From b14315fa94cfd989954e9d0ba50cf8d1ab77fe6a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 3 Oct 2017 11:40:54 -0700 Subject: [PATCH 1/7] revised intro topic --- .../device-guard/device-guard-deployment-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md index 2b460c583b..b88e38310e 100644 --- a/windows/device-security/device-guard/device-guard-deployment-guide.md +++ b/windows/device-security/device-guard/device-guard-deployment-guide.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. +Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, the ability to run malicious executable code is much less likely. With appropriate hardware, Windows Defender Device Guard can use the virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and Windows Server SKUs) to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes: 
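Review bot: the rewritten clause in the added line, "the ability to run malicious executable code is much less likely", does not parse cleanly, because it is the attacker's success that becomes less likely, not an ability. Suggest "an attacker is much less likely to be able to run malicious executable code", which keeps the subject of the preceding clause. The same line changes "in all Server SKUs" to "Windows Server SKUs"; if every Server SKU is still covered, keeping "all" avoids an unintended narrowing.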
From 224e4060c127e4f8a7f66d63b63ccf0263abc149 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 9 Oct 2017 15:11:41 -0700 Subject: [PATCH 2/7] revised configurable CI policies --- ...n-based-security-and-code-integrity-policies.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index e5593fe7b8..e599163d32 100644 --- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md 
@@ -14,9 +14,11 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. +With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. -Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been available in previous versions of the Windows operating system, and protects the kernel mode from running unsigned drivers. In Windows 10 and Windows Server 2016, UMCI is also available, to help protect against viruses and malware. +Beginning with Windows 10, verwsion 1709, you designate these trusted apps by using Windows Defender Application Control (Windows Defender AC). On previous versions of Windows 10, this is done by creating code integrity policies. + +Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI protects the kernel mode from running unsigned drivers. 
Beginning with Windows 10 and Windows Server 2016, UMCI is also available to help protect against viruses and malware. To increase the security level offered by code integrity policies, Windows Defender Device Guard can leverage advanced hardware features on hardware that supports them. These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Windows Defender Device Guard and these hardware features can help protect against various threats. @@ -28,11 +30,11 @@ The following table lists security threats and describes the corresponding Windo | Security threat in the enterprise | How a Windows Defender Device Guard feature helps protect against the threat | | --------------------------------- | ----------------------------------------------------------- | -| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | -| **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**:  Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.

**Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. | -| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | +| **Exposure to new malware**, for which the "signature" is not yet known | **Windows Defender Application Control**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than constantly update a list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
Only code that is verified by Windows Defender Application Control (AC), usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

**Specialized hardware required?** No security-related hardware features are required, but Windows Defender AC is strengthened by such features, as described in the next rows. | +| **Exposure to unsigned code** (most malware is unsigned) | **Windows Defender AC plus catalog files as needed**:  Because most malware is unsigned, Windows Defender AC (which in most cases requires signed code) can immediately help protect against a large number of threats. For organizations that use unsigned line-of-business (LOB) applications, you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by Windows Defender AC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.

**Specialized hardware required?** No, but Windows Defender AC and catalogs are strengthened by the hardware features, as described in the next rows. | +| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
With VBS, even if malware gains access to the kernel, the effects can be severely limited because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | | **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:  With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.

**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | -| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Windows Defender Device Guard security.

**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | +| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in the kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Windows Defender Device Guard security.

**Specialized hardware required?** UEFI Secure Boot has firmware requirements. For more information, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | In this guide, you learn about the individual features found within Windows Defender Device Guard as well as how to plan for, configure, and deploy them. Windows Defender Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). From 842bb4e3ebdb6f296a0960a5861843a885eedbb0 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 11 Oct 2017 10:52:14 -0700 Subject: [PATCH 3/7] revised procedures --- ...rd-enable-virtualization-based-security.md | 18 +++++------------- .../device-guard-deployment-guide.md | 4 +++- .../device-guard/images/dg-fig3-enablevbs.png | Bin 30708 -> 32382 bytes ...ed-security-and-code-integrity-policies.md | 4 ++-- 4 files changed, 10 insertions(+), 16 deletions(-) diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md index 7f3deced86..b607eaf180 100644 --- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md 
@@ -70,22 +70,14 @@ There are multiple ways to configure VBS features for Windows Defender Device Gu Figure 3. Enable VBS -5. Select the **Enabled** button, and then choose a secure boot option, such as **Secure Boot**, from the **Select Platform Security Level** list. +5. Select the **Enabled** button, and for **Select Platform Security Level**, choose a secure boot option. - ![Group Policy, Turn On Virtualization Based Security](images/device-guard-gp.png) + - **Secure Boot** provides as much protection as a computer’s hardware can support. If the computer does not have input/output memory management units (IOMMUs), enable **Secure Boot**. + - **Secure Boot with DMA** enables Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have Windows Defender Application Control enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). - Figure 4. Configure VBS, Secure Boot setting (in Windows 10, version 1607) + For **Virtualization Based Protection of Code Integrity**, select an option as follows: - > **Important**  These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). - -6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option. - - > [!WARNING] - > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). - - Select an option as follows: - - - With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. + - Beginning with Windows 10, version 1607 and Windows Server 2016:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. - With earlier versions of Windows 10:
Select the **Enable Virtualization Based Protection of Code Integrity** check box. diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md index b88e38310e..6bda41bc15 100644 --- a/windows/device-security/device-guard/device-guard-deployment-guide.md +++ b/windows/device-security/device-guard/device-guard-deployment-guide.md 
@@ -15,7 +15,9 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, the ability to run malicious executable code is much less likely. With appropriate hardware, Windows Defender Device Guard can use the virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and Windows Server SKUs) to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. +Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that run on Windows 10 Enterprise edition and Windows Server. When these features are configured together, Windows Defender Device Guard will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted, it can’t run, period. + +With hardware that meets basic qualifications, Windows Defender Device Guard can also use virtualization-based security to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. Even if an attacker manages to get control of the Windows kernel itself, the ability to run malicious executable code is much less likely. This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes: 
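Review bot: the first added paragraph says these features "run on Windows 10 Enterprise edition and Windows Server", while the removed line listed "Enterprise and Education desktop SKUs and Windows Server SKUs", so Education is dropped with no explanation. Confirm whether that is intended and restore it if not. The second added paragraph carries over "the ability to run malicious executable code is much less likely", which would read better as "an attacker is much less likely to be able to run malicious executable code".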
diff --git a/windows/device-security/device-guard/images/dg-fig3-enablevbs.png b/windows/device-security/device-guard/images/dg-fig3-enablevbs.png index d457c0bb969900dd36847291c4ac979467da6357..782c2017ae0aad63ac15766e8a3fbf9f9a7b624a 100644 GIT binary patch literal 32382
z%*;$~k04edt#Os2aLx^RQX|1jjgsu~d|@sL#@zTaxtf0ahZIP_v$;q!3!Q%Dnx#OL8a zOTTi>U_))H#n>d8T>eCr+uSilugdB~-(*CjiCy6?x)K~RILhzu-| zSpP;B?xw3?u_x_XV69ahHFL%q<@O?c)Oje|6ucgmw<@p^4qTrf)DtLGsntJA7zM*p^U@r79^Z*QyHoEhFlwN*S zAu1)^chR}n4{av>8#2irf+UQ=DTT(FC?##$i~+SDCfdn@THaDU58>9spyDzMrLx0F zew8#N3QR+OzGH5mI*He;ax>Y#`O{sOeO(JwP;_UF-7 zToEJP3D#eaZ!uQ7ot?PF1c^)#xn6zhCw_(+0 zSLsnjo!BCsC;Hi64DNpNVpt>nloQasanU=z73YHS3@&r?n;zI|)^r~ejB_qpnOowP zFtzUF(CnGP#q8S1l!?wp>>$v>5{0q0I5%B+1wk2G-(9cL{O=KwZxDuUCyyqfB2fxr z)RJC!EAQT6|JmielqrJLq88kAcxUPn4i#27im!&c_DxQG;0>T|cLd_^;wN#grHSU$S(VkGS=wK74ws-Y12j zT2^=+R|2qBwehokVF(f8V{Q)(64&hg{4o|tg36Y>I`E_|D~?LJAA*dh5taY~6Nmgy z;_K!=3cy>;X1Z|E^u|okbL_-p{REB)kk( z=S{~!gZ`WFD0Jj6maL6hn(25)$;Z7JwF^0_xgwL{EgQsGa)Fds1w}+MXQDO&eH9!~HRw<5=U@Jl(h zgIAy1HQ1|hk@LuJEH#XZ&~JW5#efLvFw*;n0(nBDpcQFNc>~+z4~*Jhzc=En(RD3i zJF>8eKpo7|QNzse{(KfH)3YuKn@UBeGCJkYz~CoGLK`}3T%9F^#SkFd|V`6 z5#eM1*E4@u8}b=;lse1GRc~n{7hwv&P3tJUYQITkG5V`gM zq>t^$Ead^oZooJ3%_wg@;XnBiq{l)=1rpD{?eid?WD*|0_a!tXFJix<43lavFfhk` zFeuMOxczhL2>fhPZ#IJtICigyYF0IPVKDYkAjC%c#U4SUz&A+uZgB_XcA&0fTBaP*6gXQhr|NnKjeZM~ksM~YlzkBmX zP&=7|o|yTpv%Y+k+PTA>wVdE~mqZPCB=;8fJ`61LPU;O%fF1Yc7Fg{5pRE`Paggxh zp8mq9mwmbvwG(HWxkv-tm2cHQw*x9`6QMTCrO*_l}xC(6o} zl^Nk=@6nM}$*4&7c4T+#Jr6RnIrd&rI`+s)sNd%pmFHW})6buHea3xX_ch+v`+9$p zg1@P`#@vz}9mk2m;UEoX_eEgu+q`M4B{@&~%Ap-APtRQtLU37VU z4K%uJVi0s%_ZTtQe8<-Kq53k=~BsBo~B`k;$ePg^zI* z)MA)pd1rlavrIDz%G9}?s@l&wIQ8H`tG4t7oPj1oigF!+wN?|cd_3lctJhgOk_n#t z;`@NYau^N7B?-)Ls)%t`t1+jz8)QCb8+Fhu?fvwvNh36w#-)>I19joLhx00Zs7gKdvz!pPf6O_$E#45PD1 z8z5bTJicypCrg`}n!12)?A!K#^1bj0GsZD8wt-_N5~F|vqU@YcjB+Oqs4Z|GY1#EVKO59=%6a8|LR%;MUGyi)wXmu9#JB9SWW8O<0(x~W^7(-{=`@^q8?xku_+_wy5} z;^$Jw#1GDkA8^GO2+lwdHHdZbf8{_!1EHXu5;^W9@8tYi@^0e3VHtP>yCiycqY*5! 
z&n;MRK}&&0`06{Qa@i^xw?#TK(fF_<2WqSYa^|>gNTg&&W!SF#KFnV@0Med`C z_Y$Tl6eiGiD-?I2nd25?N0wSdX(Jidg{T4t`WznP<4xTycFdCu!t9)SJ9pxYG!#4f ztLxG?b^lMwj>HUBOCHjDE?2U2GZhizLT)!+fCUl70w#`kx0dL|-e5gfBlwSrt_g@u z5kKn~k96w12Gg{$CjMYfH&5K8uap2=RcNVYjKtMKS7lfu*(lFx7U-Yapk@y9};z_@H6_N-ft$oX(o+3j`unV zpN!y5CiY1A<=JF$UH(@sSrEhkxyJA{ zmg7$dg#f^7IjT=kY?u?*Zbvl8By4C^-O9#~-kWZ-MvJiWghjrUB5wx4?MRAtdEj== zZ<@vwV4DhxPN+M%tbKPwK6{<+l-pG|$9797D1{<%>9x5>!8kfi;3_fK4_r}3X0@^EN351NNU zr&@sa0}2k9Hbj2THPloWd@TNMPl$lLrc>Rt>q};Q=EUg&@Wsf6mAIIL|%MrKCxPJ z*&+E*r*5533z6r%dkl>LEm*>`BOnO}D2-mayU#yt8@Jh@DYu20M#kuEi!Vortn`|g z?(VaqNALsSH>w!_WQbhGUjbq59I#yuVe*3%_IC(`<2MFHpZ$jlYbr7MG!feGCHQ7k zrvfpE8>Xm7@WQUdT_Ei!eRc_(vJ=}IU^)P3Qk(l?Tv%LFn0K7l!(;sVI70_C%g$Y) z8DgDoEg9=yDk}e;-~VwI$h^2!x)1^5J%TBND%eALQ592|&ZqShzGD_nL1lPLTdLF2 z>ZA>?*j;DC2ViFuyaZIIPfHk-u%DbdxtRVpe~$>4UseDHuNg@P*3qu9zZr?K$y=`w z%wuPifJeFI?)-Y?3DlPT^SP@9G8`p#9V1KZ?%K3^uwczc9EfJQ-UF2;S$+O&Y%P2B zwwKUk6QP#3-r-u>@(z| zm3Bu|1J(?S}) z`<>Qtsk4^&rO0cF+t(Df2X3ou^qE#HgbbCd=n3JAE^0jA!(DsJO>Sp2*P`T0`ij>+ z-~ahMo7w4GkOp;O_*Jk=d&G51F6kqS{y~^RnGhhAW4rRz*LZL=Zc~zvdC3q~{3+G3 zGWc0d{)>4>u7117+q-}mr~aA$4gs42L7Ek8%-&qj9&M|AD1rHiM|Z({a3Q&;t#r0j zbrllfI3kF`3G63_26q5o{y27JkQ{!2bjwh-!Nrj~yf@^xiq_rvOHjh;6cEr~;o?bhAMxxBMs1w( z{W=qMx*kRXH;A{+eg{cm{OtKazGbBjEp}3N-OIl_kr9oEi!nJt>ye0bT_wgE(|Z^e z?dkLfv*{m$qh@298INAa` zJ#Nv*I#o|%42P(2wtT;+1&riMy&sPpP}H{|7cLj`;dUq%diYs|j6%mbYYOFY5540r z490`h)6$54XG!m}m`PR`+?7*PO;T^wB_W(M z+SV_EnKoRV;?^w|NO(V&ULCKllr6-xmfR*Rr3uYfOB&3g5M7+bHb;#zA4idYp1B6b z0biuX{fy_q>%i&y!~e|~BLN}0wgrr3LZCQ1_Z$A>Z`{Wf3XtZCq-X4370AD{3tbQv z&Yy5?$KCE&?|p{O%GV2I-)?r{FPl2$q+FO&ICm7He%G)apX!edl@ho0UJR_!GWokBqI>j@@)zb|@@k1iiWB&P~LyFow@$R$rHk zgY)2#+pD=$b=7`fDCyIGxy+xNhuKE4mF{A93EO*Vzw`()(i!DuDn^FVFOHblE1Jb> z;!!CK|IVKR`fmJ+R>W~nJ3eG&M>|OFkjC`a zsXe&LMn3@~dVR|L#cZjzd3R+TvGp67mvrlhIujNXbhlnCHOP^Fmo-Dqhc8NX0n)bx z&yMrP_r*u(-@hsK-04E#=B!!pm#klQi}*}se?OXEu-63IDz`9MGNR#-I20RSomkMb zXI7KfA4zd^1PDjVGm%CxMe=;8`C3G< 
zW+{TlsRbiUIdvSt4^QY1zbS7767Zv>pF~Tabubcz*tkx!df}*Evt^VyeKPg?k&s7t zqe`}BBg%!k``wLcUKsgIOIhH3kS!x1Rh=4(j-qq{(+$V@*G~@*m=>-WlGrcn@|_YN zo%i)u24eue^2c1i7@pJ4e%5c=mboil@j@I84r$^)66c>@7ij#Yd&=c1oIC~C9=zw@Tm&=okiKLfP2=KF+jaPYMq)=SuV!l+lwm1mo={yz5yBD{fd z-ErMOGK#p}ckl5&mGj*dY$tutAOqp@=i>G4$;Xd3=lf|qHVAAxF@TG2Q0v~9m<*yY z=k5OXaili%PGYkya_fV@x!rQHX)o`+8&b{gPgqzue&fC4rAh#~{Y~aRjyDF#1~9-C z`}Pz?H2gPjPLUsxCi=Rw8KAfj{_c_h2$4N=TI99~vZ!`-6l}&JFqM<0n)sCX)!PJs zBlzbUKsl>H{?j_@1k)Wk$%ZzBZt`PRd;PM@lKKCSj$|JU1EToR33~bSg8LSuf7@SekHKnF-iK z0k?mUnXAf$>WT=s1gi|WQy`t*=y~6I3BzlBWTr_gbo9cXfMs*hX?3HZAWcDHenw!# zJQBTrXOv^z>V=mM6izUP%^g_9t|b5Sj~dw@km;4@W`oquSl>Pkj6j~)Nz zExL{CUtG)8@xF z;!NR?y;iT$AXM{&5@uvv4I!7i;!K3YdOw#wY>L=Og8?RHi|Hn%Ve(1vn%gOd%dbhq z!&*A|`az`6=_b-#K&ov~5nPXgBOSJyck{vI-1ZAyHPi%`EuV5g*eXfigbr#H28J%FJq0gW$W!~<B6jA;` zNQd%a=ciL=)r1E1#lhq}iI7r#tD$H7w*I^%+l*b8fsa-AV;?(o?aD!fSnHF&=mmPQ zb-l9V)p*xZJg(l{iXlctYB{T#hksPrGUPdCy5zLa-Bmt~(f!i;rCNQItEbHRZ4As- z6@OR7*hb=P*2`(vHD9qgHaQlRHG8aIIERgT!m<4EvEV2F^l{5e?jb zwE_)1)=SHSaMNLB?TfvAwlf^uHfBE+accSzrr)@f!U&Z=-j;D84KEjy#L{w&E2Ngh zSpj|AWSde~`yU~S)blS`L-zIJvNp)CBHRX3M=8-7P>PjNfdf?c3z9?W!%|tT80jxI zqUljNH6{{^k8=)4dx1N{XX2>cO3IAI(6DYswcfXk>ghiFet`;4a^>eIDXQT+)QY<*vy%W0hvd_sv^pVGI_^t2>$Y{0zh=%B15) z=I>yOfBdbz4RJb(;t#3F383LHO<}z3wy8YH=3L%A>T0@GSn5K~Zu-aD=%4v79igK% zff_O~|BdR#=JqL4g)z|J(j&j3i*$RXct|>P4>Y66td$+SN1X*uKj1$(3#6$St4gQf zpF;Jt<8|CETbc@*h83^u*PTto9a7c&o6@0#%ax9=6&{wZ#Fy8pGQ*)d`td9I`$Ipg*C0Fe8ivmLgT74aB zs>Z0-lBIR zDbBi1WyWB8(I~jJH6dOtr=Vx|Y6SJslD90z`F_Q)A?Jz9r;(24GUOTLzjn(>EsOM8 z*DUr_SZ1~fJLczPg>*^AhG~TcC7oJ!QmvZ?CE%?NZ`1oY`LpSfqnve;trK`Y$D*?P5o^LMARAzt(GV7Lo+JIb&Bh9l9D7UCntd8=W#$ zJ})jy4@9@)Dk>_$-w8VhMO{ygL%+Dok73a&Qc_fZSoopxSVOhqN3!2BnW$E*vb%`y z(iQV Af0M$cj=(GGp;8_FLFUMiAhMlRAnjC9hzFMd%=I&$8Nq+U5TJ<{01Y~>j! 
z6Vr%A8j^keg67DN#OL6&#FK_N0PQEylFOhWaqM`|TkSD@GxcDRw?d!H{FG>jtzU z!RE1q(dVwDj1>i$s5UBrEPaCl>g2$h%?s7bL(J&|h6IoA6+2DMXqc=9aG< zD1&f31dzG{zMnXb9h z)9T*;T{FXRKT5^iYk{oig9XeZVl#V|HIu1yrc2n8aQ$Q^nA+(a=B^b!a$4J{BfSPF z?8WCoW8+%PiteaNHM2-HUb4JjpkiCGdzM%V!o+J;Trx%(2ZDsov#_xyIZ(5z`FPU7 zDHO++6%f<~y=H+UeL{sVnz>2meY{;fLG-eO$iE$ezjhP9A74VAx?pk>EU zunCC9qLhL#IKLxNR=hnnnOF)jX~k{stW6H8A9A0c!ig2=185hR$-X_8q{Klv**&?Z z7YIG=Rb;Ctv5hy-xY;C~!Gy%bujXPJmZESrr;U0So0AsGW1bWF1hy{Mkx5h22r)j^ zyz`#YXL-}LY|JB->ZEsfSyOkM{@2MIjHR*nav2Z}(8>_MZMnW>qY>@nJL;NO+JzC5 zGWHQhSf=W?O5g2i!0N2+ksZ}z=s{R%{;=NmvYn!O)Y=2Be@&*3<=hTM=qBd|T57IQX7{9NyL%yLZ*|gC^O%p_5bc>8AEe*Zq>;%T;cV zUzW~+F0dM|R-9+Qgo0@gZg~QvO_?rs1mvbAD_xgI%9oOGH+zJ&1P?%2)XJV{rpN|B zpJjmt5a9Wm%HP-32XB4y@^y#?T0T+%3?VL70GPk}A7Zz^d2K^vtw5>d#IQpX)%9}% zTy(%yy44YkC&t>HuW77BWuNw!y`=>J6qf$=DYX{lkS4}oDQI?}ts zE9!5zdgUoWAMeDt=CcdmqyuqfjhmF*)Se=a;C44$ z|3xU_7vSd4w3T4uT)s&0PIE5cC2Ia>eGelqUDqE*X;&e9A2$P`w&)l@8&GF5*v6~7b6-B0|!WLyrb84`0)aos!f^rY|H zJ>S6@@1dSdf0}dZ$=bE&llYgh)7nMUq4uWez)PM`Y4`!Z{X6yYq@)P|`dyYn2Plc| ziGM3(OVxB@6Z6I{QByC^&AIH%L^>~z4Udf}Y+-6#-C*x^RO}QKSpiZ~cS43Y?n{(m z#3<2?wm8UyPX2sFqy7Y~89a#}m=)H$Dspe*^SZ8`*fTMBNtXvJ=9IL&!M0io6kp11 zPyT3_ti}OsWwls;;fDJ{cB#w=phvU~&Pz%(jgGf;ZRCwU53nkQ4%ARSJzBauSH@IE zOovcJ8rbU?*$)sD=n_46MHvfsumyv=H^!8+q?5lKg%5TCK%~*v*H>oH)z!74qC&XV z&o|!KHD`|O4N@ewL83NQzBFdMp8{~X^iop({PAe1S$S+$6Gg6ezCqc-! 
zIA66r%3vZWfOlrFh*mIp_%JF3H_K{Po0@_m85r+#2AsNM4Qkhb50T`=hhmQehlq2- zU}ZM_835Mu7SRV1ylYu>h_>8ZY^VJv+H&i|Mo-tAp&)p$Bl0R)d12S1cdk=<(wb-A z90)uFUEmLgrD(;a56QAc&7k3&9kb?*U(acvgxxp_X>GWwd{6HNM4e`%+LX*>hIT%2 zshu=9Q0YTG*2AH4JHF&+BRwytx@#WZ%R=*Q#4Z)#Q|>a6ISU35lgy}VE!w8~^rq2W zM2VVdkI_Sgxt>)#l}~A(*Tw12-8-m-I40;|c@c>p8Tx3*PZD<$WZp#(1a+CU%x>Jc6imZ^U}Q8 zdt}@-->~>93gdW0F&ji-A5OyjVV*mctgxW>iU3Cu#kR_eVgFkPst2_~4`mmFcNzMH zt@iQkt3JzE8SZ%sVVpZk+D|2%e{U-Q$XL+RycV8tD5cn!UZ$8IPBj^<3W6JV?iLLX zKYH8x#26PPO*3tb6z|QkvF3|S zZe`KsVUp=L@tu>TLrv-zjTTeYJDH$^ec)`o#KX{Rqw)ukqcQz%oOfCH;{mcm(t)Zb z_MlJVRb@kbAcq&6W;|(^oea94G8~=ZQ_7gD&QXB0(H~3S6rDM>dlq*9IqRdjm^GpW zWqFUtLwg%U)be<~bQNXQLpwUer&!Qi2N8ebh+Z5PO1<>R^f@d&t5VD+({+s#f43xf zmAu+=o}4$ri;43=1U_7?*+zSyv3xcD3`)$FS}%@=Jl|&Z>c&?-FvOOm5LyeD_-&2md_P|=uMd#=bEX*$qO!V-(FvVox8dT;XpWzZ zTbkr!13Te?1iVwazNEss)6zpXaygxSv3oByD3tTtsM7dc$_Ne`c<)fq4)Mkt4R-*w z777N8p~20ZW}V2!NQ4p|Z`KLmJ0L{Pz8FmE zD9S4X`X~S0GOa32(#BW)MIYjQ zU2@4Hi>iEw^wELwkgXxk?9T6%BkK6K$BH|WF z29cDb0q(zfMZnf3|E*&>vt8|I{7jsB#+Q2~NK)q+Q3p5Im#cKUiV|F0-N!wS3 z6&~s?=@vCOcgy5jhOC7n%HB)dp8*MSj!DhBh_xrP9@rM)h>PV%E=&@-FWVANt1Of% zwMQIl@58rfD-61w2^eajdgp#Ix*ovj-u~$mC(7#0oa<%`Eay;R-TxUBj)>{HmkwyE z?PW{##_a|A6X`*daY#H!rI`1n&3?LHmV2NZdkU!(OK`RkNVdr8yBLpA&6RP7-DTiQ ze;VUoztjuZ>OQ_GKol&xzh$1Mb+BBi#g0w2=33n{->+!j=0rA-_Rc2XbR*SkAi87gJKeis*}M_h(}hZZZK zvUIl9GjOU1j>CmyXK9lh&{!b%QEP#{gq4QhW&9q!`^vw-54+W4W?_efAUjy1;9Re9 z1W%jttz-voy(>R;%bvXTtVPte`l8Y!*>5A|z}K|Zm1c>GG@?{7I$G%BuYNa!@>LlL z!S(MmNcCwrls03MrcmJ*ykcsoQSc#HkUX1X@~mJe%Q8?B_noryy!swp1*@G*lK(}| zhK_m6Dzw1lUvGEQW6}reMU02C;gB%|Jvh-9@AOL8oiLTsk*NOcc#Zn&Y_V~%PFuCW zG{EJSgK2;X&ZYOu0GX#UL+5tH8NVf^9Z`A7R*tr}GP6PN(lUr0j9O0l;Kl22$$GMgOmY$w*S6MYpSoyVE58m;&KgrrZS`sp)j_W+xU%Qv z1(){efZ3ShmTIvxMf7|ZJ~O~x_S{jX_5n=B=8PY|5>GXo)K4Rm5da3b!w+6W^$dvA z>r!wZ3(f=hS#ZcQ-5OgaiY7lt&Wby}U8Jr)OPa->L>pwk4YT7(iix<2Vf3cb(0QIA z`h85L%m#wzYtTF4U^gPph_aTU9HOIQ92IPxfSd#M6NIgi{q_6l@-w#sBvc&}P`{Fu LQj*LOH+cGgv1Ln= literal 30708 zcmYg%bzB?G_ciXW#Y*r7FBEqV-iFYYV1;6(xVt;F1T7AQ01aBacxiEWcXxMv)93s9 
zHVse!;Mm)09I&sffkDH^D@H$8`YdIisKuwg1~tlemcJP*B_>RTbqR9<%#~ zPxcgBsf-It4p+|FMU-zcp@zYggn0?Vg^fD75HYsqbxxIx!5=1viN%5W)?iVukjZI$ zwy!H-Oh(k093Op9;x7%cs1-7&$k9zI5-hRj4lhG7pr#VSj}5h3Sy#S`SDEe>Q)>$s zWzCIelC-f)o?Drz3zjlx{enYxJ})mx2jr-;{GrAKHGdh7`e-u(T5s1SE!$BY^U8KT zOdQgRRrtI4eKMT7u-$Ez;vODwb;S6UUJ;|L*hjn|J{6t#&|dxc%D50>*?>ulc+Xux zs8s`J=>g`hid~%Q?|txHYl+6M9?F(E(js14EH7_zxfzT6%~Z}P)$F#nSJRIue{`}Q zkP!JkGBHu(b^x8f+WS~Mv~P>@{EJgiRsx6i^IE;okvzIv>CCX2`_ixi zL-ViUg}Nagx;D&tC{r84_n_;8ZDUza62z+RBzb1@Ss11__uuLnoW9j3gF?bd_PLGK z58oI*pFD3II1v?U9v@#?D!0EpcKxi4YWaSlXEI2qu6&=DynyqIj#9$Wp@c)u+9acx z^1i`R`U*}Q2Tp)6b*!DkpRSGleT{>8Uy%0wXBEU?v8d~6dt^@}ZjYYALW-@2V3kDX z!mLBOgf08$6snRADI;+-y`V~YU###RYR82jvC#9j6KeHtppS&{;^Eu7_+XvX#)G_f zwY}MYOy}LBwjh?4mh6I|)ZVd2L1A+o!V+Mcz)tTn`r&VDI+ukVMiY5bEsW{jsR_#j zLxmmK9@2)~g=*ec_3;w5yI3T*~5aR~&_2 zY7QB#q%{QXGR6JI5F%9V{M4i_HJ^34ic9{)j{##^yL3 zejbkMc}F3?7K6CUiyTk1-2R($bhzu@q*8=V2*Ol!!@!D+{dKs$gst%3!O5>FIU@CM zCTM0 zI6_ByU~B_R8wUQvP(2_|4BUK*w0_=hn>EK^?fj8!9UQ_pEY zr)kP@f_wnC9T>l@m%$8e@$vK^sidmNr0JKI);kI%v4k2r~IfeEs& zVwpr8N=Mo98TbEiO2QE7NlpoT-WM1-6BdTGO7SKzLyeUzko4K~SI6$EG4!j$1qqL1 zK(+tvCS%J@fBo;}^>mKiDZ4Urt%q$EsyYAr>yyh%xA~Kf%u5Y>GKHz^y9tpvow2pL zTIu(}8Mk!@{`bWklL~7F{v66J=)OK5VWxA<({Ae&9kt{G55j`t*Nr>hpL7kA3GAtz zdARKiF{(a-ihOu#lW@mPqa&O}YJg)qYVg6;+yYhKm_s z6?H@zEy z9J9+G^e!#w`VV_Mgi)K2z1m=s#WMLRlZBVdc6RO}R}~SiI6Rh8K$^dYm4;<8p5Z^7 zpEcc=P~&7%P8(_1+*#0AEoB=yw7aPiWO-?)qRmkjLPs$jip*}vU>5c^>ARY0s6*%I zE(0i(f$HuO0KGqAx==hPPTgmPoZVkreq}%j>K^7Z{+Qu%|JBP$U+U5iYJg0 zoyaQH<)$p${8~_oqOn2H8--VZ(epc3_TC1>o*&^<^y_yn+X@A(1(S(tTDiU%?`TKM zUCaHsX8g9Dv|~5k!ceaG;XL5C)Sug{dpzg%*!~Z4AFIYKqt0#Zd#M zMNG_#LcHG6YL_%i>z#j0Zpn}z5Y(S&ueFS-c9M z$L}$8j&F){;x@x>m?beDd_r|& z$oLl+KF^aWeHBoD-%wSJ^3KKtc3>?#X z-u&v1TC6i3{g&%4yAa6G zm${z?JN3BHLE}4Pg_Z>^RttU~jHiegz{D~Osq-QzSTQPDWK$EwQ+(qR>vm!;m!XU` z!$%Mu@NWJ$BfN8sMK417$hKU+B40LnYeg1J#OCH^|8Y|PFs9Wu40>WVRz>G`<-X)C z@z{<(9gJNzGmN+QyGEMMbw`ESFe(DjQAo>c+_FC?nZoc?0ws7l-YJYcRkyEBDLe%T zU3P3VH~Poj1cNq%-+bZ^=G_{$7l>3!q0BL>TGI2=wkC(ll 
z3qhpqlSa8HKNx%d+MosV9QJ&e!4Dco=oGSZa1;~@4*xcBke8G(AjT)CoW`HSN9%-h zzGg#N|3Q-C!%y|R-SGOv0nXCoqp5@YVXDHWaMVwo6t63r=elPiFYH}a#YniKuSB1~ z#1#)dya=LZI}TzjvCLRmk-SOB!~Q;$x%?ZU#kAT_XKKs~GI^El(&jza{6Oo`)@v^@gq@5Jlef3#xIfysk>GMAR30 zl8+=WQ;J5CzTp_qS~(koRu$y7hUmWUFf($!_+p0RiOVy_?aSt8{1D9zgdgs^sMu_L z9EdNOZAeSfnXmP9589xbC zN0}gWXK?3%xez50i{5jcKOqqUs_GDP{mS<0N~zu4zIY(!F#mUUf9q#p$ziEwrath~ zu3=j5*B72_B0e7r=9Ay8*Q%Aa2lr;mJPd>1hs7p$a!_sZ6%i`?EHyvG}?;BM@dMZ7f3BGkr_y-#EA*NFVI@(P2JK^e}qB1A_2N< zFlHT&H#CesEZN3beTDjvRPi7RIZkZDY7sf$#9-b#>;VX( zP(^@!qB5)?ghC=kE!M--h#HLB05O?Jz&<_A9kJqud5N#Xy22TGb5?x=xaT3-i2gyf@OW&3(c1Z?vkB&3`S3IT(Kz$#x-*_3MNi3|9Vqcdm%iM z+mknG+-tMl+ zGa1f6{5cX1LfNRypG21(Uv60+&UGJ`=@@s=fk}@CJr0pzdQ`P-j>ueICB^Dt70!x) zAKb9qs3t`SZ~6~f0NdDge$Jp`uMCmk!%8{_L3BmaTuPXJ;Vbotfh&16x=AaX3=7cn zKJa2YRSJF9k0`*zhxKmzkmKL+?890c;tV;g^juDSjfy1{H)xUDZ6c7<_5wu=Aal_8 z{P}B@qc3-5E!@ZG43Zu&zogl~@u|t|?yK;l{S<0&RVu2xmxGNBx5NI_J0mpehy#Y; z6`0q<_D*K2Xw9dsz$4pfAHnt0pMX`AqA{ z*V4rW5g;0tE?%d5#??wKoEDJrL05a#3yV+V-@OMfq{cxw)*L4oIi7xzr*1z4Hy&n zQHjehb)pmR{kF=*n=R}2HJ1@zDh&%Pi9iR^P3~9UHQ3kif2|=%URrX6;LkM`JQoJg zFe}cTFwVEZOr^R4|9lb0?MlucZJjlGq+%7(ChOrVxdFfGIq2L$}+S{OvZ z{kv`QxqQNXjXsTnI4M}F)I5YjrXCw{C!)R3Qt7=lm^qQJPHM_|+xE^7bswJf&KRZf zr0{9Md8|3{QTAP_6WHT`sgIWrULcq{GeeW2+Mg;DVFhHWNhQB*xj$7mzKIqwo*#em z&(3f+FYqJ)J_rHq_x>Z z#BIk`{1Tcs zQ5x9l-?f;30}qwRpzVGA+Uo__3>n|_2_BTQnY1@M(ogg@13vnBC^6 z^}v7VXKb$m^}id3rc4 zoD>frS2HS&>6KY5Mwn9OWd>%TFR@>=G_?jbEE5yauy!PO8IL`Bg~!g0&!wjP!>Xj` zaYVCRmn674e<&Z1S}qLGx>ZThut~ig2lKaGnfB?)1PoeSBrH{YHgzTNINkIN=nfDK_M@m>K%H@DF8)n(TP0rg4KEO~Tpa4Z86mG$sPBtm6+>|Hw#0G`?SjGu9`dKe&`8MZ<+Gh`bTtPf9{JQUdVDbu4XaK3siBiOI5L@)t6%aj*-lSs2khB$QZbX_63sNmPuEgCz&#)sKuC>Z zq8?};qKgjX_s-p@y6eXZLe^B0x2DR?u&`+F{AS-+XNCfueohwH@u+4vzejemG#bdeXChvg*T| zbj>5tz~;wJmD>;hgop?nMVYZ@ptDnXChUpmkWjV=;i!EeZ{6;8^uUoKmG5k zox-uVE$0px2#_pi-+0gH2fS>J;jsbX8FmmU{FFt&m6smub-g%Wv#0uv8AOQ(JfzY1 zr_H3Uss4^5@Car&2|AP7_@|MoH0i9cw}q!FKwQ$g^KIGpVRn!b8dy$;qg*#cub`=a 
zc3$wk`Gr}q22CArri|`%qhvBA>#82*`!pv>{Tc=9PmwMNsQ0l_I1X5GMA)@#O%YZk z1Y%gFFx_n@adkvR#PIoSrT{2$fk|WIxYj~a*Z<~+RF@V0dw<6LFq}@C42}cNXU^(O zD8&@xmRFvjC3p+1%WpAvq<%ee8AT+%STU>si(-a%mf2 ze!Ka42d#*bA#p>zZ8NfC1{c}*NO0^wfmB? zSn8S?4>3bG2T0h0ly_GWi<59$ZMpcsOgCRoSJ!WbJo^)qSwOq)$@VMdXTm?Z7&t)A zosCRl4*zSqf#QvlJaUzxxFO^kbVbj(=H=`5X}bE2XHd;(szDhP*I#N8-Q?J(6Gn&x zlN5}q!;!|t^QI2uQtu@Ojp$n~a?f#TbV4Z)3?8J zXrgncFnA4HhYD-kJgbapj0)laDXFUgA($GOR_luG?+fxfezMF|+H$2AT7$};355YD zd$5i5BLAU`O)A3gJ;^*UL=3ugk0E)Bj;pZuzS&5Y9* zXgPna6MOT6;XxSvYbFNpU%)^rzg*6Maik$q@P%TYysrAsQplJFWl~a9RD_S6ZuC+6 z#V2jn@k&0OqkZFN+W1P`km}eXyLOgvH#x?qqNpg3hr{hBHW!KqtY)U-LyF#17`aBNa4*&E&~mo7?=4ggr&yT%$Xp$XmDphn~MAlkf@5%Mb7UnqI>F zvuR3^RUdl>BEj~!$lF`dEJ;%8Z&ZaFf3JI1cLiB*W+qZFWCUOB?j|_i^h|_bW#dVk z$QwZJrjJW;dle^?!m_ED;iqESzhK~1pn+B>K9D_qzD?(snQ!kej>uozCUv~jMlZ|> zTJRME*hd^#d(ndX;(oEi<6WIZB3NwAGUF#p214Iux*5I?h6ffOpI!4Yz+zUR(w=Z% z%xu`Gc7D6n@<(#gk-f$E=EH;O76s#|2Uy2^4`3~-<>?KzI!Sv(gthV=3l#||sctxI zw)twftQiQk`W~7b1@%cAN1i5q6Z$3vX3cLp`?iQJbBg9;Mc8l9ljmsxBv@2Zw|`_e zx5F2onK{>*4BXUacl2yfWRORAl;>s5R~o`w&uQ_6_;{zTJ%R*x9-fy+@0&zl$qrWk zj7=bl6Kx?b|GKe+=AKVWaC;LOQKS!=;G{&%AiIo%F(Y4iT`j;cu`q~k7-i)2NPLglg0a!po=$hlexH8vzqftN=D!O;@<9Em;i~3>qkphT zs{)xTQ)DKU#yVYj`1PQ=x2dxyICMF`?RhWTaM%A-<$l=qhW>^jyXZd2zwFeQ(;psR z^aA+gth=?=Bxbvyw8bhd;Rfz>qi1YyTjiX+##F9l67JkIQEkLh;yy*k493TYT?2{~D6797a|gMjpqaODze#dL_!g@mQD!g4WdE)l;j{ zK?lE;%-)=JeeOUTxqM#QR{5n-ed@?(;OeCRU9#lOJ)Pu=Pf(7TY}7KauJ*32a|Jv7 zuUIzWJ$&^xJF$9T;Ux3D?cXp$Ha0e{w%!nN_{&)$dPf!GgF!@lx?# zmG{4k!|l4p+6OZwsJY)S8(3W5?tY&niw~Pqledggu#9GAnpj%W1}G(G)`@2=I{V8c z@xUib^{I(m!xY*oH|UZ}3|;O|@6NQPoK|<+tTY^D8WQ0%ePwYd(CFUS$Gy)Ct$yp~ z`0(zQN9Um>5u+j&E)1~E(M$U)-b>C2LKO#ExnZdQ2^Pz~Tl=OiK zlPtgY8HJoq$wYLR50yGBM7al5yKZEKgHB_vGixR_-EcjZ1`^>`+hHD;SH0&wo$e<; z>m7S23|zW)4>b?E?dmADrs@JAhNzz9KY4p&6S+241+d_`ku3>O7!YRtu2s`c&ju9Q z&{A474c2|rTxRNgJ(=YoY7-jmnQ2h>XWolF0;WlCE!oxHn3LUn%T?W9=Iq*&=2}Gt z)hzX`G)u59CYMt_Z?9IF<(drnQ@F~WH$akj^pKA_jgqcwmHT&T^Nz{nR1uYL(B&G9*@m z1Hc50M5ku*+kiSA=P1`VcNu&54P195~Az@MsO 
zpZ|tku*!25L7N`j#@_@TctEj^v)cXxcr zS+1t0CfAS0eLj)<^_B#EX~v>ODMtZhmPzBUhI|8q>Sf=qc!hq|=h$Zf-LzFAdz&13 zRpKL10Unl}TI(5`+O033YSP%`yqThLi(j8KL~Ib6-qofyD!HU;Has^l<|8I#YW{w} z_~GLEdb+*+`r`9cw|7L-I~O3^X^edJNmtp6z68Hp6P+;E6#6c!Sb-eTY$7F3B9<=C zFfXzj4i4>w9set)j^k>N6VouxvfbTX4x>`P{roRW8IPyqJqm&3*jhf#Pwgk{E1$it zL)(bRJCfV*GiiNvhVx|Ds|;YPsXR18SXc+S9sc7N0eJB8y&c& zrY89N>x<5XIq8R>rVT-1Dt0ku_&6^XVP1=hw;955#=}ciZfyjW^wXN9_Oqbd9V<_I z6K7DUC2iB&brWj$-ba&eVPf5wvRy1`F&rwfGkJd^mdExCmirINHbPGtM6H<%N9kIy z%87dCtwrdrajU1h^BJ{}e(_YPzQW-hnSlIKseh?U346~c*T$`@ySqEP@Y_3V1$2er zV3xlMtX(T^Lo3@Of){1Ls5uo=iHmN)8#2lTa}GoMs~j_VJY;~AD>8mtRtmOjX4;)(&7X1Wc?sRgB?jiuQz6_=qsm8;^#RZarY{^(RwO#DfL|c6% zuNSXxC|8Jy&n2FP})Me3Do$(!#h-@lK<#W{E+ zt}Dt%8Q*iO7%0p4%HvhmRL#BMv)fQN8hKGQ^nw2K64>KJsnK^NDcQFmi^TD5d{TFx zy~S_H2glH{I*ZgyRH2!y$>MkAU!OK6HZ2f!S0X)XJ+K`IT$MR50tWxM{t$}9XK+x! z*yCIs_U)}a`hx-!r7kOWo%c%}OZRb2Jt9Omy8L5ie}B|0pSiey+CqJ&tMm*>>o1Dux3v?cZnpl)Vi$`Kke62z@L zsotve(4oKuMlhM;bvQPZf=fGsEu+Kdn!Z=Dc6yG;ey(^Q&?OnUidOXNQ#)ELtqa>I zj}BQj73a9VT8=K93(=FBAn9O+*@Fj28i4ht%t^^|CQz&s(>pd|gHXW%6a-rV5Nr7& zvA;nFXyC{nXI$mGTb_9tqCR9>z|GxHyBNOeL7qxVtp`z4X9+hZk$h+xH^rU-kWD$x z?61X!ivj9R7nhSB=wBzSPxVY>ITdWcrC-$9c}X~iHdsR?7U>R-LuZ>U9zC}A67edC zPquMt`Bb5cNf&}LmpP`cckq`e+x7~q%97i$J&6QS*2L7qq#*T@6gEaG(`*Hu-4pEckgo1`r1~Z@rB2*HZF=aHQ zqdEiU-XXDa)-D38wzF6(=T)NNl^j1LJfSwbri!m;LzqvdzgHR)$Q9Nh#Qb+lE9{=h z0a1ancrdk*xJ29kTDz@bIPW%f(bSjGDAs2etcxyiYy@P41aJ?g*;IU;Q^ugw+_$q% zn?ieMog&!4RI5CRiXix@`ZAqdBx4TvyW~x~f$m4Y&2M2oNjQ`Fgg^H*ShHTL5CaD}mGn8hm4TCl^awF(}urIKgGTwiOir=t|2 zY;=n;KhrcbV;cuRb{7wUb?!g>vfjP3Cd&S%#xvIcBbh~-qjA#}Az|GcCZtxOm40YK z#kFIkp@<7Yav&W7{R+1s+*+ZdR48R*C9ETr8Co5l$pwL4qMSsIQ$Co`J1TSBo2t)! 
z8aq0KxBNpFWd01kZ%FbXAqWL1%b8@0^c@T&MhHTL;-;lYV!uav0K`H;jj&I3$*89e zYpdEHc(iz%w&cF#D`Gc~0+0WGy=7VFx;(zfD12wOcy=@M4^oQgepLuLA^2QVs=QCh zc-FZhB?G$L2yaTH#zmxy*rS1aNHWBj<_}lgh=u>r3=NKgP{g#SJ6of@Ys=N`bE$m<)lO&Aq84M!T$>(Rh* zqT(%d;}xL=%n93e`4W~ZpsLy?wDabA#$>t zHVHs-uiq*Z)j0OFW3H~(XTTl0yz>}ZUN^qumX+kX8P&{lPkUGGkO|GvS|CnP(frWP zJMr4jOpZrpWm)}0RafHz^M^>QFp)(VppNg4N7{li zL(!UNJzb%5l$*!6|CvmN_ndoFQnGy5rM~1TV+gF68M07%3yypawwuTv8`@WU?tAF! zOv4jXI5*wvqj;lnSTu&d0N>*B0%2*I;uleBWS1#Z0x;$DP!S2IxowlHZB-qAZ5N02 zR(JJY4I{&sR0nw=b|8-PwV52wFERa;r``Yx1p-0XS?Y{XtXrD|WJL2c%8uQV)s)Ty zf0msGRzVl$jMK{u$}dOx2kU>k!x~cwXR=r|YqnFBldhOcvTVZ^A+*Ac1=%eu9!zAF zUOZ5T%jUXYdX#CV{ld?JF1!(7*e%7D<&-Cd*-huG!`kOrn}BSj^O$48NB^b@S_#IW z!vQb207)%q$m1E)#K_3W-wr;OOtHJeIFSE;-D#DuoCa^XOeasx-Y&fS}#L*vRhCkNMR2j}$QGOfRlK2l_b8Mi#u+6GiBqur%L@%V@cRIl+y7{qAiPOh$)3OZ%{!3XNm#0vC@Qa4J#7PfJ7(4AjP@{@U%N%g2~k#gTf+Yq8Yy+qXBsYuuSg){;8z>U7{XDa}r?RRjNHZ$l`$Z zk6fRkXi{~28oC(&R?ti%RP|S2rim+Vj!FP>;>+C58-iQ0ZVKmLCRb(!SN|X8|3V4U zRT`$$rc=krWOM|4()K9@7uo-_{tNp?e~*Dk>IO*2!Gk6?f+--1@(%efPg3@>(kg!$l4*zp+3wJy|?cOw{={lLHAP3Zgm` zGM8HW`{Z|AunKKDt$SbN$(aHPK#4Uqi60I!Y|+2~hrCwvh$wg-Kbickj3+%%5Cs{1 zNj2Qj5FR)i7(ju5+>l!%ng$Sf=M+36f68kPg$6fN`Uuv+%(ivSxMF2VDw7U zT?JL`PUn68MWD@k=uX+$c(UdCNCBRwE2(l5a8y2PQNLm?-hl-0q8Q-1Rp(8w{Zfq5 z6}z2C=>$%uw(}_l4fsV-GMuCx4Jf5UhxgKfB#57tM8E;$c)al@=sKiALu-&A&s+_- z_)Az^Cn?V<=ADVLRQYS}WR<>cmC0Fca(GAqK@7B!P;SPfk-GJ;Y{eiH5*x*lZ&`P` z=7taV5p=>s>cBB9+7LdM7mySc5!Kb7>Slq^FrzbiR6!@!MK7bTskEVVixWt z0&+Osna{3~)B7s8z0Xwg3fJh~I765gZ$@pOoUg%3cZg zX1@mrdFl_ba#1a|1&(w{AgO773W|E)+mQ(POct1^t>yz;O?c%^j?6AFi#p3A%jHOr z)F;6(7lrpuO#qmfnDU_lfC+p#l0>h6?EJR{9iqXln^4yjTGpeAn*&6aHk_<1$)x(q z-*9cI?6 zlVFt_3I_^ZN7*PBE%e+s-zuX~IDaQQ%12EJwS>04#t9mw1g92Z*qZ&bAL%mxrCk0U zhsPDHKUfjqBA09vqvNq~VY_)z#3{8MaPU(lp*%^*Tr&pK#Mqc18*JA8Z9ngWjaMGq zN_coqb@;f*H$R{5IuVNpy()`|si`h>#AlH*X;)TzHGmN5;oGtIbpn&l*T*Zqcb8)B zr-egV(EF2tf;A?kH^So=l;zE1d6#X;Uh$9i3I~-F6Zmf-Ek8XrN~V@NdNAaAg2#7` z{8HS1TumKKB3s_vw20G*)2MfR?EYTLHz@viT($H#7HzA|H(xd{T{nq_5ZvO8+_@2X 
z7gt^BQ^N!ARB3e4T1dlL`sMl1>nT^UN;h30<#D^3h6o$ykd% zbQXQ#Ytn%(III&(&^ZXmy^aT5sHsntU!FfXt6x)Ju=uxB+-bk_J8rB-;m$vKgrdDl_&3pZn$Bz1!;E{Ge2{zV6=4g zLei&e*WDLoa~wp*<Zp!|ZR%6k ziwv_qtqp!h6_fAOrCCE}e-&d|l3}nBgO`jBI6u)nMQ8rCXCNN1-|8!UUUb zj}H$IPf!1HKQclqDJWpCBqIb{(tT^vy&3i|Nf#c5(jR)*SO2B9zJdZMbD3exeT7%^ zL(7=(ACo&8?6TWnzd=sk^Q$I5Gvc|@B;(`Y^Dn6kX8KbD9d8R(>0!v9KU-v-*^*L8&V zZTS^4v7!*QeScBL(M#Np4vc$U3quOJl>?nV(5}P-uij-AbXGligsFp)5S)ijt$a79 ze5V!W-AZt^&$##ar#_)Rmg>Q7q@$23>**Uct-nOwMcX&1EmH@D4E*u^oX@7(lwf&N z@E9_pp~A_ikoq2{_XX%-;g)FYUmyg8QpYg;FXAD^Pmll=xUb0%v!Ra}JC)vr-Wn(B zDIOJGV6<-DX>~&n&dkh2re%}TI25AJd$GWVhKA&M553np0*f-Fhr8DW8)G%)K@!M_ z0?NmOw>;kNMOFkB3C$Hv+AuJ-G&ybbj&<$E>~U{jbt5xWHvYa|tnQNED)di9U#$Wr zrHk!2W*A>J^iG;LC$GP4%~70su>{tvphV$))y3bFaIbrfK&7N3?|T;INvkS*Trf=l}A=~pj4 z<}h(Pq`zzj1$jm$Cp=KrdaOfDW7vF-luj zCBLj7@k}*WObZY~{q!iF=-0R=+{{~#_Zkya5m&1?L>Q>{G_*MLIQ?e9-3M|(Y&9YC z{fC-ybySE8S1d&;H8PiVS^#{TR;J@VdI>H2K5^&u~168rxpTGWII+JZ|h^fw!75XSf)tp{I>we zv-#~gDM~_BDpn@*f%v8rYqo;!Qy#&EmM1VvRv={fm?xthMwUJr@gZ)O43oH(R8&77 z9#kos7|jB-RC1b&uk+4wZlsIv%Xg>!*taw`h@kT56p=g?>~cz&7^T{x@_lhaY)J6gU6YsR|@dr%~ueIvS@ zql}eIuOiL`Izr|;FWb}KYc==@fANmh^(>N+v!u?Pq=7sHS_0Bn>;QIXWI#g48K=LlSzALM> z!ux87P}3&nSz*41yL^lV;o7wg3UvNWD28{7Z#xj9{Wc*yg==9p`7oYH@~ zF3+C#97@fUa5Izbb%H{hesZVv=;1C|%qGypTF$B@r8iN+*>{V~I$D}PSlIRvBWCud zw(R;BGt$YKCjOMdba>&+YbkB+XeYO(!{DuauM3W&AW}y$qn~zioOd;WVO5FDEz|tE z7QK3iX1W9X0BL$1r=&QhvNz#|wjL&}zjKJQAMg~b1<6MOT0Rt(wI8PPsZUmYwMW=p zjfRkkJFR!$RYh}XH=SHYejKR#`f5r1e)6e_J?)1EYTurf1Wy9&bOW<)WU%hjNv{5# zmDv%*?Zj;0RQr$i^P-s9WJd5*>+S9ew)_0Am&M}ZluWvKU_aU=($&mpxoZWeE#I>i zcqDZA;$*7Ih;EnvhQYPmwA(3td+fzu8hPF;GP%w zeEuMQ6_9zA$I zfE*qnI`}GooEi@O+elWl8QU4~meZOg1}eP4h+GN7`JI^|FF=OP$Cvhge&x>wn{Rzj zE?TIA`i`Ut;o|bUm!$**1P5V(a=U*;*n_m66H5DX|C;r3Uu>r~dR$7(fj`EqBuerHfOQh;&OemdN?PS3nw)Ffvppx}TK4_*RqCP= zw4L5G({|ct=hYz@w4(5R89z!I%&kAq%z}wtPQI@OcW7*UPJ7v*XzQknTkwNahdpMq zWWa%H#8J=GkTZVvL-rMRMsG(a2i429g5S>6g0MnA*QQQqsx%!1z6Y(vil)EA7wZYy zX=Ch;0c7NJ^l>9L30`L%cf8rZj0xT?K2}_3h@Bh>avT<}_&kFN6sGyMRkI*mM9<~} 
zBTVaI@%WtLtg^=@FzD;9&sY(v{e~`_6p0jU1HPsfF@Q-*Y8(MT(lt7{Ygtb#J{H)* zea2g&f_RQGjx>aV_V6If=GP~5#E;*B``*0H;%VfsY>vgZAaq~f!=j+=ykR-GGKG0c z{WlEj?WXe9#kqKz31ih6TV>Zm?zX2vr~C)LsMkKAU>s0z%iCf~lyfs|a?!4Da5|BumBmBkMDOcD`McCx=SU zXYDM`+4@t#(7>6@2nREp+pn97-31l=@o3;YOrYEk!$vnAZf;gfgGKUNNf|#@0Uy7g zdcQ_XXDYUS4<4~O*(mS4ay@*tz*Si3Vd3^CYrENS1GjjuI-?~aL~!sz=)=?t7^fra z#Ch5+7mRiQq(;Iyfar*ppbj0XVw=xO-yG6f^l={zg@hC~`D8Hz-zk{!kPXKpqBH2z z?M{V5pEq7zW;Es4N&l2{q!+3OLi+;e;o?Q0!cd*+X)?$u5 z?V8-I=K~=u2Ic3@7F%Z&1f(QyvUljyg^fp>>yS6{nWv^u#4zD%IEWF?25k6k{X)9L zQ^ct!ZSmG)=@M@@?=xj-e&iGcKxSwM@ewN<=;&ZsJP;){7zdPu2hL*$ga%L`(aOUC z_GcgqP!Xnesx>0c!e(PNm#FJf=6jQ{R1-o5hdM7=YYHYI20fBAa`J)Hm*tZ!)t6i- zh)U$0Qb9}gg2YqZBYVdz1i@5((!`jf$E;m{h!8|iOsY};-PqLU4;TG*4I!A|iIBt( z32`Bbf*q5JJb!cs=+MC%(ePVAXT0ALa_wMKoY@B6gF%mv;g-E$5GCL3%3B${EUuaZ zU9qs?YV@kA!g{dy>@hUuF(JZIsO_KJiE58nWr`FmaDEsBThMZzT3?}gIsT|2W+ChA zU!6czbdKT4*L7o;L{e475?aVVZ-IJ4A+zpkbl@6lfCPIA! zMLk1F`@Lp8^bR;ne&QFQ640};j)1586F9A{n+nm>?pldaSQl)3WBJfKMTGS!H#>?< zm7SydbCe3%K+N*ntA)Z{&B@!yfIV1*WdDe7>i=MA#Ia$_9ZpIfgUR<`0m zup`$a2#^AX?*vw!Ha+o{eiVkOAfJ_#@ZL`UBnd(9{V__}_sb>5zuyjHFQL}4T6K54 zi8C;0MSkPmQuw%*^Y;MzrD#FQaZRGawNw2((fX5D9&Qau-}J0$hbeC(&ubCX!&(z! 
zLD)E*29`ns{Xs~hj-gb-fZJ-@r4TaPDtx5O1L|Ed?kF*4J<(W^j_GylB+ZWW`WpJUQuPQk z5vLk81$$*aVJ9U6*#ZXmhV3fV!2HOt)Oe-%pQ1D%B^`ALxar%9np9cqnaSF#ZVdE- z|2*>7^315qUvsyq?~g|#kpfCK$a_Hc0`n5e7HDaD05L%T*76?m1rNW|M4y-$(duc< zo#${OR@lj*2A|nO6|@je+9wB zei7HUWE3UlDKu6#9aok5pES(fhAQYku-3HWkNJ>W6cDAup%tjK!~+6~AT%}`>dPb{ z-DbyB?J#Hk;VPp(#aFF6+K-EUcN>!+_TnSODHT$vatenMP~LmkI*9$OO|Z861L7ab zk;3RuY$AMGhL#w~*02|12~DA-UiOU1^OY@-$J&dv9ot99|L0>0C6@HI5CG!>-WNKg zH$QUcr|58 QYpkEr?}bPSG8>@-Sm^5qCH^SNUdSS43#Z^y+g>-{G~Z2q8*MlCnAal}C@QeO|>s0)KnHLiyEeR^jkXYWvy zm~co2(Zz!%i@$gZ8YOLh4`XK;ZA=k7SV&LrQabv{$?2p1eAuFtXYK3PZld^DIx0vs z4a!!mR0LHo;wFNiEqDd5ORFH*iFH3ALma--Y=cHf4#wmdkJa{;E*pG(*9*s1ud8Zki@;%t4)3u9GWapr6~5 zi0s>Dl9w$I?Hd?y{`2jXlar<&w-NZrVl_&~r6U%W_2CF%8V@060gV>pr%{9u`#g2) zfgzi6^~~;Uwg*$iQpsBd!*YED+{V<0Z0^G4ZQVhmRYqp7pvicEcCfnJsC!t}v4C`O zz?pdu5v>RP+kHBZuW=wO_$cD+!v7ui#ly>)Fh|_!E$y2g_u1!4*Q6Bip@g~w(4>

46yLPj@q!9cW72eXkH87>`A0e+q4kZKjPn`@GPw=^`Y}){IU|N-CkO!b)Iy-9EeO zBjBa41+w;gi~ULq2M$CvYq^+;c+t7^=dx-kD0z{}!!*G$$npVI3AbTy4F$d^FQiI! z$u5^uz*8+-@6fJ5_suQf{)EtjOs90I%l8kRkoTnrqQ^C(CE#&rVO?HIT4{E^sK()% zoz9Wk7PT|a$2`$Ctc`i`Wy1$~i(I`0dRF&t0}^gS-PV|2NNc@5nr=RtYM(0x^y;Zp zP0+ytbAu4zLwwXE*0ZwqmVL+$e)vCWT9ThOWnvUk-rZ}uli z(v0C)y-udf7F?{ovIUJP6;|}kp%Oow+w^+hD!O+&*^CPrif-!Vbxww$L8B4TnW-v6 zb1ywsGvZ5h)_M=HGhG&l#}l`DxT}w8jl)0QhN9V8ze4QpBKc7liZ(kb>(5pmWkQI* z+RGJuNYTlXo7-XcHBADC`inML6QCR@t=&o1kEi(Yc=7~KqTJJm^fmxm77(C;oU!d? zg?LXTpI{fyT|Ls!xgJ7zLsM)7ao; zm!5vEUJ>q#ZYPu9h;MV00k!Q|ue)Mz(HjiYxTVBuU4!#`auStld@#20TUD*ygbqp} z`xHf$)AkWphp#9E8;A+y=;wkqXP#PdHeMR{c|s!PUx0a%Eo#_8KoO< zz5rF#)+Rr#Qn2ptT~3+FkFAqs70*i;VQ;{>Aq+*xWYwGTmKJ$e<#4Al!8n@&my~(c zzR_+Gjb|F9;P`xP>wV6Jjj1TDSSLLkT-Y;?BhS zeB_Mgt|4Fk@esY}L#LB_J=i;2h-FV0jNDpt=2m^`&Upr-YAB9?rc0n&;y@6>YNS%) znP=k{EcooB@hLjD)N4E0ivBUK>awN{lW*dF+1x_mHNxbTFspW0>C_1OLkBHludSnrxwQkUeY%da5!TxhZ+{l}!93yf05w7@e1a0zj-Vy_1 zsUf6ez3aauSAKzRIH3y#r2S7B-3O5RpwO=QFp-znY%q0HIcO7Z#r$zwPPy0EVttE5h ze*Tc#<0+FF{!9Mt<9FwA{(zW`DI|AWArKLf%!5EDdjm|;QF<;^2QQ=B* z6?4&xH|t2HIC}U42s<5W(ph&AVzuKa&lhs9KreFShptlv=BGY+SkTC5F40$aP?gN- zVrVrV^pm>B*yy-p<io76>)Q0<6x%|(=h~?g+T*Z2k3iq)A z)dy~RW7bpqle0dis0JEzZ}G-~HY*mp0t3*f-w`G|x|6c?=L1pZi+2BWuNmLf<)76- zu=40u`_OX!lCn=dskVs`%qdC(BhUVL4Ha8-_qZABPzc)yF-fI;UfWu9IZrhC>W!03 z+lh*7H+Gqt@oKmg(dd$ni!OQaX>9dExsz=rv7&}MFV54K9&lO^tQ{A8U(oc-_Bu2^ z?J?4ClJ>K6z(rYSS|=HC9!6lNW2Nztjj%G`nil(oEa6vs0w@>XeF(KBDCUNm+L^3C zn!oY>{~owqK*Are6b*Uy35d&(d-5OuJ>=gF8aYf(K$VFMBJDIsmaknC>1dN%5~4M{ zjGxWMy#ixM+P%uWTg{zUd!}~&{$wTr+7gmJf*a*V)_l}b^w_8<-KGt0N$ytkmS?8&=3`&=-x!_oZL)SZ)B`m&)%65uren`ofG*;I?_B4D2yCN42 zZ5ubLe3|$ATcMP54UzTsTO0j%*6oV=fV#ic?m)e_S$*2dYnVsG{H)P#cj7b7$-5%snT~p4`TGHnf}B9v_}4RcH^>7`Ue3Kz0DJC5YW;V4$Rh*o~UD` z06pga9N6d~mlW9VgdR|FBb4XXpQqn@uD5_Eu*_lgp$f&{S&cseKk}JJ!bWk?CxOho zRv`F|Ulc*33ZSD|&gQw}p7kJypNV|NWo1fAvGqT=JCJ+-de| zrB#Ce%Ca-3Z|brCrE?6~y3l{`tPAqEm|hFKYMj}OF~fAknA3I9_^nCI-47Z$JKCHI z(UCIElWF=pn0sYW6D 
zM1PS@uXe^2(y=(ON%W$E)MXZDI4qC!!=O9QeSJBzus@&X7j1_Q7Ye{(PqT-FdEC zXcgj(kwKr>bi;{8-xD6X$!f=`&x{fbWZ^WLDRr7&B9`_1%Yjo+1ZF+*py2w=7^ZV> z$t=}>ReyI(s%(DA+~kVe?H>n`Pt~a>M{@T4=Y`M1*a5Z(?QA~?o=51np^XD}Nt;hn z=Y}^=OpaqrN90un`!bJFrcoCIX9v>T1K_6Ww;JP%(I3`I--hH|od%}Onhg022%aCw z^+2bJ$KDPnkxI2*WK{S=d1sBzXH$p7>zEs>-nP^4uJoBV1!<3z3eL{xjDKXK3q9v}S)DU7M?OOfZL1W<7#_1pS zYlE7(8Sl#7><1gWPM1w!0eJn|xUR*r1Dyd(2#(qN(r5?Fr7p`NwHoU$a=eZkW2d}! zmo^WvNU*8XmP|BV?>`A#KhxH2MYnItWF}QeFMS9WogLsLJo;yM)v-YG{c8#=3c~QS zsnNiPXqgYOoi607S+meZAAK;%bd@xG#gKz4}~WMRD6-x9&A4Yu?uh4 z71(JsRt+@|<=(4_`g7bRt2Q#Z{~^7mmYu$5Z6!eQ9{2Y8xY~)(yln`uOb<$lQuH`F zl4(5dx~Q0*)30C6e0%?;h4NHRT5tQw*2F%DqutI_s5mD z!SdihNonBSv;FDqI+HblIj>)mjCHTKy@R?us@7hg1fxB)eXVXb_gHCg{Ndu!U`x~qJ3@6`xEYAv6LQnH$+**H!moj0xC!~LYgqH>x zp3e3(C&v079pyA`@;EzIm3qMyj=svmv-G}MGqML;c=-P)hD5N*WfE2M`D*> zA01-|Py~1Gj3Xwr%pUr^S+K{24)kMi!dbByVG+b$aJj)3tm8&UP$i(Hr!@cRA}jhX zwINsG__~g-U}NK^vQdTV-5N`YffcaU9tTv*~VXN5Ck|UOFY3 zqwl}(x>CRPOHax)?po31xR=zBytvO#mKn8pSlD=bmCEIS=+VseukpJUtMq3e>T&aJ zu>0X*4L#4MneXFkOdW}6g8qUwmMOXSAnXQDmY?sJ-uJ^U@C3c5GBdghECmH#a3K7E z7cO>XDDct{fE&f>f0RWjL*_gji1BfQWZNW#JIIzcz(Hn>Gg`UE7iL)ON%OMiS$fcJR1ap%Nrrq&7bS>r&YSaZB7%Y!<1B3O-Q zEA>xdnG_o=;jXX6_=6=~D7|o{?z%^}sL;_TAM&n(hofc`>RCx+e~z}!@N;{r@29Z( z@%NKqt$X|4Q5Y;&fJWOnET7eSef(}SzP3*9Wqw#UaIP%TrLK8V;;dh4=3iXexqI@) zbUQmcd_G6W8WwLGm#t6xb0a0v)=_u09wzu^hf;m?b^mh?HTE~f%6Za30^6Z>3&B=z zKCwYOic(*t=`zxp>-I^S71&Hz7j0{n8Y<89Xq<{x`mGRCK5}8oBHw>VoI7EY)UV=GvpOc3y?YP3$Q;5w3W47#37H@N#-g6 zQimk_o`-UTc=Jz1!vpV2C#}hWRfBDjcSd=(v11%BMD#Rr2>em`w-HC= zyyHBP|A(= zH4xDb%EVLl0>2)j`ZHzBwYA}yna$4?8oYLo-${Z9ZCx=C_GfQo zx!KPL%I|}zV=>+jU4f)8EIBlGdPR;7OnK^ zZ*Mz(!RLAfQu<~6;tvTnK@``1pjyb|Ggfn`Hmz>9t-RD-W8TNKI$rdbo|Y?LRS*QM zBu!7O=KA{<3MFcCaBATx>Fc81?oXAogn2wa-cEi8XBD}W{(OL`-E(0kY7Ru=W0LM_ zWk`Z+k59~Q-DIJ`V8o=WPHTvcwwKq*LTk9{HFsPnYiq*}fAf+vkAoKzW-W8>&*tCp z^ks77JbnLP>Z2yXK9%N+tT^vJt*E2g2-~78<+zm39F>1zIN<$kSm}7HiuSa@)YEIlOmT!8fnWXMB1+E2aO~|CGyj|H9G&q#hQSG zrKOvI{h^DBcm=2$^kTmXh58lnd+p9PhGcd{VrKnMOa&e-$()@GTrHQXUvKq?jjx%T 
Date: Wed, 11 Oct 2017 15:58:37 -0700 Subject: [PATCH 4/7] revised vbs steps --- ...iles-to-support-code-integrity-policies.md | 1 + ...ty-policies-policy-rules-and-file-rules.md | 1 + .../deploy-code-integrity-policies-steps.md | 1 + ...ce-guard-deploy-code-integrity-policies.md | 1 + ...rd-enable-virtualization-based-security.md | 227 ++++++++---------- ...ploy-managed-installer-for-device-guard.md | 1 + .../device-guard-deployment-guide.md | 1 + .../images/dg-fig7-enablevbsofkmci.png | Bin 33488 -> 
38468 bytes ...ed-security-and-code-integrity-policies.md | 1 + ...certificate-for-code-integrity-policies.md | 1 + ...-on-the-device-guard-deployment-process.md | 1 + ...nt-planning-guidelines-for-device-guard.md | 1 + 12 files changed, 110 insertions(+), 127 deletions(-) diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md index 198770fcb7..f37226da6a 100644 --- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft +ms.date: 10/11/2017 --- # Deploy catalog files to support code integrity policies diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md index 71f007b12c..178a8f9855 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft +ms.date: 10/11/2017 --- # Deploy code integrity policies: policy rules and file rules diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index cef4895ba6..ab0c065444 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
@@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft +ms.date: 10/11/2017 --- # Deploy code integrity policies: steps diff --git a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md index 886d093664..4b645887c8 100644 --- a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft +ms.date: 10/11/2017 --- # Deploy Windows Defender Device Guard: deploy code integrity policies diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md index b607eaf180..11452fddd2 100644 --- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft +ms.date: 10/11/2017 --- # Deploy Windows Defender Device Guard: enable virtualization-based security 
@@ -14,70 +15,61 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Hardware-based security features, also called virtualization-based security or VBS, make up a large part of Windows Defender Device Guard security offerings. VBS reinforces the most important feature of Windows Defender Device Guard: configurable code integrity. There are a few steps to configure hardware-based security features in Windows Defender Device Guard: +Hardware-based security features, also called virtualization-based security or VBS, reinforce Windows Defender Application Control. There are a few steps to configure virtualization-based security: -1. **Decide whether to use the procedures in this topic, or to use the Windows Defender Device Guard readiness tool**. To enable VBS, you can download and use [the hardware readiness tool on the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or follow the procedures in this topic. +1. **Decide whether to use the procedures in this topic, or to use the Windows Defender Device Guard readiness tool**. To enable VBS, you can use [the Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) or follow the procedures in this topic. -2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). +2. **Verify that hardware and firmware requirements are met**. Verify that your client computers have the hardware and firmware to run VBS. 
For a list of requirements, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). -3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). +3. **Enable the necessary Windows features**. You can use the [hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) or see [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). -4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic. - -For information about enabling Windows Defender Credential Guard, see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). +4. **Enable additional features as desired**. 
You can use the [hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard). ## Windows feature requirements for virtualization-based security and Windows Defender Device Guard -In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: +Make sure these operating system features are enabled before you can enable VBS: - Beginning with Windows 10, version 1607 or Windows Server 2016:
Hyper-V Hypervisor, which is enabled automatically. No further action is needed. - With an earlier version of Windows 10:
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). - -> **Note**  You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box.   ![Turn Windows features on or off](images/dg-fig1-enableos.png) **Figure 1. Enable operating system features for VBS, Windows 10, version 1511** +> [!NOTE] +> You can configure these features by using Group Policy or Dism.exe, or manually by using Windows PowerShell or the Windows Features dialog box. + ## Enable Virtualization Based Security (VBS) and Windows Defender Device Guard -There are multiple ways to configure VBS features for Windows Defender Device Guard: - -- You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic. -- You can use Group Policy, as described in the procedure that follows. -- You can configure VBS manually, as described in [Use registry keys to enable VBS and Windows Defender Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard), later in this topic. - -> **Note**  We recommend that you test-enable these features on a group of test computers before you enable them on users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail. +If you don't want to use the [hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), you can use Group Policy or the Registry to enable VBS. ### Use Group Policy to enable VBS and Windows Defender Device Guard -1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. +1. To create a new GPO, right-click the OU where you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. 
![Group Policy Management, create a GPO](images/dg-fig2-createou.png) Figure 2. Create a new OU-linked GPO -2. Give the new GPO a name, for example, **Contoso VBS settings GPO Test**, or any name you prefer. Ideally, the name will align with your existing GPO naming convention. +2. Give the new GPO a name, then right-click the new GPO, and click **Edit**. -3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. - -4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Defender Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. +4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. ![Edit the group policy for Virtualization Based Security](images/dg-fig3-enablevbs.png) Figure 3. Enable VBS -5. Select the **Enabled** button, and for **Select Platform Security Level**, choose a secure boot option. +5. Select the **Enabled** button. For **Select Platform Security Level**: - **Secure Boot** provides as much protection as a computer’s hardware can support. If the computer does not have input/output memory management units (IOMMUs), enable **Secure Boot**. - **Secure Boot with DMA** enables Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have Windows Defender Application Control enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). - For **Virtualization Based Protection of Code Integrity**, select an option as follows: + For **Virtualization Based Protection of Code Integrity**: - - Beginning with Windows 10, version 1607 and Windows Server 2016:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. + - Beginning with Windows 10, version 1607 and Windows Server 2016:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable, we recommend changing to **Enabled with UEFI lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. - With earlier versions of Windows 10:
Select the **Enable Virtualization Based Protection of Code Integrity** check box. 
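Review bot: The deleted note ahead of "Use Group Policy to enable VBS and Windows Defender Device Guard" ("We recommend that you test-enable these features on a group of test computers before you enable them on users' computers") was the only caution a reader of the Group Policy procedure saw before turning VBS on. After this hunk the test-first advice survives only in the last bullet of the [!IMPORTANT] block in the registry section. Suggest keeping a one-line [!NOTE] with that recommendation above step 1. The procedure is also now numbered 1, 2, 4, 5: old steps 2 and 3 were merged into the new "2. Give the new GPO a name, then right-click the new GPO, and click **Edit**." but the next step still reads "4. Within the selected GPO, ...", so renumber it to 3 and shift the later steps. Lastly, the new intro says VBS reinforces Windows Defender Application Control while every heading in the file still says Windows Defender Device Guard; use one name or state how the two relate.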
@@ -87,23 +79,16 @@ There are multiple ways to configure VBS features for Windows Defender Device Gu 7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. The settings will take effect upon restart. -8. Check the test computer’s event log for Windows Defender Device Guard GPOs. - - Processed Windows Defender Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. - ->**Note**  Events will be logged in this event channel only when Group Policy is used to enable Windows Defender Device Guard features, not through other methods. If other methods such as registry keys are used, Windows Defender Device Guard features will be enabled but the events won’t be logged in this event channel. +8. Check Device Guard logs in Event Viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational** for Event ID 7000, which contains the selected settings within a GPO that has been successfully processed. This event is logged only when Group Policy is used. ### Use registry keys to enable VBS and Windows Defender Device Guard Set the following registry keys to enable VBS and Windows Defender Device Guard. This provides exactly the same set of configuration options provided by Group Policy. -> [!WARNING] -> Virtualization-based protection of code integrity (controlled through the registry key **HypervisorEnforcedCodeIntegrity**) may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). 
- -> **Important**   -> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
+> [!IMPORTANT] +> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. #### For Windows 1607 and above @@ -204,104 +189,92 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG ### Validate enabled Windows Defender Device Guard hardware-based security features -Windows 10 and Windows Server 2016 and later have a WMI class for Windows Defender Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: +Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: ` Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` -> **Note**  The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. +> [!NOTE] +> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. -The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. For detailed information about what each property means, refer to Table 1. +The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. -Table 1. Win32\_DeviceGuard properties +#### AvailableSecurityProperties - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PropertiesDescriptionValid values
AvailableSecurityPropertiesThis field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
    -
  • 0. If present, no relevant properties exist on the device.

  • -
  • 1. If present, hypervisor support is available.

  • -
  • 2. If present, Secure Boot is available.

  • -
  • 3. If present, DMA protection is available.

  • -
  • 4. If present, Secure Memory Overwrite is available.

  • -
  • 5. If present, NX protections are available.

  • -
  • 6. If present, SMM mitigations are available.

  • -
-

Note: 4, 5, and 6 were added as of Windows 10, version 1607.

-
InstanceIdentifierA string that is unique to a particular device.Determined by WMI.
RequiredSecurityPropertiesThis field describes the required security properties to enable virtualization-based security.
    -
  • 0. Nothing is required.

  • -
  • 1. If present, hypervisor support is needed.

  • -
  • 2. If present, Secure Boot is needed.

  • -
  • 3. If present, DMA protection is needed.

  • -
  • 4. If present, Secure Memory Overwrite is needed.

  • -
  • 5. If present, NX protections are needed.

  • -
  • 6. If present, SMM mitigations are needed.

  • -
-

Note: 4, 5, and 6 were added as of Windows 10, version 1607.

-
SecurityServicesConfiguredThis field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
    -
  • 0. No services configured.

  • -
  • 1. If present, Windows Defender Credential Guard is configured.

  • -
  • 2. If present, HVCI is configured.

  • -
SecurityServicesRunningThis field indicates whether the Windows Defender Credential Guard or HVCI service is running.
    -
  • 0. No services running.

  • -
  • 1. If present, Windows Defender Credential Guard is running.

  • -
  • 2. If present, HVCI is running.

  • -
VersionThis field lists the version of this WMI class.The only valid value now is 1.0.
VirtualizationBasedSecurityStatusThis field indicates whether VBS is enabled and running.
    -
  • 0. VBS is not enabled.

  • -
  • 1. VBS is enabled but not running.

  • -
  • 2. VBS is enabled and running.

  • -
PSComputerNameThis field lists the computer name.All valid values for computer name.
+This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard. + +| Value | Description | +|--------|-------------| +| **0.** | If present, no relevant properties exist on the device. | +| **1.** | If present, hypervisor support is available. | +| **2.** | If present, Secure Boot is available. | +| **3.** | If present, DMA protection is available. | +| **4.** | If present, Secure Memory Overwrite is available. | +| **5.** | If present, NX protections are available. | +| **6.** | If present, SMM mitigations are available. | + +> [!NOTE] +> 4, 5, and 6 were added as of Windows 10, version 1607. + +#### InstanceIdentifier + +A string that is unique to a particular device. Valid values are determined by WMI. + +#### RequiredSecurityProperties + +This field describes the required security properties to enable virtualization-based security. + +| Value | Description | +|--------|-------------| +| **0.** | Nothing is required. | +| **1.** | If present, hypervisor support is needed. | +| **2.** | If present, Secure Boot is needed. | +| **3.** | If present, DMA protection is needed. | +| **4.** | If present, Secure Memory Overwrite is needed. | +| **5.** | If present, NX protections are needed. | +| **6.** | If present, SMM mitigations are needed. | + +> [!NOTE] +> 4, 5, and 6 were added as of Windows 10, version 1607. + +#### SecurityServicesConfigured + +This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured. + +| Value | Description | +|--------|-------------| +| **0.** | No services configured. | +| **1.** | If present, Windows Defender Credential Guard is configured. | +| **2.** | If present, HVCI is configured. | + +#### SecurityServicesRunning + +This field indicates whether the Windows Defender Credential Guard or HVCI service is running. + +| Value | Description | +|--------|-------------| +| **0.** | No services running. 
| +| **1.** | If present, Windows Defender Credential Guard is running. | +| **2.** | If present, HVCI is running. | + + +#### Version + +This field lists the version of this WMI class. The only valid value now is **1.0**. + +#### VirtualizationBasedSecurityStatus + +This field indicates whether VBS is enabled and running. + +| Value | Description | +|--------|-------------| +| **0.** | VBS is not enabled. | +| **1.** | VBS is enabled but not running. | +| **2.** | VBS is enabled and running. | + + +#### PSComputerName + +This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6. diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md index 53d92d3c77..d21bd16a25 100644 --- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md +++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: mdsakibMSFT +ms.date: 10/11/2017 --- # Deploy Managed Installer for Windows Defender Device Guard diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md index 6bda41bc15..b322bd2f63 100644 --- a/windows/device-security/device-guard/device-guard-deployment-guide.md +++ b/windows/device-security/device-guard/device-guard-deployment-guide.md 
@@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft +ms.date: 10/11/2017 --- # Windows Defender Device Guard deployment guide 
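Review bot: In the `@@ -87,23 +79,16 @@` hunk of deploy-device-guard-enable-virtualization-based-security.md, deleting the [!WARNING] block under "Use registry keys to enable VBS and Windows Defender Device Guard" removes the sentence that ties the **HypervisorEnforcedCodeIntegrity** registry value to virtualization-based protection of code integrity, along with the statement that it may be incompatible with some applications as well as devices and can end in data loss or a stop error. The [!IMPORTANT] bullet that remains covers drivers only ("All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail"). Suggest folding the value name and the application-compatibility point into that bullet instead of dropping them.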
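Review bot: In the `@@ -204,104 +189,92 @@` hunk of deploy-device-guard-enable-virtualization-based-security.md, the rewritten opening sentence "Windows 10 and Windows Server 2016 have a WMI class for related properties and features" leaves "related" with nothing to refer to now that "Windows Defender Device Guard–related" has been cut; say what the properties relate to. The new Markdown tables carry the old list punctuation into the Value column (`| **0.** |`, `| **1.** |`, and so on), so each cell reads as the start of a sentence instead of as the value the property reports; plain 0, 1, 2 would be clearer for anyone matching them against Get-CimInstance output. The PSComputerName section also ends on the fragment "All valid values for computer name.", a leftover from the old table's "Valid values" column that should be reworded as a sentence or removed.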
diff --git a/windows/device-security/device-guard/images/dg-fig7-enablevbsofkmci.png b/windows/device-security/device-guard/images/dg-fig7-enablevbsofkmci.png index 34c1565f670a443e2bbae834bbef63ec49523b9b..25f73eb1908c9d0dbbd5dd6d11367eebb9e6503e 100644 GIT binary patch literal 38468
zro_U`!Dq~LSl^@tv>r?UI}atlAHH%+Iq#YNSV?dR8FB>KVaJx6jchB0+^cB13Y zOHmsQFm4VSOP>dk8I!L{0=7h_-m58iZRK@ssyi%?a4;o(8>+C7cono5YhS(Ju)kzw zURa*9HQc-IlIHc;}BLot#+d= zemlEQIDA_0B?qafBmqrvzEkqmt2(MnuAv6YPwIUZ5lR!b+wthJXTp^*CWibEn!Wq&d>F4PDtY?L5=VnPJh zojJ|i8wOXwuk%g6IN?`BZd#Qmgor<%0_kqRm*fq3MjPKK^KO& z3Js3e^-MDc4JgAEuXechrk$_`_}!eID1?2k5v{gR0j13mKH8*71}g(SUDdU>J=L2# z)_q;Yw`=X#&b|3E0I5p}Qg#&__}3Fov)oBmd1mxt)(78{`E?C$xTvQDDCu>)H5lk* z3J7(~u6`sm?D%NzM-P0jGPXfl`C}v}pHyX(%a01J%)y?n)0)p@O!WL?-C7%m>(>rlAU#&4Xm@(z88W%V6%|q$!WA4tB*>;g=~O3gQ)k)AJV;j_X5ZNFmbF%XKNGMP$s^TJ)+wOFYs8)P<3Aq zbo%tji9YtsIB7;(kC`ihK#Xzz3Wx(@DYNLw6!0lhw&wd?(P2#%Um@Y0-O-#k?1e2A z`Uex&o<=Z=n(!~TU54t?L}=K} zA0op-3GdIj@@eM6UDTj`PP~=bmT6-{c|NEGpBhsma9L2NnXj0b+D@0-Y$~FG)v^uO zBWCCK6jEqf5qZP5)P-<9m#Ohve_tvIRo2UK#u?3aG8?^mLDJNM2Gc|KHlyKXE0Hyw+FSRu*^u~ z5p6Cd^-=or;%YO3N?oSrlDh>}$~BwNO#!JAuhk0re6%Fi?>VoqhT!~S;K$bDg(MDk zXA2WE3DcRon)W(FGX{X{Vv^MT+S+;t4+2am3%?$4=jslfQH-#Yl2Req>T;70N z(NJ3%mo8=#<~|7yUDV~cUSubp2X`6kDO_p4sfSE~abHv;qCU+ygK>|(dCXPDj(anx#n;^T<|h&V4g)`rz0Bj&{3JO<_qOXJ zYGoyVCoBo05#v`W$9wV8r^3u1jr5Zuo;WcCyMP3^T)^jUWRJkkb=dtSrL9*+Hz#o0 zR+SY%cT(CX{)?~k0?h6I7{zAHtD^)WWzJ5I_0fm&xynQtsjhnnh|Uw_>STwE^v;V5 zG7YU|SQg6QzU8{LqiL)Y|nfIZ4=AEYKV()u(fyGqzw30oC zA#{fGq%p@V_^w>}W7xr)9uefHORcl%z4cWv3ok?RQ65UzJ1&oMNXsvIvRKKyyTyp~7a zN_eHUR(LZ|K?Pw-V%wQa@CeQY0|%V-R9}sold@JEA-+d^3k!{9Go-#E(1x4r3{ZQg%-i}Ows2>7rNPzG!OF{D zW$z8|J!993p1XCa)dH*t0jCJxG>}^PDp6^cS=F9XK2g*cwdxu+Me$O{rtsy2-^M+- zeJa7D>=xFz*2U8#8Fc7o3E@E7yRB?67ydqnh^0(xBS3YSof@(xP(KyL3IFID$qC z5c|>P0|jsR5`G|RxSj1&bprhUn@NA6!y7_<#JQn*b^kD4ouGL7muoZ*vRj`Ld*kc^ z@fxoDT59&c^7XLHA5BZ--z8_eqrH~y*0&GJd_f~}Y-Od4-sZ!rdX3}VYQRaT#pNs` z@Yt7NTFJPTPx14L<8<_J;`9$0D~v(tEcdy2EU?UJKgm!A#D1Yp8)^~zP!Y;xxJU%{<> z`jZ%|a9J!O<{7-1HKHOgBA;%Qew0!;NRo;}IRTod2G4E@T9UZz6W3E#{ zcM5-af49?Fx|UvSc8w;ia_jR*c}za->Q_dlRj*=eykuqmgDqmdTUNOf3^<5J-|~P* z7|H93V*@YCIz*!)yxy7dXjb)J^j(?wh#SpD71>qG@z({|Wf0W%xY$5}L{zWPA45Zf z5RI=a^J?1-R{S6{4%5{f(uZwGhqY4TC5n~&YKDd)TIs{?oqyaqvxaR|Irw&TmiIUN z3moA(`%fJ 
zO7DWeyGa{Qg2((5t;)UH+2gVM5%a|7?5nOh`U+#^P^RQB1S=`E!#a_L-g5g>GF>Zh zL^g7PN!gr$+QdB(%Ss1lU3}C0?k>AS;yERsrR!oseaQ|!B?u%dUvp2^h~c=C3C|9V z=ZyTKKokdBywcr7YR*EU-f2i<>l;(r*u~B?w>n11o6-7+I^N8bvdr!)K|SwsUih zQSr1RH>ZYP0*CE@)y*wN)sY@oNzYMPt9&DiouMAh>W3>=E=uw3^l)r`g}Yt9m>?dS zR~P!cQ>cjAuru+rH@#gd+&tn`Cqf|EN{u5unb?714$zcz;r*P_Q8VD2E5rfDHGcG| z$<0I;%}qK-tv<@JwcmME_OZxM5Pe+a936D6(4OuklYMbEWruP)K#-$E#NBfj#T}b- zhT#R8!>HPTI<%vnOqFw!zNn_Nnrd~OYo8GSAc1OQI}1K}r9^V@;n1>r)3{s1{o(|Z zxmnGzdCl*gyg3DaseLPoT2JYKoW3s!0Y{lF_!IQ|(o+c`HTx^gLrn8jK>w88pauXHV zmv+-UIwk!o`xRe1q!zo(gnK|n&*a?bzKqLwc+C@Go1M#?CVbTT1`wcP2dry-y1neW zvwmY7Hr+Bq<|E~W@~2ySq(2+A_TV(il&uFmLW~;$0q9rWg_@|`>^xnM+tAbF?b&qF zEWw@2x&Kfkyk~;dkVf|6{^8T^33~*Bka(I9jty>5q|yt5?o9 zqHaqa*j324Top03`k4AJs(0^6uv_4O)h--|9(cAs9+sH5{>uU9?h2I!Hn6v<7@t;1 zr$+*{-;2jwtzE7$9kpI@T~0aIt`Rffs+&fIj>+%JMoXMdGCJE&+tDma)b66Vhy6#M z<~Zh#K3eUHQFrUbe(s#}a;dyqNUN#bicy`C+cxkA+?^zE%u*{@^Y8_BC z1UJi#bI|J5$_X#&uCElz6NcPzY#H*4G^~&ayj7j$2Xq;c%I{|W^^i;P)XTd%BEuX@ zY}W))-5=dp(#NVl(-l(BwSNWTM6t!HT!eruT2^@=B`U9^TvXhAm5#&}_Nr#Tu(GO) zKMziLXV&5h=Mw`q1lC@8Joj`jISLUB0MzZBqjXegV4OFW>PRhPCyG){N-sk~fu7Zh z8ZDN|wu+;qD{PlsJR&$|KK9{WD^8zBD52AfaecszYhRi7EofSoCL;O@BMW;Q->-sj0 z_NMM3PFb!xF}+rHk)Az~Ax>Wa?&<0JD#}jl4yFlf*%G@EJ6c^&`@?cnUokx_Kh zldlqGnEMS;_?5{Y3yf=B?}%%xvQ2(@4}}(*Ps>0?Zs)K=MSqENOyNp*+HGTcdOQ>N zxp?^NuUhfcOM0Hnk-|lVkFNRX23(M1A8=_e#B}9DMhza+A`9%e#H-A7U1Sf=(t&Oz z1VjU*SrY|~F;hydWHPr~9OATPD=%OB(%D)bcda1TMW*exxdZ89T%|0>A2ea4xyMta zd9|=R70JlfxT=rcsG>Y(JiH{<;>X!4f527u`AGQ3MNDZ)=ri>p7Nm7-g*4I8Hu!TJ zXbxGlw9aR7Y~+VXXRE6P>{Q9&f1yh)i%GS9Wc}YRbc4g*>%qTU7jvELXpf=J+0dfk_T_;mM8ECVSUl)TDWO zCb(_cU50u*`mp^p4%IvQ2TLhZ2*xmY%8HG7ITG5Y7wldpV@^^s&{ z?^%$rhK9+)J^0-t+7X(tntVh%B032Be*RwN6~puVhpi_7{T-O3NpI;BKxc7TtkqCP z!LbA%Wsy1P%@yoskmjBnK1f;5WJGu1W>9-cUU~wvzOx>X>_0{aXKYnR9whU3-oVCu z-%mU6ZI1xb^*xuUZfK` zp$gbQDI&cF1S!&cAcUp}NEH%#2uLSDKzfI}6O{M;P8sLiJI)>B{E40=6EO$~G^kuxSTqFkI$cm<;0yE8wp+p`gz_C|S(M*49h!q=J3;`JNm z`O1C>v2Roc)yC<@2hOB|+c^3E(RKD@hPLPsO9 
z*TiW;j_-kHh!o7Gz!va+IyZry&=zmoNrYRdxy@M#-dk&PK&SxN*@U8*o(yAr#YdQR zEnHU6dT5M9Ipd?K@8=TFF*G>9NlHywwXHFJD24nxtm{g1U~-!I_wQS}QHdc^<*?ux zlI$pJrrq`KE5!w6F6eTUkCsG#Sc5a>z7iE$$>lvU4aVY72Lo-W7^`o+diflP{aUQM z88+8?+yP2st`J)$-`Eojh9AYCQaYY4DkQP~Ub$ayTXz~suE&=xk~kB}014;ssc73L zr-@JZwm^g?_K*Y&FWxn4%GzjZZTvorF|#}y|C3w!)TTF5fp!kF-qhBLU$g0~2T9qx z#}wy&JNlY!+!rilQrP-gq3@=>p5tvoNXfRpHa7Y;7qnq+3?i|s17?M>$=SoYMU({c zyKKv{%d_5%`=LFrrn_*?MJ1B3xw3HF6leSrSCGil!Fbk8Uz~zd&xYbBHHZb;nNDy} z!WaY2yNaRXpoR$g{7Nzk;g1H_xf&d-%eyJhG-cf(`wY+0W`PT8at+yg)OhoKM23oq zhA#9iVew*(Vn<<=PCo&8;JHF*&ROHdS*zOZUki7ill5!~m)LmI$trwGrihoa;$u&C zkj98Jj3~^j7(?@r)=VmuEcOVM?6h-r^gr1 z-`kP_T0*1F88@EogLjZT4GVnqBceCESc2c45!adZP$)^pq-3p`DKFLw)fJB0?i;uW z>0arwB~#2-7hkI=cl}~|NvbWrv-7sw>y-?VOV=04M+vwP9it>%v~fixNo@RbVc2dl z1^Wow4Cmsy{KC(X`{R#SrG%8q_eyVqValgwhCkA|v z(`f+s;~d|?8av!@{!d2ZYW)VFbw48iWMfan&3n3Sb$)YI^?LQ|d64};sMaWcXPgJD zT<6vmJUVdQTYug3Y5X;^XsWXQ&F_Uz=kl~Ff;Y}>D6&{Q%XdxCECdI19>N(DhxaMpMit_(s>)@ccc`}LMaLkubQ$0mFo6WrosU0a7gJ^x-s zuB^Xrl{oxKU=eXd6Z-sf^eqsoj`O{KM=_N5QaWD52mDHYE{}G|HDAAND$b)nGSR6K z`3A|_F#dSd#HPvyfyCNdDguZwg?B}Mq+U2v;l9bQaSfV0Wk7olH#%7aTbS2@=0;i= zSkQr|7w7K@&JnhfpCBs{3ljY$GX(OOHk;=zcAdjGwYf|n+M_lr?hZBA>u)N`ECIuj z$)+B)PnHV;%IRuhx6{8sH46=7Zs0iKlsiLeEmp7+boa9RrthQg5gF(E{7rIwV?AY zc;9*HX}?Rq8MjI@ZBIp&qOHT_bFS39NNcSSalGy4l`a0%I*Ly^W*_DD&{milhHD1A zLa5z?Zr2C25GHr3yeW)FFONDeH-xo~-6HZeh~XL9 zZOB2QdP(9iH27w`t_iiJz^J<{mcdCta5!czufU^O%+b@a{Y#F8|YeC!BD%b zEGvv@-B3(^+G&x0t}5e)yFroxg?;*PD7ZS+2B8z8DnQD|TT!lVHD`a{HNeX}%OO6& z09U}l$OMN>_1_9lbW&d(A1KjaZfTsiT(D!-yg*@xcAUE1o1N=aIs%^sQ39$ z^x|f@fN$lMt06vNBN62NbQ3`^I?FqLqFlWPmoJ)=s$79OcRYEJ8~yRDF@*rs>GE=|qkc0^&-t7(pPJu7PvqPiheW4|-mjd^j9S=y zA(c2C1VnWGE7h! 
z!?or|N~n~8#N3cn>61CTw#?YaR4%>OxF4yjJk_JZEf%p4q|lKoej4sxISOdN(LgHT zqVa5VaDYied<-2BvG^nL0?AP|E2xUBnh6l)-RqH z8~rI5K%2F zx~2fw=1i;f_TA+7G|!z9bk_41QBF^`AGt~Lo7f}MhF$Li_Jh#%9N4!YYf?QbYxe=l z^Zi~=+j|dq%$1MU^p@}cT+?l}lH*?4&$NVVnY_93Ge{d3Oz?ySNFFA(K)T_k|CRc+ zT*22}h`fzPLRy4C#SkE_Eh?h^+e=Bzz8$7mZVAH8+VJ?3Fn?vDTxeiB#RKw|BK*u8 z84pMn`0t33as)vBGj4ANpufdHMqi}Xx_#j-$%0S|z*r#~7ZUlbc5R?(KS%gEqs~?a9JxN%WD?Rr=)9zv zp4Uqc8t{{(#oJpdiQ#GlS61FWPSir0R`cu#XV9#4UUW>ksC7)9XaY%n^wAR35OmC^ zv~If75c-&sPHs;bf4*kB_5zUab3krIi0m?(71B65P3vMs7`t@_fH5I#@3#sot?j;OBKJy7L4T*Sr zbycSG*8LM18&53bCenhJ_{U_H+_PrLv-DVTzzo3q&buSCp$U@Zj z5;9uA<0?XCo&7|j|MfnJlGU$YkCdF^o8&zkEW&ygq0?TCVa;!0?l9PTCPsQfqRK5| z5et92q_CZ<&5zH1?%1y}TH*47gTQU#$jG8Pl+iy`)J5ADvW;Tq?zI^Kfa1-o_6DN` z??WmY+$0yPu-X+f8DT#1Sswr8F*?{ZnO2B1+C=>5iAV4>DU#TUmruV zV9ftxa+cJ1j5vn9)HWQx?Vd4SZqLtJo?yz(b@3T`J*dr7oF#unL?MbaOh&WLx2BbS zBVKSSj?=kwG2E)5eG!kam42zrq0;TGp{BqF4GU6uuhsskK#{`_OYc3QeJ_(MlDUp6j1|^TbcG;p9=V! z0A4Kyoj8&%eD#R@&Z6wu6+*}_gAQ_Lsv6@X#ZYVxMsa75RXcg`A1K;4Pk zmXfC2yGq2IUbya;&{xv&DLu zA+d^n!*WOrM0DaNloQ=4m0{ijqS37RrCBU@59_wM@j(PrzE_zG1mC~8?&7mRMxWhZ zzAK_~ijP3Ya0Kx+FN{~`udR(F*LSF+7d5QU(ZYk|Vm0apa+(F~-#CDJE^IA!s_g8Z z?{N0X1I9#_{+5vWq;T<>jl`;w-wU*x^|8rZHJ zk=il>JqfP_&$fVh(f#M|ib2zzGhQ)$qu?xxr8~loGyD_*@iaIw`-{_%hf?zy6h2Q& z5=soh3gXXYl?>@A-`llIY}`_B458qaImE@_mRp}%csVtfA+abq(GSp}2eYMg?W>|; zG*b@)a6Q?noHe!Cp(BjL9pU8#{Kx&?bRzB-AtnaMuo|+9^`m`e@L1n7fjE9iPoCs9 zmj>X*5%71WaI`90MNX4Xbmz`QzrECLN$OSzA0~{O(YtenfD6EazCiki%3DqW=ep z@!z6A|JePIS^%@;f3^hu3v~3~JqZoO+k*!EolCFDZ}eMIa{~eiP3RJP%xM144EPO2 z%N3>FCw010?B1S@_Xjb7O}{R6XXgZ;0{7b)rNx8{qRG!nWD~9)y-kBUJ2L#T%>!tNy&}hKZ+O6NiNa)46nI6WCMcf9W|x2z{hgOD5bZfq zF<3+o_XT)&>%Z}u@gz5S18q$E!whr(B|w8wx~CnO(GevQJl#3Y(#o8xR`Pkt+C6cT zBA`rK#MT}DUiH}*t8wCAB0fFU&oH3e(gcx`{L!K1eI*B51}&} z-mVNb-cYaJUz5B{?_i5^7#h~uZBh3CLl;SB_g8ZL((&nN_H)SKFa3AJt$O?&Jqit& zo1XfJ7@Al>(vSk??>@o?SKt2*4A}h}(Qt9sO_gHs5bAsm4q9zEDfR0oCAzN^`kyEX z_BA5P8fy>2SftBhDwq{7t7Ww7s3#@xZzyp4p(}nf9L;w;99`s@& z_f}@<-8+KAjXy!X8T=?B;(BLe=7lH^t0{Qvj 
zhyA`ctQxvC<31I;?jE=rIcTCG4fNT~nFDbC@v>@X_h+VFYRf&bvE=E@??0cj4l`0^ z)esb&KZl9Wy0lcy-fdUFxP$?-$C}?)z2|C2fA_2EL;9S{xiGg# zfBET+x?S>!>DKCSvg+zr*P4?dboIj~eaXtZS=xvv+dX*hALG~EZ(Z9?*Xx&$jDnVd z7uc=63LqCJr|r8p7SwQ>rTUChDXm=UlDJHOL=**s!I~p(%bzr%UWd1PfPLospG`zX zV6|yc-bs~`xVeMN@7MH`LsY_g2W9R|2NK4z^5+TeV8};evolgw0LuO5=b4p95-p=% z&vNzoE*l42c$}-?pdKv*#6q%rvkQmL+;8n&xVwvNhjIfO2Sxlzaz72)1wUp13{cAn zcBPs&V*Umza(-nX=tq6@;$aEROv$P&Lz&RUKu`dOYF%1%?P7U&dO7ZuDls^=;rCxx zT^rhc>wDw-8;VVq8>|_; z2j8$bN~d$DU49eWrQPbD`E_xqM?nx3v=5t)s{G;AqOVVuIF8=X%zHa=(|;_8cCWU{ z#P{5??N#Dl*VlB-;T!&`!%w9G*3B*l*)6_0#!WLV+JTEMn_mZw5-en{T=n6T)0oqP zR~IZmv(6LR`lS z0)H-`Ea-gtBWd;mdR}EEKIvyL+wzmqiyR6wa2#i1_H1)h?Z?tu!^H zeqBF6Fw}~7$jwZS4!4Bo0dFRDGHs>4ltjRmqAFfFi#ol>cRwUG>^NOD%o@KdZSplaEYzg_loF^Z%AurQMxVSLfw}t|LlVH#ymY7+KWztsa?T!8L^ ze*Id#4096T+jXoLBu_J1A8&i|PyN8aLi^^Km8rr=U}y2Wi<5TX=<9C3q=adY8+7T!3T zrfIeb(=_0Vj_+RsUDF^#lEPN)2469;2;%I2IwFTsSDZ3k8OGh>Y#jnUVjc%oEVCC@ zE|p)}xl1rs`Wquo{D^$ffVT;31=Ns0#9&fT!!WKBVZYp!ZL~Lp>94JRB@z5bAwk%d z1F0{ASwYoz9?YRmqZ(6D&25==vmbEXgYnjFUFw4Zoedq;soKrh(p}d%^Ihqc6%!Zx zfuDSE^TaIhP&{|Tg8E}%Z|szi^{InBlQX}5k*6v@{8P3;KLsY>9Hr0Ag&Hc~p_@;hpXR$wZ&%I8~UIOWmS}^eiz>*V!sW{G{SudELpWNF3=GEPCvydZGp^WYwL;&Wg;<~N zbrm(_-t)3?46>f@45n#}45-x~W%C-R>_4Yw&R4LTMrEFvXDTANSdC1JA0N;#^){PI z!`mfCRI2Q^CL?<7-5e1EBRo@o9W_24Ai#v3F2brkb|3#{gXFZa#8*R>coS8*5P@$9 zrOMT^~yE^R>Jp*|0hiCG&|U;{9sA~F?f zcu!-lH{3$k*DlC<#)SRaY-l?mWE<7t(m(I}E%*gmvlwRn5OGi9LAiJ%dvQ&%b2s$9 zs=R5|UUH_=FhP3he3=-b66`nJ3@lb#ST=cHxdR0yQq9$2KnIFE0#P_iEHIuns|zVq z3C5Pd#d~NvQ@w6>kc!plLDz%QB{;|QEKDVEnNHIH(WPg|4GQIiMFT0hKKQDaC(N~O zzy!m?x>C#r=L{9%EF5NtpN;B@&P;#miFhC~TpmwlMF>fhby&D3Fm&#QRFL~xVViii z=r-QOtXl~5f=pJd6n@y=+o$y*F*b*i8yC#zDZn9OG2pT@Gm=A7H64>v1 z$n9%pw&2toEN!k!uddl;ILcfnlU-_vWn>j_6izpA1)*p z8L`x@hhu&AjUf@CF<2QWcHc$H#hu+W2N5hLs)0_C<%LUOrCNgzXzgLezx3jD{lb#@z z2k5n6f`AVcvvuBN{Pq1@zfY)+1cMdc%#7Qe^9fJ^cF!ID$uX_2Ri4<+wR=@X9h&%U~xqC zj7~|^m!nj`e9mbe;UX8)x<_Y>gNfK9YGHzyW^mrKatU9$i&ml2LW%Wq%{lCH$H?#2 
z(s}yO+F7m-O{Jmq?AX@IGa|Z0%(Ix?^-tthQU4%P^noE+1&FQ=?%&m?I$6|6425xQ zEp=Cn?)zs*blj+&8V_WOZIGw61hC)tfR6f2e!PVn#`A1x#<24y zMy+L9WGacLR?l|qmY3U6m-L=92EBhx3~%rGn{&wxJP046l^i~ER;E_gq2-h~HYo^MOYhUQ3s$beu*aFpo<@(g~>{gJhMl9#KyqrjOmAHqNI+bK9<7spR% zhv?LLLb(oSHskCU%mIL|HrdsvYB#>JCESF}t6eHeyi4;E5tsa(eJzK8MC+LAh6?+) zl0Be3Ym}28DMSllDVs7e@8ovLcu`Zq^UPa}6_)X1mDVVV?HiErPF-EuN7-}}Mr3-j zB~gPf>X^9hX3slp1%xOjDuvq4P+PBSe;P@p(-c#`S#gsA!#OL`aDO;-Z*ruG1Y8m2 zPB9&}lvQE8z$UR+uKtB{HfsZ_?Q;@CU9|h8F{prb(dcvrP0h{Jpg9TYn&C&pTVLY~ zIbI_nO!aFOjyzG3rnA2+Wv%1%l(R&&GgU^rEbN3+Eo_+@*JGFpD3tliQNQ4Fj9LZe zO;al9nHkCs-Rfw~b9IepQ6=O%hSpOW8J}s}KgG42<*q|qVSq|YmyGM*{vtcI zTOm%-;3pk53&g$grZKhD)AR}&+fGZbC>Ttk z=Y1Z?oa?Tcr1niblDWpK`*~2OGdaO?7a;6#AB0v4&yffP5ajd1hUpU%_F3(zpQh?- z_9-u|uKY~+EfK(4`g?xiK^Sf|s-PS=! zY})17VvhtLuZlzE`1WO5-*e-JL2dc`_b$leb4uCM#B0i%<}14!e{iuaoi2Fxw6*rM zRId7)s)mSEWVV57cPKSW=J`9auG9+8ce;Rdla1y2JpzHvTH;#%lN(gDccMkA@XKr? z={Lt3bi|BzDTj14jEI8RD8_qxboT(JcjJ3N^%pWGrn828m2TGg!7F{u0Gq;Z{8Gkr zX-Htc0216b>$;&V?JP>k7dZZxvU9sG#oSg~^#xHDbg$CpFG_TQyAaP^RDv0^8FL7Q zCs}6`2}K1Z*_3`x#jxtvC&i!RMW@V6V$ZcwDf3+)HW_409EWIpYX`QPwkt-VjlXpU ze=-=#AgOfONzV68&h3W39_|GFl$PNAo6BWKw&O;=Y94aoR=zS*2t#QsG;L$|C z$_p3ZQUM^%V^SA{qJEfU`KC`~EWI3h(|gLy?BE)YpE1@(L1c0+uapm03++hGnJ2Y* zDmEhTf~~Hq91iutdNpWh35+Zl8)IgUSX)1*P-6iqOZe)9{t=u0j`D{4r=f|lw*9t( zm%WEgm$%avC-@7SkCeJ4+ZAHu^cEJ#rbd4 zqrKH;^GR*5t4aMN_3xfJiU<1tA-5q<1d?;16#p_=jKT1eo98Ke<@v{E_1W9U<+1$hiURhT2!b%IEE`7e#I8`(<9NLJv5DS2A z3U;bPP}+EJa^73NHapg!X7V$dfRWeGtbH3vj)Aln>Skk5_}ZzC(`w#Q;Ukn7d-v$F zu%FTUYI59FnConeGwbf=qW^&AjIJFGnt&CDZvdEjZTF&aBf<^ChMMPE`0n_Uv$OaG zL(IAO&d^5S_wj6+@9?3~!Eic52As<&>+Nt01xvc8Gn($$FE-8%1|eMic==#T4iO+a zv26af;Ss(_Y{7+L4rIm$L*RL7inY%#wL;-UjxEIuRVj7ApH~I`1C)8e<+XZb=4%RD ziRz*7gF9Z(KH;}>!(EsZWN~Ho<=M)TELs8rM{T}#W5KN|g*q=YcC~avQ=r%g;#z^t zT3p+T7pbbjiJoR+b-PH71H>^f!;Y3U3m>H`fN}B0Msf|dNzMroeH#k&Lhj8Ww4QDC zdphi)SslUun`k6dT64O{vFZF;5280}QI4g5?7Uu=$s#MwXOFrh4BKMPS(iH(AH8!l z+PX-HL5uJM1;H#%z7o$cIBcl&dj3e&tKOmTWc|}7_8`|L>F27P` 
zjINn1We&nDnFgASooHZ&FFOk!-IGk`MCsT*V(`7ooy$Y8LFsZY~+O->c zR|RR0Z*@Ne;IRM$?=J8i&|M(8{a>0YZ7|f2*R`SinotMKG1iARxsscXGVX2*9r}j5 zLb2P;&X|sT**2i0>w#f|HbF)+6mS=Y#|2Vs7-FhB4}4FIn;e`cR7c5JizJ2yB&9;? zpm{oksD#tfg0rmQ5C+e#j+c!y600#-`+f^PuW5HFHoxp8DxFy<%cRkyKj z^G^lPtfDuDOXRta=nAhbM7ZJ%K$pJt*$&C!^bex}s}yqLrifq5 z@?r)>vhW;E9pD;?xy4YdYEvbzvh%b46do8`|@783$b>9e<9g6>`ak&QDCNUKJ@#m|F~}RoC7bpNPw}oWmf7 z)<`@2i(V*c$~APHLp)B_$wNVoaEcP2mj^_gg6Ybt5A3DA6w8h{}v05kNFN71{sUP$3=w}RXFY`&G~>YRdo$fYNcA5F`iVNl6r zd`skhx~YwE^X3r#^tpmbX?Mj$b_}!z?9%o=)?%n_fD+x=pnkWDE`BgssIFAM@{FI{ zf9Q8Kbo$S0YL^R|es2eq=N;eXW|&!fq7D0H$4r0SEozBA(F)^PK!;1jhQCueYhbNF zTW*5L!S{-*eWJfXI{x;Hvb|4`O>cF#m5-0%BTG#|{8lwde_xn|fVR4AIRsqPjQ?`6 zhyr8t)sCZAWpmv^0DFIY;_W{`iMV8SvGu8`6S%j`Igf@W`qA?19jhMJ{hv<@1S67n zdfO69AsC$d;65o2QSM6cYO_OvrZ0tVf1Br$mS|dk?}b|Xw4%yj#oF{#cep*2w1cf@ zm~$w3L++_0>!Rz5GwG>vR;A0^+YAg{dD?wAG3mS+)=84=$2B7X%T8Nem&UB1pIswr z-nZ+D2x{`-I|DA%*lvEfJ!AuocD)g6>7=C3?AJ5*59#48B@W==Iq-_d9ciQV=BVpZsU-T27&K6i273HHi%CeYs@ z-~vjMu70s+ROubs86gS!vzYLm7|6)K=fCY>%j^rw6W=2_ruiEnK&O9RC%zGc9Og0J zPGHOb3#JS=03jVEza{vIoJxS61jP_){Sc#OxGiWk zoE>FFRk+@4^V){ z<(Aquu`-k;8Y5o1eq@aJD~xtw;uF`LR<6D|cj3V8z^&35rnGDY;?C9G?P!X;C+;uZ z%T_Ax`rejQJ7MvnmtM*nBwbu(F8{&`iQRY*9X_}7af!ZH3q&+R0>$k7#9$~vg}Fns3G z*y3rWK`1Lh(Ayg3k1N!7>z~%dSL+w3 zImpkv7U31E$mzH)a{EHjt8&6}-e6ZWXnKcEBiC+Igq%++!9wM-R|0h@PENc=QiZ@O zkl8x}7yY4khNFz*+Ob^aRbk73#n2bxOZQw4NJRVvs8y48CmT)Juk^}}LLYRupyAg|JG)o&(U(A=osUY4SRZ9Y!pX?bheZs|B7&kU+ zb(UBBrW0^--uo9q-=O94X=ctxm;A9r{L#f=Es6~5s}_n!(y3QG&bwPjEofF}+jPa` zZ9&rJ^whGak-b6zYSc5wY{*0!%r*<88tA<{_N}ZG5V}OB9ZL22Z-o&P$z6jcc=AZd zT%6YDoE9ZNov0G#HI*mtT_?ZhYbyPiG}L`aVUsiS>cGdD$tte_&6HU*wH6U&uunvB-<&#V}$$ z-KF^&i|3mFF$#eMknvl|aObE^!l&pWRR1xSNF`eza zt|@FFL*1xRnl@KBl4y?^>B9Dm2tB~HPJb_i4u-JuVJq~f6Rjt^)(k}*>VH=z$I$;f zWh|iXgDj;zYkprQd>a+7Tl~u_eU?`viK&fhtFp{)55YOJ?Imr?&3lTJ50FtdW00uwn?sgP~q?q#5Go4UW? 
zTTJ3vSC3_djBqKmx2WpTviwy{fZ#Y&jQ@0R4=j?SvD&}m$QXrTgsVs7*9MpUbL zdo)+5GF6Dl!+5w;6^I(Ygz4%z)#+9|$Vkzr3|H>MF z3DPt#rytuJjH`hf&!v+i#DbXvGn=6a5f#@Ub@2~ahxDwU-DAlUt6Z)0*)A>(J+3mo z^vmjx^$WL!;b&izGGP6}CMqf##`1h0+GwF?QO#DnZd>A{a6~|KSp7Y)c0mDOnAsdf z{+`#1@W8rASYZG*Am9XG=Y5jLA6PJK|10?9pW-?Ihiq4EOy1#6&D{IMMnmD-v~hro zp*|>t->!bV!S>8!eW&mz4NQE& z(YD}d0ar1~NN}c)x(7Uo;uc25{O%|+v9(~wGU`Dt{@U5K@LeKjhd7zt^bein-i*G- z9rhO1-}z(Ji6<;ip(VU~v$FJ4yW=oF?%m!8xSSWri5WZ=Nz((bhb4hIZM}jdQ7v5)Wzh@>t@Epb z8FC|~d$bvyJL{X7p>`>=SBcMX$Fu(To|d{khxysZz&gi|Xo_T}C{b)Sw_DRyYD@Eb zh^fH&$7rQ|{%X#M=4jh^Cj@$JTUZ)B-`SgKi^J-3hxR~gmR3%^bF&le52*{o=Ws@c zj3}2s6CSe{Wcnd=??ORK=vLVjnMmI|Dt)kCrn+6`J&}9E^nTIf?Vr&`m*mY(V^DH6 zLl;-e<8`-dZKu4a!*n8+G`Us4!V$?Hx!WJV*Qnp%oXnZ}YF^&K+~NQ0aV*gYC8ELz zcxSTkC$yhWyR`ZWPvNA+ophLClu4AxqUFzHoVM^;`ZLkXP>Ia1Y7^m5Lclue6`Qno2?nb zPd;&4?x&mo=GnMl?27O;M{{M#6(ZwwUA`75W!vo) z6wbT~0*qNvCs1b++4_1GccSb$vaB=tVq1Nlf<@kQlPNkF1Fxj{>lMloYjf{u7Ui2~R`jW_vczHwZw9~VZwTrC(vcgb2Pv*(DmA@hSf~?% z>n|g%!i({vlB?V1G7+}d7Bo9ucd?fg7{%06^WjeE{By#wf4^T`{%74c&ZDdWXpS^F zdDAC$``sz1mr#Khuh&95ZBYEG!-w0#y_d!Yo-`X>!~9wph9Z2Y(y-nST{*k`UYklY z2*Yzt9iv3uyzbb}206t*vhve!QA`Ktyym*`s?~eSVs0kL01-ixLY8>W+U*^4ZQY1! 
zaoR{89QRt@Iw02On)K-*eCaolMBg*bnXT_sird^y2MV~6(&a!Hf#*yti_3tG+g)$XpBSM3~6nOb-KTbz7?L;kXcIK42;hHR@3Q-I?)~|Nl?_D@>9i{gz%?;D#(e)}Yw|B)E-<6D z?{PQnDDKnI+pR{WHI|K2K9rQuHuk!(vcP=EDe<0IvS3nDh_c(D~^Kal#8I-%G z_IfQTa7jsNGhOh^*w+idmPuOd5?}9{=xlYIjA>Y|;azt0_{Wl$8#|2K0t&G8IcT@x z7vJn}AqzcMdYLnp3yh!U+$$>{zmgLgy3~w?NGR279?e_0(W7}wpUa=+z;4OQnU8Vn z72sFLGuq?v;ZIK4`sPtiIl*!BnRe2wsFJc4r+WnkC{YE6Seh=u-JCgACdwtxGxl(P zhAHFA$S{n_i{2g2jXC}iC{*c#6j^TClu zF!-%IM=HH-LG`~A$)fb?c9y)lSqrX{?-h+T+-+BzP-ieS7(FrSB8KB3^MxQ&;`ynE zqH3Oc{h=uy`C?=1p-6QVP6RK=lnmQ;(5Hl3B=kaNSlVNp+prFbEQ#|`E?>9o^VKRo zLId7OTe8OtNuiOk_!R*kX9;!2b2gPdJ1N8VgrGiY=oUUp-cb}0RgnOD!|#aV6KFaMFjFmN63Nk9shSZ z;)KjRp%ygJG9Nhqv7EuvSq4I+eEh|az^C606Hx%e0jLmh)E^)y4`uzgs5KU#;e?vY zM|}Wfy#aynKR!4{Qvc)o%K<*N7(2WO{|W)khW{8J>o8>{v|IY3F$nb2m2md|qcu3L zyY!E4f7RIM7BiWEX=!(+Nd zu`ohk*I!T3`0BZl^OwH{@Kyg$gp;nH7>Ird%KdZ8*QG#6-ZREj!0SZt?FX5iG1fXw zl1GR!2nj);?!!Xs(dmTV2Zh}5H=sFLM5qQvr~u)AkL-dmlP7j_9$DnR0q@GijviKp zrNe8=nSi?G)7cv}%M~z#w8=5jI0?_4?+~0?*nPr4AWu*Es{yEm{n4osqzUVr0x_!o z6!w>&DInXq7f5cbVd#UI-$3q~lks?Nm6jS1oqoZ@>jj=OPEgMwb#FCD?WQSVB_lT` zlfTlGMjAI=Sb?vW2AW7}d;)M8U7L2?mM;j|$c$Q4sp@#Uwr! 
zxan8GiS5FokrWm4F04xx^5>8X+uq+_oY3A(jmix9c#Z~v?Gz}Ds=bc?$Vm^7jv2G< zrXLH8(9n5*HzLdcH}})80X57)p;D)KgbfqHm60mL(@KV6gJDvqiaMnbS#KZSvo9NZp4OYtc+JcD6IIk z*w*0uMtB`CvWgx9?Yr($3A)X1`gr*PrdAw3YptUh7W^}tz{B^H@rtc|mp z`%5S)pp~FLdqpo)0E^R*pW9wC2nZ`j=?`}X zt`S=LfY4IHn4dmlOqh!5PY@>G|7w(l97O6B@K+X?I)Fd^ zgzP==w>}(r1AybF9MJo~;dl#p0Kg$cpt%Fb|3CfzcO79I{GSe+@i){5hZE(tf{JWH Rbc7$0msWXP@W}Y({{pIDBnSWi literal 33488 zcmdRV1yr2Nwq_GF5G28!KnNia2qBGIh(LlRxVr}n?oJ49!GZ_Z#@&LuySuy7w9HS= zIrpA>XWqP#HM7=ZtzPv1ch#<{T~+)0_O4w4AEm``u_>@YAQ0|*@i(#{&>aZyalyI+ zyb&!pJO%!t*vN{Bf{F&Hwt)vUqgPU|K%kN^9GDI|@O;-wT*U?idSH9|L0K@Qbp(OD z4c@OR#VPl(a8OvkXrZM z^&^9gI=Uj&tiSZ0Zwziy2VFuVR$V|uGwCWOoi9P;;JVv=_2=3TX+%BU?nX4Hg@ikj zG0`if&g%7XY{cmaP0V~QY`73|fxwZ`wu8!gp_8hcbG*pSM7Kd+RG^=K`?Dgxeen0+ z0ljj&{l@c19usTlwovoKG(M4!w6`zu?vA5)Lu;K@c0FJGe~kCn2N>#NqY z#cbh=co~ng(G+NdjK>K>3KC`nrns$k<9RD}J{-%jm2#lh!x9$44I4OwO$c7rpD(x^ zUeDhgx^40wdK|h)3&Febn@(HYC~$##o^B#`o~ez2M#)YaL0ZtNCi_mHVe~3k-yp0n zp3@=a8YgxDmMQGI%&zH%G=em)Gbnl7jErj`o5!^pH@9U3&vaxleqaEiSg{0I`G-;q zMfPc2k6txch1<+LTE?T_$-g>~lbOG%tkZ&(Av;e!_Bs)pO_xou`CX6WK9BPvP7k;o za#zOnau}isZ%J2bx;iX!zur|6hIU;FpATg^)UVP=1tn6MxUJ6E#M+rlsc(CMnHhpI zcGIKsV+S?(2S1j;%Dq2_L^DFqiuo?glWK=nIH>x$1W+ZTdyzc_X~e0j_|2Yc!e>t@LUO`u{s2E-E?9^i&mAh$cSj%~z z+kJU_v2lL@c_f24?4*UZVY=T`xyy}y2n<=!`qAGpJY2DyKlIBvMS&DkD zxY5tSjAngeR34s=JFd^wKIG$(&-Gz(IDM#nT30Pu_$)u^a^1SymN(E@cAm}ONwn-I z{v?aqB=LvXglE%c`iHx{>gv3FV#EcB1^K`@veC??O%={q&A(&%;3>;t6X&y#3-#B{CLsj80ikzf>S!cDv*c)^(_Dj|RP{Oqx_6NfvK}@U#ELE+K<(Nm@1hg_#_~jCl7BwU--#$+CA5E9CXn$JQ zXBD5yg~)wb`$m*rX1rkOEB;F++LiBoc`rbqCEGM9>DxWjf4mgaBzH6xoxN~_8MX+O zv8*}&+H`f|agNh;HUNRa0PFDEGP#|MyiU0q0zONxQye{QLCDLSLl3|(eO3)v+zNQ; z|7w(kE!Ifd`i$uTk@J2{)JDl<^lYhI=f~#~4#)a4scy^z(mIl?LxGZxGJTfiqd3kE zni#Rri?V}^b$qsgwBaz@>c?|?i<(>GK1RAvb9H?UKysc?couic1gp)EcTWJC5M zvJqe4sHh6QE3w$PyL{NNyy^iZ6h^XKE_xhlI5b@MTSAi-5lM^C{zd0iN{?0CN9aP( z;lL_^6w5$T4Vt!7vstJj|i2Bzkz9DSEz$K5nP{LUN}N(b1tj*rpwCj z(wHT|0YjvWMg~~O3I~rpg~O|!PT_NZe8Dg0U|Kjn@CsRXx)O_QrxgA&%cA8pYtAn0 
zfjHMfLMOrHVXo;+SK3%q)D?I>Y_mGViEL!w#XBW8s)|`PduLTxGfZl*qofN;Lm4^t za^ze|C1fh*KkX`VsvQ-Y<(kI+TtSrx>EYjZCQj3psW19i#nG8}S%J~9;%X8COu78s zSve+(a^jqMpF+8m#L>rh9S8t>$qpOn^f;f_a+>T!%zs`)j?XUMh&j|B4r?_Y;vgqy z5l0)OurZfKo8^PLMc7yF#3ol>{+FOQbXima0OyKLZUHa}wCopSEw0yH5Z8n7xn0dmRp=qErK8(rFFGi$$Dm#x0GUd!Tbz5=c)ouq zaCSthX}4+Fbartnd?^7zUMnG>V#0`}Q5oUFUQl1K>kW$P?=Dhl1cqF=bJS6UmgN@0o@mYt$qEi&Dk~m*>o?mtvoO2T=Civ1Y4O z3_}!CZMxf8+C-5 z9$gpbJdP@!C2=gY0zW09sVz^`KivlqYtLlPIw;CTeUPnL2o?OCD#uI3lY;EqK?5)o zNNwWp;3|sZ*2h%14`i~?FTkxh!L?*KztcJ3pp%u3d{40Tp7JYLld5U_2NI z{RT|>LKAcxB7~%DLJV9Y4>plo=`zCb1~KG*I<3c`o5KR47ch{`m_kQhmkoz*hwhhk zi`N4V$%%>e@O{h4a<&n~f{m#1n^@``DzxakjSFwyC0U^1^sbD)b(tZ!e>Y;E&(?rk zArL>rFqxXt*^=g0bxGG5Bg5Vbql03d!dH^g7K9=WPZX+>Jl55V?u#$o_6x=rk|-Cr zIbO>mxP5oVnni5!Nyj$nz*e34?&nb+N5?W+@MeZV*n+}J?x8xoRU+kT%OB!?xVY;f zgY4#9gwJdWpDwY(TG)+MN!^jOHll0xp0e07c_RsASek*5*3v86;l!Ajbk28`J6Ch> zfWBqf+%NIG+_*2vp{tyglSlol*FI*`KsRgYv!eJxAU2BD<7pwz=>>@r{oWL9@_*`( z{)Nb=6rZtXTKBb8EhLN-0e`LKbhX2%i0W~2p05QPI&@oOphr)xISDxwK92_YwN2A8 zREshj<4QCPT}aqj<{P~nT`aYoEW_6Vas4j0dAoz~l48~c4J%QOXOy*)`MMK!>LK=l zVc)V`=zlR+vag$aS?hi<8#T)o_bT|*yzZOfdX7*l_=Zu*vPQ#}K~uG5`EYuncNjL} zy#~6$`?tj|j_bPLtHsDHf)qSEI&4~hW_i75Bn0nsXuM9tciW23Zh}K67tWztE~mR5 z`%*Fo^IBnQVue_^DY8 zmzRdVMSD^xeXPMM*lSy4Y*;zuN~XwIDPcev^5_|{X?@_3U2Z}gWM|~~Otp%khN9J} z9Zegut%yqNevR*se}BVY3!!r!y4EjdG(gp$!am^_bXRXP-Y6JY5cpb-qt~aG^;(d) z%f%=y886c(mbFJZ=eRzclNL>Pa=g5@FzZr8gyd)3LA+q7LG^&Z5*5NZ|P;oWhe#nW({(j;5CNo+1Az zQ)K_qMyx{@3g3lXc$txooaqwm8sGguVrS{}YRyKeNoNxNvK%$GeiN<*#qe0a+R;n7 z?pxJzd!r;E#KGPY|9V#D&R@1h92a&>>mgX50C8Wr6qb-(;!J_A@zc~fTQ9dMM~6Xj3>_p5dG!Nz=TJv4@nOlV9uw-OfzS0)CH$BrD+<|1Nf-O9Kw zU8TuNYfLV=fV?*YfG%+n}skpMTl?xcbWQd;xyvz`@v+fjn>-nm+I9= zStW~KKLVEOCv6m96f-b1uUbeo8(|?b9?%_HM8aVt#Z}jMRl_O+q|R!&h5x{%Q^V42 z*AlT|*?2I(zX-4NKnH_B%H4Ee5&z5|u4Z}LgC|y9J1N11Z%Juqh4`i#MWctk^9c+H z=?$;Vj1u0z>tm7|ft%G^yp`a}#%P3g-N+0qQl5d5s$Ss^VJB6Fxt=p4oROHVmk)$s z3w4W#cygfeWZ-qr)n4ZTu2^N_N{Fn=N_HeX_eMU*S1*M= z7eBKrmQ7i?lB>XP8>obDKi=rXbLe41{7Rq|1#YDW#Z3==JK; 
zOjG%@Y5~!~FCK{r)HC)pUH7;*bVE=|g$B6FDh}MHB^eXsQ6Hg74|p5}J;IU4oibW( z(V)HIN*d0<>}m|FXwG9l8C@P^x^NLb5K1EzWlq^L<7^LCA_#{sbSjs0UDCZlalLBM zxOCl^{fJ8WMz|RLoL3xo40a}iJPU(Qg;7&e3nH%vn~pmuJz$+4Fe8r(Baag%Efio< zwv2`*F&-2WPCRUU_mQR`)6Ku0QezlHIXX<<{NABWWqgR;fkC5gXkvdJijdZJ*>Tve z6IIwMnpi}vkb#F}*s&0pK-=$liaR4?GZ&(19Z>WwzOi^FrQs-Rt@kl4CV(1mFrEN` z6VLwV8n{Qys_5ZSLhSDk$WqXwAjm`hUv%2P66;6jn^0 zit!cTNjM)-Q9u2`vAIzH72R%ono5XwPb@_hJ;_R&2RbIg{vQzY|63OQKj8ZR*CMTE zU{ruxft#9O=65@0Z868Ii`_Fpn~j*8aR<5~|2+kO+n3z|7ki*FhQDlvS1lrne`Evy z&D26gfT)LvaIFU3SJ_mIi_ra)Cb!#H%|&Um>)KBYq`_9(BblqKt46{%(?)~InZn(V z!-~9Ww)osB7x}T$&itXeZFVOWz6b@ak2}{_YqC#*R-QRT{Y~t~CsY}s>op0@lgI?i z#_JY89Icy~$s+X{QIAL|niJvUHbM%_i7dB`lWubhzVvoHe>o`zJ;IxnPh5xJMS&O<5Meu;*3J#;h&tz*WE5i`G(e^IaYf8fD zO1qJvT4D#mo292*eG3ZCtIO7GUDFG7)Tw}*ok}~;hWVPAGsjB;@P`ha2BYr&7&5(n zhWZKh0H&FXA+333v@;6Dfw+<+t;g6Q_aTTD!bK7nEcw%~NRF~knsHG9^9F)%+4GWph<}A!zx9@#kC!(Bki2tzT=EWQ+0*qL4naiF!VP$v zm~ygTt_;chmCX>a72-D|qGKyz!z#>LFILHDDYnsuL4=K?-(F$i>p`m2>G5IiStQ*wRL%Aog(91-K^UQHg{<;Z|q8Df^okkuNaP*gLl} z*feTwPy4w&kT;9553##s^3R)?k1!ummrQCnBvI{~DQWF6nSw>aIU6FE0@xF8m^NwL zuN3+ZiSEgxYU=n7Ue$c3^$EKk8lF7n#Odd|b;tf#ji~3-P0V1C`m;>-hW*OfTK5G| zp=shLx7xmJvvVka3y~+^d_ESswES6H;i!K;N@-!L$9W2`#~He?iif%9k<@w+IUvvN zFL}V~KF#rBN_K235=PMP$fzVpx8cfg>Fdw*&B z*GKFz&=lw2y6_QId+={kL~uO?QU426w#mD-3)Hl0d%=If@R6~IcM9hO1OYjTjuWqey_i?`b|NZ z$BuwE4o}<^*aY_68PoJi#`umJMijnbj@N6? 
zVpv!hSQU^<_^+~)&kKwMuh*jFcXYE@6IxoX45c8Kx4paI!phJHyB`%?8b6omy3dLARmFXChK)2_~w62mkh%!-l!3bo{eZLRj# zi66__DgWBtKen?-#lmUwWe)bY`dy7fdf`Gm$9YfTs`+i2^u&Cjg@mAc=r3D-0b!QE zTW0lI+wF}6O9bMwNoIZP3h9qLqD2hh!wKNbvYxPVzNJN?t0;AIhnOfaNv=du0?rL< zQO${7load>l7Fss!1Q@KZUav8ta+6kydFh$yc#WKn?)qsJxeoV)u7`3r>iK59>PZ>hh`-z|)Y;bO(M95Pn} z)_pKpP{L#7lF0L43drGtiqZe;@3{Yop?G0+yz;h!zQSL2LmoAjO@mKJ$o--$#qDBG z1sY{`vPA*n{EbQg@RFyNEz%;}Gev&ez7*FJMs}y}eqehpxA;Na_CG5Xsiy(_2md<7 zapi6ZsZTG(h1 zp49n@B3Ljv4Fiwp&ow0BkL?vhM0Z>G=qG8z*4o;e$Ht=hot>Q&h2J+haJ+T22)~Ko zQa$-gIIo7RXX ze6;rjMXN9FGyLduv58ogwd0w3{g>+hLBr-*j24x4+>CVCCpEp(C*i_Os?1!j_(jV76cWHuQHr9TQKz zo^}1uShSW1Tv9^K<4!sq2=3}mQ3af-n|rrAv2Q@YbSZ!-xj5zR)vYRT&3D@%Jz9dN zkUl`U`a&&AiEllLb8BW;viB~e3Gv(By35@90mX;^J4XWl;wCJW4|`w(YerkqHmdOV z$-&;8ZA_N^nZb|FjyS>-0Yduc{surBad&gP+**;})-C5fZWPx%Z|;Y|&17)5fGh{k z#Jl{D#+qqfTVM*+=m0%_;EH-3EO?39yx~Q`Be3@9T+FI8A=|b$p0=~U%Qga&kVq?5vVcuf zLH%tuMXKB~re*CmCj9Z-9DI`ZfojcKS(&Fy7SS)lklpeDvuBRUJaezvUE+m(HyMem z)QUHClaFjIYP(Yo^DU=(2 z?(Jq6eVD{nx+Fs7eZ1~B-kvTM;bcmxVJb5473OPv(6wteTBtr5*_WXC4%s^#KKSBW zO<1@bPvnY*+^*vr#X}+o`ywjKSX#)+LC$Fr$`p-;>C#Gjkg0+Q?jD0{^V8$2my>o? 
za}NgPg$!DILF5kVlLJekSK?}uApRbP6>(Is*4yfzj^&dIs9z4HT%Mcv-RE~Bb9nU8 ziYCH(BtkE=$a_Ne9zQ|-LzG{RD(BH_Q;!P9%c9rSe-U&n5K-%)1=@!AzKF@6w9*{E;Ij8IQ_-;P0l7Iiyi%v>VV$|4j&zl(dniS04{n3X(9iO~hJc!ww_o{P zpRy$KGRu}tCy-`fy!kd-SCNU4X3E#`L|*nabs?ojk@QQKRTkEnCdvZEW{v6(G0KF5 z_NT`WOlod!6?Bf5D@ylM6A0^g^Rj}M9CQ{I>`1fVJmv!tTWdUG0(Z|w+N&S*dw*Gs z6<&RA@u>G?d)WR<{Aki6Ri1YzUmRnnhTD((yXhZ_1a0ABOesh*x}EoF5FajoR7(va z(pMmNSca=ehO)MUa`$#dz2gjd>Jl0FG&rA8F?0%RJ`?#qFG~oj6f1e1hlWKjQuu*D z1eZ0=M;5jGkfe)?$^jX?)fa~L*r`-QFcH0Uh&5-~*4vo3cJ0toEyLj2miyh)>Ew|5 zWl_=f#0?q;gPMoT3r-<1W85^t(HG)=O6_8@Umy5CJ^@!P_4Tn~UGu{n^}Oc#%7B4O zfm2DxGXXAe5%!hhTY{_a<$f_!EDnlIWCZ&xHt7?Vue*k?M5VFSR(cMWj;P&&dBHE` znUl6H^zU81-Ak|-ky*mUJ4&w8B!N_aP+sYAib?tK;iHDIt7W~2P%lAsT6Lf!t*Hca zEjr|2WmO?ZmFls=X)CB$!4#aT2v~GhFIC*Jo1*>h`dz{=5WH%u&>$A51GcZNlmkmbiz=!ro@j7uZEWm7xfVi+^SVbwRo_RqZ)elDl(Lu6Cm%obW$WCy zmRz&L>m|}k=W6{lFz6?T+k4zSuwiV78m5$Luo?EN|0AeUug{zud$y5HDE z1BiR|n^6G<%hLyR3sug*FPMK2vHynx)21G>Yu4u|W?TRb!+*n-bI!P@Fd|3-==>h- z@6NxL!zJ+B2Z-$r=5J#7@i6=;3jL1VKdTrYgg-@7mGuPr{AZb=ir4nlhJ^8|DO-C*KfI4t>m0_ zle3Zy@>zNd3dkq5DPnRSQLIU@ZifK}w=If-noZBX1BZv&%uDt^qL~CPXh2-Ih_CH_ z8))QI#vxLBe>mXNfaw`>>m0<<-X4SpPe_Y47N7fqp|7!Y?1|~sU*uym)|Q^}g$lCx zVuJkNLnykCcr{I}(~CUk%MdaU-OmJ{)JAa|$hU!F$QH+deaYpcs46Cw*U}{#wU_Ps z7;3~I+$&3YFT~qp4}&wyD0rr|$EtV#V?-bdh`u!b$qr}WDz6Bo_>sZq%6uNnm#6d` zBQEJupDQ6KpqcMRj{RofniyG$Pi>l5{+qlzYIoE&} ze5eBk?}w#zmLJ>>uBVA?y5gpeB=LeYB;@4Js-?V7b|`)KUw}O4F+FrpKyJ4@i5ts| z4YYUv3I_+Y_4+og@Rha=igsADmNH0$_P)FKW zpYNF_DIYdilqcKlaLN(t?u87(?r)jQThFR+J~x{MS}T6?E(c|SWmVekHYE}7D|wa2 zpl_jlhb=CBF@MX^bPS8y?Z*|) zzeDsuXXSK#DWQl>3EXfZg0ou6+noq_2Rw|o{fQ1VXWo-zvL$$75)k(87hZb{BPA6nk!aEEc@K6- zAR1#^uRv_WuQJ`rmm*JIKJr^CPG>l2-?)dl4K8Go=ur-AWp!;VyP&Z-0y#*NTf+;-9&N>WZEv zyYDPB)$cNok4iiP3;RaXsusD;KX+CQ`^;pVheCYk{<%HD0sBuO0Gy-)I7~f|#%^->g#=$6TpPmZ-^48#xJR;IMcq%q_ z{`CF2Z1nee1011-=V-O8$r79+{Cc7n2@hfJHv8)X0<@AIDt=q$ot8}9^467wSQX=IkH0U2jWSc5l zwPOB=!vFGtTF{Z2gVmOuG{8Bp)VjP|zHPPjie8c+sXw8=WwiZZC==uCXKlgo4e{9I 
zoWoUWh0oeb(tf(hoX%*VeW&Kml+pwwLU1*p|6c8G1=&Rx;3N4ln~GFItXYB^ued(B z$o_;Zad*-u>s0ME-#z&hXtt|QoAk{m7DLg(&&lO&Ak&%RCwk?zJhlaC>U~31yRPyY zsBB_VOPq2lar{wo+@f(dDHN}Vl0!v%o-r-AAKNcm@cKjcK%`X0cb)al*=BOtIPkGf zrFy3rYgl*I4D}CFk-{!XQ|%$%7YD^AZ*TMl_Zmyx&DC!n_Gy*qD`NsNJRM(Pe{WWm z6$=jw5p(C2r}Jj(9)C5ra?d^;px5l?>IS*YU1EiX?wvMxMJMPi9LRJp-Sm08-M4W` z;5?%$7OETwdRxmqcRd`tV*Wx`b!RU4WnyPw0(*sA*L{XS(Y*-wM0vIgcVlLSvL)se zO^Sip1!lPs%nzEu-K~$F<9sluFSOr~V5n<*S&YBxUH2`>5x(fFEY0=hagE^bx9EJJzA0@lH~mrW)I{(dkV$br zlU*Uy4+mdkg8P%h;D)e}y_VmSv;D8Dz=#5qn24WcWTH1*yIvaFz7$ye-y<)U&Q^HN z@9Ut-%~?D{^WXpM?qg&BDXr@w1DCrBQxWg;FiqS_t92;~R#2bp7JW=9POU&7M~N0+ zNe^F4TXFhrCd&Mx#M#w&ABiiATHZ|NlbU>JT4r34(*36;BI%;@9aP)f5xs#-YN&c& z8q41WkU@su5X(zPtMb%23+d!S6IQG-1=$vN&!z##=ge$at~2GywrxIMLb-ghFvra5 z3%PgHaV;>_QYTqquPObwSo44lWxKLz3X^q>1ePVeNDbRb=V!f}IMLZO>CzBA)|>;7 zy$^?Js$o?n69_|;wi=fM)KP2zrW*=)AVY$m!ggGo8@m#iy`HZ3A!-lSe@DaM%Qb!X zfJA2*gnCwoWC&pLRiPV&*JWJOLTu9ml>Hr_G-{qqv<9(hJiTc1)IbMlG1XZBkC55q zhWwa_KqUo}gsp;vt>}2?$6aI7L|>KZYU7$l@zMrvV)IV>IO0;pw=XUF7vGe+8J0H0 z>UPHn+qkxifH596+M8rXW7yvXIJJ0}(%SJWepEGiRMN10vb6MoK_d4k+E4aVV-g`t z8^iL{F2NY4TIV_2L67)9i&>P+mQWjNcWF%0u%**fO&uiLWf;4gys~~{tYaYeURa3B zf#I=z{*D*5jvxSNJRkKvuG+|KjRJ02!sLR(mD#5~y0lit2d)RkEV1=WVcnsb8yp4( zg=o~yC4nruUxM2W;b!yG=5l1#lMCt7F&z**$ye0#ywbWngHWD1vXHD8+00mu5_a^; z8Be*}aQJgC^E{MdbgK`vd;snCybCySIM6X_-KFB&m@)va+8kY%cTOzjJX>#x`g0V( zjFX_>(#1PKc~)%Tu^A1(BxRyMs{?2WJc0=S7ohs~v;=5B$EyxyiuNqs-tu>o+7hNq z9H5KahMIMNfQra%F{?NLhr@62p6W5s(4*TX{O~Uco%;>d|}tStSTFX8dZe|%ZMS4`^R%GwHcN`5W?=*N?Wkot;_)Q5sC3m^C2pvnyz zK7EZdk#z4vEXYz^{mAFSCQCui;3W~fw*Q$UF*EbLa~3pCeWftr9@c!y7Psd-^(v;?T->D zGyB$Tg(exA7)cH7$=7uCi}OBYooV7D=b>+Dp809jsSd51#zuM>fY*<-@ab;B~ zt%UflQ7kiuqjdVlXtjfqna%fQAQoF}-#g6Mk9^DzW#!Rb+8M$GPJkq&%TWGa3zF44A7GW*EF6oB{(H>JT=!-0}KVT*j-g~|r8fRAPaPQ*uQ__oGdJO-!d*Vjfni&=v1NAghGT5&^N}#MP zje#sVD>JbxF|Vmjqm%6O|Ga^~H4(eAN7T`Fr?AWSvJLi*zaiD_A^tagFS}UZEG`zJ z<>nYNyFUbXk#~`KsmoADDH7pvEIuwQH6(W9a-(6Cml-POW~vJvF_8 z(xr3ZV-8xPC*qa)%RV(^v4NJ&;3WnVU`2X{X^vyuw=U@n 
Date: Fri, 13 Oct 2017 15:33:24 -0700 Subject: [PATCH 5/7] edits --- ...n-based-security-and-code-integrity-policies.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index d948e2c391..14f89fa9e5 100644 --- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md 
@@ -15,15 +15,11 @@ ms.date: 10/11/2017 - Windows 10 - Windows Server 2016 -With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. +With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. -Beginning with Windows 10, version 1709, you designate these trusted apps by using Windows Defender Application Control (Windows Defender AC). On previous versions of Windows 10, this is done by creating code integrity policies. +On hardware that includes CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT), Windows Defender Device Guard can also use Virtualization Based Security (VBS) to run the Code Integrity service alongside the kernel in a Windows hypervisor-protected container, which increases the security of code integrity policies. On hardware that includes input/output memory management units (IOMMUs), Windows Defender Device Guard can also help protect against DMA attacks. The following table provides more information about how Windows Defender Device Guard and these hardware features can help protect against various threats. 
-Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI protects the kernel mode from running unsigned drivers. Beginning with Windows 10 and Windows Server 2016, UMCI is also available to help protect against viruses and malware. - -To increase the security level offered by code integrity policies, Windows Defender Device Guard can leverage advanced hardware features on hardware that supports them. These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Windows Defender Device Guard and these hardware features can help protect against various threats. - -For an overview of the process of deploying Windows Defender Device Guard features, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +When configurable code integrity policies and hardware-based security features are combined, Windows Defender Device Guard provides a locked-down configuration for computers. But they can also be deployed independently. To help distinguish the value of each offering, beginning with Windows 10 version 1709, configurable code integrity policies are known as Windows Defender Application Control. The virtualization-based security of code integrity policies is part of Windows Defender Exploit Guard. 
Windows Defender Device Guard is the locked-down configuration you can achieve by using Windows Defender Application Control, Windows Defender Exploit Guard, and other Hardware and BIOS configuration options. ## How Windows Defender Device Guard features help protect against threats @@ -34,13 +30,15 @@ The following table lists security threats and describes the corresponding Windo | **Exposure to new malware**, for which the "signature" is not yet known | **Windows Defender Application Control**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than constantly update a list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
Only code that is verified by Windows Defender Application Control (AC), usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

**Specialized hardware required?** No security-related hardware features are required, but Windows Defender AC is strengthened by such features, as described in the next rows. | | **Exposure to unsigned code** (most malware is unsigned) | **Windows Defender AC plus catalog files as needed**:  Because most malware is unsigned, Windows Defender AC (which in most cases requires signed code) can immediately help protect against a large number of threats. For organizations that use unsigned line-of-business (LOB) applications, you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by Windows Defender AC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.

**Specialized hardware required?** No, but Windows Defender AC and catalogs are strengthened by the hardware features, as described in the next rows. | | **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
With VBS, even if malware gains access to the kernel, the effects can be severely limited because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | -| **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:  With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.

**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | +| **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:  With this type of VBS protection, when the DMA-based attack makes a memory request, IOMMUs will evaluate the request and deny access.

**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | | **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in the kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Windows Defender Device Guard security.

**Specialized hardware required?** UEFI Secure Boot has firmware requirements. For more information, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | In this guide, you learn about the individual features found within Windows Defender Device Guard as well as how to plan for, configure, and deploy them. Windows Defender Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). ## New and changed functionality +As of Windows 10, version 1709, configurable code integrity policies are known as Windows Defender Application Control. + As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a code integrity policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins). ## Tools for managing Windows Defender Device Guard features From 39a794daefe5c4ef3a71f1339a519f02b3571c56 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 20 Oct 2017 13:33:13 -0700 Subject: [PATCH 6/7] added Windows 10 app control --- .../device-guard/device-guard-deployment-guide.md | 3 +++ ...ization-based-security-and-code-integrity-policies.md | 9 ++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md index b322bd2f63..f26d463253 100644 
--- a/windows/device-security/device-guard/device-guard-deployment-guide.md +++ b/windows/device-security/device-guard/device-guard-deployment-guide.md @@ -18,6 +18,9 @@ ms.date: 10/11/2017 Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that run on Windows 10 Enterprise edition and Windows Server. When these features are configured together, Windows Defender Device Guard will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted, it can’t run, period. +> [!NOTE] +> Beginning with Windows 10, version 1709, configurable code integrity policies are known as Windows Defender Application Control. + With hardware that meets basic qualifications, Windows Defender Device Guard can also use virtualization-based security to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. Even if an attacker manages to get control of the Windows kernel itself, the ability to run malicious executable code is much less likely. This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes: diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index 14f89fa9e5..7489625b93 100644 --- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md 
@@ -17,9 +17,12 @@ ms.date: 10/11/2017 With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. +> [!NOTE] +> Beginning with Windows 10, version 1709, configurable code integrity policies are known as Windows Defender Application Control. + On hardware that includes CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT), Windows Defender Device Guard can also use Virtualization Based Security (VBS) to run the Code Integrity service alongside the kernel in a Windows hypervisor-protected container, which increases the security of code integrity policies. On hardware that includes input/output memory management units (IOMMUs), Windows Defender Device Guard can also help protect against DMA attacks. The following table provides more information about how Windows Defender Device Guard and these hardware features can help protect against various threats. -When configurable code integrity policies and hardware-based security features are combined, Windows Defender Device Guard provides a locked-down configuration for computers. But they can also be deployed independently. To help distinguish the value of each offering, beginning with Windows 10 version 1709, configurable code integrity policies are known as Windows Defender Application Control. The virtualization-based security of code integrity policies is part of Windows Defender Exploit Guard. 
Windows Defender Device Guard is the locked-down configuration you can achieve by using Windows Defender Application Control, Windows Defender Exploit Guard, and other Hardware and BIOS configuration options. +When Windows Defender Application Control and hardware-based security features are combined, Windows Defender Device Guard provides a locked-down configuration for computers. ## How Windows Defender Device Guard features help protect against threats @@ -37,9 +40,9 @@ In this guide, you learn about the individual features found within Windows Defe ## New and changed functionality -As of Windows 10, version 1709, configurable code integrity policies are known as Windows Defender Application Control. +Beginning with Windows 10, version 1709, configurable code integrity policies are known as Windows Defender Application Control. -As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a code integrity policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins). +Beginning with Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a code integrity policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins). ## Tools for managing Windows Defender Device Guard features From df69bf5c65aa1ccb26db43d533074b7f1b026818 Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Fri, 20 Oct 2017 14:20:39 -0700 Subject: [PATCH 7/7] revised app control --- .../deploy-catalog-files-to-support-code-integrity-policies.md | 2 +- ...eploy-code-integrity-policies-policy-rules-and-file-rules.md | 2 +- .../device-guard/deploy-code-integrity-policies-steps.md | 2 +- .../deploy-device-guard-deploy-code-integrity-policies.md | 2 +- .../deploy-device-guard-enable-virtualization-based-security.md | 2 +- .../device-guard/deploy-managed-installer-for-device-guard.md | 2 +- .../device-guard/device-guard-deployment-guide.md | 2 +- ...virtualization-based-security-and-code-integrity-policies.md | 2 +- ...te-a-code-signing-certificate-for-code-integrity-policies.md | 2 +- ...nd-getting-started-on-the-device-guard-deployment-process.md | 2 +- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md index f37226da6a..72fe5c9576 100644 --- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Deploy catalog files to support code integrity policies diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md index 178a8f9855..c8016cda8c 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md 
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Deploy code integrity policies: policy rules and file rules diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index ab0c065444..47d2848249 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Deploy code integrity policies: steps diff --git a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md index 4b645887c8..319f383f40 100644 --- a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Deploy Windows Defender Device Guard: deploy code integrity policies diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md index 11452fddd2..a4823e4143 100644 --- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md 
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Deploy Windows Defender Device Guard: enable virtualization-based security diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md index d21bd16a25..ae71744549 100644 --- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md +++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: mdsakibMSFT -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Deploy Managed Installer for Windows Defender Device Guard diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md index f26d463253..4b9c59e523 100644 --- a/windows/device-security/device-guard/device-guard-deployment-guide.md +++ b/windows/device-security/device-guard/device-guard-deployment-guide.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Windows Defender Device Guard deployment guide diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index 7489625b93..8e7f7cbde4 100644 --- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md 
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md index 8d61303129..b70de832d1 100644 --- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md +++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Optional: Create a code signing certificate for code integrity policies diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index 40ef2937d0..d3bb26de08 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Planning and getting started on the Windows Defender Device Guard deployment process diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md index 7bb8fca767..a655e65478 100644 
--- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 10/11/2017 +ms.date: 10/20/2017 --- # Requirements and deployment planning guidelines for Windows Defender Device Guard
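Review bot: The hunks for deploy-code-integrity-policies-steps.md, deploy-managed-installer-for-device-guard.md, device-guard-deployment-guide.md and the other files whose diffs appear here in full each contain a single change, `ms.date` moving from 10/11/2017 to 10/20/2017, with no body text touched. If `ms.date` is meant to tell readers when the guidance last changed, a date-only bump makes these topics look freshly revised when their policy and deployment steps are unchanged. Suggest either folding each date change into the commit that actually edits that topic, or stating in the commit message why the whole set is being re-dated. Also note that the front-matter layout is not uniform: the device-guard-deployment-guide.md hunk sits at `@@ -7,7 +7,7 @@` while the rest sit at `@@ -6,7 +6,7 @@`, and the managed installer topic carries `author: mdsakibMSFT` rather than `brianlic-msft`, so a scripted bulk update should be checked against each file rather than assumed to have hit the same line everywhere.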