From ef0cd33d1d14e167b360b7cd3fd23d570f554b58 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Tue, 17 Aug 2021 10:38:04 -0700 Subject: [PATCH 01/22] AADS query update AADS query update --- .../identity-protection/hello-for-business/hello-faq.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 405b6710ad..3a715535a6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -219,4 +219,7 @@ sections: - question: Does Windows Hello for Business work with Mac and Linux clients? answer: | - Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). \ No newline at end of file + Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). + + question: Does Windows Hello for Business work with AADS clients? + answer: No, AAD DS is seperate on-prem enviornment and device registration with cloud (Azure AD) not available for them via ADConnect. From 3340cf5e13d033e17beb0870569512218639433e Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Wed, 18 Aug 2021 07:45:54 -0700 Subject: [PATCH 02/22] updated AAD DS and expand them updated AAD DS and expand them --- .../identity-protection/hello-for-business/hello-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 3a715535a6..65c19ff255 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -221,5 +221,5 @@ sections: answer: | Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). - question: Does Windows Hello for Business work with AADS clients? - answer: No, AAD DS is seperate on-prem enviornment and device registration with cloud (Azure AD) not available for them via ADConnect. + question: Does Windows Hello for Business work with Azure AD Domain Services (AAD DS) clients? + answer: No, Azure AD Domain Service is a seperate managed enviornment in Azure and hybrid device registration with cloud (Azure AD) not available for them via ADConnect. Hence they can not perform WHFB with Azure AD. From 5e7f41f67f99d943ec6cd5daced76d2b5092e5c6 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Wed, 18 Aug 2021 07:48:17 -0700 Subject: [PATCH 03/22] - added - added before question --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 65c19ff255..d774f0890f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -221,5 +221,5 @@ sections: answer: | Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). - question: Does Windows Hello for Business work with Azure AD Domain Services (AAD DS) clients? + - question: Does Windows Hello for Business work with Azure AD Domain Services (AAD DS) clients? answer: No, Azure AD Domain Service is a seperate managed enviornment in Azure and hybrid device registration with cloud (Azure AD) not available for them via ADConnect. Hence they can not perform WHFB with Azure AD. From 76182769f5889e4a19ed0ad7bebdb9d148d2bd72 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Thu, 19 Aug 2021 17:58:31 -0700 Subject: [PATCH 04/22] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index d774f0890f..7d470d3748 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -222,4 +222,4 @@ sections: Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). - question: Does Windows Hello for Business work with Azure AD Domain Services (AAD DS) clients? - answer: No, Azure AD Domain Service is a seperate managed enviornment in Azure and hybrid device registration with cloud (Azure AD) not available for them via ADConnect. Hence they can not perform WHFB with Azure AD. + answer: No, AAD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. Hence, Windows Hello for Business does not work with Azure AD. From 22099b37d5ee6c1c2dabc123b1390fca29d94dbd Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Thu, 19 Aug 2021 18:01:51 -0700 Subject: [PATCH 05/22] updated as per Matthew's suggestions updated as per Matthew's suggestions --- .../identity-protection/hello-for-business/hello-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 7d470d3748..a6c2533e72 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -221,5 +221,5 @@ sections: answer: | Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). - - question: Does Windows Hello for Business work with Azure AD Domain Services (AAD DS) clients? - answer: No, AAD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. Hence, Windows Hello for Business does not work with Azure AD. + - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? + answer: No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. Hence, Windows Hello for Business does not work with Azure AD. From 8d5428e1955ced860617b80210a7624c9ffcc0dc Mon Sep 17 00:00:00 2001 From: Gitprakhar13 <45089022+Gitprakhar13@users.noreply.github.com> Date: Mon, 27 Sep 2021 22:55:37 -0700 Subject: [PATCH 06/22] update for win 11 Updates to the documentation for Windows 11. TODO: Add section for attestation flow based on MAA. TODO: Add links to MAA documentation --- .../mdm/healthattestation-csp.md | 225 ++++++++++++++++-- 1 file changed, 211 insertions(+), 14 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index e570b9890d..c18c474d71 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -23,7 +23,204 @@ The following is a list of functions performed by the Device HealthAttestation C - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device - Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data -## Terms +## Windhows 11 Device HealthAttestation + +>Windows 11 introduces an update to the device health attestation feature bringing in support for deeper insights into windows boot security, enhancing zero trust solutions. Device health attestation on windows can be accessed via the HealthAttestation CSP which enables enterprise device managers to assess if a device is booted to a trusted and compliant state and take enterprise policy actions. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service which provides a simplified approach to attestation. +The attested report provides a health assessment of the boot time properties of the device to ensure that the devices are automatically secure from the first power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. + +### Terms +**TPM (Trusted Platform Module)** +

TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

+ +**DHA (Device HealthAttestation) feature** +

The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

+ +**MAA-Session (Microsoft Azure Attestaiton service based device HealthAttestation session)** +

The Microsoft Azure Attestaiton service based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

+ +**MAA-CSP (Microsoft Azure Attestaiton based Configuration Service Provider)** +

The Configuration Service Provider nodes added to Windhows 11 to integrate with Microsoft Azure Attestation Service.

+

The following list of operations is performed by MAA-CSP:

+
    +
  • Receives attestation trigger requests from a HealthAttestation enabled MDM provider.
    • +
  • The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device.
    • +
  • Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider.
    • +
  • Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device.
    • +
+ +### Attestation Flow with Microsoft Azure Attestation Service + + +### Configuration Service Provider Nodes +Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestaiton service. +``` +./Vendor/MSFT +HealthAttestation +----... +----TriggerAttestation +----CurrentProtocolVersion +----PreferredMaxProtocolVersion +----MaxSupportedProtocolVersion +``` + +**./Vendor/MSFT/HealthAttestation** +

The root node for the device HealthAttestation configuration service provider.

+ +**TriggerAttestation** (Required) +

Node type: EXECUTE +This node will trigger attestation flow by launching an attestation process. If a process is already running, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. +

+ +

Templated SyncML Call:

+ + + + + VERIFYHEALTHV2 + + + + ./Vendor/MSFT/HealthAttestation/TriggerAttestation + + + + { + rpID : "rpID", serviceEndpoint : “MAA endpoint”, + nonce : “nonce”, aadToken : “aadToken”, "cv" : "CorrelationVector" + } + + + + + + + +

Data fields:

+
    +
  • rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
    • +
  • serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
    • +
  • nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
    • +
  • aadToken : The AAD token to used for authentication against the Microsoft Azure Attestation service.
    • +
  • cv : This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.
    • +
+ +

Sample Data:

+ + + { + "rpid" : "https://www.contoso.com/attestation", + "endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01", + "nonce" : "5468697320697320612054657374204e6f6e6365", + "aadToken" : "dummytokenstring", + "cv" : "testonboarded" + } + + +**AttestStatus** +

Node type: GET +This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step. +The status is always cleared prior to making the attest service call. +

+ +

Templated SyncML Call:

+ + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/AttestStatus + + + + + + + + +

Sample Data:

+ + If Successful: 0 + If Failed: A corresponding HRESULT error code + Example: 0x80072efd, WININET_E_CANNOT_CONNECT + +**GetAttestReport** +

Node type: GET +This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. +

+ +

Templated SyncML Call:

+ + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport + + + + + + + + +

Sample data:

+ + If Success: + JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc + If failed: + Previously cached report if available (the token may have already expired per the attestation policy). + OR Sync ML 404 error if not cached report available. + +**GetServiceCorrelationIDs** +

Node type: GET +This node will retrieve the service generated correlation IDs for the given MDM provider. If there are more than one correlation id, they are separated by “;” in the string. +

+

Templated SyncML Call:

+ + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs + + + + + + + + +

Sample data:

+ + If success: + GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM + If Trigger Attestation call failed and no previous data is present. The field remains empty. + Otherwise, the last service correlation id will be returned. + +### MAA CSP Intergation Steps +
    +
  1. Setup a MAA provider instance: +MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
    2. +
  2. Update the provider with an appropriate policy: +The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs +A Sample attestation policy that only checks for secureboot is here: +TODO
    3. +
  3. Call TriggerAttestation with your rpid, AAD token and the attestURI: +Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Azure Attestation) | Microsoft Docs
    4. +
  4. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties: +The decoded JWT token contains information per the attestation policy. +{ "typ": "JWT", "alg": "RS256", "x5c": [ "MIIDcDCCAligAwIBAgIQOLMUhXOEQ2axV6zXp/KvnzANBgkqhkiG9w0BAQsFADA1MTMwMQYDVQQDEypBdHRlc3RhdGlvblNlcnZpY2UtTG9jYWxUZXN0LVJlcG9ydFNpZ25pbmcwHhcNMjAxMTI5MTExMjUyWhcNMjIxMTI5MTEyMjUyWjA1MTMwMQYDVQQDEypBdHRlc3RhdGlvblNlcnZpY2UtTG9jYWxUZXN0LVJlcG9ydFNpZ25pbmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsuOlDyU1sYAuAV53n7TrmTU180bOREgfZoTsdOyllMcsKciTUWkTO0vKDa8CFwGEHmSVTAEngDIHw1putio84HKZdcI6nPt2B74kJ/+5ut8KGMWtBm6GFWwS0TXti1rE4Os1mPpCYAsUyKxaEw4lBbEzGa5mGx0SGLdseuUIiw23S695RLVCciDaAvf+q/gBScFgZJm2ZxgkyNF7+MSvnDMU1xv5YLDQeh3j5vZlstSq+rrRbB5SVnuD4cFBjvGW5lXBLxMEjpBXI6yzFmFuw/OjZ7VClk6HSNjvvhSwJu4F1oHuJ0oAuABOtPpRK/898Ru+9qS5ZMm79775nZK75AgMBAAGjfDB6MA4GA1UdDwEB/wQEAwIFoDAJBgNVHRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBR/8W25+uWj5sg8lEKKYy1gdCqWUTAdBgNVHQ4EFgQUf/Ftufrlo+bIPJRCimMtYHQqllEwDQYJKoZIhvcNAQELBQADggEBAJGfbRRvF3EpG6ZsOcSmWtu/1LDVZq+fGspjK/7+ImybEY/zC2CsWWpz7pT54KEGYe91q67nV5GZoSz7+O4A4A5QtMDFzOnrFVicDo5Cg2EDU4YQDN4j4DyrbttkQYiEiBFexJImrjIk4bfW2YqZjtzR7XFDsCsOAUHNY8cnnKaZCRbXrLwP/LUYAz/NVkttO4CW4U/8OZygrarfAsVrsCsx5o2mXBlaRYl5xECWfvT2YbCFuIt3gZR9sau65uMWthgyV0XAR7farxycfMEuBkyb+IVPwYW5QGFo5M8a78r/rFPdczGPlv0Qvg7zrBm775xs8O33V4nOmC1tfsxXUgw=" ], "kid": "e5j-rIjIITYTB9RQSgM-OzOWjXM" }.{ "nbf": 1629758941, "exp": 1630104841, "iat": 1629759241, "iss": "https://ulptestwin.eus.test.attest.azure.net", "jti": "e325dad03894f09b12c53f3b5eac5e36824c89ae", "ver": "1.0", "x-ms-ver": "1.0", "rp_data": "AQIDBA", "nonce": "AQIDBA", "cnf": { "jwk": { "kty": "RSA", "n": "vTCRaX0IZMsNHfJPOVyiYSCM2WABZmNo3PSVTOt9mh0vR4Mon080EGHM_V3afjKJ4NxmEZ01XeB-1TsuNM2-19_JMWZF-wiBTrBWEjcUQ84AxzukaWD1sMsH2kiqjaxXBHEUl8Hhq9SRjVEEdT-fKLOzBO070TffvRCKVxZIRI9Ry6E6K8gMEX3CH6Yk9b7clAua0MrUxd28hMxwx4hy1HyCsFSnXb_bIaqxLYjCxisc9mRx2vO6IuEqEVskSYDc-5f8u2G98ld6PuiMkAhvOOEBmaDlEksvUpnA8e9nWO98rg17pjyOms9GLvgKkSgOKbK8wQ-NuUyXutQfaN2MbQ", "e": "AQAB" } }, "x-ms-policy-hash": "BpV0Jxx6oZ2AjkgXx3Gj7JiJ1NpZWGppjdT2OTtBR4g", "AIKPresent": true, "BitlockerStatus": 1, "CodeIntegrityEnabled": true, "SafeMode": false, "SecureBootEnabled": true, "TpmVersion": 2, "VSMEnabled": true, "WinPE": false }.[Signature]
    5. +
+ +## Windhows 10 Device HealthAttestation + +### Terms **TPM (Trusted Platform Module)**

TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

@@ -173,7 +370,7 @@ The following is a list of functions performed by the Device HealthAttestation C -## CSP diagram and node descriptions +### CSP diagram and node descriptions The following shows the Device HealthAttestation configuration service provider in tree format. @@ -243,7 +440,7 @@ HealthAttestation

Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.

Value type is integer. The supported operation is Get.

-## **DHA-CSP integration steps** +### **DHA-CSP integration steps** The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): @@ -260,7 +457,7 @@ The following list of validation and development tasks are required for integrat Each step is described in detail in the following sections of this topic. -## **Step 1: Verify HTTPS access** +### **Step 1: Verify HTTPS access** Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). @@ -313,7 +510,7 @@ SSL-Session: ``` -## **Step 2: Assign an enterprise trusted DHA-Service** +### **Step 2: Assign an enterprise trusted DHA-Service** There are three types of DHA-Service: - Device Health Attestation – Cloud (owned and operated by Microsoft) @@ -339,7 +536,7 @@ The following example shows a sample call that instructs a managed device to com ``` -## **Step 3: Instruct client to prepare health data for verification** +### **Step 3: Instruct client to prepare health data for verification** Send a SyncML call to start collection of the DHA-Data. @@ -366,7 +563,7 @@ The following example shows a sample call that triggers collection and verificat ``` -## **Step 4: Take action based on the clients response** +### **Step 4: Take action based on the clients response** After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. @@ -394,7 +591,7 @@ Here is a sample alert that is issued by DHA_CSP: ``` - If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). -## **Step 5: Instruct the client to forward health attestation data for verification** +### **Step 5: Instruct the client to forward health attestation data for verification** Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. @@ -431,7 +628,7 @@ Here is an example: ``` -## **Step 6: Forward device health attestation data to DHA-service** +### **Step 6: Forward device health attestation data to DHA-service** In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node). @@ -455,14 +652,14 @@ When the MDM-Server receives the above data, it must: - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3 -## **Step 7: Receive response from the DHA-service** +### **Step 7: Receive response from the DHA-service** When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps: - Decrypts the encrypted data it receives. - Validates the data it has received - Creates a report, and shares the evaluation results to the MDM server via SSL in XML format -## **Step 8: Take appropriate policy action based on evaluation results** +### **Step 8: Take appropriate policy action based on evaluation results** After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be: @@ -816,7 +1013,7 @@ Each of these are described in further detail in the following sections, along w

In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.

-## **Device HealthAttestation CSP status and error codes** +### **Device HealthAttestation CSP status and error codes** @@ -1027,7 +1224,7 @@ Each of these are described in further detail in the following sections, along w
-## DHA-Report V3 schema +### DHA-Report V3 schema ```xml @@ -1131,7 +1328,7 @@ Each of these are described in further detail in the following sections, along w ``` -## DHA-Report example +### DHA-Report example ```xml From 96f9551f2040fbbae5aed97ea35e89d0773c60b3 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 28 Sep 2021 09:24:45 -0700 Subject: [PATCH 07/22] Update healthattestation-csp.md edits (pass 1) --- .../mdm/healthattestation-csp.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index c18c474d71..7c0aef670f 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -8,25 +8,26 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 +author: dansimp +ms.date: --- # Device HealthAttestation CSP -The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. +The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT admins to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following is a list of functions performed by the Device HealthAttestation CSP: -- Collects device boot logs, TPM audit trails and the TPM certificate (DHA-BootData) from a managed device -- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) +- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device +- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device -- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data +- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) -## Windhows 11 Device HealthAttestation +## Windows 11 Device health attestation ->Windows 11 introduces an update to the device health attestation feature bringing in support for deeper insights into windows boot security, enhancing zero trust solutions. Device health attestation on windows can be accessed via the HealthAttestation CSP which enables enterprise device managers to assess if a device is booted to a trusted and compliant state and take enterprise policy actions. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service which provides a simplified approach to attestation. -The attested report provides a health assessment of the boot time properties of the device to ensure that the devices are automatically secure from the first power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. +Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service which provides a simplified approach to attestation. + +The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. ### Terms **TPM (Trusted Platform Module)** From 66deb0fa5a5c8cf167b45489e662c016bafa38d5 Mon Sep 17 00:00:00 2001 From: Gitprakhar13 <45089022+Gitprakhar13@users.noreply.github.com> Date: Thu, 7 Oct 2021 21:06:48 -0700 Subject: [PATCH 08/22] Update healthattestation-csp.md Added policy and response token. TODO: Add image. --- .../mdm/healthattestation-csp.md | 221 +++++++++++++++++- 1 file changed, 212 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 7c0aef670f..dd83b691f5 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -51,6 +51,15 @@ The attestation report provides a health assessment of the boot-time properties ### Attestation Flow with Microsoft Azure Attestation Service +#add image +

Attestation flow can be broadly in three main steps: +

    +
  • An instancne of the Azure Attestation service is setup with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
    • +
  • The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrived.
    • +
  • The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
    • +
+The protocol implemented can be found here: Attestation Protocol +

### Configuration Service Provider Nodes Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestaiton service. @@ -206,17 +215,211 @@ This node will retrieve the service generated correlation IDs for the given MDM ### MAA CSP Intergation Steps
    -
  1. Setup a MAA provider instance: -MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
    2. -
  2. Update the provider with an appropriate policy: -The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs -A Sample attestation policy that only checks for secureboot is here: -TODO
    3. -
  3. Call TriggerAttestation with your rpid, AAD token and the attestURI: +
  4. Setup a MAA provider instance:
    +MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
    5. +
  5. Update the provider with an appropriate policy:
    +The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs +
    A Sample attestation policy: + +``` +version=1.2; + +configurationrules{ +}; + +authorizationrules { + => permit(); +}; + +issuancerules{ + +// SecureBoot enabled +c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); +c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); +![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false); + +// Retrieve bool properties +c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY")); +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY"))); +c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true)); +![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false); + +// Bitlocker Boot Status, The first non zero measurement or zero. +c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); +c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]"))); +[type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true); +![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false); + +// Elam Driver (windows defender) Loaded +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`"))); +[type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true); +![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false); + +// Boot debugging +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING"))); +c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); +![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false); + +// Kernel Debugging +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG"))); +c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); +![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false); + +// DEP Policy +c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]"))); +![type=="depPolicy"] => issue(type="depPolicy", value=0); + +// Test Signing +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING"))); +c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false)); +![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false); + +// Flight Signing +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING"))); +c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false)); +![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false); + +// VSM enabled +c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); +c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED"))); +c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT"))); +c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true)); +![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false); +c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value); + +// HVCI +c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value"))); +c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1)); +![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false); + +// IOMMU +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED"))); +c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true)); +![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false); + +// Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements +// Find the first EV_SEPARATOR in PCR 12, 13, Or 14 +c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); +c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); +[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); + +// Find the first EVENT_APPLICATION_SVN. +c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq")); +c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value)); +c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); + +// The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN +c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + +// OS Rev List Info +c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]"))); + +// Safe mode +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE"))); +c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false)); +![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true); + +// Win PE +c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE"))); +c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false)); +![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true); + +// CI Policy +c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData"))); + +// Secure Boot Custom Policy +c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]"))); + +// Find the first EV_SEPARATOR in PCR 12, 13, Or 14 +c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); +c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); +[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present + +//Finding the Boot App SVN +// Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR +c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`")); +c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq")); +c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value)); + +// Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control. +c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); +c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]")); +c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value)); + +// Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. +c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); +c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); +c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + +// Finding the Boot Rev List Info +c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]"))); + +}; +``` +
    6. +
  6. Call TriggerAttestation with your rpid, AAD token and the attestURI:
    Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Azure Attestation) | Microsoft Docs
    7. -
  7. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties: +
  8. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:
    The decoded JWT token contains information per the attestation policy. -{ "typ": "JWT", "alg": "RS256", "x5c": [ "MIIDcDCCAligAwIBAgIQOLMUhXOEQ2axV6zXp/KvnzANBgkqhkiG9w0BAQsFADA1MTMwMQYDVQQDEypBdHRlc3RhdGlvblNlcnZpY2UtTG9jYWxUZXN0LVJlcG9ydFNpZ25pbmcwHhcNMjAxMTI5MTExMjUyWhcNMjIxMTI5MTEyMjUyWjA1MTMwMQYDVQQDEypBdHRlc3RhdGlvblNlcnZpY2UtTG9jYWxUZXN0LVJlcG9ydFNpZ25pbmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsuOlDyU1sYAuAV53n7TrmTU180bOREgfZoTsdOyllMcsKciTUWkTO0vKDa8CFwGEHmSVTAEngDIHw1putio84HKZdcI6nPt2B74kJ/+5ut8KGMWtBm6GFWwS0TXti1rE4Os1mPpCYAsUyKxaEw4lBbEzGa5mGx0SGLdseuUIiw23S695RLVCciDaAvf+q/gBScFgZJm2ZxgkyNF7+MSvnDMU1xv5YLDQeh3j5vZlstSq+rrRbB5SVnuD4cFBjvGW5lXBLxMEjpBXI6yzFmFuw/OjZ7VClk6HSNjvvhSwJu4F1oHuJ0oAuABOtPpRK/898Ru+9qS5ZMm79775nZK75AgMBAAGjfDB6MA4GA1UdDwEB/wQEAwIFoDAJBgNVHRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBR/8W25+uWj5sg8lEKKYy1gdCqWUTAdBgNVHQ4EFgQUf/Ftufrlo+bIPJRCimMtYHQqllEwDQYJKoZIhvcNAQELBQADggEBAJGfbRRvF3EpG6ZsOcSmWtu/1LDVZq+fGspjK/7+ImybEY/zC2CsWWpz7pT54KEGYe91q67nV5GZoSz7+O4A4A5QtMDFzOnrFVicDo5Cg2EDU4YQDN4j4DyrbttkQYiEiBFexJImrjIk4bfW2YqZjtzR7XFDsCsOAUHNY8cnnKaZCRbXrLwP/LUYAz/NVkttO4CW4U/8OZygrarfAsVrsCsx5o2mXBlaRYl5xECWfvT2YbCFuIt3gZR9sau65uMWthgyV0XAR7farxycfMEuBkyb+IVPwYW5QGFo5M8a78r/rFPdczGPlv0Qvg7zrBm775xs8O33V4nOmC1tfsxXUgw=" ], "kid": "e5j-rIjIITYTB9RQSgM-OzOWjXM" }.{ "nbf": 1629758941, "exp": 1630104841, "iat": 1629759241, "iss": "https://ulptestwin.eus.test.attest.azure.net", "jti": "e325dad03894f09b12c53f3b5eac5e36824c89ae", "ver": "1.0", "x-ms-ver": "1.0", "rp_data": "AQIDBA", "nonce": "AQIDBA", "cnf": { "jwk": { "kty": "RSA", "n": "vTCRaX0IZMsNHfJPOVyiYSCM2WABZmNo3PSVTOt9mh0vR4Mon080EGHM_V3afjKJ4NxmEZ01XeB-1TsuNM2-19_JMWZF-wiBTrBWEjcUQ84AxzukaWD1sMsH2kiqjaxXBHEUl8Hhq9SRjVEEdT-fKLOzBO070TffvRCKVxZIRI9Ry6E6K8gMEX3CH6Yk9b7clAua0MrUxd28hMxwx4hy1HyCsFSnXb_bIaqxLYjCxisc9mRx2vO6IuEqEVskSYDc-5f8u2G98ld6PuiMkAhvOOEBmaDlEksvUpnA8e9nWO98rg17pjyOms9GLvgKkSgOKbK8wQ-NuUyXutQfaN2MbQ", "e": "AQAB" } }, "x-ms-policy-hash": "BpV0Jxx6oZ2AjkgXx3Gj7JiJ1NpZWGppjdT2OTtBR4g", "AIKPresent": true, "BitlockerStatus": 1, "CodeIntegrityEnabled": true, "SafeMode": false, "SecureBootEnabled": true, "TpmVersion": 2, "VSMEnabled": true, "WinPE": false }.[Signature]
    9. +
    + + + { + "typ": "JWT", + "alg": "RS256", + "x5c": [ + "MIIE.....=", + "MIIG.....=", + "MIIF.....=" + ], + "kid": "8FUer20z6wzf1rod044wOAFdjsg" + }.{ + "nbf": 1633664812, + "exp": 1634010712, + "iat": 1633665112, + "iss": "https://contosopolicy.eus.attest.azure.net", + "jti": "2b63663acbcafefa004d20969991c0b1f063c9be", + "ver": "1.0", + "x-ms-ver": "1.0", + "rp_data": "AQIDBA", + "nonce": "AQIDBA", + "cnf": { + "jwk": { + "kty": "RSA", + "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ", + "e": "AQAB" + } + }, + "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0", + "WindowsDefenderElamDriverLoaded": true, + "bitlockerEnabled": true, + "bitlockerEnabledValue": 4, + "bootAppSvn": 1, + "bootDebuggingDisabled": true, + "bootMgrSvn": 1, + "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw", + "codeIntegrityEnabled": true, + "codeIntegrityPolicy": [ + "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk", + "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o", + "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI", + "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc", + "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM" + ], + "depPolicy": 0, + "flightSigningNotEnabled": false, + "hvciEnabled": true, + "iommuEnabled": true, + "notSafeMode": true, + "notWinPE": true, + "osKernelDebuggingDisabled": true, + "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA", + "secureBootEnabled": true, + "testSigningDisabled": true, + "vbsEnabled": true + }.[Signature] + +
## Windhows 10 Device HealthAttestation From dd4fca93b1a3a64149dab14802e44d757e1ec500 Mon Sep 17 00:00:00 2001 From: Gitprakhar13 <45089022+Gitprakhar13@users.noreply.github.com> Date: Mon, 11 Oct 2021 15:18:42 -0700 Subject: [PATCH 09/22] Add files via upload adding maa flow image --- .../mdm/images/maa-attestation-flow.png | Bin 0 -> 81911 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/client-management/mdm/images/maa-attestation-flow.png diff --git a/windows/client-management/mdm/images/maa-attestation-flow.png b/windows/client-management/mdm/images/maa-attestation-flow.png new file mode 100644 index 0000000000000000000000000000000000000000..5bd288d0aeb9a5ae32344d19f58903e61da0db4f GIT binary patch literal 81911 zcmc$`2UL^W)-D{&wqZft0)l|pP^uzLs=(eBkYb^ih#(LkM1;_rTLBdTw@8r)$dO(W zY9NFJ1OzDoqyn#5@m#yt=5au73Mi z7Fwjxt@cjEBS-h4u9{Ngd-9?*UtllZZoL)!=no<m*R;^uKq#b8Fdc_m%|Ry5C~U>US@So)PLg9x1&^ zO4D1gT@6T1KAD-QZ@g>oN{*HW^&a>x1NSeJRj3D%=f;b_jR<4Ie|KOmcGuEH z!xJd7Q=wmm;rqsnCdZOKmGZsx+&XDyGklYY!@?cPhSl9SCJGGPg_-EWPKl>tvrCoX zWr;dYd>5SWbk!A|A`O##yCi&DYvH1Zt0;{$KhkkKx#*i+m&Vbg;mZ+2yH9UOVkuNX zJ1EHOiGVNpKba#ZO$Hr#V-Ps7P9tCqM;$G;m_Vn(ra{Ig<;p#Igl_;k|1Yyqnv zGs#;QDHBamIMs9b?1tghsg*P!#({}cINbC?gzLmBN^ycJT$OGwFtop|dfZ2%5P7ZS z{Oupg_X{Qq7lr!BuP;VWt7PsPygOx+RX%$ug}L~c`VYYo|6G4MJ({@OhW)!ty9*jo zGVlN{>URPtY|h_qFjBZEy!&-tnT?F(^bUo%`r1zn{0!r&`?hBr&eS~dO+g;#`#!3G zmD~>0C3vlb(aj!`);9b13JOat9&!;-6L!I^*j|zq?%}z(Azy|1Bl5c^bWy6y{jR$0 zEwhTIT?WgQPw2ay+S#+*5NeaL(FYfefk7s9{D z=>Vg0{`HB{v@bA0*9p2Xx!ou5PYB7CveUD8-}wKs&wGF zw6T`|UxVzwn=HG6Wb>W1 z;o^sHCJQIlU6~BQkcNBS(FA=Bxwp z7Iq@>HTl-@uZqhdqJ=L->AruP^sypK+t(HnV34PTdi)XX*iGWr3tC67-dr2!sJ7;Z*(-s!6=B;7KAtM) z`VNf$8*o=Tvx{)3SMDS8>)*R3ijoem4bq&Z??FFandnkD7xvvv6;1-2-8F$Kn7g?F zZPG&jd+h!1+~WTR&~r(Z65VS8byahHlZ?8^!#Yk-&m|D|h!d&^@7py`ZG}lgJ#QM0 zKOUA+OrSIs!cCdV+$BGNOYD}1FBKb!xKIcmq{EndkoUVjJUQ59K$L;0AjZ4gMo>CV zrk+}qBkBwX0X01CHAVKmJ6uIIR@(OB4{zq!Z;>$H{K4B{U`4C6>{O&KfD4ck&>)lt zRg=cfXAi*z)Mjzdmb8q@lK8e<`30NrFrQ|EWiK!Q*mQuElSe}ViZ0;k(H4I8%nuLR zKx$AT9slYoVacla2bz{u(jvMp`^mteaC_Spf-T5QpW^cp+}fwvC_T6gKVJ62)wX=c zcQ@hyxnzQ>GBpfi+UpA!Ws3>-cn`HTWi2^Uh$ihm4adLQNLcd!6HSrZspnW}nrz?| zC`zTLnxE|P&d9{Ib(|Y%4A{u}+=~Jh2_n-OX9mu5EB)ViaP}jokmh532 zFr;}ZHhhU%z^ax>0BPY>Jxld`-i48B$PZG%b*yx+jw5s-KBCJ&T?JLwJWf2|U2((Xs}@A`oDYYH6yVK|P%7L{jztmPMi^Z#{_{Wp`@9kL+X zySMEA@WZFsY%Xw4dq%}8X+s0*CLatiNjslkr!dnjt{z+mDN=fe?$gCyhYxA(mxIW4 z!t1zmQ53#eP7t~Ku(gNaLdel|Fw)$S+FF6FK2WOWLjQ}V_Z{ipMBWrvQ7E+#dZV=t z?VK62y&qOgBZQt5=%ksBGo0dDPaSzz;*V+Xp}xG)6Pb!$2WAc-J1vgSFK@&} ze_m&lL!WO2O?=bWEX?kyHDwny;Pv&TFeY-;+;eJ!bryphak6|pA?$VKF$)eqWN4pm zNbx>iXg`5r{6yKcJl23+YWe*>s{cCorCaZyx^ZMD7JgHC(kmA(G9k1!ligc$k2vWq zlq=pV(l7rj&VF3UJZ@G+Q}a8NWG6jx48PT~^}}hp?=7I}wP84?lTObVcu@bCczd~S z?t2zEm|fu@czADICgBIkJpB5!`othgx{DYE0kx?Q^X*kCpRS4_}?|69sn zuvxRt+F}N4UW_Z>>yB7(0t^k8o0U2SZLM6#9Ny zNukT37hYd(t~DE9dG$Bxs@%5c-ziN=4kuvVcbIi^ue-5R4+>a~9oWbfaN){1zyWj| zO&2=UVlF?wDbm5{@Ro4B{5@>VjXr$i4f=ayE&oj!`+q;k{+r3vGryG> z;3I4<{#s6mmLmQ&_mSNmc(cU{l}b)9z>OsM-fG95B&`CeQA3M5*6XBpz_XU#%M8s} z$ZkSw#gN|h&r0#4be(LUbP6nR@`d>-5a-0i*-s|f&F}b@%eMew?wIqv<;gOZr2!H0Q%;1#fWVb$TBl6vUyb*7O)2} zLJK9+6a9t7sgiurZqIWy%w|X3HH0tUtPm++(qz!G6|&7@M||t%5hsynCqJxasQ?u% zj%*q*V8EY=T@Y{CtX?I;a=|jL#Yt$b6*Y6!#Lk?ZK*V^3?)lw<#3jB!hhO1%7r55P zI@{EuP6HN(+`c|?qTK0_W>Zk-M5<9aTsmB!>h5zMMmbMrL?UuD12zAG(JZ(mNOYJ|4${#oIw zHHFH4SBTw=VsY4eAvfg@Iu>gmC5x^P`}N%VM1QP*Il%M4W}5s5G(szOb%OGi=j)Qq zs2#aOemM5!?&@_Or*&0a6x^A+7Gf{H5Ahr4uS0yhvZhoBm(h_s;lrBvb(8ImTvyBO zi?6xvkk@;Z<$B-0zOBLWF|a|H#u!`nh*PT*=M*OecCaHDvc+CDCoI1D$5Q*hFI8-_ z^JDXUc@fd83%i|@y#9-j$DDlZK?45#u5P18>bLo~f7-AV&yjVp%8zjecQTGDdaiLl zE{k>FIeTK=7j|cTU;Kwh6tGE(?+(z_0H>l-a-8&7(Xn^=> zcD&869BNLD`u@>X4&U{U%zidh)L#Y7?nWXP{(#*6oAb_EtXskoCvtAxe+(%lbHdq>aV@N5b zMIJc@Is3=2>g0M`&|GA3HR3^(>;yYD1B6bjNz5Y!OGJQ3+9D3`T{WhL#Lv@(sF{2< z#U#~U)Izzlv8d!Y{M4oRSf||3-H|kQ=A0o{6oKIG3()?{QOtDT!j8QuJk|bb`cs1kGBvE z?i|?202ev_;WJ_}t?FYY>+o~qA2a8Cw$T_fgSj8M6P#MGjvZR2CSSYs@Z4(2ByTJ` zig1@qbT6PsWqQT+Xy(L-+%G?fWAns#l2c5gLgo3zE=GN zyF4o2;|>xMwT47SQr`m(AV1raXUDKVunvHUpti=C35cAv*Bk$SPP~A%u;g0SfLvVJ zu?D^nAc{~<*u$|!?DrB2GNb!54uB$2a2@LbbROT@;rx69JOCmt^ZXlDK_FaJFd?_> z?;AxBvB#e{6%8r;!JU0)=s%{Z`4x%SgFVq0^Lidvx_f=utmA7c15DxeuVx1ls{X8J z&?fcYm~Z#9Ut${!wrB;y%q)`Lqr!nb zR4yQ;%{X=r)n)pZo56}!eUE3yk5A9a!B!+sZy0GquD!Z2;SJwYwb?@Z3j06zu>Zs< z1lRK=*r(O}PrUd)nuA>^)CkRbpbJdDZ;zJ$B`;ouj$8{);4Z(N`?n;_cA}U)S#MKw zH&Xt^Oa9k0?QitiMuksJH7HC@1Nr*v?F3&B;pBV%%DOY@fX z9NKHYyWo*YW#(k9>9FU>PF+*E_!Ul@EzQS&j^&U)e2y2I2hR4{blq4fuDrKoDV|mH zRt6tGV5!!7@@WBF;m(A^YBx_v_3|RX)i+-J2d-|UWVtM zRzP|;K&)3&tkG*;#2Zp_6oph&Aam5$oHx^u(sRQ7JWo`Zf#r?NQDmA7_hfgF8f9W6 z2cEu*Y&u|K{c)U%B$zc7Ow!u5Pj|tQ(?qjtwBKD@w+CF<@c?477n2@S7^UiP4mB` zYCtp)|48@Sv<67|S#r(lC>uF`Z{)*!&F|&T_IUUh4a7crif9f}ol_r(>5C1)Tpr%S z)#yW*XiZ|_)7qJ;%RS1cd55L1Ovlo2j!LRpgJt_#T=8Kr7VpZD3~mZtxE@DK(S7cA zjZwEaG37SBubqQF+e$wdth%MyHZ`!b@Bka^b_Z3XY!elBvidpSpw96~z{u*QaCD2) zqU^R4iDnOT?kyf_sABGnWDuYeil_Srcz$OoL{~~IyWcW^(FDWWLtI+qEz;(xJ;v&v zJkZ7uyG!Pa6%JdS%f5M5a0R~gV)Q?A>5Q?@bXIG#Bz>Ei+`!o*{j{Txi%1O0;~I{B zR2y2=NFJuv;`4YeLPnnVkI()jO0qzt&S*nxKm% zIx3NM{_4IonHy+t3j{P*vR&!feD>l`q0q#Ocug7{GM1C$JFG%NKk)Fzpz}*S@Tl^f zd$GS=C3Mu^wojB1xSXc;5#w^9VQ6Y1)rKaB*vI^ODMo8Ro-sK2>nk)MYoDK#&#t2N)GqhSgfM3p&1A7V z9Xdi6EG9h0ElWM()EWH*?u>(zO1yK_V&z+M{gX6@!_e)uHyjMZV#qGRkV{5X#Q8&{Y#2CR)T==gm0k*Ejn>2?{b3G~cS)^_cR$uHj9Ckk7VnxrG@$j6WQ;JlD_w|ASwRJY ziU!g%D4{tVKJiA0_G4~*kTQfNJ*ge6#E&^9;P&qaiN6@&`GlamrpwKLDkEN zqy1!Fa@s2pI*ZZ~Zv5E1n2z-8R#d$>Ged~j^B=ij=AtCxHPS2p+?XgaJ*Lovbl$0J zB($#BKh{7_6ZHgf-zMEnPJP&65B|`^+v`gvsmySu+*9(Kp3WY$ahlk$0#T*pg6=d@ zTgHIPrROriBrd{(kY|9OyKLT_+G=Irtt&iyj<)od6Z&tjLX)nN>e-$wwKSWO!=kr@ zX|2~N#m2pgabIWW)$b}-7ehrSnaL5zXUuAccACrKqWXVPY5a>bQ>Yo@Dmq zKBAMVrk^ooh!z-&$8+sQgwD%6$Khl5t|g8-bl3}IcVtV9w`x)rZ4S-t@eh-Ue_P$+oPi0oz_+UXYMERA^nvB>@tBsy zf|gEMv<>s=+nupfPB8C^_GIN7^?Bv{pX$IVa4iwKP zh-91Y0e3xhIHh$q zx0;w}V*G)zS4MCmcs@qKyiANno%c!;>-T(L!;gVQIf%tOM5$y~xj4%7-Z4qNM6fsy z+4jc|mP)ZJg>hx{gmxM9qdZ8}A&3rSUeo-gJCr?jN8u85Yuth{`D$0S8=X>J;Vjn1 z>-N^UTQAqCQ7dYp8m?d*E~XIY?&GI^H|}N;D{u76k{p&J@=q&f4#q$M)&?PJ9w^&=V^Grp#uipEuB>)T%oETm4HqM;2~WrFn_OCOev&K>!_vDt-v5M=cBDM9L5AQ+RX;A(+od5M?Mjn-)LTzf2zyVu2j+)M+e7< zK_6Fza5wdptO0hAN|To%Vh4UE-g|fvv4NWS3(@*M2PNR81$;?M761y#w7LnY)OlXmJN|T)Ik0 zqB8_Uq9I#4g>RjQ4QEA+etFHduYM6(ze8s4fDD#{nJEbEc*>M(1)>{Fs^rbkzwn}T zVJ?U)1KObkrc;=ZMX*I&f=+cPFsK4t&|!=(6&iPC1bsOS9Bhig|1HwQF|Jj%%lq?})-` zKGt^gb_D{Iq;?Y9J13nR3oD4ICtWt}bYvtlbbt}-5V#ivF)G?5R51L|a`!cg_PoKc zkdq>L)Ea91z9xZDQs=ci;O3HTFf8nZ(x-UBg=v#>ruhsVMT{|}ptY8A7tUQ(^KrDa zMnPFF4jV2ryQlqHx6|_u{B>dGj(%*MfMExtNdZ%=oxe~ua2HqIk8`_ko&q}}dMndm zH4L++H{E_5_*17@OUI`*>(ibRu?lT`b#9AO|9d%}VH5fgYB0#AI|YR*fDLTxdDf$& zG-T!=F|5QD-g7OA4?D?da}0f043Dzf1@HHZyCrIj373vL;@)G1e&RMzL$6#?Pss6O zXm=1ojQ2FztqYQZFg}yU)}A^otKYg zyb2$n&+)qb%h@8)oqipvoJ&&H~DunWXiYCB(g^0^BiqRgY{P!HpF7 zX5}K%Z2H|E7W9TH_^MXH6_wFC9c4X}HJGAUEuYsw8t^twhwQluo9M$3jV}e9cmp=y zzkLSAP73YXB?c`{(kVSkW{>%hp-hfLf>ujjT$9d8{0?UYYw(;7G5Q0g>V++%@_A^4 z`PZ&aVg!oB*u}IfOepphjcY8s?jx4HSPj<*geU6e%Y3zVa_$24Hr1X*>-RHWbQNVw zW@ZQysq@d0MXyTsWSCootE`vA_*A<9cjV59#F@#(#iMk(YS`4~l#|>QT2ET*oW_!3 zQY(Yz%Hrz^vNx-lFEr>MXt*B=aD)yLd`9GVJMB*VM?0`w&z>#h&5Or4=fw<8RiWN)vI538^w3^+oQr&WSpwlzVerE1!t zqo{qc@CDLoa-NZ^!So0NC5;#pQ}6Yf&|I9LXZ+r!!ON!y?VPsILia0qWz{hNJw3Uk z{=T1#zYsLPxYOS$1@HocewP;eZljHq9{Z$gPm34uOBQESdh5WbD+`samO9|-68fI` zp+#7m!drwwq}CKYr?sWEvH*aJ#5IaK33i;b=n|8AsCXe9TrX5`5AFBMcD?Ug)o%sskn6piCYIMI?nHJl z9{$J?3QF?!J1o}olrC1mBJ0yN)h4)H|8(rE;whCNy||~$xlx6$Ynl5y(0iz6Q)Ca$ zA!NwKaDzBBpwF1rWoM?IT4{FAMBco7Ywz(~532EE(i3VzBE|R`t?jf*huicvh~SyM zV3&92Y9!&WbB7?h+cP8QZOn`0_m+3JE9J@Pel@xH-DeRof+&O(sQJ5n)$XL4Z z%q_rBpAT5o-`93)NzFCKWB(yjhr>}?cfT8ftApUYq-WgpXKFvox}8+WV{JZgwD)qy zbZ2_C@1r^qx>8|l?WE)*v58!qMZzTSBm3kCY)_+jHWcr2p6v38jTR3}dqZ1>K4~gp zbg0yxEPpGeUe8k4lkoFe2{-`<&L){#QC1dgv3hNzJhzmKv75nX8`zn8^oxx%MY~(f zs!Hx~{>-b)0={QG-D6p_Bt%h-X@U!d)a+FA8Zr4gkKM59;CnZ@=d*#s$4<0)SBb}x z-kObkWoUd8$LmenG3nK#)=L&ptIz@R+&MuY&!L2ntQtX#dA`hEkY>FIjcTRgSuN;S zZY^Qy2z?+4A2e1G;kRVT&c&QMy=&xr!$ZweuMCH{M75>ikq)C?m!`7a)&kU z5}czuRB1$-+>v3gh_mq;!U_anJFEpMOwNL8Q-kAl=+se45Hsny=v0J8PMQ>$1Q)~c zGFME8fv{e_(og5eSqS-RHpKC}n=tjVhoU-E&}XUDy9Vwm_ZD0TJeRkFxdX0|U{J$f z#r%+=;zyv+QzaU*a{=FfJaaioUU@QEy4aB6iN3pA>9>z~ZGb32ll_mnLD z?9;V;mJHf({sP@h+CX&DBv{q<&_t0wwctV!d@{ER4yuWHQiq7c-3#M3v?GhM0+(4v zEtFs~NI2k&nLU1^6-s=}Let>0PF75>_NKcOg``6GNv8yTN;mMfM;U@zF%G_PJYb59 zjEPide;A#TZQPuNNb?XRQG#R~g~wZUD4ywtnFC=(fo^nABad+ly2lnn6-gauZ}}!n z`VGW}Gtjgl7H3hDR9VTrtWe*|gnT=!tTD5u=5V!xaJ<9UgIJl&YAj49i*}2<2^T?x zG{0c?v5m$+I}2&r7i20dcbL|X@{2R*K!qT)XUQW*liD?6EL6`4xM6k&mdf@QKLh77 zy}0fVp=4|iqmzVt%q(ajF|Kn@r0P?h8vTU_w)bS|TLmuD8<2u@P+m#I8{%mhXw;tP?Uf|Weu5$MRFEJBM*C@{sDW((Q9ref0v@z^3}m(LlItDv z$`|jRrwv^~cJPJd7UZfUGstq9ts=A-mPMsOzpr&9RwAxJQe|1pHy>?m#|=uhlYmK@ zZJR8mF!lf{Nz`vACp(*FP7dH6sRp0p6`jEt=F7m{cdOY&bQI~gH)$(6mu2-2q+_6p zleyLxmXAK8I_?1nM?ByA=Iyd_?<(rawN~~gwPDH%a!vI+rayw*;p*k+ypomIm^m4P zf+Lc<*sT?NJu)6OS83L(F{xm!3{?Z=Ph8e@rC~8&MP*y(z-7y_9;0i(ZWP(s-vT_( zV?Dime;k!4e*>V+s`w)p=z;wew_~7MZkl(F-(q66+Qyus{pGA%YQM9BdBkFFb&Vo< zV6280dtgE`(?eNtgim^Q!nMp&n|ID!@c69(6J%cayhnvf-czP*V`8Muu!>{I92F4i z`N@(3#i2{E=?@|e!t~dVb`7NP>ncwAfG^%v=I)8FyhLiWOy@`hZHx znW+=Fkj!tIW>XXW-fXD7v#32+&c53)Evw%uq28MqK~%F^5%Xt0>%z{ znep?_HbH!yO&*(zuI~Pw{aUeSzM7Ags2~H%w#qvaeIk{@M1hKgO>Z!(z3R0+E~DN3 z-%3z?v`|nOi0KpNtRsI)>cGHsJai8yY%zWGx^8w`N!9M z0zW6`_VZ1J`a+^gzInGyT=KD&hlE_(ku`7>PZVF>D{Pi?Zf?;IM9o+pf#|Ggsrac% zh)Dj^W1! z%f_GBYKJ~ozPC)ySb=vXZbVW7l9RStGuRe^-SmXDqay4LEIZyiWRV{mmIr^@!)I@^ zUf$RbEB|?`g}s~gpKU?cbPkO$oFD(sc2WP|?KZLtj(wvX=rzKwtO>`&;=o(l4H-;Xl@C;u}8{LkkIXYZH~aC$2lQpA63jsJ8~ z4FW0uD`rnFINjy^m_NQnXYIrsu(N-|&-+%Z3r_g43BZ2etombv`xi`Lf5`ez!cnza zRu>blF*f;qUmpw*@Y@fhWDm%3N4Bal(yd0w?Z;_IFwOt@F$MOZ8^=omQhJTL-8KdhKYZ?$Y6@$)%aEL1rTvnbWO&;0&Bx82k+DTafy~<(et)-U3T47(IwK zSGt&?zHo>pJK;BLC2-T%QR;X0;1Gz?wa0s;O^U4M4jT?5ygmhWYexq{ynM7qlxf(P z%hPs=Q^9W+>XtvMFJMJ?MVcCL&GxF?==AQ&3}KF!6z5DdhU{XF7r)6_Ax=MKPAC@@ zufz`?WD3gTJw7kHJY@>*zyxA3^%DdnlIWua&%$4Fi9}@8M$cx~8WMf(qGwdArw2)V z*lR1OJ%P&H#J&=Q%9&T7gkrz6wAnE3?bZdr?drkXI|5S^D_cL(rUnyCBSd{=9<@eu z&-yW6^e-zmojFpQON{-IIF?`YN3?IADcSp5SYWhN}9p$cIBx2` zQn2uC{POpx)~S8^O_JkfbA|6;ncBN7yT!~I5oZSYIL>1<_j0TX8({hUB&5;SYD|LP zLTA*7L&xtT{?2#N_q(1}H1uG^1bn{XA}(j>#+F==kr!z5s^}PKAJ*Z|jyG5O)_gaR zP?TM(KZ~i4^tT*{YH5Ev5vOwgg7xa?kRWi_f-8D5eIz>kkigz7!$DE1g+aGJIX@+A z_UrMo?WyrnNEb#{`tf#-5T+AUzth`xet9fceZkktG^I&r{r<)P%ilM^mg9tvJEKx? zyT$Uwb>??Z8QWrSmfo|<`otSw{r+w}mwC|J5c zYOg_jpnGb0^v^%_88oebx;@J5c28F0Yb6uqGLO%_AJs>~kf>DuyGnAtf98Sq4*RwH zxRC4&HHcQWSW&oe-&xvlp&GEnxm{T(!}<8J{8Rf3FF!qBlr8acZ#d!%L0Bm{UhL%B zFDp-NoW>fm)39s`q)iV(cj+E1%K*OmEv^anAX^iYs?DECyfdYT)K9$6v_nr(tEaph zwWGLJhX}Czg)%l1_LyoqkiTe_`5P1O*K3{H>%a0WeIUIrtIi<2%d2#;zqYa+L`~PF z=|Soa|1(F8?blWk^l|OL*YlpBrFcQ(2uc6DcP)oZn-b)g!eMG-N879%4sB)#cZewM zSuXgbAj_OSSR|0(OLxAWpq6%af?N9t+9ICH>?sVKYRokod|^GZdTtfMb17fQ4PBtP zH@EU8fKqB1eZtUF=;vCV^Y#^*;!fIMeXDq(Bcx z%Tr$n1B=Czztk7*TFLTp00s=z53GCFzEG!~XfRmUH*8fX>u;Lbb$NOaubvPIv~FS4 z=}*l(wbuYD3Xj?(Un|{E#(R8A4B=qv6481%;jN9CyS(SJ8>9W1 zb=~pl-%iX2iAQQd%RDDU<;=?F0ujYdL$5HNIOpdLck&tz zG8;Tu+pw-$gLRr}dDXKL=^bAt0bRxc?Z9mh?ekX^zePtX-=$SrGAU3G46?M=2%i7EL(5$z9Uy5kW)S!D7DbhVi7>D^_=%k$L@j0Qw zr?Rv)ER}pHeg_mKNi|^-3eLP*z108$sl4`>bfZY9Xjt4~IvG*s)8G6sJfS9>w3n*P zssM_2dAcvS-SCTOjp1NDUe@u|vK-%iDF0XCXV9|2@(|#~y#*@J_$`McA8mSrWiCLbLrj51s2tF zR7qL;2r*y5XJ$4K_yGtvglU4LV5dBvf#i62<=$zk(dm`1cY*U&Tt+3BcCQeIJHpN% zK~NML3M+UmuBUb1VEWFyYd@H5d!ltMC~kMIA0ZCJ}ma>o?k#J1QEo zUC;+^In;ItS7!)fVWL>U&{HRmc2Y>`kaCnHYkt&hFopcPjg#lcFMXp2y_T+zHN_|y z5R!^lzC_|ibb}^DblukO?km5saYDbmoI{s}CK)>UzWdVWe~sf$e75a1eiTc9)*e_# z%_8Yz9mTq5GOVMuC~UXB%#jQg6n}|OOf6n{kjj{sBjB zXq$>0YWp~P#geL=IX$Q<2=a2mSkPY9=Z=x{HQ1N;`v$6@vYu&+^Dhg>Q!Hei(-dMc zW7OxFW>M@Lc%*i&Y%$fYYh~YDb9UL#)zO12(ZN^0iQDDd<@Oy>2`qV?IPrcus!lqnI?Yu8w`XwUptr5Js7Z)2?*_HClG{H_F=R z*6Zh*Doag@l3(Dnis!JvzFK?a71N`2jw~+&v1dhH25Av}Be|I_k%O7L2E(BSo!&JZ zwi;tIE`JxsDrtm(bd3i3f!$0UbC(6%@gx{-T>FcyuW?|Mj zM;C6GWWH))eN!;Ff)(wBiRx2nEHWR_9@E_9QU>L!P^1x6O%RzS~sCY7Y<5pAUn{k)~bwv3Vx z%VPs%ZV^>~nB`EIZA0G~=CG~+8ekli@*F>sXKe?8M7&5b?TvJafbaGLskyk9C_l;A8~HfJgsFaO%hDgTzo4S#9q@=#Dk zJV%7(CZGs~ofu_bHiR`CxO0&CF1yt>j7!shvj53(sxHT=uJ(i2UNb_{Sr>aGdd8vl zxtLVGzo(Gl0&6;iIiamsV?5d?oKwG@U9A{Mi2?cl5C&^hS{+g8*mn+Q%t?&KmvzuP zSzkW-EO1Do<=@X58DZl+qAAJQ(7tJl=zTije z%R}q+x;a}8eE}80%_eXBE^=#ZMK4u5Xba@_2joFBa{bCYJL7BbQGd+(;P+eSv=cmW zDK|f4`?xO0(XMuvlrRIp_~y`!Ju?##eLTmk0;ialKn>)1CwkND6o`k8Lv>{_ySGEi zIZ;|3^i|(_ll>_*;q7WeN=j0ou*s~}_nBvbpUVij@r;1SQE?APL&+GW8|HD6zV23* zO@p=fb|+4%FVOpr_ay*YK8kEcO8^dcE*`afQR)Z;qG2boYIXKKVn-vs&A5QOFZ4W# z>SLGb!k-MM4k)|cMNdr+bI(yxT=Lk==xYFhM%72Y=^spWWd$?!AeAI{_-aq%qs`S%lLd*#pg88?h?*Oi5Cg`SbW|orbe!OBl~^it zcrUm!>0`*}5{q~u`v$oZDLyIotyck_XzKMIc?+}6W4*-+a)di@q7Ut6k=yd`^l4jF zky4+rjEWVnKc$XneW(^s&NLhraaYBMK$ynBu7$MmuO&<4!zU{@0gU%LybcjD5ueHx zwtl+)pyOZfP1c-zk@%}_L$y-7<=*~{QCf)F$a8CdG;KUH#!lXSg(AQtp z;&hq#;a%V^IY*TW2VE$eb1AoLKjz;&Qmorr7untPwc_hgi#OD~(_PEtO=m{DEYflI z32kyIKG*uRM*}DzBSd$dcUK*HI6~IW-$nH&C_r(vjP9AI)~7-4PF&aluni%)IxhG3 zvQ6oj6B)a;lYf=|fbWAR6ojX4drA`78j2CU z0@V)M1i8IGw&@#XWsDso(<0)pop$FAkn?Vt?9eG$4dbu<-e~rU?F)<+N340|NwGeI zE|RYR(y$6LKokj>7@qdtw*?}mK7AMj+iLbKFV*s`P%xzUQn1fXmOHW8-y&dTPFftC zrtP2JKip^jH^xW$@U|Q9;^j=qBc$kk%C@6+qsX=_0X)Nl(NfXNl;ukCKf0>Se+l*# zuI8Tr;?6`D`{zA>22RxL1f9%FJnPa2*dtaLPPia*(a``z+yP?rd`iu&%y8|Xzf!7q z4U)6#49C4kZ`qPRolgzZ2PjT8G3@p=U^h#)pat167tZF8&4w6Aq3j8QmYS;y8W4jQDl8XMIA3yaF@N*wl6w0C?_g-rzx-q(mY9to=Y&Zq81A5_XRM&J+u6VMb z09A@*#aHwa-OJ8wlTQf4rF|vJP5x}oBXoEhBtT;IsT2VZxVJYEGLi*uBf8CaamSzw z9RoKuSJ)hiZ{ACF@kOHZln!qzk!5GN_f-u&FtSPhYAlZWEOeq&O?`c&uGLfs?{#Fi z&2oK4YRJP{ikGG%o5F_bgJr+e14qm3b^~n3-2w&5>quaQvXbHnbO^_JcMH8vcdF<6 zEpuX$0v?|M@nJTJj^pRr!FNhesk+qP4XlfM8#u-Pc7Z@OF;6>U5rOgX)JD%R*|TBm6`qRb6IIfFHD+InlY%a^ah%$>Vr6o%GpkX2 ze5JQUJel@F=yqerkXC|xW@Y%keS)T{Kx;(n$5CvC@zKa{k)Kv{ZDlmpXQ94uadvRw z)r7^3ZhzYyiIv0z8Dzm?(q2^s)og(>#{3xcn}=6+yfQLr@vkS9?GzOO6F?rbu~a-z z!b%}gZ()!#78-}Lm<*y37m}<&r?qYM5i|i0qPXPeN}}!r5G_PH)r(Of_i&2X@; zwU)E_pw)u%FuE>!!mGb+vW+H@t=_B@D@yg$Ph5Ix9dr3nIICALX88dUHv&CO(%)N# z)x!-&g0NQcpSs5w0U&PcNFpX!bXYks3Mi$32U*KD3xFIW8;j{SRt)R0!j0?;JEWEQ zLIaSTyfwX*$4;c81=GQuhk5lUt&oX%b08bs(7+b#de`MJ;G$!xxi5P5W#=x%%bAaH;Do^*i1;wb?j$UEB=qKV02J5%W4y96G zi}6FiZM3ToHxS$32O}AB&-FxdJ(kJT0)gq+ooA~pwY32c>Z^*WCoEv;@KGr36-e!D z282Hay+AxC$7+-_lbdd^-nj|Fwf1<)@&maF(BXPDP_~YVB_6ElTednGH z&t_=_1rQI5zV!dr-@hCIBi~gWoh2h&0+eyd+Bj1FPZBrS=CUF-$3l`aV(n7D>pGw;m z=?$z;JxrQlHL!ad9>k@^J>&^b2D>Lma~t!!FBKR@=qr&_p3b-f`_wtqk}>Hs5?t-l zYKjIOzWYexeOhuL!9DI~=L#YJRQRogkHO)8_`j>_8_n<;oIM*%E~R}w_~OiF$ZqL1 z)jsE|*Iuc@1#X#3`ppb>NSz2ON$ANQ%XiO)>imzW{C1SC05{a7c)2hFf%Uk#=6Z@w zL5U8a%pMV)_MYY|>MpR<7|)cv>h@7CKhcf&zsUOTxF)af|5$5jU9?rf1yrq~fMB(X z%vh~OML`8*Cn_Q$OIAW4Lu-*L3ND61hzpRF$leKph%yoZA+iz~A&>w8LJ~sO?>>qB zwBOh7AMy2q=RWtIectEX^T@MSNIOOVD5dfMU^=(55yxI;a1{SXvpnXM-*H@RG-{^q z5CAov`&2e>xSs?3x5<}{cqUOMFlV$Jqp6VZnUS9W6U-X^?73^~U0Sq1+_N|G@fk-_ z6-GSHo5oF+@|9MuBgW>SRhc!PrKd%Dyxd~fTb3$`t1bhriETExJ$j5?`?5mtdz6tC zmWk>uY|E^-OQ8T>081?W^tS#43K;_D&1wbuAJ1?l=yUJt@Q zmDkCB6`J86+B(o3ZwQj((U$Vy?Z;IIiUMF)uWeS3N?d!MFU(ZU4c%-2DP~cJ5%$eA zV7u)8)T_^Lg`Ll5kabbB-D!DdIo`}I0B_7U0@#)*yjCRg%rZMxWfBcMP>2VSA|D5m z(|1|G=B>Ki)E6ZW&w+G~nsw5m5}1Ig3uq929nwTeZ@NcY?27TrXM6%mjgXb$-l1&w zqv*BYx{ex?qT4?XUY>WGoGugtu!gn{sA2g0g=;U~pX>!dhIIy8_;k8t&Z2R#_FsvI z9b*J2564tXed;nffVakd%GW#c~54o7mctJ3k?LXiDgi){M+YoW{{U}+`=LF}uw z?pXsWqMBK7%X5r{nRD^Jm(Jj3PIo$x#%C$A+*bE%C2>|A7R?ZS6aK$w?Js?N=^Na33UEvvA72$i1 zJ?a0Oi$`q~fL=;YN=si@z4|u4I#^=QMFItU;Y%FP&MDN(ssAJqrO#d)3ig?;`n!O&-=FJdPzU`04CVjaufqciAW%2 zP;t=y#y7CBF9!2_4`N>b-0k;1IfKq#j%k)>ydUH}d_b-{U*gj=+|6n3Q`Z4N8tBC4 zyYr!Xfa~Zn_=DTaVIR!DFmDxA8`QGGJUzB2oiTg7-^<&3yCSSZ&+QFJc3tvjIg49H zr&o)8%9R4%;YOU{TL4SGe+7f#HfaQV_lB^{JX6zFtkuqk$MU8h`i?z_(7JJ8o_94V zwpJ4Bc;-k9yF9O{D_0ydGU7&!@ZSA1tghzE*&jtp$0yC+FW{I4@@ODMSPAcD$DaFB zb$8c-h_V`3?EwbS^1f0T;xzbv(*Bmr;SR@MZ~}}AN_G9R{bC~|OE{O4=G5@ABEupw zKl(6rmUf?9cXu88boAtFgm?Y^2ipoa z%ENNHOTITMKv;&ptlEb(-8OJ-Q%T`T{OiZq@o?_(jZr^gdk^*s{yZc4tDq@wi}X=U zQ+Nz3WBGTmU1neG$_1aNSYJanTEPRw%ne~lE#MsAd#0GFyrLMSUx1)Xe#?vQ09pmW;jcuYi=;P(#Pf5SoW=eDm7Lf6&P*kz|R`+xc)Rsx?6`(Y|W&p&7*IzJ%P{R_|+D&zm5l1-I&{ zG4)N?vK7IXT+AL>djT<#<3ZYYz)>>|@5VcT63sf5v(ndFHi|mlAL@$qG^%`I{OYg3 zcPD5u7xvZB#jAP8fW2{O9{Nw;YrQ#nv1+dUI4aa{3jRyv{;k-+i>sB-4 z0jlcCwO8#JUpk!%A?SlK`6Qc1laeE~2S3|9X3HL3SPQ#K{=%&{JUQ#o;BZ}MeP%_n zt_1!HSpSd*WLWXr@R;sc!<=HJX%2I1EG`@12C5SvD?i}+MM%&8illNvcRW3<4pwRl z-PRwi`pWt|h{yNp>WJAX;_Bz_HsL%sP>Tth*ekG{{|kC=!k72fRkc-A3@9AvM z?8*g5#Z1n1#xdww7iLoO9i3*hP3iSSZ9+Xz5!Vq3YXe@*r-^$V%a9>PZttI>!hM?-DSfqn~sA&6cW zA8>NzN@#(f75PkCcVQhAUYloz0CRsHek4 z+B^lG^#lzWkNhI1=R`sfX;4g(ZSO^B!QTCkL}8t22v8<)_V{}>)cOE2SR+Du#F9$^ z*2o1=Yu;nniO>EOFb+V1mPlLpy02hQG}*!dQmuc}>ufTpMzH2T&b2g|6DI%6TiQwa z&VXW-K^qrs2=7#(@=rcq+meFE2DY4l*M!=S^X|mXCT$2a_uiMB=M@GeIzEFfj`laA z-?*Jy@CKOo+*yyStC`{368{p^C>y{5wgrS|n%S0%Wm_gC$2@95)o&7gVx0E#z#>?$ z#^twOH}{fc8s6bZ(yh+q-wpxxCtQ&{j`Rk>J?6wyc{xb5Jk1ya#T0*OOo+GpC$wy9 z?4xP`Ak!33hf4B^3BqS6{RUklS5#1HoNgZaIb+!}SqLHW9DC=M*hhT`&-6-P;PmEfeZ4I7iy)_rqp7kNmb?=R>rCB|uY<$^;My8RZqf!8AQL#gx zuQN#2r*UsT7WV8i+&MB{lJN?_d;X;}8GAr-@T~U}ceR+{7`39c+&DZ_HS_1qKw7}T z+FZ~ju%dDtZ3sx@p&?PkCM*^`e@Rd(?YQ$iwxf-*qqV;%|CNf&J+4<^ivbm;@BL1K zF`p3uCP>6O+r6770m5n%$#a{3{3qo<>s>LWM28;irzADy*Se_&--eUW zZFcl^7`|PK;+-d&h@0#~nX+fg5=~`2C(}?nWug;SDY)5^+#pK%caw)`C#sWGV|~H< zWu;8)$Qr+`hq9|6XdXwE^Fh|)nF3NvkYfYLCAASzA8?jTZk>D--T3CIRwuscMHdts z2fa%n{5-xAc2`3PlM0gj(`*VglG_vVXvGWkPLQ{XTk&Vqt0((p4o!}J{$@|YD{$7|#tP!g`C4(orgoGK_ zT*m>F)8+ZyCLm6T9?adDnP^Mk9pMQcRRGK^3KR^n{8&(mTlHWH2FuoryT;8VB-YHX zVNQ4`>3~p#g~#444&8Y2%FBwlL~2!)vLPfdL$b_(Z0jR)b-JF~=v5!^M0elFF;{Q5 zewDQH$O{~?LSB}5XGaG=~shZzgovb*t@kg^8(R}){ygb5W zZI@q&s`%rsEJM+2iYw!#Lipav+?BL1GJhc-7{F;gi_)d5HVunLUSW^wg+Y$@9YXoXtP9WIH+k0`F*Mm7Wu9b{8y<+kyquq*4;+42V`W`ER_6fi=Z zR04}~Ehk8C@I#)4nADi(ym?JFv0J@@H|y=57^l=ovX*^G^({+Qq9#|8jMY{&#r4Kle;*4P!>JP7rqB{e>ZVE}Lz z@ks?Nw=-$?h7$Nf&Jk$4KAy+m8}ZyL(oY#+jP_wcGXU!JKohOW)Ih^I9wWMKIx@Yl$=G|@+Qr@dBfUFE4(nB=ZKr_ zw=JgmB;LpKSl@{vb^`rEsEU72=3|o{Fo+nT!gn0(@4a;(wgu(jDQ;uf2I?AD; z%QG!R*D>9NxX}72fpkvVg;vlpU1l7z>YPufm<8ZN%n;!^JE=g^*b2-)iii>T!LSy;fV+l z=SrvjbY0>%y_j-ZLyZU(EijO7IJSY;NyWG-G+5NTp_AL=zEjo&%rRlVby9}Oy1J8n zZu=KXx?+!wPA}BgQ)vdEoVX3RJAF-#xx0GwhHps4MdmEr*5*|kB7`=R-eZ`@R`o2) ztuzyx=Lfq=d$IMMJpyuD2-(1j>d%~|AgTeYA7n0Gdl^D^vQG@8uRqhY#`Zkc1g=PU zVf?@2c=A#CRz96}DQh5Zo%A@FmU(ckoXW^Rwuz+UykKKhW_+GN)w(2nd0~n|xYyi7 zRr(75{`6PNGb3YX&1$ajj$C%rV+w(yFh`rMKoAZ~)IbC~YlFBJ!^{aUapl~VGMwV0 zA-#Yq(590Vtnre&Q6G%|njG9QGd(lv-;|QMZ_-1Y&BRAYX-AV+pB)2Pm#Poy+Bvc; zZ#Ww2+X6^e`+v5bTWK4lM`c)IQz8Z#oreY+&kXLjovsADXMLJ{@To7*BzW0r1M z`-dyHg^Tp)mk~=|Sr+^e&aq-cExyNrS#H&Y6WQOfyK4Novv7OubDqr7(rAew!?jkK zXqK;YaLnpLX(h@_AgvYVFr9b7A6#BAT%}y5dxou?nTvdP8hB{c zoFhI^YX2Zp%WV#7qfQ4o^IjnRd!>&E`ivC(c3>8FX}+ptJ=(h=**m(8&Y_injfZ3{ zDRAf6&|(mgEhMk~vYB4{%rg1=!(9?N3zNgYmwB0wvkw{|Oct1@hhxHwU^)d|py|^w z4fGj<7eK*c0>|Dq_N#yFn8~@2>cI&nqBx+3z$yvoDetWBG7-@o(>-x2KLcejKhr~? z>R-}@R(4nBfT0b5d-%S+Rw)W*`M|3{m$1t)9b(>Wrb?Nf^E~HVq?bD728~npRbPD} zOx=$WVE3+pRp)vP%_lvSAAn#{P@cu?AVqAZs3a29yJHpP-sl$vPTh}f42liQSX>xi!Nzp1KQ&?rEL9CJ zT-_u#2)34B(t_QT-5$7TvZFhbKR^pd0R4{Xt#XOYZs#tnM%C71^18S{lf+J%uqs>U z?C0B1!#-#o(dww@RnP%^;r)Ojcj#CHJFEG=)s1(F_|Z(q%F!FeO~5!~Wm(=WDmf4t zT8hr!C?_U95F^5oY~XwIUB)usM+ojMo!F4` zlGIdb?DNH$$n0qegGrx?CD(kNQ4#-T99wbT1)W4G@N;9nqWbe~ z*$^Sn(AHT!f&(Ol{r4?wCz-UMn8^k~_;*a7F#oS20s$a4bL5-=07H>pAga=4V-y9D z4bxNtTA%l1BSPGi8-VUx6^-BUEw`3C2S&fz|LxY2DMt=9>Xb-9vLU=aIFS#g55`gY zdPUU%J>*^z;n&KNMGoOEg(VZEvCTWd>K-5#SNVcSHoyx&0|IaXBZ2bXr5ObBW?f3D z4AiV?zhsbDmS<9_7r~}DUD7l}@`Mg-?Phggkg64;d>89T!bMwd{eELfl^ED4w#bU> z!d6u-%d3RfRy7;@1J*pR=6B0@E9WK7J;trMJf&?J3(N}eazKH$Q7@} zH~QzS%ysOyymtnDGn%|Y`1$dM=xVwJ!C3XHYAESR z6M3LizJU2c<+zVZ;&qM?iFDr zwaF?}*!#t;>;IazBxfHV@WPFQE@f~v1oR|qS8<@8As>ONIsCzn#bDZyI$*LvwUIem z9Su}Wexf4aq(aH?0;2$8<8v#4zdO`5M81M(kgi~#QbKyZptkX{JKQX!uFxH1K3ghB z7F}F%K5D>?@fa8`M8B#IK*du~<~=MOZ@<8U)m>G)`vZyIF%7exryHoI#$P`el;se3 z54bLb1&B^u37xd!C44$g*LLG+)%f8q?6KIRh|Aun*>BD#2XloRy=1* z9)Soz)gD{S4&QiLXn=Gc_>t%MS4Xa74LR=$E|#BIdi|R8Z6utgQK5u7A@LX2Jc8Th9&*1RePBPn0{fcnt z6#y8al6Qsk7Y>f6G?h)o1czOM9U!Rz!Y56=vCKi)-<@9_iVPJUB2?xs7_#Thx&-}% z?Kd-G_#_n@?m`P?&jsG~mUrCxXz?e(4!@I^LKR={g3I74oY<#M#z`~u%O%xH{qj^ZEv_%<{yEHK zGcRYH?9NVGTZl0Sqi`|sTQHZAnT!<>SM=zA86&7J+`)%InOzP zhE-gvR_9k-789tv3v?mom&azRK{s;P(XdolowYj9JCInql)_dPhM&G(pXo8^Q$v%t z5yKbUrYo0TlNzo>kSuALh!9o9^!j(Ee=(t^7kVkwC7cL)Q{D>AYw?Gk%AXI%&h|kW zBe>%re+^ZrKp!Bt8MLT@b{-iE+z|rSE^?yeb7hL?PjFXluXJ{@6jQs^!Wnip;|sYx zVwr;Zd5f-o65_>W5kIrsIguse{Cp4*g_O}lT+vuj?#D{gu4pd!YUZ`q!pCSmY`sgG zJvRsxRqLP{T`tzwu^<>usZhmix`YR<2RWPOyo{`8aG+T~C(`qn3ZuR~;j{=AtpQ_g zP?L9BLMp|;(D(!Ax*8F;Ft3!Hp+(Lf_;G`F!XdQMUqqXbwtuuRYmDX^(ofVT`0>91 zz|($kezUbL0!-(^&Q4mDCAf_R^;53=O*~w#@3`W5b%E=NjnP+rMJn^ABcedT_eq>O zOZwnb&+it=?BLF|Tmx#-o5t(hG(+(jc$vT^CmeYhgj70t5O$hZ?ri%5NJ`v6u^bqf z$Ls$*gxl(Pj?Ak4=_P-Kd5S4i^vw0fI!GTevjl1_ZS@d_Q%*Fb-F&6It?aO zVy=XXMkFDQLxZn%GwPIGY51Q-Zpp_0?avhzo@BiOT_mR|2Pf2^i_IsW*wdz<4!X-u z<2imA6pf1vXxPIdfolBsAD5Zwo3j;NABWwIz!`6}H*7+2?2SP@f){@*{CL(fz$Ta% zC91Di%DTBNw1>;JVXfExIUp`t(NzwA^yYOu!(d}yM)Yy}r++c)cJ+aJQ3a@Qhd~Vm zet|X_>mB?G!sBJ&at~5z@cskrK*|@A2Q~1`5G5~oHy)A5N(G#F{MqM5u2uF*SHd`j zl^Pw`00DWQ3i=9Vw?QpJ&H?=sHiQI&t;$@ewzFES3lHYH{1Hl z^pMDqpa{rm+BX5tlzgiYi{Sv=I93=hQ<-8@B0csKGm~{e?_qGu9Kqqn5}4)B8pU6Q zPzB(k7-_m3w09FVl6N4IXHPk5^Y)zS;NDjsZ-YuE4qU{U@;jk-VnufG$5?<8-&u34 z^1>0=lg0m|F0GrSYO}jPkDif@Tx-i|+TRLo;u#1uhM`ux==L{*AFot-+XRF9#I2i; zs+(pz1xG-EboUpP|Bj+6ol?XJer^{GxhkjpPA7(@f+Whs#dS?H#m)02R+$b(=3ntp zqBl9iU7+L0@NHNofdnd>7rq#W?J^Y;(&n|b=J8nbQoTC7=0u4fy zKsXNY*~NLYNHdBLcOs*)%j(d=r#94}g#70^W=Pp=%J83a~~u zadAye5}KLFEv^&@f%b-$6qeO}c8uUbRwz>G}Xl)r7II_%asi1X+Ur5-YBwMye3wGhMR7E66`W4qu7Cb+Z@{|RtSQ`jGwb9HN%DA7F;Ere)%l1ptuJH+u96q@KWk*v^`gjrd*5+k;&im zF}^LYymJb%I08M(TW~?fjAgufF_lcf&cCL=jUYrVSfFjq(^kMvK2a;yjUANo2yzUA z;p+mPmY|h=SJL{{a`qlTvun9!6fCEAK>?5vf}1nCg=tX3Eqvgbs5rfE1MJBG3z3njG|9K2tOk#V^pGvdcolvibXrq8ieyv_(PZ#SKji1vT4{! zu^nw}`p~&kdYonEvjutO@aVVA_gpU&FM{pXoXL$nyKrM?0b`O75ecoeRie!PvN1w7 zd80HjZDqfRd+OA{PKHecfjd$vVmDu01iSDMYLxx3iz7;=Ur(fN$&2peR>k2>`$zZv zfmv~~?Wl26Fh==QR{yNZ)4{EJ*pcCeW1@YFVX%GMq3>QkIj3mmwsMO&fgru6NSW4S0=v56KfF*7!d#(E_u&Pu4MD*^ zU{hVSmqlYwL#(5i+0VecspECtBx@Y|o~vIm>}qB9zpT)Y8kuzO>a%6ma=HIJyOW?w za)kSeKG`7g^VeRzOqi`XB#GRYRcV>F1lDT9fo$xr$1$~;;j%dL`&<^l$fyR(G@Jey zzMw=a*k%@2n4~`rN0wt-u36cBp*DDP*1vDYa~E@=6Q{>;Szkzvqj*@MW?c2E%uI5h zzhF==b3S2uMqs;`8Zy74azIm+2MGYBkMemzB$A9sSOYlzyylyiW_O<9rPr+BYu9w0 zqF&izNG>2ul+>2P;n0?M{<~%2GJ*UWoh?@&eIr9+up*ePPg}TmRX(B5EaTZkE0{vBoA3@5k;_eZDh@Dzj(~xcZt{rYaM7T3?Z5 zKYwP~%+!mL_)vNYb8z1Wi|f2jLw!mI8XhtoN0{B^XnjSz#7`uch@Ng|Psu;_(X9I4 z?z6+J*i|85g}0=n7gZ_k9IfOh-Oi*4Gr88EEc}BMIEVu&UpT<59dFd8O`S-yJVnR0 zV3U|TLTY?m&n#kOIjXuy5%?ih&A$G!GCw{>t%IzWHQ$VJKPv3-Gt#)JWi7nzX2{y% zL}Ybz;4f(#VWSD^uT`$^rqr-v24?#?SrTQ~nI(*5N4z-EiaSuM6WnS2JJ?=&=a~dN zH@UQ0x!EZ9xx9F>K-oW@XQv_shQU&;G^+54&z>8KL#nb)5Vw1BOKMmIg}o(Bs1z0- zi`pj_v2D65dDlow%l!~VlQnIF7_2p*-Z2MvcLF;lU3eBca{nO-8c~UwYwLLd+lAH~ zc^4-#-T5p{Dy0(=H^zFEZ_15lU|xpL@(SUt+m>9d z1R@F22Vm@~xhX7>z=|;Er+q;*Jy#`pULK*Oc_P*YH&`DAC##v`O>-8bl}DY=*hxoA z`{1)gV>`rSNZ`P)A%o|HkkD0@vs;KXRUED5^3b?2g`n^w8mQU?%b7UVvzl+#vT|fo zG2)wfe8NT`{)njQj3x)9&Flh19pirtMHN9~V`kR+;#(&Iqy6jfi&D`RhV|S5 z==|vo610PdMfACSJ7BGAG_p4lg~3f_IjrW0hATNZ+I^SCPVS%8+R*boDCOw1wQYv^ z4$7ij%gD)31k7)Z>==bFkQ^ZWlM=rNU)6bmw`fFAAq?R673W4(VMi&pJ<^*hVeb_p z_ZPs0i|N#`KD1f>fOPyNAf-Xj$iunEp|I3L{~G6BP9?*_y!M&!CPRMe%sR(JiS+{g z3XZ!MdK}ACqH!YQ?rwvGX0?bZ+67)#;uVnOn*WcDrTvP*4aLn-(KRBp%C&+l1e$js z+yP-DZvQpc(kQRR-SP@Eo8eYD`7!V`EOo>G#HwU`kV#5AMgt@MJ@>_J9kd?Jl@ToS zZf7^C1Y_M-yt#Y(=*Vvw!^4=)i(ttWh7^5IRY$n~@)lm$7iL(@8WbH}bT;^l)o$1Q-)QG)(uPmZc#%pMCelQdl_fxf+>uWn@a^+PJUsW*0scK+5)oOOS=%3tpeXk{)u8w00**nS^c&Zq|c_$aHR?jU#5ohlgrY zF!Z__uAkJ!!Hy5coyI7p{==};*{bN3?D<>tY`DbGJ=WTSFrO{?i*GJaZ@|hmkyyg1 zBO2Uk=7nY8>4%69&UCX={?Fc-ppj;Xo_{bST@*)I$qZrvZN5YgU?$Yaw+5iCe}vxK z{)dByx9TLMC|~G!9OG?Pt{BXOUdgnXXE#KqNdUVa3%zBDfta3NJxDmSN1xJn1n?6t z0L|z>snHBNR+tsXz_viV!^p1~TESQSZ6RkWLrEkDUOJc$zYf!$5 zMl)pf@L)wgK8!jx9b;)&P(aw9wi-5iLt{;|YRD-_i`fNmfZLGG;LArsaOjF)AtVps zh+@H53!)0u6!)yCD&5SM`+ClbLV*A0`R?Kx2g(XswEI$NVH$D(GZCWPoOi!TaL;LiquP>c5xZpB7Z!`DKsv+`6@a_k6H;VLx|IuS`fQgoul{lTgZ66J2=!tB`N=yK8-ECzN|j-K8Ic=)EyG; z2Zr%vi@$NX;&c4UeudvDpd@e$`2p^l0KVYef0Segh0iV1_Im8{ei%J)o%TKX0mP4p zx6SQANHnmK5CQ!3sPH>ARMY>QAJC5ku2|8Ej4*Q33jUP}2Vi3_b>!qV;fFL{EG#2t zUP*s%%;)<4hmQ}LqVOJ@kaxKwGqR*Ugu$2BHS-qsGAtuNM3Exgt0kDMIX^j;2wBE| z`QMTi=X6wW6d*dq6p!T7_~B1e(6LF<0>V1-0~2(a_p9$oO*=vW?LUSBA0x3SkKfOn;V)e@yoV`;nHiOClrow?o-IEFNvF)48$tA#lU)#zgTZi20LPI z{_n1za+dewIQPGnekLW*YHVlYT>k>Q^9zU$in;>y6_cjl?0|tq?++3LvFF+X(DcOq55wj2H%7hlq;JA z?~FJz(n&TP?xl;dZkMJ(VOqikaAupDut-I&pQ{|lWLN`DdeP-$2c3B8-xFiqoy8o@ zN>k76AkMOsG29yvJ1hyLcUk4WU>)!D=+AWB^pfa_L&&wOK_tHLp_b@$CQ<1HMYDPu zhZD$`rYSwW#5Nh;DKSA&599PJ_vSrp;+hjA%!bH&nRK$TPJ^)gF0utsuWG*!r;Ldk zeqF6H(NIrxvr}SVvE@JEW0|O?O?Lg6Kxo15XrxaWC%dg%Sv7L9)b$48H393$ebXg^<0qRJ!i(PjpF_(RpX*6EjM3v} zXw!B=dwi=!u<+7#=cPv;W#40Z7CY%*t@D?$MLXGHpA!;q9FDxp)u+mHIB9~x;>t@&qP)fNIQbjwR`$dh(wSSLAHjCqR>WfZZcw97GKQBK4JW_p=ioHySlt!F|Jxs4s zy|YkF)C~}HfMLiWjIriqWOnMmNz;~Blkzt6!KH@J+r0)JVgS%ZL?-EG7krh&Ak(1ul`%bP2`q)!9cIA)HtwLRdZZh5- zg?LtzJl;mPr3s?@q|0Q`vwy1182}t`BkQ=%29b(qi_wHB7vm=J#p3_vu0MRjv=13~ z1f*2^avPVO^WVOEMGxi_mNg2Z;h}(H^)jvriaGO*72Lv?FB0w_n|i=Zz|DX3F1OtS z9c8at3vRzFTegpIQ5L(5xZTS1G@@m08&r?lbGhx;QI27X00ml_}%);66sXbm8}Xs*9*wi%(ve z?Om{fyw$503A2q*M&}!(xaZ^=fqOp|(?emloG@1=Wc8dGWGjnyppiqES{(NQKBhJ6~T$ zq*zA@kbi8AEUy`>8z9AWH3!8(aMd~up+A%@(_!f(UEN`|?>?eE9WN1;TogSH;mbeW z$+kaqRJNy=(RrVk5}2M=+st343+&-O*an9I!WVf)G)Om)wI=B*=Cu3Tq`x0Dvy73wl{}WJw^GtT>yf_kv;FuK<4?;{q>00O+3lgJ z&L~6&S1qe2QI{9D*6ukIB9oYTR}UXL_1l0k_z%B*4@h(!|Ao7@lql}E#rK)@%A1<( zioZEZL+&^F!SEguUQ{j2uwx~;s(P@>q#UGIKeA(tIS2C-8r&g+~E6wCVedHb&P7a(aRX$K>%mryLgj% zJ^8S!S2d~~*yOv+tUt89Udy~=Jo#5%^9HO}#3tt&$dvcKFAz zXXLJA{py(jt?gt|B#2Q!$fIxTBWWi*Zd(Z(JE*3S&nw|jtie+I*Cr2)K(&u5Eb4ve ze`RE`>y0M=kK?YOd+thT49aM6D{;;$7g5=a;>gVJ`309)nG+pJ4g7Hk=ubN z*a2;gYF`i1-H8_g^Nlw*`bPMB=Fm$ZH^D8J!Dh8=Lmi{i{~+qsBG)Mg^+Mcx9}=5k z;hecrA2te#G6`Kz7ihzlzQSH_0-nda7hco@Dx>O<;OudfSIIOjG377sACqo9ry~`U ze#Ky~(-PG*dN6dof5%JyXROJHd}8%Csm9p?c-UKG$gWxd6exZiFRcPbM0~3YLQ%C~ z&Ke`~OAl(Wp0?uFYlffSv1r`<+J-szN?u>R&)(dLil1!_gn`wUIukEs@2cyM>gt^g zptyMx=3BJk-|KWLX8&9)!HXd*BYUb^)YD_K=;~4pv$g><@i9Ay7A1Us>bF!wBVD_7 zSq!%p{^yM*94B}f%iMa4RqP@U!R_mIs_`9QG?JV36=oA{K3%Kfd=)YS4Fdh6Ag_?o z0afm{>A+qd(Qv9{awxX+$xkLfZ(nP-HjA;pg+IR$3t40Njfsy-F4cCPNvs)tm?V}R^QE1BUK~-v z!_V@V&1nPzmlJPzA=~soK<&lJPp-tOun`(g#+x*V0!FFfbk(s8%orq0{KWJ!)tGUy z`(oH$b<}aT73EbkZ!lamee-wU;qCQv>-ygD<7Ejo%ASdbOD+|-PQuF+NdZkPRixGw zNabJTZA)SqlF6!>qX1d+-WLEn3)9F@aY4$?U{>h+Q7yDr(TDFI+-k5dx>vYmWv5{h zv%T=LZKjZXcTzV*Ib9YHW-y|fzbc`R%Mvo8Ks_L2r(Okr6%qwtIbMngvdt zSQa*CRonymJk$VX-PaQ}QNj%<#Qi_qnlRWA{?I#!_p^ZaU4cVFQw9i{@D^4si#&jE zZlT!vbH+}vt57llT=1cmur8@Ra@Hko%AT^6Fn?QNN89W9HJG=fw*JTK%HnkqMZ@>o zXu50SnjSPa{<8YhaZ>0*=AcE2Z&Twk5QI|`hXJ+EW*t^6Yu-q{8DgcD_;(zfW! zs>P=6SSdYT*I?zcH+M$1`nVkcBLx}TTlmAOpPofzB+csfnR;M@p!L%`#nfRb#obDL z-LODErVpLZQog3ZqZmG_`RVKD7TFx3&ZTQv0W6+t=*S|>5vW*MHEqAA3GBo78tQyV zh}R)(+WtN1;T^_bhcB#>rqN`1`MZ7B%N20BcU1c0cj7xQW-Tq7W+y5x49X`yex3TA zTEYDC^{o_Ld3Nk8&AdWSN6S~r*C(_D__?0ADeV^Sx!IaISpl=#zyc#mVEV;t!PaYl z|L=MuS+mPfh@$z*u$%KQRxf>*B}|Zb-|fmeetnC8W@PPf;sr94SR@)cVb5 z(X@-~Q<9^wwVN~t{ghy@ix1;w#uLevKO6sK=CStZN(3&93-?ApKE8i^|L;xNIUCJh zJ{KCdXe)S4X!HV*K>3Qz;j%3 z-j27;sav`9=slyJM|eVX1j1MPv^<@KnQ`Xu zBhDs?yOA}8txyKdMHE&kKlta_As#4_R={qjs(oQr9XM|J;mjfKgF93fzWvW51rrq& z=uqNp5mNr>Rm~4SJZiF5eZUb{F}vX?UUU0(DuvIVA$mx!v;b$BUF~x+nX3ZT8DyyCO zoBNK_tw7=Gg@z364D=sdDIDYNHum@5C3_kBMt=Cg{}6;@HX)ZO?`Taa`+>Jg1R3~TJ>-G5$?|ky zsi!quI9P4Unkxd^l?ORnkM=zJ18Mv!^I-(ycdq>}NQIMYtZ(Aq@A60E>6n+oHE~md zn(5Cri8vvTXyCXd-#kpY0~{R<0Z8UD{u)?nm}b?}R%YJwg)gH_F2=D5J7Ymiw8`4> zmNY>%L#iLL`~8B>?BO^Ap0#j#ag&`3K>-XOC{{6>kW^HY0SQ1YTMQ{=B&wO$UQ7*8 z-P_rN%!Jk521pkeK=ja3c#FeLkL;=UJ+;XFIEV?#mi_UdTs0-tdmKKZO)uaVzz@x&Zo`Ctn8QmIYF_5J;~HWEgX8)`Ey))i>^wU z-=b?Z06bXZtB)J^HS;gt$*p09jvtIdtS;u?YD}7V_!SJ6dQ8KMMSkAYY2)hCi+Z+L znFUkp&LGSKR&yd3YPs#w=@FCkYHqSF;V8-yfD*?wwZ+z}#io5FB|v=HH{;)%r0mo; z+x`5{@DJN5X}^L!`q{bpocXT)z-hgQ%tdJa*Hlp`7o^L z?l7%yeyCz>$V>pF;VdaE3O2@=SHdUvr6zo+-S{`^?-XCTf1QRXR3vmcdhqmLQdI0)+tZ zW6#Kn@{ENNZ&#CkeVwFOfXRp#rk~8`Kd^#Fg+ohd*@gvFkoXt5Z)ff##QXw?bA_Fl zE?L2N=K!Y3Ud_=kcU`gUR^uv071kfeTw_l}^xRuI0jAAE1u5^M?6Cjuk=T6FyP+n)?D4o_rzPMcaThh=^&gYeFbreL zSVwhHl4MT|?unFk%+&8OI+!>5tdD)Si?V$9aSZ;Kews_M;#ur)(;iEDV>*u0@pNJ} zU{C4}jX0dErnoKiysR_XcIWK?NayL@LM_G;KD-+<@2KB;*^M_pmaTje-a~{B^x$S% z>T#Z1$LC#kkkQ_S^Kb`TLylvM1DGdx^$`HT!H;!i+*`T?4glCp|Gw3Fo?aDLSUmY> zELe4)cDf=3XUFZZ!WV`236MR~T06l*+e*b^^9WO#(9bd;g|vE#k$bdJObi?^)#bjshz>0Si(*|5%tU-2P8r(Hs|@_yK?PC1Bx9SkC_ z>vT2}1mYhoggeuGo9`#sN7OV!D6gtNk~6#K|2(%l#x!~+g@o(sP#L8VPp$scnWU!+ zsFjoM?YgtppSzbm=hCxD3$)-YQM;a!55QF*U&(SC!x_}*oKE8nq*G@dkCugOj2mzT z&y63gygYLs$J|-7%jzRIMS-Sxm~6@CoiOXgi8?aRE%G?BF!0{W6g;Q<96rdFAqW@QQ(2?qiMv z4H8Y^LV4g+jk0Zb#6Gdlg4QBGEmlO14y^13wtblSkvS$-yZ0yzY@p+k;{R-Qg5s<m;?p%arzysBMOWFg^ebw3A=x4BG1vSKW3mqHuPud!+?}T-4Y5M z{or8{fQ*SY%&%o8tsT$7rQ|s9%vrLUdsi7&fD$3>n9145(DsFq7wpa&;g3sDzgU?e z#wIGWhW_RUq_E0VRhh0AtHDgnvs0SK413U%$(glGQ{-A5@^2_a)hCNRN#!Arhifq5 ze%!4v}^0CZ-QR|>1l zgC19>OOsC!0b7{I#4>>B!dn2&w+w)&Xg>QQG8GkRkb9gNr|pcmcM6jkQE z3%NwxEi^Y^PhBGX-V;7BtNIkv@EwDJ`URYIiJGcU^2{TspA9Cf@#CsKKqTZ;H6E~K zTw(*DpiL&xeaR(6KVhBR!B-)!f}$%}=>wC>PZ0-?v{$6= zV{_C6QzT4!}C0Q+WE;fjB)J6U^f`~#qn?GLLf&e4G# z4IfP#eiqex|CSiCqJ2M%E^r(Lv~yB8xVy?hCQoh#OK89w*r6VDXR_**;08xa!mh}4 z+8RUl<^|HCo(i9b^#5840a`Q6zwG!1zU&pAcmn%GOJ9*UAXyzu?J4R$(5W+jHR8-o zXl6#JYR-JX8+MI_Ng}{ih}D(h-5_1XF`M}PTeSt%!BXEIa6c7x_JBq(eu$yCTc1g@*kr1#}=`GqUd_ z>CoR;k1knFp>fRi=Oyb(m1bWY12J&>nJJ$>IL|ONNEYqiovB6XDO&PabTI9Eh!X;} zx4>yV>R`_59a`ILf03u|MU?AnFiyA@m`ld~%YzDbLwXHG{TMAGiw?#sSza>7ms!_# z0M%_Dz!>9x9JV*yybRdeJkbBo>|!TiB-;HLO3cY9aI+tX#8EK)$jO~sh^oOac=gE~ z!@ZUUnId!$3kdOfNOi3aUtV-HU7?0W7r3NbPv+OhWDQH1Sdb{UCX21*OtFPYGkve* zx>A6)Vn4%{wm3H1TQp6c?JuM83d=as^&q&N1e2bzGH?#=B$~;HUf&dKotQOeR=Mvu zNyUNc&Dwx|fCFwu9Ym1!(z?IVBpg_3DdV(i4+tIX=(Tc-1IJPpuQ2AJE{oh|jfVx! zD7ey6L_`}6pyYJBE;I!~Sw4Q)t7#h||=Syu)G z`NUZ9jkMg!658Nla9~-f*m));nPQUxMa3;R`SnSAcB5@z1Jv983`et-(s&C#j6)am zrLUvM>%z+!Kz!Brh(pt!GdpRx3>nAbBgdlm*43F5D&#G6(t7*7X>;D%1s6e40S$Pr zpb@i9Mzqp`Hbjd~7$CgOEW^)tDi)T#x6eHfIxBVMW8HZU!gXRqkFN&SB^% z_f+DV0cdb}Ooi3vsl>;2TGfFO8ZMF1=J4NtJ z;<%8$Um0my>W61WsRc`Qpz*$ng=iBZZaiEB9l4^g2))=s0$Gy+S5<$&76n(RNLg3_ zbh!hbAwgFb1F(glON}RREP^Yadx-AfQp^bs7U*{YL{D(_za!LVL9^?^3QI4xzvo9* z4WX)txBG&8txoGIsU)uwaCn77TO5h;*u7OrI5v3p0HC@0N>z|0$CsooU6}flSRu>F zO>)78HB0?)!<+ECai44Nr8tA#N;^qm?`#}RolUQ}d23mR_ z4ONA%&_%n!lNrUh`Y!^6w(r<^p+<~fnZOr1toZ7}gusxvy|rbupHc0|6LoLpOcSRV ze|lcO|2-ucPD;bGgk>;Pot+8ZlL^vaPWKey7Sg6!+Dg{W?zAgO>7;9r;0Sr5YT&*w*t5S zyea_lBA=C#umd${tu*-;!CiU^or$uXQAcHma}LGa#>LhSp4dS1wzz~|2bN=ARo;UP zT8K^7owpavYm;sA#nz{$-y<|c8ND4MC>#%gws3rS!n}8YdC)0G+KHs2?pIu5vG1ou2M4n9diX>W8KXHYH|Knd^-V^l5lC zo_x=f(cPU)X|7~KSVV|YoN$~gJr^Gq!Jp+F);#@4DQ-x+FMPVcW;`vCs^AwR3TWz) zH+U~Lq%g;yS8B+lcETw>#mnSJwu;y7=JnAg2C)VG1zhN8QIcsam+lp_I>sAed;#v_ za=6KoyIL44zNsKQ#QqXrZvgXR`(xK)ZhQA=j>qPe<2ZNT3{Qbavu4H==5)DEUw?0C zp?F+2MKL~7(yJ|DS;?Pv2tPOe3_QW;x%>EHdVOP9#E$Vwro2IKt({r=MDBEPdL5%p z7(cWLRmDx~e+E$c#w?6uy5%e@eN^FB(G*Jc98N;=qDp?dE3o@0fT>*a=-Tys2tjrOl9 zLqqFC9cRtKmUZ*#oZw(^>)BPJAX$aXu|Q|R=96A_6|HGj{^1N^*&|Dx&>bp?>sBH7 zvxICy>*@oNW`v0XhnJ1ev~gk0ILM~4&j%>$V^p-A78EeN_a$-jEd3!fgB8!ITzo;X z0#0oqSBMe%XeBe6IZdPcn>V*%oVr7atz~s>NlCPn_tcA6@+EhiNvnOgLd}))=34ap zUSIB+=Lz$})W`g_p$?3PD`gQ(7rQ>%s%D%ZF}ujD<$8vHIIp1haiFQ)vVWYY04ADL zmNic)74()~^_-VI$HIVD3;2H&0KJW`95_4Sz&RB%Fs$RQc#SOVKGLsld}AuNyt6b@ z0arPGlvog%*O1qzA9nw?P@76yfLaHQ3mu^|r;u8@da%05s=YR$jHo}<>$vw$?~rGd z(C{^aiEg^>CEok=!#I_BmSA~-;{&@os-8xn^L}H^UN7zQE>D1G&B`}FUulu_ouCLU zrcW^a>lU-9%sR$f$8!I;#y0yHe@4r=sSw$IVUkGY!GM?zeO0Ln5{Uf zl*=c^VYSglG@U?(sNcTj&;f zoKqCm+qJzbcBE|7@Whe%6A1*Z#eVP>>djR$;H@yI@-TIOEGL!2OSWIDc>jpL!29)& z1q@@Qg|_&EuIRd!*4JlBEXSYM;T=@q9GzHwCB{0cb<*ETdr3oW$DOXB)0?mNZ7B_^ zvD0-I^e$*}%5>fuQJ6-tsb3$Hoo(xpu=#l(ej=;I-DSr(MZR8b^q8pO@V+co*TC?C zSHUryip#aSdb0b{qtn^uDAddStLq^YUz~b(BP=eiE{=cprkkFU9^sTZG1Z(jeN>C; zxYs`plcu}>eH|+`abjU>g6wK2u`Z6BtBJYR40O|s&{652h2Kv+-SqgmWdUKE?=i=> z_+y&Utr&tFUcEU<)=RAr&ueW|L)VFt<#ZP$+lLYv=CLY;%dHT49qx3I&({!=rm3|w z``ifm#e|Q=p#nj8LM(o>$G-1S+z(Gz6a!C2?)DAkpxNo%(LVlD`YvwYOpok|v&#cE zx}$1`m7NyyvgysENeW&eFTMEMdsiQx9^O7)&#ah;U`{`@UETaV=De>1D}KFE-!sO= zC(_B$dHwg}_Fgs*rR0z1WaefHbUJUNvGSfcP@_UA#hxp3>XKfUBbSZ!Y?Nrtv)!Dk z9Rw2Y81eX(i!?$CzH!c}Bb3B}ve@{(KORui2R+)Or%5K#ZPl7x~FQ>PbQW zjokoOhI!3*RND^!QPk{PvWPx0qVSS%ETNgS`FXi209kaNc^%JXLUpzkWQ#hsPSl)z z*3s*W3!*}Uteoa+T&R6adCus(tq(0{?X~j)d)pQH^eH(@#SV)FLD*V{2a-9O;GQJ5 zGmi+PuaQ}~x`Yzq52p^fi}h!{zq?s?S14(`aHXa>rG4i(!?N}AhV5A<`ZW5&c&#Y} zd>1|%{SJm~^{{Dpdd9XSbUI(2sx%@UkvyZ;HfvmXR6kq>35ArUV)?lsQx{JE&AAww zm#M3_WOCUSLc;PcFNa8%lhV~=l;;DUIwc~xOU1p(C=P!LEhS?+Ftt z!JFlSRrlQ|);G)%(7q1NEn-yjD_`uE@qD$eRgyM;?oL+s1%WBVe~! z%41y_uK(C@UZT8H#1PNR@z@njBW#U6oekEDls}tIsomjcJYRs!RJ?a20W`bXs}5_E zQ=X_}N*2(e!7S$6Wc8@_XOWX4AyJ_>Dd@bhgOeh2x@6a#F2@#T zYg{tH#bjuI{a$O{kbykG-cYnmoyRLNs$SnDeom#Wj`~Q)U}a(dVu3$EQ4-LA=^jyu zMRcGR>(zdx!W#3ujjSq1Kc8z)(ma2QjLNN?Sc0FA`RG(yPE<9;8*KYCDw0wLtFPAOo^pl$HUJ8{N>XL7ShBHk{AZ z-*oGOo}S)gb4jzx)}*ER(|Uq|FYO);pN=_`8f`fwj;l>5Iu5nfNTa7aOac$M@Hzv6 zF5#J8Xbz)DBu85oqPhIJR-YJHIJH3;yZHy>B-ltGI+)Z znN#T!K$R4|l}0cTMg`k5E#2mSC#n@bvf|==cb}zBHzX$Eg|&3AlrV=mv~A1-tCO01 z4=s3_RX1352c0LFmGHPk*SG1*b++U`8ft46t38}1fdk!WerHQ{$C&h`2rV8ktY{k5 zpkgYN@WcAp2#9$yN*o#7)|EGOl?v?2{fsnY?COEHubaQ7$aUBHHtj(92!?xGfjqcs z(4X`7=#PXnh02k4#A#H;20Y)GN)0B~Hs(GULG<#r>emN)nnVjdtYe60GMC)P+sZNp z1-d!QXB(ffxM?}BC|Ui4uuzH>*J9SFOYsOxP``jQ`n*J>QUNDA?{rjPyctW~g$Zd@ zCqzN24u3S*nWaU>X(q7Bsq@k2YI7*V_gfd<*Jn5%i+U@g>J%$T!;upw3WFmO_u>!p^v3YBTLcex{L~;bvMwjXJpz{b?xjd8v z<_^KyeD|3)EW&KGx!QuUXp5vB79=rptE@|Pj1F83Gl^{2g6k$SB11`xBi-2w^C#-- zMM(WhT5Y@0aVw?i%o7aY2ZEQss=06qRhopJBvJF`%UCP{v};21Tz8>e)PPN!x6D(8 z{!8iCT(x`gV+CV*J=6ILEfu5ElX;xLOM*?go?uM*7nsO19a}*k-A323960M4clk0& zXkj7ma?OP-tLgX(L#E%y8Z@IY0F0Y=wvUtL?FJ$-qY6jU-Fw`5Ztx|_@6xAaJi#ss z%Zx~KKF{)vJyN|dLMTp9m~0cX`FV53gx_UTigC>QxhkPMU4??>n{&-Q==t8G$E_aV z_qoK)$nW-39Kwv7z&sxU^E|(`%zUm6p@POiqme19VSW>|-=3QIvqoo!A3|D$`QJUg zF$haj=B3R`CoA+57xVj-QgxnhIT@_Y3v%{M=W86jLwNxsEN$kD;EGY0y*MD4aI~R* zhsUW{hx%YJ6>T7t}jKcLQit)U->D$ai+x=np>*B2+Sj z)M7j~ftk+(??j-U*koOeehf1uj>zJBf72s2owKiPIN`;9k&{9k{&93ezEDb~s$Ey_ ztX9PYCY&=wf%9j(DCR6_H9HrJX*kGJlk;krr_nXi>STkoE469bhHihprn$q6a=J5T zX}+X&fy6cZ@JM56nU{Xj_|Ya(lR{lvXRn`r5=bJ1CQCy-y*Z!vUYWmMSI_Mt2S!d} z9ZOS{VMuw#h*XN3j2`f0dW8+4?|N3$5TvCX!B}-{^(DyH;6DLyi#2lfzq8JO2>oAP zy!c0e*paBV`o503cAz|mh{1d z-1`9-C{dB2W$~IkN%0dqp>ntQp%nukC!QNz_+D;2Fpk(+CjSul4)yZs#pA)yl6%88 zbOUGxH5jUl-Mwi@yC&5hRN)C(Jq3sjC3ZaR;_+RLiSXLcOHLQ?Rn?&Y=A7AHSeh@B ze-wO$dTAF*<^<&}*3Ul$%LzaY?J}hvL{iwQ1uSU;pjJ~SNQY`BKQySJ1d=bF;@knP zEmdu<_bx*87a*?Y4}cXzi)y=94=Uvq3rIL#vjY;0KHLy2LEqhrO8jumNrG*>*d63^v&> zSMu;iIb+9b;hu)S_Wl!UmHRgH$5Cuz*1=xlDrglYGRUC>Nztn#Z{R;Sz3?j{96TNg z5*{y@_AB3e&~T_ZKQP^?P4n>AwmO77d@tpeYe>X9Wiuc)FBD#6vsDWLl6@=O0T6t6 z;B&I5JNhf-?U=v<&=-p!WEIjf)O-izh;_&UyYGd>43*_5@P-1^5OS(0HAA7h+x`XU z1~+miL~6Aya6C#GId`o05IkwJdAm*kBs5+d*97L~slv|){Vu<`m$FwA*K6}BCRS&C_ zg51V96w=ZO6x2X&LvDxw${<}9LQY5!-7vD?cU@!~c-)W=H!k%Ks=(fUj)to@Ajd%S z44v}u3#;H~v3z8YUI_~stf~Q4>{KZtOaj^67`MoS94Uc;yOrAvt7VOB1Y4UF7Xcgj zJVuU_bpcm`qIt+|Yu3SV2j9rU28`rYHUZszV~l*-l2+8@9V7$WqZ4knYFfBb0E%#9 za0@>8r>!0~IQwS0NKINxC#>bCP3sbF*ucn5{Z-Q!YVa$$?*2$Wk(*F8{1Bh9Z&kB+ zUIxoY9yVcd9pJhg`ogC;89vbQS`5+##Xc#GwR6F*u-p)V?0wHcT_SAe2Z+KW$t@kQ zN+?Cd3wfVJqW%T1_67w?^G^`3n>1C;LWI060IXw z;V*o?gMnk=_Nm*S&N0ivW<0eHcAQwGWQqK0v3w2e6z<>PC>dqjk^2$+Fu#fVD%zVuo+kluwO0IV4Fp%eD2^5xP6O0*smyEq`CrP ztrVC5dDy*E1bPQ}#e;LrK5`V%0Gr1gen;8(1Tud`cbmS>(>o zT@rzh3R!d`26l#kV=mF-0HHFOYxgJ|aRI!Id*&1j*0j61f8gR?2M{ z=VG<6z8c1WT~?;`VWTBJQZ__z^vgX6X+GLVKXG9E5x4{fK|(4_9jA05 zU=24Q!1AesTa|pe1S8AG82-5VU|=@Ff)=)LN7w6rVzR0#q{IstOKesi1=P-pJFE*c zHEIuhq96J2^5S>DQ;#G?zSim%5C9z$w{1OCS+X3GqzTE7(p)nXrNu zKf|>TeU^3!{)}K1*#okuK-{bWpGT_l1Qcw~J%aSo8s^$~GsFVcaLC6i>Nv%$KCyw} zAf^j9KK=^=hbj#?JQ}2t>c;Sa9I?{R#1&}-x87w1S4Ozor|XeFW67qN?KuND+!}%q zazz=#PdN}_)dC(v9sct*A`W5ZszKlY zctl271i)=0B!p~cTEvEZ8a9xfX&=HB7$a3&Frrwgvfc8_V5<&fp75y9umkBAa^Bhk zix4h*gBOQ@lTFB1J<3OG!E4OyF@JTb0o#XgH%->!Y~#ull|oB2ee||bKXiI z&-iPD^!HR-YctP$^HD(}JR^wIrg11Hf-{DvLfDZ2RZ^&VMBtk021#_hAf5l+F7Kcz zXp;`)^8r@V5D0dBY4M7(+(P$JFkOk?fVjEgrgjkY0&i~R`Qe@LpoTJb;7TM1-T@Ns zXd~f)a<%|p0gJDHNK|5*SFZE@h&^Wn;Gxr>gQRNT)$4GJW{B_)1WZ81?1K#`RBGZ9 zryZP+qT(O6KyjeYwmK?KreVY$%K3eSTG3BtVCSLS_gKS%(4Q&rl%a1xg|rUXR352? zU5dKOa~UopLyHqfd=md$9%vp3q?aICqVDL}z-5dU9=|}`YI`oMg~E3Vbmj`8 zxNrW542whVffcj+!C}HzKtqQ-D6>Tcj!G?nXxPt|`ts*JUhtIZ7clk=gHvE&Vj#4~ z3k?4aGKdW$e@p~N5PVFhhJE2_D$3%TKh%oPJdyyTG;U8nsH+BLBDIhhs%ro6D`<2m z7#?IHks6_2F7-a;0DWR7 zD$u2d24MY&PBxu_FT@OJpY^YL3)Doc4}Pio<1>z-npOyRL6b30W`NUPA)8TzvtM7SPYYJ`4~B91^Gd@H7%RwNB)82iF|5n21SvVvcM8cEnqX5s%uY_g4`OTW|HT!52mG4g z4pF=M#Tb{qXrA!p^3vzg8MNV(gQTV4^1o0yb-P3#BO@cqLhU{0HP(Ahhx68g^d8KW>b&4b&gJ@AM2)ZuRY#K-uTS+! zjC%*e%H-)xbwvJ*tIyjRn_c)W@sIUU24ylNZ!uWcsz};F^!?-q7fdAR+g-8?hphAt ziDfd&yU;;UKC!US8MxH0+;7?k7q7=dg8CjOnXN6)uSoJx#DB0hoWgKV zfb%A(Q|4(!EA62C&*v|f&1VEYDc|0mR>!!%+@xY{Cf}U#gpsJ!Z06XQ=C09ZgQ{!w zlJ0fv6^8mzw=%EXSNd>Z-G%LsHI#}TdgpHMJ|f>&;})qNttWU=MbH>4o?W;g;H7c1 zOSjDNBga{&xx-r23o-pp%f*2T$9~Qa$&ML`@_$6+xKSc)7d-t;TE3IOWtXR2`P^CW z@Er!uMF0l$Xllj(fzU&{kK4+RN|ovd5+d4;|T`R}UgL52IAyZz^>flGDDvBlft<>>r3 zm*xVK?2nbq>hSg6ZJ~^}WQ=L2v{;ubpAJqRabXMD>%Z#uY8i+?rHlV2M5J$DSb>y?SjPiDS?m3iB{56D*#;>QzMO3g>l)xSO~;eS|PuFCWCY{0^z zoKGR8zkX9dAE)D?lJ&Y1eLs$GT?_f0lRqG=akkX^ zV2xj3&69%d7Sk182V0~fnZF0V+1fIN(M}QP3kL12lq`RBNH>gG;uT5}^9I~GkUxp6PJpexJ@>V-)oy}hs;GPcxUuRnO)nV{9Pycb zl@mV3=YXf!21GDRmVrp{Y#Ad>{W``hsJV0$JBes}P#-7&?gx0OPUt1J9}iCwSp+g{TyLQW*yy?_T&?t}g?jjiSMff8UUIF3wss?KroOYTZ6 z+hr#J{qU7`dAdSr_bG+Q7-@yHY@GBM(!FxzZ3=j%N;td2ZP>+)lHUqJB%Xkz2^uj2zArCD9V55-ZhI(wM1GR> zsXs~1sp+;0;D%A3k_6}DTKeS^VTs#Bj$Clp}g%N@tTt{YyY(*gL4h5qR>Kik z1KeKn-)VgPFpSBnhNDWh$G~i^Luv|T&NjMpTtJGJ6ZuLg+MKQ(5E z@U#~N3yN_g!>zU2)M+d6I{Vb@dmJATY^lX8UY7Lo_YgrWe|12~NG0z{=xK78Ef)7W z{w3f=cVtwy*7=`QW>4X*4gSN*Tog5DsL`wbloSteP8B8Q{GXb;$RJ7rSem^ga7q}7 zkUOJMZa!oL`0d47%59_~$_cd=xd>9az(ffCT)nDOmZVKjE!RjBvS8KupIUgp*sci} z_tPRn7DO=tOn3KWKRrSEJH75oLdp250-YtOd`Xf_UD5g!B&x$&`T%P9q3`hLhfQPC zql&aTw*y8*;Qr_9*172#M$_C!(0Qm6Zd{3Fv3&H?dfmb0d_QqMlB_IyV=enN_C_1l zjrungE9gr(#bq8e*7UbemK#(`soK#xH#t8u1Wk)kd5HTNuj@83Y~zB2{KtO(Clr0^ zV|(0o&q-*PDNhr2Bx5T2oMo>F->r_eKh}8y8arPro!sPgB1);IJY4%5ih#{#_67vX zHW>=QP|BbLCK)eBKk%5tYWY9ZqXEfKeTsDuTTiDH=N+#-`@HWz^zo4P0^z9}xFJ6o zGA?5${~cglzN`WJRck@Dv5Px6KZH@nck@z1<>y`lKAJOD7L*@m>Pbx`NPIS_n4>>h zw8#|-W#>eg0B39)T5TCv?MrB*ekJ*#~5qH5(y9hram4tTv^w86P*D zsr};{zIN`{#KJ~8EB;gV?o*6_uSCu_sGy1e;ud3fLrm0ae7%z=KZWtpfKB}E#X$*l zUDNx24*&AzTNRjs*Ob)ik<~u4Ic4E5|3V1HnF95L)%qC4CH>)$X9P9`dwM zn1}GghI%$8tv18jU;Bo$?BCOMNT@fur+u!3?lCbSB}wjw?vq3*oL{L*+DDuDb2PNP z7rTku3!L{gzu%@D_c}y9F1P}#nbaiRI9OfyHLtVW$X7i79XD&}Of5~!E_>+LOlGv< zCC8RPLn!0qkNZ=&X)_k-;brBs>Xn3Zpp|;vPKKp(ofsqBrjPH%OgHJ%$X}ja{Cw^B z_l*%iLv4Ps-*Tl%1S?}#0ksgy#s3Guel~gZ)ex35Jw3Gg;fOP#Ecf(esnr; zG4jQs>4n%r%G?Y%EBkQ~EMB4Fg9p|{0uGs(cK3-U^{>k&-u{(LPi!8hr+}yV^Oh3Z zNU|#(?92$C9RkclDDI35fYO;y!!tXILbk>9*Gw_lV64Z=Vk`Q$~ z2#M!5o_eP)4ju#@CFGb$_op9;63{}I^C=n15%p(JQ~BS{bo+gBE|QnvDk&$7)>@xE zXuV9Un=2&L^)q&p1BKAg)+*|kUpznP1TagYY@_d|F{{%1t8;`{cT?)yw1mPF=}gI- zEjTpiTJ4npCv+17#lJ1Tf3AR*G)V%liQ5bB35xj)tP2O0UzXCAKhly%h>BF%SAZx)jkx&a;~8=)7@ZP#+4UDZvB?2Eh7iyk>|3DC5=2) z_h*)rruZ|6th9rWNK9bG#EjU<f$+0 zQ=L#suav(0T$EPFzZ7;i9@OG3=Q~G{3vZbwbh~Lveop!92D+~f;%mMs^y+d&EqM=g zn+D3~09)pH>SK~7eIF*yMu&#iO(ZWWF4hJH;{e4!HG%8Zmn#Jp#8}qzlx)wOvr~y*m^_$|jPxk|BphD<^)jXBwPBYrhgly6?0* z2IT&q6a_b2uZTG{L!JLD5zAT7N=YA;iaR}LC`nfE9ho`RolzZ^PPy@Atlb60m5ZXd z*IMdlCsYAyE?Z?D%cGA#dN!1gdl zEl71CkODUTrra~+$@*xG=ssD9gvE4Ps>8t3`$J|tp6RQQ{mOln-XfCKhD&N)xTq&_ zYl$EQC=6~y`$gqj?z-F5ul+|k#4zy*Bk$CJy04@5iSRZaY>rPL(0KHK74XyUMZMvy z#5I!(#{MX!WD&|wZEzm-*H}H%rmQ$BZ+1}7PEHxV-&K!G(H77E+K9}Nhv!q4l1nH) z8f6}P8nY;^6@pz%ho;MLo{8UviE9nFzek5>i|jcId*<-euBG_oh1UEBk0RRf6a zhD#Ia{SWz%pkc`3`veXNLGTd%Bo5t{g5>tz3L_zMv?&G4Sw#KtCz&#<|2gvtJ_jKC z4iLdNlH)f?BV`!XVZ7P`*6=iR@Ivgnmb1~oaXX@pIe9eNNBUW{EHO7TUDUk5(!XMg7ll?gM+{S|ecgPVQ)7oOX<^XJA?BrJN*f z@}MzT{(#mlbcWsiQ?%^BP)6SgO~n6dS||d1OheYdrF;s6WCJPR7HdQjd2$U11}L9xoHKUv;m{^Byi}V4L8)ygTUt{ z34|nB6+Y6ZdE0s@mVV_GFGpf&#mxA8-V?URzgEkLM+t{kN!MXd%}v)q@lq5NiT#E{ zAtfT$wXCa!jGZw4$XbH2HX@+u;-T#aPxH^+()_Tp_>?;s`do=^9XR(#- zjJpNuQH_~jr$Px2tdN=f;BomxS`s@=fhvABSIZ66+{b@gf8e@~B=%Q(&f9$3ItRLs z+ezpCZT5dA2$`}WIX0W3pa#V_5;%e&d{4W}3RjcHhc7@2TVP2_Eyf;->@Ae-ZNh7l zHuf43RQI!WLO5*_3GaE7B`X!G?+!(fvTgYUn;zDFPR{-ck`V6*gD3e*}938N2mb~2LY?~*sUcEw?nRX9KKX-D_o2b(9Qj4@#H=#wRbmN>^F}LoO=6in51e{>V(%~de;=iOfCLVm znywND&)H|pjebZ^zE(Nk?uB;)V8sJBxW_7+9a#&1XqojNY0j0xu*9k9mk;T>R-R|Q z(p4e17B|__K?;Z;k`P|Y?|nerXrDxU(0>izl2T$~N``}TNFo{Zuzfowj&zmYdtt{#~NK)@~k*nJVezt5ZGpO88kbNw3)Sg|H_51}mqSFJ7=4FeXcIrv3x7PGt3` z(nE!!_IUAv*;2Y~w}QU(<}VSZ8R`bPKhL@b5ZnXe?Rv1xY;`EArkTrX^SD{9Dz#yev&<#&+@3GN#~6J zg%_bk%<~6okHQ4|(#%Eq^9nK4Q8oqP70dbl9HJWz%touQ*B#8KdK|qLF>wPQ4L_$X znt-i`XvS72{=sbS>19d^$%Y3^uke983GmZh3J-e=Lb|0-1z z+_&>>%P=!k->BJ=BA#s0(x?32#sp`|)f{TZJ}|G9J={%#q|HRHg7qg7MWH*DLj1I# zeJ`8t08Jgfy#x(e?GtHm80J@L(hZo(aUufalz~@6BNBw``YLx+(lw(`IM(35p5N`jGY*b8WI;8||+Fh0O0BQ#?cl|ABBh$(lD~bdD1< zH2Wu=@k6?L_!0#geOPtvFa<3Qe{-t}>guO#r7@LNGOkebQ<1|>1zZ1m4Mq>+rc0>p zAF~Q}UoU-4f_3J9h;;`8GDlhOqm4AZjlm^VO%W2W(u}9z9sr9$^lD?4hW=)g{>bL3DYju+BE-76z%zShA4w=EP9c2{3LziPae>%yF zPR4tG9S{FznH_4Loq4;TNJ;)fvle4#_P1>R(_X<}=eTPVsn|@_fR~!JYL<$T{{zJp znLn3O&JLV@G!&8Wj1T)29=~jUvKN29;WBzy-O#0{F(m3rGk8EsioSu&KkrHnulD!F zR2g0GoO$8>q9S!Het*XEqKf?$*+=73DLZ#3P{x1zar?cqC)%9THJiWRlYMvpal`H3 z8-{0G>Y3T|#_*o0*s;eAE`}ZS#~MGK`RUC5F_Q}yPOy};Vn#1pmnnvmMn$E2&#OdmgK%@dp01|6opzcw2Q!&f4Hd|j>H3w!R~LrPVv;5aFWLZ1S#ih(&%W^gs!o?X~*a zVN#S2m-WrB|3Ojf-VY~@sAXFCk{9m_@X0@6wSwSRn4=<#Ah8?BVNn`^YHsDM4dloA zqCp+fle)=qF!Phm3)grjrg|2 zEt|-?tQM&R<+6m;kP_JOP6S0#K03uZ`BLmw8Va{9P30`Rh(=Cupq7u!Hs zuXPrzpt?_%^;6Bcli6Aw1zXZmq{@ic%xJ5al5+ZFNlwbczZ%%mc>`JXU0=M|g|u-4 zJ0-^(w&e*p4;_q^+w!`c?7)tK@-!tr22V~(;NR=XX>VN8^VqVn!Qe%!ssYvAARR~8 z`9e3UTMaiDc6CoRV>Kb?xe1P>Y7Si-8$r(yP ztX>=UZ`Vr;#MPw&2XAO+LbX~wo{_%MsHNl!d*v2s>$DW7p5s9s1zATrA6|3~kiz^G z4qKwZyWSJGV%mXHO$x$zz7Sk@q z`9poK*v2sWW}m+_kMAK$8Bk|a-1Rf<4*kt@_S}IVqQJvejMDA+3iz_uHnhA=}$p26`C3FaGYAa~q2{`MHanz(JO7!R)Y26W;9JjJ4Y*0N76nNz>x zngP}GLKrdpw?}rVmee%s-0q=jwco9IBzL#X*gw+o#xYdG3ViALk6D*@mCG7Xb1<|X zL`28z%|12pQc(VekhLMz^P=FVhPX=u_i|xLanOn^N;h?UU3u808(S7md7b3S&A=&T za$Va60K+YLBklW4hRo3-O({AH+WSI9K4@I>i5a&#=|@o-i!<|mvGD+3w5nTUYWK_W zKbR+Rp4GoG^q_)Op?jvkE9ES=p*$=7J*7C(%=cfLzS{;DRo-CSb|TxdI@#IsO>v=4 z&|#>&Mvmoy!@2gMob9A6&;5$j?x8=_9`DV4iW?(k=@d!RubMRH?X;&Jw<^*_>~|f< zKb93*WmABQK%MmZfTox7bYbr_>RX?szRjQ??UWw7f9vXXT0dO+*_O?vgDO6lsC8)u z6U^uo=4r|5-|Q*Rx>}@HuFCuWe#fk~{bl_mJc_;*P%a*<5HW*0TQ|%@=JE74Xw^kwas6fn0n_B6pz5U9AEI=mFa(R6$Mw z=W@5u?bAv>eqV5=WHx|#B|7X8%JbKQ_Lx?b!FZ+ixKGX+5$2xhsKsPo zEuGyg{CmxqT{H(!ZAO)nqsJ)U+N2iqaq-1&=s}1m3l1kzu+G&Zp?^YK8_?%%7Q)E| z&KuzSlTfG|+rBH%xq33Zwg&DHYV4OY*OJ?Bq)x}ei5m2|LRopTS>4 zJl7?X+D&bf2T7qiq}p7)VLL*E(uxMqms9-&BQe!wMsXt-<&V8AbPuTNb-E?I(EP(b(`V9~P%` zH5?2KP@(^;|28|VOr5+_tj@>BtPXw~E>-yP)iaW(?ZwoI)-i4KZnBpj-%mq93eWR< zZ=^1l`}y4-bhVv@9$W$bEI8D^b2K1IzOTU?5Jgumrjk*+4*Ii@o~~vz-;Q?7TbjQ8GMvD@1_`Y7#Wa3Ncn$om;dbX z2CjEAF5yTf14vWw1%rMJ$xA^_pnHqbX7pK?lpo2Y+)v|lmB#k}%?7VkG`$nu>QU#n zHFNhqw~HgD%s+qaym?Y43+@jp@<&8VX>)^>>m%Wm8t2J%Q_c3>8AZoe2u_jYiV{1R z$-oU?h?2RZ0ndJY7ZbJGXkDM-AUnx)GrLC#bivtWOta=`_SF@mQyAg5^FjQ-CN@A!lAl0;D`G*$K7 zX}wzxQ|3-RoHYy0A6+Z?hVGLc!!Jo(zS3El@&}7NUZxR7j3wDOB_A<&wjf0@6ctwX zz6+cx(R=A^k&{OIIO#Vmt^P#GIRY(~&G4=fT40D=3M&^gFV8cA8PSIq@?Cz%yO|gH zb9ZYUk6)&(6!9*uH=Ig%BSr8GN2>1|GL?N=UT|3w$8x8BokvZ4kH&dDV-n*k-8K607rEy}N@ z(_D8m7am_Uyu~_xa=v>yVXl^S087z~U^Q1-m92O=Do~Ewnax$u(8204E#};?iDJ$o zTH=Re%=ZPq^QeBIUt7J2%x!A-m=#nZdh8fF#m>w9n5kQ#tk(U91@!ZVDGvry-iQ$6 z?GyU{g=79V{Wujp@i6QxE=gJlxxWL&C1iWcc@Y7gZdBhDS`> z{M%IBws?8elYcatx$|uD!wx=a7*KEW=ndE$q&=6td70W z$#7h})rRog_TlXZhsnb;i(b@%$v@J4Da?zn{3q>g;72U zD95VT3ZgozWqBo8MKzB;sq8QB&I_BF<@o`mD$F4Et+)UT#a=3#SwrS%RpuT-q& zhD(zSygV}urL*MBZc!T2CEBb??n?~jkMcSN@ta7FOOS`XlD&GOX1l@zi|+mXd1KKg zo|k(H7|KeMI;hy)lk!>STTi()j=lA2>8#OueRe7g&W+o}sme6^g}dur!>Ie#=FSiGNq9A01Vea+apn4TO z<4<#^-@Xx#E;2MDR{VE^Uz(z|Hv>ZWcz6t ztSZ=G)ZM(WllEr{%X090wbF~qS@rbe!@FffjtGmESgy8MjWhUuv0KU=5CQhdEp#{N zp_p*od6G67pF7w5?)C0IDEKo!F8|s`8z0xqaz}^9QuE%sY{%yASibHQCtJAcQ5IAo z-t^9%VQ*K0bN*ycHGzTwhTO7>4 zE_dAZZ21Jyw!DPw#2(3>`ECHCQ_A5oP3Az@a(u#-lUkWBnXL4U&gFi`J{CZ-qB4u!awLVd+MaT{1QA<^L(G@8~Q;w!(P z1LUUm1>oAeC&~RX*jr_Dw^Du}g?xyLc|Z1X(W*b0|2`$c%1Kj80HDh9-Ar!(e9csp z+4MS=D%k`{tDb=c1)!Q>S(7`uYv1ti9i0A-KgJ}#u9z#)U9uf>U4EysQHwcx9^<&T z@MKedS&8+Ccvr-Wr9O{p&#Cy7E2R#T(Ps;n7K?)8?&5VbO-5DnhdcZ(p}o0EY7(Ok z%k|!(j2!~6{6aT%1jmKkz86Ie2;qF zD3brctqZ}eeI{d9jWv~R=vpcpnRg-jE1UJ|~Z$8l1O7oBucnY|Rq@oE4FJXu$-9ea$z`H}^72h><ZPRQTRpn<>>P zS;NLehy z%lTF7?B*Y5bY=<{Hvx{=f~gOrhYtTC&d0nvaex|{zIC4m`6|#PmlG|^=hrfExglfj z4#-ch8b9X++@fk+&5$i@o2+r?BZJm(L16cFN~z#+rL+Uu)Y7-jf91!e7+{8>Zxg{11CN7L}up(7oOeI&j9>{f}!W zx#c^e*9Th?j=9{|s-5ZWSz)E<@Egqsy=Cw$H&N0|6hwmRMb55cag8-ZtmfL)+&BQN zBPU*_nZNp6*3UzxhB0*WqUeTRb^eZHAP12@wesiXYDUontFzHy4r6#t89d9htSQS>Mu7lqJRRs1+Y=H-I#8{X%p z-lgO%&h_Th=?W#I8T*-ouc)0)I$>!Qg+Lwg@pt$V2|VR@j$6IEdu48IC^w948(BJe z$H6I1Y;Hp3j$+N=8RE!xd}?WnXiI?5Z3?SAc#i)&te#Wfistgdt=#_H*~u`~JCxq^ z)Wz3z!UL0o=m1Ky&8?<)95U*e0!VIs%1tp@D)1e?U|QlJZ*!goR^)bhM})Kpg`}$_ zHCuS&7gKapsViP_)(CH5@hmpT#-MLcA>9Zw$p|rYW$NL(Cuf5%<~DgvCcY5eJ!iLP%WQ-2WM{XENtQx-A!ebgk12eH_|fky$<3}O zuJT^(WbXmt<6A&Hd~`LesXV!@ImbK5doE+D(tH0{>GS~%qcNW`vhGFS*?zvl$%wNR z)7`TC$M3E#S}ZvWI+$!SqTfV23ik5gVJmvCR z%X(+L`QPMqNA?=_D=Mr$@+-`?Np4+e3Z%>g?xF2_e4n9a9?Mgky=lUjqdjJnG${Ae zu<`t?8!?H|rZTX);FH5^&0wkPO-`S8SB~rvthQ(+pCDI5{nZio z)IrLlAHY)%PZ%&S#GNtjnHLhyhXZjI>xCh(P=ryc)>W$!PL5Wz$(h1 z(1Ur~HQje4^W%NlPD8(CmEexBzLT*NvSj<>w2zf-{Szvw0CAv z%yaQ6vbsXnW{nmbn~@tDGlIm5>ei0uAJZP6{S9nt#>*(E#g)@s1}hk010{FGx+cA2 zX#}S-?g=(RdKW>AgEhc{Ls(m+Ox(uqT8(r4NOg$rVoUi!!3z!FSx36lGpTn=JAY9g zW-W<=Gn>X|&ioj}nVd)PMmgR#{LVgZ7-y2$M=hUNB0KHc0wd*qnlq;qzl}KNuwyMd z{YveC5?~+Mu6jO(i`x)i&Tc)G%a6TQm!W(r4FEF;un328d#~tOiw1%Nm$I;!kgVYP zK(I-(=o5g?#miMaa|LKbGY zh7^(&UAK|94d-2oM4j53on)`+fXwIXs#2MGwLY;zH^sJcx&b{Eh z(y@NT#*5lj&b1dmva>SiJ+HW6h>*5tkds6>)VE)}OXMGDRf}O6IBgm#!8hX5 zoDTJ0ZJ&X>^RGe&kS*EUVeef6$wc^eRGb>53boGXkAb+${%P$k6SRP)?v;C;RA$@W zjuX0Q_5FRc!N&TKfozQJ@9{!SyMINjBt+_pfeyzf%KboJbqHQO#T-@iC@aCZ2XRi} z?MpfZ)_4Ovq%vm6vi;?1WiTv+`HYBjpNUOAobAJgtRtv_uuc3o{$LQYbI@L&HCq(M zn&Nd%scZZXCU3|y;hGA@YQ>0i6pBu|Ekz4N1=AjzHfw4y#{(_#{OF6+ApeLj_H|kQ% zl{zg`t$x>45U%596E~qG>jP_9Lpz(~m2#dlCf*WW9^NgAhUrl)MfKKyX6@4fe-s%f za=8S9EOj8(UVYd;4|{Ct{g5uH>UL#62=TUQ5QKxTCkkmW94c{Dn?S3uA7m2WHI1e- zh*!j#@te~tmS+tlkog2#GPSp;w`U!)D+!TNW{-*D?DF!*U{xD;m|P8hl ze;M}UVreaN>XNN?;cd5beNa*PPj{>&RN0E8-FpNoREF*%oBioTy*{uyleXrtRa=xB zB2cVF)xUb)%4YU;th5C(r0MzWcanmnc@GHgl%X9PwwPD9($gQQ;zT3Q4G177?V*JuYbX&??)f8U_foGdMb;9k>5CQE!_K<&d?6;w0z~J zGFh9{wNJkbgS-@i7{#u%NQ+YuWUI-suGjvF-;skf|0<+y#|IepzfIH;8${q&hP$ac z+UUiBF|!6Tvb013LYG&|ZAp{ngPu5@gc3A`^lG=)5hHEiy?$lq3sm($vGk!s!^fCX z$(lhtM&a~tT~DG)K=U#c@%5I%4aljt1YI%lCsRG`hvwx2TNRm1u{JKZ@^~+wLDKvFUtaJUB z{X~5~L7|WSC{A}zia;gY^U(fQrO0UJ zWe;!`=5<^MW!dAM(yUvZCUw+NO<|t|hx6sD6Kz+oIJO}Dl(@;3nH+g5NjcQ9wB~u+ z=hP+TbhR%83m^Ws1IfyauAP1QwBGp8D}46CGebw5Q}NO^d4+Yd*Ll#!w6(OZIH%E~ z95&*o?i2HjhY3Do?S+x-vZ_>%A;LEI08~phU%1EHqd;8WM6{+;D~D2lLB6W?h!gv3 z_I>QUdEzlqagCi>3$Mrb<@{6Z_~m2gH-3hVUx19|(;Y6*kp`$f%W$u4DHYl`|AGNM zTkmjm!3cT4(5#VckBJqJRo#sQzZcFxV&ewXo!2Gx8`bu)YL@Ce=!#dTKOef&W7147#LdS~I z?O$XPZ}1zp;aS{%8qRlOaN}8`ACKt5X+H`Dk}5;M%Iw{kx7G>jR%~i^Uih_Qr}qhW zmj8#zdg@nfRG?PglVO>WHnCs;q!=<1q3wo>_GMD=m<0(l187`_-D@2!Z17%PhUZ_C|14OdMrw5PNsNuPJVw#gZ+R5R93 z=a)eEFNX=6Ur85gf;GikwgP9^pfCFhKmPmvN5t7<?qG6bQ4FZ!My==V4ZmVRw*;(+JiubwvR8RxO zZ=yqTlVLbMp~n|ks;m4H``42^)`BeY2h9chm%mSB%jmrQE4kq`)8=0I)|rOx*i{)R zxi)=12;VXIikqKk%(lJ+g(rmSjOS$21CRzt?!7*!+BzmcQ&@w~lrjTrrRP`)XAS&B zq&uyJCu#zPdarha6G_{%lHP%#y1t@x%fVN*IWVZGMxf#Lb05QZ6wp!ZU1ecHhD8J* zSgC0F;|L6Rue;vu5pkb?=9zE7HrgORgiT>E*?)adGxm*yLo=m>s1A zg+;mdioYXatBtRW|1-O=#`m52_;{>SeNN`HZYxt6Pjsc?th=``sNb2xgYr*xwzYBm zSyM>F%NJAZNs-ighuO@#3ihotRP^ED_)b7AP}+m=iCoiVf=MFUe2*A|vly>EY}^>~ z^nM|2vejzu7n}&U?=E;&h<IXLF|)dPL$`_7Lm>O4 z>k+kAqd|tHL$%~C>jJKclh>^(C?)0eQ@9ce12LyqcwMj{v|}q%VlCg#Ni7RCoXTx{ z;4Xez#t+YmCNEIj(-}-U3aqa++XZOHtCIE8BLBbnz=|rMREP9hMhCo-J_|8ynZbKD zynjFi+KU`AIzg)ntsTF3wV2d!eSC5whvz+D6-Xd!Z**c@jE%O^DGWC|oM*v!Bi*i= z{yi>cn0L;0P67!tnP@2N9uvHJJDFLwkQFF7Wo3GbbtM{g=pKmwc61m(VXBo!w$h?# zn=>p_L&N-V%x)|BGB&sl+o^3(1MhtwI)G9Y9pi4F7-ByT&25_|W~Ui*x`k)bGYclb z=U9gA2e?5EsXb!-gATA;q#^b74A53-u!q98$&YL7PW(Pz->}{7X%OAj4#sJPC1O>X zyh}vOEN@nYBv$;yrNE1I*Jq?V?!vbd5JfaIKg`kV)-Fz;_iWtPx_ySIDQ%HkahOA% zX1jp@d*UrHqt@YCkYsH!gwGHub>M0h>AyOsO1kKBzF)R(I_x6D-}*fIc`Ev$^agPC z7yeO?n;c5=IB8Dc+e=_&UzYWn7|Z(>J(5G-5DE`jepB!d2VBC3=xZA54@1RB=PJ5% zW?H;9=j7ud_h!+Pz}jar*jUvv7E)vUJ7Z(9*@OEzi(R0f%0Olf77m@TJB2vsbWKR* zzTLGA#<5ZRwU`eI%eO3>oG-&4i&7VKex3%&c&im$_eHs=Z0EdRP3y#?DMY!|8E?os zgDjNYoT^we7mRmYtJcW$DT71NB_lQgl4NH7gR4w=XSwMvWZsi1)&*Jfk0X{s8%S|S zgvw+mZt5RVI9Uc~TRH)W*@K>!EG+ENO}MMKBxLtc!$^9GlRXZa0$$BQ*;QyYja?a zhnOw03E=;?yOSGe>u#5yYSiAVQmk|VlZ2)#HI!QoF)U03XV)p60vTeota1Pn{L?VPJJx$CKxKQB*k~>MY0h^Yv_jZmOl8! z$c7Pnu46h#eMVMt82cK9UW@9;%FLt*i;q(rMpy%cP)JxjLD5iym;T^Rkrc=!ch~r? zEOlMcz6mKdvk{w;wxf-Hxsm{bxr{szSAT-3J{v8XAuz4XXCI2dJf)x*l2FUFkIIT4 zcv{l{+fa{fj(eMg6?*u6@IG00)6xZ>u=}xkEL!u)FsBf zQxtpyi|uoG&OZ>jj;L%f$;?kqj7&PETha2o9?S=;d55G$RnzhEzF=dc&BIK&NTx;@ zJ-FBXaY~v2XOAUg)~2btrJe?P8}awsGa-`j(eX_5F#mLBZ3}<@jp(L+)LU8t+HDSS ze}PkA3|TJuQokCe9eya)3#(YmpYW&8+A9aAk~g8;JWB%(`ocDun7dCiO|ovLfKRJ` z8XeB`8UA+^TA2!=X3l@GgMjyGkIpVpAH=ct+F=_(=(eS%6NnUO5n`KHLH#C@=8W9Q z+QU&BG<&9NnuIrlJdeB7d3o|4~T$xxtQ_|~RW(>X}Ub3Cs@;zdz@XJcf-exrSF~%|CT3#um|IMuzOM(GMLye<pKNw?^M3}@-Ci?_3EuHD$*L{m&6mUA+h@=wCb5>Zv=%>191ZZ0fFv>UN0P|S z7G?<$Ll~ycr^5ovPTXMLEIOS52qp26?TkDZWAfc@<9ju@jU1&7(_zGL6e{h-sq)}`rY>R<>fz=(1w9NYHMSe%l(&W35%ONlwlDe0T{5rTLNtKDn z7&qHjcM^QP(>p!i#yKAoS0nLTi4kdgM5qYZX7^mscx!l~ zcR_52^8K?k?KRO_Rce7L5NAMVAdJcU>d(owvGOuS!|+9_TCBYq+%O-goOnYFowtnp z_T%)+gF{cY;v#03(SSrWJ|37^*&PfBI>)%r+yKv8mt~7Fd(mT|=gB-a5kj%n{ zYd8};WOiNWV+8db=C=-TBy~JXj{ddPK-E!<4jXY(%j@Aof%QbgNNwl7UvlX9-*gq+eX#v(E( zt8@x%>F|c0swUCtDs9&6UM}hV17SK$^48j}A>L=A&5l!6R!HNtM%E8!rh-pL?wk{Y z@Fv+_ehb{zZFL}LO6-TrmB1^Ct2!q_iUHrx4(D3FgSaCj>ERm^l!}R}cvnP~yU&NH zD1o)Nj!4`Vir7Xf-oaC`7WoIK6z?TZ;H3csV=pU(z7S-r!Fx8xxw)x^T6pdw=&fnA zp=Bc@Qf=5KFPjsU!25>~#gMxMf+6|?weI9t0idx~vEmVr!uJ|kl$g5Cu>5@5wf2Fv zmm{8Z=$qfwc#Gz>=d|*YlJAE%n_|%)QjfxAFJEyJRu3@7E2VolqexR+$u6=~S6x%suEZDdG-8PFdL4j2YY?I8Dv-3Z%x{} zA+}?Vx#|HmpI!7oh*S4EY_t1rFw?Z?^vI&zLA%Jq0`eQ%Nhe4lVe=T{FGaN3iJPY(G-e&?k&^nJaFF zRQk2BtuG@IJV(~@I}N;(-Vwh4X|GpZYejG0Jb;vkIhdQfR;daJ#7${_fP8@H20AWZ z2yA~N-u(w#W@6;cU4R!`A@2hHOhvGwOG2&_fE$~OPMlAwHGNeSoEUj4wiaNgVKYZM z?a5ZHAfc<#dXl`)rVq6!z2nnDR*$O})JIBAW|VCan3%Zn-DR>7R|5{19Z-Om%OA~( z|Db>9FZXnCShrEY1@!Gm>e5n$AY@EXmw^C|K`$vW=~xcIi-%rHS|v24x<0{*;TR^9 z^`1$(<@W-a@7Je;Yu*~-g3ib6zjVDclxvEgZrh=y43VvPF9xhBAvD0rC4ZQxi0B>J z{GXh(3Y(1El7sN;lg4vH>^O*fp}-~Q?A398_sdZl^f_uuH-C1o_pWvi_kHV*$i3|v zj06^4$l)5vs#`6^C+7aW8Kt_i5AOLW&Z)fY8<->zNr&t(A+_{LHY&PXa!=)};Xh>b z#-VVFKlh0FvCp5VO?-RBdN*vytXXh^dC=r)Yk)Wf2HM9Dohu~u+xdi-CSLzoQ09I) zSf5TA$dp925Geu7Jb|XZ7N3mS;|*f=fi4!2qdKxwV{GYY5|uDnZD?7Y+V|+vF*n&` z2FJtl>6cej`-G_)4y;tNL(BPBdpB0*E7@pm2aJiQmfxH=f_`%4pBDWQ23PA7WuuFo zw@@nTN~{LBndbR*>IYSv|{jd!hhP0D3)kcj&fc0`_ z4=^+jn74o0`}oy<)kYPqg^uqe2O*1RrW0~=5Q^}^wZZ70ksF@NYAm)v9%AJ(MPR=4 zV}K#;f@|r5dN7aRVy|A_tCzjGthj7n#%bL~1Rhhk@V<_Wnr)lS4toeTgbl|x%VfCc zW8oQPlT+n{_v;2{sM9~+0 zS9vQ|7brnXcp=w0puA2~u3_Qzumsq{`In3Xdw{OG>JWU4P^a#8A_eGF=vHj&3VP0c z<=4^W=_Wk>nywe-u+L}S;~SFiw8ke^wWHYSqS1d(dTsSR;z!U@*3G`L(A=Xe#cInJ zSo_tCF&6RSm8;>)YuUCduNi5@X8ijSjNcqT=gOHRu!Vts*GI9(YZ>)s;xUsD+^ zCK;#M<6o8kHaLW&>r@kq(UCN{8r0h(^>DHuueA9lJrlHJ6z*m63VbngA}LuCmypEJ zrytFabqQ!F3fo$@{lYSyU)@taO?M1X4k)aw*h;17`MWuLnthx~AYW2B`@j!rAm{@^^DxA3k<>wp>cq>?HHsE7LsTSw1Zv z<2j@3DdQ-Ef@O2cqY(pSc2qS+`A6 zLf4vZpm+&U@=pZn=!sR-WZn!`t@K7Rkej?F6=m5rWTLa3{`~0|gqaw~7KNskZRcQ! zKRr4E9_h%T1O$@^M7#2B%p1X*JZ(fCdl=w)0^DIr@v?b(>ALtCQc>j({LEyfx@q9< zh%L-*Q73*pq|VJ|+dj7dI1GQr!(+Z@sw?1*lxw0!sPg(g@E9M3z@X# z#L&sFnkU(g0l|X+ijoR#9yMh0O2N)cTJJW|bY@s?kmPM3es#CzPg!X-;U#t~y1!&_ z&CTDv!`n1WnqiZqWq1R zQo$@DMmW%5J>t9eCr$FfH1vg(!iG@WkLBr|%8wf*rh-=`xjBPzVBpasp5SJ&4{HR- zxB3Rbkr(-4n>fUiiv3X{M?jqp!@?&F%h(eNQdGw^3ah2qEY-vKc~cZWe?1}vM)`L{ zGiOp1z_)O3oUsVNoD10chsqRpXHe4y(s6M<&-)O^GP@pDA4so_1we^MU;}-{vSfj} z0Eu<-O8k>F|Ln6r%tw~Vuk8^TQJApVqK?)Drav%yL-IV#p3h@BtHAbklQ-olfy^+p7K)h!^fPaJcb6Uz+5{G-? zcEz##;9m=#Zt-OkvEH6!J+*W0Lz;D{`>qJY^waJFwzv+M#V~MBZN`XPmD3p<93N?1 z^v{p2hBeIU2S8u1E~`33c3#5nZI64hhOC$DNXisF`&MDeP58UicJ4I;p93`gY=$@Z zi^e`#v1XDsuEC8k%9BXsg>oJJtN|B4F>AN}A#$Y$3f@{#Z0;TPul*Zjq=^4N~`yLLj+hduYMnTZaG z;{a^elRm%xCf&zh__xDcaxfH0GB9?XQm|6JaaCYYn|~ZXTbo{0TXh{Ko{%B zi-M6kf<8QpkyNB+c(F9>iK@-D<3FogH+-( zRID~#gAS{iB+4WukOxAuSffqb#12A z#2}2~E1FrP=kd5DoL7I$*MPEJPv9Ko$f|kz$*%a4pnCOaQCRli_a;e^NmhTUa+a&o z`kF6}vG)evxsr3K6erQ%HqeCpCqHBZv{8J_iVPg2XS z;tR$zgm0b{?zWT!spNr-x91q#Z|Lby37$i#a|+OWIU)Fl;{Hg?@bUnGHoD|KdSAfZ zzc73#VGzHhL?OQO)BrrTdjPF_rYV@Vxml*IVhDKueUoV4JAGhuLnX@bQdeEU*7=gj6!r;cGxAW-uo*A z<98Zq+Po@(Vl#|1VsEvD@B}-%TrE-}QTIGnSb<`Ns<6*5r!M^FICw5#qt0LBb|QnL z8SK%q4g7X07^=?Xam=!$?Ec?Ra!`G8K zcnc|i`5L2o#ekyjVWmVSt#m2{d?$sb#>V=KV28%1@N@LjJ&J`4`+-0nuF2I!^7vuy#QGP<#wRu`P8uk%2*tMsYggo}m7E6OBlB zlT>4O)^xYkfWFcv4D-*uCO9M;z3qRjPNhws`+Ua~qPtEjv6gTE%@?wp!gjNpv>3c4 z(7ImkOMs)Z(lNQR>tcTvv7{G>b%~ePvMzfB3kk*C9HMGNGM+t?_OQOA?4Y)!!zS99 zbg}9>GAb-AS3c6zaE_W4KNq`5Re<`q`T~LbuX_Ng(76~`rlIQ_BIU|ZG}_0i!!}!) z2qrPPyt1jfHOM5iMW7Wa&Vj5ApEYGjw}EZu+%6erZ1_izBeBz4bn_S9Qwv4Rru<^a z|0uD7MKoL*ojRTz#~~fJy9K5G=HeA}7#*x={5|7z<*zMd>s1NNE9vH97e`(T*cqvB z!vzca0DN{`7IL(Eh1+wVz7{;`rpuB59!!?&I~pJTqRG8Y{fu`3*tW<<=F!!}ejq*r zg{iZd{3c*`gDi|ow7p&i)lQAh)FW0nxbJY8TpI|EJW~Se@6h~P)34I#^;ro*a47g_ z();q!T~S#4oe*%%h5277EbQPTtrLGOIM7`7R(doXn|}I{Q=N=A(nta{fBMVOD4G&|i@qLz z>~YkFl41VuHU~2(?Lm^)85a+4JQG%97@cPVlF`0&h9LJzZ}2981@`Arq|jI7aakFq zUg>0Z^9~rcckpx2s&*`J1NHzb2sVIdek)DT8$HmCLHvRam>5a$h3L{=ywXVl^ijJQ z;)DHoL`tJM=#^={9V@!q4)%S{sknaB63UXN_Y3coO#;>^eft?|maeOzNx1DiYbqs) z47phgU9dDyYKN3w6?&;TK=V_6I4qalF)wIBFT4glae`HQen9nR=PZfhD&pwqUW71Z$g|C#> zoG-?x$-On8OIF4jV?a1eJz%z%4E;soVwJ_787uspMpjk>^tBBc2JPx~ra-ginna4L zeeS0`v-ZH&cyAVug%b2mU%7B`O!)y=2a$ zBn$I@w}%$zM@au!RsHf+o@6~oHXNNC20q#4Jy&bR{o^A~$@(ODi6l$&^NFqMgA>GD zva)$a@Ud5X4(O&UpxWbxNRJt9$nb7hZ{_i)cqcF0i)q?kxBAJCvAVTOWq)##=CeO%~?cysw(`h)oFDZuao9-!+bw)7|9#IGd40Fd1{NSvZZ$+ ze_^uD+KP5SY`C~ehH`(&p!~yQ$tl$<`MTf;4wo}<^^P5k5vFD^lzkZWw7aQil=_Sy z=7G-m2HgoSIMMzr&DQI06;KN1WAq59g#%Dw)2v#te4i!zj9}y!M33idLXn!zcO>(1 zUjOqc1ZJS^gC6Rp#zj4UDm&~Z#37F{2*Ms7?iIeJe7vC`quy%9I;P%5cJ3}XBI!yQ ztjGkOs(*sFrdNB1(VI_7f=m2$B7~6n7HHrDu$?rx@3Ou9kGOLHa|hTHzN5JJZHm-* zXjoJ#Chp=er*cOj09$)@z(LJCk^58NerH(zawZJ=Xq#bg)c6pG>Ol6?NtoA?P~XDj zFwF*p+f)gSjwC@b%N&pw*v7AGIr;^Uw4_jxm1yTBE z73_J!^JtKbWVH zmEMV`D)Tp++z568R#IGDuzSz3(xAXeiy*PtL5iJC)8`~Nk0P~~^L_+ImXYog!ol|# zmdh%gC7;agPeZR@D`PH)DH8!pOX;P|*DMbE(ot0J$sOHL)z9)iK5v`eXHFj4r2o;X z8UU(@;@nY%DlOVVAohV+++=ssHfZuxZ|rF{}=LvIYmPMz63{LG4*T->Yf7vsMD*0F z%v@bQzK&-4*0$V|ZkNwzfvU6i>m$l{(8U7ZYNh2FWkv2aK^WZ83BUG_pP2vk@pu21 ztt|f$w*Ln^(v`-fOrnuI7oVGytYJ}2gOnrdNDSC0E*()ae@w{uJL_TKh6xJhjUF?$bkK_OIVgCQ$|9=Ai&!51r^LwuuKq_lx Wz5izpeyhiE Date: Mon, 11 Oct 2021 20:50:51 -0700 Subject: [PATCH 10/22] Update healthattestation-csp.md --- windows/client-management/mdm/healthattestation-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index dd83b691f5..5893a45e9a 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -51,7 +51,7 @@ The attestation report provides a health assessment of the boot-time properties ### Attestation Flow with Microsoft Azure Attestation Service -#add image +![Attestation Flow with Microsoft Azure Attestation Service](./media/maa-attestation-flow.png)

Attestation flow can be broadly in three main steps:

  • An instancne of the Azure Attestation service is setup with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
    • From d37e40168e91c6923ea297c6b0712d60e9b51299 Mon Sep 17 00:00:00 2001 From: Gitprakhar13 <45089022+Gitprakhar13@users.noreply.github.com> Date: Mon, 11 Oct 2021 21:50:17 -0700 Subject: [PATCH 11/22] Update healthattestation-csp.md --- .../mdm/healthattestation-csp.md | 31 +++++++++++++++++-- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 5893a45e9a..f84f0fae96 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -49,9 +49,17 @@ The attestation report provides a health assessment of the boot-time properties
  • Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device.
+**MAA endpoint** +Microsoft Azure attestation service is an azure resource, and every intance of the service gets admin configured URL. The URI generated is unique in nature and for the puposes of device health attestation is known as the MAA endpoint. + +**JWT (JSON Web Token)** +JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. + ### Attestation Flow with Microsoft Azure Attestation Service -![Attestation Flow with Microsoft Azure Attestation Service](./media/maa-attestation-flow.png) +![Attestation Flow with Microsoft Azure Attestation Service](./images/maa-attestation-flow.png) + +

Attestation flow can be broadly in three main steps:

  • An instancne of the Azure Attestation service is setup with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
    • @@ -67,12 +75,24 @@ Windows 11 introduces additions to the HealthAttestation CSP node to integrate w ./Vendor/MSFT HealthAttestation ----... -----TriggerAttestation +----TriggerAttestation | +----AttestStatus | Added in Windows 11 +----GetAttestReport | +----GetServiceCorrelationIDs | +----VerifyHealth +----Status +----ForceRetrieve +----Certificate +----Nonce +----CorrelationID +----HASEndpoint +----TpmReadyStatus ----CurrentProtocolVersion ----PreferredMaxProtocolVersion ----MaxSupportedProtocolVersion ``` + **./Vendor/MSFT/HealthAttestation**

    The root node for the device HealthAttestation configuration service provider.

    @@ -360,7 +380,7 @@ c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo"
  • Call TriggerAttestation with your rpid, AAD token and the attestURI:
    Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Azure Attestation) | Microsoft Docs

  • Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:
    -The decoded JWT token contains information per the attestation policy. +GetAttestReport return the signed attestation token as a JWT.The JWT can be decoded to parse the information per the attestation policy.
    @@ -422,6 +442,11 @@ The decoded JWT token contains information per the attestation policy.
    • +### Learn More +

    +More information about TPM attestation can be found here. Microsoft Azure Attestation +

    + ## Windhows 10 Device HealthAttestation ### Terms From f6321598c11184393b90ee8f57c0551ef1d4e8dc Mon Sep 17 00:00:00 2001 From: Gitprakhar13 <45089022+Gitprakhar13@users.noreply.github.com> Date: Mon, 11 Oct 2021 21:52:09 -0700 Subject: [PATCH 12/22] Update healthattestation-ddf.md --- .../mdm/healthattestation-ddf.md | 571 +++++++++++++----- 1 file changed, 404 insertions(+), 167 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index d7209b1cf2..651900e2d8 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -22,193 +22,430 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic The XML below is the current version for this CSP. ```xml - -]> - - 1.2 - + + + + + 1.2 + $(runtime.windows)\system32\hascsp.dll + + {9DCCCE22-C057-424E-B8D1-67935988B174} + HealthAttestation ./Vendor/MSFT - - - - - - - - - - - - - - com.microsoft/1.2/MDM/HealthAttestation - + + + + The root node for the device HealthAttestation configuration service provider. + + + + + + + + + + + com.microsoft/1.4/MDM/HealthAttestation + + + 10.0.10586 + 1.0 + + + + + - VerifyHealth - - - - - - - - - - - - - - + VerifyHealth + + + + + Notifies the device to prepare a device health verification request. + + + + + + + + + + + text/plain + + + - Status - - - - - - - - - - - - - - - text/plain - - + Status + + + + + Provides the current status of the device health request. For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes + + + + + + + + + + + text/plain + + - ForceRetrieve - - - - - - False - - - - - - - - - - - text/plain - - + ForceRetrieve + + + + + + False + Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + + + + + + + + + + + text/plain + + + + false + False + + + true + True + + + - Certificate - - - - - - - - - - - - - - - - - + Certificate + + + + + Instructs the DHA-CSP to forward DHA-Data to the MDM server. + + + + + + + + + + + text/plain + + - Nonce - - - - - - \0 - - - - - - - - - - - text/plain - - + Nonce + + + + + + \0 + Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + + + + + + + + + + + text/plain + + + + - CorrelationID - - - - - - - - - - - - - - - text/plain - - + CorrelationID + + + + + Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + + + + + + + + + + + text/plain + + + + - HASEndpoint - - - - - - - - - - - - - text/plain - - + HASEndpoint + + + + + + has.spserv.microsoft.com. + Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + + + + + + + + + + + text/plain + + + + - TpmReadyStatus - - - - - - - - - - - - - - - text/plain - - + TpmReadyStatus + + + + + Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. + + + + + + + + + + + text/plain + + + 10.0.14393 + 1.1 + + - - + + CurrentProtocolVersion + + + + + Provides the current protocol version that the client is using to communicate with the Health Attestation Service. + + + + + + + + + + + text/plain + + + 10.0.16299 + 1.3 + + + + + PreferredMaxProtocolVersion + + + + + + 3 + Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it. + + + + + + + + + + + text/plain + + + 10.0.16299 + 1.3 + + + + + + + MaxSupportedProtocolVersion + + + + + Returns the maximum protocol version that this client can support. + + + + + + + + + + + text/plain + + + 10.0.16299 + 1.3 + + + + + TriggerAttestation + + + + + Notifies the device to trigger an attestation session asynchronously. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.4 + + + + + + + GetAttestReport + + + + + Retrieve attestation session report if exists. + + + + + + + + + + + + + + 99.9.99999 + 1.4 + + + + + AttestStatus + + + + + AttestStatus maintains the success or failure status code for the last attestation session. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.4 + + + + + GetServiceCorrelationIDs + + + + + Retrieve service correlation IDs if exist. + + + + + + + + + + + + + + 99.9.99999 + 1.4 + + + + + + + + ``` From 99fe9c6f5e2856d84c52a0925a5522df3146ad49 Mon Sep 17 00:00:00 2001 From: Gitprakhar13 <45089022+Gitprakhar13@users.noreply.github.com> Date: Mon, 11 Oct 2021 22:06:23 -0700 Subject: [PATCH 13/22] Update healthattestation-csp.md --- windows/client-management/mdm/healthattestation-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index f84f0fae96..d8b7e7ed5a 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -233,6 +233,9 @@ This node will retrieve the service generated correlation IDs for the given MDM If Trigger Attestation call failed and no previous data is present. The field remains empty. Otherwise, the last service correlation id will be returned. +> **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported. + + ### MAA CSP Intergation Steps
    1. Setup a MAA provider instance:
      From f1ddfcf9944b9df9045b1d0491c5916ca0a3e5ea Mon Sep 17 00:00:00 2001 From: Gitprakhar13 <45089022+Gitprakhar13@users.noreply.github.com> Date: Sun, 17 Oct 2021 11:25:32 -0700 Subject: [PATCH 14/22] Update healthattestation-csp.md Addressed comments. Ready for Signoff --- .../mdm/healthattestation-csp.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index d8b7e7ed5a..5f1347d92d 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -14,7 +14,7 @@ ms.date: # Device HealthAttestation CSP -The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT admins to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. +The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT adminstrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following is a list of functions performed by the Device HealthAttestation CSP: @@ -39,7 +39,7 @@ The attestation report provides a health assessment of the boot-time properties **MAA-Session (Microsoft Azure Attestaiton service based device HealthAttestation session)**

      The Microsoft Azure Attestaiton service based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

      -**MAA-CSP (Microsoft Azure Attestaiton based Configuration Service Provider)** +**MAA-CSP Nodes (Microsoft Azure Attestaiton based Configuration Service Provider)**

      The Configuration Service Provider nodes added to Windhows 11 to integrate with Microsoft Azure Attestation Service.

      The following list of operations is performed by MAA-CSP:

        @@ -50,7 +50,7 @@ The attestation report provides a health assessment of the boot-time properties
      **MAA endpoint** -Microsoft Azure attestation service is an azure resource, and every intance of the service gets admin configured URL. The URI generated is unique in nature and for the puposes of device health attestation is known as the MAA endpoint. +Microsoft Azure attestation service is an azure resource, and every intance of the service gets adminintrator configured URL. The URI generated is unique in nature and for the puposes of device health attestation is known as the MAA endpoint. **JWT (JSON Web Token)** JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. @@ -62,8 +62,8 @@ JSON Web Token (JWT) is an open standard RFC7519 method for securely transmittin

      Attestation flow can be broadly in three main steps:

        -
      • An instancne of the Azure Attestation service is setup with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
        • -
      • The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrived.
        • +
      • An instance of the Azure Attestation service is setup with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
        • +
      • The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.
      • The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
      The protocol implemented can be found here: Attestation Protocol @@ -98,7 +98,7 @@ HealthAttestation **TriggerAttestation** (Required)

      Node type: EXECUTE -This node will trigger attestation flow by launching an attestation process. If a process is already running, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. +This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned.

      Templated SyncML Call:

      @@ -231,7 +231,8 @@ This node will retrieve the service generated correlation IDs for the given MDM If success: GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM If Trigger Attestation call failed and no previous data is present. The field remains empty. - Otherwise, the last service correlation id will be returned. + Otherwise, the last service correlation id will be returned. In a successful attestation there are two + calls between client and MAA and for each call the GUID is separated by semicolon. > **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported. @@ -450,7 +451,7 @@ GetAttestReport return the signed attestation token as a JWT.The JWT can be deco More information about TPM attestation can be found here. Microsoft Azure Attestation

      -## Windhows 10 Device HealthAttestation +## Windows 10 Device HealthAttestation ### Terms From 8b1ab25bec847805cf2ff3922905b8c02dcc5a4c Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Tue, 19 Oct 2021 11:13:13 -0700 Subject: [PATCH 15/22] add new line --- .../identity-protection/hello-for-business/hello-faq.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 48601dc7d6..3a019e09e4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -228,3 +228,4 @@ sections: - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? answer: | No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. Hence, Windows Hello for Business does not work with Azure AD. + From ddb95ff7aa85393337d60e634fc4382885c56e7e Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Tue, 19 Oct 2021 11:22:44 -0700 Subject: [PATCH 16/22] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 3a019e09e4..213b9c9999 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -227,5 +227,6 @@ sections: Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms. - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? - answer: | No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. Hence, Windows Hello for Business does not work with Azure AD. + answer: | + No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. Hence, Windows Hello for Business does not work with Azure AD. From 54632cda8321740c86d6ae8abe64bbfb8f18ddff Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 19 Oct 2021 11:50:01 -0700 Subject: [PATCH 17/22] Added white background for dark mode There are other possible solutions to make this figure usable in dark mode, but changing the background from transparent to white was expedient. I also adjusted the border sizes around the figure. --- .../mdm/images/maa-attestation-flow.png | Bin 81911 -> 82960 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/client-management/mdm/images/maa-attestation-flow.png b/windows/client-management/mdm/images/maa-attestation-flow.png index 5bd288d0aeb9a5ae32344d19f58903e61da0db4f..ac91ff242ad81299da2ed826dafd4d2e29728109 100644 GIT binary patch literal 82960 zcmeFZXH-*Lw?7>9D93`RC?H5tL{O>}ksceMbU}KRCS6MC&EpXZQUvK;q(cypme3S1 zAP7<;gn;xC2+}3AckLbJJZIc{|KINY^k(Qtva|MDbIvvAZ??60uCA&;dx-fE0)e2t zt$6b;0zp%WKpf!v^8mQwIwx@oyd8X~sOO462-iXX_wZQg6Tn3px7#YWXvPoGpAcfw zXg*CrAUF`WZ(h^#Oq?Z}yfj?#690jlrLe0LZmJB^qV4UKwc?o$k0M{{s1C1SH9PWh zxe9Jtc7J}$GxH_ED(P^1@UsNsp`5$-jw8MIpLn6Ae{W|09GcJIE0JkG;~z?qWzJQl z_jom~D}8AEzEbNYIAw1YHo225GMO0Hu26i!eOqQpYO)nQ;gdX>pR1kM11N-EfhQ^i z=J!%RBT_Z5JO283=SCAP^&`^e&&oa2k36(z#ee;tadr$60C=T}{yjkbgm@hk&O-ed z*m=xlAN8X;^Z!37RTBR@GBp1CJ`)imC0{ncdi=P! z^iR(=>V_lTweRKi*bd%8xQz_#NS*HvI$A&sQ2Yk(bsh4A%f2Tb+f!XdKWALMV)kU5 zpM^Ks^lQZharFm#9d+Xxby9+t6jIu-M_`^5L&8~j`1Xjuz44Vg1;=qP#rf|+ZU-^2 z(lDJwH`AVMYkWe#FuY_k{c}6rz{6UX_9S7v%gGJ3!@}-&q1T=esUZeW7hc^_br_+D zS$5j_wkivT;xK|T7xEwPI794F$^-1B_6&dIZI`5~DUVpv05a`8X@tS?hFy~K^{-!G zB9L*FfLxwAOvV0zul?~3J|mwLQf$0Z4i`!jvTWgnIQ*_VrmE|Q=o@2q!UI_(-&qlo zb+J3@gO>2m$P0fDAZ-SId>{3SL1c8ycvb?T%4$>XWEzqZL{Jw&zMM=p=MrMlXB969 zrJ4qh@L6&7L!1WWHtZkpT!=$RU`qQwH=l*S9y#~FY(tmhJ@z1OJwz?|8eUz%JCD!G zHAd}RWpy5Rc{$+g^K!sNAs@Te;!LE_-ngewuYd0T7-RXTCToAL-nsRHnqDf8>YQT- zf(Dd}Ah7lQfuZM|l=D{Mj&nX?MLiS6x7{MwpdhFwzw$U` zOkbfz-{1WbG>oriHK}4dt-fg0l}5O5Kg@h;aySc()e?QGTq6u4 zS(x-08I8jl@g}yc5Ak}NgC?IE1Cms#LtA#X+qhBh4^?caE8t7D@``>^l)#p)DBDt@ z?7__@+9L%@+_fw^Lq=0Sw{?bgoDC^vl;Ooj_G$(l|IPMFe1|6gygHT#1aVV9$YM^B|?8YWo{k)V3 zlU3uP*Sn8vQ4x(=zS~0Cs5xWjKKtb@ z158Yyy!?^?fU)oo3IsOcB z8Z(kNn|a2g%}pR{V2uz!xvu51 zmaL(v{|+#C0M?0D&uw;OZRj3+ZICyb(c?_@ueZ3z4%{(c=$RZD`S`r5CGaD*;^8?4 z6F>Cy8~_=z`7huU0I0)5s#(@;A;|e|^GagUo&+D}9;u(K?Oc?F96(AgtoebRO z30+6kKMuoz4Rt3hcWx58g+>_ay;pFmV?eFbyt1 z0s#XKd>YAX|Ltl1%**Yu6`MbYm@zWEdYoN$Cn|K_>8(UPI^j7DL|uMg8F&3J_%}%R zVnl?yO%H7s&H43`~P?B+hkOWw%SpGU*6?ln$lyjIPkrfCxHvDLO1rWbL z)uMe1*^x+%dtS%c0hT(^!9Ml#a@>iJ86a`MTd@IoWZ8RE+NbHEQMTQS{aa5dV3YB` z98>czSK9P9aHSzEY`)U-CsIZARiqz?eLe##&oYW@UO{df?-#T?<`ehPmTdiK8@pM82TxF2!yLr>$9^KgR+E~;eb zq|WxJTSHXKWtXM7%PuXfMdU$29Ev1<u+ams``ao-q#&Xv;8)!V@5`66JBH+J2+?2jilGEM`kAn z2=)%`_{4QP4}Yl*2{TT9QL*fdM!D%Lt!(-@Zx_}a*Jd z7bmg)txW|fO0}T|^L#g1k5~6}wn$R_*76<5CB91VSRTLZkg^mlbqF}5qJR0zp7Map zXsnGZZp~!na7w6{$3TidYx&%BlD~})8MUm{qLN?^oKow*$k#71cgn9`8xEbXT|G>P zix!-pR75Gs-EB`zf#PqzcX0=H{HdV+p0`_FV;kD+;s-#Qfm=@hB<2cc-9 z#N63zb-ltD#3YO4>1TN{=3^5C^RejmPn4~IW1Ql|crR9xy9~eqLXr=w3Z$iKP9Yub z1E)!!*yap=Ih7S)O2;o3FGN=ii`TsJIQ=At^NnsP)#|!Ij7qg07Q-XxPI#3b4S3+;MUvIqsqE z(ms&jp6p#uSHpo!WX$Nm>p}3|0KQKeQ62Bw>tH}9GywRRaiarAUV_|*-VFwGp<}<( zsBY4Q?^oK+yvh3?e9YJ2(hVq#As_F(mZYkBtn$a_l2B@rd`E>F%2KXl0CDET7&iLO zYlkPdhti^nL<}|K<`KaI=Wj`MD_5>;`foV?N_==BcVB?1z?0>=ad%P&s1kwqFHrf< z%150Q!yjJ;!4W`>4WJC@79njq3R5~Ph&$s45xN-va~XkUM9 ziUyLRI`_c6z*pA=y14uaPyAT%f4L;^5{gWY8yZQoGpcT)3?(+yoX6!<6$~rSaEcGH zah4ApCy}>Y49orN)q6VLML%O&Z!EaH7-#Yv<>Q}M_}dHt_h}wx{*toE>m}LSYwgin zn==8)&z0n^GBX-)s2c8&0?q(Se{I7Wyt7ER(9sg9vGtuBpipsiO418xSa2Z-O9Q4J z=5Gx=YPF-vA{&HZLH)QPpNq2F*qmoGJq#Wc4p~Zq-1C|BwfkFJwK2C@83#8BAo|UD zro=v}uaH%$)n3auxiiD!ys{b4NbzBB%m3w+&Vy|Y>IL4xd|@R509uG#znw_4tfHN^56{+xD zP$+DSV&8Fvkr;c}d3|i*-|0@C+?ED#5u1_hnI<@FV>aiTa((pXvc-WYDvF3+fXK=a zaRT0k*LqSUJAGra^$nEYOk1*2#o)~a4Ve-Qs3GBA4p1tWNfj$?AT#MO;IGc-gr`9k zLQadh(o4aFt!q`nsWSZ->gLJ3-}{uTzb?^()A;dA;_0E6bGR|b$9W0jUX7$lo3G+`5w~JruRlhKI87K)=|b!mf~p6|EBZ-iia|*Plstr(1|`?G#pHZ8 zx@lUrH_&q|=J-&RtxHhsVafwJng^#aMzUM-?7WXYe6QFu#TT0_he8jVPcky^RI$Rv z4rCbs9@yiE#!3Y&Peb6eVR-y?7eH6wW!y+)uuymyV`h6putMAFiWs}ZJBg#(Wy>pK zklF>kf&%PfvQn7X|KO6?`&>NO^Y%31K75Y;R_SnqTE+?A15ol3ln6w#<_gV1zRB#| zULnzB%FN^jvm0py0{W@2dp)+L@gBz!E0PDN&z<{~3}n%rx+X#OPQy@*2t*Q>oRWOy zYPRR*t+yrRqo6HX4g;?8?OKgZqOirV=8(4th`=dm_G@devdHbr>k#cfB}P9#x{g`s zuwE3{bD#}4C-Ba}h;_Grp>Wi`ZFarH7lw2+Fs$D$?A7J*x_45#eGz(04$2Z>5@Y}* zXAF?qeq#9EJ>qrTKsXI;4lH;5RE^*yWDCI4p*hIYfr^^^H(D8}`UjlC={@4eq^ugs zdiP^^8H(M#QvHGnqd$<`ZR~!M=tM6O5Fv2R-%b4rYFVKu6K_7K9OrQn@npHTd2N(5 zwC#VX9W|D-q3Oj2C_zX<=_r(e#cc0Dilf{7&=&RP1IXq4^8bzpQ3DS6y64Z1Iqq}g zC`jFSwJ*Ua5^{H`?I3h=o2zyj1W|{YU(0P8#OwOQUDhLwoYtCN=>F2m{ct+d#{vRB zP?nbN-aBpl7a7PX6kF!>vRuvYm>`=3cKOUwR$F7+9LwKCh?>)#&9q3oo69~S#hO*d z`G(Dpm1wreDh7{q^h2uCD+U>3svU@q4ycG<^T_)_c`_|>Ibdd>crq8|H{V}$F-jj+ zu_Whl1fuTiM)l58%fgCNKtN-==HXhCSXuhxMWUZK0hLDO5FZ>|l9hX=KwgMA&|$zm z;Y=fas=7Rj9?SpOo@i_TyWJ6GMb)z)cUF zpsFzf@!|n6=7p?)pLr0|a^(J+BEdqv!^QLcHJ1lvSFTlgj?Id(4t|7`$MoAYBul_Q z(*?*B+~>Z%CXiTQ8s8;`vjn0KR_;mNq3%oy2pwRm#&9SskZ_QpeL zOnflksmhS*s(|3>|RjwfTBrtt>2UmpM~jr@tYhW-fHWl+hy z3vUdf`^0Idu z5&V@7x(fJ2ELy#W5GMT8S@Ajq*b&4nDhHiFbC{5Tt<(op4m!{MzR=|60m+RQSQd4} z5qQgyf)J_M_nNBRchY3FI}<>-Z0DT-Rl>rkyof_p#K3I`$Cd=r3bcXF3VB9cTLqYJ z+%?P(OU@Qd0!-&Rf0L|kU$N-tDhBsj&#`>!1UGLQ#sK#O$aVW=Or75rpQ-&t-e3bN@Zrb-;9CNYEi^s)!G+q!eAN9+x1RbI@x4U?RywP(U=f})u!${ zkY3z_Q+Fc@i=PgR%73>HJBe&$tv zGmkS;rOw^o?yme+>Gv2$1xjm$3p54_I{s5qV^C8CfiTLZ!+JOpjva3)By0hP<%&KA zt{x!d+Lr2n!TyQpTp1Lfcl0K}{^_lFj9M+oeboF&U!Z2rSK}=d*3J;d^=aMci8bxEyC`=F!0Ys2nDv6aE>H8|Zrwf-?@O-v-2UfXWMKC{ZnnhYiNJ@T0#i z>SPQ&g*Lzhp+HEz8}at9*MC{*;w32RI|T3yyh*sg+cOmkj0Rl%2&2sd>TmlwA^QlN zfbBzFovL%C)Ngw+5KZ6dVR7;tH-k*P9uy718kC^7bet_g4dt8D#`hb)lF2`ZG8GxYOWa?1=g$k4C|dK zl8Pz6(!(2dFx3a1z&r#!gLn^wg^H*<1_OIwF@!USy6`R{pa~fVFBbR=CPe)x%!BD^ zSg24h4N(2{E3knu5CXv9pQ;YiiZp;lpnej*A=Ug}unz;$awJT`R6J}Y;f(NH@6N%u zeN}^R<2dyZ(m={JSUPV%!=x8OxClD=k+WpT2xkXsu0e)`gd!O5HUZ0sgP*#tlQ9Sp zpqK=N9vLYzE~c&nK$T}fV1fG#M)Mq|a^Qg`KvRI!2vIK0Z}R&r0JwyPr%Pp_PInBZ z+zpf-z|ALLz{d9e+?Z9Ws3eIU@q*kZH+ZUitB?iMz7dCR!_Mb6e%uHQMj%CKcnwCH zG}i=CE(*S#!+ziGhKy!@0#-~broaqSz^lCk?gcqX-DIjmLP*~Gx3|ChT_#}0@Hf*! z-(T`V@xmSJf7@T(F(LFBaGmMTf64v7xZAh4VNQ;m#LodjnCxLLO--u-M(KTHUAX-n zMtvSZSV}@aVD2ANj~*PMg>~RFRsD}}!B#a+-J76zNUc&0;T=JkK`M^agUSbx9FCuV zJj)oCSe;o917NruaHrs<0!LHo(l7~uSKy@@fe!;eO@+fMGDcnM>ppm?br8XT-|_?D zrD~~5T@->slT^81-@Hj<8;~oHenONgcX*aW5dRah#JiyG1a5752JatK_y^xCX8)g_ zI@Omtr{4$$3Xga}RDww5jk?2SWo32l+CCJwSM)RgoT1f{l9D2)p_)YAy*%Qu zki1>tkn^!wPwqXXol8-72FJtG^qZQ0czu6F6TQ9j?VE0B6yit_1i>JdkCCk8l%4(| zyBmW(! z@*y$ODeA?F;)60d%Tn18V>QO}M+$Rta$@7-ZGZNC zFTw2C65gz0UB30u42+JBI?T(7i{qD_iugo*s#QZ1til{t)-3clZt3-2lt|wEFKoVj5aacksN35;|n4rE43^~v-Wn9W_k?QVW+s_DgpYPk%*t!8-wM;?Cf3kN_( zvhQMZsKPbIIS)LCy9+l~oAX6Ec}rAGtdy^N)`CAGEGK4lrHaL&(9t;WUO^HQJ9`*+ zvgezuA)=)*cR(S+q6H3I(PBbL1H7o8KZcd1P{E(Y#IP|FE8JO`nfCiQ&iS)RqL$(w z{`_I4$u8`^`E#L4iRZOBE|h;`J}PKSL_{RV9XIJ0G8GpW$Hc;-v{k{^FUeKD5ve9y z`DSuoYAL0SOd*r?t;@*(hD@12YYwUX35OefM8o#LlTc)iix2wK+}u3JqeaMbVq)U% zwCbZWTQ)lvOE1L^hB96gM|F%XZbO zR8_~&Yd}kpZBMS&TIrjDuCcMPPUmsgKU3vwlL#ITLrhL76jPg*UN;*yb6ksDH{b}p z?km%`aBNR@Q$OS1Up{?oYi+%marg9#R3CSDcfEJQQc?-#VvYB9ZaFq^C;8d@%ifG>g^v9AL2MREBE7^Uavn32?#Mi9)7m|C`U@+<*Ibh-ASfU&eo zF9g-5JV#b47X3C>8<&^e>P^dgUkOjG&Jh@UY*EuGg4`?wtjB!uj_PR3_xB(7rVcP0 zm8BZ-Xm89q_L|+n0CS4*S36pN@Zp!Y61mcS`;$NMkjLgH#^%X@oit(o9eTY-b#%%6yj<@N|ne9y7^6?)SnKBZLH4OF}a0>gwWpls^Sy!F*AzH z(k%G+X{pFDT}NNvsyu;FP-Aeu_2apyLKL^!tp4=4RK&28F?XP{nwm+;mC}RPs(BVA zEf>me?rY~WeIOsz5(*@8W@}Q-EP{Fi{DRdeieG8aBRC{ic*<$>2u5iayud| zD(C1)js7l$3l}a#KluQ5ns?@|K<9JwFMpAZPx>WoZtYc<2EHL0<)P5fS&FrT;q5W9 z$;f)B#t-j%(PsIan2kGMhQ#72L~-I&byUV#^M?K-oruW3*sPwFN0bFGD06~_4% z0MJNQLp&(mvYSu8o0I?GyzQJAvrGUsAj!5=#@i@m%=NvGT2lVKl2XM{-IftuvO6ut zt6*%>aq)as{Zl&e0d8%KYBM6wgj=UnvQ69Nh{vVML1L9LcF4%asU>P#7TuG$>TT^M zeV$9|l@x2v(4ECU3XQQzfb9)0ezFyF($zk@t45h97Z)Dn<({X+6(X_poxykDnP1;U zA#XMm2LK$-k-?9RStx`hBqml(6n)tS8eZ;;?(6G2RhzZ2uuwM7sppzCk8*ckjh~!f zsV>XqE|{FtUM#g`c8GB-?H6b!^gAp$mfaBCxa;E6&4z!#%DhE#3$R_**PGo}jn;`K zyiFLzbok6KuP_(fcpyoNI!e74NL6g%xWx9y&i*R z*&|5*=Sg?Rn4(0cBex&do(Ue74sCA0;d<&KPwkBaa*fP$xRcE=2Mz zW{z3ao$^-fgb&bwPoF+XlF!G-#n}+nqZ^s6&W5}iw{eW&PVp_y3Pl$c6(wWUfKS8W zIputRKE$!UuXYRQS$(AHh8b{=hthl`7g zp1K>r{LpdQDAD6;it`ZAtim0I|y71)IODG%=?CGAvBc z?|8ByR({lbjZ7r;H1)|7a<;`-_9rA&sixCkwYBSNmQ~Nuy6^3cA@!5iimcjYWMyk+ zg%5lg#C3Ofi_O=TU70Jpg&j?Q1;iV4P1}LUTpiO-675$_l14{TC|-PP#RramS&M-n zZ+3RJSdxUlR4Ldk=a>)4hE!h~(OLVXmt)H_ z-(IP?(KHhXDhjTZr#x+5Q6l|a^XB5BB+y(zLU|~=TylTWAIMdx!U(FV8KxUhnPR(V z?+*|>ctwL&&{y4>kg@6KCl$EdMJ`E8$QDN~q=c}QbV~MD%a;^I6GM5`db`k>6v_DN zc0T+&o#r)N!7p>2m7qG4M=XpiwHJK>fT6=S zVA^tHburn;E6IxRrq5jJH1E)t(f(;%(ZHOK%`$V+_6%vo1Xt z{Bn=2^QWl7%r@X*rWB+ z)6*FO#beoD`dzImgY>?YI}M4keoL~C8S_y|$NJyDe-8K+ss5VgwolJi(|;z!B_`VU zuj3#1NqPa?Vy363XGI05K%nnmAYXUEq*jB*S|y#50)mz3mGe$1U^rIAn-~@W!hm%B zf-8pQV6RID+T&SkLsp~Q7p0?dIGlk$gIK>#7u){iAo&ecHBejKQrmm@Qt|$PggFth zFTkR326QD=cxLm8$Boa|+5>84dBPK8W1j(?3Np!EH3v%XD+qBL(`w@oSK3kov)!E{&ku!UmYRLG z6}W6dsT6<#9lVg*0kb5>1gj5ruR_PqeRi!bkz|XQzZe|;p3weCp1b!*{WE*gA4oYk z(Nwp%PCli0;4abE=9^7j-;@NwZ#ZeQSTc{K>Au9ZR^zw9TodD;Z^q!=C!pts_pr+_ zu@4IiW1MJNP%RH|!7g`R8_G3sIXcjGrey)BRUB$gbxC>iZz^!Oa1+{r{MugC7M zrne9nXkFr;j~tN0$^_{MYgjOiR}WgsvPGoqoBL}mDp6O{>Xu>FwfR&UQ?GAELqwy) zSg3}LWCLZc)O_as)>tWwGWnDm2Z+&Sy>rsM_%@C z#!q$cqm%yHF$$DI%INW!-SW~2n(BD4TOinqO-QhlEc3Rqx&Y$yuF$Qq?YBKKfIvg6|1$ zITzEVPCt;C6kix4t78TCgZqRx?iO|^j#`;mWiIUZ;cQk-egARETMuoE?QJIu4u zV>FbVd@X!pV~Xp&175?RT`ai8gOAY&6y)^25id=Zu~J&R3zZlDPPE#yb4NCPDf-ip zW&Jx<#7UF6e&B4SMkeuO2B<)>#WCiX8rhM$bq3#WFY2D2!d+`B=u&Rfr!d%y)*C<@ zNaT?zZ$ZeAAynOZtpy|_XXN~)Ls_Mw`!^IFv$T^6L;h;ePSb1GJQDn$a`p(DJ zb|#+O3XnE56R|9;UGdDQ*3zsRyVO9h#^+P}Wza`FrNgV`{s!%cDG=Z)&2#ZLBeA{flHj|mtEP?K?iDZ!Qh7@i!O2Ku8 zx2jFVN2=GGK>z~$namEUY(pSSNX$;J(2OA-)rVJdch2fFG9gI{xV|&eJUmkpvDxVd zROKkU>=}r@9p-BP@<*iES^M^lhb832;)|n2hF3y*dGbaT0((sAYX+NZjUoaF=kZw` z2ib2$_f8U03+WN#rFOW?s~~z+NX7(QoJ}^l$_RQkEHpK%MrNRn6V80r<0IIav-|2D z>${)b54*&EzFA-c1P3nDJKR!voze@beJfrdYcY3mDYgmJy%}|9Jbudqq`nupxf6mu z5e*GQC4_6}LEd;-N{aVk#ydlk82{S`=JZr)6}RW^vNW1RO2?%)rF5(W(7kmC?>!j! z;T}6&c|CVu@7r#DkVoXK$Mtl<^DIvqy$nT4dYTsf!!D_fZXNxMQedeL>u3DZEEv}% zy}(gf*o(2|zHs3V>aQE=^h#FN*5=;clE8OrZ#HfMcTqg2e)tQNWwCLWn)(5^o{lG5 z|J2la?7~O)*m$+w;^_nZpkYegE&X}n+y3ZY{~@lO-iwRR*+TrwGmM-x@HzI8eX^k+Si9BaZ`(>XH%p<^*4HYQzHg1@?{V_txO zdK4FC?LTtO#e|;}^Eu>ts_0tC*b+Y3hw6t4r;p8F(G?_NvTW2t$BS?Klf|WM(v1Z< zzih1NiTuf}@Y<#t+cD1^QK(}OIp)oZi)22 z(rpOk5;A>Uw{hS~+2dQYZyiTO!^)h^xhrja5=7U^a^@7gmnu+{maWorC?}`+LKT8S zSA)2cQ+#6||4R>~=Z6Cp=KG4z|8b(fyyFTvU4MljtR`} zO6TAnMfkDnjz*H-2Z8T@Nl?LG8+EG?E6ptQU&#waZ%Frb(>)liuBFF$V9=RbXKrvS zuU&J!RO9(jqVI%s8`oHWsh!T<6!R__v?{tj9$h?MDoxM*R}T>jlKhu8^ePcNzo3uUh&0b}#KR+kOdA8-y z^uxpv3C2B$hZiI3$<0I}y_xtUsC*iz)I1&Tv$MSgR>r?)kHyj7k)=$fGx{N_L2Oa+ zcS*o;LR7*_+*}ckO^V&!guE(n>W$H7x3k~IYi5gl*2p#{)+iK8q>y zI@8oJ7u`~w(rO{g-r^=ZSR&SS{&bchc}RHrM`Ka*g*LOU>UPP~qFI!ymWvw<2##vF zK!-rS8ORZ+ySTEl5;Oa!&-VJH^^px*TicOs)AbgU?ZsQ=rGVs~?(RgoE8GDU#wI3m zlShmD`}+?&n%m;uMP`x>Fh95Nbg_>r?XS+c8l)O)V^~3NA|2~JusYkvSudnzVBk{| zO`%X)WQQ~z2xShrIXRW7pPIvV#x{frI6shB$I#+3+0vWs5_)@k+kP^sdaz%RW9w{e zA9f2cwBj@{ZlTXS{Itwz$bb8C($Bv-fEX}E3D+hdf)5B!FJIcVm zNbF2DZ^ZegWMT%~BKu;=RT2yONxq3$hgaymwpu66ln`yd&VOAK|b_(;pN0AZA|KELSuAGf?Q^>XSoT)mlVIG!@-TpK|DY zvkq%#w8*W|(>|T3cN?A>XWO|+#$|-wtGdvun{rVxKQAw#tp3U?R}Bp6!i7tK{YaIy z#$<~FOCm|_qkU>sCZ93gOCp0?S5I|A^6WR4)-l1qU_v-kvxr82uZN4(rdvk_F zVl7-iW6ANWOl`}U+hsS~Od^fQEgH?QKaYx{;?*%p^?ML;4ldvLwM|HN{mq2eot z`1o?g;z3Y|$So+iXJkaomwlJ?r@Ixs6`4>jI81lVI@eiNR=prEPbpg}yR1yR%%NR( z&6oW~ma>Oo;u%eS9UaEC%Xv9DuN(+A>wA_PM%fF2@o+63Tqy`UT54H=7$Tjh|14xCrV38%idP_19hK`k7ve~mGu_sgD(P=^Zot$K0q^F z`*9#j&a9rR98`USvlyvSt*&*gPFZq3Vl7MK#5fzlm^XHm6RAEBu`+niz(8tr$+c`FmUOwM+shu~J>lYbXSpb`WvQ)f za?-OMM=~p$tj}5V6DVB2*?wc8N=^9+amhS0#bP_*d}L_X-<6vQG>E{;pS@jKvvix& z+lT#YR+e+LVxVIerfjFnlDOs`BZL~aw>AWslai(`I?X6rsKy~&dH@s&PJLI!70txT zX{OLENxWf21RhlDEzM24m>M)ux89-)w*#AK^|0VLud-OetFMSa*UV79lrU7~tC~zS zPNj|(q4?yvPy+Q_!$5uf0HRpi&u=TSY^XLMAmY-Vz*cdwugUOufEKRXYZhp0Iz*kl zaz3GY?Kwd}zuae%k?tMbi4T7Q+FxTYacn+(K!J@z8P+b)C&r%)So982IJM3Ze7%7QyLGgBUbVvL>-1Hug* z?6Da02vkvV>zAJ@`d3r<_Y2y{L>FxKWBc19uC-Hiwt| z+9_#j-vs!%Ul&gPzEF1_Zt@_#LGu>e0bZFO;0_;$4B(x5CFUC3L<^VwJ#XMus)TbC z;La5ob)MSBLC#PcLf}e?+goRKg@ho1Ke2hd!S{^rDZ`!itKbO^>a2=;sph!!c=yU1 zZjye_*OTfuT)%Hx(vc0*`0sJ`W6+{cpjIlP@6qpp4-s&^7tu!TA%Wk{e4-NVwM(Mc zb$Gp2>ghT#M5vv5RH&5=Zlr-L;n%6BG@esCT;NJ40t&(r$JpTp82H2yLiLrgr+04( z3Kcy%^PuY(JW^=??)3@k^qb7PSI)wXF6h`f{Nfm;sKbA6a11F0j?y95+d32^ym z+FS6nf%dziw#dmL5__T=bJ3SBK%o{=es}AN&%m9oaFtytoLR6i%43e-Yy046V(sjQ zB;NNKxi<~)QJL?AA@2Nts{u093~sAi2=7w+^fG+HC~o(8Wh!aH2Y&MxxI`t*ZI?7t zeORCzth=fcOKr4w9^AdDf-2By=4EQ8e^Y`ep>A%g z`0f?g)&Cb;7Su*DH2dv(xKsFWcT*4w)b&+&Rp&d;M`(l2)9;e#MYVwQ`~JD209$}n z@GjAx;Z{6{#%}>4?uNpR%x5uDJrKe|uexrI4JjXjz|0SLqXKV&<7@CMP_z+NSLLU> z^XbD!7wRl_=M&xw>o^h|DWcvK{s>lp+N315JBBwXtE{v#|xI71#w z_KUh*`(|XMmp_wxA7VC;kJ`)!6Lavw+sq-gyJbzb{|WVMAp9}Nz4IPrWOIlY;6a`J zu7x)p%!eBG;jFu>jh%r_+CpG=qa@&SYaC1e+~fs!)|<}kav^jO?zK#VhnuL3A~NB# z1mVflc}btE!T_D{-vs~zOb@^lC_*QxsIOyB|63ltz~igGMjX5kcfbDur#e0vJ$!CZ zW*~F?zDYr!hm(gKs0exyIuOR;vn!0cGewXKs@vR^ao~A)vcQsEuIu)|5c&@oA!w*F zt=t`An*5bWYg$IxXBP5O;Z%s;i%<5A_si}_7bvzyTlT&9G`Le_??ntcF?Vi$B|2saD76wY`dpztK?QPcpZamCD5r9?o8$ z%|37=8k3$WdHrsfrESB*42<&ah@rCa^7O@)PTSfvm%_0U2Zx$Bii9iCw)MH^`1#ks z5X3(sbOYywIF?XrG^n4|XXhk3v$~Q-ncvZt(qs&-?VAgKC1L(Srud#c?tRlUTZfu7 zt|yMfs+yYyyuqdZ_g=kNB<2VlM;_fZ$w1MY-)JqO$sbaWiXXLUAC^rbAIz1pnjv1k zv8O)iZ;jFEdMATR8peCPitn*VJJOWo!_bcq6pYzI)fE3pfT!$$`s6A%~qNZy_ogaoRXgDt|FMQ^o^(+3X9h*io#|JHsQdC)OSbGSgnfm6Aw`e)RgnXK1m-3&X z1>e6Po!L)mDo}c#`G%v%a!(WW$Pv9Vi_<~*ueH4{-?)2=FP|mY!C^@EP1wNQw9l5nxc|c%^ro6I z+G3*nyT6{f8qoJxO6P&nz2{|UUKKM-q_^z@=1%bx2RzC8u_S|wjnFNULqdda8CMG5 zy1fCHm9nLy!G6bPbHy@0fr02F>s6VC0yk=;V>XjrFRyv>WX5tm`FQzBdbE9uc7xE# z_bN~9Z&>5_pIBb9S2T-b7BPCkBgQ&&N?TW)QK>wiw^PB<=nabZ#ofC!fvx|TtKLf# z_EB7^d+79rU`h|K3a7W%SM?N$fMNF_f_-xhN4jPj z{rLq}a;^^X7vi*%!9P4#Id6?=e=%RkQwN|C%uJyV9-e>mX!xD#%HQ4HGMTH%sn?@L zkBM|My#8ci+bSexRdJ?ft+uS;#Z>ft141w3bR@fO&aDiur7|Z(-1A*%cljf|^^pn7 znWH2ejpRxR-ltoLd^dQ`**C>s?^4-){i)*j19mnxMFu*BmwHu5FG{n!^BOa}E(yl% z1eQDTye%7aPMV{gP7>kt#yV*2t3NIlddII!X-`+i!WzvRDH|`o{Dk29lr1A(R6DKG znIZPT)?2%7KqBZJOC@<-9J|u4meM<{5fkqacK>JyY4vmOUfwrPG7HANq8S(}O2=QE zb0DbaqIeIz&+eXV@{de&;>nM6sQ2FJes(mGNqt^XnSV4$l3#OQrh@7dC4WMvnAdR! zgK2!dRE*u|%>AdUe{e+pgJhw=VYsOHv{!7ePm6eOwN@CjT^5@_dK6#GX$5C;hC0v1 zWHdfulc{oj(u?M4ow__A^Z0BvK{B7cwl}>uR3j-g)|NKqa1}qzYWdd}4-ASjhA=j- z$U|jX`)j)MUmg9ANF6anmhbhk4S2de*LQ_A*t7dSSAeKj&Z!<@k<3de865il;c)|~DiuPnBDRhHm0r%*v8raj}s-u+s+FIp|jmtFbx|wu?hOb@|{s@ONlBJ0S96KJgTHb?$ zPg*h52Z^j6X-qWzVg4aI`KNQRu{~Rl5~pM1%gU!;Edfw2@)z*9P1Bd_WKU2UZ)b~c z0BDeL%{EYz#iMW3XG$s;e!T4|T~+K>EuOzoD9|zKZys{Ux0%#Q6Mh;BJE$uv30A*l zH1<5(lK}xDB2a>3RvshSBazANKaelua9ph4)ui0(5o?cFO>7z8(zJ)8NiNG3KE>-% zmDU#0xfmVn^8AM6GUZuLiBj%9Skk%IhpTj9kMEdn^tC8P-*KZZ6wmKya{DAD_>w zayP27z*^{SN^NHbJKJn$N2-CfO4!>Q31x4l#>z)4 zJ!ZdM6Q>5$dO>8zx19l1p4vl$Lpd?>1I$+pT`>ivRyTXRG`8A8Eh*pTS|YU0Ua*@# zjo9Drbe&8G@_&n;qq{%^?R z6{}SLX+ZKvA?oRJN8X*~A^)sPw@>X=)PZ7GoC>2$*RMau<8J<1BC)quB(rcUTTd`4 zWa@#%YEs>#e58Wgm+R%*%i`LXWg~U%Y~Id0dgQjXkr!Z)_R!2IOYm~W5IUk= zsvPZ)n1&LR@7dFP$p_tB;p{z}CDYwQM~5K~lNL3bFWFr+Rs3T*^F2&skXC4uao=!p(Ak^ z(HThs`WztLa|`r3@xg*M*)hi6HvP4B4h}u_baK+Q`=NXt5$IKpa>$X@E4fqVke4Qr zihdLh;%&;Rh_wZwtPGvu%CI2i@2$JDCB?lm@Ju0Tb#`Ctio7Db?ntMJY=tU8JchgI zdaL}Sp#rJ$*LJsRavt^WS$UdKq=zmX`3HLj+aY{VFP`NPIX)f z(A`<7iK2|rXn!6TjxgkkNUQpmXN2d!dyOyGbnP96Gw5RplZov83O9Gr+)NLjQk#2^ z7^2!7s+|zikHM2xft(}LBfALt{bt?dly2{WobN?6#e1N`!3qss zjWUmZJzFh=B0Am%+28HXCQq%M_BG~}Wj!T+?Ge@iHa$!qYj>8@CA^NmQ#HfMF9JNb zZ1Z);@JT(EFK9zAp7?X7m9J(@$T4GI?QgE6J~EP zgG9wT;nBRWq?qq{5W*$z3+Tz;x67qt5m=#nBGxUE%i1%3^xi>JSqN1kY_Av%M7Yg# zU!40^bi=MU|F*vdWGD!Z^o%Z^C50M)Wgl?%6H^?UN-)C){7Ck9^VP!Le@-(1Ttd0m z4N6HExIdZK2 zbJHT5L51bs!mT8t!Vrs#=nsETt@Ldg>|wwAB}C~AK?l7-Q8QSctKY*KdV%esVA;8T z^6$RrU-?Ph#8%cgy3O#TG$`e(;%R3}@Dh_>ng~EFHFVyW1K%@D3=~D=a%Ufd@Cuu+ZomJbE znHzxJdsa6IpEGKGf7~h1Pn<`h6uAY@kUQw*qzV{u)y!h8f0v<}ds)5Aw$`8OOgUn< z9=*H)YAYNz6P^F)=&`~VE^NQ*mwqVe34ZFcEGUSYZd_>C zN9KL`%$?79+DW$Lno`T=QLU$Lu8p003yfp4M7Vu=PG3Hy$}v@DnaydNTTp3|5It#k zv4swC8hUgi{ABagNVIMOwQkYcHulb-^Ojk;{TCbBIk1=Z{Vgo<`~D!_?(CL*v$M9L z;_cX)_v{3VTy@inDfE+06FJ`uhL{uD6A|}pM0@PG8APLjKaFPBoXhI9-$DOgYP1KYhgIyvA30p7{@G$pi2v$ZRRQ5IM!Ols-@Ug~>&!bMS`DA4Jz5 zwE_Ka*b|v_O2%(Lz}}b2bnr6kk@d~!E#Py>mbCbb%Tg9BmpzK}cDrDEDIWQiC>SH} zt$@1q+~8izp)>g>ki`u|ZaUX) z2KWx$aUfKE{cz}&&83)AJPa?h3mk5;YHy~`rw64ydM4T{mQOeM?%Rh$d*DK&scJ+e z!aZKs}2$MPs0%>tw!NpjwLYcL}|;Ou1G)SEPzx;<0QiyHkTOvC$!5Mw@&rlQ?%h9>IAP+0C> za! z9V#0cY>Q62akg-KB1d!P@ZV?hkJTAMfNEtai>b(P9sO$JyKoD)M(tN{Bpt@G_m}De zj$CUB6t<_CuB~xxwsd8ou8wK*Jc@l&7djnO^^DCYRrpa4_EpQ3{7aqY>_+Jce#hfp z1iW*udpP~$S=xNHXYYp@MC+~1rPByRti=`12JY(%wLkwqs;)XNs;z5}C~^gn7o}4L z1nEu*MY=nN6p-$c1{GAKyF;3xV_*h`@ru&jjWi4~0s}}4e8+pQ;CFrk|2VVvUT4L# zp0)PgACdBI0{=>GV*^k-pzc!EFFqN4m^sSkxFkxt--d{Mu+i51{`_Yvq#pio9<~_c zxibNmCpx$x5SXKfCk-59l;!{sEV4*1<0kn{T@q3K2f>qOD!*VfPlWq?^-B4_x}RUW zF}9ZV5!LlVd>7WM(1cJPqyKC3=tA#Jph#L#4sj6qk!&dDc)IIAj{ZfadrzM!_EZ78 z6su96x{EjavFyD>(_qoX?vI;zY}dJ|e+AcnpYK2wFBk}{qtZ=(*#y-gr3sfR-s0>q z=|1-^?_~Jimf?SX&Neb~5EVEAu)zc?V~fK+5n`QYHCZ+`<}SLOIq(J;~-58uCZbxiMLFn zik_+=>~x-D-A!?uhO)Cgs${I3W%fO(Eo`D_-pvR(J0Y zU-H$UA1y#pineJRz2!KZR2r9IoOgQ4<-H!slU#NK3hTNzSR_$p)J=X&3n73l6+*f& zA#A6Zz6D~>HWBC(vqq0%uF`CJVaRC%N7L2;SX9>Y3{z#;)aLogLU|kUG}KY66`Fhg zzPvAn-zf#ZOS^+TsqJ3l^<09B^*9c-&q-h&7-`Ztl~yW5&wfwE$3mmrAg&UkM`|}) z<6myLHQx2@c+dB*mRQv&qGHF#=;0F~WRWk71xLU8T`B!U)2 zIHG5BF(zV^>dxGS@eGfCbG8p^l^ zlj@n^zAC%TE3@0V*FbRw0QHYIl;yOd)hB9fm};pz$I^n8BX z^SKIc(;xtgFwB4?vJVZPQIC_P-)}MH$NaO~9YzBy=|b71c>% z!k*6yt-s40idhKvYw|P7Gt^(!HJwo3Zyd3Lk;t2!dc-p;5tJ1}$*5W53dDrC1|m1f zZMvskz>FgV`Sdb~`1{|JnE#&RBW;xYosecJHlp4#eh_OmSQ2dOB2L@9M_GqgPU z&g~6Uo-`};6MVZ=Ghn@qX{r&u0QIToSue3?%C7jhZ^TxBY8avPY?$1vMclO4=J#A; zaqlNN_Ik^kzsQ&aYO;Lz^Y1v9Rhr<8BOp}AEfN$qXeSzZWEz1j#7yP`tEJz`8M{`h zH3OI^DN$n9d-$$3!F5LQSL1H9!T=m@o5iQ5oJ-1lK6rE;Ep9Qi$^6=PrRQ<^W6|<= zXv2!>26kmnpJ2u@0L}L>{QCWmiqXD{B3iG$5H472N4Pp`EfH-v)0GVsb^*>CB)o9Z zGEgzg<+0(ycy4{~NiDCX7NZW6J8JvGQ*G((ROBLk3 z^-SzjZ}-`anG`)_z?z$}-l}E^t&-3d&o;Fc>5dw1;beTZ7sQnKE6T@8$X6;eNl-{*abX2 z-Zq;3f44^eBMHXQkAw)j+u!IvCr)cP8t)7z)t5O&9eeNVSiwDIiso#??LNCaT0iX2 z4WZR)v9eVO(cVhhde2d5-nk~I{oNY^WTCjYCNQHoj!vkU#220xFSIoHDd`J_9&%I7|=wh9@%+Rk!nGs7P(wsG`d%G-`)D z<=;)||I9A#B|F7v<(&gm#L7p%bdK{B3DFeRp{-ok#46!95t- zeOm8{Ct#-_PApAJ{L3Slzx#4Z+*)w`K{8czWJ&J9TL~YzP=HBQb{aqPPGxAga{Iyg zBCpC!XQAL&VKD`AeGNyWj3WC=qwg+Op9_qU<{{AXzVY3*s*{MXOSMl7SnFRHZZ>FF zq(F5O*Gm&a;cls>Y-FeP#r)@70be1X(HbH1c`F21pw{?3Y9%iJ5TLPlsPyc|Qx3B! zhBmTtrWl4cs+8Uo%5|D3G)=FJR<`BGduEVCjOhd z4;xMBEdGxWL6e)37eUUO^V95v-zG(TlO@ZL=RfUct8#l5x`I<_ooGg~gODfSeHu`87awBxYgkycpd34##)W=OW#?_GNB$Sy_{9(k!32!z#hmeKgcD;72GiuJB z90i4R)xETRio(yl-q1ZVR$nj$hiYGJyn%T9(9aI^r~G(51)>>t}6U5OgU{c5je^#NMR zp(zb))tDa8!G)6fj#aWMdVWyw?jBu%ub|xOJt9iawD9(k-=wx_iGNKbTYS`>Z?O1>=SgFvfWuQsbh+qN6Wk2o40!hJn+ zyFM;~FDO#De%0KfvMC1(yB^MZ&pvZ3WmoW2*k24Uz=glC4Uwn`NJT{-Y?>ZHA+FlK zLW_fqJf~)&FDOch)=JQk!G?ZO8-sYP_5K=xciH4Pc^#&qTE;hkmO%>ih4lM|e~vu@ z`tA06#fuIkO?LF+N$24$4L+^Diw%0Ux?DqXRtCJiu;{Hm%OoqvPCaM9KFkXtVOiX| zq9dHeL&&H9LdL_dx_~R7S@R!4xS&G@hDH5%I5^P8;re~{NG`FR>M2*;?_Pih{m{Az z+Tlp*zZzq++{C{pF%I*4pnFMA#>g8`A5N3jTX7$hzYkp{;q*$S6X)9+(rcM7gX@XK z>$15K{d26zKdSpVBjX8Q8Pr^9N!Gtw8b&%e3nsU_b1&vvPdrYx646Yx(KMv{p!SXN zNhdWzRCrMnNjX0fRuXo*0VS(^aK2Xt@Q|2EKRssHi)Eb4asr5(xiX7FTZ{YrtFL=* zox45k4e2#`=r;oY6Sbp?v0iHO^$$gc7)3Sp$i2scAE)st3-3JNBPl~CcJpI4j3IF* zTs73S|DFd2O!IRF%@c|I3LF1e=@8oCG|lJ=BZFlZ9Z*KqM)-?>C8X0>@{UoN@p(?y z)_R%qW@L)myzm6Xd0Qm&D}F4&FRJUmr&f?EqQv5UzWFfu_`%2W6sR_bOCu{tl~+Y8 zyV<&+qN!%tNYC3_o!NSFG=O_6USl5e#x)WT=TUdHRwC1e5hOm*_L;=_$xO)v0~ z<>{5|o>dP)`zt7cZzm0slb^U|5&8{&?K)=6bneqNp4=HlNWT^>wQaFYsl*Q1OHcqZ z8>2GBv7?FH?+Vi{OaWH4ZleNP9Y+V46}0SqrkYJ9*M-q4yz)~T0=DjDO-$!z)2_=0 zhIEMj`4zu#V1>Sa=FB%;WeD4z&UXs|o%_=cl_tf=;~rn^%h24FYV|ME?TiSj-3|0% z)+iT|*CV8qCFvipi>=i{!;|o>z>BZsLL^{~S!jsHiWJlkSt@UO+9NCO@7Ypu@Ro_8 zdOI)f@ZBEfxp5Q9glWC4;IhmI3O2Capcs9Hv*}vN76a8K6VoRS)&{FDkLuA+<@C=Q zR*3CCbDQ>hHZ5maEU`6uab}f1=S1gLtY|6v=R6$6mqe-8v|l7ULcYGY#dhIXf5eF) zlR(%fo_EiZ!o?*sTn1?4O2%91u-jT3R1|l_v>)(Zc9a2`YNGeFtfwHwyyr*K;k1HK zUX@R`?(5AU9aDkNE7i}EC&_)loxL6g?)R8JF_jcqQFiUHX^#J`AiyfND8^GL=NtEc zl0A4VQP_w$*khl%fnzj#rdE4;|I1#7qRq6|FeE#hVodEQ+Y{hbSiMXCJ(us-x1=&t z)sFH}jHH~o8V4oL52P_kyo2DxL`nE>YNm!gXsR&A`{IM&{oZdn%qFYl+@UCmYj5-9 zfB>L>Qr`kh_J2=I6*P+{^3nhJNMH^+3Bd6XFjNbe6=O|rRN>g-^6Z+`2)76K`q;e0 z=%>DO;c+>svCB3%;Ia|1X=-gX;d3Wt=N`>(uYsN2I59gr2%wXDwnkm(^vf+ra&9Bv z>iL2B3rqrE=!2y{y!TsAqPHWI)*aim92_ir9h)DVu}(mYjXx?I!cu>%XC+g#X}XiF zCn*k8(XvIh)vY=huaxn=ImhhNZ_^()8XOaoU(uH1Nv;0;;tZ4x$6wWd4QH&IRhWic z6r**4`h#@h1Fb)YJs^}L5nS9_)>WoXS`!1LuDr0H=DXEU>M@R^RG`bhv;8S7SEz0F zWOdF949gzYt~3NDjy~Vm z5Cl?wVAB8Zv$vyVEIZYk5y{7e<#9OCc>>oulm&!12P@bJw9P}8<{p_fVhn?nCB+67 z%&g?C{}9xJHw?s)ZIZ_NoC?Ph4HgGL<9#;Vy1=O`npHBSdPM~)cX2XfkhwwUUd5Zw zc4Z+kF@t8xVQlB`ACT22tntv4{U!AX+|p4gc|Krgy!7!aLgjhk9X#Wc9fIvUx?vuF zAcMPiqxA9HVI&ogJC_7kRPU4E#rW;CI92a}O^dB=MR1_`5de1>Y$7S~9hj?JbKY-N z41W7IFR3kWw_t{IlC^^&3gqIGJy~zqK+>jd*1kAb=-M+Nl%1C@HvXgH-^woV!Mk@q zOyRdJ62NAm91Y_uE;68+zZY?RPTmkzjNDY?-*KEW^6`c6<%bnMz+;n!U$&P4FY{KY zMNRL|hc}ZQ*|KA(r82xskk7|CF~y7_PCNI^wUDAC+h#iQLVwC~p}0Uec{!=ON+$+r z#=IX$G>=eDZ;oxOoVW0;zj!WH)YL{(hQIMO6LmSkVE5PNN`F@sxbT;x465bMn+cZQy7Y|MF!l++9Krl<*X6&K zr+0Zyvl)xdQRrrGe6UYv$SVvyv`dz_pw<&Mq8$QGm;5b7N=}*&CHD98cmA$|pS%&B z6|cBQYau#KugPfF&3pSBBf#01cPB0Il13<4@F*=2ccOVL<@cHhS12{J9#4+JT&75C zwZ9AKm@JO&?L9HB9w-8M*T{B~@n(H#&6aFo9H|$9-tBGz9{eSoeXCoXt$7INL)6iZ zNp9ThpRZjlIp=hKPo;yq9B3+YpdJjlCoKwWGWvV)J$tf}@dL29Irt5a*3;IJ#^!LU zwiRb?-W8elsZ|m+6&bloGmv&)(!^XPun`7zWW`;aO1gd6G=M?QDV1^ zl|01Bk8-88+-LcBua<6Gfv`4Wo|g4kM?65xik6+nj8F@BxXlctDB}{&hf;qXG|znh z{c=biOSVqYzJ;j3g&3FCaFd!&?bR%Ke)V8r2liJLL4PP5t-2QuZp z)&oPYXf_$^V0#{Qp3mPfm?x5%1adfA{yNw2zlRa`HI|BEN4wu8z3t1j$j~qWGJN^C zHU{K*K+Re6i(_$_wV?ifwzz(+oKTr=9bNU@q1WG%XH2zD-)99Pqt8oODtXFfOPm^Mh)Uz z*s&+uz&n@~6?w^)6>pWiqKR#~{&vP70w|&U`^1dilxsSW?XDFa+)bO?6fJ9st=)&B zi%E6Y)IW;8GsLK#J{9-g5{t`MFVn`hKoW`|EA&VM3ys$lpvHu7-fS-ib{%Z4`GGR~ z3iq39!{y_uw^?cGmpx4bzl!h@UFzHYP0YOoExmTZNlR52Q1P_9 zvvNG`%-7f=K#%rs4iv?FX>BeCRg`u<{0T^2%-iAdxOepJQf9B?7_mpvk$FSaNx>Bc zdZI+5<}Ft-qegb^`(rGs1GzqW6u8jw)0O#EFHd=&Wbx=R9%(JYjt(J>z9EtScZZ#| zmyNs=*ljw=2xtRknvP*tNCHgVAnbwC+UtiPdAxKsr8-eHQC>SXyRSSoGhX)dVpu?C z;a4)-opbQfb*_7oC!{70+5O>C+MOzpOgskvf`C7~u*#%E8WgoVjcrt?Te6+IHUYuJ zOBra$!Wka=@}y+IN}fl_hx0L6wf1+umBU8uIJ9o;e7PAT&}tVM`YGH%lZ8Z!<;7zM zg(YaNRFAr|K0amGvoNJ4UJ`zaYq!nL8;!%DrU)r61eLlo4MR5`VFPNOc8Gi@``scp z`pR}FH@D2s*KP$-RsK@g)b#N)x zI1Z$_ZSP%V5(oQ;ryhx|txwk8{!G^qEFpVMGeq*-#_Sb)>G?txU{nXVU+mBXsPzq= zUwwE~w^+?msUj#*_>@#a=Rt=%Ped#BCHBwu=fG@U!S~5QH8%f;V&OPE@?`$9PIGG+sZ-QZAgKdx~B06JvNn zBbxfJnEO&?_48su!3pHoLUGg^oOBjWMT(SDJvEM=j*7F~Qp3)Tv%FLx{r;_*xc zyR=@psF&%OneU;+y|#5XLs1W3DQcbSr%mFL=!!-99{V6}+PoPe9n}pvj>%nmYLC0?ctI!(awHF!%yt}V6hHLU6 z)8^C`mXngK_L&iEcqoYJhdzH&s3ZJ1PE&Qd21sV!N ze$EFX{|l~hv(U>-yOS}#LKC>$X1R$8O*zU{cextyQ^V$j7SPtB=b3|EX_j!hZ`pZA z(d%;@EpH8utd|)|jW2q^VmvXU4x&7j81I#+s)9{b5b0txhWV`jZ7g!~_j%<8=KHnT zfZkSk`RN;iAaxK6F~pE;DC)Lp}+%lYp&UqbY<*c`AhY0U8Dt8 zT>#vj3U-l+L_aL|jvk`lXhI56untZ=?p8 z4yPAor5;)6Cuwlokwi@3%WzCSy*LaLOd<(4#Ft^}Op13)R2EiLd6^K=v~RfcBsFT& z&ly|Zcbj%(c9U)_GLvXoTnI!GZ!@7g9rvEKUo?$-tgJm64(&6F*q9ov$CZEgEcY_C zCQ0;oRF2-pf&=Wwvstzo*A6I>97)P+Nh|8CtkcI1V@dhLZ#c@7I*3FiP;}e4F^X5# zoPLI7ijEwGM;TA#MbBWU@h8qs=%tRQW(>;P`|j93t4*Gfrp&`yKf-+O#r-Sn^@8!8 z|3Zm6|D43Bw0IL*1L3u3x^{2?AUXBW0+&Sb?YM<+T{ZbO<>l&$1N`8hMj z>un^bwtZ}WKuA9doqJdBIx0?AfC~!pY|ts?5Y7+5Y_+RWDLH3R9Z8VjhsXU6S>KyN zRh_9BbVhJV%j>Nai>3p~rv<~uCc?F+6(g+qB@&W0dmL;0&>L%*!&GuiNH6l!k;55| z)-0&2FMJiB0ESpv^|nu6qpk|yO(aLIf_yNG(M-xMrza? z9FhX@xYO-@JNl7lAd70JvFw$)<9hBbPEUDmJ>C{QPvDHmN*lL$4sn#RbC`SzQI>6} zB?#jf6?{iZuf!&pc8XclsiZrth$3t*0q$6zpw<=+VYQc`}0)qhgQ5KsYz zkeo;N+%G0SEXrK+tt{`C$PZEVOKKaV7HW1bTU*U^4F7|Yl%!47`c_xJkxe9gI{83p zcQ9h8Q>4t4b7SbIhwAt2&H!@n&nO6t;UOs0s*Ws!r!3R^(D|UOXwY>D3 zQm|VaY_H#6Uqaa;48}R;OAlzl_5KRccpt9aM@~^aEWIVa=KgaxId;DxCB|7`f3%YQE8RW-DJ z7gg;1v-l*e==_P0zc!YEdC%`5U;Ua#{*bO&EE*xMx4;Va>R^%BVd2Rd!+|>~X!710 zKX>Os)Xw;8_2P3tO!E%II5{BTJgWoy5nZJ0-%`Rv8`sR7USG>IntwFJOO>Vn6ZMdV z?n<2A`Fys7QJJIPe~J)BWsQbb4~q(U=(pdT8+o-@Q?v%XE}N+I8sFHFgG_&jQ#K^0 zpww3>7GG&e`f-8QvEN;;h^(Q|K`r0?k)!$JCYvflNLqzXdz>e5S_0fp${L@`SBv{{dB*u1upLFo>t1^8g$Q_S9Ot9@vhfp5I5>})XX~a}%)D3MgrMA7J)PcZ*dco%-L;us&5{GD!{IW5rzyA}{_sCan z&w`G=INJlZgN@>4v!D$9l=PYyoLkJ)3Z2GXvdq_hlBeCH!MoGp8Ghl-Ppvltk=r>@ zEB(O#lNMJhc7r-%lOU*CaxKoUFj~_f&H+}l!us9lSgXQ;A(U2b6UC0p8--Jm7gboS zE2vZKXP|ALtY@nN)|qRe?;-5|=S~Q~`AdB`J?Rco$KW>5a^vew#%g_4`ne-Pz zOd_s^gI;(>4~y@M=cMqmIo6UkFVF2RyV*f-(ay@K;aEq1$yKxtzI%AGi{6;LKL10k zt%<_kPGs+MBAC0U!;7cdAuoI?_>%y1=$78b+dSo5{|jNfk%O zw78!iCh-itbx@%I$9ec_;&+Ym`8_&V2j`*6_zmw?AI$YCc}S}vbnA6bG8&sNA+Xe~ z>7X5^R7!Glj{AH9<+OiM;^rm2*4WG}?^bV);K7%TculONq2kDwoaT`jZk?bC@5-M| zZKo$#FX!vma=XqV`k2zV1_z!Wd`DG&&{eMgiKm88i@ydf;RD1`SOL7cNwr=FJx4%8 zAblAsn6@TD#X}`am?jUkb7}ulQLzK|X^3tQSx0CT53y*A2>77kaR3xjg())A7Tk-< z7}2IQk#FbP;#fZhnMu588#1^zG^tVI#aO=9pQV!?Uo`n6IcCJRalnrk^_BD`=L+=G$)I(t(iuIwij>3Z7h*Bkil0X#jwt4MY^LV}2x zjdnewu>FG%^tNT|12t)M<;6{^iMhU`vS~V$rCR*@c^{Um;x-frzn$>M(u~P3zV3^p z)4rI{P+{B`GcZL3p1rx}^96x}R=9%{MYEBdRm_01~wCNFf ziB>&pA(z0VOaH#5wt?E;;^`=tyfJ~<62kH$d!KEA@S70pC(s9Q<+u@%-T;daPig7= z4c^@hDsDK<)_BObp|QAUhFd5R%)^tQE4uKL77v8K7)LswwKN35yE_%I+BnxxZ9?A! zQK?USip)#AeHn>aEEW{OUhiM~i4L08JDHrD8&5Z@Ku|&}D?E_a$f=n_6Gtb%%As*4 z56loJV(`d#d&f^RD!sE?q$`q^J6zjCkA%8p<_}vPv|`s#~T^_P!003ZdXTC~=+h{RfYBWY7OZ8N>PK zgti0P;!x9Ha8O>T=59UvcuedHmGF5pMW zGeiwaeHkjYvhSJj`FW>sd^z94-pUYp(n31brhOEV@*774^IF}e7etok?T9*pvF|IK zXLszQplNjCHOFcPGar!SL{UL9dAkHHtB)TgF`o3CQBRWqGs#36k>KyG2pI z2ZcrRRJ!x(Mr)d~)^SO)k>!n@^QDi;%W}>IUT!X06dkx*Gh+ydyjaX?S-aIPK}@jb z%Zizoa3aI;I-P0VAlXbMrypWnVmn3$k9FQ9uj941d~(kN5@#)%#-wW`xxtPjgGRYg ztN61sYym&}1PP;=Jbz$P4r!=I-A}pf@9)@{_KY#HUKP zfT&`qR5yw1!u8Un1lM?4oJzx+_K5}bJWps>j0HLTqD!TfFk8FG;gFA9ztlP=?*tX& z1bg}6*H6ojKwES*vG^`ZW?K}nhb7qnCn<)P3j$kDh4Ph(G)1w=c$iJ1@{!DOq16Wg zJ~_Wd3`!`7?4}!NAG@evCpuC!F0N?fKox^4FJSvxqC&m{XklPKi~hU;-+(BxQ{?oB4fmUNjACc`)j(>PoyKmJW3YPnL`(XsbhXlww+q2A=yh$%p$f4-Wh!} zi_{&#J)>`!=g-EHJH> z@1sgVsMY93-4Q zIDrV%`)-9w1gyZWZKu_Fx@IY*AY<>?zd)z(_7P+InBjXFb^P4_$@B4XQONIJ0N@e< zY9Wq`oYGdMvnU>C2$djeD#`KJY+v0s1D~WeO&u^J2g*&?@7UMU>bYcP%ZlY!wHzO& zoG*TeKPEJIc$L6eU(Gk5RIa|{9E z#KT!T9mkyuPD_aprW^{w?udvZtq0z`{dSe?s_&(h>Xt~rd(ad|mS90ZZR9aGxm>vyCuOy?J1Y4A7M8kMc{XX}mC9r#{{GMVFZS-9-qRV(9 z)wx;R)QA4dhxCqiafw~QFLB}?mTc3W98H5g<%BD$#2RXR2k=p_^Sbl#d(4Pide1N4 zM^47EcorC#FC~XgppKGGGP<8_3Aoef6&hKtgFK#Ffpa9N%e%9|iC_=J&&RC9n@&H; zZG=mIM*n6QKq_E^Akolhjth3XWkTI3DGl6?;L+STqgN`r;MDfROF5!hD zrTr7gqvjFxUs)xU`p@HMjJiSGd2m!r;7R~3TqG@N8!i$wt09yhG%22sWtJ0H)_Zk1 zq2x1lMGd+SQL*1VaBmQ>4d71QA8(8^`G|{IK_`y$3tfi&oP3?I z&9kWQso`dk^TZ&K%yRq@=QwnQSU?Pht_|qKw;7*I@uH>K<2EqAG$|>{eLvxb{|Qas z*gy0qrJlw=K0o6HwswD88JBES6p|Un?=_#?yWSa07f>4CQ^J|HgLJ zKcf`}*lJ5Q)yr%?gK>c+EODkhIV*&sjSjgD7B00Pq&Q`1_Z5)Iha%>)D8Riuqo0H; zr=uK38&flot7cz@B+sj!6v7_=c5xskM_z$nqkQf9>31E}W6EN-!FN<|8z7vyKYrWr zDZ=Ze=BZlJxgWtFVn}o+ev-;Qk0u0FaW@!`7jN4`Mwav4&eLX>lFohBg5QE{k>Oe&@e|eSadSKO8yWFu|iGE?|^bHbCs82 zd1wky@LjiV0YXDcS5lYRj3~*Xob#2)r_owI@2>PeHFX90o~HSSw0QMJG&ZXGe%^ZpPR`ju zy7QA4%z={I`@H;`%MV2%PMZ_Ce(zv$gZz&~@l0^M_-yfPzPnhgn+`u*dBQ*zYgBsEI ze6F-h-HS#jkNNPTT9pueAl6mpmF=h5Pj~8vv;cv+J{JlI7?O5661-1{kfqJbTT^uI zbi4BJ2BIQ$a?$8hwA;+g5i>^}kOsA259w{$T|3b%pkUsr!g58WvY8~dWE06Px^MQIgRg48nHJzBeXY@tgBz9ason3lnP(rx`EPn5kyFq~{s~aSQR)J@{IHvuy# zpexIAndlHEXMPu6sV<@OHudaV{cX_kkP*G6zN%__lt|LeuzPgOU0hc(o)i;k)^j2* z{}5n)_Iz-M^bUw6fGzz~xG)TXCbW*YbExtvgXJoSOuX`hQ$x zTbGk9=rMxzde8?x<56}qWqEyD<^v#yy+^>PJ+3p8UXjXCp|Ad&r48oPh+E7__WF`C zP?l;YRkBRzauuHDjrtNYR2rH3JLL#=TQPwFf?{X~IN`@sWru5L7R(;5TXkG(H$m)l z@gE{IML6G>H)%2&88Ug>0_B>2AG2$+i{u_6W9aE)E|rY^?HN$;H-@ARmZZ+@c&DU% zn~p<4^(>yt*)us6ig4V76$x>BX_gBZw`80y{(Ni_PidJh#9p5H;@an+d%JZnQfH#- zS6J0wbSEb3{&&GV2t;PXF0nohlUpPY5Ce`~*nQ7L6ItXgHWmlzaefAJ_~ zxVo3P#M_{t{lnfzh2K?#&z}~@8NH_zYJly)pWPXj6e5{vm{gpy|5sX1BOvtriE5(h zC3p#z`Btg0GdLjwP_q6azm~U7ugGFPDMD}R*ko5~0sD2S-mgb$(9CfwTQG@2n_ZyL zrV5_3mYKG=dXN%rQ(RR^3QDNiPhO;wUp@@H=V2^^lT^y)2A*ox|DC4*1!i`d;vZtq zIu)$$Qtg|kP4^={D}`+K8FdId6$UGSa_X=@zQ6Bdbccj6xYgBhZULgOxKw#X{f;aj z9}SD!?yY<&@{wd`8Py{cm2zZl@_Yv~Pn$6K6rdm7bNBM71YjJJCL1qDrcIXq^m@T} z$^LrF#5auKgjn={eYeK6o&QR_#>I+}4||WKXV3f&=yNoUm{3J*gofK{kjT$l5QYjT z6e}VwedX8HkH4Orw^r#cnQ7q#I+;;Rg#>|p5%H`)MU)hvo_K)W2hY%m@>QIBIN>%h z3f!deyiz=teD(Xh-DSEv$aNEC-Y9w|?}dH?&6(6nUBLP}di$gqL=(A15Li7JW&K#F zj-HNhBF`oGR{!!P1Ru$ez$jT*icO*8B9Fa4E&}RV9kS6pRgJd&x~yxc*F@>4ue0sS z>U@dYq;A<4JM{V@H>-?}J$PH#^;A2>?~V5cW^$I;ajD-0u^2Z2o1!eI`h4=@bci>A zOjeE0rvUS^|G%Yz(8ZC0R)~2|#@6r^^y0MJivOyaq0^&NZ2e$C=q(%&)7EsQ$;e=1 z;&e)FY?3~uXT6?pRyV;fJOAgAx&?uBn7CQ^o+r$Nnm$BW_Gq5FXI_``deQWU?zWtoVDE zkB?>{++fFh+I{DA3it_Z|E$y3!?&Zea8pN?3ZLR8NU_`7ly2ZLb54GzV-e~ma{&k9 z03TP$+j?_I<<7rS0jYn+FRAxBh&XDBT86X7MLt}GcX@q)j#cP-=6e(oUi+-HR9$zz zTX2n5d9|hCFfAqzPe{l&rOWS1upjKpw@1KhS?Rlhmv*H+hp zHTS>v1!gKwE2hloI+m!*a%kiMObs3LKG}ugZ!g7EQQ(zyH|D7mN%iDmq;pBCPXP`{ zzo+ey*2(HetY}JCKzNh%W9-&82VEiS?JN4?D+gq=r)3k`-7>@Sq9XkO<&e28O#`Zu z2M+&{*p8kIU;9Z%9}Aho*CU!6S$5?`U)cbY)4>oSKJF(i@k4$g=&~%2djVyou?0I& z-@)+Ef=G%2m}P-Wlaf82=Vl;ZhAM0@GzdT*YM!_cT)o07ZKpkN44SD>(YPMrjtDSFh2exZ9(yZ+yc19`H;1UIox zvJTympO!=?(WZkbSoqE0Z>wLAZv|{mx=)D^_Z1DU74yjG=-G~uRy838^Ck$xn*wABWx-RO2SI5 za22nEzM(5GR_aXF)ix61Pve&Aoea~da84$S9qAsiJ-O2Kdz;e@win0bMTq`H%kZ+5 zJ5%Pf)vFdLhnf7t6BCYd)DJPuNtkdTP*){dpZHGgyRa^l(8YKbg|Uc8u!{2wIECW8 zycWE8*h5W@naDCnq^3=0O{M2W1s)*SNUFN+L!AE@3{ei&23Kn{RDT?vL&FPgperpc zSi0G{V-4eB_$Zpi%F$NmU6QV+&C(t%+-Xt}@oFpG7mJAxY>#6Usdzb~CP-7Pt=66N zdi7fHi+c3e_br%ZN^wb^hSyEs6i|hvq;MbOH*%e4S4oxCrvj+fY_HJfX#9NYVIa^} z6z-IrzSGnsSwQ6YbKZ(_dj9@LW$%45Pl4Iuwk|L1W(e0Qbz8t%P~qsTf32>diC&d3 zNWDxoBYOZHxSi4>Nv7^_=hWrhGOEo+*3{nx_HN@$%fx--KZU94@a*TsqFx%%!T(ob zJ6q}pr_cR<_`%9yc6y)E(Wqs1oF;0$}czPYnWWI-+n9M zI?l`CT>670^A9u|fvI!Qu&_#x;NMn>D(sS>cN$$_f+P0xN-J%4F(Oi4i3_5?gve21 zv%h8-W0|p0sm4&ks;$;ZXf{ZlD!&ok;-k!UN2w?iMmm$Jt9az4i?ZhOXuW&{(2hFpumN%>jmfIs*lQ%!R7FPV7`fDa&>{N3g5~QveCVTJX zO(p&4J?ml7g&S*_`g$kXaXG$|BYLA14fvweB?hx9)Gsni9zQyvy(an6r&ScmpbTkR zAp=lpuydbL%7`;|mKeLVn;+Fz{T;f3T9sG4*v-qdDrBOtj6 zIujC(8@Sltjz2m7ps=lYBazoVTg}O17!K|lma?sy#3Zv`d8ylzx>836=g-D0 zUT)BYG^cI5H8q`T;p0BU?Zg2E`fU$X1#T;y9@IYB+C@J|DyM`VvfbO|(UA zPkExmP}Cy4*lV>3(JVo@KG@zK>ynRx_N{xT_^~)3|7!Ht;&YUr^#SVm?OX&NzwMTf zr0$#avGUmbz@sJOsR^Cr_Jo4at8dj;>Sc8_Y%yN5W`*^R@C$V(acNfI54bgTLG?cu zM$sCMHqLGS52WtmOou3|l$b7BdZU04bn+18yV!74uyfOdBc=v}&b6cAVx{}!bvLfk z@YLxl|0b`@lM2p=%#6eHlKF-vx5w~>5C>dut6~%C)Ww_XF9D`-EU!O%{5+)5B)!U` z^9K1@3Z%Tw$$#iXYP6h>{YPFxwGd(y!Vxv-9>k>DD*GoP5H_M|Eox#aR=c z8qA!J>YSgU+;P&lA9Nc2T#{R{(c%UUl`0^=Ec5lGLS2v5`fk4_dnQ#J9KjQd%`72(ly9#@U-@mHNTj5tuHgDT+2rzpk*7YsM2;Ss@Pdcs{j>AAM{_d?*?1fbml{|lKQn$x zDek>&uPD|@8O_tyl-QjuxkorVy#F|wj@JEPsJi`$pMz3b{W`2E-Ts=Ct0E&G+(jh! zJooJhP;_())GXrs>fy^>@sSd|rX_ow5`1s93$J01yB@m)S9#U|y@{ch9Lf{e);SLN z!E0`m{LLB!3N`N;37Y&d_783g4x*bsE%J4n&+hjRhLkXMi=Uv6(rg%pXJqatD%kJ~ zu1_vecUyA6AfCuH9OUxk@wNMU7CdqmyLFEiDZj-*T%pDw@Ec)rO(Ci)h7erj9lKRh~W&ZN-PD}@Pm70nqzbguDj9QN% z*mX5%A_~fIk8GM%)Usj5(((6jyKjK_I_0}MSS%uVYbs{~QSbD#nCpWK)hotWawC-- zuqUT_n_)Y?&T9WpUu;VaaycOMX|Uy%E(%?X)(lGbgP@ntpr1~(kq57!M`ECaxR=ZY zy@PcUuzDHErt$zNeQx8GHIt=+btUs#uUD?u4_^T0EO}1g1)MSUjeVtOV^Bqu-(T

      GHxj_O9kbm@QXe!j~1O8ARA-`j`|16 z24_*)Ls#Y$J5_^vBl_e=sVWgtd>bn(o5Un?XLzQgPrpJrDcnzZu#a~IM3(t}vv{_z zm?35mxR(UO*U(@Szzi{1zJ3{o*fqORV>aEWcOEB^8%jOeV2s(8lJ>ISqih6^ge}Fc`#bHcn0}vx~NMwGcHhB6xm0P$``7Ba=F= zS}ASoEbjCgA@k57_o%O~m8BN5_c(?7j_QVXp zi0u{@s;Js3*?gETbWB<#JVfl9UDD+rm>0sFCC~#JY zEE|{&8wFp#1R$Wg`pqR#Nnh>C>_E3R3wE%ZQDz+G-aWtzpRd5$n`Fi#vE--RuG@uX#w)Y>Rf4Lk1%Z8 z-I5l`S}1u2>~SAQ&z=qYj)GY&Q(gOB&lVU?Vl!X!1x5+vpst%a#BQ`ZuYW%p<>3^Q;T2&{whr{OqjD zJ?A*46Oj5mdG?H_MC1*YlzC#jdRJC+hm@e68Z*ri)Ew6whsQHbeyY}Cxi|~sTjrXF zjqG2&Ib6=|QD6N0o$sCC6Jm0a&pK;9e8>xVXpv{aVN@p2(U`7$>4U>Ikl+4t#88Uc zYN_~5i|WM;piFtpdY|wt@^T9u?*#vumPP+KXChF?3V7scWQP?fA9+S`1}7<5t|cK+ zk#;PzgY2s(Mfs!;_HNAH#AEPZ0JhK9Q^exvK0$oyT$7Cg1uQnJ3HE;zPm+u|9VKI4!WZLok#T^r0(fhBRRDSLS2>w))d%S0W z+IriB!yLad7%=X5hdkzYhR|qKzIYYv2;lxDgcDc!o=rDbD208HE_&GVP)0$b5KZyn zFIz~7S6G@;+;3WLBKw^~-qDX#Ue%wMe4_b7o~2(!$Yb)@N`bw}j}^uJ;9Yg@OjSSY z3sBI2v2nuZbCb7MrkYI~Js#%1I`QG)PV{goMFH;;C=fxk1p1X^*zG}3Y&&8?IwIJ@ z7FhL$J8UT_Wh9r>#B*qCfrTY+c$rJ%fx^s*Hj4ZP2x2q4hOS&qV}fvfV6T$8J!7xZ zK}}Ff^|HkajKO9;@)*VyLJFR-P`G&7CpGdE(7FCE7guJF}+BPyA9jV}o?@MpC^P%E>W8^}WY=usrm(T<73aTSt&_7d(6V^Tb6oY+j;a-d1Os$lT@JK!} ze|j-b1)aO;Zo}t^q$bJ0k_DuK)n_Hdud zFf!3t$8_QCw@InDkr9F&q5a|qx4#xUAp&fn?pKu$)&KIvExYOE*eB1UOqAy`GwRmA z)7dApgRqi+TJ^t2mIQHM7uucDDk>%If!LvQM}Q%$l?YKMZwXx}Od`4Td|p9y5W$ww zyP4=u_6tH=kFnl6%qvQpa5SDE^t4b|4!^M#zXT3>abB}R{hZpgEmNaEVzX=rk#n-< zXIiF`PJFohukFW%@3UwbLK?qPf}YJ(^t*qUA=H*Nq33LEb%Toy<+QTK9;0>?!LzM^to>-14&=jLr?#S6a`jCzdWw{ z_9`8#ZPnSZs$q3x8t*mPu1>ts_n2qgL{=!^UF14BACJUjuMmOJ<(JY$(+5vTfF+aA zU+(J5^NC2i@T00){7X+Rn))eBvUD{lZhci6gedb?m=*)7E=M zG}cEzmzPjl@P6$a#$hqRos|^)#GBKmt#1Y^z_c%xp0C{1HpxQGi?&y4 zrkypen(SXE%nbeO|GNp}hTKtK0=>TDR$D&~Dk05lcFXblg*^feid7Y8ZN4q;@SBPv zJ&su)?asqxWe_mq5Ae$4uRY_K)7&Pl;Tu*o4%~Ccd)e-v5|JA_7(RmDl%Km!b@25* z1zGR673J=6Qq}TXl92#)PZ1 zq8{)|vVPTfM1M9;r+HVtwlO4&od8-}4rBj89tKi7>aLDDEzhM_y<{UEuu|!YxNgpC zaXFM!a-P27bi)nHf!ju)BDDCmxAJ9VbbJ2>W(ap0L~NMbKiAh)$ivMhO1=yAUg@jP z4Z_@v5ACc!$eT1;DZ-h{`OxrK$K;Mar3(&i^JM&+{F!?&Cvir9_K@j68?`d^?b%#U z_W@^lWnP!3(G54XSH0dI(_ujeBzI5PjV)Rz6!=bAwVQNKcuImjTX3QC*JCFr`RefH zMXZo%2ZxrQQYujgJawS1cF}8QIrMEFczO#wml`Z;tv-e={AYsjco$CAO)ny@^V4b)H#@f4gN@fQT5&DNy1v((}Dc&0Nm7wKqiI z05g=B^M_8X;`=LV&P5JT%~o~s;E41i`yO-g>uh(}d$ya)Ry2?0<2AIE*0zUbJ9wmR zPggeQ{L5Q3uzPqPL7XktpUFm;a86+97W3niOvf~sv~87&`L2${>gwHlY4(C7h6UTt51Uw`EiVd0r*`?4mX@WJj>nezD4)0!`#j6Vk91kLYq4XRN|M(iS}(m@ zrBI0pt34|B(eagTlxdYWLoE|p#5lEys*BX)c>9_P5_YJG5VPSa^(A-0QrAG}>LP8` zy|2u>DqtK+GzQO(8w$}gko_~`+`zps|9@<7cY%c0qKdgW@L ze`j3O4JI-TJ+Kq*DM-t2b>Nzh8PvQDJU*SdjlPT%z9>_r`##nGtN(p$Lb+Vabk*`m zn+Gj(&M>tM+a7F{Fc9R8*OZQ5>W?E0Wv?_3ga|Ii6Ik@tLxkNqQ}nMpSE5IKKGfrHxnzyZpgmeoku!Pyl*A`Vu5;~=(+ugspQGCliV!9g(u z=FqKxJhF-S&~wuC`+RZRvkrMa3M-!jSI^I?d=H=LM_2gg)-d6=1OEJ+UV3VKIDJGz z6qTLXRg}U90+iu6k^Ut@-OTLA+rcq+`mers8SpzmR#xa|YLjG|I>t?|;`;`IXyUdtaaQ};iU(** zfiG8mRkn%yjn;8p1xOWLCWadftk^eR4}OTK1W)5 z$7_~>HuY1`FJ%lW`KLX}WkiRiZv(;9DjJ7)ku0QteNCN4zRLJhJBPUams7!BRayz? zt;tBYe0hZELCPen#1y+^b5j$lcHk9d%u4yU`44%oXq3-B77XJkr)}WU2SZc&ZD_M2 z3Z`LtRSRuENmckAlvZlbguO|-kF8u07O3baoFd@+rfVqEl?sa)!~4Jx1xYCW1+yx1T7v zV&b9(mxJ2U3Q2`i+;_N+sO7sLE?yuF>F@ikv#*_%i~cp~rc16%1E$M0V4@2^mVV3X z<;%50cgR-p3P#?v=T-+outJrq6@p>UDyi9Z983SL-uf?s2{&HS>xL|#IvNeE(pGPj zlS-z8(Ec-JLxay&XU>F`&@{x!esyuh6b>imRgtDfL#Xz#;q{49@GJHqjPz5}1=pn|(hBMI_3vAz4oqK}shw61 zt#iOny96ts@g4n@-VWa#%eakZ2A1Ad?SRcY+K3;@v0pQ!g0H5_9pdl5U06M+ysA(o zIb$BLjDQUcIAe!POTE#1$twN_;(g6Ti^vxR9Q~)gS3GR}7j$M$4^+rdDw$9_HkL5m zL=G#v*``;y62P-ki`P)BET3Pf|mDR_&sam1TY~GokKm`Zc!EPgS%jvsk||t09-F zs>OZx`w?xbz_VCm&;=oess!-*()#dtyDTgJma%uoat=a&kdZwOzh0B{|L(1*2ke2>qjO%|e)IG5 zrALAzOE_-!wzOzZPEFPH_nYkI=XW!1IxiUN%ma(KNeOwOF~m;gEz)dyO}#>QS-q_wrRb@lg?6Ze*WQBKsX9+Yr*cR#X3 z7#uX4oSsHsX}QI-C2;1GX!b+jtWaX?Mf*ORL_CjKKEOi24$MAxUH$Lh2CE}QUtAzF z_Y7A?n=IF0)S1cm@87w@yn}bYWTPjGG~-a!$j@#h?KG0eDoBZ|`hKTCFN8^Bx;u z5sG=yNJ9zmm&bIml(W_;YKG8gG;VSsfnaQ2m<^Bl+F}`)o~*KR=<@P1n~JV(&Dhvj zz(CQG*Fp&pmlA0-L(KzNUxJ%a|Dq{e4QqemKFp)WYrrO zs;Q|xQ?*Wrk2m4F=HTFjd5x zO1D6x(L+!Xd2&6<3sENhQzQjukc1I$?+~i*jG;l1y+6MGv$rYbFqGrLxaAli$i3pD zENLBzC3JUNC-3hefm#%g7IKQ%g_LgI;;Jf@#nndb_HAu$GvukMv)P?7i>bWD(p3Ky zbm|+@=;+O~Iukt|7b9hNPqQ?@i^p1B3xFTJ)8Cm$Hzr z%;Ut^&Ri3;NnrJ0^71vRmqdNVv5z!d!SqheP9>_9uckpQmA&iWPN+b5FY+X^O!_MA z(B3p4X`5B0y=m3e)eo>0uwZAxmma1kxqEoX&P?~ucEyBR^!Z)X(y~gUrR}m*;-D1W zr=gja^;UFd%9+=R5~mA?M@auaO!MAPysTBa2BIC)8vW}+Q45=$7VurcXn*`JEMTQc&4 zn^2k!U~Zf1maJZ{-0DHc5p9B7;E*I~dU*Io%8_^0hsTw9I+>Iocqx7Jv`eyX>Ac=! zSM~jqDEEpY-dtcy;BhxvN1b=X*=x_N+wpZ2n~z%8t*op@>}M(}Djt|JZ`rbCq~F-v z@7=q-R2NrQ$+?n>DbKhYroFwr&sNBT)qy%w=_LtHBv-Ds{;&fF4#>o3TlfuNG+nS0 z^p~e$97^oZxJ{*Lw-evpa|*M&m!#Kz)b3JyfF*bXbg%GS7+dWY4i53yfj|zyP(nvj z)5R;gQa0T(hM#?NDk}H^o03#id=|c)($6m|;}fr1`rcL7=)$KNT+UTJ_^s94zQ>(H zC3!Xw*Wnf`0$;?&$M<`g!ZuW7DriNCw_fT0_)#6;m*&phbe56JVw$We z3jiVZ_nT7cAG+R;+Xi>Hou zhCLsS=a;$Vxt;Rbsnyp+>c~>oUP`^^i6jNJF-=nF&J^bP8EP~~YADYog(Fews z$UQSNGw%sci1OYCJbm)3UA5!L_0EC?FG6fu6c2>kdYcfRWM9_R1$e9FiWd+RG#$5( zqaK{>y;W&>CYGNlsl#$BUrfc(!^6X3!@~T$yC^=~sdKD64jhy|=cQv>=9FD0Lr5To zdiHD^3MZ%co3_28*|$1J~_&kb80*^szyI=$m^dfh^rtqiry``*hxJZ(^JgV zh_Q~S{O6Jlu`;H;SSlj5Botc`m`c#&E5c%v($e@2pg`H+eSd#{VU7 zE!jN-n)t#IZZEF6fV7FqgP#j3DwO8+BbR{|wGgt9mxR`CI4dIuyPCJOw{PEOp1M7v z-)FJ;QFKaXHgD-9nS61lmvr@$4IBauQc(u?Xo-jIjDxj&hIVjQ%I4(fAD`i|wC~s~ zVzp^Dn)>Y(KHYl05MbD#vd6-=!BeIK^Hi$2zrV`8>cI%1F0G3fuRAzQe>&mWcO}p| zUZ@eqhaLQsj2E^Pc@uPKohCatqMbx4>hy%=q{EQYriSgD;4uQPNRHV$mMv}W-!or^ zhleK{3KdS!5-$XoasjXRtW*M6&Cr)Gs6*9c-3dw46cYYennGDNYncOUDL%%c;=6PR z-($aaij9D2C{L;!3(92hhiCmfP}@(4+K%cUM}Shl`eK!CblBTn!?-Ugp z5P{e1%1Jj7^mK5@4tH}7tTqEy3kM&wUKKzEbMy0E#;khgo|Z{A-W*LA$PZ;2ax-rL z^R4wOF>7zCmK3VD^30t0BvKy#ZhtGXkiu`{UZ8oLwNNh9JyN?pT{gwXpaIyt@xX?3 za;Z%&04JceP5=_6C9)Kb3o3eS1?c1~N?p}0%;^VwCDw48mVb_@7@ZljtH{zimgf^` z!Q1h%)bGLOp8ZI05-O$8W3RyK7OmYLBcD=Uq*2%V)i-A|P^mfjj{t{ezP!C7ivRJ_ z1~@~bk|Tt(x6I$q9^<8!#|{S{0?>G2H8%dnjUO*nBd`|F`(;q!yn6I4r2K~O?+;sd z*b$x{{aT+jK|{3x)2*ACaRS&XeW~J>&#dA@wql@!#Bbjufa?NEdO?M#dM&@FV=nq4 z7-@uR1atib#EJ9YaxZAC7iJ;=1rAWb%Qv}4N_mv!W!S8`dkVT*7-ZD|GwYHni!om! znaS=pk#AZHX_BW~8~ zfKM$7r<5ju9xn7&9NKI!9QEB|3lu4JW^!D4wDp*A@YK}Q1)a@YPJ&@&0`;x}mMxnl ztqiQnJ+t)eeCEWW->wwrpmp)p#gD%hjyU1Hy*}(MeW$l9#|o!7aD2?qEAtX)>S(s% zz?^)rfR3{Ih8aiM*h5>(GA*M%Pu_GedPY6j898R?y6r}0bx#{{znsSLlPDAFY8oH+ z%`mp$XP)w>r%E4xZ4}oloGFhPakG%!9ja7UKWoSm3vyII;)L4%vEi7{#dF5ltfxn$ zQp%;txiW5BIRdMjIv(2JQxCr8@44NWuz}bh#F=2pSMPqb{LP8!V{u}MT*^`rEi;7Az{mJQzb=m7$vrFjWKUC5)B8Q= z_-z~0!?S~FiPF~GWH-`?bg%wwA&97V1U_oCdq{hC!mh(y09!QeR_7HXey4%hbMe-- z*Tq;Yda5WaG_+Qrw>(nwW*b1JQRT8RpHQ~qY_|CrGbdmB1Hd#mL5$WiF=xneBZg`D ztl^RnI#%ugSv{mL++en7v{a-=dhKHe}GQbZo$(Eaa?lusS%ButL4#b;4ZKgn3*_yg`B}rML)A zX5ts5zAUYzr$vv(ipMM(Ui5C*)>gH?$=P10(#@~TksxLK`So{7ijozWs7!xw{kKY{ zpQckEZR62&{Kl<&R>azH{CMe1V|nhdBVS%6VD5ir%EXVrr|j z@$_ufGw;Cxx}1lS$wBKd?9J(EY2&3EA?edFA2!lgC2=CW+?JjGox?61kiH`06rrtc z0o}x5&q_=hgxL?iD^R5` z19@A2&lP{Jmh}l}=!EyLS_#*SgF#p4li)j(f4ejC@~+H^ii64%5XK#;5kM%r04LHD4Z+Q>@Ii_{Z+4D;`&v>;+3v++$mg;OGWizBN z@RPbIu@sxlS}at#^S0?(z#1{`HDTtQYYd%?c{i1k-a(o-08i_|zrj~V`P0^eUz+m7 z($b&5e#L|IjeBZV$kXYne)v`COF1$17 zWt7*H9fT@mL{7N#uj|6qVlxwrbt5o*kn|(QNRqFj9XQtCxi8D7W&czbvdt{lfS1oGa1>VE!Bn-_%n%6J7m>dj~3N1L4R`r7;4ZQlqY5`!Na4q1?pqGSQry<;ZO}wIk;Cvyc_7@I1=eVIhU6GOsUe4gbbqq z$@Nk$zOSbj!YSIiF%V+n0C;x~kg*1i9cn;y5uCh|(p_PvCBGuo6LFV?Z12X z=7|L(G+YiKbNbRT-ZH%H=q@mzoQ;e#t5B8}1|}PeDT>@+_ZAy4Z&((X=kTCi8Rxs; zt^hu~MLE9kR!IJAtqI{q7_cjG6v*jBCqqseuXr7ey!oKfcUL=+Cq{GnKtsPO6;?*~ zaR?SbxQK@bHb9ZcS_Xu;~7v(5Q_6{<0g0i*YDH&bu`YwrPw;07O(IS(3FlUo1E+4OZeFaPkG*dqz~L zcbSR50-ka(=p``?f_lstWLf_(SDflkviJWcTgot3edo2=hFCCWyAODg-|SP4=gLp*F3d1Wz?%w)_`<*(=o9j6g^8<6rhF!GgpP zCpKI@f0SqQURZQ=RDyOebiW{DU>e4YsK*GvB<^dR8Sa3;=>Mtywzr?QzP_VSe+=Ld z?jZvd#4hD~_j))(m|h0I#Lk^RwEoV?GiPr6grMSm2yxuH&q;{#H-t;k3pvopYq1M( zZ|fNTHfjeEJX*=cKqkivbcfbl!45UAWAt$t2FIJvkU^qUNuB+`M+ChbE&3NIc+O7~ zN>351XJbOglYpXQA{o9m>h{bqMBiEfGgu>0tR8qh?ozDI`M8dMpqvK`6P1B+9;PxH zjZpcri@}P~j-RX$O9EQ7g#iO%^mDyIm+XyXJ9zw&fsBSR|AUGC%xbp|?9wt34LSud z61P1Mf!&;$%jc6Y3iWxf)6N4-%z1?j30DhT+Qb}|q8Rq_pnMi9gqh$$(s|ogz)SW4 z4t!Va1YF8t921DE9i!5;BQ4Ivx;dmil?TV5Vm=~@hzZdSJCMEe>a3IwlxfE7fluT#pHWA3?^Ux zlgTF;y_|pj7n6$^o?oouPqHr<4K7doP1c^l}`i@w*|6=+CB)E(g6uZQW)C2UM^@eqo${(OlwJl?|kZdB9+4(^CsMLvMw>89?y3 zke|VAmj=Sr=O9MGJYZCwb=Jm|5Zbm&obn~VrVx~YtNS;}6zi$}*UY(`+5_%!1 zkD>nhuSYzbZGg*iqbG)WX%?-vn+R`iTV?BhmWrr*Ltk5_seR3=HcFf_p4bM`F8%SAW_pZjm8popgrH z(l;@|N+iOt*+k7>gTD8h%{I#;aV9Q=;Z~b>A^_uzGCM;Ty_?n#BKkNs09+3fV*Iyt7+2a|j3djE>TZlvp7^&9(g)D>59Vgai+wp`k z+nPUTTZk-oV|Ic};E&mgMLN;9tLEGW<8%aI`hju{fGotv2>(P==-Jp$@q#yH+zdy= zd-cp3S?N#)Sr*`*VJ5Ew;3OT1z*~%TRxQ(fVWS@B9bbfCS?RAlHL`(SbS< z7k)x*ak&!KkEkcebPPLoYuSSo1}vE~{1$FMh;if@D1>{8xbPEf3=_cFBEXh|Lh`|F zkAG?kWQk-E7?!kOb}ONPARBJoQwz^MAUV7SJQn1Vh=9RJ1BeMA{oROaH>ev#g0SO= zE8QDyf}jpYtUPi8mP`SotbzT!xi}M`85I087S2igGvdbGW-Q+G!T~)*KxU5P{2%-* zDjdNY)Tv)l8kA^(WC@r}451>H1IZ&19meMKpGg%IQ;(={@u@!?9wrn)>qJlm05QaG zo)*ka7TH3HaajvWaoZVrm5Y&;yc&=T)-&XLFSM#Cy1uY+vz#w!ZhHQ{p_lXa+?tz(9jYps<{0_ka)vBlQaWToPp^gT(^;Mj5&l^TQzz)DZ_Pc;vbX zp|2E-4`cn*g15rNfzuK8w3s=tc8)1|t_B+I1C1^-%peIiKincH)8YF1ieijF2?LUN zu*g>A#_(2<^nJM3acM$d{}YgC#Q?TY6cg%O)j_*)crw=-dl*ywSWLEqIcX~ZbCMti znuLNT>5{8_r;CB=$7ljhy2#ie^ZFw48z{gXUDs%9oXXq?FiQkRhLd3Y+pJ7OH34h` zR?#aqIa|ZsT_%RW9+zlPwgFH>=!LN>5x8kg!1Gstsaqk)(S+Zg9^^u`@VwsjeMZLj zy500iCbK>4|8cqiA95~ry196>fd%`$O|{|lItMM!HlDQOus;yHEnJop`>f00=Hi81 zm?a>Ogk=C_!6FLa>uj8w0uKU6$H3Txx{5A40ywRQcImX47z3lkG`jmu0dEMZHTE!_ zt3d$13x<4hfbY!$BTYO$_cWDairEP?18M`=@Cngzd-5|AuQwBy0pqsNfuJE6p!H2n zgGlA~>p&i$1BW|z*a*ET3P4pD*(qudoOeUPC?wx=LDR{?(G%3r$Nx63Q?~QMMba_`mFQ^2>lVHb$Nk%*}>eb(#5wjneGcW;0g$TOv5eWnM zj{KfqL%3Fir0wg!@@pu|iq3G{dQejO4a#um5hmG2{S9SM3NoCot!v1Qi7=-p*cf&& z^tJr@S5cxv|L>XRBMCN26NC+GMGTN#AS~{<^mh>hq9EarzR+)E3$G(&r5^uDb_xOR ztJnS}8;q0_aIAjl(DY&mZ*G{pbUo zt@ke7DxH?p)ZVCl=313r%|+)Q>)8y-9OX?ex>vhcCDCwEW|o%qq+@ zLinO8c}*kdXpvmeQ63^KR}QP>?LIOkNNUKls&MIzdyejZj#tb3$I8+wzM>&sjuJOb zX#@BQbs@X(CGLDz9FPZ@ODt@Aju$H?;Y}TotZAf$5fl1}FpO3hJ4t$l!17Eysl`@0 z6V%tBQ6x-|U{_TQ(?qy;qD{7okuAF zL&o(Z!b>@br`(i|0X0bo@?j+_z%3l zI+FCmlL;N2LLaJcGrb%cwRHmIS5PfdypXU2rP=&$#q0_YZ@)PXerRB$+Y*k)tutKh zCOmA7+w?#UrQx1+06h-^A>2ZHJ%~pE=#7_7P1)n(Qr^JPAnFt{{CP7g?_Mt;cFae_ z*d|ZXxg&(9+?VYIg^-NT&p~4@q(+Q7Lzo*j&b)d7_Is%FvGk&l#BH(qqIG0p^_K@( zVK;>1L=@;=Ggwx{4_s`MG|asEQ3niHOkjfk-m>){@@z%>Eygrlk7b6Lk@QJzcBE%YxGe_Y>D4~3riw%v?6L zx1Ste6_;XNV3_$N6#yzq0Us`iYe?WaZL(C2T(tFSOwkt$+*i!&j0E5T~d62I_ z74&If0@{tW`rB_6764R(EMt$;Hz5Z+wdlTzixXC7_@&nn(#<8nWAYE6L#pZRBAy^c zgYH=v1N{K62h9`fWrZa#sR_sEkO-o)PmsUq^DFFNYlfET){JQd^~Ofa<9qi$`6aedWS`2@ zmu1n4dy6_i@f^ba+eB}kB7&z-){!MOL5&@PHfz$emZ)8H3+@s}hT`W6I#lh!$YLO-W#9jQ$@6&@DjXDt!zR>PR=BXcq=>>^Fr1 zAr)>3siV?-3NS7w_8JOQ2xeBtrmHeZK-m)qt1~21LX~JAX4F z3FNG9)J^)_9xCGLvaip(Yz5n0E?^~q4Q_Yrs{iX~VfE{7Zc8=`QQi__piUT8!o6BN=X_dtoPMcKo5J&)TQRt&=~#}rNfj349S0m)Or-_~qz!o<)$KKp~-;HX8-PkTi~%fETV?Ea54M^6Fv z3SPv`U~I`dob~!fMlAb$D2+4y)JmDq-Ex=bWhJm##X~{o+9dnui?B7{zdLsmCHAe8 z;p#3ptsRE_xWkn>>6YX!x?5-v-h&Px_|c|jIem9xp>5lXCL57Vzv%VaPN6nGdybo`Fs5^8D0Va3vCF5UF7 zH>bX=xK~T?5MkO6z4T6e=~Q=;#K}U#%*kzut^gv_+oKnjJ<2ul1(m5M+@`K+kNuHI3DejjQ`%_kx3hjBiG_e%~_Tn~4dRQ%yFIgfwLKIx}fO~bS<3~RQ(<~Rw zEdylliED_Co?ZwT|TCDPmay|i59m~e{J?8khv0_|AutI zY5@L!0Q@ii9+AC!aWgq0BEqAe5-&6O2DPF%+k85=vQqi8TXyMq+QPVA)vo&b`W^8> z*1WFLIk*r{$%CA6pA9ku9Kv-vsGP6kRg-cH3#+H$rNgvSB076y27D+u3@t$1$E=)2 zm=4veT5O+TR{6%9o0oSic?{)eYj0mWg&h#U_Bmfzns)%tIeL=fl(M~tKRjN*ZBX7i z?L$&XmE9Bm*+D9w+wZxaL1ax&k0Cx`)iPf$_fZ))(BeZA-mF*Znq+o)Qs6C@x~3RS(GmH zU+(l*l9rKy2^JI;U7g=}Dd?n?oYw8S-Ww4!N-Sx65FmYWFz6Hv+9#6r^-Q+Gt@vSG z_cB?juYw=Tp;q|^?Ra~gw_tuQY;_?lu2Jd0VjRb0w#JBYcET!f>+QERr&jhV_SahU z4CtVWzIqBYTDHM4101@z|>6shP#js!Gz=Wq~9} zx6>h0Ha}DEcpH_IOAA{ONBYshXZ#P0l2;-gmF-ogJjc(LPlh=7m|p{x2A$aTT==ig zOa&Y~>y5lj`lpY6^2vD@epW(Mg_M761Frn0B8I1A=3|9U!RauruX#A@ei_(S*{Nb`VDO-` zd_+noemz%Py2)Hx@oeh_bj4&PjU4kGJSE(0gjVu=-_6c@R(m6em!T-W=)Rpm$H1x2 z*%=w{KYjZ2H1)q4x3T1Bwc%RIB@-4}%0F)4x5n07PH+Dtz|^F}dA3^!lGwKfjgwx^ zbYz!spyRB>2H>7S;Hv)QT-y~ou9eWkMof?m124po65o|8@gyTF2emT=hKFIV3XQ}+ z@_s9OfXkg!4&DizR!bKMR|MU;iwM)hP`Yc#$)OXvw2h8FAThwaQGX%~Lb7giiPYWd z>m*iph1`RKD(Eh~tz}Qs+%O}=!vtJK!c!C)1X@zXWkzOnv5CoR+824exa-+zR|!cZ zjCfjjYjawJK^omn^F{P%;2U`Ickes7T(NsoRy^wfAb-jei*5uPxRV&%a zFAAE#BYJ>>l^8PJ{n-GWFG&$1?i3mx-W5`NhM7!|jA;ZphIV>;xjq2!<8Zv>F9h6m zd_K&>g-s=9=Ln8v4^d^$rp%}r4S+epDKv)wve$P>&A2LH0niTN;d@M$NBjEUfN(ph zrFlC@1rJTEc)y@Iu+Wt&N^y_OY_2Z>wNu|5_|vwwW$LLjXPyXaa|X~=MFZpm?zt`m zRQtvS#MWVatE49+3F6a<6*l>J@rKRampK{{qy}Y zvH6|z?oWhUZWV%2Y)mgej4Fz^>Z6TJZ=D?dgdh zv~P!VezU5ae;Ms|$NVFYt}wxrvBwtO%_phzs`IbSsPl+(Zm9SmbqlA|;A`J0Ix0}qt`y3>3W5NxNgsRV$ruB4 zz7dkdK~aZK*>hctC!J1sK}gqC(l}Q+pnLDm?Qy?!o1v-SeMDx3r}vKE)m2X1*J#(@$za=)XuZo4O9Ln9G2tj zx5&Rt?Oo_Ep__4(9T=!;q{V5L&&%t`Cv84$@Le+5%$i0~oThoQ?{E!kbp|?VaJ0dt z%LG4AHU+iIcFEhalBI^#L=dn33?r5 z7Ee^0T)Ec-bck-yC)~hLHxf4%Z!lJFF#NX6^La$Ta%DL~87yO`jaR-nj_|^P{29(g zFt@flAE(~iluFGXaeUg_6(+1c-#!w`)3*^@1lCnWc#3K&jFVdKgVb%CRe}*WLs53_ z8@9~)>Zu&LlSs4k46B#0vf*gGRk&zkZwHbJN=6xd=C6A+xSv_V35PDWyc-^PtY6P17mJ5eyeO_+CJ7CeRwab0IJ+P0bkJtLzVRB(%VQycO zFaW#xa@(hlr2|tQE#S3821g&rprm(&M3BG~_e1I+~0qK7_I5puX{wl;=cfpU{&_MaTtepkmQ@-sJym}nio(Kdj zG;B$p^=7iYHt1Tlb0GivQ|@)NfK?c&pIYx?Dxko*c%tFmzJ`dC;+T-_&QygkZ?5RR zZA1lbpV&-C;P_Lm?YQ#Zg5ov=UK$Uu$xxO3E{&xuf4j4mXq3Hl%yEhwGn6B{pD;vL zt}`|^p7Y@b_llhP(0Gkkk56kCNw#;bhfpaG(~T>PqLgg#@Ux?s z!A&L4MTxAbG{VK5O~igSxXuu@&l`v>q0N3^NVox3s2^Y^_E+BcDqT!ZPdB%AR(qHY zj){P1?ddg{5%5$umOSTcyJd>+VY{jRWY&i%XJB!jFw52eL;=o2-C+rk9Z~|w&Yg6x zn)1>Vl?8kvu3*wa7fx4mWMQ91Y!#0Zu##1|0T&M#RpA0q@8rto5NdJUI9{+(Xn!z|5F3`NL{#b-D3<#8s9zMVyudF@o zySA(N(%RF&BBwtz_MLn3YI561bhbF$0!R}DbA4CPOP;YsK+6`ZTi82=HbQ>9B&})B zbt;}DWbAKZSfAu4kmMJK{DSHMLJeteZ-3K=&tQ2=j7=S|)0~)Kj1r{h&-s=O>+`uZ zw1QE)=uI%5fW><yC(tQtq0rCP@A}fI3hahgBbxY@r3=@qdqZOLwk>5~P!2m?9qeG{P z(zd!<8FWzcw0k>~%E3w<{rUu0p0$}ZrEcd%y**n6l6{p%CtAfd=;aMyz5ra%i!6ks zyKO|<0Ig5O@8d_40B{Ohg(qKS%B0SbRA~3&s+=s4p!e((5GH-S%Rcy01SlSY7hhM#Ow3^ zv#Af<6j*QX!jXU7rwZFr!QfVd$Q~IsvrAB)t#sfm^=F>aRKMymvvp*%&Nv1E10ct{ zW*w0nJ6t(#xoD-aR3wy?3aV(}GQp;2_`+oXM=h~lDpzRz27>yN&9*LK3I_!&H9f0n zyZ3`q8@=KM?mMv$c6ZeoL;=n#9Bmr~JAZ&RmuVZ#9}-OHGa$R(Q2B}Q z$4md&S0#E!wUa_r%?D0`onxSYvuKh!up2H_!q>=SaN}`}bNnqTqXO=8Kl~<1o2OKh zj(%QFwU+-zL2kkrzy@q#Ann?0oZjxv9=<^;u}pJPn-7V2_!gYX8YL&|R5vTvBSM5M z;cmgp-}qa~+Lg#)1UtW0kg+W{H_zp6`$; zWGhs5Fo?3N^^Pq^S)iTkv>Ns;;ilxvtLY&H>y^}>+$=N{^7TXJCJ}tMFGmxwPA&sr zv5-ufT7$h z67FU5@I9E(E;bEijdtm9Y{RfyE%T1o9PEOd@E9|{) zXLtC!qF}GD>uKAG4@gTm`fp<|DFaIrtYw`Y9ZfV!Tv1>r@Bl`urmqp@gGg{fA*{al z)%vDzlIQ1Jg?V*!vY7KO$Yvn$*V?-k64##L_`gJB*xx~@e$KPn^RWK|P>w}v{@~+l z#=a5oF~ZDPZrirUBu~j*A$fJEdtW_G823Z}4v&=Gje;tE@PFL<&4tdTEC0EDg>p23 zPZZw)<-J~1Is*3$rD%f9JtuC!NC-fCjGgW~BrqVMEK+YPAXxwl0BO0aR7_)@8odDz zya`G5-%(3}IU6Sq7ubtII7v`(N5u%MuaB=kJZfp;>K{)lET-APNg%MQYUgfd3FEWc zPnFi;8ZNX+epj6K^aR@*(%XyPRr$S;ZFmWuF}JhJoW^@TOK^ajz*RCPR3PB4X4`*O zoM>@$1dh;G0b-!RzUXZ~WJ`j8miDpC8vAQA(wrtcfI+yjalnOD;% z!8u0YatFJEFv^CR9Ua}hIUE1!TlO8hU>bz2oXd0~xOLVPcAD@x_)%hr`3cLm-R7_g z;7)3sA-XnPX!8Yq?L$ju9AZ-Vwx0eTF-xBIfSH7CodV|VWS6`n`k3~#O3|z=j zQC@5biQD5Ijrk{*fhgjiSr1NU(Ja{= zdU%=wRh9-lzP;VxZQ?gO+Op6bsLbi$)fST?3$G`PAW-LZ zKA=8Cd#~T;f>&bBb^%4OLmG6!1N(v?=2$rw%hwYHy;FxY=ujLC>j=br&3mfww6T@7 zwKZ!S+%@hxoT}p>m3ea&F1$zWaW50UFS!2}9waP0ICK%t?4e+K(Vcmz0l%cNG$g)q z9bZ2%6N-M{3#zSS?DSjM=v&xNd*HqMcL>tD>flQ5{pvuDI=Ia1zdSedILt@bZvyL= zJ~;z-i86yRrTP%4GjGG(FP^RhY-hr3uNY)^xGz&a$Ziovw_!GPoVGYQ}xSe`tRC9>qRZu1jT zNmc#)q58b|XFqyiFzF29NYC(L=x!g_}w?@XW5;LrMR1GWP_Aps&f+@baYpfcqVL ze=Ixb9Kh9oc+>Qy-Sn_(@7`OW3}C^bT|{QPU9qtJaF$v0rTqPxIwx`KCeQ-dgpis` z0mr)!wEUa-Ze%C^fEOsQMJxz3v8e>Z}h_?If)`~0pM(N9vg?_I8u`e3TP52$X zvS--jiol%;cCYF^#I{?7ih6K^#P4_eNSkkM-Bdc}w+gWR6aNkFcXsPp`uqY9Z`nhg z{Qfk(Dy{rY#-}A?_;y_RR_BD{8h1Xh-NA|N+RyVn-Op)biPf{ZLDX&X#~DQ~a1X}w zvN%wN$HE_R`)%{PXNUfk(7CtiZmVQmt0Y7Vw=e*OkG#4lQF=SQ+C0eOMc+Q~E+B!@Yf*tdzbiUWX$uSm)!A}z4 ziI~%%Fq9AQ2m}P62J}gQh297?#1NzuL3hN)#s)a1H~CO-YVYTZZC7j%*Q+l}U+seL z7pX2~M70n|KmMQDBC>o4I{h=J`TupN55EqqzF&5t3@Bcj2W2WKd0|?nLM+Q?>rpwgRwfG7kZ^bjH)LbFh$hL!|ElTL{AgpyFc*O~c$x954zbMDT*$^|6vyZ2se z{nl@_f0K5AkN=NQZ`jT% zsdgcJmvFfqinAN1@8~3XwkMw)A8oPEsPnO8mhA;|ark`kl}I|=mfI?iSAG5O*IA1H zB@-eV7i0S2p+~!~RA`&IlMSsqblRxHjPr|TXP`NkSz6DnFc4)WIA|4#Ny!?-q z1x)e1?*?|YG1abnBQNL9-j185e2<^=5W>dgg0!H(XvAOZZ)U+=l_M#tXkjMp8WpMSgXmjeLL0kR?p@r*-*6xel33_DaL+J z49~9BG98;3klg$1Jh1)Gt2sOB1Q?5pA^PrFUpfh}%N)k>g&}GgnMHmxzkXgb7~mmf z%OF~ZZ49G!fl0bq*g>ADk1sMt&ti4U$nM3n=0&H>c6RlXmsL78S7KwkVKzevMtP%RW`6wD8H^hK1j6FXrJ{;PostM2i zgk1J1;@mQwIZ4=0K3T1bo&E<5KLJSgJE>_rIr}*{b$*I-9K!uWlf25q=KU;|c>^Nk zujupobrFYKDnRqb69WD7?$hF!2FF7F6FQ4jY_FvHofIolPK-v&QE9_`3eB=&PhdsA zDMp}`p5HJV8I5D?%onR{iRA_<9(OG#b&?e?7{~jKyQvUbgT>W1$A#xWJh&vFAD&?MWRLStV{4i|Qy=xw%zV#?Wvg%LMGo-LjLW1`4y?#zjpQG@axIXk4QO&hqG&4^M1+VIi7X9rglkUQtDSRVP7JB z`m5OuJc?+tYx{fQG|R~V|KLsi+7R9Z*{wNez64^Mqs;ZaZ(Z_p8Z+Bwz^{a8g(7j{ zwJ{|fJ5sjFQVY{#Kik_F@htOutDmxgL2t$p;bT)e(Tup*fMOB)ut(xjzJapIZ85g?pRp<7Ps%r&b~HpFx5<}H~@~q zL?-ls_ICriT8x(=HeedB+*07hNfYd?N`ZfU(pRNs4Q6F43?^V=tQ z5hoBp3#y^?zG5mcRB5elym-P8KyZH>{mqEDesL>h0uh(H|H`|)N&PrTHAwY_ypfT_ zk7H`e{MHgXOcs7@)XEnqATi+8b(>_`=>2PRp9Z-4G6{y__aGOD>VZOD;mv+^{Y0Z; zzFh2b&?J@QtOL96jXGE$8fu9PsPZ(QLyjcj)IRa+7r4gtoZ%WjkA6Q#ZYLX-PX($TPt2%s?VV6$h$4Wjo6iw{&l0S-1mCw2(ket^n@+>P9C>khrPaoNIvejX1D30yDMdPT)ri7bLpC;!x7o zHxR^sI@c>8PBFMh_Up1~yLJ<2j-mcfgFimcDb@}pX|&8+hOH2a=S=qy2_qeiGZP

      6 zTaDg`I6&?<$Cme_y)j*oWKS)B?Z-j!F(ltZ{8ZPC;H@BMdS@EX)?j6S^|BB9=4AZp zR+-ph^GRK}qu(CRILF*9LrommW?!Vp;9Uz=PIQfq`3IIx&b{Fhypo-`50!bsU zlC&jm$md_mJ)p;Szn)}AcaaqpeMc}Q#CbjTiewl9Hyti&m`&Dd|9iBt^&+O>@MXio z-~lldFd0B|V4DkeLH=qtqF6JhH&eI5ArS|GR7VwHlN`1(1Nq{Oru<}DVO8(|p&xXOOmwL7SGs@^ir7aX!>3n-CobdExe9AppQBy&V}t;s;Dy((>QX}{*Zkr+X<<)lS1AJ~4pfA;bTobl=vWjKEcW;p5FZ2cP9M zn&pgY;LN|i%2O>sd~mkG9g$4n$z^|%&jx4l{P+2JPrvZ3FQz_WNX7c;0Ii3@1Ec3V zK>Yl6n{eDbkIzD-tTTJoT5&7yFRfrZTzv1ilOh?b5l-RSN;}zqViWQy<`wXKx90{; zI5HuY@wwp#%v;VHdoP0y7B5qq+5Voo$YETA(;9N!@Z{`N-)OS%&%Z5S4FAX0e?I(F z!8=x+3ER-Mfx1d0@j~KOi0xv^mHaI8Nzq1K>~^rNvGo(F^?k#OdMvwyg`}7p%0t*? zt!75;TEoiVaO-j-AmLl+`J69#q3BCeC)4Q-Kj)6wehP$qiQE#_U?c08kQu z#qDFwoaf5KwC_j_O`k3*utMN$X8*wgEfxb_>gDr&(>*sf)6>hjO{!~+5Ygn5#-D>aND(`8bRE`*r zX5Khm!|A@3*l@f(1xnXg!`8;QBm8c|=~%tF<%$zT&^JA)OD~v4jIHBJ1Y$B(-9_Mx zu3R3RS~IU{=&B`3N1QKaBUD>$`ULCT6^{tM^Ix%GHjwSH>k(Yaj|rZAcw{{Z$q5Ks z=MkP8BX9lDQxB(@O$PcqG(gEM7juH_TlnkM8(KGl<>ggUX8e3hF754=kIw5~x^%{oau!fL#ye!u_y@t+cZf4Rsr(O@lK=hT~l zudOebV*GS$?Y;|s*Krt@3UyuvhMwadE5r$=+x&qk<$~tH{1-b zz=CuV*AI=vXtCC$+GcrCsZUbs9*-3}9E$U`H>MDyd(&`^Mx7A?1JvrH?d8Qy+z~K_;{rukbz4D6cLH{O!EmN*8X4BY=4nz!vqJ8HZV6A0xW&$HLj9 z_@p?Xqm`fC%Tq(!b#))|)%MRa#6X+Spn{LNIp0?!97affGN^CJV5hSd@TX2fN}b>3 zObjN6NJa1DYucfYK{l7`I%=^ZMZ5G88|SUB8;*S|^9oYLfq~cZHJxT3V#KX3Z)e6o zF8%yk_d27CiOn&4({24TahAgfM_s&h(f1_i zj`lF;v8Q`7c`M@0k8$w$qx(3vfwr%Q`Xj)POnDje_lSRcP_hj)hLkn_M?FNAKn)#cvs*tw$u4g z^j4KSq(nHRn1(S*q^!SkRhzPV<9wq-4gvK%ovKQHVkm8>8IG0O-;zcrA$*P& zo@hT%3S5Gpq0Tw)&gp2Cj2AYT`n!?)0-HD z{vAt#ZXjQ_XwLn|snR4oO{R(M;JGdO(z z8-UYaXe)7M9%>RYN>|i8tr*%iYoRW>C%e?w$3N&!^hJn7p1@34%bhnP!W%rJ#N4dW zcM6;yED`1RD;|?OF6~^kqq|}-jL;}rmX0=6$J=eBsh%jMSdx>huRa)$<_u3S=V zxb#*|T4b~EbB0FlNPqSRDI^Rz+*($qPfO`khfxdb*42aQSElr_WEQHXks?IcJmH{2KO5Zp}<9>3PyPqU(omM$|ZD@q=1E6}MQX2@w~9>TB+Ro}bldKkH6 zdI!%LvhcdNT*^vHm?y|jId{ZrJPUWdI9qCJ#&mGvq)|s;f6sP}f+>%`XF7}@7zpy= zdq#YdOB@<1NASFRa780NqWk5#nkwW_|NaJ(k!diw64BS3oZih6^6ZWj>LbYuE)H9S^r`&BabYyH3jH9(*98=g6! zO^QAa8$>$)(aNtZkKUR*yr0XGWJqZ**t0L3A5TzrPn55@WNi>g(19-Yyj^&0=3?&T<+0$Zd7r#%+KGI_*K*z7ik*29^SH30H=g9araIzGeaNNT_IdW z8XfxUhab)#55mr-_bkDVj@eIBQ8WBzxPo*VtKa!qXRA_=AEiGSbjDN~9len~>fhSe z8Tarhnp)3(o`SYpA4*ON*@lJR8nd08M<{E!C$wS}imh9N%w|I2`T5JX^%dIE)D+ z{bi;jLZHzq`v&)r4skspUhSmFgy8YU32rw;WTb%RQoG*XGyt_=p~O`tBVyQ{&c~I?52~7&RGJ zDk5Ah52vAQvU?R{ZHi37#yEaGIe41rKQmjiJ$;DDX*yrDsA6nRMOfRh3-qq+?;o~; zcG;Hv?PUb2g0)k9{70gcJDgqZHduzeXNHP#KMgN;wMi|h{hL<<6juVphkrjDdh^16 zJkD`^Q?F{CAc~E*Iegu}ad4Ir) zmq)6^c~Weo%qCSDd-Rgt*s?En&AvctogZH;a0OEJX#gx{mvsCSah=VeAM>#J=23mq zX zd&CM<77cT}{^k17H-~xIT)zJzT|glG*EEj!rT)vK>6itJN;mqk!-yaJi0Ofn+R%rT z!(ns}W%8w@haO_97*wwBYG7*Sd%vs%ZH{|g+?9-z2n%mk5VTABiZV!ik8G`zjPEDc z+MR(vrCnxEx}C$Gwda{_&)757*x5I?XR-^84uc(6ZsWgIA9U#e^T%?}i`~Ap9y=Xl|F9md`XUFZ(dhmteCNBPbV+XDoAtiKKJP?}h+AsNlX(rpl?cJv zz0cP58HmS6!>nL7!_W{oLZX*FaiP}xHVD4+-Lwurs4gD^S`wCZ@*!Lu0L@5{i#=7 zz3^LK)pUvJyV@+Lcis=M=yr&*KMEAU^XYq}3FMtB^YTUAO-6!~M^1%YD9nlTgTyS3$12sh&JoPrX;cnd0%06jM{7R0frh z#&`0u83rrgT_tZmG7RPtFtr*4ol9&x{#l^@3HjKQHWWu}Sa#GFXmWo<&~o&QOmFH; zNkEpU*5Vt$Gu)=uXjF^?fN3d_dCkBeriBkH`ji8pBQ9gZD4Ala!IzOI8J-sO@DF-H_SK~3q7!^8oZ4W(Kg&o&Olkhwv zrwvP7OwjdS|8!PgYmZl-LW0(&=MY`jl@v<>V9uO#-B2T+`U;jtU#aa~@-H9q__%y} z$K=BHu}X!cUCLk&Fo@nK+-L8dp?+!A*)UGyVHy*{{ZE@6P zYWo)ONEU=dE=-4?%{UP6_-Ek(_V{zY)x=*!uBpdUu$pVkk;CjY5lM+GfTuP@AzJX? z4qtBU-qiJR@PB5lFCpg~UfbdW0}xMlRC#xg_8e&h6ud|_BS=|%$Utq%X%ov0ORxJN zaPyKK4J6X)3M{j3Wx1Y+s#d>6ylABI3Bcbpk8q2V{jqn)i{vwjj#E7^8$T1*r<)O~ zS$G4ks7U}8wN1&DAVdV+A5>J1C>cWw%BMr_p{JXW#+RWtF9s&^3SOPR{mEp2wT2O- zZ3nm4pPBqXctI#tm#-Ub>v{85 zb`H%8%K&H7`*Xctb&XWQQ^}&j_sswIOn|hf z*#tqQBuCUISlPU8k=C83yxpZWwLgP9uXHPEFeOL5My~OlnSzz;e|*lA=$L>I=rQN@ z-7{LCO+J-B1lL4V*rvayVJaZjg2GpB*Ikqp8C;(qk9$zX^evcXM0eU2Mm9*eScm5S zq~v7s>a;aT6l%0ILd2ezY6T{yP_96R(}(Q>3;iie%CLQFn6iA{*_U2olujss_`OJG z_gFn12lDAtcyRg`QOjcBa4l~eK74pvAtbZ4{Od`f-y0KY9gLkRl87lC3YC06th4cx zh=gfxi=7)@o|WRiGQ=tv;ZgVu>jS0GU#o|BqAI}YsgyprL|~TznFm7V0I)n%!2qR^D{j8Ux*DAWIz|8icp3?==1@5_l=E)B};hRrg!VpoxIIs-OM?gd;l4ueJCI4nNU*23h*+;X%HLru{@6?z2qGW$8Pn08Ut+(Z<+jScd|$GVBzH2nnI0-7hoB)Qo#J#;vnnCd zWgZt|5sa53+@UBy5mY6Os--{_1<#~KpOWCR^mg1R~n-Pf`D-;#t)4`UjluD`bsSA$vtg8sNLD+dCOPHD!{3=km#8;P*X|wg9KsCB3ty3;Qr zq-)3RQB=J{>rSLdVkn2mZQ0^+MKGd{boCRckBBTq`6d)%Xh(xs;F1rX1~xj-xhDI zeRzv5fHwG0kM&k-Q7_#NeFMZ?iin*_(rvu6+EgJ)meFo!-BOH|&V{@Au~p zvB&9j^ zxWx-+LePF|_-#862Cqe;yNxH9-xTzK3wr)e1=c-rx~|sio>W?#QpiZu`?#;O_n*qW zIqz)%d#YHxO!qT+Qp6ij6vt@El<#+H%$p8%MZUL>=!weW`b1b|kt&FnsOXih@EW&7 zih-nTKdffFkC_g4HI4M^WKx646i0NAYkctZJX70=zCV+B?FlaEURS56yV`NugAs0h zoH~n|TUbl5UQ2*~*8}bAmR1V+T_N98&jbqK?74AgB$_Iw;><&@v zj`AAi3zEFq&mnt59&@smpTx}PE$`j<(H5Y+erI#;t$A8+A$S#~1`BTS$;jG9y|>2( z^WQoCUoL>Jx$ew(E_<+D`B?(qq2=nDjd5$$aUOEy?Bv)u#yKIQ&}QwYzFV+?mPp`} z5!+Il^%V3DI+;0@XPZkYRdQt(K^}ZV3Q~d)rcAasKnfkAABbKswXpm2LW}@W*vo5# zu-nn3{y$ozwj?g~a<)6*zE0DPy6&d$Et);!{>f|sp&1{|tEki-)MQl&x*7=_cKWRG zeHR0NNf_HnOn)15MQuMt&P_ij_j;h7ff-c)|tTDkXE6l+!3Li+3FUYN~aq| zT=v~EQf_g;%r-i@l<=+!_HbQI#yreMsdHtwpA~gKybDfDtvNA4kZn?V`;MwUhabD2Y4+)0-)AO4zW6x--Gon<)`;+JOR( zD1xAj^YKEZ-uWMe4S~7cmQKHvVrl1FREZecCBbdxlLBM!C7b^X#p3D8Yzw(euSShG zyU-UmF{vspKm!Y9^7}Wsba#tlGfwDRNy~KiDK93wnb7M<;beiKXi4v3sSOVx7{LV% z{!bnLz4IqvTtxRH&L;=I-xYJ|3Q_mHvArm^oO@L@C<5@AG1KIj1rXu>UbB6|Ulryr z5SPa`R`h#<1ZTe#u-(1uL>sFlr~adUx%ER+C30S32_tMgZen1fIV!a*QP(u`%?~_y zO&u|mm)A_FL-5_FC2{%N53}NG5>NwR)9vN~Yl52&aqjh`!DA3q8rl7_C&}x4+TJNX z{<89y%G?XkgByKw@Wv$4BPXsVCsn8nO8@$wxvWx;JBNgF&dA-m~IosSR+sd6b0hGvcdif& zIzpRot*?@54+BW`!a)Lz`>BFafv%hqKs%XME5fPEl^;OdHMKH^T9&Z!PX>^$fJtr8L<7dFD=djRx9vMgr39nE*D`RuMaw zrb5XlRjG3D%YcodbE zEH@}KKnQR4><&+|GS76oOWlt;=uQ=Z4@ zK#(y=W|nV)S(;?s_mWpYC>{s57^!27eDxz&zZ0{(m!bDlY4IPlG9H=sm}}J?Iy)p3 zZAUa)i4_%MUjuS$GK+CwVsk#FMzB`)-(^B=sB0*NqI?zdA!4c6A2o5StQlRSwhp?j znS?8VMsgEX35C`QSgMU=vO)sQn5P=@!YGVDpx&_-WuK~2PnfreD7PE@TtiKSDYejY zL;Pto0;9_Ud_#{yW+DIM^?u+J0Arlm=mkmau_!;?x_jOcuK^9X0(DUYWhX+4?CG6s zwSH&Q>TA1t>JWAEgUP!_Ip$`o2NCC!7J6~f=fkGzN~dR#+T;{nfMO9UmAgyc_+X@=5$NuYea_Mys`A-B$6=euF!>6Pg2 z=~uJx-pI8yc7;=+zO=ei*Xy7wx7N)1TobxLm;ro6?#@1}3HyGiJO_ma zC}Y%cwWs49-P;%nF{kla0iZMH2HM4wb2P+fRg@ME6;9e$AKFSgqe z2#wYhN$308$yp4u+rCq#-~`sPGUSqUPg^CS*wE5w?;Pt7KWh7>fenwuv1a0*+!{ox zWyu~>zgya}MD5I8ujd)6;1ZFO_~Nlb%#Y1Ri}Pj}KbTbVwr&q?HLuf}*ci`Ft1kJ- z)+Bwa1`?_RF#};L&S31%s{&q3Szy@i=iOqR;i{CCah|IQ#@3!%nV3g8v}_cp=wfE^ z_>71cMN2n{H|W`I%uC&5-WP}2l56@I>bX{v4V8v7Vczu>EB^85UNKia4OVw_d2XgN zx^-LMaN|%n8KH_0Innx`=(GLvy6;Un09mo{?KOJQ^*hAUN?4_qbteT1+TNnLG&e`;=OqJK`YB8p6m-Cdb;o{HM4Lcx%PTKTdy6mDa}A zs9fd0rI%VB(xt}74Hx-MMKOD1c2;Jm;pn9#IolewZR$1lq_|*SOx&j?3AKFM&-rzP z##pYT>CtM*^*Qp(#U1O*0~ra*aSdFD*eVN$tKpBAt}LIuw_>xZt7Ri{RoY1>9*C7Z z8b2KFcQCws%HZZIRRW&Vf@TVe0a&6Nz1`_z>aOqpVYx1N>8%sg7~u2*rnZjL zLpF9_yV)0uHZ2p!znn%S=_}D`Kp^S!A84Q@#6L?D=*Ib}U6P_(R^1uJqAEZ5y{4F9 z$ohF*`5l4kAsAxkXm&Zh!VV;hfqJ^@l_-&4vk>G5Wsj8Bc*N^e4VS~zrZU;sr};oU z;CyVut2d#QqaAz?#d=tn5}$`H_9jH+CZ{AwQM5$Qmgq^##95fQdI`-az6XDO6RJuP z1M&LX?p8vjby8$DP6pQB%GYW2)UCjq6_7TweJ>8W)2=$b90y19;FaJj+8Ndg#0>SK z^jkZv{E8vZKTXS~fHs0!8`7Qjyt{kG4CCTUl~8>(+&U z*hh2-D;>oWeYsikf7e_NXpZx#psubXo-5^9`bUE3i+R$>$?)N1D0`vP)H~g%7o9Fp zQ~k^0xppc)0KkU=6@Go7M4^0lv1L35i)(1SBf1pn(@@eRLdp|AgRDzyC6pT^i()?OGYbB1H`2N-j`B9uWU`1 zpHiqW5zh4woBH%@cXg{VP8lfR&JA_0=RdB6(%Tc!B>Zg86_D@JHs3QRp`(#BPLf7Y zKyTpx_5l4$)C=r6begbfP7^n*9jFVj<-=BXN1V)jydt;nM)=u48b!^mcqo4XcfhnL zb)pCBqlO2an-Ne=B?L+SX$N{T$U_h})Qrj>hrv|3tVF9%Ga(?B20QZfKs_@%DC`c;Pmjz)VZ$Ws@kg#4AlDhe>KH~HUf?t_F z>_Ki7F*3^O8#qQ>LGnQ!%iYu!2>0{@oG#8nCI^RKc)OCE`EoOtSDd3vFV&~ERwB>b zzz58@j9Wv zi6!O6I(_r94Ob&Oi!Na`;7;SGBeE~Pj*PHS@O&iU0s)x#w`TY9{2Dz!Hl5c;{jgSp z$_P?AADjwBM!lnULRkU9AAR@2Tp;(%AK%6_k>i>=+B@+fhe%{F091+$V37cmw`lQ~ zFG~bM5it@Ju!R~f-icUOzXSPla7AcJ6I4-F4&8gWb_R;qG28a5vWVc6iXzFbtK5a; ztGxVWX7N3aE7B7bB(_o z_cmOHj|6OslV`@t7Uhx_%mP$_5HYQ<4w#m zi{GMHPolA24?5_krh6iah&GIzHX=L;XP@*NS%fQhjekR_!fdUmWn@TODq zUlPr)GzG1I!>SAk+t4(GnZmo@Ot5X|$$q|UYS1^dVOwu=LRoIADVt8wXTDbtq_?Gl zLe7A<|Fh_ta=)(q0@ytt`wZqeezk_6NMGM^g@w<&^{`AY8<*k4{daa zXiUmQ-;L7<#7d6EM$o-9E4$Fs+toASoi3rF_j@Tl0t{@eoEs|fZIBVVeBNzu%bvE6 zY{|+B*sU%fignSmwoz&NhU&UJL8G|SVn1Z|mVQcvbyn+{%>Lg{%j=tfq4VPE3ZRiz9}M zSb;7rhcwV?!*623LqmMZ8ru%~-mNQTSG-6H2#zfQ@)d~|qX-g76R?T|2&4GY;#g`; z_#Kq@&z!etm$tw06ZHffnFcg|uTi}!<4gjxITs?fUj8EATi;avQSVjZQFnyRct^O~ zr5oNhrnx83?IJVpdh!%Nzy181Jji~u58B1XGCJmtA&XFo+w+hcP-ae2~8!}`=#b`RlEOLeaEa|5sIB$Fdw?|1a9 zGLrQvThj@{a7RKvt6WlXFIH5gj&h|1?pa1vck9XWaO1a0LOEm-1VyU*A-UjsmEPl|u9WbdXt_D-6AmNzX3# zZN-D&@5E8lSN6Uls$B}vnPE2+u z)P=Y3S-a4h@M|i|^M!t`#|vFY^p%{Wj`2AsXP+jpu>&oy_rp?{_+#waOXY`LzFzW! zBQUF}(2{n`Qw~(D9ALRb1#~{;2^FQ&3RPtGBk*mia(Tx!3ZWCB^Dfpp_fg9i%Jqf^ zYl@B3vkCa{P|e&>N6QDMJ59Eyi&fQv?n)di%3r%8fk`ZDEUHo>|F;91Zop8sAK8tr z4rm(Q)mA z)c>a4t`(3ntAb0S@SRK|HJU@sl-d-Ro5UTcDPr$ypCy@37Tb*SgPb8*>wl*HEdRij z@Rz8I&hjLw;8(g7zU=KnAKcT@VPX7@(TF0}$ss3yeNw(jvGe=s2!z0yU)fKiiMbkO z8cm^3a5T`dTBg_^^aa=hWmSH&yNn~!!&UqLVC!%A1e0sOE%$MWrMl^3xd%wWIK_a& z>cOo1-O424yx}>5{s@(OrVn z%21lc#=dTH092S(vBn1Qe~IAKqWNLs{9g zoype;Npk=Al`?RenU6b=#t3AiU<9}cg*lHQl`^FUy>o8p*xPg5z?Df#)|rgQu4XZ{t=-P&xXr=}4+Z=)=Hn9L}c}J2b>4wsgrC z;7j)J=n+Zya3Q;8gq${VHLt#2|9x4EjS(UdZCIo(cCZ%o2L z@B~4*#lgCzb=Rh14%c%UArmpw(sdTQH}=Mn#hi1?Tp;jn7VF(bC8^rR^EXlB&hkc+gjdl*|v(sv@`qkw!F0WiQI|44-@nnR@3%x-c@}CHhY@d_cth z4p{tc;3_a&exA-Zyb7`FP_?B@8ral?bDLDT#gXfrJ1#1idj_oa%)8Qi(yet#FY~1IkE!A%UHBi z<5!cpU+eD^le0gvN#i+YHq8Cg@(t(OKE_XQvUca|g&e)-#w!K)2SYlCssw+we1z z>%Q4B@9iy4cF=1f6hhR);BFxK2S{#zx3g?Ie>!BU?7&=<*a`9UHW~=7j^kN?u8|6- z3byAuUz=*274>SAdMu;ewnM)JsYh7+*T?I(Ye3%^#V&b?cuM|2!$M!>VuR0U_8pSa zMq}fwBw4=a$G}nFQ|06WmnnAJ1%TqylAh4)haGM+2p!f`Fz%ljwO6mm<~u68rzY>nY2CKTxe?-x*-aw=@a)F z^o*0m&eW@whKJ(L))KTYS~h(Q*j*eIvVm?oZzG(aPSXzeW5~dkJagPoVisId$9LDOm6E7>Djxt! zCV&E)FpX2$?U0ig=CBQGkz-3b2GkM_x3Nyhs4HxQORYXCL8*ghmwrROJBuxGc;rj#72$!gboBEnf;IGAO#ZD`jjnjcF+q9-zWUH}pk)AX?R#oT2r zv*kA+J_=*Fy2&y+ycK8+m?XUyB-gJ?%INxbalTZUBcWS)KgGR~q6`YsHkc<4` zk;uM zA@FOc=%nY=_E-QgJ3;+xK1S3OyJCXYeY(m-Tt|&B4@D7PORmSc>o}Wa0x5!}?al{F ztgAKUl7EHpM-*V+Ro_Nq5(|L10qLMZ67Xm#$H=Py;z9!H-sI13gpFh=ceR}@F5q6r z6LhQGl6cl^IEdzAY1j~hL;x+A=PCxuwuLj^-&$MI?}dKdfM|RIk6$qd&3~O~vTH6d zM!hc*iWHE2GkPJgrUiCPobJeZe1xkHEDf*vIMs4hEm#KC6(S4po7!ESXU{Gm>RcV` za3W8>R+6eF@f2baHL6w)``kPc?2c;-M*ylw9qNEAIy<{pEilIHZ4vY<$l2xXfp;OW zqciuIQ2o8+^8esb^Q9~9mo0sxK9|Ji*b-B@ z>Li#L0Bbs{ELfuBXOA{(iiZ-U+~XSqAYYA5W%7ZfYJh~r+fvHpz23$knw~OhB{!Jg zOIjvAS6vh6K?Rn7%uB$;dR%iyCseu_JjAE^{wgu5?KhUYX@hT{D&%GSF9QN2deado z4nv#uWtA?YkKYjGOkiKlVfVq~iYH3LmS7;pXsHFjKk!KNr>pb-UB$o0r5pa2xb}Yr z6bdi}7G_W>AQjpS-&8R~CE4}o0J}lV=AJH&pc^P4AXNF2mp;RD>*8DfTREdQuY6$m ze05fgF-#hG8Y;)mz)2IQba^y>eLCY6ci7$o!IyeZRNlPQyCmg^hSU?0?vVSHk&&v( zCW&xO2eKz`yml+RO3=bS(sO3b2QU3($DTEh1jEl|&fKsSxE@s`Spp$B>|z7%wV|J|MuJ!V)iBADm!4UHx3vIVCg!01kTL AApigX literal 81911 zcmc$`2UL^W)-D{&wqZft0)l|pP^uzLs=(eBkYb^ih#(LkM1;_rTLBdTw@8r)$dO(W zY9NFJ1OzDoqyn#5@m#yt=5au73Mi z7Fwjxt@cjEBS-h4u9{Ngd-9?*UtllZZoL)!=no<m*R;^uKq#b8Fdc_m%|Ry5C~U>US@So)PLg9x1&^ zO4D1gT@6T1KAD-QZ@g>oN{*HW^&a>x1NSeJRj3D%=f;b_jR<4Ie|KOmcGuEH z!xJd7Q=wmm;rqsnCdZOKmGZsx+&XDyGklYY!@?cPhSl9SCJGGPg_-EWPKl>tvrCoX zWr;dYd>5SWbk!A|A`O##yCi&DYvH1Zt0;{$KhkkKx#*i+m&Vbg;mZ+2yH9UOVkuNX zJ1EHOiGVNpKba#ZO$Hr#V-Ps7P9tCqM;$G;m_Vn(ra{Ig<;p#Igl_;k|1Yyqnv zGs#;QDHBamIMs9b?1tghsg*P!#({}cINbC?gzLmBN^ycJT$OGwFtop|dfZ2%5P7ZS z{Oupg_X{Qq7lr!BuP;VWt7PsPygOx+RX%$ug}L~c`VYYo|6G4MJ({@OhW)!ty9*jo zGVlN{>URPtY|h_qFjBZEy!&-tnT?F(^bUo%`r1zn{0!r&`?hBr&eS~dO+g;#`#!3G zmD~>0C3vlb(aj!`);9b13JOat9&!;-6L!I^*j|zq?%}z(Azy|1Bl5c^bWy6y{jR$0 zEwhTIT?WgQPw2ay+S#+*5NeaL(FYfefk7s9{D z=>Vg0{`HB{v@bA0*9p2Xx!ou5PYB7CveUD8-}wKs&wGF zw6T`|UxVzwn=HG6Wb>W1 z;o^sHCJQIlU6~BQkcNBS(FA=Bxwp z7Iq@>HTl-@uZqhdqJ=L->AruP^sypK+t(HnV34PTdi)XX*iGWr3tC67-dr2!sJ7;Z*(-s!6=B;7KAtM) z`VNf$8*o=Tvx{)3SMDS8>)*R3ijoem4bq&Z??FFandnkD7xvvv6;1-2-8F$Kn7g?F zZPG&jd+h!1+~WTR&~r(Z65VS8byahHlZ?8^!#Yk-&m|D|h!d&^@7py`ZG}lgJ#QM0 zKOUA+OrSIs!cCdV+$BGNOYD}1FBKb!xKIcmq{EndkoUVjJUQ59K$L;0AjZ4gMo>CV zrk+}qBkBwX0X01CHAVKmJ6uIIR@(OB4{zq!Z;>$H{K4B{U`4C6>{O&KfD4ck&>)lt zRg=cfXAi*z)Mjzdmb8q@lK8e<`30NrFrQ|EWiK!Q*mQuElSe}ViZ0;k(H4I8%nuLR zKx$AT9slYoVacla2bz{u(jvMp`^mteaC_Spf-T5QpW^cp+}fwvC_T6gKVJ62)wX=c zcQ@hyxnzQ>GBpfi+UpA!Ws3>-cn`HTWi2^Uh$ihm4adLQNLcd!6HSrZspnW}nrz?| zC`zTLnxE|P&d9{Ib(|Y%4A{u}+=~Jh2_n-OX9mu5EB)ViaP}jokmh532 zFr;}ZHhhU%z^ax>0BPY>Jxld`-i48B$PZG%b*yx+jw5s-KBCJ&T?JLwJWf2|U2((Xs}@A`oDYYH6yVK|P%7L{jztmPMi^Z#{_{Wp`@9kL+X zySMEA@WZFsY%Xw4dq%}8X+s0*CLatiNjslkr!dnjt{z+mDN=fe?$gCyhYxA(mxIW4 z!t1zmQ53#eP7t~Ku(gNaLdel|Fw)$S+FF6FK2WOWLjQ}V_Z{ipMBWrvQ7E+#dZV=t z?VK62y&qOgBZQt5=%ksBGo0dDPaSzz;*V+Xp}xG)6Pb!$2WAc-J1vgSFK@&} ze_m&lL!WO2O?=bWEX?kyHDwny;Pv&TFeY-;+;eJ!bryphak6|pA?$VKF$)eqWN4pm zNbx>iXg`5r{6yKcJl23+YWe*>s{cCorCaZyx^ZMD7JgHC(kmA(G9k1!ligc$k2vWq zlq=pV(l7rj&VF3UJZ@G+Q}a8NWG6jx48PT~^}}hp?=7I}wP84?lTObVcu@bCczd~S z?t2zEm|fu@czADICgBIkJpB5!`othgx{DYE0kx?Q^X*kCpRS4_}?|69sn zuvxRt+F}N4UW_Z>>yB7(0t^k8o0U2SZLM6#9Ny zNukT37hYd(t~DE9dG$Bxs@%5c-ziN=4kuvVcbIi^ue-5R4+>a~9oWbfaN){1zyWj| zO&2=UVlF?wDbm5{@Ro4B{5@>VjXr$i4f=ayE&oj!`+q;k{+r3vGryG> z;3I4<{#s6mmLmQ&_mSNmc(cU{l}b)9z>OsM-fG95B&`CeQA3M5*6XBpz_XU#%M8s} z$ZkSw#gN|h&r0#4be(LUbP6nR@`d>-5a-0i*-s|f&F}b@%eMew?wIqv<;gOZr2!H0Q%;1#fWVb$TBl6vUyb*7O)2} zLJK9+6a9t7sgiurZqIWy%w|X3HH0tUtPm++(qz!G6|&7@M||t%5hsynCqJxasQ?u% zj%*q*V8EY=T@Y{CtX?I;a=|jL#Yt$b6*Y6!#Lk?ZK*V^3?)lw<#3jB!hhO1%7r55P zI@{EuP6HN(+`c|?qTK0_W>Zk-M5<9aTsmB!>h5zMMmbMrL?UuD12zAG(JZ(mNOYJ|4${#oIw zHHFH4SBTw=VsY4eAvfg@Iu>gmC5x^P`}N%VM1QP*Il%M4W}5s5G(szOb%OGi=j)Qq zs2#aOemM5!?&@_Or*&0a6x^A+7Gf{H5Ahr4uS0yhvZhoBm(h_s;lrBvb(8ImTvyBO zi?6xvkk@;Z<$B-0zOBLWF|a|H#u!`nh*PT*=M*OecCaHDvc+CDCoI1D$5Q*hFI8-_ z^JDXUc@fd83%i|@y#9-j$DDlZK?45#u5P18>bLo~f7-AV&yjVp%8zjecQTGDdaiLl zE{k>FIeTK=7j|cTU;Kwh6tGE(?+(z_0H>l-a-8&7(Xn^=> zcD&869BNLD`u@>X4&U{U%zidh)L#Y7?nWXP{(#*6oAb_EtXskoCvtAxe+(%lbHdq>aV@N5b zMIJc@Is3=2>g0M`&|GA3HR3^(>;yYD1B6bjNz5Y!OGJQ3+9D3`T{WhL#Lv@(sF{2< z#U#~U)Izzlv8d!Y{M4oRSf||3-H|kQ=A0o{6oKIG3()?{QOtDT!j8QuJk|bb`cs1kGBvE z?i|?202ev_;WJ_}t?FYY>+o~qA2a8Cw$T_fgSj8M6P#MGjvZR2CSSYs@Z4(2ByTJ` zig1@qbT6PsWqQT+Xy(L-+%G?fWAns#l2c5gLgo3zE=GN zyF4o2;|>xMwT47SQr`m(AV1raXUDKVunvHUpti=C35cAv*Bk$SPP~A%u;g0SfLvVJ zu?D^nAc{~<*u$|!?DrB2GNb!54uB$2a2@LbbROT@;rx69JOCmt^ZXlDK_FaJFd?_> z?;AxBvB#e{6%8r;!JU0)=s%{Z`4x%SgFVq0^Lidvx_f=utmA7c15DxeuVx1ls{X8J z&?fcYm~Z#9Ut${!wrB;y%q)`Lqr!nb zR4yQ;%{X=r)n)pZo56}!eUE3yk5A9a!B!+sZy0GquD!Z2;SJwYwb?@Z3j06zu>Zs< z1lRK=*r(O}PrUd)nuA>^)CkRbpbJdDZ;zJ$B`;ouj$8{);4Z(N`?n;_cA}U)S#MKw zH&Xt^Oa9k0?QitiMuksJH7HC@1Nr*v?F3&B;pBV%%DOY@fX z9NKHYyWo*YW#(k9>9FU>PF+*E_!Ul@EzQS&j^&U)e2y2I2hR4{blq4fuDrKoDV|mH zRt6tGV5!!7@@WBF;m(A^YBx_v_3|RX)i+-J2d-|UWVtM zRzP|;K&)3&tkG*;#2Zp_6oph&Aam5$oHx^u(sRQ7JWo`Zf#r?NQDmA7_hfgF8f9W6 z2cEu*Y&u|K{c)U%B$zc7Ow!u5Pj|tQ(?qjtwBKD@w+CF<@c?477n2@S7^UiP4mB` zYCtp)|48@Sv<67|S#r(lC>uF`Z{)*!&F|&T_IUUh4a7crif9f}ol_r(>5C1)Tpr%S z)#yW*XiZ|_)7qJ;%RS1cd55L1Ovlo2j!LRpgJt_#T=8Kr7VpZD3~mZtxE@DK(S7cA zjZwEaG37SBubqQF+e$wdth%MyHZ`!b@Bka^b_Z3XY!elBvidpSpw96~z{u*QaCD2) zqU^R4iDnOT?kyf_sABGnWDuYeil_Srcz$OoL{~~IyWcW^(FDWWLtI+qEz;(xJ;v&v zJkZ7uyG!Pa6%JdS%f5M5a0R~gV)Q?A>5Q?@bXIG#Bz>Ei+`!o*{j{Txi%1O0;~I{B zR2y2=NFJuv;`4YeLPnnVkI()jO0qzt&S*nxKm% zIx3NM{_4IonHy+t3j{P*vR&!feD>l`q0q#Ocug7{GM1C$JFG%NKk)Fzpz}*S@Tl^f zd$GS=C3Mu^wojB1xSXc;5#w^9VQ6Y1)rKaB*vI^ODMo8Ro-sK2>nk)MYoDK#&#t2N)GqhSgfM3p&1A7V z9Xdi6EG9h0ElWM()EWH*?u>(zO1yK_V&z+M{gX6@!_e)uHyjMZV#qGRkV{5X#Q8&{Y#2CR)T==gm0k*Ejn>2?{b3G~cS)^_cR$uHj9Ckk7VnxrG@$j6WQ;JlD_w|ASwRJY ziU!g%D4{tVKJiA0_G4~*kTQfNJ*ge6#E&^9;P&qaiN6@&`GlamrpwKLDkEN zqy1!Fa@s2pI*ZZ~Zv5E1n2z-8R#d$>Ged~j^B=ij=AtCxHPS2p+?XgaJ*Lovbl$0J zB($#BKh{7_6ZHgf-zMEnPJP&65B|`^+v`gvsmySu+*9(Kp3WY$ahlk$0#T*pg6=d@ zTgHIPrROriBrd{(kY|9OyKLT_+G=Irtt&iyj<)od6Z&tjLX)nN>e-$wwKSWO!=kr@ zX|2~N#m2pgabIWW)$b}-7ehrSnaL5zXUuAccACrKqWXVPY5a>bQ>Yo@Dmq zKBAMVrk^ooh!z-&$8+sQgwD%6$Khl5t|g8-bl3}IcVtV9w`x)rZ4S-t@eh-Ue_P$+oPi0oz_+UXYMERA^nvB>@tBsy zf|gEMv<>s=+nupfPB8C^_GIN7^?Bv{pX$IVa4iwKP zh-91Y0e3xhIHh$q zx0;w}V*G)zS4MCmcs@qKyiANno%c!;>-T(L!;gVQIf%tOM5$y~xj4%7-Z4qNM6fsy z+4jc|mP)ZJg>hx{gmxM9qdZ8}A&3rSUeo-gJCr?jN8u85Yuth{`D$0S8=X>J;Vjn1 z>-N^UTQAqCQ7dYp8m?d*E~XIY?&GI^H|}N;D{u76k{p&J@=q&f4#q$M)&?PJ9w^&=V^Grp#uipEuB>)T%oETm4HqM;2~WrFn_OCOev&K>!_vDt-v5M=cBDM9L5AQ+RX;A(+od5M?Mjn-)LTzf2zyVu2j+)M+e7< zK_6Fza5wdptO0hAN|To%Vh4UE-g|fvv4NWS3(@*M2PNR81$;?M761y#w7LnY)OlXmJN|T)Ik0 zqB8_Uq9I#4g>RjQ4QEA+etFHduYM6(ze8s4fDD#{nJEbEc*>M(1)>{Fs^rbkzwn}T zVJ?U)1KObkrc;=ZMX*I&f=+cPFsK4t&|!=(6&iPC1bsOS9Bhig|1HwQF|Jj%%lq?})-` zKGt^gb_D{Iq;?Y9J13nR3oD4ICtWt}bYvtlbbt}-5V#ivF)G?5R51L|a`!cg_PoKc zkdq>L)Ea91z9xZDQs=ci;O3HTFf8nZ(x-UBg=v#>ruhsVMT{|}ptY8A7tUQ(^KrDa zMnPFF4jV2ryQlqHx6|_u{B>dGj(%*MfMExtNdZ%=oxe~ua2HqIk8`_ko&q}}dMndm zH4L++H{E_5_*17@OUI`*>(ibRu?lT`b#9AO|9d%}VH5fgYB0#AI|YR*fDLTxdDf$& zG-T!=F|5QD-g7OA4?D?da}0f043Dzf1@HHZyCrIj373vL;@)G1e&RMzL$6#?Pss6O zXm=1ojQ2FztqYQZFg}yU)}A^otKYg zyb2$n&+)qb%h@8)oqipvoJ&&H~DunWXiYCB(g^0^BiqRgY{P!HpF7 zX5}K%Z2H|E7W9TH_^MXH6_wFC9c4X}HJGAUEuYsw8t^twhwQluo9M$3jV}e9cmp=y zzkLSAP73YXB?c`{(kVSkW{>%hp-hfLf>ujjT$9d8{0?UYYw(;7G5Q0g>V++%@_A^4 z`PZ&aVg!oB*u}IfOepphjcY8s?jx4HSPj<*geU6e%Y3zVa_$24Hr1X*>-RHWbQNVw zW@ZQysq@d0MXyTsWSCootE`vA_*A<9cjV59#F@#(#iMk(YS`4~l#|>QT2ET*oW_!3 zQY(Yz%Hrz^vNx-lFEr>MXt*B=aD)yLd`9GVJMB*VM?0`w&z>#h&5Or4=fw<8RiWN)vI538^w3^+oQr&WSpwlzVerE1!t zqo{qc@CDLoa-NZ^!So0NC5;#pQ}6Yf&|I9LXZ+r!!ON!y?VPsILia0qWz{hNJw3Uk z{=T1#zYsLPxYOS$1@HocewP;eZljHq9{Z$gPm34uOBQESdh5WbD+`samO9|-68fI` zp+#7m!drwwq}CKYr?sWEvH*aJ#5IaK33i;b=n|8AsCXe9TrX5`5AFBMcD?Ug)o%sskn6piCYIMI?nHJl z9{$J?3QF?!J1o}olrC1mBJ0yN)h4)H|8(rE;whCNy||~$xlx6$Ynl5y(0iz6Q)Ca$ zA!NwKaDzBBpwF1rWoM?IT4{FAMBco7Ywz(~532EE(i3VzBE|R`t?jf*huicvh~SyM zV3&92Y9!&WbB7?h+cP8QZOn`0_m+3JE9J@Pel@xH-DeRof+&O(sQJ5n)$XL4Z z%q_rBpAT5o-`93)NzFCKWB(yjhr>}?cfT8ftApUYq-WgpXKFvox}8+WV{JZgwD)qy zbZ2_C@1r^qx>8|l?WE)*v58!qMZzTSBm3kCY)_+jHWcr2p6v38jTR3}dqZ1>K4~gp zbg0yxEPpGeUe8k4lkoFe2{-`<&L){#QC1dgv3hNzJhzmKv75nX8`zn8^oxx%MY~(f zs!Hx~{>-b)0={QG-D6p_Bt%h-X@U!d)a+FA8Zr4gkKM59;CnZ@=d*#s$4<0)SBb}x z-kObkWoUd8$LmenG3nK#)=L&ptIz@R+&MuY&!L2ntQtX#dA`hEkY>FIjcTRgSuN;S zZY^Qy2z?+4A2e1G;kRVT&c&QMy=&xr!$ZweuMCH{M75>ikq)C?m!`7a)&kU z5}czuRB1$-+>v3gh_mq;!U_anJFEpMOwNL8Q-kAl=+se45Hsny=v0J8PMQ>$1Q)~c zGFME8fv{e_(og5eSqS-RHpKC}n=tjVhoU-E&}XUDy9Vwm_ZD0TJeRkFxdX0|U{J$f z#r%+=;zyv+QzaU*a{=FfJaaioUU@QEy4aB6iN3pA>9>z~ZGb32ll_mnLD z?9;V;mJHf({sP@h+CX&DBv{q<&_t0wwctV!d@{ER4yuWHQiq7c-3#M3v?GhM0+(4v zEtFs~NI2k&nLU1^6-s=}Let>0PF75>_NKcOg``6GNv8yTN;mMfM;U@zF%G_PJYb59 zjEPide;A#TZQPuNNb?XRQG#R~g~wZUD4ywtnFC=(fo^nABad+ly2lnn6-gauZ}}!n z`VGW}Gtjgl7H3hDR9VTrtWe*|gnT=!tTD5u=5V!xaJ<9UgIJl&YAj49i*}2<2^T?x zG{0c?v5m$+I}2&r7i20dcbL|X@{2R*K!qT)XUQW*liD?6EL6`4xM6k&mdf@QKLh77 zy}0fVp=4|iqmzVt%q(ajF|Kn@r0P?h8vTU_w)bS|TLmuD8<2u@P+m#I8{%mhXw;tP?Uf|Weu5$MRFEJBM*C@{sDW((Q9ref0v@z^3}m(LlItDv z$`|jRrwv^~cJPJd7UZfUGstq9ts=A-mPMsOzpr&9RwAxJQe|1pHy>?m#|=uhlYmK@ zZJR8mF!lf{Nz`vACp(*FP7dH6sRp0p6`jEt=F7m{cdOY&bQI~gH)$(6mu2-2q+_6p zleyLxmXAK8I_?1nM?ByA=Iyd_?<(rawN~~gwPDH%a!vI+rayw*;p*k+ypomIm^m4P zf+Lc<*sT?NJu)6OS83L(F{xm!3{?Z=Ph8e@rC~8&MP*y(z-7y_9;0i(ZWP(s-vT_( zV?Dime;k!4e*>V+s`w)p=z;wew_~7MZkl(F-(q66+Qyus{pGA%YQM9BdBkFFb&Vo< zV6280dtgE`(?eNtgim^Q!nMp&n|ID!@c69(6J%cayhnvf-czP*V`8Muu!>{I92F4i z`N@(3#i2{E=?@|e!t~dVb`7NP>ncwAfG^%v=I)8FyhLiWOy@`hZHx znW+=Fkj!tIW>XXW-fXD7v#32+&c53)Evw%uq28MqK~%F^5%Xt0>%z{ znep?_HbH!yO&*(zuI~Pw{aUeSzM7Ags2~H%w#qvaeIk{@M1hKgO>Z!(z3R0+E~DN3 z-%3z?v`|nOi0KpNtRsI)>cGHsJai8yY%zWGx^8w`N!9M z0zW6`_VZ1J`a+^gzInGyT=KD&hlE_(ku`7>PZVF>D{Pi?Zf?;IM9o+pf#|Ggsrac% zh)Dj^W1! z%f_GBYKJ~ozPC)ySb=vXZbVW7l9RStGuRe^-SmXDqay4LEIZyiWRV{mmIr^@!)I@^ zUf$RbEB|?`g}s~gpKU?cbPkO$oFD(sc2WP|?KZLtj(wvX=rzKwtO>`&;=o(l4H-;Xl@C;u}8{LkkIXYZH~aC$2lQpA63jsJ8~ z4FW0uD`rnFINjy^m_NQnXYIrsu(N-|&-+%Z3r_g43BZ2etombv`xi`Lf5`ez!cnza zRu>blF*f;qUmpw*@Y@fhWDm%3N4Bal(yd0w?Z;_IFwOt@F$MOZ8^=omQhJTL-8KdhKYZ?$Y6@$)%aEL1rTvnbWO&;0&Bx82k+DTafy~<(et)-U3T47(IwK zSGt&?zHo>pJK;BLC2-T%QR;X0;1Gz?wa0s;O^U4M4jT?5ygmhWYexq{ynM7qlxf(P z%hPs=Q^9W+>XtvMFJMJ?MVcCL&GxF?==AQ&3}KF!6z5DdhU{XF7r)6_Ax=MKPAC@@ zufz`?WD3gTJw7kHJY@>*zyxA3^%DdnlIWua&%$4Fi9}@8M$cx~8WMf(qGwdArw2)V z*lR1OJ%P&H#J&=Q%9&T7gkrz6wAnE3?bZdr?drkXI|5S^D_cL(rUnyCBSd{=9<@eu z&-yW6^e-zmojFpQON{-IIF?`YN3?IADcSp5SYWhN}9p$cIBx2` zQn2uC{POpx)~S8^O_JkfbA|6;ncBN7yT!~I5oZSYIL>1<_j0TX8({hUB&5;SYD|LP zLTA*7L&xtT{?2#N_q(1}H1uG^1bn{XA}(j>#+F==kr!z5s^}PKAJ*Z|jyG5O)_gaR zP?TM(KZ~i4^tT*{YH5Ev5vOwgg7xa?kRWi_f-8D5eIz>kkigz7!$DE1g+aGJIX@+A z_UrMo?WyrnNEb#{`tf#-5T+AUzth`xet9fceZkktG^I&r{r<)P%ilM^mg9tvJEKx? zyT$Uwb>??Z8QWrSmfo|<`otSw{r+w}mwC|J5c zYOg_jpnGb0^v^%_88oebx;@J5c28F0Yb6uqGLO%_AJs>~kf>DuyGnAtf98Sq4*RwH zxRC4&HHcQWSW&oe-&xvlp&GEnxm{T(!}<8J{8Rf3FF!qBlr8acZ#d!%L0Bm{UhL%B zFDp-NoW>fm)39s`q)iV(cj+E1%K*OmEv^anAX^iYs?DECyfdYT)K9$6v_nr(tEaph zwWGLJhX}Czg)%l1_LyoqkiTe_`5P1O*K3{H>%a0WeIUIrtIi<2%d2#;zqYa+L`~PF z=|Soa|1(F8?blWk^l|OL*YlpBrFcQ(2uc6DcP)oZn-b)g!eMG-N879%4sB)#cZewM zSuXgbAj_OSSR|0(OLxAWpq6%af?N9t+9ICH>?sVKYRokod|^GZdTtfMb17fQ4PBtP zH@EU8fKqB1eZtUF=;vCV^Y#^*;!fIMeXDq(Bcx z%Tr$n1B=Czztk7*TFLTp00s=z53GCFzEG!~XfRmUH*8fX>u;Lbb$NOaubvPIv~FS4 z=}*l(wbuYD3Xj?(Un|{E#(R8A4B=qv6481%;jN9CyS(SJ8>9W1 zb=~pl-%iX2iAQQd%RDDU<;=?F0ujYdL$5HNIOpdLck&tz zG8;Tu+pw-$gLRr}dDXKL=^bAt0bRxc?Z9mh?ekX^zePtX-=$SrGAU3G46?M=2%i7EL(5$z9Uy5kW)S!D7DbhVi7>D^_=%k$L@j0Qw zr?Rv)ER}pHeg_mKNi|^-3eLP*z108$sl4`>bfZY9Xjt4~IvG*s)8G6sJfS9>w3n*P zssM_2dAcvS-SCTOjp1NDUe@u|vK-%iDF0XCXV9|2@(|#~y#*@J_$`McA8mSrWiCLbLrj51s2tF zR7qL;2r*y5XJ$4K_yGtvglU4LV5dBvf#i62<=$zk(dm`1cY*U&Tt+3BcCQeIJHpN% zK~NML3M+UmuBUb1VEWFyYd@H5d!ltMC~kMIA0ZCJ}ma>o?k#J1QEo zUC;+^In;ItS7!)fVWL>U&{HRmc2Y>`kaCnHYkt&hFopcPjg#lcFMXp2y_T+zHN_|y z5R!^lzC_|ibb}^DblukO?km5saYDbmoI{s}CK)>UzWdVWe~sf$e75a1eiTc9)*e_# z%_8Yz9mTq5GOVMuC~UXB%#jQg6n}|OOf6n{kjj{sBjB zXq$>0YWp~P#geL=IX$Q<2=a2mSkPY9=Z=x{HQ1N;`v$6@vYu&+^Dhg>Q!Hei(-dMc zW7OxFW>M@Lc%*i&Y%$fYYh~YDb9UL#)zO12(ZN^0iQDDd<@Oy>2`qV?IPrcus!lqnI?Yu8w`XwUptr5Js7Z)2?*_HClG{H_F=R z*6Zh*Doag@l3(Dnis!JvzFK?a71N`2jw~+&v1dhH25Av}Be|I_k%O7L2E(BSo!&JZ zwi;tIE`JxsDrtm(bd3i3f!$0UbC(6%@gx{-T>FcyuW?|Mj zM;C6GWWH))eN!;Ff)(wBiRx2nEHWR_9@E_9QU>L!P^1x6O%RzS~sCY7Y<5pAUn{k)~bwv3Vx z%VPs%ZV^>~nB`EIZA0G~=CG~+8ekli@*F>sXKe?8M7&5b?TvJafbaGLskyk9C_l;A8~HfJgsFaO%hDgTzo4S#9q@=#Dk zJV%7(CZGs~ofu_bHiR`CxO0&CF1yt>j7!shvj53(sxHT=uJ(i2UNb_{Sr>aGdd8vl zxtLVGzo(Gl0&6;iIiamsV?5d?oKwG@U9A{Mi2?cl5C&^hS{+g8*mn+Q%t?&KmvzuP zSzkW-EO1Do<=@X58DZl+qAAJQ(7tJl=zTije z%R}q+x;a}8eE}80%_eXBE^=#ZMK4u5Xba@_2joFBa{bCYJL7BbQGd+(;P+eSv=cmW zDK|f4`?xO0(XMuvlrRIp_~y`!Ju?##eLTmk0;ialKn>)1CwkND6o`k8Lv>{_ySGEi zIZ;|3^i|(_ll>_*;q7WeN=j0ou*s~}_nBvbpUVij@r;1SQE?APL&+GW8|HD6zV23* zO@p=fb|+4%FVOpr_ay*YK8kEcO8^dcE*`afQR)Z;qG2boYIXKKVn-vs&A5QOFZ4W# z>SLGb!k-MM4k)|cMNdr+bI(yxT=Lk==xYFhM%72Y=^spWWd$?!AeAI{_-aq%qs`S%lLd*#pg88?h?*Oi5Cg`SbW|orbe!OBl~^it zcrUm!>0`*}5{q~u`v$oZDLyIotyck_XzKMIc?+}6W4*-+a)di@q7Ut6k=yd`^l4jF zky4+rjEWVnKc$XneW(^s&NLhraaYBMK$ynBu7$MmuO&<4!zU{@0gU%LybcjD5ueHx zwtl+)pyOZfP1c-zk@%}_L$y-7<=*~{QCf)F$a8CdG;KUH#!lXSg(AQtp z;&hq#;a%V^IY*TW2VE$eb1AoLKjz;&Qmorr7untPwc_hgi#OD~(_PEtO=m{DEYflI z32kyIKG*uRM*}DzBSd$dcUK*HI6~IW-$nH&C_r(vjP9AI)~7-4PF&aluni%)IxhG3 zvQ6oj6B)a;lYf=|fbWAR6ojX4drA`78j2CU z0@V)M1i8IGw&@#XWsDso(<0)pop$FAkn?Vt?9eG$4dbu<-e~rU?F)<+N340|NwGeI zE|RYR(y$6LKokj>7@qdtw*?}mK7AMj+iLbKFV*s`P%xzUQn1fXmOHW8-y&dTPFftC zrtP2JKip^jH^xW$@U|Q9;^j=qBc$kk%C@6+qsX=_0X)Nl(NfXNl;ukCKf0>Se+l*# zuI8Tr;?6`D`{zA>22RxL1f9%FJnPa2*dtaLPPia*(a``z+yP?rd`iu&%y8|Xzf!7q z4U)6#49C4kZ`qPRolgzZ2PjT8G3@p=U^h#)pat167tZF8&4w6Aq3j8QmYS;y8W4jQDl8XMIA3yaF@N*wl6w0C?_g-rzx-q(mY9to=Y&Zq81A5_XRM&J+u6VMb z09A@*#aHwa-OJ8wlTQf4rF|vJP5x}oBXoEhBtT;IsT2VZxVJYEGLi*uBf8CaamSzw z9RoKuSJ)hiZ{ACF@kOHZln!qzk!5GN_f-u&FtSPhYAlZWEOeq&O?`c&uGLfs?{#Fi z&2oK4YRJP{ikGG%o5F_bgJr+e14qm3b^~n3-2w&5>quaQvXbHnbO^_JcMH8vcdF<6 zEpuX$0v?|M@nJTJj^pRr!FNhesk+qP4XlfM8#u-Pc7Z@OF;6>U5rOgX)JD%R*|TBm6`qRb6IIfFHD+InlY%a^ah%$>Vr6o%GpkX2 ze5JQUJel@F=yqerkXC|xW@Y%keS)T{Kx;(n$5CvC@zKa{k)Kv{ZDlmpXQ94uadvRw z)r7^3ZhzYyiIv0z8Dzm?(q2^s)og(>#{3xcn}=6+yfQLr@vkS9?GzOO6F?rbu~a-z z!b%}gZ()!#78-}Lm<*y37m}<&r?qYM5i|i0qPXPeN}}!r5G_PH)r(Of_i&2X@; zwU)E_pw)u%FuE>!!mGb+vW+H@t=_B@D@yg$Ph5Ix9dr3nIICALX88dUHv&CO(%)N# z)x!-&g0NQcpSs5w0U&PcNFpX!bXYks3Mi$32U*KD3xFIW8;j{SRt)R0!j0?;JEWEQ zLIaSTyfwX*$4;c81=GQuhk5lUt&oX%b08bs(7+b#de`MJ;G$!xxi5P5W#=x%%bAaH;Do^*i1;wb?j$UEB=qKV02J5%W4y96G zi}6FiZM3ToHxS$32O}AB&-FxdJ(kJT0)gq+ooA~pwY32c>Z^*WCoEv;@KGr36-e!D z282Hay+AxC$7+-_lbdd^-nj|Fwf1<)@&maF(BXPDP_~YVB_6ElTednGH z&t_=_1rQI5zV!dr-@hCIBi~gWoh2h&0+eyd+Bj1FPZBrS=CUF-$3l`aV(n7D>pGw;m z=?$z;JxrQlHL!ad9>k@^J>&^b2D>Lma~t!!FBKR@=qr&_p3b-f`_wtqk}>Hs5?t-l zYKjIOzWYexeOhuL!9DI~=L#YJRQRogkHO)8_`j>_8_n<;oIM*%E~R}w_~OiF$ZqL1 z)jsE|*Iuc@1#X#3`ppb>NSz2ON$ANQ%XiO)>imzW{C1SC05{a7c)2hFf%Uk#=6Z@w zL5U8a%pMV)_MYY|>MpR<7|)cv>h@7CKhcf&zsUOTxF)af|5$5jU9?rf1yrq~fMB(X z%vh~OML`8*Cn_Q$OIAW4Lu-*L3ND61hzpRF$leKph%yoZA+iz~A&>w8LJ~sO?>>qB zwBOh7AMy2q=RWtIectEX^T@MSNIOOVD5dfMU^=(55yxI;a1{SXvpnXM-*H@RG-{^q z5CAov`&2e>xSs?3x5<}{cqUOMFlV$Jqp6VZnUS9W6U-X^?73^~U0Sq1+_N|G@fk-_ z6-GSHo5oF+@|9MuBgW>SRhc!PrKd%Dyxd~fTb3$`t1bhriETExJ$j5?`?5mtdz6tC zmWk>uY|E^-OQ8T>081?W^tS#43K;_D&1wbuAJ1?l=yUJt@Q zmDkCB6`J86+B(o3ZwQj((U$Vy?Z;IIiUMF)uWeS3N?d!MFU(ZU4c%-2DP~cJ5%$eA zV7u)8)T_^Lg`Ll5kabbB-D!DdIo`}I0B_7U0@#)*yjCRg%rZMxWfBcMP>2VSA|D5m z(|1|G=B>Ki)E6ZW&w+G~nsw5m5}1Ig3uq929nwTeZ@NcY?27TrXM6%mjgXb$-l1&w zqv*BYx{ex?qT4?XUY>WGoGugtu!gn{sA2g0g=;U~pX>!dhIIy8_;k8t&Z2R#_FsvI z9b*J2564tXed;nffVakd%GW#c~54o7mctJ3k?LXiDgi){M+YoW{{U}+`=LF}uw z?pXsWqMBK7%X5r{nRD^Jm(Jj3PIo$x#%C$A+*bE%C2>|A7R?ZS6aK$w?Js?N=^Na33UEvvA72$i1 zJ?a0Oi$`q~fL=;YN=si@z4|u4I#^=QMFItU;Y%FP&MDN(ssAJqrO#d)3ig?;`n!O&-=FJdPzU`04CVjaufqciAW%2 zP;t=y#y7CBF9!2_4`N>b-0k;1IfKq#j%k)>ydUH}d_b-{U*gj=+|6n3Q`Z4N8tBC4 zyYr!Xfa~Zn_=DTaVIR!DFmDxA8`QGGJUzB2oiTg7-^<&3yCSSZ&+QFJc3tvjIg49H zr&o)8%9R4%;YOU{TL4SGe+7f#HfaQV_lB^{JX6zFtkuqk$MU8h`i?z_(7JJ8o_94V zwpJ4Bc;-k9yF9O{D_0ydGU7&!@ZSA1tghzE*&jtp$0yC+FW{I4@@ODMSPAcD$DaFB zb$8c-h_V`3?EwbS^1f0T;xzbv(*Bmr;SR@MZ~}}AN_G9R{bC~|OE{O4=G5@ABEupw zKl(6rmUf?9cXu88boAtFgm?Y^2ipoa z%ENNHOTITMKv;&ptlEb(-8OJ-Q%T`T{OiZq@o?_(jZr^gdk^*s{yZc4tDq@wi}X=U zQ+Nz3WBGTmU1neG$_1aNSYJanTEPRw%ne~lE#MsAd#0GFyrLMSUx1)Xe#?vQ09pmW;jcuYi=;P(#Pf5SoW=eDm7Lf6&P*kz|R`+xc)Rsx?6`(Y|W&p&7*IzJ%P{R_|+D&zm5l1-I&{ zG4)N?vK7IXT+AL>djT<#<3ZYYz)>>|@5VcT63sf5v(ndFHi|mlAL@$qG^%`I{OYg3 zcPD5u7xvZB#jAP8fW2{O9{Nw;YrQ#nv1+dUI4aa{3jRyv{;k-+i>sB-4 z0jlcCwO8#JUpk!%A?SlK`6Qc1laeE~2S3|9X3HL3SPQ#K{=%&{JUQ#o;BZ}MeP%_n zt_1!HSpSd*WLWXr@R;sc!<=HJX%2I1EG`@12C5SvD?i}+MM%&8illNvcRW3<4pwRl z-PRwi`pWt|h{yNp>WJAX;_Bz_HsL%sP>Tth*ekG{{|kC=!k72fRkc-A3@9AvM z?8*g5#Z1n1#xdww7iLoO9i3*hP3iSSZ9+Xz5!Vq3YXe@*r-^$V%a9>PZttI>!hM?-DSfqn~sA&6cW zA8>NzN@#(f75PkCcVQhAUYloz0CRsHek4 z+B^lG^#lzWkNhI1=R`sfX;4g(ZSO^B!QTCkL}8t22v8<)_V{}>)cOE2SR+Du#F9$^ z*2o1=Yu;nniO>EOFb+V1mPlLpy02hQG}*!dQmuc}>ufTpMzH2T&b2g|6DI%6TiQwa z&VXW-K^qrs2=7#(@=rcq+meFE2DY4l*M!=S^X|mXCT$2a_uiMB=M@GeIzEFfj`laA z-?*Jy@CKOo+*yyStC`{368{p^C>y{5wgrS|n%S0%Wm_gC$2@95)o&7gVx0E#z#>?$ z#^twOH}{fc8s6bZ(yh+q-wpxxCtQ&{j`Rk>J?6wyc{xb5Jk1ya#T0*OOo+GpC$wy9 z?4xP`Ak!33hf4B^3BqS6{RUklS5#1HoNgZaIb+!}SqLHW9DC=M*hhT`&-6-P;PmEfeZ4I7iy)_rqp7kNmb?=R>rCB|uY<$^;My8RZqf!8AQL#gx zuQN#2r*UsT7WV8i+&MB{lJN?_d;X;}8GAr-@T~U}ceR+{7`39c+&DZ_HS_1qKw7}T z+FZ~ju%dDtZ3sx@p&?PkCM*^`e@Rd(?YQ$iwxf-*qqV;%|CNf&J+4<^ivbm;@BL1K zF`p3uCP>6O+r6770m5n%$#a{3{3qo<>s>LWM28;irzADy*Se_&--eUW zZFcl^7`|PK;+-d&h@0#~nX+fg5=~`2C(}?nWug;SDY)5^+#pK%caw)`C#sWGV|~H< zWu;8)$Qr+`hq9|6XdXwE^Fh|)nF3NvkYfYLCAASzA8?jTZk>D--T3CIRwuscMHdts z2fa%n{5-xAc2`3PlM0gj(`*VglG_vVXvGWkPLQ{XTk&Vqt0((p4o!}J{$@|YD{$7|#tP!g`C4(orgoGK_ zT*m>F)8+ZyCLm6T9?adDnP^Mk9pMQcRRGK^3KR^n{8&(mTlHWH2FuoryT;8VB-YHX zVNQ4`>3~p#g~#444&8Y2%FBwlL~2!)vLPfdL$b_(Z0jR)b-JF~=v5!^M0elFF;{Q5 zewDQH$O{~?LSB}5XGaG=~shZzgovb*t@kg^8(R}){ygb5W zZI@q&s`%rsEJM+2iYw!#Lipav+?BL1GJhc-7{F;gi_)d5HVunLUSW^wg+Y$@9YXoXtP9WIH+k0`F*Mm7Wu9b{8y<+kyquq*4;+42V`W`ER_6fi=Z zR04}~Ehk8C@I#)4nADi(ym?JFv0J@@H|y=57^l=ovX*^G^({+Qq9#|8jMY{&#r4Kle;*4P!>JP7rqB{e>ZVE}Lz z@ks?Nw=-$?h7$Nf&Jk$4KAy+m8}ZyL(oY#+jP_wcGXU!JKohOW)Ih^I9wWMKIx@Yl$=G|@+Qr@dBfUFE4(nB=ZKr_ zw=JgmB;LpKSl@{vb^`rEsEU72=3|o{Fo+nT!gn0(@4a;(wgu(jDQ;uf2I?AD; z%QG!R*D>9NxX}72fpkvVg;vlpU1l7z>YPufm<8ZN%n;!^JE=g^*b2-)iii>T!LSy;fV+l z=SrvjbY0>%y_j-ZLyZU(EijO7IJSY;NyWG-G+5NTp_AL=zEjo&%rRlVby9}Oy1J8n zZu=KXx?+!wPA}BgQ)vdEoVX3RJAF-#xx0GwhHps4MdmEr*5*|kB7`=R-eZ`@R`o2) ztuzyx=Lfq=d$IMMJpyuD2-(1j>d%~|AgTeYA7n0Gdl^D^vQG@8uRqhY#`Zkc1g=PU zVf?@2c=A#CRz96}DQh5Zo%A@FmU(ckoXW^Rwuz+UykKKhW_+GN)w(2nd0~n|xYyi7 zRr(75{`6PNGb3YX&1$ajj$C%rV+w(yFh`rMKoAZ~)IbC~YlFBJ!^{aUapl~VGMwV0 zA-#Yq(590Vtnre&Q6G%|njG9QGd(lv-;|QMZ_-1Y&BRAYX-AV+pB)2Pm#Poy+Bvc; zZ#Ww2+X6^e`+v5bTWK4lM`c)IQz8Z#oreY+&kXLjovsADXMLJ{@To7*BzW0r1M z`-dyHg^Tp)mk~=|Sr+^e&aq-cExyNrS#H&Y6WQOfyK4Novv7OubDqr7(rAew!?jkK zXqK;YaLnpLX(h@_AgvYVFr9b7A6#BAT%}y5dxou?nTvdP8hB{c zoFhI^YX2Zp%WV#7qfQ4o^IjnRd!>&E`ivC(c3>8FX}+ptJ=(h=**m(8&Y_injfZ3{ zDRAf6&|(mgEhMk~vYB4{%rg1=!(9?N3zNgYmwB0wvkw{|Oct1@hhxHwU^)d|py|^w z4fGj<7eK*c0>|Dq_N#yFn8~@2>cI&nqBx+3z$yvoDetWBG7-@o(>-x2KLcejKhr~? z>R-}@R(4nBfT0b5d-%S+Rw)W*`M|3{m$1t)9b(>Wrb?Nf^E~HVq?bD728~npRbPD} zOx=$WVE3+pRp)vP%_lvSAAn#{P@cu?AVqAZs3a29yJHpP-sl$vPTh}f42liQSX>xi!Nzp1KQ&?rEL9CJ zT-_u#2)34B(t_QT-5$7TvZFhbKR^pd0R4{Xt#XOYZs#tnM%C71^18S{lf+J%uqs>U z?C0B1!#-#o(dww@RnP%^;r)Ojcj#CHJFEG=)s1(F_|Z(q%F!FeO~5!~Wm(=WDmf4t zT8hr!C?_U95F^5oY~XwIUB)usM+ojMo!F4` zlGIdb?DNH$$n0qegGrx?CD(kNQ4#-T99wbT1)W4G@N;9nqWbe~ z*$^Sn(AHT!f&(Ol{r4?wCz-UMn8^k~_;*a7F#oS20s$a4bL5-=07H>pAga=4V-y9D z4bxNtTA%l1BSPGi8-VUx6^-BUEw`3C2S&fz|LxY2DMt=9>Xb-9vLU=aIFS#g55`gY zdPUU%J>*^z;n&KNMGoOEg(VZEvCTWd>K-5#SNVcSHoyx&0|IaXBZ2bXr5ObBW?f3D z4AiV?zhsbDmS<9_7r~}DUD7l}@`Mg-?Phggkg64;d>89T!bMwd{eELfl^ED4w#bU> z!d6u-%d3RfRy7;@1J*pR=6B0@E9WK7J;trMJf&?J3(N}eazKH$Q7@} zH~QzS%ysOyymtnDGn%|Y`1$dM=xVwJ!C3XHYAESR z6M3LizJU2c<+zVZ;&qM?iFDr zwaF?}*!#t;>;IazBxfHV@WPFQE@f~v1oR|qS8<@8As>ONIsCzn#bDZyI$*LvwUIem z9Su}Wexf4aq(aH?0;2$8<8v#4zdO`5M81M(kgi~#QbKyZptkX{JKQX!uFxH1K3ghB z7F}F%K5D>?@fa8`M8B#IK*du~<~=MOZ@<8U)m>G)`vZyIF%7exryHoI#$P`el;se3 z54bLb1&B^u37xd!C44$g*LLG+)%f8q?6KIRh|Aun*>BD#2XloRy=1* z9)Soz)gD{S4&QiLXn=Gc_>t%MS4Xa74LR=$E|#BIdi|R8Z6utgQK5u7A@LX2Jc8Th9&*1RePBPn0{fcnt z6#y8al6Qsk7Y>f6G?h)o1czOM9U!Rz!Y56=vCKi)-<@9_iVPJUB2?xs7_#Thx&-}% z?Kd-G_#_n@?m`P?&jsG~mUrCxXz?e(4!@I^LKR={g3I74oY<#M#z`~u%O%xH{qj^ZEv_%<{yEHK zGcRYH?9NVGTZl0Sqi`|sTQHZAnT!<>SM=zA86&7J+`)%InOzP zhE-gvR_9k-789tv3v?mom&azRK{s;P(XdolowYj9JCInql)_dPhM&G(pXo8^Q$v%t z5yKbUrYo0TlNzo>kSuALh!9o9^!j(Ee=(t^7kVkwC7cL)Q{D>AYw?Gk%AXI%&h|kW zBe>%re+^ZrKp!Bt8MLT@b{-iE+z|rSE^?yeb7hL?PjFXluXJ{@6jQs^!Wnip;|sYx zVwr;Zd5f-o65_>W5kIrsIguse{Cp4*g_O}lT+vuj?#D{gu4pd!YUZ`q!pCSmY`sgG zJvRsxRqLP{T`tzwu^<>usZhmix`YR<2RWPOyo{`8aG+T~C(`qn3ZuR~;j{=AtpQ_g zP?L9BLMp|;(D(!Ax*8F;Ft3!Hp+(Lf_;G`F!XdQMUqqXbwtuuRYmDX^(ofVT`0>91 zz|($kezUbL0!-(^&Q4mDCAf_R^;53=O*~w#@3`W5b%E=NjnP+rMJn^ABcedT_eq>O zOZwnb&+it=?BLF|Tmx#-o5t(hG(+(jc$vT^CmeYhgj70t5O$hZ?ri%5NJ`v6u^bqf z$Ls$*gxl(Pj?Ak4=_P-Kd5S4i^vw0fI!GTevjl1_ZS@d_Q%*Fb-F&6It?aO zVy=XXMkFDQLxZn%GwPIGY51Q-Zpp_0?avhzo@BiOT_mR|2Pf2^i_IsW*wdz<4!X-u z<2imA6pf1vXxPIdfolBsAD5Zwo3j;NABWwIz!`6}H*7+2?2SP@f){@*{CL(fz$Ta% zC91Di%DTBNw1>;JVXfExIUp`t(NzwA^yYOu!(d}yM)Yy}r++c)cJ+aJQ3a@Qhd~Vm zet|X_>mB?G!sBJ&at~5z@cskrK*|@A2Q~1`5G5~oHy)A5N(G#F{MqM5u2uF*SHd`j zl^Pw`00DWQ3i=9Vw?QpJ&H?=sHiQI&t;$@ewzFES3lHYH{1Hl z^pMDqpa{rm+BX5tlzgiYi{Sv=I93=hQ<-8@B0csKGm~{e?_qGu9Kqqn5}4)B8pU6Q zPzB(k7-_m3w09FVl6N4IXHPk5^Y)zS;NDjsZ-YuE4qU{U@;jk-VnufG$5?<8-&u34 z^1>0=lg0m|F0GrSYO}jPkDif@Tx-i|+TRLo;u#1uhM`ux==L{*AFot-+XRF9#I2i; zs+(pz1xG-EboUpP|Bj+6ol?XJer^{GxhkjpPA7(@f+Whs#dS?H#m)02R+$b(=3ntp zqBl9iU7+L0@NHNofdnd>7rq#W?J^Y;(&n|b=J8nbQoTC7=0u4fy zKsXNY*~NLYNHdBLcOs*)%j(d=r#94}g#70^W=Pp=%J83a~~u zadAye5}KLFEv^&@f%b-$6qeO}c8uUbRwz>G}Xl)r7II_%asi1X+Ur5-YBwMye3wGhMR7E66`W4qu7Cb+Z@{|RtSQ`jGwb9HN%DA7F;Ere)%l1ptuJH+u96q@KWk*v^`gjrd*5+k;&im zF}^LYymJb%I08M(TW~?fjAgufF_lcf&cCL=jUYrVSfFjq(^kMvK2a;yjUANo2yzUA z;p+mPmY|h=SJL{{a`qlTvun9!6fCEAK>?5vf}1nCg=tX3Eqvgbs5rfE1MJBG3z3njG|9K2tOk#V^pGvdcolvibXrq8ieyv_(PZ#SKji1vT4{! zu^nw}`p~&kdYonEvjutO@aVVA_gpU&FM{pXoXL$nyKrM?0b`O75ecoeRie!PvN1w7 zd80HjZDqfRd+OA{PKHecfjd$vVmDu01iSDMYLxx3iz7;=Ur(fN$&2peR>k2>`$zZv zfmv~~?Wl26Fh==QR{yNZ)4{EJ*pcCeW1@YFVX%GMq3>QkIj3mmwsMO&fgru6NSW4S0=v56KfF*7!d#(E_u&Pu4MD*^ zU{hVSmqlYwL#(5i+0VecspECtBx@Y|o~vIm>}qB9zpT)Y8kuzO>a%6ma=HIJyOW?w za)kSeKG`7g^VeRzOqi`XB#GRYRcV>F1lDT9fo$xr$1$~;;j%dL`&<^l$fyR(G@Jey zzMw=a*k%@2n4~`rN0wt-u36cBp*DDP*1vDYa~E@=6Q{>;Szkzvqj*@MW?c2E%uI5h zzhF==b3S2uMqs;`8Zy74azIm+2MGYBkMemzB$A9sSOYlzyylyiW_O<9rPr+BYu9w0 zqF&izNG>2ul+>2P;n0?M{<~%2GJ*UWoh?@&eIr9+up*ePPg}TmRX(B5EaTZkE0{vBoA3@5k;_eZDh@Dzj(~xcZt{rYaM7T3?Z5 zKYwP~%+!mL_)vNYb8z1Wi|f2jLw!mI8XhtoN0{B^XnjSz#7`uch@Ng|Psu;_(X9I4 z?z6+J*i|85g}0=n7gZ_k9IfOh-Oi*4Gr88EEc}BMIEVu&UpT<59dFd8O`S-yJVnR0 zV3U|TLTY?m&n#kOIjXuy5%?ih&A$G!GCw{>t%IzWHQ$VJKPv3-Gt#)JWi7nzX2{y% zL}Ybz;4f(#VWSD^uT`$^rqr-v24?#?SrTQ~nI(*5N4z-EiaSuM6WnS2JJ?=&=a~dN zH@UQ0x!EZ9xx9F>K-oW@XQv_shQU&;G^+54&z>8KL#nb)5Vw1BOKMmIg}o(Bs1z0- zi`pj_v2D65dDlow%l!~VlQnIF7_2p*-Z2MvcLF;lU3eBca{nO-8c~UwYwLLd+lAH~ zc^4-#-T5p{Dy0(=H^zFEZ_15lU|xpL@(SUt+m>9d z1R@F22Vm@~xhX7>z=|;Er+q;*Jy#`pULK*Oc_P*YH&`DAC##v`O>-8bl}DY=*hxoA z`{1)gV>`rSNZ`P)A%o|HkkD0@vs;KXRUED5^3b?2g`n^w8mQU?%b7UVvzl+#vT|fo zG2)wfe8NT`{)njQj3x)9&Flh19pirtMHN9~V`kR+;#(&Iqy6jfi&D`RhV|S5 z==|vo610PdMfACSJ7BGAG_p4lg~3f_IjrW0hATNZ+I^SCPVS%8+R*boDCOw1wQYv^ z4$7ij%gD)31k7)Z>==bFkQ^ZWlM=rNU)6bmw`fFAAq?R673W4(VMi&pJ<^*hVeb_p z_ZPs0i|N#`KD1f>fOPyNAf-Xj$iunEp|I3L{~G6BP9?*_y!M&!CPRMe%sR(JiS+{g z3XZ!MdK}ACqH!YQ?rwvGX0?bZ+67)#;uVnOn*WcDrTvP*4aLn-(KRBp%C&+l1e$js z+yP-DZvQpc(kQRR-SP@Eo8eYD`7!V`EOo>G#HwU`kV#5AMgt@MJ@>_J9kd?Jl@ToS zZf7^C1Y_M-yt#Y(=*Vvw!^4=)i(ttWh7^5IRY$n~@)lm$7iL(@8WbH}bT;^l)o$1Q-)QG)(uPmZc#%pMCelQdl_fxf+>uWn@a^+PJUsW*0scK+5)oOOS=%3tpeXk{)u8w00**nS^c&Zq|c_$aHR?jU#5ohlgrY zF!Z__uAkJ!!Hy5coyI7p{==};*{bN3?D<>tY`DbGJ=WTSFrO{?i*GJaZ@|hmkyyg1 zBO2Uk=7nY8>4%69&UCX={?Fc-ppj;Xo_{bST@*)I$qZrvZN5YgU?$Yaw+5iCe}vxK z{)dByx9TLMC|~G!9OG?Pt{BXOUdgnXXE#KqNdUVa3%zBDfta3NJxDmSN1xJn1n?6t z0L|z>snHBNR+tsXz_viV!^p1~TESQSZ6RkWLrEkDUOJc$zYf!$5 zMl)pf@L)wgK8!jx9b;)&P(aw9wi-5iLt{;|YRD-_i`fNmfZLGG;LArsaOjF)AtVps zh+@H53!)0u6!)yCD&5SM`+ClbLV*A0`R?Kx2g(XswEI$NVH$D(GZCWPoOi!TaL;LiquP>c5xZpB7Z!`DKsv+`6@a_k6H;VLx|IuS`fQgoul{lTgZ66J2=!tB`N=yK8-ECzN|j-K8Ic=)EyG; z2Zr%vi@$NX;&c4UeudvDpd@e$`2p^l0KVYef0Segh0iV1_Im8{ei%J)o%TKX0mP4p zx6SQANHnmK5CQ!3sPH>ARMY>QAJC5ku2|8Ej4*Q33jUP}2Vi3_b>!qV;fFL{EG#2t zUP*s%%;)<4hmQ}LqVOJ@kaxKwGqR*Ugu$2BHS-qsGAtuNM3Exgt0kDMIX^j;2wBE| z`QMTi=X6wW6d*dq6p!T7_~B1e(6LF<0>V1-0~2(a_p9$oO*=vW?LUSBA0x3SkKfOn;V)e@yoV`;nHiOClrow?o-IEFNvF)48$tA#lU)#zgTZi20LPI z{_n1za+dewIQPGnekLW*YHVlYT>k>Q^9zU$in;>y6_cjl?0|tq?++3LvFF+X(DcOq55wj2H%7hlq;JA z?~FJz(n&TP?xl;dZkMJ(VOqikaAupDut-I&pQ{|lWLN`DdeP-$2c3B8-xFiqoy8o@ zN>k76AkMOsG29yvJ1hyLcUk4WU>)!D=+AWB^pfa_L&&wOK_tHLp_b@$CQ<1HMYDPu zhZD$`rYSwW#5Nh;DKSA&599PJ_vSrp;+hjA%!bH&nRK$TPJ^)gF0utsuWG*!r;Ldk zeqF6H(NIrxvr}SVvE@JEW0|O?O?Lg6Kxo15XrxaWC%dg%Sv7L9)b$48H393$ebXg^<0qRJ!i(PjpF_(RpX*6EjM3v} zXw!B=dwi=!u<+7#=cPv;W#40Z7CY%*t@D?$MLXGHpA!;q9FDxp)u+mHIB9~x;>t@&qP)fNIQbjwR`$dh(wSSLAHjCqR>WfZZcw97GKQBK4JW_p=ioHySlt!F|Jxs4s zy|YkF)C~}HfMLiWjIriqWOnMmNz;~Blkzt6!KH@J+r0)JVgS%ZL?-EG7krh&Ak(1ul`%bP2`q)!9cIA)HtwLRdZZh5- zg?LtzJl;mPr3s?@q|0Q`vwy1182}t`BkQ=%29b(qi_wHB7vm=J#p3_vu0MRjv=13~ z1f*2^avPVO^WVOEMGxi_mNg2Z;h}(H^)jvriaGO*72Lv?FB0w_n|i=Zz|DX3F1OtS z9c8at3vRzFTegpIQ5L(5xZTS1G@@m08&r?lbGhx;QI27X00ml_}%);66sXbm8}Xs*9*wi%(ve z?Om{fyw$503A2q*M&}!(xaZ^=fqOp|(?emloG@1=Wc8dGWGjnyppiqES{(NQKBhJ6~T$ zq*zA@kbi8AEUy`>8z9AWH3!8(aMd~up+A%@(_!f(UEN`|?>?eE9WN1;TogSH;mbeW z$+kaqRJNy=(RrVk5}2M=+st343+&-O*an9I!WVf)G)Om)wI=B*=Cu3Tq`x0Dvy73wl{}WJw^GtT>yf_kv;FuK<4?;{q>00O+3lgJ z&L~6&S1qe2QI{9D*6ukIB9oYTR}UXL_1l0k_z%B*4@h(!|Ao7@lql}E#rK)@%A1<( zioZEZL+&^F!SEguUQ{j2uwx~;s(P@>q#UGIKeA(tIS2C-8r&g+~E6wCVedHb&P7a(aRX$K>%mryLgj% zJ^8S!S2d~~*yOv+tUt89Udy~=Jo#5%^9HO}#3tt&$dvcKFAz zXXLJA{py(jt?gt|B#2Q!$fIxTBWWi*Zd(Z(JE*3S&nw|jtie+I*Cr2)K(&u5Eb4ve ze`RE`>y0M=kK?YOd+thT49aM6D{;;$7g5=a;>gVJ`309)nG+pJ4g7Hk=ubN z*a2;gYF`i1-H8_g^Nlw*`bPMB=Fm$ZH^D8J!Dh8=Lmi{i{~+qsBG)Mg^+Mcx9}=5k z;hecrA2te#G6`Kz7ihzlzQSH_0-nda7hco@Dx>O<;OudfSIIOjG377sACqo9ry~`U ze#Ky~(-PG*dN6dof5%JyXROJHd}8%Csm9p?c-UKG$gWxd6exZiFRcPbM0~3YLQ%C~ z&Ke`~OAl(Wp0?uFYlffSv1r`<+J-szN?u>R&)(dLil1!_gn`wUIukEs@2cyM>gt^g zptyMx=3BJk-|KWLX8&9)!HXd*BYUb^)YD_K=;~4pv$g><@i9Ay7A1Us>bF!wBVD_7 zSq!%p{^yM*94B}f%iMa4RqP@U!R_mIs_`9QG?JV36=oA{K3%Kfd=)YS4Fdh6Ag_?o z0afm{>A+qd(Qv9{awxX+$xkLfZ(nP-HjA;pg+IR$3t40Njfsy-F4cCPNvs)tm?V}R^QE1BUK~-v z!_V@V&1nPzmlJPzA=~soK<&lJPp-tOun`(g#+x*V0!FFfbk(s8%orq0{KWJ!)tGUy z`(oH$b<}aT73EbkZ!lamee-wU;qCQv>-ygD<7Ejo%ASdbOD+|-PQuF+NdZkPRixGw zNabJTZA)SqlF6!>qX1d+-WLEn3)9F@aY4$?U{>h+Q7yDr(TDFI+-k5dx>vYmWv5{h zv%T=LZKjZXcTzV*Ib9YHW-y|fzbc`R%Mvo8Ks_L2r(Okr6%qwtIbMngvdt zSQa*CRonymJk$VX-PaQ}QNj%<#Qi_qnlRWA{?I#!_p^ZaU4cVFQw9i{@D^4si#&jE zZlT!vbH+}vt57llT=1cmur8@Ra@Hko%AT^6Fn?QNN89W9HJG=fw*JTK%HnkqMZ@>o zXu50SnjSPa{<8YhaZ>0*=AcE2Z&Twk5QI|`hXJ+EW*t^6Yu-q{8DgcD_;(zfW! zs>P=6SSdYT*I?zcH+M$1`nVkcBLx}TTlmAOpPofzB+csfnR;M@p!L%`#nfRb#obDL z-LODErVpLZQog3ZqZmG_`RVKD7TFx3&ZTQv0W6+t=*S|>5vW*MHEqAA3GBo78tQyV zh}R)(+WtN1;T^_bhcB#>rqN`1`MZ7B%N20BcU1c0cj7xQW-Tq7W+y5x49X`yex3TA zTEYDC^{o_Ld3Nk8&AdWSN6S~r*C(_D__?0ADeV^Sx!IaISpl=#zyc#mVEV;t!PaYl z|L=MuS+mPfh@$z*u$%KQRxf>*B}|Zb-|fmeetnC8W@PPf;sr94SR@)cVb5 z(X@-~Q<9^wwVN~t{ghy@ix1;w#uLevKO6sK=CStZN(3&93-?ApKE8i^|L;xNIUCJh zJ{KCdXe)S4X!HV*K>3Qz;j%3 z-j27;sav`9=slyJM|eVX1j1MPv^<@KnQ`Xu zBhDs?yOA}8txyKdMHE&kKlta_As#4_R={qjs(oQr9XM|J;mjfKgF93fzWvW51rrq& z=uqNp5mNr>Rm~4SJZiF5eZUb{F}vX?UUU0(DuvIVA$mx!v;b$BUF~x+nX3ZT8DyyCO zoBNK_tw7=Gg@z364D=sdDIDYNHum@5C3_kBMt=Cg{}6;@HX)ZO?`Taa`+>Jg1R3~TJ>-G5$?|ky zsi!quI9P4Unkxd^l?ORnkM=zJ18Mv!^I-(ycdq>}NQIMYtZ(Aq@A60E>6n+oHE~md zn(5Cri8vvTXyCXd-#kpY0~{R<0Z8UD{u)?nm}b?}R%YJwg)gH_F2=D5J7Ymiw8`4> zmNY>%L#iLL`~8B>?BO^Ap0#j#ag&`3K>-XOC{{6>kW^HY0SQ1YTMQ{=B&wO$UQ7*8 z-P_rN%!Jk521pkeK=ja3c#FeLkL;=UJ+;XFIEV?#mi_UdTs0-tdmKKZO)uaVzz@x&Zo`Ctn8QmIYF_5J;~HWEgX8)`Ey))i>^wU z-=b?Z06bXZtB)J^HS;gt$*p09jvtIdtS;u?YD}7V_!SJ6dQ8KMMSkAYY2)hCi+Z+L znFUkp&LGSKR&yd3YPs#w=@FCkYHqSF;V8-yfD*?wwZ+z}#io5FB|v=HH{;)%r0mo; z+x`5{@DJN5X}^L!`q{bpocXT)z-hgQ%tdJa*Hlp`7o^L z?l7%yeyCz>$V>pF;VdaE3O2@=SHdUvr6zo+-S{`^?-XCTf1QRXR3vmcdhqmLQdI0)+tZ zW6#Kn@{ENNZ&#CkeVwFOfXRp#rk~8`Kd^#Fg+ohd*@gvFkoXt5Z)ff##QXw?bA_Fl zE?L2N=K!Y3Ud_=kcU`gUR^uv071kfeTw_l}^xRuI0jAAE1u5^M?6Cjuk=T6FyP+n)?D4o_rzPMcaThh=^&gYeFbreL zSVwhHl4MT|?unFk%+&8OI+!>5tdD)Si?V$9aSZ;Kews_M;#ur)(;iEDV>*u0@pNJ} zU{C4}jX0dErnoKiysR_XcIWK?NayL@LM_G;KD-+<@2KB;*^M_pmaTje-a~{B^x$S% z>T#Z1$LC#kkkQ_S^Kb`TLylvM1DGdx^$`HT!H;!i+*`T?4glCp|Gw3Fo?aDLSUmY> zELe4)cDf=3XUFZZ!WV`236MR~T06l*+e*b^^9WO#(9bd;g|vE#k$bdJObi?^)#bjshz>0Si(*|5%tU-2P8r(Hs|@_yK?PC1Bx9SkC_ z>vT2}1mYhoggeuGo9`#sN7OV!D6gtNk~6#K|2(%l#x!~+g@o(sP#L8VPp$scnWU!+ zsFjoM?YgtppSzbm=hCxD3$)-YQM;a!55QF*U&(SC!x_}*oKE8nq*G@dkCugOj2mzT z&y63gygYLs$J|-7%jzRIMS-Sxm~6@CoiOXgi8?aRE%G?BF!0{W6g;Q<96rdFAqW@QQ(2?qiMv z4H8Y^LV4g+jk0Zb#6Gdlg4QBGEmlO14y^13wtblSkvS$-yZ0yzY@p+k;{R-Qg5s<m;?p%arzysBMOWFg^ebw3A=x4BG1vSKW3mqHuPud!+?}T-4Y5M z{or8{fQ*SY%&%o8tsT$7rQ|s9%vrLUdsi7&fD$3>n9145(DsFq7wpa&;g3sDzgU?e z#wIGWhW_RUq_E0VRhh0AtHDgnvs0SK413U%$(glGQ{-A5@^2_a)hCNRN#!Arhifq5 ze%!4v}^0CZ-QR|>1l zgC19>OOsC!0b7{I#4>>B!dn2&w+w)&Xg>QQG8GkRkb9gNr|pcmcM6jkQE z3%NwxEi^Y^PhBGX-V;7BtNIkv@EwDJ`URYIiJGcU^2{TspA9Cf@#CsKKqTZ;H6E~K zTw(*DpiL&xeaR(6KVhBR!B-)!f}$%}=>wC>PZ0-?v{$6= zV{_C6QzT4!}C0Q+WE;fjB)J6U^f`~#qn?GLLf&e4G# z4IfP#eiqex|CSiCqJ2M%E^r(Lv~yB8xVy?hCQoh#OK89w*r6VDXR_**;08xa!mh}4 z+8RUl<^|HCo(i9b^#5840a`Q6zwG!1zU&pAcmn%GOJ9*UAXyzu?J4R$(5W+jHR8-o zXl6#JYR-JX8+MI_Ng}{ih}D(h-5_1XF`M}PTeSt%!BXEIa6c7x_JBq(eu$yCTc1g@*kr1#}=`GqUd_ z>CoR;k1knFp>fRi=Oyb(m1bWY12J&>nJJ$>IL|ONNEYqiovB6XDO&PabTI9Eh!X;} zx4>yV>R`_59a`ILf03u|MU?AnFiyA@m`ld~%YzDbLwXHG{TMAGiw?#sSza>7ms!_# z0M%_Dz!>9x9JV*yybRdeJkbBo>|!TiB-;HLO3cY9aI+tX#8EK)$jO~sh^oOac=gE~ z!@ZUUnId!$3kdOfNOi3aUtV-HU7?0W7r3NbPv+OhWDQH1Sdb{UCX21*OtFPYGkve* zx>A6)Vn4%{wm3H1TQp6c?JuM83d=as^&q&N1e2bzGH?#=B$~;HUf&dKotQOeR=Mvu zNyUNc&Dwx|fCFwu9Ym1!(z?IVBpg_3DdV(i4+tIX=(Tc-1IJPpuQ2AJE{oh|jfVx! zD7ey6L_`}6pyYJBE;I!~Sw4Q)t7#h||=Syu)G z`NUZ9jkMg!658Nla9~-f*m));nPQUxMa3;R`SnSAcB5@z1Jv983`et-(s&C#j6)am zrLUvM>%z+!Kz!Brh(pt!GdpRx3>nAbBgdlm*43F5D&#G6(t7*7X>;D%1s6e40S$Pr zpb@i9Mzqp`Hbjd~7$CgOEW^)tDi)T#x6eHfIxBVMW8HZU!gXRqkFN&SB^% z_f+DV0cdb}Ooi3vsl>;2TGfFO8ZMF1=J4NtJ z;<%8$Um0my>W61WsRc`Qpz*$ng=iBZZaiEB9l4^g2))=s0$Gy+S5<$&76n(RNLg3_ zbh!hbAwgFb1F(glON}RREP^Yadx-AfQp^bs7U*{YL{D(_za!LVL9^?^3QI4xzvo9* z4WX)txBG&8txoGIsU)uwaCn77TO5h;*u7OrI5v3p0HC@0N>z|0$CsooU6}flSRu>F zO>)78HB0?)!<+ECai44Nr8tA#N;^qm?`#}RolUQ}d23mR_ z4ONA%&_%n!lNrUh`Y!^6w(r<^p+<~fnZOr1toZ7}gusxvy|rbupHc0|6LoLpOcSRV ze|lcO|2-ucPD;bGgk>;Pot+8ZlL^vaPWKey7Sg6!+Dg{W?zAgO>7;9r;0Sr5YT&*w*t5S zyea_lBA=C#umd${tu*-;!CiU^or$uXQAcHma}LGa#>LhSp4dS1wzz~|2bN=ARo;UP zT8K^7owpavYm;sA#nz{$-y<|c8ND4MC>#%gws3rS!n}8YdC)0G+KHs2?pIu5vG1ou2M4n9diX>W8KXHYH|Knd^-V^l5lC zo_x=f(cPU)X|7~KSVV|YoN$~gJr^Gq!Jp+F);#@4DQ-x+FMPVcW;`vCs^AwR3TWz) zH+U~Lq%g;yS8B+lcETw>#mnSJwu;y7=JnAg2C)VG1zhN8QIcsam+lp_I>sAed;#v_ za=6KoyIL44zNsKQ#QqXrZvgXR`(xK)ZhQA=j>qPe<2ZNT3{Qbavu4H==5)DEUw?0C zp?F+2MKL~7(yJ|DS;?Pv2tPOe3_QW;x%>EHdVOP9#E$Vwro2IKt({r=MDBEPdL5%p z7(cWLRmDx~e+E$c#w?6uy5%e@eN^FB(G*Jc98N;=qDp?dE3o@0fT>*a=-Tys2tjrOl9 zLqqFC9cRtKmUZ*#oZw(^>)BPJAX$aXu|Q|R=96A_6|HGj{^1N^*&|Dx&>bp?>sBH7 zvxICy>*@oNW`v0XhnJ1ev~gk0ILM~4&j%>$V^p-A78EeN_a$-jEd3!fgB8!ITzo;X z0#0oqSBMe%XeBe6IZdPcn>V*%oVr7atz~s>NlCPn_tcA6@+EhiNvnOgLd}))=34ap zUSIB+=Lz$})W`g_p$?3PD`gQ(7rQ>%s%D%ZF}ujD<$8vHIIp1haiFQ)vVWYY04ADL zmNic)74()~^_-VI$HIVD3;2H&0KJW`95_4Sz&RB%Fs$RQc#SOVKGLsld}AuNyt6b@ z0arPGlvog%*O1qzA9nw?P@76yfLaHQ3mu^|r;u8@da%05s=YR$jHo}<>$vw$?~rGd z(C{^aiEg^>CEok=!#I_BmSA~-;{&@os-8xn^L}H^UN7zQE>D1G&B`}FUulu_ouCLU zrcW^a>lU-9%sR$f$8!I;#y0yHe@4r=sSw$IVUkGY!GM?zeO0Ln5{Uf zl*=c^VYSglG@U?(sNcTj&;f zoKqCm+qJzbcBE|7@Whe%6A1*Z#eVP>>djR$;H@yI@-TIOEGL!2OSWIDc>jpL!29)& z1q@@Qg|_&EuIRd!*4JlBEXSYM;T=@q9GzHwCB{0cb<*ETdr3oW$DOXB)0?mNZ7B_^ zvD0-I^e$*}%5>fuQJ6-tsb3$Hoo(xpu=#l(ej=;I-DSr(MZR8b^q8pO@V+co*TC?C zSHUryip#aSdb0b{qtn^uDAddStLq^YUz~b(BP=eiE{=cprkkFU9^sTZG1Z(jeN>C; zxYs`plcu}>eH|+`abjU>g6wK2u`Z6BtBJYR40O|s&{652h2Kv+-SqgmWdUKE?=i=> z_+y&Utr&tFUcEU<)=RAr&ueW|L)VFt<#ZP$+lLYv=CLY;%dHT49qx3I&({!=rm3|w z``ifm#e|Q=p#nj8LM(o>$G-1S+z(Gz6a!C2?)DAkpxNo%(LVlD`YvwYOpok|v&#cE zx}$1`m7NyyvgysENeW&eFTMEMdsiQx9^O7)&#ah;U`{`@UETaV=De>1D}KFE-!sO= zC(_B$dHwg}_Fgs*rR0z1WaefHbUJUNvGSfcP@_UA#hxp3>XKfUBbSZ!Y?Nrtv)!Dk z9Rw2Y81eX(i!?$CzH!c}Bb3B}ve@{(KORui2R+)Or%5K#ZPl7x~FQ>PbQW zjokoOhI!3*RND^!QPk{PvWPx0qVSS%ETNgS`FXi209kaNc^%JXLUpzkWQ#hsPSl)z z*3s*W3!*}Uteoa+T&R6adCus(tq(0{?X~j)d)pQH^eH(@#SV)FLD*V{2a-9O;GQJ5 zGmi+PuaQ}~x`Yzq52p^fi}h!{zq?s?S14(`aHXa>rG4i(!?N}AhV5A<`ZW5&c&#Y} zd>1|%{SJm~^{{Dpdd9XSbUI(2sx%@UkvyZ;HfvmXR6kq>35ArUV)?lsQx{JE&AAww zm#M3_WOCUSLc;PcFNa8%lhV~=l;;DUIwc~xOU1p(C=P!LEhS?+Ftt z!JFlSRrlQ|);G)%(7q1NEn-yjD_`uE@qD$eRgyM;?oL+s1%WBVe~! z%41y_uK(C@UZT8H#1PNR@z@njBW#U6oekEDls}tIsomjcJYRs!RJ?a20W`bXs}5_E zQ=X_}N*2(e!7S$6Wc8@_XOWX4AyJ_>Dd@bhgOeh2x@6a#F2@#T zYg{tH#bjuI{a$O{kbykG-cYnmoyRLNs$SnDeom#Wj`~Q)U}a(dVu3$EQ4-LA=^jyu zMRcGR>(zdx!W#3ujjSq1Kc8z)(ma2QjLNN?Sc0FA`RG(yPE<9;8*KYCDw0wLtFPAOo^pl$HUJ8{N>XL7ShBHk{AZ z-*oGOo}S)gb4jzx)}*ER(|Uq|FYO);pN=_`8f`fwj;l>5Iu5nfNTa7aOac$M@Hzv6 zF5#J8Xbz)DBu85oqPhIJR-YJHIJH3;yZHy>B-ltGI+)Z znN#T!K$R4|l}0cTMg`k5E#2mSC#n@bvf|==cb}zBHzX$Eg|&3AlrV=mv~A1-tCO01 z4=s3_RX1352c0LFmGHPk*SG1*b++U`8ft46t38}1fdk!WerHQ{$C&h`2rV8ktY{k5 zpkgYN@WcAp2#9$yN*o#7)|EGOl?v?2{fsnY?COEHubaQ7$aUBHHtj(92!?xGfjqcs z(4X`7=#PXnh02k4#A#H;20Y)GN)0B~Hs(GULG<#r>emN)nnVjdtYe60GMC)P+sZNp z1-d!QXB(ffxM?}BC|Ui4uuzH>*J9SFOYsOxP``jQ`n*J>QUNDA?{rjPyctW~g$Zd@ zCqzN24u3S*nWaU>X(q7Bsq@k2YI7*V_gfd<*Jn5%i+U@g>J%$T!;upw3WFmO_u>!p^v3YBTLcex{L~;bvMwjXJpz{b?xjd8v z<_^KyeD|3)EW&KGx!QuUXp5vB79=rptE@|Pj1F83Gl^{2g6k$SB11`xBi-2w^C#-- zMM(WhT5Y@0aVw?i%o7aY2ZEQss=06qRhopJBvJF`%UCP{v};21Tz8>e)PPN!x6D(8 z{!8iCT(x`gV+CV*J=6ILEfu5ElX;xLOM*?go?uM*7nsO19a}*k-A323960M4clk0& zXkj7ma?OP-tLgX(L#E%y8Z@IY0F0Y=wvUtL?FJ$-qY6jU-Fw`5Ztx|_@6xAaJi#ss z%Zx~KKF{)vJyN|dLMTp9m~0cX`FV53gx_UTigC>QxhkPMU4??>n{&-Q==t8G$E_aV z_qoK)$nW-39Kwv7z&sxU^E|(`%zUm6p@POiqme19VSW>|-=3QIvqoo!A3|D$`QJUg zF$haj=B3R`CoA+57xVj-QgxnhIT@_Y3v%{M=W86jLwNxsEN$kD;EGY0y*MD4aI~R* zhsUW{hx%YJ6>T7t}jKcLQit)U->D$ai+x=np>*B2+Sj z)M7j~ftk+(??j-U*koOeehf1uj>zJBf72s2owKiPIN`;9k&{9k{&93ezEDb~s$Ey_ ztX9PYCY&=wf%9j(DCR6_H9HrJX*kGJlk;krr_nXi>STkoE469bhHihprn$q6a=J5T zX}+X&fy6cZ@JM56nU{Xj_|Ya(lR{lvXRn`r5=bJ1CQCy-y*Z!vUYWmMSI_Mt2S!d} z9ZOS{VMuw#h*XN3j2`f0dW8+4?|N3$5TvCX!B}-{^(DyH;6DLyi#2lfzq8JO2>oAP zy!c0e*paBV`o503cAz|mh{1d z-1`9-C{dB2W$~IkN%0dqp>ntQp%nukC!QNz_+D;2Fpk(+CjSul4)yZs#pA)yl6%88 zbOUGxH5jUl-Mwi@yC&5hRN)C(Jq3sjC3ZaR;_+RLiSXLcOHLQ?Rn?&Y=A7AHSeh@B ze-wO$dTAF*<^<&}*3Ul$%LzaY?J}hvL{iwQ1uSU;pjJ~SNQY`BKQySJ1d=bF;@knP zEmdu<_bx*87a*?Y4}cXzi)y=94=Uvq3rIL#vjY;0KHLy2LEqhrO8jumNrG*>*d63^v&> zSMu;iIb+9b;hu)S_Wl!UmHRgH$5Cuz*1=xlDrglYGRUC>Nztn#Z{R;Sz3?j{96TNg z5*{y@_AB3e&~T_ZKQP^?P4n>AwmO77d@tpeYe>X9Wiuc)FBD#6vsDWLl6@=O0T6t6 z;B&I5JNhf-?U=v<&=-p!WEIjf)O-izh;_&UyYGd>43*_5@P-1^5OS(0HAA7h+x`XU z1~+miL~6Aya6C#GId`o05IkwJdAm*kBs5+d*97L~slv|){Vu<`m$FwA*K6}BCRS&C_ zg51V96w=ZO6x2X&LvDxw${<}9LQY5!-7vD?cU@!~c-)W=H!k%Ks=(fUj)to@Ajd%S z44v}u3#;H~v3z8YUI_~stf~Q4>{KZtOaj^67`MoS94Uc;yOrAvt7VOB1Y4UF7Xcgj zJVuU_bpcm`qIt+|Yu3SV2j9rU28`rYHUZszV~l*-l2+8@9V7$WqZ4knYFfBb0E%#9 za0@>8r>!0~IQwS0NKINxC#>bCP3sbF*ucn5{Z-Q!YVa$$?*2$Wk(*F8{1Bh9Z&kB+ zUIxoY9yVcd9pJhg`ogC;89vbQS`5+##Xc#GwR6F*u-p)V?0wHcT_SAe2Z+KW$t@kQ zN+?Cd3wfVJqW%T1_67w?^G^`3n>1C;LWI060IXw z;V*o?gMnk=_Nm*S&N0ivW<0eHcAQwGWQqK0v3w2e6z<>PC>dqjk^2$+Fu#fVD%zVuo+kluwO0IV4Fp%eD2^5xP6O0*smyEq`CrP ztrVC5dDy*E1bPQ}#e;LrK5`V%0Gr1gen;8(1Tud`cbmS>(>o zT@rzh3R!d`26l#kV=mF-0HHFOYxgJ|aRI!Id*&1j*0j61f8gR?2M{ z=VG<6z8c1WT~?;`VWTBJQZ__z^vgX6X+GLVKXG9E5x4{fK|(4_9jA05 zU=24Q!1AesTa|pe1S8AG82-5VU|=@Ff)=)LN7w6rVzR0#q{IstOKesi1=P-pJFE*c zHEIuhq96J2^5S>DQ;#G?zSim%5C9z$w{1OCS+X3GqzTE7(p)nXrNu zKf|>TeU^3!{)}K1*#okuK-{bWpGT_l1Qcw~J%aSo8s^$~GsFVcaLC6i>Nv%$KCyw} zAf^j9KK=^=hbj#?JQ}2t>c;Sa9I?{R#1&}-x87w1S4Ozor|XeFW67qN?KuND+!}%q zazz=#PdN}_)dC(v9sct*A`W5ZszKlY zctl271i)=0B!p~cTEvEZ8a9xfX&=HB7$a3&Frrwgvfc8_V5<&fp75y9umkBAa^Bhk zix4h*gBOQ@lTFB1J<3OG!E4OyF@JTb0o#XgH%->!Y~#ull|oB2ee||bKXiI z&-iPD^!HR-YctP$^HD(}JR^wIrg11Hf-{DvLfDZ2RZ^&VMBtk021#_hAf5l+F7Kcz zXp;`)^8r@V5D0dBY4M7(+(P$JFkOk?fVjEgrgjkY0&i~R`Qe@LpoTJb;7TM1-T@Ns zXd~f)a<%|p0gJDHNK|5*SFZE@h&^Wn;Gxr>gQRNT)$4GJW{B_)1WZ81?1K#`RBGZ9 zryZP+qT(O6KyjeYwmK?KreVY$%K3eSTG3BtVCSLS_gKS%(4Q&rl%a1xg|rUXR352? zU5dKOa~UopLyHqfd=md$9%vp3q?aICqVDL}z-5dU9=|}`YI`oMg~E3Vbmj`8 zxNrW542whVffcj+!C}HzKtqQ-D6>Tcj!G?nXxPt|`ts*JUhtIZ7clk=gHvE&Vj#4~ z3k?4aGKdW$e@p~N5PVFhhJE2_D$3%TKh%oPJdyyTG;U8nsH+BLBDIhhs%ro6D`<2m z7#?IHks6_2F7-a;0DWR7 zD$u2d24MY&PBxu_FT@OJpY^YL3)Doc4}Pio<1>z-npOyRL6b30W`NUPA)8TzvtM7SPYYJ`4~B91^Gd@H7%RwNB)82iF|5n21SvVvcM8cEnqX5s%uY_g4`OTW|HT!52mG4g z4pF=M#Tb{qXrA!p^3vzg8MNV(gQTV4^1o0yb-P3#BO@cqLhU{0HP(Ahhx68g^d8KW>b&4b&gJ@AM2)ZuRY#K-uTS+! zjC%*e%H-)xbwvJ*tIyjRn_c)W@sIUU24ylNZ!uWcsz};F^!?-q7fdAR+g-8?hphAt ziDfd&yU;;UKC!US8MxH0+;7?k7q7=dg8CjOnXN6)uSoJx#DB0hoWgKV zfb%A(Q|4(!EA62C&*v|f&1VEYDc|0mR>!!%+@xY{Cf}U#gpsJ!Z06XQ=C09ZgQ{!w zlJ0fv6^8mzw=%EXSNd>Z-G%LsHI#}TdgpHMJ|f>&;})qNttWU=MbH>4o?W;g;H7c1 zOSjDNBga{&xx-r23o-pp%f*2T$9~Qa$&ML`@_$6+xKSc)7d-t;TE3IOWtXR2`P^CW z@Er!uMF0l$Xllj(fzU&{kK4+RN|ovd5+d4;|T`R}UgL52IAyZz^>flGDDvBlft<>>r3 zm*xVK?2nbq>hSg6ZJ~^}WQ=L2v{;ubpAJqRabXMD>%Z#uY8i+?rHlV2M5J$DSb>y?SjPiDS?m3iB{56D*#;>QzMO3g>l)xSO~;eS|PuFCWCY{0^z zoKGR8zkX9dAE)D?lJ&Y1eLs$GT?_f0lRqG=akkX^ zV2xj3&69%d7Sk182V0~fnZF0V+1fIN(M}QP3kL12lq`RBNH>gG;uT5}^9I~GkUxp6PJpexJ@>V-)oy}hs;GPcxUuRnO)nV{9Pycb zl@mV3=YXf!21GDRmVrp{Y#Ad>{W``hsJV0$JBes}P#-7&?gx0OPUt1J9}iCwSp+g{TyLQW*yy?_T&?t}g?jjiSMff8UUIF3wss?KroOYTZ6 z+hr#J{qU7`dAdSr_bG+Q7-@yHY@GBM(!FxzZ3=j%N;td2ZP>+)lHUqJB%Xkz2^uj2zArCD9V55-ZhI(wM1GR> zsXs~1sp+;0;D%A3k_6}DTKeS^VTs#Bj$Clp}g%N@tTt{YyY(*gL4h5qR>Kik z1KeKn-)VgPFpSBnhNDWh$G~i^Luv|T&NjMpTtJGJ6ZuLg+MKQ(5E z@U#~N3yN_g!>zU2)M+d6I{Vb@dmJATY^lX8UY7Lo_YgrWe|12~NG0z{=xK78Ef)7W z{w3f=cVtwy*7=`QW>4X*4gSN*Tog5DsL`wbloSteP8B8Q{GXb;$RJ7rSem^ga7q}7 zkUOJMZa!oL`0d47%59_~$_cd=xd>9az(ffCT)nDOmZVKjE!RjBvS8KupIUgp*sci} z_tPRn7DO=tOn3KWKRrSEJH75oLdp250-YtOd`Xf_UD5g!B&x$&`T%P9q3`hLhfQPC zql&aTw*y8*;Qr_9*172#M$_C!(0Qm6Zd{3Fv3&H?dfmb0d_QqMlB_IyV=enN_C_1l zjrungE9gr(#bq8e*7UbemK#(`soK#xH#t8u1Wk)kd5HTNuj@83Y~zB2{KtO(Clr0^ zV|(0o&q-*PDNhr2Bx5T2oMo>F->r_eKh}8y8arPro!sPgB1);IJY4%5ih#{#_67vX zHW>=QP|BbLCK)eBKk%5tYWY9ZqXEfKeTsDuTTiDH=N+#-`@HWz^zo4P0^z9}xFJ6o zGA?5${~cglzN`WJRck@Dv5Px6KZH@nck@z1<>y`lKAJOD7L*@m>Pbx`NPIS_n4>>h zw8#|-W#>eg0B39)T5TCv?MrB*ekJ*#~5qH5(y9hram4tTv^w86P*D zsr};{zIN`{#KJ~8EB;gV?o*6_uSCu_sGy1e;ud3fLrm0ae7%z=KZWtpfKB}E#X$*l zUDNx24*&AzTNRjs*Ob)ik<~u4Ic4E5|3V1HnF95L)%qC4CH>)$X9P9`dwM zn1}GghI%$8tv18jU;Bo$?BCOMNT@fur+u!3?lCbSB}wjw?vq3*oL{L*+DDuDb2PNP z7rTku3!L{gzu%@D_c}y9F1P}#nbaiRI9OfyHLtVW$X7i79XD&}Of5~!E_>+LOlGv< zCC8RPLn!0qkNZ=&X)_k-;brBs>Xn3Zpp|;vPKKp(ofsqBrjPH%OgHJ%$X}ja{Cw^B z_l*%iLv4Ps-*Tl%1S?}#0ksgy#s3Guel~gZ)ex35Jw3Gg;fOP#Ecf(esnr; zG4jQs>4n%r%G?Y%EBkQ~EMB4Fg9p|{0uGs(cK3-U^{>k&-u{(LPi!8hr+}yV^Oh3Z zNU|#(?92$C9RkclDDI35fYO;y!!tXILbk>9*Gw_lV64Z=Vk`Q$~ z2#M!5o_eP)4ju#@CFGb$_op9;63{}I^C=n15%p(JQ~BS{bo+gBE|QnvDk&$7)>@xE zXuV9Un=2&L^)q&p1BKAg)+*|kUpznP1TagYY@_d|F{{%1t8;`{cT?)yw1mPF=}gI- zEjTpiTJ4npCv+17#lJ1Tf3AR*G)V%liQ5bB35xj)tP2O0UzXCAKhly%h>BF%SAZx)jkx&a;~8=)7@ZP#+4UDZvB?2Eh7iyk>|3DC5=2) z_h*)rruZ|6th9rWNK9bG#EjU<f$+0 zQ=L#suav(0T$EPFzZ7;i9@OG3=Q~G{3vZbwbh~Lveop!92D+~f;%mMs^y+d&EqM=g zn+D3~09)pH>SK~7eIF*yMu&#iO(ZWWF4hJH;{e4!HG%8Zmn#Jp#8}qzlx)wOvr~y*m^_$|jPxk|BphD<^)jXBwPBYrhgly6?0* z2IT&q6a_b2uZTG{L!JLD5zAT7N=YA;iaR}LC`nfE9ho`RolzZ^PPy@Atlb60m5ZXd z*IMdlCsYAyE?Z?D%cGA#dN!1gdl zEl71CkODUTrra~+$@*xG=ssD9gvE4Ps>8t3`$J|tp6RQQ{mOln-XfCKhD&N)xTq&_ zYl$EQC=6~y`$gqj?z-F5ul+|k#4zy*Bk$CJy04@5iSRZaY>rPL(0KHK74XyUMZMvy z#5I!(#{MX!WD&|wZEzm-*H}H%rmQ$BZ+1}7PEHxV-&K!G(H77E+K9}Nhv!q4l1nH) z8f6}P8nY;^6@pz%ho;MLo{8UviE9nFzek5>i|jcId*<-euBG_oh1UEBk0RRf6a zhD#Ia{SWz%pkc`3`veXNLGTd%Bo5t{g5>tz3L_zMv?&G4Sw#KtCz&#<|2gvtJ_jKC z4iLdNlH)f?BV`!XVZ7P`*6=iR@Ivgnmb1~oaXX@pIe9eNNBUW{EHO7TUDUk5(!XMg7ll?gM+{S|ecgPVQ)7oOX<^XJA?BrJN*f z@}MzT{(#mlbcWsiQ?%^BP)6SgO~n6dS||d1OheYdrF;s6WCJPR7HdQjd2$U11}L9xoHKUv;m{^Byi}V4L8)ygTUt{ z34|nB6+Y6ZdE0s@mVV_GFGpf&#mxA8-V?URzgEkLM+t{kN!MXd%}v)q@lq5NiT#E{ zAtfT$wXCa!jGZw4$XbH2HX@+u;-T#aPxH^+()_Tp_>?;s`do=^9XR(#- zjJpNuQH_~jr$Px2tdN=f;BomxS`s@=fhvABSIZ66+{b@gf8e@~B=%Q(&f9$3ItRLs z+ezpCZT5dA2$`}WIX0W3pa#V_5;%e&d{4W}3RjcHhc7@2TVP2_Eyf;->@Ae-ZNh7l zHuf43RQI!WLO5*_3GaE7B`X!G?+!(fvTgYUn;zDFPR{-ck`V6*gD3e*}938N2mb~2LY?~*sUcEw?nRX9KKX-D_o2b(9Qj4@#H=#wRbmN>^F}LoO=6in51e{>V(%~de;=iOfCLVm znywND&)H|pjebZ^zE(Nk?uB;)V8sJBxW_7+9a#&1XqojNY0j0xu*9k9mk;T>R-R|Q z(p4e17B|__K?;Z;k`P|Y?|nerXrDxU(0>izl2T$~N``}TNFo{Zuzfowj&zmYdtt{#~NK)@~k*nJVezt5ZGpO88kbNw3)Sg|H_51}mqSFJ7=4FeXcIrv3x7PGt3` z(nE!!_IUAv*;2Y~w}QU(<}VSZ8R`bPKhL@b5ZnXe?Rv1xY;`EArkTrX^SD{9Dz#yev&<#&+@3GN#~6J zg%_bk%<~6okHQ4|(#%Eq^9nK4Q8oqP70dbl9HJWz%touQ*B#8KdK|qLF>wPQ4L_$X znt-i`XvS72{=sbS>19d^$%Y3^uke983GmZh3J-e=Lb|0-1z z+_&>>%P=!k->BJ=BA#s0(x?32#sp`|)f{TZJ}|G9J={%#q|HRHg7qg7MWH*DLj1I# zeJ`8t08Jgfy#x(e?GtHm80J@L(hZo(aUufalz~@6BNBw``YLx+(lw(`IM(35p5N`jGY*b8WI;8||+Fh0O0BQ#?cl|ABBh$(lD~bdD1< zH2Wu=@k6?L_!0#geOPtvFa<3Qe{-t}>guO#r7@LNGOkebQ<1|>1zZ1m4Mq>+rc0>p zAF~Q}UoU-4f_3J9h;;`8GDlhOqm4AZjlm^VO%W2W(u}9z9sr9$^lD?4hW=)g{>bL3DYju+BE-76z%zShA4w=EP9c2{3LziPae>%yF zPR4tG9S{FznH_4Loq4;TNJ;)fvle4#_P1>R(_X<}=eTPVsn|@_fR~!JYL<$T{{zJp znLn3O&JLV@G!&8Wj1T)29=~jUvKN29;WBzy-O#0{F(m3rGk8EsioSu&KkrHnulD!F zR2g0GoO$8>q9S!Het*XEqKf?$*+=73DLZ#3P{x1zar?cqC)%9THJiWRlYMvpal`H3 z8-{0G>Y3T|#_*o0*s;eAE`}ZS#~MGK`RUC5F_Q}yPOy};Vn#1pmnnvmMn$E2&#OdmgK%@dp01|6opzcw2Q!&f4Hd|j>H3w!R~LrPVv;5aFWLZ1S#ih(&%W^gs!o?X~*a zVN#S2m-WrB|3Ojf-VY~@sAXFCk{9m_@X0@6wSwSRn4=<#Ah8?BVNn`^YHsDM4dloA zqCp+fle)=qF!Phm3)grjrg|2 zEt|-?tQM&R<+6m;kP_JOP6S0#K03uZ`BLmw8Va{9P30`Rh(=Cupq7u!Hs zuXPrzpt?_%^;6Bcli6Aw1zXZmq{@ic%xJ5al5+ZFNlwbczZ%%mc>`JXU0=M|g|u-4 zJ0-^(w&e*p4;_q^+w!`c?7)tK@-!tr22V~(;NR=XX>VN8^VqVn!Qe%!ssYvAARR~8 z`9e3UTMaiDc6CoRV>Kb?xe1P>Y7Si-8$r(yP ztX>=UZ`Vr;#MPw&2XAO+LbX~wo{_%MsHNl!d*v2s>$DW7p5s9s1zATrA6|3~kiz^G z4qKwZyWSJGV%mXHO$x$zz7Sk@q z`9poK*v2sWW}m+_kMAK$8Bk|a-1Rf<4*kt@_S}IVqQJvejMDA+3iz_uHnhA=}$p26`C3FaGYAa~q2{`MHanz(JO7!R)Y26W;9JjJ4Y*0N76nNz>x zngP}GLKrdpw?}rVmee%s-0q=jwco9IBzL#X*gw+o#xYdG3ViALk6D*@mCG7Xb1<|X zL`28z%|12pQc(VekhLMz^P=FVhPX=u_i|xLanOn^N;h?UU3u808(S7md7b3S&A=&T za$Va60K+YLBklW4hRo3-O({AH+WSI9K4@I>i5a&#=|@o-i!<|mvGD+3w5nTUYWK_W zKbR+Rp4GoG^q_)Op?jvkE9ES=p*$=7J*7C(%=cfLzS{;DRo-CSb|TxdI@#IsO>v=4 z&|#>&Mvmoy!@2gMob9A6&;5$j?x8=_9`DV4iW?(k=@d!RubMRH?X;&Jw<^*_>~|f< zKb93*WmABQK%MmZfTox7bYbr_>RX?szRjQ??UWw7f9vXXT0dO+*_O?vgDO6lsC8)u z6U^uo=4r|5-|Q*Rx>}@HuFCuWe#fk~{bl_mJc_;*P%a*<5HW*0TQ|%@=JE74Xw^kwas6fn0n_B6pz5U9AEI=mFa(R6$Mw z=W@5u?bAv>eqV5=WHx|#B|7X8%JbKQ_Lx?b!FZ+ixKGX+5$2xhsKsPo zEuGyg{CmxqT{H(!ZAO)nqsJ)U+N2iqaq-1&=s}1m3l1kzu+G&Zp?^YK8_?%%7Q)E| z&KuzSlTfG|+rBH%xq33Zwg&DHYV4OY*OJ?Bq)x}ei5m2|LRopTS>4 zJl7?X+D&bf2T7qiq}p7)VLL*E(uxMqms9-&BQe!wMsXt-<&V8AbPuTNb-E?I(EP(b(`V9~P%` zH5?2KP@(^;|28|VOr5+_tj@>BtPXw~E>-yP)iaW(?ZwoI)-i4KZnBpj-%mq93eWR< zZ=^1l`}y4-bhVv@9$W$bEI8D^b2K1IzOTU?5Jgumrjk*+4*Ii@o~~vz-;Q?7TbjQ8GMvD@1_`Y7#Wa3Ncn$om;dbX z2CjEAF5yTf14vWw1%rMJ$xA^_pnHqbX7pK?lpo2Y+)v|lmB#k}%?7VkG`$nu>QU#n zHFNhqw~HgD%s+qaym?Y43+@jp@<&8VX>)^>>m%Wm8t2J%Q_c3>8AZoe2u_jYiV{1R z$-oU?h?2RZ0ndJY7ZbJGXkDM-AUnx)GrLC#bivtWOta=`_SF@mQyAg5^FjQ-CN@A!lAl0;D`G*$K7 zX}wzxQ|3-RoHYy0A6+Z?hVGLc!!Jo(zS3El@&}7NUZxR7j3wDOB_A<&wjf0@6ctwX zz6+cx(R=A^k&{OIIO#Vmt^P#GIRY(~&G4=fT40D=3M&^gFV8cA8PSIq@?Cz%yO|gH zb9ZYUk6)&(6!9*uH=Ig%BSr8GN2>1|GL?N=UT|3w$8x8BokvZ4kH&dDV-n*k-8K607rEy}N@ z(_D8m7am_Uyu~_xa=v>yVXl^S087z~U^Q1-m92O=Do~Ewnax$u(8204E#};?iDJ$o zTH=Re%=ZPq^QeBIUt7J2%x!A-m=#nZdh8fF#m>w9n5kQ#tk(U91@!ZVDGvry-iQ$6 z?GyU{g=79V{Wujp@i6QxE=gJlxxWL&C1iWcc@Y7gZdBhDS`> z{M%IBws?8elYcatx$|uD!wx=a7*KEW=ndE$q&=6td70W z$#7h})rRog_TlXZhsnb;i(b@%$v@J4Da?zn{3q>g;72U zD95VT3ZgozWqBo8MKzB;sq8QB&I_BF<@o`mD$F4Et+)UT#a=3#SwrS%RpuT-q& zhD(zSygV}urL*MBZc!T2CEBb??n?~jkMcSN@ta7FOOS`XlD&GOX1l@zi|+mXd1KKg zo|k(H7|KeMI;hy)lk!>STTi()j=lA2>8#OueRe7g&W+o}sme6^g}dur!>Ie#=FSiGNq9A01Vea+apn4TO z<4<#^-@Xx#E;2MDR{VE^Uz(z|Hv>ZWcz6t ztSZ=G)ZM(WllEr{%X090wbF~qS@rbe!@FffjtGmESgy8MjWhUuv0KU=5CQhdEp#{N zp_p*od6G67pF7w5?)C0IDEKo!F8|s`8z0xqaz}^9QuE%sY{%yASibHQCtJAcQ5IAo z-t^9%VQ*K0bN*ycHGzTwhTO7>4 zE_dAZZ21Jyw!DPw#2(3>`ECHCQ_A5oP3Az@a(u#-lUkWBnXL4U&gFi`J{CZ-qB4u!awLVd+MaT{1QA<^L(G@8~Q;w!(P z1LUUm1>oAeC&~RX*jr_Dw^Du}g?xyLc|Z1X(W*b0|2`$c%1Kj80HDh9-Ar!(e9csp z+4MS=D%k`{tDb=c1)!Q>S(7`uYv1ti9i0A-KgJ}#u9z#)U9uf>U4EysQHwcx9^<&T z@MKedS&8+Ccvr-Wr9O{p&#Cy7E2R#T(Ps;n7K?)8?&5VbO-5DnhdcZ(p}o0EY7(Ok z%k|!(j2!~6{6aT%1jmKkz86Ie2;qF zD3brctqZ}eeI{d9jWv~R=vpcpnRg-jE1UJ|~Z$8l1O7oBucnY|Rq@oE4FJXu$-9ea$z`H}^72h><ZPRQTRpn<>>P zS;NLehy z%lTF7?B*Y5bY=<{Hvx{=f~gOrhYtTC&d0nvaex|{zIC4m`6|#PmlG|^=hrfExglfj z4#-ch8b9X++@fk+&5$i@o2+r?BZJm(L16cFN~z#+rL+Uu)Y7-jf91!e7+{8>Zxg{11CN7L}up(7oOeI&j9>{f}!W zx#c^e*9Th?j=9{|s-5ZWSz)E<@Egqsy=Cw$H&N0|6hwmRMb55cag8-ZtmfL)+&BQN zBPU*_nZNp6*3UzxhB0*WqUeTRb^eZHAP12@wesiXYDUontFzHy4r6#t89d9htSQS>Mu7lqJRRs1+Y=H-I#8{X%p z-lgO%&h_Th=?W#I8T*-ouc)0)I$>!Qg+Lwg@pt$V2|VR@j$6IEdu48IC^w948(BJe z$H6I1Y;Hp3j$+N=8RE!xd}?WnXiI?5Z3?SAc#i)&te#Wfistgdt=#_H*~u`~JCxq^ z)Wz3z!UL0o=m1Ky&8?<)95U*e0!VIs%1tp@D)1e?U|QlJZ*!goR^)bhM})Kpg`}$_ zHCuS&7gKapsViP_)(CH5@hmpT#-MLcA>9Zw$p|rYW$NL(Cuf5%<~DgvCcY5eJ!iLP%WQ-2WM{XENtQx-A!ebgk12eH_|fky$<3}O zuJT^(WbXmt<6A&Hd~`LesXV!@ImbK5doE+D(tH0{>GS~%qcNW`vhGFS*?zvl$%wNR z)7`TC$M3E#S}ZvWI+$!SqTfV23ik5gVJmvCR z%X(+L`QPMqNA?=_D=Mr$@+-`?Np4+e3Z%>g?xF2_e4n9a9?Mgky=lUjqdjJnG${Ae zu<`t?8!?H|rZTX);FH5^&0wkPO-`S8SB~rvthQ(+pCDI5{nZio z)IrLlAHY)%PZ%&S#GNtjnHLhyhXZjI>xCh(P=ryc)>W$!PL5Wz$(h1 z(1Ur~HQje4^W%NlPD8(CmEexBzLT*NvSj<>w2zf-{Szvw0CAv z%yaQ6vbsXnW{nmbn~@tDGlIm5>ei0uAJZP6{S9nt#>*(E#g)@s1}hk010{FGx+cA2 zX#}S-?g=(RdKW>AgEhc{Ls(m+Ox(uqT8(r4NOg$rVoUi!!3z!FSx36lGpTn=JAY9g zW-W<=Gn>X|&ioj}nVd)PMmgR#{LVgZ7-y2$M=hUNB0KHc0wd*qnlq;qzl}KNuwyMd z{YveC5?~+Mu6jO(i`x)i&Tc)G%a6TQm!W(r4FEF;un328d#~tOiw1%Nm$I;!kgVYP zK(I-(=o5g?#miMaa|LKbGY zh7^(&UAK|94d-2oM4j53on)`+fXwIXs#2MGwLY;zH^sJcx&b{Eh z(y@NT#*5lj&b1dmva>SiJ+HW6h>*5tkds6>)VE)}OXMGDRf}O6IBgm#!8hX5 zoDTJ0ZJ&X>^RGe&kS*EUVeef6$wc^eRGb>53boGXkAb+${%P$k6SRP)?v;C;RA$@W zjuX0Q_5FRc!N&TKfozQJ@9{!SyMINjBt+_pfeyzf%KboJbqHQO#T-@iC@aCZ2XRi} z?MpfZ)_4Ovq%vm6vi;?1WiTv+`HYBjpNUOAobAJgtRtv_uuc3o{$LQYbI@L&HCq(M zn&Nd%scZZXCU3|y;hGA@YQ>0i6pBu|Ekz4N1=AjzHfw4y#{(_#{OF6+ApeLj_H|kQ% zl{zg`t$x>45U%596E~qG>jP_9Lpz(~m2#dlCf*WW9^NgAhUrl)MfKKyX6@4fe-s%f za=8S9EOj8(UVYd;4|{Ct{g5uH>UL#62=TUQ5QKxTCkkmW94c{Dn?S3uA7m2WHI1e- zh*!j#@te~tmS+tlkog2#GPSp;w`U!)D+!TNW{-*D?DF!*U{xD;m|P8hl ze;M}UVreaN>XNN?;cd5beNa*PPj{>&RN0E8-FpNoREF*%oBioTy*{uyleXrtRa=xB zB2cVF)xUb)%4YU;th5C(r0MzWcanmnc@GHgl%X9PwwPD9($gQQ;zT3Q4G177?V*JuYbX&??)f8U_foGdMb;9k>5CQE!_K<&d?6;w0z~J zGFh9{wNJkbgS-@i7{#u%NQ+YuWUI-suGjvF-;skf|0<+y#|IepzfIH;8${q&hP$ac z+UUiBF|!6Tvb013LYG&|ZAp{ngPu5@gc3A`^lG=)5hHEiy?$lq3sm($vGk!s!^fCX z$(lhtM&a~tT~DG)K=U#c@%5I%4aljt1YI%lCsRG`hvwx2TNRm1u{JKZ@^~+wLDKvFUtaJUB z{X~5~L7|WSC{A}zia;gY^U(fQrO0UJ zWe;!`=5<^MW!dAM(yUvZCUw+NO<|t|hx6sD6Kz+oIJO}Dl(@;3nH+g5NjcQ9wB~u+ z=hP+TbhR%83m^Ws1IfyauAP1QwBGp8D}46CGebw5Q}NO^d4+Yd*Ll#!w6(OZIH%E~ z95&*o?i2HjhY3Do?S+x-vZ_>%A;LEI08~phU%1EHqd;8WM6{+;D~D2lLB6W?h!gv3 z_I>QUdEzlqagCi>3$Mrb<@{6Z_~m2gH-3hVUx19|(;Y6*kp`$f%W$u4DHYl`|AGNM zTkmjm!3cT4(5#VckBJqJRo#sQzZcFxV&ewXo!2Gx8`bu)YL@Ce=!#dTKOef&W7147#LdS~I z?O$XPZ}1zp;aS{%8qRlOaN}8`ACKt5X+H`Dk}5;M%Iw{kx7G>jR%~i^Uih_Qr}qhW zmj8#zdg@nfRG?PglVO>WHnCs;q!=<1q3wo>_GMD=m<0(l187`_-D@2!Z17%PhUZ_C|14OdMrw5PNsNuPJVw#gZ+R5R93 z=a)eEFNX=6Ur85gf;GikwgP9^pfCFhKmPmvN5t7<?qG6bQ4FZ!My==V4ZmVRw*;(+JiubwvR8RxO zZ=yqTlVLbMp~n|ks;m4H``42^)`BeY2h9chm%mSB%jmrQE4kq`)8=0I)|rOx*i{)R zxi)=12;VXIikqKk%(lJ+g(rmSjOS$21CRzt?!7*!+BzmcQ&@w~lrjTrrRP`)XAS&B zq&uyJCu#zPdarha6G_{%lHP%#y1t@x%fVN*IWVZGMxf#Lb05QZ6wp!ZU1ecHhD8J* zSgC0F;|L6Rue;vu5pkb?=9zE7HrgORgiT>E*?)adGxm*yLo=m>s1A zg+;mdioYXatBtRW|1-O=#`m52_;{>SeNN`HZYxt6Pjsc?th=``sNb2xgYr*xwzYBm zSyM>F%NJAZNs-ighuO@#3ihotRP^ED_)b7AP}+m=iCoiVf=MFUe2*A|vly>EY}^>~ z^nM|2vejzu7n}&U?=E;&h<IXLF|)dPL$`_7Lm>O4 z>k+kAqd|tHL$%~C>jJKclh>^(C?)0eQ@9ce12LyqcwMj{v|}q%VlCg#Ni7RCoXTx{ z;4Xez#t+YmCNEIj(-}-U3aqa++XZOHtCIE8BLBbnz=|rMREP9hMhCo-J_|8ynZbKD zynjFi+KU`AIzg)ntsTF3wV2d!eSC5whvz+D6-Xd!Z**c@jE%O^DGWC|oM*v!Bi*i= z{yi>cn0L;0P67!tnP@2N9uvHJJDFLwkQFF7Wo3GbbtM{g=pKmwc61m(VXBo!w$h?# zn=>p_L&N-V%x)|BGB&sl+o^3(1MhtwI)G9Y9pi4F7-ByT&25_|W~Ui*x`k)bGYclb z=U9gA2e?5EsXb!-gATA;q#^b74A53-u!q98$&YL7PW(Pz->}{7X%OAj4#sJPC1O>X zyh}vOEN@nYBv$;yrNE1I*Jq?V?!vbd5JfaIKg`kV)-Fz;_iWtPx_ySIDQ%HkahOA% zX1jp@d*UrHqt@YCkYsH!gwGHub>M0h>AyOsO1kKBzF)R(I_x6D-}*fIc`Ev$^agPC z7yeO?n;c5=IB8Dc+e=_&UzYWn7|Z(>J(5G-5DE`jepB!d2VBC3=xZA54@1RB=PJ5% zW?H;9=j7ud_h!+Pz}jar*jUvv7E)vUJ7Z(9*@OEzi(R0f%0Olf77m@TJB2vsbWKR* zzTLGA#<5ZRwU`eI%eO3>oG-&4i&7VKex3%&c&im$_eHs=Z0EdRP3y#?DMY!|8E?os zgDjNYoT^we7mRmYtJcW$DT71NB_lQgl4NH7gR4w=XSwMvWZsi1)&*Jfk0X{s8%S|S zgvw+mZt5RVI9Uc~TRH)W*@K>!EG+ENO}MMKBxLtc!$^9GlRXZa0$$BQ*;QyYja?a zhnOw03E=;?yOSGe>u#5yYSiAVQmk|VlZ2)#HI!QoF)U03XV)p60vTeota1Pn{L?VPJJx$CKxKQB*k~>MY0h^Yv_jZmOl8! z$c7Pnu46h#eMVMt82cK9UW@9;%FLt*i;q(rMpy%cP)JxjLD5iym;T^Rkrc=!ch~r? zEOlMcz6mKdvk{w;wxf-Hxsm{bxr{szSAT-3J{v8XAuz4XXCI2dJf)x*l2FUFkIIT4 zcv{l{+fa{fj(eMg6?*u6@IG00)6xZ>u=}xkEL!u)FsBf zQxtpyi|uoG&OZ>jj;L%f$;?kqj7&PETha2o9?S=;d55G$RnzhEzF=dc&BIK&NTx;@ zJ-FBXaY~v2XOAUg)~2btrJe?P8}awsGa-`j(eX_5F#mLBZ3}<@jp(L+)LU8t+HDSS ze}PkA3|TJuQokCe9eya)3#(YmpYW&8+A9aAk~g8;JWB%(`ocDun7dCiO|ovLfKRJ` z8XeB`8UA+^TA2!=X3l@GgMjyGkIpVpAH=ct+F=_(=(eS%6NnUO5n`KHLH#C@=8W9Q z+QU&BG<&9NnuIrlJdeB7d3o|4~T$xxtQ_|~RW(>X}Ub3Cs@;zdz@XJcf-exrSF~%|CT3#um|IMuzOM(GMLye<pKNw?^M3}@-Ci?_3EuHD$*L{m&6mUA+h@=wCb5>Zv=%>191ZZ0fFv>UN0P|S z7G?<$Ll~ycr^5ovPTXMLEIOS52qp26?TkDZWAfc@<9ju@jU1&7(_zGL6e{h-sq)}`rY>R<>fz=(1w9NYHMSe%l(&W35%ONlwlDe0T{5rTLNtKDn z7&qHjcM^QP(>p!i#yKAoS0nLTi4kdgM5qYZX7^mscx!l~ zcR_52^8K?k?KRO_Rce7L5NAMVAdJcU>d(owvGOuS!|+9_TCBYq+%O-goOnYFowtnp z_T%)+gF{cY;v#03(SSrWJ|37^*&PfBI>)%r+yKv8mt~7Fd(mT|=gB-a5kj%n{ zYd8};WOiNWV+8db=C=-TBy~JXj{ddPK-E!<4jXY(%j@Aof%QbgNNwl7UvlX9-*gq+eX#v(E( zt8@x%>F|c0swUCtDs9&6UM}hV17SK$^48j}A>L=A&5l!6R!HNtM%E8!rh-pL?wk{Y z@Fv+_ehb{zZFL}LO6-TrmB1^Ct2!q_iUHrx4(D3FgSaCj>ERm^l!}R}cvnP~yU&NH zD1o)Nj!4`Vir7Xf-oaC`7WoIK6z?TZ;H3csV=pU(z7S-r!Fx8xxw)x^T6pdw=&fnA zp=Bc@Qf=5KFPjsU!25>~#gMxMf+6|?weI9t0idx~vEmVr!uJ|kl$g5Cu>5@5wf2Fv zmm{8Z=$qfwc#Gz>=d|*YlJAE%n_|%)QjfxAFJEyJRu3@7E2VolqexR+$u6=~S6x%suEZDdG-8PFdL4j2YY?I8Dv-3Z%x{} zA+}?Vx#|HmpI!7oh*S4EY_t1rFw?Z?^vI&zLA%Jq0`eQ%Nhe4lVe=T{FGaN3iJPY(G-e&?k&^nJaFF zRQk2BtuG@IJV(~@I}N;(-Vwh4X|GpZYejG0Jb;vkIhdQfR;daJ#7${_fP8@H20AWZ z2yA~N-u(w#W@6;cU4R!`A@2hHOhvGwOG2&_fE$~OPMlAwHGNeSoEUj4wiaNgVKYZM z?a5ZHAfc<#dXl`)rVq6!z2nnDR*$O})JIBAW|VCan3%Zn-DR>7R|5{19Z-Om%OA~( z|Db>9FZXnCShrEY1@!Gm>e5n$AY@EXmw^C|K`$vW=~xcIi-%rHS|v24x<0{*;TR^9 z^`1$(<@W-a@7Je;Yu*~-g3ib6zjVDclxvEgZrh=y43VvPF9xhBAvD0rC4ZQxi0B>J z{GXh(3Y(1El7sN;lg4vH>^O*fp}-~Q?A398_sdZl^f_uuH-C1o_pWvi_kHV*$i3|v zj06^4$l)5vs#`6^C+7aW8Kt_i5AOLW&Z)fY8<->zNr&t(A+_{LHY&PXa!=)};Xh>b z#-VVFKlh0FvCp5VO?-RBdN*vytXXh^dC=r)Yk)Wf2HM9Dohu~u+xdi-CSLzoQ09I) zSf5TA$dp925Geu7Jb|XZ7N3mS;|*f=fi4!2qdKxwV{GYY5|uDnZD?7Y+V|+vF*n&` z2FJtl>6cej`-G_)4y;tNL(BPBdpB0*E7@pm2aJiQmfxH=f_`%4pBDWQ23PA7WuuFo zw@@nTN~{LBndbR*>IYSv|{jd!hhP0D3)kcj&fc0`_ z4=^+jn74o0`}oy<)kYPqg^uqe2O*1RrW0~=5Q^}^wZZ70ksF@NYAm)v9%AJ(MPR=4 zV}K#;f@|r5dN7aRVy|A_tCzjGthj7n#%bL~1Rhhk@V<_Wnr)lS4toeTgbl|x%VfCc zW8oQPlT+n{_v;2{sM9~+0 zS9vQ|7brnXcp=w0puA2~u3_Qzumsq{`In3Xdw{OG>JWU4P^a#8A_eGF=vHj&3VP0c z<=4^W=_Wk>nywe-u+L}S;~SFiw8ke^wWHYSqS1d(dTsSR;z!U@*3G`L(A=Xe#cInJ zSo_tCF&6RSm8;>)YuUCduNi5@X8ijSjNcqT=gOHRu!Vts*GI9(YZ>)s;xUsD+^ zCK;#M<6o8kHaLW&>r@kq(UCN{8r0h(^>DHuueA9lJrlHJ6z*m63VbngA}LuCmypEJ zrytFabqQ!F3fo$@{lYSyU)@taO?M1X4k)aw*h;17`MWuLnthx~AYW2B`@j!rAm{@^^DxA3k<>wp>cq>?HHsE7LsTSw1Zv z<2j@3DdQ-Ef@O2cqY(pSc2qS+`A6 zLf4vZpm+&U@=pZn=!sR-WZn!`t@K7Rkej?F6=m5rWTLa3{`~0|gqaw~7KNskZRcQ! zKRr4E9_h%T1O$@^M7#2B%p1X*JZ(fCdl=w)0^DIr@v?b(>ALtCQc>j({LEyfx@q9< zh%L-*Q73*pq|VJ|+dj7dI1GQr!(+Z@sw?1*lxw0!sPg(g@E9M3z@X# z#L&sFnkU(g0l|X+ijoR#9yMh0O2N)cTJJW|bY@s?kmPM3es#CzPg!X-;U#t~y1!&_ z&CTDv!`n1WnqiZqWq1R zQo$@DMmW%5J>t9eCr$FfH1vg(!iG@WkLBr|%8wf*rh-=`xjBPzVBpasp5SJ&4{HR- zxB3Rbkr(-4n>fUiiv3X{M?jqp!@?&F%h(eNQdGw^3ah2qEY-vKc~cZWe?1}vM)`L{ zGiOp1z_)O3oUsVNoD10chsqRpXHe4y(s6M<&-)O^GP@pDA4so_1we^MU;}-{vSfj} z0Eu<-O8k>F|Ln6r%tw~Vuk8^TQJApVqK?)Drav%yL-IV#p3h@BtHAbklQ-olfy^+p7K)h!^fPaJcb6Uz+5{G-? zcEz##;9m=#Zt-OkvEH6!J+*W0Lz;D{`>qJY^waJFwzv+M#V~MBZN`XPmD3p<93N?1 z^v{p2hBeIU2S8u1E~`33c3#5nZI64hhOC$DNXisF`&MDeP58UicJ4I;p93`gY=$@Z zi^e`#v1XDsuEC8k%9BXsg>oJJtN|B4F>AN}A#$Y$3f@{#Z0;TPul*Zjq=^4N~`yLLj+hduYMnTZaG z;{a^elRm%xCf&zh__xDcaxfH0GB9?XQm|6JaaCYYn|~ZXTbo{0TXh{Ko{%B zi-M6kf<8QpkyNB+c(F9>iK@-D<3FogH+-( zRID~#gAS{iB+4WukOxAuSffqb#12A z#2}2~E1FrP=kd5DoL7I$*MPEJPv9Ko$f|kz$*%a4pnCOaQCRli_a;e^NmhTUa+a&o z`kF6}vG)evxsr3K6erQ%HqeCpCqHBZv{8J_iVPg2XS z;tR$zgm0b{?zWT!spNr-x91q#Z|Lby37$i#a|+OWIU)Fl;{Hg?@bUnGHoD|KdSAfZ zzc73#VGzHhL?OQO)BrrTdjPF_rYV@Vxml*IVhDKueUoV4JAGhuLnX@bQdeEU*7=gj6!r;cGxAW-uo*A z<98Zq+Po@(Vl#|1VsEvD@B}-%TrE-}QTIGnSb<`Ns<6*5r!M^FICw5#qt0LBb|QnL z8SK%q4g7X07^=?Xam=!$?Ec?Ra!`G8K zcnc|i`5L2o#ekyjVWmVSt#m2{d?$sb#>V=KV28%1@N@LjJ&J`4`+-0nuF2I!^7vuy#QGP<#wRu`P8uk%2*tMsYggo}m7E6OBlB zlT>4O)^xYkfWFcv4D-*uCO9M;z3qRjPNhws`+Ua~qPtEjv6gTE%@?wp!gjNpv>3c4 z(7ImkOMs)Z(lNQR>tcTvv7{G>b%~ePvMzfB3kk*C9HMGNGM+t?_OQOA?4Y)!!zS99 zbg}9>GAb-AS3c6zaE_W4KNq`5Re<`q`T~LbuX_Ng(76~`rlIQ_BIU|ZG}_0i!!}!) z2qrPPyt1jfHOM5iMW7Wa&Vj5ApEYGjw}EZu+%6erZ1_izBeBz4bn_S9Qwv4Rru<^a z|0uD7MKoL*ojRTz#~~fJy9K5G=HeA}7#*x={5|7z<*zMd>s1NNE9vH97e`(T*cqvB z!vzca0DN{`7IL(Eh1+wVz7{;`rpuB59!!?&I~pJTqRG8Y{fu`3*tW<<=F!!}ejq*r zg{iZd{3c*`gDi|ow7p&i)lQAh)FW0nxbJY8TpI|EJW~Se@6h~P)34I#^;ro*a47g_ z();q!T~S#4oe*%%h5277EbQPTtrLGOIM7`7R(doXn|}I{Q=N=A(nta{fBMVOD4G&|i@qLz z>~YkFl41VuHU~2(?Lm^)85a+4JQG%97@cPVlF`0&h9LJzZ}2981@`Arq|jI7aakFq zUg>0Z^9~rcckpx2s&*`J1NHzb2sVIdek)DT8$HmCLHvRam>5a$h3L{=ywXVl^ijJQ z;)DHoL`tJM=#^={9V@!q4)%S{sknaB63UXN_Y3coO#;>^eft?|maeOzNx1DiYbqs) z47phgU9dDyYKN3w6?&;TK=V_6I4qalF)wIBFT4glae`HQen9nR=PZfhD&pwqUW71Z$g|C#> zoG-?x$-On8OIF4jV?a1eJz%z%4E;soVwJ_787uspMpjk>^tBBc2JPx~ra-ginna4L zeeS0`v-ZH&cyAVug%b2mU%7B`O!)y=2a$ zBn$I@w}%$zM@au!RsHf+o@6~oHXNNC20q#4Jy&bR{o^A~$@(ODi6l$&^NFqMgA>GD zva)$a@Ud5X4(O&UpxWbxNRJt9$nb7hZ{_i)cqcF0i)q?kxBAJCvAVTOWq)##=CeO%~?cysw(`h)oFDZuao9-!+bw)7|9#IGd40Fd1{NSvZZ$+ ze_^uD+KP5SY`C~ehH`(&p!~yQ$tl$<`MTf;4wo}<^^P5k5vFD^lzkZWw7aQil=_Sy z=7G-m2HgoSIMMzr&DQI06;KN1WAq59g#%Dw)2v#te4i!zj9}y!M33idLXn!zcO>(1 zUjOqc1ZJS^gC6Rp#zj4UDm&~Z#37F{2*Ms7?iIeJe7vC`quy%9I;P%5cJ3}XBI!yQ ztjGkOs(*sFrdNB1(VI_7f=m2$B7~6n7HHrDu$?rx@3Ou9kGOLHa|hTHzN5JJZHm-* zXjoJ#Chp=er*cOj09$)@z(LJCk^58NerH(zawZJ=Xq#bg)c6pG>Ol6?NtoA?P~XDj zFwF*p+f)gSjwC@b%N&pw*v7AGIr;^Uw4_jxm1yTBE z73_J!^JtKbWVH zmEMV`D)Tp++z568R#IGDuzSz3(xAXeiy*PtL5iJC)8`~Nk0P~~^L_+ImXYog!ol|# zmdh%gC7;agPeZR@D`PH)DH8!pOX;P|*DMbE(ot0J$sOHL)z9)iK5v`eXHFj4r2o;X z8UU(@;@nY%DlOVVAohV+++=ssHfZuxZ|rF{}=LvIYmPMz63{LG4*T->Yf7vsMD*0F z%v@bQzK&-4*0$V|ZkNwzfvU6i>m$l{(8U7ZYNh2FWkv2aK^WZ83BUG_pP2vk@pu21 ztt|f$w*Ln^(v`-fOrnuI7oVGytYJ}2gOnrdNDSC0E*()ae@w{uJL_TKh6xJhjUF?$bkK_OIVgCQ$|9=Ai&!51r^LwuuKq_lx Wz5izpeyhiE Date: Tue, 19 Oct 2021 12:09:39 -0700 Subject: [PATCH 18/22] Replace absolute links with site-relative --- .../mdm/healthattestation-csp.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 5f1347d92d..9583426aee 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -60,14 +60,14 @@ JSON Web Token (JWT) is an open standard RFC7519 method for securely transmittin ![Attestation Flow with Microsoft Azure Attestation Service](./images/maa-attestation-flow.png)
      -

      Attestation flow can be broadly in three main steps: +

      Attestation flow can be broadly in three main steps:

      • An instance of the Azure Attestation service is setup with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
      • The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.
      • The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
      -The protocol implemented can be found here: Attestation Protocol -

      + +The protocol implemented can be found here: Attestation Protocol. ### Configuration Service Provider Nodes Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestaiton service. @@ -240,9 +240,9 @@ This node will retrieve the service generated correlation IDs for the given MDM ### MAA CSP Intergation Steps
      1. Setup a MAA provider instance:
        -MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
        2. +MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
      2. Update the provider with an appropriate policy:
        -The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs +The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs
        A Sample attestation policy: ``` @@ -447,9 +447,9 @@ GetAttestReport return the signed attestation token as a JWT.The JWT can be deco
      ### Learn More -

      -More information about TPM attestation can be found here. Microsoft Azure Attestation -

      + +More information about TPM attestation can be found here: [Microsoft Azure Attestation](/azure/attestation/). + ## Windows 10 Device HealthAttestation From 8f62eeb9d24a59ab6d1203e37d90e3bac70f52bb Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 19 Oct 2021 12:24:14 -0700 Subject: [PATCH 19/22] Add backticks to apparent code blocks; label some --- .../mdm/healthattestation-csp.md | 181 ++++++++++-------- 1 file changed, 98 insertions(+), 83 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 9583426aee..5e6f472f82 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -103,27 +103,29 @@ This node will trigger attestation flow by launching an attestation process. If

      Templated SyncML Call:

      - - - - VERIFYHEALTHV2 - - - - ./Vendor/MSFT/HealthAttestation/TriggerAttestation - - - - { - rpID : "rpID", serviceEndpoint : “MAA endpoint”, - nonce : “nonce”, aadToken : “aadToken”, "cv" : "CorrelationVector" - } - - - - - - +```xml + + + + VERIFYHEALTHV2 + + + + ./Vendor/MSFT/HealthAttestation/TriggerAttestation + + + + { + rpID : "rpID", serviceEndpoint : “MAA endpoint”, + nonce : “nonce”, aadToken : “aadToken”, "cv" : "CorrelationVector" + } + + + + + + +```

      Data fields:

        @@ -136,15 +138,17 @@ This node will trigger attestation flow by launching an attestation process. If

        Sample Data:

        - - { - "rpid" : "https://www.contoso.com/attestation", - "endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01", - "nonce" : "5468697320697320612054657374204e6f6e6365", - "aadToken" : "dummytokenstring", - "cv" : "testonboarded" - } - +```json + +{ +"rpid" : "https://www.contoso.com/attestation", +"endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01", +"nonce" : "5468697320697320612054657374204e6f6e6365", +"aadToken" : "dummytokenstring", +"cv" : "testonboarded" +} + +``` **AttestStatus**

        Node type: GET @@ -154,26 +158,30 @@ The status is always cleared prior to making the attest service call.

        Templated SyncML Call:

        - - - - - - - ./Device/Vendor/MSFT/HealthAttestation/AttestStatus - - - - - - - +```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/AttestStatus + + + + + + + +```

        Sample Data:

        - If Successful: 0 - If Failed: A corresponding HRESULT error code - Example: 0x80072efd, WININET_E_CANNOT_CONNECT +``` +If Successful: 0 +If Failed: A corresponding HRESULT error code +Example: 0x80072efd, WININET_E_CANNOT_CONNECT +``` **GetAttestReport**

        Node type: GET @@ -182,28 +190,32 @@ This node will retrieve the attestation report per the call made by the TriggerA

        Templated SyncML Call:

        - - - - - - - ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport - - - - - - - +```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport + + + + + + + +```

        Sample data:

        - If Success: - JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc - If failed: - Previously cached report if available (the token may have already expired per the attestation policy). - OR Sync ML 404 error if not cached report available. +``` +If Success: +JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc +If failed: +Previously cached report if available (the token may have already expired per the attestation policy). +OR Sync ML 404 error if not cached report available. +``` **GetServiceCorrelationIDs**

        Node type: GET @@ -211,20 +223,22 @@ This node will retrieve the service generated correlation IDs for the given MDM

        Templated SyncML Call:

        - - - - - - - ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs - - - - - - - +```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs + + + + + + + +```

        Sample data:

        @@ -379,7 +393,8 @@ c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]"))); }; -``` +``` +
      • Call TriggerAttestation with your rpid, AAD token and the attestURI:
        Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Azure Attestation) | Microsoft Docs
        • @@ -387,7 +402,7 @@ Use the Attestation URL generated in step 1, and append the appropriate api vers GetAttestReport return the signed attestation token as a JWT.The JWT can be decoded to parse the information per the attestation policy.
        - +```json { "typ": "JWT", "alg": "RS256", @@ -442,7 +457,7 @@ GetAttestReport return the signed attestation token as a JWT.The JWT can be deco "testSigningDisabled": true, "vbsEnabled": true }.[Signature] - +```
    From 9afca2687a9200e47faab4ec9f520a6ed79e7f0f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 19 Oct 2021 12:51:07 -0700 Subject: [PATCH 20/22] Added angle brackets to resolve [Suggestion: code-block-indented] --- windows/client-management/mdm/healthattestation-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 5e6f472f82..7e05d3b90b 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -242,11 +242,11 @@ This node will retrieve the service generated correlation IDs for the given MDM

    Sample data:

    - If success: - GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM - If Trigger Attestation call failed and no previous data is present. The field remains empty. - Otherwise, the last service correlation id will be returned. In a successful attestation there are two - calls between client and MAA and for each call the GUID is separated by semicolon. +> If success: +> GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM +> If Trigger Attestation call failed and no previous data is present. The field remains empty. +> Otherwise, the last service correlation id will be returned. In a successful attestation there are two +> calls between client and MAA and for each call the GUID is separated by semicolon. > **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported. From f4cca76942a312c2022de2e4fb4c0e9db572e2bc Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 19 Oct 2021 13:01:54 -0700 Subject: [PATCH 21/22] Acrolinx: many fixes, mostly spelling --- .../mdm/healthattestation-csp.md | 58 +++++++++---------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 7e05d3b90b..b6e69dd50e 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -14,7 +14,7 @@ ms.date: # Device HealthAttestation CSP -The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT adminstrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. +The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following is a list of functions performed by the Device HealthAttestation CSP: @@ -36,11 +36,11 @@ The attestation report provides a health assessment of the boot-time properties **DHA (Device HealthAttestation) feature**

    The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

    -**MAA-Session (Microsoft Azure Attestaiton service based device HealthAttestation session)** -

    The Microsoft Azure Attestaiton service based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

    +**MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)** +

    The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

    -**MAA-CSP Nodes (Microsoft Azure Attestaiton based Configuration Service Provider)** -

    The Configuration Service Provider nodes added to Windhows 11 to integrate with Microsoft Azure Attestation Service.

    +**MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)** +

    The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.

    The following list of operations is performed by MAA-CSP:

    • Receives attestation trigger requests from a HealthAttestation enabled MDM provider.
      • @@ -50,7 +50,7 @@ The attestation report provides a health assessment of the boot-time properties
    **MAA endpoint** -Microsoft Azure attestation service is an azure resource, and every intance of the service gets adminintrator configured URL. The URI generated is unique in nature and for the puposes of device health attestation is known as the MAA endpoint. +Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint. **JWT (JSON Web Token)** JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. @@ -62,7 +62,7 @@ JSON Web Token (JWT) is an open standard RFC7519 method for securely transmittin

    Attestation flow can be broadly in three main steps:

      -
    • An instance of the Azure Attestation service is setup with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
      • +
    • An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
    • The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.
    • The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
    @@ -70,7 +70,7 @@ JSON Web Token (JWT) is an open standard RFC7519 method for securely transmittin The protocol implemented can be found here: Attestation Protocol. ### Configuration Service Provider Nodes -Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestaiton service. +Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service. ``` ./Vendor/MSFT HealthAttestation @@ -132,7 +132,7 @@ This node will trigger attestation flow by launching an attestation process. If
  • rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
  • serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
  • nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
    • -
  • aadToken : The AAD token to used for authentication against the Microsoft Azure Attestation service.
    • +
  • aadToken : The AAD token to be used for authentication against the Microsoft Azure Attestation service.
  • cv : This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.
@@ -219,7 +219,7 @@ OR Sync ML 404 error if not cached report available. **GetServiceCorrelationIDs**

Node type: GET -This node will retrieve the service generated correlation IDs for the given MDM provider. If there are more than one correlation id, they are separated by “;” in the string. +This node will retrieve the service-generated correlation IDs for the given MDM provider. If there are more than one correlation IDs, they are separated by “;” in the string.

Templated SyncML Call:

@@ -251,9 +251,9 @@ This node will retrieve the service generated correlation IDs for the given MDM > **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported. -### MAA CSP Intergation Steps +### MAA CSP Integration Steps
    -
  1. Setup a MAA provider instance:
    +
  2. Set up a MAA provider instance:
    MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.

  3. Update the provider with an appropriate policy:
    The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs @@ -397,9 +397,9 @@ c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo"

  4. Call TriggerAttestation with your rpid, AAD token and the attestURI:
    -Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Azure Attestation) | Microsoft Docs
    5. +Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Attestation) | Microsoft Docs
  5. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:
    -GetAttestReport return the signed attestation token as a JWT.The JWT can be decoded to parse the information per the attestation policy. +GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy.
    ```json @@ -655,7 +655,7 @@ HealthAttestation - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device - 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes -- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up +- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup **ForceRetrieve** (Optional)

    Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.

    @@ -665,7 +665,7 @@ HealthAttestation **Certificate** (Required)

    Instructs the DHA-CSP to forward DHA-Data to the MDM server.

    -

    Value type is b64.The supported operation is Get.

    +

    Value type is b64. The supported operation is Get.

    **Nonce** (Required)

    Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.

    @@ -916,7 +916,7 @@ After the MDM server receives the verified data, the information can be used to - Allow the device to access the resources, but flag the device for further investigation. - Prevent a device from accessing resources. -The following list of data points are verified by the DHA-Service in DHA-Report version 3: +The following list of data points is verified by the DHA-Service in DHA-Report version 3: - [Issued](#issued ) - [AIKPresent](#aikpresent) @@ -964,7 +964,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) @@ -989,7 +989,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) @@ -1005,7 +1005,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** @@ -1018,7 +1018,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion**

    This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.

    @@ -1030,7 +1030,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled**

    When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

    @@ -1041,11 +1041,11 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -

    Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

    +

    Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

    Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:

    @@ -1071,7 +1071,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled**

    When code integrity is enabled, code execution is restricted to integrity verified code.

    @@ -1086,7 +1086,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** @@ -1221,7 +1221,7 @@ Each of these are described in further detail in the following sections, along w

    If SBCPHash is not present, or is an accepted allow-listed value, then allow access. -

    If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

    +

    If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:

    - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. @@ -1407,7 +1407,7 @@ Each of these are described in further detail in the following sections, along w 27 HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE - DHA-CSP failed to create a HTTP request handle. + DHA-CSP failed to create an HTTP request handle. 28 @@ -1442,7 +1442,7 @@ Each of these are described in further detail in the following sections, along w 34 HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE - DHA-CSP received an empty response along with a HTTP error code from DHA-Service. + DHA-CSP received an empty response along with an HTTP error code from DHA-Service. 35 From 887b5a6f3711508e8feca5e311eb2d6733a390cf Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 19 Oct 2021 13:06:36 -0700 Subject: [PATCH 22/22] Acrolinx: many fixes, mostly punctuation & grammar --- .../mdm/healthattestation-csp.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index b6e69dd50e..32bdbb1eca 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -25,13 +25,13 @@ The following is a list of functions performed by the Device HealthAttestation C ## Windows 11 Device health attestation -Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service which provides a simplified approach to attestation. +Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. ### Terms **TPM (Trusted Platform Module)** -

    TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

    +

    TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.

    **DHA (Device HealthAttestation) feature**

    The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

    @@ -132,8 +132,8 @@ This node will trigger attestation flow by launching an attestation process. If
  6. rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
  7. serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
  8. nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
    9. -
  9. aadToken : The AAD token to be used for authentication against the Microsoft Azure Attestation service.
    10. -
  10. cv : This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.
    11. +
  11. aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service.
    12. +
  12. cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.

    13. Sample Data:

    @@ -471,7 +471,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes ### Terms **TPM (Trusted Platform Module)** -

    TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

    +

    TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.

    **DHA (Device HealthAttestation) feature**

    The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

    @@ -504,10 +504,10 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes DHA session data (Device HealthAttestation session data)

    The following list of data is produced or consumed in one DHA-Transaction:

      -
    • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.
      • +
    • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health.
    • DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
    • DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time.
      • -
    • DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has 2 parts: +
    • DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
      • DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service
      • DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP
        • @@ -541,7 +541,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes DHA-Service (Device HealthAttestation Service)

        Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

        -

        DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

        +

        DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

        The following list of operations is performed by DHA-Service:

        - Receives device boot data (DHA-BootData) from a DHA-Enabled device @@ -650,7 +650,7 @@ HealthAttestation

        The supported operation is Get.

        -

        The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.

        +

        The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes.

        - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device @@ -837,7 +837,7 @@ Here is a sample alert that is issued by DHA_CSP: ``` -- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). +- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). ### **Step 5: Instruct the client to forward health attestation data for verification** @@ -948,7 +948,7 @@ The following list of data points is verified by the DHA-Service in DHA-Report v \* TPM 2.0 only \*\* Reports if BitLocker was enabled during initial boot. -\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. +\*\*\* The “Hybrid Resume” must be disabled on the device. Reports first-party ELAM “Defender” was loaded during boot. Each of these are described in further detail in the following sections, along with the recommended actions to take. @@ -1125,11 +1125,11 @@ Each of these are described in further detail in the following sections, along w

        If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.

        **ELAMDriverLoaded** (Windows Defender) -

        To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

        +

        To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

        -

        In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.

        +

        In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.

        -

        If a device is expected to use a 3rd party antivirus program, ignore the reported state.

        +

        If a device is expected to use a third-party antivirus program, ignore the reported state.

        If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.

        @@ -1150,7 +1150,7 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** -

        Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.

        +

        Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.

        VSM can be enabled by using the following command in WMI or a PowerShell script:

        @@ -1205,7 +1205,7 @@ Each of these are described in further detail in the following sections, along w **PCR0**

        The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

        -

        Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.

        +

        Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.

        If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.

        @@ -1231,7 +1231,7 @@ Each of these are described in further detail in the following sections, along w

        If CIPolicy is not present, or is an accepted allow-listed value, then allow access.

        -

        If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

        +

        If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:

        - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks.