%3fOx2e@) zt#FSEmPwzrYr2pVk)n4r3Fj?p-(6D68yV+ahCaZ_Vo_*#A`bcux2ksKAXm3-Htm z_OWduOU%pn@u~+Xj?hT)m&DB>4NUd^b8n5HV-x{WDN3%v9CF%8McDqrS1fTSeV1R* zSWKuPnz`ImXS7DguTT{@oxEJ?#8pgawfSch`+`}($E`i1*#gW~ld$0Mh{Soe_U$S{5NKv5X%^kN@<-><3 zYYhaBTt0L7`F(Pp5lOfK_M%p-uU5$Z>Y`%YTMwsWud+*%M4vct|7^C;dp>vPv>i3c zn4s6Z4C=>0vuJa-;g$zKTfSDSNE|k1(ia($@cv0z+ShnGuH{%5Z8k!}GgKx|7=ESH!fN z+KYbM})F zz8V5Y4BMqNzHtm7>pqh3)D!#h)IHfYd)Nj~_b0@xrXwj#Iil~ zp+;qO^YdPYXB{ml!{ZrM{^%qB@V_$u@LqPehNGUEN+sZFhlpqriwAmh3L2nt9OT%f zr&0SH+Y$#G0K@*D8&2!~muMZdd4NdLL8thqq4NzvI|zW;pRmJ2wnUa-yEC2txY0kh zrT1^gr$aWVH6aPFsVigw8ap8px?tRcTW?PLhxeG8g|q|J12l?42Z%*)fsc=7IT$3W zQ!b-Ls_%sELLuZs0H);v+!z&s-Qo!p`GJZ&C^dqCSPggapSNmv zKciNe*MgwL!!&+zX&OR(-R?Vtn2GTCMR%(<;}>0!_CIe0uB$A z8UwR#@*a7b_9{?|MghHT|L6OIu`p-}v;xHW-QZ8qlC&wP6uv18lhS7^hfBV{nPudcqkzH9Q> zBV97x<1_v&U2fP_I$k>VC5r>Sgh>^4OtzJHvV-6%d$-Gx*Q?V~N-P71VDc0T5?2F` z4}UE_gRBcWR9q93+B1!tc&g$#a9aH*R2rt)X({7a7gL?)y9}(t?$e~7amL2Ol_%2s zM%o7b#c6Ic|7!zbocebQv^)NZ#;?QZkpEb zvUW&>E}qWTICOnO5nbrifUr3bXoGx&hHPKBH1pQHmiY@)H%WG@mt#EED4?>XBCi`DkpOZuxb`^^Cu)Xn#yMuREcbr?^N|@?9_rvVm z>uC4~>$E7<%lpArw$sdmggTWgn?hl|C5ffYn+5Wg_zJ+8%<%Uj^~|RC;y7r?kNY8( zQyeGaLR4ac*LjUcD=E5fvN86g(3P?&7y8yjP5bRU+h#_tmP@=L-91#1AKTaY4%Eu+ zB?>Nj&{k2XQvK46Nd!R-VAF+y3CZ*us=p(GdJrcT-+d*nbB5a$@}{$5+&;cnJ{vE`IMdFpr%= z?^d8^Gir1{v=TQOvg^8?4kAww(y9TM#zRI{f|+tMVR5X!aqMbonXm{)Q^d*q+ToWi z=$~mtZoyWpm8b{iXjXVvfM+f5#igGj=Nv4a9_eD>Ew$r5A?5$rP=agij~o&g7ny}M%#h1{g?|T)~^EaoT`#Mm%>kFR-#U~ z2;o<;6FIgvf?c|)RTWFEE)#;ZC)JF2BnwEBzupg*^PgQ$DqWm48>&Cs=;j33<$rU- z0QPCV)+w!)Jm?!h3cf?y>sswvzUOq&{DOd=+m3zbG4t%v*%yJ*Fv-L_@Ejp^gH%1s zwOJL*AfG++*8QZC>vIDEnHo^HmWF#@L1=;t5bX@C1qaPEwx_ 
z8qAHn0^l-A2V!W^+7_75T0sjq@;=GC%cM~n{#Li5d&cPL5fSOUIGFym-R*2Kik~d5 zUW9P$?cKJT_B_s9*D~IvW;T2=?^V@#mEO4)M#J`HInP?(JEm*DSMTa(y|MVOCR z)?J8G!yDbW`yh!FV-D&zx5mVX06#Cuah@(i)%WSz^1N>N7@O(m3)*GY%5UXc2JI6b z^ohHcP-SJ_Dx5j9k`|j`5<>Uw$;@U9p}@!5p+ER3=GySn?$NInL(VZnqm*rhB96-% zm%74?$^yz|yt z{iaeClb|hR%qBD+*Pp@%NW5rDG?MaW&AqJ)GdQN@B;%>^~=IdUMBci zTIW&Z+#&QqAP`pdmZEhDA?K_J)LLMVDq(|U^en}AFLa+&Pf&jYs@8C@ZQT`Mi`Fmpx>RG7+S+-CeS9#x`!-mQ-fa^T&Ezw6=4pHNuO$sU20=5R z(0Cakk*r+GN*xg7N}GT27a1dF9clt}rj+bS8$)g-m>qnrW&86ERe73nAk+wXo9qpG z?B$}jNq`-9738m~rME#udxC!0{x^>FML7&s{$9 z1i&gjH9$_eg-%FP> z3%J5{pWo>S5$XK@2VkMBkU=aaB-c2;bEX>1If6wasBvP)&190RX!Ts^eTC%@n9dyJ zDV5hWDLk^K_xB&Kfu+sSJ-$R@@07zYx@{7K_EKc)DNcUtpLbMO<0rB}YEG3T!KxxE zOvM4}Gf44Sag)pcvkH^{)BBCAY9<2(8g}NGjCIOt!^4BN51kL-OCuI&UP-%rb4Y&r1Pw9d3`i<`ww4YvIL|Zr8d9H ziBp{Jna&7olj$68=xX6_JR4qIL3e0P+Yc9xw1*yttGB*g#SQs7Ma>LS>Q!D zlMy=n{!ce0sz}4@Q0*V(Y0&q*XWiki=73rL7B^Nn-=Keoq$H3hkn`Q>41c24TawaL zV;QRO%rMzgw>v)RUe3XE%1rplgZ^aWqE1MSwWDEyrZh%3TG!iab@QegJCN%Bi;?`t z|E9nH<&1zeCUld1>-G!t*tKNheAX44@P}UWG9ltzxJ2(gs?69c-e;@dk4lR%%DJAV zAh(dpW)!xG3ZW^J?824v+O+ELFAfRr6e!Dej?j;(kDl{P@mn~GIo0TQj~T6ZtX#qf z6anoRCeOyRh3GW0(HIS{jXU7kg*goA`36og@Jz7bGt9}sr0Cr`nov!bm&+k6Ze`fo zFIy83$g-PPBnf(Zy;OaS)C=tHXwdaY-R)qy>=qVbp(A^4&0 zd69U&3zfw7hypTH6=hOZ^O7Jn@>9Uxn47oBZv=YcC)pG*_)=677+cWHLqp^swHT@* z_fucYA)lC(+Me2i2T=qq30Y6$Wb2^flUMYgCTPoY%a^QTWD9J)eZSUb<#bv>KGQlB z8~QnY&Ei9*-`=R`Ih7z$FyA6tfgio@A8fgzqMSrA=v5XIs}`}f%Mx23x~a6`@lO4o zrw-h#WLV!)0{7_Z;Lc$#jw|~9&FUuD{1_*%5{K(PN{S-*>g%M9d6WK<5seVWy_jR84hY7pU3Kt|S&ohj=(7S}R&x1Z1a=)U#&^^n- zKYL4Rm%BHmEY#wECgkbpXtcx%abFv)h>b1mj?5Wq<11G4Fk45tRztz6c5=a((}Nmn z7M@)(;;VKQ;@J^Cy_w4gA*cFIF_X2|9u~cH7-EQ4a@dX82~~S^bBpIx%ID(!8XYSq zV6u*le;nF$7IdsUWwqgAM)2nI-I#S4pRHJUZ~PGc#kBwEuqO zgq*;$YcVN00mhjp}dL&-HP*QmxG*vE$*3=_!G<+X6R(LGBaq4y$)Rmxsa*sKOX@jvILf(_mniM1t8%qoJD#pdl^R~ z>+i!Mw16?>I6&tc!Scy;a{{@y4z4JO{p1Os)-GR}nxF8W4oU3c17AL67ri@yBpC$i;5I_{D-uEGU4}N@ zw}27+^Q{3wY{B53ZH{fyD9p4gsGNST3~Xhg88-zN3K5mJ!$_weE`({x9Ov2 
zWt~au3Od>&&dJ%6UOeK?H^-Vsj!FuWT^MrBv&%Ql=zTRJ7uPQJb@&JGU6rXXIhtN2 z2}N^{HddY-8#l|i1go?!Rui|+M=5JwF24KdO|p%HX86iISCx7};{+#2iQKE|>)9H% zIqEs4mUrAcwVg@;;IHPQ6TU<_F`xRfg=Dfb{VH>=U#()XI=h-Ul7?b?{X&icQV@eDM-CyQv+&Zzkr8XqeK(RhB zfV-(}Ug(^PF)im|pl{~VIi)KYWH>o?m6}=&n<7XFRRd<1Gm4)uI}!P+GHM%hE9H-L zEV^osIzDf+_I2$vt+3)xq`tc3Y1ZnF9Zix2Abvbxp@6x<}C z=jqzfma9H-{M)wkpAX`f27BOnQ@(Eyc9MY)3{wo+Z(kY~u-L8(n_c)^rHtyZ@5~5& zk#*;aq$TTD5K9I>{2fVx*WqDhr32XrU3g)4z15)U zk-)|GxFhgKwB|#&IcGez9(UlPiTg_DwwG80G!({Zqc9yfbaFkc+8a$)rzqt(E@aKc z^^GRT?w4MLDz2~oqO%1O3SF0k>x&v`twXW-E_*W1dJKNRU0+r>Hc19~3*vUBp#?U! z`Q}I=ntG$w0S|zPKH?y|Cjm6kD@AJpC-%ToLB8g|J1{DnM!>Pk*qb?23k51`N)c?n z&Kz1olsZnmjvliMu^;1pH<=ct`4#Q%Z`1>K3oSaa<&fjAqq`CHl2kr~WG~o&%^+rQ zMR(oyl0ZD}j-!n}kXX5Oj%H_p90BMjW&2yGm>^9oT0 z3nOu|hS1C8h1TQaSZ2Rg1vILZ1r#q4Iqb}t&c^Z%49ZGH-iW}Z@MI;pUjSy1^KLTH%Te>FB((i@w7ZUni-lp45JHb23UyK_%Q%? zcyc%^vd zs#vPVy#}gjCv4yLWy)%x6e%WkNk0%IdvV+ z*whhu!8)mCeOdRx$EnM?wN3kIW@LRha;X$Kn*;jSl>Flcc0WhWmsfZe_RrVXgZ=|x z<_W-5Bu?UY#wmix0o?Clg&tICnfL1}(xv4Etl|^P)_GP5+~2^}6Y2ldpX(EItWz)2 z7WW)U>_YQaOB1IL+-NL>RSXu{Kv+RLZXgm(?S9c2*2vlY9NrC)vrBroXBcP*O0dg8 z!ORL7oXrDDl^yM%@7VyNBuvrA$23&r@;yF@wvTaqyRR4>H2e)C5l>^V$#P^8fZI$x zDVu7!G?3b}g5c%3CKP(Vn2^nn>wS8Cd7Et~te10Y{06bNyP5B8Hnx}c^^r?~P(;#2 zhYLRz1l`1#iv((dToAX&sf84szI0r#>!?f6YGxuMJGS^`;E&JYh}_((ik{*9WzWBf zYR<)PQ%y)7<@2G4A{q{(dJIYylE*#}$4tAiFUGxX8B?41u>R@hQq#EJyJsq~R=Q*% z0#pNevl9Kq!NKFxcdeaj4X{e#K(2qkd|F5&NLk|J->pO?GgO3 z%V=7uPGKFl=n=n$f;cFCJru(gqMe!QNxs$Z!AW6|9U%)(8NUhQ9cL_{H%jU7itbHp zElmzckCOZOGw^sJ0YApuS#2}PL5`mo=IA`h#o#i<#M<+&GOz`imvXpA^+G#6v5bAp zR7bo^lVFFL#*7GkG>EP?uN-wCJM1QnKZj1BDw!MZitEIZx^CALyNPdVR}(#N`hxj0 z8h5c~1ZNdmB-{H><8~auN&a5wWG1##5$N8}CrmUcNf|a0-tDhM#50`i^A)C)bwy=Wfz9n+4<939_dMD1SQ&%g}vGSwBN}-pRkHwfIe-{&)2j z5x|sb5Z)k{>tM4mo>m>pFEPM^Y8yT2V3`|a?KIO z%7ql%cP@+V0b7|l05GFvXS=mls!e0*+5G3I_Vj77>D|OXDlOzvu+J zp!-w+{ol&2WrDvov1F~UR}6iHWfF59q&DtW?rXdHIFsi(j+#k zK4oayh+}hsLyH|#Ti!Dl+arjEAV`6eQhR#Z=W4IvgDPM->HFd*piUx@G9>|*N&mw!f;j^Sic0C0N@_2oA#Tg$B>AWv`QAHBtgQ!YGMWX 
zVVnSxytP^BOEkWIHyQKgY-nkwR*P`N>xjdLdAW{$jy8NZ(2k~y-F z=NzAi^npFQp@Ln0By?ofE>LK%fSK?$?97`7>GRr+IbBBmwmLyO!zxaGvQMOUJVO*} zSr>s$>8*HU(TpD6tXAdlEm{1KL(1izT3PriLL%SXej_W|_3RYO`6&1|ZhD@%m~V=5 zs4a&r<`Wk`dZZ6H_=m^KRYw0*PR!;mbKV7-A{fUiY90p8H8mdYEw3z;y=;^a6(*lv zcFw@%d%L^mFS@?`5wkp_`wkTs`^HZ}h=HmO9$_&BPpB4ET zYo#T7=g=ia@k;O$-KJ$v6C&SwbNp;gHkLOM7*^7q)S7@WqnRm(t2XKP4R_FznWfNl``sM-c*&8{B4@!(YbR`#0b%FDMrGIBy&vJ{P>KG z>vhjYkEXo+YHK8x8f4dH_zi#Xs8&e001`XwKv`w4ImNXT*hMi);pud{*yoZ?tXDmc z(lNOatE0n!c)Xdiy~+Vlv%`p+1rGaGF_SK;bqOJ0t&^zIL%-gPzR@J#?$KBCqNr(n zxVZ{ZQ1)Ye67%HiPrb~UAq^E*r<|vG8Eu_jS~~c7yGDt<%eCU5VPNAtEz*BZB)r-ognGLA69{db$)hXkST=*JUCMQ2nD z3A$@gmMK@p{c79r7LF;b`|3PILZW=%r~&zUz+uwP@L|Vd=Ec@nX1`ui%VkUj5!rWpBP!-w*1hfZeRJ?GJ)?EgoE{|`1&e|H&$GUI^}BS<(onoO)B;?cueYodROfg&>kI*G9-yL1v_PGi>JC> z4zoSslS-fCrbC;m4P}09XuWRVNfoL`Xlq@o(=_>bsV9r%Wkhq+p`w4x*<-v&cHcyP zCtpu`^E#PT9aw!Gv$(Iy(4ePum2iMRmshv^Ir(m{Hr{6OD}}(6aLdpglOTyGTNu(< zoX!3%fUpFzI)AN2?~hsm6%;}?+P~-upCYepEG;NAPK%%qk)O*3$VWSUn0|co!rn~* z?%mYF$NeA)CD7KIt;_ME;1;^^Qb~ zA9n6J1DiLK&5bvN;dbl#^)t-v*SQ5|QYK_Pi8#Zf(}gRLM0 zZCK_#D0SJxCiMOb@0vLSseDkRQg9=O_Nc12vD`@@rlyJm&owgj3n>=c5o2WVDqCw*%GRqV;Enw-5bpB6T0Kt#c88DM z!+eKO#b7kFUH#Z@5OS`d8;8vOm*}ma&h>Bhdwc=21Pj1|f>d$Df#y>)dR^{Iin7cM zlj?*DRQ>I~ZC}W+SvbENrXMmWqMb+-5NbG7i3)O0)Y3C^|J{E>%w>Hw!Vk;QB#VDBV?sBHrwF`V(Apa@M$a)tPig z>zWz0fMC!o`BcfE!Hs_I!Rz5xfiFM5X?zFz*C?iFhtm4r&ycAP%0Eoa{r+5SfB*YU z^q_$(A$sJdP}wk-q?ouwNNW&3rcInh_W*1_=l0LTtV(b<>qlL8im!j71G5Sbc5oYe z0q0m*hIu+72A{@1ZDN?{%*1P;QZK+FJfD}9>Z;S=lHEUv(^_Ir#fjUCqci)*VTVDr zkJAK-o$9-^w`bRY!FNT0XSJ?O@8`-3$GMRM3&iBOPc&699|Etc8KCM+!sZJ{hqZfB zUa8zE4WbWSfpR~ANZnn7i_V#3bOh%ZI~eFpSr~W3UBYddb4#P!4(-Gg$;&voHYH!` z8W*i&D3Y}{(@v;LpRP6xA2vmAzD|2NOG=h>C>X(k84{b@c?qLtgPC)lgWZ2ePo!Nr zmon~W^XxYE9H9uqKD3*oxtSOQSx&ctnb0p`VqvypL1~(lbD`n z1Udl8Of$}N*yNqRM)e;Y)K9pUZFu4`3k<}$5q=RHbn%(Xy00C4!x@$nY!_MBKa@YT zMazEETx`X}R#!Mqa`1alZb^JgzZ0$bYB`5l_P_xhpXe|WRB(~3Gq`K83kz6xQZUOk zx44>@R*~wtG1W8$KW|vgAPkn5QGz0}4z!pI@Mr+}>Sbi=A+pBKU4HM!X*&S{&p?*1 
z`TUr-1>DzzCIJ?74~WD6Oy>MQ`M;mtxHpUx*{MdC2jhIU7?Xyy7H_=<58HV?7+7fW zQ-zpsyet`2QuOr=qJsHnR2150JF7+-*&vjH+Hnc^!vo;kh0K+L>|#TN+TB8Z-^wwz z`F?WlrF-T}EuV$gd4v)e@9SmgQ5Ws93hC@;?49oX6bh(F({L z$RgK0JE~H*QYmxhV))L3=3Pmka8`HVjVFY*QPQ9Pk$s|~%FcwmoIOt0&=RufDY%-i zF}xVvzj`+O;6(U_;6#|U^h8QiC*jFslAd;i+eA--9PNHYhw*bikYl|k_>F2u(9HqSI#rQ<3_DY9< zvJT1Qs>bwMl+2=)NK4j59`G1Yj&AtgatcS=2fPL=;57u(u}I)FlwiZ@n4xE66ulZa z5xm{+YkQ(l^e*fmNzoNa9 z?6<|ksjcbF`7{ZNa=M0v>Nih)0d+V4SZoS9qTb)hFgjqseLC`po!+555tcrq(5B>z zQrX+dd3^ialn6q;znCEJ01TxH%9`PP3@*@KuJNR>i`=HjLQ($}t0|_W51|`o450&6 zZ#2mTStLBS+NU{>c9-mtVQ-g4#iLUnHt#8jb{bB;OVNulRMi~S9wTH^PGrez)#U5s z;~sq!G==Y3*m+kVRMqRDwk#CB7bz=5#$<>mP+i8~z=NTz-3Vn{&nBCLYH^@FmA5C% zK$xHj&wlv13MzOic@AO|oVA#(%Kpi4oc%8i~qc9R3YbG5$)?4Wq*xX5_t4xnPb&Hjh1ubr znzL{En5kygU>(2rYIN69BI5j~sG>>1%qn~X<0JvfOEqj%6qtTT{CKp^nB17*v$=Dq z{c3mnNtLyB7rBm^6a0I=PZBWvdfA2v(hI)+0*I>OWz;z%J8iT?S~r2_W0_M&AwvMl5R;-k8Rbi%;e*|9?dB*+Qr5D!U)aGpD?93Tinqx z$K>NwPofuqF}(acRdt7FUQJNSmlR8K{Ms9lTj$3MvtC$Jd8)FVPtMqMs&+=K-^)-I?v>_7C7n*yh zfC5*>2`ygg&C-yK8^KK@Wzc`GIWy1Czq6uvzz!m8Y=8$wI`>&b??LNxLDWuJ#N>~+)(6+Fh26jaMo$J%3#{?}hz&YVp zFw-c;UcXSlpNIg$+Xo!SsO*6JB$&qF;{%%EY(O(y5W-M~3xI0I-?vov|Nf2=1+Vl! 
zqHu-FjF=2qYx*v1FQ*z`Kguy_yXS?l9ZS+lqjg=2BE2wm2)Z|0tT0CX=?H_I8g?Q6 zZy_xI26gy%NW`DEIZ*BDJ)s=^XL|E3OA@@W^CLG!bbf5*4QiB{Huy@6 zww`^uEVf@imPe3>>n-K09_+Y<``sf7jsooMg@SupzZ%AJYQM))>3DcOT{ImNN)y_> zXfhZwPnnkT$7JMSSdubAM7oGp0 z_+<`xYmL7y;L4NzQ{29Hwjyx=%?eNw+6)5Ogc9gQ$Gr4YrEVo=$S*G-1eqC`43g8m zg=FDAnG?^SE@z+>@T1R>`L+a{w$c~fMWo6U6`AvJ7L3W*%kbwQlU}6!zjFHjBi}L4 zvmXGH^i*;fY_5f!&RM)Jx|kw_tZgLRDg54_a-Uz)q#%q7CF>ocHe!5o7@N%C!<8a#^4Qhua;d7m`(3VBeU1MK_yFt z`vd|&122v~q`j>C4HHJ1sy#QNaWY_`C1bm%!q!PAO=p>|JuyDkRDBV~YtJh~2wF$6 zKlbz&`_}(@bFJ#$9OlHqW~Rwwtz{>gA|`hpd_{;*j>fx?yxef1{`*RMif5v)mBEOo zLqb!fnE`f9yt~}Yysx85TFaGP#hrSQgj?S1SvT|{VyDF$@$$Gq-#dpN~4L7 z=EWnaFf#rIIZw`{FC*N_xY{#}L@9Ur+^`q3rPjjQbpJO`qIRqEOj&PQWnrI$T8QxpI6{`ETbQI5j z^yszjTO`NKK79dwCkv81_HoFd;OTKr{OE9vOQhrdTiJgLWBR1lQoLbEJ2An~DI~_x z0ZOw@@PvyI%KYoGVpuYKNqt<>RJ;0(c17g$WB&nZ@$?IlMPIMI9ex(slq^Q%QaE3b zuB~zWxgYy1DU5<-qglq?t?YlY0{A#uOKDZ5-@2XG6RnM<3WU`>OZo0Zgg=tI^6C^b z{%i#+R^I;EKx39hZ)4d`+@^Y$fTd<&`D$B==9Q4m4~^qPl5h?>T^}Rgm)9C29YTDeDMdJ z1w~7T?{=T<6YUeZOyYPXbom*7(vd{fPVMoLFAj%S!c90aS)+4|GvpGCy`4+ih(o?p zj!Av9tIdg5G!`KjHmGV1&kRR~nEQoxb*Z^D#lkGTqmn?E1O1T`WB`%%1I3|5Y2$QN z))c4c5i`-4$1jjPAHO7CTV~1dBksyjRryTccN`4Udb$%)671)N=QnV;escSynfD_jbPRi&%a*G6=Su3^ zEv#7AQeKrBR{-LS?<0F?ut&vnWo$bBV;2vfvi?031^$Lg8oDKM20V%VY>;KhdG5^KCzh}jQi=z6@ znYeWEg1hGVNll}esO4kFZZh5A8SfwVztnXAMsmqQ?fU3YFbSVA-4|R+&c?|1Jg`dD z^z5ASa=)0>dz^~Dxsq=`!5E$R#l%|-i6}a{Go1iiT82?DF^}_cggl+!iW6<4C#14B zlKkb#TYkQGA)DI}KzBEopv(kcTi5}xVChfLj3;ONKp1jiRP?u|g{?C)SMRPMP{wc$ zrv__4Hg~!HID#5TOlF+zMv@h!7-Cq-RP@d^a7%xSY$UdhGrE@0MOh(5)d(-wT{*p? 
zUL|zVHrnQ+%>Y`QXHfe}z&0;M@jND=jk4NCac$_3eO~gWS!72rkk=vn6xXe8pi^Yh zbc3FbJ>}r@aSHn}bHJ-qy}Y8TGR89KVD#!aZ-JjLa&lNDw3+rLfO5EhXTn)|xk&th% zsqy3$&Us2Inse~&kM8XTejbMV8mnLaTUPl-$L%42Nv1$fA~fh9Hzc|Af;Ff(@~%#A zfmPLm^2COc?oV>od>>mkBX570;g3w)_rRZ*8nvtRb57UPVT>EG|MLeEU8j>?Eu$($ zuWqaOT6>^bPH{=`1V&fwJ?XN{i%Fmx$-*X^Z#9OFcyWFFV@E3C&Q z<;&XeLDO+w^XebeN;0i&S;W?v!}zTc+ku)yp1rulob${(_d$H~*B1AbRzFQHZ;o-g>nX0VDnd=OLNn33WUl}7knm0YFD)(4yu{RW;W7Z@^hGXe9SxKN zmj5IPe%yZaR41`Kfiz>#ml?_T__as(kDL`Dv53W7?&kRkj0WY9Sehtjdg<*JG4+N; z{OmhGxDfDX^$HW<^b?&x)>T9FyDl<@tUyCB1F55=a1`IC4>mmJFKhNaQ`4AoXAeam zbQd^jriqD!ACgfvtmnEpasS=DzP!oOLthV)jP9Ae3c9q14K(%j!b4sZ8ARpF=bp0@ zyY#M7Z3TG1^{7|=W@J2N?R!OJlshrK(_Ma=!trj@>|o5M7XK@MVUgz30nz)P^Xe?I zlAB1X)mP=fk+^jy&a~V|F4qQ|!);k;P)GdF|_`@T4CU;DohPV;Qw)*Z= zP=L=9UkzVxWfuAC#D zI2HyBts5Wm$mnAM7PdN@xcBUwn=&paH)5}kBo zcBB|`YP2ixAmq%h0jOB&LQ*O=!p`q7M7Mt;bG#w+z4fcezws+53<>!$_&@I_+}E7^ z`rwBMom28*#oP3BjH7?n1mpCSJU?b0r*B4pt`kL|-FkU(;X!Wm!1}NWJ|is#)^!Urebd0rmm7Jyo{=mDgky zn7RK;r|o4Z*jF5yL$Ynq57&7>PYDW>dlMq26Ek((CBJn5-3a^gBW*o*t_b8A@BcAU z7H-Ee6*G_HflYoyu!3Bg^vo|NJptRQoEL{SF+cI+1;M+wK^Y53Ig&KxRLkDK? z89$s0|ikTqdK?D;p}K>p=;!q^5X$E)sESE9{wuD!FUj${TOZY8;>`+3)i z$<%@YauZGA{&+C`2<#Y)Y-I(C-@&wqfgVJ5_E4BXVWBLH77TZkt6yQ0qBW!m?Y8no zZ3pHbk!v&&{6du2Fjb!fC1{rS_*Rwr6kSbyD~p!dOM?Wr#T#K8w)+`{1D)bsE~91%Vs zH=+852st>mz#Ez9OQgCRi}X*28NbH3x*or06?VDw$%V!%(cZHx>nGu1V`LK?NFN+V z{)~47!YG8^J>)-tAwR%RVQVEKw*fi)7t_i*oc0uJi>Y?p)H%8ue!zYMSI~WbYO;6- zo(wWFN_Sg|HI$Ou2e;_#LSXLOka1w{&;Mfj=j4|P1Vw!ypZ3q`-y*&V+fX|T5RE&( z0lWI0X`$_bNhG-q3rq@{4rhRO1$6Fb|K(g3czpV+9@{v}67Q<28NQN$@bL*~P{FZ}>d$M; zH*cv|ACFf71S)cFl^r0_MplBZlLI&^5KuGp!ZQK|JV8pN5J{2g+u%2(?Zh$mf>B(c z?x7GSo&}7L`2=j|l=~QsvmH1N;DH{hY(%b~U%*i%K{6sVZC)O;y&*;04+i9O&97~` z<}jMr3K+hfX$8R2l{hni4xIid7(*#)=3r7j8KY@IbQ_TPY~;8UEg;%F(lTrgythAJ z2?wDL#rbov-PM)o=P){YN?QGD1)?S7lXc;VGNwIA2|D}3G?w3Er}@7vx)$lGxV$}O z(Eo89ecX}LW#s2$-i)QZ_yOhWq-ddsZ=cmXdv*g7XbkSek+jxRTQSBsoC!el$Jc}c z>YFd9zEAMKJ9EAuj=_Nn*U@2JK>y>uGQj@u389`^6L589zpr|~pBfmFQ1HbI+^Rx? 
z_-C+(@x-m3THY@o*L|F@FdKD ziC4MC;DAJ;boNsLEnrv-$vFFBCsK;xrwJf%Ob;zM#Ogpzx?m&TJ9KXO^Nfjrfbg3f~Ka?(Kjt<#( z7fHE@wD)VI+lLd?B!Qen4IZ(-xA*nMQK zh+$yuvLjFo&qBF}jROY+uP4vIwXBpyy+` zX5j}Jm$Xv7p7S^rl}kLTH1)QY_I}b3z|@q4D4*PtnUGmW(@q^`Xfq*y3W7Vm8I5(6 z*u(UebymEoq2bnX`37S%IwUyvLA{NV*Uf<`VJSGH4)oqCf?c`i}ejZ>ZoXvN?}->o-rO4z_a( zV;J)f&W6cJFHil_?up)v9;vfE>GGPTFYC3|5f2&eJK)%TYxEZkUYadcS_w{?R0Ju! z#S_QR3_M8*`#gAXW~y0qZV($xPf;=^4zcQAN|+4vKb{EN+uFHM`v) z$n!ooMc@X@TL-ZPsCyQdEf~Ffl?^9EY40#EVVmc`44J=`M~E@Zp;?2q#hon5sBcBn z@3<$d<}iuRW2hocfD2Y9wHpf5QVN!_`j{NtcpPNa56y;K1~W3VvVw`uC~&SHRs2Gp z%zezMbxZ%9pm|`aG=I|Gkr>xu0*vI$Z{ZNvWAC%?)xk$du@yb>vb1L!x2uPECMi*7 z1!zdz^w6yC;c{!yCB^hMvsh&!EE?+g2!du?+Yc6HRG78k!i!qLL( z@sP>zn2wMIT=;ISz1qn9vo~F;>hc^j7N@&;@fsmgH-pqpk0(nbc{eW9#&$#ftMA_G zhxqn=RKYY3N!`Fk2)yrHLGKF#-hs-?Q8(8`*>1lA{b>M7*>;T1EP3pbJdII@mG(Aj($U`M5> zEG34dQW_@)khK6G5Z~)3dVYxCB{xa-PO6A zTYTvXAXK70!U-Zf;dLu@QMALwCj2SGE(p2K zLK%2MxF94MxD`JMaWpe3tN_79*`JBRG}}q`^?k04$jgvESKF2r&7yGM^pR^-set~y zI>Yev9npeU9}g7~uBKT(Th~?bwNn^J7t7IFA)6b3(d1a;IEr&{-j0PWEr0-)@QSbs z69B9>6)<&5VIZ$=6Za1m$!|5Fan$X9$^rfF{uQ6Y|HLrtq;_3Fkh!rY;HR+50nGmt zF#pJ13v5pSa?&>#`~+@2RKN>9p|&&Yr=S8Ig(;G_L%&C>+}*K$iSDleM0R!^Ca(n} z^17!MBKAZ`L*1vFKv6>B^vTF#y2Qc_{RgI73C@#w=xLPy{H8+A`P35b-x#FfWr`X@ z9Szhqj(dZ^$D+b#8VcTU^A#Yk@e0UmXc9QD(fct}n{8=Pa^YG<*m=xE-4y;C$ZC|! 
z(u4r(3W1!v9W(b;bH(C5`G6LVb^Q#eo&j(^B4$pv*)$)uFpOfT80qY6vC~C(DXl98 zq`1*!C&;UvtS+i|=dQNjinpT%`b zw?7&E5XB1rp46LER45@}pYtrIJh^2Dr@68!ofbD*pdwdo)g);eY4WaDX>Bv-o#%JR zDWLgl9Fq{*np(8V4B!5^5!-*-3v zFCZ9O@Bt*l7QPF}F@wcK{bd|@FSIt?<`U2Zb8Kw`1$3gTw5}}#JE#&k%EtiVUAM4r z{wcjHPI`U^9D&EMx7B{jKI_e9QJLvphEe6E(sz}+m6THG045LjP%2`K9O0EPLEOxB zDb?y5#%C5q)Eiz$bfN4|StE;ZONRZ(JqUqJQwH9jt?Q{o{))u8?$gnaMMIRHUkwv} z{($_v&2a`dh}^tM)(N1AzE*e%ypJ0{peXzvYA8~Cb_wk@wEMv5P%>hzm%^4dd z(>FY5o_@LJ*zoe=>i&Dm>OyOn&kR;ZGn9)QSIgO{q@Ol0ztf1}iqA1q=eCRZ;KJ|R zchhbEoyn7<*ppNNibd0RICs$)k5@(aTK&R7L}l}gnQ+Fl=!ltVn@J`eMC7Y#5I>>G zdXgHmn(VI;qRt@V9&uQUH(i*@WP&zCX!ByZk~7biEX|g75)@ks34yhf+YX5Lq@*l& zzT#5T0q2FMO&xFn?C}xWNoq{Cm#sJNbf1fhm0R5bU(b$Oe~hEc^nskB=S;L^=s3qhtbC$JUgHc&5~&$1nSqcS0LGMZJ4pST&nGfyqu*k($?R; z;kWmn4v*4593Bet|G?p4$w7$Gvw)U5PuH>==J3KdyhF4P?+1r z@tRuYLQyzDDf{A6FA>+lln?j;CE2rjZX+c=xlY)H)@5h}ICBW#B~e(G1ai&2R4h41 zjf@A6zc6)m682eYvTz9}w7Gq|)BU4k(fsFBe55)wGrA~C@XqHX?uvzz7W#VMkjgQ| zesIq|!0|BQ5B@jK&jvgky{e7f2iAyqV0g2S7Fy_E-|wdje7S0!E1R=ahj{TahXA2c zn#S_Nl+R8sgVhC;6AX}Bfd{$cSow*aFm?=ai4vQX3knZ?GUIuiqj_rMZ}HQ9Xv_$> zRI(_`f4&M4fO~QF3y2zZr@v;gL_6GnLVJ5>|F`fxqG=wORI%z!G)Ve2J9#^E^i>5M zIrW1_ru}$Gd*1sa3UyWMF`prN(X}N*t9ssB`v&)flAJ|7 zK_uMrdqT9>dpg_7 z_tWR%-m7%0TgQ{ca`+M-Er(xuxow!Hddd-b$Yj$u8G1HTh&|)6{fHCYuPF)6Xd4x* z>dXAl6(H)51fWzWQs{qUEQbDJcJFbd2g}oH3_X3@+U1c561z;Dax=5Kf-|q4av& zkg;zhB!A^FjWwEhJ6ZVS+2RgEwVn@oMl*Yjp=(L}K5iJ3?)5~;6YY{uBp(%)=v1CM z&w?IgT9%>wX5q+QtrP1?LX!Ya8Ni()p zGu6C$!Jj`^vN?WpsP;$qbiCWWLlyhcVk^sFDSXrR=+)0^EKh^~AmLvfs%HlE8YMIN zw+^!@Z<{)|QTKxA#41mG#e^z`-N1~}BtZYnvEAP*JX#sR0j)UnEO6re*Aa6g2tjIH zK8=TRz0WPRl+%@6>=)DB57T@=A8NzR8$8z6x-1qjK@BRP+A zu0W%t4EWT@cB}L9b0iA^@^S{L{W)H(YjLVq=34Wl< zlWkLoS_d{I?MVKmhYG%W&iEmIeF1s zv<;+Cd1X0$#R`k6*2+QeT^QK**@WJYQi~na*pb=J-B}J?`rH}ljvc;n5Liq zcHrn3_+>&5`YW8)0pFYf%jd$9yc|QV47uwIej$nw$he9u2=2*Q;uFsr)8lcSKdR!> z)R@of%$evMvUAtTJ9WPEwv@@4vH^>;`=b@E@0JTa6Mc2WTe`9P%k6!Y0y!*Z$@~2T zh;IVPaxt4@tX`GG<=jaLLpc+zuhm~Fnf&IKhL5SQAHeyxi)$Xyi}BG|Gc@Qisx&tx 
zjYwK%Jk4p_bbuNp3~zrwrh4N?X5Q!aKzFOzBYyX1XqN~DDSmgU2ByJLNN?GA@AP&d zYriS2R`d`3UrhXt2{OG%j&;D0dQ35=`rhb$@~JRby)>wQn&Y{*@m|{S%dK4eFD4`F z>68t7x9as#(0|9h;G5}c)Y3-jg;jly1s`}Fgqe1;Qa1T0#c3lmr>j}Q#G=~j74cNz zo~w5D@+`%6UiZfZD@pCrgnPmIo%v2rk12*a_f6kJR-f4Web=%Yv-CvxzPrtjzJl}w zpV6Uw4`1`gj-Ye)t#-!`R4}82@jxu|U=LC$m&?1CCVP=Z=~XW??K!*e zSaCmjbohml@3`Sx1TfOkcA$auKF~lqE+;=EEA0D&e3j9Q(xuv{GKC8_iu^r6fI$mE zG;iR)8_UwfyIAM|pzB&SOjnVr_V)Y^9M?--YINWz!`C zE}q%*1Pyb^2~md^xviCgdn1dxOJMoW6MD(pP~Ln)>+Cwf#DM$y3K!b}bhg&#Vj?jS z9|DzrSx|IXfzg^}FE(UqP}PX|=6gFJ4i;$TH9;y3feM+6I}no1!;z9DF^`pUuUQLl z2=Tkjdl#TdwgIxaWJ2v$G7m)n_XYt;`7vmsV*hZHAY0gSH!(9L+Bm)GsN#fR@t{B6 z|9Edv=$TH$BchQz?2uP?i(@XN_#DgNQrCdm2k2w8!xy1|A2Luowy*E)?8tPE0H^4?0Qw);#P&D>~!}s1udmK@u&q|TPB~eg;A$Ee=?g*-b;~e3N8MD5GQ^# z(amUe_O#yOx-xvbCN%7{YCoznIlkdJLzyf@6`asY7}Emt7dmBl=HpM%v(iV%qV;u*YUFy37?l&d zO3$<&AmH=hOX7fVpP+uljKO+2yaz9YNas zV%m;JE&;gAfe;t}i>X3qYCCP23SnsQ%h7San9}cTnE*S<#`vPFQMZ{)O-rY0*VTCl zUaa`ioo9LMx@2m^Iiv62;c`z&OyjPD)m)qQbhJBu@K(KDgP<&~7lXK9FNIg0YD1k% z0g+~G^0!V@I`N?O<}tPx&`$NrH+USM@VJbV^8$v zxxFtAe1y7LW>cCxd{p*{=rm~X=9)AkvowDCtG=X#r>6Dj%(R(lNOshC(rTV`_`F=Z ze1mWGkiEt7j@(RtQ;T9%@)3F*%!$vvq(|sYZDaqbsB>25zg{U|`)n$D=sL8e9d72e zu<1y(q1==$@1Qe`VgQ@#+w?2FtxB7fI$tpQV zKH-!@Uz+hn&5|M-JM-n{D`s{3U$m{xNAENV3rTrr_896trSo~NAcb0hB7{`nj#SN9 z7y--E>8?+fWEUy&yg@^Sg z8gwm7q?D9Zm6R0)4U{xZO1I*cL~4VERvC*?1ZMfIJR99CP%6MLp!mLgO84AK=0}LR zPtw`kJ2m>6SNQic3nv(-M31UPK6pHNt2nChAoR7NH#9#T4Qnm`!uxXVNdDlUQ`q^| zlm|8gTP49WEIf_AZ{iZrK^uE=LorJODX=y4uN?8- z2FpUy{!_a_5e34J->0jDs#ryHDIKzT>Mf;a)#opbY*wV6{KaHxgJ+~GwtMUQU>bF{ zMd5pqi+9U^G4%!;gGYbk@0ZbRc-f&~_NE{SOIzKSXKr}GZDmMLhr`}8VI|OCaLf_PQ*395tLR&j$k@-aa%Epc z`LhAtvhXNVPIz&>qM1)6l~8La$gb(c>*Ua!sQZfIzAxmnSK4K=@b*OQ)<{%0R zgThq{))%?%Gp0Ns(NK3FKi%m}zB_lO;IpCG-GDvwehc~iRrbWbfZ7B|q|;=ucGr5o zlu38G*9Y&?DAiVxOqW*KlamV#KDdFdsnJ1E|3uuX5^Txa6(Lt>pX->awb9>BA4F^6 zcP$)E{8KXQ37}4L`H6dk31@Qcpt*m;t<>}Oa$g@!z2$y(qxr|8V9(mszuOA8 zm*QG27pI~?BaUhJiQL$e(g3)T;L+zPp)5NeFTWK)BpVWb`#*99o&Qi3id~=9+ zzc^yjQL-r7E479#(tqp4}(} 
zzo0`ae6ieu@=s@Q?8l>UcH%?v1s9c=Nr`VllbVIQ=e0W)wKY%JOumCF>cXX<0(F|l z@1M%)4WFsh7sfcnqHMa{6#LIPh;bTN+}Yu#_G~&nyg~IQJwg7w0Z{3s=g6YqhH9<} zmarmIpxRs2<3^X$1PU?EccfOY9J{fP@`?o-Gg)M)4G~ERu2(y`B&wh~=c=uzu{%2; zjk%yw+blX@1mNMV4yzj2pOEEh|K71R3FHug(S_NMne@K~Jl;3Jay&)O9f!6`{ci7v zUjy)?VU1wO-zAb7{wcVbR@`yj6bAuSD`Ob2<*WU&4gj}i3%GmE$hi}WWLzU^qjSfd zUv++wS?q0t&aHrMY)O~D5aM>X+u;kmNLJd_PTO$hDxV~ji|g5_I$@RgAt(u}W)&#B zjI1s|E6Xv$O--@3bYn9VXnGe$$J z@*HM<1Cf0(ztQ}Jq1{&#F$070l?r7-g!@?GFtXM;-{N~)-nlR2^m{i>|JcoUDVi89 zL!I){-fb8}HEGHAVJ8w^I7Bc3$a*a+`YWZd3)SULA&Fa*c zeEHVJ23LeE;eErs_vStD9_7O|yztl1qh67cz6O-`*uu|4x1`U-e;TU(ZtFFm@PX*E z<^i%6L6D;9cjGv=IiCk}1$B~nH)UhbI9^qNjNArfw+fY`&m022+?Vdfd$gSC*pHnf1L8p9rNc?anbDY&@8IR zxv`*xOF%kiY)4UJ=P;40K0>@!mT|VTNU5?^+QFkJ!uV}g3+NKrrZaUoU2$%(GRH? z20P+)v4upMxQ9!$_LPfO6MhyyWwnL#dd9-U+$2MSv$?m6li)zc(TEzx5D?oLB^J;w z=b7`X>|0@c>o;I>dUNB;lc;QFjR=R{g zkUGLH>+Qs5CiZY%ICo^X+wiHBwv8X1&^jnR8-vmW@0xdH5*-dbsTjHFv|50u9^2@# zRot4h=%YB2P~nV2)K#hDvvCv$r~pMUDcUseetgkJ)v>KNGGLKPUqXPHD zOEX-(GsGTy{>{y<^}{?M_CGQ!yR!ei=Tkv%o-su94>ca!MS1SrWN807CV2D+AXT^$ zhh{f4<1(wTkHlc~h-jt)>_8 z)UT5J zcdO&6{{da9|LlD+?sSl^n+CyBsWUy-g2SSHS7Bk$7P!Hz?3jtOk z3$|pf;>w`7*MJ4q1uiOXJF)10dzre6IY{x{fdA#{LlJe{)L{II|4mPgHm+rF#|Xf zG>!;4;wUKAOQP5XEn9!Yj>_s=s*+coP=F9e6Kr*SxbXGKDxcZs+}>EXh{=|{_cKt z5B-o~G(wFYUnNcvZ+Pw%P1-fYk%eX7hH*vYiF^w(@PR-icZz?@JZ56*=30ko)4I%9vkAimaap5|gon>#W zf)pCu$H@IKK+ODxfPoT<)F!|?0t5Mo75Nt9jVL&pCMJQTF4-^54-PMnW+DyK+A@A% zW~*V6NAEMZakX?L@e-wDamI6#*nwOLi-i3|5*f)UZXY!pcu(NkpIxQf5SH`+Fxvg} zNIYL9n_YJWaO?igJ?AdS3{@uX4kXkNqg@`P+0pwLzX_OMVXs9(iSHVqveA8nR$mW- zsbdQFdF|oxNX6-D!mX|+2)Wds_KG$YgZBNGM2d?m?4G!!2I}*yGZ`i!>x^h1Fi&kJ z|7IQ^dIMoxQ=`eC09{oA4ZJe)=dWPo7bng4Wt9Fkj%rlIsP4bD_a zIPIfcAa3z4u&><<^YjP*=2hXqHI5gI9sB+EH>1g;SwzT*S%z58BXUe}QCxxu&G2n{ z>MAANX2N#Qs|tbg4sJoxH(BWE-?sN3Yz|WfCrcm@S+VYh{ZWR4b0s$&R}Cg8=k+=- zZrLMYuHW0OE<87eBRj`ZzrctOz2J->EusHzHa>%e<|Pri!*dn&51WMnzGu-T5WQOH z9|k7DpU<84mrF%0u|a4I6k{K*O*!coQ%vGIFf9`7hk?m#PDlP>G5_^w`9MQnvTg7%w`^CD&*&^})EZ)IB 
z>DVB?trIbS6LZYcPAe0AE?1v?duMU4OPvY~_FFgze#qyKFz4@32jSZO4ahYG{Zw`z2 zUy*uqWmm{4 zdXi`FP4?Pr-RoZW?W3{Rr2$aDS|v{dLTT~Qj`Qn&tZO!`fM~p0!SdH-|LLNPIhV7{ z_2Q5YVDQ0lTcf~ZULk;C*55R`Te8g}2I|k%w1RIp=u}g$HLRbpaoWsDR~~>w<}g+Z zf-XvZ_s09~ZxE7lj+RFFCQ1-$l;aMCfmn&~0*e*wwcmmq33}u`+(ZXpQ1}2ypl`%F zQ>aD%h}OCJXYf?@-K&aEh)k+qOe}O$6B<6`8q%brdnY>YG5*x!c#u5L2A~f*- z)zA1suhQoWV(DmOh0pu-i032u8_ISU z|LJZzE-8o$li0(g6fad&xSd2g)>K1;WV*D3;|unL(3s9aHc4Gefb2s8vNZ7Lyz;aI zWq-ded+jS(O3y}3!bN%nQq)Q(B)cTpF}hG-T`sUrWNr=;Wm*KhVB l)~C+pz&}M zy1xhmuGbhsmPe)imFybilGFvRSkU&L53Eu8y4FU3eR?z@)Cl6;!e7U+$DY!_4K2%| z^5A}Lg?7jCO6mePOz_tKwZTCwdr=Fp!8>4JX=n9r3)99gJT0gUH48LfA68T7ffJ$@ zYcvk;=|VS5Zfxw_K9&+`fnDS&J1hSju3R3S7om|A*7@pwg7JN6p849=4A<#8;C=)r z{u7%1SN{WJ$(V1kJk+Tt!Dd5VkouL8Waj?;M*iu#h@7Oq%s=_#tgZ#F9E+KI<_}&&KRAE*HWUR7f3%w?dhMb^URsS z9p0EvVX=e6Lx6wOLn8mN)QP6eKka~?H8+~PLBl$c!s<^A0PUZ;0KaJPuAM41z^_aL zraWI>@ZFC+>vhBRG>NT|TdqN8jYN6dnI19(U3x5!v8q4K+2v**CbiU1*uJ=4TebQn zo%-dvpX0Tf^%$uizw{qJXyW~j$?jMxf8_=<&VRYK7IgUq>*#gux%A~9 z3!Hi)C0zw0NcWRNJ%l0Pr*-TyKOKC$bB=hcTm59S8GB&kaK#(QXM42a&{$A z^BX`njR(_k7vpeh2;?71v^@Yr%l19$iKLmG4xS8tL}-vryO1nHuF@`+>c>JkZVmkz z8_%)Rziz%mYc0H=^+n&o{yoh{%>#qZv}u4dnI}q(!SXBht=KoF4&_bhiLAM9cE&B=}*^UPw&QKZ(y2GZ&Ien zrtNe8%<+V(N&HgB2jrq`9l;heM|MX@Z9jN9WU9Btum=V_ziCnY32ZhH6F@qVIea zHFtBn#2DAesbZyRJb2+*{A2Eg^L)&ZKqdF=7@|JO-DZnCAU%SR&vVvyx!PX5!me-< zpB!CqLvQ=5=%tx2-F0vQ-pFsAfkl4dNemD%e_EDG07x*An9P4Yu@y(8S!SkmGfgrh z*_@*bR#c^-96!sBV)F0Lhyz0pP2$JnJej;rx5I9I;>#zZ{%jy0z^`gjk_J1Ncr2z@ z>-&6?*)1};Uoil*i?`=^qRuQolJD+=)G)OlOU6KMN?U7mjO&x=2}{xU3*ojcEm^50 z+4kqVueaZb(VG0i=e~!DZgnR?&aTxfTueb`^9|e9C10vNm7!Ut8qCH(;zfAW`MI-3 z7_}E!*y-9H+6IvvofesEB=$`=$4;+te1H(aWSUSIo1tVo zC+@rNI<}j$&J^K~>U24Kie|BtznrLEC1;`~`;b*w>E-O~NrCrXn&asq?GnZ3SR95ogWe|y+r!CU?koDxy?^xr96zeULDhJ^<2nPm)~EbqT8n?Ms9CDv z%#)`Vdme`R+)j;))!T#ZyXz>+9Bx!16ugASC*cLvJ8!lH;xEm`i=6Fmak}^<;pd@g z3>cxt(G}Ye+sQkFw}I)JYPe>l^?&G6QosFjsluLIi~)~0_~!dd2fzY{78SY@yosmI z$J$ut)9QgYL5633z3q$5V)C*VU8D6ylv+1*sWqfn{Fc^n;xZ^%DPOF5jB5>Xdd2@) zK_nc`@q|mN-65oB 
zXU^8|f6<*inGak7P`hTG6a8&fAkppwnfzxF5dL@Cmv#SOoiv5KN`<5F-Lym<=ym*5 zPEE>59AJ?%^=}7YKTumEK(%^8LKL&00ACcHZHFQa$s{QczOe5&{`8{^BFC`O6Ef=A z@Qh-6Ne}SD=ny&vFY+} znm@dUDSqU(%Mi{}*oYn^CxyqJi4M#T`~;7JNcqOv&2LBPk5ye>83}ASk*qsnrgf@t z(|$(cQIkPQ*HN`1hdMytYbi7oKv6&V*E?wRTSQ`^JY|vjh$wxaK^x28` z!c&avg&wm!9ToDjZTxi0by=M;;L1L90@L1{g$b+F2rF*Jab5V-xtS-_>~uxfcj3^7 z*rRCq^OMfMeU$75*Z7adq21|69!Io z2Td;Yq3!A{1ka_aq`*1{0l$U~Zh!>m&;i-s0?=`0(+=`&`USd1dirXzllI(O_-|te4eKaU8iJh+Aovy?Ccg=nRK}~#|2p(GMi-^o$acTF78uGPEM{z! zblP1UXqUUg^Jw(l?v&5Lcw4Q*kOHd1TIY!@mlE=tcm1%-;zOqcc8{irJ9dLvjl4u{ z%u7{>#4i)?!LG=|I?UBo=4CdY8o2Z0`pcIR!hWf;2~TJJ0pq^(2*>E!j6fW9pXfJ4 z{u*+T*lM_#y=k7xN#U34ojaFu>xlBA`&bjkyps3V$s}(HGj%?+|IPMO%Rh1Pb7z8I zGyj}7ojJ8Be&`y6+CK<9-om6&u#;>$Qvl-Ox<9pf9R8Lj4U2a0^ah0(toQ#6Xksya zE>Zky#+e7X@uwn#!@*Tgj-%3-ikZ`ah;V;rTM`BUG=9XKCD#KT!M zZqdgWaeV83*HsNS?*S$dF(+4Pm&-a-CFgK0v@_9wYKqOmR7Ye$fmF9STePB@yoP#1 zROh1W-HE?if{lvJT$^>0(MO|5Q0+M3`_5yx&54drnP%0W!i1CW$N!72$u40;Lfx0g z(-c7CSZVo%{dPj3uj6!z>a$HauiX844o>&li{8~eGke~|H-vUShjGU7pu2tlAU!6> zi8Zbf*7IEFrlyJHbZn9)eL`@~+w^fWQ|VvJ&dr`~g)QZ8qvpa4e2i;R(>pka>8$e* zE+y3fKd0g;xLM)YJea|~TOd-PT+HK^Sr16;wN|2Dup4K;Aut$pu7nz@J1&;r237gNX~{5Yl8@=<-d6WfIyf#%Pjn6Ez$la$zEipd&JM5KDas{nMSOqQIOMG9%aY> zqVqbG-3M-H{6iAx*cWKCgq4#Nj$!-Z);SmI_SQbUg>1hPr6yw~BO!!b+J(cPM`+-+ z?v+B#nGXU8m=P)!|EmL4|0|pyc(j%ESPh==Et|9E_qteZQ>D1?dO&KS6XTMD{GCS% zRU5;t^#JxuDz_C{dTfPpVf3f^o271>M2{~upxUkA?X(Zgpi^qbf9)2!&oLccTt*#` z+-Qn6{A&J?Df8G9ngjd32|X>4e+oxLD*>41qiH7EiSB=GaW+yyPtSQljwt|I%!^^p zi`}T`rlIc9dI6AUupq$qM7lc)vdj%&r-X1Ebpu4k^W6imPuEbu%w6c8HXTXI;Iu9k zSiA_RHiHg#V*wYOkpJ#m0VnjiF3|2Zpqkt2Ae{KLsz*TTYe0u5?Z@DAfJR2#s*Ut% zUaQs|j$y{pci+NFCdE>=t@cGlFswZ4#%*3BpA{QRHP)q9_l>JO4KWf9^~Ej>%3@M} zcf0!D0nE6>{~X1v|F>1Tjy|4nQpIQ8f^bZ&_H*SJKHWf4>Kl}Bd$qZgL9JVG$InX~ z;MlYleBapqRy2fY2E+HN4Ag6Azc=mYizkLdh%5`y`m&dqW?p(fY+ob z76(1YBLia6GZr@Qof)@6E0xi9782^SZXh4;->XX% zWUzdJkGp1c?F@9}-ZbGHJ{TDF+`0c$bL?^19D{YuAhSl8J4fkI?i0qgg44>8tVC;( z5*=f6uH0(^mD>V>?3QDJDDkCBh=;It;=jp#tb?=npGF$}HeC 
z?lf-WvEt@wnEU1FIs@5ve)>eKm-AQ;Ij$p2rvf)MV_%heA-`+Ja+U8+Tdm2ir01Qb zy-NKUR4pV7<$ww^C0xU@b=wjl49izpYkxK)ZuFIE+L`zX`x!^xXpFh%PPG#gayK!A zTk%Tx$9Q8EVtVhD_7Y^p(pzB3SHuMi*U{Ei0xyi6dxvUeVj2?N>hS%4cR&;RL|mwf zp!1AUXotV=ew2m7CyX~(ZD&5RuQB#b_aUceR5qhV35F2^$o1IaIEo{%VhCdjUvA#Y zR}FU}_gZ8$_*vBCWaCBg<+6fArr>xc69JRh_3xA&D0PH#2T$~kSeLTIg&y@+_BT7S zO}>^Pn{9;8n|v(WI?p;=bAL&G;F|mR!2LfwHVQ3;gI5fSMT8YS&?XB%D@IV%D?We6 zueHYNlX)(Ag~<}gp8FL5KIxZ`m8?*HSdeR z(tFgGY~r?F?z~l|bRxm}N*+yU83H#fqie18gB*dGal0%vX{HD$yPJ3A#o?O?KPEF9 z(s{0DXx{V-v-x{#QF^tJC!*mPLK~soq2^M+T2$XTMcx~RR21nlH}HIXM2d@Yh_45W zZ2#iEc~5lek(k+s0o8U!29v;ud_!g~GyA*0qwIwT9o}T7M=baP%>0|j86)2fGo6}@ zYBHRhCZ?>tps3t!R@VL4Z_uE6l}ioODv}_UTv;5ZBwyJOx~u!73x5ZERfP4Y-=8GW z;f<-9*w$-q@Cs|{4v`S$f|NKh2TZ5^UJe&E{dV0AeDTNGB&9@FzP0&qL4?YP(4TL4k@E$@gN?#Ze-yk0-iAlm{4i%1}791ikP?5)zxA*k8GxIs9di^ zU9wspM~V(RP*}6Na=&zYa}z8kwHErsZinodtZNRs@9}Dkq-5V~K25})N65F5jSI6< zqFWtYWQtKF`3<|q?7QbAQy6Ss+CMiA*;E8rw-EAHm#*)eaCht{{ER^Gvjo#RyjXsU zQB9SO)0V7Nmuk+-E1mA|A4i>q4Tr$Ox?Yr9+(f-=8ctCzI+VyTFc^|a*H1t7)AJ4a zB%;oegFW=BPoLOA4jRM!vK=T7pOew0bCou0-xaJEBZ*Fe7rVNSpfZjLj^`h`x>hCx z^}m1Avu4#9s7e7_;ddpc9+DWc*~y=BqFPnO|5lk#POtO_?)!>{Zd|@DHHe`Ty)-EM$4xqy6iHn$3ozz>%|JSR%z@nE2f zB|`Dyf(bQLLYFTbQVuz zVWoflhNb2d|MCvLhtIh$>#@u6RZ?_l&$?$(ryuLwPVY+pLE;HFTMfve`z0yXb{gg#l`^6>i>ThX*QS)ydh2j6SuzI0L7eWoL0_3c_wcZJH0Tod@R)_ z{lTQ^vj$g!z?aVv6LbvOs;s_5LeL)5N8GuSYb9_{R}PaBJ!y-@qQ1Cf4J*+W1D?2J zcUYn>;g4y*Kx)LW*G1|8)`wT_4Q!(dyXW?K8T!zNUw?AO} zDV`){^eb$RJLp60hxFLFgN+Ml#5u~sK|52(_z^U;l|Q%pT4jHY(`PH0;@ja|8jTO~ z*@WG#qF5eit;DoKn2oyw6y&rokEJ|x>gf_uEtpKgu1BWGn7BM>VBJ7|#4!Qr2c0s5;SHmn@J zGtvJ+JfgPE0y8qsF+Ii37MW}Z+>GO|#U6aw7jVz<--k>^zR-QOLsUNT@j3Fh1{lY- zPL74Pp`P-8f|c$L(5=&9GQ=b|y;{}+roiD9TjKNPxs44T@lRJhDk|j9U%$j37qQY~ zAJ#P==jvhyP6RyM4C9h369TfuE zDcY+z=H53)^0%m-x8*sBRpRmfA1w|yYb9FM$_N%ZFwfE%D~o;)eEbvf_G+d1m%T=r z?EFF9IsQj2vzTz4W80G-M^d0GCs*zB;69g_1>*_Y^+DoRn3-g!%^3SP-_Pft`SYr% z(D{&!xwn8QG{0ABIME4qY)Vg9u`g=DR=7vquXDLMo}sQZxM`wdN!AasrxZukN-}+; 
zSv42#vT4scIK@9o>#p~-fUvfL=-Ub5NMUk+#kRHOio(ZngTZ@e<}WQgxh~h!8TbjU z>r2+(-y+ZC5Y29p`!SJ_8cUNA@!1efd_O{$i>3IbSi$BqQ0gqH6}O*!T1*oHNC?-L zq2zdx;Z{YG$eR)I4E?%07sIpo1yZZ2Cj5+=@=MZ7FL!?V*vI6N6X({8)%1ol^i5qq zCzr0YrH`L7Ml>qO`9CmzeVAC8x4mbB`!ElX$5n1(+OL7Xd1jQlN+8s}v{ychziV(g z?ysnXqRZ8uO5O;X&zq zPwAVDZV30%K{3HYJL}tNECI^OaR!SYgC7QSigE%<8Olw<>9a@y42-? z)ql5MD45YHRwd>aO!c`a8OT3=^S3Y+`?sD0WjOMQB-)hdB!-R1EMyn4@rlsZe0@=Ie7*{v77DQI8(69W#2Tm_u-XG?eUARk1IyB z7j6X5m3`qk>rV&Hqz;u^(E5=qEmT>ecO2qLAj1ndu0xGWwppxYe3;?=Q@VS7Ot^$U zUzPqmBf0mx!!Oac%S*X6GBlq|j4US147K=Z1q}OGTMVO_m83ggl(>#U=ZYh-vXfL)#~^P? z$cZi41Ep~F;?Uc-TeWN42;|0Shtkh%Y0)Q;Gfhho`!x(Ra3y;sf!m-!o1L6H{!_^+ z>rKV@WXkYlX5ziFN)clZe=lvITqvvF8Ko9Q9LW%9&ls0z-E{yaplU+90Ce)cAW;9J z3jh`kb>$WLtuK#OuG6@N3b7|6QGob$e}JFGTntmXd#nt_W2)Mf5VG`ZZxve8{e2A* zm3@CyT-wEa*ZQ2si14_yVx!%T5F5qrU9@{2OFKq2A?O`b>uS!8EhIDTC+ec~^u^&J zgwcqz$-Y9}ShE%PrT*_u76PAHS!Dj;-RZBkGPT9Q_O(v)u(zoZK%r9Ota1mItk1a0 zciVd0XO4ZfO0>VjF0X`JWeeofD%P&_tK7b^LY*b?Wv+;-)}UnvwPS!}pv zBR9Ccn^`Z*T-GbAvZ$&J^D8z5DS~Mq!;5#fhfu&PcX;$>gpMJZZ~pq}3rA=8>@CTo zAGCG1=kTcro@i2w-Ozs>>rpJNubTtRoG8=FJ&*|_dG`lTu9T%b{`ExRv+V0#)?H{= zt02X#8&|W{;YU+&yru=J=M_JujOxklxn%vjxdj7qeb5KEd55<@cUftY4rIC4A_p+9vByjeUA3%(5 zN~}%}_H%BWQ@W)DYD|FHrf>vZ-$FZkDyI>vZA;8dF@Fdd6E3YkIW-shz81=*^PGb;|{{+TM@4@Mbcq>~WMU=5dU-NrmVf@6E5jmkyfRmew~j<`?QPY$-To zy*kVHE(s}M$`ig(SbI?E;)ZRjT!f4JFRf1ymCtq31Sz_>aH%@nh>Oz05<*~Zq1W-v zxX#3kg_j&5Ki*Gpx)WIU&`p)_J~ayKcpRX>jXS#w3f&*6Yeimb9IgB%>00a*Gw0pp zu}(i2a@>LMfz~Sd%YL9q!uzzS0hR5-!F#uvC-Mp5m9L|d1n+G=sT&gN$j@V|6X$*va%xRjLo=qM3(?{7!VX(ztEIs)m&^Kh1lC7%toO&J{U;7DQ`&#f zczz>5e5q6DHKs7P4Qt!{RZBBt33KjGB1rgs0-}BgU&|TTqZmEE!$A(E>m?;f( zFPXkH_fgjyta;4*_|AML(TI-zB^aOpzs|Y5oS-{L;DsGMQ#i#0)oP4Z*7oH#bE0Dq znER-3_3@u7U-mIyO3mlfVCB}$F)IEIA^}yphdpYtBZeXO%zizNVi!f_jjgPBE*%|! 
z!gGKwA@N^y6R|{%NHM9c8fvgrBTo16&R|^YLd=U288*>I(DXUwRY?xyAJBE$ZAS%k zD9KMM&{Lx|JTGKmN%Morx18qv^$2uD{u!+|D+4fm9VYw$cLgZ$2tkuY(Zws<@DJ!Z z*6K0I%5h@FeML5S{yW285DDH7lV`eT`r&EG4<8mQu}cebHrFpitIr9pmqGlks)nR8 ztT3?h7T#2UIVaKaq~VxN1&qHU7}xLin>rqG)J`f6-$W|We%3>-pBP`L?2h(AF$0@s zy_%W69ltuAN2q`FUgW!N6vMUFGYL61SaNn7S@IDXAF2XqBT{Y2q^08rSF>Jibtrrk zDO+WKAhGDc(k^tH=j}P(Rj|8hRWXNNym98z#mpSh`8t9^unUYkAf;ste7{?4DZ$zF zQ$kxE-i2Eye-#NIf;yZ$q8bz3BA~2D#>svR9AZY1Y4a3sh?x3zK=rM~hK(GEj?RT&)oM-A3vSoYYDk`h=XreWZ_>FR*!1=u zt+<@2gSF};kt~OFYHZTdwkj1Az6KJ@Y|4a6HYZrrW9&p`Z8g%3i|qrzV8YYma&zfG zo3;VjSwcIC5ssM^?$T#oZT6k4%VC*+2+rdJl;aqPea^Mj zf6=k2Fd%<(>3t}&%z~P+2~FwOfzONfOQ8*9zg{Uj^G*26*`~p0t~$&*o(RSTBiYT_ zJ7j-%3P+wiHOLRh>uYnl_4E9ra|~aP50xX&^?V!<=E1YSkKGb&j;r;n{ivL!;-tL6 z-S9f4P1t^{(wTUp{RR5;&vu(j%VJVWM#EpM=3#oou_rORjr0>sPklhx_iy`soAT6M z4`EpRsh0MqDfPbns|NmqxC;X^Jlk~3j}CQ6<27g);kq;o$KvQibtylRkoz%mVRHIy{qnm#6j2ZO9 zNMIwcWsI%fi^z%GhBEc()moKe0~#FV3#EG# zt@1KVJlFRWY|bhT7hg$9w0JQBm<3_$-O4n&YE3In-~h+(3&0(Y0yrScJ5aM3i7l$A z6y2`O7u15(_@9A0M}-_?`=*Pz3Iz7;yDHYrJ6pq3ig7w;Hr~wj!*rjx9^g^pxEnj; zZS16_A4yc(LO7$Rw|M7ZSS^QlX}sE%+Yb~!sdc;L`YHFI`+#wL+34Lh>9@p7eS*ZCMSoCPoA9PTP!5r?;)6(Utu! zx*|j}wznd4%DrJ?XJreOl1pA-JwUbNF06t8n=>l+b221ag%8fuIU`W#qHlmlSO@T! 
zRzK}Ncs?aor4aTbCnLt}${fzolJ}e$nJEPEWKN$0exnnq+ zjUPC`wqYH9N|_Q+H(Ko|CL_m>cZj?>pH84;bw&8NIFs7f+O`jO?w|B{yEP0lYQC}k z?c05)HFV#n#VrbYk#^_gR^w%%f>$bn0(${PhDNs^vE(m1zHpZFK-2ZL)<>i zJPD+*+232Ux$Q=Mx+^=t`y?9w0^|OP<61X3W^X4tP=<+jueXlKaa_C57jUB2)2F}L z;Buf}wKSH$o_}$s+O)xbWb2=aiao}cdH;#CkN?rVF_qrp0YvuB*a?6H>-Gs?w??4I zAuvA9pjoT$fVJM<0&Owwd)NGx{4=UQ#qssv`7&_luj-$R5>clWrM-zwd2@XMjg6-z zJr=`(jIAoSiH9ko@$of!rz6WF%l^e3v7tE(h=)X6JzR%GI1y@Y$Sgfg1HO1{EOc|g z7m~rxI(IInSi0r-8A6l1)WIuEe64UXfB(=+|Ei@^!`i$SDB)d>pNcnk)oK&p9&yxY zq!-A#)$9C6N)_~UjLtO_mn z`5s2|JI1#4Y9_O>+7xZDl7v?157U@CEJ<@4zIC_&X?d?@e9J=HfoRc#LNf&q?ZFg) z4Q~P^>jzLwJKL_)ei1I8DCe(s(^$3`o$$!-O<(2cs>{?IvM5wHbV{-IrX zrKVU~G=4Ew9FW$La8e(RjEvrZm6wARSDp4&>iXnL)rU-ck41ZyN7`Bk3smS4+Eh34 z9ErW7XB|@~4*qeJ5+bqNf4dI;>%j0CNjdlA<89vuRh+X7X9MuJj|Jezs#H75PJ1># z1?Yh9yGA=UoQ35GY5BMYJ%uJqzmb1)?!!#0f5c3YMrf)24L#3#Garx=Y@ z9Oet|Xh{#H8DQ26=4T7n0#z1cfr*kgTOcRGO^BmpbhcPyRd%=57(%+_uX4qO^J^EE zKhVv&r5ZU1FgG5cWr^5gvh1u$1E>SAo0!DKc(2`^Pthb#EmxbR3ftR1@x1>=;|h0< z*d8a{E{2V2NI{uXA$}Mu$MJDl$%++2C-$>PvhTk3MgPjMeg~-WewXL#YV}JU{4rmTrwTR`^@=o#VHcdFxVv~OgEp=j1~2G2^-L4gr#I^wX3~|{h@ft9M$%w6 zAXl24@&fMAg+IH$WH4fPP5IMug8x8?KU)9SMLoJMKYB=KHUkwz1Tn69IN_MRaiBHN zr>1(rdPA1af@W+6-;HcaG_JqDu`vp-WZeW3%g5Qb$J@uUq=ho`+4;<+;`Pm%#98!{ z4Vo=7p_YkXa^*^;YkZq=1B1xY98E_X2-TgEGJ6n$V5NXM*k>-|Pec|w3#k#j%3HJP zV}C$GX8DH)40QM3pAF8|MB9LKJ`tE`V1!~LxgJ*zOZEqpcDyTL2jg#MW{kDwUjDXx zKU`LJae$EL z3PHG&%Zafck)qT99SX9X)TZBIalW1c!}}wW>vw)}_`TD(Ot>ZR@Pfw}9Acehs z62IO@#{BTH2+bm0V>vL$cwV#p8Y*a?TI=BVyfW@|7^vjdvc;%zWIK|>h8qk(ZK`}4H7B7?sVrRK`FSG0#&`l`Z*Dy|e*zk}uPTyTQxxa`N@UyNR@2N~5KiG3U)%Q3pr3u3gN#29) zD+mGmh(R54KQ>D`acW{iKpi#BZV$cp-gLpwD)H-l>syHB78c0#xrknyQ3BN0+=xscYNstp z>Q%Fsm81*NIle?o>pQTYZUuS`%!%GniVM}R<$IQjEEg=m=}NNd*Nd-sFScc7=8{z` zXDFt@y3Tv?9@YZUHn#He@~SHK4%qrNT#Ak)|4J+fImE|10-g1#oaOi4k3HWmW$1MD z!A;)iS+0rJS<(B+(gN#0t>=9fXi_6MhuAP1kv2*Xh1Nv;S;skfbnt!UODi4;yYKXZ 
z`}2(UMS(e=M}xBfB3s6z_&6xI-6Tt1Bh6EoZ89-)5-}9-<1#U!g_4dkrZBe+Z1+(j(>Jfo`r+D~QM9rmEE~(TnM3b7@ns9KTYF)0-8A7np&*)V}1^N>ns1q&;Vu~fO9DSifr((_erIm_tK z&%`XJS2qjF7Zwdixd?0p;J}Z&Mi-1Gt?Hep`6^FW+Qi;cr4cGKcSk}a zG7R*YINkjx^#I3n(Kb4ai% z95M9XHT#8$nvI;nr~~VECF@Y?g2Au0-nutmb`wn{#geuvNt1h#kvk9DNj4y}PI)ia z186jMckm1L8uj>_#ld%F6cO5S&3Wrb^3G~_rBnJ|Tf&S6!;gDW@f|r2&(d?yC_NmU zGj)`MAF%*W<_t{)ey$yPd$exa&@5&^vo5lazCP3-PPj+Y_Dqy^_`r%8o7lUH7m?7s z#`1T2SH|pRO`IQOI?D<3*}xlHPLw9M%h9ejrNX7P?js*xESPF_9nB1^PEDcraX8^Hxe>BpcsT8eYgO6t3G6X=-tTS+5ik z{BrQ30gmI<&02xIgt#qS^-?E@0WPUS*$P#9f`-B$=-)8w1mb+Z41Kzba{ilFg?6Wl z_@DF+RxjsDR+Jvj#eRY^AowY!?UT^RJt*rc^3HF;hDe*1k@>oY?3e9*L2`PBXKtsa z3D|?~ax6)2@38_8|A~rdo5gUcRGD0pn#V+=WfCE&Z@p5!34tjsRPtK+anC?Mc}3aH zAz-h;dIR-v<=WM5pa-V%;DnDn7=-1g1|5G_0O%-6e`;~ePm0@4ZdkOOoA0}cQX#&- zc#rP6XAf&Pl$!D#a`7Z!_SAuxU0F&ke(`%#Wh|g<)#u0XI3@UODFe^X@CJ`6pPuP& z9GF{q^@Z^U`64BwDb)!HUYkvliaUYXFvSK}SEK3SJ7zsvLZqgowhgzUX_t`zC?MM3 zrJ%olOi}DGosj}D*P$-d7eBO_p<3uO^>{1%>TgyH@w#)XqGMygJ=^^^oGF^SeUKFW zh^nWoEy;M8T4QZJ2dhlw`Du5?Lr;(X*@uMjDo1qYMGG=lfZu?Kxrp2(c;P0YA~Po~ z3!zbuj}vZjK04i?v8md$9Lt{A4rAHYCO1OE*U{3F7pWP#30h+t8<%#HWk6yjm+7kG zQ5OX~Beq4sHQd34skTcY=(Y);p#xo&Xl2v1B(CaQ1EY}TeZZEKDmiQVY1hSKN1Ga5 zNu8lN3Rp|()C}3QuaAHl@eg%BFSm6#U*?Z8#0vdW!h}KIKtA!^_&SOlB3)x7o$g(Q z+)>*$(bD<93l0opUhB{KmEOcPe3q7Bih{=iA^CY-K1aEQ{_70?`hn00pZJeAjgo3{ zUPtvud~vIE7xXH`af^ZK zisGf#?-0AAca>F?MFUm6!lk)&wJ+@~d^L+%_%DOzf40w^{j+z=iJ6dLX!uI__vBl|l_ zN)yt5Sr~=P%f^2Qmz)0lkjj*Hx4bmIw3pR3tduKGPr|7?-N1D}i8O~D*XqvKH0Y8m zX1~&3G#oj2DCNrQ`%?O{e5G-`3q0f$*p`g(WJ|_l5NW^VvPku1HF23lJ160Q=|eNK$;`40o#cMY{4rdcY+pIi#6oARbNsA~E>v#Wnsei|kwa0$NXa}pP&WaxruaIkPuTG_v^o-Z2Cke2w9 z=Un6GM&4_Fx~x*$aDxuLI)$3&2_ElS{dlssh>Lii#6-*S_GHl)MY(s2hO7N&2!U81 zT-qKeRysB)r`EMq$sJ849TQW+CGw)Z0|jg4y*bcto?dw!q#1VQ(sLE0=YX;wE*x5G zlH@+;7BWPY)N6|TPGI5!tvBwms0_jT?kH9F#oTOqbWf$#;oP^o=w}c{Vo9UAx3HX{ z?qe2M@@2FsOik;!vQu7LSNJtdDNt*=q+p@k`M}2)Z|Q~(cMepei0;e^hqrnMQXYV~ z)*3trKm)?DZ#K0yG-CPhjmF$oyM;UK^GS@46QVLr)d{u2A0!~IYtV4_* 
zs$o8=WMATF114{U%njj)+_4&d{i8!7%*}(1>Lq6L^9eEE@V|^q>mvGYM`T@zD99Bx zt%UVN%I{@;hMQ<3nZ6bB ztY^{tFmq#Hey-24!tphw-PkkV!adm4D!e;+yTv7-b+UfCsmbkk6DdoxP)=w)X|FAL z+GXLN&|gE$&LvCEVq(OwcN_tbPpwQjqP2eJ2CV}wX;#h3tm_?jRT3ie`wTC*i^h8L zbZl2LHXRhPYboQR?c(?>JrEF*u@L$k^5Ic81Nu3m0zLz8NXC(Pmwx2%Iw3_zD#WCD zpXmA|&+uyT5*dx&ckq`Add3YtSHOdNlDN#mo3z`sKhGch_0~xrItNH`M{gS2TGKX#)0$gjI@4lD6O6&by$`4ha4s{cO;TOp{9eLgJ>l0< zrzt#rxNH|U+bkImjB>Ym{%@gT@bAds7})7&6|QB%4eZ0oNq7iTy<@t4=27KXw&wBU zj#iCbvA($MNBnI*3X&TwbG&w4GX8Hcwz+>#5%=y0wsP-1Mz*38uR$;?Vm z@yI+)>kAqESGMdWWB?k@<#U<%UMLq<0X{b;RCr$H-Z18TXv2G<(_%SL+Jtj7YX&8FFp=0I@K9w4;ak*`dg-C-7W0*nNG2GzWMc!1}Ex9 zy4K1`{RBbxpuWYaX>ru_H>7Hykl6OH(?&Q@ed)qnp&cl0iCS?*U1~%Aq*cCN%^!G}(|%!^cEW<1x2w#}m%cYw-(6m@8LbJg z7zC7LMZhqT?Os#UR{q|@;YpkAnq?0$(IZ@g%SqDkp6~Ffl!{Lt?g^$<7=yU_TS=NY z7(!rC;XueW(S8LjnYBRKJSRA{B7P_bc9kk{>If)&2n!&<&Mlk$D2)bh`d zqQ7`Vvt!1HwMn-A&%-+rM+vjYrb;9p#49C-6n6HR9Ec@us4VWeya@p-qD1KK$ZW?w z((Sx@BPU4{<2-z#Mrt#(X&5=Nrnt?Tl#<8IKl&n>gAME1C>9ApUqQFzyy)-hoX$Rg z#qxISJvhRdl&VVI1($`5KSc3ZYp zWT?XALZp~8Rv-vg`gWt%`r?5_9O=0Z$8%Oa|FgfERMIdCm}Zncfp0bY0-h!Z*ZD!a z6|(gM$vf<=tN%3l(rgx@Z%*ZHf~4sihS*7%C5>oe_PjE!WYqF~uh?V=6ak!^yZyCl76lrVuir7NM$5L&8-d zh6wc9%^H1?C;UHkl8^ro)$e~sNOzb`s8fD`n~`J4opo>BZ71c5x=5OrPvGMS|FMyb z6yn;!#u6@$V$HfMQ&mJj2%naoIOW67efL3%wly?225XOO?jGQd*+^)?m|O2G?!Dvu zPUiueZvCI2&T_w^rf0MME|~*4n8xEvk~9W}t!mc~D^US67B={*o7F2uOVI==w^}z| z#lFHL$HDi@n3_7th{;f(sWU-8J5ck*%!xow(2*#NL(65R=w-R3}GMMU++&imJJ&n6+A=hN!kEDr$xqHE2dVF)>tJ{ zL!_ptxvCljY0VPz9Anh*?&rVP`XBAJ*V@06z4pOAe-5&;^4z)Z>-u~@m&H(^KBTh^ zMlBeOd3Dvw_nUb2(x|MdeS4E9->3uC{dhNubB0XUB|ehbYi|$Y2(vmn`A6s}*9+f0l(D z(Us6=7;h$3i+oLcEyza6&=04bI?!Ob(Apz}Sy4=v+fx{x_S8wEM+K&I=}aBSJLP{U zGM$3&F-3RWIN7DTKpoHw9V*^TJq`O)=mve<#H-?&9l}>tA|t!0-}QGRFssZXO@QGh zA&BOzNLj{+GSIgdN@$iu>oSuF9g_(L+-P4FQCpf0-$cqMCqA=*9gdk~{Zy0s8&~YI zu+TB?Sxw3-$COswZ>g!wy7!L1y6CqdMSR7Ckf&K14xkYpgLEv%%^!9gn}z=r@;=kF z{gQ|G;0{~>S=-DESf)KNgO_T{(;7V2N;`fbM!YS2RT@VjE6#1&n5?^>B32`^2nrNSq7;U 
z_X2WbP<2(M(Sz=6?89$8sQTetLQ{1pTqV9hEM@>D)oyZ=Z6fyEQ2Jt{u@p9^M9F7s zytKu%2Wp23$C}wUEDOH9)Ygu?UL1s<0UH| z%CG{aeKf7dYm#iNqgMCS1bxFPU{0SEb3d+q|A$@AYoxg0IFdozax;%B3c2DPrkABt z2oY>BPlE8QS3|2+bR(7oKD@}0diS27fxFmQ#Qi4v_PFh=H8`y)zYcHUuTWcCoqZH` zIsMDe>-#%%R$(E*^)#o@LbRCk`d3_xEJLazg`Z_u;a(kUmC;TE##YJKlL{Z7U})RW zhRIPZ&jUMD{xTytWlG`t_?e#RrnU0xPd0LNp30AY!@8mN+gILvJUGQ& zS-51lH90<{dys9W195)5JGW#kb@Ema91@~Xr_iKIn5=m z;ia2$c9W-B-g})93Il->+On=oAyy7w<$TJ>#@u!KF&4pqYA`|%wak#%hLP222E^6v zhF9cHocjxYW&aa(uLN_VUFsICk0}PcI|fpy@6KjadrQ8>i3?E&0rzQgiQT&j)0d)@ z{?a1fY@PAs93WSqzJEcJALMwd-jLgU=5JZtSo!RaS3!7#a-MgQXvUC^J+>JefpK(= ze7m?e$qqTSIH7@??x3WgO?(+BcQ6w50^tcqVc^iVmRkiSH$ zN2eJgcdHxuG|OMy%_$QaOV;+#{wDj8P()TmnY1<6%!KW=M@DZvG@&cQ;D?6OPSI8Y zGW`1yBs-AbvxH`HN7GMybVFb?2TqRa?YvP#& zBGzqRiLF#ZBZ^Dz%9 z#UxF>oq!bj18{+M=R^1uM}@>nk^dzsRlu{6~xvX5JJ z)z0DqE+FwJ7h$#-e4S1yV91N^!L!@#Oix69&r2jMnVkqT;%rZm*S#h;qjuw zdi}aYVbR>Ds+y;~lh+Sn;bFV$BsU7$c>~u*7G!B{lyqVrE@3U`h=h)zOZJK7{tbda7>NqPE}8=0{IOk=8bqp5qcv*GsOORl~K_x!61CE`I9 zzKom72Qr5o?0>%s@-zIGjquz8FehUGBD){u3ph6;x3kT*m>E|!kt#0w_Br0xsAMNy z_27V6a`tbztkfn2YBD%O@(x4YGrVHab-gZ%`B&F2hI&2Mo6_b=fG$w%};$rP-1ir!ZeQa z_d-4BpX=ej16hq%k1|eW3Xt*3oC%%T%g7NO@FC);qx-nqdVBQIqhZ_(N zd(Rr5&Q;J@gdOt?%Ga3qbjW0C%biZ^9&LDLsb`-JsMM|Y=|Eaod>Y6HT%o0kPiW`Z z5Kfy?b3Xr6H0>PQ3oF8a=aL70=epVjE^b~=&;R6VzUsROiT$x{Kid2s<%E?JjtVPO zAhKvhmKO82Qx&P2$#O zAwu8*MyAV>b_Mr?(Y>pI$&SCcY;3GbLk;D(tEx#(YZdiqO2$V*pMj`%q{!hlrimrc zTa@B-az;yhaWbkTR`yHR4-k1w?o3|p=r*3+9DSQ>`c-cpG-o-o{IFmB7`!~<8B^2C zW6>8Fnv_f06~^&>x_eXdQGm!_x1^A3`qA)oChwNnMq#OuVq4x4`ls@pbehs^#sm#v zQjz$eoV(4i=k2(zH$G%${nHk;I6F@rkfHs~yZN8mO#UBy{=~v$HLx~d5yFLrQqh*X z2CHI14yuImkW&XnjR{0r-nIT1)c5!uRrR)i*{ZW*(RRKJh2u+z?98{mexyE>YT!kI zjkBYfob{@+XSvu?2mQqKXu!|sd1Ci;0$ypOOvgIi*5ezkNhloDd(n{=>_3~?kUQxA zEL~9C78_zuPMM+kI&x3UNM{*|1RzHVBbe}ugYCBX zGY-pT8Gpt{0LjugT45kU3X%0EIxB^^>eQyFBK^QS8}q*Y#p!_VFLCIVFH`I-6c=SG z`4VdRs|zRVbO12m$x|BCiV^*ZKl~FuGHIDhp227_EOd8KtZ4eXNpYOia-MjC zRW5;mmdxhq4VkMJ&bU;^H}n26RLh^PMmsN^d~QvR%#>F 
zTs%P6Csfwr`HPHhT|<54uU_Q^uiJj9XgcnI*rx`bLDuEcv9Ne@sr+oOe0@5Tf*UbD zXECu$CRsqp7?sA9+bmAzGuIc9=WCh;c{B%~GWdPN-6uCECX7a95}7&TiOkp6I>OXG zOhx|gAWS+Z&_m)3s^on2P*8sU=G}P3`R)t%&^gI(XTtM{TTMc=`0s9U?Rs`f)FN=Y zM|aQq<>0ir#M*{xSZ2dpn+_enUE~WabZM{uFnhJSUVnbqgH<%O9-F7f%qS*l?q*CI zoL|@rQ*sqKrfOo%z7~A@$Z@F9GSU>rYY&+aVd)m3jfewldOifigg`jhVP{p>R2VPO z4?=KxsPqaXHN^6Uc7$pQ=2=OV+qP5j+V!cXg$zWIhw9@=4VPey4L{z%Qxq8wbao;d z@TM>W=NaC3mn&B$TWeAwSJ$KQp&2IP`-uxEwDHYGsCCJ7Pe=lT^zA5AvrQr zq9D?rH*g)z9LtX7|FU^duOGP#FU?^Rj~~L7s=-6-IczAlY=&1!?00xyflJOOGbBC& z4sr2Z`*`%GQ>k0o5klgAQwsIN#+!*<2AX8}rbCK1Q>)#Q-&=~vV2w=P-_pB+wm(y} zyDo2doJ``H-4&YLGt?f%dFxp)&$o@luA+{?q(MCjuar<*DW;+Obz}j)^#&$7fwhX6F7uRS<_mvuCyoRWYO!@8cIL?P}m zYdffV@Z#S;s17f6ykZ_hI{PVW>#vn1uFjPM`xq;ibmTofIFKsF zi&j)D(~$wSqt4B`K}!LR9ws1VRkxnaD%XhEVVr1V=tdgD2|l4nW~I_4lty?&E&;?u zIHJ(>63MGi@vgjzDg!ohW<{&Q;HB^41bAb+mu7Of7v*W^-xik8yS>j2-qBqM}2mXZ;tc{b>rOxpMA4;%}ow@V@H2Ee#0Oh zePbiVn)P&utSO}fK;##|muT@HKoNiawb8-@)Z z4vjE!xnFwwJjx1PadqAro8zjH?X8?S44XKzUbbU?hF&Z2RDHJUPK8z5haB=hVR}YE zI9Vob^*PzT?asbkf5!TSsPCyYFsd{ut9tDEK|+PDH2Xo&`NMmx)M?7uh#!&MdZ0%i zj|$pFB{~k4gd^@G%#>p@Z#RB~eLG&%UU!i&!U!T?&YA@+|12z}C*Xy_@aZ7Argk)oAvy^Ua0w%jtx>P?0@o{!dq6E$CPdWBFePx&z-$h zYj`XG@SGp$lmt<6VARlxI|J7#UKd7%z#5wBh?{bfH{rQ-pV?brWC?fIM5A!Lxm??2 zs8(>ashtzrX1+cQ4LPWq^l`OW&QJ$=l-ov_4eu|cd~6IYM++Yn1U+K-gmhhK=0)2F z@gm9=lRor*93A@+C)jiHj&a|u6mme`_)n7-b%{e&mi@tfREWz!km_TgyhfilffV7} z<}BoT+2foaKR<2z#G`d8buhILy=a6~lPvs9yrR}*Vtn7vs?kS;=o_>-{@bf=tQ@hk zAAWauCPfE6>Fl_UZ}M^LBTKN#%=^gt3zD+r`pxSI*RvfMO-kl!?Ky2Epy!Bi@#Dah z0r4OJ2Zx+HBJNnmwK@>_xgRctxIY|iZ8?0K`ugsBK3?YaM8+QSjrchhPnx zAg8_3dJET;ra!*(q|_u84>LuDQBy@UZ6VB{)0h7c(zm1F^mPK_VHqN&6r5gz{$uv;@6Lv!?g%FSpgRp1POs?R3t4 z+oR|P<1XgcmS#}f|8_Zf{)UA?%}P;0eMo$~g|1^yzP$D;8~kc%htcjLi_~1Y-4(S4 z;YFWfdZZ);TE3c)X4V!w?sU?ZGVL!M_(j$>Pk8kv>YS7^yY*dA@=zKOO)%RC>FQBc zrwbLAf>Rk;MwLToRb-mEWcxQ$eDUwkYWxcA;#mKj%>CW?siN1`F=`@zGD>v%sc*lG zckPQN+J^d8e785B(8|=YE?h7^ZMf`#IanHP{yAZU2iZ3C?U?Huw}ueO)o<0L^RC4t 
z-}(D{+t^t?42Vt;JCr^uDvokt7FT~nt24K5r7k%}S7iT*c^6@I>lM2d?yC4d96G#b zobc!lqcD+`syq$9iV~%uOMxX~&Y=1s?V6R`!t8p>fV^ZG+s9J_=`M?_EQgW>N=f52 zCjYe7N{_@Geu~c#$PHVzEB=jAA(o9_|Ft;c=N}Ukb9?Ukn{V@g;L${S-?g>Le0r^t zfIu*94*X+2HoT`@ue)vP>E{~IBX=iaLo4FT{H)vyGQudpx*Kj24O{9REJX~~+fd!h z)2*G;ZJo!d4VnPr?Z0Q87@Sl?!|X(m>UJ*tv(p?ES^ew_aJsIisFUSU#lxr5OsQ^t zb5#7)TZa3VnxswUeUXhEnl9k|c-W^W+$`+LbSc}_rJO?{mj;HC8mln*OZRe{0g?|? z_IEgqvTd)&3XAr(dlXlu1E57Ylj@r9_w%zp>g&Cg+gcOZcx!Yi0{?v7<rZ*+76E?F6P*?S9JKuSvu))Y)2UB~=Mxgv zpOho1cqKbGN8OTuQO#c8mdH~P3Mk(W9A6_mh!NhPZ@4~x4UU9w6ox;4fSeBywvnm! zImzz!U)z`j;kasAdy3EmiXIuKLy49d^h7MLb4C8$txw7B3M}ROj#IpSRoDDv;#P9h zoSAZWp6QQiYwhg#LVM-xnYnb|a8o35Vb@!+A_W$t;z76oRa2c9`3+fiI$AAQbV?az z1H6y$3H_>m2R-HDUrF42=VrtvEx7I7B#k#8kZ-X4qv4M|`p>RdF!k6geOAfBg$osS zod12nLX_=g6qOA&69#?iQ>}-A3YR>LsOldNm4c#g92H(~LNGi#)Wunyi-E2zQ#~!r zBe;N(%CvjXE9qE;!lQ3r$8L(dGc><1L<*p9cpgZyQd-V?>*`sB(7lLUD(F{dSnO7c zkyq4OzLQQ>19SBeW!If>&Wnn-n5I;?e0ft=Yi(1*@c>VRSKYF znVhC9hcnMV9+92Tw+@f^{Mi>UnHd93Smqk9gjJX{d7~0KL@nDX&kfj*#ZeJV-$qw> zsk31~Nu#xKC9$2ApdrLjYFOTnmP5 zbDwTVh}tSx6@kJu(i!1s3ybg(Wddf^vo;^q{XHNZyEkCj@8qk`PlBkUU0Ie0I^MEP zhZILv@vz>SSeXX74JTg?bt(s1#DXxMZ};0Mf?5#<2_IR|JncR K-xcS-zyAl9s?K5n literal 0 HcmV?d00001 
diff --git a/screenshots/extras/ElectricEye.pptx b/screenshots/extras/ElectricEye.pptx index 46808012879f17c3e869eec65eca4fc23067baed..16ee4d74db7552ceb48cbe443cd5c2bca5ae7502 100644 GIT binary patch delta 98347 zcmZttQ%8CD|M{=>O)AOARpzJ~HG`ls z#*|uCEJYbmFf>tmFEPdmQFOC>V#Q^Okp z0~xwH;{e{Umi(}i*J>bd_MF^BRT{(z1>ZZuzwZ=d>(Xy$k0c1IqyRWH(vDhGk(v<4 zKX8@M8x>5IIw&KZ=oleB0&YWOPY@5RnCXo@&G*e3*J*IQ*J$}F_1%JX0k%AgEh@diYs$y`ALsduoz{tYGg`jeyKcRU2 zYw~;Wd*P_FcA~CY0}TA>_J%v{wQid~dK#Mb-_7Ay`WbJ9ufKa`2fOe_nY!_a7CVud zyKM-F7T=*V_@m>`jYDM9NK7;3MxmZF4IW&_Re^7+CYo&^KN+RA3@;(;#a&D-hj54e z#ORWFZF58lf-h}{{6gt& z!cspV>!cBC2w2HX*Nx8G0H=fE%q7UXlt7m^ml?zm#Kuh#xg0*^e+RT8KhscLA?RJz zYcgTE_%0k`v8w4Q>CWQJuB0g2Grj&9Y>VPZQt1OQrQC#rM`#w7RjMq{yjr$WF~{%@ z04UJSu)o+eXHl4SXm9XGHW%PUN(akr#$z*>c^R`DS(SvZU2DtrzBI&8Y))f#%VY92 z@6p-GO>Jn}5Vk;$_6>Z##P5B4CZJSYAp6gK%hCjxTPWWr&Sp6_N%KSn3*)S&I z`ccw*`kac!fb%52y8Lg|LyFPZ=)oA)g}bb;Vs~`SI}JAmlpTZAdDP3@b>x*K0g4YQ zHILFE{PXc`4Kngo%ypD(cz*a}9@N={Q@Wlpw>%ZzOY1G$|Wncz> zpzPs8yO_})q7Q`*@8o%DGxws&qei*+0^S9NAApC@^9ERD&flkj48hDDe}t6YD@ zVh+W|`C-?q9)`NjS;XTkhor{Jbn`>bEP#9#YMQHcS&2uI>@4In1v6I9yL+3HhPPWv z?1hKgbuFEWHG=NI@|Q_Q=?!JCm(C2s$qn_<&){_U!sN&t9w>u?`P>El^@*^Dj!Wh) zE979zXkA+P_ln{cIOO11#J-dV9n8# zxK>FvgFp#gXX40Udr>quW}@kQ{#JdA^Z^;$e7&5u@}Tm^Ty=_DlWrbbkg#j8l;$B1 z8j~5}kC3nlL51QwWi*?wWp&|P6hPAIWwn+qe`@l!6l1XVL664vy3MW1?wXmJY$S>; zrymMk^KbYzMaFECvR$iWY{PH8Lt>+s*0RH*@kx8|qtLl_m(_Raa8g!nf8D6wEa~Ad z*p}XODdBQ}ox+=JIs4-0>)hunl6bqdG`lVtm#)RPruW3am(){ zl*fUg(;#eeCFu6UKC{K+CtY7CuASWGqM0af+!Aa-enTe7G`mFrHSnJL^cYo7JU+kk z6Xrp`WSgv>@0va1=BN3o4u2#M;Q1_?AEddWqSK~M;3>tQ2|(-XF6yxT^w3_$yy-tN-SO>19e?8P^-#%-6CgEvAkobr zmzOE#`q&oJ2=hw%WL_*S)1^9DF9-E!_a1_wNe%w{Tqqle;4KX?r8rOzj^C$E99Sc^ zRu2R{AWUyO%-9H-D71WF)c>cH695q-k=2XK@&*PkFe`{~ zXqqaQQ|p1kDm6h}v$~?bzVgri@sRknkc!nMBc`x(sdM@w5;FB(!Rno+E&%(~qcsUF z{b^8-kII>$s*4tq#-Ceml)eB%zNT=qe=SC+b(VD)C|Q1OCw15up&H&?SRfRhxs_j? 
zNLkgXn3zn76d)Ute6*65jw*Bv>fh; z-{PcRFP;noi&Xy4KQRnLxJ&tahJq5TfG(VFx6#q%3BYH-5PKll6}x;D@>;IL-vjSV zVjemSlP6%$Mfinzolju7zn23d`sqvKX4l#hfSn4MQz-Q?nRq zFlGv+`v6`YHYR{G>S1l0;NRG)t79>1HD5p!-%~lY^m5H5)R5pi3_;v z*7q~nRc=O8w*u=*0>L{j@SwyTg;7M%nlq_Mq3D<}Y`*TxI4Mrt;uhKKvEDxbEdd7r zKTC8le0YrvUV#X`hg~4?ofOBbx(v=p3<(;x2q0eHL;{v6O)@1K0hSy!lxQQsy%hSS zyCHRDD@`}p2ZI2!QV!&V!F+^Mf~+FwIrWBnx5{ef=HdtO8za+UBgyIKEHkk`e7oyj z}6zXxhtwdnE0%XEF^JS&zWuwJNR(4i3f;Nniu`KpuQ zfA`nIjFZ~`e&DEb;r!NcIP>e8zTmdQTjVoElP5*25fnXu`XdL8!cS?eXiN=sm>u?( z!WacGPUedyCL`0$vwhrAoUqRHkfLg;1E_Elt?kMRx|1T%8Bc{7&Te2u?*qTfE%H~bx3os3xVi~h})tg52%-~^Re?X9eRcP9vVIh&A1IbVt5f_S8 z`!2T5^PCU3#~$nUFz|f4(DT?l7m$?Kx%5Ch3}oV;$Q!mIg_sKwo)4mK{ip$8KJW@!nvN+1eO$~4?&;~saYbm$v`6{anl zM1+f)iwh!lN8C10X9T_t%<2?HhGvbbPn4uak}U$8cM9+uKXZW;bA)joXZLg`DGX#5 z!)CpSh}x4y5>t0VN(*Yo9wmZ4v;Yx%tj|rjyMIVqJ2uj zh$kGUzGeQ!>O`Kj!JsG+g(|6FaoCgof3)|Q{w`No6 zDWqvBtlG6WF8t738ejT61~}MnNnOi-+-|0E05h4vD8~m%bOc zAIm(>Q{9~?p8mKz&POV=+>aN%1@l4qYbEXl4e7$bi_>9H?m0yZW55m>vCe|Q9?s#i zaNbhd&e7d*XFkRvNx9iz!&a88!QBD0PPY%oPq!N+7_P?d;3;uu00}F|;!5SlqLF(M z&RFXUiYRVN8HGiL6;4LJcoKIkiuWoFPnIiAc$m-OuG}6uSKqh4o(_#4yO?QydX-4X zB!Z_TRndslVbpu{(g}0yOG;>ad(B`%2`Xqy{Ea96A^YRiUgVADaT0#bYi7qvx0lwK zc_ZrLb5hYtV=Tm20I38TtN)=kYuEq}Sc+%yP-N3xp z@~(mJ>!3s(eLnX4b5hQQ4<#Mh;|?f zmQ)0%a180ZB}GYGj1=L@hUrFOKI~I62nj?mNZk5mJU;3@i%7*Ffvn{=^YJ&64_`G> zG2X`FkBk8k06)0cD%39|lHD-Yd3x~8C}qdY%Ny)%JIEQS$<5$;^Lp%i-TZy}A2;|S zb5;)G*RtGrM$#rF0mrCYqTJ@8kKBF~0FBtMsn9u&>h7N?w$Wq}BUC(8J=hg<6bJ?m z8uXuuhz`YO69_YZG2(61RySg0Bue_W)a@UOAQxESbd2fn~gq!9u0m5WYg z+5Hv!ho)CynmN|>T(0E%iK0}i2o3*vObqHm?gZIXR3VlM*d z-~*zZL}G>?2<^V0P83sN9aXRf@5M&&zUL;$Qur@Z5gL^^(;8=iF!CTSaO@teN^MY2 z=e2j~`gFPG~zc<@{>sahUUXj1lF@g2a|6TmldljE)f~dgxkt&+yBl{oI!t z0BBhvg`#Cmv9OL^m9{kb_6HUb=nXQ$~~vyqk?hlASr zFM|1%&8^{zG(wUOSvXVam~&pAMPl|z_%V(`TC;s@2R*a6jJ01d+&rh*prfNJgNv<| zshP|FIhd2?;LZU((uY}JgOen_Pb91jn}43JZYM7W#kQe)Ot(Lu+*ATHu(9l=ed7>dBVu|?x_aY+SnBoxh=BGejWeerLTH% zI&iBRxM^zgap^eNxsmHSxH&ul9c3ZF%ZdKj?r{IUQ4VHIk;~e9II11v^;Xq@99vSo 
zsy*xF{m@CA6C8q;fW{??1&s|#$4OQ!HK|ODXMRWgWKE#hCZ^$ecALx=rDqzl>(x0r z{IY&1%-RL4WG^#P-hu41F|1Yo#EddSYbFzB-+_gOz@iOrNJ#HVl5bd|>;aZs1GqVQ zC)IIRW9+pJl!%*~yplWse|!dcyQIQbGX(H~gH`#q(a^@OmuYJ?w;@-w|6k~ z5k88-&aWCYvQ1ml{xlVNZtEx*Rr*E4!z)rcLZJcFnI7OZB=>3liZ+lZdli9j^A#o0{ocnOAk|3zwA# zV6g7CkHcHN5Z~y!vyRA!Fp39|hW8D|Z*^6Ge^1Fooul2R-=6PjUq$LL4#%r#d!Mg> z6>$L6ihy+bdjCnPcRS1T|uW$=Dx@7X=UtsRbN}hVcSy+a}$?g(2QsS=w|4DO^fy60PUzA_n9{p#jFo zGRkq<8UK}S)2r52E^_7orK%niMn8w=*9OnaX``ntS@Z99Rq!_MR(|+s2dgvhy&f$R zR%v_Y>Z$2TtZ0-gaZGfUMQ94N6_8B_KYyzv@}BI!L_SQuJAT~R0n#z6^ck1qFFvbQ zG-_I|)(HpNMncu{`y4@G%I=hbKmgV+Xi&w>#1J!(O-Go732@zq$%&S1mp z-`NcMD8&+zZ2hA4D3{uOxti59ezq#1_6z#zt7R243*j0vKN#`%ONj#M{s1qn2MLO# zIH8?SRqEP19MSG{xPh)Egl^Zh?(u%vEBUBQk&&cWzj|IObkVAVlHkkzDLF=%+!8Tw z1PzD^Hp@mL@7;<^M(W-j-=?dI@M;X63Hmi!^o&6uS8-NC39#V+Xi1ZO^RNx;LMBfleBCNU;RASbzPZU4@Q0Gp6 zuq^G~7C*sBA@_rvQ;$LYmB)cDEc4;DqR+~$2TCStL+AxoCdmp>q6Eq4h@%b6Y^gsD zb)2P6vaF{~S6b5TjHTu|EjA57m(OG3X3*bRJ}b&QFGHok_KTkGUVv`i+-A_R(!i=e ztsC==_~Y)J&ea5h+hYy(N0jTenphlN_XdI7sTp093o473m`TbWAGCFQPVeA8uScVA z7QfRzzr-z}DP5|3Ph7#tTG+);xd)Pc74a*V#f)&uk)?1AlA)52Kr`ep(NRHsIK^-F zkW|v(>XqWmmB1?}2>@9pVr;^yI1e6Cy8}`l&lwk#=+ti8EpR9Alv76Y0>}8>=ec#l z9L-a1Z}i*(A^#kovA+va-Wlk_Wqikc1?7y|Ohcgz$cxw_=qS;?CXOhR=`@81gH@gS zGLHIsmuVmc%Ein9GARoFa>y?F+mK439OVy{k`f%>wWHK!8vuN4CEdurH)I%7LdAdv zhB;XTi=~}Ga6^}>N!z5i9X%Z3vv}{6jN&+VgCM=5-Az87+20@p-zQp9i&r8%d zf;ElRkdQ?Q6=i%6e}6R~*9pQPQ=YOI|s%CC` zMO4v5IZqF;$H$=t*5ni;F90*5j4{G3A|?$Fq`E9C1>lw@!*moBKP>VG!e22S@2}C4 zVb#p7Jz#Q37y4Efc6q2`SW z5h8$*16F1gdD7EeFgcUg5R)}Cdowdxm#c$cN4wt4c%?ftUOgDva9+dLJ+I!2=GQ*s zp4^`d^wSX`&dv0b^Y`?Q-VM9TIE%=_azpEIg29=cij`z3p-jqUZC%SzD-gjfbRFMQ zIYF@s8+0S+JUAbhI0rY2Gb<7XU)2bp;qFPI078zIgvdoijsEd-KX>Q|8R`wa7A(l7 zqxZUk1~7^Dsv^%t1MLAWEzoB{n=kAJz^FA;sbe7_1wb@GZ766`dGE}?)qUnVp|38& z9p%L08vbTyI#_V0ovGH0_>wu2gnw9?u0C@hT&F>h35x=1wG+lp3!8hsEo-8He5vy5 z05RXWh>B@C5aq4?`ukanuL-M>gRiG`3_nLXIqvj3d80czzd66u{y4pzcRh$a77l<$ zGsZP>P36u0g%7Jki!d^CP9s_&O(}wRZjczU2rT3RQg|{1^i%~<86fV=q|h(&a2bTO 
z9z5NPH-8HjS~q-P8AQun8Fl`QjCS8g00#d}H@6>Vo@dSz|0CRw2cqozjNFb)IK#)g z$IiLq-S{WRe)qY7S<;W)OHOzf$9uTv8tg;dXC`cE5oxqo2(cI|jGG|RaF3v@I4LIjzsC8b5mY!HyO+))lv%%cS&AM2g*Y(@=P?h8ewjnED}QM%Ltc0LDN6 z8%&SGzrKkGUAF)a2Lebukev`I zWvTw;YNklW=^WUHb|y0_@2a5;KDOa#249%5{9@p4G6az1F~NcW$?_C-&b1AZCsX>d z4Ux9SWMwhjZPSI z#j5-oy1;a0B)ix;{ZhTc7irqcSt`dY;)tVa1F(nxq+;?8Ky zZD@hzy9OHn%CNTygXXlarVxe2r*HwY;Dl@Q+uxs6pXIzSSC95GUx+g_fS7VX*c3>V zAyhmzJc!B{%!Zn=i?Bf$?f%d=PG8|Y29x3L(eM@4-|A3U_{SWkff&$BRRqh zH+)GV(*|1Y4myei2Lg|=z8DCfbZ2F>l?_9!%0NYkOJ#XW_Rua#S5eCh3kJSEc$$~_ z4;iTiI-`>`)_V603#=>_B&SxxK{F_M+1y(B;$ka?ICojuZO^6@RGOSchQXLsu*iLe z6Um(#v2S2vfTQREfKaG_??G-LCa%H!LvW>RJ)Y^(x8-=^F262n!b;{3dQfWRMw0D8 z1GagumBo#25)^oQDdD0r%@8Vmypkq~tgIpFNtndAZ_>_F_&UPcEht=bOCA9>z6E5( z`lkJ75}aWh;PXMUm7|10-Tu(1jyJdXTgZ)91V-mu@2y!4kc9~Vc7S?_+X*wBINgDb z+=qe$DrQ2bgtDdV>Bq9la}3Tvj$C(tm{cBU6q!*aC~sl+g5uM-)@810vjau}gS8Xt z3kp$^RwX~Y+Spr?yqx_ZqfB#Uw*f^Rkz?+#_>*4D7vD)-iS%NS}+p(9m6RZ^o0XY4=N$r zEBl5uPy2?}_++%FIJW~BKAK%kd~jGX&5)~X=U1edeOT%3$7{ED%l+kGh(jwA53qgd zC&e3RjIb^cEqTEeuCi6RP;aoRg4&;Yn38QQw{IZ@aD|w!w=7K`uuKP$&xzQl+R1Fw zGTC7agQ%W>{vV5LkygmlN{60(a&m!VF#oND)uQJ6GOgvpjC&@Qmj?qhHFq1n#!W@1 zu*hCfYt_+pC1)xN$VKD3${9@4#lY_w$E-WAg zV0doX0WL>JWRscsC)1ivgSffq9D}tvq&n7OsRli_n~G_i`2J#Pf7!m*mC>v52!d83 zU!nt80H3!HwYqW<4nqe{;l=g;IRO6SKoXX7a5dR=0J-$Re*rh*n0tQwx|89 zEVx8NouSIdBFjHxCi$!3(Cr_+CVG+rU`N3tt@GZhWs#&t!NuV4bpM%HxkqRMDUcW& zGGZ+rQQDVW1j3w)FFu8q!?v)6;qS^Kvxc=q)rx>Mg|Tq5xi!(l5*JgBkMV4FdMe&& zPP$KL4P<#5F28X?lCh~Fmaq~Mc*H2TYzVXXrRQx$)-TTXjqDa0#NzMdc2J$cYQ0P4uoXs-s^y!d~gD7%j_6fgYU8y{szg-7d zKJnlIDG5@HLAQ!%N_hDJ$dQgHP(n@7&nrH0d?t6Kt_|vi5RobUNoX`!uQ`YF1tBiH z+@nSRHvyZw6}~rKS*o4f%PAf($D&cqJP%)68@ z+YnteT5a_xi;O0?Lfoi>RLwS2AcNKHYxoXK^LCh2i-!r|5!w24FoOgj7x}W|@0w|4 z?$17w{oa$qWIL!j&v$Wr}b%C=^7dZYBr0brtxm`=fH?KCs1}G9QY@ zMKCNBf)*LBHH^Ff!-7V}Doz`DFa}xDpBA^SeDp3H1!l3_qecjj-t#VM zwvt3Pn)m>u=}9JtK%b7g=F0wG#FWLOskfF=(@Wx`Wv;Bh?1z|p7UC&y=8RDn%Y*km zVeh4vl6wmL=(_#ah|H$%qPvdyW|l)Bvynfn+}lw%!SjL?`^(QwH+J!%6GNSc%DTWR 
zQ~_zA1EZ;MNxXsyK_nmqi8Nh3>>U@i1aWA%%YV}C)L36q$BeKxWc9OBATaJd&%Njb zlF-bm%p*ug)+_7zqvG}R2TZY;MY6N^iYiDnfmBy14C@sXZLk$-nOl%pIx)gz{Erc2 z5aA^zlN;2(dYgEWc)qm@z1GXSn_o0pQo+1Fw0)p@A#DwA^9g`NB4p%(Q~HqkugN$x zFt*g-ibB6-MZ>Torp%4G;TBwUR-h9LqdmmPbYI&aEDq4a|Ib+^Wq;nsz^Bi1znN9S zM#}N#mCLoG^A<)SPKb|H9|yi>Pt1gTFtx{NxJIFhA3-C>rLoac%i8J@<3frn+}FyL z%|Jq0Z1#`OJK_EpK z--N<`Sg&q$k}tALIr~W6*ybprp5<-Jzy4Va@4cFl^M>M|6>&7g58_y8#~^TI;1t;R zM>=!N@t+B9B>>aDjoqB-Ug=n*7OT`EtbYuj0U)SDuwD;<)%c0MF7*@!q8NddqNl5% z8IhqDmw$1j8rK;3Dm z7t>T!10+Poy2>MslrQ#h5aDh*mKf8aWV|TJgz=dOO4OKqfrFhto&$4{dX2g`^vRH_ z(w!`pet0>nJL+<}74gNmjX8&_PoMq2;#R$eaZl~KnqVtZ&vwI&#EbTYiA<&TQ9G!o zJKj!^i;WA7f1GujrQ7sl?lqvhfa30IYK%sA;YZQ$f=6l1s`|i>?Ppl^-cD~hKY-L+ z6%C>Erz1Q{7QTHRWiMR(BERn@!HQHlECZHoukN-1ayju7Oi}Uw*n9{M1D?CXLm@K` zbyW+-=Yy$O`eK-5>B0)7(qlq`3_5V-GdQG2tKp-@v9EQG&^=YXy%sHC^<^y^o(DDZ z>F4U|>5DkFYw;D+;+8?Z-Mc4a#21G$cPdk-I~W2eLFHzKRlyM#4#JdnIWh^T?28~`RJ?K{l`x`yTwS?&3% zp;c+`aK1K82~KGf0lgX1rg(0VB`w7qDt#7MvWESU+5j`)K})+g5W^)+q0k_A`;jPM z#v$_R@;$?(w@?}_*C^8CF4<|I)!?sSjbc6?E^=!bpOU;hwX_AP%Tvf`t94$yX!`~5 z*WbjvU4I*MbAaVMPOJ5g&0ns{)8y90!Dia}+9`q38gRy|l1)`#X z6`*OS6UN`$7l`!^U_(fLM3!d0g}ix|aV~t&s{^#zk7&5q%YhiRhT=9FgurxD5Ge^~ z8uuCZgy7apLu}JqJTUywob zlVpT6x5&hB+d8;N0TGFy${d9&g}@mZwgTR?iEKfl{~-FkT`GG6waLZ!CCU`F4|&r)aCxU zrq}}N%3q84ZzSLi3Ko|L9Sn{i*AOTd6naC?VWcB}J53^t65%)3Ok^%R(BI6zPXHid zdwWWM58%A~3`P+T$>%?yR+eO`FB8tHoDF7-1uNr>ZiUzL8+oQ^?oZTMXmn;#5^f;g zx+cF6-qEw}k(u_Wc&BIEEjj62@=eRURet>coS*TT4y%)oH{-AmAb|S^&+DOqFg2-H zw_2k6WQ(B@CFg$4t`1+Sm#+$R^f+ zwYnuqeM)?`S{PedNJ99RvO$X=6$H7AdZvqg;DQ4na3RHHgf=Xs%)y}7=h#hNVb||< zm~g?KxDi;C+Gt$>Nr`+Y5j6%ak_rY6S`h>;nz$NO0IK1kRsY%q07(b}3SY4x37!N; zIBXO#81Dcj!Y;?rg1kSiO9EH=zZxO8YuI~umC%RG3HrL9z$fDmFjm(txEF--a~BN| zxF--Rx@`Na$1Uw-)C^@^n?K^A5UTWnq%)d|xMH7gsBkPau@V*wGK=_d%e&<)pGLcX zvp0u^6@?1xDZ2uoY-(nU!JAN1gRy@E^Mw1b+fgvgJ9$t-g{Jn2#<++&6 zL~Dm&N!FJ#ra)sO*28j^f+9evs8skuOHTdECK^y#h~A zg6^)nlwmQ)ySVn!OsG)9q8$YL@HR4{cqv>f-bO|7( z(G&dfouhFe*c@uo_v2V9g`_?u{APVEiIRNuu>XMB{h^V&xp`rLr1JtBnjx<%QUGqGIX*Z!Tq 
z)PLWwLUe`vzF}~Rp-Iu#f2#WokiQH4vN!H-O3F%;aNzp^5!Zp%u6nqGol3qNcxT3$ zR?-IyrZc|DL9cXhmo4PtkTq*`Gu}MgmD`!KabCvvw4xm9+%@uX{?Q>8etq{J9_W`N zi;~Nm%>2AYQFZZCLO4_jiVncv@mx9?ot}r#=F3346$G}9P|W+`#FqQ{n%`MZrPcpt z1-P9Qi)EG0h;dR$;}s|)LV?oc*N!D$ERz6O^o$i4Di1PuG1v63$uKJ4!aG5ZnK7rmg+%<@6G!a=l;C?#Iw?}m47SGn9af=Li`iNijN_9JoWV`C@W$mqK1`TRPu7ba2&$R;B8;H5fx1jR+F5y zWRn=zvhfkum!mSui(a!NQiOslqsmbz=yG~JqRCKB|DIg`nNriq+>0loH55Uf=x#KW zC6j7Tq@uO;M5dO7u$8Sz<9%Uhv!Vb7;93!tjM~-2pwR%mlK_%LsPPAMBFn8IP1DUmhyFGWAjvub>sRy{g z2$^_PhFfJ{b2nz$a`iyji4qp*w$VwmE(;M2dts?84< z_35Mm=!sFLqcaynO(TQmz)b_A{^W#7>P|UxBk{7(bfEN~P63=lW?1hkB|KtLGpioQ zC17)Pw@8Yr{xq4A=Ik&id8x2;BnowAC~nUU%{fV;i6YyRTQbmeIH5S=7RkoZRY zZ^s|O&z;@mEW0NCh-)&sMsIPw#n|EVH2nWy(%o2UjETDD?gD7_XX}nVFLAu`9aBcb zp>~g+7l1*&DEi~NH-nRPgS!RbJWHn^{U0c2D^Mw?C0KPP_0y#0EjHBbH<`%*!2JnB z!}k8%^2zveS^wIb49q+{l?P1u=*m!(6FtPD>&K^Wf45!68=eRTBSM8FlCBV`7P8ua z;8He7zgw7XbRuVLHi%Xqr}WRw^tF^)n^X#KwnOk9HL;Ad=t&!L1|Wg3EhwITkV-TW zMu`i-R4l045%nLb&SM^K!7cV0Nt;+$Rt6UpdiD)jg%8_cjI5A< zxRW}S35A8V~ zwg#dUhUor(LkKxa`zWbiV)T#TGep+UkL{>QyYyNA@7fK_pPYtv#s5$;0dJ&(p#uhV zCC|$LhttTdWS2+^kDSWdTTyc-VKII@QZ(e4a%+rb5+y=#H{Uu$5grMO^6raq`#lBu-aZtxN4Y&j*1@!y42gKGG% zyPM*AY`0_M0-nk$>8Kc*Eaj1~5mi>*<$%!2CXT}vh_r-U&bEGI1=%yF^hX23Sk?}b zj^+Pq&Bw7%G7TwYzMyu43T*H~y0OsvZ~sCmTJ67eUn%*Rz!HBJZNMZ3#KUFVPS5)A z^RI^bV+dDVmx$iCb~bGXbFfU)qsQwL?_La>&;63R(Sq8rPzN;oKqLOA{v4uYD5l~j zx6~(Qk#TJi`#r-3AgG)C0RQhAKxYf@eZl^>;l|wPMJELY*as5Iyi4V(TiqHR{kWB3S4g@>@iiJ5U3PYl zb3T%!f*hU(1h$5&8+O(kQ+V3Om~b@cvLf&v3{oH%%Ohi)lVNz$esPijb9g32IMWSM4k60JMZ2W}McR{em|W~NT@dMs3^10UF$D+ujI z8;J>ADwkq7ZB{ugD#0Qf%g7=!96SvfUAlhlpym)u=y?iIf=YcF!uNEdI7nxXJ&kwOY91vumvqHtbZ5RWkB0RdBL)=#&{ql^``%MZ|w^0F!n zFi6*&+*)cANZ0M$+DdUqS0{zl&oKJ)^N-!RXYY;+(Zhh+-9`A`0-UD?MOwc6F3@cG zi}1d`I%?Y3%c&CfJ{))us%13XonK38Yb}+4%EXB?uRr%VZua!EKa)2Y9T??-*a>f)dbC!8FnSt?Jx#edd&EACfN82DJVAE2@|E(!D~ z9aFIFYd}IB`CUfFEC$o+Op?i-rvBd#b?O^3kP_EO`owq>e&>oeGT{%7+~uW>p`U+UR%ahyU1qko!@*Og7J$6QXl~hFzI_ya258 z6ZS>NPk;-8_WpmkprT0qzh#GYH&8;mv*WH#aJG6`+osjw?ga 
zrw9**ulk5rC;MN)4!*RC@DxqP9CJp)>K< zJ4fHDe?G;J#8M9%#$Rvq;UB=KXnEa`;M`DUZ&&MTojqHcc_2*=h*2OEiaY;l7Ne!5 z_bLG|w+>IgK=QyFjW|Fa3Su8~8|x%L6_U5Lte<~np5tJ?MeII#>_1QM8k3N8F_LCE znH%5Twm_3+Jz-#2$hS?t!GM57QIZ&S|KnHO3!nf_T|zxe*%$8xWX+Y$2iCOqglG6r zeo?!hYW5vB@u_fcl37&;Eon>H=04?v%M(I)Wuy{DVCY~Xab5&3K|t5e%7$I_-p|^J za+>|h7QhvHx2V0WBvaoFaH5g!HPIiW2d_|GtM07PcBifU|k5oor zK?BtP7T{FN=r!_i5%{!}J!hnoj+sz_G8%)$$15Uz(t;ox=|`YKA&YA8vtUW<;BEU| zA5Wh40^T3q^C%oKeKG)7vudqHQanz$%Gvc;LlKVC`d9%GDg=(ZB&3mA$(|YW@^NE! z*JtCOR%N$8X#Z}hKP{kwl6>90YIyJ_@~Imj1kx?B+5W|?AoVi8U)s}W4eLFvj3$}0r7t+OyU>7h7r}$rj2J8%E1>*G8Pa7 zATh=0pV(!rcA2@j%z8f_zt{D4otgXT=^y#@BtV>5eroY^tSY;+OkVtDvw8T5_NWd8 z(9mb<4k&JEmyGQO-;}oKZX#5Z*J-=xGQ?`lYE)Gk!s^>%uS^I<8oJT<|M=^jB3eIP)X61&B6J;d05ZccP;{^W+$UUbdbF1dmX8qRwKQ5RpoJ!+T`Boeuut2~ zhO*Ba*SCc_?i#{%KHc3Y;%d}ti<8D}Y1Yb6L#)nr==AI5 zRb>}jiWuW`T7<^oj|b#+;~aisJ2@Op1KY|j>}a2}Se|y45D_t{O{e+E@xmCK@{^Nr zT9=AEb1bttk+o8+c{B-17rw*}qtv#f4nZmaO6G!P06H6&a?O=FlFdvz-G=6P^oq2vm{l8G3x}pfZHk3aRRur zgjc&p)|Oxu#iQ2tWXaa5EF$;wyg3w5;f&hIKa6fYguRK!;@T*Wup8mq1epYaet z!E1Oj1l>e`znod9x+NZa3;9?td>03>z`xzL%EzD@FTDZr8%e#j;`{wHpLt3PZuNzW?Tbq`n`c6~`=vpW+w~e&{zIZg2mYf`=z+ zHquqa&7J*d9zJ)VjM6;$S2G^s5Uol8Y=$H(tJQav-dwyw%eu6W68%zCcUa^qImwX= zZiGt`V;G@v(a7Y3YynMA=fg;@Ni$l4TmW|~!Nfve zQ0qdt#InI)VpMVoa+2|8R8GQ>@`>Y=eTwSvla-q>hG{r%5}sqkMGmIQja}Vt63)}_`qXH_z(e z9vE+qryy{soP;P0YFp>HU-3MQUbr6IKe>^y8XtORYb1Ux?H$eWNS~xsa9@rgR(oUp z+TdTx?}&DE`p4VH>Pf}(9>t;xZc*vMXF{Uy{Cpv^ze#;u=rBrTAM+gGKtO`%|L>DI zA%Xw~Xq*eIoP)Z3Dn`Ou$vR+0&DarsJ$eT$iIX>%*j1%;)p7V1dlw-c#P4(6owz_T zk|IMDk%H684-g_yJra6(chi+%fxVt`qgJ{mo%|HZ{a{RgYgT?oUW9U!w7WIb?rxK0 z<5KMlWr}Ljff!#He^V8=;F16v{y&7hbzD@@(+AA5beGbwz*0(=G%Fx1AxJBo(p{2w z6(tpxr9?^uL>eWfkp=~&yBiUuoA;u>=Xrn6Kkw@YxqHu@nN0kroMTcYRZhb!Rn@OL+ng+5_HdI`m>yKe-Lr6$wII6W9 z%GOWyg@@P-pi)qnS28P1pNTqwM!eWDwjaKM$NuKQyh`}WxRF0S!&3r1n!t}+inQis zqG92c2D96B4Z)ZDM}k=j7kfBGF^;QQ?B1jI-51GhvUfW4%{t!J#V^72SKgf9*y30* zi86HXj7)E^HGN|iuVwT<{q-!SspzW($GX=3#PTU}o<9ecE1$jRC*)MJ1d)J5iFP(^s)X!Sq&mL=xFt*0VNZ}P$ljzG0aC(G9Kizqu 
z_^!o|qHUn8CSc6v_S(W7^CWp?@3|BwDP6g~3V4+~U(68W^B7unNzd~3%$8d#riF#j z8_%eDQYbU;(`9SX;V86NPRi;4LDfln?hP>ki32=i&mSIRkH^9gNvb5Z`jRbd*c!_d z5|s-{1C?(Eb??;_H3nbo4hUK_pPw;LcbIlw@pPHpDY+|CdYgXtIk72nIL^(&YySDm zXJ~6hStCgnvPwTEq?@zq%=CR3U*Aj#-=tIpuWY$)`x_e=1XYy&#=TP~uD*5&^D;4! zp)I4ah5*(P)!Q7HFT=>p&j!v`hh}4D`;%QjDf#8!%ecRSpmzj{g>^{$7rqeva%`aJ z`FQy3R^nCM!XTST(qo)PvBXK(9S?wp@2V^TqMyk*E)?+*kLC&zpe~p4_oYoAA3NW6-BdZ^GrH zy*9I_y$RJ8Vd~SGp7~wNZ2pL2v0wW$v;wE4g9An`+WQj~44Jy)+~dC6Q(K&t%iX-7 z6Et2Sx8a}tcxhdxHn=_|_v4*8rMJFZ!H4O!qti|9zn8Gi^jh6h5WRiEzv#t3)Wrrw z$(3@T@6yDpNJNB&BUYo;PY+ue^nzX#3??r>%DAYRR4l5F_Qqv6Gjwm&F06ryi97Y(949<2mG=;1%E-qw_066P-_^$1HU-c)=PeET`&-hIB!`(qMc11fgP zSh2_f-FY^$bL^IPEpf!kx)=^rdX6j*je)D@7;Gf4k~1~+eXrn7#aEb5=S4=f(b#UU z73c)KjOKaqPL1L5-Ho&HF8{T!AL7Z-Gv0A2Wfqs0+gmAs`Mi&C*oE>`Y1%|_#=Gvt zx0=NImbz@8dZ`kPJf9cxz;pQq8%V~CWv~;vCLv3El^n;aT)6Jv28a*sPnaA8^A(_v zl5KU;;iB)=IF2TqelwaWyv#UHi0%ucBy_<;YuHd3zfRa{j47SDEXlY^xa)a?Q1mIM zXDPUu$R`Mz-U4RarX=VZSCn}!>GCM{A0G`b?!Pm$zlUlX zJ(LW=gygo5drpsgrt#kywLkg&dyR=%H}vAM!Oc!gjhVSoKF4`46McjF7GGJZwkoTD zO}mN;H|CZ`blqZp4&&^r+4PI^p{>>2+n@H9-P1N4>(b-kshw}?kL6&w_ z1BM){S1GFBuP}fAFnSaLcVl?%8gkIJ;$+M7u>LvY6CXTL?fiR>_0qu?+6* zm?lV25#iMY#!Rcz`wEROCnbhf-x=JW;}$BM$U~>dU~8j zlXr=3TNi7o!lqxHGxY@pbH1!>PA%Pezjq{4z9BpLlx2&olQE{B(sM0ng}iK zon^%W&vbvqIENpr`8flgF1UU)dNfKeKF~j)Q65(M2;6&U``Ocha?P;1vtMn}EAN|o z>LHyU%ewKZqly24CWxh%P~;&!GI|46z_emdt|}a56CSA)tUS}A_|;!?`SfcHcj@-) z_D1HLSe?aXPB)jVn%df{D9pUg^I2tb3h(k1IG0T^zoXSNPdk~v%{J!Ha-dLX-PkL` z`MBMi9?+ZAnZm7@rA>R%{wZ=QCX#uGi6Tw+@awmzhq%6e93~d6H{hCuKIU!IPe#0N zX1tD0dsYkCG>+Izt}A*dfo;_*7qT-i+p^$`#Ee* zVfLSeX1OxvOR`7tMDUStE5W=P9d%+v447HIRu|G4Obf>k`b%ZKw z66g%I?VtDurdn_u{QjC?%@tA2@Y5IgIqIHTEwlXN&SB^mp=!uQ#)4C#T2QIhi-4ro zRbGt|r$1!oxcWt}T+sNj?vHm6;_1d@OZ6$AO-^KgKYd2!OE=fpXmz^{UtZHx{8bwP zD{F($^qVo$8E#)oP;8#R9+m zYvk&2WugC;D)d2!4ohmQM$?-T?Q*r$ZMLC5X38s%remHFq`s8$WD@>qePwuMhkhE) zE*Ow*A!vLV%9i+iYE-07_c^Y1p$vc@E$aT#Dx1IVkoqN}z}${jEe#pxKCwqvBQ@#j zX{N#Le)=smJG7#FCxKv8?lB9`yfyWS%VM_2Vyf5|>Zx}NduOg(ld~Rx0On@0R*>63 
z{h*%gkxiao)$kDeKxq`T`>}gE0SRE#AdwT%Hy&6(8(@V%D(dAMf*!LRTZ;m{~`mkagzT zfY<(SPO06~q>TWmjd%HgNWAcld+A1ifUm1Py5Oiguu}K9AYH*U=FoMp!QxgzqLV-Q zNQnwVMMNo^*RNAxrvms_O(odPP!0ioI3ei6IVu#a&2WGvQ66rF_>xRpyeJE`bD&gRPbGkZVcRYW_vHUH{OQtH7y_2f#mMt~HbUc_-aB zRN1>LZ!+yeQ*m!Y`7GboQ4K-6~CL7+X7^b;}=m$a88U?39xhZm+Wl#jdAh)5l-m^0?aiMNERoU7a5u z^fjw`(1xU%>uXh%nyAR!ZQ&()goTZy`h2j;@|$||S$oIx=a4-mrrX;-=;@KzpR$@V zW@jJQ>#K*|eX?zqE7WgS?O3COXzsdQmrcGIQo?|O&6Kf1Aj8ky$QWJ~S{G4Qr1ynM zsfMlaaO1||1aKWgkai8wQ8i%6W{a zZN8JJw8_l?x5h&2?t^gAlDOzFUAHY#w-%RoCV(%lFPOMz= zF*3|tUDHoHhH8hZSm|~qbVJndn{ylF1{^L z9nDcC&EDZukkG)SOwKN{zi}FT$odz?>J4e*3=l>;ivPfvA^;`9t0;1DfdZ%DxKW+9 zUEIGB*|RjX^aG&^wu^vOn&?M@gBD(b?j~X7-QxC@!^1VI`H3O!h(*Y%P>aUI~u?Dow5%kbcD__PnkD`T%4u2TU-T%|9Tg`(dXV<_vY0!q0-z7QAjL)Om1X* zQ^d1j-v^uH&z0Fo*#kD9%rQ(}_&4L0w8laoH#ln?e0E9Y2$7&?ns4G$bs2!yS ziwdRup@ZBchoG>qASi-=2BpIjus4_u$1_ z3Yuq%mUxB)M0e?ha9*@fd?2BFresM#)~e!N&UNqE;;%*fz{j&ir<wd8rgr3Lo)%031}y9eD{;*>imjHDtqfC@L8!cr%RfV`_EA#U;uJO(>39w#@jU$s2TOOd>@UgSWDP`_C10V4v!*=`#Ffm&4U>%c6nLy@()*d53D6ge)sZ#l4@|V zF7FsZBk9PXvh*M-AhYH7zdBobEJ>g+$7}d>gX@1)qC?|(L@x+^kCcQ03Ww!Ody$-T z`R7m6iyf9^(=qkDM|v!)=W=VFy$asRM2nH2*>B(JjyG#c-8kY|*XhoQZ04KRz||b> z@}L|4(KizGs3gm9l_)6r__u7i@uP29hP(L&4T^IrBoR+V6AdoDnXcRPsbuePfI2sL z-8!}-R{gjm6W%5yh6@1ubYyKp>a7Z-jyHmNg_**&9xe1qMM;r=e>xX)xl1azD*EWK;0H{Ik1H&`VFL~R{ zQWD{9528kzmLnI0n7%k!cy-p`THY}{!zh3wrrmlm=VW0V1uO^^@17Ine-U);^q>>a zCj!zta(-)&gEk*O;63+z-}FVWvBQJz=Dh{MF3~4?MuD*lLgzc5e+Ru&Rf%#ZZt* z@jN6ne#=@?6R2=GiY$&>;&9Mqr#80|y=FuH~qP!l1?hyDy zX@4A3Nz-O7L8YL0>yo{sy*%aBlX|27B}!@!Z5BPBK=NK{(7uUWjs{281tmm*N0Hw* z967@qUAh^Y{_>IXUb6FF^Z(DW1FNSXlYN4^ZMJOBjF>S}uD!NASx}O)hZ2-$7=6`N z1Q6d>_UZsxk`{L~%-K_I#`^?3z*5g|wfZsg7Mf}%*^j|;HPTXFQp1h4gu1bzR z&3H0u0r&ouA2eK^!kn00)+Kk(Yt^qw&&nqAn6ihV&D?J_iZ%YFXE9V}uRRXg37RXa zWbv;-bpJ*VU6-^6%3|)9x!DtdT~{!?k*U3@8Tp>>(2L^il0DUWyzlPMvlv^@RQ%mf zDM%1uFBsTCPjzjhjbM=k6~F}Qbg_~J)HgVEmRa)~_;wG7&s94eu)-Vl^$#6V z1T-B*b$;f2?`jJAS+OR#zq8Q{p*z&oF%9mceP0=$(ji~%dOE4NUJp68l({i+>c}5L 
zd&YSofuaNN5Jp4;E*G}iyvO+$r<4a1*W&mL(RnR=W^Z-5SJcvZ0&{MjkDWSW$&YK< z*==BFWf%f*~o{qmygk3!YNFM`e+M&rtuvAcw$4|Jj3lBJFE)*olCAJxwW?5 zV7hYqIK`Sv>Ufx%7U2NwOo9v;}`^1ECOfwem{i4yWMu5SH6ovy2!}95>SZW#FvZ6$HsA z_hO_uB=pjy9&i33zVzVX=A6938W;tDD5OdlT~!Cwem(u$HMAO)<;h|E!ZX#EwB;k2 z4-bo#Nz=S&=lrWJvoS1FZ=YL+KRllbS{zSMsfw9A^=$0B2A4U;{&kArxn@*$S{nL5 zz!?+?`0yDHeKxuZZ*bWd=S91=(`sf_oNpa_G&4-+59Iqa;f$X(5Op}?iF^w zoYn4_3spee3SvETX=a6GheR|VoKrb@e-=33TRWG*S|8lKYzF(QRxYk0HpUbNnxQCx z#+j=)+C~}x_3Pr)@95oe&<|ouI>DnWxnG1rk+-}q2OJLonX6k^Gch^L>VKNk09+JX z;@;JgDWGJ5%5LwSgScZsMfP#y?>duN`e(^s;1?f?cz-k<53Q)Kpui`x+l;7l1s^wa zg(Q5hyTL3fEa2^DFAM&M`8nG8E4n|CV;6!6!K5U>pA)5(+If3`RE~aj7AlS|E*3&U)t9rDK?Z~@R5b>g*iG08gLTvp$rO-6rN&Jg`^bo>_6x7$dsQr~_o~+u1rfcLOrf(I6xaA-x#N{E2cXc#&rC|X6o8yFCye%9!QMeqqI$PjwK3|Q< zx&&6W70$u)HP)u%&3dEe^R}b1-DcqOthwPduK9F{{OY&h)$F+(gX&~@_4$N*bBL?a zuvcSrGKW0dn>&#TZ91seud*OT7T&h?f|CfJT>P49zWU9l`Burn=|XNY zP6_s|(P2;FstahWS_~w3fOBigtO_6nkcH&7&unj4ZY@hjBs>NNSt|Q8y$m0`{LojJ)G73L9wY#cY>Orr^OxWXcFsj_4BmkD@Jo$N>eD z+LD3%!Zjy^Ze#odFFT>S2*M%$*EV_GnQzK7-*$fUGio%1Vm9LrCDmpXpL%Qo-dhr% z_sa7T!Er^Ag=3D0!QD?)gL`nP7ALAHpk(JQsMjG=q`Osp%>lFi!9!A{v9aM}_Pc1C zs-gokpH!x1;NntYF4lpBq^oev88L_vnRu{9d4rYkclz@jf}$7v1is-mBYR>nN2#2M z9Ej4OGzWMvqA(a3LglV}1t?q1_^>y>l(6hlGwM->1ebFlv{c_|KVs9{`3dJM~4c*ir=I*PWFeKSw+plS= zDRdh{@aEujJElTRdxS%B)6ag zoVQsr$!4U0>`{QO4NL`|1t`dl2U=)9=l!df5I=8M24}PDQ+RmOF zQmOh5YuAww5KrkD^Pv1er)NdsS>+E+d|646Z~BSKZah*?a+NS5Ralfr+w=q5)QNmo zGHz*)auM{(jIiD;tcw8Eu^Wj{($cZ3&jS{zht|r;)O_o~*1X$LWK?f$z3 z*9aE)a9WWZNR`+msS#HyEbgK8Yrsj?4=g&Ot7bOox)n2;@#>G3#K<UvFxmn)2y`{tMrJ_7vLIUP7SXum!K zx|0s=WR1|Bc@I(3b3`!MAPS=(YQAaLDncAzLJGM4??C@Qj2yjt^^*AkE&PIJs|Pv_ zY)>Pw_O9ZAqYk6FM&Qzamd0aPw3!4%3OYy!)xA%GWVokDX0_%&cX@FjE;Z0HuI(|o z_YLyj(zhQOhJ-)x!6_DUmBasU*2x?tA!+C0S*pbU)0*az$6RH-PoVf{OZ3}++XxJ1 z+H%_851~}hc>RtiO+kjnj-2epl=J*iiIm{~86wQ3fbucRT^Rdsicrb?vFX&qp}BKM zPpl>Ty&)0J$274t88)--78r8#@C?AGD7(Qio<~-+1#ZR8ze*9m^4&FASiml}b zzNrI07zhz@t6{2aJ^yC_Y1-IP7jM@j3JLrdOC<`|YvzBUZ&a`T`u?E_Ph-UMkGurV 
zdRblnhqXKUE6wwqoa$kglXdT^%a{K>hXcvKmBt-B?Ian}iPcIx2T{O(X>Bi4Rn;kR zbIoyUAboq-&&0Xt+kX#i-@8e{mUGYD=DYra#MR~D+JD0n_+GC_b^6=r>B-$^H$r@0 znbd3^@9BBtHUq~}*J}_Z)``+jn0jh{fLz1w$|(`gL|yPb7rX?{r%O)tv|OuZO4;fE zcV*I{_xbX_bmok3OjDuV7Q{K@zKl1PJoBn1jJR_9ZyYPq19_G)Ng0jUgDn`NND{4? z5s7oM{}o6L#bhq%dmau~y!bUE18aSg?^Cn-(rTsef9(Rm*|L|cYE=2*x3#t-#}2D< zo5=cfa6~@k^52llwH4HlCEwK2#)T^qEd}&(@{u~EbMqe`fkZ2V3Hemu;oG>fr1AElR>;wB>t|54ao&SyfKu>Pm{_RbNhk1z0JAtNi8PZ1t zOeI?fN?W&-=w~g@pMHt85ZAp@AA%7CNSJP@Vi1IW_sW3 z-_@7iouYQNz+^QN=J~|!-eRUzgSod!09R^`adE)SAIYfw^=XShvhSBibZ9a!0_9v? zt=bX~s@?i^l9FcaIr0Bo0b=}1qSSjVOMCn;N7CKDLQ0zNr0Izx>~Y}zXP*z3nyW5N zHK2opWZb~ao7?EB@9WR=ZgI~WlOk{#cY1x$?cQaCvrf~IShZVxNoQT1?u zPs_E)mOrMny0uP^mUvu0{!he1*392hdTgET)YKUp=rgLYy9CT20fxyJX9Xy%aD!gP0HWa8end8Rr^E`0BaOsnSQZ*MH_{(Ajg2+wY;pO6b?Z!uPC`K&o z)ifEY{KKt)3LR)M0x0j_xElS)eO?t>y`qm;Jo0jzn<5gek)@V4nR_~5hX{l%Eb4?Q z!_MGR4hZ1dxvL$b+Ld2hxrBGGtq(7@4qo1&MH?#&q|4svFC(Rxkc+E*a+M-m`GQa>hE zt+8#G@%jD_6qhwg8xb~k6QR15RGD(1G}+IwRd(p~Bq)mz*!q=GC7$%-t$Nkbf6SVYsBJN>5~A-}CS7ms^E+oaLwn=e)1WO}gIM=PUMOrY>r5atlzR!0+``J-w;0w#@{{ zhL%?MSB+Xd+X8Kozv~$8g|J?k+4hFv4NGoW)!Pe}1Entnt|2>v_)eed#!vSo z@8sWqQDhZFN{YPW)l$f}q}3WlA7J@!GU1y6U!QLTFqN@57JeI*72DO!H;i)&ONDH7 z7C;Rt2mQAIx`R^a*7dgc4mVfbS4G3pH^(KMh1{_qaL{JS#b@Zgh9ZWxSkF?&_4 zT^W_~YUjf3)i~7!hfUEWawG}6z@O3xn^BwprN@PH@ze|fncS07vNa=k#VoV#_RO41 zZPQMiCV*a6UNB;}zsmLdpLJA;P0)*f6S+@;e*L5tEkfrS=2_w!9F*Ke^VM_zo*WFqCm+Mhu)hG&DxH#iNSNvdclo?twl=Rv9P^$yp1PvQT(Og|Y? z^T8-RGd|>K?Ikuq;y;7Z0ebZ7cG;uY7g*n=4|SGh%|6w6(=atx*;s9$mI*`1Obs%{A5Oi$ zc8gL==^S*PwCMD<3EFhkCmsEyA^WL&*)9mL2Xa}Wn+YU;ou`xt?Bl%!zsVC@>6AD! 
z_5J(Lek4D5BmtAF!_|p>isfzlKhUV+z@JfG06msIq{CB{lboNvb_6BYQ$$N@1r=8( zks?*|jZ*D5%y9nWmuz?ToO?=!y!hgYt5PIs%&5JRU#{Tzp2CY#O`q&gM!WGdq9xyY z$yK%u$`Bgutc%3ZxbXC;Yz6(3O zzH&09B8o*f8KHxp8PK^V4`Oi4@~A@P=^q-&}J-dZcq6 z(xLl-Do~aa?@f)Z|KJxugASHM%HEpo@XNDS@yKNYwfvTW74P)S_0GQ)6OK|AT9g&0 z>xdveJG(6F0w+b-0YH*{&}P6R`$s~6oUP7^`MirgGxrHXn4#(2dfDJA4MtAXM1h>- zv#owjc~Ff1CpBCWB>SJ#!usJQK4vuEa551cT6xjt;>Src8FHBIQ7zAeFf6J)JRtg{ zaOCPh5?t#0QIi;ECqfM+Xo4K&pQ39xz^n3pAN8 zOOqlMdXL9OgA2Bh)Jpn0mw;Inwe-6BP0-+rw)=|VIZa})Z{7UK>_0#Y_emEb)1Dh& zn3N5n_7O@Ldke@){!`@`dyPEJ#91>5jl3Ld%Bs6q$vu8R`K4e$*X zD5krL;$`q37g}?QK6SP||og5H#2rj-bO!^Cmnl0-G z(OuqgUon^&PtDV4rdMDS<0$>eFv{m6$*)oFo_J7L<{DT;85sk@Xhu-OQ6#%=^*xke z^QcWmJOf%fq37j_X?&v)EQ-&5T+8`Dyd)1&pw|qRXljNGY_Dgu>!E$_5lET*bnX;B z5ehX1-8j6y!Z0;MP+1Of0CpoD((YOVM(=P&9F9&=3-WiWPKaAv2~l?oZsNgv zp8KiUx#FRCZ-_2a&y^i8?6dq8yALD0ah^DcVGP8 zfJ{kv@C!a_QYdB_)b~euKQib$DwktotpbDO$DaR=ahAqXMssTs>$dNJ4rn{n1K z`Gk9(1nl6cugaVIPz+1qf!dhf0$XsgX}7pXsQp~$$QwUObS*ZM%Z2}|GO+X7`KwBh zF09#P=x8}=3%Kl*99QlQVN>B}7!v@QVXeA+(8*~7)`Shgrpv7@2~uu0(&5ua2GAw< zzt}4tA)7c~EZUiE`j`%}sVKvb;`bJr+R<2Bern~mI$$@~q#y<(#Rmq8WEeVErpHCf zjkA2na3TyDZ4-p=#&${Pj8jER8aZ^y)#OFAB=U>xu%I1KjY>agNG{Dg+JU5}qpmeJ z1-m2+oy=0PRx%~NKdXR8#gpKdL!yY=w_52c-`YI9p&C8UQ^nVv`_Lx9)`Kn zbq&4#Bt3942gS+zaC;&Rn+n*d>?)GL>m6Mixm;- zJtd0>sl>6bRYl02Fv{&32KlsD9T~D30PZxmT|0xvY=r7w4A2%ZJ@y5o)jB8bJ$iOQ z@V=sJ&8+q*OF><9FDd&cvM?Q&vSQJ|o2MpQ_4})ZC}kz(jN;dR*R``D$@S-!6kLu3Nm8Bq zf*)TrwdK49iA`MMx=q9S}Lca($GQwpv{_ZC}pTY zM3G?4%wjK&4z6Kf21$O&C#wEs>(2<&iZOcry!^mi9fbAUs`%LjqG1Sk>4Xu5q!Fp= zo*^CR`=W2}X^b$Z@di#fG2+5^E*+L;?s|SR&T1EFSO`gF%71yll#J7!G_NI8XlP%F zbLzYGIs@2_Kq-e!JRI`4v1v&&rg@+io^$Y+NG+Hgw86N_(2G>=YZWUtrbx99#v>)w zAs!flx!4Jia{Ix}RXyZ#_1f6Jl1TvDxa+s30zMp!$lG?;w_ArFs!aP;z=GWAk)De;V0kNsb!S2S7+MVI)hoO!JH?K&eCZy6sxwU>OzN->tXneZBBCN6Cr>+W6@ zIZEF#BApXrMdHG|CK^nNbSv8)NP1N`)fjlz5ty*I^2DMM<5u4_vR!F2|D-zhh#qLd zgV&73J`MMs;;$~|$q=9ab5xF5zzHaEvCnLL*G~7fS7~d{VUFQt>{{W-FfD^o?28pc z?#6KzaYvC4B2vcAgIVbn#igtUs$X_ij$|a-!Lhw9gI$=faze77t}wl}EV&&iXcZN; 
zotk8XO$ohalwK^r5N+Kp*#m2|s{%p@+QQ!*53*M8<38##*s%}VDB!6g8s%QWeAjSb z|Lq|!3?bVc=tlMCI>34tT+@d7(}zs4NOuPurq(bLxn?t3GATuFM}U;|6oRFV@No#H z(CLcmCBYZG9OwDkn#mOhi-&cXt#WxagDQ(hkjnn`z|x0LL;l<~3~BjPasa3m7KU`c zC?Y1f@aRx{1}P9FP%jDBH5gf{>i?kqu*bP-EWT-+@HA`%+z|B*1`;flbsD{`vpn>a zi)LbnQNzMGoHaB025}(lm*B2Oog7rg^FYtwTQNB6La-h_zN=~m9Rq_D=L{WL0Yap} z?anW!@J8LzTKW&+_?Gej$Hh_fGYtbU6&SFjiPQLHz2~_hoIO*lJt%6c%SOZODZFBq z7MKi9>}vGMuNUAqdoJSSsP-C6{YW4(+B4$IawaVijV8BIE^>`Ke6gYu6*uKpSEI>i z?{;rI!dJUQv=>V2SRx@mNsD*42a?f!+jFL^qU{HYO|3?HnEnKySe7-d(%b!VC2Y0! zjF!SAD|aB!K$1ZSzENRppO{c2aBcy`yqJ{wD6cja==-;WVWY;BPF<_CZXN(1AymOo zbIEWsnpq1jIJATo#Z~t6C>V{fE;u9JC8)Wr+iIeYm=QOEh*hEC@C;0oRfbMzC>Y6! zO#K&gN_cN6GV!v3uJU!B}R)NdN~8)ZSM!qCI5r|^#1zwN0!^fkF;vdx7fwEer@ z2*s4!&Ub@k{tSz&OES!hbC&F6e+D@Pj1;O@l@MMx3b^=;>bDL196*)O`Wn?k4IX8L z{$n+#?Wv&zNVun%_i2KCLA9`*0)Wg<1jcrTVy~&)zS;Nl zT3;H~nxWi#+9u9n6_BV{moF(n#oEzUN!MC#nuNt`-pyJE>k2{kP^!U#?eBxnZm4V} zoK_lND|=Ajt0JOWMmtRor4k`zz}OOjU7wu(c5$>u)=|at2F|{ENP|YBmv5jnTc7^~ zs;3SN$yK59eOtyeS_!JkuSIX-!z;PeSngh}mwYdc4$q0B!}O;}JzH{9NR(P}f8wI8&7{JR`qmyN`<9Oj+Ru8l5K`ulg{{ry)EifJCiJU1&F6 z=o8K=)R5lf;)7}y8M2$!E)QW##^nxdCB**ls3cJuyfn6lYgmo&d`X^cOv4_0TjSA7 zRjfT})b>M~MC}YIw5WCWEK~NGyrM-^rIXK=0K^duW!ohvl`heqe7~?RMWQwZ&PQ^~ zcw#o0?-)vKy*iDrwP#a`RCTI+t|Ud?J|mv*>6*FS1g|6<#)jYh79Kb6Gz^^Pu6W_P zOHRhJIi`-%_vrFe^hhML-bCZ^e*Gj5qVT|L$`xFjO>~&|oOHqy6LZUy`|;hrD&8zC zXgn~8=2WgH-RC1!?XpBNID;ZM&(0*ZiILsyYoPq6h?z~L8{$mNF>D(N*Q1M!(0>bX zLNF}11ioO8E0^y9JbZ2zn^wmHxZsM&vz^s)4p2id*zQ(_>c9G`Qm}l=tPRhR?`FU}EU5v29;W@c=qX43dSYal7}`im1V1Eq z#Q&X>aBMOJp~%pG z3QuJZM2avS+}}qp-+QllSBluZ-r<0elnRYUsP0y;7V}|1qZhpGf^EmXdghTSvOdW5 zNC0qo7Y-L-QT}E1HQT*5L&E(7N(|W+*uj4!Bvo^&QTCWXRU>(|Vmh0FAO2Z{_vkyT zBrT~*9|=7gZ^kIaMDip@790F_>W-6|$8T3;R3i}Mr*4gE^>nezH@9AnGD^d;57fLg zo)hvZNm|R49L%uvoG@e%gnW%a^rFBpixH5Akq$zNwW-!WvlMtqGKj&Mi+okFUy6>> zyNcdNF!*>-;Dxi)Op>VXFkoVTl!!z83<{fAY_*4Q;kIaxsS@zD9YyY@c?%B3Y>t2< zM*;Cg{9fV69iK*C=pc-_qw%)?YxVoG_?;3n;915f~x 
ziSv$fkK{xcz)#Kh)wb53j-e~#N?At2_By3=miQ>I=dG|SsR&8`<;Nr3o$y@OxE`-u^omcGOef9WSI=T9`Bo}X#KEwVq2qym02?d6cYufOPl|SsE zZ9kc67`@`)4Wolmdf|nMgkoQH#U>d^VZe;F&S+iGqGnucOw%9HQoUjU+J0CLqkSHKthO;=S>JNY zKgfYNsz?`xX_NKWF~mG1A9R*vcnNwSA|w-I6!}G(j2o#+h$F)IExBdPfR6UFraQ(6 z>8)B9abpU}+pv#G+#f&oe*m9DAkKrDWYN%WiWzU$)x={{73IX2J|tw;0g3KObL~>H zh=S?R90PzhbPCbctW|feTANiNLN>aW%=CSH<@GD$2HJEcHUiwm#b9y;Ms6Q1tzD~@ zW>pB0B!iUr4x3`^9)<`n0~xY(@5-^%J1^HINRf=bsAx!-UeU#&ggU}Hp!wh==uWSa z+)h&UH7vd)ocT|6toSacZ*UF2Z5 z_jYv?VQm?IsM=5TGKg`dw4?%L9{c#V(Rlkqh!et?x3$}D`$@V%A`>U9HFbx03ea%h zyZTUb(iJA}Vx~(1;%2wVaZ#UflR7I*jB8SYF`I+P9ygcA|DcBs)O-xA^Ki+6p|SVq zpkFQuM<;W+&-0ZJS>_FNFs(^&vGyid8hJTNzp_xwx$OXn`u^k0fUiqzvik55gx45I za0Dr|p}I<2FLymhZy2`|0!3?R8eyi^RB@A)-IgvHI`R$!hC!@$iHeIR zfh1}=ZItPseS2PWelC|UAipk+AwU}QegT!(Q=#HI>s@KrgeeRp%&Txrmz;(1OH_w8znT$WL8 zX8TQ4dker4GM}_2<$SOdAD-(-sQN?DJdi*&tdxDE{WRA`lO9dy14_A1UZh&{m_RLv zyd^y6;vo5I@;fWI?G5Ndq99|^9N8B^OmGsl9fsK01X@uIS8&_x5`#qbaG#=XpCOQL z2k|UoaQfKTFoP8hMp%CV>l=8rfsX-fw}T|}VkQiU>RNZ7*FDg-HBv@2ox|VY zWyaV!l?`4JVk4K$t|YlBha#^V;i~!WU!rYnUyEv=x6O#3Rstl?lGshYQDB}>tYJoI zCb>?f7 zkq)w$YpN52IW8kROgQSHJzQ_!G_kRrkB#@XPTLRIU4z^g2WoqM%xJpAVo{9LyNH~- zO1fFfue@YJwSw~)bc0Vvh=l!DtA$5c`rTY=!G=Q($|5MBDIZKt_$ezfSns_+Y{WkH8S-L%GxNAlgTO zGV@F5bJ;%iWy%{{31H+;a{eostV1(9iO5LRgpAfWmcL zWwybEU{k;n>$b9r@1(7~`aw6#2lOVt!3krr5_&U=_8|$+sZNhzkLxzi@^L^|&x1Y5 z^L~>yq-tl@l5bLMmcYn^4b1JWAW^N;(i{Oe3Hqb<49wYVj;tiAeJfu&KAI+@OXMAo zz{(2XmJu%t?g4A!aMv&c%Cnikg6mM9CB8u35v;tRz{;BJv&*{*p3f%Vvu#L`s7_UZ z(FZzP9xSt1mtRY^%=pp7fEl%toYaoZIZ*rby!${6EUZ8)gNAkqP9woh$^mH{zOYUQ z21|M6yW^Wma%cKr4i8okS*$XEA5sjMRZs9WmQn*Cfhxs&j*OThD3wJ&yGv@AW&4ew z4sg@RV=H*Iux`p*Ly;PG^7K#P2oUIPfUuStDZ)u@lg`;%uI-Zv&vDLWHO_*^MSA2< zEuxh3{Wb2t|FFA$GAj-b`QqWzxPMRZgI(h)5) zsw`G|n-a6DgYfF9kZ{XikUG}- zB^GAWZdF;OI~~M`UQnR$aLfvh8gr$BDq{)6%hDcEN)q>z5=tK$3WCg=-% z^U6fb)%Z)BJg%6~uX*yoXkz34VeL)8vFyIa(WjJ3BueHfN@aXzvnErD$WVj|$vjkM z?n;PE5gH5?B4cJ5lPMG-WX_OT<{{%*_oMgyzTf{`=bY=izVlw!n|tkh@4ePuYwfkx 
zz4zMtx%Lz~)5w;6cPND`cctu#$3CSVnPBb*44n0yiwmtiXBhQ1QyWt6=E%OI{&Gdf z;BzT8zwEuiDoMVmtTt%cbo|4&EZO67Iwc8{M4snWbDv7w(-G0_-%BRY@!j#A*URgk zwf`l&nZB)NGRF-TxEp?;BOKLbouWPW=bDH`&JruES4e4z>@EU=vKT{Ho~AwUOLLiRVH`=+PXSxDcMV1UJBl@aM$2UE4bxy{bb0G{HV8zP7Y|NJxxB{ zyuL_-)?Fph^C^r6JfCn0ANbNpKN8E$9yqTQHGJdDXRDm?#*)jgI1f;k*0YQsw6C6v zyjDTQGg<8tK2P@DWh9?01E1Z#+WjY8^|ju=J=bfL<8%6l=@H8r*QfF{4DM6m

>rd*u7MD~|3TtDq2f{s_>kf+#zqWt3 z$}7S0)ChJFD`sty%QUqXSe`#jt(y#0+1}KcH(hI=g4fV0Hn2WxJM&63Ex!|X5w`8% z3wNYbNJ?72<*p%jl`+_DUsDcnBB>)C)|XEuTLmsw?lRS<5_FW6xvWL>zWTXf0I{dz zSkivUF$tM{_FUk&LmZ5M4obh#cjl*J=JYHtXV_CN&C!^kFl=j8=vp%TWHDEE^s0y} zGdopoBvrt~4pzORl1Jr_o=P*{UDR;W@Y?o;cO%%Y*zQ00GlhkzT!yfS>^Ya#Lan&^ zY17#uIKt$z>A}wH_FasRhJHHYFbGTZ>g=?pW(#IvG3LI!&9+ARZ6vbmVMsK! z_|fyL%^6LJusf!4vNhj+ z=GXR$+gCpnd&BYuReC@^2emMgHWu~%#<@a$eVbWYH-o81T|?g%8+mv-7wwJ&*GZ=J zg#F&MVG>5-ulc;o;i8i;z`whHdr*Wh?9&(a#%vbpMwV$BVCC( zsMAs36pqzt;x`;~kQ`r~A^|y|5P_51sYUz|s^__0>U}!s`S0Us5 z2eMQ63sOMobRIl$yytJ1JQ>=m9>^%@5)V4Rrm76lG}iG@m$V4IgTZ2Fl-M3T(NV|d)Zb!FNy-T{WZLrxM<1H9ploNt zRrlVd=eGE#%58g|zk1W^Vkjuj_x@y0)V97UpAfKi4bNa5w??XPE;Ncax6n8|H z8lzo`==RF5M)>wf#x8uD(yPW7rg6zAPU*}_T4jgb6}c0eVvx2^$ushz%z%TgWh%Zy zwKD8}O8Qd?h?QWee{B6m2sWyrePvB%<<7}ZTvLZ}ES2HP#Y@wiUgn{k!$qC%J3;oj zkxRu4cMWk07vXxwW<7mSwxDl#8=YM|KC_OP!W0nm)dnEnIAdpPH|=IDdG2 zFU~m!R)0@?AHDL*oijz~a!ed6>_3k3+E?~D=yGd1g%l-+wv~Hb^b$*hz1z_=Hvg5_ zPc6mso(sw^sV)SYgnRwjp#ZiC3(mo}6ZoN?pJfkIb2TTG5vmZ8kZTnOG>>pm z^N%v*q6@##M4r(UupzLUE(6^^`sxWfB`=d3eGYn_>ekSNQ{<)97+(*Z%jD$Vdr^(5sRs8f%d&1V{;(+^Z4a6l4u$W0Np&EU1_)h6Zn$ee>Y4yh zN=Z0iVQEWMLsJe;vgX4lSTZCXa6Dd6mLT$Q@=)c%8uea4cH6d7ID$GZDyLq_rTiYh zJ(vHc-1^s;7w%d{W+yw8$NWp+7>7;5BPBW5;jj1k10Qui*n&y5KP{u4%!4!rC1FK5 zd7GJMD=VT5GCSP%X(wUI@wWVN*l8CqmYQtqU7JiDe>@L+>v7yy)%{>iCjLA`oXY%A z+5HqRnYkl%BW3;8N!??f@8y3mGC-n1j8mRoFI(`T&zOnu7iTNcOpx}52DsXq>oYFV z>jxt%)akwWv3so31u|7wKMZ`dLPZJjk|yx z*jaD6?~XGD<}d=wt#&|i;0ljY%_FG9Wu2p+zHRgZ&A?gQjgttY?;i5roRy;JSSX8m zDtrYvUQwwPH%{PLKQ>j)Py?wI{31_1vR8_^pqZk+Ovo4D>WzUDO+-lIDYCf0j|Xag zOk0*{_qG`ca|b(Z1}NPGK4tU;=Kd{mV@)-N+04joc*-74A?mcy*aqxy6KX|ddz&EI zCB8$)Eo+?>WdnICon8Fp|8EZ;4#Ty`f&(A&MZ284C0ku0A&=69ajN_|(9jWWM2jd9Kj2^q ze94$QKO^z3|AIKAq2;yb+Q~;X{!QY8q|e~R3|TXF>vVmiKkzZT(SZHVy5OK?w3UY} z3T#YuwDEV|XERk=HM?z(j9HuA-T!J1dnvG9w5vKPf@#H^E!g9Gg1M+CPy1?^Kh+cq z0{Me3u(2?&;_P494(G32nziE0T$2CgVGnF`IkXB~7#M5Jf&4e)I;E1_iQP^ z;T>_XqS|3B=jhsY?@lbexNE}jzk~OMfM+y0x;$q3>w237EKc7KpNy-e?KDdrIB;rL 
z8+rx@IZF%3+iS)4DHfgl`gYrBebUa(Cu9CYTgnX?$ft7`lUoI@JnIHaTy1Q{VUqDS+`EUcvAmj)bGgce`XiI#mUp!CHSz@VkEt%-7(a0 zyKe4Le*Rzd-9E|o1v0|L(RJ7DtoLHA^BDY3&_4aEpqi3XqXTeFwVhrnEQt&H&-2vK zz*f)Sbamhk91nq%GMiqxF9I!9!?)OiwL4bB&b3@4Y$cE?SKfPA+$KP0bZ0!v!Vt~N zJMg|*IL|+CGW{*Eir&ic^l-HDOt@WsQh`(ZD|0=%!BZt@51< z4IZmjb8}{;kfS%9^a|23rw|A3)xRenXqC8sNsGI>+4={jZZlJqUn3)sCQCl;bCAhVwQefM# zLyAJxLF21jRW~6Ht;VK#7@faKr^HG`e2_m&Lm3(^Cg@?l(v2Y-n`TeiwRtjP&Xs(A15VhEPj=RVN2gHw zi`me9i6ry+q*v-8oqckruUT>mXz8cHv9LdLy~yS-E5G3TG=h7m2ZHvq=v6C2st6oZ z%8cTlvehvh7dL6Xw)RAHbJ~4Q{N0#6O3Bo%mCul=XEC?+j>hXxk|H#@vmzAdc=?JM zXRIZgzub-cxs=n7s^jWC@8;j1+?ykJ9g1Xu;3(@nw>KSU%{ZF`@=qeSIJvd-;cRL1 zs6(AV(uJqFs{$vam(DG~R?rKL-~I1YD;@2$(&duv+un?^LhE>GjtrbujAwbbUf4U0 zr|B-EU9l;g9t!tg`Y7^(>OA;g})rrn^&I z^6t5tR*t!Wbd{7cjhiVdeYuP9rSF)PQ;6JEOsWR%Y2e-&7cBG^#G2eRcg($19B;Vb z1ZREgg+gI#H;T0*YEsi6wt2-P2|dj!Y&KuhWIG@Eq%*2vvi8ZCGh1+W%K7j{^Glac zC2qt`$oMZ>3az~BQ(CwReHdsP9X=`EpS#fN_-(=dvD=Q3n1_E_9WS;F5P04p8@Hy? z`R#W0vAi1|T`0ENabxPDX0a+9QGR(ferfRwN8b1Pj6AKgR2gFnY{8mS6W6t1L;v#a z5NWlJ^|5>B#b!l_Es)9mPF1P6q5YKEZUxnlHfQ;ZIF@&dAk~HY-vu~juG{Y=%a^CI zEbv*CEe@&kKJQg|$?mU-p07pRgXE-Mi+jO&7^yq@;9IsPSe)Zn0Gwn+nho zs`358wHu#|ynJhd!g#c)ssES`evsNBc=XCqMVrn*;bfI;8OP_18`;9{*MbqQj+eG3 zJQ@MRb;#;4vMK=Q&b2t#@{pCyj>8sGM}yqZ->AYU%d4JEJALiJMU{x45Gq=lOIB1& zU2ywe7d?7tp8x;h;sY#!B!Y*eeY}JSmU01t5n^m|^R}$C=++-o9`rs0^djrQVr-}07hee@l zQ(5V)e$QWbHnBIvLZ|;;ihxD%1QBs84@pb}%Y(&=i{J@7Bnc6s1kgx%L6$g!#fytb z5OF->SP{Gg0mp+Sh`}Hvc*IE}Bncc^lPn@ZCh|y#iHPH22@?-jDnOSK1Slm#uXr&L zoH!0{d_bE6j3bF)3Gn(nl#mcS51D*M0xu#?Ccq60L=l1*gqS!H92Sq`A>%{{c&s=I z<59A3fCL_Kcpz9@gh8LLx|r z^N^ri30E zE`pN)bXzdg2mXou`<}c76XCuIK#snHnketYNjyX#TMSBp{}Li%VmKZmS%gHSa0}Qb z1~iI^h!H5<1Tm0F6qp3#r-%jau|VI80~`N}36-Dj1uPbL1OgHR4)cghhyY*UUo8HN zIEVx|iHeMj2a$=x_<(4*$pR6-zS0uN9^!b_km1f>F%K|mC6 z?*jK|&mw z;jr)*EeD+e6j&G|+JYcLCZn}rXcFScRx=XHHIUHX=37kEy#Un0BdDPSf$}f#69|(y zgDNJf000rhu}}jr5djClWFQBH|3ZZGpo@SGeM2|{&scP-ppY05q)I|S>~Qx8^g{+3 zNF)&)g-2o%=b;!ye1-^gV#ySMAPyn{7%zc^X#+S3Pzi-WU?|4(ThAy)akL#?0u%+N 
z0#FDL2@4mO00t5na6m&884)?Zg%d715hI;J-x4V(NMyL^ghH-31tt(trKAi6x+37t zZw-<1dD2nqiRG85e+^AY2L?Va^#f#2nlrQ39 z#4VyxeI-(i6FMHWAy^d(TC^cq97cg6Ccta}m`H?MWl+SR$0!U)P_()iP@4jr1*1kf z1J8Ie4h9Cw2SNc5!Qx+d7l3ay1sOCXIvfYy{=C@}De0z>yODBO7x@C8PR zQbz#mh@eam0~9Dmuw@jc;Kjg1p+kW-z%kHa7$R^NeMZ><26*d@7)&UXJ!D|dKmDLs zC@9XOc!(%gEE(lI77xw^txd#%9HB1~*a-yf4h#MU3Mj6JL&*)uu3pp|_T2xM`qalFLrN|LM*$J+QOau=_ zkumD0pwd6`2iA&#{rXowKon?Wit+&Cv8YYm(kd+K86oJPXdA_6lFtBu7yHK@gJlNd zAbbL0pwS}g1`sf6z(tA!1_KJ(P7(*zK>abr5TkoWMIWcqt%PLPCsUuOQ4o zaiAev zK1E`y6vAXM2N1Hryhh_>ad8p_J04X$P(RcNql9fm$zVi)Y7+VqLBnJcs!lL0Xif=} zp*2VV4UxAv01+~b4o^m{EpUhc3kVpu@lX%c6pFTl2b%@%@tvghCwZC&~}R0XyE0Cb9)a{?GGzyO{A-ouzs zbbkT#%kN)cOB`76zEF(kJ8;=01%;U+j@i2g9;Ok)BgFI zMu~&#_|SU*;i5eS%70s+u>D<26Pd#%4kp$%#>W4A4U58sgtF)_Ow(X65%fkocSY>n zN4r0?wP1flK{*w39{a@hdv8On-t$E4nApyo75DxyRmAkEZ8V`(1w5ev@0qjK3ly~@ zBIqe?%=3!&?%aMZ!X#lk_jWuUy=0Fq?^VL~8!{0uL#UvLfL_MO9J*0(I*%!o%1bQb z*v1YhCQ^#?u5Ik-r;RAl+6hIZyk4!HWV(pt%hUi-F7acIu(qJypEq}z`Uc~6yf~$e z4;1BDTkPt}iP-)NMJln?mE^DONz@VNcz5$eC~fRu&b!aM`~E?iXJ^?30-J#S{oSJ>!s zU)$Z?PYxbVx|&b(S_{K5y*(*V>exJzMl(}6CwFbYMry-*zFW{^M(&B@h2<;#?z-Qv z>Y2q47zZ@tc|?mU_HQeckiBEP@8@tvVyY~g(~Cd9L+B2h8FZKl|I#w4E!Zg{x!4mK zxW|Nw-)}P8U7)IC(KBJpvr5#8c6yh$)MMYLNy6m{+xzTtxMU_hAGKLxI2k{dc^N%eEY;usb*7lOIHreE2*BC))Ju>O`j`|CE&D&RwH23^_C%M9Q5E8r_7=lb538o8TV2`4c)3hkGd zwok4cI{$h=Hq(Sehs<(G3+r^ z0=+^Pu5wYg#WxA1iMr`!>q_TMXBJXD+(Rprrl`TE@d{R+YKNaF58XZ7{B*$dmuT50 zMt|4Bt?Z`9rAgBLZG8=oh;$lrYMIT0MFlx8;3&vW&ZzQ(G(kD_TC5p)JjeMlbjVfi z-D_%#&V#PU-h>?Id(>HTn>EVLv%o(nTe!82LYbuDHbogS2 z&&#*o;r%03pTxt-R`EsI&wV>TGQ1!8z?k>IP2I-%Nd3$HK^pSsG;0IW9`^TLO6<08 z73%lwHjF%=dL_Uhj3@M5n?~E&UK=ShWcl&f^oCAbMmf2h{(z8c=YT zd6Y17w>GZLu2T4m)v*v}23F3n-L!*(pSP!74)r(rD3tZhP3xVZMffIW`l&g?n1c>t z7k1_75#xQDf1+>Qh`veUpsuOjaZgDuJE>h+(<{|IzNK@HKKYFG6~h*nNSZadwijc1 zMn=EBa-{AR%2J5IB|4Pd#N11Xd;ingz~g$96ymudke_F2!T;dur;N^;6Mr%ZNfUkt zO?U0KXJ`3bkJpz?__>K;SQb=h5&bnIbp+|+73B;3qj*A&Q*BNd@lVp>0JTWlu4WNE*byOAp-lCKq=sVxsMmwJ^_Pp}iP-#wy9dwU67GGA@3> 
zGI88U*jo}FJ#|*V=iw!{bTxu)n<4$eIQ!$vh-n5xaZ_Q1uG3xHAp4PLzL97*n5~t(=Mb}jcs@rG5nODA%8?3 z>df6jI=l<%N*@xIy>eeBD(;xc`muZMbF0R?e4*62J^LRV?8{ASJYs7VEoZWc+3{-q z`GR14PIgIaTAJ>W$TRzj0*6SLoD> zm{-RxHaxZyuI#0E+tDHVXyPs%zMO1uu=$nWEdeCw`)}bMGp6>a?d#FXxJOD_I`)aL zc3yN&|7h6mF+O3)c1L1yYPQv(vs&D@_*9zPCEHjsbEav0*e9ahcV6*s33+0#*6T@R zx~^o;#?b3c%ze4_0O#RqILE}X?Edp}j?58juVw@OUG*`ZhF3aC1bxUM5XS!&nf#fRPU?X8S*`>)DAz) zaF_i;%=@7~+WP_x4dQGYAFDffitA0htI@lHKw*`H(-Yrf{&K`nP~QI2NK zrP)nfq;=pU+o8;m$cntie0M}j;PnhSfZ*!B zw}O1gp|I%bZiTtf+6PFK$BU8D=?ik+YzYq*rWg&)b;Bwvi(}8XzDw-y-y0-mRIeSx zj|;ht^b-H%%$z$z4oL4>xaN;AF|GC{8glPY=`a37m){AB@3NL)90*~C!Y5WYb7-Y9KV#<{43mV6VtsERT{q3 za%J*Phb+f>Z0XNPgjSZ}R>`sNce+(BK5M^nRUgr9U(aiZKBBajKNNHC#B=fCM84^@ z&*?q%9rmnlRI3thC#Tn2;toB&Yvgq4;x~P_LSI_d4f)#ADQ5F%G1Zg0YuqVWG`0_q ziyvvzva+(evxyuJod}ucgcK!uN24 zOKSXxpvCa-7Yr=3Mo$agA7Eas#B!0Z&8LZ$v-M5)lY zHOhQA@7$e> z_Gj!aH?}X+Sn*w)6BU_U*!|l^_Uo_D6PXoE9u2Kr9+v)`4+leZFkCNID_>}b*>OFW zD=#+{TH>}4`|^a93&&66iM8GJ;xb9jYg^YY@e+oan~#4kM3-NjPAMotEFA6R!c&Ee ztUvc2Ln^MtnwnLAalL2pHDPi+sx8|}w`c9H?pkSsTEy885~;t_R&c4&5!0)y(#m&} z%#RN0Rt+6{_TXkmeDky2RF2PNmoUfce)C!f;QNe7``)GTm<{Q7h85+9sfGWTrS7kA z@u#NBRgG8^66RL(9%`EU_@^jjuakh#VT1i=zdU0=Y}0r-?dw854z`#{TlLi#6<&7R zwr}d#4m?xsZ-!Slwu=l&*^(wPg}HmGn%Cdx=BT@#SYc5 zRN|7?P}_vDlmA@Y&em?Gqg{KEeUo+dPVM>jZ*nWN?i??85`@=omT&t~AE`O`raO?v zZ(dK1(Mh{?RWZMLjV%3sRMbpnvf@cN{=}gx&zqeuBAhR1X@7F~ueI>^5T>mb9@=$} z(34)J9wYatvud!L{;v4wmg2&w{JG98Upk0YV?{lz#4v0V^K(2SFC%C!_G@CgLW{IT zAKhv8k%8&qcCJ44fpEg7>SJb^=Wm>3v2^-okIgQ@mlZn?q*Ix*eeH>L?km3|P!#s& zA>Y~eotcPRqS2L;Qid$NZ9JuzolJ82NqMhD%j+82e*cj1my6=kk$2(tkyh)op*M56 z^TOxh(1-8m?ejXKwJ#?q;EwSsmtm3wUayZxh^N?aIRz=saDKs!x?FDV!7&VKGWZ%@ zzAj%&&8s^2bf&#pfT;*e6wqs5JsO){9G^XpwB0y@sA7G{xKb-sZNFn_bC~oGZcM9Z zHhLs=JnyiJ(wP}ZBK!0%>y^JH=9MoeJnBd>=RMAwX*K>{gk69yGIFSdExq?Eeg9(o zt2N$brs=s)QtXu*{L}RjFW>49T*x`}WGeso+J&5}iPCNlgPnFI)A>Z7c$1*kR&ylT zriL%#fG?8Z^>*z0tbtWAqk&b-Hl$nyDLW%K!Z1U%iJ_~ITk|wzS`*El30U%<=$qzx z{?2^ks7dI=;)@HO23?X9QneLKkFPr(sKy*HEGf;*n>-kENVG_;uWr#PhfZWn`ObX4 
zz}Jv+kMH!+D%BrvI7>zJlpZbp`7~zMwTEUCldi9bY+{t&CIpmyFKY?sDrlQKFUGQb z<6SkAcSNk-+nAx}_ct-SODBysF=waxcWp3SLS~6}+|1dAfi8%bQAEGo!!@lpx46yZ zRiZ4)GcTVu?da50`u0jlVNJxjY`|~5V`dW*K%`$jm%}2whQu#R5SEqlGKyU9T0Fl; z%cjmFgxs*4WG4;mn6>!TuzX_J_hpsg`!=tfyj%-%$;?jwuX~X_q$P>!#NYI`@=nX= z2-t%LA_0O5IJ;8e9R2K0#dq^8k??CGTuyo9BaU2VQqJdA4C^k<*7fC;mpR3 z#9StOVrHM8z^#rc`ENIiAD-VHe&+Dma@(ECtOI;VYeDI_&;t#1f74?rJwzPphHkz>}j_71s{#t!iF7 zyPlAknz|k2_)B=5A{NVMh~9;X%Y~n!r7Q#=o9SIDESy$A32~gW9l!hGQDfy;>?APt`ymWC8SmDZ4azO$Vf6*U2ADf!5nU_ z&(ulMDPO|AFfP6zE6*Xk`^!k5+4Zg{$#eTur&LIApB%6JK^^C&JIFpa`joYEGp#;- z2>q4nL<^VrCcO^buZOEbKC97usle=$dSdX^0*Q08yHe82>|<r$A))@-?%Lsu)wV^{`uY9E~R4!qZx1 z_0w0vGHE!D_WVi?FJbfM^;n@XNb0|v)Yuw|h%Vppz^*AQyUs}c{QdH0lum`NbqrmQ z?*zi%obAi|{m@{2unLv9eP%?!lOEm-zx%b5RJLh7OMN!g?gzAAbPSwqDrq;BOh(?G z?KFABGP^rs^}|*A2>*L~_*aA0m=37rHRYsxk#fVQb<4OP<>+VVo#pdCVDTn2N0Ev@ zbh#~Oxmu;5a3&E_PlO)tJf*c6@j#dDVXMjxU{;(JzLa--(@gL9aQ`Bb^x z8((26H2BZ6>sy?fzA@fmP-slt`GUO=iS8I@Jj`gKeG+4z99%P0BBooMu-H4J`r+M1 z9pd;xJK;88r|z=ng^**MOb!QjeruqT5Dd&&sGb<@Z=0T)7?>^-ChAG4q%SLGUopvf zu_9$=;(u8@Xy>!*(lh%89+152735vSIrh=Bav{cPZNFZRUYk3YpF*%W+A;-S4Qq|d z_gAqV-vp<7D^_BB-Gog|VwZ1ra8I6ndFc_-b)}N=7wZi?woF6T_)?)6>*wo+$8>(1 zPM&g(GdIj?tJM1}LMSXYu%R8FnA1}^m}h0NSf{=#a!iH%nc4dH>B(Ke7Sr{`WUqKn zk9vR0()bllgVww5qlNF&%KN5#iBeMIR?I4y83je(Mfp^mMOuDT3nqUOquR;it9nLo z9}=m>~=gB(%>yqxD>3IfA~Xklh(W1mpY~H0mo}Tol{y;_+G+m zU})HmTpv~UO^vwItb8K2Qn13W{7Zz;Y8Z7tt#7kn_RfzpBFT_>X8879qLcMOcameN zrY}u7JKxdunxerQVwm3v{{A}jua=Xq7*2E}M?2L+TE9!3zAw>nB!qOkp~x;~8IzuP zbNxk*>!b4;Zl_C~KAZ5gr+;BjQ{8YHi1xg1C@Mt${xw!d}cK6S-uSz|?GIAkibyZ2F?%eaVu;rR+l6AA^zB zsR;M7inQyXdy@X4Pf|~K^Szx1PjVeMw#%WCHNeeQXg<)~>ooHzLpIi8l`yvdtMMXy z#H2Op%L!5`-hBP$iv{<^O-z@Tfh$dx*{Zk&Nv!-J_kJ6`K$f*Q^=l7zc03L$ZKz`t zm5JaKPc!#>m})}DtR*rvkGMCOOCO0w8WO<&-9J;eTK&vivaO;}PwznwM~18Nosql~ zdZl3rpJvZ}bZdC@s5{4ZB=KdChTBxXX#lZwzd3!}xZRcN+wnd6$vH{U#?H?pAw=4B ze}ejUYvLG}+zdxV<~sZg?dZ2>d8$ks>iGwa$5weY#F>+?Y~ z#3Zc#N_U_Nx4m+@#m)#(o zGacDwa>R6~kYmAieq8)Ra(-dDK-anr(jsRj=UF;kA}o8<3F&WpSVX>)C6wo|ztcP< 
zzSaInm&fOPkvPx$ZA0T<-Q-|4EiA|O1$iPlYTnX119S#5drxKOmMEvc^;6a+xn5Dn zWjv@BsukxPAEps>(JlQlnCEYuHaq1o!iMX|d z9FWG^-`|Z>e$$)%VFGu(dURRm3o@U~TOf zv5J+>!{wcRwCHzpFZe6ViN@+;cM@(fVQ*2LP4|>>xS* zQLvCcvcHAdC-zFBNK9+)?2qLyBHX<7Gg{cEiB)%bCOQLh=3Prk=|k?!@M*qt+j0P` zi20S~Fh5$8|0#32_tJEBYpz(wRo#!%)sH3*2ZX7IDbds_o@(}6CoMl-)%K|6W-Ky! z>lAcx`D1IF1B2p0JH5;LyMOQp@Ce+^kh#1xYUuM_n}8+0Z@zo{T$7{DLf49$_Fnpc zxWs;*_=C-PFFJqASxGyuntFWAMG)!@{*evt^6f@Tw8kBNomY#9f~; zjP<(&n3f~tnFg=fid*JBw9QvKcAA`NU_CWs`cAj_yu6}za#761H-3WoAICQs+|HFQ zOU&TQqe)GZsp&+zeKVrh@``A0I2hc|4Yr#kv@KV@C|af=E%e7 z>m7dg!Wn6!l6LhON-yhhPd^#`!^&lw{@#r|op8Efdi`~@Q;wDHg6^$rO&vPn#8s($ zg-7z=#W*}CA4sIFh~L$CI)2VANh;!46`?rgX>@M(jltFE<1^)p?`L$Xe@*AD@jFOb zUUKr7?Vn|}43WnZGCHcXmZWSCA@xE=ky(tY3Nm{&H!%;qmh;qGY|<~47ntN1lo;FV|JyFn2zUz*pBjZM| zmvdHiElQb-b~*P&sVQdVsU)wuE)@n|VY|>Ml*BwFL;nJqdSVdPC%1e&qJo=hnZCT| zK$DxyD>|}rv*rAH+u^>rmlHG3noif8U^=44(reUJ$o93k!PRs_E0YbDqT)_g+D|)wy)tSmr|PUGp~qB*PX6~ z9wnwZpCaYdB!|o2xw3o`(UZ8VQZV(Qdbw_cMrELZ%V}3d$$=I(iC6LAc?tSvQ%4dy znBE+Crc&S&_OZIXnWj+FB!4*Q$@qNUK%4jc)ZS(Ks*8$)dkj@du$|R=J;vma6DJc~ zw}n=#_T>DDSM|nSt~a}ICAL)dv(b}tPp|7lY3eLHyL1-P9D7sH5GJ~eY@F$^S$C`4 z#Ju)f7swBIn-@+9u9%3|K8e$OQnn^IXH>q4ndNFm#)m}LX?1!XH)KQVRURHv$IA;= zQC;<_O^g|m=0M(YX8AN&d)y{HL=ukK|Jm@Ftciv8|MLSA59gw z(1KG^#Y$G@g;!j>qpC5le?Y#ouUB`@6JP#8|G80OrT*H<4_V)1bKFU|Ozd_WnFq%h zaVCNFF(Mw`X(J_KA6i5weuk=D=KJ8Ul)3j_xB4@GqeMQI@jqO1Sp3=-2H9^QF>dqg1sGZxyvQYMYt#o%s=;TYiPI zwo6#L^d*mSFIzq~Tw!{Mv_lor)frh-rB_UA1fi}4RUn`%7udc1B}m~Y+`8dzT3ont1;We z-21vg_zzMoHZkSKK;gGk@&?sSnR{Kh1sSVitHMg6Z&xB9ik zTp|*g5m~U|a|oBmc7ky+!(7r$I-*;*3x374l&_)a`YNA!uGG+UPr{*iW_1haNAWAv zt0^9Z7L`ScKi6$Okqs2G;=4whOlfZVd)X}M#d_>$`^F`TRdQR`^y7XQBok9B#yR{_v%_Q;78QLqF-E03EQD=n6mJW6eN&YE zjHG>kBbfBQ%k69VHg6AA`c(ID!;rSGwpoL}28(0x76~D83b9ezwas3lIi(A?2RAXk zTtr#ocdPWb#rfYw$x>=|PFK2XIv=PQM>Ef-z2SbeV&Xr?okv*AtmMB5_X9BM9=&)u z?;?x$N}vyaKyMJTN1FVTQ?IPGKt8oH|2txR)Nk_U^T@T--Bi&&!{+M(%dm^OV|4w6 zEQ6Crn?}KONugVFmyqBNm#$ie1&5k>^^d=mR@z>^ycB&&BaNN0DO0)AI8rNh);)-n 
zb~u_?&3;M6Vo5H>X!cBHw2+V9w~0xkd}kB=fMX%}s4^u12j_Zs8C8oGj{|ES&2Br9 zzT~~TiVGfA9cb|5x8*hpSN~v(>_0VB0*ds&$D_P=*Cxhv6Vu)RKfhSME_c!MVo|HG zRk&-^Y30V$U*4vDdLMp7wy~S89(TiYQ7_+h6!0;11q*%*98QK6+KlGR zAuoz2#q1;T)G{!d?7gXM+y|g0gL!F$^UHwjV zl;hWPw>-Mpygh{*I|Gw0csRk&;k?I%NsS5BJrbPRo}in3!Yj6;h_i!u{g($#}w z7CSFRyl88b$?cXM{$4uWpDoX$(n?aNGt_y23%ctzU1f}&l8_h>7suEuVRX3om}tqOIO~;L?uXQ#^yAabM^v$z zEuEoedV|krWtbM;Ca+34DJr&z3JEk{Zm__Y9j$w()Rm(7a~OFm@Ae@!MOOPYp>?L) znbgCY&`u=4jy&0~kp9=-w?x=GwdcTQALap_4-(<1ch|U_RRLrA!la?5pEK3Lx3-qtEJ1W@bS4xYu7dIY#*QB9?ZQXB?hlelHNXB44=I7 z3BmfC9Q@-)ttL^U-c(|i-b}wNfJ`_}UmEb4m~!qfedNJi(311L&D!#fg_S}-wOHIm z+`T6S={q|^$LG_LZ^*UMc5(%qS4(`UClO4<>`;5EAvqjDI=HS?&%KNFvc1r(iyyXM zE2IiN7k5j_Rng&P>B5}c!DH#Kc<~Ozm=G(n5-plH~gEiDG}K3LM+Vq>o_YilLdDO#U*pU z9xAz{a>her;yRMY}Wc4cbpLgE#QO`?) zxUvn_6?N%i+K0k7Fum71&&aUBCJJPY#0pzTKZ?WCXpIQ>R5Wmeu0h4SL43^J?y5y|lY8?>{{(a5%f4 zHU?W+n?`2xvVGfBP~f0^Y$GaQ;C|Q%*?RNwjXf*ro0y#r-wAKmgXS&hNKS6ahK!dh zIRtrx7_8DT0}>xun7Z9|g^QE=HdrCD;=qfWA+JcfGAgSV*FGVSnttgmovK)xGy~w=$q;J%wX-?mr z`uEZN0K~7V?Aho2$7N25k46Sd`EML;lxH%R%(@*u@yAcI<=8RdU=Zw+M0NRtnE(F2 z&WO%LTdEn`k!tUkR{|S_6W-@~5e0K2>2PY@xb9;QeMDZW!gle8{!$r>_`Kz?{>M^I zuY9f+1+qLne7NRQA`8ZYX~@Vn3#qWTC&rGsm(mVDvwS(e_W&zV%M>{ep#llV@07W^u8l8=d6^@ncnSPhIsl zbWBI4)()`!$)^92e6b}}8tdGzFYl&zcYFEU=ZAh>?CcDwZH(pEzH5h3w8bbr_4vxu zXnsHHWwU-K#+6@uFI4XHGk952@dpYw^V)sO3PHY*E6{ z6dN{mG$ZHxE8nwTCrt%QC3u-hAFA3$#9@NI$OZ>S#m! 
zZpNPIeSEvOP`vG*9XNaY1aA(6Yfrl8n)A%AikO4aYPb7E4_T0PH$K=WW*PRB{JDDg z;YGE~dvY{+o0z?N@YOdj){FGkuBtNjpBFjBaUQGri>MRPm#1p+yKQbSt5-N*=#zNJ zbHJ=J_rFcBNpdpPwoo$h?&0M9sr9@Z+j)RC1j8Ng#;s3msOV)f(5tgSWDA{zaIX~= zLcKM_POS+(PZ7_1WZS-e4p)9!{o)1J*0Hshg1fxKIhB=r`d}6AWAr0!@Xb?yxQmFJ znCntD>ufpqwF%v)-38QhN^-3tNSP^(SWMs32m9y^PNt4rxRku7I8<%sgveL?LfKuL z-DQ0$DthaZW(#E;CU5r^A(q`yg`R19^z(oIyk?rzR>Pggzv5o)QzW}$l9KDtYf&9W zC^52T;H-AowPSET{UCgK#Vq@RYCl4zX}C9zen{tVyE-FRp(kab@30~T@i?w3dAp)F zA8YOXj#BNf`N_gn*97|#Pee9%zG&4=SZm0A!4+`+g2bsx!%M$Qk%t>Rjf2zf#Zg}~ zLI(aXzP>7|j-Xi=*|@vA26uONcXziS!P!V~2<}dB*WeDpb>r@C!JWf@?z(H;hkMRL z&CEkjb$9i2uc@l9szwNwrV$QVRS*8mjkYoi)0&9#J_nI~2ii~iD$I8ypVghrH0fi5 z4V7Z}_1H%gUK09M9_xdJj;3u*N+|kD;<-iB+-{Q`MGRN_MR6X&Ko& zE{qy^v!E@E0{fqc{@#2$XCXV2sA1CI+14MbwJi*xPC?t@PXp|4(_maUIilE`7QAiz zx6;~{PT^ORFSDt;AluxT^gMOu>MBo>hYYay2RyjIUuE<8+~#{;Mme-nqa53tTh}$s zx%cVp$&-cba;0SN>VS90<@=sUSFv1NePcE}XOrf3_V-+Ia;Yj=nGp1Vh}!DpVh2f03o^VIBrCUI+7ZSocXIvFft zTVnW#BgO|%x~8N=Po@V^;2jcq-st}HTeeDjjqps2EFL*ap^;k3wob_&f=!0wE zQ*3X?9&a22jF;5C7L&2k_I(6|=w>_=gw{iJsX3Sh;B8=!W+o{V&1TAO=*%!qX&#LqR5rkzF{!sT0-!^S(%fmCrz3l`5~H+ zI~)?Iqyr(4_OmKmue9Y|z+Sn-cx+g&8cF>N%DBO)|K*6@4}0Ia?poJcV(SMfQjdnG zQ+ji?@*v}4ldz5=WFLs)@(uqI;Pu#9du0?Jh(CF3;c{8?F9g!QG>j88=1eTpn7g)4 zX9Nq0W{~XVMI6>+CstS0y=U^PRZ)VcP$aSp!hqGIqr0-kBg612QhYVJ^VR3K)aOrU z6!;DBq`jJ&*&g{LtJ-#jeY;yYq8`XYJz3Yiw zrRvJ*Olv3K1lps+A>H5o`Evt@S0t9DQUj)`^+*{6DrAoHBe2Jy>IvN+7@QfiU`uhdw!1gvYgx*%%5lP^_T)i>*E;#Ggh z`~(aCfHNKlpt^4E%1QRj#YxiWY|-!*sDqFxv#{lM)j5zc8~nlr;DTA4u6uYCE%y6%L4mc`|gSw?1!!KO6l>{*~! 
zGMaNg{{;KHmD6tPYuvs*z1mNoBCmY?`*)B1hVqbV`Wu$NV?Jdf9gFtt37QogeHGxbP~a<*0v%uC*RL;5^?s5tAL@Q%m$Yc(A**L8pP?w^RA(gg_Of0W7v;DuW$k1 z-+S^w{ADL2B;@sLW6vUNoVC?soytkf;fReewkwXH+t2yALf$wIzvscIz|`L!Yn>b4 zZxQv`mBUCR`5@iZCpX`m=S=N-IlU+a$MVbnrA+h*M&4D-b$Rp&mKgjdd0q8zO*Q@V z!n1(RLf>+%G>4*0vFf*r7909%!Kc98_Vsi%KN7N6(?!j-tbeJKp6Oplo5=qqlFya@jyOm|GKZo~6GB0R zPGfw5oNqy~fXcp0gMEP{O?%&f#0?jDfou_Z0USf7-SESarg51=;fB)*z#>N*bGXyA{7R*h^I|BHqGA}<4 zHZU*_wlq?6DD1Rx9cWx+udfUSUa-(#S6&OQxwM@`NDd(DsH}vjhL_PnPB;*A;i30E z3y=tQ+E}17WBsU`C!B)qQ#)5Ai$s=!iB9@6QG^r#3lO{NdffCy!|Z$I-(q*;9%#sN z$S~Q?d2A!e&01N>@Vz{_fVxHL{Vfg5>LC_lLva_J|D3i4eqI=DLkjrajjVs(20g!j zK)M}m<^c~Mu7Jlqo|f+cpUQ5^9}mMJJ$Ee^S3*x`1#SM1-MsFHQM#?BJsCWnu_vkB zGo4#B(;Qdv*gBJZ3X7JX9k#9&&rfM$w`WZUB@P!tZcpc$?}C?)%HmxVPmjXH>GDfg z>5!$&83$`|nYJlw6Gd~)RvNQ%>}C0Lh*^IoVt~22j%sp?>Df_}R+klmRztsjTRr}} zJ)AElI6ST1f>H&xc_N_10ptyQkMArSZ9w4cP7ih<%NvN>`|FIuElBu@@OOl}E#`0~ z?yWdFE=QW=^h-R1$p}1pg_^g^n1i*+>l4jGP#;Jkk+fEIO}6BF$7qS{t2>C2cYxzd zF@C=K>!_~yn=8qp7*Mn0JjH4Iq6^yRXp0NE9;*(YT&ZlC$a78qfGfiRd@^SFKa43# z&L8ilG?cSjP*9&xQ@W3Ez!5bnh?P1#FEKqkKWVSpC8iwriNu{ZUI;F!43lh>Vi=LGKdlLvnUf&qzE0j||e(3G}2k zlMvnJ*VYxE<0@HZeP_LgOmg7#+?mMK*+#=eX$bs5x0^!gsAY+EYDhX6)VSi-w`fJ{ z=kwt$tFt~|fLH;qzH2##J;%z3jU_?TW69$6_{ITA~ch*(J&cQrs#d3{sDfRIto%Y9<&_RY*w2A zG7NBBkl4DpL@dsEzl&~l+_$#*1fuWP1s?-Z7+8kre^khnJ6}Wfky<_79hB5(FBUNc zgQ@Z*h88Ot|Jfkq2QGBc0e`eIu=!11Vpxq8DwbGFwT+EZN1YRzj@p*kzd*1nBQM4B zKdw7JK?=OGB@`SKx=hw=THatgvzGVUq2Xctlw<#ygvqdBC%1T>Ant8|eB|x+{MYbt zjnhRPvjv@3q|O_;%M~9@)PH}QgdgYgV;=fD#Z#+_T&e8sy@i)nLuE|mFy_FeJGpixtjb^MsXHOMq`?D`&UH4*knhE${-GWdVsdY z-Q#boEXRJyQ-ocy>o)op4Qg`pgtU#JqGiwB!dGpWnV-B}6q5Rmd2G{uY&Mx=Bb2|0ujrVb!~$$+$x$CyNc!RGUrOkGbTU?O3TY;FZCH@m9Sjg0b@d64 zkn$cK$Q2n$z5&J_mey0tVu>&uRQu2&=fETHBMq4r2RF9@0iN%vEFNMtfh4ify-%2ZH*duOLh>jvgl|SQs zcl|=MfiTg!OA`A+5pW*LSGz6u{*wHkO1aU#n>Q}-3P9=PHfmQQhSw1AP@mqnuynK- z0lVGYRbn$`A1r9vnr0QU2uRfeWq%8KG;m87k)P-Vr!c?;S{{POJoH%H!7*pJagaF1 zu8;@wE5F#r&6aRXuKCRYQSC-WfsKxL!tywyPm~t(l8|>Cs{BLXK+>`iPxd)T2~8B+ 
z2_c~<8Cb=s$X|p24x2cnwN-aj^r{Ucr3U!Hwq;_sj5@%Y#Niu1bx6BGhM2>t1I zVv|OSRAEcca8(rng^;3;Qhrh1Lq&jh)4|GcWCCxE&N^ph5NUUBRJIy0sCxI4PuyR4 zKDaUPSXttONvCD0D`^i_?7KXADstMZ!lmz^G;oOC4)FWqGqFd5Sj%B}3eT!7T?kt% z+HtioE!)XEL4_IbY&X9N{nhKS9{+jjsyp;OTAgyx^G#>0|Go6uLcM4<+9( zkrP2f{mXlsqv?_a$eG;j{3XlV!IokxDC<3g$f{(xp?kMvAkBX@W1Q9kFH%*gSizNlNH}YMOkzruL~^x>3%{Q2h~FO{kHd+H zb;(pkBOOzjZT~e4_fZ}%`E!~_axeALE};~>Ut^|Z*m0qQd`x9C5J_J9yAju=*(#&y z`RqO)j3T-sxgAY@4LNUidN-&H6{z5c+1yjEvd{-gyKkf?=Z`2FG=~p0GUFeQ)^gy> z?}02zuHl4pxE2=a+B~Q`(_q(FE<>_3>h{)-@1CJ7o5Oh)4cGIvW>zy60t*-OJ>pJv z;w{P>f>b4I1?@x8kqDvvaotFX?D#1-AoafKj+s^q%qbUz1S7eU?!lzJ2mWmTuw_P_ z=`;_^Xt%HzA=q@^PIgVV;qaZP-%s{F46f`XOESh@K}^f+a@7uOFb|DDdy_HR4d1e= ztX`z}y}tfBz}wciPnOL2I+4pOqr#9t9hf$hv(nnt<0_OJ3MVP!avKDCi2?fz??9g{9g~Ad5k-uW_2Aze&eOPAoTVeRnbF@K?5&`7%z63;I>SEpSUj|e3Losi;Aj9w>d0WzE z&>8^8KmYTUAvSZ_rPX90fR%`jZ(7hi$>=taMUL89?Ysc}UkGRu1~uOwoL?Ixpa;5m zwu{hq!0PdcN|`ri-WuD>cvO*Z13QZ|1z;^wtJ8e>5*Q)4|A`^ODuI@1!Q_3qI^t9* zbbsz_o+dahb~w$@H<(&P_WrrYH!=!{!g)Sz|`%0ge5Gz2%j!@gbNm>BPJI62{;@r{mVc`WoBbT@yyvVR))XVxC;7HkuL*9K%se7v%x3WH$n1$lZ)=6mZpVR~zDhiV zOo+i~^m&mdaQBd{Kw%O##Rt+g_jC^CZAM@W47n7`EJg#82$<{+7y+{Utm2*QLxCvD zL?y?gp~Ve>kvez_DW(Qva(1)HZ*o_i9anb$=O1q8+2(d&E;ti$G72fH*x@bZBP$2Q zq2bGpJ9CcIy2*6NPdEc5(VPjj-kOlEY0&6^e{x;WP~oPtr07U5nOT=j?&GGnQl7vD zM)rja_pN*EzmRAYPp8$sbRphlkyQ5XzgM2VZbbVpKTVcFwV=x63!j}wVG`I^LFy>^ zQ14phT&dWtUV{y2#Gq$E}Cbm7-guj1p;ryH!7P+ah3D$xvd$ONe@XQ15fncuxm;1BXIkG zANMl!h!FuQ@MbFqgsPN&k}gMt>{g3(UEG1pJ|Q;qqYb0UH70ImYz6u8M-zXOa1_OQ z`|n>p_B=^EbvB3WJpm^mbME@}#|Amn0#$OmYKbdYrBF#>o7JvfL@Xz>M<8{rS)&?| z7Eo!s5YX@qy8|b%Iw>SpOL45)KirGV3;;PO!s}s-#0*bak_5FZ!y(^;iI1wV7!lgg z>^qqyR&F!XuG+BUfQ(i(db`x2y#V%Xrk>{X{d1hQd1$O;p)&!h7=l*xlSoh=P23Xl zpDiZ;^8H!AUVSLdv_4LLCvcWsyQ~ev&e@APTf$}&Z1iI*mR1Y-?}t>y$O4oqnOBtx zHvBNXAv*+$2ottmjWcX24xwJ1z_vvx-L&ZGo(34bue1)Q9v2qi7gnk@vxGms;mHeAcYW1DHm9JW19o5en$}k|u`NFetbr6N zvn}9C_DJIu7-4dDOj?MJ6?}lF60CLZQh`S6Ci-(Q%H)z;1(RFfzSCs@91BUAoJSF4 zUCj>ArpF?#GrRKei|edL18E<7h)fkuy0Wl0iGku6keMYyO#)%|EbGJ_N5}r%E=}ln 
zHRL2+_-Ej1u>?nJpO-D9A{vnbtOco)LLbb`1nXykXiUhL;gGkQeGn>i1@qgUp%>jp zqAU;pVDJ@v-aMbLT6~pQ?bq`GmVc77#k!cIX~hs<;8ZERe$^?^j4};XEnjL3py5b` z4PL60>5gm@XB-@sWYI+nKEcEcoz)T50_2YD*jO9A)2`RauKmR%$vHNbyoFvvfxuI8f1rx$cd5A zFA9;30d-AND4i2Ya|GS`GY^$B7~FyqWv#(liS$F39-yPa5dquGg4Ovz7T|n_f$RbF zFT;x2{zV>=<9CXS#?YhK-=#PjGu-pvMKS$fmyB617sLL?T2$S^K|8S9O%hf73PlP5a4p?zv zfbV^Gck&{m1|-SdxE{HCA8W9eTT}-?S5E2F897>9{gr6U$K-Mi(|-iewxEu|diak( z6_1ppIlDL607g86)4j&^yqS>iAhh|zqeM#{MJVKH;@L09R5N?anf1EI$*qCWflwln zu zm?4Q>eL}j6O=&OV?BCJ)U!%y#dLss6NnCnA+4tO3i&(~=_Id3XR4 z{Wik@7ch;M_{V}#I2{#H1!G)3;gug)O(E>`9x@Qn*!31ArM-+`YnGQPEN;D2;L!qppW{`%gW7bq*|5fCOjB zT6K6$;8qMRTcoSwxDhY8+-a$BYG^u|!X9dSlc-_Q*m9Z}_-}c82TY395}QK6Bx6io z*D7V1zhO%TAX);{ELcD2-LE zayufm$y0ZXbN3Mp3md)YseJNfkXRJ({@^P%(L1hj)koUt>syF`!1f8TGv+d|IZI?2 z*mRGs7c(?&EV~k%Te0zm%Uzm^TzpB>_C0C1a{qwfA&kZNyTdiB4ZKwh$q8*iBO zvL6n!ZhY&~{2cCCVv<7=$b^Cl;O~^tWfFNL;@i>f0V5WEQBb$FQTMW{mUs~B!jtO? zkc#aWHGrj7Q50tpkgk&&FZmWh-Tj)|Bq3j{ZMSE$-YTs6&3Co%)e6xjPe>Keo$!u3z?97;?Qh? zdoa{wUs|p_$xaMfcxW7K1-DLDfWLsNv?f#*(!SAqYS0}>Z&Y4tj8&3O zPtl>)r3@U?EK8Z`v$cvse1I5sJwMmfTQLbTLG+Og?j+dceLP>}|Kbg1SL~!6vdmtw zt_*j3F+)vP@5CY_Wm7&e0B#YT6Vo{QB1YnE7~ z74S2gYSlCIwP)^|ph~Y~Ay`VdMDb~opf65g;E1XVf|*I=F$(ieOPak=0`NpuR>^~; zej2W&P?NnB0$!R+{Zq15Zf%atD1x95OcsoTTJoKQl)yP;5%br-?Rt8?LKlxIE^~=o zsK*GYK8jZoD2LHQ@k~vK^RLZ(Kt9WK2IPVBcmBj)hZg)P5^^sNiFxiXYZ*$qbc(D5 zUk4)25Rd3c^l!{%5juLglAeTb4cr4aMxC&tUvM8|C3#mXgN2b98^Dgy#O_~|ab5wQ znvvG`b_5lGwMlQzBb)jrXLK%d`aPGBeCe-ZVq4k8KHHsmc<%Ymd1`h>Db_L;z`zI> zOoO!AXe5O{(!8}JpbFNcN$cgGnfjjdJ!RFjr>rke}T-f z&??w2y8S;0A9gJa3g17rj&)U4S$DWAp1Q1{=ldKWmvPyNVd3W3c8=<)z;6*rH|2IS zCr=<`a+hv0X;E|yqdiY)3CE=3@{Les=uPB&#Yj4a`&_A+DU~xzt6q$6fWL5dt5k20 z`jo)@lDfYzFtr3INun@@k|L5k?3^pJ79(Cs8*El7_h@D;P;m}b|oQ9 z8xUnqUzHk3`3~kyt?m1TfLd|_+XTVj%c!^DaJI%I#NYkp|2oxc3 z@4(T&Uj><57A!^5+6Z=2s{9>=o;GZj=hWV$7U-Q^pf_-XM}(LCRWb$=z|x4vqEK5~eGIh$>CuC5qf!bZDtGaH9 zAcKW2*8;$&2Q|Cks_n6rT^hpkz>D>$n}Ah*O(=o-ZlRVv1(>ATc{$JMjAgjnDUcK( 
z3H}=Jn$Wl^DKbgJi#g%e--q#*TOW7@3mqRKo3jt_bk##&O_KXN-1{acS*M17qwyiE zvB6v_=4%FSld8h@d;2)UA?qg;q(|TF(uHPAQL({3L-W9sZx?8ZO_G=o3r~nlhZfT} z3m%$zM*k-)1`uRAlV9GA2t_C$fu9}Grm~I_<-9^OJ)z$y&66kmeb+~n1zKq1WCnmC zk(=+Ls}5a_&kpm7sWq>lK+7iPAj(^snr%*Z;`oRMriIe)5~StGU)UJ77DKPeoI#9U zprB*w#;en#WK675$6x^)Y?=^2hRb>fTIMyCz7B;z2J$t+C#)sOFY#)|jamfr{CVM~ zh=$ye>iOC*i1AUu=n#op*li&#qy3QehB(z*wYek;xaXn>l*moz+WC6dc{S>g7wPT# zQiHoy*6NAvikz~B>)yeIihB-Es>#`AsxuDV$vA$}b)?1Wr*DDiEz&yoF_!#yg0nDM z7eXauK=C(7cPjFwtPdg`NEh^GE)5~;6U2%wiGqI7J??peU{g`boLM^@N)_91Gu12u z@JNkQ8u;A+LUw&#@ZK($L*>eKr@xrB^Q%;+Ho7)Bdq*{klp@&x>}4-DS_a=oqCWDF zlP7cV1Ga?G${T{^<8(U>NmoW}Fe4!k#dZWd;ARCdh#IzLWsiBmr(hEmG5;YB>j1VR z{lQP8c`v~HG683r=3sv=0lKtuHC3pMvy!4NAAo%1=)(ns=Q0*GNNbX&lu>>ug378LIbL2|9_E^O6h zPO62KI&&5twdnY6Vo;dQ6A^PI`77ALY$b*=y}{;phHf*6Vby)6YRgm2vTjMB!nw>7 z0I7oZEOUi|%8x~$s>8*A@be5#I&AD4P+3lC;UC8YCN=Z;7;WNC4*{=wX;R(y=VWk!6vH|;b;B19xocvPHYC>Nx+J&O(r zHvI1HopMs#-c1TRiFb5Gwd4L5a;YvA4&;ymP=yBc8c6ZQ@i9j7)Ke>TP!J#o6bzQw zC-`T5uk;U3CZ%V9T$KD56igp76v%pjnO~<%r|^6wjNS{>jc4SL*nSAJD!_&5We5AG zcT~vppd>YU<`PW(_-Eas$}FxAPtB&cLF1<|zRq#oGFL;LhhGB#1FlS*K)-_EoDh!}Z)K?F-$w+wbYawn+Ao|*Keltl9 z$$b)tYM1eYP_T59k_U`Epuq0$=W>8z9sw>+1vO-p&Gm1jp1f-X@>Ztw7OPrPplf0~pCj#* zFo3_9o{$&;MAuUBD^O{hsAvUsyG??HF?l9kKaPIZg@VN&5B8UErbIQ`A;G8{7>7cM zwOX1%4sQF!%%0-Fr>z$gTBprGz(5_MkK|k=QNB4bW|#wVXsZkk%+DI(Hm6ExgOKEghZ&B>Pl-1&A>o}ipae@FEc|XaA)DZKch#~NOT{nm9qg^6%|B5PlF^%#r0IHx zNom;{#bFTBRKeUA!qsFvK9YJcAEz5M^U{RO!3)rrDHzAHvh1m~gEhm^3-pa85h2{$2kTJFTW$bdNe41-OY-p5I8`x_Da@;3Jt!A~s+ij98cqtsvG*2SM6!Ba@|K)GA2@K>K7TL>S&_U?cF3Hn) zqFbmtU(LGsHZPLQ18@cDRdBoaMpn{ui2PuRW5vzDkKlm11bJ_2CJ)4q&Qrm8*X!iz zZNZK-6YR1%4G`ibAE?+B1%rQrw{4a={#hn$Y(-fGoP;ImiY;1Y!4;DO-8gG2y4T2t z;HMdb!OLPTT+!zoZ#I}rD_2v$K{(=TAs@JsUPtwTGbC4Um8uqdz8u;wNQs9Y;rF?_ z5B-+3Hn;+o@#w)NLKne7Mv2g9(+8?Ny6LcOSQh=|MLD?Wv?1E#Huy7xz5=TcP*X!(_uN;V-ldO?ZnSSPCZ9aX)rY>+HY+*8Vk}T zu=Sg@gPT+j@=>)p(=+iqZPF~g9O{-Gj?}htXKj@U+*{q>kGfa9&pUr5l{TdecB8;3 zEgaHKL%b=IrbB!$iL(EVQLoFIBLm-iD`7?wVA-iwXJ!|B+^vKPzV^pgs*M`OhBJ7? 
z5^qvCAvSh!-LSszU_0tv4-yp%5*-1%7(x)KL zCZ|A1^jtgpwwn-#$nRd<|7^6+9&5M)^SWjbc5+j~TBljdtOGn}Oos zvQYE5%Cs9grPQCne-3aa>r^{9CUwcTB3u(BObt2sPI8)M!W{(^Nw?C;8Rty#D-dQN zcy+}Q=oQt5-C6TWY}~Lcd>fHZ#vW`HBdCcHF+1b3>*qRG*rhE6i+MVsOk38L+2xOu{NNC$E7zswWp3ps8M)vopP(Fh z+`KZ*XA2lFU_ZQGq30vS$2dRw?tVVHSi-oOss?73e3xIc0ncIC^3}Vo0Z?O%5j_I~ zaf0~8>)M@HRUJb2r!u74Q8nkJFV0yj_gZo>8AOCd-QP1oSH_DFokN4$#qkV$AiCpfrMm)Frm^> zh}E2l>V!;?tQ~$ysb*?mM!+S(1ZjyMHrwbm#il&lK70*p_-4$3nE2U=+C()8@I)85 z=MyefGDEnqj+<2S`c&+1?Ogd#X5&I_Hv}hERp&iW#%M9G$htRQ2)wv&2DFrz`XK6v zA7UdYe3fdtBupMq-kheFc5O~!&oW9>UAUt;g=tWA0axEZJ`R!3`M{neen}s?1-J|9 z3D8zcw*?rlgg`2O0T3nIPKa2?W>tY9KzG8xq&tH-t zUKJ$&Q2e+Nx+!r<#7RUw3F1-_I7$v)AtQB;ryCPLz506x1m|4LWnw03gy z^v~+Gomp&^&yEsimdHXs75z2QCdpOQt`$M~(s1wzf+F$)T^MryB!$E`VEezfO7*ZG z?!#|jw46jj)pD2^rEZ%rkT*>gdDv)I5fi6bhNhdRoRa+az-4Sy3BO~>`v$-8tyiB` ze&RnD63@=17vzVsTF+7iHH4a6ZNx`1^!QcH@|x;V33b>ezd59f(*?bE{fc*285D9q zL4Bb&PDz%+_V^)7(DSl;Hl}$OtwL%cg;FjV{9O|W>+$sm?(xkUQZQLl

=9$qFAK zrA%jG1BVe+Kt$BG$hn}T-oOw9D&ZW`m_f6o(=88=^G_C`-VPN=6ciXlpl9 zb-y2)WjGg^lFACSM;@~}I8Mv8Rk_wC129M0nI%opGD#%$qhK*4WBcXtU3*;>vLf0R0~x0k z8UPYD$nm#->F9VrK6oK#vQFZ=3QnMi1-Gs zT!t_Jpqoj)9#^XwsBgF|_M!V?5Lpq`yTvR#N#iIK!v!`VI_{T<0GCNQJFYOS*4)U8%*=zBs!4Hq@%;=} z+PlV5BaeTo&wT-WXmL(5bZhzmy`tCX-Vg4IQNX+F??&xDkF2p!?1&hH*Bz}~9&n!9 z`7^30T5S$zNq@cp0&Pbh>un3ZAUsF*Imv=D=_-CxBGWRE*aG2_bvcTJSivX3@M~VR zK;xRR!P+paj4SD>xeVBG$zMMDClu?pbBbquZIusYV(9RxW6&bixNmn>fF>D)W@8=x zAdl>qyYL3QC?nW#6E1j1VgN{1kZ?INf8W>}ZJoxqo^V}uwSxlJX5_D@-a~HTi|A5Q zXvz3KR68zOTzKS-dO*h?cxbLXE1Po+;8hfDZ#D!EPi+3RQwDf~HV*1~J~?FlKs+O< z9X8TMlE1Mh)Li{trNDMDWA@;B+w6+Ry5vENs{99xV8ycy>(=uf7k8@-IffvEkJU z777*#g3zlAqc&>Q_=6lwBZ6%&Im}=%Y5fhn&;2yXYKuwZJq7u4Bo;*#k^Jq|%vgpE zR~3s%3r7vH#uO8ibHvk6{;rI(EK}%1ChrLgSoyw&zf%=jjF{{cgfkjQp2j=?b|h-t z>rr+C^dopnrU;VU(GD-*N9;Uslb8t}FA8t|GmTJ5z!(ux+%NtoNtN+Wh-@L$ei|{I zAIx51WoU#`3h>bPHL&;h)4GHz`JKHqcSZe8rwr%Se|{Y_O-Pp8E-+uQu4O1SY9MSM zi;Q0Pe<4#nK*zdxQ~q-LW)7ZQ>}r7DNT6E$ML8UOVK8CVYRU+;KD;1c)THYZzXh!4 zIMTQAu0YM+O%orVBa<)vunKM0$=D5)(TxI#6&V~bz5sSoqzalssc9Fq~$#r=UDum5wd&GPJ}E5kl(w# z&WNz&v;h(|g&WPl4`>2rq&-0%n<%q{4_F+yv7qt|R@u+7eucH-x3?7k#_2N}4F3YG z#avW~Q~ZQtlgr^F5_4+Bly#F$1;M+zfO$>AaU9X{)(g$1QjGL|Fb#uy10fiU-eQPV1$`U|L{&Jkr>3{1regxP$Vy@y8|TfLd1VT zdp}$k`b+L{upV?{7XMJXS8`K9jimq>_p7PSnVeaK6t*?i8r8u{Ssy3Vt8{rT@W+i` z5hE~sWGzNAb0`9Hi+1{S>Fo|T7oozZ4HjTzj+2WWAHH+X>9vH`5kU*MiJhD|1Wh`! 
z*GM$YAaYW)7c+BwV(GU<;$B@njDlJlai$Eq3zGDBXkFmj+t|-%x#S0Errgz5G41tY z*Td_q3p>ZtR~Alb$vDH=l$nEPV+v+e^f-FoMbGIsN{@lQ`G{&=fo4$TMi+_YdYw=V zaOeIyOvq%&bQ+Nva4^qtDw}jG$0~Kk$jWgO@E{#)Rf}WNv%KM{*>3VTWI4J&?qx-g z?%*GbO$0{u8k|=Vus%5ADthngmQAH|q$J6=aaPDTJ&`!q_)|fhGqX zc_w<-iw{fID$xOHk#AwU_Tv!};#7h^vd`hfxvn*VyzcEU)v_`9{CS~`4KO?b@z1TS zwhd#AiP46%)0)~~5SG78btv{=LN*n7MI@k0l7C z$Ygg>+o9yI5Cr{EocttLI7Y-;hInXi$fM46tjMrdx{iVR$zy)2R9?*|Ca|dkF@=ig zvFUSISH3|4$g-5OfOU}f;@PS1k>Efvn{L8DbKQvzyLi6LARbI`jkg8JPkPvZ6{cMJ zLj=epd-l(bGkgu=Do|_c^{4*%qg$FgjJ&xB&gcnJ^_f8t*o{&&beEBZ5cS>{2)Q!6 z-sdQZX}*0sLxN>Ku4FQ@#oYJ0;^GVZ+?3ZlU+0jLg)@+@I*o4PhT*{Ly%VNlad#p= zO&DyNMA?uKdXu{xu@z}1-kDyq`{acoY0CZlW00`%>^QWJ;T{N=D+~YELXLSYpBfN^ zK9PX4rhs|im^o_L`P`Oo0PIcwghA}|r6*5{@JS0wgv3w#hK7imMr{s-3eNhUVieeE z!Y`2h;jdh~Rh%sXKZ$aI?)i zY0@g`d~-u_@w|K5EjPK#cij7GA|r#{dI~rq%Hwq>5Q=Od%ejVF=xYR9m}n$eHs}^G z)C9cGU-L)Aobmj&(V9@;)5~ef-KSl}IqX2A>jj?R_G zWY}HfGjMN$(}$PQGJ@Kr5y7ZBWlXGxAHa;$%c%0spoBC%I89HvR~i%m`;x^}WUSt` zt5+Aj{Z$@E{p7~WCVm_x2KgGk2&N)br40zJx_?in=U#7zg@0chZuirUxdCp}_;s>m zzKOoV+5n~n-Kty@|QgUMeXJ(&Qw#oGZT(9ecv|7(IU#Gb_>z7Iz zG4Kntcw;6W0yR^*VLemcn5Kc!2JMa^;PvK{YIJdd<$88kcyjAmrX0-;9U~Y2C7V>U z_$nlMqJV637vjP>p{%mC8(vuSe|Fb~cN)jUj~1d?G+mI+4U)~6M^FP81; zabc)au(3aoR#+ikVBTLd*ygRO`ZQ@buB^a*0`@N|lp}N^XY9iv&K~W7%WP6r);6E> z`zW+#9jd`1ceWMNYPrz2j}hu+Qs74b0d=G6?Z-{ax6x|8xPmU2sS0N-Bto(40p_sT zJE%+64~P=L)?W)~BpoG!#9wL`Ezt5no5X4){G3;%N@r{#0l-<{w?0zPjCJH2 z@HJOmZBS1FY6xwI*%r zdmU(+Zj^Z_ZFfc~sP0g*fx#mG56?D0$aW0k5R19z4W8Z2tjq=OJ$ingpZ@S%$;I%3 zYA7U1AD;?pUvGDab-89Ks}&`TN^>e}lhe4VNAm3sUWfkCd@AF) zL!zlEj9PKY`!}aOGLK}S+YTulvL)PR&6hw}NJ2g%46@~eV|m;eVpsk7bzer4_m2o3 zlV(aAcM?p9ShQ!w>Y(7bcK0*n?`$7WzWN*8AL`e9omZU-3O6CDOEKAAf3Cb+AZf(x zTSZn zyHSkef3e>!K4UA^8zVTy2ScA9+A8<4ToVAVE1qabKFX)c}e7}w3n^E$DT@3op{%6Jzi_Bl8{$sv#fc8G}B7&$fHMb0-yo*IH@v0V| zE;8nmC(!as@vS_60i7@v(9!clRKz7e6{Tr&fqJ0$kC418j|`cX*XuSN0$kbd zS~=LEUxxDB><%Er!)w$k$hxqtV}aB>l2K0uSPb>AKR}Vs%C)TAavVwJ9zt6W`Xy4m zfK(TgHTU=paJUNtkLqm+Clbm1{cP(ngEZyIl 
z3DjZKbE^V5Fe%N6bO7C}neruMH3=a|VMI!%QPo)Wz~^hBt%7k{ar#6KtMwD{*9HC1 zIG=%DlwD6RBB?y@laH}F6{}`oDg9y)W%ksqYM_9ofHPGO$+aD_W$?gpw_SHWBA!HQ zb{QW6HdgK{o~asi0~(pean$nw^SZ{sW}~=H+)Fb+hc4xKhD?V`%9tzA3T^!-+~%$o zy5I8{(rS`x7BY5G#h%_J-IVY_3f_^Ec;0;+xiZFi9 z6{piv;qcs=rD!BHE~#9}+uz0%*fUhrMksR`>rO%G2c`pux*Q>ZPyP=M!*w!+dn{~` zy0h|QF;ZNq5l?V8iycla7W}>5%;pniOFHP;OeC0v**~UO`u)YIvSZ(sK63bRnN@+W zBqb_pWR?=`#Q>TMA=%i3;^R;}!T=YLN#Ij7DRp4#-{LaoC-{vy#+pLbT8z9T| z#)Dk58+U%7``ryf**%ZibYm}y2FaKY)58r2dWEWuEBzkQoDJD4ohu)r`CaytyMxBa zMKxy5L5$6~)V1;BrhylONv`hpZ95PsBwwD~g4gD!I1ldKb*uA2QCC!tOQ8@)aDVeI&N_+fup;wQ^|hTj^v+mD-Bvhs zc#a=8ZXX(5nhcBv&Bm0AnHqTd@fqIHQ@I^ta9POejmQiOY_X*>hxMOmTP%9OiN%h_ zZ7sU?&k?ULKN=g?O*6|adY%ps@6c$t+Q|^N*>gMfYDnG+vt2!3|34RkU@}=_a)en6 zIb?ax5SS_zX-wp8>J8n#^jyeb@v;kT4BGonx6|*flembSD=%&nZFKh&L@^9eMH{8_ zXn#bnlK+dfcM7jFYTHF;Y&K3Bw6W9JP12;XjmBnU&lwwyZQHhO+qRuOzyDk7VC`$K zvwiel@36-+o-v;LK3T3Cy_*|7bI9%87k~s7FQobzz5ip~;=uHLn-jG_9mQFwbu2Sc zPnWGP9~!O7y5>-wA-nHF2vUZ_);+m~ZG(!lXfUda?eKbS>>M_UvTW8XWOu zwp74^Zr!ko`2sKS_XV@Q>qV279Pi0;*v7rUn?&F@fM0`Cv4+HUWsBEuOVipuvOCxe zI|Z7xo3H_=_vhgB7hDRIfjGT5aXu&DLW3PSBv~mZ5te}(dEQc5AfoT7_}_RdUpkHp zDZ=w$#(lU(mKyZ_l9eA~#EPftP;TtOw0G{&iHw`kTrM2l;FatiyIHryZ^|0rU@Fs~Qs3#W~Vd}EfIr`LsDGaBVGU9>P957pLAidcdlLf{>+-LVGG4I?sQ7xlt)LJ5(I<_AE*^umEG0u$2P6sxNve zm_(}uQTO3V6mPqfc;Qa0h-43pfWDPW*!w)K53bPZEbcJozuG}2YE9TU##*@i#MVwZNo6zBEGUU5X?u&)CnX z#S2ltfy&%eo&nChSGE_R9dzbzjGn_@q`tYlC4lC^c`l$!a-9^Bw#ZX<;R1uVrTb?Tun5lNXhkJ%>XbByS%&TiWZ%X>Qr-l2zQKFuGOsspY8C*&j8l zAq<#1@V*%8$5ApsuCZ?#47?G4xtc*?m}gIM>H7$9N7b6@+7XfSLq0H;VJXi3p&jlF zegbEKnz7M;WEc|fZVIbe8;ZUYA>pb_N5<=s?u!%5$J!Y;gx#u_+a>ok;zW`@?c`hD zS@2>#sh%WX?t;5h;f?Yz4%%79_dM8WAIASvPkotn`w|}L%c7(Hc%C*JKn<66l-IM- z49{3G`g^;V<2>3yps5JnTjN20h_dOM%gaE|$PsmgVU@8j)H&6XnBbBKSehK8c>0Rg z9UxZ4;5JRV^oJ7xdeOr)*mF_bE}!x}J*8$B$7Uu(>3Hr&iG2N<9gF+Zi!2zGq|sY- z_**weiJ3ZZdY-~*NZgK8#Tr8-)rHGcs0rK*t_TB|;}4s1+m@uheP2s=+HVuINX8+% zQ3Q!59+PCQW}Q5ie=#4FUPGElja=fHgM^647!fgJsn4e{L 
zNEe-JB@!NUX)oMX9gcD0ESt8kmxY=t$}nUK(%xIkHF>y9_@BhQ&gncO*LE_#U|#ny^1&jc1k2`14Y!40~Rg&JWl(=80Y^Yaw{Aay@}lRNN|4pnhB)VF+Wu*x+E z&1Dcaj|f>lh6^RO+;9oxO-l)O%#f?Y-?4#W-!&ovG@$KvCps%FsLQ9DQ zvRHc)1ePkjn{VN+Zr%~+lk>o+ zxEnurySqJ6_wui;N-=~3hrMpkRDqy_ufK;|D7Bnbs^Jm_!1OjP%uIR`)S*#u)fDU3 zhsRb{GFfuo$r86}7xkq(s1KS)SF?^5H`mlJRjXLbt7d(3zY3*K4&fHbmk|EZTLS0^ zZ+nN5?V%ZUni>E7@TUqxtSHV23*G|mz&8^6twS`!J4di2Q7nyf?AzgJ$8HJR#jb(b z4q=0;(OQ(ec6|6jiCgy2iT5ZDCzOL1(EeIF^fAWKC!9-9t~YDs1e}&(g~wL02jtV4 zUlyc*l33#u@T&Ult0T_}5=?C6W<`a^w#(UyxZk*bUv18wnKdK)Nu0zo6|w`;cmJ?) zP4Pk@H~sSFx$9l$?C=jWoE}cly+&4!CPSy(I2@etyjH*bbD)>~nU4A$^etf!8$sug zXwBnBckUs-jEhumXX2%T!)CMzE*W0wEnK*ye5R`&n!MoN#>kNx?sqQtC4&19xCgz{ zidYlq$9Wxp*emoigDZ5aKq+8iCHVT1U*!OuUDyo$xV{2X3L3XObr0J2Uvf1YW3rg+ zy11#L1Jlz0Ea8$Ho52+A%UNS`%<{F@)uy6_zPYD;$9&LLr zhKtofB|&zDk8zP~FgL)wzx;VM9G6_0H*pGKKfoJ*U4g>B2^9FKRHGg6J3G`ENn>t% zC(@(+mJ2aThlZxP$l@r#i;GCZ(w^jBCZUXb)!R=f1uJJso34W95XQDXHD3Qu>1 z%D=vv;n zhwSK#k^=%UpZC}JVmwKTcF13$)l~j8(W}_pj_myY$wb~2%#@pLIg?exg!QIkal>@M z0-s(c70N4LJ>+JQWHer{MnlMYRn^IxnwlltFp%S)TF!RSC9MTWNGgUcyrh(pw)w^L~z$2(7-fDV?(#H&akX=b2;qKtrG8egnzWgD-5CWA8V za1yT^*HewSzN z3-77}wJR`)x}gV0Kdppp=vE@a>A%a1^I2_4-ncPnYNd_;+U&iU<_zSnd7H%|{VLie zgzPNG!dXGT{az8fw<5C=6}OTsmV}9Hi7!yEDnuHM?3FOW(i%JIPToXHYM(1%=P&9T z@zX7!Y6*Mp$Zxxbl?FM>q8xVQF#<#pPLRk2#9hG8?$Q*Ra+X3WEFjsJsj7AqT#(Y| zI9KS<9fPGH5umC_*@b5e^tSV+UBN`RC*t|b&#%#%xb|g)LtAxJV~g>9!-FNWluBzx z#2@qq!p)&TrdFLkZ;_p-)}D*g+r7wbe0n4C<`f+Q!TN+&_@eOLm6#!6hJQ>UC6cQH zA-}TM!GG~ZU-;&^g-EMImLz%mWYt3Jy_Mu7jE8y0Nxr|SVHZ)-XymI-m?ai`?8_kq z4W;F}=2_*A$N!-y7fMV_C6;7^;2b2rQ1gUkeT&p!WGJT9nd7bDSyL7(Y<-N6RC8OG zIB;GV5i2G>!P;I`utrh2*Pd~)E?V{kQV>M*fartSfH*P{g0Lvp14YG=sR z3g};-B8XUy@YQ_WKBcm zW?0mx@1_$HKE8lXY=1t@(#Aeu{Aq39oEdg0f0|mfxa}s!-)3Jt>RHfu5jv~44{wX? 
zs*rNIC~~QZbE&$!krrVBn*)fR{;yYsK&f1Z?OCK^eLui`KV6VwyS%I~3o2<%K19oO zW8^Cze)mbMznrav@p=oLOFpl(y!f-IGJ+lhvtHaejF!BRoRsGxe4r|jdZ$jq&q(D( zlue4xxde`;O>-U@lIA_)8x5i}dH7X^& zz~lS|V9nlrqQi2iF~Tqq^Aty>3mR8rhxbI(9NO|Y9XxUsGu6?W$Z390Oqbk)F&q0j ze&MZ38@46@;zNG~&@B`UJ)&O)c^I5KbKqezdq7Kh5TkvO_o155u6q(rhU_aW&`Cg! zc>~$Yh$~Z5`&%Hqi;;_4qbuBoZhiZw_Y_Cay)uVCm(Sp_>k$nkOioUoL##C(K>3-Z z2Q9;av$e7hw+`L-VMV|B)A`@z44((uy&HkPSpcLHjdP=HY|^CyL1Q@ z;mOeznOFOtb?gp!v;E*ZWSA6u?ITzcWkyeQ4L%vkfE@xl_C@%b$<5C9J)&fpE+-^g zi3D>9F3B+4U8$!iivjaYn$CzUS~S;Z%PjNTP#j(Q0VjPWgxiw8yUD)EDJJtTr|M{7ho1f$N##nNPqUg5^Ws3%yhg& zdz@ZW6BY8M4x`6}^jE>sh+D_)3j@x=N->oKMVLBUz}vz7V|ijloY;piWl{u<`33H%%F7;d$x0#;v^aVnrpbIzo6)Eeie1cTSmHbe9&>S$6P^E02zKArgw)9PeDE z>xkz8?pD!{!ClqT>-@o3<*q`>-6LfUB2ne#Bl~xD0#B|Y*HP_*FLquoUjis9v!na2 z@ne3Ee7zc;QRh*ah;C*-ImQOGUqMCqc2_;ea_4)T^`@ z(V892=>|zps~gPTh7GuXCIpxDMU>-}*ubeWPnga{~HfcsWG8BP3+hheu;s8o}G5&QNSze|y z)2?dAmbDM%7bEFlERNSl5l#fxIQRHLV84=qh`G)H$IHbF6PAWe?hzuD=@JJ^cqlcy z<{F7ZQ6#O4{IDNlK#XZD2xW@gW|&EIGEd`y;?Da7=Y`yq#4Ft;DYnY+&S9EFXxf$n z!?BJl29Y2POL2t~f{*yzZZbVZ^2;~VsZ)j9qw*wCHYyu)dA3CM$&R!h;Q1v@ zUY!gihy00c(Leo8bnb|c$6xU8lhbO)ol(-ve>z(PGI?=wqGvb|xZp9P5)Il-kn%(R z+RpYZaSKi7Ej44gt2S)0#3QcSargGc;wBW>%8Q$)Lcf)TzIyVx=?`a;(EcX_Z&eBi zEp5!I{{Qm>{6ByHfBm~JgBTF$2QPyKi906KQq@yhjMtxX!I>hlR<~?Xx8!^zP?JDs z)lrXsqwXxSG*Od&x7+4UnuEezAI2MKukNdpsdj60p66VLztR^kl_nAO_{5P>lTNgM z>C==Rr;m--Jyb>=_m+Kr$-FeO%9)B&*%{Rn)Xma0%oYY*oYm5qnZLNZf35+W%D&dU zRGw>Zm}o|~1a3&fyL2CTWm5ZX?>qx>x6Mi9)lW{S8eYHGD~`#ytMUDYI-J##XdgKP zZU5qO)!e~ciGHU^Z^D*>8SkH4*sMrfHg-L{m>+<=zGCVMjIGNG{;^!lblcE8OlLkh zf7#btcj?SNwUs-Fc4>8LS(uZcwWBc!Ug7hTO%uZsN_a?&v+AwKHbmpC>y?2^p0TQ# zn*)bw?|sj02n;0HG^ZEFErW|ypDX$mV;i}FjLG=SL{E}y+M3;6R`E1*{5#x3P$E!s z>{Bv+-!n?wTW?XlJl=8LXYm<{f|-gEiUURBk~Lg}xOV-2 zVj}kFTMS%y_4pfCgBxP$nM?=VH4@y;B5GURE`95jMEG^=w0zfMn0-W02Zm>_g$#tk zNN7Cp6w61Wjju&_x^q!vY@9p#LG>>08s5?J@a1dEU*EI%V#m^Y&!>4?*Ek!a;s_H; zM(n6XwNX)|v`I37&f~x(G}YC=L71hp&G(skmxz&5azrpYv=gDhQxk_kC6w24@lEmy 
zr2Q?2!TtAMImdohGF*qI2P|$eM7u-sa;$RPK*WdFacYcefbJ>Y`j78=7{bl_))UJz zPBxdY!e$?DCyzvoi8DymtVf&l(eb<{HGNVjcW<$@35 zK-s))2~{Ndv|;klA2o?tA|R?`U%@QxdKAo!gM!4(ss+=_yeK9w8ez7y5Nqn!_OYm= zjvGV*|BvCfeJ^15&w>btTzd%6D@Wba&^r4wHw)kxdQ*x5pc*2fAiFfdvHTuV>z$6+79{h)pfI zkp&d=_^8c3@YB%7q}__=MiObIB=^x)*^oKkyxsQ+_u+w<+}-rV72B7ZgV6M>5Cf%V zS1_GSd?j&`du5VeP_O4l-Y_&tVp3WrJaW!_f}kAJM99Ad@<2mk$?5SS#2?2>y%x*4 zVTeJXCFA6m-*OoV=O+!nd+@mMRta^WlB-#$85E5{<7K1Qb43J^Gb4vR?0UrhFZ~EMo1O}itCy7uGbgZxW z{?*5ukk`)36pC+gRmZE#amKJm3s|;oyMIBZgH-kQl$dkXp$QRL`0K502 zX~E5Zo0IRm=aH>xxNnRPE}3k9aWxN=i653qiK(=bn1%M0wFD=^LTlc4I=0Ofr2pn< z+s2zJ|4>895T#?~m`#^eLmGgF9O#7yYQ9DRRY5TNd^|y~neN51A8F*r z!bKB#&0FxC%|*l(B0GpM0D<<*lV>R%%CtTXWcl{uf!S}Hq2K$R>Al10C()Bj(J~ln zn0d#SodNC zB$vphxeO~-R{xv=oNrY(xxb5VL>scv_15vGqj+YZ5YvT|{rIBC;>pz-j%oRUWo&@w zC+c@-7(Sfig|LNAyKM)*%^t2rT4Ut|vEzQbIpV6~!Er8n;h?}Wm#CmG`zmv2FinwV zESwcZ63i5KB%8smRsg$P8S0DJ4h ztz+yPq`RnHG=3xO{}sHza?w+UEzB^|&0<_F7@HJ#3F0yA0^%E}H($^(=p@!DT4=B4z^v zI$I~R{Wc|z9 zruP@}pC@q@&z->3r$h#3TJ3sq4KF+FgOW;q?3;W_Wh2$ zpz?=Ucebo{l>Jpt#Ug)5$)q7#<#JT8PlRQ$M_5EIR-95N-jWD1kl6zm5TE&@vHzpw zL9^N_sFek9<7PuMneL|K`R(?d)H2A7BHfP>4?f7kb@0RP?K;)8k3-#Z6N(s$D%j}| zpYN^v<;RGhe8>T1=cvR+rSj%_5z+P0Uz~F&WLoS5$a$A1gQFl8_L$PV6yy!KQgtEJ z$!HCTULUhzP&hB$8pKH2Bx5r}4-HBF9o(5tEiBg5;Jr64LeI2&>cI;cTWr= zgsULgPKcA}XD~J>Z^~~}@x*D2i^-*xDchmnLiAa|1PxhfS$ChK|n{f&%_D3+7OzJV8UgmfOyaHT%@8|)6TUd8t zCo$g`@opEI67e(fTE@h+DZ7L_h=R|sry=6u-fg+4`0+Bb`TSMyZpH7mh|(4_tI8;p z5zA;9_QnV;yFedvTf$)ZQAIoffR8>OPJqdf@L93wwnPFP+;%N9Dc*+==xN3XL9a2s z8}?C+Q8?CsqR$88)%?GtWn(P8wYPFN$l~gF1<-Zs*YPjn5#?B2N$@u&0uVuk6<=V? 
zGk#f|FtynkZ>BX20K-P z3_%~O2Q+Kj>J7I)>Wz~Ox-opy@C!yn?=Ih6^bnL%_FU<5UW7{Px z;CRAYp!!pPi$&|9jWMP!*Npx{HME(yya3D_Jfx4zn7W^9zH6*=h3Gd{-VlN8j_lL8 zYuRB5Wep}l{_o0t-hrJeoj^;iE2R2|MjE5G)J>576Ah*Jpx>(0rZ_yVc?*#+j9N)l zAtfVb=TP5x(1~^HM-pQf^IJw?M{9_c3Qb*lkbG0FzF3bU%WiZ)a7Q*l)ZEg1 zF#mmrs`}(s_>D8?6Yfm(@JsBUkJgXdt4uviJu7Rw{I*i)6sXSIqkXGj8t3Ns z^^V$*t24`QYX!f=QQx4p`WgPfA@<8-V z^N*h@NKamiyof`*5)(p(+*?lBu^tes9$q32{2e&~g&ny`twKBSPLlB;-quYeJ0B`P z-pB=L%dHb2)Ss<)hH>XlI0pS|u8zGDE=4cJuiy&Xgwi&5>D;7jA++0}KrH+u7LuBL z3sNKz3u7&kDuGHrlL%WeAU0DL``s+y5|6e>7S~iEN*U(K+YrJ! zBCTKNwq=SY5aM$f@Yr+iXXSF^pm{17K}#UjzdQ#dn+MpOo8|QWo!G1$-}VNxFqAH?q?aro#6}dPUd6GpIcuo*d%8Fm=D} z5J}UqDTcIjmVqosdCqR+Ws63E#pBpKwM=mJ5?VxL46PkyIEH9!v&n;EL9L^;D-$Ye z;lKiRRdEx4k_Ocp7N42>JmI)e@NaE-%Go0l+zKt0v7>CUz-FJU(kD26h1V55zx)$o z8>6HM#c0b|z<}Z0Hfaf8)PWD>+EF;5^84U5%r;hO2J+(Ug1mD~WDoDET_`DV46mz7 zi`5DU|66+YQ1=*6y{jsD@Kg3s(R+8)%P1}mG|g}`%15tx zsSC#j`vdUDZJMhq$xZXX@cTI+I1W^*Ibzm3e_UqCcDH~u3m~>c-}@N|fsSnKK6v?M zlQA(5x-1=58`l7D?e8mVkCd**pbemmckEXa4@_z0QuPKi63D} zGSn5{WTjbi6bipt6P;v%l>`)5`w3;a!SKA@F4Gth2qWmw%}YkjVKO9!2B2hbX^rsl~}R$3TL4U?fktY>TG*(%5cDlfI9A;g{^hOfuv?YuL;pBVSveNC?>6%B4DCehG^lfvcnt@ zwFtOyc@4eh*nQd@VtQ6n5Z;$W?2_2WAc~FwOd2KMT_=5g<4~cHLhRza)H#46Vx&a2 z?*c3>ON0J0&1O^My5Bd*#3?4nKwjM|0=*Y~V*rNz`x(q|3qTbMoP6biJV3aq6?Hj` z;f%i8kb(O{iO_#TpWoP_4#oX7!-Mne*9LWFeH98TdNyvS&i?@}d|3(CM;ws@xyAt$ zpRY5lmR6O9@*7(i$DjA?RdT z3QaFiCn1L(QIJq%?eOnk!*LAefL*d&pXZA`yL~~}ZIu2o2-l27wX-Ln0?^&9>_3AH zMUNT`!aBIMEz4uqDL;M>ZMTcCJqX)O1}f&zOB*H-g*(G^z{-^>twOV5O7%l3&r zX0Uuc=hsN0GAMf}#v!NG$dir(n>n&OcE^F3rqd%Y-VsFjXJKaI^r4Pt=;^OH%2r4( zZ1@Gn0ce#+^Ot!X(=k8G(3 zlCZ(+`2eZ32#0o8a62K>q=8PZ*!B61xMr8UxfkEJz`3sk+S9mPab!KLh3 zsvSdMXZpy?6WgKNR;X{M)-GW6W3&T*i&caqOw7QE%i^n3n=S4pZDJlQGQXRGXzTS} zD;b|Ag2rP(baLICDORV_Cc3;%>iIPc_j5!c+R#*}h^(y^0syB~8_@laUw?FH z+LQ>$=|@(i*{cMmK20$Oy7nE{B#&76&d(- zC+L#5^!VPqzQMdTTAd~`Fw>l5ST_pf9>4#A?3(a;xOW3QbfmSV#xRZ7DuG1iw<*mL zsV>DcddH^%n+s;q{WU!@+d>tn3=8sl4C3`Anv7JMU+q?b!z=Ol)4iGBw_blF&~0to 
z!V~*#hiUd%+(m#V9|`Zf%Ba_Gr56!y%9|is705sfux`b&EEY^jZ-!#o-r9q!cy>-5 z8i`bBTxbn+r5xYXa0PG4$DBSh%CNYK40=a@wJ4e?-ugDpkFcynD*jExr6v6=4jFd5 z3PoCO21>HZy`>8t@mA8R5alx#6EM%cwPeT^Ugly$Z2r@lGZ~Q{$qLVN3=KudsW&y9 z>K>X`p7+!}D;FpxX7*=P{`HSUC-T1Fu8&PpLOKr^=l^SDL@GPcHqOf>tGEWfOWs9| z6B}nwK~WfzVzWc$n1<%AMCRfV6IB!k3a_NNq+qpihnhto1M&8@xKwM|1vW(l2h8qP z9MZVu-^4{rr?ObO1{d=mIc*2VxFEk;)iaEiSO80Fo*@kKtsvLW{&H=bp{YiDgEN%i zdl(RMZFzav(ALwc47-Y8es)%*UsM!}NQb<;>3LFQ~P(^%&-qv0gyw1Brc%EDXxZyarOWxeTPjNT>IGer{>#3!7uD-aZ=m~=-$N$5%ju#H9v95n#?T){Zs zWaS?|h<$F+p$ctegqndO;D@48aYIWATG>zA&5rz+LOB{Lx-gq+fv5HuO!t>P1VJ3b z-C_xex2GsFx-EV9tqUU~J1*PJHViFx_xl?PlFN>-xPw}S6(#EZ;=vL7wVImkM!;7? z2w`Uv%JymAL~bJ(K4g9AS5&B&Zop})A^cQT7AZS-@}!=5J`6HvC0*T_^uh^B`lxd9 zS7t;FP4}ps-7imQ4D|FlvxQ#N)YM79z?oUrq0v(;7-(ok%hK&9C2eit!^zj#;aFlU zJiK4`V<;8@9adi~VUm+I;^LixGJv&sI2afb#KeE%Qc@TnPAYS9zTMpN4o>1?J4KX~ zloS^fBv@FUy6ezC-B|`b-+On1WdA z-eJ{#5or+gPHZ+-?Yi9TG$j==o6gBMvgA$GEn+qGJWkYon0mSvoa*+gI0Jsmq~dH8 zH0uo9 zs^yw8L1-k|^QDV3XoAxE9Pv9lHrMZ@X_q|#g3B%>IcaHpe>6-cGkzoC&=;^&J>amfk&A�Q5ix-Y$C=vL5c(bYCiaC&wxF%e)BW+{Yb&XaV@q zR!@MqC3f()imhnRW;3;?9#ox@SJ9BrdY1F%nPIffK%e&jF<~4kAc-ti+AnHte(bS^ z&Uke+y<6mO9IZ)Fiw6u?fIdR+vfXHl=df8@LlQ4-_duJ9qnY)fgVMy-ywBi&eKLi| zwt9U?ud~l*b=jV(w_F?^Fd^DM#J!rF+8+sDqKsL6?m?Mw*cXM4DdkNTc~%~lsd zsLq&vs|YPoqzpbc0^54CeJ-X*AFUuN&_(T2(1@QZeGdz68=7!%`FWYQO$+W79Om~v zWygF+eXt(=1la5uM;D>;P$~Kwa+C?X$k!

1?Or~@R47&3a!eJNspWn0z!x{l7#l=iL zrE*yBU!m`k8O__Jw=m$XbbbQh%CwrJhi#XtLQGd=WPo15)S3~cr=M3uLZ@U|2L~nz z;S4*#4UtD42m(zl+SASsv(ry|$vy>oBw?7TsA9ZkVUzc!3R$b^qLll@Sg?V-UNCpS zkJNe5+@9^S`o&&mSTTl`Mpae|#ZSY6e1 zNDM&_C#R4dPzEPF2*ThI0TmP(DceRE#5f;AF^a!u z(ShcF`=`Y*fI@4~ZGU8F$jI(Rum{2m_^f#_^ABdRx)aX^nz~N1>5m8tJ~rm7q3*eQ z9S-x(_29`jArgvV#Te#jpU{}NIQj;&m$r|OM64}+!Z2#Q~JiQ-cenVntQZyL3x<&x1h#;W{V3IhX_ z0yTj)n1P%u?#?^@yixDs-gDGpkjP}MObiUWfAM-_U%af?PnkgXhVd#lL+HF=X59(& zbb9fl)Lp8N@1Jzqz+F7_cP7)a=An6s*t-8JpkDXZ{aA4U09M@pzD>g9L-@bEO~M)a z-wG%(d<4{4yg2@h-XvBV(71!>k$iB%|4@GFkt8s_+pu(Eugmk7$= z-w~9I3cI0yfBO-J()+?gB39^Q%k#buj+q){a(61-hnCz3QPZ$>xW`XkDm`s@9cH+6 zUaomuw8zs@)m+~{T^mYr0qxUXPzXiNy;@Eb|CQRp-+$#uiOl4&wyHmTtiiXlm!yRW zK>6mz?na)SV07x;gfxL ze*ra#QZo+9Jsec@2rPxF$efZ*hXjLZJNR0$ZY2ebW&qAk*5lWJyiU2Ok+f0h_K$lU z+s@2EmKG$$vF(2DQsm!*+!88bp$25?Pl=>$1Dvuu@6M$^*9Wif61~0W@)A4iM0BFP ze0x#;y*(|9+WSGYx;f=0bo<M?d6gy-pm>P2n8}6q|T5&7+ zd7%$l!&9Pug;+2qgR#3?>vyD}3Yz)BID5B@ggmJ7ZMjm5WTpNwYn^NrrV6Pv-ITQ6 zN!bZ8Zs-?~H)*90*-p%aa$lDzOUm3Fi`|qAN{k#XWkh%c%i?eYx>dLVN$+i)CJWaM zHh?Fu&9`UhdsgATh%F4)p(dlw=wu-l%#Y04!0>+brI*0(%YQ~wP+-?qdNX~6;btCm zJdWm$YvZ2Q&4Xr>Z*i%;XH}PtEq5`pP`Nl0E415zl8ZMtTrsowKUz++sK^ZceEp1Z zf8Rto2k*f`+017nIbA-Y@}>)6WA7_#D(=|1UuA{Lrb*@yuc4OnzAPfBlO7V1jV2M1 z>$GtjIWA^EWY6euvc;Uka#65HjEsyFH8m}5E32qT3}VU^LuSYU_FMWJ09caaecyzcwycNp$?oH$nepx!Mmx8cItADCeVY|a5^M@ zFM8bihb7>M6@a$wLU&InpjvS{)!fR5HBui6MAnMXue02omC1JOa+bFSkvX=HD3@?( zxJ)keB%N*M3g+u}805)+CZaB(mLOH>7+GB|HL;5!-UE+8=UJhlh?3i{my_$(w+{kx zkQPN#3uQ-c)&JYuAcK}H^}|Y~&9PY~y}c*^tb9eX27`1-Y1Nw8i`kq?!2zwP;u90E z?+$sq>b-C$ZE+R)?zr!ckyqI%+=(Mnu_XR<>ldt3eZ89e`FOFOdsFj6`L0jKu43!%3aK6_3B8_5K-?HD5O<5?e8UZq-{g6&Qvbn{-Gfbw+7h$ z5)GbV*}+hwL*@ob_9-R-(=N-n zr~dSDP5If=!B^FByX-Pw=l6_W}`YXm}A$ncoqBh1f>ZWg?b&3c5mm4viXL zypZ8OBh5rRlaFO?BP$Anuulw`-9dY6jxURDKAu1st=)V2k5{zXx1(F7Rq0($D|)U5 zA*-H-IiD8kEbxnb-3{%vFoUH=HrXq?ubvHXX5)}zyUOwFiQ()NOtA;Ve|`gXh$NZ5 zuS|h)-taMh&)Mek7w_ME%;cNgJZX-QmY+*Lj15BU*5ebKIIG8MMN6%rw|KsngiljP 
z)!+e34N)s`R*OX3k>`qkbxe~y!IB&j{h<^1p7R$C1)`k0%PjolMiQS2!}vC`PwC4= zsEmC4F*1SLKp)55WbONq;e2Zy+h0~4I$HFqdgCTMs_M6+W_SNznFyGxUdiWCPdtId zfA0+9OAk^Es@={HoHP@j^1=NA!{*6coBad~*#-j^JK3W(5kKCsWwFEHp#ajyW%dU` z4$HXK&}kqS$}sXvt)ze%xY9a{K=IQFPm#up4UPz4up;{_`nQ{@ee##tH2@URl0TQ* z3+_ctBLxW?3c`V}%#zsGMpt+2Nhjy^tL!IIfgY;cAT)v7YZFg22Ryb51hmBRXm%hJ z-t9=wDyMn(G|HU4xvsfgatF0u1p1VnE#rw0RHJnMIWC$+E(H7r&;kPT@E>2qYCGsp zgncChBuiE#U69grx|V^|xjQ_^*y&q}7l;WQ%^ZYCf}IMPa_JLQuf7m;;P40J(brzG ztQuL52d&sIq#(OL=k&{UQ&!YgT zG`Ek{H&XkQr7`A;WKQ%xQf3_lbi~DfFe)L#wA8l-wv|<>*Qu*Y)0u%<4+>v&2{XrAWOa-zJr-f- z$ZwjOY#)_wC#;udZP%JkT~#5_qv+)Ub=PZuid$iBU;tQ|=*=d;j-E#eTh=AgWy=jm zo6NObhL8jk0QfDnS)0>g!`Ytn8ZO-|%CP)+;dk^L^g*|amqKocy-5r#FSB?@pWr$B zKp#0{>V{IclP?|ytnVBHgE!gwt?E$&sBxOTy|7l@2iy%28NGrZUd3OWw2UTqa9`nd zpP#g(gv}v0dx<-MiK(7)QMAP3Uk|+BFS^$f87ApSJ@PJv>QaHkja{+RWU$4OdzAGz zpBQrVX^VgGH@u#{wr9DPYv|Y9*OE0$UF}Oh8d9ZVLD<{oK%g0suF}o_)7MpiRndI? zz4y{ADIL-RlF|**DW#+m0@B@iuSH0S#EKx8Akv^HNJ)cIiU>#}B^}c7E%3ho*La?9 zVej3U^E+ow%+Ait-QD5;{NUL`nI*>NSeMINZ)mhk1At{m@F1AD^QkA_yj8G3Lg{4} zQWKv}!+~!3_Vs&`d_N54GP<8y^&7U;mj#N)RA9T%BS=Pi*%wGH$Ao{pc`j{~n1$d` z^m!buEMiA(k*Kr7V$L?ZSsFq_M9i(v@B^kEe;3E=DMte3YCcegw&ZS-?hutJ%Z$S}-^z9sJY zDW#h$haN1w8!Ew5{RqNX`sP28jb$JxV)c1W^SSHM){I)D$x}2&$gNNUo`D#@G^*oOkUPc2V|pU-n9pu4*Dt{xAs--9-&Jf8dyG z8GQRml&pjlqpmQrb4oHy;xrEpn^X0^XVb^8d;@*cWsd`16W|_eobvSB_azPn#z-vs zwKzBCn%6d5i{FjfxIZRV=-ImtRme^*V<=ft5nMj6XM_;MbB%ps>sO=)1fT0aF}^2k z9QQGK^$MLYhvJNvHKCX_y|0LfXNk&D_u}PK7i!k>fdD^}eKPZ4lNdqY&W`nWH0~KU zI1JG$8Vk|%cRsqleCVz{i*Y7<0+NZ_no~%|qU!}4&)>VfiLcX&9x^#Q+S0IRvapjG z?Nj?2?}}q@>}9%|V3zHI0JRE7_+~;@WwDCsX|m)pb==Dlz%sv?70do%2fl{1eI1?Ro1$uAsJ_8Cz94G^+v>8d`<53y_Bx${#d+(V_cgdg zbSnru%f?M@x{RQ`S}&&{oY)-?v{1SK?0LB>!HM=(T%qNz*~%*k6Hyd2VtNIe3se@_ zdN?(?Xh~tMurz?$H;GQ*{tkR;&J9`*O8uVwRHsptn~n^}vY z5#7o2xl|Yd3(e<5EWCibdsurerYVHnIJe7aFK%wAj zvbspd-0VSYccTtR-)zSYv3GDQr{~VX`!j75`>w{84 z&W#lw7TP=D9O~=pck9r}c%{p*YnnDfo~N=?0sG=58~Id4zJBAR_oyPYOQRX%@@F7C zR?Bf#1g*i)=+V<|zDgTftKZ*?_pP5N@?ERkdTWw{oIO`*$R(M{6`Ck_M{(TwaaSPR 
zVTn%e7E}7f#Y>J`sug!uy`;Q&6XHpxcGn)F~W z@9EU5qHXa5*2Ic$hUdRPzqmV6aX8k^CKWJqzfa%lHc?P~M|zC{+Fp9IoWbh70J|H3 z)eBU7ay84?s@^Cf%A8S`gh}SERM!>My);X_U0P*1nX+;B%h@O+PdWos%(;Aewa$Z^ z5wq+4YwJU^r9NWY$c4eu%({q}B+ni?K^LyFWrcZJj~1lIOf8uYT4)x$BKbFg{0-Dra;7O&s&Yp&vyOBf*I;<3j96pZ{?ko1#(3`yIZZ4 zGmRPRDLwS~Av${H`XX7EVMi{)XrAScGb+#LO`GTxW@Yrz;NJ7hQde}jTu2L-=6J;X zSUs)}%Ov?vTC~)iW=r|jIBGs~jRVpLhj7naWDdAPeQ}TG#O}OWA^TtJ< z;n2i>DG#=M@Gd~o{@vU&>v5yP>A+cXf<;-A4sj|g+l~lHL)B0WewBC_IY*fPgQk#m zZh41cgC+4@a(2#IWE63qYAtZnkvwHfP`7bg6DRRO#=&=y)(%WDaHC;ybZp}Lcw;@5 zKe|SOinbI}hZ}F37S>a)W?5Z$aUjh@-Kfz85mT5Tn0M3riT$Uz--w_rbKeVpBi{LU2AH5QH(ykMpq}j3Y(5j{vaC7 z=QT{XytqGdhcU@{c-UA>;4W7VBBdRN|Le!bh>Gwy#%riu{xqU_o`OatOrY4JE?I$NlN@oFd*z7+l`FZfl96?hF&iLzJyF|-V?*) zTFO0e?7Wvl$6wK`P=0->Q6Ax$$jY~PUPpk}N~KRh9?f#QBcrCJqISr$0_~E=GmRil z+sT=Q>~yv-mpo>;$LKAs**_=l))M%f0X|a@y_ugBjM5TP?aun2<47i;Wp){S7aY%G z|2fsW)$8<&S=aW1owc?bP84ry@@^#+w^G%f8)^!RRLp;?d&2Qn- zuP)1`ZT1}2E7-^^JQaLx(gS_P)s9H)%ZJoV;q*dD``OYlv&qZtuSMm0&dkmAU`Y#z zSY7ee!u{VB`DZCk%xh!OY~L@I4)vLoqbc)PWy6B)0qZj?my9pXI$^rP9kfCKr0eb= z!e)f(LjaR@x@Km_eI>Hb_H+MGM}Z^iyOJV>_)fHdsPD#;EdB~Qb~mM090L@tyB`s1 zo$;@MJou4NK=s?Vos$_}(PT5pC%K-_Ui}n%@3;-Z7csTImzt5Uq*FaE9p!Q1OMd>g zu(X|i<(boXVF~BG&==z3Gj%1k53y=V&y>5_>{2cpYA)1&hM}!f?#PZWw%A z&RzAvq&IK3)nION=MxqD$~KDpxd{L(wdUps^yl`i-FIngR4}h}|JCfya#&f$hIaql zW4X0W86>((ZcV|;2*BkT7%Z@BwR;4m?{hwZCNId&U%7(>OuAQAJSzGZrB6~CgI1-( z#||iQIdQ-pA>v~PoNbjlhP<%K72b1JMI(SgZntOo$KD!MwW~sZJIaQ0A3Z@jz(;CljKSY(+phKESi zqG6)Y__60`R6Coc1~W{M(X{I9!$EP@0eiG6Pq^5MMa44iXM{mbD=Qz8It@=}$y;M? 
zsh-|&gSOT}x$hd#6{geL2URaT&nQZO2*1|HQy9p1D}WVC3O<}(Gr-Ht z;=ysSFkNDr2GKbQThWS1*RKnSd?+$rj2FU8(QLFy>EqmeU|r~P$_~hZlN;MByA>!u z^wmBd$?+UO%&w1Tn_L&$GK+`8r11rl3zPzDTL4UrxH zNf4$5+n7c+CH)Mu--_O4^#ESxb0 z`rMfEXdPvtrhBB9k~to2|8q3q+D;EAa+$U^3qlrMx9@6;+` zJ<5^1P?KMDLx^ExEHEK&EXvSi!n{3UOYA0Va`3A6PVBANWJX1s(15V~=Ebjy zf!ueYPXXK@(`o|xdC0>8*1q@Z^<&^%!E>%D&8r7BraSS^nf*lDJl@`Z|1EQJbk;g% z??Kp3Q6gD2UzZ|+H!#qPtC4icmn*z_e8$1g$Pe#lu#ICmkivC4j9gx;?^0*|*l9wm zj?Cv)*#^=pDS{g75)7xG1H)%OsGT#8yk4r(7cMROOTjj+0~zz1P;cNJ)f z-&9?G1h`GiT4grO;}~#DYfTCC&Fcf3!J$%u(kAk8v1c9|Mbr~KDkyoUPMeoX)2k%K zM;t*}8`Q?!KZt%5Ha-Nv%3KVuU&tfm!MIkYz<20NZHw)Kxjv49;^<>c8q@B*^ql(NR6i*8;oi zv@W){r>zK4Ye`csFz_7jAjb8v$n!m9r{za;6~wDT7a@mDnU_JH7f55d>&MEY1Jk%L zVM)%8^OEO3YChtgr1sB*#m;p0sf9)Q1lC#3eg80ay|z}eWYLl1FywhPAyy+}J$iQKZY z;&W!WV!#;}VZ}ThUQd7#wR=b;ar(yNqak4qQzBP z(6)&)<<>Qa=FGT-=<5#CQVf3&aL*TOwFuHMN9FtD)8e4my%zBjcUGnSCe@7?>UgI4)rU&nSa8rrn2q$L~8}8hT|f^++RtoP2SHG7zil)^zM`TFBE`Xl8o99{!H<)X`#T7*ayYJIc;Kgtexb2BR>Xi{jJ!Wi zDhdEO;%)?RBfJ63`-W9rZeSXT0JFi{nOSJ070u+R#7!#(cseRD^vNXb`M0@)Ly4cAP5%BAHU-QwuW@BLI?E#}4{p>7N z9bH^31qH7PiV89Z6A>_9gVR!Mf`W>0hBPw~K`0S{jKIJAG9K1G4$N>NIugtx!py>A z{9?@KBu~DDg_R@(`9+z9h51F8B_x=|CI0t`K1zt6;}>TZ72*GfO;kktm|aYq`AC)- zE3=J@wYN7c`u|gr^;kby)_)Xa6_A6K^Rt)J(?VfU05||1JS<@WP-S!e8L;CtPyj#% z=Rh~U5R#(}-@APi1gl8;3K+G7m34c-D8;R)ci1r}b-m%EMRv zK{M^_Bf%l@W#XGQ?tSO6dpdfHDq62|^Q8Bb<&PP!?bq8|(Ud0-O5{38oV~TXuoNwk=mBk<1LeA^R=2gvk3j`|ynD-3 z)!&w0>y4z-1ldjSk|&KNe6-1y&G@os-V>syE)*5&+UgNg!+nLw!S*xJKGTQSsZvGH zNBzh(I2xBOON35Zt4aA}WW-l|<>WYZmr9vBDMW9#W%;6#=Q|73gp!Zt_X$jKI7124 z(zK0L$%AeaiY=M*Jw+9p@}rzWnvGh(q1=5i{?R0RdiaO$3dGpr-#wCdBq+ZT6?)iy z4i+%3jeOPi*}#d(($SteqwsQ9ewj<&n9X($;KzPZpZA5`+%0EZp`1$ z(FF9OS>FW4EE*1)SLf&37QN?ua|2fcJG{Cth#$Dq`D)n@2J+9`w7bzVcdwe%YCIq; z{nAv8)h>17dr1n2`zztlo4C(}-x1hK-(MRzz2V*_JcB@A(XA7t2w&3KBhgw?+nmI0 zr-`EDk6~A~7a0~ELeRbOb0h%|s)jHK&C0>yX&LFzcRrOln(jnRn)#~i3|I{)4j+~; zSCxm?qR_fB(U&PJdk9o*2~%Q9=W;LhXgi>UpE?V2y$|Ym#(U~#Brln>Y7V8=i?@st 
zisc>!I*r|E*$3G9GZtYdP}Ol@y5AHWuX%ma|c2Z1f7ft3j~tvOe+(HaxA74%8!}AeXfprX(|<7{OW

jEc4Z&)nwIuL1l5<%a<-j;+iDjEtJw*MvB^~ZN$Fb{prnsXRVUVB@p7jIk`5w zw%s>0cOg+$qA)L&-LWu}RIog`&4sh|OxjS0Zls#^v##D+_CQqT;7XxoUt2!`!`Wqa zbsBjM%?2m!oKCGi{1HOCQ)h4cN~5o{_?SCID^4z3t&Kj#a!xaxt9sI2T}qOib)*=sEA7sJGQAFT42u-@7R~yH|^VhQB1WA zGql?{&&!B z&$ayN>9~S^v+|WtnB`6LE}+Pof}9L~J_XXOBmm&<4*-el_wRl80Dz{dc@ zAE+Q&0Pyhe5%6|#w6*g-`4Zv}aCOns`dvFAGWOh?&|?HhNgpcl8;_-zoy)(RP&Wdk zWoUUSBm}{h)WBB^=HHZ(lS-`MVTA@@r5I=*7MJV6C>v}5VEPSpN(SOWfae&}6-W07 z;p>o)*wLlv*X@N|Vi+GA#Ek^cB3D%t$Nbr$5%#h7K762&2PgMV227y*0%hl7+5DKJZXt{iyRU1a> z!mj=urK)#~;>Chd`W!pm;;=Oea3p?5bzeM21s|a@W$ZEwU|FuG{zR#n9ib8xG_avg zEZ9RN4?%H~qv=7|J-^Enu{@SXiw(=`D8+000$-jt2>(RguscRM9HI0Frz@_*sCE25 zQ7Mkcs5eI_;p-fp1+WEj@a?_7muTdAjKaZzQFyBll|x|^{$D61Zy3b}nc=|NH+RyI zI>C0{hJD8RYw&=>fMZ$kgJx6=WwTOd4`GxY>7S^a&|?%o3dDhSV1XyW48L(4;RVtE zA`C*ANRSvAbMrW~pOK&_GV#{&G0ZE9d~o~t_y8BAg9zXcvB^;-BD`~a9EF0*?7{~LpnO7*4n-CXK#_zXhk#69YJ4_4pL?|be#$AOo}3u2 zcD9bz0*ng%N;fgzSDqRJbDG;KTdx%%}4IW5wz53$pw*G;*}Ol{q1-Vl*)blKtK`yle#^N+KA&L-<#IE8~aZWDenLkxNhf|Sq}2+~n-X8lDLhgOI{3P_3w1X+K#iY4bS zu*8up7PjAUVF=`(WeN)&OBLYc+;RUR2LMO=?@Y!Te=(gCJZ2IybVX4P!WHjm|DDMa zp1?k8@qV%H+_9h6iC{mw-A6(%h`}=u69F7^4tW&B3a1jADoEi5_}?v35e3N*fDF(e zDO@`s5*P`OQK0v5fT1uVkdE@k1nSQ+goRIBn062KYY>=Nu>L|q-K4Ouxel;Me`yv^ z8~hCvJ#qU0tN@LK<==F%qw1qe3i43ib@`k6Pte4iaeh^Z9{o4+=r;>WsP4!z0a2X4 z^p!kOLz4yXS0|Cl;6R=v;2FmI%JiIZ=iv8Mz&qSv{Ia#`;Uq2w(m*5xa5ZKmh20o) z0|(-VnIOC!)UU!=0&t5RWD zB=?7i1$PjtJ<{#JH@N;;N?jxfp~zs!e{b^m6LLBYgviA3sG!U6igt|uJ#g_SZX_Rs z5Hk2wP$n7NO70SY1dRXtx#_RwNu?1MI*Fu$-`Nk6TKzX9{!{2gH~5#`#{=d+`viXu z4*v`7tu{ zSA@*t*;3dAWOd3s`%2KxX71KWcjjgrdnoA!v^rq~oVPJh8#c i&d<@?(cMkM?V9^Zw+8#@f(q!te;HH&U=19d*Z&9A`xYnw delta 33160 zcmZs?Q*dVA6E6J5b~3@lwrx*r+vdc4qls-o3ik&3>v^ z_A6iu(vCs(75r zeJxXyWI0Jt>JDGrruVF~|CQRSpWZEz}-oCwu$p}Ne0yeUJ@Vd#LPzgGK*j{H%#SVB{~UxeT>!^YtF z+ZeN7-5K?z;ixZ&Jw!}vt=!J`) zQJAyDM@=7ygo_)X)22yG(q)Z<-g4~kyvI}^t}3XT&Y|8JC2{Q^`7{c+n4OKH_v-S0 zSm8siD4eXhu0JFc;0a?8jcL0bEtUcYV9_Jvr2_mCTjG5Ja#6lC{~9-Dno5Juu)L`wbY&AlRxCqLUAFp8W#dK 
zW7HGl6yL4Uka|EoW88m?kv>r?{WiHgG`|>f)joPqJ9vlfZ;>N4mBqJGUoO8_0}ij( zhCfqL{m#w!OvvX()1k=?Ojc+%8nVx4P3j5fDPmB|te1$38L&(RcZ9w;*r@aaC$Vq4 z`7-|U-QW&01GDaF!9TOx%KU&1dvymwh7D{TmY@$wCZ>j&C$`S2Xg0~sT1+`$WjDdL zlX(>roG98qgv}iWq&7Wj{hj;N;*LyZ5o&vHwXDZ3uLT=mJ5dqcDuNb9eu6&^BZ6|q zA6+=AihvfgTrO4kJ)(X$e#8nSea3@g@ zND@pAtrT!=q17T)gfWgzuv${2Brchx9`gu&gHl!KVJ9 zumN`WNow~6N9GnVdwXJfwv~u>J&u7o56F=9IB!osaxz z$R1dIs%QNDR4+4^L$D^>d>7c8H7Ilx{6+m6?d7zsVV!oAxU;=4A)}`lWhCy@4|p{Z z5Rg!PI5HPf+(Yd|mAHCVp`-HjxU;mEG_I961qS+VJF)$=8Y}&5TYnF+CE$|${hxEf z&JG|W{rVS`w!j-`cMq^VYq&i`2xENTE|OKjfNKMGjhg z;FI9Jd5C8vCYRj&>Szwu-%3IkFPN@ma29h(mUMJ5wH^=1tBb(#IAKssbG6$zFvxO~ zf5aopTL7d00Wz#BiW`=RdYx(0q=u zeMbgr(sJO^Y5hpTvrHdK=0vM|$Vj+!sVGtuh|Fen{bY5t+bK6T>!_a3MHJKim6#BY zOHycCXi=7YqIMA2j6bbS$%*W*iBJ4FkUMFw5H|ehtfv+d`-Rg@o z>T|iRNQx(|`{KLaZg<{x%KAxsglm0_g6UDcKQ%oa0yLezNbUQhKZ{!gUEZ(mgnhI< zxH}n;qA~G%><||cV$_GKJ`oD<`MZI<0o|V_K>QTdch1{(RYNzezg=9qj`q*wdXCSI z_x}57G0}43pLV((zHVhgspG}64j#YNP4M~3E5J;ws9n_`^zlFGBrOQ{f(pQ+kw-v& z2~8qMQ7$m4N=l@Cg!rV7CfLO#`MkCtN)o5M>@;uF-8uTQdCX1OTL)XcplSg9ZqjLN zRlkRg)4*w^kmcM1g!>`FjV?*Z97xe@Sz&GjthfcUGPX@=qR+)Ss%j|XwElLEb@W7b z8RBmh4xCRC#P|u7XWNB`6Ms7-6m`|nRdc()MZenF!!ba8Dh@b5trYQtERB|4r2a#4%PRd^mV=waIi5B=u8+}=z?xznHEwb7) ziguTy6lG#;I^`;i1@BA7$+mMm-N63UO3_ZUrq`IWqB4Ylf4RCFSnq`TNZyjYi${i2 zG7R0jsX1_~F7x}oM;oaH`cu0(Q5{`?!DDRv=)9e zL^_V#FKJL9G*gTR;^4Itgk&iWP37_FfWii7=R)7_B1@!WQt0uvP71g?C|*!mVC4+@ zGh+RjbTE-1j?1MMbR-4}Z_86Y4VXyJTAaqKEmHdzB!ji8`Nk-{>+Z}2n}&2f#aA+@ zZg78(d!VOLRlk)P+18BuXFxdceo&q2N=No8(U?kw5heCIhAAtDp#&L|P=^uSfDS*J z#kB?HwO*PvOS(f2guJjeHtF`2JQiHW+Q?T!^~#CC9>mKmM(F^t))wqAsnwS(Gvxr% z<-d`K-$WEv`cBBJ!lkX)a_qNMve)cYKl!SJXs~a*?kr3C)eNjo`-#fgEz8-pW`n)s?Oh%|Oq*_TleyW~VsA)ghARFrJ_fsnvw1WIm zcBcY>uzA6PD`5jsz>WhC?vX)!m9dNw1i9oaGA$szgSTaZ zdfXRV2L^bq6k=0E`;sI48rg}k`Kq_`eUA=D(-FFt`}XflJxEQ zwVoD5)FSXqF>R8=C*PrXM2DD`2B8MS7-8X8pnno8VktyHs07zJgosbjSE8x8{57X~ zriqn@?xzGAlik4#^+u*a@e3CsN3M*+px}J@gz@(Xx9JK5$X4mE^XDEC^4w0}cNj99 zdl>4$HyB;a`Ka1?Bw}IIf?K9z6{_UNN|1_+{=S5pE{t4N$6eqgPj}LKqAk+FQf`o2 
zZ_?;{^fW1`5Bi$ov!=55GFkw%Sn_ss>fz7)1u+3G^e#neU!G{jnDF3oEhFXH9cXa; zPP9>{jr_UwQX_~rA+u$AT6X#vAz8-bldOKz`Vr9Ob!Yt1@O{(;L|N~b(ksV*%M==? zMNsmTcO>0WkvMlz!h$RlRSwoD6fOh|6i}htAD0#O8q8EYEsFGkW0j%#Oim^}- zVwZp;9eDZdj`4WB$6PSt6MF1d0i0dqPFM{JoTJyCCpNKimGXF9ursrSJ=1&#VyC2C zli_;{*>~9rDp*xmd;KY)mQi`IFyh@zoMEPu7>XggOS&~=oHf;t(*6omO4z+c;}ku` zpTx?o}cgC|c8_%?Jxp@wuugM{0lr({v-c9ph$7pGsq( zB^YHr1UhiGM}}bmN3r``S1aqg&3Xp7kLQI+@RlH{hQ09~LPZ3^qqp{C8a+iViOM1eU zdnQm7u53eu5kv0<7pnt5%#H=8(ub=|Qxv}Vt#?3^4_meoji|QV7j9Ub{c;p!O_EuD zw^3Vf@;Up+`_aiLL_#Ey$@s!OitrRA-W|@i$FK1fHnUHN3i!$jKTTItPr^6p*k0zQBgaRIF|{q(Rs3yVK_~K#aMU=e;TJ>hyB0 zgFE-xdS%r3g)O5?n+W$S_+bd?z=Rjhc&7o>3>vEX-?@l%RZt3OdYB*R;DhgVrP;8M z3gt*+BeAufKIOpL&HSNb6$RC+Bo3VBw6=X4)x-eZ=(8)szB5pz6F@q!#dU+4o2k?H z(euIG_xlx0;N7$w59alZ@paYrG!UaFYFpQRJ0z>2rDu&9%Z7xu?9#yUv+=;Q9VQlzBgXl|O&DsVPe@LJiiQT2E(T?EsjhQU`MI>rpAu}S zyH1UB&VBtTIr$lqaBWlHAKa;NOs@f}?O6-_;whIrjbtw--t z-J8r#HyXy|hcHo?_uE2+0+BMwRS+ayl=_Klb4ldMjA?R7w4o_gmLIJ2sWR}k|611c zWd35QFZ-@Q4K$#b^(`WYB|E(E3}p&;z=aA=8$^1h6G>aNrnm^tFe}!O{66nGllN`!*ihyNa}Fn_5)?550g5q#i%N)53&!O@;|!&;08=C@ z^py=={l_xUkJjeCU<${mCXr;#MwiW79hpV0tlN2>(PD}4iC^q7gA3qKkS?~DM zV=tuc`RQTvJYwN~kK^HOL$-az--M6h!?3J`{%#h=`@3 z1VBQyKi^-+i6~#HDa*|)v$89`ZI+}jtz?G(1G(B~hMyLR8s7k$%1IV^p?91HK^_T~ zS*daR7bHR1!e;UGR2z;YYhl4{`;s(hqPSs_;h?cE?`5(T<%JrhTToJvlh`pfcNYJZ z9Jo6?qQT-rc)nmWn(D&8{@c`jR$c6{u_zK&NLuw$lKoZ#p<%m`#jRR0C_qO!*0Ky^ z4+e9TvJ!=yoDtP&punVC(*AA02I}G&Bv@;G1_>diA#m}+w&hb2l5wNQ$D?pPV;+sB z<+fHGUw-~8mphy2Pt_Ow$KUd)h#o%xuHBJ*-273~b(pzI1)`ZU#zW&ljUpJqY>p?*p->I6quTL-JcM{~_Y zWIqy~m>FlvT?M0ZAcJKJfnb5B2kX}(JzY85_b>@TE7$2tr|Kqqg>~}CGnkS#J+SNI z?4!Z0qQUDFp=+!}(KX5Sa#-5+v^F1j5H)Ye9}FtfH;;U?@CDH@@fB3zgVmDo&@52< z%Is?TnbC-4o=|2tyExAL*;wr$QMIvEJd~00D_ogGkp0~t9&uMwv`Haf$qO-0wVBGL zVzp5<$id9RtXNZpLpvT&d@ghK^XRd;m+so+Y6gf&OtvR{R<&I?i+A6+O zxj-x1YPvn4S(}0?Ez8X;tkCD8i*qEErAO0?J*AW(MS7)bomn>nih;?oY_e1EvQ5b} zaewEW;nKB))kav(mSJbM5>rj$++EIYtXlNBQ#&<(gC l5G0XICUhCJ>;|ig#smQ z9|~D8Kh_^=US}ih85)eDLqU?sZfQ{_a*$A&_)eqEw{;#C`sQgWQkJ?JWP4=HrM^~g 
zxiv8>!^bGDOFAYtUx2LZr*X?AZ8f*|H=Za|+k~c}f+$g7qBf&YWc&$4U=5l0qf*H~ z*%jAQ#Lg|#XqpOC&k35)n24lUnvgxtGE=Ad>dfV2CZg}j z^C&|>2aWN_g|Q1)5{~zM02G_(7?4~|FRd*{>n_GwBEH;TQ$uy3xl#j+yq`j=v9T&y_Z5ly&ohk=UG5XzT7 ziZh{?;p`(m3?{E-TfK~XO>*e(zJ%!_2V~!0?dZI1zTCTMpV7hNqoi1UZa~WLQbdK` zP*F~pAVRHS&-1R4Y$kWqb`2WEz`^ky$#9Iw_vzacg?=vlto^zFmw=GJ61g!^U7)<) z+5{E()ra__eeM$W)yqDNhJco=k~92cmXLmD04oE4jejE=PBt=FW|Et!u)M(%1TGsMUHilLVPa= z7IU7`Xh~g+s4z6D49$Rdbl5!9o{?V9VY?F(Ltzy&vU>ly&r(kB$cKD~;yqYwed7X8 zA6;?hl;`K-yAKeQavr;IQ~wEFC|?4#no=b49VC2LJJbq~5QR)~u-w}6e@#oArIyD}bvwNR4CR1UcY7$*kONzAgjbv8 zHO`W`W+`VM>C3AO#UyilomtoK(*b?gV{$(5oMR$RMx?%hP+haZJP0J+WC0gXwR}ph48nAR%!+_=Pd@n2gIl(YS&;{5@s_@!)n0ciD z5ae4%DR0n}W)~H{<8iDK0n$@!+B(<@%tB=iHJLt#7c}PjT<_y+>eJo7pOXHs zsiLH=<_oxb>x-1W&?@j`6TKA7vyIYcCU-pXx{|k&j}^^gsk7W>PZS!rl|jk)~LoMpFRpWK>S+P7Yrq zqJq;AW;Mx*@_4}3@UxxIfJ1YBy?WJzw`yg%j}?g8sl#Y1`KV)QI#s%{&kpYCo~;Yw zV*5y=nYm*7kD4&)SoXJ{*HgoY(B#SU$p4!4Agfee75uzAw5~bKrZrW zg$$ELYLQRWha9ye=)OccCtdu5316&VeN_Xkf@1bZQR%<_zCS7jv4g`yF%2O}RXf7R z16WTyX(>XgY-ycX`Z_vV6b@K=3kdAcu6?ce&EGVg`+}~~LYr*uWiuU|6(;HlbanOg zMftUL`X15nj9H<>w=HAbBY?m&hUC{2cmc%#>wEL%kh0llNFmG9vj%b3+^6wQAQGDz z3Yg5pdWV4}F8!6tNU)X6K<=24>T@z814amFePeiQYL0AeILRpc(06=$j zqX{LE5Uv9bsf?|4PzN3(qL~MC3d-RJ`g=Ue(kJJ|BI496ezl+SX0N5WQX%m3JR=PA zXn?3zU(ema!-x9d-iYQo&pOFIb~!l<48JcVOfWtp6^qWjax{7MuM&CHiRzv;S=Ru* zP9+I$QC$wbIkT2T7SS1P=`?yx+MoDU2V?c#dOyQPc5e_ytIAwqAs!CnApn*UnwpA3 zt>j045-qn_{BONtGrx18uRb8ne0CNtT2oQi{LDy}Xwqm(HX# zZBu6v`}+=e5~JP{_;83)o6W()qO*M|IOIQ0T-umnQ3aaxNIq~M5WXnRghl~vEuvub z0iCv*LMeladMj8;_!sCpwqh&z$AI4Yz=HUpq}GV6>!_Atg$he8|G@#2l~O!XV-%V( z_u-zK$WLOL4cH6qIJ=v>Z!Pr8+O;wu+J}wX0=X;}3e|BNNg*H&TxJ^0=fqwdyH|3rQ zQ&Dcx>uX}bBQ`@!tX06oMM%hP8ARhXwb_m9pU^K51tbz)33E& zB#zhI(njhRn-@lQH$W*I%vh`KU4_gJG8`Gg|KU=)uP~A~4U&tfEt=({TSR3P$4cHu z86FQkVS8~x#(DWkD+LO&kxy{b#2KGx2Zl8`GjT%&{MDx z4N#%=4l;mY%=m*}R&yBZ&R$KBh@gi6XX=Sg1_XPU1$J_XnxCCgUIa29 zKZRgOgcS%JF{lc$SC#W*myU(7eg!Dw4zCAS^Y6bU{52S(In``Sqs-GlxpGBwA-YbG 
zXTbo{vuzh0bu51PNKCbyA9_3=KzR7~xO;TE8W|3h7rt|^#J*_7hO)$(?~!2NgAYAH zEd`5f)W$LaSDX-3*|9JZSyUlFn|O{TO>Io9vHfk~4cTZKQC6iSrl|+gmHS6Ue9IWL zbJ4*P$Y`dxS_Ds9dIV3$nT&sk^e?p3YBg zC*(F4hRl(aE1Zgi(x6+IXaqctGBPa`yTEAOyYV=?LZ?ToE2E+@fhyf8qeS`Y@DE$E zEU|plaX1QP%}po&){;p?hP958^1%-)DK_c)kke~XO0h!GI3-vyTGCN^F8`0w9mXFh z(FwLp#_G*-T@iT3o!Q22p5Y71-7rADq7N5E6VvyfRMat6w9ud=mZf0m$k~MW*bsu$ z5E_V)_l&c?qec-BB!abMv{<%qg#{lXYLRze4)v^^meW|t>`;xUJ5mQFNlnDt*bh=+ z1nBk)bEiI%@Gr}xH2w7!CXU7JE}n3+`AC_+b@36-gJb4ldFan3Sxz!}PF#TJ@?B?0 z?+F*s5B0aCbb^T?Yh8~y2!;loFRY-oSsU5MMbwZCt*1zym{Zy#Yc+Zt1g_WN`OXts zvJhw2ZuTC zNlvl8>F-Kng|9puK7Z`LlgNQ?Ztp39$-JOO<_Rl`Q~^tpoDw6sOHuPJvP0v~DaE;i=iY%$m~gFS;*M)1KT{hE7~+ye}J}+5>%`Q(6bJXDn)` ztaMuWIzrNq2Hbj)oAn+W$kg@Z_oN`eh;>u;MYSzFu(PX04Zn(W6E-f2-slr@GjSRcjU*1B2BmNQZD ze=GE`p5NFP*&A>&T_m=(!*1zb*6=eU=}_|Cy?cyycZyMmif2rxK3!qT+qx-3ZmERC z1(ED|t?u`aEWoO=Wx|1Oxd1lNQh6Y56glwA;@U>~M~!cK54Y2NzO3>waVC0Ev_ctF zkUxfkx{1`|SzH=@T?wYDqXAeU4g(a zUk%F&zKoC2VFyvQ$8CRbYziTHBB5lDu=&mdZ^jo0Mpw;ZL+Co@prq;uEuwxx0#lSy zkN#*p4GkEW^L!;@#-&d5l43yc&%85G9bd#j6|L7sQ{0t!(+F2`iNUAGeX_FC&f_>z zWWsY}DzUKeVtSxHu~ZPJrYE;1b5e4VJBeiY>KvF8{pG5%6e^vmG_20H=!9~Ay0T3X zqAwgB4vb;&dPphb#)X0~j`X1;suKP6Z6s>It+ueg9$Rcg!i`Ym}P*1z=;(_#DO)@T!_L%T^X^LE-@j~F&AQ$|*=F z53_78vx>YrZEg2OY7qz?d_PidH{pLkoGXos1}DUF5&@a$-ED2?f1BDkb*2be4KN~$ zJ^$J2v(O(aAazyRGf{^1ua@!z7|P=|HJi|qv9{FYDi~P=(~r~At+T|;tvo+_zOT8h zVUHMeRe+D`n4DN`Ypkg4*?xc2qHBf@vlZVX(m3`JHfOwdJkq$57pL^kAreWe>XZ&L z4eu(JDF6xTIE3CnblaV7jO~ruakbe}-v$~>owG5mI;)A;6VlhJ%LZGmmA*esdwUk2 zLISI9$5u-4bw7&!)cc%e!KT*@X~0ma#ze7gpBH%()MA{uA*R;(`y~fvTKL65w?^0=ST-Fk@L2 zh!C{y#neC1be9f}eeWR>gtX9MBK!ri;Qvi+u{8AXOM(NZ0e@mo5V!6;=v$y;VNG3y zxRP$$)M38h*Tc-blvL~SpI@V660e0g9gWr<>2gSW-GF-<#uuQ7`?F42mckdSULM^u zL}{wQUru6NLDl=-9jiWw$90#GR%Nv@4_HLFou>2WV$Zj8U+?i#3nm@l`l+{$O_`eo zxLiu(LM}k3oy$CoReIVr7<}#hRasihD6p89o3MeD5*=j|* z9IKclr;IZ8ex~1nk_K!00PWiT`^r%8SPxDIkyH>HlY%LgbqT4YSUmYG!yez)=k0Fa z*BQ4|{UtGi_R~uBs^|_ybWb^4QMDikqg}}p?S0@NiJGuZUT9(YsI*8ymW{~{8 
zo$lwfyYAsxDe4-Y4~8gWY$CuZ%uI7)uBs*8eG|n*>n6w2cCs3!au__|WlNZ*!+-hW zZyfWlaa^jvAF|47u(KyPT6-2_;v-9_>e98z26RMP!i|FqsFc|e#0>U?Sa(J^_vJ5T z7$-nAuUr__z056Dnp>jt*b~XWBqBjRqeMs{y;*sQH%Mu)Q@*;y9>p$8{a=3cXQ$;5 zeIU9eB^BeVAi6Cj73Fgvx*H3R-FecU?Oz(8wWMV6ro*)LE!_~1rPJ_fdI1-V<|<%$c_Fi>p7@72UgpHWcYVj7Y6x`bRC)$A zQ)-i*dL6xGOP;kM}zQHKO*m*sXJeMxGA)E0;o9^Y=OGo}ZsuQ(j298cM#1$UMMH zBTk0AOc4b-I!^pT(S`E-tiKTyFHUjXHEox+G9 z`g>t|cEMPBO8eB+N%aO*cvLd{H2t2BilnFcK1H6O6p4`E`rL`{^Lf0Ph~=j?M9-l4 znLvox1Y_ZkA=q9wQJww`qANR;5CmWqjj?aQM_Oz}E*{qb>M`Q)jX>NT)%7y8gP8!_ zuHbfh$16gLuCfjC?tokH*Y!Z1y$zwOM?wndp5()Im^*Xf|28~(#fJEvf5P0gK(!6F z1@f*6Um5*^`~-j14*G9D{u3b*=yjvFS3#_F<~lIeZpQS?knBgKy_}`hPFMsxQ~Mkr zFYb2v1^#KLM0{s6mVoa=o^LPLkomQcKVm->znAM$H3P?T3E*-)FuxZj@%f*&R##^E zfu8&M{_|77PucJ304^(hocJ>Nky^|hz;Ss?tau>KXj{>AfgkszS;BmNh2 z${Q2{Y{P5-ELehc_;^BWAS}#JeR;nxZ~#E8fk^rh42Z>`P)ZXurl-ISF72hAeZc!tCHmZ`vQY6f^C9E3Ws}kHGw6LL(SboYNJ$RlNG~7e*xwGG5By`4 zL~-0O7zp|#&=}}aX6;IGY`pN)D2|o@?m=q`5RU|)qQV;Gh!GM`!a0Hx1)PjqK#Eva z6m-<|c)xx;GwAbw--BNnG2GXDww<}MT2e%dgrofk#6qcFg9Af$JOjJ(3L<5SKxJV0 zdy3Llg~#V1aQU#ABmAUm`i&su5I;j-<5D4lP0PBx1BE7AApSImv!_lD^r<>L?*w)< z5L;ewcpH^?l1w_D`i719e7zsP=>KodY|<;xSoR-&3P=h1TEq!{3OKN&np(86>_S=i zehGyNfL85{k|9afN)$2WsmsLqJvpE{qNy4|tFJL7(hm+1ThGb}qF%>34!fWlv@? 
z59;Gaho#)*`rdJpyqPq6u4i8pq?jZ%)4J6-Oi+-D->kh^cSYBe)$ZJ^9VXs{3~$WA z0n*U*rezg# zkAW*?G}TYzD^A2fRBq+S;Qf+7ZCbVmtqFYc1E%TdrFgQ^$?&rJ!V)zd^*b#O|XenNJa&SL(!R!Me;M;@WKn9f26Xnqx7LQ||q{ErJiBK#ange$~ z$Ujb2T}`HQRMvK<-AUcT6T%X18BbfEANY3MGL!SgC*(3W^>C7wU+qQW7EcPhkw{AE z=n#EF9MIv0|Ke~83a`vbq{N`Saf&E?+9Tu(rW_Yqn;?u06t1S^qRa{^()^>w!mVwI)bfFhYDqbZ_=wOGS+QH5VfX(34wh>2+6Qw$002T5 z{~h=SI8{V&Aj?6of-25#RxUcYh?laC8S#SGNjCp?%*H5bOQUU5;xj}@jEV!gFfKDM z)Rs3QNH8g=VPc`*kR;Y1ktsf@JVR>{df?udj=6A>9qK0VVQibYoj|%tK(R|9gtUcz z`LV+*D1n5GS0VwrLQGIbx3cHYVzx0UfR>d0L0Q5F2%eLD(@m{1g@1s{*C#aK0MEx= z(i>GOrRBp9B5narEYpQNbY?vEXFafZC6OI=Gw*ofSRVL&_qre;u;a{>aw=b4c4o$E z6;e0*i^pxI%1~D| z`IVY~G1IO=Ppb$Fc*4b~lJ<0ytS}A%_Alog5PyHNWAyxUKbe-w^M`;NvfWWQG96*b z#6guclQaJTP5_FOQZFjQqy)O6aL!{YhfznOk;z8RxlZZgRH4_-;xpDfAKhXf{9}H# zlwFrDhdBq}S)XzzHAoV-9b00aRmrb}$bj)qFtj0vaaAWYq{I; z1IH!AKa?E3HO`RhX~{HLoUkALkKRT5?4K35sazu4B)5)gh8%&<&wn6(^Y)z?rN7pU zX1Xk7v<_&TcrmHEF_l&yaKfmznel^Q3t^2!iZe;Exp{`#JN-hq8qVtO*vY@9zF&uK zNAqEC<42=^p@c4zKj|ch#9i~O@Yg?i`A4gBcmO+@NG&IcsMtli$d4%7G3M%KzQ+*1 z|5wPvru20FM1}+aKnVWlgm(I;;6RXc;WAg8xTahc=-?-2uIO|L0#%N}7p%50MLR=P zOOaJ{TwqxM$*LpMh#*FaKlMo)c(pv!O_zcM`YNK)%PR!Ob-L}pnWN#3`H;}7cO|-C z<>nsAh07tPj-G)Ix56+Kh{>yH8i$$Esvfz*4xpwi{S7cAi!gyZP@FOu6hNz)=HFjY zDNHfUIHnoMaQc9C6!6lwP>>W@C{9s>Fy8fG_D<$>HD#^x6W7O-8vU==!}AniPhdyt z#0$k?>v=Jo#fS@;NVbDNT-e*vr8Ht@tRk|KOz1J}$bkQ{9Kx9GWobr-Wl8n)LUA?o zy*zy*)N3WNF5162(DE(`eR8|B)#39baWl`)vviK@f;S6OQKeMkF_so9y2olze1=5W46RG?qq7W8>#(8S)Gzsu=AD#IY=3ri+ zyXF=<>)4y9bRTCx>wjWEFHp|2O=qfbInnn+%DFP`7Z{}@ip~)ynLf z!f%Qp-S68}w`a?4gzd+2OCk?^3huNP=f&h_dQv{?2*-1VqH_F;flMBwc*y)wJU-8V zBDyOc-Z9qEe4Z+UThO0iTy@`{$oa9jeut}p^r*cKXhgVG_N-dRv%Y!CHffbS<;vReL)Aqum%fHwm!xk`;t^5x7HQg2-bMe)aB2#5!sodV-LW4+7A3 z6$gc_Jx?ma=anZm7jU6hriy40o(oL~PFol6=TN-^Iq2@8U_F3Z%A0-AxWof!!edHc zOg?GYyoKu9!3bCg63fGdqKL>nj@l%=AN6U*`4C@0GN$-0+`BUn z19RGBS|HL=8sZSITb_amOGQ`;n;t8T~_)VKD^A6W;1cB=U1SaCk|4?fFwP2Y;Cz|xckgm3Pv)*}HuF}79WtHxB3bj)`PE}{? 
zrd1@yhrR9=(rABlPmI<;uC11z3?@l2uG0VVE;jcRT*Vhubt#I(+WxpnGOY+dKe zu`XK!XSr$zGCQ+(vf-Y&<*YH_r=qg7K`lS}Z$mN5id5EOpgjXOk&0@K@8#e7r^*G{ z?aFEHicyRu38u7Yfk?*BCcRUm_N9;U#M3#?E!8tv8l$Qh3c`)1x6E=cBf2V^*0jy7 zsUP-k1`T4JV0>(NG928h4LFc)K<+`AbZ{=gNVZUymqdUx6crlxWfBojZFB-2ka z)q; z1n44XJm(G}c%yRb4lEzCC7h_%-Cw#J)pv4XT#tOyz$Vwp+ulmIp<;frAkVJGa2)zC&VCHKRP9D0jx;0X~h?JQ3+aMd?5M7(~+W?iW zxms0%c3r5baTT%f(z%ZNJR}d)B(bNh_$abFVXc}4z3}OIYp^sh(r|}Z148>p+{x8P zXMA=tAX_nO%&BIYnbBM#m$PVgnOK(Qh0;t6$}p40VjUQIkX_J55X;^UBP79xM8uER zw;#V-dGIEw@GnoDkb*r|vgw~f?;@Ki_VHby28o_NAmz{EH%3sq!`J|nr--!cgE)Xh z8>r>2|K8L5l^}wrR|Eglt^d@qXF~)aKnh6U3b^n*(td2M8PA|Qy2Z|wDIm$+jsscm zvZ&$Tm}nbK=WdazLp=nEG!fVz%0EG*D13)WFk9=x-ct~F1sF5^yOZH4Id0eNMmA*@ zId6_rkl99WoEPH0SH4vi^Pw4_h&s3!jNIfi>H8s9b7!4TkS(S)y)?UA(3K5re?(iq z9p-%--;(DVM$GMD(y5}plzS|zEp=MuRV~w|+wQIKvulb&IP1M#y1*+NR-Q2Qc4Ky< z$@#^vppb{S-_gKfWBM{0QdUyph_x#sWDm`?Yn9^xy1Q)0h>F^;3*q%oO*Vw)D|VZr zK(@Q2A;~l1(Mb$pClEQ|-U6bDy>7dfj+j;$*SjQ3IZ|k^u}rCDv^k1iK#Q@4A{#r% z9kRj_8MG0QAwFl`2)IX#A9k4x1-|J=seRgg8UW51{*pMkkF7KyP&Q+`d7E_jhoo{x zygOo%WH@n18b$NrdNTvD4|4NpspHVqC*(SHrRa8>n<~5G6{+UmhJpTfK{9nnG_tEz zc?Qs0Puv319V%(w6FKsA8P*rctWouM#k-m2R-6HWe#5mlFwa7uNb8h4ECgaK+h$DJ zTtQ+2TMkZZ2+{9OX|A=-!_HoM$@s?Y*ECJ$h5QT=IvV!LONYrjS1cI3X>){fi;hvA z>_&0tgwbI!py}YQC%|{oo6#7|P6j89hOG2!t^qzO3*jGz@`9V z7_<=PAAfj5Eh;+~j9j;Q9PSyf8>gV=nq>37p@yF1bZ#fCrmyl;X9Gr zCOtg+ro;rOuWC&HPLyScK4%R~$An(Bs(7I-rKqN1E@zm2e*M^eXycB&4v8H?-WfIY zQy>66YQr)>HKcHC%^-Yw2trb&KfchL?g2K0cqPt(lLn=V!E^GH_&Ep*?JyI(h+cgw zoN&(i|17{pFN&JHQUJdG%YOf{rO(h;`3wsgaG5D1HniMeLf@&+#Uj8 zKr?JkKN;-kxjDOn+cyPFm8_3rf_h~8h%DD4qA#WeGYE^I&B(8T=VDE<|U zslAeXFu6J`D?(|;XsEw@vDV8Dsy?2Z!J^EM8QoZ!H3ans1+X5akF~oWR{(1wEHQ`KxEt7Vf;SPQuD7Ry*w9~nblon^m&ujRBwpmF+AyT zpzM7$h(nKCeO8EVN0h?Lh@~tPBDMF)HI5Ux>fLkPIQ=^l>1JEjokHhSI71$Ywn6tC zdYN|c#EC^&@1(ZZ9lJZAaqFh()~$$JwuDEeB%O6|NZ5`RmnZ*?l=%hsAAk+j!6~2# zfB!80V@Vst!XQCXXu$qarM$o9!O&s*R(NW%0|1)rExQVkF`&RMk|(#> z3to|1>t79vRm5G5>#V^riOftIsntR|JAMv6G*?}iyXJm1c~e(u1#6O>fm!U#7=qxq 
z;IH*g!{Y4kD+v*kBthwcQ4ej;niR0A)3xzK!{y;hhfNutq;H-%X^HA*G~UE7=FMh5 z-sD87M|0NV5{{g@oDT0W5Bq@oZhVw6y95K|&Hm{t(waI9sU@;82ct0py-rc{xQOGB zzpX>w?Q-r|HogH0*1(x>z(@SA!zGNjFp7R)@Q)|8yPtIIM?2SOB0n-vFNt&lU}9pW zO1}aAW@$+OHpo9EdC9V2lg1eVFH)OF{Yuq_Hv)vr)-NLi#{`;BzkvV}g110zp#3)> zUgD!Wzen*Ku&ek%Z=Ka+x`2vdI`QvoHKkiQLHVIUV9xlBBlk1qQN8JJ$f|Z*78-Ra z6dEmt&20I}HslqfIz1H{%5B%NZB}Y+HV_LlHSR0%x$Q?bYVk5MW(G6zj8x&2-OFP!h?0iwpAABOU6CU=M4v+?6dj zAMCxMm*$5zFy@C-0`j}0cWQdS0WUf~-Wq$>_16RpELI3i?pv>pj4lTDrF3&_M`AKsupH@4ZGr zx`2Qb=~bF^k$}Kfr1v63x=IsiQiIZ@3yAbCCG_4)fB=6y-*=w#KIi?ee{=1Ny)yUA zUYWhK=AM}~YuKaP^;ScHy1*ebxo68c>*vwY7k<~YMb||_=z<&2>E@AcoD~kHHgsn; zL~lTDfNM}wzIjke&(s&5>q|$urf+(>Oc7-ggql0&&_fbO;??sYB3mzUe;cNGam(Eq z9;pWTx@hk5r4^-U?)TWy8NYrlJ*rn1uufj}!wemUy}JUHK~aEGqw)>to`BX32#eze zbPLYi{X$NvGEODv>wdz*URVp#d|iJthqgLXFXOkC=h=8`!JGz{T)5hB6PFr_V1G-$ z(tlSx`&O4>x@JlkYTUW5%!9PBC~?2Yf6im!&^Q5m_#|j zNn8)>uNP0cFIqRA0B%FqMvzT`pzAL!`*b&;L#|Z`>I?JS>iKrbkxqVww0GiA7Ayp^g>SRk>8HPf;LW@ z7s`80b$I9at02iiZ`~&fb8e-tdR?kZ15LijBUxB`slZ4y)~z5T zpypeJ7|^dsfNIg%7wTx@Gaj>8{1U5~{3Fu5aDD3j_vP56k&KHqt*hc-hK-E4+R2H$ ztX8%kY?-?C_RkoRuVa#S41iX~=T~e;O9=^_3Qs z2UWq4Y*P^SfmT!0?XqY7F;AFA>TLmcVMlVYV$)Oz*#N z70U-?9DTM&Y3li8WoQ}g)@UsUR4zRW%!qXw0Z@<|&|O$)Ze4dfS1fnR!-x2^7J>^x za)i*$>ZIy7IcwwZ5m(iUbe*eoLOTwAjlj#iY{fu4)_bu}DZ`c!@;tQN(0o(oK5aWq zW`2}EGFwPFJ1*-t9#^NOcG^bq?0?#kyUNSh0 z@DqklbH-r_$7XS3XUk`T^<()u`_f#t`h(`v3oIqN2a9=0Q|~S{eVxxi-++>~0KMxO z2+8#Thp2WTx_c#AK@e$Syxfbk;!WDwBfs#47I%V)Ye#H9r8P z?{7Vi^Cvi(Pi{azato{v(o+fx0L=o9p>%KDvqah_3yHu@m1SIYb9v(Q}-)+9fLG-UXTMo$%9It%quJw&;0oY=jKfCM7 z2+R1#y6So!N3W2OXV|fZ_0Z?#0dc>5C5~=D+j$ibQWVf>tc2y28RIZ*PlTqF^j5o6 zkeg^4SUS_KeOLNE)otnqw6d3G=xpqXMTS1S0d==P6S`CZv$u;4!RptE$j>Nedn(}* zM@Pru8<4whwaPr+w2LHAmv50jc+V!H4^f};k|R?${ms`%oyU0m>b$d&72vCymSqSM zda>n$&a1GfMWu3XgE>rX#rQo~V|J_+Y20;g9n00~H$5ZLTzQ8fHLGLX-%tv*%TS_}vu;rjeN(MGe4r@;oP+yP^`B8G

zq#;S~_jBb1-B-pPIk;m&;+JMTfht~~%HkR?;<9LxI%!ps z>N=%GcIDCCStQt^_X`fH+XHN2FXWE$TR*@`G%^OX$I6axKvh?13wHgCaTQ;1GD~&o7u?c`h45Y<(zf?~vZ!3bHy$^@MJVjihHaNtnXE^$`t@kX`FF825;FMNt0gW4>29_b zsgjB96AxmPaVs;q8p2J^V3hxEQ)7#)K+YFIh8=|Pdm?Y+-dl;E&KU@jRb8N!PJozH zpnn{22&~G@`|n}s3dDB$den-@t`?ycKH|O-MWL0RA1g_Pt^NRaImDl1`J@}02ym_l z-5wtRcje-=OTW9mFuoldqW4Bna{r}cPEkuIMH0fSOBut~csFdZmwz~W$2vwweKu*#GMl{@Ea zBR#fZu66?cwu?s2)=)b^oUjD zcY)J;ypb3C3@dtsh}fYtbC#^|;_%ufZu}f_uaA46n0g*)rwxSNfIi+|f}(F@sAh>Nk6(YCvVU!Eq(bsGnegQd2MG4yt9wL?(tM{q!9~eH3m05xr zE62CK<}e)jApf}OE&I=TEz7H4KmaO3TGqYR|C5TZ`;Y6;=MYkum_`d?OrTMI!`D?r zIHt_mk^4J2$Kzz=TVEFDyiX?;-7P3SylvBnowzbx%DfV1)8Ie^Db}H?>iyPESXb^P z3)+2b+q$U|Ww1CiBNuvG*~=rppTnDHS@erJd60@Hv(!FWlp_7sp;Is)Fj#?>EA5J5 zpWHOs!R;*-%`X9YsOYIZhGTO(Ul-Ho%=O82_Vu6wvG~bbX^tt~sdf59k^Bib}>gRPu$8nEbRK3s$ zv}oBGG42eNimpv2z25|6-hh-P3Kr+jK`6EBR?IUj5Hl9BfW`pJI7rAP0rdK9zvb0e zf8&$N^NxZ69<3HkV?tem+#}k`5v)%G6RVC&6fasFsufN5$g!=_v0{B62-rq*?W=W* z!Sd9#=CM#Q+irg3nf=3p*w5yq+&N`!YutNRU*>qI1YAwL0j}A*eMQywtJb^9TXoTF zRg8Z~JO9?ZiQ2fAZHTr$)BV)&1lS{WfxTmu5T*P?2G>v0((;$|F#}bXH=qSF<&P+u zgQ^iEQ(YzXFSz7KkDR*(R39Xtk;weG0l6MmSPTQMJ7Pv-&q|Hk;a;^rdkB3z^95IN z6co0;qoKtBET$8oZ{`$CRyFQ!rz?USITn%oybSJOOU74UoBP&8*>(fE?RJt$q}#Uj zsZEyw(@_ewRGA59TWuTF|+e88mh+{ zl`qYmb08D70s?3`U$H6ko@e%EVOY^3=C9*X6-+2#1Ec)nN?ihV9b7W&nWd2(|A(_Z z;t`yy-0|8*3nUPE1S>H~hKAGlQPeJXK2@YmI*VHaH}tJ3_{`NOkh?Uq>}M~Ux&~8J z4wcX1#^8VW$WQtx83)gofDYGja&-9na2}_u*O+euIwF3tbV8)Pk2tCrra56=xjr&0 zxDFscl`q{Nm)N7WVi2HdGotTYP-aDZ8M@<-9fIZdDSyGr(k5LTKfRt|V2GLpoemBg%S#Mo*5t7)}>wzr&Dyr%aR#7`6PZi&+sTst;NhGQ9MEsBYtGr;7=BXFlEl=8 z+Ywq_9h9d4!Xn_35Ab;1%m>TtzJt*AFN4WxB1Y5PWLGC1hef2{e((KLD)9YzK3_4} z+eeCvJ1c=fixuQ($)O#zh+rPFf?{&h^nuF+y?KQ%QzgY!*2m_BV$pnS$<`1KnIArx z90!`ag%&iOa{$BsPf=L>fKub|GyAF>0iC&p()4dRzOZS+{2v_)7BB^B5I zCLRl9bI%mC+-Trm_ynb^x_=d(pV3k0hk#elnYD9xLI4?oBt7}><&$@oll6j6@x4;i zzRMOg$1H&bFE(}W&e8eFhf=-{ku$a_4j#;5855r=p{wbq5GWULtUlb?{;3(oqral` z1r(R(%(ByG$B?P$Rb*M0`N?#))a&8+Vd+PikwEvyZ^A7XmXdxOn2P0*S(>;ER)7~r 
zj1T=32M2*0kc%$Z)RbRJw#S>&ru|nG@6I&tXM%ySwpfbqt^Kgv9jOC8O;pM!CqL5{ z`4T)fl$jBPec`sDzBq%&$K};+ih>7Z3H&ss8M+ZYzTPJ48Q~dGB1!ihU+Be~zvo}} zcgP1NN`>uv(8GGSy6N+!5JslHZ`$4K`k2#QzNi9*8my5J|9F49o;~f}waHa;iBy}uiawqZB10=@{BpG*Fd5I8Zr3vG1)hEvkrR6^rny@WZC_?2q0H^qofPV{B5PDw z5~2g9(3%Ie-LD%JN}Oy*=SLf6L z72YO%lE8d%oRe%`4-C1#Kk6ng;p>4!o!lAr*d3znLJX-e?y>sfrnwym&&CsV6S}^- zs%>UR`E@empq?NT$S};{;lVaDbEc7(V6KNRQB6EhnHtxK8eyr?PeMp9GkRIw!#w|1 z=@zGo*HAJ{xAq1^g`!;Ci`;(3G1{oBfEw`-5Og?Vm8^3~#*db4ou^z%RGrSc3%z8Z zlZtTh3b6WiCI9Q;1edwSt0EFz37Lw3o*h0j%WK`Dxm@Rc<5T#7)%J{c9gS!L1q^?? z>!5Lmy|x4^f~SWi5sQ6y&8tftFg@43zLmOYA=U+{EzB!*ny7T4cUw&;>H&8Mq&f&E zOw822G{1niO$D=AtXq*PvN~Uj?PsHz?E@V8YbyKke}=qE7AN&INF5;5z=;hky3~VZ zwvAXhH`DH)G#VQ?gSn=C?>(-x)v?CKN-V1Qu;4dPn`I*mixoO8pgWugwETjae48%$ z6eD^)=WNogD>2s2B*WeO+uRJF(_U?PnM0oY)@ONUOdsV9)a=&rOa+4)5;IT))0slc ze00g5l=GhstL|aB0ja}dBN&a-jkOmC&aq%x|FM;#`%ACxn$O z*87qXDcfg^XFUUw*V;9fwJDj}z2?wMFH{Lx68c6kgI-PY!U!RGFW3;VB9iD^XxnFd z4La=IUt;vHj{-lN_|#9dzcq^D{77-SJdaQdbI(f|i0P{8UEeygP@)j63Y*3W5q|13 zk^M>R@Yepobo=A|FXs_mM${>e7l1~zV7 zkvVHv<>?yqE#*n2!n$vEFT{dV<1e12N2J45Gd!G^J^c2j&tovK{7(F+^? zc(auS5@|@7zfc^o>^%W&T?1FNV{r!fD^!znYjwdrP>A^6)Wo9Bhed4zt#4yxRk>a5?p8iS=4MQMqX}5BH~Sxw?Sy)MAulTQI@?kBqU>6APU=*O@r&niy>p z^^dD2`mEqzL$rFNe(XMt%btADMTzc+lNOwH)8Wh6VC#k|ekV>19&OInymA!(~W;fX5}g zOHM3V3&sZ$mC!S(pOxpylh+&GGXy`Ap#3=-?!s#LE%IC2WZ2h3IkyMhp8Ej4 zfl+=1-}-P{>_r{k?18R^g@Y!6DpHLrg3v9S4c_Z%y_mqdRcAnQ;@teG^6iQqA3abD zfAw655G~adB&IQ98?S+UskLPWdn50#AN-ujn~*&|n{Oo{Ot{tSfKoYrm3EiKdHrSI1zJW5Z~H7)@Gtpv(WIK zd;XzyxWz9N7Y@O2V~$X-$tD(V*Svt204Wi;? 
zYw~9jcw;}#cQQ|(p>=7)=>&nh>L23@Qh$v-z^#VdBQPDs&}*pG4e0${%ozNuWFX9M zzM909t1F1cJA8(zm5zxl89gx{%pmJED&M3zym%->#o=Xob+`hjU3O$=Z!z8JS|uY= zRAJcgLBd{!BC{8YVzZ4IG)g#fdKAn2pdu|uvWXkeI#DsOz>$ko1JJA&H=rvl2_ZCY z3Yzake^H36hS%*_+raN#DP3!8?2oc|hRb*wg=^)mB?Ao)pqEf3Ud$tzkwN_c04H57k!WgDDTFMESb&T)e(zg_}LW zg2eN*>_=?ffR1rTftLN-y89JlnW=;4F9G6BW<9S2;hqs^b9*U2?%>b_O#y*pD?#qv zK(XTU%8x2yEZ(LMS)X3EJD(@?y*W!f_`!9$+_E;mD0D(V)=~$*#(`WvL>K`19;gEmCXI083X7p#GRuV9s( z{FZuG>1jUIq*%QcL-TzyuB?}1YO*Oem>{N6wL)Z0V{ZHpQX4vhlc7R;3Mouj<);RFS`C;8lHH8Z0I)>;2YB8%mk_F`Cbg{Lkdi|Fr9dybT|L zA1>|J&FnXz!7z~dK?OSAbnoiVG+7>fWr<@~%b|>G3ueF-dL8T1Rl0#D9`v3KqtY`a zEgb;AQr zomC~oy(iZi!3!}J5SL-+arkslXb<^Yjbd|u3dSE%aVS=QPmO2XhEF*_uCvD$LY+~C zlg?GJm&mZ?fBS=g=jUWHc9R7{RX3bPI>)Bhk7tL6$Mc~ zi)4(`QyU11K+*jXiE*T4a*PLyqNUQ0gAz9-4y)A4G*Hljiho6zB8Lk=;8B~+Jfkxx zQFCda=6P1vwaSwr`lB?0?=beOzDV|R)&UUJ2<(RiQs(`hBc5_+CNknOj(JKXy*6C0 zK&E41W>i<>C{kKh^M#H*x>5CZ`JImidQV#9vd28fcyxr*4y%ovivWoa$6Rkb5F+Jr>HhE%~EFWo-9XtONL{0ZIX(6t|ID5;Aq1;#C?wK0Ab&eFM zK_qd+GC|ejCF50xc*WF7ck8yaf|Mh0Tv5p1;`*-U@`qp!8)%IrM9Y51}8MUbO zj%n9adIjMtSdDLw_4vJGyUi9zM$5 z6WoR<5$;$4Kr6re{bH2ysStoF`n*1(=21KYOL;D;Rqc|3_g-fH@R+O2|3oy4Nqo9+ z_M5;Zf#(+xb*yNbQ-b)DoSQhb9_h%|cplKs`upjA#98aa*GU#(%_HgAlh1^gL+grA1Li?~H$L?&v`#MF`OOxZUNenT}?bjC;*X z*XB$}#PwaXNwh|ZV1c7x_NTJnZL7av(=se@|9J*JkYQ>SAv;TSe}&3bzC_po!4AcN z+GF(`+~xzFVsEyTJ(ibW&79BZI{nA|%LU0&k9i)S_DypIy9MumjOHOZ(GA1Auj91` z%J)-@Ye)IF1?~V(U*lfJ$bfEp65!;nStOuEa#}DWlK7Zm$v};3YRvmx<%mvxd;_Z3 zXgM`Kvmnz5^3jj(l|dqs@2%L^2Sp_ogru#Ds$$98$1XPOQomc|G0L(%)~&q4O4*Os zjq2lGtR#2Wk9IqPT1Nax3hrR$%Mp@PFd9}r$lmhcfdDzv8QrG>2NH27wLdeOa^Y0H z-DkH?ZIVXHRr&TzYMPumYvSZpJ|?-42utb`UH+uHQ$7cNH>PxkN}kfzs} zAhV;erC#9n=CKB&Y&CFl-}(M1C))`$J`!rU#sW4AH2~zswG3v$alg6gk`|TshLpA&SM%oa&poKeq3c;1Ty43>mC{jnP}N<& z;oa@U!N2%h?JPSLi`}Vfa7P!$v&T)2-26y=91HPBmPA7m;6* zAWy=d-I5*osbeh_EarU4O%B>-XdjFt#L?w7Eiix~TOZzFUhd{U?gvZP+`$8~6Kz-6 z3btF1s#|KD(+J4jNkT*Jw=%{CICi2mD>mT#$`Sg6py}oxvrU^P7$#47CXFA}(k<{;LC`9ki#$P5#09vAD 
zMUYUNhiK@NT2^p)uLr!d;1zfJkVEOq^t&F(6o8`v|k#MHioTG9(@A<*C%lXCXX@>6SpGTG&UY`&0)(`k8+rD^-KfYxSt=c zx^2g#oDEaW#JetBcVt8;tngSpDUe6&g`1v@@E}+;-lSNLz?XR-*VV$FPIyh z@8*|hw-kB(qR6O8P`Ub03+Bai+tHyeMj3_g5fs}mP3)E4$S;3cQQ!Ebro3~62ql%* zum(1YjwRN~Q9vtwS0%oZ!XI*j5>3QNJ{X3 z)2(i#I8d4~sSbgVZ$@Xl$aWTYwY3kQT2VpZ*w%-pJzWNQrNsMKiCqJOvSWzIM)T>o zEYX?i-#z?EopOA#A;uww_t0Tx`*SG^*#>IEyR}x)@NZ00tJj^S?>ihQt%AaLpqG!=^P6WVryGn}ruwZPQPwP9Ro=KgxrkuaxZ|Kja>oa=ts4 zt`@8V#d1|-9%HHDU1U;1P0yYS;&8+f>EC0Czpseeu;3$#il+l?zbbU?09!>l-JN|* zuZ!bh5ZBAm6vRsT#FpDmSt)Fw(}Us(D(rZowvi?QlDR6W!7e9~bp;L@x&h%XqUQHg zT3f1x5-{~m)BPfc;@h~yk{7*ZxxH|t!2VVkJ3}6OuCf*T_3(VUu_2)X+s2a9x%ec1*dJ)wed+<$-dyg zVx2#XJbamyqw|;q{;GY^3l?@_xL4*eJ*$>sCoJPmstXaC?VCjy_ZK8vjnzU88rcty zPA&Gs;>yZex*BB0iDFyx;|?`gmLi)#~EPR-N?f^NuM2HsNa0OeGOxa?JPHc9=p-`Qfe;vXEXMf3B|k4&ESLCvdDO}ypN_75o87SeI~iU zUtgBAaRPy&SzO!pT{ww0Yl)JDMhc};iBE_89NJ|}GeI|!n=`KbfdY8bc$S!%1@mTSDqgw)a^}D>bXu%~-XjL;q#Jdy8t2P&it&@pd)!p@ zEs{LtKIiWWhH_O;!`Begqh9U`mWw}KAe_NQh6AY%DCx0DS6T zi?yrLPqyNdW57&rd0@v}Zprfsx<){d8xZ+;%G z<>&bG+eBD16cr$2dDJD#8@VVJyvv;>`%1?!td7=el+idDrMr~S38jOD02Auf2l67b z=6lm;cZ`tuqmD9cYymtwR*r!Wnrl+pAvU$C?r~+cBmG{CY#e@x)#RT+3jquEl^3}o zinthFXozX?c3Q3@lbifKPc19!>2K#b7&&W=qzlMdh~;8+rq8iaukbsl^`}Coqi_YV|k@+lE~;YdR9@< z2+p5$p=Zt$m<><&k@so)BC&HGHp4}li93Y;;5~ER%HZi2*i3M#r-Ik=W^b{MwJb&7 zFtWrQPg$7pY_a8Ge?3FQzBIpKpv2wJ`Z3P4rl&0@l^Kf_16d$-Wr+^5qJf-?&DUq6>n0r4$y{z5zU z-`LP(<3JVtRRPceak{j=_x`GosX_8k&9Z){Gk7QpX3i77+iB`=Xi2kT&4_Jt%W@y>!Nw6^f~&|_7s0!pV7>jGWK_D zjS8WUEj02e)dz@9jE5zYbK1CZfNDfhz9>=PtdMs6oH1Zcc%JUhzRJZU*6;OJ@7`ZN zQnuG^(Tzu^Sp<9SaqF)W&MFg*paN zF>QXvmJA2ssbcA+K5Qk4yRq0msC9N?=`{B>e&gU+VjM|vFRw}(WiHv#j}FM98nyE` zGn#S=fV{eFMpMl$dtM8pqKO1*rRC-0@#Y9~=t71UCJBGYaWToj}>$U2g*^d3iL zSh=oT_>H-?NMU+;%%}tC4(I+EQn7rR^H=s~00vxYGCAXFFSld(pFKrYB~G~T4-qt{ zXF%-WRVK#gi4L{4uv0enHgUG^!+dk@sqcf^=4RcvDm1GOB<(-Dut;9S7s(tYOq-p) z8uIPu^&mmXnyiJNhh~(2pu#e;#(t~fUh1uAtH$sc+uMs^yZch#X&xI5@h!BR+#GQM 
z$cmfL#3yMS4e`oR)k-i#Zx}X)fziC`3JHO%je>ogc9}llrOOKE!$;XDf4pWb5=#Zaqz`<=`8wm)4x$HZS@`htk0m!E!kd+T&jBW@C+|{pgrO%Iv zt9SKORe(+yZ*`+@&q2v5w&Bl&#KBVfW1Qm^(b|A3130g*ZO^6$^H?DP7j|u!*5$LM z3t!Ow4M?pLQT?uCz{lYhK;#u~D~G?}gIc1l@jS{{RbNXJr7GC|ox2Fg2NaA_3S=4W zuy=cq!J8iwn!x>jVM$+3ZcR5=jQ}26+ECq^TFh9Z^g{upiL%0I)(*%q0tdQeK7gjm zks}1$bR%60P1S5{jUPJgEQLNO&K4cbeG4Ms$nBQcgJ1{KpzMG}wfJKw=@wjX{YAhl z^0MU@QCxeP*E^)@I6i^zk9u$zm+h{qBYW-h?z<|;K0i58Ea5?#GHPqqx}5m4-{-1M z9cen&hE}io3pQOoH+9W{v<%O*-DUM9e!yV{?_HDL>|k`PugGX-LZt^nmYC#>Uph9J zc`x+>n3reoo=!ZK#@j zWZ=|J>LeUrv|RGj;jf{1a(4pOam0?=K^s{lq$;=od1a?H3?O!DwfIUDT-v%A{Jy>6 zXX2QAPhbJ8!@BNobm?x=t-9v+flaeYiichLy*m|+CsYs_j>}*1{X>2_5I!#IF`m$I z7%_g1&VVXl9P!c5uK0Pc-{fOlIbDrp{TmQp%+k~DHZ%k!e$PK*&*{zMSjr+5d(8cw z?2B=yrR4rj4!n>nPLb&s^&QT`@{9-JA{4yC>a^Sd2X9=SK$<+bEH;5&V<{KnBsGn9 z1Bwd77oTbRnml)9WR)~F!R~*{4-ePdUwXDH@TC$e9VsB$HLakGEQFU@ntlFk-uF`e zekB#RR=z!7@({-FN75e-Y43;LL5;MUcEx$Qen88*)h4jlDXM?D6i3V-l`{{<)Mg%f)UfoMp>M+svZd0r1 zQeanbw~@=Wh#}N@IUbgu#6~+;@?FLzM^!Gs2YsMt)>ZR?1{Wbyq=ad@r9LZSCPhMW z%{%=seFC-8i1eK@FU4-Fw!X!9-c=2Hs=S1^=0=TM;*8=37>e15LOdfY)yu)z|wnO>lv-6U*TRaP2hFg1jGBi(SUS_ zxbtVlU*e;wU$ZLu-8Wu9RT}M(5K1)N!Lx6^#~N$rJ$LAhlE<$FmhVKJQL~iXrV?CG z70LRr+AIu{YrBBHKIu2^z;<XHV#o0V5wS~U-Fd$Ur%;sW7ctJhuNy3)>)Tn3 zz&6Xcgjty?10lM^zCQ6wTu>8=F~+3Y9?TkjeZ16a2cz7LD)+%bU z35ykEZ6mrIw>(KJ=Bm4Tma#F}iJ6H&l8v_gUu*rxV*h=T-Aw)2SQGx46ig2IMg&4}$Z_&m3kl$7q+s$t3FL6`bR1IzxiSu}5qyi1m?UMSmNI3boEE`OMQlU> zPa_7Cr%cpxRinyx@lzCIXjArjl&bI5!6;K8F_09xW!h?^m`iZV#S#QdA_ZAaQ!TRm z_7;|8b=U4H4VDzVatVhX?p%z;k2u1|Qp$zLVqyPv3oL02_zt2S3;UxQT%r&Ydt#!8 z27ys>5F6_boHZSX5=;26%m_?ob`yBw5)K4gLkvEqga!|6%DB=C<)I8^XlQZQc1 zN;zfqUJo%n+@FD%1+EJtphZ+N5FatXg!J zd@{IuAR!&x5k}C8NO^;wbqvpWhAFvSikJ>D{tVaqHk{s*gbt3mB#-a{a1mYr-p^V% zL>`|7z8^_KgD{fEe@z7^cEM=;Fq4D^{uD;g7J=(ZjKFmzIm3nP1`@Ks!Q~`05#fP^ zn3D(*9(cCtuKSbW2Ehk({Q-biP#9Is$pN`0}IZ490j{NQ12`1zuh0 zCE`3%j4f`s{_S)obh;;J?beoW0oYY5ID6hc%Z)JA0mo%>8u^(zJ*ZQdKvWoi<^r@ICFoh=Q{`vk2~f+9-O# zSdIrG^m`e*pg6OJ8UlO|4=L+c^g@Umxp|!%K_-trw#iq%z3UWFFDZ!bX{GQrF(x6- 
zIU3ntD}TW3C<$h-!cps*Ix*zs6O0Q>m!LLzynyX79N*{iz$lWsXtam=ZQF_bhoE}l zI;wR5vXgA26dc9*=#C1GDR#8^`}c9erLycY+&)u0CA9*k_XT;V9)+l?Em=O) z82jzk+Q*c*Y6g<4-f{!~T<3!Yv_pff zi>s;Y-+!lkD;%uaNB-G48Pyn?y^q7sP)aqv13dUX=tgNq#Ty})dGq@RFb}A81$sy!Mu3 zaDsyP3#pyoADed(6Cb_~ZcY^=T$U}}`aF}oXb;5R$USEa9?o48E1Cu{VeM%>QgB z3j+Nq`JaOtvphIOL>>Z<#Riiz{%3zw7#4{79}wp114+vLTQqQMEDY+e7`YgW&Pfge zvHTY*hYvo01*U~dV1wxy{}Zkiv*eidzhJfk@Oo^pHg=gr3TqU{pRkVN*wvDMu2X)# zA%Zk7HkO)L5q{2L)g0fxV$KHmO!$=xy-BxSN8F+2_zOwIUD zc*B1KaWPxD`~}3sJjCPwcP;-DCGFq&5|#htgR|g)Ss4El2#oUID142-)d;}DsPRv{ ztA7KJwf_e8`~m(G*y-Ou<;Q;mY4I_@e?l1j8)$6ue}O53&Uo-=_?YVYCrZ!1!L;Uo zgA?8G;0=Gk|3rfLHyF?MZx!$eFe>~L_y7cA`>)5_>i9SCF#-4v<9`v)!a0b*^w{cN@OwmH6YL^yOd3ZDH1e-!&Wl~<^GAl?!eHRJI2d5{bIb>Ve_jY) z?61CmC1Mu6i(|LEfZO0;3h4Cv>$CYkpY_51x|YEOlXLyQ*29B9H2?JthWtVBY6>tn zyavN&sja?%K%Sn@h1?wMoo$4i-E15kM8x4&x4?qfZPjoAV({HRBxOooyE zuv&`${vk?IV5JO}Q^S8?*zF&ROOMk|iv>R+26MtE|42O$EO_xPj1+qdBYhLYg8P$T zBy$ol!|nT6|Gqt(l?qG^&%q>8KKx&alJK7-U?EET|CJyGPXU8j+5THGE?n$?mo5$0 z1B0plaAb0fLHYZ*(ZYsHVRRBIdM3=xYXSoOIq&?P`q%$+o&Qyqh%lTKjCr=fWMDcv zWeW2lL?^FJr@}s4(^C^`|z+x3J+uq!_7{3?s!QQW28TPn&Q80 zQ*1j9JpK<7!>RwL#sjlBa77rw9k?MFQ|ZjNF~wY*Wd-Xzw1R5{+bw5?HE=~k3(pO2M_+EPxPOHvQ6;eYJal!|B<*| z@!|b{B!fRlc~(L=`JZp)Mv0M*B?#dLeI&{l&ME~n1Qi7iDj_@jKFfY!l5n}i} zHJFX*KO7npwT$Aws@#4IV=t+}@;D3=#PA$yFb6#N4(2u}jFfo?EXwp3wZquzY7D*j z@0@qeiQ&w5z-;h-OonG)FNy!s#M|M8vyZcfyN3Hyk3Rv>|7{unLsc-rVlcnw|8d}4 n5rgbK>>hc0c=`z0czXVy+<2HUe;|-D=8qp^CGUYqFw*}Atr^I% From 5f07bbe8f2517cb926fdef052a96ee3b922ddde2 Mon Sep 17 00:00:00 2001 
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 11:50:16 -0400 Subject: [PATCH 43/55] finish SNOW docs --- docs/setup/Setup_Snowflake.md | 49 ++++++++++++++++++++------ eeauditor/cloud_utils.py | 11 ++++++ screenshots/setup/snowflake/step1.JPG | Bin 0 -> 92859 bytes screenshots/setup/snowflake/step2.JPG | Bin 0 -> 66414 bytes screenshots/setup/snowflake/step3.JPG | Bin 0 -> 92867 bytes screenshots/setup/snowflake/step5.JPG | Bin 0 -> 87261 bytes screenshots/setup/snowflake/step6.JPG | Bin 0 -> 111058 bytes 7 files changed, 49 insertions(+), 11 deletions(-) create mode 100644 screenshots/setup/snowflake/step1.JPG create mode 100644 screenshots/setup/snowflake/step2.JPG create mode 100644 screenshots/setup/snowflake/step3.JPG create mode 100644 screenshots/setup/snowflake/step5.JPG create mode 100644 screenshots/setup/snowflake/step6.JPG diff --git a/docs/setup/Setup_Snowflake.md b/docs/setup/Setup_Snowflake.md index 2a56f380..d22bd647 100644 --- a/docs/setup/Setup_Snowflake.md +++ b/docs/setup/Setup_Snowflake.md 
@@ -13,15 +13,42 @@ This documentation is dedicated to using ElectricEye for evaluation of Snowflake Snowflake's principal identity construct is a User - these can represent regular Users, those created using Single Sign-On (SSO) and SCIM, and can also represent 'service accounts' meant for machine-to-machine connectivity. -ElectricEye supports both Password-based and X509-based authentication - either using a password for a 'service account' or a RSA private key and passphrase - the former is much easier, the latter does require saving the certificate to a local file (it will be generated). You can decided to use whichever option you want in the TOML configuration file. +ElectricEye uses Password-based authentication with a 'service account', in the future, RSA private key authentication may be considered. -The steps are largely the same for both. +ElectricEye only queries data in the `SNOWFLAKE` Database and within the `ACCOUNT_USAGE` schema, the following steps will guide you through creating a Custom role, providing `GRANTS` to the required Database and Schema, and creating a new user. -1. In your Snowflake Account, navigate to ... create user +**NOTE** - The following steps should be performed using an `ACCOUNTADMIN` or a similarly permissioned User + Role combo that is allowed to create users, create roles, and manage grants. -2. Assign a Password, Admin accounts should use Emails so consider that if you'll simply give this use ACCOUNTADMIN... +1. From the Snowflake console navigate to **Admin** -> **Users & Roles** -> select the **Roles** tab at the top of the window -> select the **+ Role** option at the top-right of the window as shown below. -3. To create an RSA Private Key for you +![Step 1](../../screenshots/setup/snowflake/step1.JPG) + +2. Enter a **Name** (like `EE_AUDITOR`) and **Comment** while ignoring the **Grant to role** option and select **Create Role** as shown below. + +![Step 2](../../screenshots/setup/snowflake/step2.JPG) + +3. 
Navigate to **Projects** -> **Worksheets** -> and create a new **SQL Worksheet** from the creation toggle at the top right of the screen as shown below. + +![Step 3](../../screenshots/setup/snowflake/step3.JPG) + +4. Run each of the following SQL commands sequentially within the Worksheet. Do note that the `GRANT IMPORTED PRIVILEGES` grant allows your custom role access to the entire `SNOWFLAKE` database and should be done with care. Ensure you change the name of your Role -- `EE_AUDITOR` is used in this case -- if you used a different name for you role. + +```sql +use role ACCOUNTADMIN +GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE EE_AUDITOR; +GRANT SELECT ON all tables IN SCHEMA SNOWFLAKE.ACCOUNT_USAGE TO ROLE EE_AUDITOR; +GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE EE_AUDITOR; +``` + +5. Navigate back to **Admin** -> **Users & Roles** -> select the **Users** tab at the top of the window -> select the **+ User** option at the top-right of the window as shown below. + +![Step 5](../../screenshots/setup/snowflake/step5.JPG) + +6. Provide a **User Name**, **Password**, and an optional **Comment**. As this is a "service account" deselect the option to **Force user to change password on first time login**. Under `Advanced User Options`, assign your custom role as the **Default Role**, select a **Default Warehouse**, and select **Create User** as shown below. + +![Step 6](../../screenshots/setup/snowflake/step6.JPG) + +Now that you have setup your Role, Grants, and new "service account" User - you can proceed to the next step to configure the TOML. ## Configuring TOML 
@@ -37,14 +64,14 @@ To configure the TOML file, you need to modify the values of the variables in th - `snowflake_password_value`: The location (or actual contents) of the Password for the User specified in `snowflake_account_id` this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter. +> It's important to note that this setting is a sensitive credential, and as such, its value should be stored in a secure manner that matches the location specified in the `[global]` section's `credentials_location` setting. For example, if `credentials_location` is set to `"AWS_SSM"`, then the Snowflake_service_account_json_payload_value should be the name of an AWS Systems Manager Parameter Store SecureString parameter that contains the contents of the Snowflake service account key JSON file. + - `snowflake_account_id`: The Account ID for your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., VULEDAR-MR69420. - `snowflake_warehouse_name`: The name of the warehouse you use for querying data in Snowflake, this should be a warehouse that has the ability to run queries - `snowflake_region`: The Region of your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., us-east-1 -> It's important to note that this setting is a sensitive credential, and as such, its value should be stored in a secure manner that matches the location specified in the `[global]` section's `credentials_location` setting. For example, if `credentials_location` is set to `"AWS_SSM"`, then the Snowflake_service_account_json_payload_value should be the name of an AWS Systems Manager Parameter Store SecureString parameter that contains the contents of the Snowflake service account key JSON file. - ## Use ElectricEye for Snowflake 1. 
With >=Python 3.9 installed, install and upgrade `pip3` and setup `virtualenv`. @@ -79,25 +106,25 @@ pip3 install --user -r requirements.txt 4. Use the Controller to conduct different kinds of Assessments. - - 3A. Retrieve all options for the Controller. + - 4A. Retrieve all options for the Controller. ```bash python3 eeauditor/controller.py --help ``` - - 3B. Evaluate your entire Snowflake Account. + - 4B. Evaluate your entire Snowflake Account. ```bash python3 eeauditor/controller.py -t Snowflake ``` - - 3C. Evaluate your Snowflake environment against a specifc Auditor (runs all Checks within the Auditor). + - 4C. Evaluate your Snowflake environment against a specifc Auditor (runs all Checks within the Auditor). ```bash python3 eeauditor/controller.py -t Snowflake -a Snowflake_Account_Auditor ``` - - 3D. Evaluate your Snowflake environment against a specific Check within any Auditor, it is ***not required*** to specify the Auditor name as well. The below examples runs the "[Snowflake.Account.9] Snowflake Accounts should configure a password policy" check. + - 4D. Evaluate your Snowflake environment against a specific Check within any Auditor, it is ***not required*** to specify the Auditor name as well. The below examples runs the "[Snowflake.Account.9] Snowflake Accounts should configure a password policy" check. ```bash python3 eeauditor/controller.py -t Snowflake -c snowflake_account_password_policy_check diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 1bd9535c..85315f7e 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py 
@@ -842,6 +842,17 @@ def create_snowflake_cursor(self) -> tuple[snowconn.connection.SnowflakeConnecti logger.info("Connected to Snowflake successfully.") cur = conn.cursor(snowconn.DictCursor) + # Use the warehouse provided, this is a required step if a custom role is used to catch if the custom role was not given a grant to the warehouse + try: + war = cur.execute(f"use warehouse {self.snowflakeWarehouseName}").fetchall() + logger.info("Using warehouse %s. %s", self.snowflakeWarehouseName, war) + except snowconn.errors.ProgrammingError as e: + logger.error( + "Failed to use warehouse %s: %s", + self.snowflakeWarehouseName, e + ) + raise e + return conn, cur ## EOF \ No newline at end of file 
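Review bot: The added `cur.execute(f"use warehouse {self.snowflakeWarehouseName}")` builds the statement by string interpolation, so a configured name containing whitespace or quote characters is parsed as SQL text rather than as a single identifier. The value appears to come from the `snowflake_warehouse_name` TOML setting, which limits exposure to whoever can edit the config, but a check placed before the `try` keeps it to one plain name: `if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_$]*", self.snowflakeWarehouseName): raise ValueError("invalid Snowflake warehouse name")`. That check assumes `re` is imported in cloud_utils.py, which the hunk does not show, and it would reject warehouses created with quoted, case-sensitive names. In the `except` branch a bare `raise` re-raises the same `ProgrammingError` and is the more idiomatic form than `raise e`. The body of `create_snowflake_cursor` starts outside the hunk.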
diff --git a/screenshots/setup/snowflake/step1.JPG b/screenshots/setup/snowflake/step1.JPG new file mode 100644 index 0000000000000000000000000000000000000000..6520711b365d382f076755d43b44312a56589ae7 GIT binary patch literal 92859 zcmeFZ30PCfwl*9`oG^l*EeKITu|C=_ZDYQY?J)I4xD z2mC|L*^8PB&Q-ygUAPBo{+H{hIp^;`nEe)|g+k5!JiHdA0={1c{$JeET-kKf5+NEJ>)#C>NAJ>LU36GHM;_IQTu= zAxh4C%te3yAI!1X%YMc#=Sk<>j9p3IShC9x*zLyKuqYfv{=vo7%guk?IX8EY%N7Rw zBBsGQkMkA=_PdU5JNm-`w~HP}f_>di1Rp!;8tmn2cHRKOt1iKj&B@+Bc)R(#tRs70 zy6k68w%G8cbaQY%dl|a{kMli$!Tk8a!+*U4{AID>uXPCw3^WehX-x8U$8I+>GsAA% zf!(pg2;5=h7j)U*g=}=$Pw%e<9CY(@_4W9{--C2{-E4s_=STtm78?QrJkFb6aJjJS z-1+mnjLy02Ja4pp`*{~5m-9Qf8=c>|^StS1(gA;9<2mv^6c z#kyT`^LD%J?+2u@9lHVhmrDO{y%UJ&Z!i6);sb#w7|I|vT^YzG@{Gc($@ zulXgzJGcB2{)hrS#MwR!2edI z{H2xP;$Kcc@nGyNUc4BG{q39oQ50XUfT0JT``bVTPpa|6LKPi_8!_1hP!@3U2L@maZH$CX7I`=cLamo3)Y zd0e1*&bNNaDt!~qM&WGJzO?LLYuMHQR?Gg@u)nvf1GQ}49MF05)KCygPLrf4Q5#Jw zh$4+bC8~bHPUkYkR*8y9;$me>&ccII!{tTOW^W@lKbdn#>q!X?deWu?7_*@=EY9`@j2eIkKLqsYHEx$wZdW zrE66+*?)MC5_Q8x$Wow`s0m-T5*1~uVEjk5!{rC4hDy{UZ&(bkcX&5|1iTf2=g3ec-JUHQCEhqS(JMC1aS*do;yd z8@>|t6Gpg%j71_g!#(LrRPF5ZZWKdFeVY8NEKuZK`bb3tCk%w9sRfd{?s#87I3ImF zN>55aK^qTL&_$ZF%J0M3pksmdn$D+#^ImV%NGbx;NuQ!b-E>~v^9ugD+|BO@ z>>Y>jEscj82LhXSB#aWd1Qofya4MKriJAY|D;eEl6QR6qLi^bX6tl zJo8op5sl3pFW#BuQ5f||mc+()e?ZD}&q0Dvmej-9Ly4MSBe;5w*-Hd-T0jThinkfePwdJ*GAdbx>3s>e}T!)<71M)fcG)=xHQbfs*r?r)N}J}xa( zJbDqldrL<2u6z-nSP<~7w5W8K(klb5fUxiUMHgXZF+?f8L z8+rh-I6hF@E3=fvJ;RRH3Rks!oarxK$))Mpz{W#LR4!c{Kx-a>*EcIt!uy%HW6L87 zQpmnaRE0yukE>P%u5N8b_or@4zo#Gfx)%HqB96de;hqoF5$opX<0f6!ALOscp3v%IOjF(>Uo{oGJwNbdX!q*G ztTZ3wNk@lDj1~0x;PaCEQpG*y%kbfmR5Do6Uc+Jayi%)9v%L4 z-vQ7;Q8_auaKAaeB;3L8ex!!&X`L&-MH~M*l5l2nrq5Ak|>;DA39q4}7OYy*NpqG1n53 zZzG4AL(xsRHQ>(1Imj-lj%gLt;pZ#~66zhVAALS`%lnc%GZJ^)B;5Z9Pk)cjY0;2V zHPG=95U=_hpyGjI7Ir)m^2#U4&qN7@4c9W$I+%3;!4FH`HTDCTzI$kiohW$!)SGnOz-AMf78Rb&9OPB8I9k zta!?7{#?4F-#^+!?%r!vois8Dpqp-y5~ccxOOpyeLHzej`HwVU`ZQox6aYz7H(>el 
z`%WHLqU>|{(kXz^ZhokuPhp@EIC@$u?1s{Pj3-QBJ*69G!WGxg0}HXO^?iPyVC*Z~>T?+<>>@nt_|QRNib=)5TEn}p zKDmAwn@{=1b`_P|0ZbcuMc(p{(Dt9f-Tz-+`}&fHO|Nr$BdiYheH>GwMm5vn!SC$f z$4#*-=+d1Q`&{KJ9|UMy4W} zW6*fcyRt$d#!Y8^-$TdbHmXl3|Zi3%r@Wk{GVT8Vm-p+re4L+ib~RIlIv zp)>Ud$IkTloAikfTRf5SGRdi*x0+~P_V^ajsuWh4HRbQ*U?c%z8gp=aj}j$cLRX^h z0M}@FsZgv~h{GsRS5AP58X=32RcKvKdUmGmGy6<=PzFh+S=^`}xH<$M*ha7JZ+^!{ z*4rIaqLTOkvz^^}kfQgGWk8(PZajcv)nNe9ZGn;P#2?`dS<@lYB(bLw#ntSy@6Rh0 zDp6VYq6KuhxvZK!^_2id77&!Es?GnTgML z>&cyrr8yDgubUrzSo7dDNz3)=xkty+-%`%XfRNwUD^Zu}GKb>ZT&6q@tq!-@&BCEw z!TeE3iP~wYD1^s6C$L~LPMpL6jpgFVP^@j1Uk{@hheXg~ZsfWbhV&n8ADcbC3W#34rVi;67Vc2_}o zd8vM*-0aa{@Q-yLtc*lX8)K;a3sX`y|1p*CE+Y{w%gJdrY7AuFXG!v&vXd3xPvr$s z8;1s-2k2TTeks+I>=iXN6fbx}=6%;lG2|{X9qG_Fr;Q^`G}-Od0I*Lq%3`P!kVNYg zw!^Z={pu7!M{dy=U@sed363q`sWxk!$E!oq9FlK z%&)BP6{3HloWa~G)f$dX^>BZxM5S6@9;X}B(8oh1BKw-sMT&>=13iQYt%Td>5LRh( zKzQ=eL)g(6ZucY$-Y!lHG8@>vC4Y|+g-%E(L{F_Xi2F#kZX6IrXS6!I_sMjnz3fF@ zWCmx!cyc@o$A zTvc^>V8(*D`=$h)(ht%6Zu&6$J!7{dOy)jRm*3+sRU`zGt_6L&766ypQT0Ww5enYUhg8VaeR`ncBcR7 zY0uqgl@1fd{`my#`I|}dC36du;M>iSPl7n&2 zK1MK7qWDVG_?8kS>a8QxzGae|UJ+@4d=seU;6UC23~W5@*K`5gy2rHjBciTIEw<`m zU(wZ*gj^5_2dVmnHbv=Dd5s933pbkW-l%J;NTpZ_ReG2=C@L98Nt?nsrh)nGNDgou z{a}UPuSi3g3{NG%(@4Hal;yn;f;&rAlG)Fc&#Qlqb9-72#$0b<=hNZEN|Yv}9qJuY zqMAa($Kh5;WY{5J?U{WMS~gAI+S`=RSCt!-H07PvMehu4AZ)5`SE9Zh>03nI-hD`5 zOqipHV##(NCCa?UAgIH16d0$G2cAwyQ>lTeuFC7|M7B+#1Wt!93^h8!&!bJ1D2zgU zg0MR^FGK!pav1^L8tX})gleWqZICEh63L*pcI({eb#B4!BXO7Vv9>RZ?~Ut4LoItp z;n)3&8Brv}VO*8Ng2ZNdNT$OevbF))==o7loCN0?#GJhaeEA+45)8>F84DVqo|JCT zlT6+06bXTYgg}#JWKdg8(O}j;%Pb+VYpP{VUJ`(6K zjN6R3(*wjx6isn9!1lw7rVQT?GQ!Z>JyDoSu8(fR(sub?;2^)BY2;LjGM^)@)NQot zyVZ|C_c8@tO~~pOjouVls1bBEVUWk=%k0u z5Xn2(2+xi36Hs(wY#*0B@t2Cvw)R z*2gzGD^}Nf4TQ#^~>c&O_RatjSTSj!z^zD=5;e17iHLO#v!GZtld@8v&t8n^%C#j)t~xPR+-ohmi*ft( zq(1zEfrJ>sPI%@6ed1&3Nktm7Cv`}8peIRgD!}|?0^cZAE2h71a>@0Nv0>5QBlBtQ ze5eIxS=UQKKkRB{O`C>FU5OpXe@rU8fH>R7(d&3({d1;Kch z5dc%kq{-_3*>W~3@|f;yl@Tb%qBSDlXe9@_MqN+7EKe(F#xtj_LHu=#jc z9**RS 
z(ZgH@y(L~}FGMzzu`+C3Grkdr5yV*GSv~g}>#U%W)MR&sAL9!1GNu!QXzOvaXxspS zSgz-LamK-ec|k_%lz*VL3ff2 zVED4*I2GZN)?VEN4sj(JYm;3BFX`N1_1xK^ql=)&LQ2il7n@48mT$*2AQAV+0KO2Gj19jSm}%mPo72 zDfrr=$y#$9axer}!}FiTP)w%t%cB4tT;L?c$fGBz`X>@*dXor9GE0fFasTXqzFxWl zRPg|_=LuaKZvX~Y1DW=gIahAs_2fw$d|p`noM_O|mmJgsOL={Tmtu;;4-0s2iIOd_ zd?mft^v+iNG6|N0j>NA_or!(^JvWEz{OL8cnpmWrDbE8lCJsFYBCHFp2t*k& ztc1qFmSMtXh;K1yNkd?)^XqV1nNtEV;Gt@}Epy+u=OVA=x7G$Urswoe$Vsm!d=acE zo#Rb=1$n~lj{6ijcs#Wdzf5R(&mbJ;s5S){9d5_e$^D@p_)30xm`@lHFzK0ehZlB~xM)cnjw! zT-jq8QEb>FgO`k8=1&bxv8NuK7!%EK3G-K&n+K_l((1w#%xU`6$3hy==4CFW>Rnb` z_DTs+i@zlb`zE zR()r^V?s`&0>yA1VPTe0+++)en1U?I8UcnISj8H%0>Pb)FC^D@yp78^{9nJ$DPXp(}&TegsEplJ+TKyaEXQl zDN%LMj(o@+l5FO^OCYgRnumn^ncw-R`JLIk*Uv9a(u9l?L(E&yg!_+5lxRsKb855Ufb|TCOOW5| zVk)lY@fAy!NMlO2EhtH|^Us?n!SuZ7Tcn6siZYNXBv8ar4zx$-=W zp8{bCIha+k6-v}nf3~Llkf7jJ)|28W*;|aKOntvlkxa-ph?gPO!-i$=e4iiIRLtNjea0C#;`t)dW$+zw; zn_1}~g#3#jDAL>{G?Fml`hnue#i)~=&R#4W$VeZFN7f0tQ+}kWCbakElGPy*LdFNz zeJa%>-x%(+5+ISgs*-eRoKSN<#oV$JX~zw1ssJh+10cv*!^UDru(w=SJ8H=2(g2+A zP!d-1K`!>SRFMlT14C~i75-ktd2-X|W#@9vd@dI)J^14K7->B7d<M#QbVb3C#qcFgqf+`IL+t8k#5xn{w^ELsA502S-%h{a(ZCs0`LqEa$SNyY68m!%Ec9@h>^8FzFPCdZRu|fakgq z`oGZw;vZ_Jao{yxy7QWl_D92oPiO(Tb(7DHle-DBF~i*v%%2i}=IjYE53gtE@W!fL z1qLFrFkvJ(lXdjNFtjE-qf`dIE0xsf6Q=OK94YuU7^x%it& zMZ8c4&(b;;T?GJ7f4abe!aEdP|8e`4?RVS+Rn@F!4rPJWyW_OVjo8Fp`54`iMCJ`| zf5%AIldnEaiDic}!@8_CJ}9P7)~{4J*d5idkKGc*s0eAg*qEC6Eof-$Hz0$D`mc`P zaTuO9Gk_~n<6Dgsr6b`7p_>;@f#*&BseYa2w=ogx8^AI8J_DNa-_^G(yN9Xk$wmiQ zVf{lG*M7X<702bndEjMP2}2Ix?X;yDgUlGt+&^8s;{qEWO>SB#(ujJ zwTuWt1W65KI+UfO&%L!y25=NIAkU&6jg!e+SRus9p;Tq>+ zYP@XYPc_6H20}A*R zq!h3qrJzJz#E55z$ga~EL1VWWh;Q-`t4-|ApQc1@ z3Y{Z^DBGD5+n%}yd%sKk=<%c^mXmWsYmPsR=OB_8W&|8W9hfMFUoam+Y=sWxFxc|+f$ zV@Y??wY$!iBqw#SG8*Np03`ios1SQ~>=Mo;&1>bb-Nn11Ipyc+mw>}5E)LPpDnNAM z9?Z-<35Z6``5sKh>3&#{LtPFcsHMP5xVi~kItjn6mFxwak{L9z2n^jw`;o6;?N>J< zziK#XkS-=v3NeRu*JR+~vCmj!AycZ?3~_kK95COYJCI-%8i6e3IFS8-rc{LC$XsBu zt4H1eNPJ!nkT*S41;oKXh+%fx{=UhXOs<6wRxu9*%#b-Wxiw!E{v=xp07f;KZ5Ai~ 
zSo0~koF$(J7*_CCaL-nZoLbC4RuRhBQt>BPaF8wcq)E;|Dlm_|58(ZkFqq7sc+;5mYb+dV9g5mlAr9Ap=deKiahQ`{tE( zCB@A4wMkHkY6be~ zdjxd)qzT-ajJiJvH|Aa+KtXH-5fRT?mteA%SvqD*jXc^ zYYe&FBQ0>dw;Zi)qh`J{DK=eyD%SUCYNw5(r)&KoO_9pvcR-=c`NCas2T0-zcSZlX z`R6Z8!JU9C^MxrGW2a;E4X~Ww|GPO(O)t>uiM83lzZnALwPuHW4oI;sKdnTy`hyN1 z3>PkYmuGuu;a?a4n#0MeiU|Bh5H)*{RgfwP?jEr&KKNi0(wa>JJ>kQX8a`9K!nlRZ zcPd%t)sjY#GLPo-x zwr* zCj&};?8!TbgqGM61vz+N1YAHYuMH^ZIKY`Q5&^WYM7hH*if3c&A)=ocA+p^?X zD5ip!14j+ZXTq;fjXBol=3D6r7pCk5H3=C7_@$ z9=il_v>OAgrjqssCZo4EA`X{ml98M&-Bu8fykX{gv!s}H_adWEZYfifuN7df^a{pb zKff3pc+(hXlGrMmW<|(L_V49|u?`}v_I^dI#8jH>wyy_j3whHaE(^&tJu@2`MT}`> zxso`nF~u&%Oa0ib0Ry>Bqu9g4Kw+ZjzaYr9pFo%gj&RqF4Ny!Eh4yo4VKBhu9%yyy zhva4Xg5qQ~TBWY8EVNniGG)L@bXq+~w{e^@VYLBf#1zv-H4;++qny5Ysw<={Fd4L` zW*Q!Cp9;lPq8XMxUO86kBO#BE#01^SIXD|ad}rvwL#5p0WltJu*g6fA{U>8<&c8}o z(i{OCC5r8nAvlL#IktNk`KW4h5~-GH<~61Uu1+#8uH9`Qlm_%^*r&%|IJGT6JN#s8 zw=efaclX+4`V|qC`IL+=7X_Bq_qP^fpB`{e8ww28XLp#Ngom6dx^T4D+@K--kS_h8 zzDa#WKZ$ZmlJu}!QeF|5SbYn@3@74}w=@_C(%UX)>c7f`^DQ?vjStCcdMCvEASiGn zW#ggHqt1Jh0!75u>1;0i?46j0=QkpHlI1quXGRAE$!T6bT%F6Xdgeeux`QJ-g{6OY zFaK%~k5&hy)d$yEOZIyw^>rc)$>zt!TYGUq;YOU=cfmnarxyjx@4zU1W1%-pn*&C- zsnDw&vzXuMEGWsOT^XexZJx@ssesxFR{2RMtVDwtg{uNYH|#;yKrcrDn!j~8nFp;m>Je}#SAo*dwr-olN zMKpz$6|{NfB9`iKVHKV0*tSlIx)l`%8;Al${xXbPgr(NLfejQol;8wiM>bzXv_UA^ zZnC07{L^@`k9#UP!nC;2Jv)Xq%J4#N&zC_zOavu;3DgD%+1KQb8RVrED?B@n_E#lk zI7*X@UEprZQph;h^Xa+Pb-p1y2GXR9%atVb00d&*=`<*I)_>JtKywT+xoT#b))bwd zd^fZfR}$9;Mp*#f*!L>nKYW_?$p1Y4cVzHc@(4sW^!^HGJ^^y>KVF%o>uS7d5Rh(@ z5DdB8x-~C}o-trWu}y15r00(xB0 zhS2-#f-A$v%7uHsmB5%AMslnEw$33|YAU@TT zug;J}*PotML;(s0#{E^n*!3>7V<09nsRp2vWZq-gxEaeJ0nhZ>xh7$F(S}<$c znMl3!J}zzH2M$Z!(}C1E6>1~H5B1309t>NNe6r;wgTVJ%8y9)V_uTfcg1`fG?0Yu) zSRUTY54eiiPe7h09+qg({Qgh*{5d}UoF9Mchd=e>pZ4KT`}ik5_!A%f_wixl#)g3i3mM3u z3BKM^@+G~Z^@R!v=#biU4Y=@@n_m6TBse`ih86(DjXKXmf(Pk(+rE2#gO zSe{t9EVG5H`-|zLmtbVWv-BWQ}?L{l4@iW(-DXNtySH-&-<{6OVTJKRvj4*+h6jakx%6eJq9<^}l 
zMbjC_&f1_7eZ*n{2DzGkx;!@{oshUzxcKBX!j)gMCW!5^)f4jXgsa1**o(`iHjT8(w(xyC~>P~;!>ET!FPRix;AFQmi zhRgX^sJkWk?g4%rqKYJ?;*$r+PfzcTOC<#AFlDlpeHlB=9JbgLoiQ@jzi~3gOb<2! zq?WUmHYWhp;Op7I!k>BDe?bPPUgc@ua%J~dV`SsejV2dkc&GCZgD9Z>kakOIPEbxz zq(kGAqx)%cy#nGCA1q+#O+nN;88d-^F(7QU>Y**{CQnwbDm+DR?@jK7Sv#dZov9uJ zdzp%zQ6}J~mjR7uDcDZ|53tAKrIMK5(@l9~-SH5w57<%6#VdH(8-$YVo`7M=KG2IM zw^Kh+ye?dJ6-j1~@_JZZ;lHuv#%GS{^t|1!aKs`Tu>8=brj?^F^I&>{)8Y8(M z8t#6NH`?A0mK{k&L7-5;>K-m-jQfS>;oSduks}X_1o6*Y9`1W?ljga?Baqf#Miwzd zA>jxYnkmf3mJ`$u`8;{st=p;>d-|y8h=_pvLLY?zU1Xam-S9Vc17U}2KaL;|!1@b$ zKr{R{PiT-tp|_dy?xmISy3^a}3f0{~$*zEMY~C&;y}_!JZOUeJON{O(blAO4dy*+i z+M|19v?r+V3QpYKpPGCgeQNp#QFt=^b}!%=9RvFmAm+~kJVol4;&6p+Pdw?x^$1Do zZVuAiHE{{K=!>q0Rwv5r#WAP&lEYcdB8&owN)_hi$}&jj;?8_5mbCI@4V4w)15;WDv)w7!C;$Ym_O zEq*zf0zaDors|t#q6^edyurs2yxspn^>7T)5*G3n;n$#RB53 z%hP@Zw(;A!5n@6+OJvhXvF(8+r~Lg_@RZ{I4;QK107u%X+t*4&TQ4t=LM;Y-h?fQd1zrZP zkgEtcX2o$G_l%MlTOT$(JovyES7RWfO`JNJzGvmwa=VDl8JqvB(DIhnaF8@N1HOgEw~na2&6uf%df>2E?YWgu^Gy(iQ;MAeyf zO13pY%W3&!ZHamy&HbK?NmsZh=qDLY+(^x5CJ|yoiyQWBVqt@!gtHpLwRiirXAqJp zyk@%Ki~?JhXgc;f<3LZFKUp8C%LhZ@hK?bE>urXDcz`rWz`EZ9nGz1K-3F2{ zK{p`X8kEzQft?l_0Pn%giM)I%bE)L%#86*UH_WbzXS#h!ELgDNdq^c!qy9vAMjd+O z{gx90NC~=`Kc|iIz2vrRE#e{_N}I4(qb$AbVz zv(Kj{ZiuKAFt+lHBwA*b7Wt7Lz*U8MQdcE!Ok}z9cWKxtWFokZfOVr9b+A9U`0*S+ zY%H1`yLG<~Mjka%c%LhYFF*=j%i?-0LhP9JrAsBT96MT;7ai@-T%vzjq`ND>fns`L zkj^}MxVb0BGFHKqx*NzR75zS#Y`2zdA-2aP*#5>;=>FEX+W|$zmVT_6`jw<~5#Pi@ ze4-Y4Fn?&RUzsjoxXNqf%+L0{*X$<`k@O8sqRV{5jqrHi;}*ngoQBj0fd(Lbl5Fz&r2TZ82uSqDUlP${*+Q*$3IP*|D>=byQD0<)w8`|?CF_p#PU^+> z#n#aj=Y8$()F1L~j7)j=qfIy9D`|f7pM`q=y#D)@;J;gTly+K_Q<7QXi=C-qzqf9a zg+6HI+!tGpxf|7_Fn{K^N7X-|kq`c1bf|yWz;FazU|5vnN*r!oUB3fGt z56seB7WL%{P4AdMUk%wIt7V&_(}z7K^A#l$prAg4FTsP4{L=p#RI6Dw?Kfn+|85TVEdg3HX;Ey`ejDM{pdIx zj*y0EQ9l6(DO$c&AU7qh%15KfNe6_QEtyY=pUXmFpDevpwKrgOj1{j|_d~MNgg(`Y zKC(p=DLXS{rxpIw6kB4QzesN8-eYmXs%2DuueU%37%-$Z+FUAMoHPbE^Jz#Tb-dK! 
zx38!DwqjeT*u5lvZ-}$LQ*@n2fERxcubuq zKPw6BQTUZ7FBcxfZ=gBmhGb0dwLp))Ak5v{Wll+k6()=@ussH=ioM(rnh_X7i3wKoZKo}9u(U!|zX=E)ZT16R%&W76>T3a04nOjpZ25j4f8D=gWQ06K}C zr-cs9(}bwx?M#7lQhKd$Kb!ON78G`A+}0qb%d}R+&|}Fas~1q6>oph}NzL-tdNSHs zn&t-s>_|r4G(5udn}Sa!AS>8ffR9ZPdy872tK@b{;8J2^E z4vKSdtN9>KO=t|}1-cS_EfJsT&XGOCM9`PJHx=6hik;)>zE*=H`fcMf9IFegABzu= zUYT87d0c31+mC>KLg+mhd!&><0Ud+fJ5^WOC?1rqE$8qTd+BZxIA?Hp^vV@&4gj*Y zi4)kx0My(OJ3HOdhbLI#TL3eQ><6eBeTvfFQRMs&Bv>y*O5b?+{Kb@L&AxU6wslla zrelZAFO6tI3=UAp>=yoyDH?y8rQe&S|0m_)kI@7W^U2?!HE-nM7hdGwHz>4+Y`z1) z{FncTM*Yjbe`ihq^F_R~+Qoj5SI%x@zk%0+)s=AjkV%Q5Wwrz?JQVQxvlYG z6QyVn1E!U3_3Zu(@c{HmtDUcS$xe}xa%2TMR}#Z*AzTM>kq!K1D=ar9l*p^4^>~o6 zXC0l+H!HL39`|dy(^*V-1-TL1p?%HpWw6pxyCMOzJWq*QO}6A91p%o;-P%Wu^mAi^ z_{Dkc^ANsxg%e6z3Al8B#0sBZ{^086W&1Ayq`duGLV-EH=ar=?2O)fT@jgaeBiuyKaC9cevS_CT(~RryvY>D_Pmx$hNhIWVLkhI4dF zY*;RGic}7C#60Wlq(WLppd7B5sjGmqFW;8!fXj9vThB-e4%Uz3w>oz1%Lskqbuy;c zG8<`*szR>^i&ypiq^k*_AiWf1$rXSanB_;I3aYvQNs^fj3M|t-d^cXFU*{DFuU!`G z(!;#Le=3io8+-%6A1q6Z|^isj6p~J6oUocM(74hbeX}T|H@ZVw{rf zM2E&jLG8NpFT*YxS zn!+Lx8Eh=FjtZo&dI`9;q#jk9io0IEy>~{<6mhQa$q; z+CI`)x&>)yq<6~g+g|%t&02&%;4vQ?tq5PMzKFI!^)0Mkt*=KuRVJSq*pWgU3hF3#*OyR})9-bsE8B?1jr5L&z|3C*;0! zkk#SXgO76&_Hvv{+F5cHQOgnH=YzKMa~nm*kZI{)%51#1VC49&Q2q%b+yJIVS2%kZ9tsV%TaiN!8X&0dlfA;1Ghv1QBovibYEt)@ytIdS z?b7Hdf^K6yCu_Bg`!hee$2t{1XdomnZa`y!0J37>=ZwVjlE~*af^ld`K2Lr^2o}=T zdiNQ~LoWetADFX9R$(2ZgIR5!ex*my)smL}*~4xoQ1tEM-M3uzqdP_?L_vrp@S~%* zloabA#ON(_BN{dTg`lhT4t}}Z0&Hl(**k`<)?MA0+C<_sma?8&;*j$sTp(~Ea3YeT zKL{SR?6ELBqsZ*3pI+*Xamp?Tvu#WK`D-8dO*Q)MdY}^V@TQpoSFjja-$8;`RcBXV z+_DQAnK|E+{YOrZ>*XW7j%XZ+L*H^DmGf_QRKI1YS3kdKN_S~Wxzb}*d@Z)me}WCl zX*7L&>d}~43Cy@_y|cf63jbVa`3Cefn_FGhg>iZz2+hjoS{4>HuPj5{N)w)*PUo)! zWZGeQ?QV1Gc(M4qW)nik(jK_N3k-KMv8=Uwo{eLPG0!qTgb>Y}&~1UGv%K6HR#)p? 
z%xy#;05Z6I=J;^IVlR$aH~&c6EuE@lzQHdtgIU1>!l50j65SD24Xu_#ia3Us8p{L9A!YMpR=ZJH(hml4<#uzEe5S1Ypg8uGeK3E7Q5dccD%pY(rJ zqAZ?kBLs;~Af{kh;--Y&2d?E>XX$T?LL4o;*V&-a7k73_u9_eNz|GhLhVbXOzT_Q> zEJ~12<%mo-^Qni}N=Bp0)T{Q=J_m(B)Vo3SH}r{yhmw21Q1Q6U_wSB$WYGf#jwMk2 z%@0MURZSrfevw`*D9(1v-GcY)j{#&{KscvJF~Ok8G!8K$i=xfp&-r|jib-yDZyR%O z#948ez$YxwOP{glp2E`q|aAoMn6hM_qc}#5IXg^ zngih+V5&H*a1j9#q1&BpLOxi!NB3QVrS3c_7{-@|5Ov7{4)F%_rAj5Jrq;5+Zna!N ziKxiyl7I@rf%4ZYYmmO^s&TsLW2v7oVGIrS_%x?xdq4A}dxlr6EDL;kDd%dpP4yLA zUUav~V{FIHsvloQzb&k;)xC;n5vES#Sfe~J@3cj5FObh>(I*p;pT%u%>)U6fcDRRq zJ>YhzX*pFdhM;klknU+8Z{Ykg%bEl zo8)obH!bWr^-POV1*v;Ee=R_=eKLX)6RwSUdz-v2{uzWAZHUv0fhhq*#FJHd8l_%>eOi8f zGS*}K4x7iG%)ATXoTLyaY{KIuVs^ED)I?`t$kF|KfX2YOH5RK?3BkgqWG9;JU54;N zYdKpJY>DxN8HU4hYVq11Cx^7+Z@G!k(b!_z27j8EG+?PjJszpSxykG$yz0d3kppQN z9usFhf+IXXIh8*?U1rb`JHEGY9|)VtJih%hfoAue3-4>lAM;~1UN(?9iCS9hUaEa2 zD8v)9YsNaQb&mLU&J3Om1o;Mu!ON2LVftDV#$wNIO#yt!h%FP_5^m{(LViT=cxpzNgY-Zk|e}y|B0E1)L8Pil+9^f;t3>sJG z?!5;0_`_Yr0r;+!qpbakRR2({vxFcJSH}l$O5i-Osk{}sFvaCbdbGP<2Wzc|xq%=E z1d=9nLKg^Nj{S{k!WCy!(#cO$?OKkErb_g5-WZZZlw{~141!>pG@TH%&A&)?;%-ZJkX>h(E&J5ag3~agd!yydyXJmFzpfIz8boc<`(ZsJ<6) z${XZ@1mUs7Y{i8ci_~3c_nnRYB_|Fl=&(BgVIy{>%LL5Z`Pj8*iB=(gj5DE((V_W> z!@jvBDM%TDu?+>CHK>NJB!4CG0#fQdZ|)pN!iex0kFC;iwF6Eb9{$O$Z=ygz1F-&A|R#; zNPr}}N)?bo1PUCXBq}0;VpKpBArYBG)CkBd1PBo3Bm|P3WM}&=dhYG*xwoyS_nzPR ze)s$Q18hmMv-cX_wbt{z@AHJ@f!@Yb)JL&!vQAT$dNHI{Ka?>bd2ppsP zh1kY5R9}sau7Ithree2BYRkEWLN;N!d2WhvN~)=GpH!JVVsokGwMPw6Xv3_oeHooOBf+=BT@dp?L&H+-Q_Ma|c#dC$2Am=ME*c zdN7lT!XtwL=G9xU*;ak_6TF33vuGjUQyxs10G0I`$GE;+cQ2^rtN8Kp>6l)Ip)e8B z3@#6xbD>XLqxH>aY?2Aip}S?=%`#<#gTa7;sbx)z0C7ZV*CvU&m0iq?aN>yfmB7U9sxo^gK%)#_P3|eyAN2z< za~`sDp1IH?-oe8Gf4lJF#PC6z)uUADqtu;0XI6XmW`3!=fd*wE^P9^T4!JYZh+KbV z%I((!DRu@P01RZ>m6-d2z$Dz!7Se4s4trdz`so$>I$s}MCF{(QSv@lJPtz|CBS0s* zZ;U!u@PYz>IGJTM8!sI_#ZstXywDT(C{C~3SXB;vIABkWD$!^51Rk=!`U;3W9HjVN zr$BIxZq!H&&G$DqeE^W(izwb7$bV^8;|65VMLzUEp#yz# zkY7+@qIIV$9)-`im7X=cMCLRlx$t#p!{~8qTOA13Pcj;wMPjWDA(vOwWbZsd;!s;l 
zZ(Sy=PIR)Q^^JfvY&aY6scPpO0Q3xt`)a7M&Fhi!6mNfl_ssWKNbbdb)yEZy&c3o1PBmGIPtqCfoGdIJ-R!qR}Nqp9)efY3_S- zYS#M7%p0>11qG2@r++iXH=@I&L{a6E4T=86^OD;9u+0KA`~|lpt~Y6Fe_+)l2;iRM zn7?Eg^*Gl)H|*}X(T?QVa_0enknzAG&YVJ=I|_JTLLAqUTcWU%=$o(_y$ML|O{EZBNG@Va1XncOF;o{Q5FbcL1W;J= zB)N;Y;pfeuNiFvJRl&nS;;U3vsB(UWX`(&!SFXKNzvCegd=R-Cy29L|Sx|U5$yI*X zu+3jVn2m2Yfcfbg!eEtD=S3-qvRMhLR_-zA$Yo!f5nh+$egKcm1LvOV*||;;LB8Ds zYkG^u@$t5F9AcSAYd`5_Saz?C7gdlBMQV@p25ibo@i;>uaDGNdRmLB|!sYbjiv&(tb91nShln%on0Zp=0>Vo!rK@3?_& zC{}SNUi|g1HnrJpU%1U`=u0EUAd#2pK2>nR%saAT>IZblrEU~muhe?^xHRxxyaMu>I;<6TJ?Fj>at_8XY~gWSn|5T$z#M7wSN$t&MP_cNIs1CF)>b zwJC@zqT)hu)K#4>z|97-xJM!{0UTBK!*JU2TS=G7mHV`grHT&n^syM!fMj-q56(1x z)U}9(IP^T<6sgx%*zYVl5pc^thG68zzT4ycJy$9f?do87$mfA^qNUDs&LQK^1#6oH zXM|s~#zKEyX;<;@==;{{PN9MYN|wrQQs=34I0$ap=oVI&Qq+m7n-Jj3HPlvg_Z7!n zCdW~;FR4ugWa^=Hy?(tMR&VU$8`&3}D$0esad{|PAWsC_eS{}fC-)D$^2 zXv#Ss+>v$gv$AV40SB?<=Rl0}B{8Ln5(6?C;%fDUTOU?5tAP{MAbKBLj6@tn^kw~l z&Q6FgksWr`-wspB=M5P1eR)^>Q3*M+eTCx&sCg@t7JC#3hE&Vo)( z58k~s=*NFHton~bsW_LTqWP>vEYNf_P%|FGSypvNKDSb|V6~v|WoVVmO&6k|^A#3A z!!Bc{JNGYOKk~vq9Eh{EuzPH(xHH;@+cu4X_y}d~*DPO0yaZYP7YX6n?T&I#MVDO2bB=-6e>|^CUmran^C}$~ z%%%=#CNxLxbUiSKLB#3+H*CxR`5hq9E1Xh>`|v1GqAh{MTM=eh4;zQ139Hw&_@~`s z&&yPw+V7u zzPAFK+d#8*pd!wf8hq;rc3Fe&oSZC7{EVsEIqnqT(@zuifn(&85UMg!9)#6mCWthb zzC=iRDZPn?WmSK(*6*b!lPzq>OhCU69v3U@1UmF)c2r+npDqyd(NvWPnyKT^rs1nd zsw~wTamw|(7e4vZsr;d|VB^AE%R&6b0O&QG$d@3Ovye8M?_YW_h;>9<2V+LkBfrp) zpxm}HB~*A!hf3`MOFP=>s}X4Yy!J=RXDTXjW`uRJDhx=W%Df-Q&d)8~_9D=Jwq;4i z>ca^*VQW87S4JnYSFhTYTnv{1-=Mt}3V^tJ37(-(L70sm{`X{@|MKtO%LfeQ{Tk;F z-i)04#(m|L$e-nXZY=Z*ayHi~0eQVB+57yoqQ5Jm8o;X3v2buA?b-v&L-w5iuonJR z4HkREPaw(SVl(gnop)V%Y3{oh-!;O!k??Lhyo(9%0;Bc2)d7?#ziWhdjqtaE_5U|U z!bR&;+uc$TZK^=tb>L^r=@-3>|B@Ki>@=m5`5(?~w^%8c!1?RbIZZNB+$1~7+cNUN z%Mh>4q{cv%+9)Ncv?M`FSp($jB?oPHz4z}h*P>n16TAr9T=Fbgz9PUU4zE1#8#`74 zPWpN^yXzCq9&ALN1n#NMRD>^sZ9=-n8AM2f zjbm8#U5(@BCtDPFSkzW+qJ|y*mXP5cKs|^C*Vj|qu4p}|A0fCZZoB!sW&nP67i)SbYm4*6Hc{RmBO!U!S@cM!CR@iH-3Gz=f;$n;F$*#ANH{2; 
zz_ZItXaKG+6nr0?vA338uJM%S1q4Bw`y+uc3xIipTyViQw}B-&Vw?AXys9~1scF}KwD#a?jgMU=4mh*Dg*mnHo03~7r9*RFB8meo(q(JMdO>dCo5J)m=73)J;AUnE{JDZ-lLxx?>A1O}m zPjxKKkZ6-YDh<`QgH9D!Kh7goNtEa1^Ge|P#|dzz@cJNs)hh!`u`jq-L{LJ*8=Ood zP@(mfDY+a@vOv2T2~vLlk`W+Jui&heJC?xHCu6h0fV#JS%ftG~=bOfg+RCz=v_g?O zf*`P&sv&W-xUPhoJFr80vOku^iOOik2N)2$(#?FKe2e+w``Wbf!Jz8w8h~9X!$S1X zRXjs5LXL*Rs0C}OHZ*1_c_NlJGKfCkjTvX=V;V8saMy=p}L|nmoA}}DVJ7j*N z3;qD1?kteczn!{^M9UQV5XN^VN#Ug0xFIoxa{|i)_|pkudk5SIj%4c;Mc#;C4`pt9 z%kx}%glB_KBc4-VId+UA8clkHc@CswXhO~ScHnAIoM)pXAP;W>eA)+blP?<{QIr^} ziN^e-+F&ifyYQN)y7_W^1@1l6S;xhU5PU_$!LrNfmvZ<#4R!3HXg(PFG{AuTH8`n1 zh8^oEn!y88m1M*?ErZqU?#hc>@u<8I>R)9uXl$>7J$^5wkqB{=!!0|kxN z!R?~kBx8K4F+s}Th_c1HKGz+d@wJ*pyvmau$eV1%PC@opkO-c0mm1w(yy6Z%YGjOG zM$Ap2C>_E8!V@XPcp#PJYu-_4I>EOm4kA7HxfpIobA@4zU)J-$ETLuiRk?2BbR99w zVk(9WtojbKL2y0Ur}K^n0~SLb+2f4(&)dR+oaA(I1XzTqk>H_u%FZgJ5kP9(U`;n`!1eFdN3i zYG^n+mCA*RAe0kY$<~@oQgy2m^HbHBo+|{)2)97>%#?WW+_RuO))SP`yx$FU!HlM$ ziu)j+aK>XmfLMd|<-KqJuXxjcfl%IN`+Mimp`e>X3l6rHp9l&0c5wQF$H0k`zU{rHV`A2wQDSSL_F;4#C?(M15GWKq(KL}cx@u*T;}01TP68SK zPRO;Pl+d)}nb|L7ULKy0l&U3TT&5XrjO-dPV8iBE*Ox2=P~=8=d>+qle|UeCuef$_ zy~*4sgePNbSRgEvD9Z7Fgy#8kg#j5$c>6{V&qNw-Nw;^-o{(&tHZ?X zou}6@5MpCrOLiN-wjX~H;QiwOo!jE4umb2(P2S!_-X}7%#hUj5fKZPcb3KKV?Pln@lw@dW8ZCZuh zqKX?pvCr=DI5|wLp0M&r*V+_#`kmrsdkF99iN;xAjE1Vv;;N!C%x2hwb+sYqIgv6P z0I*8xw{V#qd}P$BhguFEiC@(11yzJYv4qVb*E(OfB3_dLu^SC$Va_+2i{l-wA(1pr z%zl=HrNKAyY`&wuH_SZ=d~Y)g3A92hCVRLw7PWrj_l^W z1lb)D^f%XmA$e+Vxb@R>*GZf+Hmwo2VrWp!fmgrO znE%6Bz5i~}Gxcxy57hjSd#PsU>FGUo-=SvA>wZnecMlGcb6{Xtx1_oKK=`CfXScINrWY%6Dtcvo>19^|-K@R| zCekJ6g5!u}i*X5HTl#k$VQA$hU2#Q`47@oICT%anY#UgwQVjWQ0bnuOuOnO#1-Q46WeF#C>ayOU&KrQM5fL3d9LEgB3E->|lh zysXOp>hX?+X5u8>*KSEjQh5r$DrSG{!wiQ4b^=Ck9RI_VAu3GruFB z88HwXFgI?8i}h3Hj=_)LOiPV8Km==XyZyFvK-%$d#!tWX@2~OYKQM#Zz4buswvrUb zVc!#$@Z{s~tUxicDArwadbRnBvWW*H$3ac;hODf%p;O>X`7yzX+Y;fT1ELlqkwOC2 zUzTO2_I)kJkV4XmWN-DwhG7WDAm<%b?Z?R}gSWl$36Rn)s$g`j^Y@sz^yb2vKA<1w z8R&sM0-GwXgHS79j{DWMMDJ%Uru}lkAK|a4urNcSLlU!7zH(aA&=D5FArlJ58(=j5 
zipRB-S#=z;1zYD1l2p0B^{M!Sr}f$Z0YlU{?TWQOzYK+OCdQkK9_dc@c ze39-n6X;lna#cM$pxZVA$qNOBl1Zx{83n^!)P&KINj9J z`Bih8zxbm&S^E2Ta^atSC#H9QuQ%flzW4i${M{ck^5=ih$p0H2EpOQ<;rPa(&z@Xs z{PR8gu08+reEgRWl~)cAmY?Fhnbx6c6#eO$`QPlne{Ilt_6I@d$nORn)BN9`>ZgBy zs{dc~Xdj?9JovFqk29!D4rgWQxb_rf079&zod7G=2ifv!cj_YI$^e`Zw$$Gn-!$gK zb$w-K8G3GdQM_YJ-<4(f*YO+c3?P8KQGY9%gSFASTd%!eyCo^CJ}i;e30Bi4+V!E| zj^UKmHA~MAZO`l78fHNzYQRD7pm%x~yRE?k36cTP7Ba{L3t*c4s9ZolYrBPgpy&*| zc2gamqB$~_-W%7elW3kQxW7F7eNI8DZKje$>07ABYC@$8V-ln$~;pklk&L=MsEB z#JsuJDR{0)mP#d#w-ZhI@5Q4ZzGNADp)_Po4xQ>PpP40&+g#;tsp0>q`NCsR!%~YA z;g1`zgVp#NoNnDM=WaK25k+iQhMVDzM3fUZ+`m%?$`Cu++Fi2UJ9HV)eNH&pLj@Aw zT%~P#uK9@{@joV;hR*I2BxSZ#<8{glVF}Hog468$ixTcVBQ!%;NdcG+TW6hE(towM zI1L+jPLH|DiHK5|`@(C<=9xDwG9QrIchhUTo6CWflQO6Y4Y`JtyYlNKP1X~!z<_&h zM3~un+`4ZXo&aSZ6$H+04LjJCxWepc5M+D=hK#NC-SrbppDOMm>q{9}<&4)U02m+g|B?ee!w+Lwg zGtTDSOV?{1oj{gqqhs84N1$dQ`iyl$3EkrMGCM-DfQRi%%;G^kW4U>qQE^9^@F4;Q4XPByG=JGv;KVYhZDGF5eA>8{;iOl zEcixeQo&h+=v^DIOIt4a{>UqQ6I4_v7>Tpm572p{8We?$elIdr-X*ClfHnDs<6`Za z-e{hwybALMW5;dzLND9hPtK2ron(UlyZ^Zt}H_0L8D zi|grj-PT3o4*Q7O=?z_Xir|mOLe}hQ{<27(>cjsli=CmR{dS7dES z&jAICZTmT#h}VPe9dWNY-ogwt8lSi&-d^$aLx3!1P6>*=-Mj4Fdw#EtCIa=8?(*ZM z*=?`w&}HHK!q46`lC3D}(OGT1fB!V_|t2 z7d-@djN|{3T6Z2|*sZ)FckA{or|KU)bz;ap<+6Cq@r`S)!Pc9gy5Nhrh^cC>HC9io za%HqiDnhc=A7MH>y+mEINWrRaJ^ZQu?2({il1VYaa0>6*0;W>mX zlyT1;=dA&yW~n<9 zJT^|ry0YS8m_?~d6LS98cJzsuEoq%H!&CS=H(J{UelfS!AwAaNh8?*p&1k&0C>XO1 zA0g1R&Wx>~%+}8hTPm0Qu)bER|0HQJ)Gn<=QIlN^o6eVxlgF9J@DA57cen|xNZ)-u zpzze~Le#jktX2M>wIbR|u!t@qK-U?E3uTixMJ=Bk!hNR%PRQ95NK+lZUFjsyc_xbm z=F5--`NJ+;wX?pt=YVnpQSX(vqeXdm>UW);j`IwLYzwicul7CxpfKw>7rKbk1@naI zyjbs5f`-Xj2eu({CW5-ii^+34JNXgtz2d?bB`?weB#XbOkR}!pc58ProaOh}*IELI zMESKFKAA6)S~rK~b$F7F$aU2&Qtbnfwg1g0n`y(}U``_v*3mc9Jb<&L#!R~xdl61U zKQ+&ioqwSyQy`H*lk6sASIVjI5`zHTab0g(H5UlNZATwo1R~K|EU91<4`pRvT z_vP8&F}}%y{TT1%%k0{uM+EhTBjG03*rtOaGn#~-;T3?`&BkJRwGPxDIBV|7&t>)e zrNp&oJL+`PqBs8=C~?)*#AR=Hk z6pVkZHbaY94Pl@c&g{7+rVZcGIEevl|5#9%4N&p#HiRk;4i-`8pdVkMM^)s1iBa1K 
z4g>=-q{Tc_sA}_vl<3Z7_vE4q3U2t6@>|2`Osd+&O|ZuVd2Kltd$AUki- z+$oS>@1HZCNGg5>qI0OfCOOfo`UsGz>Hs8F=v39{YV>LU$~V(o zJ@%&NU%&RrHaYPOqP05*bVB;E&p@sC)8@%GGhplgBtiqX0MEEn65Cip>B5=0#qE!gmQY-lcL=IJ0IcS9+ z4s$J+*kpN8Xe(0Rcj_fgrwIVZyFVQo%=*&PVuryg#na3LsYv#MI%kwY&Y^Rf%ANVL zV3v8qt$wESzUI}oOrmBeOx&ucF;XT^oFsiv!t#V4>iX4|`stl1t zvpo^?kM-p~(;h5GiO|2X1yY10p7O!zT3n^0dHSjG=5h z&U3ta5>hEab;3>Fm&j%<-4iuIKEt1zD4jX(=r&TcKL$+u*=tlv1{*K|3O-lxBn$;c zaTr(|8?mwCtUU&?Sn)><*+d#+q{Kt}8Dd;clG7qb8IHM5H|fx$Q~Y(5zYsGm6Ncht zP7YC+}ZmB?{Q9)-|0{GS>ofm`a6{4yZnGSL1jiMigi1imyx=r9oV?x{2aX-LK zw$H=7POksHRP`))SO52$4ui?F>`d`o{h5Pq`%l!^#0EPYw4{92O}8m|0*XJPt+-br z*ZF$O`p(7rnt+R!^XclKK^OWd5V+PWL63m7T}_w#TMz_ zuLO598wvBegm(p~RUobkI@;P@yIq8Rv97u|>?C8#V(lOb4-NN$bRj^o6$)cni|OXW zPWefcSCQ?%=8sQoM8IhbWh67&}eX+2WU9IWQ z@yRN?;cvcHHu9~@wSfzMDG`P{n-YV!6mIXLs1Nm9!ox&e*o+XW0k#Qg7cVWGlIW^3 zUnzG3X$j(HtvItefBG_Jn(t&D#EUu(qhyTTFHyjKryyvR?g`z@|mE4 zqz)c;^6!_lU>+kRIvBDClKWU|fa0x8TWQp`BH!o4wV`59Y-?lT)3B2srOb$%tXgk^ z4lJ$kcaZGtz+HbTXzq46@PT&U5_zkXuWNt!uv%Bmb1M`?_1KL%$v0Q>=QUY2*_7a~ z9Myc;K#$l`*jO01hsp6&w3JBuvR}7a0)fG?Vg9|3BD@cnvP2!&LoUbL2w~N)rosdFyXs=CH9~-+C8{w=8vZp?vdZ*@qiW6-%OtAGr_TyXP0+v%KnZ zE__3zA`~Ung7MggjqSLhU5eVIm3PCDC3ZL4Jp;@?0%>IuLFqYR`MnJq9A^+;6B3La zR)|Q;;95rxRflHno$~-3|Ho&!!OgX(ur>`?rzvj#(GvEjlv&TOs&IeayL-eVJz5Ni z#_z1^z!tPfDv*pTFrc4DQtDJF<_(L~E7$!@YW?O*Kf}^2Ee6{_QuIfdCW3{160pxn z{O;Xn-nGHIaqw;~yo(3#V&c1X;oaK!uiPKhgrwK_v^3ipkTBhUrmtcJ<}@R#ge$!|+gvjqzN+-0nzmmONi?P>^{lUuAwlJBl4#2!%G%(DV;m{i zjqfChn`eq!W0lb)!N z4j_qSWCXW!Oq!S8DQX4BY^^eWO zDbkpJYl$1M9$;I}4h7I2Al~G~t~uikf@H9>A77`b7Cd43)KM>SWzN(y#1E0vGWd}Z zajA@VZn8FSb5Fxy{&P6n>BRC%p3+pI)-NT}Q6U$UqVvcgB_Q$mRcrQ zz|5>Fj*rZHjjY?QT@lp_`%(x?iuUJUJxO>oZG{darD}`ov#htmlqylb+r1K+F67NL zi}9!DHG7q_5#}XCR0)}W+ys=i_OMAv5Kq*~yxV9^thNt}z=MH#5}fq~-lg(~`@k*Q z#N%X_Cj{RSadJu2=)_;3hLH(LQe|3&qNN&Yzf?+DyJfr=eqaiej7)zl<=)R0Vft!g z=WXJ4Oi#_7S+{j@^luETt!JjxkWHq*w%>U5U-dWAg|PqG9k}h5!Ii~sX9z(7IsTm{ z4XEopfhKmYy3=739@ArTS%ANO01zgt9k#lw>e<&%PPmmYs0g#$3fNFfVoI!X;mS>2 
z?QG)?Kc4Q#7@98igATH3grUxzgi}G1j8OAgV0;F(wt2e`@;_~|w#^Ho6gExf9e-{U zcnmGIuNrdr%LYnFUsWO{RDzC^`_v~uKJ<>XV9D}tbH*q?s)^?{S8Q4`9|>f)*W2U| zhi69<*3quG4^ecniG3WFm=<3MM&+ff{-~%br!unXTgx^u@K$ zeGkaD-N+rlthkRgHZ2CTM#rF+Up*vCK-|#j62stOt4$FCqsf=v4QUK+b5MVp)gYxs zti%IN`lEsmTljbEVr(Ds7WhlA4uXl{-*D3w>D`WLmcJTwoZ$FeLzc2tu%bSXVXuor z^%w+;Zt22d)@pVY=Tli}bL`THSxd3n{L@PxCeFgaQgbr#sTANkwa~h$s-rblVS9f( z^jsIZZ1Kky{l-><`iodk%nj-%;DyNXW)Jyv?!ppW_jbae>m@IpbnFu*Wz(hp+;N~G zKf3`uKuRJBsJ~5tVd=xGI3wzLpS&=LBD@dEBraV!Kd_o;ETXnnukEC>HjWuSbJ29% zJPC{DPw0N?JrXpr|3zt6EO-9F>h+aPY}=Di>fQEzXT~VnZu2`i|FisY(Cxa5#1)KP z^&cfaPB>nS1JU124@-vw+ z1YdyR;l@tK4AI@1l+MsoCj}P5a%n8Fi zOIWHfC*!czYHjiOoZkhuLFpr0vrBFVtZUv(1Ku^l-z|N#YKD$bTGNE$o$MZ-A(B*) zfRG-s^v=v)&vYK)g`TiX5~NOF;Dnwe=VPs)i}jR?0P4l=E-@z{b~*l_!!7vq$wd)1 z`9sDg*(q9lBrMbxX#ub}P~4t)Si4!`zcR(<6J-&w7rC=?CGQC0r+pvYi4+2PK9YPz zWR_o$AAhMxmmvu_wIS3f9aqbYmYQ;h4N7>Ge1k?7j($bErRmsl+YUEp?h{bWL$P)a z&HHBOw@6I(9>aA<^SEp{$P-AQgcyn6YJG}gqlpHVSHRasx;?w3EJ5&#=aq=t*P;Wjg=Z=ioHp}-Xo8{fQ zok-61_V6wXrG@27N9g9;hpE0BH~+-;la8C30sCtI1G~K-poVX(Dl6T*Y;Thzgg}0Y!{-~(*)(;Drol*8X^L%zr#lBONq0U_|~sc$HRji?bWc!0SG#^yz0{01f$w00$$*T2{in0)RLy)m`bP$3*YR-}$J5|)FpD{KO zeQYAuB*I}+2cd}jWcw7d7OL)z1DNgZT)51cXgds6^Zp$C4;E*JABXaC{QLs1_%)>{ zRXY4UU>Ow2Gb+Me`5C&T>7uU-v6n@6K&r^> zhI0~J+~ywvvbcUq%R zFC_Po``0XTWlRg!WP{G`{)TZNy@I&$!7Cd<(Ry6baL@tEg|9tn@LG^SbtDn)wV$B< zz%9~`K_j#~{Jo*NYe_B&+upjsW77J0J2%<(Mm`z0PH3nF>f7UC32N5iV}HBK7!%utcZ3HC^L|wVjwpH4ZIEd>}ZFD`5YC z*|v)|_XN_kI~@1AVI9EIV(S@bt@cU$JRng<0)$|lp|7U6dmsnluchopoU~ul6+i`e z8jWc>WI#!u&%`Igy%8+VIf1@=`d{`t{Y!QU%j027k}>+ z4HI!Ba^bxPkvs1{d46h_;5Krj48zGgv$AyOAboHD>s-0jb^|&Z)x!Da6;8nJO{CbU zz=W@bI+_#eJ~t}@hCXvEM2i{F%;X$mR6v%8P${@GfSKK?3+(0krk2)M%@T(Z1meW| zY5!?z{c5Vs|1Z@~|0T(0(Eq)yi}rpnMp@+U!K#Pu;>v-2qn#M{SnvT7rW|>G}eG|k5VZY%TR!jYhEo2@5;rRNXR{i*(&Ddp`D4M$W)%xia z!TX=bDAYhGK2z>Zi5`ZA(gAZkIixI-f#jp> z#Fg}-vf_%gO4auhE;w=;P5)?0@x42_l>Aywgi!`spiQ^rN^~8pV|9z}ZdFmi@$ckA zexWqTQ~)yOLZScT90srUuUX@K$=DEOJtpiMOY+q`|B)H+8Y=<0M6y*GMuvklWCdR7 
z2FiDr0QSLfR}z>vX9IJYg{#dh?vLA*366k_PBq6XoIR4Nb)q|0b8$pN)Imm#Ds-mm z(Oo9voL|W2)q8dN8w!0O(H6=Y3*On4IhyA3LF^l*rvY9HTYC7EW5iUn6`)!oZfXLy<3f~I@obkURroI zFR!|#t{y5{o(qkE)k>V0=;yr3aq@Crdy>wb(hpecQtm_TiLOM4jE8p2l?zm zg14^_FC~Kh#O`vNY_W&01)!jw=WOgvsBhRNue#&A_yw0aFJnYT3IZErbCn5Bnyp)R zGi~LqIlkL}Ef@T!@+kK&Yg}>OF?|il?p+L=iQl7XkI>W-@CD!HOu0|#^6gLs*jhZ= z2c)rAWi3))JK}-0rek5PK-g^+EMEj4dkzc=My5UvA?Lv^{4=<#<0R8=chnPpQERCk z$l9yvhiB~0mY#mgrGuW$h1=J`LI(()LBW=>M=uH_8C>lBY@m4Ux-v_+6x`$AeHnBQ zjA_m(7@5PJGCAhjJ}UaV+g5qcp-cnquFB+m{>SZPI{v=s@7g}|?*^Ugj+Jle3DUbp$ld*}5tjY`r4f{gZ<#QkXvuGz zvk(3Wap7$tT>X{^yZfyHFy8NN-x2iXAI6@y#c0!pw>0I-{=fd=DnR<5E;IjvM&P_< zp|XB!D@VL_JgNKNvd)aIc*`5!4Tjtw{{@5L-HdQunfZU95!QO`@$+fD3lf9h+jFCi zR50z=K-E8dat5FJ$MJxv_x>pvyGh|pq{toEJ3-|}#E%+7*!n}>OM!ZuUqn#m!|JdT z(--)q8>(2IY^)TcX#BiM-Z?UoIE4G%1atnT5SO6xV&2(F=TQ&mR|Or*n)j>6E}hXM zodG&PnAcuOo?p_g30`!Y@`ipjZXvQ(TuC(`kh-bJ)=B3AkdV(ctLDy3CJbO(0BHY$ z4vsb{zyi77STnaLYLu$awt?=grz}D8tJ3;73D*bhPf`*8>a9gZ&cg?nhM9G7T;5E3 z2v4%8nx|^z`O{xcQUC*leSk!2wSjtnKYq17d=L6+F#Zpf5E;2|}28W0kORnMt zf02&MA_U;_X%*1~%H{T>s)p+6%B0qzdxE3+ua+hdicU9RVa)|d5H^R~!+UR-Zwe55 z-!f<(3ISYvZu#}HfbQV{s~lTx6rW-p%GFst0}zYGkJ7gJf+S}rLz3x^J%{F(ki?XQ zNRl_=m4!Gw7R*CGhN5Y~xOwPi%0hAv8ASkcK4=c#t?q|!f;LM|*V>{)9aj(_Z8I$2 zU~G4~Q23!P(-|aUqIMg2j-6bSGEkC}UlzjOgbLLIiNJy_b(@YKLY;|{*cC)$nI0$_ z{jh9BDls3l7v)zqnQxSNXLU0T%UE;k88cOs z?4$O?pX7s~`p}p}QP)YvD=gGd6a1jBUIpnP2 zfLEv=yPs%O4Br#d`u%`gn^f-!7z1@+2xy+F0(b~s|M4&{7DzK4LrJn?%DMbu&idlI zuVgB8xnc;G{pjcC132L0K(NK!Ge!?Bm}-XcAGor;u;E}h?|bTFY&Jpz$MQ0b3bnjF zpdqFbPKBS#1cLQbiDG{R14lGYTINbQ2g~;2Oi^3ryq-D~mn-ZRETYmgw?}9X_9js{ zgO>4h!^3i{#|1kgR1X3gZe`9MsJRxKmATWiO$i8ZMDHplT!Q-`MA{1V&|)T~XO?KH z?#ME12PEm3fo_LLdt&U?)kszaY^|^L-H*)z{X0Y8M?2T%R=M~dyNvY_LUVk@U0ATF z5r02%T)&h2weps*%jx?rZDaPEMdC${jt{1$A;*qmmwGM&SE;c=+7PxT5McgRZ zhkU~oQY<8D2=HExc8%01k@(b5*B)VAjOkeV;|GF>P%2@cWP?DXX0Qdn# zJ;>)4P@9ANUp4BU^AMaTONhJe7D*&xPq0;T3%c8`JM!#`*^{6Hrfm)k30clhotdE( zE+dKh1Q%BzcHl@%7~-8HE?~?9JU!GpB&?*)TR+d|08%qu=8c>yudv&%O7qY?d_t~o 
zR$YKZl&S38ln`;TKDwyAr#do(JUCAz3~foBmU zg2@eG4Y$seV{>wP;%rDV-CfiUfgGD7JBMI>>g$12HzQ*cAt4D9Gn-Sj4{*J}95p|_ zK-T~_Qxu;nLu`J|252Ni09UdXvZ{+(P^TMcZW1d!&(V{!?o1E;!~p;p;++lIfFpe( z>Qg6F+f%gnQD8dAv_TCi-K5A6F7VtG)Io(IvBEj@^Y9`UU1kWbZN0O}0ZTyp6JpF7 z0HrIG@RC?YfJ<=(sSC^R%bqpCEuqccM$Lt|1-fhFvwM^Fad%U!2d(cBB0vK0t%z0d ze7MYo|1td})4cB{YLnvyV5WBMijqR^v-`|LXl*tV;7}sqICgNy>sz0VA}ts9<{+36 zF)J3EO$ABj@Dk!|(ZB`+DjnX{P#{1k6S#ZAeh*!4J$Wf#BzU&HH^B@F#RI}gupuOU zUtyE=W$NUK7xFCT+-@6W6{y*I52b@CS+Qmf0Sd@P;PPE`%81`|F!42Kf0#WUHYicE z@p5cz3$Qa%6gD=9Iw|YmoA=?hJ7UJYPO8%nN$0Rsm6rh%w`a-?)oiMcX+|*kulN4f z{QBTeS4a#I4La!i%d3?6^m0&Q?`7U;mo#D=Sno~_!^$5MFjyHO!kC-!ul`6SjIdj7}GzVc(j5?0)-|NC3b95xAEh1Seg*h;X zQYQ;!0&KRhhZ1c;J~uQjc6r6a9pI>3qMSL{_>1bDoQ>weXY@NMmZ`^O+os%HR`&w) zPttkfQbCoJo!W_)&(H~?EalsZR%Bi8JlIx}FsKzh3*90DmJeFaHxWkFqV^$46{y&l z`Jg9n#S5XQ?0J6-Z~%TdSX_Cdy?uBIG>i|c*Nfkh7*VRCK1_NRPhREoBuS9Ypq;mVjfq$fwFpnS(=)64e%;dM;NE+(N) z&;q|Z3_AqIon<%$1o#mn^_6j@0?q0~@^q=a7l|;=QiJQ06p*yThY*Ef&~8Um2Gg;=p@D5 zPlJms*?p;lp1QLRx+}S_Sp5~bS1qA*Tultq@5@F(xSguaz004;dTn3*NH`Y>a*2A( zHQYg6A5ig6RUcjX7S5%u0jN`E_NwvJWJpX1vU@46X zR(XK%&Jum!CEsx8N?CX5-pXBNkn-B)>}4eL>M1t6KkVCO+vU~$WHWkRP;HND=MNBs zF98u?#*E-4xY-QX+=JCYwC>T9bZf(BBxii$CW8l>Ri)*if(c>r=sR9G#O)&1-~DlG>ok?~OS>Us_-jAn$MPdlS$^0Y86)LhIKHyOp<7o% zBSy`5ExoI@)b2~9*h;m6N!H=?sahoJqUQXgR8w@W824eAXkm#}*e!Z`xy-N0cuSjW z13rO7P|}R}p*}@S9=1 zN>yBAD+hs5i^2AW2$2^BKPC=UTO?TM`o0bR`y7Q|WtExfRdUs<%)xH$c2+aSPJEyl zAc6#x8ds2s^8J`#DiNjr)%)jHUekL?y$z4xc)-bg;fRl*f#Gxw(SO2m?l}Gz!hLLu z+Tt{z{gZ^PB>C}}>qk|)A6Bt#^_3CNxz!)MnPwU?gu9(R zD&n!8hzwSHgL-4nMuz@f_};*$LhS>ydYAZUu+<_Ho^u^fx%-w046)au_t6vby;a=B z6JhIZ^j{<%JmBvxNTp>4xgnop1F(T_x3cz&l&2(KZ;=?@#t zB-^nU@t8Y<4HC1!?t(Bp0=K$V^38Q|U11(<&pU*z)j`xT^T1~2^2@+0h*!@jIoLyJ zPRd**bAnu2(>KHZZ$fa1ajg zPpf=3+l+sip{Nl&0rITW*J>hcouBi?%kSe>zIyl*Wj)fa-Gr1YPd3@M>o4)6wiX#z zCQ@6EWmsF>2T3ID6y5v9&>~hj&Hy#JMfEGb7HO8Jss zlU35HzoJ(1>>l41^w9beoa{z{29 z`OEdlB&@;63%0p_LD4!cA@O9i% zRbG`guR3b1a27$k?_xdWGpI}7(={yn!0$yASDrp_Z#r3xJYD)-c0M={nA(BqBFBrTe`&9lZ{#9g8-LRbB6}j 
z5hVK>tP29aa1N*qi1oORq3iIemLcB!ACSmg{CVQ1NbKVxjp#HQ1~&4ul$kjzin8e8 zRgWped8;A{bm(kT?!(0C6i^(usd3-5E2VptYmg7FVXtrnQBmkeHv(`ir|dKN>V$?- zBNGEMA=(a;K1(`Mp|E-#B5kSe!cw)L(;Xg%XGyB`r@@cEO5LyT+tXq1;QZWNtMkfh z=Jtje?N1~FtVxvs7PcL?4o2NOEpJ?`ToZ*F?sbyU*hC}LUapF$-0SJPWJGXOkmCEu|Am!#w9@SMp3Z@Q~O4y~g_$Y$? z9n?ng?N~GJPO5}{Zw<8eU6V?d5!j<=L23kZb}~!GD%d(0VXvq2Seao6=exry!GM|&SrWC9rkf10uUb7|zo5j*Sc zpq)l!xZk4OsvP#prygKX!a3ET4+#CAswN)a5(Nb)leli#fF~!(pkn9Pf+sR?l!P%&m+cW5`UHJwt@JN3)|?C7 z)xpqKWb6T9+D`g3eyJ)|wN%pX#q8IMw}<{FdFx+mQF}M41t}e-tzSr0W(_5iuxe*M z=c0vmT>x9Vb-*c}vOnF^Nma1+miNrT;ZtAuNB`dW`kUXI4YEH_d?v(nnS=OG6b^d|vg^@5 zb$X8>xX@4Qi-LSj##(msiqo-u%;-Ee<*VH;{! z;*?7;Q!qfqe=$J)#LpoYx#w>dsP-?p$PYGv1k~UfwYl|>pH#*v)6;XBV{2H1Lo(Xe z<<#WlQ6O8_pOTEc*xUt`Ypbgr`IV%ZwB3T5SPE_+?zu4=&0UYccn+l^c1~k8&%n9> z1KjKZkL>{nbZSRfq;$^kW*KVSH6=aw9@`#LLJc*_RY)e~!3Zry?kA0m2%FM}OwThn z8!VYEUC_|#$+NT#ipQzBkUiUr;+&se>y*wMnr3uv$)+3XT{WIi9^}ZdK$*yF`Psg^ zyh^H8p7`UJw3sf8%d_I^6lVtC%t&cl(9ZM`f*_bih4AsC^$+f3eRXKo?)Zq%RoHUr z#;a)?{L-IS-EuY2@k4A~Uc3-v)`9An#<0adLD|}*F}LN|kyqUfuafF|bC^SO0LES2 z4n5rgwC`}~N0QpZoQ--w+4Ax!tUHm)06vZ8C%r4$-crsIorh8Q}Osz&8`6Nx7G z3JM!Wad~S!^+PY;Hc2{g+*!<;pPbRLf|#IaP;Y8MH%bpAS@2ehBLiD2N+RwY{?Ucz zw5jRnD@!9)v%~tJ_I_hVHG|8??v)$_$ji>&33-5|8@DCGIRL6d)(G=+QD)KzOT#M%QSZ_0E{ zhQ@g7$@#GpPd0dPO?=U-D0kGCCv31jZsOLb%Y23*pN|eK^3&Y!&%T!*~gm*_}u(r4v6m z7quFug>0iQ>>?*(JUZQ-$X%{u!VZkJhT0BjJyhE&UY)xWU}OB$adYUfka(*eXdcNY zP8coaSsZG>7TFu!NNerCU%)|4#ir-X(a0o&}908$80uly=}x-N=uX;|R-u8nSZqK*-(ua5B|>-JW+E7*5$3@Yiv{fw4**kqlf zYD(k}OzMRUXH3?yWT!VbmDcZN?g^1mk| zlqYSPKklUTaG?DhVAIU>lSY)aiyzO3G#L+?u4h$K&$XNWm=iq@(WQk?GH<9}@3@gB zxJVKglqF}h&P`|?W2|J)Y9UWc%k)b4eg^x8D8B%c7^pj(Y<8TrGvQxyUqeoXnJYY{ z>@uk+jKG#^p9v**7MkPj)vLZ|dc&y3HaAx~P+|-Tg?rILmsxxh23~9er|w>ujW3KY zN~d(?pY~Arn4SUk5o9_ojI*`ztH!*!c?{i~SqsV@#c@6~jq&z0@a4#%M%Ht+O3fX; zB((bb{~lBgQqNl=ePWE9 z?!Gfxdw3OP6;xy}4Ub2?Z(1?ltdMJj1CCgOE0q8#D9OF8xKfqI>Yk)Q|Q97gIeIHBpf6IQn>Nm)EYLGPXRt 
zitQV9a1j%mDVnKf?gG;bp);l0ok&@t*>*JnnHp*;^}K_@KT0l{KM|JYE3KBU>kiedU*p@#C}3#iHGqwNqVS@0H>(NeL}Mylu^=4q5{45 zPrZ~GOPO0O=$%uUg3ee*qF49~^r+R3Z+L5Sz zD(!^WX???W^~US{x6rG?mfj#=;Fdj!b=sAQ?raL1vR8q}W+?na_7c`gL#XvWhpui3 z@3J?iZi}{=-`+1HLs~@XK~1#Ut`g*rwjtk@WF6F;KzhSs29l;V7U4SCQM>UINBC1X zU2BlDysfm$t-Vw5BXqpSljwMAp#w!Fq%K2BcMR?SQBy$hom#X?vKCSXCX0JGK)L(e ziHXk9q*6OSK25x886IY+D423SwUDCNq_jNe=O z6MsmJGIN7DGk$oTZ!f|_u*Vs7U+59kB;{BUtgTd_@GTmK;S{z*efGn+anhUr)NG2RL8{|Eu}b ze*fz4XZ`(x|2OURwF~~Mz4*WKZ2kYAHF^KWzj!DATRn#V?Q^`u=3tHt+jES-RY4H@ zd{^)rO4~2J?kE>XvfXcb-JO3U78+0=x*s&Hvq7l;6W4K}{;O%X40&bvmN91q>$>Bu zexCEb&&$4PuE}3+oBh?DmU-LGd|t-R@<${U*dp*whbBPL#{m>IGKw|lAq^HkfS1n( ze|CMD8~L@?R67AvH4W)bWWUy$$GV{E^^U6CopSp7onO^A5lf=vq;z&ul2+AfKl2(z z_(jjgiVf_xJnxE(HtTtAsy)ExJ7Xy&qfl|ekEy8GN;0|(IY$zzzW~|_q(h{49>FJ) zq+E?QNwx((eX;JHTi#{3m*crO4$9C|?|6(?eN;i0!b8>qiV*UHvkvt1YzgVZNR8$)z)C~@JR6QPpDlCCH50ZJia?!Ya zxUoM{MxhC@2&U512ZpgvPFRadP~-_I7o87x+vmi`V}JhFMMpX1!0U%Ia9=}wSi99CB zFWN#`dWd;YO;w#Wi91vayYhGeqh(A!tC4+}eJa=~$|^DVS+jbNw1*Ww|Hp?BVav%12;}MIMu1ngdWK7-I+ETxU@fpqJWE*V7Y6_Dc z+{7Dll&tGSpa}5^YA1kErm82RHJ#i+LkV9H$f?CWYS&S;_})bhI}cdvrwJ6RLMVf|c@Z^g z1_()WnV2)sW>|+Ld~~*1Coi0^PSW!#&+0q z3Q25eM2@8>J@yGtu{%;qrbzHZ%R2D}`4=!-nvA#ZUekP9D8<{|Bq5}2ZBKg3j-l;j zEJv&ag01aNO`=9Dq73V?eME%>r!L;$@`Pzj$=DtRT>$x*_PL5HcZjFc;NUsPO?^oY zWf+7QX~S75=J^VI6boE=5y(;Q1oSiNJQu!a$?B8cc~TQw>MH?_pb$cjH)VG;ly={6 zW_gGClAY8kiu_8v4vGk>NprlQZ4)(Z;B$I-YjeFFZf6Oi7%gZKa=MWQ#Db*sFnS8g zqv&j>(s&i;u_mN4=@Z~YXqS;@QK^rTbngLV{6PaN>%ee>W{Id~7;EkuCpF(|h{xJd zQr5cm{AwwdyV`Lcrjwq6Zfzov{3PP8n@j=alL4azd6JTRL=$0mS{Ny0zFN~-h{Dp# zH~3zBhAFY<>e7bgeNyYvs~3aqR`DLoSqSMYl2cS2a^6XXMs6BkQjYzyAm%WzkDJAh zDKD;eKwY)eH*HTSvA*OpFXt1tyEJRciDr#?eM{YoVyEcEZZbdm)k%=SWw1kIoqRhO zilx@4{pT^X-P~v)<@nZuuwoEGotAd=6Wx7Y2_I#&Ri!(p!vWMxUQi#z94*rvxRm}d zK;uu%dXh0@!#5pe_XUAqv%+L(4AB15E*q`N$t#g^PLDFCKZ=J580yYWT1|*VNSL#a zdR*@s3#xKk2fcqRcY!MD8m{2z@m@#kT@9!=DZjvbrp`iXC@KYd0s0xCexU3ygM0j6X8*j1{*VmCLLNM zsd255a)KoORGy=e40qPqtyq(mCDQqj&fK>?PyN{zu!~oO%EM8nfNSYVTzp*S5U=8) 
z(GO6B=Q9jgnsa9Je<2H|z2LUHzVvs*Z7Z3_B=jinQrx?2~icT2gBEwT;&(0)M{RA8zGlma1^* zSVKCCSw%QD7OhKBI5|EaZu4@!46Ky4nd-C5q9BqmfsEaISP|4DrjWGCRIn0A0o?Z5&r^262&F=w8kJm6o5<=FEGt z(%i2?oN@TOmxK8aF1CwmKsvW4U4ybxiB?#Pk*>m3z0*5k+EpJzcDO*&Bo7zwKj_XP zrw`a(kn*WpzN4tm-x3sRDyv96*Jgk3i4FP9*qtsmm>*ibU;QcSz?N2~b@l;^%qT6b zHBHk{OPJBZnV_k{8pY5#3#qmqCI#(6I^&3+ZRkX1dh05jw&pd2;sfk%vQ}27vE`wC zF;Du`e2oVTnI8bN9wKGVq1Mob?e@YfzdK&rJyi>$Dp9x(7iu*^4#M;-QV>HSBlw}1(kPe=@R6z<{Y3K)JESesW{Y zof7>pu0B4}a%HXc)`;>jJTJYGb?Ck%EjrKl?ic;|@4j<&rQn~37BjG9(sE#`yQN7c z+nH6A%#<)H9FH5ilOsyQCNzZ-#y;nJ)*qIIbz!TG0@Y5;iLxLyvAUZOYj5J?dOUp^ z8R7uvxed38$M!P+G{A)OnK6Pp?W<@NmFb@{GKihX99jeN*xHD>Da~3LH8B>+2r`y+ z-T>O$w-V&`sjMau{ZZs+HvoIMLH@wD*mEb)kw2U&++&pfClXF;1 zXWNwWRo@J(XhpmhL?nt{t7U3r8 zjqC`)E7qgy()vlQZnF!Tk(|->C3$S7X5;N%N-udq+)W5fpuC0ME81L4uEfkGl+zfF zPotC;a4xKTGFp3#v%C1}o;q{?9|Y>9dcKd&Mg;`I!sbAIg7gD4w=OD(_yPv{_w-RF zq$RmeLn??D>U}CcKuD2(fQ;EZ;%Rc6niTml`@&Ch5E|NB?<4ui`3=3>H}2S zvI-Te5j!Py!8VPHdVEBErrm^}!ajhHESc~Vs*OmEw@b-UMP#Y&Q#*&X5|7hIk$Q_6 z{4pbXBh#-2(3~I>pgDMgIvsIG&JY(VuH01U53iL*KBAs=?$*)7@4xN3u=vIRoNa~c z9a51M0C9@FPdex_#iteDft2y*zEI?2Gw?I8XJUeW%FSq1Zu}ezjGmFIqvkL`<`HFW zENBij6L4pFvU88PndZkmLM9CzyPhYJ(Y)w$Ncl(NzW(ABwlCJ6(BF$RY*ugCgnvf- z32l+apAr+a1yh~YvSnCXN;`LdK#s<31ThEo^2xOs!SX!6F1tgb?L}9gl{A_LfvQFD z8ukz3U1r}8*iGml4OR(!T6YWfM3xqi@G< znkz}-Qc9%Qb=8TyPRht03ky=V1+yk`Xgksd(R;ckhqZ2i%^TGm_T|jbAk^mcQob%W zUBuTx03wi|DS-InRNSTr=Z5=RV(H1v$OAARFV)QB56@``ij2$wx2e)I5AU?^?ekSc ztW)5;iRIbhUC*BNTcoO^05uv-QG0BRkm?V2;VQTj6d}8FB%1cCQsYjtTzqb(TDRF| z<$3;R^ti(0AZFon04U!+eafdwr~-=gwsM3TsAOIXvsTcpza1R0No<b5Q$jakSTc zthDIPA!9mndKKyU-7xl-gc<%xx`4d_WifFn4huOyUVWEx^0MjkN*f4l1LGd2g(E1RP_{I_iY#R@ri8*f3<{xBSE9Fq3_ z&;R%sXxmF8vCW()_TaJr;5m2SJy!5;?#(}MLO<&{8?z6)0nK~%l1Bc#a@d@{QVq^n zm1QGo(99HzI`d$K8WK|^h*GWt2&wC*4rt;ly{y%GzV-NX)97bS3pu}F<-K4WJ}C=$Uhh+#%LrMa^@{W`Z28m`_^>K zav0_aFWX4~_k6z#Rb!ARV&`k4a7xR^fT!Wb3`Y(yb!k4830qQpLz1m*>4VnGm-=nq zbH_G&!m^XsrgiV)zKFmMBI*#xajop!S+nTtoJ_(kdwUbH&$`hIIGsZ+dS`4ZmbRX{ 
zy?IA!S6b8Jid7{ZC!vv!Tqqk4W8M;i_#;&9zYjI~mvB=M$-V#n+hg!gLARzcOOa1e zd&!tXY&E&DgyX&R<_Stp#ln5xruKZFbZ&Kj1)$E}$~KEmCO^1ykhVG2FLBZRv7-Rl zF&>cY3oNJEE-Tyb+q8dD#>Qp0O=1UQJs0#vtKZ4aqE=(kNFSucV^2U%_Sge`Gt%G% z9I9lzWIuuI-r2YcWMny5y$BD?gZ^JrU#R zMndg;l_6k#?3J{-DeN<6?rn;dZQ*nBjn-7`%b-b2kx*#}k`(HKS_ygZU~=fzXuGeu zoZZ-5$!o21EBi+*KfaltPKZw^OGn3Kq`--YEsVyv64_Ewih9DwJ=K$!!KpMCKqgze zqTPIkmOxEl71A5Te`gpN@74{1zW`ith_}9VshvYbYkRTJO>R2(R;hfoe_@6?BrqGX zpa~03nndfE#E=3(XD*ZZ!dOn1#6Jq*YMGuM71g?9x{RsLBB$Ga+VMR~$mz6^`mZsI zK>m%~Q-|H{B)u87buesKDh!&j`Zq%kCd9z!A3Yk~MVgN32s$(?MZJbk8+L3)l_MJS(c6Qs zwX!W!a%3~me9HZTARI|O1MKHh>cA^KER^$#+D%2*zgpbe^Q-aFduP0UB=}0#?NfYr z6uHkTX_4DulvnPILqmlnT^EFhMg4A~E|S9ZK&#QkF7Lxdekpt!r&JY?)z0ed^Y2Hi z0}E)zn{MeL;SHLwi4(OEdD1UegEE zJ23;h(wuu--|9~K=47o+GkbWAApQmP;AR~OB2sS&Fi4_Z(=St?I z_-yGXPVF1h?(U`B_6+usZ)mD0E}tI66p6PHASv&z^fXm*+g@vB44dT)4CmVn6YKFh z!}QrB9%o-`eKqCiywWjVOz4+&LY@_SsSf;vM~m7&R7XF#S1$Sf(g;wyMc0% zh8b$6wn6t~*AW(H4d`d;>2JtF`-8OO7ZetdP5BsUg?JpZpYS}W0ZKfqfl7br4CW(R z7PKF_`Zr7P2l@oPYt!EU{I-q%zcd~n{1o~Xoc^pXL_Ou_Chr1m^b#@?f*Uu{ue-ee z9JPe#K~DLF!ybiS2OYnbEn%HR-Mu>t(+husa+Tjp`;V&(pk4=+UOKUUQiOk%ocI0~khJD}^`6&SjgUzq#jDvW4}B!_uKqbz=1#Nmo=&>ZY$+7!x=7;8 zIjUiJdrLnYs1$EI(+W`=Ib>%v>1F76`qV(Dm#!Kw&4ouR^40FU*hLb4_~_o15R{*v z@9={~3WL(P&6pAV8O2Bey-i|$SV@O(tI8oe$P#@S#+vYgJR|}nFoj^;g&*Wk)fAQn zN8i4^*EEI{Z#=M~$^_*i4cag2|d#y>iK_+lrtYpV({1!uSuN8eR18e+Ea zU#=fUPsM52mKv2Lcu7g#n&XU?GUhe)iZ0wxDfABnVp;-s7h|VXc){wt;mTM0C2aYj z8^T8tdtsYvkZdDHjREC2D+mROSUWXrblol5V@|nQr{xE&v}nFlUNbAe_fmnUm z7_lfiajr7azS7`k(lhN$FXnx6)TraSJr6IJm0^dnI~pbH)$^HSCl>dh{ljp$C}(0< z-VlT^LTD%y8_nG}H|8Z;lk=MVi*2W_6fdo(bvNoxl+_8_W#rx<2uGI6op2jmH^(tK z8pLV;mTU82F(3FF@8-R~{I?VOKge(Yt-sty{2Zxrl9Dv1e=XAXOD2SVMNJ5Mil2%t z@>ec2=D6=KlPdO>dTl-3hy-B+i6JvWphwEWXR}ghM|#>sDB{;mER8K>-Vk$0b&!rV(Ly z#K(=QxhtaNS@p21UgNW|)z8#8?gS;y#nuq8EQWzA$!B56=pu)K-9&QI`$*KGb z{awsR0+ON#uXGGTErB+gPQlCVWNS^-t4Jy^+TQ>v*<& zWOS}Eb18gLE-6V_cw=50{Rt^Y9)x)S$wlb_eS7LN28MB&JBU8XCCPAJbi{|vKL>-j zRYWw&&t{Yb{DBxY 
zv*+>$KBibx?KesfYs>rB{#5Jz;!0YGXNa3RxG=OMPGq#!?;f{R}Q*?h%lX!|@;jqmhbhdbw;Z%GGfXN|y0 z;&JNU;LacSyu_y8*7n>`A4tg=AF(Yvk2d08g+Ah-bG7?I=6XK_6pPleSaC{ejxs+VMGJZZ|N3tBh9HQ!I*SV*1RD zaNjL(nuWRmmTrL5d3(f1HBrPLt6&4WCq?b|m*)a>nhwOZ4v+XF+ZrHaNr6fh;gv|< zD@`p~B#qAYp2oO2;AYh{GIV0V`!HTJEktj4zRa4fVypT~?pv@slEcjNq|kQ{%GMI< znFBdIW_kS9{`)(W!4<=)F@@X`h|hWo(HMvp_quwZD~T5&{g@bnDe?iD*NBwu=;M#* z@Yo<hC^Jn@S6heQ0;ARc;IN~>JHqQ6Drb~ zc9nyxk)Z{W{aPz6C?;O9i*C2kg~M5x=F&v!xM8$}msc$wa-3Nf93MG4^)ucE z`p3ed?JmkWER*j@(CCg;6HP{#T$ue!JjmYs`hm#5dER3lq!DdPHl~G?FYfSBExHYl z3U5+%%`%*HEX(Cln01MCHZwd7&$(?M951I#OSDUuyCesB>Jw&ij7w$osxgiU(~c%S zN7QUxU>G&Jd;{I>s?Ux8_SFVv$(M})t*>st@CxAB>uCrY!S!%$3SoF>e`D{ny- zr2_`4in*kYy6f#hefJ%jNUc{`8m($Ez)`5^m+dh9$s-vrP8cs){grs690c#NtdZWjKf#i!O?wR}AA z7DCzR1)?#%{6JsKK7>L;P@G)LydZS-;mDUE|EZL7)E9WPdB=8Uq zhRz-uRqpoi{AQU@5wnKVrKjErhxg~8R&(JS1nJhi0C=3;r6$@irjvLyQ-s&e1N7=D z3=a^6u8Z#W^@B4VN}5WZU1pi0bjpYJ@;xZqvO36Gd1++%B{u#Mdf&F}YJ-%xCb=Z> zjZ23uX(D+j2wxSjP{+Fj0=6h(Gge*_+wNeP654i|~MC*kYYpCkzef(Wm*9^%pA^yUhLrrdaLG=tSrfS-c# z^hsqI8MW)m=YaO^#k7X!o((VBLHgVX3iEp#YU~9UF=4!03RKsYYQDF^e~Zm;Ksu*O zDta${1S(1|UQhy%G)_qn5i%QIiKJ%x4@p17fRLwty`qNAIY>d4lPGk$&YK@+W>Z@^C!95Na$TIqR3HFly?O z-e*8aUwIpZf6pX#GO{VXZk~w98YCi|DJF+yN0PUPv*Slq69dATe!VKQA?iG^mdlS8 z1qohcu%_7ubuuUQsis9OXn5fn*g9HKG1`=QocLru-!vXQPEtJ({qWx5Swrx24w_tcY zvE+0&tXexUQ2ij^xL@5WvmNEOcwp{)Ih;>kyeGaqG|CHQkEDk2MxbmEtJdz{0YW!5 z5=(I3p$KL_UIb%l44N)M+@YKX`4^r)pzuXbU2LeD>mtv0Lv%u3dGJ@_XFb)(X`F=h zL~(2pU;&<)VkMMe&=a0rPrLEH&iy}L=l&&vp0!nbt<(?O%!Qh_C2UHld50C?&NF4Z zLmgpOL*DRBM)CkgwD?;mx*Ec9zn=i|z{cXL_e~At=V+txcDQl9lzu{9Z|`fZS1Z}D zrHqF{SB)nb!6{{put#!(t%oe(VET}Ul|oItuf^<{=)UI8Xx|7wYL%~}j3qyCEUPcH zg*?Jq1A*&J4iIH=XpJq%2O$N(h|l!;wk82P50(c21>d{ zS5%5kkTTFe4HscXMZDa83kxgjK)%eDfD{fBk#?kdbG9S{n{3#{I_;b$&-S^lAZ?fK z>KSSV4vEgx+Dy4Bk{K{Irku$!kfP$ARB4ef?-_K_c@DH>AJn(+mq(&*7%d`TElQt8 zU(yq-Hw0knwJdMaOWpQsQ74MxiTjKVRp1G%Vzg=SO_ph})F6vI|AfK#9h&m9`1D2SEpbJ)!hGB3G zf=Qi=!A(fwD+G0;MI@5-YC3r)%6R4R0F;_KrOdOhwLCB4yVB9kL!oOsN5b2me)?6A 
zxgdO^Oimn&C2QJWYc1=JtI-HmPwNyyb+Cv(FHFZ7wTpjTf&(w(jK8{(eJ|3{LA?AK z((cnzG5|7rN{lk<3kPVZ28PLzfyyEJFk&b+A3=oq*y<6w$JDCoZ&cByf^NjmPF>2* z=UqT?rYEuLbm&}8ozNHWX5_Hus#7d~Pj-P?+6Du`#99V3cH<>m8MF7$bf;S2rzwa~ z&|8a4X`#gpLa^lJsd7;=`)*-Ky!rwEfKLx}Tn-ig?(IWD2_^hd&GN+^zRMI}VZHPP za84Ua12h#Qw%o`f{N2N<)0Yzut9I4s`M#)>FYYO|wWSzDnZ{!|V@dk}O%Hv5B-=>S zQA_CtdGSrfiq4n%Jr#pv@_c#gKDn-^x}jP|@+J6kCnB<1Q$7{e^Wz=vkT79OIVqU# zRlIWOwN|v95q~Nwz_?ksz!uWO1Z$`5)OLF-c2R5>Wm*3v@-Lsm|FWD^JvgD+z-lH8 zo8`8h$S)K7tM|+h`ICelSV|N|9$P*-`*$xiQ1Wn{vg{vRh;er-HaLusr`Z(MRF*L|VDzg3K!>f=AIT#^-2^zRA16 zd0?}}qWN|m?2Cs<^Q7Q}L`DJPW&GGkxc6%@OE1(3w*QSTih45C7Zujy6ZZ%o1E>yS79 zd~!cFjaJX=6qjGL-cuai<={fH4t{habxpGWrxQ;$MTT9f*|w)^QDv6R_N018(#Fi- zxf?xQEGp|comt$?o3|Ad6ghi|?i4uV!KRcQrctp_STpKjz1LcXDcHPqU@?XTEU5JU zz*Y=}R&5Av?HJVF;!~t4pxRql9+QDHA(=?GhLp{XPDCl?L8I~-DtdyUIEtGBYcU$q z4`E+J?4Osdo)uQm~s~m&YvKYqX6$_tk)7-Lq=CcLit9>p#s-&86s`%4j?^mf3a5K%s`#sXPgn zR7sk3SklThNU(J!_@<?3tQxqkf$3E82nVLVnO4IS>M0vI^R{vJjkdC zERg9^?s1^)1gY7nb~IAO{1zK)r=ow3*9#oav_ph}3mpbzw0Hox`~KPrOvgfn>(N`FqU2j0;}6+`zS+iA^ClAd*%i zm_Vi>f}s^KMTg&At<>e)95h=V1@x**=_U_~kMy(DzWPb4nvdD$&$~aPC9r3`h#Ng7 zmX5pj8`r+~?EgRa>@VPDyHGeQ-uCSOiY@p+q{0nxrBg~v@DjI6otoX0X`XJ{l$U$^ zcW`}t?m%X1@Aj^?I86oC^ zVIn~0ugD9D*b>-^FQ32BMZ5DLx| zg4Qk84X$5IGlN0$q0WYbQM%{WzQBaEB}&Q>+e)VW5^fXmt2nY_PHJU zrKFeaFoN%1{5idUHfLNW+toDz45}k#VedLD!lvYRv&p(!5BVnE&5$hE3 z!Es_l76cg&V~}mmX&GB2UjYES!r7x|j}J46byO;F*o-6|FILumJY24#o+aHwscC)A zXRi-uo*A^*{Y(Ni@BTeqFm?zBQ+`TWBddlgZco+T5crt;dmOhLIMq-iZ;`IWSHq#XBV^kSuoXOoR3KQOyaWM{-_KP-itVNg>!%ZSNNdsBG-c|nV6lcamjlau``aQPP z```UOi|mh#%Y^F+$c`@X0LGc#Ul?a3SM3U}(u@e^y zu)maan{`qri1axTb%LJ)3e}5&6P1gMnMPa7#vo^V5iPh4ZY7K58cNEm8}-4_Nac`- zNhDr9nCZ2fW80=Ac%mhrJ8AnuB_u&6m0UEF8+*{l;v-%Np1XFLz6l z&B`evr(vM9frHcl1g{}mW$!t=B5ZjHYeJKi&kJ0I^Hfe$YTo@i0kgtrQJ(Z*gA#`^ z0w&6~oP{8R4Zd>EP1Pv=6h40?Gu%XxFYspM^t&xnob-}7_azXoz1DJ%RszODlOp7< z8H}|t9B(*24s`Chvq+xPgB4Gfe*>H09xy9^KWO|zGKlXhNdLA98nn8v<5ZBqq_nq+qQsA!(NPlB_d1a-KU0isPEO6n5NqTJcz*}9|Qh{e|x_hokOT??;`1&8nJ_j^e;;;smJ^qom8 
z@^LLwR?o<&A!bkW1JqGJWfpYJ4Y2%}_SnCvh~kq*v*ngmb-836d#$ypF#kdRNug|& zU0ga-sAQIIKg`c&pNuT^Ij=toSVp_AeY9KqdBF>MqmvFMK6a&Z?MTfgvG!_)Ww*>k zJxX%A1>Fg1Mw|-5>PguPxPxsHwPUkok-gz)6DOvm#p-Zqf#x#!4o7 zEYkm8s3ZGxec~374S@|c`8Q@}-1NLRHGf-@|GJ6zBj)74`Yf25LNGN>U}|RmVrt%L z`SXscu>@0d|8llO_((+r^eT0NqLNn@NC~{oKI<=h5JwI~mdXE8O`ym6WLfHj@iFtd z3vu4IPNz}#0HY#oLBrjELZ?_q%WX)BBnXFpH7;TsiWEi{S)6MS&0L`>!X2t(AM=^p z*S<(X%wB41C{OEHleH0R_Wl8{Sso%BHVu-K&=ExGaW4xtt6WM7w?Zbj+&$kJB37&) z5e+SzawT?P&H3~5SSv!O^%D@jS~?gvhKS6{Zl#Z&I~}sxNNS1B!j;Ezy{FLJOA$%5 zOP?hGbny4u5RdjfN(|waAf%dTieQ-V6r%VuWldpRfx}7wb9elN`X2P&ACTtaS?|)) zlEzX+M!0hT1?=w4}hzWilpY}#pw7I@? zNtYW0K4TIv7f!Da2n<~6If4IC8#M_`nqBl$XwZ#;_Sw9pdGpk5K7&rXrG5SBL5LTB zLi!J{wde%4vL9NRi){AyvRPOBrPHqr=gl4<mKLkoVd{?U+GN2o1luj=GuVhv|&&XSvbVIQm5CyWV{$z~PX`n=j+i zxTbPCtHpyE0=T@zYj-NE)%F_2%q*ud=$EmIAzm zI@U0zOU_3BGK77%Bd>*7id5O3mw)L2(P{xSqCfj8?BmdR4WYY&x*S4ok4`f8P+QsB z@t$|vH`Gu*8}o=E#Bi`|v&W*OG@HkvaaQR&k_;qZe#66m?UVkYK5D=35C1(s`Tg(z zd*jtdGy}Atqf`%0hc|unpqc~~LZ7qj!Nq?C7W}oE^w+T6PS81q&YDn8#TDT@4VPGI zqol^WMISSaqVDkf8(wW8#}S=pTVqWO9}(DyRCW%^o9O`2d)`G;=UV z8HUIMpPxWj03`1LbxDePY!?C>wpAs36wHXob#(6KZkBK(;Sh5Vira)WsK54F#u1hV zOyC+Ri0k27_cj9~=XRH=&M;#@VyBkZE7YBgs5xO;b%c5HAoEb1cL4sy(vkdzrQJco z;n!Ne6N+Mke4$chPpDeLKS%0FZ8w+te2eb7{*vZXDwis{aF%XG_Z|9Pt<-KAr;JKR zds3O7AsLM7I0gDt**cznY{#T-&$JIp$bu6Yl6mC?morjaJjZqnB)B%8w{N<2Wy+dJLN)nqNE2;%Ih@=`X`$O>GU@Hq={4BLcicp)Lhphf$6r?=E zS_&$QCDiQ_$M`d-X{W||pTnL}``nDZL!j6Z+J}*u-6lz2`@{$?5}wK?FUq{L^O}(R zdHS?X$4}4Nw)U-Z!dtx*cV)QYLD;f~p$VjDrkzEm*JMEH;V|Tk-csRs|MUOsc=+RI z!_K;?IFCJ!e-p@x{JL1^_aO3*Jm3B%*4^X(7i7`Tj^IE0_j`x&Kha^F$DD=yYP!p^ zxaUZ+9dFQq4lK>w1^a*QYxf7mY~Jtf|Ji-|-#G`5g;D_F6W4`PPX-0*Dzj<%VNmL* z+Qb8C&2d1`jjBC6-|y|W^+5g;_v}CWO!JsCN!_Wm2<-7p0B|1PZFn?vGc17fumC1; z-%NMz`|18)G~Lu0NcVLSQ$B+U%Du7K-ril7==X+x*y9y%rr+HB3y71x`lBbud)>1? zX!`z5h?$Rh<#^>HTcPF@gg`%u=HwM209$S^2As%T$n+dM@ZNI&uZbMIX|J^~a&gFC zw(`@eEFUA}i8vGCLFq?j_AL}bAcnIOvSpCE9viuYjP6c=Vx~mU04g(Hq_7^{| SjDPm;_xAcf(_U-8Zuviu7P$)m literal 0 HcmV?d00001 
diff --git a/screenshots/setup/snowflake/step2.JPG b/screenshots/setup/snowflake/step2.JPG new file mode 100644 index 0000000000000000000000000000000000000000..4709082183969d0558a19d35894dff79867e2188 GIT binary patch literal 66414 zcmeFa3p`Z&-ao#I(oJ@{sKm5G?1aj#G-hg-gl$iBQHt3@$Yl~TiN7tF=XtoeU+_Sxs0eJ;;=p65Kj^ZcJzQ>&IW>+=16*7y6l zyg%>nhwOu_7y82bkkuh*!GZsyFe5WUVpkgYAW4T7L0(4qy(kQ~@s0RBJ= z_CgE6z9QH=5#x5=aQper{I}3X2wM1YY!jpazFz@;wgwxtX$<@`|Lx}wWKHmM z3G{UF+idR=1jMoEN4Zb(Tm$6xHN@L>kDE3Yqqq!BG$Z<6@O2M#*-Z5H@e42`ns51Z zcQdd*f7oCP27S@(oSFT>L%*H@elp+kYg>YYgY|v&Ue^E`wdW^uQT< z0VKab7owhDfX1&kIOrbWdeQ4bpclb!^ZX56&JuzG&9?*vdAXULb2(>x*3HdW@2rcV zo8HcyZZ3K*ZiYMc+zbufOpSN$-gR#0*)6|5-p%#5r(X!V==15>ZmtIIKJLEmet`i% z8aoZP82q8p|EgyK5&ibizbSsuM{thWfs5`gf$j&vhM9lCdOP;$?bvnfk1t(+_fA8! z!SBvP8_Wyi&l>u#ZTUYXEezVt)y#Fi?SzYec>Ga!|Nq|G_VL2}xk~v%FTue-?10;Y zvA1;TQnbOJKl!gk@#zQ{df>X>1}eC6^Z$d-|K^AMX|lWfff*hQrn0OHIsh$Puwef0 zuOGQZa`T_X^73+v6c#He%x_DUE?>H2$+9I13d*s%=x@U|MjzAp`84p z#h^*cmV*Yy~pgpL5o9{hpnuS9y@-*;p8btS2y=_ z9-dz30|J9C1rtdjkyo!>kGc^Z6Q6K9F^Te1a!OiyM&|vj2M-@TDJ&{3DScX2{-V03 z_GR6x`q#}Z?_1m2KXi2VvHAxFhlWQ+$GE)dnOVL-D4Lt^*8)iH58e8$XTR&$D$uWm z;2p>-%=c@-!eFq;t&(5#<<7;*`|T85{8w+;b$Q8}ujB3&JYT9|XwO-D_F~hrb(%(f zTHN`red^gi*Rd=ArJnuPu|M^z6Ivm+0K7c8RS*`E1f<32zS~o;=j%MiGK$uWx5BWt z*y-googwM1h-1(jItm4em7GY#8k2}fXmg9saIuo4U>Wo{1|E66qVdGoOK;U%lrQS# zX&(c5V`j6AbwWiniFn6~%@9X2Qx!LIbkhInge zz%&0_a&HMG)5_ZeHYw1WWreYQ73R$8$ev?idpLfb>|@+T)XV@)WlyomH?%PX?vKyz zNSsu{rd7&S(-e(R>&8{^-_hS|w*(56Ek)R7O}HnV5noV2=zEK@Y3WV1Eqkv)gOm8d zqk|tU?XBL}S*+Q(Zic=RKi+hhf60_$S0|ACq>j_49Baxq^3t&B+I#bqra0P2-6>RQ zqJb~0QYB`K4Un(#ym16!bW7(txF~+D4En{~63I%c=!it!WHmVCBue%I~jCMqmQY^d<}+O? 
zgYHUiGQ_mW_iY;mo%!fw7oKJux<({+7K#koH0YTYBa$0=k!&!N)uM&mUa)qJ-M)1?X)#bU zhYBuPLXXxX@JTcecxUr7aqfZVX8AGL(#-ey8nic7JzcI+86;*^l*iowiDg`ax}=R+SMIh%Fr{VT!y=lG z*q}pFKK*)|)iRy5$OFw)UxXcc%pp|6Yfrrm*NV*~(ne0Nk}wQC1T9m?ZyjYhCvp{f zD=uvul*9=mZQxz4-Rig^_!k+(ea-9CF*Gkd#-&7J^epdx=t96Uazv$@r>;;cR!;07TtvTXQXr9_9c)5Ie{`E`cS}!a8`|jA_ z;P}DK(;81>9|%iXDg)|aw3T*D`uokiiJYE>hIp)?r($u;He(&|8oyg(X94}^w{Mah9ls~htNqG1NSWt^E)b3pGOlVFXIx)--!%n}%idp0d;UB(Ke`9_xYRK;MSD!@n zSsMSTv2j$w%=D2#9@R1k4Rl_W4#J2+h;=e3%x=fjs4rUVALY|kcJEbJ>h3wm~D|5aSviPz1OzM?|$wt zfu|cQSL9`U8GUu=V*gjuP39&s=`v{Px2ZB{zaAEmL0Txz?NR!Sa*GUN^Bg)VEKK=~ zJN)BI!c^03`xuJPJuYzTwW_3IEHl^oA6$9tX!h4%3@oEIy9GOMvdJ$ck;RnHU-o#wA@>v?vacznGa=9-&Za0h*lOb7z62u@*Pv;iX$vVtZDpiguPj@&jK6&5qILHYI+vVRf5m%Ag;w(SQ-Lo+hXhZ=o&oMNRO7Tj(Mg zbU$%uNO&Vu{Xn5X7S_kr&SEVut71((oQVOp>h6*Uz(f^TtU0pae{wtSmVGqv(G&ak zD^p^0@)CZYw~POi+mLJa@e^jnO4dW~NB-@j_zyG4;scmQ-%c!y(MkL5pNvmJ|AsPm zbTl5kIw&Sa=kD@PM&@{>>Z!7(;w3}HsjuMK(DA3-gSq*_Li_8}f;m5G^wv69f43k5 z{)pT4Y=%P-3QZ-k=wS6fzuAR*Z=zR4f7}w!n$so@4F49G>(*v>X zVms`3)*RW;-FJ4wPf|Yxs@-YouI7pDdXwj#NSU3c?1M~ASkRRb6m{nKS3KO0V_8SR z>ng=;>db79*64|2XkI}72Td8{_4eu`tI;B(=mT%hX zBv+l{SA1crEy5y)f_Ec_w}9a(TnOhp;=6|)xRv(oCSKmFz~+9JjW5Z6>pe6F{YnOn z@v+Q@TFn#2wtKA~KfP|HjWkjZCZnXzbqT_4R=drBv$5~L>4`6x7xfiuDt|6ysDNX4e{b?KAu2TZOAW_-orknY0tgJtVLcr z8w!hiu{SzrQ@r>)!gPyCv*X?(Y7fhtdT!=m2U0i?0`WpVJuyE*nh5v)jO>x-MW~KZ zw{eCZ_DXdvn`TiHU0H3$Dn%l`rM5s5nLDEJeUo#6_;|$2h&|F<607?kh_4$Nui7?? 
z58Z)Xg7`Ph_hZSfAodz>3|rNwN>e9RTfg&>&`Z5l9-rJljGYoZ6M4}Q@!b`jx=*F) zSdZ>dK3@3zkx;vakX4`KDMkwl?+lcRTHc7o8i@4530cd=HO5Egl!2uGc@oQjzstY z=du%QTp1LR3%^j!kwNdYkARorkdA!O?SWi2i$WGw?q#izzQ{!$2ISONjSaEJaO^jT zyF+$xry@cjRE;(A+RPDW(Ou$LrpHm*qRh7 zw}EHC!dt^}E zv9qoEXLj5^a?lMYd?)HH4hC%| zBfz{hSPO3=%T=VQIb$fru&;a8x1+JFT-U?!WawLm!;w}AXF3Ka?o8T~OsuBqa|~$~ zey0~)M6S_OV96tT#azY@o4Lj;QotC!b6WbO4?CP%C4+YM=MZjSl`9T#y=&sV)pgp7 z$*abmXeS9$5?i`I`XECB8I%+lx^KrwTFe{ZU)=qVww341s0P6L1)=d{v z=0CdT-}e1q11beBkIsw+t4{j)>A3-&Q>DTiYnN))(&WVN0La-}m0S!8~$>GemLmQPp+k0^tlPFExXQUMH>m+Y4!b6TzH}SU|j3?aaM4)0y~l$nA}oxbSSP$Y-Kp zvb_3PZJu-MT*QePy=3H6 z8}*Hna#|%^O)I=}{UN7k-2Q3V`_1ojXUb-Mr=1+@)L!hDe6gR-AP(HZwu>V0Qo~$^ zs>FzsORQK^@9{Tyc~JI6D)b2vIk)n@#T zTF>5wtA~xcqj?d)|7xd$*Ji8x4%s}uF$b@T-rp-Gua@lNqOQYzDy{m>UA0wV!RjGi zM;pllz=orTarD7V^*2f>I{DVppD-#}HFR|+^P%Vm#7OIR6I5jE1q1Fhzz(Kt@sSSC z0U+g7P`jU z93GwY>`}dG$wl3S`_{+XIGJyEEp9RxrcH1eK|_S_5pE+Vj68@;BaX*XoGE=brMhRh z1j&{vr#y0I=c^RW_M_5R7HODgn$DhwE^@e40Rx1)$2)uYb69pYC~jt=qJ zm=#rgv$VyfoHoH1oOrmk&Xzqyf&&KPEv3WBmcKBrQ&qX@wBGTz9=7pw<_C_oX}q`7 zr|!|;eC6eyChRDUZQ3;P3pYi#9etYf%v$Kh>6RQUxrA&ke%jWHG?bN*`pHKMh}sFR z6F_s4hP2t((Tt!nnA2j(9j?QzB)VF0!l|j=Tkm*h`G?&;ZB0?IFLB1M1 zFnWmQYo}7Oo>!Xw0Suc3==lM${QIQH2&-GoE8tX}0+2RW-{tTJy zY1@Nh%b*s^kbdtSe=nfi^C9nNcvGU015PT!vdgp8a4K`lMt_k3}5%Fmm z#IOQi#>SkxO8eCSS^m-ZybnAg|M{R)@L3?AoR$B}gTbz0d%Se)SD*H;eZhF0&at6S zxq0lR8#G>XsWJQ7oZ#BbQ?|iO*9|=w*kLps*-{j-z+we`tr62yT1jJ1pPs70#jT{;#xc^&4#->LExSuDgjvlRsaj z7>}LQU49d9IJH*>Wye1wcL+TA*qaqy$$H<3RT#Up=jgLEbHaG1@tyXl3XQ&wJc99Q zHG2U=917xtgUB#~wO4<~-By`TyaqV9?|{_>Y6x8B{18s}a@Hy3#->UmvqtHh zTj}-Q0n11i!)Q!I>N8fQ^0>W%p!QZ`GF_KB@|D>E)44KK7%k!oPCl&?-0Tpir_jGo z%r7jBx6-e8meHJ(72DHiVkJ@CMz76X+&KPR;J{y}j*4HtH(yUbkU2xrYZ1rZUN9JF zXR#P0x&I&I01g!fteY}Oo_MAGc=ME7K~*8VYiR;HeG2lyEZt zbOrzM2d_&dN!({yN$i1raW8o!xb8Swm77(Ak!$LI+~VgWxiL)Y6@PnY(Z?h|FfDpX z%~qQefW1iydfl{7?N(_WbFHHgFaCk6vy*y9KZ?c5e&ly5P~Kuw!dU6 z<4;c{AxuHik&}BfZ?CHNmsi>pUCAer2Pbe;Tu;PQnYE5w-n%NJ@pV-?@jRXkIudVw 
z;H2$&!GvFuK>1s$2Sas2gaH<##cTv)BJnE}Uh50jJ=o$>A=ak_nTy{Bczb&d?G?dW z_MeY?NeckxqQQE4qYnT3OLz`F3^*f8DpIgr+mQyXc&~g@zEggeW-+czj#2oAha3dW zO~k*%Zwx!Ym9rEt&J6GvAR%Eg=v>R)qIe#Fiie5HSPYJaI6CNBKq2Jk^dFKUmNd@< zQckp?_dF!xkCnF;O7uu8|D^<`+{W35j z&*5)utZo0kk5i4W-x@^-<|0;z6=rdo8 zn`L$B8}v_OYUa*snmj(;)zwL79=x`?0SC~4vHrZXG0>>Q65J2bE2MVWx4M;IVZBx~ zZtBI&et}J17|sxle#1r8;=d4<>}f`TBOyMNF3k{c1_)wv2`Lo8&3T;ZUb7&#pP_!9 zt}L;`6y!NuJs2xZMT;p1$!|VT@f^79l+oW${B3$O4;_sC+cDpDdh{SvvOTF8j}jrxoLlLNcA@rty`E%KoN)b1jb?|5!v0A{x1HSyF_vID9&-VuGqt}`0)MGSQ{f^ z_ts<$1ZxO05IESLnAXIKv<-qWOL}=|pgJ5h*moV1OA5{~KUyl5pTTL;{8tNZJ6QyP zo0%^4myeUqz};=^>QTS6iYl=ly|bdh;Z~oOy3y^%SS2 zA;R{qO$=zp3Un5JO6mYq{;L^~l!PpR9a|@BHWgM~ZzOCn-;chT@gbfRZ4bX7Jc3_f z7pL;;G1VSe+Cm>(H(jiRJb41N1kG7UXQ9@3p}wo2PwTmfM{dN45)~wRilO3*iZ+wH z@bVs|FV$9Ih6TE`v`E8@R*W7o>ePEZKlk?;(?$a3;+n&fa&j$dZ4i6IDA2(4is{YF zA+s%-5%YPN`D^~Wsj5FGoXw}LvL9$Z{1c$@5%6v9c(W8bu}`)m?R?uR0tjwW3rpEM z8ZS|)iBZno;!W@y5UTny#g0z{CSKfME{8s@`E$B2zs)Mpn;yVMf7Q1gwVHcEMWgPu zU8VzdO7Saw$AFZ=+is;Xl`YNEpxtDlhrtGbqN&QDt-XMSGa`eoU*yuH3+OyQB}BiR zxjy1OW-|!PZU)&b@tL`F{pHkYVngkhXCDk6^54ASmzf-<(3`9bGh(B_cygCP{fVrW zTK_e@SsMd$TIXhEP${`(XR<;h@%(i4@t3ZoyC0oz3%+F_PQiz?C5DtA0D7S)gAy*l z+(5W`50Qa<&lH&|fI#gu%xPB#u@X&936TKnU8e(@_LQqF5stuuAw06jVN#fYgf~lI zkw&Um_c=VbqAvVBz?JQyWzdSje(anaJn#`EaYAt#oee>X-4wBXE`w^@m=fc`|{9MfH-7^l8PuG31j!$jW;8&Id~*;Co>3(96S4$?X&#L)(4f!AVq%` zPQ-l&ti&6-uG=4#HPRO0Kl-T&kz%k zut2PM+5m9T(vgk*HMHsedjJVbhJ}ObOwgZh127Wel_v5R0g)Q2366rP_}>+=Whv;8 zzy`oA1CgIa{8_|cdVe0ppB2Sl>*CLf;(v`UK1*!qYb*v9dji1keArFw%+?h=+$w$A zEjZb)8ijY9AuAxjrgIf;20mMwGZS=uZc3N5%wqF*d41m+e!1cKOg6p*D`}wdLDIG8 z{Eo5`?-ehTl+>1J88M%Qj-*b_<<)&l>SHfp?cR&3sW7-v(@1pq)+GB?I_dq@AnTt` z3*0&j9lOHGs{rw40yi|B9Gi7h>a_n?5Of6fZz9_-tj%X@bl`YQG5NU8-8ZF!bb&f; zsM~^|sXIhc#{M*V%=7N@h|@C2f8^J5{_#&IFfyqAxEAGYyd@yJl_I56t>gGr%nzsP zmLa?)2+MYv6>#Os=u;<**DMG@#)gko#Cu1@TMdY(W>1Xad*F7n*iR%m#f5(jdwt^0 zsVlmyW(3P1N-$3XyoOhS zYd@_j(M8rSPE?6TTLO<`b;F2J;FZJ53^$4ja1MLdRtrmBs2S9(t|s_CaD1-L_{hwn 
z_@l%#YtA(})xE%9MRBNSER7{hmliizA2@JH6eVd*4pyDGW%&8V3@_a}^V}Dtq|&dD zygnVdm47#jz2)ZHcq5$1%gI~@MFw`^i%;crUZu2oO~3h3lq3cM-M6WBZHFgQDQDK! z&=yc8vS<(X@kpH7!8){_{EGE5#(VXAtqGV zi7P(M7|g&l?biq_}00FtPP%d|O|S zd4e`uBQW=^YTqpNVdm&FdNEqMA0_xhOJ^3mY;szZ7kU4KC&&4Gf-`)7Z{5PvK8R9( z7E}18(bL&mEmqq6ko}q~X}p&3#Zh}K0;$TJ%94Wg?lT_`Ji=)`%kWZ6iQwHyCt7zM zd;0#)y;jZGx00g5gSe6-=K_q5SDtHARkSDi4#XeUfD=MU7mr&j{yxXQ*k+!~lSKiu zQ%i5(Xm%Ifl`Q%R&@;MZkhjB)_R@$t)bvikm?=ft@|6ITH(=+0bOVqfEuwxV2zc#L zz+L``m+m~qV@A_>_UQdG$VHbX-Pp>f)L}nhpQkXYu>h{U?9)#^(>$ZL+Mb(7t{f1% z-)a%TegMM?(a1>T5^5NtuhhXZhR2Bv0H)r%#0;PN77UAO!Bi$BBYh!>{_m8Xx?5c=Q`KqJ=z1l(>}1 z%UsjyPB^-s1?uzcKPP(1myEw@h0(83I$ChN6a0Yl~aPQ3~+S(XM6r&-RF z-f{d=VV=@b#xAebOliUJl|8+I9mpIECbK5_u!A(o%>6Jgu+ZZyUb0O{VEI}zUap%PzJXR)h-0alij~Kjd%Cf$^bP`E z5bS)0Hjb`Lbf`sf>~-IIyrioXk1H($0WLG_NO{xLB+T*}f?cY9M$W2qP~}Fz1ZD-_w0y5d}Lr420L7BmuEqd|V$`UbFNxJkpwPFD;NkLuWwX zNt34IHNbFw1zsuwg51&VNK`LVWK;o$DgJ^Cn!A|HGP1J>_m^-2cE0Dr*$*@xvcT&- z(|Jd3pgLejc1F%ODeegW_Tozc8HUBt&tKGpv}J~paczQ ze`t}Og<<#8#lmpkwJ#ronBNl*do;$SoyuZsPV30sN-I}XdBN|@iq^mPRP3IYdXB7# z1WUp!PZSv}{$RtZp9y78D(!6~HuVMa_(v3UEduA1uFd3Y=F^1X zw65wDLh_@xLFxta8$&dyHWRV^!*_vRYvZa%uB7l!<(`WVb=r@9WtznX{IRo7JdHkO zGq-`<3PE^y_QqtXXw?Ks4dg{rw7i@=&5pNGw4_%%qvAZwECUmKrcJQi%*7s9i=cM= zO4k_XnV=M$5NLzCd?|V>1H2N8_i8aYd=v&A*30uCKu9ALgG>v%33F5?TKlvMY2HEbW?eqc?xQ1u#h#*8a*hRmI4G zME#fQn`1w@Ro)_XbE*eL&|Gv@cvs-8RM5npK)MN8-I`*7DB`R(2SD?SJ-l-yUKL!m zssi6|-%Wh8vQH&m9)u;JR4_v3BA=VrLEKEq^9`C3NV6rKw}2k$0)AM z?lZV~w3@oRIWI^z^~Ov$mVrp9&NB%@-Q*<1JDb>-Za0- zb~9sYs^ZT(pA$U9b<8KYBCM2qrhBdPyEh*xFOlOvM|&uBxFJpA5a2w`!V`9nh;`zl zwMpgq9ToJ#3F&LBKzC)#kETY1b(z=89y;6j4%a=w=ZAyG~Ba=FpaK5khw}1?ndwBdsPWrt@M0* ziP}*NY4^*yc|0*yY0YWaz0L!6;g5#~Pj8k2Z%7lKIR3PPNO9Ph-E&IB9a|DNVI`sK zDVLS&$lZO+^}TlO&Mb}ZTa#288^0wyTM!3aY=Zj%m;95C^_cOc>U&UcE;o-iJS_z{ z^+b-N&O$+q@i14tz`P%18sNoq>0tfs@7LO__+))?26N?CtQ{}6IQ)gpU6t=Ajl~WD zxUrNV&2>hp0A-ezFMTG1G7m}iA}<`UbH>@~x?Xwo zR?T?$X<`A_5V5wrft}C_kU{B=PiC#)7R@N+R2QA17D_buThMiTrlb 
zpRU|ixn{xV+gtqGg!3+JcX3J=%Q8w*6NhEF`wCi+l-!WuNwN&uH7o^cW^yCYGuJ4# z3N_)2RHhmp?#rK5)(eUH^Akjy>JUpIj>C{aRvt50zz?p^WGT&wqd>CsHe)^@948M) z{#OIS+^+dK>(SYTAEo;t;2B2{n8Jho$Ct&dXuML*Qf#DnZE?)%aEljA!eua6T5fVI zj@Z*^FsZ||O?dTQ+lsH%P60t#f8yJweX2?7yO5WqRW{4-3iKG4JuOPS1uPI)i?)3K;CrL4)SK9y6TL*Hs|faFN`ekm z*Oqjelr0*(bE_u8(aa|_9~f-695Wp`8)vTScxU*dGn(;Er?Zj-`Z8!-xzO`po9Tf5 zIv2DgGv45t{cnt1OAE;AkNn%fKOJ>!t6I|Pmot#;V}J(AW;7DveQy}iCWEG%apEa* zF*Ah4UTX+%JFp%K#~dF)JxJJVP~8IQI8E?PAc@OOs-m7z;cT(BMg4&#kVem4F5Gio*WBw|CmIISl)EGnGf}o>fLY$Edvb zotS}(9qT<4*yY3lDvlNwy$R+qr0&3C^9V0#9dI43u;!9Mzmn1!uOsJEk%o&2&w~k? z(SnvRCCvyAF=|}bv`^s|#@euOuEwada?_OY&2ge8)i*Y-&X2|-At6sRN1P}b4MMJ{5R5WPlZHbDgU_e zTCaf+$gH?xCkePfOTyNbhNM@F4t71?E4p9?JV@#uEM0vLZ6MYO`} zmYL(VG_Ny@8dt|x5mWrck|Huv?vtO5Y(w6omLpoD$Tm)xv&p-eXZSC|&`n03#y1H{ z_|qeNL7QnyBS&+o0yR!V5YxLWU4`lW>}u4ij&XJ9F?ZmCS9x8v-s%_pD(zI8@={O$ z5H-%SXiPV=rE`wc#d8i)js( z!6bx;E@f7k^CG4PrgeW3W{V-o*FpfzDdA$O5oJZox|BebODEb^XV%0uBIkrAAV6!_ z-2y<5*`O)l0v3_0aq?lh1)SV`vIck49QK71$b%D8f@Uu9&YL>eReZ5kh;0RiKo5+3 z8e^~x8wq=%qDs^^3qv2CA(rf2KOh9|v{DdG``hw_Bb@HGdSIWchLgCGQ6$eY0ZD$R z5H&`7%%}}FU@cDViw;APwie_#GJ>-hC|3T1Y@8uGykLMIBx&J~UmyRw4BNlQy#4)gQ_OncgIK-;zOOg%eb-gm z@B!YL9Dww|{97bKHAi-9!d$Gw3E;Hw}HD}!c|-~$|j zB*hs(RQXR~>7H-68+FpEo+8B0Jm1eG<^R(p%TOY32~vVW%?vKy3K{JLB%i~6qgzhY=HLACaVhUC^6?6G>cArsuu3CqHrx(k_l$P# zEuCW&z>_3h6R_YQt4ne<2DN2*Ag|XJ@!*PRV)J8n-_3%=#>#tbVM^%s6R7hECxfpn zErIJ&G+`J)PMA)Cg`QaJjqYr2rdi;zQ!vQVt#2$ z#8goZM$fzROhSbNjmyPS#l2Plo|Fo!wIiK z_+wV}+G}}HkBD($<^*|e#;VLaZz9|)LS;}Jt`H%$>t;$0wHbLgJWQ*Y)_jk8liGMN zeh*kypckPveyM!07J&By@nc+cnIO$-Q#3L>R}M}2hV8vSmc$*Sca&Uua(<)Y4BIDK z{Ina>p9U||et}yEL(NZcU%OEHpeY1AsRc92<`gHz` zYSeU(8m;aGOBng6mL%Um5{pCekM|*8M@%VA9Z|>-rvGxuKkP8)Eo+3&FEORyyvz%K zp`J-a4J3F-jba~+UMj(uR#b)FLfI52ShjACH7$v3i0xB{4O}xXn3>+1HCTDNPVo+d zvME5CyZWpZ$PSLRJ>(v6Zu>?(Tn0%T_h;^_xhyL6>xgMrN#gL%utRNIczkBP_!+Y_ z>lJMr+|DAu#`kP{11}#@RuQid zIpsiW9SyU4VACg@xnCA6W5va6Ri-cvJHsdd*f`ThM+1aS2d8xmcX_78DE>Z6^!I-LpUWO4 
zK7#8&(9Lcy7pC%$06s9eCgu7)Y2|>le8`4uFtN9UaP|Y^C&M55cduQByy`e(m7l?6 zkIEqFlgBT(=Z-JiarMzyJbuM9`0A`7Bb|*pYqIxMMnUr%F`qf0LVMDi!2g@$e}?7#i8j!3jPcF2#7Kg zJz-u8Sbr4wyDP|lb;Ccufzs#eKg;j)`1w44{%`1y*BBMJ-U?8Sq*w0(Ao8Yjx){Xi zZ^}Sc1S>vN9JW_%0KYJ2DPly%4_+0N#rD1|*&Fuu2UWkY>L21LitA$+_Y-(LBN zU&JO4B>Y$57I?NvRgQ$Qej zH&RVSRCl+L9vxe`7a@sv=$)9>M?SZh@KnF`b*$=`9k4g9)9E}3O#}XsdX6y#K;2V= z@6H9+XruJ4bsD-&fsj0qT#r9Vf&vFrPAO2X?2Q^p1@4Rj1v+UAGZq?~TRPcXZm6TJDjnV&$kd>A;=9|5RizZicr zaDAZK*Gh#I@s2(FC>Q2C3StQQDPzK^Hou_B1Cyq>A*;d$F%_SbXrJ_{BI`n%(+=ec zXGOqcuR@$~(p#nikZrm1KVT2VplGLV*CxJ!m0;FKV*s7>ZGZfIJYIw|nX>?8QO&O$4a)`%J?vIA} zT-;kf-I-ZK6Le((D8*;QaGOxzA<^DgmneRPbYU2@H;7sNL;XDJ7|SXX-erY)6AX*I z?B0Fy*yg>q-?qO|wr!Qo;4u(q&v}62en;d3f7`d4N67DkDwB|<#V53UejoMu#9t-w zzgIlUpB8##+XI&pgoo^y>!;vxnv@G_SZu3IC#KqShLfeV2l$hs57QXNUJLq$mzUyx zcAK3wJ`~e);fMYP`F&tP7^zY?nkOn#i zzj(vdmaf=1j40TEl@BM>)<(St+Io5ld(j*>n+kyQyN~F?UHBot-<@d(a5}>p+RP4b zno!LEB*RVy+RdV|5;6H>r1V@Pc4S*VvVtN?{U;u|CLE^()>iZjfIc`?NS<4k4S0Q8 z$hl$3c7`(i?s*>E8%UQNNBzF>$D=GzN2|fwwx`lp*fyVjr}S zxNX3U+ODC`G7w>&ukFH^g!!r+AbH4+nNJ|kfW!AaKU>_-e#ZZLKjUBJDq3!@^8JH{ z`Zv5&P*lR+;ykabeplAiBqDX>R9FSEZkcRIcoS>$pdY|vm)jaCIZUPywkz|sITITi zPW}1-9XRsRYl}U0T6hy<9m-2v{M@Ajf^}7{fWaY^!~v3JVgew@IMwDQ-WA$ZhoC#} zr}{s_}JH2={xq5FUPAj;3y=GLP|AOLZrZGpZU1pfL6$zMJ^K zD^TpIjH4diSFfGyGr(2oGFEx~Bx(}x5sMY7?avG|ECl)e=rGEOjaNf3G;e-sNiwK+ zgbV>D&L}A20SfLm(fgJ*R~S4Xma%7;lR8H57Mo+F9&B7sJ`vx?h$^16Z{yy38fpFB zsBD<$3=5|NVFUKN`QJN{?gcN)Eut?H#`-#6n8}K)kt0f%QWgs&frk0Vg=?PW#gIEjby1nJp1-{A;Ynx zB>MTMv4HfRL>_E+Vwo#gi%~beEG&#~gO$oHhe>ShE)1+Ecz4df=s!^d z^KFE8xbXAo@g5ZpDh9njy-O-?FyAu}ixXh!AoLk;9G_X;e<_lMS|vFtTy7erAE9|t zVorXsF<7!iKwZ&N#pH)u3K2_U|1_F0OLe1-jmS+S^OT+FFP~a%ruN|Unpzs-O&^TU z==KMdkU6M6+DpPZP!Q@eq9<&@32!Y<4Wl`Y? 
z_Kd1jzp;5}zB;SoesqIFibCw(tAOtxK|ef8i|T>eBJ`cYbii&^$ z@7{(sjVc?IVF->60>*#_=^&9IS+kn8qDMn|3yi`HyrR(WrQ(78@o>qh(VjC&ehKxc z`C6gd`xDr&Xw%Jwas#@#i;;HAQhHJ&cRN9?|H@!5tl#g!{4i@@C2F3^!5ARG4K6ge z7W7u3`Vt1kRfrjG3R1IHHPC0h1y!yD8Dhjrdwu|bg#R{j9XYB~iHun-2`PDBwFV5* z99Us?{bo*E_Wea4!i6p<$J;2VzulKbsCbyDXN}Oskc5tN7&N0I!vF_L+QmT3OCGl8K`RA zrgg@Dn^e$9VT95_g)WV9A5a%f#O;TpI+@kB_RFzfcsX7t2l=0;TsS~dplJSx{Rqzu zYq>g%Mb)6LAuC$ZF06c2;+3xIxuon~kOCq)?$vCYv6{^`H`lf@?KZ!Ss-R7QIYRZ9 z&Iz-TWomu!Qer^=R0 zEj{mO8a2~xJ=S=5dk}a(XTh`^>~|FrP8H9dd)V7;S_7{)3iZx4F~8Ujz=0Ka-xt|_ zB@l&N9R)cn2@Mv+vO!5UQc!50L-id6R^Gi{Sou74>AT4w)EAE9{*1I!ot2f;2S4r? zM>i|=N{8#k<>twlccQIrZ8q6A`sRPd5USzeK@bT!+7UHQmUAlkB`M)`{1X&2N2fCr z((Y&Uk2uN2suZD(9`)gauwC3c?U86~-<<$t^|5#Hot^cQlWe_9mSQO&qK|7N2**tf z7LU-@643r8WtmK19qE*=5H47L` zPKzUZP1|#4I?~F>4He}??H(F;xB&eYU`T8ru2#12SSgJ|mR36VBjyop(R>FUAEpD& z6Bvq-hH+`-Y~k^vHd&n?s{=ISKH}t8vd?qtrooa#Cc6#u@NTsW>+pmgyPr19>mhvE zA8UGdMT%}7U1(!`tu}w|o4C%8nmly7Nj^c-KZ_ZjxQV{f#U!prKO4m-bc6{~Ur7gG zETzyxG6NQxB&HQrSltB)ebWbrsDS~`{TJfo0d}RgYTV@4vKAS|#VLqw92m36i{s=8 zUAAcY={&=G;hi-$t82HulzzPZ-z+HQN3?b*ZkcWPi5_fTb%%$QOiLxJKz_b73oUNLjaWHptqoMO{)dharjM@_)uzkw_^{EU#55evgGM7G8Z<}mH)%W zngS*Xr$!)ybDF|@XQ3q56!?ty}6kwlKtH!TqqudYE+prXE!7B7? z2%ynRr@%K$D%+x^1v#*5k5hP6s8TVuV+vSE>J)7Z2z~rfxilNmb|PY!)o;1WU(!BY z;^%uNp}GR3v{!JqNYxbJb3hJPo)We(k%In!rnaL5{lL$2u^ z_e4`sgh#z2{tMU>MoAnw(%3{6d4n*$X5$GOK&VSXk{+7ZR=^yEkU?}dESmHORa&rO zvp?U5N>zR+zEOeNdZj$?Au4L1TpT(|KMxnwV;KJ*dv6}s)Vc19qgJU}#o1Pbcmza6 zNUJD{Axr8IkIslcGq$lhf?OQ~*{Vc}GXy1#jSeA-xvAm&Nw%AD*_TLE%; z{YujUt2NR6dy>f6Md*?MFugfm)g5?vSYch==xv1*;9fNNv?0nbaOm|?ln2_fe*4LP zpR2!}wq_H&i1u}Y9dY7W)=!|ZIlHA-72j{0v{Q^`C=x)GUTHFVfD(%7)sE?Q4Jn?) 
z?IzznSzty6ao2AHpCP<{9x|GEmiU{C{q2RjDIPAnnflHh`R$wGPye(3J1}|1YV^;q z`v2v_Dq8kZCa8VT$3Qkof2sD8(OmadMj`mEzI%1rOJexS+iyK){ws0E16@rn#=8Df zh0265wN*rZkSk~`fe^y%n6jjmAnA+WpJ#t7de~M?Wl}kyD5~;ozqXh1iA7WFx37Vp zE2_|JnJ1`KKC8zR5ZXGt-!_iFqK_Y(|A&@)|bzPn~ zQOwFCArOkb7>Zahso4#kTio_}-J(lun`}C}J#5NrS`y0TmMGaB=}RQ#+U}HlEw5Vb z+YVN^_mH)|6|`20WDG-gANp`O?B;pAFWn`f-0y4iT<3eTJrm~t0NZd{$m~O zKUr%2R%`o{zj3Uah^sADr7f*}ZQ1iBq#efdl_@8=!yJQ)J&cwjg6E@>9umt(qz8rD z!w7bj>!eyR$)K^G+iqpb8aBbb@QeJDqU4|SyRa3y$E^BNl>)l(&cKc7ga(NJpJBGN zG_{|X@~-)}<-!WRyH>pw5-vu2IqB!WOs*!&x^caGYPZb$R46vMgPG66J#o9G>Q_cJH{Bz^;!9BtyTt+U*Tzm(S(2NN+xUEM~g|PuFXlM^X%g0jhwJ+w~KG8;WLR zpwok%FA7?ji#4+H1^VCmhS(MbS1EKqB(hU(l6z$$93&yDS*Yb!Hk1kjR~3?zH+cMsBEbS@Ys(@&|q#H~iT!Mde&>6;}zduE)M7cF``rH_2L3lR?u~?gZ{sBR+|yr>aoq1S7^c)p7Z&JgITY3Dyjy znoU87&D%MF zpZQ1}#>3D1a9p*oKhkXHeAQtXhBjG(l8u)dJv?c_SO#6aJO2?+@<0Dvq7{rxQ{ogm zm1guZj!iWyl(=G0R4gb_HOq0Am!SZI9EQ^X&YwFcF z!9yf|w?KshK!v0;YKwslbs(0Yr={}R#XMljl6_eAM#Fhtdec|xu;-a=jg@Uax(enFr)iR9D)Y(_viV0Kz~0z z6|#SE{_J^%z7h`n;@<|^3=A;T+x>wp%;$qQe_m}TOG1rdQkO4MPyY1#MLW5eBGY}= zv9VnL!P3TLj*4--ikfYSL1iKGz=n%K@h*i&&T@+*+r6TpakMB<`^oeh17{Czr*+Df z#qeZJIWlmU2421=rq{B@&*S;6GnF*=K4Q7Bn_CJGqj*9jI4sRSdf#50ECemSh| z%zh!ZD;*V>V3e7I4*N5jV?P_@6R16HhjdHn+`wdNpZTlJ%9=bh5clH0ktZg&C{T2@O+fd)xqpqvCM4712Wf zJ38tGbI(-=25wAoZSJReQmd1wyTmX#(=KXvj24H%7gBlZRa?*!wedt z*n|OoyNaRmmoZ+aZ7@b3GwV;S>0}ib7SnC$*1_2D@k;%uHf2eeQ~#Ayrv8+B)yXbS zdqhJ(g9a!bEN)Hr@>~*~2C3NFFM+@r_@jQpN;n~qH57>Pq*xV7fVOs5Q zi@pBsy2yd`WZ8#+@j2_JH$F(WE4?3m0;*r+_5g;k<~%-tDCq4kV=S_~+fwH0ZBQz0 z=LofO9bfC+t^m#3{@&*O-ijTRgKpvt?Vr?|BAS-2cW!6q*obrm+`$c^(4&@wY!qpid0r9@g!3r@9;erz2{ zb>sFGawPizpL)=BlbPKILVW~Bmfj|J$lHk1v! 
zZ2^g=F=mS6%<#aI3UV5XKkG#2K1yvb!4ky^yGRR*Hf6=Oow^&9EcNj^N81AS7qX;2 z$fdCi)54CJJ%PJsCen4D{J`twwPb^vSIpsn=p7R^&=2_Q>HqePLHyYTkB}vl$1Yki z+lpR#LCJvSfz{{PShIoJ#BhycNwjnUPKB?rZ7#(Rx#&qN3?s7sqrSWGXv2|);_pZb z;yAia&7`yw+HF?F!6YC8u<``g;zJRs;g5hliiewLX?G{8LN60+JZUK>uPU`R?ch{6xuZCg|J|=B zj>Ec}Fnr<96fIV&I&@MaFakn1RauX^Ead;-*O#3$TJ+d~Ev}-A#XGUjtqhg9zTLYz zhARFx0)HEGdyGG09Dvt9k=8hGRD0l0=7I)u`=3f{tejl3@K2;QZoEIe8qd~%HRIQW zY1G5zY1gI{vdKoM0|W40wJYtdJMzCQh<@7o#w*;EN_1g$xumuxs_2xkn~p-&sr-PB zOI}k@Ri`3-7PNzzlUb;|BuTv|-?GS*HLczKvq2`cw^H@v=7-?nSU~1AaQRFoau2KT zx0fZ6I9PT68;x65niBDT-gNK--qaCj=heiss2CeP1Zi|sDO)Wi^q?VHx!a$qRpE*k zgHIu|Wy6Y_Y8yi6WwE>t`-B;Cp`)*^Q6dpt>-A0DCrWnC16B2eoh`qZbG%R|lyj;d zAS$~OL)B|4rt;#1J{gbY9&Tx;1qIBP;r%f>H5==3%jwBFURI7C15R?XBZ+{X6e;8G zDvtU0@}zcVNdeOrZ~`0D5`uMy7%E*02I^mnFSC9IGEQGI#P-WX@Qa``_i2K%==GH@ z2Y1fJ%mfF}2fPd~#-$;#&9Jt-%e&K2z~6Q|>{X^X8qy!&X>ep%Q( z55_P6Q&xsJ=81K_p1Xyo39Q0Cy<}O`GX{58s)NhQ<`|daZ@NN9zIA-~?G{Md+fo(Y z3D)~SynEI8Jv|Mv1^XN-OAVoI?v)=y5v0ISJi=3cH)(IU!L{C)7u0sEe-6t2J-%>C zdRSkfn|=0Wg?{Wgm!sPCFJww7Y&Tkl(Q+SN=QBN#N0wd^d15-P)7o+87{U@Y8zsB1 zx*eEi5XuhS9r6t54zNW!iw>0Us)HK)1*&y%)N-t$Nv|Dqyfx^i%a*x<{U%9?j7o*OvKGErb89w?)V>ch^GG0I(5%B%BU^F zP$`1$up1u^q!D4c0-HP%l!?^h`K1Gs%~z9SFdDoMtQDecb>AUan5sQFlFp)BuK6Zi~Y=wV=pX=Xr5~T~UCg z^ib!)(#DLFR(B4*8j!E}#;_&#)=un|=WoK^IXma z(QDt5@mAwqHBBFmZLr9g_ZCpEu>h<)=M-|xd3D)Vy27=5(K$0tD5vn~*Vn?BDvHW9bCU*NZp6ujYQOGFys^j4gxy6Ad0HQmGo1r(H%&M0CS{An zE5>6ajL}BkBBeHeLz-akuuVN>cioMg+BK)^9{1bk6~x#k)=l4_Uk{kUIY2SSXTVwg zjPB)04~dx(^L!6w7F#Zz+g>>(^;NXR=cZ)dZNTvWzm8LSw+%6J&V?j91(tTH<%25V zY4QtnugovWW8IJFD2kkw6rk0EKz#mo$Rc4%`5m>t*!498QjcLMeqwrmF;?{;So=G2 z+beDm&mTxku~FGb`)>3GSLtIP(KPx$V^-8 zo@r`s_roIi>&li)BxV&CV9P?v;+AX|-{Oy0;r0CO=zj1JAHa@}1BxnbL+quNhr02z zUO}3aS0Rp5>RF|`HC4KQfS%Y^8f`{;#ULb6*evXN?K92DTFN%KfN5bjhN9hA1Ab4k z;xf5zIVIKK&7;NKrt8y1BO=26e(2a$&i;vDrN9psnO#!GHfMAQJ~(%vz<)*KNWg;% zMwRNZL$WGUKhjJgBq`W3%<3(j zk_MEF7blobeAYv@7NsJ2uqZYqgOugI%6+Lj!TdI?R#QID-A3AQ?F~w{E13**vQUSl|(Q*)Tts_UQv8LTz=NK 
zw0V1do}pJH_b8th2J|98yDZ+CEM7`e;H7@fhnqNM<*@>p&%Q_gTH=TZRr$A;AHQGJ5x z(MX)*i@4M&my6vp-1b0a9#4FbSzTg6e0f<&5*jMUqqns{?*I1~@gs$u6kjwJ1DGlLB~X=p7$L((yMM?EtQCXcjxv8Xs$5j^$mUk64I5YtiRKL?)cUuDR=QYb4~Q=z|EX z2OUNR6Tw4q=FJD}=>Z1y-VFMD-viEvHIDG`2IIsQDihKjp*CM5BoQUw^w3`f+c1V;iLo>A#A%n#JQ%R5zB_)i;tF$g z)?Rd^M1j+KJx(K0p^9$DT77gxU{V)mHm&pB9=c5T<$KNKf1)fG+if|2P>YwObrw2yd8p) z&E4cj9-5t!(9)Ka;d7Gtt?jB{f3wClR1=f=uJUnfyO^V>Ap~KV2E|Wverxsd``1%` zZed$%@iu0s{rGdt2E)LWe^_$|Cd4DoY@qWxCZU1vqBRNhL|CX_}3Lvdrfsl1>nX6X9JN!3A@PZq! zOwzIrwwjG~-%r#-6=Maal|hZ2s$K4ZMx@9lu4_^Z8M$tVA!;RXf0w*V_@AmzCvEfj zmX@FnezG3OaF5LMe8Jo!G+eKCaXImLiXq=3E>2gKbT~jU zyqa=RvLRn?>ocFWBsSZ-$I>-N5|t`1;aOgPvB$ZbHBHI9Ja-@>jnwnnL6wQ0r!@gU zXCX@!9^Bk%Yo6H`FF&2FBTl&E92hkg5T+O12K9m)v(3XtbE(12=Bec~M`vXPTpk}6 z>Gr!`?=$41+~*0F(oZ&&96BkM2xO92^0~`=w4it722@^JngaCYW-xBOF_O3#_LRqi z81vYXUrVqHTuw!$VxbQ0#{44RuV2Z`qPQfQ*7ec_DlRt~QAM9uOHBM_#@2fqy9)7Y?aRF*aw{~`OB?u@QyX2|u2M+;jsdY_{NSCG;?_tu^)x~9l zGIYX@5@GEiWV zSMF)bac-8+IB4$Twy0q4>n*T%g@uKb!>d$0?*>PzV0?JdIAxB$0BKcLpC!?BUBA(f zv;j58Q!Tx~psCDJIlH-YbqVCI&FG3QVa-fRHZeZ7$o~hwYS$a0o=X&r%{bN=!#9_+#E-HOE;=cIwq)HwoO?70#kZV z`vyicX^~)B=-pQ*DaT6ruW?7~Z$lkS2cZcA+3kSNdVRVqHBU%$p1h4xNha&Lfv)Kow%oe-F8_qh&rk@b4Nc_MjdJE%>?yxJPR~ZJW zx>3~4^A=aSv__3*mvn3zZ^J7*M>!WqGnEpvF!!agJk9Gl62AUfvLPEQCAZs6??$h1 zB;_8&%^rJlL4Kx2;i#fp=jAH4!EZ$WLyv2y^2$0KZgE4G#aD>0=I}{n(h;%yVu#F9 zhWDY#U&P*X97)uttAf}TdN3>vv?R)Prvujo^l}Fm){46Y8$@kZN8?WosvQeUp4`Szg=O+&!b<)#nIaeMx2orJ;LSkvrFakQeE7>G@1wG02GAvAN7Jj02bM z`ms_o-=uz^?KC9EDE9iA^rQD4^^pj;2P9I9A`EGz9|OXnraP+GDg^~y+w5XT#b(D$ z;_&Ez*v~mL^*SQq9tL4OfSJvjd?GL-cXV#Xh)3S446H2mL8ZHgYbx9}Dyxc{t@Z&d zR2u*`p5ST&$+LA}(47YJd7i1Su}_Po;TVqhaBNUiA!1dokOIzS-);t~I?5dl%L*G; z6rkCUdK}6;+;vh)iqJF5wnds|oLs3USFQC8b;&8ZG$d@_$y;-y{&eD+8|7Sn$*LPQ8GWPib&``-cHK_pvu+HTxb_qT zSU2G2cwf=_n9STx1HXwYp-H4dFDnAuLLUOzn~#Guc*Pazm77}^pj(S*p7^Uwr!iR z4w3iUyQ~z9Wq11ruGZNrw7xUGS^uYdBp4}hRqS~C3+u2?eM5H$re>uqRHE)V^)Xgt z^QP%~(T($~ggQEe0(uqT8rLAQu*>DQfAl`fiEHV(A3W10R{c%X548H0Z@J94FYK{- 
zqw%1{3D_?6Qf`;HM4(NMY_;`3o{37Kee6ixs0XnY?&Y(c67{__`u@KNhyMmyIsX{H zXgk!8NAU%%m4-=CCHD;FC73H0l}^<-vd1p7coPj3<5qL5kX&3<2o`T~5Vpf+`>_gG znMckB#v*Fs>JivrPq0-*8kINmvWhh`97t2D4(X#Oydn@T>@#}pSo{(!E`xN)IG1rc zX6$p&C<<8{u`tuS!{R{m?%?W-9%wgiSRN#LfvJd;P)@mBRO|X5l8%P;r`9C7uz5Tf zRIeo;H`vN=$9X27oagAgRexQDq;_b=UtT4CUncs)`%LQWgIm3+cVEBW3X{~eg*E`# zXA{C$0!-fQJI*J>O+s@=UzcI*`^WODXRQFv!p6>TTC)0$Mz|?!ggWo!0e3J_@gZxf z_!FO>|GmcGjDJ*;G>I-NUu3oxa*~1~D;%cCirJyixfE)UTXcXPsLv1z<;8Ph4!p9{ z-ahSkY{}~FIuS+1RD(ojtOECf9wgIOV}u)kX>2j&Av!mgHPh|f11Kq0kreymPerpq z7^#%olV%|O@phXp@#!Nf!SZ$`b;?tI%S|BrDuas0!kJeY$9)#N81uQ8u`*h^<4Jm; z>&b5|ayJv%w45<0#0}4j(5@(&)fD$5c*AbJyA=s->-lC)tv;9qh>*zpeyg{(Bwd3i z8hai&>nGT=#ov)$)q@QrC+sMMTOzx4$6klK*DJn{A@5dbUSl3nZzLhtU zZ%9MBUIpyw4x4a9axIr8Y=8-6uUnoKOu2I4tnv#+`I@*GC_`4=BatUOM}!#4P*J!{ z1k4!ga;aDSsMk|$&_f2dw}V)#x+;^L9AH^XFi>6dxLtPF>In6Ys&vTx zJMvm`Ox3F}C!GZgN7!H1m73dgz|*2QzgaiH6VQVfml=a|46pY<;<(>9$oQax)Ok(g z`VYsF>)IcI2_#_R>rgI}aPz#_)mfm~WlALQv1_1KA1tqKw@z(QJP1YcFncOsbqb&H zb`I1vd0%KWEm^TpM5rbdWrsUH{6o*U5&+_}z~o>eE9r$Md?lH@e{8;w?YC-G z2rQss-h!FfMQ~L-5DF_ZVMn-__uE5O{{DOuW$+P$C0oOi&3S+H`%!y8Tj0TZ|CIa^ zZT=sL4y);5tYcbI62a`wNnC5Y&nu5x_k~zlLC_Q9tFq8fo~{eABVSpYR{8mQZ@&P@ z4|={hLm{;j%W9LB=TEK;_h7kOwiuinPYZmYi$Et#E$-?M|EeLko5S#`#TR)Q+Al<7 zCN~n1(RfI2o-}zZnAGa4XOBJN>!x^~f%0N9OKHtOc?1dB7*+#q$jb7)q5~}R;>rZK zhcBBX*Oxx(xt*xVBa-ndRL;g@*P9oD!@vz|f%dk%f)@8#hxY0V>`}??N((xtSQ3gk>`WM55zffhOm^^n%C^6sSMRacn!Z;1j!s?EOs!}y z`q&D{HW>!%Tv+u1YF*GcGHt2P5}&xuBUUEHT()Swx zXP{gZ2-;CdhxapZMww{ar*L&DEvCu>5+SW9ZNK{`bo2#(>|k50*l$>=l7S(Mnqb+3 zDH*_RF_iScDOQ^U$uLGOn!g}`!HvPBYGyeR+{e|V7a}yZ?Eyq^ z&f9w*{O&xU`g3u8K=UU?odc{{*o!EK#hUa@~JU4A`$yi8LnM8FVe^5peYn4+k z2hCDlZhl0Z-CT@2)2-U-@-oAlwdkZou2TAZ7)L3d({d_yV}}sR6|oFqUFmXW$~dbv z^kMs2KI;P7c|zUEexbX(UGtvJx-T1kY)*P?@p+Th#2kv{JsXUIZDXd$lW}=|A8ylfTU2Pw>Qeu|*Rb|BM{HQyB*C^8G2erGUEL^Z{xF zrlb7)rMK2cj;{b=b-U}gpkS%RlQP{yp>;l}Rl2Qf$I>yNcNmR491SjsR5 z7ZcStiyt+YuDvuYj*QZmp5|9}m1C6+NSB@a8HPc9pGq0JN=O>U?%hY`f~6n?+fF^{ 
zH-fE>@I%%;gPi{QEjJD|M#bzyT~%>aGKma_T+dO3S4bliC|v!cX5vN{^s#}MB6Xf~ z@KKIp-wUilp^jl+AZQ;{77x?YU`rp3oP9^!%12MEA;?U9LY?d8Ls_sMk!}rGcgx;= zAL#LOu(2**Jgd7=?_NZ4MG|?8#(0o+SoKY@&7m&FT+}^)QVaqY$-WM_#gDRVJWwp| zi2gVFT=xerf_*_O?14;vz&ljAkmwfRnqfohj5yp}mIQJFah=1h9!BNNLw6iY=&y@{ z2j}<1^rJCVS)S!6f48-}REfGC>U2IbLNw*y^mWl}46yS~YquXk*NuKDN(Hj)Yx=Xu zKm9HKiyv`cg_2Mlx1x)DbxGfYPG|Rrp3r0f zmm895D~(ZXJ%N2fe}RR1wpfk5ex2CK#OQ@I75T zUzKuON_p7a{$WX|;>d{b4kD2`Voz+Yg^8^IPUeQT9uSJyMsuB8qo`8nDk z9R0}V7m5Tisg#VDDsz*Ee371aHPMo;h_%_5o0FCcveLS%=%Lu07{?f!`fH22I^gyX z&(*uAt#X0~D#Nb;|Bx|9`elVviNNQ{OuE*fTsNJ1yQEILij}Ybk|wB}tQVlDE4&_L z>}zLPAkYk%FkapLlsFq}4|LpFm{StCwhIB~&(~IpLcJCt&6`8PYLm335q$C!J6+?t z%&}XI1Z#J(^Sm-!g~5}=j76nRr|I{|Z527La+b`^4xR_Kpxb5Gl7lYWOlSiMF~p8y zi>04!_%3Lfqcpi|Md8x;X<^gSZ@bu6o-rtSF~3r`idllSvrX=BrCR0f#-U~FD!VQh zZ%S^Jes1Au+wfzwNOG>r_44M_1VhH=`%@(T=5|K-QOfM}Zt{GmAs1~C0qL4Gl|YF1 z$WIp2Oce*ATlT0zACwXRN+0xMaf&|99Bk>29$jB`Zx3opARv;Kv7`_(PB}+XO5Kta#x^@gx zN30C#kHroVA=R^!dz`Gq{R%#j{n`qr9G4Bhy>fVV@v37rtbx_3Y7xDpiyiEcCCp1o z+O5*$F6tcL5O}^`uHQVoxX>*ASh=TzWD!5PSI_}OvoZU~(bV9vL>TjE*rPXpWR`*;AGcZdi8m;W* z`3S)=R3;q0CQa`e-O$>Bo+lU`@}ve5lj0omZ}M5!mwL7#m6|HANK+7y_;sTEto&yJ z%6|;m57c)>_x?=2@6a!bfmeQ>VDE+h{w_WDUfl4v;*$T@2srwuURb|5@rc-^sId4x zv?ADSPz2=cJbLcY_aDVnKGX$|M zTTxt0)0r4@qt!ur+TXnz_hg>4Q=lY2M1qc>EMPjgZ}^m>x|XSAFBfWAKyuwg5>?`` zN?Uiw@-u<4T$}tjiDxTE=9#LNkx`4Z#901VKfs;AoJiE2d9AR%Ljh#Bdu67WQ=B$Z z_(h(Sl18aaF<`ay(+_fc%n^ABL*4bBb>&g%%GxfzDk4ASZY%r9X}UOlrUIX9g;Ra) zwX2FBSH9pSVR6^y53>ToOg03DZJ+^e0<_tQnvk`nar{`3Z9#j1oN(s#mwX3VvkRql z1A6xE05aPfKX=eCv$}}1Y=&qH)UOM z*q_oLIx@y!*JX~}5Md-}>M0_L%o+plm55$USZmfzOdo|dUHj9#r3tG`Tm(9G6lu)f zctg>$`$aUk=^frXlJ^GxR`tLUOy-BHHOWcG<7?d3wCNRHS}fAffy=1KD^eKrc%m6X z?u)DkAiXqK-*Ad-q-^~ITBJy+!mckx zgf*SYLZbnEC|7vW4kw-k9O;+0nNi(1i63r4jC@BQKz}#O{$2N7w*UiA_fB+lhre$} zRGkHs&}ksfL1as(9&O5J+}*l3n3n-i4hkkuml-3=)j0FZX{Qd%x9;({L>> zTSkk|XZDq6o0@gEQG1J95uefrTA`fOSA(ZTTb*I4sxgwne_-84nwR^t%#L&U_k}<+AhIVIV|%<)U%ztN 
z5jW?xr9Pv0o0o97HmmqpGRIL_AgE!S%#PA&AF_^sZ7)#;@CIx`}G+SH@C%*TYg&b*{{6UUKJn4?v@%2LwQ zzQGSyrWqe|v?rc8!cc{#<2c{K%_p)!I1liw0ku9GJ^}WnKrQ&U@of`rY2K_!n zjV#7ehQi>KFTE@dcS`6D6Gv!2VC@7qLVJT9qn;DQJ96Lt5Z zY*>BG)m=)@$+A&gKj}M$h=bIqdz6GRm_JEY+iR#4(?#ljC&De@rqp6ywD;%vZyTRw zZ&g$rV)5ecJIAizDs+su45SY*-;H94?!W&ezFX_pxW>hR9wyxQ0ys+3SlG3lvZgvZ+Ze&kWge^Xw5h-2v(u?b!jFly`a#>~ktJpos^>BGQVQTnmpOg( z8%n)|F2nF*(p_g7`c3gx~b>j-7 z0j$2qq9T^(uJ0yXZe=L1*fmr-1#9!GxQwmY$z4$Fc*iQ`q^@ow!D8Co*fjlk?KaC^ zRr=BCeF%_nr`W141sM&Zb4j%#S zOl~sO;!Gj&H80m$;PyAHw|1P#T;XeivHOcr?yVDWJg2?nAa9N3MLOf*&~hC(%Rha>(|630}u92 zhfjOlJu8)jF7b{*6_cfJG+d-<-8Pz!{0#cTa=Dtro&zkZPjKDlP?9371fwCZ=mFP8 zxParIWJ<|I0x7df(ES)&#-GZ%n(2MV^kc7*1Dl_X?v-ys=wC)6Z51FL10BcPS9qbyGv$Xt>igD{l`m=9!{Xh8&OxYF;y| zuoj;=I#Fd`hm7A@7Q&7)q`QvQSs}ft^5?y1=Sk^0d#PrZmX>vQ)s;*;5H{8fUz6qi zz=)aa8~nsLAVN`V*n$W~qJf2z_1&azycL>Kb|?FiazCw`IZGO|i$SV2Y{-bN@z3i5lM+tUw@dSn}=0J(>fx($jE4^Yn%v{M3dsCVev6RH8XNOWmZ+^ z@Z||GY{WPv7yHR3?G;BoWeN%Kq+nB~b8jJ&w9(~~#V@bz~wIn(n-2PkWXr+#WDjs!> zFoI6PP^DWJdG7F%+t)fNq2k??p;akvTxx>}L8i>zIk$Zy3`KIK;n?sXla9;B1qV2$ zN<~jxa820aSC!plEn?=+x8e7t zWx3$XM~`$OSC4#y{N!y5OJdF#5#>Je?$M8?p`Mt1G0Fu+w@0jdS|ONm!0zDIM;LOy zq1Xr{F(;bCsEOnBbxw74%{)%YT_jedV&kh~s-km)76v^-W+5l=;YkbY1GEJ*ov`Q4 z#5QrOh273zizC*GHM&8nFhW%E*;5Mau$`ko8-8;cs-yghAMt`U&%_j2;^sH2!7sI( z@{!y8!C0U8r_f(k-`aLRR&Gh>8x8#63WR( zn`gl@ergE4z{)SpMg<|AL%y;7W!O?a5~|$ep6SvuK-3MfDQKsQY6jgkuS1WeVq&-% zpm($LW2M?d97(HwOxMK(t}kMpFtQI5ZAntF6)q~quwF=jHqsO%q_=$|?1?;#|gRqlc7Y96)krqA;Y5-F^=HmxTmJ@0?! 
zt1Jh_Ux-*P&i3aa+0*!o|4lk#4gGFck%`(rYzr7(zY0N>220`DT#*9j|Ed*I&>1IX zy6~j>0RNMsES#jaI#Tq-u;L!8szHt2e&sWncQr)MQ^h*Z%Yi_CT(|czO)ty-H&tv{SI6k+n z>Upy7G`>^wZ~n-)c`K}W@Tcs+eY=A>_=&jLQ7I=K2L0^B-p#x`D`g3z)Eci&Oz1DC z=`5t$*VR4VNk}V}n#_MeY5{-<7YCT*{#_a?Ggk%R(U1Jx^H^gObm@ewTh-6*Z5%~9 z50u<>ayBTr5N+j(L?JZ{RKXa1sfld&il;oL%o#REIUXa(nUZc<|4tCsWDFA(4d-w( zinrc9F^E!cS6XC*^{uF^e-VRC!tR~lBsa3Q=0hX(pigsbejV98HTC*t2!rM&$pQH0 zVp4JiROQ82?9E2J5)tUS(6})>D7-H2vBR~j&=t3u&XSHS#kR7PB6RFj`T^E#?*|J1 z#o=s;Uoat-WgaA$&r|=(OngY*%AWc?89+J;d&oX!lHa3WZQv=4<<*e5QW>8PfY)e`1B7x`<+a*nrxFF zEdjF4$48>wZrAgoH`ZFO%ch;zm~Ca47ts5bNgWHU3lx~tdWyxP=uxhMn@{tXY)0B% zor!og%qccm`LOHE#*=3rSH$m$zm^pnMjZ7%p-Oldxw7&sp?|R*kvZaapv?AGO4TYw zeWIEB=WG2}ZO-#BYg|fJ8X;g|#sUkok620@o3w!S0`2w}Rh=rgZvukX9P59hp~L(F zvdCw^xb_5TPMj+1lIkAOi5a>TeZBRKMqV=_js(`nmZ&!x54+!JRO+(j37vS=f`uqQ zDfNwp5upHE$OuCQD9s3e8UI4UTf=c5j$kJ2C-~(?KpMVOAkk0Hl z>>{+8JQTdqcshX9vO!IK9wJ?e%9g#+*cV{%M&o8M6PpieqrI-zpkkc^{%|wp{g_4- zNYd1TAPgG{bNFF~bP66?a$M5hXw16G8aFAxH0hWbNx5My01ZW4sV*XI!*L)%R!t@W zyN>=wLmxLpy}%mZy&q2M$53VnS--zjq|;s+gI!d?Kxn`vceywI?rLG6o>JtC9pQxV zJZUE@NC+6z!KCjv1N*NKl?^`*3!lM~lJ|lAa+2NeFP8M~-SA6&_iFjC;3s}QjCS~f z7`qpG0&dRubewWFqWl(3E1d^@K$dXI=|iY6=Q)se-n~{>v@g1Lk>!gg*vd)pM29hL ze}A=@_9y6oGgYaDQ=X=e!j=a6Mh_IL;g>{fO_)8V$X7x;Nv8!FJ3ynnd!?s*^Xt17 zmmB5=`r$trrXQN@;1F2s1cL2aW2BNG`2DZ4MDLva-CLdu11kT3j%nhsok#)coD# zWWJxA|G%G{xZls9^+Sx`JxcFRAXPF0VuU`*hfR;r61y#hq;&gKiqa5b$#b^R?;oV( zcjr*azV|czeHi}V5{CbqXZmOLK})0&_(R9}Snds?)rPeK*zPtL_-_585N`0X;dJ*Z z+URM$dTPNF)8l4N*DpUKTn*Ohb{fK3a3+prKcZt$1LO=rC&5Wz+JZXp9XD7Bh~(DH zTLmIw+k@j1MnBMwY^*sG<#PH6*}USe*HCAJ?eP@vl_kvnzCgybBZRe`tGYic4DvK@ zT>Uc5YKQIW6yDif-iV}lZ?g><2j!sgDY6CsMt>>Oy3=1;jOgBKx<@*qCv#f|dU>Q9 zGya);?pMaZU;20dsP+yU@+f&t`?e(ky8fl?by9UTVu!h%CCZoUn6z7Eu{u}g1tTm| zj#eDxJi6*8&ZlW#$v32VyW{0mw01LC2lxB^p|kWKXi?0w|4Bfr_KwC|OcmrBkNc_O7-AAB#=W?~rh+K#OUIm_fr|*4DC`0l2U# zPR^$bUykLrtf%!0PoFNWJmV^QqroI`UC7%%P^@c$^z2?9V>+jmYKwI#z%5 z1VbV$-W9Gfq0)XTx4q|UXTvHiP#Bk7%NRUM$H{f-td!op?Z($kiua@u$bBS(`e%_0 
zVSWEy)3Ib1vrzr-I*@hp}YdY`u^68vE*h$a`tla(r7EFO?pZ} z3K051Ke@PI57-I*MJT0GEjM8c)ibE^r`*w5zhIBE;l{su@W1$XlU`J)&8TktqRH*0 z^;VnkFI@0}(X1c)q*{9~*%wz58{M;YfW>=s;^KA^iGz>Ul_WgO%75fD+` zu5?S{i-{}g=`)>)Q)7iSzN5TTNAs?a-B2W8K0D`+fhm1gFJ$w2(kSgV7sm=sPQHE( zxDe?=p9Ay>nQgag?bkZ)m!eWJIHt|_<7+JJjx|-p56z?-i%C6HFBJ#HsXT8xTbqfG zUCHZ%{9*bB@t&&Kel{78GDONZ8bfNO_2KH=>f`;E4Mz&|;;m`jm}%;;!$kjO9$~n$ zShj%%;qi;QTNc;T1xpSdYc>{JQ4N|~_Kh;Nuf`(Q zB9~zDD4gKwsRif*;&t<>oZ`}MScbanr2SZ69rWK^QPLTNR#et~28byT*=D@+My`c@ zf-6Hssw|W{zye5v{|tjL$r$wnHGu7E1O*g2?$rntA(#OgiT1bQl^?U7$wbu!KnyU$ zNz~K!r{s6uF>k;wKT2r^-CUf06$Y!ndQbfky^|%wni1YO1<-+s)-^o*eP|haf0h5! zW7#Ur?$oAE4%pIQny|?*y1lvTRsEbApB<5Bw@gXbZLDc-I5hk;Z)MY^IxFUmEc#>5 zt68OvbY|S)%+ZxKyRRiSo9cIs$kS8Pe!E`pNc~g}>&nka=WkKZ|3hB?iL&os$SnTF zOh)71O`j$mKKNsv%s`|cBNZcYy>+yFD7HWCh9?r1$OT2edhP7<^(-sE)(WOZUQ20t zO*!dsVQ^|@?y5ekuR)?MwYBH`oOcg==iS0V%3RhF_EIIDpD4~oT~pc)4vc+!5*(hM zWGdq~v-r;XTKZv7fBObWph9QTX@sZ#`a`65-tFGAWxnj4t9$oLrh4J#mM(F}&B(KM zv^dMzY(Ft`<@%L#4Xp^z49TD2dTwY2tUYKT4ZATS(mU4R@thZfeots*exb^KqtOR( zt$?9Qc5&oaV7rLlz?U0QR3GOJQSuRG6+;Z0fn4_S8NrK*YXkch}doyZKVUq4btloY&l~8&ZH#jQ6?i>`-wBZPvU#7l%!9 zzDC`8!S~#)O#`(Tt`51%a*3N>$oeszv<_50!#C%R#$<@7-3!n^Tn#4@_B)#4YvSztJePlgHMYj5MubV?jw%-)PKk;3KN31bcuuccX%Eq?41R3BYpd z6@;8joGtC6)w*ZE3wpM$jw92<=${h%qI4Hzv-W+sXNBBV_MIAI^k3P zx;GjJb2g$?^*uaTd-z`(&C-4(v1^|PUV*%f+J1!&R!MBZ9-rDNwsNsh=t0e4XDKXV zrx@}Lt5x%uHQW{)wrjgY6>=01@oc*e;^wc%C~;r?!2i0p|0*DQF8k!x17!(^&-~yX zSI;D#c1RZcR74h|BHb4U;my(fAb|NaTiY&oKEQAa$?FP<|(SuYg5Y?ADBaVfjRjF zh&Yu?XG3hQtt*a!vIZS60PY>5UEZ5k*pP!Xizry-8;u1))1>&P=FH0`Xy=r=V){>H zaTOPj&9mX*Gw}6y3bk$Y;?9z~%q%exDW+9?0gMlZ zB5YpZW>=mrnIWO~p)5+$+G_n$mwplK)c0Dit6F-3tshk(0i9vDC5)o)K2kACK4Am| zP{2dwO3=yxH~v(mxl_{IT1*#pcX$QbfkDo~gB-9=0O8622-3zziK-t*13V9PB6C}$ zu3Pyf6%QTJnH+Y?>vo4nIzOQI=@PyTmdz`MO$VqOijdyK0PDRprZ_O6rv=M7W}6+r zZI*^b%yyv+%g8UOSECLNqSKWm*IQC5P?#PA7`Kg}`j7fA>oS!HRqv5*)vY3*NYVp% zfSU~EGJVnfDrP)N<;hlIb3rW9a2psO92_oFHYp5y_XcwQbncUN3e6i41@yeI^&2%^|g{GiiE`5gm7^{ZW4>NNoQ%^J|1 
z9e-xg%sNU8a&sdIv%$@QJop8I{ct;Q)QLPg>qfh8az_oz^$^uyT)4F_FcE2TSxz`> zj<)WsKXz_W!5*%C#rg*o`irOc>7^=j)6!KRWbXL*s`jnYM!M)}BKgSWt1bQKkfi|& z1@rA*j<M|O1wd&5lq_x&YuZlb&f3nA9W77r&h-Y5{@gNZ8# z`PGN~Zw@wbT#}FJ#(5LO=jsU2v@yC8eL$AEDvIRHK5=rNILqOO4MR_Mcq-P?%P>5) zle6g_{S{VH-_N>Sbm`lGGban;Z(q?0*%9(l{DOk`V!r(YUd#(GUrdQnqJVyg6uN}m z3A_Jz7Ah12w|uHM%#Eo2FgXnt>4 zH5Q=BmTxb(oGh>_>lIA<@piSV?zfU4oWHeMUZl-dFb)or02Cm6)K;&eTo*N>7yTlx z3(4EU)>i6WyMdpQ`yhgM9WPgL(3cBUKp8f3I2fSCL3spMhGRUsNhyq{(DEp>rRA~% zTU_X71`(Adr2pKur(e%^?skONm=b)|VgKnZE^2nTCLc(iVm(Cw2#NLg*98?We;r;MP7D(^+D`ce0 z&SQSNPO_fl3^GA?LlO~1_`IgX8%F4dSWPyPyVk2jk3>jyVw5>ip;#9(oc1t{&AmyM z<9~wm29adbQqz&C_Xjz%+T;bC`@Ln=?5YHZw`to*uA3i03!CPztLv|)t^w@>B3uSO>2?vr~(mTAD)GdWC=4I z#c1PD@`a+0)nbuC;fhR)V?b5lvv^t&Q7(m5GHid#s!nCVl6o(6q1@(RkTr7KW^=(0 z^a%cZUSV{x&{GbC4zobKm}cXh`QZJS6hw(E;4(|#jM_}$RV>*k35krY8;tP%Z8y?W zMyY5NoIXkCdWJF+mIk|0Bz~qbLSF6KUeq>YL1_t{5?KcO6;jpt zqX#uKQch|3j}e6|YAB?>Ol5Wo^nSDHypL-VB7@%yQ74_rXGqzd?&*?HQIGzlR5Q57 z9u@L-v;40Te1z5yOrzAV+!)wbE-(Df!>I?;Njl%x`2$rkjVC@Kpe<2geDVdK1_1_mh| z5U31my8K_u0qKwG2w89wMpULV+X))bL=tT;26kJ}5{~dwY5?2;B-KzVg20x+!tivi zST2>t!tvo^qU^f-6HMQ}0g(Xb&4-9GNUE2~lQkbZsfMK(!|j|hn$g+>i-KcWiV=9% zKWeSQD>$9iNeHI$H}7dQr&?rAw?BCfQC7}ns`5!xoe7(csIaOskxs*xiNiKT(Bd72 zo)d=H=aqsxYb11ZrmD#HzcIMIi0_QEbVO+0o{7pHjX*{5VoO)ra<$mp+y%~x85tC#*SANT&^FYI3 zZhX5%$2Bi=UoX<70TYH>Y4^jBUuGkRjIZ@!7hXt+V0&{H3-cQVl%-Z*9~-VW={--q zkFL7~N|8xWY!f)Tj@MI=V~)14yloKKVJqTL9tSYIlsoZ;(>wtneG#e%RRJ<>=)NL> zjS|2yi@_*OE1^&c@l(n@IM6oGCjN~0=oc*Pl}uDV1P+_(^ZE&RZTxscU{6^|bU8v} z$e1rDN?OXiVD*0+S|ULCT(AffkggfS?Fb1`!CUwiP4NcEkx4A&r0tC~<%$VMw(jf=XIY zQBk5IA|gZuM8=3rB4}h55W*-kNeE;hsmj~feQeLU!*}1k_kZtw|2@HqRjFNjueJ7C zYp-dS>Z7U+`flrHht1HWNt2*oz#pV)pN!eleGWm;wr$WV2!f_VQzvOcYT#@V_=6_d zLX*L{1~}Uj?gLHv@;fxi^Y)#IyO1^nP5#us7*YrKXM^jl;D8qQgRhCZ|NKB(Y5wj3 zhu!^`?r;wT`;@QerO{WuoU55xKu~n_U*~_(cGANMa{iOHe=(KW z8Z!%ul+W`mNdv8a)$z-!{FN=S_Bymkivyvrll&%@f&5GHBNB+_l@M~@x#3UFUaKYGOfqz&C}`Ip{p 
z!1=__gykgS3C}||J2q|pvjw=aTmC03K|w*LLFT5k6W)Zi*4Ea9HD&}eGZWCl&*_WJ-GbO;XOURj(#lg#E~y!dwLMOj(8pQ@((x(sIiu? zobU(G|6OAO5`7)?UnM`l5wx+{c*4s)z-tpYND~umvc}qEjoGfhO}eR>xh0YC5ABGA z31WN$=zlNd{~>CTh@Kuc9uu(BPW&b0=GiDG8 z-;Vq*N%7?uz5|D^Z)W7e+j#nKalVsAj+y{Xd^Uv(xi!he}2@as!e>R zO_`!LRehSe`ouAP#;h6Br_Y?Ou0B&^=FC~M!AE_@9Gu4NITPm-olHDF@f7$sd%F7c zi5CBRAJr>p?(|8YrrlGUv>ci|caqxNNvdK950=`gU^$;y(f|BRnyfZu>NEh-%vqp8 z=63*mHMPkA*r`*%`aLNO+=r&jovOKP?S^UdoZQuyAD?e_>dL+8dOtoZT(F}`sBeDo z#OWC`7ixXKNZVkAq0!1!7MAO*)?3?b++@F*yv1Sb&Rx6rIPcxJ-^0`EkoRF9-;)7> zzXs76!Dr5%J0E@_A~HJW>b2{!H*Vg#pYR~@VbY`I$IsI(Zgy(={2#B}dsa9@&wPh)!NC(%GZ*Sxv>S*fQ2T<} ze+;qH|0&GABK8+vP0(z$NnrBS=0Y%}Jb6FT_=EN9NTa)xBe_rLj=O~2cP_uf;vVfS ze7vEjaob5>Q5l`hrwGa%ItVj-3p8JzUgEN?)*{(-sY9D%g>#m8t_ouHsG#eCZts(J z!bg8fu%Ex{*3|h0MtA9F;eDGM%Nato|& z{1|t7_|GG6@j<`YhY^t34wfy>8sRa`XAVvO|kQ?`KnGK4BqPm<3xgW~hR+sDyKs=AZ11 z>JxvyllYjgf}-KDjyW2_7=ubbuf2nAYj;18dwFe3k;7ieSN>rjxP3D{1v`bv&2gZo z{VGUUJuX#_`@qtE3TDds`+;0_`4^C$7Pt%yL8K0Hry;%OI?|mgsCzS6X~bKAd?2Wx z749miqgMr;ThzfBpQ?hoDq*Fop9(5+9N>%l9so{GhGjW$d*YZtK3a_kYT3$f`^EiV z=(hi1t}uxztiNV5HWnV^H^++0);U@}bNy_}4&(bO=zMGgx2MJdh~o}K6xgKvskW=W zK&_my>V8GgQ9tvu-*4a7X{h_D!S1JKtD=U4*}Ik|?AU7KHlB%OgzSZJM635FZdYg( z$!_m@+-|fh#YbVOQ)+gcI~?Pa`FNXcAo+}w{Q?PDJROMaq@DmL`@@r{E=(R?_%m-N zR*O%+Q}C>vql=UCft=a^aNch@3_XHJ0qaS)d zP+5Cq9_BVr1$mEP7*Fog-N3ivKO>*REP8LzO7M+>;#gg^+O(zU>y16l&7X+Kt3K>G zE*tw4IJOx6Er}YR!m`0AnV1oKQt8c4!n~`=?{~Qu&k8d&+}SxaImW_mK+N3@?G(@MYD9;aQjs zvzfU@q<%J!(P@j!k$D#eQ5$Wzl3h%y6v(#Z!AUv# zT2Xz5%5-^6Fmp(mP1+`EP^TVZ^4+v#dJ1Bw8Q^YOyX!OuC4)ws_b&M-mgHgpW+&$I z#d_Fu6%?d`4h+~zwhFtW(iOHFRnYV~aYFH4*){a83TmovU9qJrW{^8lXc7v59Vys2 z@2blp8`EPdC<_^l8NH30x6*5S>05Keqg9Fw^&zV%SByB%n7F>+&8I{j9g=$;ymP^B z;fCSL#p737b+ajEeBR|wc_&}0Ng4M(z&ocrnt(Nurin`9p3vdf%*FLYt9#qh`n1Lk zVjGEEy+bm*Vk}$&OHpwO>Y0~~va;t;kz4R#`RT~{#*Olg?}Pr+YZVKlG&*TX>?^wfJl+0_IprAq?8L=i(xUQCZh`>4QC7f`blU8F8lL9eY6WO1ds#JaIX 
zCe*!Wh8709KA9&+`r#-C-V6Ah)`)RJArqdy?`jSXuV4Y*o+{-GfN;)-nZ-t-+gtH1k`emtz--eO#f~jN#k0;Dak2|^m22uOIp-ws`~bd&a(z9~M>IzgBImw%aJq(4vy9yMeAYf) zJAt8ytAZA%8A^&|CVpD4Y^e)sb39)-qt_MGu!$!)LVhI2Qp2hU zTUxiYhDKZ6qW3aO%&*{!F#+n47-lch!Dd){w-aQm!o#tt`}%XbutlON-}yQulXx%4 z9$gOl0x6MeUU@n|1v#rA;=o?_9s|5U^YO-3tX;HZfuyHI1<4E+uzyoQZOOWGWjgLp z{N~BLOMc&g%t>4a`tW=1V2I%em1waF8sTA#hFE3;{7grNlN5`BiYRBbouf$0Tx8pp zM)kGV#A9OSn=T}}4z4TH8+^hpT!4losvxRtt~hZ)jURVvo_jlCNt4WZmoPTcfT|NWUu%vE%H6bO39+2`c9d`qc`9X%2`=d_u2Qj(sgSZ$rC8 zWEjN9PJ8fsk(UJB=#g|o1?kVgI9OxDWja;jDZA2%X!_=mE(@h)+NIC#aj!hyyRX;E zSxY-a1)T`kB%X&g?ODUNdbN9NX!u@T+ojY(4A#qZM*AN)sFDKdk(f{xj#7seCoLe<+)|M5cNkK_6y`{WDL%XOu9 z=Dopit-EWJ%BNH0uS7GAAIf}$v{Jlw;EX{fzMZN`f85_fEN`zG%@%ZBh6{Ql44g#V zqM?v>Bmz$snMORJBfGN{676d-O$W#-2trzS8=qp?2kn;*W{PZIy8(;tY|JiMVCOrl zqBu=t$mPzo;Z~lvR4JvH<`+p$s-V-`Wjx6xl%?D)aw{CWxX;2`AA3_Zuc+qJ0s57> zdh#KvOa(FW;UFCql#+a_`)rc(x6l;(UokcGCP_bZd$b&oLRzM)7vsntjO8}wXw>mP z_F!Fc^SWZt$j?Nlb`$498?^pfnorJo*5f`wcgsG0Q+|F)F0dz9isEE7(ii_`!pHfa zduYtkFwxHvrxAIkl$Q}I$Yd2V7zYo3LinS=o?Ycal~3D`WUHX`a{GWqR}jxe74&N- zrh<}G&|I=)8(ZoR3&s)Ag4V;Z+6wN6L7F8+lTIx%^NslIQ{VJNTy`AziSnf}p2!gI zc{X)E-Ax4*7A(uD&UExKp=C%%dd`6b?9SxccUXBkHdKbHAPTme^(_qh$8a(ap00g6 zGDLXlgCQTencU~xOcOYhRFqyR#wxfxVA2fTfxRUqL%3D{c0ViU+oLhwXfsQJv6c4t z#&t-`ORz}ysi5LrnOQ;=)GkR8IhWp|g$LNuGJSI%VD?W;`|vhL!Y6C|!| zsVOYTm>`nR!I8u(c+@kXX{H%%kW_d)9rZ*8CYI1d@_e@=&+a2nqB-=KR1OMkoyM+5 z0XX@rCKc4+se-Dmv6?4KC6*afeeU6CiUeQr;9K|;@4uK#_=Xlne}D5gJ*@OaY}du1 zx#d{1{Ms|&W`c1?>FvwdbJ$7++1q*5_q;~rCfB)R^#dyChv>XYG5VS-Gf+Vf(ueXa zfjh$m&e+pi`0-!Wk9V-ojE9%OtQ@y9?#r9yxBTV9+IA}F(6*7#v7zf+;Wl_$SUjBJ zr)v})#Zg*w3W{SjkFwG}XB8Ey^y8nqRT@wk3H%WVpp}Xm~Y+Sn96a zSo!D!n;^hjeGa^Fqee>{8Yw9 zxsvI$Wk8W2&g{)Oimhb)O`@)wl)@ek9UIU5`MWpnJLdOm+KM=1G*N8vdk2F$y-+Mpu!<^hUtIMO5aO(F&I8_$6iB-H` zmmS#C;=@rvgc(4bRS@E>%orIMJ|pVvR3GZ=2CnOjfNYYs(k_d#Jj}mGdSVOv6Pc2Y zb>W59np_*d=Dd}_44f*v)}OlhqzJPchngxV0Pe_=H)@aHV*mBdSv*(Nz;=mW*+t zhziFC+)Rq;`#vI<|B9X0sK`=5Z;+Ad-29D_X|iMmp6*TNH z0++kOLt_A^8F8f{LTq-I^V;4k*c>Ao${>(4Q$ 
zc95LKa96M%G(F9`Q(Cr-Cb=lP7uM0ju#j1rY|ylFTu;oUSIw)~+UeIJVmx?!Fh3(- z1t|hhE0gwd3p1I!bG9VE5pnAqm0sfdo8U^aS}iUIv>ep1-7bWc%e4tjo{kqI))7z8 za)N;ZZA|EBjTJ`slxq6=(N$10rjt{3cVuTJ+J(6?E-$$A)BB8p5T84HL&Ilmy(Ih~ zI~1aVl%^m|0IXUi;a*aS23)eRKu_2b?UVetm!PiPwv;mFV*@KQFpaUdN`EwAnJ6}b zXpTEG+DNo+XRBd?4KISkrdINJZ?-Lv83%pNs{0Qg`s{b=ws(3XtnID@VHsTdyaC(= zuF%QWE=2O15WWy_XI)1_5ea`v1!Y>aTq%>34|6*e80H)af(F{|GLfiew@4$;Y;Uik zy5{E>V7=1)^{L_Yh;%Hw;da&T$oFg4Us!cgPrZmvwCJ>1EAs$;S{8m&KR46xd>5K; z!HxJ;*dI-2z7N^AM0ZM5XICbm4Y1tpjN#WRD1&l3l-5?kRab7T&SYfRhV2;GQ59&i zvf6H=qnIC(B!GVvHJouGOY;3gW*)FRfBX{n`dSt?Im|v#u|1R^qz$5BZSeG7O#d`) zDBpI60Ak#D@Z$a{Rwz5Bit?0JPE z4z815X?VYD&o%QWl$=Y+!uOLGzh^39u@->G8}`QiN`}m%gFnlmjW*xM%?NOy?WS5o zc9HhA^d!kcwi+tKBg3sW-AuF4?ZPS4Ic-9u2vy%6RW`)+ౙPO*cNb^vJren8cU-TO1Ol&8|*fgGead)1ivsw(>h(@xpX->x>~|L|#clwVM^ z^$@?3OpzZNQwaPzP1K8#=}L2j8&AR@6MP8q zq|F5y56{FY4bg{r8yJgk#r~#Lf9#X~~5yf7&bpxy?gX5jV-8s|L{&VSKUf(MojG{!q`gNsaC z9je|zffeL!iusyh3A}AAaSkKm^AQjrKe3zJNRtf65)_LLP~jrMf&+&oIY|P-k=7}> z=`Rs^-?Qp1N*;i}erL)K&8u8a=DXzyyzk4#6~t%oHq6M?mkZX5L&(RhQbaSglhtvS z{oUvmQq4*ASjKT*ak&%#^}xq>1n9*MZrfe<3mR*f+m@=kKxV)2nS=_t$YP6jP!bKE z;QM0alGu?|^v)99H7{%PHnb@o;ij05ABH+*Q>K&Uk+Zm9lg6$mXPMh_ZM~N*QGZ3QV*VnO+%=JH^_1e zAW}ik;O;v|DGP9Zi#VS@gVhd^&vV53k6}G473qrYKD5MM{$fkQ=^CGtN@mQaXVKF4 z6tj`m2Jc}_+_+Eo0|6ejP>hKv%6S(hm(qoJpFC@dhTdCXj0a$b5L-{z;a?Ed)R=@q==puNq)3x<3J9 z;CR~zk);gZ&z}yrJ!UU1m_`pT*1{Hx*o{cLQGS@CQ+k+by`!}$Tk!t(BO`6mAOe+M znHFqm?W%$}7sur>I}Z~E+F^%GN;t{<1Jd@0osPQ@x}mcI#?z6#)s`1Vb);4EeyY>k zRP!JPHCAAUMu93Y6zIoDkJoWNW=Y2Gm&zF^2TGfx)kLrucG$o)#XC(SBT62zF_I%8d4IkmKjqLd?{Fx)uz~$Ten(5 zb(n1UDW-z;W(x_Cdw&KDSS`E!L}`cKE3jd{J?VGLIm*%{#m==YQ-r%1fFI-yy&)Cp z3u$3jN=F!dYJ-4DM!lG>%=d_JyWkT3dD^olZgfJambNebbiZT%=J$SkO;-;aBAp{k zh#4{HOUWL}keb3j)Cqk=WF*pKO5@kmTADZ)2|oMK=2UDM<+3aJlQ(n^#&l8GsP}N^ zllBYU-8(S>w$+=!sK7uZtDMzzk<)}PYQhcO>%2To>LzRN)Db)*YO_x71j^sZN$E7RzcrwFf2ktoSq7gkjUeQSibQGE?i&> ztvDCP1hUmYo|bjMkVE?b>q6GtrcWEYC@1IK@uM-816@fm$JFrxV;=0qX>RD?4tiSd 
zmW6dNEJ9q}l@-lCslViAy+j0qck~-U$oWZsi0HO8_GU-`oM}3$fnJ4uXW8OphRFE< z{DlVg_ayal^o7)?^N#u!#%kq;K)c$J(Ba=HfX9$l!&nsrV5tW}E-%7nr3$&Ft&`D* zL^zpVQL-Ptgk)K4!rpUVRL}eAWz-Y~$)O7FPT~PwGV02p7UE^Aq-CtePD*NlEN{Pi4+@wvwv513XV`RIBs;-fh(H0 zjLHantTr-vIdcdY-3M)MwT^@@3kZ92+jYLvjxGPg6M2)e{XmAZf+B?_45J5`Ab7W% zqhP6^1pUOcGv>9HSK3*Zu8)(Fk&b3~Cf{e=H7zE@o8c9B{Bzj#>1_@sp=YDv*3A(k z4(ZZ(FMLM*8H0w%)uEJ!+~z#vC;Rp{`2+#C*F>|ve)>8JTHg6F{vcAb4cMhoTe>)e zBnC%9uL+GmK>NIWyUFH;<}>ZgXCk#-@#3<0ova!+{szS+`~v0Ll>GeLzZ-Dg0Ly!I zj~K3X=pKwN&`V;lBw=w~Kz!?ur25o$g)fUum&$qh1&d4E-Gw2A$NEUR4VJt~t#m4{ zA@#}VkgYPwDYD>_G?ounOu+4Atm?W783Eo=v`uxdB5v7wZnF(0ca{?O3+) zs>1v=Mtt#9r2Yy&&5w{!*e3Xn?prU|b^dcbj3CZdPQGBq9UlT2{+2=;h!@S7#`Pgv< zJ}5?!^npL0q~}Z3Mm+q6oQr29@xnmzNW0KIX`9AX5GeP^4B6L3*ZausR~B!Tw?-OY zPvVkJ-aE2WWavU22TjwAU*6X$twu9Zt4P6oYUe@5tA8qZN2t_b%_9)IFLPr(k z;N2_(Ee)8vRgk*{JUWPbz&*s1+v;!>^Ff-lI)jsB+|6(7mlzY83f%SMw2_&4zAzWN ze%rYQ@5||BPe!_~Bn;?@xer=wWidD5abS1ppTsW=)#>0bM8mPUhz{~vM*@~pUlkOw zNlOJC0m0~W0m>r)f0}!(ji1gbf-meZQyLBy&79ABQ=nphD0n)r*O^X(OZBeG1kt_;3*?o4S;z9T&KiY)J@Lsfj{$# zcP5XVi!raVmDBfQA>$i&oLjwa=hh|0*aa+qd}Zxz;Q?oB5dYAipexAlK$e#IbLio} zGPb~mp9GGD8~!|*xcIk@sqem~C=QSS49i>)>A=gxN1!5P`=r0iPwY-{Lf&Y1V!27! z#c0k>vsBRH@PxzhKlNB(nHFoQf^K#bZfJh@r!eCeSyCKIP7E}MX?j%}O-koEG&CTD4g>gmWaJx<|+yl%Zd|GuR z1pJ7v*9l+S3>n>>L->02Uwxu`aJ8i|t|gUo6ED?G8WC`Nb!aLm3{a`0VWYishPk!C zRDqp(p@O8JCWf6PhOR7(x6|jVu*Z0OY!(_aA%E{V*q_q5y;k zk8)8dPH3yn@;x?c-7{S-Z?(X8zJvmpOA8}o0 ztq=4+xUIEQ1^qHmG~64F@Nuq*PpIzcm$gvOh|d!Nk*!CMsIyz>dTu!{`KECUefID! 
zM0jd|Iyxf{=&``wtGg6y)_=?}36W)lM1Y7*Krs9?koSczm=hQbJiq^Fj+H|F0DyTm zTRH(HYjDX)>^C!nKY{e%qq}p~xz2LKmgsiiBvrbZ1sZgh9aWfqUzXOdS_|t%^4zW~ zzdrtKsAkyzgVOIrWM_$cUGTiSEmvcx!OsSdVaJI{7Db1yb|kJ^u*}IY{aAD~rM#)^ zA>!@xO!k~d-8aSNMf|;^!yeg(o0iTXLazc1AEniitOlMv=15*Io;|s$xRP9(=GW72 zT>h$?aed~kgfo@K)sc;xPedxNM#IP6g$BGe*B&W3wAku2XUEUOI};a`7Yx1C$m-|a zMcP9K*rSWiVCY5=zpnyo8h--MO1!imkF6+R-p|K*#{5qsFk9uih|>N&SQzi` zoCK8QN|0St{{Rc~$9Utj3xW3zWTeA)38iz+vy`T=_|Dx?TY`*-W@wIFTC5B8I>YDa z2J=IRQtbRkwsH}SZGk&XkMU8>8#v`$3NX&>DzJrnKo=Xn2Ml!s=<$2V#Tw&lM-LX8 zjj5NvL5+(CF4w_b=7AWxI9mmw8qZ+aIz)K|FVb4?heZ(8vFS-5euMuRF5S2Mz>CbJ zM`I?_v1>iBPTujv0Y1+1aC=>bq9P?ayyASft^*Q$?&+lR_3s#~cgU%~rst9U7Q1b# zP;fJ7`~&MNQ}7p)e|`w-?9cPbG~lh=`tH}y{;iMtVxzvFY0V@|y6U<20HNOJ=d0bD zXWq{C)>^_i$nk42Onkd*hdt`!_Ys~7^2fgsha-(rp)VQYi7fGd;K;s z{}vaTp9$TMTm`MFrH)K{3Cx&2K>n`BnSU1>>OZs_w9%MI!l{$zwK!-KfD=6IyxU#) zc`gmRViE7HSioxI$`_d+ZOHi4plglcNi%NLK4PHgxy;lq;owWOS&lGob^~1lQd5fL zF^+t;E7HJNl^=+@-DGFnC~)OYq^WX^vdv*o5| z<+#?Q3axA1LtlEH{T0fpzcszTw<}z*Q<-#~l~RNASsVWk*j{xS3w9q`LHHAT)}N3W z%nx(B5#n(1Z@v6&KnMFj=pz4@bg6dwg7m+j=RZgImV5q5CB;8^>7Nq!RZsn&mj}LZ z({?l-iKcMT@t%QuLh|@cF8>d`T$dBMxNO7$WItD>)+YPuBl>J<%i)~{nGRl;d;ieD z?(;#KAQmX~LlN#z#hUtJeK{P;!qR&%n~x6}K4|eDJtY`a+n;a5s26ry!j-+;aQ_L&RRD#F* z2exdwf=tza#uRj;Eff0p!|B(aIne>MRx)0cP={aDRJ5J_HvEm)a73zP=gN(@zAhTn z_2zwcFo54WFh~AS@lFb47&zP45j`d5J^q#%+f~7^9gLB|EHpB!J4vcRnphzY>;43b z-%}KFatv-F2Z=fTq4C|jia@~@up7Bo8Eb&`X$=dy=l{|1|C>)}mf)noj4tSZQb76R zgn=aP%IR|&qpN4k0#Vug)Y6i0biY1=ppoI&JOXRo-lzp@|tF-9ASZMVwjNI2A>};n8gDW)%Ig9ef9w)96_w$mlstQ8M!aT5=LBC ztElt}s0DbNpTMlZbYgaietpL1ywM{IX&XIFt{-i&9n#W1!^7@RUm668(xghB8Kp%Y zFfHjOFcAM7$O)v~^Vs6IutM%u(=?Fj zW6mb=Ivc%m9r+cdqBA;g-oB?;X}#$ashsV7r;QJClL5F|p&d5_l567GmP9S>Nx43zlwq!Q*cOE~Scg`wM@ z9^KQ?-|))E54~fV8GCa@wp~rxlE=%Dnk{@Z$L@wNLmiYi0J`nO6bYDSnF@*rCUsbY zM<=0Cr-NKHaCxOAZMNG6G&}g#(X{fm7<47pg?k3_K86a-BWY38kE~)$OGfM5=3MgK zr^CUVbAze=Ljf(q0}hNHURS6B-<8mKKIs~u)Ls=NE&=A-S7ZWnsDrVhS^GriBxh*t zeQ;(#?ylVY^L~%?SQH0RPy8@;KofapC@_95j2&FiiCd^NZy=-&67)pQ;mS?77Syv& 
zcDa;kGjzS<#kpm8DLjyLlbr6J3@RP2!%7iFG0c)V;xT#>Ds^=}r-Hmdj=rMwR$2HH z;@U@uuPjWNzeDGyX0%|K!)PB0@a@f~BxxIN$0u^{F%})S(?j;SNx|bz{TYEGU_K z-G07OeoO!+l}83-rg4$+Y~xZd#novKvy>}F5S|h6Il7PU=Ux7ceat~C5kxVTeqbG- z^|Ff`>A)IGq@5Ip(ZLiUt2mKF#+sTT;jzH~2!Yao9TW-)+IFDto> zFV)61f@oO=Ls{$)BMq9~*PR2S=FwIuMI$E_pXpId%CRxr1$Yr@hSE`Jbz#ti`TZw4 zZg)DXQdoywd&FZ%SZvgO>>n=P=5k zkS1PY;#4Em^_KP*Q?pQvt=P3!>6k7YJx11zn078Ok#rvf$w9#WccAMwMQw`S76-2H z_zZ_}2PP7|KlSivC&y)o;vnq;Ur6!Eo0~@8d^peB8^n+}7YS}f3Xi?jrWrRau?SE1!s(7ws}>>ZA)0Ft0BA6{?5Ze7<<9+*@tQc4{H`(t50Mc?@5X+P!9lERakyVRQA~k zMA!=*lr1OQQ{RQ33v}p|(NcLS`c3=@>dw4+B3J@q-V4bJ9#;&4uQoO4EwdGFO~;I6 zdJ-sIcKIz@75YJw4_E_&+i}B3y9hTsu*7QUmGl#j^+nYruAW~J{%Mx5vxO&r1|-D=olY0 zE)jq9)po7tnbZt9s0%t{6wzcwj)-uXuUXTnUZUYrymqfc;)X}?@M^wOJmwg%X{3rM zZv|NkM3K{-Twbob@nI}%5w$1M=!xTm_xR24RR(w0H6G~nco&xq<*_a zF8JoP!}lZ4{4h}xwzCi!F#}0$P*gTLQ($~XNL5|}6@4%|Irr`88f4Ptjc4k)U26kD z{JtxhXnnVpo>jas=jd5dnB<<#hAFm6?%LLbuPxHz+7>1sO$a?AOzrNfm%Ml}{y>vr z!Rs#52Bjdu7VSLJ#_P;3wGLb%enIG}tkXSiRb9_AU&d5KdEPPA6T{j0x|CLD<8I`E za}8DaG;|Uo!LM3kTDCE!lmlNlGE6IIFz6ZQE$_2JWuW*fc8LpD6dRtFM@=Y5wF2rm zOK%%lVS^prQHrhSdyf;?T^kn9P``EE&A+DiX$J& zrd*e5x#%l)z5-bquDn-NA79C9!drk+v;8d0l{=Ie22vWc)Qf_XqVyaug442xy-ea6 z1;M-VXlGW<3x|A+!d1VS-t#zKLssMd_yFC+5X^&Ehv6h3uG0s~0%tcRrslDmVEza(!nBJ$ zfwm#YS_RNq9d2iylyzumV&WpPjLCmJ9w5|TseaR7grOsW$II9i{QV(jICcPc26ez@ zTH@p8X2x|J5-)38K3pZ`#x6P3P#13|x_$;_bvz2(=20khTkx{Zf;)K8ZXKOeh2D;J z5^Rf5@WzlrL)79SNEH{%&Jl%&1L>$K3ew)qjo3MuzVY$i7WuEX`f}ohr7W+cPjbVU z%7n)74ARNi*HRJvXN{w&+>YG_4Iedof)P&R=OaL|9vE1Uloeka!e?kjuBgRk>~HLE z;-4FHJ&9@V>j|jpIZgS*!0TZhd8X-#L+4mydq(_|amr9K*1hw7{N260;V${AE!?`Y z>{Ur|qY3ZEogU3ti4INV75<%k#Q*hsPBn?wAG`Yg-o$Esw-^!RLoQ+?v9XmRxEW)n zPORzp=6b$(3VNY|5S8{}TxDE~ zL-Rqf8{Pw=-y^J{0h)Xq1iHCbLw>NxdrN%#4r_e@5(y~?a0~t#!S1fMo0qQFA+QO> z1>x0kQDwqk!0CR_Aegbt(vh!Vd^>{gwAh>EoBOz5F);dOgiJNZ%7n@%{J+3Jz7EiI z>fgchhkp;xyFQF-A)6c6j!_ij3baQ$!2WBqh=f}lL8_OBH!Ns4Om?!FR>vmDk3WlvhXc{+6Bg|BLDwA!dB|SPhkHF zAnao+H?wT48=$}45nXkz4zk)Oy2F#4WgBomQQAPcM>4SNy-xxM0z_Q}k-a2cr6t&2 
znAo{!6lfDPygc27WnL~0`ek{iPPkNjTawm^eJ{Ws5|qGr8M-#|a(HQlFfc4?dD7~v z%m>oZZTLsWxMzv3#d{ar^psJ2>|bQ(CmQuR>gg`*WOq_^yq2s-$dP!|k`}qpsioS?ly(>1f`Z%*o#H#g z`c*i{vn{jE<0Z)U>w_95 z-^|mnG6E)6=P>K_neJ^vCR7705i{@f*k&3hf47 z2mlEC*8v)6oh}o#v45jBMF8=_*qwOUPeiYT{^r5afnF8#eDEkOPnyH#ffP5=t&G#- z?+E=4%_G_gT{;ZQD4MjIu?V6=Y9VsB`9Kp7l*Mh@w%Gw5IvejIU{yADm%G`5oxOlU zJ8{?+L;~Dpz+C+Rt#TaJNd7W&f-f@%i%biaA%D%=Bf4X!;n_S}kzQHfUFDC$JJN9C zFTcAchDQbH4CLBv>=EnEO0FV~#%l<=^Flg7q4zF)hWF4SVgEoId@*lro2^`5;e9DJ z(Ae1LZVuWt!=pPlfv4aR0E~O09X>n9Aw_^uYK#8HQGe0P347^<7b`#kMXU;1j{gV1 zs*htHm|!vBW_K^}II3 z{zgoI?^U!o6qqAtSt5P9YygS3idXekh>w_B#q~e`+?_e< z7t$P%Yu-sODk@mkPV+$X!zFGFaWVX}oQjHf!mWFef~KuWgO6R|UXUvE?a52BdxeCM4w5uafOuzG;j9sKpoeFaT-w z6aI5h8g<{8^)<i$&?5{(|E93&hg zR@tV^c!CqSNAuCqq~v=V-}-5P|0)y9ziQ*BC7lNDtY@YQIt4g+L94U+w@J|6UobW8 zaP?H=&A|aIw|sYhDQF1dJ>voc=d_~lfY%2yum7JN=HL3K|Lx~TuJ#|fs=c85`pXd6 z!}`z-`o`FE2W3WDb$_;Zcf z8eFDqA6mh9S9i9aJK!D-ORFD*|CF7>3funxWD^$UAsAer3GeJ1#Wv#L-Q;9pV@Uivv-4VxEch#`8wuGCNX z<~-HzEPUJU0T2EQQnJME4^F%_ij!>{Wy_T;49NO7r|!5OoR2xrvwHX-E5zj!8LznJ zmXF&dx*lh8wl|C98Lg*`Gv*m<|9)0u<+=Gzd#`?5iM2p~_Y#M>Xq|=n-My}i7ouF` zL|O@IYz+KdmJvK~#}`~QtS_tjPrRO|97)`slLAUfx84isLeAP(XK{s02xZ=BOi^B-t7(M3VWp7 zvmPE|VHcvfc1b@kSRZx&*0vDK9PVCrwd~2ShO^pQ=R92a;GW@SUy;9Q>-)6WZ9ezc z!tGwN80@?T4J@dMpiblw;JMfi%J}z|T;&|F3`cT)keyVRxX`oO@|e~QL`FMT{jgNK zsP}1DLH&4#gW)DI++9CoowKzlNkSLFuXvi&y?*PMVfk@|c*(VRxrKsdM=Wk6fp?bR zdDNX_L|Ca{ePX=^CA0_l*y+chu&^At31T0!2*vEtHGYU}2|)!dAS+jMHIWa6K!djh zaFx3Qu*K-LP^5!3Np`0AdcmT4I6c&A%DfiZ^LT502auM^S;1pV5g0uw@8<(+wUJPY zpT2sCW@^#=&YAqOdMMB*(`DAmuJm-p4#ox6I-ZGsLO&gmOYzyWP_OrJ@2VthHd}t1 z_7CG4Dp!N;z!QKVZASncHbw185tbBnUWX19=NGGsPe)9{w(1y0zvrWJ07k7SR7Z5A zKqqD|b*3zOn{Mm;Twq!ZW@Eg?I4PdVBLLIEpOxGWcF=xecHsw1f#hx24GTe_yb|C# z3ofPtB2Z;Ie-h#E2KQ6y$gB`i()Nbcqq%YGO*6tY2lkH~;$t^{XNs!ez9cYV_Xm)D zXta`YAA65|FS~-VNY^^vIgK{ESnwrp_|hv0T+}?qLmm)D!2xmWlrB|4`%bdPX9B0? 
zj3MR?qDcQf41w&qTrbW-uzyB9B16Z{c)Q3-x!nIsf9$y3Rp~;BAiXk7kUmi%-IwSt zGjGd^%wsG`eIIvsU|wGqu3H89thhtG{%aq%qE(QN9ysCjCqtb1W)f}!3qM_HuYxvC zn^+>AgIzkikk>qs7CKwI0hZ@>1*5t-Blm_m&E{E`z&c-@YZGYHqPKS z@<}cUWlO3#p(ONro_i-DqF{lr=~rggxtahjp4YS;NStw?@YcucS) z_1(Le=H`AKI7&T0-ubw|MCR8)39px=`?cyeSgaqLA~tcu%7?HI>_M7h^k1KbgUIU& zu)B7)HXl<5s-|Qo+@XAXc^XCESa42D0qsB=BXg6>Z=?r_{k+_0RSC~pc7 zsi4D1_DHA-lDtoll?!RbFjTOdO7|$PKe4wzCqxOh;tUVZQ}lwo7+&#}4VHmo?`$qQ z70|ITS_PT0l&g6Y@|T8u5x<=xd~7)^U-`C|JHl<^PTJQ z@00F;eRp^Ny%(_kw@1PTI(x zp2B>>hK2%D`k|r{=V+gTMR|25ztoxT#9W75u^?cR28RF5-q}x`L-Ydg^iq`FBE4wx zk4+;dwiq;j^xczu+?yVuoWqiKM(5AOFRFllQ=E|$q3lqDHuxNKMeSB^brRv9mJ>~ut(m%1e+0=eA2WJ%tbOWSw<5^!fO3g&7~uj*=)BE zg)QAm9(Dcckthoc9`D)3v<57+k=q^sI7|zqH`;L+VBB-bk9wuRwaWyt)>z5+ohUdU|&@%vOFESg~g-t&PR5IGm+5{6P*G?&=W!2$*N zzrRP!mNLC##d16hHZ!=H0AFgS%i*T73&gb#l)FBRu`cW*6Q;y3ON)~%Kj2E3B zB6*B*l^Vj7&a#M1>QotpEK-jm5G|*j^Xdc}cZU`pPxx4tuRM!3^YB0-_Dw|QuZJqR z4N|URN8iXvgxUh4I+tw0l7tj3%&}{bxUt%8b@q|e`dW=@{R53x3c9j#?f@r0P@OkI z0f}a?Mc$^Ldzkkzp3jXf$Nf|q_TK2ALQ=gGZmbNnS7aH z)^DU$N?3;XejqE_D8yeT9&h_-I&{SJNLm_T6#d#?8BxFh?jQ01TWi_k_jy6s%u|Yu zfRQqALk^*s)~!}Vo$gj=;ks;y+u6E_(rTN82HXKdENeL42Fq5m&gNMsDlPNsNOM7g zI;CCr!Y%(Z$#8_*`mO*9Aymk~1HYREUPO>)<9j09x@Kn!`=!Uki`jm1D6sB3v9F@@ z4!l)#Db~6EyTiZt#yX1{d4AIB@qS!O6Uu9m$9uVn*n=zEjko~7@SM`{jzy-V6|(eV z!o9FlL*64}vpA&nx( #)uUPDrQbNQ-oY>)?`ehN~yOlwGH*y(Lgk`tBtxvi^OlM z8YAa0^cg*wTlD!b5A2C)xY2~Qekc*r$W?GVSe+wTg%|-@NDtYI)uJtN`3>=XL>(BB zu0x(|<+Ppz(xk3}j^fb_QYp6~mw?sQi|~UhK?L%A{Q8K= zHzBhwNO_C>uLDwx#=0jQasuiaKz%`0&f^zpFT5uTag&90YUnaZI{hnGB)1zKNn$B< z>w`vWylSvvP+|h!-e&WeX~6u{3W+vngZ=9GGd4_C$IwZ)%!a`HJ!0n&xm6(?-{+SP zAMYv0o(&kgp#|I*ffSZAER0|v!aU9C62upIgY%5{Rtf=yFzdawlDvW*DOXanHS{)L zhQmIcWIwkWy!jBT<~LE2=}r71*yGO9)9;%%<mpB-xz=neA2?((%28aWii)TYy#d6fPFpEN6;kHC;dnv-8jv5R`q+85%eW-uQ;A z3!TUKU%b6}T$AV4E?nzCtyKh6DhjbOSrOP(28EE+Iz(X86bDeI)H)!bq5_gY$m5Kl z5CM@2k|>CX2oV8MhC~EGM2O4+LLkgT$OIWk^6YQXJ$(D!d;h-ko^!r){?H$UJk$N$ z_gdGw)>_xyFE}^5q~Vn9Cu7gJQCUg3xu7*_%aD`F`C 
zm>0k-{gr&J-dD<*Gh|Ge_rX31zLmiF(8)pSygks78GsV9nm?iN_QiGdhpz6!dEs?$VesmT}p0*S9 zgAwgPa@mPndDIw;TAJT60Da4jue+iJKY*R`zXXDMncbZVTeUlc76AvjCJ_-PXPk!} zIqJffy+UYOrum-jowML~0_;hJoa^eP{lfV{2A*nD10RDw%Q{dC=Dw!sP~t#AaXS92 z33H}Jj+8xCyTdSsUzU=ip0Qb;tDHDX|q$OW{Rf zPT<22wT`GT9e^6Ut}Y{nGv{gnj=1)7)w=my{x!N$NtW7G<#{!%fuOQ~Gn-d(#dZx{ z5KUxDGmzSwI@}8TI^gr=9owLOV==h&<Oxib5ts|Y#1iQ=pSJSIaoOvG-+b7-; zd9}k-z@g2h+E+=U{nH}C<*6dD+KYpd>M*gOjK`9B-k5r7Tn_d=#e1aFB*h&yiAM=|A*V5Uq<>;M8D5iE8K9Vqv#SQQCzRk(NkH$JAFYq8NbJlf=F8sby4R~ zTV5o(I1S)N^R^iak`bBowu^O9?U{Xoy`c&Jd@8e~P<5a+K&ufYG36~E_Q(*>A@R_v z4pwXssyD6SI-|5p2x{`Pk2 zS+PYmY9=1Jg03cqRMBh!@CSxI`{bF|(xe*ixuP}fT)+~7!EjD<6n?b%;u^pY zU%`m0&5X7YS1Wm44CE6yB`W>-q{Nt~0o$cqR-x+879?e&pJ?k8IYIn9i~b7wHR{1s zU!K~SW-h)xyD5s!y3ksG`Uc}7R2lX z@x5s555cTMic+HPi94mmc@6iBe9lGX48|F|0X~?5F`W${?WO`LcPT`%rXNvTx>eawkXBN-q4Rj;lHFpI znG<9{ie^@qc%6C?6K2L-yI56wS+zq$=o$e28iPtoa5(f0XX*5*9es^y{iGO!s5lbW143l40ME&z-( zD1F7RUNu=2dA}REEX?ehOL?G_iZC8vw!V8_m^k%3(a3=goaG60WgBhdb}Y@P<#cGw zl*!9dXEo=$9!&inn7vR8r5y8t!8@x8@uoH7zfxQD)#J5;?%1*QTTioE_O@ePX4@Y; zrhuX7=`q#}MXn$fb3r>0Q^=VVhCCs=x+>!M!CIXp->$5Z>$EzvXn4jSbjNf|cx#!) z%5wdj+CZkrt(&<@fxIbYRbkeSLTvYxx}9ZyHUH7I_mSF@6@+>z z4(2OO+Zq<7#4v(5nW93vsjixbIQ`mzolR;y=GqK##e`RU0p)R4MS9ivpNM7+bUB_P zL7pO8KIH3KE52VjM-yo)JY5tAL^9rMnFBs%-`mui_6}v^NLPwC2%nDZk!=SkBXDT; zCZwr2v!0MRI^~^|^cj`^Ash1|{Uk}`xl8@sJ#(Is!mc@;iqcW7V zsMfP;1~RKKQ8B1t5fd__LIuZP>uTsx5%b!qF#3%yUi8yqljh!m{e_plGEdNTR>NG? 
zw#1D9h;*%GiuM^|4uJ>AInn!#_^4i|BBQptBC^b@q;AFrdSyz^(%UkfvDtX;79nR=f$z>^0#X;b z7zV$lVXjH5(2ewJUGIr@wox1K2HQ)Uj-_kq9wop9Jb+T|dha*4%4~8$TBk`B%ICJMscEY3{GuKt>u# zM&1*tZ!3hKtV46t7fm?71h^(+BkHK_pkJIRT7oXl&Y^wuB2-zrx{9634Lqy01;iJh zD^jM^I2oR&M3F7%ynQGuy7X0UWqVo=~`|q9|dVITfC@(HTtI$slB)4=g*m?FHlV}j{*%-zq8W- zc|GCis<}m5`BsGKvyM%vW}fcAp5^Z^Y7OluD2;bIjO$qt(v=Bc)?RNP3hvSpe<@SU zQLl`b)IrR168SLQyp%UcWq_^UqQk*FLoJ%?Y6^xf^i>jE@upbVVCSIwrxW1Su= zk~d9-3O769YT8gj_}pu;hjr-bjsKbx2#b@Bc|mxi5?GB?B8%0Aq6%H7^;LV@P;T~^ z4BRG%kPaY(i$&xB=-2Q6%NMKheGeQwE~-wGYpc;UO#>ZRGoF;;F)|(Qe>4f3M;xIAws_q==x_m=8hpa9R*W)D8(8MLC`>Ul& zd z!B-KxJJ6L}7@o_e+UoTjkV?2p;2%=&7(oIlNLL!~gT#)40ULviDTJGWSBd~=9naCQkvXzT5bwh5Kw%>6dvQ+WE%>2MX1 z_EvCSwPE(PS{b&~ON`T-oo*2{?=wYOGC2R$)glf*`WkSkU_OxkqXCN_YO)0!f0X+P zJ+4VJfw>&-VY{v3<}1+exOcB<5Um*Kr0JrSvv|Qv2|2pTK^EN?Dbyw6WrQn5Jyt4@ zl4kW4Rf;D^GBF$lYb_W!E?=`0)k5<8T4o`>5-$kWKk=6@mQs)KZ}c2-W&}LV<|I|? z*F_Ef2zVo4ZKNF>@hG94IH`h(<@Z8iDH8TirJe0-_-$6z-$h)o{1Z8Ey1{xs0pWxN z-g0J>t9xD9p?Oxf^!MgO;d6;c!S%;K{A+Nym)vY{h;I( zV^!4cbjmhwcXu@o+giL;sDmE@f#*p&O5t!#_p`ayatcS{7p!@CR}%S|^G5)5k0nS@ ztq$Nk&#Pc{QbU6I7Qz=5SEte_8NMe)cx0FcaEi{ z--N~``2JU;Io}mijwHZ+YG&jATE4xp+RLZIUASMY$ zVgG$Ci_Y&`J2%*D=$X#9L#rBE&5@$+S}>ZlG7ENc)i_h4lZKW$o#ijhNny7k`aSJ< zNx*nT8(f7QR8KKMRTb_TFW*~2Ujfqc7Ft>eGEWWG3*m+Bjs2oTlMH&htDr$>i^>8` z^M*Wjm|yG{1#=&}Z3?why2K;TS4pn5=`WX+y}i5t}x zvEj>FIIUd?B%?>s_b``XIORQ_85jOX*Tr;_ro})4M76nW_>%XxTMM1L!rZ+c0F84} zCv&lv{eR@7*;?9=;5H@B&dgS$aSbrG z%a3S*Ob!cPN1Ic4B}QLu+Q<8(?bZ^Ou2)6-p_S8b%RnY0HG3l?Z-lBgA)L-2>^TZj z3EM$*c&n_{B&3_fuf18mdZ4zjpt(HYSWtN2op<8SQDHVstOFYwNOVJ4^ob`TObt^{ zZ6iWoWu0(Hk)2}2tW%j~j0I_RnOs&eXxtx+0d1c1?7(mxn7enWb~K2~2$~FBE#K8? 
z*#yvZ%_r=_Q%eI9>VkssDFsI1@%Sy1*O}%}w85W{-F%iJyCoV*BaaZ1DtV$@eBtQ_ zXa{j}&iMK}tD@ad(%s>cN_;ydSroToQFae+8O``7>RAvaTV;e5p~)iV8+65`D!(SP zj>K)op_lfI6h}ECcd<$Dz~R&*n=?fmf$^hH)KJBI|DXX!M~s%Y!eTPDf+;H{WOtTT zhO2HoCBFQv`dD(^WK2g-_Zp>xEfa$?tU z1LjFZ2){j7oV`PFghlqRoyA<{Je!#ixYl@dFurr!yl0T1;;Qy#mLq}mdL=%57&-SC z{RmDAcloIT)89~XS?wHrR-P0YZY_MWxviX@_Vep&5c;Nvk>{o?^uqDiFsC1_#sM2r(Z zP!Eg3W7KW~OEFccDQffY5nS4-fp@k7?ft~{ZnLpe^w@2r5_8vFW#mf>Yx0Wxu~p^Y z#}gReug@O$#Nou)h@pI@*spf)r8Nx%!8t+@nxInXKqK5xtpv%EQYHPm$PZKZi+3iyyR=8HWE_praIHA_(Wh1Wguz{eflvqS zOX>rgd&yCPFz)hCyiQVfbxH@z%FdU<3@m=W6ZQ}(>rJFE2oML8fZ?j#ZhKoy5FF;` zdGNej)Z4QHlQgWKUlq3LqWI^W&vbdP8FxTw(rHQ-5SYCm4X*Bm0Fms4ut5{_=lp-J z;)4i1OnsJOwxSmAPJmdeyT;CojNpEAUgYK%raxez`Pqg7B@pjKO;NI z1t33#UxIW1E?3I z0I?FIhjQ82QW5V)Xl|Uv-V!8pWQ_xwY(thBX_!L)`avg_Jdon9Ue-;i$ z#V=@KlXZCLA!UrO(TCbDjG6li;-<8f*g6wc%&rLg$wolA z(navE804Y1g+m;ORe;~2__>QXGB1TMK>4KCv~?o+bz7z$_17jn512=Z-TNcS(|G)c zPq(%g)+5&bLhSo9RgFL6JEVxj>|FIvK(OJqWU%`bmMT;AhC94|^J{9i{)&AE#hB`t z8I4`kZ{6N-26;hQqD}fb&9D+joQ1g6cOzyA`j!KYg;AJ(LC3Y}o{-9>UUK`yn}|o6 zeF90~^6fz;DALF@fvy^SI7l2G(EJ>t_-5q#6&ikGb_i#h!OqY;LzhrDh(_LQwG}Sx zB?r5R7cy8fEf6{ zr2TEU%40bP0p@i@MDdXqs=-ck2=cYmMVg)irJA^zS7C8>YYwqY3RhALe)SNtHp|tLVC>{&Lk$S?L=S5w@KbVAh~AG=x?{ z(=ZN9^0Z)uo9&I@#iZ_@D7v4U>2yz0ttpd%`d}P2AOfg*?{x3A_`OAI9&-G42g}&a zygHSZi|Jyzr8l?lQI`!~a@N5ioV96&#u2P1w1$pZ`)hq|r&)r5;-u|S0Vq)+M|viU z=MrO_%g|^u`C95_(Oj-`xW7WHkBWZRR&H;^2{S8C4GgYe@al=iA5g7aqs_lgHYMeN|_3cn87(HEty>t4W|E+NLd z?eHvZ3f0JnD2UyYl1JMd)fDciM>l6(*0EuN<7olJ4JT1JhnIL zdy;FE3x2ugvS3PDtD-+ws-Qa+_7j@J{2OE;`bAh;>?rnFf0TXI^Megp6YaEh#pOJ? 
zj$n`uyPyzM$)iR9@vh)VS5OS6P;{L6h(}J0%q2qbaf0V;#4N0j!yH%IYi6B(=VCG{ z%C>9nBoV~5*N~z|i7G;ed1(<+)Jc5gTmho0P@Bdeslw9wco(`3bllCc$_nN?EgNuc zvvd2}iPI^}J4J0s!wb8cCSOY&EZV5YR2zaA--zzX<$5qCD52YZGP|UN&Ls~h%|j); z`d)@V+WHizu7%9L&!Qb?5!1HTcyTE%-HG!VwFxI$L7>>3*?F30;dep4TDI0iJ|$ccFOEW0`j5L+xSbLE<1$HLXg1Lv>XE z_FN*gJZU{;jDAYMs&W?)m0Fpa>Tn?57$gy7k|S;ojk11)jJ4|U$`A4suNr25gB@38 zrPUeaRQtQ!gN@8-5aQ)iFFA?>o_5StR#;OCWv#x4e6JU_ZvN*e?$mno-={0?DU}Na zPQ4*X8D-Y7oJB&Mz9Px(S@IxL^;?^jfI8t>^itWo2e{+UNgrHBt&rot|CTu0#jBo; zYR}3Xw<|rJd1@)da+zE#N_r=WQVe8v-jsA%wBy!7>aL6Nr*tc`LiS~%c*&^sH}Ax? zXT}ytf|ZyLphK|oA|g87y<1eSZ;yW0JQ;SQVVms8Zj)wvLxy(;@SE!FgGH&HCGbbIz2<#Ek6O6_EN@Ga;YtgN7={BDY-}4E20cFEZ+y zs5)<-;yFu;UdXtVT0Ggi6I!ijLvKYjzyckIkM9=D zJ!+5x!A!%PX+VdJJ}lcCE06Q ztp6iwAIhGZxQo_^QmQ#i6>&CBiw3IXy=#h9R6SgV9MiSjL|iilPpb@&3N<|elgbP5 zTJja*{u|m0sK0hh=hW zzh742Z&Z-K-KjU>R}ua$JWV)J@2zxFKLNbst z)E4DORbQjEd>+Bp#7+}+)TS@ma9hc>Rb4wY*PM)^cDrsMQ5nB&hZP1bD!EGA!;vi-Z*V4?UkV{z@YN=@sejay6J2lFS&zEMrDI#(+`^ta#1We8RHAAc zN!+ACNQ&iLd`4M4>tfPDs&TRSKuy+AEk%p@rRhz{+?lM8f;P1m5q%rF3iI4|I465l zZdb~>yX?W^u1{FdJMXT=Fy%&Cp+ua6)4dN|(fKO?+TNA+H8n|TwhxONgnf@5Xyt@Xi3x9xYqAY zemzfU^(0ZkgwgpFS-s&#o@?_UbFzKkc(|@FF=#D)j=$c7syejvD-AtS{RQYZFH?Kl zXB)%g$A{z^hRsf?5#XdD^>hW3^A2<5-oOdg0gl2lgQP$z>mCN_^f>4H@pj9{j)j>d znk-&aEz$ds^g#)2ss}3e$pW5*HMuUW)e`oBFf|nJ zydIVPO4h6#O(7KyeIR``B0f-|PO9`@pw|fXAeF%dy!tu&-n&PhMd@++Ya9GOx6HSQ zM%2_gbm;irDvP&rQhjdg(hnx3QLV6^EcHe*ybu1SY2@`xqC-b^g^CI5H!;hSU^mX- zwBrpDN@(Dsyr;j^uMOEu7^-3T?r;Cib;;JIeey)yY^E%`6QqSl?+B*YQp)YXMGa4# ztx|#@b`SD&~C7n)&l z@NmiHL2!2*iHCjnu+(0d^dVd@*sMC2^pE3L8Z}>t9IjPwtPfTyUIIb1;hzsY z0{8N^mBRt5W3GdCiT++x15Klzf(_B^V-t3m&WMMyZZ+3ZT`?Vmk?165mX=1UV$4$H ziF?o^t*N!@D@XG;$4*r(xzZp#bI` zB_3O)6O*a_8Vi3DOP8*kZqJ!3CIT{;$mm9wFU8@DOcI1DxSta&X1O*0dg!+!&L;;- zr5hSHs~4`W8h^=zhdwPyx?KHR5Mo3(*OVV|_w`h73JRWGXbtq*KYsEf6-G;qqOpx0 zvE!WnBi_iz?~yqbo4^0$bPxagw&8O{o(JH$4Z6{bu0VrzI6mb)%6aUzxoVJLE;8MC z?@F>MnmmSo-Z9yd17V~tzF?Epk%HpF%Yulwf$Y07G9I?lv1rIblVylnhlB2hJySdK 
z=xDTQB-Z*uX8ecI{vfp$^WG8j=*q^TW#iTgWBJAMA}N)~uQNfN=nD{)sU!3a^xBQrb9V3L?a)H|^V{(>h0$<_bSZ$1!aNi`VxXN>xIqP4;Va{+j* zqhf!J9H^>qSx*C+AXDdpZ(Ey&Qd2aX-w|%hus2Cz8hz>1kvM%nG2xFd>JTAbzT``G zos>i|t8pgr1L&bLr7jqs`<^W}9=vhJJ}A8>XkNvkArj$$`5Rx?KL6?^EbT!0+C*HYr`ngH`*@P8U-)&J4L98N04sFNLqs)gE`uMLKg6D;MX)LIQpt0tXx`J|Y? zWa$#V(_l)8$N3-ZeqZit!}cmXZd_vZW8=K76K^B*uNPsip_|%|x7sdgSjLwO1m886 z<@bF0CG+a7WfztuEA#C!Gizn!)Z0TFUT#o5neD+%6lj90s1{b=i%OOz_5ZMcL)*2D z2QbAs?_TZqH{A4a>T_~YF^h$yo?vC*`$=jGz>QrPblDonU%+De8eSJkErW$BI>S?+ zE5moJ#j6#$kS}AQdz2(a%Gv?+8X2QD#H0JE!d+21|8@vn;rYjBBQK&MQ3Pvb0NRJQ zB1$oQJddQlg;c*B!Ax&?4b>ZCP{EKn5@9j=pN@e|$KVL3BD{L7Jx~;xnzO(Jabr0O zxW&QCsA=t1m{SaxK3V{@lQE7>q@BpW9)qp~Q^8RR9>B%=If^07L_7wi!rFNar#68` z*lo3%Z$x;71EPKmYU;Db|8{_gHTMzslr~&vDKNlbhEGe#ud;14ncgdR+W3 zf*}C|GDK*c_H4rZhl4=JoP|c7Konbp(QSm;0T>(RN<;+buG3Px#-D}e2dp-_j0s)d zxbO@%xV!&)#N2zjib%V6z=f(1@%#VsUhsS$=rmc~hlqesRJuzmfV1joV*cxGd=KxN z`aO46@b`x~@jrT)WY@PCaen{`I9lK^OF~!5-!T6%ngRkMQuP~F|FC$VTUqhUMdEWq7S|4VT1%`iwiNdqFYcMPBe;1+95t_w1t;BDhxJz@WfnQ z0?EU{B&hl1x>RYhIH!a4&=#5=eJAH5Rlh&oUgbN}{g~>MRgo>bD$Twl-zTKl ^z zlJizVLm;kko|oTJG57(foqIG9;l}L@^EDc?o_zEvkrI-ryspB?!_s!`a!9(O>~sE1 zc9kWFnU`=IgN*E&XXwurY1NoO)v1xrUy}qF;7Ujm2MQ>IbvTS-wNxQgci4(^R{NV1 zz2?BW6vmS`m2_@5tzppR&5L`m@9=_q$%E7TWJ!vzWoMk`Lu$5IE1tUMY+p%B7{`nl zEetcej9y*9?1XKQk~GswHFq|Eoe8fhAb9O44$~5v>l6Wi-nE0%Z(1xl9KX$S#*jf` za{TW?X&gixK87o4&4(xZBJefDu9jM+5f;BFnSbiH-Y7dqR*5E+`*YE=c>V+$$+?vv zOwzovXxxzTd;@3^{hLPc|GpmZQsP3;D5wkiqmTWgMR~sVe-$$NSgBrQyG$EA|E;$j zn()MjqTvert26c9Dx|Q^>E4)wN!>8`g!wM?e|#mkgZ9Y$K2o(~+>6wSJPVD|uKJ;S z{QF#ogC zY){{$i%i!)RK=@$i86GLjG%f?T7`a`mEVNwh5%3J?AjpyQi93_G1H>MO7v7+fwQ%# zV_@H>trM3(BqywQse+B_im0ikHJAG}=W1Me0u$G1raWYBqn%6SiELyG&^O^jl|7~a855dh1>1E*6Ctf;te7#@w=9LUx$5xw`W%7!YIuh<#0 z$*g;HRc%r|m>B#l=d)>$7uxLb)C+sQA?rj)46HFVZqcBYfj3@}@CIUc@8TQO%SPuCyGo6TW9c z_q8tTev4Vd!g^=d$?`B&z>0br5xR=4zZ-m6-icOm?l7lY>f^BQ>9x$&R@C5rvdzxs zq9}}8{ESeYrj4(M;MZEw>&BcSJa-s4k@*WOcT!Qw_3|}YisOxKHp+FPaw+#qxA}Fl 
zIMlxm&z06nL8B*vzFncp35eEgf$oVq!Hj-e-f<2=x@n3jEImp7%NH-1CTRnjo-?6) zWl8g2JX0w1x+aWPbB-1=Cf>;R^>mfLgO#vMsuXfy;2F#*58_R>ai9^lW%_ZLNeLs$ zO8Yx&J3J%?=Tbf#u!{8#Bcs`m4NGEi+a`=Gn@0*?zGxYU=SP0e`wh=4zWk0j0Otua zWYuUqI{1&W`0X!R221C3+lswUk_Cg#E%nf@4LcsAo@-zsX*myYWA$;^mrcyc2wJjH zbdbz-!$~X*iM+B;qYKJCtO{OnN?aX2_?N}R1J z?DRXZ%jl!u2dM83)cn@*OZ;%hc2UJmW*0q=I9Q3F-PQ6i;hm6;$R?PjiaIC?^;@!} zL9a^Q;UOb+J`3FUqr{J(B?o3D1%ySlluL55rIK8j@q%c+(~mebF5%odpIiF4XS35524ClVo%-r;7%iM zujlVgu3dj#R?nx`Xe+!*Qan@q)`&FmSrk0eNyF??*Wrb)2I+8XP5nq*SIU*A>aBNP zMEE2r{Klpx^N$mxc6i=J6tM*5lvhgTbo0xu4T>+Icl|`Y%A2cQ!HDVC*mYC|hneQx z`x8+{!A?thFp)~8Qg_bLov_eY6E9j$M=f&{;1&yP$}~xuOxH`u7TEWzUeha=s2e1n zTDzQnoXk-4JgI%Uog(wae<*(Y7S_DChn;+tDi= zb~rh=05Vy$kLY?aCVHghG`n`tCnz|7?p47e3lRbh3gi1Sa6|Ugk^#p$iTP=9%n%Kwx(Ke3y1@+>xpjgEijW0TSd5 z{&7#BM_Ci>K_*p3s{gnYdP|AsJMZG+UxV zN$R4+@+Yyl+I3OvkdOHO2QwBdoS~~r(~S3;8{P+v8iR3L}J6Q zyJi#v5HtH+Lu+R4SwR6@FvBdF_-1wJ>&IG=@Yp9Li**ONq zMO!A@1BSZ0AtX)yIo1{mN;U#Qdg_9w6zr3SMO^fYEs*U8`x!v!+y~_AqtL*G5gSKt z-*ur+#_YcDneo(3mvRme=AGc39=)e33@-Ymyq5+@-VPBYtqH-Bfo{MReVM3?Lqd>#s!7iu$0JW9C~@;miaX@wpJx7I(d3~u#ks5)y|aN&N44g@lJ6GC zEQgtyhPq(0V);9})hhxQI&7@=V8ae4Hkt235zCA-1|f&qR<%ajmm_J7+m~0 zwqO%!RMnxH@r(O+0`Bi*++TG(R-B&o)P91z+Z{YRI`i3gIv)d%ed{J~rfGt{{M4UW z`!tsVPN|2Sv89RQvL>%(SeC2ic?hQ zwI3Kqb-2TxU`m(3wvj`%8nIVP_Tr0g+@Y^zlbf|F1xP92uxvO}J_v6m;u$SX5}2Jy z4w?gkH*c3VG?N088gwaV!Pl8?IXL%Wa-+K+Xxx6Z@P0Gfa4ls-^PDU2^ZyL{Kv_Kx z@_y6db&A!6FM5zjoZ1&%bNnRo=2!-l16V+tC;>!6ysR}}awH4FFf!&fWTerhzWsDj zPMD)-@wGhyWT@1W{xrW<7{Y8-+!V2)1y)B#NrOYoYr+HD3NzZ9#rQwz%=t^7Y=vjqXj`Zzcu}gFZ zT90mMUB?U6D}kPC4!Gc{-?Y7B%t~71M z0jP(2yK=6O?!WWlp+7WEbPud~@|+y0q8fdd;#N-IQC=Fk$GQjKG?=dUVXm^?X~T`m(uZulG(Ybp zbvBWa51&OgFh|9WW5Xxs{)#P~zc+5B;fik(W8-7L_}Bk3xxy15U7H1*vZx4{L||Cc zeV_Pk0490~Q4Yt?F@sjGyZ>K>tEZ$z$h)uc^1-|(12%J|m4DxLrnp?Mug8^df77N% zYjZekilzi=#~>cUTGw#G~jj6`=M zZLqC$-HJ`-vv)Bze8#d(Xd)W?M zE!Xq$_SwFWPr2m?y0f()g7ddh&OI5CId(e}oy}D%4gX{1rqAEEy!l_<3i*Fo?#aD0 z<$Ym73wkK){I^N_6RX9Z`YYJSYGfKH_F9TtPEHyy%L()EZ`kNMCg_unM2!U-mLgF- 
z>X$8Omxtd+)`gN4eqp+A2iwExID-jfF?KtS&UdmKaAU{my3tkKA52v7@ys#^9J=ER zGHwVwm;aPAOktkIk7N-_4o@~dqR)giPB_?(MBBRNE_LbR*Qki;eT>yf^@%+#!pt_| zJcagNMGF7=bd%m^jX$w_N)O$O|2ttbprBI7nf>q5~u|0G2 zJaW1*JM8(J5emP(Iw{#i<@?_?*&+Ri(cJgnjpV<+CvMQ@_7<6~{VtS<2j zR!@T-OND0!{7QU*myad5h%_A!Gwv^p^^BgX(E00ctY7pSX7^H9yH*5#31?4gNP6E{ zngL-7wj&d+*tE;w0@SP|{()uwo$;AtfxdsfFX#C$C)~@%d~i8{@K+en%= zlJgV2L#2lkiPnQW_RIH6mRbsDu1^BFQD>|SYeC*T`O6pCp#BAbp~F(9%xJ|mvxc~w z54k*1`Z#A!C^6pj6fsGVEKEa0PdH=n!8$}1`p?I;o2$(uSaTAT12NDi|MwrgBVEjB zO2YnUXnm{s3*K;4`adV3a$}4%mtZRgEFgWzXmT>F({3DG#8V-H2<{CavXK;`OR3{e6eHQQ4eE zQJL}_6)Io2zW`sJ--_q>gGaP5s}-cmUKw>hOdKCTy&a+TMU}@>>?js0)!=2gehUeU zTknlkeRgu8ilT*P+ky5k`vui7LGl+}dH#V$g;yydA@jzNg>XmE-4V=6%rdI8SZhDK z@L9QJ5cu*AWe3sF-~KD=nJv|xSHF#P{*d{fPU35SgEn7LQpv`Yw&t@e2d_0?Ydb^H zV`nhko*b$2EZppPRF>|U-yi?>9e1}+B_F@!vm)f3ijZR7g&Tf9D@VU-`^y)`{&f6A zdo6@SiENwF($opf$!2FrT6e-O?JVV*IVR5U1%7sI^7Lmt_%=}No!DMr_!5qCD=eyD ze`JT?NtHOM=1%WMicL30*Y8nQwjWm8w4%07nqB8N^h=Ld6=GC>{Rjg;Z+tfRS5 zD}i%spW>bZ+kglPH+TQdGUwUvA4zgFFA~JYA~`ZH{O7(9Ojh^diX>M$9-1 z`Dj-K`H~|~nK#+<)A*z}nj_mwQXLP?e1$Cv2ky%7_yLD|gYzA@WOIIDSWzejR*c9Am7jT55}jv#i#o% zp7=Mr^PgUsF-uX8+R=!(AphkU^ty?DTaYu`GX z`TCr~%vxcFCc}&_$8BJ`0geUDI@Kbw@k^fUTUc@o=J*&xw^$^9L%KlI5u0D7&dXHr zk+tLum0P-c$I%q|sx!v5g9o!yR7H$EJep!+IEL!|q`sd#y}Pw|u?=~O-F^oXh!oc1 zxYji83`pLn!(NF-2ADTtH}0OQe$pyMQdPqEV)SGF7-!W!!CLAasl zAX5OR&I?|Henhc~2S!{S1^2B1fA`pWQ#8k^I#f=YFRYf+N$SQqh>z!Lq8*6YQH7oi zVnHMGY|DreR!p$w*g1zsIbp0oeb1B>dwow&x{0&_c9r#U)X2jj_57#SoL$bqN1TvG zjV|3Yni0DQv;n_t#ijzBYXy(6XyrdAp344<5Ekltv80cyoJT;_$;AiR-#{F;0uk1E zAE^0byH`rj3U{wBJfG025&db_1sGcbREFo9-^~gL=Zuj+^gi=p0{H6}k#ayM4wBLh zTW~L)0h>)ye8zxOYP}nV08$SUPqo zdpVj{SR@4GmkidX=;sXX*i1oATwE7#!$iC0knbsr%890Oipn(zS%F&ul`f2RFIr}Z zik%~nDf27Xj8wmA?C@8Uh3HoN2=gwQUo5*dXu-n{m$EL%Nxv$Z`VXa4br@|_;c|lT zGVGtCGTinZQ8Ioq7b}zBw^eBQm5bN~K{){>_N(l>sAEofAFPM!PLIhAzdt;F&g15r zEFAe9CPEz`K3$^P3*ta&U~E#VzsC}?oWmB(axP=N?^ir}&{rf?bEZ9^)ghrya*~eD z5!_Drc5oU+C6g3UNI!B38*smCyvrz=&(a#}jY?K2G6e>Y3PNLy6y_~5${7lrID82F 
z5_V!l7>g+>c}u*>_`39Cm{6}4m-fWL`Ek|@W>A3HgY{8dr@lRd5trX`O0=tmYoPnF zsw*W1t1|ov+7BMNIkY=A{Ioz7sAKEt7!rV4}yh5c-US@rP_QMM% zIGQUVH4JT0w%Wu>O3t&Mi80?9PjJmO(Nr&Y=0Flgx`Cs)jnfIj7wt|G^>V8WhHj?P zE^FPejXGc(p6L2cx0W0E?K-3<`>t6n4=vOjqpI@JUd~GFuKo&Fmr}85`K=&>aM{m~ z#~vQ6J^RFKQX(Vb6Nd3q5SDz9THH;6yuu(y--fpqjP;JQTCqhh*IjByztzQCt|MCN z{bmlaYMBy0mbHJPX+-{4btkiLBcSn24(cf5q)#=ZXul1bhgf4iMoXbzW2ALy;OBOM z?HcIH#*k3=T_Ne)|D_<}|A&p51Ihm+^mc}}1UzqI2dXtkU{L(7Y4`o`_)J8H`kEDI zqCA;!0G54Ntt#<=APC)|Pnzj<$=!qmmL!0flIP)=nvO#1($Ye4%4_6Xg=v_tHE4V- z-Cgf-S>-ab$#Mot_KYJ*PEhcZNF5a`=LE4Bq-8#D&EJE3(lWY&0HVBfkRgbmitHXo z9nutnqI;0unBU6w=}2U40J>t2O-!-%@<-WOqjFN9)Tq6E9Qka*0K^YG>s^!NAp}D` zb~sB-6*cBQS;uN~IEzyYjQ!Cb<&jZ`@=E!66oyC*I77e7I6MNm}%hPns zK}@PX$^Uoe1h!Pkk|l6NGhn3YE8Y4{O6XM*KTap@1H+f2io}mG?{eyaI}8J;|Hct! z7#5M3Vnp%12p6M{Iml(49@>XvhzZxHF-Fv*ih{#IEOIb%9lIvmD07!Yij&}_7af()V6WmNe**8C=goRml&7sOa}`wOo>E^ zGszM}ZCt{Xf|XhC4hBguqK2jZF1cuA8$#m45X4;FN|*(43ix}}DP+KUX}Xb0V8FUG zs5qsG$tLti*{v2JMVn?YpM%49YG$2>DQILJ`h43)`VE@p3FzF$28d&;JOC63LOX2* z4prM{}om~B1NkVnHxyk{UWk5Fk;{~+9ul=EsI-mzk0-6k z#tt9ApLx}9l{Dvbx}IvZT%xRc-FOowd0+Qp=56=O%29-%ddLOz>uXheMe2}I;bYB{ zt`X1TqL=i@+QPx`cw!&RGNZWl!>q;IQu#G2_DW4^hYF)wHn68Se(7ul>#l#8szNB+ ze_237?s7gzO(cV`p_YdRE$%P#-BC3b`D8Sl)Jd~0P+8WGJA^Vv9Zh;iZ<)|`V%Ad= zJ>R$PlL4^W#w?U;lbhJ~Sid!@BY|Gnh^*Qh&03nbtf^_Cu__I>XM!o(os&ThmfaR( zo7^&MGohAAW*$x~s8hwL{goV z!NDYV0`pxj*fw7MPRTfN)kGJzlvXgzQ}_|Tes>2iy3y_Jtkt!NN2U3{W0phvKI(rL zea@z2FiYgh4;tpHcTx8GZ!HICk^t(fnwH6ojP@p8;jqzr&SSVPmkocmDb^&d%^e-~NLlu@9A(z_vO0=VCVD8iM#_HBT`Uj|}9u zs7Sm1ANJlo9?HD`AMdzoJJ=LTHPc2>!fq)`xKc^7np7yK*^WYGD`LW2TZ*VmNLFHs zstkn?5_eiCna1?Vu{b6H7!ZAI4;WOMeH=Zaqaj zqtfY!GQi5`=6-UL&9q)Qx-HiIWnVh+{U_vX_eIB7=0@n>T%;aBcv7^wRW04_s;pqd zGO2w1yDm469$;V3A3jDN7H$E!D@6$?-*)qu{XXHZJ?E62wh-cv94lu9oE#wN9F4F< z@~^M3)wM{_jG4zQ&+I>od6y2%tAL1zX|&aYM)1pT&%xeOhVd^b-QpXsU0vRtJRyyR z#Dqu@PEq#?5$A6An49)ml3!Ov2w#0K;nCs#-P6<4iAuzl%GvBR!Zd0C&L<+9J?as+ z#zJuUFf{3m9kjw!=B7hp10w3QHE}KTxh0GiB=e2wPk46Z-uJ7c^jx!}R|J3`Vj79N 
zG%mP|v9SN)>m@$TL2=VK>JTQfrmO@H_}t>n(c^o^=RSq@FlQTg*Rpl>TX(#czSKQI zt%@+95!7FsCSD8D7SCSyJ-+dqx;x|#HpClX$v@wUt#hbQ)4P_1_{d~N4FuU;3#suT z7C|<*7HxkBEcmMZAQUdlf5_~jVpiZAz)!~RvyfW~1H;N-A0|dcZ zfR?^6)dxTGuqHNZ4Jv}%u+Nt&jK^NZj^WcE+4txK507y#IQq609?<*%;@g`BIiBge zu@7`*_Hb7aaiJ6GGl;P8F{W)N+%kxa0K-0HH{f#?B=yI zP8gq>z4*=!X~iv9zDD?f?;!7X-J-F= zykyxC1IT#%??<>d2Zq1Y zw`C8#M0+1mg*}wt4_v$ocQ}eQ?<$6 zZJ|Z77)7Zd5|h^aelXO7dz)zPf>j4&eqd?=2>tIzf-{Q8Y!YbbQP?#m_aL6A|NCJv z)NjF$zd7LX@)SosKN6cTp! zBctE1@8E7QDxN=O@IZH!cII(vPmDzKys>r^S5bM3&YM+!J9Ov!7uJTQYHxgA-aqgI zTB?ZF*ZeZ+1`}(skbWbSS>wgl;A6?{B64yIZGd`L(m^E61Yl>R!^1Zb3$lhMeW4`B zn68jf=6p_|df<;O6@#8lXxOF_pYfr0;Me#48TKOetFk$bR7FgI9x5|L4Xq6)@eC zhyeLcxd>oH%TggxRv8f=7^F{FF`$qMYe`a->Ub_d-&WEf9$rEO5HFEK8)$)dBZ~{q4ri$Qm31@mTjRqZEa3_Ai7Ec zn$l)fVDn{uSfE25_Jt*;|8csN@vx4(um8BeLx3j07PetXBYQN|*ml9GvT-FtY@^=+K4LKfHV!d(u9rjh%X=7cWM}#HEb^ORH zvr@VhTJ+=)W>NcN*v67V$#`^bwQmmI9Oz{ zuIvrRTc0Qw93E%U+>=$M=d+N(0<`amcA}^kvJ417agT}PE3|K4!8SGG$6Aq5r>L=* z6K?NHcBk94zWUbl-MuEMuwv0!yk4hq>Ew$Poz=DjC98*D7J&!5)nFXAfSw-8Tu;;_KDW?lQncOb1 z8G{XIiz?a=I^iG_b4;?wm^onbK1C(6rDvTY-YMHl$PA1;465L$7wXvrg0Gb>!@{nd zcMlEHIm&?KEcj`Bmv=1E3Kpm%xGP5!x2$zv^>A>5ToeBu?ndvol;tFgW3eVrkPv@;#%tBu{K@@Sq6DGTddJ4*e!+)8CmusoxMl>1S6_hP7t>KSJx#qSL#)oea zpnReHo{0%Pm(o_#1Tv~r)&fK5>ziXg5Hi}Z<4K=Qz=-#a3QiLo$$_UDglcSwME z)92}+3`-EPBoE%TrsmArcgl)_au^EC7Sqc-qe+Z%#qbsZNvc!aS1-(sMf5P_7Z)Ve;^*^V!N5*GeVO z_l^|1IxAJlLW68CeY7J{HT3H%RV}C|U}~PcVby8nm}&};OUQ764P3Jxwh&~reB388 z{O|A3@3#l&=n(N@aT4F)1`e4 zNSFEw`*gK?#V7BsY>wD5)+Yy}T!c!D-PNLAU%C`06eKJ+a$?KcUh!{f=S&Stzm%!= z-tF|xX`SD2%C@|3fWmWnM-K+Z)m;y;Rf^m4@mHz2S?S!!viK$SS&uSJU!Zf|@Sk0W zYFMVcXhPCi7=JG}YI**(CgYbvX+PLE+6@)lZEn{R$BtX?JcbLH9Xu7H)gc2g`uD}~ zes@m7KK4hTqsBh`m&K+7^qJ(9MBn(57DBvamnG}g;u`?TjINW6#lm*KdF7W$o4`-Y zE`wZvkEwh(M8aK4`p#13@<`hzdQC}??Zu>-CHlqdl0|%p{UGy^O7NirY5R@|9=P$v z{Q`Y-twj?Ev&D_k@(RugH}syH(|K*Ryr6V(z=rQMB1cTiWUVK{%5BT-1n*gUEYnmqw;RejMsABv_to(Tr}l= zypk!DX<^MDnX{(^yWuo5B?Wz)A!j-*a)AbojLEK2vYgAfnLoP~8uU>x!7$k4d(jEf 
z{4d4p=Koo7{>OKpAeZ_;?1EVOT?veQC(&{a!P1;`3+U zY`7!Q+4nowm4dMU#GJcQg_CH49j29bNG_nueiY=Nk4&Cv%OWTbZ7IW6gpYitxOT!} zTD!eu1^zJL-rS^q6r=%36Ao3U(3`X*E1-SGqhDp~u-1gbd}XZCqG@%7ASwA*DdA@E z`Oy5?pASiQI{MH?up?WR>h_yhYPOkp{3DF`o)FF`TVVUy;6G%XT5|hh-3I9*NbUI!NG$W*OL>YR=)UCK z!78H*;4f0#NP|SNgHTbq0*r5ga^x?Qww4mt+Sj4ks5D{_xXqW9&=%|fEt*9TtI+qN zn*$a?03$yc@<;~A+r<%2iA}8buq4TL=`jujn7!OG+lw1DeQVw5?^+TxB8;iRVO)ON z_&RJRcurQ$5P@Uj6kcZF+}KdcLgL;1r$u1Z)SOX!C3SKg6*$%t4&Md_;hI4UK_4n! z%!HtF;0wULTfJYpxy~PNl5y^XUdLeON-O;WR9At3urXdi6B!SEX9+_U99qd^K&b)a zI4{Md@%{Y=acgvjMj!Dtn$qawbfnsXCvPr{)#pLaBO&fIv8U_R@{sPxgUK-()KgltZ88elHDtO7eP5G|_B(m)x;yN# z4PWiHJ6Xf<%@;i-y#$_AbaENrv}cqzP(;2&ZlJ2%ed~|sCYQEBkC6^K4lOZD3!s+7 zFMiw6>5U^@zHrN%QT82- zp(7l0n~2cv=c(rIV3L)}y7q;Md%!_{IsS*j8Y!d-yp-tNWa#>0gf>zHl#0^RzNdOl z?I_S5+^Bc~`Ot0Af2ktFbmzh1 z2mU_h0alV9F$Qin$FtOrsN}0q+Hk7x?D*4uddoS@&^nj8k@>DahZrI3Wlw*ZbV%mx zpS!PKsQJ>3zzqHlq97|KruF<8j+k;EHOE3q@j=Jhp<-yQ5xDyZO^KMrQ~Edul`UH8 z>ja*x<;`uu12`bL%2S|XHkOOmsk5lkD3d){6WVtp>$IMDsuS7>ibTz6dkZcD+Yz4% znC$e?9rlJ3Ea4nYdc78U0U6(6j8~#}(O#oNE9qEVj9sW!7K^p{H^=VWS)c%4FM^8B za~F~u&@Mf1h?%tA$&?pSXys4Gc`vZ}@k`?Yt%P=*2Q-y*n$Aaj9!AK2f}qYbu#9yf zm;-eG_-VQ$ChJ{F}dW(7Ks3#YijRQT%JvdA?m50)TG=YC2nc~5K2h(Rv3D4fE9yYX zE*CocBQq&up6u=hk{@nPykkXo@(11^Ln}df^_KRf1e9fZLu4iiaB+}sr@p|? 
zTiIZ2mU`^miiTK#W3#@{P)f)n)ou;w3&Fj_0K|@bwaUQ2gNr|%23qFLkiW1iqBopQ2$0-&$=Lhj~kdum`$P8meeDEXu{7R4eEl(>w zdiR^1I+ZM@qA%lWEtm0;{thKIb5?f%sU207)7Llouxa;SDhbs}sMh_5dG&VJr=Qat0za^ND^uo+U{}KmM~dbP zAY&kWgpC#Af0?w+!bNo+`tot!-SOZHOrFyb`WTn|{Yz2rpE=@cq-VevnVg2U=*g6# z-T=p2=0O=Bp^oeB7_4NEeTi?UU=b9BGMZSMPn680LDKP2TVMzIqPM_DCM9ILopWv| zN-=XibmCNi_m7yBM`|<`$9)h7+g3@%VuUByY+&yqT+*0xTVkydpXC$kDovdlcvj4Y1mHxQQigh6H}%DPisnvg;4w>Mf}CTQGM>EV4+ zvNGr}uL}fGe!q=a-~E_{xnxY%dDOfA3fvB5)>p65JRQoC0?%;%;?;0sndgET}i1# zCp6{pJa5j7t+L{O2F*vO_nTZ^)sV$ic?p_ zC%KaDGaY3TkDqadptb#EGHFjjW?%FA-pgZFekL2)L&3VBVsx$ZY0pDB^(#aEAU^yed$q?n74!z)JVVQPFomtKL zYp1Qyww*Us2uL(oMA4fT*4wh@iO%fi+{|7PlzD)ZM3j%@C9Z8d#4!}VfBM#QjlRUO z>dMBKI^K%whH{J*m-s9;h0c>klc23R{jI0|Q@{OL8El;&>gO|ZNq2l%`GhgQI?34X ziOgDleDjVaz>3PN3+z)=GIVx3l9obj1<}1HnT8Ywa4Ugb+i54~N+T_@9EV0(S`*NOa9^#T!n_eqijAz6m0Jk*`BW%MABCIBY$g6w zCZ?!M6^ILqV1eMg$wKZ5+RadEVN;K1TCT>!Lh8B1k8<{3j{1VA`{TLk^;1HQB{=+~ z4t1Dg@=~Lpr~gHU^XK2JRHMuxm!zwv>n(^elK#I0$@MQ6g1`p*$K^!cA9G#$9yfb1Q{K8_jZL$t=qp#aYcn9z{6CKeJ@eE1((H+nCqkS&#hT^#>buC@`dqIzjK zf5ieD;y%>m(!Sc^VrGhkqI5KE%&&yW`{wy?C>zHS`mS5l$&C*0w;aH|jI2u4$|@BE zh={J-r!3bXfR}{AJ47KwZ+Gc1+e1Lfc`Ad}I4G~~Aeuo-Nw)U?%9vCyIrH7PcHb46 zND~PeCQlu3Stkjgw*Y}HLQ6DdQC(ynfhmg|b_C;u;nS2;l}4XOZ;y*dY6?ABixn06 z9g->fh(fE$#qsjo=q6S^RHwx)v*vBboMP*Qeo*^S&)+hR(F<)ElM{*t1;B4EoCRMF z>uh$1W9;h<{7oFn6?|1-nQq7_{D(-_%3|njdY$C`vJc7bEu*Wn9s9ALtW>Yt#Wl|m zjyrg6@5;}$;I$1N1reYq=xSPOcUu}LS<)L*186pi*vzNgSrzfBTuM}u`&Ygd&&RJ_ z3zn)g+~bdQI%`CbFfwF6tMlsEP{bWsouyYo%=RfK;5_1&)p^mUdPLi|sZxh--P>qP z&tX7{9^lPtO6Jv{*)y+u)c&5xN?<06V=-WkzOMD3pXGdPd}E={9uf}Tl%1fCaiMI) z4b0s1tURb^-N^_!r+5j&4cMLAd#;PBw2VJ0*{HzRg;0S{&v8_8G!|wwJza45P4C4T zXM=KDAX!tisFN{7Q0Wui!lid<^v`DUYVadQM&x0zk53x)xHYK(weNhX3(A~|*^eO1 z9?pt9#^fywl#P$1U#g*ZeXAfDYqhg8JN2-wPx7N}qAL(G;q<>mVnjYx|%| zfoC94q=|vd*BZRm2WdaEw9F2V-5Mfix1-W%lBdj{82KG74CU<|BS?;brM>&fOM2HF zAZzEkUnZGXI^!!4@#=HQvWK7su5#)k^1jFi0SHdNgf5!q?^eTi{ySia=-|3 zdb(J>kG;TOg_GG>_S#?=n~A;VDuicPCcD`ip#tmpC&n|OqBT;GssZ+@6xEE`XF646 
zdw+ne->?#}N?VaFTyJXdou|2+v0PdU)}+qpE`*vT%->HABhwumgSGl+X1wAJs_ulY zXeI-S>#>?1&&X;_c8)lBRJFyAkd8VP(yO?ri>raa`s7Z+@c`FO<}B!_LXPP)+0po{ z*;r^J3buIUH|JzyHOAl%A12l6TXr?cWD%B-oQlQNqsm^#{PiS=)P++KJi64>Z>i#o zRGtR@Sbp8`Sxbow!~$c)lNPC!QH1?`AcG3JR1u45Y%yJ1E8RkC9dKxS0Z#ui z(ROSZcn&G9?|qVgrZQ!1zf5XvEcGJ2s|hYUz3>gyP@q_b|Dun&xNu8aGV}*jt9rKaI9W}p=-B-0q+NGkq6PeBApH`Z-U~WYW(b+3uv|nw{@RWALU-f zDS;z#tpd+jtN|Ui$|81%$P|Oul6owA#DyH^s{&i+l}A=t`p|1JN%#rM?0oa}&&G8M(~UU_nyaHLo# z;nHQN+tfyR|J3hIsKo)#@t2uHrEiQg_7HwajyIKXE4Ay~>d>tHrUozgVFt_mRb8 zg5EIo2#*!VlwgN1kCjSwMd@kMuesB1Wd+NqxWq0avomMhqm}kUkUv&l!e8Z|v);@L;z&-~U65mfi>m(Js$Ve<-2 z+GTb#jja+a1q!+G8#kh+4Jh56-J?MrveX=by~62zhM(5grp3MXIJSc*+CGvgCCXw= zF1RsLE0ghvAVp~n9`2peWlnZT>qMw~Aq6X<1 znLsGt z&*Be9TlR|Gge<1eK#X&Z(PV403RaUJ1UAKIOAd(U;sK;N+sf~R?hBJGRu|Yq4d?vF z4~Ku$e2MOC&2Xsm?ixiiB=z>+KCmw$ziiV8E&)d>rblcw&0eA+a5xLPS32{73tG|0 zAw0CE3P%c6LL1_CZdo^|c%e*%qPYf6+IZcjg3Z?8hgKc<@_od7@dPri;D0{&NU-yz8!djDqUd6H!1f;qTe@O1N z@h=HErmY2{fF$2Aeo1Pl;%vtjQJ@uPU2A{a;-JbAmc+j09`j)%gW?}v zK?k5}>`K9hBE4rWJ0gYek8`1Eo^JtW!V)rSPhAj zN*0p*!5%f^0c~URoh1IPJt9!XGhWFh^dC$S&^or=0i{Dt?xS;;d+bvF{a;y`E7eb4 z3YL#NDSUz4H~3FoX)9rxy$`+S6&BFUbv8x57AEX>H-akbuVbrHk><2fn-nEd@z~M@ zd*rUN|IeS)t;0W&x6Ih8k+A{%eapg?}+TqyW-$&o*E>YKs8^PN>k zjWUObkn{wu1FYmB+V`_Zx2O&?r@h0!rEWvSx~qV*7f>Ti4};%gP_g$xdYcL?br94u zV(0g|zlcT!b2b~&d*eKUg)6NIKaH$z2+V-mTc_;$j2@ouBXO#b5|z>|^3 zBtZTdC5YXe@Fm2S#^;DD=Zhkium1u3)#611<1cbO=2E69?H8SACxaDA9^qChu<;m) zJ~GG}Uv0Q+1%pd<^gSa0&fQ9TK{-!eO|SE2sCN`ajh-vY&CS3U#{0w*M)$(C?=TtC za6J7X)>b@|8~wrxQof0tpMB4isa0HJmbR^UoC8qwCO8Y(2RG~rc&$zDg(tI@$tt3y zO7;~uY<6B)mwfB~`p>jx18EQ_c;u&P9bTT| z*=Cr`$2RKibT6g?yxTd?aSmAc+sd5^ABu^7La5T+xQDV!bnP_g3U;@^tm}I@*z?`1 zdpN>=-HJgRTvO@uTd?8gf6H?R{n=%kgGC_P?pD2U^qqrNy~9oVr$1|Cl;5uC zNvqj*H`POegL{q0Yau>Y_+&0{SNqQ;zfIu(<1haX%}MqGtV1bxo6 z8Dc(gA-b|1z|l1R&W4Z&G@w2{Cbe}~b^bqW=YI#=`OiB3|GSRAvVCCHe_;D+p#499 ztWP<&H!<@*us(SF{oz2_C>SJvWq0&ZnlxWD8w6oXT%M;4G`mpOx$oYd{h?Lkd;3?H z4}Y~Si@i`JMHN$%&@#_gNMG!8 
zv>h_nc?xwXC$o4i#1USchuW|P(5W7wC67fL!7ZhxfGIjc2&%FAh7Fe4iS(^a#z5(= zMmi0;@uSx5bk1H>Jhh+xheskEj{ZwQL%IgKmqI2eZ5};428zG%2bK9!9XGJlR7v70 z@RVw(T~)!m@r)TcY?PiO8g%g2yK-Cn_0@E!9!K~qlf(8Kf6Xvm{Arxv&i=!&YM?H+ zrJXI69>a@FJh6>V$z}NWu8txiiMzXHKRs*_wz#>OY4)(On&Na}VBouXH2{r;P*LtL zlTK$dhRnI!O8BKAslHZwYwvK)hg4Jy3_`jq7SlgK*v%N+Y_HP%S6zvIeiagNU_c9` zXDUGh)o+6wp6Od4H^W5nuV=oq&_Xgry0fPE8{fd^k8!xjGPUR+fu;AEANmCW6d~a4 zqJv2HEi@zDL2+mni?LXW&*shzOme?NN1$Ip^OeiD%6c9P3jYbJFQ z*36e35<@5o^l|%L#}J4ml<6(-*Q35Ti&JXQEnIh!qRvb}rvwPM{xWGFw*ta8IHa{= z50(LmfqiRfzY&MwVfwGcfrzIz0v7onr~$GJE}h``U}SwoDJ~Cs0%R$6(uO=c2~#Y4 z-Q1uL^GfE{y4>`Z(ZC^Y6QIhJ1@@xxgmxK|tsytls{L(cxBN+*bynHMT+bkH>$#1) zP~DmL!79$Feh-oRNLdI%vfXou`=f{(g>p2p1B8k-H&KN-a(aa!!8!kQNVFKOj9+(+ z?Z;gc4X|NPwIG<{IUPb}iI8c42V?M`&?9lJjm3E0Wyq_3MHkKgWzsj$^u6^4T4Qhl z_NEOObc*-?wV@=+9LvzRM~KpyzfAfWEj#(&-oBq!$l%E5?K?0F2}Wid%-q3OQV@!7xb3PsViCJWhoUp=WZ z9@`{T6m2eEf-+8MLRqPN=WAP)ZYWmZ1W26S@|vv+dD{*i#cG&Q8cPn`4!dK|cx1Q! zJD1Gu`FqRvx{bu1AiLTrR8)U4xA4?HQ~dL~R8`+s-&{RR^{U@PsEM<9;k=o-R}`5_ z@X$B-%Ch@Jgy!7L%h#98tJr1!L-~YslXSZT*q!SuWIhC$>WTn6RmCB#%@=%ZECXIu zv=^G)CTw{9tzpvklvhQT^=`*+cXieB?6V<(E>m&MC-+u+E>%3M6>aoM(YBJP@yp0- zB1)}u@{5b}V^|lOn-!pd{=?QxXV-ShwL-&_k?t;vT=T0+Mw=*Sk{C-)Zl%ehtg^PtY0W#{wX6Jxdt9U}r8)^W)OAZfpFl7*#>%XOgkrzNWYgmIm zY*jCkSVvX}OaQhQ6&k;qGyB-Ny;R<-JY!Ah>xY@-MD%XqFfXsavagHR<}t_UBW|gG z$bKKe{9}!gO|6cW9zG{Ar?=JdPT_RnQmu8XUe|`M>^Il3o@vUcV9L7jhaqlBk$Wkn zj}nLXx*x?65mb1CM10D$XikyX%Or`r6d$5_7ExFh#h~q;#98e;z6ohbd7*rv%5ly z9~j(_iMkue*6|VgL)tElnddbUHEk?fU^0Cwe< z+iti|zv4K9Tys+1Q`%62hn=G>*!9aK_v7+_SARIM(1j>lhpvqg&_=Jx(dH9(=~#Iv z#%#=sS#qlQ)dfdI?OkDbr~t$_19E2s(uPi7>zI6#^#(47Thksmn)mqgNT;yj0m2Y{ zl(YfkS2tx3+_PuTsswOASj2M15Ut-O*g~2!UO>3tYy^ex>oM^@T?=EDqdz@2-|PNk(ZR^w?~JuOtqrUx><=IM&$P6FkeTY0b@Zm()BX40p7InFa4K#M(=i7x9%1?3VL?h6Q%=IeC>&$(|lZR5d7TfZ(gZLfvvRV7bW=gN@jV*12qCbcwbseq(05Yd9Uyk03ZUU1!_T8s`_+pqIQ= zRa%|svdw4z=C|Eiq zP<_nMj1iD(qSE+FwWuQ+m8g^^f(KDlV-IP*-5>b?JLWx=0+%;ZaK%)F` zQ*T8X%26DPvMM7lsV`iSW_chTu$b*@CggXS-QB#eFwOYZ2T&&5IxW4cmag(Q$wJ)+ 
zz7h)_qX*GPPMX3RB+RI`f&8V2QA#}`K?9{WhXj?iwTc_9;*m!?p}t^#m$)mra#wYi ze{$lha|5~5KP;Ap05GFI4dJ%1WwPp(w+xV17n zvGSBq39FRT@W}OrWcyf)8)F*lNZy*z0(S~M(%iB~Qt#z1hvEC?x8Thm^U8kuQroHo zQ+ns`nHE6VR+~HLpu{ys;IYv@KhjkaVl!wu|DC^K26}YB;pE*zsVF1&b$Z1qDA2Op zwBT5#=RB!tW8vZyGtYF$ij49mNnUXbM(5I1G;%C-mN|$z~OB9tXSd^(E_rX%T z0^8ePp@#+*OJ$Ky+5Gu3ls&%+6}u8OYb+X8;_ZVG!!ha$q@@(5RE<2Z4^u9z^S1$| zv_#V*v9&My=FI6uWzlcVmZ*Z`sas5TAdjH&+aU>*D$U6{Bq)|80dj6$hg7B6Iw&=u zGj)AleR2bP)N1L<&h1N$>C4fF^k{GBr6R-}&~)1Ez69S829-KI-PrhR4n#hjdY*r- z7ufZ00L_EFHtE#EfoLNnRHHEGiJUXWby?m;bz#iy-lG;T2#Y*aq4%`u^cE-gf_s9z zTXWC*80&fQEKVU*VJi~0L!1No2ftNL6lfhZ{N9ytd%UzG`HHtAz9q5q#HHe-6thG0 zGJE_{tK={fiKbWpWi8$08KN^~P{~L?0!bSx4POn!t2gSdpMxXN1y@4m88g_841L=@ zsUtjs7!j~`P*n}b8lR!TZ5p+|Oga*9W~;M8#r#1v^lIVLbVSj8)qNMRxWwa{+O#p2^plX7Q;XS<#$l+vGSqhUnM;Tl=&mpC{5vA5pYQRT zcJ?zA!kqgr1evF2E(SQxp1VtXVo9eCdE-CaYW4|}FM*qjJQ`@loqLH3NldpI9qZ>y z^mf*=hxZH*__Tgg`uS4#7IYp$$;!o5&oQ6ohKB3*B`QU!Xq4XU7;JlwBa zXy6X}N$G9K2)09LNM0gZ3&1>@(siSI+<@d7b*Y`nEgQ&eY|Fei*U|PbjqJOu7bITp z#^|)%g)ePW`SOTn0y&b*z!@~q-RKuVnbN!L<$>TlR9%*FUuU*vm@2)ivwUY-C3zjI z=@ltFRgr`3Z#3itb_mPoxC%T(!wJ5+jLzv4iaIwdS`r&atZvk)I~*&O+~Wx`wrG&g z3+?p>9lRY8>*+y#)Ot{4L2Ivk0*QkCilSAIQ=)+@8Lyio>yA%iS?iUkc?Vw^IT5G9 zUw_fkST;f>6Z8&R!bag(5r4uIMXlUDrF^u6a4J!{gF_7+9X?xSUDza}X1Kj2EQw4& zs|dM3E7D30RBP|JOAhJIz*ofg&QAN7`wIwjUgwBUJJN+UeG>nkNGhx zfMGqI(h+cIU!5nLt)I@GC0(BT;2qw&2?|x- zL{=2d?*;f%L^?{loDlsg@*Fl2+BaSSTJA~S&k_?InZHv-BXK5K2Q3*9J@-D*fr_^4 z(H@~ejm_4XGO!WK>h@Aa_%6~0GVD|z$*Xj|5}9YkErSw3XOo&ei6E$=p3cs1qN9n& z3hPD*x`ucL+AaaGxF}x00>1!+*3*N}8I<`OC%=OlmaCb?Yotgn-0G4)0hg5OOR%R} z$M;%a@UvVqbh5BgXHW0;E*bL;RZyEL;+GeI=U_OS6JNsGU9XwV)1Qe|3ke!z@=Gj$ z%C9Zno^ZLb`^FJj-^)G8)d2yWlv#t#2Ezy1{jOP9h(hka|KM9`9FjZitUEMK0{Iw`#!=0N(FKE-^7v$7u6;_34TG77kI&UBj!G}Zkt#OF zpFzjV^l1mdHc2SORDw(La_EJ{+4-Deuvup`hO8gFm!F?s?+P8};~@3o-gQfW&E6q; z9NH(qdUJl=`G-)hW2Y7mp zIAf7PCv7hJe9Ibt0x7{=r5Imte8fZGC?t%M42t}(tSR_?`$l)rdX=x(NYo6IqUtJWh81_iJi4^TteR13Lw%sC(2?M!DC#MkYmKaK-@*n=bq2A&bV7b*cxX`)R`XRs9A 
zroQZ>ZQ(`_MRWB!#)>H$a@rYR?W^dVSzB9fTGeBD%9wh3PKZz=QW8Pt(cG!o7UkC3 zFH}r%`JA2Exa>3shL6YbSPjW$GmL(S&69$f{RDeRNw3Ft39cI#gpLtZurgFxIKj`0jL5*+z0z79WxpQQ6tbAiE*R5mSp60g96AXhaf8f)1|Bi1SegDU4nAG9kpf5hDc-`o(*T^ z{@Gdke>QMGNxEaW{||$iFjCs9b6Kd`j;T>MrRm7WhVJy40FhTS@s?>eW=H6sAMW)x z6Owjg*YyACA5&I@Cf=$3)5+N#I%gJn!gBQSAiKG@6XIg>^|aNx^PgWQ%tlg*YGEuQ z9zF%>L8!#Yc*1eIxmt|70}s5Fy}1=KF({>d6aN^11d+948Fo{vWn(Wubz&+&_Vw<7 z3vc!#jZPL=7hV=;6H3$;8NWiC>1?JDcFd5G042!-Eg_rjD_Y;soBsdQ(pc&Kc*)HmG->o_hRv zCk1WxL^xncj^GO={S@bdhc>R!%L2~Xr>oNk=xx(_hocO%DiC%{{71RT&A(Wa|2$Sc-)SR>-fBVjZ`i4* zek+YOz`4qP1SXkSkehv_%P}?t=}jJyGwigDDXsDZr-=*jx2y3KPDrfJ?P>y6>p_w5 zfyU~Lff;_<5rN)HkB`;Q{44&r?f#{|;DLLlFr!?5l`|b6XXN)5$%Vm33f-agpI<-E z2I(sti=XtqI9>eqC}E-unkf9fC?6xfxprlM9yjSv&)HMOUv2$QPI-l6#{He3o*)~O z7O1KG)v9m$&#%8LCuuhS>tRf6I4OueWFO!@eG5H!W zo(japq0GTZj6Tf7wylKzuHYQ-M0plX@y41W#a^!flHFsrFqA0LjrC=lvOw}Ly z9S-}=uZ}#_Y9^7S8bjOQ%H`l{uWuxBc2Os}o!b_5;DBrAOjd1sW8Is_oQAlB7H}oJ zXsil6{1te2)^tJE2#?GM$=)C5?`Uq=sj0Q&>oMOmeCiH2^szGSq<984VO#Ku~QOCkg=D*PpO!+`-kL9^;}xgSvzW zOWh64P~Pc`sPmcCUS1XvNGn)qe0kUGERV-t;Hv(9qR(d5Ed}W%a7r?>I`adjVw)cW z3|r$VD>;(Qohg4~1^sO*g3En*x$T|b@o0LbEAEtbGOwuFMV;!g_#!p^xtl3tEEb3A z7N6(fLyb*3*;jGKoJfCdj!V*^#3pyBC{Q_@Q<35n5QS~E6jsXnH%Y-r_0=qmO*wA* zoiDk^Cv1k!Sf7TE4-{tfRyY&O!RLT8ti`_bP3vha#jUyEJN7hn*{!9fXe)*h;-D$O zQ8TWv-58nURis&FWHmtLgn2|5|LEwULO=XYUkt6~+v5-l8yoQjN06p$U8K;vXZ@8-AcCOWoX+V8Srlfs#|5tbT0CX8vq;pWh_ zmfbNAeq2{S`Pm}&`4@gH{XI9kE5MhqYWAnRi$DIqx+n4u(E~zPDjV$W?>B$DrtNz@ z%^Q~*OvPRfmy^QYI|$CgmC@x^$VHrqC<E|3!O<;_P{SL);NYKzpZVvws$JvE#rfS1Q9^a zLGNvp{FI0zR|%R8F47+xuV67|NjHbJ3Fd4NwCu1-(bE}8=5IKD!B?Hniah$7+lWXE zwsZY|SXsfVC9Hj%ymLu-@3*PD{jrW7d*TCI22^zf zt&x)2i>x|NQl~P!JG5O3B-=)<+3wLU7T1Mf7%^r5v$*Nq<6ea6*< z7N&DDYxqDg8spjJY&n$;g(D$E7wJ4m2{S<@JKc%OL#E67&b^3B9Q0(FEN563U106y zPER96dwK|*f0^WAm5&j=)u2?#x~PRTJrTXbM;_jFRlKNoXArO0UQjda4ak497^=YQ zZuv3N7)F}m-rh^71A|}Q{&1ZN3{7xt74@5%t=Zz!#}nd{{%Xa}L*d-_zi;3>eg#i9gfleR|6u1@N8>Yr1C#pA7o6omO$>Qc ziw}P)e_PXwp|8F%wTZtIb`Qrgu2pWm8ew!htm5jt+pLA{UJDn#Sat0Fy|+{6RE3d` 
z?q&ujC%^5s_(98tfAVw^``blIQv3=`+G2D4|(- zV-iyIbm5ZGuJ+!=Id5?!IjuJf24)Gju{V8Z!)p&be|_iLb(NYLeCRp-a?eW>lgj?O zVudA>jB0HxT$>!b7P~)X_ADwnC43?dc`h?@H3Gf$2A&z~Er|7b$Cn|l45 z)2C;^d$pWsjePYO%gb+2SaQhthuhpYe)C4h_q=r4&{`Eyk@6j*qt1}k77#Iz~`^fxoXUn@5s;j z^a02WH+E1u-Pc1J?2hKIqp==Sdl+$ht1(lBidrD*^*iV#mg7a~DH` zjPHe+QcI*szt5kt)>5;HezZ&yK|)O{S4oV{4=*EKQy#%hm7VuL(}^tcz!txI)VgI$ zqdt9(vv1I=mLa+a_WnJ$qDwtdj24E2mCop{k5_^;#{dx2E_vLfOAXN}ZpEuPaanOb zUxWcb!>t5oLO0t|D0W+dZe)vDvJW=`T<+rc-S>4??srffB5^mCJ;ivQWQBCQ=vs=0$~l9;^;PLKMTWrI9H*Egi$}#B zU>8;q1W3akf%hzMlk!4GPv{A(MBy3Gght6hgzTek%cl;7tkoQ^1SzO~lra|XO648T zdI~@v1Ug=1(1B4%q{M-6QS3hMtUkM9oE34cp+U3hx54}?d2CHL~H&nnn1F-;w{M{ z7Dbkqjz18LT~Gn2f?;`M+oDbUYp&R4A#tpA@N8oznAZQNy>E|)a%=n7(XKYLD^ki# zyA-K-Dw4uoyO?BakW$3#b_a*HJQX2k?n)(!3CWJlh=k-6lH(*Hk#Wo^#%UVoIWY$_ zbN8-MyLg^z@ArM5-{*OMpJ)H!V`kR6?|a?Xy4JO>bsfIfFY9`)(w-x#m*%-OUyHcG zE?0(W?vW3hOC%ZY2-y_@%kQG}O5Y(6^F|$`NLawgVzg<)I6pu~Yf%Swb6S$K@Hy~{lAbbrsm6IQwWzZ@1cC9(-b%Kom8-WSP{zCEf<61#CkKjnpA&N z2S8pExV}>C>-pH0dISawkfR2^7~f4aU0@1UhXv0HL{@HvsS*mZOUfyeKR4)n^B6uW z8l|o=q;l$!YBCUAU`Yi-f&jypMfTL;d9WC`BCo}nHynRx?@EiS#EH*VB}gK+6b*y> zfv1AS1EddG1dIKpUlN@+4rr}?Cvz;G6Y3zIQAOK(yKxo7mV)>bY2ZdltFldww(vx- zmb50MwEqses{L{3B`0z6xF&yY&_S(%0`BlY8c6vXpz+|qfeJA33$obAPMzd%|Fc3P6ZQC zPnr=0y_8NV4JVooLZv7Ywv>6WEk`*#LLRMhLM%&1dpSdmz27E#$~}1Be3YqyJ1tWb zPflS~%uhf(fswrzPYpUi>J}BF-a|>FCiv#Rb@`g1xZ{VXvU~IQfbl>{hzXIeBe%y} zeO@`_KT{rSzHz(j(?)8#RQQ4I@`Lc3vZ~A*?kid|bw$f>oH_4s3H$PVqH67<)UT{O z!vo5A>XvU=}|m8W!w9QZS|(&cW{9l330Y*0n4!^`8%pMNNuEPJT&S_c1Q&tl^g29LJa8vuMwl@=l38^?3;9dZ?e~yWFsnKJPXO_Y`1AESB5Sh_1#6<-S|rJm5zC@9)F9FUatld#Nh(oGu&KKvw~Nmrk|dFm@B~7rMS+>7 z+-id#2%xIgx)`sOzI>Qljq9+!3F??D04vDsiyuO=|3%^0f4BJv&ypJ>E$gi1e|xKS z6j1A&o&B9C4&#MPdQ+Y!zJxr-orxB3OPcIwvuCA{E{_fyyEUX_GeXTnhtlZG=6<@6 zT%IYhbCi8GYVE>4+F9?j?P|GI{g^4Vz|;C5O+rp?35-6OF#bY~#4I_D9_6kKMWz)& z9o7rC&oq!iK3mk9+IPj6)di^E$E`V95%*F;w~oCXzrZKNLIE1o*t%xyt=g>&-X79R zoaUaO02{vMQ0Pk&;(2|_==q?4V`oCVocN9+t&tv(->qkgwzN7^iad&oy+8+sqf1h& 
zz?@amBs1r&07rgOB-I`olk)qHkEn$!x7MfK(ULeAwBhEMu#UP1{c7 zQCCMkK7jnl?>cdT04F-tFV=nN$ZlVCrLo#KrFEdTpN|7h7&Q*sEW{`5eryBRW^Hpe zt{Ljq4C@k(98a(5ZTw}3k_Eu9<#SH1&UHAMS;g(Bgvm$>2uc(Z9VDC54A@u@2wGe; zk5yI(yDU?-zOg)-py_I$D%$mTTrX51#uV&{i0*SfJ8EIH``IK*$@D3ovmZDq*_g%u z*0hMfs6Xk4Q^R(}7F%6C`QKjHlU%;y#?g_8`&2TVwk6p#{HIJ6Bi*XFswDbR`q9Mu z!dtOFx|DV0_|}NyVwRn*Mxn!Ou7_RUl||d=7fLYuRd}#fJvP}AJo^5$Ny!EO{CP=R zzT@JjZ6U-1Bc98bMei)#q4N1Lhc^Rn_P3*3%h9hV?1yE9?S z|8n{d;2W!=LcxCNo|VHekb6)fVeoytL+P{+`Jkr zr6m;p=|yF2JE_8H<%s0uYwX8z0v7;ZO=GxO7&%U*g}2}EN)hTLCX;$utVC?Rb-uJI zVDk=w!?)pAWb)W-P%{u@SAXY{O(=sh_$t8;LTCXO1kAX zSC{N)(9s%xWjs)_+ie$D2lu@=#|`)X_P~`HZz8pLZpHhDcpB(q9)QX%D&f5FmLiNPQS5(B$p|k6cH5;DUD>P?8IoL;5a)euhA$B63`w~M z$V8H4C5l&xmiz2wzrCAk>qMN>q?X4LBgS#_is==ukeDSz#N;8Y=w*FN0|-ui<(QZu(Yl;=707F8gZovfZ(_o6`7be30=Gkj01x2*xg``HIvcY03@Q!K4M7-6Bmjg52G}(4>n&kb{?Mv{G}$3)66$Hrl_ZU zckKwrhq^)k)u zMVuG3o}5pJ##4=B_Q$4pnXC(eE1?bxx@z2r7twa2ujTU)Ndp4F^8-}5D`B8XUJBeE zXLK-9f)&dr*GdsA&1K_=6_$dKCf-ffb-^A`sj}Y3Oob^nz2Ath%nTur2QWw;fhuys z@5YO@>xz^;@n(W6J*cY@<;B~WC_$yE=s*zP8s9=(hl8rfFS5y1A+5cG_USo!^L=twIn3{v++oCM0wdZ$(|0Btf%X9t?tSc zS4If!U~PME6yp*h`tUoMe4(mu6&LbCQVSS8E1z-6RQG^R=w4!0YkkCckg{0O|0 zVu?s=h|K!aou+@CSz|z0Ipl^eddg8>#>f~|OF@~H{yp}>ndW8V-+5}AE74x4$H;a3 zHp)m*a8DltEA)EX_=t3$LK&R{W1L!+N8sjj_GTU`wH|<-{kbuJor*;wQm>o zIvV5{@0Y*p-t`KyxWu%$`f7pc^~+f9X5$cjcyR5nu~`X*hqzB8ZV9_y5L~(;-~q-; zV!$Gs-xs}_l}e7IKJ*MJx2x6CPQ+9N^{a8(M+$&xl~LbI!$?GF#_XKoC7sY5Vk3G( zjoZmrXDu6jyx1sgs6}o82YNIrSmzoS>a#FTj5tWn;xwUg27X$tZEb1wrW>Hj#XA`w zXnXg19qH0MI-u2B-^27>@1wi89h_vF*0DEOYE@pxv#xHi z)_ol5ffS+l!N=uK!Gl6lYL;sozKeXhXpZw%!_Zjg+j+N>I`6T#ZSXULqiW+GBfVaX z1~i;aT^0h%RxATY2@o*RX4+LiL9Y~qgY%Zc^4B_nc+-Y#!UCmB2Ab{beG2>e;CNNU z7!kjUw)44eL@#6KfB+bf(A_`o&I@(_<+k}@r_%{c z!xFdKY5MR0AK{?J&RBbO!L6H0Fxj&Tn@ZX>OAd#c6|gKFbN20=O^WF-(O2pKILuAd zAXySa(mNlRSm3pttr||4_FS*(iS-v&8B#1X0=i0Ixa#H zBhE#2J86rOF`M`ci?<0EO28hojGQ0xgf>r#iArHJt}*q^k#(=#2s>@E8)E9+wNQ?H z-uUJ3Y|3Td;8qUl!fN9JRk&U1>KqGWw=2T-DQmb3hnCy3jU>@Y0I8c{mMM}8EUm9N 
z`3v(cAxc;5PZ10RDp;cvwu8ktkrtEtJLt+z<<^n5LF9hfK1`&+rSo} z0J1TxVlVtb2fug|z-Nh@)FwZ{4W4q(BwcBAE>D}rtpgVR>A*;KJx-+TD(nX=dJ$Y+ zTEFVL4(8UaY0y{tG%Pfdw1ynaq&IqBfTmns3kV<{%>l~jJz!kxkG8bn?H6Gso05S3 z*<24(O=0m|Km*c{6NM2^L1qCXzS57Jkht4g8e4&LX7WI$-U{TONYTKiPy{pSj?!Sw z|7XoHH$k#{V&A4epnt6I4_~8f;~!A|ul6<0vzS9bicqA?Xi+P<14;e#ERC)2vo??_ zvIyui0!0-Q-pMpAhbULzacZgqtH?M&XNmWalA%3yE6ss#*Z`KxrXeK^w^hpHz|kg6 zUvi#BNk0rzPXZ1kNxA-?+nMQyh2Hvu1o9gZSekCIL;L&gfMFABjbm&?v#LNAV2YSB zJ}%|qbhFG8gYWqnWJko<2fTL8G9F%45RI1@tirCpQbjp0eHiE}ZMG53tdsPod|29s z#b>oTB7R?i((DPqy_u^K;H#Wi6F7tlFtVdxe^~n#pn_kagsdA*7v7fs1j?=+12F;8 zb(SbiS(%mgC9(mG%8f7+NS{tCH~0ij0{nz?gC@rFiJF)eAO@sf&*^a!BcWufO$-E! z{ZD+#b<3ttuiZ}uGG>A_Au+KwI!nGL6~X##sL7ck0Q)9OVo>Y)C)>$C{G(_#lKHE7 zV&P5Mu`am^9k8K0?tG2(4QMm8ne~&IU*2TQccSh9?4z&skXE|-`UK3rLYcgAVW(`7 z4{mvBF9ECbf4)WSxa<1$9dO!T?O)Xp{>}6;QJf8=@+75Xikf3Ct;z7eV=(hsU**65 zUbDHKO<`IG2wLrw53zDH|5G+ig3d#v7?~q5Jv}>;y|d?pUnfP;WIAp$$put`wvi%j zt=N_j{s^a8z~DtnZr_(guNUh*I3(~hWqVxlIWm*m7g2gi|MVL#6g_V%^d`h$EKRk7 z=NDFMG=CSTB4b}w2<}N(@D8JcdFi?7;PiCu)c0Hn-*Y)kBK^(h%0P0HDwzWx&#uN21A=SWMS%~}q zNzusKa2pFKUDo1onmpWmz6l&<%Wa~;Q7y?wLlUQNm*fN=4KdL%Gp_S=U2b~a`-Mtx zU~MfTcE5Yak8R!Ak-_q{%J#D~^%`>DtuKKrGs(ls#3WgMC)@+1Oo z<%^L<_Sqa_3%c2d67B!9-w9GFd#lgoSBF;ie3fkl2?NQQOF%|b;E&&8EQPgR+vsks8;Sc5c*4&jO)nM zjpj!=m|v={ZtWfzVAp-~{T2NRO%g*)uxH z^8}C`OFvqzHcfoGi#($r(WwPSV;xp`Koo%UP#L)=?96LH3s;ihUqi5Oz0Mp+zguH)+p4{N^1d&^I?l5!|-LLvjv$8 zb5@lPV+=u*_^i)a@ua`WdB`uF7VdF4y6|)`|IDT)l`Bj8ZoV}xtEcW4CG?x6tWSBh zs3fPhDAH*9BbB0?kF8L9{nQL7hEWo;RSLG_;@Mja)t%<;b4;S|;-powngPcrOI^AX z>1SX1KaZ0tZ+n05?)5?Ci+fr@J?<2#-QjTZI8spTl)mrALu=Qi+n@Htj8bh}6rP@` zdO1YIM?S92dD35hx4cuGW)^!v@oP!F%g5NQH#R|Aydr#SG*cCO~$0n$Z+wE8Ef+|O^&dk14 zXZCZOeO}$Mf?c@vXg6PGg}sZ&45{ZsSq5c(4z4l%#QChW%blLuX0m|UNd(B78O47m zvn&LdG-3y1<98~%Q8m+yB_z0a$Z!eVT$=#*A9iQx#COsb(FCZ{h*LTD-bljt*N%iB zFJ1iA0K(a?qzsUdWxR;;D0xZM+I@`6F@*LwpJQxjc$R3F4-wSQNfzqwVDYh!nnr51 zmYb}s>1gcbs9^!pq`MzWmWO6xNQR4@Y@loU1`<-Y%h{5BgXzxJhHG)d{)Q&1SYK1z 
zM(B|bnMeq+rs5T)^ua6pVBBK_V1X&w7{(yS8?&>+QvBK=8fSq4AX^=|i`v!%@V5$} z`~8p6syUYowDuwu*^#0ZWv0~hA&!`2(8)zZJdMJ5LtCm47HT04_SHTej4@U;y9b^o zfO^!Pfn4x}l2%+v%1)8#^P6@i+xl(tuwJU)=|`V;jamsnjbI=0fVeR11=5Po#9aVj z*4qSdc{D1sZZtWWG~e)wyF;8HY-~_(;S273F&_uwKGc{Cp!TK^PgC9tL2xHD&+{y{ zPHe)n#mIIPBEiU&nITRb=nm!Ri)e>%E(PGYJ^&EY$>Ou@gkqK_Y~S#(mnDf}@@_3! zblxuIN?`$l4=>ceOcF6|4m`Jr(mS)z__wYt(Pxbmtmo8yZk-+e-E^l|(ud(F=77^| zet->d$STSxPBGirWGjg;rb2^xa9^&**d`4iEk49!Y*mjQFbh@lgGC|CQlw*Nf_&E0+wUK+ss6qSCXe%S5Z8{6CpHKwa)bl z2iaVNUJk7?&EU1$QtI&aw9##(F($Cgp<|GzVE-U*1Mn(iMB$x!v9X{%$;Y^6$nAbQ z3-OEV=N7gebR0ipV_UK9-syY_zn4?HHZU1(R{Ag=G-+ras7vt#m`G6AqFLKF2_0Bt zF>JvNL~#m+J_tTB^dR%Q_ZUR3z2l)VyPZUgmcUODt7+tt6x&au7==Gpyg2+wvBmt% zw4u`^AC~%D+w9Nx(mSSf{73r!eBGUcWpKE*%gUU67Y|GV>BoE;YS5uYR?BMJ3<}|I z-^pk?(|EJq7jW^5n<(-!f%adyLi6PX`q{SEx7Mh#JO_slP(H%_Pr1{q7K^=|8>+j4 zgSv0{#OKe*BJb?~!eejRg>9(bR^ac<7+`6YW~Wd0_6I(^doO`_af5D)u#5?uJJ1^qvv zK>}_1T#crGuJ}_s^!9ktfq?8!m3~M=C#k{-7$Oul^H=AcZzKBOCxAB4Bp;pcMQ$A@B%_2pU}FE$eKxKoYv@6Y zd$(Ss-V1cE*X8Lj#3F#z z0@l>WONQPm2a4Q)eLq=9Dc}M!e!kC5Ns^dC5fhJN*A@K|*_!g%cdR~=_)5zvx5j<9 z*1D0@b*>LP^g1JyIK4SAGp=brKv%rPW|T#4vvpl0pq8Rn`{LfoSjfjezJN0e*!TWUtV4G^O%R}0;pTmcexdGj?;yzgZ%{JE*f;+Kvn z9uJET^(J!me3mG$iB+*6H{cT?C7);yK)B;=K6@2lN#!udWc;K_pURTJP5%YbPH^(4 zXH4Q&Z@sHudEBix8(gaLJwmn@k1;TNZ$;vkVSZh(WkA*@f6|CQ-EHjfBb63Yr}iA# zE!AseR2!L-#`keDlK7W~V&&l(zGI*=wS}vOhj z87nV>$biA5CC(;xze$6p2P+-_Ve>F`>D8_g1K2`X^KfZ`UhmJJCzj!%SuOhn8E?J~ z?o)3E-rFxJ292&RO*}GwT(m1xL4(5e7cTthJR=T5ms-J9Hjn zV>TEam%5doO#Y-aP1f($T{&mfUPdIR?UAXR-)_8nROPe$U$-uCHoOi|ahjJ1d7fhq zzWCz(uH~-@Hz%?NWbGLjP5YVk9baLuRD%~5Be)%3m>IoehrYPzF8t}~#DijM42d9Q zB4tQ4T{KbI@%gPk!5MOMZ|$c{QiVT?g_!?sgSp*7vm?mkC7?zqLH$o>1pKj?O?~>? 
zi@?)w3-bq`q+&qrsGBJi(b$`b_|im~WDEF(au1T9fLsrG(3nW+l>?^_yZU!BMitgc zcR=ZsL~Ut&j`VNK`VSe)19R)H8|ShyH&&)+;x-PN7jl;4gnc83jdg}2?UAlu0k#|U zo#SSTf*UkUm20IM)S1P%+x8>JP;|=pK9KnhZ4!v{YEbiHAA@2)B3n>D!haP0&M8Ov zK)mZC+-g^$BZ;qqksJ;N9@%vrPQFH)7bZGq)|}PznLMJu`m^25|M^~tdU0Zf;h)N z{L7xc2O!Q=0h7*WF(dx@_Y~&{Ii7DX;ZZfGe0UC{n6aHL^p}jr*Z?iUvQL-o$R3b$ z@KU)!qQ_HjB8N$mS7YBkPE$CYuNqvg_J%+n)EJZ7-4`1m4ZHlT?PiujU2~5x$Vpc@ zd1EfN_QyAlZyf3J7Nh%gm1q1E)ZBj&tA2(QYjdJ!$C-vR>GTBw>Iq3Z{;;6T#p2QN zxf8bJ=_V9<6xs}H`lPNQ+5!QNH|-bC(+Gtd*XSzi$Xl>V-dgn5>nh_nWZbB4(8B_+ znr4rQspX~5#8LlFdhj0&ORQupcF;G|{gPy7N^twOcWtj!DXgdvkAoS)l;@{q^b+mV zpQ^=(6J=sam7F+?=HDO<8TEVf$`3%6W?Bg%1A{~m*L`nobS|`Subgi=X3yLO0jR1C zWd<8|`m|A62bq9gMEipGuQ6d3PlD)SSZvh$Snmlgm^7q`?|?t3% z=%maQ1d0nW2Maw%9z)@8SL{%Y)CCn#%pw7_%j^?5&+q~@+H>ZOXxVJGe0W?xFYi)Mx@e+YQ$Ym)$@1wlP_lQG0&92;GCgyY2y2gm{(PS(p3ky8v|^ z!?yM})a!$qkqz}@W?NC;;A#DH?t^-0{Lo?Zt;WI3pe^{&dj0gCwjVs)43|IG{Z2@x;WU$* z`ep~RL!X1wwbJl>wy294l-A3ZEonzr;`4VETvR3P^tKLt5ruK6pufgE#WZ_ACF%=~ z#5*F(S$rPkpG}p+r4}b07NkIrRfVd-Xu0+JFOUijLC7=NKW6X#3Ppblg4`&=g<4J( zn!v_~Z`#0WSL8JXie-TUdxJdhoy-X`$_bJOD9&07cDSoD#fy^U< zgaapYc-AXLPQ+J+Ggz)eOmL_`dm2(r>rzwoca1AHMw7a&n;!P!R#suT?NF1LTmbTx zJoekp+3G`UU$Hpo)IR!?to%DJ;@-zkLQu>hNxOAgE&gKk#-;*U(K4TD4G)QH1+HDG zeh%&ra4BuhnUp&Zw?~A(xg-|?wAy^GAud#M+{@#6A=Fu&#G;gA6nj|5-{zuo+43Tz z+VA}=2pc=Lpqr>B?F*3zS3;P3y8feEMapq+T z3I|W_^28MNfI1!)vq$$vm@#{(@Vu4SMZ`Q42;=^)x8M!6IEB0~V!N zl=huix5kB;m4Y$9B+Hg3byJ2Nd%;G;7;hBku6N)<4Dv`{G$xb=F!?hErUxHnoC5MP6cqJmAV!A?psPEl~~HP`G3n}5~D&a&01DkHn`@rsaR zYH!hJ^<1t$W6Zc{kFv84M6^94yRCi2n_>oS$ZezKS*?ZlNlGn8NkhT;!l1|=Ghj!Z zaSy~&<|2=kT5;p;#BeqocXNdt;dxG}v_;vt0F3-G_HEKT znK^Pf0VxhSP5N5ABym>r2nP!?IYvW=I4~7h&|ehIV86{^QOcBEuK~2J)A1*j^$|i! 
z6*Rc={9utf(uiynWOqSBDtj2%jN0Bj5djFP*n|BWI_zMo7xFTg8H(f`NPqr=KBb9s z$Lc;|Cri|=Tbgza%2^%X6}U&`jHnA1uR?W7@Fl0fXud(h6I?^IeStU8S~h&TYamFr zi5_RCwbs3EE#U!Qo7`_S=j@#N>?fTdWL1q26lcYv!u^ZwpI)_LWO7mc1Tbo?e*Kwx*C>L zaUuvgI^>;vNEN^qO5p$>C5hE{j*IY3k^-lsw^<7^q++keXNh@N@GYLWsU?mpFLrUEcuQ!%y2&Q;R&wKBOb?JZ zHni^T8HwIHHrfYkY;S3!os*q$SO3PiLkDR&cToW9lHMJ|=!92qQ>oYht0ZX5TgX-e*2PXiw0zEpMhR8ST78 z*w+1<(pvH@?}ffiDhB!E^0;L+YyFKhJC-KME~cuA&Lax9z6d1vLDBtF=?#CVDG&NA z0cz0}5aF0|{>7)H?1?--{Si<|QbxnnHtC_(%G{iY-D)}ThSgY3Z{WaI^%=FXlC+}r zHsz0?0BHV7lE}Z?mWgQQ;?X|lY^YSucpG`4r{7_=N+V^Y&c)QiJ9i~O8R|&yi>X>` zT3ocA!opnFZg(}w6=^2NwXc%gYFmKQbb~iwjv^zOjFOEJJ={`DT-=*Ot0T8b0={8tt_KeL+bH); zs;873_N;KR!nPjSOZr;(`fXgV`&_p}Hw`UH9k)voJ$q9y*YS_B&+&mBO5|Pa**UI;kzQ`$9!W0o ztFzk~?8j5SHR|^)gEi9HomMjYryTM3 zJ2zkv)h5hXJ2ZMY?EIZD$Jl@mp*v9uY0gD%mfB}vuf4$f^NJys*ugZQ`zizMGP{qK zfQHxZ$rGN&{4}YjaebuN88e(r1^Hq?1AB#NKaDf8M_Q%ckjgZXnAU^kH8MbG&HFpa z{M9I<{1*`bPyIWHU?UChk|cl=5fqN+b4bJ6KCtaA=i^DnUusgm<(N!s^&oSF?jY$% z9jX7o+d_bg|DSY`@aHd50=sUfWuT(BXfGFmH7QIw<`cQ-*PJb4(_p6#fTYzV5yyS( zvn)eykM@4%r#bl4=l1tW2kII@e3)|+4-&b18#gdPa^@W=`Q_|C(cjLB#p>OVWMhm0 zy+D9FfCRH8e|qw#j{CeeON?ocsOv`Jemz--(n|imE-V zz4v<8de_>e`K;-I7CP;A+zm~eHVyg#{DU;y>F6$s?`a5fae>xB5HuT_IZYSR0%y~} zKWN%EXgWBb56%up`$98*y$((D`sMD_Um+t1n*L>I8Ke#VJ`a3%0td8g2>dto*MEN? 
zCvw2apfe`}mb;z|2I83cqt>tT)CY2V@#BoYp1(;<`1M@N#u|bW6aRMpH`z{mG$qb| z%l2=RYUBEi)^_W++O6NXe8YM>>n(Phwm|>cwW(=Ih613IP!Mzm{2u@s`+8@IK?aC+vdvfv~*?J;VGxw|bew4)f>YDRz`|=g)Zuom@^icQ)Xn z9mRg-uch08^Qp_Yl@9m|UZ?F`ckcf49pIb&%0IUyBqYQtWRn&7f)8%P)~#D{>o?*y zZnOk}xQ!9n&bgM)p&>`tFNZF9=Y z%f|B5$xU9C8#Z{Iv^?pxX@jNLrcGY9HXF8VJiX!6%0E}{<@wjz&j(*P`)l1^o;dHb z-sijnf-VASY{0F={i)IaQ*{Cn{k78nRQ#Zi;2ygj7rajfdG7>=!_)v+A4amGY-v zf{TAT0mXy4H)qZqJnpwO|3^{$dId~9@Z4V~DtL1F{|BG{&6WIZv3m!A6&?bXvZfQ- z0ZpGaZR+RGAFY{MQ=eHgW@ydSo~5llbnlW=0XwqCAa6`dD(0nbe>7cPQX8`=3776|i%~&*3cg2S7v-I|#)Lt2=zwvUy z{n@79Kd&%wZ4{bqI(6a7oVkk)zgc3mYPI>Awd<^HHrsC5YPVzOuHA$^j!p*-9y;uH zT z+28eR5$M-+Fa|TUr}{N*dI&hQ7R{KsV#6%m?fbP)2I{TcczL$|_X+o(SIjZpAb`rXna5+1eIVyOr&U>$Be=coE z^YT)5|M1}wKQoM1dwNTRv5lLa)sez;X>D$e4z(@k8MA!wF1K!LnWc~Vy|FrX@%zoO zfj2{bc~F>mxNM@M4IdjTW6Mtp6sfQ{O#^kF(LmQtG|-cD4YZb}ep$+xC|s+77_7-} zS(AF>IC%=P5E&q8pyV@%xcT(}GvfF6(|%u+`vu0NQUfK{YoG+o|JG+qYkLWmEcro) zwS~=8j`}{oBZqybFLc|5v68@7tXIGA%Yu9IRI{v@&#PMcZ%gx2`V%Byh+NEKp>$^d z(KmYSjV@MXU#DYb$@jO~M=sbMyN3CL>hqchvCzMd|Aq{hPfKmN>{)VhPj_67|FO+C zp5>W3*2ZSot|H9ey5?nW z@~5^3aJoNb+76w)xAK+=bfS~@?0yjExW@UmGr`w!b8c#J)1cJB>p?kq^jeZI1dSZW zs2163Aft42F|mR(Df84obw{$w zU?L<2zqN;>8?m%CILB~zqtW8#fQN-ew7q+N-e`L3*1aEgtmVhwVgBUbQYX1ayVVhO z^JX3~oT0-bT%XwD^vGyqb=9I}JGb_(iLkOa3VW0q;&SHW{#^zm*wnjjBWev~uGNDm zzsW|%v+R2O%he2|uLqCOK%VnyC@sFosPg64o#TuS61o@1(^lUqrlHAo#}8d%<+D`3 zkg74tCBay=MPgA_r|b9mrMR9h&o_#zx5G@5AN$+x&-_`~-ceSa2D4t+H868wZ{{_Q z5zC7_@0jYiPy8tjEJUXE4}BiFIhCQco76fzHY%ky_)htf0LVWG5WY$!n`7FYz;abpH{DvUh9Kn-6Q6>l1pS*a)nFzI&uv ztiCbgu!dTLTFdVSW_uhP^1vn{FWMjaN<(#L#1l9g=!9)sYihJgUyG|bA0B{0IX!=Nn&4ggiu=q?Nx>=6+GwaM1i<37$ z`P%J=70zdrWFs#Eb(Q94zP)OY3U<(EZzM}%JvUs9ZFyDqDH`i1l1 zwp4MH3qq36yyHDLaG{Y+gaWV#ln7 zZ(xNqUnbcTe<`nvZPPCw9ch{&G3F?f8J~v3NuJVpCUc(@KEjtdm?l4KwhAV+`_Hcy zBiZfqsNMw2?AGUR#8qa2U#KGEX0>-@lF+B>5^EOxL)^t`y0QE+SBB!1X<=1+UAL(z6g{ua7! 
zwRns27gZ^TOWPo^H*p`~sZ(nLwH4gxZ-0FBvme##_8gWc z>x-J7qJjP}M2s`hPpi;C&)C<3wjSG>o6j;Hx?}~GT0LQp^l;!i|J}O3e0UYOcu{Md zk!yed9Z8(QNGfB*g*R%2oBcTt%-YJMyxLH`DzdVqej91h2d{y|4W_`%7>3o|*Pklq z_-{PZ#^iDqQ?PH09^ILdVpx2b_Bd2_Ta?L}guiB-RHwzDJMxqlr)eOVsPiD!;*S&G z$F8|I{Vzw(8CbjwDCpcl4Rrt0v4VRV=U4q%!L+L+Ae%!w73TCT;WM-tTuoL~mST9;}jD}vbk6;)MM?YYwRJ53{~!=ovd*k~ZtH_l+K9-bK) zi2xx>g*8l-u1T#l`h;gSR+#MJkF+x%38Iv+PshV3CEZ7nuYu^vINrtDxOM7~uW zPn@nc@DdRG(!;A2Q`*p0- z8IRi@QYL@ls4U6)$j3US2I{FKq3dY! zW8G_j?2||U(XO&ohjwsr(IzWI{9C3%Y1F-8quLu*#=S0^E9=H^Wi7wi0PQ&OxtaAw3r~(8kPv zR(Fs>HWDfdsXQF^Q%7bcE5_)ok$sBv_5+!NQF$SaSfJ($IAIY9Dw?ED1L6D9s~FGu zHOwUx2YBHitW$30SB@=;V!Jr8tK8ZaUmyT9v)8K^4=Cu-4b#iWu;7dx6pY+td&_5Ato;Qa^C4y^d#S$M<%i^iuugHK~7 zt-`<(1s+JKKO+4IZ0+=u8t4Zwd&Yx4Npv%32hO*dktmI{9yXO7x7wx`E4;YmfPw3Q zls4DWw1Dmpw^Krz4~H5UWN?j_;0e6A&6RG6TPAcKFApJ3`jn}PmGwL~mEJaKxZGFt zeeLV8%o?Wt8FWM2BD3b4+_R-``?|%u8Ft&hYM^Z5|_Zx@;Y>^l-G6B z1&_FZ5Q?TN-JI#oqu4RB6MyrohDOp(^b7pFKSpUuA##(^xF`NbKcQQiOwd8xW+c7* zt=Z=^Jv6N?ky6-WNW*J$izebORycgyI3BwBEQ{4-URbE+f0^vU7q@0?t&F(Z{A5nm zFMVfn8LyF52kuM;BXM_M@31pq~I({!IrjLrhf^H{Ya;E7M@qoKp( zuk3RdwK~7Jvy^8h5>`2_c@Xv8gV;6DzmIow5p$FRHxD;(AUmK*x$`35UD(AGfTFzi{`eqwTvC>JBN1yig>y_-mrasw%QdUeJE@%6}tcc{_<6<4jMYUN2C2cDLM#159 zp!bQSjcy{`0*g}{Zld&hiI0pK_hAyA4=b)@fC=y&aH|#RlOsbcAHn1nENJ)V8cz+B zvA<30glt5lfdG8IW=Pi$aukP*&)Zx(_bz4-{(Dzo6!AqSx3F$tr5lG}h1;sYLoXj* zquxO(wv;a63H}IAUoJx8OA#Oco}~@&=%r)!^^*yM0~*K6DB zeWSo!Eyu~n=4j;uPKPb!)>}{$2eHb#Zt|JmL#qbFfwyjw4G4sdI{2BFwo15oMn4E|$H8$^)!1 z9389hQBT658YqHrPy?M|#&ypW5#p&PU4E^F*l&P0Ih*lbM2fWx>dPxEx!k3?>9%vy zOblqN%sLfT+$fFQ4txUE0(2F%4$&PKTvwbcH8J>TUD9QJ_Jz{EtXCZ!UTm(Y1?Ci$ z*zM@y3&#DeC?HuljLrd8Nly6DJmul!jG>gakY^9qnx)MCaXYIoNznHBVAY3+699_CEfM52cTWYI`h*ytDSy3bts+q*)}Q?Paya?j5ZPe!c}rK`N7Ak45Z| z@3y~&I=VpQT5oe9fGB%Br1nJ{uDlhkjUh_B3$@eid{=-fGot;*IsZnfm0 z#B$=B%?=u90x60wWxpXUiEtNbkFYxFW^FbkAOZP=(q*_#ipVU?Pl$GB@MsH(Swn8J zl#b-8$)qn0@EtQ6st(;U(wclk{5=fNs1Um=#cNBfL1d0EVvD-et2kVTVRgE72_qI3 zmg2Eo4b)9}BaXx#O>BpIdyf=2ACWyksKiaO3QIS|X6zXHMcBu{!4hRD3xjHj9V+EE 
zS!d|>av~QS*CFX_h!i4wikrwM)6}Q$2WzLO?`j~h_Ql3-a^>PEVRH}X7S&<^7m%bn zUr_L@X*5ZFn!%E#($JkQ3~5ujZGkA@DR4}4OuA9Ay~VyD`cQ+p1|k$u(B8Mn#u_Nr z#*(<>c~dSsezDsr$+uqDZZ3}wpBG~pg$&|k6Vt=&W)CRK%$f^ zLmWC27*X^Fpg`C376W=$1dm@Y6I9w|!$Mlb#ztOgVRJA|KVnr`Q_#&<55=mIOga(A z*FcZbEO=!3UYi@G*wt5xlljtRDJ1`J46HVB)Ih8k>7Vf4S;HTFpLP4WrR*ONhA!SC z0p4ON5(vLK()eKok$`y?e2Nkf{F2f6lLiv5VeFw+kzUBEX*$$4kEO+|kHNGB?gNJ9 zr|*Y`>Qs<{#;-<-P@gYqj%u9w!*lto9u0Jbq&*tp$je#W>rQ9$P8X^fbI*!<5SY&Z z4ZNL@sbDF5Nrqq0#&Z0t_!=`2BgTwIyklO#c?^$nloQd}a*n&mgdyFgcH386pghnu zxoNMMz-MtH8ImTaj_ZL09YWH4j7kUX+7fsi7xU&+BCd!|1hnezS6XBDkC6W6%e5FNkWF4NBm=!U&%6Y?k1-4 zuf6aR3f11?u*mI(jpb%|^3toaP}7_hj5iiQ9!-upl{W7E{qizS0YHv7$60eO^R_)? ziDr(!OQ#(g`6RiZlw&8R-gKvY~_(q4JKk1-** zh-CvMgg+fQsWeqB7r`T-4KobY53seVtDp1?;Q;_PUhl?^lq?yH2;NgcqhEjdh z`OLSBj;H9{U7|E;Q`2Y==LUUK(WjvBttxp?r~i>}zwJc?#or|elF(vuZZj9BTAV3O zl3NNtv{fF%R67-dFR0+%IeJd~m zq_1|ccEnM5ThhZBU84M9sNA|OXMz-K6n3o6p^O{1$h5_w%Klc;L+ML*Gqs9gUMHDM zBxoQ@i#qr$Ev|cxybj2LA+o;8O#i;Pv8kjB82D#mrB zpmRe+dC~@)qG6@ox{dp=ajFe_;5*A3rHiJdGe}ChG^T%>#cLlTJe+osJ9_O5?$C5 z{>lJ~;Qm?U428N?bx`houS5Q{S9^pb`rc*5=s0c0P`Q!B+Wx>P$FlDE^y8x1JQ>0w zP6Pt`gjuD5I>^#;`Awx4rOHKwsU|N39?!09-%E~#Cy-##WTfV1P104}~ zeCpxItqe!E_Q22%ZV4_%*U{H!?)I4t{VARyq05ko_8tjVJ&CWgu(R2EvJU32&J?Yv zQ?XPrDWaQTHr*&UL@M@`o_HY7+t+MET+}(7(nRv`efhk-)1#!qjDDe#G1Tg!e0M3L zjZXco!<$z=L(Xs&)s9+vX8YU9!g6!6j-T-G=ssba7I<-6#cEkd4z_a#>J%5Pz5>9c zvDvLk>EN+E6RQB8$5w1(=()Y*S)xRMS)YKy9yCFO&8XAf%YdtOCaD+LsV~Xv(j)Xl ze3iawl^yPuwXrL5qjB)O-!c2XHlhi`{73PgnCDov&(AZ7 zfAQ5o6x8oY^e;nBnKEJ{sh$1in5>%I8PzK-%RRIC61=d~{K4up?x-!&fiKc~-~LIk;xW_Wos!L9!XM`Y`%lpS zPCk54U4WYV!$!;H*Ko19%SCaeb9~hq=e%cT-qDsBFEWkOK%)fDWIj#tx;6lGjOs{L`=TH^ig&r!(4c01cBRttw!=| zNA52ux-F?CbHfKmUC9#{POQp#7z2a?X1iVCNfEm$gkucdho?>DCCxKs>5VG~J%sG27Ctxmkt; z_UzF>MT}vK0uf84-`R^)leM}i;Ri(xwbI}|lU;4?**WLNtn`#=jrey1Iq_Ftu|@@| zpWnpm27(1wh=>miGTW1S=`=3;GpUOHjmU;wgNb^%S&?4n-8)}zFYt$0@C2@rbF)@fZ>5F!S zvR|`1hk2|K4wpEBokPiTHpYg(y&bao*@@Z!0pP1wzvDXKRK6m&T8I_~2Uc`+nd9^=_WK=D{ETef(n?IHdhEDj`&4 
z4k%gB;dBI_amU?`X7)p{V;>`rgcK!BgjCVrtNV+G&f zl!i^fzR1EpOn$E-3fVVG58bOGa~b+brD?eF2U!XF-dV6=v!nPdBG+aE-h24b0~X8T zB=;C2?+zNi|M6gpH2NKOE@}|5t4#d>U3;uu<*Ho##8aK1zW*2~Ut2$*lif#2K4T%1 z=O+VIj1uL<1U5PwXI(b^4QF3D+EQNla_6g3aRlw91N*Mj{EGyBwJSP0zYFJ9US9Al z?~3wZyR`G?ANGvlHb=yOp3v%_CiD72mu(!nDC3LjN1aEV(?(6Md)^`H*<_+gs>~GC zUXelOA04()e2%w1a)Ec+xs0XCn$WTCIbA&oi#T$8L!#T-$9_^22aveBA&l)-)D$$| zRr+q*i4)7|&f!-t>jDsTQ?gCv#sDbDvSb0tw!qRQf}Y`4zg9_?p)TO60df6Refz5Z zDqi|UVeP@f#-6d1O93;Kf*A=JVMhyJUCu%0m|W84)BvL}V$zmdsJhcttG-fzRnHBZOe{~61E*ni z2vF`n@{(0K5!WHv@OSJs|t!^|;_Fwt#udVYUh5Atbul9Vt7lE&pe3T zec5ABcv1SxN2-a+wmB%g)BcqEQ`k0qyZ*T)T^26Ww@F+chAi>QYkDJ3%v zDWf@+Aiag6`VkEMztda(8!}MP-V`5deWhG=w4>eqxW@_S3}5AnE1S${QFFHJuX{a1 zJ(FU>5OQi1-s851i!m`PiVG8MuLr$I-D;Wu)5h8!$PY-X0qNpd*%6SYfo2OBYKFf- z;T@^E{B*TWiOJD7fxmdQMyqTwY9|de=?Ve{$#a8#@%%nJrR05gIXk>A$NJ+?5Vq5&*CXyxl|SyPXG_Ml^#N8v z&J2Klf~aM|WOV7%URXUlECiiHhUKGyi0}(MVWEM(I%}YU{a~R~X&_e?dXS|&6!{5W zR5WC?hNYU1+?h;Keb1apQhmrmxb`IU@Fj+@i?l=o4eV%U37r9*`Rj@tk^`vx-sCRu zp4{2!w&SGV_U9l{bzTFt01!^bp`Y9UM`c0V22T}^70oHtpNiEIRpw7M(7O-Kf7eXx z-&f{;6Rdx*R-b?f<2sT$izW}iDw2VA1xvr<2~zFU%leAQjWp1D;H?mQn85k}A8I!d zUFl|W={IF({ugEYN6EWHwLE@p++ut9;79UE&|TEOkEdx% zc-l*OYr>5hBUrtpesZ+1up)Mo^vAypLJ&H)DK{T(Ung#rcJMw7Sz7Gl%oF|G_lG+- z-qCk&*B^IdqoLghX8;%*v8>Z3|Ktw)pTl<; z#kQmMFF;a52t%fT(Ur8{RkKEVa&(@bh0pH_hJROQdvyMW$2p9VlC21z2TNs>$;rWf zQbXPEIpPoL?TLh4zDLf~S+ed1_J>}GtOico0S)BcjuRnuq{=wfQ12AO1SB#{P+GB- zDTzoYhzar5NWFgk`vEYR*&2sQFzuYAdm-D>KPfks-A~)4e|Q&AE#DdcC2tV^ZQdZO zuO~tq*vbYVLy&NM{z>->55kC}t3ZMwrkAb!2BZnD18IUFHi(Oi<7MI0#2RCcd&Ji<#3%<;J?JbrAc zg_K>0RN|g?`NFdhv&YOI6AC> zFp=rUY3yFYEzjJc*Qud()*tHNZFS8hL`qwgMLBIOq+QlVZp@aA7vyUK)9U zxKb%lKSdOEn6L#{m~XUP$Q@X_4|U3j}&i$UZfZYmL#C28dJDF?=nsrHF5uaR~JufHrqUPu&$ z#O7-tlOvzaW9gr8Xd`;lEI?E`XfE4K&VBcpLP%4xR0;KjMYi?oUfwZ_37vxl!inhD z;qLb4mB;uu91OltmX2O5%QwP@VHtf9GGZ{CVn-stYHP_F`9)#bIIEq9%=7#B#h<>U zNPf{FL#y-5=FRk_iHPZY0-%yZ@iMS>kv`y6mgl}SOab*xWzVeK!h7`!DFfgSYyd)k zVXOnzpE|#JJiOt6OVRTJ(M)FNIR6gZE1r*fjA#3)m*1=ofej}x?I4z4%V<|HtL}bZ 
zuiosNbIvm_$$e)@{A}zgmunR|9JFw|7bVCzqWHgA95SCRp~LL z7aCRjm6*ZubwXT)2GUl!%ddsGuOrk> zMt-zvRq@`K!25%T!-9-l5A2Msz}U@D-$l+e9N-G#sa6y> zo)>meIkx>+2j0PiV%9W4TcN5}3YIa39S{&bI*Pt3j>Ktb^TX##-)=?ida1BZTw^9lS+^-pziW#cK zPb(6rpB7TCw^dQUWmMVH7Xs&jbgWf+tb>xYFH+g0l$jj&HABQ~Sqz$o9tC6mU>RL7 zq2ee*)*i~*>qn9b&`v!@j?5IS#IJ9Yn}=cHK}@uVq5QtE{G9C(`CxCHMFqMd(%-G6^ibBSnwrW`-Q6)W znT$T99$~F!t71F|LW1_!C5$Nk>~5z{ZGX`NUXnW9q1!g#exH zZI2Knx=W8*Hym)j3tt(k>c9<9a=*YZ8&wDvCh(E+ZoHI3vKv=QAK}vw!@*I9*K39YDm7k!{LB;5DxE zi~ij=U>K&HK1Pq`uDvgh6jEWmj=^G&jBG!nQbmALX;xC$)VTZ#aRQ@cZ6pF{Y~2lF zF=me))*S2fchC~DV{ccoomvWF1UXhY**zeor8c4OZ1GMMvxyy~=8S2ez~ey4P)+@@ zn2chy{#9YTPPKR}C->YBC51(3zuer>6j91f%qkNVlW#a+ikl<$`gHyg{0<~Cy zs>7pcu=fmk3Xe8>05uf4u&(A7)OS8^c5Mz8$oG`OkB_~kpB}$!+$ZV%4D1nAK4|MO zpL3m#FO`!(mYhf4%jU7nX3l#td6e2n4%9&3b{WI`yJ0rW(X?!ehsy%2j+|UcHE0@- z+#TsS-nqq`&e=z&;G-p~$-abMv2nB41@p1KoI#}tF@pbu%^q7yHwEM+ZULpYN@{47 zd*395=j{GuUpp-4h z(WBib`t(XKI4GF~k<9m!Mex_M{c?tqM2Y4xqXhX&<1DHa0cn)fpzv>()8V{~SjT0v z)4GY1rzZ^TY34;I9H>ada6Y+Rd#8|9L&OZ&@o!n%J0CA>9WQYSuL?IWOtdbhZ|Pdj zK;7$1KvGO-IKH?_{SY~=w%~qXWXYqe9L$<0;!N1pg&rowdCo^i`PC*Z2{8%i0bKfWd~KjNLc|KgFtxv#Dy05{K1qJV5uCUDH%%qPy7ABHllix49NCl z--8^?0k9w73TNIq#8-#(N12IkY0{A*vGpC5kD3V#v`;3p`?_zlh8*hp;gr0337!Rj zd0iViN0#mHpxtIOJU{HiP_45tgBf#{6{u|3&zGo_2PeUjB1qi@Q%P7Z7VFxi{jH;3 z(ST>T>Q-@qB4!iOx~MmpnQhXCzIks6?fglTh(Hw`N$5Y|V2E~`Y?eE75v>8~!hwsQ zRq!YCmh43Fr#__*J#n{?C_%*-4pAJz81BnavkTP-X;Gb^R)MlAgVUu@Q-0a0A@)&u zO6H&|fp=BtwIFq;%;fX~>9ak9Vz_SE1$+!Zi)MHt7zU<gw75d<$)Tk%~BN|Kbuf=mg2=T7<-KJ9%- zkYg`m^$O^pVH6llov&_A4W|;A3I*#?+lcASR2>SgvM^DeW$#>VvZiS?IJ2>NFGU08 zjrtHb*s{@_K8b@%LR&huf%C#6S+qk+ZnLp;c4;vexy6_a!Lwa}O<~nF@`HpAwpSp4 zXx^`UC&I;I4T5nuLyVRVt#7XYG$0z|fB%^JjtRVRwyC(00}P#`CoaW-D1L9HSZ-&( z)HP|xb0L1t%$#diC7tcvXX%bzd|)Twr$U*fxwmZ1%Ra381r@9qD4(sS<5y*)4GQv& z0Bh!^Lq)>FtQnV;GH^?R#Z~{KCEA&EyXi~&V0a0>bt-2rRThD+$Z^P!|ZnDv;Tv-Jls6zkVN^5ZniMcih(l`zaWw zQ=Z;O`l8O-cJr+b79QO<)yl~Wkx%+K%YeBiY05c4{nGJc>GSLC3cB`lAfvl}EB^-6(53vAk_URkH-~@=Z^SES@N3_z0&{l&C$@ 
zYDOn1a2ycJ5wtK0v`21%`MH|*sI0#%F!G6q-ELudOt7!dc^b%ncX$J^IwV+|orlx` zVF8f7{-qW8qNKV9NTo&3E8Ig6O<5txDK#W@==#0|E)~KQ!y#%7gnO^%u#d6~5I-gR z21f@xqnii(XO%_z7r(VR9*^Qv_Sc36#h8URn$!36s5@D8WTV6T%QBGR?i951-60tG z5gy<$yTp3N9%<$ZZlxkOY;cR)hx7&u^(wfdD@F@J?%|@ z;1_MzCy3V-{&L#RB;|!|9Q_Ut5G5mG*`ApMvpHf|l}9i2aaL!Px^t213iw)(u~To= zZMzdKGQs9#yfnq=s$>$u3zn)tZseZfXP;m)bMa8>Ls?t~#bb_@c}oDNu7Dv+;vB2> z-S%sI*b`9)B@z{UkE=ub`%>gEQ(eT*WV4wQ>hR3ymN16uj{pm&HWuA;bUpaHugCp8 z^IWlD)z`PF0lC|e(3TOgtT8`lX(ehZqUSy89R87VZuH!@`JHz)kWXnj*ucjh0eh;J zo!_g3zh;gNH$-ejUksx~$cU&dRG7lEiN2ctDJUo0rRY<{Cf;n_ZJqwUC_8XzreHZ; z8$4)+Ot96*6M?Dm;O8upI3Y_KEi`UrWHpHNDvM7{Ocdi&ciNd>`}Uk^oYXNdVnBon z-XoK~Gk~i6b;r+fMBIrM!RXCgKxG}2leq|Hi1hiRJgK_l!+os^KSj+?ix(?McVztb z8RAee!iKxeklHCb!mekz208?*0}=J~d^7$42qW4}2fMEpFr`34CS4X{)wed26mG`n z4LH=P=x8~p^m+7N!15LiU(U7&I7oC3(e_(RJhR@hFkNy&x zoRRPc5n-hT0Fp=zr10I}xC?UZXSGYoN%frmvyWA6x3@GtRDVGN*F3oS$52*DCzwn_ zj^5$SQn4edCj2QQ@E7zW9{#I{L@?Rg>Q03b%~0gJiycd&@YC$ zzF=PzQ2F$5LwU-0*=U2+Sp2@-j2D;s= zpkmnmb32punh;;i>Btr#q<$7EZk-^?r=oKFT7Q2j( z&NQEjGW_<=0}uXa6)Hs}0-)k91Cdtm|J}U@2kz<6|5lj(?`}P0w`ThPpQ|-k_5z6f z+rNsuOdt9$sn93lcL8e;s*8eL(FNHs7{zuLmvyTkZozO>>a}diknQ>|vlJ7|r{ygX^-G_? 
z{Hw^ehf^$O;>+~Cx-@m^#a8B)g0~SaJ+yXho^3TNK9yPJf~g8I?6z*~9@^GrV|5Sk zh7>piX0z&nX`GxUY?k_p*l&n(r=%*nNm0u~q5V&(w+k1H$2)J)6O`8?8#K@tnk-qS z9fh31U1#J8s)40o$_oZNbo-JHiK634yFMaZ1Ns|)$nmwKq=4{;1UfwKxOpWxhcOLp zWMGiff{vu#Ot7s$&Zv}iVB_%inUs{h&(OxGQA3PET<(Zx zO(3P55eF>>9)k1(>-%y%QsIo> zZa4x9iS8oSbrswjhv8M5d>d75H?L0W9I88i_m+`}Xkz#FK7yD4@Cpvy|A!=rN$i>@ z*8d^TGqK6MxG4S`R;U^6YX;%)_!3vk3pMSkqTainK?Xd@z=bh|tO zQ0kJQ^5w#sn%p$<>bm~xLpnvH8i*q{A>z=E!-r@fsAKO_V`M_}zxRdsgp#z^#eMHJ zV-TGnq3!~Xm>>o_XB0#p`sAM6v{$=EVC>urYY!E}x2&CW%=b12<($9?Z07KRUVOTHhlIYihdZhsrc%MoFXd$JRrZPj8o!J=p)VAo zAT1Z&$?hO3KvphMk0#wMzZoo=4$oy???b;N)+-%Xgg-WocP34aB?-jcu+n$m5aUG~ zZJc~#A?4I?RmeiHWtxf1z~N0!RL`b+786+ zP;s%Nq-*i}5n7s9!t<{v1>Sqp-TsMuQGqdc(+UL}zF9WQxE z^-|&+ZZL+;o>-L|4!5%Ak47BpI9IDOO-W(?kfLm^mo(xV7$a_v&@RLvTNNtWSnKkU zM4(j`+b0se&t<@O$jfAo%Vfa%If0h}Ks!79T<$C?siNwt6I5Hdq=m=ZIcKQL+X|Mt zgjFtSa<1QEyj*OR0JoYYyiEg^(#xNIa=;CbUWm?@V=&;g2N+%*b=~%!$ z-|7ab`^P1Ed=Bs(o=y%C7eq`KMc*o4>DR5>obP;-xoE(5TX(x)Pao|q;96@XZOzAI zH2i!nuHyhNGd=)+h#c&nIqOSMXbq2XcP zd^g8tuaf2noOZ{AW8p)@lPEV1>R^vViFB$MphH~q(vO~nAJOX6lwTAX%sYK{p)so) zP#<&$^8ub9a(iu}D<}7k0TPop$Zo|l#7MK#SHy32 zK6a_f_Tz**Mt(?Ro016GH~lY#Qsd#jct>$CKqNNpd)QE zV)B%a^xUEp}r%2j7#YbAL%eSBo%L#?qTrOQkNj zYP-WP6+SmigNR9c>GcRuxUWzqNZZY4t`!nutvgAdnYF103#EZWh4ht8{3{K7V*c@! 
zX38!-`EYK*7DAdrdHm7(CtELQAd(k1hdN(Q2hzPOyTxnDH4}bF36|DfC}VU0RsrQgqqekyS9_Icbasz->vuzeqYsg%Ar6F6kseO$>emHUfI*t2*<+;-3rJnc@l|}RkJs0R7d|EI= z_?~_|p%~Hn6gG%j-?c>-*WLhLc!5QOrxP$FMha!P{^K62!P~LAG*JAjSP55Xyh#qy zL$m&s7a?f*9F<3AQ!Z909Lhp{`g}c>11aa_hGZ%TKcdGOt2~6{N~~_gZXxT2P25ta zqVhj4uY_jxd{~MU0TN>Pa{*&kX9P)|fEu<>MYZkYWY;-I5~XZc(fpi@>Tte9uP;Ob zUnwEArvtvXit|U{dZ-N3hf}-yQarwG@nN-cn_YEoQhM&1J>P?4Aa%;ZkoFVQ%4N-$ zY56h?ooa}Fpl+5oXLfl|e6|<0Fy8BLNUh7O<}>?F01z{0twOJzr@VbA^2<+5y{`;hbn(VG3W z)+kh@nixYZZ#v1Hm3{<~6>vx#Fm3ovfxYIe_6+~?q%Q=mIx~9sYg#{b?9tr?-cT~} zh8Vo)2>>*@km6zQSxx<>v^l8V*fg~8A;Smck4oV&`2S(=%j255wzjdTIHxKoDiB-H zpjN1gA`m#G79&!OIH4#+i;9Svq97oUqoN|HL_nnuBnl!<5D^e%ipV5RkwHcw%#k?* zgoKVGsasq=ApkaPW0p z8M#DkRUR3@+Ikx0q59}~F#2gNa_{ztw*AB}FoNhO$vRQmQEV-=B?LiwW$ZRxW2ZP} zU56rFt7Bk0&J}_*U~Hd#ZFkd`luy()$|lidY^d8K+a*5)J+`B3TAfeavFBX&lIpmd z3=vjjMU@L$N~J$H8&~@ao@Gx~Uc%g(PN0PB$QWB#3XJ^T**30|Md;<-1-BSSA~&@UZu(d`JLvAJ9(mCuPnMA<`x3uXY*j>I`sgBxpL-c2t|2Qxv_a zEYtKuh~U!2V%U_r#M zI_9M)yOW+tq4xUmWhzr?UJOux8&liEoOsN8PT&OFZvx!?rDMlq&CD+FwNxvjNW9wd z9{!Xz0W*!mpGjm3@}?F9l9cQK5b- z`#Aq@MHpkk31U~*1d9y|?KpRwu9}}pcpX7iK0i%9%fswsG!861j+O^C?p|b1TA%zw zguk0tWKaArY;#6;R%rtdynx$y#bg%)ZV70+JSXP(IEAH4Hq`M9Skry^{Ubui;-z9B z-k31AxiTuOOofF7)L_Oq(YjL!bvvC3*n&4sF*~zuvTyu+91oZ%A0cM+2)w{&_^~6p zH2AJyA#L(k^=BMxep>%$44r@R{g9UdCNf$h@dR$jqzGS}^}N}>3LIvld^?-(gVtU} zyNaBL-%uFKBuiz7h{udFEj@=n@Z8xi+(>T2!@nT?(#-_Fwl*G1PP{0km7CPA2HTKF zA69hR9oH!*Z;5v*jHmH=QhzgY2v&GVfD`5;%E``GxmvprH@ZKR_A76DJ-a|t>MNp6`UBgh2n+vag)o3g`)LP%GCoa4 zE1c{?!0U9Ei3W~D4S-=|o1E{8Dh$vLjC9&} zpUNgT@+Uyx=CPnw_l2kU?tem$@$IbMb|FqooiyuAH-6VsD2@0K(L{ZLG{Yu(sRzQ^)dj^%q)KJK%ma(^RgJA&C6j*YKJsv_%= zV+P92gDwvC0Ndk7p}-^pvh*P%42Aidrd<| zU@l@(56?t#32i$y#mX8a-o8E@+RF(gszo;RcfwwN zMZwdXMc$-5LYFR((4wTsU0!pb5;SwpJ2PQcnUlxTku}8m5_4``_bpvjMz-`w%!s?W zQ5j95HU+}o9kIVTB4r>`{$NbtRl?Aitl7qul14A?#D&HhoS=mvWc#=()SbFT?8gFj zitz!Ifw1un<*msOBHkw}y5v{e42i4B@=V7BD_JaAr znQHMin?5cp_QO*T&MJ2NxUi2;9=!3#wKG`NgPrT+5i&TO1`Wudtsb16KA5`)CyBvH 
z;^Rr;ddoT9Q~8$r5~PC*G~w^G0ID9VTDbfN79MEPW7$WW^+39xb*Nv^dCFVZ(P;XJ zSJf`a*IOV%uT^6D=_1VwQYL3-2;J}J{?&3RXQ(mG?LW?RMjoQ4th8lOw*#ht-k32F zWC;SC>tzdN*tRhhE7yBWJ&dr2g<9_nk;px{IC$mf&dMLycm;0JR(uOfk4u#U=V&z* z8v!}f$4J7$T($u%#Iw3x zyLP)tQ-s5V;`qL<_9DxITjPR-p^6--Q-5VVQ{n0m-4s3@wx0|k7b%cQ%iz~9#35xYAYoo16xUgB~@sMxyC7lk+x z;Q9r&0DY`PXhI|4Q`_wtiNj=Wn}m8n%1E*~=ZI0NHpMgwN zgBZU@oxU*pRzjt_`O$Lbl}@}k^B7^ig(ZNe{^fC;hsM*KeS?-4HwhCT%#2Ii5XfC| zPccUxbs7ys+M?C=nyiV)lcr5DxM8q&DZVjQMLZ1qNH58}r>YQw${!Nni^ckN9hlq+ zkPB&iJwc)E)dSJznbJE64;(B>QrM-93>WqPnq9(n(^?;5N*Zpy&!EP>Wn-yC%uNRKBw0X*&Op<)8f|s1>PqyNL4>SnyC<7jXA0+ zfY<*1)%AW=-BmGF2W?m^R6u_Q9ekBo3*Pvhbr|x2wfW=c;pL}98ZJV?(LU!1x$Da2 zdIj!tlb*V?K<-($OL4IzbuPn7R$Y-dbzKrMH1%=c+;LAkr+V|M+0T-L6hI;Pu_HX@ zpusuE^!wp0eg+W~i7p>^TI2P5!>JlZ*XN%)Zq{fia8)9Y3n3+n`LDp;`gO0bvmzCC zf0!3DXw@6>6_gLe74BVC)dGQ&=^%<?$(oL+2#5@dz=gejQuO?3OibLR#c4fGB; z1JKI~SMnq}-p{bv%9LHb=+OcCVa9Zs`V!g2hUa7J?De~%s9UbP`@dE51$Ao$&-fWW zs<+my$>%Uirylc^ePK72&@k>+JuvHfa#qImL|v(y`MAHj)33QVzHLJ~%=AP+I{p~CzQ32sh(ZSP@MHWB5g{t)z(Iv)XUS^wE`ApSp)*)<{> zGG^`o4f_foUAhbNK#qIe53p^x(Pv>c*O{CpoWU6gX{u5{$TY|>l}I(+j5`$Z#FT_0 zCF(1uHN%GYv-GV+O9R{A@q zCa@ywpRe*r7}u{bT}i2;OUcKxk%MGP;Xd&CNkH$pld-FPHUIL_4bO%e5;@ zX;x@Tfeey*xL|QD4voPI={LB2bM+B@o-!~Z>#F<#!b$P{hL*(5>);&O>njSFavLHE zboBh|c2WC?5_5r1K))!nLO&e z((P~6=3(5PLTBI(vrn?e;&TIo8#QT~P?^p@@p5dhppWLoIn{1#pWtl3poL30eZ;Mi zJw;Bi-N(rsyG5~9M#(ePGl)P4ZRnWD+|uXLIh^Rw=uKO6p^@2af(Iu!iiYbrlD7&hb9stBGokS@dpt)GpG zy!8;#2*TX}?4Hb)jbdZY zdcU9PtsJIA5*pTL*6g_9B2I8_v_LR zmi3>3(R^^uXC=-1yM_KQKVN+cu3OoB(rxP*Yts^Bhy!p8Xr#CA5e^9>m{%P)1@x~Lr>s~bR?o;P$ifPZn5w7#( zBiW|D!4E;h6QeZDT_j#?f=u!wR)3p061eXQHX?MSZc(`V;<<$^9nsf2??L2I_Cz4? 
zBzXxGntGdl-X+EbqF4UM+|D|zqO}uHAIoQ)R_f2VD_7yIYkL{GtE$VYeuh*qULaym zJvF%aT~zP&4xYzL?)Dz}Vm7ROr1K$llcTO**E@YSH&yN_(pLb>DW)uZC(w4F8*%5# z%?QV7()o~bW9R;hJQM9(LF;Y(|XI*5<*W#{7KSxpTt(T%)LpQO}?ro5<9ISV~4 z$(bo9r|@xLhNQ}U9vaJLO)fM(j-^g8&%_SklM|nHqo0+c+e$*2%s6rOdxeD$1PfLV1A)pq-9$IE;tHi3tI# z8xs&aVef?&W>DX>ghl(ePo@+gjGetLlrRfiS6nslP0(s{;z5c+ z3u_sb7)B>gxozEWe!3m=o;j(z9+mHD!;|zO!vCqbV_!b;?xHkKz_OQ^X+4eLo4hvr z6;PWJsN=4lrnK}>S%GhGCu?AE*4a*A-g<_vzXl|vH=Yd06g5MZ19B5nWypFUXl1yu zrDNIfg=Ig`m0=lNBO#}E<2n%DwaCg)CTY|-j+uI2e!b&B{ITBPvRdOs=r#1Vcsvn3 zhi@+giWdZs``EQh!WktR2a8>9fbc%Ek$WP*_=d*;`eE-A38r=|Uy@f<>oOsuJ1~U% zj182;YyKTi+8JMb|1X1~R7m%Sc{M3!cn?0br82$3uEr9FZ2T|P`U%BKP zR3wK?9n*;K7(~5mxk*c4L0pdZ=c<$)14D^&Ro}>dcbN54oEE)vB~*PMTPcLdUK`?1 z!8m#wB2=NbHX4o_JU&=IgZ*Q0d<@!$LHjs3Km0G8AFust}0X5|kf$7_lEs9z*_zA0PVqhRsHWCL&P+FdBfUgfA+u07JV2Q8a)+OQ_o5 z;r~Rn{21{_J64tT#}BEjR5`6`jxnKz?_6NuJ@D`qbAb1tT4}9?l@{e!#nN$;P)XNj8Mp3 zWGwP2zzH&sCgjk-%-}{dq+yLagOL7;QRA+6r9p9>%tIba1k9~$Br5x+F9G&WqptbJ zHf*X+%OQ-G84-rbf|tKa?U@vReD~J-nTJ6=0;GxI$(#Z~x2cWBN^zv5Ewy^qjqD_h zuk?K?{Y7^4w!6g5*;fN z7aHsAWRGX(rJpon;^FF*at1>Q@@YKSgnsN@-|M(4pLbz3o^3=|rW95^BGrQa?KOPr zPWA+{r)agk=xFP$n=(lbS9q#gHpS!wCuL(Td3;V1Ur7nqd;U&Bt^kyR11yCb3n$kR zM8Q%QrgtOrn2T9~GIEpI@lx?!_N;qco7#X+8;o*JwS0g-BET zy8`R!<7LTtjES$vTViY8Fs2Kq`npu)T_7FpzWq(F58r@A3D35zBd}qYbuQ8oy%+M@ z&%jI}CH!_O!A`U~Pj9+VDLA;0I66BE-R3=$9arm2dYzhDCAbRFT5q1nXNJC5A4Weh zAmhsQsj3Ad4Muu1^&Z!a&m@lVA|AnsF9YaJ^s%y_B|s!QIdZhj-yuaboW*S2g}=x; z1SuGKu+&78mFco;t!vJSsmXHIQXn_@|a=%_am~&GK=TIVMt{nDy`y^wl0>w_Yqbbh2qNzCE0L z1vbxrBPsm`5qlD}5F7W=`U6)%d3 zUpdN9$LO{3k6r?8bxysZ+OUFGP1$DcRN4(B8dy?SUWiT_%{w_v{pDM=?{<*R0HtWu zd+yXn#IS$+k4UxfQuYbtec6IY|>=PZtWYx__@9v8%39!+nC5ioSy zesQe9srWq$4tj<~t6_%Qzd9EvdD;+$qZo23$$ampt zqWxEzj63HTPw<#Zl3wzRSzm~pW=nFP$w5qa0cUx7MMAa}HcFNh=gV*89>k4zrXxY# zx;}Qn%Z1{Nuifc8*&TRUh#s$Qmp!|;Bs&m9fQP?TOW}8F+zv1iw#LO4Hk~pq3~5|% za_ebXO61B^{Dm0tBOjqUNW!#yiA zv(v@WUCUG|L}#niFUekn8YbF2co{gc0j)A_c*S{$4w2;+uqX6UM^Z)VUB%V8gy3vG 
zoi5#g1=qD9=ampwy-B4yvW0fMoT#^uskWmU!3?Uy!a{tcPff$#k>v8&Jk-b}j5^@% za@ON!z}K=;1qss^@FT~iMzXXTuK7i z6%svLAr~K+A+l(6xzc1u=(IaUS}Szsuq~roA2(-4>PeHL zOpd`asc&e> zOzaZnAkw*|l-qmLTvGk$Uds=?{AxPBVs+!>UxVk0HZAl)Qux@V_&j696v(+aC*uCj zkCpoW9P;=>qVdlUuTTYOELpT1yLB?cnny~~)*rfG|AJvG_m_?IuQuG}=NHz#IpD?9 zM$Vds_wPR$_;RTu$CDKZAWez`q^T)C^fSpSt4IyY$oSI2^^VReointI=tA;ltHzyzn>yZq(|Ap16`vpJm9d7PjV9})ge5fRxc?P?D@H;)h6w>QUkaZx% zhgP13_5F$8eQ1OF*xb^SZX`={*Tsbau2bU1;{8M)ZRK7u)Q}G7q(ogRl+=oa$zB0m{BOyvWjTj>OGiPxp5(h6m0Ig=7dF zXve_I3HNgTEXd`L-!Dlb%{i2D-K;Qsob?nP@0d`e9=ABCwt!b#V6{oTkMv-m*hceq z@cyCqG?EqGMFqZUM*9y1g&$rf zn9laJvl&v}@W&he+5e?`MsHba-XwbXkkmdF7U?4o`zuSu2d!3GZ1vGEd-*U;6xbwz z=CY{w8afc_WZ2cBWB}N#F03@v@mGxhm93^>2Wxw~vnoUq;MG5Lz(4-aY&qH7Tlk}! zcF##ylZ*Q*H1>SaeC}bl8Of}hYLc?D&j;cN4gdDfkHc5h+~3vm^9WvDfwj)SY5Tz5I~r z;gWGnhc8{MJ>7q*L#}cBxy{L9eY1m&1-?$ce{|5LG@{R?Zio8=d)0LIH-`D3 z<6e8_JYGD|q$@hPT@}@O-O~G~q{n+`_ewL6O#^}&?XG2Z6Rf(`_e?)2U~}{?xdIQ& z!ER5#9CkBQ@y6@Ynum$BpWK>%De~zAi~4!f=k)v$Z~Ux<^7z!CNTSm!Sv!hHL)`1@eyu_2}*=A#H4x zu?$uj%TMwj2Rx*K%8OnophwAd4@B{eQOBCgO?*p6V6$TEuPY;vFRA+SJw3_&tWBss zOXB ziaZ0!BcxG0##reo0<*YPZepVURotx~X^Gyar>{K9&|e?mTTUJly94CeB6pgb&*0a5 zQ@6OYIn_%t0ky>Lmzcrry{Lr6)YFC4--)W{)ZvqXaA?XP1=y95-M1)1Jg>HAk4}{c zk~6Dxq9VDk4*~GuPULZw&U;;Sl&5f#Z(2iE;YkzzaF59@#54-KYgY2J@QFR?q=7=F z@_y5GsrOjRtAu$mS+3HhN|p(ynwZC$9lS|2wlLU)Gg5Y-BhS=vQ8~>caw~!O%SF@p z{*G%RLFfE|Yr*wdt_^$AJVm3Ii}L!{ox48ZBi+`LDZSBZZmyziTJ~hKUxBQfUWtwX z2#?%2{2^C+AzRyd$D-`vuMA#!Db^cxU-7FCvjFKqIta|!lKPSIb*2ZQ7U>~GO|s{0 zU-}Z*vh+^$Me*;?yLQW$<}Z= zF(;`QN9R)`1H51O(xg*lsZADvTY9-e+oK$0jCTLg31RGxdc_+y($mbu&-cW(OW>i4 z-rSfG(zVCHcGa@xQ&<`WqDsAWU2j<1Xs-UpkiF$Zz=FR)JJQiN-s?W%nU@BO#ym-J zu+jhSSF4(&$MiE{{N&_3-~WdlUu0={D87Jg;{eFUp$ps6%ubM&l&kW0KlA~W>%^r- zKPCM2DQ4RHw07L0RYFITsM4Ar?7=nB%`~W=XaTOyl{q}l{pFU86SOAq7c6*~1}cpG z=$2tib@H7chu$#QfS1>y_0SoP5~s4HSBrk8FD8$ zJpFdI!@9R>zZWDO)~|Bj_#uWZzi9p0lk9yq>dad12gQ8wP-feQEuYQ*y_gRkN+ZBV=^atw z^gE)$Ody)Zt#Ty1Cn^kpGK}=3>?;wk0X^7hW#~@R`o^25{wAcM`C{(G$|AbwP@<=l 
z3S`1rtP!$Q#XM|`Xd4sazb<1tM8xA5LiQPOW*^^^(h-Ps*(xB{2I8l9FsG$@4s8cD zd10ns(;VLMy2a(>B{#@>cRICn4xBBGVf65#u|i0U-7yp7zL~e?dQ*?krlMORUX3wL zM9HVhzVD-{!$KY1Q57G|;WS5fIlBC`%ZqBPbV7Mlxx4ckS}OXe=fqnzO)Gtmsj+PX z$oY8p1Jt7v^Hn!jH8z!rbvm?>djkKoU@qMMI@OTb-0m z5ozQwER_*`%wsG=Q5rUVDllo>8`m$KmC^=x8!9FTAHtY*e&Nc2K3*s>70o49Z=}l7 z8s>1cHu;(t=1q1Y573U&P1?GVdsewaJ-MvYq+eLupNlFU^*Ve*F@5mu05|JJU@ed! zf*OqToY6eSw5YkA*zv^t;!gt~sTqFg#omcP%+_FQ^otz{0?hQB| z-W}lPsbu;Iv#{|<2y)jb7Jr&9!JhYM4DgJoaAx-Sn2?_Yvm{SdG}Kw+$B^}fD2<>J zFWfDpH&*0w4zW{$4>r(4>I_6a!6t#j74})L_Uv|xq?XkA8Zfsd+`>iERjCmkC`_=e zGI~8TSZbvuqBAj4BVmjT-IyNPS%FV3b1j<-VVCqcmug&O5UGgRCGKdfoU=tlGSdd@z1uFJ*Q3JAk)C%Acs)C(W`9(|rDT?_uqZAeIC4R~6+**eA z-dz6wN>lJ3OY=eJ)C-i+-7t=qZpQzsz(y{4$;Vo>fG7A*oG_V=``*@CG5ibcc z6UniGj$KHDEx=KELQXZ(0JHKDH-$b<;44?u^i}0td zegGVK3eekCkhJ=bq4dxBVowC@Sm!p_b4!Fhw_f8vhIhORq^Eb80)#zF1fq8Dvez~z zPR(Hdac6G#jjsTDQwP;<*$hG_+edyn-VN+~#Lg7L0H=y|_j1*; z$sYVw;9m05N1!sEllHL{aRjUT2sHMR2D%cJ{H<~ zG|Tn2vbl1rTtM6OD?tGtbA=_FgJABxWy-;?u zxTC^Kmr;>DT**SVBSU2Vw#B|G_0j5c%zV|H1SDU!w7#i%&jG;-1ucn z{3?{L;0`$U$yl}uJ;vj5eo87kgwxY^YPEfmu%^noxy^|tWnEF}5|2zWEmYjcF{aBt zQDj2}Hk)ulPhZHX>FT4&D1B2pt*QtE8K)xr{5#%2Ba+;@^y_(t*o400doq{A%8c_X zre;p$-Pq}5&@UY*U?vNa_!{R8h?&qdJ+*$kt_n_oQAM`F8&r4$O>Pn&3<>1QfREX4tB5)9&1!a~a$w3nPNIb|!MUMg2|xSO3FrCUXmL!G^~%c&Esn~qQH zTpbwIDW-TUxUYBdN&Tfb?zmCpfsYI!JmMT@O&9iNe;d&rNN8xOI90c`lv_?!m!sPh z(38RW$AVqbAi_T9dxkb2`%a|$Tq%&YFpqV4^?WH?i06|%ixP6KDZ}dn+r*UCT_6vD zW+d)gs!X)f_2uVJ;tEgu)+iQPuCC9OAr58NO1k3}R@Wu+u(0DSSEUl}0YOEj%WGH1 z_UuLd->TV08RPZ?+QrdSA2uXYqvJIL>`@NRoPwSqGP{Qd;!au-L@iwA+&$AJqzA#2 z^irz=$i!QP@Dpce=HB@;t<%{biV&>*U=sIgz?RHUfFwQd_R$SvZrj|hv(d|ca6b&` ze*?HRUBOV`s4>!mok8h*l-Hul4HI$L=m{(_x)eQf3@~i2*g?sKibA5;{rK`PI#r7u zzG|`aln1XjgILqgm&pAfXr}q{;B|xbGT2`R$HSnV7_^^*^TYqDd2{GHobz`dg894q zu<{)!sqDva7nCnI{Lpz&`(JX^d81^%Z~UjWHUcikzdWkf!Djd&V039Xzsql!@2mbk z7#{K)a=uqy0w}C8Q?<4?ivD$NU#^uln{(l*@>9t~Mc+Sb z=KT|l^k!-Y85`9zx5O)AnH8*z z$Pr6J#D1u_Bz;@(B|q-{ZGE9`z`lwWO_R=-MGMdIC=W!$pg#NAWA}Qcr215mdidS? 
zooEDAYEZQrvsQ*$%?g+N={;*j~T6)LTs*Gr71r?VeZztV*yuyBjyTa$=)9P_xxt){<18^#Lh#}_*5 z@z-SENxjfgA4cunKu)8`v6M(Gj_7!v2oiq@T5tH{(5=J}bW*HH1JlRHlrJ=v*$8|W z{!rCYL^nro2e~TcNF}rX?9%`{nL8(7x+tz9IMe=GQJlwA2G6Rh)*!;Nt(Ei|ItG1% zc+HffziaLN7a|FNHDzZK(?(Qvg3Yv~JW*LQCm69yuS(#zwd$iaIR}i^hpGY1w};qh zI;bq&xvY_`@F$wf;bNhx|L@)30R>HX$x<09!}n(Ip9Awh&RDW{-LDBjbW~P!gsQ;9 zhd*DBGX8lKN0RcwdTSjRRK|^ef{Wp)#LxB+3=SdtMBCsKd8cgozUlx*7Z=; zQ807xu)jXU{)#iI7oW9r9n5X3Q>CO|etoii@EkUrB!^^pvfr`@{cR-pUxz#I0o*b~ z28^{|XG+fs*1MVVI-`s$-p3x#?R0;o!nf-?GL<*bW`Pwk1V1Tgym7_Cr0xS6d@~d80%dT|3k{9`ui67X-3Ey#h+wn_o#Et=(y;Wi$ zTNDJFv2+o-UU~JK$pz!v?q!qlyo{Ih){^e4VWQ5}f}riZd5E8wAvWiOp6kxHYRBdU z{P+_8)~?Co_`9$ zTj`gP+;?~GDtx1HBEX@6R$bcgR_(;?&V|O>I|eM-c~#hwxQ?lgM~yjMeLPF6WfOm5 zG@=7-F2DjEwkF+u40Y@tF(*Q z(}}X~^z^j8@*df}=i2@B^!w<1zia4xTcV=7&wI9F*;1q;R~r(8#I24mGP4`Nf6CHy z*mO;0qQEHq{`2|aD(k*}H8a%mBJ?hy*6b|JA#}xdx?BLAP?i59&q0}Nib;}z$hrmu zNN2}sZIUd2Q+GXwNe`fVp%x+wMec2fnPfkzO7UT{CWh($?I+F%^E>p{chU5>{nQ!z zo{dIp7N9%}1RJKxw%m1|D~M*lOG+|+tzj%{^G3YtBJNiOq2Q3zL=*k!iEr5GNWS1p zpYbIxctC_*4brT!AHDY4<%WV^CV~3x2X99F;C441DCCD}AJvWFhxgN36>53)6DPQo zeBv3APgdlotNK52#;2Pr>r?Og$;t@$zuq2Zt;4tswQ~vi?!v6;&^WU$8|HP>JbQzx>cYodA{zp{xzgr2P9CU+YD(^oq+x`1v z>XQwI zr{?)jp72R$W!9(tCHa5*^!Gp09Ic-5YUa7$-Dm&rV2ykAx1e=IzL*0+>rdm+wl&`G zg4WsCB}WKaR}pCb5ws5JEq(*crZQE4*$f|csxfv+kVjWc^`7WZS3>Q5yShyjUac<*?tXZ70Z$ z4iJ@TKmhUcK&2o@7!kV#_{aeM^m@G#%Cl*dX{^;(T(ImH1MbP;O6LZib}M;agNyOP zCl}VPTM$*Z=}Afa@&Vm`Y*8@8S_*P$zz7(Rihxm+LN*5O^whU%N*Qoj!z!MgaikAK zos&k@1#qw*dvs9V6I3=AJ>Sd!oNFEMxR$KA{$T7!!GGmSb{$c);1VE<$Sm;rQ*pOa zR9LMC@pSC5D2~~HEY%KJZoU+9F`36(wf;t9+=4dWfdbFFAN57^UU(K_SUfDTE97kZ zw`#dNd}(+9jkSGze@zJ!_ zKp;Miz0!cng%!YZ$)jQWnX=skSO)Tr0hNgH^;@;3RLKlY^oAeZJ@Av4)-1toy@QoU zUEit|FK~QzwwK=pt#6Q?i$4N}*PHXVit?K8@8ZsX6zGf`SkdoOU5@cy-bE%Rzc8+6 ze2rI~p(Vvrqt4Anrm+_)u-S#r&N$dGj-Wa!&;}rx-+%sAX5gXS9lYtd{uK-`qG8k4 zTyI#f_FYdH`>c9PTj5Yfzy-t0YKCj8hYwdPyi=s!hn$av;O|CT1KfZOs%&aHuGIb>(SMZ7og0+-dsjM-l>uZv>O z@A^6LP0YbD0Y}jz_2Vm>;>EGol~7k>nk2QdftQQd>0Y!5PV_YcX#zF1dIrj&H6yb} 
zzRsX7DbmX#fcEMK@ABc2{t_W^K~GTlz)L@ERn=#x7ZE#861MPU>=$8g)vOP}hRi|D zj74VTF@!z)F!@zp+ewBld^h9~h;BA8Tk=OOx_P}}WyEE4q(LMzFH#0A^~Go6jOsgT zGjt9e3^e0OS`Y3I3Y-6JU?EY}ZkN?7l(*gZQwk-}&~OrQQCC&}i+z1XBoWlqJRGI9 zqvrH;u`)+-KU^Daqo#41+u19iyo!It=Z?hEj1Cw7S-qZz)r1WqrI>jg}9q?=wHEjU%)TxXL}(87hdS^a1s zotjI0%8b*-w{a(y;n0(ymCbN=8SXW!s`TVZ9UmBaYKsdMB>hT(8TJryu**7Lu)?g# z>OM*G5W4|mVOU-M{^qWS+EU$FLkjrP1ODhG!jn+LA)|sS_xdmv7ogKMUao3t1u@!T zq{<23VMR!Ys`=smcl5xXI1hT@wRXMv#a%`T*QoO?j`+XP_c|bPDi=~trWyxZ znG|D7u0EGKuU?WBwCe6fH_V@>Ex{w3>Z1A zqMF}N_+po&WHI&t@gbexq>)bup^KKRPd)DyNXV6%JKtQt!99HqK{xBtwB|^BV`hY{ zq7X!=nWP@W1!kd!F+od!V*7|7`!Rd6>=xu9uBjtJZsy5i%`^16ta*@(go0#F=pgV5%wSe%z`S&`2n`npnuoI-zJQfa`#Erb(-imUhe8d1_4r2!Z9 z!^|MVIof5eNJocYO;X+qeyHB$dqPScZ~PnSmK6 z-g-*Kcs$owL8CNUT;zON*lWf%WcK-$#zN7PsdDROV@gR|g)J;aZ+?F0ylgiX+t3Ek3(`ref z)KXF)oY_wW6x;`3@{ZYMZ)#Y?iY#NitR&i2$?a$$F9m(tC7V@hF1rcx8RbN&77URe zp3~+#mZJB9v4{?WVieesnC+ZM9@@O^Fhq)RrKJNCAEENEWbt^`ORSweADHNU!IH{9 zn)0;?upxd9>8nM0&2N3Q573q?JGRZqFed!+uh*;(8+ezv!NL!z0fso{42c^Ol=p~o z5di+#eAwcM?YaZL>nXNUsyaMWq6$jf9gGJ64Z0@{HU!=%b|I1`x3_A6;NDLDZr|YX z!TK5OAA{p#&^`>>$HDnwaDE*05B`pSWIY4K8)~)yE;S8NbU{pAx>XGUlL3c8rFNhH zQbnU4JpAcu*&6loDG~FlDa7jlUTB0kH=yyUd|uE({8urof5_hQE`~MucVcU_<2z#O zxPL`#B?T(JMT_D_U{?paAZ~Hrfpu0 zb<(mvzHCd+zy(Bn5r7L7_O16;?FPta%;GBVWuCw%rG+AIwpPIHw!rdMi-OIiYoafU zH~^kMqT#cXa2^kRGYhRBjWL%fe-^UwBU*?sCLV%oEq!opfBYH~gXN19wgG~O}X1B#Kcn9x`F z2p#wm*hP;*+1QmHA} z4IaL+_%VC*t=jMjknnj8`lwt)QI5F)YJp>BKT6d<-4AztknXo;(TK-mmc1A`rGKG`_{V~4v(M>IakgLW zV|R9Lf0fbWwtQJ!&M!X(eOn~kH|Iw1IipeYBX725mCH8@&Rj?{xtH3L(0MZ5Fedvx zz87}QJ|>s`t#Aa+U8~WIhk9zj&rE7y>d3+bjmK`0LMJG?oH#+fZx&h_=irprc=4eL zwtNLd6j!b7RKD128P9zjK(`4z?+t9~^gFMt)Uhd|)}Y%vFC=hI8sFY53cPFXcOhW1 zBY&&ibt`HgF-P$n-^6lufZJ>YM!0V&X5UB*sqW7kNj4*$Or?&L(d>oQFoJh(nsGu- z_qO0ExW?V2C>^w8b{3mkq(ogrU)~tG1i*m4Cjmh=K$z6PM|#KY$et$hveFTaOG@+& zqLu|%pfMI#J!{&h&b)*FFiyBjGQn3MH-Kb(5U}5|uMtMpgo+$wWVT_zas?%XZ0lW* zj+S|>;FcJVuUFW##(H~8H4pLKqFUraDr6V5Jn~kJ(=l*5@F$&1f=6c@-;nY-vYG5h 
z++cpn%wVB(u7>n@Dqbm?8y3nUm0eC@=JtmmJ;cZCPA-`R0FW_$fkM;v$rlPqG)T8hXXtIng=4Zrw+wt$cpN@!T7>* z46MgUW*${bKGo&o7V`L_*f+$T5hm&BK8NikyySj&J)SXOGJ@z$J63Gs*7g6`{?k|L zjZSmgs5QCLtwOg>fzJNADMGaH)VOxOBP*xRc-jVQdR%)5@w}uu-5M-n&s(($b9v$& z>A9Dcz*fHeK}R&MDtYneq*Bnv2wt&PfRhG#2L<0p=FE^eR&92C_tW^NdR1vkl<|nfR)1M$Kq~# zOhtkhGDievOGULvaUVAg-4+96}c!n>dye)wrM#2}Yt+WR%w)AJX+G1tH96EP#9Z2!4CUy~;=#I_SU@C{rnInl9@olFW&U`)eS zmNy9bc}#V_@3@K|BE}N)S6_{au-_i$hR%=Rw zV*SK0H7oU0^6etOK%x&V8M(^Xdm1`DpixLGd1PAU_m?khO0L>ly=MA!pu6k*(=WFK zsQS2S%MC~Lmhq>1c{EjwdHX_=fDiJ~H!0iP%sJW3`9sm#-KQh))E>&trOX>00d9FAtF%{cH-sFSe?mYVjeRBY%Ann(q@v!+ zW}s~Qj^m)c3$EPv(>AXJ((VPYJD z9&hgAHX@gqyFns5D&C?z`$hJPbRQlUKzH8e&=QAXZ6WJ=*0p1VbGI6X3+y(;ZK-c# zQO+;x`P`bLBvD#;T%ODn`Y6Y5fI1tB0X>oz8kbIAq7E+4W377RO4XW`jo0M|Pj8Zy z4}$R1u9_b`AX`|Mv|=j#vcb^I;&(c)Hj1~yW27qMJgSG9tS|#+d!?1>>&=ut)*P$d zQ4K*SXzBE6QP7lYY(5Da-R}`Rqf( z%P5!~Kh(0pJUf$v#)v33sw1~9KIP^@G9S2>Tdb^(1@ZiSaSz_KpNa1^G1)M zXT!tT;YZ*dO?@0}yneD@1pO2VO;h4an#Zi1(&c57`sv zB=qDJX0*HTGn<-PsOE9A$=}Ej#@x_8BA7R~d7HHrFxu=n>}A_Bw^h>Bg3t`;=`}V{ zP;jhyg{`L*miL<2=VUU4YkV<}2;1mt$+=Sp;<)gyA7l0Z^yhCj5V?UN&!T%l zCWxT<3Kx9p@UffppZsi@CW$E`OjZg7+|$^O+fC)9Z~ zg=D6W#BX!lDrJShNJ9@%^$tJYUX6$oZb=(wZrl3i4x6KaG*U%X$XeKy1hD@#$(BE) z4agx}h`y#g50yS^f9?S|{%<`1!D|0pVU?aqoY&4LU^BGW@JSF)#8u-h`sYZHuo*wG zq4{g@?houo_7CEf0sS2FP^u(^(_@~bw3AaMsoFBQ@VWd?7|`}yRvzOuGp{zp?kv!cQ%>)d$B+5=mdjE8#So zepZ{cu(b&YLc(LravZzZ3kR&nTt+&EZtB7bSX|sYor{*u!EeG}47qgyn~8sl{khby z?@M2)SG&=QzR)Q*-RW0e@GCWYYF3R_yJ@kgE;A@#Ferv)*G^_4H>(?c~Wlj{=yaYM3>gN0SGif3xjPvBM$L(y#veF35sLh4?zICH3PhN2>`?hukSJ08o{Y$~{S*u4TfqB_brN-j+4wz-r`9hN(* z-@qe=?Mu%i8flh>%#ao)xAp9i&>|K?b4BTl*sjQrYTuA%$-0da=lN%)JW~#CVBL6+l9sGtYO*@+_t;yIY1a88T1%Z!&BP;AwUyb zd>j(vT2)s<&9m63W9?qv8?+YTcBqaNtb%B4%xG{QA0yMiq)f#>uV^2b*v(#CC_NQ% z@L>DQ`}r@$c?@&5zT<2yHWh7LhHFEz)*wD|B>gRDixW*hsb33tm;q}Cq?vc7g*e3& zyE7Z&?(F+g8N6Qd#*RzNuIc;BpeREncji95X!lMhMJpaa>KiTZLHz&Ca6zz~44!t+ z3u_*SEd9*aEpH?_dTaj$b6M4u$T&otU!}o#8XDEUdQ0E@#$oIYU%i1-FMuiM7B9W5 
zv;~Jkc4+9UrHK!XPWK%ge(dQ(B&xYr3H?)7$Qc^sl?JC`57WX*eaZwbd06L!}&6_Xpi^dK*v zOK11ERM(a_>v1A&t@V_Jjb*WGIx?F(x!wUXqS9n`mI`~y2jkZHEUXd#?6QA4J-S3) zel~<)5drCHWj(e*(4)%YE)h~-6G+U3{HM{p6F7rg0sAO&P%S;fy|*4|RHCYB4nNXe z)R5tY#DB0|-%ib1x`nW>GzKR~#^wr4cF8t#HWuXOOM|-`6h>HifRpJsd8oAK$-bKz zbt6&LUw(0h4d&hB?#VgdWX7pPZGhI80{oZ1lEPx-ITG3r`TFgyc15ORrMlrF=`DF? z_mv>_0!=83Ch{aB>cytt95rX}9v3IND2hbBTqFmfA2Y462J@Ak8KmmH=I=viAXyeC zTw^u(8cmOgt)KOkhQu(7401-kXVbKqk%fLxk{PWWmqfXswpgoum~Rc1!7m(R+`}Am z>O&XM4?Sy`;OU|XuB;xg$f7K1PzPI^J!hDm2h7LKfou`8?HJ52X*V&FgDE)~Y>7s?qT_JBoS})^k;WY$+e%fx>gsfFo3wblL zPkLu$NyAUjB+Rt9NeP+)6AK{6acMk_b|4e%{C5074)Ry<0|N-BI1@33zh=*us?(W^;Lba{8R|J z{d_Q4x+DQTcn9xq?|#zYB-TFRvF$}DvYVrtTIf5nmin|&od;?1bftegD;%FKNd>Fh zadu^~qu3RdrNSdZwz2{cBAMWK}x zYXxVps=$!iOcn&ONP5`Uxj_r8w?Z4@Q6djj*bjxnc%vJ3BrB=0`f}sRgTg46^eO8vl-yArd0lk3 zQ{v;q@yEB3KLy*W@&Q1oQwb>Rn9;dPri4<08{|+U#U=Hs&^ z4VU@{_s>w@u9)q*W*Y6v#d4p(Kp9wnD`K9i>P%viouWcctBHY&eis)X+~%2nYG7LX z=wp{Tr=p9y^ui-)4<*=zxeT9`U7Z{vn_4lKfqQVuO#-|iRtt;UL1z^Y`aB9XkeW~S z*dI$ul~3SIXT*|N+IZxu$fv>C*Z45m0-HopcXc#YEZgE=9&WBx%;^m+@=tm}^6#ab;}Akk zF(dGAehAUM-Sr5cFA-yN)sbi0jT|jYxxP{SKKFA$`?~HhudHaLi;fc%hZ$%Q)e(P5 zowb-`-9sX{8j*A0-@`GBo2zd4eBWrt_01WaBH}z}GcOKAIa>s2-}sm?w9}c9lpeL> zMAIO|UK>B`e=u?+fA8y)Zjzq%j;(b#f7B5Fv(5`|eDcy*LUZZKv~0b`0jn0PkRM#* zkhb6v?mU&$MMMKf9>`^e56kjuPgc6B>6|@$K36XJ#dsc^e8Wi4|hT$grq zva>PgaR75I+KLK?dDUBZHecL4v&i*BI_H1#di-2&tYz@&tv+U9!hxGG87sNHA>Aw| z`>Nj(q9$NafZAhEYc-cQ{w?hJCH#T!ZQfmuS;&;Dsi3o7puh zSqizM={RMJ5IJ=v=%vyhx+q96!z3&;@l=8%w;AC>eBkImeM|7VQ#49K$RQ~woTwit zc&tA|8C6~q6NhP+n{1@__S|jeypEFiz7mro65YP&9&LB*6-;%D}XKjiW69}hZP||WK4KtG#%Q;QlW|@}t z6fKOiQ-xAB22ZP9u0{p(&!T=4UIe$1ok&G6EA5TJ~oDuG(PQFn-O~4z|LO)gl z+m|81Z*cqE4?apJejj9n<3s!od@vXK*}GPRE>g0)+k;|C*|VcuUaZv24+0S%I!jOu zqZ}>yDaS&cM>|8B-P3B9S$i-m-fvsOoa#2s{CK^No;PHgu3{ScCNksB``UuPbsasU z^Dj3j{YRnxHNO8q(Et41|K2)vk|v-PfC^|&^>T+o0?Qf!lfhl=e&F`nL42AZOj~k4 zHFtyK>JLzt^(pTsFX(!T|1mTEsP4jV&@F0cXr&ia4TO$T>I?VgTv1RZi9=d)iQ65( 
zG?ti%!&XiQ_&*4uReoN!bhVsbO*GQ7BvtKIRhp73{yh-(1)|DWCgfVIk*Bq6Mzwi# z#!VYf z1^49I>T)VC*3e0na;Mp<7BdvVx0e@Q`ocymn%U46;L}{y)wa+8Y_d|)q}Jtz8?ArHUnSV#XdIopV+CM6qDlf{rL7BDd(-fa}h@&NZ)tv72jVVXZAZ2uD)feha%WZOnFNqWAm{8mw-vhXK9>yzx`)=Y;vjvu19 zBd`Chg0zqS`OlyKUfK6wS_>21BCcw&>68&SBK^G^(MOtuR{TZ6(w?$HM>NR)(01wZ zuWgt9)}OF=>j(V_E&B$Hm2Vq=GW<3u=AuXC^vrQOC%61K_1@8=WWqwNIyW+U9Rn)FlUEB5*8}CMiJh(mpRUmeo zI$l#}`OYw%nfJ19*z;>W!gui&dG}qCB3lJQO=K6IDoQ=8&oW(JgKh9lcUP8_P4=Df zee%vR>iyB$o2`vF-3+Fwa^;qt=}MpTx;WDo)eI8=0wH6|o}7TP*I2Gr4Z!@_^wpXj z5J6m@g|<<($?ecHXHlEAdXW#>2BAnLFUyEo;keLyy2ar*p*{#!Yj zjA@lj7FQ%Q`{rh&JY3q5#4?u>y_QRNhnnS_c*@*j>x?(eMR|?@zgcU~s3+it-r($DTP6k2xSIr(Z};*s->VfxF%{{lh~V}zf@-K9I0JPk=1Gv$8tP+e z=wYSkM(`z>cuf`emybe}C-cYuy!ewx7JtywU^wX`xk>ow?(5NgG{Vr57#w!3nT5~s z`xLF-CU$>5i5|Z07_&5}Ms9JJHUHj2T{@#MUtU@|H ze-)vB`zflmH?E;C^L|XDz# z%{$E38QH#s{%c~BHAjRtZ+H`2+rM0~aINL{9k=sPYyY|m;#9$6q0z+0i`(4;eb-|d z=XHa2i~2PE5q5*5MIZFO4@{Bnz}K-NkY39`aB5;7JS3+e zy03J@OJ;D@B!~7M=xO>I#Lc;kJF@HzHDitt35?7g#k^}`gQ?guGCb*20o51aix zuw<^EL)D`%3$pq-4|&+>?>X|x6z$A;bkC!7kdwK4@P&jt=E8@wr&D8wAItF`MJI08WR){HhgY1sbzEmRK=GKmNEXp3h&SS5GDMJ#iCcc9%F zgk~LPXxFzrnLeMYs|+i5m7w9=taLx<$eB|M`Gl;8QKR$d5YibrDY#b=?XtV_Ld9$* zt4FONmn?IuGvxJVK|U!Po9R!S3CfZ-V$GIl>`aL&3&@31bG=`#t+3=YDx!(&u?Ui+2kxb@icb2j~IXP7C@xy zIQN1tTu9c`h)7dza^1Ll`}QD$Yxo48Y*UL!rX@Z(b<@VW5M6Cp%pkpZoT+PPBp|KM z2%rbR?oj%J^Bj1WP9VSBBT<|-s}ETvc}pRn#Rs(zR(RKlo6I?T=*tPD0)mEN;Arbw;i*l#vUPu~nD-#W`d0S$kTT+mf2Xu%zLal z3apUZTN8id`W_Sare5=H!l4*o}mBbRdI26+Gpz1aT2h-)6m-Xwy6 zdQqhSAK@wA0ElOc(5`P&)=YO>B|7oirqY(JuQn|HYW4PIw~FZFJpsXaf^Jf_0K_LpwU zXBLd=v2OOa_~}EHH$-{D8r4lgBxMEcxOvz7*L>?0vk)%r<+J`RUHs@F9- zxA?tGXhWJO08ilI$^y$0FB>T>eCRc=m2wd1M9pMyFwtF(Hbq=Qh`&Tr64XpOAw;I{ zQbs+ZY@id>-HdyPJ-X_WkWWB;d1B$`Bd9q z@H4Ze%OXUiyRo<6-HXc^!9*<%oY|Wpmy_S=OssF`s0Oa1ZQt^-{Ve6)bO0=P%u(-j zKHUoxjm>Bp!w$n)?X-6~lkGrBb?(^IPkrm3$1CMdRf0D4 z15SqwlK5N8S%?qeG8> zlw;?Sc3ml7J7GVw5_`T<|154*Gq7xB9Mymx)qqY&D8J=83FcP%zhw z#-f2a_2S5Or)gRbBL!rAS@`xOEHh!1_EzW|pucPhcY(iL_R6-RmAT3)iy_2c25I`C 
zlMm0F!%w09!F_DPb47fa8j0XwU$w3TX8u7+E_(H+YEK1b<8}rW7ao77bKC}%-bDnl z`I`WU9@59g1Eb>n7Bp=;q8)ABBLd%gGV<#-9$x0g{KGu}H`17chfPLH^@UvZj5 z>YAPb|D(h6vEUMVA}P?TW!wk*RyFp_0QaLi+wjrH$EZ7^(U)K2h2RZ+c%!yGoClA- zYRuGjqVm+ge0*xsdfI|Yth@zp@-l#BC)&ZcsMxXHTgidYTA@sgCYOApx z)C1B>daVBgXK-tX4OD*wQ?&$>Bf}>TK8xt$W{n3*+>h_4?!IT-9d*<57bKfzI1_<_Rc1ckwo^0d0h;Ceosx5iOx82ndCeU(%n8;gjT>DV`E zOW?ewS-jKHtq00Uqy{%c%aI{aPZcXs+zy}?KvU69dvI>PhpLA|g@xL`k_>#@^?P|^ zP8Bc&!33q(%xw1q;2-7Pni0cksu+FYD>*2tdt_6sla?KKPNZUSBjI`K6< z<)_va(xlVa&O1GZ2kTl*!6|Z*yne;Km@&JlgJ&Vd2PwmWjU=NYGVZY&T1>E1#uBN^ zS)|i90@y*rsLHIED@elp;S}?*=xi_s0l$6fp5}bA#$IVu#GNqY2rey{P~TYbY2tMD zVgOLHT{+LQYs7%`EN7s*S+oJdbD3q5@`lC;bF5Cqj@;bdNt#`gUO0=Fpo$%SdvkDy z^2U;+NITa!sFDC@cn}tK>){Zr@CiXV5q*lZFFN9}lc!Dj<>uZFC}CS+0bjx$n)gA; zRSN(WIIQ4xG4A{tFtj{%+*)l|K4E4V&v@H@FVlwE)kECV&D8LRFk?_CTTF{`?cyq7 z?J~tFe4WB^*aEIHxlJ$FMY5-KGFezTFxKnU{=6iZ0;qR^5fRYYg=cD6!-3Q3=qFa4 z?^jF_!p%R4OsD4&`I6+HZ>&H&(9Z$b<)6z(4WftaMZ&2whYI|A@u_vQrCW1Tx-a+~ z+wwL&@HW}-E6!Y>TJ04li)g^^w?$WI@|4Bf@{^a_?iwV1dJaAEUaWlI=}fUa3nuy3 z4J-Ue4o6@QM95K3LPhbAzbFqtmEY*a+ z3pGJHHRmyYDu;s++(2qq{_%FS?Mu)QJ^?^+4%EYyV<+&rZZpxBjnkm`uX`j^0aNsw zy9M0n!!zQcHy!nEL&T+s$MbAMg>xldB=QquOv*kx~IWV=N@ zl#yOOZi(2t!gyj7-FVZ7a7=gVZy^8lb=Nk=Unwu!oa_)CxM;bk<@K>gt$l^5m-qdd z1pK3M693iro0VH24sk0%;XHapvYLVA0NChO0qylmc-!lsM%_s2nw2`4N zBVmZMhiwoC0vGHWZ={Lk&x`_SV)^x%1-F0cQ$H3i$g+L$T^DtKgRL`Mt{R5g^dv=V z9H(HVPDrkXrxNeD!i7xukj8OWvo&PGR}jA%n13fCg$GR+b7a=AVcPODOP*J; ztO@4UQ>v`WUZDOIB z`|IxeWkQ}I*)#{=dz14zh${U8wXOtuDZwhd-`4HFKnz|1eG|qthWfz#w z+HmQ_5kJc8t3NDu`Bw^J{`{LiE*gT+8fGzJm-Q#1ueLV6(;=68Tn-#*_$9hc_s5H` zjKuJwl#$Wfb%+ln0PHy<9oisb|G7h3E$DTB1csCBdq2jjt>>UKkm!E=6(})KH1^)O z+cOj3HQZQfvG$a#$UWxt?81vvWhLMFdKpQ@KMtbhwFxQ-1NBz`9sN=@>TP{WP8c(^ ztYL2yWg0!9q|v>5|JG@I4`-SKBW`wB!-Va#>1MCuTAd+`T7O<-9wtwgfg)!r#}SBnjWBn z%OQHe-#M&2x${;hB01ASN6NdjX%||MCQus)!?-^JBjiJU7L)_1F0~Tk+Bn1TdhqMW zx!4;B)XD(d;^zI5ezz+yQCcLHY#Gow*Hf9yM*CAr5I6(p{m^5Ty?xWec425 zN8`!O$54JnOf;d%(|x`-&E|!oq2}vyqmk7QfT+To}tMBIsh@ 
z!3-^6Q~gJ^fV+eQ@>txb8VvS5$qJRQW*;ZP_axz}e@WIF04 zN<$)LJFqVs7eg7*kc-CBZ!#DAb{RJdiP3~Zo=QZv;2B};-Kbgh@OChGjS5#%#(0$4 zC?m|Orf!AqtPg;09x_j2+T$Tv%VN9*+WqIYE^)vJVQ%E}D5}s}aTeeLNWE&R+q1xU zr=ye$HSz1|{*aE@e(Cp;&<4H`c3tRTX@e-*Nq6f%$o(9~=Um--X2GqInRNfW9{tbv z|7+{x6GGB9mgEkEpgdt4|GEtdb$|hvh!AP+88I~hBUY<}y z0G_V|D$)s)=qd2_iOmpZ)!nb7WoyV94MCi?3kdYzJ%3Y!FQ9YQ;^i8`>A*^=lB|Ht zw94U}6uu2;a54`#l7qFCDXqpzsnBn{kNV)F7@_`jpGSGb0aCmk(1wpRJyylFOhYRa zd>nVPTw_|ZC)nme3=ns)!Y{HKE&jHou1vc+GzJ`qhxlJQw>OMsN%wJmh27!b`0+vwlVqj{OEj*yR3L zX9M*%_W@qu4^=fbZTjJ%P4_5?^b;<1f604^3QS$Jgl#CvsoFZNkYVKwG4qjv!-mu! zIK@!V#jLZN=0PE%6SF>VotdXuQ}Fn9t}&W}cLcfUR$8-E+(9ot{2O7UH5^MoFDqD3 zCtOQ8!yP+B0fg~$^J?3HzVSm$@Ad;TVzy3h&HsLIE`6`PT`!oNLG)hwOeIsZ2>Vi5 zo21k)RZ~x4t8Tw)^=ZZwg{H35z97SrE@$J@5hUK1<~e)~ZwaEJ4Q{54*P^fU%SxsI z#F^gH%b8W}rOHYeiNeTVArUAUMJ-AP?AVsI?-Limy%w zYkAQ6hiuaY+RNgX0jh^9pg6&;$QL=ik*0Ah3@6U`^2vp5Nf(V-CU0QQ?OR6Z?!efR zsxL0R)49aG=YBX`Mqoqt7rx|MeO95BgnJqo(P#B`IS~;*L8`ZV81E^irNx|J4*u(N z{IedeV6_qv`jxOI(c{XS%id-PSrLZw8nQ^)`mb;0XGZBSUFNhn^}wy;Le^6X^8BLt zjhzFN=qMFJ+qtH#wIZCGPKQyI8l;$-$tgaYZWv-KNfrN)iqkAWZ0A%5YV5JOQorMEaW0Z8xe0uFf}lS^xN;#^Femu*5TiGQ_vQe! z7MTzAWPqw}*fAcKfePGA(e7`2pLlQ^0Sy`?Kbh`U&oM>!0LQKq$#iVU7FZF!!|Nq2 zX)#Aq-tZx3z5j||paQQ?;`thfQh(H#1w*6c^h-SsL)uF!y{R_V|bY@#pKmkFESau@;Gy=I)6J>FTHAb(N{-t?|_}xWlau<@YQP zZKiyyP2`G%7#JPzzu8-T&-6Yk$Z?qo2Q;$+2_wUI?*2yOe5bqTI$q74oNq0l4>{VE zvzOHdtf&^cOgMO`d*uqSatFwRJzL6bd zz-1)nWvCeIo4+@ZDk&uTYj2o{vH4z$HJgK|evy8C42*|79VBWY=K}+p9|Jr=#Mc!_ zVuVjpB-}DXlaBIc+ZT2vGM-~v-16i=KaHH7j-O_0+`&6MlXwWFxdjmRKCj+5Rzx)j zq4?f)Z(Y+)nM`ITHKBW(-`q|>uKM|ARt`>4U>8+~U_aD(bCoIW!8_O zf4d;|9He>V>54WANBd12E>`E2-2AHpGgugO4%^Z8n5x&!wvx_I6lfgT>*M_IQs%`M z@^UkPV(}J6JNyG$`X|2g{}jISsjIcZy(|sT)BejW&zUCzxP6>iopQ7rZwel51YGoE zV&4&jwFdP;RV%os3G$`gBb2BkTbl72Q13_3$uMUN0M@j1?I~WnAoFndcVWGM7V-Zn y68}$$#3+BkXfMAq-e*bJP<`J>*-3e0ki-UeLBqJcj$p@u&MoYe&F8)4%@r16lc;I_l?f z^wc`Lqy9h~vu`T>AkXDMZclH{`sMsh)U6-Rm5e`!ps1){&wrKejEB?W{I6_(9aNh? 
z-)v<1`8LzfH?Q0Dx#^b8rkl4y|LofIu=IgWK}R7!$OHU)3R(x*f$!-KQS{8hdHDIA zHZ?FfbyokVo6pzB^j&>U8c>d&HrS;9xdDWSDW{LRdLQ#!_w_M%&r{~woEHr3b)IhK z+74T6KDRl&>zIe<-k>wb_6L1=z%|I*b(@cvyWLz3j-5Dm z^4KZAvp^b~4AvX`Sn2=NJAsIPdFekDKWHPk$8^`3V@Lgt?FI*7x`XvT-=_EZ<^w-> zy1wz}oACyJxDRhIEsWn(^gmnkza=dK-p$q2b-M08XMTMB{$sxXXT5#Glki)W@?$H( z#UD>V@nG!Dn>P<{@Y^^4qbPp30)`%V?w5fIo?Q3;;Pb!vCBIJgW2e9j4**kH(GKl` zX3m%~{r^uNrP)f;pEJj-rTwK=PE1DUo?OIf`#CtJa4heqJ@j6 z&!-ESeth~V@c+WO%5$gh_}4y)myqgQrRX_XN;B3&GgW6Osm@STKsaD(X9IISZP9=F z%$TV(YxW#arTGiM4f#tz^_7%ng38XG1?=|>D)=3mr8;}*C!2Q6S!R1wdA;xQ%@=Mx zn5(ffr)-5?9aq!v>oZ~V=C54!(Z{Q`HfZa7y3uHhvB}nLrn`1q>>=*8wAz2b{-A^7 zAtzV2W5?Y+JiX5P`JW4*1O{Eaboom7)oT$^(YNo!#D04>E-@)NP37CF@9P^Ho0?lbw6^v1vitf628V`6cznU+lu#s=NT=I115*02S--UG z5A9L~?V1VtV3zW9yJpM`0Ed$5tl6JznzM9=t@2UdW$QOzn7e%Etp_<}^E3?YxGTOs zQ#XI5rcsX;Z@OtewCwLSEbQNE*)I+IwOwt{LZum?^ORH}7?M4brzoJlUThumq56>m z8a{mIwSzZmt$?at%eE_^oLE~0R9~nYktP4~bYeuweeoGVMZnTsM^9?<_awMBXt$kN z?vceVV=O+(;3gEFr7o%nXbxuYMmioQp?S)?c!@t`xm8^EG+wL2V&E} z8EWXY*S1a$*wV(lOntNJ>tYlHY81^bc=l;wej)Ih-mbkak zW6$bI{c`y&1(g2qh@;KXwLYJ1CaS&iu~9($`Y>wp{7G9oYM4g`yU@dpuZig4+$V-~ zB7Z66=hDD;a=rqhT~H9g#jm0M{{e=JWQM-l;4tZhi$X(6&A>ru__dLH}+cAKeQl7x&@5E_@)rIU~UL^a~>nS?O@4cqPu&hM8J`V%K9br3EON>pH=6_PV@>kM48)B z8n8I~>{%h(7;DSG3BC>DeyBZW?6ZcO&2VpvGeCE^uOTl5$U41uB4FS#Q5 ztBnUArA}CXJE$c-+ke=pHM0h3BaiAwV~1K(QJ>u|bDuPay!9(_9e1cpmBwDI7QmzT zP7T4w-s886Vnmy&T(h?G%8XdWd=^SOn4zCPx`1hlsj1lH7f8AW-;!i!Xz4Fkc(G~% zZ>-R2EInC4Q$XhGNm)v5z&f1&<%nv*2&?4M$X|5&d5y#f9ccQ<-WA&;yt8VIqkJ{w zE}ZXH#Fue4O^;QB35NuSXJYFeh2o2-fdV={9D1Z_s-)#xE{6{$Voe&l!CjY&f`_w1 zR`Jwx{1--%JvnGN7%ML%8X1{uy2%m6#H32ZJE=-5^Htzgjwx{fVfnaRP7%8ZdXOl12R9>1!*gIU_msn8fILs;fj4*>zaG;)D4D<+J(`LAo!j8totO18W z)Sg1K%jfNhKk5_cJ3AxB#r0LR#J8$M0Y$zbZ5(~Qdf;~4yK7mVMFqF|%hNmyT#l76 zum%z;vQw@pIGFA2tGPM(R@EBGDbSanjhJ?b9{~TuHDr6!$vD1^m35#3V)rYcW=luE ze521CErgjnXZcK>F(tY@=!NG|40rI>t~P(2@L;XzYWxPGydzivb^G_XImj;SA)`eO zMc$^MyI(I@v!K?v%Q|hH<+@@-a$Es*WTt)Fh|hk_Sfp>{v(_@{gJx{k*MT<`5Yy%k 
zv4XCWPn+jlxdo$ZECDW>t_4ybN)%9G+$*Gus(>blj<_{>K4U&hcNAg0Xia#H0 zoxkY;Ii0s9-uprjdfQ8B=wTqk3eQSeeO~%$f=@loWO&bgLWFz#WKylv_K`~B-2u7I ze{cL7;z@d!cw;+||5wxg#s8~gMIpBZBL?G8PX(0NmjNcEH*lv)X!1M-RCmVVpo*Bg zsREfp%&@hvZ}#&UkEisYHvQSm0iS1xz7^UQkK0H*noVUKZp@I;4N$mRB4bX)*JnGd zN}^bgyL{IC30B{%fx@>0DJ>jL2^{%ifn#a4&swv-=xUMyn7$cNg-`Bmv}T)Rf2k^- zV;y?S>sEWHpyrmk)%vET&hd|sCOMtMd2IR)RaxTH6=$jHby&lqhn zK^gV!E<~Tx!~Kcc90G~mYV~ma*TUm66HC3)DM}v=9h$W8Uzk?n0vn*{=-rs+fl<=) z_LJ!Ii7299J|BAztf79a5DnCHJf#`gJF;jGFw~?_g z4SJR3-xSfXJ5`76|IveVI)8AmeAqAe$l1_B^sNRdx=*0Na`dyW7j3Yy3gPydKP`W= zPh4FlEpIFDYilplD)Ip?+*54n2>k=RfRk+;NO!;2*9wdz!Ajt)qRJW$3K2GoHt$$8 zD4irpJT0=Xa>k6VWvnlZGIOR)O{+hv3F%-v9vO?R+PZxh)1c7GyL9S%igPX3HMt@8 zjFBP#*R~dC4x}*&XB*3VuEfw7BbI8DsOKy6vm-Su00ebfQcevpELEjKaY$`GNjE*5ZrV9&N~n zv8fw&%`IY8{RCJ)=h6KI=T_Ga#6F@v?c(>Y$(D@K`l}QWwNWbiW{SK#5NUI|(=Un@ z;fK3O`newW7X-a4L9!25Zjtx*Pu@z6p`A6W>TeoVx!N{$g)TIs`Wy&rkvpwF0#A&t z{xM2iANzfDP}7Ud<9v*77Jt3^+8}M>3(kP0+JVILdezzFPA}Dt>cBv)M&yk9J=xn~ zY3fzZ)DYXb8m)fBMz0xR$7~bNe?}fPiA!z8>dyMYt=ND_fG^7T@9jK@F~?d~$2`E} zIs&_`l0evC4qqZEfwfH;7X7aH0 zzPSaRmN{M`p^E4s=!Q=d)D)2O7BBmThsVeR{B$`@bEaB6>ZJy1IqYty`~fW(KKSTaln<=>fPwNH{%Q2oM@Nr&6WtM8jZ zaKS}bx0A4y2MZJsd=ZnS;Mym5{ZDr^{+&BE7miHDvvrg6xo?ukQAP*ee~`?5n$M8P zaH9T=S8{u=%Y&;?`&`l!e-&k%-)(<`ktcL`ysETay zqe_Qj>t>u-%{DUUk%x`N@&j@IQCa+(wVSSkTK2e>0@7AtGtrL#Lbvfpgw8;+6;Ve% zlutw52kyMKYn&OO^KgcR3%5Vao3Jh?H@+s)tU4JWJI^L5k!40cOUQ@HflqX49Y83Dsj*n_33(^3H30q!CADS|s)4&!%$Uag{8q0R%G7gzSXxcCO{!yU+im@&oG1;9>i%{2y>zTlp5aw#4Tj;UE>$GTj(clWLs>qEwn0z1n=BZssjAq#V3_tgzto4W3-wsUkWx}0)Ntpd@c z%PfdTxfjdZn30-wV^exNEsZAWv|#O zn;wA@4}J1mANFsb2Puy|SZa;hg>2bF+Pn?#kir34Df`jrR1%vscB6-J73S_!Q4aZn zdnBJOjJ+t^H7A;VWXn2C`C`Z_XSmygj!onVzY5i@BR{08GP>`!sk|Y5Ltlw$Qu6VE z)FcJ;icE-48A_Pb5XIgX?H*eiz(VsPpEFh=W$Gd3J$kOa53d%9A`J3rDq>swp&rsL zJ*-ukV^ZcnhiO<7`2!9KH`|WAlz||SVV%Y34p;x^nfL;?xg1-HTW*;&y4t@n!Qig; z#hQk}u;y*XJ5XA*2p~9mCN0;HGR?e`OOUcJjoQr(YD&2>pT|TuQM_i^ufUD?T-+nuY{o-69A@KZnz*gZ$q9026pW~umdT4`mWhP*lH zy#0L9` z*|e2iA$xghkvW;n$=Q40kCL^+b!ho+zL&n4;42u8@ad 
zE49CoS$aQ^nT1szeA<}zVd*yg&)h9Fsa#W-Lm-mCCz)Bv+45`n7|+!WBE z)h8sdFo@>D(vNjL>qj4USR-P{CQ03heDV3srQ``Bv0DCi)EY!=z^}O!)-ryx$~;Q} z-CJ4|oV{54`l-)Cvd571mMr<^GCU*txIA)tbm(Zetu+D94M~tfHUE0?VkWv%Wuy1C zPok7>)oF)W>Io65NaCpmAK+2t==_^quMn5H$-f^i3`Yzy?r+E~zRRiAE z`>Te-mQ)}AS!a{VFq*Gin#$Ij^GZj%_(?FWv#TWO)vyA(f8a{$HUQ(Ec@SfuZlRVyCi&mvn+oyn% zsmv*KBs2S!*k>|O|Kvonyg$m)i!P`~x_n47-yzUGho5VBj={Y!B+PvqyUO$uowo_A zC26~}TGatK$he~w{tDfi!A7aF)0Vz?UXuLrTsF;B65OdKt5iVG{8aW|nXVPiK%|k$ zTJF)jdNKW>gcPVXRq?4Ar?tPbv_PiXeW?kLBaFfX>VD*wi3}Y>=_0aTd0OZMMDxkIZoxc0EodqsS8%|}&;DraX_i2okv>qCPw6O&D2szrS;1v!AMs87IQ7(F5)#8|I z3g`=w90>TCzjt}Usw*wlk!#Yu1GOWAhgcy&9*Z7`tD@7<6)+qOLL6EKK>( zH<3EU!vL`{5PcfcsR>5GGb7yOB7#%_xt$@M8eY4mp@t8pJQ%=h?=Q>-^QFFesWq+| zEgH)6x!T}Fgxl-ccF~w)U;{P*TD>-7E<%%6-k*Ql)?&_uAH7dYq^evjz}~3+>U~;c zU*an1!p}i&@E7m%LQ4oi9Q$~v?aG~_@&{{I9|*8qlav@bu7)8Aw5#yasUzk$z5F4l)Pv)!urx_$jvDAOw@c3%gxze@f4Fufo( z<+7j(Qj!+U@%@cl*!X>T_)- zubpA>?r}e=`);iHA_>{tR6jf}E9&*QU(+GJ!EP;GC%!n&FJG(rCSm7JI=@!;VZONY zD5CaF8#6p}O3&Jwq`!a;gXB~9iorY(8yw|PwRjs+kaSO5mgOUA?(W$}P`;>hZ&;qY=>t>_0yv{jhjz$uh2qaSuA4Xn| zn(Yx^Jn7B0v9>R&&*a>1RO{m(Q9yw{z;s<0{WkHuDd#F{IoxAXKXyWItS>(w*egnc ze?y0*wrtVpt;7hYX{Y%M;EDdkcKDm$527AEa!Yx%s(4GYk9fA%LGqO%ke!7xt=j0^ z8ZS`f!M%Sb?!UM`<9&!0Z&0>T0Y#L4%mc6#mHag8Dc^|b<2IE z%-NqaFSJ8C_{Lnj968nyVmoVPTuohes>7u2c;V6%#L(?SqYrL;=-J26!O%{B|~LB=oO zDoRv(N@*#SP;=Eu1M!~EI3dp`)?p|!cQCpJgY`>Ei8POw=(%!i0l9Y#d4bF^*Joa( zc}sMpVjs$rM1oY))0`=i z_|wZJEn$RB9>&O`$&$sDy_Yjqu6**r3wEdN+Pjq0&4&?fCiXfc)k6LKzdW#hGY}Ut zmQICZ$_HH2yM7Az92<=`Bt~qs`FBcPu#$DgY9k}QpV}5Z?gO;90^&q0tUg#Ea6If& z5VuzolftnF;ev;;q=YrJ$>dwIS^<)A1IYIf!yA#hE1(ctA%GknBBIxjQ~i`>-pQS2 z@eX`#+Jw1F>>KIrf+eQ4YjN(#rllWgM4E$ymzJv>gfGK%Igi-J!tR17Yx#wy{Kps1ijNWt>|?ez zjKd>+Amci3z%qBj2Vp-pacZh!owkS|54KUhE%V)>|dRnTZ+ZuHs z0OkomWn?MD9aE7T4W9^Bq9PFnjlYSBDeBtri1dZY=MkF(lZznZ-0;xtg zP3h#TrYYHXpLz5}2fvNvYDVqhh=d_@t)u@SqNPraTP*WQ8sjPh)Pz|V2&8VS9Q~5O zEw9rhtm1|`jf=oFa`-1*a>AOeXXV(pr%>K;l_#%2BQe+JBgCJ34EK{H_sxoh&zS0! 
z_T3@Z3PPvUeeQ@nX1+e*8H#Vr^WNH15RB-v1}}6qX-2W+l}Mo@^2Z*4PB@9H?eZgM z9Rfbwu7K9k<} z$YYEgNu5NUbPIccucddea%&z<(LZL5Hiz1jw@ZR$m8~<01F(qY&dNZ3?#7?{^}K=g zV;ld}vJ>^8y`5dVZRo7@`suN8Wc)13q+^b$ywsSf@PBOoZ5suou7J3vv|nl!c_@Tc zvVEzuU$p%D`nr7jSfOU;!n0+k6Ap73vb>BqFkdjc^Tt}uC&u*#t<6;QtuOIq!>K4S z78|TO1oXZh-0|q=rX_m1-3)1*hNgA^#Ax}9Hmsh^KaBzUMozdb;Pa&cK3|IvuuLb!*itWYU*AH^CJbc@hhT*6(0HjlP zhg?oy>~FCAu-Cr!WKTj2O_R%z{s2~Z9IbOUR#z%!aH+y)rH9X%1}FP4hy*9%b!O;f)_V6$4cq{En$m`eha+8UI;;2C4(q$u>jq~z;XO@rnTF(6)zkBz z52fjybisPJel72df@AKa`*)jFlb0gL4BO@D?%&ekiN5>q-y~)q@i256;&oZ~SFVkg zc+jw?R&dX%LQtj;YL5hZ4@y*k_8*#gV+GL8bN%~Db!JF9pzp(k1UGaf7{vaB*wjj+0_ov1mdXh? z0o|c^x(a~(^T;jj@yDNf&F1`spvLxOxDPL{Rz^lBC$prp@v&1<)%p+)K6E#o zz?||qSiFrVvf`E&0x2Ka*t-B((8VH|)1`0OVF40VHB14;;$)MV@Hu5&e=hFzv(k0> z_3^u(M~&_yQt)?|?(J(8VSaMfgaYbMl?gD@`g#z*(^q)KsIR-5F+Ps;tjV{Q)O#n> z#^(Z_QUi8~flhs}=Dm33;B@7Vd*GIV^pry>jaPxHy6V}yQW&s5*%u6quP?|7u|W>L z>eB=hG1^00sen8kk&0e3XXb*k#FQFSi_BC`cacCOzoWjjej7ae9sPv@Iz{WeP9?$IGqCr9thdSHGEyFC&0??k1VV5@fRus zqE7OB3ri0|KaPT4r)4Scht#=Ta~!GB0_+i z#ew_jvPo=yz4&Y|OT`0L-EzJ5435y;qaFEuzfm6pT?>lQR6xf9BDX1^07hRl7UY2V zqkAZ>hj^D8>pMo5c-nbN{gYl{s~WQOrc|D$#-QT?m1}X6wcXJoztAxiO)jn+rLUCP z*U5B!2RsYf9%j#p*8Yypo8Z8)f>gO-wiVYW9Iu-pGvpmiNs*cG9_Bn44kZdBpJ1Ql zM_R*lP9pW1Fp$o#(-7!>E8gFGL%m%1i2E+bM@0ySkINjq&s{T=&|UM<17|`wV3M-4 zkBLpV(M0axOSuD)hbt%1R&}jwfm^yf;sAKp3fLkT`*wVmno3K3Js@rT;>e*}9C_bT(2X|kJ#%vI%go-(EDc)wa(J^i zvpxq#J((!41wf9CF&qo{kA0awH=0%M4~Ht%fg1Uyc?2yed(@6pTboe#VAM#uprJa! 
z1XRRE_c0GQZjv-=8k(NsEI!p$X;To^g0AGL_7$^Su_Pvu4$yW71_CBc-Xo z`hsC8O-3p<@qawzIpAe#pC^zfGQmW6H{1uuGDHc7X?9+8DBI{HVfa`}F)S}kZIhRd z?iLK9$BIq}2pChN20%?0YXloxDsamwYbpZb21)=%K2K9R@SJ1nc(`osIqBgE%$1Qq z8z9L-$rBCoW0q{@#}w^1(ktn`)|Ys*64o`Z6X0z4OU=xJQ&E9DoheX<*{xt`wp&5z z3TUC6DulIB?{Y8^Z&I(L)~Ip_pkk`;VH%4UyR68ME(?0|2wQjY5Erk0c;&ffORdthr-9lu5eI)}he&9N79@$jI=hNI zV``Ke=ORDH+%HM_92jFoESo3M9wsHl^|2^vWJmePJ173^BYZhgRd4Nt=Vc7pku<;NG~`bgy4{CpDSteGbuwif<6UA%nu$Kq-X>80}fC?N7ReMu7Mou zif^Y=a)0OeC9&ufSDVi2a7reRY9jhZkNoe=@mcJ}IR2b3t4%mQ3EHIPy6=7VznpPg z5xnF5@s=#jy~WSjH}I8l?tJ!*jV#%^SbEz{XWdptn`&Q}8))v0+cR!hcw2P0SNWl9 z?(l_P%Opz>h6R}EKA#yCa^L{-l9GltvsBTL(uRnR@Sdrf+|HdXrXe`j-M6~jhZRS%#|?lMSjAKNDJ9;QwK3*CaDPCKEKNVtrQRkA&~oLKR?t6P zF7q2i;CFHVFO=(lzKlk@!i`lG zYRh&!=c!30u`Nz-lKAV*+9jub1SXu;gX_hyDIQ%qEnBY7D=yq(?Wn!?94wXdI97ty zI+~N5m9ic0k8u-nQapY7+p1<-dd1^J(Z!f+6B1FXQ(sK<@!yh=p28f^T=NMA^gi$$ zVh}#-SYYk))vJn4vf=P8R}FfvbOq|MYIeuLn@uOpgL|)}r^sM#?O>a05q+Qa5XWv% zbgKhQNO65}(LY}vw9)!dNcvR~5}K5F-t36GOMPPVmLpbO3TWKUYYBed{OvqRaD!OX zh~wUBt$ys8y#lB@=V4FfdwqeoB=inoLKFPo*6q04_PWi~D~n<(-Ur;@?eu@fh{DRrL^`RuMc-`8zd(+<~a2r=lL%UO+?4UKmPE^|}C zeXD?8($COT#gXj?>L*(>L#my}&1EH#m|HwSN{|i=-CxAIO3)ywjt2Ke*Mu3_&;jE^ z0b#q-olL%YP*-f=eS*c1qw>e?SkU&V8jwiOY>6;RCol0{HNrnaO`H|hM4-r+(bWK= z7JrceKhtcyAOALv{UxQ75IC(z!k$0gSaM(OHP8){t$ygxN%C9TzNdj|#z=L81ktkR z?a6h2?7XiTx@hMA9b6Oo3(WK1`puEt?ip0EDwfQj zh#aB|>Ojly_L_S!$#r8c2AkKUQ@MD341`3S=74KKz;Y`+-qgHhQCc+6hFX6|6aIY9 z8p20SdWm3J%7V1gYW4fqo}Nr_j~RAI=BYiqAg3+*j^%|_-x~~k78nXLbKO~AM`U{( z51QqIug~cE~Gpk5Wb{x2WduWCnwFV4>X;E z^Zk%~pUd5Wn$KAxLeN6y77%b6nObMhs5QAb8H_GCxpO3#2{ZZoYxqLA3an+~mh`q@ zl}FL%8c!`J9u_0|W15~E{E;=ujfCk0zLSE#fPBw$s#BL0e#*r_r&gRypFi|>TQ7oA! 
zrjOab$iCXFO4KS|(nXCi|77xmnlLcR45X}Xdm^eCpKZCZ`1lpU@z_*q6mkouOa@=z z+;t+C+gKlHVBdAijkLZbSobVY_Tu^_1$0!Gp1r*u+t_ZA^dY&yD<*fC8@NUcR?Txj#ooEM{UNX`mOK889q|{;-{s4q0f#kS`M&JY2Xp0qYYS*Y*$}+Z zSY?OAu5SChCqXLT-?;cb^g!OenJ3gQ@{_)r#NE;RU;n`J%R9#4jZQi<2d+L?eL@FQ z8SwVrS+B{PQ{aAd!Jb_5modCpO&#~IlD5ubYuD%ak*A`Om+;-J+#b5@HcbW0C#!Y^ zv?p`L!=CW(*hMy&@~QooQ?J$N9DOV^{BFH`Z4`3R%t!2oEJc{YaNy{rfJHQZNV$eM z8bk76R1Pfvnk=?3Moh~Lfw9-v+hP>gCR0ErqE9!-OI=vSsULL&1vQh(^oYF%l{RK? zVoiOn8KHY+%X-jk)x+|{cbkM)ze0JbRie>eeg|=h>*>1JcK5b?O!ng>c_&g|&>KQL zqs7GXk84lRaF<_ypQ-Qs+-k8woN8R|oxLT=*?##9n=b>fk8u@rf&2jg;fE1%Cyx6T z1HmwTTm_gPYX$UXH0Av%f+pp<@MH_7wX4_0)ZCz4`nvRnc~WboFwHH_ymz;m@$xL> zjmu_nA$Oqdd-9S);)}az`)Jg3FH_tHtOdl1qH+PYqH}C(G!|+nLnO=k8Tlb#I^D+y zut;EZ-ui=BlKxPs!@M~RUVOPzO!Tod&rqF)Q~B8vWedWEe(OhI0pSV?5)3kIj|rcP zZ}Il`a9WX`b=Mu=g9UiYYVy(0$e4r>ghi_%CD4w7mhxlSV6ADmFgpw&`^u3h2x$3r ztUtCI#7S3(JZ;b&9*9Uv#!Or)c|JlvaRZmkjy*41^;mq}CK_A$alYxnv=xu3*NO$J zC8zNBde{a6c1qwtuF4y4m5;;>s|LL(=2BvJ=T54j?TZE@QeL~W<*X>pD6?ev1u0rQ zBwT9=f}>AEVcAv0OALm@b_%DI4shdbz`ObDv6G&#x&x~%8z1q%IX`(g{ zF9@$wuVFc&WVp;8zn`bnTM*_~Vhp$>;m-9Z{4WWN(Ca0u%_!OX(V=(WMq@LGPkKob zi8T+bH{XRilp#{3N-A*VB_8zuQ6_ej>Ng5#WvQBTt4;3$c!|g9kp%;7RcRiGt92g8 z2L<;?81r8ON#5Ym<#Q0eoeH-8Py3+3=MSC!k0Wszw%X(kGWjuB2EP{;N5DNvA;5U< z0Q2#p0=k;?!B<-*OA&+q{6wDK&5+Mvmr4;?9+;)S?@FR!}a<4iJSr*i&S%ip)b zJRGQp@5wX;v>w-1x&XXY-Hek8m`yf}|DpRcNPn#6A6oHegZ;mP{;#0_g%RDXQbE2D zS5U6ER2M~Wn0g%l&iR6mM(&)AwX(f)K2K$&z`q~SQ*av_vjj`kE+v7rYIZFqExF(5 z8(&`NcAssVKapDB(y2d~i)B#GCY*lb9mnloXkq$%>mG8+?Gqgxna4i?H2zva!c)~t=%L8q{C7ZGo|&KjPVv<%yRlb zF?j7nem!qO&t+m1Q+=U34CmItrLVduWT&!@r&4VHS4;qODu4^ z6W}p1Tnggw31AscS=H8+E)}O&gf1&;$zv^~grU0tGlV^A_pBi`>K#iisl(^pUmO}C zQkfU}dKJ7R#K09vqC|CBU&F7VvKM^tF?x}{cf7udeWRP`#~+LyM0wamG2z#R(Lb|V z|K|5*8IgI5kAyz9FhEtCeop*nc&%Pp{M)QxWJL5%(vOL~pA&_V5m5Ax8A9TZi9Zkv zYyOxZJmB~DaG#%}oxl24v0UNsZ5=Hw<>#XJ&H6*`(Ozx&jNj)Ti5AfBbC|Yu+n4@6 zhk3y7|4BL1xkvEwpBo7H=>QDZ)?jmf*g;~NpFRP5`bf3{;@vNMv6R>UL{R_3>bXDj zt$)7$S3dSXO&|X2{L<;v+2J~**#cXFuoyT;?0JBi=?MrL9#aPGIP4e`4FtIMmK>1O8{@@> 
z`!SY>?BrHn-7;=aj^jSTuXrR5sGHoyW~;_41vkOpdxhj*)}V(m96@M{;%_Y=j+nsFOm+!tS2^FgzKi{*HG z&jH>xh<`yQ@Tpa!Se0k^%4IF@b!34zZ-I4VULfI<(Ew>`JK>YE#9?d=u{7E>B`TCJ z-Nu%PBs3f#D19&0C3z?hD~H2gM{qBL!pnjesr0UlP4V=V?Q0oq9?zJ{D=3J3J@v7% zdA)`LdK6_MXWd1Ml6nl<7_SPXNIM>=DtMXG5TdS*HMa>4pdm3*@~sV3-8Otn;a-3k zCm=7f-?ixo&r>BRHH3U+R2aaEr0Iz+PC3dfdmRn(h8aDs@U{E}H)xu4ulx(kJp{nzUl-^6)wx3*IlodC4OTkOBLbFtO7=bPq3quqkhg=tqca3MTmEC)3gAM_-w9X;*Y5MtVR^5i(ygqFk$VL&*QfH&&F z0c5(LLko@x#9Zdnu2IWV9(xwYeEkttt$r)B5)6lDlvq))(6W#E0)!uh{gSDMP~Z+P z3BhsEa^MDL9peqeQhUUcqeD|4=aa9V_KXR|-IFmVm)9?=24j*%4?(~T!H@C>A{yFe zNOgOdH`M1n5tDnIeZjVz}*Q=)~|u5?_y?fTUHRI}g%Fbp?+jbpQ30 z6hGOV&43d6!}6eP%1`8WfZE4_jRyXF0n6XCR{!$a4p6RvBjwBh$Was(UxR(!u@X_! z^J3*R>qk!Qftw_vn-U&~!pa=Gyd}T!3dq8mW$Ms%n zl|Sfl+)sKO>;x19&?+CvHr&r@{Fik`v#&2w7aR&)+T7MVvKIusQ3=P0XHN(V)@WI3 zAQPqzuDv$L!G=N0xbkPQMlnxZoa9-759A%O%Ru-5GO@!6dPVUSfbZ971@PLPWUt`e z@tD)$9l2odjeW;`^M0TopDR)hJE6tBmzCms^062BL_j10v}twRLHqFYtV2D3Z2)(+~0t{SnEr;n?o zeo#Q}%)T#0h7#XOJImU-Bigc!a%5g_KN&#_(C;CQ>9B2 z>Z*Wh3c(H`FuJGsYgo*UmxEwYnDXbQX@~Gzu&S~PsA^!mdWX<25CO;M2M#*Ve>U}# z9s>Y1q_kYjGplue?GSe=<&o$6Bg_RO#yJu|Sf~5em&Uf8!Cm(X8UKrNroJOTK`vy0 z+*dwriKV7Tl&MxD?gg;IE8;V-O8UZ(ZGpm*yIwn`d;`+S8&2+N-Ud(3r)Ml^r5jKm z!V*ydSkMZvf+9i#PKJV5m#u(gN2vQBhk|WYCf86l6!SLZc+akshQ|q;VM7J9?m)ow z26E*#2Ba(e(F$qu$^zWTaq6Dttw8Jh3hks7O09IgzbJZ_H@Z%yU)nHOc>Q(JCGMf= zO`Wz_ll5T{W)*EM|E6@cw`qvTI8?h?|30Xk3wOl$DG`T)U>fImKG?87I}g;CAOv+* zKmhtCP7^BW!H5h|K-aS$`_n%p^|XZRv4KuqG8&W9L9L7v&XqA`7Y=5?Uu7$K#rW3x zWKhB=nxsu?`uC%@!Ti~9hH@_9i{JK+-|y-#y?#heBYY%2Cm3ssjmWqDSQr?u@4vusajJzpb0?NP#3 zzwI}iCk>;H155&_68-y$8Bxez2<#4AAVX3WU_~X z;{j0eB>X_O0ch$q5sc9$m3L`^+6>G7x8qorDe~LVl=$l$-$6c%;Frn&bi(YgfJna+ z!5=33@)_`NOHTT&>>8Kvn+3R5zv(&J?|W^Z?e_n^`VSiFUljPmBfAq0pJI&kJsJsw z*{^USFn8PhW=tEKU$_Y%odb5SGC>OL*MCYY)Rv0?DIRBG$w!#mz~)&5l4KBEv-1G7 z*WX{7=Ff)E1@B1c1T7j1tOCmiz_up`=pb^4#?VJYKkQjH&0PFHJ`&>3@v}&|U&n&l zC!9f8e$%8}@IE~FyL3nb4}M1%bx!kg|CI_R{r_9okBTR>4`!KfT&fuhd@J{O84#yDdhTi9;apdv26IuGj6@~nD&!68irZT1OVE>-p 
zMf9s9s4m|4!?Z+(Tdv>{R_bL-y*@)ZcL#{>oTY1~SP{01Cg zs{%jd5{mP7?hPY;59qll}wKeRhmzktEl4YiKQ->x|9X&#W(eS|G6C?wS;=r)GE6y|= z(Nn^#w6DUWH?pzD$Hok>T=D4^=97}|kmvcVK@Bja%ykDlNy3)*{-ZQgLC-^){|2T( zNQ>q4Yzx(C1SW*4?DAZYO<3(AvOB>S)%rz+&_%tu!m~!gn}nP7LJOXT9qJG(Ow;=c z)dx#f5Osh(fRxh6NdwfFtTIAwMMeSuXG~fG+WoZjbQ654ME6ib_p@SgaB8PhyZr6( z5=#w$>#wsPVstmY91t^u5Su!PT#MDJ^X< zd&F9YP|d(7KR0gF`4!-fK5g$rjsegB-Op*ovJu``cH9)bz1)VUR(zTzGtVszgP+Hm zMp&*zBr_kgLOYCC0j`~`^m4{Iu-VrkaZK=DHc6zakgi#c8Y^U8k%p#d z6$N^38AuWq8Y89Lz&jw33be;b;ns0R&zu6jp72CCN)-8mmACv?H22Si;m^F{42K9h z+}ea#Aq8X3ZuA@s6##UmmR=CvhV-29BzvLwXuy~TK7AW7Wbqg|XDpe6a2mXr>aD9*JfIQ>@03!XxkNj=GssDxx_kvwu zkX>RMz*ja|fwVlv-P=F-7P$Pcd_=(QZ@V*_gp*NhFd2f{-OtW~6K4JyL+pRLo*Iqe zKLIm^Bv0LUfR9vOf;nK~p$GFfzRrq0>+fz}v#&~XC9vIfa8o0Td!1G7 zI}3JwE|^$Wvm0#9t26V)awHvX{M~+M%D$*IQdKGbc}JSQEcF+(HXrQEUA?R1-^76( z;VciEg9SL#yZ_mbsw^0BN>=yJihp!uhg|$s;6}?3)eH-DVcpbTApLBI`wQFt6_n&J zw*>hQI2%7YEHekLV^4j=%7QJ;At3sTx&_#w=sag+s40tN0e}+|nUW-K7{4fOSCY7$ zSX_wccQs2tP6=7rc71)+>1|t~$+QZKVx#&lCg1$Ch>TAMo_pO{ZEL@-JxKHRop$O{ zbMN0;hs=z${F!wrQUxGbDxAR zN0_C+_Jkb=L)f0%s(&)#W%q;22}_fFOCKAg`xM-j+xG^97p_|FtFLWd&Re|rJ1@SI ze#V-^c|D7q?&bS3Y9xZOIuOLv{t(1e*a|&BxIO^%4Gx6sx6f*d=>G9LZW>6bDV4q z4*TN&u-cD)S8E(k=?qQ!>1kMO49o5c23wOr6XSn~r>`dcRy+>xk$I9@ z5H6_Y<%`@Tj5-O+mYFD^)k$*q3grC?vTU{jx`|XQ`W_xic?pE~0VsWUCjB@K3k6OH z4}^K^X}^CLc?Z}`j|6}jVJX8G zaYmU^>%gR<0umr(S5a{&q=3Q^l&FY^3{e451fmQgB1C2ZArR&{36O#8?0zq{wrZ_C zy|?$=@B4oK;g6Vc@3r2w);m1!^H4BFCn}roftylBcqai+vXCnSFJlhC0kqGeW!6Vv z=5GPAfyXA75HReQ^vEj0>%Wx~_`3_mHPmuhaw*jCh5zJZZmePUG(cu-L4}$)T*;@) z!HBLzjs?{5PJkk?$pKM_Tn-rn@O@;b-}s>bmA5bRZKLTS>*3$ufKeb~f%u&LFd3_i z;X@PPyTZwg*DY@58$UCm_Vz`-ZS2(yit-~!ls}-!RX*7D2fKy^__oQsW!GkJ+BK9F;!vZlOc#GdRl+X5gl8hE($j^Db=lEjk(VSA`^*9ea; z`)Jwjv59J>S#{5!u0y`e<#ksa4fNS>Tvwl*#Y!!{>p!pASe17maapdw?Yo4E^}*&h z4`t2nPkvhO!L~O3K~%hbQ*o%a(%~!+H&b5Ueb#TFT_QZb3Vm~bylcEnyZqtOe3^i7 zdF{M-b9)~T8K2j8xHopv%`Y=PAAb6+ZTc?`_!p5I<0G|*BX_&aU%ESEiTT+(fSjZ1 zvu^2Y*z8HyubdA5J3BG{-8|061t|%h?#>ozo2+JQ5(3}|sNT#Mo~0EW9LL{#cd)Ob 
zn8L@C7Y5H9gC;2|-zwny5YqVAg`j+*VwUMko;yFl5pdM%gz;EYgpllL>d%r+_sIh(bdYALq~eeNkRuSmWqeYfAZ|9 z0Q1m1*J86nQ%S3LhQxQzd=CAZ(v&*W&Gt+5`rS<58Mxwx>G{ibUCilaNHgJCdzQ^c z>*O7+Eaj{UDGKDaL|omW?uFaBj3~z8J3dsEi|~W(XfgB^xzWoDGRwb{ke__BkYG4p6lfCX4+xIeeXX*Oa!bux{JOIj-V2W3|{&!mQSpY;^C7)~bU>wxpIIkPgkxl+FxDh{`OiK)FJ z?nw4>w|%sz8N|13p^9&~b5Y{Y96gb^}Nua7VaDKEoV z0|UuM+Rck}fv2@8nPSe4^CJAyStn zHDsr>`8TWV?+Hp@HCcS*xw=$-XE+yKVyDi&0tDc|Zi$ryOj8i)h?Pj? zd*Xa<`A|<+u5cccSh_QO z$Bi3@4xYVtHQK2=J1L!{dwRt1?epg?mqi3C>^G-{05*6H_G{Ql}c9|YvJA$Z$w>sb|`{@-#ay|3h){;S^ZTV8>A8EqB% z-*d(&YzIvHzoC0glnJ_je?#TY(8i>#kS%YTUsy* zi~jjDv43Nmrr*B$;;+cXQM6yK1HjltFE5r%9nI=9Mv>P4_JzH=ng86EysC8qqz|%) z2A_+j;E!xz*nvO(kF)h}MPs9|==c45kCXk%+5Q{;jxW(v?&1rf)3A$EOMoT`sqz>& zxn&z{pJu+Q$X3v9BY=k;P)xFdB;yrMWD8ZUj)?R|rgTDRGOq*~8QvtOl%@{_VKaQ1 zx3WYl3JBBKn}xf%EaNPssXp1>x{S{Y?~7a`>b3cibO@0ewvP-GY7-?9_mt7GqP$w5 z&~c>a<=Hyv9&Oj=-?oa&!f68)t#T}z?Fq)2a!#T$m@t6qBD*|3p|c-C_+)BWqC%C8 z6>zj1X_kqd(m}q}>;sl~N|%xIpn;XXA{uGCdM=uXP50bbMe=R(w@`aTa08HD@SL2O zDN1Y0%nG6ro~J0P=%p$O0bwCWdkl+^-P}6pzG~9!`$#3k+ufa~NtJxjYv7x%86q~h zNXiyEG6#2sLOIinvso00&GgA@G=h@o)ZD=b%mvjZoUskGb&*k=ko{MyiMm~SK;l#v zs#i<$N9tMl`D*t4vD$fT;kx^XF5>`v%r+15w#mbW+5yu8d^ViNEWACET)R~I8&%*M zs!5Pq>IX_B-|cmrUV<|UJTU^gZD9m+ex}eVa6)DTT05i8$pNZ;#&iS7Df^BSDV1zw z<$&>@m63c~cq$IvF>0dKiPvPrHJRmm(+%0PsPILr<$RpXO`E2tY(*c0t%evU zDUl`|k|(3CtjV%E;v@$*JKN(J3D=C_ZK=jv{(*)t# zeg4f`Zwbb6MHX2j9zodW@ZE;|yxr}-kxpo+^1>;u()qj?F6Xf~rGP86IVNmp3sk4` z1ja!(u=PUbDdqiS*;*ZQD2RTnf5?1Z%}7SfR}EyUaUur5)uaECoe|J_`6=|NEfg^^ zoj0AAl9M6fFJ9B+pJ0p^r#g?^?LfKhXuWy4hyt@gsq$8vLC>?1`76(fc0P(ylV~Jx z(0%eKhD+CM50b`xvQ=v^(h=X^seG<63d|XIKeZfRpj)4x(d zRii6UFsIOW3Z^Esu+-`0r7hcpygXEmn$qC9zEmQ1W8o_Cq9jM$`1)PrH=28$n-ef`+0ds8eZtz zAvSvec^krpLIcIQR1p!M6n=$11)p)oopvVE=@#@l$5de(_C%>xqP2&YWF3@uDzJO4 zA!hvBh(f+OYXdBgal%HnvmhaBimy zy9Qg#V>uaD#yEm)-FSvJohMHh>9U(0*VeQ|u;#N`R5xH2@ec9F2eOJxk3mzkHqyaX znuX)anjbI?bT7`SrxXU19g$3buim)CwO|W%cC8z(|e~XW-|7VvUfFIi?U@6ccnqw zLYMiqj2mth*~)H;hjYh6pZSFsF|OQ2vEbwQAGqHtjfvx*%Yt%gGZ|(A54HN9qUM25 
z`6cnxYxXi`7v7Qsgs4I^gP>HT1Qrm4*7h)H4>RCSFXr64CX3DgqS@zOm6vw1O0RSs z5C*{+SMyMc)4OYekfzuiZP~2ru6NL>xE3Yeb%X3O$vQa?O;&Oh8@;Ub*33cmq|*wy z3~;KJ6klVkhg~bwg}hwo$U4y`q@E^O0=rl;X@eJTAWD)-HQD;1%1FPtR^w2lAG?PD z30xYmVmZ6>g*MN3%S6qzF)~!39uu2H58M#*sJnj4v;ArICCFpymmOk)l5uD?t1S!d zS%}DdLL!r}&8%D}f-F=wF44hND|kr52iMK4FjY&pi$5>1O=tJ}h7O2dQrRXZ6HoGm z8yZv|ji5(|{8?k^f%&?#g)tfA%q{_S78Sj*ra#8ca(uV`A7m+2_5p*Ff(fZ7Q!U-;nL4V8tmp0-9f=>RxGww z^e9xB-aIfFXekWpjU4quNs6n=7t^h@fXBQVrnxDxF5@(bAo8G`$=xdX2V;#FYn@jW zi6>j#B-Tr#&j4rP@tl?T9#9R5 zV!fjlFf=x#dx(#H%wlCIu8onEXYfVtb%Zls+>>=3Cx!!vHa2jgb?4d`L5qm7*Ykn4 ztV1aCZonpd@}wkd-~v$l!N_Y(Qx#La>wqh(19);QcJ3_7=C`t(&jW6YYn!tWuh*Sa z%^WLhdC)jTw)0@~Hj?iRyB^z&Nb={<6E%1>W=}qKF7g8SA%V`Z#B0NN`BRG3 z@Too3XkQS1GUV>*KHwbS%NN!0lsDls(`u$UZYN@AI?bmdeWczgBA-EXvwee?paK*fjH zpK^bplW9)8r-YrfwT=AwZ{3(b%LR=;GetXjW6SO&vl&Io$D5wU^E=H(%&>s%ji6~* z*HKnS_j+Pqj+*YlR7ssGOyy1hr zm!66<0do5F70?*aQLz@ruzVBdC+J6AQx5FyQe?B%yRlX0-x1BLx?me|u&(|JRT3R3 zZUHz$clT)jPWytC`_?jRlhp3@jZWL^ikwwq*j(icHcW7hd2AeJ&aGOc7xe{fx{Fr= zr3;)R<@!|VLaSvXFMsqsfa3%sw51v4U+=c2$z(KX=f~#10*@~Jp!K)$``r7j4q*Dy zw9Q6M`z(88;X--j>b7?IEh%!IbB((TmCu**CDX&9IJ}BRe8d(nLlt-3=%&y%31NC5| z^-I1<`gJDZ$X7+6dWK+WwQV)__7!=94~pw_oqwA{klFfWVr{Q&upI`(=6OH?zrzqV ze0c4DbX=Uyy>()FdvVA8G{#?KXN8<}T?`>6_m=IEg3p-$yp|!ORx+j~Fqi#&XmxPY zJg|s;&iHe*^JLG-6utx;?68s~;6_zbPSZI!^EOSc`3#~ybm*)vc^({av?!oVvO$&0 zm%LWyKPeNFfdhXHY&84Ld#^KGMix>H@F)u9EPJpHDZTm(XbqlF<$Z*XU!DOG`K#h^ z+@B&ZYcs$ktiekYI}=D(A!aPYy>;H3<9T2H=XbAdDmUHTzH(EiE92+ye%Yz<^F^_~ zKswUUi=%BCKVL%Z&sX@8h8-MQi&(7l=Sv*zB8l0E@&ILG{>wG~N4}>BxOYN-Q||R4 zq^n^U;zywfKTGcU^`oOu1nMXh0fcXC=N+j08H!Ltcd}RYf8f~}sVN!RSLwrbKhlp@ z6^VUOX0q#H4OA^{-&R-eVDd=M`rG~!KTk!MfQzPcU}*gw7{CcZj_v}B2@q2GZ8>p0 zs_=XqyvW)`HMSYpn#`P6+u*KsuB39Y9q+&?owLs#L{8rhVv&P2YO8G13~Dd7L9sX6 zY_n+m;EVZ}CH5u6-l>WiPlLPBDcJh*G;M#K1mAIog}$D7syEQ9h*Sz`6b=dGMRcD6 zIyda-`vA>T|65MX_nwx<yLfC6rO*cK{&2zd(jIZxLgzK#UNN>!X$dpMh(0 z4}wys8_YHG>P(LlT#*P4K8NyqQC&G&05B}5QF^Xb{1bVEnp0)YjvE7_JZ{Mw|2fJw 
z41QPkuuj0|vFO8Z&|BOc{+vKWc*0d|b$~^XaO${6ItEERJrG)xU{8jpuIN~{XnuN# zS;QF< zZqL&YQ5h*a6l33I;R;+$-eDgGe!UaMue+^wk}FIBr)DnS5-(7gNrFb4`2dGdAR?Y| zstNha)4A@PB~MORkxOHC_ELwv-oA(7jE7v=!dT3(hP;55k=LNxO+6XOVV;bnIfs-; z_JVt5Fwio}WXl4c?j=NQ=JFEdiB=iph9|Cz2(waf`!=(s{-Y^9G&EJ|tYGdQ!{8eo zEA!R99EPL?lyu>@uj0k`6liTu$w3K6-qMB-;xbN3jvo5ZmR%T0n9@!Qva{e|hW9JE zUjF>W%S(Rr)t=F+%ts3`G)oMSv5PjEn0m0D@}_|-7V@J~s#w1axtUWa;SU8zV?Z!i z3q-}W&r}KzZnN>89dfg1l!Fib4o!^htq5S1ig$@gJR+0VFu+O9QAZzcr8QsW&eX}# z?UZh0tgLjd44vLn9K!SS^(V9{F;rY3Lwws&-r9~uNYfScTV+s-3>m#!mVPKcps?yt zzBtt($DMz@+gek&TmR9!HTYNbD6h3L(o+Hmx`3#bKH6Ym@yoe&Vr+rAy~WM< zy-nsHR|iY?ex`rM@c{3JFF%Y+;0$KR;u2d;b!#>Wjx-`0`-z$(al_Idk7^9B8S<0SFk5e>} z2+%POjrXDkMTA*3YTv)MTzV2iWuwp;P1Yf9GJeUL`;34 zM4328b_T||hblH2BJ|QyQ5W>8uP3|x`o9zqizQ{RBA_poOY>zn&o-Uj*BHQbff zoYcZSiluwea4F=P`Gi6^krs??WvALmkmW_;j|WNF3dASp)ZY1L9yfdvs*LUTpbnoK zI>r^QA25?>hr_piZf<8~0HpZo8_|Z|K}?DNa<4Uv(J|p5EMv0fQ|{C>f11qJCxO{1 z&DrG>Jx9FMph$5NwtN{R$YDF@nU9fcDvUcI+}WcrEv(~qfXX3HA&7+y;Cid~2`jw} z#moCW_3tdED#CG^a7(1jl~|zS5tM0B$)099Ygm6}CKyj+j8mZ;L4iIVS8MbI9l-C& zR&UR5RIW=__Ol{F-HfL;umj|TLvVfclrm64U^PK=&FAK%FbZrP25jjegHb;4Uv9Y? z`)jMDb8IWpd!L=5jP9)=xWQ5&(*~d{7-G2nYDQ@FEd3DvK&HV+recQm=;DK)e^A9V zKy$MzT7%Y?%~+*SsYlE8#QdlHj$Q~&e;TuQbhp_fQ^P06;Hp9-zu^nmB|M8nGd5&$ zDOT9sUTjD#G2g2MJ%mv$MYS*&SUIE1=MRrG!#EjaDdt&nd)3YGkQ4WAbTKD_d$!&~ zG2RAR055Yc3I^mexBfInt(#Rv`V`Kp0VC*cNfbNB;ALF#_H?#l2UMo?Qs&-A>&$TL zrC^PFk)f5|`L<-ZsktMBCKevXGRx=64F_q8Nt~a?#P9jNh$c9DuK#5f&EL6ee^TE2 zci#VR12(_^tBI9AR?+*P==S_wJiho>(kGe?^D*>V*bH!c=NaIqPv_8rk=D)Nc(FQ( zu>>sA87FH$&fkuutsqk9M%F1BRvl-SFU6id-02>OF-Zc$G! 
ze!Ld1GsvwJZVGX#-A%iPp0_&WVR7dU-a zJYcbGdbL;%u~m^4;4^#D<5n83_=ha@n|p)F-a1pwYEzZF*x3Fw^sP16bA_$3`^(_$ z+l$#pNr!$K)BbO-xoUpTXk!x+DWGDOQ(;YCez`xKS+(!&#R>in;SqaK-po_<1L-bR zx$gSih%Yzg5&V!}KMo7WeGT4&Ia89l+fVKI%RVAYc zBlC6DL|G$uZuwq&krZL%cBSFM&F?yE+bExH8iAUTgH?p!(33RRE$eJtSY@Pn!pJkX zON}4wy!CwY*{)63FI+9Zz11(9I$s%!wx+rxlDwbBtfV-sf|&D-Bpqkdyr0H|2B--k z0bxaH#o>SN&dR-NzNy*0qQ&a^|5o>ngv|*Eq~xS3OtaW~YZV>TMvCnf5%=7UZ7(3A z=mG|X1HRfznf+8r&(zan=0%o-QLemMGZ}mLWwEGrv{+Ph9Xd=lpUbN`r~o&&=rQ9P zU@8fRT?u3tgW|3O$n2j}Yb?u~g_Ps1)x-*F%!p`)!o1F-5q%)p;Eu*ItQAJ-Bj}!< z=}1Jl{nu>gyLkIZ0?4E+1IPHR5^F#N=su2dh;B@_!>m&?t4$4~ukT8aX`a6Pi_1rh^;6eC?`lVKKA@!r^0E)HD8@;iOVzS8<-*u|pa$g5XfURNoZw0^VujcCF z`&Dv0*=lLp7Jh>p6=)sl%yNVK%3}E;#<@6eVY`kWZ*BAn#Y(g;L?kz3DW80{5w z?GWk0U{2n}wcXZ^Y-jO+5wj+nUmRkBE2`US^7rZDV!EBqHx^4mO=j8 zP^#fR^|CTr8L5m$Uci0#J#!v7>*aAQ)zMv4+u*dlaNLh1q0J{CT1)8P;)pcIwJEd0 zjY=bDGyNZq&91>f6ys2QS=NRtbo+uksoU$_2)jd6LVVESFb`-(^2r6Ek*sCTl0DIz z!>X4xQtr^_ge`|;#u4Qc&VdU4SH9nguR>qtF0ajz;<&2Tf$6@}9^>Bu;nDRT)wRI! z@S8BytF9x;ujI9m=l-SbXg%HJ@1qgcG}*7a2dGWtQN3AuqMiA=<0^KgmV2w+t}puH zeE8##f8HB2BVwc90xU83SAN^HFDmoOldZ$jHb?FWr+J!-u@*vv?MSt~lb74}6qmK@ z&&70$Tx*9b`(WRFlPvyC(rUqi6l$*n7iX*hA^?`006XL~B4l4W-A_SUa~Rs+Gu~oX ze~WzG@Z=TNYhR#(t;~UV=W>bxD7Ztar?r&-<`2Hb3ZF9fG;#}kD!E7vn}D0MzDoG@a5=Rzqa7bi@AGx0bT%MQb#@_gcLIL)>{jJDpX5=3Ik~PKmYvZV-=ck zwQLCXAM6};H$U9_hk5^C^KZyjytM*9toL6x%MW|qhkgG4`7>^@^dv^{7c}hIw_<&C zpJt>sqiE^E{dJcqlgD(9Y1*Q-fb-3#Kg_*6epi~+-ca#pNn7^XxC*|U;d!C{Y~1`8 zar67@J+{_YWhDBg67vuGHd3*vH&$sX!CB4e=D!N3s=X%~`J%%-ToK#L0xCREh{=2@ z+i)9EE`fJ;j)E~N5Jmr}PQ$CmtY2OPj)ae?zdgS6SAgm7d#_5|{WbSb@CroMqjl+P zsI+0U3F*~i!Y*{g8FH|dqb)+eJT80n;{VNWgb=0X=aGEHNWT1c#9qJ8_}h)<_8+{j zdh)K<7XFOF>o)&|(d(~?b-oX|@Y-urqJHTRsy^=gYeL^nJ&ie5>xgX@vDwJ>5k4oq zY{lppdP| z#wkiOarY_G67U;)8(M$_P-4AV6d#CLHiHtFY}j968?u}wB`Bdjd-ujjo+Lo#D%$jj zrZ&V;m4TAdTG?`e+U&0CD3*jjVo_LkmEEBrvK71~1M(P0znarzO__(_IJ+R&%t2<| zj0WA|PQt9?x6%DK-mHizx3Sb!JXRQ0+y_-u-%(v;NqO4X!RpgW16h%G6EdNjkoL`X zY_`m{oiU>l+8%U9z)inuQ6cw`aM+_&&Vxu*1x{j+g(|%wsOFts?=iULL{h{L1>;r&~U9g 
zcRalCx_tw+?J>Zh_;_pw5Gdj)@iLK+(5(4AW+oUIOFS{;+v|l+L|t8L%xwd`wSx~W z!%j93*_)}0&5l};p|F_B!fVTVA7EvPe%AugSc;o8!YATZqh&{3)-w|7LLG>gws6WV zoSUWJo3hVD(k3I#+hkK~tg~e6W99{XSHDg?3~V}uPaDGr}aysxmoBGC(wqrnP)@y z%FDY4l@15*EAs(#MGd=^*iD>7Uzb-vxXpi%Jwf7eyOX&<)K=;D;xSI+}E~kq3c6Ix^eUj+aMOm6_Kxb5D8osLmCa7WK7eQ7Rd%+YQUPBev&NcsZ;+)HL$k zl)zkw))`hUM&ESv)|CxUNlZr81=!IK`yQgWooXjRN*GH8;KgFP-b!wktU0!U@uiS^ z+>3t#6)k?|ZNG0>U+Y~qkF{$C7t08t^ZNlE$`vuS)lL(14enH7UxIbtuEplEx28vF z6NyjRyA7Y2Jqy=s;GpZfb6 z)$%U_61T3q*!*R+=fA7$sqUAHm)1~nP6&9s%)7O%HeB4Id&sVzrA*kl#0981GXjfa z2#9hgFj;>8kIpMJ?tFej;hUYHzdr>2037%I2B#n)!LmFho!-BjJ7~I~OtKwn^o3GD zzZSIll>p&5?kQ92AKUlWl<2dy?%u+_v4fKthAKgyXy?k4Zjc@1KrVkvq z+aHta2?|;SzA2APjlCaUPPR<`H z{R)~mEjAcz5v^z`49+omVOP?krXdT@FNa#Ns7D!ho#!KgjG*!f`w=ZI10YXzPSHCA zgxRvZZRuqV`nOID+QtZ$`%v$8Wy3e284j#-9*~MnK}PwEohh&X=WFfE_ySNp>{;y2 z@)dY|>S!ehX4f+h$CB9f+T;%QAP&H2@TATv{adI%WNnD!Z|{yV60MHgd0l^!w`ysE zMZV7@m66~sJq*xJkdln?=E(tWF$k(R7%K7deeLl_&u9!+QB1|M592uE<;bTTT)VJI&e$g?A{lD=y2j=tAkQVJC*;(Ka6RAM zBP`_O{s6FN;iatK9)54GCUb0r%Kx!Ig)KgvKNEFRo>7?fvFpN>vAy?6Tsvz_E31pXPAsioJY8h%Xa;L^Eh;%JlX5%7ZIAEDo-!xS9LC?M>v=yS@gCiGch_x)`Z z!nq!Dy>P|3_e_l)wqJCS^L?u@$!VcTpE)ahpv&qyPl6~!+~OM%+?gcm&Ks^7B6^U+ zQ3WMkG5*{WwIm@?+KP4}=i@a2{=UkjU_x$*a zF&vBREVO^Fg&X5@<<)fVai=+~EzVih#I$VV9-A_9t)G~3ISclmM#x-_MZ@tZ+mBwK zgEuCm`g_Y&)IWap+xNZtY~0Mv_!cfUN@UC>C@<>1_IS*P4}KV&KeVgAVmTGY$qe?0 z>uh#+BS8O8FL<3J@T9;u>ms+WYE3dt5eBYd@CwVJ%@C!I>O6=jwS<>a4vfuFAny%ad=%HO7JG=An#hO6cQTXOS~mqB*SA(TIJRQci6C2kmvsQyK(HNzuiG?Au$}oj!S=TD;pk+Q^&#!m9&_n&i4AN3>b z%aF2;m11d?z1qo4kGeUEjc&RWiGgIVVj8IgkhhBAybW9WCQEkr`6~?jra^~O&Sian zGJ0n&5WvT-QlIySUi$lLZhsYg_@4KFSJm_P8p#>!N5%$Z;#gP1RV&T&U`mA;Mb%fnw zq@3GvZ6xo?_md8LgnNu|o8E?3WhoQT)()~B`n&=d>;YZ%u*O%h5ztkoqm3fB;-Pf{ z&{cuIpsNO(dB*{Up()0!l2){J-4XgmaLuhGLFm0L42m!ZBFslox!dEi4%qYBJGf7%^@;pvjY-hdJf&hQsFidd<4vU6oP0f7kIW?qV}BPPyJWDh`z? 
z3sA!rCOYnKXjMQU&A$eqD?SthMC#=G!W;|YL%%IgX)fVgDh<{&5~LMRYbinGd9_`B zOxC_dW-}go%oaLb<3Yw1o2lTO*-$)thVNo4Z;wPJ7jj66wW-Cm_Wmcxa@Gxo3Ael{ zSX%pnshqA+lp>8XxOASScT4fI{iJ`^??(i_sgLDI6$Tk4%3arih;-`lE=jJtQf>t7K`BhL#Jja6o!;dqW0)y2Rf_7=9{lfS##IuOd~yR zr4Cez7^};#RL-f^(pjO{(^%XaLoJd7C`j4EC;i*E1m&Ii7dLhPel|5s)v~E}pM+y< z9XvnAP>A*+O-r*;hQ|1Yf^q7BDL^?!) zJOEl_o*x?x_V|0j+V{$;OxeF|_-`wny-||MkNnqRIdVQFwV4-)Hh)Vm<*iXrp5rxK zX%6jts@oFfiyu1nn@evb*v-8DB$?t;uvDp$)cK(8?hkphtUn55ncCg{VNS}qw)wH@ zhs$mE8Qux&?%h%5)Bub;kcrwvz&C+z%Wi`35fJQr2{b;?0C>mt2!3}rVGuHq^CF@1 zhI#L&G1Gg%v7Q1=9?5FB9X(jRkN?IeHoWz9JtyE91Ql;b#h-up@P`3=X;vSMWH;f% z!uYV0{5N;cZrU{N9=6OD|0D|#pm%a=B{u9#1tF5_c_W~& zJRWJX=}w7zY=Pu=yyqYD+RS!GHWm-3@@FruUG8r;fcW>mVRNOGgKq|Q#vMAN(GhEMaUMKM zmfI?iJp)+OO>=%-&?BvkAPjX@J&|zzd2XHGvXI8MmW_?OV!zrr;eZM`H;a#JIG;i~ zzpX)p<}`faeGjOqtzE@Zj_P!k-L8qM!@KLO?#RPD)>H%>IMA~`Javojdkp~E?g zoog@Znm%>ikiYqdEtFmH`VnV#T@0qmw#VoLjyuo+pwV5Z3?$_C(8KW)s-93>fyogh z68i=KY0(E*u6!>?rlfA!9r+;-I)Ar6ZBrhU!R{&_V?5=aQlxVs2md5e9>o@>l3>-X zm;lb&5r`ER?3}cf?t{Y?y>#3f7Cj*9QH954MOm9ewsN z1#R-;Vp|Ar&%qXhJmmO@wBV;PGtr$gPaB92vrhG6XT4ahM@WSz8$Tbnmu@E6FRIDc zM$}$(GPScRFNtBoGy-P$+ z#8cB`7K~Zftpt-yI;t++IYHMC5mX_E2d{SG_Fxzet+Cy7R4yglQyD3_fIizo!)6f& zze4`hp05hIy&VGTH2hfvqB{RXX<@!k)ah+hJbGMcJscL&Sh+_Vd_So*C3>^+XwJL> zQEYzWr1BwZ-tE;r-wQh4tR*m8hubB60hIN;5?;L2<7d5Wfs{8n*DB#|l^g zcT#!Cac@+sH0fK~+;pU&111fIRQBV{Xx>qQwHg1G*%eZl{vi}qI-Db?D#kM$g&jvaMDw6#Pc-uK zw^*)N+tt{uwzyO^W{uBy02`xhz z@8`?j4Q>Pui5~<2a~@DN(Qe}Ridv|3Q`YC)5$+E>m_m)aLiPGFlOpl*5leHV@3PP@ zxo>T-*WbRLlE3xjP@6^U+1P%iqbiWakKW;(SysQZBAfHDOlUNdrXMEmUF^jP- zU6!B{sGV!e7XIk49d)&wOdS^?wu6ls1$LlTG^5?uD}bs7+=4CAIZzBqWsOWugkhV9 zJ8S=miTG%6ZxIR%frweN@iW>a2h^=gVwK?Nk$H6aSHMdRgvF>{akv8Cy<5hT*vXDG z)f(7X=V={JitwwW`*{Vh@8{65{6IK8ieay<;*Q*Vw{3X*iEVTa57fE~G=og3GqyL< zcdifVc__VeN9!u0A7;<1f5WrSDoW7mzpC$M1L0PQLH~LGwG&Ri>_o%8U7lU=&$Ie|J1+0^m;= z1Ki?3yl(Fe1a>bjsxWe(oAWkDwJ2=!wI;jO-0`$*1DFl3qlgeH#nF4xcbaA?;ZH`Q zm)i^n1ezNUrU`V-$`$xD-fbnfw2|$iAYxLnnH*rQCSoiz+g&l4VaJvE06K9C_vrAX 
zp=BnmRbjhgCh6Zz4>gl_!8L!`0tv~E3+VlKSt%@%Ke?76&U1gsdbEz$GA_y@zeXdI z9J$*9k2OtwsPib_3UYIBrf#2K5)GN0i+kxA61^(MDkV$pd&ZY7XZox+XIJZ4yGtvs zhOAjcD^}(Use?tpZlkP2Z?(T`dSW2^`2PKDX|UpB%ub}6khJ|deXVuE(DJKknYGvJ zKsVuF#+-KIGn3vI?|$sfE`X-H1CZqDwH z0biIqy1H$E#z?}rf zY#@1l$H7Mm{FC|W%h6*N5N0x`%NFZRUUqH*H1&L&d`MT39O&X@!M7R4`>8J9gB-u3VF^MTQpSMhDdj`Trtt%S2g1}SZILILghpn&#}Fy&ziJvP_wMD(>6 z=9V2E)~r+j_FkOU8a4@e9=@CK$_YiP_qO0iAxqy>gr0}}`Awe_GCpsbk5iBUd2T4E z31ny@C%ru;xM`S^*}El*+87s7@mC0!q>be(z+7y?Ajy6jZHmbuRWs+hN9axza!whi zCF^!inZ&n`c~mZF^hpm1VBJQEaM?Zzp4=7e_?t+1>~GB!!x zX$=Qp>OHElwNFyiA9$ag{8P3Yo$%rfB_?4uCUpU4iu7*nIZT|SA6}#{I1MVaDcDmU=O?PoSdbtbOca-{ZUpOz@b+x~7G7FE~3=#Lpp!~&O2)tj3 z!Tjgz(07;wrc^K?=ste*A84o7n8!H;_nHmzP?xCuP^iu98eTn;+hKh-O#AwNBWKpY z)uOf{dyNcR%F(hPtYuFode zjK-e;!+liRL&=Hq=gsZrJBLo?$z+LTE_R3{?gyhJra+*!*f)zc?4f)zChy8AwAv~| z8d~-Sx<;p?4?-V0-(M8*r(k@f)^Xek;b)EtnazAu^@E(LEek|vU|`GCSzFmmz6_dB;dAJ)$ zeCit-dz9aK!0PJV>T{Yj&$Ic9If@naJe^$MA8q#HyAEwW5)S#3cWOnB@?8Cgq-^>$ zTDj+^_D(GP*Mt{haHnex%TQ+`(3YDiGa%TWZhPTZsDKkou?#KRQ^xJ%;wQuI4tmHn zYQVRKtUyFSJ}N@| zg$5!~WdW5&v6KBw&dlg4EVHATE7yP>Y*LR5@@(@;oqrlbqqQDQT1!eMtMd82$dDtU zE|NAVf_N;T%6GT#u0~$F?OmpW`T%;9*Qd5au?+UZlFGPh{b$3$n;vFt)%v8!O{%+F zB5Pf#2=hffaXV&z*7Vb3Ms_w6`)FnbN`k;PC}*Cm)W&S1=ux2iwJ!Ygd+EMLy^T{i z$Yb_n>XOId{cA*p^Ze8>QubU10o+9g(;4%=v0ri1*RwWrsVK$&>U$Lr1sm! 
z7-!%lm@n5`D~p0(IZd2J*KVQap~s|V?3rk@9iOqJoNrUPxBSV7%?c$WY+e=X#~Ayf z`9FTBCd6c@x6@(!s^(Bo@tp7A4rhh=;v6; zPh+yI^r?-$=Y;!a`hRUvAu*GQt}slLDM+({$do79&q|sf>*`I9;21o|tHyz>!KSC- z#e;-?N=~-t15}HlBJ_Ajn2ecS!W_$6E3?dQxcm5pfYUrNZn!a0%h7VS>)40p6upNA zrD3Fla@cHmh}@N?S@t!-TSk-oAX_4=5sW)rEvD-(ADB*Gv7yYnM`^gOYCp-q*=w*+ zU)#u82{a}8u5e~Z(JUaMILni{vnJ5j3T&qL;;=OG z_BgOXU*vo$pp}ikYT+F3Ot!eBgFHlMZkHLf7##C1hGayqIXPn|>V1n;v{Ya8czB4* zBF_O?qo5#s5q*A*z$qw>BH(F(F*wKdcy4$5vP*grXDViaIWvaBEMP@e$(aD!=ltlB z^gv3jM3sltIq$?;T(ODfh6)2 zNj>18cXJ;IJ>9(f41)=3`!!?cqq;5)K%wi#fsawt1*P?2hCs8bQ z&4|j9Y8>oUueF}6`kytoUQSZ zG{fqMU_pazUKBIV`C7N#@!*tODxvcjkJPx-te$<{C>M+;&qK zc{+#CwKcQwMDIS+WJ7yse}Xozp2#9nnEBTO?XAteSoeLjVSp_~#pU;SL5N0<4zm=kpU9oQ2!oAtQelXf zje9`M#Q=iDA~+;gl98D?*u;`TEq*U6fZ?&qwQtNwL|%(QAbEk6!jisLTCkNlD^Nf= zwaM<8caOrJbL)k^X2s(lskihm>V=ts7SlaieWJkZIK#sr&(SQ`$soMo86C;h$W-rB z)KXpBsbh7n3GM0de*ogp#g^r>Z_ z&H>@Q+-?$hn*jYM-^?N^w$Kf%mGR{9J>@;+l*=-t`KhjMb-Q8_FnjpWcH9qcs!e^0 zHkva;10gxz0GqVRtz~il@{I&=3i-`_&S{|)9n^3oxOGXjwp>?k-TjBSo)FD%u+AfYE~B+!D+3=N zEzQdvVPX23kj)N>tXL;{I1W}e(*pKCG395w?czQ!mRu5Y9)OPcoFF?i-Hj_e@1j+e z65UE-?>$=WtIvkc5qtoTvU0THJfePteF6!ib4jk`C8@IL0MQbsTlXu{{P&r6FVkCD z$*dmm?sz!c6%p=bp(9UZ{inw$Cs&b{U0DT3$p%3pZHDZqKO9PK{%4YBYy>@^;$YQ| zm}R6h@fY=2PvsIy8>DL@&ON|iAnEA$I1wYtj$e~`I^pG+H6+h?w`waGFmjpu1lBm{ zL@}qpXjSZaA`dFyrfITBzRh2m=y*J8{71FP@_?At(P$#?ptCOTo_M+3`*C&5Gc|kV zy_^M|>{*B#bp|~=PYRNDcH~PDH_x;yWc$_*Hwj>D;eCO-SU-q(8wC}aSK@fO)bL6mi1Ro8}_g|zJCkS^(&h6m*-!H z+yC0eZmK%z`hSuXEWv1hOtoOy71VeQ|0#tkcLv=|opCv4)YL~k*ScVk>=E>kkYaFt zu*l#=Eo71i_==?DP22BP??E~ajJI(t^F%##wcXWvu>Eu3+{ z=2|@F52tjo&2YQPFI@Rs+(olY2%os#(a@+CTkRhp4S0TRH3;RKC*@pO;1&1jZa=5I1Q!Ke#iR-!EmKS-bwjM0HIzKA9jEs-$4$605?&!Jp zo{I-58?jc5#ZF0kPQN6`hrHOgwaPPlidph80Qpn$S^(Sa9WFqo^9F| z!VZrJ*KscQPJF$XI#&OPtcLwsJN#Eam~&2CoX~qUN>RnK)+;qQ+kSU%^@YuG-&|d& zFWEnRqm_L5wh{k=YIIafmg1Y}Wa%Q5uM?sKVhBRAC`e3qp{K&17Pz|Z$%4UFX8j0&gY=9bQ zwF(^juyOoIJ`EdLfG`$knjqNh4CpeA#nq*`EV=C2Ph*6K_}Jkb?<=g~oztMol#U7w z@EuU4D_#K9%?DscD`9JJ^30PCt7A|$7YBdTf 
z3PMy+tO&G8K6|hAuYdjjyQlFPz}aozp`}ZXLH!Qi z*op(Ab}}74m30nKa&=>%C%S)lUhGTmvC3`vXo)vjG4_?(_h|m1ACQiy2XO5Pz(i9o zC4X@B=^vg}_49N)ENK_gv6PKLUicJgS+*BHXuAUyZb4-uJJ?bO-Z-S4zY0#O7!}nb zAD$AdesGHRpW_F09A2r7KwsiTGjB78=iLIuc|>vS&)kkFXySC{@C119k0Ap%Y3O#M zQga(#F%^%k7&iJ~;F%wskE|*Lsr-hh90U311C}gUL0lM%ok;@GZpc(;sqDGmn@z+I zCI=Wd+vF_I$hubJ@IO!#Xi{I{Y_4w@f|o+0z^QrY5Xqrp0Nm z|BPe0aPKl>u{3#aoT|Yp=kUO-KaR`}(X3wU44J;x8CvjGXK2ZU@vd&KUz{(8RUagU zT4JFIDx#P2qv}wIRTY45T=1UgxIFgF@3BAsYiNkt+e1U&msI^QK>U0D{;2co(v;FP z(N|?Ea#ttoM+0;frAzg@ig0!j82eLo!CL&M->1C!N0n3ho8SN24y3U_(n&RxBYu+W z`Snne_ZH$l2m3p?muvhOO8(rJwV>hDIoeI4er-)XX(k%j9Q3rmOC_^Fi~x*%m%!#; zMs{eelh^6?h`uj7)ku!?3jY~C&;KjLy&|Ld#X{rF%1qQGHL(*Xorj)Q z;Dw3&G519J1&-(cHjRTDJR=zF#@%^Hq1_}SeWk{Bz+ha?QHr)$KVVd`Zr{m~&r&!; z!Pmw)yL@Q-wT$Cf)qt&Ec%uj}kA{hL)xthBQjVhn2H%W7t=Q^&r7LPn3_dIMm|4Ix zi!RGmTjZN%?!tN87>i*p&^OYx9K4L zEvH%QB!#2oNM)fs>xO7m3;Q%f1N#A;iZsuX7B-{Pr8oHnj;{Bc1H33x=EWauom+je z{VK=_$XUP^>F-`)HU8`a|N1+_i7CvRGzK0u-GbicC~SCWB!Dn|jDc2Vn|n8JbhcYF zscN3kz9G_*BM#!!_nXIa!E~d$k5fCI&&sp8t5_7HCA!0kEfnPyIQpF> zIM8+yw6yfJj*kkGOk_PYtd(%(KL~R5>5jsb$R^stA<9%L+FPpFShB=uI~&tq*<$qU z%g3gA{r~txUOsV%2_YBdZ&k|AcdiBOD10LlXl=K`h4FA}KGI+1Iw-xPE z8Al}y2~N5$0NtJ*-(H(M#;kH5%gq=e!|0L)wMT%|`;m;h`*1o~N(xVr*H#Z!0#g{?3|kYf9$iXvK0Vv(YVd~9j8l{uBrZVOeprV)_lbT51CuH1f66jG~QRyllAJJ+p4Qq_OYo!-QqCu1_MT^&4evcnX zH&wEHO+z^26lhE0@@H1#$-&|~nSQsPah~3_ZtpMOYh2yaezT78+}|Pp{ETZBb;Kt_*ALoi4Z16i zg$B`9)<~r+TES_kWR7K&I654+T1Yod6Rpi`3Yfl7VVBTVgdP@|V;Ww?X4vx>1mXJh zHyx+xT3H(ap`s1zQ|Wqz<_OF4t)_`ahn~ObZcz|@v+Lt<$C}3NmN}0fA@x2)Ams#( zHdSb9ZNn;9k5Z|yHUMfp)wq{Yg^jhjfz?RBDUDmx8ptk&xv007X2~u*XWuRUzC_{O za?W9k$Sg`PXSDno%}1hPJxa@UU%sDe&JJY+=LyDA{lq;H`~kWn@D%gDA0mpr++S5L zKh)exTHJ%|0x+gs#+t{KwXeWW>p(tI9Bw&_q<1nt5$%f`Q`9<;oKEZ0m*I=iArI)G zYK3cZF$_lbP;{uwCYEC1)>47KkSV_E!KR6~w}vCblvGXSY81$`F|4_P51Y{`R8}D? 
z4gV0)ppsjrF@@E(cSRR6Q@SoxW3z4NEi*_o_iuP3JC)!b&fh!QfPqf?g@p_Eo>wxqkMCW`1|fPamQ|# z1{G>{p#8OZE3-mdR@cmoZmcYSO5&(+!b?KVBT(UK><{qPfu*C;EsfO^5f>9_nSTL* zj)P*uVQxg9Lx*`G5^{$(Eye0{cho`e-`=cF@xJ({~IFctMu=;Qg%tg7>CPhi^Va>n@tWjH@y^FfTup!h!iDcsxk z*uoX~(VgfRg%g`vhE8}Pb;yrw)Q4q;9JeZtJGYG^7w#W0!fh{Qn;CBiST6TEtJ7`X z-+t#cw*Zs~7#BQQ`27l^C=Ey#jM?BC?oP07qD(Bj>4b!$&AOFK#wTb>V%A<}-5=10 ziEzf?yojxsGOv4emhvWH<l_(#KA3sP^;aLcdmXBMx<%>9(L_PWZG&(9?|Z*N?6(98FLU{uM|80WC8 zz(F6jbt%Ww#pVGzsuwitj1cKsx4T(#*UY5t&tZ3{(#1>0a-{l9IZK)LG*%?x7b?sq z6a?QOcU(APH7_%xe@UQyje^t5?E}BF^l%trZXZ7xT&`p6)=d5T8Rmb2iT>XuAEuRL zhR^JfRI@xXnLPo>A%VPT!JzBM1HLvolwM;*xd?}#7v*<>O^{?UU+seFJZp`2^cYpa z-o#%c=)3%3pl3PaQT4V;f?+e1WQcm}_?bL0dmhQOn1%BEGcI?0ipmA4ox^RF1y@B~ ziw%eG`#=xmVJYT6;Alj4C#6{~$a@4`lR8;8PRmhKrP1EDA827uAZWQSE5+6qN)vq~ zc2Wi<&8cuy)S>-8BtF)zOiNiBVtK_dmCEe#b2W(A7Fj%?Fvpl_7{mM;gNUv6OV}lB zHOD@yGC8oYw=Xurt{<<|;)a{mV2S{Q$JPfN5x&@>aAmo-?*t=T@1@VFLt_P(X_pXM zD!w(Lmp;QA3cv&qa!LcF>RWPcS=%fW76BItfL$>zwB#uPt4RC&LvJ((e4MVd!RFpM z*m*~M%QATw45Zqb0TmK#a@o~NV+Xl;@$uy^^p8{Yi$j|c9#1~pWRgvx`NkIQyH)cL zI1q=km)@8eITmZ!y-6G+W2IRxx5+4{^qEz7<82_j$&Gm^)>kPT)}AM?73Q8dJz-4l zK|MoT)Wf^>1WCd;ayhnsAj)VFb1moAExBc7RA&|)bt~0S&a06>gE36voLiJrecE_m z|L%1L8MdKku(VbfyqhtiEuAN)*lpVQMo{D5;Oe#ct1E%-BgAL1+Z3t#z>+K5vp$L0 zZOarR$sYD4D#e8b?hroLr&V&mLyoMK`^;kF91c~?Ug*#0v<{h#p} zzy3)7W*OjZ?w0Skq&0KWoH}P(AogQ&81s%W7?*|Z54alC%!iE6tCRO5Ely2{zMS&hC)5V9 zRHV!B5>~gy(Pi2nj@F;~+bCN)T5e8diO-A1#9f!VLhv{kU|7L+eWkYX_@l3737d(rPR!^`ALW(0I2160{3Q=ePn)|=7p=)YV(~c2AmUL(Tp^G2xs?x8cPY-v?_mIc#tQM5 zZjA+3uKahIHL@~H6@P2br^vN^$;t)ccP#{nCt0?Ps}k1ff;N=7U;Dhaw0>jO_)$mW zgzBBQgaqw+PBtqK+k4eeG1w^TfhpH*v!yhdbH~`H&L=bLxEag-MMpm^n%62rLbGE+ zs%tfSxEn-z=XN$18{3O~5|Kqjd#|nf`%;@)^)yRj{*f%o>7i#kO^uVAn4}8t-SYKlQkWiz6=-ET{sp=p zx)MA*?EUw%YMCCM(FnhP0`z369J0@sZVyhg#Mub<`@7_ZMh-i$eDxbB!L0*GTMRb> zt$CgXb`+iJFI~?pvw}-=A8FTEzUd^91a>;3h+JIz0s(PES(F5G+)!xi|G4H ze7u$|G2XpR>YY%#-DwqeyTz}czplIO=7J)t2IV)Lz3iD7SMM`Xt3~?>&h1>|qUNyz 
z#Yf&ZR*ue()V#*xP=T)9Nae#NyVhNPVaW|4=mxeV;wLveo0Hcc6b@N`PX+tunsoalYO{th#2@tkokB84*QGV(#5o*(8BtW2y;-V7dER$3aeQERzxX zEiIhJaKc2b;i}5Yfbloe9>WO#=^Ibt{w6X1%f=w<-hc za-~JUHbZ4y5v22`k{B1dEtFPQT&N}2YT6zVHeP9dcF1;2m94jFS;6wN#q34~Mm2U_ z*A%l(!TB6uh|Wv&b}t{X*5qeX!dDugT@84p3vprY{^&YMxLvQxU-#*sjW}>O(56Ui zLPhSZB2n7P(xldkjB~r2@5FlS^~MbspWzjs(`WlBzq8WzB;T&iiTF0`5x zifVRdxn4?k_dibSr$^OK#ORX?@kMxnMl4Y3=o?CNH8HL|I&rW8w@sMbRyh>^4cj=q z+v#k;S$yvdD>7&du@wJ_~ z>bGMG9`}av!%Ow(FJEUV-6||RYBi>lJ+q&>VeC-yfwraSH5V5`v=#UqjN!^Abb+`kO3`>rl63|+M5fcu7REi>|!-kxV122FLWk0&r8o(r2Ev* zvEZI>dxM2xBwl`+HSqikZ2imb&k#pCrK#cYTIEeEGik)i>?*^GbV;dMVVdwlkk<`q z#O~U{f!GE{-*}P?nm3{7Zjq>YSM)%&6D;G~Tg3Fosqx z={u8FJYdlHO05eZjyQ&sBk$SHmw_=Jvj#MaBlg6Qzdx@FoIK@5fG{`47*`_Tb5ZEUVKRx*dw0Xd>Txfcucc81W@N~QWB+k6l*2b zr&o`c=g$~qKFP|+;>{Ew7qL_;nt`$%`Uoql+bpfcvbeO+X;Gv(%Lw`Kkll~1RRz1- z-)z3Wm7lzM{iDdA1^WW>b6|ZsRyn;}`_zdFyEWFAe<#0r^ZtLw&yRkg(`WQr{^}(I zQc*#6B6G468G4e2TP1pN5=L* z=DqzY(@m`+`Sm3*;WK>qg;>H#X1@8(cTTc1(mvOrA@RE!4!@B!+)hk8>bdWyu%W_t zE?Yr2l@Aqo5X!8@0R56(cf?O!Hj!y;3`BALmVy?preATE^LD z1G>5E_z7Kr5B@B3xhFUp3Z#Ss2yED|)OHfz`)i}!3QZa8+XDrveh%munnHW`uc@P_ ze1yFBhQHqaW+4CLL#N@grj2%hLpZd>m%tJ=0Z3 zg!v=Tr96yUuR_?dN6dGAzkKzm;Q)YM?dJ-Ws`=0}|GmE!jQi`Ysv-OL4bw$mt@CYJ z3Q>_=ML$}20udC!=Gieqg{v%5{Nz@_rbZ@#G)Sy2DBwha`N1#Md)#o05>_+&QEJqJo~Uq#{5ou04+u~nPv%)<9FlhJi-WEXaxwr5{ZGP@3=D%9AHJlMQdVjCsD!Om6x);d?@n zc@}XXivnLz&o;iAKJpGn*s_hjBlXUio?d!UQ$#Dt1j-6cI0;gp%sOYWxWWBv&kd22 zR_e$O)_ui%xwfyL0s+jhN%o_Vr#YlO!t;vH-LV;KqBqL@#6JCwb^5X+5>}7po?59Z z7n>}Vc)*fdv&n-(7>-n=XJ%n9U#Tg>vkO8jFRI_Rxm?5R(tKLQJCGY%RbUp}!*TB~ zcjMLMTHJ`Gn%ibYY`T+K78{CW5E#Bc1YU*n@{^dyVtnOrzvq1M4vWog*0xteN^-sg zVE^dVpI9%~0TR|zsSWxr?ZzxyFXwz!`wKiSdtehdeEdF$_xJw$sr6A;!Y^EQ6;^NO zG)=v+o$=E~=85Kgo-mbwiki(;_6oi0kH<4H!aS7|g7SvF^>5O4|3q;{6P_2nNk8f- zCoG^L{6}~R#3Z%8qt!@w1=SYJDdd|j-+<7YIhMl%48e2DZvxMM7?5pw`-papdn@V; zz5!DEcnpX;bf{T+pwKbtAHSZT-#Q$xe@DILU{jhu^OIpM{O@1xo>@fH1%6hEA z5L>hx)E8er!9~tXer#7&;T_hW++J(t=vN0iG8JZ91FSDb1m1&y@e=+3WE~sQZ$))A 
z5<_&(=w~YVS%$+|Y-0NNn(rL35gK?tcmYf6EA5>(il_Pj;*Xze_pkcfHfp;8ehG1n zUfGUc5Qwa=yau)Z#Ps^pQ*+f^+l@sw8%?QRNj%}WiX_fYpmYY({C&l^n5r!omd&O# z$XJCN?d+|0_uxPT$r#j^6cEX(5+M%k#-WL&E2ddJfMBhR2fWRXODqq!}>7dOd~nhRN6Ie{^hZ~d#!hePgC+PDttIQKu!*#YLtI-aN}s^EkrR0 z1wxLfRICo1g$u9LB$x$z4d_XXgz~cu3dp}M{;#+ElSZt}<=y+DD*yaf^z*#gTz})| z$a~5Jr1jmrI?n;tTeRq@Vl5zwvCx(Ps?w)^RFxj_Q%N4TK^iDVCQ@AsYO$AJ7>GvZ zN?q`hZ_&i{;D5*K@t*VXuF{^N?F1RW!qu%GqMC^2UhO9g7!x3>x=OAkG&CgnC`elZ~&bJ_8VXG%PJ#h40IByWWvC zF*mf1_9pwDZNFRYtvGwm6?a>~>d$+ncCMUYYRnQBoTuK=4onK`671|Z6z+$P;`414 zTLM;y-QwLFXWDLRl=o^|W@~M7A?12p9?)lEQncRT`_eVmvtft&)mHysEX8X7?kqZF zexd<@pei8rKlKk)XqqZ4b+!?-3A2sH=_3;xrezUr(dd&Xy<`BOhu?l#%z?!pJ zP>X*Y^95;=hpT~T6hljxQdT)N>3#_bS*cVtkvH^zc#zy~b{GbD~Jw z!^t^llZbf2B;DAgeZ8{&f*+}^$1hOS!)%p{u>Pcova8C!DL!XY%k%xcSr2)q^`^3j zLi^a19M(5W+S4QGdalI@Na=1~8?gKghwmZnaXTB}={Lznr`@>Hd4o+yBAi8|leENH zo4nA@uou~SXzit?^lypU$oG(*EV=~>BFs9C_J?}&Mc3o_&m11dEMVp9jjN!W?lr3> zQ^FhC`^A(2UMsUT{620PR_m%E^6NbY%+EFE`6OJYD_&R`8ZNO|UR&37L9%gWn_xA% z$ej5U8@rSiR&~@`h{wi4@-<$Ezn6Jxh;rIhokgrPJDa?|cx#F8-9D_QmByN*AAeDP z52>Ps#rJhTL-#@=#9uFsl)FjYnsak*ICVK%T}jM2S&5zTeMtljC0SFn+b}0Qr;jY1 z@0XXXEf?W&MM@Ls{W3^S~%&-C|7##!BB~+@cjoJk@5q$NN zs2ftJnHRH|EM2#R^0Ab%WuQDTX>ym=r2P?6VEULo1yS4YKI(BG3pWIsJ|gQ`&32DE z|MJRB>00iC+W2n>pWdwDL@Fw=i{Erm@tm-`lksh{4w9-UN3Nq|96uYgx;@T+5RpTT`pef<>R`%}%Q>(VkJIegbEZShs?v*)mS60FtazDQ`uneqGg6EBI~p}H&hb)#nyPNraGu<$Db+LzBwj9t0z{tc$KvLiek&XD)Poq zlDc$(Jm12vh6P;O^+Clo94MUV3l}$8C5j}Ewd}PI#5F7RCRkMp1ir?UjW*+#f1xRb zc_?ih7NENjrXEhJpCIk8D-cS!8I9(zHFQM-&SAeaYol=Nx2^e_%UBAxLU9Y6Zvm0DgVod!20f7r{@ z6&JKBvs5#m-Qouwd@V%f-vn)i2rCVy;r4zsalj}=x)qA1Ty$C|)F(NaV9R%3hdsJ; zlBd7#vzR-P+JP-d{Ux3h;1Y_`?II9&yGsa=Z;Un+x}CK$arb}BI)j-|4|NlT!3up| zT}fxHPq?!St=~Ggo5X7+jbhb9(IzEe3-o_a@nmUQ=^MD}h{iCR$*1)u1m!t64BLn8 zrqB-3nJ+B|YV-?7&{*}M&<9QIdjKMJQp3!ix@K~%6aUn`X2A?kho}R=aZ-QzrU1D) zB(rKU~JFH&8+U!IakOfS=$!4KtbJU-m*#=`0k5eEw8 zKeTXmbD3F&J?(tvbY53US7cRI`^hD`{Niw{^>PEU*N*}g~G(-M1)uu2ixObNLh~BJF24;#i0(jyM-G-;soQ}pRR*04|lVA?`8@Q 
ztAByaRJ_jv>TLWt1Rk2aVSK4y${#X)n@;avGQK_h zQR5c|mA$(&WJp^O2RqCD{3^S4hJ0~(`u#-rj0x6Nc_dH{tD1FesiBY((H>uXxsJ+w ztetNzt`gt&7-rTrh-r+yY=HPgzHOEMdHH@8u93cO>X9@3Sobf983S$-^9mKEcGb;> zx!4s#>B6sx`q`&pgI@>`#}-c&OZCC81?Io!>ics8+nc27ANqME{CdKkxCE{2pEx_@ zQ&|9_swJEA>b%x?vqB6K*5uIUllu z4qg?6fj->mD98ZjPe^hkF)bsjf0o}J5M5O92o3|tJ@`DkD#Y?~z~T~6g(~(Ut1GWI zKH}NRmtTJ-Wb~6FqBD-Z3I-`)e@ZqT6q?7!Dd-D25{5|o=A0GP~yvq$=}+!a1@Ip zzX7F905v1NMnyho-ZCl|JIa%pL+w|~8L8Wj0w5oZjm8gH3qdu1CR86JtY*5ef}_;)@4Cq4By@+-A3lStUdi6DJ8 zbInwkyYGD=@x#;c1{`Vt!%L^2AULLd5LJ##MWl1sAlY?riUVxo?|s(?XQIr2(1I&P zn_&KY2HjsCk6}|^kPm=$2uE=&|Bo)7D6WFDMF6clMg+mHzpnkS`~LslocFcKhXy6v zW@BydRU6A0TsKPQ(}>>5Rt-<5e4Rwvq(0*2j5}ivZ9M6|bkKUeIYsdKV`{+TFFY6L z?^;y9diJQcPuHJYGySpAow{@3HujBYJfGW#%xABV3jbiu|Dz@De*)UP`+DDMRqb0v zKQ%M|d_Tu#eSWE*W~6Zl7Di+7~btJLi3qdL2n$HB(fScn#XR91Ux{aBIs3 z8~iP`Md=MzV_R(!%4!fl-MsjEXrE7w>tbH*n*2<|smK6*xQG^3WTQeiuS?Ix#hqeZ zx$hw!_O5({#C!_`3Ku^n;fvw;p!PL1eI{vj81D(qswUNn2wgO;UTo^s_WVODUnXZy za*B`qPj__D=bf{{1{ffYD)_(xfG%v9;6|$F>HCokA|Qo)`=y^ts+pqqL8mjCCSH z&Xb|Lei(5&X;@AIn+#$uJy3e@27Mt`gmI4-P%>$aZncx6bqLwJy-X!cXK{-9SIQd% zr(|c^QXmrh%`^8tRqMdVF#Gsk<}0;D?aFK*oND(XO&6`^S7hTTqP%To6ce)s2OFu^ zO_$pGIwW%L{rJe#((YEOoBo4ci+=D;+_Wj;<$cB`uYTmJ;%m{Wkp9r61#Pke7Cs$$ zHT{p5?DaQm?Txpulf`%(mT#5beAL-|x7_UeeN5$^O-?_AvSb=pq2u$e$WS5eKqW89 z*fR1~`eb1)?C_(fD=!Rw!IAS z5(qUY=&+hK`qtbv!aK?F826zyZR`# z=C)(ge4sp+2Q-O=zTN@NT`Mgc3hsG+Yn@XzA!e0~H3v-^K>Wz&QXBDM>9UW8o>3{Umgxn6Q2D_Yl1x+r>Bv)#;t&(OF*HzaC_McPh-dld+tTgP zuEt-C`VBPC8JtV$K8Sq4^p)Do*bj!9<_!wCG??@6eO=t2_&Pf*`4=B-SSf$@v09>6wEcdU= z`^WBH&iIx-w&7`HUy<=j5#O*JWhuEKQdnK)#Zg|V?Wn^k z$7##z1xAl{e!gwl&Kn7to6IwBBD;l!%rAnFC(@A6!y%X4^G0udY@MugqTFjuiA-Ws z*5@0|ocFw{rHeEaJ)5*BHtSZ@qnGOr%nl#Rmv?l6b!VU@RR4=aYvY;%&`|Ay2-?Bx zU0LKjmrZ?DFKZO{j2j3!p-k5dA@R{Lh-mE=JC!s`uOvB>lAIJPGD_0P8qNi*TCHhm z4_~@CLeW*#ebq=&wlPkib6Fo%Wrh&c*;M@=q%LY+YAomxt!%GV-Y)9JN?1I|`WY7T zpceB7=rPxkVA|$jdrO#;lG==Fy?8M%XeXcB>p`&g9FQFtxXxWPmJc#)D#s0t`?y+% zM+_aQNbXMG!V#GV8C0Yr!Hl)h;!6RA%xhA{vUW5VR_^Q|3EI^ZgwX&7RVn*LFEOxR 
z?Beu9w8|i?PAORpODFjNql|Z}Fpqa~7++A_JFlu`odRhVOzh6WDZX-Tv9uJ#M{rl8 z5nN^~^sT#GUC24Cqx#7f@?_ zUYn^5qA9P4(bUGkM5S9qD{}Fb8r`7+5jqsn%{}CsR_?qk-NnlrsOg-x$i;R-d6Di* z`LRl}vC>1lN1P1TG%>9SfOXsk;gCQvfR)O9jx6RVefmo~#5))c zk9V5g>Hq3hQ7h5#f*?(Du)=rvARn!Xu$7XVbIhBK3(h8ZMNz&X>`j*P?9%R3&MMc( ziZhfAiCiCuypH28=|L2mYs4ypxkd^C<;G(|$yThmT&2`0S{uY}=(2DK&bG6Pk1wT~P%r*HZyghPKgkcz`c;F605Exh~j1*I)#(d^+F=q-zF{2q= zg+y!b4BMuhNupwbi+IH2qnJ;9E|ouxp&7`;XkrTMaTe|o`8esFawos--kK(7kn$%KJ2eWpLEE`SyxhOZs@Yr3N{Ja;NqcmbW9O#)TKZv5o*27G~a zbD%yk(7Q)JjhGQC;KoojpAJ|BhE?KgDPnD*`9lgkR$3W3Cc0nJ2K|J+*l|fDNqo*^ z0#U*o)rlnoXr6MOl{T`a)=1#RsWEM09>vT&9qrR5Mvksl%yyiYe9gmkwrJt-hR6h$ z4XjR*r9fa{ZPk8(WdMUYk@3)Vq|m!PpFNeD_{e_PJ2d#_w$3c#DFunYa4@bPDW;lB z;_=shNN+o=kky*P#o}*7!9C?I z<9i(*`X~8s6<_fbYmt^-8eQ)<2@x#af60I;HM*lreWmu&8LX{X%2-z;u;DW-c2z-n zPp(EPbKq0gDVKLng%QR9Aa<8Lyeq7eJO$a$JHwl?i3jJKIEryx)MrOc{zKsFZ7G6a^E zq1+4|7=Z1G2|>k_z$io}%Y;n;Sa2c3n?;MO%+NY^i|aW)PRr|1w>Bfummh3Bbl2Bd zqo9ww(MQe{I|LP5>qB^bu<|aa2?F5hbEL;^P%mXWwRdY5M2^42?CQ_Ic$%Kf;AdL>oL=oa(5v8!k%nt-VDM_R&waVjF?Q)Cp0Ze@f zs-IQAg40>#eC8+8JG}hx zl`S~+PLHddTA%J!AGW+{5Oz&xDUBlGDfbQ63yF#;nk}3>!T7>B560}Y z>YV@HrK#$Vzj;qL{ttgOc@2Ff!0nshp}6H8jGdf7A6Q88GJHl}_2KJGO^8@_aJqX? zGjx?y2lUw(b5-U*oZ+vy#?l$`wbVSZhiJ4ou_?#ia)EqfM!@*^=ncpFmY>E;qL*$6 zCn}~Ui&lxBNiT^aoJ#~l0xee(aGj)X*1K#*3suy*~0xux@klo3Hdfm1`W9D|NMhp9q~KU zB48$2xDooQC(~C{WN&CR9vC{e+a_pD4lVuc3}b=u=05$0270Sxpw^K_r^&xo*h#NY zQs(8fuzTk#tmA4svO<*>RYK?3*UP(-&>5*N0wsa8P$yh>FDPB$@skC3oIq`pby|4J1WxeyKHD|?6hj_h`1IF zIoVD6%e3b%sF2$k+2 zj0`2%w&;+j70pZJ+p_9Nw7p)a-j%dIMvG540;5rkm>><+=ieL9_paPsJq^vv%QbeP zrfsTPVydydJEHr-#%-QUYg5kb_H#>EsXly8NYEo+#7jWUdaJFecvyO4C!aLQ3vycK zR@UROqx|FU#KqM%fU_j)uySho6Ot*mU3M^zX84;IyK#)*G5aiLAZ_QLWou9qw?=HM zGF`fMz`_8X!|0tn895RLbxhsEzQ4Vo+3)y&Wi`C`dNF%#bnrhR8dQsw;rkEj0V^mq z((ZMoIV7c8{4K1|r$rLwH(9T>9=5*i6n~cz_ea0~+bMJRai`G!O#}#gb{bKX+8Kq? 
z*Dcx~2BQ_bkOo6cOQx3zLEjTTAfsdtsJy!mnbzU4y<9m&9komNlixDzj37dICmj6- zw)vm*SJ*m1P`$Ua!Jyfo>>A_JAb?~M!QZ3xrpnLP9S6O4uZlng=#Wb#KFv(7@!J^d_Y3w*e(`wGu+$L$D5Z?=pP{=WbT{9YlOi=8G zmIcqKeE<91{@;j2HP^IUoyV#xzS^PW2~l18Za!oU!V8|c-X~)s4C~x@Zu_vkIV`S3 zvpqs`5F#kzm2uXl?wR1Fvw@y#J`l)!K5E(GQ0EF#a7~EH zx@*5PbuqCTNyA337Ph#nsBv=HbQ2|RpExnW~XG+ zLJQZEExJawSy>S_RmKOd$#gaR!q*wdmZC|?fKTA<$om-2YR!*jkZQpN7k->F0{d*C{670eD~!#C%^7whFVjP25lPIJ00+vzs5ynDUTfCtVCw^-@(?3c7^r}Lq&;31p6eIs zR%_5t=bAp1nV0s+)aXA;3k~Dmw`MGQE2c4s&&SJ_7@_hpFVK#S)lWo-ykI<*TR1=* zM2>O#4O__akD$77?WwFEkqV=g5bKKLR&Iui`{|KL_%pVRzg_~(!kx6w)!|5w#jR?o zyYyvsUO1_(@!5_u;?re0X@CC0)5SaJ?VF3<^1!a!r1fghtlT1B(xW@y3VU>aHVdj{ z{}a{L4COUWYqJ7Yrri@E(*x_rsV;;rDOwc+mR?41{q3rz|_%51XJJ0_bRfK$s*71h7Fw1kp$o*dr z;N&ME+WT~BcfBce8&XD62b$2M1Uw%%l6rfX6fAUE=|zi`-X4#;LmQ9@a_}2iVCe1; zTuNTgm=_RN-D}*0Xe!i&?4yd6O_b>_+oV zju@P zKu@j8BwL@-qLb{GR}|+}DcqJBykyEnEoi&xWUma|M1<;D>-1rY)TMpmTXv@q|@i=&%aO)RHRZt@_2!QljH z2yTk!Qa=k`-4Je)%Ss7B&Ytr{8Dc8cKb}jwderi4b9^uCtK-`Fg-n9CGDyspZdmAh zmXxZ@EQbE2Y%YtzWfk)v;xB)ClQWv*9*BR0j2~itBrVU=(pw;OP4$lopBob^p0J9T zySg8&-sJ{NCAsMKy6&Qm%eXiN+`G}E(xitWm|a)TFhC zT3ew*XWEKfz5ci_z%@&x7l+2yc4lfxB0BFJ08uD{U~Wz>Y@?~j@r2SfYHvyPxk1vP z_lp&FTut@sKPpf_Kaa; z5sTZOyh~+;Zkac8-8J_vM*U5t_TSria(r7Xp|^~fQGUQwU|7Dtp*7qS)s*+!!ygRXMUEK;FKM{eDoH(IpNj>HFf{i zpY*7=S}@9jg1VyQ&u&qRc7DDk)y~1EZH5!aXan!qkm)zqg}8iN8YJ*tQM$Yua~fG> zHo2$a9M8AlaJuhc66u#NqB0AD{-*DyT5QV-3+cENS$|PE;bP$I&uFLSY!9%bdoHbi z=0^O1U$6BC!(RHqNs*UA(LD9^&#u7$w0~gNdyVtq$h&_yKiJW~Z`b?RY?u}JUojhg z>E0}geXOSkY7(CY#&!CqM4CrT&0Z=NHX5)~=Q7nMJPw@_FbHPMS7#cTdT+?s|5ba@ zT!U+UDVK(C1iMIlNVC5 z%Gri8WDv8Ce~gd=u5$(v(yk&xLC6sI9PjqTIAKsT7R|Rb%?HEH_Txh~>|66vFF)@m zQhWjHFtpZKrm?;aZH^%v);a^uk}g!6{3vfph^~HF*?>(9ub0(FA;ld1qSmMZ@u0le z>?EBmI$rpoc5!#ia*^4E+`!&D(aqfn*mGzm$io5(v3m4A+aODNxJ3uo%S?B-$j1wr zS;U)^+px3WmMFQ1oFy(h`gsD|PI_2AOPbkY4(W=PSLycpZ9oJzjNjH}z4Nda!B6{< z3#oObcuUOy)}O|4M{5!b@V7yoOuv+{^Lo*4--9EZS1zK+E%OhA74;(`Spbj`SLmT@ z0vrlRFE$t8N2jBwvaVkn4y&AiR!oi(H|%dyNmK0VEAXkH&hz&=jprYkMwciYJ%^ 
zFim_&pO?3ihFCpYv?Y(&no{y3p_hOBDaFd`9g+yyByxRcd0kySBAMJk;4C`2Y}n{> zH8z#XdW31ERxcreKc#KS5J}q4xmO;anU)Rru7QwwV+kpU@mYyaj?qSrkbP$1e%~Su zON*D@CRBcfF4nR_ZiUL-R?KXeT1Jg+;(bFjHO-ufq!y-{r^SX#hm*U$-R4x}i$tcH=g@1`Y&UG=r3ubqda4>8PO%txS<}HB z3p2|VsWTV)HrNp?1C+_}9Y;XBY58;3eHww=#Kg8&JIU8!C1l}QsVf!D%r-UfFAUwE zVQitan#VbvG2slt^&RywtK$|epp3L=HT&5Q;1#6axup8Bi&2Yt?@IYfPkWArK^0P# zw4=ml9UWB<_EGLCRPN65#6iN(m&<2`A#HI^%FDU4q=tOr88Eomy-w7gCwBp;WSp@2 z1>1yfqb?3?t4u615C&%Oz`Ghv0=Ax;9Wj06;919pLD8oU(&)9kVaVQvqwXJSdvs^HJ|QNs#tYhnr9<&2wq~VQ7vD# za44Mwoty%JM z6dAu?B8zch9DIExd~urc%HRz;UIcA&wp9xC8`Q%EW4)ANOMs4IUYX7170w}Of4S1& zTWfViIurxesEF_W)ulkk7qyYjdu&aG{0 z6|F_IZY?Nj3z!N@>J_D8!f0)cfHXx}6p?&ZYuIc=pt6q@6_7#{#8kZ!71_avfK&vc zvNfVab_qftfNVh$0wE!j@jKW}t-W8j``zok{bPRl&4kRn^YSj|Jm)#*F)wf*RIA?r z&uzccgGsK^?ubFMo_L$NL+viLX;M;)QA=hsS+JxUD-EQaB_xS*8Bs|46d5`&4cOQQ z;^gpjCABOr`E>ihg5|!vZ)zVF*AuEv(EHy~6R}*4&|&Z^-kjiBXE8lx8Y9y`gDP8b zIzYo-$o4^H)3pQTWk=We&5x0~_jXlys$tI^XAO)#*vZ54M%#Qn5n(pzQ$3ES% zbSuJ`@fI{QJC?#JM3QS^;VWs6^bO-hj#nncp$g{3dzQmBh`}Sr3y7YVxKS)MBi> zRo7)2j)1n*9Aby-dtMF~?f}R+2p#8^MI{a_1#VdpZ=73JRyX^TR{%d};UNGf11N%< zvT~sTmI`RZI0b6nxUh!icee}#OMd^OH@XS60et8@vv~1C(+l}uKI|UabbF|c25!Mf zRr+4MI`>CXl?@Qwz?h8PDrj|dNpju+N z1PFdDgE%YpYG9uwtUr8r8B=q35FHMVulz~7>espskN@sR2mW6s2l;dvnxC{PGGkvI zf&6;()k1SIYbrmDggIK8Mz_9CHd1gUf~5$Lr}?Z=vnOn4eCO;>v~t|4i3coaiTsZR zzj;pNc`7`TZdH)OyBri1vS39(O!U%5pwE&d_^UffwN(cbP4-Fo|-}R5XKFW5oFppS%$2epyZkbRuGSCT*Aj%MB z=+eOep4%fVWh+A8l}*YTDZe9Mn<|(e>qT2)3Es|76%w1P*zb$x?h4zU)R&;g%d6cz zyox)+?Wl)Sf!Ct03g)W9V;E?}@pTO({i9)_XvOqb>TSzY-oN>>U?sDIfok{o5c|h~Y>YZDVSIWXQHC9GD`&-HN!JiOq zqP}j+`{tx+YgN@NxjCYoN>S&UuJYIbbhv6i16W|~h6JiwQHH~Vg zk2#J|6gf;V^j4ULj!ma2C)vtKCHnfxB}|#gC$+&#&$ZAJmEkrAZY{8`9GKa3K@q#Y zHyd`)`LTt>kCc3|Xu8KdrxW_dvPsbmXCoKX-R)aeVN@=-S~QA{Q0-;K`P{87)PPJ6 zwq4)!xE8}k8d11lRwXq~jl1}Q-rqrGSUc%8Ps_KI(e3fl(eU9_1Z~aXhqrK{R*YCA zNSM;ys>b~x9|%JHSWa@Vzmy$jR-{v*YgClLo{!IJ(wxzpJ_}D^sFh$ATSJLLM;V_W z;{!``g%>yBVj&}wexGjZo!&Q#pH5^44*Cv-WFyTuDB)NaWn#`UrwEKRIWo;Z&ZW3o 
zq6nBf&-}6#lfWLew5FWZkMBSajlIUxzR&>RMuoJp6#Y!TIJfT1LxV?ze{%DKn zcC0nWUbX-)VtTMgN7>cA(tx>XW`o40T6Lu6+n$L+CZ?CH^ywfS^jfZSc=V|MF7tqD z$%7D&j?$?)8Z?2`C76%)uUM0VJ3FnmB)AtSGMHknM5G1qO8#9xJmMcR3{z}@u^&ScX37z__tQ=iTbJaKde%2SuJGz_-u zyiCkNhD3}+j+g-PsGr>kDtYdd+l^eqSa2N3umlPag>f`D%5STVM3mF#e2{PtsOnw? z{y40dB9{6%45m0~cQ|=g$C4e?di3%z#Tk_h?Cw_UhgqIXY7LlMypv#n58jTUjU>=D z%hD6Hd3S@idP|E}30_emxaq`}%^ri(&vapt$WfM-KplxR#}pD>p)W+UJ!gvgT#2$t zBg1UGkgF>h9Ch$3Du8rQqn;H983rcH{6Zn5^;6-^#k~ujdRj zQWJySW#Qpwh@{25%+)ZvcAtu~>q;FXh63+nRa}Sf+~YNb6^-Z5R;pGwaxqiR8|Y1QeZT^yIz=Mc1GV4UAOmmW0$r~m zg_j7w$a2#vs`P9h(8c>dgc~lqDHk>=U)FhDRqMiJl7E0vRk4Z>-|ZK@u_1&o8t7BvE8{a@(Xgbcx<`8y z`-4bPX1fWlGDaAeyt3T{c|+uRBHym{-j?2Z!d>Ily2q4Ay(AVFh# zw2ksXg<5N~{Ncq}x9faS3JLh6A~nY&Y}Dt`gk}U50cE0?6cNnKv`Y1~Xw6QiTWKAY zyKbYDo<^?9f!S_PJjqhO$AOy93v|9B3^`yl2-E~|AyDHp{GtSE2B$g~HFEMRah+m(o0sOx zAGPJKq+rW*4+R=m{3t5dqn-$M$MOTuRfilG zad={Z{Yf42AN|BNO3G@Rhb^IL-$_M1L&Eu2JyDXR`13ufO;sbfVrfkMjgSM(_8}mz zc-L5uO;b>zvKli4wy8zPu)Tx4a1)CgcHQD$z}{QEuKdBiQ^+nU;n3eMz9atTv#WPV z?jPM`vQOF78!`Of=arT~h5#T5Y2cJDf{F~6S;`&g7=(m|IN+R_u#`UAWdw26g$7*z znoK`&G2)*zoLwJ4*!efAk|0jcQv*LH;#gb0W-6Q>azIquwXmf;%?4Bj7Qw)Av_ub5svs(G z9D-X-@H!>SurI*Vwt!k=;>RrHpIsPldd=ger=q3nrCafXaCS4DgIx;4-w@%+2nKCb zK((o8kSE&lXu>TNQs>eD2R(_eLIn$afQ~Ff$N9<6oY%Q7$KBC3E?$R-4gHruC0Td0 z-QmyZZbBbP_t6A1p41880)p&yGAtJ7;4~c?y7;YUI{2xfW9*LZ;>Kj7l|MGSzj(rp zi%tHXo36;_DcFkmix*^<>C4QrN$i=^-3xQl)%!$%yB9T&_T1U58W2{+pQ!bUIvdAa<- zAMBuK|54NC(PdpPquCG8juF?)ZD>UvR|BKJsWV0CV}myVu6`Ohrr_6Tk7H{=4aa-s zw4)A0{`9>`b4D2DoR~nT>m=bs2c;iVI(jpZTO!gHXyPp6SFp7dhtsmjS51qXa|Ch_ zVB{}w(40iJ4`?Y4NQ=I@qf>Q2jD5o;EA3qhK_ihU9bnBO~ zX_YdLX*JyzGuFi73p`urDP0o`8nEqJ5%{~5`lML*OKXf0IOKU7SH}RkAfQVlh(*TS zH#-t?_LYbZCrqgx#Eq0uWpndg7Z(-h)^a|)Y!ekiS;837?}HV*&>sWp(`bT=U(yD$ z7;*F0o-;zdLBD76p^ROUMc7(T!nUN}5LY&5*qX}ML(=;N{+<4vaqvU5 zaH!*=jpCS+zFW#uFr^E^<5KwPO-gpD^X>sn?o|9FNVd7lAy|RRtKv71+hvC={x0vt zd0bzq_1Id4lS?pC$W-;B*W?FYRTUQ>)x`5U6IuY|9>wn-E;fngbvgo9ht(s1gc*!& z1|g+-8ehL%J;|*>NS6o_?>Cps_vxF}Li2@xPBo?i^s(A4UJ~EQyVQuC5*fj?WWDH(%47 
z7n^_C=^Kr-&B<4ky8}{HH&PsK z7+99kQlXfZ5~rqAlkdb`OTiI`U?MOXK+Q9%z1jg=8nS|$(n8;2n|xnDDLQ>4r}LO1 zR6RJJ^*VTjJAl21?sB5+Jt75c74vWOMZavFT3ElU=3yRpF2Qu#Y4$Ow_VulNL3h(* zgcaU=8F!6xt?YGXgzgvT6scLU{kBDFgF9Yy$te1cg#~PzD6Wp~-(c!}xYXtZ;mtF_ z#d$>cGa++2L#N9Yj5JEB#ThCRSAVQ!gtxG(8~qz4PLR_LfrlVticiO`q&77{N0_gm zd}Xe?cpfTrmed#(pF=RIoL7H=GXTLM3R2%dZ?^v*RSK5P#wXnY+H1UqZEk6ewnDU( z_CMzfQ((I$FmrjcJuE&yQB07Vt=dd1uu;Qiuwfr<*|%Yzq5`A?p2+Fz1N^#paX)@McMQifskwLTizIR*WK+2{`RQS&ArG1FTwC>Cy%C?Lx{3~S@pS-tGa5P-;famM zu|2FxnXgu*J&EzAA*w&^HGFlbLtlLtX92Hs_Z7&+1H#zdR-XPCb*sjftqD$1aq3{- zI{_S)g|+at18?|i&Y3#9k3#1M%h=){v~`0@i?%~pwf>EM-NOgrTdT9r5SV^1@#&BL z?xm|TDsGKNB9cXq(T7Zn`^t0U<*-W8ApyRSO&^;dAO2$6;mX%QIL*#+{h!>^FMZmN zQ?k&04lXcq%9v@L?SJALR>gX zy3L*Y%MdfqeHp@-cz2jC%qX?ct|&QqKBu}fu05n~G|*K^(7fG>QZQgmb!)mYdDGT} zd79jjXg!<5&Gu660nGlCYnoq%yH4g78c{)(^S)NEpy?|y0cYpw{%@apv!_6BPTonM zl&Sg|?WnMO<0Wa!#nW7WryHSWESow;U2cAZgo7K&tMDC?_4@C(u7nDLR>c-w!A#jT z2Ozu_>6Gj{A#|B*Nhm7jeJL3T6)aSz#87P`)jU$C=Dv4%{HI=%Jd(OGVvv=9}+r$s>(qvYWj+QW5flk<5> z_heze{##df#`cj16q`jFnp*?k@jRV5q7vd0XBmUq5JfoU8qn89a*D6qB6?R+I

8HLR3L(F6=+?joh-nYlm^vS6M!Xdc1qZkjpEDG>dK$Z1Xm=xSOTyP{Oz?%oQe^B6w9A-)rH%@e zUaT=TG6V**um|?uZvoGQwbhuQxmc+4L(_g5?yM0i>^K~{%8aK13@b8Hrh^|QsI1}P z#=o&yiBGf&5q}yCJIA?jd?PgE7AyGamav{^WIr&ao-?f;O|aj~QNeB#X9GKsj`C~H z3{ao~hvj%GI+Q4Ss+SU<=sqd(oVkwF&riWa&`y9DJHuXp{)(z|APuO$Te3Ey%&jPT zdpxD5hH%7V?GOH&uNpS~{QCi%p{fX8(r2j^)gR5i^DKDuuR7P}M2Lny@e`=02w)WO zH`nLL^l)op1X#Ow*P)u}*5%LYwEaqS@*X(}#N*ynI2!pBM+wyJy2Ohk0wv zt}Eo-x>pmNRAu^bY#k~-{?|?Zi~GbrVH*ub1PlX@iSHaqK7V96l*(DO|4#-0elO(m z(&KqK9el;@Z$hg2N)z2Hp#~^_O(P;PKmdy0v9S)8kmTQ#NbvupY5UIz0RJc5b9XQm uHqJ<~j(Q6Caj*vG+O7V@G7kT!!u<~=9w3R$7evqhllti2{aw&UP5%qK$6>|* literal 0 HcmV?d00001 From 1788e5ea966612a694d5acba67a42e899122fee8 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 12:07:22 -0400 Subject: [PATCH 44/55] Testing svc account exemptions --- .../snowflake/Snowflake_Account_Auditor.py | 24 ++++++++-------- .../snowflake/Snowflake_Users_Auditor.py | 28 +++++++++---------- eeauditor/cloud_utils.py | 2 ++ eeauditor/eeauditor.py | 4 ++- eeauditor/external_providers.toml | 4 +++ 5 files changed, 35 insertions(+), 27 deletions(-) diff --git a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py index 0abf9820..e8cc7a83 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Account_Auditor.py 
@@ -60,7 +60,7 @@ def get_snowflake_password_policy(cache: dict, snowflakeCursor: cursor.Snowflake @registry.register_check("snowflake.account") def snowflake_account_sso_enabled_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.1] Snowflake Accounts have Single Sign-On (SSO) enabled""" # ISO Time @@ -216,7 +216,7 @@ def snowflake_account_sso_enabled_check( @registry.register_check("snowflake.account") def snowflake_account_scim_enabled_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.2] Snowflake Accounts have SCIM enabled""" # ISO Time @@ -383,7 +383,7 @@ def snowflake_account_scim_enabled_check( @registry.register_check("snowflake.account") def snowflake_admin_15min_session_timeout_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.3] Snowflake Accounts should ensure that admins roles have a 15 minute session timeout""" # ISO Time 
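Review bot: `serviceAccountExemptions: list[str]` is added to this signature and to the eleven other account checks patched in this file, but none of these hunks shows the parameter being read. It appears to exist only because `run_snowflake_checks` in eeauditor.py now passes it by keyword to every Snowflake check. A short comment above each signature would stop a later reader from assuming account-level checks honour the exemption list, for example `# serviceAccountExemptions is accepted for a uniform check signature; account-level checks do not use it`. Each function body continues outside its hunk, so this is inferred from the visible lines only.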
@@ -546,7 +546,7 @@ def snowflake_admin_15min_session_timeout_check( @registry.register_check("snowflake.account") def snowflake_built_in_admin_roles_not_in_custom_role_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.4] Snowflake custom roles should not use built-in admin roles""" # ISO Time @@ -700,7 +700,7 @@ def snowflake_built_in_admin_roles_not_in_custom_role_check( @registry.register_check("snowflake.account") def snowflake_tasks_not_owned_by_admins_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.5] Snowflake tasks should not be owned by ACCOUNTADMIN or SECURITYADMIN roles""" # ISO Time @@ -873,7 +873,7 @@ def snowflake_tasks_not_owned_by_admins_check( @registry.register_check("snowflake.account") def snowflake_tasks_not_running_with_admin_privs_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.6] Snowflake tasks should not run with ACCOUNTADMIN or SECURITYADMIN role privileges""" # ISO Time 
@@ -1046,7 +1046,7 @@ def snowflake_tasks_not_running_with_admin_privs_check( @registry.register_check("snowflake.account") def snowflake_stored_procs_not_owned_by_admins_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.7] Snowflake stored procedures should not run with ACCOUNTADMIN or SECURITYADMIN role privileges""" # ISO Time @@ -1219,7 +1219,7 @@ def snowflake_stored_procs_not_owned_by_admins_check( @registry.register_check("snowflake.account") def snowflake_stored_procs_not_running_with_admin_privs_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.8] Snowflake stored procedures should not run with ACCOUNTADMIN or SECURITYADMIN role privileges""" # ISO Time @@ -1392,7 +1392,7 @@ def snowflake_stored_procs_not_running_with_admin_privs_check( @registry.register_check("snowflake.account") def snowflake_account_password_policy_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.9] Snowflake Accounts should configure a password policy""" # ISO Time 
@@ -1555,7 +1555,7 @@ def snowflake_account_password_policy_check( @registry.register_check("snowflake.account") def snowflake_account_password_length_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.10] Snowflake password policies should enforce a minimum password length of at least 14 characters""" # ISO Time @@ -1725,7 +1725,7 @@ def snowflake_account_password_length_check( @registry.register_check("snowflake.account") def snowflake_monitor_session_keep_alive_commands_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.11] Snowflake Accounts should be monitored for users extending their sessions""" # ISO Time @@ -1890,7 +1890,7 @@ def snowflake_monitor_session_keep_alive_commands_check( @registry.register_check("snowflake.account") def snowflake_network_policy_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Account.12] Snowflake Accounts should have a network policy enabled""" # ISO Time 
diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index e4611670..a46b3221 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py +++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py @@ -214,7 +214,7 @@ def get_snowflake_users(cache: dict, snowflakeCursor: cursor.SnowflakeCursor) -> @registry.register_check("snowflake.users") def snowflake_password_assigned_user_has_mfa_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Users.1] Snowflake users with passwords should have MFA enabled""" # ISO Time @@ -303,7 +303,7 @@ def snowflake_password_assigned_user_has_mfa_check( } yield finding # this is a failing check - if user["ext_authn_duo"] is False and user["has_password"] is True and user["deleted_on"] is None: + if user["ext_authn_duo"] is False and user["has_password"] is True and user["deleted_on"] is None and user not in serviceAccountExemptions: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/password-user-mfa-check", 
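Review bot: The exemption test `user not in serviceAccountExemptions` in the hunk at -303 compares the whole user record, which the same condition subscripts as `user["ext_authn_duo"]`, against a list of username strings. It is therefore always true, and listed service accounts are still reported. The failure is on the safe side, since nothing is hidden, but the setting has no effect. The name to test is the one used in the finding Id: `and username not in serviceAccountExemptions:`. The same expression is added in the hunks at -854, -1008, -1167 and -1520 of this file; the enclosing functions start and end outside the hunks.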
@@ -382,7 +382,7 @@ def snowflake_password_assigned_user_has_mfa_check( @registry.register_check("snowflake.users") def snowflake_service_account_user_uses_keypair_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Users.2] Snowflake 'service account' users should use RSA key pairs for authentication""" # ISO Time @@ -550,7 +550,7 @@ def snowflake_service_account_user_uses_keypair_check( @registry.register_check("snowflake.users") def snowflake_disable_users_without_last_90_day_login_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Users.3] Snowflake users that have not logged in within the last 90 days should be disabled""" # ISO Time @@ -761,7 +761,7 @@ def snowflake_disable_users_without_last_90_day_login_check( @registry.register_check("snowflake.users") def snowflake_accountadmins_have_email_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Users.4] Snowflake users assigned the ACCOUNTADMIN role should have an email address assigned""" # ISO Time 
@@ -854,7 +854,7 @@ def snowflake_accountadmins_have_email_check( } yield finding # this is a failing check - if "ACCOUNTADMIN" in user["assigned_roles"] and hasEmail is False and user["has_password"] is True and user["deleted_on"] is None: + if "ACCOUNTADMIN" in user["assigned_roles"] and hasEmail is False and user["has_password"] is True and user["deleted_on"] is None and user not in serviceAccountExemptions: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/accountadmin-role-users-have-email-check", @@ -933,7 +933,7 @@ def snowflake_accountadmins_have_email_check( @registry.register_check("snowflake.users") def snowflake_admin_default_role_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Users.5] Snowflake users should not be assigned the ACCOUNTADMIN or SECURITYADMIN role as the default role""" # ISO Time @@ -1008,7 +1008,7 @@ def snowflake_admin_default_role_check( } yield finding # this is a failing check - if user["default_role"] in ["ACCOUNTADMIN","SECURITYADMIN"] and user["deleted_on"] is None: + if user["default_role"] in ["ACCOUNTADMIN","SECURITYADMIN"] and user["deleted_on"] is None and user not in serviceAccountExemptions: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/snowflake-admin-default-role-check", 
@@ -1073,7 +1073,7 @@ def snowflake_admin_default_role_check( @registry.register_check("snowflake.users") def snowflake_logins_without_mfa_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Users.6] Snowflake users should be monitored for logins without MFA""" # ISO Time @@ -1167,7 +1167,7 @@ def snowflake_logins_without_mfa_check( } yield finding # this is a failing check - if loggedInWithoutMfa is True and user["has_password"] is True and user["deleted_on"] is None: + if loggedInWithoutMfa is True and user["has_password"] is True and user["deleted_on"] is None and user not in serviceAccountExemptions: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/snowflake-logins-without-mfa-check", @@ -1246,7 +1246,7 @@ def snowflake_logins_without_mfa_check( @registry.register_check("snowflake.users") def snowflake_admin_password_users_yearly_password_rotation_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Users.7] Snowflake users with any admin role assigned should have their password rotated yearly""" # ISO Time 
@@ -1422,7 +1422,7 @@ def snowflake_admin_password_users_yearly_password_rotation_check( @registry.register_check("snowflake.users") def snowflake_bypass_mfa_review_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Users.8] Snowflake users allowed to bypass MFA should be reviewed""" # ISO Time @@ -1520,7 +1520,7 @@ def snowflake_bypass_mfa_review_check( } yield finding # this is a failing check - if mfaBypass is True and user["deleted_on"] is None: + if mfaBypass is True and user["deleted_on"] is None and user not in serviceAccountExemptions: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/snowflake-user-mfa-bypass-check", @@ -1598,7 +1598,7 @@ def snowflake_bypass_mfa_review_check( @registry.register_check("snowflake.users") def snowflake_limit_admin_users_check( - cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor + cache: dict, awsAccountId: str, awsRegion: str, awsPartition: str, snowflakeAccountId: str, snowflakeRegion: str, snowflakeCursor: cursor.SnowflakeCursor, serviceAccountExemptions: list[str] ) -> dict: """[Snowflake.Users.9] Snowflake Accounts should have at least two admin users but less than ten""" # ISO Time diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 85315f7e..c63617b9 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py 
@@ -499,6 +499,7 @@ def __init__(self, assessmentTarget: str, tomlPath: str | None):
 snowflakeAccountId = str(snowflakeTomlValues["snowflake_account_id"])
 snowflakeWarehouseName = str(snowflakeTomlValues["snowflake_warehouse_name"])
 snowflakeRegion = str(snowflakeTomlValues["snowflake_region"])
+ serviceAccountExemptions = list(snowflakeTomlValues["snowflake_service_account_exemptions"])
 if any( # Check to make sure none of the variables pulled from TOML are emtpy
@@ -514,6 +515,7 @@ def __init__(self, assessmentTarget: str, tomlPath: str | None):
 self.snowflakeAccountId = snowflakeAccountId
 self.snowflakeWarehouseName = snowflakeWarehouseName
 self.snowflakeRegion = snowflakeRegion
+ self.serviceAccountExemptions = serviceAccountExemptions
 # Retrieve value for Snowflake Password from the TOML, AWS SSM or AWS Secrets Manager
 if self.credentialsLocation == "CONFIG_FILE":
diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py
index 5d14cb6f..263720e7 100644
--- a/eeauditor/eeauditor.py
+++ b/eeauditor/eeauditor.py
@@ -123,6 +123,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None):
 self.snowflakeRegion = utils.snowflakeRegion
 self.snowflakeCursor = utils.snowflakeCursor
 self.snowflakeConnection = utils.snowflakeConnection
+ self.serviceAccountExemptions = utils.serviceAccountExemptions
 # Google Workspace
 if assessmentTarget == "GoogleWorkspace":
 searchPath = "./auditors/google_workspace"
@@ -599,7 +600,8 @@ def run_snowflake_checks(self, pluginName=None, delay=0):
 awsPartition=partition,
 snowflakeAccountId=self.snowflakeAccountId,
 snowflakeRegion=self.snowflakeRegion,
- snowflakeCursor=self.snowflakeCursor
+ snowflakeCursor=self.snowflakeCursor,
+ serviceAccountExemptions=self.serviceAccountExemptions
 ):
 if finding is not None:
 yield finding
diff --git a/eeauditor/external_providers.toml b/eeauditor/external_providers.toml
index 97cf2aa8..7f6e6ef7 100644
--- a/eeauditor/external_providers.toml
+++ b/eeauditor/external_providers.toml
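Review bot: The lookup added in the hunk at -499 reads `snowflakeTomlValues["snowflake_service_account_exemptions"]`, while the key this patch adds to external_providers.toml is `snowflake_service_account_usernames`, so the indexing raises KeyError for a config written from the shipped template. Hard indexing also makes a setting described as optional mandatory for TOML files that predate it. `list()` applied to a bare string yields single characters, so a value written without brackets never matches a username and nothing reports the mistake. `serviceAccountExemptions = snowflakeTomlValues.get("snowflake_service_account_usernames", [])`, followed by a check that the value is a list of strings and rejected through the `logger.error` and `sys.exit(2)` path this file already uses for empty entries, would cover all three. `__init__` continues outside the hunk.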
@@ -256,6 +256,10 @@ title = "ElectricEye Configuration" snowflake_region = "" + # The Usernames of "Service Accounts" created in Snowflake, this will optionally exempt these Usernames from being audited against the following checks: snowflake_password_assigned_user_has_mfa_check, snowflake_accountadmins_have_email_check, snowflake_admin_default_role_check, snowflake_logins_without_mfa_check, snowflake_bypass_mfa_review_check + + snowflake_service_account_usernames = [] + [outputs] # ***IMPORTANT*** From 53796e09748fd06bb2350dd9d7abbb9e76443b2e Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 12:18:35 -0400 Subject: [PATCH 45/55] fix exemption logic, update docs --- docs/setup/Setup_Snowflake.md | 4 +++- .../auditors/snowflake/Snowflake_Users_Auditor.py | 10 +++++----- eeauditor/cloud_utils.py | 2 +- eeauditor/external_providers.toml | 2 +- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/docs/setup/Setup_Snowflake.md b/docs/setup/Setup_Snowflake.md index d22bd647..e173e148 100644 --- a/docs/setup/Setup_Snowflake.md +++ b/docs/setup/Setup_Snowflake.md 
@@ -31,7 +31,7 @@ ElectricEye only queries data in the `SNOWFLAKE` Database and within the `ACCOUN ![Step 3](../../screenshots/setup/snowflake/step3.JPG) -4. Run each of the following SQL commands sequentially within the Worksheet. Do note that the `GRANT IMPORTED PRIVILEGES` grant allows your custom role access to the entire `SNOWFLAKE` database and should be done with care. Ensure you change the name of your Role -- `EE_AUDITOR` is used in this case -- if you used a different name for you role. +4. Run each of the following SQL commands sequentially within the Worksheet. Do note that the `GRANT IMPORTED PRIVILEGES` grant allows your custom role access to the entire `SNOWFLAKE` database and should be done with care. Ensure you change the name of your Role -- `EE_AUDITOR` is used in this case -- if you used a different name for you role. Likewise, change to name of the Warehouse -- `COMPUTE_WH` is used in this case -- if you have a different warehouse. ```sql use role ACCOUNTADMIN @@ -72,6 +72,8 @@ To configure the TOML file, you need to modify the values of the variables in th - `snowflake_region`: The Region of your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., us-east-1 +- `snowflake_service_account_usernames`: The Usernames of "Service Accounts" created in Snowflake, this will optionally exempt these Usernames from being audited against the following checks: **snowflake_password_assigned_user_has_mfa_check**, **snowflake_accountadmins_have_email_check**, **snowflake_admin_default_role_check**, **snowflake_logins_without_mfa_check**, and **snowflake_bypass_mfa_review_check** + ## Use ElectricEye for Snowflake 1. With >=Python 3.9 installed, install and upgrade `pip3` and setup `virtualenv`. diff --git a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py index a46b3221..f6c8023d 100644 --- a/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py 
+++ b/eeauditor/auditors/snowflake/Snowflake_Users_Auditor.py
@@ -303,7 +303,7 @@ def snowflake_password_assigned_user_has_mfa_check(
 }
 yield finding # this is a failing check
- if user["ext_authn_duo"] is False and user["has_password"] is True and user["deleted_on"] is None and user not in serviceAccountExemptions:
+ if user["ext_authn_duo"] is False and user["has_password"] is True and user["deleted_on"] is None and username not in serviceAccountExemptions:
 finding = {
 "SchemaVersion": "2018-10-08",
 "Id": f"{snowflakeAccountId}/{username}/password-user-mfa-check",
@@ -854,7 +854,7 @@ def snowflake_accountadmins_have_email_check(
 }
 yield finding # this is a failing check
- if "ACCOUNTADMIN" in user["assigned_roles"] and hasEmail is False and user["has_password"] is True and user["deleted_on"] is None and user not in serviceAccountExemptions:
+ if "ACCOUNTADMIN" in user["assigned_roles"] and hasEmail is False and user["has_password"] is True and user["deleted_on"] is None and username not in serviceAccountExemptions:
 finding = {
 "SchemaVersion": "2018-10-08",
 "Id": f"{snowflakeAccountId}/{username}/accountadmin-role-users-have-email-check",
@@ -1008,7 +1008,7 @@ def snowflake_admin_default_role_check(
 }
 yield finding # this is a failing check
- if user["default_role"] in ["ACCOUNTADMIN","SECURITYADMIN"] and user["deleted_on"] is None and user not in serviceAccountExemptions:
+ if user["default_role"] in ["ACCOUNTADMIN","SECURITYADMIN"] and user["deleted_on"] is None and username not in serviceAccountExemptions:
 finding = {
 "SchemaVersion": "2018-10-08",
 "Id": f"{snowflakeAccountId}/{username}/snowflake-admin-default-role-check",
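Review bot: An exempted username is removed from the failing branch with no trace in the output. With `username not in serviceAccountExemptions` in the condition at -303, a password user without MFA that is named in the TOML list produces no failing finding, and whether anything else is emitted for it depends on the passing branch, which is outside the hunk. The same clause is added at -854 and -1008 here and at -1167 and -1520; in `snowflake_admin_default_role_check` it also hides a listed account whose default role is ACCOUNTADMIN or SECURITYADMIN, a risk that being a service account does not reduce. I would drop the clause from that check and make the skip visible in the others, starting with a comment above each condition such as `# usernames in serviceAccountExemptions are skipped here; report them separately so the exemption list can be reviewed`. Reporting the exempted names, for instance as an informational finding, keeps an edit to the TOML list from silently suppressing results.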
@@ -1167,7 +1167,7 @@ def snowflake_logins_without_mfa_check( } yield finding # this is a failing check - if loggedInWithoutMfa is True and user["has_password"] is True and user["deleted_on"] is None and user not in serviceAccountExemptions: + if loggedInWithoutMfa is True and user["has_password"] is True and user["deleted_on"] is None and username not in serviceAccountExemptions: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/snowflake-logins-without-mfa-check", @@ -1520,7 +1520,7 @@ def snowflake_bypass_mfa_review_check( } yield finding # this is a failing check - if mfaBypass is True and user["deleted_on"] is None and user not in serviceAccountExemptions: + if mfaBypass is True and user["deleted_on"] is None and username not in serviceAccountExemptions: finding = { "SchemaVersion": "2018-10-08", "Id": f"{snowflakeAccountId}/{username}/snowflake-user-mfa-bypass-check", diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index c63617b9..3294df74 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py @@ -499,7 +499,7 @@ def __init__(self, assessmentTarget: str, tomlPath: str | None): snowflakeAccountId = str(snowflakeTomlValues["snowflake_account_id"]) snowflakeWarehouseName = str(snowflakeTomlValues["snowflake_warehouse_name"]) snowflakeRegion = str(snowflakeTomlValues["snowflake_region"]) - serviceAccountExemptions = list(snowflakeTomlValues["snowflake_service_account_exemptions"]) + serviceAccountExemptions = list(snowflakeTomlValues["snowflake_service_account_usernames"]) if any( # Check to make sure none of the variables pulled from TOML are emtpy diff --git a/eeauditor/external_providers.toml b/eeauditor/external_providers.toml index 7f6e6ef7..cfbe1a55 100644 --- a/eeauditor/external_providers.toml +++ b/eeauditor/external_providers.toml 
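Review bot: In the cloud_utils.py hunk, `list(snowflakeTomlValues["snowflake_service_account_usernames"])` raises KeyError when the key is absent, although the TOML comment changed in this patch calls the setting optional, and `list()` turns a value mistakenly written as a single string into a list of characters, which would leave every exemption check unmatched. Reading the key with a default and rejecting non-list values keeps both cases explicit: `serviceAccountExemptions = snowflakeTomlValues.get("snowflake_service_account_usernames", [])` followed by `if not isinstance(serviceAccountExemptions, list):` with the same `logger.error(...)` / `sys.exit(2)` pattern the file already uses. The enclosing `__init__` starts and ends outside the hunk.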
@@ -256,7 +256,7 @@ title = "ElectricEye Configuration" snowflake_region = "" - # The Usernames of "Service Accounts" created in Snowflake, this will optionally exempt these Usernames from being audited against the following checks: snowflake_password_assigned_user_has_mfa_check, snowflake_accountadmins_have_email_check, snowflake_admin_default_role_check, snowflake_logins_without_mfa_check, snowflake_bypass_mfa_review_check + # OPTIONAL! The Usernames of "Service Accounts" created in Snowflake, this will optionally exempt these Usernames from being audited against the following checks: snowflake_password_assigned_user_has_mfa_check, snowflake_accountadmins_have_email_check, snowflake_admin_default_role_check, snowflake_logins_without_mfa_check, snowflake_bypass_mfa_review_check snowflake_service_account_usernames = [] From 9e6039ae4e4b7866eced0194f12cc987aae3c4bc Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 12:28:33 -0400 Subject: [PATCH 46/55] deprecate SH insights, fix list controls --- eeauditor/cloud_utils.py | 2 +- eeauditor/controller.py | 19 ++------- eeauditor/insights.py | 86 ---------------------------------------- 3 files changed, 5 insertions(+), 102 deletions(-) delete mode 100644 eeauditor/insights.py diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 3294df74..67833a26 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py @@ -507,7 +507,7 @@ def __init__(self, assessmentTarget: str, tomlPath: str | None): snowflakeUsername, snowflakePasswordValue, snowflakeAccountId, snowflakeWarehouseName, snowflakeRegion ] ): - logger.error(f"One of your Salesforce TOML entries in [credentials.salesforce] is empty!") + logger.error(f"One of your Snowflake TOML entries in [credentials.snowflake] is empty!") sys.exit(2) # Parse non-confidential values to environ diff --git a/eeauditor/controller.py b/eeauditor/controller.py index 1bf2cb24..b4a126ce 100644 
--- a/eeauditor/controller.py +++ b/eeauditor/controller.py @@ -20,13 +20,12 @@ import sys import click -from insights import create_sechub_insights from eeauditor import EEAuditor from processor.main import get_providers, process_findings from os import environ -def print_controls(assessmentTarget, auditorName=None): - app = EEAuditor(assessmentTarget) +def print_controls(assessmentTarget, auditorName=None, tomlPath=None): + app = EEAuditor(assessmentTarget, tomlPath) app.load_plugins(auditorName) @@ -156,12 +155,6 @@ def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, ou is_flag=True, help="Prints a table of Auditors, Checks, and Check descriptions to stdout - use this for -a or -c args" ) -# Insights -@click.option( - "--create-insights", - is_flag=True, - help="Create AWS Security Hub Insights for ElectricEye. This only needs to be done once per Account per Region for Security Hub", -) # Controls (Description) @click.option( "--list-controls", @@ -184,13 +177,13 @@ def main( output_file, list_options, list_checks, - create_insights, list_controls, toml_path ): if list_controls: print_controls( - assessmentTarget=target_provider + assessmentTarget=target_provider, + tomlPath=toml_path ) sys.exit(0) @@ -208,10 +201,6 @@ def main( ) sys.exit(0) - if create_insights: - create_sechub_insights() - sys.exit(0) - run_auditor( assessmentTarget=target_provider, auditorName=auditor_name, diff --git a/eeauditor/insights.py b/eeauditor/insights.py deleted file mode 100644 index 0975845d..00000000 --- a/eeauditor/insights.py +++ /dev/null 
@@ -1,86 +0,0 @@ -#This file is part of ElectricEye. -#SPDX-License-Identifier: Apache-2.0 - -#Licensed to the Apache Software Foundation (ASF) under one -#or more contributor license agreements. See the NOTICE file -#distributed with this work for additional information -#regarding copyright ownership. The ASF licenses this file -#to you under the Apache License, Version 2.0 (the -#"License"); you may not use this file except in compliance -#with the License. You may obtain a copy of the License at - -#http://www.apache.org/licenses/LICENSE-2.0 - -#Unless required by applicable law or agreed to in writing, -#software distributed under the License is distributed on an -#"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -#KIND, either express or implied. See the License for the -#specific language governing permissions and limitations -#under the License. - -import boto3 - -def create_sechub_insights(): - securityhub = boto3.client("securityhub") - - try: - activeInsight = securityhub.create_insight( - Name="ElectricEye Active Findings", - Filters={ - "ProductFields": [ - {"Key": "ProductName", "Value": "ElectricEye", "Comparison": "EQUALS"}, - ], - "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}] - }, - GroupByAttribute="ResourceType" - ) - print(activeInsight) - except Exception as e: - print(e) - - try: - remediatedInsight = securityhub.create_insight( - Name="ElectricEye Remediated Findings", - Filters={ - "ProductFields": [ - {"Key": "ProductName", "Value": "ElectricEye", "Comparison": "EQUALS"}, - ], - "RecordState": [{"Value": "ARCHIVED", "Comparison": "EQUALS"}] - }, - GroupByAttribute="ResourceType" - ) - print(remediatedInsight) - except Exception as e: - print(e) - - try: - shodanInsight = securityhub.create_insight( - Name="ElectricEye Shodan Findings", - Filters={ - "ProductFields": [ - {"Key": "ProductName", "Value": "ElectricEye", "Comparison": "EQUALS"}, - ], - "ThreatIntelIndicatorSource": [{"Value": "Shodan.io", "Comparison": 
"EQUALS"}], - "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}] - }, - GroupByAttribute="ResourceType" - ) - print(shodanInsight) - except Exception as e: - print(e) - - try: - easmInsight = securityhub.create_insight( - Name="ElectricEye EASM", - Filters={ - "ProductFields": [ - {"Key": "ProductName", "Value": "ElectricEye", "Comparison": "EQUALS"}, - ], - "Title": [{"Value": "[AttackSurface", "Comparison": "CONTAINS"}], - "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}] - }, - GroupByAttribute="ResourceType" - ) - print(easmInsight) - except Exception as e: - print(e) \ No newline at end of file From d6018e72e772c65a4a2a545bde574c534217ab1b Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 12:32:50 -0400 Subject: [PATCH 47/55] update controller descriptions, add more shorthand --- README.md | 32 +++++++++++++++++--------------- eeauditor/controller.py | 15 ++++++++++----- 2 files changed, 27 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index b47e5190..2f50af52 100644 --- a/README.md +++ b/README.md 
@@ -80,31 +80,33 @@ Options: target provider to avoid any errors. e.g., -t AWS -a Amazon_APGIW_Auditor -a, --auditor-name TEXT Specify which Auditor you want to run by - using its name NOT INCLUDING .py. Defaults - to ALL Auditors + using its name NOT INCLUDING .py. . Use the + --list-checks arg to receive a list. + Defaults to ALL Auditors -c, --check-name TEXT A specific Check in a specific Auditor you want to run, this correlates to the function - name. Defaults to ALL Checks + name. Use the --list-checks arg to receive a + list. Defaults to ALL Checks -d, --delay INTEGER Time in seconds to sleep between Auditors - being ran, defaults to 0 + being ran, defaults to 0. Use this argument + to avoid rate limiting -o, --outputs TEXT A list of Outputs (files, APIs, databases, ChatOps) to send ElectricEye Findings, specify multiple with additional arguments: -o csv -o postgresql -o slack [default: ocsf_stdout] - --output-file TEXT For file outputs such as JSON and CSV, the + -of, --output-file TEXT For file outputs such as JSON and CSV, the name of the file, DO NOT SPECIFY .file_type [default: output] - --list-options Lists all valid Output options - --list-checks Prints a table of Auditors, Checks, and - Check descriptions to stdout - use this for - -a or -c args - --create-insights Create AWS Security Hub Insights for - ElectricEye. This only needs to be done once - per Account per Region for Security Hub - --list-controls Lists all ElectricEye Controls (e.g. 
Check - Titles) for an Assessment Target - --toml-path TEXT The full path to the TOML file used for + -lo, --list-options Lists all valid Output options + -lch, --list-checks Prints a table of Auditors, Checks, and + Check descriptions to stdout - use this + command for help with populating -a (Auditor + selection) or -c (Check selection) args + -lco, --list-controls Lists all ElectricEye controls - that is to + say: the Check Titles - for an Assessment + Target + -tp, --toml-path TEXT The full path to the TOML file used for configure e.g., ~/path/to/mydir/external_providers.toml. If this value is not provided the default path diff --git a/eeauditor/controller.py b/eeauditor/controller.py index b4a126ce..a97c0a38 100644 --- a/eeauditor/controller.py +++ b/eeauditor/controller.py @@ -112,20 +112,20 @@ def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, ou "-a", "--auditor-name", default="", - help="Specify which Auditor you want to run by using its name NOT INCLUDING .py. Defaults to ALL Auditors" + help="Specify which Auditor you want to run by using its name NOT INCLUDING .py. . Use the --list-checks arg to receive a list. Defaults to ALL Auditors" ) # Run Specific Check @click.option( "-c", "--check-name", default="", - help="A specific Check in a specific Auditor you want to run, this correlates to the function name. Defaults to ALL Checks") + help="A specific Check in a specific Auditor you want to run, this correlates to the function name. Use the --list-checks arg to receive a list. Defaults to ALL Checks") # Delay @click.option( "-d", "--delay", default=0, - help="Time in seconds to sleep between Auditors being ran, defaults to 0" + help="Time in seconds to sleep between Auditors being ran, defaults to 0. Use this argument to avoid rate limiting" ) # Outputs @click.option( 
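Review bot: The new help text for `--auditor-name` in the controller.py hunk contains a stray period, `NOT INCLUDING .py. . Use the --list-checks arg`, and the same text is copied into the README usage block in this patch. Drop it so the sentence reads `NOT INCLUDING .py. Use the --list-checks arg to receive a list.` and regenerate the README block from the corrected help output.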
@@ -138,6 +138,7 @@ def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, ou ) # Output File Name @click.option( + "-of", "--output-file", default="output", show_default=True, @@ -145,24 +146,28 @@ def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, ou ) # List Output Options @click.option( + "-lo", "--list-options", is_flag=True, help="Lists all valid Output options" ) # List Checks @click.option( + "-lch", "--list-checks", is_flag=True, - help="Prints a table of Auditors, Checks, and Check descriptions to stdout - use this for -a or -c args" + help="Prints a table of Auditors, Checks, and Check descriptions to stdout - use this command for help with populating -a (Auditor selection) or -c (Check selection) args" ) # Controls (Description) @click.option( + "-lco", "--list-controls", is_flag=True, - help="Lists all ElectricEye Controls (e.g. Check Titles) for an Assessment Target" + help="Lists all ElectricEye controls - that is to say: the Check Titles - for an Assessment Target" ) # TOML Path @click.option( + "-tp", "--toml-path", default=None, help="The full path to the TOML file used for configure e.g., ~/path/to/mydir/external_providers.toml. If this value is not provided the default path of ElectricEye/eeauditor/external_providers.toml is used." From 4339003e98ed17b5aa4ebf17a6b7b22df4912f31 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 12:42:21 -0400 Subject: [PATCH 48/55] experimenting with use_toml --- eeauditor/cloud_utils.py | 42 +++++++++++++++++++++------------------- eeauditor/controller.py | 30 +++++++++++++++++++--------- eeauditor/eeauditor.py | 24 +++++++++++------------ 3 files changed, 55 insertions(+), 41 deletions(-) diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 67833a26..3ddfe235 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py 
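Review bot: The short names added in these two hunks (`-of`, `-lo`, `-lch`, `-lco`, `-tp`) are multi-character options behind a single dash, and `-of` begins with the existing value-taking `-o`, so a user who attaches a value to `-o` in POSIX style may have it read as `-of` or the reverse, depending on how click resolves the two. A comment above the `--output-file` option would make the intent clear: `# NOTE: -of is a single option name, not -o followed by "f"`. Choosing aliases that do not share a prefix with `-o` would avoid the question entirely.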
@@ -43,29 +43,31 @@ class CloudConfig(object): for use in EEAuditor when running ElectricEye Auditors and Check """ - def __init__(self, assessmentTarget: str, tomlPath: str | None): - if tomlPath is None: - here = path.abspath(path.dirname(__file__)) - tomlFile = f"{here}/external_providers.toml" - else: - tomlFile = tomlPath + def __init__(self, assessmentTarget: str, tomlPath: str | None, useToml: bool): + if useToml is True: + if tomlPath is None: + here = path.abspath(path.dirname(__file__)) + tomlFile = f"{here}/external_providers.toml" + else: + tomlFile = tomlPath - with open(tomlFile, "rb") as f: - data = tomload(f) + with open(tomlFile, "rb") as f: + data = tomload(f) - # From TOML [global] - if data["global"]["aws_multi_account_target_type"] not in AWS_MULTI_ACCOUNT_TARGET_TYPE_CHOICES: - logger.error("Invalid option for [global.aws_multi_account_target_type].") - sys.exit(2) - self.awsMultiAccountTargetType = data["global"]["aws_multi_account_target_type"] + # From TOML [global] + if data["global"]["aws_multi_account_target_type"] not in AWS_MULTI_ACCOUNT_TARGET_TYPE_CHOICES: + logger.error("Invalid option for [global.aws_multi_account_target_type].") + sys.exit(2) + self.awsMultiAccountTargetType = data["global"]["aws_multi_account_target_type"] - if data["global"]["credentials_location"] not in CREDENTIALS_LOCATION_CHOICES: - logger.error( - "Invalid option for [global.credentials_location]. Must be one of %s.", - CREDENTIALS_LOCATION_CHOICES - ) - sys.exit(2) - self.credentialsLocation = data["global"]["credentials_location"] + if data["global"]["credentials_location"] not in CREDENTIALS_LOCATION_CHOICES: + logger.error( + "Invalid option for [global.credentials_location]. Must be one of %s.", + CREDENTIALS_LOCATION_CHOICES + ) + sys.exit(2) + + self.credentialsLocation = data["global"]["credentials_location"] ################################## # PUBLIC CLOUD SERVICE PROVIDERS # 
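Review bot: When `useToml` is anything other than `True`, the new `if useToml is True:` block is skipped and `data`, `self.awsMultiAccountTargetType` and `self.credentialsLocation` are never set, while the provider sections after the hunk still read them (the removed lines of the next patch in this series show them at the old indentation), so the constructor would stop with a NameError or AttributeError instead of a clear message. Until the non-TOML path exists, fail explicitly after the block: `else:` then `logger.error("useToml=False is not implemented yet")` and `sys.exit(2)`. `__init__` continues outside the hunk.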
diff --git a/eeauditor/controller.py b/eeauditor/controller.py index a97c0a38..a6d9eddc 100644 --- a/eeauditor/controller.py +++ b/eeauditor/controller.py @@ -24,25 +24,25 @@ from processor.main import get_providers, process_findings from os import environ -def print_controls(assessmentTarget, auditorName=None, tomlPath=None): +def print_controls(assessmentTarget, auditorName=None, tomlPath=None, useToml=True): app = EEAuditor(assessmentTarget, tomlPath) app.load_plugins(auditorName) app.print_controls_json() -def print_checks(assessmentTarget, auditorName=None): - app = EEAuditor(assessmentTarget) +def print_checks(assessmentTarget, auditorName=None, tomlPath=None, useToml=True): + app = EEAuditor(assessmentTarget, tomlPath) app.load_plugins(auditorName) app.print_checks_md() -def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, outputs=None, outputFile="", tomlPath=None): +def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, outputs=None, outputFile="", tomlPath=None, useToml=True): if not outputs: outputs = ["stdout"] - app = EEAuditor(assessmentTarget, tomlPath) + app = EEAuditor(assessmentTarget, tomlPath, useToml=True) app.load_plugins(auditorName) # Per-target calls - ensure you use the right run_*_checks*() function @@ -172,6 +172,13 @@ def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, ou default=None, help="The full path to the TOML file used for configure e.g., ~/path/to/mydir/external_providers.toml. If this value is not provided the default path of ElectricEye/eeauditor/external_providers.toml is used." ) +# Use TOML +@click.option( + "-ut", + "--use-toml", + default=True, + help="Set to False to disable the use of the TOML file for external providers, defaults to True. THIS IS AN EXPERIMENTAL FEATURE" +) def main( target_provider, 
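Review bot: The new `useToml` parameter is accepted by `print_controls`, `print_checks` and `run_auditor` but never reaches `EEAuditor`: the first two call `EEAuditor(assessmentTarget, tomlPath)` and `run_auditor` passes the literal `useToml=True`, so `--use-toml False` has no effect on any code path. Pass the argument through in all three, `app = EEAuditor(assessmentTarget, tomlPath, useToml=useToml)`. `run_auditor` continues outside the hunk.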
@@ -183,12 +190,14 @@ def main( list_options, list_checks, list_controls, - toml_path + toml_path, + use_toml ): if list_controls: print_controls( assessmentTarget=target_provider, - tomlPath=toml_path + tomlPath=toml_path, + useToml=use_toml ) sys.exit(0) @@ -202,7 +211,9 @@ def main( if list_checks: print_checks( - assessmentTarget=target_provider + assessmentTarget=target_provider, + tomlPath=toml_path, + useToml=use_toml ) sys.exit(0) @@ -213,7 +224,8 @@ def main( delay=delay, outputs=outputs, outputFile=output_file, - tomlPath=toml_path + tomlPath=toml_path, + useToml=use_toml ) if __name__ == "__main__": diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index 263720e7..6e655615 100644 --- a/eeauditor/eeauditor.py +++ b/eeauditor/eeauditor.py @@ -42,7 +42,7 @@ class EEAuditor(object): credentials and cross-boundary configurations, and runs Checks and yields results back to controller.py CLI """ - def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): + def __init__(self, assessmentTarget, tomlPath=None, searchPath=None, useToml=True): # each check must be decorated with the @registry.register_check("cache_name") # to be discovered during plugin loading. self.registry = CheckRegister() @@ -54,7 +54,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): # AWS if assessmentTarget == "AWS": searchPath = "./auditors/aws" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.awsAccountTargets = utils.awsAccountTargets self.awsRegionsSelection = utils.awsRegionsSelection 
@@ -62,13 +62,13 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): # GCP if assessmentTarget == "GCP": searchPath = "./auditors/gcp" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.gcpProjectIds = utils.gcp_project_ids # OCI if assessmentTarget == "OCI": searchPath = "./auditors/oci" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.ociTenancyId = utils.ociTenancyId self.ociUserId = utils.ociUserId @@ -78,14 +78,14 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): # Azure if assessmentTarget == "Azure": searchPath = "./auditors/azure" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.azureSubscriptions = utils.azureSubscriptions self.azureCredentials = utils.azureCredentials # Alibaba if assessmentTarget == "Alibaba": searchPath = "./auditors/alibabacloud" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) ################################### # SOFTWARE-AS-A-SERVICE PROVIDERS # 
@@ -93,11 +93,11 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): # Servicenow if assessmentTarget == "Servicenow": searchPath = "./auditors/servicenow" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) # M365 if assessmentTarget == "M365": searchPath = "./auditors/m365" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.m365TenantLocation = utils.m365TenantLocation self.m365ClientId = utils.m365ClientId @@ -106,7 +106,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): # Salesforce if assessmentTarget == "Salesforce": searchPath = "./auditors/salesforce" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.salesforceAppClientId = utils.salesforceAppClientId self.salesforceAppClientSecret = utils.salesforceAppClientSecret @@ -117,7 +117,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): # Snowflake if assessmentTarget == "Snowflake": searchPath = "./auditors/snowflake" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.snowflakeAccountId = utils.snowflakeAccountId self.snowflakeRegion = utils.snowflakeRegion @@ -127,7 +127,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None): # Google Workspace if assessmentTarget == "GoogleWorkspace": searchPath = "./auditors/google_workspace" - utils = CloudConfig(assessmentTarget, tomlPath) + utils = CloudConfig(assessmentTarget, tomlPath, useToml) # Search path for Auditors self.source = self.plugin_base.make_plugin_source( 
@@ -701,5 +701,5 @@ def print_controls_json(self): controlPrinter.append(description) print(json.dumps(controlPrinter,indent=4)) - + # EOF \ No newline at end of file From 4f384087089bcde54718580d93aa890d8d017f63 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 13:34:42 -0400 Subject: [PATCH 49/55] setup external args experiment --- eeauditor/cloud_utils.py | 996 +++++++++++++++++++++------------------ eeauditor/controller.py | 41 +- eeauditor/eeauditor.py | 22 +- 3 files changed, 567 insertions(+), 492 deletions(-) diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 3ddfe235..9f753a44 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py @@ -43,8 +43,8 @@ class CloudConfig(object): for use in EEAuditor when running ElectricEye Auditors and Check """ - def __init__(self, assessmentTarget: str, tomlPath: str | None, useToml: bool): - if useToml is True: + def __init__(self, assessmentTarget: str, tomlPath: str | None, useToml: str, args: str | None): + if useToml == "True": if tomlPath is None: here = path.abspath(path.dirname(__file__)) tomlFile = f"{here}/external_providers.toml" 
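Review bot: In the cloud_utils.py hunk, `if useToml == "True":` matches one exact string, so any other spelling (`"true"`, or a boolean `True` from a caller still following the previous patch's `useToml: bool` signature) skips the TOML branch without an error. `args` is also a new required positional that the three-argument `CloudConfig(assessmentTarget, tomlPath, useToml)` calls shown earlier in this series do not supply, unless they are updated outside this view. Normalising once at the top, `useToml = str(useToml).lower() == "true"`, then testing `if useToml:`, and declaring `args: str | None = None` would make both cases explicit. If `args` is meant to carry the credential values the TOML otherwise holds, the docstring should state that command-line arguments end up in shell history and process listings, so secrets belong in the existing `AWS_SSM` or `AWS_SECRETS_MANAGER` locations. `__init__` continues outside the hunk.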
@@ -68,478 +68,486 @@ def __init__(self, assessmentTarget: str, tomlPath: str | None, useToml: bool): sys.exit(2) self.credentialsLocation = data["global"]["credentials_location"] + # from args + if useToml == "False": + # first turn args from a string into a dictionary + args = json.loads(args) ################################## # PUBLIC CLOUD SERVICE PROVIDERS # ################################## - - # AWS - if assessmentTarget == "AWS": - sts = boto3.client("sts") - # Process ["aws_account_targets"] - awsAccountTargets = data["regions_and_accounts"]["aws"]["aws_account_targets"] - if self.awsMultiAccountTargetType == "Accounts": - if not awsAccountTargets: - self.awsAccountTargets = [sts.get_caller_identity()["Account"]] - else: - self.awsAccountTargets = awsAccountTargets - elif self.awsMultiAccountTargetType == "OU": - if not awsAccountTargets: - logger.error("OU was specified but targets were not specified.") - sys.exit(2) - # Regex to check for Valid OUs - ouIdRegex = compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$") - for ou in awsAccountTargets: - if not ouIdRegex.match(ou): - logger.error(f"Invalid Organizational Unit ID {ou}.") + if useToml == "True": + # AWS + if assessmentTarget == "AWS": + sts = boto3.client("sts") + # Process ["aws_account_targets"] + awsAccountTargets = data["regions_and_accounts"]["aws"]["aws_account_targets"] + if self.awsMultiAccountTargetType == "Accounts": + if not awsAccountTargets: + self.awsAccountTargets = [sts.get_caller_identity()["Account"]] + else: + self.awsAccountTargets = awsAccountTargets + elif self.awsMultiAccountTargetType == "OU": + if not awsAccountTargets: + logger.error("OU was specified but targets were not specified.") sys.exit(2) - self.awsAccountTargets = self.get_aws_accounts_from_organizational_units(awsAccountTargets) - elif self.awsMultiAccountTargetType == "Organization": - self.awsAccountTargets = self.get_aws_accounts_from_organization() - - # Process ["aws_regions_selection"] - awsRegions = 
self.get_aws_regions() - if not data["regions_and_accounts"]["aws"]["aws_regions_selection"]: - self.awsRegionsSelection = [boto3.Session().region_name] - else: - tomlRegions = data["regions_and_accounts"]["aws"]["aws_regions_selection"] - if "All" in tomlRegions: - self.awsRegionsSelection = awsRegions + # Regex to check for Valid OUs + ouIdRegex = compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$") + for ou in awsAccountTargets: + if not ouIdRegex.match(ou): + logger.error(f"Invalid Organizational Unit ID {ou}.") + sys.exit(2) + self.awsAccountTargets = self.get_aws_accounts_from_organizational_units(awsAccountTargets) + elif self.awsMultiAccountTargetType == "Organization": + self.awsAccountTargets = self.get_aws_accounts_from_organization() + + # Process ["aws_regions_selection"] + awsRegions = self.get_aws_regions() + if not data["regions_and_accounts"]["aws"]["aws_regions_selection"]: + self.awsRegionsSelection = [boto3.Session().region_name] else: - # Validation check - self.awsRegionsSelection = [a for a in tomlRegions if a in awsRegions] - - # Process ["aws_electric_eye_iam_role_name"] - electricEyeRoleName = data["regions_and_accounts"]["aws"]["aws_electric_eye_iam_role_name"] - if electricEyeRoleName is None or electricEyeRoleName == "": - logger.warning( - "A value for ['aws_electric_eye_iam_role_name'] was not provided. Will attempt to use current session credentials, this will likely fail if you're attempting to assess another AWS account." 
- ) - electricEyeRoleName = None - - self.electricEyeRoleName = electricEyeRoleName - - # GCP - if assessmentTarget == "GCP": - # Process ["gcp_project_ids"] - gcpProjects = list(data["regions_and_accounts"]["gcp"]["gcp_project_ids"]) - if not gcpProjects: - logger.error("No GCP Projects were provided in [regions_and_accounts.gcp.gcp_project_ids].") - sys.exit(2) - else: - self.gcpProjectIds = gcpProjects + tomlRegions = data["regions_and_accounts"]["aws"]["aws_regions_selection"] + if "All" in tomlRegions: + self.awsRegionsSelection = awsRegions + else: + # Validation check + self.awsRegionsSelection = [a for a in tomlRegions if a in awsRegions] + + # Process ["aws_electric_eye_iam_role_name"] + electricEyeRoleName = data["regions_and_accounts"]["aws"]["aws_electric_eye_iam_role_name"] + if electricEyeRoleName is None or electricEyeRoleName == "": + logger.warning( + "A value for ['aws_electric_eye_iam_role_name'] was not provided. Will attempt to use current session credentials, this will likely fail if you're attempting to assess another AWS account." 
+ ) + electricEyeRoleName = None + + self.electricEyeRoleName = electricEyeRoleName - # Process ["gcp_service_account_json_payload_value"] - gcpCred = data["credentials"]["gcp"]["gcp_service_account_json_payload_value"] - if self.credentialsLocation == "CONFIG_FILE": - self.gcpServiceAccountJsonPayloadValue = gcpCred - elif self.credentialsLocation == "AWS_SSM": - self.gcpServiceAccountJsonPayloadValue = self.get_credential_from_aws_ssm( - gcpCred, - "gcp_service_account_json_payload_value" - ) - elif self.credentialsLocation == "AWS_SECRETS_MANAGER": - self.gcpServiceAccountJsonPayloadValue = self.get_credential_from_aws_secrets_manager( - gcpCred, - "gcp_service_account_json_payload_value" - ) - self.setup_gcp_credentials(self.gcpServiceAccountJsonPayloadValue) - - # Oracle Cloud Infrastructure (OCI) - if assessmentTarget == "OCI": - ociValues = data["regions_and_accounts"]["oci"] - - # Retrieve the OCIDs for Tenancy & User and the Region ID along with a list of Compartment OCIDs - ociTenancyId = str(ociValues["oci_tenancy_ocid"]) - ociUserId = str(ociValues["oci_user_ocid"]) - ociRegionName = str(ociValues["oci_region_name"]) - ociCompartments = list(ociValues["oci_compartment_ocids"]) - # Process the [credentials.oci] - ociUserApiKeyFingerprint = data["credentials"]["oci"]["oci_user_api_key_fingerprint_value"] - ociUserApiKeyPemValue = data["credentials"]["oci"]["oci_user_api_key_private_key_pem_contents_value"] - - if any( - # Check to make sure none of the variables pulled from TOML are emtpy - not var for var in [ - ociTenancyId, ociUserId, ociRegionName, ociCompartments, ociUserApiKeyFingerprint, ociUserApiKeyPemValue - ] - ): - logger.error(f"One of your Oracle Cloud TOML entries in [regions_and_accounts.oci] or [credentials.oci] is empty!") - sys.exit(2) - - # Assign ["regions_and_accounts"]["oci"] values to `self` - self.ociTenancyId = ociTenancyId - self.ociUserId = ociUserId - self.ociRegionName = ociRegionName - self.ociCompartments = ociCompartments 
- - # Process ["oci_user_api_key_fingerprint_value"] - ociUserApiKeyFingerprint = data["credentials"]["oci"]["oci_user_api_key_fingerprint_value"] - if self.credentialsLocation == "CONFIG_FILE": - ociUserApiKeyFingerprint = ociUserApiKeyFingerprint - elif self.credentialsLocation == "AWS_SSM": - ociUserApiKeyFingerprint = self.get_credential_from_aws_ssm( - ociUserApiKeyFingerprint, - "oci_user_api_key_fingerprint_value" - ) - elif self.credentialsLocation == "AWS_SECRETS_MANAGER": - ociUserApiKeyFingerprint = self.get_credential_from_aws_secrets_manager( - ociUserApiKeyFingerprint, - "oci_user_api_key_fingerprint_value" - ) - - self.ociUserApiKeyFingerprint = ociUserApiKeyFingerprint - - # Process ["oci_user_api_key_private_key_pem_contents_value"] - ociUserApiKeyPemLocation = data["credentials"]["oci"]["oci_user_api_key_private_key_pem_contents_value"] - if self.credentialsLocation == "CONFIG_FILE": - ociUserApiKeyPemLocation = ociUserApiKeyPemLocation - elif self.credentialsLocation == "AWS_SSM": - ociUserApiKeyPemLocation = self.get_credential_from_aws_ssm( - ociUserApiKeyPemLocation, - "oci_user_api_key_private_key_pem_contents_value" - ) - elif self.credentialsLocation == "AWS_SECRETS_MANAGER": - ociUserApiKeyPemLocation = self.get_credential_from_aws_secrets_manager( - ociUserApiKeyPemLocation, - "oci_user_api_key_private_key_pem_contents_value" - ) - - # Create the PEM file and save the location of it to environ - self.setup_oci_credentials(ociUserApiKeyPemLocation) - - # Azure - if assessmentTarget == "Azure": - # Process data["credentials"]["azure"] - values need to be assigned to self - azureValues = data["credentials"]["azure"] - - azureClientId = azureValues["azure_ent_app_client_id_value"] - azureSecretId = azureValues["azure_ent_app_client_secret_id_value"] - azureTenantId = azureValues["azure_ent_app_tenant_id_value"] - azureSubscriptions = data["regions_and_accounts"]["azure"]["azure_subscription_ids"] - - del azureValues - - if any( - # Check to 
make sure none of the variables pulled from TOML are emtpy - not var for var in [ - azureClientId, azureSecretId, azureTenantId - ] - ): - logger.error("One of your azure TOML entries in [credentials.azure] is empty!") - sys.exit(2) - - # Retrieve the values for the azure Enterprise Application Client ID, Secret Value & Tenant ID - # SSM - if self.credentialsLocation == "AWS_SSM": - # Client ID - azureClientId = self.get_credential_from_aws_ssm( - azureClientId, - "azure_ent_app_client_id_value" - ) - # Secret Value - azureSecretId = self.get_credential_from_aws_ssm( - azureSecretId, - "azure_ent_app_client_secret_id_value" - ) - # Tenant ID - azureTenantId = self.get_credential_from_aws_ssm( - azureTenantId, - "azure_ent_app_tenant_id_value" - ) - # AWS Secrets Manager - elif self.credentialsLocation == "AWS_SECRETS_MANAGER": - # Client ID - azureClientId = self.get_credential_from_aws_secrets_manager( - azureClientId, - "azure_ent_app_client_id_value" - ) - # Secret Value - azureSecretId = self.get_credential_from_aws_secrets_manager( - azureSecretId, - "azure_ent_app_client_secret_id_value" - ) - # Tenant ID - azureTenantId = self.get_credential_from_aws_secrets_manager( - azureTenantId, - "azure_ent_app_tenant_id_value" - ) - - # Create Azure Identity credentials from Client ID/Secret Value/Tenant ID - azureCredentials = self.create_azure_identity_credentials_from_client_secret( - clientId=azureClientId, - clientSecret=azureSecretId, - tenantId=azureTenantId - ) - - # If subscriptions aren't supplied, attempt to find which ones you have access to - if not azureSubscriptions: - logger.warning( - "No values provided for [regions_and_accounts.azure.azure_subscription_ids] - attempting to retrieve subscription IDs your Service Principal has access to..." 
- ) - azureSubscriptions = self.retrieve_azure_subscriptions_for_service_principal( - azureCredentials=azureCredentials - ) - # pass list of subscriptions and the creds off - self.azureSubscriptions = azureSubscriptions - self.azureCredentials = azureCredentials - - # Alibaba Cloud - if assessmentTarget == "Alibaba": - logger.info("Coming soon!") - - ################################### - # SOFTWARE-AS-A-SERVICE PROVIDERS # - ################################### - - # ServiceNow - if assessmentTarget == "Servicenow": - # Process data["credentials"]["servicenow"] - nothing needs to be assigned to `self` - serviceNowValues = data["credentials"]["servicenow"] - - snowInstanceName = serviceNowValues["servicenow_instance_name"] - snowInstanceRegion = serviceNowValues["servicenow_instance_region"] - snowUserName = serviceNowValues["servicenow_sspm_username"] - snowUserLoginBreachRate = serviceNowValues["servicenow_failed_login_breaching_rate"] - - if any( - # Check to make sure none of the variables pulled from TOML are emtpy - not var for var in [ - snowInstanceName, snowInstanceRegion, snowUserName, snowUserLoginBreachRate - ] - ): - logger.error(f"One of your ServiceNow TOML entries in [credentials.servicenow] is empty!") - sys.exit(2) + # GCP + if assessmentTarget == "GCP": + # Process ["gcp_project_ids"] + gcpProjects = list(data["regions_and_accounts"]["gcp"]["gcp_project_ids"]) + if not gcpProjects: + logger.error("No GCP Projects were provided in [regions_and_accounts.gcp.gcp_project_ids].") + sys.exit(2) + else: + self.gcpProjectIds = gcpProjects + + # Process ["gcp_service_account_json_payload_value"] + gcpCred = data["credentials"]["gcp"]["gcp_service_account_json_payload_value"] + if self.credentialsLocation == "CONFIG_FILE": + self.gcpServiceAccountJsonPayloadValue = gcpCred + elif self.credentialsLocation == "AWS_SSM": + self.gcpServiceAccountJsonPayloadValue = self.get_credential_from_aws_ssm( + gcpCred, + "gcp_service_account_json_payload_value" + ) + elif 
self.credentialsLocation == "AWS_SECRETS_MANAGER": + self.gcpServiceAccountJsonPayloadValue = self.get_credential_from_aws_secrets_manager( + gcpCred, + "gcp_service_account_json_payload_value" + ) + self.setup_gcp_credentials(self.gcpServiceAccountJsonPayloadValue) - # Retrieve ServiceNow ElectricEye user password - serviceNowPwVal = serviceNowValues["servicenow_sspm_password_value"] - if self.credentialsLocation == "CONFIG_FILE": - environ["SNOW_SSPM_PASSWORD"] = serviceNowPwVal - elif self.credentialsLocation == "AWS_SSM": - environ["SNOW_SSPM_PASSWORD"] = self.get_credential_from_aws_ssm( - serviceNowPwVal, - "servicenow_sspm_password_value" - ) - elif self.credentialsLocation == "AWS_SECRETS_MANAGER": - environ["SNOW_SSPM_PASSWORD"] = self.get_credential_from_aws_secrets_manager( - serviceNowPwVal, - "servicenow_sspm_password_value" - ) - # All other ServiceNow Values are written as environment variables and either provided - # to PySnow Clients or to ProductFields{} within the ASFF per Finding - environ["SNOW_INSTANCE_NAME"] = snowInstanceName - environ["SNOW_INSTANCE_REGION"] = snowInstanceRegion - environ["SNOW_SSPM_USERNAME"] = snowUserName - environ["SNOW_FAILED_LOGIN_BREACHING_RATE"] = snowUserLoginBreachRate - - # M365 - if assessmentTarget == "M365": - # Process data["credentials"]["m365"] - values need to be assigned to self - m365Values = data["credentials"]["m365"] - - m365ClientId = m365Values["m365_ent_app_client_id_value"] - m365SecretId = m365Values["m365_ent_app_client_secret_id_value"] - m365TenantId = m365Values["m365_ent_app_tenant_id_value"] - m365TenantLocation = m365Values["m365_tenant_location"] - - if any( - # Check to make sure none of the variables pulled from TOML are emtpy - not var for var in [ - m365ClientId, m365SecretId, m365TenantId, m365TenantLocation - ] - ): - logger.error(f"One of your M365 TOML entries in [credentials.m365] is empty!") - sys.exit(2) - - # This value (tenant location) will always be in plaintext - 
self.m365TenantLocation = m365TenantLocation - - # Retrieve the values for the M365 Enterprise Application Client ID, Secret Value & Tenant ID - if self.credentialsLocation == "CONFIG_FILE": - self.m365ClientId = m365ClientId - self.m365SecretId = m365SecretId - self.m365TenantId = m365TenantId - # SSM - elif self.credentialsLocation == "AWS_SSM": - # Client ID - self.m365ClientId = self.get_credential_from_aws_ssm( - m365ClientId, - "m365_ent_app_client_id_value" - ) - # Secret Value - self.m365SecretId = self.get_credential_from_aws_ssm( - m365SecretId, - "m365_ent_app_client_secret_id_value" - ) - # Tenant ID - self.m365TenantId = self.get_credential_from_aws_ssm( - m365TenantId, - "m365_ent_app_tenant_id_value" - ) - # AWS Secrets Manager - elif self.credentialsLocation == "AWS_SECRETS_MANAGER": - # Client ID - self.m365ClientId = self.get_credential_from_aws_secrets_manager( - m365ClientId, - "m365_ent_app_client_id_value" - ) - # Secret Value - self.m365SecretId = self.get_credential_from_aws_secrets_manager( - m365SecretId, - "m365_ent_app_client_secret_id_value" - ) - # Tenant ID - self.m365TenantId = self.get_credential_from_aws_secrets_manager( - m365TenantId, - "m365_ent_app_tenant_id_value" - ) - - # Salesforce - if assessmentTarget == "Salesforce": - # Process data["credentials"]["m365"] - values need to be assigned to self - salesforceValues = data["credentials"]["salesforce"] - - salesforceAppClientId = salesforceValues["salesforce_connected_app_client_id_value"] - salesforceAppClientSecret = salesforceValues["salesforce_connected_app_client_secret_value"] - salesforceApiUsername = salesforceValues["salesforce_api_enabled_username_value"] - salesforceApiPassword = salesforceValues["salesforce_api_enabled_password_value"] - salesforceUserSecurityToken = salesforceValues["salesforce_api_enabled_security_token_value"] - salesforceInstanceLocation = salesforceValues["salesforce_instance_location"] - salesforceFailedLoginBreachingRate = 
salesforceValues["salesforce_failed_login_breaching_rate"] - salesforceApiVersion = salesforceValues["salesforce_api_version"] - - if any( - # Check to make sure none of the variables pulled from TOML are emtpy - not var for var in [ - salesforceAppClientId, salesforceAppClientSecret, salesforceApiUsername, salesforceApiPassword, salesforceUserSecurityToken, salesforceInstanceLocation, salesforceFailedLoginBreachingRate, salesforceApiVersion - ] - ): - logger.error(f"One of your Salesforce TOML entries in [credentials.salesforce] is empty!") - sys.exit(2) - - # The failed login breaching rate and API Version will be in plaintext/env vars - environ["SALESFORCE_FAILED_LOGIN_BREACHING_RATE"] = salesforceFailedLoginBreachingRate - environ["SFDC_API_VERSION"] = salesforceApiVersion - - # Location is parsed from the config directly - self.salesforceInstanceLocation = salesforceInstanceLocation - - # Retrieve the values for the Salesforce Client ID, Client Secret, Username, Password, and Security Token - # Local config file - if self.credentialsLocation == "CONFIG_FILE": - self.salesforceAppClientId = salesforceAppClientId - self.salesforceAppClientSecret = salesforceAppClientSecret - self.salesforceApiUsername = salesforceApiUsername - self.salesforceApiPassword = salesforceApiPassword - self.salesforceUserSecurityToken = salesforceUserSecurityToken - # SSM - elif self.credentialsLocation == "AWS_SSM": - # Client ID - self.salesforceAppClientId = self.get_credential_from_aws_ssm( - salesforceAppClientId, - "salesforce_connected_app_client_id_value" - ) - # Client Secret - self.salesforceAppClientSecret = self.get_credential_from_aws_ssm( - salesforceAppClientSecret, - "salesforce_connected_app_client_secret_value" - ) - # API Username - self.salesforceApiUsername = self.get_credential_from_aws_ssm( - salesforceApiUsername, - "salesforce_api_enabled_username_value" - ) - # API User Password - self.salesforceApiPassword = self.get_credential_from_aws_ssm( - 
salesforceApiPassword, - "salesforce_api_enabled_password_value" - ) - # API User Security Token - self.salesforceUserSecurityToken = self.get_credential_from_aws_ssm( - salesforceUserSecurityToken, - "salesforce_api_enabled_security_token_value" - ) - # AWS Secrets Manager - elif self.credentialsLocation == "AWS_SECRETS_MANAGER": - # Client ID - self.salesforceAppClientId = self.get_credential_from_aws_secrets_manager( - salesforceAppClientId, - "salesforce_connected_app_client_id_value" - ) - # Client Secret - self.salesforceAppClientSecret = self.get_credential_from_aws_secrets_manager( - salesforceAppClientSecret, - "salesforce_connected_app_client_secret_value" - ) - # API Username - self.salesforceApiUsername = self.get_credential_from_aws_secrets_manager( - salesforceApiUsername, - "salesforce_api_enabled_username_value" - ) - # API User Password - self.salesforceApiPassword = self.get_credential_from_aws_secrets_manager( - salesforceApiPassword, - "salesforce_api_enabled_password_value" - ) - # API User Security Token - self.salesforceUserSecurityToken = self.get_credential_from_aws_secrets_manager( - salesforceUserSecurityToken, - "salesforce_api_enabled_security_token_value" - ) - - # Google Workspace - if assessmentTarget == "GoogleWorkspace": - logger.info("Coming soon!") + # Oracle Cloud Infrastructure (OCI) + if assessmentTarget == "OCI": + ociValues = data["regions_and_accounts"]["oci"] + + # Retrieve the OCIDs for Tenancy & User and the Region ID along with a list of Compartment OCIDs + ociTenancyId = str(ociValues["oci_tenancy_ocid"]) + ociUserId = str(ociValues["oci_user_ocid"]) + ociRegionName = str(ociValues["oci_region_name"]) + ociCompartments = list(ociValues["oci_compartment_ocids"]) + # Process the [credentials.oci] + ociUserApiKeyFingerprint = data["credentials"]["oci"]["oci_user_api_key_fingerprint_value"] + ociUserApiKeyPemValue = data["credentials"]["oci"]["oci_user_api_key_private_key_pem_contents_value"] + + if any( + # Check to make 
sure none of the variables pulled from TOML are emtpy + not var for var in [ + ociTenancyId, ociUserId, ociRegionName, ociCompartments, ociUserApiKeyFingerprint, ociUserApiKeyPemValue + ] + ): + logger.error(f"One of your Oracle Cloud TOML entries in [regions_and_accounts.oci] or [credentials.oci] is empty!") + sys.exit(2) - # Snowflake - if assessmentTarget == "Snowflake": - # Process data["credentials"]["snowflake"] - values need to be assigned to self - snowflakeTomlValues = data["credentials"]["snowflake"] - - snowflakeUsername = str(snowflakeTomlValues["snowflake_username"]) - snowflakePasswordValue = str(snowflakeTomlValues["snowflake_password_value"]) - snowflakeAccountId = str(snowflakeTomlValues["snowflake_account_id"]) - snowflakeWarehouseName = str(snowflakeTomlValues["snowflake_warehouse_name"]) - snowflakeRegion = str(snowflakeTomlValues["snowflake_region"]) - serviceAccountExemptions = list(snowflakeTomlValues["snowflake_service_account_usernames"]) - - if any( - # Check to make sure none of the variables pulled from TOML are emtpy - not var for var in [ - snowflakeUsername, snowflakePasswordValue, snowflakeAccountId, snowflakeWarehouseName, snowflakeRegion - ] - ): - logger.error(f"One of your Snowflake TOML entries in [credentials.snowflake] is empty!") - sys.exit(2) + # Assign ["regions_and_accounts"]["oci"] values to `self` + self.ociTenancyId = ociTenancyId + self.ociUserId = ociUserId + self.ociRegionName = ociRegionName + self.ociCompartments = ociCompartments + + # Process ["oci_user_api_key_fingerprint_value"] + ociUserApiKeyFingerprint = data["credentials"]["oci"]["oci_user_api_key_fingerprint_value"] + if self.credentialsLocation == "CONFIG_FILE": + ociUserApiKeyFingerprint = ociUserApiKeyFingerprint + elif self.credentialsLocation == "AWS_SSM": + ociUserApiKeyFingerprint = self.get_credential_from_aws_ssm( + ociUserApiKeyFingerprint, + "oci_user_api_key_fingerprint_value" + ) + elif self.credentialsLocation == "AWS_SECRETS_MANAGER": + 
ociUserApiKeyFingerprint = self.get_credential_from_aws_secrets_manager( + ociUserApiKeyFingerprint, + "oci_user_api_key_fingerprint_value" + ) + + self.ociUserApiKeyFingerprint = ociUserApiKeyFingerprint + + # Process ["oci_user_api_key_private_key_pem_contents_value"] + ociUserApiKeyPemLocation = data["credentials"]["oci"]["oci_user_api_key_private_key_pem_contents_value"] + if self.credentialsLocation == "CONFIG_FILE": + ociUserApiKeyPemLocation = ociUserApiKeyPemLocation + elif self.credentialsLocation == "AWS_SSM": + ociUserApiKeyPemLocation = self.get_credential_from_aws_ssm( + ociUserApiKeyPemLocation, + "oci_user_api_key_private_key_pem_contents_value" + ) + elif self.credentialsLocation == "AWS_SECRETS_MANAGER": + ociUserApiKeyPemLocation = self.get_credential_from_aws_secrets_manager( + ociUserApiKeyPemLocation, + "oci_user_api_key_private_key_pem_contents_value" + ) + + # Create the PEM file and save the location of it to environ + self.setup_oci_credentials(ociUserApiKeyPemLocation) + + # Azure + if assessmentTarget == "Azure": + # Process data["credentials"]["azure"] - values need to be assigned to self + azureValues = data["credentials"]["azure"] + + azureClientId = azureValues["azure_ent_app_client_id_value"] + azureSecretId = azureValues["azure_ent_app_client_secret_id_value"] + azureTenantId = azureValues["azure_ent_app_tenant_id_value"] + azureSubscriptions = data["regions_and_accounts"]["azure"]["azure_subscription_ids"] + + del azureValues + + if any( + # Check to make sure none of the variables pulled from TOML are emtpy + not var for var in [ + azureClientId, azureSecretId, azureTenantId + ] + ): + logger.error("One of your azure TOML entries in [credentials.azure] is empty!") + sys.exit(2) - # Parse non-confidential values to environ - self.snowflakeUsername = snowflakeUsername - self.snowflakeAccountId = snowflakeAccountId - self.snowflakeWarehouseName = snowflakeWarehouseName - self.snowflakeRegion = snowflakeRegion - 
self.serviceAccountExemptions = serviceAccountExemptions + # Retrieve the values for the azure Enterprise Application Client ID, Secret Value & Tenant ID + # SSM + if self.credentialsLocation == "AWS_SSM": + # Client ID + azureClientId = self.get_credential_from_aws_ssm( + azureClientId, + "azure_ent_app_client_id_value" + ) + # Secret Value + azureSecretId = self.get_credential_from_aws_ssm( + azureSecretId, + "azure_ent_app_client_secret_id_value" + ) + # Tenant ID + azureTenantId = self.get_credential_from_aws_ssm( + azureTenantId, + "azure_ent_app_tenant_id_value" + ) + # AWS Secrets Manager + elif self.credentialsLocation == "AWS_SECRETS_MANAGER": + # Client ID + azureClientId = self.get_credential_from_aws_secrets_manager( + azureClientId, + "azure_ent_app_client_id_value" + ) + # Secret Value + azureSecretId = self.get_credential_from_aws_secrets_manager( + azureSecretId, + "azure_ent_app_client_secret_id_value" + ) + # Tenant ID + azureTenantId = self.get_credential_from_aws_secrets_manager( + azureTenantId, + "azure_ent_app_tenant_id_value" + ) + + # Create Azure Identity credentials from Client ID/Secret Value/Tenant ID + azureCredentials = self.create_azure_identity_credentials_from_client_secret( + clientId=azureClientId, + clientSecret=azureSecretId, + tenantId=azureTenantId + ) + + # If subscriptions aren't supplied, attempt to find which ones you have access to + if not azureSubscriptions: + logger.warning( + "No values provided for [regions_and_accounts.azure.azure_subscription_ids] - attempting to retrieve subscription IDs your Service Principal has access to..." 
+ ) + azureSubscriptions = self.retrieve_azure_subscriptions_for_service_principal( + azureCredentials=azureCredentials + ) + # pass list of subscriptions and the creds off + self.azureSubscriptions = azureSubscriptions + self.azureCredentials = azureCredentials + + # Alibaba Cloud + if assessmentTarget == "Alibaba": + logger.info("Coming soon!") + + ################################### + # SOFTWARE-AS-A-SERVICE PROVIDERS # + ################################### + + # ServiceNow + if assessmentTarget == "Servicenow": + # Process data["credentials"]["servicenow"] - nothing needs to be assigned to `self` + serviceNowValues = data["credentials"]["servicenow"] + + snowInstanceName = serviceNowValues["servicenow_instance_name"] + snowInstanceRegion = serviceNowValues["servicenow_instance_region"] + snowUserName = serviceNowValues["servicenow_sspm_username"] + snowUserLoginBreachRate = serviceNowValues["servicenow_failed_login_breaching_rate"] + + if any( + # Check to make sure none of the variables pulled from TOML are emtpy + not var for var in [ + snowInstanceName, snowInstanceRegion, snowUserName, snowUserLoginBreachRate + ] + ): + logger.error(f"One of your ServiceNow TOML entries in [credentials.servicenow] is empty!") + sys.exit(2) + + # Retrieve ServiceNow ElectricEye user password + serviceNowPwVal = serviceNowValues["servicenow_sspm_password_value"] + if self.credentialsLocation == "CONFIG_FILE": + environ["SNOW_SSPM_PASSWORD"] = serviceNowPwVal + elif self.credentialsLocation == "AWS_SSM": + environ["SNOW_SSPM_PASSWORD"] = self.get_credential_from_aws_ssm( + serviceNowPwVal, + "servicenow_sspm_password_value" + ) + elif self.credentialsLocation == "AWS_SECRETS_MANAGER": + environ["SNOW_SSPM_PASSWORD"] = self.get_credential_from_aws_secrets_manager( + serviceNowPwVal, + "servicenow_sspm_password_value" + ) + # All other ServiceNow Values are written as environment variables and either provided + # to PySnow Clients or to ProductFields{} within the ASFF per 
Finding + environ["SNOW_INSTANCE_NAME"] = snowInstanceName + environ["SNOW_INSTANCE_REGION"] = snowInstanceRegion + environ["SNOW_SSPM_USERNAME"] = snowUserName + environ["SNOW_FAILED_LOGIN_BREACHING_RATE"] = snowUserLoginBreachRate + + # M365 + if assessmentTarget == "M365": + # Process data["credentials"]["m365"] - values need to be assigned to self + m365Values = data["credentials"]["m365"] + + m365ClientId = m365Values["m365_ent_app_client_id_value"] + m365SecretId = m365Values["m365_ent_app_client_secret_id_value"] + m365TenantId = m365Values["m365_ent_app_tenant_id_value"] + m365TenantLocation = m365Values["m365_tenant_location"] + + if any( + # Check to make sure none of the variables pulled from TOML are emtpy + not var for var in [ + m365ClientId, m365SecretId, m365TenantId, m365TenantLocation + ] + ): + logger.error(f"One of your M365 TOML entries in [credentials.m365] is empty!") + sys.exit(2) - # Retrieve value for Snowflake Password from the TOML, AWS SSM or AWS Secrets Manager - if self.credentialsLocation == "CONFIG_FILE": - self.snowflakePassowrd = snowflakePasswordValue - # SSM - elif self.credentialsLocation == "AWS_SSM": - self.snowflakePassowrd = self.get_credential_from_aws_ssm( - snowflakePasswordValue, - "snowflake_password_value" - ) - # AWS Secrets Manager - elif self.credentialsLocation == "AWS_SECRETS_MANAGER": - self.snowflakePassowrd = self.get_credential_from_aws_secrets_manager( - snowflakePasswordValue, - "snowflake_password_value" - ) + # This value (tenant location) will always be in plaintext + self.m365TenantLocation = m365TenantLocation + + # Retrieve the values for the M365 Enterprise Application Client ID, Secret Value & Tenant ID + if self.credentialsLocation == "CONFIG_FILE": + self.m365ClientId = m365ClientId + self.m365SecretId = m365SecretId + self.m365TenantId = m365TenantId + # SSM + elif self.credentialsLocation == "AWS_SSM": + # Client ID + self.m365ClientId = self.get_credential_from_aws_ssm( + m365ClientId, + 
"m365_ent_app_client_id_value" + ) + # Secret Value + self.m365SecretId = self.get_credential_from_aws_ssm( + m365SecretId, + "m365_ent_app_client_secret_id_value" + ) + # Tenant ID + self.m365TenantId = self.get_credential_from_aws_ssm( + m365TenantId, + "m365_ent_app_tenant_id_value" + ) + # AWS Secrets Manager + elif self.credentialsLocation == "AWS_SECRETS_MANAGER": + # Client ID + self.m365ClientId = self.get_credential_from_aws_secrets_manager( + m365ClientId, + "m365_ent_app_client_id_value" + ) + # Secret Value + self.m365SecretId = self.get_credential_from_aws_secrets_manager( + m365SecretId, + "m365_ent_app_client_secret_id_value" + ) + # Tenant ID + self.m365TenantId = self.get_credential_from_aws_secrets_manager( + m365TenantId, + "m365_ent_app_tenant_id_value" + ) + + # Salesforce + if assessmentTarget == "Salesforce": + # Process data["credentials"]["m365"] - values need to be assigned to self + salesforceValues = data["credentials"]["salesforce"] + + salesforceAppClientId = salesforceValues["salesforce_connected_app_client_id_value"] + salesforceAppClientSecret = salesforceValues["salesforce_connected_app_client_secret_value"] + salesforceApiUsername = salesforceValues["salesforce_api_enabled_username_value"] + salesforceApiPassword = salesforceValues["salesforce_api_enabled_password_value"] + salesforceUserSecurityToken = salesforceValues["salesforce_api_enabled_security_token_value"] + salesforceInstanceLocation = salesforceValues["salesforce_instance_location"] + salesforceFailedLoginBreachingRate = salesforceValues["salesforce_failed_login_breaching_rate"] + salesforceApiVersion = salesforceValues["salesforce_api_version"] + + if any( + # Check to make sure none of the variables pulled from TOML are emtpy + not var for var in [ + salesforceAppClientId, salesforceAppClientSecret, salesforceApiUsername, salesforceApiPassword, salesforceUserSecurityToken, salesforceInstanceLocation, salesforceFailedLoginBreachingRate, salesforceApiVersion + ] + ): + 
logger.error(f"One of your Salesforce TOML entries in [credentials.salesforce] is empty!") + sys.exit(2) - # Retrieve cursor and connector - snowflakeCursorConn = self.create_snowflake_cursor() + # The failed login breaching rate and API Version will be in plaintext/env vars + environ["SALESFORCE_FAILED_LOGIN_BREACHING_RATE"] = salesforceFailedLoginBreachingRate + environ["SFDC_API_VERSION"] = salesforceApiVersion + + # Location is parsed from the config directly + self.salesforceInstanceLocation = salesforceInstanceLocation + + # Retrieve the values for the Salesforce Client ID, Client Secret, Username, Password, and Security Token + # Local config file + if self.credentialsLocation == "CONFIG_FILE": + self.salesforceAppClientId = salesforceAppClientId + self.salesforceAppClientSecret = salesforceAppClientSecret + self.salesforceApiUsername = salesforceApiUsername + self.salesforceApiPassword = salesforceApiPassword + self.salesforceUserSecurityToken = salesforceUserSecurityToken + # SSM + elif self.credentialsLocation == "AWS_SSM": + # Client ID + self.salesforceAppClientId = self.get_credential_from_aws_ssm( + salesforceAppClientId, + "salesforce_connected_app_client_id_value" + ) + # Client Secret + self.salesforceAppClientSecret = self.get_credential_from_aws_ssm( + salesforceAppClientSecret, + "salesforce_connected_app_client_secret_value" + ) + # API Username + self.salesforceApiUsername = self.get_credential_from_aws_ssm( + salesforceApiUsername, + "salesforce_api_enabled_username_value" + ) + # API User Password + self.salesforceApiPassword = self.get_credential_from_aws_ssm( + salesforceApiPassword, + "salesforce_api_enabled_password_value" + ) + # API User Security Token + self.salesforceUserSecurityToken = self.get_credential_from_aws_ssm( + salesforceUserSecurityToken, + "salesforce_api_enabled_security_token_value" + ) + # AWS Secrets Manager + elif self.credentialsLocation == "AWS_SECRETS_MANAGER": + # Client ID + self.salesforceAppClientId = 
self.get_credential_from_aws_secrets_manager( + salesforceAppClientId, + "salesforce_connected_app_client_id_value" + ) + # Client Secret + self.salesforceAppClientSecret = self.get_credential_from_aws_secrets_manager( + salesforceAppClientSecret, + "salesforce_connected_app_client_secret_value" + ) + # API Username + self.salesforceApiUsername = self.get_credential_from_aws_secrets_manager( + salesforceApiUsername, + "salesforce_api_enabled_username_value" + ) + # API User Password + self.salesforceApiPassword = self.get_credential_from_aws_secrets_manager( + salesforceApiPassword, + "salesforce_api_enabled_password_value" + ) + # API User Security Token + self.salesforceUserSecurityToken = self.get_credential_from_aws_secrets_manager( + salesforceUserSecurityToken, + "salesforce_api_enabled_security_token_value" + ) + + # Google Workspace + if assessmentTarget == "GoogleWorkspace": + logger.info("Coming soon!") + + # Snowflake + if assessmentTarget == "Snowflake": + # Process data["credentials"]["snowflake"] - values need to be assigned to self + snowflakeTomlValues = data["credentials"]["snowflake"] + + snowflakeUsername = str(snowflakeTomlValues["snowflake_username"]) + snowflakePasswordValue = str(snowflakeTomlValues["snowflake_password_value"]) + snowflakeAccountId = str(snowflakeTomlValues["snowflake_account_id"]) + snowflakeWarehouseName = str(snowflakeTomlValues["snowflake_warehouse_name"]) + snowflakeRegion = str(snowflakeTomlValues["snowflake_region"]) + serviceAccountExemptions = list(snowflakeTomlValues["snowflake_service_account_usernames"]) + + if any( + # Check to make sure none of the variables pulled from TOML are emtpy + not var for var in [ + snowflakeUsername, snowflakePasswordValue, snowflakeAccountId, snowflakeWarehouseName, snowflakeRegion + ] + ): + logger.error(f"One of your Snowflake TOML entries in [credentials.snowflake] is empty!") + sys.exit(2) - self.snowflakeConnection = snowflakeCursorConn[0] - self.snowflakeCursor = 
snowflakeCursorConn[1] + # Parse non-confidential values to environ + self.snowflakeUsername = snowflakeUsername + self.snowflakeAccountId = snowflakeAccountId + self.snowflakeWarehouseName = snowflakeWarehouseName + self.snowflakeRegion = snowflakeRegion + self.serviceAccountExemptions = serviceAccountExemptions + + # Retrieve value for Snowflake Password from the TOML, AWS SSM or AWS Secrets Manager + if self.credentialsLocation == "CONFIG_FILE": + self.snowflakePassowrd = snowflakePasswordValue + # SSM + elif self.credentialsLocation == "AWS_SSM": + self.snowflakePassowrd = self.get_credential_from_aws_ssm( + snowflakePasswordValue, + "snowflake_password_value" + ) + # AWS Secrets Manager + elif self.credentialsLocation == "AWS_SECRETS_MANAGER": + self.snowflakePassowrd = self.get_credential_from_aws_secrets_manager( + snowflakePasswordValue, + "snowflake_password_value" + ) + + # Retrieve cursor and connector + snowflakeCursorConn = self.create_snowflake_cursor() + + self.snowflakeConnection = snowflakeCursorConn[0] + self.snowflakeCursor = snowflakeCursorConn[1] + + # Non-TOML Args + if useToml == "False": + self.process_non_toml_args(assessmentTarget, args) def get_aws_regions(self): """ @@ -560,7 +568,7 @@ def get_aws_regions(self): return regions - def get_credential_from_aws_ssm(self, value, configurationName): + def get_credential_from_aws_ssm(self, value, configurationName) -> str: """ Retrieves a TOML variable from AWS Systems Manager Parameter Store and returns it """ @@ -589,7 +597,7 @@ def get_credential_from_aws_ssm(self, value, configurationName): return credential - def get_credential_from_aws_secrets_manager(self, value, configurationName): + def get_credential_from_aws_secrets_manager(self, value, configurationName) -> str: """ Retrieves a TOML variable from AWS Secrets Manager and returns it """ 
@@ -613,7 +621,7 @@ def get_credential_from_aws_secrets_manager(self, value, configurationName): return credential - def get_aws_accounts_from_organization(self): + def get_aws_accounts_from_organization(self) -> list[str]: """ Uses Organizations ListAccounts API to get a list of "ACTIVE" AWS Accounts in the entire Organization """ @@ -629,7 +637,7 @@ def get_aws_accounts_from_organization(self): return accounts - def get_aws_accounts_from_organizational_units(self, targets): + def get_aws_accounts_from_organizational_units(self, targets) -> list[str]: """ Uses Organizations ListAccountsForParent API to get a list of "ACTIVE" AWS Accounts for specified OUs """ @@ -684,7 +692,7 @@ def create_aws_session(account: str, partition: str, region: str, roleName: str) return session # This function is called outside of this Class and from create_aws_session() - def check_aws_partition(region: str): + def check_aws_partition(region: str) -> str: """ Returns the AWS Partition based on the current Region of a Session """ @@ -714,7 +722,7 @@ def check_aws_partition(region: str): return partition # This function is called outside of this Class - def get_aws_support_eligibility(session): + def get_aws_support_eligibility(session) -> bool: support = session.client("support") try: @@ -732,7 +740,7 @@ def get_aws_support_eligibility(session): return supportEligible # This function is called outside of this Class - def get_aws_shield_advanced_eligibility(session): + def get_aws_shield_advanced_eligibility(session) -> bool: shield = session.client("shield") try: @@ -749,7 +757,7 @@ def get_aws_shield_advanced_eligibility(session): return shieldEligible - def setup_gcp_credentials(self, credentialValue): + def setup_gcp_credentials(self, credentialValue) -> None: """ The Python Google Client SDK defaults to checking for credentials in the "GOOGLE_APPLICATION_CREDENTIALS" environment variable. This can be the location of a GCP Service Account (SA) Key which is stored in a JSON file. 
@@ -777,7 +785,7 @@ def setup_gcp_credentials(self, credentialValue): logger.info("%s saved to environment variable", credentials_file_path) environ["GOOGLE_APPLICATION_CREDENTIALS"] = credentials_file_path - def setup_oci_credentials(self, credentialValue): + def setup_oci_credentials(self, credentialValue) -> None: """ Oracle Cloud Python SDK Config object can be created and requires the path to a PEM file, we can save the PEM contents to a file and save the location to an environment variable to be used 
@@ -859,4 +867,52 @@ def create_snowflake_cursor(self) -> tuple[snowconn.connection.SnowflakeConnecti return conn, cur + def process_non_toml_args(self, assessmentTarget: str, args: dict) -> None: + """ + Process any additional arguments passed to the script that are not in the TOML file + """ + # First, process out the credentialsLocation arg ["AWS_SSM", "AWS_SECRETS_MANAGER", "CONFIG_FILE"] + try: + self.credentialsLocation = args.get("credentials_location") + except KeyError as ke: + logger.error( + "The credentials_location argument was not provided: %s", ke + ) + sys.exit(2) + + if assessmentTarget == "Snowflake": + try: + self.snowflakeUsername = str(args.get("snowflake_username")) + self.snowflakePasswordValue = str(args.get("snowflake_password_value")) + self.snowflakeAccountId = str(args.get("snowflake_account_id")) + self.snowflakeWarehouseName = str(args.get("snowflake_warehouse_name")) + self.snowflakeRegion = str(args.get("snowflake_region")) + self.serviceAccountExemptions = list(args.get("snowflake_service_account_usernames")) + except KeyError as ke: + logger.error( + "One of the required Snowflake arguments was not provided: %s", ke + ) + sys.exit(2) + + # Retrieve value for Snowflake Password from the TOML, AWS SSM or AWS Secrets Manager + if self.credentialsLocation == "CONFIG_FILE": + self.snowflakePassowrd = self.snowflakePasswordValue + # SSM + if self.credentialsLocation == "AWS_SSM": + self.snowflakePassowrd = self.get_credential_from_aws_ssm( + self.snowflakePasswordValue, + "snowflake_password_value" + ) + # AWS Secrets Manager + if self.credentialsLocation == "AWS_SECRETS_MANAGER": + self.snowflakePassowrd = self.get_credential_from_aws_secrets_manager( + self.snowflakePasswordValue, + "snowflake_password_value" + ) + + # Setup Cursor and Connector + snowflakeCursorConn = self.create_snowflake_cursor() + + self.snowflakeConnection = snowflakeCursorConn[0] + self.snowflakeCursor = snowflakeCursorConn[1] ## EOF \ No newline at end of file 
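Review bot: None of the `except KeyError` handlers in `process_non_toml_args` can fire, because `args.get(...)` returns None for a missing key instead of raising. A missing `snowflake_password_value` therefore becomes the literal string "None" through `str(...)`, a missing `snowflake_service_account_usernames` raises an unhandled TypeError from `list(None)`, and an absent or unrecognised `credentials_location` matches none of the three `if` branches, so the password attribute is never assigned before `create_snowflake_cursor()` runs. Index the keys directly so the handler does its job, e.g. `self.snowflakeUsername = str(args["snowflake_username"])`, and end the credentials-location chain with an explicit error for unknown values. The AWS branch added to this function in the later cloud_utils.py hunk (`@@ -879,7 +879,61 @@`) repeats the same `.get` plus `except KeyError` pattern. The attribute is also spelled `snowflakePassowrd`; confirm that `create_snowflake_cursor`, whose body is outside this hunk, reads the same spelling.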
diff --git a/eeauditor/controller.py b/eeauditor/controller.py index a6d9eddc..04dff9b0 100644 --- a/eeauditor/controller.py +++ b/eeauditor/controller.py @@ -24,25 +24,25 @@ from processor.main import get_providers, process_findings from os import environ -def print_controls(assessmentTarget, auditorName=None, tomlPath=None, useToml=True): - app = EEAuditor(assessmentTarget, tomlPath) +def print_controls(assessmentTarget, args, useToml, auditorName=None, tomlPath=None): + app = EEAuditor(assessmentTarget, args, useToml, tomlPath, ) app.load_plugins(auditorName) app.print_controls_json() -def print_checks(assessmentTarget, auditorName=None, tomlPath=None, useToml=True): - app = EEAuditor(assessmentTarget, tomlPath) +def print_checks(assessmentTarget, args, useToml, auditorName=None, tomlPath=None): + app = EEAuditor(assessmentTarget, args, useToml, tomlPath, ) app.load_plugins(auditorName) app.print_checks_md() -def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, outputs=None, outputFile="", tomlPath=None, useToml=True): +def run_auditor(assessmentTarget, args, useToml, auditorName=None, pluginName=None, delay=0, outputs=None, outputFile="", tomlPath=None): if not outputs: outputs = ["stdout"] - app = EEAuditor(assessmentTarget, tomlPath, useToml=True) + app = EEAuditor(assessmentTarget, args, useToml, tomlPath, ) app.load_plugins(auditorName) # Per-target calls - ensure you use the right run_*_checks*() function 
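Review bot: `print_controls`, `print_checks` and `run_auditor` forward `args` and `useToml` to `EEAuditor` exactly as click delivers them, which after this patch is a raw string (or None) for `--args` and the string "True" or "False" for `--use-toml`, not a dict and a bool. `process_non_toml_args` is annotated `args: dict` and calls `args.get(...)`, and any truthiness test on `useToml` would treat "False" as true; whether `CloudConfig` converts either value is not visible in these hunks. Converting once at the CLI boundary in `main` keeps every downstream signature honest: `use_toml = use_toml == "True"` and `args = json.loads(args) if args else {}` (with `import json` if controller.py does not already have it). A malformed `--args` string then fails with a clear JSON error before any provider session is created.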
@@ -176,9 +176,22 @@ def run_auditor(assessmentTarget, auditorName=None, pluginName=None, delay=0, ou @click.option( "-ut", "--use-toml", - default=True, + default="True", + type=click.Choice( + [ + "True", + "False" + ], + case_sensitive=True + ), help="Set to False to disable the use of the TOML file for external providers, defaults to True. THIS IS AN EXPERIMENTAL FEATURE" ) +# EXPERIMENTAL: Supply arguments in a stringified dictionary format +@click.option( + "--args", + default=None, + help="""Supply arguments in a dictionary format, e.g., '{"credentials_location": "CONFIG_FILE","snowflake_username": "ELECTRIC_EYE"}'. THIS IS AN EXPERIMENTAL FEATURE""" +) def main( target_provider, @@ -191,13 +204,15 @@ def main( list_checks, list_controls, toml_path, - use_toml + use_toml, + args ): if list_controls: print_controls( assessmentTarget=target_provider, + args=args, tomlPath=toml_path, - useToml=use_toml + useToml=use_toml, ) sys.exit(0) @@ -212,13 +227,15 @@ def main( if list_checks: print_checks( assessmentTarget=target_provider, + args=args, tomlPath=toml_path, - useToml=use_toml + useToml=use_toml, ) sys.exit(0) run_auditor( assessmentTarget=target_provider, + args=args, auditorName=auditor_name, pluginName=check_name, delay=delay, @@ -229,4 +246,6 @@ def main( ) if __name__ == "__main__": - main(sys.argv[1:]) \ No newline at end of file + main(sys.argv[1:]) + +# EOF \ No newline at end of file diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index 6e655615..4f71e0d4 100644 --- a/eeauditor/eeauditor.py +++ b/eeauditor/eeauditor.py 
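Review bot: The new `--args` option puts credentials on the command line: when `credentials_location` is `CONFIG_FILE`, `process_non_toml_args` uses `snowflake_password_value` as the password itself, so the secret lands in shell history and is readable in the process list by other local users. The help text should say this and steer users to the indirect locations, for example by appending `Values passed here are visible in shell history and process listings; prefer credentials_location AWS_SSM or AWS_SECRETS_MANAGER so only a parameter or secret name is supplied.` Accepting the same JSON from a file path or an environment variable would remove the exposure for the `CONFIG_FILE` case as well. CI systems that echo commands will also log the full `--args` value, which is worth a line in the documentation for this experimental flag.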
@@ -42,7 +42,7 @@ class EEAuditor(object): credentials and cross-boundary configurations, and runs Checks and yields results back to controller.py CLI """ - def __init__(self, assessmentTarget, tomlPath=None, searchPath=None, useToml=True): + def __init__(self, assessmentTarget, args, useToml, tomlPath=None, searchPath=None): # each check must be decorated with the @registry.register_check("cache_name") # to be discovered during plugin loading. self.registry = CheckRegister() @@ -54,7 +54,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None, useToml=Tru # AWS if assessmentTarget == "AWS": searchPath = "./auditors/aws" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.awsAccountTargets = utils.awsAccountTargets self.awsRegionsSelection = utils.awsRegionsSelection @@ -62,13 +62,13 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None, useToml=Tru # GCP if assessmentTarget == "GCP": searchPath = "./auditors/gcp" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.gcpProjectIds = utils.gcp_project_ids # OCI if assessmentTarget == "OCI": searchPath = "./auditors/oci" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.ociTenancyId = utils.ociTenancyId self.ociUserId = utils.ociUserId 
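Review bot: The identical call `CloudConfig(assessmentTarget, tomlPath, useToml, args)` is now repeated in every provider branch of `__init__` (this hunk and the ones at `@@ -54,7`, `@@ -62,13`, `@@ -78,14`, `@@ -93,11`, `@@ -106,7`, `@@ -117,7` and `@@ -127,7`), and its positional order differs from the new `__init__(self, assessmentTarget, args, useToml, tomlPath=None, searchPath=None)`, so a swapped `args`/`tomlPath` would be easy to miss in review. Passing the four values by keyword at each call site removes that risk; alternatively build `utils = CloudConfig(assessmentTarget, tomlPath, useToml, args)` once before the `if` chain, keeping in mind that this would also construct it for an unrecognised `assessmentTarget`, which none of the visible branches do today. Any existing caller that passes `tomlPath` as the second positional argument to `EEAuditor` will now bind it to `args`, so call sites outside controller.py should be checked. `__init__` starts before and continues after these hunks.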
@@ -78,14 +78,14 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None, useToml=Tru # Azure if assessmentTarget == "Azure": searchPath = "./auditors/azure" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.azureSubscriptions = utils.azureSubscriptions self.azureCredentials = utils.azureCredentials # Alibaba if assessmentTarget == "Alibaba": searchPath = "./auditors/alibabacloud" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) ################################### # SOFTWARE-AS-A-SERVICE PROVIDERS # @@ -93,11 +93,11 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None, useToml=Tru # Servicenow if assessmentTarget == "Servicenow": searchPath = "./auditors/servicenow" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) # M365 if assessmentTarget == "M365": searchPath = "./auditors/m365" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.m365TenantLocation = utils.m365TenantLocation self.m365ClientId = utils.m365ClientId @@ -106,7 +106,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None, useToml=Tru # Salesforce if assessmentTarget == "Salesforce": searchPath = "./auditors/salesforce" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.salesforceAppClientId = utils.salesforceAppClientId self.salesforceAppClientSecret = utils.salesforceAppClientSecret 
@@ -117,7 +117,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None, useToml=Tru # Snowflake if assessmentTarget == "Snowflake": searchPath = "./auditors/snowflake" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) # parse specific values for Assessment Target - these should match 1:1 with CloudConfig self.snowflakeAccountId = utils.snowflakeAccountId self.snowflakeRegion = utils.snowflakeRegion @@ -127,7 +127,7 @@ def __init__(self, assessmentTarget, tomlPath=None, searchPath=None, useToml=Tru # Google Workspace if assessmentTarget == "GoogleWorkspace": searchPath = "./auditors/google_workspace" - utils = CloudConfig(assessmentTarget, tomlPath, useToml) + utils = CloudConfig(assessmentTarget, tomlPath, useToml, args) # Search path for Auditors self.source = self.plugin_base.make_plugin_source( From 001599db9a539083b967956a11c56f0ae23ad887 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 20:30:11 -0400 Subject: [PATCH 50/55] Support `--args` for AWS, fix old ass bugs --- eeauditor/auditors/aws/AWS_Glue_Auditor.py | 542 ++++++++++---------- eeauditor/auditors/aws/Amazon_S3_Auditor.py | 4 +- eeauditor/cloud_utils.py | 54 ++ eeauditor/controller.py | 14 +- eeauditor/eeauditor.py | 58 ++- 5 files changed, 377 insertions(+), 295 deletions(-) diff --git a/eeauditor/auditors/aws/AWS_Glue_Auditor.py b/eeauditor/auditors/aws/AWS_Glue_Auditor.py index 55eb2117..eceb8a48 100644 --- a/eeauditor/auditors/aws/AWS_Glue_Auditor.py +++ b/eeauditor/auditors/aws/AWS_Glue_Auditor.py 
@@ -27,12 +27,26 @@ def list_crawlers(cache, session): glue = session.client("glue") + response = cache.get("list_crawlers") + if response: return response + cache["list_crawlers"] = glue.list_crawlers() return cache["list_crawlers"] +def get_data_catalog_encryption_settings(cache, session): + glue = session.client("glue") + + response = cache.get("get_data_catalog_encryption_settings") + + if response: + return response + + cache["get_data_catalog_encryption_settings"] = glue.get_data_catalog_encryption_settings() + return cache["get_data_catalog_encryption_settings"] + @registry.register_check("glue") def crawler_s3_encryption_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: """[Glue.1] AWS Glue crawler security configurations should enable Amazon S3 encryption""" @@ -484,7 +498,7 @@ def crawler_job_bookmark_encryption_check(cache: dict, session, awsAccountId: st "NIST SP 800-53 Rev. 4 SC-12", "NIST SP 800-53 Rev. 4 SC-28", "AICPA TSC CC6.1", - "ISO 27001:2013 A.8.2.3", + "ISO 27001:2013 A.8.2.3" ], }, "Workflow": {"Status": "RESOLVED"}, 
@@ -495,286 +509,280 @@ def crawler_job_bookmark_encryption_check(cache: dict, session, awsAccountId: st @registry.register_check("glue") def glue_data_catalog_encryption_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: """[Glue.4] AWS Glue data catalogs should be encrypted at rest""" - glue = session.client("glue") + response = get_data_catalog_encryption_settings(cache, session) catalogArn = f"arn:{awsPartition}:glue:{awsRegion}:{awsAccountId}:catalog" # ISO Time iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + # B64 encode all of the details for the Asset + assetJson = json.dumps(response,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + catalogEncrypted = True try: - response = glue.get_data_catalog_encryption_settings() - # B64 encode all of the details for the Asset - assetJson = json.dumps(response,default=str).encode("utf-8") - assetB64 = base64.b64encode(assetJson) - try: - catalogEncryptionCheck = str(response["DataCatalogEncryptionSettings"]["EncryptionAtRest"]["CatalogEncryptionMode"]) - except KeyError: - catalogEncryptionCheck = "DISABLED" - if catalogEncryptionCheck == "DISABLED": - finding = { - "SchemaVersion": "2018-10-08", - "Id": catalogArn + "/glue-data-catalog-encryption-check", - "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", - "GeneratorId": catalogArn, - "AwsAccountId": awsAccountId, - "Types": [ - "Software and Configuration Checks/AWS Security Best Practices", - "Effects/Data Exposure", - ], - "FirstObservedAt": iso8601Time, - "CreatedAt": iso8601Time, - "UpdatedAt": iso8601Time, - "Severity": {"Label": "HIGH"}, - "Confidence": 99, - "Title": "[Glue.4] AWS Glue data catalogs should be encrypted at rest", - "Description": "The AWS Glue data catalog for account " - + awsAccountId - + " is not encrypted. 
You can enable or disable encryption settings for the entire Data Catalog. In the process, you specify an AWS KMS key that is automatically used when objects, such as tables, databases, partitions, table versions, connections and/or user-defined functions, are written to the Data Catalog. Refer to the remediation instructions if this configuration is not intended", - "Remediation": { - "Recommendation": { - "Text": "For more information on data catalog encryption refer to the Encrypting Your Data Catalog section of the AWS Glue Developer Guide", - "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html", - } - }, - "ProductFields": { - "ProductName": "ElectricEye", - "Provider": "AWS", - "ProviderType": "CSP", - "ProviderAccountId": awsAccountId, - "AssetRegion": awsRegion, - "AssetDetails": assetB64, - "AssetClass": "Analytics", - "AssetService": "AWS Glue", - "AssetComponent": "Data Catalog" - }, - "Resources": [ - { - "Type": "AwsGlueDataCatalog", - "Id": catalogArn, - "Partition": awsPartition, - "Region": awsRegion, - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST CSF V1.1 PR.DS-1", - "NIST SP 800-53 Rev. 4 MP-8", - "NIST SP 800-53 Rev. 4 SC-12", - "NIST SP 800-53 Rev. 
4 SC-28", - "AICPA TSC CC6.1", - "ISO 27001:2013 A.8.2.3", - ], - }, - "Workflow": {"Status": "NEW"}, - "RecordState": "ACTIVE", - } - yield finding - else: - finding = { - "SchemaVersion": "2018-10-08", - "Id": catalogArn + "/glue-data-catalog-encryption-check", - "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", - "GeneratorId": catalogArn, - "AwsAccountId": awsAccountId, - "Types": [ - "Software and Configuration Checks/AWS Security Best Practices", - "Effects/Data Exposure", + response["DataCatalogEncryptionSettings"]["EncryptionAtRest"]["CatalogEncryptionMode"] + except KeyError: + catalogEncrypted = False + + # this is a failing check + if catalogEncrypted is False: + finding = { + "SchemaVersion": "2018-10-08", + "Id": catalogArn + "/glue-data-catalog-encryption-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": catalogArn, + "AwsAccountId": awsAccountId, + "Types": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Effects/Data Exposure", + ], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "MEDIUM"}, + "Confidence": 99, + "Title": "[Glue.4] AWS Glue data catalogs should be encrypted at rest", + "Description": "The AWS Glue data catalog for account " + + awsAccountId + + " is not encrypted. You can enable or disable encryption settings for the entire Data Catalog. In the process, you specify an AWS KMS key that is automatically used when objects, such as tables, databases, partitions, table versions, connections and/or user-defined functions, are written to the Data Catalog. 
Refer to the remediation instructions if this configuration is not intended", + "Remediation": { + "Recommendation": { + "Text": "For more information on data catalog encryption refer to the Encrypting Your Data Catalog section of the AWS Glue Developer Guide", + "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html", + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "AWS", + "ProviderType": "CSP", + "ProviderAccountId": awsAccountId, + "AssetRegion": awsRegion, + "AssetDetails": assetB64, + "AssetClass": "Analytics", + "AssetService": "AWS Glue", + "AssetComponent": "Data Catalog" + }, + "Resources": [ + { + "Type": "AwsGlueDataCatalog", + "Id": catalogArn, + "Partition": awsPartition, + "Region": awsRegion, + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.DS-1", + "NIST SP 800-53 Rev. 4 MP-8", + "NIST SP 800-53 Rev. 4 SC-12", + "NIST SP 800-53 Rev. 4 SC-28", + "AICPA TSC CC6.1", + "ISO 27001:2013 A.8.2.3", ], - "FirstObservedAt": iso8601Time, - "CreatedAt": iso8601Time, - "UpdatedAt": iso8601Time, - "Severity": {"Label": "INFORMATIONAL"}, - "Confidence": 99, - "Title": "[Glue.4] AWS Glue data catalogs should be encrypted at rest", - "Description": "The AWS Glue data catalog for account " - + awsAccountId - + " is encrypted.", - "Remediation": { - "Recommendation": { - "Text": "For more information on data catalog encryption refer to the Encrypting Your Data Catalog section of the AWS Glue Developer Guide", - "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html", - } - }, - "ProductFields": { - "ProductName": "ElectricEye", - "Provider": "AWS", - "ProviderType": "CSP", - "ProviderAccountId": awsAccountId, - "AssetRegion": awsRegion, - "AssetDetails": assetB64, - "AssetClass": "Analytics", - "AssetService": "AWS Glue", - "AssetComponent": "Data Catalog" - }, - "Resources": [ - { - "Type": "AwsGlueDataCatalog", - "Id": catalogArn, - 
"Partition": awsPartition, - "Region": awsRegion, - } + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE", + } + yield finding + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": catalogArn + "/glue-data-catalog-encryption-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": catalogArn, + "AwsAccountId": awsAccountId, + "Types": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Effects/Data Exposure", + ], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Glue.4] AWS Glue data catalogs should be encrypted at rest", + "Description": "The AWS Glue data catalog for account " + + awsAccountId + + " is encrypted.", + "Remediation": { + "Recommendation": { + "Text": "For more information on data catalog encryption refer to the Encrypting Your Data Catalog section of the AWS Glue Developer Guide", + "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html", + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "AWS", + "ProviderType": "CSP", + "ProviderAccountId": awsAccountId, + "AssetRegion": awsRegion, + "AssetDetails": assetB64, + "AssetClass": "Analytics", + "AssetService": "AWS Glue", + "AssetComponent": "Data Catalog" + }, + "Resources": [ + { + "Type": "AwsGlueDataCatalog", + "Id": catalogArn, + "Partition": awsPartition, + "Region": awsRegion, + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.DS-1", + "NIST SP 800-53 Rev. 4 MP-8", + "NIST SP 800-53 Rev. 4 SC-12", + "NIST SP 800-53 Rev. 4 SC-28", + "AICPA TSC CC6.1", + "ISO 27001:2013 A.8.2.3", ], - "Compliance": { - "Status": "PASSED", - "RelatedRequirements": [ - "NIST CSF V1.1 PR.DS-1", - "NIST SP 800-53 Rev. 4 MP-8", - "NIST SP 800-53 Rev. 4 SC-12", - "NIST SP 800-53 Rev. 
4 SC-28", - "AICPA TSC CC6.1", - "ISO 27001:2013 A.8.2.3", - ], - }, - "Workflow": {"Status": "RESOLVED"}, - "RecordState": "ARCHIVED", - } - yield finding - except Exception as e: - if str(e) == '"CrawlerSecurityConfiguration"': - pass - else: - print(e) + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED", + } + yield finding @registry.register_check("glue") def glue_data_catalog_password_encryption_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: """[Glue.5] AWS Glue data catalogs should be configured to encrypt connection passwords""" - glue = session.client("glue") + response = get_data_catalog_encryption_settings(cache, session) catalogArn = f"arn:{awsPartition}:glue:{awsRegion}:{awsAccountId}:catalog" # ISO Time iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + # B64 encode all of the details for the Asset + assetJson = json.dumps(response,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + + passwordEncryptionCheck = True try: - response = glue.get_data_catalog_encryption_settings() - # B64 encode all of the details for the Asset - assetJson = json.dumps(response,default=str).encode("utf-8") - assetB64 = base64.b64encode(assetJson) - try: - passwordEncryptionCheck = str(response["DataCatalogEncryptionSettings"]["ConnectionPasswordEncryption"]["ReturnConnectionPasswordEncrypted"]) - except: - passwordEncryptionCheck = "False" - if passwordEncryptionCheck == "False": - finding = { - "SchemaVersion": "2018-10-08", - "Id": catalogArn + "/glue-data-catalog-password-encryption-check", - "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", - "GeneratorId": catalogArn, - "AwsAccountId": awsAccountId, - "Types": [ - "Software and Configuration Checks/AWS Security Best Practices", - "Effects/Data Exposure", - ], - "FirstObservedAt": iso8601Time, - "CreatedAt": iso8601Time, - "UpdatedAt": 
iso8601Time, - "Severity": {"Label": "HIGH"}, - "Confidence": 99, - "Title": "[Glue.5] AWS Glue data catalogs should be configured to encrypt connection passwords", - "Description": "The AWS Glue data catalog for account " - + awsAccountId - + " is not configured to encrypt connection passwords. You can retrieve connection passwords in the AWS Glue Data Catalog by using the GetConnection and GetConnections API operations. These passwords are stored in the Data Catalog connection and are used when AWS Glue connects to a Java Database Connectivity (JDBC) data store. When the connection was created or updated, an option in the Data Catalog settings determined whether the password was encrypted. Refer to the remediation instructions if this configuration is not intended", - "Remediation": { - "Recommendation": { - "Text": "For more information on data catalog connection password encryption refer to the Encrypting Connection Passwords section of the AWS Glue Developer Guide", - "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html", - } - }, - "ProductFields": { - "ProductName": "ElectricEye", - "Provider": "AWS", - "ProviderType": "CSP", - "ProviderAccountId": awsAccountId, - "AssetRegion": awsRegion, - "AssetDetails": assetB64, - "AssetClass": "Analytics", - "AssetService": "AWS Glue", - "AssetComponent": "Data Catalog" - }, - "Resources": [ - { - "Type": "AwsGlueDataCatalog", - "Id": catalogArn, - "Partition": awsPartition, - "Region": awsRegion, - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST CSF V1.1 PR.DS-1", - "NIST SP 800-53 Rev. 4 MP-8", - "NIST SP 800-53 Rev. 4 SC-12", - "NIST SP 800-53 Rev. 
4 SC-28", - "AICPA TSC CC6.1", - "ISO 27001:2013 A.8.2.3", - ], - }, - "Workflow": {"Status": "NEW"}, - "RecordState": "ACTIVE", - } - yield finding - else: - finding = { - "SchemaVersion": "2018-10-08", - "Id": catalogArn + "/glue-data-catalog-password-encryption-check", - "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", - "GeneratorId": catalogArn, - "AwsAccountId": awsAccountId, - "Types": [ - "Software and Configuration Checks/AWS Security Best Practices", - "Effects/Data Exposure", + response["DataCatalogEncryptionSettings"]["ConnectionPasswordEncryption"]["ReturnConnectionPasswordEncrypted"] + except KeyError: + passwordEncryptionCheck = False + + # this is a failing check + if passwordEncryptionCheck is False: + finding = { + "SchemaVersion": "2018-10-08", + "Id": catalogArn + "/glue-data-catalog-password-encryption-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": catalogArn, + "AwsAccountId": awsAccountId, + "Types": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Effects/Data Exposure", + ], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[Glue.5] AWS Glue data catalogs should be configured to encrypt connection passwords", + "Description": "The AWS Glue data catalog for account " + + awsAccountId + + " is not configured to encrypt connection passwords. You can retrieve connection passwords in the AWS Glue Data Catalog by using the GetConnection and GetConnections API operations. These passwords are stored in the Data Catalog connection and are used when AWS Glue connects to a Java Database Connectivity (JDBC) data store. When the connection was created or updated, an option in the Data Catalog settings determined whether the password was encrypted. 
Refer to the remediation instructions if this configuration is not intended", + "Remediation": { + "Recommendation": { + "Text": "For more information on data catalog connection password encryption refer to the Encrypting Connection Passwords section of the AWS Glue Developer Guide", + "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html", + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "AWS", + "ProviderType": "CSP", + "ProviderAccountId": awsAccountId, + "AssetRegion": awsRegion, + "AssetDetails": assetB64, + "AssetClass": "Analytics", + "AssetService": "AWS Glue", + "AssetComponent": "Data Catalog" + }, + "Resources": [ + { + "Type": "AwsGlueDataCatalog", + "Id": catalogArn, + "Partition": awsPartition, + "Region": awsRegion, + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.DS-1", + "NIST SP 800-53 Rev. 4 MP-8", + "NIST SP 800-53 Rev. 4 SC-12", + "NIST SP 800-53 Rev. 4 SC-28", + "AICPA TSC CC6.1", + "ISO 27001:2013 A.8.2.3", ], - "FirstObservedAt": iso8601Time, - "CreatedAt": iso8601Time, - "UpdatedAt": iso8601Time, - "Severity": {"Label": "INFORMATIONAL"}, - "Confidence": 99, - "Title": "[Glue.5] AWS Glue data catalogs should be configured to encrypt connection passwords", - "Description": "The AWS Glue data catalog for account " - + awsAccountId - + " is configured to encrypt connection passwords.", - "Remediation": { - "Recommendation": { - "Text": "For more information on data catalog connection password encryption refer to the Encrypting Connection Passwords section of the AWS Glue Developer Guide", - "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html", - } - }, - "ProductFields": { - "ProductName": "ElectricEye", - "Provider": "AWS", - "ProviderType": "CSP", - "ProviderAccountId": awsAccountId, - "AssetRegion": awsRegion, - "AssetDetails": assetB64, - "AssetClass": "Analytics", - "AssetService": "AWS Glue", - 
"AssetComponent": "Data Catalog" - }, - "Resources": [ - { - "Type": "AwsGlueDataCatalog", - "Id": catalogArn, - "Partition": awsPartition, - "Region": awsRegion, - } + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE", + } + yield finding + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": catalogArn + "/glue-data-catalog-password-encryption-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": catalogArn, + "AwsAccountId": awsAccountId, + "Types": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Effects/Data Exposure", + ], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[Glue.5] AWS Glue data catalogs should be configured to encrypt connection passwords", + "Description": "The AWS Glue data catalog for account " + + awsAccountId + + " is configured to encrypt connection passwords.", + "Remediation": { + "Recommendation": { + "Text": "For more information on data catalog connection password encryption refer to the Encrypting Connection Passwords section of the AWS Glue Developer Guide", + "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html", + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "AWS", + "ProviderType": "CSP", + "ProviderAccountId": awsAccountId, + "AssetRegion": awsRegion, + "AssetDetails": assetB64, + "AssetClass": "Analytics", + "AssetService": "AWS Glue", + "AssetComponent": "Data Catalog" + }, + "Resources": [ + { + "Type": "AwsGlueDataCatalog", + "Id": catalogArn, + "Partition": awsPartition, + "Region": awsRegion, + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.DS-1", + "NIST SP 800-53 Rev. 4 MP-8", + "NIST SP 800-53 Rev. 4 SC-12", + "NIST SP 800-53 Rev. 
4 SC-28", + "AICPA TSC CC6.1", + "ISO 27001:2013 A.8.2.3", ], - "Compliance": { - "Status": "PASSED", - "RelatedRequirements": [ - "NIST CSF V1.1 PR.DS-1", - "NIST SP 800-53 Rev. 4 MP-8", - "NIST SP 800-53 Rev. 4 SC-12", - "NIST SP 800-53 Rev. 4 SC-28", - "AICPA TSC CC6.1", - "ISO 27001:2013 A.8.2.3", - ], - }, - "Workflow": {"Status": "RESOLVED"}, - "RecordState": "ARCHIVED", - } - yield finding - except Exception as e: - if str(e) == '"CrawlerSecurityConfiguration"': - pass - else: - print(e) + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED", + } + yield finding @registry.register_check("glue") def glue_data_catalog_resource_policy_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: @@ -945,4 +953,6 @@ def glue_data_catalog_resource_policy_check(cache: dict, session, awsAccountId: } yield finding else: - print(e) \ No newline at end of file + print(e) + +# EOF \ No newline at end of file diff --git a/eeauditor/auditors/aws/Amazon_S3_Auditor.py b/eeauditor/auditors/aws/Amazon_S3_Auditor.py index 9d0be48c..ca7affca 100644 --- a/eeauditor/auditors/aws/Amazon_S3_Auditor.py +++ b/eeauditor/auditors/aws/Amazon_S3_Auditor.py @@ -779,12 +779,14 @@ def aws_s3_bucket_policy_check(cache: dict, session, awsAccountId: str, awsRegio assetB64 = base64.b64encode(assetJson) bucketName = buckets["Name"] s3Arn = f"arn:{awsPartition}:s3:::{bucketName}" + + bucketHasPolicy = True # Check to see if there is a policy at all try: s3.get_bucket_policy(Bucket=bucketName) - bucketHasPolicy = True except ClientError: bucketHasPolicy = False + # this is a failing check if bucketHasPolicy is False: finding = { diff --git a/eeauditor/cloud_utils.py b/eeauditor/cloud_utils.py index 9f753a44..db45bdef 100644 --- a/eeauditor/cloud_utils.py +++ b/eeauditor/cloud_utils.py 
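Review bot: Both rewritten checks now pass whenever the key exists, whatever its value: `glue_data_catalog_encryption_check` only sets `catalogEncrypted = False` on KeyError, and `glue_data_catalog_password_encryption_check` does the same for `passwordEncryptionCheck`. The removed code compared the values against "DISABLED" and "False", so a catalog that reports `CatalogEncryptionMode` as "DISABLED" or `ReturnConnectionPasswordEncrypted` as false would now produce a PASSED / ARCHIVED finding, which is a false negative in an encryption-at-rest control. The value itself has to be evaluated, as in the excerpt below. Separately, removing the outer try/except means an API error from `get_data_catalog_encryption_settings` (for example an access-denied response) now propagates out of the generator; confirm the check runner handles that rather than aborting the remaining Glue checks.

```python
    # glue_data_catalog_encryption_check
    # … unchanged: cached response lookup, catalogArn, iso8601Time, assetB64 …
    encryptionAtRest = response.get("DataCatalogEncryptionSettings", {}).get("EncryptionAtRest", {})
    # Key presence is not enough: an unencrypted catalog reports the mode as "DISABLED"
    catalogEncrypted = encryptionAtRest.get("CatalogEncryptionMode", "DISABLED") != "DISABLED"
    # … unchanged: failing and passing finding dictionaries …

    # glue_data_catalog_password_encryption_check
    # … unchanged: cached response lookup, catalogArn, iso8601Time, assetB64 …
    passwordSettings = response.get("DataCatalogEncryptionSettings", {}).get("ConnectionPasswordEncryption", {})
    # Only an explicit True means connection passwords are stored encrypted
    passwordEncryptionCheck = passwordSettings.get("ReturnConnectionPasswordEncrypted", False) is True
    # … unchanged: failing and passing finding dictionaries …
```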
@@ -879,7 +879,61 @@ def process_non_toml_args(self, assessmentTarget: str, args: dict) -> None: "The credentials_location argument was not provided: %s", ke ) sys.exit(2) + + # AWS + if assessmentTarget == "AWS": + sts = boto3.client("sts") + # First process the global "aws_multi_account_target_type" and "aws_account_targets" args + try: + awsMultiAccountTargetType = str(args.get("aws_multi_account_target_type")) + awsAccountTargets = list(args.get("aws_account_targets")) + awsRegionsSelection = list(args.get("aws_regions_selection")) + electricEyeRoleName = args.get("aws_electric_eye_iam_role_name") + except KeyError as ke: + logger.error( + "One of the required global AWS arguments was not provided: %s", ke + ) + sys.exit(2) + # Process account targets based on the multi-account target type + if awsMultiAccountTargetType == "Accounts": + if not awsAccountTargets: + self.awsAccountTargets = [sts.get_caller_identity()["Account"]] + else: + self.awsAccountTargets = awsAccountTargets + if awsMultiAccountTargetType == "OU": + if not awsAccountTargets: + logger.error("OU was specified but targets were not specified.") + sys.exit(2) + # Regex to check for Valid OUs + ouIdRegex = compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$") + for ou in awsAccountTargets: + if not ouIdRegex.match(ou): + logger.error(f"Invalid Organizational Unit ID {ou}.") + sys.exit(2) + self.awsAccountTargets = self.get_aws_accounts_from_organizational_units(awsAccountTargets) + if awsMultiAccountTargetType == "Organization": + self.awsAccountTargets = self.get_aws_accounts_from_organization() + + # Process aws_regions_selection + awsRegions = self.get_aws_regions() + if not awsRegionsSelection: + self.awsRegionsSelection = [boto3.Session().region_name] + else: + if "All" in awsRegionsSelection or "all" in awsRegionsSelection: + self.awsRegionsSelection = awsRegions + else: + # Validation check + self.awsRegionsSelection = [a for a in awsRegionsSelection if a in awsRegions] + # Process 
["aws_electric_eye_iam_role_name"] + if electricEyeRoleName is None or electricEyeRoleName == "": + logger.warning( + "A value for ['aws_electric_eye_iam_role_name'] was not provided. Will attempt to use current session credentials, this will likely fail if you're attempting to assess another AWS account." + ) + self.electricEyeRoleName = None + + self.electricEyeRoleName = electricEyeRoleName + # Snowflake if assessmentTarget == "Snowflake": try: self.snowflakeUsername = str(args.get("snowflake_username")) diff --git a/eeauditor/controller.py b/eeauditor/controller.py index 04dff9b0..88d698c0 100644 --- a/eeauditor/controller.py +++ b/eeauditor/controller.py @@ -25,14 +25,14 @@ from os import environ def print_controls(assessmentTarget, args, useToml, auditorName=None, tomlPath=None): - app = EEAuditor(assessmentTarget, args, useToml, tomlPath, ) + app = EEAuditor(assessmentTarget, args, useToml, tomlPath) app.load_plugins(auditorName) app.print_controls_json() def print_checks(assessmentTarget, args, useToml, auditorName=None, tomlPath=None): - app = EEAuditor(assessmentTarget, args, useToml, tomlPath, ) + app = EEAuditor(assessmentTarget, args, useToml, tomlPath) app.load_plugins(auditorName) @@ -42,7 +42,7 @@ def run_auditor(assessmentTarget, args, useToml, auditorName=None, pluginName=No if not outputs: outputs = ["stdout"] - app = EEAuditor(assessmentTarget, args, useToml, tomlPath, ) + app = EEAuditor(assessmentTarget, args, useToml, tomlPath) app.load_plugins(auditorName) # Per-target calls - ensure you use the right run_*_checks*() function 
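Review bot: The `except KeyError` around the `args.get(...)` calls can never fire, because `dict.get` returns None for a missing key. A missing `aws_account_targets` then raises TypeError from `list(None)`, and a missing target type becomes the string "None". Index the required keys instead, e.g. `awsMultiAccountTargetType = str(args["aws_multi_account_target_type"])`, so the logged error and `sys.exit(2)` are actually reached. A target type other than Accounts, OU or Organization falls through all three `if` blocks without setting `self.awsAccountTargets`, and regions rejected by the validation comprehension are dropped without a log line, so a typo can silently shrink the assessment scope. process_non_toml_args starts and ends outside the hunk.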
@@ -68,8 +68,8 @@ def run_auditor(assessmentTarget, args, useToml, auditorName=None, pluginName=No # Snowflake if assessmentTarget == "Snowflake": findings = list(app.run_snowflake_checks(pluginName=pluginName, delay=delay)) - # ServiceNow, and some other shit, probably - else: + # ServiceNow + if assessmentTarget == "ServiceNow": findings = list(app.run_non_aws_checks(pluginName=pluginName, delay=delay)) print(f"Done running Checks for {assessmentTarget}") @@ -184,13 +184,13 @@ def run_auditor(assessmentTarget, args, useToml, auditorName=None, pluginName=No ], case_sensitive=True ), - help="Set to False to disable the use of the TOML file for external providers, defaults to True. THIS IS AN EXPERIMENTAL FEATURE" + help="Set to False to disable the use of the TOML file for external providers, defaults to True. THIS IS AN EXPERIMENTAL FEATURE!" ) # EXPERIMENTAL: Supply arguments in a stringified dictionary format @click.option( "--args", default=None, - help="""Supply arguments in a dictionary format, e.g., '{"credentials_location": "CONFIG_FILE","snowflake_username": "ELECTRIC_EYE"}'. THIS IS AN EXPERIMENTAL FEATURE""" + help="Supply arguments in a stringified dictionary format, e.g., '{\"credentials_location\": \"CONFIG_FILE\", \"snowflake_username\": \"ELECTRIC_EYE\"}'. THIS IS AN EXPERIMENTAL FEATURE!" ) def main( diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index 4f71e0d4..3d5469b6 100644 --- a/eeauditor/eeauditor.py +++ b/eeauditor/eeauditor.py @@ -23,8 +23,9 @@ from functools import partial from inspect import getfile from time import sleep -from traceback import format_exc import json +import boto3 +from traceback import format_exc from requests import get from check_register import CheckRegister from cloud_utils import CloudConfig 
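Review bot: With `else:` replaced by `if assessmentTarget == "ServiceNow":`, no branch visible here assigns `findings` for a target that matches none of the comparisons, so the code after the chain would presumably fail on an unbound name instead of reporting an unsupported target. I would make the comparisons one `if`/`elif` chain and end it with `else: raise ValueError(f"Unsupported assessment target: {assessmentTarget}")`. The earlier branches and the later use of `findings` are outside the hunk, so this depends on which values the `-t` option allows.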
@@ -240,28 +241,36 @@ def run_aws_checks(self, pluginName=None, delay=0): ) for account in self.awsAccountTargets: - # This list will contain the "global" services so they're not run multiple times globalAuditorsCompleted = [] for region in self.awsRegionsSelection: + # Dervice the Partition ID from the AWS Region - needed for ASFF & service availability checks + partition = CloudConfig.check_aws_partition(region) + # attempt to use current session creds + if self.electricEyeRoleName is None or self.electricEyeRoleName == "": + session = boto3.Session(region_name=region) + logger.info( + "Using current session credentials for Account %s in region %s", + account, region + ) + # Setup Boto3 Session with STS AssumeRole + else: + session = CloudConfig.create_aws_session( + account, + partition, + region, + self.electricEyeRoleName + ) + logger.info( + "Using STS AssumeRole credentials for Account %s in region %s", + account, region + ) + for serviceName, checkList in self.registry.checks.items(): # Pass the Cache at the "serviceName" level aka Plugin auditorCache = {} - # Dervice the Partition ID from the AWS Region - needed for ASFF & service availability checks - partition = CloudConfig.check_aws_partition(region) - # Setup Boto3 Session with STS AssumeRole - if self.electricEyeRoleName is not None: - session = CloudConfig.create_aws_session( - account, - partition, - region, - self.electricEyeRoleName - ) - # attempt to use current session creds - else: - import boto3 - session = boto3.Session(region_name=region) + # Check service availability, not always accurate if self.check_service_endpoint_availability(endpointData, partition, serviceName, region) is False: logger.info( 
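Review bot: When no role name is configured, `boto3.Session(region_name=region)` is created inside `for account in self.awsAccountTargets`, so every listed account is evaluated with the caller's own credentials while the checks still receive `awsAccountId=account`. Findings would then be attributed to accounts that were never queried. I would resolve the caller's account once with `sts.get_caller_identity()["Account"]` and put `if account != callerAccountId: continue` (with an error log) at the top of the account loop for the no-role case. Separately, `CloudConfig.create_aws_session` is now called outside any try block. Assuming it raises on a failed AssumeRole, one inaccessible account would end the generator for all remaining accounts and regions. run_aws_checks starts and ends outside the hunk.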
@@ -310,22 +319,29 @@ def run_aws_checks(self, pluginName=None, delay=0): and pluginName == checkName ): try: + if session is None: + raise ValueError("Session is None, cannot run checks.") + logger.info( "Executing Check %s for Account %s in region %s", checkName, account, region ) - for finding in check( + + checkEval = check( cache=auditorCache, session=session, awsAccountId=account, awsRegion=region, - awsPartition=partition, - ): + awsPartition=partition + ) + for finding in checkEval: if finding is not None: yield finding + else: + continue except Exception: - logger.warn( - "Failed to execute check %s with traceback %s", + logger.warning( + "Failed to execute check %s with exception: %s", checkName, format_exc() ) From e13989148803f4d4ea3ca65994309c365518d5c0 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 20:42:21 -0400 Subject: [PATCH 51/55] fixing some old ass AWS bugs --- eeauditor/auditors/aws/AWS_Glue_Auditor.py | 39 ++++++++++++++------- eeauditor/auditors/aws/Amazon_S3_Auditor.py | 7 ++-- 2 files changed, 32 insertions(+), 14 deletions(-) diff --git a/eeauditor/auditors/aws/AWS_Glue_Auditor.py b/eeauditor/auditors/aws/AWS_Glue_Auditor.py index eceb8a48..628cf8c9 100644 --- a/eeauditor/auditors/aws/AWS_Glue_Auditor.py +++ b/eeauditor/auditors/aws/AWS_Glue_Auditor.py @@ -18,11 +18,16 @@ #specific language governing permissions and limitations #under the License. +import logging import datetime from check_register import CheckRegister +from botocore.exceptions import ClientError import base64 import json +logging.getLogger().setLevel(logging.INFO) +logger = logging.getLogger("AwsGlueAuditor") + registry = CheckRegister() def list_crawlers(cache, session): 
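Review bot: In the AWS_Glue_Auditor.py import hunk, `logging.getLogger().setLevel(logging.INFO)` changes the level of the root logger as a side effect of importing this auditor, which overrides whatever level the entry point configured for the whole process. Set the level on the module's own logger instead, `logger.setLevel(logging.INFO)`, or leave level configuration to the controller.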
@@ -51,23 +56,33 @@ def get_data_catalog_encryption_settings(cache, session): def crawler_s3_encryption_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: """[Glue.1] AWS Glue crawler security configurations should enable Amazon S3 encryption""" glue = session.client("glue") - crawler = list_crawlers(cache, session) - myCrawlers = crawler["CrawlerNames"] - for crawlers in myCrawlers: - crawlerName = str(crawlers) + crawlers = list_crawlers(cache, session)["CrawlerNames"] + # ISO Time + iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + + for crawler in crawlers: + crawlerName = crawler crawlerArn = f"arn:{awsPartition}:glue:{awsRegion}:{awsAccountId}:crawler/{crawlerName}" - # ISO Time - iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() - response = glue.get_crawler(Name=crawlerName) + response = glue.get_crawler(Name=crawler) + # B64 encode all of the details for the Asset assetJson = json.dumps(response,default=str).encode("utf-8") assetB64 = base64.b64encode(assetJson) + + crawlerS3Encryption = True try: sec = glue.get_security_configuration(Name=response["Crawler"]["CrawlerSecurityConfiguration"]) - s3EncryptionCheck = str(sec["SecurityConfiguration"]["EncryptionConfiguration"]["S3Encryption"][0]["S3EncryptionMode"]) - except KeyError: - s3EncryptionCheck = "DISABLED" - if s3EncryptionCheck == "DISABLED": + sec["SecurityConfiguration"]["EncryptionConfiguration"]["S3Encryption"][0]["S3EncryptionMode"] + except ClientError as ce: + crawlerS3Encryption = False + logger.warning("Failed to get security configuration for crawler %s: %s", crawler, ce) + except KeyError as ke: + crawlerS3Encryption = False + logger.warning("Failed to get security configuration for crawler %s: %s", crawler, ke) + + + # this is a failing check + if crawlerS3Encryption is False: finding = { "SchemaVersion": "2018-10-08", "Id": crawlerArn + 
"/glue-crawler-s3-encryption-check", @@ -81,7 +96,7 @@ def crawler_s3_encryption_check(cache: dict, session, awsAccountId: str, awsRegi "FirstObservedAt": iso8601Time, "CreatedAt": iso8601Time, "UpdatedAt": iso8601Time, - "Severity": {"Label": "HIGH"}, + "Severity": {"Label": "MEDIUM"}, "Confidence": 99, "Title": "[Glue.1] AWS Glue crawler security configurations should enable Amazon S3 encryption", "Description": "AWS Glue crawler " diff --git a/eeauditor/auditors/aws/Amazon_S3_Auditor.py b/eeauditor/auditors/aws/Amazon_S3_Auditor.py index ca7affca..48006759 100644 --- a/eeauditor/auditors/aws/Amazon_S3_Auditor.py +++ b/eeauditor/auditors/aws/Amazon_S3_Auditor.py @@ -1015,6 +1015,7 @@ def aws_s3_bucket_access_logging_check(cache: dict, session, awsAccountId: str, assetB64 = base64.b64encode(assetJson) bucketName = buckets["Name"] s3Arn = f"arn:{awsPartition}:s3:::{bucketName}" + # attempt to get server access logging try: s3.get_bucket_logging(Bucket=bucketName)["LoggingEnabled"] @@ -1023,6 +1024,7 @@ def aws_s3_bucket_access_logging_check(cache: dict, session, awsAccountId: str, bucketServerLogging = False except KeyError: bucketServerLogging = False + # this is a passing check if bucketServerLogging is True: finding = { @@ -1224,6 +1226,7 @@ def s3_account_level_block(cache: dict, session, awsAccountId: str, awsRegion: s # B64 encode all of the details for the Asset assetJson = json.dumps(blocker,default=str).encode("utf-8") assetB64 = base64.b64encode(assetJson) + # If they're all True it's good if ( blocker["BlockPublicAcls"] @@ -1234,7 +1237,7 @@ def s3_account_level_block(cache: dict, session, awsAccountId: str, awsRegion: s accountPublicBlock = True else: accountPublicBlock = False - except Exception: + except ClientError or Exception: accountPublicBlock = False assetB64 = None 
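Review bot: crawler_s3_encryption_check no longer compares the encryption mode with "DISABLED". The subscript expression ending in `["S3EncryptionMode"]` is evaluated and discarded, so a security configuration whose mode is DISABLED leaves `crawlerS3Encryption = True` and the crawler is reported as passing. Keep the value and test it: `mode = sec["SecurityConfiguration"]["EncryptionConfiguration"]["S3Encryption"][0]["S3EncryptionMode"]` followed by `if mode == "DISABLED": crawlerS3Encryption = False`. An empty `S3Encryption` list would raise IndexError, which neither except clause catches. The function continues past the end of the hunk.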
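Review bot: In s3_account_level_block, `except ClientError or Exception:` does not catch both types. The `or` expression evaluates to `ClientError`, so the clause is the same as `except ClientError:`, and any other exception (for example a KeyError from the `blocker[...]` lookups) now propagates out of the check. Write the intended set as a tuple, `except (ClientError, KeyError):`, or keep the plain `except Exception:` that was there before. The try block starts outside the hunk.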
@@ -1486,7 +1489,7 @@ def aws_s3_bucket_deny_http_access_check(cache: dict, session, awsAccountId: str blockHttpObjectAccess = False # This is a failing check - if blockHttpObjectAccess is not True: + if blockHttpObjectAccess is False: finding = { "SchemaVersion": "2018-10-08", "Id": f"{s3Arn}/s3-bucket-block-insecure-http-access-check", From e07afe30dc71350a401650bab9cba702a2e7c813 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 20:51:34 -0400 Subject: [PATCH 52/55] doc experimental --args --- docs/setup/Setup_AWS.md | 10 ++++++---- docs/setup/Setup_Snowflake.md | 12 +++++++----- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/docs/setup/Setup_AWS.md b/docs/setup/Setup_AWS.md index 51ab43eb..60c705ed 100644 --- a/docs/setup/Setup_AWS.md +++ b/docs/setup/Setup_AWS.md @@ -36,6 +36,8 @@ The easiest way to set up this Role and permissions is either creating a StackSe ## Configuring TOML +> **EXPERIMENTAL**: Using the arguments `-ut` False and `--args` you can provide an escaped JSON object containing the below values instead of using the TOML. For example: `python .\eeauditor\controller.py -ut False --args '{\"credentials_location\": \"CONFIG_FILE\",\"aws_multi_account_target_type\": \"Accounts\",\"aws_account_targets\": [],\"aws_regions_selection\": [],\"aws_electric_eye_iam_role_name\": \"\"}'` will evaluate your current Region and Account for AWS. + This section explains how to configure ElectricEye using a TOML configuration file. The configuration file contains settings for credentials, regions, accounts, and global settings and is located [here](../../eeauditor/external_providers.toml). To configure the TOML file, you need to modify the values of the variables in the `[global]` and `[regions_and_accounts.aws]` sections of the file. Here's an overview of the key variables you need to configure: 
@@ -112,25 +114,25 @@ pip3 install --user -r requirements.txt 5. Use the Controller to conduct different kinds of Assessments. - - 5A. Retrieve all options for the Controller. +- 5A. Retrieve all options for the Controller. ```bash python3 eeauditor/controller.py --help ``` - - 5B. Evaluate your entire AWS environment. +- 5B. Evaluate your entire AWS environment. ```bash python3 eeauditor/controller.py -t AWS ``` - - 5C. Evaluate your AWS environment against a specifc Auditor (runs all Checks within the Auditor). +- 5C. Evaluate your AWS environment against a specifc Auditor (runs all Checks within the Auditor). ```bash python3 eeauditor/controller.py -t AWS -a AWS_IAM_Auditor ``` - - 5D. Evaluate your AWS environment against a specific Check within any Auditor, it is ***not required*** to specify the Auditor name as well. The below examples runs the `[Athena.1] Athena workgroups should be configured to enforce query result encryption` check. +- 5D. Evaluate your AWS environment against a specific Check within any Auditor, it is ***not required*** to specify the Auditor name as well. The below examples runs the `[Athena.1] Athena workgroups should be configured to enforce query result encryption` check. ```bash python3 eeauditor/controller.py -t AWS -c athena_workgroup_encryption_check diff --git a/docs/setup/Setup_Snowflake.md b/docs/setup/Setup_Snowflake.md index e173e148..381af26d 100644 --- a/docs/setup/Setup_Snowflake.md +++ b/docs/setup/Setup_Snowflake.md 
@@ -52,6 +52,8 @@ Now that you have setup your Role, Grants, and new "service account" User - you ## Configuring TOML +> **EXPERIMENTAL**: Using the arguments `-ut` False and `--args` you can provide an escaped JSON object containing the below values instead of using the TOML. For example: `python .\eeauditor\controller.py -t Snowflake -ut False --args '{\"credentials_location\": \"CONFIG_FILE\",\"snowflake_username\": \"EXAMPLE\",\"snowflake_password_value\" : \"EXAMPLE\",\"snowflake_account_id\": \"EXAMPLE\",\"snowflake_warehouse_name\": \"EXAMPLE\",\"snowflake_region\": \"EXAMPLE\",\"snowflake_service_account_usernames\": [\"EXAMPLE\", \"EXAMPLE\"]}'` + This section explains how to configure ElectricEye using a TOML configuration file. The configuration file contains settings for credentials, regions, accounts, and global settings and is located [here](../../eeauditor/external_providers.toml). To configure the TOML file, you need to modify the values of the variables in the `[global]`, `[regions_and_accounts.oci]`, and `[credentials.oci]` sections of the file. Here's an overview of the key variables you need to configure: 
@@ -106,27 +108,27 @@ pip3 install -r requirements.txt pip3 install --user -r requirements.txt ``` -4. Use the Controller to conduct different kinds of Assessments. +4. Use the Controller to conduct different kinds of Assessments. Ensure you use the `-tp` / `--toml-path` argument if you have a custom TOML configuration file. - - 4A. Retrieve all options for the Controller. +- 4A. Retrieve all options for the Controller. ```bash python3 eeauditor/controller.py --help ``` - - 4B. Evaluate your entire Snowflake Account. +- 4B. Evaluate your entire Snowflake Account. ```bash python3 eeauditor/controller.py -t Snowflake ``` - - 4C. Evaluate your Snowflake environment against a specifc Auditor (runs all Checks within the Auditor). +- 4C. Evaluate your Snowflake environment against a specifc Auditor (runs all Checks within the Auditor). ```bash python3 eeauditor/controller.py -t Snowflake -a Snowflake_Account_Auditor ``` - - 4D. Evaluate your Snowflake environment against a specific Check within any Auditor, it is ***not required*** to specify the Auditor name as well. The below examples runs the "[Snowflake.Account.9] Snowflake Accounts should configure a password policy" check. +- 4D. Evaluate your Snowflake environment against a specific Check within any Auditor, it is ***not required*** to specify the Auditor name as well. The below examples runs the "[Snowflake.Account.9] Snowflake Accounts should configure a password policy" check. ```bash python3 eeauditor/controller.py -t Snowflake -c snowflake_account_password_policy_check From b67ce72faf998a0c7e165f8e9c54c7cd25c14404 Mon Sep 17 00:00:00 2001 From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 21:23:01 -0400 Subject: [PATCH 53/55] architecture changes --- eeauditor/eeauditor.py | 19 ++++++------------- screenshots/electrice_eye_architecture.jpg | Bin 142840 -> 147682 bytes screenshots/extras/ElectricEye.pptx | Bin 857877 -> 751188 bytes 3 files changed, 6 insertions(+), 13 deletions(-) 
diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index 3d5469b6..59fbf51c 100644 --- a/eeauditor/eeauditor.py +++ b/eeauditor/eeauditor.py @@ -24,8 +24,6 @@ from inspect import getfile from time import sleep import json -import boto3 -from traceback import format_exc from requests import get from check_register import CheckRegister from cloud_utils import CloudConfig @@ -229,6 +227,7 @@ def run_aws_checks(self, pluginName=None, delay=0): """ Runs AWS Auditors across all TOML-specified Accounts and Regions in a specific Partition """ + import boto3 # "Global" Auditors that should only need to be ran once per Account globalAuditors = ["cloudfront", "globalaccelerator", "iam", "health", "support", "account", "s3"] @@ -319,30 +318,24 @@ def run_aws_checks(self, pluginName=None, delay=0): and pluginName == checkName ): try: - if session is None: - raise ValueError("Session is None, cannot run checks.") - logger.info( - "Executing Check %s for Account %s in region %s", + "Executing AWS Check %s for Account %s in region %s", checkName, account, region ) - checkEval = check( + for finding in check( cache=auditorCache, session=session, awsAccountId=account, awsRegion=region, awsPartition=partition - ) - for finding in checkEval: + ): if finding is not None: yield finding - else: - continue - except Exception: + except Exception as e: logger.warning( "Failed to execute check %s with exception: %s", - checkName, format_exc() + checkName, e ) # optional sleep if specified - defaults to 0 seconds 
diff --git a/screenshots/electrice_eye_architecture.jpg b/screenshots/electrice_eye_architecture.jpg index 5070d9c68ce5792fb378983365fdd5aa49d734bf..20223b5799bb80c67c350372d4f96b7b953b3d4d 100644 GIT binary patch delta 129128 zcmb4~cTkgIwC00|p!D8BrFZEaY=D4(fb77XLy$J|NmrjE8 zmQVwPu-tohc4u~WXYT&-&g8FezWL_7&pGFLe!Yg^|09(pbJkw z^{%mgqE@^8q0{?WVwCpq{{h)q$;_Ncp}+FCB83)U zR_NvKRPb)X3Yf)wYsnvbQ}sZSyBClorBSWyjOXR z^vyL(O?!@Q>&HcdB?+;!COCsDJ&K!W{&{qdzZ`KJ3%mofK!={9ag=LACEzD-EAIGw z=f0cn?;xF_6_-zJ;5s1G{`|G=ze(fW-khfP$R)}kUosz)1e`@O%6@pZ@o$I5M7A;nYEgsR0wm zSA>Q^C^nNSmF&_1&os^Qk-ehghC_+=u7=L@GZQU%?+PlmqFYdhsmEtX5wrT9Xg zz35N9$hSW`7n2OiX=UsM?wNF5gYGC%t~xX&?JH?}2QbwM-qK(rDtGik3|3J zph)7he_eXWQk8s=koX{>Fl8%F_p`Y?&sZ_aU&h2lj_T7Ep+ZETKLf$stikB2NdH`Gg0JB=( zj6qb?i~~aB8bq)SF%K@9+mpIf458Dv{ysvduLipLQF^HgW1nafhOk`qwU!R$U>&+s z-=?+|xAn$8>IWs>xI8vKixKkmOYIVKLK4 z%^OTZ8Aut1EICF`S=&a@=%Y9dvWG#^t;I*E{jO@|H3*m9-+gdNat+#zwN|!HxRk}Vzd%#= zixFdkteY<>;tH3}>t#7C2G%P2nCCuK{`>N2CN_N{!?K!IH?<{0J}|d7rdDhA>Cs7TL&g!*kifM zN`zs{_rN? zX-64J#jr0mL;g@!X;ePux%G9IzD-?@G$UTO@*r?={f35z;1zdx8SMFkOdIr$? 
zR*yMZ*UEdUxL7GF4#+I4n&dCGQ(UIC*VW@f+US74LHXC9J#%m@_zKb&M zEu_)2#E%7ZE+0erI!)SyFvAC*l+2K=50z=QCmpMuslmMzu)^@Z$4@6>AkYX^g%kUk zrF<`8z2$9AyRVUuW`%LyT(wTQfse~WArDz=gaS~r%Ib{3s9(62yB21{xG=tZtYsEk zgq>NGWi@WMsL4FG7%q5P%VUn^2o^I}&*BdZeC0gTvpxpWC#<;P=8WLe3|=3 zzpMIM%!-A$c*AEZOD~_o)G_V72eET0-2l5`56uG97f-WXIcruUE;yec9zyaa`wPQU zdF6A2E9OR53~-O1;) z5il=oEGza{TpAWQY*ySU?V(*@|BgP7#r9@VKR}1HN90F!(r%xbley=J^wm`69sVL7 zK^lfU^?T(+e>AsTNZhFbI}P{s(ug|JbY0TM4Nmb(uf4cOH+sfrze@pWFRBH-IC zJvqAEk+wZWK~F7>p;7PIXBj%Ny`+2zLynaG5xV*c9ArJbhj z_wXS&Q6*+H3eSg~?=c65N$reM%q#a+q?PB)Ix+YjDTeoqWzxtEKKiRc%-$irZO*e) zzd9=>B^C`Zz-h6$o%Mimf_mKij*Nh3q0Sn9-QwMgKgDDv;^}WPDFG^U`<_^?CME?X zT8`3TLAH>uPG-&+{Hzgly&n_1pZ^m5R<|(SK4Rlmm9#1dcL#lvw1&nORzPc0`7U|m z@}U8{g=Y8g2g9izc5_U)`6t|jUm6gS%qcTHwi`-s?TPujXMw{BZ#LyAZ)OB?KzIKj zNtu0FH&Pm@8~-}hNp{%JW7&!o>?FNoSA}*tgpagWb0lDBpH^3;^|uL3tyfn~i;0Y{ zY)$_;Fm|Nxe6>61@#3GXE|H&GG+Y^4y~=YChQvU&<}$7_P!i5Vh0n-$3LaA{#g*(o z86afW)rC}G0SAmw2mTRO@EUXv&gE>9$x>fEsau?bjUS(?n4bMh&F%TLT~c6(x<0-B zJsAc}bqs`Nl207}!ZD(T4f`@5XvazSW}q*S6p74-XM35_p;dq3X-IfR=wN7zCH)#d-aAjS1s3| zf7?n9$JN)M@fVPBl}Erp7yS1%=#&7xflo}`z>7eZZ?`G!3}HA;FiQwzfa~@&<(}KU z`OSDMJ*lyWxg?^p!dlF)L6)ZjgoWFocEHO1X;7bJ=>CIdhkPj1(N@srr<|LOw4jv3-6a}L?b)JPnR20;-Bqv4g}q{a z^?c{_?TL7ZQN1)CtgH>LN!cSuxe>t(urVv6cckk>l@z`GyxoesiSi_LiiUWRN>#r% z!NOL7AzaQY6za}dF@^r%zj{coF_~E|44}MPYA44va(^Zs24K`vR^4K(C1+|Zvg)=J zLJOsPYx|SO&f_Y7DVpBld`eI;)VoZhBwqp_P$5EFRphQ?Q*@^H5u&@W2;vml^E3-T zt1!hdf{2a$kCTVBVO?vPeIfay#D;qeAUD9 zY$-!sAPY(@@wG^UP*g*Hq|PqY{O%!-%IJdy5}?m0#sNQo z=WImpxB6k6&&ak6`{=tkUzu67Gcf;5h?LoEyPh6vQ~tpgOID@*09^GM6Wcq|{ZK3M= zf_1nQ-Z6ncMAv`u1|m{>drRjv3g)&voXq|2$X$c9BpIAQoR3~xlk6%^at~gc(qJ}w5b=u*>#ncE33qTkg}_cHgRa!Y5MeuUI>_){7ZB8 zw)yM5Li(S93tOH&X}QprJWJ3W@mRr&xj{O*4s7EQF zBj^Jg+%W=%MMRnpmzFf_(25e-pejM;B38K!S*T_r8Dy%fnK`dVJ} z-3->XlPotfeL?+f^)*-TGNJUI28!|vo)cQ#e_=FSld6)9Y&DqHzWm1AP0&o#&q5uV9`Sq_8K&TX29%@_W`3Ahw& zll~jvjQfz~C$UXvH|3$c-M>45;p@(#1dchQ7%uR+r*~^d?=3nteLSbp+_02;V8~zS 
z8el=VR8<^jm_<31MLKM5FpX*1+w)qq9#j;GKNOUk)nF?(_@mvHMY-6H@>RW!Q}e?Z zAD}3Emm}_ov4Nqi&($j{Cm+NPBs(}MWr@>2t$IN5!EcE0@9S$2(KX0Pl@{iX1rqY1 z#3*M|Y;%|OgSaxH^i=N_kvIDxcFBul^k0if7clYi>n)|HKG^PjnB*i(Ef-oaxT=pf ziG0thGnHM~RcZSQJ^YQM=fh{iiWNhwt~h#^cg zvsnHm*Mg3~+|zjY3g7)l#Q84Y0sG0VsosfX`axX*n}z#xVa*VAP4fi9mNZvc9p}9~ zB!(u@N%OU))zRVs;`K>#s<(nzpn`H(H|1^ogt<>?K{rYWOflp{Qr)cD+z?M%+@ti(h*%VWef+7{SccV{dz;v)cpWJ&0sI8LxaFFX~ z*HJ`{_Fg^Y47moe@8Q&nNt85JN%rikgP(Abeh)s>6#HFbB;Kwn&JIP0V|6Obpbn^% zppyVCw`!+3c%_54r%WFp%Ke>r-Z@Yg#0R3aPUaL!EP2Nitt0B(k)x>}rY zUz+we-N@wO|5K=I9BTvs2X%<8wzk5lxtacJ5Ea(SZt~au%i!2FLJ)}Y{&Wj=wiNc@D&GcchHO@r=|aK&P6q#=zRhBpSM9eTCOIJF8JZ4LujGYz_~nVZZn~gN z>r7}1g0b8PB6|(eqj4R+9I{|H=+_aDo1A(*0j{oCUY!3mi7^Vk2Hm&?&Im>)I4RmY zHquoDvHxHKkn(SpKS;i{tWfho;5_va+%lAqxu5=+jDrQ+jgeeA=z+rJHt+JL6l~Hu zr*hBIq9>@DmnQm@Mt&tnRhL+6b#U-D66q|2rn2+OVbIg9TZ z8Yv{<=ke8w-f@G1tJxzO6f&8zw7N;?(fOxz=4plUI_=&=$sg6zbhkB^3}zOmSoM=w zJW>vn2jrc8$L~PO*8+r3tp?zX&|(3(%()XVzAw?K`QN3+~Q31IYr$)wUk$fw74ig7RbA%#Tsy8cE% z{@~e~`}%rajP-`FxF9-jW8YuaJ3!3I9PeA(lo?lntvWc>#|okUVmVlKRQuqMeg-%g zVCbeR^}N2;EsK&wM|RReJQUVEJEeP}jOLTqAV_R%8_~Fu6GN6%^@sufqH9nQ(2m-S zGdDR(ebk(0OMjc-^F-?SL`wkrVAZ7aW+lKrLlK8p;K)&8BzegfK8+k%JXf_-rC*;L zXmE~{J^Df2cgJsp_WUHQWZGC0KM1}D>$@J>bVBV*%oh<6sEiRqFmQ`4k6y+yQ zsuoQEg@to(w^0Y_e@F14Yueb8*VhG@>lHKX}#guCbzA)WMDC)Nl_d)S=9W%fiR3xv+#7E`6*Yx_MWH4vh%IHOmGntK7|-V|7K_YcY*9llKD@+JTgidvu<)fZ+n;XU&m3LR2%ESVP+)>nZH=u$c9ey|GX_n_YGV&>@?3TLpy86l2@ME3{)1O1F^z z#=V$ob|PP*fC31Age55{dMPhy8nz_8UE}W>i?2};Fa!IyS(Fr-b@rkJ z1#~=jyhY^M6F!z(4_<@5ZvjMjF~~KjrZ5!$0LzJ@HQh0{N(mM9wh~Ctt*>{H@ejx* z;{~{_a>?X2Li#?uki`?>JTN0smn=B#=Bk;sz>TgWr_(v5%;(SNG`I&Vas`fV-MyUc zgZ4t}cdKuNWtl=rZPfxn?aVp*$61B0eZs|JARa7%(i5|_p${LK80cX7Hx(OtGXucn zf8dAO>07vfqH~T1Gom%;QkSX^)sK?pfu!_&qn}i7R@{}WP*rBB42b?ELpF+>`u*`=SOoXc8pk^m!91}gwo1ax z+D-7?lLHDI>s3b0InKrxl|^m|ZGN46`Esg-$mi#_N9V0`;e_fveG-osul`lON4h64 z7cjhbh$y@#8(nI!7ADp#*Ov&mHhQf`YBmea_8Yw&Gj)!1PS003 z_3}Bkx`!G+qQcmKnf{#P)J_9a3s6`d^3Ad6E*W)TzFHVPyc1FnY9!EPI;)U8oxTQr 
zt?!Dxr1EONDt(FljJ^hSw$s8HvAHO>5G4oHp2e#_e05=l^_VK|6k4Ecv`Qj@>nAr` zMqa|FkM0>@T4*j(c8_2si^v*_=$CB+VH`q_!;iH~^>c=c)Brm9!%Qw_g1bWw?re49 zpA*br0xR}m2wj>RSE3|RYHeT3U03{-=1`Il_taE*)tKO6lDz>UlDZD;(ZH@M9a_W*a`a?T8Jf=jV5Y1UF!%~~r{^Jnhvus%AH z{CxFUmWM_68U_}0J^SO~e^hCe?xGHEriyz?iYvtjfzbEPk47QI*_SV!5Bu!m)$eif z>Xco+`f0g0%JvUF(@w3Vig~tbwBL%1d3LF%89z8q-*D3hqlDuGf6hNF{qSVZeC^z# zccxp|mAwI|mC0vU-X2TzOBh>((Cueb)HTv$R0iplWAyyb%nK{NI?W>zE+YVkQ3jY! zrHj@KGB()d1WY}uFw7U8J5IE=miiU&;Ysk)=c3Z&dBWFD$kBZH3JUI%gpal{U`Bgd zS(df2X%GNKSg3rg|2Tfh{9EdaC4I_YS~XC%n|Uo0x*Q5n!$?tLv%_#UNSneWoC!SV zT;)t_J-bzH{j5}d=Tp2ex6Im#O}M4t37!qX0aM4q+N)Sr- zvaR9s3esIAft8}D5-!oN|CcEP{NG%e zZ|Iw_i);(1a`@6h&s)&lqwuBG#n1lT>G+-G+lPm1pZE*cR0ZB+`XFSYR%|M)+sBVa z=(!@Il8S4g{(f3wsRLT#L7Q`tV}HjB9!wVR@fl#e=B!Un{%LLnumXNd*q~ltpenXA zD|8j;z?hpt`+F}uA?7I&+_jPZNg-Y5J{V@Y-B;x!#QI}`TicNFT}cUA7gRI#(@!mcG+YzT_9{WdnX z%e}QC1I2W_(O%bBEhj`)+2EQU)-u@eg1x(6WJWGCg!Xa_VX$!o+Zr_SG~_ z&(HDw_{LCw65XRp(Grr|`~Rpu?w|YQ1{IY|Sa*RfjSzzA6(d=SZfD7B?p{|@6p%tU zZ_@~)Sm7*%Q_E!iCTuybc{$B^??_o})uB%ZvT_iFzh?#2n%A9xX?U)bis0`j10#xQ zHNgV6m~d0}YD41OqN`seKSyrhmB3D_)Np1T{f%t+^RG^wq@_i1QY~!#DH92xqYaUu zx1^MGbX8Y5l>-sncv3YcJ$jVTgYNdbdtM^X_9iyrbafNnM2BxLc}eD@}(+-~GJ zf!uiZN?a8;J~9c6M>N-61Rn(ygSE@d%{x$z_me$3auvd7BWWI!eQ-}VdUIG9mjAg& zJt_w5q_3-~;;LS<3U{p7ksQ52-Z4#AhgQ;tiVRU^WrCr zTvE!c3)Px% z>R&zCMvR}!6u?^KI7{@dY{7Pxf4-nTO0!R9Yb2`54*bUfxDP`s!m{C`9Ml*WM6^Z^ zyPeg9@IJ%Ea%b-2c*U+~3@_d`ygPhxTl9tMqhG7#dT8y_=yC3=@)OF4C7C8GQoTu< z-AdEE2C6$zZ}m}9!hZ=&6#X3{k-w|vOv^+?Au5)x5~2&s(y z){O~Em4~ml-x@$8i-$5GzcX^D_uglwe%yqf_3B0AC9$o3&P!r5Jkx1<5+e2A$=uIv z!WZuJS~r^@@;}sEhSFHR81yLXi5>Y4uCV!e{GldSJ(%ucohEn6fFrC`E1{TAzPWzt z1{Sg6wMjreY6a-`!8N|!ZWK_;o5g~}twuy~SJwP2)MiqeS?QenXyZ*@8+*8QVMxa* zLZwY1lapG5ocp|_F2&8;Q*me3FRd%O#4tmx#sx^LMAp1&hnoBW*UWSu+{W=>7m*n% zqiU&~q;=m5mz^18&J3gyh~G)N_%TN&>wo@5I9Es=3lxU+OmsEW3lvL30-~&3Yhi=S zF=4vFC5B1Q$2IfMmT|FJjuoY-}e)e-tP=!h11>qy`TIClR`wluL^>*Vm0*s zbJH2X>Eg5Qi-${2)qaN>|FmGg>*znZHOalvU>E8x9qnE%MnR^#I~B*BROWg$Ev!d} 
z3_m8?>rxe+ChZ;i+%P1qgrJHUq+4%{1(G7W)R~37JZjtI0ygJiy{Nt?lKSh>_+z6< z;cqMA#Gp+13c<*()_bNUx-pJNYWvM8cL&pf#FgDY-v7p|XE2_~<**hpH0jDrgw(L= z?%YiHgGmd+#-ltysaHZ65E3`);D-HhXoK_$Wf8^{#^&u9=X8k+S>=oDmt7^}vTO<9(Hi65ql<5bywB zeDC0dB6A|UGC7h2M)J5EWPR7iwXQ)P+W#yI1$Y>aE#NjcpY9(K{gUHcfA=PwdM6d0 z|HIi=m8zg6=6KPZHKXpQMNIS9gfBO;J$Qp_-O{sjMww-#H1&h~n$PsyX2w+7gayRG z>sTuBwSlkh&i>)e6aB4by4xu=E&)z6?4lPAnxn^9mprrNl|D~uiwCDPJ1jAeEL_e+ z8Z#-mD7n>~I#p=ODV}{fJrpfx)?ZuSPPn|`W-5+AIg$LJoYrcjUgt8&B20X;jR&SN zbpoNhXR%G1XKuPl)pu53&m)^r&i5;_bd)QdL;a3>n<$jF!`%9F4mKAFY($DmD|6~6 zYx{Y*xMb^?cfAI!KaWPneg5Umv=^@f{W|h!N?ebWo_AtxeGS$!VAY=nnO_SK3!vx^ zDQ1CB%|qrc<{|SJ2bF7yhPg58adv8=yH87s2Dp!JwSB=b-rTC7Wg=G*m?B2j0u!3O zs$TyEbur%+XCCDu_3JZ`%;$6-*CD8BNyakI`dz+C=x$!#r+)UErXTdQ z)*x*$rZa^sl{&nL5+~e5wRLo#`-g<6t)rW=t-H^U@INP0xV_hSp z5K^skCn^`}${({f-s3YMskHp?{(CYzK6&~uATCM|dve<9-PLKxxAff19p-(|WynsvD%#`hq>aYlLbeL0fxn z`_$j*N~JJOA5f#;OTQ_H*bdH6JR7FIn=?AKuC_3s{uLS@UZ47Y2^M!wlO-t<@`iQ) z3lnv}7JB;#jopT(p8Q1X9;fQnRT>!2R3A<*4^XNESZh@> z%PkcSOl)X&+&F{^A{=p^FX+ji%Od%jt;+TWO06Mlb_$ ze*Gf-%1tw=(BD|^7VVEP-liNV;Bl4YT@X`&sd4x%{;6>>{f$?zUCLDFM5!S`P@%mZ z%E?@5m=AK2l1(HMTghi00b77u9KLe-{gBd0y*enEE}_SL~v(XE%UR^`#Op(}uVP<=@q7!Sr{#eg2QF#{}69g2r$3FY#l% zNbUVARML2}T%K_F#ab z?Y1S-Q>C#6oVL$ZaYCsMw%u5OWI`y7~E(Qa}LG zO1ry_rLMYh@=lcW+K;dNG>?B}zg@cbPhtNlg@nSi82O%%0Ro8X))_yY%9{wz-yc-j zao4O%+j3a1vA@(c9i%Ja5q-hEpIp52?g^&*6*wlVS~f&Q*xARp5;{I(k?>^7ZSR38 ze4&{%?@I|t7^EL}wZ8XBw%wWXT=5_je6p2&4cc6_w!_q;3WH~mqoH^Pm~!&bD|B6q z&qc^mEkGTr188ABgT?KX^4>^-m>g~sPKY#PR#9icEe@9&P{v*snex+NQk}Z-+~(#> zse!c`iT%X)Z^=F=6O6u}#=fNBrRQ%LPjs569W1;0JJ2035|Fkt#8_f(p-pXEE3fVw z@6oE*yg#*%!!7?l_CE-{5bJT9KkD!9@mY5Hb1auP4OEnkE;g9H33HY$Nw)v>A2CV) z$@085ildbyyI?^yj4ybfIw!1K(s6p!&V_lTBk0|3fyZ6f9}dbw*;A@cBCK6Noou+u z!_Cec^H1mLGdG2YN+O;RZvJ=|vs+&~DjvU)FkvH1?Vg5FUMl|`^)H*pY0sSK$WJZJ zcQbrs1-jwU9lJ66`Bx)!dqW@($6EP=!u{)^YkFyk8#I=mcB z(UGsQF)vL~ohspP^E>h%uu^U{z7V=_{%{SduJ29*M{%;W@F6V@SM}PPuR)sBb<>Xe zEE=!;X^PYXcBWMB!~bSVpqFE6+bN+2?2H;{fIehlS_aR=qTD^!o8m7`5%O!gd!shl>9D^;bPX_j)Nd`+jzQpr 
zt=yj0OumC$w%_Fq;;tX!s@vj<+)#NjAQCuB+HZa)=}edZy|2LL$yD}$V?MFIz>#7- zK$nqbS(l(Gq^#c?lAg@o7d+`OTu~xxJYfRKJMhLb0Pp;}i(ougxfQAWZzQoWE!+BN z4Hj1?-6{R9qEV0+y;zVp(N)GZ=p8#PN;JscK{gg>a7MU@kpHc67)_)5Sxh#T9xvmWyius4D@kl^8vSxj zT{o&!b4121H8n3mQ!GZnB31CL+Ss4{bxEgTL1KKCaJ=uF<>G~v_3)V@m=wTvU7r5L zYG8P0`d^uE!$r{rDOZj8(0C!!A5GM~SrSXeYOgjQuTW3MdpuoD`#<$h({pt+O!YRL z0bAeAK`^tA^F;v+kCRQBj#EAVn$OO8Lvz18Yt5*7!bh0B>Ppr`9Ie8Fv&J$aRc~W= zdh4x0z%=fGyZb4-rdOjkseiN6vcJHKpM%Ix|GqwIJ!5Y)%vO^A2py#3V-ptgR2QUa zipu4e7j*LEZ)^`yQ(l8eIOJ-&eg^yXAG|0wCBvTmYY z(!Oby_dYE7S*OBtfzBdSiuMs-OG+Q%G3<}`8rIm9N{nJGeONrYn`+a5sNnpv#(?zv z+iA`Vi#MA?^<3km?W%f?5uGiK z@Z`=lNagu26r>#U)=Zs1Jp+cx@Xd zGS=%Q4{MFmrPkI?Nkdeo-}b>L9<4_woXKth_IL;VOGN-?i=o_;FW=6(*Y=Q=-S^pK zP4T?0kPT7e_(p`RI>zrs1BlG-ug@>Jc2bxQ@n==rEUF!yeDm$5jM$jhTLq`$+%hw~ zQ}hnvKLyubH{R=Jjf|%dH_QC*avH#Yff`X0H#87@`SjT|j9xT5mUaPJp{%9I$@{En z;c*f8_xw*-M>NA|t%Go*NvUdy%^I0h$=I1654mAVO$wK0Q4K21iSONsd6Q`v2?8Ru z%|B{U*xG1xqI2Nlr3n7qR9ATU8s`;diY)lsb8;K$>N0Y7a0X$1{J9!6Z;V zZFE?_STtw#SX@dsUa&@WRt2*E$cp>v`n<5-n;wT7P;>pJPjDpP%u6D8E|~uG1At)$ zPF|g$Gm(?V+Ft9hcn?HL{?lzi@y@985hWwcc^amVY1%-&)e@HWnVitCk74}~G-Q96 zAb0-B$cT?^1vC6{W6udQ-8WVCJ_Y~nI;5nA5in|Rh!vDuHqeB5|1u2 z(B1NI$djoFDp=`ZS~PJwZlV4P(0qNF*HCAT- zHC+X(@D2;r#1EjNWPR=8f5YN6%gcTH=E8P!(Hh7eYogG3EsSrp*ZQ!&_BfK6hm%ewmOyPVZVV8rPkpV(axB{ zzz)oKQ+NvmJ+xZbMM><)p@i|C`J`loB(d&VHoy<1=m%c>UbRh(A~O3xtP*_GOe&2| zqIZs^e`?TuWvi>NpV*kYo0D^H;QGOEX`r-pUWZMvw@Wa6ym)t9cgyTZvGmyI7^l-7 z0auyC^TNBEd}_;{*#b>vnF`_ymZoz&^>gXw@<(r9bXaZNrvd%a@AJ?rhURwRxv-Rw zA5aTqN-UlYrtBy+eM)^L2u4E`(pW==a@aizZkBQ>k#l6gaD{>bnm} zwpn8Oa_vyr@ZsXeV*~!2v)|4C5fMGK+ND#sN+V5}Tz%G~0*GR*E?+p}*(PC-Ro3<} z71{B!hZAo5^BM{IwUeu{!AZ}#B{XZ&_d7O;U(S3Nu0wG96%ER{L5vzM`IOHC(!9#% zV|yWdgL7jRx*_4Qk~I^>L+pO#wdX0a0ZrRpc$IN4LQL92bRQ6)$fQN6wcHl?LcCi9CpR zQ8$ylyO!+m^xSrrPJq?qW?ZuNbn!z^bYwBL5cnZoJWZ#hVuTE88mCTT4E{W03lXKC zT?rwGdv$+v*7ixS=Q1ZwKOZ~4Y7%|2$FQ;2q?-*C54*d#uhqcczW1P*CJ6iU39{T_ zPgNZCqmph>%ROJnvo|lRro}{POb!vEY+yyff-P20T$JY@700 
zG1hl--kHabG-Zalp_p9O+~}O_T~zBtMP&)ssXvfFA9IS1%iZ_<1N)A#GntVd<=mdJ z<{1NAaH1=*w>BrH@a@3f=cg5YG^bD}ZDi#Vfc7;VM8VC_l9 zbco2j)X;#x*_-!*|3I>b3YW%WdqNo7?p4{|r~_&z;~C=%=T4%GYVae-cLVNw+=+p3 zpH5{x=gk514tc84>tdPwku`b4MBcP`XHmdSt9bEn9;vU{`l5I8^qb?6*0A}QfsRXS z+t5M4ymEiH0%y=o3e8!Kwa0i`HHNyeDk-ehwq?1rVa*blL>p~xuOA6uJze-I24j`P#-V59B!7jx;)NB8fsqbIb`1XwZ8 zVr`BLhum`&XZtf^{v9swE;iy^`HG(g9H&_WkL`RPZ5Xt)@ zQZBT89M6`nL0y_ZEEbFW(?F-|`wNc-^rQ(N2*n+V5l^=kTy_A}?crh+0HP3PIE@o3 z_;ooNCe2APVJJP@-ccQ4(fmU6Pq@nibC#DV~}nq~S$obHUu14~`LFILtry#A(T-96jZ;2WA;YS)8~$cWJ07TSr0 z&B+%?5)VXlgQ;0eqOZ~m`NaI@L`9w^P9?Zr)I0X(#qA=kS&}R!iZAPhq<_cPr7fHB zA%=Wn8L;#SXnXe(@8laaU$6^IALX=q*Tq{j(VH|zk^J|c;=u?1Ztdq0Y$asn!9}1Z zD7|RFewk_Krv6xtUu0v{Kl?g}MwGTNj4dijXmKSo96pjEUs?G)u&=>kbg6=Sg$_+a zkM_3_&ESlRU`ow16*f&ly(|IgDcpGuY5()TR<{Wot2ES8RXK1HXmCetWZUgOO3z9l zO%+vhus_Z-(;_bHm%SgDlleoBsGbkGCUx3=00I3f6;67z;lHP}OyOo-$M73$;nn{i`?j2NjNI9M1v+ zqxW;Y3%6*sF4Ws|U#N_|&_RcW`&JcHR8*7NZ*uOL%e>ka&D1n@zS>5U_cmI~samUAn z^e@T(;xt^;O5a=;_p>dfaE_S_&bb1TG8XdkW&~Zf8~I8<_WRoi2q2fI<*jn}Yi6V` zc$4ck&r^OcUWMR?Zg{!+9>RcksUcs{#(56aao>%-ep`G^y8lUC{mH2G7=9F}>5qWl z$GsR+VTa}nX-ukcK&oWEEwKi@3|yLQ44VNQRb| zqn4z8%(C>HiHVhLN8}QoyI$I70Pg*oAac2e_5Z?2^5R59!x#?q7QZ zp2x`vutV2(o?fJcbARUssMPXEhlaR2Z;5lK<%F;ja~E-+t=O3$iTjjUbtR~<0oUXeGG1bsw;q4C6SoaF-4xo><0h~$(igf%P z3WohC%2_LJz4-ZcKIL=hgAb)M*pEU6J%3DVt;1>!Gq~rY^H~M;4N|y`))SM`O{|Vz zhHIr?rEs6W&v!8ZXsepXMHkIx;gcMUnCRu|gOC%Bm^s$s)%OgYS4>N%qprZeNUp%ddX>{DI@t_)R;l($pDa z6YpUT{(lmEa(_-{m?$>)QU%M})h3Qf&R)3!cUCRpQREK}baUxOTS&gYc+K@0Na0FH zYe=tk3)hlKRW?{d4G_xoynDK@G8&yO_nv+4*Lm<3-09$Nz+$CD|iz<~vNYbje(3 z?&9P;W3=PoOQym&UtU zhaat**V(X{$W}&gyAVTK=@3G)vwIE`x?#mQ8f@8#Feq~ zKWLs1&1Id;?Tb3(@F=VRZN-^ggGiNhC_e)?iy}ntW>HN2&qZnmgs_B^3a2$-eW^ zL`>U-70AA=ENYml+vS5Dm3t|#`Xlz0OgQq{V-p@My54^+w(jy*<&8S2!(5ITP@kR~ z+&#!-W|ZrAsKqMpugNc!ZaX9BtEnhEy;p*Z(=D4Q%2ftjvs{e=T+iyt4%*)VQJMdP zviFQ?s*Bfsu~MWcy`zBA1XOyF2);BC5Tv(&h?LNKUkK8hQk5zKh87~yYos^nCDI}E zo**Sa2xq%Vf?_kWguiC(7H7H9dTYR)2Q%~ zGWDO%>UO6Y)}pO}L9wA9xSGBgzEK6#Pk 
z^q2B$7tQD29mzR)ZWzeV#DpqH1d1zA2%}941#InVL|vUlnu_lOQw{U~KvNk$uYRV! zvTedunfos}Ky#cuDsNi8#bt#hFr_E;`mOXnm`D;xrS8z}zK{O8Kj67`D$eoJ_DB0B zrF>BOL(kV*rDoAW9^c0dCZI!R*t&Z6(e>hH)d8Odhg(p-^0T1snm{J}b}7F9I21zR zWe!mXBA8C3GW398rbMj}MHkkGIi^B4sLkkEyx(Z4Z^u~%4{X~k#fxFIJ}u6fJ|9&O zeO`>HiS)yW^1D>4Q~Wd)|N8Yy)ZI{-zO%P}k*$!ZU@mOpt|r_UWiYPLyY$BkRtj%A zcpIpKF-KJBq2$uzY%`EwHz5=Rzf#|FC>?(0H8!G90S-tE<`#*hplhDYRMIkxJmz=T zHnXJ8m&oDchrjSDR>{hHp|?@nPbwi$+(#JJSZJuNg3=k(>)~{hK4c{)r6e_~7mQZt zYBe>}2?vkK4t1IiSZn;iSATnMgPbnQu_*Gy-^(}_tEI60;P~Y=yVH4LrhEp@BW!NdO8Rsv)r*Cd~$8Vy#{3D;SgRmxc?ZnI}?prI8Kza zO<#Tfz->jrBcU|zZwL*^x0Xwi%VbLpr(|~xYoHN&lVChSpjpgi!JD*A_nAXFU$x%Y zNhjNV2&1bMh>9ekHClIdX)6wt$NLorYD~gM59<+@brEyr#^rOV-VyqD84P6l6XvTo z0BmoL=q1V5gy>5W0F)G#_17@#A2N=m(=r;ogT^!=$?7?iG!K72zI}{0aYE>$XNTyM zxnJ@;MV|(QNB!Mpaw%2Ad-+1u-+LT16g{t&Gq-MHQ3i&mn2d7Y35-w&+FSq%)1GK9M;5O zM__;Xk_5*v=$qJ{uE5lyVG55?=X}inC`pB!r;Z(KFI`=?toy|KW#6|LK}~A(5)`BZ zmKgI97Iw#zhEKMp_0Hrmz$wRsRi^Wrd3l{%m1S0!qQ6OoX_c#9kaG^NRP8O&L4w>9Y z04oR(#Vp{*3J_voC3uDLlf*M}AR4^xc!(g&wTvS005ewzPYnD226u>lKi8VCpIY(i zmh;GU#97#bqvIZqlo%S!aY^#480?<`kCA?ybnH35hiL%E=d6WmVXJ4I`qWPPdq_N& z^a#{(3Pe8d5#^wGd#}%h*skux0S!siXERyryWt0q$0}rwk>Zda0MNm}%c0%=H6efZ zHQ1XO{ELsJBPRa6sVAk1%lkI|CS`rj|GcT{e{GNIf9tA|i^N25kUj*T&40A;-v(}6 zk}xY=!-p;A9;+VjPG);tz}NjCQwNR9BK=d1-YaH6nVI#|?LnadgvxhL=WKm@k;vMJ zj*%{1{SA!_(RWQ%1dx9y)B2d~c9jwMgN2734ROF8+beL4x=0{iJTrE3w6cfVZFOAv z#nHQ{r&mm&<59Gew!863CpNiCe=1QqK&AGah42m(>qPRs7ESAgm#$C_KCpVFxT}XRjaGohqs)PV;rW#3~ zeUAXG<#|hb19-H&XbE0bmo>Q3S~A<;DgoejizMeJRZ?{T*8Q_+1q}{}_6G!&O8on!TvC{< zS9)Z%%k3{WK8;I|nLs}INM4c%WT%HdBJ1TNVa0T;G0U^pKW4CIvK5j9yJtqjJ88aa zd_%tksU=)Gkc*FoouhH-p%`uhn0?ty%Lq2XTuGo{72f*zllTt^TR+WMIY%v`qCgiCkosE2Gbmzmr-hqE;`u+9B)!%Ej`RW)jW^}>*BQ>V=q~1S@rEnF z6L1|mc-(PGk^r2&rq~Q-yCmt^gab3$7mO1Fh8oxfqN=7GaT?gDDeu`!WQ6~^pm7C* zc*=00{~5#sh5|LkVonHgX$wais53TnIr>we#U;t7q#0r}(3E%q7XW)$k@*-X5q?YPVZ5wc&%7bq`&z zOJEdywxwFcIiLEx-GQsa#NP5p~V{@GjA1Sb4gN@n`e20J9HdCD 
z%$y*gc@pai40x8MOA=~)%q59Mz4orT!Pb^WO45=_kCcq%ou?|nxZdSB!%sV*26GZR-^wWTXXO<#1PpLU<74ms((&m6l%gB+>Qh z5Pc3Qw$B&HH#irMoAF@1ZurN1C6!yT5$42Ja6OCj$}+Fv+`J%K97VIiRNK%|p$ae1 zTr2y-{Y-V1ezqU;QeSyZCg<12?PMmqYuV=VD%h zt~dzMFJdUVSA0+#L|5t0Gugj)QD%j!J8wP#3~RH?1BaGS3@}a_v{N;LPPcwc!qn$4 zPh-u;{IIMe4#hnh(&iwJb3Hpr1^HnjJ;5Mil0)HdS51pb1w#=9(uYn^zE7sr@e`P5 z#^x=;vVk=z5}v*U zHa?aWw9`41zyOvv0MisF9TxQ1mO_jsX@|k2p=>bxyJ^+&V8pz5|BL*$fyI!=?6>{d zCtY?6T`nS*_diVj?WgSOZ=E)C*KiT+Wus4e^`cJNW^plr%Fma5)OQOocDfPOwEn_k zbil)dUl{tX5Xc_P_+z7D6n$VS8MXknCLPQ93&Pt^=X>C=@psGdI z1aewq2^uHwgxy~ZhA%BpIrv{>DNz5cNv&#pS8ul>^pWK@<159*PoeHtdL&j?jiSc- zf0o?otm|^CT6i*2qJA*9kZzG#9;xymGmVE%>cyU@Cf8q=H9ugXbK!k3+i)Ocai0y( zWQ3X^kYhB$-rf9OR6A)%@yECDkEAWh$7ehKadd;hV_dfmkzo+lK*c30M$Eys=2&Na zjOmH$=lxI_YD`RiX_h7RV~c8>(x^)q@DtoaBwoQMI>BQ^<)6*-){pl7J~n7IrW-IL zl+9FzZM2tU)B^uMpDemGb?t~J=39kP?1)1{T*2t;m10fBg?|=AB{Jq73_7YXiez16 zJp}>WP0uEC^n#0K0$=w6Dd8Fxg&}PZc=~3!!_b5@N?yjMbRj4~jTP8*<`bdlFlPA2 zPpAFuvV6w=|IM>5bD4Rua8A>`K#o{XV~I}>tEyW`o7Yd06yW`u>gw9x+RDyaeeN45 zfwO?)8ap{ftFdc^knr%-taYP=sSLDjDy!|lHD@2UIAFzVbHLT+C`X7b4O5{%y#_bj zHI^)S{qt|boY&7C7Yok81nz8U;rpEFKUdRNpQin9cjX2Q*d!3k`vhQ%|W6-Xp;a2#UPa!Uo~pHB^#f0$6ji*t1yPw z^2^63p^ENgBw4l;{-RUcL@mrx)d`XfF$3o6epl9k5T4HqZsSmw; z-`r?oEza(Ms&F=yl zn&#QDs^Q+{g-^?@_TXPK9cF&f^f!Hq@4jo}yUsHcd~GUF#D$vht_eKN`+j-LNjm-} z_a*LW6Q{lIlLzXSa*u!AV7_{bl2$Cvg=C`^LJxpDvN%pM><;&NXPU)*b2rZotZhRL zWzoFJ(VIf;YmHYXBFxX91PbAx?*q92T>5LANVM0|#$FR$vFVKIRz)W4OOO7$x8c}T zrVuEbq76%LIr|JV&eP51PLx{;A6ZxSs1~F#b!TFAzQl= z$n>x#@)O==>1KRc@b4B8e5}O4!M49jg$umZg*{3*Lq@*2GbQiMf=m}Pb(SHZ^PND6 z_bVja#&UH4jQC8WF~pJm{=Mcg@s0ePwaxs`1uzF@!R~Mak%M|JpKDnLiSL0Ga32qj zmH}`#Q{_2msHKNNC&``-Y#07JxUmRLm8F-6t49D%ki^vW@{S;^+n_-ef1t4O&} zpiz5$2zJrM*Xa_*NgcTaD5T@0mdZ=Z=JD^$6{|9LAsqs@n=9*Y)vMcus2Ff&KWWPP z*q8xt9r}<1RXyt}M*lNe>!2rtVj>3lusjrwqO8sw`XGs76UiUGtB<3qjY@y{=-?a>z8|jj?jT~==tzc? 
zROatvKSUtAKD)ACfb>N1tzsoQd*v5WS+mxK)BeR8nnx(*hvI^@{E8mZojcR>L&`qL z!n8&^U(tA!jXBQ?JZfBwd{Ys81?=zvk-?KPaz#hdauYdmB zKG`9dqY-<$=)pp#B)i)h(z~_EXMD3IR7Hzs0Ne7+ zRYxf$eSvjwCP_19-(72PnQlNY5esq9PRU@VYMfqe% zI}YmGOxr#z2l!{bPwiO;X7||8~)+*Q~wjY?4M$_6gd&McG{J*r0L@thEl{`p~df?B$j}$CM`gqT5kSgS^Hs z-;!DSbt;ALQ))TZ%vRLZU*ajal) zRb`r*d}dgx&g_z;Pq~E?Tx)2#E~Ex57|yxD$$evk>-hFKAITbNO9gYBKtjfa9_?fZaT|RXYM;t`hcZp@nhsMRrUJXKqpD`Ti7g zpZ-7=>~a00<;_>BeZN*dlCoHR!7eP?evsG1lIq|iLEmiN7o2Z9u4!i}-_FtmTvmjl zmZJC{c>9nry1rNBD+FtpRojtw2wb>#&7g~Tc7H!SP-1EK!G?UsYUvDH@ycsfMb;kr zM!HYGwyqv=*U#N=8v4W4;S}eL8&|zXY}UHI(f{-F(HBj`{_5BII9-yga)J=m+f zm1#D;X{8b`b;F=gys%%&Nq2M-@ZOvVjInrt7sYOOf+1cwFWi=WaPXm*4`{LvFcm1$p|$%6=Ymo1yumJ{NleVK(g1>w*YcN8-Fj6 zFgbJ{3hZ74>!Y{egxlRjnC(R?YLL@!l2n&9Y^G{Wb_UT$N z3svi>N0K_#K}chKt2waqGCLj<9(okL(zVO6Q_!QeUF7URqDE4w+Rh*urx!DeYOY zEvd`7&lcTKyqm?k4YAFg7FEB{%6&!$DsLH*8$>f4;=<7+A5vPZF zcOvBue1gElYXD$ICK7MqA3)!?2wtQ$xwyV`_idXz(VTqX7<^PdwO%zFq@E3)>3kB7 zKp_wmfj&49rC?l~!Mxj73dWk8ip=aJUD&LMze@CDr1Dgw6_27uQ@G2|t|oh{K8F+M zSi9rPMfQU^35+;sd=sCG>*TU|trgjq^nK=K{+UQXOX^x!4{6Mq&=Nd>v?KA_W)2Ul zWbx8kli|X5m;q6FuCXAV?O}9|!dqVdP#TubK({3nIdKG4VHmOJiKO22=j+stm<~)f zSEhg44mgp&*$wZpRKFinl*yLxv?c!{Cs@{=t4h0FPLyeram?spQgii0+z!hw{H3$z zFRKWE#Yl>U^2wDRI_XjiA*FBgzYiOT`rBtk$W@C9@qg9lr^w@%mn2E?Mc_;*sC~gf z6=VZ_KHKD6LBm18U zyhzdv+TyS>+fcd;#Uc9L5uOtfIs~hX9w37(D@aXtL22{4iW~mefRM^R#+ZvNcNlQq zomjld@%9!w~eZr zsLI(~(bfCKkbos?U5;;S8YGs z3{o1YdhrcdslbO3=fIOuj^N*z3qEq>`M|S$f2p>TOZZf*NefCbvg!z0Spro2-)7Ou3E!aGnGZXuMPy0 zo_4_wuYn6gs5M@w_2kZ$!d-l^WcpIoOAX;2SJV2G+!S(_n)h+Xd=ld;Y3pF7SWfqP zA;Xc+uEaTI?gvg%K%3K7v;)AV&1g8jFa(hJb%cteA?+mAf!juAaNM_eUy&KS}*x@*k1lzPScO?Nn@5^iInEqDN^ zWVj^h){ZklhE@xe##3-G3e4y=L_FHR)kQSD!7 zz3>+$0ue`thMl>$Hs;CksTffjJJzhT!PLUJ>MWlVvXZeUf#rWJ9ydMWY-{oQ->!-{ zqQh(cIMb_W2aUVm{#MYsGwokotlJhGn(xprU%POVzX@N{Py2`GUaI=xj;m%cyW!y} zb{)eQyS#gIep#bFaZoKq+oq2EF5qYx+U%ASnTHGz{{5IGNH#f-?fbI#nagSJ{p=O| zLrgWRQA2{Tz(K*N%Tmk9OzjsOBr;GRBN{Qi+z+2Mvp1}$nL@1SUbDu(jc*|GB>X|b 
ziOj^&45>I)Au31Jysd#>?_3W3w7*rH!>3SJVHNmrY&r-<(F(uVlKjR7tTHFQs=e|~ z`)EaePT^e z5NC7Z`!pumB^KGww!5wuhT0kPq678|6~{Z3ypNiG$`+^$RBLUYJIbzlfx+4|-QPyOWx(42lp?zZ|QmPF$8H zR$NA3sAgua(XM6xZ^gd%iH`YKGl4Il*g^7kTPJVD-#@BhL(I~Gs`9QL8RK{t ztab{c<`-=lg`+JyYlE0FU4ZtrU{0VFRNdCVPwgeiMGZ2sbVnP{?-**_M6slF)9G2bMc9Lx_fQV> z`&`g0>_dW#sX7RoL=vL;ftiIfvwuyOT!oJGita1)fS^V|v=d)~-F@G8aeL}KZ^{Zh z?bqb z&jr3)1$$KUJ^=I7WM8S~SC~f5nPE*Vhh>1F-zZ@Mqv#{7$7kK#}`P;o*4Ig@!UV zwI;P#O=nXUjLjxqHeBy}r~3wajpt0Ef2ATG6!7rF zo0~n+O7qAvC_YTLZd^iRJNpH3sdm82Pe|io{MKMcQcy1<_P;h0`0wpp=SM2(31|t@ zhT1!pRn<%$K6;(x1g{4Sa5syQx9$~h8D>QNtTolp@saCac~(C|>&)jsnZ>{OcH;d1 zwW-U045&2hVG>8`6FS*$cAYq&vO=1I)LlJqB;UrjR8{}m*nl^+-?nYN4@jL) z%JUS9VPcQK)9++VV}81JJGru}=dAw+fG$13~T$~_l< z8%l1dOD4_h8Zf#&4K4xUN2POodNl#UFZv8ZG4n5-6O^TGr1z*^<*B6Vtt9~t8bKUr zZG9w$DaE{|b`iEoe1xuwS0WO-O~)OP)nqF%2V3)dYOD3?)NhTM+3T!(N$;MNoH0d7 zXy4lU;ovV>=u_bE>TRc=wOqTn-wiFaE?Ez+t3REdP!Zk@+uwm=Y*K3={cyOjYi|C{ zuM?F^58+;Ro8uA0eVVUC903mWa9z|xD;K}U`!;jU!p>(5H1;z5ZM%oH01uxkPO@U@ z!ph4@)SzX|OaD#V+2ATBi*9^hmyK`RgejL+-n_^my&)AH<5iliayC)sT)sB`z^`2R z56N)P>d%pnH}#UJWeq{ZsGXKzD&98JWL3%SGC zrvLnxe;dQDVIOo$SV_}~+ z?3-^~J?!i$?FHNL)F?LaJN&a}?o{~6t$O;AcO@mLga7(I=bLVb8gcXt$Tm1$R;#cL z&{Qyuv=g2hH0uUf`DB&^vv`XRajL|i7lRhp98dv0# zA7{6zJWzBkSMir5UH#N+I#E9 z!9mltgaX`Xi^aE6rqp&i1BOk#RDmwyp^SGb(u==OgivY<)$G)u-Rx}B(T%N1xDa*9 z2!g(zQUK%#&{2YUKAx-1f+_cP<8UCC(?iMWnlkUXxqcoY`AkIx6RMIs?rJ24x%gO& zZJaz5{v5tNFNBt8BvZ3PcyXw}qCUP4(KnAGWp^{1^Ve>NPN6WWopU0Z8f`g@b>meV z3;pMBla-xrNxD^A*gjk5r4*1Zo1kpuYgb060M^Wsr{70U3TB-5dSxW%(+-q9Fps^s zxSd*J&V?Cs)c!im;g}Mew3lz0YB&XS_}A1r**$il&JPl9Q+gbC*ZZFDa?A``fdb#( z7A!Rinl~J@%k5|7a1V~^+T&1$=>EEAeOqK+*W*&=j2GxyIJY1afqtcUZNrSoWu4Jg z;Etwna-~wox7t2qy-yJw&&qq=xEhsIjo)YKh4W7jX%tKcm5&bhjv=(3G}v1Vp#vVb zaNx6-xybAf{@5uzM2l;%s6R2;oKBg<$?#lHRUtvkJVeSPc@sv}Rx0J#)A*9q_w1_- z-`b7A1+?y{_xm_Oksf?9>b&z&mERrGfd*lM)O677G1HHljdCX&yOsE6{ghCe(Q5hE z%lmYAj2g5fhi9Vc8TKl-lkS;mGV@cVee1-wAEov9L@Z#8x5~#q*PU>7biRvI_?&^r znCjUX>G*Z~r?c{vdiJaB^YvT(R1}938UgC&s+yjL-ofFWdamihrv_`H;VpOZ0Q}cH 
zK;Q|!KPeAcUmgIh`m~wf-I_DZwz#tR=ems($nVW94H?G=?-qnRJ0jFMnvJ7-71l~e z%f+V5qlLyPfFODm6q01O5*rMRG*@&rlvxI=^n$*Z|G^|fl}cwSSGqf!mlC0*|Nc6A zsIoPSm6eIKC+2&;7l%mxw+7RL`Tm;D>HM%vlu*DS>NEjzM_zB9rxw6n!Abt`+V;Hj zydkJ+DtnS`>FC!zf{va>R z2vt3C6HayXTQ;eG{Z`Ma&1W?&jeSzN%0Z6|r2G?;0p2J1st+9joskHNAJTWx8W@)d zh5J~S2!b4PTh`@|C-U|`WA@47I59Jox_&>0&hfzZv}-cU5+gEJOZ;8V0z=9H76zJA zKBIecKG^Mj;oZX(CPGp*;Bvm+5q-o1|tmT7b| zCGV1m<}wpg-v#4z#soYHzCRIbxV2yWARA*2RUPx(N;rQx1#tZxP+A2V z-vtdUVgA0(Md^2#cZ5;w3gg>*rZQHIU+-2@{gFnNI@78PuNoB`*x20TooTf1Cgs3w zLSYJrlCf!JN{Mc7*TX_AH({e7&3?P4IGdy(DPUUS)GV^ahLCZTyNX;WC>Ao{u z!seXbHvc~9hrq3A`b6ItyIbAn6V?uS04`$gL8D#%-LP{G z)UHg>QqXg49Az-;cvVWybUP`%1 zQgxyJmrai`K}HsQSlm!x82{~)uGMjahMi)J)A!oFpdi@Ci%(6WZr=i(0Q@&`O^*)r z{MDZ|W4j1Pf~uD|l40dX+203KGKO)F46eUrYTYzxtUErvUH0V&0SF#l=oua$jab1U z^o$dI{s8Dz83%S4_=pJ+EkrChC%$%BniJAAg;H<%d!i{DY>-h-OF7SeFF|`~{$3YF z*C?JKLx8tKr~K227okAGCCSJzdiu;IZnA4Z?XPE@^S*fcK;hWS4gJ6&F>C&%2+SY( zI~n-jeP(qv`%ZVxZ7IjR+(DXN)E`u3+L3rzWPJ@DH!qTmt@v75(FVJ|kH(*8ALe z7x%``I!&f3*6&;0G+NE}Bl%k$W&;brn=}O_i1j<})V>|~q8>+8sVe;8(eJG^0nnSpT(RGlCjU@3$yvxTi)y-CE3wgTXw9+8QnSHJ<%z zp}%F9vod~XVkY4dvwt&D?jIl*9U6w0M1V5|%*k)2ZYHRuzqn&nnKF8nh2 z&p!#`6g0JI%>Inx7bVrr`8->dYwn)+e4NUvw=ewIOn~$b8aB0VT_}aUi6$Z4al6FG z?$(V_GXYvTp=H5^M|=r!Fg7FH_j*jGP`@NLEt0+RrhPehR;DR1Xu4U^CX<$Bz8NOEd|VJ!9`YiLBO?#37ukwu?mc-gaPX zb}ZSKIpa{Di^{7q&zb*0OBzbzTpph$EA=!+>i2R4mHv#ytp0v|0Y85*Ro;b379S04 zoV@dZNqXg1h+e?H+>d%? 
z28d}=3Y7BNb>E}EVM+S6mk)>J!cVvbd%T5Z zs#Rm;Z(t#&cvI`|n;sh`wbSz3#S;TO3+!v@4bn6 zs<6lM{vL0&S`FmgZ!3?)=Vn76h&-?yDtz>J{QThh0J_X2{H$L}i1*8B*cHMCa9%`usO%Q;h)fUYtDInq>y_03HNvTBpR?oGEL(nJM3Y$ zPZ1^4rZazT8hv}!8B5iX-I<_%3^0rn3@&~&x!{u9TbM>9&V$6K?4Fb@s&fdd7Id=Cg^S1|hsW_^PHo@){Ib8?<>8P09< zKAR{HgMmffBH-%GBZ~+Ye=$QgFW}$ zc_zR6y}0A)=AruDlk%*a>QTS%@0N(DJ#~Qv^`EIy15TaH55I946kH(wLBQr0FhS>t z^FK$4QyQr5H{2H@4VsxzGl+Ew>%mk0$Iw$2g{Md{)6&r>~4Fn@UYrz4!1#B+nJa%_IHehj{o48nOK{))6}a@1Bc@K#VDj5 zIpjGV;LoQ}_KeA9XY)gvKA<&$Kp>~rbw_OLMiAVO)yvzA23FrU-{V;|fLJ_JSVut= zeYIbWNoZ4T*0PFqomoE%y~6pZgr1~sM^y=sd(-j+LKYZ=iI>!-ZAtbBtc9YU$j8{G zaQb}Ua~pD`4xs47x^&Ro36z}R)D+p%(B-0=`b{3ABzdH(zO#pq@AP2XB9AkQQ5HR z7T{Ve;uG3)dvqa4;#8ru=Zt_BX?HWSU@&NVqrg#p;&QQZ7#vXkn;;DKXxJsmZ}0;; zMdwaXF2g^$*jE#JnZHWno3A-sF=g%;FlRWd?SGsc0x_ zJDfNItvL}7K8}40A2GQnm0|8}J8f!=Wf6vEB;~E2cR%_xRhMui%!X?R&U*4YI=T4^WoDb`O#m4!a_2g7IWh$ zkqDRQ7Megdyl|1?Qf@ToJ)ARqS@eO7%Q800;M;(?o_L-^yc; zfB!49{0;DXIM&oJ4lxheKFBOL{u;hsouQ|4YU1j6pM!Q$?CH?*umKI0ir;l5FUcHHOIL`R3kh(O%|eebAX*chdQuhQ=JG& z++5GH$cmp0q56vZvlZ7l$YO4LHq&Ba2$37#*ulD6X3~NFF=y{@rlaBJj??@pQ7e+i z{VFfEDQgeC?fGrQ=_O#)}bQK*4ch_R7_snoizaZh9EZDVV95+CZPXZ$R zf5SMl;q5M@$K&Z%1;$oy+-S>!Ena@UyGL?u9Eajip!D@u+u!*YFK^B0A$!k^e zl9#DO``L?YRxhW(`?}@obrMsK7IWG$>4eYd*4*=34$w1MljIIoN7?S3NUTZQ+U7&2 zy(aB|>*=~dfAk9k&CW?Y@P;CEOmX>w5?gQX-{0NRwVximtuOq|aP5R{ZLSefC0_a> zC1r{E{+@~<+NVFb5mphlgamF9hhUPq-?kORaS zmw!~BmfN( zS-+&XNQ1d^De+>9)R`q4-ZbQyT?&tCGY-hn4wYss{e?{wGCe)l0QL}fp+oz8Q{8IkP)~y?)vQ~O-y(*R%;FmFXcdyFBnyb%4LhZAk zw0FhC!RZTGI_4e1l#r-K06) z?31dy0$8BiHP9Uwfds?OTM$n0ElytFhZ5w%)6%v{_RQ_8J+5${B5Bg%o6V(5ySW{x z=$t2Etz7IaOd^f>s+6D1!B?4#X(HycDR>@vjq_Y#QG5=}?n65K5bH5#Ip*OA4f;9$ zv8EIUWxeM7GQVV9oe6hyhsiT;1_&&wm_@fLt1L5ib-TF+6%?%6{^W)+GY{j-?6UUj z3Edo}nucp;)b~+-cd{GLR`Lpcl3!{jFJW>ZZ)=B z+I~wyaI1i|QnLtp5iU@o^YqY=RL;lpNEX-P(;P&0T;KV3MIU6P$3d$M$$q zaCb%K9VSwHky|)>QQDWmPiS5f{xaX6wd0(V8ei&b+rd={?4&PqkrPyF>oqkx4L^#+ z=I670cKq$ksh;sxn1XSdy7Nu9-7*U|SK>S+jx-ibFP_@iFkvi21m(VL{EMpGS;_66 zwVG+PlpdrOL*M+4ms*-<@8Zl%GTIBF{7nYP8Gg#* 
zdcDjkKSq!%#D6W5pxUUPN^3U`>8gV6K=BogG&bo~Bc4ttq`R4}avmad;nR2*@jdX*<}nw%tn+DQff*k{~*X=xsu71UG^p>Lf&z38D{% zl|&azq9)ozk2=x2(FH;D-bU{;${38vUiW_YyMNE~><{n$FdwwRTI*`(c^v;^xz8g}!?5qXZ^llhe7pGU+1c3yh6jXNz3v}5Vqa<(aiz*{FNukcqFKvl7127W6Y|m= zpA%#S>jj+0>O6r+K?m=qhrhw(1*$f(l$Ficp4O=7V%3k)U+<>dU6`=aKw!Au6Ooo3 zE9j1Djw47xjKFT)f>|KjlAlcl!#oPKocWup_3uhr^hU9GOk9|Wd9>PSv7}O)ue`Rs z_>BmjG0FEP<~n3bwtJ56w;n$@Vd(EA**)UpcE6^Sn#|1yhEyP+=a>fDZ(DmJ6C#cC z6V59PItcuw%mlnw9V5KJ0V-x0lm_KTUOYHToo3 z%Y{Em+HSd5Ylr{PIR$-hF3=`HS7b`x21*Z%y7F1}p>NzQE#)3QnDTj}<{c_<>0X1y zLOM#eLt-)v3$&%(ctr*ygTww?o4x%n+H6~{C06|{sVw8~0*~k7Gh`_Z-J@og;6Nc? zb=^mwiM-$(33~x%pMgx>d)PSb0jv1|=K*nIL>_`YrOnlU;g)SD%T$A8!7Yh)Le>6_ zc!4CX7k7*txI!<-zEy@z01nX0TM&i{^kiFGGG)sA=2Td)b7m;>#_`icTaxg%o6m6+ z_Zk>Yh^$LsVTPy&p6Tkkf{&CL0rk>^+sRAD!BaPPJB$tZr-ryb&^EipxIvv@Jhv*) zA)p;rAQN`_hGCtX7x$M5>*;y2lwU52>vQH_sGa;(TDI?(Q(wJ$NB7z}JU=8qINd@v zBGt}hJT^{$vQesXyK=?#>)iOLg{Ua6p|r^zf2k2aX+i^eYa8K#$Fy=&14ICAPIPTO zty~M2)>VOsSd4P~C1YrXuN8ZC+d16l;;$~ZbqaPBS8Ft$k>G}h1O9LnKp3zlQNJ1S<`eq5HxdV5iX!f%_lmTlvXa)JJoP*|tLdkme5MCY7$ z=|zx>^$>e+bH|NdjH$@2+p8Ni?F3Lc?FI4^+nS-}1FiFv{}_<;-yvgm$3~@htog=P zhJ#tlLR(8CbmXr;IVlaf>N`M3%jc3`d`Ah-iEJtbZ`xLT&H8++}D$$#Ax z@m%YfGp`Hw**i9u9q=Gkr@-2L22fHe=IoVH@LFgGi$5-XMQ^9T2! 
zRdFRoalEo#69|ZrT?7FuAEBjmF(gs%8K?BC7+voUI?<|uI6>~_fDFvSGgP@m#K86m z4%z{*LjaOHDkz~I2a7qGti8ps+dlwt;PY3A7|&agDzV1CW&it_kK`LZ=_ad zHj*s-RO$CTqO&@QA1w_id@|ktI-rNBfiIbMTwXjlgLs0K-DYiQ#a^qC*V$85yT#=L zu;O@27nZ-_5_BEA9o_El8#3^t!wXVjk5q!>k;kp+ha?Q;8yFX~q-MpwwRkf8Ww6?F zd>cs1_Swf<7oW*mIe_`w$_wZSg_)L0y5OgqPc6Gp>2Q;agr)U@XLMfD_KEGNOqdjKB{5L!mk%AWPr~ z4fDHKTOD@0i{rLp%4=_QLVXBTOwclh!O5?rv}E2IRxRt}*IrgymwYmr=SW56>*7Og zi_$)p2!(*MB?pO6@E#P4Dk(1hW2W$bdS;_3{mbA`ElNi`adeWX}i_)5~uIUugI*N$_S7*tOIM)hd>F~D_b^XXQ}o+R<;ThD0Fwc|>b+X5l!1ESJNQ3IJ#XSBjPC-* zx)xfc;}z4<5Tml{kvHOuy~$&{{E0%(j!ZNzGi<9{WWG~TCZhgOT<#yxZ^c&sgtzIv(#) z?9?w%JK&y5i6m2eJ4-&o&=Ku*aK+h#DcyMQrvo0+%dPi4_=akI`D}b&1F!j(&uHJ7 zq%o(&C9Y&Awt%b&z!=0%j6{K;3kq;|_>inElLcz(^C5?x(nkr1lz(rYl%YfW{!q-J zG9kVTdne4ABtuZ0++eiR`Y-GUx=6qQbs`#g8$2Nb=K_%p*hU^g1gKu_!UA+>U@d3} zUf3^km@07A2*II$lI_5ET($+jfeRGL<}weFWWfn;7+fH#P^V&r$t6jP7*b5K&p9}} z2A!=w&vJ|Dzdz*$2^XejOCasy(f@t@dy&!V-z1))M``-O8$cV$o(}xM2b+|E!xJPe zyk1Hs@XCCvdhFC&CY(3^-8TZ&ckbqKY)4>==^U<7?wN5s7S)D1ZwS=v8ZGz@H`Ue? zJ1D+YaSYOb_FDDnNm_M0lY~xA`iZ!wHIy%*PwDVHFNxTuA|eb2X#>@IwpvTbGab{e zKHzPTFaT_TLy>|s(CEcYQ#WMMQup_%PHXa`ipMvEE*M`tKIBbZtC2@b>NmxS0a$jec;;1RJA zDgv#7-08u(y3f&)0@V(04$x{=u+Duq+B07a{kkgj#QlYrsc`*S#u9oKEP5{FV`qRI zi);Q}rq1Nuy!q9Hvh`NBH=Q$;QkK)u@w~X-Crem~mU*y<_oeY1Gvzrnp{q8*5`NI^ zvL1k3(6yUEXyJ9|!p@O07(hIw`sMpvK4$WUvi2EcCecy%+~!6y4a{}(7fCL3u7eC z`FRR)z`u$e)Bj8C$Oa%DYPo_<@*SqqAFn=Nqb{OVz3eINV~uAi#1@-4>zj}4Nk?lt zH#x7Iw+%>rxuCJ;uGLIIo&L@wfSK#_>RMG}mk-QS0ZL2K!y|*GPTolIu)vb}qq4t> zdG2V#;HjTKXlGHtXvd#5mX2hOIPb1ikKBp3)bwF0D$9PiOAByug;J%i$rp^6xMgUI z8%Eu9pI1kt-BXu`bhph%yvsT(ey&~L2{q2bYBgyGo?RAah zkG5Geo7L4E>K_%S9QS7wRbBesSLM2=a*zTPugkv|65dvr3Lks#Z{#^ku|6EP>Qh8B z!DOdyC4TfMgaVchV|qj88$&bo7R|r3UO(xc%8qq^#NM4d1CKLp_`M_Lc%(CV=&!|L z5ulu4|Ehq@w^PYZ55;CuJ& z!a4=BcKtvYaK#I(O>p7^t8->I5((+7Wvt^70ba}9e1I%N6c;M~NLYb-`MqT&e{l2T zY5hcoCW4Nc6o%E+ipF*a)}-$JhoYAhMaKX?YbW2Ytf(4q&@6;`j|H*dHf4uq_;}e` zsccwd0J%chc_tgxsw*th?+;5}M~-jS_-m;2nTv0! 
zXYJNYDrX-d28^n4sP-)s6-fmTguQ7R;m32dxGH_vNWA=>(;q4LcId&?`tB1`_@%X< zYf7@%Vpz-6rx8yY8<4Fta*?fLF2$X&AEImu_|d-&cxdKn7{d~5rP+gl?}=;$+$6<5 z_IiEdMf4{1?=CHkw@?4HW(RABWe%1vv*Il4>|U;`#w9OWO=;SDi~e#qi_uc4h&MK9 zd)hWX(V}r43;mR1=%pevIk^GhRJlV0bgPFeFx*6x?(oiVZ|KnQ^O{J(q_cv^1wjIE zu~bQS2|^Da!;6z1mu#9J4T*PvqPN(U(SS?xeAl}&bJ_k@mOp!L6q)3iK*skJYiTBQ zS8jU#50bCZd2oxuU`K>5ZAma|RGYFU-qpJEL_C@1fa#7>Cs&1kxG1Xgf@Ksi&Z#c^ zMM?SjvphkOXC_HHdAY?-a%1_d>;kx*WnEuinG9d$(e`N287o!xq>KM+j26TY_6=;C zfC)fwg;t$gmpbZJ!|d+N5T;ymq#NGoyMJ$HwCwZ7Fsat+NsOAp6MBQug;!1 zp`2^TLyR}x`>s}}@=@J6Ui(KclscL+zzj1-hSN6s6wc3Vg&Kd^^sua-`O3-(?Gx}` zd>@n=b$uLMV62R~rho|ac5Y=wDUOhQnzqxiRCfE3S`n<$LQ;{Q33z*LQ{6qmE#Z0s z|JBJJ1&GL&YjSz@HI-sA5# z^m#Lj*Z)U77;y)<2?vlS_)E=KBPw+^T>gG>bfYl_a=ow!6p-R+now5?3!zSL9dRFF za%gdD8i8<~pUba^#|m=hppb zre>x##!gc|om}!>rRVy5L-sh{K6O-r9lrGppBGc9&tmoK_vZL*UgLXG=<9jQ6yMMvl4eHxPx07|e}cA7Zr<&%YM zT#dbM2kp}MUx_kfPUki>e$7pO{7w?oqratCCZJ6Q0o(Z~>)SYz`DoI6G)JdH!+QI03-xa5tyb1g zPc(Vitlb}2B7>W55XZZ?6;Lg8`eC~~9W0xBGGD#B9YtS0sP{?zd4ZjaG2KaM)y%SX zO|MaQd%R&JYqz9&eAc>(>jyExq37mt)!-&Ts!t_+1*b>#p`%-}`ePE?Qaf745^r`~ ztmRzd?Jqtvy!1XUy7@>t$$9|Ez$;7jMcMBt2Vl}LPM3}cS>qes{H6$wip(8-240^*(2&@3 zB?&Zqi~wze7{~cjA=JsEp+6KS9Pc2&cXTrk(NA_q@ehSM*kuyr0Q*Y324Lk!<2(;o z&jnU4>42BmiQ=3LdK{Yy{_}TBBMKkIK^$0sfq`rAVKba~4nH}}mmpGm_r6rRp;kQq z^C&sq0+6>pPjoTLj@Vow@=v@Cp5gI`Z0asiqvKCkjz}G=a-FW(Vx=2CiKE0T= z88Y}C`>JPu{e#;37t&r1R)WDvMRZJD+R9{U$Ml#J(Oo6%GL@luoq`JtmLE-lTB*^d z399bKYAz8s@f|jsY zzkkUAG*f)WN}OK(15hkq1>YxGIg_qXzfQUJe|%R5Lbyt?%KGtj5%3VS_zM1!`~h-u z5kkI){Et6o>h@{HS=Nlm&n5}rXE#`ru>J_5Pa9tYtv~Us=a+%~%K%CD6#(Oy-EDNQ zW*zoD5Wd>>#`r{4fa}6c@>gB0=TiynMhTM||Ij>}(G$X?0Q3v+&eRdh!8-#b8x=!{ zqXBxF$p*avc~!ax7BEkYcRlJ-huIYoB?6C0ys3cnNs7h(&Z{$?9D_~Sw^QA)TfYXU zpSa_Sf_ZriYg-DrdA{fR&-n~yI=B0NQ!K`ug&~zQAF0qnfLz%#vbxr!wpS zV^SC0VBr6@xQP+If5m#MAr;w*QHCro&R0N4;4PW}a6lOvQm%v%={}=O_qOGf^;N7| zin3?J*6I^s=#P*?=|2=J3d7)|Y})tgB#~9j>z1B>A)1r0J#5qOVX-G>P)VLQ--9g0iLpPHR5v3a$U?lpv=(Gpery*F%SwlNcAUDCSVx-?5dR&^6xj`pb7)H;;BBT>NzcdBlbxfWQRfrSQZv%PmhawuPQdZpDQZS33FmL*8 
zeM{}mS#d!d|Ca;`x}-?r9532}j>99w<%zhxV16fKtQL%wZ+K<1LT_^~3pgqxs<~*j z?&&DXBo)^mkN?J@LLro*f%o9k?Nx*(K9;7dxSfVmaC(XmD7SMh?R;DE!$rU!A1s#M z_@rf93I%SUuad=6X6Y8w%duPfY^pG^*u55=ENo3-r`)TE35$6eA>+#vgd-xAJZzHo!&mnrsRCmJHo;~ zhLMONWOZlNa7R6TKk2?Z{IAb9k< z&fFS>#RV-3zeL&!ZZag6w>6b)iHb9D0$i6B#ki&4deC zi+V#j7U3qIczQVYkuN#*Wty!U2lE5APQSue_Xo67G;Ia8>98`kv2zOHC=#VM4s)4U zcHA6ze-NRWM-NC;)Yp_?2h@JH{0NA-9}w*y?`T_obty-mfnToQ?Za?_`2(j@7}}?* ziz`PXC^JV_YRG-}$cIE*xPWX`L`I_6K&kdD`y1QXmC&rapU|$CA5|>hyh_asc8nx7 zU}ZSX7St8ufi`ix(DAsgc^Gl$^>OkY-^_W1y-z|l=fE7Tnoz6rrZ3u$*l3r9xPwEt zBR~34=U*eH*~9D?iNAA+S#?o5hz`xi2}&`+Nb`N@B$WIFvvUJn+lBynSWkW`wv?z) zn{Z7|RpGwQS^rxC%15^RC@SXrqR?O=m(u9;n$Ldu3aPfqVY!Kg#E4rNZ~Hh90bw{Q zeyk4Q-k1jImsbp8wIq%dqi*)H9F$%}Vqd7X(LU&>Y8Rtg%sKSaAxVyqbiMq2<*JhY z!ZT-E`#tC!H_K3Ddq|(*y_T<%uvG_yRnkSHN?(U$!Zk*Z0D8ErWxDfYjWW*NS09|W z<3t~?20~pgK}6g-d^M1`0}v2$r;Dzp(9DUNU|5|Hamz{cq;S{7T?is&6T)hUW_RXThh4t}XW>!#b&x7Sqf z0QL$#_yqD2b#SnS-R~gXgRWgge1v4j92BvNfVEK;8 z6fg`UoY(xxo~OkQZ<}{r@N3pbYEmC&CnQsmscV;{mlQe%c9@G1-ovZ4tg#5)L8*kA z>d1aYxs}jf%BnBe3!D*pwlALV0xh=+*Y-)?_Tg<{c4!{EUTVtf_p}^4`=1+KpVc?` zefa~PC6CuNa!D(sruXOyiDkh`##epnMx6r_<@RoEU@qC?8n>ISjWsyK&{I1Priqb5 zQ%@vXUKBB8+-`rwUv{!!%PzevO`wZBOxcS7E-Cq9k&ysRu@Vi|nc<}~Alv@gaUgr3 zz_KC5TB(`>;{R1#Qur0-8LL!ecTGdvEhZZJ*H}_j{!U3+ zm24o}IzYWEwbf^YrHiNpKB|Y>Mc$%n8@sDBoxpp~K&mE$$+LwYnTOWF2QBOcA7a83 z1loZx^Qz+S@W%#?0pk8veu6`Uo(-eGaR;&n^|#N}d0eUZ8PXl1QSNiZg=%709zqcX zt`#LmzM@x>n>?#d&F{u?>%eJGblwKK#$T}x+w(&4xOjoI4O`%rm>2r$dLZRUT&KvY zgWoO8Wbo~&C&szq^%d?vND_E=Wo~)*u+JUEsY1EI%{+`?!~ztXvZs5&4KJeV+?@;x=33syFf7Eq zxZYQ@z)bOq``bl7{i!vwy2N`Zf!AzY%d5nkXixAu|9bRsW!^52m`K?4>h$2S4t4#_ z(M$8O%P=dr^UP5X1i;aX&lK|;ckm_brm|EwZP^qUW&uLRSwCZ=Z1%?Cc_-!R_`DWO z5Q=j3V{4NVULtaj zZRnKxLV*08dWH&{S2TjAQ!^!tK|w$J%+K>N_J1h2iE&GW`XVqw$viB)0z%(=i;OCC z^xl!q0y^#rQRZH6kVB=FoQfYG3={Wz%>q z;j&ao;X;{(w~zYV7fLH~!kcYjHs{%C3UO&u6#?yY5!OOZ#Vd2$W0mZ}UhAz%!mE)M zTP4XyN?q+g16j$x>S!a#h35F3dBW^^Gj$z;5{Mm>4B%GVr~6jy*mRvFO?gSV9^dyA9*g2sYzGxv;9ffKNR%vdc(@P 
zY9KTKq7NP|Cb@Sn3)W}X#XkBj3;Dv#>`|#I@cB#N14j>%z*B)D-fIFw+NQJw-#%Ti}c&hnugpU`u^tcyg56l24xOGCvveP@>u@TQ4Vo3-5l+~E()l(T5o}l2InUptFU~Z= z9LhFjS<0g4-2amNT+Md7R(Cf1=bk09izkX>uM^7cq)=7t%R5=rpB(Vc=63lzE`VNikvu@;6iT`~#7Dyy4SAk)Dkt$QOvr2YYdEdDasFntA@Y~hLaBcul< z8^c;JZ}qw=crEKR@(0K5Pd7z5IB92h21n8h0FO^ZD6^cg>=B($Q)Xc8%d}UB= z5mk^^4t)zIy0JK_$l$`-!72>@nAo8s!j8+w{B;i8TTKG%yvXO$0{qlJTYle55omG0 z(jHkDbo`^_neU00VFe}t=6cp-tmyi>x_0AfgL1IbhT(AKspBq`JlBX!m)^U%IVU() zA{`Ais2i!&2|M6#sEu!kn(X)C*%zq*MclPVsE_Ga$H=#xd;)I|dlpVVSq;!INzKW2 z4;AXyG5}YvKC>|l@S5i%2W_o*90b(f40v#EABY~FxZHMmG*i}joq5@v_KI)T)AKZh zRW|AG-wl`iri`m2yd1JVi_IH^7uU=2sXx5vtrc?CsAtOl6Wx&ivF8C(V=7E-Cbs-z z^oUqtbd{EuIX9o9O@_EVRo$$z)nV=K{J*xzf&ZUAxd4HBq|zBiD5$L;7Z=}?{_43k zU#W}uHC*vdP_fseKFVXm64k~N1VU6<+kgm@MDAPQkcvboe-9|-O7moqEG@Hc(LQK^f`+MIepYgEMN9l)9ysudGQ7ve0Vs|j_&iI zR@Y`X5fCH9Z?($#%8h&|H?YjtaFl7>S|2uD3EVi866%B}!(+@;YYRKJr<)4x^DK^M zh?!dp^GNcjEa~YS-`UO|iu)gt&|{Iv7tcOvTwMsV4)Z#DL^3%0tM`vI#SMXuX&(mU z&UBI2ABvKMwWy8=aQJ9RpRUqvB?1-(8!i^4J&%>mGl>%~AnhLl$X{!57ruHWEhJr_ zNm`h>-~((Fkpbu#f7B)$oJ;w=3^0|mdl=?j}{GLxlxga?ZaLeR@hW$>X&K9?@k{2^qmht z-hUMBY~h#8`1PTD!G1U0;uH%%Z;sT=WPJ|}2=JfQ*#C6Krl~V$+p^6km@ik&t%BvG zNa-}wC&Pz@v*xDXfgk)7C;xf{-1Vk;SnMgnma)Pp%-Y5R9kC8x41h;P`DW@`Z5 zW)?}2ir-I8_>FHX?8D#0z$7D)w)#nN2^N6AMe!bhfm&(yiOiiQtMK6Op%<04q-hw9 z8wb(9>8s5H+FFEzMyS-Tk~X0?;q_Md1Y#5ZO67N0Qij@%H0@2D2$`55k61S|DMNzP zd0yp;<+SzGG}tTa?G2z!YQr!#*e;x_SkO>)B(Fx;3W@QTq~+_nGRC#=8@!YL2wW)z zUK-kvkA0Jev0x4dQ(0Y6&GzGtlTK`Bh{Io zlP5J;!J?+TFyMUlTWnB+bEaOOb#HfBW6}AJ4_JzW^7^!anZdFj0>OgD)xGda=Sw?} zM8T!TXK32@oBajC{TX@X0H@SB{?Xlv$%>6ii%HLu-N0$FtQkdh{?6+szk(N5U)gcM8CF)|R?&53A5mIS2D&$@?(4y#Gk+w~(a7~k=5Z69_^YJ z8%T|$zqcT>5QDI&OJIu{7fnq1$Nh^!%ASdnEnFYol6~_M)%ioPBr<-{T%7rCHcF!; zJSvA3UN701k#Ds*K5RX2rR(qe&@~Z@1s?Oo%oVjSqdZIys#slUM{=AK$6TR*(R^8f z^jOB*gC1iICRTSniUn%C*@(gRLb9VsF>5S2me#(cKEzXnl^Bg3xYQ*K_vqm0e;0dj zcf&7utc6_9_PTac=vj_lg|BdjmbcS7uaN4T_%BQeJm?u-ChJ~Ck&|h1B?%P>Y@Yfg 
zo1B*4)P0&6S<`txGRioX(Yd}HT}td&nw8M95+CR!^HvNqdyB<$RJN+I=3b_t7owxJnpJq)?AiJLtG<2AEdRVi_GS8Up2-SzpB1vBgZZcQ2#yub{IjQ*jp$Gj(? zI4kvUwgK43i~hH6XvLYeP9XyWyeK%&Bl%Pcg$|z$(uM= z>z`u@LgUGKx>lI2{1qnC-%UK{$p||9UA!kU3~WP6o%^(dOCyIKI@8h-aF}{n$^Y6* z)c3>>=kH-nQ?!2E#0`w@c{XZKZXewcnw!GTsUB$FePCj=d-ZPZ58rgwTk?jP^HOhS z?AX;z{8h}p*E=>AIhxWLMjFNr9_dOS=ML(Dv-7jn|DAFpvH{!*>_yR%S-LZ);nhoA zQzlsjj=wkErZpF}N-lQYdvr2{@G{|U@I>DueqQ9c2zMFl06K4A~e7Y7xt9+&czm~S2>Cu9GiEP;6pP$u~4RX%1S;h zk^GTkoo3IkJD)IlqI?T;bLE=aOmBc%^QTw+*P;qvaa)Vt6wi6Sr->IP zO>1w&QobP>4ma>-6ZecOapHyk#Y7WX1G|9l>MMP~?Wr5DoUNljT{Hf9i&DT!cr#3- zUUzOFNh1MWc{Jz>E8SPo^Do|6JNA}07eqS~<hEFd0~_-ud6TLCjf;HB!B3`i)OpJ`c?t_ANmbq|8Rs zlMK;IWoUO+zUyCgV#W2p4b_*Xsr#gh;()NwO8t-XxM-5xsH=426$0UgvgDazc$aAO zz0s4hVfw}d_?&D@f*X-r<<}~6 zC;^I0j58VBZMP^u>;YDCKZZ`pxCorTr&jY9trU$KYZd0Q*pjh2a?76yInBnsrE*Ux z1}IEd-=MB5N&9gW$yV$-(^G_ZDWnz`0Su45it_W?>4KR9R>>82Q3e&U(%WA)$dy6e-SBu%`auXjFW{An}rV z02p;hL1})TNM-|>inv0|q9xp(%rLNn-q8n}V|lYyzH|B$B=pgK(~NIfz>K|*d~;Vb zGe0Gh=?=1MZvp~(N(>g+T#5o&G*$8g!06M49sg&7C?V11fWp)Z!y{u}!W!{hD`of5 z)@)9IVX?tFvVBwJP#R+g4T)+8CCh?^>1|Kzo5A*71<)o;0+;@bXTU=19+*fq9(P{+ zxSRy}b%H!fp(2%?C7qzspP8<^k|fcs1E%rWBtQ+$X@7IIPm6Kvcv*Ys?ub+H3ZTtT zg@A=5X!(urc0>pECqH?iBRF9Hb)&F!hBX&XC5S32Cpx=eXnMc{cRli)4E8ZC1Ajpe z!QSXTrU2O24SWH#JXN_!WF&YK&%VK37k9yu{8jQtuf>!AHJB?}0fZtI)7b^Jfk~( zZ-R|vHbeSVsSC{p(0b@i$U+)Ww$_FUo8!Y9ceQrbhN%yiNK?I6Qq2##9Vrv=?L04P zi6Ln@J>jnLU6UNt*%|Ur#W^9p9LbXL6*w=P6_r zSl~tCz~Y6afg2Vb_WWHRMP0mZ=x>MCKxe-ivNu0qY~g#wtqSq32(=LIv2M+NJ=B;a zO*V~$hNs`rn87ot6?b0Gg!uS}37TZu(8*LYgrDJdcb1>S3ds??H z>(hIDHu;zF@Xv6t)|h(uopd3y5mf#i5iJ&xALc8=Vi24Qvk%XB+WcH60=w-95%wU} z{e~}eE#YgwwWbo-Uy-9QePEoNdGr?7nnUXs+!0yRSHx zU(hny^DQh~f{Km*#+0!}O1V;Z;cd@sO-hHFrWbmrEuhtw*(!*>>Nk!x(f$5{%i}$G zb@`DV5w-NaB zXR-OO-e*6^R38@brC4&&@OX}*EU5sM7eeRX5C$a<-mFG5a9iUsF`K&g0%u&m7C&c+ zs+d|X$hDLx66}awxkOfz5fc9rTgY)6lKFP|nAp6)_FAT8t~_-ZJ8vrWk#UzZ?t}hS z1S4^HY2ec4-2GuRLI@jh6WDrOg*Qo4@{z$8EwC+naMEYn!Y&4yY=xW@E|-ox@U)A1 zo+O-bVzbCslqT0LuP%s=Ry+`?=I1MHhGU@KvkZ 
zfBF%j)%)qHfQuWDT-3%O+FErFZm**8BVQ_q=L8UUG0mFxZaSw_OU}6NlxcdtW=~*7 zAMAQVsVfI=1P;xy;KxI}B*Ls2ak*Jp>x^3p8pVr+_o~umgB&Iwve@2t?v3p_n|bvC zb8oyUu&arGNa-OK;O;GQsxtrERE1{5`Gx;haERU4hQ?AL-$quxr8P!Rq$*2pqOsA_ZyG3IifKsws=t;s(#XDZO1nabPu?^iz^LGmx(avmrCgpIAlcNDDQ1#n|Ui#={d#fqi@bsN{r*lCvyzNdWknfu7CL|KZ$-l zVyL%s_#tWjp3my1_=0}7+~T}OAM}!I^XX$k3=wbx(-=JnO*pFHzlSW^^4IG;J^JV= zhnUT{H7xO;A}0peOX>}YM%Z)K_Hpi8Ly*_d8}kTA=tgl!-&(@GVh;QrS2aQ%T%7>#`=h+Z+c|^^pHU90@W3K7*29>7HeGHWoW|6zMUqm;1qf;|9>3`G+ z+6ZiK2n&ygXo>rS3l{BLCzF+x#?$@DIdbrt{?w@FxKwR@hoiF!-!9sJx@S!*hy07o zgwyXtf0TsBaHc_9Aaq5cxpf{oWjbwusErPsTV09z<~6R^te7WgQGD1AWfpw8tu8Un z3m4aXs`dFn-n@g1zO9!7iK2gVt-pDor|oj;nW-*LpmUB2d=Q%M!l{h$eAVff@XkSw z2E?y#tnYArjH79L)LvF%RN5utNf&yPSr# zjY%KAuV?&qU3KM4D!m3xfH=Dv+nnW?M`~=&_KMSIOkFKX)H^P1W_VOY$UiU5a5oy) z&A;a%(lKqtJhwSkSd_aic6+6)L zV^@~zcng%DBZEkGxPztYNCaTJn8NwdpTBg(rfS$ZmeHk8spLh~8^+5nYMtI(!AH$` z2;qQB*s$%we1vRDXF4}7EL@cIL^@uDuTJKZuFK1--daJm<@GC{}ak+Q_s- z#k0ro0Fr)=RiB5et!r*iIS5*_w%oV-rX^F4|L};*9*-8;{E?x_sRl&Zag;R3tm=Or z%`5PC4oDy0_B_*+A55KcTMno;NP3*49|1;LH{C_34BO!Zf=JRYoeQVif3GW;esWpz zwXv$E{?+;PBIpRQ>Pua1)HfnBF3$4=&TvcMepP*1Z=xMMb~3F>ex-9!tm3Ig9|vXg zqhHN8A4Ipuz*hG{sy_japgdZM-^)wMd+fIpAy!AKpMh6Z^5(CucNCXnVH?Vim-0eM zRA+8*Ondp9dLdEv`F!r2wPS2?t8~K;joiP4pS&$8c*4G@CkaQ}O1EL(Camd*7@D+= ztW?f74p8Ng#|X8(A^CbmOr>H7H%ty{apqvhhwuqklFyxy)dAp4n{hmp;rOCb}B^B(~?X)~AlQJ@A2D(DCus)4%I-lF|wqvy;@QmDB+*o?nwM zSYuMkr$8f;*?9_rCu_jJ0G!WTkc;Z3v12;d=Jt#~(f{r6CjMg46N;60?EU_xW@pM^ zQx2X&FeTyU>0s(LVIWxxt7jw!4C{l1bbw=025&IiwUB zIjlqMrV4f4S!w#M^wL>8==+pL$T44mx5_-hf?YYj6m83DrY`|+5Wj1j7Z#iE^J)sp z6fgm_NGH42Ok1$vtxt%G)3m1077H4IfL8~AHPkXwi7rJLQPBNx8 zeK%9vt4b{)d^O=g^h7t!req-eytu*6z8F9})u(YlqG*VcLl8R01y9%8&WZZ&LoRDI z23C9RG!NT&DxSFz?%op zTEw)>a}sU;Djl}4{Nc=TI{bIllgr7$H{XaGP*7%f%Xh+=S9zF}=)S?}o|gU?Y;d$) zQp~yrJE^GmWf_~Y#B;efDJ@3b0-7)Mi>&KUQejPl#K=5b91=)r5uGOpfdX~xIfqE? 
zkW5Xw+>8{13$F*u^PdK>pxfVwK~&Ew@nz{@j&Of`+WDk<594a2Wtofh*4uLDs;s^M zJwK;3gu3=k?dw`zdVOYdo4r=vdp3}%@$auTcUA1_N?7DC@P%Ib;1PMSH#LooBgSEYj|j;*797x&oE(UGz)_Nt!^aWQ z+39tDxUh2U(mh~!VaGJ^9zx@H1!g)O%KkWi+KHRH5>J`71f8gX6imX7P#0RGOkm`6IS0(YE1G z$ffWO)dL;6%Rq`@;OReBad_l2Ng4 z-ek)39*afgp#>sm;?v_=6Qv8iX}`3TDb_jxnCm5?Yg^N8aD5_)hgA=cqER%=7DqB*c*=4K9(*08ZE5okMA#TU1O*E z@UTOXkck)njHRPSuzl1SeN!p)Mv2oA=AGzsO~m4Fg|6F%-g3KnSJEE`C0qPMxOtD@(l!Za{bSMPQlEw24ifr zY)c^5h}W#mvbkd-eZ|4AHaUZJ#kk+J%aPwZjbfvWr|%g){TQDXE9O*JnI4uqv&j)X zVqzjQ`1N&7S}UKEJYU>z)3v-E<+B%1l0hTOTOH!KtAx(waRLo==)m!Lj$%XNqu?@`T-*N>tL$3^RB#$<<2!l zd9Q$TR_p*!SnNr}*g+;)wiIo~vdSc%%+8S!g4}01f~T66d)tioAH?dG10s)c?SZs2 zGon}abCYAS*2b?>4>Y$En88vl(*{`v*Z&pmXmsuHT#d2@EJRGc{C!IAesx>5*pHNJ5YM;7 z{~9^QE7&h=;Pbc0i79$B6O-T<3pVe*(Shpfg-F!C=bR82z$3Z!heD?aM##l5W5CY> z|M}^6*E7(tDsJ|{J!vb$716`9C%?+|?=-9PtmXM(ph|(mj2-wZbHlBK)6~S%fQD7) zM~`YH>yWWZ>Gx^1wtjLaEUcN0G2U%eG72TJv%Q~(#Ha@jpBxTU2Vydu{Q(Wm#p&4@h#sApyC~C$drh-hJ0ACLPtygUS3wT zt_3$!L5FA?9MC#{od~tA8Y%JY9KT7coV9COE$^nrRKLX@?0Jnmf3sC7Yp<0x(g z)4!=p+D3jMUk{w*s89&zfW}lo9e34eYy?}iE+|t+%Gn*=zNl~jebpxAL*FH;SJrVi zO!M)l9t~Bh8gwwm5%Yn-bDgAa=aZ?v>|p-QJ#muHqNhgm9cuCRhlj(Tty|9c5HHI| z8x&m^8uhd{lAf2%6CkqLziHL-cY6o8-}#vy{tb6t+y^b1##Uyo5DC4eEfeRxrf@R6 zPcDe=i@jI=U|RtbxyK4I|JO=mLhQ6@;i($f2uP5Pi(e2)+Dg431e6m`@P3dW@--Oo zv%u)?M2qc>^C4n4C<(UHR9SvMhfzj=*kRL-(~8sd@&K8PfCs%g5AAW6zHzrjo-z{F z8`4N_i@heZ1c$@_#oC*PL;1J;(#FiYR7`#HY9-}Bt}^ZPyb_c*@)%wZhNa$WEDd7kg{d@ajK z3?6+#^i&SSaul^Zj3E1!bZMULaHS9p8w6|(mnD_@o?dDgLTZbf@pl8|ESsceJ&i?!B|4rFh0koQEvNd<}BPoWf2FXveZ{FVqh1*XIx3 zlR(IZ-xC&ydAYE&TyuO4>CTo1Y}jx~A;d#k;*>dfW-ZK|`Wv^l4>JK0^q`1fUOHFk z;b1-TY0!`PU5V^&ozAIe%x@nsUh{bkoE!DhrxrHxxWm+0H^(Y(JP}wPyKC6*1&Kum z4Z<%=p8uxPy{iL9$mPxT4?dcg^f=QZdEVcuDt$I1R;m_KSZ7!4RBX`>1m;b*hPYkp zG4vAjeYBy8z6mzj+(F*NT7v`#N^!!_QsA(GOnRCu0&)g*hoils%*J)6hO5p;q5I0A z6aR;E5d;-j-z>qB-+s6aQW5dOPnq%V0W5>QEQ6bYC~h}<9muhQW_T3U_Ey z`)+$2N8n+_z7W4YWa@rqX)E$LnQNSg0RWd=_l2+n%@|XDeK=T&?DMeX1f>z9-E;gF)4hW2Z4#bffb(-R12| 
zAdJ2mtS8FGd+{=Sj)fv(LkK%exms^znN2xsqP_cItNJY?fA{Nhs~diLWL?zXIOx0w zz(6~p34U~ND$R18c#`&F0GPW7r|1X1pbqZkV0wTt=2_Z{bzsi>H=WGUN!$p{IYbkb zK(-)4<0)oeED-^N)7BbJD_3&rv@`;vWRe74j$>gx&@w0`-m0G(3LF%`Mn|bk&F>0G z4WBulvil@06$S(!Wi;^^m~KrRiNe4N=*MrmRMFpbPqEamn4UVSDcCJt0s7c~)78w< ze!`Y)L%K&2jpBp>KnGGTMM(v1AjubeGpP#gaAtHDv>ft`CP#se?PD(DX8Qq;A{{qg ztCO(IkTMd&rQK+#QlHdQ4^jG; zzwRNrY(NMYeL_ZcVD4J#_td1um|d&9gT$sabNOrX3mJbeG={Jikb3_fs0`*8Hy$f` z?5DTEq^G#dbmK@_t9?CizADgs?@E}lZMV&vI$PH6O=x=tcM}QVb-}X)G#`U2Vdy#)j&OHdZ5qS(0P`We`e^ z{Y|$S_7A^6fWoCrbIqi7fL-GjkgIj_31$_309JenUM(QgfGSFh#;knCegY<~X_{ED z#W=o~c`VsL0mvX-q$DpQ9n5e|nBHCO?g}GKl+h8Lk>mnqeBd|T!0C_+ zgoSyApH`~k#)(w!xSyg9v?5S7mkfvD(kRTsTdxc9qZK;T;qo~ z^=CkWj5=EzK}cnPk5afZPGbV^y{JCki_9(o?A0AN0deW~M&o4-v90r$Uqz^J6HW(V zHoz|>s!#Bub*l1$1;Zzd7{-j6h+SN3VgdK#N*1u@EB9px_#0j+N=fqqXFp_4aLTi% zF={vgq3MI((A4My;P{#u7MDoVubu~=f?N3b@_ODz{BOFetpqHsoeZU36dwVZ`T#%$ zOO&b)vpXOc<~XBPGq4lf`ElSdJsr(6i)?KZmnEqGI$fFmmEO8`R{6?(0%Nmq#xr(H zXgSdC#fP#ZG<_;U4&$dgTl@FIXg{iJYj+*%svVj6Q(PT|ZZG=SM6;L;BBO(=tMw^$ z*aS>Pyn?97IAYRJ(%ts9PtvASFOEtfU%%a$$jrXq(;(=a;`SkJ zd$2MMa=}eLHRF8%3oSj6t>4Sf6Tgrw&uwnbcU}{PCqfQ{NL-&$%0z=t4uo;-s)ov; zlDu%o-CJ>A%f%nDX66g>%u-)q7yD_K*t==pp~p(PlYFc8t~d0RcdsUThy>?uX9cZc z0ORY|hcksHebG>$*$B*LWVNfm>850U)9L#s?G%TYfk96j6r|iBfuZL~KUEF~>#3aM ze-4VcaDZZcSO%y|Bm2B4xT`pj+ii9VUT0iskh&JAs@tlvd@Bs}Yn6rHns`)gepblRLPmOz$Y3SwM1Ue6CX`+1C3mBKzkcWd|qFp?WSw1=~!I4YVP|d<7&n~ z^{;G_wWed2&u2fYHQE(G{Kzk{G3QCX74vm}6feOuYU@9ohbHrwd=Zl|6WkbB6L!mX z@t54tlacNg2H_!^e%xUfVMWMEynF&4JF$x&k1H2z)sVjHDKc7nC$G zS~st|sB|BPeYJhX@?o6Id8;d>VmV8yfeeDaTbfoR1^jHJ684pLOoP{ay4w2C^5~~> z0xhaV?{+|va_<-1ce+kTg7Um)ToW@ z))a&=O{{E$;m9;?MgoZ&2m>NlQze5k@-KtVi25y`pns%Z)^)dDuqT z!}#{P-1kI=mN@*CRK1+)Q3qq>k;T^I;BbNY`t1p8{MAo{LOgK4Dz%Niw=F1pXKF_L zrvIx2$A_<<+&dY-P{`x;9O^hrkF+DXA8+G8V-`;3*$3l%J@s`<4#M%|Uw#feK1=$p zGuWZ^z=|ixYITn5ZRXYC@w6Yn$#0mhyjR3;j3c1MB)r(v@}Zm=I^ z54I;oMgU#ac;J|p2-XnenPAZN&)gp&>|&3&Mvu_0NAlotBMK_`58#o@#Qbl%3@{wb zUdhy?^97hT!RKKqc$p>b%uQ=AJY;tevEoINfK$>H!mu0nD?uHhU+c#Tcz^=D#he9x 
z8c+VF(~>|ffzbo3LK1Tc)zrvj?6GYKT>mYKeIKfc2j)ii;R*k4V%pAp{BLF^;D1U@ z|2Z>d-a=2$vNy;OGuxpoY8*&$(}=dFn-LwHyLOfq&Sn)BWx~4_EFWXuXd%x|bck<2 zV)ghytjU8iQZwZQWFntVv94(vrH$@G(%d$ADrmeD zOVFPMq6N4JkmuW=?MjMi{NJRoNApZw;nDfd*RS5V^VbbR=aMIbiti$92vQz0SV~Ps zLu@*$LHuAvLV#~qwMqXHTmh^=6lfPo4xKZMjilCjk6Y05D0M86WwF(2MCQh84#AV0 zNRwR!p^T6)&D)@Akg5AjkM7uP+Dvs)H5QmtlwZ;B42ITgY_LXW?&zYx3CKh1S?c-y zrP;5Bl=mR01gtISAyi(Gp!oLwBM~)OaLr3>(_RJb%>ERmfoKh|)(B;##lC4EfrYgm zX^vylaNw=#_Gq1y0mqmoMR^ke~o!@%E>kxi$Swo)POE z-E3<>IH=aM(y_h+@taP>rKj>>r419lgB}>emJ7{J$toR2R!lthllXhCSER8<`xcuI zPGcVu3oFd;s69M#0P)`5+tX)QI2`B+5id}3<>{AQwJ5N)0WUNNZ-S-L{ z*J_7iVg1fo0s0-%`q^pTZWSdd64Moc($|4-PPRC4O;HZSFDK#2VGqfsAU|OutP}GW zQoN%sBFq;ansIJKwN~duG*vA(<8DL*^#y?apQlE`dv9Y4fPqBcLf+X>^Q{B2ipbJ-M+- zwb||ae~I&#VIdEFD{!gSu>m{(K_gYlW|pp!kB z4;jVJ)b93))PMx4c+-Lr)=N=D`~{8V3*l3POZQYbK-(#Q`P)J7bP-qedvQbP<1dKW zfWGmg&625U=KQ*ZLaAchRM}+mLA4&5Uzu;VqZ!ZovWdqqtckZ`Smn6}=PeT6D+z=h2|Iwn^6%RrLRCa0Im5+KWWAY88E8drQTtxIkwtt>3FZ zI234zRnzl!tE`N;lCFI*t!%MeZ+h&YE@%^7pF+DzVJ;&?v}e9hYFv5wh)_y&&N*d; z4YN(2A7fmoixfV?baN-$lB0_4?^E%QLW#TcqG4!G%HPDp7bqdZLQDCij*kz^kHTWN z&%r?c)kOd8vPUnhvxBQXn$hSwhiV!jEi^6?oY;zQnIP@z5!IUuEp6PZ$DUT0%ipiQ zcF%J0TatQgJK-amBaE!;KBjco*)QPE&&@#1IS zdYUA|R5W$WUgU}T=bf6ZIP}b(Y8?H%?70T`AZmN<%EGSqd@!|svqAe&m*Zh~V5glr zJ^=X(#fncqi5HDglO)w^$G43gtA4k#OZaRf!xXp;M|h>Vb>C&qbHkUl4%K*Zql796 zoh@*B(#&u>r&8y^Uisvd+t;fTkFUm`%Hr>Qit8~@U+`WK47Kh5mdS^7fs=F=SYHBm zl4C-IzNS(i&M(=BfU_MlOe47ZtGHViTJoomHqv_-uiNb^cJR%caRz7I43l*9l4UCO zJS1*xdstzmG!mH%CtynjNk`VO%97CqbS7Z?qZ*%)hX-&&9$w8>dCyd2z|rAF5O!@C z{0Sj&;VVLfU3>Rk-YaQKjtFj*X8^1BnNNgzJ%U{{S?Cv9ng|IimYas(C%U&gm$hB| zu{`mYhDu??&IxCqOOI;u`5aRRNe($A>x26>V-&YS)Zc{u=msNdx@vM*Hd385dr~&k zB~9hInS&YM+|C_gZ#osvr1=mLz}`0aZlYP4t-lwywtp(ZMz9vy^!-_v5b$HZ_LOIb z4E(y7XVH@3spYRfiZ52a8QVGdP`sYyX+5d8Yi*s83YJlY*0^gw$bsIoIfuKI@wZ6n zL_v!FSaBsgKAwdH>#jZ@lGw`gr0hB2`{YCbAGR-M1w^pYE>N^f2|p6)(>_uz4>mlV zUlR_fZ5%IN8a0~l?@6$d1V-ceCvO-8KaJh(guApLJ=Tq@qW zoM77U^d`OBlew3x^s3$4P&X-Fq|_W&2Vz>e6@C^a^kur=1tGV9IJh!DsBrh49>VcD 
zpAB>Q>+j$D2K*L5WcVu{g_x%E6i8($@k55}$X@xE)_k~KkN#w7vP9XvxXmkB4>zP< zm}%23GP6$lw54iC18QpUb)Kt*PDMZE!cry1GM^;2Sw4F3O^NLm>nWG0qoQ(FYu+0i zeC{b?7H>zFE6g5#Oy9iv7A@fMI9}s|@kKLB&}i7Od`9wMt?59Op(7c}+QdN#0TstM z2uF@PHia#AhVf1@$2`--*^u zG1?tkc=~Nv_kDG^YMWrp-juWvZNv_QaoxekhhA_CDo)OkhzRwN@ErPq7eTm1SS+43 z=;R-n8?Tr`*$m^UiI34&4KJ3WG!pd^zn! z^!6#r(Xg)915)jJz@bS`ZEeP;)wYH<4@bes%Z;}ls!D~DPP;>$QaSo_{c)+7PAsdd z8vB6nd}`nbMM^a}jaiD#@_b2YS;?LE>ZL2E%AE^optuK1gJ>a2YE+15km%x9gxuL# zXr=MhH$1n&>2VZxuV~%tVHfXsZ_Fqd1dBrVf!b_<3Ergx!-P0wJF`dH3Tr&ru0L?Q z6K6v{Z4aE?!{AKj1tR8VBh}~!&;slJxXcI@`bZxaKZhq}trAn^)Le6z`W?vn$lM2x zD|Mys(UKWgEY;YIAAGsgr@KAvyU;UAS>n+zsZM#HB(|5MZ@->{tV-SfzFnP_l9P}~ zuxh&KeZ%^18+?|JjDWTtM>+kfTLCLrfk_@%=3;#o;d zX5}L{Kp!I;B-V`6IO|A(U93Rk>X@>v_WLB@wou&Zr*JlkUN)T84Pn>|_Au{RfR#3l z3Tzuj;dz4n0wXnqA8tKpO?WM1*^zED{pe}UJ6*BL;2m;zhjf;)ynne)x55x*#z|3| zY4h5!+fHi;|Ktbw(h)CkQ9?z52ujnJlQJFfs=UojSBK@cHgB1O24Kf>|j@P|Pr$lGrT1nQh75;Ruy2NYlQ-M<^g0Vk4H2r4J%l0#) z$8I8l_Avo9LT4z&;anO^cw-K!4A?Jn2(;%tMd&dL4TrQS(w(EgB(KC>O|uA4;FA>_ zvD^7DWFGwjRUT98x#Bz-g({e|*7eSlLXYP!@TVFUZ~BfNG^Nab#}XChoIoeU8$Q1AY+JcV8=ru z1UNEqdTH-G{cI8X?9+E-)2c%fnc1d=rYrx#5a`vC+E-~@1T1(wh=ZKt?C(s4M{%-P z^(>e*mB)TAEpw_>SMR@is^FrhRM<&Ekrd9vymY)t4Y~VZ*h^xcmnq%KO|Y&q$tlWA zqE-CM<>&kKjUVXg&4|9&fq60AA`V66%G+0|dG&r*m$r(zWCHZkY=7wPzrAi?I{$ep z1!Uikin||{?Wn~P7&gcyNYT0RP?R=aDohF1*3W@_GrjF4*`QV0@0R!X&mD)j>BYal z_h@)2HlOl7)5%RXKylR#HgT-N&&zrJg+tvY-oO>EStZBjltptl1F_jr^Ost&NiAhb z416we`>BS^=ppQx2KMYJWanLiOFRnl`1lc=%|@;`o%&j^tyk@AVg7>Ky3VS!oe@zR zANQOv)6v2Uf2AZ9BX=b7)XxpS^d?vj`R&NY_B^M$f!08SgW__{4$k6>^I413Ex9C} z8MPl-o(f4R3d(uiS9?8SU2ldrZ6+^>xrdtKk=})BuB&_Xm9?0VeG02GI8NF(Syul; zpW;i5n_>e(z(dw8+AVDY9PiTEXMFu40+#u+D#+1s$N5n{inMnp8Tz;KxE6%fgu_bq zx_FO4*GilHb-Zg&Bh0nkHdBW-J<9{&Zxc7r=Z9TpvydTOA3hy9Hwc{zIbeMooPtUD zGHj#THl!~bd!tM`AmN9ew4!jPG2$ypnXt7mj|JL_nOZr?FJ=tX2CsnlhTB}r31BCI zfp`V``DRU!qB)C+l@=3>R0Sy7mvZbrM&yq!DL7(J#n*vHO-vY+5KfUwY3F*qF+$Or zw>Ug!JbFtALJ+EL3PY@|7w4`W9BXAF99-C%-4JZ8%(}PlKKSeT9-Ub#4d`4DiElRq 
z*r64)r9o5zl__No|Ey)WRbvCwxDUt&!ZtYwq6VbRIXB-md259K^W0&ncRm;2kz;AC z5C2k&$j9_#o+klDgxuPYto5-nOLueQ3Yp2Sn?@14{LNcu3wcEpnJS^sb4KmF0>6g-RnZZP%`KCw@|=EN4RY+@tq&J zYYY1xNTryk$N$hh4nE)@jezEN;p)M75lJAF^_6vT>Z%^#W<-`dY&;wDwQ2V6z#JnH~Vdxl40 zFR1vu(Z6;>{z`^q3}PrCCTYM(ljFN@CIGG~4k$P;HTg3y9jB#OjBo0r#eskMB_J|7 zA}?QVW25`px+PpkB;iHDHSQZat8^b35#nuVjzJ1MFHHh*zj9QR3$nL35?&H3UYK8(Y3vPa+FigB)WEQy!!nux$B zN_&wsKXEIz^k0J<^9xenp}FHSE&&lBcck|>UHdo)#njB3==Xa=sS1iX})OG3)25ytJiT)e{Sx*3H+}9Tynp0C7&kNIR~0 z)0*Klt12#kGNm2V_`O(OLh+dT$Ocoqqyp1s?taSb-PXL2pdl`$ex^%q9L^otmR&gV zws^YwDE%T~&$WK|gC|MPPW7fzmfiCc2YR=;c2CrdF6U!URc}f zo==10S=YHwp*cD{(SLzA2>?5P|IQ$wf(|waAsAxMbb^{X!_BFuiq69)-AlzYUj1PR zJMj`8<`FRIzt%A%kxojcORE$)@;BXD$yP<4v1x9>oryfZom<7a9BVyEn#gWhszA(f zW}6-VhzcNDY`dmZT#kd|YU3k!jD#oU1tCrJo*_Y1$oTHFAAm0J2!A?5X z7q8&7^b0*x5BZ^(7jYEFX_9fF;O!`mhVZY30c*8H>cur7q$6@sEAFm{<)w#T`0of* z;K-pn1E1^rL!pe@O;X4f39+fh#+MG?8yn5Ko+}4)iavvW8!y)(GlH;y$KsHvqS)Lm z{^Ach@rOP!G`WTOa@4uAd8KWpMoF0QJ?+6cWPt4V{1695%^t4Gtz@ix6E!}y!uH&6 zfDV-HY)Z?)>4kuzo%YpX0Wu$4p6}7udng|Skz&7068oP7yrvx%!&Pd?tXTaQwkqjc|M9$+Fnh|#eyK0fyNfDo!OByTB$Ps{h> zE>DR}h>!;tqGEq<;0QZsxRJ*C!jB0E0ouJ=^W6tt9~?ZO3`|x#+oQ?nrXw2BKES^~ z9{yts|1%Kcn?ornrUg^grn^nBi}>~4&g^CPY6zTxNwRTrYj%GTbplj=&j`Z9M>YT9 z5d45aktjsdnT>*OaQK0N;o24Av z0JF*9m>ksBH~%pYxrB`A_L6FF?cWWap&RLz_h@n$FU&8nd^fRC)rT&pETgsCGIwsKe5S8s$ ziOM!9nmfw`gU>kNz-RqJ5iV|wt|5@ysQfYO}W!6ozYTZxXf_C)7L|59;e8%QSG|M z(K;E~^uttY26AhWkFB=EMW0$((FfNdrG2p?nXhfCaCl0Z_07j`UX*!v$1r7)fw#7g zuk4&-hzR@^A&~UjNqExtV?4w8Wzw#|x{VzLDIj{+OWFK}sO+8xpj{ykl|DJ&4 z31s(v!ef)RPC$S$=jZSN>}K(Ax+}9FobK1LA(ac>uL-Dwljv$nG@9!-9cB%>XB!B% z4iCYmw5=hlGKdHWfu}6TC+c*HKDRB7Z{bI;{}`K}x0TXHw6R%DuH#<%5C6!^5|jSH zYX3C#8{v5woXge4c#`@->Lb};D+B&c!DW)8kQm|xq|5_gc&kzf`8v}D1kT)`ZF>R{ z&Qt#FsFw~L42t5v9CqrSyvSbfgIil2?2ZE|l)rc(5o(v4i2Mf;2driApV!~)Zoau8 zJt^4PFO*mzCB)FAC1d;xVDXDRCoUeIV$f9DP-A@$Q$b!`d8Rvk;T`1d;i4}G^d-tx z>g6IZwz=OZ;Nfy_WHYO3q}Ws7UiO(wviF5MOkdE;G|v~2qFX?Va}{2nd4SP&{el&4 zy4@`}cm2`*1eIrR9TRRpZC<}6u6gG6v=_KWPuj91i5cfk$-Sws+!%t3t167qtoSk- 
zKTnffESrY*FEvC@Ubo^-R6G%3Bd|~-r|_x)kjqD!A28|bii9sCTua*A@ln~)wE+%U z4%P1apYSzkF@zlh(YBw0oceo^6mHjbpjW5mb-Z@T@JB;ohn*-${tz4W>+TqDO3yK+ z&HHK!G^@wAB{HfWT@Q8hWZOel$-XA!^KMEXUPoHQFX4!lvE zJ>KP(%whgEwEWV89)l1>IzeiqmGEoc{F9FxzCS+m;yy$8)tX&{FDegu&wJ$FTLO?T z?$xS3NFc%PUOqG6yI{NHMNm~4UaQs~ND=K1VDX+geSmW3F$ zr03WN%(Kuv*mE##qI?113cQ+qNa$N|J8qku+@ys)$+;8T@qI)VJEVs}F8BYy zGnNYtl2n)uOqLJF^?VbGoUWT4W_dtOh-BJXa9ArkK~$jOGmjA!m?Q*PQHeppimGjv z91g6N3^kcy&YbuK66tvWj1MUoWQw@7K~7K3L!)Syb?_`QWXp=Ma8;J=?$=s;eAxwo zr$GKSZ_utCS{V}2yVj9=xgvYSEbF@bO!u{1aPtSrirN{-9*b`!XOwh?8`*6aqrc-k zF>~qgb_g>~(1LQeV$gnfU-|U#((v}?e8>G4j7(g2epv850r{4MC<~QVmUq`xR4_do z!v?nuLmY&&D@JYIIr2?E4yDd|m>3Qgegxa5``clMGXf+y-iv3-ro%%;!zaMY<8eVi z!8bF@?zLWNI@YamGu^$_o(uUK%Nq^TY1LC{N8BB3Z#>04;7i9JoH%~*04*L@wh!z_ z(L$q&T1hLrg9YedTjGk7PxMntSH2fHUtS$2r>VbX`*RNUqb;Vi`?9IaS-Q^8QLjwG zG6_u+l!U74~+N6*#NU!!?WT)N89uVt}>rxB#aPU~}40yVWdc&W0 za%&$not=6}@Jmu!&(Rq+LL}oVh5}%N8)W6jdtwisMkS45#~NQmi8l;Z01?9|p>a7D zJ-d<3rpp?EJZ^ROs+9xkn`X}R0_QszdM4&DwhxRvC8l#edj%lsAE&^|?wnDq zO4RK+2G*!Dq2PJ`<9G2v+BM2Uut6p@m&sz`2Ki~l8dk(oB#(95{k~i8nTk)dpR1+Y z>|k){3vBnpGSc{FDAuIN&qzIk3}x$L1BXi)W+Dz|=Kl5!qGz+mGh@PeObh``dX>%?dRhlYX~p|Xf8cZeRI;~K67yHo z{x*2rqK_pOcGe|Fme|Z%;jCQ`tzLkx%R=vkCM(!hTfIb8TxLLi_ZeBQSF^0>>%Z!f z`u4cc97CM6ZV5-tIGuAe5#|_OO4e4A+W!2!OpGL_-y@^?;l-xRUE)qBakg~AkjcUP zb96ke5xY6+AIJg%dL}x+hjO9%pmwxTViwDW`@Aigg| zI}@7q(|wjucX~gzay6dJ<$}9xDZjFL)S=CP8f`tkW=Oe!neTj|24xlP9=KCOKU>l2a{>al-sXa0Tm%U zVO}p*{Xp~f&K^~4d5(tQh7<=@zk)vQ)nn<+rYI6~OIovZa^>nEZHu&|$rLsA6Cx&+ zvszW>GCMVU$NVXuu`>O|+T12{MOkZ1G;f#wCP8Xt({-C|TQ0n2`!lG&-X!AvPxRS* z@$Zy7WNq}I5=pEISCYg{p(C#lfTKd=hWRan&cEkU)H+_x#qfR8bj z2atx(*AxO?0U(-o9zFrJBLdCXDD$!zqz~wBd0aIqaaTT5e#989)3i;H28(;gO0))S zFApr&9S9nQkTwCiq#f=i=W?qaZ24kR(S9S@SFKgFSHR>Bo|>oP<>v zn0@{Z1kswt2+H5LU|9e+DK>YsBvCRRZ!7P`XfvrDSUlVA!qnq+V#bcArpM{2Jr=CN#$hZmdBN{k}+w02}-Tnd=qqcyAxj^~e^S|lLO~ZJ<(&6rjJ}pT}nP52~ z4CFjf#IPgTJ7z>}{e!0^^`b*GJ>T@}@pMOT7^@f+`6yqcZW{@D$@tpnjx7MXAHwiqX{8v~d@CR49mq)o6+@1=FgFfDV6*LRl zq(R$wB*qT{67tsqbbP$zrs1$EQ$1(C*%N 
z09qDt zm*seIM0DcxI%Yjlhw@{x8GU+yCa~I_v#Nyh=Zx<4SjzU=Ru-@zr_N%;{;kW2==@^r z=eVNae_X!mW}K&fHvL+D`{U$D0iaMb5Jr)UZ)QEdk;w`wwB?unLw}~#f&wmq&)tMS z8}#g-h4#QbsQ6DK@}IjH;3@o{|Gn}E4Cbf(Nnv<+B)lRed>?v-l%h>EPh)*qT%6r7 zC^g>@Cc>2x;~>Q=eUq7EVDrb5Z-*C85dUF}_YZr&@&7KW&;=E9EWuOau_uJ-|Bat@ z=ujuXkMU1*gzI3u=|Nc#wA)!prVv6nskfCTL1sPZ1c5|fEAL66`>`9=D*e|dJvZZH z7L={|S!!p(k*u7{OfKwfo9G~2x@`1*1zYf@)lk3bEk z4@(M+Xxl#K^NXj@mH&esu?%6yu09=u68`F^i0yAh4woKAv~N!Ug&j?jq~{BnoFwmE zgVNCwm!T~R^r=L%d7Ooi>oOZE&sA)N-zTa!{y>u`nF!u`9)Yy0X^V&%u3_0=`rsFg zH7^SdhEQ0s&Ox!4lcKW# z*TGfV?O_Vk#VL2f8n?EyT5YT^T+fBz)}UiJVaVT&xk(ZSy&U*S;2h+k9LPWLD4a9= zr*8))RA+#6O*IiYhGf(Elnx2k1cjAY;FDyWy zq^A=DH2Ywe|1>V9K!n|6@tu;U5pWf~rr~DJP`_gFVBT%v%|V8OsJxc}WbI90vWlRI z-Gn$zEFGEXd037@vojOMisI(W}}z$3`yuzNOh9n-1t>M@f)aBcRW!(`2p6oNq&N4dODdyiow`>cyz9< z3<0fAkgT-lcHrpfn=6z=MHM}%$wx`MQid|D-x~*nDN1Rq_bJT7B7GaZ9*mlpAku)w zyY_o_TIHR-%8VDD8#8#`-i&gIY`TmP5c?Y5vWT->``W!C5|`$lJP`P&P;~$FU1D*txXfyC@J{<3d|I>?TQxq7Ufq-C+c_|8gD5%ypqHbinTRIhqId5=)RL) z+Izhdd}S>4&IUdoLOa#bp%R~rV-`#S_QbJ8=0yWfQnA&rs+>Rw!7(N4~lB+Oy zs!0p{ywk9sp3dVEqsKSyNOy(tGHia}V}}cpxM*iZ=e?feL@8GQ)&_WyElCL&(pK^X z^_n*eZJK$dmDQ|s=^PVV9far3C2c&Srau<{bUnW}^?0VwYMNcqrH`k;zpgTVghj7| z2ijqXGyEoj|0z}Jq0pM@Sy4B&1x^*>p;_Oz9K^5UW5`#(@&U4uYw> zP%s#rYcR}0Lgu$4EBMdSw#mWmL2-%2ZePEF{;;JDv71r}(z{3cjXEdaEkUO+Z?X6- zC?|CF5m_lZmf@S2PyVTq%z0@1|}Q2P*%szW?1-0h=n!f0`qduSBpo!gNA7QObUJLk<%5 z!7xSP3#;gZ5cXF8LT^H5L#TpyGv9?8m%RH?$0>L(3P|YiWrBdV{|0It z4BLE9#Ar}I18&euD0RYg$tS1JzaS1ff}=wBwzzuAU(nCwZ)HiaUkF#ZFhEc-Z}7?g zb7H&%h;OihSBOPLn+Q9&KKLQ9aWq5*N*x3_XMjOg>-$D1s%k=!%e81o?oq8l7lxLTHvye5ru|m$RTVmf$ zF0U^rBNu*6b7W;QX}{VF-nB(LPtr1+02Eq4$#@kVBCFBx4Y?2#jWq2cij)`Vd@?!- zvL}_=HaKsZ1$NI>tJ8V%{XYUK|D%4&kNs`Pzax*L06>yq-v*0Q>ptu+TpRJX`OKMfa-*5_lP`|{;ZyI#~kB0N{f`_znSaY$x)CnZ#HrdQ;_fhc2?6Kr} z5vF%S5&*eu+G25W*X{z@8rjloMapR69)zp$5}dNp0>j@{XYNhj09B5r`=5MnWZJOf zCgI7qDDr~<{t?Nc#VRv&sYzdV9A4`x;<}U=RB`6w`?!JIa2v-9QN*Vf7GrrYzCR^+ z7!>76MecN%E`KblG}mSPO&2_}k!RFm_H~bE2)Hg$>8`sCCkGz0lB_YV84&8L2Awa6 
z)U%|hOAW5EUb)>enx4DVRMl`>tc;eTi0O-;Ck34g^aAl19PdFeDHPK;=fy%&Xt!fR zSQiFkm@Ij3dp>;MBkSFnSQA?mz-BnT_G8OIpU4^OLB2=|ZC$ba8sgO8!vEd>FZ|sd zphaR3HTnwQ;~278(f?dcWJng60Aos3I#4iS>CTfBmyv9q!o|o}eZTyk#od=nU8mS9 z_?)Z0gudkz;?>tNvv_Cq1J0B#A|ZviT^%B4y_v05mYAnyzT`W7FnwJPQ(WW=lh5Fx zz6S?Wys*sXW2sn`fCXOjk?$G8)e7c-Ij75CviAZ`yF6^J7P!;3_S_WZ^@-%L0NeOY zSAa4YL`mh5WZDIIN9-%cie&HMRMplQUtQ?syPLpHFZd8*vm(S*;z^Ms-=|zA$R|K! zWZ|bt+s$LextAz9PdpxDHaeI+6FtOAKB;f2Bqk2ie<4j;6RMlx6Nly`r_UrHx3vQ; zM!cHEF;gD$scUHM;H&zbxNA#-jF-ML2nIY}V0xdm8Bz?5|J5`(L)zRpn*L2!yFtxt zrTz*j?M+Fx4i?at$I3O)JUu9wfi;@guNh{NI3E5Iq>2+JTT@peE8%A*`c>*i^WSvx z8m#e5oMm)zc6cu=dIEM*Wt<-%Ym-3pjKh}MaO}kjmcM#iQtU*m3vCT`h6XyFMV}u8 zCWsQ~n~${ll|CdI{#*JWphBC-kQCUghz~thttxbSTKIF;Jw70>{Yk89T|?WaH#Y;W zJ?iS>F7~F#=>pQ<>{Apfk}Nv{ywOVq6{()xwpuu^bpz3%Zt^k+|E9|oFIaT-91-ubyu`h4y!13vRHR!-G{Yh=uXvzwDjIlY zgoHb23vDGI%O74ouZOJC&bOr(PEx+(X9qkd?m8EN+m}ZUvtdF!sgY)08ev^WWXUGD zmDzlr>g74IPInOXxz^l$l8fY;2- z$g(P?+U~S7 zh$D@jQ!c*3TR6+H&f~Biz}{o}zV}{i+5^>&i_|lGvm1~FJ#MI**4JT*c-Dm5acO-` z)$V6RTCp4_z|C#{BEaLD!;-zXg-fnGYiPzx}0&L5%SD5*|lFDmpvl7J{ z`Ptm|9;$EO8!(+_0JWy(%hlK^&IEJ<*~4(*S@$QB8u>xPg5ys3RWY9=6v^Jev3I*{+`Ewn81*zO~_!9r>_6>t`i0LL~ zQlTEHc)m}(r4-$-bP8aV(@U_&CFQ31sC{yd?RgGxy-EgsT1YA-_<=HB__vk-Zs8DfqBwE-1>r_jpKnvqBO~x zu7@;c4|^Gq!vZ%+Xs*5$FR8e>Fv%=kkkHVz@wdrgKSQ}fu{zTA5kWS+@k0)yUBO|= zUW|QZs{3J5QEKI|e=iebL0pcTROHph@jM_cM9I?g38?!34>S2TTPfNGJ*O#SqnW*y z+8(7lZR_w_P;~0K&B_J_R0M_}fFt};H|U4TVH6j!GeQ ztbN1H3;JH(0dz+$uJOJZxM`!XF)<&@t4`7;4)q(47WtAJwOiL%k{U;QG(|?<1Br`~ z7B4ot@ZN!6+SMCf=iLn?dW@PIt5JtQfL*)slhC}2dj^=LPm{EMkfXYtMdD{|^WeoV zWw!Nmx?3gUe!A7QUjJHF75^k~F*5zs_a8Y=3>X+<_p81q3!AHS}ymqzQ=hmZc~~s&uJQdJ!Tu)I_NwO}c=z(0f7+ki@$@=iK*B z`R)7ezHi^(f3RS!Z_QP{HNP>&9Fu-u+3lCob$k9!a@kkf5@2PG%CX`-{M4dd>77Ql zDU(F?Z5|$&Xrnd=6=94($L|Q(uf8j!)D;u6Zp(XXCi3f+D(Rlg-@#d<5|$kCbu)!X)XJ@Fuz{7FYLq@8xnn{ z{l1dy{M%7JJ~gug*k_lgOoo^w_vL+kb4wMzsut%ee4=JK>JH?}ppkm&fKHb{>1-43 zWP|1GxtosFsSih&Mn4TnX@#w=#~hVwe&wJZPX(`F@JS$Ws?F+*!BT+AIs3xy;_usb 
zZ>?{1G#MEUA5KnIf8RP38idWLSb<>I;&cod+G?R5(ICqIN-AVve$Zn=yGe+WtyyRO z)|X2L&BoPw~yX72JCdr3c$0-5K;~5WPnD2Pslk|$JD-o{K^3l_QkK}XL2lY_Tyy@O-yfC z1eHPJc!;?(yjj0ZFNwRZfiK&vxOB{8bIL~3lTXbthbxtfH%c;cqjlo-$D(vT-cORhb(a2k z(P<^kLpOMB8tGdq|F+KXaOxYWp*iwdI+nPX*>CwCJ&VBy#Li5eUbPagyL_me>{-x} zk^cpVEJqLSK%@LcUjdJzob-&+5QEnJHasx9=f3@vGhg%$QV+9wzE0_4OoW~B)i021 zPv5CRZwoqZJKE$6U-^KvdFw`nUGSNnE))Ul^>AD;NXh}O=sPyK$jbEoX@B3$%jX7} zA2I@h#g^@D6#gR?JSJ?tY2CP1qG0bS^d}e1<5KR%8m&}8%ihUbp2I@tH0zG^bT{E3 z;rU?=l%L!Ol$x7yTcXRT-BlLqbD_IZ88Zu@bJ3|3u$OcnuyhQ)fv(6W@N5>6FYIu| zt8FG^HV66Bs|t3#AAfl9_^maG4)izB#TcPdMkvWlw$2~z$ZD($j_HJJyeT+Hi+P*A z$Uoeuc>MxC{lmJ=45>Kc2BATqR?m}5?QoR0B=8BaJEFQ;c(7PM8U0NC?hkk$>MZ$e z&NB2o`56z!R4ozM(-ISyn7`WTmPz{5`wpCmD??s@v+n8n%+l&*F0!}KnG~jDOP>gn zHCG;Dkv^@uAiu`tg-hvWlx#NaUY>uNvn~boqu4U@Z5&FbVJVQzE&Fa6PmbbmFjZM- z1OVNp2Q`4WBR*e>H(1XT4U~hXL}+S<#mNAy33-cYsJIDxcTF?<)3dm z&&EmDHP+lEKU94FddcLuKfPyYGsq13#661nj1`XEtvY!3aY&fj!P_N&I)?%7{f_r> z-oU$1yi7|B(@N^0uJ6fLEHdr780Q%AmODA8-L?u&*c}fxFrB>FzvDl3a(NQC+2_#_ zpumG@j2NZ7pO3y%z^Qdfrn~K_x~yzL{n%ompoayYseyhtw$xxRP9taDb0gn73-G}B zd%@kw#v#C2QnYxcRJppPj9!XYx55>^5`HT23fBkU6E=;;BnQxVzB!X^5P8L?sMV9> zEJw`8Wk1EyGX)6eANMlI1tS2%Y^`8pH#cnPdQ2<#X`((?YRPVJ?rt;sHU% zcT{2N$liy3e4nT5NguD?eRh9y-GW)ty%8CmN3iEch^*lq59b3=83k(*OEi1>G9D)% zk<|0xse9BvuyxU)P4`+RM=MIOv_QuEIzP!sblT2P_-6aouVC8d zFd@RNHgr*2w`?-kudG@mPPOQU4kzn>hBgTq-A{kVV%EKwe#>op=J~|xbGgzE-n7O> z%UytHdqqlcFp^os7Vs$)7}#@A6UT|R*7r@0`3j5D?Lom6z#)esn9&5803?c=vPkte zVX2qU5Hz}qOQKW%`k?Ue8SmKz4x_g=-xlftl4&L_$lqxElAbK=|D=g1oaiemD$T z7!1TfeZa(LPzT(oR`R>?{&QL4Vn{FLUI}i;afDAd$SQPj8aBBEE`wmH%8TJvi7s+N z*KYW^!+Fv`S3?-)oXOm>nY?FXTdpT_NzTOyi?8E0Axt70fi#@)CQrLK-go=M))os- zyEFjiHu)=;4|T!z-vZ-H-Xr3thioSq!b*MAJ*K6MWc@V?DqeDhC0#lvPmCHn!f0*= zUf%4Gcs=A{Y0&H)GywJ`lPoT&Z;1HL&fi|jdOSQ@PH03~p!Aosue^6?gLi>2_@PcV zc8XB&6$$R{PRvgZy{Hj)`|)Rb-A11l@g0E6_fu9C%ua~a_Is_3y+7P}tZrBwV}k7^ z?>ZTn$qD|@-}#XHFw*FSu~ktsSaIQaL*CtlJB8rA{@XZK(I*|WB12Q-nyn11@{b-! 
zZ$@YG!FE@F(&UuEli*9Th2n=+U^$vj0hewr|5_x>3qwWo-gEfXo&->4nSYqZO(ib;_9rY zMj1n-4E6~;Fqs;6^y+l8b7P*U4;;0Ax&mA<7Nn8N?&GLua9rA+|f z9)Tdb-MmknT*f>bwN&4?4gQGCoc%r|c*8aOx?a@%nr=&pWn2iXN_{Nnr8W_?ZMAr% zwfczPP4V0p1&R>(*fc}U4xIL^Nt%bjJ657YSANpmeet?1T7_DE+if9`X^|U`%|)lT z3c3|K+HFHw^g5p&yv$Bk8zz-tWGo)lnWJ@5O~6(}v&vTv&Vu53WIOTl@D9!8tqzWu zO(AAjo={8i3UvIE#nWS(0kTzR*z|U=dK96zJ+N|$5r0?8Iws-J3tjr~VDe?1^*iJ)u_XQe#=g7H|Y=s`Moakv0N9$RwE$)@|>#{x{p%czzCbA_J!l`dB6PMu1jYn``c8NPsm9rSF?+bj`}NAzrl%aJl?Fh&|5=r18dZc+6W;!VV!q{Xf#|i~ zg6`~_{VRm#B5{|?dDm27{(`&M?2?<3TVn#BWZ}%FD0w z$F$wJ6F)S(+z@U}yYp)AK0Ko7NT6y5;9ChpZ?rIxzw*+; zjD6q8>)Qx0ErqaYidOSbevvSY3&%2$b+LT|%~WoZd*Kq6 zQ~hGY%`e*%U*t6u=3IEnV-o%ShV6oobYy1|fIl1Pq((qypB(%>`{rwoR>dc`h+l#~ zE;R>1PGzCV{H?ldM>UkQZyg=@De*w6bv z32v-FM9=<4gob)51S;TF({D8wI3%+OJ=yQQ7#zJatakOcU?cDADqrX9qy_`C_uj4? z8W$^gCus|gskuID6E``EH)8?HquN_EutQEWC5RbpiDWNv@v4rtuVC=l6W88wD_e{7;UR#;%&dqp1>~y<>Sk? zECKXG$6yY?;jtA2>3S8o>hc7?GM72pgz<~Y@|e^St1X@h&b{U1zCH(xgEStS;rjr| zTJ$wyN75cgf{KDx16CZwmorIagyc5ecTSk3{r%Mw?gzs_d1aVU+wD#o_g4LOYa;i& zV3BTlYVve6*pku2uVEw7CT}IO5Y*N8>c+MhZ$2jxdqZ_8_ng6*&vBU9nZy#q;o}2l z5NcDuG6?No8N)EB1K3OeTA|%g2UR}5skQMLibN~)VlXz_hP!lcEO2N&DPF7zF`>@A z^bSydm!9rD9!@NnTkf`ZIDB;&I4EOW(c$cVmM+@fqBxuJ)rBuoga>i222&ej)){Qi z;BV~;G+C5tPzGY`1y{J>`u&({;5zhX9z4i}bG57an2XLy-PFrB8}J^$nL7n4Zw``P_i`oG&Nvk03TZrB?d%$4vH`kE zigk31y+(fcNx<;=%_QVapYax~5CQsH635IoCnLT@a1EkL($ikMK_hMhZH8lib(m0& zot|R$DQ&+EBg9sHa3i^|_lX?nZ105z@y|~@cQ%xsAm@e0@S+Rn6h{_sWv@{}CUi91JlktqCCz>{+<@3l=~TaXv@kuT4|urgBh z%a`^Nqx((i6QFLv8$P^Ofr#yRQ5ex~U1+fhTRJ}uU{cPxK z2*n>*mNc3lTAr#bn;=%S*ijpCJE?-(>_-ivgd2yVU#P0RxH;Dd@LL@ZYFyre)z1As zDt~L<$n*frsvgkBuiv_anU$vvJq8GBnVX_rc!DPRGkqBcqorde0of-F~jg2`q7nu>Up8n{NeHD9&+PN*(B;%)G74g_u6Ie7IB#V!Dj1L#|l_!3?#9Ubo&8qV*H)aQDgyFg?fRCdg50%Q zX@lweHO?h5dLfG82O;4?<%xW%vh6nO&m!}ZwAD=fF1j#k=NwuJpBCK$bI)p}PhhJA zUZBJh+Emvbc5~CEvRitA${~!hck=0cyYDh~pL2HJC9qf!n@EX*Er6s221Y@f7#A!X zxLZQ#l)Ca0=7+>8@j0`d+1qi5!fk^a##bUQd_EO^1eT3Y(UXN|gKdhJ2-;7lwsu*! 
zKnw&sa)QFB>H|c=9?4}-$%J@%rubPzXy0>oeHW_+!Dp{p3=%6Bb1Ie1MP@%#u-W59 zHLd*6jmSc%tezz#9Lr6L`7E9=Tp5wZ*K?w)KFc+`)R5}g3-^nQtFv2@bkc88G0f%@ zz!pvf{%XJa_%rCxdI_MbBn5z&bm;%gBQIFR5K7OQRtdEy2wAFyKV*<+$Y}B3K}&z* zpz@k|Q~cFIxH5bo1h3^_Z1TuH$LenOdG%R@fxJrz`i6mj&aS2Z9y$f!HGiWZ^-N+uILjp(1ZUcwllLyl8hzDNzBicj#zE z$4w^jRpXlxkK&$pGo7g3yY0Vd&-?6@lGAEbzh6}Vi~yT{OUlM0E;|x^Q2K=Ky?A8V zU1=aS+jlZ2zWz#dh9D?I+GHeakwl$s3daNPk4R-)TtQSE^y~C>GSu)2(cHiC{Hb~_ zQm6&2AW*`ec@QF{R+#|5nJvs7?xl|rDYi<*43di)uxS0F2m6M(7*fif(Rw<2V$Sf$ zH&stNLFQDU;By?;WJESLO1D^T}?UEv`0H~0Www%wH`&R2^yZ9?jXq_SDd zXKm)fcU%2hCvvi%ywUKPxA41=sb2N0zOi@*37OF(ORj2G*(&?nqivm5(TLT7ww8y? zPNrtUTVX&2Wk> z39}_r5TnT6Q=qWBB7Koq^3<)bTR|ZQ==B4D$@@<{IYgGx1X>ogQv1@Lqwuav( zC5J2&3!9Vr;~dv32f0)0%|U#LXS74mIKio@%F4e@M3^@|B5ugkQmO*(pFjNdoc}a4 zDtNcJo8O3pn~C7k?77R_+7RVqCc|ZjzbIk)lLjCZc!(Yfb2F1S0aCXIQW8`=5FvYC zi6SqHy4_Eq+zTff`b`tT#FHidY|VxE3eM==HgKVO;wQ~wZ##-~$rhYE;9vSmteyt1 zba%9g2b6(}U2;RpUe%5M$VEptJ$*NLLR|p451=xi0vTJ?>?T~sCfFz&tw?Np=?u&? zdW??wgtxbz4;!LRkI!KHJ0o#kSz2ws%Mv4~-A-?o+s|pGb<}Tz; zoG)d8`-}yGb7|M_B1%GopX;y#Q|^vaj$&E_xFT6Izhk3-oSsJhO>>N((HkpX1b_rJpMF$*ytuO;XDC4Y`NWp8yYv=w=k zs8XNY463;M4;MOhe~+JNh&w$SDRxv`L+*|~>C2$Mvrw-a0y1w>F(GC@Qj^{cZ$*T$ z4{v_`TIl0_mhxp{e)?H<>Uw~LT@L9xDZ-dAnFb37 zms=?_gPyt&hxjbV!^_zmn^TY{do6eYMGrb>F1!MP#(^&Hq@DLK_z6unqvPekknce;%t|iJ_ zHZ3rhx*BEM^PY7gaBP=~ye)WP))U>7tG0uq}5aTv*>kg zP)LUenZ}eg4x~=Fu&uY*R9$Yra_R|WgC&@bt&@N(%~969|2kB^Ud61 z{L9>ESHYQ}d&mcGWEh^Rx=k@)uS1T3c5dINmT!?lo9nuSPG#rz@~AGna{jV>Z7Vwe zP2ft=P)y}hAa&rdVjw@?yS6oXKGEt}CjU9TBUR_iQ2~N(0s9RHaKUHg7G>q(jfXHU zAIQA{MWI|0rpc^ovT&wzweTjF6zd7NF-G8hxU9ZmP|kT(H!-dLI#=$12bDzS&^#aS z+uv*m?IDr}nJWs+HBPS|*E~J0b@KzQ&5IZ9$7+`5maRaB%-6TEJEppG`04|MDNbqv z?KF1i{%qOb)wPAxycg>{#jbb{SOwQL8d+#b^nFU!xObcGdFUaCyY~AOcdu?d#eK?O z!toqHz5x6OM7$QvZxzj!!_^W8)JNxUV_f6bjG-SVq51nTKWNZWPHJvuhlK8|YbuHA^nc=DzqW9PNiY*KNYVC-&f~5!8A`7A z-V{L%D064B$aab!lGrtj^r8wi_mb-PgqAl-TmzqA5fWrE0t4=XqNPJ_R;(i=!&_Q; z?lyVq^^y|UJAy&l?|OQy+O@K>s>o|WcX$E&Q*=r+=qO3xm=g>1f(u#roujzoo34kM 
zhZCuir}G!QJ})u4tvD^YUJl@>C0>7-OY(!9*RpwUTHuiQrc-IKapF5hSEavxTST+! zO0ItA0P$c)Su1EZ?9+^x`1@Dx1sUkB#Ib=yk4n#H-bnbj=~HEvwv zVBu%9W5(h-oA2FUtRmFmGSjZ1hce9*H%FImF^ivnT=Qll$!4Yffc8^qbVGoV{ZL#K zEJW}N1nE`+8?fj!*{%{oFzw1H!gEIsE;^+AfhWW!$fdAib z8pk9E-v4?#W&WSH^C!)}zn+gXjyQ^b+!$2UF{42~!c;V0Skp>Jsx`*{lK9dqN)Yz= zs2u|dmd>nbD{dVy&_?rXbp%pE|E=q}U2RVt< zhx*gI?M#pQOrWyj&Qt?m^WWYocwao_|F}U5&+-Y!OxDD1d+M@&sxD}0wmp}2I(u$5 zik!~*XxnN^)j=nxu)ZB|AL`t`sRlO~w>Hz?z^7Ry>rC-1KuIpt!wF&1-z(Ws@J)v7fHQ+!5+h1gwu_z?um2`H=2Pt+vIUfiJ4P4R-VG-;Qru z<*HgZYNj<KMdHIdmdpCU(=Pd;{9klpoi7S^h(f!?lJVcoWzz zwKUM);UML{^P#?l(~{#ZRNK&UIA&v%O1G%Wyc+`oS|t#J?dt>zc}%fA)>Zm(=+YU5 z&=KJsG$S$e6N=48G$2{t0AY$IH#!`oh^^e_Nbvv2yll|YUsy3nQ5V5S7E4q*7|q8Y ziGw*v{DHJDg~?;O&r*FTmqwsG^qVHaDk#a9g|UI(>%a>U`a+wRRVCTIOS1t<1-@*G?Iar@ydbM%;JULsc3$RHJN(!ds&U0@iwX1>0jv+4i5)qQzQ0ez)nG%VpD0 z8U)25GYzPvfFx&r)+W7lYu=6YTxaAW;4x5P=1`&2ZM}k20%4`l;VE@udvhn`qSf+} z@JtQydKAwDuTxWgda#-5@jU!wTWz=Bwizk!iHA1FOh`)3ROL);C6~BIszs2rn4L8y zeQ$ZVk^c)NSNa85EU5GD_A=_?7>ZJ2Bqe-l@A=S&`KlqZwNy1qU|eF-r)Uh2t=?z2 zH=$JApCKQwBO=AV9fX_o@hH~M8=Mssv@+sCQ#s7%NpGQ-cB)5|uYrzNjLC|AnPpka zdwyKqt;N1!E?r$4;mw;jA8V&@287hZ#^GjFM3z?cNk?h%GbPstY%YA2mo=}A_r@Ed z+G-R6ZJGhvoz?1Zo)G{u`3_JQyq;|I@x*s~V%@s?*^j3j!sFh5qJNkEXh2!m@-t`- zfD`e_5%YOAVf%f0&9&;c`%gR+ccixEs(vd|3yMhVc1F zLj%Vi9RvM@l0HkJfJ0L(1(-XM0wp?>L0~7&Y`gbGXRZVGEGZt(br)zJLxh!9`g3Rq zUm41BxN00XZ(|euyL(lP-{vJf5FZM`kGN1rT=&!(2T#{*!#m|F6Bwl3I`+|WBy)EL z*lDC_D{o)>&APzn(K1ijzBJsq^K#^PKUU;|%PX7GkIkjU>-AI)l=}@)$0-M6;6Shp zIWl`58_``&Qkbp}+XkYD4l)c9%dx_~n=w^wL`WF>dV@kf$>Km0HG1e=|M`47(biqbK1=-M&lbT7%rCFP@@+FwzMYWU3$iqV3&GZwd)*3 zwCk@^2IK0mtB6nYs|XO|*^;qG?NaEdk!D{?Tu&46jbPR0z#8mO%xS!kp!IE`6O?5O z{9Rd8{7YGM!|A%5yirXq`Xvk#<&(2)l|lgU(up&)cwvr~BpDeh3z08%)bZ@Y85isC zc;NngjN-))5|sp}4t#R1MYtIcKb?m={uZHC-=pZsdUf>jgyd0Pyp>&r57-Vc7;G_a zM&kJN(Xrg&I@sk#AGEC-ZsKe0`Ye6zroCpCKyN_2l_yhGJZFaBpniXP`ow4w$2o?Z zoL9!{oiWAEyTDM=m+#?b7|sk(0OdHRueS3cx?=Vx%^2$j=`$Mj4^*J1_}fn!`%Crs zjfTHN2eW8JbYnAcj2jdOMY{i+ILIUOJgDo1{spoiW^=>Z)L!kn)G;2ZulL#nMv9e{ 
z^$zeK`m|ksi%&4qX=fwgW_~~+JI1E;Kb&Nu7N;g?_viQ(;FQ?-7@((KUZA*8--vgS zzgX^LjhTs{So622Y%Z4FiH#{^@Duph6BMfdZN7(QpqOxTd8B%3GYjfaZuM;`3ZG0) zm|_9GKivLFqpsx6d?+P4)7}SdGuhm)!{L(`KrgQnolChSP|V54-vsPkt^_OLI}q=x z4t5FcR88Gi*TC6T*Z~9u<8UfYEnUh2sF$QD>Mlt0oh5@iqXo!ezeK+2z-)sx0rX0g zojlBoJyYj;;E&-p9NoQ%^QWGSwSvw>kG%PjY3kyz_qoAE?!NjnQVPzRqq(m!{fziM6y4`Goq4K+UnA z8!FPZ@6kRKxHpv5Fgt^bQ8b-}2yW{W2Iak8D;4XW+wrE|kKI@Mv6$&^jB5foEXXQ^ z)Rhr0qFI*XE^5 z+u8L<`n#3m#T3weL)@RieGush7#4TED+%03#Ms1Be*YvW-lEZ=qHMmU1xGjMH##X) z`I{R6gZ8C#2x5DfOM^tV6B6=mc361RTA~Xh9yZ3@rtX&M4QVRJUJkfVw2R3L+FESh ztHwfOAN{1!39-mn{bZT5h^`VXHk@UJ`xEm!(c)8$V8 zy*E1K^hXy4I0rH>mq-sLYi)jyln#8}+Nzn5S*|xM?8G}ZA<9wZ?3-I=zi?*$dXq;w?hF-(o5E@z21o|CR)rLE2>SJ?IMzqYhXBgR5ZcGJH%AFxYiO1+$(l zdtghwzY^Y!AdCXL0>C^7=vIQ6@44ikH2R@bL-4zy4K+ZMap90%2@v#s2Y`))$+7=D z&VLT0{Lh`Qw1LFtAsuLy3Z8Ta zRI?8u^)E4~|I@XQ4AjAGQ3YWCWiY^B8qJ>%2KY;(`SZa5|9D{j^%3~{z4`Oe{P|#j z|HZxe^U?hIV1R#qg#T|oXnzn4@PGE&{3W+W>-R%F;3Y!VlsYQCW$~__@ZsYp-CkZ9 zyxQ^6-<(iAjW0jLn88+)$HXY{1@CJ=3ERnZi0@J_jpRQWHfSEoLknbDDTG#7RC5n7 zs}$@TJNVULTvJA-5B2r5Qa>Hc2)wVT3V)8^Jofa=;U1cu6il48B02f+36T{)D8s13cvv3loS8ofPnuZBKyM( zV4nN{`18^H`Cx#*G@3sj4Di3WH-A2wKOYQ0{NsD`k7yc2r+eF6N#>|=D3PD~mD;-n z%&+!rD|UnFxrkWBRLMQUu0wmO*4+q>X1Qv_9g}ozZWFbUfIk0vVWzZ+%tVm+6x*6n z<+&B5B}QK)t|3bUPXn3Mmjt_4GC-RrbltplcJ0vqV)_x*E2dX@$n90$IibS=_6Mg_@6ffeO#>`uU_JQ*M*IZgU9Z790?a=5&_wPsEEnVOIr<+2 zKH1cO!24sclf8{T3uUD%%2ykl8ubrnAJn=YIJw{OI%LSCtMX$aNF-Hw0Wgiu23Q-s zk~m;EV!NqDPM+*7Ra}Xm)FDeI&0v9oz4RK3vsK$hy&5MJN1>3U0tSc z=PEek0v!ah>S9WNl~e$KtE&KiP{xoT*QbK(K#05)L>81acf!D>E`lJfjbrf81HJEY zI{}Hyhuj&yXvZW!mkd|F3CdjYiOa;u%IJ1lRX}(CqF(2%_4TzGu=XT-&h0{@sUNPZ zmI(_kpykSK-v$dK$L%zS!VKP00;{^EI8;UAl)P1wlDgo3vxn$>|lUbZ|X!O zjn4>KU0LSa4|8Ge9r^uOHOL`4l(6fkZp3NLcg+Hp(GGf;R$d%hC=+0+dUnGP?#~iM zy|{wn+icD-P%{{|gql0B1ro*IIBFZrB)u+Kk~!RLrXaPwhMQo@NB0M>Zb_Xrspxv4 zGJXwUocHrHYUj@CN9#Pm87E>%wS3$5O@DvkIK%`_0oB5<}j+MGUbM9c$vr4-w_d{bhs_{4SzEQEvg6}V=Z=2&MrSCq1Rw^Hj3nabdS`czg?Qfk z-yxkheW2peJ&h`4dG>=YHFuqm8xN}Rm_QVnF+ULwrT1(^>3pEDXB9cfmz35*bH^N| 
zC4^fu2DK!`^VQYZ=(eO>u&*VD`c^iJ=*hGqmVI;Zg%X?+y#))5v^Wb)Fd3T{Eh>81TpaQXu zxejopHSg#W#YbpxLDa?CC5s^Fu80Hpyhv4nZn2YD)b2oKvJ70jS4gbmW{(CxQEJE6 zik;aYAts|+Od@CSVW8MFWb7j3vQPGJeIDH$ZK+oIfcW?)4_D?+_iZTNe#7X^b2+(b z8pq96-7y~3Z{)kaxmqP4n&#a7A&Max0gOfEEH4?(K5-ih7QYZ}k$x%N&C2yie(5lE z3Amtm_x*Q^749n){c!Dmd}UaNK<0+7aK`Pq3#>^0$2BO{0A?btdE&Z~dJ8va{lF8p z7PXo1y6nvGd5!PwePveV@9&OF?qD)YHdpt#wa|#~c~!Wi*UroPne8*KV=Ob1Wq{|N z?qwgRmdjq^3z(L=#anVuT#(Aa!SV_R1-5n;o z4U|gKNQS+C`;1I{+c)0hR#(@5DOz{|?u;Wzpu?H4NC8>BWyz{NnU>81eq}xo>pue| z2Dty*U+r47OwkQ=__Izvss68@q{r2vfsJBT!x-*m!!^Y^8u)uB)pwMTLr0~Ml z9$FBF74FM}l2sLDwnu^O7wQ?NZ8$HXtcIcpq9!8&5>B==5u0ZmAG8V&mL4X&e4_U< z{!4qc{Qd_gH3K8#wEW!ak;4tYT4ys^zm$OZG>iC%1p}}6Ju}DBr06MI4+$)E8F_P1 z(R0=m0AHtZha|C8#PXYNn%KNKRKgp#tvRIBkdLRa?wC*;y`i{t%IUG@E0OukFQzF@ z2!d!-031TT#-5bzRO~qU&`NzP>$>K~(z9FcBqJ2mLHQ=3w?*6Egg}jPE52TpFPttT zT}oS(aAErb30d`FQ$8*_oH*dR0fI9pW|{%n8A3v_nnZlQX>GCgI4Nmf+pK4WTxYrB z&$Z*ko$M7B9(Lu;NxkRF2H)tnV@B(#8p6pG?;4P3j`H$57oG1g?Qd>rX5(Ef9Bcmi z%nz$O`8+&m3nX(VnYJJ8fe4XKN)7%n4A+vJf1g4B@np0tTFOk4pM#Qnh_VxLOabyP zqj|JO4X3hQGGltlF|46f4dtjzI`VaAa;u*QYU?Rd2sDTB0j^p(%^*S!GvkX%{+11W zuBGp&V=1CHGo`OdGBCKG+?m^^cKgjKbK}xxt8oE)6(VWwStaFG&XiFkEzRLbNm#dq;a%7f4!pY&;tDmKNp754=#f zwj{odKppbHHW8$u*(w6I%sKmOrbdlZ*u5atS(-`pGOPudttkziWsaJxAYja^ zE2`u08~&c7uIwAnypIEsMqy7})SD#BZ+#JkeQZ(InL+`vQ8l~0%H`LPN z9e59FOLM=LCd;Vy2`l_>V8i==hk=A=lj)Rb9|E~mb*XK5x%Gv(GqVbD_rDk4*gfG< zQ1DLs`iI^u>_zIp{^fF&T%X3M*4ifZ!We7@%{HCe$inI_I&W?B%AoMW+Ui7pOv>GM zUgtzxo+~dAX-2E4<5*eC0Hr~m0Vz4|+2(;7hMc+aOQ?*%ay9iTUz14oxW#;&&6e`@ z={mr3=BAY?w`qyR<=%mctx=R6SYC0rjCeiSE#J|&!`n_i(Pxf3n~gg(v+7~n;W^Eo zv-PIN{tkVQ!VTq&^~FyY7Pk&b5DLC}JZZ8@OMlO0KNo`iO|gn4MqHy6-_XFB@9 ztg`u0^i%&AR(6OitRSH~Ia2a$H~)i34QJqKnlERum-U9wT%+io4N>hqzIZ}j)m&S8 z%n~lW5O}Z}+L%+X2QY-W!nx&0LvN4*wJMYZsY955w-!L+YPw-M65a=#gl(Y?NZe=XE zA(^)Ns0z~s)+K!3|65HgBK|b+FQpX-DdV1(vr4W_d)~uiYWZ&Ys(}^jP&?RVA48f2!!I-SfK8`Ix@ zdFgeKwiJ;>cC)%V3mMyG2~cM3Kbsk}sV@uFV@EACFWVv{J9xTzG-knY1GtlbV|6>68>m^66jLJ{{h- 
z)GS;GE2d{0UUtaGpu{Q3EPq}vd?_(`8e}x|YCz`Y5?=){>!38mfx$pkbw z@7-5+aoPvPc!TS^G4y0HQq%{;B-rzHd0JSk>Pr50_Pt?SDtP-IIJq@s~j2SoP_vRt^2J^qx+^J8fy_&G| zyUG`y@b)O1Cy%9I&(U|H=vOZI`0YoSx$_AtrnJ>+wSAK3p%H2ojC^~@8G{7zCEYym;IOO8opj~vPz~fgH=7BCV5rp-Wcb+ZyEFM`1RZm z2zIqCl8oj3XkMo?O_YG@)_YSo&F^)LN+SbF$yRBt+}8%H{6i)HsomzDz!!>;ProCX zo19=<7t>Z?Z%R`|cO7<^yH*ifm(mE-J2=jTXD+&40bD;aM)zFTbZ1Sa&@?OD+%<0+ z>V!XSd2)EI1R#y@ri~!df!ML^Gsz6cm>I$Xs*VcdAxW~9XO}~p6RiNsmO;1sx{bZ=g zcdd;6(?Qz)_~9{1mTBeG@nz~&i`nL}p^zewm&kMw&%qrqs-wGb5tD4n=SYS4ZWdN8 zZ5_`TU{d`Jg^UKSAgzUYgyjB#oBegTCq$LActs|#wn>H%tQ@nswNO0XkF1SJ-J;FEk zqy@U=b?wVr!0fBuw9QF;VUuBe3YTkjAaeo4;lf!_dQ$u6)R0Sv}QD>Hl5L5i1%$TXfS=KA7ZmW??1nS$F{p(bdo_;DW^fkqeeocv`hoEvRe8I z^$|KxUm!R>2Ag^<(nKc`8w1UcuCF8k=Q-~6xh$N;qfRw;Pe#HbFpts>lX0Z7gSqAmd&Y(Hu8>NO9H8(xlpu136olENN{UB->i z^d5ma=za&Mjjtr#|JZcEFiRrtP)sS8W=6>2MZicq2%dbhY}u8|cH7MXTf*#K^@f_= z5O{YinRj;~E}X`)eK=fGfF}0`2;satnf3QAap3~Tw=4dI?oPH6qYVO>Kufa>?jtK~ zbgxcT($>n|;Be*+N#|Pe1Z$QX3cUWkYpq1L%GITSt3}#r3L)3p)L|=g{K|;FXtxcg z6|)1(Ow8Ixf`)6MPti==y=(W%s-K)!`SN3G2BCq(nH@A3PpQKw>-<2 ztv~~#>V*xI`R?+F`TwBpJ;R#nx~@^UEi@Gs=_N`L1px)=C89SVAV!oX2vHFcA|TQs zux)@KML0kWjGHEACSj?*_@sPIn8Gt9HCGEM^f)?pu-7uN6<$K_WCT|a| zyR&tx**7py{H_} zJRzclprEBbO(t!c$Ic@)FO$z*+j(KK zpkvbR$ca#MZ*lL^g{|VJZ`Yw<$0-VCp=Cosr(Wg4Nauu3l&sjLduHz1Z7J_v#N@dR zv>0WZKs+@h?l8}29-ymUI21Nj?Z#y-RURx@ii1+-EZo+V_d4L}>aA18Gl)&1vSa_o8@wAu&#Ju;CGV0&& zML^Nkn;Fs~CXTOs`b|b~Ib-=_6{wNUo8hz3@NF_LnrE7u*H>c7?S(R)i&AO@yb47F zSC!>dwA050_s6`|t(Wkx2>Pm4gq#_DPnnzPhUPE8HvuL@KGJGTv7CajIq?^Hi5fSZ z4J`Wf#yS4BJsfZM*<00d7c_}JYr7pF6 ze7PsL*~Z#XdSt_~3yzEXMREK5r;iK&vtfQfS_BP7S5I}P{ARgl1;hfb4Q`|a8Ma_H zR1zuo13tLX@Lj?G<+-wLisbZ9yOt!C${*G;>m}1TAa+TdnOLxpv`!t61|JXhL}_%e-%^ z+Jwgh*S~t#*hbT8NZ?+?J<}6+St;guwAIt1_a5no1KYQyM}1~aIr7hu;S>Mra!I@O zA6^`CMYH~6d;K?uhC%4TI&jH+3GJvaPEc(Rvp_~(8_?PXQhE1j!o7jvf|^s)hH*Ed zEv>B0ekgm|ras84c`bcS_WWX_bYb88;OWmCiTSRQM9JPJJ{{m9%B*idK5%s!Z3r00nfjheS3)hiOUi<+3ZQ7 zEfz>_rnr;FP8x61kaw#07S7!12*vi`zM~pn*87#WFmx5wm+(bFEHtSFr~B7wrhk>4 
z%$auRx#h9Ek$SpQ(V3h3m6KleGPW?5aV*jBC94Fd$8Q#gd)4ro9Vl`51uHRe>ILf~ zwc;7=hp=P5jkbe@34d4A;Zv8T-my&C>E9LjOaF-qO1{kr1c~RH>MDlEy2n;&M>oK5{BN{$?BCox zzfzv(N4qp4ue~pN`EY>SE654U<{S6GC$24R>{z?qq1KOEN7U$KB>#^)UgzKCp-}!X z-uF+uZ@srO!jvZZE>T=4u*~v`x5!JSBM8w>x%M`$5a`yHcow#M{V=8D4k@xVC1W{J zBVa-D$|=qXa{wyabxgsCGgkeBr^pABkK_tP`0XsTB`zDt00hhB+Tp8o`GtA)P?m=R z0UaDt=H3(s$`U2jkKAF&BvOi})mz7mF{MR;5;rh3xhL@`3w+=$vzpqc#-p8^7hEeJ zN-k^)=i$~Gw2DnvgEn7$0@OM){-5E+Q?6i!}dVz+}Ob3R*QHSs8s7G~t z5apn{{gcI&Y$MJu>idH>bHu;Gd3{UPTk2#6YjlGojMuKu{mQn|WfzRPdLzJ6;!ht8 z)tB}%Ei_SEZFsF3N>*Dox@qC~o;d)vyI-LDeh;A2TV{hBgMr#KgwA>>6=J-a0ocM# zLZ>pt2i)cFMC4T1`W*Gf9@qf^l{ugAk1bGF&(E>BhugQ&dLV_as*-ldFyqcSxcva% zn9kUILoeS={U`bIhBItz>IJBEE>L8AuPO=KHoRCGki)LBoLBKE)k%X^H!K zn|*(0x}(W={YjP(O@(&7E?sQh7zSFpYtFAoq$xwdMZz+{cS|ruo7|4DWrEzA}-2D){N~~78uTh4O)Gsfmc6P-k3x62SWLHWJX9b=hNM~*d-wI=}daecW8KXFO%m;9WV(h<&4;6`7!&2{zkJ>g{ zy;F#Zn66@C1yO9-bk)6&7^`=lNdzX09-S_>!Tu|w+$qB*j5p=fxqT%O51tP^kHO>= zD7+TqfrNam7p}ipUD{oSevA&=1&_M?vVTH0jG9!8h?vN&`HUJ@q&Q-W2g*KU zOa@#YPt^?0dnV1FojKMbB}W^4D)0gtI%#+0fF%hTez>KW1iUn+&JM|Inddqm$G+Zb z`<3}Kmdo!$x-X*RsKE{1OM?60s@7Q{?*bQVEfY~-%2eT)U_gmA1lQU5&7u@M1b28( z*PYHUMBJp<=ga52pG}ybFeV?U(fGTMCm}}gU6;^>w&92fLb)&8_(u@Oo>1r;g~#WV z1M>C0eCgYI?~uU7btY>4G%x1^_sR-GS?&+7yU)u$2bt_s!Z-Mlb>+kU8^-XX7yDND ziFNtf1$Ot-_(&h#@<5!hQ#J;!Y{Qmbgl)6#n1$kyhJpL}AhdjBnR@`iKaj8O0&Sz-cE(I3YV^3yl>N)Id zr^z>f(+kF?Z>~*6os~+s3S{}@PJA(qiPb;oJQp3gC3;;>2(mG;7@ya+_xUL%Ju0t~ z`;gP%3F~+5^Qbm7|I8Z~?p7l9b&ab8scBsNhv!KCS!KSB>9FIcl}0#(S#LkM-+Z0p z&=Iwn_atUv_9GpMUM*uEEr7jmEATm2P(630+uy8i0QrYQjKNqvpF1;}_3L+#7S@H{ zw5{62?a?)A$F(0z__4yGp0@RWtCzE($t>bv=xe+S<~1=S(eE%LVq&8n|DO7^~zty=#!B(0bU*-+BosI{ZQ~<+G4c zRO(h)KeRr8q1*a3^J1xuNuUw+ci7HFnpgrJR&%-b+|~qbTlzPPNG|_Q2t*dzD(M3P zDd6)@YZ}7gL+1$07m^D1jQ0>`NTO0xeqVeR6vYeC8jDIZ=^a2nMz(D+ zgK@tLS``1AVI94Z(i0VQ9tED7*Pd(o#1;YZk9Q8@A_prDIMk0WL|j-~x}$u;GA6v) zvc+uYYnZxmwaP0A6Xg$N1B40s2PBK>B^U%qzyJP@0&@U{ zV++Tl6ktwFd9pVqV~H4_@IfqI#9C6ZnIlXp;YO3;xlr#V%*PoP_W{hw^k;S65-zdt7jfM0Rls>>-}*Ww(6VLK 
zo_P!z3ihHe|M=l%`;GI36L9M3ltJ;9!YNp2 zgv6=0qKaE<5^1odkCxK*;63OrrJp-Y&MW0|M+0@X93h!tK@E;?jdSkiOfVH~;5%h_ zTV0sVd9Hd9?$5aSp`Nlv}V1z$r%d*@#N|t{$gM# z`_vix(mVn5wG(ObsO&ioc$YAq)D;9049uDhC~ozDSpFiQ^`S^TpjL98*rh5kRqcxP z&^`n*yt`)+JUrV72|!}DN<{$XKVb^9#~j43Zz1Wf(UgaHP>A&G6at}|^gm*QD<@31 z>4?oQU}|OqPCXC?0Ja^qWN!Xzl-p?}7eLzi4HiNXx6^#iq5p^P)CshIT^? zL@Qml{fRnqFeuCLN^@X9 zg>^WOz!OKCJ>2q)Wm%m(_VLR(vLAT=Ow~Ou2Fc`?eg!SQqQk+M>pHkY8$;1Yptb_~ z70}-9X@pa+U@hZsu;l^2iCI!K<0vK+#6{6*7}NR(m|BTzfNxz6f`L5-*jn$Q?9BC8 z{IPU-1UpCrIsSMCJRd*x8)BI&gpn$>z@_@cHdSO{)^Fm}+-{ZrKjm!5~Gb zO@jhZp!*Iz%uJ0gKXVq|HDocS-j;hOjFCwP^9xOh*1-vH3Ia=eFvc+wUy(B1egu0B zjfgU%BW5JTmG5M0YCe<09W-5rNgd2-h>EKIbdDPjGLLr5e)ysj<@s-xm%=dSl?{D!Mui1E))ZHs|Jl3&O+H2NB$~#as_5a4hhXr=@_%<8^4}vW26dAXgg)jrAxKx z*_KX4$K9xqR2p&%8y7(Cz0o(=O;DBC?uo4wqNr}4b_NgTA{InDYlE2p-w*NH&hPxRlX2@*F$1tB zJEow$-z=b4^*>f6k_)U#CiZ`>%6FEl&~g-5>6c=db&g?))CATiiBSoxryrdGEA^=Y zb$|5sCU?<&cnU@q{fOd_MOSCGGP_bYpmM))M`DVwu!_B~IaCK3ZEEadiOEcdXqrD@ z94SxY=z}c+Mgk%mb+E$+1Pl_|9%I=nD5cBiZ^d8Ja!~cb&Vwc@+G#Y-H0mT2Xg)bH zjA*bECj|xPjV^2S-9cLEdWkn{o!Y16+;rvwPekhMP!IjW1b`!?0qb${Z#ey7t>%;u zJq`}m#82@aum-ZcOh-BtE5px99V=S6kmmAc*}XR)iJ96!8aLHaR`1~!{)+uhW$(>u zPY#;|;iokSgs4xc)!<@02Md&(1fPncgXpKL?ejm3DSnk%BB`ZuQ13-!YOTVYmMl|X zy&kj0Lx4!)FksU0uV*wA4j=rO%zT~>v&^Dr2Sbgb6eZ>h|8?emua16*33YkW`1LSuf$g}duayAJHy9{=k|O@aQw6d z^&V&PGSy>e;5W+$RptbICm7v|eCDpt7sahwc!gWcO5R3lK>*)Lc0XpCH{i`lErvV5 z*(+=ftU=mC0>3eD?>hc+Mr_@EnS~`fTl{3HLILAxEQC>z!uHV#^q4sg+G$_ys%7g5 z2ABv2?owt;G;xYDcwyncU$87}mb(L{Ezvm)dxm8jv?wGUoxK`3S-z6Hf~Ona#)eUUN$d?X9GSVZ&=$nS)0VhnO!9y_jqm)AJCy=|fHk z2kG`RC`83=CvK-q1%-TPS2?+(J~|KHvyr--C~=d}n;NCNUTSLqj0%g0w9$QUXJgMu z|A?itbM~(YblbT)+IRb@a>>-y_h)zEu!M5jo-4Wz0~N2oNQRM>2*7&=Jk}OGJIW+u zsPh&Q>|L+nl&%0trGx7hGxu7RLkY!T>(?cvUd7MzNr$)61bk0LYkUTQ`1w&_d{Yct zMNC@!bWOk(^*v^Q{+L&N_3(g`N}`KWnD~nDpF-<n2DTI#18kc=RDho4Uaoy{9^4CuY|%sw5h0D}O1Iq@UHe z&HgZPq~lav$HQ|12eoGAdZa6{f`2S@CO;uJp6p|O+nJ!Ah~K<@ zmwo>;gsz>Ayo^9ti%k2%B3;}1GbC}g(L7)JteR{^b$?D7(4l}`<|P#d4k9@T0}n78 
zn{!mmD@q!$28MRQ=KL7!H+7%rXSR|5mZw)h|p5uJM{urHsmFTOK zM#dwv=L5y~&r+Kh@goU|B~{_hyK!sd6A;vBEo0N6zD3J*DY_R+oIZVq)R|?g!M@C{ z_0rVx_GY14_4)MhGsl+kg7DcCG{>J^b^%P}i9Y;8j-HXG$6=qtcTR(qwtS_45PyR; zQ4<2t&9+C-Y4TubsFcm65@(@;_ZzEnm2YP!`Bw8&=PQA5pzrjiSzWSmujJ7yTzi)O zF}BUZFK$Zx`q?8L5kBWhq2pC1F2AH42gRA<{y zj-wEAub(K7+1y^fFZP8tUa%||q%wva4@@OovI)~zGfoAW6?*UkQ+$!IA)uu@H7xgC z(-?YpyBw3l8jSwCPLuqxeA73!!?yIxhU>ff?9ARZ^N~~goHXCxJF>8P6`NhNzu&j? z?{a+QfynK=J4btJavj(N*TV@3FNdvK86_MZM!Opp+V)ol<=3o@qq$a)&Se%XOI0t+ zVv4L-Sm9a^p0$3A@CN2$z{YrWd*s!Zn&2%c1^EbW|5ajPQlw=}5`ilLLO9<4HdzmGS6J2OpQ-4Ex&K3XMPFH zhKN=w?}4=HK;GR6oI>zbb+-D1SI2&{APIx>1D}^_5#I5S1}(!#hfkQ^7CsQTf;?b3 zj-yQkV>X3(4NmG<1a9iJ|3OIDNEE5X0`)w)xxPq+W<9iCLV5%X>X6U zE$MJ=%!9602i=-j>T(0y$zjSS^92*Ez4~at;YVs)zAj1Pl`<+4mofEr`t_mj%V1`l zske@AdfjV~WC)Sh83*V}ASH$|TWavr3-t_-N&IWMi-AGL>aInFdZR85XJb_O97Nu# zwsPHtiPF z2@-2JBu&4D4-N05=oIC7c5~O@LWnD$K&$1?_Ek1)`{x?ze@W>4vl|kI#L2%BRh|brW-tFx zGTfi^s^QFolO8-g_2Y_PwLOqS%4ccUa%Hm~>8+H9DMNC~IthgA4Rv1i8-cl~iJE&5 z$>!QnQ7X9*8zkaf8oRMXP05T~ide|k^*HL1gE)D9z4^WqRQl>Si{qg3VaMhq?WoXf z>*QQ)*#gaDZ9n(6j5)dI&drd3=kYpz9f|E-E5p{y$eoq@=4q%=a=Yvx+L5L~NxWig zv(BySF}-$hxli*ej!X7tB(CMj57%>0jXxoAYIA{%&1CJ~_y|xzCa(}ZZx-sgYHO{>#{Ci3V)8K0~4J5Ev!!{|{8DogL$h%9w zN%+RQ`%x)?@cq_uQ2i8erUN1b7@8keBz_TjL`QJcw{K|E3O{g)wEJpn`oIp(n?ujO zPmNFzE7lGd+N>4(xttVV`2NG)%~>m=lTx{qx1;YzWA`Tao`eTj`X1`6oXQ^~>5 z0g8)Gm;D?p;n(A!ou%5_BaoVQh|Dl`NG8kax*A$1%F@*WFJoKfp*bx5d2M_skPCg8 z;xlz?2RcMKrggckeo)I?Nj-7YCXF-W=f{CB^oPA(++!;+F1oB-F-Y1S4CEp{1!z>x zmp+C&Vt9Pt)N3HZwa(lpn@7$*K)5};e23VL50VfTDc80v?q=hKLm~Kw_^_ap1NX{w z_^SH`f1dq1c)?AGDLKnvIh}o_dA@DHK_-4Xvj1tWl;jW?Us7I--B6L&5ql)2(Jzlf zgj)LCw6#u4T5lAJIk<6A)Q(@|T1GFralB^!EL;PhW2n%Ggk8IM*xk+5^Ud3ngK}o+ zHE$w+?%$|vrykW_$$}`wUg;amAUeWZWDg%uOfMU0~pneVR=`H8#Mfz<_B728+~flY7=ajntiS za%6r2&TD(iw>Rj1fF*Mq3YUI9wEOJ3me&+WKuu-c7(x*4rA_KSHDI&)zf2c&IQ(JV z6z>0)%`LZ2=0aLgY#PhOc&bSAF;k%3u~RkJ8k|N}$(rst5n9dn`n%AT6KX`2oynxV zV-Fd_RLh^JQ!XBC74`4ndk0W6=kt9QAq)2tS#9hS`dOdL1FTo_EQiN@^dF=`Y9#5f 
z8prgXC~9k%j=VF!&zBJnw+9;D@dtO!JD(_YUh3J$Vz$eap!iK8UK7_s!u+Ncf`!U4 zfy(Ikt%$`xkA5JXj%Ma?L^BttC}_@*GJ;(inw zl)H+o$pIY)8uK(Xd?MqGl^%2xT@$&U-IQ4G=IADG><7EFOw_A*gR?0VZmx2DS%|#j z`*Z=>M@LQ#qSWP&UwnAw+}#6@+tb1IM?CIQ^3-YZp6=3j#e_0DnnUBNhp>pVY zl!`cFSI;rLJeoQTA1H#k$h@r!Cwf|UJu0`HvzC=_6TZ>bSEMKP!1#*lb?4bz0R-0V zg@%bTnk!{)`WA2snxGo<`nmXru3hv&yOB?U1lNsmI=rS1uM4)ozcA_a=$UIYralEv z-GejEf`Do({pt_M{v`2B5vv-M`H+}NJw&L-3>`@5|J9G+Uvqj=et=%=ea}tWXV+)O zHLw(UJLnry7(XRMR&H%vvzT#B&acFnI0?TldbXD#)_3MRc-SE#wt)E;Me|w(Bb6?g zK6=|`+{z?VSF#sz)OXhD#MRl{$+`E09ta4otOieF*eJ&4S5S&+-@hAC|4-t zvu*LCELx6HTR1-efAn2WP8^kASyp}3{>7=vvEf?G%*EzQ&&KfrQUbt4-v+TI7uRE?tY3CTULBMn9{&;8dqb_R3la8#=n@6W9IK z&}d3ZxTmw@J4@=G=z#!G&cY`%t>b$WVCYdUX(wL0M*WMv<>+b0c{$jfNe7V>v5!g)R}ro@tny+v4Pi7@mS9M zm&u+?vC!qO0@L?`vqkK$=NW$}OkSoQK+7V%EE{lJe$w=sy`b#rKN4av1~}r#pTr>t z&Z(U^{)P1{1jZA&%_!!y>*&8JN*SX|cKn0~rTq(|Ce;t}5>_hqAH!Tv9i;91hvqkM zRG?WiFk7@WWApx7$av%BQsfB>Klja-se3&gOW|~xd@Ay_vdPh_7uSq_eY<*oddNH4 zhu|bw7=w=G5j35n2XAjoSD93^N;Omh=8EviW2O>#9~ zO3Nfz%IAq!w@0FCW(2YCmmb7q#iabKF78kQ1Fa@fPS>?!Ow}%U4V|vZ%X+{Jkaeck zt>=SkqD-CJoB|Lw$(2b2BPJOXa1jZ_Gg^b3?>KUpX#{wgEXjU`DE~*fg2@$ zjL^QlZAm{q!$g!$CH}c!TLhm=Fl^mP%DovmbqiuU`?iUq;)JA9uwsb%-rM+YjT!GF z{_Zy(>1foE`_v$3KsrzA>JrCU|{3piwiBjuC-xB zD6lif-cW!FAM5tY-tVc8EuOI2L$U~!YC2^Hy`J-*ljG!g;3#r#Hv>==}yKc7Z z>YAc*oTx1!5^CmVsw$0R0*?DOu=){ahL|UCtGkdETJM@Z%&51&YJ^IQR>Lzs)M)$V zn_P(6kiDI~IoCghajC9Q7ihU0>&HSUS@ieqTbn7tg_$(wM5$#6uz$Mi{*(1iB3*Ld zufu+I7<-pNALELu!Qr$or9-$%$*K7JC|?Av^U`#cL$H&biKKh0Naou95p5L&|Khk% zML6_rOm48#uwr#5fBrk->7~i10WlE-i9-72YO)t@C?<0$w%SMqKOA3l+Vrg-#|D

e@Wnin%dTq9WHB0#ab%K`lofH<715XnHw_9 z_<6I!%WrnI7bs$bB08t5Y7y?FuBnPh9INDEC$ad?qXu&tw%@-B&VG%& z{aU;DE%!~?O#>#ERCbE=P7KLB=3S=?o!gQBedB@R0JKs#1NR@8>XU`9<6U~JL-+&& zz?jkp(g8q>ZM6bfJjooS^R<-QzgaHecLB!brW2qFVE9A`-V3?}jK#hFDvCBa)P|xo z{XB0;&-L8Am^t&qg-+GCyB1npdD45eNXrbh{WB6;v*hPU{$!}sKG(eCH_N!=gPFc32uq!I z_``sSF~jlJK$w5Bxy}JX>BjadI$Jzit}cEHxdz~63CCw3(3^p1-i!_*PKhD)ey7sU4f10~k|6Cr<@*LkXGMx-Yz7#x6zO z%&>V=N1u2Tp+Ci;t}JFt`sz{efA{YQ@RS5HBMJg=9YC`UT&E6wMWPdl`5*B zOBYd9B*w4m88;S+%uKU8qQI^qT#OxgtMqne0<82n|Knh-=5GHAH|Mz;TbjO>l2iFO zNB`uPvM*mk+O;8L^WqR&-5T6C%{@+S6+$8revso>RZy_~r=`9Q$A?7QX>5mRU7YAU z1IE&QLnH2;mxufb-~3lDCe5dJ*QXRckb0T8{};UJk{q-xkyM;csklR$YcR<|@l!o> zo_-#m>J7Ry$y82ucb6M%itCavz8GOUYaiQr-B4$*s31`)H{L8?ePCgsyu7rJ0iTRF ziu*h^_6uE4bA~#T!8*mzF4x&(v*G_#HUSnD^nDjpq^@8F`IuIOB{_@X331Yr1oNko zXwK@|E3;19a3pDhc^`;A^)PCv(G41*;b;jGPoogFQJC%P!20^HxF*#d6=NT-L*bJ) z4Z0Sxf{5hL9Ll9L5V!B?^=V`eH+-g z>w9c6oolAc<{P!f(%Ku!&atwo3ETNvMyq(%b5!DKY<7_%>#|a_H%3%TER~mBJaBO( zY#Vln^5RsUlTc(+q^t>7M7)n=?BcLRThCubM2ye5+D75_<)@XKILX=tZ;Y(#${0e= zB_W|y8#C>N53W%s^-ODHUu+v@k+u`VwsuP5B~P9D>O0G0aOfE{_m-uGDKew{J*Zpk zBz_?1w9%%srDfvVM@jF>-zYa4(gw?)X8z?LHHa`^q|2dsNdyBDCYXL9yG`<(n*vVM ze}9#NZ{wjKEkQRv-TiA=ZEGEBK;ja^JZ=5^O$R*ThnH9OJ&;*4wQm0uAsVaCDso)? z`}V=lopVv#FcDrfq>u5Ca2xAS@IiTGC4+33jWGGxKbG=h4>#l6;i5IP z!aK0Gv2G}SWTILSuHK?eqslc;L>B1CIo0v^ZV5c3JYZgX@~!*~xa#2t2j8(q- z%_ZEt8FQtlwAiv& zs$we3O4#f|G?xxn5byjtpXbOT{x)0GP(ADZibG%SnOpG&>ShbxIoR(>)=Mb0)tb4i zs9Vj)mWG04hd%X5ZhGcm9~v7frSyiL;%01yQ?hryyG-zumHuYA;R{4MwzmruEx%8c z^SDwHKf|cdE6|3^_?(;23KMCKlW=$4dFQ32SWZ6-;&KIO#jKtJKv0H7u`H@y%eUte zeEVnxsCnMp+5S_`^?ZP6b1<^OroqqlnGQAe>AH5Dy;p&?))n6xilW6Kub5cv0=C=( z!W-D|>7=?O3VgZ?(KOCRT5Ao7m#;fX*GPc;?)J^jE>pFdKBSq_9XRfqdEmZcBOA4? 
znfQFz(48y#9vPf5!?v2Ml?jn`Z$9X${?M#FHVfxgHV%|%VG81_-(7J;f>lxA#0Lm$;NV{R)N#wj!m8S#v5pEP zUybQhp|_@SHOk8CFpmMI;WOXsSm=~y%;w7udMjJ@by=?FI?f>-vE?65LTlMSu_k4f zvSO3Nku7GkK^evSEgc}5F4BqG6h{gDW+yaIT6Nk(IT_K7(GLrAlYG2*{R z^;TaTXuk20S4+#hzv`xCqD`ZX+UK#o0>-+WujX%-gDV;e!Jdd?`T@U{u| zboE%1o4)RaEyeZsRW7$2bGoY!CQnx!dv_G6Kf`+yhwM-Ed%OGC)M{=TIC;9652H6zL=kJu$Q1Tzi9YsUmL`w#yJY{TrHL>ceI?FBue)vRB$n0;MGyCM;V3*=g;$ZjeLEkCbEOoV*(^{xP4_H*XOmMMM1s+D_*eA6-y ze5JMW4`paXZeG7&x9&}}tgegP+b-US!b-n{9C}9d$6U(3PeY_)T(G3!`}T9!R$j{R zwKcruE-AGnh-omAn1bjVkwsqcLqC&05S|Qpg0#jj%HVLFmMh%@xj$&c8uz)BrtcfP zCNEwcE*xOvIhpAGLGFWvlC^pKjPGCaVl% z{*0Qy@?Q%A3s7Fv>0lw;qaowiwLyObU zzHi`(##2FWNIuiJ^$<_d>n_*Z1;jtp^_pirA3c8m{-?h#5j~zaa&Ay7@|_7)JGp+j z%a%9omic4LcKLZkYNA@D!t&xb2c-l}+GRS5X$OzQTMIzWp7}kgPLgwD+xI{-YRnvT zrA`|HDMcM*E(IG7+XQ#s9lrAo0MN_a4bkSL1$t6X6PzaU2h+~f*!DB`$A-dZ!B7_H z{Vz;m7^evN?Kv#jU2bx9Ju0fv{-L(Z`g7Xs+hW^4C}Nw4;;PD6Mj>JDMu;aU;rV2t zjq}~ClTo@7;<(R)WdU!_xD+YK70I0{cPZXGRI*Mpe3Dj9$5%^wee2d<5j1lmw&ohJ zUC)yDGc&AS$~GX_WwYn?oj1SP*~)sU?R3JU2Nf|h@j~iH*B-dP;7;QmN8~$6_iX%n zeDD*x5#?Q;d_P=q(Ol3wa4l`GzQsLt8k(EWo~pg%JdL7x2ediHORKEM-#2Sgmd~3vdNHA(K3(tLIU~*|t#eBeGv+zj zYoge8hiw6muQYSlUArKt&yiJ6XDR~~CM0$C*nLy0+2EePKG>uh|M229CxJj&*&~Wj%i5vhN1DuL))i@Q0+NKE#pR(Bq2{$8pBR-riTc+z>Rep1oVX| z{9ksy6*E@}NsH#hHTNTlVns}4Qhe*nz7hRo>yn29cWZ2Q z#bw0KbfP(Qd`Y#t4?MA3n^@lkioPt^V22k1AB1$#4D` z{}nH+kgwNW(&x~bWWQ7WWr4EBLuI*Qr^Q@mA=8pJr;ks&UhQd+?XWwZem>=46Q9@V z(cCn8`Tg!69rr(QeA(-A!s{yX~S59Pnjzn04@Msdbsg;~6-VvlgUhtucC*T#<~Pc4N0QnrB~ zJ)J0)R@iY*EHcaBWE2sVaQ8u!nfR%>c$p{c3j)o7DYUa_)xoVLtd?6optv}UK+YN_ zQSlj0>)sW&-mqWMFwx30DvK3VdUl;fWHxEG>0X*X$LbiK*Q2+=Ugo}x8gWVe^qNab zLdDR+4=+j~fU`gu9QT=2!3ayhQ*8s0IOYHFs@?5X7z?01v-}$}05E|+(7-<-14|0S z6EhW!@D~~)8;DOU*3seE^b2Fo?ym{$00}-fsacXSkqZyj^_W>7Zr_D8$sfg8@_!H$6)IbRi$$c=fMe9D|$m&GaV-_i@o9KwnAg?(?23 zKRMq1(6&eS$j6#!hTW!BclzJO)=^ci<+qzYDKXr!0N7mZ=6e$2pXgodNSrFY1GWSD zmSw1V)E+DfknPg>|Dco@>feYGfIN()ZPI^&K_!ww`af7+L9gk6I}z(R1*7c;NXp_n ztT%Y)z4DKrEt67J>?l;G71tt)AK65I&hBSvq!w37mb0tMHRq@MigTRYLAOr>75 
z%|m)tVRPS4WGl0y@$5c{&$_Ky2>#XjnK#E_cLKQ^RbD1k4Jzk*UD6IRxDUyY-jCVj zu&r30I`g&RImK-FBV^fXFcx)6d8}arq79_uH*QV1pl^ey@#2CJ`jo%cy&3OY0^}2K z1y;*eBY0edpKf^VjXWpT=WvMU9O{EVT# zYW-8>!@d|X zgIwEX3|owrQdhx4stiSk4@;7F8>0_XT4p>_GyLDij~3ihx?~Rr?k3 zE7JkF)`sV%??qhU*yC-5tGCTp@!mEv?6%k}$CDO7xFlZu0&Qf6WOM}t)O1~GCqFHT z-aJ!isqaHfY#mYC&h>)vpfB`#!NdUf17r5p&s5B}yI*ps-COG!Rys`_r)5qKuneJ! zs!ju{)noMSf-3^mWtG(**5vI&?B`|pUeU=&Qx#r{^)mWksvg7!1Em&ZPiIGft)U^FByxJgCa z4UORW)^cgxy6O#bJV*$=HON>9`EooWO(9oP?=~^J2E))muOtYM+3}kMR9*B;N^HUK zbWK&uVt9R(j0S?loQL0B{n0KUw{{J7R;4@C|9m$G1P@3ezn?!mBKi$`Epg{voLxnn zKAHdJR^YAr@SJin*fZRhe(%3{KYa+g+bZp@K4xbsQvd$#c}EfG{DgrouCNT>lo02=n_3a5qs~ZA{%429AJ8LvOoY%Lc$OfBxO7y_avk9? zo!uY!df(^)@yaa%yb}l3_J13D1IEIW#Ft5|$DrgL4?N(aTjbcn3wJBj7#8ilAlP@nRt0tJCq0`7f$;MmW9 zKx8whAz%ta6(|GRj&Fc^IW~0193IbT-BuuwFq>33E4CK~`Iz@&@$*6=w8m{VtA#d46u zw4Hb)luJ9CYlC@++3*HiMBO|3-~Wj_R)vQ)N!|p_5a+VVfUEGeWX)N)hqb?WSj@L&>JzEBnIw!D_lxUig zujRC5_$*nfd8aZR#iJ`)+etnBX=uX9YIAPy%?l3OrhO5U0~4enIN;Nl{Fy~+NKD4F z3fSCnlyOTs(%GG*W*#l|chc&%TFR9jZi-W&^AM?PT2$RJLT>Z+azSCv*Qe7qFLWnP zBgSW*vE8$fWP~zd&YT?uND2nY$x+Vi8xm!rMaJMJ>(I-f=|54%_@1Le`F9> zIaYg(i8c6O9E1GfA7m|(O}_vIQ^7ghn@Jh&USDhc2*~feBG4C5RWP(KFKHx(UzCE9 zCY`7qSYj6QZ04x2qN=w*PZr3f6Ql7!Xwq^BRpFz$TdMrBQF1z0zlWAj|HE^?53w8b zG)jk~U8M4{2|H^=<%G-UZ=_V#i+FVf6osb$q`2vQ>GSOHD(f$}Ym7p9cK@8w~d-N>07FDKKrp%Lk`>M^jL+7qG3{IxsMbU}_Hr$x!Npxi?2QAh*HfTWLm- zjCUv8hNbqz^8bTM12q@ab@pId;f-`7nA(y#2T|67z&Y02)}8uux7MVlY7q@OQa|YC zpBtxSQBDdMjVahuhI(@|0v#=#`wn<&dVD;u-TdG&T37GH4OTD~P;b6dK|jaM_1li6 zw=ENz^hDClgBGTu#3Q+j0&eF_4FBq51}!{KYPmUEQU^i@Uhgi{@Qs9L97;0yuXSz; z#!vQvP_w1z1pBWrgRBH(qr1R1dJ7^+F&&?;F3<}Sjq1TQ&Y)cZmHK~&8g57U+(QO0 zcryRx{|)|eLjUW0U_=4<9s@?_fZhkF|7MX@T?7l>N(@A_v_Ha}|A=Jpsk^>NW{8Od z==7xnAHW=DZ#|e?SOm;hV|wFo&))4>2xt1gC!j4yXW^~fd zEy;K8S#|fhe}sJ}gj;T4ga?A{PBwKXo9LKWq=vVlTvk7GTysb<-J(Qi89Y4+6p$%ifibU+0xEtLd@8F>7_{0z zMii?Gr@PkirsKf)7xXd->ZyV}@p~5-{@D%;bWaujUp^U4adHa*x99@c!Xm*wCX5Y! 
zl))4~;`EzEXX*c<>^-BJ>bieXcu-MMQ0ZL-qzNd!2`T~t(tB3{DKQ{DKwv8fNLQ*- zrG^$F52Ifj)I(l7 zpkxZLmzo8@e-;(ONsa=k)RPoGY}#Su-}BMcbG${3$8OEp0sGLz`nnx6Sl!oUzcQEU z8fLc@5VksOLTmYY)OyDkY8vUi5MBFqE)KH{+{ihWkN^R*_KJpfK8}l(`vDR+@IQH7 z4_vzTu#~=H`M<2&Wqg;lI!T5xy zgA3um@sZlFIG2Sf1a9&ki-ON|)69Xqyincki=w3DfES{YUGlMDh&t5-XaJenG6m2V<(AG_5?Y?XDmB}n#%Qc8m(nzm?wX%1{cjpUU@N1JdSV;P?C8`n~B@TLy$;Me4 zmT*+g0b;7ZPVTD4*s<6+n}AOr0FXgkeHUofDPapnLtyzoj_NBXqP^z>`LpM|OCbpG z(f{-OIVR`pz^?P?Ly99Y`d_Nw*5JiO;Kd@p0ggs+2we%TvnqhZyh~te`B{7fL>|*p zo|Vs^2OFOjg7?WWmFNcB%i@44-aFyc7p&kvmEENH5RKx&fc`gJs3e#CQ;|r2GVmGb z)E)$Pgz^6s)!zUQoW99-`2UY8NRK&~1Vir*);}a>(tmE~;t$@C?)>_+s+;IiI{rN{TIO2XHKu4IYkvAW`S>R;!&_-LcEu7~o5xOhCbD&ST1J zvh%45g_Rst3R4ANM|fIrFyd2e($uW$xv@u_BirnaM_j(#-gc~{JB|Nf!*hujLinRQ z`c++d_!DQBfjz12j;kMP**2uoPm&Is6Bd%d6(p!4{)}K}3Yatk(>pUFLCuj+>)_s*;Y-zW6ba0;PL8zn&*J>{6J&t0s;j~{l z?qp_ck~}X3PlT5=_>6A_!8Y7vmNi6#y)CVMOI84B^GSQw7B_nq3g6jxW%~j$$SVEg z^W68_^|NFvAEPY8qa@K8?G4A*r(a)LJ`JVnma_FrSwM2Of&?j}IG&EDRSEi|?rL+$ z0udJZbXye-Ujuo%Ux`!;&NR_mX}2cwpG>2Yy zP;7P))&XXSpWC4c%d#Z}nvT4u&5l3r0RU-Z6Zv&K{Ox^`&#}U?k`)vyl994fXXK%| zJzKCf_AU7x>0K%4Pp$(ySkci0dUOa5OB;u%DQDb#WHTQbR5EJ5I|?2jUye2k10`0d zEPgxN&Jeqve#xY`p0Ll}y(nGs?5R2|VS%ADP7}A~oyw6YItKWh%O2+(9iS&}h+AR?ka;F(1y@mlUyO}e(2Euurs&BJ-bL0hg-FAo% z5JU#lMYzUyI#zpD7H%yH2|p=0J*kFNnB-xD1;hulm>!I|;uqBiz9F1_5d-Ex9j~yV z{p*n5ATM5x6oY@0Lu~0v1=1g_b`ZSgR>t9~9))cen?76EJ$sOBuux*h{w+aaXzS(z z@73?b>`2n+v#@T5L1I=Ba(V7JrtX?sr|@U`l3(Juvzf^{9odS~*FvvdtbD!~B|8ld zvJN^n{XLzGF{`q+tctg=@EXlhnAMs#g~)iw6*ZjGW*OSMQT$1QJ%F_;Jvn-z3pdXJ zzg^F$?kpbj$|(q8+3FwQo^5qpDg8KB$x)QL4_{{=elDbcF{Cqa8=bC^Q|89fETiUd zhG58IMi06~-`gGT-zv4HZnOFPT%LJ#6fctU;B#lGK~nPKgKIk;$|Z`ZZv-99u6{x z-GP8vl0tC6xruJ>#Lh8PlE2~R{{dy}tJ*kLyXe5pyeHpoj;v--o3bM&c$zfK^+aPI zUa|1~W$`18+y95P_P<$bO#uC!vbaN^cgakp)%Qk|VvWKK>(lt4TGa#FqGfXvQrVZJ z0}y6@(KY=$rokvD_xiKd4{+{r3UwYieFOM}Whum8zgb@R9Ez@^d}CQybV#c6qJ4B4 z7SYXc{f;po(?w%dA%{fTy4Jy9%TrczqCRWLpSk-JZ+`w5b!sFY<^rNt>#6N?SgB9s z=RH?dPY#w;sp0DQGlovNN-|?ROEzc%&?!O2`p>jQdVvlJ 
znGY>c-g6&?YYL729Mv_HX-pgyB(03<-lPvrQM6i{sfn+*-r2Qfc!2UG`F8;HuE0&&UIW;s-7*Q%-f|1>a4Jsju_sUFsWU`N z(={mg=-MuTo{zXhL#`jSUq1ZspuIq^?jVecL$-}DTAJyKNX)numK!j(09*=CFmKT^nH>S3rY7j%@2>tQD-eUL(|*nn z*3NMWQLtH4<0P|LwwWU-+K`aOz_BgQ8}wc8GN+y-Oz{LbOdk`M&IzBdiaRLCHXTPr zHj*7%m29n8jKkX6XpsK@Qc(jg!(d@XOxOe%L3AT_SO1?i%i4&Jt;4mG!BgQ~g2AVs zRJd=EPk{I-KA1CGtgI!M9Zz(+S2}uQ;M)LJTjXKLkoiiGpcAvx&pL)HSHGrd7a;Te z4b5srpy2*JuXK`gW5nJW&QO)pGsjF$BUKsI6H^l6J!E`-Vo(&*`|n&QZv8O-GU9mg z#RvAM?ib>+cBlT3jOSseI7Hlcavezyhltq`1AOW{eCTFH&8rk+S-(*5OuJv`_`|%C zSF^tRb(!FEoIm++3vA1GhwQDaxXCTsq$VcFBKsvYon|$~R*DdV^-$Nslq3I<2EPzQ zrwqa0o}TiEcPrR=(RY-Dk5ab7TH6O;yx)q&9EaEua$wF%-aB?l7367yv*eJ=6!{pS z^~bcUoj55z6FXFf7p#d63ZuKZ{Dl2on~5+x+s60UTdpeiU?3HYoN`LPelk~eJ$fS% zwp2LS6_;lnT+)@FBl|4&;@lIe6q-Al?0pKaz2DkN!raiW2Gl1EjaK0ptv;nLjTt1u zBcQerAB_kv)G~>kUC9lyRu6i#)7%6!J2QaBnf8&OapIdE!n)+JHQE+hxZZH_Q}oLfh--?gyI;bkIbfv4U-iJ? zw|C!bNGNiL+AYatP7>oGhUQddoas_Lwo=J;Ke}P7fHTZ{O1G;yko}x$$ib%Q_h?DtjT`bChf;V?zH9*G$9QJ6n|{$oB^4mp)r%m_}Qq#JZpw;N2ofD~_007 z4(mZD0DV^Y3sPj*L9n0o{B_sB{gq*T7YEar0q18OA`$Xtd`WXnzZ|OMGCQs)zB4$4 z4+_^h4?dNLwDy6EKkX_piy;XYeq#Z4WR^H31gu%t@^uaO=VH8!j^E+wUk6G>+ zUNAaV0#W-j9JErLxu zBV|rW6Ko@{C-tGzSz?2vnIZVr6ISq%P)tR>H+aYlg@`oB50I8)+NxX?)&36_prG_tW4V~s9{fLN501#iCMC+XnfkSw>iGw zVp2U>tJBhWyd4cfVlyY2p84GWsm~M2bqYLvm7^ziixu^bJ-162j>8_J$R`e zK-Hyn3ITepahhkJ6z$K)i`!QvQOeQ+Y%P%Ca=~FPv_St@5b&^Xb$b^-Q>(SFdRWKj7HTyajINrlnYP+7Guq`!VtV-kjyT48Io*&ceJ_!?+#Am1TP z_XOH+d6Q(%r#q!I18`+Am!-coe*K0tvP^!SFTCf-cvKZjiYBQ>%rmR-!;zN z(Ttqo1+69)qmu%`qlr;2aM^Cx+#}5vd+s4B;GvW)rXJk$KT7|L)$=U2=l!Y|LpXV9 zI$ROt;cga&@(sJY=@Y`+i7eC0Z8yJI+=aSp+El>q)pU^LCKhrd5$qGb+|v0*#Cjk! zBMogxHnHEe&(OJPEPkk4*H>J;2jSE)hj`5g9b>UG$Fk8!^Z#sGSkSGzGmtqKht-Kd36?g$xYxuZ$TrXlZC)?`u%9duWSg z=DGk;A2Wj2{v5SCDJ!!&o7$b6oL8Q2-Sc2w-fbv?p7oreFqD=B(G7uma+GJIh&8wSB2Hj!e${!fRPPUn~PpKgC3 zsSgK=E&r-RWpHv2v-a3p>04jYe0VSV<;~Y}Kc4D9>BPL0XNch)J3!8SdHJU&=48e@RJc}NLRu7N#?}i#JPjkayNp? 
z{k6rJ*1ca>Pfiyl2%tH0cn(@HW`F*wTESYnv|>lhsr>$0A=EGoPVf{h`4Zz8D=K98 z{$cE-t{gb>T$nWm4%a94>wGqqfGZZR05MU&=r^A8F}wg88+hN&@x!NXs@`sSlqg-N z={tEvqu;KULA)*ng@eLg#kN|~$a_o39WAAekx^r6j&a9g9l~xkL?8%@-9QK5B+fD) ztwvI`@C1iWmUNH!5J3vtcr&N2P{dxxjg1;%kBgQ3ujhfcuf{(=6!BlZ?KqhZTGh-) zhR{(|$<-ve7qz1l!=Sv)o{l-T`uZ#WP!>m8g0_M=G`7$h!R0H{q$1qt#6F@IvJoAd zVdR}AqNjJWO5f52V^wr`*V4VDWF5I(KAy7UI7_LStlaetN&{8Hr#rG~h(J3hfllxA z`a~1%E8u%wLtjNp`S`D}MC5DM65P8-Wwdxf!ox*WObBN%Z?~M4UrUskg~aNp*kVIX zTi^47IHuCdZcR9KE4~>?^4~g=>)N?UxixvaN&15tE7klmE9@XjcSH9;nsZ{Zg z{{fW>TB1}Gr^x=D=9eVs$)mW7f6_%2e5~n2XBCHN8U}oJCkLbQF1(t)V?nRayk<81 zkO>g|(=ndUrk&T)Vw~be7+~!kLqKhOYzroeZnlkP3K~g4HFfzyGOC05R#AB>B6-bG zXYX51ajjpo?c*m zv%LG;g4yz6TtTSHk<9`z2fb2FYB=TTc|mR{w6^85xl%3z;+{{9y8LRl^Xh618aS2u zc{7%c-dz$M?pPh|bhs04vdH7obvla9kq&6;-96n zmT&E^W$`iycQLf5$xKEJ5Nlc4RLqA(5s3Pl26GX1+m(ftBP~mNU!S?sft}626k=Ze zPD}`YOqc!5>djLZ^xyL4Nq)0@t)KCj*<1}#&igJ@%a0W{ya&Bxj(kM4kwQbB%TPi0 zIa^h}u1ph0d=}>F1);p!+y8Ha_A&rM*A>H?zbrob=VTk?tV|lzX1mI!Vq@-BaZx9| zXVC7-t17u@M9=W1+{CGWRC5AAU$1RTh|6J-L9ss})y!)p7~a4S>C;!e>pZAb8F}1~=_bX@h(h{GvDz=Hi)p_dT zg@;NBDd9<-nrX|&k*l}g0nKL$s01Ozr``v@(jVk1Xpa;s>X;G-)#Yltw#$6xHAG+= z$tx>~4T))kwnx*(YMthW_OLMHx(~H&GGjkA{_=^~e0~=k7v#~M5Q7!3TA2SZfXgx_ zC{BLd&*jDk+!CCsV9s-5_oY5o>ra&5w7aMtD6_jEADt|s_b*j_6Ofwf9~0A@m80YK z>Ka%jdnRCO7j|+FSUZD_7Z9Kf3kX|~QRSYeC{CjCVmD5h()qFP6CEEHB9~*ssY8p8 z&%8V_KbkL5o{lj@%qfv@jG3@o}3ykB$T`5~#>Ci_pw?AAhd0p=Po~m0H zexM%k5VxU2cb^dj7-AqP>c6nU(ir{J?FlUf1?hN1d>Yy``EFrQZ3SxBI(Xs{s^y6{0(x}y)nCaRa{lnt&boHqt3)31nJHSiT@-T_8Na; z{wqW4ncQ93HzK`1UpfnTXHV_eAelD@sCDsfuanc07jl6@w4s+PQm!!vm)l!5Fx8!s zlH{>di_1L_3~e+eq7MBlNoFWq&Zm>KgzD=K+BrHke;h`fM{#N*@A>NkI3XVgt_dmc zDw6zhj}jteRR1P)vSf>mOQ3bdJvcOCivL>EC3#3p=$cK1Er-)!uv`i4fy1OM- zoK_=-qlgBSb#~l+A7eK|Z4pT=QS8omEvjTQEnA)pC92{yqbYI=47Y5^r(HbaAKs#T zdqy2c3FU9w1n|$7kEf%X`G6AiQ1Ce3#M!?E*MC=xi{Pja~D5_@W55;{;ZIL@L3LBA-5|VS&cW26k$Ir?>u+u z1Pm%Ax35X+a5=CsZ`j{F&<_QxnNKY^FGCWZRbX9Yj$yaz$}n_T6;afhn%8jOvG{n2_$ z6{>UR^1A(1iuZ!V4H&|J>>p5}fAP19(CF4uodDnI#O{6jMr=SghI(d-FCV_C?(_*q 
zkrl)$4B3nx2F}W6-J7wibZuw~NYbzLA&m>~VnqfrTClS&=bIKMMyfm%Nuqr#2taGT z@JCs#6jERD6AS<2HaQ^%$UZMzZE28g9l&?6`l68aWd zF=54c|LszpiIGiXlV6Km@OCgjLkjDeyH1Y7*?+LQW_9|6C8kI`r(#Adv-7VzEbNC- z{%>qP^IUle2}0lviBeZ+Ms>Q+}u?qs(O50pKwJb1O}+@S)J~iS%Z+Y z-$y$Upd%{-E?A<+o=#c6)OM4X;h=6Yb)YjH`b7)s{+iFJ_XBa7jfy?wkd?{{!q_!O zM}COYzwRbcNYR{7_DAXP%&KrJsRb*}vC9Q-M*I@^=C}Hhy^m`$-q5zPZ(MP^T4XOl zN>9rR3+1mkn=Znb152Lzl`&o3Po5g+VFi&GLd$GW&Wo-^`v`k(l^Zan$E4MmibiTY z>hjY=mXowYoBCMR31?2G0t=CW_X_)hS$}Q7p(yXoW^SNE!Wy*BO*zl?EVdvQ+gG_6 zFeM(UR!KJXnqItXyTznon?aW}wz%phn$Gp;Df8WN%Uul+WdEQsz~SDs-%&vMbfAJX z=oQ7I=oOB1SwPO8pi4P5X=JZO%_@%0hzto_5^opn2UkkI&{)q-EcD?Ca@eT_FW|bUriF zXxi?ydeIT#gfjMhk*Utw6*4i|G##vzT?JYb2?7iA-5#`?c8nykqc}8@XLs&!_W<4D zup+5bm&&&E`tM(=c*1W`?0ASroZQ}?OK7;{Gbyyh}$ z74Y8VjaQK;>ykvfBk{~Voh`Q@+5{#dncW8wZ*5fCQpYMj_rkRG1LuXMQ-+B>L|6c z>S4;I6vW?Ix$<<&h@F8%)1ysH7i~FZk-5Y6T673;KVM*Q;E)@G5w<+2Ujc%DtNg-G zBQA0lpcajP5#A}u$@jTM0jKGSQ? zCtseYgY)4tc6cAHl&6=UpbsUdtSn25l)v6hiE$T89DILSrAba%7oYHP9!(nxXAZ)* zaLtivy0SSjd?VsWjTqTnW{SaTKP=Yqf}mJdr`O-^OZo%*=Cmg*fcC@KTr1DwLgBp% zy*EopQ3NfW3{-)ouk4ZTdDA`YJ3TQ0DAcKR6X-mlIs8EWwgC2h1<8iE`HT8+#tsL= zh#*^C2CRd5DyU@fz>r-M>WmE!U3G`8@*Osjqi`Uwla~YKyK~Kr7aRB@)$B8}CyC$E zG0HSzirG4p!3`j}iRROO!4ahjjWP>nRb3(I9l{%g=z2w&zS#D`-5SY4C!s!xpfr!| zGKmiFnPyIk7I7u)RGeZ)j62U?f<@ZYk1maFQKC49ELP0C8->+dX?JdBPazYgCh`6s zeNf>c3PjdV%ErZTrN&9Y&=p=L*F!Ix#4l%?0W1=8091L=m1_I#myu@Qy!@M=ag|J) zZT&jfAsJ3HjG=*cUlDR!&{bG;ehC*>qGynjR-YNTk+l=-F-~w;e@+P^4zz)$2_j_1 z$0YiaijDdK*S#lY_7>G>{~hMmHx_xEzn?IQ)tg_8YNg@oLV%N?`EFF$IWsY`li{W< znX?nHyQw9%Pw;xAqH_uFpbj&9ad7d^k%QZFCJ9DQ8O~Wri7sP91K@xAf;!ejShzZGbJ4O{N zQ7xuD{+58E-+CK*>)NM6I$?3GzTPfBmHU4H6)N~slEA-IF*tHkDOuyX#+$~Rb`06i zI^%1>o0)a4wK+444s`fQ>`JqHUTsN|w>I;uPbC~tUUd~ZeRhY5?>tB5CZemcX3sQP z9r5d3T@BOLf;FlB2Mzuk5LoRg-T5tD&GVZdiWwM=d$#PcUDqemrho5t&(7T3bKiJ8&vd zHQihCF0OuVhDN0Lu@_q+Coup6ms0(GMmd~bXBzMn3<&!_>_59X4g{`!@jL3Ff4uk0Ce7`t3)exOtw9W@XZS zjNp`GHHK5~XHD$G`PC~wx4S&!zEU0BYhuLH5(F=OkZ3)Fv?@+!Az|hnpZ~fUpl=m~ 
zyu8d`o8(peh3y}DjOM#1RFl7fWaDg2jg~4{ePY?bAjxZUkjE@N)~LFkzj}N|hh5$~ zNT_&j+FnQL0J<}C#1Li9OACUdXrGcaz6BMp^YBaz=%UCTx;3g0jG)5ol2mc{;+qbt zf(7SgE+K+4GaeNVR5c|;SA)4ibF4AA7{Xz4Vp|i&6Qh!ImE8oylaKaJ+uXBw^4gm z)>)Q{s2b6H@zMwUK$)e)eW)$IK7uPCg8gQ`S6%B2jpMc0MRxYVz}0Zp1%~#V=o8*p zG*~cM^+ZEojXV6R0Wfz)oT?QAkKad$3jzma9EpCN8JWdgH1=YKR*OHaEH*Gmf-|lB zu9kY4w&IjhSGBvdGb?Mw(nz;w+DR&vbuzb+5rAn=#5SMfCl5uB6P@H6i~ixd8un*+nHNFEVj7d0k;VBV5HS zcYAkEq>rLJx#`58vBqnYXoNOh4r=mnuAiF^ANC@jkwiPPWy#(|h|Y*FZ_PXmcm{c- zCvo@r`LOUqN}UsR^ZK$Dmv8BO^$yUf&pNaXPQP~+?bBj zc}^yf=ng~vG)hin-_CgQN9^{*{hdUM+iD)CQ;U8Nvj!^JoM^(b4@wq?fmqecD#9=j z8>nALn(Wrm6*O*q>9gl~q25F(b3v2#+plL*yG5ACtvznX_HA+V)k|kY?qeGpY^gtDR;iP3#lP zUdy^u?pr9Ql@ku*1m!UaNL6HB^Ei12uOD9%!cAgsi|J^VCO`4H7d>Rl(%yfhSM`2- zcUHN2@3qSZHosmonxrmsGUGx3obFW76-?E0wF|@7V0%C(M?s%Q1-X5jt$D!pileaG zJu~|U^^_iV?EF&|sWTVDw)-ZFmzD)C7mux&yEf?V3eqy=NG>PYiU-b5)t0ZTHwgH{ zrghPi*8AhU?1uI)DK51<56GMq8>%0O+Y*oxQGDi~}h?ZLQ0p2w7@h$?-QZDpVvQ`zaSH#mdeNs@6wUaG) zusUdFB>@8w{UE9@Wns|Uq-qo@vBG*q_0TCDu;%|QcJFt2S(_h!s{6{XoTwbMT+~iE z{0R{>QTZ?Q50V-x_RkQ8>#f$4YkP0^cr+Z%-puw5yNhBhv&AizKg3=9oqMIPZY{Zx zA9G}#WK(O!f6x$@a(s@`GCUk|pLBI?N(|ngwbm5d?Q5uqAv(ddrNJW$Yp*DGS0%&5GgOn0DnP$m|AyKE13N{E z1nQ}1;bh5S0bDgFlxF(6+JnMggm4M+#=r1F-?`;A*k? 
zDGO!zT>8Kf{d7~VS42dB&eZA8q(F^9R}zP5D<=CMT38D!;l$ZAH;`dc-_lCvh~6yU zFKhXf!y<+r$Pkj&nT1&DSl%ayg`>?9?zdg#w{K;t`RA}(bPY(bN1J~Np(CFflU<1` z+^QWaSO3WVZO-)B4Ej(EsI;wUy>rqKx8~;wpkf@BIbbXAZxqF}zj75G%e2W_9$@RT zbkDyx?cOJ}Sq9~SDk}?IF)a~QS8}PC-mfQAAkxprR6%4AamRoh%o+(MovryDu)kt!uB2%d!lYmHweC6kc|YO%s^3A8B9kneFZb{P~%5& zwt2LQS6Q`oyw@es?-R;8i%^L!|G+m@gMPI+ISD29dZP zKYzwpA5?5B=|1tV@}n!_ffe*#-WgWjS^~c8wSvx$TWE5EU5#C-Y33-}!^vqWd(zAb zq&lcPA~O;@0k{LX5p@ueE&?RCX)ApT0XANj+6Y(JDSvT zm7LV2S{+HCUf8)zKC;QN#^jA5=s5Y`C4Z#hFJ@;3^nd^Okey#0m|V5>tg^aH?+Qqh zX7+_@-7A$n4hWI(8&u#&`btnWC#3YH;Tj6>;y26feS9gJ(A((=~tN8ZrAy?ILlFaA?lVa{jaUZef?t?{NH-7 zEGxy`5_Jtdb9X~R7dB>=|R^}y{Ezl>L*o6l=_ zUnx@^Zhb0`rNYwdQ9n9H`C|YViBCMdXAy5@&XhWhtlSPm1UZyh4X4$T(bmE3_usay zW`4;D-1xnBZJt3pytrK|%c6U31U)(lI0r+Wx7RT%7J+P5i8+l}Ll2yNn%oAwjkse$ z4lW{lbP>rtz~ixlV7Hatdtu%V-pk<7e-FNUy@PN2fZFcq>`rvpZKThxp|8WZVmYjS>^-XfVbbZPz?(=FWO0t#PuBHsb z$aKWW)@BK^If<@&PA;cY#}(&~rt`oZf7kr{;x|I&?b|CCBs{wVCw9WlX(@u_{iAxh z4l$rhQ8iYKz+YcGs%*`S{yhJ7slcl(E|TrEqva`e_s&*zkqfqGtB=$_+{rNw^M4Mc z?6;{Dr9%B){-bgGSo_J_&$JhOhu!}E@nN71=~KCmCRgF0W?<@!J4Z2h=j6MMSkiGT z>3&NtZ=mz<9*(ENeIf%rcewE4WtEFm^5G-50sMU#`Z7!dm_Oj0G@xDOmU3*Yx z%o%C$xSRDuEPZ6>d=&%8HhVkZL4&P;OO@MJR9@_KUQ&dtm}CF;P}@BSbi8`>;22Gm zLEQH>6)`R-?bh+|6E-p2C4+DespukRvrrQUS7EQ}N%QUbVV^UA-lL0`3jSyTMNJV% zGHn`*jHN()xjPTF?mwloeKaHTz&8A2Eca!B%8s~3V-SPfGL=4k2q(#et;y9Y)`t6D zbivivCn^X;EI(Z7xT9{E$^2?Jo-N)lNtfJ4(pHV(t#*npbR0N~bSSf2PdD*A>#B}$ zG8K_}&$b<++F}Q+E<&w_@tQruAUF9!_3?y~{S7;TqsVQi?)%j)gwF`U?fpIn;(H1SVo^1@Dl@_>$a8fS$zuul>1jTyzvlf%=epkKF5LN2vVNgBvS*7); z6`;Kb>|j~6tOLCL6j(U2?sIDzhV1s8h!!3-g_v!_%){WKL5n#oYjfPAp=T{74bejk z4{&M?7cZP%TblfXO>4_}e*(mcpL6Rhq8O)O{S)SuNuA~s6C*AVzq)JX1;@n=5i_Z+ z%B##P|58;YbTnypXDgjg)=uOTyVGzM-F3ylX4Rd~mgWZxy3$H8BfO{=E)2H`}5p5J%y{Ja+7W%c4gH!l2<`YVbC znHFI|d1U{og`x53xft>JFP6zr{CsaSW?3Gab~9At%57S^E3bNP=dhxRL6FMp+1l)z zWE{fnb`FCMPPnK}+>@g}qcJa-GmUTE&d=eRnNEZS8SiY^)$>g!6{Dvu-Y3w1&=?T7 zHmdkwJ6jU*!)MGrE4^t{d$XdfX@~}=+BQ$`W=A!y!UtCyKe*1<=4W13^u!~-J<;Ax 
zPTl`2et!41=~9*Fm|rPy13*iJC6V=Xty}H*Nixl4*D5=G7#J-(F+<2K3_lV6!JM1T zang{;ySN(Gs6;$6BYTkKI#})Q5}nQ##$ILUCqc(ky8kpJv)IH6Ej{S@efedl=}y#q zRaz)2gwqYU8FGW%?ZF81*M^OnV5*-tHf(Z}siUwB5sL}G--T4q$ zdIJz&;9eD8w4qphA^n-`T4h7&*Rk6#-{mVf*xJVfjx8V@ZK|hzo{=II;9EQ>6Fmn> zfBQRjf>e21{{~=6J8Tgh65+q%b06IM4BSorsKv|Zfrto6suGP=- z(s-PfQS1A6L1Ft9D?1&kmzC)jhdE*X-J*+-{6dJitn4ip@2Lvt;+N0tFG>b7fy*@5 zCRJUsW+B<*Fq*8pIDFw@1K9%~=Qk1j=qH`U3&%@33Xf0ABj2$P)36I@p)Q~0wk$Ql z)j?hf5b+;ZPHmnhto(AOLyDrQ0Ec_ZRt`A4kxdUSK=zM-1%*lepb$bp)L++Xb9tO+ zd66Nkr3&=-2w^5G_4rG|wQ}@HYAWr-`W{7Lyu#)HQ5A-pu#A8?xx3$heU0N z;aZ3l!8RBN$&n)ed`<1Q-vc_klQ%(~fqPCwhVyzi)f4H-foizS)oPdFn^x$RaqY?p zbF(-tb=SE*H@#Ov-G(1;Coac~_iG(9$~NI-o~lN=zIuP{9mkXwav8LV;!Lqr>*Akmz7_pFSoCL#lGtt z>m1b^56--mTA^E9Sbj^VEMryo@0OcuR@>fvEksms3xG>vP|H+2#s)r0qZNr965^`y#r77`|`@Y7V@y<;3$u zIyp-uG@6#_y8fq{?g6W57+6hU;r*bB|1&So>*v1L{plY3^9D7EGKBVJax9C0P>6yPVbcBj_+r{HaM ztm~^9n)jAe9JN-Uw&69`pj_d!@zrZ8tfcTG!Yg6|UKbVry?Tsdi_?`j_0}fwn^ivX z;fqmmYAlb={qv!fuY`Xoyjw7#WvL^C9r!x{V(qHSVs55SBJCL>(+_>`*gZ@)s&^gD zOv%cJHA%a=)r?31Rxp>R%=dDnZ8&wylu86@YC>ZFXOt!9Ly(!BsCKFhio~JkheY-n zumgu5Nt$h_1lGg3OS*C$wWAjQ5wz}mb-inr^q^?mKgHTjr1X6;(>tv`K-r8=9w}sy z`!Ro5Bzx-gfG2w>FaGCpQq>BkZ+D&3+Qh8=iNa9%R(>BENSDK|`%K#U@2cF(Yi=bs z;D#^3!WJjnByK_cWCO*M7Hy^U$7TNBF}z;(g0NS~-d@I?8z1PHl&BjBM8cntatzLL z5kw$L`3@~bgf3_*QC9`nd;Gx%0#$jmB5dTqGsmn((~|fw{(&U2D>M0y6_a`Es(|n= zMXalvA!V7Zdo{64TPicaT5GyCP5*i?$(fm59^nJFB$2(K zf0^%pxXahm4DzUz04&iageR$sBM??$tHHn^{k1Vk%LJ10f{Te^cU68U=uM?d`Gy+y zNjt&Tz1A+Lt z8^8^U1Tmw%ncW5ca531Shv#0RiDP|?wqi)mHH+i%2_q-}p$8hYv@+}2BBX@&VXW~p z;zY@!1i)@fktfw8A-W3ZwXx5zaTWPoaQ@=ExAPY&@BCWjt~LM7WOg9w;a1Xb5uH78 zz1nzYW!$pN%gb`gwXeSUec_~8(f71npKrC zTw4FqTN_wY2~A6VQ=7u^EQ0xs#eihEaa}}!3Xsi;7cE9LJ}H@LJ;kMOSn|ESnIisN zUZuNgtzt&S_L|Bae895sFOBOp)gZWRtJ+=fO!lXS%)?tH7xnu1r$>hd_Eo--7-E`P zLoghwkutm-} zKFvLUc}1BfEOT;*$(&pHgJD|_jXtyCQ;`8Oa6NH(B4b1#pImzs=M=wEx~ZLMlidOd z`Im|XY_on@<54D8%0)HHy8$=$r|q|<3dg%kAk??N_WyF63Cc-k+(|#=jj@UZT3cf0 z?&RR5&*jD&rApmy_NX9mY|@tE&H?SEzao}?b~aRwHw`IF+e;YQntEADrm+7h5iu&{ 
zd4`|(F**zH*Fv&1RK&6Ouu2ypm<0rbJz9LQG*u<)Q7#*1%Qx|5Mp{e>ItY zTO3DGKnDbYP=qK&kRn5s&L|253<%OB5Cl;OF?1x5z-vLG)R9mGDFV_$$xs3Up*Yf; zqhvsWKthwAgc^o2_nq%u>)zk)TK8G&`5VqYXYcbl7>3qYjX1oS7e+Cu`{0uTMk(vj zdT+~-rGO7$|2!uiB<`H*5PFGJXy@R~M8ZA!K9&uR5xH)jf&-zUqKOl^^10IebQq>- zQ8Q<3h~}bhDqBQI(tS~77!n&9NlXa1x=`O#q_8?sSDV^0=8RSgTQ)HK-2px|ykk4s zT<1B5^XzDkN1o*x?88t;$~ACzuF4dOnX*=R6=+37%K3fjJtttLo(lPWR;e<3w1q)_ z2ArcB%uL6%=`?e?w)5WYjvN-jaD3ug78eHzp_&fML-l9QS_p~Fh`M;(%1*jv-f11O z`>sHFkv7v*H5889|NM{~9q{11`>fq-#i9i}L}>|qqHt1s2`cUfax|~B$ zE~i7jfXtXr$M%UbZ?3OoFoNUOEreq2T`S{7J`J2kwp#y&Qg}bRK3V9`~PL0-5c640a&QJWd z0+hkJIW56!!ihOP!r4nPV%S;cZoHW<#)e5qI&cYRloyP-AnIvEo75u%LYlnhqm+f8 zcav>T$rF3YIc1~@Vzl?OVuY{*`0n6y`g+icyh3ePc4_uq8+O^EGeo#<6_5=W9Vz|k z$#--SE8k%%#9b=IeqnoC zL&O6Ts`PP{uUC(>gNi0lTMI`ZbS77~S@fPSji$z+(`d;IOu%b0WMWu7F-jaC{s%ZR ztkmR1Rc@(Ey#Acg_=JK;kfE#|V>AD(sT>yPe)y(MoNGOBdy{&taLQk6dVEhyBek~Q zO`BTg+-vrStL%WyejQ`;M(Pu~vm%GH?ElAVH=Z@9jO6P|x@8;WF8* zKVo?6*e27l+hBD1xyKiITEKl;!Ny#i!)nq~O3d}%i70l{nU3d3giCl*;B5}?%%r~y zaoSzYzM~d!H+U>u7<=QymXi~YV28j|h8vrkg0?8KPb)T1SNopoJn;Zs6}S?8$@PUp zzS>N6Dr~3DB$H{`nJt|N&7U=w$SlvXD= zZ!OsIE2g}h#ncsM{;S`5$}Gx!(30#E5y4OR&j9bQJbs3~^UU!$lja;=Ypjm-_R{-@ zCt6XDRq0bCQ3}CG&BFu98PAio-plA!t*b_rOrZXrB%3dN9`EV)6f!;U50x-Bs^rp* zJkBA%Dt^@&3Jx16ztO)>v+{P`Ef?rWzh}^Us`Vk)><_b_VxZgvJC1Ax=iw$u!w})fiDf>%v1457XV_K%RCQwE9_Ui(Z z-ka`uTA>|Fo>q&XQxF#hc59W9VFLog_k$l0`#7}`~cNk8yGp+ zW>DDB%|1FMV=fez)(ENhB39E0Q-4%PoIFrK@<$~L{z+WFZ@YpxUzU?{^rRCuy$==O1?a5bx7qzdu zkMjmeT0K}lWxWxvO3OQ$#tH7WKIp$9zJ$_m909_^Sp|a?);hV0b*RHJ&+;YD^X+~@ zVljUjj=n9&=7P&s`}Szw)@-foM%1@9(A;4y%k#=TVy&G087ScZ!vJEVViL-t8#b@8 zH@+=v?rB-h!9U1kfzCb2Y8N0w3Y!Yjyp*Yi1+rFO+Ev^%B6V21jU#tp-lPF~XiF1) zjaAgNnqNogT074CYb-ttD)G$&$u;WA4ju`Y)H#SIO-No=i_|xQ89>d4^%_x(1Xe5* zY~B*psF(u$?J>MB;4`?>tVb;DE2*2u+GH(wx80q0m8+58AZG!K)wi52EybLx?9loo z(n$RLd~Q00im;_4uc%i%)-6uV)$cYg|FAl_-n@khtS-;n-?zqJXZ!ZpL|>gbnM)da zkL|W9s-+z$g%NGeqb2CI^ucoj!n3Kd<$X$$!}whWxogdZk&;q*059&6`R0ViwMc?t zUL>N;xcBWhfN?e`=vRIHuAnp*XQ=Y0+Z|NORM?}ximM8bhPECfR44bcKqOCYV5PcZ 
z>lj$wNAoQI%qD}KoG(k({~TJ%w=>C(Sq~9fFnvnGMqz%PsOftU?<#%r7wqltv*l$} z6o>e6il1u-ut%6ahA+CRYvlUK+o%|4|LOOr-wXhuK}8*1{!jn+5o)@b6tnP!l-C!M0972&qAIc}sY z8{i?HaY?_CkA4l=|9S;|}sh#aspT zh2Tbk^hLtt{n5H3gM%C3pfxcDasYyebfV4IvQr3KsH$*feAc<%^js_V+9%(S_ou3M zl@-Rp2%m;?W-lYpmD^)lZ3BF^#zT$5>1(l^bd}4OGHMcI>?!T)b_HfW0NrqmvHL3X zCdZq?dcp$tsq(Z+%)P>;Rc}T}C5IHd1R80kEFo}k0+iY3oXC+SwH000G*9ak3- zfi~^7(^AUHl1B4bfY&IGyGM&r&KI2~45~bIB;F}Y&GZduVATeatX_GOY-58qMl~Zm z4o!q2xiuW4PsmG$Suw&`J2sn_rPcpxwiom85lO2w;|9(!7x z>5#4hub;n+o(c)UDHc!V0Uo_oZccN>S6*o}A+}7DxK6Vvgem32T#81V>{X7(*s~IX zheyDO1N@2&cR}`cVppx%o2yd>`sb7FV$K-@iFU%@mouS)l!=1iQnWpt zOkcese^35{U&L8+Wsi?AeRsi9+2c1O9eVxjCX^i9DGH^aZ-D|zhadw(xcA$b$h-An zm0@E_&1A8F=IYOg@I|6&4m%~`NGxVZFKWG!DFm53u;x$>W9czjDvKLSquGAMc~t(e zV(!lDF$=@;l@Isu2B19n{2zI6^shXCHvG3dK--vO|054{F2wl_!=w!cLPzp{DlBFn z0{oY)i|_VV1ZUO<825EA>(x7oz$gI-Q{S-lp8svL(5>6;0j**wMFIFo_76tNAJgL8 z`yGad)5!;RGrc1HyGWuf?li*4mMj|F8&TI_rN9U?#(ez5iRerb^w0m7ngT(W?X@Y6 zgtt@-v_R#q&37I>9G!9jyoQ+_-jPdS=o@7xS0HKe{>NoF+%W`$bg&O{sduPN_;S;7 zlR6-+m*eQ*JYU-uzstf+xBmZvQU6CS3izL3lp9ma-Bd7)bSLd?2}uzL42)my|2qtA zr_O594Nh0RYyrc4Z{Jg?1<}UQh~RP*RHp4>%x5|z&TXXgoSz}@d#SG64Vx2un16V1 z#sS^hO^@ZzybB7Qq8LYV2+UJm8p57SyQYTRKGgf=h(y7>fD4({gis)dkFj}`FD}NB zZY3eH=Bdgx>XzzxVhk_kKL53i2>)wUVH2}{|D#IKwG+b6_!Pidq=M8Azu6=8NLQpA zSBN=Dcxldm>SYyGSEBvyHKn05gSSm>BOZ}6y4c%MPUVMA1{T8p8o4*S9ny*~vG^}h zoKYTkC$+y8C&w0O_^kpHV>TtJFoe?&+|pu@+4(j|{&O?Y?demwFkP<_s#l9 zEjJ(X_;|W*tm17r< I1OJTw7sYo8c>n+a delta 124102 zcma&N_fwN!)b<+`1*M5fFHvdIrB^{kx`6afRHTN0^Zkt!e{ zT|!Mlk)D7+kPu$xd1s!PGjnFn`62fokiGU=*R`(C#)V%a&C!0Lp$3j6XT6q3Bh@7A zNz-0z3s8BCOSGTMRLmHEtYB#L8f39p_{2B7UvaIK+|8pe-fhIq#SC89^;dVa6Wgw^!waSO`@eZIZ+J{+hQfjsG*& zybbz){A?&Un#QWh<|U&zQI$lE$4Q$C?dbZnp-d|chE3$}lzjZAag%DL~+kYj-gOHve5zIo9kADe=>l1b85 z$RcLv>-?W`&8e^NEMff3TO`{x_yUXL^G4f;Pu8voWC~kTd6rz#v_w5tbMkxn#aJ_V zv~%=bwq=hf(``~tZ}4O@Qv_Mk3*i2j*jw_-w$edM^tO~R-uH$UzEkn=2foiy_=Rip z;Zig5E35&d%a4XNq}tCSMNE)#v|eX+`|hF`wYvxv(#s0O!*9gsZpdx-xaQEwfW~%S 
zqFZC~^ShMoUnklg@%h)^>VQ(U9v~dbX%fnl%GRl;^0HIi%4f@0Cbs)6fP{*{akr(q z=Ii&1T7F)NyZ`A@oak=~6`6-{ob2btPO9t6Zad0YJ_lX5?H0#vNL4M`sn%F1;^(iU zM8cfe2Y9|}Gb(WCOMW7OW$Y>xOpKhs1yi8%1B~sD!$!e0)f8!X|MU7Ow9A+u1Nd2i)#NTV`R9MOy@_3N{bKrz zZC4Gib*jRD+KVwa`|kmM8IG%{Zp#ZqOQa7nES#M zy4kkM?sIyEO31*!D;HHA{`UXYqKI%xhMCiU%T$l9X$A}RcSL%VIY^1VShJSY!yTBo zQ>L4l@Bx1~{~ORY-HnHl8blduQqX7D{G0LLdBIb%_J)}Lp&6k`iPp)MrYp0_%I+7Q!kcUnUwD< z1Zb~l+U10(mycfw_g1tuW#riNt3B#0nQ{-V(s>NNQQhi< zV~GwjBNZ*Awgf|q z9;!ANM@igF(}lLr$4R~L{>flKG0KR96jN5?q` zw>8?%NPg<|u7h0`d~0^(SiTu{yk||N;q9TTdsW3Vp^;{~b#^QXP@%HOXEb-RU@(-Z z7SUczs?{A~ZVsqJ|Mfi0V@@l!k^Wp%v|At=KlW$O`OLC#Q=P`X{RU;2qE3p_ZJb8v zXutofJ;DV|JT{R~VmAjVINP+GJ|v~#(@1&~2Be3}bI>bsx>sgm#r-PiXMWnM2sAbS zgg<-B60qz8r8#NURk=efuz^0`s@%6tK+TVS29V z-+Y{`#(}UUX)MDOEJ!KU@JmJvZqV`tlEsWp_CD9fEo6@qk0axW$45q=ppDFZs43F+ zdaYHi_@W?U*f95Vh++lWKrh!nSio<)SXdsTTzLNpstzbO8O-%S3h+8Fthzm9TN_sa zC-Gh{cuYDuRfqoTi-uy)L2O%D@{%YU>!2`G`+ol$Zt4MgyRiA?{C8>7<%E86?#zzL zIq20c`W#d!5VVw_CJU#tm{xablC{lgc_{h);Iq3Fqr!Vj- zL3|m6a{$!8N9zhfOZGr+Ky-a8NKCy0p=G0iF1N&nyp*W*DzH{BDt_=O3Pn6(!FNmk z6o^>K6IRknpK7upK^LVgy|yL&eIJTDA1klMe5&#l7F81JfV)%978<3`LCXc_pnX4H zo^ue&cIiwowdoubp>~Hjl8l#ReoWZG)=BdsLgqohVwb$#Q(!Be4uO2 z{}0!uvYZ^Fb|q|7ovj`jHiNrbiI=*Q&C+VX3KfM(DX!={W6 zxE0r{L8mm4d%u6NTrI8g=ZRRk09RGt41f(pq`&0!+c3>|T9Uh%YF`Wsu>A8cIR7JY zs9T*G%`}_8)q8O^ezs7_80D*IkADtdW8KzAp?8f}f805FQ|%jd`4hfUK1`G{S#XOi zda6L?Aqr;Tj9sd?D#PTsA}5em&+erIVlVE-e174*AHL`C_%q@W35s2sUFt7jYE?jP zW;c`vRsLS=t#p@91Wj5)j-wRcdI=btffv=*#Nh0`_I1SauBA9g-ClUBD4vNOLQ=3K zcw_;8j{ZH(>cB`1u68D-M{50%UZG!)P(pF$n>F1Z<$AwfZp19)q&aJvA+7|twFlh~ z(W*h~+0-MQX2guz1hkN)_r-%|dP=8lME4IjTb3M_j)Dnh?QEp$1vmU4H%Q=awTCl@ z)`g8TWT@Yl(!ACn`i8+jL+dgTx^u?{+QjAsRR}?&C+i%Llo)?>4*d~qa^+8?>&6FnJpPBwu3mT z{jbu}x`?_?t26EWz!3PAQb&vfJ4qd@PB-d>Ex5S4szlZCyAk_5VjB&t#CHd=H|@t& zQYPFk&y+Eh(l=BMmzpwTR6#X2q*l&AQJ;)G9k2=UWN>FeBhtnFVg1ydwnkb3jd9snGCWpDQmgl zCW5btWJ(m=JkS`&PpYH+0OsFwTxpIP3#b8CFdaPW`_i0Ef7IVnX2`s|E~i1jNHX_$H+x?%23Yst%zWBmhc7mLxgCN1y~JEEyKnNFcxK}hLnNn#Nmq2DA(4%i#aW? 
zU%NCwNBy{x-$Lls#9S%L6RLp#5?*wB%CV*K7jA3?tsM56p&f@kSgU?fJICoX82;g! z>^bNX*@NJaNLwFoNR-LVnG2!wN64K@a9ra`9mS$3}*h`xLa27aipnuQWhH6QS756y&0f zCiYCdXIgsWpIU(<0~%ehH}>R{CcT+(=X_s#9LWg36R3SLKO#tTUDH`rtdUg^dxIe8 zidLUR(&Sg3Rs9-Tn(L1g*X4*bT`-@E7Ja)FT(xN$nqxR|7_UDZ8w}f_7MNzunx{rZhqfBs3WF@`Vwtr$_|_NeZ_^`8w{|mr8+Y<0BCs4d%ICnjcIb1Cg$F^ z#18+n%+8;yR>b<3#WeYkPpQ$Q++&x{YPX1*Y}>&GZp5W-mwq!j++MGjI5)dY?( zobb3jby0z4XZY?5KB?4z`_v5t_@k4nl@>p+BR)Q*M&Naa>DO@U$+e0jNuj zMp@e#a;l2?J-qmCcjD)VYIZBTU8hZbw>C*)^4HS^4&n9XKXS{8+1o8r4I!L~^QNf_ zfp%7U?c->@aVSO>(;nM!*!CB5`sd{)zR4Ot$Lc^JuJd%j&9sFy=9|J}afqv^bHb>As{do%Y4CLG2|exrh|l zO?faWt}29M#w9b+EVxvJ=3DW6*k>7kYQh5q-@M9XJVUke?dM>Fh+l1OR-Lh3>YLT| zy1?}MRsm1*!JW|8sfJ@#gI4eflcE{9L(8`M*+AP()NK1XNP{x)Zx|H~xa=i0BNtO# zYWf{nbKYcfMr1aoYG!J1q&z;!fIwOP%)NojjfIV#gE%gl9VX3qx}BA*Wv>pI@B;o; z#rl1WD!9_x4EyPp?)prp@Da!6wUb99*JujP(o8kdjzUSh`TVK>co>j>SDUj8%%Ja0 z`QJ)kU0z=P;QfL2$Cg~ z`gr-^Nyc`#S}1yagrwbvtKtHxMpWX9^U7qxc&?mY|H>|Djt8b znExbvCrYrj4r|#nN=?eb@{D#B#3}@4^Zu8ed{mQ+)8}&Z@o*6_pSFtrN&H|$H)3_l zJc4*a=>L8Wx<+yc0q98+HpKPVwG?``4;wB9Um6p@xjL!4Df3A=I=pQULijSLGGWU9 zWyx7$7NyNlyY{keHDk$=E%$+j=F^(vAl0W9ELwR@K^_ws=!W(^%TUusn9-+pRWfXv za-C$keAxfav3{Ja4=m3yd)ExPvHZj>u&qQ$iF_@}bmNHO@JcINd`Y@?s)^8OJj)J~ z*wn=do_a-x^~-0;SkKiqhQyb>Fai|Dx zGiT5Nxu-+Ud4D=^P_d9~{^Php?H2hd;W#P`gm^(%EUgI5v6;b7%ow2eUjwSWGO`8I zmFAsy$UQC%?tCAND^pF5zG;foRCA-~1_#?4n>$3_h3Sd^^(aru^-f)_a;<2w-Uu@q zIXXGXPa}->&L|Wx0qp{mU-=RZUx`4H*lzXTVW~qp9deA2NbGvO&gYM2!i|@ej1bew zo#&wV?4=zq9CR zQT6Jy@J8%R@~gIsWs6D=#jL<_EP8JE~yZ-bDr9+g#)$ zxFkx336K`o25rT~qY@=@+{!;*<+MhOTmNPZhi@{ebq-=sH4EdU^!#gY$cB{_ zR&TV+iIxL$fAwW88U+__jY@qH+5QZ1RlO=Qk7p6ut|O}0k(!8-IEM~=OC<5(DEZFJ zhf(g7(&phy(%}0s=JFBOIP7?JN1#I<6ajdE`tJi1!n5owvbia|(qEuMw|#07HVE8QRU*t;5LXuYCV{%5NwRoI8Gunp;cs{9$&nZOflOH5fAi45EpE_B zmC?!ew}Oqiz~Bi)K^#jsTn+9B)Za8vH8KA}TtB{TemMSbZ=6z&q>Og3)&Q>TWJ@eK z24j(dBso4ETb=paraWO3G3>#MdFmy2>t-c$bFCH)KZ;{z%_v-*U2YTuF(idAgLxkV zW$wz<4&2R?_1|EBNwAKurSB_}f9y}axk@~aRlmdW{RP71$eI+3-HYbEM?}uVpqaM+ 
z$bqjzHX4vC1Ck%Tg|ccN#Pztitt`{~xc6_T5rw)7=n*e*Lwh$j)n^+T7dhG{c2@TJ zvk?32gMxe(d@4plmy-;%oKm_9W>zDC?%7_`3{lMu_4 z_4fS7^oP(CP1I~hPXUXE-`s*aR^c72=CG{kK#-^!Y+`3`Tlk!s*KamXR#Axhl2P#A zJuc-cBTut$XP%?8*lE2U8)yMbHM@O7xyugG`U9xf3lu~JQ>rcwZ@-=tglHF->EVCy5c+C z^gv0C@7lXgqbr&dC=r>2Rp$bQx?{7Y^wdWA>8}la8MSY!ESiyOuEK&@S@I1hUa)^z zVfJml!f7 zcqLQrdl8&taqRxoU&l&`&pMpP{RUpEEKKRV{3c4pnY)Zy562s*9KlJExSS>K0`OKo zcf4^P3Wea!rW+1it7FZ$+r+T)>6M|vYkJD%T+(AA^t-YeP=H58Q-tcL?vlK4A2ans zDjEzz%XGOvMp$%G5#;wUN^_k`z5YfthGpg=)&ZP;n_+vHu$@X>VF`a^TM06xe)VVl zTA)m#wf4=@n2J(xNYEtVE#Ie>hVKl=Y@bCe zI*h)V*p>LU{r1+*Bpey4&VaoeS!(&a$w$6APeE5)ZuOmR$-h5o!6*3vFU=>@gLeEH z*VX_9)LLjH5sHhdJH0zg((mkGaI7O76-&g!Dz^X|?AIvV=0Du?S(EXqaL%1&#{}YA zr4s+-Y;c1JQma1{f%n_Y_Trg_FT(LJL<%i?hjUp8r==~H(S0X8-4qL z(+^_hKty?d>%Ki|M?aIg5e7cXZB@Zl0UX*yI=jjGp^(V-ci*9(eq_Ckn*Z`}%Y4gd~nB4i>MIoCFW76Q<{5?UF(BJx(WR0Wp9u-kS}9r zwM`E-uKt=JwlVIvbAMlt(RBS?Vw&!tv0h+y+iu(Xgu7g>3lq}JBuj3hIlv-trpR*| z55fU<}dK2Q9QR+aWI7J&t)&PIm_(^P*#J1ed?v?cuB+vz5%c_jA{r z`tDrhysmg&F-Ntp2ip|Xvh+!GlkjunXvroO;U?`2Yh8gL*@mw$t5$I@H(EX4DdB}B z^AKxbso3l3PzSixyk?FvlFhQ$1HKLq8^T4$pw^;7T6V5u#4T*8jT-{Gq9Tu9%7pj7 zoc@NIAM!p)}ymu6`Jbt=l#9ard-7vskjf+R2CSk0wD_TCdaa2Kt}#uzuye0xugUH4BBV);gy>F;ClVm?SrMr7Imc&= zS_sIR6uA|JaUt87LFGQ4{aI=5m4gZKesVAgi3PL4wXrJohv&Ej3 zN$+07WS>1%q}c*gEX=;3Yd=5G!Tdr;V=%uDY|Eto4xPPoNQfA1g2kGHKl zjeZX0l0`b)L^+t3m9pYtUb_d2LkqV7_7jjd5m4~J!&VcC;8_svJ(vBU;ndz?*nM_?|Hdr?w8p1y!@|DW@Y(?f};?J zR7~f=@}{9Fa%v7Q+QJ7UFW;A4U>w4>?N-Y=6LOV31m}LFLc}tCA{S2Ptr|GK>a5=$jj~aH z7Y1-p#=)$Ab=H3UZS(wLZ%b0c_k25LLHw$`ibYa7|wKwsB+1U${aTXoY(&_orCK8W7Xv5U6lj!h+f+DOP4xi_D_*r8g2R_$+Vy;88*v5xrOKQEc3;=Jl z)al3^IHX4ZzPn9*aA{wacX?Z4=_k#;AFn=SG4?PF|4KN(wEALENqb@Jq|?Vli~J(} zHjy0(3;9~}8B$w|;!4k2{47^A7YLfJT)1#vqDXmqm5dr-) zLFqXw|HFZYdDG{h@N*ElvHNr{dPMc%C$a{5!gJT}4=(Acj;Aw3{>ozctJTL`Z?xV# zxJq*wmnd@-OiIDEjB* zC*`2=Incy}{MWF%B6C((IcN$&Gfa@em2b*c+|7xcW>e|`3c5a9P9aFS_A?_I4h!?D z5uYsii_la5&uwGP5Eu5WyUA2$S)Hp?-he%%3&uFqvvjeaF5Y~8R&F>c7q4RbU*OlE 
z6xAO!E$I=`*Epy-CrRfZY^daSbg(~twk1cvQPOFr*+_kmZTI?d7%kKc|WnX3Xjgj);<}hm#^W!w=AD#39DAmTNFb^>raQ#d!6YpK z?2Hv$JO>T2qN=9n>%y(?P`xIwy(dEYy(WB;IhNWkgC4LZV_WK72`Rc*=lt$eT-_73h;B?n+6P4w|HOgSc&!~yKH-@V(&Ygc@76g+$ zRgT)~stEoKoC7xUg)cz2U%6D8x1UpK8n|!{2VGJetdA=Rx#iGyYKKt&rN)l%n?^ju z<}ht9@GjC>#?6hS+LtbCJ2q=ME4?xjYI|eEVVDm{db~tV=DGleT08Hf+(`Na->&B9?mSzZdXGKSc$|FK3DIodmLJXS16f*NSv00E zxOc_DXCY`K$+uksp+bqQaZ_jFvcI=uoJF9A#K~L?Vcg_NT?+4#U1rQ{^ zCsVrubbd=Q0E=9k`>4*er$EEFEWn_7Yso&y#UqU^YvrlMkMA6++<$4RcrFa!dl!qH zf&G#+Set#SgKqnP;9``S>qv|HLpd1mCskE2?(bgQA`i(LTC~yJ(T%zdRX};mXn21j zMGTwlPd)naVF)aew!L{Lx~;QUyIbWci=ni{|G4 z@e0fK5^Weg+}DP{SW9HXF*b%4!-Wi5?Un9~-?NrHq${&uG_$3cb$tkYz=r~!-7>$x zm;#r3C=5AP1e!QieXlCpkrXf!scb|r8_QK4D+_LU{!NKt;0UhF;oe_D%@lp!)(_ zqR2V?QDdJt2i3{`w~Z9E1psB;H={S}c*bQE`123Hn_iT}|5n7O|F?=@MOl)dr+V-l z>}V8I6yzDgP7F~iD?(h z-n502MWIlBZ>>+UCD||DN&yc+&-;_zyJe!T!~JTBhTLN|D70WPm%riejQvozUcJj{ zw2RBJK;Q{$yI|NaiXiD@VfUwpWr^5i`d&%Q)ktj4mD)NtpndR~Sg69ytIE!;T`j2a zB|2x)7*YQT0ih6I&hSL*!1H5Zka3Z0(vxG@=Qk?3ufvC35zZ477LyGHi)jd>1lb($ z_7bawEWpEI)7Ju)MIZ4|b@Hoey!B2FUhkgz{z8g*kWh~aSVL4j&D&l%9Vmy*)%x?< zwDJm;)X!N~?duP&XJ7p3d)$w+s1m98vTh_&-TwdiVFn=f2nk{qS@gm~dYR4?UJN%= zQ#3JCjLYP`5lhLAN1PCI!G+Cg|JC_cM^O=#0^J&oY;a(i?0A`HGtk|koz0DYC;V+o zF3?j^U!M?tHADL_30vN*hCiEc z=b(3zu=m*ud0%Y@DljA8$!Q@#BJk`4?|2dl|%6n7d`K=yT9juXZ+s!sH&}xm?xnJ^#_0 zi#Bq(zA-2mL0DBqg~G`~gbD1#qCLs9dqOu<9$C@9 zI$YtPr1U|E@QMBr_2m&-ybzjHi!+LV@E+%l~-C4+WS?l-r6Uqk1Nb<+P89amMMTv?FgaWN~TU7V(WbfAW&t_oMEy z2=_sA=3xu`7z5q1zrh{(o9hO|EQ)^C_61=10>X3-+IUoRtDkeNqcH3@z|2qRcrQkF z!d>&{s;J)a{JYkEs**{wbM1!W;(yrxZpfsHEcF^C@m?ba_5n;0ym!WSo$AI^Rh&w{ zS7<2f^ZgEDM6GTyVeW2QGk>6YpjdtU!OWIsC;~%(Ti?~q@ z8d+A(Z*@$XQWIJv^PPR5&_kOUN{dL9Ws}Hle`uB8H+klqi1B*eJ0kqB+8P`q8yp;R z0XB{%sj(oW2+6$=CbuxjDTHMuDgIIBqImG0QR?&}5cG~of)=Z?LLK$$bxJzolVk1- zm?(1*iK;$6l_K9Kb2(|8f=8Vkn78+rsosKc?fGXPRrxNi=gf8~F-L=f8CQLHRJEf( z5wtm+nXSgoi8Su0f-)m45JP8- zWm?O=wgLS!cZUc)=G6@J=1xmk=AT5baA4mR3_b@fj(7a^uIaWT<%AF#k5oybpIsZ| 
z8E}{VE8@jXjut#QyKmJx$0=L|9`5WXZkJThunX~Jp^3*`$rqiAiXsfZ+#Pmz61`w* zl{BJ*jvu0Fh&E0U8qj%3m7o_pvSGz4_U7tUQ_3x)NHw*yf{W%((~~bTsj5`vCK)RB zFS6#Nz&xwifv0)4s_+M8UQR(3J#u%xDz_G|RqnG|mM;f>`2xB%y7t|`=6s_!`owmu z%APC^Sx|W?XP8}nJyzGWVGD2zfk5ZTdoTkdR#FXsu{|;-f)mJ=FgNui1V`oE6S*p= zS%hti^~dM@Essp2e6&D)V{fH*+aY{5?vQltJX{Y^NnjEM2E? zxd-M8Mw_(TYugcdfYoA~((XIFcF(((q$@gQXb0bTDIq^rVMmU5+HXTiW9)ze%T+=C7ZC3s&nRe7@!$a) zDIMnVZj;HKFv=eG8+?Ou*HyVD8W$uR>Z{!vTNE|2t`lz2SBFJ6M|%U1(9?6NN$Z??Q|z3rW*61=s4gwD=x3 z5@0#j_X^U)tfVeae(q08>T0(`6(fX*Ih`H1!dQVn7dAmnLZbAg;JYS2N!AVT*iv*% zLeQD{+L6?}eNC(z2wJzSiSCUpLPpO{Rx2r@YQLjWa~* z1w@r>hIfi*+p|vV)qGIJ^@hL;$c^NG`7bX@z^s~xm7G29to|3dl#E8jo*KVbR!b`y zDgmmLXuNV{f9gC3zR66y`%%3Gj#=btJWG`uy%N6`-($%uW?;zh5TBB>U3A4@?RmH~ zEguIpUa`h5OkmBs@Gw}W-hCo4U4TcjCRNYE-Zsu=_fW3b;N|?uN)28-J5&WJci6Pq z!KNnYeh&J2r6W?6jxZ+X$Dn1vIcGABCIU_jz0-xNEniDZEqb5{;o%9yB=TPGH;*t0 z@)bf>-!<75amn7wnmjt2G{g5AEGL-Py0bKwo>8SLXFhy;>0w}B0Uh8b$wYGB>UWT6 zBl+TCOoqw&&6A92g5|K!n!EvuRu?E{s^P9u=cuP6UZEF7r%l-FR;O3vLGP?b0kZmy zlQrl(ElCl3t;2BMSN&w>xBZ}l2&&U2ubj>opS8+3r3&xk@ba6J-fnvG8G9zv*_pYu z7mq1QVCA8~W8M|>6D2b(Tu9!`<3Iywpc9~y4Q_0_VDV!*wx%yug}TKk6H>=AmscE^ zQ{6?9ZZVTpIr{zIo+jEktFA&|@e$K2bDhyPAAnU=m!OYdtb`KjY>0ie*wA2oMZT$4 zDX*f3lQYsiapl_wyUcf9JfKUP;AhM*#m(#peNyO^e9tROcrtJg4$-V{C@^SRYGzH$ zeb}P&qi{6y_hK=P(oyw;zr?8rzq#dk)A1IGA|GJAy;@P+m5w;e9ViaQhLf*a-ecOpFeG>9Ng9XBOVY`wT*i#v_DL5P zG!0wp)3vbUcFZ>di1$vvXMzdOLuSdIvVX@l6D}>F{TE(mX$`BUslk79H7#@BN_ZU< z-D7@MaM;1RgwUuZCN%;+lDkQTlHsq$Iq8y>e%JMRUE42C_8!1+M=Em2nc^*zE=1&u zvof@Sulckbyp;`b^12-yl?FTgEo2M-#g=4F|D&35`Kk_B+hzycFxlKr`KyM z1+Hn??TqiDg#Rqbw=Qti)#U}J7-7s33RLaPCoJrieC7=EQd)r1C!})x4EauDK*x=3 z*^75iYWtd}SKAz4y7@w(u@8_iZxFA=wg<1vPqUQ8c5_tOYhqxxdPD&&IS`AYCG9;Y zC0CM~7e${G%--CXw$MYS@s;#srEy>^%NuP@vfC%3u-k;gyPP7qx7(&Go9zaNATHvs z_KGP`dvPPa2LNIsA@?K?eVmT0n)v8?dg2l4iya1cbT9Xw?jg@x)k>Piy@r@J9 z^azCvQHHrDkGc-3VsotVS0jz}Y2d3?2e?i3`c()lfKc>XlF9%E#W*gZl$be%&`8v0XZaS$wtJU=#@{Q-CJ*-SeZgf=J0>y1FXLM2;$}jfxuEj;HHt{C{%R0*i#WXzsbr< 
z-|w>+i{y?vw;Ic~l4|&G1rrwjPk3~8ngz6>IcT@_A_52-Rc3onrgI`PVUOeS#N==< z2};kfY?%3Kdapk1svSK+8EYiEzZ?NaZE!ig8qG$J6*nYNdD!R7Z!n9b;BDFao zbp~0oS2Up+vSe@_sLzUiL9#uyayuY}T%?9oL7`4w6+oA;T(P}PPLpxQ2MrFcPXC4a zH%1nxE?dSo?&gU7~jYeX(@CC9FuQWUglfle&IU_ zR)Syxu_tGR^?SGIa^}Qu9)CA>WvI02+4C=)|BB7?iL>iJ)-O6pwR|WF#=0b_F(Wuh zg}&9gL@pcR*=}k10%o9Qv~<+X3%d5S$4mP_@Z)S(%_DRBo>XXO@AIFcPJb&#>Cf7f zjaSpkl}10>qd5eD3?;1v+w>NF{bSQS+L`nzBOjAMJzY_?&6(6NU4aE|nhV}A*@2a? z{?^|s8hle#&KqY$?aua!q9l7l9T>pI_2eVp09UglksdKS&mK2Miak{(Nj@jJRFa>P z^zljv%}*QR>{GI#4tH4#U-Lv%abKaA2AZ$3d>M|Qks<(ieUdnCl)5Ynx8P+%5Q;DS zxI$Ufcb@d{vvhb!9NZA$xtY?*0>{yf37&yr4vjdmoNi?_&W@Fz<~6RMg)%X7CBVg%~q z*8V*C{Ny`0ySk#u<<+C1*S?Xc*s7h5@K`Krx11GmpKU& zi1(To=DNmeFu$I0=ZG&qiQg*7@rx*%!ARbw10W(1c&ywjxYAmE`g>IJC@#^$&ZB*715U5S|Jt5vH^;4McwBmS^9F=Eg01P&H>RWlmR2F(Wytl5yjcV)uW{eCH*qb!zXlt-z)F^6rcL1!~~Zo3fc@0{5~YZ2qZ* zNAyi=78raie5yd3RJb2$<)rn-N9Gs#Q0!tl(wawcnnXkiWwN?e4EoLA*{QbGMT27n zUe{Cy4wi}}_L<*=O|(o{q}PxS7j}S9BTbS&w&3E~C5x;&v+FsC6Cp{Rf4O;Vmvf*- z+yhxUap9bw{OacwFuAJzQ?YZsLJc@oM)(oi-<=8|Oq#w-XD$NQ>1h83vIeYgcUkMC zDJ36&CHDTp0dC72 zvCrnNuWl16$4$FOq!KwETN|7j+W4$xDcq~CPD?#i-uhK5B2(_3nNgPGYp}Dss5dw> zSF~4_AAibqLHeo_3wD&K0h^JIqaS3QYJc-np61Y!In2Py+3&vLZ{R?Vz3f6ld9Tem zXvdMbWjN7(f3tv)3J1CfOYTs|BdZsSv5iucjazTTYFDKGlmyE4kgpKE-l{QDCY23Q z;Mf{3Rkrf#fitv!xh~g_VfQ~)PjcpkQ@$vU(2gk8Xe^iaX%Jih{B1R{q?uDw18Jix ztN8(EWf;3Chmd{t%L`i2rQX+Ll`*|I>22xv3$!9WE6?2_tp=L)O-@5YY<2n>Dx%!7 zM9&AMM$9H#c?Y6PM*dq14tt}f6S9!Gz&_>v1dqSN4&53}Bwug8%+ck8lDV@aQIqch zcdvDbv_@DZF4Xn{!KkjiC}nV$Bqjt8M6r(Tsmgd^MVqDvN>#Ekno$~zl-8@lX`>u# ztvUJ^lX!a-yToEk8vH+$y?0Pk(bqN_MMb5Fh#)O0ARVN)KvV<-ln4k&jfhHuB$N;!gnNGP%=^vve&3xtbN>j#OonsL-t2w$TF>*W zXTd+3FBKG8OiS$YF<70u-*84@@!e*W-~H1N0WY3&1M;r8B7#W%I+RmgoHEsE>XfS( z(V*&Q`|_fu`22%bx%WJ|iLKYUKhgowq_iFB3C^)RvzMF>BZaG2y@bbavSB>0)AS7^ zjT*+bytdRc<(!oIq2}KTB%O*pH@T;~~I8Khoga zm!&E35#6;Hb`t!zxvR_B@BD5#Fr6RxC=L@Mxwh1em%=AK`{1VNy4q}8cq*6f_dfJp zAqXGjR(%{>;C&)F=g1l!Q?|z<+eY8vwuW@segR!scZ)^ZSe-yT*OkwUWg^u|0YeXgPEv@!qgk 
z`qNE*V&JSm*MzfV)VarIEygd;oRL_KEu#NJeMDkw!-f-lX$m!?FkpZY%HCESRNwsx z$SZ4A4hr=-9@JM@#-gcCrBq=`1qrO6W-h`*udHF!qe`az>eTCtCa!(e`rT`Jr$+u*R`RA;8Xa{ZUT~ll3`=}VACstQDP?@c?j_R>Tec4NtnNQK^99=~=sZ06VPsV1Izh=_Qb`f| zyjW9bQdq^IOl`|f!Y0Tw2sOGbO;D*>Uh+1rH>^pO89IL$dc^>#@7MDGi#h;KS+&DC z_R@in8Yoi=wtdBDEzi^`g!?%E;iX%HQ)I&L)f)A^wjs;CAG;MiP2-A-j(Xi?*?)%F z1@)=r7?T6gn!xIuja66sK-A$thXwrN)Y|yC!YZy$RPE;Aq}H1Cm6c%^@7}}scLYnd z0C3yo9bKU;kipS^D571Od1=~qXh-F5etCo>6WU3xN7|W{z1um7O50H7F5^zWF13eh zqRBVR-5YWO)G;Q2zg&!tmZZqaKJ0Yl(FugcQ%q{6g=K?K6Ga*<-ub5j$Ms}`bpb05 z6cCUP;ohQYl!wSBBJ_&&BG=UU0%4;~g6l@B{+8oEEHzv(;ux2ndJWM}7fX2-yIjq8 z;glBx94C-LZ4m8g-T_D@|B54Xv@FpAiE4ogMzNhncRII*B@_ z`$N(d13fEni7?~|%iehbvTK8_aH^IuicIph3pLDG>3^~&rlTsq^gdFQ9Ffd9ye(FS8_md2|!t`MJS|*B37PX=*8a>;oST|v0s!gB*2VPYKOB3GRJn#z?2KL^UVQn;TgTwOs+@$ zlYrrEwbF1@UNi24`gQQ1k7#SAu!DEFRwnY&qiZzA(X)0DVK?=~f~0*;N}=s#g+cq+ zW23F{xkb;w1J+|Umy?PJ-1lFsS?^hU%L{%=Q5P9W4*kxGpEH_*D^ zHD~Bp)92kHrC5!%|JOB#=Khc24E^6D_5^IfDuU%+r4z`1k5JPe-pTTocAX-09DiKz zRb+VraX6SokORvp+hiB9nOY9$ItS-~|4!tNlRHKoH$(kFI_xT)i7SS!&6+Xz$Z&dd9WN z%6d95HH9#^P{|nmZjI%hSQJxwYxxZu_bYZ<`HAjEi~9+){g;zm>Pm~8ooyXIn{ujr zO2{xFH)R#)(*pQxH0_;cdB+;Win|Nf{jHYbzIC!^4bx`klQkeulHAV!xgM*+H5Lv^ zfS1QS34kLP zP*|YK;Cf*_RS}a?8szN6oGGiPR&V$EPtKbmAcN=j{6d-A{LVu@MJ7fo(WnI7Lp1hq zJx^zSVz!*Cj4L)NuSB^-Ov9YGS&C~kv63MudJ8SLhypbG2?(@&y|xQf~Jx627E5C6va8^j|1Vc^Mie{p_V&iF}_^8OpVB_x^V^ZJlwwnZ`Kr+&Ux^ zRfZH7{rzPl7^!~P>+|lp3QP)irWf|Pb1BHa|C3J_XTJO@OwS=pB+tGeCbGdLUnYL^ zl0O$A#?ebq_?`~BuBjALkrFM4uEbd;aT5+)?Patvdloj+NsC(>cRe5b5 zTaQ!o&>UI3uI=^Bq4F+U;t2EFse$o`@gjYL5C0MaZtd@GUX)32mH=4$49sV*5yKi6 z^vD%Na>TdwnvyUL=R$KG_v;2@)nA49_BcMm6iX=x!yr}5VU(xyU5J#^H;abL-_$N> zL*jbkoDtXn$(MbNsIo@76w8M3!T#Jj3wW5i^r$?ynmWjhEcP8Qmdsh0w-x@~9&qu9 zh`+a(r=(=l#p~D<4$MojQPNFnhpPZ)M{ISmQ~kitii#A6+?JN<$bwY*ka&Z=lB=#* zF$wEZ&FSENe@WBgP)+-6rnLoYu4}_vT2&(qHigHTwBeURr{PlEHJ9CMu9dNaB|@0W zv2si+cEo)3vYdJJ0^)N)V)2cXS5qJVwETH(%Wl|i5L#Q93{WvvO(fw*8?oMzE1p2O zwHS#x%Kf{8HRrgO+O0Wtuj8z2@gJJ+66-V#^XNt~>LtUsjSc^Hox0O~t3=*m^i8xt 
zy2W}8%0{V2M4{$#Ove~Y~t^B~~CBc)kP9hzKIte=5D zF!z!DR-V|7WTe{6AFFd82ehUwMcB%oja)YvDXfX;zIMuN^tAf`d*9ednSPbus*aA2 z{=XiXkg8pxVi| zXbOy6?|^~ie|?}=XhZPrr&RFJa{=QU1iN2{Kb*jJ0ucn_+M#6dxXdS+W|*!jA@=?PcWCQ27M7UUZzSPTUh<>BdDLibW>*x=B&S0Lvgz>3(;TvsGV7vD`|$fWu5=pvm$ML5}rhyBa~ISe7fxBOCKGN^zkjV9Hzp*TFOc zS4^vX7I6ydMzNZOltc@X^PZtgnF4sdnvl7nPm9^@s1P1>DNppNo6K zFG3f0F4h$!{!?gI)$M7J2|IIJO(vKf1?Ii;d58b7T~sl&eQr(7JFl~mvyiDv&quwU zKh1#1=qNo_IfcAxx;**Uj>k*WU}hCu*Lh^gYst!saxXQ_)%R)1QtL&z;OcBJS_6g0 zpnYDdckn45An!Pb6$QLNzU4^sPZ|CidpL{x^wQ*C9Wm&Fh}1u)#U3&=|4p=o!83jI$`U6cLcddeYy-1v(x&2px5-6qT0H$p4j#EdS)a> zemjjs zQ8JVkQer!ltHDX=<6bv^q^4$AfB&d+SpQjpe1q8EFEaK75-r)U@+)=Ol!(d{=|?4{ zXC^uWt&a_K6bM@iQ$L3UgPa?JvaZHFs4doY5R;5tojJzxr5*(U-F?1Mw8q!XyJ;%m z>IZlJWye`|QuyzwV~!_{LtEkRcPBdfLfcv-#|30I4Vll+$L@tJWXD3!HQkmEkEA-| z5bQN^&V-xqH!<1`HQ|p&X9X{EnQ>m@pFRgLcl_bJCh+Rl0G5BDJe?F}LR2rxUp2HJ zvG*5j%2vy{b6v;Q`?bbSh4kAy+&_Gm#~Z}!>7&wmf1ruOkvSLcxmY%oZ40lK)_Kp4 zk9pNuq1T3^P=@Sm%MPX1M|1xM?j1KZ-S91h##xIH{{{<=v$e&XEhO-|E?%{}-MM@l z*qq#Na>?{7+roz6m!ksD&P#=uBf{kCQOq5FI0o+Y(o9heXAk8k*pE9mm<`^vOS-2% z_vnNjk>69giOma^KEYyfcS)Mr?Lqgjv)6|8KEr>``?i*9fwJ zB_#PhpGtDb|CdY<49eQX=-C!}cnL;ks+0^@>Tlg&tcmXqG{;BnP47x<=`oN zCLEcn;jH`ebU?a;xm9WQ07V-L|#+p zpgP5Fb-1sn3s+L&zFAnbspxpnlPy^|jqM)N@h3#poDp7zvG)79m?0TVrOH0GDJ)!! zPlfQLo~{IZL?iV$F;J(}9$rQN{`!cQ-i!*b zh6%d5A$A;xxA+`g`Wg6lQELxAqs%@M=s{A92)<4m#xB420zkd9HE()H*sz3p!0OAI z8Y4H`vo~L1>y1Bh(y=dOGgDtGwt<>Wpq)&V7{zMtDwfhI3<;&+s+Z}nb;`!dT7Mz! 
z;Dy>)c);rj5%s^|%itY#g?YyX0SaaAkm~B^7d+qD_9|EcA+;a*UG?3qX;Nq5gkN}D zt+gl9PlgdGx~7ljj0*?;xeb4BDqO9_4mYC5EOKUo$L4rocJn|qHasK{idy4i0Ue6Q zxq0Ca2RE(9ujdLp@8{?D6GzMr@c1u<6P{Ioj#M?R(1@B(8Y~giM@5!*OZBci=l2n; z7ZqRB=Kcr>33y{wAasG6q`dj%&fZd2R_bHoa+KT_mw&K-6QE=&M zh^3@2ufJ`-x(XFkZG_equaL1W@z8LX5bo%%O`bjJ&x`GwoYVcwDc;v#95ELOP-^w9 z%rh++`9nR6?!ukm-op)C4su)S4p^U{a)JbN17LDfCg#zX9Zc& z@tun)yMyK9&EeS{Q(|0r*18^tFt1H*Pz%U}zVwFv#iSu=L(ObxC$(1t2Bgl);-~AE z8aPr?F}Lva+VI;?=ft4Zzw^C2^oSe__d)9#Grs_ZRKCWqYt@DhY1N6cNfxCJ^nY`H z0B&s+UEj9SR$-=i#9MRkm{NEMRS18KFmHbU;2DC=x{bH+bKmgO5A=cG8zJ!(Bg!a~ zLhi{|=n}kJ`Oo6+Zh_pL%XC(|)NZuz#=baySRN~WAsG@L)=58a%!870b)vU>(DYAR^+UqdBx=7(_UFWerVt(=q)E|NsJ)p{?mzmpt8$N? z@9PcbCs;u(h|?7k$0dJ!V1lm>crR@FKXdPNENah=$+{Yc`%G~rcHJNK1TF#yZz;5d zhGnwAsJyZ%_nG(bcy>2+&<(UPeUiXWSbM{`9me7XA_Fpd$c+!^|_ll01EF93a z#{IR=Z`i>dHkICNuQy9nPw50;juA%3MPOoy`mN4Hk+#LfyxD1s@|Zv3j!KUaHL3pf zOSInLMe_Mqn!T4k5YA34+{y%wjKC@?({MSdF#ou4FDDe^TCfQ5xV*6(xw0buDBeu<^p=qa%keHOF^ zX$0RNPg2#OINKFWS+_`qH7L90&7`+$ntoBK3b6W_^C#aq0U5|g?dv93fkhfa16m8Yk6VJwvC9%Ww`PSqdJ8mUbdO=04 z8mBCN%9lk)297S5W?0lvjKSiXDJhz)Z%qqO?VXO3VsTOg%oRV#4P2U9@t);He@SU^ zei+3@$Lw9Hu=KqB>a<7JSyzf}n+l@s1QI(}mq2n z<^~VW%9EOa^gQ)49O6oZvpf@v(M_S+s`w`|()U`BvF9a54@Xe(_)Ot87OnoLzQr50 z`9<`?-Fr!?D)pP29gHv4U#%e=sv8m?-D*gzo{2$D){sAdmM~39_WnW<4LZfXs5>Ni z4B4e9-*E>$_Pyd!vU7#9=w~7Lbsk1fJXnOG(MtrhTLH8%ajN|%#ryDl)#|Iew?7p8 z?dHb)WGFhrmLU_;F9y~!k^<&^T6xVHOo>OWvyx*l8!k9G&|36Y_0hR(ei6RsAN3C| z{(B4kwtRiZGWBhf%F~r*hTz-w{%ejLARrzSTHofwX#f23ca%Vkh~)YHO@(5rXhp5n zLyuAbrocW@AoVPROYckP&!lY804*-7&8o?ZvA5)&80$6+TW;>VU}6%Q)76Z~)|4-J zRFuCfC{?43AV*4sfvR5l7Ezo-J$;fh-;Xlgn&m~huc>!7gf(@E|8C&3jdm;Q*0=5}6}vTR zo~YvmK0JRSpR8@>YzF7?Ebc}!@PmF`ws zB)nR_nGJE%TvLd;^CUWKo?6>25O#3Ks&l@ad`lmcinJi7F1O+B+V$eXX9b916~vt` z>EA9lhrI$>0k<5V+cCua%vzTxr@wyEXY$If93XJy(+07~k9I$XQB`8c43Aa3HZ#9n zk?EX&q3}5Vy#{KGDKP!JBlMCTXc+h*kSh^?EA{KD`Qhr${TSR-gkV^J2k!)9;J_FC zhavQ67YjGk0GbSXkaPERwVRddwPN+6ra<0f z6ikeihu@D1hB}xij@PAzQ^`lhEgDQ%4W&@5+IM|LnfR=)%VybZ&D0 
z)w<5GKB{<~aiu!t@yE8z1J$PWu6}s5DabvXrLsx=o?{R0wO0IfOBrV46i~R%rU3WH zyxsw@F6#OHStpSCF8^H+n*j4;g%b!jIxY@=+3W4F!>q!nq#UtVZtE~{zKDV=)$91vo3iLvd(aQHN{1T*|6x@4>Q<>X#I_2a|C-u-CzB-1(Mj}$82n!nw~_?>A|Xg$!d9dyawYD}O6Mbno~H2-!RZ(*A?B z@L`T_0o_`ozy`YzEjFy_Cn^zmF>oM^jXQpye*zgA#LQj|zDVqh!DX@;gNm;b3q;xd zeG_kgwG0pTcQ5Ss{|u|V)f2PP^5xk>Mf6=?j`UuMKT5qY9>Y_@gBdr}?XHJhw zoA88&WO0%tQ{C}mESDU&DZq2=?7#jp8?L!7_wz9gKhnv!y%Mj75kj6cyd*kG2(`I6 z`acQg58HfnPeMgaw%yzji}2hQ5q);C%lFJPQYX&ZZmi_Zj)lgW?H63eaVFNMy0|Pr zwr2%pH3qkqi%@ zU`?9ws_93)E8=-+&MN2URTrN~(SH1ZT)xAvCL4)hF_au0S&EFc4gXgAb!t7=UrJ4G zyJ_91|66&bCIxWE!y_5y`_yr;19@dn%H}Ih2>;L2XKG0qECt@sOX^Gxvkb(srQ8Vo ztAwjhhn>~~ln9wofUVGrjd?ydh2=tbT{%%*NeBBFq1d*O;){lUW#dysV?TiYt!<`8yTccwDK$yUsh{N0dv;Jxg$X)^WJakeY%ro)0sbG?dw zbo<9lBhSi(;>W%Wn+_ggmOVwA!D=jmxlPd|#f|g}BLcsO{dJgBgOI3z9|bS?DHcq=ioeuD1a3SebdoilNF8Q>eRxHwysIQAYP=U$~ zA&qH3_X(teo+{_lc5K_hadmLWz|Ir%&htAo2Lzf;dRb-75XUeWdJAxEzj&53~m7IAMy`2y)08 z{)b}tfzVyoGgMs?M|c&JevqB+@Fuoj6*&4}?C?e1^tBY{EGLT%Qib|I{w#ueYa&SW zDQ+b!+UlLvN*9&CFtlffNrCgC>a_ z;_6;7-L)*BEA(^v%qNB0cddU7XbfT+Q33Si4@Ef@_HpaCpSs z$;2L3%|E#JYF<|H5LPtw^mt@r?w$Mu^&UkJcLIsHTHwWPz_cB${mtTSrO;O)N_YiT zdc4Vql1fx;hXc&kdf^|}{FUI6Ij_Sn!dG**AJc5J(0kITRJ)QW8Tlq`5|~%a z35zDYqqXoJG+61-k;NZ|X&vWEDe!T1yD#m~tNQs54cL@@n}_<^=`@EsPS|ax+zjd07RO2bWW-QL_a&~d$C;CB0SO8;$NE}oL) zDd)|ZDx}ZB#D0Ciw{k-6uQ1J&3y&Wpi1hr7|8#e^!%wPx4y&p`M1Fah|9P+Pshf$= zal7_$4KIK=5~IW;W!6=iqhVKTg4r5J(cI^4o+ms#*x+wjj^<(K&r(wEa|~1j`9`Ua z!`gC}fL_KGgIH~4iu%MHOLV>%)UYo*%1Yl!SAxjkoQNrW2Isy5F3IlDy=fa3#BZQ`*Z!&njqiDIZ4OL+>G}Z~x1-&GP z3_pCBT8Ex?uO5D0&B$1py;-scw+?9(Au%@Q+rJ!b99wM8wO~#?*ETWQvHUc=e{2fT z6xCPLjN5^;z~{f7Kz2aReF~IvOqq6#k%g#N6z+=8o^{KiQ}}uhbvM!ZH!61h_W&sE zcxk%$AB=RJqCvZ#1Sf1AOWp;8tAXt2i8ix*fO!@du?e-n`Gg(Tfb3I~|YWpT7CWha5TYT{}9Y69v;5;y&Jq%7 zK!lFKnXW1%1{F|Tu+6D%F-USnAE z09z&T$U91VC^pIdAGNU@>lOPVH81|*QRu7$Z?Mlv!L0B``?EEhwE&Lq4JaBi8S|yj zzyt)NjtC|aGT6?g1;Z4BGv4m^`(*#iytTul4avCF+SC9KYjJulW zCb!y9FNA2SRG8K>{q@?m(SHY}o0+r(q?TIg8(+|S;gMtt`l5Aps)Xg)6=A`rtZi;U zTdX@h^_-Nj3h- 
z&w1h-(O~qwz9Y?-rDOK>agzg@J$tuH3rX4Sajew4HG??J9<-(-_i17JvnJra`+>sh zzR^E}dcLy6t*7QG>3(@ggzYzTglz!bl@#ofLhOSHFUI`SEEQ$lO`Md@skXd!HeZBg z)Ll^?$GF1365d%cOUYAlfum1+T^zj}x92u$oYtwRKJRIFa!QhIfEO5edOR_$ruEHL z9&dH5QuP9Sa@H{B>X|vSGl2Pk)0r%*j~fibiquO0jtrqkupAiLqn^P z+7Efcsyb$&S4_(T`6viHr@By}S_6qA1g%7s|K?<3z#U_x_sMKJuP4uC`B5wudckOEOO*N{T;#!T`?L!XFYvV(93pSGsIVprKYF+^OJ;?S;@@{KSxm!;X^)>cT# zSKWL0?%(FUAs3ed0R!TGhc&&P4+$FP6>~~b_Fr|ejl_>cUhge~?A8?MHQh!PqdNWE zN4LiIOb;eR4Uz-}own;Omse0hLjYKvdua`*Y+R1YCB}Vpg&`DbnaYwguF6)XO9_5i zVm;F<@+J>Jq_QtuqG((FBC*-C+Sh$ZTk9EANJ;t0opXH+2oraiR*io3qjl-?L)((# zCy2@FtkQz={VA*7;;>R3%^vvGZ{4}oFvNWGCEr`yst8tl^OSd9H@6nTfQrjCle zeXx%Lj`M>#k4xs}XW~L&Ld%Z+aUssGlFn5Uik=ulTM4o6dbLwyv4}=Hq+HHD^hKWr z#~pK16U!0;F#XM@NJ-zy)>&n3BXCF)iGjgOe33@!kH$Tx8ifqPPh04%@Len{K6#b{4rXtPr(sI8$V4Y_xg3cy~e#g`#{&-MESdh`-2l(DSVNBc*GwM*MBT2n0d@ps` z*T;lNt+{A^WlX%F+5wcGt3s?S zVcjR26rpzlIpYVF=Gn=b5FuS$pWlxO=9_kUnss^DC772|-npg}7q--#ZW!|TU0pX% zf33DrH{+e(3j&xJ@mZ)v%GE1Hf>-lI1Tt(z1cv>0UXM6yb|6h+(V?k7jd>F4oNw(p zIACX>7EK>X{=&J93#oTsp7H|3_KaxfZBHQbm9+WnBLJD~byy5Ohx7>~ZSn--hB$8i z$}*;VpxV*=GrJvBq`x6?w8w?aDuRrlV#E``aW!owC*|hB*)Qi!`k%V2oELBNW)@qU z`jDXKXCeaoV)j5sVH4}#(iP}$+Mk9Y+%2J=9nBdImRn()T;24x0DPC*$OGzMJY`$b zSieZ*cgjKs5;OB7hk52+L|7E}nFV+7-TFmooChMgwmKNfY&+A8m$OTzb)H3?A)eZ{ zuxQUepLp)RP{u*%Tl$dNqi3`(*CTzTFY@sSRRbD^mJk%G&cYG?HU%}*2U~OUltZKE zBe>-Ww6l}~981JF0Cys0M|d`0x_8cEgF}bEi*`s?%fcT9*%m9#%hH+q@uqVe1}8@! 
zr-3O?OBuAqT>U#t%_nEZ+{z)9zzt6ryb&EVd|vh15A8sctyT~oC8Eedl@yPBCkfkc zcMB1Y^1V+XzMBQi=8KQBbn7=E**H4+HP0tIs!sz;_SJ!hqw1`|W2yduSXN34&abNW z)9=Gl2WzVnNQ%~lixtjH(L43(2TP48asUOI4<@IKa$EEcikIiaCHFZ@DbZDxr(6p`^kR>Lts&I8t#+qw924R~Fw6LXPtQ@*5M~E2J5cYH(p?5e|POH(ch$eQ?2Q~ z*sUNZWKSbt%uX#GKbHf#+t8zF-Pzj)Xz0;d9gyPAK{Yq<;#t5ZPCmLLCYZLmtW5bf z$uCZLZeP1kvP!1gbkr7xJ;JA;^?B%|EKL_s$OEx}V)(A7Jh>@-LB6797&arxUEe3T z!j6>vJJF+L^Q)TW%&R6@nN&%M`lnh^MpR({bC}#3Bc57Lemy z=NmY`#>(47?klU>emou!_%!S3VyyGcS^IJY^zgNRr_HWtv8QIwyjzs&Y2XX0FlvWh zE)UdrJ=AN%C<`MF2o#Hbnl%6|8`r`SXbtsWz^QxHs9{L zRFo;%V3z%76hZNP{BiLsuXtAenA0JI#W23m7`S7ZtNoutu*+ZOd8;WW34h=OVy!h^ zK%(m$mL5%QO*2UZ1gBKiQn*gHc&1*wAKOFesrh?hA&(2(1`g%Eg+1GS4T3pc;w@=T zW$?CD_CMIW-m`g&%KQS%v_0lL(!C|}?6$DyRDe{KcyZG;9`?%uPB+v}z1n^!M3)fc zfGuh#k5wI&UaRuGj9pE0_yCy7h{^r!>AW)&_9QSqT z!V!!fH8@$6sjM+1Uz3J`fj7NUSDw_8s94!8S|_V~UvgiA#oyo;gFhv4V{f#PjvKj@ zT8}FrJ5B4ZcB=T5-zS$Xx%WXQv|su54RUwK%k}0;&pr?j2E*$b z;8-ZK0pEPD6{rVuxQo=d<%e@LEv0M{7+CAt{7;QcZOLjdH;9q076DU;t>_$u2`RAo}^Ms9z9UHULK(&8FQnFuEs;NwmOvW(NNPOR2h9$qaY$EmD&dAK#X zovQvc<=b_Q{T*&DE=veBi3txQ1ow)wzW+31skx+c#jXSrY^Wx~EXrfG33%W+s{XmJ zxX^kqb>Ao-$z)ftRfH42^>u+x>3vQzQ+?3_(lWRQ45K_J0QPMeLX<;t>9mnlB;%WVM) zu>p_tjE>IswNI-|WzN2Avu#cn4?KKTPPMKWguj$J6KG4xDU|6d_sv;I5PWuSDvvW# z-e}s@F6kIi5d0!AkaCPiV#PYhO*cqf=92?Xj@2n-@~ITzBx&Gzo4b&^Z9-6}7o5HM zwG=n?1#v5M_fhcNBL#EDQYF^TF2YaoVDkoC#F@8Gi7M3&Z)AtbL*sM&Z43?31N>hE zo||RXRr2Y;jsB;qYKp2+24aFgt;@6R3c`(%KUYbgah8lPP9ubh_feN9jUb*bSaS^c zOVPsijMdp-a1!%>E3ir^K3^%>mZU3CVq`(jnlx`Ke&+A<8*2lDEGX*?489C7u%;jM zL@`rLA5{(IMZ6CD;FWM49+XV~SE$yd7WK7P7QV4&oDeRXoKo)v`jo{D$iNBTwRn4q z1RQo0U8AfmEUKq=g@~C=0NUv*whPZtA24HPx<6vxX>ehHlb7}jde=n0mjHh>v?b|f zb|Xsv!RP*wg;#&yoLBQ0;RSWgTM^mNDwgmv!3?1zq?t8SKJ)2LU^Q>2W<@4Ac^efQ zEa)4K*ZL|jCYko2CU~ib=cBD!HOgc2P0)JLsf6dU7Xlok5?Cy-z}y>Jd|SG^7K3p3 zSTWqmK+JreHebF2(y`>k`chQAq7(; zU29Um`%TkNh3OnXexWwllWa+B!VkxXdqM7{ci(eQS%$LZ&vV$XZ39ofBC zW!0@lFq$xPzE*oFV$^IUxo__L&xAWd^yNXarHd@%f_`IJL1s!HGN5drj;eF6)FXFB 
zJJ-r$at(N$U7NPXFW?yT8;(-iRTIMvL||E>z>ZwHG)cWLQiTF#qh(FX+DD8^T}S+! ztM8Bqsx(-A3+3Z{jfz~s_S)QMQ`{_YQD4aV2l~(~kI1iB3lCN`U$*!0=4xj}6#e!wb-}__QG}QRV=eTg^AP_F`SA%A) zSHc;9|2GIl-uM<#G|%-8_N_^$jI47Ak{6=@o}v7r%~HpLywf*MAUAcPcw zJW!F^vUQ3Vm;iG>FC+scve#e;t=h-`IQCAlmyK$RXc+FT*Y)W4cb9X%`=^W>oE??9 zEod+nt3q^A`DA<@C+Ioeq4}$7Xm5ZJghyQVO(z$m|2CxLnT5AvGY+k)>dcXPWXlJi z5@z)YA2wC%ysoXALD4>4EY~Q|1%;gXIr{a(@DM5>h4TvQLX60%rlLOzM{rht{4=Y^ zwqM!BR|`^hSUvnwCdp$#D`!E9MKj3OLC!muz45-z5I*8k0_$g%FK?80%TFNfNG^5e zz}I!vBxnZ6NR2hjPggXOzwKQi&m|7W?GvpdT#E;)*%a5Cw386#Dir>;Tw%4 zh3)e;BzOcWH^d}GxLs>gFW_^$ov70EU1k32p+N|&hFnMK0K0ZZ2P+X9n`(m!eXYk2 zouqRoEMW=>lH2{mTKN~QO;=XD&Zzkcu>&X}Ui1eF7I$jPf6GH+a}Lg z2Gdr%e>#r3C)q{iZFXiH7*#%QG!@n^X?Qj~;$)_J4Nr1U7AY|r>qZt3xD{7si-4hK zP_@{BV5iWxG@la>lrFdSb$1Db+PZtV7wC>-IL?|niYMeS{;7R_Df4SR&x?^}N7ra; zQQ}f4alnAMS>}byM0BV_(HL~^G2bh6_TxHffx891#0SRu9Gi;~9liq~FBf&F*kL7$ z8*55*4sxOK5D883-mbQqEHYkzJ-Pm6(1jNAw_p{J6;~Is2bjL^);moI5;5Tty8)HH zA4_(GOyZoXjRrHIj$KlJ{DN~tC%in@c4j29W#bfs{LCB4R#E>$jGz`m&P_BY2}P=( z@vYIRusDJ6t~c>j)Fu9@(qUR0PJUs_diLpJ9cwg11-Q5;_1>SO(+L@4{u-<=Y7(`V zAg>BU84&f0@p5SaAOC4F@pv07U2nVo_E*=)%?5P@woPY@#JDh+O^LN+4mmvpFZNBrtn+VR zn=8*lMj*lY6~j{ZTQ_}wOcYZ5uVAY9X;8S^TNf#nAd@`3Y(Hyg8E>%Y*gbn_);Unl z8Od;I{Rn}+I)=57c%9m?1z7|k=aLj5 z$DN(ar(kS2DZ;5-Ul#m+EV|4>uc?_>6oqT5Xb2mNm%3T=E9uvZGXzO`&S`p~Eaev0 zOMzU&w42y&I~@G-x;6b(XIGd?bpekeL6(j7sp-M_i>IZpsam+IIn9|_cvXCA#}x>g z0~tXp-{$74#->aXgZSdg!&%1FdL%RN*9z?VRPUQhhUZWpkI*D)+Ok>Kyy5JrAU`^l z5_hEU#A~o=KK8ISYM?rGKc)R=$Oq2f|L{$=s2q7@G?ak`rK*yUVKnv?nrO;V$8Et( zS~0$Rp6P5|^#YGU%Xa3B%yjhrs^uII2UDGof=({rHc>^Zrgf$T5m?rD4qTM zc;H~>w5?C6Q-GP`TJ~IV^U;4o5t3q8x?ZNqxazvq<<@0W3kNOZe-T=LLso#l+-te$ zU}oA#Hd~<8k*2S8kX|QOW?vSnY^uehpj%ZwE?JYPVx)UU!xBRd4H;G#1e%*8@q31s zB%HBEjnql42?Xctd6%}dJzm+?Cb2{iC}=D4-N9SGBi*<$ocg%B50$zd;94d^Zf~ zK5u1$?{;lfZ^k?IexA2~`@AKKjLf_skXTW}^J1A@s>=JUVlrBrdGta6o1h{7 zSB6D^(7ld<*h-Oe{&NVOqHxT2e!*qFT5c-^1#BXllDoA`jiVEf*|}caprZeMpuhI~ z0nD}!ogFiK22BCm+l8yM6UU1SuxlLSKHjF75umK2qfP4|dGjgz6V-cXpN`OFBxYdl z;FGSoPhL97c8ZrA_N+boS6>DXPu5 
zJirpw{1e`m&9z>DhI3A=SK5mKH|f;=owXWOpx-(#oF|mAx%M=1hNAfJ_^SjJz-8KX z0#`f{bjewhiES#&ANeaRqTHUGPw8Z>6#w$LK*O$_MIIjvJ1!6x7=xWE@?~r5%k>p% zQ7r!U)B&@7;Z;NJWqOBlPP?VotZ(%d6#$m&OwBxjFDViw6i|rcj|_#G0Sl_7Xz*?9 z6*Xb16Si<8N+fE3Soqlk!#^xP4jdO#7J^YcGOYy{>dM6u*xZbg7nok;of$93Sb=Rx zDy{_O6%)KHi`Ry|%^S;)B>Q#@6Q3OgFf`qyx|3=mU>3L-{}V`C+L4yC(9b%(APxPOnrFw=Iz=u_MXO$-S95G` zmx|^)GeTpV4pgSt=B*FfAI9bYe0jx=S+}xo)n|UP;eU!d#(q;$UUMI5^q&8rl%WRXi+~hwvskkbl|lT#7#1U zGXyFRQ=#+qQgJ?W=LvGhe6zT!K8`yLJ`E|Fy)%05F6&Di{F@1PI{cP_c0|-1BaXD( zl6|=wpGSfl6R8A_k6t#peJ|yw&##U5uikE}JKd%l;oK0PhR>nQ5Ha|o5GuTY`fQN; zz-xd7E17MFXSvWzpY8EFe=y@^2Bd@e2nw{6B!`AVd+LRs55}F_@*3ZhlaatZrm7XO*El)6Ui#sB;wmkV?$mERHd{xUka4)VH(Ax@fJ|y zXUryk9qc>ooT^~Au($8@{nHWXh16a7e<*wFfF}QjUl>G11VltSh5~|83IbA_1qcX8 zPI4;UA`OEJ15i>)r6vs$6Dg@pT0o?kjNItn$N^)%*YAFx6VH9#^FHVNv43>MuJ84Y zPfqhcdOF}n*?_`hsrwVVRiI(YJ&V{A9ECUDP$T#OsgWmL?3frb3p64Ew zM8@iP#EU6(=SJ$QyA3Bw{SIUQKm{qwGqU_h>3{OHFw#pZ^S?p`Wa{;? zgm>B8@0bM+&LtwlHR*l_T_c?lt3g7JOenCK9_VY*Q8TwZMfXvvN0ZXK^0s|^SshD( zdIeG9Ie2jJQ3L||kknom<=(6C;x~n`GVNZajU(l|n;+1D7KX8PZs_3R5~%%BM}W43 zW@&1rwq>Z@4puL{>Cn=n^LMD|YyE06SMj+IQkBa$CUsI?{A$i5oVzQ3o=&u!=?6sT zcX=vNE$c#h2j811Mr$KkRvnss8K#0yx{YqjR!p#!F5ohY{)5#%@ig=hX=^c;$-E?= z?76+Yft=KEu0C)BjdDKcL8e5y1KH{0F+b{@4V><9NUf0dV*FU7R-E&$yCr zGE$W;7_9ewXjfG-M6-pUR#)ahG=G+CU~2c|j!>Ivy#&MTG>9CM9!^JMB!>CTNM^-F zRMnB~CTPpUy)TnLV?U~(?BCP>fv4#mU7?La8Loi$lr5mr9_4k>cvb0A*k8JGZ;{LK zPeu;;HC(>*loy2l7GI13h0-39wOe-N_NK-_hF;gB=g_*x(V>|oj(W#$Xo|?&5VCiu ziVMv4Jw&ecVSQb_8RHk~Iv?B7T-4EMROrZ#He;o=0Xs$HNPsFwVUzN&7mD#^4b)N@ zEhPqL>;qSSJOEq=? 
zk^QW5pti>ZX#eNP+zvn|ByytY{@a66_@L`HrE6x6o(!x_W#Y>f&;}_?||2Lx^XgttCg+f|88RIb?`M8DqFl9&uV_VBFyOdZ-Xpl+4zao_!3U z+@4mjzEfZhGvnN)0}o4}9z=4bF9ORzg^?C+W`QvPRn6PvAISoDm464nPTNNCh7P7_ek!wcqCxJDdgNzbO4#&2R117^ z?#$6*)*qq8d@o|fL4>D~iG)T`84d(9L_vwwV9!R4l0{MM-J-K!uG8_*!5PS4)LbM+^zPO~>z*K-NAK?BZQ#jlZaf+aynzEY@}ENo zRp3;ywDOlk37k#>e$Um(GxZ9i>5CFDSaoU%%;%l@OY5a%gw3DM?t_ten&{Bpz<2`|bbA0MouMwi@q_af7vxH= zeRVY6e|bjV zS6bv=tt)WOy7^poesOZX(EaG2ENux4rC}Gee+Z0j{c`H$H8?r6kYSaxGw&jO1syy+ zW#C@_zDRE%+2dW_(JB}N;1YG%r+b`Ag#{i7O;GYb_q9dT0PMFhKIt7F6W%+DoQj1 zoHe>#17oF{kdlTm^_wj(Udu{#y#JLm*C<)3N!N05dRHwf>QICLlD6~#4OW!m*LB1+%@Try%Qu8+x#AL5mcWLhjyvg%51#_=6Z zhsjShWqbkAoK$$utz2Gh{I#_og=*-_pZy)qC>Ggf=8Db)u_OR|dw=Q1xSRLz|CDGM zuu*dFMXhj1cUwCLHGTH&9@lBMi@Gy>9<*k@v@tAm_O=P=c{H@Ms+Hx4N#T)pez8eCJh?0ERG3Vx4>iiAp$)ShGC zsof~0goumY#}}ZazrK&l_Alxqn9sHbH3T46b3u)aFlw#P=t%YWqh9P3B0aW&492i< zjtgk;eK3AAWN?3@bS(M}ac#7~m$T585aMVuu*+)Eqm5}8tU5-yVP1_*F}rs%FWlk> zjKyDmj~T}Bl04t4xd-fp3iek^2W==!k(^T!tbUdp6N{J_rZP&5qLT7Oll*a>Hb1hj z4C;CdMICZ&|JX}YTC)X!B1$Mf1SF~dnCtrb+KDtp!M;UYuat{q&hpEW$76!ZrOv7F z%o{d4Gu=AGQP^mT<;NEzT?agkNMNF2x1EMzgid4uQEN2bsTT#mg=SpX2haANqIZsH&iJ4k|k|kL^c_m%IAixFA|TR5ez9`R?flpuVr% z;_=V=7sWQigNbq9;keGJGhve12v+QsoCL{stYX3){l}X)BXqY_XYla%ZQt| z4nqIH;uDF$8t%9jq>5+Trb%&tdmzLUjFGCY-)=<7gES|CW4$w7e6qveJA;J|(D8xK zuu;|d_cFnZg-?I!l2~QIy;2c~W9NnrVRwvSTQBoLHM#;_=wCWRL>P>;nxF&0LyL>=7tTA9(neuKRQc>@G9!y_TXQ-1HO1lkkUH1 zH_?#)ODDmH02z%(jGMch6b4Y;rwJAxFBJgu44^=1&ILwTny%VBzSu|o>NX>DtP*;gV< zSRAr}7Sgv75AJtD$~2J1|MsCiKUud(QpA_5m#!Vy$w;942Ug9fVSBvfp<)2X>d_V;RZElrX zTafTZiSVi38qWX8LGX`(Agx5jBi}pErqkb9JlRXg57YnWr!YxVg~PH;un(%6CJoUv z1Z*H67$?$(*kK2+D)=DZ1X_NQxsOi*TPFdkp65FI;;}`@z{W**B7$dZunokq0j*1Na3UqK_dX5O2xASK)=>sI$`k92C53de1cwK5w{ITsN@G_CfE}gMK8m@}Wl+^0PrD8N=I=^lZ7rK{_|2tl>(W%6&)IOke`C7> zzolT?x-EujD(I0s8KwGh@>4yXzy;TBB^uuc4_Btc{ZO z;H+)&6uR9r>7V$40$(hos;TaQm*Wj^#75&XUEFg_oezXPsr>!R)?rf|RO80X3c$gE z%<4;aq(xwD`j3xk6Tngc~=XwBw^v$Rln3S&C#9()Wa`zWkAzHsKFT?@&v&%cp5)d5`Xn 
zQG$=oLEb5OEeESr(0#4^X|NHo<$tP^hmnU^hoHEkqhULsymwv&RJOz#CN4a-s__+r zI)-p2j02$6Sw=U$@2X*;L4sPX$A%?lYGVp`d1!(UA2Kh?uKS2Do)DH33_Dz3HeKEJ z|F3@9OfO9)cczdY@Lq+olZ2e5S6Vm0`RZ~o8}%ZDW(PR}z;lxe<*S28`?{YWl>dHpQe>@EB|To9{hetks9J;@sJ6Ka?V@F9E!$|ZV6z@;i*O~ zX3pJ8O*Nx>ySmsX;Bm7@os{Tx0s=4ugEnCdC34o9qt(J?Vc(=7Zd5*w+xtny9)sx7 z*`vtW&L4=FS_rqANFZsmMIWprm9EY&4;OJU^I~GLG@mGW$iMKkYJ=`QW_N3UZGh~0 zn<7FyhPMah$8KbojxQ&+=4g5H-PHEKyv}yR@uY-Rd=ket-&XA1!&wtd9njQ}TrN{C z>YSf)FU9|v?hW-W(KJd-E5kc%_!D7UjkAeM?Vr`9k#Qoi1iQM(A*j4;}$=zCof~ z%keH80nr*GtQ)U^vzjC=<_`<4BJvT2+sgbVbL-1dtAITMj~SX_e4}QcyJE(j7CkM| zFo5Y3@JQKjQPdmscv@|+u>}`D8=#CnUBjr@I&TsZqg-)I`+NI(A8>dwzk=#9w1XP=V7;PfMiOh3oPkw77>h9vKaX+?oW21~ zhPMbYHXVNq{iV7wf>A4EEr={iTct{%X-{&jKPdwV&@K&gAEdH{2C8fSRyd~EMW?zGtnEk3c4rEn28p;56UHu)4fLZpD% zpT<{Bd=#rITuQkLXGTIzP%55SSQGcuQqscerfKVv?(*!`CP3`>KV#$36f<* zLH=~QEs>SsahRn`y--2==Y|*#TshB)R#El{<oFL~LITWiML$395HRM?Z zT4a7Wd)tHsS!1J(e=hgJ|LN_u4X6TG?PW=jJ->`Pa}#kP*0D{|z0k&$CY8mef**_D zyc}^0iugzmY-h0J8{{8KJI{(4)8EZkyXUn(q?3_QQ)$(EGkLUPacFYMKBAaYTeETY z8rXK&*mM&+u@3fUc(;eR9~n~blEuLaUQ`5)aa2}KJZJfkwQOxYXF{R0Hq|I%TP)!| zzBe=Xl~-2CjV-+pesH~LAjG!=rzzfgl!k1|Ck624K8L@O>52}}cTyW~u>bvYL7Qe+ ztFEc7tY#Or>)oif_^yR0rZJMwDC3lu-k_~%g${OUD0eN3vl7(c^SxTU)ooTe?)U|( zO9SnzT14)*7_m?shJHlN;7f0*%k_5koJp%w+bqt`(Ec|1?^~e`UFyB=R7p%C!Lu0_ z1Aab-k7*o?yR)<)+7=LX>9Z9`V7oE<6DH4e1MJ#?=*(aQsm>&}Rxq2Ug?3}0@oJG% z)`fwm0Yama@zvAT6%miA`!d}x|NN{oz4rN>{In{;ptB6t>~AAKpmr}C`xY$dUWO5$ z7M5a6+wMQGP|oqV{lPm!h>77t46e@s;B^q;F!Roia6yT&c~4q(b2?rf8rYgnE|YZ( zRw_|ldUi?ws($`_;1Pal;#pF|=JraE|5_|rvJK4AR0}LdDv(EOizwI@n#hocnUg|# zWP{?C76=Q(&WYt-gU6hgyR$+sFx$H4`A3d+zL|=JxJ?ua6LGv3dmynW=1_oT+2Ysq znJU;t17efWz?x(l(RIzIMYc6kTNbql${Hoqk; zmAYzhUS;PV4-^|JTeuunpk37 zXHz7NzLVxVqof^2cSE%F-nV+cI7;k6C_Mim;r3kf?#m(Ng*nPLX|@&1NV|koBSl6i zlt>D`P&Ib`vf{0!K0jR1+myEGY!Z8yuBf8K`+I`F7or8r54O#=0tBIVGqTYZu(##L ztqBkCU|!|BOGhSN5AHY#I$ZK2@7LWrOUKjoZiZ~?#nEBb(ruFIt8_Zi1KM&urq0u` zN8LTRY~9DiWhhobhx0I&*|?f2JQou?#uZRu4-%G}Iiq 
zm%b?JabMt}4xi-GYfb+7^XGEfVN4{m8Wh6LYv?olMXzY73h=A>-LpBd?N!aGlY~df z8){<}Rzk3|23!IAL@;kb1_>wKn>{i0qd#{%fP1~{X`ov%cORd*_R*)7@Mn)5(Y!NR zh&|&W9~9UQO-Y^&F>VJ)ufWZkN2Df#y(_P)$e^HPrt90ygXB5sN`HR8L!1Hu5sjjU z@>3GVJD~tK35db9r+iB5yN4MTcE5sumdElC7P?Y5>u*E+j(&r!x){pYNRCLK738N~ z02nFlwW}&VMj!Ldku9rg(qkjIVjM6x>~GaQxi&)@7UT2UGi!A2$V;*hytB!K zS5=lVR~%ZYQF5(2p*9z{}%zJo7_}w98G}M4xHg{_1{{;$K@*KdR{4Z zSWqn@aI^GYe8KjK;cHCIAk)^cBQIljqd5^0hBt`xRR!lgc>5t}bYYL;@8d$;V+ryG zAP3HTmO$y#rA3HM1S%dQyEJtTtnA_s;2Ojqsv}yxr+WNv4t##uHpqpLew`x9@Y^I* z0jDLlm)P26Tr8o|ZDcBNmM*!r#&c5341BZzD-Ay5Evvm7bf`dgHE|A-^pGK87Ih+O(~!?SaL<2R4Wxb$*-v zp|9Pe8qRaV5@lvw7q^mp-;l392&IyS+A5>GUUXf%I1`*wXc zVhcFi=O*o|r~&HWt{miwO7PqUdrVmZO$1oR81F!E(8MV{hzML8A2d$pGS0)N*?&(N zwGX%+sXg&@8eyaZ*snCOF;KNBK+dXCVLQkSEEJO&TP>2SM(g7vcjH-I^iH*?yjSFQ zWS6TMJq4$DA)plQy|5t~KhcapJrZx6#f>W%{Rnn)R`FLV;d>QC9pLoEYE{MLL$ zZ5cVy#Q~_j7X!owY=0yFtb4Fgn$qJc?0J{-Uz>(U48t4Vaz%RbvNr!%{jFBG7g0e;E})=v zYAMM@dZjj3vQT67iB|c);AZxp5*{odcB8ay>*6*7*Nu@XqtLT`1d}0*a6oXoUws>g z+G`6^^_&b&qVw%s#O&Pdrl>9N-h1TL+0)kPWR=C%Aje3bz$$~Y0geWIexKa^VVTcY z8>B_chP(xy-{M)d*6 zXe&_)3o?)PC${P(axgpO)b~hw!_=>n^cBF7_YW{d8dMg6dUl#1#lIs6c!y+j&v#8T ztwDPVPVN$W1?2C3D|%iN!*J^9dnVrBOsj|+lSs}{>5YPL&z-SRCA$k9Tj59n5B^+6 z#tDXXlbrdl83_~Hhms(?5w27Q^o>ORD-t}OVjP5{9zO>Dl^1@kDWid-4-i^p)bK}< z3U<*4hhPW?7Cec!8G=}prv;dyUBY$*F1=I@q2Jc8v($f|i#o*3cv3lRJHde^9_cWG zl$a=}1`K~LW0BlsBXYq@x;;}|uQ=9tbB(3kbGBS_J!19{?oOVkonh;rqK z2#;@6APCA?1}Mm$ck#oUme#uUoYhq;xgeixcIn=&F1idyx*c>mR2XQ!Lc5BTAHW&n zz+f^S+YdGOSp0E)QoS(*_!^QtF$1t!eA2$-tv$v&TzuBhJN=ur!Mi1NHuy~kTnJW{>- zYU7Y>&vWZHSAR^X!YI(13{?V?(uY9q6|6B(nx;ltdnGv}!g9QU%t~%mX{o*NcF(nc~?rbfS*BpA{nqE>@&A(pJkt<4eOk86WeSZqs1z97^ z9u0FWV+4n*gBce9=2dmY_3X@G6|T1z3Ttkcci&Q>yqVWw&9hheT1ZwEveyWTq{=I` z^&N8fVyT=HAg%?%c%Lv=fc|t4gqtZ}1d#}w)}D<#Erg~CnCDYFQwMCo3&_$#mZ!a$ z^aSH+{9#m&CaoE9D#vsuP^GdmddL=qyp-pf_OJj@U1zYVYplW63NlnZ8;KYU_$dww z`OHmzJS%D*&ft4cgez3);V$0V<=hAF1ZCq{;FuN01~M|XAt1~KVuJt6)v-Fg_~Rn{ z4w<=GX_^%oLPVTdc`@Es8~_;C4VLFuIXKxo7IVsc|E>6%`8g&=x>;U^eD9r9dNq1( 
zAPBy;O>#p9P(C>mI7)%1OzR7%b+E5Nb6T3&)?w$j*Q(XWMpFS+CSt{fD&cfbxLxgl z^>Ig4@$agUTavXoYNJtylDfwkq1=>KlgRrdRA-s05t(!7z^o>yFw$dZ$szHxf%2cQ zwi)_Y+P8Ss;BP6j%@){J6xT`?Kh7P%bd@*{@i<1SMg&C|Pd*TSJ;84ESZ$msu4rk{ zT~BhWo8wJc^w|Qbipi|gGbCd9+)5ev*17N1HFJ*BL1F}_Yu~<^V z>iN&E?jYN$+G9|qIHPz_-fsL#-yk1J^`79=*=ikHOv;skyO>&;)HrwD>C`XZvo@a~ zndY8SHot-{&B<(%1%8n0B}diVN$C$r(`yH$)lM^<61s#EwQ|V(-QMT=<<_hBZxr4B z@m{$H($bjKq$VSiB6lGZkWR{nWY~fG+l#-0lJYh3Wr|@<)?k2-b-^VKzfe{RB4k$f z6b0ATKhf!FO9*z7k>MOpNzPBweA^UB7C>#_cpn?1^-CA^&uyIR>#EAcETDeX-8IzF zbK0X~Z|77~FS+O11e9pMZiA=tg}xRWb`J4%hJ2EGl)^s-uVVnzv|of{sH(^5jnYKfS7f9X*}n}Hlz?-m zRkp4EthKVG07J14b)B_~N;Hk!n-UE5ni}{FvyIus`CRQoEG&W=M1B;Z?Z~JW5K0LW z2j!3J46~k8(fT$CzHuG!-}JYJ)>*%^Vq7asW)c&ZZImpY-bkwW>YbOD;J2TB3s&zH z4c3=(n8g$|XrmJiw%kA>d*jCcn+aV8oUwEQa9P&|pO87{J5ZmyeEAU87Fr9s7sVp> zOgC=#+3u*bn4l_Or^9RNU1+*R#JV(14bGJm;H;1AI|#&-nuSM<)! zv%q_YjXGs~ik9`+ndrRlK|w2t4_8_?2;=ydE%CTvTKs{NPFmSy_zno3pT>-xGL zn{c(eCMzAQzeuu_r$8)Zd-XFg(+;Dg!3g2Bn*h*P{t_haFMf%nAzwf zaggSL+V0D4!4!diJ@0=!%_Xb)h!cqz@UgyU*jUrwo|)O0%JFgcr1X4FiW_TV1_PqN z6mBx)zFQ`0jvIJm`F`$<0b=Za}W@N+%rW8m^pcX&o^{oKe^{ z7nO%GEHw!q`v1}evWZz{3%xlH1;=)zAMz?sd*9nILD|Z*8a$rw~bS|BgyEjkn z3%{xDk*@QtzXF2KpXL(rP~6-;Pj^eotKFxo!?_ZpHsG@OF)@NH0$439exY?uZ~07v zy1X^-0qjma-*LuqwU{>%&7%4E;90i=^SIbB$KhG3?QtS@ZW+T0Mw~6?0?R%MM+!$S zz|Tnn`j8Bw)|zLxwq^I7ky!b~Td!#v+q;M~s4qBU&c=8BOB?k$l*wgZ1rp(N)T6Cd zmz#pfWnB~oj`$99TQCweWc{?-^XI>zFSKSEVp}j;6kQd)nLmb>(iaCM!g9N?f86wLEElyBBWeMa>;P&<2;&rzAp{y{H}EcA#}#S@wW$FyHP$GXWi@f@|xG0U(X8 zGtwRgtW+ZsI@Zqp@=o26`mj5f&7kj+A$d4XzE2SPmu@)pQUKxsS)njewoxO044}Ls ztM!D)5VvmDebW9R$*UUoK;-2gTrVECMkW{jfN`q%5)Ix!Z<0Dtxs;Y&1>JE7`{ORD z_Y-gMaxT(=Q>A1U%jcPK_9m|LzGDUxaJ zTQzRay>O7Pc2sDZY_m*8ev)gjH%Q;W@`(DQ`_Xi(sY2o;*+_-xYK{8go8zu^X4mgV zCW!gb1=*#=gmNV-@a>3Z*ypFzxcd4JSwjf}#aC@OEYNMV7g$%wfr{tl7}TEfD(ui& zA<#4ky>1H*7CmwztyA6cFP&}y`Wl*NCG}1?I8F`?XiO_gp@aBGzvT<3z)f|zCdLi@ z8TK@u!->Xz{JCmf%X*~L$6DRZW1xJOIq8*f$7MR1IhMqsw1YT_H(%@me%`UJe=$Cg z6=wljtkTCng*uuN5My#fE&f`aQzDd41l7$`OWYM!h=~Br6?Y@wCxjF!(c7Aj3H}@% 
zGk^;a9x6Ksb7mX=rtWXrzh1s$ZJ`^R=23XkJ3C5J@j+wT6O$Sdv(4B28 zW{>l>M3ZHGt#p~laIR6bNxq&$vz~Gx+FGbd8qmVt`$c1P+T*KT7o0hkJM5m?*F&|P zZPDHfa#S- ztluST#7%#iS-JNW}56(mSq+-oO=mBb3v_leHR* z-VHGN2XqOioIy*^bVMoOG>vCA{!TuZ>{+l9q*=ikK37{IrR1?ytnserY0tTr+I=ny zy%mX_^&{6kkeGH!yy1RRPE&abQ0(bmbF*d8L|McPw-{nPluToQo}{e)0MC%zajAre zd{TT%D5QT^*PJ+1EqHk>)ub|D)=?|C;Mrit)h=PXS!G_vxe&9q<)HlePwop-j&Hth zR=@3Aw&?@g&7yTk==DnkcLU4ewVe<}&iZXn*^LWlj1{-&>n6hF9tdOs1&xvI9AcgC ze4U^9CWtqDO75S3%q@C8IO=esmUUNPoINu4SFwuEyu%z$K3U^RM*2uT|LRy}Pn*f! z9}8b`4-aRVXkE?mpazIFg|Ri1i>$RKXzxhe{C_$1&1s7uAAiKr+O2fRd(nCz~wuH3g_=PyRh2|H3jpm60)R3(ZUGMUf&Xh)1JX zf;06d4%z`O-<3Ov^T#X3`mtk_xoOS7Iw) z;JTeQ+V7f540#n~er{TAKvUDEUrtcQ!IXN`H^dLtD>zR)dN)&lRJxNPc#@Nssuvtr zcLbwg3E}tvZ^Hf$Hl~1~yS48w%(mG`Ck!rZ8zvRWX$u{_xh|vqs3F(^6HNAxzj>^* zXG?(yefshTm~cH5LKoTSJr(S}xwp8kIxDAnZjLqVjFPgcP3eqeA z@kWDOa|Tzk*dOb;RGt|B@!@X7Nzw$^Qslddhc~CaNv&6doK)k=x^O9{dh2t5g1y!G zINX=^Xvf5@?IH0pRRSy)DR`tr>o?=(vJvy-3ox=&9I6h{8Es!5W`etA8C6KF#9Z9q zk)rV}$3r6E^`pEx32)uPPAWbxl({iHn;%q_d)AjA zfX~-?Z$em`%QaISHU|>mdAy7ubW8}jemYLeBjGyPq9E+M5Y7Ot z)JsUAcgfeq39QiHMd$0S-UDW2Hb8mrreHwgDd zu(vzPWQL#(_JS3!|NPaxH50C`{yTt?Gxz8gs47tKZ|+NPdz>_K^rsJAa z^6MY_wYBW#W8}N!{zDr?@m7WSKYrK9JX_>2 zgs>X=Xw}KUDP%HJ;4dK-+4CVm{)fWy0>w@9Tw}5Qip#ZVid8yIO1X5`13)&89>M=C zwhV_qz6!5CIK)pgS5wihJ8HQdkSeW6s{7}adOck8=E-GtZ4Q~t;LjFKvGWx3LB|Z*v4roEF;)f#)77m9N-Ze)Sp1IcVVU{>Q zu+o&1FjO9k2+?f~_HA|9A3h0Flou{sE-#krIWG zs1@mB$$Dk~;fF?5A{ZHC_fp80K09;dc8|)|FYkmERk+eDY^;)YewulO4@Z@TMWikM z>4)uwMiU`b*1ahV?49$mof)(0^yRaALc?xqhUkD2fZ+KyH?UEj*sInhGnKM!8M-Sb zEu>#&B^RJRs=(qrIqZ z{Mb%V&HljZa347`?B?bfImyH4i=rykF$` zJ(PCH3|Jkbs0dQax|%ZS2oys!I%iw9z4Icz#E?DZd* z7-wwqB}NsCbMsU)HJ3l0y5YXHTr02T&X;6aRIIt7sPp^kR^G;EL}e86n0 zg?d?R??_{o&`2&Yw4QKDY)wj0^$mmE1Lhl|b}`;I24us&ekeGwfal^d=$ zsiUe`^S1Z*PRtFlVWIerV3rr5VaM@QUxFAImOxdWEqgYkH+0iobEqBfV*R_~(}r}{ zG|SVs6TeTe=8A5IfyKva`V3Mnv$zJvDF`^Q`ux93#?o%l6$ji(N=nn{CX4GmRW_`WtjGC@3XH(D53uo5W=i?MY+6cyW!Ik}XY2+e8#g4<)%2rac#Ba1BW;;VF 
z`S57#%ivNHGOo@f`)0*?ZEppBKkcc%bT6U~DyIP`lS`WCYp^RzmMZ|JM?ytD{hGG5 zT(*&F!0h#;VqD&>#{QD6+0qYL;jB*zL@0y;N@bYk_uf)G!IShE#2dA%$0(u`ESQif zx#sCzPhi}P+nbJU^y!#gwRU((wr!c>08eqRTrg6Nqwa`S`RR!^1xx4qqcgf5w(zM> zz$t(Bgj<5aaCX}nb#4OpI{gguLFgrlL7U$oB|@@zVL+C;gw=T|B(7dtE$G!o+y1-m2E1ex=vNH0g8h={i$wggcr)wD2?4hC(37 z($NNlqy~)%@Cd4|v&^?yIF>Ak#cu+RFQyxhR4-hZ)O_&hVq)0ig+|Z4Zxq`+st9En z?ZkJs$^!bwWBrMr)Kha?_|{h7C2e85#2CA*>U(<;qf!cJym&`YN@j>VP-x|9q{}*A zS|TcUDU{b*`(*HIYsd9=qPs{twu-B;Xep>HuClNxHcfg8^*pid*Vm#af=s-(7+?1W zk3rdIydHDve!7+fQJ+YA5&vzzXv&gkJ;VB_?hd@X6prKj{a7v0grKw3o#R5R8z{Sok~bg#2B#YLLU|pw z^6PG!g*;f~zr9j{+Sv7=CAZTCA=OuE$$f^d%m^iIQViS2n={il=X?^Lsh~8LFpFtT zM;ED}bTK@h95qVYfXF`}QMk7^c+HXo?xOblCwJ~4zS!3ZN}<@KI!m*l20r?%)1?b zL;mMDc&K4^=nU|sG{4o=dnjpDv-P9 z?g+kBKqHd6<=$l2l@1)X+4HvR$SjBdw}^P7M~M-O(g3}Q!n$8;tBU$U$rr2qER-{E ziu2s9Gr82AP5A0!JpNe#MtB?_U^8u;Fl|tq(OYze`wHA}ODnO1zDqrjVX#qPRi(x5 zu~t<3?;gAQ+A-Q^q=}?#4UQ30xkQJPb z^WV7?tVrL)Z!Pb;gbqaae#?U7pAE2LREK^;0<{N|+Stqw+mL31aS^k~N3V6sqdn{D zKkt-k@MsH*XMfOQ!Q|0t*|@HKbciGJ%)c9bocCyH=>_kDpThf`q||jKl1(cC@wT*l z=RspEv&lK5ana~N_^J0CRMGRAK`$i#!0h5<6oYCb-KpHg)^e*{mbA`=oizHNrs`vX zv#@?P9ooBi)<&q77DT6{M0#<488_+D+q6Fb>EkUt|8$#Wqgv&b?_JcGE;@ZFqxRc3 zOP5{X0odWVRj@e2mb&dvFUoWKREQ}^=zaeez-IrK&I@*|FbU#hsf22J4xk2rKxMT^ zK(jP(LG-X`oJZ;@P>$}Z!WUZIS^&+B!0Po{IqkOPRC=a|ze5C(y}Hq>3u?nBwtVrqM*dASI8 zn!%ZQ7oXCENU(K)Edww_Ue3omu zdbYG~ziE=Tz4@1pkv5Wbc2teiz0@@*Nkt|*k+UPqUt9P+eL@ty*tr*M1bo>tw%Wf{ zPiN`Qas6n19K!_u=evXTSu(oMLUK;5g@;KQ>MXhLP(|fElv2~^&F0Z)IoD%0)UZ8} zzb~@uuRBs&UBUyPZytU3EED6^UY|P`qy84%0ij4EsF_OP*tLh%V36PH$|1+hbVsZ$ z0ql1AUX!95D+E8WukUamYO|JG`LdtJ74iUODHC1rPT-Tvq8c2F;|Rg7^+*OGuZR)k3eQBs|YxJ8%ppIqQr@D6<)Q4dY3J}@|J2I1&_ zYXj;z!~!53Y=QdKSA=y$MGJ|O!G)+=QrhECwZzG-an7Xn!B5W{nlEzu)Am;mwDv$O z`@^dFU%IcJv=N=ddTe%pJST!X>2CRDj~9*A9-DwXu2s7`a~yW^hT6N{3%YG` z%ea611TH{R$=vUJP-m8nR)QAtUGtX7$E(qGcV+t>i}!dH77?s~lb$?rI<~wD#jchFZW0_pz^^0210Qc zP}5cT`hB>2@u+jb>hMDDpV1r1`lbpcA!^urJ-Kf?f+dK~Q$|JOhSfNkl+o3c9?M%p*xo{jZc1IC1Jf!@h!7_?L1(_r~*2g|ataTG)P1xV@qcP2LiU 
zCV-u-0o;3s6n~}8UJF?sgJR3cdjxl_hnFQ)ok`DGRN>BaAL8Nn5~B`{_ckb9#Q2xM z2>{oIIo}Y`16OI!EKFBpmOJqHW##Un%p7ybVN>lQhv7bTI-d)j>mui2uvmbr{vFU2 zx>aHZMD;fx*8`3S2IPIpJ>sSiVhQ98$mNl_>LYR09_xa?LT@{>^D~}w6#4KW>kRtg zaYEzMV#?8;8^s^(s>JI5#m4yte{`fW;B5XP{m;I*he4gfAX0y%$`bJ!Dn8t3%!v2l z9FVy(>^@Zb{y@r3V_!r#L<0#HDdX&DsPy_H_4otx}@acB@J>!rSO_5Fdz zw^RJwezP&#U3mGlxp+kp>4aj*U}b0E=JCkB%{U+IMg6x)Krd_kC=lrSOf>|RN?+mN zB)iiGo+Y=m)xZ_xi7Mn+TxT0L-UD8KBG_ew-OGU&AR(Y-M;nX|r~d;IdMa=M?1TtS z8Cbrd_?IpfD?3c{1LK7LVUYeS0_pmH%6&++UZ+0`H0=|n*Cq*`>`3ltA}kss2DEVI zcNJq&D!{MP104Nmh`jNW|3d@i`3+p!w%1q$M7oggW6EHnp;=7cc(7kl&~@cunmCEM%9kgG#9KBV2Cnl({6KX*_;T_!|uGNJRsljtA8i-$*J`O4HwKi=W_A*m- zk`@*;rHOJ#rROMY(G_~&m&eK_sFy9!$7OEI_Ec4=p-LyYVaIB$&EQ8;UUi_JM&L%Z z4%qe`d-yR@c%oG4hW!Mja_*!(rM8KEo14etj&pm&vGuhGn43j9YWZj`?hUrXTJYad zE*OfBc}pawkbXGX(#0|YouCj3&c+_O0ZNr_0tjV-1wNR}>>5IHwX@1Oo!$#S#OJn^ z1m;^+pkDuOvA(J<`TmMe*#kOSzdq*Ph}Pjwy<_RICC?p%a@tJp_>5xaQ0}9ITv1U@DrQFR;Vg1(P`8tymnz9G%M? ztnC#vn`Bf{Ba^RY;8**OpZsEG+PQPJQF&lYamPIz$2A4=&FA~`8nQDc+?$B!_#4U2k zc+jpz9?GkJEdH`K`dyj2nORO`@Z(j*mXaO!%(SY>@u5RUdb*92Gw)>EE1CH-G3C?K z-(DbLzaxkogvGL~dj{E!M}ZihsT(_t;(kBb{6HjW=Qh zjRrYrHGus#jK-Svot!zr)-!g__xkody82>$e>5jVR!&YMz6Mc)!b6oHUSN_IIOKS9 zW;zcV4Dw`MW3;!?#&>gEG18T|%2UA87%+k}BI`29<9W!kp{j7aMwLOL-au&4aJW% zdP3<*!k{k$I=Z@%IZtMA_Sef1%0y1J+_|u(F}bo(tq7n_y7a)*#24~3u`QB#iB&tb zKJ9^9ZJA`Pd91q}6*3^hA+I)PJMOo`kZzd5N)N(yYk2FhcCGq#quF8>I0?-`iMJ6) zj<72AO%tvrUWqTR>s^`3?8sz@jIg1i8JJ-HTCkOJ<{Deg7NEZ1uSjR6+I5`y<1wzo z=h|(TeKR2Bw#|yK!aD;Z$8*)jKBZ!N<(ym_QYNbA{A>o56_%xA3GOx2U~azX3A94c z=QKO%9f7ea8>Ao{2WWs+K6d1^9pOXa zW3Y*xFtvywf)LmbOSB@ePylXvfp8{Zm+cQlUcK5`Kt6$f;!tHhLz27(#Y4LxLKCUz z4oY6YYX@Q;R0*_znd$Oi0C*e=C*ZJ>{S49u*%#S>9&ON*-wUtB5dT28ZJ`NLpNY5I;LqLCDH?kA}DscP-2b*cm;Udr}jNRT%3SW*F0-Uz0OVS=o z%uztg6R2&yA;EujeTN@)X&x4F+y6E9v-sPsp#!v^m7jD<$U|^5kQ>nTDWyAqC@|mx zY9AKcDP1Cr3Xy-qZX~_C1ZE|b6E=d_jn?FEwHu8PDeuPZF=FE{my8UA2p=%~JL-6f z09JLMNNfe9TSEpXU3SbNiPCi?wNZXS%T}?2^iJ`Xi$p1s!l)7x=`v3C z6H+%{Z}{*Rw(hEXv0$%6Fy?aj0Ma*~B!h}Wg@NqaSA>wC*RM?0cAX!ngLM1~{6%t1 
zA{KJKk0xnY>(PX#aLa)#OLa5U0ILrwkTqVX@UpC|n8?>T@;q!GGy(_5@BN`b>NZM( zJyueJ)+Jz)uImql>Tna!c@gji!{)no?1%3UE)2MYM};`KmM9c@Wvc3%O~-8dpnFGd z(|0z_5){FTAg%>+d=U&d!=7bM%G`O7i&sZY51I-O;~dkTK5)x4T$=nJ$G98+A4wvV zNYxEGB*+)u5CDb7<)B*2voB~__t za4Bn|h`N@J@ap4ayy~_>4D@APq`Zcx!fWB1mleLxxG8&V)W$v#w|p&uG@oGOG}O=B z&?~B)b^so#ioPh$?JHUhWKKS^dw#2nR&}Hu9jP;XGGw`@QSJRGjy=E|#|k^BJH@Q9;43Hv?fcm6BCnILDtkaVP22R z0T%wp$+*|w`F7)|TIet5e+suR4JhEIH8HxxgWRlmHMLA?IPBiC$Zyl4-1GmRbeAKjllkD8-dk#^6+>o7Z298g+|(vK z=XgC=^&gqX7dYhfQg3a#4cCBjmpAUJ-u+j! zwLkbC-~O0?>tWff&D(?4VH2Umv|?2vd3a(X$OS#%?7g~ftJ*KkchqZ^V&*D--9Mrob(*bR{~9;Tn&sE^kK;$G#SfDJ>Xu>~}zm;wY} z-^xJJ9deaI)BBD}v|)kkimgv4n7A*m{1CtLc+SFzmnpG-)g`~P&h-4X1T4g^}V_1dPcto!e zdxbsjsnN%8^^7c|_|whQ0wPP56I^-|`ow&Czbg74&0+{qIJ(|e7z_ET?dfxOX$^y8+TCI018!}wK~4ME53hj`|sdwnC3QSR#5#7CRS zNdGAjPlfTO_vi2c+C^vKMR-imeL}Aa$ox&|YO8Fq&09}U)8#1czS@$`nPl*rt`|mmnN5aoS!5%w+L`K&i7SlaisV=aU=#O z>DTHf)!rN~w9P3?aF{W(oSwwCjvUKnsdZcSPaw<2mVz=H>N8VY&+S^_$fn#vUnWC> z-=gak-vmdtGEYUou~kO7oflvBheFi;gh8mBDsk}Qhs1cQHbu#nCYJMfX)!iJR4Y3W z?$s#Pk;n03_dCtn3+FLI!R1>X7g8Lq|GW5=LV*#anw`mpKy6~wb@B71c>30PNj$HN zq?!FYu}`iVIKO3!ESq8H3w+vIm)x(l{AyVd2{6g&Cem*LXZPzm;z+zqzTK`@(k29t z^P+xf+cK=VnJ>F^O2Y2wrkCoBG}oRRjQ&WeGM%>^Nk;oA&!TEl8rS`sOENUzc{1>6qHn8XHoVLdHRdGiZbs8np-# zokW`;(*%InE_v#Z(^AloVA^~t-#c^r_i{8v?t3mjggm0?@60krhhq#?fY}dU*UmHg zHXs6Jg#RUtzVWiATPd^r;&q?vr7PuueIXoi5CdWWRv*XaS`{LDZ(h7IDLHw(GRalc zV7z^FSZm`F?d|%@c%1tm~x!8XT&1=3H_S2sy$qZ7DHTrC|eIeyQ6OqgFj! zLjFmtXPFb`d|w=!SKvF*RRiFD12+@|O9G4`H%Nwcxu1wDjS2SNUzO~4*k5BL%3Aw@ zp2+OCo$n?Xh$g<-%6R@L+&e`9!-_HPu9o8zl%uVCB8T7m)rS`nE4sYoq;Y;h+%-at zoHBRRr-YE6nm^2&`X$uO)KkCK3*>85E7l#|QDZ99oSm&88}9ucnNgpq7$m(8ZuJJ; zH0AO6$~c$AT-rAd%B726cE+kVmQkMpVdwCVMP(Ohe|E~8bSv!b2;yAkp|NRFLDwpu zgTkL!EOONIp0hR0Emn>vF$RyRnY-oRJ}40kx(|NbQM3&r_>p2>skK+}r1_?Xj}>i? 
z!ZB#`{W3ndmXb62L)sByY5*G)N5746!^Sa~1!kKP^c36dC12L6vhVZ1_^}4CwdX6k zUnt}f_A+8iwz7)N$(6k}mfbVs6J4aLgYj2=3U>1Df90&Mkmgg?5H9E^zY*-+GYTq* z(*UJ|8bp1uR(%{fivI)42Z0c}Z=Qtfh{Es_>G}QKhMi4o+Kk{4=4Nt_5+!aew83DB zo*_VW*x9ujN;g0k#+Q{%-3_qLxQJeQDAXLhQuM1UI@-o)AWbU@sVLCNk|hwkf-yoh zSv)qEXY6~B7=-mtm~-5K&G2BUK9yA~Le+7a6%K`M*cde})=g}`SCZMR>UFmq`sxe` ztfA1`CqW?k?Yf0*uK-)-ch1%Ih4!g% z;pg<9fGc2fLmqB=ScA8XW`~C=P&xxe7G{?J@J6oQ8x3bp{y^pPC7N;z#XRgw)4|RH zCo&Pj%)v=+uO@DT+u`iMl{k*`w4r=^?Sjv@Fa7haV)9G>nE8h^paT=l%{+#Fjhc|! zF&$s(B0s7bk!pO`13Vlmvtp5N`@KoG!sryYcm0O4q@{m8AzN8%(oTQS%&@}3i}Y`* zdLBm-s|fw)?B5J_Zsz#oH*cagz<^5c^`^ zU3pwSLO|Xv_Q`e=6S;qSFQn^M6hbT7avo50Z(L>p;#58j@b?$7nK?~4Q+dWnahV)}_d)&pPhByoK%ClNNe z#U%^NO%FA?Xv?7to5daOn&d>xTphJ!zLHv^>gd~jqktVR4OnU~z5+>9CDGImk=fRj z6ej{M<_E~(pE;`MZaz|qkQZ3}_Xa+ao`LT|gnFOpgQymR6u{~m zvl}*DLQ;xTOm5%-(N9NtgUKwJkfqvk)FLE!NJ5x_qTZoB}2MvLH#%`VE6)E@RUS@NeTn3llLK4*V{Wu%t4 zNtK2CY6}K72eDww>$thSXer>L?_NuVx-AnS!Nb+Mz@+Mm-rB+^n`Vv|ya%21+(vly zMIe;S;b5p^N_sX#vcj71-(Br(8)`T<#4WA3dB5d~SbBrt8hE*ss@u^kDYx1_;Z{_n zhClW)d)rV_+nAmIYspdRpG4G5t#O2|vABn2`W-IgXvck%|%$~a>D z!)N<_zRH}$ZOFY7F_@TM-cSFCoHPf3-NfeA9#2NfD|c0;oCzzO&*EHH2M}S(8Y*&f zxgjI)$8&IY-&?Uh9?;_x`yBYk>g}O>34303Gz$XnM0W3ZCA>O0p;O%B(j9aS;ze$O zQ3H!$x+fMXc4w-P5Yt|<%b8nbqYPb8@d%`z7#TCu7}+_DQ5x^;=leK3&Ig3vN_rdq z?efKSiehQfABwn6bx33uKj3iQ`{R`7j8&|qjWQ%ZG;9jyze#r5M@$PZXlCMPnuj-r zoodE+E^6e#9;^zApKzRqHeU*)*MTJ~-NBKw7d708Dr2QKm7^uO_I9Yx|7O##$_LNh za6B$+f}K|Zui*rfIu1g88&K0sDAtHN8B}h-G^5-0?#9(`N;D-O&5CCQYC2Md1NA8b zr?69K%hoJ`eD7CNy~fgmt&{jUKmr^xNhp6>~^!$0PHyvp;DUPqlX?s^2T%h0cAHVaMa&+b>10OVPXJe3wCEQ>vF z80N7~eo0ECj4n*YT1DhHz~<`^Ux^-nM--|8l_#Axgdto_ulCPmGmG+$th`Lp7^iBS z$}QKj#c6c98ridbans6CEyTd#`4oKE*y*`~#jS~)JvQNQAZ+_(1C)V)%Ss679`Vg5 zxA!8>MJo`~KpF{jll#wC)r$+9oL~R^nS2`+ay>zv=d!-GgmK~^#R~TH>QwfidEN$rFqbI}%BuOp>ar$!*ZU>7cghoR{ zlvY*N<|66m?U>wnoaUHL0&wT$h!;&DOcU8uo!F18i?9oQe04VZqF~F>B?E0&8Xbc+ zVuFQX+@1>SaS-jB0uUylgf091hE_q_z%iar79D+rr&VoiNl%>E4*^91m5M>9SCu19 z3l-JTR<}{ncj=oA@531z#JCIH@@0@tqB|$2QHe-3K|2e=OzmUdGWQ3*WwC4te~BEy 
zU3WtbEk7}Qb}Va>WQtHVDik!UcRhF{xVS##lYgm^@!5KTtLWm$jzHbdcq>#0yDG2s z`=TqVO3l<>jqN_(ct$Onh&##8vJuK4=1LNdo+VvQd_R2?I4cH4O#g?533MPt{D3aN zgBaqv;K=-7scXi!(KTbQj1(C_P;0kGcA-UU5hnlFyHGvuRB0d-b^>lEBNlTGnmL6U z`oUG2Tg$elNx~z^LXr3chciXCBWQSoe1Wf)X+78vu&YKRJvb}mcID%=-vtA+?EQ!l zt#CM1gCJh{rUmd4BxP_|H+(wv_;yJ5D9$?Gk`;gPSY)Ugq}gqz2C>$SmLUuD`cO5s z@oY8}D~TbT@frSDv{f_yHC=->`$nrvZ}0edqc=3eLyP`^^M1YpkAYw@k~F^Kf*A2w zIujgL#{I(ois1}bt9;O+3q1O$=zu(-TKNtN{I3KtVFE1ipG*yE{r#_Yef57=9Dl+4 z_`Vhe@B#5U@tARpJZT7JHsR2il{b@1gzT=dfdl_KUK2Q(wXDMnvV~!Y^|~ircn-Z< zV;)@WcP6HoiK};??A3-dA0t{YQzxJ?&(N-j`ljjc;z|wW#mE0Pj@=AwIZfQM{0?J^ zSz=``lamwR-X)%SL$!Jp100L1$)Ydl*B%sD(6v(QLCA< zA2o;G`b7YRnFxiWR&-G$*J!^5Qt9+jlxOwsmlRS zs;BDV4>S-pv5i6Nx%p8J`tTFM*1u*!Dt9}503TsFDgLI704;*I(tI8Cin-k`gGC@Lah z=d4_TcZlLVs>Hh_egoa#^H+u+>x{z7pTj80zadDwFsL1ZYAcHa&k|N@@rLQm{v7Z< z=U-)+BIkd%a~=r!b~xUgHC1+ZP?a&nE5Wf-O&lQ1#BNxaGfhy2G5~$&rTMedl5?}r zFEU?pIPXD3J=PsZn(l+vPG#Rg>F-pE8G>#D#ke*6>`KwT*+CQP&sGx_Zd0BbQdI2^3Z&v@*+sjGErPm%SQZj&iNP99zEm*0wf#cJz zi2UO^=0$&XBQ1A#u{&+mP5$B^iog$+8(^ngZ?UBFnLzN->GhwCt|+84VWVEGUvb@) za4)~j=s?yN3UhsMIdJ?q-(+&kRJ zOK~>N{$xB$QO*PXy(yjnw-oMQ&)*SYy@>+5N}=rS?jvubb(>IcunnxKV z#JV11l(YySv!oJiY;n$%gM5cF(kZbb`V^?&O511Xx|n-Yw@}wWBzs%KlkZp<=KiT@A9tR(nAdMBSr5{1`O)ABoZl=kOY z{4JCOZGWaigs#NIKT*m-X<5TEFgSexjBOFk-M0z$Svg*F}QcwTTfUz}9}*Ze!w>);N?P2qAsli$P<+ z?=$?fcpVC=rGI6A|3fhm4LK8WYzJKTs5hI$&l44Vtg=nIfq>5~o+697{oOb5;4IyQ zr^TH9Mv}OL<5PklmOkX2Tm#{Q^P+~;;V3F?ep7&Hs-K6t{X&SDBj8Sddm&JGHir6V z^d;tdwWjWk$va*g&g=cM_gd@Sz3X7<@>=1bkB)-BGv2yW=@!lpRbO9&yEb;1er?HI z=7)=IjB!P$JG1hz_p%XJKFMiRK^SM$$v&RB#HH5}BvR!lEHkWNmZxIvl|66XQ(lN1P(IQeL%T zdAG|dayOQ_<6cjcgZmDZ5Aq~-=16O_W3;Kr3{y5&_lM#uuw!_VB}I6KS8q;JLN1xX zIo9Vz{nM{?ez(2EIBluoGLlpN#Q^YbmDP>OuzlfzT!GL64j9fY?#npmtVX{}mO_nq zOlFgPvETom@j<3}k?EtLYMs8x4t3Fu(@0q}y5LKI5rO6cT^k6WjZq ziZ^}__Budz*d+jpJ7_(#!20=kn;Mi>cW3N)h8Tpc()uN@kADB~=}kvRt?JbJj(w(h zlAXcN`gH&dnaDVh2->Md5UcH5wg*4L*?i)%}@{Ll~wyK#n1~g{4(FN>)ww-EmUT( zW;%7I0s?+g32K5hGYqA+01Cqw;8i!|$iU;v(!t1_JTMPQGx}Y5J!jc6Xz?FPt 
z@o26re<*i&ZFqP7!DD{rB)DY3F7WWS9k1P5=w;PQ|HfXG&Z3cMUFGcgl)2=X&!((K zw3JX&JC~aHwq>=cU6nSpJ)!|ktE0YG2D&uD0vGo}$SnBMj^D3G+GSrR-<4c8 z$jHj5xv3G!oW#>lY3P94ie2VAi7PvAUduZb7g zhnx5p&%Qz9!mCwv>!lhoa(fOfP`2%F^m$y)-1a^wC<=^_LmN1fZAWv3%p2wm$WOqc z-65g^3uAo~bU#pTQ?DccIYTX6M$iJOct-enAk%T_+>-bVSG7kp*v+K>Dq(d^`^xxjmgZl|XFj*MZ-;51 zCXlzP{Ugc_Kh?%N?TT7oyZ<>ESO9rA=8_z_91!Va z(LlzA+%&Sl!8LF$h^59y6J2MG$6p6%C67fu0H0$HcZC`ao+cGl zV}x9~E$Tg0-(YO+sbr}MPM;sD@H~g%FFkT@YAoo;p4ITl;rktB=jL%s)#j7<p#(1h>2m=u}Eg-KV;|T>oRZIFcij!{=VgUNBiI zvCTB*w~tZz^vtZYb&zv||qko()TswdCi z!L~8D0d+zfKD#aJ#<*R5&4?HO7j==SqL=lz6P{F8mUDjF1nAjH!Ra$>Lkb#T#VS){3H#V+^^P~psD+df}rz~EPNnVp)#a21VFqRaIx!{*wwN6iEuYv)q*Rogd zM;1%2abcGo$gE8$MmOWr?)_*?{0#oEURrAn1j>3WMNL8&WWn^ z?s=o;0(_ho6L%eB%S4me56ce-MV6T3&3c&_K~2Vjni#}^LKeu4YWvHLx(y&k;|O=@ z;;f2+)^*l#nTa3JZ40=4h|LTfwZ_Kj$$aVx%Z1{U(NWx22{14~17s#KHea9>=0ffw z3LNhiUQV5s2}A*@t983Gjgrwz?rQ~k=}~n|YHGjF?Le$o_AyB6;ZFZU@jf05?Mhs% z%7Z@h&+?~?B?M`u9sqZ5G4&M+Erd;=jB|NBX7{`*-b0@)`Y0bHzNCNukyqyZ%)r>)k<%D5b{({8vD zI2L!Dkn7Rt2@7Fmp*Wusb1t*9A_#p$NaCq>xQPF3EfmeXsnfS3c%IW{^N=rTqqbmn zsZlp6`Csnp^q1=^UB9m6jP8?cD^0L2Ci!lV5@3lctD@Npt{j`wA$><{p+~(@^!{v{pa20V#> z01EQe!oRK-SPa$x$CRM29PZ zSF2r&nk0Rm)1X>NsBf=>hImdj@Oe0Mt)c+t3^BomDyv(5Y)@VlthsoE2vi^@vVPSEm;FU5OB}p?PlL_;^|fW3L0@Bf`vGV{?x_Ctl2gIm_qQi=zlgs+ zeXmU+kk+FWswBa1n*So5%&=E|#T9(GTA$sCpM0u6a9pxXOK=sFlbf4}1nG3CO~c?N z^1;E3D zmMGY|2^WFd>d2X%SS&{S0wrrw^)3rzSKIu(VG^syLiJ#&i^%x&>XdX`O;JwKCeggBy8LqrM^&df*I3^G zZlH@>qum?9*OU_>tW+Sa!Z5G$VR`2MvvU*On=Z{49d2iK*1=Nk*(mvxlbcr?G#0ct zd^5eK_B?AvMUI&3)D`bL@{3ixz$;h$-p+TVM7HQ;*xlypY%Fd&cHfw$OLus1!CoXg z;y5Fw=RIf8-G;6Icinxn!=nC!JS{Xa49Ds0vDgQJ63wPNTR|M-o?v*kN5Q7%m9ul_ z`1%@VJh$|n6YdC2+SKLZZnC3HoFD z4~6~dS!|(a$~Y@-ccd)d=hw2(%2$1xePg=3_t5WZ!ab>t!<2jq6meLe?SX~8h>3(Z zOl_ix#j3sY#y9ewZEij>R3bs%9h^gtS#isR4jN+|1^{_guBit3sYXvY9JQc~ckJDFuNig_}r1 zDM&Fd{+mVNQ0EaT=rfDJzmkjp-1a7xL8|%;mNg`ZFKF13W0b^$wSaV(Iw>*M)Fd4I zgO1$4nPh1x9^K&7{J`iL>S5c(S#7Fza7G^m^SQp!KH~rOoL{M?+^jZA{<|~r{ZIZ@ 
zsiwqHkyz!)_VDvgP~Fms7TP+@C({Vxty>^Bp^Mr;D+f3Woq*bg&OjW=tz)+vi69nS z;dG#o?_6J_BpJQq)v=)GA$Umuv-Z~;_T>Go*cb{{%TtGLgP>*KX6tGDjbb- z1Va+5%Kvs&cCha3nBW6_Kp{QBn}8(=N_O$-*SlTyRuJD4*R9*8~4dheNQ_d78p`z%l3m*mz4VWGH ze#odkH@RI3qw%dW$0;>BmJ(b|Miro?rn~#nT%w!mj^RFn%2Ri5^d`U73;y-$5qr;% zF9RTi0h+&Jz!5cxSSm6zD~9C#vv)6oTV!+>SgC8kD|S#pxQ?sFrz0 z{_NK#SbQ4x&vqphS=m3};v zAc*p5s~vv$;0>CcI^o`ng$zhN4W26KUSdXkVBny}+%z?_sTSl>OHlQ4-a zelszBT66MHo9iz*J7;OpGu)?8){&*+&08hOsLqt2%3n0}{6*_utG8fiFw~#LlgOuS#FTfSju5P4QmW7#SJ7{Nw76_wgLm8i#lPbZBVZg5Vdu-@;mG^AjomZeB| z%cF!maP~)R+hJD*$x>76tmTTUVc0D{1!%$aH-P|;vM~j^zUZuG0O@BEY82TzQk+OXuyKFH*yKyUNGEZOZ7bt~M595nVZ;mm~(~Z>ANB zrbl#^p}^-(1U(4+9``omqe=Ju{q^abae})a;^KK(1I)UJq!!ki#00cxcD~T7&hImv$yq3(byckt@~Q; zV#rbFlUoQ@=1-w_!7}gn9sVMNq!ql9v0BC`b9PaswiXfSJCPSO@LVyYe}eE96hXdG z+k?S-2hli8J3C7lk#5Vh4E;?kTx1FVEdir;5Y4jp@PkZ*8fjklW7nI{s?-vc(&=t) zi|}d4u?PMnf)^(c7Ql){U+#8RkhNs3B66~7_YhyYt0X4KRLrVAoQZa)m$bt=vp^<& z3~{I9p1?sVD%x;GYOlKBr|&=13PTL?$2Ni6uhMbC9qcmkL|Ky8h}e-MhlsjPO}Uw{ zd{k1b*#&&erZUFluriaGAt_H5<6HPL{<_0MS2Ej>WMrG{!aJN2qCjh1Zb5IH2WPR zj_U7-B$Q#k_SG>nYHpi(mbhOidjzB{pdI39eeFyM*5Huj)UXCchei1~rY;ZHf{jOS zwyT*QF9!Td{BbdK!FvY7JAPi$pp)&J_?)1~omgzV8E3sfR5wFb)~d!dG<$GzVXD;Ey^O%4qxdhm80?s?XWYaKB zIsM}7S68uoW2-os;ey%i$85ZGTDroyqnVm)?REOI>>&ose)3al{R;C(xea<#QYk5t zE72b80mB*|%0xd4d53(xksum^V>6y0cKm6Kq_Zfm5j60)0hKa7#bA|8QJc!3a*yM? 
zvJenC^T6BYoj!&RxkpVNFJo0Ktbt_4IZ{E}1nzQ=y0)21R)e`6=rh{EJ z*_8RBP&+sOeiGsb*}(;rZ@@qo$piXWuSaG z>b2F%4VgvCX5qw)G@u2<0cz&?hDwoh7ndMm4Yb%9he-{)GMIW!HAC>eD)X;_FIryO zGE0eO7^GIa22H!A5bnO=qh%$D@c?LUn?ng9ZT@alL4RDV7?+|@9sh=uAZ0>_d?nQh!H4>HBl{*vdi&vb`8Pwd1*EMp%96CdfwP1N&|}o z9co|TjDnXzRyj#u!og&0LcEh??z#l=**%{Z4kp0xcjXRCWz}$6+b7wC-)+|&i|01e zY|h5!Mt`2p%V=Nz$s?zoe``RxkqFxWNm23GKrL)d6rQP#waz=+*$y}kyds?csQ6Kl z@;dI*`82-u&ioZcLdW@Qwc`d5dy z%$Ol@Nc~WThKgNu$24GmTu?vyRoWZDT2;)Psq)6uobhh)fP%%FGDnr% zS~EB2EuSA2^Jitj3c>)cON9VtZI`KW-tccGeR&(Q$1#O%`TeT?S~C5CL!1X~!f)T% zaTO1c89|v3>v;h%3#QD&g~fxrN znsRlccOGqO1`SYok2H?oHA0)^7B@AT=z3<$d>gARB1;WzfcWko3Oi??R?HOz5iFdV zBs3HxK&WchLC&?$^JmR%du};l?+wqZTF>w1yE&15b|F3fTJCRe74|Jat`iWtI2Je# z(`j^e_zvKjkI&ZPn6$WG{Ke&N>_g6HAF2NmwgyZz7PY3;7bb!gWc`=Uz zgv$N$bVX)R@xA9T@Ldzg^T&BsRCd*lA$lz|gMhuNqM4YLp1+)}?OA8LUkTnsp9iHv zLLYTP7Httyp6@JXK+e_)$k{5zCw9(LooA5rWZR&0qz5=e1a^2aQUqp-7b%{dx75UE zKa70t_26F_B}>ZnD-VC2|17(Y5L03r$eWgd=c_N&3!tj~UgllxeW)+$=bU}fZ7X^l z80Zqa;LEg>ALSAxXb&(e2rr%s7={XGYP}eDvG9_Am?CAuC~T`c0!iiJc=C{9DQy|* zM1RxQx_tt2UFFk}=h)#4%c(&G2>={s(Gn(PK8a{QHJ5T_KlBz2h?T zGp$6k1AkQGj!U|O)vFagwFZk?ms)3MdPHt%8D?xCYyC&$xzp)e5OypD8snY}9(GqN zK2nw1GKw$Fe*OA`DsMrz0JA^ncq%~tkOC0s;ER?G?i<|#zx~~M)_CC(qqt4sSzr+| z46L((1={-!&=I;73ibj9CBX8Fa^$a>&g+5GNOCv)fTyhh;RY5ZfGUVS+QP{f^9ed2 zi-epA8btI$NdT1=E}JL={Dw?Pl5Kpwn0KMLxDDvxb#UP~gTMtf^#42!c-UYfKkz$_ z?nixGL|tHR*s<%BvsDdd)n(uMT82~STgAS&N2}v`>wPVU3TcNH)UoM4=`Tk0-RXo;kJ7w9Q`$)9bphW|pEJk$bW~SR^)h@hBe^)gV}?aSUVhWmn`yUDNlp18^W%(bZ)ib%M}VjbjCR0 z7sRuF_ABE30NL@tnShh&@%eKR|HFqu!sC2+*EYnp-}f6N7dr7Ft(p0Tc-~=3@uS#r z7VYAV+An8gASKSocxe%!3IXrVzy5LLho(enQdi8;G{Sh$`@jtrvUf6d%B}buoML#t z7;(nS%?$Q%6+!fu6CsY5K6qn#v@-%KSS8i@m#iF^p5KIS7gg}m7ZxVzd)sM37<8-C zGL>LyK>XL|Hx2FH>cBj@a3`&Hh>$}NIeh!q%L55%Lth2pr^(fN|LYYT6uC%>K8KU< zq)3uKTAxTRYzprckU4#yMHBS?fu7KXfdq$Q9g;N82e@W$M_vRQ(s(I!%^gxS6w9^* zUFU~-K$X@JgX?5AU-1gi96vS~q`OW2*U7-7>N4as@eo2{0oAAN!{o_)QZx*}U&jN7 
zOpsc5#-Y*1b$}+|#yf&M2z?WT!G8@0PbP?y1+Mr8fNg70dh*@4oiyMVi0R%KUHj_3!nSLcRqkmavQ){-RlfduNroSzlc;0?VP)#>><@$VL)L=ah*tw>p5N@Gbk*I za0xQ|x?r1PE%fi2@XxFAe_i{{xc^PHlAvS*zLV$)NJtBe#e$Hcc5Tp_@lxb^bCw9>*Agl7vgV&M=5sZ1*E6fB24THb%UvLx6>bm{U3E`2d? zaKM%p`PNzs{E%q^jk^mWOPVv|tKSYU7uFv6X!S*9<;7+qy~n%B1*uk&ly|9X z!KUQfIn1m-G!-pLIh)!eN$Ds%iO-6o4-2p=+mPu4%LdGVBa_+__d=d~_a9%B<6NNb zLYRuE^2ZHq>Lm;IWS}%LZ*`vE{QX}*f%acDHZ8CbAPiQ9O;X85FNStqtY1&t30Cr* z)i$3yP6r4OZx8TyH>j4B(8M}>9?edjcrWc=DKE6lghs%jU+hj@OuQmWlIlfZvq<7V zMzZIW>;%Lcx&$(i4O<==q>X#`?2WF zWeYoVdKvSxT^D$$a5+LIPjN>haBbBjEIh#{7N$J!4$>RQ0MEgz&AIK}*B_rm+;xvR zqPmh@R*zjxJP*T5wx@jX7MlOHDIS;Hk3W-km)`0$AJVEN^0QR7Yv-Fd^TOxLKx9y7 z7&K42o%%kN@*dzH76vTCMxa~cV&@cwA+LP_^5aLY=l;*Zos)X-kZa&VQ$M^pt|=d< zGU&6IxGs#5f={uUjw;A=&Gn-kt&4hZ#ouRVu{Dnl@uOTgTi`VMRGPW$R8})VnG{OZ z?Q(V58&RqNB^nUis?8jviClUwN12)J7^d0o-oHX44A{I4q*pt7`?jsScZ+T=Za}V! z18(J@?RVX;3?rS8xM6D-$c=J`y}+p`ng==c+91G zoA|Fjn(;4*Pu|QirB36SR%Qb-Q#+eyN#4Z$UG%~l(jU@l;Xct0x;uR+HcoYvpVQ#~ z^sC+saL|j6?JOn_VfM8aK^D$B=+n-ENGy&ja(13P2 zXd>TR>3srbsdwcR!u17c0Ds@XJw1^GRIXclCOmk~os&U*1hCjw`X*wp#NoDHesw-< z3zUUbF8=QD#Bx?0IXkg=z8I zsuqd!g-1)goDAkCA+DtgiVj%BRp0ns&u2l_vFbm+OGr1A*UEEIUjDqi#?`DagpDe8 zWrkb>?P*24O42X;+n23|XV0nv_tV4myM>|#?Pl>h&d#n|qlZCAqe*`)`_tp)x)ro^ zBfJv1)4KtgFCstzNRQBVzJ%#+iM{U)`_lhHoBf>gu~KTGF=z=^i?1R;y=3z%8KM=&L&Tl?nVaZQagUt z%XHC1t?0PLW!C0Qq@$lUj-v|*G#%G)Ym0pFOvIBrNc6mNkIxW#kK& z*^iD$utM{}Es-OC!w6b)MsVMcon0E^E<4q8|GYV7P?~i8By#mD&{$Cm`(7dh9`Ul| zWUn=|uA!>KaC9MA0y8)OlEE|1nD!>~PKx7u_e>bN&4Sp65G1`aWBW6UdW%ijk^48E zHkwQ>&;wR`lSXTXP2uE?r0lC8@#L=W@!vshdlLnQZu)lSDG3d1RL61 z8F%A9p2#iG>zTegX?ARcJRjQw;evG~frcTb-(%HtqTUXr`ka#g4{`4u*3|a3i^4`l zMZ`i?AW9Jx0clbtHb6i?Pob&zu2v61mva;q}W6U|;@s4*yJQXogJys+Bjs!zt82r?5b|1YX ztryPDi|~k7@=e&*H%(T4nJAf}Kpxh;_I`$qfdOm=)9cksUGsJ>a!xY^`NX^a8u??m zeTxjXKIGLgm+PhypGzJw@Rm2Xn%PP_<#b`ZtU1Y`{x2Nizln~l73)UAG6$(TbqVb8 zp(V=!`bB;6JY`W+aZl!FE?B%z(nuq*T5ryd9!B!`kXaiL{c&3tf7WwC$E=1&En}w5 z2b*NpE-62i#y?Rva&+jq{hXLzTG1FcVav~7Xc{K3@4If+tkD|aH!@gd=K5JfN!h4; 
zs-U<5&Aw5EI5^}RQ&%g7YCK`}Zr&w`J$F#oneY*XtxP@QrtW^U*>e5Gr)6Pc{Y3VI zlv%B%rIiE+ibGo8{6Z5C!%Zux_6{*(Cn^bYeaNS*UGv-%~6)UvSYIQ4K5KD(&rS%OnU zX|YBG>vgw#(6RYC>qI0F%5dN5i+V9j%1!DmynB&C>E(1CPT&5h%e6O>UYhA##_e;| zYOriLj^}VDnd`E~fUIw`);aZIaJieHzThkqc(JS(PsG#Sjq*T0AFTgk(!A`!)g3?f zk~s+C${%+zY94rEU`DF5PKjwSRT|j_-N{d4Z=xx?^MOn6@dhSn=CYP~f*~ zGGMg+KF2Ln%@p>-(k%X-%nzS0Uz=;BL^h|*1G%<#DcuGjJwB;+fjUUZ?t+RL=j6W| za#Om_6$M1SgYWFe2x8K4&Q@a6q>(K6Jhm8`%!5-Lw=-%J*(4pM;W@r{j&3H!b4a$v zgNVi@=o#Px8Eig_XO0A#YeyoPIe-5+0Voyk9#}RrLWA*LSuZNfH`St| z`pvmb3k%<1!VtmWGp0W1hb>fisx3iZshMtj%n_!76F#Y!r%aes#XJhY+Od95B$*=h@r)m?Rmf5*SqZCN{%|!djIqQ*` z5tUaWC#}!jmMKd96g*ISiL4o}>M}koG9vZ{`{C!!?7}pbd^KZoA2y|0IW!V0)SXFi zwpF>PIs9Nh+?;|wdS6LtX^GJMc?^DxZadz4(?k87ib6_&w@GKe^^QRNH)!c2yfOK5 z*T#p~WuYDg$ULXiWB-K;!B2v+8`+S(!>O3M9o-kvE^+IIFO8VD!`FCG8Je@!0i=^- z1vO;h#`w;k3z6eLJ&|nr*Hq&*9$blJ5*8Ut*1IS^jFtMCFaLU~8b^JZYi)JrQk#5^ ztmI)0nIR7ZYGz11#`Z&uX`beV-o)^Tj|C;YXG)1RC@Ak2lYzTT`*=bQ(E!_Rz5eb& zDi!OqZv7|{7g{nXalygh=U_on*z`&72xsvK{$EUY5Il>dfkCH%cb7P3Oz|E5TPM^~z3%%R zeZJCX@*J{9k(8tJ;L=t!rNn!(a7U8Y_5ijwp$uIe+n&rjZs~eh8+*(4v5(<^_`ss~ zYVRlmmiZBR_ZQQ91RePHe(~o8TN7wnJ$xC%Xtw0?v4Nwc;-|bPe=&{NuF>9_q+48t zHP-B_>pEu>+LT}^G{8IU7JR1+QJ#ZGDS;-Mu9owl!CvJ^3mBP~|!eZDbbrFj?aVLKVS@2R|tKl-CNle%8lmc4N4>2(T0erfgjn?Jt0T_1B}lMI}9M!I9sw@4f>6LoOa z(47O-W`b+<*z)s{Plflmd1t9@&Lu$0N5^ze^g7#;g0Pb(O+$WWk}qW*ini&$A?Dic zo{poZs~-1rr1Xt)VA;6`u9n^`ad9(u6^t+hwFdb?xq?_5kco%Z#8TPVcU9N&_dXtd$ofMmy2TFeZdUuy=Iev2<5{jJX{R4(QSI`M`OP-8 zfo4D;rTdwqjw7U2B9Ofn=D73B!omU#XB^{3sd*ldl%5t$BomWNxX+Zh$wCpQcl&iO z3-_CE%}lT4J0%-Ec3wE~ZG2LD=#8;AfNxvdyf68=LRtnm;KBg%@4%M%`0Kz_FS2(H;OUk-bi!dxBg$K${R~ItyVY8;4IK z7C*Bibs!uy0Z`3125_g zJB0L6sD}jSg3dhOTN$HUew>$g>}DF57vX`?D}v*=a5Ppf@noCb?b0t_N)srQ>4w{b z(ASq!Q7HA>$_X@z!fQPh^ic17cdoYQ0!>1Weu79+LjigcM{p2J5BB5rTY?vQED)vf z`f+_XQzGWy>N39MKHUDHd{{YvXq!$`=u+cZG}++@Ij%{p*0iy&jLV*I<^J@Bpk9LX z(>^5<@-ExZBUz6L!xlVd(%{POn|LK0+WO|7s^ji;@;blU_H*3`zIU-A=a~3Igt=A) zrAf7)6&eYVjFSgu7Lp}9;?{4V+=NKNX&H(HjeA`0n1`LZGk*|k*v#fLV?gfj^LDM$ 
z{c(fyyzz?d3b9jZ2@#(;hx5~H&Rr^vty%2XLIZej_@(e0)Tm{BQMH!dG=yyM)LK$;!wcM%>5#JOBO*1dlI}FcTyOZPVDv2Qs zZlq9QZP!Yl>BeG+Lv`Hwd^yI0>rhf4Jx!p-FE?+FY}N*f#c{s_5;airyPCGoyeKuC(-STe4;{E zo-%!k_UIw*<;3dk>h#E&MN4SZE$T-RpQQIl9KFB5!ki!!KT_=&{SIBzafhzL7Lpzs zOwpsYFP9Fws(X({>vY1-1pQpDn(ziI_dQ?S26A(pYXvH0c?`Pm!ggMOXE!wia|l!R z^%qms^$v#K1a4bk0@wH_<=1`f{_iCoRu-he9Qp@z_R}AL&K?41_mT=r77DLxyXF1r zTS3A1?fZIqL797)7cI~S8G9F@qboucQ73gfwm4)cM$=6iH*BbHIILqSQo%G>Iv^;8 z>U6m@aL+M6TIjmObOB!>KRY3S5-#*VuJAX9OHNBUp+RzVwf=qj$p%3dG(52eRh)V ziJwZwZKqf7S}*iB`fNgRyJ)MRjxBT7H?@a9T4+^=?69e1WpbRfW12p!X|rzf9qULm zt}en>ls=!ixx8ZH+>wiXBf}w_d0Qz5J9j&M>A_?GI%Uf2db3+sUG}=>2kfwz3v7S; zIM{Yw-S~4(gdt{iuDMYrxx~vJ6YA-a^hzsp-9xWM3=i`@h&<-9p(O45YK*igeaz&x zF1=+osS{yA#ZwGBydW8uV>7x!9??Rs$rmVspMt!`N2IBHK@}G3cJ$?EJr}ygmbuZ2 zUsp5@%vlbe=MIcy8DpvqXe2_=yE4}s4JUVA2^|OG}TM-eEpsv z&VintF91d7fmjB9lVeW_C@^YL0Svy^TacZ6o76bfWSU^%@b&QV)jyPvZYNC2!M2&_ zM>m&YjOXX+fp#K}hPUI|U@6no%AY6Rk>v!^1!^bD$Ubj`$a}mg-fzFZJz%Wq=f-x# zm&xBGi%5|EqIDFdeoucEakXB?@;ZO#7vGQ9#e=``LW|adYVSZdkmucq4tnAX*%RBb zNF(Gej6(Bt%1poaNs|7gJiZPR@Xb&v(V^Sj=n+GdKz7$2#vR~Mu{?Bd>ezk}Z=sq} zXi)#Fak1Q;pT5rzn5=3_ywZT(M##4ZHP)UkNi?UvywBc6&j~0mn25C4ck}7P3$>s4 zgC4|FmY~8;-1u=4eQNO-H4<~nO_51Qw6^Xc`%spObn=T`;^c>q{1~|j^wQ8HZtW-2 zmgGc}t>e1*_>8v9BB1ng{!YX~Z>D&G12nInot+ajWPK3(B|%q3r%wuVjj_O&ax*Hi zbY{p+?P&tF%&Jcksh+=ZB7gjjPoTT#k4BAsThIf%V81+CJ*Xnut=+1A#dR-_-@tNJ zm1O8kDth<2*t59#jnVzSW+L6GYfV7}+eZ<^V`t}} zhfks}1r#6Jz_5009+3NJ*uDeX>?;zZ1TNI^p|VDg*(`uLa8ZmompWxI_}( zIfni*(KpX0`H6kthLn&^p%KA+uI@>I0-;RK4_A*F4`gWKXVkg}rEJMh^kZn|K3$ZW zYE0L(uGGYvs$9$A0oo<%{WSK&9WQS}CiROsmM@hKcK=wIs=BvxxSZc;5cPWWC=FKh ziwQxs`IM2I$MTEG!B<&PNNupeDVW-4gsI!YR+d+iSQ`Tm3ve%m>SGthbgJ0edy>!K ze^fMGJ+-E3o(oNKz>wU1C5x$(Rj}jro+sN2v3(lZPIC92c3Ns^S>+v85-gvGtVX)9 zitBgZ#U~V_nk7SHm)x-F%^F8y0!4phZ1gQJpc8vGB0VNL$@u51NTV@*4(fxtNv%kP zIjNTzx_lPmFy=fOpufTPH^T zXf4hd@%LqP#dXYzq>yDG%>p0h>Yxtl>xxlG zq_*dmsLS%~g2NU)A{VpZ=}62`y}XQcgWb-T4|lBsE}J+pLVMgAl{r(-8lbAgKyAu^ zC1Y{b>GAGjfYsVDq%*k*GtqYEW``CC+@v6%d8?rl6lrFVGE?$(Z8AX^(E6rwfpoSlN 
zn-WdY<|*q3y#puk0oLlvN@cscykP4VcwiD{UoYHx{mPAS05)v_y5N(L&C^yp^uF>-=xDHls0Uk}#GA6XzA_c`c zXAT8?*w{9n&c|#tiHQsjNu4_0-reNXbl*++UZ6M;_sELl7Fn!O(FH4hR^IIXm#WI{ z5+LS{akYskIZ~D-k*qRN7OAD@9w9eBM3Uw`q;~v(dF?q5TqJg-Dl09ox5Cr7W~Zv^ zQh-7uD$H7d8jxp?;*QPtZMBNIRod$;Sq<6bCbkA}D6vTXyu#cM4NQRClN}+#TBxVm zb>elPX5*pC%vW-|A%%h3S1GQ`sw^zywReU0oa1GAcAJ`OOcrZEJg=4Ls};4sIIkS{ z+TCg2%dFC*3y&Q5TAJ;1pUr3-v7;xM5Dc0ZL75n6FJs|4*m|d>wWwN6ip7N8P#hYN z@@k}Wk1)p0C{HXorAGF6ea5}iQ@7W&{^Qs%P_vJ2j8_LsJZTJ8ZSB1i25TeOZI zefHc<*H^@_&-|8Euq?M?lj&4%*3?$PdF{jwiB5jfV(^G{woRH*Fc#);p^OZBl$ z-|}&(&1{8ZTOU)SKncXpGjO_qyzlwQ0F&j1gSA5QILdD!15I6PafIEoUrgSipJ~~R z=rz?w=oNrtR@83A8!R)Qf;LwBQyDt0q44EdAZwY9sS+QD|MSe0ENT+py=k|hABtEz zpAGyNj1dEXC-Hi?;lW07W=JYI^u?y`35^4ka=xPk65I&>o(rpf_u)iO+*}j(tV!m1 zBd$r2?hSw0S;BMpG1g~k1QX8%#qJ`NkN$lPCZ^1H*=cuY6fwBo{SHq4N^suSv>J8)TNyh z;i7F)g6%wq(D!l*ShQW+MvtSO+ET+N7Ih^!U*AS9RupatvCh!+udX;Pm)|e$l$#2d z=8BBWyU%&-sPL7GN^^UW4yn}RrsdSvKI1Md22oQXHk@01OP!z8;j*P1S3FR65Z8T+ z$A$@EaspEI9lp;k1P-=czm*qa2Cby8tTa~oAC4XU@Wd#4@A)`uG>Y(f&60;-gY`gI z>>=TgHzq{obog};b=)498ItCNALN||H}R4 zz5G@US3UhRoq%UBlhEX&?&$Ric!1h|u;+a#JBixi+LYQ|1AyLt9yqP~pJj9~W&t$A z1fLL^gwHkvQIG(NJZOi9ZHO-*wx&A&dO#f6F!&!AV1gRd0r&0|eTgc};3T|(&zbb# zR-04*@*Yz&m%4j>7mcDZK_Kh=8tlE%M|b;4nzVChey9VJ4UNY9^*th>Q;Kzf;Ho-o05(K}##m`LEbVAi)Ce%6@mthM#>+q*1`V{x_|Nyd zBjNB8cm)-(HaMuS$_d+KSk3=x^f@7W$b$^HBe1^?J{WH3Upe?-?4f_<;DfP;{>NPW zYX%>TJ@nuGpx&8(n5?dmE>0QYy}%{S|E9awck6&)~Xrhvfl)uWv8M-6d&bqV*$ z*ZL+#J{w+!i9aM9b!jlwXWL^vNbRHeK$%@u8=qiovk9MJ#_JnMifxl$fenwI%-x9{ zP0g*%7bZrLv8*3k_^|W|Fxqq`TTFLXls-V{lypkr}z2qb4Ac!e9^zc75&@u|98*y z-)Ifczb^#;iopkC5B>W>@c%aW)}bVxaa_2n0$E(Yre{NZQCwY%DqYIoGkT%e+a2xCcJY@6q*{RnSwH#mAyUFq!y_;n-XIlZUJ#O+I!=65eNq}_)KwtSb3DvDP6O|z={U2vkucGB^1J!TSJA%j@25sx zKerQXZ9B=)PpDHnzb+cyTasAXyq>RUg|Dy%!Ug`G6(KPC$RO%K+RPrhk70NIuu62m;L*>&{;g z)0`0IArWngys^t3S%ael0UaTEl+VYAG3F!}unQfxgL)JIF&ot0$!{1mb{c54uB+wn 
zE-8oWA%emA%H~|@1)nJM#D|q1BnI}P1c^5YCDfNT2Y5JkbAAMfsR`pu1JXy|_16n&_FWuebnCfbTwE3(KqVJeU}z&|B@yhF9jmm`ER{Qma9p-Ca&zii372VSc2(apYoYnV2|NQ{>@skdgPxf>j5Gb|dJ1FD-&`64EhTwqaqD?_Y zY7L~N!ZW2BQLGNL?cHj}?X^5{Uf7e1Rps9{r9UviuSZ#_ZrqvCO9+agB^1^#6-uf` z8auV$jh{d(v^jb*_V#*-qmC@%_-WS0XYAm3;VfJ>^t{aWDQS050phnCu;a+i)!Be zY+$uAtp-^Id2d_%*hxxZ+n=;(rqz=C+P;pzPp77$tf+=kqznfS+L|=-5hyA30C~(# za-TOESV(R@*hk6+Vi?i7mYC355ldg_HrcDov{BagwSGnSl<|{2;C4E?$Rb)p}=I*^JsLySD-Lc(#yVUH&8@jW}93 zf+v-YuLO@_4lD|alda3{2V(kb7Azcg3@tTJRloIM#S&`a^ zMOqA5)t!!0#~WX{c_)b+V*#paHbx{!0PQZxcAhLl)%WS!^1o{M5S!uWbIG3{s#V;` zvkKZF-072iTtb(Zd#%LFyObK6ZW_Y$_0iON3?bk9z5_A%3Fgw^lkVXn%K_(@fnnOF zQX$tlt+QR>#$^FzEGklds-={E1Jd{jun=st02P+DI_pEvh~K&lA@b z8LEMBW9SCe3v{N*L2rW4Wd0&(dR8sF3BuE}OgRJTKl=P#dipx~3JlLkYt)#L*H8qm zN8wIS9ww!9c`FhC)9~;Z6-p`kZaisL?W)F@r21c-K1Uz_7+*Ag& zic!yl-cee7kLk>Y4y(Ol$l#%x-rv8x1eP*KxA+pN?ZXbgm^R5U#tZR{Cpg6oaN^8g z&Qw?9$1)c{@ibZLnA!y~It~ybUve5)^HIy=PotRc#ym~A0U2A@j0XxgP-fUo^vY@@ zB7!!VPX!33lJd3Br=GhyBKf21qgH41M^)04- zr7hOe?vtb%N7&az(0Wc)>a)w-IOWNn$@IWBxz53cu2!MO6A{G~Ow22~ez*w89=_jK z^T+FD+<=c06gAaPt5@>Im3UE)WR!cJJteMh5w zZCQ+dw7!?;@;XrYF;spY4$^#odBuN1GGF~oLFW12KRJlTgl?)&-A+L+r;c2l_o{Le zp81skJ2K9N=fbTAmFe5XJICvHqEcgwvoEJADa?I7ZXCXj3Sp>{?IKij+jQ!0&ku-D z@>LZ&hge56hfjJW`z@P;^_Ax0L1wLkoN}!O8=a)fqhXTAw8!*99#w-62k z20nok2l&U1+r4x{3?%a$yEPni z`HlW&FjH3RQ8Cdy+pf(L*0{sTn|Uj}%P#r`DdhqXUhs4!sXa2E3crprEvtD!kQr(b zwm0DuX!09^A8etT0pd@xS^`@unqy#q8l)aWSLS=-gJJfLNv`dw&A$^x(2u)# zOT!hhu?5|4vIp7(i`CuDS5c3v;lS4)nls^cr-zzHWK|6Ls9%J6bVN+9=Lo{6pM54c zsJbin3ST%39Eetd9JXR8q3RE=Ztx#YPAT50(X(~}#=LLz!@#<;h-2kp>opg1f|sDr z+O)&ybj92|lMhH)YUso$zpkB+-}w6ro^0=jiMQX3DF{Ek6qBqMV3N^elzv`jI*w7M z?54P2_L9r`ITGX4*hGI^5KFWx-0mmqFtlA?!a^#PToFFcI0rTB0@a%kDfos5 zQ5x~dkij2#l=kw?FQ$N8#C?z89Q8QM7{=gOV9~bpL`v?>VKlb?a8AwV#`nka#nEJWG}1 z7t`fc_$omCC$j$e5g73W;IZG)Qt6g}yEAtJa$oc`iH7QL`@$FjBhV1Uzb4>&rD{>tUY;cNO-M-K3f2myp$64*-q+f||exa`hHXqscw z1MK@hIneR>oz`IC`p0L|AyUI~9o_-z>+N?3=>?nTNlRZz|(N zFc`J1&OY>z|1j4S`tP6kk73({ltJe>*usn}sMYG;MOma& 
z$Nb|H|2}MLnTYM{{|6@ms8#%P{{LGi0{V}c_}5GX^zRSw=D%hlp#N$T|35532bjop zV0O#C(DKvYw)<~$2N3E%jmW_Ieg>l}Xm5`sH+N53@sOL~%&}Z*R8o-q+`!{pyF9aW zsQ2ZNLR`B{(cpK1n`#qZvb8-+5(;M?tSvp-H)@`K7Ex(mtS)Jvhf>u(SA6q9*hd=& z?TDpYkJai$OcI=6B?>RAFK21lW@~1fS!uX+>N=GGpj_QWFJggqaQ5?yRz1lpE3RgL&evkDPih_-Urd{;U5POGN*E%$~^JV8W&F+4EuO1SU&Z@-R#il zaFfS_BK`uL29}}FQ%-}sSQiid4wuNLR6q82r;bQKx^{4R zLw!KJfp&lQuCJ^5`svPz7_)Nz1FX$FdWZEzf{eyTF48|&BPIwkqSb)PJ zSsAs7xt9D#8Wvr(O&^`LSt(jM*yi3Bdvo{fRvgIO0v%`wm0xW{ma4aAj~u+)doNs_ zuyVBQ=FR02Pq?K?m~TC$0#+Sd?{D{|vYK&U6Dn|;X)X}0c-t%&c_B1c<(U42L+t#W zI)luvRRRq+PUv~EvbXi3cbw3s?QF_!{6c?^Z|;Oo7}8EU@QzXP-S!)22Zb#+>%yn! zQmRx@9rm42dg${^jq}o0$BIBG7JTn_AO>D6gQ_aK@{!QhZZ9e7O&Y4yLeqUZFx0zk z;pAiFw?uQhA}=$FRjrWUqX|wQ9YraOM^gyNy6)BE22a3F?aLA?HALU z#xd0NL7L`|yG;*-&%DF!@qNH(X2#7pK)imG+Bl5lhFkruj%gZYc!k`y|f)kaJCt#E~rhT zmnA--iZezb%1dM!BAm>9EQD1qH?$rfcXYa_DxguVETDLS#ARo}ej-+25I57FI}U#a zjoTydl3as>2I(I_$it1bOA9P(Sq~ym!n&knA59OJK|$Utd`&XS#Ca2%BA$_J$1q3J z2N6s`%>Xv=9NhHJ>+;I=b+{&d2-nx!%F#iC zUolegi~}~Aj_ks|HWQD^CR)$_{M@sI6yU!k8hX2!kR^oceR6qm^Ef5EmwRIL3aPid zS@3lhwwF=#z$ITaGU<%N>F;wQt`Z!D!ZkrI$ZOQk1vI_BG+giFVV9s~C?k=L6I=Wu z@Ow%GGAHMvvPT55?Ag}~+B5N+bW^f>`D`e%kb%Qo-v_6PDq`hg1kuk*zR5K3^DZh>z>I zA}haAoMAR#c4`SZ-6QgSi_NT3lXh&>vPbd~3g)0(#2mvD0_kRa_Ml!Px^vSG$PZD) zCQQPD1V-8NS&frBJfnLPf0TXiOU_aLL zwlc64%1vhJxqiBxl~l$#Vx}kArA@HIOk##aKirM3wx}F-pgL?NjXr~qp(;5VZc6IK zlDlry6uU~UL%P)@kE=ewjE3XR)C}RQLks15|Mv8bBDtyG3Y^R(C>4QjL_sl+ zvDg-|5*dHsP@j(&!~D}>KC=o#W#U}Eujvnk-b~lUot~|W@6ma{$q_d{)4m~1filB+ z5Dq5GkX#2Lutysg=)=gNO1H(WO$O8mDvdMFLxVof?ZbG!CVlg1@Kpb^DZ87%_;1>_ zNIawgin1bstI{HbL5p>WX#_u`4Yp>11Td>Bd`DLz@B{f+pVKNc_4xphFPX47cT91T z@6iKACVyhf3}V%j&ND+8DHm08qnwl22F@^J!VSSvg5#7lC4jE^w2=R?}Obs^LNrZUgEXsrv^FiO|3~Uzo}U~(fO{|C}V!!118co6hjFoKaV{WnQ`sXm+!*o8t?hS&51O&Nd#9tU@3;AXALY2l)aCSqGg3e zS5@*y@H4pV@B{j}|PEU2OLt8-if@PActbsVUW-gS%D0 zFDSaTDk{j6ZrJu6rq&;BFuO1alG63qk59^ z80aYL0QX|G0^bm}N)EQk9`F_HBO1RSUTA%2JaNs3=WX`)?~6p(OTbBI^2{CP8IMfQ z`0OMf+tsFIZ+9(^+2)OSn{niUCctP7%It4V$Z&X>`@M@|q%b#_nF@h5O1KHY&(Zp+ 
zzd2|J5+P~pk7BeWSU6ZPtYP0x5W|bg8bwk$x=K*lxmO718KEu@g^72djv9ns77qa;|Cm)&-K*G`z|A;@+|Dv zGNT`#m^gYW%J(ZDEB{Q)S7im%hQkKO!80G+(|$VmN5m^sMz^RYX7QCdZ-IJzjAIo& z7vsw_F&g2es4AMZXq*rgu9#MK@~+Fbb~le-OnrGn=1{KjZHJ08eWO3B=4ZS$(j4zy zaVNpy*Eyo&F^ZnLr{32$C|akc#TXrgE=JgA~S zt}_PXKy%Pos@7R|j3{W2Kv^FNA!!(OMf@|h(Z(l_CegQ?x13g9l|1Zi(NvZ6@#`el zgOewtNRiNm2pKlQk~Bw5+3e_)&Ev}+jqXjkJJt6gEIr7s%jhe9_d%_wSUxOv(1Eth zS#y|&64*sEPUi1)J=5osMykJl3Z-XyC00-G0P^8_^5!zvB+yMkUd?ydv5pycxn7qL z0@gFBDg*SZ_2?^2itX-wHO~v1MhBa#kojfbR}IE7kBV9hGNuN!)E+x!KLO2}J3V#u z@UwP}QrqWhB|%f0##zQ2{~7Vj|AMp!HcE}-J7KN9t6P=0iTIhi@U!`PzxBEALixa6 zeAg{W5P?4F>1n~K@O z?Ux^~?p_|?7`gUS@zfUIWe%?1&2RkS;;j)$R(-QmKauK|5~h8h#rPx=;A)K1NO%t@ z#(wT1Yk(3K{Zx*qknz614fGc(5_VT7;_IuV!mN1`^~%*P%GX8Ho7C)~DLm%$oMu<; zdC*4F7iC12XbN`9(3Sk`dM@1dp!a9iY*#(TL~SU?E2I0X_MLRmdZez-r8;fX4`+Ka z$)3gxS3NrV`;0xtlWg}@{C5`dke7gydDX6U(TL^k>jxSPR4x*B@h5ZZ7E?an?A68F z%oouJ>GzECY3}?1g{t^TPq{^+zocLAJz3_ZL&a6X^Wf!kjAG zq&S+H`b<7RG1}?<{fJLJ43 zlXABCks?z-!a9K$i6n&vZ#C^a?U5uhOwDMsij!g)m$xxdfXQvqC@A;#qmI#sl=d4( z1)^L~pSYS$67`w&l-ov0h}mseyzPjfVPxieqnW_el-&{B^UK{$Fsye?uHW0axWf4( zf_oy@TO<58ScgpBI9ZGIs;awnFZgWn6csi*Bw_6gtY6riaO^PFoG<6kWQoJaAJEby zVA@tdddFZ9G<4vEU^di0^rJ5DQCvl_A zL0jpLn>R9%hKirICR$I89#^}7)U55z>{8Y8gT}Gg2hi(J1KEXTr3Rgb@?V8VlQs)j z2?`vQCNj9Kq!svwg2{SB2`(b9#K}s*#6_V=`Qce^71v`w)5q2E>QS}s+eyZmG|AON zRu==%!L`Sut(Q5s3;@c+Y|`kYIXEu7G#P4)_}*JP|AbMSH=E5%FoENC>;zJLF~%fX zv*d?dXk@T@jub>-ea5`>{m%KZkUq`hs!?mYGTHg7DI4~ioS zuIAA0SNAkkxCq34t0qM-J-vAF3H6i; zV-yaeECQmPW&s}O9FXl@WkelcS{vQEiTuTMDc*pc`8YJMhf5&*qrp+vN942lmzwVG z0_oMoKfVct=~M|myV4Ag)v{E;v+L=KjZ1|~3b_;oMyBk6O0Pjny|IqTElD|QVYu?J z*671lsMkTlz5|mJ91&OnM{gVcF6Xj{WZ{>3M>WTrx6V}0>JTwB@d>9un_JNP!3Ayw zK~EWuRhEvO=Q8_O4ivof{aT>5&VY*nU;+0r=-Ptb9j}vHfVIosc229UM!y>bYYZ7I z_1RdBaKoiwXA{ze4EPFMQ~%pD*h^3O_0T1i0-Zq8s#&*)OLOLe2tK)0Xdj-w!OM`} z2n@mm=aG4RjRLULO*JA1bZ4L|V)QoVD~x&`4%z@UjP8a&^95ZvDEGg_Nd@&D|MMn7 z|D}h}Q}_em)EAYcu#x+kIcE(!y_S_Pu`tYQ5-L#*H+r`NU_+J>{GOOT7&IWNmpCpU 
z+<34G72=hsYiQ~9TZH?(`^H+j2i0W8wGp!){RdKytQL$KHXCjElH7Lu(%g5-*;WMN zovtzx*9Y1F7_2FkoXBpYJL8&@Gspa@Pp2_j*Da|9MB^Tb$EwDSp7b+!UktSheEC_V z{T0Y&qL`u`%Nl->O{rW_6Z{Ir#dcgP+F?#r#aQP6A#Ch=xuUbR+F+apv z4fetN^>6%SJD`g2e0aa}CicoFI`E;0P)EBRLVJc zq|cM`G6O9dLZa*E_>AuP$KvDLOCz&;$KY(Bw8Ui+#X${N{sZdXHD;WYRpMK#FE{+T z`qXKDc;Di9a{MQn1~7z|a+=1ddh_sw;*lY}?$6KFZ=pP4nVoMa|T|Dr~7dywq>KV!;T}tXP4VhClCJ{pxXv&M! zXLA$D5{?DKI0%?VTyDojjHWGS-gO>+Cx)I#lRfi!EYQ~NM(r7535H{EH%Et(7y?^K zvw@q_FJj{0k48gMb;xJJ(q#6Pk|cuV7g1Gbu>PMj_*Nc-ItFlKvKOb<&*!9DU4}5x zw|1N>V={FR`inCI@C3pD9<&mh6a%fq2#k1LYa>4E++99ExAqR{-$_t_nQQ;9a^P{_Oo zI`>51+TrY{y+eWaX(>++TH*V^N%M1mo^gn8P-T7xT@k%`YOM3h-d9WyJ6QXmVnh?m zgsvK#ZJ~RmXW2%m&rY@N7}yD4?$?|XA6}e92SY40vph%2i3JsE(7=FEf=af@F=dv(g4H90MX44<-*uvU0qyxc3NssYqw36%$ue=`_W~?@hjbp(yQUw9fOD z9F|L#`}XPkM~6?S2`-WJ2X>8j;lUd&N|w1+)^d5Nl_@@()A(t`S(6$DaiF4{91@wi zuf@EdPa6nDu0SaVN!mNN`2FltcY=f6KzgeA?5LkLBEXw=0jzr7FvtHC$O^O@^Mg;k z>CmJrf(f3(Vp5@p;;kx(@SPU}FN>{zs*mTJtw= zJtw;p6lixM+s&Q?f+Qy*jG_rLcZWu)3fDV418-fC%4di{^L6^gdc~S;5ijodyme}o z=XitWoax)dmXOh}(w=wCJYne87uEB|J{4n`Hu&0HFi5$Nq;k}aQto;J_%B+_K$;UO`-*QTr|<*mz2XZF@3ol#q_)tFg%xz^up3%|}={H8m?W|UbYu80lr{pt&ZD=9$cc^0|;kY>##699nf^`C*ASA{LbVn!I~3 zjic=Wi=_=%EJNwF5LhcqYa{5GK{pbL4jS1lpV)54!6rtx1xx_o32nSWUyc7=_&vK_ z+zUNi-BxxDhA2vNqdQjYkhT}CFQ|F+pU~nI#|`laYHJ$QoKL$zzMQ6Qtx@D-B%p-= z@xE8AUPc~8Azw=+DLC(7Du8ir4nl*-;t&O5osQ0I~LYj_?xGPXZ7fbqNZKj!$-iK{kGKBY4zt$lYWKIxxH9yUJx4CBz5Ba$_DIcDG zPr0om)&ZGJ#e6o5HPO%+(HkXZlaFO8>VC`D&&S>WC}@FTUfhW(5U%d=)?5*e_yf8m zOv0p#Cs5tTUL!))4s;l%(pg~VIoju4osB?t9Hc(iL%+uCc5DBP<+(I6601gji-uI!1?X9+j;TP)k8`~O^* z{%Q9rB=Hx-gdnC9!WjFhF3Ulji>Zy38lUs2cN(5FRq6$&e|^~VcxBT0WEB$1y=&NF z8JVZ2RDhZw*3l1-j#~;ICe>DXac7RJC{^p{%=yPwhW)(NlGb*?+2B#+rDw1VzqY{R zV&4$2{4e;#{G_69l35&YYq|!cjaq;<_4WLIYtfz1aw78Vr>K%C!HjA`BjY$x?F7}N zNm*bfX8hyfdNWc}x<6&-V4GZ5+i~^vHg|>g*<<|7U#Ex|e#2~&1ewKvAOU1Gb_I3D z)J_k5A+?K0^Y`1H??iD8w^zP3zVmS{LFC1-=ArxThc#G^ zHu`@EMirHm;--Ce1RpWOoqSha+gmp;Ar&T2+(=QXlVJM&i9m6qV~!_Nipo1A^9zty zeN-#nino00Z=YO0@50MBW1P*f!uRvvmw`P- 
z-thfMTU)S^m^c%IaXf0NYv(ZQs$*pQcJ*b)J!zKQ!*p2$;Ahm^_{uV#C2TQR>VHeE zO;(COuRZwYjOC_+8s^-DbN!i5B&xDAMm+FMY2fbkyIbZ^(7@sWOCD_HYyTe~oPO;rE;R$k6IxrAcbY(4pV z^KDj_30c*!T`SWeKQ~{LR)FkQQ1=6$PrM7a*WiBu(M##cQ4Zghqi0aL<|ENn5!%!! zO+E0d^R$iZQ{{1eMsa+Cd^~T-g@*8>)?T;Rm7D}P+KL64TMJF%Aa1>PwNyF*(LfhV z!-Uaki8Ps@hh(J9yT3{^+6AbSgIx^kJR*~5TEzWJ;gF=U0TptWcT6} z=sC3TUir&BbbXz_K3LXy?=)|~&8;^$5XT3r3R6M=1X`*l>6DkoS>{=434M7ABg)Up zr%$-tUQ8D0l|Osz$>WuDv=U+D36%ech|^R3Vz30MPg9|sdvoJpvnGvr0#bY>mt#5~ z-Go>cIQD@FUxv?8!OP__Ix+dZ^Za@awABQb-wWPn>!2564e_OMu+fgLY zD!?RvI=HIJJ{f5PGIVmkdmbr-wB9WWB#L2Agxe(CvihV8{5rO4GfZyu#Q#Ivdq*|(b?d@lLlnhEZz@eGVxbGf1_%fUQlv%& zqzQ<02y8{EQUnB~NThe7^qMGDYNSRw3B4zj5Fm+n`FrpA#(B@V?>u|c7@_DU_C zH9TK563s$Yiz%ts!28>N_Z@3<$620@5&agAHQJZ1zV>z@t3Q*-`s00cnpA{u5D3<= z;>cqjPP*s1$eC*9?82)@{SjP24 z!zb#8UV6_MbDfMKir=Em;=+|orjJ-A?0Kf}y>nT?inHsj9dQ(Bn`Dzf=w*(0do`gs z`l+ILM-4R8%a;Yi)TEhPbtQZ9Bz^n+#LqzeEq|j zb-DnN)r;ac_1WwJ| zWDWnEkrCg~E6v>V&upe=1>!Bjb$!WSt4$uJ7U+0EwOaRLjhwbNU*Pkv*jPui(27Ci zt4p5%v2G-S1iwWeI#GiF`AZl0z8X3J^@CDIR|hGW)k)e#(cUTdrndi^&0U9>Q5}66 z@wmTUfxztUFlJm(hImy=a36Q}#?UDL5y%j|_7wpSN>W9qIW@lTh; zqbM*U_BOFd&U7$4!pfw8ams5sfZ9>-U~YT#HvtPZ?)l0ip0HkMd^GQByiW6tX=mR}9@q*OPlQfcm_zns!@4e#*%kH157+L7>3yi0!1A6v zd9&{>!7*nLGUPLKvLwi(?LtTR&rh*qC&qrbMmavZoBw|lP=8VHsMt29o|&fWmf;g= zAR^tudBMeS)d9_DF*Fgrsxc*Lrql3Vr#5QNE@1e&c-Cdf@^3dkjJ=F%OB2I$C_tA= zvUD_0zw&2YAcT`37V5La2X#X))i4!7oN4zyP9C6YCI`JQP7)ogU7YuyMXe`=i?B@T186DquY!$w;5P}+rK zTj3kAiSu-0d?95fc|xp8sR=SHAtk799y zUnS+M#~<`v926ZCzD8hsDtPTBZ|aE@wO=|@<6j+)uSb}&qjDz}=@*EVD0^Gi%yEZe zrvlUFb~l?dfm9|zR~8kuA6)Zn*unal!AYJ){!iS^G*EorV3}%f;&yns+n<79X|pwpAS0^336xRl6eu zhfy4<^{H35)40udFxv|l{EDAH+pMQ=F2IPE`94Ur|_V89RzIOtrk6}KU1tJYzoU>p8l!*BEXTmP`x6TiiYFLRfV#80-kFlhOSkKPAVfkq358b>cF z#_vc0!5gQcHhs6`Y>pO};V6O9ca$XJI{OkS1Ia$};b-4&3ojSlW0Tpx_yebh@>xI09ZD_W$V?{&tM)kmsp zf!!>{r*d&9Z&c`x;n$9im)>IPdT<#4*7!jy+9!kLfIU1*fSg_PLrkM(1-lRjvY&hb%--RA?Ea$DP*a0| zVeb|Cs1@jPU?g>t5E0Gu<&zDU#T)3yp_l5KvmUHr$fF*7XU(-xQSf6j%Erwcccvf3 zJsd2WsXF%UDB&W=7yOPYSc1sk?H53fyLBWT 
z$?qu0ydQbP%cm?TnFiI-di}p;D*776iiAUhpXj|A%euxX7&lbE0aTk85`U~SdO%wM ztUKY34TVNPLDh}%CNfO4b6>n*K7cy^3b__NR6o*yBf|lUERjBrAs74X25IOwX}%_GoC9W(AR__~b%L1g% zO>5BMN1xSH4GKf?ugh!RyiX{5ccAMQPj&lG6cEFXYlLmx2>{l8$}1GwbyN?5%?t$q zoA7%ckEC6|6?Wtu9E9+%yw&NUx*#s0o+N>=MH296g4*!{dlz8fKjO`17_|Z=mhoEI zn9d>k4qA9eg@Kx;^;3Y`HWW=UPdojGA>%9&7+sM4uD=T?ZKfN*0R4Y;-T!jg0lI>H z?Xg9OWt(=q$y4PVzYuXCIdU!~=c%rTWN8m5I<~Jl(ba$d249iM;h*Ex5w>iz@klfI8Sg~Bd`9+zlK@~+X?}EmJG#KT>27a|&03+oi>R(-HVnu{#mQ2C@PM(`cWTJPp96N)I|JG?mi2M|NneiO%VaB5LAf*tYsb5O3ZG0OgJ5y*a_% z;Tee7g$Bz9NrThD<^Tjz7r>ISA!5LiS^C59&ziBUQ59H<0^i+=p`)KB(!VgiG>Jz` zBd+(+dH*n2{cW1#0~=LZzp<(l8JTh|vH&v)%l7%~hg;PKHI;3&256O=Xi9gOW)WsN z=>umC4vY}&w5~LMXGS&I=DggI!+$-c4z~#cX|(j(U+Wno99!iF23 zyO?K{KK1qUJe6-FrlwVbOHO^(c=f}Ad{?94bdoB_kP{2*Z2^xdst$Bc8OBh6%8Ri# zmLA0C1yH~;h$J((&1+2EOQatF1*Ih#o(kdOAY=)$n1=10^O&TvcZ02>7YO0hwL)8$ zmLUv95@3d5nM?Ah-EArA;Xe!?UTJ;n(zAe3#n!oiX~`@BtEke24&-VKC%|h-SGNG9 zq8F1?Z2`R&2%8U0Nm1X%T0}hyUj)Rkf1e5)t|^-R_ei&!8{XexV&dF&4e44$N9Y&p zvNP2TjH$`GhoNxIwU6jI-qIDfay?bo59f@AK2IS}JF>fu|F+}KUM)%*R&Gd*6@2pH z<&T#yZwmy0R85d0VY9!ncJg06zU^)bzHM&5toAWE;KBT*l0-UNbcC)h^D^>ZH?pw=!W&S2ZxKDw z&>9C=^Jj1U=Tj6M!~sqaq&@w%{|EX!coycsfT-T2vk62+>mH`O1C40JAo|7Edr?w! 
ze=U$Yhh|>68>i?Lez7|={gM1Z+>vEcVf|w5{wKVm>0y`T3YU&mTxgJrwN1<8Z_I; zJ5*TDiXQgd@%3N_#m9FS?x5LFwS{=oy@)uvB?9w^h&%_IW2Fx8Uo1XRdGOX&G9?0&Oy4as3 zuT}M?S$hldgzm8iPCm3rdrjx2KBrt)f)i#G0qDGP=JbW(7wO@7BS+_F+eH^g&>^&R zB@^Np;xLYS@F|`=R8g!lp~X?!|Kh&tQ9^O6?{n2B_*H~zIqi~Cg&1{^7Jw}$A z)xGK?8|!IXZur-YuCG%ZRkeI2^m5nOmJ9TNNPeGdg5eF}-K>x)-szSO+eFv>MUiZL%i z3M9^rF6bSvu@+rb%<3{Z&TI32`@_r;26qJ}wqczRlQgFnaH%@obx_qk0U8!7R#exK z*z=^9Spub(xgOZ5u|bvPZ|6S5)IWJ*ZN!7P|4aIjkgv!)n|m8)hGf;#K-PNHrs7shB|Y+F08lU>;D5^y``zo9F%0=ahLCB956 zlT0^$`H6D^{Pp$~drP`zTale__IRO&E8gF6)hPTspWH*wSeZ@+2GRM551gAZQG;XN zZ~|Xi-OB`y59m0kaFuDr>kxu^@Y85!l)8?8VNW^4B9fhD(lbk_HMmrDwX*%lb;X@S zu5b019%_E|Q91v{x!B8DTaB^I%9^(lHpqX@S>V#~b#s}^cc38*QP(K=VzCS`VNw*P zN@LKUo*e~};~)tsVhU>NJ+=di7gXfyiCqcgI4+mJ)>q73KvH1@7Dw<2*s-Sy_J=Tj#4@@S zv?f5GK#*PjFkGQSUjR>RzjrfT)la<%8dh(Cv(-!TWALkHx2sDPO!T!XO`LvvXmGf6 z_(3!U;0RNmVnEw+coU3r4RAyq=L<;ekM3mU8#b$IUg=iuS2W@-k9D}xhCOH8D?n_r zR0exLCKw`uE&Devk!ntXl^{4shjXG)?Y5GGgL!q4McLOy8oM%MnG_zGJ$0+E;xl~M zWE_#TCt4Et`B*tlI@9{)mY%Agt%A}NvOJ}njuRLMm)!)|>M{rzaDliD z7$4vfsD=UT00wfGHi`erUH+8}n2NslS4{B|B)*9KjiTF1?Yn^pVSAI$UtymOh%U_j zVQ_}_Ez$jNp&7prZ~@F#7@s$MT77T9UqMx60;Wjd4Er9d`e4uc4RWX!5dK(o8N8Pt z6Susy5ea8PTbjPy0cElZ=g&q}&?J^`8ycAHB)iNMA?Kn4mdFYPmoh3jLC-D*$oLvb zovwidRl}!!fX`}K>pQ0cUSazUP&FI~s)n_2>^EscD2mPQbx~s3W^MQ-)O6D_$W=;g6!y6R)yy&YDXFgK}l z-H4DlQEHV?hdM~TOoD8qS4WoBdS~Kv?}iLq;d)XDhfgRR3wRxOdua%z#mZ`Ls(Ec~ zJdt3fE~VozqrZ=H6Zo#Ir2?l4)0yR9n@cha)UG`%PVDsK2}uf^fMUFt$lVhoWOU_a z;;-x7FD5?4FvGv64y2ZsN$}Yhyez0m>)69+t#4eqX&!q_`}!JnQ&M4VG!QZ_8p!PK>SO0!PGe@AwCD{en%GkyK>(BZ z>#X@F_U16kLHakG^!<-Gg8lSBr~Qt7?t5~1wb=psZ zhze`~&Nh;$FR8hp#rh5*>H?yWafi($v*p7r=rSi*k#$dtq0DBK0Qu7OM&9^y`TGV&kee|TDdnJ@$>3wghn{U{0DGI zoFPe+0EMYYQa&uBFJU-v1mQQbYTw$ zGG1z^|5E$lXu{s}v*BzsZceZ11Q&D7 z|9)O7XYKM?OGEuqNIAa3AMP~>#79hdL;jO*0R4w^unmtuZs?#70TY`93|s!mGE2i- zhyC?{v(un^gS>%)m&Si_1!C^GrRs_5FI9V0v~J7vF-~iZt@i3Dk&kg z5EL%><|J{s#Bwzz-Q}hJ)STyYtz%M_&yyD5gL|_N@rgd}%X-K34C(Ob1w{RD|8Qvp zqiCilDnqP+j0D(yyOWO#+hG0M6X$+%=?-vjSw+;&=JTMcH-r=O&<>C6cb9xVM@LI* 
z+wmA9SKK>ImY4XI#f_F;{& z5yLg>iU5pz>L;uy=d@@Ar8%KdvY+9mwP?-xmkP>1TODJD=oc&~ zwIj>-``p_tvU%Vu9k{cXek#4&HKrdL4=r9lPGye8-%Atve6ga(SiS#K(c}38CMuh$ zyuR)z)4r_~$ur%OFC?L-WtF;h=Pt29nww%q>8kr_n^abZD1oyUmbuk+9)B3#(CobV zgNUQ8Bd=qRlt*j!I}2`nzA|IZvSF@P)Xe|;CsRJ#ZYBs;WBYsJ_U}`~es(;Ur8AYi z?|K^ey8+GB5-@`M?_SAEqh`&@`Qp3BAr|FbGnXz3P=qP5DiU8erHG-oQ4>@N(6eW9 z|L-=6R0a`kCkD9yJl%jT#Ns%DpVCxJMZiki0ftU{`QMB}U4KN1bT9u_V7pu;e4IWfQugS6KDlmDvHA zo9%}lnl)bUYTIQTi2KgA1@y=HZjhCU&(rbRN63=4gn+7JCEvV@(WBZAc-0DfQxCYt zq`mU~j(XpX8U6;O*Z{C`qtta#UbGNtBT%NizLvFag^q5}E4oJ794fqid`D&qOq^E{n_>%K#)H?1>0wngl&nIP`#*;M9X;SQc^$t zgl^1c!#O>;<|}^Y{YOyOw|}K$>)9KY$vFUxw4zU7$dTTXkRWN2`tdRHuXA!gjBEn! zm#aW2e<6yaTZz4ljC_BUc32>EDlPmE!yG91se;i^@N2k!X6z5*umw8Q><`1e6Xxp?vi&vz1b(<@F-qIo%QIEjdOw=tuOoC{$2|-&{8jAa zd`dCQWpM5x)Ntm&_x)!LsMQxjk34LC4whsk`%a7&d-_?}L5`p)-Q8}-PZY3ngs?z+ z>S#UCo|3Y}khJjcsn=@yR%ZsF@~rwdIri**_pLZzJU#yUvEP*O2Lv$4v9^Tu{X>?} zLSjL2Xm0p-gJRW*E7z-ZqN^1y-!2dE0?s%!6w$to{ca*l74K!D0W7I^!#GP-s=>$W zJMaOoLcQuVzzG8%)>E%gJVcwtBlR64^(Sxra`$uf%3s21T1ZZdI=n9Itm8irRnb=o zD}I$cK-^W~E;hE#Zvx3vxSyX;g)P9_8hx*%;8U=nD%anXlpj~1cjnrQjhY$Nw<1dY z?!8Tf1zCAd6RJX01TDlJaA_71kYr`N9i&uv)0&S>kk@s|rvyoO{#Le-h-=(Q<0A24 z-XjFke~y@{+CL%VWXn1pq~wIgnq;+|RGj9o7zw}zoE|6-yYLI~6#v)*cFeo4!?94H zLWF5#wRc$klZqYE;j7@=pE4@8EZ;ubKT5MPn@o1P)WG|!N>5+2Z`Qo8SFU1LUkN%X zYbnn*>diz*Xdu$@m@?;gBM78qPrRqns8+nP;k1(5k^)=0KzIOvj@#O(=O;wZ&cm$e zW4huhNgF%Q8U&|V-+8cdc$c=}ciz-rI~*DHCbxJiA)$%p)D`=9KMKj6Fxo%^D|)HaF25psfNi3Ojm(mSa6mlxxnUH(<7M#3-_5 zwuA`)ZT=iW(){3i2B2aqE5P(W$YSP+uSyx^p$s$&{j0KO6FH5NnMKiQYVzd2Qv0>9 z=-H`Tk{OXAkH3G1%Q+JmrrbsvILP)iqz887ZnJF*zbs||g}7`lg;k#IiWW%+K}~{P z*Q-;|S=KM}^1CJMs>wIRxGtW|?$tSd#fO0`WSdO0q+B31;iDrEQaSeMGXq8LA1i{O zr_pz+ZK~47PRhOzodZ2Z+*0RdR;SK?GnBOS(z2eIpEEZL&5xN%-6*;qu_V_m-{RLW zYHzu=CpSOT)}dIRc7m1&bK>!+>=%6B*gAABM#SpUw;Lrad1j)=ZmD#1!_B>y$&M5o z(jD2F0qTus&bAg!di`KI%_;E8Qb=_WsT*;6-^pPp8N13w;3%&SU%TYA>NHMx(!uwP zCsD9k^pNpWVn2C#C_n%q06(skRauPsonF;1qcM9#D1>sTaOcyPDXYBWsa9zP^2z5M 
z1~W~rXjPU|Sr1-ozhT~V_;uIDQtV!vkf4-LPQS6fGmXb<9TMyS<(X1Jds083$#5K+ z>z9W@#m!4k!k_QoHcDW6sSy_bn)#r84-<=c=h8%Rq2=;O_FQhhg@#|ArDp$_`GZ#* zH+d683XHJ^A8q6=6<%pu;Z!uVdz#;eQt`=(O9Z|nLLBa4+*q-dBucH{4ag;+FF{=b ze+eg}VE0Dl!Hy{#Hz7A1VTncMjDiqSroIv+izk$q_`LFYK5hvP_~F#2{JK?Im*%v{ zRq*&bT>YLZFCU|RHpw#uDjbRkA4)OmU6V+!tgf%DE)O2AY@4~>iCGnH3?AK}uf*UE z%I_4}=;Z>sBrl)h$C_C^k@cL<0v5ih7YpzIFx0xid-$MGvPpXEgnE>L-3)ZMBBu4I z$~$8pmEtTUth44T_nXZV#Umq5;g>qo4Qz&YDnsU(xLW<*Cnh6^tL_K{Mz z8VtA&wJTE2{$Y4#gQaIFcKaCmqFQx#Md1gal?OGTlWB+vO6<#RxMAY0e8$U=w{0}c z-V8`3QkE@Y|SB0%HrgjiomB>EKw0`4IWX;QAz3PYtJo}w2>@;DR)-L^;ib==5$COPTg%d4KY$ic#wn&VgJzWzWtmxAtD`PF-7MnmrFoZgC?jU4QXe61LU{TFhRFRI?seA|E* z$Q_yMqR%5knk&q=gb->Zm$z$5su|)VmUgmxX((4$2a{sehR!k0v*Phy&%$r*h6i&h z6ix_G;`wIUS`>}Lgh>e~{Ad4d>}B^wr;f*6h`PE{oQS55=Z)JPQI`@d);i-I`z^N6 zKXm1G(y@-P@b+Pg@`}-1GXWhF`XDHGF5g$aGm3vy5jo=sNtVZYXZ&CZ{eHUDHT85% z8Y|lpjG2Dj9?5obV70Gt|2A$b>5Q`0y}{E)gx}R2@?x6xFBnIb?#nB;if<+YHQ75Z zA!!2DgD6`RJ+`l+PHD* z_90RrlS=$dxv`FbaC%6y`q@=c1+_&t9evIHh2iU{%c_m-qQj4YsNYVH)eqQz0wb>k z;u-=5CO0LZQ5?M&br>}ha1;1`@4?!4h89n&bV~j0_k!I7h?emW{?NY+tV@vbzxnZV zihFKkK-^5~q>lkIXM=z45wLUb0H4MMT0Emj#I#0l|Jw85Ra;s)DE6U6_wL(1bY*XV zAmU!1`|-=%5HnT!*YgPFdf(J&SGS8XO+ubbR;F9Qa%~VqZK-ljo(*MEz`MPn9P1@ki~s$dHB(y zAKtHg{0BGuoytk?C`msfQg=dG-ss)yB1vCH8@@mH9#;5-cir>^Pl{#mT)lXIZ?$k|eI!c#vob(8+WR41LMSn;?9CpI{N(X^3{ScF4 z?IjnhF7z^K)@ldi{gR2{V4Dm9&f?K6PJjaiqsNqRI-l6y1iplNt;m8`_0T%KbjXO# zIU|3b>_AY`hSDjCc-r=Su*|aG_{H1jV;z~35-vYxk$CNo<5aqeJ(4lbD(mCKVlMV% zNvLpqzt7lNO2@{ZhU*-;z7QX+1>QIJ_zW^a<*Z`Viql33qG58o|GDDMqU9jTkq{k0 zKStS*I=zrca!}zT@u$X`6+KES->yHErC+-$@5%odI?rFT*n)84O=ZO@jN|{d+xgH0#DsWD}F~>B!2-u@9 zy}#4D1s&%C(e8-_+4aL8y`1@dxF!*?Kh?ROugG&2rl|~Vp+Y83fMmBDesp15D=Ehe zb$Xe7{+hWC^3{moggiE2)zXT$yvQjLZ{Op>##!CC+NhXSQZ(Dy+i7+MYdtFOGNP|N zc?fYIwmkZWLGu|ZsBleSL{WS4Fyh`nAMt|ELJAd}17rxI)JS{4#Hs*&1|9(G7Pm14 zYB3QI%7X@SDswgfcyOT=TC!Po?<*{iJO@AzGb=eN(>`|>W4l2gRBXfWJG)j#Obc$Z z%{|xXJT9H+(kfj!#uX<^=&ck$;`?v^nZ>`Z 
z1c+0^7-AaWf(1*80@6_i;3^bOi|xHgxE@_TXEeGEJ57>0t%ez(eH%`@4x4`LG|?wKqh%Zy+(X=m&6~PXU9F5`&NX5+d1EXjJvvq z+xD^`RkPHn8FBFjGo_>0zZ^h=8xAyw+R2FPfK!5`Cj)%jbng+Jxrxxt3aUaYy_&jR znv;8wcp5uyUmZK(0RpzFTOppG-QT0tFBnU7WQxXq_mF0!9W#zasMC__#Yy5Vue@Uk z`{uneVPB#q=KRk-baW{%^4Xxa{5VuXU~GNq;F4&^#VBl1awA@@o9Vf&eyUhoY=*X{ zZ>moEJ`+_MUE%2coOCj^td)JYXxqqWz+Ayq^2ho0IMH?2?+3pYo(TXb3~R+EORsF##SfRyZGVv4-qmYjM>e9&A+C&ayoY|HA6SdF)lRWu| z&WUNHLHMhro|SnoGQI~|508TVhVb;Xbob9%E!<}?-7lqSHn>%NfS&a^pGe}VW3lb4 z{loCjv>z2N%Z%2g><=gZz{k28WZKdO>3Z7~?9CcZz%C<3J}4dgrf$Srl} z|H@XQcN~*jiKRvxqFP)il5py0xggBS17K46mX~M-|0`xNn8Q@b~lvDpO#HVZ-K}=K$*5iQL)t&`Sxx;}J z@_!rH?gDK=;o1 zC%7j*M-%~kvxjxYu|<4WH*)C?>eMq^?Hr^?p&{|!-pT>jCRG@$JLs=XI_8^rI|M|V zaGih_Xj1_iMbdGoPs{(7Cnu-!0R0T$yMy#$*8Sy15GcWLcbASE8P-)vH8MZ^rjim2 zX|Afsc?UKD{(uZkSF6@+T-N@fS=mPB=|K$FMl4mx_3c)5z-+0PqWOi;VA>kqNmw%=>e_9nXT6$H^kbRwHI8hPYA}t0`*PPT z;+phYRMpBKRZdviuOX9_dtmR8CrgC|j!6ITzc?va5Lz`avgYoXQLfRl$^hsCoaAzyx%%4u6~P+dmmpp_c7Z=Ritm1 zyZ1f=!%MN5S3~z+?GOH(*~#*q=h(jo^5fW0b($Z@kKZ#SDf_4I-)^s)S`TIVkB|JV zB(d|+r(rXWy8n?gHxNh!ayZidZ-0HVFtIo;DItvKxmP#&R4_|6}R`_J8fa3G2`voq!Y6dioT<61rM;qKsLedUO zOHr9p{xC#?-S(sV7DS5OV39D+flY1zYI+7JmT!_d z=m)$1mZ~=9WzwGaKno(bx5F`AekiJ}XaukTTsr17KyyE$gzCqIc9@dwRt#wE|Bz9bw4?0n(`uu6?6cB?0i&?X z?LvvF`NLAJQXD94I5;jH9Cvwo8Wv%k^9}5KzOt4vg>;5Y0E2F4eKFcH!uO1<(}87u_f&F@YITa@DK*wy$c#SB=iDZeG}z zzFg;cgty>;!b5N6!pMwp_0OR#&#uK8UX$USDX&j)9r{VG0JGl2JOA0 za#19wTmmty^)}OmD1L2!!l&nuXj7?)v|hQ(+vcA~ImM%s>TsQd4x9u)L6U8Vvq zeNY_mN?hW}j@WNdqd3`OcoT%Ra@f@!*Q!Ywl9Eb@XUcMhJ3}q{4v#CLi zwvx)_DkzOL)~lTxCEVW~g$SU-12MCod!t2LOt+ZE|n%ST>SIoQh?L=wb5c9 z3okeu3~xd!)CJ=@fpKkzD`BG$UTj~MHq4`h5sa|%^zt(vfcRAu!7Dh75GDFk`CM}C z1I}ZJHql4|v&3|D-6=8ZSJC96yre7LZxV#uN5s$=ICPL#R)AH+h={!k1hJ(4axFMV|J z=1*qOujIM+P%Vl)loax9%Hhn`39}{siw)&Q(3X_j#rf@G-6*IW77E!yp~jOZ(Clqb z@i3N!<80+WYY}HV^Y2?3`H1=$zCT+Xb=8$(B_ZN!^vK(s?}~4f2U;r zHfP>D?dn^a7sVvA`b5rz9Mag3EAr|?yj|CAF-AtK3)x*F?v_9eu!8(EfwpsvB&gsFN@xUUX>Wl{w(T;D91dH9D_*rwQf{FeXa~4XR-aX6Si|8QE*`~4`p(5Qj-*y4^PWn%f6gb=a_sz^ 
z%u+RPc-20P-cP?sNhgVGP`svZ@|}G|fe6ezV3oWJkQC#TTzPwWql@RK2Q2`YJNFy`Ro67FiOmm6LMV%SMF^OEUJ(7oH7=MEU#qqYGtb- zr7sdv>gIN016B-7?JtW@==lw+)V7Jo$4@X zeQr(v(&oW4X*!}Y+bMA&c-v^@KGt=cPrW}e?P@LUBl-|Rp`K`%{W&qR-quMr7a}OE zT2-fAIw+OMV)?}8p<(bEbQ8d8FyeZvw%4?1TXYa^Lg?*-IO7VOL}sEv**7iwbvg6a z+sG%!T3lb>i8$cc7wj0?s$Xb&4tiPBm#CbxdnH9ruU9r%H<{+6;}slqS?vrGz3X0? zJiH!&HFWezvnAblNG!>pF1B3$p=dGp9&ayvq_uSqE^8NOcj$&QSeT%E^`O-#}ca4*Pm)6>P_MZ5Sc>!Lk5^?D5zBC{kx^p{< zR29P=PCFQ1b`@C;C44HlWF&klh_eHQlWCz^4=FJgQ%c37L%2_7<5w9>??pT2kNNaT zPv0El!@l;Oc3sfnkmoN3ZB`z%O+mDG6)v<(GQR_GljrIoJz@wsFVTXSkV}gz_q zY|KCHGRCt#!J<@LiWudZCeCt1vHsiX9F$_z;}T1USiK#wtT>}YwT~7^F(WODD;1o6 za-v!K*?y{WMJ^r%yE`hd3^ak1yDCW%$FF}sD-cChrxj1bc}LFX+Uq|yyCdBo^Tw#= zgF1Jd(3cNT_%H)Y+HE#3{AA!Z>pRRr>WMsWfmS4|5))zljA>*J+Zj(6dc;#}jT1YwS&gBm0Qx30O%9UxWniS?~uG=_in7j~Hd91xq zvVJZZ-7z*)H|b$Bhq$2XA3~aM^b|Oy#D%{Z>D8LX2$AGkZX!>$WMlKZW$9e}@&@uFz?oz&GV@lB1`0Ru7jT4w7bfnplH}_TVA)g6VB1io46~KbXtrUI^n>ufCqi zF6wF?aptjP3 z{$OSLjkrZ=m;%`>hp6^k2h&vc9iEdz))LphkcC{4zGT?wdwuO^n|Niar{|up1;7-a z+S_G64RKTW{Z{Ex55o!rDn&wS&Ao2fZ&W-CDq5GEF-fnkdKG(b=~YpY!l6?~1!KY& z+igNyXJVY43_v$a=hd6-q5+jO7E<_UUaQibN2Z9xIluK57~^8H=#R-$-pNuYM(y{q zL5W0(dv4U#?{>uR5$!JuksrTF#`?Z9-CZlcQm_)wZm6;j!OHKvf$8{sLxzFT2k;qzmAn<95P>&%e&~oV_ zz)wB304K&??yJ8^xct0dGDWxI;*qe=fs9%s<)e^0bM{Aby-)fpS%K z`cia_oj)YxFE%6((N2a}E6V#`H?-dUSe&u3ZHaj^10Z71Cb;Q@_;Ry>+eC@+K<%99_oH&?__^5Qs57RE54ljEDm}H_JU$VV7{pe; z&-8b?6+z^CuD`4MwX2E>Hd=9s&Eqi7p;8Ua{l&a*oQeXb?)D0HwQB1&rE@rRrHXY1 z8c!J{UPIWBI;SG5!rZkWR_~CO$|m|5KV{_@y}5U9Z@lFa;{sGqbSQGPVHCy;j9U*+}rrftkF&AR54~KooNy9aDJq!=TN$Z{Gai@@I6;*o&WFz$&0&Dpbl3w64WJ6SPtzrQN|en4>TcJ)3=-zd!IQBS#lcesBpZlbr&Q^ODH^RzJSD>@JM4W zLBQW~6M4~hGyzgssmaA9korbaKVB^;zHIo)*Ig6D5e2221C*TbJ=sb6gOl_0w!d)G zZ6o?&5I=oEfPm8v9Ms#Ik>j(nFi^Zg=kCo$Q~M)8$$7V*kLh$2YqD#!Ea}x~sqz$ z$mIUs*SbDyt$}toTaiy3Y>K~e-t}_f+ZGx$F2Ma+nj9JzMZaYi{ zkhs>WB?r2kzLnhsZwUspN_DFLs&sCw(qT(`{#8OtZ^*6(o&XeYOz&6)Ye;z z?7eQ3XQSkohbXDWpnfG~hDo40CveieosksKst}*ioY=8u?(086#^MP%0ej0TNI6Vz 
zXMq4%^yCS()C>8?wE>_tA~%OvyHRFW`ZTA^RlMaMF;-+g{PjrnlhUhQj$KG}t0={* zx2<-oE9gws6}YS3Y?;0dY-lS@(igO?g1>>ptZl7Ko*&wV=r$xUZ%}i_PrpBmpX@= zi!;fKXU4D`PfZN5{wp3!*T2}w^_j<<<3&s2T&Xb4PJ)V2FrJa93bwwu7k}yXbbQ6bcu&;BM1RXFNfJN%Kf}uhO_=44zc~ww^(fBFwy*{r zw)P$wc^Y{E+bpg-KzMjzF^DCYbnx=V6hY%c_n9cguq{TuzHQ7y{eBrf^lP!-F?(`% zTFxTyoIA4P-4u^Eo?{Q$gn;#HQ#dA*Y0mey^Sgpk`(yR3VOJZ+5x-FhY; z8-@##D-LwWxOB&94!Jml(eJ0*JR&z#s}}Bw!oL^4<8$JsW8Btnse)!FMay2AD-ZQ9 zn`Iz4TkU%0F zbq|Qqnfw9%vXA;wZnKa@>tAe61P7xfLaGf9`?QtD%p&hv|9TkDB?)|+SY7p9J~|ML zDY$x~LZH>vClPexq~y11sp0mGZH5nbhLT$s6HUt$IVBqfXD?{1$#RGN7QA+L+f@}A zMGTS;_0?^S`4&02{N%mm_k!mA4Ima-Rd`PC_39uLSC5K0Xk(-efA|m6B?+ag+pzb@ zdXAb2S;Qov>Yf@WtnjVbFHIT#_tWQk=LTR|8Tap(s&grb@-#OrCg_kvH!3uP?W;%R zbL>&j$`=05!OCuulj)<0e^pVzYM{0OuVLzB>`^DNH0E!Z`q_^L&1)wXz$HX)f*)|5 z_O5v^=VouGtj&JIH#~SJ(f%Ty`D*LA)B;B=IUhroeL%)VfoWbj>I*V)`B;uA@8wpP z>PLx+H7+@sB^S0%vD0G4(i)n+AnzVXzSZ;&SqUYC-Udg>ZziOb?)7n${FWjIT60cINv5rQbt2COl^U zi)o6UzXoiPpj=JRo&$>3gS z)0?|zrIoB*9MvajWaTio#wI;|`*Kn7tAbLwO}P-+=2Y7TloKE^|3Ww0qSQGA1j0W) zuC!4Ib;JxR&Eq=(78q(?yvO+ZT65rZeF5vt6gbCs`A7aEJ>e)diw_MC1Yvvuv}qls z>0EGi?LTy!VCJx4UZeLVc6ktMPO%x|deBA50ePf}(m#w9=e~=7Io~vtz*~>nz!5-g z;bB}hTwO}T-GF%9$zzkkkZ=7Mk6S-3KDfaA&+(x~+=af6gW`NRu6IdWlFi9=L3JNB z^1yByn>W#~GBM)L69{+0jZRbK>F;ffN6S)rW)Auf_Q_#(?6EH)A4B|srKi=J><43p zZ&Mz78^O&=BkIn6H+{b6{1PpEkbG%Sk#C!B<-wr=k(L^ZgyOF$K-<_{1J3wxHWOa* z>vpWwl26#r_sIOh!}1qnwj3wza*gkHO?)A6mnkBKjt4}cKlv)t4PaO|2fokol3$JP zFL~~-{#`>Ap(-8xbZOUoUGlnV(thaaXOA#3*J+Qu-oz7agkFiYJNh3QQ$N)}DfEP; z*L-{U0|>fB4w`>{h>O9>QCs$tCe)P(cuu`yyt|pZ$s^8Y`IRrNOu`H&4X|{rc+c5{ zrXPG0CIe6+$lPxQ^}@(BE+@Shc4GJ_eOA2qPwF;1dAO9J+yI|q2y#PCDRu^YP|8U(a?BfL(e2gy~H?8S`?UfU2N)4_$v^PQ?wax%c(_Z_j-H{(&$6>(}+5ygxymk zfQ9;UX{Zx?ePoaS$TPvM6qu2F{K7{#h`&%8ljXVjNd1z#TZ z+qxc_V@#0^mqz+qhjqTeyQMfgr`L?6SfscO~ej)I&-YerI=s~!IZYcgvj{1M5R8+M~ROaqN8M2~N& z-zd`-X^zb9Z)~OXlxJNlf7bqB`oW;PtG7Lfcp5L^$YOM*wB=!INHeCbXTtjh; z3`xB$9$ZAEZsUN#11tvX@&=!zd;03@^Jd3ZX#4ji zNzlqx_;>j2)7+C#3a9hkb;sLY)W^F@gZz&YaHc5l2=1%Bpv1kMgiu9R{=J{|1n%Ry 
z#r}{JqrQIQzi5vGGFo zNMqw^S)c7_C`&8&HsLT+G9{(f=yYslY$dp~D=Dgg8GfJ8)&Mgg;!nhy(YfXS)_gHc zOho-13^1J5>Oy`Nhlgre$s7hVeLRd`KaiHybJ^%s4&7sE zyCSQV4*g=r+EN9{l%*tT8c8nWrZXBBm#_(~tOTj8x$Uji_bZp{j93O9OZKgdVOocZ z!1Qo^su!6=D_I`f4ow580xXM!vGJhVVeFTnG|V@QU=Yn9g*-p{oL$Ig}LMwJ`iF!D{^CqGMV z#-!PM=AmmRTGof7Ns>C|3n>TuI6TleOyL-}n!7dr_jxGU&|fP0x3Hu=@ab)6Lg=}9 z2d;U=@G2@mL$x^64Zazds4Mxvf*r0ew7C`Ds_FH=e*MmCzE^Kmb8!Q^R*p)tu%G(z zP@`9$1w^*alhPslSXHP)ZS zot+=~-g~Xfc(XuikB4p-#Yr`z05(+3Ae6o9 zcLjGMvD95mjpf(an$Mp2EhuJPczD1}ckkW#@cbu8M^Hfop7jg_S8F6Uv{gbgf@$2j zKLUC%`Fd{7LXY%(*zVnEMaAVoqMimlDsIHYSfo_nECEm*Ghh65C@WyT9QGPB=P?uD z<85pnn;~av;`3q25@)xHw)30A?SQ*R!J05e5^=d_A+zgXj(1GmquOtX*R8=mQSIE1E@51c){P~t6;ojs*Lej@DNot4zC9IN&G48Ux*g%2eg5enrJHNPt-s)b# z-x9fh0}zQXT)e=ygmwJZ$i?*HWv;NLyX@4gqoQYaY@AnSj%#JnxZ?@>HGbN{5h;1J zj+(|C%~Y-e_h-~YDO{b?xQ%`?sw2QQDvwsOc3_h8takeqMAZ3nolDR&MDpnF`Q-B|S|$?+^rpKgE122#T%`IZp@F21>)ExOQ1)e& zKXf0IJ!mdLV(Ms1bN`Kr!l}UEWWJ7~z*y+)+<)j^*!Uk06@}ef!82oTxzCAG5|%gr zWuoX~JW~ulztIgxJ+~>c09!P-s9Z-ezRRauSo%udO2YEPpHp=SG)-3*C#%j;1yHR9 z4aK`Mrb8fF(sdv2MY?|4`onPZ3F$)FvZktut?upEuZ(hChRq(z`r~5}sR`c-jqcUw z80yPe-sr&wDj0^$pn^&fd#yS6THOjNQ8p6KI`cS{uoXj_LSY#_d!CDvNGa`v$cfv@ zPVaYQ$luwlN&JbhJ;6BMSBIrRa(5+Y7q8kvsZfV#bOiuX265(#pso9shm zPaf=fo*Mg{mY<2k%!vL&ovUyW=hz_w@&GnZA#G-AQ$z=t<#LAHeP;zMn}i=(MUH3( zXN6tPu#1f3jPtyQLH^zI*xFI4oXij^tkl52F!|7&^7WmHWU!$7(GbZh3CsqEdZ=|P z;n~z5729b!UDPC_Jp5ur6gPPk$51I(Ad;2+@(sT75t{Q-`heXLdTe&9DL5R+_w9&<#nNN5At-DAj}~e81#0;ES(of#0LhN7n;fRLx#4?CpuYO+D1B(V~%s`otb3 z=0OxF857QN!JWjjuRy4?61#c(Yk2v?5`iMxU7)WSK7!c<0o@ou>qhKm_IS@=oeNJl z*d?r4qYk&zw7b;}@WMgVG4gVU>fl$B^rMFqNEBR2Ac6Mm{u8V==vfl;Bw;eNL*Zes zxJYimW#sytI?Z|HMPPkjH)}`Ksh+>0u276D2qf4!2tj{%6&azgr}@XLE!MnJ>02(b zTeJmbt1AII*Gd`vmoT}xU&&y*If_-dq5EEnkAp~p;|moP6)mu{3$|gsEz>|&cr{5d zY(#*63^E^pm>2fnPrBGCZ{~LN-b=;&=~qj=^OE;66htno1f{5QQ+N)p%8TE;f=k}7ls6wT@+`&PCyS=z%G~PpGE2ItduxEVH zeA>RjeO3T*x{8r{Lsfu-=kAO}#pak8v+{TcPa6%@GmwLlfc{((3KJ?kUvL9{>oku@ zQEVe5MNgL|`D>WzH;zgBv5$yW$H0M+cb@sCmfDWWCgUy~+X#-4&xGf7wm5 
zl9fu|LJ+6-;^KDhcM=^1t-DqHJP#lV*xjKo*sIjz@3sf+8UO*(b=7^VBV%VR2H}>y zhe@5&W$w5epVC!u|2#eS8KsY#XRe-d(2*2H<6O=pU>7>WZjaZ`npr0fJ^||E`so{@ zOp?X>p1e30uOBnGYRxJ2_VVR0$hXGIw|k5e&PtZFr9Sr(?Nz zd7byzN7F?sy`H1F!L^wg$fDDTHK%xt0nlL0-R)s>ts!{Ug%GJ@>W~Ta~kco%sWb^w}O7g|A;0JDo1!e$czvKPQ!~s^2FiML+;%xG=@4a~cx22jN%? z6B-sp$2qo)E!3m)pLh0uP&PU|cl&deh_m1w?q!ATJr3F-Z~~UZ*p8OVS131W`%E?3 zrQ_54HxMdKa8!A*y5DNYT@&MsRShqfkUg}+CUAfCDpN0QF$I=85g-qJzzS189Ji~| zkP-FYb#2!l0i~Fe8@4SM7W&x%FyYejc0;uMoYiL&v`n$%RkzfH1gJE8edHMFOv z`Ru5Wb)TLXu_+z1=~Xi8F%|-$Wvuk58gCp^)Vi#IIeEeB^}wZu()*5cR9j=#K7Z9; z1I^lzenPjZx;6*B^Sy^*tO++ehlmLes74z4vMh(6YaJX&P{e1xA5Q0djEv}?zE7R3 zc17l1wk7k11Pw~qNGMN(7TNJtxdmByaNP!6vUrR8(dp(Hr|BksQ8rxi?>`xW7M zGpyLZvrV+-Yt0CO8~==ljS#Q05Ks4*Gyx&)ZA(3ae@Bu3nnX}6-&%hxto}?}$K~mn zWvcot;xnGr7jjqH8o$a3ZWxS;4M_ROZk}G(=6BR^BtUYa2zP!u>$OdKk2mR!6{F~{ z>AhIc8)%F$Z_7fvJkwEfnQlfvdLT@iu3OAhPk^7=utVrg*wp}QNQP?p#Q+L74fPpz z7XPtMT>Nz2$B16tB_7_V?W7(Vo?5A2L@>)YGc{5&(vuK{H8$2|q!?rOWt3N^bWDsC z^#}I@W?tu=@@j;wcVii;Y82rP)vZqcM>dp8gHd-IvEvG^qti^w%wX%6bgkZLe@cVI zmsWcrQ2P zO8HNY7t!Us$wo46z1b$7`{_gyc2cjm@QF!}aw!)>BRT~7YJYT)HWdc0h0s_mNK8I6 zxvd?a=qPA6lb{N@7H2X121yDk$xvPjnBLaOxo`=T67V6|bX^nRXuU`2oZkozO!5~l zrnOSF3OFVZuiVObQE8i)k$G9+HH%!pk4~O7Eh)R@BMJ2==5>Q>#iAwyhWcx(Wj$A= z71NyD#6xBet*xhXD{>4n2J8wa+AvDRNgia#hckxtIsQ@EJYgR~Ic)I3`s8frcZUmMjro8e-oR0XO;b zOXEZ7(?%TFeagnVPkoAQ2KDr`4KhYd-RcnRbNxi08e5)zwnc*}9SL#h^wA7-7JDic zdV!20y1YLzBYUnBbh|2#H!t__KUm8akKWi!7_Lq$w*vHDLb3`~#F@scSKmR?D6^TJ zkf{A>GZ=mMG_B&;%ma>gvGq`2-M^<(C>g_?mG*=0LgS}K{;NTT9P-;RlP;rr)!JvN zK5tut`0}?1OSpivG`q>p3`x_HuXjpDYl7$Sq1b@7tUbXbg`^J!b)K#2-bgC(n2;GG z^DV(Y6cDXb@#jXqe$4pl!;@%6hG*a~-$9L_wirmAWx6-XD{_P?Yt$6ij%Vc++-Tfm z1CPM^h16^M6WN;{+y%F~T=;$m`BamIP}Zp9FRpB6_>c{naRq4w)z&*kbgSqaiob%Y zhw9Ci6)je}9|Q#A?7WaM?xETg$(?!em{!{RQ{)7B*U>(B+D5>&fBth_RP4&18;xIE zofd_-7SdTBrpD)5>EP?c-^*xvu0vv^5!|h}_nob&{wz20pon6_YVDr7(f86Xjmp&{q(>aPG1 zREBERD*y9+WarsJb@e>ds}Zjv(?@Bx$6La5G6a zXkdIq;(GH?qfVLi!a{1|cib;?tNPgf+p&3!u|;1ct!fh*+y~T3s&FZx*(wq*`4yD6 
zONudDNAjUu1iTik!0OF}xrKsIC)EhIBWx^5r)!Oo4riFxEUzVVu3au2=9 zAj~V8SGGfwMYqTr=F}B-ixNScjT+y3|0+Wf;W2wF@@e0a|6%Utz6z<|waWDsrPIQ< z(AGQL(>|s*W4py8q;2;!Ps3pMGt)s*QeS4 zHe}g~eTsblpqCl>j71ffgEJ$y5&4%p3i#c^B*&_x6!;$*24u|f>+us<%-?khmy7x) z4?R=Gf%?*Utz(+>0gV2qg@Zr-2H7JAP8`s_*}A#rT4ThHey-`Wc$$~>$YBld(V)?} z|Cf@HB`JT@gA+4@P&`!V93VG{jd^>wS>8rDSfTTC%z6Azi*@CNw&gvh%Zp5@^ z{T0t@ZcXgYN*YhK0FC~Xqb|aDt>ym`>q8gzQV$#Ozm~hNTfwqND|XxFn`KjI94f~5 zzd+P_00lk$1m<1A-@x9Vo`yxTHn?Ux=N=&@@}C?(>}u8BmFiET%Y~QU1K;+DCl4qn4D;-`_+mlq;KfJ0_p&l9st2u^7~! zspt3;ynzz`xeKrK3Nafgjx3e*F1LkO7#0@;`}H#uHqfP$Bz`JCxxp(zkiAZpz7y8` zc3i|uaWykAomcqDf^5Ka>4m1ACw!ApJsz3_$5ek0XEJfC+vEO=(&u?8G;6}FI>Pf>C-teHI#jR;++-g{} zda#&)x!>(59;&na=pTxcn+%q_m2wM!{L>lw>CyeWlBh8^;c9-Pt4Y(4F5sq2owS-E z6_+L)>#n$uYV1eMtSX=T+a{PS>h z+Ht#f#Yal=s15CLl0Lc@IC?4%4*1sg2-PZ%f-?=PD-ebv@oZpjxN_6kuMfbobqj^% zE2DdJ#ILxftge6hqIGZ5^#;#_Z^0$W=x*8AHhPcOxK_a`SdL>;#!R=zd1A@^~6 z*YPt6J&~lhPIb=jd-ch0|2RFYJ6tpx&rUT|Ty!l3{Zua(8FxUaxR1KoZ~P)j$_v%7FWFjgoMEo{Rx!*$OQNYRefbsv%h|hY z%hrFuOzZXJagvWk32m2B-6K&?Nq@J-MSc%W@r=qL;-Y zr6Bj&G{M?~qESrI7ogtY^JJm}FJ(VDXVJ4?d$IDM&UUwD8>~nbCl`lFxno5>K+E53 z);U~0uuUdDGvI#4VHAA+R}(l3rHX0>obdu{`Im5K$}oeDvs;l{9bx>V{)WbnGZ^Oc z;9Z{>O4v5Vw9tHPR;j%Ti<twg>Y7-jvkWG)`>Zj{Pa|&j4$F z^*7}A4WlJKwkx-oV~X=gXSE3xE9EA|+J?cZ*+Q18%%xc#faJsqPO-H)g)y);V1qW|imnruPot{Zc73cc9|uIEznk~;X>FIB_U&{}L5Pb91vvUUgplYW>AWu0!uu zP_^~4vC~nsy~-5*{9x@DYd1VO)j+27Qhs&Nn@qOV6&I)55%wG`zX7er@OKPn!q$Qu za1&n&XzwKY#8);!*K~MPl@m)5xo) z{>}zD`P)mTX=aOyR6EFk-`oJG#+qA4S~4>wHXTu%ZG^)f?H?B0F@Zp6`mWL@R~ZbV z6Hb782MH8`&Qa>HD)UVqF2Nj;|Sn&mDO;=&;E4`u2~#%sSQ)Fa-?PzC3J z-VF)$uzv|He(XelQLtCM+bCUi452TZnli|tLY&ogMS5C5y`=fmvoRx(saD!fE+0Lo z=%yP81==zJVbU~+rkiubwF$u0C<&-;e4HjD+)Ikr9H)A9E~&!qs{ZKS<%L9zWZhL=6^3GLlR65f1m`oFzS#cmB|ZWdUoAlezR8rc5uaw#OiQ`^;Frba?V@)@ z%$^G7jrj;?M!ywtQ?rFp<5X*Xw{m4MT#L(JK&)B3c)Vt%Gut%pTVZJZEXYQ&c@^~s z9;hAql|oPA*ova*FZ3j_1}VawvxDf@>9! 
zFeywzcNBa8tBgx;O0_x@9dtZcO~<9bUXR1n2DwSa7T$~;g$Z`)KA@Y6x;~M%+NvW6 zq~w-LdhE=Wx9jyAS-?V4^sQRf*|YBV6VuYfgG7ptu_>Wzym7xS_xG}lb zF|(t987pxjMD-Z)1YM zd^X&J)iYI#!0ass31FrzTCb^;S{Sg#_Vq)qV9pnmTmer{G2`cmN3-UOri!VUZ%qhI z?>h|*wb`e^qG^qT@`rm%Cc%LL%{aTDBKS>*t?vbq!X&|NTK}*X@>Ok=NqQHKwmV9c zPbhkMj-+gco5Y4wU5+ha-_}V1N%ME)XIc6Qn7>u>ugSTpZ^UMPq(G!He1M4A!#~yy zJT*_2ImXU@HRm1Bq`n!uZb24#rms)}PyN+LzpC%{EJS}x{&rr+bY6yDhiCeJHtzlq zW%usqvg1pP)kSMsJNVfNwc~7kRj|X${iQV>!3z)l-N1o&n(knvQTW=eLWiVi1t$O6 zahd0)HZRjZajrcOvA|!Ux*q^NVRuIT_?3krYk?*<-$gtsu{w-R8j*$pGmdjc{yQH9Z^BWZu&hg#C2TAG0#Px;n=de(d`U zClcSce}`~8T=KjU_Cd#j3;ie-3H#Xy$6DvQNUMnKdwLs}v{ri_xdMeDEueh&V&3!# zRjZV?l(0}+2#~dUfWHX7v^qy?FzX&lg6n#bV6PN?U>~4%e#3<=7cMKB!iO)M?+ z=!Q>JxuL$T;hN#8T0Z-=tydMQK0L{-I{=e@$2H20rBMnGOpt$J{f(s(jZjrt0srp0#C(^ zzqxF&6MAn*A<{>sJAdDP>Js_T{fCln|yY} ze-VkZDWUTV=;l<{)sJuYoQ$tqs#j)@)^F@$j!|mx__zY5vw@>U%wA#wiIoo)V)lVY zfZqV<;#A!E{YN!E;tJgkSD5l_{41Ay7TJw;vWqsg$%(?^@pA2Ks#T4!x(C&A61o-i zj87^jxdz)wKZlX*oQJfdriBa|v23s$Q!*+pO8}-WL3F;#-mdfX?awRfK0$6b=~C$W zINDzJ2T5&&DYwgUFU7T^qgR3}nLlW%&ZB@VRh8GGgmnvx7aLo=F%l2A_1CrirTvXe z#thuOm^BrJvdbB^u^vvfHG8Wo1-|j8>1T8_R6}r2mdkCr1O<)*=M{&R{9Jvd{n5x? zC}<{aQBLRKr_l92xbys}-FE?r@e?(qtwv&HsnM`8Q)0YY`0Nu}Kat`z}(&##{yV+P$e8xFjeA2AZ6wk?<_eNUbl6&ITiDgLe{ubJ42<|{G=)|&9mB^(% zDfVkAhD2yw_rz_h_$u#5ca8sC4F{O5G=riCRT=jL!`o;cS{K2De2r>yMwBl_XUw!! 
z?^U9M*6#R6hT)c1-|nrH^7$jZNDn~ALMN9mK9BK#tMwl`)O$l(ctI$QO&)=H(agHQ zZnpjoCH{6xnT)wJmZ+F6@R%g)5`tWX09#Grl=Hp& zp=0uS?n9j}L_1gp9&TA`em11|+Tu;vj>`}_d@Mh`7k-6G`-PrZlWF!Y-X#NNe;#{7 zZ?;HR(vxYOTLSkZG(w@76t9y6+o9920a{iJFE)eru>z>a4kKsEHdNcuy_duFu1K-g z`fXt+knV*V{zU^M13kd_K$(`zwrI$Y zx0K6MP1ct#{M?(0#8;x(bhiD6gCUP<*k6|48wY9xiG+dWNXF_Mw7 z3L-U+*>B`p;*#3lcyYsS5-+0&1@u!ZK(qKe`H(3;YU{nz^b0fg-8a*`l+$INe(v{p zfy0UHs*ee7-u@UVAcyE565ZsDO_;XKtZhlF+Fj7InX_{QBOaws`13|=U}o)TMyYR( zsNuucvB%+OJY(&)Lz@J$8=iltGbgU70ie$l!*6)oW-wJV7#>HN!|iml4hb1e%+~`8!wqJxNsBx1seCZ$+O8Q4pwT8m6(y zEx*MGS+lHM*5k_b7R;>Pjt7cJ-t!B5+o063y@IIZ6Tb1?nKst7RJd-+;j7w7({;{d zyQ?k9g|mHx#%ZG`YLSY#@%(dCXD6C->I-$2katIJ)$)vKT&zylqgyCLS>#G;-%N|A zvAR_@E!D*2kVrGt@)2mb{9Rl!-<)!;8S0AOSnfZA5_&y<4uXqA0mY@n(WyL$h2QG7 zeA>4Ph{2}UDmd!buGLK2|Hw}ZiaRYrN`Zyp5>zG1BfA=OE#-3Sfuil~#K(uS^;L2a zY&Gu_s8nMrw& zme_7hE!yrcvKc;^=0uT3>!n~tTE-KfS=*(Y(4}u=2;UpK+=WtM6WW041W2aVs)~uR4B5+}=VrQ%*J71O- zTridYzgri*fO9MOT3X!ADwqLoGzK@`*WA3xVIz&I3cPfz-5OVq%fCMo3HuqlCoN0M z4XMqHf?Ifz?ws9*W@lu1y+sehr2Tl<$k%2v=$oY%uQAXikH5XCj-!1M@8kOjaR^Cr zrK)L~x$_Skh9g9LfX5aW;Juj9k~i+{na0j%o)QRHVUrec9(lOr-K37TX>p?o%{R)l zCFCf<&rp$Q7x}5k$4Hu_IK(dT(RAQ_wGS6Q_K;+eCF5_9=+`_F)ZEjzm8Ps%W2+w$zIfBJzy)yl1cAA!+JPW@w8YT$MJc`Ins^7Hh zlmMh|S-WS4erf)2#ka398otpuf3bbY5j2Lq4O{>2NKd`uOIuasOOC4pV#SrZ7546E z-jLtZwioT+L`qzFyYb-9EW?mS<#I5H&&Yz$Qix-1A}8K9C90)=fWM$~VA&Z2@v~4j zC^hW3XXRG89-=Y1ezDzbubM}Yu;Kd;>3wQi8ldm4RfV5A ze@iLY?ulQVAN2%piKL}i#$wCG76-(d(m7y!?}Gd+7OHlm1<3TM5U*ALOuXD z>e|?u6vp3>SiM4C;kW1Jv}c6kDY<;{lu!4&gJr(X15@27yh9u@Fj})l#7iA!#LC*X zA1krk$MqDRo0zo_l3%}r;lRcIbc*g$w~!nwR!np5>)#Tk^&!VMwA5N=v}BoetG?a$ z`2eICtsRVJCz1&o>dQ zGVdBgC^skT6_KFD&eAXOa*hF^W~>NJz=hW*mZqVEwIDXV(ocp;UQq%&H9r(EoCFe3 z4AiY>)TDB1^Bm}5!4%u-q@_M0Rk)}tGnHrBsuXQYNeTzw`iET5-FA81w(380&SUbY zj+1Lkq48(-Zj!Z%6Bl#oV076e*V3q;Zo`F+xfS|8h%h&>qs!m2)6YGUeIQ!^jAr~? 
zZuB-KR{y3bO_4%iPKMkmN?pdR?t=9s>NNh@j{04=6-)8{mYCLABAQ`wp96oOr94yM zu5L)V(K#Kp2|H6nkE;(c3vzUphqm;60tyiwDxnd9r^7~y%hRovu_k^0kQeI;T8wEA zOh25*?(Q~yTn;wQ#urWtqWE!q;|cY29+VVUa5DvR0}q2fr8IPpsk@a-{Tj3Rs1|+i zT}?#TImUB`Z@tHTX+h7u9jHj~b!sJHQ?~mE6-x`da%G$8Mmel*+s+K#eX-ciCk}u2 z>DSW~xui5^-|WNS*lpbZJ2?ip81JWBRmNhQ*Y{Cj4Qoe`U;o#X!s;~8g}OR(){8!4 zNI4O_(MK#APc^=45Q)B4k-2kzV~wF_fH+9nseii$5*9UCz}p%`P9@p7%}HRX$wYq1X(sO5G!!5NTBLUy?K&*+L`+JW zWI4^Up@h`@=(RehNM7#VnojLFQyTH`*kfg)8h3nJQ|;o7PCdOMO#~EloG#l4yBHQ* zLGRMv@&QXB3kYppsB0(U6mx;w$5I)t&nO-`~~pMmHJVVfkO=BIk}t#@SFGjgiSP9m!jK*r0XBMk5!$ z5{Ke=`DhA%M*)kQYRMKSEYPwA(^S7LBJjX1kLa=ZP|>H9v3IVOGuA+)Q`AT)AVSZ= z4sN#G91I5^*Wf)MX6rz@thjTPd6@p>;Yw0jYfu%O^R&?a1<50@m#d8#ZspGmtz1p` zI#4$A=T|g)|Aogo!w-|NzWK9*y6v+3C(=}_<7coy$5DUjm$bVp{Dv;L7}2?8C^B#{ z+TrE_mBHxhJbP=>>cL&_<-ZNgPPsPyseE zNK$pfJJ@a^Fdk0BSbl1y!7x^1ML-zaye$ufT17|PgexUTF&%Z3PZe0w>xlIA_3 z0np&<+fv@amI@(XNl0QAU-hsaP{#N|F!2NFcn0CO+8hb@KGk?2- z@@7NG2Ik0X84V;SNIC0E+?mmnfa6wzHG8~RPr$=_ckI5;DYj6)HfOjYoip`PdhW1) za?)DjAN|*l4TUdz>@)=RMv6v%W0ei!Vm^mo7X)22eIlMXkxC=-^~r&~{nD~T zj*@c4WKyPf^#oknC)Gfp>xUkqWa=Lo);nE%Dc-pmhx@Vf#h*+gWw?*hOI1h4vKnW5 z4|(Iwg8(n&Pb-5tr3_Wmq7|JhTIYn7n2ify_RN%n37j7<192;2z(*%c{&Q zb_jU4b};uwO}^Y)WT~Y8ZNJi+4&u!d%5@ugMcF{Jv2T8&kon8`(KN@^O{z`l%1~+R zeF`fgEW&baV7weU-fTAZ zstQOmbx1RJm>p|Tph3;v2d41>33a&8y)bms9@o3Qws4@{ikmVA>0o@?OvlX zgI127cVov=y|Bw;ZS{e@L-Z%^G%vyiESP;vATpBg-UFcIBC99Ur@YeFB(4TL$joop3d&ZV% zVJ04)S(BYTx2^AievLC&^#e}+`Wf(B!afs=GUd=EwCP{?QJ0ko1Qu@A^d8-=FkYkc zuMgp08$z(sMhnIGDOG`j?mW9Q>6C3K$*Rhf>e-UVW}U4u?~+&iUKn|<$B>4;tiSxn zy!x}=e8tI)xVWv?RX$?~Ned@iwNl?1g#oX2;8NHfm{)hf)mAsapA^!fp|!Pq-_6I3 zTom%&+Gp99(@dz=T-3n@PT}d2sFd`7GIus!^?gCxkVgR1^X$)oe`jub( zSs?M~o|?gh_?^V?C4Ep|zTPi_sd9E~krgO=VJXckM9;@(W#3%_nPllN<&5Gol98U9 zo&vAioo*Jc+5t&3biKz<+~zcDMr_nUCBG9GuU=oci8o}lauU$lw#KT^y_54!IsKna zUzV~_cZW?9Ig3`17WDr;dqFD?(u*s{+fd^k&B>;dv}-SR5(?Ce%mxV>!BtL+Q2$=kMDmT@Vz1_{9FOp;3_W10@S4T8}4fA zCV@oPdIl+Y3=8$5i3D(0ru`@SQY~${Jq?2Fh0yazJf!H2xrtR_GCLYDE$b^InvNA? 
zMuR8#L&fDr;A~8ghJ;e+^{6&1@5@fH4mUa`r#+4i*>o5Fh|d}4>1+febusR+xNctK zuA%pu7ti=$VHB@ch+DaXmTzgRsZMo$7d1|fgHh|x{rW^TA~v|Z$_pt!GZWIUSJcpq zPIiuU{ao2YOX^@)(V|9uV?>e9%Ju-!2?|3rJ__H|^DQsONa32Z8<3m$;%4NZ0LerlX~e6!Y}@`JOJ7=r bVOS*W|D#6sTEe;ivsL#0|4WYZ|C#zb 
diff --git a/screenshots/extras/ElectricEye.pptx b/screenshots/extras/ElectricEye.pptx index 16ee4d74db7552ceb48cbe443cd5c2bca5ae7502..f418adede3399bd37dcc8abea7b9d51f460b6b69 100644 GIT binary patch delta 102963 zcmXtg1yoy2*ER0$P~6=L#ogWA-Q9}>_X2_9?iMsSMT-`9cPTE#wLg8{@6TGvo!p!` zGug-XI`<~2wOsROECi|w&@ear6s$@Wy&pC*-Sn=p{AcFH6gJ3@>SWflAjc zzjp*6Cbw&TQf ziKR|=GOtL*WDOGoi@|eCqbl@2*Y}6Is!)#;^m!b*R=N5GKMT$n|UXaF~DpeUp^EnVU&`6;SC_NRZXXvDx7|jFQPur zmb=!;kRMtoi*aIC-rn^&6f|xKV)u7y%zH3aB$+Vd9YP2_T(#dra})k{O&~V0^G*(v zIAj4sx`jLa-u;R}lsyxBrroR3gLide^Z{=< zWfd=bz~s!89OKj*vr2^iIcy{KkvK81f_mm_w$6Vff_&W7$bDw6= zda2Jhp>K!I6%c(|QO@#Q?YtyVEU2WtgKX=+f67PyTfgn=76{7lC{RxgEk`g>N|Nwn zjZGFQKf0#yz}}}<@)gV2=8~eTn!fvUnl2?&N2B%Kp{Q>mgxzpLF4kLr$zw|6DM4G( zC?*TwUhfnEijJ%dxJQyRrU)1m1aQW5#eOH&13VD|8aC4Sx^SPmLvNihigWW8dg@hg=!P7 z1bJGp8_7a*=(iO-&jUy9V&kh{SZ8hsi#@=;4d6$hB7+|MgXk~Jo3ZN)Gq2VVTm)G#pptbW zBN`bCi}Mg1AQF?^(~B^o+7Mg@EjkBaC+L~6VZ>9Nh351eO1#aCh2{DL5nFux2o%<^ z<6lZ-u@;JIIJYv}KeNg#5)o<4c07O&5r_#JM}5=Ur@fl*V z{+m)LjEjVG6#9CK4gpaWm?DHk3P@h#^?uK<`T^a_B-ns2^+J`Jmp6o-8Qy{#)%{&RtYp{d6(S$%`j9nGH({NbY)-dr3@8EGqJP zxMxYcZn?nB7H4C#?;n6?Iap78Ft`8)Z}li72_sv3>BrBy=~+%qI)hhM04{ld_e5UV zh4R12K&~5&PtMucEO`kDk)c@sJatT->}D(1gWNJoTcEDlvGC$1&^m^v_u?c~jXy9= zJ{;8Z0eFqP9UNE*j~BV~=37c_;Hg{fHAQAk)!rOCs;%B8&6a6>2{X^?T&lVy*8lQ@ zAo2C(rTYF(>Fzb^Hb6V!2B4OlI6MJw;(0iv<(iU^pSwUdy0ZO*9`>!eacs;{w>5MAzeXJ*WZP6 zH+I5j_UY)YL`{yE0eVx_%;b-tYE)S}wK~645rG$vWL2i!@M4$*jNvq@Paa`dzdRMS zcIi_9cRtvD!l1@7CV-)M@(2ro;vX}u$zNm7FJ^qlS53h* zO654!3R(8eT7=AMT-hx}%ZsS7_^Myw?-~w2Sh8xtz{J*Fwq>df5}KX#^Kk4c8L;C)o80qW@%Ja~ER zim(`Zx$El^5?j!nYn^_KvHi$dGX^%z!aG0_HjBk(-UclEJ;>-|3Ul$8{z;v?Z{hp3 zSZv9Td+Y=ktnI{f`rGBV6h@-hxR!9d3wT??*aY4b7BE_M8H%NExE|Ct87#N8zPMzC zxeq31>ordtUKzok?;mB-qAKf?e^*LpW*G{!Mu1l3xAIp@ywF%pkJ8&YN&Q81YMVayW$@Hk1&F0uGIwrK4pE{c*O@#q+tY zccvWFc{)oYgvGLFBmk0S5Mn>Ke367~iE#^_x&?qpZQ82#`7CmLZI4eUO@_tQELf$odKQ1GXp9-FINiIL+$wBr)4b{nI1 zVTQxNuyeSd{Sc`>Pg^?Ot$ZxG4FG(GOr(MhX7zXR62h2Y;xj>>>W?(QiJ=!$4(r=7G^GZqOJYH9R=lgzlK^0OUVi&L 
zW8G7r{t-4)On`amG(Jcf2)>Z>)IA($#v=K8YMRMQ5i>N`!Y;$M~wYps+P9Tc#s zE?)Z6!Vi0m_s~C_8IxkIQGI}V#1Q4`KeS|43!u(BN+q^XJDv$%0eXCM4wE2L?eLXf zvCAUf0R0J=-l(8IScBAD^h5HLm7ABJcn!Ohd!;;-*Jo zHURDq)}huuk(h0(pv;9Q>KCox(DZ|-HUh}@I~>-+Z(LyQA{aUfb+;lQPCVr>$xLJ% z%nQX>E4w=Fiw%;B#KGO;YZj|ezpkHQz%Syio>ichknXx4k;7$C^?~M7a_w?*ZO~-( z)0vT8`QG+YPuDe>{a--g-@d>Yi7P6GuplnXS^n8*1P9Ex=r|Iu@hb_EvGT)Wjl+q; znYZD?V(k30-IN-baDR-~Ch9&|xi%cQ9DQchkrWsyX3XfHu6c-fG(aJ1?@hI3QDVNY zGSMYvUf*E3)g7%LMVxM({qOw%e`c^{IGbR@e)4hB4$&uQhSCEtiPg{~42a~468N<| zahSO|;-g|LU?onb7Q=s*vGSj=uhjmQVv}c?9x;v1L*0j@=bQ_*GqEtS3wa1mkq;Pm*S>WUm zV#ibeE|6gaQal3qfErOmMSBtRG->j#UPx6BLKViEPgnd`aO5h(Px*~%R}VdJI{Hh; zSLvo->Ru)OzPJ93#Nu?}IQ%SHfZhu|H_@B1I4uTocp2Jy|69jM_3dsjQKSp`1WRAd zFwk2uuty$?xfTER8NpvvDmi8VBh641cZ8<;;}Yr~zC2x~wRENOF?FH5<3(MAG2EQI^LcYa-FKlB-3Rwm z_on%__uqYMuO}UFp{b4Kf#>Bk$-+>CPpL z0-uF>$9iV>u-b>tH3EYllJoq3xo?=5id?4FcV05fkMDoAuF%|O;OmXGb;`DQ)!Hl_ z(>thO@3eRL|JhBr5L4Z@zg7fuLmz4b9yu9_ta91uc++m-LG+EA zpeAL6WUG)*D*u!4$+_7R(_a%Nr^@-XuyfH3Al4JYY^8{6%Yn|g!8(KV&ZN$Ey)IyF0dk2HUz|sJ*dt!qGmh|eM&#S}9F&W!1QjFp7 zbgly=*z`Nvs-HehH%su?`R}$9beIg3w`X|4Zo}lDH}@rN*j`)#H|$ssPrvxA=+Dos zFdOi+J4)=u z>io&}w{FFvMlL+m_+>@85_cETHcL&HN->@r%j0LUWtSY=4W$6ot8lOzMw60U2b<&K z&+5P6TrUJsxK=$6Z*PMQu}{ETs_5?dGMEoNI$559tCk;Et35&1)mgY7CLGx6|-dS=D#Pk+8KXC5VanlGy)+Vp9Z zV!0@5DK{F1ipx(Ans=2WVGz-Rxq~&Rg`!dEhRnpo#nE!f zzuJ=uvFtzMBr=}Sv8uTB<*^w$E!H}r?OhNm2wwA}r|}}!3dZhm(7PAH0sgqcm^sl8 zshv@7bPC2h+dujC@OaZ5URX#aJDmyn7;Zc}iZ;}IL)kGj@xbek#=7X;!5IH*pF4}P ztS``muY-e4j4f)o1+l;q>yIIdi5f`L!QChXInQX?1BG*Ws$#G_Vm3}M6|06KtX!fx z&Mp&7<@@t{b-jy1(F%}f7-0BG>JC#i$fia~G^YCk&z2#5T|W|wm3#M#b#!>I>M|mJ z6>q=xol_6o;(-APwyJ_pV?G_#-A z1DSbFBC2!lkA$|;*pH{D>$@YEoqmi2tu@53GUvDl8v2fWT(X2}o#Wd(B`Qx}-CV6& zKJGhNM>Zp)-8Hm_x0J#_JhYoTP3!!RPNggs1Oz!m`V=H80f2+m*U6F9-OAD9N5+hO z7&}hnCA>fU=o=QcfrE^b%TPgm^^B0{^t|<)q@w;}Yd$*x?x7j}UJuvF=oBBIJI50I za<;l}9%iI$ylj+?@@zyMVQ(G z2VdShwgG@c3DBgQJMIm1S${k{ic%iFcC(eNt47}-D4gZO|LKI%k~^Sy?=>13$nrUj zxVGy_!4)95`b+TXWStNnkSVe3oD+aj5j8ZB?8eHkVelrzihF7Fb09tmiq29BQH@VA 
zT3=nhDlhNqa5XTCXF1=dN-BE zEGKe~6=$+DZt5+q50qG$7Z{ zzIaQ*S{hc^jq$xd6ri6*U*{%iGeQj zVZBWlFq0q)Bmne%N;#YzW9X8$8~WHtUI+i1-f|qrj;Xn4V6Zb`0jBE&yLmyYB(tv=&DA{H>6z;MHw1 z7bUIS#(QT=q{(I~j&$)Ph|N>VD^1SL)ym;lXkkMfk>3%UTBf)2`o3wdkIEehP2n6w zIsihEYe{Y0?piyf5nE_>6+)QkyhF$>r-U#16rfB|6926Q4_1e7+Z92`EvfI&R9itA zMj^8wU3{A3Ro#YSc^3nnm?Z;Ko(_%Ex}l$@fq5(a%5e?r>q9BsWC#c!)~&fqfTPIfJAFMF8H9Du@4q+7-KyQek&sEx_N4rF@B0U)SS0&0+ zm-v;%bfn~G0Bi6?r04E9=r!xJ@R#|!o_kp;dfK~&zUBDVSP=Ga^yT002q zHlOJig(u0uTJwbmeWDYODpN#Y&M?BxHj9UGU3+5U-B!9|9_<>N^}!kG!3auolue6>t8>}=j{OYA!kr9#{-c#uUImLW96-z@ocQ}UGJh5U5$RnZ@m zvo_v@nE?Ex2sK6uzZ?piXCp-&JpMD}Q$LC+)h8$GRcZCA@H5{Nn3ub;p1=2ZV}S0T zuT`wi<4QJN_Fn7Xil#kw$r~xdv5{58w}|LS0S#EY=EO3Ps& zL#K>7bg3g3N7dx+!6h&m3S49Q3C>-q1E}|7bU4On@2!-CV}S13v+=|8V(rIw7oyY8vR^Ty?6)jsivaCf`E3! zFJz=Ogm%>NarlOIw3}D^fNC^5ch^&Rdgr+iGX!bWQ~oJPg6GJhQ1`2-A3SgFJbDOz zYgH3h6-(m!y)!>bg|d#P_futcy_1#}fF^b3hI5zaWZf|DEq#N~r!Hr0t*D|zj=RbHq2sC$3Pzn5!YOnRCq zpvvLS@PQ*>Czo3?~2a2wt|s2mJIy zJRlCWx9htmr^(XBy*un8)s=(&y!VCQB2VM0qs(fdx8{5qlUb16@D4sh|2L%(wPz;2 zdjn*sryg*z1CyGjbhLz3iXW2v-(O}6*VEAsc05&;Y>?aWF%Djt zf^&$mciFTdx~X=t4$<6v;&>fxjR1r<*!xrAhOp-&6zRM^NqeOG5Ou4{x#R%6{Uh#q zuNV(_zGJ0>FW0#7bR%1&`&hrx-0R@^#2%ZOx0I7au-!id+PA_4Zw)S0l6r(jXeLSa z`|#ZH1vrmBklK^WF{ixdY|x!{KgtnE~SlG0u| z#QE0N(O<|Ms3sd8h>N_~+rnnB%&P`))5z`~KmCLZ_c?0y-e>)OYRBd;Y>JpZPO=PV z`W7@QQi@#kYl@`&{J;0l@Tf@O>ChQSn8M(3BQUYTD>S4jm{3Ik5=s9#iC7T^0zw5n z#YCSnC0LaRiCRyeIq8d7E@^N|iK-|7ljEE5Y)c8Z%gXvXcr(E7{gjQZL(e1~-*bv* z7J|e{q}aoQ#fk?E>edBE-rM}JV0krgn^8rSaC1lv?S|h_a%yiO(M7G%_b_Bj(3{e! zt};b7b|hN-B^G1KooWi`sqF}wT_h>4!3M!|f4y6x9Swxv{F5!BB!L{mfB;TzY%z$DZpJ{d;NgJ;cRlOdC!Ck4p`;9&wdk4%QyPH4G9@*3(5G=qsXAe9 z=o@ZyK9Q~!^mYQQU-|T!Fc*l{Uz2`2@7nN5^W9>!V8whF#wXO z6^f)HUq^-!%7dcKcL(Vw!R!gxXUl4@ZYU7Tg3YVQ4!1s@0Z>JktiIQ^Jo;#&42JOQ z7u0aHf{5s7+s!Cr^x754x?tPFE&=k$}M9)*>9! 
zzxCz|W}2GoVB923{saP*T*uxgBLXBY(HT(nzlVio|3a#n=67^dN&~YhY z3$5`p>X*LwTq;K7ua*Oks4vMeO-@ZJ4|Q}9loZ*G&HH6CFBwj&T_8Fq7%~?MV6a7V zH}zSZq8M>Tq(Azl({`+XDU_pAwoJ(aK@f<;05U7767-VsTtT2c96z-ro0G4bd}1W`#Qv?UyP<;Y z#V*zbs!k@XV308YD=eWxRheh=Vi!Q9iX7UX3xNYScULQhCc?(L8GaVMz0iS zoNAm6c+vJ%?g3%NycK(o5#Z^s5!ZD&t|@t%Lry1+a*uIKSaf|H{hnTr^S6Wn&kryQ zQap3nHnANS-`3@l>0LFF3kLf5`r{C4H~qGM<|4Bz?gYzrDY}(=TuEH??z^oYKl;=1 z8z1`=S|r}CsCzk3P}~#C5j^f7%=H4pnvot$|B$Wf|0vox&`v3t@hQgP{tbSE;zZMFw5v~&6grre;C`qq1sjd zSo8V^DtbuxRTr*n_Mqj$hw88If=K=I$_ru!p{2B@#%!*w4pj=t=DqmZ+h zlx-k9;pUK;sfkVqd{^>*WczoK94S|T1Q8wX<3pOl6Fw@CziGg4bp!Gqv$t{G-nta`m4|ARCK= zMQ6i{mXU*Rsa+-L8k`*W)`UOP%Nj&qRGuFUKlB8>T)$n~9I<}Q*s}ImxO3c9CXSky z3ni$9hZ^Qa4a7N^muUZul{_H!y)AQBIdN3tBKXQ~{kW6O@Ybj_ziv722yDYGSX!@A zf4bVb)Hgx})M!F_Z2mZP56`JzM>Yq`D{%E553$wNG8%EvWnl>(8(E;UOQ` z-6H;n-L#zs6o4&Q8eWpe!Jg34v;utsH}&>BjJxa}Nu!iy6wLqP(j1}fg!>zb>%L|) zG+)z2P9GL%vQN(n6)GzY^?k4!XQ%Pk4HTzr(O)qa0~)%%x8`yzeH(5Y3lmWfwzw?a z`RrP!j2r7M6A=i~_mW--;z!tEsSq;!=n`rf2tFA<8~}~ncj@X`IuTOdfb>Ee6;AY^ zUOtT^tSE+&)hUhQKLogHNKz?Wj_8!2gNe+Dtb%AEmLXe>vj>e)MRD#O8f|Go4sLZ6Puxje%r}hB`P9qX656b zP5t4UR%QdhH8PJD@yb~%rbu6a7q)pif(Qhj=y22Fsj!w&$kT_Yo7m}={PB%C-wXu) z;{PK7NQHDB#k*JA-e~$2|u)6s!uk%^Sd78+g&C}JDdjc9mPe606yaP=~x9!OuVvv~% zvzm>P@x0D(iVr^GE_QXgU2eIRM%>sS2KY zi_Dx|K8s}PJzJLc{MFiz<0{Smr3?EkpJVv#+FuL}PCojjQbL4lK2c3Bhc}eiU|Iw1 zqBLkZx?h_8k1tX)_mMS1;Wg)y=v*Cl8x*6bc-Cu%?`{owxP(ku{t zYuk}ATCe@19K&}fGzn<-9>4Ad`3#l`(}aHwi(YO%$82CY=v^lr^;+Ivs=A{w6zgxA z#6uMfNr$#s8T0TnLNcn87eu4SzuAIZ{|no-(YOVn*)>zIMb=>i|LvEiRBXje=S?BH zA6BZ={buqvnm^+Db#unCld}%cnb6d+u1TikE_cM^%XglnUuXc_Wn78JdYRVdGvE0< zCG#q!a`n#CrxG!TICSS5pmD;T!`H(IFYQasLXZa+170jMW{(4MBg5#=JH_1o7PwesS~PaZ(rrDSCYI^JBRA zZ#ep3h6;d?2atI~oP9ksxNEEXmCbT^O<15c|lCEUg;y;Rh9OJu;2g$U%AQsa&GaVnXrzZwIM3bX=k-4jPl*B+N?}` z)eBX_8kmp7Xbv0?dR4Cb<4{DFC#65RFuhpZl?Uj!!(O`{5`6x(slqpeR?x#?Si^X( zd{AhY!BdHwH7&8m-;q+n3ml0M~EkxVv1oJprJ&r_G zmY2H`>_~{YAn@(j=lenJEIPAeVf7oq`hN`5%n*did?x5HoX?r43e5!!zejx`lQ`nv 
z1Yk=&ZFyG=TUA>$dZo#`(HX3Kp3u&2cauCrkm8EQuy9pA;6kD>Z72Ka=Hy(7_{RM@ z=&~FPdp7x|{pS2;3UR`=O6B1@x&%h0Zz1#vuv+T4qgSwN|7-pY`03m+{^09Pn`<>rlsHUryp7d5rf9)CE2gI%! z?zNQIeNW+eI~3ID!6b&^iu6)xLr3ymmWIrKqR)Ez5_dgL!Tfw3ls)FmzMenU6ju5< zZ|$b`mS8H-q*93L&QEW@|0@{8+6v>7U%5RR59d~->@W|;j5CCHQw+eFrmmOR0?>uX z1pU|!%>0>kJ|8fJc_GJ#-H4zeyf=czD=}`vibR6u@)somK;8IJ4YPBOQ%ktxFQ$E; z{ybfpbO*fu7AT49&H(UCRGr%2Dib`j#`s2yk7Es3UyZ{d%4YC>Z=l~7le9R<#RI== zhGa+il{*PX*E%7+@vyhZynxj2*xnCUx-U7V++;H064w*75dpP_=u3_Mxh*a_tJJBR z8&rYST0_JItr*-sH$4xdDI)rKNLiZkUjskVIO2b4931Fj0s~16-tb|EgdvX{bpd1g z*+T>Hs8=cBg+t(x?#kLqa^C&M2lCCbKR2*A7_6XoAAa&H3qUqvhoUDx%Yf8<5X2eE zi(~(iJANHH^3Y%Ydrkf-#1-H|A2qL(^O9-&7j;sIb^Ze8u80x2tZQZd@&e*QP@`Aw z#2^S`aAdG0Q8tNp1f4|BCnO4+?q}YO2=N_Yy9|b}6W`+w-+x~i8%R*36kr)COl$|W zTQqVlfrGV$23qE7h;eyVWTSBE?bKKsOP~7tdVg@!lQ?ZO&%TjV2C7~e$)!g!n?NB!ND49y@M;CN8+%;fG z`<+0Kio?gtz?|F%;mI}nlt#Vn{PkVyW6`RGJ{O1co3Z=ZR6E4 z)R70dWF@AC<&rblrdmt4p+6|E4Y4|p+XYZ!pCQNJxMBnGL`n-!(Z8ow zw`jT$a(%P%d~bw{Wv=7=b60p15qXdlQ8|3mKc2XfDbE#pApY!o!tEh?rKo8+}Q z(}Iyny_gsANOX(AEvtof26VujKTwBW1}*;Wr`I=l>{gvJ6T(IRYw7N>vzD zdOgBNhha1PHANxzS4vVC61X-p9V%rt;$OP~EENL>na=dlg8&Q43_+&v)u1pyedb8N zjz-aIwW&op!%JtxM#V@k6Ng4mN2x_IXeH%E-s32yD1%Rbarq!L9)l?O>1#a560KgY zCcx0552npDyNwp{p0kJ5Y zULX#QmmVPpWdP~Wx+4em4FPZog%Pd~(o@Suk{vGwoivxAl1+e{yiPA2R*+;(MOVd? 
zL&3@&21mMRp=8|T-#Ew@1{!u!B-r`?^n0NlMshPT0tMY+?U2Wz9q=&ALh~T)!gOGZ z{ZZsEiIRp0lI+z36-`4ecTcSp3x>E1vTq5J5c(Y)`cY&Be#OWX8w0$gI0v(620{NP z%}0Lce!WUL$2;NX++aPv@|j!+JE6XLaLCYHRG)#Q=(im2jr#=_s;mWyEO#YAQe@oH zrdiJ9v@r1{-aKM+Q1?OJ`JnFfvjFMG_M3o^b`d%k7IidZh;7=?vjouUN{qRGyJ}CS z`fLtDJMRK10V|z~Q5JM{s>R8K!1>S^pn^~veTVt6S%34{Ts{#NtBTtmT{ zDU6Vn4_a?Bk|x(KB>w#-r#1%4u+%|pzwf(h*geKR7lQ9d9u472;IUXqxn*G*Rg%Nt zN;u$3vMkYM6~hUKtfK=Glvzlb&jB8gm3KGeqaJ&&fGpR@*Y3q%RLzQTC4}Jc;t-@e zx&NDmDjPqhSOsjEOT+MTEW0fkoOQEt6784yEqLR7I@O%hft`3W9L#0b;_9g|w5A0A zKTt-!6F$>oQ#QgD8|1Y^pW54{`4U=`o(#Hlam32|37OMLN*|-<_{&@V@F`ZuP zU+4bkBb(64eMcO`*|JO_5`ez^V6S=goUjjZ=8M zM!WHj=T7ezJoTmF8XSNm5p9{jMaTAkhD3*qiHSmH2%Gsru%tiSYU8KaM=WDvIrosU z_4|3VxIkN&ydAw8y=(seR&l?3vdx|8zHOpxo2Nm>a11m3ikUx2Zl1E-p_7*cL-?4$22=^Y@t zEo1j^HeH80ST$@bI*Vn!qGs~GNr`Y1 zSLRiJ=oqtCgh7y5Z`piC>o9f(CPKWWux~x1RejBYqh268e@msVB`2o30|<6?w|)~n zBZ;kAvJ+JgOsT%z%*)(MTjjfNiM1uy?lOi>KFJjVF=E6cI5^kj(47Z)iP94IrDxfb z5hZETm2Cb#E8v2mq8mN^K}k;-ulX_;T=Fb>l9G_e-X4)%WY((n3~Vv=zo|$Xzbu_V zm97f37gaZ+sFt6vuAc?N+Pn)^!zm|mlzc-_Xj%a~xnx%l&3x>geDsIS8#-X$4gWY2mTqczFqlsiu93 z96xZSJ>50 zaz5x@C4yZ>^T0dwD;a+Fq+>!yzQ!(zdEn{VmOaYB%R?*i81&Ei22S6C z16>j#JHEwxvXX@UtHN`VgD@F@LBg*>ixV}W0K+w2eF1mSK?RwRGRZd!I(~uLT?cL# zta*Kw45@ByYIVylWbIGZYR&Q;{#^E{e{Ngm8PCs)?NhJsZkm5R!+ZCw!d83l6KGXG z&+O$cRJol=W}DjaAkPiWAO+5Q_am(sQTU(c+?6TmMz^Fns!hy7Y4aBVVrp8jwQF7I zmzMZ#nse(_VI0^jo$9nBb|hH#w4S!ryncv(Cc@UfyP7%KS>%heUu4xi!KIwH#|Nc_ zIN&qCue#zhN1CWsGa-UnbRu{Sc0$P-D-fA%JzCGqDC+gIq?B|q%Wa|_>al8j4|O8+ z#qqe!nhkM_d`oF8)v&bzEj|@i=*TpnG>W*a`ZV~+CuLy%pNXRT`VW}aHOcWNj~3j%*Py*AL#<*e2)HQScWtMG!K*sU*JV&>KjXt~X97Gq+@ zkE=<@7>v;eFx%=PODsMJa3}W7_Tw#pwD}w)`o-Uv(F_c7!K@+NHl7zSU|rLOY(39< z-7yI~-LKhtB=E?iQl&^L>J#d9FI1pWY_K(iy5%JV1Wy38LMy{a;sAwhsNwQ4Y*g3E|_TIJWP=Uya%bz*Q6 zxLL~ddZj2df|i?7D(D*$o{b7#qhiC17@KZpo>+n&SIcck>gCoHhXTF?2-e`0 z&E;K#TlckMkTWh9e1sSW``;wTlusn|AG%IJdZ08sI-AO6^Uy)PPk$z6`xnzf2af@M zUW?3&t4S$f97ng_T@dP%wUcEWBAz~}`ch;7_{)^Gf-SoNOHcbKTYc}YBulO}N8hfa 
z&-Ok@sd0g$e)YnpIUQVY+qN{xsH<|`#1;1!cF`K4D`|%`t)rJoOln3CygH_*+jQS+ zpZQPDZjiCUw0T@lm&@G%y4jfxVB?fbaSq6V#v5Zs({0LGK+|RMz{68=*)|VdFrE~D zLUu8qHdbBfXLLhK(}?wBGzdt3%r}Os|Ipfzx7x=f$!MTUqdbEJn%HONvu~Ew%^uZT zEyhb_IR`mz@I09|jGLd2s~bdip1p=X*HdW6Xm}DZYt!X5vk%;4Fn$A!#vv^xFANsi zzfsAVVc#VqX^#cr4THv@wb!hH3@FtD3?KVFv#|CEWyH8eeZuh*CGiI(?OK=PG4WO5f~2Kl@1s4y=XIDPhUIwJhOSB!VWUd zDy=2QtHk|ic6(b2RgYz26|0`#0guk(L%Vd1g1%Y1u4BWvJ(ax|67&3xI#2!l=U8RD zj`^eSyAI4Px_oii&Fos1edcjic&(*ga!kzWp^O2eoC^K`1?17vXr0GoD?AyRR~ar^ z+Ab3&Qr>uYGPXr;c>_nq_M$&Gox5GOectleG9sAPw5=e)A*(Ba@3-j7nLMn zR-TDe-Q4kDnW^zpYm_q=^y*!!jn8rT=ET6dHLP9MKxGDdMuX>xqTq=Aer2Fk`M7y= zE4%1PD8L@|iTecq3tvogKWtP@%lJQuqQ-?ty&Sak=i=&m?KabpW^8vn7W?Cm+rA2M zB!-R+fMiaXy05)bu+`@k3(}M7GAyv_`!u-Bi;?OmnN^vk=>Lrfjo+G?UF+3xO2kg| zAyvoN=)3D4umno!|3PKWhJF_^xRMWuVAl9l;t&aimmD{U$7IvIG;8nTCtFK=&6%X7 z>Y=UBQf~qZ9f$+niARD{JIKMfdY3RQt{7AiMT_SRQjdc$aVcQ^#?lS82<=C8mYGAF zTl?mgzXkmagEXlu{~|TR)Xn`vjVs1nsn*+(8?7!FZumY+s%oH8PZ@Xv&;;vZ+2zmy zDNoN~MQVDQTGBUmJ?8CW?iPeSb% zJLD&H^ru+|X_$zatF8nWn7{eSzj0$RG;W5N+Bv$bO;9=&Ey@8*$cQw{N93yXUVS5a zf8C;3e$@w;79bhfLn=@i_;SeNWrxSy3@?09v#AhgpsoCuJ5H@hSjob}ig9h6MiO;$ zI-{6Jd=>iBoP6Vf_u}U`d4-{+6qek5_M>>XpcV(nkW-ahSnvj!qD9Q+Q*bFUyobN{24f!pmxbixa}e%LE4&*~*@u|BD*f zkE)|mPAK=BQ#ma& z*NPq(=Tt0U6iLt47`GX~kC^8D&m)OCi|J*3M)a?_J>`NzKnxAEutDm=SFg2gh=-tiu zNJ6W+1heD+3dzWiLEo6gAA^YhC&gw{V5d8@Q`U21xY|oJaJ@=UuseP{*@N5#w)>|kU>A) zETkmkdfqLYkU_raNO|16lB~hw?&3sOg}D6~{S@V$EcC^poI&W1ELxos@w>UTse&&q zt7b$FU@yP=N}XAwIssMfK@kW4Q9rclkf-+2{;l@Ps(Xu_=F_*E-HePkn$ofPLkYB1 z!0vz#!s9{Js}^T5kgI$^bvu<;YeLaG9sB8xr9EACyevZ8HV>=7UmaN|Fhab5*AP{t%#y3V|Zfr4G>L zQbBcayu^96nxs`f8K(1tHQq~ZwF#G71mN_p@onl8Bi`4?PB)O%(QLLvi7q*(9NF@Fv) ze6i4uk?%)lUb!BA_A8U1V}<5tFGzwJE9;2S&InVUDH( zI7aZ~yctPtv&39ULfbtN0kTB6yn+QIax19kTg5`QvOY!#l;6S~{vf&sK9WpI)GD-X zZjZoE_w{?d+_xjs2ZJdu>66qWz3UUd{-nCfmng5q;W+XhiP<u(0x918S5NV#| zby%2fC4u@m_p&fU!@j*GS&_95P-}SO)-XR0ijt>F)eCI5jv|1hw#jlt7E4FoeE0hx zcwbi^Wj-a5Y0&MAvRlok!Gf6T3TV&yqb~0KS$GCm8ugcAZM8C 
zIZ2gYD#K8TN=x^6#ISVKGj{8&*ve1rr=_{U?ULeAHHQsaw+Q+N5TNK=yD8n)8&#jC zCVq;sK0ZRiTy9bGG2N%~cW)(y((WrHkOpf|XliOoUmvo0io2X!2qx^X2+w^^c^Fxb zQ3?%Mo40pVV90%=S@#&#CFssPuAHUK3uTtHH1;f_TX!UlJ>s4Y!;^kXcc-B>e1e?f zSFsq$E&*dUjXfOzOCP4kgkK+OXc|gTBK~>@0}NYyBW?36T zF?k3b{OEL;r_>MGL4gtuDv~G{t;5p37Yt}=$oKM#y|Sxgq8kD77TxkUX=#rN)r^s$ zgyq28C%E&(ke#lzx8}WIJ6)?{*2t-qOVSkER*#O>HDZLX*cH&F+b?b=y68>GrGDBl zKc1^Iu+}()&SofVw#zdk6n5_|?3_>3r*G$5B17oy15RIglf& zS@1vg!UKk_+-Z_?xEEJjeBwF8Q8(TI{@tx7TJ~F%Ly{)fXFcl)pXK28PW=~?Edd4m z8rIhNa0fC&g0%ePWIAYQaw_Mm5KMft%{%z~?j90@dCim8oeaWR_t8YdKNe;Q+a}ubADY1H!GxUuQgIds*l(*TRQ+7PR5IHj7yT> ziLdWY=iv3=+rO3O)NCte&7m6;iFzggTkPb*hi>V5{cokEQ9uJam{wZ|rFDN3LVOY) zM{$a)2}CiL>V_+bb|+j_83!OQH0;FCsRF_$B}9XoWTjy0p6q{D3s6Jj+1-0xl=;*w zqf|8!K3pDEKtfYOlbZi=Cg+^*C(JpojWiG}A8B**_{9oKPtR4IG_ud?ki}G34Y3N zrO1oUF;*67tI+CtSW>akrMUNbrB`vULPc50T$7SK*wuexRW>v(LbClMA_;C|LM4l= zNRbCcHH~AREtK9c=)UeTFDBA&bMtG=)z?P8O3lSZbT&Y?ethUlowELJwbPFYOuYj! z0|3+cE2piqv5&`WW<}UT*Vke=x@~*8wu#8PVZmp1o>t#w-;(lYrzGYeHu{t`|FGuF zzJ2wQ+uFb-=RZ45B_YMAz>3s-I(0T5u=EDy^KYQmU&S(VNYtN z1XZvhdC~4vIz^ogNpCTUkGk>|MpMwB0Joq-YE}>o#toCM*-4%-P%|_HL;hmIe0n;H zFsX${e#CaOTNl&U4k1J&iP%{Og(XmPe69V^4{gAIU(^K9kn8?gRK?evS=B$f%B#N{ zjz2frZ{EDShs)^y`IM&*mtAlT@i= z=Bo6G0s@BiX@xt+|Ee?h&i~NxlLn+2sWOBpKFD9)e;1@9?v!GgRO=|;x1)}{u)&r!#bV>H=s)#VR-0*ChC><$G+I+s{e z1c`jm7n|2~v-&&DF+|sRbU~+f*JgWe(c+xo!pwg5<1?UkfzG6h(b3{b}WtG z?03ev1`=bz%zHt#wZ?t&D;Q z=jJr#n+r0s!o=o@8gGqBm4ofEDYtmlo@EX6S=PM#ODURhV5hED<0&7m4>H<^Av1k%$IxM zv#cS@_!>Xuy-+@LqWQ;EqzAeMlW-BN8q4Y;WseaOMDIRMy^Bsee5VrCM5QvGw_=l9 z%{K0qhA5zWBd5z@i(-fBwtvzu)<_d!ip}qRf-+!+7nm*DAlY>I>hcB$wY;QnG! zj@p0ECR}8NH|K%Y+lqHADhg$mEQXlupJlz)RI$WLB`P;|?((Zx+}R0I;m>r@V;e`u zKjV3i^#LjC6&&2D*Oi`e{1=aHF167KS1t)~=e{#wIy>b3)I;6s-|~V}8qt!P{YCuL zsgpJE0^DTo6qxB+eTa2}c9zsz5SKX>1;lR1Tr)Pbow8iE98$a{5^kaSwGZsm$0){d zyCOBt2t29xAb7y6o~}v7eQWz;@V$1>m!!UgAhXySwKca0%9>aDlb??F}G z3L5}%)W@&ydeCOF7(+NOyR+KG->2s^@*nDZ&ix}O=*ouSy zZewUUT&#}&S=$u9EZhHH5_d!UjAj2N$Hj1G56ma}!%Lknz!P?;cAQ8QLZ1PZ{<{C! 
zl6^bp)E^Zwm`yo{gJ52CQZ<^POqm}jX>R`_$A8|)e#v-`eRo7z&5OT8gVg*;C_R!} zDC57CijplE#lB(YjUToBp$Q5jhj9n0LVEfW1MZeLWABzXPQ$IwueJO&m3c$Y?`8|( zMr5D8$=Gc%*H>F7HSNn!SOmUhn1cW6BnD~%oY_AJN^AV*dsoJ9zf4NS23EpeJTTZn{ zyPM-`Z$C|ZP{j3=2HY>%aFh!G->MHUVA7GNzS#_hT@GE<@TqvcD8V+}u3d|iTrsoF zmt4EMtl`1zr>s)01yVXye=5@2?|(Y!OJXuRbRDz$=j|$$ixTU$m=hR&b|wBBHrIG8Gy^>LIY6WSGJ>u9 zg4G|bL>`ndHXiCZ1o{*Y=IhAh;&8HFT2pNZM!g~iaS!AN8Gu%fpQeGrbdd4jsN;4< zzw^`S58@I-K-Oy`(q6LZ#;*>hbAt_>smaDMpVO$yL?1yuIA&Qv3aAQ46$`9Kcz;`s zz_Vy16{e(gkYPMZNT9R4^)ilEpBcvQh~d_kJTeuC_qyv4|Wv$^uff-{+GQ zXS8R77`5Wir1DmZ)<{=MM^?UfP<#WENuw;Aq^3XP(0Jln_ZNKLKj(41rN@ZV-}Jz0 zU4|Q6IJ)*m(#?}(?twk2c48D3@g#x`=3*W{%aJVe`yqkd51<;aNvF62h#Oj$wJBoa zA-62I{bAx5qYPRpgYQ5uHe-)6{h#`b7o%HoqfGv$JDB#^bkx!p#00mK=uaRj^4L+5 zCtdC2%6$DeMOyY|StFp$ui0aL7%TCM6{^92<+m1?8v=VFrq7~gixjpg@;k`?faI2A z-*ySc6gS)f7PA)cE1z;JJib`ruWBbBqa% zYA@1YmRGJqxs#O2v#(e2BYDvVM7m}dq<^8&7}snmrTqb+1m&CA)nq#JDCitBF^}=RHti21&}tWJR;sqnf*)BR(|?7q2X^vtrq~5Wd*Ijxui@gK z%f;SNo6n-@;hJ3t%e~rWE_!QW)nR}&LgWI#1jer~`cRp?}aBjf_08@6& zFHG!)!C_6!NBOJbYY_%WIjCL`A5)3Bpi>zq43q*uAU`F5t7a`svO(Rz9ee-JQN z&i>ZKZ{B~?5g@5|BUpI}e*uorH9Im$$3B0!cheMrdvgjR zRSq0|d6Ouxs-QIx$R+pnH@CNLf|enW`=AS?ZU73iM5cnf_2b?Kno989qR(R)BwmRO z)IEOqpTFe$q`%4T-Y(q9=I@L%5Z%enAWhD4UKp($1RpXFO>Y``QT(|y_P6+6a$&fouZCvzx_((I$sGl#>3>xD^ij!X;zm`51AQs{ii6a(>&TB0%&{=BTjV z)hm?CvT<0E#?N+<2~D&@AijO{c_^9 zUF z^Ceja5(K(Am2K0f7QBucZm(sRX zjSw=I8j&N0%(cqJy?y_FF!F|&if!y29sF6nL0MRG=sOt&&VcA)AmLB;vXwgn;!SG1 zM#M206|_*_F9nvViPk(X7lyaLnC0t6J!>_jKD)UcYOLxrsO`VZ(R%$lqha+=8*^;n zxEk7h(tw7NZs1`x7GeNp`$~)Im-3vadJxI0ae^OlV6^TYEEktK_RTvlVOLPxjhz#`7tkoB8HKXM5TQLSUga%+a4j z93WsBUsw)5!qdh|J1f(oW7xuu79~O$(9GpRsie(7EBtV)!h_p=wO{N4|Hl%1Z#b^} z9m32nY1*^gSKDr>q@KDu)eM=6Mn%IlTp@TWjw3*e*Y7yZp7I_hEvh`LPI*!JF~7W# z%n#(yXc0m%myta_#;@vNX)hGvJe0zixKS*3;)KvJeJC;>&(~=mH9UTI8@6ZnM}9kH z-gU9oqO)J(Va6?2N(N~2iQm&-oQ|r0)ow7Mh1IOs7f&zP>6P*iU7SRmPk);?^be$( z)Bs?ysJv=MV3#K1vEL>4zH+i-?}j12uijIgjL)+PWxnymjzidJ<;exb2^@_g9(y8| 
zoV%1#A#q`G;HGx7ZqN9lhq|cgjyVNCq>Z3sbm0!aqF-h27dj3!9zltuJ#}d?DHbR^ z^`X*MaVn@z2OW}L?3+?C-s~(z3%xl#1zueE@s+Z#+Wab}(l8=3TkEPZ(obezKKi1) zm^$1b%UD2>loa;NUFQ>9=P7(_{3BC|rB!v(^~HkS7UsaQ@4&+RD*)%a`#*y($9 z&xN*&F1yuB4%~0id$KUzK1=x?vb&{8Bg(2ZYEL&h#$%>tjIWFPb=#$`5c^&gG@|kY zx*zFtRmwGgVYShB{^pvP8|IU(VESjH`&<2UwazaDnu%^+6n$&baMoQ3FP0|~d}%_9 zaoKO5u_&sT+|M-MeX|(nnY+z60-B_7*r=szv0SL)ILCEm8m3eYkBpT^jOn#)F)Tb(V4 zv%cn3Yr!WWmS=wUmrE6(;@0$V?AlUIQC0fM_uKreolaPwM9(*L64^L!JF5`OY0 zAHz?@mJ#Hr%7@T95AYBaQ{VWtHT;J~ArcCMuU>uZV9Cv88-@VupTQ6XgS9GZXgdVV z3VSgOasP?C4h0h{-NatN&B_g0+OBXIpv;Py{ia3;WeJ3%5N zNYbCqsoQLT|CR0_BKdSr9TzblZ-=jodMKo6S-y~~r)he3Rj}5Y|e`iPSwHv`4=5;InYefhOflJ`tj|(6#GXd{kGT)rdZpz%3m2!NCVKO4lf_!-9_?_9s|L=e}Bt?6O7!I zI6S>FwOg)z3MqjUtl?xC|Hz^lSxbbe{DkHZj6;F)il_1cubE-ALK4WE>{NGe@+2l( z4C9dV!r1CiXUT7h9QqE@{WIy91s28jV}JetKQ#THL>qqcNBqRzaO6U z3In$?QCw#3*7kFu!xU8F&j#tf)?@xa8Z@xi3POjuJP}`|D2RcU!Jm(n!lhQ7Fin;R z@?!dVan8aRe`xnB`CC2J6FiB#nnpDL?X{_BfXiMGfUR~*B}v^-_GsM4Dah6%y;_qA4Yn<{ARrM4t$u8Yu&sfyn zGI%Eo?H{ep%ps=L+6g6^^Q$!`$dE4^CI1;DoYFq*e46jjI2d+CGq4?BKaFp@ENIka z9zudR>#?02HAk%viih(WGro8X+O_C>`hX}#UFeBSh=pyeW!IMI`sQU?ljjbQ;Y%@p zW3~LPDX`rJ!yk=~DzKUsQ!NtzI{j-v*?tAVPAO0IT-tK+ty2eG;(W?!-nLi(OBwjw zhyRV8bs8HMvN~2x2^IOt|K6$Xk!%+<7g3Vp7jN3OiN%%w!Qv7LIKnogx2x%tY1J&+5#nu?g*OAvyGHo9S-~s7ODD98;tB@4f;T(}aw* zz}6L=mG8BAdF;M3qs*(PTHqqz#FNu4S`Gln^vPds;rBr; z?IiAh(ziucwm^;H98;P%R!LXg!kQXU5ID*K^482RVIC1jIZ;-!Pj9aYd7xQa{04K3geisG94*7743Z3RBb>e^d;N54M}~Rrc)9mHES(*M-u@*hp-OJm?rlWiiv&C zHZp5Ru-ZjoMa}N!yx4u|;Mn`Jt4kiMy;^=3IPVsOKigu|hD!_~5MI3FwqjIL@wbRU zyI9ji3XBMC(z{l-OFXJlH1X+W3Zc?>Z63-fKluj{4G|`#K7$y(H&zNzb|+A)#3OV^ z<@b6a$n(?_fVRxV$2r?Sli*p}VZo#IO2QTp6HrUF?3Jg#@gSwRy^fv6zf@UPMq z{`8{jA6?$;Fe){k<1R=wf%{^D-qC)wlU{?FL25&%k1gxBHZC11-ax!0@(@`7qXx*KhXF%k(LaXq1N`+NQt8h@*;q_3U}i6a>i~tB>(_rQV^;bm`zW zueO1*;P$CZ`K$JIrP~7TM3`yDZdrMAOM!BXc8h$GTi;?p=W1H@a^H?#6T#huFRujl z*wBx3aF`n^l}C`E=tl)kovvb$5B5kD9lC{N;#Diitq{j|g5T`mq`Qbj;-%;MHTRB` z;Iju-bzut(b}I%d=9%9=Yflv9^d?kzlb-=>u#N&`Z`elvy#Eqx15YOoR)pJm2MNNGn 
zzGH#7LZB(^>K$##CMA%T4(^>c436wo0Voy`~r}G_2Hyu0;UCuCdWUZvRic8 zGB+6Yj#T}pty!l3(1PFWV!&!M`ZvjJvd_--0%~1`=|Ln?g?0XfGikAJ?}#>sAVxr4 zUYlz5^r^UsOaQz_`$1Tufir4O8n9u~!;Zo~7!oV7& z>D@06I|*h!B*larXfA(a|7m*PH7VvuC*k+Lwh8mt*d^YSlNwHgbi3nnyZ^x;Yk{av z9W%_YaSSn`+ntWmN3xX&XcR0#A9+56l^c6_!`AB-egq5HkuOQKCX{4EG~z~8H4%y* zIUH=MJf*_Uh2|FrDr5oJ=Nw2(g%CoRU3 z6x_5K6u>mc>I9rVfTiHI|I(6{jH`xfg;f|Nlqc>`KGJ2qG|px9F2%X&)(4@?f7TlX zSwDyB$@qc9k6&Kw=xGTx^1t+guFyQ1zI~QJx#jU6a5g#k$z5z&fzRe+9YhgH?%|F7 z-nD(_Kmu-def8rT6{?2ZiqDojc_)Jgn4b(`&U>3K?7q}igA1ni3lX^wLO2SuotRfn zDZ*G_`ERFkL**17o+00vx`_Om?Q<^OK9Po>tQ_vFOA-d0a`EyF`qAQ_RX^2v?xev_ zjiVw66cNwg<8mHoo&Ut?4tD8?r!HzYnRW4nZfJ6zRQw;`E~OUd6~y2{Slq4 zq_|uOYYnu)G(Z|Le8fJf%f1~GgaLVLd;YgUgHQ}V)IYaKrFkp=BCxakwp-Sh5=JO! zGqNYiT5Xyn-e2e6?}M`-)d+%6ON-(a0GyUZ(I}iil_sW~!dkqo_mm4;Bt#P>vb)q3 zSp*-D7+q_NzbDw0+pTB`NYXzouAe64K$$Sx2diSXa#Q#$JHn#S(@Ta@ zKFQiQdkPR@w8!~cwbb=>tbnPabaMQb$%dzmZD7A$uOi?!#L*}*T^rUoApoQWhK`!$Ps4-+k_`PCn^G6w6J;zm&JI3*T7cN$$yf;`ec z3cM@|>N_c z!C}znozaD&qLTDsc?4U;%!vp6FR{8&cu#bYx;9@`+>r*M`xk`r&C5;cKJ(#y^rC!Q zyGz525JddRvx9MKPyMRg9Jm!h}yZd2Q7OzbDxwTr}jG4xtM1`Y4#>6b0sR1&G7Y){8ODt-Jdr4?yF4fVM7`x-@W{S5<$*m>X|s2U4I?C*KWQVb8|WN!3|U{AfA3z zgfU`41<=P$$eW2+Hpvt8@!yzO-8TBk#vm2MSVqGjJ_nTiYWWM>ZAKKB1X{m7H!|KxY~lslqc<)H*14qV7D)NI zMfDgcqclJ-yN{`@F~!yfsR`>8!M#C7)dOB9ziZB$?w3y4d5DSBz&?=MyOiPdJs@QLO#X6)R{2I$iSAm_uj~q^f+5N z)Vh`U$zU_J2`dwkWi#x66S+^XVtaP-r2f#gEw2bnq&7o#DQosDORgW)4@kYbU%W;$ zW{S_tChDy!Q58*VZs7fT%er4?UXzJiSrGwbM)CO%S_B;Y#jg1V9SE(Vxpi;=Eb zXzAKiHh98O9#{EE$=f*+Q+q@*1yfQPzkgcu)bPVOD0AQ5v47=ox!_ugIO9S9_9@s1 zpTSZqRLxtj@P|?OYncQWK6LPl-vl@O?c^OiqV!6bcnIAo0elN-ZJgj6R5gWmA0C=ly4@0lr6&_J|A!;Tv*@apOlbxncl^ zuX6t*8Ss5>h7U5^#m1)ZhZdX`yXUd;{z`L_BnLRn>mAE5K1K|fW%csQu7ZnKL$f#ry5dO<0t!+;w0q+Aq7 z*VhWQQ=MS?RBW#uH(acV#mY{<#o6&^&7ur9?PGL?dIyO2c34!&jrZj^xEK$XnN8^<%6lpBHlk=Q5H6S*6I58 zq;aC|9@v@11m8uq#fU#NHS#F7eVk_NononP)z1vGaB+0tSycxe9Xihp59$YWE{;Y9 zT?ZNOH+uf=Gd3LeMg5I=aYmwGELpwU#ngNY@t9~GDr3+Fz2+#WK$#PK>3f;;0-F8xR?5OA@B%S-B(RO40oo98K?(o!RAu^TM_ zwkn*p1JRS}z 
z#=+rwPq9uvRIwqtf0%xXXL5S>nZD`w5y~+*xxcIU9{KIE}q)(zuy$l{A$*W0bYkd!@gnl;-7^exi8Jqu%j^gz5E3YiyS*PwrcX= z6ceTR(Kz+N}9~pX3upSul=1qJQBst~n7%Pg z&x(sfH7oqLY*Mzde1o?2^E=h>R8P}DhU zY9DOsp2RPT0|PhyD+%`}Tj<5{+YCag+ES>;@a0^j@4zxFRujLLQQLtBM7FHJqq#Tg&hV^m~_={*5U z$U&1_7V-U3mOG=UAr1e3FCGJF1;ZPT!Zc;-#v$89ob@(f65zclC_-4+m-uFdy#~0` zUZM94jWHII5*A-3f>t-E#EZ2x*gSSub`G}{4hwDl;v^jZmR+RG2}f4GrRxR|2WNwWc-N0FWRo)fv?U%4&gQWYovnN%}YOk8Daud!ZP7<&+z?!bCQD;e{vfJQ`;AIX!D4 zDGZabEsUxi#F5BW`D>5On7rOF;PXLIHW-LnoUJola{Fy-TY@U{R~$C-J)`cevO~y| zRvSL)V;x~3#-ww#LERv4Pg#Z@XdwHY*kJ@%!LfQ3Sj`G41z+_~&{IRlI1;?a-fMpr z332ZGk#2M!gZY)g-~4;P!DOS7+s%-=&R*sENmhfbS8PSaxWM=>y(e)DeS`m%9LWlB zAS^6~osB;s&YiS)3GS^dw})5}-Y4V}7OH**>BxN;E2<*fNuO8W6GVY=H#WH_^++USovGpw_@2f*V(aTpK_vgpRuT7>BLqS1;3csw?8E|3T z7(F`&vReMZmQa-^b?ALi)D$=wS}%aj;Et81wV|!qZu;LCtIvCk zY%glD)?YBjSt?TGb1NZCRk$ZR`o(@@M8@59RP>9k@IGYo7cB6_F8rbRrS_>5!`r#@ z#ew2|n7E(48T`J!ziHzr?i<%$;A>pqmxJb?S~HeiO>IiKc$ZLCK2A}KY<|p(Qp!Ap zU2u%pKYk?Po^`R?%aj5ITxlJ26+L~N^oA$MN2ixtIr~lR_K|A@=yKq9MA%5yGEv>v zWI+tnaZ=u_Y~N$9WIE3cd+%K>mmHez6()%>^)%i;($7&hupQzsN`N=mZ-=V^B|1^3 z1`(j78FRbBLj+ohP4xaW0UKSTXpI*KA?ea_Qq(Ce!w^$bJ}CnLtF0wagOwychwH3n5Kjrl+-aQz>m>IxAhZ{@fk+Ut z{*l!>djCG|c1kFl@vdXZ!Lx^6^yU0CHNvQBs5RZcq4FdQvNg}kn4{2Rn!eN`P7C}#EZ)YngamV4wLlW5N&|l z@Nt1mAO7O8-erT9S>%>z6b{X{PT3;W*-Z#_HpKpCx+Ur>6uSw)kYc!M$Hmf5kBXiq z6-XUUA2Zh9f6Hp^j|g(+a2njo5PazB>wtMw)^k=V-f3oM1{5>TOTp0e!e5^&3E8ei ziVg}}Pt&`vmk!VX;eM_41d(_4vy$!~z?jEJO*Q!T*z>Q%ag6YqGH z)b^gz)C@<_r}2+ZkR20LN$Jm>Siip=$>|pjOJCtQA^vlPx28a>Hh;Q@dd(QtuToO- zYT7W`C%Tz14MeieiA&naMx2p9-Io3s)7NtlAD4+#zZfbLv=4bPbKF8GryZvvTlT@x zJHG*3`k@4{OV@Z%LOjQ(ZKyD(ppAeSo*=o6EVLhR`E{zn(uOi#{2xqkp>NAoiQQnG^yX)pOBxl6QK=L7Jem#3a21v0gUrVD0Pjn2^4iO_CF(}3yECEcScE#(sn2iX z{(k8ki*j3ctfkGiEQ`m8oH`PcJ|I4h0FsxRn^3$~XFvsaPk*uX3_uu$(|%!U`h`Vk z{DIz(An(A^?q6Bz$V@KG^#AXJK7KT3@)!ef^Q|@fH3@why*TMUy|Q9sivFYBa?JlP zJ-}{!XY^y3L{jbt-wtS~Lk6<9{9Te2kzftJ{JvS1co?mYmcq3BPvEp(UU=8(`_XxH zMz!Q|GwwpfU-aa-^gCiii=qy=lSx&$Mh97smlSnC^XKKvX#^jPr;w;R0ejavKikAG 
z7h7o3T31?J>u%U|P4fD(oP9pP;OGr4!Z}1@>Fm3R$K(H6e<

VM&W$_XM@NnwYA_ zuhloYHr)Pi-xbXRSWVZs!T1qW%^raFrF>Vek{{fAd#Y7CvIu$c?lY=JG$J=NkK4ZCtGs8iu#E z^?Ye@6%R4SlvTxRq8NCxg9gL1a?;<`t%7O;OR4;#*0sC59_~L&L_i4r5cfX#_wCAF zkI6iMC??9vd1RBGo>s|k<>$h0#%6X%NWxP(yfBvM-Dx{^BI^Aie_ZG#!!@C;5^ISs zRXN(&e!3$$%XEue!U?!%%DNYBKnE8T1z<_K`t6Jw=D*gy;G~(xobD#5&)5UC9t@eJ zt4wMhPnp1Sv8IhiO-NPy^*1bJ0k}=~6e&PTXlZMKHl_G)?(zHXmi}kPIloYqS;rcXK9*?_5h=gBn>_aIGArMu}63HcLiYNt^O6r=A zT&MzNi5ODV5Rqm?Wi>G&qeIXgYTQx?+}Wf^j+?5yA;hm921mUjj2dHr70EFpfb`sy z@g>T;m=+E{@6n6VkB3D>h9jMrGDc@EQzwK5;Z%%^@C*2rM-AHmA1h(nwPDxvj43u)-gZ`Sk zTNTe45W|&cwfMIu;6qZFO0Y5nkj_b3%rEJ3JT#nFV!4lI(&O%Bw;C{P>JmutqGAo{Lx>?>#${pJ}YvFbH~EbMWvQCok4c8D@k20(sI+{Cd*76t-ih z>)T_V>3;bu)`Ys|p2AM*hEH)-I)F$rT>E)9$;WQT;Ms$demwL*nmHLM;Ia_k50h4V zF^<(y95jf3(B_yVb&uMd-Vdm8+)#DAhyAb~TF*T83g*^Rw8i6|anqyRI-p8g_}&)Z zt|^qdg&E~bFi9})LI^YA7^i#Bg(OE91z>7{E?MTYr5I=a-0m2TnNF~XnJ$7EvDnQ6 z{hIwg7}MyLl9L4Dpv(i<4qHxVP#*QgW<8z{oXC?NjUAzkzes!x^M|+vB>8dL9AmA9 zeV}uItr}~uwR0DV+q=%j6nt1uk@t~5XdIAoyQ-YlG`)Z6wbqYJ%peL%6c)d2(8LnB z6xQ@guM?+rpU`zgoR6#~n`SL<69{-EkbVHml_qd#%XomG&>%ocO8@3OJZbKlM2o$& z4hbxnH`gs3x7BC-7=`?v$X+9|&?GgHtTyeACk;w;mn~1Ck4eXE6c^y|l6yNJJRvsk z%X@ZKN0@mdeu3_9uCXEQ4AI73u|uJJP!Bxuo2$4#*t=v+gOUT5ZZ$S&>?fQ5Ug71fE+m|aHcbP_T^7^_oJlR{TO^L#hgP;`f3jd z?78jXY74!m{GcY+2`EPEg84J0KE{S>%CmDWmB0N;0{Er9t#UACeW!K2J|qc)x=sJ8 z-KFk1aOmgpy*3f^F+M_r(T)K`zj!*rrQ2jU@H0zGRckX;qg!gF`&T!e;pR`x!xVM(Jc18mA$<3esc0!<3#lOSbpH|zVtI~$k z%k(!#3-I$^3G_g|s|>BcLMe;oB3i$f*Xh~M)sND>thU<4bV>eg@$~0CuED$(Pzv`~ z_EQtANzM+v6=tTDgsE|U>M1LkOQqQkgMttzoO+LvvvSkd3>PyK(T+f|=lfR!Qj6#P zbu1G_@t9YPWgn~j%+?~(?Re47@@yN4m{0}Pc>}#>T#7C&U8QlDRSF-L`0h}*Ip>TV zGY;XgZ9gZ_ka4iG!Ax<_PVzy0D$t~)Ezkts1nF6?YO?U$t>%V?p{GpB74w`LM&U1Z z%R%Q8)aSz1pG)|x7e+b;3D5oEm(;OAm&XSY?TL@=H4=w@d<`lsdTuS_u3zI`9-&78 z1>7F0Hn8p6AUa6!t%{x+;t=v3tmh>+9h6!K&7Sy}&i@zdIJX~hkyEYrh%gD{I*u^w z|LnY<{#y*n4%ICB)Q$n>hu(UQE%u4l>(}v^f0boB&z=;sI8qe@Cw+A6m~#bg3Fq;e zyvXY%LFPqI^>B-#eX_6_6Vd$_&ojPE0t4TeYu$SFD8?4`hg1fSy7S1T?k+FbrH+Rp 
z==x62`hARLY+8f5p-3j~XRNR?;^DI4`mIp7ykjG1Mc4Mf7R)po%)lDYva#xXLOdDc66-Bo%9I|dLoDzj7I~!b%-I3WN_z!_<`A1A=(L3lIk966@DleZe>n z-{6O7hdEl2wXBBF!U6G3%91K#gi^w;rHs$*$Ar%CJF5DNSD0w2jZfg|ky`)ro6w_zPuOK4Wmb)&=YzB#zR>bdCp z&YI0|Bh9kOw?c_>;1`?DQMt?kvGl}}dRtKp3lzh<>CQa=6J1h0NF~_PEMR$P>h#Fy zfDwPrtH0~D6u9x$;$XxME=n+ON<^~H5rR2ypMP30$7C5bmKQrOeLBb_+KH}>jzYju zgIE0hY>ann1r+14cz%T3Hhu4Y1XFnsYIMevzOflhr*Pl`xV@E9j3+gb7gn3G2CDy> zhkuJ}heO}$sazM!Vc7C#nE5J|+_vrv&@ug2kIU$B#&Bl3;J%|A%?Y+k$8gq1oX!J^ zW74&FWj~&=7br7~932UU)vJ!W5P5j&av`Zv41%;e)#9PAWjex%RtTQf;Qf*-lDgi# z2$wwU`mzo5pFQF}ISKaqi;(N>cbH*Wa9B1_F&d zFr|eE)EsD_U@>U)?X{;Zu4#%;^+%t1St6aROR5N2+sY8+}rCFjyS__Jkw3q z`FBq%?MVsco-~dv2FJG=pS|3;Bu`0YY`V@U$hrj%8%^Z@(i?xAm7TDRs8!|YO#i~o z2z${x)T&DX#Y~ioUd=K=ikd@;zJ;x!*4cLF?Xh*IMT#tU%zuYzQR&;ux1 z&O6a};K{IJZz&BZ;>LXlgfh6Kbd4`$Ka>PNB>Cw0mFtIr9qA;2EoJt8!J)m&Ia9?%h!M(hxlu1T zF<)V{hQe|v=*dS!Fng#{1{L`C@{;tWEN^)Nl7G`a*I)swCy=y-QX8adR z#7vG(jpFK6g1O9{Lm#azn6xfsG(?T>;O}i4Z0(us?3wVo^`jN2X#db8$p7k!L8S_a zk;2TPKbp=v8m=$e<9crqy#+y(A$ku%^iGUH$mnH)AVeQTNf0$^bP-|(qeeG+?~G1} zE_#cacYp7#_m{;Q_ug~ooW1wi`@25}1^A^VPsaZ=5Geas4dx+0xmQr&1%O~1nn(wD z1jqD|(qYb{2Dk23-uJFcP6>cyNy6KUkC5-=F;EbzBL!W3<5zd8_#I|;oh*e_pmcTn zbDD&A21p6Fz-3&>84CHy|7tv1z9Oa!eZG^22dK&P8?HKYVXyD}x0fzs<5^hF{hqwa zA(gbA0M0X^)A8v}PfH6p<+(vN$Q%uY%_+s@nHa>Ah9S5ia5>+1BYWDjWg-ZfHuK8=OENt3u#}q2t@zwuA846njB2ID^j^Q(i9`yL3f)_%ZQRqsS^q4^{?KeRy<23v7{LB7le*3Gp zhmtk-?0ks09A){@eE$K$xTmC{>aog0ghObplZTKQem4XC0+u$J8TbBU8xLdk4m$K> zxAWfN)^BqUE6<0nDD@t-d9U6*dJ4bn{Z&-Wo(U&tz>(+1d333R%vs%|nfZqwG8+c% zJ{`@i_v3sHv-QIhwYFqKNmgrgWyCmndQ*eC=twJuKd453?*Ss~RrIuvX$}sZ;#)v@ zQ5}(OL{HMthoLQ(o9>(-1$+H_5QzQG(q~uP_YeJXJly|mwtu|!4iIG`x6NzhR3rnY z;4bmzAnWSd4^Tn#EMNA9x(CQjfx_{a!u{58`87%R*-eWo!p-j1D|G(R@j|NN8J6$a z)~_?XH=boLt!0;vq1}tvqSmggkg3+D9&QdzT2jzCh0zO!{)7v2phE8J3((yp;5)t7 zFQp&=sVkEd$erf5vk>fmF*<_+=&8K+~kA$Rrn}{KX63o3r_LV)Zo*t?$Mz0 zA;I^}e-2r_HAutoEOy5DU{f}q(uW^Z%eaU~d``u$U)!2LuT()?lEgc|4hq@fiu9v-k`s_&N=;q046OnZ?>@LV&PSn~NPaAG(8uQV- 
zWmoDIuVm|Q?f)7n`gFg6>cl0hOA7docHc}*xGnCE5j{lKc>z={!w4gt11i+IV^Z4Q z=&i(gQHAb`{}y67XOhCBgKtRUX;Cj@ zYjpV0z;ow3fCC{w`#?eS_maP}YC) zo@J3K?k{VDg47rXPrAANiB{!BJ}9j=d*a{D{KV=4262lHp7i{_&_vD{DH#aw+x|BV zrv)`2+0z2luS-R*ZQhTLs~tx`LKomnG}OUNN{Ig}mTIoen6g14s6Y1RFv$qJy?@a- z%%nc%v|R9A4(?*RU&BVnSkWhI?H*POlKr6Y?_V5C;~2d5B3Sq>PmfKmRFP z_+IWbScq}|l!x^v(fGYl4Q*jN^5smqRM?y=F8$!!7FbaLnTB#M^-T<(@Epw9w-`zeI8_)uec*UlHve3_Ep;h zR`DV2OL(`tv$wn*pC^U_57y4>#B$2>mnOfw-CsQF6~`KYZop7rYwP#9IBL%Jlo~9( z-vSXYKxlW(soj=J->L(BF13?rpyy{4;IHnhq=9eQQsceh}RF10d%|hEIE% z^tsrs`qgX%(f`*zVpSvk9$=gT=!N<+rDtac?z8d`UdR0~RnDT4r??OffxDW>rKa#` zTgQ*Z_&4?E2T5`J>(3Q#S;8Hs>fe3N>n;ikN4lMVgml*|C01I9`Rp|h z-VKd~vbK7B@qd|m-O7<^*cb7%;mvu`?Ok-`{aOdMOX3dWlmvi+jRsJ#ql{Pg)~>dS zF8zmJ*f8J^-3^K*KCbj2c&piUdli9Tfl%35uvr=HkW&-%>Pw||zRAFfJ|Gs~o#3Ao zD;eWokn0-fpZWRvE4cG7!P-|M(7uDE5_I_8f;Tskv8PhZA`5tVE;({q!v?pSEyOYK zJp*z8s-=7!lN$V^U0E!!?x^@pTRJgf!wux==v)kr7;+>w8}^2uYf+7sJe=&R<+(53 zRV;L{0F)!|}bJl7BU8IWESm#==>)(w`kc`Z?#r%TLk#`<8;ep;4C^dGh-m$+9k zOWad#bZ+K`r10P;G19VTa}yJ^^;4dF=mH_?N}F)?W`(rdS`NEZ9MFA$01ZK{N59Q~ z)G=swZIdh!ChHcJZ;lXzH698PFTAEU%Kf-`x%9yLt2p9W!@JPws!r997zzmT;l1Qj z`k>$2;6I%c^^%Lu+CW7cPzJkntVMxR&6|)kP-l% z)z^_jj{}ZO=^!rEK+;$ouml)+2_HV5_i5p2ewrU=0Uk_}u*;v_JhR>K?$@*~6lO#J z{qzyGOAL0U1h%B*(*G@;u-cXdCeF^N0iJ+?gHI&Eo-eo_dH>?-2B4nD@m}mdI^f>S z4m(;FuIWXqdNvP1nBP&m`xLv3Mp?R;1pOlP4 zqZ@BoN{`f8MPdM8sHD7NgrRETz_jSw)zsS_8-qJ0HgDVi@8Yz`7zq6$mM^L3q6@iyT~&1O=tY6K$A9jNIai zgS4OKof@=60nWS5ooS7mgC8OT zE6&7kH;O{;i^6W&jnZqA+g`UF-tI6nb$ zv5on^#|D6HTWp*Hj+L95-EWta>ZXVVSQ(&8LS3gdLQMq^M_&P?706#n&Qy(ncB#FS z(1;C}!t}rxzQ31oeg9}V|CutJvI0HjWmfRgY3*tMB9iAB4D7jzPaD?Ymza#7-iTae zPUC#d+gjHhmw+Rt-gM1tSA9i|?&pH9@r#&Bq_EJqU-;QGd_C>fV^y;jV87$9f_&s1 znvhOI-V5(O`+aEHV0gd#j1o5ZXgHru{b3!^f;StOFfH6SV%BQJXfPt1GbRx8g&Xh9|m#f8zP_p9;HpxZ@9-0Mmcj6-fP9A9&DL!X0(UgN%DhOuMim z2r6F_Zl}!@?q5xr(xkMP_@rPa10>Vl4$B35Fw2K z0h0^n_f<|M*LNkzOGDenOJ zXAS1hw3Oden6!llubFfL5~qf|qw8MJ>4zKa>F` zA8V6#350qryc-ARkQ?zr%d&bFa8<>j(>?Q45l;c^lrG?<79_Q8I~u9mjlz+Lk-Ix9 
z0LKIeHt~ZBn0pY0u1r!=q~u?pq#Nv4i0XdV=$~o;XY7ybL62l50-QNt>Svca2(y+9 z;k}16;3Cawcco%-fEcBtjL7U8@O-sxT1aD9x%S6p=(EMX|v}DLNozxex-Ob%dhEx`e11sIAV@e3E!B?RI zz016I&h1j)e~{g0T2AZ z#QL6*&X|95DcM9v6Y|0Yf&(Uoyhz}64Yq2E4s%SKRTnDLLQ@w&h#}raSF+4CUW8jB z?;Kgdddb||sFMnkhN9fr`j^yhFil=^q^{Z_eo8oZ6t_dY79$vbKo-MCtc|9Y*Hn9Z zvPQDhz!T$b74~8HWdt|W)iBcJ2Lqt|;xEdJEH#mlc=f?U!YGEGBS6Bhb)>Tq!UE#!GsWOMV62J->s$OY3A++CPU2OHe_F03nYKb0f?{JeJ% zMZT(GDtSpX;eyi2NCvA+^9z;L{|-Z$;LsU!X?+Rjh89g=oyO2Jq3R>J;?3rAw2^nu znDytxfML9~QWc9KL$NPz zcrOL>>$7D>l*HfBH{Hj)-y}QbwWO>%j8--MbKC2Q`7lISM+pg|`K>!&`q4;p+t6rh z#yTa$gtu&#<~357#ultFyT%FnYV&oSKFU7(v`k}&fb}Bfy)xYmuLdHJ$IRiF092aZ z-g_;u4v+oTZz7ILuSz7$Q+_o17}ZFeU6^RM{^bXEO|UBd&dWCm+Mmjc`uLVNWW(aA z(+p?~sjr2Dlo;tAzS*#?(qg2Gk>qIxu&ZKb)K4ake7~HEn!F+{1$d3}xu<*sjf zD>l34q4noDczgu)|5^eN3b-{rs9J~<4n20-060a4-GR>&44V7Ba6yW0RAftY{aL^? zj3ESl>M)2klOgWDd9H*`k{;xUdEJerZ3C-GU!ZNUOEbvX|%qGX|}{NMLc{2rSrX3di(s z7O{eT4o28xhs(GKlGe>}f!~CD^yt3YRpM5PCP+Oc;5%sMMR5(Nh&XJ_WthAmgR_Nt z6U@vr6REwq7LtaZ_(o;HfAPspQ)l%*+2t?bIzxzuSr#^Hwx2zF#to$WsN=h`-`|v6l|pfzpx8nfjC^NI{8Bw%OsHn%D?whmH8MtZ~{KVEHp-(Gr3x zw0fg^`3`J7{(Ft~$-hFHx}%!FyxXYs5hD?P&7so}?#;Sr8+a-fs%sJ0BN~#~$wM_+ zE)sAdHbY6mW5yDO9pm_s~9Z#lPj}99N09Rdyl+go{W)_3M%ljlE zAO%ce?n?V7%#IVcHrZch^YD;mIAA>l_hxn1e@kSLryZLf(!5DPoNV&KHC+*PGFrFI zSqX*0H*#G)$W3#GWC06l_9Qw#I^!ueY%p}gWT*a|{XM7$R7V*j$BV6FaC=bGh$%UBURWqcfgmj;(*78Y%C%D)*E(o^pH7| zeDUg&Ua%yJtKhv4qoJKWDp~BQIki?7f-R(yTUZ6^jg2(h5_>;>C@D@=W+Pc`P^HZ0~P4G~GTG4|% zl_F`ziSYc@3lb{lG<99We?Ozu3K(g5tR2x`}ntV`Ah#;|p zh|6W&^6S4j7emti-nHWYY^S!f%|4D0@s zY`YC&(D&a;VXwl5Y)H}agjxQm$zpagAhTiQ-WN?*@@%~3V8THPlXuPKt1Amq4Qqx`rw zTh_-cbg)`^xYm9u6tRxtlJ0Kp#>F_4Dhn0QdiWH6V6T=;DtX+djtzC?8C@HX_FEVI zZyB*ag}O$XS*!sz!KTkUIFx&q*ye=@O033y>;+MZm8zl=pY0hh%MhYUKJ;X zBaOX`3&(dy9(cB{RQ!fho$V2v7*paZbd~d0z5Ru%Bvie8%vaYd;h+R@J6PD*D6EE* zruMm^Tk_RW&Yf^Akzt7VH&Lpn>M#cM%k55;TPz%)a7)-OUOas-uMgi{#PHCAo_o`RsX?I4j{ z?@HV~F161X+t}GiP&@WymIQyNZ zP5W%_2i?>ySRaRU&%y;ve`mI=O_WMUZJ3lSk&r(YF{fp9NMQlz)bN*Zfv^!8P+C)l 
zlR$94^)ZO{Fp(7b$0mUk^qTcxjE1GrD|7?w#FcIm-VelaU;nduB>cprKS+R>inNU6 z=Xc-&dn|IucrH}d%gMyerC+%p8W=#hud79lM#x@y^f|yq@!y%}gqbm7P^y&e9$%VB z`Khv84`X?c&6LIRB~eVpWMOi-y%OJVKUMeZpX@4CE*sYA*?m<$W%&XOHkZ5JhWCN3 zh|BcK* zqR1Oj!=}@lLO&D3{VF&`4N^an+eTFOTEn(pQp4qm2EV>8^;9#7bJFY)w~`U_6azjh z98;(olHFecaTRP^!X|U(F^knMycZ>1*y!W{3^@>4QeW@pSXtHXfoovPf~I zqc*K{Fw81lKGu~X0=C}S{wbBR;<%U*Cr!hw>Ma#8u*PJ|PymglNu9kJ( zhb7?1KWgxXG_;$kT*fOvvbid>dq~4JCP?Z@TU7@4M<6is#2vIMw$lOoxOKy``!@|o zGJwB%?z@vi=2$J{1G)nid4MP6-folZe@bUJ6cQt*ZZUzQE4}sn&I!dzqBpzv8ulr1Ps8D1T%oZ%xqg456 z{%q;k9dIL|qR4(=KQ<3f@+D6Elbmd_{XH=Eqc$_2_2d9VCnguxDTK z!1qAtrJa~;{D-hAG)1r5Xa^#it>H;w8jXwADjA)kM!M9Pzz6-Fk$2V(aLzLU9_5<3 zUUUSj|*F#;7GNj{nG20 z79O@2NuSY4^3sKe|15dqI{3E&1VX?BIo1JD>@ein{$fz#U7Yb4GuAajR8pgwJ?-;d z$>pQEGm(LC_U=2K9QlE(NJQMer_JGu;4fK_EyIn2Np`j7mA z=}tq!5C@Zr6=O|DuXYvdmBc$r`Gyu%7n(BZ zsM#cJHQ(I{uA6R@7DcX-q*NqjmW=6t*%?X59+Sf9uNOvjSno;v{EXR+f@z_X0ON2{ zjt6o(?qd>I4v{dn!4+|ErM8I4`hNAs!K2c99Ba@b-yy_XYntpZ2&^l?*8Z9yI^BEe-RF! z&jTE7H;T41el9AM4cZQpl_bpKz4-3%`G+5P$PmxLkPYxBE1SLun)ml4(g^bswl$mx!%BmybtzK5C)9kW)<*r%HF)?vmGQUvh{?N1?o||n@2C9e>@){({_Hgo&LG@OE!K3m zc<|hDoo*pMm}Fd-D}n{%B7W`OCa+s_fk`eJYpEv_XyO|3fq*C8PK=$k&T*DJ?BPLd z;^3re!x&KF?`!K$-Zhq;`vzFN*G5c2N4)ZnSg>FnQ#P6^M=eam>GFT=_MYzGI0e_cr z!_UtSv&&c~_m(KDd*GPc?lLMr`@CPjvl=YPAYshk8fXR^r2Fo$My-SJLW}wRAQX$gqgMvpTyJJ z_vj89J7ok_j1njDrzu%{cDBg5hD!>zT~lV(^U^>`MK3AkEk$^p6x9`ibh3GBkxa}s zAw32ys-8&H#ZDLcV@E!8T-SY^s6TYM01Y*9$V@o9nXNYcx3l1Nh z#pLZ8dV0oOGdt=PTZ;QR`mM_cX@Q<@o{=3D-F+;KR<^=#zoFf@tmNtv)gg7^B=b5gc5ifj4ih4R6rMxwYpNuFT}=)wKYxc1cTWfX zxTjRLrXiP8#B^<@dtbH2N@JqzxIAsALMxW!se;^ zz;hC;j{b(;)@So}6x%hEG%~u0##4R(#NEC?>G!Ok1Sp&%QL~sMg`22sC}>Y)>%h`> zvyM?^;S~qkMypR3M|;T2V?Sj!eXrE_cRUj+3od8ZN)k~Kxea!CJqOeUirK3{Sjcw_ zVWIR-+is=vY4K8P7_ z#C!>x!H!g35k(`T0VT#;Gkv2ryTooP(qmaRxaIp{f&;@o>k!!23{%BG@Tr zZ;{X~Jfegb#ko5D?`k;XSyM}DoEPqYNz+%+$4=d_NA|zEPr*aK8+;%`1Up&zw1>Ez zv?N;;89!egAUOO}GEIl*(vOtdLhD3sd|9(FS+60?Ew&F#dT$?I_c@Vg8WevFUo z)6d-&m6RztB||z7K_7eHHyuW#pm?L(75k%>?U 
zz;nIFu?IsRE~!;tCiYs3^ti!S*U1fXyx04VHg43Wm~lXlJj%5@Jd{^frbKVD50xPR z6bNhb^zdNuw=mP_Q`Buw+=Ib`E=o9oz#2MQ)w+HwdyisneuNn%X-w;B*d5Cql9Jt; z3;!>EtBdW!$7mF8>eAxF11XYX9uTQ>B!x)Bs>XP>UpW2wIm$9=0sj^%F{P2sNoE@# zh`R>llwKGf1fOZZd)?x*fCCAyunr1vF~WLT+q3vlis46d&$a@g-O0j|o6Q@kRwNq- zt<_sixiF|7QRk2B?6+snKB}p*f?1#(foEbr<0LbR#ka&dJ*B+K4i)h#TF9+Epxw5@ zJBN1@L67&FM$$T|;kaNAp1nd+BD-%^Qpau_obMk<M8LR0XFxU*Mo z4BLwQj8t@;M=Z7vgx`||?y9|&X6L6sz93Vso^1Quf258NSrjt1(oAP{2twXe`8yN) zI1@`cdOT@(W;T?*^{tD|Z-@4@Pa1R?r}n;Rz^p>SIO^))4(EkKp&5n1r)z2(Ds%aX zI#_)oOL@B*Tyg+hO#rfZCIgzxQg|y7zGciyWMRRrQ%M?;!3!Fac5j{5%TQyUDOGl} z5|SPvNUa&2mxT5=i_WD+9B7G#q!Q686%~Aa*%t6yP`Cw$_?P|upT{Snx4~Vw&GxU!cxu(Se!F^)Vqby*d`1VMc>aaLpgAVCMhul-B+%)WjONuZQ@p znLMPfE*@-2%n-aY??QT2YB^<0d^OYE9sW%)XaG~6+0XrO<@b?$LNn2%!;Zyf@VKpc z_NUiO%>(ZiK%!%?$ZzelEwn_QYk9Vjl_+Vp*m1Ooji`9V^It-i0rf}DuDnXkv1r0X zp9~D=i}(H$$+u$kMpm!dA>}|DYW~oODq^EMpV@sc)j0}AWI=11UdvQHLmk^+g)x4T z`Mx7cor88D@3l)wStu@&0SW4u9L;iZsVwCU_}pQh)?}|l1)(0|r-1-T2?71b99)Z& zAJVV^#r4a3c;H814wL+{M%`Ey=x6m zmfl{EK(gZIQsryZ%gC&RwO}aVOcB5lC@z|sLVW#xj3VFMt^6pF_*SflC{Qmbx;m$gaZQNfp ziJ+eRNg3t(b-sCROA^!`!N~xXff*i_w19)MTrzLxM%k-~cqO0n?15111mm z4+IxoAjEU_+#~z#&w`3%ZWu6aTV(sFbay6B=fAk-0%r_o3ro_nKVZrwqVR-Rx*_wQ zbYB(TMQo8?qH(HB6EwI*=g?Z;6A!gG9m+uM|Kx4mVPA!5$E3|`I{Aqps=@-roi-WX z0D+_pOjt~9ZXw}DGm+1`-Vjp^44=c!sNrWKVYN%GJ+m$w9v zk`>D$MX!Zylr-Va(REtIB|J`Z|mkPmv=QKYyTi@OXbn>-#P1QnUe7d`U*GGVmV64L;pqVf<>tyxa{?iSWS!atF_wL z2?A1V*k?0@;r1c<^1qO#hTkk-!s&5P>GFG7I0Ct)21u@&l>RI^rmPK;_Y#|>25in; zjck5I;4Kb8Jmj`$^En35Q|FeUzzoqj7!gL8mdn%yJUTm9CUG6J&Rp7A&$0TeRao0G z)#Uz2td>k7k4VuGZUU49-#E~cfJ~qDaPn=Tr$5RuX*TIR$Cm|7R3wp?n*6?ehV{Fe zO82p>h>aN#CRNh7wigJWHf=>wyxL*!7r{|w!;uWxv@ES zjCW82?yJUqKI{`(R1&E z4B^_1Hl^Y`$@d2y-{-!PcWZUHdP3;AQ7rbJz@W=};-(SH_e10;dD4Db>?qpTq1{($ zLW;i1-|hEPTBsw;-Vs#T*&^@N&ZC&THZvUALo=EGnppD?d=dr?Wj7ueJHFkAwnR55 zMV%YZeaM2N*F+FR(2Y@~AYLjWzuoJ~%J)u?h?~7qPrxH8!pA}EpnI3GVe7s<^}?gY zL+4ZOhorZS55D%29W0sJ-(OmO%yXA`1m!5;#!h|s#O?2!wxa1W_mO1{>2eXmpEgf9 
z=pjlEC2ETc|78k11bRkRO*Fm%{=t~}Bs3-Zu>(1rqNVMSKY-K*oTIR}h=nk4*f6HH zLZUrQel*v1Mb(zhTv}1YJ@`n9Ex;JLeexsfk)M9K_e)n^Vn%2sETWVArPTLR`0*fB z=I6Cw~P?w@|CG z*;9ghK)H8Z$2I-2DdOH+xVQWkj|_NQg&H1JjX3aPIz@fQ555o|Qswx}`-KvPNdis1 zXq-Lm|N19&1gI3|n$5Hzo?V?yQbqUBnHv2dd)i{-qQVAz4!J?gkb4I`r)I!6bmU52{F&(H?@N6>+qRuc4kS!>D!&*u7?|rUtW%E zKhp zl9zphE&Fcf>7Q2Fqp_du@nC{ki(j6p;V^UosfzFKmP-9Vo|0NSG1wq0#tGqfH26BQ zh>B~Xa+*e}(Wb>DGOj!wE9QozUmWyg5*~awRsKOiyVs5lJCGQ%g#-DJ5vyGm+k!*`r(?vo(MRvhNC$>1isDhVi%|SprL@+eEctt&R?s?XN3|@`D13GFH9rS z%SieSRit6#mE?7@yY)Yw-CZN7EY$W@n7=Y7eIh~*sW|<(NsQ8SskxZ<|0bJJW|d+| zY0iwf);{e5=NC)NG7~xC_6$sa-1<_OIFxFsCQFM0)MI`oo$)6uYE2Yzslz>n83+Eh z4QKz#4L9&q5$SV)pkK@ni3#g_T(8wmlYKM7N+kPRtkQNnJSH)73CpCa7G}MaxBqm^ zP|n2<&phWJk|wd`#$hNm^PJ_0KxBfKi<b*tN(UZ%#82;QVKc$GMYdKe&ELeH?u@m_ z0h&xo$Y~G8uOHWO_Hhl#0IIH%>rVqxq1gYuI8kW@Ql$8L(Eb(q%RYF_B(x}O+#toX zCXT_4t7-SRU4I!XZk24_kRk5*7jXIk4|$ZRHcH&JZ6nT@mOnsZhp$(DBOQTLohDFb zc8v;s2S2xdJC{L}`+3=rBKgyk0uBu%Pkgi7yN%`X9JW8T>;%jgU##F&H9kwo$UaFAk*xD88w>I&F8ESiT`(K`xnF%fBHts6WMVKz$27caPde^KqiVrv zw{hPsoxDs&$)A-sd!IUP$!>>0|nrQvC%G7S5&oB#h}f?Yls z!uja_X^3J7Ao6^${g5d82Un1|1x{@vkHLLv+;e^$Epkkr6VX>#Ku2;t^o#!&tyQL3oM=%?R>gt&t<#>KFPt_5RJZpm!oP}|PvePE|MWIVINkS0 zcPAlAJ0<_>D>jYPEjzDpFdDccPBn=MsoS5v!_Y>ucFgN;Z?ZbpjeUa>oZcCivL$0K zyKf8~$98-2vSCIcl27tWZfd2*N9mV%(G$_Eb|F4O0wTT_-Itl~&-Vm{YDe^)dOft1 zmEf^2&bl_JNvKamjCRHniocSz61K$(%~=+G5D@y7E^_MHJAtC9%Xc%nw%t>Rkudvc z#`nApulLDngkpoD-%_6WMlbW$)PSmyjC#@}O)XEYkNI$iw)*2YoqH@rW}N-BEEb%Y z8YKAXj(D|0a&7mYmcvtF$vF9Ecc1fYs8r#`pYXaKQt2zRjPuim9U*^DD+2J|9qCcW zaW%3z&`V~ah*kZk@jicYBx+y0>k-BQ*O{jcIfmBGPK{uZwvb@M+NXLfdDlgN>KC`~ z6j^fp)4D&m5C!x+kAuk3K=P|QT2DGikV$mDY~Z)hz^F0Zy8~xPw!S^K01n5;A!Yc? 
z55?c}?XtBMIwX(}CbP~FKDz?(AuIj5RYu$IS-IG&nc|i07~>x8+)SCM43M}F7hPQc zmpJiE(a%rsSpNuS+Tg3UJ`w=p0Q;AmV$Voe^s-%H&lMNOE8U;nPaIeh(N%J}coloO z9SEG5kTr(s!6p}1p4cZar< zFoK7k7-u}1%aoV@+hn9pPd5fL9yikW@E>tI@zm=l>jWf$6xYDYL*ec8?Z zf`fuDA!~L`q8S;AnlaPtm}|bo=WqIcBQuzSEz{j?m>7xg)obS9s)+iw_oBStrWaH^ z+b)9xer@)6uk0J4&FyYQ!X-Gz9t^Mbtk02F+rDnQrX`Z*sBX88Foq)*W58NsZ0PhYKJXHrxC2n6kggmyPF{ zdJLELb8EGf6w$@@WTe73D=#j_FXHlXP0Me$d(YfLxsoj^mE;D>*t>})5LA}t!K)d@ zO|h18=PmJY8IgAc-lD}e$WfaR+EMmK&XEGIJKHfpiFh0IA>gt}?lP|SFw4y~*WJys zO4tqdq0@$>v-`VGWzt(1YpOV^9$>FQ?I{&7LC&m?oe{PDrEr4+$@OCaedxIf9|5c~ zIeqgkh;a48;{+>*JtYUK(6^!uMC16El)-Q7l{cT7YJLgFcy4GEoz!dX!OuL7WahYH z6lw{sBJk|iDtVES)+IAn8Tw?UE@k8rak5GdmMmz`0gs>5mnB5;(Qo^XvAKPeby;EV z>ctKBhp(Z|jPSeZ;-Ck{dc?Q_N#XrJI$cu@S$8H%8g(1{d)ZWf<(>Y10~Ha2RSuF= znHL`f9|aATD`n5Akkku`K(92XOX6hRMB1ugre_iKh7vW=7m_4i(PiX?n(68O6}8=} zi3+u)y-p#ycPy-GI__dN1wsV1FtiQBXC`rK;kJa}9e8)X+#yrr$=Jt+Zs2fSk|K*A zOi!kbX(S5A-%22+M|R$w`rj4kJrZR|{VI5m!L&aMAarjNIQ~N_EJ7)8*5e`jb8RfT z)c{MB*qkaJJ@mKfW?tQbFD-&$c18ZYQ@vdxHV`9QU5}2QG)>Bz7iRjFnU|#lkyYb`)NWRjyoZGCA5uRVUH7^Ukj(cL1J1qt&&jDQhw( z1Ky9ypP2Y=3BG&zoMFG&y7c*`3EG-_Tif4(e#H&Oj4=#0lF{o6a(SuIlMBb5=6T23 z??a0^iZ095_<*V#YI?AiKrPkILzH%Q?@r=y9l~imHmG%5zg|mLtEzf12kH1HP zkcM#rB%*t6Jiv|ljo5YOM~~zQNAP^boW$iByrVwmcl8AEyp;$~OpvOcSW@JbiS+ox zfALR(elD&q!c&^OD%yfBAq$y2=I=+u4_~xK_W$}x0a+M8lB1IxFbyJRGJwl~gY{X1 zjf%d)Z(l<_JZV)anA0OtNgsL%Gycu{(P{pviGNHvAG$r#b#ym9tC`|<@D-2>T>2-a zK;aYA37@#Z9L;zK&=P8)$KeZjCOpwQ(yY=RmaU(~;7JHS0?;kZ?|60|z z61zb>LC;eT8aqAom2bb52I}c>abjb!PN^k%0G*;~pYXhYMw;U%?3nVa?$Mv>k7mjW zG5B;Yn|8`Yyw8cCd@V<7U+*Y`wu-U|U&B`Z=?&&w3N|T-|I8Nt8gHSa{#DTZXYHMz z>DE|hJgD`Ir0QipLo{ML=Vr>^uC9)=-+DN6%UrkPZ1KoZQSRG}XicUGTwc{fbKQG));W6?*@rzuJ@-o{^ELg=~x5UiP9| zmLvOQKyt3hWs~3l59poz@y-svAb(>E4sY&UEG}VoOPJfEc{Sb+#vYo#CnJ3?VH3+D z`iD%ZeH7ks{k1qTk!3s7<0)w5xgFcuppz0mt1bAnzQ!C852>ypK_!LnY^;8D+ZSV4 zq+#naq{Mry_`}l)-d8xB+DH0Sg`rH)VcR!iqxBcm)mkW$DGw@1HaU27Vd#5GbYjp3 zr^~ssyl&Wnx{z#cj;)cj5TO$yZh|;Ft1u7hte8c&)R8>a!G6C|7p}>86qQCwULt#l 
z0wKkFP1jVn=d3ULJ#hov^g$}m81xlaUiz+4C3-+oBpxR0PeEGidH~SK;BTSuP z8Tul;wIta+mwV12x*isDUp3|D9zq^Afo)c8j%c+AIx?5GI(GY|0V1u!GRK{E_ z>hJEYPlaCAuDZmN*lzR?5$c^epIP2iggL%`VWNq%H1Vu0E1JikHsX~DQ;TQBec%^1 zd-fdV8F-!QZz?lY<~`-T?=sZNZ3)Qd7V~K+ zp7qhqiHc>UgPil(+B{ZIN{@a*p}Fh7R)L9s=QMwNX6A>hoNEu})BmX*OP**DpT!G} zoPkJNdTdK}2d^jV$zia48ph|F{52$Eq#rI9XW$E%0|~}n@_Ef?wLG}{)v@V=$~udI z61NwQzu3Z#aPAJ>vW@n(2fj^Y(0p^|@T?p%*Hhw+cw@?oD<)w4eo1b+(yOi^sC|Ne z)_#CRy)#Vn4LcDsD}sa4!cSD2=D%d^zY)+U)lQsH?n6Y6o{JzR>JdQ&EBg=*seOVo z7o4cu+Oy{vja!WHi8TfL4ls9zM5LR<~-p)2N}fke=x&;X0hH(KvUY@bE&2S|=VMjtjclXS(sJLJC21)#QQ|d?9%)#f|bvfa;OsuiA@#Ch% zPdFONX=HOE8!*DzVG=*PS(+cc);_luVXNP|C&oj9iJ|#T=DKAvwSEqO%2D34g;p#T zu$e;xk1XcSq3{MIJ9K>5tkjqUzTdAh(@v<)(STW`3Y|5B=Bq3xADiCG+lkBxH4Pba zq+zAjvg{#x^dF{*0b!iZ-{0G!8!ys3L1&j_MTf^a()g!|<;;o;#WQj=B=De?itqE5 zH;Dw8chvVsjj)v`>fWprwW>IfkFT}fyeMN{3{w4tSiwV3W@jc8#56F#8}}qt9{&Nk zMPt!@2n9hox`b;ov*PbI8MnxDE2S*tzw~_Gs}9}hj#bckgci4z-pH%L9TpU$48~uU ztE>CdCznqp`0ULy)R@N^YkQ8wY8?h>RM0ZD0)mhP^lyIVS6 z8tFzF>0G+ITaa41r9(kF?|%23d;ftwJM+#n^TaO{BA1qhYMiqci23AI^jS42l!-W6 zQU6gm7(S1PN&tLe>9$tj`RIOafC+WXn!05ETLWqI(C6RS)lh^NGwN4IyhiVHEdKu} zLG=TPxojP%J*p-*It(g&IM4}HME)~Ai^_=FevrI40qDrffE&L5cstiCr>5Fnv&uj) zb!Dm{-8?p8k|Vp}Sn^5ak8@sO3d>Nn)^CjD`WqL%Wa&)$ud5QbgMPKZ(b9>5e0yup zw4uI)^Gdr5XZ0>Q!Q-XHiA2+v^svmZ(;dp2R)hW@@+2S%{GAlWjkvEL#V}jXg*;!B z{z8x$s;pj7=lbP+@exOl@~KZ-idpby{AaOZ&c#e7KvbqfzMyJgGL>) zete^fe_{ty)e%|6RdAaF8LJZNq4X(-w}Lyv-%U+2ju|D8qQJ*3SRi}!S{r^g*nrS^ zmFMcG?O+XrckCG-n|0?np666(s+vctgN$sqHn?w&Bz~(X7mSI`FW=mqniHjSQ)-PN>_bf{Gs z#eTy0@J*K?)vD!2I%Dg%nrydQ)9LnNC@sH%?m=ZG6cA}2r(J~#0)^=qVXnXI8%_3@ zVpbyPMx}*O;J*V@O#;IQm~~b)hkii3EB{^n!cz(MLNkp4qs>yl$#O1>8*Hn|?Is}+ zbeBik46xuyC)d3Xe^v9oO?X{%qO1pX32Y!pDdK@}bmX82yL4yacoN=_7MN)0F6Yq8;LMK!7ai~Hd_QR7u?lehOoU>8-; za9k5Ke)O0fRP$E=t>+gns`|t)YUjF<&FL25c-!c)n{ICvdQ zV~7K+=&HV$fbl<1IVZRv9ccFpBRZ4oKSI2oJc09z?~~7QHz`cR+%;Kh;~zCAg4zbJ z%%u4?e-FpPD#lb3h;{IgEal|}EEzUJTkiwUG!vVJs7qb;|RvR z4UoNa|2q9kLlij@Up&T!pROl5Q0?Q)Bg^$qE`>;aSQgY)=pA4*@#!`Llks9|blO0D 
zGWy(?knCG?+E>TaA<%%S>(e$mB4jl^*Y2#XBH+19G`yYT%Ld5xT0aMCV=1UPT2cEq zHt<;Y?k;W8!19?kh7~olUlwswUy5w01rX@HB$`qbN6NkL>7cOU_$i6e_-kwQVQh+P zhF>ILkE(*gjv+{Ut(T{)E*S^P*;M*L&dz|jv3rCk98NCFBuS|BI`Tp}5!t9#s9R$`(1DASy>= za%lNfADL|KwicYqxDTRYWKvvq=08uH=hxDuP@w)P#t@WwzY;0 zb%^$kmA*KvYyENcfM zEDMnB#G*W;Qt*z23@HZ2k3p8*)6>f;(`!CKTq}k!R;w6wIj8MzUHLdD)Ew6%uo4EBPsfdiw*F}l+O?jo z5l5sFeBp}Hg=w&~B)iBiMi{b%S(C2+s( ze6xSDmV&co%@wRuBUw)KSC>aX+Z1hd#FEokqR3sY4U6S>qd$-ls92Jz$yAosfLgMy zVAAdT5*2`Ku=Pwp#vkDn7!&r(3m3hhvw!xWr##h+<9C_3T3!19+uO z*}>7VACfNTHlL~{YWjoT{X`CvU(EIhssaRRn$c_28dhf35eQ{EKfm#%tE1_ z>u#n(t^Zpmz<}nKSBqzMX%t;pMtE*nG&W&oE5$`LKmDovsC=<_uw9#CT+)g@WajZay`ST`Is;J} ziQh_pMVktQw3O5gkJ=z|hTl3D9Hw1Q&9hw_K4b=_4Xc4~bX0?{cpjJ*<4F#fv_%>n zZrX}I8RK_6WNyC2u8?TON?TUmaqBhdex-+T!(%56YiG>J3>y411U%`_6eZjMw-7J) z1H59OfOH;4{Nv*nzbAtH;@dL?tkO8@>x{-nX2M-%` zWw)}s%F{!Nd-cch{6RtI5cBr|3NadW-0+i4R--0X7zZCsJmIWD%EkW(z}EJ5+=EA- zunql6n;Uy8JXD=YW{=M8z%jpk*(b7D(?*~=9UE;)AK9#~@sxsD;`T>L@Q}`jY%d*+KzNjoM;OTixPMrRH;U142r*%oHFYq8BWA;txk{G+ zpIG{;c3X>?%}r+Pysit9Egg!mviy*u$l1(}`4o0xObssC*ZOe53o|JAkPmg7WrXqK zx!oe2p$>W#Gg~zeWoX%8^fvdMRA}eYXFGVUV}1z5!7kytWH7`pJqj>k@c&{x1`e6O zdre!qUS#aDyt)0#AIC(8&N9TPjeif=@L#ZK+%ad1-d~?@yGU@R7Z=@)`94l-avjOy zTX79>_Qg22i@N=RncXSpe4M=LCtn>WU%lj<(5dj$#%o#>m}IffN66~?SMahJ=h`v8<|kp#`DArM1~UWd0T&T zl+sn?n(h?-4r|L}t&f%O8aV0Lw67ss?REZT;bPgc{_a~e{j`%RnPouiq$b)1Q2W|zPE8C~N4nUJUh4Ef{Y zZ?~;=?1-75Fegvzpm1e5vC$!zDOQ=lx6wWMIYTvP@RvT4ir;9Yl|sz+{7!El!<)sq zeynY{%^Pk52Id5g4ZqUKQ_JQy))*gUk(*xel?NgXUx8Pv1k>8)kqwLHeX+)-l z3p-7whBdEg;X0)ECwpNB<$6!B1^mGpWvM6gU%T`p?s#_t;+Wi76BV~*EoDA1j#P)( z4Etx?8l>t-Kl~=qvulkeQL{&KUlj>0SaLYw$nMMrSU12w;ROXB*Vd5q^q*LN1}K#V z7S(V4Ae}pwZq^eN`>ff9_rc)E41FTT-p003ZFtH7weDFmMaI$HE|wSUD!IgMVRORA zn>(ASY>O!YCSM_Ov~|m3aWYK#&grx0D_Vh#V~<-@PvvHhUvWk1eOa8`jk_dOXO~vh1hq`>(Ho-? 
z(j{x*Cma0#roLo~2QTVFmW`>cxm7Dps1>K7P}?19*>IY~-#Xz8_lhAE^c24lh~2iH7(Kk?yQP*uIIo1l=sQC_ zKS~tSpBS*yDN4Q>@bX0>rD%@bs5GBxo@44tlVfT?`ZVp30#toyHm%*lXL5TZv75;; zV^p7@kHSK+2faBzd_0#QC>?NMnu<2%&1u>xPE%c5Bte$rmz_{9KPR#sb)luR(lG;+ zOXf-jHi&lm8IV9Cil>836x4qE1Md28)iATaKgI>(7DVDtQuX(LE+GA=YDi2q9T=6r zpa9QI2_0|Z!b8F!ebGDLw@gU5GJQz+vgk1*7`w#=OzWG>kpH7CeL{h<2T2Lyz%)U_ zn==Bc)PE{IK6#PLzFpkaamMkoxBzA>O+KNvJURM7-(UU1=CBqf&hRlmqm@1*|KKmZ4M9i9T z85O?EtNAX-d?LfN&s{kUR|WKvnD-DmO3o@jKIPszojpXiR&)CoV=wY}Fb!ykYU0haH%brt2tdK!3sEK>m{ z^%2bWF7ZKho&=cL)|T+ho$Sw`rBQnjhXbx3D@`aHO#~ZM*=hU)ta-bX)cxI<=j93= zClA?ID#3Bg41@5*3j~U|OUTi-&(Xpx(u(%*8)jD+M@+XzzUW05f4sYyR*1?&tL(Jh zT3+gfN1v!JH;4~hHKS2An z4@%aQ5@d-IGOFgaIM5ZpL_&mz5)O&#qN^|)HJE_o%-tX;5$zT2L6r_tV%sA6j7dZu zY(ZACLu^sKTr{m}N~F+#zpx%^EWAiXS*}*6MXf>FAP0e-%jMusHvJT9WK*^ek#-&* zuRF;S0O_yIsno#OI&^FHak+Iux}Wx9QML z0;G+@Av$tCcCsp%(caddVL>3liJUm^**0J!9ON=};6SP{w?C|EG$`#MLy_ zEw)DWnE}q;z|rCyUl6BJ2QRDiA9{6R=I{rS?*`D!aJvpFKS86I&Yjn=#rhuPuscnj zQ=?6;p}&1B`h`0O)_tG02%#elf%TmF1JINeHor008hGJeG+#YmT5ZK1yX219Pti7vM z+o`G_tb2#AH(9^KWLB;RDnnHOmVUO5Zuz2@K4&U^?rHJ*NPygfi=$v|mdP#f5j$ye zKT`DBa;L``qnUz8Qy+;GML%vrm+>xra&%(9|EpA;I(|9Li`ILUO}prJ@TywmSTk|d zFZrJyApUXx6H1v3@z#G0fh{@xUw^^ zRs@j5{zSo>zVp(Br|9+PDYm{7d4bRzWhT5bueBlp%=5qEYcStKM4#^lBMvSE+>?a= zTw8FMVCuYUK{G4I6)obIeQCDlixAH+e_`W@eHw`>| z-^_M;{Ly|BmU9GlaMvD#1Ja@|?O0U7R_FLJ|1o1b>Jr%N5CR~c@b>D?rn#v@KYrm$ z;(qMw={1X+$( z>wecoGh@)ni*rN{OX_tAokFR9(0@(~TdkB;4TjZr4X3W-)llC0ze$zR4 zMIKfKJ6%n)6}SUrxw`R+1Oa|)dZLikM@{xGxu-_EL{js!IGRnJ*ND1^-P-H8D&ZeF=+6fV3~NkQwmrdFoKf zPqmMza!H3yboW<+{XDm8$d^@lT=mwXJvk{}nWvsiJt&fyk7I)t3yW%&nH>9Zj}W5v zxmikoy#W3SFq4T!L1XWy9;vw#TId9;U3Ncr-G4ocGM@H-(Z874_?K04?2#L__*88A zMH^#4zON%On9i{Qim8P?bXZGC8#;G(q)n?9i-(Q3~%42c=6E2`4^jM<}Hc; zQ$L`RmNJ;%f$6{tGKB45QWOgzIQjY`K%0cKinwg?>E26O&+}$UJ^t&uS_J)-augRwxgSjj z6%jhq4^)BwvyJaHY`TTUSm_G6W#te z^xC+OJV>>WqhIh}&LAHinttw)%+rQ*7w|yUB)tCXJ|BHZ>mxqxLI9A> zF4IAEbiAT<5+V%}mfaYwMj@Di1}laUl=Q5SKQB1+AE_t`ot>lTX30O*e-?lhOe%f| 
zpT;9^ex!KXL~bTI6=m9ZD<`X65SaKya8w}gUuPG(d@zR@%Cs-5wP)h7ckH__mutEm zVLzzyDu|I6H0(MiX_jdAsnNvvSQ-F(!!_Gq;+Hu)nHk|7ZOb;{bH-zRQK|kCJIgs_ z;&I6uH?GwPF`EFfI(<)X#>%D7=!Kebkh`sscQNIrap!PzcRRN@XwE-b6{jGj=sVx; zA=Szsj$%&rMIHx)^;i4|lN7+$r?SGFt)Oz0pQ{xAYLbe+6nhl=aaDh7V*?nO_v>7Z z_waOYZQ{p-ZWEUbJ!Ju2>Nb}3xSZ*2TvCL?14BUHoP)EyV59v^q~BemK)W^IeE1rS zMXP_B7k=CQ@A1GV07_ElFXxCyM-5h#g|@RphUhQWxW_hmSkGIEwNW#Z|C%9aZ(;cW znO}d9Q8Eo8f6~A-C>2nb0-m7)u@nE;3f;EVnTdaUwTUCMQ#Ilnhf|+M!RLD(-^THA z>%aBP1`uEAu1uM={&7JL)jG1tdgnd`zq&t9my++m8^7uC@1*e!Qz53wI=a9JGGxaY z_e!{zxbDqrqW8!VPojZ$9hFm$(t*H(G&}6Y0DXZiGKLY;oAV@@fG}-{KnObHG?7;g z<;k`~-w5i<(7w*Vu@j22gCFg@ zFX9Vz94vg>QQ1he@ldq@B)oe=_VYt~I}EtMqx1aF?i(4iA0)7z~FZFOi0KO{eNH$APDDuwW-uC6d?}e<9kNu*kMtWFV0|oYFao@BlVNL48 zY1fYW5Vddlb$wt@b2#j)$e_FV&}WGz$(*Gd@SVYzX>73hq()^u$9InvloN3+&xsC_ zJ6H%`)XLBo3fv?29PCMY`*>$4?)ynQL%zAT@Ow#TiYYOGcmugffW-*I>osCr(Iv&h2FIV9~+8Op*q=(WU zK=w_mG$#BfE;^wDi&W;nHMU1Ft=tin-~SRmBTbdmM>$9zb?%*%KXE`CNH|?*vTHIr zPQ-&^<1sS;9qId2yWZ$4<^>V{W36&zuM5O%a>Ji}8r(>;v{R9V#=wFpH)7KxV{}$w zxm+AX1xn{-O4LP!VU{H+)%4x!sWSDYFf751%G3HBJ*|r+W$NpB9D|LZzxGjyl`Dck z%#Wvr18ueH2ShWmTU_V9`i|RSp6X*AQDFU(hsXrbN3tG_nMR$$(*}Rqt+-;SOr}L7 z{imHW9zbDk4El6#r9`mjHRl?kJ5Cgx6MAJRZuP|SskmXZdXc0;6H99x znMq4qcb-^la`piJqf>|VNyS#^M%=5k^l=WF3oGGlLvtj+?4ofHfm|HWgX(q z@Sq)#(i?4|lpe>See+uue(p&7KT^|01d^9TD3py-r0V&HA0}l|5ia8eZD(kXuUGg7 zBw<31GQuC?0$zuF^Ko?)yPc?EsaBSxGwq&Ol8t5N5liDO|MAQ@$M_)vI}mPNWPv${ zu1SSCC&%w>tw`x0NLf%R2})d+Qk&~z3Im`!X&=I_2(c#yx8Qia?0jyiL+M>nd&$S8m7>na07LXCgi@B*-1OVGJIwzJne3ywYOI! 
zIIlxu)2g2$X;WNmmGJ1mIMr^Q0?xD9myxStfGW_S>Q>_wR4GdvC;elugNK+WWs zLw*`2<0gh*4MY`RfPJ$*lx(AbqLKrnd^JM9mPF`!rD7C-aqfaQhi&phRfmc8P%Nj|%W@JKO$mXuFws$m57;+R7mQ6*+;JJcbXC-|5?m84hPQ3Ge1 z)Ja+g)^Zk&^Lk`X*7x!94@M?By!Pf46AVaf;5T@w9eW)GT@A{S9+*@S_OY6Asx8?o zf~^)(B9N$Q>=SrVSqv#R`#6KyI25$lStQ0{Hj_uWOikIP$>Gf?UrPj}gij1Aq)L1@ zmH5sWsU&y^JZreq1OAMm@*xZx)S#M*-nxs#`#3}xF@nj-R2AV~9-bn~`B zOiqCyE%L*scfv{_k1+G#WjLvaPg9XoG0X_(%Xpzj!!l<@92y%ms9Pd%ChrJ19H z71=F2X^^ya@_;-GsNZ_NmY+!3`AVVJMVHXS+F@OQz5r}*bsb9MoB(sOmNl3hL_R#( zM>BQuM7Fmv)sCj9jCfeggVngIHpzdtaJ%t!@wd(&?6+&V`_n%Kt>hzc?1E7N91_rJ zXyi7=l*;8f8xH81fdAbXYBj~;3O4FFiDL}7;m@UWKcGk}jKxVZ`!1W*)AQEY!=rZm z0K$ID3GP;0tD1XaxG-R@4#Xr?Z4A|OlC>tA&wfEt@bfsozw3!4O|gX6CNl9q>2?&{ z;9c_#Zbq^K!-E2A=8T#@+!mFYhzQovP@}Zn83*_{Z;WDs#5HAc|0bKLN}Ga7DDn)g zO`qc2{B@^Psm?(b)D8wr1H{wxO%9c&DF^Hp^} zJoJRj_{98Mj~+0}Z5WmH(oXX_-@H*)T7(`|VAgXhU=w(`SY`uw-pUT~YP+KXE=#RV ztgy0uaY-rc=k$=#bpr)SrYw@OSUCH=TC7lq`Ky)5Jqk?)$vz`}mSc3riRoV+yNAbK zo~+6t=_u3O(^UV&^8yQFpU8=2Q^!0LG{UZ|@1H(VD%`ofY^q3T1+V?yM8NxZ=^7b6 zkY+y8d{FmoKreJU85sgiaL?U_WD+VGtY`NBK6c`y!fJD(j?;M9v~f${>!;lGz*PkycZL!mO_w+8ImnV_7Vk1foU`H0}J_ zoHVsSDqNnAI>18 zsR5~iHjE|(xYszni1D+5R4m-s>ei-TUN#1vnn8R|>!fv0f5e|_sKGP6*sh+{REYX7 zkuRt75DXHVL?spb;kJ_kz+K&8bQRJRy#<8C3Y88jy~pBXqQrhMAFJko7rSCwW!JOk znUNJD%R+3NN2f?1{EI0~R$M4vYsBf#^$j1?ng|qaSvi)&@VpG8Fi>sKw@TE=8^jvb zg{zFnwC@7JW&!_bB+J+K{7%y0`6skg8b z$B*1uBIN0oc@lt$Z6*gqsL&i~A&VO96mnp&<|ShcpcC?#pvw^}u+b~QO-VsX#GB@g znAyB2)httbcy;td|GxFFYU`o{03tyMPTVNou|Na@CF&=5^vtxd2So2H841j_NXNy! 
z^pgarG%6!lD<~~amtT^gJ*}uz>^2>Su|6eKV*rc^11S8`-9+bp6zvhTyRsCDKW*kJBvd_nKqpZe4X65!QJYM)&2o8>4Oi>e0m@EXNe=9wc zL?x`$3w0-y;fvuLKcroh&T6?61ecsFeZM);g6G>pFi$D39zvl~96ea&5UEYeF;?uO z>B~2E04mEp8_%dp&X>v`n^)a1tKY4%iyuceWr+#TJ2zo&`LIn%x|GWi>y>ziOP!3F zaG(MM?c%+QoOTA?Sj-xxmgCl7RFFi@qAfTx@VDza8Y6BfD1@7as#(V@JWZaKBc+)r z;=`!_()ussZjW_sE{9}o^MI!J>7SY2m(_E=0E@x@?aahhgp zpZsa{rjn+y$lk0D&qWW$YNBq%ebCN`7V@N&UPDeeNQz7~-TO%Fx?T$+oAg=+{iSrkh2`X@9rV)jb&z=O9xAkq<5_7&lxcZZw%ax z?ekIa^5m$m2%st5hIky-LBvbQY9IQ7@P8~ABH10ivJL*ST_2924Mjk+fMF)uzw1X4 zyIySV)-hgFm^W%Zfrm*~DWHI;;Yk;DRyu9Zel%f1;mDa#^rCo&G$qI!gpUk>6p`L; zvreO{o(Zz^e|Ds^^MN@tp!5w{_GLA-KR&y1??aPPKl{;{X$u_ZDR;}%pIV;8@nw6S zQB-dTs2hENuF@fR(OWFZWZ->4^#{#F`5XsdraKQYkQ^CD8Ep?s%QObaHg|tru^nxN zqUGQyZ?d2WkH!sk9fzJk#TmGXB+nZr7_}?6Ae*0#Vdq`F%%$v^t-EXM>F6F>R~y>j zp49EV5rd5xz~}Gu5>sJg8Dc-1L}O7u!NDHpuoH81^9|gdt!>qT+!IOUOS{$Jr*}&3 z=-8Dy@JK9eV#tsLFNN&zz%Zxn$_Nq)x(>3EYc+o=;vdx;xM8=)Hv!^^s+|-T`yXTa zID#zpfkOo4q+54?5_`Hj_8W@u@#AseMfq(r06xtlSrG!&UfDHN4Bw3)qdC=p10%?! zYyU1p&>FCH;GnN8w&FeMoczB;va}~aec>s`_ijg@YcS1^!>pBu7=;c zCAHK~t~dv57TtGJBq9gC%IWmc3FD(iKXLg<|zNf;;FjOn|#)sDY9nlLuQIY42DK z&X8hPddlkK60QLHeY7FFY4_dOi5ZJ z5-HkVTIr!zhAmmFfla^FE3zLjt_n%$!W%5kcAWp34Q1@5mBd@N`hvl-`%enQoDm*u z$^h5%Wy|o+7ihhps3|9H*mmEko8@$9DsG*aST;TI*MIgW2$C90!_rd8%;+VA=F zMSk}ib=q-lAH>STFAr+VQ!$0B-1)DG9I=BQf6b!CM{aVJ(jSF>gc>(i=70dNpC~YQ zhr}|8Zag-SW|&Y|@?Pn#^q}l@Z>80aO{5qsq-AHv3>8QgYH@ny%t{Y>E(J75*_FtG>$7 z?UVt*ygo^V+z?@|s*^6&ueuKP{vuB0wN`Y_FXT7M0rV%v=q;-$e``9sK)JL%ay@dsg(n~uv zAj(b|I$JSa<=mvR)XDD_v=d>IzD)J=l6`=@XL<<9)_|8A+&JRyp)4`@`%fS?x?5rp zg6JU0elT77HC%6)UA4OjQGEY3TpPTE*XHR4&|+WLV71^tx~FKKW1HHDLF)K{e*L#| zc&_!6DKx+5O`C4WBm$%4Rn*ca3& z_2;n6bye-%8hhb2wd_v(J`!gT8f@*3l6LtndX_m+*2>N`aJMZtTyGnI_V4l^HBmO8 z^gQYo*=p31Un5Y+na{-IflpI+{|MhrS%ouq@U!R~@ro<-s%fB*)ps~OxT|M40lsYzZ!d{=GbMVdJV(_n{_mbNgvzwd98{{sNUF0m~Qtr{k|?W)7^d%#$|F z4*3L;=cO1MvF$%i?3)+*HG0FxacJL(sP(PJ;IG=zIchNa!%`#i()FuzFq27FO^#`3!Zl7!R2X2~X%beMPp`FORc*z$BjHQCc$-T9 
z(6m36r%(hub75eLJ8%$XW9~%*QS80e^+I*(_nrA)h;gI)76x|R0Dh=$A^cQ~?bOx5Z1Ly3R0Ht74cm{XVqD5b*h!;_4y_!Warr55;fCFd{JhU1$!qZM2peC; zS}{FhkGM2QjSNL_Ch>ZxJ!0kk3DwnK8Cc3}#GXXW*ihPHcBglz)xm?n()#MEiyE@M zhs_a;ImuiR=3J>m->xmQ=&ETJ#p0>78j`xx2d~10tDA`PTW5btIFN^!4IMU%dO&}u z77T$Y!5pUG8Jyxw|I_GNO?ORW3&ha^S@$_c`i7hMgd~$kHapS=`YjMh&C10hZizof z)<4T?4UR`rgpAMQpuqz>^nXbwKg}|w{YFmFzOuDS@+asgAg~Be!HFICP3G+n6>vM= zs5h^x^j|O|;n1yTCBm*&o93NhH9ZwVN^ffuYdHxh?Be}CFacXl){NCE@3Q}YSOU1- zuiK3O(*Jw*L&~N!IINy2V00fw$7iUrxC9oWuyew z)ZF-SKO-+!(vY<=)GaFHF&4Gq%F0KrciIV+jlRA-X?4cW;g4z^l;TS0!#d6^b^f#Q zqBx(jK7WW6&VOeohA88CoM4WA&d|4kFdXqWSpx)>=~IGNIMgotSp~V*tb}gF*PMBa z6Am|4V81l9IqmNqp{seijlq4OaWL!LE(cNm(>%KK<`WE(MzKhYkgaSOM(#ePsQ*v! zsGS$L8*f?t`ly+cV9=W11VgpRM0EL2&Q()AK6!g2-MBSbK5e}_<8eZm{JcmiG`gz{ z^HBpa({~xt$-is?XsI?LBRs88NtcwiT|&?Uh#=JwNm!AKZn_V8INmH`ah>iR!3@?g z(~=b{4RZ6y+keBH?+Aq7XLl=On%JtTjd^=e0X=??rlxs!VKY7??})G5H#HDr{DjoP z93>`S*?8Y%N*g5%Q+n8U=(gpR5U|8+taPL5bCX!|by<_cK~j&k3Y;KZN5aOS=PaTC zm}r-#L@{0BLle(H`m*#|2lZwrbugmVZysD_)H1lb)hn$by_WKE=;*l&RGdRB4d2n6RveTsLN;2Cfr`%oI`Aco4?pBB*k7io64CwzcH^XR*Xf%m|As<85CDLkchU!cd|g+<#m7U6}aFH9D5+MU`A$C4%+D# zm3B$!od43iVPaYzCh+Q+O>zF~WEG$w-Qx4t(Q3nAfkUUq$RR!?j+rGv`A;dREYG&A z{NU@UF-wG~VMpr=VQ=5pTggYvT{0?>zX~c*+hOMHJWK9tguWO^ghfDS2Z=PjtIiP7 z+fNk{@}%hjBIIFopwFG`Hs7KBw7=Efi?Y_{s7|vTGcA+9x(6eij>7T#uz%&iqi4X+ zqnW@6G5gP_kJ;SlINy`t@BHga)>ln=-YiEy*_;o^rl;Col343nBr!$Gl6lclWCsx% z9kricOe@qn)I;3o2>7;C&9zJriRP&!?noJ0lg?W*NSG(LfJ$fC=Z9K$KKLj^1Kc_m zDINONZxh)G+`?Bx#E$53d*B*H^Zy+ZKk|}3ve9`h_wd`cHB zNPgKyG|Lkf-L1Re<>U>L;iw6~HOh*_B>1W}NY(wJiDi*A_PvXmi`p%OngD+YQ_0QhB>Iag6(J{)DMn^;6*X*I=8UK$OKp zP|^_#uwY3Ws0j1=R~4ZoeGS{Wi|cQkGml|I?N5W_h0Lz13UJ`a8JEij!Tjt=<@Z*{ zgy(&!4BanE9q*&BjNx@7$fE}*Ydz08rzY!R)32Psck2&`f3N!uz9BTyV&=b=QNt5R z3sS-^{n}+l4lo89TxZg9(=daheKqydEC1nu0DgKjE-u}CTpPO24NU^40;km+3JBFu zv>R3G5OiTnhni#6=-d}Gc4UO*+343#m|8#Y*0EX1?>9)J#Ax#5O-XA|ifI%se}L@X zeGR967m_i=&YJYiL?wFM_J}e<;-h-6zti>WsJ^G++FV_2g`IPe<)~}RE0LjJYNbda 
zP~mT^5h(7+U%|<91u5o!XRn>HnmRJgX|A(^=3ogoSz>igQWLtX$50w&70+>|meTHe zS5rUQi}Z9icugyLa4!ruU#^ElAktr~9hKm_xBO~-bq9EFX>Y0=%kX5mHv4K89dl=7 zIdzhj60jeNa~c#kz`*Cfr`5QJAD_nu4&B!N!Q^p#UJ$yPNgxN?eb!!aDJ;B5Eh$~m zoVThz{$07ss6jex5%2kWT;{41N<|qg-^aA0sRtRhdcB?N^zhgq&IK*dnVPr*owfjvw162+S?Nw^y!d0*mGb zEuY-9Vwx|!r3U-6I{It<=^hRbU6ZzHqbyIaN;93`EA~w!99-=FoVgD z$@AY0gkFa5*gXY)Li^!zP#q`MOf3+C3)aBaR@VKammbthPjVxE`jI@oQqN1OxwCLp z$4J-&Ox936cXLX1lb84mYG6(WESyPLEwSfOWN95Y}V<_#a%XPL#$Lq|e%5zk#`#g1ZUDs*~Tz5ut(boT5 zGwkbr7yseA@zsTgj`HggTi;4BX&uY-j`UPpt&j*Jf|mGH|I*8z=N#jdE!!7wwAa_x zB22+m#_6iU7qo8U0)X-tkx=TmQN736>_->DU=W%|Iu1p$ieyd$^$m_#&^&cUUU)&@ zb_{U&vII~(UFmFgzW#Imvwo+&7%$PRuX3@v()1@;W63z+8bTU6^Mdr~J6|+Bj!jm@ zu9r$`aV>;r&heVN?Wyz5`{pLSo3OPpR;Bjeu?L0TVd;%95>UEmr6l|Se?*Bp^HrY9 z_;+KUk4%sA_&QBRV2BqMa^TfM6r2BXZuj^6uIq{PZk-mRuUcy*I(|-F-8Um^Pl12u z|DHaX(tiU4oeaYA84K`5?f6ZldfpS5yIkLI4<_*FR|?016L>LCFwK2gzLBmq`d!S* z6gYqRrE5#apbDsrQ6$4{s^V@fEx_F)sUxdkh~AtABU7TSd)kloOlF;uKH9Zn>M_-q zRKdoy$POP*6e)?PySe+8_N~G+LO7i>GH0MIUu_4iEZA!8SNRt1t}hHxAJD5E2-mKf z%Xp8m(uuH~w!D5{AeV0XqL0W>)sKnhj%zYW1?mq?(Ez&^#|#lV9T728mSy*E--!B) z{>I4Wcw>a1XTWCWif3nr*ltRXZhxO4Thv`kRX6cjh*eP%jMgIefnv6rYXeESdCl+o z;(3X%wo@o`#I^9TY4|Q{4W#i4@I`PLYG~A^lv!b>zF2TR+*WPq7%Y}@2`o-p;)$dc z7~7vLWdQVJO>z;TBN&m)sioBG)4F%Lc*N68jgh+VJL z+<&J_jk*+`FAYu7+5Ed1prWz?F$x8%B=G*=i&OP2Y?Su=Ll$tYcGQ3_fd1A$*X&G# z5vIvb2`Nm5iSexBF=`&D(r)8H zE0do!&_QN(Y#aZ|Ai4U%jM#xDSzfvxXp*^>OzI`eXEq}F+j+qPGbLuhc^zpjaA!Cx zosGQmRW6*+G+n`XQ_FRBtY|BIg{pTMA(-&+&UGLoaXTk08jgfLZi@M*_xtboVGq)+ zF{Wg8><9(hdeYFvCdcgN?=bWoY5vaK@^R`a$Sf7&Mq@4nBj~jgE$FgpPyYS@B#4)h zTYb++lY_1I|L{c;HFIDa>M|Xs4dNcCt<`-9PUd6ovV{GHP>ufXvv7*{qwWkQUwdWM zbIz=cK1$u=O*-sL!!*fid%$xra$VB714?tYsyxl}mt7QKqe1-l;9sg5#?X0m39ohX z@@gz1a43=nQYA{)^aqn9l*>V601_dkO=8L)oJLHI1}zR7OeQ?*-5Mc*)cf~jdUxTP z|H3;4rOpagg+DsI>@EY(6v`|0&uB~kXdf6%bX}6t`pvw-*r0JuGIYA)fOG1u#QSr~ zEmNi}tpj{&Q{sI{c~=&0ZRrr0)wNPV*#R8tdN1WomWHmjUtFyj3%-Gi0mzD6 zS@sQhQF6^q!jqTl%J%QKbtsSRmTh%NyTVC;yopxbV;$Maqi%Uf5$|UncQ*4I?TeF+ 
z-&WrLa7JYO7sY@uV@&crX4*@McVppVh2An4yR~>AQ1P_&Xg9pe{Y&4u*K$?m0nL7Nkb^Am3v6K>XF^xao($VBrs;${+|)^oAw+DE>oY2C`%bp>u3e40DIu&KG&cx^N3YG5C$7KH-8XY5Ruqv($f#S-i=wK;#0{)IqKLYZt zI$!y2UPb4SCn}ZCprzx-nJ;CeR^n}eG`NITTdw_RZ>Q0C>-Xq6pWNw*Gw{`Ayvg6@ z-k(HTYQ6*Bs^QV|#R|!3XLtq+`4~05+gY7E|GAmJ>K% z8U`6WN=%Yx2Ywp5shvggHgbCu%MA-w<5WWYC8S2(?^@<&)Klmkv_M%6 zk%`tS|4f(_vS)nUu|0(uEBHeliqn3OW*gF%vyoDMp+DsxAzko(0J^*0(0xh4%XsLf zUvwN==*h+K&6tN$@WB5J)b;c(AHVOudKY!xzv zQLYJ27qo9~9PnOk=*fK++doWzTEL>p8V>RVJN(c!{P-$Xdd4MvXJxO`d7>$|Bj;88){69X{pr2W4wg?C zhr(C7xU^yX-HoZP=WV&~{tVHZO?3Z8hmAVAfZP$(a?ybezG|a5cb6hw4d6jdLF?`0u5TLnipempe^Dr_ z)=2>>t?+2Hr0LeR`2GfJEk-DFjkE3Oqg6+Y+cl=a@vZ%J8`DZC z&iOjY0g_33Zx$uOs+Su=SDjWOx%D=J0P01%B$s;^5ycZ_Y)&S!weDBDHKmZv!}CJF zg(VS71yp!!>CJxEV?hH&j=N=yjjs|k7{^kk53?VfH-RaFgJ z-m-3S3vMST51PwXaeA9-O z23UnC7TgDnadb7B)vqB@=(V4$1+`d#CzMrNQ8GjwO;kvlO~Wn@Zk#f7^A`mwXRRDp zmRv5QnDK!N_x;0xjH(BOz#{4}pyXUD$qL_V9XxFGK_qo;`i<{)_pOhuE z;~BURT5;TLdFDn4YLQ_z^@%hbyOUeoY<&Ov9B0ewq%&8Sb1st2=E^PWNWdZz6CVaA}*EV-gPJ z|E|8L4I&2fPqbq7&T(8(fn&tE>BpKGKIm`+cGsb?i^2eYuJ^BO*}rPNGRM3`_9oo| zF_w$19%o{VlX$D7TR+FjMC+_1$Fy9Rf7@w|8Borw$gj+Msa4qYp7>V;kZmQgi+(d# zR2gO2SygYI|Aq`!sF&|~o-wengXud&2r5BFAM0U8+U>k`Jj0v!)|#oe;a0A&3hGtb zXZW}pp)K@_4}D+h_v6ihuDIGElmp>>w1-9(X5*B`VU`ok`#|_DJa1KcNz2mxxC1%x z5@&yZ1I=FI-Z0|H^84>^z{j745%*m#@!vft{*Ag>_3um%q4S+mEqAL4tro8hV3<`}paGwS8jE8JmbNKJX3}@sF@jgz zCl94_&$ZC2ktHflT+2IhF7I#CVT%s??T=(^8)+YuYh6@149 zSIrMYwbqM+l_RO26*NSZMl8`9YVDKRj}+*On)A>x3NmGc@HF#)r#}r7EA!55^0}}_ zxSwxQLeM~nre63v-$u}?+ShJ&!i_3QMC=;82+@tA4(IKj>OFEHp2>EWvDLP*gGLA^ zj8?*Q(ruNsBS7to#cID{(^}hk=K3ccX2tlP75L7cKeV*;RD$Rira_GGy2(|9Skffu zX7PUx(icday+tk;GBNa3G_`Nj#$G^9b$j#GMi@<)(?soV(w}xGNqlw3P3w3T9UT4c z1kYNnFG|)wmBBF^TGKSkEc}BF!KbQ?KqG>W4tJ4>R|Vkr&hYO!P1dp6J#EgH#hh9X zi*RO_mz8E&m$v8kkr<;=gI8?f_$ud-xThrBkhKcv%YNp*i>^iAkA?Hak&Z~VjOaD` zoG-XaS$IQ;?uftKlM%MYCI(y8jsPdY&I!9^-b}Ug+t$Fg{*TW0>>Q%jty3uMV?MXU zg)o=St^hz((+Ln{<+8X;wY5VVB!4M7SaLEGWNs&?e#h0{Jnyz!{)rXSUDoo+wOukm zGEcN%ifn2UiLkGY^schszq)bvt1-LsM7r#nRJ07;8fs^uXE9L 
z#PMk?Wl;BsBfCbeud!sG6=4T7-7;K1&Y4}O$e_S1Q{ol-OK-|RGd}86dwNxVK+TG9 zN*mpl87WOL-m~p3iiE!N8SlO)exvJ+gm@iEhdD;jq!+FjY2%t*J2pys*=?Cjgm3+} zvIV$I>sk8A=Xt;%9=4-kk?#2;%0($o+YIWLAW^ku!bd0+JFr%I$m(90?`ywqIjYC;e<5hh1|Rqqey`ExvF10CP$3kjGv_hylCUs&{?>|j8ckR{2LgAK~>}F)P17>l?`}L#7~Kr{<`o6lxANBTH)(18NnQe*uM= zHWGD{D;8xwgEoP)>aR_gQG3i~@K0?OhmPj`ABLAIxfc|4YXmeA!=tEn=ZMxd?2NlS zCNySu7@XQ)w|7!`jOvR^O!eI@mC7cq<~P;~;?(6G#yLf5>JZA6F=i`@PUM%2#Z?GM z2+)-BsITg$rksBr^XLdw@T}r_Is(g$6w8a}r&2dnCnZ82SDt4E0XuDecgO2BCnkn3 zPbsqu6?kLP_QgGO6+2mW+U>ceGLHO5-Is^x;tTu5i=WAa$}N!?^G8hVDocf1J6<=| zqT>vJ8wDMM=e+=^=SJ-+n?dW*n8F?DQp1&nr;@#8gWr7RZIoN_BDBxd0dOA`FNzNQ zl_7buNlNAQy|IdvtwyB(d>_DH8TnwREr%euJJkoRTx;-72YP7 zv@WVI>ox>jCzdg=t?{WQRQ4rCBaKO{AmL&sepHVsb$BgSe%AO&R>Yl)!V^|N0m|pbq7+T(I;lVC9(}_5U~q(_Z5>!*a`I64d#N$G(UH-S z?V~-LY9ltYdIN5m;H*PtnEkBVm|ng~g`RnM*b$RCSz&#d&!Vrw{u-U$2P;oIj6tHU zr}6`MOa8(<{TYwUC?_2?L)77Zv1cFrrOu5StF{2|S(@E(i~YO>3| z_z{K^UD9wLpeNBauu#Qu{}IzNb#cb2p;0H2#Cz96yvD8qU(LRv7&Gs;Wo(bV=mz#58sdaP-+%aN;tV3W~(36 z@PNVlUT2e+RiDk=lgo;2j7s9>`r%!m8D7ceeqBC-f}wVn5Z&Ac_LXTb-Y-3 zjXR9}qmMzsbl;=-4Zjp(UnTF?rMIOerj><2u?dqho&M%zz&BO>Y%}(Ldx(IN&TAaM zx|%|Th#8zayshKzzr_~7CKYo~2*F@1nj49mE3}~fMP0lnZi+&AWg8pVFjU2RQ^HYo zHpS6f4Obp|mhf$mD&b3gj7;&JdVM@+L2zg!g9e48fOj{xD@JAv0$9O|>wWbA%$!Tk zJ9{mwig(&hfR&@FMPyJ)=Klb#*0ANVks#`3`8^615pbx9}g&oWo685kA-e zW=`DYc(z7#_|qfY4FC(8RQwmwqQ_bGaZV$>6Tk(x^!3F;dB@dm;o(rO&3Jf!d86>o zBK+Lc?np1|XjO&9WGXjlTnM{tjYQBB z3>;b^B#egI9;JbBwAF(-h%Stv#cvI6Bu&W_gJ>i?CdIz#gZmAl!^vnOk~U^ZgOk+| z0K*(UllViPUj)a>5yVa_cy#>EzD~Q*tW(4|v|BG;0F}p{&o6JlNZPZi=h*VVpshnP zHB{I7v#CG|?xZV`OpFRwg-+cdp_MC*Bf&*IlcRG@)_Dy zhQ_)hqafTg9arzd%n936|5-wUD{nXg%FF-5F}IoPYTwzzjoNiqbK~gO5^xzenp$P+ zo0#SV28`+nRgi{eV8AKF>F(iz30H=QVKf@^&t*co&*9$932Y>Hce=xu?{Lp?7N_kL zEWe{sDf>Lv>g6b9)B^KG>NP^rB4N5AETl}C%xYS9`!VY4)bW2TS=tb6T0+2;Q;p7G zk+4n_W=@^>s1F9BVEf0`b~FGMlu!z47hCziWP;w|@|3WWJ39Ry#$e;x%foN*+C_h` zvFHc1SwmB3a#Kja%mvUWdrNZ&yhM62Y#41*$WiS$V%m)uKA5Ox^9u%uxa~o;hEgD zlsG!(D6i0?nC!=Lm7oT7^#EEtZOjBZ_9JsNklgmi-T79Jxi=S+$V6QVn9v>doR>lY 
z@elZ}qH5rlIz5tcQxvGvT~hf~$<`bAW7_xDM9LV6Ekc>;j2Vc`0W=O(XWx z5w>m9Id z1Tqdx^nLm-?8*q}AL$77=1ZWQ3o*XBkhVRNYL|b`hK*qvVW*t(>T{p4!2(m@TTaJR zSTy?kR;DGukiNkP;gmhewzqvPBO6K|56z_)QrOpV4`51aw~YxP&R1dXvi>G%lmHz& zhT3PrIFRk>pp^g~wZuR4$@a+M{cszO$hm(b)+=>m*qDUl51>t5=!5N0p>J*Zj+w9V zcNX-nz9w(?n<+;I1j`F##f{n3RAd_03JFHAdI39S^VXqDmFP#TQEj_MAayTXCIh>rGA@4H*3q##H={fR z?25?`MQHtTDm}5kMg}!6dCO}s4=Y|`bR8_3%186zO|1!xU|9G{xKwOepnKXoLzV?B zLxAIVS~wAna~M?ynPoFfMPN)FdbO2n_Mu&;Ku}d`4a_&G@$zp5{jClsLe_FdEz;Tl z@xfxT>NpgP>?~olw-BVhRwweCDa-kzL}sx4ere=nvoiYNE`PlD39p5&C}lxRe_M~D z;&L_{A!A&;qP*gR;-XO_Q*~Cqpfv|11-MnSVz3YBYTx~28Q|B~Z+N4ARIz$uQDL;S zuRfhEHC$6z! zEwUmAf<|0c4DzhZ$ad6cb6WFq-HMA=Ic>k+9v2x~_HJ@oUu+GqR_SZZE6w--0m!E8 z1_Ydfcy5VCt({)7q{ccv{;5@C9K6Zuo)T2x?&!A}$BtDQ<1cIKT}JAGS}tcQclXMZPzY=3 z@6BcU%JUe8%KN3y6&9@$hZ$!8G<6cTP6-XHPyq+FkcB7L!%3k7eQ-HO3#;AUG0RkZ>#pUlO}Koz(jE8&AM4V_jY~H%X}$l<$XUV?U#7ri}912601Hwv0=PArenYdM~;#lJRmp z5bW9b2hW6MT;ZIkWQ?DV{!ZR8c+#vlw zQ-I{qz)pePKp`KmL0IvWi&cd)^?Hb2bO(zq&-PFFTfr|g)#f9N7 z*w-E5mIE2y?QTuxzLXZ14&+b9sm%-`g3}khbrTv|dj&PJ8xT#hX{;&;z_pfz@L+rE zIV2Qllbsm}fZl>OlD1rAS;22zz1_cuew7_W^!QT9-M4&Sd(3EWlX7#+6vq&vPN@}5 zZc49}>2@Y-p=AQJK|jjabGG14H#!)yDMz}p`#e8UPwXh_3Jo(iSS64rm90Q-;b_$ezMsd*J2hjx3nHv3@7F zU#0gZDL{1pQFcjZA(aqynymNa(ND?rBGkX*#l<` zoAg86X}SzL-rM=Q666xXspOq7TvEWkS~=zC8O8-aH;~5Tw=VHf(Jkh7M<=ra&*@YG z5rBl(UQcP!82ca#8Cbw+v!jHo@bVtJ*zwTloxItYd~h3@vfC20kJPsBfyyQ#>zLBq z+D*(yvDGgf37Gmv^?1aE=erLVex82(E35dY!CFuNnXaWl+QgG-hNZEzbFd3xx~3c% zdGJR^pX-oiguJE6rhn3G|aWxhLhF$+4e>}Ux z+C0U6>;6CTJ~vm1#sa_78NZ_4;iBqi!Ah~d72oK5H<^DjDm?~XCM@)M6?=ciqYa2x zZBu;HII=udd{QykY}d-b&J93?HFn}R;yfjcgtRhb{wcOZE= z0YMwH;U@1LbNG0oD&wH7lgYzuvN1F(cm{LnZ+*afQbCw2EX3o`3|p+&zI(~Hj=Kh8 zM-kKjnY^FH;1l&}Yc#Mx8eNf=bKX*)CTZCMCK5@_bS*7zj0CoyAZ(nMP4ivjvOa%V zuH3|bxuXxBE8oZY6HUnncANLz0G}7bYWE^*_UZ=`hfEq1Rc49Op z@b0N%*3*k+*+_LxqkMqZV5trZJ5jFB0c!a)qWj~JLz`#SgD+-ci`!}!ytUAq9>e>Z z+a>DM_~lCi-jA`C;D%d8NO|w!yep01R)c$xYV5|P#777o7%Jor-59$=9K-7| zn~gxt?|tW2R0!S^s1C6Jw6#sLd8{m9<`&K7h(9-OcC#Z@TX@ceBZG9UepUBNm@1p{Yp~{4 
z`1nKKh0~r)`(2srs$pH-TX9!#C~fIy0h7XaK@=<=OYe1NTLs+30CVC3rA0w0G|G{f zSBt80G_Y6Y&zr_J6FWp|*Q`GV>RKZuceG*+ALPCkJKOB7NzEOzF{14s1oiCijYsJ2 ziB(6;Jo3L&koDP71uw$(k@oA-YK~%*D_R9KcMn_q@8L((wtg*&Ye#EEyAnDi-WYrN z2$m(do^iXo!UYNfWIwz4!W4bW&h5&dH8})nLBpIyP*Y?|PP8ihJmZ2GbY*%$u%J<+ z65Y0?jh5TFg&N+7p-CoGA2OG}7WFT8K;f*(WnIzdjH`d-SC^|Np+~hLi3SEV)zTgd zPi2$Z7*Lhe?l-JRhJQa9#XqzpqR7&{qqpABUni;6z5z6RyY!YP+;ZQcS->ysS^G zkS2m#gyxPV@5anmP1>*TTTd6~xV%x}?TQI7W2U{zfow}XEa(av9#&LwH?GAeR*miI z7Dz2oWz-Vtn(qzXDP&Dx2hHYfDxWr^FJ)mVO2MdGNUQdO;I*;u?_hdxvy5z7cE-Kz zTXOq%&A%oN@5=s8K0YAEgN&GbX=)@!d^Dv(p0wc1N&F=57BzW4(|g|KKVqyeB&!Cn z#*SOFXAgO74pPyMs_lHIxlwjvnYY-{1TRWLB>60JQ03*_6q;F&96ni8d;otP7gPy? z%9l`5+_HAzAxm1?$MuAJx%Y@M6WwOm!IIlEZlto8%ptn|^vrS8%$NU;;zp|Mv`X60 z&`3i=_mIJ`b;#B2g_^}Rt#8Ji@40{vvOh?n>s9va1cqs(hWR|*(=noXl~an3OYE0B z9@w&J2Y2BMtu*pb8*cqp!%+~rRi7*W8vmD_6b?6e$~G zDyPk*B~Eh@xrZi9U23Pa1}JQeH7a4K%NNDE=A+zxCwv~^6@X_Nur{-x9L zMs#ka?8kHY&_sHFqgRNf8W;le?Z*G3J(eAr8{I0O0fcT~v3BOs!<85KVjn({9Pxs; z>J5eHMN+iX6QfD6v|FO<{;WFq2_rxCD3DIc>)l4|{1CwKP8s?|fCpG4W4)_fP53L% zf5JMo5Um*}UYP%DH2<#;E^(8%chtW)16Pdp7xK}tX?MqeCf`laa{Yth(*jiJzZl}c zrh#o*t~zlVQIWd9gGTZ~c*m$3Q<$O3bCRn1pIK#yrVFR|j`p?5EOibbVWl-?9!j_` ztwXTkaoxwH5YTxac0QnWob;?O4Aaw3*!c}BD8K69)^F|aej8DK619n0M@GGAE^@YI zg>*W6y&P#(*pWtEC2V1CnZvRd(%xhLT zY6^W1;b@W6)xmsKsD&wn=`4nN#dgojk&y2Z0bzqOtJO zBjvY?D)tU!4hyVtbrun+gAk#dL@d__@vp!ScAxZU@i*BgrKS^|=?XiE5&V?w^-@iA z8eP4MC+mt0T;PF5neL>Z*=bWIPPx;n=*Z8Y4jRJ<#I*vguc7)G`T zlH>BT1{$#R7B76eUxWoego}+YLlX0?Z{BO!(Ag$Udugh|>>*Z*ampqT>X@So;qQN} zN9JIq%hHk8SlNk~TAm6nBQl2b{MvgZK2{cNv7LIw!5|&ug@E zVS;zKsp?jw{BKVFZ=X1`^Gx5fl z7T=RF0BEEd&yOy)raaz0PpzrXIDHiunaiv8)$|Y=@gfAj@5A`37&IF@m4T4rBtDq^ ztNhsankp?f*e8U*2bo%22NooGGPMSs}E!`&1Ly zfaoHj<7TQqG_oH4iVAy__CAB57d|VQhArkDYW;3yr%nYA!4t;Yg)<)9(5$Eg+ zRtNA#_0;wE%w_p4Km_9Aku*JX#cOX}`VlBZ%(~X*2)gzvR*@PyX2!hE4gdZD>iKgH zOHl@51gHwNRo}YVERc2ihpS0kIZVJ#@DifWjb&P9pDcT*tw*Hk zb?Q5C%ox-ufbZ-H8=H67n2ITE5I+*bwf+y!yY>5EduK5)FzKqH)l@R&`0-BFUfJXT 
zgbd2j7EQ5>$O|KcvVy&#$yjA&Yn_M0Hg=&kx-qE_c;X}JC3KVF`565`Uc=G8cjx

t%B@`WcaU6iEm#;c_?=$z-q4^5xoZUCOF|ip$N+s_+|| zc<}Uxd75=$)w;TVy)ACYlM9z;lDUYSchgr?n|-Q|5)R|ZqK0Ngp(Sr)xcnq6gCPEY zYG0Y$q8`~vzm=pn>N|g_X!JUrm|)|IhBv3S${UY@9i=lBwg7EDfzOw2j$j(}OMzf)m=AAjU<6oI#-U||=w>^@S#KQ^mbAOP(`ES@gOR= zCEatkdpLUv8$e^O=@M759LJ0L4}^z$LXqI;h8V-^@8MO)mFyERGv{<2y6sg3BH(D; z`&`B26cyqq1ZxO-ZPKKgpS&(`p#~-$gt;j^<&h*;@D_R?d7kf=eanb<23h~6migmBP?Pw*G3d4Ij`F6 zLt2iY=Mz~m$e?WK+}DvOCeC!o$KzlEgqK?AiQm%$+pS5u<|yoWC-G$Ond!WVD{@b^@bGzsp5*tz3f&l4n4p4+z zsTFF&Y{o%%RHX_o3k$an)fK3QvYHkq`k{pJ;f_yx{^rmvp*Dr@YX#}x=%Peq;;>iL zWbPk9vx9+-4KSlm`+uQ=jU9V}zIXhH1{PQ`5Y2;Vk?m=TF{Jm*n$m(+N# zpS4~ogqJpv=dl#m7isg%7jFCFBFYeLfu{2r!EK2rYHq7cl^SCWwlUE5S@EziAnts| zah&ybs`6tQa}&$BCFDH|qm7D*Fd;)&pK?Dm7(P_M=d^`pXU9qJZ2Cw~vFLPS9TtbH zy4!i1QjwbV0OUVNOVxzTo*9xSa6gjitaHk5S}9^#>c9bMa^J~zXh~wd+aG@7*@3eo zafSp|^h@X(`0Df73k?yzPah2jNE$oa1CD;HKx4KlHVFs3)4yYjmJxRQ+Z-OOcj(V= zaJw4Ci5ThP`CLO)dA$|HkhIV<-d?WguCFb>H9sOyMN9;D(7djkJ)X9=l{8i^S{+np zw6bLNjkYLBPpF$L3=%~kpohVX)6VZk&zM$}{0L4KMc!YmrWs+}{3%=wxXD&r#p$~J zhj~KZ9JCidT$m!^Emio?%e8d&utGfXf3-FhjFnkr+f_V@94 zRA^PLdQNXpkP%lMt$Hk>_R}(8a6hPnD!U_ zD7CX7GCN858Wq3))a$|)uw3&3)t!cyHZ~C-iDc?_T3y*#y^A{kG8|Qc)Y| zD~ihZW5pD{xLLH$36>M>G>X}r2|2Gpolb^rpUSggzf2{7>K5&r(gP41a|_Anrz3~u zeGXIE1%pSaYk)je4260sV0ILwR-!ir&5xz)0cnUd=%k# z>!G2aBjP^Wkeb!`@4yD$vDq_cA&204Ic#=yP$6F+fYZLF8m&RoEm81JK5F0KGp>Xd zzN#xVWr*6A-30Eq@{1s$sfFMS;{*|{MgGJ_WwV7%yc|FRVTVUbxu|?fA_#n5{+s`{ z+xZ*^+&+$wFnjay8qE1FDjD*vojm@_$60^zzCTO-QG???dqovNS^Qm%F%apSCUxkS z9|rl3lbP*I9mXX`IyPb4G10sYa}E?f$NKDeAyR=TDh_fomuF%r225;yAo7VrEE87S zK*S;j?5B0qw+oeEnH(2G@1~AT;&98VuEVJWX#Y8G-DB_f%bW1!O;umsUH3Ga1`bpX z7fqGLv7^@TyolN@e>u`0X_kT3L*h){c3dk>vuCD?{&+3OS8=wD&cMV>BlgH~jZyhm zmln+MN1yeZtaucKs~HS_G37=upK&g5IdoAaCVJluH%{VQZ`^Ke;V04Ejb8WoL0YUA zsO>{kwkx;AA}J4)3~J!8szB3+P8+WNVlecB95S7n#ea=0Syj5MsEg!-T=W0HkKtA{ z`3QkwZjm{=1%ObP+{LSVn=*ufO0<8=f(ju4K1>a&<`jHKL*xIK+7+4J1SXMdA@ux4 zXSu3%m)6mat&p_e&iVtf7mMZ;0DZ29rm%d@GuheUrcDhrg$J3-kzYM79Ow0H`Va>EhNa!5;(ec| zo0c1zZhJh&!-4K@jz!uR_%%|lejgoL=1&e!{9-+ryS7#kHOTu)l?CmBoZqF2G_ANL 
znr4-+NgN4tPYw6)lYyp(h?F5Zqk&IC8y1~lE!I{pNL>Pbs1yePmKqjpZ?oTmY27B2wq1+S}cHGJ;rm7HvKb#6#-HA7; zh5uh?H4chJCk-)f4yV7fpZ$fk)$=v+v=`Q_LtaZ?iHy6kdj|LSu6oG>JT^7q*T2+Z zSPMm;N#7S1-~OS)Rp9!b^|e1TR7`Z)V+YVug7QXH*EHJOp#dHRp7=*AmLBm_3swuF zUh6o2#V~L_E4~YLd1Qrb&mYkyGOqdX;D*mo>m`PGqKG!*kWI_V7qFkG;Ho_SIV#yX za)m9=%2#5G)&7Ui-HaAH{I`ndhJAXwHj}9QKQ45x z*buv!KV*rLaZ2 z(Xi4(7C-nvjdBBY>Y-|i4!R%g{8A$YLy5LIy5)5dQ0gp!GeBy91F*MY#WA>qgAz5c zZ;NQOid%w1hf3-b^{j}b0cO?yz1fFev|1fw$mAnLRVqj-Z6^=3s%YsxCIuHCKr*mv z5*BY^?ms0O8U4YPF%e$BL=yEP+Lm)PxzJ45#e7nheF!L>q|2gHzp&sON2)ydnE6~? zC>T$x+|N2-;z2A3_zra4Sqv7Y3fkF`g0}K*oYvqqKgj&m4Gt#{GiNY$!we>pqqdlK zz%IN(xR7$XptAK{qah^m-v~CkdO$8G9ffws3u}e-M*43!|7!_}-E|M2u`bOR)|b@z zBxxABnc0(hEYq0AOuYR+V}cb5R)~BQdam%ME+CHtDnK>;;9@#9Y75Px33x7x74m92 zh^eH`W>eW&Ek9;4$b%XY8b}G=h034d&&lxAJ9W`NKME1fjX|r{{ykR+@APjhE1poP zAUc5}+Z4(y?6~H?tjYHEfl_+(V6KS@Ya< z0mp<1WCeOjPWF@HpPPhsMR*hriKnwg|d)bsjn8;w3BxHeApGm~ow zyNeb>_@AXu6%vA)xIA`a6^)z@q@&S{Azzl;zWVXdq-9Od6_0 zno9dsNx2XI@2Y!!5!#UYf?kUhEJD;QY|<>kv@xEgS56|67Oi@n!P~6};-v`)A7|wkL2&=9coq7vps&c9xco1^S2WCJ?PIw^H+2h(9KAh4 zHFArEtrV*~bTg@pV!A+cGqDF~YVwf51uXWM4%uSRY*jbMddz4|D@*1sy;9o^iQeAl z)86OtpZ;yF*DsEqCTEy35^4@Xtc@0giL~Hu22_SCv-@{Y>=(@$;WVJx_2|^RzNSv` zZ0YBPleRA(<1+!1a3*do>WFT^35#ZnJa_X(QOp5L1FwClf0IAs| zpU}zl$NgKA_g;;w!5vxmi*wx1Po^>jK4$^z!j{ps+x)UYgi1>@BHt-(lZtHfrNhu@ zKVQlu{2Zikj4Du?{P{VPQX~;EZi_OUELYw_H(ByxA-YZ2lB~u;jesrzS4#QfRxMtv zbBoW}$~sjcvb*mepK}-xq~4ty2sp2ef+`bSGrhj7u=!;^pz0pyF>`FEf=nu=s;Jg^ zo!F9Q3;Ht$W{(Em=jJ{i8TcnROh<5HUMcv-C=r)U5dYTJ{P}d zdE4`jom981+Fjl5#ci&W_WLx2zD8zm?+t-KLiXj&K#QIu+H-)j&a1QE3*sUy@6%kY zgz@OUo9Du>-d#QDjQ~E={H^`N0tzaJ@B{h7U8SCJU?qpDSQ8>lkU21i6G&Dak zT>P}(FnGJ3!|xezGdw#RI%3bak!IY+(dD(3QPW)Om9+BU`}FgogTml`CeOg*+{0sC zPG`G-nR|)oPZJWViwC@Wwy6`YU~fI&sHgV0m!wRa8Q|=L!xqNXA0J@$O3`UYDr(jq zkp4{I8UC!}u?*JdJl)85V@_Df(x-J><#4L{eul!TorBTp8++{bIO)Dqob&qS=b6pN z0O9YXH*{_};2}KbHfjglp}?6~HJ3ruPRX9sKTqagfbxy#o#)5|lS7~8r&-mzng9xZ zzw_t;01&aau$CP)pj=;Nhs^&Oz8U6x2rp;R(Oa>6RMF*t5Tw$XtWuHWGwJIM#m>>e 
z4liFpmq4b#^~|i;W1ae0XNlyl2k47vPWyM+3B;jjn`61$+euV+c$2UUWoZY;tX)t#TK$2p*!dZkF5D4XBa?S<_=A=g#6`1p8 zG;)JZf`1Tb)Ge@iPk$HE{CX2@Y_BH863688O9HQLpj7wL(gy*2D>}l|7?@#yb?e)= zX%(+kEv@IDrF*Svr`x7wn82hOwxVFf&N#IvL-8}YCj8ntxbWY=hwztAb%=?>L96*F4 z^Rm)yZr_fdMZJ6OU%7CQ#O`{#bNDy`5t>&*Q&|A3;y&SuVc>aa)8tUn_k4fty@god z`O^Gb-^Xm8wMvINFqqxRh!4MtWMqD5Jgng;%rzh-CRAu(>hN&*aOrZ1i3r}bw$LQf z!w#+Kk5UKP)j-{ZlE}^Vh#yk;BjUi%?NHsi*M%%GPLhaGc(duA8BO+lA@LGmxU2!Y z#phC!-n|x>`1?8-CVFkUwY<(Tp3TK-Ks}*jRB~+Itkv^!yL2+lw9ev|`u8KnW3SCb z-;U;)!%si2qi$cW$-a6{C4EA$?95kLIs2kSTPjP1l)8oI0V5Gp>4* ztEpZ@eJs$}_d-sEWCet|h6X?(dix@s&io{-ru|dnoEF#|D5~x!rU$ zmji#CNMSFwzi!}As;}8*MF7~kglGI+<1zU$CB{0?fdBqFo_y`ijRMHCN;no5x0{O zH-wE?VJ{|yE6g>rozwINQO#k8c=Bxyuh!BdFo*wUWdcR$NwJRx*^)VD@8}JhrfDFf=9}7&0xjaWQ(2L$MFdM(= znA?oZkE3jwpuMqf-ptMXosj*srSUB=zww}R|liX}e@WP8NtHonw31cx4bnux0< zE>M9A^jw9Msf3c-dL^E2iGaQ;lGF)8=do2{LAPDt z&HC8+?X*zrb@ct(+wb_huD99Omny$0nrzog)^O$ZU(4Q8M}8t3VuyFRZUXPL^Ju_! zH%g5U#Y->KhCPfrzetrWxI}2qR>hvT!=*7_H)o82gUhDZFDDOYM1#hh^eTk?d@&EU z=DrL34^#hCUV*0-@7IHwb>Ja|4Y*~Ll6SA1f#Xyz)y%JMsH3mrDPGuZ<6b7P_>=QSs~YqRqZ#sN z7bJ>Me#%ebW5cQA4Wp|*&5#mX(7+s2NbnJb5UN;(L2uBHLS#wI$Kma1Q1o(gS_L?m z>w0OsxZIrWW55RlTJJ~HwhGM&-mXg=?sA6wK&FdF7%VlG%b+RRj9|+uz7XLOJDG)A z3`iWH3!M*#XrbkQ!;Q@Y`iA+AmFC%NdoMkE;t2#v0c;^{#^((0k=o+Jo|L8UvZAi7 zB|7rSCWq%g!Y;KvNoU#>CjC+fzAFt`}2h_9Q-|ug{;yjUy zG~RXpc76>!4WJmp2xOms@)7kk0X3Z2Ol)lChzxSVNz{zW@@HevqrqGz%-6CB9>fEV z{QaY)u;nFxeU~yKXfJCdIdak?ZWMn%UJku#qzBW)qrd*^HkTm}Sf32A$Xa;vsR3L# zXN8jXJB#(i3pgAivI=3eV@GRIAs+gSNRU9CkA~l@7o+g8K*RViV<%n&887`slw_er zs(Fmb_Lw^v-wNkcYhpoVd(6?=`Po2lLS^@_5svEG?9G}=m&RIUV~6*t%e_ezJqOxv zie+aW(R&VcXa03>I!dq6W5Exrc?x4a(5opE*27?Br+CYu&Uu`S<>?=SP8!8yna;KR zA~8OE**+axO0I{@L|YO;Ya)Tcg?r^fIWy-@5h z==%;XEUbiA4dn}p%`>Gfl?*%oi4rL3>bd5|7CC}i-R;5moO5vD>m8XGc1efx1H{53 zy7k?el9>W%{&!d^`lTnBKjB;9c8oT1#(s|_-L|M@#3n514b`jdcirFmeqV>oRdyQW0CGs z|0`-EuR#XG3jyaxB{p5kT$JBT>!A>TThHFik6&<-a(>q{a~#Pl0xdW=Ymz+#ndkkI z6@T2tM;W#G;pa3X{IARgajv{kgn9n(UksPBNF~B;P#mSKG9#v?yxNf9)WH 
zORMDOe{pD@_?ggdhT?*d#)zFSqG*=?Rn&*PnoSp}+1wK70YiV99^4&YFTCEsgO7yH z3|uReNxk%-IwGdz`=bd@Jwn`2->*_{b!-p$5JZOLgS>{ekW7MAU9o1h>J9u~L3AV9 z+>VaU)edQebvgawkdBG->Zfm+s8pt#0t$Gw9;YPKN1|8i7I_Er-SmtPuEt$}3btL4`g3c~AsJh14R@W5Po*Q=k!K4qt& zjL1j?hl0!<_4>@Bb$y(F4eRQgLtsH90t$8z5B20S;_Bv;{GZ1E0=*An{=QGFl3Rao z;>bB-TYdlPq#w*fR;29sd>Yj7n!;X6II3FIV8@{_3lI+TS<~QpYMyek>bZ5PZyupSCa!Lq(Wfq3Lf3!lrMtiS$$NJ%$$`ID z__feU0@}4M)unuB2dD=nv7X-CrX}L|shPheAUVw%4n}$|nl%!?LC{5&75c4zw6&_6 zI$Bo< zucctAJuT(*%BnuJ;|hJ(bbA`p7ik6^=k`CQS7;l2o%$C)M(Rahzw29P`NYduXRYjL zVQ`r04(n!Q=Qk5hjLEJmbIsugQJCT#)!hED`#xBlO(>uv%X8^;iENsZzY*E3=E`IT zJPN5TwqpVcftMja3e_-a3(PswlH;P3G(R4D3uZy$(q$2e>L#7WI0%kD4`fD)LXA>u zb4jc<;HG+MEy2a#vyT;JACFC=PE z9JRa1w!4U=h}*T&bY|81@_Sci8MYiBh&~)sw@q;mEiH(86_|;dT_y${X3T&D87&nw zn7z`6%cn2arZ0@jtX%c7@dem=%FzG>%#!?OiT=}e$0gx5WnAtHFo2J{Q z$)=SSNweL1Xsx3)+GwB;i=TpKie|-JIrm<7%0~-&gBMZCc3~imI?0wa$wwe`280T^ zx0g?|fh1Q{z>lm2dROxOFRs2aDvlsZcL)|NxVr`!LI~~&1lJJU-95;l9o#((!GpWY z;I1J+@Zj$5lVERl-|l(4??=tdnbUo{yXwmK-M&?25ze6FF7p#=t60+7O{1eeJV$Kr zHqGqKWUXnbt$GTjVk&Iz36^ceQo}xgv=U-GFo7#|XM+>^K z%8S2XB5|w1tJgR>g*LsbsZv9Q?kbQBrOkkCd(D!|mU`mq>!(8V2@3KXqL~Kq|GZhOqu!zKQY;+PcsAWw>r^O)A zI}7IMtW6WiSB~E;iMc-4gKGx@E$yHq1ouu{zz6>x0!FeKy9%*CH7054p|Gf10%%79 z>U_ORmr|A)sSAJUE9J5D=$rkQ1BP25ohGl?-fO^pdwz)uDSBieiXyErGBr;3nu19` zl9Rp<>j1|){$nox1oqkOtFznevYOBbHvt@3y+<>jsho|3pm438pPs0iQWTwKEgmoB zd+lrG8*sGvtmHFfZ6}6J)QQ=1`@NUJP2Vl$s}_SoL%@iY-Rt|wA<(%P`o~^&o#7Xv zQkVcq88l(+C?gd8O&AfF0;$68SCFKu2V-y{ZQUUVYHQ9q`_prsz*K!~KX~AL^YYtu z0*|6WM;^~lXhMgbOd}7L?yq-Z%;^JG*JDB2We-W75tnC_POFxf7eRc;(Ht&a37M!_ zn|5sa9*R1%U#08GWQoNbTxxj72znT*14seS~5_SME_NurJp6?Dx=$eyIYJjvbSvA`+1MeOvXHFC_HbTa9U%=IQVbsArKFljdFv4HHA z5N+h(Q1g%GL;+*`sO6qk^d_Yw^~XEl0|k=IkBA5UR;2r{2h%7r94z+-xw@k~4QCEb z0c*%ticQm9osbQZ#$4mz6{^Ns8^&%scOCoct!5M<(jS7*V6QOd&hBrl+`RcehMij6Ur6JUHc z!Td;~b_aBDW{m^&89}c|4BSxCLV)drL>D)LNWF&Ymo9rjzjvwHrp3vxAdFE8og!OB zOX%TTu3ffg^msZmj_ykxEobU3!StIn%W&5b( zUlC8H!g{J^5H=(QkceVwS7X?~FQ?lO{4QeOAT7Dr& 
zrIw<%piDZufQSE=Sv>hB#MP=N)KkYCBf5yQ>FWTo+_xo()_ zilLhL75{qb_^pe*0&uoR4$W-6)jZ>)SHs7)|w`^Z@Q(5byg4#uBh^`C+H3j;e>Su&E_3S z+`Z%#-%XpCe3}$YN$BH5ivFp|*rZcNfEB{@FryX7ybGqO&|X_$5+1Pnu4d4a7((mB zslyM<)!Pi$rPkOiCRuR^j|5tBSKQn;cYFZ_wMf1xv3fN@>?67*l5y%>O}C zv=-x-Cl1VzZlS2f&Nhq9j_tJ@&J$zYmIo@xRm}nuLUIUt)Wz^Cr;(%PYpN3LF%IY* zu$eKUJtC+ykMS4=W|f%RU6#SM%*&l73$JviGMQPxkA+@YA(}vqJ9JeSQ!4#~Pm~lU zjbzICBAVv0>T%jYrDvprP}_G+ftqIY+%#iE=`vW;cbI;FdQ)SvJ}#Kq|C?;%Dd5Cq zA+Ikv7J~54+@_P{vjigI&aGhs4`x`JMWGfem|$B+44qf$sG*y7RBWeUc-VzFPVo7-H+=u*JQ|GQ?8v$_tyXyKEIahfxM#P7fv+(WTG6 zG|@CC2`3UI5}Qgh)tG$ogy9t>QZWTq#J~cQ-BLJBgM%#jEOcLt%9z`*nL3WVBdK>t z)zE;2oZ_8}V1vQomRJ;IBZx7srseji`5x@Hiyx-AeL6 zrTRv=h)FFpf#fJQ7vV!FMCZxsq-?`kg9>e-Y&tXGf0a@{NiNG5KeMlZ?SxAYQ8wDy zbdIcAB&W_OcMa&rxlR+3<$QFmWm>$4lXcF%T6XR~{S@&$z;4PQB5~kgQ+J7Sbr6E& zyZAPS$o0DMTLTEU$E!HY>6Bi5IyzOvU;5@Nzvk!ihIgpZSBf6PftEhQM8S~A46^<- z$E+InMH!zlWMRFI%Q(Z|Y+8&eJ)fI(A?77r|D1@yO^VSS@jVSCZf7ODrZ{3V@}Wsj zb=L*P5kiQF#N#ka27b`Qn^lv3ZZhp5FfL$bK(($20xUhq6_*90s!eMh3;&TF7_^|8 zls2U>*p6O*YnJ4?!7>iB4v7r4Ni&Ct%|vEca=ExV&|6J@&XAnmjbF*gEECgd*5wUa zfR-or5R94CVyR2pv+1}eIl90MBPgj00&EEe!S%IBc{C>SXRqBl=tX&V^!Qg^rfZ@?fDY2AYrSAiK|HxzR9bg|dWCR}(%SP7NtZ?keFn^0D>yjx z`@ngUQ-s$t*ChBMxI&G&U`}51Je?C6k?;L(pq`R2q8A)`9HLgp=|uA%prqEZUtc)*Rm<|zcFq;CW+R9onMXnF9HBL^`OnBqNws73v4^wJ0|InlwF5O60P^oKabZU zZ5JHJ>DhcbzY@Y%Fi)xXE*iO@OzI$C^sQ21Lk`z*u zqxw?`p#q3NXp6HXmes1lnd?}i6K>a$XLB+vis(wWjEZwQP8K!pyCiG?nLX7FNH72nQ|2XMUxk$3icBJ#GIJi7;lwGI6+G12w4hexXl?$3j1?vk;Cgo*G zRvcef*mdVYxC=~NtAi|Cug4Lf(NSdJ={LL1zd%KFHi)tm@YTaOw+}&G*f+4`2)%Bk@b`~W4a>Z4&I%SsNCR`fle@YXJFLfKN zH7XmwT-{1Sy=UAgz!#rBD$*n3`v%!0S*Y=s>LBJ5%!4En1K6hBB%7dl2K&Eo{_Z@n zeD}&M&qflPrA`jj70P|5Chyk^MvJwf@H=4-%N`23EKYT{d_(XHTIztwlI!TB{f!P4>T<(7d0`B?w(H)<=Dyzf5yK4Maj+?7R7q^~16+c8nA2p|F zF;|_mDmTXxX>C$S1jUMZ{H>GezT0dM))qK5033_%&Z<`RDL+iXI&+49*TeNUeP^=r zr^#OG4Bi*M_c{UNVQ<%?Iv~vip)%28`DuE1b5`hyPN@=gD(1CPaettr_NJ5*I=FhZ zt!Y82l15ISzN@yAEeo@zGC5W|{v)Izbf%}B{bJ62u9ZamjXCGc 
zJmB_C+rySI9J4TAO;M!O@rTO?NnBA#-LJA{VfA`i8pfA8k?HThaPHNK5I?5`6e~Ph2u`Wu5KpFzJ(T2bQx%6 z2I}!w2YEuJ`RE$Jh9~z^5Qbft58Ngr0hg9gRd(qtY9^tfUmENf+*v=w&)T%&gCDf{ zqNA&cPSbsdnVKx2GFDk!*!Xf2F(uC+d8h^>6eV%0N;hUpTw9$&gwNLF8T6GoJX-q` z5ZF6(KG83rH?W#vZE^?GnkoR-1{J0S<2M@H)8LP6eT`88jj42D_$mE1Xw#Jih!Pa3 zIGve)nJKj-unnFfalakuehso_XyZEOBGwcAxhfEZVFhdI$hJzdgpzH=IkO5aw7g(V zp2pIRvD(v=spa;oOd24- zvbW{RaTZT!fKqTBcXoW*%Q>$E{AB38RkB|&{&mcV2*hbp_e)i_C32{UYC3tBX8h%N7?cTGCg=x2s(PJK;5mI-qy#xc4FZF5P7HD5 zTHM^wPZ;KOe>FRGhK(=)BstpG6h6j5qMwWG-YR9k{WDjD?Dp$;fI@e0KxYZtfXAr^ z6!h-Zd%hH<`#?^*!?`UPTd z_aDAc>VXr+JIzHuSZCZ>u(PsbLfK`{2S+l|Ko&>0+2F}*{a8yso5c{2+=c2?0_?}<;7@|A46#D{_<0oY$~DcrsX&(RbkS$UGruV=aQSigO*>XTFTa zO_D8EQ5HDrwDJ{b(^c7Yov5^iNB7MKkj_ZQ-a%pFN}uaw?wc_14K+K+(8#G{6=`D{ z{}hCMoUJBCsGC-=)z60viEDh=!GN`qv4Nccns4cL%lERpN0CbX*7MF8_#G6*TGfY_7sU$tzYX~BAOGtcX^dkSG2iKDuw9TFkwqr1 zio8T@z~BStGbqUTX+oR{ZoZCVY}hu(+1Q0=1JxeGm`makwl$FjI5D?le?iDkjN^zO zaUhJ{(VNa+pFuCHcPAThJSl;fwij5A0%~y>Th=xBe-kSTKLakh`nv@5C~SR>hLud% z7x!FnX7uBUQbW$l!rMjG>zI<6A_k#T$unkbj`7H&kkQ<~p2 zb9<1yfc{8r9|I2?&Qb!$KQg%QI?JS=ta*toV$r$tqAZlpAH=GPU7fDvs($U09$(6T zlawrLOOXb#2LodPFP=v4jLqQFxf3t|THmxP)USMq^Tlk96Qj8^=K8Wkrb;-3r7AP8 za!te6_~G4I5YSQrtgAkQ%#FM+rq`>(#c3h$I928KbKU17k*m0CEPXvbuoVB?t1i% znuQS|hBDLE$K;)w!TG84rBu9TGluE4R})_!@QdKl(!S-j0_iLkk4x(&Ab+u={AW<8 zX6`=&U~TQG(W9&G8Pxys0XcVV>`k^9Tn|$GR7ZSo z7fr(&@CvK3`5Y~@qM(?Y^I9Qb9EpkD@k4_6rz?vM@7H{HlL||;6U6NDDkJ-TpSEz` z(BeXp?DcsVWbtHVtVUmGQ0*NV7wO?X5K3%#=C1pH>DNvV%ja!sa^(86IpaCuEb;vZ z#;5!d>=wGXmg=#tD0T97$AG@q5KSr%D8`Hi~VVQnl;s)FHhk#z_J&^s~7Aj;m#YJM*n)JRWII2d+-$~ z{l=-=^$TPm#f`aPv|&V!xf{+fI5!Ajh*qnuZEkA3bjnYfQ)Ei>8;UcWk1-fIJf2S;Sw!!!v~(L`Y1-CfKY{ znDfnj&7Tjre*~-F>XouSo_!YI>K3P{ovUv6+b%~r+Js9~n5)i0_}7v0>v7s521o)F z#sqp_YQG-;YK*V9D=JSeANoPva7QtRe)VXr-fttFjYM(N1F?h%Zp5IJD*u#BKU?2Tb?Ao;E*I~Nnr}>FXtUA z4h0fb43m(RyPy-1lY=aj$)4hSwv)Vq@8WH2oAKVCR0_{sc^|{&T7f`6Vj42YWP$NJ z3wp<7Pki!}@H1f{wfx^TM;aazsBmk=sngxY3k$Ei#KBl>?*2B**CKIJN%?U|lpXK4 z#0)5a@DPjSx(&p*`S!ziz1bcg=0}K2<`kvgmIoa}Ut7NsmA5GMOeTsaucUnT15! 
z-sfxDO;ZgW4yzC|XFT1ukJjmeSe5N&LYIh5U|$^vXD?yB($MaRDBJ(+!AN6OSrlEJ z)}zAi_Q`1oUD}5;K2ns^*27vnXJce1UN!D@OKZ}*<29zl5ys;08fZy!FUiRmk;0@o z*J9dfOLS10e;eN5DLgh0deayY{WUWYzg3x%|6AXD(zE?w%Wh*_?Jy z7Ra15iY$Rl_XBAcit zyPMZX@J5XrbSke(o$2PPH{Cx|s=d&vEZf%Dh4u`p3i+97{>sUH%~8cFinaRv9_D>& zk8y*<$yOmm;6vT{T*_AQ`A%bKyRf;wpF|WSwrntuAc>M?we7`5otx0excx@iBk=J1 ziOWt8x0g217*~|Bw%vGB75l)u)pC`0>60zZeNaySlIG9gp<#LSuRb+@yf@3(-5>pu z^qL-$gj@yFA$m@gs?57flgzsd=cEt3um>WZr$AafiSuQtXV5U;g>mn_D%l!je4G~P zARSu0X{9SZVO#Kr@1(D)uf5`f4$wsED(Zs7cYk!x5ilu#VRqmDMAc;-tu}R9kgBQ} ze%}5wc0+}ey2T;ewvfGR(YZWHi!kDL5$k?7rxT)y<)hQPyi!bbwG~=2)zBK(K6RA z!W_clU)lIE7V|~FbMIazjbQakH7$Hv?HLqOt_Fi$Jf*I0Pj51;4&I#1R#}7I+J5|6 z8(H7ruoOc$Qk^QXUY^b3Odil@L^8LyP_cU7Pr}2?`M|WayhoGYEY^e8?#E0)7R5y> zlafy^xCULUT6D~x`G>6nSVm9dit1-1wZ-#hwHNwx?UeqtJYU*a8+Zm0L;TM~vDR~l zA>q=54US%U`#eUyEJ%vUTM+4L3-2;WYp(Qf_+2yUc%v=S$7Z zS>j{)&PSUJio4c3=aP>LZ@X8+de5IYh{NI-2%~lv_@^IQb5gdNVMu|46Bt_G3P%QP6OHQk z4)$Uvay=O0yAq6oXSR&veRdS#!-D0n$(9-Zqx}-pv;GArR4J7I9An^2u2H9DZ?QNz zV(ZjKn`DgFu6S<>Pwz9F@iW{|rEW|aXs9e*S%I_mkbRZ;7<0<0!4QJZnfR3_(U@ia z8lx0aKS;w2N4_Y56rDI}(PA1?`j>-x_){snX5%f7j3-vS(*j)T+o?qjs9FrC)K_$u z+7z93-Ccl&np2f5X7txyg&F>94+vb#(S9J%PPy3y|H#Ky_0;2Bib2m!>09{AdRL1w z?468;%gYI=6lPWFXAqXpPIZ2BvRrM8&O=?asC?EDhlrdfd#Sao&7YHPynxFf;b+jF zsPQ$m$I1ZWCBqNYW9{kN?B~A%C&NYYAPil~*VVv+*LocskPzv3*8y^MR+jP{-M7D3F?dCkfqJd4Y4|kes>!A0D z4T7s{y4FjKh#L^lrjyVH+SM7a)G_Cf*9LvL)trRyT&NJu!BDkXWThrI&V6dX`os*e zmNkyZX8Tm|2eBr=fd-aE_X{o1D`6xfr#E4QSj6{jMfZ)c2ccan-Q~-D8OJY1N5y|> z)8+wk=GM-nFZp_{qB1;G5~qi$E0r)_mernN1hT*|p&ZuC2Nt{bA=fTy$6D z?S(uj+S(uPzUs_yF*e*B0C>f(nCfB7puXs;W#ES)5#<{0npL5 zBIWAYw7pN5td>x8-t{uQk~b@r=|JpP1>(6_9NPSHK%qRCV_DQcDL2*N=r`&%>77Wn zhMJtY$3&aDW1PzPI=p&0K3*K-d^h!+c1!Fwa^r+lZmL>TqSA4i)4f6NWEU31EB_+_ zRgFBr>g5k~D-@`t{rPGKZQ1AE5#XM$eC^-;SVu!y;n;7ED!A_^r=n_SxZKonMO8H) zaxuvWq$8FJ6mg>`lhx>-wuY^8fnPJZR+I9&{(u^wF7j^vfs1B z4a-Pz_2)!gtBnUrjUa9>9IPEx1UDpWIM70z*lDo~q#I=~&>dU0sKf&|v#fXu5BOU{ 
zpiLt}_#u1d@=QvE+`mQ7`_Z%Tg|YZl$yq$?Wp@8yWn)u!Mm$*3&VPX0O!}gra&^ZOMZybMEY#dr;OvZEX}+v=KBcb9{;s4Th$ip@Y$U z11(7)FOk&0quj5(5GCv}H$t!ZQ19YJKRTtc%oep=eh5_RF@7n)ruI@0h2Z6W_xiRL z>dyAR*zG&7cMW$u!&9Rinf3KlN&X`&9luD7_Ei@(Lb#?=MAr7U*H-*atK8wF6?`a zC|h-*`fV>A8|BrHga}S0EDT81KXe~mdF*!5BIv%)!>9A1p035>J{pdTuxgsnAB+0N zO!L#yOy!hf6+lUvPLDa%lIqpXRVZ;M2cCJ5}1GEpD?xWjs3vzgL}aRxN|R!!1RN3 z< zPqW|Dzg}ro9OJ(+6*{=j#iznm_t~4K&4NCI>W$)Y`zW75c!167Aw{rlwYNho>B6L( zw+e^#@C7hcWS}vY3GQp zM(g9;3ywiO>xdiN7#v40QzBPc;>OV5u|aac)C(_t!rAzM6u7^%xfG#3j)3~N%GVx% z;Y8_xNez5aA&vp_ld_0+W#`uI^iWQd*YT3|x$~weUwNo(&71a60sf543EWrFN(<%0ctr%D1?=<95LJuEIsY>c(roIlZ;OPYE;q~zeHp|^Hbjorfh|s=nadt|Ks})4ZZoZE zuL?aK(L1@BWKdl?x=lMbJ|Q<Jz6Mj`HtCj>48JR51$My!v50*~`0~`0&0B#GY8(C5yUP z_WIsiwj{=N4(uv;@o5mjiK}wYPBK_~W8~nsDccIN0r#eDa18oz(T5TBWx{##YbI}< zUsQJTlB!OFg2#Dr!s3t0^ksI7E5?-*Ke}vj7e9B?5(K=02TT8MM1Cyx^0ox?+gtP6 zY4MxweWCjlC!GDD4fCUYYzLn3A-L=Ffqp`z_QHLKK3?J1OB~Id6-*F@>{Z3Imvrkq zXb?Hm1R=U@?VcPwKLPQSAAk4W^W%B{EQieXvN#0C#O9MfhzI}pCvfWvH{IwWhs#Rc zt3>7+tdKF-k{qtmimwx1rMzjj!o(1g$TBG(;t0C6Pk#oT@74DD@dNb{syH&m^=c~G z(6%nF&r1PJ0c!w;pY3`4P&RebyoW{SjHpn#&L91WVughEJJvSs*lrQ=+c%QcOxel- zhV%Qchm3=t@Xw9EKIl0lzc|Ic} zwleo%PZzt6{Bv+gQ4vs;epB;Fnz-f4@)?ASpiI69SXKSK>zdoR;10iG?s71REbCj@ zFq%S=phReZ0|a=IT6BK&L(qfVsC$G$4^8QgxCH%Vu_=Uf+b6VW5y7?pOTXIp&0)Uml#p55=mNNd}Cps!fov3RInt>IhM!LJbR zL>Mmj+qR}UZl=t{Y=4&K@~#L{exGli)kT9^GIYv&HPSC+lxi2IcP4(%u8%gqX42dAX-n42P0laf55{0D(21Qo#mega06&9) zy~E3)thPN4AV;aupYR!kZMSwUfcrr547y$XySQu2s0~$eS`c#Z*(l%7fjiVcgCxVB zG@e2C%Kj;Uv&}v2^o>MFbH=@IcFrx=T}vk}haVu;Y5KnfNo>UGKZPM2MbO&QlI#P& zE~3*Aw3HoqEQIO6+veM$OpLn{C{)9hpmjl0-CC>GqK}!f27RKlNk23rT z3%GZrJzubX3dMaWMcik)#75o3BPQ+N&(EL}-v1PU3m->}o*C`=VC6GN%H&ug>xbfYykQ!bN&%YToylr7HysZP}r!%H7l@#$i_BIJ}o`!NNkBbbwmJt z6tG8}zGo0>*JD$w^NXjSt*^s8K6cIVpv~MU~5#!>Ws6;fq>W#C<9(A;}9Fb|?SV$IL2V~%n&=8fdv*wSf&el7}es`U)j=P!vZ{+^RwfuHt={ zEnwc+{#FE<^};ns5c9{X=@kXxSe_yo}phYpOG zHxZeM=)ro@xklfNjm(I&rvBmuG@^hPZ3vCic?P9s1iW5xx%)R{`B*$UvUl+e+HUp# 
zm-a;495=03pRSETA&13%%&|Wa{tN;dlv4vwwe}4f<`W8{on49Y_#?jS@gBy!MA<|6 z@^5}(6}bpNyZf;9k-gH=4_u{ zv~qkQ|Cme(mZ5%=^KvS|!NP|WBx zuKwWTl(h0{&aqLKe~Hu$ayRO0bdujx#w7GRyLDly&t|rgGg3amVrTzm#g1&A{SIAC zTx#}dcI}nBMELK0Jlk|CAI_~&msIW&lOdaUP>`?1lgGc}i|Jd1$Ls(Chzzy*()w+v zzZc)n{zOHl4gRmXBMhq2biOr!=oay=)iqFSr`b2V)1VIbR7}xZWAP@w;2zSa{Hz#& zz)y@9z~JIwtbg%ePYgRNYwa~>G9{1UL3Ehvuvtgjdd^U#0K&(FU5`4Sd_N&q$NxeR zBPU7V8Mf$}ASd3k$9FUTKxBSv4i`8-yOpcIfPMADDu(;2cg%pXwSfe3(H`vKUmB-w zLSzr+;{Y-9X7? zNc*Y3m0|zvJMx(UnM|vqZ+f;%zSlNaw9yE65)i!g3_^z|EgxxJ85k_BU_pk>>93G_ zNrnX1fkb1n`GdI(;GX|Mc;*>oEfMv^=KNxRgg<8kt5S0ClK7ig$05hpVWse|L>Bn5 z3qxepzx3t=X-gC|&OBvo`}qW;7qqhYP>C&4?$^pqrHQn{Lv*IAI{QlWmQz;gQ!JJ; ztx>1~Qm)S)_*1GMF~0!o2<_bRxSS;()yGoAceblGUmfKEeg&u$)o2QNSNan!IZmJY zDvOweIV%dEwD?QID12KLvPG*r7}FPe_&1$Lmw)Y?oawI*n}hPj-bTKY^vim8sL1L(RdB#Ki3Pf>nJo=h=;$ zwAl6mjMMEjFuhk%j8DI3K2KaajyBC`nZFSroRk$r*#e~xMCt1v;e3o0UR{+l(It?} zHVEDw?CRfkH(zXvPj$65tekL%Jr?qMcap8a{SNM01AesHFD!{D-iDZ|{a_v^qxmvC zL=D*QDLlSKL`bivAplieFkt*Hn*$!cabKx#sO-7>lcj0KiOw8T8krS?vh3WjMZ8Pl z?h*YK>oM8yLy4iDKAcC*x)FHem_B>uZT*uUxT$WNvv>uAI zwH;l}pGgq0R_97MJBO?i!Wr*XAj!SrsmmT{0wlkp!!9!4m$ifQX|3(A_+cGQs`X-` zscfETYC!e+eaUgVX2G%|!vK}nr#6vHRHSgG+v*lSw)>B8Rpqc{1AAz;`a)p^w9@UR zSxG(}@4#Dy;5%8A7@Ecl?LM4W6a8IyywqH3F=Lh?s3mjkAD;CI0WYj(;a3yv0jhg?KeSrw4f z6Z;E7MR>S)q<68=;&O^D@_@5@^7rmIW^#^c5y;kG?c?C%a^40lAl@od)RKPx&&$^gZ{cE*--bYt_XqNW;^I9A&wx8=gBUktX{Z;GMKgM9RVBJi4l?*s)s~9DKK;vh!U0BGLju~EKr$TC=J+J;&8X1Sr#&-wE-O!?&1I5u$ z)N!iGs8p?rmDB|%ggZWwpzu?JBjyqRx!V*7ZitUCBA&Y`KSBNs3zKU+Vso;zWk{%y zr*f+mGRemp0k>08cg3dMIuA%Jly@VxKM9Xw305*KJ-B^0Ml|Bh!|F=2BWSe;L(v}8 z_&hj7we#t<@6nf`F$jR)H=afD<}!L$+n};T+!mGSlRgdJCut(k|7_a(+Q;*i2NcXh zVHvt{v#AacG$%lchs2cuH1#+9-NTyKuOWl^-KW%N5RLHAqfhlyd{mRfhAjm46nxip zciD0z^0(p6Go<*8)Et~xUXC3cM20_u3|H?lwKLrj(y+bKcV;wVnW$+Q0E>aa%*3iW zn@#Ow;@L6#qFkF});)7R6+W*c^%di_Ym<7PUMhVx_yExL^=~=7WQ?Ck|5+m)H?OPd zktkiZ@r{ahZQzhc`DwM~8I-MM3`a(P2H_j!THlL4=v<&+pvH$1Y#R<%lv+9T4QIZ+ zkD;VOj<>rlH9eebD@5mTw)FM+1E=_t?(!*Cp7plvp=x4s4bH-MWkXx5m0PX{F}vz- 
zje<8Fq5|Q{?>K+v!eGoP`7(kiuU-y`&QHZsVd3LBR%Ew*=5u?0m5 zjnUy(o4AqUtdQ)zek1UlQ{$uC&L^v`4*$z$>6brpEI|Rp&QByTM8MrQMda7ipfDg&p-1O>Tto40)-D<1#(!UNku(KY22RTuqbf4Wg7K&oIZlDi*M)9Q|^L zyA(cvvw5P}JAY+|ZzqsMSd$1yO*L!4&*I{MZxb8gbTLBsdW(De55$GTMAR(8LK4o4^b zzv6of#*M}OtnHTP^JZ(ZE{tsKxOZN}4bV;!0K`C)>+-J|e>|GsS-MbYE z-HWS8JD$xwCLq}QAHSN^PJc8qK>Kj0N2FYcSHv>?-|EyqEY~mCq$c015Rn33rVr&U z!8Z}g9Veb{zQ3x*&Jf_X8*W>)?_*gw7hj^x*Vy1HcbNF~nCOLfO!iQznEj!f-Zw^- z4&mvY-JPcL!uuSdjOlVA^(@vay~lq`wMPKKcBtsvrcR4@t3CGa2&)YPKE~=KC89As zPPToOL;6ZKh`!6`58I?&yxZt3-RO`UTvO-@I)u;&?q24vC%hlWqaBWdCpApitCeE% z?oVW-rvJOMy=G*|*Geus94Nm$+fGL$#X9Bwnf$-{s{d71^`exSR^@F@Qv6Z_*b^}?9}NujzW& zwk>8{_E4VA!^iW-j*1t~xJ>mxd9!+nx(+PgQQiCfi)JL>PM?xui0=Rme%)_#-!p7# znZxA|R9&t8vS^YzHI56wYug?Pam++N`=Co5?%fLci>-b)RY$HAYs#hNA@^+K%p76yoe=`daP!R5^-S29 z`nkv7<&M#}wRs zr9n6wv{$;7H_hiLpx0QRZXDhkS82T?>M~?$R$Fj#3o+l-P#&_^|MeGL!uPRkcYZ5A zVyiK1m9H^Qa4U=}#bT7n4IR_%5rfS63^_RS4F`gTlY00AXsaChl)g3&KUV3&-<8I2 z=foavM84SQ7CIKYJTxg+AdTgax4r1lYCW)*5IdRwh+m0vyi;6!lUwcYYcqF?JvJu6VX>Ou18{tY{BIHlPIfi?{n~1oak6zrAgFnS2+8XN~3`KpH)S^y1%t8 z&5>ix@7P`*0ThZfg0BI_Mw9A6X9AhS3we9&AR$ID^ytbtkt*rc2Rc~->=@M8_f%H7 z$(v1;Or-3N6*#{ZgYE1gze&=`e?`+t$!y-`a~%V)<&akGzP~ z<27YVcF{_RU0`w&q9Z^8WzNovzdjPDuWyHS+>2Dsr!#rPg!d;)v5`-RD7V|Sj1xKT zqrF@QE^zPM!rT1+W}VzUwHyh*R;FxVH7NR{b*a$Mr%<8yLU1t z>n3IljtdR<2@mTZ5THPmUNpxWit!#x*eW-ABhnEC+N<2>R`tb4zZPk4{U18bb%#gy zxR--5hwgionvR1f)RAPb*pm*O8w^I@@c)g|M~yarEvBj$*KsUPA!so}S$}%w+`dst z`f0`|l<1RT7(IgIA^lfFe_lwHMueeMOd>2YSkwTvH8#wf5{rW>RTvisFSSS#84t#r zhHRja{3(q#wIv9RJT-a%TdMw7nkIJg`4(pC-76eC7~(J|tz`O2+86KMrp86QAgR}> zv_(oiBE+IiWw%2JW+1}SMo;B}pwp&0`Mo3$w}zm@tRXM=ky9@wv1wm$3;yR>FxDw- z6QtBhd>o3@vLH0v)II?$vQ#SwdM_+F7%lTUl~xpuE|t;+n-r!ciWW$eie-mImwFz7 zP5Pe)g`?PG!BFh6?@&@z{a(_gDrI1khKKpRL^KRom>;HoDj^XF4fGN*pMW0Zge2S% zi39?1re;iIlLP8KDt&LUI~Xr;Kb`(|`u3{K<7LQtFOqGr?>C5{TE<6L{#Ji6r^Q$t zL6`EAyX>_uJRSBK>5kp`O-0-Jqu+SmPO&?dC3SITzi|@mql+PEQ*~!;mW;B^f$AW*-%2SSi6tlIP${noxo6hZS%35 zvIChokcprI{pQ7Jw~O|rgJ_xy%UsWDc|2cOQn9Fz%$thn?j`WV7ORlqylL$mW~ZW1 
z_3S!otP3Jrd)#;!vgPvKVK|qFPl#$j+;hNz9n(Sg&iTrIJc3tYOWn@-+2%ERHb=#L z3V#LXUrkSuT?fSyFr`}G+$-(Mkz=edQk)DFsah}mMH8@*)P2CE`LQv1IkUnXFw(&VaB`4w}M0g^R&gqUS0L9 z2~=obeme6Ld2Dm2EB|SNHKS-ar+GBpam{e>GG&t zX{Piy+OEvJiCPd&ru>4&jCq|*#b<>|9jSqnZv3C2ijM4Y!0BWKVtz2GF;XmfTP`sj zm!R8WsObvj$S2(hBVA{u1x(BjxgnTDdK5SeK4$nzmRzqIM#y#Lm*-vZPkOUgbr*t_ zr?Jxuq*tEsAHR!rHOb->UK(Q1d22-wF+&q3Jdmxb3VThQx?5v~TI+Zg3A2gO1nrU~ zYzJJ&G|zhl%s8h|JI|B!Gh5np6*Ma+Cy z3lvwA!-odGZF5KGC&cy&>VAaTQWZbxir9EGiklIjk`3|Y@n!Wvuacxij z=%jq#V%>rAzb4i?{yxsBcafiuCgzxje{+4u!>NavmEs^<`LAQm4nJ&)yx-u^bVBy= zmCTXan@eJ1eQthrZChl(jjPR8?FC3@CirAiEl& zcsB4{A92pE;K#Rn{S@DLDL%VqRAph9X~fB-J>h$%#ztlqMnBwpM6mAVcIhYAYwKzz zbc!p=b!sH8_x)>1blIVvwjpU`#RZA>uyV|U%{#*@hdx=d<t1$S#IojyO` zG~$>tJlyB>EMxAK#6z2O$UNm=)Q$*wCuS+-&M zkn}X8toHcLvM}Ez%blC=MyN-8H{;k2@o9&r!v`ie=hkU3U0tcr*IjOD3RF8z4i0!S z!PMtc!O1n9A~Kq$*A0A;a5nAUyxt?1R8+bro_cooDV%L?yzY50joF%05#@1x{fP|e zlv^6Z-PkpG=HKSM+AEJ29VicwRiA6IGYkq*$u2%tFTC;M{&2l}Vb@n333>gRC6N(4 zrZ0J)N@wKHIa!aX)I>Kdq~mz*8_KCm=j#1c2Tb_*s3}2e>oy65JnEs6-&@*TFC%34 z7lbHU<3uSo4-t2SSRS=gH9U!q&qdoK9k}1qwr*-?sN_*6@MEa6OI4|zEDUM4_=LE& zW)XW8A?E%;u3%!Q9e>uoiS>}jP$iS&0zWcT!`$s@?z+kyYFVmg{_(Jk1Niv<$z`cC z)6mN@@j`^)^WNOpe14e(KD9y5wx*w-)`H6oL(jUlS(11m({bH+31so9LN)otTGePI zj>U^@OAPXPOEjlP3i`AUYw5E3NB#mr24i&E>YY||df+CYZYsJdWosc?*E_an1qWK) zSRg<*at3v=l?l;Nj89v0UZGav8ICwr(W&tgOGuNXJ@ND5R-%)TD)^-fnlhok5QCXD z>MdZd(g`3@h>_mvp&kqA9H`M)!L@n;6m#IFXww3yw zKs1W{ae4JUAc+I=rdfgSMYJ2Z+0YKm7t?Xh9SUuzACozQ8=E6mi{U8VCvdmL8@W0T z2HVm}%-=IDVCa_?(35!-Z&4H@=gl2|l7JK5oTev(|7qu}dU1~i?=#S14+c4PSBPd4 zVl<}o)6b04Y5VE)+Ju=O^@nkk%E8l-IxF-`Kfrzcp+!u+nd&0wE1^AMKk}Hf#h^Wf z#mgf(`ngepGr85~$^s>nNpSi6>(IziO=1K#K7yTM6sAg1C~JZFQaYGTvEf0nl!h`> z+@M)XhcN6h2&Hr|({chbDD?nmWV4eyGvF_!Jyc&GkM3R*LI`)Z-Eo`!K-2;C^HU(4 z>x(iWi|c25K~)E|GeC}ZD!f^9>^DkSVUON6aMzhVgl!)O-vCP-y3E&H7*^rNBiz|` zt@XlnmT0W5Yv={5S|RJBIf-cZAflyj0EW5xaq zBCwOAq(!SE3UX}P+wmRXZA^OW()--{u1v)ZX>aw=(uezDB2v&GmhqRs76lDqYjIGk zz&){8i3^qnNZ?x~_3dJ*qIiTH#BAKw#O=uva8aT{IVvP(Op{oAnmaR9m#i}+jY^6) 
zc+b}-w$DrN3Iohdc5Pfb7b78Yh8dA_4aVetTBGrewt!1IBn%IKd=ZGIV_G5q0|e&Y Ak^lez delta 206335 zcmZttQpP|+qSJ)wvAb~tM0$nKKtJLa9+}q-tyL4MoZ5~ zmaphi>sYZAWkA8ufFOXNfPjFAfR;Ilzwd#8fDjNGu}DAwdJfr)XkoV$&jN&d>Vs14 zZr5mw(e}yY*TsvQ1p9-5p3mvF;q1TueJHqI9iir*BxAR95gf&tC92#j?9jZue zh~po)D(KBhrYaqjv2JvX5Fc`*F{nJ|_{SF2jb?pvIRYl?YTWkYv0US!G?=<8^PzjZ zD#m8K>V@x-adR(-1^DJ4$m9&M*!yKo$BJs_qaAqw9{fMvGb&SVJ*kutI~J-RXp_l~ zP1Z*EF=*Vc*_?5*RRnVexz&f==*q%BVMjV}4*{;o(A1c`=_* zy#BQXefa%w)Y-dHSM31?{&f4J-S%3ytsi}jt@`ig@T-H2x5C%o{j$S7c;igHctlIx z$jrSq1Vl^kP?`KO2^Yp8vgstIS#sl0&shc!u9K?3H`PkIaR@?uOqO7)k2`?N@+eEcCz4Rdz6rw1 z3c2c~?L&rSB}nviO=DPuW^^OlHQE+2B!A+5;I zUns5+^q!h^nXo*37Y?yF)r`~(XK`j%Qk0$9e*a9iC2=IFj3JmZZo=VXGz-gWRhDO7 zEnBJB6L<#z6zEo1G&aq76lOiz8~m}&Kk#Cu!<7!>iCN72%sGziD#F*E^_2!+8e%9m zrwO~23HjRh7;S;*=>*c<~lNu9+9j`1*<-iK#Zb3$@VU;O2S#u#;wGZf7si$6{YRD0R>_7V*=@vzgCXb53{S> zAC#XBV;XJ{C8KY^sdxf7U*fCB|5iPu1dWXzjA28#$NDO6SJ%ATaC1o6F-V<9y~15b zUP%(5_@GkzC>_GTkkHX6BVWy2PsxVohd<##ox>NlvRt^6OT*AyRU8LjVlc4rtIm>6 zeH~d2X7C5f9zL{(8SNqFNa*NJo|iUjKZZPNoO?eoKG66*#DX6$BrrbA_+8Y3-=Fg( z8CX$b6eP+gV3Ck*0Wp9T9hQ;{6eft32@nVXPAD@5j`ax`Q{voSprFQ3^oA(8fJ=Xh zi~?u90G2+yca+Mn$e4OIiQJGaw6oE&JD-dHqBj6DI*&_Y^e8q&?xy;B+Me{o zKW*&qc$Dw}xaHoAcY*wLR!f5r??ey83-mz$t3uL!i0z{Cv?IXOAKr_w^fcSW^q)uS zgWAN#F}~;{=e~U)WBr9pJ|IVfad)lbAw~oOa_~r|hrtIpA5FOZbz6&LtP5kmk<&%~JC!|m&iCjC9QjT^e z00BQe^Xzf?eYhTN833~6db3+IyUi2uOfu3*iymHw_y;Q!4U&j|e*B4KI(!Iu!FQj#c zPs0JiUYXrmtzp|sxizcIVuPA!?dN(3nlGiU2f?|{VZdWsX?KfeW+4G_Cf1^8E@;EZ zhwF}}#C1xtnFLDcI#b66J4>Q@u~RJ<3%BYMqz}m0<{K5XRfknS=BhK?nsf`$f`mQ8 zWi$`@(3s2!e}sfh2r3odDP!1tEo+MAqa*=VFKcyd1vAsPWf;SC4|+7V*Bx%vcGt|* zWMffmxr0#Xn$h7q6q$1^%69FNagDzX4oS^kS}P7q#;2XZk3tvPJyzdkqsiHIgZ1Nj zbEHSVVB30s%LrEj>=fQ)E7+GlU*|txk;FT#rP+1KxO6SPHNB@Ur&F&CZ5uSxJ_Z4H zOWS^@p*#)@-3DRPt3kIP_E~KnKN^1=Py_F&&rVSF z#1jg-KVcs9OLxc`_^#PAZ+=>z>hZ_&0iMsI$u5cY1bJp&O7=2_U9+9N{dNUyMyD3f z6e=;d+b-#M@IjiZDmoqN1fEj-S!jTP-r_FXPY>-C%$vbe(_P;I)X69Aeh-zbcmYzg z2NK;(a(S5&u8$otjWDm|Pv)hva$Ty^jS5hIcJC1wnzZ2P=OWoa1aE1G8O5OnaQp#n 
z;=o$5^#&m5Az^ysQO0J-B%w8=NSiE=(ev`DX;_}X7ujHI1T05Q8!ltNM-jlO=C>!; z-&2`Lr*VC+v{`x;O2_w|jJ90$6*KL4avQ;T>{Qp=pe5<*5cdaUUC|l z1?B`1j!e_!a_c-$Sf!?@Yu8rQH&&bcACHJ%i>O##GGmLnm%IP|i-b(OSFn1gsSm(D z^Jq^-%Xk{rcVCkgqM;8eESRYM)~r1xk@$-%T4eMyP=|7ZwPG zXKv?LCsI~*Dj_CQB9#S%q#UoNXP^q51P;B3L2#1jS}inD9KbD)ifEzsrDG`(X zg_gq|^IMwM>&KH}V38{LX%fRQgu9f#XDBSi3h2S&~PmMWPeJum!p=lcYHDOWS0xCwff) zS^^FLezxdv_~<$ryaEw=AG<)(J1LG=O*x#A7!ovWu{fZig#;{1nq)>a0xTtJB*{jA zdpYz;cT?)hR+?^j00seOwF1ZqgZUVz6j?>kbLI{AZjIH<&BYJmH&&+0Mv~LdS!U{B z^mfm^)~i3{!NN)SEX*&9|GCn%r+L`BP=3_j?W0dtd}-Ncx$;%dUyWSxQOpPP;YX2{ zpPqgxZwdf?jxi-`nAoaLBqFo|H49fHeh<{KX3^(~m*x7(d0rw#V7*w+phF?{!Nr}Z z^Hndy|L(7a883D4{lHP}!uhS?aPHUh_aC<%-V&cFnmj3Dt)S>3)E_x$6n;u$MPq89 zqnxm}RK_TPaSC4yF&UX|zU||#;*@okhZI#yy$XPvXnjvs(47>4&UhxwaBdSTs(|vO zFQS#SKA6~j&NYV;#MWHOS2lmTK!9oF49l3!tHCs)Zx#;=`vZa$tWwhk4GW0`9Y}`K zh`30s#&@ZGf#+h#J?=!ekAdggg`UUexsary-lY%XVJHg+Es9Zm6*6?Vb3hWSG=dbn zMhWnHCVWBJvBB5BgxQX0mGJt<%$an3ubtXp1hR!<-Uywg8P4^*Hn6lfV*~CzY6^L|H(-57Ed~putyuswu^>Vv33D#lvFS9yi zs4#8$G$LHoe0&hGJK~OkIwSCHV0O1CGBj&cLy{yll58>9f>VIs-htLKDsVzS?sH$=u*I2V&hIp!3g ziuNf9Bc6DY_Ldcm)r~xDgGHIVgBn_%_#pE71*+v8R_Kg#*QU?yPqt63+99J*Gk$C8qtM;7pKFZ+;@r*#(*6$Vx0qn zJ(|a5;k>1^ou|9w&U%bPl5(@bhOH`Hhr0u4o$VY=p6xVBFkDUC!BgVSCIVKG#g!_I zMI-kkoUt|*6;a%lGmDB1E1isd@g(k86z^3UpDb6M@GzglUAaASufA`8Jsp}q_At}^ z^s11MNd(VGs$&qT!>IS^r4#4bmzB`=_gle)5>?Qa`I}GuLk=cuyvUo)<0brB*Ue6p zZZEAd^T*W1=cQtlCRm8EqyV!*ajLYS4KBjf2x_9^j}10CIFmaB=(ttOdLU3 zk}Q#kdUKzP-k)eT9SROM2GrZN0cSZKP)o6RT$^&72zv=fCGGvTc=N??@w@aN?TyeR zMzljwu%se5MH5IDZK+D)Vx$OHHcU4P3t^vayu88Qc7mLdTHFk-x2`9?H_YGv zHgSV5F=yu@eyzw&W+rb@5^#*WCCP0a`N$na0nmv3T8f?Kr0x7z1i8p^^Z?c<@cHg7=R8$w;1=y* z|1CPDdG`OczGc`QMT6MkGt+Dk{~iEiVouT$<;tiMJ_j2^lcdF90Ge|>s-^=n+YcD18Kr@iY*3ex)jl2kP?!5 zlJR;+)$Yy}t6E)|x61nu=0S3?JIQAccf`T_V4)5e+YF>gAe#mYz_ro_>NCqCouk{Mw`{=sjg91<;V89^^ZbO_+Sq!Z9xlOYV zN9;!c9ezMmkVwq(1EJj)){9~)Y@iC(;=R}i-uK-ESqeup6{As!Gp%zL3L_8W0>|yc zs?-Jbh0ZOKgwOHM|M-EW=!AAcQ!cE9o`gA1#u`zcE=p{R!X*M>!RQ!)qKB?m^o_nO 
z+0TEe0RdJdQYqTj6^rWGRcRX{z+!=f8r`;Zph$P{G0|-Gjg4my-!gVgEYUfKVYknNqEVG)#zpD1!c* zE^=inq&IH4P#FzX;5eMA#E61&_a2mpFLK>u_y>3|digg5TJkq)`%+);mB!(!ZCIho zwX<04jsSDFV&l49dKw4l*r;3EH?HI4NE7MGvoL#r!%wI*%kbZ;A*3YAn&1 zvPmeUqycLb8Bqz!t9kyd5ZZhEUpH4R!zW{-$hMV1QA$r!z>BK9u@g<@G@B*NTa24S zK@wm_!}%yQEGqzSxw7KsjY|%{liBM=D$X-DsTjnrNK;0X3%r+%O$;stG>Q2xv~5Pb z$-_bI;updE%I4N^RT?4Lhb)|_Y{EHzz#=KoT*lfj818`Suuz>c zqExWaFh}PIGEJ;5`ZPo!?DI>p{IRD)Zkod@k?l6Yk5fXhBf#5aR2#H{YU{xV{PJd} zq1fu(j~M`1YT+?eFE6$8&*A}UX|Ho|atlBELHr*n4QsSfDn5@71T^CboXh}&4q&GD zw6nd^({jP#O7h=}_(oib+KJ6u4-5UAkMk*)Z}+g3A(`T1Qa~kZB6Z3#Zj4T`oxAUT z@dIp-|2vdZVy8>Qe@m!R#7vm@O30i5^Z(o3Q|7$>{Kr)FrecAIgV!H<(vHyF7f<0%073dq48~xakA6BWy@Kq zuWTCZ3c^OP_at$2YFBKx%TC?I)Kli`-6wsN{WUyI;`>Cx+PL-S>FRd+67cU#>;A}L zDcOnt{59#vP%&@a!StZu?q+Flx_DB;+4bwlAs+K)s;;i-=J>CtaXp&@HR4tDcyToG z^wq-Mj~dgzm@BonkM7Urq083-gSZ|eZ`kAZTY84&_SEv>&xd`_gZs-Rq4Tu=s1iei~bRZ;@;JK`s6BE=3d z4bQXNbdD%J(}-Qa&hgQg^+Qqi-fGSYBjp{)0UN`5)lcj=Gqh$3At2`tEHnfbZFEyY zdS8-!(-LJLu;d@WGtAo~6~2}!fDat3%D01tF7|Uk zF5_dOqw99}g!j0!i=mJ3Q5<%0)u@qU+MfQWrPy;vN5QDdF9sf7kr_$Q)#ts8R@G=BF#n9btYJt1V5fkobBpx zb%5T|O5e`BrrS`oqC5nHb+>a8-tL9?M%SBtOh$xJGK4gGU@&>Bs{;IcMkeYUPC5NTZI%zHf~n|1fJrk zY!ROhFf_1sLFCh6q6Ah3`5sTlOu*fK(Yne!BYz~Q5hG0I!9;>6v5;E8p=d~7zT#E* zWLm+(B3W$(Kn+BK4$`sq3%~TGd!QJ88o}q9Ov|9E!|f;ak&;qM^KpZJ7pjc>lZYr5@uqES;)yVB9N~# z#xd*wfOF0~=K|bYh&?nI4SJs%2oFgS3Xb8qwIYc)&eV!`t3$7@IVhIg_(ods2K9!n zdC4c3Y?*r@t<4ud{QiG(EEpr}2{rS?FcW(|#>txBlMRL5*?x!ks-5ri-ZwA~Dpl2DO*LA&ja!~e4J}OIOEIH1vftLzh zwED0#`0`*zju9rWRLmPe1EP}6vYE(xukwc#k0?yObw93(feG?wrmw00P0CiAMWl%8fcrERLRggFx=I%%15*m8DC} zWMz*J+WLK`cW|HA zp^}h5v*a)_Q9*n-C2#hSRMOz;RpQK5z^kW;vP{I-gw^pLJfe1oq&%LpE+{c+fL_~e za3}B7Ge+}5$ArD-`3=Hc%`TZ1*M}57^bdW;j66OGzR0V%IWEcG%NTpDYiiavm36Af&aq99- zd~7A%$bmOx7*j&UfJTS~;20!ez^Sx!9oF8e$D`^|vaXCY35ft&4k0=vffEK3mPM+N ztXNW`pv(S1Qp(ZiCF&c&y2e^a$dZJLGQNkuznY3mTUhDu#X^PRTsFV8s2_+Efb`a- z*I$&6Zt;fjaSD0Ghp&fP+44ir?LYmVvZuGLr;gC^jhe#990WU)5Ctaz@UK9NLOCR< z1fe}dqOiW)h_k?#U8|n5X9Pbm&atA}Htb>uuC#<)f>1PtrTi%XWa^i(75V;lw{ZWu 
ztmXZV@x0LUKT#ytFn7Ens%WBIWCYmb<4^-@a*B}`f*Dc98sQcblZFRUU6z;OmZiXS z6_z|K@dv_RF`gW((~@HVltTA0)OXqc-e;fz(Oh%o+z3>KXu9B`L{SDnM;Sv;@ex5Q z_hD$V6o;&z^h{`oqAPde;nmaxqYumS-T#GN6X#Sr=`=E%{3yKidh;?05*JS3G`e$3 zz`4SS^+mTC@oV@(%^w#cL;xdSom1q=$Z)~rOj$=v(ah@4%3@ss)C9kd_q>_$N_S_z zdN6e0yoPUhUcDDDtbfKoxjz}`XCOjcnCYh!?CTxB8}^iQ7L$eLh1TN)gEKpoD9KVn znN-Nyx>lf8B7#}yI=-iIf?^dl>PFCca6T?`4sVrYRVEIA{sloMEDosC zPMkO^YVG^Btc?Qlr7Eb8{mw&FOxJ;^Xdl!+$X7}v!$mA3{LKdg={!pO`yjcA25r3l`+L1M)su#gK$;mHut z(-c5ufVi`gL%+zwWf0Q)@O1yZ`CG8iy5R%MAX@IpsPkuLcKSYI@Za=u`(fsL=05R1 z!u@z4%D&G6IK#-oriDVISf@vtY}LNn^x9 zh{af8+ys$E`vhghNy*6(Sfdd}HtRd)wLYtB{pjI`yV}%PSKW3mlQTXMDfTu@L*cy| zXZ0Fj8b*{ESyL7;n*47tJ&vM%lMs4t0Uizt{-4H2dslk*Qrbx!Wxv&qNOlDNx)gzgFY@;y@zAzI7CBVI82p}mF zf`tK+6{+l;>zg7^rt}k=A|1^s%3|=PAC+OxDEeOWJsssr)`-_mku(o-AH zNG52215N}qmPmpdoiOIgHTiXPfxlIe>|z`A%MA)&r0J{YK}~+ohLBl60#dPXWmr@V zb&4}s&GN;hk?^|2-7%Ou&;l!WjWqsMVQ*6gt?6GaAqq=R;R0sCiPz@0zdvg}EBRlp z9-ZaB5a(!O$^l_BAW?=;5eZSM0mK5xtWit=iy!)A_5QMMJ+Qd82E?(C zm;hi0sE7F7Fw?2CUD(J2C`cec2@^Uclr3f7AeL3WV{j&N7PWD*4gX=Kiwe7>VWoGF zpxxOk7tO&Ck5(=oVEZyiiZ|38VO=O%`hqK5ZL9K6z0s-~>R{$!Mz*=azKxVC#C)S| z`R^gi-yrgN5&JYdnH^dHlO4t=i0Ucm{|UL4XoWnjbm-Zqrx!Vf3*JguEo#3n)7$=; zanHu_@?e0bJA-Mu82CLSSz1GDEvf#UU#2X= zlM_fTOG{vrdrm2X3kyg!ys+#7m!l)H$;$eZWlg6++**7Az+i0+sfn{#u0_x5rDB>S zzW=v;uwviu%IMX63_&YVAkhV^aq3Q&d?DcQ8w8QOc`ju^|JHtC@K}hsr*A%riwsID zbErj}CO|-H?7fIL*VlPo9$c!S&QR@Rk?o&3oAT9o=o6Yk3M9scj95=Vl=dYTfiUOdOGu^Vuq|q1h+bV{*07eSUKOyWFcwZR zwhAF`moGNW(kJ&G6~2g{(-&`S2j~M5c4Ph3)^t{c@D44x> zFNT$CNrJ@^su)=&59TB&1BE^tcIB7-zXtICbNOc+Cd1#=_+o#Txcpv&G2Q)t20t$j zud{PGvF*f%gNmITmefi1;)@hXh++k2G|)ob2P;ORNWMTx&IMnF3NHCj=sg#m%`)%w z>5xx?C~{>E2*2W7sXU#(U58jc@!(Svr5J;5715ON3IdQL9Z{f!T4Dgtt3L63CU>N+ zjp{`Zk*R~pXf#-_xkn3yAuhb!3b*O<(f?~=QY`Bt_= zAhVG_tlZmiFTwMo6#L81O)qu{;K+%g-a}R|f6q3-)s@x+;N7gI*`J?jn^9M|^ghjHu z|B5O|G?7$SDGcis6m7U2X@y&mSUM@fWb%&@WDwycCX*XfQ-e){NCMwF;GbUm<=xFM znk=bc{s7tmP=k=R2DkZ?L=t4=qEp6*`LD?&G%&W*@T$U~Wo6^2Bc{xax#2ckOm?6X 
z3!^>6*x!MUKUf@~NBN}7uwLGxbZTE=Nlz}S==K2F>gWCzfv~T0KW_wq=mZ-(5 zv!)FoHAy}`6z-s-(UYGld0#S^>%Fr`Z(2U4XOG?2&2@j1@-oWVXE-SoeQ-R4& zikR!c(z9&ZI+zPggOn`{xIU*gG-mspUs9XvbNo)OX#O8a!NlOZ@#q_$wcH7CwSn86 z?F+ax?SoIlX!KLj(st*^q-LCu?|J+}_^3Y%^k@CeJ4IFLbc;$8%sVRN8;9 zRMM{3IO(ZfUmI*i>e*?yne?x7aVkrxa~xm?^>oME4f1dEpGFgB{Z`oy{e*ih=w3;0 z4K+ryyYQpvcj2S7W_3g0$IdgXdVjaKoF71HzM6(m`qL2}B^%#9pRyk=VTs>&i(pl% z0+sCH2ln2nKHytad=}sldXgO2K(Ay1`(sJEq{cm9Z8U3yG z_llN4p)R`SF`T1&B7(RB{&?>bk1-|^T|PrFD+~f0*jLYLQc*aFbDvc*V{;YCgU1ke z=E0PnWa^#jg^Z-?(`mgDFRPGG7r4ADaA~$g@^g&?m0>1a#IV2TZvO%Bp*nFks(vG~ zM!iQ^OUDDr8-$1&NXo&)qG+LFL6vaF?; zOQp{OOV)TWRu^CfJZx$A24c9ZDHIyyZa)?U%s4_`Q?YND{1!^1$w;l)vY1V{UG_fYWaMV-w9)wUVr( zGo!%we7vffs?XGE_NO87CVVufMO%etheDsXBcv}R`jb04k#tHF*gQh!W{Yf1&;z6t zI#Y0ze4a2#$3nOc^WnZE(Fuo6N1=#5y1$8h12eK;<5*pxc~uW!#cB|kb+0nq2u}~h zh@?$}l44nkQC1GFiBp!BOAc~H`ZEwSPIhOwb(Sid#;G*rTyGxL@`^c6P;U=;F->B~ z=iqMM(YF;C1)3_RXvMLh4NiS27j_1YUKwjlE|0VtRxt90%-qPJltD^*7^o=Ja-CGa z6#z4+yE?HTdaeL48kP3`Yh+NT!dN4EaR6qi7=zWAfNUsuapoorl$c}l6M%eJFf25_ z78JL7r3sGrY3({ss7!=Nde}!$0LB73ABc(uR*0sZL6~rFUnt@yc20?&kdKL$poLT@ zD`m!B2xX#u9!7;5#fj#njn)YB32_F#qtOlVNj$)m7;yj?A)EqI0>Orm{D>^edJB2; zEazPOpjX#sKc?YguK;4y8j0U*6av#tMWiI0Z9ZV!7lK`xK4@_^QPpI(;V9*3y9a{wmRAgBG^%$CE(UxfTcVK6h=p`OLk)|IIc4~c zF8{&W3M{;Iw8c8MI`PrP-Xg$SX$CeN^*kErW9@xc9GNth7NU84qyoQW(Z?rR0ZZRN zL_FExZPXMXzYk|!af%esq4*gH@JhqD_(ulKPm&1;X>F5<<+gQjkpdzTL6tcUR|!Ts4KtujJvB^#uKMur@9{o)%U>dxgPhdKnm z^u<)Y&%Nwaain-gQ#5<(2WQE%w`7aaRiF3gnqnKMr(iweztx8~C|Fz~bTBx6TtlEd zQ0UG7_O8de3U<;Z!YC1b^UOr%!vp=z{09U?Y;Vu#?*W{bpTQ{NAqD)0)XI`94duew zRdd0NabV?~G41ereq+xRt%FG#i_Oj~O2UoA+t=j(gm?9<`(*xlRKC-*?UkN(FZ-rv z-6}u+U+^;_%VBN$@n#bC0R(XW;0d@M846RAdUdNKx^E>!wji7vkzhWBj=Dyyf{$%5 zBr^G_JHxKBWu&IGsDc5r_LxncTAx^D2HCXN{f{m;~p z+coSxyjti(<`jLyPvDdB2N zP|_JqMO<;fH&i$dnpg>o1%S*VKHBzfImf5b>EG(jpMi|#Su`>A!lA5+zoLl*CcdZ$NlC~n1mI$q#efwLFqF|`+{BQScn`0^I{7{@wenobVWPD|up}Euolu~$5$j_)Pel=++$}3! 
z`b@&QtCdm@FC@X)YJ4eD!K%a(&!2P_|DTf5NwUK==*UjmqAjW5q`72 zmPScFdf0!!?ETQl-Q2t|K+<`Ejm(nQ7b}BRCp#v@3032i0+O@KDqK9Q^b$_w#MnW| z;egF39$8!V7mBb{tzTxW+0HinHkeqh@9Ux$F7@9xtq@%yzi$|vBKh(c46|1{9DUpo z+5U##1`yfy{&Y8Qg@F+5q92cJn}1;D)r%bZk~y=?LilWVaG^=n*MF-243NJI z{jxXiZAs2f2S_;Z{eXz;Kx1Fzw5bt zI{tS7LYprW?N$)jIzlo3hZ9@w=WAhiBaK%7n-$=83MdiFE}IqOq>{!fR7QjXr75VJ zNcp!y!lGxaz)*FVwTHQ`e@(UpI2YOTm(fMEm1DhMhXto4Ai3zRjG~@3k6I;5%4ia$ zESf@z0$=r)4p*0pmp6YHk0?JcJwWre1I{G5h%0t-7*QN2kFtk}w zhTz%}m5e$z3PV`arjAHUba#*bkb!Nr4o;2AT&4o>DToYCn04uzKG|fwAkz7hsW5k~ z?PhmeeztXLYs~uXMZ#B)`*2y&gNmEAD07khwnPTqu4fE7mgwUfcXHWF{ib;~HhE-T z;XJoC$HEP9_|L!Je*fn%0)`oxv^w~|yBIR0WLa$7|MNdi?`&r4(v$wzdYBPz{5H5( ztm&C}f`DX#w0VoI93%b?_?!qSx_)SaogGe0u# zB#9=9Y)@{Ho3QkNh7ylz_qiVI=JT%ZL?E)(bO4Xs-Ax5V_NmZKR!X zdyRv@Fcxb=6y6vhCRvgo>5aH)*B`;po!#U-r#9o5YdWS@Z)u~=*x~am{QpqW+gxUh ziMsCY0%-SV>y5i8b-ePOP)5U{c8^&QfI4x1JYXuuS4X0p=pmL|KR$g2 zd+jpc@I){e5h^8-bcIN@kky6+mvcY{-NI~Rk~rgXK(q!prGIYzUQ4NUNTu@TI0Wxg z6U#V@o^~K-CISdMf)eP5sYH`tl(-N~#e!-aQJYA09`kVvZ?PYX7;exgST)X)!!dYE zJH*1WGr6eHb8g5geb|O$Wrh61oz$r$_l{^~q}2~ON$q_0!$j*PJ9g9-ws>b>OK!;I zUz3*o0-LpjHsL5(7R@^PXfN=vH4vpRL=XO3NXS(>NJI7#qkjaSC9-~g>_ko8qtE`| z+aj1hxs9EQ|B++@-b{r{2Mp**nUnvIr?Fef9+6ZYIhFOd;?{1$68r?D7|03b_E^hg zN`&BEz72?CJQ5V;(FKFUIf3y+i^tcxSam}s>r`Y63Q`as8SwMJOSy(itKB!!> zskGf*@GtlIDy!~FKxkD9$59(Z zdSV`D$Dpx-?736Mqk&-@YZpn^%71g`lej0D##Az2P`hCTHh3Z3IOv17rcjD@`)}P> zNi}Ze`GoCbuUS{NcLl&>wT?CrDj!57*kSTq)yiI2EZw{Iez@j(2HX^=sSX;~%#& z>80|D*f>W1A7#uT2mu_hdix~vGihr<*I26@hMi9$2@ zCb`a%v{n^5Bu@Z^DJ@u0SYAal*cD1xU41Mo%=4T-VrEOsPR zYQpZkZb9E4CwqX;j}w7CBY!naztgg2{Z{T9aiw!ECnPQ8p~z5*LWfw?cz`Cf6H{C< zPz7u1b}h31gdP%qY`5Dp&yibdb+WXn$CDZom!LAp3|W>LokaVt^r0I?g4H0Ptd*%- zya5Xp>d*(a_6kC~*+yatm&&CCPMcLui%PKA#xk;)3FT7g_8CThaq+P?|LooMPxL6DZf^;` zzYyoCQIVFfpa(QZ{$Kb&w2qoK_DY(By$=T-glahrclXz_+Im}66(DKq-0ROhj+;IG z+|Tq4Mi+)6p=ljZ!?C}Hn~F3?Z}ZA{mF=9a z_ez)BLzvUM%9IL?hecO?X;?|rIqoVE$>Z%bKr{6GRM@*dc;V)}uX8PtJ@;Co`pf>w zhV7Owz*y>?OYo{C8gS4P;*22F+OqGNfFf5N<^8CSSW^;|>4cNZG)LvBx71|4zv_Mk 
zg@KP%_W>$f>yk*1(lrCyxeg@MRnTK(%wq6Yok=pq)71a_pHkyz?s)A;LcA^ZdQ3@yJG5}X^V{OxK(t-EhqGasbI z0Wk`MLUH#$&tkl+>|Q0{<<{Zp7f2p>vl$1-LqY6geshE5r&98^j`cHI<~bhbTg2{@ z$Nux|uK5?_zrq(!r?Y{DN#?TnN*1!7O8&LvO&2u%e*iklWf&In9g}Y`ARtkc}Az01bVX?vUcPcIm`k@J(5p z?iNA~dA+uaE<>EwoJMt(A*{YF_Ue>Sq@f%A;E%ta+jmJVkGKwnCZhGzzk0c(PlTQm z4nS5I28s?Afcuo|O^^0+(ee?3ypBeT1+>V7v?sMd3ifHI)ll|%^ZK?($6Z6X-lw-0 zMO=-V@5p-z8xUjcy>9O|-qrr){_nJTN1C-N)DWw?6FTF1Wlh<|mLk?TgBGEA^y2|} z!#J0p*iH^d)4;Z>2Rp{+JdUT6B}7C_YRhS1da@`Mr{eT9oYti>-yF+qUSz!tYXMDy z(uFUn%P6fQ`GJWFfReRnnMf?~z%&#|P?X`x6xGZcV-khO6D1G_43u52?qd}D6Bnl- z__PDgu=^}N4NMt&8L*W*0#s(*{VYjUY0NqWFW`2Dbdm_}EaBCuk-aTgP4TF;GhMp9 zCX2}ZykHImR5YtL)`Zckhp<2OSW*||5q1ngLu1u5l_0k&>zhNmALh(_`0Y{@N!m>m{L0kax&Lki$yakJkT`DgT zQoBJQrZ5yNANX(0Me6%8MsdPY_$i+8@P~f$;r6!46g)ghvze|se*XMN^XRz?Wt`^8 zzlQM$hiFX#U^60NS);zE^ycCfTHd35oaC3Py2~P0#Yv7_cq3ez6w3&Wi$*3NWV`oB z8M(yT*j!#;TN*MwwYM*&U!P(`y%0unO`6#jz4$=W&m^rWHq?^$p1ti;&DxM1!~+hvy9#_VezmEy03% zT_eXt>WXxssJST*<<2P3UsaooS<5~>#ozy70pFIfyz)^B!jK0kXLo`s!iPWw5yT-Z z*Gk|8@a^9n2WId^b@GqO>snCCEO+ zo}4_E1N=X~F7{AWF?VDg@~HlGaX5!BQaYjvBfB|<-4O>>dtkgdo`JxjauT92sBK^1 zekJfQdf|F-|Kvr+X?*CNuao$-b#}ETAbpZj!+kl1SnW>?YJ-0%za!ew>7VSJs3(^! zc$A1LxJ6|Ip9_h;^Yeww{eu2)d#ptEvA_Wi1SE+5zb^nV8xk0BU^5CA7ch7}uUURw zvm$pjC_s^Hb6AI;3K8y~omW!y*Xx$-7k=A2%T`m}(&b>fF9}1612mZuii%lsB_zTT zkSL`TuuKmliIOO^->S+k)U|R{q9dTrrBIo}Lhf{KPAIh`37i)eFgO89G>bAs39E-901((0(W}bYiF^kQ553j4SVo5+&QjbL z4?9`c@c4rr2&IDN-FPXCsb9|$9M+ZBg9a-Cfc+1a}Dz3GVI^ zTsQ7cf=htl?hxDw1PBsbx^Z{c$9L{{cf23Z&K>tx*XXfpSM{p3Yu8$H&ei^}*LR?N zv6m~j%2?aod>XfTW#>%{^MbRX&xS)kekE_wecs7>fU|%zCF3R;V*0mwK;1n-&f7-n z^>`W*+gTGye_A?^@KVn%CjzQP7>D>qY49v{G5ll6!TP7vlDQnPkM!TRK~t^q zc(jn$RZi&Q?2r5_qOf~;gm%smzJ}WL{Oe~~s&`O~watAdo4cYa>L$30B1-;vr96^! 
z^sZUcOxL4tF28%N)^EtX7e_qadFH=?#6t2 zyzL{=^b0SaN!!-VeQ8~mtZa#KgC}{?a_&>DXr-$T83ldCBZQWqqlF&Z{1W4$yW;~* zOgH`ZqqRCE75uuaiCo>7)mRVu(Vi}&%yy`}!1u?e@vN2-3KP%(Q)4{C^cMCeqDpI| z&<5oc3C92_bf1d89HdfWl68;&ZDheA9Lft6-x0 z$u`r8wxA~jlRB~ty>-<@doRZT?>sSudTaeaW>X3hgVjy5P|u;`E>WPpTe3SRH57}> zeNK%T55-1yKuA(F$I;73J?e_BS$nO{eM9{(2jmW>cTF``1_5hMD||#;fzZD2b3HUj<=(@V-n$6BXZ~bt7zDGu` z5%^;Dgp3savq!r> zSsSjlON@|U1uB43x{u@&;WjG6TOV?-xDJf|q1S?2b=T6OgKAH11ng5)dkqQ9$9ZyH zGq?ZQ*lbYDbmvW6ep5YkSHJvpO~($xf!;dX^_jJ8*~Mxp*&+X1Hh&jM=R}g>7;rPP zV`ssn(-B7M?T)~$S}J4pSpk{9{})cLiT~KpDpIN}7qb$uV9=5?UZMB8%s0DR_(gex z9i&G)MfXpflLS)?jpL?SufnYJ-?Lu&@85RwX_qLhW>qS3RIBmNWaEDR^l?o+nKfr6 zS9d~n2g1w26h|1tq`70dH=%w49Hq*PMMN_U0@Sb>@cv9hI z#A(9NinQmCjx zf~nlTc7?oP9VY@2lWt@O zWCP1Q*?CxSh?zSjDN6z?g&JSGsqrL?M&5X%X1|UfyITQ7j>tsp+>aS+9?4*d;_u!B0S=N=j z+b&+q8Q8*$v*sVrZn{OtkM(A_$MU|l4<2AgE?x-3^CIlv)7nkLz1gzup?_?&QR$hPD;6ygcX`9u}Bijy92Ok>)c^FOI(43RA)#~#4(ymMxY z(DpR{ZD2n~3-n7a#O|AdUyVw*&-cDvX2pMY7Z^tHpDW`Xk`NP|t&InBS3^Zc=f{b_g22YQvs9#c5i1HNuo>=y!)AfYW+qQR z?n)u#>dBE|dEEv0kV25A;^#EgF{3GbXI|{tJU2@-)pp^eZsdr3+NsvJg?v$@lQ$n_ zPeUTeXSR5mq-wT-CJann8Xi5spT(ffJCyGFCAi4#D2YocErwCgTH~oF3NqCZcfM!} zyy_O%n&EEjC^6Dko47{~k1v3Lx67MxF)=E`IhnVPa&5yep$V&L`{Zpt8D3eBxX#&v+5oJ%Tip~_GUu6d&4JGc4@c{y^1D&r zCXM^@95I8~TgRDBW0ur!c3znOs%1$UBWtL?o<0I+jllm%*C1WyN;fKLM#4ceHO^^s zK*Nnp5n(kV>Ds{pL^zJgu=%~P;l7#%8Y*wXR-03G6Pb%?&DF<<##iyen%&_ah@kPX zJpVvd`B9*lPstEvtL%D9Z2LiGuN>*`#oK!Lzeyc3Oui`9z9H;U5ZZZ#_^N-0pIvu2 z^zwr8%3}u8-LQ*AnQfb`$kEA@ZAT_lb@UEIroPJhhWd8k2_W`ry(3mh!)H z^DPI0db#fbt|e9~hAwU6is4sSAOb#m*kXk7T)bc%kC1pOP|RWzFwN$!XLr6LZDS&sTkRK!tC5M!GZk(ZcC$7!7Btk{Rx|I$7w@Y88?l{RuzQ{b*s ztpj&1wt_9=Hqa1Qg{fN)xg=iu%lvz}Y+tq$84b!%}U{mP18MV8tK=Y~!|jQtrk*c}-%=b?7E7$!}PPUCX`OCC%16_FruOJyO@ zs?%QarrjZvHh_M%vuTH5!{32wx>3rC|Ij_DcybrruUUtJ@gtanHULY&Tx zLJN5G1792e$A+nxc3h3z%q!6E4YbB|Gxm2Gp!Hm1hDAC|Bd-ktbh^Fmdq!c>yf+oq z9;NZ;85c&n04Y3W`qKwkqE=^8_)N5P6<$=7bVdhMtj5cxU4(Souc%n*KLX(~VYoS4 z>jU8d=*H@~JCar#QW!~+(D|3v`4{LEa+J1yX4?`uD5w&-R7!h-^j;TK_;iZTu*3ku 
zdpWY89=<^*JlX_bG@ves>&Q*2?IYK-q&L@>wY&~&)O zk(c-CsftK)M|{p&I7q)Sy3=1H*SebjaemfIB6tmX?i-U_X}C5p|K^A)RB>+-Y@r5 zVt1Kc8_$^*l=c1$kpXeqbX2s;6fyjYyi_RA*&7aNb@;IEttU@7Nwc@XsDbLlUE!%U)wm?I z;Wa^<-z)j^Ch9=;jmrdNm9Bq2L&XK&5qp%#uuX(CxE4V1-a&+@k>4cz9i8v!Z|{50 z71_8WsBU?rFvY>Q% zrb199lR3GE-X6ItN~3K2gcG2uvopFjcvq`K=HVWpIG*(HDfCW+*Ff9YfvU6y?)09? z5^6!QF=Dg%%*J!FWTgmbn#Gc`G}P8NIIa~Ww_Bz9oBs$yL|3uLX0D~)(t zgi=NEuM3V#!21KaT$2$0McA*LNq%f1$YD?YOcwK-#X=DTeUA$_oK*|{{5K)vu}DfC zvv|y1IJU!zU00k+PS4?AZZF`?$&>;A5947 zsHf*CDbF&^Vp;s#XL!Exi_&`&BnfsEkj|-hkY}m1&`u4ZqN4MH-BrR$A4zeg-sB?s zJ%!OGgIyp$j-HX`qe zdZ*$=D4t1pE>J?HuVI7ua<;g4ySa}v&XB^hgkn!f0An8N=mUa|e3{*$A8QWYaHo`F zv5(_`ed#}cxjJ|Zo_(|_#4L>>+zc>MU0~gN&N)MZ3sKN)f?05c2b7B_OI*Nar)do{ zzCq%!<9Uzj9Acj3<{9;wjmGwa5~qf|xNH&^$wyDL#Rs-$O#rjAj!&9OAM%7jJN~4O zsiHLjz@Tb{0*thtr+!zQEk_nF0jElkRYd|3M? za^RCUIdi-er_2J`oYMoG%U&e(ZYTDWh#9Os4rvhvA6Yz~<>rh(IUDK%(RT~4Td@5( zU@wMxxAm6rd~al-bd&M-ay9zQe56chU1nY1kGv4|){CCAUXWATMlYfGJ>!AG)=Bm- zW)G?HM_i@%3Num0;YyJgk0>ge`_olg5E{Q~$8{k9^a)E3%3{}wVhZ0mf`{aSl`$hh zAMr@~$_pAee9!Br*+>$9s~k?*DzNAPrOc$!`^r`~f05kX2dcYqU)Qk$*m??WbQpbc zA0F$diE2d={ckpCH?AEmLOtd}Vf)LPPX&`_@=sJ^CL8-+v67X7jUO;9(h;HCj~#ns z?8h2)yt3i_$`DgXq$o;qnmb<5BjGHF1XObSP0gfdqY6bQCbX7>;X<>L=Mk(d8xnZAm!0Oa zvV8naxrBT-TML``hJLvwCdJ2L!?;(2g-JR>8M)b#=*=_ZpunaR<#}+7)?7iF_jT@{ z;~n(bE8O8)BU|y8G!IfuG#JE$Gr8AlvGBL)J@q58AYpGRT@~j?yv93V1!*~QNr5D5 z-`ql$DEA{j?8C!CUk@a-Z0$O5yOA(rYOYY{r#fnJ!BBKolcHz8Y6LY2Z9JTXKvo>9 z$L6qU2p&xL7a~aIQLx-A;^7p4c=}g1dsZ!x-Mno7&*kls?TuNR8P93-MkFU0v*S=V zX@p@;OYh-9fYP1oV#x&X(6;Lp)bWO2cl?Rt6ZD4m2|K6$%B@3`;! 
zR*>F95p@8KUFLRo^+AAX$Y`nyuWfVf-1%W+VpyZT`MSE8O$x%J5+mAzEsNX@F%gK> z2_Bc~qhW`FpzfL(J#wBW=0nd1z&A@xg%LYE(gsJqnM%lE{fMvlq z;%m6wKu0k^i%JG0NFoh+P!nxfLT74mt;5p{i^(usmkp(r}70)x3N!;nkh829&MLa*3OPf+A5&)iC+ z)R4t?$~4s$lQ>;Ey=PM_L>-+RLu<7kK8~63!@5?ZN97?%1m$jRs#oNRf7;~gL#!y0 zwq+e8Jgwo7N6LEdV;7CHkw!LNKw0!IyQX}=HP!*URVc*A@k0aZ8A43}=y{bM+~I1W zca0$vhRXyfYf9-hZThf_%elbn*Wu(UiyS!!s(HTC5;`ef;v=q z>Z`2u{8-yt{lfMfK{ZMFkEu%y4!=v5h5I|p^hICF=DwNyBB zV;m0t^`20|5E$!8d$WPkP*GJ$%v=_k6^HBP*`{H7+ zlHnwoMujSwR%iME`gsTx4={(Muby8&_bw>J6zaSQ&0y zZU0&a*3K(O1(!_ox~0B&GHG#H`6;NN`sHw;x4m|iRdMBe zn*G=!mO{)F3UM&A(gpRHyRN^>qA$S;nxb2_)32s`(_KD zersW4AA{lS+d-ycE5#BUPPK&zA8usgR1_f)E2w{4BG7Js5DpHjv50U?o~aCp<{m(6 zl>BzvcC7*adx{dM$f0Y|^`O^;vypK?IYmgu)K3OGPY4vzZ**+JKnx%ivrNdDy0 z-szq_V46a=11^WZ_WyV}X31HMZ*LLxsbm7a#+R~T{8X}fDRBV!>Hj;@+W15PP=zy5#1EteLaMN9+<@w1J zJ@NhRS@r(xA)iizVEpo!6K+=GF3q?+^rc`MBA8htjtCG>yqQXMwCZWeW1XR#9@tG@ zKjH3XBw!EBHvNn+_Ziv#_MKt_Y3E@5n!1gCVVNqP?r`GgFbDdj+7OVagXq^V&^1L3 z9LJV*wFI9HHsD)Jd-9;2{-ppDZbWR{cd1=$>bUv-`}5Il->1Xe$9?j42#=egq)ub6 zT83bjpbylB&~_hizPhnhc(m2#r}W&#CL7vD!#iMI)ub!aOo>Z?l$@TB)c>_+X~lDyc(M~;Vj$FhS_o#C_$@M)6% z6`Y%y6NrrrtBd~0tfPPVs=Y6#ZX}b*uapQ+x$S-K9hK7B=LqN`_S`VH#ZN8EelEMC zsl5xo^Q&$uKdQLFP9w9fTLEJnEgVa?oC|_Q-UwIG@AAGO;8n|uZZeRuP=3$DtVH@1J-MDXlHYdujgc>*O-`u1t)&`lz{mOR^*HOqt#UCzu; z8#$QFD>e9C5jqqf+y~;7dTTN&HTDPCN*cC^3fmv1`E^!_OE(r0px38;>e#7F=nxE_(BCTJ8bc*@YGhf3 zO!f#&33;sWZegF&t66d$+aA=9@JgfRiIo1p62Lph`>BI|A!YQy=(LdpPP3ToKHm#D zB0mkQtpQeDmb5=Ht{3E%B6y>}Ds~VU-4AqtZ=IlTFRcBdH27rqY>cB+9&ZWn_M}}y zBTs9Cb=VhsBm7je6~=ECpMK{s>^pAfPbiMsPtTv|2ynE4?dF`Gkj`&6S}$#xr#6S+ zy0+aut)NDE$Ybzgwfscn?+Z9c3?h8}P-3G3i3WnwPC@!i|u{IIY#B%D8dSI3Lv0e(4bAODt4 zS$9=oCPQCwSRbLmZ~x-9+~14b7O)beogch`U6@Qo_quO%FI5X8$JdLFkwxwThUFKF zRR9_VppzG??&gB#QA=Ut_lw#;LfY$7ef?8k2b-Lx z#*TOvpTLLh4$#;v1yr38UFHYEFDDWaP%o6f#;)ZhG%jinFah-l2>4<6evB<6DFlaZ(bBftj`y72?UYqwI zi8pXPOwtUD7!bkm;ljZt*jBvU&1h_lmLLC@x;ixxU1yQ{0L5a9Hg z$YmTcs3voVar>DkDd>mIz0Qk6`R%#G8EbF)8`1;o1~Ps$b4EtZX2q}TF>g`h{LkgX 
z)DyOdm4CI=Hv_kA8$RQprz|`!!H0C(b2i9OHz1iov<=|BUg>+Q;0tIbpi3rD@)bLN z4P7>Fd@szsSB@gzmLjb!Y5JmA$p}FT|pB8$9*$6i8e<&FB? zQVQ`Djedj@+K81+a~W+(oE6uE&9PDVo_9jYfgwN5e}qySS+rn>x6XTpD0-hS8P@e^ zk(@`h!1o@N$=e}4JWGRCxi{oq|2-v7E=I50>aHuW3=Pa)NCNw~+I06|QPUA48&@U^$j-;w{j#GIzZ*)?rHJQL zSg6$aU+zxg*UPIWgIEgt8b-67mBug3_K^~A5Uq=>^`pAIpq^R_yWhT82<5?gR!5%s zEafB@3_@0`u#fd)D^>MB?E{}9I4~5_Y;Hnd@=sh2ZQNhQZn6DqL95=(3*FbI=nE?z8YEyL$+3V=U)FDcv=d7HK}ylVvcFRtSKIO)u`ndNRrRPM;9XaPrDE)>NnEAU^d?Jl9M7_=cr z9!=&)R7P2p*vv4S8ukPJ5vIys-M zhS%<6*BLVXBEv`{h6hi@`+Om^$b@!blTAFM*4(|Z%#qBXjJ@}*KTm-gtF&;30w1Ij zu))MJ)J1X(d)tNL5PZ%zJ|1IPZfOn*rg$i_Jsf$De__&sp@?HqwH(J6qMNG zbsJWKm08)zdw~eMk?GH_Ltj)Js$99KHds!rL_IiH0UzyfrciQldSN#h#-ed5G~12h zIS#(qWbrG}1nu820oZuH+0Rsq6r^(|QgWD7M@#6}$C802h^q$8JWVP_xfT^){0l`K7ayB^F(*Ig+&oZH!lW_N$7 z(?CNz0zx{+CS`C_0U)GNYsYN81Pv09%s^)S`dxav9xiT{i?`_uCvjqUj4&u_sGqlY z)zWndOJ!f*-}M;o3@oc+_*(y2&i07T#E}g(9l#xA~)#7{K7Ol!o<;AO< z&M9|2DPLjg_>e}E2_y6PJi~e>bgi3O_jYDzub+QOe&f9I-=5v0(s!qJdHr|JS`)rC z*nQAQil3iY{x!V}Cdy55yg$*ZVTf+c{3)26G^kn?b|ny-=EV`RD0*+c60{zgHpWr} z*lS#O@s>J`;Nbou?xXJDmZtK0cH7Q1P--TN`8(g#6-4KMMh!lDBYLeDL$z`(B-<06 z&rriFGSEmpD{-eac7bg`b&B&d2VsVAT1WfHmU-Y)drm+6zDiBPIwAwb<%dYCa=dU+ zNBrfQ+5gNQ-u30W1D}_ng-HfbcvO1Vu(W?36&G8D1oZAQO8tCmJilimTR1X9^k<(O zGP!oXsakW8VAp>gYcC_k3!Z7+KzI1oa#<5XE~Jz&CX_m*3DaAI@G# zw&t}M4>2)tu!c}TC zwj4Fd5U0?r-n>n$r3y>eNb5sxXqWhu)4fy&#OQ(Z{5o{h>lvviH}SliKf{`pDL$G^YMTi>}_<4XM)axZE;!Qq5HsSO13F+bM98#DYHn&U=qBXyui8 zmEIYFpehJ76nc|Z^jpWTNR9~bsFO#mYw)Ak8tmIAPQdiR+sd5%7i=RWb0yKiwGvZ^ zgPzzzB$OS?3!p}_@sn12xx>b4^&9$gKW77^uZC|VOQeC6OMk{4`|TUgTOUP zXhr5#;$l0O1ti`#KH7t&VBa(9N~9JOvdypP=J9vr=X+~NZ^M|-UK;?S!QF@ZOw`!B z35Hav1!9eWtf4XjVLvS% zA7{Jk(ad*0t^Wi6`};naIv~BdFZX5NA_}bR1P*v2VORW z25;2%29EIRyC#u&f;fPSuE(;CY25QaOOY+2$8c>bzjwfT?c#~AA*NJD6_lIKHOI;R zuWWqal2YRb zRu#H19~_+p_W-Y5y>ayHwB=m-Yp(7rNm#ToHy}9umITa0h4Z^oc5%#Id(& zmY={jp9nT6UOFgR^R5pV#pGK?;(WX_$-#*UCf^TbB#E>sE1E-;ENGyo5H|$-eqQSx zaz@WvtnHh~z-3K{jTIRF`>_=zo!60uZgB9Y4t9a}dj+%*bP3GlC}7|znAbVpzUez@ 
zp=H`-^Inmr2x-`D-)>Xc5}UdLUSKEXF>en;NvcVC@pNy$D+VqPsIrVo(WzBf#I$0|x(VWA1vRY=G_Q#cNQsj3wcNG=wU9~}x$;*fnYd;=kg_$ada8>h?8G@DAK+YAZ~e4oM-V>9LJ%q1u*@7z&mb7b z$JXFv6e#Mg5&9d*=EQv6TuGYh8Yb&pH0Baqg6j{Y7chVlYV{})HHmqX%ghj-&v7qf3#awl^p*30@$yk zrjDAPsTk^ShuW2$AS~OJHFA!J4sNGyW$&u@)|wN(5Ep&K!R1{9-;*<5YbSUAKd$k5 zRDWHBlB{*@RXo0V#>8;StS$^p>BKyz=nri93oSe3U#O06;`$ZnGcq76-y}@S4_LD} z_&<`l8(eCksTd=ih7X8-sst7B0Hek2V&6{S-i+M9vI;%J+;-u^M6$SPQY^$Jll58YST~d#WIY zw%@*Exz2!BcY3R2%x8Q)s3hu@xk~a`Vyt#rN~j7ZrKzZiV86o$+zkomfWtb@y~=4x zblY)9VG^et4A-!9{ix(n2D;K7P4udM-Tn{F7pxN%BPBMA@Qiw_8hb4~tfQiDvApy0 z;=@Gx-|3#WI!a(QOJ@JY_!#T6YX?vjPSit=44x{u1#}xjg4}6u&D@61{-zGu&_Wa2 ze|6Hqt$@3eL;4j>?Nsr>;$=l~>x%n6<+qP2=>gAdHEV z+0<&C;2s=W{Qsh6{BOYj%`6oBUhxuJzNCpP1Y+z(d`@u1ZIE@X^dB0fg~q0hW%bl% z^BircZfFZ8P*x=!>vGabnCQ?RHruU9y9G+#cN{qBIF9gW`n$Gv^+v6PyoSJv*E*#3 zA^S=lwa=fM-*3Z;ON-G;ZApit-{H>21I+JF!`*1UAX>Ix7RV?zff|TRa~3AAWnUvJ z!3mDc#zG?^8FKYDX`RTYw~0{Buk1gH?DsoxNybO=_hB(8gGl$A7bdOkz?1NS0LM4$ ziDP`tkhMQKloZxzBKDiyi;>Xi6NNKI~En{{hg_AxV6+BK7w$+nc zFQ^;!cn$70X0SUcSdCUFGLJcsIb&=Lteb-hf~x5z)$ttqo5~=HljIr=_fs5(tG^0B zx}OKaH!jKTFYOBaul@}Di_BvJ0*R~Gu#bl#5j_71LDp}agILdOd|Tz+l-=p5wo(+# z49%Wrgi%;4!ifz}AxANyM*IaFU8QPuQAY(;53|?r=8IxeisMMDLa8>8vw;YL4S7D6 z7;vFAYh1{1sKu$h^iw|Z{T@X>@{fkzYhM|#-rz7!?Lrscx zgCCz8)9!!QsUSxY;cLJykolBh0^2vU1`(w!=G3w{?_cZg<3%EBqrSP%JBVSuwk6m? 
z;+fAO>SDE9BOWV7<94HVYmj8WkoO_>f3Q2EHWi=9t2*kJyO!EQOKJKh@QbjkZ1nR@Z-vPcAV*V+fHOGpUG9SNPlVZkZ#}LDAu);@aNfQG!fap+gjQbvDP-qXE5{Q5PFZ!?wv0) zZy`}CSS585$Ba%5oq+b!bPX?wfc^Gh`{s7T=kEkXkyXn7D}*fIzd_=PgKZ;c2K=>H z6SkM9^pFM(eYW_zC_a3~No;E@_A-RzPZpHMs=sf@!`>tMf3aD{s0;$I+PhR%dhEuv zr`HF`2^+x%9#A)Gl+V#-9e06k4lbj>l37!7P#kBb3@Jw7xq$zhtA$TjlqemAWF1#V z1l-%QUz*-4ct`*@_rAkoect!cSn8GV=CU@cg4-3eQbzT`qXT zio03%=q}Nmj_OBxDm>`{i`14)OHrzMwWhGcsocHLqgPS)gLQBB$t}Q-K14S(q!4ji zOPbrG9+g~3aV+e`8E-$<`xH>i2Yw5uAABT*HlY<-+#MgGJ& zwCbxT#1-RZDvTRb;1(eRb3orPU7tXrJbf2gmy-zbm}=}DPlT4c%~D%5?z=esSgGOe z;~j@^+|}>RSzn&1zYP?|hmuH+Ftr|9Z@ONKM~wkd$Gw^m9g)Ccw@pV;mH_Gr$sK{G zuEq}U;(s(zaC8rX} z!4%W$p~M|(iAc`K96vAMh8seK@xl8uXACC3-Coi8lt1ZWJ+xMzKs3u7*;Nn9zq*G* zl45!Wfu*yKcxs!zm4aRgwh{}Q0Y(NX@uXV{W<7`%3IN6t|5cmTPG?zFYPYbmm;Cyzk z=#L&!vpBMt7xHCI@s7POKhI2ZL^;)v9pu1-7}Y)hu;pvJK>^q@2pwM;&Gz1-7@2CtH&fAObjCk&yNsiwaeb6`^#* zREly_0%CEcpTrs{Uw8bIYdb{iufTn)O`Hm(?Dr4_bH;hL7?sDd0oujLD$O>gz^>b@(iGGS{Mft z4L31{ zc=e#&o#zj{|3L>WjIc>4OMO>^g*WkbkqyJ2X|gfDzX;;>J=EmE z#fI>*loGBR_xP#Q7%llO^|sH|JomO#(4KO&v$$S`AaXg^)h%(Dq~~1np4jcAU0G}M z{>-&*BWPmcBqKs^>Z;&t0QKjFH2zs#oY%BHkk(wf=)hP#q#G#^>_tPB3G2zb@s12|RON z%Du5=cmqg=A5EG0`puEU|F~x2i&|r3G@1#O_Og4!y7VcZ+dBp82hwv`D+sJxUg-*0 zhne9xv$2BEMITV6@6Ac#_I|Emh6`j8pnm+KXzGm5O7k;aC`)e^6v@q_!M09 z6f~g4ZvyX6RbeR+3`_4OzLRN63%~wE@+x6(csSZ{$Ej7%6 z7?fwiLK|D6%(Fxo*=)V*MCHX_L0vGfjS1va8$IOa z8UI{Ua;_gG>(QgCabylCe>RlNN!j+nQ^oa+;=^Acm(VMnK#ySZIh&^<0S%li!Sw9m zx8*rX2=LK}wL$B4)n1S*@7heN^LZ~fE$Q^xFzG*FfVD+2fQJ<`1e4Xa4D(nxI{1U` z1phZri?@5?Im#!VEII!;-ibV&82K48e8omriD4@58y5;hs71g9Tpk;mVF1sDIz2kW z8uFtmB%7Bqqk~79F*b%rJE*ADp|B8ZVD@i{nVPJPL4YU`O^j4;pP{(w{ZbF?;w#$u zA$QqX0F3S%WRu&lEcQcxYuHV-hjuL5l^hWK^^;O5=xNeRyfP(^Q_@xc8osxq*Bz#ktk3BZ{_DQs5z z*p4?=r3g;nK=SHqJ|{GQ&GEus{YG5oH6>m>9L=OIO@bbVRefucyGg(WXHF^*-1!FA zu=Ql#RDYsyKLN3R^0kQMi!j+1IFvxPlfd3zgliQ+kppJXCxJsEB+qgFkDjbZ$+hs2 zHoa&fw-TOVkNhpHD*Cx!*Lp?Xh)-)032ZA1`6?RZ#c8ffY_JNL=4)kMCsb)xUgdeP zc;edH3w8skZxZ^j5?cMI+vuVbr>y!_^~09uGJB6v!Rh~j5k%@P_1fSoCF9Y*lgQBa 
zVf-Y@6A58u9x_>)U#n#ZMQp=5coLN`Xs0j4u2OI$u52x!nKPcUe)AQHq`?cFlCK6oeVLSt9 znwKtx{i+Xa?f9?js{Mwpm0jtNq82?4uyj-rz;~FVu~Y4!vln=T{5HzwSJA7Kdn2vH z+y&vttiBz*&0GGhY`lO`J9TZjejSzJt5|2E?LYl_>cv~|BN7?a*ziA(~xx3W@XzK*Phh{u&QD@?YCB@+IafndIxP2>`hrq_y zJ}pm1e&Og{9F|HwU1Zg@`)K1lou3DyKSOl~YEZ}8#fC1J9=ip~1>Oc-+hA8h<&QZE z&i#zTS1!n&?T;XSdHk+FX#2y_XV(-1NRAW7Gesw2UfVB>W#TNN`Do&b$ZWR&f06$Q zx%GZ)GiyC=35J8?xioXk-8MZ#S0DW!5NI%|$sDKJ=Lvz;q&>N*Vn}_Qwm{6d76*F^ z)Q)j>huPxKW-#ljLn^`9b3m$R5^LZSQV4b*$*Su>8=Shi4t&GI z!`ywK=7G4-Y;gCrTrVm>IIB~dMLe!t8Z)i3^_@$DrL$7+%IGXkG^PV!m`V;sw1W(Y zW<&EI!I;daoHyd>;PgKgr$dd`zz_h&Xd8WBV3&r+Sd`8Fma@2#LDwp3HLbPnR!1h zIZe0mrdNnHp*o!r+`s4t1*`xNPiHt!N2s>2(Tj!t->#r6I-K8DGu5W3)AB+p^}b1D zj6!-mofABAG+UWJk@;4;)+rOiVM9@CWKUY&b4zaljT@JjSv6nM#v8JbynJ|UDm>~_ z$?8*Ftseiw$-x|sAz;y6E5^9F$nR(AVz&Py<()V5iEEB~TO9gVoGvgaLx^ZTryd8X zRp;?ulSu=4B>Vyw&kx*vJ?^fa<=r!D+gX5Nt&s_Q#UI_x{l8FhOfo^Fv+&Zq=VX6f zus`9R3c-+_K>H>lOe2}qZ|z{Y3L`tb!5<>#+q*Jl(b})1M+`eNSM+IsiQ|)GD;QsE zu6=Ov`~Uz(gAH9;s5F1z=&m5on*Z&C%K~K>lHY&GI1aa@Tq%hGB@?s_%lOEn9Ntcq z519EOD~*#zj8idRBG6e$_dFSP+L!J#n8Nik7Ivx5^nwzWVuQc)>-QjQaZEIm@GZQn z(L~d=FbPTrB4YF&Il3DzS;ji2J!P;jLPvr{Rse8IRp`be-s-S*a3}~4^n=i+3)H!x zFH2BygT8MuUEknH7UJCozW{aiAk{`1h;BA4>Ex-eh{Z8#`lDh3~?S`9|OvJ1sHW6 zAZ3s8DHCPOocL-m7}q87MfII@29424a)&4OS`p8%iHvJ0xuK)x`9mn}mZ#0@S^vKE z8KYro4_)L7nnbggz%Cr^uU$tM)(wKgBOcTxgrgrb7#g9TzHI{=`@rr75sFhqB zKfN$lyN#hh0PLx?F+86rKA{JkTu?a_5LvYPQnOFTA8^a&QIn*0&F)Gzx|f%X-tU4}H`$O+wv8T{wiI(cRTAjU-3@$RfD&?ZED%N>UBcFG=Pg?RhLYU= z58B>3s*NVz8;4S)LMg?)MT-}A(x=6>xCANg?z(jxiaU9V7EQ4PPtg=FUfc=p0fK}# z&-?uDJ?H*$&$+*I&pRiZv&rtvXLojHXXY!PFRxr1dEeOWn)+dLxciN6-N?7PhqZo; zKlw?nE-N%%-Oc51coewm!Di`Aws z$wt?PDnc5mftM|@<2Zapeidm*o|>O70o`Q2(COtKVTgROLQ;XUiy@_P}-n-)X?gCXyE4?gXzsB|@q zevlNYDOi3RW?NI_LVfLqAPkrY`Jg<{q^#jB^;I0n$>9CwFY1Cv#XtVIuD2JQh{bPi zM{`pTasTpO3!D9VbK#*AvK&!Oz7_ybl4eViuKzx!jOhY2e?USgFSZt+?#$oaD7Cg! 
z77BJ&sW#m%zgWI9O_7z9{`k$^;hVhWIrADE%Xxh|Ei|8=wngrsaL3#54L|Kl)vNGX z5MdRD)bm3sghc%)Ui5Q%4>=!WDs{xQ|IF{-7h@iKEQFtTJSL6>)@Fe_vY4m94<8D1 zM};jNc5hSKc`9;cjjQUJFAg%6ck{5sOA`@;%sWB+#Wor?&R)+iog#0Z^Bl-N80isX z`2?JRs;Nqo^=yQ)PW_B=JwjK3?z6+5p#||AmV8{Gaf<$zKbP3$L)MI{8i>7>9fTY? z<%2Jev)Ac$ZasuvKmKRQO$Kg5C^ z-#`CxskDYT)@g`2xJTtpL{!UdNGJ8?i&6%UJ$-d5PnFy`6aO&RgTZ#-b?uLy)bIxm z@wMl#**oq>3&wDF5LwVcFmlydU5;btI?esh8^xz{|qXElE z5Yw~#+CLpWSe2cCqEmxdOHS4GbG<>;XNLNQQ(4=LMrO~o>{8NxoEsu&FtZ>c_;#`5 z-`{fFUVTfAT|>KOP>PGz0F;VdEke*{>~Z`_r%GB6-=n<^fWZMQh99zxhFw z%6}o32RNBs_VE{vpkK|eiw`l9MqiBOU?^w$VWQO0Y3qfDq)BPC;nF4funohDrS^+* zkgY*>dEf@q9GcFs#%$#o)XT|{lX_+JX{bit+nEAfZ``7a=BAljMUxpT%cN8EZ_6EK zw~=07GkjRTaL~4NX4Ph;w2_+flJ+~+(dS@Mn?#x8OM-d6D z7FpS%v%b;dy);11c>RXvPv|xNTpY_gh##Hno!o@Z=Z%N?$ni}&9ZAVx-avKA)H;=U z+n!Ow>x9+4*E))VUXPi+J#5hYp=ceF_YQn6*03jN{4BSw)kvnx1zE529HyPKZA#6k0Vlhb~JbiYJXNd>m$J?`#1*##mw$RN;i3gm6Msp&b-SFz*Jd87Ly6q6k82nXNFOa& zi;By|+^EOBikC?;E&ILQG^s}W2sZ@%P>+9-lxd}SPc?VTj;QR#ON#7;&Yv4d9h_^G z?J$;f?x=HFG6GiPlVNkxcpBu?OKuMClv1AlTal@H&w*q8U8;bs-UmJJ zJ&&J@hs+HI5}n%F=C+R-s0iSO{T~#IDgDSlr+BhtC#QcR#~Dt4>8wo>hepyr6c~Ic zkSEat#Obj|N7^BMex586=7ms(kDY%g2$U2}$^E`Asu8R@x5XdbYl}SY<80H+&*YK+ z!$Qdev{IN*E7+iOJrQTfpU3?V%-v~lA=zN`2WRM?i#H)_P}#RfRfAW*GFKsYw8kk% zV2tNSOT};W917ZwAB_t%6JU>LKk%D7phXA)db^)q_lHjNByo2BB<h9b{On$xZ`|jQ6!-C2lYKz2fBga{Ec^cZ<1$koMR$n`33Z43J)V%J_?0|~gGB4vVX}Svwp*zs zpnCWjs12?G=FrL8%#bUw&*dIuZB=(9a}rQj`~1uITNoZ5vB5vY1jkKdPx!gq{+ey2 zG!B$HPMu7*1;3N4_9dPjrxopbm`A-h`(QWp5w;gfAXq^d?@D-?&^{5;uk=*> zsabxrkai(vvWu?EOJ<}F{<^|}qM6DHU?E}9K(?fb#V$)bRO0X70EzRb2*Q!Ig=eb# zdTS1YgLe_f3bFn9FTJIq&zg&58i}q`DASk>{lazHqdWU*H1;e?OPyflBdG7q?r6wY zuZDHIfUXCRP#1jBq!Qr0zkmOJoy#t44M#Mh9}-`GiCAtsks7ze$cWq-vRV4Ae^w-x z6L~NEX3jp7fLBGG-!mdP`Z8RK0eh?VjhX?_0m_c$Qf|B=wU4pg{+OGuAh1*a=+?i$Z{yb?fBL zz#EF@#23qsQXPpe+rK>8|8P5bJve?eq%08r~Mk2ubbZ_@7UOnqcehzaK}5 z_6_tXezuv;d7LZI#)t_rdIqkcH>Oosy^eX88DnE*t&*wb8OC>809bP5r*tq|&04 zL64JNQ4hRq{?3#0R6fT;l6?WhR|5m*$QEhta)EU3>rrxxi^VzG<#+7-{r1hvnqWs+ 
zDG$zaVmA`v=5&I9>jz6`WD!Kx;gq`ZYgxVu9@EkTTh>18i!)a^$L-IDp$x7hfkW6I z867KTtj=88xtrh#*uxX?XWwkze1y>7{TA|UF6FVEMmG6A5XrZ}_dXi|+{d=WET>r# z4VY4bT*!$*ro<@ELTt@91I?TeoGWf@<&HjW;Pi=GoMQ6#7gK{LM3>8t_K410@0__s zaYOSeepo$6()w#>Y)QJK{y$ym zmz=0c6?l-6-+X`%mOxCi*?`DQE&0V|$vdMqhpCLI=TFU_NyoibZ``OdNs%I_xVp5t zUt_OMfT^NeKJHi@pZ4@g$M>PeuT950NoTcex$izS`j$(tbBpOH;>S-7->m*`Dwg#r zm9+Q%ap8VGKRNQMlJ(V>nG02?AH~BdW7%5g%TYxA#HaE=_M?%~HMV{?N4B5&D(Q=& z)=v30=k>HYiMyZkM9uGl&wB(!w0u{8#yS%7eU4&E^jdHDGs1LW(=xB=_X*}H%^;Qtk|$$y3UZ&85%C4b8Q5az!{0sfycyZq0t z4EWy?$o$V>{#z8_f5=nwzl8a3QON&g&^fv#&~@@}1ma!UlC3__-{<1G^q7#x!<&%D z(FIYZ_ln&y!*_;rirs6TO4wU_S zb}E6cAPtmXIBtv)MeWj)BS$bQvP=R7yAE&=6{e0p3(or_B8UD&R zkEv(t;a=yF`(L?lc2MB`X^U9GO2len+)x&H97BG#Gb|pJ)I~V#VqcW zVHraW1scGMTuA``^EVzhuKjWZPY~tk0NJGB5HfH+Q6ZuCabhIftBB-uomy8g?Rb8q*>+4~}JSqf?J;`?E{m%&e$S9CrqJiTI< za(qc|^Ri6!>|K{ahL!7=U#QLTmG)7r1kG1d&~T2d#1Is?=kV*mrBYV6-}WWWxnGk0 z`x}Vuzquygbu|nW(mUaN%XEq2 zyzlRSE5#KhX(RlM75t)UJyYgKRhqw3yX@E{CIoU%f9z%uemdRfRXtQC9j5(W^dqk3rpXL9ByXn>CJxZ+)l>d z($e}hpx&ToTdFPmf1d@r_e*PF#b%{KlDadCK8v{!TL1SAGx~K0iCfsgD6w-*)1S)| zNr@88&*fGjq@*em-apIuR<+ur=z`w<`!w0Ng9bir1u;UIoyrC$WkruQN(>X+KW5@@ z^^_7Al8*-L(4wmdcK&I#`GkdPeoE?Z{R;eYf>S55xFwarzy=SnOSr>EE6qN5nqk?4Fb) zRKZ#wZwGy%u+g*3yOE&0?6@tGN~ZFVRp6*9!e-LuKhGy*=X?$y%j24nl7&wYRWL7j zI52UncFs9-fB`*7QRvI#p?bI9z|rQrN}G_+|31jm$6qr78@>wDx_$Jj^a~A1LsAZS zohpilC1Ap;4&?4TuM;F)EnWRq{|^)+NWvuDp1L;g2X*rry!Oedg+({j#Z?68GDMx2 zop|!5u}Qx7-#abm)W=%%;7_N2M;(ot(|;IEqvA090OxysM}V1dbiY;8HQn6m4&=_z zCLC*Z2mTl+gEEsEg5`YCDt-W|N|uEMT<3FiK$RwD#{+xjukYQ-Q~J&L-$R^au%|Vv z1b0Ac%?=UaZqE(nln9d2UR|NT$b zzCwK&b~YI>5l~y-?5A9Yba^?dD_m*|G@%!p3heBi17LcsMV9D5QWeu7zT_etHx1oP z?w-Cy!PsSZSre3qo!{xSchvJVCvi4+c&{&UJBa>kU4=&4h_jyYU*EBXyK=E-u6&oJ z%PMFyTp1RIHmoltS77MLfZu5En9#eMkWZM&fHxDXqEAb)jt5Y7FT!QoQWUU-ZgsnB zeeg!VRf`~LJKL=2{A_>`K0Z_pH&7s`-bT}Z)j!y^GI;-1!PqBBR(s}V`<=#%V*#-V zd0atSDy_rQe>ssTX(desDZUY=Ej=s2S4F=c=VFqx@_rzp*jYu3W^-#l+t7KIxu~Aa z5UYPR{;sg;m0{|4Bda2Z2iNvNhNL-9ZB$e^`9|!AVXbae^y;|lNY)+Kd~4ld^Es+F 
zA@!*t5fR2=tx@JKFQ*Bovd3&Zf4O>{TtMaswvIpS?N@+#Cfn2QscsyqAGksRS6l|T z#B>b@E^lX8U1T^DLT~>Wpy0K>cetCyMsr7PmXto9G`$3|F#Q{2@f9+|1JS8+{%9@5`01; z;yZWm5#SDMKgPRr2bYED4iUiv5?sV-JUsk61b4{^pFATXCZQ1ei&f_yrLdLP`&YWw zRBWPR-o76aztz@ph`jboN^T#eX4kh#$sakS71y)un=}@p*c?s*jPyANhPE5)6YDCo9+b5~! zP^4p-UF@~q2ddi{yob1(xkFAsjt9a+Yy2n1zdP`EtoToe07_ep-REl(dq>J!8zZ@> z3us4sPAO7b_~JA@or5vB=s34Es1Q=|Hv5`%@pGV_US(u2uxx|QI4_o`a>-hdh`D<_ zwg|E0#0dk08(J22j8mYFJ((tB2mYF{TRalz&qbj?!N1gQ@t#Zz%D0SIc08-J?2<0m zZltUT)^OhkJO$}xwHgKGE6gIp)4oYNVAMoXj8H@fGJ^=v2jBF#Bimlp;|1#xMA{9V z&_#@#!$oSvb%AaCJ`^#>%ztRWrS%G&CN@{rlQipBH&eqqk1RV^IdSLxDP|@e(91Bk zGZmBoAAxN)6f^0E)YiA+j0&q{KEM2r$^h=fB{sx|6(4MGZ%4fW(Hi~7SFwxhT4A?PLjI{d`#rV!@Dyv zqcyQ=HMOz6rWdD|^r2>lO`mZsTW2F#J+p8Iyr_KqILd2x(M711_ryz>ySF^EeHzeA zgx%MfTpgsIoSb_3YX1q2alTt}IJiZG{-Au#VMQ<4Q!87rin>J3TR>G+ePw1!t64F1 zK9%!T-#gqr(4w4Wkjodsu_7W~UUrg=uO#Npg>&@AQuNodRZnNm86IqKnz_cheo9%E z?D5Po^~$kLj?JG^D$H`KihCiygqQe=0^okiMiaw)&83VHdE!nzO~_Ynjpo^bh?jme z*WYO4204mVp7@?Z?s@WT^It6lF4X6inw(_JR$Q~yg$6*BvXPQ0D+yK!Eyz}WmpQI4 z(?_B;HFi9njS$udb?+?nx|_UOtIhEC0(y_l@rXF8{O`=Mt$hA8nOTg>*r?1f&^~t9 zMt(IOqS4$9(5XMdpM&4;iHhJ0%dmPE8gJ`E5@?228h>kIG7SepH z7MtZ6SFd`n$#4;JVYolMbNJpsY|7zwnVT=1St$PxB5x_h4mul~*gNWV6OMZ$Z?wX& z;DMQ17T1Gwb?R`M;z5(BLL~s}#qdIFOZNHehz)g~t5mH1c?50ABa678boL~F{)X?! 
zC3DNR^pGA|gE0TR2BER!KrH*v7@`9~7K`@F0ew))W?!p^Usm7fl8U@?Q|gcqf9dL; zs!ECfgW;)uqGn=)t2@J;PoY*%PC{DARtFZ*sgM=&(rqp`h0_CIVilm@%2*MPyRy5n z+PW)8v*y<9er6g*i;?nq()i=v`!`|&~qz)bLnf-6alws~2p~Ng1tZ zu<9Ia?(Kb;di>L4Vk+D8s<1#a>#B|3vZT>PIjfqxP{%+0;G}B-gb%0B7TWEtWu>T1 zYwSSqJWhF9Bw%|!%sC27ZL6yn%?4Vec`$(XSulnP8bvBYlCbMmu@$-t!+Lu-u1wvwrGuTs)Wt7oq0j5on#7<(^lcl`RV z6>}~^B=xY&!ib2Pa?te9i05@vzgxVta!Al?BZu?#uZstM6NKmc9w*xg4=1qW=qcD` zs8~^GW7F{3yilM6X|N^xz)e2{|6uThBT-i;OloI#{c4VR)*>$f@Bz*aB$fBn^U%nu z&R)dHR9)z*qi4MZT}H($AqLS5ny5dlwXwC4R8y z)YaN#Z0bgj>ht|GE~>+iuSU9;^@FBG0O|=pMIUfzS{to$N%7>`OsqeAJN`W4aNzni zS8XT5jZ@x4)J4-EU{TAQmNNxO2`(UJI)XyD5#_5k2Bu+D@rHk<;3B%8^e|h@1s{K2 z22Wi~yScbcx#hF1&lj&BF{^7IZjJfBo?c`i9SfNBdRz0%tmt)>kG`#Oec48i9ZwEy zQ5?mbFt%7Re!)7D)Yi#9$Qicp7`MX|j5IIlFHsgGi(GL5WKYk(K?2BDn1@6X!$i72 z-_J5A(}5XExjWN48+2MU&$w;|o=4bxwkcZW0?EN<-C$cHN2mT~A~9O9bEv>vb=zj< zLd4OA$7SE}5y{cqQCsoY%?&JQsEG~N9D0n_RvGBt;IP`H?eZjQaV)^}@%9AtDg^G8Eg48_qAAd@S}c4zJVMxc@=atrJx1S$icJ%BgNsngRL!+a*> zpef}^S8sAGjr#;AKzrf?bX!@~!P)`QM~|2w5gV|F==J*Wtpx6!hFsZ+^> z=$Q6Maoul)mhF9Sj}QLsEB(tK`w_%zEftx!coPVIjP&(G*luA!u)s)EK$hI4-6FCX zP|mdAIgw3u6RkY;dpqH}?@}=4^SO`L+;*jP;0Ka_>NM!=BrkRW=P#3$BK+O5+JDvA z($_WCa#h^0|CRFj$PD^@NA2->iJ@3d0`}OYA8H9?K2MF`$p=POryse-UT^W2l|kv@ zSN;g$NkqZ@F|1C=^TgK6z}SwZH_>n)>$;q6P>bJ=eM0@jpW;Benma3;+8{^iB?A_)D z-{X=V3%M9Cp}pD}ub8s?##>W6T4spUReO>Xe43==ZEko8g6Mt_IJaCaZut&ufFUst zrMD`i(qLTg?^T6LVMvEMxEe)z_P4!{9mMO_=2{TTm?0@Fz8x|9)xWcMr zK@nrLoHMbj{s#LXDV|0)rm9vp{$P)9j-^cpf5-}nCS09Y{&;?p=$8SGQWJ9pgEw-i zrNq|RlbN~l_#TuptUA!&|YRig9jD61^xm2zpLp4O+((@9G!L1??tu8_{? 
zeYiMA-VD_W@>0F#SW}A)m3H^n*$}T%ka!E9 ziVi~A{7e}FvpV?hCE$fgL?7XUY_u^%2>i6CFJivTv%wC0k9W+V^JP z1zMX(LA19xgPmGkvH_>2x;p1)G-`Qce{~DgtT4)F0-YgApWM1yl~GhSHBY9X zxFzC4vk|+>(as}u36yKix4A*j}tsiuge4Q#~ zwlZ0`vV8Z_N21k~r+80CIYCPTtk+ET#6W#S8d@X@+(@~il7RTEYt?lLwMWY>YF0;o z)Tl}lGWGTMx@*+5)0egSijxc{i`W~JwD^lSnDT2GI62^Y&+J~}6sq7Tok6peR=azO z;ZD$t^uj&o;lfU4m4#ZCdqM5<#k$=q7g|HnIhWt$u<=y}{lG{0_!Wbj)i1VdJA);; zh%rHcb9A_RQZKt-(6V()U^v?$Fuh7)zs|q&j^T>!1YzTBf}f{mVG;L~WViUGK&77p zuX>V@Ju)PWejyE#V#;Y;JLwjWjz2L;XnX9;Owq7_ct3TE7m2*ZyJSW&3ohqkDiI|d zxW%B$V8Q$C8#cEao6AbMibHhw3&&b6E@q%<3!0v15k}#X<@w2vcCdF}S3O@U81%%^ zFR1(@<80RK-u{e?!f=jqN>IaPJVj}{rBfIzAr>$UTUwMBUGtJztH1AQkPLj9tG}ox za*>yU5on(FJ8ERi90lTo^KIJ4&|LaAU8seNsxctGCp2H-V;5 zvGGQ01Q?8#*Na2X#9LO1fNb`0Ug*pFG_5v)NR_yjjg!lPVc(^#d9>{$*5hKu!(D}I0mn}*HWCjH+%7wi=0SAL|$>d7PGrmT)5i z;H~^u0uke8yzSQ#ufH_hd=?D144;fUhe%{O2Nsv;ggdo#`OUEU&+c2@Yz6q}JEv)q z8}uQfe<>F_FlRdjE9n5}&89rRRVdL`X%P&e7%w!-0-lu7@C~@8h*>{NZO@vUfE0+V zgD`#}Usr23YUvOW7Ir|*dFjr67{|r#4#IBEVk|UAeo;BiLpvfUovmv|C9*j1K&0QJ zwuU>Pbtbz3K~w!#BUf-&_s7#%gFMsIQxrsWZOUBi^7{?N63}F3CKz!tThz$Kshyy? zy1$EoN7}d5>It!clMw8!`>4*TM?Z^S1fp#%R$6BFKhzkipEl|@rg|-)X|ICe+kxj# zj)-cFk|xj6iX_fmOlDYR;j?b*ty_VH4@D!hx@O&Lk6g4VELf^-q8uJ~l!=0skzsyS zru*fmg?~f%0M{?$uq54RC#Vt(cyJLR>&#m`ZsDPRRiAmBxi>Y$1fp9Gyh&N_v;Z4b z>}__nJO&;OV4YYF{tn2K#tuhZFJ9UGJVf1?L6*Oi9K60bk+`vQxcC%0{T(|3TDdW8 zL)_wd!7(G)O?OMio2Ke8y@ z%QK9|M^~=bt-(E5^$Td1^t@Kp94O+%u;J3wi5XofL?JUA7>VhmJ|bU$I2_|_K9@@u zX$}E<1JkZ5Sbcp76>t8ii*AIVX36Fdh-=!h=^?d#t?S5K6FW>YA9Ymp0xl z)LK0=cOrw-yu7MKSY%(SA1oD!NLNgkZ8incJ$9ZIE90qYZQ9jMOAi0x{773DyvSfy5imG=V)b4>Z2jfL7EZL>Qcig~A? 
z*|s*&OqKn*0_BmtKLK`_Ypt%?DxvNw?b8Z)+HRC!_PPPrMY63ygulrx9xi^pGyrK& z;49TRj_DeTPL;o5(?=OyrNK|&fg0x?AeP+9<3LT?sI84PqzlSWyb^*9(7k53-g-6g zvHjeEn%Kd)t-Az(`*gpzvta;3%8PM1)p)AqXV@b zm(UBFu4}42o;i)Roien|oFOLzlmb~Cwz|tGS0~IV+d1gBqpQeOT}F8=1=>eXf4f813U%9c z0hXrnSOJDt)$TbT{n8Nh9|46JlvtmW9& zPDJMX%~sNnD2uD@Bhw!j?ko?MVO;5ajK*tg?Iq~vEy0j<@R$~cYX=(znw;WcE30X~ zP&|a+U)H8wxi4;R3mE+Ig;jhe&ntQu!!gJqQw$N+oB48nmc1U8(y@B_*|WT)^M~6f zaB*y-OdafRltzL6`hI@VAhU;NZ|KNlwdrLxL>pmLXIV#6-=Pm>5lZV%L#MF2X3x~u zg5C+y6uul&_2LncC(&?FU~d0m`0t+V3eWlp_DLmEkJhluKuNIa`mDlax17O*qCyO_MK?&pXY0{^()& zZ%Uoq>TNcTu!;9VE~Tn(@StGd(le5qud!_D5EWDdC~3w3X%? z({ZD2z-H%Y8dNXUR@tZ7ib#JI`*qTSwMBUKsHs4@rNZ?>i@wj(&BS7~hDPa;!0<U!Sk}MPcz^f#qULW;)OuBO zQAMoLP)ZRM@$<@qG~o|76oP@%3E@y}=XzDnR(j2Fva%O7uQPB0H%eQT_gL=c>NK*) zK$-?CwlbT`)wY$lb#K;ETj>^WNO{buSKx=-VuzWoSTHbuAT%7^(j4Y|7Ih=eUwR;;SL)0RNV&+QbvSeKZ2wpo*#fV`ufa4Q53xJRk3ul(g*fN=7*Vn>?xRK#JwH$(Yq7a0YPzEaLz@lV z@N-QiGK|XMBbqcJR3u#M=r}B9m6UHM&;Uhjp5MsIRx!iolwPoT8n(#OgAKcpqqpoH zcG^ZRHBt?!YV)Que@B?80(~OM>gyzmy$HLDTnXxaQ>P8C)+PlB2;r8nvt%)^E~gFU z$xLWLKcdI3pyiRL$*^FgX?iCkh%00h<@Pnn^eWZka=OB^MK75-DDvRT_|@vk<|$-G zzPPTtxEn;=N6dU@!sqP55VW}s=iB=ca5;8*pnLJ4k`fk@&DG^iH z#umI4wiggN>POG(t#viYDKGEDQ*?`m$ULib11pQ!i^GjGc3RYtXR`=@p#^QKIO70` z%ArRM&>*$2Czc;}F!b87=s%}9Tsp%-Z5p9F1HTPS@Ck_`TT&)(@2*`>p#qD z=F*G&)IBi4>X*Rj;##2PE<)SoNX9-g&(vndVO0jV3O`s0O{8~3qFlmN%6}e%d;$l( zTV1v@w`LKJ9s4zl{pl+p?b@kxER}~{-IWG|@~}HJwR(8}@)rtgmZ0o)%qH36<4DvN6uq&2kLcf|4n7g|f4ToB|;z~4}ok0`0S+;MH@x*G?(krdYS z!NNHNNp0H_tsunm122UvJVv{(mL(#6W=FEv7+KtQvq!-oO8h}^83P%lIUkW@K?2i< z08Yl^S`Q+{NqTy*EEA>8zp=7|w|FKd*k>$a+n_q_3xr`Ubf>El>j%s~yv0LGJV*(Q z=KuynsaL!eu@i>!c9@`QVA88$k5hOQ3wFJNp1I_~Mm9RHM*?$O&NAW=A0O_QG{iqc zTG8EDQ?2~I&KR0*F4E?)B=qIX2^K4!lh_$w+7hMn^E!o91Zi7N%pVOuacp4PsE&3J zYu#Fh3W{U>VPg~*eR=^nKC(|s$3rs8%T1cxvHVeVqi=2hli%_$Q`6p8$2Q6I~^g+``Z1N+C&Li)8N>Jw9_)8=}{6)hM z^*Px*?z*gA4JX3Wt+E{9H`%V};PbC-^9!(-^ti7(pR#VY4-ScwJjiAOHCcpDE$U)u zX3Mfm1V8V0grg2+=?m-K>Tm21Aeo6*8<0g3$=8>hQro>G2d7{Bse0y^IZUTA=~m1+ 
z_9Vlv6yPUg^@3~Abg-cgzX`C23Oe2+yrwUMh(Yx7Gpi7f+zq0siy_+$hKrW9tVayI z^P3iyb}5pshoz@qD67jY@=}7{U|VV7+pzh^AwLBfzkq0d^}yfMvOO_)9p2_f{mT0T zrp-X&=FZu6rNt-OX?jRE$kC-|NmlXC=!s*RoXbML$HgYyCagIWpB0^OkKq?W3`%KrP ziwCiFyM=wj(=2x}Mu%XZ5(&l~-Y-hbd_iUoMzdZpFwkaeIQAjFkv`h3QQq{#kIv!! z(9LxtcEzqgRZTbTAy6{XF$lM3vly)B{>x*JyIW8p?USJ%S$z;~H4?s4Q!F{eZ+gsV zqaLH}Y<7!B246kqX_E1W|4bn1v+yT9x8kLd4WjSs@ygoJdQqbm8Yem$*XuGiYZ$|p z$|TdjFA{U6+gIy#e6CRu%a$59sBRdl8!MQvywHUOy(cbmwVMl?Gu6gD8O zMMU^wZ2*4XwdXep(iJUs+{){8#l`7x@z&U|BDYIv7G=PZH?ZY3g%kK;^s!Xfx_N3( zn@77=8e}D^=9$2m&9tw|LjF;xl1l59GjeHnOY53mS&e*y59uOiI=0E_p7`7;%POJG*A0U;> z%rwiznD9O!Xsn8@VN@9IH_dFs+WS8t~Tee-`ab&zoic zM&hF;gkw`u_fAqja3n#kB8YbwA7yVR)il*|*Y`cq{q)T)V6-sHO>EFM?7>u1(!>Jw zwdA3@7|>}KuKp{?z}CcIr0fh=<0e{E=|(ZgbKIe3Gg?5~9jy4g@^Xtk ztxw<*r`)^$f-kIQ*IqtcE@N7(bi#UP@42c6kmi|Q;Xpj08ghMEkXksgK5B~D)6z2rzM;G5!X}-xS`rNxBgEzF4_X4Q(%dOlMB-MUygO;3a#Dad zZ&k1I{(L+6yFGoY}^ce=_8N@LZn+L?b|qpj_9U5^PKUdG5+F#S9T zib2KYOYfmTAcbGZ?pQY3S3EDGajMHv+($Kpy@@?=uhK|L*2ZzXn)S?htxnYKVUXsI3!Udd_y^xZO zDNas42Jop`gJ4#ID3I4WprfhOb|fBkur)H2lf%^+C|)tzD&3`_rEV&tTv1}=-8yE_ ze)uhpsKgeMo#L&2}m2BVQ8S)mxVbdM`$+3YD zIqMM@^cJu`=rzeTd}v?k8!Ft~h1;zN6aCJ59OX8JRfdpJPB^hT z)$K7G##bSn0uN|b-@pa1AwowysWnLnsWBRQs^0}wP57_Wbe;Sr(+&zdI|DVhBB+6d zF}`k>sjM+X#rf=^k+`NIj6dXnvcf|?E^#U1!r$RUF z-|2I02Dz`iF&VaT7y@A!Oe&tD>2h^eD`zx4Id8M0u0P+!G>f@OM`gt4jA5Ec-5(}* zxj7cW&Z>oEd}jkw1`iNT^cO=E-++2^G(v=V9>}gWb-G>_Yv>KlyU~?twNDe1JUfZp zIthEQydakRX`45z`PfvvmmFnsdVvi5YuB|(Y`P_L%OpmkNZt|C(8%qf?H1&t3NLBU zbRFfDu3`}(M_7J2ykz6^gpe;)%(#R#hs@e0)V2tOl^lV38e*9xvT4hyfue`fLHsbm zg7{Tl*Rh*iE?Db8W?){qM6>w{7lJRqOSFw_Syp zNOz#GX3lx{qfW;{%LcmKXil z@uEG|1s?^sF}FsSON_4?VB9tBAH?YI!)}v{Q&%~>wYTaYd8t5Io@7+Ifxs;^J&t8|_ zD-hY!Y#5lgOR*wLA)Zk=Yeucf%@4PiP0cA4#1>NSU^9hSpIj&b`^N+EGM{;!U{p3i znY#W4lFC`%#dO_u)WcoB@rU##`gqt1(<{XY>M`a6$w6EIc?_Cb2jvy+m zY&lW9Wzo3kXCXNSlykPIhF*1bKJY|>6F87~loX=rT+zZ9vj1TWK9I*(i1jH+au!7O zjb0_n{_s(MypjW0CY%lPH1ITfm8W-nqw6FfRWGcp>Gf+GQm%qfBq-AQxHbJXsaNoW 
zX=bED(zK(%+hEM5rl(CdrigkMrVcgfALSi!5`4{kV-z_}c8%wm?XuGNsIRgz9M$XY zH*^mnLzC|v4c@$Tts6RwYbu#m{OYiEf7x(4yK~;p#M&50=Ul!w$hmjEuC2Hu!}}s5 zckZt$rgvFm#>S;3BPDAFBT(z4jMpr5VcoM4*^dM}mmN42%ZzwzxYcQd!2Uuo#zt7M&`?uxpF!J2uO4=me?~Z932!lG;^)@mAUGr zg4MQd3&+2m<*yXBY9zz6e$4uZvC>7iDR)+S3r# zkHj({IUQwzzSl$5SCRl5O^|bY-g~MW8-7Bm)vv)C;U~}4knZqIfGIss#N zZGC|_Z1;Cdh(7!ywf4Q+&Zc|2AM@l*Q)OMtALZqgU^P|6s_Gpf`R^Gn@;w*pD>?E- zQ8-n4Hji1fky>D*discI4vTEMc1#j!VfKbc=FrIV1*-)Au~v7PnH}CvWX~i>Iz16c z7{tY;7@fv*f==96TmbnQ=d!o*n!(useChk8G=>Cc+e--CnwI2T#V z-x%yH+}EziI~qWnlS!uA2Oik?p#1LZ^*|JZKh}~77jdh-Xye{5f7;Ym?G-vC?5s&A zt(Iu=#RhU3v7uFE>M8UsG!18@z#jpKw~afme+&zw$et?EZ7I$4yZW%t5`7fT!7S3X zo~Woc@pUgdl}@TQCia`Tj+QW#WkljTvfnIGQ?*|FnLK%%A5IO5hsS891`HK^%bvdE z-?5|ogY~JR0H&VTCTd`uMjHiLNa~Pl-IAs5Xy`myF&S}jRjPrx%eomGAx{6D$|{(4 ze(7I#y(fZ6j8EM&PN<$4iAwE#!p%<3YY|}YRS`OAGh%}oD%-%Bap|~ryGrg&x|rYi zNAP4-jK`a<^%`GTjIj8sw<@teO^UUlg(^}OP+f2oTClPeD$lit%$&4Vipaxq7ky0( z*drl2lZY=%J@R{k?6_WQOWs zb6fp-wovAF>&vQEo5WrMn_opAJ}^()uE!f+Q|eIf1uGyp3WQo^Evs~vY6Er^sn0fvnK``SzFmmu?yyUc$z;>LP81wSDjT#ZDeb zbXC(U_ba8VUNOBwRC3Tql%JxcuhDGPYf?naAS)4%$zLDoKM2Byw{$0e$vX=_+e^J$ zcwsm>mMbE;bMvS4llpxb`6HmIbf4F)hB?JZ^?P7&W0Gn?{}n!k<3wpy^Y86BT;VH^ zfnAi#Q*v~!m~gjvchlrB9mZ}9(iF6Vd@OpNCDq2vOQ~fAk>=flN^;?cX#<+rLy?!msvtwU=tDHlq?he{?q3qZsbGE$m)QJwIv0nF zN*_dBOGQ_FLobe&9Um?T5MU)WaacN^nc9;lPjqTcrDCF^3(CvcE49lY_>}y}7MEp* z&wB)51vMO4(DfFD|5loQxq99+(kD-z6A=*^)fl((rlqE49^c4?JTHl`y1h93+k-}+ z@j=A7iGR1ru+jGK`JCAY{VO@p^O7*Dz6gBJ{hC&sxdJr$OjD0>VZ`6t;8S}z9D~jTc-Ab_2FUPwfo2CP^I0Dw~@QX@jfSDz9YvS+r zUC-#`g7@ZXG4J<|oYI)OgxIgJFZK36SgEA^g=T8aR)5%w*BCak;y-yBHd|}vYRVuf zGtgwz?6BfE=d7BHKr<^Ft`3ap^hziQedC<=IGH&rp2vvAS3Eo>83S#|WPEzY5wePl zq>49%XGpcjly1F+d#v82e15#HyB2C;eA1pp`Kd8M%e- zRr6C9F=s8{%PmTqp(C>~i7J>@sT=*i@6o57-8jLCZz7#)lj8f_{;1(-Kbb4Ft(%b7 zBm4V^gIDTZr45DVOq`!74YL=ouBHyg5au98EI6j`p1#LMc`tsVEPHOHz$5^Y>Ep9e z@?vcs(c(<~GD|4hsKu$m*{PM4jqS&{=qh)_oO*FSbE5g&TSRibZuy?By2i$djZRK* z`2o31{zjAd`irjJpwuUJ%bKwash=&&e+YoM9at!qD#f3u-cQ@+q^&8~wNb 
z<=;zRewZ@xSyrG6x+?HXBjKykt0DFxx$IJ$LrCWkFZ^YL81_q3pzH9#Sh+!z6znky z$@MYLFXvPE&5^~+hpN9nrO^Dn1&_IXiP$X53nF#_l)Ux{z2R8GTN*!F?ijDq;Re>V z-zFU2P*f&&Wv5W4Fq5F)>CE8cOoL+`44K(WZv|xB`$fdX&hgGdBaNZFcMo#_ z|AkjMC??JjnuM294@P68uV2OoMAK!f`b;A7AdlXGivsLW1qB7mBY8{9!q!uvpT*Bf z1QJfaE785zFNgkF2{^W2w$jmJs_flHJoB3;u1x;)ZOVFo6)zeTj}u3ozV`%^eJZ8A zKAI>4W-yKi>%5s~#(|4x6|+%Wso80hU(J<;8R})~gEe{LhO)}j`;B%GN(k$JFbU`Fo40^8msGAV!BtE_68 zG^#m9uatVjGGoo|xreEU8;eUyopPO<*&oqg$B4^X(TU=pOfluNNs`8mSBp;e zZU!Jj5^(gML#JW9W|q?P2T6!t_fL;+oo5Xcz@ZQf+@^P^3oaNWKD%Lmdp@JTG0s*s zmM3j?dsqLmLpx_3LnmO~vU1#986PtiC#Em!N_OMe;UF%;ib%~*Vx>NH1#w*%h!aJW zIlEe^%jIkZFWDcSoTTtzR3jUin3!!*Y8G@U@wd{`&MCN-)l~-d6(Tnx`q5dE$lT$D zpfC2`Imx)?zls_X&l&kK3mwtN4rqlPQoVmJSJ1QX_#DiC|G}Fq;I6Zu#a8i9o~Gk! zM>}H!&nG4q<>zDzIB>jV~tenz=Y8f|TQR)vmH*~kteMBt`Ka8aEI7$Q<_o{FR~romVF8{J&yN^v)eVrm5#eGCB}c6UCXhY?TZ>#3CHn7%#O=o?ZVUsWjF>K_lwa*l z|0<;@pP9FG$VGH1v%{0?&_m_-9TI?qaR*e$F>+qp!NRFS)eR)tpZm+zSWN>TwDO79o-$sZg=h+#PXDb{ z*I0C~DnE}Jz>6;6WFDs^CL^RyF-Okp^%D?wXkg-oT=fCu6Z-Ic{cEn#3!cMa^akjj zkN20_P6(&!GJ)cY-S44#wWiLWH>U}?x29i0VrqS;nnxyzTCCE4*yCa9glr(g3QmlO z&;Z_EjejNtm= zyAHd-`6N?$*9Zn?L0ZLt1G?B3WnJo-VEsM@w@Y&X~CThbm2wZvp&(-!IR=AXNi5VfIOcbDc@rK<^;ANA9yAj9dkK?S>}qMGsu&+HcW{N)ZGzVjfewC5i?j>HeoTHE|F(X?a_ zmB?U#?}kLe5HJQI*F(~g0M(!ubcaWZ|we z-V(-2#BM<(=iN=36;U|vx))eoC#n0$91e)az^>|xK?lft2_O-DnDX(` zln@H~^Z@tiXOu}}l6z9lhCNgM73=eVw$yc41n0_o+>=NG&JgVF_bj=Cnq<9;J9&}0 zD!L-QKg})$*_u_#c*PW^?Z>o8l2~ZD3NgZZPtcg_0_xFpr1vextY7c{cq<2lH9+>Y`ge$82v_FPhd6aY1Mf z>_Yhzi0)F_glt=mr9z-L((WvEFU|R<;w120Li3Fl&IZ1^A%Rqy$*OA~%EddQDorn4 zW9-R&vFM8X)1(ZRKY5hRACQketFLW865IE_6)ah932x`7%rRu4pF)ghe{6q(LHMK? 
z1ZjpasvP1)th~KrT74xK-e)6Ky_R}=y8T)-Q++43ZXI^AujwFaFQDMw z6dSuKcVdxG?D=KLLOoVKK`v#;B|pqGSjl&DV?(~A{;5+brVr(wH_5k%u8(C+(N*OV z9jPv?P;uPCc1k8?;RZ@WEccEK_^g~4U-~(r+gPh5fz{GLb~a+HyYC_^FYvbUI<+MX zf2h#sGjZ^XR6qB=k{*XKGCj0Z)&@RRs?TveL*u0HlZu^Ty7gPyHpAAr{(BsU_Z`CG zEjYqQZ*k8lyF;c1DKszZ!|{|Yl##p3v6>3_L;l#XrTR$6Hx0U%=3I{&!9J6ydbK^| z?GK<6*QyGvl_Ms|SvUg3ShB@*7Tqc>tDa9|)uHD<#by;-cI(6c`8t?Y`0z#i57%O~ zR!ODbtu-aIn=$Op2gE8EP#Hk7Oyy8l=B!-2^wKPo`Jr5J-@8x4J)S4BdtS#{>YCi# zFn)7w1hX-IM9-$yRcQE(xsTR;1O=KAUUl<;2Et}3lNK=)x-Nuy=#e9sInjZjM&XJI za>Yi=l_s?IdNqpcBXFZU`JM)7ZYCmUj_fD=XI}Qi85KOCrVnMd9Y$z^q%ew z^7U^#8FLeP6=NwZUk$9P52?%+Rb2GNh7*nHUNpB*s((Lhhdv>Dd3dv`^m?T}cin(f zh>~6d9EC{h&7AGy>q?uID{d)0cN?S~G@|TT|1jHbf{Rspxh00u_4K-fj z^h8F(Q(ft!wHK~*TsfXJmenQBk1%>{kDW>~3GvoLyy%|B`ZpT?ey>eQOg|M;oQZ@j z$C_9Y4ESTiL)ypzmY>L5Xd@gA;r2chDOu!UcnGW(s6%d}#sL9?2@XgzlbwrjV8w6& z*(ae&t;#L8-2b^@`0wu@Qj_494%xC@lyNI0`hV2va0`1FfSSv(5&@buk*)_s5$APS zzpQ6dxGr1~t{Gj%p2KdWU61$!w!g9raYW1qK7Llq2q754bkybRe7R_sDG>2Qhwa@J zk3OP&@sv^gtVK9=VnL-GS$@Q#ak0@t8)W0vv0Xs$qRUW~_TF)(Z2Mg}aA^5#m4rk= zCxdYl|F_o3`g4?gXitbGCj9qIDkUXFUd6Wo+jf8d;%Ruxo5l=lm4d8hn$*Z5z>0wWij z(L?&)@Nh!!Y}BDoBcEM44v(0C7dcZ9#*KsHVCF6jQ`8X zddcE74-Pc+++At9=D-M6;cH*x{_&-VYd-p ztJ5~(V&BRm|C4Li7ra2CcJwOEP^E4oMu*Li(KTq#`|=5W!G zSorQvJ)mC%YaX-XDei^E`C?_`R(R3xY6(%yCR$Etd(-T?5h?6$6T-s2#m9StM^`k|JT$PmP0sI`DI@11Q^`0I^n~F2tg^@8;YNI4ko`sdVj0d{_Uj z_eI8@nR8X$U3Nc`?aa34adEOHh?`zg=J?%;kNRJgv`jVc##laebT4hfi~MaQOP~_( zuawQj?))0FL}vZ!aQCtNvWZbs=AB#l`xq)$N|yn;1kAoa<)_1p4&s%FD2H5$Y(}g5 zN#8zO=QQV!k(~2Dqsv!dVQTHYIx)||;u$=p0wxdeKyx|Tn_ev=GKl(8K@UTymL}fj zsxW0U99lv}nm~uRPTNc9F<*Rz1`(tTSN(3o*|Np&G67cl>>I_ppjxh=h7vwb2x4lF zyN#c+{xIJ&u^~ICDGfk;q#EzgzPZ{;eO53J#;Srqyao-1-6O$~W=lYY$C3PLWN4_? 
zgU?3NtDC^f;5F3ppGQ(9L_|&c@7SuwT2Ex9+gd3zw9Rm-3E3A&c{Q4jryOf>ck}VS zIi8)&SWSO0dW4eqM8c`g;-~QRt%x_DrNOEjYV2xA9M!$9F-D+<-6jNxRYjD#x2D03 zRh3m=u8mdy)Ma_7Bed^yVj_=St+;;hgZn|~m<~F0JF>zJJHzse=Fn0ViCg}3)tB!f zZ*8l-kCq=^%}k#(NU*bNN)wR8@RaRL zHnE<){X*p+#bvh!)E-jCjJ4CzAXN|XM^dQ$e(vKBy(>a^7H1~$Xr#&_}BdnsaAj0hU7?3Ba z;)3ZtZsqB6P8UzDqbZTNI78W@-dfC|!SAyA!qG%2aG?C}kVVVG1Jf2`T6>ayXw5gH zOsN_j;fNNQ0?M9%o8M*Q9o5jM-UkMUjm)jjLj4o?N`)X=a^nWyTog6@x!qunG$K%p zurIGQV6;4U%GFh2pTLkvqAS=sKZuzOA{jUFX6-|;BHYUJeOrV$ex7=>Ht(!Rxz5<{ ze*3vJ8UE;Y*VWHIckFtA4z-K3Z#4F@D~^T@ND;7uIEC;&wbwar?9B=JZgs|BvV`BU z&j@t|rC}!w5ZD##S5N|}OX|nXn2Osl-RW$!)?L898R3a;I#AN7X~##+bU#SDeD09? z2_)#^O&HqS($K!j6k2tdTcbr^FHYW~*TK_0_eIP-{*%?z`KGEC&4SF4gy7n*{A5II znh5hnwM#+yA^jqVsFa*NiM}AzNoo`fksc)yfhO`Tvtlmatzpx8K$)O-_#y8P1?=Oa zwy7`L)ef>ZT?{HH%mV9SW3`2`uE?+MdKpB1)6PpVF$79S?)b{iF!4`oyA!L-=uTZ_ zozH1p{j-Q2{6%BaV!W#68#)SA6%`{c5D(NjX)^Zj<}k38(`?{WBG6iAdCvW6 zk1!l87w&AGSpo<UC;9f2{kZlO1ZDJirHkS^guWJ;CUO$so5! zPw<6%AJNaX4|LF>%&+9G_X&jxL}R{Z^?J&vA*Ri-4p-3d;);@(ny+bUvjz>!Ax`N2 z`0U4vuGl?O7$9@H*;v7YwW}~T?@;0b#eT|!qnR;cL2UzWzVzM`QbJyb3;oPKVcIj^ zmb&@cVRlq9FH`&8t&^4*+C~J%a`_g~C)N@Y8M;d9GJua2%CKgRLHUx8a?1`bJ&>MZ zU>S|Sp8(}pEfP-Dt^33Wp?2d-Lc~;Pg|27X_ZD#F1+1;{<%Xdh(qKdWX5d5`F@#4( zjSZI!90$@s6LO?!^EsdRYA--Kdr2*IG`|GX;}Rr(R{~?baJW3>64UkzF0||#vak53 zEYL1}QSq&Dgr87fOG{S$*)=mh6sGY)W!Cw@xWt7kK@?{of)5iqn4#E%=sjc((WHRJ zkC{(L^w}YBAx9K{6T{HV9HgKg>?tO=7YEolSQn!obEM`3t&c?!I$wzFhG|*9A+3_p zAXnPxCU$s4KK#&SSdF7^X%ID5aqT=Clc;EhTe*e;33un8vIG9 z@-kb^j4kI8LjVDEX#$CmGr%W-{EdV_{^o_r(KOVih($iTx!GBBgNnaNZC}>4D`_lH zzX0PygpYdqROc*vdQUOSJcSpBhvyHkYYl{-`|vsj;(uR_-|Q zMv1>t-Ky`yLFhyM8ocz2n=k9_$>V-prqV5h77W4q^_8v8mgNc|Bm@29+SmJW03$N3 zzOK?ek}Q?ejq+po`mmwQ^P23cpFk{IBVFr}(NT{j5B98i$uzA7(~=_+71#>r33`!? 
zAX#G$YC;n%*H2BHfX4=%un##aA83>OVk*wiE8wS=4<1xW)A`cNDM${EjFLcyMx1{e zpy7Z2rJ3E$^L-s6X0P;N;71Z{ibSxcPSaQ+P2#xohsSEArS3DWKUs$pMYH-Vj?*4j zel~CWVnoOI;_(!vJjB|h?$`N0SFe~)mksv5|2l&ZRnx}?C%o2sGcigL`}Cfemo-$Y z$Kn(Dx}GeyiiMPrTe*9rCyxnhb?NLJ%Gcp5_KCNC2lYdoh+j|w)Xq%xGs`~bgESSJ z9E0-ti#|2Me5Iw1K>y+pI^pqJwlisJSMP`s)YxTGn48|RaKHQc3q)h zn;$e-iSDT)i2LKRzY?OFmEy#sF{GxYbpW{?Em@8ax3-*1W)7v6FNsLgt$Cv`XDrnbE}5pyRJk`1h%lyn)$je()epVwL&@(Of9LSU zy@ShzZ2Baq-8|EAil3;I;rLq1iRw0fyEOO6zUGrqUz1p1)Vk3@H3ojDqRP7B-WQ~& z74Fo*2AI^WvA(Q8S3xr6-8=1qZNFW$hX_`b-Yh3_yhKNEmQW8hPK@w{bz2mUlHoS(C)7DxwWFkY|; zFTz8BRRv#yFW$K+^Gmw9Nte6nh_;$*tS2GLo-gUF#M@FO5z}Y zn#KpVPeV2LWzUPJ~XNI8@N<4Sm8G%dU7zTS}1ffplRl)f=OM=d&?!Ujz$Wdx0fS;Lz9sSZcDu= z=U)*f9BCg1=Cefr(7>WLdvH_}t@vCaW~m*e@I_DSSIRg+%wJQi>DY+n?aJEZusvgmg^GUyWxPtyw}yJv0r@GFS)6!Wp`)n(NVELgup*U zNeF$!*n450^O1#g-vY3~Q&ENz>M_tgc(pxZP+#`_3e{Qe%GIuJ1CkAwKwW`j($_n= z<<8AsY~1iF5huRScx8zu6MB7iSlQr6Z?LT}I%Ty(`i3{hFmL#bTN`PD=#{Fp-$cju z@)KfmsM(|Ew?>!Q2HFFcuyd3fd@RvIBZ8iSX4*TqpjkOkp{nyavL}XAD-q09L1CN% z5tU>qz1tUu>%M3a(;UjZ8Aq@B{vhj+q5YyPp4+pH#H4z?h05-A>kN`gPtKOZCF6_P zpRrF(r`kIcm=?XjPnrh`ROSJWKl~}(c55Qh<&6l$z}TxeTpj|z&2o!zZ@60#z-1jvwWYZ^6JdLjFk1btoevvND8A;3Z-!U}`LtY>~a&2%Si^Gtoq zPh7e-Vz_n>5v{8tdF_E)xdBJtSL6cw5|(JMr>&=-et#D9BxccJ7j>(*Xk5pd+oqpU8DIygA}|f21uMVd$IIbACX5jS~B5Ac|iURCYvirl#x;=X(&Q+L|!$}(}LZe62BG08yA zC_eb^IPMka^{&JjBwLFUMsFy%N;v&|KbT+!e^3n7krq_llO~0$15*$Bz$Irg5Kl_Oxrm{=d@?J zDOar{08CLca0Ixjw^qva=8clGT$)y2@aD(O1~zM_pDgJvEifaefi?W-#{1Z7m_pW zH|~|v{$#Bg&H|Dcd=!+0yCp{Wm~zFnNUIZBg!_w_yj0YRc+I4%rvU*N+ohkqVjt@l zGyTKS062;lp2n;ATEQAx7%Gp8<4BOY!B$%;qOV@&fWH_ZK2&3{Y-T#j`x>Qjx*yx^ zztIU;`l0eEm`Fa7G|CVH%Tn59?k;=-Tkf+`pXblMn-Xhz#LmIDAE_-Nn>y0PFz$E=& ziW|tgyCgS^{ucgZO4q8fz#ylbaxmwOcM!I&F3^+vuFftef3jNFtW7V*3Zw5c_1BKu z?tM{lq<~qr(jJMAO*@g?6$Vyj*ONztGgGoh@D{j;DWrNY`U~K8%G9o%Vy8np@BWP1 z_(w5(43AcApRAg?r^2+xnE7?l(DSX0M2wqnP@~N(OyW~`jiN1W&ZBv~Yc<1G=K7WY zF@uAocYzhl=NHb+z4nA~>pKR31wMJPIN-Yh5gDkX5AT--E>QVXTRez{X$?^-vh2e39@3GW>3|MN{7P 
znYO(_BK&9oEehFZBl8N`#uN3zL#~-I82;P>o0+?^a?LYGgK@jQrR@!;ZpEtJqM=s3 z9k|RHB?T@!4!cZ^r92*ivmER8hZb;ZSzFQLo{o^CYC?n&Irjd`72U!_X%uS{W zs1E4qTm^(SKIIS}_WLxC2`afl!-8bi==h(0u%t986J~KYW?M&hBSGK^OSrd@pcmX- z+HU?q!H5cSG&EUJx~D>lGy$c!j``U>_JnAwvFlQcqv`Oum77Sx2e&rLh(0>PGK_i# z4#Gu)$|QsQ%yfAS4DBLHcu8mdP2Vu48WLAxxLA>#tUQ;pZk0?k}HQ=fIyY zQ==NsU+`OdTN>j3$a!^td2*4$rwyxnf8+N-J9L?LBEZem`m)YLq?)0s$N6nW? z>?+jCWJQYcHL7L`t{n49t{7s+Im@f<`I(o}!;L?S)DpI*ia`mT;-LdM+^YKy7lj~V z_JJ8&0T(zliL!5jlew}ZIe*t&GZ?Heb2;K@L3fErFG|;}a(660<>AvjC)`M$p4O>f z6MyBm7L3(27hAm?vvGy{Wc1LX|4E|)i|61*&9+3}yEnmTAy-VY(bC!E{h5@c*o44n z+$4CCG8YP*0L0;Hpq4iHqIqpv?k+MTG%xwC**`hJm!#Nw^yz+%QKUGiHjAvA^Uk>%vm)KG*%!3tTuGtxffxd@2~K z2@J+K1uI7o;^zXz>PV(kQSgDjx)YNLt zeAJKqu4@vhGEnH4?Lnc!L5qeM8Oge0<%}>|`OEM8_=(ZwM8Hx*=dp=!A6iGcZq+I zzSf^+b?sOCYb946lT!NCu3*;M&o`A9_XhsK*9=39D1e#u=tLf65(tZ45zn%AmI7&z zrh`TZj;?>Rn*DOH5>(j8Oibz-gM&~()9bN(Tg4+RuJ0)%Zc_P20vsAx6IhFZHhl-Z zOU>g6POJLvu*p6{G|GP3P(k{G{%RTkRfu^$9BjQeUGekM^vwv%kf-UfdobFcqY0@N z3{6Wy*R0s&SBnD%N&L{~r5MS2@?OG}1%Lk)368$f}F(Tu2gnmWx(sas+bDkyxW|swj?*{@my`*MHj5Iyy?x-8nSbgym+B4 zuu8cU#JCj4g!#Rnp*q27FihTvcqRrNO(A>$G+49i+jv$|c^v%Ju|lJqe>hJASnpT6 zu@cE$n1%Oz<0YSVV8#O};t7p!8f}8lwpq`iMIUbO135M`iA{3{d!ZQ6ng!07J)0UO;#M zk#ax?zlJpN9mP_}>hFn01y)kEO75+;KH#sjl4=C5j*#jKx^d7-2q!|tQoN6r>{}`s zYCHeLT%5x!1Ye0UxWVftx5g*CEbz_*@i6I!tq*kOj5WQ|mwA-)LBwdJK=AYdDK#k? 
zd5#T7bJm=e1+o$Wzmh3@8nA5cG^l7NCL_t(bBk6+Xi4x5d z^)B}-b*mKf0{=u`$9(%0)(h;#@qv<%=S0_MV&uLURP(`yJ1GkRt8_4kvDh^l`=-@| zbi6-mAF9n&oKZdSXTt6BlV%AgLw7>b`UN-qHm{FQ`*08(7g=Q-l_smm*JJSdu2ym3 zwQP^h4?npL>U!=R?cT_)CpDO#@j5)q6?`H4sEZX>d6eMe z`Pn$laUstl@FN7f96#IwpGM=vW5bUqG#V)M*;J@{Kd)3%zELLzTT8x=Q>veq!qm55 z$8|k-)R+OWh73IIjt+l1ovsdYQljSp9w*DdQEapgHG*MN95v8dVQA%3vxcIZ(Cu{bg@FzG_k| zjoBetQM7?^FiU_7yt*ladPe!}VWzwjqm>bf{pWhC+RWTtkm8}v`D3rnWl+VSkTSS@ zP76V)p{!~lx86jKhmo7pyL&rqwAx&)tgb0D)0@xPlFmMEYDY#4;W%4aQLz7^7p<5= z{cEo}3SGg7*fWGCW8R_n%ih75mG*f%C!Xy1tw0aIxpx}@362HNe7LzPdcWy73^TxX z>msS8#Hh)RsHCjSvA2hE6a~l}(~n>yqe4K2d(99<-DEDCgPi=Y@I~8jqNzz|vXoKt zwCoYmD$E!2KX1YXs_d@zllKOcx* zc9SVd!y$-Fb-ko1y!|6xy!{4{*j@jIG1=y&XTAaX02o&%UiXV$=cJcZpUpf!3=#Zo zfOPN;5U%O-moW<#5Q{y=6{ACi!t(q;S?w)(cR9Y#1hK)_C+bvB{Wb6mJbNg=we^0l z2+Y9&>X>S`<4(6yTT?x!((+e9LOCw@eDulwq+Q=fS~xqmxQrqkJc z&}z@_D)xI#V++ucE9QDojHsShyQk$U7!->wUm3m@;lGPl9Ak9A8K#ug=;S3n#&YuQ z2Fo5E_-)+msF|s$lfISZt9h|3vwBd|#>+%1R90;VjX}hU-h+vtt;K;O$mx|E)U>Ac{%P{r;U&)C1jVO;&5=SpUesoh87xKcxUW zcmTjoh72_ZIY?0WKgJG_9+WXe4>l$$)LL@Fde8 z`sAzYjvjh4`a7h@$g{_x>!uhK6@5+ebGCXJy9_ZNL~V^gBBPM-IX^$lPx??Y28X#f z|D=CGY-yv4MG8IG*NG8~DGyrGW&+4ON(TH2`#*z}Aiam1MwW6CqMLL?#Jv z>3iDq;Bz~pK#Ye(Z(}1&L_9LQ^xZWeK7gV)N|U|Tq7iG&P^K4mIn#8VQ49@X5M z`{)k>U#KFfL8rssTO z=ZpO(hZZo3*%uULbL1ZcPRdsVq;T|#j0=49@%pMlF@UL0nYY3fRSWCr;!Me45+Cj5-{AC+ARWjqESRwAokZJ^qM4qvtJkheM>n6L5|8G zsR9UTV3y$_&gV%aMdnLB*9b+o8!f`1XV)f9Wd#2GgNI^ELuWx{Mc=4rYafP@qOvl9 zkyiK4k#Aoy!;KY*dtlSohV;OnPxApoN0`r%Ey~DVR53D=inodHiF-ix;poGF^KqJl zK#~6)L-#60FGAd%!NKOi^Rghk7i)LQ0Nj3ZVsmq5WGH$jHF%94xUC3+9lS)s{kq;) z$|wV{z;$pC6#V}qjK;!tI{-*O$)Upn^NWg0Lx{~?+=4n0!7M;-LStoQa5CT@3Gx3d zN*Vd-zx4khYb+vJdOrUTt#1V#JJm<1lByitEeX(}1o|rvI-muABLUY1FvHcEdybL; zQpx|{gbP-rUF<&=4<;a#xo7ELMfgRDdt^X}vH1Th{r^g~a0Q`%U6kl>(D=tHqy&l! 
zL$^ynrv!t)LBagQ#Q9>x=FH4+59S_aW#qOpGC2t_o(y2B7X`{2|4)Vf+ob=kr$dhi z;{Sa^sDcS26+uyQOu+tvWB`y7-Kn-FB>2rUtAP5a-SeXxU}YqF`JF!c?maY8@ZwTm zH3k0jj@kOY9;(6}7&CD5ln8_zN;e|^Ig|A;>IP*+_j zNDRnN>D)t1+80wK?PQQO;-s926&AmWF}SN{u%w?DA_tJ&5o61y@PO;8%1>8A?p*b< zcY6vj%(onOxGX@fQ} zXt+2K%7!qlO+ngh4i)kx&c)(#&=mVgV)VeMik@5W3bT}*)*pT?U-9qSm@mF(Jx>>F9uP7N-Ym9xC&WQ|llT1Nvu9Nbr2F<^#FAiitlSjkF26n<9%mws-Zy;CsF7t`Q;6 zj$Z#k6#(U@(-RX&dpo0;t8f`vyKqGMK`v#O?#WcAW9QZ4A!d!mkhpr@Igs8K)pTe! zeSA0Gt<()2(t+x#?Kmm&H-BRhTT?5yrEpV~GQSW&)XWuVjeg;(>gMCuNa~ z=kSFQf^G9hOH%+}WV_ocZO&Z$D!0-!#5b z`%F31y9@L{D_8fQme|0Uj}OB`5#5F|2LY7;in?wC^zCNLew?_jaEDj~13LEQ?R#=+ z>L9!OM=|{rWeWCd`uO_-;d^BYD#LabqYF)$z*52<8haTkk-(rH=KWB<;dfH*-nc1k z`!_OrW;wq#ZFRy9SXPuk?%5j*^ZSO`}U(jX&AxML9CICca3cvCrVTfMS-!H!^K0hsj{$ou8pp)(W#BWCy zUXg8^o~Y3;Z%Z!?huhS3YWGr~ba7vU4m{ZK2Wa}hYc-uOyhD@1e2BaSWXW3pX20KR zd)ykWZ@ceDcxU<9QmKB9F4?rxep5-?V0rL4-)d8GblpSXsX5lJzMSPns}y$S50nmx(-i=_#kp==pW^F-Vi|&A5v4UtOm200Rk`Ob@&-y{--aI#?@? z-{hpfv-in&(pLi~4Q>cNKyf&yI;lN@HWV+*8O%=EIzrmm)Ii+p*VeBN?#AkaaLCr{ zEY%wjXyJg%y~{J^1Tjm7n_$K7jnt{jO8uuoCK^7tUuix1W&ffbelZyw<6@&`r6zo^ z_MgB%k(r^+9Sef21sJaA*5&zNf0j<%6#q2%mZN$}%w@Td$Bwd$1$Q2H(QS8-?gX6j z75utDVm-XMoGfyCGVjBNA#!2Nm*=6kN#R_Nh-e0*8je5Ri$s<6X^-E@QIb{7)&eee zcIz*g;{ZzoGu>BB)2qjK(TEdC1MJo$01LfaF2JyecQ_@Gc7#VgI~kAzUrUMIBfP5q z1hB5S@rKnyHf#)IK3((emmUvr zf*!K@ac315+x*RL0~yS4++~J%jdb#K?(8^x1^=s>UL#+rCU7Wwdkd`CULb(1o_yF!}#T4ydz!$-tYxC{LYEzZWfv!vC|GEB;Ko z6$?H9z=HqJdRtJ0*Teg@B423#b1>K&6<;yIOfU z+qigon4$Qs!9ZDrn}w$xJ&O6IfDkWCKv0BU5XQ?dDu;>*!$kiR6XX}7M@65)g#Hs1 z5)`Eu5abmT7W;2h=zkIS)=^P?{r~6;DXBkRNbayK)Ae=!#l#(tH z20>!zmJ$rQy95kET0y$*8T>ro=lR~>KX=_{t$SUvX1`|d{oe0*z2EzsGc)Iay>L+! 
z4D}bn&;$sFA^*<(3&qhAXHbG53MPsYCrFkQMZwYFPjz9UNHh$@C{ZcYnP_n&p&KO% zmx2>y!K4UUp+qGRXQGi(1kor_aZn^d4+(;35Q?MK2oO%t;|vmPfFb{S9sDTzh_gu!rvWF#o@??OmPBmqhw{)&>4lsbb*La(GKOdOmH_MX`8k%=YlH`OhADq z0EBKrI3!S@vj`DJiz1MqXfPUQ&XNL60xgsjl|X@$3FLr*_Ja^fh#BE+Fr?rM{BKmw z$bu4;JPQ(16iEm;7&_EH7K?+TKs}@gqCnC}N}a`D3PG3*7nPI%yZ@Je)c!XF-G>&H zB+vuYT8h9e(BtBuA_N=ZD0vVf32p=78F|2H5o{&&68s|xh8SE4geVC$P%SXv00<>O z0>I@#he%2h+$8~OeHK#`D3Smrk$)k9X$Y98I2@q{4u*s5;YJ`p;+=6CLCBUfC_xAl z?9A2RU<9ZY2njJIh>|?(6(`Vyun-J@5iFKMfxHAU94Vy+G62jp5Q18YOUZ)}CGk%b z;h@2wW&gw&E(wMS3?A~YNeH-vnv|%7gd_?{m@6fL<_66N^ALF!HBcfN)CNX?;QMg6 zJX#cnMgo5^I1TJZfcAskVCd0k5Q2H|7otFm(O|}-2oNcXK!NoET$tcm5W>Vkn?MNW z%NeUBB*3{+k_0_KlA};kpjv2gaRP*iq6xH>0K)=001mzag!BO`z*%ttD}xk*;4Vo? zf-D%Q2Phg2iY8<+I9UpG^}mV>__jFcEkd0lkP8eTNG#Ofd1&-m#3Wz@o`GVdKre$4 zJIgz85lKlx^ic?~7a%AB2N@0OcvkPgRp4OygFHX01_T2@YeAZU2A!EF{+D%x$)NFs z(15*Y_+MWj2*i^5o1~y0QJ^&-LKCz?fldImk^=Q5Oa)VhU^)Qi7lP1DpejlY21ffV z3kgLS^wj@iyP-M^WD+6a38LW=+~8<&DMCd9b6Em35sZ=KUkC#$DNF*)JHlW%Sjyx< zgdmU~bO#Fb4hUg{stbTv0zr@@byj9UE+Rk^KKqcWYc@(&BApWvS0?v&RMM$2Jn?NEd z5K6+%CkY*AYH+N1%^}NtQQG@LL|AtLIqk6c7uk3T7h8&6ZQ;Bfo=wQ z1-c4^l3;?u!NKBS@Xw$WTv82O_$+O}$^h?@vKTbvZ)F4_NLM5hgeY)> zI_pIvkzlR^e|ZLuMo9k6ZgAzZ$po?xN&ul!fC@=~bp(XqK1+b0mIPmk6Q~42G?=d- zL=u7ovIqix3{3icQNvx)@lj0zwj!O@^S zXXO_0w+bS_Tm)GIgM+~X`@q5>4?;;o#u02q{iPUTOC!uAL>Me@ge(Uk42@6&sSE~@ zu>XR=K%nJ8j3$&{f|Cj41t*>DuwXGlzzFa^h)OZ(BIRC7wf*A;s>rB*{#($fLe-HTE{JR#o8-Yd;+JsC7GwA=; z1Q(D*5~6n20WJZK1fz78N?;4LPznLA55^1r&k#bkoDBx$opqzQ&szUTKHL7z+Jp=u zY<&cY|Iq{!2rRv4@BT*<_3wFvD)o-PLw$F!I_2sZW37duLb|z zgh_xA`Nt4&Gx%2%%o{M(z~c)PfkOXu0B6dA6F^!Z&x$F?YLIS(NrWSevp~y(2+SG+ zk`M<)z(o<_AXQ+0OB=xf1j>Wn1Y3lC{BN;3JJL8)_^;=|G$tVM7*P_;ynhft*pL2U z&)?>m7%t+3VyZ^pEW_n!9#Yi zp@z~sTB0g#@AbRlHSnLzL@0&)Kbg4G{}Q2Q4InI(xr%l`*N zg1!PFcmVl#&qX2#@ISl^&gK74Yd;XkAD~yM=g*;JLpz19pX(kD!vxDz8X*H>ekv_ncV$^0cB`qy& zw~(H)amDP!XF>L4@uc^7-QT-rs@H;u&zy)40RR4v|Cnq2dfOxg>9ftv&HV0P=+}_J z-i!6q%ZO^!jc4AWsnxj&e+-H&;gdQ};T8d=FGoizt6ldDp6O9%jsye*l>BPUx=Vyo 
zrjVlMRy=(3!v4l25RE7vFJ&pzX*a%y3#_cvI5@gs7!^cj4{#Xqm_Hp3`au0-{}F#` z1mB3Kc+t+@H1qY#GS8XD9O!a<3)%FlQ@oZ9o|==b?dMX*Y9z2vxzwn@VV#LaMI2m{XIXKx;H%^C#@~>o^>~9ViyO=`*OkTL+1;yO`)hnrbovw5CUScpj|GoD%Jerb?u|WTqj6Gf5 zrRkTP*|w_aAZpWQmCyYO*k_l;kUnNyVjU_&5H3e^wgRb_J`N2)iAuR5bF!wiDt;s2)ho0%(A)_|ktPSI6G#dJ-jfl+t8>C_QZGt@6$L z?mEd3q#y5K%kjf|O`bH@i#`@GWw1i{xJ{HLSzjgpI#fR2#Qx%(W`)c^g7T%g$YvuMkE7he&c+P3czxM0771?UZx7r98Z5I9sp}9E7xu}{Kx4}T8 zs00@xR6mqeZ$;m&GncZE(OEt8#{S?Ef$bQnB1^f~-ZF+lYzs zetZ-(6&Wg>zknM(Uz%#hZ!q$j1yJrlh;U6)JpI{rbBgl#d2Kh2s>uHTrK2MBxxKPj7B3wy7yd|(7Qc!e5p3+d)#y@Axw~UZuY{Ussq3Z z6)+)Lb~x&b?%wqI!{|xknDdBN`E9*zNXATq4A*f8(kR6BPHtAr7eq?S5x(}M0Q2_E zniv2e%Xb>4_oaqjtI^5c_9q?WGIK@!X={%vSh_fg5%!^7bM_>!dwF7-<3)WLa&1kG zkLR~E^!4+Z2t&qur8uguz*8n=pvcg*D^dIIQwAsUcV@)uxyFlc#Ikgajef?f`ro*l zIm`1!!AQAe;-<>%NI_yb4YicLlBZPalc+m>fE1e>$8Ywok=N}7Uym-k*klco(IFwO zxY{S*mnLst`mx9}{lO9Q)2wQ#!9ehKPVLL{=Z7nky(yNjW%N`!Jl!6o!zd8kP*G^e2khJu;f?Hr@3FKS#+W9(oOn`h@6DGvYJlEddyHd=DHDo zp#zQs;wt{b7JGBSA~R1t=4?(XQoo=+N!4TCt$5Dq+BjEWhM_(L<^|jXLU2Kfmid8#sQPGH+rpHaC79I_*1{zsg~ciskX_8Kxf? 
zA!9NAU}&-UyYY{sIqUSd7zav@&W9zbiay^w+wMMlgb^QlU6&r24r|xM6uUqs&jo5n zv?2V(Z?LH2hwePvm0x?Wppqm)vv!=635524_xoUp%;4}M@tfiH60W8$&n*1*R6`(J zM5{h$-~sC&wM3OXar?q~6x$TlELA|1U<>aZ+`^inU>_@2kl`AZ{c0wW6=V)$*>qY|^ z=_OKz%FSdBJl&RBRWz7fiCA8VAgvc3KFfR;G@8jMlvZhB^rg38dVRH_;Oj@a`lsC_ z&e7c?9_!!0*N30ix#3W@D<0cv{!-v8dzo~*S~FRPvCJap|AXnke>wlZoeunW>i@UP ze+K?5@BP=yuY>2@|L=qM-!BhdbNc^vc{uR@@$z{4==a@nuMeM}i+6cR%xehv(ZiFj z4u8I^YGhHOGk-s2dqI$?3_FBAM`>K=MCU_n~dv)lMXA&K5VUh{Fi+@qM zORn|Kx0ma|x7J1PZmCDytg&W&xh_kTVVTgHRH!>qtqt>!9at4f#JRMDM?BVx9dS$L zy&_k1EwgHBlAF1Pz3TX&l3wWo@U7u}@KSHYDY4v)7VNdswQF*bv%P{xbZffhf|5Ji z+f~Px8?WRh56H2En#$RfrBY}_bbM4@LqHw<8T`tfdCiYh?PoO>r$$cC>1OS6px9q|29ol`v!s6FT^!5J7p=ipeugAo#2)wl zMvq!sy!U80J;e3_qMilswPnBIA#=bznSTjg?eW^8LB>z)fP!`1fuZ8atb2Y)cCGuS zi5Y}7L{u(vhRAxb=vjL23G3^S*0)c!27)d2{r*^Zatv1BV_FrNegT*{qy5NHc76H* zmpn|S{E5lWi+?x~bpytJ0oV1{f;HqWWlHz+4deS+K4s%!u7~v^pGct%L&=LUPw?rG zA}N9NKQ?Z84BV)U)??v(OE@tJluLdRrMOW{Q*+?CZILKVya0C)VoQ*G-mX=;<^Y}v z^#}0_j+UA?O4Oa32Ex~s&fovMU1@UZ;Rx}&r!ncspBi5?e?F|d6c(nW|Lg6~>+c+| zVV0CFqMvY+j-Z#9es1NN_+0<<SiMVksHpx_Rq-xA)-~`Db zCk=H_%G#K$q7lZG2o0$J@=HM}R8nblS!f>d8vLC2Nj=3vu;5@oku8-;p>HnqPQ8Xi0sCP(i!pb`r-uib>DA?H;zv!kI!j$ z=c-?Fpt&F2$`1>T5*!*p4Cm|ZElon99O@60#d{P@nlGQ>Z(`+n1|*5sCT}1-oz%_&pKHlmuo{I7Z=w*6`kcpa$qnl>?w2r&*@*X z9#a@&wSM?kJVI1C_YJ*Mk*qZ9wO>+k%fk-U!8`{J^|F4g+)ssGSnSM8Pp_1Wr9aJG z8R#o8*Z|&ygouAGH?HpJ|h9fgLSlBnmLv zpD~kEh7dP4A=>VaGS7>2E){+g z%;OIHMfL~>=v(VzKv2?7z4{32t~wfTz}#Q+1RKk-qEdaVd4DD>Hg+QMM1GcjH2%a! 
z-Qa~#r^Y${!^1F`%gTW%L%&bdv0+1Td>VG}eGxzJhmzIvvJ+;9^N+vlon)wX0(Eab zD#^|tug9(Ewfd{Ne|ep>(i^)vwvgcApg3W-5btH7J1cfi2sj>%806{}`0+b-(6n3V z$5MmygG=$JuD5J5m~`SA3hOFuycqUIG&wb0Qtr(sG$`fYqdj~BKBGHfyC=8MXRGtb z-!Nq?G{MVFd18?~!8h^xP)T?A(@snO)@i!=FD!b!$Q|@pZsCvV&g5m)5Joz(`bZ4!4I_IscY)xAt*tgEZ?FT)-|Kl`N`3o zhUwRW<6~LhpB@WFvg<6p;K7)(Xzy2PCCoBwPZUuw{(cRp02U3Bchv<>7v32!K1%@n z^oxHGcS;ZE9yK<0PK^{iQ8&@a-9-8D10FS--3N+-h1ww&CW6#!IwyVemn&Qy<#Rhf zhU(P$>tjM2@v^9#x}hOQshe2~P9Bc$Wpb-$nMVFt>js?e4Ij7}$Yc;Nt5N4|sLPq$ zBVInX!yE%Z2|j$*W2%v~YSvWqM+nQv>sR-;EqZGJ~?qY20N(SwlHGzgVU!Gu^zj^KKrxKsT#!zz$I0zkZ z+C>>?jpkxkg%|mX1g~v{!nSl13@Y&(Y0_2Z>H_()Z*$$>GdDR8Ab!7MtUaM^-yhDs zO+4_)W`5S}{)YzxExlna9x+^f~;d&UvS!Rt?Tr1;>ITmSJzxRXUL?C zQnBRvD5T)EN{w0`gr{;AtY+}%)T@O08WR8=I++kqD38vq3$l}|l}in9ltU}|$9JJU zc8Lepz311RwR)@h=80@+<;GD&oeNB@wiBNWg`c}a+n6S=_@6rrfwE6=@btJlJ8R91 zdNZ!CYJMvgO<2nf!se~+;chIp>A2B7FV@KWP8R9oPlV;eJO)&*?&c;uNEB1c`vrW- zqr68`@M|0!MoWX2veYDdF}6ozIM=l)tXSKqRH>WrVRz z^LC#x4A^5lz2%?qx5I=|&K-wwHI!8=6sgR~s0u0T!ykI|q zE_-9DA2q9zT{-kC?Y4VJG`@?4X`>hIa4)FZ={TZSintzO7beQXxJYz@zcYL>)9F~d znlNLmI}nLxG)>o=sWqs5!x!&wc^_@pmJr~ph#p&v4ls5F(426TuJn)~+=?C^jQCOPqfs(^1y!F;x&DB;WZa zzoPh2Q705vC{54b&)*uhQLYu8CO_SoGvTpYDQM>-gzX=G^%Nh?@oY1AnCPBJ zkEs|Ngju0uLN!jwTWFEFG>y|72EpaYPQ2Xi@Xj`>md`uCSh=wRXo@a&(6?+jY;a+E2HZwArCn}F7vy+& zIDWuX8mDTLU#OZk0dEfJu*j7+U>4{lv+MA6E%m_k%^k7P;Skj&ztTKfzVXo&D#zvo zMEdLd(=l!%57(C)htuhNKPt_U<>A#$F|Mqd%C6G*e&sD-w0K3e1%FZN*`q>Cnv;4) z{*_BTsi7uznx$12$7F;+%;`0{~egp@PKTi?YDt`6+7{j zumxq)xMQkOV3qi5!>9Dj>!eL$_+NUd2T3*wUp{+J85xXv%Kd7g8l)ppnbGMz^jcWkXW927l?5 z!jCLjbWYUZs(vxMP7A_+Cy}h6!$XsU93RJaUny>^%axTYq}*bbnt6fw@V9L9QqnR1 zFZQ)X;|L``o0qFGKg55Wh@y8qJIe|<9$lXsA1rR5S!*7&4f_5jt@#HfDf`#5R?VHa z-N{Y)9B*+zOpT9Kh94&E7(XtF>y+>Ay+$@KJDJu~HW?X7Oa$pXa4e^hYkm0sUV{?*B7*mD z@r`NqomP?=UdE9hkICfNR1#Db-HFmxWEKN&kNTEof3NTA4(!4=Nc5e%5pgwXQODi( zS;~1KH%k>#EvwG9>Iq(@x$orZ^-juYY+Tg~+ZkX|h`jpp={Qcs{<(Yk-K(hV&4G9L zS%~JBG)K)0!&he8Zv#i-i?ePE3HIC$dN10sPoyAyk4z%$V|Rx9PJ62(i&3IKgpJXG 
zJM#^;buPgJapcSJgUEXY0b&32WKBt3lVWPrmWtUQ{1N<1%TgQf zy(c;VxhUQMhF@IJWcsw-Mzi@~|vpCQ8sT+zlB z;8Vs#vu@|zo5`Uq#N>u);$mH7bQ9J-ej3_i3@w8xIed-l?zU5!e~%E|MHcp{2fF&? zV0@{b>x(r(?~Ijsw>6}-$z7!gChFyYmoQ1!T zZIU-tY>LQ?3&o4GD|~@F=PUGluo&TF!+fH^(n$CckJoG-6yL%qP#3V)+r__K|MTwl zMaUeLVC>|R`-n`kNc{q`)M{Uhf=GcoaYVfsw+}gYCIX$1r%v~^fA2*vgt8*%4otxv z80eFu#^X=BH=4ljD8O468{k1!f2n=z;B=Fy7>C}lx5VS>&i#H3Ug!-n%eR~28LfxlFX565)9Agz8W_c^eZOV|1(&rL{loQtUT-SNv$ zGK8oel^-+w!nyWd$&%{oJnSjC%#b@r3zQn0k)+x9Cg1H$Mt6dj6&P9sWM$soj?ZC6 zi$<{OeTb1j(?*EX$K68hUKn)He_TTxoyLFfgva(HeRo)%!qNyG<^(ELl7o3wiOX@G zYaGvQJ+c{DJkUu{mJQ>(ax+6`-K(6M+nS5?Nux`m%A9KpY%O~y`kv+sW2=gGK4537 zL2^fAapAeMT&jO+>&-BgRZ>{|)i$CW0sApXTRgE>smnrx(WEe`+xlv}hhDCi+6>QE zsbSv5vcOvGn6IszhHO*hfLp{E?Jmi;Z_HU&$YPJ8aTs_4mt}RPB3W7~E$*9_)hxD? zWQPcU;d$7(0|g_9gETjbP|ZueDBw;I_RTWMg_w{V`j&kX=GTeTNRBoGo(fLMqsCu2 zvOpwRHKoo^wCYH7wKVH6*a|+%#Ep+j#sS^1k_4iA0uK{dA9hRJgx?ovYPz^1Fb_{6 zdOeZbz4}Sta&78u^mkj<{1+*W2@9?YJP59AVk*2Jmwthz$R_6umQS!HyGK1~e zW5>7qQyhU_u|d~2C!$R9ZAZ7IQUW@lobj#15KQoHs$_xwYp;>V2brv!cNr54o*aj5 z9lKj+!JNA^K0kq~?#Qo>(Z~XAG`M$+nkUm71fqJ6iJD-)K z=^uA*D!O17ieL8E;X0l2o@k{P!13>HP)St?%E(w@20|Qa#nkX~bHQPkl`y5ionDSl zc|;Y*OstU;UA5EALnSvF9?2$V_m78Z9}SkkUp1y-h_Rlw7v+R>hfRTH?MAAV#HZh{ z^mOe98XD|&ATE`vcK@jz&swD+@x1LT`fXOxyoP?p#hR^c>DC0KJJ3p>*2C>vj$XBD z-mIHdnV+zNo3nj&vs*GH4XQ?qvW+ZJQtOr0E0MwnS^N17GSlvZpL?^2J3lGb_R@Cw zP6%Cl$ohQq+)8o4wENmR5bIF@y=>pNDN@BV7M$Wp#k4{iLCSX01&d5+qFZ@3BJ^dP zuECP*PK&gCze)Ge;kn<36r)NVWZiosx!7xAasZLgr5Ao&))&L%@=N_&$Zlj=V-4+_ zN&0WgiIk5{1%+%8J-nO8A}y>*4N-V}YWcOC+oE!Zxb7lO)B=5_4DeC!Fd_Ng%Q!D7 zp*=>TGx=F~`o*adG6MhD;hd&5gPe+@!Tsyl{5bKKS3N4QNsN7yi7`N7+=9t8U33MatLKedwKR{395IyhIOfRP=W7oMx8XGyS?F z8C_|hSFFa|hfKmsBHAgWc8KTb-8I%nc+ilx9rOFu(xwwy9D2hzn=xT~``EO|qVfk< zLLWXh)#r7DJVpRzF7#89$XLB67g7o=M4gjmi1=yW2+LW1^)#_?e|MwsaeSMCvJc0c zH1ytycYK&fayZF8PY>eZh4cn-?ZVKiBVqH&3ncB$R$tvWYbjBlB#iCNpLcG%Yf8u^ zuC*|6pf1soK|?bp?v^-eMCS2PCP$gC&=U2|$R@1a;i+Z?3dj%*eL!d0s{x4RXt=K# zu_m1r#okS*TX=;mfr33km zBvROH$p`9cw1m 
zGS-)6Hhp?Jzpd5R?N;2IEM>eEF#6>%tPt5dBI(hW0c*eK(g5s&te`s;x9A&AyOb-U z7ygKe=KqoXN{m_Z&j@=DrBq2s`mpynrqwul>vMx~3;-9DlFcvQf(H-z`nrnY!^HLP z{wjG#f(ZUhDJQYh?ct!y>1<@f@RglS`@?$+#_zsc*w(59#ZNgY?&9HfrF2n|uRCes z)gdX75K~`YIU4=4#9)JMiy=Q%-7=>xe6>jD+IM)a7-X}M9nipC&g&4+v4cYaDi%BX zu(APRpr-v%8Bsz*xethwof%J|QaIH#}Xp3tXHZRlqr2j`p-hi@)e*gAjK zMUo_ZEH^|Tc6w^V19p83@K(;LRQ8*iuN$c1p)VSKOolT~^_;w-iMHmTQd6XQ&Mm&5 z*#n_B_TB_8vCww>uBJg)lRu5lqa9&jX6;)QmpE$8YA9+c&{lvJj zSgQGXf!T;1+>huWf>fE5+5h-FW1Lp!xarpqtvV(Ajgz_YhE4D3)`$FpvNP5i^cT~{oNN2xRBlZ_MW9hYbLyiP9~ z%X%_*V%CHAZ(_2Mkpo}pgZ~H&+ag|%wO^9SQRH<@*Qx8OTZjTHp2 zV|f~tW+N1NY&%85Y!DbW*hcS-neQo%8+h3+QFGi$8h_*gWlX2-pOa0%p&0L_w9FRg z^GB_XS3VXtnu)tQ51#YQ)RNjR7|dsUj(Tm-9N1I9T9w~adu7*`Xo-br$sh{`#}naG z!{_2uhvb6QrBPAGtQb0;GV^O+oj3HLU*}#?5kIoMw3+eLru5tHTI-Lj3s<#{@j$I) zj%}f#(&pv3*7EBdU5?c;ZtdQTQ3{NJ$(6-!feq;Bxrgkb(jxT<6+?3|iYu@R4x3W= zr+PKhTQckmGcRg$%ga6xeUSSu{(~&erd_hZ)&QG-Z-w5D7D{p$vL!ALkIr znmXU`TJF}5>)n_t{=$h`Ivf;7^%%&B3+R+qVNsZ*GJY(3Xc8?4W0=cYNJDB z!bHfj2eB8Y1K&bld^#r9hdkN7QLZR~WgHk7}U(&I#xigO^gee?|0p+D8U~r)!|P+eoT&_uej`U zS^TYKO}kQyfLycRj1kWFqffo6Ms08y4i=J|h;jEzk=xL23BdWb?vfM!$-u1&n5 z?4jv3BKciWAt-gvTVjXW9=)K5d=&@(za9yZt@+L+|9nYYTz~zbI4SpXDsEkZ79i zQ5qHU$R(K1mIxO6Igb{osCUw?a4c5O-`UAtcKsC~dg0x@^9Ae*0y9qKq}~qowVN%z zH7Q*qJ&7EioU8HS4Rg2mjYmhM`JQX%XW2alk~W0=if@bLqd5jJF}p9?vE*qW6q2)DJkt5IVW>WRWc4>F~8_Ip=19uAq$ zcbku6DR*{psH(Xnzg2yDo+dge)-pSFXQzB4t!pYHvvtK5rfkHi9Wfa7$Ra04B305G zLvnERi_M5kIeCDeYj*ml#SjOe9v6f-|ci8Y}6IeQN;`BK#Xo=Rpl)zH^160m5k6PTR)lV5!WC&;Ff zREdini|ah~0Cb`Xh(EMhbS-nFxTxt?ppHa)^@AWPe?Lj93V{9L%|xtCLg?Y zti^VIG4K3hXg1}`-bd=S8gLP(OS~7l#V)NAT*rW8-#1bpg{HYc7-sm|IJZoe zg~ip-@=xXTH~RcZT{ufZM$1gQWIuFHX}0Z5nui=G0rUN=qfQe^Zp4SFE<87dhUp)_ z?p&-o>URtQE3X!!hg}{Um6>U!5{Qy@yr?SsLIS5*hK78kb~b;(BX-BC#ZrhRr6Ws- zIPB`3wn?qDG|bfr;sZ*1mS9JZ{2Cm@N&8(fE5zv+Gr#W0U8`MUWwEgS$m^cE@Vc_Q z`gqPAfTcN=2HLFLmddC3rlXiqea9*vYsdNuB}0nHf_xS$zfCAYHd z3$?I*HJ#1_24+RAr!jqL^i#;47@H@xlFyD~vE)@O?TBAr*P4p+u1578SSW0-4q+7v 
zK6xW$NOH)X{XbTZ3E_W?vqlwZ(B=_gRV+2x0b%2BT!D;VTI)<~b7X6?H-D&-JQ{ws z9ab+}drFellsF%_q&-j7>|2Mk#DD$JKv|N7unSrsskOaXE$ptco~1KPLJ2RJRK4Y- z>j7;+O9mm6%@?u;X#Fv6);f$39d~n0Qh)opwE*38@Nk9{(VCj#p6q|gsMMZh4YnBx z9J)6-ZqO8b>j+M@vK>x_mGB+L8YZ7(3qKlFA1DtNU_4TIZ}F@z$Dv|3HYVA{LyL8b zI@Q6_!;DY5`^(FHikG!z4knH$g}4W;lxy5V5RKoNt_c|s&hi)J`i}Xj1wZh$9lH(J zbMO^vBuf5T96D~2EH?DNLUgt`IVbGR0X9nW+*%Hc(_&V9YU^(QpVPO2t`*f4M;o0L zidbBl1tw1;p=ur0m29`g1C)E|Iu{wZ;H3i^DS7m_qzQqYX(5`bQ+F*gf$XtS5-#^I<1)&-m$J~0rVR~ zhVsg7w`r;eOG)-D%-O!ex3~Pb`gan`G?-ZCl91i+XC{%6xa(GtE3D+D0_MprAA4wu z9VQ{ekut=xVu#djX-O33BzuYwR|at<$5Ok;t=}wnp8X z=~8^p!q>l>c}Ip{$?i*?p)9df7|>62rRV(UuzOo>&J+}RbMCMKavA5Sa?Vt%pmhN} zogHx6?6P85K#8Z3##_mGJknxRqWH6zq~jJ~fbpUDf}Qt;%01A`Jg+L~tF(9GqR}$8 z0C9Qt3thZvBIjm)KRv4=xR+a)W-M}0tpj`<)cyS!H!9XF)Vel3{<>_=CLnLR66N)w z+BNVu$IS;ssS^_rE7yavs9CXd8=3<_8VQ^{pVQal7WGP&O(XCEfx2rNP1m=QM$&8B z=O7I)+jJgH8K10?GBZ4Tm|jt@P&?J5#`V~<6>IU;ExFC^_9>0pL&UB_TAoHa_z)G$ zg_$SIm3a1%-)S7NY%K*%$b8_Se#o&-Qa;h@{yV8RVOEN6lL<}4Bb51bkJmFWqzKLe zYGH5I>04+APdojqT@h?wPJ^1ACCy2cDjGL$&VOn4{Upe+$+^9!Y55UtET&ZLzCg zed8)d|H#;=FU=Bnl3gTUwk|%$NMA1WK87lJnoYAP2k%w&hQBd*n@7hcZR^p*%)RY- zy6@_mVoD}^YQz{JU7Gu*@phFA7~ImevcL-cA_M0y2uB#rWBSJ#Zo@sQ&0Hj8Vi{vA z)b`ouezxnHLSRUuxhyqmfR}%!G;%HYm)6P?h#=GX2!S+mM%I9~lLvakN?vV5=N*Sa zkSmW$@zp~5HQ{sVY*4SGx}54oXw{aVcB~mqTFJ9M&HWViKV&Q0$;RH!x8~{i)ju}~ z?m)Z0`6gss&Nb%F`eLfHMqhYdMO)#0{$4}&pk%mUUtyGG1#A|?>c_L{?5xzt;+A{$b^ zA&CNW#G_a0Y)rUHFLNaq%@T*ay+U>&b*ht-jM+5YCgUBMhYdiLV4ibo4PNHkizt80 zH{NDbrnc2$m+F;qaqH+n?fGd$`IU<^aVcfmgHKAWb6zQFjmEc~gv_4X?*95V$1Rp< z)B080a8Qn$f(yy!`&2GgITyuJXX56GjmwX-#EVvk3^smOh<-$eqfG&>OzY39&+(m?o*r=coS~c54MrDf$iab>WOhqcOut+~>orOtetrw7hSHF_GL8wvH>_dMujg zkIh@8$&hX>SrCJcWZkbi-O~Xw3cV?=qMw(qwuY^xXz#lMu)8EUcEf14Xnd)|NDb4x z??T)n$IYzIT!N}RV>gsiT#3~g`h$tP6SWf7SrZPqy{|f|(9ESRyrOc1C8geDGcQH9 zCPJ0HhVzztqYBok)xEn5Hi_j&iJvXRcze(_-xzgeX#4U~eBxv6fKCNzl)%)eqRxwG z|9rFcP{xbHC{o~u9+xxyJAim7kpQ#q-zEZ;o-E4sJ8|rw~nQcq9>+af(Y_`3bD=G-cqAV2Y)6u@0xbzj(qiCH%!fq#ysV#A1a 
zQJo9>b=!&+_{poj8x&zd^w`r)^RDcGXGU0{plZlH2`||eix&}f$qO&r90L?F-ywYI z66vjy%~#(3P9-+CU+5bVX4CIx6pz0`N);Q1x5mk)csFgcCkO>9h}wSnIPS&xmu*0#`U00{gp_jTr#!&rPAQmVZo@d^Nxyj+8}RI$o|{ z(w_Bb@+-5IdAz&u0E!I!l@EQl>}px7A<|I+XeIbB&POH3`IDEf8fb2RAax#Pk8I4Y zBd5aezY4G_vtu`7;?P{;b^kQ)kie0uDbUQ|!c``my7()bRig)gB3Q8@qO*{u#TifP z<;DdtYk6IUuY#F&&ul{BPigekrxQqc zub5GxS?_u1JYbjvXS}CDzaa5y5mVT)WQdVaH|jVXo_`}1<>d>>4(?mbw%}-975wo| zW$S04oUeYx<#H`FOXhcuL;CTl$Th(`q=2Iyl1!L>yn-&tOdh)ua4JS~gP1ne>v_bt zW5!44mS)=Io_MkPsT8gJe6Rfl}LazQ=IFOEg-&$L|o3g4JDk@^#; zIPMm#`zyK^i0yMr-xiYV@TWOy%n8Jy0OjE)MNWLPh}n66Q~mocb7?ooZ87vgmx18E ze8;JV8}$pAiU+s6$WjYD@Z=XfY>GQ?m_&D9k+06*v(d28FO5C6;_t~5^m(P!cn#xk zeVfM4cI2_m%t6+bd&BR(gmzbGlChUK-phn7LKmq=SKnP?lgb`!1j$pgZLfTi$b@y+ z?^9Ru*dMFQwKUOnsf0b3$uspcFq#7?l)g3b)Fz|SIVOpvnEfSX0l|+>}FN( z<^M9IEW4uB^VR}+3@b_`-*S}bkA8qJc||U8sN;^Kz+8U!z(?qTkhc>((+Y5pbw?ub z$iY+&kdS_lgPINQm6QsW{QmVo8k$SGf~mm!B=D8&iD=3W1`mXgF~pOGTZuvecVhX- z+53r)HdTmdQk6?9hC|XUbgpu0cAJUtfsx=uMX1Fz``#p;w0rWHD3awga&1ZWb|A#Q z)aEWjWb8pq|7rSdib4BM1|U@ioe@Auq|%85@~ZH{JAJtZs%Z;B?OcM^o|*Q&ACVId z#%u{sO}gi$r8#Qc^eC)qkj3rG`CdKkd)NRcvf zp7$`@T^QvucfPqn!-TAkYP>!i>(i54rX)vlMMjO;B%{>+bZ_LKEzHn06P3HKz{OLt zs&v=;zR|CFBdEQk3RGD=cX9Y3+lX&n9&5Q8^5)H5>D4b*u)b}BmG!{=Td+<}9qWx? 
zM_TjRC^h{2p9t1oH$c=mWl>5TdY^_;+rv@~X`NE1{bSU9+d^y^jw_czOwev29@K0< zeB*oLGm9gqi38Zt5eEaC)vjPsRAf#7mY_tCc+P7>TLbx>Znmc+G@d0$GQ(`u)TvfVo+`L` zPBQ?H^!cWBY3C5=cBbod=DPO-=)E0;<^EQ0c9)FP_UMsSqvoZpYt0LS$w60x$TZZH zY?7DgDaOq%j&o7P?TzMUzr@D3w>x#n#iWH_v?*DpioPlDe1h2pP!WVW-_0JSiO;CP!4yD;(+EhM<_ zi<0XSAMoeKerB;5@p7x|wi)j=6Ve+|Tr8-$NmL}=lu%_gOaLR{1q`kHT_ zfQ~oOe9G4^R!4;qM3J#oiYdpT9jv^7`xg#e{kNn`=8DCTF){2pZut`3kx-eH07lJ4 z`qf2Z;qC+*0BO;~N-Kt^GiUu&df#Xf(`03;{%yiro^v)WV^{X#-emVg*$~UHU646CNhJ_@l??j5)X}c2&Nu< z`6MM&L|Ur&co$hUO>H``{60dxt~|%IHAoff5o6n=?4ix8$NZq!pcAf9aj&5{wb87q zI2lm4EjKn_oeaZdiCXnwBR6E8Jc)Qulss$D1Qkv?VwJcsLyWr?-*NvGB2=55v>j!3 z>?mDRsEc(#MF(rWvK@Knq9`J*nH=zc0ct>%zq4vMIj6>Ji_D-)YT~%Mzp-d9ee(Q8 z=6SN9@|)N*qZlWHmaORn;U7>M&&;U))THVSFaS~ye^@oI`3Z61<$fB1Ix8yfXSZMowPaK$zIT1p!qdtNe}ExC`{0f z{ek6pTn;pKC`>!*f))FR(EFNPVPJ{Hnj}=NE6KgCWNcR={y&~Ej@M%v2>!ql4Ky)T z*etTlXVl_zj=2KHa{9930OeDL-wN^xC|nZne;Lnuf`KG{S&67fLJ}jed?A#Ye;|<< z?NjnAfO+G$VE7tuE-z!ha?L-X0FtDDzP2N`y~%xzMT-uqOny8T?!%hOX++OU>`oF8piU!vcW(*6(9j(z ze?Y?PEe``~0+2RyCF=tA2o>lCl>YO;L;f)1@LB3K4SzNW&**jP7Zl|o%JKqxhFVRh z0S$I-1j{&6pFR6XQyxKO-s2OY4ylqx3f4dkD&8hYDlA5mr)$b@0nXB%NPqi^VX7GTj zpDoIBd&at9S$}jwjYp=`6g3_EOTJS;6E&tLLVokPaX=bZ?eP&+9|VxS{qpP|P<7;x zY5}SG*f2`dud;|PGEJNHY?ZNMuAh&F{J$zwN7d52)pC+W@*^5maHK`0r-9~9f3KSU z0hojd_1Kowo$pfzz1#F@N)-<|_f@jYu@>c!F>)iDWk1j$#}2Z~Msrom*sdTjb_*0# z1uz_;rMx$Q98VtBiJVEDDq7O%(q)~iTGrWGzs^@I>!NK=SJP*76IgC#Eb1n(+{rcy z9r>}8KN`AYj#D5sy0L+IaeI@XJ!^(WM0Sx))8(HSt6Q5F_1eEp{fAzOd-{Vl2 z9Du+&*|W(dF7pRoG&a`DgUu^K8SKCLmHUfNx%bI1Pf(b*emTiTPCzI`RSI7CRr1@4 zYG~*tpfy%(v}#R#SjTSiPFwQ2T9}=i$SnKe*-i$>jaRFM*py$5*SW5&!+|N9Svs!L>$2V<&*b!pOtM! 
z|MY46F?R0dx<=n(<(M#rW6htQ2GmE+={-tw5%@bo=hU$gXtoe$w@q6r)4FFy?Z>8R z_$jsgvZR)$el@%X9NwdrpF#E0In)9W_6({1Fuw40M@+iMERX<4LJHexlq9mrm$w{;w@&pm&;1~?6>|+QReqmWoHrQ0i_(-yxfIH%4{b86p24%iAHTPM`M3y2OasO|WSx~?p#{5rikV*co{GpH4Yf8kPWi_tK)=W4i_-D1O zDz$Y@@olS$=|EAMR`k(4=T(HNkdI=VKE=|gpRC-nq*xRs#yt9ht+7-lX;JZU3yKGn ze*`K%nL>Gz0450)NdS<9mnh2%l;!oJzI*{7!f^_!l*~TKz?AZIS*e87Zx0vr{mHVv zzgbWk*(NO}pbRWmI@Tte?^lG%xUqcA>E;i&R#f(!T!a6&-B^_CnqPTW3Hew2Dmd?# z{W9AwE~d&qdh=JyGKrO)2 zeu6r=rjDo|>OHnf@e4kRWr|!^|6#1wAsRf29CA6J@n3zwvZCobsLeH+|Mm}gADNq> zK8>QF!zkVmR&)3%@I2#~7i@nQKv95;?=zlk{{9A-P)={s4-Ep$5Wo*aE~{_be}ek9 z%&B|Rv^uPsvg}#gc9!=~sr$&Bx=t*p`zWe&0E@MYT(V_YbsGm&za4eiHw+{rYCb-x zI>rWoX*@E9;;`-VgxYRQs}WmPhXt#O2twiB+lLh!P~B;-YR`?5aRBD9`Nt9M%HPtc zlD+M!I!UO%#yNhQR_)DkfEiNhe*rAp_8RLlZ=Q8ktHQcjXu^2$$tKnQ(XY0|F$QO{YkM_p(Yv1=#9k5O5 zK;f(oW4j_fejUXQ9k|JQP0YZ}%)G7GmoA^uQK7^h6r^iSAL~~YO<@1X zm-tw?tdIEs#JNAA0&&0*!+XWpmh~x%`U))Z^NNdI(5IL=)CF)-QJqwyFbhh0JFmo- zb4tQPC;ZKF?4pvfX34;oe@xRS(L`VWUeq^0Nqqn?zt1b>6?P0IN_#%5Oni8{xkp2o z&p@dhseYAxA=DC{8<~CGc>Q9+v+LHP@@c99vWEf0b%8qXQy!InhV4d|;Kpk}~mJX9-u);L$9azv>;ZV>3JUVe zvW6cmYaHu2@s@qbHsjw>n+z0*31tXyh5=^q=92oO=G7lDuil;W8X)xdgw3imY*JkS z(+x14d#2O_Fx|&yfBBq%wErhCn}KE1pc-~~)f537`$yGG@NYags``V&YC=sK$uDhJ z0PkuLm|7IY11O$|Zq*#@R}D6-?u=IrCx=vb%={5l55TmkXj_BI_W;cCKGj?vR`VV6 z=*@&YX9rbg?yB#`hHdo#jk%&#pPAnyL<8UiHTO&52*d_pxMm zfaB_tT;~iR%gR5!sJzoYKv`1p31DK@twed6uu9$W%w}Y;eiwEMV0uuj_D}2Bu~pUI z@Trb-)B;QGA%KZoQB$N}t%q0Det1ot2eD@RQ6*sM-HSp+pfU}*F>O#n` zJx+!>K4?|-v3^w@?o>rYi%NC?%)S;?9`9B4dCqqOb-ISaoWaf=??z>sENJq7UggRq ze>lv2lD$=`#Fm9@&mGr}yczAR1Qh)L&L*QMD*&^iaLg>yPsv7|`%vW}E2=!kt<$I~Zu;@gByeVf#o@2Cq_>_WyYz!3Pe7Ilrx za*O7^Q-ivo7WdoN^egJ|062bk|AfW!L+@EnYBK*!VpRoQ0hRVq18Z^(kzINT+-+-$ zCGWgLh2El4@33NT^Op6_wxo}!$w%Jjf1}N(kJz#3)J4UjDls2t6@#jn+w1EN|{(C?jAFy8!v0`L}M%1Mii&X~%O$V`l zfYW+#4U2<1p%UGD0cH=ioA4iwE!#x_lb4J$b_H8?ea*@;qn7~T3>GUAX!c;qwvkab z`8Bc`b=e9uJ6PWbFl3<73+!{(f2WBTeoaPm9x|Kv6Z@e+L)RBHaCTlp$AIPVy!!S7 z%P!zRReH!UJ=>`rlj@0>LiK>?@RT|aPpadw5Wx2leGsdT6Le{))oigyCd 
zfp%3#0obKsRbTc3&)`pJI#sf-$+BkVLB^1+pF6ef+mLpAAJz{0gat}?`J#4ad$qG{ zPT|bx5%s7`=?tneti7@1l((JQ$GAUnNc+>qwI9F^mCRwm78O~#h^mlVvdAwfV~YAZ zsgnj4ROKu|{~WMf#EM-;f5xuoFY9`RUpEQrcYyL9Q2tgAG@gKdt6b5es#QI&S<~AF z>{iRVa!{R;{uNaY2jm`ISMl(gvQU@gPO=F5ymhbX6#@94;(%Ve0($3I)_dooKA1uo z-ebYuf0@&V*jat}IIS2|CFaY5;=Z9KSi^L(R8GpQa+0T&`3QYo3H z@~uzR&rkxqfAt>=D!q-OoB--s0iO*eAp+?#bwps!6S2A?I9Ik-Pp2l z?AZ=19WV?SwZO8Co<|{2nb9k&nlKjtjP*Lgww+kEjR3L%FwAJcG2;%h)Lx&)52Gk& z{2Bw;G4j~>13BLU_hz(iohe*mRx=Y+b#C)K%|WpYf% zLG0M!akU?sQ0qRz{7$c$fu(WlfEu?As9_hd>>lKM4XEWPuVKkrPL8S#Xj)DK&>1Y+ zDX$gos|_HByHs_clRSf3gm|nf3aL_lNTrH40?hV$mF;OF*R;!Xiv7=`KooKBO>Q}rF#{|MD9eH_ z=Q0*9>ME*o14X%w)w|cSqPygi`(>;89a#RTS<$mPf119@{2#A%*?QJhImE0vjz1p@ zsBC0axdT|E4r~~Zy#}&ZsL`t;mJ57(Q^~PLaj=x{9E*Af0Po{w^gbF`$R^Q%63gd_ zb1o>wzMw4gPY}{(<;a|sozItMLs<&_iZ8~ZVd)aS1urKjyqHn)vuS-{{Q3fAd4ua@Ng+ouK^yzbSqD(;~o=N9C| zx93yEKvQ^pUPVXeEM+N)Tu}K5^Emvh>TmnhYJf3+F_}j=H&4)-2ROg3sP)N;+OCsv zB7JJywS@OyR!andKZ4g7+i2>xJwy!f1$ak-65Sun|6fjT}FQ81^ zq^_-6*<}nnHoS@K5@rfpwh>6e0A>R!vkkkp%UCvY%Lx?b+@i*>`!sfw*RL$gi@h8= zzNo=NbAU39lA$ICDB$SaiHdBWQ0JC0wQn0!+s;vS?q&VZI2pziz#PDG?HW|mHfmF! 
ze;T&-^8J8jFTg|&swE0wP8eG@q*j7|(@C#d2=>kAf#xI@>`;%~;ms=BRHqUkF=b#W z3avz40A>RLervUg!+CvgBMS1USlb>_kIS|FWvzB31VPyz-J$TLer+eXZ%_9sJhn@_ zGQHYG6Ys(rMN}^+!ZEGA@q?D4SgL{zf7}0MNC$IFR+-j;;(0}ulT*rkI+{1HBj3jW zWkjcv$5EAOog}ZEMOlm$JD)zM^Vy5K;F#Ctie+7GTh$E|<0cmCHlX}Uv;Rg=|IM?m zhuE*jjefo5wUo|vxd5Yf6gx4#qLztOxkpxHXWQ2fbB_f@sR`(%+mE_X9-u+7e_l5% z>uu4Z-T>&kq&dBdo7NjsiSzo9Ms5M3&yEFs%bJxfYfgoZSrxI((!neSSToq*qf)d@-eXK>1?s#k>Z#Kc|%ZbXh6pCgsOveS1Bx^hdMGxH+YayVJ@7 z7TX7(Tx6kw+jH_frI`usjc-@vfB7BTb#_XQLsQB>GOL24Gb#j>qR2UwVqHoP&#L_B zqTI(9$BmjtS4s)gg#AA9OGoUgTCih{#|Z1rmxXoe%OWRd1x%&HagC+?vxSh7(d@^0hxFf7>ye?UQDCPGmW z3miVnmL-jDUDm`NW6c2N0%~*Bs1$HvFNgOL@V5cVR_xcdDRpl_O*R2a*aS6B;0K&d zW9ryCqR#M9b?@VKKWE!56FH6G|!3pu6rgjY?3cvH<$ zL%=eu)+^Y!E2D&e^B)v@f92lMrqa+_3zp)rDis1saag5FQJ9d;9X@SI1Bxf*+VY@4 zoBt@$_U9fHr3+AowCzK?b^=Pclbn)1rts)?g|mGZ;X2$3_I~ZGTU12$2w@&j-gId1 z`z{^8f*nYo&;dL4t6)x%CaX|K^5=9Ubxg-llw)7VbmHr{l~>HAf8(?1(>lY9eSxOE z2rQS1mvpfiSh|6weMPrx{kjb(cPrKi{HwZOgSrsfACsHRBl{_RE6N{TRl~%Jx~Esw zIt46aYqIyFEWq{-1$7zQwy2nfC8K56ttg=?__r}JUzhaZoln_G!>UN_P*p~oJho2N z*xCv2UHbe8wRyFmuOF6_@(PuCfXeX8O1nIvjO!E1W~R$NJF2X+V@Nj^=NnVW~} z8g`LEzM>ptp{CQzmZ~)GUQnAEsZK0cJ4({c*tru`+3v#vkzD|#7YGKn685(;ZUKZ{ z|I#RyZ0y>KrhlW1!bB1DQKX?wzyTn`8-q1!lqGBlc(7g@fMv_P#`Z61JSw0mGSK){ ztlDXxy!)|Yf13&Op_A$homO|)BsFeTS198K)Fcd0!ba7O%JhV@zG+bHp?zu#8&LCx zUJ5uE8$&w*r%R2S8F%-n|`Mil;` zMY~e^waZ)u>n7L_t_79FHDlSXy&pQY=N-VrqAIB)I*>i7gQ&=%3KXTvuj4>-;@h}R zB#kI4iBL~gIgJ%NL%=_a4Lf7PJ(=Zl#=I^OmM_<>=}PCCt^vwTn(|gfK)2ni`UNX> zuWC)dfAIRR*uX!V$s*lrO2dAYjT2O7*3~_`ruIo@WUo)o!GOMTo{x>|`ls5jm*lIL zttt+(S(O}^QN@9IRqUOS=ir>$?-HEJF5~7&;yk|w3j*rRSyAU}pW3l% ze@*)q)f6$W=7>eLg)aceyxMmxQ;PtCqF|l+0i*{->7xdKU=RofuvY_{{-qJrWt`wX zb(he8FQCbDWS0n~~xNx*Jn!xrn+P>%wB)Ow*RXinZA} ztj)}_o4W$q>OeVOd9Yn&+VWe0w*FbFtuZayj{VyDz5!5rv=dNvrh2slaKe-Nf3&-F zK|4{ST?14n%2F_`i1=Pbd;pf$?b`pbJD5{4#&ys&tHWjF6yQ2sw4fs>&G94@B@snQ z8q-OX<;+(g!Gc-#3mbOPTnWot&=rqgms|aS63{K|(=F8C2KnL+v-oZ7(=UYjUu)O& zTZ6el8PJEmfU?LZ?kOOdU03f6f8&%-Rb&_Y&<}m-T+w?J=ml{71tia~WzWel&rz=z 
zHbD7iK$+Ex=n4Jvc~Y^?NfrD*guQogTwi|O36kiDoO2{W5@5~=IT9HJ2m&BM1Ogy( z&L9$zb7}yM*gzu#-3{>f)67qnR+eTo^P8ZNE!WoCAkgx8m_%aQjQX@1H-z|NWzv`1xiD#v4XZk+h7$d&?*YUPJL!EsBGd zQF3Jk9|D(9>d)KWT2%9Xf9F%?kEBD4(6;r3?Mo-)ZV1>!llLZ?-MN1*>u7V;q1AOA ztuEqNcB+e`4qY~S^f>D=dgB1IFWG~apJAo?1S_pnhB`L>EZVV0gvEo_%YinGmTS^_ z7vroc6`@fdN~$uW?Iu0vKNc#16|snK=RZi$=)rl|m8G09EAz6vO*el{3g&)}eUC z03X`{)e}A^^2)0*s2JQ8>B9{48mOwaVO_8U8(IjP_e-#=)x&m#szO_1H)Dc*`wr|2 z7HGew;E+54XWB1E<`kEbbvV=4d$iGdeL8|C^MF^G4nFVKe+bDM{HZMd%qjr|R1{jU zAgao>4}?U(!kiNP=@2)WC2mqtZnA;j7pszKzwUP%2@8uB>fs;*{}6#0Jw@z{5wDj` zsHCd&>1j1~*eF=D+eUn5ZmFl@=N1_MzZK-2fFY-7_!Wb z`0_GaoIqtGgZiW6P->vf3(|gqRVcJrNdy*E~dlT(DRO= zEu%eZWJrI_MjvUwObG24^UkEh0b$w0xQeQxIADktwa=`uk2x7%Ybjtk;nu)9#v;SJ zP?sgD!@7bn*t5ZV5g31#53`FKvka}6PEBy+Mk%kXUl58SteHUqWtGqfYqr5Wv_W7u zf*AONf5k`{x8Agl4!h8*_0Y<75-7_S1cvIOp#{@iSmAb=Dnno{EfE+EK_M&zWr}Jt zN$WL9P{elP!W70WCNOqk0;9@Fj62L>lJ;wYmTb(K3Zf|9fP%fcJbMzdh-N77mO>U* z2W80s5e-1;DH4dwc2`C7Px^xX{f}(!6L|~R- z^HB@y{zKT!pTTC{2>VZZIFx8%pE(DY#7Q`$Ps1fg1DB#zIM-~$iGkj&{ZInMvq}%| zA}UI*7QT5a@XudIpa7+C%RFoUVGGxa_0mxBjrJql7&ykQ@l)I$rv0Mj5;^5Thp=FT ze}t;?m?8b)Ann))GYf%=(J(JiRcdsn=qDhvdnPRH(MIS6EJoBWnUKp4B4PFnuNT>K z?)2fm|3RMFCjBzZ+{nK|Ahx2Re=i;ZH}u{m34I3v#be@tyoyNh4F{% zos$o-n8wOvkDezELq5Xny(3KdQAwQlF>bqq3FQtZ<)ZkQVi$9A{{1WuFfZF>e;s0h zin2g(7B325jf(vCT_-SW z0+I21I@5;va2rJUt{z}BfaOW6CV;WprjqHfOm$hhw8rmU;q6tzN_AmIS&&MD zd0Mb}D$6V_*bE_=AuQ7bWr{Une=$yI#xNzHz=YK#Lwf!alx3TcmzYaQTck|xCM1ne zrVT)zI|4;JbIRNqRDF6VizcCpq4j!H2L%JYDzTqIeh8}94E669rLq$9Dn(jaFDgsX zB5Zs1VYl!Fw(}-ff8K*b#hSF7#o^^RoEYkzvKQb~up;FY7m-uig`!Yde;DvRKWxB9 zfRekytg?oH{0&^8vIG@URf@K8y@;SNK!-H%Bc%5jx5sF?Mg%CdU!4Sn_Tga{;h?HK z>NnyEL;aIs*0>2Ts2DGqo!+dTp_UnCaMuXUjtMJz117fUtM_K`s~;Aap^y|q^!{cr zBxN8Jl9l?Z8sA5-(VLY+f0Teoyk3GyD24Q1^XHgB2{XU;Kl{wz2&EBr?UxbwmuLBy z8|_1iST+;6j+{G-$P1dm+so6)513=kqtJg21-=U?^qxbJ=PW+B&!XIC9yM2&(0XqJ zpPp@@KWq;J5eMjb$ZT?%u(&LtUR>wIVVS^Cg&bGV?yyQ_Swp)Gf5EX`Lof5qNQfRY zVTaJr&aJ*-!z`e}q#j}6F|&y;mB*cmVkcJp5)?~D_m9yC%3 
zJ4Oq3K@=?$0a|D9Ul&T^dJYQJWt-4!I&({P*<^0nwBX|`F*3HnGH(fpf~sPB!uOtF z%l8P|RG6)6hYbI_f6O^sR3ja;&L%D2I$>Gmc9pOY7-kj;7>0QbRb@fcr8({=i?GZR zl9`K>RGbNh|8WA6I|aE2;UC!ei*;0kMTT|4(yE7|cAeQ{9GB8QLz%(w-nt3d+$rQk zyHJ*EposbeB|%Y!HbW8j3F`C_DBsOP^==kcS(C6XT!y-Qe^VMRw#l1?ZRZYb_C=T&sa7vn_4V!_}dofJB1*iILxON=EofgcK(0DV@`(!V{H;0Pyb`4kF zZ6J`aT$VtgqHzC%%l8mcyNjEj2nxgcU4nA2kJWa9ht0=$)J|Bs&+wR!J^2a?1Nu{D zkI+RU5^2HSf2@B&v;GMG;=5Y>%}-Jx1?{g5U+U>ak1rG>TG~pW2oMAi;&CZ!2>Zmx ze`*Hf?$(m-!p1VXs1T&(e3hOf3FJ==feupg;%Bo`@Hq$0pEg9iB zYJgqc2JEvK;$tV^kT?Omj9ECnTZR*@pIhS&+?w~`A?#QEF1(7?;qzvhplGQqD+pky ze-FyvM9{lUTrCiwY)dos*K780tJ^?GPH<=RgrJykzlDG_2~bY(tc%;;GdvenJR;5sAMzd56NvHN4EM$O#Y6V`R4Wl;r_fVj#C*yIm1XOKfQ9NoShg=2vBlduf~F&Q zIx3d#5>-aJy-(HIF_#34j^M0If3-n%StBfK1Z7o%Ws&Nm;dX%l&lBJ|Sg5YPg6dHT zER%bv5~Gl3jWK^PoLB5Y{brW1Ftj%xLEe1;IUBO_E$=h5D^t4o*bc)yL7C=r&C5_0 z5Q_MIC|@+e>II=mAA`DZ1=g8Uuu30=x@HU36`Qb59fj4~Mc8#xMZ~(Vf2A+5n=rt! zk%}V1e8MQ~lL$*1?H6C?@=*s@<`lQqeYkcW!J~dnOClhKwq(gn;pl5#B>e{A!#_lgL)GlP+6X}eS@b|m4`iNNEzS7FNLN0g;0&J z_UUWm6?NX*f3-={$dv#@e<+9;t@^4iU-Jf^|EYMt8L;0fLnJnuo|da*nQk?%f&_wK_e_87+p*HM%bo{v70Xuhu{Ec+PCe-O%|L$kLQHH4(b zVH%D0^JulFx(HzGwP+_SU4*66R*P;MS~xy7;J$*{=Q~&{V4yB%X2?3m5`+Kj^&L!K z6(OInut81`kV!%_b4e^>+&rJ(*d#1l?6LJ&xKO@WN13d)4yNhK7?eNeJ7%d%;`J}{Hew#eTwcjT`@(R2t!*B+EL zRFu3q$RnB{OY4WC{{RZD3Gx*q6hp_fYg(w{dZ7qwhILqne-!3bBES<2>o$v)!szUp9oxlWt+`?_D#%&= z`_*`ayw4l>f6L#`mf$cqWJ2=ONV9rK_U9Z5DL;tbT_}pMQdA2Ow!e?X-+dpCUsGBB z`bVkw^B=y$_um%bXJ6jq7iaJBfBZNWfBTb2{4GE8*Mvy~_`eshNNU9I{E1mzK(+YI z_d=QYxsq~)^E1zL4uSlu|1KRLx>gXAe}tH_eZ*Dnf8u548WKaNkbHj%DL2QE95jS< zLh>qL7#ThTcui2U#n!7IIUfDUb?e7Fj{&@O9Ym2UfpH$e2d7a~_|Bm9;VM<-1f$8v z=zF$&z}XhUP7ET@*vM8w~e42JCGXp}Dj} z3q)`(>`6nyE6gv_WTQPR;28RA2JHEppl5E`QVB4O&=Zs$LbA)!UpSU(oA24CqUZ_W zHa}~dpSjJ?H`f*++mK+{WVqj8RuQ#+VF?zBf7eq`JpKUH)pW=LlOeyFMFpsVBB>wh zv>_<7C!i|Xfm!(;0!!gh_p ze=%VkE@?B8^%9`CRqJWJ7~~0xSIsWG->t%%pm=93!taexlr>z=qoU-l5fmM+2}o$c zZdB|Nlq1|8KE^$&*1gUX#J6wa4-bl^Q7W@lI?omo5awQA0!D)59F(8G!2k1o0{;D< zCgCstX%T+)d!6{Np#g*zaJgeP9Ro^(Y%T4$< 
z-@U@W|C7Y?xe=inUqAalfoN7MGmyW_Fu#0;ADtB=Z*U*cwWo+LIYLDBF(PRxqu#6` zCQ5^ZN0UgpF@(gc{Ybgoi&VcJr2F&|7M52xvb=hc<=%sAw_fD1^4$9HmeAz8e+=Ng z%V*>}^`Z949NM0&Vt@^NB>sr`WdqIrvuJb`7L1_SO`*YFT&H9fEjF`gwVov~^XRl9 zEJ_X9W%C#aSjBAQ4zvYSf)7VnN#k+3;FvgC`%d6MFW3Q4ta1k* zkKtHFP%>v=pEwT3_)$0$6z4p#l6Z~QYln(*z%YLdPlDnpmas6)`@C90VAcu(vl;5C zDp#l|*WYg98dc?n0Humyf1dmPVsszheftsk^T+2wToilwpFKZss9zrw4OR5;;rKhM z#J~QdY%Csiaqc0qo=q})e31c z;cDeEf=l<2-#Y{2ZW;c~AG|V89{yZ_DF8JGdHj?rBOaIX3xWBCe>uP4&!6J^vszTm zA0lJih}bqGA}S3CuQ4F9;t)|e>xhn@N7U0P#NHW3{IxzL1bjlGUl$U6yO8SBg*2~D zsWRLfZ6 zc}+93jG@+g1PwNme`pj(_}NaO#d?~+Orc9TjZT@k+Uzt2Jv5jJV|8dFZtc1ovCELZOLf_?BqSFED1?N-=(#mRf3nZ}=F(pju;{tfNo65V zXn`W_6Xbbp;B55rOl}{SQb}GBlw>IHzNJ;FgOUMVEH_c+%tP^h8S=s<$ct#Z*qbZb zm_cZJl+^?%ZA2Q;lIKsDL0S0*$|c&b{$1t~hW~_qSUux+GR&)9jY|`cR+*E`J#5&Hmy4h^9=FxVkPkj?5fw{@R}+@NF3ruB^&0Py9DRr4T2&Rg`l(^ z!M%D1o?^n0isF;5f!}K_0;nnh%qmxeqP*Q8C~FM&dT7?_rO_hu@2Hmn_cz_=lNT+wDZc%po36pW*q;w=5H)XH7_*e>0(&R`Zk22+f`m+sBmqlT$1l z8PTz8ME7Ew1Y^N?^v(Xv5bMoK~xGw5cbkDgv4r4EZl%>iIe} zskBd-`&h|hFi$&z=J5_@{TS*U*Dz(fW`^a$ehc%0B378EzvxY5mhbtSsFM$yX<3S*t35N~0GOCCL0b#m#HXs-Vu~qTCV{q$SXux zf6v!KR=jGqV6v za~9!LvJRIjW)ym&vWS3ehWVUT_`cc1$F6=U7nmF2xrI4b z4RcQ}Zi}8<1nLNUZ!ARd&HbbRRXeiV#4OJ3FG@F)UKZ*eSxnX{eru+c)`s^+^j!9%j6*b?eC{cAb$OBe=&;o z+w%}F_EXxg-@zPhXe|n#9p*3U~)ox>`u>Oo{tIwzd@VCaIRUCzh4SqTtjosm4-Q`bDQs9WSH-Pf9i1~tRgyLl}af2`KmXwlCsE4s3_%|=20+OJnK(~u$}oL zWfVIBO63~tQYPUTIS8k?G4rJ3n+3R(iB-hHdL2rt;#sLTXOy&g_@*y1)NAqZ{WSjF z@25b_bC`p&IdDtMKYk`gnuMyD9~aX3|C3C#t(!2reFps@ZN$+D7W60RST^C^ zB$ch(fG4zdPwTk-f4GZh8Ctvu9mDf`eRvVvg|NV8MEW%$%C`|Q-VKQLu1B0_End3S zAknQBN$&MXaji$H8-a0aLMEZfa%n-fV+(Q|T9Iehh61-9eDobe<1L2v7wZ^^J3xP^ z9<4W)P~$j^3Uwc<)%~ck9$*a;7`|3Df@W5`e3UhYF4Y+Nf8Ay=e02e{VYE+q``9Wy z#qw+BmgjoR1#V!*lQzs|5#twTFljN1X^VNT>tEgGUUtSWkB0fgwG&(}%)Gy=c=J`!i9ay(>~y2sx5 zQTZXBRv#g>=9r%U2w{zf2x~PWvh$RR!tIy|k<10*^QU+*M}-;TV^o=h=~HA$UoFCYY7p&Jg-Fi|M0->tf8MPMFWsxCF4agPG|2=e&7~f%oEq`k zu~CBMjT2SIp#^W5VT!$|95<%X#fCnTa)NH!v8JGDlw0?pLe+~Zt3KMWUNoutxg91f 
z!)Q|uQ(1<%9YH76rrUl3!+x_^2wTU-`(tc8kv~eSjO6g6|4}R70VT@TCQTla-F$l9h)|U#+6|` zfNBy%Fno5gXR|{^(ZfQ`hNMbn?;e~1rC&4^qz!U0QdQ4}oz9;B&KoxPQON3cprlgB zqFW%p{u;9T`Ba5T$jX>o8uYLt1PTUke|Zi;sb+95(DL=GP}l53*+J!K+l8{2k5MHQ z(XFtm)zWg&j%f{0%p5^gx5eN-4Ru%()K40rj_Rh8%)lz2D)Vw!dd{kz_Us)WOBsbV z_tBQUuASx-HVenF@85@gkrs9dBA<*fr;NctfWrN7qoTM`QJe{iW782{c8}wKfBmDE z((tT#$kx2*P^$Auy{`@PUwxZ_huw#`KVmYk=c0vt{P6%!D|Yd`>O`v0+7rBJ5U`ve ztb^(?K=l|qL(~MV*Zeo!o+4`4C{@hl8IlNh0drZ0j=lYX346wGabRG>K0ZayjsfpA zXDD3U#IL25z-IL@&)A!Xn}5T7fBQQEBKGgsy#4R~C4XTEHC_WuQ$uO<_u*T19XT$G-jG06|FXm7TkdN|tf02o(Aga(t$$BZG z3Cg<#D6=N1Kvc00>#(ZXgH8GbtkTC|TgThOCRnpU*fP*tckaOc?Huf5hhR%k>;*8X zlW={%0#{}ftI89cos^ob(@%w^qMbUQjFako##@Xk{a-(d#k1l?1i#hcR>d}M3KbbL z;K7g)4_l9Qf9+P)Awv1NVM0}CWuh8H1~4Gvvw(t%!T=pPe}Wh)OB59%f{i$0 z!hjg6%4;f3&8iV&%n-VhFW5H<8)n33-M2V9?KHzGm9Se>G-)42CW_{L^MvMq{L^TR zYC7T3a)!(OMqC~wEZjctJ3;=G0X^b6j=Kbr8EA>>(oFmHe~LNfF;(wYr%^f?;GM(; z+zT5aD7|Q#Z~ULWz?vkajg9}(dIT|lD0UWO>wGDNdtT}lw| zTuEiA#7pOLB=dHPV>Qy9YmwntOK9qlWnYgsRGJdsezZMV!C0~pqj87my(N~m3^T|N zpqZJai59Gd7Oc@~0DrBj&uAww9Re2RXSB-sUK#J(3}W=|0+zEGz^e^d%OfbXb@O+0 zn7h7-X%`J9*fXXit@<$&T#x;=F(SLRo%|h{rb}W@P>EjCI zY%nqr)^E{v-FypWbh{Mr<@I`k!GJ9$8ea`VSw;M# z6Pu=8SdWWk_J6cq^xh7Qde|_#2t{#<9fm_ZRVQl^4{GM|ufG#(tiH}{izA{3o{9q@m>hG2&J;M{fG;@{_1-7ap46~pYYAM_vNQNw{`yPlLE;8`UDv2=#~ zW9cmUk@W^d6Qn2+nh8n_Gl@7oYs{z-v4dw4JW=fRV}B=%NM^_{UOB@jv9kE+6#FI< z){cLGzy9NQ+%Exwuz*6@!lcQ>ugZe&W2A+Re{qzGEAdnCFWN*P|Hc8mM)>rb;NNwI zTg-%s1GIO9acbKnjjpX78qvK<+c#`JLB_of6K)sp;CAvHZiNov-rWv7xK@vQft7gZ zSAmBF<$sA!DM2Ygs3*()1HxU45$RrvNY^3)Qz8Kq<5EUoJ|fZSBT}3QjuT;VsKP5k z^U9$bZ|xdU>fDa5TeFym+Qw`uVR@lL|FwC1avMdr-5|Oc?)wPGENe`~`vgQPML*g_ zUFwq#kNspfgsCUX(B|%9t@sGqG(8qVH!=5!nSbT_I>zj&Dhfh!af~%dRUs&ZW|}q2 z+Y1+`s4P=dm1!&!pydmq=AgYak5z)Rc3~bC@}N{GT^>N;au3Rf#gMUQRu*hQ!G@>^ zPKPQW9&({9g;WnVezC+v8D2>{)ejXzw7h&nI=D)H>pc|r2++%JDRU?qs5B)@kiQ;- zDu0{SiJ*wdKqd2xvT_G1+Ad}DF6|fnc;%%fK3{1Gi34fxBGOn>-hEaS?nMFcU_U&~&>)f@rKI&Ktf;x@s! 
z-E)Emv|SHq^&Z#m<0(OTR(@o@lmv51L@k57xc*9m5z+0mSG}}egW~+fr&JRLXaUU- zYmjO~`xQZ3mN;d^JNEF++eS`|MG_kD6Q{;Uw`;4 zE+@?*pjZe0rUUr)9K)OY>D^3aX+Fi1E)(8R$+}k0u(EfGjRPYF*3a;M>I=e#zu|~v2z4tWFrtbP z!HRMDfEecz#JQ9r!MTi}lq1c#0)KD(>QEBWiK-i2s0;Xnj-U~YK3c+D0+oQ_e(s?T z_Yo? zAKK(CXk&LVD>94k0!FQwX)X+7!eWRPY)FD;+G3RIGKN{I%>sd0l%ScAwtrfJv&^!P zml>fBZ-o4E66E$bp`dao!s}>_G*A>UUqrM(aqSf>Z)8HA&;>CptSniCBB6oyhwsZ7 zr0pUk%qNO4-oKSkrKzM%8iIZ=(RvLZ!nSM;9+?yPJzchR=<9FAl8)cal7F3F5c3V({wfrCRo(DO zorh1_JOT*HWij!Xt;N;XE4ZFbMR}vet-=l5Y&w*d*59WRJnp3Js()ubDc{HQj|}f( zh_(67 ze2~`Hp=W8R*SuWCoR>r%iNL0|8dtJ)xSqU#%Q54)lEm%%4fr-5z(+vRVSq=y5#HRF zYmLlBpU+UaV8Aq0MSr_*#N^fq$~A;|{0ukSP7qYMjjL%3xc=fZZrp9gt?RV}r2_YS zOK{ic1MYhh7O#9f^m>mc9{G6cmXBwy1$g0Bh;UYzP#Bj&M6qI=KG1@dA=A4Wg(1x- zf7*qrh)-yW>_yx2esnz=#^Ccg%tWqZIpF}yQ9IB+-p1nPWq&NW%tEUg!>VE&E9y}! z5Re%v%dm0)y^7E1RP>=!){72{Pxz$l!(hNTrk*cCo4$>u3>{XocCi?_i3u-4a%m7l z7N0R}(T_3Sp0F5TZlMxg9HpuZWA5SzbITYOE{tJ`Wg$x(fV}oQW{?%go-%8=KZU~S zE`xX)6fqsNR)1oao!04j6_i0~P~CpZ`^+b`4BdsZ5-66DHBjVFFoQ72XU{cTS}%3+I+TrjP_XA$HHnqP^U_?4LL6fv4g+Se zRB8$F*pZZn6yk`+@OG#lHAu(ItI~x+F}PEO)H$=TW`9PJ)^}yiNK0L8KOezrMkvxL z!l!5OFTYDO&svLy_H|fST4F9>iIV0Z{@D+5aJ^~?-me$olQ0dRlzI3OmVk5(E~hV2 zRhDs$po9oe^44&RzvFJh9_~^J9y@|}Sb{sgA8^;Z5cj+b@PLrq z_squwg7V1iodnAZ0Si?nlz@c0yhp54FyLM^c4Zyw_A}UI#@JF$VqGzYMb#*#RU;Ty45FVo z<$n{a>rxLoEjsYYwikn!CouI?gN4*hti0A^If*&t78S~Q1br5r7_sQX7=anP$ht&W zE({QsLDm3fs5BOqx3i$WnZ<@lTUGuI8|EyOA(>Fv--W{K1ypx(*q}$DU~i&GABFtx zJ17FcTZiQB*BQP<0WMnhohZU8*G7I5Cp;i8gHgTPO*Os(&9=C9CE`e#Oy^ zPa0tr-2*j4yeek~s+19^^QbnJo3Ns)StrwqRWU;ie~SYB82-ag6kUsLaAyN{XZG@7~PSd#NO5P!4PI)~;L&+%{nC=*2sT7=Nb-DLI&Dc!<#f^scI zgP_=HT;Xr~jQAmX;Il$## zj@GLH$*!fyaj8O~QynT?no#G_friW7Xnxd>&X;WDd1DwXpTZbj#Pr8SXbM-blDmnG z*L&DaKgQn6BkVllZSOVcm2=R`r?IV?#-?hVc5DPwRF?teAU;!F`Upz*r7mma z>EQcI`F(GgEn>U*-4l@WAEjEM8Y~i|)-6J}40U`z6c1{kdfp0UTrX9G$|0;5?V31k zk#)@;tg@zP-6qkx+)Dc-hH-_RdU0;A#8MLBRx|SnA$eA| zhp>u0L{uCgx|&MDUfg_bNS0VM*>^%X2*@y1h1n#jODM`I()y3EyW2u*_)Jm^DKDL` zFcwSa#qlCy|Nr)UM(^AT=**pU?P8h@?V)z~RqCM<#ZD+uK8 
z@@1Cttsx-HonEnoj#GVQ7mJGPnV}N(T4*U`|2#g%S zmHW*Ix?YZ}my2-C_bsmbS;++_EY*@~0ml53h!- zni+=hSmn*Lr>ANJWz(vCgd%qqsv@e%+Xbj!)I)vyy>yJbs_H;e6Lr}-)O80?bRI+A zyh9}*P=9Ho5NCl@Hd9^ZO;FQzDW?roiY?gW^Z6HzP(Q4L)w5Qp(`dWIL0^<^G3sSi zyA7x6HLNZc5fHHmkyh#_X74Uk!@P1=*sE~-^W!u;%7C!;^ zgb8@XPZN|mc+qnBQBeX@7Z6BA2_h)hGS>)-mVZH>`GnT%cC{XN22b#4fZ2p<@Pt5w zl^!69VLt5R5u&P25M6mfH91Cn9TkP3By<@G29>4XB&kU<@5eH?^vq3j-=9Lv{Qquk z*w4(%@y*NO#r{9XpMBSdO*ZH;y^(5if`|zd?h@2nREvYRnY;;wBIv z&VNhB&dHbi>PxUanX^3KY{2{74m^vG;9Gkl9n)VzIOcY~V0q7o532;I`-D)@vN7lQ zhxfz(ej@^|mLkwUA3+2pSODTpt4c_MJznD`LAm4h8V}vF5k^Icr3FiOEkllTIm(>t zP~+HyRwwrKF3b>~gBS}Mr8SzxT;>uMYkyV<$r`ldn^>RT!PcN2`nFx{R_()3ZiJzb z6@LhWzYa%Mi#Sv*;y|gvJ{4x0c5G2GghA$%eunx_vQKEg)P_#WCN#;L(5!00=b%B% zglaLDxQ*Eu9ma#E@LADGRcV8T!a4*>>no65dC6cs!4S*_?EZ+oaVM3;084@*XMf{W zdWBISF&18__jgX{ZsxaMo&k~Bd`#tF$JJmRS&2{VL*YQhqr z1W-)^GT8855s+6a2+mr;t=H?gowteG%~X?t6KSIHB^BjEj}bY|v|3b>aDQ5`$jU=R zGtkG;cE!~a6ata*=?w9mMoCQ)`JU?0W&HIYC!gmhp(0}G$$1`;U=cz6IsW(uZJ60R zfnE$1ADb}A0A99qhS-@i?gJH|{s1>=mxHM&!6^&45;=~*f&eg4cYer4P6&SC!I z@A2Vp@yOYL$Gcs4FiQn>8-I{BcPf46(t!~l`M1B_%g|r22amK_ct-TX`$0W?ub03t z;4S=pvIz^z^A)apWZ;^|D})f1JA~wkYYxJwC<*RGc;)&5`Ltc-P7P>rYD2eEFGidO zFzGUi8852AtvP7p*xMJbVzYA-`YEc2_5i!fdpMlh!%@#Mj@r*)sDD3&@tpz2r~5Fu zZNXr@f_?P@PE-q2m>Fc#sh0o%fB;EEK~${EMlit;KOjJ{>_EF^3z{!AqW)q%>MvBI zUEPAAYvY)S-hd`)7gG;41jO+M6m~(7Tl+)qa*tV}mHA-|ihw96?y!O9tU^gj74P+s z-(w>dfH>cQGBAnRWPb>Xw=2?Um*Uw+D19QKxc3fnF{xKW-!GQIKQCqP&MILqU%AUH z!z{x5p}78rcB~uu~aEu;+lQ>phoYO070j@8n;2KXz*!y}C7LiT7lcpt5L`JzxMF~nJ zC>c}~TCZTL$}QTjoBSR3+7EG$pgb8oMkaGYX{QOPb^BBlQB)Ly5<@kKqy37nHz1ME zCwDNTFc(zJZGYmg{wUpS1^=skKd)bg;+rq^$XYr^$%+v}Tc^++o?`Fh1hc!Rs8~5e z!W=_6fxB6KfExt_C6m_c{1GkGWd`yHLc>3%qT&n+kq53Yf4JPmCD+I1#x6#=inbZ52OtlA4P{Uwl+i7O zY5|JIJ@(||P%@jS(>_7SQ;i)KB|E-Zvpbs z6-kv;<$O=mo|H}0%r|1BN*U7v>rAR!`x>mMChAqH$q@5X<1XZxV^9-z)x%mSpEu!Z zK`(x6c=P`Oh-hG8_A-S~9WkGMI3af_p(#7#=7 z;(tYOyc5l!ho0iZxaYk6a;OwIjr%?wm1Z>0L zxPfB@?U!sETg)emv|K~-R_2oi)LT}gT2_IoOCM2VQHpAoh1@q1^2a4m+|Gv5^*$6< 
zSD;Y&K_PC7A=!i;DhX}T%{R1KBY#j-|ByZMCS;F`q3{kp9};F*kNd>O*_iXRP=wV( zMa!iUR!R)%GAAf2X`SL}f5OD*6+fp&50wb)kxl&WLdfrbphaSDPZF-Fil(6&+<|iK462zE=|C;zhkq5Q1+>o? zBxB3)quo^6C}FGqk;Wx8u%~F)>%oPoZ(ucPfNk3j?D93RiyMJM_-8l>+m$>Hr@TeD zWG}L}oP|rwDAi;fo&?4_-VBOQB5fBlNTt(;!`Q@_N1w*SMco6XtM* zwkz<>3j9B8N#`Z=6?T$;1Mg=&+z!K&Ah|QIIDa^VPc8SCnW;`=#D4%)t8RrEiZ;@( zWFHPx6o;r`xIQ2#!G&-S%!ZdwGQ7MJ;U_@xNP@q65`tJEZppasmWgnew+!+Hc*BhH z(YY4QPR;0JKACXphsJRP>kgyP+s|U(X$gnkD=^&J#7PVrf8icXT_-Tk6OyeHobJ+g z>8L2ot43xqQwvq)HGiLbcz`4C4IEh0dR>~pwrqf*z6%pF0%=)`dRaM2EKBgwl7J}H zz6{~Fpa>=)PpBpVR1E9Okl6+?n_PqHdLk@i*u%$mK^c+(#gj5NJoe;ORFmXUsDiVg zaJWJ1^@8^5JsT`NznD8AO!B*LArDM|;zhNzo=RS~1NmDv=zoYRHvC$sKdw?u^i-g6 zsF^<$x86b-S|^=2Tls-7WKBa!^-|ycK+qWCKW;F<>!h5bZajptg|@3%FP#`dDTa>; zn7We6vS5O0`3uw&$FyC$kmWAm>YEn)$!-c8(SHLF(JTMi3p7nOLDq5%s|h2l=1g!H zK7>up2JEtCV1F0c2ZyjeIK~XaF?9ycIg4<6P1}`76^R~&d%Vag=hiD;3=PjB;3aKW z(mWg7S4CMy2nA9k1SNxN9Pn`$b{Q*hWC!E?s1B|K#VsHc?mjQ!?U?{C_jq`_#}SlR z1h^;Qs()Jw?zyJph3gw6I#W@cDkM;voSUd9otSj)!=l45L7Bu3K{;~J;Mipe$NuXu z-rI&TX%9yJ4rA{jOd0~SK{eSSD4T>tV}OZ&Yg5??ObI7A4$mOpSCZaE z`%?gA){wM>Ma|w``LYKpv99Yjzbmm%Iv7hFxu_P$i9D=;`WZpXotEZKR7L#Ws$D6> ztA8o6YATC3K3*u6I{h=01I#Ui#A;s5ofvSfaRGmNVxC3+uNszA5z+`(<8&)7(jM4U z>R`i$YctM_Lq)QowX@G(l1_GKPe>dHi&*33_-Y=`@0Q_`F-J(o;2tw3DT+t@G%X2x zSuyuONcwPeEm(2Ok#ymnn2$$@ zEIUG8%NqXT8v%%zxA|}U1_JU!eJ!%sc_cIJzic=}V)HSQdTH0h;z+7u)UW}OVz~>$ z|Jx}O?UzX!nOZ+OL(irW83gDK;ksV3hmhPY1Se^5g=%;?a}oahn+FnVagq$b@P8qA z-)e)`gJyU?@1uh9cV{lZt%M=J<^*?|Pmsf2yLbB(!37 zW=5HF9>gjYWygLJhYoYJPzx}+X@6k~*uwF>O`Im`ahksmLmO=uRa8K7N*iX}Fv2i# z3PTgOZwX4+E)Kkwp_h$e`C<<=vKCei6@+jot$ZL?1wgK5{%{C^j4;R}>dmTP6F^9= zL1}*z@_-m=xrscUIm9siy2sL3ox&3w%cWQSf+a=~s zBD;-v(|(N7)+5Pw<_k$*z+nmThwqbqg3r`T9yGONfxS0pX%YUhG@`{CvM+7`rp6-$G@`xrdQB;;_Tyu@XeU~&uQdQDj3h~al z1l3N}Xm@JCpi>uS9Q&YUPT8WW9N5j_#BK>E_De82E#u5<1I7>?OyPQ%^7dhDW2m2{ zvTPf0xZRuHNDp?_2dLT+^xN?I*T`hQt) z2IO{B5!Xv|N7i(g>HboZkOEGr_|W$lV`F!@*)*mpnz}3LPx- zmZ6BOV>XGQEz6W9^OPk7sEMG6+45UCQ05NPhEZXdHN>JvW$+s)Z{$HGZi~D^Ak?pD 
z#~zeI`LK*I(0^*x@5AN|p{i#7XeK0G2htiabrG`+L9!AHDaVd+b!`hj{sR$m|8YR1 z^;oo68>=PoAh=fS#no+lup+QF)myM-pp~xS$Y5<(rGp(I7fb2w!h7HtF<=hz(&>rV zIMQd~M$08t3;~ImglD|SC{ysGvIM>~gK{}pK*DT7HGjGBia|bW7556a@Su}wBCg>$ zc*1~gKw--XJ`HH`KmQYPq~ZC}l7G1W=YV{3+<;6r{ImuG(rcM9s!T{DBq^0ANUoro zuxA(ZD{=grNbA2on-EFg9@TS-)KQUBOjzAJ#WoeCi`Gjlf4NypMJd`vaP}&$Q3->@ za+};W1b>J*ApRcTdmZq(-3p&OE%3V64$r5wU~&BI@7Cc?OYBidD5_78M8z83At(ee zbA;Bb+z984HG(ngP9ExEp-_54sq%qP5`~)KoR&*&6#$i$7v#=&p?p>& zo$W;Fd>=}JqO!ZjjB*9CYw1*mImm>)5=xWMOI0|7vf>L=(X9;dkx;ljhuS@i@25hD zS%3IKhWj+;7BS)I7Yk*48{`FR5)@WNv`6;}p@?gSs#+{p(M!X#s)rw$kKRE2q)IwQ zT`iyx%U1Zk>RZKBu71dCj-``5sA4*yh~oQSjq4|2A}m!WNGBkv4F8F&q|X1Bs`m`4`^(QfHPZra4&)4%oO8b9oJGz# z=O{n|2_+;XBot9V2qbbw|89q#vEA-<+n#ENu9~gds-5-JZf)(>^z7EG$J1`N?HSwq z>~qdV?b#QW&-WxouzzK7)WZp~`8(w-Fn-ORBYmFtKRm<8+pl=b=(R~k znfrJ`p1D92qf^z+qbv&o|8D5^@iI}atb%N?gC-5EIhh6ms?CH98i4$~`7U)eyFn_vc@G{HG z(J2j%&Z%&A%z&Fi20VC~9CHxvScEkDDwNqbqQ$-k!?q)sv7N>(<1EE;8_x}Q@y@t} zPh^%ahR4{`J;kwh6(>4IG2;iEyKmq)ZWE_9`#8CAfYY}}IQz`&{V7i9xH4kdDBS2C z?ou39N-rpdlc;@QMZvhaW`Dw69MP6FgR4FnbQ8LWHW(@jMMcqAlN+v*5v;wl=pH?E zk!@HH{SelSL{@>Nu%eSFof6r|tDvc1@89-?k1-a-bwTBsFL^^z%lIUE{n5{aaz?vk zzE9h#+@MZutgX(y38h%-8_^1t7;J2P4{f(tSal!j$Q}v!itbHIynjlgKqA`Z=N0Fe z*z~N!hQO~YUBufb4RWTgoQEYhWxL$9Q1FMi*famtj|#E;_9;Pg7bT0I5jg(^4v$Zv zzi|Xz&lc3vhtSS}K~9U20?&}! z0*Pg}Vq*s(oPYeIY^=U{grXU7ru-=?8KWxheut{-=l?%9DH~+$>OMs2@BvEs-h~ul z?rrkU?PKK4oFId*H{U#`C{8i5c7ZoLU-ABkF^o|pcacIFW`A^Q*_Ip?Af~OPK7uJ; zh-3kt5flj{mq*AXJcB3U9x)Bqgn77@J%vld2RPSm!AP;VvzIO;+bvNj%Uk5F$Bc9Q zJdSiJTd{s8aT5CQR_IK{Ft}wv?~(>11!Cu%1Uq)Tj*h8taY%(bh2mwOjv)JN#Mzf4 z*S-!__AO|(?SDeQ-5@3n6H+YqjW@AuSiq{`HeT!RVnhEBpLI{Lr+J10^(sy^f?en? zv7c~Kw~aF)mbF9SAQXnu71lQH&lgMUw$dAE&;mj|eRxQDPO$FOGv(M?-+pLb*|(LA_-a_N`=e_#;`ImDQ=1a0~v zqZhCICAo=&qo{TjKa~P;&RT|BmIdV9bDzO8k0QyVo8-|=3SPmFIX{5WE2Qkbtae4! 
ztRt0wgVUo?3Fu-+6U)BAm%oSnI$KVY`T6gZVt@9|a}guUx)1i~ol-K0kR@OrAW&z{?9f-#NqD zzU6p`V!B!!|G$AvU*KQ<9)UTl@Jo6CQ}ivEBIkI`!Yh=qD`Wy5LE~@?$fE7pPVCl><})sj9%?jo5;072?g^XUQQX~d; zy0%Wquy-)S!7&L=j>!~^8LkwJ$u1oscDabPEkXukScz>T>g?LlV(3J-u@8gBVNB@9 zF>jd0qJA2WbaQyFyNkD)2iQ_Q#I9nMf`55~Qz!CE%qFfVDFzoOD$_0sHa2t;8%8X0 ziIvLYC|Bt)2HQ}?hV>#TZHamM0j?%=!P+C$QsFWLGkOKXEwTYoj5*$ggyX;>Sf`D# z=RTwh{1$9VA3-SwAMN9yRr@I$;&Gt^oJb!TrhuRJ3avs4LKMrGXJ#4)SVC#}fftX?IoI=4Qz}_(d zb`BJb5Q;+*oO!v~r@+%b6#;hHh_KB^yrBqY+cIPuD^aGeL$$FP^@bL7={qs38^nZe z6t{F!Skla4RdX93l=tvO@kB%{FRCvde%_UEp=~J@bPu|TLLn{z?tfl%6fdZ>f$;aK zM2h(idy5Cqq)x~+BUg1ku+bCXDH2ChJ|fGP5Zw3*hL|=&d?S1QH7OG7W=5TO!nI2Z zl#Ypn|4LZr%}Fj11B}XyNdkN+pZTU7k?xsKhimDu8Dn(NI2>3FB`k>#1=}I4j6Hc@PgTN@gsZYcLZ0$Tp;ta|BVxP^?iYo%pOL@v1vJuhS45^SrU!@gk+_UuKSG9F4dk$-HG{e%}GKIa*{bDzT` z9HmgW3Av>76^1A0Sa_N2QsHk*N2oCqQO0b< z81s-~EJ3c0PNSx&g<4~hk;_Ji zg+j4Xdr4Ojk;{cyFg5Nv;xd<@%Upm}Y%85195!?lYeNw9RCBO-6mdPD;FLE7YZ0FW zLk#~m6n{O(g!u)iT~lGh=UMZYR3`K?CNWxduz`#5j?fyYe1rpy$dPa{{avhJRAln| zq+X~y3FG6td=2>`lWq}EO#$>mC8p9dMk!m~LQOYOMs-0gX84M!^?l@`j9KzZJ5JWb zXu60cVmA}f&@wLL*5%|y@iiOc{05&teLyGMhJRiEK0@aA(emO5kGGHUZtoPgKOdv| z<5xtzKBJSIB53r8*?NmY*??yB3n89D>0XDS;u*ANvI#FE-Nd%&vLsyn8ukLZgC>~kl6DgEuj9t%V#p^G=E4`egC|pB0hKN_<^IF!bi|Oxw`{M#^zPyi0#;1bL zU4P_v@1dyofHCTba88koGj7cu%g9y9C{=y`95wv9c9a*{qJ*P<0T7d?SJUDjb>7aljxkwhmOppz_r zJf%?R-ee!!Yad|9yvGiB0LGwd3MB_dI*JgAk*;E7j$=@Y@-d^A zy%;kQdvFbZBB0-rgP6+tCAmYqf`1KARk|dnv?xV6m{H0`%+Vs0tLQ4K#9=4|n^Zic zixIf^511UQ!>@iU1R>z|pJ(*`^S->|`&9hmC;9NdOX1EQLOHkxRo5;YCJvBz{{+M9 zr+9mKf=%Y}o7-$u8|R35%1pj+f|#j8ICgExvm3QjJJ1eoLDM2CU3XzjS$}|$Zep7y zAbu4NbXCXVXK+fVo6u2QGU+IpLMTt^CS;V%Ros}FlxyTIrCdviSGb5}lRL|27d-M8 z|Edx-^IK>gKSD2i`LbTdq^^AwcJHHDI0GF;2%t)E$UNO-<`@mPFHpC{$aVb`HG>ok z9i@iPsp(@J>!YxS4pBCLj(<`DeDUZ33WZR_gvy>hWc86z__f&PH0#a<8sD7b5rO-| z_LL~NY{Eb96@1f|;Z3*nX;_!rz(c5vQ?zcuXB3iT{JKmnT@+I6~*6WBBz^C}rh9a?+4B`rRC#uS)0rtiy-si%oMQ~Sq6N#k^tkC+x*RKkBxr_p-H}Nmh z$LSV@X zRyOYTE!Ys|1=Ksy38I-%4Rj>MFymFzQ>elS>IKtspDabcMGRu3T@g?VWzrB74dRUV 
zbtuH<5#$h6c$=I&X~mu?a`Gwur{5@s*pK)B6=!#d6?)<*1AieB5m!XRlNmo9zj@Y) ze>qKo+~hTN05zFO)4vDT*;5oeKgW&jbGh%-#^EVu88!0W6LeQk(X@1q2(cYe=O#2$ zyAt3HjDWiGW$4ZGFr?mwz4^X$5L+<{U-Ozy!p4#Q04@}YYbIky#tI_IZol~b94T74 zN2 zp<7gwOKRBL*Us>H56)3fh_4@|I7WCMU8r{81l4q&3Oa_2UH48=&i5=CIzk~kjJ&p8 z#<@LY_U@3o6!-={a0(9! z(6)qbY`zI&L_3UrWiYsB(oF=Th{%;lH%Yn_NgQk`4m)w#$HLw&mO_c6P+}Rw65wu| zNRcGK+kZA0KE`AOXp#}APiDkYI>Xw^i6U^dToj14wLQfVjS&ALh1aYidCY{E&5UQ%D zux2l%82$~|WH2Tr)%H(@pUiC`|Kx%20T)XSy5O1{>nja)#Xh>?7os9rkLAgLxCjf6){s6gj+Z+{5_|kyilc|Is(X@7 zKyehXF&EJlN(toG`VUaS7*#cKgt~=O)PIvlsuwR%d;dayUB}o}H$qpSK&tyG7BWqx zh+e`?Zl0h>oEbm5i-PtYJ)9pUM_Lp)qRK+eJe+}gJJw|hyU%)l7l0$ZjNd)G_~!@?%=x{O^$x`>ei`F7da z$H37p2F}JfIMG#H4Y6<+Lea;=#M>*vA(S>AaJEZ?murr669rwx%GwDUaz%it7M^Ye zP=1@UC0s;`#EUK>M%}%jwT(b};(slenWgQrZ^1f-amqOw3SA)KJyce@d?TBX#NNO| z%-E$!#OzC zp}m04kTL{iNDb5ttFU1&tr(!26cg|x+ZfxLpr&Ayt*@c#{3u7nHA!Q*N`Ik5x8A_d ze>aakZ;spu!O{S;q-#ikmvJWB;xPO^vvUI0Jrw554%B23^~er%6p4aXZ(xIpeSC)A zPZxM~aE_f5!YhT+NIvO)^%XTs$M7B6hhbm~y0I_hlWl0**I>w5k^paOX7n=Ofq@y^ zq2WF3%2wf$y@b72%~BMW7=I;JJzj22BsZB5QBa6m@P`@ydaDJ|<$Gvm!!2ceGLwmt zD3rA6Bl5)_`WaE0*aMfg@1vxXk*oUvm5f~#1B_Bb78hxtEA~(%!%xrAev7Wc23T`H?-k6JuB74zk(Uvs&mToqI?l^nb_SI6>NjV+!RQ zuXoO|vU!I3+QmeLa)1fh$kQSu&{Q3v>S(TZ~g+?yk{^ZPr@#=1x8bWEDhT^ z3O0$SP=rY0EN?$C*;TH> zZ+I7;j5V6HVOR$g!#lbIzA=5U7Xyp}(zB)+p~Q5Q8&HT1>liOoVhwsi9|67|iugXL zYUw!Q)T?%0`8RRJuMeBcC34?g8L>ofEMnFrtpB5M5h;>X`SpMP-7J)}^~0K+q@)w5 zZXVGU7`b|O$$uut6!{sP7SECTnhk98E8a3*d^$bH><$~8Kyzh`Ake}nH$^Se?^Nl@((@BwJ;XnUgE^=xf zBQXCJ;>zElqJ10H(+9|-iZh~x^LahIg!{~&pnUEW#f*|g{d`YGuDsgM z$f?~#M&oCs(y@~H^Ac_zBlF%lMqZxd`L-zGo}=>q8KU`Ke$`v>&wl~G>=k*?k#EBX zc(cRs5`Tk?6p5&KxkXLGjU9<=@=dtJQ7DD?;K)?q&`zN=@4~no~JD+^mI;T+}kUB#tj91@ixO~H0~BE`be4PMoA=PrO~h1uhqNL5@85}Sb1o}dBInD}spzr4If^C1 zh>fCu{=+PE54J*IdP^Rct)5}rnx&(#M-#;bRrev8=oIe!=V!kDit){Jygxd{tD|#F zZ8ByMVoUFyA$Vv9dj9UZkuNX|ZNskN4S%%xVyBl|@XwvY=jTn9{kkN4i_)`2xR&^5 zVI+Afm3W*i@^F5Hyz&M?Ico?a42KuJreHpiBlb|aaDprfH;F>YnAk_{2xHgS5n3pi 
z5+RZfI!@Pt90#eQJBX5R?erO1Z&2vusIe7(?mK5_8fWwxrcem-wTxYLY?O7~Cw~Nf z%RuBc0)OeqE}dzQZt?|rRqM#A{e+CVFGy!6l1OpJ-#ACn-E&O7KF8|T3Fh9Nq3re< z!h81NSMdqH6pHV)H!wARgiqN^c!}8MKLRhmVM6=}+!JQulDYtw*eSRqT!%~L6F7Bj zz@drlh{6mX*hk01V=TTq!sxRjWPgbrTN>7(%UXhM{0QuV>tO34ghD=-Ui@aS6DV8{XZ_meE=F>~;huvm^8-X>Ekh+ny(0+K_EDCly>t^DUweqAAw zfG!)Q=$S2IkvpkN9?6vJNPm9$<7|9fE=NGwB(B!HfdE%PsK08G&Ng!>BbT;qlLF+= zWbD#0hkHJ{pinL_`{`V+yLd`hnOOgd=Ev;Wr}p5`{TbQ;M!$hwveFhxhpywtpUd!% zmyt?tU?EID})rhL41GdJCx9! z>#rZ8n5<-8JV6Q}yO`|MF?@txI$&+zHhcaZ6w^%vr&RSblJV~^7^IQU?WH)zAD(0M zF=N+F3Wag2VMvsP$t@IAZP%d`O*NgTYM!x+OjAOKDkKx+S8XDt9QO&5+rm`|EI zqN51lKf}zM3q1L9iaB;11!8|U$F@EAm%M`?qnB^}NBA|Z^Y>bYDR7J;=_jLzlJF$l zlIQ6rvv7_cg)^DMrS=7!`S-J{{s_m~EyVD5YgspRfU}p5fLOg+e!Z#5_Jq;fOUFZiMET=~sW)+U~)B{9RF56QZz0 zDa%F@qJSVonci@r6c#=-w&3pn1)r3y!>?>ju4MFPaxf*_hPTfUyaI;c zA>2enEw%%vxG6Y?4ZxY5t7G#T9O~b}zVt0z>c1eG(XW5w@ev-pJ;cQ7J`zTEV61o# zedc`_WBOt5UnxP}URJq8890$wysU72t8xjUT=Aj+L|NBT>UENlN>s9JtnHzuOE}vn zlR=6o5?emUMV5iJ+F%6uRKwe|&@zupibODp1>Qv&*hb?6wLTEB5yQyNdk5E?JNTY? 
zfbq!;C0~DUqYs0M7G~$3g@mdn2=Dy_O>`@)BbuO~RVxR+Lea(EHM}0y1SyqE8dPqX za1N|QjCl?rabpxvt{gA14X8nIBH=E&pAOOsRo+dgFCXBsn__)yn{CTo${FZ^Z%cymEh>d?`r2W6U|4&o#%O7Rp|NK`4c(B}t zgxTk~(sPXO4IRR|oiJbd8X5w(nmJiHxev|#ukcv>isENqvH0aXyxRLdKJKsK_fH1# zAAUcdjbB76OJzz#yI(WM%a^zFv zcTse06Zs_{DHJ+NC56&Tp-dhjk#R1S@k@W4h;`?~8D8y>fmSaNNyzuF+l6n*8hmQr z!Mp1VeDa>cJ7@x){zGJwLAZpB!QD(YG0#&Z{cs7VP|8=}()<<<#n0eC2X$-QM$E_& zx}WUh=|}#aj}H*qzYAm82QuFb>>}D=Ybu4EOFA3~?_yxl&OZLKx+O$Hfy9J%BO`zQ zHo^lsp%U;-N3pSTk>D=Gq7>1}-i% zS=kaIvDSLa`C6fY4am!2t|X9(T~n0qX=D;n1`dYOE)06QL{jNpYy9jtYGhegoappxClNcRe=GgUMr&!P zzn%xh`~EAR|95|sgMatKa(vhtM$^gzq)a}Bw(v2omaRfjMega{K*_V0=zD+j5Z_%4 z;un7?4#&yDf0d#Wqv7JcFRx3X2vNv*^+zd?2mFXB`F!rL{wNQvgA;JeT!e%9KHO6t zz&-6DJk5{jCTv7>6H}&elxGM|7jCkKkeru@BE+XxuA_035P$y==G*5;oo5Uj*+*Ub z4o0Vr(ZU8^OxP~xRnf`FB^rPJzzHMOiL7+B-n_urB4gw8b9CK4MeEQ7+WA-mqgPA+ zS2Pgd>nM~u#+*uWPc_9-N;VT`x)(HTA-`0($p_?=zDGI%J)QR_@Hq*ir$`y2J5hko z$tN$i&QL+ogmsG%`7M~Py@qe^XLvV#fGPS0Bi9%_0{h_3=;aaYM zoH_@W#y4;-TZUuKBRH16hFjAvVkZtU{$dYL*7s1exC8f=ZP?Ro?GmTuWJpJ^BF3&{ z3MC#66p9>NWaPS%8MlDA&|YN5FCZ$olW-nriCb2}MVw`IOSp-HZ4`Vw3M7vx8Mmwm z_SSSAKT`<;*hsbFbwYn&yhPj*&@Mz`rS&79Fs^x*p*Z6?{4&^ci`9On9N5r76k^2Q z7!D1in>lA3?YB=5Q8WvsPcGC=o3NosuJRHq1XZrda+->jYX;OVSqMuQXXILhYfyt_ zeF?LrFYPlhVTx|lW|=uGj%5g`hqC%UR1-TC-De5xnsCB08BA})#Lz2fUX757<6 z#+F?jg(xhn0dYujX98bvMo!?FjIL`zReaL}~Lj3a)LSpm=`+c?Iu~Uh)=cOIv0nU1m!7sj`|*#j)C?cw&?KFl+_aI4v*kjN(qy|4?c zg1uV??8JY#i9?cfkt<12CS#XPJA(za;7+MciHe*%JJk;S7L-9P6BU_AJ+pwv71~p%!46KDF zvK3b=o+D!HIeu~`_P`Yl^pXc;qZN*ESy_^|*^r0WNJbGtxvVUS2qY>_qD1>s@w^Nv zEWv*h|0L&3rCXRrI>n_k$@jZ-Eb+Yna5*5DdI{*_M5#3V)$iwFe4?9zUVv@ZUD(&X zfm7uxII^+Sb&la5{xA){_)#`S2AR>5A0xAT11)UWd9|MqlKld~8LJ3p^a{y&fuP(M zD6IL64sucj;W@MJ3({&nAh&iM9c;`)6K8*@Cqq;SH|gNjd4L*zUq`lRq+>KuByHEf zVrJ_wMKZ4DG7jEavuvb2_KFU}*M~Gv9E}vo&;d-f@8K0aO?ZDF zgqP2t6p9|*8pE{0cj z5ySU$E?v{86kM%~5yEFl!J=a$L?F0MJq zPP~oS%w-rU5+!?bEBgp2#DJnP1U9;G_>nuBr?ybozXsc&B3Nh5LDhQ##n^8{agE~g zD}>59g(69pk;^%tnp|=d!Q>Jxe>p49JlF?TBP?YSj^QoPm>IQl=_UkuRn~tbR0AKN 
z8Qz9Y91$m0Dl!6ULz{6m?>;Ja;#{|)|`>;!x zhar*wZ1Wu$OIOJi3;6p#$hd!WsC4{4zn6=?fl;_7KSB@%QPsAMS~m3f!Z&o27x2#z zZ1NhRIj@ma^bXbSpV8RO2vp0+bL}HCD>hNru}3#KB4_NQieHztGIDjWp_5PQ``GXa z@hyyG&C_&|TNKLjIfn0_po90dvomY$=hb_PmY!2IbsnQ(fU)bwDJp+wj!?l!SK3RF zkPnK>KOw((9XVvw%tFSlhD|vdpVYmND8{}RzE3%M=Ki{+G~B&%hNQt`1k`WCuZN66 zH}PTb?-fQi@e@Mng-7@(JW}T2#uVY~-wC(q3Ah$7!>MQq&dJkoOr3`@|2b?cHV`$q zhv6r?xchDwP4^EF*7JXb{PF^J$uqDIZGs*7_KK2BVbp~nHgte7>lP9tMv)P>h^U}$ z7_>ohe8h4&P$Z02R~fgAVyvV<4kF4Du#KpExzb@05kz=*Vt!Lxj+H1CK2XR}ck+nF z8&@eFM`pd$xH%-|K7$<_rHxn!#q6ihi_IZ|ah2lq@+)P2eT9FzxgB`KG>}6^q2wP; zHTnZ6Yu`X6&Qzqz)f9*|-Ncr{h)9@3MA8)OgKDAh$c5Io7yT6H?_4{3m!S=2gh7OKWqxcO`f|A(k7{h4Ji++R;MzZ}K3h$mI9 z&G_~B$+zc-1}}f3ln~Q5A$)u6vMMGVM!xn^Nb=UQlvWBxI1}&t!BHpD9=t}-^)qCS zZXvAfF&vV}SF!VqRDBeOI9px(JOTGv^7H=X@8w}=Xc&%3%P`Tgvnt=Cflg4wo;xDz zB?8l5NH>YhdV^Rt&f>byXkhHBY}w^=H;`KX0fl6SF7|({17k;M?Ab?I^DeHn?K7So z(H+?6*KG!QP$+F=npVc9W=5_C3Z-uH6t#T3nvt%8 zj|tW(A&cbGNpczeGV>U@Nw24hzSw2WWDv4e;e14>~{P`c+q=~W1?h%SUAj`0_!FtV;g zl`?-wH|c`5{vp)jsJ5O@P#4{klNwb46j#C!uJVswyl@X+HhV95LX3%6=090n<5DD| z;fujLIUW6SZH5$sc-}XM5w8=qBS73c00?LTRB$S}3Zf&Le;6 zCe^d2sF@?k4;`YsYX_x_P6Z{OP(YDn=dK|m=PlC7QAu5&kNFq!(`>DvqUh;cdj(KVhRAJ_$#$RW5E z&`I*{!7+9ePVr+D%n}@mL`nHGispZIF|)dd>(6$OKeYpw%6GV;W{durgiI1X$+&eBabfIzwZWHTC1Nnq!XpCQZS~;@@ol7|L|b@8PMddu(HKf5se`*) zj*MFhg-MD<%;yp!5l&*oTP;Ny8PSKl+;{NJUBXo{QIXssRwycL!=dD@mYjc)S~Np0 zIYwLsdv~$qx9KBP!{3Jutyr1V&*w%-ClPT=<(Uodunr`o-G)y@H>?@ARGx)WFu_R^ za1`SpnbQ=?G_>KZP?z0?ModQR-;$?Ri4w3fpbpCD9>zI>Uf(*ZZY|=s51TEpEd~~) z2-wJfDxf`6I)G)A+XC8h4C8;&5hO#%ICdGWq@aWoSq33xHB5*|i15$M_;)`j#l)-I zNP4@8%C{GI^W_4!-=8Dq&N*zZTLvK?zrT%N{#cxIB3}P3zI}UN%jXaqQ2gRYIhdUs zggSZ!UMWim$XG#6%||qM?jiHq2l%8iZlyg#M8*q5(ODAm-=V1P6WV_nxhfjI&`Gu! 
zxi%<@&*)~{8kjpl{lW>#=^Qm}hm2xJavY?IZqhm|%D<=Rzj=b``xlsge2$)(6Lj*i z_5li||6Ind<}SKVw{R13&HPtXjh&#POH|HwP{w#yR45|X2X>rmNH3tHG;Sifa|;Re zTZpOMM|9UALHiujug-sE#cTBGsVwDsG6MRLseGE>!xVE9-oAu)Qx7}>2H+Y!3HQ`n zbdwW#52o}i_oDe#U)acuY4;zL-Ly=sy3?_=TBQ|smg^hy*dJ})+jDwgOZ)GP(wzCHX|F4WTtwpeXN+%#+rsWCTVq8%-#bM!J_V z7#g}nBzyf&9+1EoSqktjU`m((JG&=s684r}im zXgrHx8&HL?9%FGF9Ck~()`T}*sb7(0J4Mn0Qzo-irq3+y< zbI%$|Za%;dwyGdu`p*SlTyFj#U|jazBI<~hib5cQM{@8_eG+?&7NYOY1pJ3qp|4~78{CE6)89novt!)+c#3}yJIv!x#6Gz9@K@i&!S|O3 z09^|0pUcGJXJyGTlVAK^78a)aV2D~`Z@L5@^JBypyrEN^u;G6~Xy$VS387FV5t%O$ zoAZi*{{gLRw2f_FkXgBjEV4;q)h9OaJ&Y}|u@lZqXBm^|B(?425;8>-A-=hv(TY*9 z^TrXzZ(V=j#xt_X-S5!Kh}20TwbO0d=_c*n6iSDPY5NqMSQ5e-V80TK6#iZz(q_bByXnmnkP$bquBpxtof+UM%QY7)=gGh@JPBO^n1;YAr&X!;o8M){@8l?|> z$Rr|m31_jfvP^!|^7+C37Li!nShf}t<0ndrQgJyW*fLfU06*Val;*!ja@|{a);@;X zlm&mKj^J(=43#kgI@@?er1YWf<}va*pFr(@4XTEBY)BVS_8mZxKM%D-GSn^t-ZNnB zo&$T|Ylus}fjILV;k{6bMCVXsy3CuA`wyN8-JMbkK*fJul&0dhiJsY zeg2fUf0}~-^=~j_|5ZG z{OS)2WQ_YZ)m_FsAvob;BD#GO$E67WiP7yp{Z1ZA8`&|$K8APF19+!AgkR<|8e4z% z(Mqm}&1dAINWwCnQzWktMTk$#eS=!YnlAorg*ehmHjpb~So0T*O&_55!5J#WrgOb? 
z0zR*S&LFC0&Ao?c9XUnE+y(jx@v~3PFiAJ*X5{MXwZyLW9uc`1z1Zv5cORi?;smv~ zD3sv?RFZef>0V|0dByn@3FB5~7Gr-G#bTzDB{ps#zU)0>tH@Jyv4o)$v^_q>>+N&g zX6#CxIzj-Q#DDS_9`$6Ch&h=21_ zjxi%}qT4tZy@C^&?TU+S91LuONc(@4+Sc0X&i)!ZUFh?n#f3OMq|hIzTR6B3MSQRT;S= zDU#@{*C@QUiSB-iplN>#>7{J2<%~h~+vpoTz|bN^vUG~d@gr2V9-^j`f*Lx;-25q~ z7mm?;>jd3Xryv=;-`D+ByjF?MG;2Y^&q*tH$?HC6)?{ zqC)vcDUy7;NOtCHq|@P2D?cHnaTf{vEHP#4h^*U1MEfbSr%!*duy%o0pU==rppO_i zM9}pUn1(*f1AcshC*k4S2Y2rtxJ69BJ$(^wQA2R?u7_*Vb-0v2hZFzyPCm7832BFY z+z=cy9^guPmqKZJjNjPY;r6yCQ_aBwJlOMcoW?RGMqJ{)bo~7v=3wc550oVz85lu&l$$9}ZU*F2c-`Kv3 zd`7OE(oe{{_6c1C^+|F`GaFu`D*EI+JW)=|K8k)6GUOf!X2 z@*d{;O{A2sBfj`8BCl;Ayx{;5qPlkPD_(A%Vex}ySIRI(KELTRm?!|Bs5yA~55vo= z8{U5*!|W*NBx0?JZyVf0=paQ8;hH|j?`z>qQ*h+}_KG=d5{bbBaMs08BtEd$`9o*T z+;8K{xaDOLNz4so#4Rvx5#STDighLe+!Zbq zl`lnd4PNeIy@?QsrNX6_lN^2ImZ!p5uJV6=Z?6h8l)PbYbBv5`#+slqSW_e_F{mg+ zVhD!2Um0o#)=@V@K#OUEHKUS(5U3peEy*NeqNA9o(AKOna(#aw zo6yDb??M~a36psOWj8(}e{zF=|34jMa33feq;Tx1g&aU&M{W7 gdz#c6tU|i67$wj&Bt5YcTiIE37KUZNG;TCxkT~z&v(} zsb`0HzIlYv)l;PMGx*O@Bwd>@rQL@qcuYnvlW#xVqp!ouJP(hcKDhdKl1b*_%+ARz zxEoHM6}aN(oR7??8;JGi9om0zI2r=rpbw&x1kp)E%?2(+ zat!6jZ$Vk{3>yD(sGO6bbWfL6E;ZwqUqm+&GVa1JjL-L`SUn42&j=VvoApQ-k-Io* zQb(bV?0~j@1*)k%S>e)_K7cN?6&l}asAKz}D_w@BV;wrOiB_DX8`TGAil=zugA__Y zF_|cY?;#p{(^Kef>_LA=!RaV2ec~hqG5`%w{n zvfm*$?KLvfUn75opFxNuv4~tkUWqPzkFcs8gtnicguFVxc8JI8e1HDDID))5xYSg> z3SYK)lNem|>VQ}1DBblYJfg?oMmKRG4~lZI2Ro}P28Azz-LD}ldLH3k&2Z30!pSxm z4s3`zMF=$30ThZiyj}8<#^;!$rs*Ujj9qsxMdEomkZ6Aq$+tBnmg*Kk*$`%NnahP) zQY7A$@b)O7AbjLxNU=AUn7<{eT4GR9#4RypUhKzOko6GVLL^;ZU>ns0D}FA8k>G9{ zMpp@ChAcu}^9ovT9w9t$+HxW;K~O#X18C~kprS~`QeMF$D#k6rHSVF!NKPYL#f~t- zQLG*Xa14K_K}Z67miRF`#w^qsVm?<7)Mbm%PSQ#GHlZnh%!b_sonJK!p&if^v%#`g z(g=}MJtOS*!-=m+?pa0sy#qv7FF_aBO*bIlR6T(9`Y!a>_n~imBjcGqf{~6+q9YjU zOO~PU+=QW@B5HmMecDYJ>39Y@iERR%hCj;@&E>kQ#ZK>2fE3d%@N>FQshD^ zQC<6+KhDGT%|%4aA0vNc4{>78srcK-D(Jz_79;QvFFbj9;6E&fV4$HHhL|PBj5~~5 z56C4CVPf=3po7#C;IGwfBbM$Foct7F6iPH1B_`t~GK<&IOy_86-y^_pAfxCbS>+Sj 
zI`@AtOfhsZZr0osn?4-yeU1p^2bdtI%!|p66iN@>WSqVF{K`2d?=y0Zo=br5;{UC? z>jWKipY~S9FS1b+p}Ss;n+zV|8Y5m=&6ebnLW(3W{S7kHULk|-mQuNnq_Pi4On*fo z(@jdY5MH~77%}pH?*w<>onZ0(iQJ&upH6?~+xihcDRh&dF|uzrJpFs%5j!OpX1NA* zz%{S~ZaIrWAYL$1Bw=24$d0*;lOpLnCYWzA3bn{BPt_EjLcFhS1nk^0VXnT9mK%qN&YOWIpBzFE zREf>Bo7SQ7<acmK~scpK+5p?2+x9mme!~0;6Zb6ac-G!lh3xWO595tZ1o%gE&wElNri8ojX5kr+&K*MdZ@76IIoAw!< z=rBVk6v-)O7ATS%=NO(n$1Q&Xyl|8L>!Qka&d!h`>88j!PWiKs(bRq**V8xLI6=+W z5h}$};l>@5@@Ez1yhlOCd*qlYl8o0#6XjqEC7#hRCgmBTbKfC?Q829O5NX3F7~s!& z_URPEuTK!ONH!VSg-_`-n8If0CPVP{?uJLi2;5WV;2tpqH&YX?=xu-8p||mXgE|bc ze%;87ya_M+JUHmW;o%Za1__73It*GX5xW8q>RZQ%bq9%jBRS&E-YLkZ5?8MpF9!=P z>q@Mzx{yhnpw|Q<%)b#@u~tMniKPUrR{6r8;O_4&L?WV=xGrOs5Q`iq@sryN**YgM zdr~CbVvEc@IK?zVsSkgLl5QfV%PSbY#GL+&%6n*M-c8A$r$`<$`(HpUwis&q$hdV4 zTBigl5HS;2L5R2aDMNhfJg-|Y_*X;aQ3Rc-gibOJzoap!QYn;zTZ}v1e821Lwb{E5 zZbQSkqmF2YHlQB*;6|u3*~52IAnl*%TCbo@9*2Qk;-5E%%7=evC>j0$1BIXo>w-Rg zmcUKkSU7;L_alr#G~tX=A)9}$v7E=eJiFy2J5 z=T69cfr8Qx=p>gkGI9xlWR)^wDj`l}=)bQzB~FNm1z3fe7%ffJU%} zoRZ=q*Pdu7gh1~aIb}tq^!@c{yNcpb5!l5Jk2VyDLgx>AIzTawpWRTFrw~l+SE4%8Wx3O7}^ff?=58zIXtA?-n%I z*w}v~8Mh*a<)ulUh8^EuJf@>->Z(^Ml1VxZe+EC7oq3K zwh>PE>3SsAW?$gV);j*vvtax+UE{A`deJ$&=^#G%>*sV4-uE|8DVkM3{QQYOMjQD% zL_dUk{C#*OF2W=3KArRd0>uA0eT4wc$W?!{i%2%Yu%xGmV#A9`eS*c6Iqs~U zVe;O0=o>smf47KTN9gUO+t5imni;v;j?hejG|f;bJ;$gLONFb*CE4T>#;Uy3HROLJ zy+k^Nn^L)fk}Av+9xhHiKh>b4Cw+*D7?j9Z*~jbjBZ*wiB7mh-zOO6_hA?lW!_~OwTy&!BkkQ7Hw9zs zI+Mo|iGd`&S-@NtSnyf%MsQtq*3&&X#?xQ_pisrQVH`+Kwd6#rCNhMdMBIm0&O z40|2+GVHzg-g_4*v57^bM0JT&FQh6(6_S#EyGdRwg1j(b7;u~bNdWJEcfElP`(1zl zK@#uU1`M2>=MI0ne(}YSGeeOg@44rEp8MSU_2SQ`o1@_9u=f5>nA?ATga7MMBn1$N z|FC1FAVTmT9`a*;{`ZVm|L=n^{6~u9|K{ia>7fPx=iMlbw|Bvqyah}0CIb1lHB%r~ z2d|Vnh|YR|CPtf<_CuuP?NB855uYJZ<`GgdpCc>(FW zXUttb!q_UgWJ7i+Qb>PYUkUn0n4u7^ul}TioM3qQ2WGGS!UhNK3Zv;5xnzWqYk258 zh6WhB`sgNI6iMf2w9OLW`86%0UsY+jzV#Do3*T@8eTmYXXDCT~hWxZAaMr#-Mh&^d zL4i>GiTppr6~97U?MFm*enT!sV8a?Q5qawm8}cs49Z#jIeXg)=+Y{$oP@%3yJUveGe)sY5II0NyOok^U{lF0C;a&el5^Vh&C#y#{Xr 
zu-nK_xKICg@N9er_s|-(r$pl~8?Sg-a@7r65(&e?C9+oH7F13*sX$QNFdVtppiiHG zXVEI72;sbRnS!H}OwviZ-YR$T2q%-++o8##bF@9BlhA)5$R?hJ%g{vhLZ3Q;vbnct zTs?%Xh|k3gbH*NLEMxpy{Q~{$0d)0`;GHrJ@3?Unyi+LN&Cg&M_(-9=cU8DDmK2kC zQ%K&9t8|YC6v__c7C)8+$LY@qn|^^m-HO5Ai&H!ZQX=^~ib6#4_YbWU4Bg{#hKU_2%3q`^4ol}HLR9uox~BCqrn-DD4G*%Wf@Hj+~ABEh+fxQZ8uZWM?oo813K zx8?VEc>>4HBZPMCBP8b*!lLFxAi)rkXf9AB7lOzd@)&}ous#Ltk^UXzlO%+ilMrS} zhRJ_Dm9NL);%~tS_AR79*3?2`yuDv_0z0CIA$v?z-YDZ^&~)!9p71E(z>VyN&M}3&sTb(j{Epai#x}ydmO}Ar*@brb8@v_{8Jk2Tv+#cu zCrKECE^b;KfUP-&cWuWDSLru)TDg!^z_e9#pO$Cv&Y|#fIr|O0z}K5ibc|s9Kf5B3 zU?qybQ-a{f4@3F62!l?t6RN=dKTfT-rkTV=VeYVE?E-E+fEK*T2UE2ldSS5B^Pl zqK%^HB2#t|!iNXHW07K5r<=?(a!pVqOY1+e@!%J(Py}OinlUoT$f=VI_Rvk*zM`l5 z5S>@aH}eGe;X^ca9iW!3Rh3WoV%#bsyyvCtz?u6P*>tsx!WT%7yN%?yTZn&WOpGsl zib%RiG~J|@KhLdK$LdC=l}~;mYWzUmp_l>*gO=_g)hw^`!Ms8#5;Nmf1kxfV)EY^s zPaRC239tvIAjCh7uO-uMI0%0WLRdg03Yc572=}gb`8CAay2u!2Lb~vVtdq#$bYzor z{FqJ>D7X7Hm#FApA)ol*KVYQIx zPO*AW9G>J6H#&+}U@@XOkkhg@5FFDD_n=Y=r2>9Yok+}Bgr9SXz`lPDucRSp^5@|> zvIoyeDa}6T>`sU#xNE{%;Yr8PaAw!^5Zrs|CdJnY_T-P)L8J`qp#8=X9L;y27lFjl z4I1vlYw;_*m%gfgFV&Y7KYn_VP0IN*4}Lf;1HXcnLhxqXl1s(1BB^jafv(^>yiysD z8TDS@?8JZGwczjQ8h?Mc^GC#@Feng#^uL$Scg0x(@E40|NY3H+p=wveBMA11rnBegW$eR!Q4P*-V;Wu13JYAa>y>CQphEAlq40qc2$RVXZvULcXM{H zdy7(XN_EXUy31!=rh|;EQ6v;Z$HZ6kNzWG@Wp0)Obom5V8OML*Ac+M!%KB}JW%~!F zW`1IHh>k*VA7MNbkqmTvM^F0~bWI+ko$qfO|Ayvn{!H~BP+j;Ml{s{itfweSCcN|K z%B*@tE_s2p6ya?)%j6c~FU|9SR+yhJCL2&mc zj3-ESBb~5ax~5juH4X|zxTJO)9t3)g2qe56-Xapm1ib1WFlz0o-HV#)ZFtc&ykdut z*m46McTazi+q=U^HNxkHp{=|H@A=Q<67p5gb9kl8ZOEj8B~>nRN%0M6rTi;S(zgd~ zAw>~0s#fNeQ1aKIYa*BMeO@V7;ZuJHyIZ}$Zh$LdJ(P$QjQ{+A&axv>%k|tp-!A0r zD>tdxfQgW*OT3Px>J>D!&cKkr1AoUlf)X|moq2zYzrz>EEPe`m0%zf@d#I~>k2Vg{ z9113eSwB8?2ab$gq;fzy^Io8-@h#otD_R;qqNHpem6iMGYX6A&DGox4p=;w8IxZ93 zd%vKs=NqQSD3YruSmmTPbM*&i7Jgu5^9NS%|HRCdKT}RJ%D6SsFCr0m|E}DmTbdrP zl1+bRq>x72fp*!yqh)X0v3fcwUtv-dwPgqB4*fjh+od`CiA|f;m zW)5WCg$#-$8s6?PNQ_`4V_tPcjv^y&UNL`(ob@X^5HHG>UFiT8fv8Sj*_~*jixmFj 
zdsO42h=(H4XCNx9h0Kzv?o%RdDK3Gyu8Z!Ws=4tJ0p3i=Zje&s=n<;M-oq4CtM<7| z)RJR`+zj#R)RdH(b@cL&QCNK&28uH%v;hT9!lytsW1Xid8=idpqcz2Yam$`Cfb4&~ z+k7Nrm`f>?QW(P;k(j;=-()gL>2-LfPr}n$2agoKCvSm+nQUQifj3323GZN3>VsG1 zHY3tIRpC;Le9`^T^7j>5v4PH8KT$IN5+;gC6VtCMX5KTOp}qE0@0ubehRvrYZM8cq~b0k+6)32?#; z_faB;P$%C&Wb!=@e7Z&3XVsn_@3@Dg{@h6!`5EC|5=!W>;>^2!e^UHgfxdyHJmj9_$<$$?)O z?I+0hGIDhup}&=ptBa9qPVOmxf@V5Z6CJFE-@7{d8Ok%CqC906h5XsFvK}L+dLJ1@ z&zO2{ASq%KN%1!km-P_QWR`!(hR?_tqEp>E!kPN)9assqTF&4C>)tA6N#qJ()Z%j& zLl76-hQh>6#0K`lp*@#Mkwg*N9Tdi#5=p$hSGCB?CHq7!oOOxg z0wdNX#UlKef^a8)Sk0B{PC#lQQQgePwKGu;tc$UC!p|p7t+uPZB<_EKj94LX^At9* ztB)^vhEpVkXe@n#zOnBp8e$9yDuSDaA~Cqi!0r@^HZTtvEw|8h{TK48wxOjMEFrZh z%)O7~v<27th;I%>lCM7Yu;js$P7)B&&J4Rvk&MDkw(-jGFkwxMBP;Mp8iQNe8Z>ki zt+gK74gJSmi5=Nvk2d`HdP zN0;cL1}Ku7(9FDtZtW|y_t2YIpWgOE>(O`&7Lf6#x^QyZKee^iFgf2s; z(KBLcn|9PaNW2~M2+Uu=_F5nQ%M)K!(GnKHwlVw!;EwaVFY9x%$xCL9{Eo2ouLwEZp zlvlh)tVEa;#w}iH={v~CdWO>Cm+0?2pa2d~L6|Np-9rOs?D3H=Sh&IgPKR$@mA&kA z1oDl#?sPHOkVwkrG=lk@qm$Q=&$&n_}6-yo~7>+aggb>871|7M zjqUWgQ<0EcgjHf}ZP1^dmg3sB8>AK!3oQlVn>CMGf_vlD_XtRzfp>od-&?i?-S~UxugU#IK2jufj;J9r z48c8?T#|B`;&=yx^r;QfQEKkOK#}NUD3Z7t=#sC%AWp)|m~E0oer>Iv0Dgzcrd6O1e#qhsS3-DH72#-{Jf&igFUcW#?CgLK~5$2x_!^KR#CjlPk?1&0( zMm|A*FD>RW62k{ol}p&6Nw#n^zjJ~yRC@Q?AZrkM_T1h9lhlFH*G6Y5B?&~~t5&`%E)#Ml$-G`i@`k+wUSZ9QTdmN>^tx8YyWdhM z`_MJ+xGGuU{qW12Ma{}PG%g+>FmsL(jE<4H1n)^Y;_??5rYM%YWje(OMKA`V2!SGh z@uq|52i`%)$fc`$1cPi}h#Q9~dI~;qlh8IiguZbX`sAzd&%BEFOBMJZwhItgx{BKI zkE#lk!-z9_Zx8=$sg|x`rF+=$uZQgT6GigZLlnuF9siO}($hW(zq)6zWL#HH5)#YF zu;?k8nfINA&k#W_NlJTwwr0-U4eybED%C9x#DtXlNJ-sg?%zQU<4!k$cuW@gD&D9L z-I}u3=wbX?nPPNewCcR^6FqWL zj&X`)vhNtfbdn*)t=^_X6}kHOb?s6Lrjs;MB=z~PQJwJ&W$8~)M1kZd-bapq^9eHQ z_Fbi5I!S_!6MW1nVjVYeCQ8?j+~~_Nd&WUWVTee)&siC{f=@X_TtpTUIfxmD3X>S2 zf`%EjoUmK65F43^U}FxyE{g(*f%m0wI3h+Uj7`LF_RNTzrIV~8%Gz`)4ui`@ln}@w zXXVfcUl_gOVGpcP`$JqS@qTK5jl}&@AZ$T3h_p7qi*W9C+LCh7-PI~D3yGIBVXC@y zNfsULeduUA1Hv%(eP`&aV4c873MBq0@ z4MLx>#5lDN{pvSprzr$FfpQUn^Vm@i{COC<`TVdfDAH-<)RV*+==mN)>wSrdg?IQmUWG@-S^sUPt_ha<-e8*51 
z2mjy^;r%PND3Uok%Ix${Y+V0yTxaCE!ssZvZOOJ>X=)^sxJ%4(od61hj ziK2_d!d({&H?L?ILW)s5`Wl@}N60I<0gW*OfuW5k%%eyWr|2XEcfV}alH%cC0F8ek zyvRjLB-yg3piix~Yl14sJXMHIxk8aJS`{;HB@@&`>nM_8c<0dt68T7h=p=51@sTd1 zsd=Cl6IE4zs(F|1p|Gr7@L|L%zw%Lu#8yDZu#;!97U>dipkF_N?(zZjh3gc6#HkS& zC=`9l9CR%&pdb7IgWPnq>OMs>2UElb`x2Ci0rCcoE0L zb@=zg!T75Y8>3YiA0=9ax*UWN>#s*5@K=mo{|AMC@;~)QqqSxX0kw}|DY}o~gjEDb zuOpURQb+eLr$}N6?zZSHRFn&M9CG4$Mv*XbamG%iNHXarnViAv$suEe_uiIIs4jhj zatfuL!n!g-*O>l}0Y<8x)f4nFE{RCSDS#CY_M41OORK+Qij&~#@(*m?|ACcNie}^o zruvV6F~N8?%J&bGAqE+@`siq#)5mC+&S3sqO|2hLEA24ZFHn(2K5`J=$D; zBTO|odgmvn$w3f* z<4}IyUBo3#QxN14Usw6p%bd^00~j4 zgw7FM4;{tfmA68%j5BJrDL3(E6x2o&#yQ*Tx+xN=ZZ$mMd*wZy@JX3O@$^gdZ2mw@ z*(zgNA9NX<`Rn-p;a4yW(J|7l!Wcb&%*ZvSE(2Y|$S7qTq(DXvV61uoA99G6Tw;ix zfH7_w#*!QGX?zT0)-@QD=b-P{!@KcnC5}H4%KtYPM(-WK=m#HiytA#v4Mc7WkfkB3PO5K)mx-xJwzCxH#dJ5-JHp*DFz3B1(K9> z4{44Ebdo1Xr%K(S4-ua{1#c+<^ZR*`Ni-r5e-TO%Y*GEl7LmjbL1QkV zn^eHS7#JlY$zOwK`5HlgnXW*Qc#}mmIalDFG_IUPE^R2q659h^#Wu8kj5}R>(ARN> zPh`Xk>xPNZtZ4WNx|y{TsyFF8{m|Jc6xknA{}6_H@`ivqnZy_=BA{3jXJKe~OaZ;; z^$CX7XD~2=`9x75k&`em?i!14!Pvy-<@N#bS8%&B2mf}Af*1{d!(WbyDD3zfC6Wk= zf{(*iI*H3c{zP&7+p!S*_nk?|q)P^-uEJdM0D%=d2u|HXaMTLyOcw=3PtaKR0Xez5 zu*Y0SCL>il2WVsUTcjpGKvDwZmg6zfQy6Oq%q4l83>rUh*5|;je2a>rJv8uflnk*r z&Dg}q)xSa~nd5+eCzp&ie!!vYvJk-Y~K8V^;e4!&}NaZVkkM4WJ~CKjV{l#UlY^gIIejOnQe}Sag>TVI>kmy9h;GgqItEUyiZQPhUgVX?;9W4rP#g zlZZ$t5KqN_Byq6Bx1x%$+A?u~pzrpdA+dG~ny@~97{UkW7K}`E3!mm^3e^@4O8KD__REMUoK%gY8Z>NIUqoQ^0{jz~)h(+7s&)|~d)#BM!A34| zQXI{H_2d%H#!<0ba3tSHQ`J5?8$KhG!f+(qL#l&J!kIfebqB>+jJtIrl0&rByh9b? 
zy`lUKf%^c<6UUgDC3s8RBBV=quZU@8_#3va%6iEOt}g$=mD!)z+Mt`3mu&T@*ioWd=QdxX5$JIGFZh%))<;}jzp_4J)~3Q4w+LtK8Unp45bT{# z7s*4cEf3~P`E;QSzAqYXWExeqq7dY^yRsuOKV=<8IoVwuA0+K3A{1Fnl*>oOGEcgH zf$UiPV^6!Z$IA-5yPE~pfD*(A_XkXoZJ|w92~{6Xn)g75R_Q)$M%(#^?K~AZMCT;-Q+-17ND0GaA zy3lrYdBup6+@eU{61ZPOC%h0j2=53^J_K<`=RVMDcBYfK5&~4`68!-kGjl7l}Hj3?{d)Zqnk{S&Zw0f{{X3p_mD{j$ReBMW;{k)^*b`e z7bTX;f;}{q?xVNJQP^M4?Q6S8meM%dtUbttGtIq&`I%MN*VNkwo6c zncGy+>&HiEPksm6*?DAIXAvLR0OLiQYi0d{EFcQByJD9#HA+>>gR^~qg0+V(vc{;z z8R}dvMrK?b%d12?1KxJ!GE<1rQ!oi~Qtuq{mLflu<}!X9*I)|5f|~$rEoxxp?UQO>bqVeJhBU3h76bq+eHNTc)Em} zkE;V%W8y_F(U_fNlQKla4sgaKn8pm!Ny?!OtfZ4v!&!I(p|Sz0bj?-r<17E zu1OeGRV_nE3$(Tl=qMhEPToC)@oo<2$~$z6Ug)FxD28D;dLE&F@9ytNuVX}_V`%Bd zx~LKLKDp1KF>L|H@DcbjZuwFyMheK({*vJS9zJ9iQ`-xe9CDK2Bur7lEqu&m%xZoP zzmnSsB+zeG7U6G4g*9Ad-hV~0{40v&ZyB}z#ds?2UcZB;wGYS~KS1s90n%!o!yLN+ zOVkyZV-^sYbrXSqHBVuoNJ3-Q5W*`aaSIJK`>3sWNB+3Y3FQW=%idt1{TNxPca=y| z638U7CP602O?!goa)I}+7-;&0^88n*D}Ia4noqbg`VEVdN9ZS)3~l_xP(R~S=P{=H zPp~|DjN5dQYimDndG-WrSAWM%X`SC7%n$NCJ#>^VMz79)?-->(2O1C2U;7cgax$dc zD_%}iY&k$<$v$e*pQ0k^F^Us*ai%`<6ZRf`!_DchNYma&q~{o%vex012pwmCy|kck zkb4VLM_tRC~jk>7$}rWa>S4g z(R2~nh~?=P_7CM>^{5;q+||3K34;ekVkJb^)3W=<5{qp|r7Lc`nOZpwmQJdF~U8W zMD}`ED&b8h(FWHblQG6We*<2{tI)>v@ws~FlSCwoLv@>prm`sFybNy5JmfdF5oWcE?JhDiHat>(1HRJ#QfB;EE zK~%K{LXrH7p?I_m+(qK}7tG)Oh?cc?aE^XK-RNiJ)V_i_afu?ChdFv4!C5z8t$vOG z=N*JbuM*T(5S?%nbya)3_K}p#-($pelovjK#{eO^Ap0qjWA7uC**`t;5#!e*C7cO77u5v!U^QdhK(E<*Lf$PpICk1%lc2t)ik4HMqSIq(I{S0_&>5^@OLWOkO1 zSAOC4-D7NQ{=&?V2#Js{B5D7E2{Oq*BLTkVBl@~Op>yFxo%Gn!LM|zNLne8ON{Zxv zOwy&NSn2qT{ijFhbACkFZ}UhCx`L$8egb!>S{o5@Xq7+&+yhjFOGPct^np4j3KG_l z5xIZ>&uWDFr|&Ys`ZnLuJg8Jm0eDgcPGQRyNAPr zj~<>8hzxH>TkTtPPaUJMg9Fho1MbR666hfDsx8ISKMRR1chR$YgsSS72;_kF@<~TT zbU(`I5|J^zg!UYGQ6yfbY(jjV0(Wo5zPN;GWMyx_Oh(fBm-9J-dvGmM`J8`${&nbz zt`W?8p{0vzlc%7kljsu0p%)e*wCjW0$rqEV;n1u59rV3>${~z)ioquQ(TB{=I~ct4 z3rUp}37x>{VlS^Nk+b) zu>KVSQwZ#Il7Pr7u%vAukW3O>cpqUBw6IA5B zKq^I&9On{A79&@V<0)$MUSq8D5W{U>&_Iz$1Zu7NfVrXXSS6$n&YfU?kjybW^^NXu 
z#29siC5q(U;xBCQ`74)Curm1rH*Wuq>xB0?vdrbaADHeu!5Eojto18K>*-WgAJNnH z2|ZVi(KhxCO&td+3f5#i#hFy^J17m=$IF{XxU=vLPQS;nT^d4O%r$aFx^j^}dbC`Z zxQGSP$mm)?v@mM*q9AF16R|=3V_YggoV6I~DMhgR6~lC{5SnwzYL(p;wT!BRH!`?E zt+How*3uBP&#R_JR}A}uMJ`KEBajURKtRNzPW)sDQ&(KW1aHc;(M8r*G zrQgQ@;kmAOj}z-dq{Ti!Ci8z*(k`5IlCrF47;5>5i{gx{xsdy2S0S8D2{NUGl9OtJko5-vT)bnQ31+d0Bu@n?jeT|#oe6f*3?FkZ5s zx`>D*z}2U9UN%;l6~s&F*T*vsIWbEFcK#xCEsR%%w9H~!XR&IN*Pi15I+vhaL=ApM zEw>B)j9TMLBr%*pT@@|Yei4aSu2ptfEEM6G)cT2kjoDr!2Ri&$``TsGRWPGY40F8f zCvm?RLS8wITON#d9`YDQHxZG9!emIHg>Rsv;{$qTe@A@L6*@<(tFk2yLXmiQ#&YJZ zL-yoHbj*E5N#Qp9&2$8x93&*ppnw1#EN$(+Iq>$)W8^BNlW-#N%ZE=;HBwR+k&(3u zf2mY|Q6QRtGWgqCkXCRD7S8nEg)Wh3Lz^SKvEiiQ*Vm?qZ4@Q*PrU zkxHT$8O4_|*Po9f4iSrgIK`4Qr*4GlQ}F1kBFKli9#M1l^ z%=IyHb(2flk1*E!1tY>FH3x+E19Sw)Ytir@+u>cU@EU1t4&1O3 z_+Q}QI+sZoAs3vrs0bxd%it9cr(*@qq!k2l1{UT};y7)MS8FBGuXWB<61MncB2ezg zD+`FKsnMSzv8Y>C+k>kR8QKVM4dML4ABR84;-O0yoFBc`*_t4FMjN3YW zf@tRiS%o|z)h$*2m4(Dum=fAhLV)X-KI9*B14cT9madVUav8a~HxR_{Cr;w+o6ESy zn5CSg049ngBXbq$a@47{o-i*_s|L|2!$_~X1OK{*(3Wn&Krq)^+u$WElD7hF>=1Nh z5k0vi+A)vx(gz45BWU7>V2m4ohr!;%sKtoJ%V-}!M%O*%B(ewJM`D1+P-0oPBKa-8LXz0)bSemioV(JI8*9aMt;~D65VcL zy!;SvA0K0+=uj;l#u<8%6UCWJTtpffC2py1-#-K*z%GyE0rx1R*(Z>nxP>r77Xm%X z;D|0Gbd@9ASV`C~qKi1_JW}?R1wxlwgqRCZn0gbbj6OO|IE5pB&;PM-D7z6)_ml8Z zT*pTEHF(AHW9ikBJtXp40QA~uL~+KJ8;yDr&ZVk#@uJH`WJjWueMKN164Ttn5NIxC zrhS6${?Di%`+_h>KQ5A2#7*4v@hWm@_WYlc1`P5Peb7+N|nH=vgs_+ z{z8z~`pNSml43G{N*??eAv3eqk(O}{KGqg^g*C#S+K>FoE68nr44X;CH0eZ4>r; zVWJ>R(TrP_x0FcyDNQU zufD4eboNiU0{{3~_|@&eG;#oQ-X=1OZ=rYWE6V63*0wh&n|+JRo3Bw$k(3O{%{t%1 zmd=P3F^3?DTd^w$cHTv3r5uPrh^I(GBd#Ge?UrJaio(}Oh}q_K1I-n5rrJ-)h`Wch z7`jOOJvgO*|?n36Rr(^$2=KhghCjR&fos;6v;Qt z4}8N0W7R#zt<~idERvegcsRD z4toeS6%p7skxd)*y-)?4sg%G~!dzJavj<(|w_Iq>Ml)&!oJJ{GIrmfDzEb*)vNkFa zh!|XP%e8*u;t^Mc%bSBdhC)!Rp`0W@m478}$p))9dl&qTbSqgrJnh+%?Yklpk5iGz zDf5?qJZhEaldB;B@qmVI& zZc>cwj1A;Ew_v7dWt~LaLn4=!uW9^>D3V6x=iWlHw04AZKs!c|QZ$L0mg~stdID|R z4zyLbp`$4DT`vb|9>o8jTV6uyAjKW-c3x2IHV9KUQ!v^UP!xX>}!TAd6YWGo9^%_A@GkibU 
z(N18egIFjKKe~*W-_KnAh;H|UE;0v8XksG9p1I!N@A8kyA~#0Ji-ai?y67A#UcXivOXfa6yqWY zyqb8`iXyA+DsIUMDSX{S@d$z4-LAMKJ!t`rRc|oBsFl<52s+s)1VcBuZ*xDB)yKh}n5}VU3-n z8+Exv657o{PiNrY&z}M->f1rTRJTeQ>%u4yx`mX0edXqr6p3FZC#|r5A;l#=;iCwN zokMNy8&uZ3R!$-U@wdzU{CJ5->=Z=w3@pWW5m5gW{^TmDc=@~{do`=0(kd%Fs&^}L*FmgpMz$*U_I!S2Kx^fXaulV>aG*;}P zjv`5pzm4ed8>lOIjls5m@5qk7kBsPt$ckmuij(&AM<{SSMoZy4Op!rGS`N^Z_XaH# zNq@t8T%%}LeN9f4mY`-0tF=%FMB{8jNVDA+gCb+ z)%wVJIYKBB;UV>Zj9bkrYDr~FqL#F;c({cUz!|sXhCz&49v%^JW2`I8yot7YTKnZ+ zNT}T4Ku=ZOzv3VoiqTVA9e#`UsjsN5e2$Q?CV1&HU=FNAA^+$ZY0Ii@ULzt= z;Lgjpgt4oLS-czhC2|+1>(C}oBeHY>wOuRdo7_dt;2Ri!=w2Z$y9jbj(GmJ#%$SEh zXORQFi>}ee$4Q5h+gfanp%8|mFTMttEi{KG~ll0hXD zbLk!UG(UkUbBPWzLIDh^=dBb;ea${n(5J|!g z3KAcqDgP~Iy1rtZGk$a49$E|EqlXN$H1Z8=6NL4DSx)qHh-vc4Y{yqz?mEE+MRIrL z1UCrmi-h&n>0{ix`3oBq)72pgr;`rT{vC^*UvP~P@{A*}1)2P1l{l^<-FyY9+FMwm zeI4xmz-aLSBF^1Fg3lnbA~>sfL@8L;o)u6xD{;8umWV{UeSOv9VX|$QQELkcK{N2X zREETV&?@9+RUyt=1;2~s(5bbN2)c+=wOm5bdPJ(d?D;912qy5l4tNj-IjwA+Ha5Ck zL>3m!{3Z6N$fe$^I)A17>kB_aDx$+WRO`H~vdbEY2VKNnw(P2&tuS>yu!l!D-69;m zJ~^n!-$7^BC$!HT!=B!+ni<{6A)Z>PY$XwY;NxJ5?@)I{Z6E!JvVuGClhzVL8p7;t zC}s?br$gw4Lj>Fvv==Io==@7yOB_R9`3@p-H(|(LLQ3-*XWuQ1UVVYo@plO3znMv) z#4^5^=q84&MZS+0{~yMXX3qXyND(J-ZX=kn$|${Bj8jS|j9W&E#S$}w%CQ&dyZwWI z|IPyZ=oo$yw`7IA{4Pu_PvM(N@z^-%!zdiWx;1tdbv1IB!fPcMKe~&b6496viP=U+ zA=UF_){3Z>Ea|eFfn!OG|lEHP@W(?yosk8vi{I};fk(7CY_D4+#@hM${5 zd**Arx^;}F+h38Uc?$a_vPi@%BK;~TjsUuVMY+j8Y|lL>E9-vnq)6O<^Fg348_w7z zDxHJfs|_LEmB?{a6WA*es;h?aT(JUn_j94RD7y@mQy38%P=vhXRdpbpx7>e3MJ(Zv zQ(>I;Zi$n~qM@vx#BlcXxMXpE@yI2)iKsXVe+KeEe0U%HjA^c>MkNxfI@VMP#8Y~< zTu$QY83Aix4Ri2wb)tCP_z?mk>)sdx*2`9pUxd-Xo% zuD?U##uD(at#&-_BIT%8F=q3Yn1;(Q?4)UfaocXU1=7mQ@2&1r3B(>Fq?DFU8 zV}A-uMC5Ci3YSDLLOkPtRY1{gSZc{3$qR&fe%|yPfrND_1UL(BVQB0NN;(e^T*rvT zm^HQf3VC#rA_}Lj{R0xSC~n&oUbC=%eVu(T|}~kIEtjI=p~v6>p4mH z5f^$LMH#yoZv2XhjOWORyhD)?++*({kMLfc@ECR3uQ1hmh)G_5?M3e>l6~}6y~7g! 
zmK&o-n3?{DiIpQvUM6GoGD>y-z{>au?k`d(D-;N!eRYEI>-taJxyOP=3gk_&_+%&^Q6jn^LJ^VpE60%1ubhse_m+Mw z5lOHr^Lj}1l1qWRL@k23CJM2UgJ`OJgYNNTl=L$C1Qx@8-78uhZ7Po9O&1Z)2(Q~l z&B8adw7x}_V+jUv3{y6NbAlq_%t&s~`bf+wV8oKrFr$`F5lq1iNX^?sR_#-mi|-?- z;SpM9A7k~#Q%r7sMC|2H2%9)S7DW=CwG2bT2n^T`8aA4mLh_8jY}i}6kT8)|1Wfsz?@BrWD6t1 zhbW~Jht|G8!RTv@ue?C%$ZHh#enPDh$qnTq!Qvu+Hi{%eM8Zi}4u4?W3JY68ROA{e z3SOYA`V*YV_mz{Brai_$-4}K6LVDyqWJTRaZrlSD#63bu(la#VP$Z06Q>|anUi=Pi z1#i()_8wPy53$KuC9CKY*W~D+6U=uL+`EpjHv9v3D3UvC(w0JypQLEkPjLGdxrB_e z-hLu~0%2zNDWQvSVDguiZJnlz%wVYS1D@YF#^cS;NcDV%aQ8`Mhfl%gldl9KXKA?_ z82w!_ivwMwDqDVJ5fl8p9LSAdLjeKIO3)A1x?IGWS_`|O1_ru__qkMfTnJPyA_M>Y zS#JdRIFU_omX2RPgX6S{b-Hk<)<{Gkvg1&H?-C4!5gt?xf6n6anwyB^yi~UQ)Iksu zwPatrMmAIt=0zj|>z?kyBm{PMSLs)(TY5&R9LF*`8s4E}<_Gdxch#DRxQO&^d69WE zgn#d#QX~w#LgO5rgpivUGYKzUDtsu0jFd&>IXQ^hb|1)93lMeT++l`j`p$SMR{DW)}hR zGZc=v#Rwlq5H2DSC#fJ~MNh**jhaqZ}1RhogWce{Q}OxXBb<0i3*CPp!)!|ZSRqh!^uI!K^FWg;}88twcalmXTgEMmrxtZ5tG?%E=_di6U zmohN_{eZX;I63pCwo)V%ii2@v{>~mAJ^6&eTVD`L&WW7*imbMM*s_+Ok7FFlU4=1m z96mwqbhcK)Za0%H?$YV;7&wj&Y<(g5n8W&L~z^~d_#I+ z4jqI!dJ2AwO8&Jw@E4KLMa*)MOCl(e8j7T<;w3_&rc~UrP#_lah{Zm^uOCGq9mT(R z8)iC50GUQ!GgBm%k?#n~*+5qQCI*KNQOUR!R{adweXlUK@EXN`gLD=CUK=|;A*ciBsq-1SYCfWnB8jI+@(AqxwFhV^+~cHv zo5|?{`8u zS!3`gZqJ?I!TO(nVPoZo0{jPLl!teIx+0bzV^g@X3~6EgsNf8kWFCh7+$`oA5AggZ z)wTQu2^a4n+Itc?5tk9mCvm^%M?nO_YA#i$HOh`eiC`X=LgA^LBuF`l2*gd! 
z+48ih1;uE_mg-#2R>KFVA3x*_H>_IdHQq6FkpxDrWQxTBQ}zr>RD;`RlxE+CRc`S> zPLT%3!rZ%m$Vgs>)|kVHl}#QgQ4XSK?2!aeL~5?2i$!63A?X8 zqka1b{_{tOojpWm!z+ZPUxk63VewOpTm2m59P}LIe)XJx`5Ct?QR4`(4pR&ScTSY{*vka> zH?Hay#bl9t`Pt|cd_5?X@3o0o7`LkKD{v1;SyQ)I4y=BJfUzT3GFFk1dlQ4hUr^Qc zfll%ad3`T1a`ic!z0Xn5`A%(lb>`hipmho%Of6xITpE+Qe5MA)w(+P;Ro z)Q2j6Zk1#`;pDl69P-Cd!y%drUsEJ^;Ea06$^9V;=_Y0IPf?Rf*CMpfbbh5s-lE;P zkG_(3xZLptn~Yiu6v?#g67m20UFbng+!NfJKE|sjU(u3(@D`!JE%3Ej#0Atq$5~jdiKzV|fi5ml zG3!(yXT?Qadq#>9wvj>Gw9qviwt5uhS0g2~hTpRey0f|Jz9Vk@dbKzxJo1}X^=CO9 z8)|LD(@l0JihG#&K8abrj8XDAMIr}2P+0C40$}wobDhR0uV3_0jv-=^vT<}+vucfh z*JOC)6PemduB2Hq1Cu5c;AH6-I7`3jVuJ{>x2<$ZjADHng___<)b>bpkiO^Ck zAq@{udHK6?9B0Zk_*;q@%Tf^;-h-07yGTvC0*xU{Rkm~#hfXmGFWJvRP%q*DifKPU z5J9%>#wR@8|AI$*M=0Mof@%H>9FqrsNT=I`BwvLwnK3J82|lvuNGI_LYJ)Xu2nG4~ zke;><3q@kIcES?Os6{8SSo?VOBer-6;}8B@R1QB!Q1~!k6DApiA7hl6plzw%Rh27o z7k>_Zc`ZC@1`W0QsH=DlYs568n>dLGMPe6YR@elB>{AG;c&NTUAZC`r8COhy5=4;% zFn;Ca+{DnxF)BL_V6T3H(!r+~zVZUe?N1cUH@7oBruqCV`to$*; zo%dl2T|{)~3PrMx{IvV3ge$xLl5JaXM&HM1<1tza_LzRQkwYiRkJ>>=%r43Z?lmb- zFxl`KSLhHuB@{^>orI5<+rMIebLs~c1}T!&ADAY8%=H}8VUDrbcY^K9zwl_8@oN2d zTpvBAgItP(>0A{2FN9Ml;fz~JaBwDy@M=TMrFpFNf5V)Ni*CXPo8_GYLQU z7$pqXZo^X-krotbVmw`47onIu6H%PN$Pu%S2wgwIbv4M(Y(QQ{BkbCLTIkM|Lwn8v zkKd%CC5|BQtyAS&agm&)Rf?tMANGw%f0j!e;wC=oW7noD1AMfx2n#5sAVN=F#N{M% znaCFjjBWuYCj}RzoW<>;#4Hz+xS(CG2vz0M>l09x^AOEd`{a{B?!Envto2{;CFi7!enwgq2U6lBfqf39tOfYm z`rsGPq3-h?7CDNdyvImPyT;j`4ienW=X+od?o$9S!bvGv!{EJtU&!y^EKe~=Wy>Pf ztyqerks=`%iK_&J4ALcr`0o!PGWLJ zfzh)H>Vx?21v8!p&_T1D0`A{Y#YrH7BB>sJ`u}tG9$;}@_qI5;x{&C@^kIf!7+{#8 z_uhN&y$U2G1V}W0feI=JAwU9w8VE^9fVx~`r(WMUFU^iqd}HV4rr2>D*Th}j@_N6$ z&x}fv_x=Cxo$uS6Vdk8D+HdW()@}#&ZIkdRnk0~%L2=O>0!d!ExNRmD*$P+9X6XF4 z!#!mJx|m^jXuAZExNb*6$RSh_NRooa5J1K~ip=`@`~?($#UDe2+kV7)97Me5VI&z3 zAF(*{Y2c^sgYCPCpG z!DW{WOZC#t<;)9qTzmjgfWTjT4J!T=vXgarzqGtL?e_+(v;XyXtnty zx1xzXVhAMUMkwXW3{mueG*y=ny!9#uj$gs)^B1w_*mZc*gHpC#Lg@Ng z_$Lj2LE+m9QDhgyL7fo0l@S;UAyt*a;M}B?f8XsW$UBA9#Bnm#g4|M* 
z!cfpNWuIMKnQ`9)Rr(mzX~Vo#UPVmeQg{M?Dq<3KP%lzb$FQz>5lN+I;GTUHg-u6L zw`mf_yh$V#okC&p83g+8BB`|*uC805Q+Gg5|GTFghCYhqmaZ3`XJ^OJZ=WniKmHw zSr)N((=}{qTHs8wrRNelYcCNS$NIoeK)T*UeeR^{7+AXO_u^v&k6BEoRoN0T74gf1vH1Q@A(Fv+X|M0@Xo z&b|(wqFf|K7a}GyAMSQ}5G~Ch76~MO!>$qL=%v7CrkxGRWv`x&3EWO4NYO(N!hu2T z!Mn~2t?fcviG-wlH2>Fiv&`Dve6{uwQ2A8AzB95o)$ba;>(= zEH~KD{)|b2yw{TnKZf##1>_J@XncxkUvHtx*WMeBiD65B7Mgd|gcdK_tM zWhQJKLm`&OA}(w<;=@>2Y}4A5x)MtD9WBe z5?z;8-$MH|Ldm=c2S^hIbt7EJ(7U7(i=>V~<<$xmW0{ImaB02-4dtDab`bUT3y8^^ zhI{51N;e!q=|*CboGBy}PV=DSu&3!yRTv|nZ_`G`!RT}U5_~Le#n^)=OYat>A<+uQlrIuh?KL5E%}vT_eLc7 z?}M+LZh&oV>&7)Th4sAX}y3rdu47i5k>#3J^O zfrM?lipwnaozSSrY*E!ljm!cbWImk?e4e78?PXN^s`7BO;XDnYi$h#5?^8z@+67`XiE+uz5NPG3uh1; zx&tEC?L-s~wM#DIBZm;;Po=&riM&WOoCqL}LUqSKE zHO$PjbOjAm>MJ{cuR*(U0nueAU<&Dm)Tfz1vW?c8I6x$-5;EFV2nyMTxR@b$l01@W z7>m?#121EMQB^=ofX{6?iH1Gb;KTNJVTQhr5&jpboNC~o0|NR` zoIOh*8HSd54NWr{Y?4?S0tc(vB0#wqyWo;}2AnINi zHQSIHdKguiXOS8_fk5qU#F<7>mqETJ`Xr*=Nw&I=AfDKTfh5gz7tSi3}lWmZmj(#j4` zSgkRyZ6R9ahcI0qLNpXOPZYsrO**22(-GpE1t~Fq$V#htEVc3geL#Z0qHUc?DhU(L zF_5qhiQzsSh$E?`ljp+9%7)S^?nRgsP;C76E%FCbifkdBiBPbU1mhgE3!rU8YbqRLeAc+khEQa z=lb)A$~yv2|29aCEs#d_LSk$pKT-sVvY6yg4Whz#e_OD9St5ti8W*f@=)lJp!WgAP z^!do4S-Z7jy@hnCT9>wU$ z5p$ZN|Bqm5;v7!TJVWb6jMDkl*R&D6r-F?uS@9$R#aif&!lV}KhGJ*!!Dmn@Og@RC z@;S8bdLAQ`$KgY#Da}wi!#|IWpTmhOe?P*)_uj;_&;A##TzCb?kCNdVCkCFpi21WW z#FfQY(9?UAH!3=a;~*k{I61QyiDvLQdYg7$!OOq=8=n2eyJ(sI9@-|ZVBx|g?3=!Z z2zqd0@;XXJkDj{*HgeS?fDgs?u&m0V)e<1s&PGa!*ckude-@^0%@dgz>7Z9I$0);u#@Hh1l zleBUc(Yv(4oyjdS?w;(OB(6QsYkFWL^B(K7AB(d;!z(|23rB{&hrH+s)Mw72B<3Vy z7)aa?B7vABg?vf6@h}R4j$>2aJhqn2^TzPXsMBajI8DqlkHMCU=x?}yfA+4+*s}d9 zy6Z2&D&EwJK$26^l}u&{CS6PnB3*4jfTj{&qHK7ssX|NU8I1R{aqA0+l1)LsvWa9? 
zFZAL>K46M{}4$cHa?vV%@u01RxEL( z{gim&Ti>Q*+@buxrsLe=pYPK7@bh5j!_I?_FPz6+eE#_t`1{9y$ICDO3@M4lSkC&C zkteZXlhD}+zQoCn7|^F3btUKVU$4K1yZ2b0?7CQ9!nNJG&DQsDf9LD3`LXZaqu=g* z&99vuo1MqkcfY~?`#^W^VMt_T)}0dwB=J~lAC2Ow-FW}Q&*}QU;aB;^jXPL>{3Q&W zyn?w4SI{&6_tL z+_hi+;(rjI+6QMje@QNv3YfyW(768^@;9F(15T1kT~FSlh8u62$lX{!_&i>H<#+hx z(=TwFuI=9~_wRp$ufDpC4?g?{o_Xfyh)>uBrHt4lpc|Up!*Gq+12H*8f89p7xiTi%LdJan9t09Y zz&?^&oiHf7(c5egVPude$qzh& z*4*>xD8GP)#97qPb`9iBwlI)vxQsqB>swiu6e_H&Soe`AuO?{h!XP2`5U*e?!n}wU zKB^-4yOh9ne`Ol-{SM#&$%_+XizxADZ6aF{s%a;)z7A`b3IJJZ<$#k@XUwO2|Bx$vcehz1!}k7tkL@!vJx6j#X|By;(n>^9$({l{ zA8)_?*GIM#j?MBG^8bd`Uz^wL|9j@&h41fBupcDGe{*v16L_~f>6i=Qc8T${M zevqeS-~WF1D}-)c#35qasqe_#J@K20G%7U;DNV~|SAp;Xn;wl(li8^HR}r;$^C3@TMEd6_C0NxpsOyRYNc zZ7RU-3(tjL7rSrf`zSm!b{~a>UHjLx%@<$XK*y$2P!q^p{W_t}B~KE&2QDs+&;<5E zU3(7N{Auz&P59*RH~8Hb?uhXB)!+OT2?V0-f7}^9RjH?L3$$d|^{P$KlP}Q+?12X{ zk0-4?m7SP9_8*Vz4UFx10sit`Tw1l{UO-9oG$LIG5wAah6g{zs=Qy&AM^F%O6q^Y| z-R1M-NoG(THA`TbK_~q`xbZ5sRb3(`xyk^t0r935=tYSTKag20xj`pNAa*H(W@REG zf0S()Xt;)B!_VH!67n0V$+`H; zU;bj=N(fq3df&c%i_&e}x^;_^u)clke&8C*4tF-*o%Q3gU85&I zq(g1_ZhZXVmwX$_nXfrhJYYy-&fAPx=-TeE>%31aa^K8m>~{f>TQ*;WFPoX&DVD$y z3x!KMW=}uEf8%-clcD{-{sw!myn*b2%Q#LTIWY4S;=8UxT0aN(s*{LJI!N-cf0Ot0 zl|=PGPI=ln6=KKES-P)uPdPvZ(0=;q=LC>LWqA*$#A)*ZNp$h<*h zWbVO#|L$FWbq~&kcK@1~;@+M6{2FfFzRB+&dwySk&F&jJ3O^F=n?W-%`7GQ$HbEV} z589k@xJC>>BdvuddNZKc`#DHT$+$m_Wfz6h&eZ55LII$)CLe{*11%sTTT z^3_HJyH>&7E*(aP3bbTRW3>M=MtkQGEjbR|igk$f-U?4eDw%UBXOMpe$g@wqh?b_U zXx+e42ex$%k{)s_m zP7y#@$3*5mB)o-viIpuee@G$T`O8BFVGp#qeh1>CD#`psBhWvN)(I3;@d)sX!@%~V z`0eX|rUx!ah(|%Q6xdK;wGqMf6XDo9!-)c6{lvO zGUqCQLjdkQ{PF!S;kEHPnhsyX^!!z9IeZ-^@`R%5X?T`RQGNq3k(ZP((;nJQ9$*9h z^yd%E`#%hH29Ww%0*Isxa`GWcbrpexfI_~5wX*k4y@)@(^WlT-**UN~@#T%1_|5

D?hyLzCN z)k7P%4^A};xOs~e7PQ}e#z(^SS~#he%(7q15Q=kWk&`$HJ*)avGA1DwQMbc0YCrS| zhcSKnM~@xz^wf`05`PLYhCu|o3=ne+VMFG5@1oRX3;}TvVYSR)((<`I5JT|QRm+;n4y1-A)AU=kML zX3w6Qr*m+D4aqB;HSPpf4KmXz@z=ky5?0ubNwVDfe-SKy(jCi)b=R);g<76N+xugM zwisS@XOLJki#&SBA;uoq+r^Oa_lHWJNrk~a#D@<+Lh?$XO2p|03?fJ|A-KQ6tvk1| z>-=xvw*E5uPq138E2!CX74Fpwkd#irFJ}yqVcTIaY~mAGA3FU#?y*?N3Rfb8-DjWQ zz`BMBe>z?{ndvGzCV_+iqL8x@i=FuCuig?4&!wQSy#D%M(6(a%imY)s`IC%O)Ice( zhl{*{@~MHE0MJ-|9xr|O_qch(Qph|6=EjX=_NCPXiXpgW9ER3sD_mu@5D`P%B&KDM zupEoQgv&TuKKb%C63b`d6TTNEY(Q7sB>9eZf4Hk!;6Y5{LGs=`YzU{W{?fd!u#D|~ z5otk(P?buBt@kiOlzWikeF)82a|Dtjh|?ZGqHY-J#3Wf>W5_j5pd|1p+K8<>%g&)G z=``wNPmzJ2CHb`oE1hE;1uN^yPDaWm)XXBRx|ab(M?su|0FqgXWl>1<=*5n@OT5vr ze?9*UyjSgqmwf|byh;16^&^x1uM%sZZy%OhiG)s!tfVI+Z6se4Zz6P?2H~=z4E|&) zGm^`Y7+MB*n^HI~$t20<&x4Z%zYPK5p8<0H^2>0vV`JON$S-9wi!lfRB)Q-LK-fdN zeftK2i8aKwL2#3&f=wZ0&Bm>;F(b^3f3H+QB_U=p)ZxPX_Z~aO=bwK`c`JBdFk5EW zm#LAJUW32BW04>vvhLnT=iV2g3#cQe^MoDAO}RKmn4O-Cy(qRHVXceEE1yAO@&x=1 z&2V;%CZGhv-K`YqF(YLDw-A%0V&(yZus|_;Cv$MW`POHMXnhW$9hWdh02w%be+?NO zSD-AOg*0yjA*lxt>f4RPv|aeq+aH+s6wc8CkT1WwgRU(La8cDmsjP$x3wC7%G%j^$ zZ9OI&nuV!3NWcB037{|0E|fA>S1dI+wbn;{m};O5QSX08@wpoN1h;QG~@e}z}v zeuRV{KLw+-8wF8Qs7aeclJOuyR0GKN zKZ53rv&ajaL_9G`GNm*!?^$HrbG;`}8gvvL`RC9>_Ms{96zbznp*d*|e^v@>e?)t2 zq_iIHj`0G6tnlO#OR`iC_1X{wx>i7K9fM$5Bii!M;&A^(jBY!JVB1MzmIlNcy5J>C z=K(r%Q~-$OB6o3sI0${S$jq;%l3w8uiddgMB>NqNx3~?uwPi?(C?k-Rz)w*^z$}F0 zvS`{z&!yAaf5RZpUH>Hoe_<9@ED<^^u3E}WI!UY~0?1z;WssW)^o@ZvmHzI^42Wz@ ze0$bSehur{yHW`|l22M$F1Bo%s`73A|y@rT}c|P-qYvw^jB<{z; z`5%(pVcPzoIfgi9H$#DD}_~P=b8>P)ery+TyRcH{nO6tnT0c8b^

K+@RO*sfn$_PZ_S`HA)_1(O28?XQ7ZT$ToW`Acs|MQn$f!u!=LdmlfXG|j@ z^Z-26t+YrFt>Wdd$+W z=`s&URu~Ydt>E3^-EHzvmo!P*>=I5Lxqx)nlhBdO3e|2x5P6vuR!#(vIpIvr%fPk~ z`rgsp4PM5Be{(IB-Y)hD@KrSeVF>tw<&>;===Zt@Xdw zVm*8PXNV2zc!&t<^B*YLaR0JG9 zv^F2cr=PHDR<;Otd^ve5o7FlFl9fwb1c_w^2-}94f9|avPosFlWrQa8!p1HDwrfpf z@Qv_xtAdnG-oReh5Za2I>|-cOnLhlD{CZkfY-?|=Frj}Jci0&o8D zee?e$f3ZIO0-YUmbiDl((A~r!6~rbrC@2!{t#HM{-;wkGiS)t|D5Uf}2n-r!161zB z0%->cjN~V@O#~8R68fI4wJr^a3fzVI;zj)acOUV5IDb)~|M^dUgQwd@XcV-ap`E1G z7{nn1xWy$FV@u$xn|Jt_@Y(6_n9o+YY9@Pke~o<$a<5**#T-Ie2KfvBJyh6jfKIl7 z6w7xloAYIV|223xb&xISrMM)J#GXKP;u$1(3?W3e3x&Z`Sf4)6JxHSKL8Q11Bg1_Z z*$gDaBo$%D&{?#AE&|EA7zU7)M)Dcui1TVifT9R;Yopnyd+{~v#OSMF{va3fB~d5| ze;LBghD(?pyNr!#v+!8HA4bP|M0jq%8Y?YM9zAWoKw%l^8zO*+IY4ZdQE5yPXANuH zSnf(7h=5{M0c6XIVUm<1GqD`W(G_%om2g^~3kTNAcd3Q|qQLgP$7`{kyY@3A2JePW zkxr$&t+^J<9%;!8AQq1x03^UKhCG5Df7TLP=&58E*|PVRNC+HC0*i!zBIDidH@6H? z>B|^IsG4Pq01!9cJ$}U!gkc28cgRF*GDD`<*zKqQwOuofB0AA`!*sLe^_QN z{S0a{uB!Sg*fV_z11GK{V&f(FHIL9pk!*HyRFiEn<*L zBj1%r;J&&ZamK9>uMWbAsTqEvmSy|4K?+W<4MeN%%g@Ik;*u8TcBSYsfJah(o_DrC=;~4TNunJPge~=SDLHa!(B9d87 zj#TZb2(`HeYO;bBjWFT%%E`rugX`;R{P3fV1-kYt>JU+WbdJ$nVEdoE$!zVF~4 zpWb``q`$uN5j?#b@!A^?+4S>Izd~K@2xQL1hzZ??l&F0$Qo;7-Z!MBk*t@f1no9Z> z)bF^6h86GiyRB;-g(Ro_D z3~NXn*uDsa$nfCvm?@gNIl zE+Hqa6a`roe>~-9mZLDcf>Js1vzk$s-HWoUeaMO3gHW$(tL?MVkTVx2si0WV);j78TlY4rWNVl#13+Z?A_3{b*DN1hsW5^+{L@JF!rz^ko-GmC4_rxHdeTDkEgK%~%fQM@x5+e4Kv>U-k?=eZl7D38YmW)8@ zR1RZAe=h;=Dyp`eg-+cFjhsm>0)(UrZUhcD0*QuXuA0ogmZTN~kgL27ZqjDF`_9J% z5EkC7?c{4rAO8+yyxqX|T z53l~Ef@qoyxkuo3czJcBkXX1R@i@-U3hf{kf6p>_=zGvbAB53w4+0fE@Kg1|SKf_i z29m^C6o(&0jAk!Fr8{|7ll939NK%t&XH4RD09o#bkV8yTXqw_6v2wMGf^uyj2S^N= zbvOH10);0Tb=D_K&lyCv(wln>twS`_%TrJpK0$8(0>+2VqB86R^hI9hvPN8f()Rzj34o_hvybhBdowjm_4fpNO@2ZNs4hFJk1JATun- z`0h{s8=(Zk@Sq*|?Hi9stk1qceeEcuj)jm*i(vF%v7n{*Iv`N!a@-%P-$q3?-dWOcA#Q;4_U{t#cY z>Rt|zdzhYj0do5a0!JgstOm$z$_WE3tpjhi>IYsVr~RA{(2Ux6l|A3y%-|2%SL z-{3>K2kW<-gVw7D0j7QwB%H)^e^&%qYPm0a`>#Uhy%VP7Bk-cNzq||nvM%^iN-*q4 
zUD{a`g-s$_xepPty=2BuV|~gwViCq9Lr5nk$>vOQm_Tw2R_;#m6li3BFXie=MAN-h9Hs zVtLq>I{k;q5=HkO1k;~?{|?$3`;e1TLFT=hWL6~{m&d|swTS?7K-kE<@yX*S5aPXo z0Md_0pDsArc=F!EsmV-Y2|@AjnE!XnTW`IG!pv>Xko*0A`uci+bc?|)3!aR@<%bx4UAL~;5A(#d$L z6W?L4X2JQ61zn~AxXim?ML}{7P$T3`)?v3Wen=dmfSm zk{QwaNIpGmv-#w6Vi1y8QeqILyaXyq38I4g_^*~q*3ZBA61nL+f1wnYK`pO>i?SLS z>t@ir_ZkwC2jM2GA+udgiPda1Lz8g`x~wD6x~?aNAqgd~hvVuJ{Q0d9c|R?-uwDfx zr=BN(loLQ22uSN7v907aSM2_=BeNQ<-F@fjxV7-eo`gr!Mfk<+#e0AIhj8}hIQrG= zZzDB#46Ytq2_!r4fAq!I`1h9cAMCpXH^&X|4k7uNG!7rHo$!%%5JKq>?yqxo;}@y8$I`n6|}5Je2;S_XGzI+tZOt6T(tJSj(J%A){b zwODttals&t5KgAwW1 zf!u^)GVGIx3G5^35|7zammfJd;K=wn0%;7y_R;V+7UR{Q|Ms!p+qPaob*FhB^JPB$ z@}Ce{O#UEl0J6BT?XRolP zvSH)Ymos@K_z+f;r6;5Arz(VERRH{)%dswbe-2%R7jbxSme6*Ld`K@$;`Mm?!cX~$ zTAtVo&wK~%Ej{RL>*Hx_>vr^R-GlzlA#7>uMd#-2=x#rVj^-nXGIYV{T#MY48e}F` z!po@=(xqh(TgPBm|Co@g+0>mnIR{&7IYNo`nA8gPY@rffij+hKkcXy|ZO;P#{r5k_ ze+M6Y#MhsEVyOzXbZh{X@_)m+x;BU%bd-+-dQ~=jbR_d^jpS8S93&hd$&Ui$zTk0u zQ?T4hL4YbiYS>|x%Vs57pet+Z55AeJHwp8P?zEWRd@7&9X ztG_^ju@~alon+D<0_4*#zCz>HGZ4GfKq)JNN=nkxr3x><{JJ>{A>X0F1?XIuj4Fkz zw3+}>3IE7m)a|*7^7S+DV%5C_4xLN@iq^k}OD$a}F^{Mc)x`&R&6TA$z>S-?e=s@x z68yDW2|(2Zka|eTgFFt9JJ@~vC8+%S;VvZ*dA37O0MVD6!oH!Wh128LEu7=deV5_p z)r%9;X5VH8&mID?t3x9Uk`@?Tw!kN17(Ov$@NwM+Kj{|EB*BV4};EgH9mTuDyJ~(n>2Q-eAbOqpW#S0hN6m ztVy!4F7nn^Ua+-FfYTFHqOGk#YIrpYa;nJqS3$A70#fTt?Cu}u`B_Sef7$7C@x%Z8h55(=>#@bsxcBm}|BRi-E+D1z3gRngp$hH6FW+S6Dg+kmYEsvA z4q{?27eyJB)+KONlwxA^if}-4K5xJMF?`9_>Ez`EkP1qbv|TM?fAbDt!{F1%$R$}t ze#A{yMc>!))^u&ePPh@1$f)$caN!3euLKFr3aC#%{ffVglTFj(=SF@-Rt@=@at;uS z)MnjOc2E2OE=gnX@achGS_i$U3;O1Z2&g=bXPJU2e z7qGql9CmFw1@9%pa9`boXC44VxR3!d*DI}@VaM7*ma{SHf2=)30Z(NnR8FCMSgyk| z)^Z;Q@zNq_mRBLds|JO+wMYu6g~qxPvXuo?GEABCeHyAdBWKo2y>+z#^4 zq_dv8e#S^L@N2RBNqek#Qm77A$vp7hd#pCf0uqpa_&bX8t7scG-d)CJo5`&V68k^` zh>E_q0OXNsf8^V@2q0Osy^glg!Gi#h5j~2G#Br2ux`=|tS=c*-z<#Zfk`H7K;qca$ z!PzdD7$pM9;ro#jH;fAM63<=}g5PpZR~KGGQs{0fm6IWHh=$$jFl=ob!53c&-8oq4 zEObS=kH3ESB?@+Z4-NY+V(XF12x+>2$jouP@|!=IfAeJRAjBXWk3;O=3AJx4G~z-E 
z)?%bYcbT_f#}%I2(B1{OO2~*42sC8awFDA3*Jk8yn8to3qqn3E!QWd>KB9c6dtG!zgZn zw{$Z-!yXvp55YHR2>!|*_)E4TNZO51#WqyNoIq{dX{5OyM1*Juiu@+AIeihi`a{T2 z4Z|wRqlF}t39fb#W`L}R+9r&H!_vFgnE)cUe>U-174>4)Zec`rKp!@f57|N>8QC#| zaEEcYE^WoN^Z(0y`T}*bhQd`=V*a`WJ|jG9dw4<&wI~WYDoL$bSB_;aa9SP;$?{yt zmsZ1%C^$d87CA|^@D|lUwW<=kw_Dm*9tDWdi`SV-dq4LI`0AQal(!Lod914mlR(kD zebQ3vt0aP!N3-nMIQ*Zn=c;q+Zyp)WeYg;;_a5He#R8i^st)~RTX<06wdzoa|Fv5M?e|bZr*gggtSqfhM;j8?2R+_TA%&I^a2wbAL zLohYXW8}moWcOc0MCCl*`~&NqE1c_BU*1CJ#%U-G8{rbx3$<GtnUD7v(8h2wi61Qa?TozX*fW>x`n;l&XUn@f;+K@S1S2hRTGQ^ z688l1H#H0B8T&r&ntNTd_+tCAZZ+IXn!lZ!{0Z{ICSX#w5Q!}=&l&SA5SCMBfUsFjRxOng0PMMZOHVEOmxjVe0m2#!S>qsUd1q}WogF*)c9t;{ zY?+-o2bqYx1D%&aQvjoDDap40l7k|oCzm}|i^ay6ga)Qy4I6g6O3&L&Jd|0;h&qhq zs9_W~5M?)U5dEWvR@T}+KTP?`zN1p24V8*!w)_|c^S!m~&Ey?Zy2nb5~Uf54c;l?=GXu@sRx z!&t|L>#jRRexVNTvKoYtY`cEhQaD<80eJD-uMikY;V!9#fy{YU#3*Vr&%=iTnAKeI zIyWvY9@ptRzEaERFpon`A=e7%tNoRRqta!y9 zM2QE`K%i+&KFl{HjBpHv|%gktkop1*o1SH&?(b7gJh(X{FB7Gjo6SZ z*jf|g+8D{yf13yddL)MKKw;7`(#aF3XupP-)LzbXY>HH|Z2(+EN$^w`5Cy8}re2xM$8=29E5FOA%@+=M#yBIiGN8s$-i}>inkMRC`AJIKNfnY;7;#0^Q zq#S{3`FZS_yo~Za=keMfnA{Qa`|Qix=;_-QwxBw-3U;ZywCSSno@K=y81BqdV?FHtQ?t6lI&pMV$1XM=M+`LC_; zC^?VFe}+Z;;&rox{>D6Z^BeY2xW+x(&Lc|SkE-O;NbuQ15^Ft71Q2gA`4LqIOd*5t zjXi`wmtF+Qx;T@BNV<{iF^HxV@=5*^h?5Q=mOM#I(mZ33jbLpdN}~HPH`X(E6QL~! z(iMhB075cr8LP=khM%ekGHWlmS|_3@Z3gYRe+$^z#AdHM1sAJ6oICb-YcP{oj6t}> z;xbEMkTp+=;iTSFR3MiUWek`dZfpa%yMeL;I>OVKTB2L z?95s2L6}rxofX-dcUJs2eX$;65cBvE_L;rYgn>ls;`7KLC?S6~mODC}q!R(!OHC}I ze=R1nttSR4d@TQa_wL}tk<-}Oe*n98j9_5L7g{ek4r4ZAWl?xg&RAFkw$6zS^{hgrAUa@ zM3DsAgv5wOtX>h$13WE$6rrhyAt$XLf7fvVV<+eEC(`MbN*-;w-sJxT^a?wGJ_aI4EE{-$7O6hN)}{G zs$im~8*)(|+>ES2!ilVycXWEzEzik1@h>eXkkYKe?{5kGx3iU7 z{l8sadg&)rIK;qDS4aNB58iG?c;@QQ&A$qHPE9O8M9l6YPC**^6ehPcl5}E`Xg;lx zXf35RB!?Z6pm0h>h;cJgf7#3*$w#0loI}fjc?zUY9vqWZ^EUJ?!a$`ndy`kNX)`o| zU6e>}DJvjbn~nJJc06_EWwW*yg8u*O8ZEVGmgV(d{1H|4$KjrR42GD!&`WCx93++K znR-bY;329ZDZh&V!j2*Ady}5izP@?5+SbxG>o`cbM2a7SA>}ZPcqRBi7hN01+C*EDUn;_!*K|Y`Px? 
z5J$dVLJSfUm5O)YwXgx3DB&A2-64E17h?-9v1nUs0v2N~e+Cl9Dq=eWrl%}jPK0xR zu)%yqnI@zLNxk z5J>GK=%LmkJC^jbo=SVpBC!Mvmf|R%I7sahpi>kfK5`Ed(+|TX`6x^zNB;c&Lk9Wu z^Dj`>a~|^Wf1QX7-A!hB2fPVXnh*jAtzF5B$ZfM>a;rgq*9`vaks2^z`IcaRv|33o?gf{@+t%smdTfNk(}uA`uDB&pK?FEZX*n|gfy$t|7}TW+wv zSX<`dMgTELnrPc~v~3f-+}dDFI|T3OgXCdIE-5#{f0%Ou-gTF8@dZogP9Y}PvbTQ$ zT4EbdaV-MWttg8-hLV^m1Sz-h-X12BT0YL3;AhwY|MK)$LXp0<{3>GK$ygG zcrae*h3+z?B64o_Toc^2130TGn?`zI2`| zWl)L2;po{`3yse(Np#<*mQc+LG9J@8a#Z-=**0#XE1mM<)79 zy#KdP@xjMm@$njOz4bSAZ5iTT#F?($M1_vCO$f45H{dUPG$0F@yU0%)fHMI^VjDp$ zf0D=>L{lS%pp|ArW*py;n*5h4>IMRe@UY-WE_TvuAO8OfrBvv0Yz_Dk6oP)#}2*z z>Yotj(*sW@28>4X4b1{Th&7CcUU+9r!W6U%M#{rm-wv;`vj|;(8Q*@+;@f~<{rt}; zNF+%mUB_#`yhQZ~*LI*LaESILO}x7zPmJ*oI)|e@WbZXpn%`?^G3r9n%hJt0 zL{{)3WnY_#GFE**Mw0Dhh7~?>nM_Dsc0--Kt<6Ef2uZ~NAtF) z5EfEJED#9CHAeCnzHpT$!;=aMvAsW1qkFKfWEvYP&mc2u3~F%##H`xgHWWsZx7jg= z5X#!FpsE_?iM;w2r_+QY&aD0qqEke;!?YHXU#O0eID2 zL|Ekq3js?nyw=wY%c;_SnU-98F?83YJ&Gp)Fhupl4*eQY=Vyyf9K8c z4;zMm zBZ(DE9;A}YdJ3FZf4Cw*UdqRYY|2{1z`D~|pFIuz6Wb7_CAuOh;Ix9hGFr)Bk-*lL z_lGcG@K+>|FVTpj;4V+XswbW3do=+m2;ybgP%I-YN@goJxdEkl4a917kP)*OWc8%m zYx(;Omp>`AYY6P&@PJ7KFbILq{(tx`5%c=r0E97&<7zi}e~{!6t?|U#^M|9~iv>tdGd6|b{qyX0ue+w8z%$QS2?z01iT#`kB1Mn8H zpkL2f!bl~#uXF>FP5aQ8c@AlQ`-x>Ju*D1<^cxk5Cblhs&09@z8aoP~xKWr$I++|B z;YYwVHe7>u+%UpiHlsdg8XF7e5$n|nA89?EM-2gvwv#p^CwK(a@iU0h^}vVnWydx- zw;({$e}=%g!|)FtLXfnJz_FD}tq2Dy=#8Vyq|<>(yD|`XOR|w*YDa{A12GDl;pE{o zKx~E+y(kV59_x6oUdAA-=Pv^YtLp8mojGA9GscgJ8pYq=xMykW3&wa){2Uh@_Z5fh3TEqY9Z3qloqGhLXI9)RttHT|8$K zIe~-$Md_4?c)x8(%N&Ond(TGMIcynSK*PX1drY?;Y>hrW`$)9$)XB)ySF2| z^CH@JK0~1HBLJ);-$8*bYK9jvhbev(-svQh+`D0N66BK)1*pln9s#mVC}l0$sizU6 z@1fvjzir^jm$ilysC+2-diKIM?Ff7V2Vvqeinb{_1+SWUczbsv(b$WP1?Nzoe|8d~ znhoSRYB@*^jx|)6x1cz35+zYn2v)Wci%@<}8@Sx^C-(4oZSb zQ~CvTmdv5I{sjEj?1R5_3*t=ue-s>U#0V}A7{qp|@Y=RVYqCUC+8R{3^zgm7QMX-6 zthFo=&P&P(5cP=hWB{on!(I!w)s0ZCse-?DJ%82oY7Ph%{LW?;c__7n>R*>0-=#4Vl4$c`;N&gHeC>_5_Y11_fY1LXQ-q=b|+A%I4C$!fB4(Bh%p(X 
ztaO9zDjiSkGwX^U<-3(LLPo)HRJUJ6SX2*5EFUhjSd!X@5)cZZAo=PlO{bvkMA3Id42HlFTjDN^DNASwGOR7uB> z(!PL!iFpLn&mtoC3cHkdPfn^4o<#VhC3{mWE5m7!& zs(NIS97*&eHjuIE+ENY>FK1#C0*eP3J zIV8cO4#K3^EPPMw;3F1TB3!){waIf7z{e1*=-^ed{$eJ%)^m{fe-bPCvCsZ{;FEa_ zCPNqe95=w|z7;<87vP(BiUYBL}c~(mo``oT>?E3?#LPa_d4>+%$6hh7rhW zwCK40PLwzEBi_5Y9|>{ai9n|g@**7wb?RXZ(kd{>GA}}8HXk?@=EkM~3NhDUnY){i z#8TS?A=JH=ya368e^sovuK=AuV!sJ3IRua_GU~bW=x?4zn9~Sp#8$+Zwn0Uu9;>~2 zoIzMy$U_EUQp=#qrqa)km*#f-SW(0v#pFY35u#j&lH5k*rmW*7f^=Cae5e%jROHk4 zOje1xITxyMEpuc&$|et4M;hffaD=SNM=zXzb3e&0)gA?C1+=Ae+< z#z4v0B$56nIcC~|)PM9bgk~Ivd(kX9Mix-LYXR=*bRMZkp(8b*jwF*Fxf6;0yAVSx z;YmPt4JM$d%84n6MMT6F#3DN95`^owAUAx33ea|vR+YpY{j6n>)D?c*u=e%J#L08${Z=g!RTwR;=Sht)&t zoaT%}%meFaF9Cxw^DfzJ{HdzssD*(Vvi+TOPwK3xBc?$$kZ< zrJrfRZgX&6#eV`-^KkDEXstQJ=jW&v^HiW|-d{imbI5$?HCn1K@prGO-)p9ln6o!v zp)%Rr%p--Tm4dj_j%pT5E~1n5NkP_`L6%UG>{iO5U3p5I%_>f^!Bs)I(v301i|wkw zLfa#(cYnZo=Qp^p{ss;C42B7t@Eeb-9f$(RrwpP(`hRBy(XvPmN5VD~XL=F0KTDkw zpAq3Cu)WATKp#o3DeEC)gv3$2gzWtz9KjZ;B1_8lXqP_Nvs%AwU*-}~8)?40GkPMJZS^$aFX{fMnI|3HwI$dD!zEX)+?vc7f%b?n4-oljA# zV@}8r8?^yz`eE9gbvSa5VAS;(%k3Z0Amtz#ht&wLnph#}(5Wl1l%9aO`2lME*Qhe< z9Dnf-!PNc)<{8<;e-57FEgWL#Uu=61U&%2T`QB>T3~AG_QnC8OdBm?f&gYh?LKo(T-qLx3j3?hI?MX$SZ0gkdM^X2o9j!9 zwUt=O{xle%5h9(Ons?lD?GQ7*-*M9^g zC8iR!B@-B=iZlkUVR-d>OfCIL<#bR%YN-qYNiE80U-eS&#?RWvJlIa(KhpAuit#n! 
z5f!l`JHDPlxd%NQNn7i$Qbih+dPvKsqKJy*Cx?)q*Z>FfT4xLWb@xkDjJ&~#n;$TF z=6mQ`pP-F{o2haY#qRT{@SKO=N`I?Wca|!0j9KJ3N;wFXr4A|uDNP?mdHM((`gQcy z-$Ik=EbY|{s?sEfOrtt|nl@%0m2CdO$5{LN?^vGu2)o!MS$~jFOeLtR*oC>{2`mi8 zGHRQt6at8XBy}DB;$6&!-m<+xea<$lX#^lmAX)zeiY=9}n5h6Ak6@uHnSWCVjcy0# zv2S1*eh)+bI$A4E;Kdry$_q=GVCc^S}m3-e}o;f3N=~X;nPhP35fTLSu8Dw$l8dbY??uRi6Op51@%$i z6|8lBz*_4MxOnIddQDGJ5r4VG>~M-!XbdR_G<&5k_8C?Xu~>T-`V^a$pJG8pew*rK za`H(^gi+;?>;sc1iCIFEbp_KSE4-y8h+QD4V+>YnC`fg)^QT}hYy46BB_O|sLjy$C zL=u>1V!ld+y<(9nP@p{~c}ar03hmh_Omo4cAEnLfQ`sabs#rB;v451!(g0BkLo2Fg zwwT#;89uZ+zGm>ghqm!&m^$!&Cs;8v=iC%##NxIppzqanJRxz zj^O`$AcX9QQ5DqP<%^gYT0y6G8D)tJ%ppUxSZh?MzE6N?;ar=!`mOfIfQWi%`9pGu zJf_cXR3-Uw2V@3IN>aiKLLfvLYIVb~P)S9_K85vY$$uf5#nJ%L)1LA9SiP#_k}Tq; zbr}l0K%ntD#@2tr$o#j+iL)auMgTD&J=VayLGPc{s`7@rdXo@b$7u6YHH%bDD6``o z1f(7%nQc^&`)H{@kHXYuEsG=v6eN3q=y>0(pGSAw6V!J;L-p_*oWAt|W2Zhq*Zc%Q zso$bf6@ODPO5A7RvhJdtd8F2I66IF5@`I>I8Kj*e90Ez|2(8j0y6o4{ZD%&3zprA4 zGY}M+Es~sQNSURTx`Ea6f5qDIAJJHL7PTqMR0*m8JGfc)h*K3E?Jr=-KcT>Iu*1t@ zom#L<-@>^2IaUZsYuQBwh&`Rp6A)XPrZ)D}Lw~U65sbFS?98`e&E@m7WVYrtwH(SGh=25$*c#>e`EZkL6O? 
ztRH4r4=RAPz^*BY3hm)pt-a8mN}DCnRDb4oqlXI8&iv3h^9G{_e}t=U4Jo1`v{)H& zMk=bC7H%F{aTZkO^s3pT{=hAagdW3Nvx%Yf8A0@g4=zZr=>o|)BW`B{O z`79~~5bFt)Wla!*AylT05tK2Mr;Mq!hJNR5G#bt+K&n&4W(goO?0gHT%3MU#@^{#} z_!rEKzh}qXU^}RSv2=KI)md2EpTpMh0M;a`0->}-7skm|6-`gcGW(xWs5v6qgk zO;xf#B!hvv!LW=&-QQrf<Qt{PkxQe$Cs6Bz?{e{1n>fHlmFMps5C~~D- zsqB>nIO(iOv~KB<%s^57D2$v(ZRRot+hsOu5w?OAW)qoOoMH}HWydVhF0}K121J6p z0Fn{5St*q6S)~lhVyXJEy^{SL8K>BpE=hBa{H?@%^Ng1R=FrQnFvltchYjjdoH zHy}tGBZn*dTdrY@HfwPFIe*fl2}f)#)u9%taWydN7?2s%a}vzzbL{b6$1rVHCsm{@ zvx5raA`ouq(wfodeSjv*Iq0P5G|`7b0wQ1(B#GT>MsZ3r>U6W{ZhZh}$8%H;eS-@( z-(mdJx6p;2!sWT5rj?6KTPX2eqKceCd)+zu`?Jv7PoUDcp|VJ2s(+}+7;P0>#w2>E zB0ct-aOABKk_kdGqtv4|brD8(Kx6p{OrQN1wod&8z4lu$u;ZDTGsG@gQkX61^(~#x z;i$O+SF#3&E%gW+Z|VPg4Y#n;{0+vPREcC!4SCHL!Pwv}K@nvUa9p=w3q7QwpN1`A z8Fu?sSf_u4qw57qEi{<^PZ55NGV*bR)vh-id6zqtujc!IERCs?{To1 z3bOPDD;+OUd4TFsC{w-12}IE^EY_ERXtP<_96bxwOjc2bM}KwJgb0C3Hc-h0K4($M zH`^Il!32Z4M^^bGXZij{XtS0Hl^u~PsPEaV-)?(=2uv~I*(+(HK-z4U28ehF*s9p$1wL zxt4jNn~-=^9%(QgqYb0Ypq0vF7AZ{hGp7YnL_mrXX%&;2QJU6{2FETsdY+-Y?In7* zzQL8d?@=@S4(0V!7td8x(_R<*&cR6AEbARIt5rpZP=97Qj*5agR3#57i&aAfDNh|m zeeq%R(ZhF`E~@ZbBY>nW!X%xKDpH#~4@ci~9R2zqSe^S0p4=UR!62Nx1xqp&AnzpV zr4zS3hb!|qL$L;lBlRfiQ$;nlF-^-ZkaSdht)8z>;q!#YnX<{(5EcTbtd>|S_f6Px z_*lZK0)Njo_Y)k<6LzZ2OyDjydOxDQ@&e3!UzU_PD%m{m&!VIHJm#q|9aWe3zGwwg zm}dx5^djF&A8hO>y39sIF^8zNkl#@cX?w~MBd~k{ z$Q~rW07TY9L`nEwTs4RIe2QkXd`p*soN#CNby{Qz4&-3+bP;hxu6YJQ7A!70z#+-5-U|>wEi9;dWnW2&1zYb zS5(_4YEYg*DUUV5QZTA6rsFP?YZhwjAPN#$Fcgaw&5%w&JXOokrFhwai(uoIxJHY$ z*8UNvX1>G5;7b@|E~75)+i=7C<0mB9J8W`GENp`h5@K^L~xt^*>`^;tk4j+nC4rS;rcY#qXmy&Ci@Q$^XX+Q_&c@ z2u43g!lB?}!ZW2ZhsO7j zxCIodiG$h1k;VI-yKsc4u(}g)#4p2UzXto<4{&t8AdCmmZ9J#WP?&H(Mt%AkRfKRP z6O_a`LUTj`GVI|0k$H#^Q$>wiZapL&n2;g_h3`&!l8_>IRX`PyoFs#1}>Pb#vfAlh0;KJrp+ zD9>wABd%Iej}TkepjOU{BUbt0En|Fe8GWG@O8E*hzZyhs;W9hWEYxM7C9MC!EY`09 z`E0GefJ0!}3+euKp&uB(|uCR)V4h z_EeeC61yc?gaeJ_lFGbpj{1+$6L^G%;Rl#n`zt)QbplkaY*r=#$zou)=x0#KP+pSJ zpmIi^|2F#lcL~FdPt(1UM~nr77@%#Fiy7%;nm2(qD>0~n!oXgbKv)t2>Y}UNt&ia8 
zeu?U_ces4}8-H}Jy+JX5pVN8{uIeMSRL7wAT!6!P0<8ojXg!NE`zch^Y@jNAlwb@o zZ;aDwNt-}J#c>SO-$AhSI02bPE$xeu9nZuLSjRk4m$Ql1#c#2F`JWhXc>-tprUIls zMMC$Mx=cZR*Go8ERJW{?gklFC!r^A~q@92_^CT7I6@OMk-=R%Mh>{5q!Eq&T^HzhT zp7zV7=lgGZf_e@V_VmMWGPgL|pQC>EN7&7m`I62?tht-fk1R}ymu->cXx8=-Ei zILkcp8l6=P{weHRghZ`_6vWpfFV0LrCe*P%0!XeZR{T7Rm7&%_45%;D0MVs56(Dvh z$ic36Sbu3EAQSI#R1ObFxUN=C1(0ICPAwKHKtw&lby)&N7!(QX*@;GW8ky=XRe&TN z&>=m-tBwLHA|RIB6^!(-b+5pZa}e44rC4r;9cW%v&k6vs0>~faklzC2*O16+x;CRF zfaI{F7r;gpi3!`Rz3e1=SrYgsQ&^G+O3#M zbUSa;X0fxj+{X0A&*`Zea&wRip{ec^257aavU{oAE<)l}S)`ciQAAjZ5*qlK^`OOb8NEF(P~Q0(lPBKd z#DA4H&=Z=Px?Qy=!%)42GS_L86N;vq6RJ+j%n)BeaH{gDBD7kfBGt@+M%pZM<~;gs zx6oa8751D})FjO)d!;o|k|osJu44MaKe4m*Gn&hG*&)}p8L8wAj^;<&VQOcB+YX^iMW3h|FSnDp%O?9h!oajN(v_0Dtm5 zj*h&gioAd|=@v{RSS(gWcEcxIB?|I6sB5e0T8GO*W}+uI;u#qSg!a6cxu+s)AkttzE`kLy}{*MuYb`v_Yy^x z^YGg)a6~_dGRFy&d(XjQ*hZV_0)osVRn}9es#sS+y&`oG#w4mq@|c3eUvd;9_4g6f zpP+)wqBcopiRP76F(*sO`6k*XUSaFnKQPz-R+Vws*@0zN$|*Bgg}ZRJa_WWuhP+W)L~X zM@~$vFIhl}0(P6lHTbdZ$I%Xt8>b8!>|_2BxmS3dW`6 zq+CkhmpD2OF^4RoI9o1|llZ@~SbKm-z*qMpw8v!Se9uHu8AN;EO8p{= z)T(-|Zit<@PFXOqS$}(gsPzzaKMaUe_eM)-uRvj%6NCPj=;9X_?7fG%jeo%JIl<4? zf^1seEPmd(@pY)q?M5}>C`@v}#}3==xkgCt)1uvmA$NeUx3dwT%ucjfFQT81>r+|? 
z1A}@Z^G7^$2o*%fEFzFpq*F!w*U{1c5|zC#u)NC=^)zi(<9`EG8IGa3?lh_^*H9`Y zDD`I$sy>D$s)&_VtHO4i?`2BaER{o&N2wU&ux8Dp+w?VhE!TN}878qz35!1V zwZMBcW)OsAs(%Y1ar4%je2hPH6z;?$aMpYcck^?2s0OYisz@du>w1OysUJBgorRql zc8!X8xcvij%{9~|%)vn=aWIS66K2t4xJ(s!rK}beWCdvl$|=Dvg0TuOM>Sh910W?{ zpxE1!u4NEWkWpH!6+W*`^V)QSn#F4VfbHS;I63o50e@1RBpE~$q&WO9*YGdA!I|st;23$1LfYb>?SCSig)7V*CmGn!!CZM5t>$y^GXquH zPNK5(AORUs)4nwV2%C|a#8+|zgN{20m7ikv2*Z)g3_?(Byfx))pmqEe)-L}GheyAM zBVDst?nDBTxCK`(JG<{8-0d7>b5EFMJHy7-{ zN`M`Fk2V70U~ZapKEk~J74}(*C+YP|Rp|Ct9foYdwG`6xN?4R|9xiv69fev38CMx3 zJ63iXYJjYEz9k?Zu{HP(C#GNWKe&am_@tDb}Qj8p6>+NT#5VUO~vbg6Z*Pv^$oek6l5=fo=kO2sOGfMD3TEtpA;YXr=H1 zg}|X@k=Xs(qM@|(_)=KQW)S;T8no5_Y!%csNOB3a1-9}zTA;SDYRKZJC}nt$h<}>; z6+mQNL}s#N%2z-sXSg0_rg({t#)k+^y~51Of5BKbgiL=jlr6|h%VZhe%nphvlg{!URk+LS%f8#p*L<07QVNs6Mw_@nSWxya*HE3!*tSy zDhzZI61S1+!T#j0yA3x3xi+qgWB!8abYvgq& z2+Ix|bBXReoDGlQ_TQ(n9O3Ue0-xMp{25N;Wxk(PjMZMo&cJt=c0FN+S%E!qUb9*W zlT@o6EP4otsbEA|EIHE0U$Y6>Kvh>TNI*nE$`mA`B(hLgz@X@^oF^a$Icgb@7NLhj zKTHLAkLAz@92t5~K&T+e_kTFz&nN|{q=Nhs5G{**E_>HTtrk zqF$s#7isw;Ty?ysBxx~vwWwz->SrdY(x$X&y#x|%RlQiLi9nJ@tACX)IYib)VoH&h zXlGD=fp+@l(7+Q+ZT=TR?pXO1XOFA9zo0FDd&R#=s>^;`6{2g0UKf#r;4R^viZPpeWJ90La zz|W3NSK`aNpmK&NgaRSu47>@u7%0Ds_0UHwxLzTULS;)n%YWyn6bh1)2qf`$Br?NT z?!X&*0(Z?7c;eToCd@QL-@-Ng0nXfGu*EOoaO*Q{b$mo$=ae% z2KH6ubg4?-%B&UwBKy%-RLO||lF89dsfdE4426kSxGLre$+Bj#7&JXqlUVI~i&bT@ z-r+bE#GXtAiGQ0`vsixwhz5yPk0t8}WjP@fXS%5<5`;5VpsOtPK zwPqoe$;whn4pD(!K+)`$21p6vC{=)D$ht^u1xMyH7=Q3RLsQ!m^sj!z7(d6t6t9{n z5sQ`0!Kf(7gIW$;xp6ks6^|2;v;3J`==a=3yX^|U8xM11J#DZJcHJC$oj1_RU|mSt zRTSsfAfdI=2_&>yy0}Idat6@Z`~c1Uv{@6cu|pMUnSBABT;{A~5qu5MO6Gg-Q#pR{AgjVHQamP;gWyj=-8ZPZhb00a`7GY@JP zK&-L6wco(x@xS88nZK*6m01&HN|qg%khl`q2Wzgv-SHYe_alb&6Dnf_2}m&U3_JfB zG!Tk;=WAN6A23*c2flW|FwBN6*7rC%`W`#o!u4ESJiPdUv$giRJB_Qnd za$WWRAt2K7Qq8C$1aV(wgq1_!kaZE+n1m|y#sT3?axC4WoVEFJPQvqN~Prl45dq`P8d*t)Fg_M(0^_v z3?fu^9D~+7XshB{Emsm93`4d%l{vyo z73p{dpY94R)CqR_T>@|xK{h{u=*Yi@^~Mia^L>lvjEe{)p4FN_l1NBs&4Tg#xw32U 
zx4eSae3Kw;!<)e{-}e@t8A4J*XnzPvf9)ll9Qrdx>h8iX>oW-pDvvl4XR)s^!Kq~2 zR4_z9WU~~*Sz73ma_p%{I_;D`)dO!8M*-c0I-fV43er%!jJ58!SZe$h$Hw1bXM%tv z-XI_opF;ZY0iun>T0K^BQ~~ta9NjWJs_;((q=*^FLr8{@A3+bByNb~sdVk06RhToE zk$YeoC5Zztm(H;RTM@ZG34c`bzE@`Qd+pb7Xie5cGLf5F3qxTq6=bjEMBbm=N*-Yj zNv>6ZROWUfT@G}Jkd0wq0K%3=rAdnv1<@c$V_26;g~CKP`Wqgjm6@Vt=p`l&{|!y< z^Hd7~#6bHbR?CQrtTuI(uYVlE;$c?opbZ)h+*39yShIt?7zgu)Q$Z4_-a?=27IWnW ztyet(@e&F@0ihC7O?0sVl|^a`r_tZ>6paHf(6jOihtIr(t?LQ&wA;pldGtE2qqKAp zWu6N#8jsLAZ7~C0MJ)lTs67Hh@(2t9N#dY_Lz*RR4*hl4F=)97XMg$<6@(!@afwPX z%Uh~REW^9?3dWd4w$A>HSz1hM+={YU&ZHw$kxjUDv~z9j*bUE=bqXYiGK3*WJV!M- zkEz|I@t(ykbZVq6)LLy5h*sROeu*3 z`Lgt&+6!XQjUp>rpwV$8J4`^{V7cidPE5YT_UJ2^O zzYU4DM-I>6^?tKVf+iQ5sufZ385?--a3DO8d{CR{@E@HFsBi4N%(35u)K|bE7;5ozl zr};W2r!fQQ;x$OcNpFt{@$s-!b@2EG3)3lIgR6eAF$wkiC_lREN+>A z%wwNGkbfIjM=%bu^RMxCiJi{*3qZ1>tB`g;&z#bvPBp15kQ3fDKzcnVvE23!3&9WA z8GDDV;ny(5$x8Yv0g-i(-v>mS$_ z5n5H7r`-Hv3L}@071afMg`C3Cq^5c`7=9a)|9>qY(o$&wD{`BWn`BZsM6KV1LD7P` z4wd;Ggms3mv4m&nKHIEc10qws%4W#`6f4^ZW-uCf0e{0?^vr*UnWewOtQ%vdFd{R$ zMw`uwv%*|7jFMEpvQr)QD`>C3ggzgC#(5pqqG{wtTTvKG6^XW^%XSGpj$5!5&+)N( zLVv*!pWvmn606mq)TA__Q5~by%MQ~p@Cx%so?`Oo6I3@mKzS(#!=f2Aqg7J5pbmGa zBOt9+C(vm)4P(j>2f`jyCiE#lY7#|B2nkiho-vDF%QdP9|NrbITB~U)$UFn^0xh`A z6!Ct}4n_x_;rR03G3$KB4tY@7EN7Brk$)}t^UuJ|j_nIRSJ}cxWe5@wu~`lA=g^dN z8AE0Fa3u62<}A;Zii8p_ppl@2lFliZ8VQL%jXz_(4}a(d0=kRv$8W(~bY7{5d*XX$ zoJ}Z`kQ1rGfzCD{%+Nl_LGKP!kHhJUgZ^{OAn&l)@Erkpjg7(AFh*Zgr%eP6f2<&%SJSgqhmwOEN^_c# z98;vqI$|SaEkrAO&!vJ?@lAL8moYuMf&kS{77H^DbfUiUFv|JfA_R~K$syAI9g_bE zAfNARfCvb(cfKgiNkCH7ddKG(t$$o~c!QLk$R3iSbhm;+`x`Y#z62yS3`j<#v@)df zwv_5T|Cye&$uM>{ix zY<}|9ZegP99md+fMMjKNQybK*qO_6}Kk5obX|t@TU;yu|zo^t>(0>PQ9O)}FIuslQ zRE*N(2J~@M?6O@&RYo@oV_eK3l0UR8ve!zJo6%@Fg`WPmXn!1efn%qiAT;+FmG-Ns z$e)3$WCcxzU6j^tpu&BIgTNZvs!yYhj|m*r3BBPKRuai13B$0ZO<~A-1AV4zsLx<_ zO_|S2L6dj$CL1);ReI=7CcGY@aHm=x4(wZ_ZY#H(^QaM zf^kk$k)(^7ihtaAj0wv_xZ{@vkQ&tFcBvUGu~^2uKIBRrkknsA$pWFM zh+Y9$nD0uVLz zsU2MXYd|ER{~C~#h*||m4g+~v%rcrROPHQmWoKGZi-(!}2WSK4QC&EQgsANBRPVoo 
z@jnG*Pf7Lwk;jXfbM%=3wRe5bT7A0Z`xX0T(#fpakP6^x7bW3HmZnsMfJDe*p*Gzs zdqlJuEq^_77|6X<>lkf(4NK`91_Mtp)%-nb8Omj&np8HZyeL)Ih2zQw=fqf44(W7U z!2oTRgmqcu&5aV9B`Q*nR?`_mauY873JRhLNW6q~uLcQKL?5p$9$IL_dODvXIKc06 z^EsA|5s-#EC@*7-KrZ=faud0;v;1AE5%CBD^+STD9_ zNCnw}F4gm^YTocgbUqa-{yre_?4WYudw+IhvzpS?M=z^cv+40wr6i&#SrNl97c8oS z)e@p}{|$&=xBnI(zseyB5VpKzE6Q_1Q~;TQ(-h=0DB9r@H3hw}GEc~TZ68cHhwK4D z1^Lvz03?lrP#yEdSi=i=IaqbGvrjk6fy>9K-cl%PP*d+>iH*7a>ayIqu|_zV6MwoK zU!&i93xhs(r1EtX#k#2$HWbimSqmpH=)SK&DUs=2KBtTIdaQJ7Z$HMIA= zMceFioI3Lm*1r2Ft2u?LoM8k?XnksSP;NO+WjU>Y>#RM6<_i8hjw%w@gPM3k65pqq zF@6BG2}5wC&tcel8{LL0s-)Z!KYvN}AS4M=_q3>5ebNesYH#A?(EsD@9s2)6%pmLV zFo$>(w&Bj(g}>ts{H`bL*yl7Ai91h7E+CK~w;Ujf?qa){Dq?z#w&btTqyV`@IM^i6 z6Ov}$HX83C*!l(y`fCL3germz4t{`t?0W)u3BCgd)e8HOt`AsozZO7h;D0P%VmMz_ z8Kg8Vq~O?FJ=a<(1ELZ244~d>djBK`L%R+oX$~xRy;OiqyS~GPL$9<`P5!h2d*Lbq zv{?BG7R_d;?6C*P=Ti4S1SCQZaFC-&8>u1_&@prPE46woIV-C&epM|Z8geFKEFMR4 zY{`E{L4F0vo`Ph?RWhizsec(OZ5le4&xxAQYDsY=gS>1Vww28zKgAsWo3*T^0U}{t zrQ5F+)TA^uKouD!AST+ZCI;~v z=y6@cP~aij%;!;_(oD6mp@<4nlHfo&Gx!|GPCY^U%so^x=$95u!=5*d)|%6(G%$mDE^?issE(JW zfns1&kSG;7uT&&hxQV)0sz^KodpseDUr>P9;^q;`J&q%tKjBc*M}#tu!zC-<@f#|S zc$0VFx7D9I z&2blKyDsvUb}Q#9g5GCn@I7OGIZa4*&`{3bx$rjxf=`)mXzSwEvC;Mh8_Xj6@)N97 zk9Ac(QeQrg;uJ5^!_~WckjNBoVWOF@AxM==C}5{gJ5Y>jj(?`h-7nOk4b$##aBl56 zKZxhh|7jhzqGc+`HVSAvlzJ$Or4=ozJ?Z}q1(D-G6C-H#4g?6o7>c5_)%3~X74!s` zDeJPDK8dQVQQDd*q{hoZax&HX?_m620g)!QP!5;KmUDy^7+*~H%7u1#Tgo7BE1QKb zBN+aBH9%yL(0>5YAW2sTQ%DxkDI1$E3$ZEnYA^Uu@Dbk!T;vjUa#gVWcpEybmzYC1ihA#0z;hSIoBA_Rn1%Mhn2i92Tnqq6I;@+|C9n-w=nKtxHXB5@0- zXLBX4V%+)=rw0Co;p$sd56K}L1Z5Nc*dy>2o`YX%w49I7m~x(hU8Z~4;i(EO@ys1@ zS20}t5Pw^t@3CrshmNFceEce{)>SmeUQsYL$DiYU{*3WHni^iAk(Mo(aGcrZBm!OU z;UE72!P3j{GO+g)p2dlQkJwkv5y(?{2>zNwl=xA0XvY_Dh|SWPbaNLIus3L{tG)*mDwt7^Kph5=75wo{!oPVYa7RM|KcKGpsA+J6@ib^lj@ z#QrG_Re9aa8g&W~70_iRT{cR|tQK#J)7`XKlc>(`{j_^>50JD^fD|hQ-cu5(R*;;R z8Gl`lK+P6L8s5M{K*j>EFx~X6+Mknlpp9yC)OdI#R2b>bOL zpLqaN>s?e-ZKFJ+AEDAMG*ll$wRsyAu7C3caROb&^JuF&2~*0D0;EP1B%udJHVu$| 
zn3G4*Q*#~zvOt%05Op!4A_B=Y9Px9gj}=H3(NTOB+wFhB2D4Wn^(Yl&T`d|0;GW9tkF$LSyW4geqh$1M9rM&yd%vu57CUdcN!} zF#k$Hq?OWoc{#dm!;s&j4vkCMUkp#p1Qt7AVXgB!EH!?I^Xo6rTJj7<`{t-LTL_wt zv14ebnrNLxvsl`t*!~z0*@q#gtA8gPD5FY=9T> zW{{CogQ&0mGYYZ?h*bIt90><95c8)L7z+EDMJ&oJYhim3Ko4_ zBYdVE^!C0+;}C7u368WA_fTGYmfy<=>T_n$K-DmswoqMv0Tr~nE&6SBDu}0G9+k0e zv|8N+gpHO<;E-lwYb@Bruz&3inu@m>&NT&*=AhLQ1#!g9!kfB=1=kCX-2X(k{t~U! z1|iv0%|{gpmRv?aX0)vL(2>!CWB$yfywZfnleQy^0C_6C7!vinzX2U}$g>(c?&;r$?cfXFpNioy$pa_w|&p-|h9lpf(nZp4UM7?cZoPKbgut-_eH zqyQ;N?p6n_$t9aV*MDP)l6=|r07-?Evi};4--1Nio_fgQU@YOQ%I`)_q6vv#QQh`a z4G+j|IIQo_LQY&YjD*NuKFe&O{|v~d45Ec~fkNdFwY6BTtX0OxOVp*ddtJ9^mmaE1 z;mx#uP%G^Dv9-vFtby$6%qAp7@lFmFvjoJ9;sh6Z>#w1QDt|KIxs74pBa|kG7}o6y z5`Dav9bpSYo(Hh!Pop@J*+hbRbU*>3kM=+x8-PA0z=4L@qU9kvhu&cB(0wef-GknF z73GEVFr@XPwdy!6G;(Fmso5En- zRXU8zyuZM(u79bBJua*w64+zrF;H~{+uc9oP~aWBQkxZj7@jx{5`V@C1YM8N(E1j> zT$!Od6P}?uujLG8kb6voh7eUG`53dv5$uz2?kZn_OHMb*Y=0#jVbusv?`4}ZN&ZtI#zPmwfP9BTo$qmK=_Tq@Zu0}5f{zN~sowlUK>kQUehG*dIR}PO5Wx?z za0O!nOBiU`17r#%Nj>V41lcKdi2Rg6{vu3>yM;g=t$O@8 z%yDC|D@bOkAahDd0_huAZFr9pL;pf+&T07K4zq2-8&8`RyM=&}xq)H5(R5#xl!Rgh z5`X59xQnXuH%DE;WZ4sJ2foLO`5l$xI@;oHqFo@NinPW^CLtivgv$6>sYp}xUH%-c zRwkiqe}~5TpU{wZ9*r>sMBwn%ZZH(iK$j9wvno>lE`Vs$yyeJ_sfMFu9Db@ySz1u7 zs>>I<&~+E9U9U0i{T5sO?{IAP1^?);Ie!{Wz|SvCW^?{0fM`eme6bD^DV?tH7l2sv z1&|etbgrT{Z6ypy9~EQ)*{S9)Li&Fe5Tzi0N<~o`y?bVWe+MnqSCT)p3?du65($g^ zol^QP=MopEI>M6@VL&232X*=URNQ2RoAPj+!pgLhW*dfqV0I-72A7tR)3iS zL`s7q$EhF!haH7cc2uXgE1T76zKE*i zHrgyF0dW!zpHdM82t&IlNrUAS`uM$ejK9LMotp>@+(9{iUq!|MoHwuAP)PKgZ(Q*kO#+YvSbC)n|zKM=NNjNvY*Wf& z)ysye$XQI%LhW?_4GW%^@W!nxNTfW(AG3*I&Mtz%r)X?>gJ3Fydi*Xs{24UINDjHI zAm~iKjScrVIM(0I67p*Ki26a&@Bw2ZN-@y>^m>y#-KQ!P+)BIKkar0>RzgB{+cq0TLw0 z1PyK{!6CR!@L<7R2AALvAh^4`!{9sj-}<-qe!E*+HGNLisjlvxmRI_fC)b#DtNiWx z(00zD`nG~RsqQVQEX2OcuOEr(z&l8F7b+rkN0Oe$twSj5q!znhx?*7VIC(VU1iC2b zO{lHjs?jpeam#%)+!hT%-XcWASOo+|ScPp5Z}729uLh z0l4$fTrnwrwGG2m3^J&D0e%I6zTb}Cgrllp)P{p{`NGTCbrcgi z*c84Ei8CoD8aU)m*ZfFL!L{YfRJb?v+2RGZ@Z&P}?2`%wdCOw)Qz-OpJW9IrA5!JF 
z4%Gawp+x|lW&xezxKQXNT^cqE?^bhca~Xm|GbAoa2`t;jk)f!d@r4<4&)z?3blvm) z`RKSWA+K%+~;&e!`rnz&1^{$6;*nmd!i6!)Q~( zA6{y*$OOX-2RL8MJ=!9#c`Yv@6=4upnP@qtlgQErw}#f8z>64)2}# zk}?HYs6H3TeG0@L*|B`oR+^G^MpSW-#oSq-C5VHP?WT(ezEH56a%(>q>Kz#4OTiO% z*xb@0UG&;FAECvonKfw+&?41Dj<;J!-P(TJQX0jJlVuxVaMd4t0O0UIDm@kvk@@{8 z#l13jz6m#AXO)|OGjhmrZ%}~O(@Y=+Rb)`%O zX^`qvU8!-<%;6jdx4tU=*Ji_=~S#vMlcc6%ZniDF3sB6y}Lfp zT=}cUmfZThTtChdYa6quCQG6I2`dWatL?NCUs<-S{|*zD4qR@M43?+cF9-~eR5?^s z9~4q5gN}djL!Oz_nM02I=`v?2sFLAwS*1K?IsQb@FZQA)xc(6Rftg7^ehwQsH`M`i zl%CAzyHZJMQam~xC!aX+*LZt5;)o_7up-!G?kb>jyb~?TO8PaKFfnT`)3JV%ka4+3 z!wgYFr%9byb`JA4q8xtzxP@=M~FzovObm{Qofz*=)LQ%8mq_8vPt0;>@5J&7TP|OwZ1T8f1d{)KP`G$<4CK`%2!zX64*Gy&GeFft~p@Y}EcTRU2W8Ti4S=i>HO zl=;h#5sJY(Cn%73mI=`JK zEaY4LpezWC>V)ImQ93l~#=kE?M}PzK24z-sd@McYM&}8FS!|YwjKO>X5=s3H? z?@_WkT(U^CeOet4c(3 zT9rPVo2X;%>I+_dQ}<7&2L$;p8=mbOMsYbkywrnayHznM^DGLvfI4DL$*jb+nH#`5u-qYL3IpWpPL6?InO^rsMu=VI z41RvEeK-TtwqdF~dibem8d+7ZgFH#gU zE6LZ&h`_odT!);4cP7zn9(Ft`lA?Sd@$EaHOywp8hQY8O)~vIbE_d;8NJk;y ztL^vd2P)b-1=oRgD|lq?tMC)O=QtB1qWU(_juUejBhRx)uQ zVI9osYeSMR5oS#hE$FGzB9r1Fb|>0kFqwW)8u-d z3GNu2SOOM1sB9W7MMJ4F-fz)03aF+r4X52IyF4iB6)(|=sT5+@si^EW*}}pDr+VFj zomz-_>UF4XIamHvMHv0MV&WJ_!XT(NiuqYJ68VWXGOf4qT*yNV=#zaB_sTO|{~_Ab zP`n*Cmscml{SM60sHCDv81wa$Oa<%1R99=Yg`a>r@g2gCX{T{~?{qeXV-lY~Y`MmN z+})-mmD6817hIiw30jbHMg%)tp*;fp8nKGMXBRaRKLt`?H04g}SE7PIm8gldU=jpT zh|V_@QeXfC0u3M|!Jp^i}qW6#g~_tH}!k&W9J_SPR{P1qvkF({v54dJ@Pj0 zOSK&i9p5$V+~%xan@9K;fk3G8|A{N}S~yN0bD~rv>Q}z$GjO0i_;Pe4B)W!2k$>}% zG+(<>#KDxlQ6zy~F{36|F1PIqh1z$sgHWJEWrRK@4nqJ#$k+&sr;v!qbukLVV>%R7#%ade3FNiyaKi~By z23ZFA9m3KLJLc{X5XVQCd?wa{illRH%Rcg7u5T7d)5YDn4Dfi-O}A5i`Mm1oDu68W zCHwtBul$uiH_%*!)^{fe>e(-vjt;V=-h!t-_5Fbz5I*B3W*i&D@k_?7>0uM^Ba7n) zIa_WD*O3+%>@Vk&E46z@L{^I(r^sZk6To|;&+=>6eJ)d6apz=F zqgq(fO^|0-;UQ73DKc_LN@tv^$QC+{)>~GE{VsaL93ZYt#;PohCwv0$RYy9{z}ITB z7j(pVLSlj+k8zY6_SRXX69WvdVcnTvsp+L=Pa=t!Y&FV+a;<9Qk>awk~0wVFr<%kFV=yltN7*u!n%HY?86hDvo zpjfa5mkqkee2)0%BU7#ag*9R=>{x&)122Mjta?^{unNoYxfcIT9c#FUp7|p 
z8c#d~Fj!{9y0fRO7mpx2Zaer$Exi63ev#f2%^ZMs7mnY+_R~e_?$B#M(t_Zh8mq1K z&u1S9Zf@G!H#+pFa_6%d>yR?!vak?^*SVwJ%uG{7Mip^LIc0RQOwF`S<_k%diHbmD zW4BGIt+tgt=R}DbRos&;rK8>`;QRvmt7W@VBqnUr<0VEHY;ZAICz6e=wtI$N?Si7U zTaocufi`PjEWf|m#iBXvbdl1{yE`#^s@N#y*gnNYe6?W4yM_u6s$zZ+@&kq3BAfQ# zU+XX=i+(1F%j+Q;$=0Lqh4<73g46)-!R~vUQ}HWC2Fh-y+LTK@E;P{-0^eR4wrT~M ziZvt}N$=WWQmw06Ey}3;fnv{cK86a96E}?Qt}k;P^&8S=2qa=};`T6_RR&W~BP1~K z-bm@u>l9Lau)dPo_|}u0{T&U_4P8&nRaPt1VHjaRd3l5H^3ky$MdI; zzll*?rvCdT@BKbXX$hsSNBz^(!>?;`@~L)Aq!s*+E>*4ZaTXzoC73f)51L{|`F;LNXvN zdWrd3Uv}2}KYR<)_!Sc`kr|AO$j1ZW?L;7jz70bAMuhQGfs!SL7X*sog(ABnXCVTH z-DZ@{=LWxSJVFcuh`S+J7GS)7Z zrL{rdtA2@D(ccG9AIZVSn#|)J*6|e010{5+Uy)PL^V>C4 zsLl{eV#HamDlpD_FQq?jI*C7rUM;f&0q4^3o*FQt4S(aQ4<>d6n^w`2{B+!{J$MK$ zqEc>FIBUDrMdeZyUTJqH3D^vFW(#(l+wZK0no+pKZdNj4URfhCMIP7rv-B<81Qi|x z^>I63ouP$_|ArxTlE?H>!tBqtQ}u(AYz$ugzE}UfYtgNwDoAd!<^3p)?WZi*-6QbyTlix8 zE1yGj(@-^b7s`A5DLf_qUa`yd-yN3zHV&L6_?{eiiW07+y*qDnHg!ACJmTP)76*wJ z2lEdp0xIr5cWll(9Gk5^XnH&B0N!%=Ji(;ol-ZQoNGz)y8Xss-XA34cD!Bbj>Wn3z zXEiNI!LP75DwK5@b$`8pKtsFnsyprslS!L4+uU6*AXBt!+q#J#9VHSQv+HBwg4nv3 zS~ZhftL7= zP`)^>t44fd0VVvhVQB8JIj4baV1Mp?R0munQf?N)(tn4hZ0z;@5lIntC}^!qjacl& zui9%OfCl>MIC(RVrf+Ov2oF>^nhCw4tXfi`bpEY0`U>4VgHY2b+ANtaQEgUtR$*Y3}WFapom@ zZpN5D2DaJ0WXn-O7(jl}+c#Ywl@Jyq_XIk^RyZfFTL}DY<323dQ?ex3y@#jPQcz}v zSvXs

KQ8Ah{5KRV})dE90D0wVzJE1Ml7@Q?WUYa-S+E51x(nRI4(m{w9lZ_2#fj z6EuAYbQt_%^A*A1q#e(zWIQjr?)b8r^^>Z84NtVyoOj<-c_xs$gjmgpB)DXsCLO_@ z?8II{WzKWw^ies66 zdL`A)D{`ji*BzG6WG|pDUchFI_)+kTrfGxy*q#&U@exePVNk8$aFDo!#{=jXxdzxs zU|m=C9XyA&;;$*5!$DAj4KHmMLR+vqf(2k94e3S7$mc-q9QxzHjBarwNBQL|yg;J$ zhKg}!XNN3l>lYC6ucy>&_JaDl_L+(bW9AHboYt5fAyDbsYmc}g+5JFC@cH4|Y4DMR z)8+#wy0p!hb{g4;9!;jpt`MZV9h$eqU+OpJ7op7$$5zl8L zK4q!$g##+@3|)(Up=f(ocAC!z93GidxQX7JUd(tb_KQTc$yWI3Ip+zJ*4Pvz{}FVV zq8C{fRTNx(mvao94Y$8~-pP3ZeV2ZU_TKH+3T&r>`L7MsOENo#OqwyFji&n?vu&Nn zbg)*|osB8>!9mWKz*aC9}l z>$sRR2KO4IFyOmWYGhaK+!^4+n49H0kN?o|ub4^Gnb;s~-{l1a0Qb`~&%-YuJjOGeFhHQ0Gpn9@`j0Y`aCnqNf!B%xWqfs;ehwot zDj=q@<#4_A8Q&WN>m?^j+rz>ZQO>Hu;E5Xo9ebnjfLlD4`& zz4S$6D#c7si-{e)dylYDJ%SGv!zuewCroApHbYD2#_XRvtsmS9j~U4> znJY?EeU_ybjAxgQfnRw;i_j6_J7RZ9%yswn+*p!&pP7dRk5EwxMcXKo1VJY{;;;0W zmu}jw@-FYk=V2HQjM|snT*uewCr(l$+XF{6J;VWHGc*BTqNszn5)45!X%D?=@aTG) zRO#++8;)CAFwft3avDA+j38cTw6ym^(jf>-Xd>#sX!%LSJzqK8)bj8kq3T{@ z|9Z=~Z-@0~;OB*c$)D&*o~umA&(rK0IgQ&&ctcwU26iS7Yhf28J@!5pZLxd^wh4y37uQhb`lQjgO)At{Sa_Y zS&{jPhfeT+Ss-%lh&u}%gIXG1^-VtI8rSRiXwsO^4*vyOjLoFKie{4-d5O(x#y%k4 z+#kGvZeMFjLKO!RM=*cJJr-DWQ(1|wSv0Yo?w)7G0AC(8(9fnC{@JgX$kAsHse9}yp+3#DW%Z)q@pg6c$&`d5Dybalz zJ+ktOy39wJStfqHgbCmr5084yH@fCF^t^L>(;OemZ!oDi`*$=$e=B!61|#yyM4G_M zVCF%&5tw`wmZ;k2wv#;WiBI8YBQZ*y^wy?M!@^plih7)8S`j#NxDIw%-oq98Rn98B zqC>7rX>-!k=~w1MpgJ(@*C-K7u6wVO+-{!y0$Mw)hE~U3=8Y6pDosm(*Rka&_cqUV z=V{h;Hd6%t^t0O4ytR-a`{MP_mA9^)zpKrA6R1S8rx;nu^Iq?EV`)v!4Q5oRTCDLa zvNVzrHz%W?rRxBp5KEhuKy$dehsS15<|Lz}GieMJeQ3iZwAP()?R?zQ!h(02rrx?j z7qSfA7b@|w!hz30B`i5ld!iy`PBdPz%IDO7`SyL@PplJPrbazU{AuHxM~(UqMG}6&K%5s^DRx*EJhPY9>>zWg(;y>+FrqNz_rcVK znL`_anL{=_kV75ll9%4YKSz22VfRQs2ALB-a@U)Gpi{gIbP)MH1@9dq_?=K+q zj$_LgkizK(+B3c$a3SbIOIl|h;{$|PLN=s>AK&HL(%LDiXM($H-pko6Eb6QL`^BO3 z$mQL&8Tqtu{sM{?#D%HVlW_u%Kmklt0Hy-1ZuNBsr+&kt(4ph7_;O4sw26EH-X4Ro z?M9^cnODt*)I%G<_?(dY8~W>U@V*#reX@5N8b0}5WrF^Y=K(h!Y~QJ4Kg?JCJ9x* z+n4bzow!7)Lb!MITsBXf=%1}~bM?I!P@QnkG0l2K;ki;+aoG?9$!#S`SCrr8=T$lW 
z4EKS3bElB?M+0_jfJ%Xdc%;Um@XlSDz2C(V2`M^@p!|(`%4~va>B7@#!Nhfk<+*SF z0%@d#@Wzi)T(W(Nl&}r-X{;Nu`ox6~bZi(T5y>h;amrMI*#64DVd*!s6P%~NYR`Zk zR*UwqqgxCK^nO3zAcvjF7@7SK%8x{teUpz0PlfeQ0Xx$izzJ8`kwSc*YOJe?Qb^pb zt|8;xZRI?7Y&K!5%{pylJMDxUw#7=nT64qqT`1&eF*D5@4tkGzqR+ZH83W#NAwC!V znnCw_!NZ=^Nx3~%zvW757bU23S1nU5p^&U`g|FDEY-X@NFJWTYLz=0b-V1WmeJ&W< zQUq)HlO+xY*nilW=(V(*=>+nEq9VwbjEfY}aZDINHVo|=m3xG`=QdFi>St)1+UFVz zOJ!0-?LrR*2!Re6k)ij58-U}7TlT1SJ`=VM;2QN8fqj6236llm5r)2m0WFNbJs=$Mc(W03 zzMqRx`zmRem7SG!Y6U?rC=Th(t}PPSyLIjBcK_435m43fn0fmLc);m;0^b1LJYF#X zI_#s}LSMFx-BYsdFx9wqDCgO`uF*52Sn6B?u~Y|2cu&)bNV0>2d&t;5MK&>;^^A8;X2-(E32#6A)eYC$LJD?@}DQqGLK zXv6DGt4$ObqX@ydiS^1zOo_1BdRV_Y(A;tk3Ac)57!btF$oM{?G`RbCX(nVT7eY*9 zth(AP@pe_D&-!1`uWP4DNS+imEdI=V6MA&HCV0LZQAaJTb#_w>P$+xj6i|0ZWRYN$ zF#c?|wix^rs0Qk}Dwjro9)TZ)v8XFbQ?Trr#o>Zki?QhJUogQtT zb#V%sh^tq^l(lPV?X08Ti^QV*{3LOXvl%E9I;y1TBSM9POHKn=Rm^VZ?0>ve zYb+B0zn(sYOXrW{u=2}C8J(~ZE_2K-Y#7! zE4>yw@_|q0tcE8x$Fkn}_U5&-y(R-(0xfN3PFROWmnP~&PzUhMuntY_v@{q#!6@H0n!7!9BIvjJyASOI1bp`e}rqxcH$1sd`N{Toj)nx5-t zFa5)VghCggDbJ3RVMwcIw4znGBJ1wJDDQ&&gF~0TOGz(Ixsjo%bmCp{5d7-hKl;t! zA2pR*rKxs$GjsEK;M2ZNL^;H5Qk5;Qm%S&l`!9s!AsKZ8D`Jwp4yE&)t8_CK&-{0B zk(VQpzmR8#egsB0B_r_qX|Q$6f(LX`7!_rR`wLcTWPY^#dQm4~W=dS{yXXRQg3#Bo zR+nrTsIutuQ(C=m_*-2+xel)ZYr6T$zmyf4&t98ZLEp`}IfSQvXH1dYOc*wdm9E}5 zT{n3cMvvwR2mOF>R-P(4HQY#8z@?7S&E9s(HVVm%TZcm8Ne948bVYR1CT*;${nkUT zuElw7E5osz7N#!YyX9YEO7cfMp1v{EdrOAqjg?D1l9U*ZCNXvhX9e zV{Dj$TM|MoQUTaU2A5l7lfL6Ry#oBl>?N49fU!cjVkAHO(Ern3Y__Mx#3XQqs@hl8 zZ4b(3(ve*F=R&R1Z!A1~xjtgAC_Pr!?{vc^TCfAp9ykBc#i;*l!HQ{VeMy#;cWMS) zL_+(1g!*-+=zvE0oC;F&l=nVs|KCrjCh@aQBmRH{9?*k7{=I9U!sq6~U+u!TCDqtB zb<55=dDLh*MxEAGwGxa1@ui3?P?0;dAv*OnsZ1UVt_^7tL1=t;4RuG z6wJ6XF9i%Va^(kopWQhe@soz1rfXQDQX?8|x0hJ8#e4;B=J6GhTj*85%ku zsLJOr<>mWDMXK}d>qvmHZqZUFVVzC!@dx2OPa{sPe=ndp-wnf~>%8X?&js9`Rnl%? z-JBe7Fx9YgZkXj8q{616Bn$tSSFs&Hw)Hj2M)1n%Tf5M6Uprw8xw}?GN;`9h#$tZ! 
zq>}+*R(3N!e&;nyg+K3Ix5I@OEB{pdOHjyI{O&zJd=i5FcrXYUq9tgx{_Pd3 z4eOkl^}tsqaxr;tiay5_O~>M1E&2X--#l!}K!8`UYSR6U+JvX!_0qkc0VXaGonN#; zS3oogO?tS9tKPx*+SvBv#DZap;DdOhQn=z24^_}{ zplHRth`Vmmp_*TbIE1xNpsg$^tD(+f>mlpSdG}4#xnckI8T63}ZifD%=M`|VaY6ni zL6KjedZF*#t++GED2HW6ErF(zB&PlgC@=&D)tPpx)a!1xZftH$SnH`7lH*TML6dp` z6?l{OJK+wmoBAxOH)Gh;dlP7c4<-gnk|B!S5;M1FBr4;k+gsNzj8Ksw=gg@|{Us=& z#B#+Q!YwwqtQPUnO9l!~naiKv4Z;JFzsT8_cCa-s3%mPQ0*974u=)pMa0h8Cn)iC9 zmU1mrz4XENwk5`hLSvkxgmgy|Hw`$AH%nfZhP{FG&?3QbyH^M&{3L&23#(3kxq6yq zSkF&CI{!H#H^@fJtVQPuilR7+4Uf~J33}z*SP(lZLvLVc4TzgGTDaU@ANXV!Nn1am zF7~Xv8t44^2l@*2I!5Jv*)M()tOJ~}BpQ_pJ zxJ*Rd)tgV7`eDP*80wp2G+t;u?S#{QqQ44KpoOM(r_6;5#JPk&)tkeTJNxG+FivcIYIqTyBm-Fq_^e|_v$+C7EB4xXnx?sr))KYe zGd4x305zE3mUVtcSr##p9o|u#9Vq2bFU&nDqnMzDB^GKrGzl~SoC&55fc)jg0l!eW zz{j=L?XTDNw;eFca;@i3b*)EKr}IjbM##YQb|N_(+D}KcmJz zGsOP)Ki2ur;3T0`0LwGHJATGzvO_)i_DGm~0U@M6f(y^MkFpDG({jxKSdfmXHN(g8 z`F?zrpD`z@%wZ1_xF4>{UO@ldqM^>3^a9Y`&NWS_)zJWvZAxwUb2&gm%JPc~v=ER- zbDgmrwe7jM<-A$ylG{Bp^FybhwS*M<)Ka*C;l%~spj4a44Oz4e(KF#cKoeOtjeJIYAGm;n+qxd%ZZDC-V% z+0~y3{MQ`h#?I&))*Ac8U}b&K!r}mG>1jXTSK4^C-+H#4HvPZP=l`|z|34FIaNBqD z80)#{(tiQ$cUrak+Mlq&_#74D zbZe3qfDCu9=6R~b_v~KJq-)yax+eU7jbHri05c2&VBH%|5v^`LV6nPe9vkNdy&C-e z3ocaU;++4P%)LuUQ)H>H`0v|8lZ_=?w?|wFgxO0yS2U5 zmdy_?OpsQ}%QP684B@Wtxc<8J0*as!loFhBsQlg5IK?e2uI1uov^=;NsBV=-dR382 z8-8ycbx8{qxT)!7`n*CEM_~L~`#n^fEc70T31f<0jRjsw2(M9_bj>s?miIPJIlhiO z{+yceSdNaA6}D^t!~%m`E0On~(xmXc0%moa&)Qr3CYLzak$skiJgz+kuXH+3RPJZf z)Ah3SbSo$cCTdg{tuo$~U--ugRWM`;_EYMqgKwp?EidGIvpB*`{v91#HhNo|MzaD5 z{Fz-UEFRvY{*s#D=>WpVfJr};^-@f~e@j0XTC7S2V0@Y*PcG5Q4 z5n1p^+F66!d+spQ(!%BbV$FT3?NmP~_677+%QH$$iAI3ebU$(xU$XcCz%d-oevVjZ zTxXH=4#EaCHz3kcwDk&!7CSr=3n?Eo-5@v6XzFv8?cX=ogdZcj|IoZb;b%15XJK$3kWXEU%Uq{m>~TAxf@0Jad$@gPm{;t=<#VSi> z`fIzt75$p>%A^c(1ZK{cy@l4tnLcAS4pZ!I(_LAv6kCoPU=4Jtjj;0N{wd5|1 zS&^chEC3nu42SN*>U(=8yP2B{dBlMPg^Mj(A;D)B#ypzoCBK#*YR8VgkF<4RVJ88k zt9$KcIo2h=f8L}VyZr%pqpXSUB2l$O2X!Xe?J6g6VJyIr=b7GS*wLx?Mn`x6ZS!>f 
z)U4x|T(E=E1}aa!Hs81S=1P>s#KWsf;2-d@gMVJQhazOUpd&~SP9rXM=F826Q-B4U zkNua$c_Gdklg9kJu8%E9iE8<_;=alr=^fXXkgPOhHIk(tq30PgC9NEJv^L;NA!u8J zR;}a*$a5O9Hqfy~9?}tY<^8JDBt%s39sz!lXN;XazmxI|TAe>P9&AixWhZ!}6D~`a z)JfyW17JL^l{V9)-0##E?pHVWGjI2J92}3US7~cO1+V9YJfAYv-dn3@!Wq3FwB~5k zz7hB`Q#eUm5BWiN?itfcTBOLXQt3(mT4@*0;c>vPx>*Qvn&2knHCgv z7-<_4`!JuANDksbMuY<$&wbyId=vrZ`g?dAC`~7))~EzranJ`OCD}t@#-M(q!uU)@*2 zl_w8iO5pcX>=hVW$jh(PoZx*g6+0aVzC#6QQ?!$ec-arR9?p+DtbyRkL#D+;AsW2; z+QTDl9pqOPG6q(T;v%E30Y8^zg2MeLRZFp1-(5)*!zE>S2LltiXXI}J-obkI@su&(~_{t^}vZyZ8s)n!oEf87j7NF)3dp1OX{l})9 zB8^ER&iZdiVe#wxP7{}={-`If8>1upx_%Dey^)j^+0Td*k9vMRu1IVzR{J&O=q^%! znw6C^PDhbAzDP%r2=sq1hI@ubv*mUa%>AM1Mls`@g;fn9g6s_$DOt$YfF3^yzzeeT z>rM@DYT2=@0AB*?FQ8az%jY)37m#wV3GG>3tH}#U_F?tm?!$HFJ*jf z=}_4&Ec63}$2T9V>Ul0QN(Ao8q4AZ3Hgg{~QfN|02qFu|&P~idXKN|B(U6{hu3bBn zG>|0hDKF?Rog4fFAitIY;Q1duZMZ;@@%wj2tlu;AgUd>q2Xd#Khj4IDH?GOy5~I_H z7tk0x_ag$Fb%s}J*FI$haCikG2loGoaOK)G(61Hxw53Vr--jK8&|mMXUv&*Ood`;X z*0i;K@x%V2A;Q|1pX6)$Y-qE0`bbD|SBE=Ssy$sU!Rx(Ys^|xpxFdG|P9@paUR+EV z8qcFbL_@aB0`KFZ9^NNqF-4-n>^8gz?zb7!)W0*~hkQX|is783cligU!|5^H(h79! 
zu_o^(CrcMPx{K>@joJR*du#| zT004bpk2Lxr8{s-18`Ek)AaeOxwtTPDt-!M3(24Wj!QQweQkBo8S5qkl_}O`9*87S zd{%?5OU-c)Ree331gGpMi$dQZhH?}*-y!q4x)z2~(Y&e*dh|X=>&YgP(E7T;O#&7+ zer|Ftsx@C}zx%)ttgTh^O&SCG0>U(b>p)jLtHA2e1E5K;@s>-L>MgJSwxA(o9jXaF znZ3j$4@qH6j4v35dm}xNZu~BED)F*00IOJsu29pjy-V%pT_nUx0MQos(V7a5^{f(` znG8EgwRm&zqL z?ybujJXXQ|$pY<`j`-C59%#s0SCvF?JtP|jM8LOpIB6v2mS+7ZD|+{x-UR@U_`aQL$2qLp|5s;10_p_{ z3H>_2;khSNex-XRppd~ub5i5SkLT`Dc2pEiaI_8O`E?PbgQT?G-cu4-qEh2TJ*UaB z5GkeKK)@Km$wF5c+qW2f8eIFw%t8KZ2^+HQpHa;AJkgqVayo`;vq=t>9ngVIICk2= zqZMmzB*BkK zr?HHY{ppNi%_Q&gfG3B!>y8Llxhyghb3XD!)bEvD~0FEmhybj+Fjc_6a6$YcT)u^ z^kEOIz(}^c9J;-52r!@3^O{K_hHUvrNU{BM*HBw|zU+Q`?_Q8$Ak5c|PKQrr8{=|O zN=OA{WF(M%A3)JC>07~RtZ#zWoV6NE@IEcyCa3ZdAug&PAyg^-rOrRajt@$9Ik)`K zIN^3I?549YHw@`l$)?h7W{2-olO&XvRXwGN>y|MgBr_)P^q_&N2?$(y<8aVKH5lPlt^i*X zacdLtpPUkT$eyex)pyR}hDZTYd!o0WB@abDmQ4DM7nH!Yc>F`Kx3~M7nc%vwFQ7rg zyOgVrhy~`h%vMMR^g_IJSVRk&|3I$uU*3(N-2hRu0wYS|>5G&avIa&4B3udEj}stQ69m5*%zhAp z(JU>^qXu6;g?|dVE`rlGgVe0dfOEG8?h+`<604hP%3rg#Xtt{6^q9K&O1)5X0S^CH zC#rXo_5uofer4VrzB+V<#wpI6XN_BbuP*qDvYRcg`%9E5R)vA6E4w>qJveMR;@D54UHT9&?6P5 zPe@ZsZT z(1#;h^7@wdmNAsRtTX(M49r%R1b@bVjth$}bTma#eQfymJ^`U@5m=2#8+ke+O&~*= z5+;FK=*Qaeb%yA~;OZrqOl6$wR=tlfQhVjPSIz>vzjl1!PQ00#J~{=M91dvM&rUkL z3%bxktc1awNxCL|GQN2<__NMiP9RVT8Vgeff{MhubxN-u(spw13Px2VHDY>>ttf&L zXN0Xym=9Kry^53+;1#pHX%#xm+vvW;>?rqTmyasCEtay~&*`p2-8`0}K710TY=EY?h7a(@KN!s?BI#E~qd=kIs4Pg3)=YFd$VwOrS=d!3I=sAs zUS(n!Lm7MChz}Q z`7Z>G4x$Z@i-I&nqy7o&{fP$c{fT~y46*wHcS7H5!Gj0{p^?_&wq}t*GG&qIAV(0i z|J4SRR1RqaAF{-SLMUnKD9$w`6cogtwfN??s3gu`8XeCVjaLJHzXS zCUxy;&FySRvnoIQD{uHxwr+V>4Dw*o*WoC#J`4t<@jZNVA^*@iYCo%5_5*`b@b@D3 zx>?V2|HaYK(8RN;t6ARA)?4{)$7_ruZ%HYBLJpae|U&OPcxT9;OKCB*$(+**s(oUr@U%9WU?kb97r-RP$+6jm-H04<3hABbD0 zFqEt?Q=)1QOZBJT+9L7ifq7WFd`9y*2(QCA@WD#O#Og(j)FN_C&J`NH-qHj{94VEkLrB0f<)E2SxS3Jq+xb@*vN^#RM8*_2az0l0Z>_m;+y-A6sV>bp z<4XohwpG`lrT-=ua0zRElD`-A_dbj{P@nc-{$^!IPo~B}pT3X!_pN%!%HMD9lwaMf z3+q^n4anAtG;Yd>`Yv7T5*yTwTqIbO9dY>)25{;}`)^U{|ui28{J 
z$0(s{ZOZHaXyaO-nmW?(O~QL3ghv2Lc!a}CdLS%_AVPR(LBI!W)fH?>fdmrBiv$o` zAOfOnwJObl0V_feTNPzxDY%N~xFW3&s9HHIEMO70mMX5gfYlZh+5aZCkg&scdMZnyD4`<|ib#uP~?tk$CQhG~`NAAKj8H9|>TTHg?W`IDWA% zU|opd{jFQ7Ot)8?J?&uetAaD*UVeJ^)e9BdEdAXYA8zr^U&fzLJf9gF{m&*%L}*)U zy@$B1krB{U(wB2vp;5h^26t2YXa7r&b_JXd8fSEO@3-yfY|QZ$FEyYcJ3N& zRQKIG)pRW-EBVoer@K##mC~0-TzN7aHnHo-y}*&ELjKm&acYHUaf>qhqTk{0tE%gL zZz$)!>T_%UAS1x2SmYMlG32V=W>fr(pf@}8Nj#4Zg(cSNu1y8M&d<28KqajNRj zgNPqR&Qp)&=U*hpr0v-^ax?xbhfU@c@oRI-s|v>Zr|N?r^6?Y<5@n)w%3}n0kKcd%~B| zZfx(F@ZP~M6>eW|5_whb!+nJl;5Y=Sl3bgC8xMo7{isP2Fk! zi#+j^T9a(bJlDS(xp2-M`T+4L*gOMSTHFbBpPPcrYH5i%87SGp*9h*xDuogi7c0bw z$!Z_${Gb+$IVF$T*p`_u~4CKu!%s;cn-HIUOI|+ihFbXYC{44|caMOpsjJ@qb z5I2e_27r&26NEyM&s9m_cU3CgBM?_-Av<=Uwa4iS5X+N65N>*0OF}hCPL7m794$c0 z+1Hx`12Nz(SsUVbVSsbTEHPrRmp8O`B>^ham>^vBxY>r|-I?eQ?4vRFUnAIS0#}jS z&Ej&BhrbXbTYNtgg;A$tHP#{z?3asHQh$xpw)f@2ewHLa9@IDMwH;9c7&J;C+ZsO~ z3!EST34**vGv~mx>ue19TO{JkS;z%93lWoj{rxic4FKB=2GtiMHc1DYCSl2*v;85U zOB5JfAJ)G`2aC=ESYx=b@eFX2+8V;*QgyJyB+ROT9%2R8qDj-}b6d$LVL|L$9cFz4 za6|efGDMUMb&UM8NwL0vc%cknKbsrEYQ;KO2?+}-^UON~((@b)VcVoS*bNe9Hr=qU z1YqV%U~5%67)u1OYu`CCazM#SFq!*e#}V^IT9_sv#RMxv;Do-|hu9@t#$0_hhhQ&(cWM>Qa*2$G56$-@ZT(LAgTNs4%c<#{X>SFXs3D!d{>4%HG^}DrGD}NAC#gfTHP}O_e)VERc(T8 zWGI^EeVl^bx+zSYD+A#|IVeuBtA&&fV)8j?}WGblo zLb`H{mhf2VuaN!D0^d|1Gw!RA2;w1lpRD=}T>iL}K`_3oKz7_^0~azq!PR8dCko{+ zC0d2kRX}83Lwmg)atT@Wi4IGa5{2kyYO0$J`uAB1K~{YtmU<~ssFuio;h!cL&cqEi zSz;7yt%RV13#(2{>+mJRaDSCl*?HmSDnY>NUQ~LMOz^Y<`QQRzK|4@xQmcf;@L%vg zlT&1BI31jZNPd`?58&uxGfY(a%!fBR`R4LD9q-78 zb@{CVS-?SOG54{*(lJHyc8omtIMLp{LdSb0KpY5j#Xjh#8)_7|+Fw=pHmd&5@duJC zY;=pto`2Huv3wLxOCF%((R{?C`47^uO966s)_#9e2%-aaZ+#-0Av$gai0|*;i;!j^ zCoU=-BXmL_&rDLv6)JAJLZRK2aZ~~5Ff&TW_g6!nR2P7SZb6s7!@N!rrLa(}63b=r bvMjlOkyMhDXiV-aL=yZRgH@SMkSXndW&+WG From fb08bf84def816ef8553a753080bba2512275b9d Mon Sep 17 00:00:00 2001 
From: jonrau1 <46727149+jonrau1@users.noreply.github.com> Date: Mon, 2 Sep 2024 21:35:37 -0400 Subject: [PATCH 54/55] AWS ECR perf improvements --- eeauditor/auditors/aws/Amazon_ECR_Auditor.py | 885 ++++++++++--------- eeauditor/eeauditor.py | 3 +- 2 files changed, 451 insertions(+), 437 deletions(-) diff --git a/eeauditor/auditors/aws/Amazon_ECR_Auditor.py b/eeauditor/auditors/aws/Amazon_ECR_Auditor.py index b4c645ef..14f73338 100644 --- a/eeauditor/auditors/aws/Amazon_ECR_Auditor.py +++ b/eeauditor/auditors/aws/Amazon_ECR_Auditor.py @@ -76,7 +76,7 @@ def ecr_repo_vuln_scan_check(cache: dict, session, awsAccountId: str, awsRegion: enhancedScan = False # If neither scanning is active, this is a failing check - if basicScan and enhancedScan == False: + if basicScan is False and enhancedScan is False: finding = { "SchemaVersion": "2018-10-08", "Id": repoArn + "/ecr-no-scan", 
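Review bot: The rewritten guard `if basicScan is False and enhancedScan is False:` only matches the literal `False` object, so if either flag is ever left as `None` or another falsy value the failing branch is skipped and the repository is not reported as unscanned. Only `enhancedScan = False` is visible here and the other assignments are outside the hunk, so this is worth confirming against them. A truthiness test avoids the problem and follows PEP 8: `if not basicScan and not enhancedScan:`.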
@@ -215,17 +215,24 @@ def ecr_repo_vuln_scan_check(cache: dict, session, awsAccountId: str, awsRegion: def ecr_repo_image_lifecycle_policy_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: """[ECR.2] ECR repositories should be have an image lifecycle policy configured""" ecr = session.client("ecr") + # ISO Time + iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() for repo in describe_repositories(cache, session): # B64 encode all of the details for the Asset assetJson = json.dumps(repo,default=str).encode("utf-8") assetB64 = base64.b64encode(assetJson) repoArn = repo["repositoryArn"] repoName = repo["repositoryName"] - # ISO Time - iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + + # Evaluate if a lifecycle policy is configured + lifecyclePolicy = True try: - # this is a passing finding ecr.get_lifecycle_policy(repositoryName=repoName) + except botocore.exceptions.ClientError: + lifecyclePolicy = False + + # this is a passing check + if lifecyclePolicy is True: finding = { "SchemaVersion": "2018-10-08", "Id": repoArn + "/ecr-lifecycle-policy-check", 
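Review bot: The new `except botocore.exceptions.ClientError:` around `ecr.get_lifecycle_policy(repositoryName=repoName)` sets `lifecyclePolicy = False` for every client error, so an access-denied or throttled call now produces a FAILED ECR.2 finding. The removed code only did that for `LifecyclePolicyNotFoundException`. Keep the error-code test: `except botocore.exceptions.ClientError as error:` followed by `if error.response["Error"]["Code"] != "LifecyclePolicyNotFoundException": raise` before `lifecyclePolicy = False`, or log and `continue` if the auditor should carry on with the next repository. The same pattern is added for `ecr.get_repository_policy` and `RepositoryPolicyNotFoundException` in the next hunk. The function body continues outside this hunk.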
@@ -296,94 +303,101 @@ def ecr_repo_image_lifecycle_policy_check(cache: dict, session, awsAccountId: st "RecordState": "ARCHIVED", } yield finding - except botocore.exceptions.ClientError as error: - if error.response["Error"]["Code"] == "LifecyclePolicyNotFoundException": - finding = { - "SchemaVersion": "2018-10-08", - "Id": repoArn + "/ecr-lifecycle-policy-check", - "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", - "GeneratorId": repoArn, - "AwsAccountId": awsAccountId, - "Types": ["Software and Configuration Checks/AWS Security Best Practices"], - "FirstObservedAt": iso8601Time, - "CreatedAt": iso8601Time, - "UpdatedAt": iso8601Time, - "Severity": {"Label": "MEDIUM"}, - "Confidence": 99, - "Title": "[ECR.2] ECR repositories should be have an image lifecycle policy configured", - "Description": f"ECR repository {repoName} does not have an image lifecycle policy configured. Amazon ECR lifecycle policies provide more control over the lifecycle management of images in a private repository. A lifecycle policy contains one or more rules, where each rule defines an action for Amazon ECR. This provides a way to automate the cleaning up of your container images by expiring images based on age or count. You should expect that images become expired within 24 hours after they meet the expiration criteria per your lifecycle policy. When Amazon ECR performs an action based on a lifecycle policy, this is captured as an event in AWS CloudTrail. When considering the use of lifecycle policies, it's important to use the lifecycle policy preview to confirm which images the lifecycle policy expires before applying it to a repository. Using Lifecycle Policies can help to reduce security exposure by forcefully removing stale images and promoting good image hygeine by having processes to continually scan and rebuild container images. 
Refer to the remediation instructions if this configuration is not intended", - "Remediation": { - "Recommendation": { - "Text": "If your repository should be configured to have an image lifecycle policy refer to the Amazon ECR Lifecycle Policies section in the Amazon ECR User Guide", - "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html", - } - }, - "ProductFields": { - "ProductName": "ElectricEye", - "Provider": "AWS", - "ProviderType": "CSP", - "ProviderAccountId": awsAccountId, - "AssetRegion": awsRegion, - "AssetDetails": assetB64, - "AssetClass": "Containers", - "AssetService": "Amazon Elastic Container Registry", - "AssetComponent": "Repository" - }, - "Resources": [ - { - "Type": "AwsEcrRepository", - "Id": repoArn, - "Partition": awsPartition, - "Region": awsRegion, - "Details": {"Other": {"RepositoryName": repoName}}, - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST CSF V1.1 ID.BE-5", - "NIST CSF V1.1 PR.DS-4", - "NIST CSF V1.1 PR.PT-5", - "NIST SP 800-53 Rev. 4 AU-4", - "NIST SP 800-53 Rev. 4 CP-2", - "NIST SP 800-53 Rev. 4 CP-7", - "NIST SP 800-53 Rev. 4 CP-8", - "NIST SP 800-53 Rev. 4 CP-11", - "NIST SP 800-53 Rev. 4 CP-13", - "NIST SP 800-53 Rev. 4 PL-8", - "NIST SP 800-53 Rev. 4 SA-14", - "NIST SP 800-53 Rev. 4 SC-5", - "NIST SP 800-53 Rev. 
4 SC-6", - "AICPA TSC CC3.1", - "AICPA TSC A1.1", - "AICPA TSC A1.2", - "ISO 27001:2013 A.11.1.4", - "ISO 27001:2013 A.12.3.1", - "ISO 27001:2013 A.17.1.1", - "ISO 27001:2013 A.17.1.2", - "ISO 27001:2013 A.17.2.1" - ] - }, - "Workflow": {"Status": "NEW"}, - "RecordState": "ACTIVE", - } - yield finding + # this is a failing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": repoArn + "/ecr-lifecycle-policy-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": repoArn, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "MEDIUM"}, + "Confidence": 99, + "Title": "[ECR.2] ECR repositories should be have an image lifecycle policy configured", + "Description": f"ECR repository {repoName} does not have an image lifecycle policy configured. Amazon ECR lifecycle policies provide more control over the lifecycle management of images in a private repository. A lifecycle policy contains one or more rules, where each rule defines an action for Amazon ECR. This provides a way to automate the cleaning up of your container images by expiring images based on age or count. You should expect that images become expired within 24 hours after they meet the expiration criteria per your lifecycle policy. When Amazon ECR performs an action based on a lifecycle policy, this is captured as an event in AWS CloudTrail. When considering the use of lifecycle policies, it's important to use the lifecycle policy preview to confirm which images the lifecycle policy expires before applying it to a repository. Using Lifecycle Policies can help to reduce security exposure by forcefully removing stale images and promoting good image hygeine by having processes to continually scan and rebuild container images. 
Refer to the remediation instructions if this configuration is not intended", + "Remediation": { + "Recommendation": { + "Text": "If your repository should be configured to have an image lifecycle policy refer to the Amazon ECR Lifecycle Policies section in the Amazon ECR User Guide", + "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html", + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "AWS", + "ProviderType": "CSP", + "ProviderAccountId": awsAccountId, + "AssetRegion": awsRegion, + "AssetDetails": assetB64, + "AssetClass": "Containers", + "AssetService": "Amazon Elastic Container Registry", + "AssetComponent": "Repository" + }, + "Resources": [ + { + "Type": "AwsEcrRepository", + "Id": repoArn, + "Partition": awsPartition, + "Region": awsRegion, + "Details": {"Other": {"RepositoryName": repoName}}, + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 ID.BE-5", + "NIST CSF V1.1 PR.DS-4", + "NIST CSF V1.1 PR.PT-5", + "NIST SP 800-53 Rev. 4 AU-4", + "NIST SP 800-53 Rev. 4 CP-2", + "NIST SP 800-53 Rev. 4 CP-7", + "NIST SP 800-53 Rev. 4 CP-8", + "NIST SP 800-53 Rev. 4 CP-11", + "NIST SP 800-53 Rev. 4 CP-13", + "NIST SP 800-53 Rev. 4 PL-8", + "NIST SP 800-53 Rev. 4 SA-14", + "NIST SP 800-53 Rev. 4 SC-5", + "NIST SP 800-53 Rev. 
4 SC-6", + "AICPA TSC CC3.1", + "AICPA TSC A1.1", + "AICPA TSC A1.2", + "ISO 27001:2013 A.11.1.4", + "ISO 27001:2013 A.12.3.1", + "ISO 27001:2013 A.17.1.1", + "ISO 27001:2013 A.17.1.2", + "ISO 27001:2013 A.17.2.1" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE", + } + yield finding @registry.register_check("ecr") def ecr_repo_permission_policy_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: """[ECR.3] ECR repositories should be have a repository policy configured""" ecr = session.client("ecr") + # ISO Time + iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() for repo in describe_repositories(cache, session): # B64 encode all of the details for the Asset assetJson = json.dumps(repo,default=str).encode("utf-8") assetB64 = base64.b64encode(assetJson) repoArn = repo["repositoryArn"] repoName = repo["repositoryName"] - # ISO Time - iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + + # Evaluate if there is a repository permission policy configured + repoPermissionPolicy = True try: - # this is a passing finding ecr.get_repository_policy(repositoryName=repoName) + except botocore.exceptions.ClientError: + repoPermissionPolicy = False + + # this is a passing finding + if repoPermissionPolicy is True: finding = { "SchemaVersion": "2018-10-08", "Id": repoArn + "/ecr-repo-access-policy-check", 
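Review bot: The hoisted timestamp line in `ecr_repo_permission_policy_check`, `iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()`, still goes through `utcnow()`, which is deprecated as of Python 3.12; the identical line is added in the previous hunk. `iso8601Time = datetime.datetime.now(datetime.timezone.utc).isoformat()` gives the same timezone-aware UTC string in one call. Because the value is now computed once per check instead of once per repository, the bare `# ISO Time` comment could say so, e.g. `# one timestamp per check run, shared by every finding yielded below`.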
@@ -488,112 +502,112 @@ def ecr_repo_permission_policy_check(cache: dict, session, awsAccountId: str, aw "RecordState": "ARCHIVED", } yield finding - except botocore.exceptions.ClientError as error: - if error.response["Error"]["Code"] == "RepositoryPolicyNotFoundException": - finding = { - "SchemaVersion": "2018-10-08", - "Id": repoArn + "/ecr-repo-access-policy-check", - "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", - "GeneratorId": repoArn, - "AwsAccountId": awsAccountId, - "Types": ["Software and Configuration Checks/AWS Security Best Practices"], - "FirstObservedAt": iso8601Time, - "CreatedAt": iso8601Time, - "UpdatedAt": iso8601Time, - "Severity": {"Label": "MEDIUM"}, - "Confidence": 99, - "Title": "[ECR.3] ECR repositories should be have a repository policy configured", - "Description": "ECR repository " - + repoName - + " does not have a repository policy configured. Refer to the remediation instructions if this configuration is not intended", - "Remediation": { - "Recommendation": { - "Text": "If your repository should be configured to have a repository policy refer to the Amazon ECR Repository Policies section in the Amazon ECR User Guide", - "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html", - } - }, - "ProductFields": { - "ProductName": "ElectricEye", - "Provider": "AWS", - "ProviderType": "CSP", - "ProviderAccountId": awsAccountId, - "AssetRegion": awsRegion, - "AssetDetails": assetB64, - "AssetClass": "Containers", - "AssetService": "Amazon Elastic Container Registry", - "AssetComponent": "Repository" - }, - "Resources": [ - { - "Type": "AwsEcrRepository", - "Id": repoArn, - "Partition": awsPartition, - "Region": awsRegion, - "Details": {"Other": {"RepositoryName": repoName}}, - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST CSF V1.1 PR.AC-3", - "NIST CSF V1.1 PR.AC-4", - "NIST CSF V1.1 PR.DS-5", - "NIST SP 800-53 Rev. 
4 AC-1", - "NIST SP 800-53 Rev. 4 AC-2", - "NIST SP 800-53 Rev. 4 AC-3", - "NIST SP 800-53 Rev. 4 AC-4", - "NIST SP 800-53 Rev. 4 AC-5", - "NIST SP 800-53 Rev. 4 AC-6", - "NIST SP 800-53 Rev. 4 AC-14", - "NIST SP 800-53 Rev. 4 AC-16", - "NIST SP 800-53 Rev. 4 AC-17", - "NIST SP 800-53 Rev. 4 AC-19", - "NIST SP 800-53 Rev. 4 AC-20", - "NIST SP 800-53 Rev. 4 AC-24", - "NIST SP 800-53 Rev. 4 PE-19", - "NIST SP 800-53 Rev. 4 PS-3", - "NIST SP 800-53 Rev. 4 PS-6", - "NIST SP 800-53 Rev. 4 SC-7", - "NIST SP 800-53 Rev. 4 SC-8", - "NIST SP 800-53 Rev. 4 SC-13", - "NIST SP 800-53 Rev. 4 SC-15", - "NIST SP 800-53 Rev. 4 SC-31", - "NIST SP 800-53 Rev. 4 SI-4", - "AICPA TSC CC6.3", - "AICPA TSC CC6.6", - "AICPA TSC CC7.2", - "ISO 27001:2013 A.6.1.2", - "ISO 27001:2013 A.6.2.1", - "ISO 27001:2013 A.6.2.2", - "ISO 27001:2013 A.7.1.1", - "ISO 27001:2013 A.7.1.2", - "ISO 27001:2013 A.7.3.1", - "ISO 27001:2013 A.8.2.2", - "ISO 27001:2013 A.8.2.3", - "ISO 27001:2013 A.9.1.1", - "ISO 27001:2013 A.9.1.2", - "ISO 27001:2013 A.9.2.3", - "ISO 27001:2013 A.9.4.1", - "ISO 27001:2013 A.9.4.4", - "ISO 27001:2013 A.9.4.5", - "ISO 27001:2013 A.10.1.1", - "ISO 27001:2013 A.11.1.4", - "ISO 27001:2013 A.11.1.5", - "ISO 27001:2013 A.11.2.1", - "ISO 27001:2013 A.11.2.6", - "ISO 27001:2013 A.13.1.1", - "ISO 27001:2013 A.13.1.3", - "ISO 27001:2013 A.13.2.1", - "ISO 27001:2013 A.13.2.3", - "ISO 27001:2013 A.13.2.4", - "ISO 27001:2013 A.14.1.2", - "ISO 27001:2013 A.14.1.3" - ] - }, - "Workflow": {"Status": "NEW"}, - "RecordState": "ACTIVE", - } - yield finding + # this is a failing finding + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": repoArn + "/ecr-repo-access-policy-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": repoArn, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + 
"UpdatedAt": iso8601Time, + "Severity": {"Label": "MEDIUM"}, + "Confidence": 99, + "Title": "[ECR.3] ECR repositories should be have a repository policy configured", + "Description": "ECR repository " + + repoName + + " does not have a repository policy configured. Refer to the remediation instructions if this configuration is not intended", + "Remediation": { + "Recommendation": { + "Text": "If your repository should be configured to have a repository policy refer to the Amazon ECR Repository Policies section in the Amazon ECR User Guide", + "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html", + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "AWS", + "ProviderType": "CSP", + "ProviderAccountId": awsAccountId, + "AssetRegion": awsRegion, + "AssetDetails": assetB64, + "AssetClass": "Containers", + "AssetService": "Amazon Elastic Container Registry", + "AssetComponent": "Repository" + }, + "Resources": [ + { + "Type": "AwsEcrRepository", + "Id": repoArn, + "Partition": awsPartition, + "Region": awsRegion, + "Details": {"Other": {"RepositoryName": repoName}}, + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 PR.AC-3", + "NIST CSF V1.1 PR.AC-4", + "NIST CSF V1.1 PR.DS-5", + "NIST SP 800-53 Rev. 4 AC-1", + "NIST SP 800-53 Rev. 4 AC-2", + "NIST SP 800-53 Rev. 4 AC-3", + "NIST SP 800-53 Rev. 4 AC-4", + "NIST SP 800-53 Rev. 4 AC-5", + "NIST SP 800-53 Rev. 4 AC-6", + "NIST SP 800-53 Rev. 4 AC-14", + "NIST SP 800-53 Rev. 4 AC-16", + "NIST SP 800-53 Rev. 4 AC-17", + "NIST SP 800-53 Rev. 4 AC-19", + "NIST SP 800-53 Rev. 4 AC-20", + "NIST SP 800-53 Rev. 4 AC-24", + "NIST SP 800-53 Rev. 4 PE-19", + "NIST SP 800-53 Rev. 4 PS-3", + "NIST SP 800-53 Rev. 4 PS-6", + "NIST SP 800-53 Rev. 4 SC-7", + "NIST SP 800-53 Rev. 4 SC-8", + "NIST SP 800-53 Rev. 4 SC-13", + "NIST SP 800-53 Rev. 4 SC-15", + "NIST SP 800-53 Rev. 4 SC-31", + "NIST SP 800-53 Rev. 
4 SI-4", + "AICPA TSC CC6.3", + "AICPA TSC CC6.6", + "AICPA TSC CC7.2", + "ISO 27001:2013 A.6.1.2", + "ISO 27001:2013 A.6.2.1", + "ISO 27001:2013 A.6.2.2", + "ISO 27001:2013 A.7.1.1", + "ISO 27001:2013 A.7.1.2", + "ISO 27001:2013 A.7.3.1", + "ISO 27001:2013 A.8.2.2", + "ISO 27001:2013 A.8.2.3", + "ISO 27001:2013 A.9.1.1", + "ISO 27001:2013 A.9.1.2", + "ISO 27001:2013 A.9.2.3", + "ISO 27001:2013 A.9.4.1", + "ISO 27001:2013 A.9.4.4", + "ISO 27001:2013 A.9.4.5", + "ISO 27001:2013 A.10.1.1", + "ISO 27001:2013 A.11.1.4", + "ISO 27001:2013 A.11.1.5", + "ISO 27001:2013 A.11.2.1", + "ISO 27001:2013 A.11.2.6", + "ISO 27001:2013 A.13.1.1", + "ISO 27001:2013 A.13.1.3", + "ISO 27001:2013 A.13.2.1", + "ISO 27001:2013 A.13.2.3", + "ISO 27001:2013 A.13.2.4", + "ISO 27001:2013 A.14.1.2", + "ISO 27001:2013 A.14.1.3" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE", + } + yield finding @registry.register_check("ecr") def ecr_latest_image_vuln_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: 
@@ -604,175 +618,174 @@ def ecr_latest_image_vuln_check(cache: dict, session, awsAccountId: str, awsRegi for repo in describe_repositories(cache, session): # B64 encode all of the details for the Asset repoName = repo["repositoryName"] - if repo["imageScanningConfiguration"]["scanOnPush"] == True: - try: - for images in ecr.describe_images(repositoryName=repoName, filter={"tagStatus": "TAGGED"}, maxResults=1000,)["imageDetails"]: - assetJson = json.dumps(images,default=str).encode("utf-8") - assetB64 = base64.b64encode(assetJson) - imageDigest = str(images["imageDigest"]) - # use the first tag only as we need it to create the canonical ID for the Resource.Id in the ASFF for the Container Resource.Type - imageTag = str(images["imageTags"][0]) - try: - imageVulnCheck = str( - images["imageScanFindingsSummary"]["findingSeverityCounts"] - ) - except KeyError: - imageVulnCheck = "{}" - # Failing check - if imageVulnCheck != "{}": - finding = { - "SchemaVersion": "2018-10-08", - "Id": f"arn:{awsPartition}:ecr:{awsRegion}:{awsAccountId}:image/{repoName}:{imageTag}/ecr-latest-image-vuln-check", - "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", - "GeneratorId": imageDigest, - "AwsAccountId": awsAccountId, - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE", - "Software and Configuration Checks/AWS Security Best Practices", - ], - "FirstObservedAt": iso8601Time, - "CreatedAt": iso8601Time, - "UpdatedAt": iso8601Time, - "Severity": {"Label": "MEDIUM"}, - "Confidence": 99, - "Title": "[ECR.4] The latest image in an ECR Repository should not have any vulnerabilities", - "Description": f"The latest image {imageDigest} in the ECR repository {repoName} has {imageVulnCheck} vulnerabilities reported by ECR Basic Scans. 
The latest image is likely the last used or is likely active in your environment, while container vulnerabilities can be transient and harder to exploit, it is important for your security hygeine and threat reduction that active images are aggressively patched and minimized. Refer to the remediation instructions as well as your ECR Basic or Full (Inspector) scan results.", - "Remediation": { - "Recommendation": { - "Text": "For more information about scanning images refer to the Image Scanning section of the Amazon ECR User Guide", - "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html", - } - }, - "ProductFields": { - "ProductName": "ElectricEye", - "Provider": "AWS", - "ProviderType": "CSP", - "ProviderAccountId": awsAccountId, - "AssetRegion": awsRegion, - "AssetDetails": assetB64, - "AssetClass": "Containers", - "AssetService": "Amazon Elastic Container Registry", - "AssetComponent": "Image" - }, - "Resources": [ - { - "Type": "Container", - "Id": f"arn:{awsPartition}:ecr:{awsRegion}:{awsAccountId}:image/{repoName}:{imageTag}", - "Partition": awsPartition, - "Region": awsRegion, - "Details": { - "Container": { - "Name": f"{repoName}:{imageTag}", - "ImageId": imageDigest - } + if repo["imageScanningConfiguration"]["scanOnPush"] is True: + for image in ecr.describe_images(repositoryName=repoName, filter={"tagStatus": "TAGGED"}, maxResults=1000)["imageDetails"]: + assetJson = json.dumps(image,default=str).encode("utf-8") + assetB64 = base64.b64encode(assetJson) + imageDigest = image["imageDigest"] + # use the first tag only as we need it to create the canonical ID for the Resource.Id in the ASFF for the Container Resource.Type + imageTag = image["imageTags"][0] + + # Evaluate if there are any vulnerabilities + imageHasVulns = False + try: + imageVulnCheck = image["imageScanFindingsSummary"]["findingSeverityCounts"] + imageHasVulns = True + except KeyError: + imageHasVulns = False + + # This is a failing check + if imageHasVulns is 
True: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"arn:{awsPartition}:ecr:{awsRegion}:{awsAccountId}:image/{repoName}:{imageTag}/ecr-latest-image-vuln-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": imageDigest, + "AwsAccountId": awsAccountId, + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE", + "Software and Configuration Checks/AWS Security Best Practices", + ], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "MEDIUM"}, + "Confidence": 99, + "Title": "[ECR.4] The latest image in an ECR Repository should not have any vulnerabilities", + "Description": f"The latest image {imageDigest} in the ECR repository {repoName} has {imageVulnCheck} vulnerabilities reported by ECR Basic Scans. The latest image is likely the last used or is likely active in your environment, while container vulnerabilities can be transient and harder to exploit, it is important for your security hygeine and threat reduction that active images are aggressively patched and minimized. 
Refer to the remediation instructions as well as your ECR Basic or Full (Inspector) scan results.", + "Remediation": { + "Recommendation": { + "Text": "For more information about scanning images refer to the Image Scanning section of the Amazon ECR User Guide", + "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html", + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "AWS", + "ProviderType": "CSP", + "ProviderAccountId": awsAccountId, + "AssetRegion": awsRegion, + "AssetDetails": assetB64, + "AssetClass": "Containers", + "AssetService": "Amazon Elastic Container Registry", + "AssetComponent": "Image" + }, + "Resources": [ + { + "Type": "Container", + "Id": f"arn:{awsPartition}:ecr:{awsRegion}:{awsAccountId}:image/{repoName}:{imageTag}", + "Partition": awsPartition, + "Region": awsRegion, + "Details": { + "Container": { + "Name": f"{repoName}:{imageTag}", + "ImageId": imageDigest } } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST CSF V1.1 DE.CM-8", - "NIST CSF V1.1 ID.RA-1", - "NIST SP 800-53 Rev. 4 CA-2", - "NIST SP 800-53 Rev. 4 CA-7", - "NIST SP 800-53 Rev. 4 CA-8", - "NIST SP 800-53 Rev. 4 RA-3", - "NIST SP 800-53 Rev. 4 RA-5", - "NIST SP 800-53 Rev. 4 SA-5", - "NIST SP 800-53 Rev. 4 SA-11", - "NIST SP 800-53 Rev. 4 SI-2", - "NIST SP 800-53 Rev. 4 SI-4", - "NIST SP 800-53 Rev. 
4 SI-5", - "AICPA TSC CC3.2", - "AICPA TSC CC7.1", - "ISO 27001:2013 A.12.6.1", - "ISO 27001:2013 A.12.6.4", - "ISO 27001:2013 A.18.2.3" - ] - }, - "Workflow": {"Status": "NEW"}, - "RecordState": "ACTIVE" - } - yield finding - else: - finding = { - "SchemaVersion": "2018-10-08", - "Id": f"arn:{awsPartition}:ecr:{awsRegion}:{awsAccountId}:image/{repoName}:{imageTag}/ecr-latest-image-vuln-check", - "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", - "GeneratorId": imageDigest, - "AwsAccountId": awsAccountId, - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE", - "Software and Configuration Checks/AWS Security Best Practices", - ], - "FirstObservedAt": iso8601Time, - "CreatedAt": iso8601Time, - "UpdatedAt": iso8601Time, - "Severity": {"Label": "INFORMATIONAL"}, - "Confidence": 99, - "Title": "[ECR.4] The latest image in an ECR Repository should not have any vulnerabilities", - "Description": f"The latest image {imageDigest} in the ECR repository {repoName} does not have any vulnerabilities reported, good job!.", - "Remediation": { - "Recommendation": { - "Text": "For more information about scanning images refer to the Image Scanning section of the Amazon ECR User Guide", - "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html", - } - }, - "ProductFields": { - "ProductName": "ElectricEye", - "Provider": "AWS", - "ProviderType": "CSP", - "ProviderAccountId": awsAccountId, - "AssetRegion": awsRegion, - "AssetDetails": assetB64, - "AssetClass": "Containers", - "AssetService": "Amazon Elastic Container Registry", - "AssetComponent": "Image" - }, - "Resources": [ - { - "Type": "Container", - "Id": f"arn:{awsPartition}:ecr:{awsRegion}:{awsAccountId}:image/{repoName}:{imageTag}", - "Partition": awsPartition, - "Region": awsRegion, - "Details": { - "Container": { - "Name": f"{repoName}:{imageTag}", - "ImageId": imageDigest - } + } + ], + "Compliance": { + "Status": 
"FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 DE.CM-8", + "NIST CSF V1.1 ID.RA-1", + "NIST SP 800-53 Rev. 4 CA-2", + "NIST SP 800-53 Rev. 4 CA-7", + "NIST SP 800-53 Rev. 4 CA-8", + "NIST SP 800-53 Rev. 4 RA-3", + "NIST SP 800-53 Rev. 4 RA-5", + "NIST SP 800-53 Rev. 4 SA-5", + "NIST SP 800-53 Rev. 4 SA-11", + "NIST SP 800-53 Rev. 4 SI-2", + "NIST SP 800-53 Rev. 4 SI-4", + "NIST SP 800-53 Rev. 4 SI-5", + "AICPA TSC CC3.2", + "AICPA TSC CC7.1", + "ISO 27001:2013 A.12.6.1", + "ISO 27001:2013 A.12.6.4", + "ISO 27001:2013 A.18.2.3" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE" + } + yield finding + # This is a passing check + else: + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"arn:{awsPartition}:ecr:{awsRegion}:{awsAccountId}:image/{repoName}:{imageTag}/ecr-latest-image-vuln-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": imageDigest, + "AwsAccountId": awsAccountId, + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE", + "Software and Configuration Checks/AWS Security Best Practices", + ], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "INFORMATIONAL"}, + "Confidence": 99, + "Title": "[ECR.4] The latest image in an ECR Repository should not have any vulnerabilities", + "Description": f"The latest image {imageDigest} in the ECR repository {repoName} does not have any vulnerabilities reported, good job!", + "Remediation": { + "Recommendation": { + "Text": "For more information about scanning images refer to the Image Scanning section of the Amazon ECR User Guide", + "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html", + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "AWS", + "ProviderType": "CSP", + "ProviderAccountId": awsAccountId, + "AssetRegion": awsRegion, + "AssetDetails": assetB64, + "AssetClass": 
"Containers", + "AssetService": "Amazon Elastic Container Registry", + "AssetComponent": "Image" + }, + "Resources": [ + { + "Type": "Container", + "Id": f"arn:{awsPartition}:ecr:{awsRegion}:{awsAccountId}:image/{repoName}:{imageTag}", + "Partition": awsPartition, + "Region": awsRegion, + "Details": { + "Container": { + "Name": f"{repoName}:{imageTag}", + "ImageId": imageDigest } } - ], - "Compliance": { - "Status": "PASSED", - "RelatedRequirements": [ - "NIST CSF V1.1 DE.CM-8", - "NIST CSF V1.1 ID.RA-1", - "NIST SP 800-53 Rev. 4 CA-2", - "NIST SP 800-53 Rev. 4 CA-7", - "NIST SP 800-53 Rev. 4 CA-8", - "NIST SP 800-53 Rev. 4 RA-3", - "NIST SP 800-53 Rev. 4 RA-5", - "NIST SP 800-53 Rev. 4 SA-5", - "NIST SP 800-53 Rev. 4 SA-11", - "NIST SP 800-53 Rev. 4 SI-2", - "NIST SP 800-53 Rev. 4 SI-4", - "NIST SP 800-53 Rev. 4 SI-5", - "AICPA TSC CC3.2", - "AICPA TSC CC7.1", - "ISO 27001:2013 A.12.6.1", - "ISO 27001:2013 A.12.6.4", - "ISO 27001:2013 A.18.2.3" - ] - }, - "Workflow": {"Status": "RESOLVED"}, - "RecordState": "ARCHIVED" - } - yield finding - except Exception as e: - print(e) - else: - pass + } + ], + "Compliance": { + "Status": "PASSED", + "RelatedRequirements": [ + "NIST CSF V1.1 DE.CM-8", + "NIST CSF V1.1 ID.RA-1", + "NIST SP 800-53 Rev. 4 CA-2", + "NIST SP 800-53 Rev. 4 CA-7", + "NIST SP 800-53 Rev. 4 CA-8", + "NIST SP 800-53 Rev. 4 RA-3", + "NIST SP 800-53 Rev. 4 RA-5", + "NIST SP 800-53 Rev. 4 SA-5", + "NIST SP 800-53 Rev. 4 SA-11", + "NIST SP 800-53 Rev. 4 SI-2", + "NIST SP 800-53 Rev. 4 SI-4", + "NIST SP 800-53 Rev. 4 SI-5", + "AICPA TSC CC3.2", + "AICPA TSC CC7.1", + "ISO 27001:2013 A.12.6.1", + "ISO 27001:2013 A.12.6.4", + "ISO 27001:2013 A.18.2.3" + ] + }, + "Workflow": {"Status": "RESOLVED"}, + "RecordState": "ARCHIVED" + } + yield finding @registry.register_check("ecr") def ecr_registry_policy_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: 
@@ -780,11 +793,19 @@ def ecr_registry_policy_check(cache: dict, session, awsAccountId: str, awsRegion
 ecr = session.client("ecr")
 iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
 registryArn = f"arn:{awsPartition}:ecr:{awsRegion}:{awsAccountId}:registry"
+
+ # determine if a registry policy is configured
+ ecrRegistryPolicy = True
 try:
 policy = ecr.get_registry_policy()
 # B64 encode all of the details for the Asset
 assetJson = json.dumps(policy,default=str).encode("utf-8")
 assetB64 = base64.b64encode(assetJson)
+ except botocore.exceptions.ClientError:
+ ecrRegistryPolicy = False
+ assetB64 = None
+
+ if ecrRegistryPolicy is True:
 # This is a passing check
 finding = {
 "SchemaVersion": "2018-10-08",
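Review bot: The added `except botocore.exceptions.ClientError:` sets `ecrRegistryPolicy = False` for every client error, so an access-denied or throttled `get_registry_policy()` call would be reported as a FAILED ECR.5 finding stating that no registry policy is configured. The code removed in the `@@ -863,91 +884,85 @@` hunk treated only `RegistryPolicyNotFoundException` that way. Keeping that test restores the distinction: `except botocore.exceptions.ClientError as error:` with `if error.response["Error"]["Code"] != "RegistryPolicyNotFoundException": raise` before the flag is cleared. The function continues beyond this hunk.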
@@ -863,91 +884,85 @@ def ecr_registry_policy_check(cache: dict, session, awsAccountId: str, awsRegion "RecordState": "ARCHIVED", } yield finding - except botocore.exceptions.ClientError as error: - if error.response["Error"]["Code"] == "RegistryPolicyNotFoundException": - assetB64 = None - # this is a failing check - finding = { - "SchemaVersion": "2018-10-08", - "Id": f"{registryArn}/ecr-registry-access-policy-check", - "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", - "GeneratorId": awsAccountId + awsRegion, - "AwsAccountId": awsAccountId, - "Types": ["Software and Configuration Checks/AWS Security Best Practices"], - "FirstObservedAt": iso8601Time, - "CreatedAt": iso8601Time, - "UpdatedAt": iso8601Time, - "Severity": {"Label": "LOW"}, - "Confidence": 99, - "Title": "[ECR.5] ECR Registires should be have a registry policy configured to allow for cross-account recovery", - "Description": "ECR Registry " - + awsAccountId - + " in Region " - + awsRegion - + " does not have a registry policy configured. ECR uses a registry policy to grant permissions to an AWS principal, allowing the replication of the repositories from a source registry to your registry. By default, you have permission to configure cross-Region replication within your own registry. You only need to configure the registry policy if you're granting another account permission to replicate contents to your registry. 
Refer to the remediation instructions if this configuration is not intended", - "Remediation": { - "Recommendation": { - "Text": "If your Registry should be configured to have a Registry policy refer to the Private registry permissions section in the Amazon ECR User Guide", - "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry-permissions.html" - } - }, - "ProductFields": { - "ProductName": "ElectricEye", - "Provider": "AWS", - "ProviderType": "CSP", - "ProviderAccountId": awsAccountId, - "AssetRegion": awsRegion, - "AssetDetails": assetB64, - "AssetClass": "Containers", - "AssetService": "Amazon Elastic Container Registry", - "AssetComponent": "Registry" - }, - "Resources": [ - { - "Type": "AwsEcrRegistry", - "Id": registryArn, - "Partition": awsPartition, - "Region": awsRegion, - "Details": {"Other": {"RegistryId": awsAccountId}}, - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST CSF V1.1 ID.BE-5", - "NIST CSF V1.1 PR.IP-4", - "NIST CSF V1.1 PR.PT-5", - "NIST SP 800-53 Rev. 4 CP-2", - "NIST SP 800-53 Rev. 4 CP-4", - "NIST SP 800-53 Rev. 4 CP-6", - "NIST SP 800-53 Rev. 4 CP-7", - "NIST SP 800-53 Rev. 4 CP-8", - "NIST SP 800-53 Rev. 4 CP-9", - "NIST SP 800-53 Rev. 4 CP-11", - "NIST SP 800-53 Rev. 4 CP-13", - "NIST SP 800-53 Rev. 4 PL-8", - "NIST SP 800-53 Rev. 4 SA-14", - "NIST SP 800-53 Rev. 
4 SC-6", - "AICPA TSC A1.2", - "AICPA TSC A1.3", - "AICPA TSC CC3.1", - "ISO 27001:2013 A.11.1.4", - "ISO 27001:2013 A.12.3.1", - "ISO 27001:2013 A.17.1.1", - "ISO 27001:2013 A.17.1.2", - "ISO 27001:2013 A.17.1.3", - "ISO 27001:2013 A.17.2.1", - "ISO 27001:2013 A.18.1.3" - ] - }, - "Workflow": {"Status": "NEW"}, - "RecordState": "ACTIVE", - } - yield finding - else: - print(error) - except Exception as e: - print(e) + else: + # this is a failing check + finding = { + "SchemaVersion": "2018-10-08", + "Id": f"{registryArn}/ecr-registry-access-policy-check", + "ProductArn": f"arn:{awsPartition}:securityhub:{awsRegion}:{awsAccountId}:product/{awsAccountId}/default", + "GeneratorId": awsAccountId + awsRegion, + "AwsAccountId": awsAccountId, + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": iso8601Time, + "CreatedAt": iso8601Time, + "UpdatedAt": iso8601Time, + "Severity": {"Label": "LOW"}, + "Confidence": 99, + "Title": "[ECR.5] ECR Registires should be have a registry policy configured to allow for cross-account recovery", + "Description": "ECR Registry " + + awsAccountId + + " in Region " + + awsRegion + + " does not have a registry policy configured. ECR uses a registry policy to grant permissions to an AWS principal, allowing the replication of the repositories from a source registry to your registry. By default, you have permission to configure cross-Region replication within your own registry. You only need to configure the registry policy if you're granting another account permission to replicate contents to your registry. 
Refer to the remediation instructions if this configuration is not intended", + "Remediation": { + "Recommendation": { + "Text": "If your Registry should be configured to have a Registry policy refer to the Private registry permissions section in the Amazon ECR User Guide", + "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry-permissions.html" + } + }, + "ProductFields": { + "ProductName": "ElectricEye", + "Provider": "AWS", + "ProviderType": "CSP", + "ProviderAccountId": awsAccountId, + "AssetRegion": awsRegion, + "AssetDetails": assetB64, + "AssetClass": "Containers", + "AssetService": "Amazon Elastic Container Registry", + "AssetComponent": "Registry" + }, + "Resources": [ + { + "Type": "AwsEcrRegistry", + "Id": registryArn, + "Partition": awsPartition, + "Region": awsRegion, + "Details": {"Other": {"RegistryId": awsAccountId}}, + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST CSF V1.1 ID.BE-5", + "NIST CSF V1.1 PR.IP-4", + "NIST CSF V1.1 PR.PT-5", + "NIST SP 800-53 Rev. 4 CP-2", + "NIST SP 800-53 Rev. 4 CP-4", + "NIST SP 800-53 Rev. 4 CP-6", + "NIST SP 800-53 Rev. 4 CP-7", + "NIST SP 800-53 Rev. 4 CP-8", + "NIST SP 800-53 Rev. 4 CP-9", + "NIST SP 800-53 Rev. 4 CP-11", + "NIST SP 800-53 Rev. 4 CP-13", + "NIST SP 800-53 Rev. 4 PL-8", + "NIST SP 800-53 Rev. 4 SA-14", + "NIST SP 800-53 Rev. 4 SC-6", + "AICPA TSC A1.2", + "AICPA TSC A1.3", + "AICPA TSC CC3.1", + "ISO 27001:2013 A.11.1.4", + "ISO 27001:2013 A.12.3.1", + "ISO 27001:2013 A.17.1.1", + "ISO 27001:2013 A.17.1.2", + "ISO 27001:2013 A.17.1.3", + "ISO 27001:2013 A.17.2.1", + "ISO 27001:2013 A.18.1.3" + ] + }, + "Workflow": {"Status": "NEW"}, + "RecordState": "ACTIVE", + } + yield finding @registry.register_check("ecr") def ecr_registry_backup_rules_check(cache: dict, session, awsAccountId: str, awsRegion: str, awsPartition: str) -> dict: diff --git a/eeauditor/eeauditor.py b/eeauditor/eeauditor.py index 59fbf51c..c808a9dc 100644 
--- a/eeauditor/eeauditor.py
+++ b/eeauditor/eeauditor.py
@@ -42,8 +42,7 @@ class EEAuditor(object):
 """
 def __init__(self, assessmentTarget, args, useToml, tomlPath=None, searchPath=None):
- # each check must be decorated with the @registry.register_check("cache_name")
- # to be discovered during plugin loading.
+ # each check must be decorated with the @registry.register_check("cache_name") to be discovered during plugin loading.
 self.registry = CheckRegister()
 self.name = assessmentTarget
 self.plugin_base = PluginBase(package="electriceye")
From 19ee1c6f580ce1cd964a39a251848f766e43d496 Mon Sep 17 00:00:00 2001
From: jonrau1 <46727149+jonrau1@users.noreply.github.com>
Date: Mon, 2 Sep 2024 22:03:21 -0400
Subject: [PATCH 55/55] fuck here we go with dockershit
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 6fdb6b8c..2151777e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,7 +30,7 @@ COPY requirements-docker.txt /tmp/requirements-docker.txt
 RUN \
 apk update && \
 apk add --no-cache python3 postgresql-libs && \
- apk add --no-cache --virtual .build-deps gcc zlib-dev python3-dev musl-dev postgresql-dev && \
+ apk add --no-cache --virtual .build-deps g++ gcc zlib-dev python3-dev musl-dev postgresql-dev && \
 python3 -m venv /opt/venv && \
 source /opt/venv/bin/activate && \
 python3 -m ensurepip && \
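Review bot: Nothing in the Dockerfile hunk records which dependency needs a C++ compiler, so the reason for `g++` is lost to the next maintainer; a short comment above the `RUN`, such as `# g++ is required to build <package> from source on musl`, would capture it. The compiler joins the `.build-deps` virtual group and the rest of the `RUN` step is outside the hunk, so confirm the step ends with `apk del .build-deps` (or that this is a discarded build stage) so the toolchain does not ship in the runtime image.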