From c8d363f7f47eb1330e911879d4c3f1df3f07b5d5 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Fri, 25 Aug 2017 16:50:07 -0700 Subject: [PATCH 1/4] Revised/edited Remote Credential Guard topic content including revised/re-branded graphics --- ...ndows-defender-remote-credential-guard.png | Bin 0 -> 15225 bytes ...redential-guard-with-remote-admin-mode.png | Bin 0 -> 25974 bytes .../remote-credential-guard.md | 121 +++++++++++------- 3 files changed, 78 insertions(+), 43 deletions(-) create mode 100644 windows/access-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png create mode 100644 windows/access-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png diff --git a/windows/access-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png b/windows/access-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png new file mode 100644 index 0000000000000000000000000000000000000000..f7767ac5f0dd612bcdac44338ef6dd5ad45c8e45 GIT binary patch literal 15225 zcmd73cTkhh7cU&KAc`Q00@9QYp`#RO7J8Q+st5s*-g{A`H|ZUuONW4zP$C^d6Oi7d zgbtwyAq2?#`2Ajf@BQOeX> zDRmI&DnAHxMeHU4P!r#FpAq;+WG@GC0)a?6{{CG_0FzJym4wdn%F=|3H>nJ5(LnXhztuV>j<%Mz7N8&0tHD4W;lICkaWsX3j_?6nm(5<=+1NmBok7R_ zi3p(X#@}X|md@5t(6`+YRsaZ)ywpog_w=1Pk8~QBl#~6!V$TAvL8aIRe)-2lL5JhP zS00T`>d-zsd6;6q62}3(OUh9djru&mo_NRMcp&yH^#ty9t!qpoq;JKMaPHV+_D?&Q;uDOP>iT5bHiEzz&Lxm&dc-Ge^=iy0D$eol2yG%P z#tDAS8qG8wEj3A*|Jf$g@5`*12eE*RB1NmWJbV}CnNqrv;uxA*7wvF~g@;=e@%Oyk z#9l*IbT50|FEMO1BgN#VV|Y3X@KJy8)J zZMPmuMwa>AV8NuF#UEi5;l5=NCND3TR{_k3?#T!=JdZMt$qkKE)AsDG zO;n&j<{5)apbsQVByB2E-b9J4(Jj0~XcL$>a;>IECg##CJSJKFVz91joqV8rXgCq0 z?BwbVi%jgpfxBBBycENi`k0eQ7iYW0lIrAZ2WHxdCmYD__@Pu;l_XV1#t*TVSRh|k!nmeZ ztw#*CMdg{IuM-_@Z*c4!O0Hqy92L9#yX6?t<+Uv9le@$7t)=r%#R!=y#%}aZDeZ)6l|xCV|QKL zT=i$^sHjttCAZua$VMCZ;_eBE$aPuJE>tZ;aW736X5wkENc^= zPetx$R5a1rkA%+i@}I;%<4%Pxodwl)U<%+O86xf{PR;o zi=QI=bk25QN~`z$JfT4H5HT?z3LBhH zX5|_B;MvubU7Z#eZ2DXfUMcbT`V@l`q}lrzHoz>Wou#SmImGeN8e?N&T(Oqvc8SG6 z&WWSE@5hlcOFo#FY37ck7iUny(}2759j7Py_#1Ue#TxOE)I!{b@TYiM#;npIRS?Mk zOl>T>KgwphrgyX&3fPA@LMRnb&Fa1$?^hq(o&*B9)Bp1z^9AGv2=tpM{%@=QUw-Li z@K3zN;(v3TzroG~{@~qa%>1juFByG2h^C+HfJ+rI^^Y&`ww5@*w7RkHuoqt8+?}VPua?*f)EBF6*bS5lQwcpWR@uvoy zki7g(c1;2nzlUM+kLY^uzKB^$N(QNqKIOU>nun`?d@B-nr9#llu&;f1vrdw?sNv--?!et|U^;r_M5n4V92{M|#ez1d!iv zyu^YA(v!n`}L}{T3j2Got2vhLoSdPfuF;hq8 zbAfn%&+>z&dXH!3mQJ|?2Vx2pQcld?RU1Ft;!?G_>F<1tSO0jkq@vug(G{~hx4gWJ zMT^UReDQX^$;0@hjY36u@$;)Sg1m$wM(wH0mEGU+`>WX_cU~b;fzP!T_RUTPuBiPw zFidRTYr8Fp?NvRPEeh!B?yj?2Xz{@v+j%cj_a$uc}2Hi0juntqo2tUtkN@p$|M%9#dR=tSzp!8SdWM*$Gs>VXyxR zYVH{8)fW31wLzEmSve}JNw00_Ufhfxo~l3*!Yr$TZTw6VCqLB~Sqp0V`UTOkorQR+ zDe~Q)$gIS5sH6%;%xr26IE2ocQXD|}E96mid7PsB-10`5yAJTchchhnM}3nqo!4MU zq$ij#PQLD^r#^_T<2pZY(e;4V?Ck9I<;6u4Ev>5`UzlhRfRywM9$$^q`?L0gmcnr1 zIKeOcoCx&drCMU^RxNrXY#pxH+P+vBLY!eg{byb zp&)+(ju?%LXuIMQDaE6a6fKRbdQSOv!^O0LgEv)*)1NQzL{*^|5R0pdLq9cH@m!1l z=n=5AciL}WBLI{I=-?E#U1|BzPb7OWFR}O)D**+2nC6i1%FeN&t){uw-?A+U@^1q# z1tcFmXrWK%UmiXrDPT#XiQl9OmRjqd#a#y(#Ma&3SDgl5tZBf*F%QwdDeP7~x?Z4O zRt+W&q^Y+YYzJ(D!x-^ayB9WWub53nFFum7M;p27h7P8jZ=F+L%x#ExZvH5~#6lo1 zexC#HA@_KZZobnCs)>oMqn#>>zjXqSAEAr2xK0H&`Wg|ITPpw400quTRg$W0p5QzG z9T+&6^M34^W+IOCEc@>yG6oHW%4Xe1nG0u1`VU;I_uj3w@-%${V!(2aR3yuMB)uJX zPAVtTSWADMTp>t(*tuthRz%A@?j<};P|q&&faTRNYQJ@K;2X4w8G5GiKPh^i(hu*( zr2wY2bX)4Ux=sZ)FeE?18YNvd$1CC?f5Z=^>31$k*{)gj3c)^vEYKVd^G?B?aiJb} zfzbECTCcE$wEY3D9(k#nwMQ!4&ok*8{QLfg{==LI!nT(dM5180m(A9^l%Dwpw#u`z! z-%e(*BG*3>N`b3~)3j|@C_o;GJB7uaM~1honzJMQNqk#{leM_#M8?rTQG78RyvNcLVhZ`$ff2WN!v8mq}Nqjo6yX+;5<7SypqH()xv9$ zsJ)Wg{mdXi%x7u)wDxrh@uvhDntlPiH7k0*tTraIlVxMIWXfhH;}Q#g!TuR9E>fPz zWy6)jfNy5x#t^~k;#u#&5L=oB%_@7(PLt8IVAVs}t;)|XVY|Pc=G`BLGSH9&F+A`^ z!lHX-*51yWH{466hlHd1&Ol#gJRW|Yi8HxwvL9GI!GzlXUb^9+ z9_xKCtPU|xJPwm|o6tGAKz$Bc`9PfCNol*_qU#j6OpzRD_FS12Y>NjYo|*?8oHe7S zbVl=OMxOCWKD*O{SOWLCl3r6@h0`sF{1l?IEdS%P)li$2E;yQ0z&j&E;|P{qA$pdw z#o&M-k9&%bRncXw)mzC$@GD{`nXDbpR>qdH6tMZ!3zphDq2x!T=Uk*LF}}H3e2$)Xb4$H8mR^Y=b5hSYABwN%jX4OB1>2Kew&Hk}U{;;}^#2`#CWSjGZv zY&>|pZvL=f(CO(cPqZBL6JoqSXrDO@Ei?($=X-JbQH67+ z&(MT9uT^)e!~EWw)p&nUZnq}OX1NNAuLPD(YGoJkhcn%%%6T=|jV*e;OHy*eb&e=f z!0Mh~p2v9WGmZ0Ul;8Vi%nN9(*W;7(q~{0edqen*bTN#sg0?vBbh!c(5~A^JD(DV% zI&$EK?fGXjn(-@lwc-!&m>9M+RPB5pB(-R2!K-%%29MLueL3|s4^IQz>5lvvh{OSc zv#^s^zmh^K^V-0thLTV928hi;T120PAve2+8G-wqYPuzD=9_^pm46{qc8P_^GZrxY zgzi3?b?9VG*~TmA(=W5m9^TJ?Q9B4bq2|t^1{-bJQj_?&4A(?}htkw9{G!ukl(q9@ zaMN=oy`Ng&`uX|U*`Yf+J}U;E|jgqbB1HQhOpCH7{`%AixNIJ=$%%qk$ zE@J_W!71+DEKrm+$}zcbi%`jn;jOpFrMGAbx+?V>Fzbr;O1)({hpvkmCGFc zx=kiu>4({kwv~(VRntt{t7U%@v}!&NsJed~k(R@72tWJ9VyFvgZQ|Kt%o?M!g5GzW z5>ZYp43GPnd&E~a$*#20$Qka(wY8vIh`U$OhlWDiae&YDR(?B|cVyo+{}PKN(>qnQ z!$adM-MxM+e<;1u9kY8+sj?L6Ucp&Jf{>J49_JDJqh*#7B(awLWgS8reF{%!cpTvH z(bnw2&A`D)!IEb2nfYbeA7X&@QiS=fFH^Zw)*QyOw4Qv<|( z7q9Xi!&e3oR=S^X&?6URsgIspJ`frB;yufOnLiZidoY9~`EqcQ(OJ8ZBLX%IvVHri z&+3*v5+6Y&z}>hFqY2oatXe+Zsu-#rJHsB@wP06i8gD2V!O;PwEv!l`OiC)_RmzIb zTRV%?urWgnBdsmg(Frp%Y0D(P-?9uI$Ko@pAKL}@mg@S2iuhfey?D$kA(5$7k{c~C zo$u}6%Xl!Hm7H=$gmSUaa4u)4seF6F`j zIX@cNAYZ((#ERe^_o^GwIr~ssCu9iN9{ybrON#!KN5Aa6=PCr6j2pCM&T`(@Xcmky?J3{k{_@|l()?W?kM8s+9A9cIrCz11ZWW*a+~^H{Q# z9_mefnN2fG2ufgC?FKuc=a7#raBvIJChg;PXYtgC=!BTM`fj};-tLUiB{@CxaMxqC za)@RrG-WdNN_knC3*-Ix*me@pZGboLLn)Zwzki>n`OgToUDM)QZIFNOSKW#O`cSFk z?Ws7MlJatHq1cz~BB*!`$0m5`0$TFumqrGX5X9?24uw1nmD+8=?Y6eIvMeZdU1DKP z4TMm&6%|8~@oM})h~Px3{tI#C8i-tBn5H8_iUEj4XlZHnYpti6Je*Wjqaz=em6hoj zd7xsM6;;IcI}-mXFCPDP2V7Z@pnEx|*ZI-JM7bd~4hY^gq)u_TfYz^!``z8$LIB}m zIa)9odwS}rrBwoy;^KF=|4zr_a8+c4ktJYm$CSG6m?|jU)oku8g`~d@2$7!*B|v?A zd^{v{oUTEBD|59b&@Lodv-o@N_sAdV+)4lB{V_NMoS2Bd1 z0hlg(%fWD{oL2GoDA$xY=|Cx%5132!ca)BHKER`YQ0NEy15wAvLD%c`Utyy&o`6^)bpqs`Xa|E z>8aS^2lTFOXJHWDc8d5gp#<#R$CHA|eTMdP>2y`r`T!n7CH32sE(5fKe`$kOVx;x- z(}RA2NXavkwu8Z~@{;D0rLg5Fry}FWZmM>>wmVd!mM?8QAlTxCIv>nZ!|GO@5(fY0 z;I-sBjgXZ2815=c>D5)xwtYTl_@6(2d~q|a6UG(TZ40o9gh;LTpN6%d-Fnlr{3LU6 zY@W6;T4v(Ku8Jglx8t={fhxO>)D4+7?bLWn^SP(z^e7-&?4IE~J_|3>;(J~%C&dKwa;q;J*f0M$E8@6N z25^;LcR@eQmc1d`Ui+N`s^a;-Caf5W<wZAs`(bCEb=}zF?fSeM>H}av_IE<_NB@!z&HJig}z<$ z*!1+~;gp}%=k`T_8zB5k3*56kzgK-a>r`mqGPX|Z77_l(8#lvnkBlfp(`QRx%OV3h zFQ`r0Nw-qS;#4tua*IcjnZ-Iy!Uw*99^#XemX@Xt-nasSIPSxtM?!OdT2GH!Y-ZY8 zzlOwzeha5i#b02`WaS`8DSFm^>t5MtJ(daa-YttUOUE;3OD4sT`&L#kF1At{(s#hx zMTbLEore53+vf741q|E4jn&x;qUPB{DFeQqtPOx3C|89_rt zK>aHF=kd-=BOD$S6!hW4hs~|6XyK)shy_VOLGzH1C&M#(j|k}^qM}+#K5ma)Vu9Oj z#9`1BF&m?WLuo=41qCe76_>5?P&xP%ESwwOldy9IL@w!8aZoXkUZkmw{QZ?7=ht}R z(11N;kn)hBR|XqoH z9#2U=EcGro zJ$i&hA`4Wr{&KrDH8lXuYBN*IT#7L5j#6WL>V8%z$_*;pm18Sa$Mq>?Yr_!Gou1cP?w($6g)LTT$AHJuJ z+u4`e@wd+UK2nr$^WkVN3%DLIv1E{%_ix$`0&i1<$=TW2wH>Tu&3r7@?nZyQ#KN21 z*931#5h4fJOD_)s5DWEMA1tb*!WW-x`YKwIjz7YYEJd_#Khx{cZvE>=)IJPPVt%JS zL({uxPTUbnz9yfXiaZe(OiS2(Z@LZf%1G_5b2k$Z`Dh*RgDfB*fI(eHC#ljKFs2Or zPoKtDih17BtF%-(YYXiP&?qMc`P&R8K@$`c-vocl59gU4;xe~=^Ut)nv z56F;N5~dWi+mBH_Iyz#20sQJ`)NnPjKqVu!QVedk>4b{yX;avwPJSt7)R1 zUiue13mht9e7+t>Qx;%V@i8~t&S(W7?Yc9qg)3YLvMRv%9-yTT$87WjTt+J%NQ*3mFpeCxp}DVs zrX2G*!C9i1uM1}^C=D&eByBFkO_@S}X@HpTjb%;~va_|a3P-G$46W%mxjP(O=K=gA zRe)gDG4^peMeC^G&ynk|q~An|?$)m`0^IrJsy(Ejm|leALkJshIvwN^3&IN?h9DER zu#w^Mi}lfHUsNAn&1NwS?@tZ5+z!W676|NW+T7e+dwcuX*cbp7;IS)|_vWnjr)cQt zU{=%YWc)g(CMVrH$YiDb7`{Yood7n^0mFeG_Uso{OJWZLJeYBkdqb zoQ#Z_{MNiHI?Qc#8`t+EP2oj?KZnd}t&;y0z)@}Afb}b8i#uOp!7J5qxBc#Ug&+9f z4_@Njb%)TdSk!s=>cx-a47=|;Rswh8b66DXF>n4joVCScWRdv~oLoSl$96Q_eGFj? zIbepcZ#Fi#wwMrxkwye2#cdodQg6fil<9TX1)&@LyZ&RH>q<*`rM*jNpZLnX_IXK9 zKPGTlEV?+p@@ME9VAMVRi!dbtVlo%^w=1pPbf<;%zRNuN_|g!ugO2txCofD?ot4k# zdOPg`uEPa^JF+WORrYcC`0ewn&Gz5&qdMA1mYFjCav;^?_v1pp&>}X!i$g2Y3cSnA z*+;J13ytVd+**G+#(S*~ z?J$R6jCrGmyOf58Mm9k8{NM=ggRN!yU8G4i)E>7bx}gGMEOQZFrW&2mNtg`bX`vPb zCbT(;&U;wW2&)=I8J10{AVu6cHJ_2-*hK<#z)X?^4Uf`2A7cI-qKKo(%wiIM!(&TTXp79SPcd90LQpj(ZSH|k}Omd)ZQHg%S7y>p4 z2yQ|C+rkEkW6D{_k$nh*FocV zvBS{5Xo*$b+esV%$jN!Y%4_lwYw;1Awst=(ZE=A1fydgnriaomdKG!Fsgz3_8ofXa zatpaJ#owvc!7DX<$8<3#kkk*86x{5!7mdKY*3#h5ln2fMc~eBZZBw44QU-mX4B~j# z=I@|#Gmr6e3$?_>+IYpIb&5L zeof9N^?*!zyi6a{bKLD(+Nslntuk6076OFdf&GX>%YsV`9@T< zQAeV_xUNFy0pNfdc{FdA(P}kzs>vAb+%BcX?L+Ho`fVL*frg+3eL`EwggScmy#t+v~I zB$;adl zt@*}_xCsO2#U#!fp;;(}hoTCs$As|=q-~EDk_yHN;pg3lh@C=nS z>*RrdDc*gD=XBR)!Ks!JWIF?}I~^TT+0~%*H4JWTAWa7#lE~9ru(9vh-cbg<3-Mho z95g68>z+WIM@u#?A8)2|v{!m6P=R=olat?n_y8O)`yW0R6$Lo8FR9Bq*a`ACn$num z4`Nh(4oWfjnyve+8JrAZIZ`}ajsLGIjQ*nvd~S9vdH<>ck6OY1N)>>7s2n$Tq5rN4 zwyq+8$@G`++|f?}cYU0;#?{)WBJem`Sr_Xq9}SJ!_TZqsODuLNfc5C9H>9Hq3;Bk; z$jqFXnEh^Z>?MkG!+kh2g|_xcO`^(K$;xMMfL;*UpJ}5Q-mT}z4($p>tPk{|{=1m3 zW*-<>tRPAqio4g(iR%S{MA6Q{|2j*=u>{?s=6h z&9GF&rDuCgR4L0Dag7Hih?SMz*B59ZyO?pm#A4K$I<`{9k%z=K*W>;zz1gkzI&cFuuaD2Ql!<#n#f_oIO{tOYtR?Wju*V4QhBat#FPa5|ZVNz2k=Pkf^1T*k|gak(*3`v-wq%f@?% zg|X+bT3nP}`ANr!hLjYUv=sSh`S%ac+~+T`xC&E#?D*m=YdAsN~7tkaOs4`bh6@gxlWFQ?hP9JCRp znTAm|R)wn$)`7%c5bfXp&>Al-b5Ko{w$kDvxU?3Vz&Mk<446IMB4M9H=D+rexbyCL zziLKo6lp&}^OeTHm_g#TV zQ>o!MfrTg_r)*bLlAv&IhWqH2QQRDL9+1kLUR|h?#=-#4-a5ZJ*Jt;py9*ip9Eo`Q zvHBcHswNj*Lx+kq*&5RMN|(JFm&azm;4B3p&s5g>qvoxlnj z8)ssYL0@jKS@dnToQ|!Im3)8knBiKR%iN`0WNdR~p(IoAmWN^~X+ zJ&XPhln-(Gy1Shxg8MzutOsiLyAa)ZbGY87RiB;SdFz%ap;N@{&wmPS;co#|A|i4z zdeHSnZwL#+v$ZT^w^8LQF+?#R6Tq_L73jvb%&&4U%r*~Dz%#T=AxNRO<@~-X9`P|1 zR<*^GE?(D=Gh3MM-4ValBJ3rWhucy1PHR5Xp`(}inZR3MNKj2CO)PEwM}#8w377Av^$MU?studPF*9~qciAb58jh!bRCViFQ~SNSAQ-2ilfTNwogK2?QoOhyqkt%; z`_|I+Nv7j2+1$_9j4}OLVnOBMQuFf`XexW`B^F|^szb#>p-?%tQvA}!c*qGk<5Ajh zj9y0`ivWa9@{YOs17@MBSf|<8ke1*d8xkeVAaG^Et>T)o~P`GODRl zPMuTaxLiEv)yRtM^EQ3*-C(rOC(I=II@KKxc=q^>i2EdE=e(t==N)ZuN%VB#w_RU* z=1Pa-=4IAx3*zL1Nw9y;@>1c<$#~g$UsABN6cgu&&z#Ex#l-lbEIZM+$mu>aIxy-v z(e3KyMptBRa4(tCI~Ghb4eRoFev?mQ=WOX?VLFpbEIJ4s_Z#9iRV6)#mQRO0L+Erpb7V}NF4Wat=+A69k$ zLLwsuG*tHT(p|&EAEXf}ioA*E4vBoKo+!1Nkb>QT3p_MpM?bP{De$n3e`l|iQt(SV zz9@{JPW{e#dxr8D@+x#X!V)Fq2Q^CJIoxqTxGS8K((QzL*EkC}Gm?)#NRgZBcqj7i zeBFePW2fw@LME7^hjIb#vM^;qC}f*{_l@u3oll zis5^;;xASjr*$|o{K#3}l=Y%-A~BE?ASw zKIeA)UHUAJIdCaMiB~=z8=qxZ^*c<|&6!k&SUl%ji~fbl;3AYrWpl@Wkqah(tmPYbz^N&@e`SHx|!wteIH18 zp!egV95=}P2}O((uSbcyp0(h*qzM=tN92zduu(b1k$>qln;C*Mq3G~<(mPsoe%?{d z9TQZm77i&D_YtWHvD{D}({pdXaB;o7&ab70f59B3-vo8F!A+8l%Q;(1 zPk(UX?e_wKQ&YFU-wBKa@6Ha7Q)lYsr~9=1!94Fur1 z0Oxy7Mnvt^|1gTNwnPcnKX9Y=sE^44!6tD?}-TxYR%d=IgT{j=2U1vqlon z-)9kI?=Y^MV>}{gHh2l%OUxv?&>}jAjggTtaF8G+Q|Rp_79fQzeMCpP>(LmpTXOe4 z5qho>({%VJlP>GhXdC@_@AFVHFmX@VWMIW*au4^6I&j z_%w6%J890TPo|`_>rt7E`pQ|(*175^!q*8mZ5(k{^Xf=d9QD;$i z+xh+x=y_65u=~s2c~XZwZ61ltr+9X9PWF)Iq}b%k+o2uHY}_qOk(bak3QtgsgL|qreimoei5?DLoy4Dk?8cl5F*q z$2zk0d+|Y*ez|)_0@>i3ODmqW&W5T+>qW$@Tt?R)Qw%0ScXSN+j(ZsSpOTXo-P<>I zQf`m-C8wgic|PG68Pd}gxdYJLzUN!Yb#trk6Ci^ewy+$wlnF2!+CrFWj|0?T-@DPYd zssFl~6HbGs@UMQzsjCL0{J(W{SY!fe*%-7KG_2>Os7mfw*+y|4KNG4G!{(j3`AzIq z;5qso0S?YP9=K(r!)au&|MPWkU!VDqt-*I>Bptv~g=I7*#a-tm3SJ;ilHe}EHMqNn;DO-o4vV`>2*C;N8YH*`mqmihBEcPkEChGAdw8Cg ze|>M=Ti>nkTGicxIxu@?&Ya&&cTac!I#fYU5*Yy>0R#deOG}9^&U8<`&MNQq(~{pcUnxR!39A z$6HCA!8WEK&I?p{;2ZeIZ12HIZ#+uy~}*c5d35U}%fo2Z?Qjj63O=zK7-4QPAyc$*5?+1eCT zxIab>00EK~6H#$b-(B=bCp66vK0HtsWEUJ4ypVl&Ax-)f?N_utJmvSFI*2snhq0<| z>f%^_rA;)5VI}T4f68C7er`Y$`9c%+nT+f;nm^iy&+qs7*;Ck^!Qsop-DmAW#8>0x;ocAt;a=p^M#yTtHIu|yc75bB(?Sz{%?M5;p8bKR7l>pByd@c1DA~ zlfpJ8ar4(7rj3GF)6_>uM7;S=PmeZj)-&_UMEnYX$vWB>_HDUY{BCo4Yb-a8 zKI}p2xtC+b`y5v(Ud{AgYdf=3OC-{I=5 z{6hpfqnZ{!e_A@n1^p`0dB+q)80chsaaJtso$1Mdr-B<*uT9LxQek8}aXV2CFUY7O zYTnI?myh@c;ijI5(u-QZfLA4@ZzyociMGow7`6~zb5~n3e)bOAdHHzFCUU4;F=b{j zVP3G-nrTlBVL=`d^rn0vT{Zq{MC6X{OD zedj5Vp%M~Ahj@*(#h0Jo_a%vnFKw_E8DdC|Q*@p7hvf>^!&X3&x+h?MljL_=ky0L+ zo@PQNoovH3qCT$1EUmUm4wPVS@$H$o9e-KLp_o$=e9-4$$E*eoUs&Tk@r0k-d`s&2 zOq(Ijm&W3nl~B~T8j%epdQVtPfs>m0ak(lia6@-2$Lo?kGQi6eKIDH375h;WzRP8C z6}jh!kDqFx<;ey{*2Rt=fQBaXf2@(p`tTHwH`)y^o^sRB1=ZKZ^9te<@Nzx-VZaqI!)hlZ%T-EjS2K zHu(raphG+fo$vNtYe)P0P)XYRCoJ~e1u~^5Jv}{xf`S~0&_N(~q)(kwo*>h>@4IdVx(-> z0A)Y2qJWMSY0smhsi~==f`t%BM@Kg>Fz{cGpkPu^_$c%EaUud<;1ce?;P~%W!yppz zCBeSi8xTve!T*WL_>5=#tW3ZPsiiMi4kn6(-=h)KzAmrtSWfzY*J6Wfj{WSV-nI;x z)kT6y#MV5Uz|cFlPv*h~dxBg=F9DnMuTA~PY3ZJdKpU*BL=t)ro^yA^t`?HZdTu{j z`{$n3%+SjdE)?Tx=)aO0gkj!nb3~=%mk3;!?l-5t~ck zCt)&cut}rlsrKN0<#($fggvf!Sg?pbX=m#jHQeY2yn@9Dwyd}bnf7brn(%aMp`O)L zIKeZ4*B@4&x7V2srS5WX@2MW#UY>CIb@zF<&Fpz1qrQ~n=xXEXzH#)S-^lMj-Lv+v z7SFHVpNfU&*-H*<)onN9m}c%1*yVb!`U5za{EJ1nX~ss`cF1B7hTqJ>S+^tOvH{7-S)bYNy;h5*R$N*aRf??8#e!3bdc{(kpC4Pwpfu9)hwR@IMas+# zf4;~tw{T2Xf}|>M?o1k^(}MWAYWwSVLSzLJO-+n`SNsJKaQdRoc!3#2as+O4pEijt zK>Fbm4io;6;`e;qS8f-l$sN)i^XBDFl;Vb4{5naD9|?4Uk||2)`tP{Ba7J9duGG6Y zuk&5aDidity91YL-J~6R5MkWIRNw85xWWrJo<9d3pv($W%_!M}!M3$(+BohHW-9%r z8pG=KHzEhi@6OIpDT8f(NJYk&JcyPgrHyBYF+l~Muuw16h>3G$ukpS*)(Hl|g^N^kN91ju0rVr>`PvAzItRJW0siW=UimF^Q3YB(stPDFBC_Mri*bEvj= z714=fxg6X)snjNRI0B$CfnCFiHa^cRF3uE3RuXiq=1a+>0}FQjIVI@rS+d{!gvBlr>dVp8age) z0l%zlcDvrvWJj} z`ZIjht40?wsg6U!&Xhh*{}P9-r?7M-xoim1G6YE0_s=kq)tq;6Bg>LEONw#urkkE~ zH;KiTNu^}Nyiuq{I;IaA5>%$v1L;U<#bq?Mg-jmC(=4NX9!^#x$-1VRyH(@c_mw|3 zOL-?>h+1m9-G(R0>Ks>92Q4j4rW+Q*Rn%5zg@kC#&O|uk+8wyPxq>g)2EG5dkBPff zm(_Md?jR>-=^e5vO2QzIO}hGRKAxyzo{Fj9TloEW%`xWA#{%_0Xm|o9@$5T`{awrw z?p?uBN@G_5dR@Q!hGiz<(?!V(S_Ges+avSga=q1`eNl>lqx~-y%FCB$C!Cy|DC+nw zA7c2(2L#-n6(otA6f3sFpllJ8By0)KL)!NpElsWq8z375@8#Bo9J1Xbw#Kl?$*IJ$ zjS}&Mwxbw@q>4XE9!y4-z(4#cb)b%l$q4A@-2=aEUadLqKXcJOM;^p8_nDG*h&hHq z-<@@1h>L$rfrL+?CwvoLS`5p@aKybx?o#a``_49~g+zh`i9&F4SM>Y5Fc8qy9eo*< zg5Pv3TvVm!vo~@&r|jw{Ooec>pR!h-stL1rj$nLhx)olfB6e)B7D3*pyTGz*JSbeM zjHnD@5@kL40G-_WOR_U(3`P8=-AZ{cV&^_t?wG=}=V`)Z=K|9qdBS1|W#c*6%g|O1 zEzd)A_6Pd)Co5O0@_l0@6N&&W{G-2!|qQ}M&yuz%k6uDO^Jj9#tOeiWyH z?V}U!$d7ybQ$LYJzfVj!ANK=b(+NeqoqyogC2_~NHjSWtPFjsR5+pcJSO{fQX+K93 zyK>?9N-bg0>$%kMtw(M%O`ZNogYB%|bG==XTCA0`tzGv{emAmAkYoL?U7}O5`?;pu zkUzh4LJ(%?rBoF|x_RhXA$mMfS}srHPz;-hziet;DSPK}EcUjSrQUNi29M|ltl%im z0o7J7inE&I$e!H%wy$9|DUDe?by^NLKRlIm`ztwDF8G4*crU|=_zgRTGx&A6;D-*9KYaVumK`KnMjv{fuz0J@ z)l#*7IX7lp+~H!Hjh;~M?)f?syhGnIt&I2(I~iF6w272P z>FA0|Jgvpu5);$Yn>oq>LpeKto}nK}>E>BRoTC{truz!dDe5r|eEovszw&_`XnfvjHW0EpEh)a9&F-Evi<=2l9A<64m zMUb`)uU5yVK`ZTCSUOh ziw|m$%7mMnjfub^s5;SKzcSwQKX7p&79Yj?x%DmYS7z6G;@|Q&Y`{58hk9m6PP)w}#`&ndz^ucro{9XIksIGqo;%L4vi78<1>U zLtHp-Vrl^&6gat!kF#@dtp97#za%xFjqVJ+aBH5+`N33)eilwokfh7C=t@8PgaxNb zQ|0-9<*}aiF3?8K8ijV(ilj*Y*7XKc8}d+7!VeYs@@uyUIZKaYdftO^F3>O56ubY} z65-w-h)=R0TCRQ&v#af4a<`nWYRGsPd?2;}_GwyC73}t@dZGP@AO8CR zY2yz$^jX3Rr##|8_)H{ea*g`r_|#DFesaY^R-Lz;(QwC>+&&X9oxVA)qxIM>9=Ab; znb2@EF_@RjWjPQ4!22-WA#H={X4IooB9=gf|>GvlhGJ09k(4t8EIzE>V z`ewWz<3YB?MtSm%Q#cWRvUzLJMsrG5O}ihg|FQ(JPlY_Bx7;d`b4R@%a{AN##-xgt zp}ws_>!hv<66-i8{JyhfU&z3NzHva`^9hUIP-v#0myooK6M?8!T9m+>*=0+RBUObh z!Fr_pGDT1Y9dwOo^#x7hjmp)5X3D_0YdcyS>;p72_Abe5E_#d@uL>zhmj4x`{#TV; z3L`^gR;jDHYw)jK47QY3jdB>Dl*o7@;+{}{B4@!j$!4Dg8-#qwU4!n_K8MQNFV;O( zX|5#Qw@GPTrW=DP5Z68O9DjfRp)~FS#w=<%o|UhF!)QQxdCs~UN~CIaADHTscm&a) z8IQidsPs12&p8VneDiHQ5L{nC%3aG4U59byPDz1okCnFbDMq>G&vIT{OweQ`Gx-=%d3hG=+9TE^RW!fSFiWS>xQ@iS2TqKJXYa%w^P65X=PyW zOBcDK^?Ex9nSikDIAz2;zqNHq*J;$kd8yfhii&Dq?KN88vAaZ2FlBS`!ZeFOd!!Kg zA8hCgv<qMi+HB5UZT0*osXjz(qwFM*qp$Ll8`H!!;Xg3RiS~crG)a0~@b_nSRtd7ti!y zZ<0|p<;wkTW}CVn=eix*u(eCM@I{mDTFPI&_vI57>1t_#6>x2EXQerfPMdsmegm`x zq*nfl-S)rR4^>ThHAlcO=hIB-R!323=p2$foH8aW#O1Km6x~ScI98_4!kJH~xs8h{nyQlY z$DHV*!vDrcr?0NQsZ0stHM#$QC6GXCpqF`GdF9{W=wQH>khhnVYe1=98KL02HZ!?P zBUeztcP-HHH++0Ve&Zi+lvFby{1e%Up=&)WW0HAQwvPFBBX(aJ1BRlVT}AHkoUS#X zmPmhpNo}}YLG`m&@$C#k*45P&f_u!v%%T$`|0ni~{!>(3R8%yL+fJ|5yK!7OjE|4c zwh@*HWp2AItsZvtu|)@&d|MYG2jSTqvpRU(olQ?y=x2HIad1q`&-3%}%uG#foW6tKLtN zMD<=AEZbd;U2SGXJqGbe?ciJ@ALEq~AFg;-9T$OUjoYG2W8`CI=osaH7W#~-?QfiO z$;ERR#t3(tPV1k{IvDqw(SvAA78e(_>#TXbFImthCntweIc4nKihXX*_ZA`a zmA*Dl`=Y+2q$EGzYG9GR>d~huSPhKOLXDQANB+Z z+g{HjG7CS1$_R-_>5v)&0`9p}RM>ZbvA2e6n%yaEIXg_}D zS2}}n88o6>?4N;1Uua6{@R)an(xzh?6D%(@xbMBtF5nEZA|Ef1J8N^Hu?J>u*K&q~ zJ_IN-U_7xJw}YjNWxt1(izNbfGg(p5fL41etDQQV`3ZZ?oyq#stY(@f*rY?$gT+Xu zAm%&SWFChc)4QN{>~IuWWvYeM$>&;qyv`|J18Ch!6Y)^zP;iT`iKU}|Lqc6{+im}3?6&)No+vWWCBoUQ#$`tJ z7hbhD1F0qwLIhWZ>0Ax?I&iKgArfWnwJiOD@Wt*#Y-=122KqiB3J49Wm6D0hSd5OM zyx7uDUl^St2gY3PUSM`}{@XS%{@%srsLZEQjKM}Vf^`8EXQA?Lo#x8D-2w;-tjMh9 z*pn;q&GVDEuV!l>v@-Itjg3v*obFh_&@7ORgpZno=-xdECua%fn5GCt;+z*cao^yv3=I8eu@H_)Hc^n^Qsq)*KNL5Hap{J9@9aRal?VjcQ7Alz8FsV1mX;29eb#qa6q0ajXH5o_jJDULv>j>_cE*p%U?NY^2=8 zs-9IE%QMd3xprpx7BSYBkW>TN)Z;MbQ0QFJl&{y(UMDV&8`8x)GkQ0M7N_(6YHjoS z3nn|w8OWc4iw9Y#7SCFQH74$GBd?nSdc;m`H00$6UEM`srI)-8THKa>E*9OE-w+r4 z$EJQ_%o6lE{|b+Z6xbU@B5d3f0sJfL{U>pvgH}0THieB!X5~5Py_vVP4h|#V!OAw( zve(~WK-5Zj%F1_kWAZD5)3}KQY&W~86Yt4%@ZXJLgmKUYlDRn~NjGTFbMCJ;DfZ<9 z8!h53JFvEUMTozNoCaApO2w-U+P|cxrnY!poS&Vks;J0j@J$M^~{Np9DhJS z5h9VFf!+(9m^#{qI1STkq5G_FwzZ@(eQTK;z43;YB`rGkXqxj8wMvGqQ6C<7 z+861w6D8Lo_(xjT&#(KLf~Wv36^(lP*1<3x(_vWVV`p2Vlf$aEzNM)R_p&oPx{p2V z!I`08A$9x>)aVOaqRbfJ@q#`J0Q<9pHqTxz-C^}dOcj-Ii=T!4&xX8Yr*d7<=_m<6 zZGQiA729Bedr7@Vl4IfFQPZ4m@1PCz?Tcu0L)>n@SSnw>pZfXJsy}vr`EGdH^|1@- zmHXbwJq*fk*OsBGnxJnlaul;;(si-7bK8y@>*FJiNu8+gp6yo#n1uH$NAwQ7-Xnq; z4_8^z!!p;`e11pam2KAvbp4mle#%w>1o%-goDvjw2<3g3wMxt^t7>^@;J zO$H1zeCbkHc&wa-pzm(TI*O(^5=(VQua2Ska10Yf72*+7k;M{vxE+x9?kJf0XO5M% zR?|#64Zov`CpAj1=B$G6&$;DPsw_tH%rkl2N5zlS^^ws7E1Df|jiYE|LTof7^=s82 zd0~dO6)>N`!6ZmG9H2%)2%SJ4VSQ~~hYADSa3I8Glll=$yWaLdQW)QBk5jJ8Y}op8 zvf`y?IMHxpqF){{0Nt;`)dNlO?l|h{hvTH;oI^44Mh|v}^2GRv#)Ho;{kB30qxwdo8 zM5(WM^eH@wh7sLsj9Cxf58=!or~cUfrg9lEmwkLy8cJU(rWYk@oIdv_pOSO{MTS96 zmm%!eF_5s*=p-uEpO}~*&TM;qyJ^hawkxf@`$papSmDpjFzwaj)A7?j3TahjbVVPZ z&RD7+)#g!GXB9=QdSoBpVE|uMV$<)cO-IG!$@y|2<=7M5m0Z`d>;u+U0q^#s&bIGq z?j>!33R)#R<~yMq>sd*m4`QQHzRs)FBUSL2bfFlCxKlox{6d9cUM){p)S~?Jh80~@ zDyozABZAxAxbk`}O}nS#%224Bu+MQA_V$k?t_2rddd9ON7vN?ZDWN4IKF=kO(UW0z zX4H`scG#@>oz)`|1VNRneC>mnSUTpWWPVyrUCsTfy09JCW=IW4q=FRQ{9~cJcv#7e zB5d4^I~V<0?6#oLSJ&57qmKj}ECdo%Y@&8v3OU)8biDb?jh=2Rk{P}-RvpX~A(!HZ ze?_4WNSRU?%^5)b?{1P>@4M<6gX>Q1ls`liShXB74XsK?*^lCbKzOyc(mFLV#e^Oo zy55fV9Uk66i5ECrdm~#HS1dGprQ9U7gPF@9d!@TSpRkC{P$4~`AFxPz(USlMfef6F zVG1z=$sgz_@{0wySkTG}N&g3(dh?m8ehxCFoV!@ zI}ueNlI29|^R{5Il0G_2+3ZY(_3nj3)H;L$lO0&`VDGmMiahAF8G9M10!P2g+?Epw z--5xGzMj1&UcI%HK^S)H69JBjoshF%&Wv>S z;H}d4bD?Sx2@;pOX7pBcZjO)&C#aUtrPpN{c+A2Pl>@xPFt0d$PSovfz54i%N_BqE zEW5_DD(zvO9oZDYVuR0O!rxR5C(1v=Fgj&cjexY^o)+;@! zFmMPsbb|!eM-rT7U)NL7(IP)=40ngx`4lD8E_#m-iFNVJ%3A@?1fc;BUBOb~p&sTr z8k3rh%~}%X;L*@g8swdh^uHXXd6X^zeGFWiFR#E4XyQ<4E)4cn*&OIf%C6bSfBKr| z;ZO+VTv)j^RL^Bn`6%aani&>|u3x0%QJ?L#c06IB6cQA?TB4_Ua?8(5$@gk=L^~Qt z>;S|3t%_@~mx~C&%2~>6Z7aKeDieOpfZ zaY6iMc~wr^BNqHy?`sLB?i+UkzaeX*_M*z;^GpAf+osfRGw;!uI`G&@UIz9;G%xT1 za$VAHx@fBrA=H!8OIi<*i_94vNOhd2YT#;rgLj6jdZLWrWKs=7oM(Tt(cDhKtghKm z6+F~vL(N1Dt2$!9QM7*=9vExn7T;lXn0kAEd#TpT+|7*}y`>Fy*S4qE>avj8S<2s9 z-*y7a7qjkC%qS{JXT5=N`{8}=T8ypOIr~qHuYcPY`XwK^wlepi#JZ8PwkaE16c6lW zl9HR8%l6X1;?ZOJd&@`E)K=lAKYp+7+EQnES3Kf(do50#d9qqp`#|GaQc}})Lt;bC zA$R3B?R#|`UXG^fXrgbGqJ($erE}fW9Xl>GST+yC3_?(r={ico)k4A7)Qg;|$}^Qp zUISD=Tu)LL6&K4P#Ps1p>BefP_sqIzkvj)iU3X8s3-$p9S^1$Pitxpur^pAfGsmZWVRL^AciO&yJK|a?Aj!?dMH13~m7S6f zcp9KTnED$HDk_P7cZd&1S%|i&&9!=9^|*pyZQ-$cuklFUn}WM*?Y6Nh96mPG9ylfk zWup|fpx9W(e4PBmzrlh?GL+geQEG$w^^OH;Us**)c#;HfcN@iz_nxy4EbtIC2f9jD- z3LN`PVX+T7kj~ZD>QawhD&)a)c`PXj`Si>*_aEzurPe&X=)V5(xq%dj6ig9+1E8ZMGi`obJMz|PUKTPBTvT1|iMB@ovj+s%ku@O# ziP(*yp0i$zSy{PB5^MnPMiTizI!CJ_WA-EKP#_38Iun#=0=qFgo-gT}3diG!w<<*A z3{{B-N(_Lr;u_$Uu}S2ytri!bUz}NuJ14a@tY)O{&5J^?m9D32yX()pF<3>YR?|>C zX{>IjUDp$XXTih2owqBS+Ct->un2y}Qen56e6lliS(6P|BYMD1M4%@BQQdOlPfgr( zwm%k^DM4NTbKM$+O%zUgVhEy)tgDjoo4_u z(7Q=p(WrYa!Ed?Jaynkr4yCNkfJafsFC># zW1Q;=LS3wH_7#M?&@3X*~h~_zI4Ee5Rt{woP$r6=viD+)}T|e82y>6PU(|%b0#b`M^ z!#?g>m`G)H_>@OF`kojYnre_4}|ai7mC54^Fm@#%Hc zJnvEH%>x<}GA5WGO>w7)muXeKyZ%yITSCt=LZof;qz)d6Gp@GJ7c}uJ)MKJ|K^fAq z6hs->j@jC33P>}z-!L5l?TNhZ;ks^=pX1?|_G!MGo~Y*e>ROYb!+>RNrD=stneZkN zT-2RG6BdfU$Jqr}Xn_7+ACdL1e8K`7P%&tm>B=?a*L@>?UYxr4UbVRwSBcup5LiU@ z@TrMp{52!fr8tvvkHT2Ogb@weUZ zV@=0$j=doH5|$=*UX_*w_b38ij0Djgyl3`t892{fd$AQLZ-Z1@H?Z38o!Vn z7;N;|vEzr-KlZjk8w~_H|BIaegvI|=9yRFyZylppd+>~}l;wqJ@>&5EV~Y*@X>&3h z(O^3~`Gkd2W(LlkElu#V28$055_nS>&47az?Q_Ms8rv^_Vu0*o@W}c56{r*0U~$^E zcDIzV={op+hiG$Q+SW)1xEDbK;6|`QM6rWlMFmCcpJl-c#mT0EL8>pQ`tRL821y6# z3T{O7qLuN=`8+!bORO=9s8o6DkWVEPMrnZ_oCOSCE5N5>vc!*{h*yQs9>%1FrA}_4 z*oxuiGKX!C+pHcSxLW`IcaHi25fBKKYb0@CjSBypM9_nAy7ufkHZhlWgKubW?inxcA%-$^wG07vul~+NJ#)PhBT`@3e`=nK#@NVDz%LX+gDPQo>5l(tK)lzc$B%JzRDd$ zM^3;)W{kqX4NxIA){}EomR^{&E0;u*-ku4&6~h$8yf&cRIZ7Cuol7JT6TavxXI{Mk zwl`^+0AESSSM#gX@VA*wGgq1@dwuc;*eW^H9s}}op2uPC9pAn)Uo8Wp_n9{mI>bn$ zQ##@HyO<{OXj%A5SB2J4!7lDnsF9iK(!O&|8v+88m!SU-l@#>+zo?`%3_|~jga5x) zjPQRbM4v-KSaE(2oD3CiTMrvrMST!&L;<~@y1Q7;+Cdv@IO-vAnsnaYNps4q#W}Ni zo4Jvo)4h?i=)Dy27Q=Z+u>#Q@)1MOHk@^=r(2Yz^dkP)MIAUuH*RNLgqG8~EUN~8M zALUU2o{7=Uf0IZxggOX$4{?RNal~bf1J@hA&HT;?jorX`YwYU7t!{xLs?Y}&g%1H0?IutwmnZsa2&X!yj!;8B-e@!Ae)2MANZPWa2MJ`5PubZCz(1g&I`vU zM9zbRQ=VMjMH{LlmUuNF!#dg90{rLy=(&&y^9$hvg(!V347VSlaG9q|Pgo2`!_Ug^ zvP>|u=j@Zm)|73AsZ*e3mRbxG=|;%sak=lH6>qr06-B6jG8tYZFw_j74isFrh=z}70KFux=e=uJ_+^jr z)i>Msa6xCRTo)Q36eKp_i0x4OCAqsK&t_3E{Fq(fG)*zz%mH>BJVx04&SF~Jy@*ZE z<XY2|qby>&Z(%h|**q8<@T}QJYgW1m@ zpU8xxW=3@;YFJHXJ~>d9FXtmIdqR>3U36M`D-u7G*cUz?^8hmZ1*_kmCoCQht^X;> z8FcXfrCn|IDN$SCp!uX~fgA*~VEOMgJi%e#zXJ(<4Tk(;OAdVG;Lb*r*8%}v(;gk& zW~Y`=b9WznZxAWK?^fVhJ#q)g1OmkJlo*17f23^y3qFW|KJ(Cj-O%w$} z>M^=hW92dCxskLQcneetA@u(G1w!Y%yOBrnwP8i?HmcN-jHjB58lC92cOpV@2iG98 zUrsEK*1bg}K*1JihsSoHir*ov>Sg(w>1o}H*Qhq;t*`ShNz3YoRTN|I1EW5MKH=hF zu`Z0wVeYI?XQ`P82+N;$ETof4>2BSwJz;SY#P<4q{vN|4Nh{ZHa?y;#{u-XO)buhw zjCs?pk?7^#Tnk(f)y7ByZ23#$L9|_T!~2yGF>>JT0OqH-mzJ7Z;=KDhZ;NoGNnlZh zb?0!DwQEXHMm=exG-D+srx_MGKp6E$)d?2s5PL`5XL~_QLprk@z9vl&K_ueggh8>i zW!CVPO1;txdMXd6t@@Mb?_V)7wBi;2#o+OugcR}50!76Ycsf?>RaI3T92^uC6-`Y| zKV#quYwWY{9wQYX>QZW~x|muHv$#LIS|GP^YP~nP$aBQi9y~z}$U_qDj5KJVdJilq z92Fr75b2bE2}>%>k_xom+Y#xJuKo=b8 z#qpsRJE~~aI)~iJGdL0d!L+y{_PAp`B9qhYy~K!xMG=m>CcXC29MX<#^3MkB-Y58G zFQVu53lptOl?vQ-r#a1AryXi;PQlchO=`ub>-I;KVBnykd9u+ zWb5uKS+h|5`9}dA6rsl>0lGwb`Aw*H(jU9Dw6s$WVVYh6L^nc-mtUm@CH_P_on^e3zy zfAp1r^N+4ZPpYfq+G|(Xi%%REiW|zeyO!#tjx0l=Rr2GKPGDZ1zv<<-o60;tKfiv9 z|Jj%g_as_>QQN~Mr-&z6R&GREyZVom#9P44{FjR|X0NAvIu+-6ygBq7t?y1#TtGzt zqi9rcGd@JQG&l-Lxh5z>2ThY$^>II&n=ZWlo^z)(I?`z_uzn3AvGflsNvV2vNOEKdJNSH+2g#()|dIXBXeH*<=>#y5XN~)D%n< z6Z^I&8dU}kMW!ARZggFdMv<@p>Dc=ylciWHLxk5Rd!MjKoVb@b{vGQpFClr50LREz zCSZe$bfnExvs;vn?Y2gf=yg%ESYr)kYh*p>7|+LlwUM-|7UL(%$o(BS$*H=M2so*H zvBvu)Cq%_`B+}{%rkVO7$0x#jgO5|Ta?sW_Ej+a35fhcxAIUFh<&T6!<#*nDr=F=P zY;JkQoFx<@OdX-%ZQ?1I8MPhSvPlnKMM3xmm%J; zJ~6y?zKp!VIMSdooSSuT3eAnqCTUy^HtzNEy+?e5{qX$x(ISDznFg#XP4i5H+{j!% z*D;~YPiyhsvk%f`+TGLndOkRWChzBpP?6Bg($Eag*)xFwSJ?jI2Ne+w-L_l;y| zYwL97N6_Bg1Tj^l2E`-K<0qASUj#q6wgO~t0pf%G{VC#$(^C~dZzd*ss(J`j6S&vY z?@l@o%hFwNBDw8Ka1P4cA}%R9f`xPvgb9>0$G!1MvoMkZw6Vk$3r5DPaL99VFt~PP zT{@RF%mK!yqG|y3r!tRvNG<(Qj4`>Fc5ppm2<=CyY#zn!s9CJ>)HJc zyxz0GyGlc^H8*0tJ;QxA7MAy7pC0ZpIh9zimePzWH54$C7!K@AP_9j~AGtMO$tc@H zzHGKbgp#p!uFm&G@1bdrwDCQP{GV0GZ|VMX)^gki=Zd9=NWmZZ6RRoq23>pDy{?wl z8IbwVJ00{|a>5_o#Z&c&pGY(#AV=oN_YO0z?e1`Cy8f(C=W2AbAPKvg7Ws$tS%7e6 zEV=1j-IAo9b%uueN3mWxI$>vbJW(d!kco)pIl>bzH!^Yr!2Ydk+B`E)cKxG_c|U3P zw(a%tnX{4IItXaaY{ZY>|sYeE)Q>)brqPgKo%K0Wa!Al{Bgb*H9 z{I~h{a&i%S?irKvIaMF;JYiJXQ4zFdjPy+wmfc6SKh|=@#ZHe3Trop2l2|9H*s0@N zn{wA@D!1X|C`=94_A-Tl2e=*HZRr^(JX~3FkD@6uD zUrptQ*1b~a((oGeLB^hoxI-7Z7wxS2pwcR{A6(?Q&9R$+A@78yF2<)j@7}Dx7@A z6hom%bNN*zgj-RFc$%JE`B?!#MP1QlBr#!ZlBGJcvmuj-{JkO}k&cN-yPK7t7%V!F zVg4YW8eJCfz9^u7fFE$@jb6`US4MOH3`AqLd-9 z$mohc)?%<;5A={681Du4KomY~^oTfMTOZ^BH7P#%lLnl&J zt*WN>J@AO@;0mAum+^A!T6x%uLv@XoJ<#*A2A{BScTuY4`}{gL>K_`C>alT`crYzl zamxES&ih_j*h(Rr!1ssZR7D~oA04r@;GGZR(tqtiZ^?8|v+pv)cE-8W8sh zUxHXX*L7EOB9W>y?0y4WXDO=Xd;GJS;wDjXu?ZX*9befWg<-iw+L)PWjFC9>M|oO# zKV#8kA|sH#@!(m~As&%Y>wZT1lMEC?hOA4j=8)XL(g95(PcL3lWa=iR7~4P5IFufu zB8N>?r@nPrp^k!0y9;&N;S0v3Q#5s;NmQVY$0gAw5~^&iX)O&2vDI++?!xj`DS4`N zu;`1gTo7RPL7E;h4L_v{%xMd|-a?@=&7<+5sGGL9nhmN; zLhbHJ#1?FUY_> z;V>zaTKh#B7AYdI*x9M@93FCo;GNe2^r1X^K52Ms#l^@yG+`Z3EATPlm~P7QpQ4OK zzlGVB+kv-dF*y}wwzty>uOE&_#u+h__6<3uNg`?}C!CkrF7XG5O&D$QTobPgg!Uu_ zE2eYw z=-lsq|H`PS7xX=fzm`HrU-Y`qi;B1sL-^1iqBPf>fMX1Je>auk*6UHS1 zRsLheNzKor48jsRAsTn_ziS`LY_*1$HM_4->BDk-kc&Q|6S2#u_`Uta8I`nt*Ys0--((~{bVIU=|IqLY=o;u_cTdRhB?*o!(uS>;b&Qi7Y{)w z)ZnC!p$5Z3Knb@9KUYv}YV|dQU<&UQ9YYe{$5gvz(R>{;mqn?&rt82B10`lny*JBD zub{O^qMw2$hYa5&Q`8X7wFhoLb0i1SPDT-QI|(?A}`L4r5=kFMvqqC!`EM< zg#iXN6jrar9Ql)D&fmm;#{*q5{t86|o$wcnECYDRkz1h+~F(Rr@qomBafOlCt4s!a)5|UOtBh4*fpaFKh$a|7-(&a;{QbW*_3 zCT@lNDH`wCPs}URY()gqC#6?2yyXJ9Bj%ne@Vt8UDx`3083@^1g@@AMgv0oNn7}`! z<$u10H5hpj3@i4HW|ISqr=**%9~R%MZFdF$T5=#MM(FA3DZnAa*#iURnzn2GB)Kap zq#!&h$HWGp0M-~_GK#4X?i3@-t+Ih*FWA|C(f^Ouw9g{>&vOvV+`4rn)Li&xR)NM~ z?J8U0ZxDfPpNpScHT4q~Sfm&z!B&=*mR43VwLls&Fa2A?U>f%UKy}jv$gf=4V}ZH= zi*vbcd6W(jhoP{v)OlKm1Ha{OPWWSFgDGMzyftDjGQiJ~x7TzmPg?)716QY_)p8Oj zds==-VAfYsa)dJ0{|V;7!pnNMWaMX@7-$oF{wms4{mcbFIoPM)W`_j<=IdB)<+M5M zqT+kLJKLuPFtr?_jCR!>J4QJjkHr8_436Pfs0={u%smDOoQJd+eP!MdnBo0T!iZ6Q zB{do6)2+y>s_P=QqK{*0Rw3Ra`(_q`_Dyu~9WGpe$>1fl7p_X9*VyLC*^Plsd zuM5D-Y$E#W&ka`gpRibd-suP-U`XZ;l--dEAT0w?Gs#i+V&UT6V8Oo+y1ksLTiBe1 zk$_98AOo$uXAWA~x)~cru1Cr2An0&vk`!^$DDj&nTFfZZT9X8USvb1g9*Ijkl68ZtEEqpsGWe1;pDG$>M#Zy^o}X2y??`n>3Rm zEFOnN67wL?cDlceVuyd}*_poQqH}lP$f9KaqGRb7+o_D?LDcAi(G12!R(3#eA$6kVkmNABT zPa@tYFpr1X8zl)-4SHuM(4ZCd`tim2k5`FsSnph;zhSBIviZf08#ktFpfv$&=X-;y zi`SpDM>lbitM{b~H?xm?Mm9#&x`Pj2pi}NG;zzOe2{S<*4;9fvtScd#-6H@OJu?(- z`HIq9PbeR)ygrEkJ%Gi+sPs3y+GaUyH_@x$(-X4fI^*83eL@Z-)K^K7lL_iUvv-Sz z!Qs233?|X7{pZKNM^B4haAI1yGuEa3HAFH8_gs%yhxw=Uh{&~m$nC`>o2qRo+KZ$wwrBtA_`FL~?VhpJm{Rh!{ zTf#1w{zycJd8Q|zjh-Hh+X&P&HxvIk&SeIcQ#Hk4TMwbKjP{X zZ>n?KnZmEuaU>d7DgbBj8sWKE{EejI6Ub>)+ACWU|0nI7Puk>f zWz)Sot6dqn5D*-GwJwJDVz~ZScsZ{WwJSPY2tlmU{W*4v&tYljZrPrJus-=;(k74p7pw5&Vx&rxQ{* z?2KZRqJSwOazWkC9x=$Gldaqt@ot6y6hbR3d3ZAD7?lw02kk;%)?H*qRY$>nq?>(g zHFJc9nj0>9w!60cHtqD`I&p>lpOLk_>@%~Q@$Zi=JO}=(gPVk&e+QK(-(O;Snzvq5Ird~rd>At?KV2L{RGSj_Grr4c7P$H295~kz9lQ>uUF|VJSoA zfV!%p#-rs#U;_!DXXD<6o4X^2 zm}$wCE++p?fL#6<5djBh1-0JhA{!bjh4gc%s;KyZ8^0~5Lc6-O=nCoQy_YXHWH&xq zi`F?$SDUm0*u}tcY%RaB=Um&osi?0O$ykhdvS&d{qQhO6%`eYHO|TB2WAF5Ezik$8~*V$iVnuJ_DZV}=&Je- zWRcT!O0p&F#SU*nu_gh_KTZfIQ~u$m)d2+UvjGI6sRXzx3OVpe7+7*rQ|S~@r>B0b zMP^5K7p+Bxmkvg>e>rd=U{|;U*eUGNU)$$7p}5eDpBX~9)+ktNn?3^7iUJy|^%5AbFXd~z+N5P`@P zvl}?uYHkj?IQ`YS6eWcK@bjml6tKQ5xyycu`4Y&9+H8+%WoYDg-#xT_SDL(*fx*np z8z6T+LJ1>wR#u&K5nRish>0)>@pHG4d9&9iCt#D^+dzf-p43h|C0k54P#s3r*B2ER z!vO@}1Fh8?J5r!sj6lql+eCN|=mJRpP8V|-qmyWNaqkkEdgYw?^0-TEP#B0>xQSB{|WK2eT$1-sav0>?`VByQ-DtPnc=h=^mnqPkWjm0`6?}>5%KAFMC z8~n{nJhUk5-AsS%$zIlF`f1OHrxI6Mj7$ULNdUin@c9yR8foV>AQC3@`B2aYB`Zy; zuf8K#e*H6E^92T)6?AIPT2xY!E&#-FV=``I<@S$MPUrFMwBm)*1dx z#l&C~*A(R3iv1uF&Y2%<3JGw`>Lbp%#$pJZcHL`fGXn#!Y3CaIxD3VYpQDE6fgN`Z z$%c9o_@tzyJQ&$Pk%9nk{r?UWX$NbX&7jFxxGHOwPp`CyMg8ggL=Rh?@fgeywtS1r z55}zobLJorf_uc-AW*>a_@5bt`X>*5tOAy*>8U9VCBQo*((u5hCms;IvZiKhx@Iev z`Qnve&W#Y=o-*Jz^<;lLw1cs&5jNSwsJWFMxVt$viD~SGP#+2&uU#oF7Gtt>1;Jepi)>j7tpwP>M$U1VVqVB^Y5Q0I)xe##AxVaf-be9cB} zP0vX{qJV(^i-AMcg{<*e@Vi%oVGz9(;$fD`mz{ytdrN4mV{e^jwm2+Uw z;8d;Kl07^l(HD6->x%G3we;M0dsiTY3-~PxK*}~noYU-iW|-;cIcJL##TmckRuo@)fR6R9x|bMUTtzhfRMdF_ z?QK)fd9Rd(2%rV0!wCWYhq>;F=f74DKzq6r!bd(!pCr(a-w(B>rwVu44y4z)F0=x= z8#Ggy{G)19H_xlt@<^?S)4O7%H@<+56KW@BSW;b;sY6&&f$J`@ifqWpF5@6={+#pS z4bI-p!_$=b{j#tC7ZR2)4?=z zc6rDaxxtkdU+^s2^S51MRsp=;S!SEms?YUVl1RZa0}wg`COFx^ZEM@Fuf)Iyn)`$Y zl*auWn5io1EfwK=9BtnOxG+7Q0?w7mQ`d9fY{4`)e3~JFm@3OzjyDZEl3QU1dq80Eb=2z=s)&)QAmwrAxUC(VT z-`?@(;m@#($^}1)MR;N{LE@^a=uH}g8YCNsU)&Tqf}Oal*1=OzkHg}7D?W^cjG9zv zCA<-Tc%?-j8UM!|6W10zDeujn&4Ku&OioTt>?7u5`)ea$*^@sEO1D9|vC$qTBtm90 zr)yxYI8+l?Chb&%5#&*=o7JU0m}7Bg%&`n(T;8r+H8r5e7L+>WL)Y^{Fq_T1Yq7|h z_t#d%2)25p6YA1S2G{BdtXb3|_?Z=lW@+)>^gmU%^@K3xdmn}+J@DAJ(qcflt~!909? zRum0x2Ul8%>pWh|1FUFAzx2WVUf=58D++^*&`a4lyAgt^+i*F?`tw~SFnDn=m?_}Q zS%dwSVF^plQ?G;fau+;)*gAVYx9>s^w({z*t}48gqWo?{?=8K`RA`6}tZ9pKRr=Gq zht{830ORJM4LhBDh}xG2>!b7%F4CT>KY#zW;HD}nEKGUmIF_Rv@i);lF-hMLzGmUM z;}fO1KjY!pw3m?yanY58o|RqdS$+Rp#H%#wGZQ23C=v};i+V93LOT73t~;jismbv4 z?~8wY0&hSm!j`Q-4jK$NX`>?}0X`xpCnq+RA`)>;9&sG>Tz6Jm;z0U@-FZTIzm-sl zMJ5?`r9~cD=zt{ru-M$oG~0J9bXGq$6YGGOF{x-u_N}u)-t+D{FB+L*w_?$c{>LnE z{{;|-iZopZNv@pXt-i2dJ4SAyZEVz86T*{{qLC|1&-G%xm62?+K-WC$u+a2cFGpBX zdk23KJ#cL;T1`H5JNI^0AG0-lVJm>bCKIOpO_N@;(i;wZO83w~Nv_0`-K9)0du_RP zeq!`5lL!{4NXqU{Qx$jCAma#M+!!Z?&ZdT{0J+$g?c>ba?U)#}P*6-&jU(7dU%z*} zsZ&+u+~pr@PjoY^SIuKDd!r0oVxGmWSD>w5psh*vsl<5n{A4h?vifu?*zw}OIyg|^ z0#PwBQzk_rv5#M4>lDGVDJ(Cuf4=9??7UnzyrY}`YI~R(W-01?KL}Hr|LlR)&vd25V@$kqfR~2N^9dg=@Ak`n22i7jg2Q?!&t-2QSIU zMZ|G){+hBEYjip7Z}AT1&uynP^tdKZ16%ldPi3HtNtn04AO95JFa2;NbK(xkdryJ- zQ;vHZDR;5mx*Ki+LKbKJJ_0mfO@~26W)>QBM^rsdzv)=>dcYEQB!qz$E4F;59 zWZ>E zcBO@hTHMGyi?P2&ir$Mk|8V9&E=Hu4yk5*SX+G`8d%RSUN8xS4)`np(6WgQ{b=MSI zQh;3Z+hh;`oRdbF3XQHuyro2*F!}wkwl-balp4ioLKs7G##4(>h>_-n7sNJ`D7 znzGBBld7R%GIER~YvKl!v`J34(7NyJhQa^sq&Nv9FBW7x`7?Rh z-01)5(_;N1C@yC%yds0W{QEI_ zdii;G)u$?z^TJqJm8mGyDCO0GI_$O@Pdp1eMB_C|o?+r)goxv2$6VLihmK+!yTgG^ zKRb*%P7XCZu$gg2JMBL>S0`2@-Q>HgFt||h_9mq&>~1VhPPF28H!LE%cl;Et&CQ-u z?a@LX*vCru33X@GEL3D<*^vzvuX}Iyn~FsKq4N2*ryI=r7(dPwq;g%hIBe}oi{9%r zwiIt+c(-$oqbH`P%8^IE-L`l}*9hFp=2x<$M_>Qs2)x}HL6N2&7dxz#YK>0H6zA^< za9*y`K!9G-ghQU1FM7T=j>1#C&}HS!;g+-=E%MR!gv$JeCYzcVBzmvu+s^rYsSw&U zmL8{%HV$8n!87oe!?=)g7xD5*ATwo`xo5Q~q$u4YEqkSV&a|lqi{PO%L{F8MS&h7*R}x{RDB9>cqL$wIF)=yPAQs74c=PQ-hO^IG(&H;F z$f4O{-&F~CUCGIP2?dyIAIkZ9uZ}ozNajWEgMNJbwoa*fpH)w=()>m9(x<8KqhP^6 z_i3y%oXhhj>ufgL?0o%;n$xo26eGEjoZ)Nod=JRocOEHO&3K8Sb0EYX4(#~0K84&Hiea>Rt2*98=x9e3P#d7e@>uE5 zGk;m9Lq=({K<~kpvCsItZ)cs+o17SmKK<|B) zZ1i|c;X^!>T5?bkf%We$-RakmA|lTfUHnsGf%U@Tu8mdv*rWbv^0dQxXtrvkWT zSHis3-LTBA{K#DyO!~nEyE=2&hh94vfrYCPMAm@*42@#nB#E1o6%`jHt0ryZ;u_R|ltpJB*oxwZoLBI=>Y5@( zOjVMvwAd0b**80=R5d(bEomD!qp8K=Ld^#P9Z+qgkY}u*?z;5##)EtXUFu&njtv; z+MbK6bPIU72gC0qva$hz%B?1;D9PEL^qEL`^*{z)l7AYX4-W!}Pm-;tDgrw!ZGK(S zNq6i-jiirtFuju7_XK|5HbIfCNED#nM#Bl?a)iZh+h$7c(SN}0xOJ?S^SiKV7)1*o z-DQlgS;3I>z6-2UUin6XA{1L@pSBF1BYN%!zzyF^=-kNJ)d=pp1Y4Fe=ofzFCFHE1 z6?1(PdZh)&aUf2vBxrQy$Sx6+aYJ~j|4)3qJq6UB^p|$QnQ@xv?B{nb#8t4kIMnp3 za*{CTU+A*Z<~%C(>RmBtxj?KpN}>ubF{|S{Qpu&EXE0j9Ui53j?1vFjG^!8I{W8+C8wh4=JPC)+FvX+HitjW+4}dbT4`EksqO#$$CUJc3AT^fWi= zS^4I!*~=>}ioq&8%PH3Ty~Enl@z1RdS%L3h2Nx@n;=(m)gj}T05AA%+aq|g-wncFh zuew#|_>$Me+^5Ufn>M&sob1PKME6QIJ_~k_I2T$fCCBliHa=5^i-SN;J>{CpJ3EIh z#H`dx3piYXz{YfEy5xw*9EOMBJ@Q6|WY8D=9#>5rA{*g0tcrrBssa$lS-k(|=kActoT7EKt>{L+wslKjb?YX*a9Gm2&R&gF*J_!#X;@U(0XK4uwFa>@*kgy3q zSf3wCIQ(^Ciy$+_v&_3Wy$(@xIb3)Hs)ftnMvZFL>u$dXJ1M;IBL-9rvQ&TpS z(zML0Gq1MXKPh?s8Re=$25L<4$?E)tVJHd?)wL#Zeq9QO^)6W9 zZo5`3%?%3z29gi+Ggf%Xk_WTJTFP}d%4-qW~vjtck0t>uGQ$B zkJ+oQpqz8@>y_!zrn>yoJO0iZu&TW$bAhjW^XhzfdUwG+yd;;pHD3fo%bD0g3?zmF z4W(sHK@avVR_9G+mRh@@>F$BQnsE{vyhXevyi}mbJZZK^gCA~yh++)hMD+A&F_o?K z8%jv)M4XY}y_E_a6!1l7;>~xC|IHM-qio``Z;FwNAyw+e5hj#IxOj6<*^3A`OwF}Z zQ{ZpM=5s=^V(}fZ?-q-?p?Dk5AI{zhO&8=6i)dK^f_%Uz-VWTZaUqw-tV2qFczAcI z?vi88`SXF?4AlSkKR1+s2O;-=Xv+Xc3wi>e9R~U#PFDN(RcDsJgBw88@<5jw1gd`X z0}nVj-FWjio0_`Y~~NO^sx&z(~A66?h6# MSJqKNC|JDxKRafg;s5{u literal 0 HcmV?d00001 diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md index f57a685f07..55acfe25d1 100644 --- a/windows/access-protection/remote-credential-guard.md +++ b/windows/access-protection/remote-credential-guard.md @@ -13,43 +13,83 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device. +Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. -You can use Remote Credential Guard in the following ways: +Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. -- Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device. - -- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Windows Defender Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware. - -## Comparing Windows Defender Remote Credential Guard with a server protected with Credential Guard - -Use the following diagrams to help understand how Windows Defender Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection. - -![Windows Defender Remote Credential Guard](images/remote-credential-guard.png) +> [!IMPORTANT] +> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#helpdesk) in this article. ## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options -Use the following table to compare different security options for Remote Desktop connections. +The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: -> [!NOTE] -> This table compares different options than are shown in the previous diagram. +![RDP connection to a server without Windows Defender Remote Credential Guard.png](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) -| Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | -|---|---|---| -| Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. | -| Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | -| NA | Helps prevent:

- **Pass the Hash**
- Usage of a **credential after disconnection** | Prevents:

- **Pass the Hash**
- Usage of **domain identity during connection** | -| Credentials supported from the remote desktop client device:

- **Signed on** credentials
- **Supplied** credentials
- **Saved** credentials | Credentials supported from the remote desktop client device:

- **Signed on** credentials only | Credentials supported from the remote desktop client device:

- **Signed on** credentials
- **Supplied** credentials
- **Saved** credentials | -| Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Administrators only**, that is, only members in administrators group of remote host. | -| Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as remote host’s identity**. | -| Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | No multi-hop: From the remote desktop, you **cannot connect through Remote Desktop to another computer**. | -| Supported authentication protocol: **Any negotiable protocol**. | Supported authentication protocol: **Kerberos only**. | Supported authentication protocol: **Any negotiable protocol**. | +
-## Hardware and software requirements +The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: -To use Windows Defender Remote Credential Guard, the Remote Desktop client and server must meet the following requirements: +![Windows Defender Remote Credential Guard](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) -- In order to connect using credentials other than signed-in credentials, the Remote Desktop client device must be running at least Windows 10, version 1703. +
+As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. + +
+
+Use the following table to compare different Remote Desktop connection security options: + +
+
+ +|Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | +|---|---|---|---| +| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. |User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server| +| **Version support** | The remote computer can run any Windows operating system|Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**.|The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). +|**Helps prevent**                    |      N/A         |
  • Pass-the-Hash
  • Use of a credential after disconnection
|
  • Pass-the-Hash
  • Use of domain identity during connection
| +|**Credentials supported from the remote desktop client device**|
  • **Signed on** credentials
  • **Supplied** credentials
  • **Saved** credentials
|
  • **Signed on** credentials only |
    • **Signed on** credentials
    • **Supplied** credentials
    • **Saved** credentials
    +|**Access**|**Users allowed**, that is, members of Remote Desktop Users group of remote host.|**Users allowed**, that is, members of Remote Desktop Users of remote host.|**Administrators only**, that is, only members of Administrators group of remote host. +|**Network identity**|Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. |Remote Desktop session **connects to other resources as remote host’s identity**.| +|**Multi-hop**|From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**.|Not allowed for user as the session is running as a local host account| +|**Supported authentication** |Any negotiable protocol.| Kerberos only.|Any negotiable protocol| +
    + +For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx) +and [How Kerberos works](https://technet.microsoft.com/en-us/library/cc961963.aspx(d=robot)) + +
    + + + +## Remote Desktop connections and helpdesk support scenarios + +For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised server that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects. + +Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf). + +To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/en-us/download/details.aspx?id=46899). + +For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/en-us/library/security/3062591.aspx). + +## Remote Credential Guard requirements + +To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements: + +The Remote Desktop client device: + +- Must be running at least Windows 10, version 1703 to be able to supply credentials +- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host. +- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. +- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk. + +The Remote Desktop remote host: + +- Must be running at least Windows 10, version 1607 or Windows Server 2016 +- Must allow Restricted Admin connections. +- Must allow the client’s domain user to access Remote Desktop connections. +- Must allow delegation of non-exportable credentials + +There are no hardware requirements for Windows Defender Remote Credential Guard. > [!NOTE] > Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain. @@ -60,15 +100,16 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and s ## Enable Windows Defender Remote Credential Guard -You must enable Windows Defender Remote Credential Guard on the target device by using the registry. +You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry. -1. Open Registry Editor. -2. Enable Windows Defender Remote Credential Guard: +1. Open Registry Editor on the remote host. +2. Enable Restricted Admin and Windows Defender Remote Credential Guard: - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. - - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard. + - Add a new DWORD value named **DisableRestrictedAdmin**. + - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard. 3. Close Registry Editor. -You can add this by running the following from an elevated command prompt: +You can add this by running the following command from an elevated command prompt: ``` reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD @@ -76,7 +117,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 ## Using Windows Defender Remote Credential Guard -You can use Windows Defender Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection. +Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device by using Group Policy or by using a parameter with the Remote Desktop Connection. ### Turn on Windows Defender Remote Credential Guard by using Group Policy @@ -104,7 +145,7 @@ You can use Windows Defender Remote Credential Guard on the client device by set ### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection -If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection. +If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection. ``` mstsc.exe /remoteGuard @@ -113,18 +154,12 @@ mstsc.exe /remoteGuard ## Considerations when using Windows Defender Remote Credential Guard -- Windows Defender Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied. +- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied. -- Windows Defender Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory. +- Windows Defender Remote Credential Guard cannot be used to connect to a device that is not domain-joined to Active Directory, for example, remote hosts joined to Azure Active Directory. - Remote Desktop Credential Guard only works with the RDP protocol. -- No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own. - -- Remote Desktop Gateway is not compatible with Windows Defender Remote Credential Guard. - -- You cannot use saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device. - -- Both the client and the server must be joined to the same domain or the domains must have a trust relationship. +- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own. - The server and client must authenticate using Kerberos. \ No newline at end of file From 151483ab8792913a5c672b04081a609731270e9b Mon Sep 17 00:00:00 2001 From: John Tobin Date: Fri, 25 Aug 2017 17:36:39 -0700 Subject: [PATCH 2/4] Fix non-functional bookmarks/fix bullet syntax for consistency --- .../remote-credential-guard.md | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md index 55acfe25d1..02ee7d7bc8 100644 --- a/windows/access-protection/remote-credential-guard.md +++ b/windows/access-protection/remote-credential-guard.md @@ -20,6 +20,8 @@ Administrator credentials are highly privileged and must be protected. By using > [!IMPORTANT] > For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#helpdesk) in this article. + + ## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: @@ -42,7 +44,7 @@ Use the following table to compare different Remote Desktop connection security

    -|Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | +|**Feature** | **Remote Desktop** | **Windows Defender Remote Credential Guard** | **Restricted Admin mode** | |---|---|---|---| | **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. |User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server| | **Version support** | The remote computer can run any Windows operating system|Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**.|The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

    For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). @@ -71,30 +73,33 @@ To further harden security, we also recommend that you implement Local Administr For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/en-us/library/security/3062591.aspx). + + + ## Remote Credential Guard requirements To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements: The Remote Desktop client device: -- Must be running at least Windows 10, version 1703 to be able to supply credentials +- Must be running at least Windows 10, version 1703 to be able to supply credentials. - Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host. - Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. - Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk. The Remote Desktop remote host: -- Must be running at least Windows 10, version 1607 or Windows Server 2016 +- Must be running at least Windows 10, version 1607 or Windows Server 2016. - Must allow Restricted Admin connections. - Must allow the client’s domain user to access Remote Desktop connections. -- Must allow delegation of non-exportable credentials +- Must allow delegation of non-exportable credentials. There are no hardware requirements for Windows Defender Remote Credential Guard. > [!NOTE] > Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain. -- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication +- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication. - The remote host must be running at least Windows 10 version 1607, or Windows Server 2016. - The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard. @@ -117,7 +122,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 ## Using Windows Defender Remote Credential Guard -Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device by using Group Policy or by using a parameter with the Remote Desktop Connection. +Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection. ### Turn on Windows Defender Remote Credential Guard by using Group Policy @@ -132,9 +137,9 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C > **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. - - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic. + - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. - - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic. + - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. 4. Click **OK**. From c0c5c704b5a9b6438d6d82dd53b43fd70d83eae2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 28 Aug 2017 12:18:17 -0700 Subject: [PATCH 3/4] changed server to client --- windows/access-protection/remote-credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md index 02ee7d7bc8..c4498dd47b 100644 --- a/windows/access-protection/remote-credential-guard.md +++ b/windows/access-protection/remote-credential-guard.md @@ -65,7 +65,7 @@ and [How Kerberos works](https://technet.microsoft.com/en-us/library/cc961963.as ## Remote Desktop connections and helpdesk support scenarios -For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised server that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects. +For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects. Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf). From fcc92cee0896cf2fa82da9b7f99a1a5eaf8f8bf0 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 30 Aug 2017 14:58:49 -0700 Subject: [PATCH 4/4] updated image --- ...redential-guard-with-remote-admin-mode.png | Bin 25974 -> 26878 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/access-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png b/windows/access-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png index 0bbff2aab898a449deb20314b572321b56f700cd..56021d820eb2160a81f3405d3d5ce0efc4ccddab 100644 GIT binary patch literal 26878 zcmcG$2UJu`*EZOQh={@^iGYBTgMehoDnWweoIyY&G&x5V$sjo=iA~Nll5O5h(HJ85l45D2gH<_9B=6^{bw#CDRAm&9JYPen{|uODQ+@pqS` zmeU(&r%$#Hpn}ptX`t(&6VN4L=4j$zVdrFFYXc&}c}@%TKe*`^x3zP3urUAR1S-ZK z6a;$l{_b@!Grk%6%*g_52I4)&#{sV3++0z${pjRs>|h4cx4XU>j{En+EgVg(je(&K zpxV~z2%!7^O}D18gN=oaIjEIlH4x~-{^x#Y2NN^U;k6&~c9^&=7;I+a1UedwZvp!5 z-3(K+aI!W7<)g+JK_Co}jKmu?x74k9_s>tw(oU{N#zl_lVv( z{lKpwG$_KmBZxv|#ZRAv!`5;X3yZ0^6mfP4Tj@r;35BD@jpM?f1V-MpYpX2bFPGh6{X8FA3DDT;ZDP`4i%lZ)SJIB z?UV;AFg}-j&69^BqGg$p@oE(+7a!zvg*F;p+Mv-Nh@=%m-$=ca&BA?iX`zMaj9wQ7 zeWO{HtY6l2k;%C)pdx#^o(HR6{%&mClyW6C?NUZ_@%jvz)*={MehyNi3-OM+59y@8 z#iDdMI)E6?Tus2-1ficDQt_(#dNy7TQze|o{;WjI10K_1y#9hjhi6nA{665hOqt(E zG>3<5e}^679ka2Q2vux1sEQP9L+4#ts87nZtd3ms`S68I+~y%tPji(%31-uwly zBYKGUJmL*}q3&R!z{2VYv}^F1J(Zl7tbXj0l;HE|i$O_2h(xE|J2*rkq6+my8tGob zXmxt=NRE9RKb>Vni_ZbUe@wu==={@x%o2eSSUH@ygdHrv2FlH!Cf!J#zVe*17;9gd zTs~0jR#Q3?L!}MBcRjfbupRbm@$#uGDpIcy_)|JZ3u1AytJ(35tz>JHl7zYw}TqFGn-_Q2iJy=;_q`JK9#e)trDNSSaYx47H3;LGgz+$+*&t&1 zimm+Z-Ypiq$rWB7(S_iL8xX_993kl3z|X*BPxpOq$AXyxK4j9YyN6@irVRQusyTbg{gtn|Wy%E6 z@3$&f3SLK?=}_IT-n3|*iPh)sXKHSOR`8XA2m?FWSD#gghpl7!I0~)#Jw)(Un0aw5 z(?)Z1ATIm-FGM{y8ysT1codUzr=SipAH49BTj&^&_ua_H<|ybL?2q3!vC ziQSIZHniLq(}9NpiX{5@pOs`wPKPwq>l9s{+`QY4+hIu#ie&ufY5!={b{a~lD6JPT zIGmM+mzOs#F3va*6U4+h$Y)#~)b$}PEiKp~>G3TV;(s@NeSJ(!OyhTVfpIzVPuQaO z-+PK34T)r&Q4?$+k+?!Mpx43A!R_l=1FS@5B*yPBKuj{J@Nc78d3kw7MOK>}rShUB zrKNcMRG`;=z`#$++S=NhnhAO-MWv+-0N`$tv)`0+3U3|D^9{ z20Q54>;L0|{*#HgP?8NV4|u?k{Z4YSE$e}lM6Ajie>H1;Rw{q8r1EaDU6(o=qL=kK zzQLbL#BrWA&4)oUcPYiS+8QE^H!V2Bz|S5tC*5Kp+dVo!SN?11n81-8>|Ww)dchXB zfLkV=@>x0OzH0n0%qMLjVC&HBD)X#QCRAj;1CrCB#lTgS=!*nxB~{uDN5TzWq04iQ z8j)-&IC^99<3#FcybKWv%NowLmCQ@mL9pADZQL^Uu6xBUdNaG`bIm=-XjS;o3V7&j zx~a;+6r|rhJ-o3KrN}#RY4pBUFEjlOF>o$R4dcj`m@g-Ly2@C%(7pj5r%d>m~&!hVPW|=m{{Sq_or$^RA@`<^KbV{1G#I6dHJLVi*2Q?=v7^k zTn$v*TvvCqoOt3(&r1q!W|MP7-Me*NCH*QJrzCWrjtrBD%0u4)Q9+wmV#|jkbLFn- z#0LpZ_+l5kY_)SYQ;zi~NzgqG1urz7!VyfKx9e!e03$z{fxTbC*>RA!J@90nu5Hml>|#z9td~rW9%=EuS{#nmsN@1KX?i zL%VClSMmoj0mXhl+S3nZ(0f#5-*umL=nBUX|G+7WyE~TON9|BCXlysb+`;3DtLRNdqzF)Wli~@%N z-K_hOEmC>BbpitN)8iAo?0cTQra6`0_kC&)IruhmhgCasPIbUpaS zFpu|t29FUAFtO$0re5+)xgqWAIR~}(Eji;j8)7diF!XiH`u82ADO6F8%9V|c!qd`9 zZWUU^RaM-lKZ}Y0T~P|?hq=hN#wm8D^B?9>2h$eWi_IH|lz>Ndjhkgwt6dk{pBh42 z{A%4_iZ0;oYqKBcSHe~g3K!vPHC6%Oq$%r#>Vf9fF1-iDBZ$g#YKLb8^%K@txr^fV zIr2JkQ(ro(t`pq6{W}9EJC`PA65g$*k-BJ&%}|sTD3SQYu$`0}nof?}2 zM&I=H?XXm5ZLR0dPpO(u7t^pChzLfny+&iJRww*P`aV^C7)M=uT5j`;UBOzpArdst zX@dKcCCqAwy_oNUUfv;oGt0x1Z+HRD@m9=gmPzweHyw0q@~JEKl)5_lmd+(d$;GQTsDYH4NFP+y;SxwYR10Zamh z#&^5$2|Bl&BU~nZV~D&C^1FAi^MJZKczMifqFR6^i-9WPuUwc|%=Cc+&#!8Wo-bD& zm%+=$ekz4Uu1tJ6j4<=`+G@yWETW}bEZB}VkJ1f&d={pYE62^_!%LVw4@R&tA7Y{` z$&>j|NL*pZ!s6oMq9Qr=Np;PehON#GGKyvTT5T~EkRRQ7Fdi)s6C@385Zw zsYP~dTW+2F&^g~&YM6p{ZWa;JjE!;=GnbL1{T1hK1QX26wVt%nS0z=Lo9Fx4;`p=F zg(?3@WSk0Do&~JiTNiUA6|gq1GH^h@b=NIa-`1kkShA88URjO!nf)$@?KBsZ!9i8nDdZ}vgiA6C9 z@I;#Z)A$}8$s+kmh&%@RB@`R6wrOs$Xn2Sp9K@81?U8$3{ykm>ZZqlhL8(OFXE?|F z3bt1Sf!8R!FPRc+Jp1`2v9u)QBQYEydJ;@+ldP5TKBd2qb)q_0{k)0)_}WHakXZ39 z!3mQ?evu{%xddJ0AT#yxI2I^OCo@mJqvFI55hs#Dq*J6nVESugSq-;Qz zwEq|)xWH?&b=vbiO<7afkgSAVH53K^v#{z9;cvX^@s^e3xCre2M5kg^`+?icYsJi5 z@dN<6RL~b4--KzVeA8*SU z9x7IUh&{n$T&D=-SLv8GohzU4!$;HL7K_3B^N9kY)v#k1RM%Em6 zP)=sMA5O|K+8%I&$11)I%8xoQvnI4PXY+Lj(nUp9FRg446(zh#^y;P)TRUQ*&uFUN zI7l*q*@zWOvQ~_w#Hxgn${RHHzQeu$G)dLyYkdTXtQtx{wJ>191RmZV_=r|*dW|pF zN*KD;lrd#Oamb2~Y!Ti%z;@}|GimX*QB_YGFpd;yh!2OrJp^eh1>bsXvz3;4D+gtZuJ4#|)6s>zR?_h$|+Dvj5A z;;6}G(|>%tnA4o{vDHHc3b2^9slpSCkd@u+epcH3;RI&J{8nLZlW8Rf4rfwqxQDk|LxX0ZvovvuU;GhF) zpQSdt_W>`Et~7DVhx3y1B+A#=VGXqh-Hp_CfrMupkc^{wCZ+mRyrgFQTw_YVCa9H) z0YshwYpm=*_5rt&Xn-W;Vl%;$f)KMPg`-D6nEJ1n9skkhBaVDk4z)+}XSRxk3&Y=5 zc24~q$-k4SM#-_Zz+u;O&2P%wHQmokD;cSWa`o@NIo^T`))su^;TW@Mh|A7WallsC z|NICWk(0Qij6TEY?ZIX+nH@BveM#e=%ttA5S}Y-_7#Nm9C$bGSWF@8K?=}?TU5Tn& zVpRke8%(IpE0J6t88+(s6;#$|UHx1#@Z9G0Eup=?{N9!cZK4ttXuiU11QrnKHLTE+ z>U(()u|m%_6HVwP{>2NI8?0hNPNx&!*qIB{Id&;v^nD)3TW`|RxfFfDpQNI~&3?*V zZ-RUeNmj7VPlYQ9xW1iC-Bai8QGZ`}>d7BSH0BJS5xd1g;K?zux#YEynQse3|1Tzo zJflwo0(Jfw6i7$5z*hMP6`&>*oy{12V-FJo-G|MOm3e}&kxCyhGmP^o2iImF|B>&I`Ac# zF4yc>{CNF5rX$O5=Ql&S!NeUnPpmkP70gP0(FKGNK(CxykvYlZoi&}+hFdH=0u-LC@hu+gF}h4@ zN~O3QHhShQNirGG$7rd?Q7begK^J)e%EX@w}SVLaE1q(dz$m58a&L;PoOek-z=9)^Yn{03DuRFy>f zy+Ab_TE$+-x1!mz^*F;(Ur&{?(-=zxYw*vYPXq;IjEw2Ij~m~~3yP|{xw;P0gU^mv zJQqYvw&JRgJ6f*mN6yzuX}z zqSi?p{ojeWQIrEwh(_Kxjzk7z4oug@W+>n5rRx{y5BcZ_n9WzQCRX z!TDrLw#*6{;h6XW%X}y)9+GVJw;%TXa)bBA57QPE0D(-Int&z$!SO~|r6mj(BdKAU z9PrDd4HE=!b}4#Ycc|tNzr~~cdg>P@)-4vANFls~uA_s8LhAmb*_D-*rKRk3e40QI zudh$(BJtX#%O%_oWb2>_#KA27WT{FEUsZe&a$I29vrDKAfq;q1q2bZ-rG=-fyPA4} zB%uyo&mR%-;GglOZ70Jht!d+|AT{-y=1(d4sTiRl+T0?wTU&<%X`SOBNb=B8yF}Yp zpg#m5j(K61H7iT_bce4F!a5P>T`P=padxw@)p<3(@~r$}m`Zm-wx6kG9fz^bmWOWh zd0jc=Wo^DCc)$iOgx7Hu=QS0sFWzHjdW^vyH4RIR-D^skP4u#+5Jw|JQJwgl0y{qU&ksWu%>F1!Uf@~~Zcd1Px>lM*gUB7vu z7l-s#Lk#i|MQ&4JJUVILI~&QWRvPKRIm$oh;1vfW<%@s0gZZ`G&wAYpVedAr(QJ!{ zWyMdL$sE*v&Eyr8))&^-pH=iwS%JZ9rVU>{Sz78ey6xS>)a96M>nj#*?F9h`5C%lB z0QA$7IAd1-U`Emc%(`>2OWZ!h53-MwZ|D)}oA$}|Os(&wp2@qF&~?7yn=!ll{+YYV zx?>7^!&c=0d&7$a@(&f$*kUJbT7z)K<%J_?t-j+BZ(TJmv0poNz|hp}gK=5oKYMSe zy&tHlM0IYM{6cdsM(ub!csY^TNhY1`uER`WjBCdryS2(fqoS3L*b=9%Wu&wP6S z-eE^=bMFi(NM*F83`K0i?YRMk$2>UF2aq)96{|g#Jf8 zPi>n^g`2YnYnpfiK_wp;Fxumt-M+2bmWo`*&|D6V9Weo|FcP5+7^>%YxkFi_OYU$16$u9BYY z!jfSUio#|)W;1x#?M(`t@mjmOPulT(-PB=^^8}CD#a8BhU=TMQi=S$%xU}lm>GqnI zZ+9$!?V9Kj%GyRLNE~g$*9yFZsdm=adsSb8@!lWYVgY1iVgWT{akx3j(Q;8a)kNjB z+var_6G+HJjA`XiJb5zR;JO3ce~nIPDb}i>p^ES(xIG>aTox3si0G?0%^cF?)i=aO3oV1*yJg(10UlrJYNQZ}Hn!LKj z0_&<2FgzUrj{@;138Qd`7zWctJlntF)R8vtG@t8{H*FRcIfRmfl$_8>d=><`gfy}e z%rzDr-Ja>bzegFVe0uzM=)iB=tY<3C06YtHEe{S4w-=f`7aHC7SBC~FUV@CO`wVAu zY6uBPMrmZBw)0nh*uK@y!)=9qCgww_QMFQEvYlL9N)4KHBvyyhJTLZoLVHW~84XT|EwL9?({YQW$3{s&27x z-7J8F^ybN@SmV~VY{j$Bxo{Nunm^A7X&AwXen)*!miovrvu4 zrDB@RXO@PJIb7sLVfY7lg4;3aps0t>U4eb1iB2__O%ia-3#zWEnR$$QwUh5D;L7e* z76dGKmHR#DwZ(ldAO&SLiX#&wjpnf!Qb&M*^R68sUi?C@IsmSII zb6|Ld_AJp5hD()jXp0&3wG-B8*ZC~bgId=gf11sSB@C7})py(%j}ReNwtU5R&?*;! z65TU8SJL!)XMK_mMRFK&nP|j2rT~tQO1~gMT(dGI!Gyt}bNItP>bC9a3cCAt#J5<` zdYj0}$!*eGE!uO4MK@R2OsYctfu$=&LcYC|xOZ-X&*pt{iqh0*s&`mSS(qCetE8#0 zNvQ62?dlfE+_}CQ^T#C(LB5Cv568|$U#UoOB9DqaXGA~7TYXCsazz0Wl9G}_8zt=k zF3rs~8%pM-aTt?foOx_>(LqVbCRaK%S>j`NBV4mAt!IW{m= zpzZ#KLj-Jkt^V}~cUBi@660>M02v(s z+qC&=qQYeDJBdDpsj>RuV7;M;&&XG-ef&qYM_0{<6bWALqgj$V62XMW8w?GDeTGy^ zCS?<;F*{Pq*1(kffE>%G@YU4RSd=inPqYKpDvtG;?M3mLD+XsZ|bS}!j-M1so}SLngrk7GG93Yz-;xi6E zy{5;PgP2qJBBK;`^nQ+Xt* zlPn$9s$V8Vb^a9N<@i_$xM9zjf29;Ll}IpFtH}CZh8k|4l!<%ZJJNSvIS15bKa(wx z*=EvslP9l}mE|l^4a>@kqW0Mj#Ju#5l9sS4iCy%%$z?@706a1Sd6n0rJ=m z2DlEbL4RFD%zDJL!LR)}v}$**Bd*sCD`<9Cf!BUO`@5PM3f6`5PB|gG97l*0b8N*L zoh+uLYf3#L&E2}basjjjm>Zzp1`JJO5y6_OwQi1{Nu1=fK;u}a}M^* z0muVCgpcPOzZlfY&vIhDYt_~n1J=D~0jsUFw zQ3(y3FnxQ;`IbxFy57j%a_Kthj+&|OO$RC+^WGzbxh~6j4j@njOc@yck6b*nbC*ex zFufpc{>%1LP>_Tqp}hQ(*!8I}FF=4$dU7h8Qoqw;C@4rsgA;Xfbvb{$fV4P%%9xsH z3BdDZKyKFQWHAule31K1T8)k-t6KCRm%~gC#O+F!KnG0HTl8Z*Z*lP`rOUW`bqv4_>)UV?rjKH1&#@F`>{+oaC`VF9|c=bHN z%asG&Argg!43}q9k1|dq9L`UCFQMv<<~~ppDLDU ze4p~NTG!dbsi_w_u~#aWfns{1X0q@hetw@N3JmCd0L_;e2)*1t--zE-zs@oiQu45^N1LSCXeWZBcK+${?5 zWt8gC32mQbR^(G;$=gG8jqgrNOKU{yA)h-LmcB5ksMOhSdy|&^i$_7Mq zEBTTQQk*@{{GNJ78I0xN!t~J-Z;thg+3tXp-U1t24byRYOGrb5?q*ThpLHIoZn^O2 z`2L*iyGwsw9EB^&Vo$9^h2>I|1*JQt8d&Vv7qyWw(S5)LJD|79-k@;YNRZ1{AMq+5X{d*1G>)x<4WHgtZ%3pRda~k{EBv<8n9XX z>lTY>8II!joBV^zmEAEle(b;*kJ8vzVR~U2u4!t|Pa7R0t}T_DlX19+gVp%>c#>e} zh8*5zRz4Jt_w{iCyWUSFy@*)PnHYG}?~^vthel0Otg`ES0vFnub=cTcbyax!sd?e_Y9G4V{@G2W@jR z;i2*A%3+<;#2$2$r={eetD`76o2l*_=f6OoqyI9Uov_b0=^3VEt>^1)FWgLWZt=KC z$HHBuCb!wX^hWZtpQ5uQL#u-b=~3hIk2kO#kc8>u@nI0CF4yMBE9Rc$4l`?4=D|K9 zfE4wQTs&24@tW8XDts-NxReM0G5A%u)}l=tm+JhqV=8TT<|=nv@Nt=kt;s-`_<6>R zvqgvG6kDCb!p~=4rWJUD=au;`PrxE|`8uq*e1a;E5(xR71)^yH12mJ~X20 z-cq(7!wtw;03?5OG$++K>Q?0pJ;!S*APsmMs3|Bo9a?t<-MQjv)c`(_w*;oMH%5?P zbjsVNZ*BDg`D=U|Q_*Q|x6f9=Cb|6^5Fju)e_7Czw4fKvj8i#78eUlT_)^Ytm+us^ zA|R5X8tq*GW8pP3F5uJ=l9bS9)jTE%zt~L?d%C_8DnX-Tm0KOjj{*9u^4L^EUWWD- zi`m%5gUqLW5m{!Vvz#UodRVHxH~Ly;U`^lI8Qr3W_KlN%!B>4zXYO-U1V1}FLr=2< z*QxG$*r?vijkzXZlP!Q2T?_=S4b63}1=O^xP<1Lsf$$_!TszUh6}U#T(8}0KE|TNDEbTmVEH?HC2JP zo7;L6BeiGscAv8eA2n*DluXmptrZ?D-#16^ea5(CFC}9|29Yi9()&=JMk9p)p74)c ze66%`N-n4b4;Qo-?=2IiK>7hdWy`DNbtEL|DjUp>GYqe)2uUJ(riyjVwIN@v2TZLe-q~Q9JB&pr#H72K%}ICG(>Dc#troxe zxSb3RSmx#9Vg!LMaL}>4LHW(71&Dzb6#Wa~vIBRXt2SXRV)fl0!)#En1hm_;N;ZQA z8i%euO@niPq#lb5;A+YWb{L`LH%6YJp#W7iJq5ypuZo@P~zN^`CZ*g z({=++t*?~5xzwV2JiRr&bz~7Jq=6D~hac?t90Y_SPLF7(?8Y!k@pT}{5Blo2)P-@4 zyNCdaBJFFVIypLW?;Xzt&vV~}BiLeaouGHuR~rUT%Gi;o9iB;7y*57M+Qy=u&kIFg_1`1OhEHwK}E{uB@z>r~9mG1|%FH z=8v~l<0fs%;Iob3i~3Ct12lDlp}VAxOl@PEX?6sgLZ~5w`U+uyDuz1gm-JgK_T5qq z&=a@{4tD@y{xZbJeA&HsGI(n4bBeZFJ5Fs}>zgt)yEY#_?F=kCvr{SoB=Q^mPu#zl z2y%&ZB$gW;htJz3uldXe4)D`XVO&;m^e_d=B_sN_T6e6NDcLpt~a$iYyB`>X!An&4=F`U~<>_OpPw=Wy5VO zz(P;dZtN^p%!uch1%Wb-vd%w|ati8tk5ci%_MNUL6$Rie_eMM`BlO`Zi3`dPdaPXO zjXa_jKFKa|#M6+c60%wiYvk2wywidAVD^EPtl+w?(GV5Tk^zY8J;6xN@+Rio0VHg(+`%m8}zyFIr#T z0flJ%hv>C_`(qs|+a1lfL;_t;EjfGcfqDabm=tP1YFxc zVI4RDRYn?Y$eZ%4QDu6H2kg9+5=Uh(R&ydh3q8t)xL|;CS$kF6X=(f}D+1$1FT9Rf ziwyMZcI9ntEG)F6v})yamKr`RrT;qi_1yqWXcw=X45bkl-Wb%3Zd7j2Uf1^e_Z7OQuj5nm&Jt6y=3JwWT2nt$9 ziq6=4a%WU;F{M^RoIs_%)Svf)zgH#$KI~w#@Ds1|B`!YS`>Q zwiwM)r&72HUYJsW4}?v5R1mQ5%A>vbEvFq{u9~IkvT8JB*OpA}0QK<|=O(fx*8blk z+Y-PpX$^{O@f-uD31j;In+;x#vv)Oga*M_PH23`fo&t)NWX_Fcffj~z_96*DMm$Wc zUNO)fxf16um`tXj3Y^PA4}C?3$aRgsVgnxn@qo4JGe`WkVdIyy0I*~JFX6GVqRPs@ zx9AQ8q9^E-xVQ%lg#}>N6chz?AfpK&ZPL$jxtnUg3-xBM;q*3R5qVQ#Q?0RXkm9KZ zJv>=eQ#HJyKT@fL6Rv?2edYcD2lN?4GC-pr5XKyS0Ac4K zgRP4uP`OFak@7EMA3VaoN!am3k5~J z;xZ2%yaAo=Cbs?P)k9OW>BxvxVKdD?jRqSkRS|7CcEESr8?&p3<0{BDYqrO9s=_oy zaNqK9NU(#ae;g|>0R-yexKM3R^HGX-)}W0OCgECq0`8OFoR<+9G8A_&Bm<5Nh`VUg z*dW|KX#4xF$#>txzWH|!kt?EKRpjiGK!BR?oC%-TWbQ){Xz_tBROSVd0@;9_21AQ0 z_xr+!aM@LUcKRyV5@F&LiZoI54E+dYW?e=bdHxFnr1UVv3EIb3TkhR=v}W53cPJb3 zmP17?XBU38H#8YCGXfS&_4ImlAaN?e!Fm9>IA`Txq&1y8tCue5zbsVJH~t&& z(&>N)0Y1o&>Hp3d{vWEJ_zZexdn*^W9Ozd3+==^EOb1f$f;NIDm4K4GFO+B6%M%stCx(cbh~PVf`k zPK_)3;gjzv?#7T0+Sqe~<*2<^hfG$|WF|-p!wQot7t>4YpTv%*(?27iH7)GMT4LL| zR|#0GV+=n`bDF2_WY9YZKF$+!7L=-oya3Ge_l8yDpVmBE2`vjrPW??EV-{wbm!0lc zV|>(Yyv1UEO0YaVojhQ<^SC*{Hc+m9RVA}8CB?Z~ev{wUqw~Tn{9`I1Uh94f$D@I@ zf?2PsfJNd&$Y<||Is|yqmgyb4uTwlpqj~QhMh!6icCKy;XfuTMc32ZBaaESO-t7{c zC$x4)sJl~Qz|mJ(yfXu;Ll}6;5e#>pCe0l`f(GA__yZ3*9UvdNp%SYka@3Sxu_2pP z;uqpilfTw9MtqXLv#;Zbu^@ZQaEFYn1L|OY^7zSP+yUvc0rDEH984+PG#7G<=$$3m zW_;;I1<#+|5AluPt2 z7lPl)uyc$up|-Uk@jQis*lLg+Yb=yx-|+DbDSEVP*~>hJ`$tu}oRu4@M3oaBM|&*M znM;_^`aY|lJQ1?{(1e?e{#a0?D`rUwaZY|DIk<2KqFLo5+$ic2@vHpv)Z;2>bVSPw zQ==&02=f12P6TkzqpSg%iZQSEqCaWCBoFABV&bh#-&7z;3Wm{KUS4{8d()@@X>nCm zB9~X7&xF9PNQG*>a5>psbQ7kE=<)RMxOeYf`}g};?Qv22biS^ptLnkGa&gRRTH_`B z8^;2;$25JS{$&4L^kQ;iTv<97hx48y+^C7PgaK;JOL^hYHA4T1hc zMPkrX(d~=$agM*DGBYzHF&~JdH9jzV)kW}SAAR_RwSJOM2_Fq`OnIpj8yDC0p(1%o zlb)qWG6x{VZUtS~)vv`aHY*(KmN#)|RW=@eR0mR#n^D<2ZgF1L+d38@n z24ti-71R1(p;mo5hjak$SdJK;sgd_qoU?S-b6>8l8r4)3wHqX&LiO7d&fCeB_LiCD zfvSYuL_U)Aam|(;@wZw%gk{^wv5J(Geu7dT>9FfG*9*Gd!jy!W{rPkYhdF<@im}`$ z0Jb4&_U~4ny*uKvlAj+t*Qc_IL4nsS!->dVKE(X%4>m)q;#Y{l^7KmdIVgMg?=Pwv zNA+K9E;uhOb(aGfea928goJEHqYzV_QB@8vCjk?~R;-qrFA3=(v3Ly@X}{t%{5HT| z7h$(KmzK4unND2MRRLIwe`5A6Ozm&fBqukr#D#*SJg0S(^$CXC3^qBy&$yvlid*uC zbl#VcI|if^ddbq9sh=wzJMO5#9>{;_eX@9vf#(KpC(k@|+A1bFLuRWsXb1A7$t0u& z3|LLG8xvo92zt?i??{nC5Lc%2i9Wv^SUxttFw^2fD);12m0_gV9@N^xxELbjU0kVM zAo+8?*a-uzXYhe>_~Me|3NMH{`%4rc{-E7pGtwu2vbjFIgx>|7H2ioB{z4E8xGrAg z1^LFw`W1bTMY zKOL+CwVnx|Cgvc!#e#p~Cy@92FZ_Ifvfut4i2T0&07?dEBZO6cKgM*uzB~@31l*ka zZ!$?YTu^gK9&@6{f9}+#AAE6CZ1}U~zM?!HYtNMKw(cM2dvT~3qj%P<5GyDO&_l3xuMlQv0xBeur zojXQq_H~sm<#B83Txie|qj~#%RUV5NSpEKIAJp{$bdpP$F1)9JzlEP`=fciUr=f)0 zMpO0{i+8btU@7oVV-WLc!)V+%30{foR%Q5e=b!RTrfjPYQ+OR3oetxi5W(>!nX(>> zhVlERv936S!7X2go+w)J>mLDJ(3d_5lugYW?0&XdDG{ai8wz)ew8j|bCzDU+A4MIB z+>pyDr&$!QXhz{=0?4M!PHvvmpDR)N;Q77E%3jr?*{e(H2weJy&-BmObo@j>KN+bD zwo&_kZFmNY>zIty%dw^l+K3o62)ih5q@t!)neQd6S~pm8-G|1AGlYLEX89O9m_Kgz zuFSUn+~{M;kk!=OyL-Etug3B+-(3E&rQP-&UEfXKSIyde+QqR+18!qpeuW8YFmzehhn42F~>^aKEEf(V)m6CUpz(v z1c0dIOc-7W z8_w)|MB;E@xE?U?$4IHF{8(LQAhB>gWUAgT9D_an;v$$r?D9Ln#s{h;W@eJS<|hAU ztE;P%SQDMbSA1J61L!f@5$tuf|DwnAP$!%|fw#MF2SqftjSqgndG7zVJcJgk^SU7D zRxW1iM9G8c^3t9r37&_C*Bo-~G~O`W@lX?i@X6^t48EUdhp0=+J^m50aeF}gS8Yg` z;nfX_->+PPV%1T?zYzS1O0v*x>Q7HKsf<8&{C`oLjleU`h8a2V_#9=2xwlUfcIa5F zZir=o!J|*$lX9*AKQ|o{Yo)}QF=N96%ko9 zV~7$@K{_3V5}}D$ZRk1QWPFBjCR(3+Q=zylRiKoHT$xm)oY!iW$6inJavHrlzlWCo zprLx0#0b+K(6dM7=u(4crbM-rslXQ7z6f_!lo#__X}gx>p%#vyV_`wT#^z@7S*TTv zB2a*WS>R%7CurPthRo5^NZ|63jPnU-FlJ?^2YVWyBU#|v?2xT#m$veA*uM3cqC50a zt5+_U`YRJdh?IVJziR07ReA;67}akI;ut57U4Z(HNVgNuN^{4zRy9`QAEpAr&aFZu zZ?TxF2@<|ek#JWxMG0)ckt{Tfd}=;RZ1Mn2*bS`8?0mFUAAWvLZgpl(ZRKnKW&Gp! zx{J9!M3ZkV;pNe3_*w?c4l?yIG6fLV{{DV|rg?ScLr?&a0lP@*pK9Yj(H?0%tR2nO zfhV9Rs#Q;)>hdthpSRY#(pjl7Q1T00&mM_5AU-XGEdE$2u=*_a93p>a6uM=pa4FXd z4cipWcP);qt}dv5fxg`TuFV4uYmr*QX(}^W$6TAxhz*~qtla^)_25wbN~3lx2rpf= z0{i6YE^Op_4Dnt10Z{KzSV-7bEmCfnj%M%MngHB*r{NhB$)rh)c~BXAc(Tf zW+A~OyVrk507BCU6es?0B2k{D(?K?O*e-K*_;HzPw-D8>zsgwS4wjZwzM^oI!x$QJ&2Syk|BpcNU8~abj|SNLOh}!x?bmVTHEc z%Eg&bM6H;&(1zWM1-_T5&AA28;yht;b;}RVPA=jr7DPoovF~iOYg*cu{w$xIZ7SG$ zK63*W8n~Hqb)KMjiL#>3XWDm97X_+RZeEoJFj|55eLsW8ym#}r-=QI7OHX%bA1khp z2v?bVscU=sUYyvIjCaRgc64rzGiZ!Z8VW#Zk`1z#aOMZ;h`&VOW8x7*%6(-t#UzJB7|BJr+u3$xYJAlrjBeWggpz{lYN?(8ufQhLcuTIfmXkl(TGnjM)FK zL)Xg#boleNH-$Y;rU&w%rLxTSWhv{pO+&-#YlNoZ%yrjk413bvu~~I8y0>X3 z*=HNq^ZIf|1o6tVpPn0FDUCOHJQyvaJ+e7*e4awVsgi(0Z{Gj=+{aG4NWN@*gU*iP=mvY!_1p6Jcty2W}vi3x^VQgg1XSm(D=g{Xe(Aw7Ad+;78CnnR|MTk5NjTwn$ zo7w2;PW(|*Jw(4NFgH(O6C&-ry0Z%KnupLLVhx{k&>L3^i;5iZ{WgI^&7sl}CbIDS zl;Mmszc}oc3-r}naw<&<@aP`Qxj;{uNXke z{$D=0m$N{#q_L7tL2ar_s5?9Yom$~7w0{W@+&0g|is6o%pAvXirnRW``$2$bqWn892zzs`I$sD!8a8@*f=)zwN3 zUv=f~E^1wHoO=Y;c$rHUeG*x|5Emwn`{9tcGLV2x60Ldq^R;_-eOwFqSjIgEmTEA4 zT_Cy9OaC?IFq&Yp&%tAIDH1upul9;okNRrN<|{g9j%|{Z4fjSIDL#f3B?{(wZ6>0@ z`e_#-fG_<|JW>&ln(jXOvUYsX=wYX1rB4<-5i2=+cFL>QXO!M2gHid{KDXQ4z;r2W zMK@~jkK2Q6=@0jevVf{k0R_oeKjDLOliNeCMd)bhzQ8u)7?84 zG5kYl%*+uQ&F!Dx8a&)Bg#g-+iP!Mz*Xi>6=du~# zXluvkWd8KvXl4^vh?!7K9~&f+Yt!jL_w2U;@+=4{MFMFM3~2|w<$pWI5JtC_Axf*r z+w-AfVZnf)0BFTdjmjg^W+^mUh7M;l$*StmK==J{)ED>pDMKQLxSt7}4{5FF7 zi}Ab_6&%n>>&EHElSkj^zm1zf zXtg!4C}?5=<_1pg^R_OWmWJRzN0-p~suPDxDTXD?BJ0wyV>!WVOIcWBt358eTXD|^oy#9Fj zqNHznojBzjzD(r@dc)K=!$1%$As@gY=T7r?P6y0Kx zA5-B8WAOU6sp1H0SC}9C2`_aHHJ*ma>YodcW zlJF-e?lCrV6Gp;@+qT|tOEFDFjdQ0M^%iyKmXG=1t&m44vWRNacG{o3x(qaP<>;zj z>tf3^tS}EAYu;|yDE*rx6r^tHgElG?)ZOXf?B}$;QEAWQ#!S7f<%!k|U*K0Ln@3mZjWohF0>y`_;-~PkZ#<9i; zHgoMBMwAonk^*(drcxjRPAAA*thB&&>RB9JV?iln3Y!gk^$+y5pL(p{CU^1ZV-dL& zp&6$RhJsslv$L}>7!1f+#l*zC;Bc_D^_dGIP**D|ECd+DvX=WxT?Ntap-xCD9YZp( z%Zov0(E()ga8?DVEiVIHZ4GTsUkv=97K{Ku$%_<*S?wPKJ_5!zr zEHLR$TT?HUH-`U=u1P#e37jG5<5WAc{QadzfXcLJ6)+j{T3D<$PuQx7v)%>ZQdz*Znn^S@abfm?=HGmaU_ z0BWoyIwnIHdqMzA6kZn>?}Y z1fj%5<;`?nX9^>bKi60&8SXos$-BwE@u}Da$aV2}206;Gp2T}4vg~j5BenIz&z2pw zrzO#U^2TlBDycVh${njeTKtsxw#k+c5Ci|HNH%CX_ z&8LAM0rfXj&{li=t?B36ygVtjy6|K3X`(LzXnfLF}0K1)pLF@?=1?%f8F$X|&h7ywAy=yny zR1b$A?asGZbi~-(*+IoUAX-{U@FhRY40>o)OUEe5XDNt|o*pXUgKD>Z>q-r06id$J6R;6<_CQfxs@ygND9uyrOzQ#;eJ!V)T0i+)G3=D)|E8d zIKeg^wX`7IdiACEvP`5!>TN0kB1e|e()0BD9<%aYYnz*f&ED{^-VAZfXA0GOalphS zEG%4Rg79DX9S+DWlz66xhY!XOI5$tvIv?DWIJa+r-TodGf%{*?$)7qMe}waL_s!Sk z|E(bc46L&=Z(E8{Jr<1KQ_zbw!e{pD);r_P?=d|D#tdTO4;V~N&vJ}var61%oVE?Z z)zL4dCH(1845(k7p!wl`gv zhdjI(KxQ~k<-W}@aB)LIL&a&hW&=jzmy&UdYHQNC#Q6#eR*547oiN0(&e1GO9H>RJ z2KAjmohJ)OQMkESl+$(xB8U zhh(EELndyMkj4~v;1+da_R{I=`x~|Z!-X;q(5ytY0&X2lL%2~=E4v+$9m1)cbNJ@< zxY!2))bsLc_Q!XqqK)0!lRN^>jwkcUv7!GM)6LfVtgYChj(2p7PI2G#Z+u)xq}Tvg z|BM5o136P04S`b)vB4dGOk)5x)#R@P)lNXxRxeDW#dj-!U<7|oYoErY(S1t^H9j;H z@6B%H+*gWg4}D$}d)~8S-*ZKrpHuAv?!r-h7T1M^NNyae$N^ygeP#4tUg5K_)mwk1 z`)&YMlK24vnXPkLocq_dQHE%F*Y|)-bS)>LIQaYE>gRl%N4KA__Li3lF|qdcl-Sy@ z^aq!Yq3R#{p`vDoKw(lAuL+`|Ssi0NNXDYi?LQ^1josrRUZjg3`<2Mt_pyKR8jH)D zltcfMz#zd3Tkf=o?8}r67%9{`;*rq3Z2eTQrBuK_AmMUxvR9+B+b9a6mBdp{kH>Jv zF<-JVQ9PiNTZ(Qh4pYLJmV9qsyxeZw!0w#S~Cz=c~{=B9h_Koy8l_$-i=LhEtg5QqSvNL1FeuM`k)37k8NJFaCb zyKzN&DX;E=QNQJQ46MY|(}nDs(5D0s{TAju3{O;tSSfpR6ce783eIKM)VSj=PFYzZ z55(r=%sXNj#!LdRwq?!9zGn+ITFbH5SVZywO(U>}`O?@dQY+jWGLRD37$6e;52UBN z7)gHafs7_s4WwYEox{WTK1L4Q$HbIFfEiS2^YP?Nqemq839!^;YHMo)ESjWod$G)M zoj|-6RDKg5l)3K>ha4eKU+ZHqN3+<&X7QEUvQ0e-vJxi$Nfje-I48%A_RX3p$W+z) z*f2xS`QTcV|9LZJ_B@xzkKHT!XvzWM*OSa;MsOP>wJc~q6yKZ9wBGNtbLO&KRCX+= z!12AJ`{aegu}}GVONAmbW;%}MX%3e`%`=0V*S3DRQ#8u4jhHRdcOQTrx0Z=pLtm5| zTw}or$PEM@FwoMT%|#O1#|#%OG!G$qP{1No;UCU1AyGF5_?>j?5Loy^x?P+S#F4h z3~AHh>NW*w4XInZ2Qp;GrV+Q#!vD@nw013e(i!GxUU=te`O(H$WG65bR3-L)N2T;j zVhl^%09~&09a12K|M~wG`(PDOm)Kk)8g9zx_f4NDJs~F`eMlK+5hKd_AR4*2_g8t) zdgbL^AUyc@dc<}8Z$VeU5WR%wm!43(r*b#)RSaq%r?VL-2Whu*ukM=UPvZXWJ6q~h z6TiAdwXGA2sxtj`@gLq3lEuWh z+BzlubDn;^p+3#UqD`y*JYEJ-{m6@3>SG-uGP- z*#We$QM|fa%3Y7q|FEMR>an96DgI^0Mihm!Q{(Dh)|ZU#Mw5<%Zpx)!g@%H! zu}EMR*6k7-NrZu{p2)1I8FBmy6Zn_xgm&bi&n91+bOS&ZHE)lIrW1yFuNS<8&z>Od z@5su&QdD?8^sV*1T#Lb7N#}2$@u5QP@Y2EpW9Pnf2Evh?Bx(14sAo2;Cy38tRKPxu&h0eIDT z909~;iA4DqTjg^Sc@4dk_Fbn1VL@MGzFO3y}-dos}w|u+SwHPimPc+*I2OU zB5>_x?iXWOk~hyw8}|M5tF7f`@uMCp74Z1)MWz^g7lavlEhlB3_P(!y%zTI!&1KBj za5nLGPK)b)YSCDxtku=gMc>K}PT{?){BG+%UkG_f4zS6fLN?(Mqhy2nkrDF#Cw+`0 zhZs2~vJ$v@ukelU!Rm!sS@TT?{mN1$MMdH}O$S%)S2_d|n3ief4t&Emu#aImNK9N( z=kg+#&kr2VTVi2d2K!TTMUKWWaN3}SLA1oxqd;+;fq?;7{C05>kkH>2e&Y1CgRtD! ztdL`0J}9na)gMb_YDr5=TX!^S;Lx;(1n%WlA|61*k`RIxx>Z*!;Tm*}1vtfm<)z9G zk&>G$bQG^%%z@LDjGb9yIiGzSw=MxxbEJ$?h9)Km$V|f_XGr5gZ6$Rl&)R;*uw@D2 zC)*t-Rq{ElxA`i!T6#SmrxO)&m41$4%1Q*{&E9bl0fFjweQ8J}ve^ftFZ~0kYQBWS zoK)lOIZP!T*!7+*(wNo68WqAv9k`Nl@jfe-`v(H~{qOKi$4%NgXJqi?Nv}LlVF9?) zU)qyZc6tMhINoIf>CW+%OKF_Nbf}bOvuTixBeSqQp%ObX>Yn|0`QreZTiC%^|HCO1 zPRJ{1mvU<2O|GV&AJ)iYMi5ZNN!-$i_bu`%rV#X2f@9_yi@3RZG>pH2 z56V_yKQ&oepLf2J?gR5=@;jf;Rc?gTTcJ9nA5PWu<-jaoeR1Nh7h~F>X7sVzwB@px zwf43j-7*(dnDyWpQciRI)u0R$TWyJi%SC}AX?Pw=`}-o#i{Lfyj+F{}co0zNoflnq zMC{j_(6Eg68G?VOi>o1*-8zSJrp`W1`T5wh4Q8hBqYZ<8$=Z#Ub6?HU#32RCnRu9( z<&1L7g{=sjuQ^K4uWQo!3~6|_JVa#Mdp}yt?Q!$|g&S`N-%Iv1F}HOf$~+1Q`6s1U zBvshNeZq?Ie7uA3J{<_3X|B4!e5H3ak)15=E7-0*;y4|m1lg&ZVq|}Ljl~}Fq)>~G zjD`HZbjwBE;`GK_g;7{B!BMdt+NRh_VkFhg!}fc@(xZ`E%T_P@a%i+!kLcbx>n(Oo zzDzOVRR>~^%NX%(Pqa8n&&a4`v-d0CqOHmKWIT&<#4c+~mPIhhQ~zI?Qvyu^m$3H8 zP-A~D-JGVZ`EjkHCvnz#<)%Nre>cpzfV$*K?Y@{uWY=r06ra`~CQ0C0qk2dGx5VK2 zijLv>Ym}rd?Rw|O?`Bw-_q=B8ma?Ak%J)y(8Lu8MA5G`E`e3$=fJqHd*#gvsg*{Ju z`>n&Z;Q^7wC=J}@@wSv$_j>=$lO3r6%jb%$H{xG_U*FcQz85!BNFXPyTf=dU#S8n9 zwuP1}?Ki6BNL9{=eNswJK8lj#f_tws`{Tv`+J1Ow@1i6Q2qM zeQrX$UODpG#_{pS3`|X@PAk4!#W1fsqNOmHMm4;H9>3Whri7ebOKX`GrqxkdCw}4h3kbeV|fM{1H5a@ZXRmL=+*~^8)?TKhY1XKc+sZ?{w3b@C{O)e)T zoy@!2kO5!PN#`fvwEnge=CmkB^_cn){%Ud8WWh2@q?#xvI|coM)D6&spW&R>Sb#cT z?3d+4a->NkR<|2n!dhj?vgxz=dQxa+T@yNMR@5d=1{~T%+wU023h^~9Pxn>M(Es&P z?@y2HZIy@t7bcfcuqL$P%UxM;c5<(Aq=)@DQIH-&M!gNwWNL0|06J~%})Wc}e8Jya*kU)UZ2l^s6 z^hQXI$q2}Qc~99xU1;7yR8+PT**W53#6*;hL;wrMo>^5@Q_){`xdv$5?LoNyn|g*CXPz6E(HAyx+X0yP-Xi z9iA@oV$7gGN=5E;6dsvaW6KR6^ zzAfE=>@whZ^Q2ZDXtw`kj{y$PC6#*mTy^t^*SA+(!srQu=-mo;C(kg#7xEK6)tIal z{fNlv9&{`gnUk%idRGeZ-R-C+p#HMawcS!v74*e#DU*B~CQ$HFJ7WGC3-1mRnLbJ_ zN9@ta(UE9U64T;uNV14sEJar@J*YA<@1OzGz?|0N3Yj=8i|v1#WP|p(w0H^cUacs} zKf~U4wE^4Mtcg*e~a;5})2TWW`*h+xl1nWanHprm8DmCkv{R=xy;rA0`c3K{mX zp;dIbQ2&sPNjd86qh7a+u&3l6x4@5z30lQ8re|)-G;=?>shmuv1`w9HqOB#>Nn?KeoYg8+G0L-FL!chxJNFbxWsz&qkCy(JO_I6UW<;B(p@iEH7QWnfe?Y zw_N3x;Ul&bqJBsAGgD3@q3=r*|59>n>4I#_w|>QWiC552su3^zeo?0xMt5o4WVjYe zT>7l9zOzGCD3)=QxAL)Gg`Vm)7Rlh- zdnBMQHbZ(sa$~6?Y{3j?CyQfCLdTSKt;3{5&lIn* zV54cD+5%9h-q{PMKZxl(`+pUt?@mTxO>u!hP+VI$%5s7 z9x-*~dP;I5DNO=hN-4-JBF5ULxsUr0_xWwtSLp>`K9=(EUMp&x6vX!4SA7fB&>cPk zn<{DP=^w-@9xn)n(=>{bT8VtU4Ri=H@%z40aN=mq@RWO#*Ko9pa)k2n=EQ+nKbrz! z+SA{@jIOaC=195ye`FUj{d!}L2Ic-S_t;go{E?MoHuh42v9UHj?G~VbV1$#q_YyhQ zPNZj9rr9UPw=2&gc5dJ@kGsDiWj+i*o|&| zF;$6k_W^}W(!ZKCu+4phpXu%b$3SI3u_onIt8z{VZ>CP7^IqJx5Bt2a3J6V}YNg@g za?pl2_38-zq>_{`bx@6S#}MUuv2;Wjq@Nc2lJ+p!9URxmEaK$kVOE8%JtOv*#LolA z{5RhTs`vIY%b;K{%x(~kJUnYw$GE<|H3;|-3Xy*zC6K&@yXhhRA zzRr9&FEqhYk3V(5Ai|yBkox`Uq?zu)$qHo8K~Gz?E{fz4T}4Pph;3=Te77zEDZQbV z&!tZ(cAirUE|NlWlJDo#(()+aGV4>lTb2&vgoMj+@u~`sXqFuw?G3=4g@cnqvcURh z8Q1CZe7`@o$^6J5z@Q0u;;g}T&jK>Zo6A+{(Mv?~B5cSXkH&%{DNMftZWAMa|3wnjMjK19{xP*4Ge%Y=nbsm3Czt2tO*-=Q;cf37kwd`bn- zg|2+@E{}4O2O?4zY{-U#C(b03zIOP06$_tj{b*U{_TI_zoi!tbHv7%A#%>53)QBXx zY&j%MMMFF6bx~%BnJ^ycMP8f_iZw|@N5mgIv|>I8}icPWzGoO6 zUtWBF7+FP73$E#-ua*{8>N2F(Sj4GoZN)T_{Ox&71|fsaKY{^dRK$FS7pY7nL{ILV z|MuXg-?&uzZyx+!lpr#5(VVuA`?INa9BhRo`F+=2t4enZq_Rlg=lS@)Hxd+WoeSd9 zW_T+M5NpM)NPxpX0p8!@4p01r`!zP}i!B|&(4SaKli3$folN}J=wMXyNL4;_wO7rTy7w%) z$?arjcOYQM&Ei`X+7*?TOi+q&7|b>Z7jcq*t#&Z63NoF~j^tJk*@F3bvClGo!Ruv5S7b^1?%-xFfd-q z3`Ub)EZqnPaxx%LNanOgt0-EQu;gsd&lckObYK2*E|eiD6e)F9r6B3$1x#wdX?LXy z*t+>tWyL;Lhyz04f8Qf)$PJ;ilHe}EHMqNn;DO-o4vV`>2*C;N8YH*`mqmihBEcPkEChGAdw8Cg ze|>M=Ti>nkTGicxIxu@?&Ya&&cTac!I#fYU5*Yy>0R#deOG}9^&U8<`&MNQq(~{pcUnxR!39A z$6HCA!8WEK&I?p{;2ZeIZ12HIZ#+uy~}*c5d35U}%fo2Z?Qjj63O=zK7-4QPAyc$*5?+1eCT zxIab>00EK~6H#$b-(B=bCp66vK0HtsWEUJ4ypVl&Ax-)f?N_utJmvSFI*2snhq0<| z>f%^_rA;)5VI}T4f68C7er`Y$`9c%+nT+f;nm^iy&+qs7*;Ck^!Qsop-DmAW#8>0x;ocAt;a=p^M#yTtHIu|yc75bB(?Sz{%?M5;p8bKR7l>pByd@c1DA~ zlfpJ8ar4(7rj3GF)6_>uM7;S=PmeZj)-&_UMEnYX$vWB>_HDUY{BCo4Yb-a8 zKI}p2xtC+b`y5v(Ud{AgYdf=3OC-{I=5 z{6hpfqnZ{!e_A@n1^p`0dB+q)80chsaaJtso$1Mdr-B<*uT9LxQek8}aXV2CFUY7O zYTnI?myh@c;ijI5(u-QZfLA4@ZzyociMGow7`6~zb5~n3e)bOAdHHzFCUU4;F=b{j zVP3G-nrTlBVL=`d^rn0vT{Zq{MC6X{OD zedj5Vp%M~Ahj@*(#h0Jo_a%vnFKw_E8DdC|Q*@p7hvf>^!&X3&x+h?MljL_=ky0L+ zo@PQNoovH3qCT$1EUmUm4wPVS@$H$o9e-KLp_o$=e9-4$$E*eoUs&Tk@r0k-d`s&2 zOq(Ijm&W3nl~B~T8j%epdQVtPfs>m0ak(lia6@-2$Lo?kGQi6eKIDH375h;WzRP8C z6}jh!kDqFx<;ey{*2Rt=fQBaXf2@(p`tTHwH`)y^o^sRB1=ZKZ^9te<@Nzx-VZaqI!)hlZ%T-EjS2K zHu(raphG+fo$vNtYe)P0P)XYRCoJ~e1u~^5Jv}{xf`S~0&_N(~q)(kwo*>h>@4IdVx(-> z0A)Y2qJWMSY0smhsi~==f`t%BM@Kg>Fz{cGpkPu^_$c%EaUud<;1ce?;P~%W!yppz zCBeSi8xTve!T*WL_>5=#tW3ZPsiiMi4kn6(-=h)KzAmrtSWfzY*J6Wfj{WSV-nI;x z)kT6y#MV5Uz|cFlPv*h~dxBg=F9DnMuTA~PY3ZJdKpU*BL=t)ro^yA^t`?HZdTu{j z`{$n3%+SjdE)?Tx=)aO0gkj!nb3~=%mk3;!?l-5t~ck zCt)&cut}rlsrKN0<#($fggvf!Sg?pbX=m#jHQeY2yn@9Dwyd}bnf7brn(%aMp`O)L zIKeZ4*B@4&x7V2srS5WX@2MW#UY>CIb@zF<&Fpz1qrQ~n=xXEXzH#)S-^lMj-Lv+v z7SFHVpNfU&*-H*<)onN9m}c%1*yVb!`U5za{EJ1nX~ss`cF1B7hTqJ>S+^tOvH{7-S)bYNy;h5*R$N*aRf??8#e!3bdc{(kpC4Pwpfu9)hwR@IMas+# zf4;~tw{T2Xf}|>M?o1k^(}MWAYWwSVLSzLJO-+n`SNsJKaQdRoc!3#2as+O4pEijt zK>Fbm4io;6;`e;qS8f-l$sN)i^XBDFl;Vb4{5naD9|?4Uk||2)`tP{Ba7J9duGG6Y zuk&5aDidity91YL-J~6R5MkWIRNw85xWWrJo<9d3pv($W%_!M}!M3$(+BohHW-9%r z8pG=KHzEhi@6OIpDT8f(NJYk&JcyPgrHyBYF+l~Muuw16h>3G$ukpS*)(Hl|g^N^kN91ju0rVr>`PvAzItRJW0siW=UimF^Q3YB(stPDFBC_Mri*bEvj= z714=fxg6X)snjNRI0B$CfnCFiHa^cRF3uE3RuXiq=1a+>0}FQjIVI@rS+d{!gvBlr>dVp8age) z0l%zlcDvrvWJj} z`ZIjht40?wsg6U!&Xhh*{}P9-r?7M-xoim1G6YE0_s=kq)tq;6Bg>LEONw#urkkE~ zH;KiTNu^}Nyiuq{I;IaA5>%$v1L;U<#bq?Mg-jmC(=4NX9!^#x$-1VRyH(@c_mw|3 zOL-?>h+1m9-G(R0>Ks>92Q4j4rW+Q*Rn%5zg@kC#&O|uk+8wyPxq>g)2EG5dkBPff zm(_Md?jR>-=^e5vO2QzIO}hGRKAxyzo{Fj9TloEW%`xWA#{%_0Xm|o9@$5T`{awrw z?p?uBN@G_5dR@Q!hGiz<(?!V(S_Ges+avSga=q1`eNl>lqx~-y%FCB$C!Cy|DC+nw zA7c2(2L#-n6(otA6f3sFpllJ8By0)KL)!NpElsWq8z375@8#Bo9J1Xbw#Kl?$*IJ$ zjS}&Mwxbw@q>4XE9!y4-z(4#cb)b%l$q4A@-2=aEUadLqKXcJOM;^p8_nDG*h&hHq z-<@@1h>L$rfrL+?CwvoLS`5p@aKybx?o#a``_49~g+zh`i9&F4SM>Y5Fc8qy9eo*< zg5Pv3TvVm!vo~@&r|jw{Ooec>pR!h-stL1rj$nLhx)olfB6e)B7D3*pyTGz*JSbeM zjHnD@5@kL40G-_WOR_U(3`P8=-AZ{cV&^_t?wG=}=V`)Z=K|9qdBS1|W#c*6%g|O1 zEzd)A_6Pd)Co5O0@_l0@6N&&W{G-2!|qQ}M&yuz%k6uDO^Jj9#tOeiWyH z?V}U!$d7ybQ$LYJzfVj!ANK=b(+NeqoqyogC2_~NHjSWtPFjsR5+pcJSO{fQX+K93 zyK>?9N-bg0>$%kMtw(M%O`ZNogYB%|bG==XTCA0`tzGv{emAmAkYoL?U7}O5`?;pu zkUzh4LJ(%?rBoF|x_RhXA$mMfS}srHPz;-hziet;DSPK}EcUjSrQUNi29M|ltl%im z0o7J7inE&I$e!H%wy$9|DUDe?by^NLKRlIm`ztwDF8G4*crU|=_zgRTGx&A6;D-*9KYaVumK`KnMjv{fuz0J@ z)l#*7IX7lp+~H!Hjh;~M?)f?syhGnIt&I2(I~iF6w272P z>FA0|Jgvpu5);$Yn>oq>LpeKto}nK}>E>BRoTC{truz!dDe5r|eEovszw&_`XnfvjHW0EpEh)a9&F-Evi<=2l9A<64m zMUb`)uU5yVK`ZTCSUOh ziw|m$%7mMnjfub^s5;SKzcSwQKX7p&79Yj?x%DmYS7z6G;@|Q&Y`{58hk9m6PP)w}#`&ndz^ucro{9XIksIGqo;%L4vi78<1>U zLtHp-Vrl^&6gat!kF#@dtp97#za%xFjqVJ+aBH5+`N33)eilwokfh7C=t@8PgaxNb zQ|0-9<*}aiF3?8K8ijV(ilj*Y*7XKc8}d+7!VeYs@@uyUIZKaYdftO^F3>O56ubY} z65-w-h)=R0TCRQ&v#af4a<`nWYRGsPd?2;}_GwyC73}t@dZGP@AO8CR zY2yz$^jX3Rr##|8_)H{ea*g`r_|#DFesaY^R-Lz;(QwC>+&&X9oxVA)qxIM>9=Ab; znb2@EF_@RjWjPQ4!22-WA#H={X4IooB9=gf|>GvlhGJ09k(4t8EIzE>V z`ewWz<3YB?MtSm%Q#cWRvUzLJMsrG5O}ihg|FQ(JPlY_Bx7;d`b4R@%a{AN##-xgt zp}ws_>!hv<66-i8{JyhfU&z3NzHva`^9hUIP-v#0myooK6M?8!T9m+>*=0+RBUObh z!Fr_pGDT1Y9dwOo^#x7hjmp)5X3D_0YdcyS>;p72_Abe5E_#d@uL>zhmj4x`{#TV; z3L`^gR;jDHYw)jK47QY3jdB>Dl*o7@;+{}{B4@!j$!4Dg8-#qwU4!n_K8MQNFV;O( zX|5#Qw@GPTrW=DP5Z68O9DjfRp)~FS#w=<%o|UhF!)QQxdCs~UN~CIaADHTscm&a) z8IQidsPs12&p8VneDiHQ5L{nC%3aG4U59byPDz1okCnFbDMq>G&vIT{OweQ`Gx-=%d3hG=+9TE^RW!fSFiWS>xQ@iS2TqKJXYa%w^P65X=PyW zOBcDK^?Ex9nSikDIAz2;zqNHq*J;$kd8yfhii&Dq?KN88vAaZ2FlBS`!ZeFOd!!Kg zA8hCgv<qMi+HB5UZT0*osXjz(qwFM*qp$Ll8`H!!;Xg3RiS~crG)a0~@b_nSRtd7ti!y zZ<0|p<;wkTW}CVn=eix*u(eCM@I{mDTFPI&_vI57>1t_#6>x2EXQerfPMdsmegm`x zq*nfl-S)rR4^>ThHAlcO=hIB-R!323=p2$foH8aW#O1Km6x~ScI98_4!kJH~xs8h{nyQlY z$DHV*!vDrcr?0NQsZ0stHM#$QC6GXCpqF`GdF9{W=wQH>khhnVYe1=98KL02HZ!?P zBUeztcP-HHH++0Ve&Zi+lvFby{1e%Up=&)WW0HAQwvPFBBX(aJ1BRlVT}AHkoUS#X zmPmhpNo}}YLG`m&@$C#k*45P&f_u!v%%T$`|0ni~{!>(3R8%yL+fJ|5yK!7OjE|4c zwh@*HWp2AItsZvtu|)@&d|MYG2jSTqvpRU(olQ?y=x2HIad1q`&-3%}%uG#foW6tKLtN zMD<=AEZbd;U2SGXJqGbe?ciJ@ALEq~AFg;-9T$OUjoYG2W8`CI=osaH7W#~-?QfiO z$;ERR#t3(tPV1k{IvDqw(SvAA78e(_>#TXbFImthCntweIc4nKihXX*_ZA`a zmA*Dl`=Y+2q$EGzYG9GR>d~huSPhKOLXDQANB+Z z+g{HjG7CS1$_R-_>5v)&0`9p}RM>ZbvA2e6n%yaEIXg_}D zS2}}n88o6>?4N;1Uua6{@R)an(xzh?6D%(@xbMBtF5nEZA|Ef1J8N^Hu?J>u*K&q~ zJ_IN-U_7xJw}YjNWxt1(izNbfGg(p5fL41etDQQV`3ZZ?oyq#stY(@f*rY?$gT+Xu zAm%&SWFChc)4QN{>~IuWWvYeM$>&;qyv`|J18Ch!6Y)^zP;iT`iKU}|Lqc6{+im}3?6&)No+vWWCBoUQ#$`tJ z7hbhD1F0qwLIhWZ>0Ax?I&iKgArfWnwJiOD@Wt*#Y-=122KqiB3J49Wm6D0hSd5OM zyx7uDUl^St2gY3PUSM`}{@XS%{@%srsLZEQjKM}Vf^`8EXQA?Lo#x8D-2w;-tjMh9 z*pn;q&GVDEuV!l>v@-Itjg3v*obFh_&@7ORgpZno=-xdECua%fn5GCt;+z*cao^yv3=I8eu@H_)Hc^n^Qsq)*KNL5Hap{J9@9aRal?VjcQ7Alz8FsV1mX;29eb#qa6q0ajXH5o_jJDULv>j>_cE*p%U?NY^2=8 zs-9IE%QMd3xprpx7BSYBkW>TN)Z;MbQ0QFJl&{y(UMDV&8`8x)GkQ0M7N_(6YHjoS z3nn|w8OWc4iw9Y#7SCFQH74$GBd?nSdc;m`H00$6UEM`srI)-8THKa>E*9OE-w+r4 z$EJQ_%o6lE{|b+Z6xbU@B5d3f0sJfL{U>pvgH}0THieB!X5~5Py_vVP4h|#V!OAw( zve(~WK-5Zj%F1_kWAZD5)3}KQY&W~86Yt4%@ZXJLgmKUYlDRn~NjGTFbMCJ;DfZ<9 z8!h53JFvEUMTozNoCaApO2w-U+P|cxrnY!poS&Vks;J0j@J$M^~{Np9DhJS z5h9VFf!+(9m^#{qI1STkq5G_FwzZ@(eQTK;z43;YB`rGkXqxj8wMvGqQ6C<7 z+861w6D8Lo_(xjT&#(KLf~Wv36^(lP*1<3x(_vWVV`p2Vlf$aEzNM)R_p&oPx{p2V z!I`08A$9x>)aVOaqRbfJ@q#`J0Q<9pHqTxz-C^}dOcj-Ii=T!4&xX8Yr*d7<=_m<6 zZGQiA729Bedr7@Vl4IfFQPZ4m@1PCz?Tcu0L)>n@SSnw>pZfXJsy}vr`EGdH^|1@- zmHXbwJq*fk*OsBGnxJnlaul;;(si-7bK8y@>*FJiNu8+gp6yo#n1uH$NAwQ7-Xnq; z4_8^z!!p;`e11pam2KAvbp4mle#%w>1o%-goDvjw2<3g3wMxt^t7>^@;J zO$H1zeCbkHc&wa-pzm(TI*O(^5=(VQua2Ska10Yf72*+7k;M{vxE+x9?kJf0XO5M% zR?|#64Zov`CpAj1=B$G6&$;DPsw_tH%rkl2N5zlS^^ws7E1Df|jiYE|LTof7^=s82 zd0~dO6)>N`!6ZmG9H2%)2%SJ4VSQ~~hYADSa3I8Glll=$yWaLdQW)QBk5jJ8Y}op8 zvf`y?IMHxpqF){{0Nt;`)dNlO?l|h{hvTH;oI^44Mh|v}^2GRv#)Ho;{kB30qxwdo8 zM5(WM^eH@wh7sLsj9Cxf58=!or~cUfrg9lEmwkLy8cJU(rWYk@oIdv_pOSO{MTS96 zmm%!eF_5s*=p-uEpO}~*&TM;qyJ^hawkxf@`$papSmDpjFzwaj)A7?j3TahjbVVPZ z&RD7+)#g!GXB9=QdSoBpVE|uMV$<)cO-IG!$@y|2<=7M5m0Z`d>;u+U0q^#s&bIGq z?j>!33R)#R<~yMq>sd*m4`QQHzRs)FBUSL2bfFlCxKlox{6d9cUM){p)S~?Jh80~@ zDyozABZAxAxbk`}O}nS#%224Bu+MQA_V$k?t_2rddd9ON7vN?ZDWN4IKF=kO(UW0z zX4H`scG#@>oz)`|1VNRneC>mnSUTpWWPVyrUCsTfy09JCW=IW4q=FRQ{9~cJcv#7e zB5d4^I~V<0?6#oLSJ&57qmKj}ECdo%Y@&8v3OU)8biDb?jh=2Rk{P}-RvpX~A(!HZ ze?_4WNSRU?%^5)b?{1P>@4M<6gX>Q1ls`liShXB74XsK?*^lCbKzOyc(mFLV#e^Oo zy55fV9Uk66i5ECrdm~#HS1dGprQ9U7gPF@9d!@TSpRkC{P$4~`AFxPz(USlMfef6F zVG1z=$sgz_@{0wySkTG}N&g3(dh?m8ehxCFoV!@ zI}ueNlI29|^R{5Il0G_2+3ZY(_3nj3)H;L$lO0&`VDGmMiahAF8G9M10!P2g+?Epw z--5xGzMj1&UcI%HK^S)H69JBjoshF%&Wv>S z;H}d4bD?Sx2@;pOX7pBcZjO)&C#aUtrPpN{c+A2Pl>@xPFt0d$PSovfz54i%N_BqE zEW5_DD(zvO9oZDYVuR0O!rxR5C(1v=Fgj&cjexY^o)+;@! zFmMPsbb|!eM-rT7U)NL7(IP)=40ngx`4lD8E_#m-iFNVJ%3A@?1fc;BUBOb~p&sTr z8k3rh%~}%X;L*@g8swdh^uHXXd6X^zeGFWiFR#E4XyQ<4E)4cn*&OIf%C6bSfBKr| z;ZO+VTv)j^RL^Bn`6%aani&>|u3x0%QJ?L#c06IB6cQA?TB4_Ua?8(5$@gk=L^~Qt z>;S|3t%_@~mx~C&%2~>6Z7aKeDieOpfZ zaY6iMc~wr^BNqHy?`sLB?i+UkzaeX*_M*z;^GpAf+osfRGw;!uI`G&@UIz9;G%xT1 za$VAHx@fBrA=H!8OIi<*i_94vNOhd2YT#;rgLj6jdZLWrWKs=7oM(Tt(cDhKtghKm z6+F~vL(N1Dt2$!9QM7*=9vExn7T;lXn0kAEd#TpT+|7*}y`>Fy*S4qE>avj8S<2s9 z-*y7a7qjkC%qS{JXT5=N`{8}=T8ypOIr~qHuYcPY`XwK^wlepi#JZ8PwkaE16c6lW zl9HR8%l6X1;?ZOJd&@`E)K=lAKYp+7+EQnES3Kf(do50#d9qqp`#|GaQc}})Lt;bC zA$R3B?R#|`UXG^fXrgbGqJ($erE}fW9Xl>GST+yC3_?(r={ico)k4A7)Qg;|$}^Qp zUISD=Tu)LL6&K4P#Ps1p>BefP_sqIzkvj)iU3X8s3-$p9S^1$Pitxpur^pAfGsmZWVRL^AciO&yJK|a?Aj!?dMH13~m7S6f zcp9KTnED$HDk_P7cZd&1S%|i&&9!=9^|*pyZQ-$cuklFUn}WM*?Y6Nh96mPG9ylfk zWup|fpx9W(e4PBmzrlh?GL+geQEG$w^^OH;Us**)c#;HfcN@iz_nxy4EbtIC2f9jD- z3LN`PVX+T7kj~ZD>QawhD&)a)c`PXj`Si>*_aEzurPe&X=)V5(xq%dj6ig9+1E8ZMGi`obJMz|PUKTPBTvT1|iMB@ovj+s%ku@O# ziP(*yp0i$zSy{PB5^MnPMiTizI!CJ_WA-EKP#_38Iun#=0=qFgo-gT}3diG!w<<*A z3{{B-N(_Lr;u_$Uu}S2ytri!bUz}NuJ14a@tY)O{&5J^?m9D32yX()pF<3>YR?|>C zX{>IjUDp$XXTih2owqBS+Ct->un2y}Qen56e6lliS(6P|BYMD1M4%@BQQdOlPfgr( zwm%k^DM4NTbKM$+O%zUgVhEy)tgDjoo4_u z(7Q=p(WrYa!Ed?Jaynkr4yCNkfJafsFC># zW1Q;=LS3wH_7#M?&@3X*~h~_zI4Ee5Rt{woP$r6=viD+)}T|e82y>6PU(|%b0#b`M^ z!#?g>m`G)H_>@OF`kojYnre_4}|ai7mC54^Fm@#%Hc zJnvEH%>x<}GA5WGO>w7)muXeKyZ%yITSCt=LZof;qz)d6Gp@GJ7c}uJ)MKJ|K^fAq z6hs->j@jC33P>}z-!L5l?TNhZ;ks^=pX1?|_G!MGo~Y*e>ROYb!+>RNrD=stneZkN zT-2RG6BdfU$Jqr}Xn_7+ACdL1e8K`7P%&tm>B=?a*L@>?UYxr4UbVRwSBcup5LiU@ z@TrMp{52!fr8tvvkHT2Ogb@weUZ zV@=0$j=doH5|$=*UX_*w_b38ij0Djgyl3`t892{fd$AQLZ-Z1@H?Z38o!Vn z7;N;|vEzr-KlZjk8w~_H|BIaegvI|=9yRFyZylppd+>~}l;wqJ@>&5EV~Y*@X>&3h z(O^3~`Gkd2W(LlkElu#V28$055_nS>&47az?Q_Ms8rv^_Vu0*o@W}c56{r*0U~$^E zcDIzV={op+hiG$Q+SW)1xEDbK;6|`QM6rWlMFmCcpJl-c#mT0EL8>pQ`tRL821y6# z3T{O7qLuN=`8+!bORO=9s8o6DkWVEPMrnZ_oCOSCE5N5>vc!*{h*yQs9>%1FrA}_4 z*oxuiGKX!C+pHcSxLW`IcaHi25fBKKYb0@CjSBypM9_nAy7ufkHZhlWgKubW?inxcA%-$^wG07vul~+NJ#)PhBT`@3e`=nK#@NVDz%LX+gDPQo>5l(tK)lzc$B%JzRDd$ zM^3;)W{kqX4NxIA){}EomR^{&E0;u*-ku4&6~h$8yf&cRIZ7Cuol7JT6TavxXI{Mk zwl`^+0AESSSM#gX@VA*wGgq1@dwuc;*eW^H9s}}op2uPC9pAn)Uo8Wp_n9{mI>bn$ zQ##@HyO<{OXj%A5SB2J4!7lDnsF9iK(!O&|8v+88m!SU-l@#>+zo?`%3_|~jga5x) zjPQRbM4v-KSaE(2oD3CiTMrvrMST!&L;<~@y1Q7;+Cdv@IO-vAnsnaYNps4q#W}Ni zo4Jvo)4h?i=)Dy27Q=Z+u>#Q@)1MOHk@^=r(2Yz^dkP)MIAUuH*RNLgqG8~EUN~8M zALUU2o{7=Uf0IZxggOX$4{?RNal~bf1J@hA&HT;?jorX`YwYU7t!{xLs?Y}&g%1H0?IutwmnZsa2&X!yj!;8B-e@!Ae)2MANZPWa2MJ`5PubZCz(1g&I`vU zM9zbRQ=VMjMH{LlmUuNF!#dg90{rLy=(&&y^9$hvg(!V347VSlaG9q|Pgo2`!_Ug^ zvP>|u=j@Zm)|73AsZ*e3mRbxG=|;%sak=lH6>qr06-B6jG8tYZFw_j74isFrh=z}70KFux=e=uJ_+^jr z)i>Msa6xCRTo)Q36eKp_i0x4OCAqsK&t_3E{Fq(fG)*zz%mH>BJVx04&SF~Jy@*ZE z<XY2|qby>&Z(%h|**q8<@T}QJYgW1m@ zpU8xxW=3@;YFJHXJ~>d9FXtmIdqR>3U36M`D-u7G*cUz?^8hmZ1*_kmCoCQht^X;> z8FcXfrCn|IDN$SCp!uX~fgA*~VEOMgJi%e#zXJ(<4Tk(;OAdVG;Lb*r*8%}v(;gk& zW~Y`=b9WznZxAWK?^fVhJ#q)g1OmkJlo*17f23^y3qFW|KJ(Cj-O%w$} z>M^=hW92dCxskLQcneetA@u(G1w!Y%yOBrnwP8i?HmcN-jHjB58lC92cOpV@2iG98 zUrsEK*1bg}K*1JihsSoHir*ov>Sg(w>1o}H*Qhq;t*`ShNz3YoRTN|I1EW5MKH=hF zu`Z0wVeYI?XQ`P82+N;$ETof4>2BSwJz;SY#P<4q{vN|4Nh{ZHa?y;#{u-XO)buhw zjCs?pk?7^#Tnk(f)y7ByZ23#$L9|_T!~2yGF>>JT0OqH-mzJ7Z;=KDhZ;NoGNnlZh zb?0!DwQEXHMm=exG-D+srx_MGKp6E$)d?2s5PL`5XL~_QLprk@z9vl&K_ueggh8>i zW!CVPO1;txdMXd6t@@Mb?_V)7wBi;2#o+OugcR}50!76Ycsf?>RaI3T92^uC6-`Y| zKV#quYwWY{9wQYX>QZW~x|muHv$#LIS|GP^YP~nP$aBQi9y~z}$U_qDj5KJVdJilq z92Fr75b2bE2}>%>k_xom+Y#xJuKo=b8 z#qpsRJE~~aI)~iJGdL0d!L+y{_PAp`B9qhYy~K!xMG=m>CcXC29MX<#^3MkB-Y58G zFQVu53lptOl?vQ-r#a1AryXi;PQlchO=`ub>-I;KVBnykd9u+ zWb5uKS+h|5`9}dA6rsl>0lGwb`Aw*H(jU9Dw6s$WVVYh6L^nc-mtUm@CH_P_on^e3zy zfAp1r^N+4ZPpYfq+G|(Xi%%REiW|zeyO!#tjx0l=Rr2GKPGDZ1zv<<-o60;tKfiv9 z|Jj%g_as_>QQN~Mr-&z6R&GREyZVom#9P44{FjR|X0NAvIu+-6ygBq7t?y1#TtGzt zqi9rcGd@JQG&l-Lxh5z>2ThY$^>II&n=ZWlo^z)(I?`z_uzn3AvGflsNvV2vNOEKdJNSH+2g#()|dIXBXeH*<=>#y5XN~)D%n< z6Z^I&8dU}kMW!ARZggFdMv<@p>Dc=ylciWHLxk5Rd!MjKoVb@b{vGQpFClr50LREz zCSZe$bfnExvs;vn?Y2gf=yg%ESYr)kYh*p>7|+LlwUM-|7UL(%$o(BS$*H=M2so*H zvBvu)Cq%_`B+}{%rkVO7$0x#jgO5|Ta?sW_Ej+a35fhcxAIUFh<&T6!<#*nDr=F=P zY;JkQoFx<@OdX-%ZQ?1I8MPhSvPlnKMM3xmm%J; zJ~6y?zKp!VIMSdooSSuT3eAnqCTUy^HtzNEy+?e5{qX$x(ISDznFg#XP4i5H+{j!% z*D;~YPiyhsvk%f`+TGLndOkRWChzBpP?6Bg($Eag*)xFwSJ?jI2Ne+w-L_l;y| zYwL97N6_Bg1Tj^l2E`-K<0qASUj#q6wgO~t0pf%G{VC#$(^C~dZzd*ss(J`j6S&vY z?@l@o%hFwNBDw8Ka1P4cA}%R9f`xPvgb9>0$G!1MvoMkZw6Vk$3r5DPaL99VFt~PP zT{@RF%mK!yqG|y3r!tRvNG<(Qj4`>Fc5ppm2<=CyY#zn!s9CJ>)HJc zyxz0GyGlc^H8*0tJ;QxA7MAy7pC0ZpIh9zimePzWH54$C7!K@AP_9j~AGtMO$tc@H zzHGKbgp#p!uFm&G@1bdrwDCQP{GV0GZ|VMX)^gki=Zd9=NWmZZ6RRoq23>pDy{?wl z8IbwVJ00{|a>5_o#Z&c&pGY(#AV=oN_YO0z?e1`Cy8f(C=W2AbAPKvg7Ws$tS%7e6 zEV=1j-IAo9b%uueN3mWxI$>vbJW(d!kco)pIl>bzH!^Yr!2Ydk+B`E)cKxG_c|U3P zw(a%tnX{4IItXaaY{ZY>|sYeE)Q>)brqPgKo%K0Wa!Al{Bgb*H9 z{I~h{a&i%S?irKvIaMF;JYiJXQ4zFdjPy+wmfc6SKh|=@#ZHe3Trop2l2|9H*s0@N zn{wA@D!1X|C`=94_A-Tl2e=*HZRr^(JX~3FkD@6uD zUrptQ*1b~a((oGeLB^hoxI-7Z7wxS2pwcR{A6(?Q&9R$+A@78yF2<)j@7}Dx7@A z6hom%bNN*zgj-RFc$%JE`B?!#MP1QlBr#!ZlBGJcvmuj-{JkO}k&cN-yPK7t7%V!F zVg4YW8eJCfz9^u7fFE$@jb6`US4MOH3`AqLd-9 z$mohc)?%<;5A={681Du4KomY~^oTfMTOZ^BH7P#%lLnl&J zt*WN>J@AO@;0mAum+^A!T6x%uLv@XoJ<#*A2A{BScTuY4`}{gL>K_`C>alT`crYzl zamxES&ih_j*h(Rr!1ssZR7D~oA04r@;GGZR(tqtiZ^?8|v+pv)cE-8W8sh zUxHXX*L7EOB9W>y?0y4WXDO=Xd;GJS;wDjXu?ZX*9befWg<-iw+L)PWjFC9>M|oO# zKV#8kA|sH#@!(m~As&%Y>wZT1lMEC?hOA4j=8)XL(g95(PcL3lWa=iR7~4P5IFufu zB8N>?r@nPrp^k!0y9;&N;S0v3Q#5s;NmQVY$0gAw5~^&iX)O&2vDI++?!xj`DS4`N zu;`1gTo7RPL7E;h4L_v{%xMd|-a?@=&7<+5sGGL9nhmN; zLhbHJ#1?FUY_> z;V>zaTKh#B7AYdI*x9M@93FCo;GNe2^r1X^K52Ms#l^@yG+`Z3EATPlm~P7QpQ4OK zzlGVB+kv-dF*y}wwzty>uOE&_#u+h__6<3uNg`?}C!CkrF7XG5O&D$QTobPgg!Uu_ zE2eYw z=-lsq|H`PS7xX=fzm`HrU-Y`qi;B1sL-^1iqBPf>fMX1Je>auk*6UHS1 zRsLheNzKor48jsRAsTn_ziS`LY_*1$HM_4->BDk-kc&Q|6S2#u_`Uta8I`nt*Ys0--((~{bVIU=|IqLY=o;u_cTdRhB?*o!(uS>;b&Qi7Y{)w z)ZnC!p$5Z3Knb@9KUYv}YV|dQU<&UQ9YYe{$5gvz(R>{;mqn?&rt82B10`lny*JBD zub{O^qMw2$hYa5&Q`8X7wFhoLb0i1SPDT-QI|(?A}`L4r5=kFMvqqC!`EM< zg#iXN6jrar9Ql)D&fmm;#{*q5{t86|o$wcnECYDRkz1h+~F(Rr@qomBafOlCt4s!a)5|UOtBh4*fpaFKh$a|7-(&a;{QbW*_3 zCT@lNDH`wCPs}URY()gqC#6?2yyXJ9Bj%ne@Vt8UDx`3083@^1g@@AMgv0oNn7}`! z<$u10H5hpj3@i4HW|ISqr=**%9~R%MZFdF$T5=#MM(FA3DZnAa*#iURnzn2GB)Kap zq#!&h$HWGp0M-~_GK#4X?i3@-t+Ih*FWA|C(f^Ouw9g{>&vOvV+`4rn)Li&xR)NM~ z?J8U0ZxDfPpNpScHT4q~Sfm&z!B&=*mR43VwLls&Fa2A?U>f%UKy}jv$gf=4V}ZH= zi*vbcd6W(jhoP{v)OlKm1Ha{OPWWSFgDGMzyftDjGQiJ~x7TzmPg?)716QY_)p8Oj zds==-VAfYsa)dJ0{|V;7!pnNMWaMX@7-$oF{wms4{mcbFIoPM)W`_j<=IdB)<+M5M zqT+kLJKLuPFtr?_jCR!>J4QJjkHr8_436Pfs0={u%smDOoQJd+eP!MdnBo0T!iZ6Q zB{do6)2+y>s_P=QqK{*0Rw3Ra`(_q`_Dyu~9WGpe$>1fl7p_X9*VyLC*^Plsd zuM5D-Y$E#W&ka`gpRibd-suP-U`XZ;l--dEAT0w?Gs#i+V&UT6V8Oo+y1ksLTiBe1 zk$_98AOo$uXAWA~x)~cru1Cr2An0&vk`!^$DDj&nTFfZZT9X8USvb1g9*Ijkl68ZtEEqpsGWe1;pDG$>M#Zy^o}X2y??`n>3Rm zEFOnN67wL?cDlceVuyd}*_poQqH}lP$f9KaqGRb7+o_D?LDcAi(G12!R(3#eA$6kVkmNABT zPa@tYFpr1X8zl)-4SHuM(4ZCd`tim2k5`FsSnph;zhSBIviZf08#ktFpfv$&=X-;y zi`SpDM>lbitM{b~H?xm?Mm9#&x`Pj2pi}NG;zzOe2{S<*4;9fvtScd#-6H@OJu?(- z`HIq9PbeR)ygrEkJ%Gi+sPs3y+GaUyH_@x$(-X4fI^*83eL@Z-)K^K7lL_iUvv-Sz z!Qs233?|X7{pZKNM^B4haAI1yGuEa3HAFH8_gs%yhxw=Uh{&~m$nC`>o2qRo+KZ$wwrBtA_`FL~?VhpJm{Rh!{ zTf#1w{zycJd8Q|zjh-Hh+X&P&HxvIk&SeIcQ#Hk4TMwbKjP{X zZ>n?KnZmEuaU>d7DgbBj8sWKE{EejI6Ub>)+ACWU|0nI7Puk>f zWz)Sot6dqn5D*-GwJwJDVz~ZScsZ{WwJSPY2tlmU{W*4v&tYljZrPrJus-=;(k74p7pw5&Vx&rxQ{* z?2KZRqJSwOazWkC9x=$Gldaqt@ot6y6hbR3d3ZAD7?lw02kk;%)?H*qRY$>nq?>(g zHFJc9nj0>9w!60cHtqD`I&p>lpOLk_>@%~Q@$Zi=JO}=(gPVk&e+QK(-(O;Snzvq5Ird~rd>At?KV2L{RGSj_Grr4c7P$H295~kz9lQ>uUF|VJSoA zfV!%p#-rs#U;_!DXXD<6o4X^2 zm}$wCE++p?fL#6<5djBh1-0JhA{!bjh4gc%s;KyZ8^0~5Lc6-O=nCoQy_YXHWH&xq zi`F?$SDUm0*u}tcY%RaB=Um&osi?0O$ykhdvS&d{qQhO6%`eYHO|TB2WAF5Ezik$8~*V$iVnuJ_DZV}=&Je- zWRcT!O0p&F#SU*nu_gh_KTZfIQ~u$m)d2+UvjGI6sRXzx3OVpe7+7*rQ|S~@r>B0b zMP^5K7p+Bxmkvg>e>rd=U{|;U*eUGNU)$$7p}5eDpBX~9)+ktNn?3^7iUJy|^%5AbFXd~z+N5P`@P zvl}?uYHkj?IQ`YS6eWcK@bjml6tKQ5xyycu`4Y&9+H8+%WoYDg-#xT_SDL(*fx*np z8z6T+LJ1>wR#u&K5nRish>0)>@pHG4d9&9iCt#D^+dzf-p43h|C0k54P#s3r*B2ER z!vO@}1Fh8?J5r!sj6lql+eCN|=mJRpP8V|-qmyWNaqkkEdgYw?^0-TEP#B0>xQSB{|WK2eT$1-sav0>?`VByQ-DtPnc=h=^mnqPkWjm0`6?}>5%KAFMC z8~n{nJhUk5-AsS%$zIlF`f1OHrxI6Mj7$ULNdUin@c9yR8foV>AQC3@`B2aYB`Zy; zuf8K#e*H6E^92T)6?AIPT2xY!E&#-FV=``I<@S$MPUrFMwBm)*1dx z#l&C~*A(R3iv1uF&Y2%<3JGw`>Lbp%#$pJZcHL`fGXn#!Y3CaIxD3VYpQDE6fgN`Z z$%c9o_@tzyJQ&$Pk%9nk{r?UWX$NbX&7jFxxGHOwPp`CyMg8ggL=Rh?@fgeywtS1r z55}zobLJorf_uc-AW*>a_@5bt`X>*5tOAy*>8U9VCBQo*((u5hCms;IvZiKhx@Iev z`Qnve&W#Y=o-*Jz^<;lLw1cs&5jNSwsJWFMxVt$viD~SGP#+2&uU#oF7Gtt>1;Jepi)>j7tpwP>M$U1VVqVB^Y5Q0I)xe##AxVaf-be9cB} zP0vX{qJV(^i-AMcg{<*e@Vi%oVGz9(;$fD`mz{ytdrN4mV{e^jwm2+Uw z;8d;Kl07^l(HD6->x%G3we;M0dsiTY3-~PxK*}~noYU-iW|-;cIcJL##TmckRuo@)fR6R9x|bMUTtzhfRMdF_ z?QK)fd9Rd(2%rV0!wCWYhq>;F=f74DKzq6r!bd(!pCr(a-w(B>rwVu44y4z)F0=x= z8#Ggy{G)19H_xlt@<^?S)4O7%H@<+56KW@BSW;b;sY6&&f$J`@ifqWpF5@6={+#pS z4bI-p!_$=b{j#tC7ZR2)4?=z zc6rDaxxtkdU+^s2^S51MRsp=;S!SEms?YUVl1RZa0}wg`COFx^ZEM@Fuf)Iyn)`$Y zl*auWn5io1EfwK=9BtnOxG+7Q0?w7mQ`d9fY{4`)e3~JFm@3OzjyDZEl3QU1dq80Eb=2z=s)&)QAmwrAxUC(VT z-`?@(;m@#($^}1)MR;N{LE@^a=uH}g8YCNsU)&Tqf}Oal*1=OzkHg}7D?W^cjG9zv zCA<-Tc%?-j8UM!|6W10zDeujn&4Ku&OioTt>?7u5`)ea$*^@sEO1D9|vC$qTBtm90 zr)yxYI8+l?Chb&%5#&*=o7JU0m}7Bg%&`n(T;8r+H8r5e7L+>WL)Y^{Fq_T1Yq7|h z_t#d%2)25p6YA1S2G{BdtXb3|_?Z=lW@+)>^gmU%^@K3xdmn}+J@DAJ(qcflt~!909? zRum0x2Ul8%>pWh|1FUFAzx2WVUf=58D++^*&`a4lyAgt^+i*F?`tw~SFnDn=m?_}Q zS%dwSVF^plQ?G;fau+;)*gAVYx9>s^w({z*t}48gqWo?{?=8K`RA`6}tZ9pKRr=Gq zht{830ORJM4LhBDh}xG2>!b7%F4CT>KY#zW;HD}nEKGUmIF_Rv@i);lF-hMLzGmUM z;}fO1KjY!pw3m?yanY58o|RqdS$+Rp#H%#wGZQ23C=v};i+V93LOT73t~;jismbv4 z?~8wY0&hSm!j`Q-4jK$NX`>?}0X`xpCnq+RA`)>;9&sG>Tz6Jm;z0U@-FZTIzm-sl zMJ5?`r9~cD=zt{ru-M$oG~0J9bXGq$6YGGOF{x-u_N}u)-t+D{FB+L*w_?$c{>LnE z{{;|-iZopZNv@pXt-i2dJ4SAyZEVz86T*{{qLC|1&-G%xm62?+K-WC$u+a2cFGpBX zdk23KJ#cL;T1`H5JNI^0AG0-lVJm>bCKIOpO_N@;(i;wZO83w~Nv_0`-K9)0du_RP zeq!`5lL!{4NXqU{Qx$jCAma#M+!!Z?&ZdT{0J+$g?c>ba?U)#}P*6-&jU(7dU%z*} zsZ&+u+~pr@PjoY^SIuKDd!r0oVxGmWSD>w5psh*vsl<5n{A4h?vifu?*zw}OIyg|^ z0#PwBQzk_rv5#M4>lDGVDJ(Cuf4=9??7UnzyrY}`YI~R(W-01?KL}Hr|LlR)&vd25V@$kqfR~2N^9dg=@Ak`n22i7jg2Q?!&t-2QSIU zMZ|G){+hBEYjip7Z}AT1&uynP^tdKZ16%ldPi3HtNtn04AO95JFa2;NbK(xkdryJ- zQ;vHZDR;5mx*Ki+LKbKJJ_0mfO@~26W)>QBM^rsdzv)=>dcYEQB!qz$E4F;59 zWZ>E zcBO@hTHMGyi?P2&ir$Mk|8V9&E=Hu4yk5*SX+G`8d%RSUN8xS4)`np(6WgQ{b=MSI zQh;3Z+hh;`oRdbF3XQHuyro2*F!}wkwl-balp4ioLKs7G##4(>h>_-n7sNJ`D7 znzGBBld7R%GIER~YvKl!v`J34(7NyJhQa^sq&Nv9FBW7x`7?Rh z-01)5(_;N1C@yC%yds0W{QEI_ zdii;G)u$?z^TJqJm8mGyDCO0GI_$O@Pdp1eMB_C|o?+r)goxv2$6VLihmK+!yTgG^ zKRb*%P7XCZu$gg2JMBL>S0`2@-Q>HgFt||h_9mq&>~1VhPPF28H!LE%cl;Et&CQ-u z?a@LX*vCru33X@GEL3D<*^vzvuX}Iyn~FsKq4N2*ryI=r7(dPwq;g%hIBe}oi{9%r zwiIt+c(-$oqbH`P%8^IE-L`l}*9hFp=2x<$M_>Qs2)x}HL6N2&7dxz#YK>0H6zA^< za9*y`K!9G-ghQU1FM7T=j>1#C&}HS!;g+-=E%MR!gv$JeCYzcVBzmvu+s^rYsSw&U zmL8{%HV$8n!87oe!?=)g7xD5*ATwo`xo5Q~q$u4YEqkSV&a|lqi{PO%L{F8MS&h7*R}x{RDB9>cqL$wIF)=yPAQs74c=PQ-hO^IG(&H;F z$f4O{-&F~CUCGIP2?dyIAIkZ9uZ}ozNajWEgMNJbwoa*fpH)w=()>m9(x<8KqhP^6 z_i3y%oXhhj>ufgL?0o%;n$xo26eGEjoZ)Nod=JRocOEHO&3K8Sb0EYX4(#~0K84&Hiea>Rt2*98=x9e3P#d7e@>uE5 zGk;m9Lq=({K<~kpvCsItZ)cs+o17SmKK<|B) zZ1i|c;X^!>T5?bkf%We$-RakmA|lTfUHnsGf%U@Tu8mdv*rWbv^0dQxXtrvkWT zSHis3-LTBA{K#DyO!~nEyE=2&hh94vfrYCPMAm@*42@#nB#E1o6%`jHt0ryZ;u_R|ltpJB*oxwZoLBI=>Y5@( zOjVMvwAd0b**80=R5d(bEomD!qp8K=Ld^#P9Z+qgkY}u*?z;5##)EtXUFu&njtv; z+MbK6bPIU72gC0qva$hz%B?1;D9PEL^qEL`^*{z)l7AYX4-W!}Pm-;tDgrw!ZGK(S zNq6i-jiirtFuju7_XK|5HbIfCNED#nM#Bl?a)iZh+h$7c(SN}0xOJ?S^SiKV7)1*o z-DQlgS;3I>z6-2UUin6XA{1L@pSBF1BYN%!zzyF^=-kNJ)d=pp1Y4Fe=ofzFCFHE1 z6?1(PdZh)&aUf2vBxrQy$Sx6+aYJ~j|4)3qJq6UB^p|$QnQ@xv?B{nb#8t4kIMnp3 za*{CTU+A*Z<~%C(>RmBtxj?KpN}>ubF{|S{Qpu&EXE0j9Ui53j?1vFjG^!8I{W8+C8wh4=JPC)+FvX+HitjW+4}dbT4`EksqO#$$CUJc3AT^fWi= zS^4I!*~=>}ioq&8%PH3Ty~Enl@z1RdS%L3h2Nx@n;=(m)gj}T05AA%+aq|g-wncFh zuew#|_>$Me+^5Ufn>M&sob1PKME6QIJ_~k_I2T$fCCBliHa=5^i-SN;J>{CpJ3EIh z#H`dx3piYXz{YfEy5xw*9EOMBJ@Q6|WY8D=9#>5rA{*g0tcrrBssa$lS-k(|=kActoT7EKt>{L+wslKjb?YX*a9Gm2&R&gF*J_!#X;@U(0XK4uwFa>@*kgy3q zSf3wCIQ(^Ciy$+_v&_3Wy$(@xIb3)Hs)ftnMvZFL>u$dXJ1M;IBL-9rvQ&TpS z(zML0Gq1MXKPh?s8Re=$25L<4$?E)tVJHd?)wL#Zeq9QO^)6W9 zZo5`3%?%3z29gi+Ggf%Xk_WTJTFP}d%4-qW~vjtck0t>uGQ$B zkJ+oQpqz8@>y_!zrn>yoJO0iZu&TW$bAhjW^XhzfdUwG+yd;;pHD3fo%bD0g3?zmF z4W(sHK@avVR_9G+mRh@@>F$BQnsE{vyhXevyi}mbJZZK^gCA~yh++)hMD+A&F_o?K z8%jv)M4XY}y_E_a6!1l7;>~xC|IHM-qio``Z;FwNAyw+e5hj#IxOj6<*^3A`OwF}Z zQ{ZpM=5s=^V(}fZ?-q-?p?Dk5AI{zhO&8=6i)dK^f_%Uz-VWTZaUqw-tV2qFczAcI z?vi88`SXF?4AlSkKR1+s2O;-=Xv+Xc3wi>e9R~U#PFDN(RcDsJgBw88@<5jw1gd`X z0}nVj-FWjio0_`Y~~NO^sx&z(~A66?h6# MSJqKNC|JDxKRafg;s5{u