From 1b16d118931f2f61fee0e0700358ceea066c7585 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 6 Jul 2023 09:37:28 +0200 Subject: [PATCH 001/156] Update to policy precedence --- .../hello-manage-in-organization.md | 37 +++---------------- 1 file changed, 6 insertions(+), 31 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 576ffdb0a4..7deb6b5196 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md 
@@ -96,38 +96,13 @@ The following table lists the MDM policy settings that you can configure for Win ## Policy conflicts from multiple policy sources -Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device. +Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. -Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. +> [!IMPORTANT] +> Windows Hello for Business policy conflict resolution logic doesn't respect the *ControlPolicyConflict/MDMWinsOverGP* policy in the Policy CSP. -Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source. +Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared. -All PIN complexity policies are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis. +## Policy precedence ->[!NOTE] -> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP. 
-> ->Examples -> ->The following are configured using computer Group Policy: -> ->- Use Windows Hello for Business - Enabled ->- User certificate for on-premises authentication - Enabled -> ->The following are configured using device MDM Policy: -> ->- UsePassportForWork - Disabled ->- UseCertificateForOnPremAuth - Disabled ->- MinimumPINLength - 8 ->- Digits - 1 ->- LowercaseLetters - 1 ->- SpecialCharacters - 1 -> ->Enforced policy set: -> ->- Use Windows Hello for Business - Enabled ->- Use certificate for on-premises authentication - Enabled ->- MinimumPINLength - 8 ->- Digits - 1 ->- LowercaseLetters - 1 ->- SpecialCharacters - 1 \ No newline at end of file +Windows Hello for Business *user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used. From f66fd7447526eb3326d45e455af8df20e7c7f5c7 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:22:47 -0700 Subject: [PATCH 002/156] Remove callout --- windows/privacy/windows-10-and-privacy-compliance.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index bf79b242af..9fdb2d172d 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md 
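Review bot: In the hunk at `@@ -96,38 +96,13 @@` (hello-manage-in-organization.md), the new statement that "the MDM settings are ignored until all group policy settings are cleared" contradicts the worked example removed in the same hunk, where computer Group Policy set feature enablement and device MDM set PIN complexity and the enforced set contained both (Use Windows Hello for Business enabled plus MinimumPINLength 8, Digits 1, and so on). Confirm which behaviour is current; if mixed enforcement is still possible, keep the sentence about PIN complexity (together with "Use a hardware security device" and RequireSecurityDevice) being grouped and taken from a single source, since an admin who expects MDM PIN rules to apply while any Hello group policy remains would otherwise be left with a weaker PIN policy and no hint why. The new "Policy precedence" section also only covers user vs. computer policy, so add one line on how user MDM and device MDM resolve, which the removed hierarchy line stated. Typo on the last `+` line: `the corresponded computer policy` should read `the corresponding computer policy`, and `is not set` should be `isn't set` to match `doesn't respect` in the callout above.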
@@ -145,15 +145,12 @@ An administrator can disable a user’s ability to delete their device’s diagn #### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ -> [!IMPORTANT] -> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). - **Applies to:** - Windows 11 Enterprise, Professional, and Education editions - Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer -The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. +The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). 
Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific Azure Active Directory User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific Azure AD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. From 0b61decb88fdff152c7207943dac1ae11be28114 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:45:28 -0700 Subject: [PATCH 003/156] Revise diag data proc config section --- ...s-to-windows-diagnostic-data-collection.md | 60 +++---------------- 1 file changed, 8 insertions(+), 52 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 01ea346024..f78a8739ae 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md 
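Review bot: In the hunk at `@@ -145,15 +145,12 @@` (windows-10-and-privacy-compliance.md), the removed `[!IMPORTANT]` callout was the only pointer from section 2.3.7 to the "Changes to Windows diagnostic data collection" page, and its anchor (`#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration`) disappears when that heading is renamed in the next commit, so dropping it is right; consider keeping a one-line cross-reference to that page without the anchor so readers of this compliance section learn that device-level policies no longer enrol a device. Style: the retained `+` line still says `Azure Active Directory (AAD)-joined` while the following context paragraph uses `Azure AD`; pick one abbreviation while the line is being touched.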
@@ -70,61 +70,17 @@ For more info, see [Configure Windows diagnostic data in your organization](conf Customers who use services that depend on Windows diagnostic data, such as [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data), may be impacted by the behavioral changes when they're released. These services will be updated to address these changes and guidance will be published on how to configure them properly. -## Significant changes coming to the Windows diagnostic data processor configuration - -Currently, to enroll devices in the [Window diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level. - -To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on. - -***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.*** - -We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region. 
- -### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) - -For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. - -From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). - -### Devices in Azure AD tenants with a billing address outside of the EU and EFTA - -For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: - -- [Update Compliance](/windows/deployment/update/update-compliance-monitor) -- [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) -- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) -- [Microsoft Managed Desktop](/managed-desktop/intro/) -- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview) - -*(Additional licensing requirements may apply to use these services.)* - -If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. 
+## Significant change to the Windows diagnostic data processor configuration > [!NOTE] -> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. +> The information in this section applies to the following versions of Windows: +> - Windows 10, versions 20H2, 21H2, 22H2, and newer +> - Windows 11, versions 21H2, 22H2, and newer -### Rollout plan for this change +Previously, IT admins could use policies (for example, the “Allow commercial data pipeline” policy) at the individual device level to enroll devices in the Windows diagnostic data processor configuration. -This change will rollout in phases, starting with Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program. Starting in build 25169, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. +Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined. 
-During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: +We made this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way and in the same geographic region, and to help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/). -- Devices can't be enabled for the Windows diagnostic data processor configuration at this time. -- The processor configuration will be disabled in any devices that were previously enabled. -- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -It's recommended Insiders on these devices pause flighting if these changes aren't acceptable. - -For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -For other Windows devices (not in the Dev Channel), the change will rollout with the January 2023 release preview cumulative update for Windows 10 versions 20H2, 21H2 and 22H2, and Windows 11 versions 21H2 and 22H2. 
- -To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD (can be a hybrid Azure AD join), and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. - -As part of this change, the following policies will no longer be supported to configure the processor option: - - Allow commercial data pipeline - - Allow Desktop Analytics Processing - - Allow Update Compliance Processing - - Allow WUfB Cloud Processing - - Allow Microsoft Managed Desktop Processing - - Configure the Commercial ID +For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). \ No newline at end of file From 67c76cba8d3d0542165dcc3a10a595f9a894b765 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:53:59 -0700 Subject: [PATCH 004/156] Update CSP callouts Re: diagnostic data processor configuration --- .../mdm/policy-csp-admx-datacollection.md | 4 ++-- .../mdm/policy-csp-system.md | 20 +++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index d7d17584e5..d405a52515 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md 
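Review bot: In the hunk at `@@ -70,61 +70,17 @@` (changes-to-windows-diagnostic-data-collection.md), the rewrite removes two statements with a compliance consequence and replaces them with a link only: that a device which isn't properly enrolled (not joined to an Azure AD tenant, or outside the EU/EFTA without one of the listed enterprise services) has Microsoft as controller under the Microsoft Privacy Statement with the Data Protection Addendum terms not applying, and the list of six policies (Allow commercial data pipeline, Allow Desktop Analytics Processing, Allow Update Compliance Processing, Allow WUfB Cloud Processing, Allow Microsoft Managed Desktop Processing, Configure the Commercial ID) that no longer configure the processor option. Unless the linked "Enable Windows diagnostic data processor configuration" section carries both, keep a one-sentence summary of each here, because a reader arriving from the CSP pages needs to know both what stopped working and who the controller is in the meantime. Formatting: inside the new `[!NOTE]` the list starts directly after `...versions of Windows:` with no blank `>` line, which can render the items as run-on text; insert a `>` line before `> - Windows 10, ...`. Also end the file with a newline (`\ No newline at end of file` on the last `+` line).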
@@ -46,8 +46,8 @@ If you disable or don't configure this policy setting, then Microsoft won't be a -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 37741ff804..fc01c5d7cf 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
@@ -130,8 +130,8 @@ See the documentation at for i > [!NOTE] > Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). @@ -206,8 +206,8 @@ This setting has no effect on devices unless they're properly enrolled in Deskto -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). 
@@ -578,8 +578,8 @@ This setting has no effect on devices unless they're properly enrolled in Micros -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). @@ -768,8 +768,8 @@ If you disable or don't configure this policy setting, devices won't appear in U -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). 
@@ -892,8 +892,8 @@ If you disable or don't configure this policy setting, devices enrolled to the W -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). From 5897e36f1d1efa062fc2606fccfc4dcc466b8516 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 1 Aug 2023 14:07:20 -0700 Subject: [PATCH 005/156] Fix broken link URL --- .../mdm/policy-csp-admx-datacollection.md | 2 +- windows/client-management/mdm/policy-csp-system.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index d405a52515..95f1947250 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md 
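Review bot: In the hunk at `@@ -46,8 +46,8 @@` (policy-csp-admx-datacollection.md), downgrading the callout from `[!IMPORTANT]` to `[!NOTE]` weakens a warning whose consequence is not cosmetic: an admin who still sets this policy expecting it to enrol the device in the processor configuration gets no enrolment and no error, and the controller/processor role for that device's diagnostic data differs from what they intended. Keep `[!IMPORTANT]`, or at least state in the same sentence what to do instead rather than only linking out.

Review bot: The five hunks in policy-csp-system.md (`@@ -130,8`, `@@ -206,8`, `@@ -578,8`, `@@ -768,8`, `@@ -892,8`) and the one in policy-csp-admx-datacollection.md carry an identical two-line callout that is being edited in lockstep, and the same six lines are edited again in the following two commits; move the text into a shared include and reference it from each policy so that wording or link changes are a single edit. The new relative `../../privacy/configure-windows-diagnostic-data-in-your-organization.md#...` path does resolve from `windows/client-management/mdm/`, but the link being replaced used the site-absolute `/windows/privacy/...` form; use that form from the start rather than fixing it in a later commit.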
@@ -47,7 +47,7 @@ If you disable or don't configure this policy setting, then Microsoft won't be a > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index fc01c5d7cf..074ea494a7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -131,7 +131,7 @@ See the documentation at for i > Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). 
@@ -207,7 +207,7 @@ This setting has no effect on devices unless they're properly enrolled in Deskto > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). @@ -579,7 +579,7 @@ This setting has no effect on devices unless they're properly enrolled in Micros > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). 
@@ -769,7 +769,7 @@ If you disable or don't configure this policy setting, devices won't appear in U > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). @@ -893,7 +893,7 @@ If you disable or don't configure this policy setting, devices enrolled to the W > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](../../privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). From be731733d8c0276ff55eb0ab646ce751a0a813e0 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 1 Aug 2023 14:18:25 -0700 Subject: [PATCH 006/156] Fix link URL issues --- .../mdm/policy-csp-admx-datacollection.md | 2 +- windows/client-management/mdm/policy-csp-system.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) 
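Review bot: The hunks in this commit (`@@ -47,7` in policy-csp-admx-datacollection.md; `@@ -131,7`, `@@ -207,7`, `@@ -579,7`, `@@ -769,7`, `@@ -893,7` in policy-csp-system.md) change the link to `/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#...`, which combines a site-absolute path with a `.md` extension; the site-absolute link these callouts previously carried (`/windows/privacy/changes-to-windows-diagnostic-data-collection#...`) had no extension, so the link is still broken as written (the next commit corrects exactly that). Squash PATCH 004 through 006 into one commit so the history doesn't record two intermediate broken forms of the same six lines.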
diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 95f1947250..d838717375 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -47,7 +47,7 @@ If you disable or don't configure this policy setting, then Microsoft won't be a > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 074ea494a7..e64a18d355 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
@@ -131,7 +131,7 @@ See the documentation at for i > Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). @@ -207,7 +207,7 @@ This setting has no effect on devices unless they're properly enrolled in Deskto > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). 
@@ -579,7 +579,7 @@ This setting has no effect on devices unless they're properly enrolled in Micros > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). @@ -769,7 +769,7 @@ If you disable or don't configure this policy setting, devices won't appear in U > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). 
@@ -893,7 +893,7 @@ If you disable or don't configure this policy setting, devices enrolled to the W > [!NOTE] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). From bf6dcdef5fc89856be566dc2be81b5f9b7fb7522 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 2 Aug 2023 09:55:46 -0700 Subject: [PATCH 007/156] Remove text "Specific services" paragraph Update Compliance section --- windows/privacy/windows-10-and-privacy-compliance.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 9fdb2d172d..337f7b18e1 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md 
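Review bot: the five hunks in this file (lines 131, 207, 579, 769, 893) each rewrite the same `> [!NOTE]` paragraph only to drop `.md` from the link target, which shows the paragraph is duplicated five times; move it into a single include file and reference it with `[!INCLUDE]` so the next link or wording fix is made once. The sentence itself also reads awkwardly: "this policy is no longer supported to configure the processor option" would be clearer as "this policy can no longer be used to configure the processor option".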
@@ -162,8 +162,6 @@ We recommend that IT administrators who have enabled the Windows diagnostic data >[!Note] >Tenant account closure will lead to the deletion of all data associated with that tenant. -Specific services that depend on Windows diagnostic data will also result in the enterprise becoming controllers of their Windows diagnostic data. These services include Update Compliance, Windows Update for Business reports, Windows Update for Business, and Microsoft Managed Desktop. For more information, see [Related Windows product considerations](#5-related-windows-product-considerations). - For more information on how Microsoft can help you honor rights and fulfill obligations under the GDPR when using Windows diagnostic data processor configurations, see [General Data Protection Regulation Summary](/compliance/regulatory/gdpr). ## 3. The process for exercising data subject rights 
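Review bot: the deleted paragraph in the section 2 hunk carried more than the Update Compliance reference: it was the only statement that Windows Update for Business reports, Windows Update for Business and Microsoft Managed Desktop also make the enterprise the controller of its diagnostic data, and the only link to `#5-related-windows-product-considerations`. If the intent (per the subject line) is only to retire Update Compliance, keep the paragraph and drop just that service from the list; otherwise the commit message should say why the controller statement is no longer needed.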
@@ -231,10 +229,6 @@ An administrator can configure privacy-related settings, such as choosing to onl [Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Office 365 ProPlus, and Microsoft security services. -### 5.4 Update Compliance - -[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows diagnostic data for all its reporting. - ### 5.5 Windows Update for Business reports [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all its reporting. From 14d816424a391972be789f32e61728d31c1fcbc3 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:09:35 -0700 Subject: [PATCH 008/156] Renumber section --- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 337f7b18e1..baa9c0f762 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md 
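Review bot: in the hunk that deletes `### 5.4 Update Compliance`, the following section stays numbered 5.5, leaving a gap in the `## 5` numbering; that is fixed in the next commit, so squash the two. Also check for inbound links to the removed section's anchor elsewhere in the docs set before merging, since those links will now silently land at the top of the page.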
@@ -229,7 +229,7 @@ An administrator can configure privacy-related settings, such as choosing to onl [Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Office 365 ProPlus, and Microsoft security services. -### 5.5 Windows Update for Business reports +### 5.4 Windows Update for Business reports [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all its reporting. From 21e1aa595a256da633e1332216725e23752957a9 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 2 Aug 2023 11:04:06 -0700 Subject: [PATCH 009/156] Remove text - Update Compliance - EUDB statement --- .../configure-windows-diagnostic-data-in-your-organization.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 17cd1c6c1d..2e897e81b4 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
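Review bot: renumbering `### 5.5` to `### 5.4` changes the generated anchor for the Windows Update for Business reports section, so any existing link to the old `5.5` anchor stops resolving; grep the repo for it and update callers in the same change. This one-line fix belongs in the previous commit that removed section 5.4 rather than in a separate "Renumber section" commit.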
@@ -342,16 +342,12 @@ Starting with the January 2023 preview cumulative update, how you enable the pro For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. -> [!NOTE] -> The Windows diagnostic data processor configuration has components for which work is in progress to be included in the EU Data Boundary, but completion of this work is delayed beyond January 1, 2023. These components will be included in the EU Data Boundary in the coming months. In the meantime, Microsoft will temporarily transfer data out of the EU Data Boundary as part of service operations to ensure uninterrupted operation of the services customers signed up for. - From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). 
#### Devices in Azure AD tenants with a billing address outside of the EU and EFTA For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: -- [Update Compliance](/windows/deployment/update/update-compliance-monitor) - [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) - [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) - [Microsoft Managed Desktop](/managed-desktop/intro/) From be142c96ce47beabf66a7d0b0eb445093083426f Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 2 Aug 2023 14:52:15 -0700 Subject: [PATCH 010/156] Add MEA statement --- .../configure-windows-diagnostic-data-in-your-organization.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 2e897e81b4..2bf84b5d5a 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
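Review bot: the hunk that removes the EU Data Boundary note leaves the preceding sentence, "The Windows diagnostic data for those devices will be processed in Europe", standing without the caveat that some processor-configuration components were still being brought inside the boundary. The commit message ("Remove text - Update Compliance - EUDB statement") gives no reason for the deletion; state that the inclusion work the note described is complete, or keep the note. The Update Compliance bullet removal in the second hunk is consistent with the earlier commits in this series.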
@@ -325,6 +325,8 @@ The diagnostic data setting on the device should be set to Required diagnostic d - settings-win.data.microsoft.com - *.blob.core.windows.net +Tenants with billing addresses in countries or regions in the Middle East and Africa, as well as European countries or regions not in the EU, also use the eu-v10c.events.data.microsoft.com and eu-watsonc.events.data.microsoft.com endpoints. Their data will be processed in the EU, but those tenants are not considered part of the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn). + >[!Note] > - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. > - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions. From ec0a101379bdc09c43ebadbde88aa68fd6375295 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 2 Aug 2023 15:01:34 -0700 Subject: [PATCH 011/156] wording change --- .../configure-windows-diagnostic-data-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 2bf84b5d5a..c91810a6d1 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
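Review bot: the added paragraph uses "will be processed" and "are not considered", which the surrounding text (and the next commit) replaces with present tense and contractions; fold that wording change into this commit. Placement is the other question: the paragraph sits under the endpoint list, but the decision it affects (whether a tenant is inside the EU Data Boundary) is discussed under the "Devices in Azure AD tenants with a billing address outside of the EU and EFTA" heading further down the same page, so a cross-reference from there, or moving the paragraph, would help readers who jump straight to that section. Also confirm that `eu-v10c.events.data.microsoft.com` and `eu-watsonc.events.data.microsoft.com` appear in the endpoint allow-list above, since only `settings-win.data.microsoft.com` and `*.blob.core.windows.net` are visible in this context and readers configuring proxies or firewalls rely on that list.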
@@ -325,7 +325,7 @@ The diagnostic data setting on the device should be set to Required diagnostic d - settings-win.data.microsoft.com - *.blob.core.windows.net -Tenants with billing addresses in countries or regions in the Middle East and Africa, as well as European countries or regions not in the EU, also use the eu-v10c.events.data.microsoft.com and eu-watsonc.events.data.microsoft.com endpoints. Their data will be processed in the EU, but those tenants are not considered part of the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn). +Tenants with billing addresses in countries or regions in the Middle East and Africa, as well as European countries or regions not in the EU, also use the eu-v10c.events.data.microsoft.com and eu-watsonc.events.data.microsoft.com endpoints. Their diagnostic data is processed in Europe, but those tenants aren't considered part of the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn). >[!Note] > - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. From 8794acacc4318ed54b9f4008e6d609187efc4d00 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 7 Aug 2023 11:54:00 +0200 Subject: [PATCH 012/156] changed uhfHeaderId --- education/docfx.json | 5 +- education/windows/change-home-to-edu.md | 2 +- education/windows/index.old.yml | 73 +++++++ education/windows/index.yml | 246 ++++++++++++++++-------- windows/security/index.yml | 1 + 5 files changed, 244 insertions(+), 83 deletions(-) create mode 100644 education/windows/index.old.yml diff --git a/education/docfx.json b/education/docfx.json index a9579639a6..29a46f0323 100644 --- a/education/docfx.json +++ b/education/docfx.json 
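Review bot: this is a wording-only follow-up to the paragraph added in the previous commit and should be squashed into it so the history doesn't carry a sentence that was rewritten minutes later. The new phrasing "Their diagnostic data is processed in Europe" now matches the "processed in Europe" wording used in the EU and EFTA section of the same page, which is the right alignment.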
@@ -41,7 +41,7 @@ "manager": "aaroncz", "ms.localizationpriority": "medium", "breadcrumb_path": "/education/breadcrumb/toc.json", - "uhfHeaderId": "MSDocsHeader-Windows", + "uhfHeaderId": "MSDocsHeader-M365-IT", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", @@ -76,7 +76,8 @@ "✅ Windows 11 SE", "✅ Windows 10" ] - } + }, + "uhfHeaderId": "MSDocsHeader-Windows" }, "externalReference": [], "template": "op.html", diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index df5e41eb07..e4c9199d7d 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -1,7 +1,7 @@ --- title: Upgrade Windows Home to Windows Education on student-owned devices description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions. -ms.date: 08/10/2022 +ms.date: 08/07/2023 ms.topic: how-to author: scottbreenmsft ms.author: scbree diff --git a/education/windows/index.old.yml b/education/windows/index.old.yml new file mode 100644 index 0000000000..849e1d3e1d --- /dev/null +++ b/education/windows/index.old.yml 
@@ -0,0 +1,73 @@ + - title: Get started + linkLists: + - linkListType: tutorial + links: + - text: Deploy and manage Windows devices in a school + url: tutorial-school-deployment/index.md + - text: Prepare your tenant + url: tutorial-school-deployment/set-up-azure-ad.md + - text: Configure settings and applications with Microsoft Intune + url: tutorial-school-deployment/configure-devices-overview.md + - text: Manage devices with Microsoft Intune + url: tutorial-school-deployment/manage-overview.md + - text: Management functionalities for Surface devices + url: tutorial-school-deployment/manage-surface-devices.md + + - title: Learn about Windows 11 SE + linkLists: + - linkListType: concept + links: + - text: What is Windows 11 SE? + url: windows-11-se-overview.md + - text: Windows 11 SE settings + url: windows-11-se-settings-list.md + - linkListType: whats-new + links: + - text: Configure federated sign-in + url: federated-sign-in.md + - text: Configure education themes + url: edu-themes.md + - text: Configure Stickers + url: edu-stickers.md + - linkListType: video + links: + - text: Deploy Windows 11 SE using Set up School PCs + url: https://www.youtube.com/watch?v=Ql2fbiOop7c + + - title: Deploy devices with Set up School PCs + linkLists: + - linkListType: concept + links: + - text: What is Set up School PCs? 
+ url: set-up-school-pcs-technical.md + - linkListType: how-to-guide + links: + - text: Use the Set up School PCs app + url: use-set-up-school-pcs-app.md + - linkListType: reference + links: + - text: Provisioning package settings + url: set-up-school-pcs-provisioning-package.md + - linkListType: video + links: + - text: Use the Set up School PCs App + url: https://www.youtube.com/watch?v=2ZLup_-PhkA + + - title: Configure devices + linkLists: + - linkListType: concept + links: + - text: Take tests and assessments in Windows + url: take-tests-in-windows.md + - text: Considerations for shared and guest devices + url: /windows/configuration/shared-devices-concepts?context=/education/context/context + - text: Change Windows editions + url: change-home-to-edu.md + - linkListType: how-to-guide + links: + - text: Configure Take a Test in kiosk mode + url: edu-take-a-test-kiosk-mode.md + - text: Configure Shared PC + url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context + - text: Get and deploy Minecraft Education + url: get-minecraft-for-education.md \ No newline at end of file diff --git a/education/windows/index.yml b/education/windows/index.yml index 691901dcf2..fc06f5531c 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml 
@@ -1,95 +1,181 @@ -### YamlMime:Landing +### YamlMime:Hub title: Windows for Education documentation -summary: Evaluate, plan, deploy, and manage Windows devices in an education environment +summary: Learn how to deploy, secure, and manage Windows clients in an education environment. +brand: windows metadata: - title: Windows for Education documentation - description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune - ms.topic: landing-page + ms.topic: hub-page ms.prod: windows-client ms.technology: itpro-edu ms.collection: - - education - - highpri - - tier1 + - education + - highpri + - tier1 author: paolomatarazzo ms.author: paoloma - ms.date: 03/09/2023 manager: aaroncz + ms.date: 07/28/2023 -landingContent: +highlightedContent: + items: + - title: Get started with Windows 11 + itemType: get-started + url: /windows/whats-new/windows-11-overview + - title: Windows 11, version 22H2 + itemType: whats-new + url: /windows/whats-new/whats-new-windows-11-version-22H2 + - title: Windows 11, version 22H2 group policy settings reference + itemType: download + url: https://www.microsoft.com/en-us/download/details.aspx?id=104594 + - title: Windows release health + itemType: whats-new + url: /windows/release-health + - title: Windows commercial licensing + itemType: overview + url: /windows/whats-new/windows-licensing + - title: Windows 365 documentation + itemType: overview + url: /windows-365 + - title: Explore all Windows trainings and learning paths for IT pros + itemType: learn + url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator + - title: Enroll Windows client devices in Microsoft Intune + itemType: how-to-guide + url: /mem/intune/fundamentals/deployment-guide-enrollment-windows - - title: Get started - linkLists: - - linkListType: tutorial - links: - - text: Deploy and manage Windows devices in a school - url: tutorial-school-deployment/index.md - - text: Prepare 
your tenant - url: tutorial-school-deployment/set-up-azure-ad.md - - text: Configure settings and applications with Microsoft Intune - url: tutorial-school-deployment/configure-devices-overview.md - - text: Manage devices with Microsoft Intune - url: tutorial-school-deployment/manage-overview.md - - text: Management functionalities for Surface devices - url: tutorial-school-deployment/manage-surface-devices.md +productDirectory: + title: Get started + items: - - title: Learn about Windows 11 SE - linkLists: - - linkListType: concept - links: - - text: What is Windows 11 SE? - url: windows-11-se-overview.md - - text: Windows 11 SE settings - url: windows-11-se-settings-list.md - - linkListType: whats-new - links: - - text: Configure federated sign-in - url: federated-sign-in.md - - text: Configure education themes - url: edu-themes.md - - text: Configure Stickers - url: edu-stickers.md - - linkListType: video - links: - - text: Deploy Windows 11 SE using Set up School PCs - url: https://www.youtube.com/watch?v=Ql2fbiOop7c + - title: Hardware security + imageSrc: /media/common/i_usb.svg + links: + - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview + text: Trusted Platform Module + - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor + text: Microsoft Pluton + - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows + text: Windows Defender System Guard + - url: /windows-hardware/design/device-experiences/oem-vbs + text: Virtualization-based security (VBS) + - url: /windows-hardware/design/device-experiences/oem-highly-secure-11 + text: Secured-core PC + - url: /windows/security/hardware-security + text: Learn more about hardware security > - - title: Deploy devices with Set up School PCs - linkLists: - - linkListType: concept - links: - - text: What is Set up School PCs? 
- url: set-up-school-pcs-technical.md - - linkListType: how-to-guide - links: - - text: Use the Set up School PCs app - url: use-set-up-school-pcs-app.md - - linkListType: reference - links: - - text: Provisioning package settings - url: set-up-school-pcs-provisioning-package.md - - linkListType: video - links: - - text: Use the Set up School PCs App - url: https://www.youtube.com/watch?v=2ZLup_-PhkA + - title: OS security + imageSrc: /media/common/i_threat-protection.svg + links: + - url: /windows/security/operating-system-security + text: Trusted boot + - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center + text: Windows security settings + - url: /windows/security/operating-system-security/data-protection/bitlocker/ + text: BitLocker + - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines + text: Windows security baselines + - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ + text: MMicrosoft Defender SmartScreen + - url: /windows/security/operating-system-security + text: Learn more about OS security > - - title: Configure devices - linkLists: - - linkListType: concept - links: - - text: Take tests and assessments in Windows - url: take-tests-in-windows.md - - text: Considerations for shared and guest devices - url: /windows/configuration/shared-devices-concepts?context=/education/context/context - - text: Change Windows editions - url: change-home-to-edu.md - - linkListType: how-to-guide - links: - - text: Configure Take a Test in kiosk mode - url: edu-take-a-test-kiosk-mode.md - - text: Configure Shared PC - url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context - - text: Get and deploy Minecraft Education - url: get-minecraft-for-education.md \ No newline at end of file + - title: Identity protection + 
imageSrc: /media/common/i_identity-protection.svg + links: + - url: /windows/security/identity-protection/hello-for-business + text: Windows Hello for Business + - url: /windows/security/identity-protection/credential-guard + text: Windows Defender Credential Guard + - url: /windows-server/identity/laps/laps-overview + text: Windows LAPS (Local Administrator Password Solution) + - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection + text: Enhanced phishing protection with SmartScreen + - url: /education/windows/federated-sign-in + text: Federated sign-in (EDU) + - url: /windows/security/identity-protection + text: Learn more about identity protection > + + - title: Application security + imageSrc: /media/common/i_queries.svg + links: + - url: /windows/security/application-security/application-control/windows-defender-application-control/ + text: Windows Defender Application Control (WDAC) + - url: /windows/security/application-security/application-control/user-account-control + text: User Account Control (UAC) + - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules + text: Microsoft vulnerable driver blocklist + - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview + text: Microsoft Defender Application Guard (MDAG) + - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview + text: Windows Sandbox + - url: /windows/security/application-security + text: Learn more about application security > + + - title: Security foundations + imageSrc: /media/common/i_build.svg + links: + - url: /windows/security/security-foundations/certification/fips-140-validation + text: FIPS 140-2 validation + - url: 
/windows/security/security-foundations/certification/windows-platform-common-criteria + text: Common Criteria Certifications + - url: /windows/security/security-foundations/msft-security-dev-lifecycle + text: Microsoft Security Development Lifecycle (SDL) + - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview + text: Microsoft Windows Insider Preview bounty program + - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ + text: OneFuzz service + - url: /windows/security/security-foundations + text: Learn more about security foundations > + + - title: Cloud security + imageSrc: /media/common/i_cloud-security.svg + links: + - url: /mem/intune/protect/security-baselines + text: Security baselines with Intune + - url: /windows/deployment/windows-autopatch + text: Windows Autopatch + - url: /windows/deployment/windows-autopilot + text: Windows Autopilot + - url: /universal-print + text: Universal Print + - url: /windows/client-management/mdm/remotewipe-csp + text: Remote wipe + - url: /windows/security/cloud-security + text: Learn more about cloud security > + +additionalContent: + sections: + - title: More Windows resources + items: + + - title: Windows Server + links: + - text: Windows Server documentation + url: /windows-server + - text: What's new in Windows Server 2022? 
+ url: /windows-server/get-started/whats-new-in-windows-server-2022 + - text: Windows Server blog + url: https://cloudblogs.microsoft.com/windowsserver/ + + - title: Windows product site and blogs + links: + - text: Find out how Windows enables your business to do more + url: https://www.microsoft.com/microsoft-365/windows + - text: Windows blogs + url: https://blogs.windows.com/ + - text: Windows IT Pro blog + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog + - text: Microsoft Intune blog + url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog + - text: "Windows help & learning: end-user documentation" + url: https://support.microsoft.com/windows + + - title: Participate in the community + links: + - text: Windows community + url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10 + - text: Microsoft Intune community + url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune + - text: Microsoft Support community + url: https://answers.microsoft.com/windows/forum \ No newline at end of file diff --git a/windows/security/index.yml b/windows/security/index.yml index e49166e1ef..4a712e5068 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -7,6 +7,7 @@ brand: windows metadata: ms.topic: hub-page ms.prod: windows-client + ms.technology: itpro-security ms.collection: - highpri - tier1 From e126f0b44a1842bb0db74dad6a613ebfe2440618 Mon Sep 17 00:00:00 2001 
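Review bot: in the second `education/docfx.json` hunk, the new `"uhfHeaderId": "MSDocsHeader-Windows"` is inserted after the closing `}` of the `appliesto` block, inside the object that closes just before `"externalReference"`, which appears to be `fileMetadata`. Keys under `fileMetadata` map file globs to values, so a bare string there applies to no file, and the only effective header becomes the `MSDocsHeader-M365-IT` set in the first hunk. If the intent is to keep the Windows header for a subset of pages, map it to a glob (for example `"uhfHeaderId": { "<glob>": "MSDocsHeader-Windows" }` with the real path pattern); if every education page should get the M365-IT header, drop the second hunk.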
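Review bot: `education/windows/index.old.yml` is a new file with no `### YamlMime:` header and no top-level `title`, so the build cannot treat it as a page; it is a copy of the landing content that the `index.yml` rewrite removes. Backup copies don't belong in the repo (git history keeps the old layout); drop the file from this commit.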
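Review bot: the rewritten `education/windows/index.yml` replaces the education landing content (Set up School PCs, Take a Test, Windows 11 SE, Minecraft Education) with a `productDirectory` titled "Get started" whose cards are Windows security hub material (Hardware security, OS security, Application security, Cloud security), and only "Federated sign-in (EDU)" relates to education; either restore the education cards or retitle and scope the directory to what it actually holds. Smaller points in the same hunk: "MMicrosoft Defender SmartScreen" has a doubled M; the `metadata.description` entry is removed, which leaves the page without a meta description; and the two absolute links with `/en-us/` in the path (`https://learn.microsoft.com/en-us/training/...` and `https://www.microsoft.com/en-us/download/...`) should be locale-free or site-relative (`/training/browse/?products=windows&roles=administrator`) so localized sites don't send readers to the English locale.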
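Review bot: the commit is titled "changed uhfHeaderId" but also bumps `ms.date` in `change-home-to-edu.md` from 08/10/2022 to 08/07/2023 with no content change on that page, adds `ms.technology: itpro-security` to `windows/security/index.yml`, and rewrites the education hub; split the header change from the hub rewrite so each can be reviewed and reverted on its own, and drop the date bump, since `ms.date` is meant to track content changes.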
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 07:35:57 +0200 Subject: [PATCH 013/156] Updated to configure include files --- includes/configure/gpo-settings-1.md | 6 ++++++ includes/configure/gpo-settings-2.md | 6 ++++++ includes/{intune => configure}/intune-custom-settings-1.md | 0 includes/{intune => configure}/intune-custom-settings-2.md | 0 .../{intune => configure}/intune-custom-settings-info.md | 0 includes/configure/intune-settings-catalog-1.md | 6 ++++++ includes/configure/intune-settings-catalog-2.md | 6 ++++++ includes/configure/tab-intro.md | 6 ++++++ 8 files changed, 30 insertions(+) create mode 100644 includes/configure/gpo-settings-1.md create mode 100644 includes/configure/gpo-settings-2.md rename includes/{intune => configure}/intune-custom-settings-1.md (100%) rename includes/{intune => configure}/intune-custom-settings-2.md (100%) rename includes/{intune => configure}/intune-custom-settings-info.md (100%) create mode 100644 includes/configure/intune-settings-catalog-1.md create mode 100644 includes/configure/intune-settings-catalog-2.md create mode 100644 includes/configure/tab-intro.md diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md new file mode 100644 index 0000000000..2859223cc7 --- /dev/null +++ b/includes/configure/gpo-settings-1.md @@ -0,0 +1,6 @@ +--- +ms.date: 06/21/2023 +ms.topic: include +--- + +To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the settings located under \ No newline at end of file diff --git a/includes/configure/gpo-settings-2.md b/includes/configure/gpo-settings-2.md new file mode 100644 index 0000000000..cc0cad6c72 --- /dev/null +++ b/includes/configure/gpo-settings-2.md 
@@ -0,0 +1,6 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups. \ No newline at end of file diff --git a/includes/intune/intune-custom-settings-1.md b/includes/configure/intune-custom-settings-1.md similarity index 100% rename from includes/intune/intune-custom-settings-1.md rename to includes/configure/intune-custom-settings-1.md diff --git a/includes/intune/intune-custom-settings-2.md b/includes/configure/intune-custom-settings-2.md similarity index 100% rename from includes/intune/intune-custom-settings-2.md rename to includes/configure/intune-custom-settings-2.md diff --git a/includes/intune/intune-custom-settings-info.md b/includes/configure/intune-custom-settings-info.md similarity index 100% rename from includes/intune/intune-custom-settings-info.md rename to includes/configure/intune-custom-settings-info.md diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md new file mode 100644 index 0000000000..713555d40b --- /dev/null +++ b/includes/configure/intune-settings-catalog-1.md @@ -0,0 +1,6 @@ +--- +ms.date: 06/21/2023 +ms.topic: include +--- + +To configure devices using Microsoft Intune, [create a *Settings catalog policy*](/mem/intune/configuration/settings-catalog) and use the following settings: \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-2.md b/includes/configure/intune-settings-catalog-2.md new file mode 100644 index 0000000000..ebd6a2e1ef --- /dev/null +++ b/includes/configure/intune-settings-catalog-2.md @@ -0,0 +1,6 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +Assign the policy to a group that contains as members the devices or users that you want to configure. \ No newline at end of file 
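Review bot: the four new include files in this commit (`gpo-settings-1.md`, `gpo-settings-2.md`, `intune-settings-catalog-1.md`, `intune-settings-catalog-2.md`) are created with `ms.date` values of 06/21/2023 and 11/08/2022, both earlier than the commit date; set `ms.date` to the creation date so the metadata reflects when the text was last reviewed. In `gpo-settings-1.md`, the sentence deliberately stops at "use the settings located under" so the calling page can append a policy path, which only works if the include renders inline on the same line; add an HTML comment in the include stating that expectation, or have callers give the path in the following sentence instead. In `intune-settings-catalog-2.md`, "a group that contains as members the devices or users" reads more simply as "a group that contains the devices or users".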
diff --git a/includes/configure/tab-intro.md b/includes/configure/tab-intro.md new file mode 100644 index 0000000000..e195a9281a --- /dev/null +++ b/includes/configure/tab-intro.md @@ -0,0 +1,6 @@ +--- +ms.date: 02/22/2022 +ms.topic: include +--- + +The following instructions provide details how to configure your devices. Select the option that best suits your needs. \ No newline at end of file From df09a3b9ade26d31a1530a2f04e519c02ac3bab1 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 07:38:31 +0200 Subject: [PATCH 014/156] updated calling include files --- education/windows/edu-stickers.md | 6 +++--- education/windows/edu-take-a-test-kiosk-mode.md | 6 +++--- education/windows/edu-themes.md | 6 +++--- education/windows/federated-sign-in.md | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 56094c8023..21f0dab85e 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -33,14 +33,14 @@ Stickers aren't enabled by default. Follow the instructions below to configure y #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`**
  • Data type: **Integer**
  • Value: **1**
  • | -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](includes/configure/intune-custom-settings-info.md)] > [!TIP] > Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. [1](#footnote1) diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md index 10c843fc0b..d7dd5daa95 100644 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ b/education/windows/edu-take-a-test-kiosk-mode.md @@ -53,7 +53,7 @@ To configure devices using Intune for Education, follow these steps: ### Configure Take a Test with a custom policy -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] | Setting | |--------| @@ -67,8 +67,8 @@ To configure devices using Intune for Education, follow these steps: :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md index bd941025f7..39decf882d 100644 
--- a/education/windows/edu-themes.md +++ b/education/windows/edu-themes.md @@ -23,14 +23,14 @@ Education themes aren't enabled by default. Follow the instructions below to con #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`**
  • Data type: **Integer**
  • Value: **1**
  • | -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 0d98af99f7..510772b7a1 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -79,7 +79,7 @@ To use web sign-in with a federated identity provider, your devices must be conf To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] | Setting | |--------| @@ -121,7 +121,7 @@ To use web sign-in with a federated identity provider, your devices must be conf To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] | Setting | |--------| From 883b6029dbeed0e6148cfa0d89204ce9ddf34a9d Mon Sep 17 00:00:00 2001 
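Review bot: the updated include paths in these hunks are resolved relative to the calling file, so `[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)]` in education/windows/edu-stickers.md points at `education/windows/includes/configure/intune-custom-settings-1.md`, while the renames in this series moved the shared files to the repo-root `includes/configure/` directory. Unless this series also moves the `education/windows/includes/` copies into a `configure/` subfolder (not visible in these hunks), the references break at build time; the credential-guard article in the same series reaches the root directory with `../../../../includes/configure/...`, so the consistent form here would be `../../includes/configure/intune-custom-settings-1.md`. The same applies to every `intune-custom-settings-2.md` and `intune-custom-settings-info.md` reference in edu-stickers.md, edu-take-a-test-kiosk-mode.md, edu-themes.md and federated-sign-in.md. Minor: in tab-intro.md, `provide details how to configure your devices` should read `provide details on how to configure your devices`.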
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 07:40:03 +0200 Subject: [PATCH 015/156] added cred guard refreshed files --- .../additional-mitigations.md | 37 +- .../credential-guard/configure.md | 406 ++++++++++++++++++ .../considerations-known-issues.md | 236 ++++++++++ .../credential-guard-considerations.md | 102 ----- .../credential-guard-how-it-works.md | 26 -- .../credential-guard-known-issues.md | 155 ------- .../credential-guard-protection-limits.md | 32 -- .../credential-guard/credential-guard.md | 35 -- .../credential-guard/how-it-works.md | 57 +++ .../images/credguard-gp-disabled.png | Bin 205356 -> 0 bytes .../credential-guard/images/credguard-gp.png | Bin 276638 -> 0 bytes .../images/credguard-msinfo32.png | Bin 40079 -> 0 bytes .../credential-guard/index.md | 101 +++++ .../credential-guard/toc.yml | 20 +- 14 files changed, 839 insertions(+), 368 deletions(-) create mode 100644 windows/security/identity-protection/credential-guard/configure.md create mode 100644 windows/security/identity-protection/credential-guard/considerations-known-issues.md delete mode 100644 windows/security/identity-protection/credential-guard/credential-guard-considerations.md delete mode 100644 windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md delete mode 100644 windows/security/identity-protection/credential-guard/credential-guard-known-issues.md delete mode 100644 windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md delete mode 100644 windows/security/identity-protection/credential-guard/credential-guard.md create mode 100644 windows/security/identity-protection/credential-guard/how-it-works.md delete mode 100644 windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png delete mode 100644 windows/security/identity-protection/credential-guard/images/credguard-gp.png delete mode 100644 
windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png create mode 100644 windows/security/identity-protection/credential-guard/index.md diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 32967fd8b7..b433fa7bfa 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -1,5 +1,5 @@ --- -ms.date: 08/17/2017 +ms.date: 06/20/2023 title: Additional mitigations description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. ms.topic: article 
@@ -7,9 +7,35 @@ ms.topic: article # Additional mitigations -Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. +Windows Defender Credential Guard offers mitigations against attacks on derived credentials, preventing the use of stolen credentials elsewhere. However, devices can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using stolen credentials prior to the enablement of Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. -## Restricting domain users to specific domain-joined devices +## Additional security qualifications + +All devices that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.\ +Devices that meet more qualifications can provide added protections to further reduce the attack surface. + +The following table list qualifications for improved security. We recommend meeting the additional qualifications to strengthen the level of security that Windows Defender Credential Guard can provide. 
+ +|Protection |Requirements|Security Benefits| +|---|---|---| +|**Secure Boot configuration and management**|- BIOS password or stronger authentication must be supported
    - In the BIOS configuration, BIOS authentication must be set
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, *Boot only from internal hard drive*) and boot device order, overriding `BOOTORDER` modification made by the operating system | - Prevent other operating systems from starting
    -Prevent changes to the BIOS settings| +|**Hardware Rooted Trust Platform Secure Boot**|- Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby
    - Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification)|- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides security assurance for correctly secured silicon and platform| +|**Firmware Update through Windows Update**|- Firmware must support field updates through Windows Update and UEFI encapsulation update|Helps ensure that firmware updates are fast, secure, and reliable.| +|**Securing Boot Configuration and Management**|- Required BIOS capabilities: ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software|- Enterprises can choose to allow proprietary EFI drivers/applications to run
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots| +|**VBS enablement of No-Execute (NX) protection for UEFI runtime services**|- VBS enables NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet the following requirements:
      - Implement UEFI 2.6 `EFI_MEMORY_ATTRIBUTES_TABLE`. All UEFI runtime service memory (code and data) must be described by this table
      - PE sections must be page-aligned in memory (not required for in non-volatile storage).
      - The Memory Attributes Table needs to correctly mark code and data as `RO/NX` for configuration by the OS
      - All entries must include attributes `EFI_MEMORY_RO`, `EFI_MEMORY_XP`, or both.
      - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable
    (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|- Vulnerabilities in UEFI runtime, if any, are blocked from compromising VBS (such as in functions like *UpdateCapsule* and *SetVariable*)
    - Reduces the attack surface to VBS from system firmware.| +|**Firmware support for SMM protection**|- The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware
    - Blocks additional security attacks against SMM| + +> [!IMPORTANT] +> +> Regarding **VBS enablement of NX protection for UEFI runtime services**: +> +> - It only applies to UEFI runtime service memory, and not UEFI boot service memory +> - The protection is applied by VBS on OS page tables +> - Don't use sections that are both writable and executable +> - Don't attempt to directly modify executable system memory +> - Don't use dynamic code + +## Restrict domain users to specific domain-joined devices Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. @@ -27,6 +53,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: + - Devices' accounts are in Windows Server 2012 domain functional level or higher. - All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - KDC EKU present 
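Review bot: in the `Firmware support for SMM protection` row the Security Benefits cell reads `Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS`, which carries two predicates; make it `Potential vulnerabilities in UEFI runtime services, if any, are blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)` to match the wording of the NX row above it. Also in this hunk: `The following table list qualifications` should be `lists`; the rows `Secure Boot configuration and management` and `Securing Boot Configuration and Management` are near-identical names for different requirements (the second is about controlling the Secure Boot DB certificates), so consider renaming the second, for example `Secure Boot DB certificate control`; `-Prevent changes to the BIOS settings` is missing the space after the hyphen; `(not required for in non-volatile storage)` should be `(not required in non-volatile storage)`; and the heading `Hardware Rooted Trust Platform Secure Boot` reads better as `Hardware-rooted trust: Platform Secure Boot`.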
@@ -88,7 +115,7 @@ From a Windows PowerShell command prompt, run the following command: .\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"" -groupOU:"" -groupName:"" ``` -### Restricting user sign-on +### Restrict user sign-on So we now have completed the following: @@ -117,7 +144,7 @@ Authentication policies have the following requirements: > [!NOTE] > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. -#### Discovering authentication failures due to authentication policies +#### Discover authentication failures due to authentication policies To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md new file mode 100644 index 0000000000..77709daeae --- /dev/null +++ b/windows/security/identity-protection/credential-guard/configure.md 
@@ -0,0 +1,406 @@ +--- +title: Configure Windows Defender Credential Guard +description: Learn how to configure Windows Defender Credential Guard using MDM, Group Policy, or the registry. +ms.date: 06/20/2023 +ms.collection: + - highpri + - tier2 +ms.topic: how-to +--- + +# Configure Windows Defender Credential Guard + +This article describes how to configure Windows Defender Credential Guard using Microsoft Intune, Group Policy, or the registry. + +## Default enablement + +Starting in **Windows 11, version 22H2**, Windows Defender Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Gurad remotely, if needed.\ +If Windows Defender Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings. + +While the default state of Credential Guard changed, system administrators can [enable](#enable-and-configure-windows-defender-credential-guard) or [disable](#disable-windows-defender-credential-guard) it using one of the methods described in this article. + +> [!IMPORTANT] +> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#single-sign-on-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). + +> [!NOTE] +> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Windows Defender Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Windows Defender Credential Guard. For example if Windows Defender Credential Guard was enabled on an Enterprise device that later downgraded to Pro. 
+> +> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Windows Defender Credential Guard only, without disabling VBS, use the procedures to [disable Windows Defender Credential Guard](#disable-windows-defender-credential-guard). + +## Enable and configure Windows Defender Credential Guard + +Windows Defender Credential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the first time. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. + +To enable and configure Windows Defender Credential Guard, you can use: + +- Microsoft Intune/MDM +- Group policy +- Registry + +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) + +### Configure Credential Guard with Intune + +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Device Guard | Credential Guard | Select one of the options:
     - **Enabled with UEFI lock**
     - **Enabled without lock** | + +>[!IMPORTANT] +> If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +> [!TIP] +> You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].\ +The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. + +| Setting | +|--| +| **Setting name**: Turn On Virtualization Based Security
    **Policy CSP name**: `EnableVirtualizationBasedSecurity` | +| **Setting name**: Credential Guard Configuration
    **Policy CSP name**: `LsaCfgFlags` | + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +### Configure Credential Guard with group policy + +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] `Computer Configuration\Administrative Templates\System\Device Guard`: + +| Group policy setting | Value | +| - | - | +|Turn On Virtualization Based Security | **Enabled** and select one of the options listed under the **Credential Guard Configuration** dropdown:
     - **Enabled with UEFI lock**
     - **Enabled without lock**| + +>[!IMPORTANT] +> If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. + +[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) + +### Configure Credential Guard with registry settings + +To configure devices using the registry, use the following settings: + +| Setting | +|--| +| **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
    **Key name:** `EnableVirtualizationBasedSecurity`
    **Type:** `REG_DWORD`
    **Value:** `1` (to enable Virtualization Based Security)| +| **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
    **Key name:** `RequirePlatformSecurityFeatures`
    **Type:** `REG_DWORD`
    **Value:**
     `1` (to use Secure Boot)
     `3` (to use Secure Boot and DMA protection) | +| **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
    **Key name:** `LsaCfgFlags`
    **Type:** `REG_DWORD`

  • **Value:** `1` (to enable Credential Guard with UEFI lock)
     `2` (to enable Credential Guard without lock)| + +Restart the device to enable Credential Guard. + +> [!TIP] +> You can enable Windows Defender Credential Guard by setting the registry entries in the [*FirstLogonCommands*](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. + +--- + +### Verify if Windows Defender Credential Guard is running + +Checking the task list or Task Manager if `LsaIso.exe` is running is not a recommended method for determining whether Windows Defender Credential Guard is running. Instead, use one of the following methods: + +- System Information +- PowerShell +- Event Viewer + +#### System Information + +You can use *System Information* to determine whether Credential Guard is running on a device. + +1. Select **Start**, type `msinfo32.exe`, and then select **System Information** +1. Select **System Summary** +1. Confirm that **Credential Guard** is shown next to **Virtualization-based Security Services Running** + +#### PowerShell + +You can use PowerShell to determine whether Credential Guard is running on a device. 
From an elevated PowerShell session, use the following command: + +```powershell +(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning +``` + +The command generates the following output: + +- **0**: Windows Defender Credential Guard is disabled (not running) +- **1**: Windows Defender Credential Guard is enabled (running) + +#### Event viewer + +Perform regular reviews of the devices that have Windows Defender Credential Guard enabled, using security audit policies or WMI queries.\ +Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filter the event sources for *WinInit*: + +:::row::: + :::column span="1"::: + **Event ID** + :::column-end::: + :::column span="3"::: + **Description** + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 13 (Information) + :::column-end::: + :::column span="3"::: + ```logging + Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + ``` + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 14 (Information) + :::column-end::: + :::column span="3"::: + ```logging + Windows Defender Credential Guard (LsaIso.exe) configuration: [**0x0** | **0x1** | **0x2**], **0** + ``` + - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. + - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 15 (Warning) + :::column-end::: + :::column span="3"::: + ```logging + Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; + continuing without Windows Defender Credential Guard. 
+ ``` + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 16 (Warning) + :::column-end::: + :::column span="3"::: + ```logging + Windows Defender Credential Guard (LsaIso.exe) failed to launch: [error code] + ``` + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 17 + :::column-end::: + :::column span="3"::: + ```logging + Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: [error code] + ``` + :::column-end::: +:::row-end::: + +The following event indicates wether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot` + +:::row::: + :::column span="1"::: + **Event ID** + :::column-end::: + :::column span="3"::: + **Description** + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 51 (Information) + :::column-end::: + :::column span="3"::: + ```logging + VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. + ``` + :::column-end::: +:::row-end::: + +If you're running with a TPM, the TPM PCR mask value will be something other than 0. + +## Disable Windows Defender Credential Guard + +There are different options to disable Windows Defender Credential Guard. 
The option you choose depends on how Windows Defender Credential Guard is configured: + +- Windows Defender Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine) +- If Windows Defender Credential Guard is enabled **with UEFI Lock**, follow the procedure described in [disable Windows Defender Credential Guard with UEFI Lock](#disable-credential-guard-with-uefi-lock) +- If Windows Defender Credential Guard is enabled **without UEFI Lock**, or as part of the automatic enablement in the Windows 11, version 22H2 update, use one of the following options to disable it: + - Microsoft Intune/MDM + - Group policy + - Registry + +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) + +### Disable Credential Guard with Intune + +If Windows Defender Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting will disable Windows Defender Credential Guard. + +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Device Guard | Credential Guard | **Disabled** | + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].\ +The policy settings is located under: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. + +| Setting | +|--| +| **Setting name**: Credential Guard Configuration
    **Policy CSP name**: `LsaCfgFlags` | + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +### Disable Credential Guard with group policy + +If Windows Defender Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting will disable Windows Defender Credential Guard. + +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] `Computer Configuration\Administrative Templates\System\Device Guard`: + +| Group policy setting | Value | +| - | - | +|Turn On Virtualization Based Security | **Disabled** | + +[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) + +### Disable Credential Guard with registry settings + +If Windows Defender Credential Guard is enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard. + +1. Change the following registry settings to 0: + + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` + + > [!NOTE] + > Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0. + +1. Restart the device + +--- + +For information on disabling Virtualization-based Security (VBS), see [disable Virtualization-based Security](#disable-virtualization-based-security). + +### Disable Credential Guard with UEFI lock + +If Windows Defender Credential Guard is enabled with UEFI lock, follow this procedure since the settings are persisted in EFI (firmware) variables. 
+ +> [!NOTE] +> This scenario requires physical presence at the machine to press a function key to accept the change. + +1. Follow the steps in [Disable Windows Defender Credential Guard](#disable-windows-defender-credential-guard) +1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: + + ```cmd + mountvol X: /s + copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y + bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" + bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: + mountvol X: /d + ``` + +1. Restart the device. Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. The prompt must be confirmed for the changes to persist. + +### Disable Windows Defender Credential Guard for a virtual machine + +From the host, you can disable Credential Guard for a virtual machine with the following command: + +```powershell +Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true +``` + +## Disable Virtualization-based Security + +If you disable Virtualization-based Security (VBS), you'll automatically disable Windows Defender Credential Guard and other features that rely on VBS. + +> [!IMPORTANT] +> Other security features beside Credential Guard rely on VBS. Disabling VBS may have unintended side effects. 
+ +Use one of the following options to disable VBS: + +- Microsoft Intune/MDM +- Group policy +- Registry + +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) + +### Disable VBS with Intune + +If VBS is enabled via Intune and without UEFI Lock, disabling the same policy setting will disable VBS. + +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Device Guard | Enable Virtualization Based Security | **Disabled** | + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].\ +The policy settings is located under: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. + +| Setting | +|--| +| **Setting name**: Credential Guard Configuration
    **Policy CSP name**: `EnableVirtualizationBasedSecurity` | + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +### Disable VBS with group policy + +1. Configure the policy used to enable VBS to **Disabled**. The policy setting path is: `Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security` +1. Once the policy is applied, restart the device + +#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) + +### Disable VBS with registry settings + +1. Delete the following registry keys: + + | Setting | + |--| + | Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
    Key name: `EnableVirtualizationBasedSecurity` | + | Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
    Key name: `RequirePlatformSecurityFeatures`| + + > [!IMPORTANT] + > If you manually remove the registry settings, make sure to delete them all, otherwise the device might go into BitLocker recovery. + +1. Restart the device + +--- + +If Windows Defender Credential Guard is enabled with UEFI Lock, the EFI variables stored in firmware must be cleared using the command `bcdedit.exe`. From an elevated command prompt, run the following commands: + +```cmd +bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +bcdedit /set vsmlaunchtype off +``` + +## Next steps + +- Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues) + + + +[CSP-1]: /windows/client-management/mdm/policy-csp-deviceguard#enablevirtualizationbasedsecurity +[INT-1]: /mem/intune/configuration/settings-catalog diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md new file mode 100644 index 0000000000..37448d8086 --- /dev/null +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md 
@@ -0,0 +1,236 @@ +--- +ms.date: 01/06/2023 +title: Considerations and known issues when using Windows Defender Credential Guard +description: Considerations, recommendations and known issues when using Windows Defender Credential Guard. +ms.topic: troubleshooting +--- + +# Considerations when using Windows Defender Credential Guard + +It's recommended that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. + +## Wi-fi and VPN considerations + +When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\ +If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. + +For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS). + +## Kerberos considerations + +When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\ +Use constrained or resource-based Kerberos delegation instead. + +## Third party Security Support Providers considerations + +Some third party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. 
Any use of undocumented APIs within custom SSPs and APs aren't supported.\ +It's recommended that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. + +For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package). + +## Upgrade considerations + +As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, new releases of Windows with Windows Defender Credential Guard running may affect scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. + +Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. + +## Saved Windows credentials protected + +Domain credentials that are stored in *Credential Manager* are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: + +- Windows credentials +- Certificate-based credentials +- Generic credentials + +Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. 
+ +The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: + +- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed.* +- Applications that extract Windows credentials fail +- When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials + +## Clearing TPM considerations + +Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost. + +>[!WARNING] +> Clearing the TPM results in loss of protected data for all features that use VBS to protect data. +> +> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data. + +As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever. + +>[!NOTE] +> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup. + +### Windows credentials saved to Credential Manager + +Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. 
+ +### Domain-joined device's automatically provisioned public key + +Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). + +Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). + +Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). + +### Breaking DPAPI on domain-joined devices + +On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible. + +>[!IMPORTANT] +> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. 
This ensures DPAPI functions and the user does not experience strange behavior. + +Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. +If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following. + +Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller: + +|Credential Type | Behavior +|---|---|---| +| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | +| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. | + +Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. + +#### Impact of DPAPI failures on Windows Information Protection + +When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. + +**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). + +## Known issues + +Windows Defender Credential Guard blocks certain authentication capabilities. 
Applications that require such capabilities won't function when Credential Guard is enabled. + +This article describes known issues when Windows Defender Credential Guard is enabled. + +## Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 + +Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running. + +### Affected devices + +Any device with Windows Defender Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Windows Defender Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements). + +All Windows Pro devices that previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement. + +> [!TIP] +> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. +> If it's' present, the device enables Windows Defender Credential Guard after the update. +> +> You can Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-windows-defender-credential-guard). 
+ +### Cause of the issue + +Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Windows Defender Credential Guard blocks them. Affected protocols include: + +- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) +- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) +- MS-CHAP (only SSO is blocked) +- WDigest (only SSO is blocked) +- NTLM v1 (only SSO is blocked) + +> [!NOTE] +> Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials. + +### How to confirm the issue + +MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Windows Defender Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs: + +:::row::: + :::column span="1"::: + **Event ID (type)** + :::column-end::: + :::column span="3"::: + **Description** + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 4013 (Warning) + :::column-end::: + :::column span="3"::: + ```logging + + ``` + :::column-end::: +:::row-end::: + + +### How to fix the issue + +We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Windows Defender Credential Guard doesn't block certificate-based authentication. + +For a more immediate, but less secure fix, [disable Windows Defender Credential Guard](configure.md#disable-windows-defender-credential-guard). 
Windows Defender Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Windows Defender Credential Guard, you leave stored domain credentials vulnerable to theft. + +> [!TIP] +> To prevent default enablement, configure your devices [to disable Windows Defender Credential Guard](configure.md#disable-windows-defender-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update. +> +> If Windows Defender Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update. + +## Issues with third-party applications + +The following issue affects MSCHAPv2: + +- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a common enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352). + +The following issue affects the Java GSS API. See the following Oracle bug database article: + +- [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) + +When Windows Defender Credential Guard is enabled on Windows, the Java GSS API doesn't authenticate. Windows Defender Credential Guard blocks specific application authentication capabilities and doesn't provide the TGT session key to applications, regardless of registry key settings. For more information, see [Application requirements](index.md#application-requirements). 
+ +The following issue affects McAfee Application and Change Control (MACC): + +- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) [Note 1](#bkmk_note1) + +The following issue affects Citrix applications: + +- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [Note 1](#bkmk_note1) + + + +> [!NOTE] +> **Note 1**: Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). +> +> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes). 
+ +### Vendor support + +The following products and services don't support Windows Defender Credential Guard : + +- [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009) +- [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) +- [*VMware Workstation and Device/Credential Guard aren't compatible* error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361) +- [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039) +- [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) + +>[!IMPORTANT] +>This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run a specific version of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md deleted file mode 100644 index d48686101c..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -ms.date: 01/06/2023 -title: Considerations when using Windows Defender Credential Guard -description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard. -ms.topic: article ---- - -# Considerations when using Windows Defender Credential Guard - -It's recommended that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. - -## Wi-fi and VPN considerations - -When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\ -If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. - -For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS). - -## Kerberos considerations - -When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\ -Use constrained or resource-based Kerberos delegation instead. - -## Third party Security Support Providers considerations - -Some third party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. 
Any use of undocumented APIs within custom SSPs and APs aren't supported.\ -It's recommended that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. - -For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package). - -## Upgrade considerations - -As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, new releases of Windows with Windows Defender Credential Guard running may affect scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. - -Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. - -## Saved Windows credentials protected - -Domain credentials that are stored in *Credential Manager* are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: - -- Windows credentials -- Certificate-based credentials -- Generic credentials - -Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. 
- -The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: - -- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed.* -- Applications that extract Windows credentials fail -- When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials - -## Clearing TPM considerations - -Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost. - ->[!WARNING] -> Clearing the TPM results in loss of protected data for all features that use VBS to protect data. -> -> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data. - -As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever. - ->[!NOTE] -> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup. - -### Windows credentials saved to Credential Manager - -Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. 
- -### Domain-joined device's automatically provisioned public key - -Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). - -Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). - -Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). - -### Breaking DPAPI on domain-joined devices - -On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible. - ->[!IMPORTANT] -> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. 
This ensures DPAPI functions and the user does not experience strange behavior. - -Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. -If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following. - -Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller: - -|Credential Type | Behavior -|---|---|---| -| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | -| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. | - -Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. - -#### Impact of DPAPI failures on Windows Information Protection - -When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. - -**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). \ No newline at end of file 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md deleted file mode 100644 index f6fafc39c0..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -ms.date: 08/17/2017 -title: How Windows Defender Credential Guard works -description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. -ms.topic: conceptual ---- - -# How Windows Defender Credential Guard works - -Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. - -For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. - -When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. 
If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. - -When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. - -Here's a high-level overview on how the LSA is isolated by using Virtualization-based security: - -![Windows Defender Credential Guard overview.](images/credguard.png) - -## See also - -**Related videos** - -[What is Virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md deleted file mode 100644 index f05c26620f..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ /dev/null 
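Review bot: this deletion pairs with the new `how-it-works.md` added further down in the patch, so `credential-guard-how-it-works.md` is effectively being renamed rather than removed; do it as a rename (`git mv`) so history and blame follow the content, and add a redirect entry for the old path, because the old URL is published and is linked from the other Credential Guard pages. The new file reuses this body verbatim, so the awkward sentence "aren't to be used with any of these protocols" and the 2017-era phrasing "a new component called the isolated LSA process" will carry over unless they are fixed in the new file.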
@@ -1,155 +0,0 @@ ---- -ms.date: 11/28/2022 -title: Windows Defender Credential Guard - Known issues -description: Windows Defender Credential Guard - Known issues in Windows Enterprise -ms.topic: article ---- -# Windows Defender Credential Guard: Known issues - -Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements). - -## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2** - -### Symptoms of the issue: -Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to log in and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running. - -### Affected devices: -Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements). - -\* All Pro devices which previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements), will receive default enablement. 
- -> [!TIP] -> To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading: -> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage.md#disable-windows-defender-credential-guard). - -### Why this is happening: -Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. These protocols are considered insecure because they can lead to password disclosure on the client and the server, which is in direct contradiction to the goals of Windows Defender Credential Guard. Affected procols include: - - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) - - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) - - MS-CHAP (only SSO is blocked) - - WDigest (only SSO is blocked) - - NTLM v1 (only SSO is blocked) - -Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials. - -> [!NOTE] -> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. 
To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs in Event Viewer at `Application and Services Logs\Microsoft\Windows\NTLM\Operational` for the following warning and/or error: - > - > **Event ID 4013** (Warning) - > ``` - > id="NTLMv1BlockedByCredGuard" - > value="Attempt to use NTLMv1 failed. - > Target server: %1%nSupplied user: %2%nSupplied domain: %3%nPID of client process: %4%nName of client process: %5%nLUID of client process: %6%nUser identity of client process: %7%nDomain name of user identity of client process: %8%nMechanism OID: %9%n%nThis device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826." - > /> - > ``` - > - > **Event ID 4014** (Error) - > ``` - > id="NTLMGetCredentialKeyBlockedByCredGuard" - > value="Attempt to get credential key by call package blocked by Credential Guard.%n%nCalling Process Name: %1%nService Host Tag: %2" - > /> - > ``` - -### Options to fix the issue: - -Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication. - -For a more immediate but less secure fix, [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. 
- -> [!TIP] -> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (which is the default state), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM. - -## Known issues involving third-party applications - -The following issue affects MSCHAPv2: - -- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352). - -The following issue affects the Java GSS API. See the following Oracle bug database article: - -- [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) - -When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements). 
- -The following issue affects Cisco AnyConnect Secure Mobility Client: - -- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) - -The following issue affects McAfee Application and Change Control (MACC): - -- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) [Note 1](#bkmk_note1) - -The following issue affects Citrix applications: - -- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [Note 1](#bkmk_note1) - - - -> [!NOTE] -> **Note 1**: Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). -> -> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes). 
- -## Vendor support - -For more information on Citrix support for Secure Boot, see [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) - -Windows Defender Credential Guard isn't supported by the following products, products versions, computer systems, or Windows 10 versions: - -- [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009) - -- [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) - -- ["VMware Workstation and Device/Credential Guard are not compatible" error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361) - -- [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039) - -- [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) - -This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. - -Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. 
- -## Previous known issues that have been fixed - -The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4): - -- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: - - ```console - Task Scheduler failed to log on '\Test'. - Failure occurred in 'LogonUserExEx'. - User Action: Ensure the credentials for the task are correctly specified. - Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect). - ``` - -- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example: - - ```console - Log Name: Microsoft-Windows-NTLM/Operational - Source: Microsoft-Windows-Security-Netlogon - Event ID: 8004 - Task Category: Auditing NTLM - Level: Information - Description: - Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. - Secure Channel name: - User name: - @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA - Domain name: NULL - ``` - - - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled. - - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute. 
- - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. - -The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: - -- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722) - - This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles: - - - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657) - - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md deleted file mode 100644 index 6719b3db77..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ /dev/null 
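Review bot: this hunk deletes the only diagnostic guidance in the set (the `IsolatedCredentialsRootSecret` check under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` that predicts default enablement, and NTLM Operational log events 4013 and 4014 that confirm a block) with no replacement file in this patch; the new `how-it-works.md` links to `considerations-known-issues`, so confirm that file exists elsewhere in the series and carries this content, and add a redirect for `credential-guard-known-issues.md`, which `credential-guard.md` links to by anchor. If the text is being moved, fix the visible typos on the way: "Affected procols", the duplicated id in the Trellix URL (`KB86009KB86009`), and "Anyconnect" versus "AnyConnect".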
@@ -1,32 +0,0 @@ ---- -title: Windows Defender Credential Guard protection limits -description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide. -ms.date: 08/17/2017 -ms.topic: article ---- -# Windows Defender Credential Guard protection limits - -Some ways to store credentials are not protected by Windows Defender Credential Guard, including: - -- Software that manages credentials outside of Windows feature protection -- Local accounts and Microsoft Accounts -- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS. -- Key loggers -- Physical attacks -- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. -- Third-party security packages -- Digest and CredSSP credentials - - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- -- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. 
However, it doesn't provide additional protection from privileged system attacks originating from the host. -- Windows logon cached password verifiers (commonly called "cached credentials") -don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. - -## See also - -**Deep Dive into Windows Defender Credential Guard: Related videos** - -[Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/manage-credential-guard?u=3322) -> [!NOTE] -> - Note: Requires [LinkedIn Learning subscription](https://www.linkedin.com/learning/subscription/products) to view the full video diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md deleted file mode 100644 index 519ec863c8..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ /dev/null 
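Review bot: the deleted body reappears verbatim under a new "## Windows Defender Credential Guard protection limits" heading in `how-it-works.md`, so this is a merge rather than a removal and should be reviewed as one; add a redirect for `credential-guard-protection-limits.md` that points at the new section anchor, and note that the LinkedIn Learning "See also" block is copied alongside the existing "Related videos" block in the destination instead of being merged with it.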
@@ -1,35 +0,0 @@ ---- -title: Protect derived domain credentials with Windows Defender Credential Guard -description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.date: 11/22/2022 -ms.topic: article -ms.collection: - - highpri - - tier2 ---- - -# Protect derived domain credentials with Windows Defender Credential Guard - -Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. - -By enabling Windows Defender Credential Guard, the following features and solutions are provided: - -- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. -- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures. 
- -> [!NOTE] -> As of Windows 11, version 22H2, Windows Defender Credential Guard has been enabled by default on all devices which meet the minimum requirements as specified in the [Default Enablement](credential-guard-manage.md#default-enablement) section. For information about known issues related to default enablement, see [Credential Guard: Known Issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). - -## Related topics - -- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) -- [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382) -- [What's New in Kerberos Authentication for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)) -- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)) -- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) -- [Mitigating Credential Theft using the Windows 10 Isolated User Mode](/shows/seth-juarez/mitigating-credential-theft-using-windows-10-isolated-user-mode) -- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel](/shows/seth-juarez/isolated-user-mode-processes-features-in-windows-10-logan-gabriel) -- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert](/shows/seth-juarez/more-on-processes-features-in-windows-10-isolated-user-mode-dave-probert) -- [Isolated User Mode in Windows 10 with Dave Probert](/shows/seth-juarez/isolated-user-mode-in-windows-10-dave-probert) -- [Windows 10 Virtual Secure Mode with David Hepkin](/shows/seth-juarez/windows-10-virtual-secure-mode-david-hepkin) 
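Review bot: this removes the section's entry page, which carries `ms.collection: highpri` and `tier2` and the only statement that Credential Guard is enabled by default as of Windows 11, version 22H2 (with its link to the default-enablement section); nothing in this patch re-homes that note or the "Related topics" list (Strict KDC Validation, Authentication Mechanism Assurance, the Isolated User Mode talks), and the new `how-it-works.md` has no collection tags in its frontmatter. Confirm the replacement landing page in the series keeps the collection tags and the default-enablement note, and add a redirect for `credential-guard.md`.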
diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md new file mode 100644 index 0000000000..afee0155ec --- /dev/null +++ b/windows/security/identity-protection/credential-guard/how-it-works.md 
@@ -0,0 +1,57 @@ +--- +ms.date: 06/26/2023 +title: How Windows Defender Credential Guard works +description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. +ms.topic: conceptual +--- + +# How Windows Defender Credential Guard works + +Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. + +For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. + +When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. 
If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. + +When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. + +Here's a high-level overview on how the LSA is isolated by using Virtualization-based security: + +![Windows Defender Credential Guard overview.](images/credguard.png) + +## Windows Defender Credential Guard protection limits + +Some ways to store credentials are not protected by Windows Defender Credential Guard, including: + +- Software that manages credentials outside of Windows feature protection +- Local accounts and Microsoft Accounts +- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS. +- Key loggers +- Physical attacks +- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Third-party security packages +- Digest and CredSSP credentials + - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. +- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. 
These same credentials are vulnerable to key loggers as well.- +- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. +- Windows logon cached password verifiers (commonly called "cached credentials") +don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. 
+ +## See also + +**Deep Dive into Windows Defender Credential Guard: Related videos** + +[Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/manage-credential-guard?u=3322) +> [!NOTE] +> - Note: Requires [LinkedIn Learning subscription](https://www.linkedin.com/learning/subscription/products) to view the full video + +**Related videos** + +[What is Virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security) + +## Next steps + +- Learn [how to configure Windows Defender Credential Guard](configure.md) +- Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues) 
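Review bot: the last "Next steps" link, `[considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues)`, is missing the `.md` extension that the two sibling links (`configure.md`, `additional-mitigations.md`) use, so it will resolve to a non-existent path in the build; change it to `considerations-known-issues.md`. Smaller copy issues in the same hunk: "Review the advices" should read "Review the advice"; the stray `-` after "key loggers as well." and the hard line break before "don't qualify as credentials" were carried over from the deleted protection-limits page; the "See also" section now has two video sub-blocks ("Deep Dive ... Related videos" and "Related videos") that can be merged into one list; and the figure reference `images/credguard.png` should be checked against the image deletions that follow in this patch so the new page does not ship a broken figure.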
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png deleted file mode 100644 index bfb042a49da12856d8fbf3b3c74cb28d24781b11..0000000000000000000000000000000000000000 GIT binary patch
zMN0*F7)U=)BJ-W!+nebd#yc6FLV|O}s%lJNi{T!g4s+>@PKDO(SFp&`oJqPiTk-6) zZa!q;jS`bX#Yx>`mvnZgn?}|K4t9*3d7vPs>k`VmWA}bBi%*>02get64lZxf@dBSw+`zoAI|7a;DOflgi8#|G6Y#@Iir&_O zldna~!eF`y{7Jqy?|9z5xREjgzD6;ZLv-Ld85HDtCgDXYyopzlHVBjyt8O8O7OSy?iwPuA{uVtm zeVG7>Us8w4ut<+Lp-C8f<_k@fTK(u&5pD9J`gzf*B~v0p=l1r$Z<2;S^N0<67%c*d zHmZ`x`Qc}I(f6i6I(Yhj&e<-`1f2O?HxJeVfKB)j&f}9e9hZN|u1)uPth8GbTn!>X zdB$BA_+iuAFQ%JuAN~`52mhEt-%70o8m62)3#%=Wm_zoO`X2j9E7}QdoW^&fn6^_4 zzV?wnbgTP_kkQZ=S64pJ0T@XXVF~k|WeEHAlf|As!E?K&xEsq2rPXgyr<*CotCw(n zjAj=~uVmzBgqyT~T7Z=N?n^f)I4Y99GX!fk&|ki#7Ka6DdwpPyRQ|TiC(L8YFyOSm z(#e4JMPZ+~kA1k#i4n#_tyQude1$D8GyQulUNI~KI!$eAl(kIF`}pT{aOLZlK>ncE zg2D&XbJ=f=QxAfO#`s^I*J9&&Bi(hMb)xC0zbMr?FTs`|AnKOS`QUIInJc-?s!8EqVy!M@R#eBn=&0_&S!7k zP2UWB`bhDUQs-+{h<j)scq4$j(lrw(redv=mD{bbSc=;kBeE6VjTy{tAa0&AsnWS$dK z^4JpD#!Q&$X+%n?@e8stfQ{1U2pc$(bm55w(k`V>k#GZmEU$!K2c~yW)34-eox>@A zm;zDgquBFM-FICHh|Fnq8lixyJPrf-*N`&VVrl9}B(U;CT*`mXHh zUVP4}ex{lr^3vId!cB;g+o$PjyuZ}zEeucYti3iqmVuP?hl+jTKCj*v*X3&xuY<)H zV3v1zr>Hk;T*|Y&wVo;CWv=DG;))#U@A?6Z6f1 zv_lunHmf8m>9OBkI{@*8{F0JQPp|3vs;hYcBY}BN87!hkwYd1`~CG^4Ev@XCgu{qApj<&mp4b?;K-CUlYyE@Zbzr5A7wKqb zB)YbtcbKc^R7rq{13mG``?7nL>h|G|0a~5QcYVUXNStj=?+FfzdK)N|dHS|6|ktVV3R+j}drsTXdY5tKL1yI1* zVGus|1zAz2cIVpQj;}lGI-n1WrbM-aZ3?fI)wSXrG z!yT`M9PXX+3@q0j%pb(iO(p}Z&&Ta0I0Dy)Q{SPw_P$9ex<_jlsmFKD5G$Si#r)j? 
zFk^&uMzY7h`TaduH9q~-aK&Cnm!a^lj!ZU(QX$*X(f<_9A@^;N^=z}1t&v&gZw+^v^%#KzwafsVHd%@tSDC5ciW4_Jx!m3zIt z(r%1fu4t6yR$f!>kG=clNA=LS?ko1#R#iy^?|f&C2^co$AYo2I>L*V0ok&WeWv9pZz=J?BF%~kDq5Z>bQ1O7wG0pfAukJvRNs!QRQA|!x_zA&wICI?%Bb114 zJ!m5FUh*xuveYfAHVnV`ZWvJOOhN!U#V4SfMMbydvTzI+8CiKIeUP!y3t|m#=7}StT8HW@A%}jG6V_`J zzj-`j6A7RqvBp1Y$ZKRW>fbLxE5C>`1sF0x-1Io9shz~Bgci1&AB->0;-iDM6!a$w z9=m?E(8>KJhp#*)bVU>UeW9JNIPBwi3~>GP#p2z!%$W4g@GBP1$}w}vfv5<6XZ6Pwow0#I48nnU z%W>H4YEYh5;(OeWqU-k}w$fgzbyu3elH{70XhVw*_CRmiURFH0Tt}2{VN!`d(<5UP zzZEUr9-Vyr)AI90bHpD3Uo%i6eBaYB#J3PhzU?)n+U(IOJzUD7U;#4l?KCsJYZF?` zrqf8ziBn3pkq^H=*pc)6Ei7XTq$kPPGdQTA3=1HsH@v-!pSxCaLZN0;6Z z_+bLcNb04x-T>CVKo)?IY^n@CJrfJBr@_AO`bD|VSy8T0j^Y2rvLT=c9G!lJO5m_4 z44WTvhqjBV4w;+jL{L-hJKEGv$Y^>bV4q`f%-Pvc$g&la5Ci?Ua1Cn{rK_L{yA^9r@!pr>)ByFZEY7Q zg)e+pem<0;@@ABL-^kEK9-}l%557VFP(}?-u)>c9=N`~(8946T+o#FEfl@eHJ zdz-d?mfRWIA4|Qvrlw>{i2zcU7JJswbxAMVxU0rabhqR3;0pFW`j!0rx3m#9YlABf zf|2+~{k0*>QU>3zB!(oo<2yfaE>~FV1u!Ebot6%*>UPg4os<~j;)`t%3w{RCrT)A1 z)mM;R{veLx`}bKLXnB$up%Zy((5~5(BR-M+n0TN$Y&+w9;2gF) zY2KnR)86RErgKT-AMzD^_DBYwRv|2_lhoe6vYk}1Y%yMWxOxXBU@)SIJ;u%L2VY8Z zEzG>7GH6|t+S|_G%H2wWl_3rRCi*03ucFCJ;UqMyUSOOavhgYcnF!RiU zXUNQei4!soN|1%qD*r@Ok^?Hj*+o(f&Eptha@pH!M%{DAjC1QaKac!80g`IrAn}#lP$qvVYeS62EUm#O{ev38M5d@|DQ0T5DfD$#qZQ^zZfd_Tp^q3xq+pjSL$wq?G2-1rGK^lB~hKJgr)yb{q54ntHHIP z-j3Q47mRMUx4ZqWL!@xpWw6=M(L407SwzNwKu%*Jl8|b3xRRA#0HTsyvCkU_ly`Q< z$0Yb7YyXV^4kvJPtBg!_#HY=1v^ajp6&fha@e#xA7irIY9~E3jWRqN*X<$EmUq;b* zltk24Lm*a(!;M2L>eqK_ofrM_lj(ADXP{I`GdN0t3pO=%B6Jo{HXs09v6~H1EF#1a zh(U0FNn$Ql$=;I>pb*NztS8vGR^wO|b)vLXlw;~f;;9~fd;wP`cH1uWKD5XbaY1K| zFMTpTd4Deo7N;|8ysUS`v$1@#1y?Yp_eCE|ZuL)NKF6W-U5vQ_x){#9Tuc^~d9WLx$Jg9N)`Np+~PR$mcPH z{UaKNFCoRhUieTPV$cJoFci};x-6`B&Ec= z=LOyQ)a7s%oYF+IG@CZv-z=AltJaGLEyTXLd^n2B3u%RW(a?v+w2#z%F2c55|4a}) zDX~Ye^SWp~gFI8dPKrW;$dmwnbX+RyrGT+$LbtXGe@>_<%oh;B5xHjJR>cwN`15(m zUuBJr&F8Mi?Ym2&l+ca??2B^gbX7tj6a0X7V+}XxGuPu;=m^#{MT$k4n`{~Os0A_V zk>_9N(h?e3I&Bk8=o;;B2DBbIaa7aa{_jRw&4dakg?pwa(RAdmO9A7GrltT6q+&Tm 
zNJoA?`gVQ!>gxqkqBn??K9hi%1DC-HH-*f^bMxTOD$i*{H>UP1+V6Y$#F@UMWgu85 z?<+J?j6w>X_F7tFkgt@t{@|s>iKvYGg0^g@uG_o@&Uval+pe4sD&- zpnVgE{Li%sQW|TT2?)f;{2ijUwl;O`t>~#yhwOLTF&k6|@4RO4KiI3jbBB=I0o?SJ zm=V>R1>WN8Td!6V6c1%(LeB{>_9N6hzw+l`jqeW(P<}CVxTy-FZy4 z7*s{jV5g>SH=Eb&{qmsW+~te*WFMpX;a2TL}x&QF@D4*SKNdOnbcb-i&Sk z0g;5T(s6N|D5uqKG6~Cah9NI_eON`z&Nbh?a+Ul1_4D*z0UU`~rH-z**;PeFA}spU+iSi5^3EFF`oe6KAVorCj5f zCSIF+AuZ3WeBl-Bt$8Ncq+Z2^;A^>wUtL>%zUekXqVk4$IEviT`#7j6{cFB&D*D%m!@7|x$;^+pt1mm~FU*!wvNbp9 z$NGS>obJvaQTyd>%r%{uiu>Uk{lvcPfY%{$T6Ce$7VGR1uVnH@{w#lZ0{YHOZtxg7 zJtgU5Jhe@X>24*l2Fki-R0u6%u)pJrL*$?JaUbnPbrZRYE@cJ2u*X{NwaXI^eSd5k zbRB3={6IGGcum46jBm%b6b_~66@9#U?G@daoh<%rJTL?(n-{(pe3jlBo^_(Lly|>A zd-Tm-GV$YT>QO@wVpX8`%Vp;~$DBoC%pgWf#^QS<=Kl4-NaponLWd9@%i%o@{epHF z;(L`3tMQMUvIHN^%F*p8uvhH4naATNFn%S>Eph?V<9=)&qbXb$0&Tf(?BIERxkBl3 zKm8hl1PcUS_1Uo{19HC`!d%vh`r0IW94CXbZXGA99qI{vCBNk5M->^7bqM?MqeQzKJFH$ap64Z1%!*pCb<8}7DSCL3d2Cmxta+xSiHZ)8#8l3IF4euX!I_Dyu zm-5T4wz#q7x8MN5;LsStPi>kK_EZthQl zCciWU>%X~$M?_k!hr7KKo+=!N(R_u1h)wmeFJo~?V?YLM3tDR~!LNnz5anl@)jP*_Kx2bx4LDim|cSuZ4ej zQ-|_Bulc@n({)|R@!4ekoqigPPPohUs5=Q$4?JRd!5=xi-g>*)V?80JotK8@c=7YZT0Fie&3IQMCv9?% zmHS5M@s(laN81iB-Uj{0m`i|t2Y&C(2>;QFj#|k{{fkVTdaxaOo|KQUE>r0nx^IX| zAKc?fqR7>wkmxuP=yV4jo=hhS_p~>Dbu}X8*}48Uif~5`S|zGsPGe z@8JDM zIKhfAZfgMMBLK%*$yEF9KU11M{`~(=>HWF6}^Lk9`x(AX&=bdFUvxR-bmGj||SPOtP_isOm_Eorg%qrip0oks({VtBa z?7Prz%gUt@r1D3i8%&>W9rRB*cozu?Gj&hl3PlhitUY_?1CV)ccG|DNEE9E{c`oZI z|Lfl3S@}Pa{pxhca7t~2KWi>1}v0p?N9YFO8A9=r|!L4;z8#qhYU z6)}4?bMftt#k6LNs0hJ0iHZ~iYI?PH;3C>E9@)YRzl?)cl5Lr9bfoi;}TxE9` zA-)M4%S&NobH62TL1Ej+^E_{!oi$SzU1W-Li@Nc&OzY;;sTsS8nzwm@7Qbf^a{hdb zdd-2iIiiu3*~TxyCpl~gm+$eh|Bi@G(E;a6ueef*>S6JQ+{IH99M3)^**)zY&_T=E zMcsclk%)R9$a&~uXmX(Od|cWyc{B1MO7^hknb-|<%I@XX$GG6ualgxB@;&d9XY~n% z>Uz;N1P6UX;xm5U2a9p#wZc1+_LS?9=+e4o$zM^o%SqdUII24Ex8+bozS2Z%rlR5= zd@WipfpYCJ=KAl_RnZ%ioAaFwbREmOIW|}vbD{{@1vDIktXYx07j!e10pGGCYU=NJ zTy8u+zBr7*!TaZpWFHbhp4=xnjtGc(Ydq=5mKO~*=8m;8b@(~`klzK3sSVe<| 
z=E0Zl>=!;5*JX$tc$w6Q@bt7K+r-O`C?bJpfCIq7gEPy5fo4ekV%*?JBS4WXjzFXa zX_^`NKNy5aj;+qrA@V zTi^0sz*zBYX)7uz>;PL`uUctK19vg>ypVFL>TybfJGSjr{{0zZ*yG)dev*kXx|SEg z37m_F6KHATu&Sx^Jg<}-a!uB)aa`8WH1KaD3*681qNiVBZTU9r=vaAT11u?C)6zIn zzaC_CWCp7}cj>TPevdakk58Crxrvt$E*IrkfpKFDP~4H=q!k+MvIgvMDSu? zA$<2A)q4CN&K}&`JOg;>TX|`%um~M~=FBk9J`T$JqR4BLiPOt}v!82MYP(pGo%7f% z6uG6M2RX-0ips-W8eGSv=lj&^hG)_VFE*~zPz2nTr5wrc*W6xM%nGQZ+jjNn&|B6g zVAo6*D@HX#n?)EX)L1Ks5zem!8lO=BY~$K;L!EpjeZ0BRecwqjP~r`65RXq3GuFHy zGB7&+L!+)|8@lWCBH_p8dO%=V>`?sGS*Vr{@1h5FI*W3w!Tw;iA09SY(2^f?Vny-E zdAvsY$hNBfFjGgS7@I8pV^@vms%nj-)w~1qnY1cB{Ecz`G26=gwu#m*;pK*Q{S18^ zjgmt)(LO7rq%A-yE2p&e@3)Vvrh+n0rn;1SHCCwPVBLJDS5@XBP*BDQ(%qi zKT0&>&oH-b*I7KV+2y5TbzT&L%N>{!(yoAEMCO-89HNK*`{t-Z1x&C9aDC2Z=E&|r z|8yA2-@)b+xJEmxQ@5=#upT7t5lEE}&Y*4pPrCSWjd3F!-m2ZVT{t)9DYlsj7WD0& zh;Yy~#Aeft%Xt>dzS;FZE&?jl+{55G!_&}~__d#&<%b3)$7Opt zvbHA%*`nVIE~+utuxZGPmBPcsf`6Ye4t#}HUribO_ZfgG7M{7(Ib7}QyXMB^*Yrb{ zWQD``DuC<&1|F(;`29Yo#w#ToP}z&0hD!#) zb~0tH|IyqF>19hM%cMItyY%ETln<0M;+|-!WCzNg!v9IUR57W*l>B-lLo&FG(|Ek& z<)wUKb$8I@j>mtWHqc09tPuseyGxsz(m!!|!DVtediwg&2!w-=kIyG95miioU!%9a zRpNi(DYq&A7jtJBRb?0Ud6DjvZWNR{gmfz1Al=<9-6-84Ev2Az*P**XknU~{b!a)n z-0JhZ6YE`TX3eabHJ|w4!nL{geeZq6|NpxV9~=b&Wn7E?`JbKK-8JCkL%ns4!M=YK zrN%7{4O-6{9~+vRZ7bX}gMxy*D+Jl7(XS;AFkpVtgpG#mbE=kXzoRvkxS#JTQ$-?4 z@&Pr}y+k$%%d1x^62k47K=rnEXyVx{WD+~-Xq6Ra1oEN({adH*9=~tgyaB5AvlL~E z8WKcAM2ss}88fH%Zf@$}qC{{*BAkB8XeGAA8T++FlUh9v==x2lcN6*F9m^Zw%-i1H zE>22LwpNYcmqcRligVJ&Knn8q=QEZK^;(?wM)GMQxPoQbi?n3=CHT+%H`W0I)Bj~6 z#Q#fC{(p+3_&;92U#UMm?QLgKS=lrtaJ2!90wpdkE+<#l;2^Q#-5o$CyoX#;UXBGQ zp@ElRCjXD$*-fOkx3{po+~LxLDM%>6Oz|nROd44;LP77OD?}|iJtwd#mpN*d{-?S` zcG)$cs+JP@NA@r=@ebG);DxN~%dAC0jwLj1e;Ip=HUJ7PbE(%fB53iJ*sRakT%*r! 
z)?s+0PMeG={wDc?`YpD4IrraZFr{66ZE0@){pxTizFjpdGZWang~Uc1R)cwh@Z?;( z*DPX%Y4lM^2}$2%=RP8y;*M2x*)0}F+eZw{Wrwp&Dx@)U4-hO$Hb%b2yyDMNyng{4 z7qm8UcP!d!YTtyKIkwF6s%wc3`51-o1I@!tdTiy8OpTWG8K;IRudjY_y=KLN0_v3T zevxm=e_s_Lse;itA_9UAJ8rQSO`#MiMzaKcgr((WbyRfpk^uQBmUQeAjw9o>6j*4< z#E#5@%M%`V@$Q4pP2*-D|uTgwsv+ z@v2|3dR?5`v=JsnLo3g0ixmIahK2Jmbx{l&{l`_~rs2VFx>{tEladlzV>wp*iP3*u zQ(e6X_tq@@`utpV`xa6WR#8#m4XoeX4&Ph=LpPt!`29<~1&Hm+SGX%PP#^{~m))Dk zU!qAbYb-0`T_QLL$rR$gIQ?LHsn?7rS05>Z%lTm-UD|-5`PMRgZF&CMMhJ~V)A$Ed zMy2~U{eU*<3KNKZK>7Egqjr06~{KzQVmVj+vDgV3i%dh4P z-)Y`Cw%-#1TnCyJzia*9a{lr0anGG}%lNdk@KghDR3+hG&mG$D-7(0x<$s(%z)nm7 zZ}38ML=%yVF)N1>RsYl;oA?bFU&-7^QIGEJJ<^B__j*|k{j_PX*+O`*GA^3sSZ}dB zwM=%UriPK5jj)Addijn(^Eu7)c3<)u%sA7_^>x~3!`JktmT!3t`tVvT5U_?!pUN_< zWMqC@;JtS4;1GN>l3RBo{Zt&E-KPk*1Uygpv%!Bd0lP;qs>r4stFfP`$%wb zFhcks<7q(Ux_+8?d}`|R0k*#{)v{Dr5TJ!`Y-~K}yP4JZpa9yZ>K;Dx_bcx8!|r`; zj;n1pl)p5y2SuDW5YEodrUc74=^%3&&&y=Qb5W@KE^dR(7yxrj_guc&&3B(8IBPYq3@d#jiS!u$gCZ$aW}tOHgy8H%q<0 z#@@UJyLWLp4~}!BR@{wp(xqRVNBZqPc;FSXAm0$L#{A^>Gg=lgh|k@f-ljYtt^ zQ$7wfjIzVEC-R%OU$5~?#;Hsdcj-FR@>w~pl9k9qW23wEJ$j1*4ckfnIJ)+HCfAKX z-Cl}{ig`vIGp3XKwUAI;P zrl%7n^S)ah1uBJTyA8yT!}782tfz|0)2u4}ri|y}8o>E0&?6NW}e+_)em-@u+@LEzq$H zsKjMTg$B%XJ?@R?F)j^5paN#Sc6L4iTq&e=yZYjoDD_ic4(v~&n_CbUR7Lbr#q7|s z+0rXJXX><*W~s6w_6szNScf%f4K2x+5H@Y)0#g$cD$j+g-5;u)6fd2Nzo6f`I6WZvJ>!)Lr_Yow# z4X<$E-iWb@7*~_NT7E#Y^HYv*!dyr`jwIiMz$@{%ySJGveN>x0b2hz-JcVIuR9H8) zrza%)6Ur?1xVBO)ouA`Yd4QWTsZ0FxG4$lwqwW!jiI0PxbYEY1HF_0to>coiD;U#n zl%w1#gdrzZ=Fivvz6Ah2iX8BavyT!#=wT%h5fjfHr+fQUN3~@dy3eQb6CTo)b*@l< zyw83Yr@p zfz~2A8$=R6uy^-s6C`p=FHm@LSgV3|HfX^U??Zll%M z&k0Ml1SzylbH5xL%@BH_zvd%t)LKDlHdoS3vhsNK!7dnA4pR;~llz^GG}XN&3mf$D zjk;M+eGgcT;!OKK86mg4M`DunAcKC!cAv5Ivj9=aL!D&IRC)bayEs`!xns>f=8>NN zm{OI^w4TbY-qLxJzEDhkjh=(g(XS$_G54e1W0}||kNqKFTCY*0o=EPn>5A1&>AO4H z(}AbK!OR^>ge!q=WXPs6rEvJ&cIP9KCX$$y&J={fqRkKYK40SC#mUTJz9Wws_N9*) z;^|Dn9bBoNq$00vFg6N64p)AS@A@(RoE_zoAt51i%^sjwa=u*I-@%0Jth2ndw5Nv8 z5-mxe>brMrezzBrbZdsilLbm8wug=_P)U1PRYEf=Idw$N9h$ix(UsIZzBT#cS%_{J 
z5W4)q&T}-UKCSS=;8#C2&E6P(3gsI1pe5^cA`?PYbqtsC^(}n~uWZg78kT`o=jT0* z?VevT_}k0TqZHo%V-{2LP8ll9zU=LlQl>~Wra3+v%|xK>t(Q$jt*E;kH)Z#g zTfd5sH)CidKZC-jVQdM*o7}4ozMFn*L{|$>zVs>~XRguf%Wj%>;t^6|a%hzwu1E)d z--hv?>66FD6-PUg_}_?2$$Uf zLo&i$d(jX*&nL-d?8)vqh3(k&Gylae_>V3Ze+(yeKOn=wUx~?SuBaA~H|d36`iXCP ziIZ?s6X0G#URci1(F#B9{Mv@uDr9%^j5G9hfiWpjtar=v(%;Z+U&3;=M1kNu1S{Nj zrtj+pY-(8Uc#LIg)gYs{jY34$*Dw^JTm2Be)d$&BI`KqNNljC;;27P8>`Bt~pUf&Z z_EYm!S`Ubpb`K^!mY-&S>Q{E2Su zZ%{UzS9My>%RGU^W80WTq35BSRTF2LpC+uT7-m&4S30B6EERV(k%GzWXj z-4?@!BbM?Dj$3KaAh5NEslt zAZb?`Hy?^Fv7gnO&?E#^acwhCoGA82a2YN<-CMiwQ&& zcXu!zQQX{gupxBljytCbSO>Z@KSho(%~1Zm53*l~h)@+MX4w!NyzoN*wb>t+_wAc_ z#`|A@!<8c%c6+DVRX2xYuoGtqOX#dF4^a20HZM5(AsW{ebw6JqT z%-L8E&S&P|*@$**#@gsicj)|A-adc+{57jbFHKuJD*?9bs;nDNQ-z#PjVLeM!o zE2~VX*_Q%Pk^gM@jk!s<;}^@WO6BLe$ws*vSM&m;?L@Bx?q!i-x8uE&Um$$|_OAsY z<%C~4&i=*R*uU=hY9d_R5ApFh7e|X=?F4Y}$)4L4#kfOdDtgPqEu_k2SCQ)`OR)N< zN;L$y>I`&2R7#n=Dn8rqf~g()mbFedhI!k3`C?C2f;JbJe!`-VBux(@f6KcU`QJCw zZZ_anu)syOUv_2=Uiw`u7R0bV^lUtn7C8rvIB>uBr~g#%7oiSVEUWAu0a^DMpc6x) z;MrKq$EfpdJWM;~E}uMk?&pc|mVOL(c;#uoUy+TO_lwOhT6eZu)z9W!butL?B0BEu zFjku2&WaIqE5b&O$eeiZ5qe7PZQTTT8opiq$x3ncw*i0y4iQm7d4Z!&C>8}86&2sD z_N!FyK*kZ$I+hE~M zxfOAQ9&6t?dJ4XPiq%<96?%4qOe_W{AJXf(MII(&*_ADZ9PizMlBbdaUx=0!5{@c{ zD50pqneQE0_w{Y%N#hO+xAZsNxz@nd!IyU@X^Y`*S&%&w!TfD@*Xln?L~Z`% z>e7U}!zl?E!wbhp%@dHBNMj-^%9^*o&C&D5Er(%KYuAH>$ofo_Jaa|>gL|mT9#i#b z=XXX-i0TAn(d%n9TG21Kms}8Mr92gAMy={1Q0=#*8};cg*7n}Vq;SAi@#s*2{?6A6 zYxp@B9{}%E;SI%c zyX!4haNCmfUJ`;l1x1hqJ44mGsYbnNreO=>$;dzz=busLaZU8^SPWTVW!v>$8r@dq z>cgqS^~*LDa`W|rBYH{Zj-58TFk$}ip4S0f%KEPN@kn3yD9ZW^)2*gPe;|Gs0G*3A zn=aHfWtExRe?pW}IIFj!u*d#W^uTpXc6ao!Jn4zRFD4iACQwmPDHfNKDmev3VLZH# z7xEHnJ8YsNCN6w?Zx3G1pBB~3Zozo7Qtg0#%OI~|d0oeT6H$n|avb~n3+6AO12;G8 zQM4{Ezd(ew0KOx$hE$PY`(@1|s$tfr)zU!tE2t`B^^^KCv%Dp;v_d8O{@Jl_2kK-1 zKjkDPMVQtR7p=`d00YsR4^TuN08zFjnq^hc_)6-LB{iF8V117u0dIijQuxUTm z^rb=UN6;>bpeLKyy+^5_0Dj6hp*f=cIKdzRj0M*}XBll1zy1V?&w-+y{;{QLg=ejj zLSkR|@0@*js>5UE&24z$3&FqDudHd)<_%R36AG08-3^;eqBygvgOVX%zV~gOJ#c#w 
zI{kmKsad_i&ne75RX$u5OSb}}0GZi;F{&!pUH|KF)&Jv4*8k1=*l}g_M>IV)^^KOI zw}R#33icGmwg+nmhfi9Y^BD8GTkHB27n%XMN$SFaj;D`L_xQMq(CohJ!5{W4zDcI?JN6c`X#xn#>Y*2;{^hMSQGS@ zcEVpGh2%rB2e1WABPFtmPQrzeh}7{cF2u~fkkP^~)oSXP{0qs*n5dKa+*SoGmPehY zcSWsXT*OmdC!+c)3z@d0Ue@{|tJX!Z*Gr(yU+^~R{qwSU3~|h7<|rHdh9tQ9NdKPe_|` zdFyA7sjP~qmI|l-eTJ4wQ!{*jdO==;$wRLPd3CGAdx7xPkQzY#>l&@0Pm`ZHn`c7R zB6Q3O`g6I4hm+Ql9d2uT@F^S6xz#zj%yh0D2O`r4Z$L>@Ja?{$1^Hi)L*adUU9%2T zsdsGmwpUGr{$$?(??fB8^v_bANEI${K3L2_uvSO7#9-IHLX>zaJzA*WJZ~CrJSEruFQ_mypYeG(sg(m9xCG4}HpggF{@A=Bz zK9@5lG9%EKAAM}>6FWE0vEsoGI8ic zzFJ4;xXzRrg$?B3v}FH&>U@WJK)Bv8Nq^3DAvg(Ml6=LK0PaDsn$flJ>?Fj9hc8^8 zW0bhPtBoE1>#WpTD7z^Rl@98S$7RxZ|`^JBCt37nW!vBqFJpw6xecP<> zs%M&abrw79&VW0a;T|H<6d8%uV^7{_SnlGiT!BT`B8099m8O~#gdUrqUX6-#OPt+b27s5l87*OmT zzy79pm+@SR#LcOaa&xQjw{k*!O63e}X8wI3S2I2_F_94vtpHW;^7af>)gwU9UtS~z ze63gVbQ&GQ)3}|XJKzdVPu|&_P9jd5012VG>g=oIQq7mL{M=>oJ-Wm8c^ehIO`t=m zI1$j0aH%5xy4NX-w6wHn*IiXO8?VV~_Va=Hp>@Uw!?*@7)P_wJXj3MGF)k(fI2otQ zbzxIA1bKfoZ0jS3dX8ILNbX4goL`BGn_%Pi_|0$)oE+Ya0}|uMO?I(XrKAvOE=z|E zG=B@fp!B?S^x1jtL$ey|cJ+t? 
zu@Qlb;weQKVPoMvI=U?H{kq}cG#RoA3%2vnF?C3v1yHQqZwfM_RE@$#f7MRM%fCwEGI<=v-5ALopO`ZKF8+q+rpUQL-Xf1{+a;&Qgcd^uSl1n)$<5~ot zecilszH`lYs}^z*cH&0V1+#WmP-cZ|>GHsg!2p&9u_wbwQAQ#^(-Mk*+UV>n1{0Ht zIH3AaNXhx%uODL*I4~DDV@BZ^ShXsRPe{z3rQ|lW$SMdYsv>NH=WlY@e=Hyxj#$!R zV+G$1a_+Cfx$wtVVMa9HE8_}dqStXApzrpYwh6NSRPP&+x)byYH54FoWcnMKE2owG zkp6oHxSG2%&%t<5xA>(pc^&&g{Vb`CN>u?Yx@KhGIWte(O-{e>uX!!7IG?4AtOn>rP@Qc z1$olFyEZo(M!W18MLU$aB_GzDZ(16TI*9SKM^(Nn!`_iEZ%6v_VTB4Ms&DGqu<};eZFA9+6jM(<7Ab8uq_TB%?2I`U8XQ%Iya~pKjw$0lhb7n4iYOVf2 zOqx0A>FNz-g#@0(NR{z~H{G=yoL*)$2c8e|x*rA>7U1pg4;Eg^Bhu4Tzjf3w_c37< z%)MWuvhRCP$SK(-i9uF=#*dDRA4=;UZ~xlAc{_4?M!*}6uitngy>j;_+_%UpomJZ& zuM@4tqMvdgo%in<(3~lov8hC>eTDvOL~IossdVAD@y`dYEo7tSyI2Q38}XxRU9P*T z7d@eUT3!+-{YabDl}Vv=OM7U;;iQPtJe0q~-7k+Z?SP_jSgmWoQk?mkoHq-L0MwlK^n8pKi_j=+4(# z<9lBod><+UuM|&?yRkSAv9xp@4wguaET)W1D~kt{0GPFcZhm1U>8dtdM%C4|oBTjdi+9Mx#02x3dV0y^8FO0eA579Zzk8cDi3c&b=FHrmQ;MG0V~$JWmTHY_Th#zn20Str09|~0X++YfadyAswOduH19^6mK> zJG9KWFZ<{T@$p}V{AxC)JG=w2KZdRZHZ+$`;^SrGnA2G79EWYO%^-A7Z55?;C@XBMzQ_Q#qV|FAF$^&Ep=IP2B@dd*>4=bM+g+hJX* zofVai-YckNb$&4>6<>~#p=j&&?@6j0_R-JH%`FUR#5U&0uR5El&-bhF9I}!v`C%D6 zWFJ@1jB#Vf+L(XcS%omds2zC)Fi-N38~cwyoOOIkLLUDfKTq(D${QI71>ckwij2(s@V`QP-d2ma5i>w=PEN`DM3+e910sz(xHc*Pfs-Nj zV`28+yl(Fk@S>U%r*@y`2zZo>UGLe-`1=bV92}?#rP2XQF+~<FP{yADWM#LvvUr`r1Jo5*EA~5Wz z>CaDu>d^}q(kSXx#LfA47sj_C%9W`>J6R$Dl!S7A0he;LV{>v@6ux79q=yo`Ks+rt zzx;Bp843QDcLe`UlXYck>smq;MPHt_^wMUWgh_UP-A|zaJ0fIQ6$=7P>O{0lkOdeX zW5xNWk&26}-v&hKEy(x4aE`bv0S{U(E_JuTlb7>uhNJCX=N6ZqzyZC$luB=^OB*eR zndWzAPH@pk1{(4|w2ue(p=(!S<;O&^o6ECl*s;@|UpS{_6@TbVh(DPT%lD(JFMTp` zRRp%)N_?i(#)#hxk(%QCU7c;INBB#ys~5g-@5;q>J|oC4*TV98CfaS}i#b*Jz^7=E z&9Wf4tSIalF>1y!Z5_8*3rt*5 zPhkE%EJjCKH*ag0^K#W6R>pW1<{~eTfrLr=t#tvl$k!I*}nIu;(yB8Omrvs?}ioJpWu~%}H z?(iA~*40D=K7$&c_r*&<2%r`b8>?ZtZk~YtDd=zz0yUq#@8}S{IG9EUFS}=Gzym~L znxOmMC?a*xZx%gJ*J9-1A?obxJV5Y~1BNQ?Zf_UScDI(v1)4o-x#Px5d=g2yzrSDP 
zQ&kebxR2L|DrNB_LQlSMhx|So3SkN0cT{Xfq9v)_hVLrDGIDaNv!lb1RDuDNIgj!dw`Y$>-ya^c#QQ_~c_CKE!^`8f(Ez1sj*Igfb@S5-|3hu;{AG!>SC(O#%j#b#~}Zv#hXSf zS-qqShiI2hc1*zRBDQB%=xVVo(y#B}o(Pwo`et@Cd|&Blm6ASzx*X|CTnO4s;Ef)UR*32gF3zNW$Z9g zNyLbQrO!0|6$!c{;*MQ-NT*T9pIGms)9wK02@{*ouxs!NlwY1c@g*6wlfVcXIbXbD ze}?C8j;K+vQ{q*2PN8x>^h&|Sd)Zh+>Q$zNtYBUB z#iLo3dI6bWk9qeJ!ukxWizF1yQmr<$_w~2xe~&&%AZu9*`tp^B`nVk7`STH}76b8t z=?KQa0>k&8ll15NjUKj?dlp6;=m`9ByVz|k5Zkb~nLV+@xt=k?slN;N)IpsVZm(Q88R{C!O@*kZ6i(b8E!D=%uP#j&Lh#j=e8_ z#dCUE6++zl?Xt(7E)^B!CpDQ;%!_pa;W}-(Cv=1&Xu0X(XVdvy=D;K;AIL1O6Kbil zJ=n&$IRro%^Ls?|vDAO?)LAEdE?msJfR-}~7dCMK`(cuN z?!_ZSP8=^VcR2VA-n<$u$Pu@wC;3slU+d!O{&C46qiNecaj~F!B-$mtz-c3RPRUG0 zNh-Th)~9v1i1CM*cT+tp!-TVe@97Vzyuy#aTIMWk-Gn`av6IWNv{m5GLtg7ynP*H* zYtV`8Vkk!X$)NRmZechbl@4junaTG?C1yrmqO{CCP>r_}|^}955 zmog>27k=ev+zGWCpSK~AA6x{kre1&41rxcwS6(N|dnu2vb?eyyz1 zY9mq#aJ`s=o~&;4-8kQzrxN0t9wi$;GR3X+@p)`Uz2=LT$Mdf-!lQg#lw#ALcQ$Xr zR9)b1IfY0x*pFVO33#yXta#FG6e#t7vJ{be6W5HafQhCm(r=h595@eF?D7+7#r9D6 z9J5HJ73tQehO2FlW_-6-aWlVM<2>efyQZOg^U>P-od$A0QMJMl{lKge?-7BYek3nRPCA$gBIMb)|Z!wyeQt6!T_KLR%t+Ozl%*^y-QLNnERoydYBubkmaEe&VT}Ly@&6J8Wz_{l~`Yf+YXL zFFe458`hca-=J2xx>7pq=jDaUeA&68kD!KoIH^=@=zxNzL_Z*OK_&KcrF5p^1r`r6obwoTvaYW2r561CT|$atQ#KKFHb zt$TO(=x=7P^I_U@>1PQyBIJ6@T9r&o(Y|{u;L_ID^$=!b48v*zW)Z>``q}EBB`vEx zWIwOx-uOBfL&Nmc)xwvNv5PrB_pt~VTNC6~S6Rv-wY26NpFXL=rp9VFtb+$V+*uIo zmAdFHV{KvseT$Ssl)KBzG3b6l&c@`?B6Qkz%(OwuKQVyG`y(3p!VO>X@>|iC+Zv z<24PpeuCh=*k{f4}+J zjkrSioNY(wg3Qea@LRAe%ZL=KHK5LE=ft8zid*prv02(gdM zjLsa`Y2RJ+4lIB%nJl8NNA*JrxTC0Sa~-rR;(o1OLd=<5G|f$Zq&wB!5g7`{e*9)= zRDX0C_K4V>V%5T|VPIgnO6!;D?RftCjmiE-PnJ{qKu#ItA1ZZ1`4JP;7OSe@T{feZ zLc6-O#q7bOs-YIRQC$xsgC#$6tq~*>&J&Oy6$UXeoZm1QrR}!%ym2m|4J0C5bvc$A9=`CqW(f?b z+5l$d73)RlZb5~wF5u|{%!gs3O*B?kf=Gt=aW|eS^x+&fY#U)nB|eRd{)$bAm=arS zwo`)m;v`&l#G&HiMgu>oFOIig?EDaIs(NA>9TF~^7ER6mC~fbr9g2xEeZ0sz=9E?? 
z#Qs|kwZ~`m!m7^NBqSPimNZKO12*+_l3cKZ|(o<{^aTU$< zUPTz+L7Cp^n>-r+NzHR{R$bnD-&DdOZuG7@VK|#sP^ceB<4IH10YpD zta?5i3L;!!1?4oeSSQh(@6FzCl&*5e-DUKZojhMHX#z(kIh5Uxj6fb=0|tOaYzr>Fb_h z*xFdpgbuMf-fg6amU117jktLjiyL~mw;}DrggXO-1w$LiZ2<=G9XcNyWxzrg`@ZyzdQyy3qSi_jOM;@{Rl85`?}EK;DjiPKrEe$E{SFWB(E~R&R&0XNla$p z{JydIc-*~)=wTF}hxq8{_riPi7y1%UZX9>mO*y~M+QwijCM@pe;ovr=3tuDv?>uzx z^vZ{99CAywneugEo0sdw%|`oU$3k?K=Os1|&*OCo{Kr<=)3Jb)w`+y3(%5(hn(oot zJI|Hc(ZSksY!mC8c8ugPVGP%r=fi$GiO<^mL*lhPFJ>Z6-HXasMPPmXR`ynNVfSuC zr}Irbl?MJN@6LKWim|=-GkghCGEPspQR)0Fe+_s$bN$56|X~5oC*^Jty+JwQ41|GloC6FT2S@HR;$7 zs#ml|sKSrKpwod97EexCd)gN5Y=bey;}wMDbSBxzWn=Tk+T@x4RWqY+H9r{*?!EG- zTlTA+%Pv2VT@TgnRmG|XQQLz6rKcxf8x*zUFzrEF$OSD$IFXI}+|Ou6wrbfz2b_T- zFeZ56(&F)w;-M87`F0ZKDDpt=)f&21zS{cg;4td*VZ~`jG%UeuwR!HL$7-+VZLxg1 zR=pLLh8Bl2u~RX9 zTwz?;VeSu_8=Kjhy#fV|E$t0mfU?}qzH!-Hrzu+vO*I_p&;Ad~IYN(a`3O(Q1MhVM z;33B?R3fNt@LW-kA5tGy?W&G@O&;$W=R}yG<@+qrn&*doL2c(M9Jcu=8_nzcgvddY zsL(9_IAQk9)7jZoe0x<+o$GGIjb?9V%nv~uIGdUu%aDiI9RTyuAzIf#R6YNPC?5bP z`glPlJ^CzXJcj)xZ$jj^b8VCe7%rZsaKV9K-MY-uRkcL$MZ1Yn{GrMdGrv0*48v0z zhx;Sj8wkiDIMYT(Co0`T{>qOuz`ceBMwFxCjq;~5?hzZ|wv4!fn?aDLKUX*(vhaj)y_J!W$;e@%4 zPnK<5##M5;fG978J}B|{ez-&XLMuWB;b}vjMScuYHEan13*VxoTV8KG*ut&uK~8s5 zA0t9)OvXL-#F-yqwl}-O0S=T0FS5u?q+&j-+@q|(^kV60!q+Ya`}c{t?F0ck2fKq7 zNo;@%F=5qG6D|4`g-Gauk3*;U?$wN^(27!2SENGDrpTiox~;HWSKempX+@8wvn*u6 z(ENem(c|33Dg76|Z}ara88@zIf%dz8ICG4ilhWOCFYz#r@O6pvloC6qa zG$P-niQeVDt=t`3n<;=39wp8-4DAMFMWz!)I1CsbVYJ( zzk59Wxn*Q#Zy4lgcaFj}FL`$vGl`N;-<67TS^coY`Bv(!AExYiTi@!# z>Tr0=gHG`6?U&q(*VSYEkyIoKE2Wb~R4h$foC8zzb>DMa2(-0#m79+|(mYNKdq(+j z!Lg(v9~B@@{aGTN4z}5?!NxInqzujFAh|m_EXfE0LFGzpUTJSUk&j6DL8m6Y$v*7fyXibyBq5I1e8wiuz#am<@AR+VVYDe^9QrAx{udJg9NbY!)>Z)kQl zf_t`;&Fc9rr9dPF--0K_*}E^-?j6%(a13!rLEoj1`|Egf{Ga9@WU$$qsg$hVj~)~Q zk@H>{v*cgC+HV@>0etu2{2gjeVw;zWDAZ3e{vZ zEiQ}-^K%!!9K=C-)BpZPQTjGIP-r~vQhe*e zq<6t87UwQ2D+4O{uVky=#cPZB8?uFZtc5$N3a_h#U!Hc2m-&>zw`VPcD!KTvd75De zif7>$^sk%U$`B;0<$k-N9sTyq=y=MuC(i%!io0hGnj;dX<>eQ$R(cYW&LjUJV26@? 
zLXr*`>myPH+9PH5Tmw{L3$gMrqn(PJ-dckN)vvj1*aFv7UGWSW8|&+>bw#;~aZm16 z>EcZ6PJ%qQlkZ=Op*Y+_Q3z5G#Q-<$&=8wH+Sm;;G%ulZ4y-#$XXeoH89qCl5-(x_ z58bAOF+M9XZ+T&ughu#&ZG0%<{i`oy_BXo+ms-#}QGcg2hpH{+Jz1 z7jx9NhA0f(XHyDW>76B%6G*kGbjtU|?~e+L#1B^7v~Cl9oUP_S(8Eo1oVBm5Gl<1K z?%Yu)9rfs=o_0s{xbBa^!2x&h0xK{g3jz9dO;7-w3-T>dXiWN(u*7|77Ce!pp{RJ* zt>=1{3cXGZ)ZR|yEf++UZWYnF=5vpi{=~jr>>T-DgM5dVoR*Vv)(o0CXF53_u|=>z zZzPATlOj*_z23042^uY8AGNi2c014N^Sp875$`DSFzn7Y$eU`TSR1bdAz}v*J3d+n zVx7!I*Dm1^KkYN_aeH=S^C)rYJ)iDa`QQW+e3)JBV7kU&9ij?KraxTvLr|QJl~N<} zzm5nmv>o8QJewFx8K^m#pI^YvVFidL;!|*5J~Nvo%=j~Rw^-3+Jfk|tcXXqvyPH2B zDvWH_vyW4O_XcA$Kc8;~|#`T|e zDtP1H1k+A9^qiely9@}Qge^Kmt1Lr~8pEWFYYT{2vqyu;1Gu+Re4G`GNw3J|adkP+ z4eeIq240EB4xo?a>u@;;C=bHo9Jm1tq20Y;n|WyR4+wN)#IHO~{XV zv>lAdkbyP3^7OIOg>B}POL!?UY$Eq9xrj3*k3y_Ea)uqYt|z<|=|GwQk!CFg6P+UH9RSS)Dbr^qdk?*;T~HkuCot=KF* z6_gQD3I_ZSR|O)Qx~pEEmXKGzey7y+cd&L(Pn}wgpaD=UC9&IB4Q~}hXo>vU$Nxg! zTSc|iz5Sx4K%qqf#U-RbaY}HP77Db*i@QT{EAGWLw79z!3GN!SxCeK4ciHLt{=dDy zeX;M(IOB|cZq`_tS!*ThvH8evK9d?M81zB$upMnFp~Uy_SDoH=-JZPSudwkQ3Crsv z)NN=pR>zNGzZ&A(#o!e&mgVJI+LWhzv30D7uHd#IO!p}ztlw2EID>%KN|}9!ENqU| z_HPoWo~Ls!bj|S7r}W5&hm>^BMCU80c;HJ$FW}ot+h(%{BrcJ#5Y-OYqu1vH;Q!0 z^)0HEOTH+wnl*SBoQz34z6f<^-P&m;emYNfxg$CogHEV3y{3?#h zvc8dJ?Se^F_1VhK@#4K6RQ_WSH=q0A@-v>F1)3DJ1$;ci@BJmt+uQw?sKD+5kw!gw zQ^D`|_!}`{CC+GBZ=FG35zXzB=0&yK=a|1Wo*5SwMc?VKS;wh378L%*g<8nX&DWNE zmzA}RlPn~kpWHx}{c~qqRfoAl$D&to9eLwMj5C!_cn4XB8SsZHNj`4)2l^ZobYs-;!e${TcSr})yKzt zg1Vt|n#b~kQ|r6+%|$@_gIlKR`~m{H|4rwx5s4ztC`E8Tj4r(y53AX8W5(*>*4@3m z@`vSpibzBRFm=!Icw;cn$%$fR^rgu9!Un1m)p6P@RMltL;M~^tA2JOEQ*co{cmkFqYNN~U zzT=wA4X=)lY{oV;om!vpLF9vee%S(A z^K#2=`g5pNgydci&ewOs2Ziz)Ns)$$iL2Vbs6E8Xc69dwlPsezNbO~6{)F4RDtNhj zNEjZiY6pSvrK>kTDt?t+ zdTZ)caE<>8ffGF<(^cjFlGJ-^B25};2xjT5OeU>yRW_q|d>n?CUBT!D-G-l8G2)Pl z5VecX9m7JwZ1*+w=&C|}Vz&JyaJ{1-vSY^;V(Dah!{+IlpsP90JmGB-uQwhJQu?LV zH}|GfdGM3p*ZaF*n>eFn?^ay5gV%vbSAwAy6_;!2(1+&FJUh($9v2t47AKl(B-6Sj zM~BrmYlCne%Kce}VDvJlu=p4AXTb&Dy7_yxs>&%4IpMi*{n|(J+OD8rxm-RXF&q=w 
zdL7$w32(rpg>!~Y=X;mAgBaoLt<}6J(S0@w|N3F2>4Ty8 zt~rs{CsgZ)_YX&9e-8I7te#YNzv3`ChwD_~tl49)cEvx2U~C2s)9)Sc)jeJ58g_1n zpr2Rj#II5azpjlq?uy^jZ7csJT*va!Y03G+{PYQH&S5thh_>Ci&GyT_dG@C11^ZChJD=9O@a3=wmhv$CYfiplJ2&3{`uQrQX|>1B0En}!%c-iPC! zIZi$l3k9;kPEDabX*^zmk0;qDZIHvZ91_KHt8N3q#j=K3C-+w(6a=AH6hPJ11=^2* zp5*k{wM2*xOvXvO=fanob)xolW5tWr8g=AdzywM+_J_+wU_lC-)WXI4K94InF&VAs z(>p-06(2#iwF_Z0MLk-re~o=y?JfQzyD174a-iP%_R9oT6^}?U+GU$9#^Y>}dy-~j~80(Tzh96jc}z+M!Y!>HVp_Ju5X z|1o|5dr#cl9w^7fzS)DBd7R8ic6q&>$~SZUUVZ;uZ%hcXyqM{E(j(AgkTSiMFB{Rl zFnrM7EGHN`eH^KiwBjQieb^2<0{$5HZo-524cqN1VYc2eT+i1M56^QF6Xc@uI=v+m z3#xH+-~#>-rN-TMeeNDD#A-P}e?5H^Gla})UWP22Z%pNMSjDm@akxwo?Cw>8P7ND7 z>7CZA22#{9kVeO~1pIVf3VqX<;`cv9P?y0b6Nq(rX3Bb4sm8@Jy$wcf=S_Y3P%Q8kSH zXF(t$nVZq8@MXjE1CX42!b;M}>^JNydUT_R$-FR8hg&tiCU9kK4-N9n86^O-qb&+Y zI*k?m#jxIWNRMG&ct^&f*KCu_4ja7}`HR3?b>ut?uyl*rD+#Pu;-7p#9>~ve1nw!A zJ?vjv14q$V4i|}C4;+bcrpazwUUYUY`Q(BHe-IOyUQ2|x9s6b?HtUvb_4Qmn$PY@_ z#gT|;z-{$7G#enF9#Mu1xS&gfy3Qk?Zv)xU*J!nnMXsgUe1{ua@^BO zlal!2v@Wuu1W`S<^qlNz_Ox~V0pe13^UPQ~u-eJvxS7paT?>i8q7gX}4zw%t?iPiVMExJal3 z1gPcCbCYYWZFpciL&wR$r=FvL9_Ag<66 zf7Mc|;B>japQyOCkeb+4P_8&aJtAr+Qyn7qj0%RlvS##B%0Y^k4>i;3=;~x9A6Z_k z;l+E%k>bM0t!)kSt&rz z1?EP7u9^vMvF^x^K2EAMUh4W1`BTUdsX=Nns)dzFxRRxf z;`ySyz}Of(v-w2>N6VIV#n${B9#;cz>a$-Ex8)t+!9?;^cw(fB=y;;&PDCdP}On+al1dmM2B0aT7q$- zAHj%z)+0Fh8haIK=y}&}`9bvXNxb121_7~dacNit5e^jj; zZ=}cRddT_q1&**FPFzX~`3c=AX4U;Z%V4-a4&v9~jqVI2ixJ5kKYqB0qEqIe-*%_r zoTiH}P2(Xx`bWk8*BRns${cBVJvqea-*f*ML;QcQ`TJ>u81?esVI0vo1c#_WR6~Tqc66LhK>#m(Tb0il{G3&K@vf=b&;^=?*H6=TJh!8K7>Lj zGzb9t0-4y^*~wHX(Xe%Pj-UFLXQ3yTzxoe@{u1A~SR#Vd;2AXJ=TBTqE2~^dXykt$ zg7`8gTwPtgy}uuWfUzKG0XCB*EG%50QT@AWbMn7&rs)L>3rksf`A>>Jvh75&t+kbv z(Ni&4ul8U5hmle6jIX(05Ec_38cl@$p(Qyv`Px}Mt1ayxSwI|IWtf?nabCZE?(OYu zhx_B9;=c*ODQRL-5^QFMBrq^=EU7~L{}u7bi~sqvJ*V|0f~Fe?&^Id^n{P{taGHpB z_2O{!-{>_$$_b$Z%8p z&kI-KJil9CH&WBol(P6&8*Z*X%g6*Ey0cv$G}Hc7i^oc0Lqr_+41|`;^{-ys-z6j` zcOdxS=H@m=>iECu&H_RDf02=)hrW#Nzci_j?Y}X=KK#Eil|1`@QU3qpTbjeeF=-!4 
zj+r;8(iWf49BLP0rat|K6ULVhrsfhDQz~j*N^7G|VB^KJF9;$e^{YwR$p*tv$phK( z`C1rwH{nm(&*b&`?)TROe{%f(UgpKXsr6{QIcm*nO>-#Y`sG2fojh-nN# z9J>jt{BHdH5*oHPsE+;c2Fi{8C>_gu@`rA99CIx_!X3I-_gH5%{*}|e_Ewr?T0{zo zeR$=_iktQKe&pi9URw;5J4T3!-Ju9=%LJ6+xQm;RL$^Zinfm@;xuo=OQtoSe-0@s4 z|Dv~)9qD3~z8mXnV%=_QEgX(^DXIU0-PIw+*K?El%?YCuz$WC!ZQ6*3 zL=(=gK>LCz&!K6m_`ssT{mF;@#0C_+0lMYo_Ls!m%&#^#H!En&6I^CnmM_x^SIw>u zOpvH0WxI-(r?q}kk@|z5nv4={4LB`s#!%SmZQHx<)rtPy1f;4~m+s!#-;jyTcdN+YD(vv91 zo6*D^Y2$qGd`6IVK>xca5OK}vQWm0*<@6sI2&U~(d335LRLe%%m`pug9-8nzdceWr zr;!$*7SlXiGF5tB&;_X$n*w%nE2D3+8Q6P!flIg&=qkHeR#3x4)nA)Aj7l zZ#cG}@x$UaoEtOZ0dvJf)2Blb+QB{`qm^>gKHTL;RPMY+BM2ozYVFoX2LPgL%zTOH zqV)(i(YB4V%)6xbQyX467iq4B=kma#_|nBgg%*3I50UAld6A$pg7;ylNXh`!v^w^yCZ@9@r&ClFZ{`M zX%=^c2iY-)279uc(M7hu5d=mp3Sx;|2QT}6|M}+jgzvrspf)ua5p-2nzRme{I?Xa! z-^8u$x8thuv%X|3P)|UW*2zQHchGs8+M`4dB(38@;EGa*&GrtzbVE}=S;odpvqJpZ zOo%6R6+xevJ{c_m+%PK#j0ZPN-8^u}yIY5HSd){&C6Yap@D*mvuvqhjo(dOUQRu_x z1W||iX~6XuStgwd_0t&YE!RKu0zI-j2L>5${hi*`{` zx*v&Wv$5CR#SzNSYV^* zrRs43@545GRkC%&)Z{gpXSMo-23YKDj|MN#*YLr}(_sDdeutq5FFgn4v~e{I?}hHY z(jhYS+5V%r-3?hu4C2{UgBC=JX)A6m1aepJ`?XJ??R9}P#pXtOY~+U&kQlKI8x7XO**~@29R1 z68e}JCWpYM#)Ui(G9Oj(W}skb^`122dXng`5=3S7EpNL1{X>5rj_#_tt@KyM{u#*m z|A`a#|0N&xJP?xv_BSZ-k9u-NbmLpiDgp{P1!Mf>$S1SGWF7z_S{loSOJeTN)!KlC z{yK4w&RyNzE#LLz9R9i>qTgeqqI|BeuX)I(!D?mi-991Md4EL8|9x8u?UGaVHG;h# zRg-ya2wUY{6n%xX4ga5xm_H@Srxkk2Yif%=f2&pR z0VKH@V{8xGs&jK;(-2n@Q^rumyx}HP?`==ri~pJM%aL=oU{T*l&%$ge=C8cUqB# z1-37g(Wq;5ZRF^*K@7b_YdYu>9`2YitrhWNZC|B3VszgvS$%Xnkqq0=kR9XeJmd=x zpMP#PIQP@}>dm4BN#GQyR5GbbRvXEBKP`+9Ygg~SMw4_;A$h*G0@8P>7-yHcdHbss z9>{b5L6Y6%`?eBeWmtsD6 zRb;J3ya;TRkxKR;q5SJbKkV`b~9q{dDxe)u%{0_@e!~DT^=f-t%Dbr5{DNfLesBz=(bkYt;}+N-}mr( zEfZ51b9ZD|S94BfbN9r1UlLv_%yxl z?_8FIgYn4V8M?V^*E?tW(_d+QHZLXfj{Kz^V0qt<;2;(S(#43y zeb4r;(Yss^MaH(yCjKT1*8*Twi%XoJX#wV1-*3fMwiH40_O8X}w{ByMbWVSA{-YcXUX zsJZxMhyRm18duJD8{N?c7MHk)iF3;tKh?`6;;UY7h?kz;@;Ww<{}bRJgQER!7fl=@ zZS7VsZLO-oSa6z&K~FagZ_G+W=7OI-eTiy(kbfO9^Sl>8`0?`7bR(gZstv3ZIVdVh 
z6;~$`yPz0KYD@Iy-Oh6ZFU?Ra0Vm4C0g@b2fj0P%mYa^e&wLfeHHQhql+Ci)>d+fu zE&!JY&{oq0O7qmlH&0{&Gk)&i-O+F$V0V6RCFmX(*iQs)>zn~y=3SL}oqBY35K@$? zjKtSq8m-PBsuk2q2(dSY~`mgDD9@v zHK~18wr|U5K4}}2>01R!++us$+W5p}7ueWbxUczwA>BQFwrzh3>AoKNY@w%Ce3L0g z*?Np*;K7Qm=4jgQthVwb9Bm?hNLT6bE{1Caa1`EcJzVBFs8zf~HAf^gM{3K(q!ryH z?PSIf{ewJZriCzUc$0d955Okn-7`D=wvK0GLzmu`)sD5J{^snb+9Z(`)epU5=I?@a zRY>ET+U;#%i42{Kz6x$?s3av4xYo6`SR$?j@0`W5C!9tzDkjDsi0E(Rkl!bqb|+Z_ z*{_IM#3)sfSat7xYhK{2lfQLkI0))56Q>WVb7?B83IIZt)Jrg|T*B1A&9sso;#&DF zsVQi5<>&cJI80R`qWy_ETIEq~Jx`{l_hLfQ95w{U^6uv+GH973~-?jy~n~vxkYOp<9-vB-nU9Q&V7L^;q zDN;Uv^7D)5l6`D>25A<^)~>Tnlu=NB>Rb+rAi^alhzR5=3B7STBIpL$XlljXisA_q zGJH1F%e)kPidSy(e6zpnaMCLHae{>b%$tiugGYfqI76;5oldkLfjKc$uNw0u~Z^CIVFT^5Sup^hyhVex-DG3sAkI27KElFb}Ol}fMdJ5+AO=(Qi=t# zBIeNb*7pf#Qze=`?Ck8{b^On}hGJ3qEa70k#Oiu3i`yNOxCF`))iZyqw263ilyKvI z@54?+l&)VQAYMri0-1c%j&Mw=k^4gD@H9j^Rj%)7@^v&`T+-P{*fAx+%u$uwp|H13JQyuWou8)MxH?) zy{jxDt8#~?qh)%Yv{oh%UGxyt+Ub2Z8FfbsO~Pfe_N7+gaUM3~3pCHc!st7J~xD{{!Iw5 zIiWO71Zn{X4ixHO)SRT4i^s{+4pUSFP-}3kZP!~~*s7XX8@2WGCmpzF(kl_T?jK*h zOVsc9uy1c)QzdJ1BX6-eu`lFw^MS=%sel4Cq+i`90E6s&#&&9CJf<}W)nd{CpRDbw zJU7oXW=w82rES823VKCccz-rsAE8_6Mlm%|W9Hf7J*e)f=wNa%9yJ&)g|GN+0P^Jy zw?ua3-oy?vdXq8|<#P!9< z5IJ0}Xa!@s!xXkA=(IO)Fja+Z69$6nL%JNFtCLK@@yc`*8-8=y@K!*5b(xwp6k7Wz&Gu zhni*;2cIjV!IdAdBGe|T)&gdmQ*JM-Bh89p?=+P@ujSZ#2iP$OLkv^9?4;9`t4oI@ zie;m$B)&r)igR`8PXx*4${(pEDrrMczQoC0oP1FfiJgR7Sg3w1N=P6+xn8+B+aiU4 z``ku_%9aE|Wk{#x>zs3{TuyTdG<$n~E6(=3AmF*FKzI%G+}>kOkMOxSM(2c@)31vC z@;yYV4*GR!JjXoPT19mN=36T?F=kGG0@avKge1#-ZA!?$9QQds2;#! 
z`g49MEg0m-J@w7?w;C_$iY32Y7ul>vxy<_L6-D$%3n-l!Ek}H3z45{6&WqcfMTkjY z`t=WG)~CG6nRhpAYC8OyJedLVh0gclrX0`G@Tlq2>DT_SGI<3gnuiUR~drWA8_U!G>5^du55H zzl@mD=ql^A1rzG4xiAiIXd0u{+f)h5yr&`zBWpaTabqh^&G-ZVKvd7hY${(ac&c^1 z0?t^wmT!Mmnb%$0WzSdXn88vvqQ$)g4)o5aKM*@hYV=$go#hYAj-*`NpF*gNv)pis zHE2WI7Uz;375-FmGpPErpXiTA7NMli%&En+5Rh>?3II4zNOu*`{V}l;lb!Jab+N95 zmSkk|-$7D%(>+~f3tNX_5TnC#C~QD|z06hmKIMa=m(r}|lGI%}h_|;>u_AeqEwg-bzF0l{Y8_hvDuUWtjB=db@YpZ z%#@|~jZ{g^J8e35>b&-H(Z1p1YUTI^dK8hq(X{%%>dx1ssFx*PL_I2fxxX~hf^?Js zqs!L_ZBtDPUD66jW>J9>U+&nsNuwohm&d|^b#CW~+>=g76htw9wX><9!O??*{r4%$ zqW)X&CBkjuLnPImdhY=HukbIW$LL4Fgo2QFE+5=Jnc|r-c_R`Bo+)gWyRw~DX^<=G z;&KDEw;C7MC}Fj!zPB=co+mqF`nEsQ7tQn{ogQwfMkq;I-_2vKV9$k+wR9zg%ZERD zppX*~sU~MW6s(lV2t@+Xpv#+qHf5(jF@#fikuEGFayflG_1sZ*ZL_(oPRF9lZ=in1 z6!rKbRkf-qFmvlIh>8MNxxtF=Coui{#c^^Ynx3_qRbiFOdrz*`@?05e6fV!e2g#$5 zbi%DgUf=5ceKwOt9@ctqysI=L44ZHX02F41HNrQ){A6>u;Wp@PMYlFpGoHwY4j~ueJnq z&XyhN_d+$Pkv$w*;$uQ=zC&rkZaxc=vM}%cub3EL(@w4QEd7Q9A@8$yd)Pd070TuQ z95-0AVIEB=m+UFHED4c?sFqSTPS4>Hw{bKfc35S@Lu?Gu1`s)yyuc8l%30GZ7Kwga zUB24KDsCwS*7&k*^km+;cV_GL^U7z18gDVz>j3rEIHEyHad4-WLXS@GMi^s35P4iCL4PYN= zinni0eMtFwKO1oAWhYspi@v4|t}@qS658CKTib(D+dayYmx_2$l_=5G6rD%GXG?oq z{j3pXB$8q+7+x}0m(QPQHg&DrGn#NT_a?M^&F6Qiie-vhZ7m!SXs##8I97C5o0sVf z%B3JkRF7d@Jl0%K#MK_3|A7qo&R!n=MO1I;rGg+t;kR#d+$o)Z6nv1T0Igg44(JVf z!dPGgcIJDE^rZ7BS(k1syw>jvqY#%kHQfLFE6jY z+(DzaCmH-a0wic_L+yP{KvGooFPaQw>T=f05->-tL=owSW@NIpx$2&%^f+Hrl}R?E zUREQ^$5$(Y=m)}U&hx{g6a>l@Wuj~EMfP=Xcz&r1my(P4_%E}#)PCk|Vx%>2zo%X| z6>5(qgN)Xg@`}X7ocShesPA+XgyJ%)#8B)isqoRDTn3iaR7o0FV@M9_nb17^F*c3W zq77ARW5IO9n1s?+u$%ek5IB@+3f9SW-n!E18)u58k}3s67tw|HpBunE-gZAk5@IE1 z7#Eci^O?OS+~*HL11RQfNgYWH;D?8KMxKax2HA=yzBOFPU%(}ueGYWH>H;&Vth9Am z^m?a(y|xue>-lPbrWl1BmRJykP;Yqd9#(5I`Znh^I0Y6#&rQo2VdIT2Zvn*N2t;)U zUAjk*F40p2q{yo0-qqrSRq_)xQ%8ZsZ2!nepTekf5?Aa+Dq3huw&qf+?IkwzAPi?; zwIDU2zD=>`*+B0Y#wc~Z-sPzp^CQ(O0U{Y#)S`on?Z8=E4+3A@%nEyStLL?r!tR3ba}4IMjczV0 z)wN8gm$Bs2rh+KeI_*o@v#YLRV1KEifQ(o7qs#3q=$J~)i4uH9heMEVs?m~3k+ND> 
zpS_T=TX@?P4AYB(f8f@p!#lGS0Whc@^Yfx{;C1EdNXR9_J@CZQ9TZ>`>LF42S|1X} z-~8o8DA^B^q$DaTe$r9%{%0Py8>YbpreRyIm~L)?Bk+T|>WQXo4MMjg3K!GqPtwGT z__0hXA3i-D*h&f~%mp3vGMZ%QZ@hN|17U*2i ztK7Si@DV`_Pf{&in&3n&G^o6>OdVrWzol&qE;ujvTb_0;v?_MPWO}~Z3JX)9sXqAv z=3Jy0zGOcm`D}4=;#0kS(*E%y8Xv=yZrT;@ElbOf8bd?dcQ?3~hYLZ*c!3>L17#Bz zood3bzFgCMZvGOhWL=>ecdl=F=s)sIWWFIaIAvZ?oJ6N;KTIUjf<;Wo(@=bAXP;(I zAhPMGSmCd8?l}nhu}%$DT52Y4n}z{@f@C{3!Jf7&6W=WbVi<+bBzi!?v@IU)rO%cM zzEwGvgmy7Kc5}o9wR+#a=GmX6;_p)pdLt=Ot+Q^Jqz3L84|~unt7FUjl~(#rW0xq5 zCHtUmQ2aI^>6M2U+X#GKm2tNtBjL)!;UKh0CUm&Dn!R?_P8*9;unC`J^IbV?mfW)% z)tMyU?(thwofe)dx?ers3)#pY$FCxwuUlv~`$I{Re|CdjVT|A)tx&8|d1Y&hlI|yj z^RCqL0+3$<=+;^^WyqZnSRGH~u0}i}XQ<-B%aU6LS!jZMn`L6Y76UQT~K`;{yUz;KxDeGCDHztkd}ZwJ4k0&LkIHl zji?rXIHuUpsO0J@7Y?ucWn^7%Uw%VfPT}TEC9>$lL09f4&lpE-qWC~~ep&JKbC;7Q z^ssAESM8z_xc<@&x9f8|1@KegJ@6XoC|AFls#5RqEBUC;jGzH zN@x23r*P~w`Vv7$ek2~IlaOSPS9-Q5RyEY|Z9VU@I&jAh&F(av(*@4ZXmbz|o~nQJ z4K2IvG2z@x$gG6$()YR*Ywy@tlw9KCDC}e{j?xm2t`wi9!tUez(0yE?73_*3*Re5+ zS4B4H2QCuyJ#>npg5Eyv0Zq5aqN84Vg`(e7)EkwzlEiVGTyram#v16BA+Z0xH@rNR^2B_WgM5yFxJMH)6BjNtG%erZ7fs6Od^j~7^=BS*um5l5>0Kr?nsMM*ijWbjoEaaLi1}ZgamZZW&OunU2oMx z;Rhe3Q~DTAXmW66n-__Qf@lOY1e%Oq#esGG7?_5SS7KU~=HIL1)Wn2vFy-qFGP_b- zSMa`2%yDShh(|`h366-sJEK}R989;c%{z8`Oya%aLKg3nsVUG^d4p1$Ulx6ImB_(V zZZh~K&4gyiXc3lqP;pUfeZn4s+o$EyEH4~?UG!=ram)1X#;Dvflzy*)g(ad%*40b4 zU{i9<4S1>jDYyLI+2EwFYx+Az zD3;Qd&n>}xNok|x)s5WQY2AGznr|)4TTOIVlb5L((?_Y$M~Ijx$h#alvmh>o5krEsn|*3LahVsH`3Jpk@qNAN1zUf$dKsQKz5na9ktHW z%oSr2jTx$}4>*@{!QJE=s2M4?Np_f1Y2H35DSLIccig(vBSE?G0_OO{nQv%-j3E62 zHhX9gMSEPZ<`Wi+k*Z`}5e}x3sC;&J*(Y9~`n{pHJ^^BryxhB2W$P8cDC`-`5?vUz zwza;P8{2C*BsSqwBg(nB;Z+>1hEqRyr)v&EMpVN^!}ha1abQ}C{;GpICGr>ukxET7nRtvg}988Frn% zlmG6SDT^knTBIoR%W!L%XfbdylE@z}dyhw$hlGA!zUE3yxv4(|?ShCz8PJsEh!k3>8`(&NS{6RE|zMqv-4H4@dj1%HM=4)i4k3+2vxo$l}vvt9`PAp6)h_2o=8 zvBJqQM|xJ-OX78ldn;;#jL4f3$|qX>lw2wStUEd<43H%90(YILoE#wHg-rK0ullQ% zWc9Z!qI*}aWavr$uHn8f`v*Vkx%-+3uDq6UW?zGUitKHFdBX^J^r)4m#^@%{G2*_7QQ 
zcdG$dpNpYulI_3YlmsZYK|&QQA-t)`kv^>lLTIhM34lSX}XrBzp)7lsk39iYvg{0 zA@WKx=r(uwXTdag%259r?TfRkp=w8*C0&VY97+Wbn~r>wZCXy=)Z6Ej>$)LAU4^l_ z89z%9rN`YYYwZ>_wYJJRV*KyGA8fdct%)Gk*9+&~5_8LX-w!8%NO_ZN0g!_ZLh9amw1STr@oRtwjcpF zKcVG=CFPdLg?i-LGa70V#^%w6T5z{JYY+BJLzY`as2HdL!xW3%F*RJc%X6<68l6|~ z$b4r27sodhp9?6h^3gp7zV9!h$VF0!#U^3tS+EE^D_P$Tq3t#;=e;ET(XrPd4RXQMyNcw=fv(bn&TP8s{QkkN{6zk ze$MX-jgFvLPfPHeq@M;c+m4tKFaZ@(#=pH-&+&uI85ViDaJ^q_WI_;}SMpG9Rt6Fk zYshxAl{!x?48o7W9pvW~lpyg0oa)h-WD!3%N|YJ{!Nh+|@1h|w)R zCf{JU;WfUWo+T~vT+?Y(wz1RAqHZuR0lR8Gyy+xhy1ilC&9&wN49wl)FC9H%0SS0s zxhvOSyFZ}#2cSPR67C;ZjT9VdxF8fI9+^tNbFL%{GiX90IF5Z{+L=PREx|at3t<}E zxi6nk99kgDJ={la{27GM@u?D6g|kHUAR1B5x7$FXXMRMAzGcNc zHVhCRq|J2eMN1HDp&Pj1N)H7O5xKX3qn%=76Mfd)FAewdc$;9Rz3W_~08Gr3`Ajji z9sSRk3e`z;`wt7t1IR5u3?*+qyaJ4~mv*o-Q7CR6iE6k#FVzta$+ojw-8r%A88XyW z(dJz4;cBnOwAJfVRtsfy{uBhB{9|P=Lz?1 zt=K;v5|GgwhM-DwYQ2Ax_QKl`RO(ikZe1dKJ@r5`RE#exBiFNX7LV(#|D*znDngz zHbnQZGk+F?54~qM_q!u<+DK8M;D^{PJkXl>aF)~F6^DnRAo zDi9pYpFcpdYVCeUs)p4MztESsMWoul$mFjQsYB-_2k%OCB*pvF(Z&LY%g*8@(U&*Y zaJHYFg>&$FQvxNy%I`m=#~C~_hgKCyzfG5W--qheIavx#$m{jm9t#v8Tj^F$3j;!M z*myt9OLi0|tGW8v3@?Ek?_F+kw(Ec`ts%efG=K8&in(8(+5cv#(G>k;XJBZ!va&+S z($L`b&`|d+ndyRwBvWEgqX0O8Q|)oEa&UlkB%8{*-CTaX+H755Lgj&xil|+eTyreq zkE;%UC@5i2qYgk_O!Mb*so;XH1QZVP$4MBI?m- zf-v6<5|54>r}^URBHj-3;Qf);7oOTH=7ujZ$jDGou$FJgX*S0TLb*~b_+Xu5IDNy713jDGP| zG;v#XWX-h*y^-|s+iFphn0tsc`Ld-ViS>&1NTXxfm*(DYjA%k)nkYeBK1EGsZ}Tpz zl`lu-$|0LNE8i4`fh=*@Wwy4W*UJF5a(6MMsoLecMYZ{>FM)Xl@H&PjE1=%y+hUsl z8x!mxn~g7J-vJV35HdL^gGk>cwI$uoM{>qn|Bm6|m)uR^N<_{8T~2Ee6d@`>eQN_` z3<0w5q(VqXl0j_)1K1a2+`dIs(OvL(=Hb4YSuETZr?Ti>ns04yq?7JZ`6p@=Z!W*2 z$;HCIoVQKvX&?&;=}2<aNb&%rVVodc8CzR_Z5EE;8Q{5bpbH z6`e2-Grs0qH_7(&?p9^t&ijScnDXJF=}r_W;(4|E9-n^?aDM*`cGn64)5(Z0x%G`R z`3rs&Cmie`YKRmuDg6e|V)Jknwq(}U!y^rq>-LV|<|^T=+A=4dt#oVrI^pObqNY^t zmm9`G`Z1s#{=qd~Dmrv$x{L+`&(yfbZ&PL`U>-0cDpCd@y zDzjw??rbSWQaw|D`Zq!l2=YG*)8ISGvcq%#r76uaJ>PSARl8|6R|Y3p_2>J>-+Y0= zFxhRcWLhEJPelR5Gd<6#?=)6bn@a?FEht~muGnR>x$fvo;|`^=3`B$8pKMGeFeUty 
zN9HJX3t6(apuX=+#2K-&>Obr7;~V@?bSz^=OIYpHwP}Gvlo+^L5&!VkE1KE8unh9j z0|d<~*>!v8O4tI7YqgpGCiHe9;jLG1M$!h=p3MOcvRHG86)$v(}bD7z&y!-{F&En=@au*mMaSSSE);?-H zKCSZLR{v%D5rHU9za->ucAe0Xo@GgqU`dr=)^%Ct)TXE-n9}pPZlHqJGYX_qz@L!D zbWd-&N;EP%dNf4*s|*LHf@_Eb6szsTX9G`_fmQcjrj z3Ts>gnD0UFd8vi%;4hSFpqQ;}xphWj$**V2Fuaf4u#Peh3d~mBkJM^O>{_vXb?0oS z-3qJfUe{84v`GI0@?1aV;5OVidjIg^ou1?ep&I}bUm1}s(bk6&+mNQ&h#vdOpFe3) z=OwxY*((CKR{VM!oyhVXn*k)=5gQ$nt9$ZXp` zmfX<}=h@!F{IGFY_Mj|JA3yXQ6yUOG_VPv$Fv+f6-xzJkVEjeYiaz$_riXQ9iMOtV zUC}OEK16OWRc3xybrtOka@ZPbo;W=(+uBJ4`LlSVR%9{w3-= zz&_Ji+hc5t+>|!SWHrt-#)XQdJI-@=2Pt(uZwT7uS5nHdVGkMK=BWHFaN1h?B!__> zv^ztwu&cJ!gRVJEjA;Lh4hF^ATM|fw6Ni*Q1oRJP&CngQ z%F<%Mh_!fLg*0@MXEq}-g&Vr%nse$L3?Y@0PiNam>8JWmg}OZcdnrY}tkpx?JI7 zXQrx6=H@442D((g&nLdX;lN{n2C21`tg^w4moUfDQj@S(LxoY~5I1 zUHx5Icu0JrIl;LxXjU;|LoW;7MSzCU2XkHpjP}6P9>#)&4(Ye{sm++Z;w5hRVTj95 zgg$7?g2Lf)p63@K8_48r4?6kB`xAmH6G%h;>_J}4j3DiSZib{IVMnhd@~A}Hrh{(9IO zyY#KH9z+O-{ta%k|!$Zo=>E;_~K<&N1&Me(vVuHlS_rk@U~99b0;usI9-=?}yo!TX$+K z)ODl6=E?&zT_R2`!SCyo%)H=;4V+3jtpA4{5SB2YUdDZfd+#Rna+I2!tqBMVp4o%f zs856CB;2yQbWV^do+npU{_{W7Q=HH_Hyur5epKOYali7($+@6q*w(%Hdq@%cHbZC$ z6Y5v)Z;dZ(4`$xL_u${EbHNLbT|PmKKioa6^0XMT(*WME>&+SIr#Eht5sjH2{`;|r z=QlWW(a-jsPFIWeCfhjQH9ET<@SO?9xXZ_!?*DTrMbJNoYWPro>WI41+de0E>-jSV z-KFzCh+@Qr@Bg2m#1?pVto#iMo&<(5T!$DD73H%#n*I-?+5ApGKp-J8v14XNRa0ao zAVVbZBLjn!wqp(4a&Ax0|4(e&&#VeAz3T4mHC$l+w|nqe4D6VSRZa)iqW-$+YK z??*=Uwm)_FBC>LE;r-3`mz}`L(t0;2jm18}^E$e%ZM)u$SQS>MBPZ z{%h*0_`k#Lu893-i6Sb+;6C$z77PCJ{}DSqC;j#s)vbZBKGpRNK0r5yncL>WCk{RL z)@H*#89A{BWApUvZK)0GA3Hnerq7lq`oKS*?q%kEnBXDsJ6AiAmS(^0x3(BJ9PE*5 zAE=cg^5oimi=!5#$rQ_|*EV8bXAAa6&lC)LT)aS5W7*KO2(QlN0i11peP4<*V7YOO z*vFhS{?qSNjd!(dkX!zw=>x^K{LJGa5WP9XbW~5mGFUOUzwss1x`QarZVE)l$evDG6?GK9CFjar5+gjSQn^`HB>5;qO8-1ep%ire8jcPIg4E z@IaSFuyBj;AzXe~A6@(s(>!#$I_&DP$Gb-gr+!6ZOtf6LX15Y~ZA2t7w(JS2by?LSSvYucrfqVn{Cs3=EPH?6 z0GhlpQys-{(y9})v@Zy0j8q`F+~%ih_HJnXzD;8=IaGEg3!eEMYDIS<_v62@{+9k) zB@*K%#gfAdmmz4>im+a5`If-cDf>IqQ&VY6sy7;Q0xq0HQ|DdWO(?sx_~NFQB4*zZ 
zt)yLh$Bgo=nmp_0Gd%Cf}LJrw56LJ46M6v|ZqN43(>T`zTC^-<<+?27 zYS+iz70SoV3_=`lDi&QjCmLub?yfX5Yxu&^jughXK*YUzscy24Z4g-%6NN#eq$cqz(P z%-f*6((G3{cS>ioy^g-k2Z1vGu~i`gL1F$E?hblZgp|#P7(BozFzxk3A^V5b_%KtB z>`$-eJxF;gULFsewK(pE+0GnwwR(2`L~m+4@)jp}D=&hvg`aP=Q{p`k03W`#XAJsm6# zCR>MRmnV`okoWyAI}iK30^Mr#U(dR9SK?~9C8(&sWPucSYe=g(9^t*Ide>`rk^ctY z17+_}QnH%vAIhNf@zE(7OiO0${-MlGPj}Q~e*_b~(806rX1p>H;GEX{QQ-L$E}JkK z9e*spzZ4%jAx8!XKEH!)V##B)^m>Js%FZYb)X6yL>yd?@y6QjA~*%!MHh}q~`ItHv_}sF_%6Pp;>BPm}JVloQPui zVA8>EwbXzD8%gUCG4i-o=7>+j$N9j0{OTzb?p+{uOY$_udS=DY{bX%#4&i+Oagm34 zl4Mu=@KYTvhKfo9I_Z}XO*#vQpb0__XqDC}^6Q<>L+XvV`|ez4b~Qe&vTpJ!znV;) z4UboY%+A+6&hS@%l?{7@c2yLejWuwrgeX7m2`_+{R-ecR9u`$yyc08GzENQBUPBCr z$%)H7VS*%rAbd9!=5;fpcb>Yx8zfCxZ97iqS}g%AOZ}Zy)lEE}Pag|;rvq9Fa>)`x z7I!i9htmhkor=z^Mfi2q7dlIm2!9mB8gGw{q1A297|bULl^?d-FAWz36NPiJVy>u{ z{*CExl#N1$@th2@0VR0* zS(+sate>l1COhl+dBINd%@ZkeM^X2}YVl^vuYNFm6q9)5hMLrw}PC)m~fkg1k= z{_XBd^33o`?2E7Kye8o1m&mFutk;`y-cPUKv zPt}Q&{dPw&^b^NcdNFJ*uz!(e+h_4+MxoCsX@8)Wz~KjT*vd*GLvujJv3QRWR}aMB4H zjdk$S3T<;a>9|{*2bO;Cq!(1%5s(oXYK)cO!d+0wXps!<+Pd?4RjccN(O%G8Ci}P% zd&n4Xx+_<#QAwtC3$;H#FRw;>YkMJ@U+a|tD5`sA-e8lwIX{jlFzad#+g9<5&q81* zsxc_gd+3GrpsxT%Qoa^eAOMd!$tQ{S+ST-Z=Z3xWvtQ=~GTj=DYf^o#{xZ9;uij`Egl>KHa>lC(sZJ)v zAl3y%Yi6j&-5_PlT5PoTt#-(3)MgTAOLGs+do_y#_amO@5Y11ngar99UMtw$Jxp)P zSo~m`Z9qM`T-_g%u1qxH7$alYh85IWw?h=R98wD~pNCuBz#9hB4L1Q=Dyly^P0oFT zjPCuXa6xKzn^d0j@d7J511I{=92T0%9pCZQ6S61U0q!|hMVL8Gfg~|oy{SjD5a=_D z4sQsWbe@q}(+)wCs2f&!M6TZMwd>6z;QS^>ny21?z853)_p*zF{myCZE$ES+J|~6s zk5wmFuVgpyV-%#B?U4sz5Cp^WT=B%$^Sq+u>Y+Z1Y242EK|jaiMWCwZ(3|2SobALe ziD;VXz_a?qY5==ysDsn6!J9qc=o?Ke%QSMK@LO>?cnEXzP1^R>x_=%v$-5ZqQ!pUesE^jjEjemIi*RbQ=rRPC_GGPh z7~UA9fxDX|H(;v`jKKG08G3dL3#PO+*9E}igL&$@=;zGrY`6*38I_)%-u2>}1MK|_ z$|wrFrwDyKJVE-VOZ&+1+iDSg+A5mWHue6ESWuu*`AK>c(!n^wNpB}sF{Z?G`)+}& zecCH>2U%OKpwpT3_FO=c!C4<$0=uz*>{5$wGIy!u<74Supe^nBQ)!fLOX4<#?%v=- zP0$3XHw>D0=z4|U>YIQ@IMvW^UpQn#&s`Yn0E%PEk>eYzp1x>OuBsv-af)A zP8WKk6wW&3!nFn+AKhEYp`|IA?@br_WjzVW6fe_N$D|#UEUfh$PcU8CMStjol-2@K 
zW5RS0X8=8O6wBioS@(0)UdIC(o~#M*%Gh0ThyoldV(ztJIG&3QMS}{p7Z!~qz-05Q zWg|lMV1AZ#U11YYpUK;1U5?A7MpVR6-OfmrB39#Ti&)}r8pDyfaI?ijN~XmRL!^sm zJxwBGwo{`LQF?uhLxAz|y{mB^D;_#&j%+=(hf9ct2H&{wYB!OB4DtG1De~T}Ig^d0 z024gvF)JxTmP-%)uwA9GNRiNLg)nkasdv>Q@vs`@*#~qbgMtz|e6g-38=b62gBXsb z@(-7aA(agm8CIpuOvACE#_R32Rcywx>q^~j^kwAW{kEq7L^qY}PYlW{YN_|IfjxP> zo;Vfs4HM|aiQwz#+Vdy7wHLWy(vZ*MoO<=eC67hU9U^VlVp=N!H|JcyAJgA}OGPO6 z!@N`ijL;9}2rK&?upXZI^DcML18cT5Pp?H2VL%4`D+Hjvy*r9?5mkddCwgql(zyPb z9j9C8px}DIRBzhGf*Ytgitsm0h6#T@K2D)t?1gp@l^tl%G zG;e)Q(d^lJ@sG8O?#{(#5nx5UtXAOc?yX?n1ywAAU~j7%$NBQiVCAgc9ayQteFf(` z$sJ#er8kFVuKxT;wCnu_fA17PbM|I%Elo-#45ho4*X`Qo2M&>(e=VonJ3_&w-5-twFD5{24C&~j$QdCI}IY_VBM!_#v$ptNzZ@^i^ zmoh{6CN2_yx(@ksaQl*Bu)p5`KD?PIKBoIqv2+49$EPvV;Q%0{Hob8;jek%r*X?Hj z+BKVgjfae3khxsW)jrcsm%hpIOwe(CYSH&e3o5?2i*M%(O|*t{LCFPH9cOVv^^4j) z?(tC?%1qxDJC;A*+arymOUZ&mL*u^yIrHG;@cb)7afw$o*+r#DYqwh&f%ahf~R@!+<-`jQqk2aLS{CF$vOt6hM?u@1{UFKbetu(SaIMjc}RX*~6 zhH^kFej2Yndq(3PC3pXEE%})&_e9ixxoz$TxnZgFMnlz@k`tevC;$*Gj85h;-2q7s zv3CZNJnNEix1_AgOk`#n3M!WdvdQ#n^p=?Q3j*=WiJW_jXD76RcR7#aOOLBKkGI+y zx8PH#AYk$;u+UQivu5@0RDL(bW4HB+a!~hgEJI$3mIG*^G!WR#IS^GR`hSt7Njp+b zK}UISZH6jlXphoOCkkIZE!Z#L*0V*VMyayZri()DYeut&kAlw5=0$4lTp3M{j)xmL zNxMdje+PX7hcn^8Jkqy=j{K`-BL&@AJTlbjT|2qt4!W4IhF8D-1+a{`nsVk$$oT#T z!HR8DPfUkwz-uVeRBaXmSm)N`BMLi)DdWaz2za#TFW}|ZwhiaIy6?eYw>?dZdf?0ID}3!JvKxr+*x)2SCrzkbbGD2N<+B+ z!JQOan`;uZE4)m%9U*8)>v0tQFMYVUmzX5Wh~X zPoCtE#E*G5egrsky9*FWs3}1puDVORAz85nGF7H+7knv=H+hw{2l0|o*et#$&PVe z6?AvB;>dDP<3)N1t+i}KTI6JnfTfMvV((klzf@gV;Du~7oCw@?$n-F+Jq!nu8jV(s zRz|K&Cq8=+Ycy&$#phq5IEk*R>FP<#(p^_dc;d1!X0&b@UtO*{aTWWM76}>TNs%{0 zWS5n40pDu?jQ!Bw-PPQ5#znh(Yp#qYj3V_6%0*_|uKC?LOg)61Rgd>g(JXoe4aLgF zDe9fgM@8iK&V}RNLfIyjz-3Ea~6AQUi9%Wcf@RYn%}8smI%D(E~2?dyEdN7!ll@GcK?f zs&DqLDNu-2DNv6L+w`X{3b*1aiKRY#9@aY|DLX8@{=_+3BNk+3^#aU+hMJIJXeF^~P-{^(w6&YByl=c{zmG&?}KxM5g$OGdZwB{Xw69>B)N zwsGDCU)oP(dO+B59iV2Z-d<$$TKAy)EiuH531)2b) z=xaFe)tV7L@oxFz&!Z}{^WOC|;C36|AkoLb^Z0zReudx+iq|KE(o|_hgTCm$mYPA{ 
z(W~x8l&rIcsQ&DPowC&OM(xyeb3Y3<=W$8(0AcDtWZ*M_1731)qZ1lQxY2#65#6$Y zE85y>HA2#zn()J4pv;*$j#>9FP{vI8#_a+lRaB6G!=`XUSp-y?Vm@Pb4y)eFPQV!=6jL%F(`l>s7(Aq@U`CkDqtP0{X{Fta%N5sQ z_A!U8w*0G^JoeGEXVxXNl0D1%4ZRYpsCsXB&lm{7ekdP><_aS!ZI|78%qs|9CNs%a zf3(q+dX~ZpD>6M9?$)617y7+o?W9_~yh>+SQ92js5@Ja!koOc_ow7=rjVU&3*% z!w=2kEIrDxO;|}PMPdKJ7wez*UOJ;d2j_AKXi{=%*j$jrRs~6&>Rp040%Vqh>W87{ zAiqzlKum8{0l|(9YtwFz#XhLK!`Ay6{)EN5teluYWwv2eW#W3w$$&TXvXh@!xx|kb zo`8DUxQ*`n*H!`7S+2{gd_Df(_zAo^j@_3ItXt0!qFXF)KxlNb3A9joZ!c%j1!p)r{+HpDkT#BW zC*iw2_sw0TN^0=PkX6A>d4~Nt+L=*v{ql0;&xX7M`nkr+Ngz`p5(p9R<912%tN{QxL%=7N)~cu`6sl;F{cG> zj&7m-l2ANSX%F><;*_*rh5nCye;abS&N69kqw!n3xe7D(fa|m_-@@-CVSM1c0({m2 zHKlW+7d;cs>`}MB5|UGWMEJvEMYT9lmD_CYa|r&0@^Ir@526B>3}3-4%odMHo1x+5 zp^(|tr{IPzt&K~-sX>ryoG}ecx{Qy%27%9G@Xo4WHF7Z-e`lAen`@E-V!ul<=5k}) zWpPwwGCq-VNwCMPO)Pu)DCD@F+Kdn{JkC1vygyq~z5FoS_1;B6&`v1?%-FH8@;(+f z-WaC}kjrwWOz5k-(84ECtc>i8CyI!-$g6{CkpA0EizOJ$QFhcdVN|fkWx>FSQ!;d{ zl;FjV2DUlv`jxBL^7d1Y%V9Wt0wS<@7F6WfPhA`o^fk16sovW?ow+jr7khkc_dP;<+X7#;q#@xj(p!Q4Pis$)Y z@FyNS1!tlyX;O0P-i(_F$@+B;GNXWR9p6$MpmztWSkw8)nzaYPkrTknwe>;Z$Alnh z)6;gv!MSbB1$c|vIY*6h^W&BzPt~S#&NyRpuE#gB)R)b*yd3Cl+nOBaMqbyMxG$2^ zpxZuZr;HJ1Ot-uI>;WXR@*!Ud6aI2zli;9v7bH9rP0X*}7|sX{>=+%DYk1AoTW1NT z5MoBSaj>PN?tj0GG77kl)mI7wck#ZRX89_>YO-*83%k|(&BgC02Lpu*+49TxcLj<< z%Xjh<0-FqpG_0h*!*`f|bN?C}nO@X`k7`$$0|ADLl`034s^XWn~2- zS`t?|4>8j5mF^}gr0{DMk=~uMv0`)9#?f0+jGt0>$Z3U)_=!*KgNJ zgg`vtAc5rk-J-CETMBU~TZu8|in*!xWi-_8g3HbwM#Rs7{N)drsnXeE7d$$^f!f>iSmYC3X&iXB!p23# z{1P!-Z{6FG{b}Xr>okSOGfZ#b((mLamlK@9-Bg^@uU^wFS zip;pzFQApYhP!wda*)xBa$hnrHeKWM7Qhf4A<4ay9D1%WS~WCv}}|hq3T<$2lN>T89?J}&PMkM=bY8A zhl?@_=##|7DK)L(%A8)W;GK?I*EGoOmcj2}V|!HXhWGGrpt8*gO>%7TsBcS5;g7%6 zN|lMVa!G_QcDx^>@4E;HRF6sUBk|dMWCif-Ns~!{f*|5)re|`BIN| ztASC?PJfyP)lx}GN`a{7SX%HRP0FjaxS3YH&4iFaQ&}91me@QeDkBWLvBo-#Q4h)$ zbB(z;Vpm-;4_~woJ~B;Upqn(PR|{XEKO{MJ zT~FrOYpOrpBIsQsi(6Y_U-7lh*!f3a=B-U1D#UYXs6GncTuVBthHX{oIP?I^1qX4V6OK555rUoye(`|zJqUg`kf zSVMZ(G%qNRmWlsmKEKz~tM21$3AI=53vG5TU(c2AW7kW$#JVTBldgJE4~fG?7w0%B 
zU@)X(+H0+gYh?qPqx9?HJ%r_PmdhF0p`|XKyzsX}i`_|lF)EC?(XV!st0>mslfyPG z;@h1oR%57rH}DyG2)k@!apt8Nw+$i2bqsc-i}IlGCJ3XM!-|Rq)iyX72%;b3X=Bwr zd7}@=4y67cMt4`5>*E6KLu*pr1L15GR30l<*|zzLLAOAFIBPLM($(&s>V$uzNq_tg!1B$G=$a_0Nv^{mnJ?HiVh9zBT5ZE39zxk5d;^ zObBQD@#z$qX)SRG_fq-TGq2ywW7r*Ql5jnM@J(bgvGi#V+v38lF^{|g>uyk~9&7M0 z9uP2p6y2EsbCk68RE27B!pk`8yr|*eaOEcBCa)R683{K)S7apGfybqnpf!!PIL1qWQ-rP{5HU5VdLqP@=OW!>@y%I=n&()jdzuRZF{5{jO zA=`3nAzFlC>^Kto>ws?=Ydt7if}i~4eo>-^E|0gante~_TC^~=jcnBc(J z*b?e_xOmJVKFCwq6%b*^c#;bLB;(ZQTUF`1_kkP6_U_$b;s*A4sXhL|FSQIeZdz1iM@PE19RN@V zpcrdi@vq`yN{M=ny{huX!16~G(0bVid{eIPU3r5SWA>M*oMSwL#93bhYtNi`!pk7c zJ@?D;<4^H7HEFdB-(|h5m&4wLwFxg>Y^#^nK6sa9X`iiu_vchx^>oLJX0uqV6(Jyn zkIRd+^rUy@cUV|h!Tz#sw1r6+k3?LvvihqfJP)-S1iZBth=_-kNaF7rT%$+942UD5 zI}n_sB|ALy@a6N4KfDtKQ*R_%9k3f3a-O@d4Tt1z-90|`mJ$Shi1n4X7vwb#Lhb}+ z^Y|(zfOU6hH$&GpG)T=gdrLjUF+L2Bla2J2ohoN8k(ifqV~aUx5H5Ungp_~1m>l0W zRyPZ0V-=hHN@;()1uDL4B;QbD=}yZQXJvN|XvrcydId9@$d(k1chT%nSVa|6u`zre z7oHX0GG5=vIdpw^PhL)}#^zs@3}CPPseCaeXGx~*|9ON)CS|i4R2>CFHSfpBQ3|IH z;@L;yd{|4LTr8Xu|Ki$@SW17)~Vij_dZsAuA@D-}5%U|$}Z zL8Rd)+Ci-&e_y@v|%B0(8=c}L)Bu_KdpcM|ioefka`HTx47ssyXkKfGh&v@ZHd z)ZE(`$MVdCz}0H)rq$xVijFs_3Uym;NM}erDRp#PJ!C8>lceT<68Zo370Z zO60zGyzcas;lOP2;=}9C{`g}o5HmPWUGrYp*saBiF<18>js-L>cCOn~0F*wVn|}163%Q=2)nJ(Nw<)Jjixw%OPjaseFnDa^#yS=J_*OKtR3w)ji)g zWhnZ#tw-7pk}LF<8$Zd;{w_Ua4;h9E%j_n0$>GE2N(hY69gteV@Pg!c7dMs)ZOdE!a0LXIKNA+x znxFH4_;E?y11t%?GmSevAeKuv1&csRaT+F{is(Yzf!m;rpWSw%Ap1PAp1RQ!Yz(@E ze|KDDWaPg)j!CCWVUz=xkyf@Rz$4CVE}yKh)etIwc=}dlZU4A)7vgrSv28Qg`B3kE z2Z~)CFY_zh!HtNmBIULn6s}1@%q#zkjE=rjF}WjQz*m7m6tUgm+k7ZqY2dadFl|3Mxsx9U0-wS0o3|-=toUkD~Up z&)Jnv2zZc^!mbM(GXjsaqf^R+y2 z)l@%!p0!`Uw%#WYA&=8N$yd<#^NDeceah1~cc^n-fwz`hD+WU;R}LAIPtg^-@t=b| zw9S9u1?!UP*jerB)!+7!F%#2|uFsSi28p2^QUE~IwJA}u_+E)++99mM-4QMZUZ-zeoH*`RkRMf*iFXSv$S%rW`xzJYVm7J%8ia3 zjz%Ypo^hw-a-ou!3%?)LJakMi8d(^{nxAWt9J+QsYgN}xKYZ^lP6?WezRAI@WV3Fc zf+AUrX_HJ&^#(^59)Fv^4yGj*5}5!5x8c=3e`Q_ql!H~cNP2!1q|v_hCci1Xq_5Bg 
zJ*pJPV?BnX@s=@8xBlUMLbCoM%hMZI_i~*edE-7R_K6twFnHT4iZ(~o*bbq^^ag?K zoRGV3>e3C@o`=P-*QfBSu5Ybp>-ttMQTT@sGhd#%GHbr>9B5_fwUNOA)A@0tID27K zJwn$^DRYofzb(r;M3$NUra5;1Kv&KihjI4h7>{`@OM_#ISU{^8*^fo-c`pj_cx1gL z9JuNVdWBHbK1B1r2&2JZe#v$naHUdmXA2V`@j=v|s83^^ob^p>C3Fu>_q#c0GEfoH ztDmy*9^tqC z=ijQIcNvm$UWiC=?0;)$wM92 zSJ;?%42)F=(>e+{aR9+35PpYHul^POV@TT_xD{)`>xnW+*~DzRk)yc~*;Lfb`FV;a z<*SY(`ULR2t-?$061A@*NJKp1yjnT1w1?rJn$S^asliB)YSFm1!(DP~sinX7+|$2O z9KSHK=(tmXpg^>NWj7 z5-XB`-5Nk1iaK7c19*+dYe=6??n(J^On{%{Yx=OCCCBvL_}dahNB{n+5CWouK-tvB zti;t1{1qsEB_$OjZUY`a-%}>HfITtDH&<$@UGrSz98XttDy)W(zD>?N&2eUP2@C%V zvTj4ie@DKY!27WU`?-0j`a9w@KCq|X z*`fT(td%{#)+rT6kBRQ@2_&5~(K@ocL|UH4%Nc3X-gpEn6}5h&)N&vol!O@?yabn~ zXZ<MVPQo6>TO3SZ zbD#K;9yd{F4h#(DFE?UXKpQHxpe%cz@)0nA*+yyaOpt<5{Z$^+66{(Tgg+j171vX$ z#)2w}+dSAFg(3G0xy2V`%N_p$%u#Kv*Z?Tf5J>rDIw0APXu<<0cOicJxQ$bsPPk3I z9LBeGwh14ARG{~5#$UAN1?WM3g4q{sO{zv%*i0KE z4+y_eT2U3zcgjhqwXh1=d8l`~=K~?_ZvLPGrvj5?gs&nnx;NPjzDLLV!kvS-8Aras zweh9ywphb{&J#t%faEreb{KR#_~)2deCyfQd}7rzcZE=7;TEg@*y)fBvGB&pDf~a| ze+$)}E?F?w*gEyfVVgucqG2?jnEsIwF}QO|LBVYo-M?_!Q(?7@2Iz~hzQ6zO z^w$f&8!!A#+NWQwS1}@a1xA>e9}nSPllO6Ws&>xkUm;JFte_)(S4q8^B;FZuNT1l5 zJ)3t!1P#^eM+jIrJMS~&g45)mK8Ic6Gm9CDnU8} z6uDf1PP=4ED1L$(LsaEgVk+&y^jSb%T{)-lw?XgQhef&Z%+i_#S_&elkRd-!_$dnh z^rmN8TVMDx=DHS|Ggn-BdBs=xHtz)1JCy31qTE&)*h0SAAeI=HiJjf~Hmn~Jh4QMm z*w$+~xz>kY6=Ydu--c1>meMchdTQsH*+K&M2WnnFu4&ZWN9cJP>3M?TH= zBwIeh$HRuMo{5)u=r%~?51(niajz}1`FPk-PW`Nz_-P%Y{?e|9@U>7yb2AnWPI&1l zYI_13Hd}oGH|n%5o%AW$62Vj2wY>I-+B8b5U_d_c_?u7GD4wlmJ3e*=Adb`J0Au;r znr~)(B6}@g7G*Y8eJ20BgsDE*Vn$SAoSEtK@`&FutD@|lTgg}fT($)8yW#Sw z^YT$vzd5Buk0ZK~)`F$5mdeAJMENMnXqcJNR8@JkZDn+m=jPO1U0r{Nl$PqXv9S2> zN`+lAc1$e1nh8%cn|oGDS=!_hE6<=otKPT(xPKxll2YoOLeF7pojIiR_X`^FcZ zBGyS6{~)z@+Wd$FH45oH+b*lCaKze$$hF=QS^M3M*Tl`m`xpI?u@K92sHYv0vC=m% z^_9({U3=WaOh}y10CmyW;R140b|4TLu93rYukFQg>F-}MGjM%Gh}wI4-f{t#lyrQE zoxV82ax3rpB$L1<@1R%!#OXVU!PflN_=f@A`MDlw7lZ}H{D_EWWALLxQSR(JKgKtq zeie+x2^G?1uf9+3+_QeGCGlfh^$gDcvaJn>G04l+94Pme4+yY3D?#Q{Yt@SrPMm80 
zLy^8ddBfMC38J+#Smmq!=BcMvFXbTqW$XnR9a#8AUwjYB%~7n1LaG^1G-d7qWPh>* z4HBa>d$au zPE23-I$sAB1a;R>q9{G~KG;ICx0u*X+*?I1l>O7q*3*1Cp-N?g&*IqYtCQsm)d0$@h$%?4Vbh;Z| z?eXVxkmeAO!rt!kSA~Gk%HcB6iT}pOtH#M1fa7$5uKYY+hXGn}x1p%nK1z-`!nPz3 z$p8NR`>|3TzOC&7ojxjF`whQKwS6S+RXk8+0jt1z-4z~_I=t*Pz}0)-Wn_BR;HEl> z`FiJLqUPr2Z1F8?0$xYD%*;%9^pwx}2ooMXrKZ@rl3Wr%vvv;?nd(&jeyGoa@&fq| z|NVl+VcO={&&b?b_ZQ1Wj)BWVLT8g}W9)pCJ~0^onjR9kZOJMtE3<2)s!T`Yo)}Vf zTiiP)D)-7DF|!!|%DDQTKd44{Q}Us2ViEg+aHgWY*i<9>7Z0%bU)88wT>m>NA5(ax zwfeP{CU!^z2dz9@;dSjLQAKgCu_RNb^jv@84)^~pgfvsP+__di~ZzQr3lvQ-(f za6oRU_~wnNK2Tg}A6fXxc+2_<=4AG;;<%#fnL~@@=J8*%oULBiHILgi-o)u@kDLf` zSLZKTE1GA;;97SKp_aw$gxUpy!^&v3=+ZJ;+ZX@uypBW&9&o@42M0$23`fwK3*ms# zZzIOPR480eC}Z0fL1ES5^JYRM5pJN=ZgQ4+fZJU9ii+ejUZtd@=-b)?;P6z}|IG;F zq%r=3l~&I;yK%s$6|mW^@c%G2mb8pD`9FEMoJ$G#AoIVDjR(NJ?dxm68Py}%NiM%{ zY91n7axhJ_+*{xHvVPK@en-{<1Dm&CYr4fXyhuFW;MUKc$8`ZoKzz6}6tIw0czNk1 zZoXjP7URn|i+!FMEI?9}DDupFo$8a~xKtngN&p4lb%99Qa+-dUCnM==Z(F`DT%mF2 ziJA}+a&_30P=ghTpd*g_|O~PjT(|(gcL|2wZ zQBmoPN}Bg@aSW47b)@`p*71p3Z`PK#JkRp4YB1uN{y)%7lYw+)b#Qaif0YuZQjFDu zk}bc;ArF35fpV;{8x4Y`Tp9++(Z{;J1%oX2gJV|OeGQPGgMPOPBC62&kK+q_oU^(vbVW8K=M8__3S z;uSjq8Y3}oq1#VZzx!rN#v7feh{R?@ipYFfohCnTNfiu)gj({QUqO7w*x4gaQC7)Y z^_;po&ras7H5axPKTJ7AxHmEM%;}Q-D-L~-V-s_oCAYiXdRv{vC^YbGCzkY9{}w3~ z{YepE^Hn=jKn%o2fWTWL?%SyQJl?K5gN~6ZZyN}S_YA0Lv-##O>xOaU%WD0IJVZRZ zUE+0Uy`_t>?8_YK{F6*}B~G<)z{_V7F??OYgah?JwMco>S6MSL9vpyl$d0Gwatw!I5bX^&i7tyANhSrKUuX@e{Ba|~)hbw#c?60k%!xte{_}?LOHL#4;6Ja%{*`HkJ^fN zR9R)`no5I%Z#Fd0(=ymY8J}k{Dmd%9mT3PvEaKWWSg`-YeT3Ax6SYeGYqWrklXjCf z{l=fLXvibHv0vLFeEprwS5@Uw`jcRD>b<*wagm$eiiv>g7Zq&c`uaw=NCQFlO4I0Q z3mlOS!pFxZmoR^NytuJy&oqraAIIOs)CK(dyD$L2RPa$C^79S4g~UEw*5Ra+RPpG9 zdD3>t9>R6+?d|<RtT`5LlhMa4%g5bDUTz+tVCdSR8A%>9r0lM1NFFOnrbe8C?kcCcE3|$VvsN4$Z$HiyRg*^8|$@E z>}5ebx8cGPBf)JC(o~UdgIU|8Ji4T$i+a_1fRJ8&?g+SHd1P@J&2%EKtHso;c z0e;`wh_DvP^D_$>fXUiGZTNd*xc1(l*4bZNC5Z$L-#+yozR^>FeAivYp_ZET3j^CK&HsB_0tRm2EUBW!kdTw-Ks0%n9Uz(aN)*`6WRD! 
znlaQ0kE>wnDoh8;YI!&F(TGoWn8`lPdI0)oaQDl3Gui(%G~4i#9D_Vv}#SwG8meqAaZgFD`Gs;=mn)xAzC$^HR*Vycltb1Ba zZn@IYW>V?U0`sq$1G+_*QQ55d5^?^=sz9stGu0uUzgbFG3~#3NIE%Zb(af-8^=GUs zjc9kWp#pQx5Sx{h#H3`7Ja^`~UI#)&-u)W?f##fC_T6B{#rkjbkrAU}kZ@N-5Ckk=eU0D&}V6cj7%rcQfW^Arql+2#@LT@H=cTjva$%(YiCr1Z+ zp%5jx`m=X|O0vATVN)2^V#zgs(d=o~p#4!7g{MXgH^C85181~KUXahZ#3*&S`-+hBXO06R2R%hM_R4sY0kP2!lXDfDu#Av-VWVl-Zm9FEHy3IYh!QbhXh#C zjczlA;om*-B|)JL{6alfS?{+iL{>%Fx&nOXwzsUzQ-^|GN)nZ-ZsxWT8y+G9&cBkx zYflYisEjID{R+5$zgWc?9y`b7nl@tnkTeY~H>s65gnHVH93&@kSf&S9Bb4SDKK5R3CfVpL8QTz&ATr1)v_l;jd8@5(*=}=1lwKOMVcHpSVcW- z;#!N*SHqodJM1GBY}Q1T2er+ouaP{(^C5*pjqW1X=Ld_5AH9!itobnDQ!|<^D8ki% z#jM=Mf@q6$5WKMW^K&nZW-M-BUCUdoxE;+j^c0(?S`>Fdisp?(qvK-@JkgAA2UoNd zli2rAv?U$JJj2nhKIzAKKh7m>?oSM4`dzOUL>i6rcQ3^%_Fc^9*gKh6WR4y{ zf5wMJ!>uq{ojjDp>C^i&X~tJYE2Zencfy-%mGXO zR=Pv~e?}ub6PA4{M|6$gN?wiTJ}2`s?NlKwK+_9*V?uJKcu~7SR7s3t{Fmt zYY4&JC3tWN?(XjH+IR>Zz`@Hk*y=Ugv{O_ZrtLm;=_d3^g z8e05<;FAx2rvyvf42*oiqK9}j7lsKMQpqf#tpF=_=S@G&;z{+|n|(%&<;pdPr2_-6 z?xNa3+NejEmcyNNc4}e~UeNIiZ~Tvy zA%af{Ywf|B-r31&;I-{iK`Ytzy)B-STKcgPq^SIMw zuS?D!e5ZZEc8iNQ-y1y#nUE^fT{EUSmwXxxh$7)#yg28R+zmil^3oh#mxeouibS{_ zLTb8v;T~a&-ye3YhzR*w{!+y&0J&bJW3~-RRH$DX_l7DH9`pw8$Oy>w^#*ZqA8Ra! 
zRQ)GUY%2=?^>e&^5FLWG-H!iW!bsKlxFz+kmP6%{r8@tAvvPc1nf@#TGFY+{UmDVz z)6A0ib3fpEznG3gyZsKh{+mvWHKdH+rbpEjW%tR6@3yo->}U2q1hri{n&e?sR))Ph zmNe~7OYzC^`48A1{!&^ZVA*kXXD&dfn!M6E-j|jZ_tneZ4S!UXkr-3R02Kxr+RVac zEHVl?&Cib@BE2P0x79g^M!LO)C37@TmnH)A(<5^SqTeV;B@2i6Hv$S8d5HmLMKF&Q z;HmSaiQkg+Jo?z>5dVhY^!=`-R+Pz*Qe6R?xBOq{iWJ_WwaujHN>Wj+u5G4@4wI#ipy=%3JY?FO zQ;O~f-Kg1CjV?7z7ti~-GHQ9Z22}juTYZk6LtSmhTVHk=+m|Wc)sJ)_O(@?3hQbk% z)uT!WczYCmJXtE6a{Kjp4d1IGoMrjUa5uLZVaUUSlkvt4cOEBwDeUDnP#V1F_G*Et zib40~HAn`$Qub?j23T>8+AOgtqOZ;P6KXOFv zV4=GCySE~Osnsr)DjnWHKI?gd!@L2BA0#uZ32`aahD@<6Pure%2Sq5E|UaC0r1- zf9~^7EcV9x7db6?gm{m9Rq(Y`25#HL>jOf& zQo0v$hme!6us-!rjq5wl|>U${K(#&XFk}dp-$Sjn8%`XmKVLVFMk3)xJB>1$uRVjYV>A^r79Mf~w4L-lb6d@}azxV+~a zooAAh^I5QbLH~b%iaUxbl+kBAA;qYS21b*V zN2XI|Eb#~ku^Cxph?z(T_u_xPKCch(lz}&UOvdI9R5-gAB2eu%Puq%&b9az#D;#npB30B>cxgYyL>lmK^>x=64T$ZKAmTX z(O@%&Nk%2x>#s|7xnUT7<9)amn&$6VJIVZ7e2!LSVgLU`PA_q@DD7nz3ka(FH~kG52oohcC6tnjHP>W_D> zZ6MJfiIeqZ95oLqx&H`>X%K^x9t_jXJd=>1`o!qL9ju=Z;UH*0K^*XueIR z`uE=XdDHWav|lP0BUk z3wo#^Qqw#7HQ zzPRh$8+RLU5+mphxAC& zyg;Q&r$hk3-FHxC3(OUcM}y;@>4rBHLuI^mV5fE6=R!Rhf29moeNz0$8YmK+=Q)?J zak+20qr)3L0I1u1)gyXH{=8v99|BqM{{K&Q5!F`*-)E?OGJedKFqePx9TB3sXozgA zmLeM5lY>LP=&M`_`!zhSoVY1E3VPUX*<XjN?B%;HL(7u4dNjc$P6CW zf86LTJzR97R`nK3;XOFS5$d8xxKCQHcgoi7*s|v}_RfAelwPf|rkkjL+uKO{=OeR# z{=$H~c1nJ;=*9UHEbH%$&l}LJmCP~dI=tm%U$2SfUK1!QmD{Mitu@vl6xj?x{CLN7 zaXl8HO}gLW%StUVB_>G#e_-<-<0me%RL!Gp$$500&fMp0$wYU!m1+r~v)JH74WJ=F z*8nJ!&Q^MGB}ZrRa%c^0%tpZWDMbEkD82fL#Bi7NL{bU-aXW$|uEg^o^&V;15>;_0 zmH7>4=B!w%n3PWUPZObKH0>@ib?KNZ%}VbIy)(tGVUFiZaLG;cAGmN1hvkn;j=2 z?9kbRfdawdr}+2e>#bp{t4g8;q@sLRzKWbv|JQ2#UaW3Df z>uUzD-zR59Gt4LjGp=EE7>@6U(i7~3{%d)_f><63EZ$C^qUY0L<@x1`%n7GBHv#EXO{f}_>X~^29ZYlVkwX-+#3Jdnb2U* zKEi>mkVNd}o?);3U$202^wtoO`KDak)y?$IZ)Y?Q)VFP< z6Che7VEuaEx{>*RfqeXt25{2DQdu|N927mNnHuUuMFNOVa?mQ>teQ_;rm!pcst=o! 
zSREg46seUndg^OYE6(;W?mZ`xv&F1L) zvz0(83MkM(&X^4tblTl+Oqy$zF`XI>#l7&lPM{3^3i-eU-DuM<_6WyaIU2@AOicZ* zH4wc{R~xm~-Z$I@f7S4cvAH9~Qx`i^KDAOcXj?LWhu07&>~bYWFc%J|!zM3FMF84f zdiYce4SjAAIb+|Z=f5l!`^ZIQ&A(!WbuvGG`p#9w z{BF39G?qpgSN~`mq75M0230xfFXYCPjLx4IUaiOy<=Z9ng6Xgf{$!3j*sl8Ti$AFz zUEN^$VwcqNo_a=YfVp&Je8bPh!8no+XPpu*8NS~~Im$o%zlau)#KLD&I;YqPlNZ@( z5AgEqE=BQqUNlBn*N3<;m`-CKz5~EGi!5(g6~I+OI^T>BjE$^~bh%|7A5C^`hQ?Rw z0K*;*2#8qr126QKxwx{n@<|tl{+u(m~3j9s8@$<>w^!RIYHtPkh{;??( zJzANTNGO*e>31?pIE&N;a~W;ie0uV7I>CSL-A8O>py+Vh%Bf*OhAclIm<*_RnS50B zA`En_i(^wOk4dNv_4&0QmtN;#k}mb;>9Aw(NJw+zC{l_^uoCruY7?|hc%RPy({)$+ z@?I=2;?JZ79)9FRRvTG&1Gm}G&gK(e#FU_8J@NS8RQ>7f(!as^Aa*FY!#@OZuE(T5 zZviEGKs3szV|ZtuU2$lkN4>SHn*DR=3y5G!3)4%TzI*WvV=QYKKV%OCef&cUl3M@G zA1}m6{7DfTkC(u+|>()9e6S1@8~4?kfI+81jGFqosGK4`L!ez1%td`7_`b%*G8#Y=wIkzl;Zz zZN9;PNqGZP0&<8TaEQO~%RRG4hbPzPugX^5tc5Fvok(xV2}*A>#0+3q?u zK9|zN@MHbPohR%tlHYeylLtjDkFF&gH4-mJTl4XoR;Fi|EHG|lj}fL-#r8!NLuTp6 zifRi9mx7^mYB#Dy|AIULIJ3Q>l0>A(-SqB(bDOqBtoE!~?iq){7Br}g`EKQZO0sJH zH36KWdnrA-$#F-m9*z7L;<;vt<0~Al4{2sDw3Yqv(6sZk4)1y_W^k8}fL(9HVs)`U z;JJRy=fwW<9+glh)RgeQl7nS{FE0G_hGBhviD8ay9w;)~_?W4ePPQpO-j*kZx%gani zvi~uhQANMQ)|>Y*|I&v67<1{45hlIoq@img8?`F;!&B_`ihlr}zC6L4fPC15&4*Wxhr?|P6_0FaX(A#Q+$);F7%!}EnCraBRbvs1 z+BE2l-}pMiYsxocC_y9bh7o}*mS?aLwBAI2AsJdE5Q^GN!qLsmje*5s@RR~j1BV9s zovlaeO_0^g6|c%vJnT22v;}(5m}{vxvn+?m!*Y+D6b73GG0d$UY;hS(%>{zGC97P= zxc9FWnZNPxKkVI&XSZ%?R*?m@v%fV8D?@VV%Xi^~@tiqZ9!M%QL-R7n+;_bH!&Gdn z)Mgo|$~>zK|H7T{=Alg9tEsEo7L>R4=DOu+xL5pByFAMb_f>mV*cMA#1HtqR-(L<| z{Gy3XWGR_;#p)#HJu9L%b}H9T#cfCidmV$!+*RLkWZI<@T*8PS24w6Nd}YI!T-<70 zGx+RHvRC}zt5W(u@#r2Fc3udSC=N}fNX-`v2W#9Kl>`WEa}n9OdroLa<)Gk4mTN05 zqm>d9i*V1Vj9$nh9W%M!N3{pDJ%83e zPUs_Itu0;;d5%vc2k4vd&KP(ai%UO$AHcf{a0fP1{b9iUC(QonY3uLg&V78dxtwwr zHWOR|CD0G0@l*wbnY6FG+xUr(36j+h2Hs6TGlXwPYzv5dRyfp6_m@)q&>#HKCKSC^ zgl&+J85bi;k}X-J=d&~$P&;ohUc)#l>}M_A-6u>6_8O=>Vro&E_gl~A_jhM^v>`_0 z-q&fr#wR8^JkG~gK`Tp|53}_lMYdQsHziTHAAaVB!1D6qk`famb&_=r-v4gzQAxXdyHEPGrXJ09%V!3evqlO@dg#3-zl-I|Mb#V=`%uIiOrp)}b{4$XS# 
zll*l1N}>+BXY30>6_=2J%W*NC z%;xi+dDcyfSv-it?ih#P-!@md8nk}<7X4E`ioYhK3)7iY+iK}SBJY|+W&cuU-yWIf zY5(V_SHhHs=$E~~j8bG$Y$TX%)7m>>>u2{j=;zC0m)W_dKnZBbs{d!?APVVZVgdc} zdXl8b;PqI@PyacD$P{Rr(Sb0&q04u|%&{MDAzQ#yPR9#y?SdNDa`Rtf{cv0T{>vik zzrWW*UXomFBl!}6C1U&s^chL(8U8s)7_zO)y5Ux|2u!-r4qiIsZPRX^jNmWJjt?<1*p=@S$khSX&>?U^3WpC zY<}1^#|FOoPSl<%Sn}gApSW!8d)<=ETbE0Upev`9#x$oFPmR?&?71t7m^7;Nhgshr%E`VRguD$ndxgZwzeD6- zX&)8WQ#O(b;ZSP2vl2X+^43ZY?RxG@S=^`j!H*A;1HU@aLn5z%2I7ub4+>oELEl6j zYVfK7rt%|v&0ict?2JyE@LSyM22xP-Xi_QHVUP`~^$|Gay+AgquWyt746pf!llqep zIYSMGFwW`&;Jdkz>&I&&w*mA2+!zWwrsv`MX9QlX(o`+;sQs7L!!0jA^uE$205CLT z%C}fL6c)xXWre(m$+>Y!s;KYtSUk?zGWqaAIvG#pFsNe7ML>i-9g#^vR{DB6+HITB zFkd}My=~a?N|7-5k-8TzWGV{YXYW@%u2X-0`ox#ZkvHVIdDYR`;&vrgSoQs%^8|<4 z?fj7xxjMvFAR|8LyDudWDw+Lsm^2)rAF>9_?r-q8pH9ECMl)w6>0If6I@<3ii%H%V zI%@Vy5r~n@_4BGZ@}^4`KQ52P`S;nfN8S}MKG!0GI}3MocI)1B|J3!YCNl#1`ir$7 z<)D+NH^^5FkUQyqn>u&vFFo`JuG1ZQK5fZ8Uk#tmSPiRz^?<+={cb+3phrD^XKmnj`~d*nFgzq>{fqsZ&?I%#chZ`D{X z6PP-N-dHnyi0x9^KWpY2>|uN)DfP8a|1%JC>I5!4*NLb1ncV%IeL#-QLA{|YgJfVB zH(vY_QM~DA$|NgzFiV2}^(a7o1*}?o=e@=FN>qGpSt;bpFoPj?MYG4PEC2zr$|=$C?WZMO1qVJ*F(U}Mn+aEx57dYklW_lY{f_CTD5_(nH9DGGMPE!Xc-2{gGwm0Z zBsvv8avb05_gvedtgdk?LaJp&DlE?N7ePTe(b;=ZAJ9%MB7H;U3YwAeX%L;~mvahm=QI(C)-h=hsrGnV*}$LCet$2>c-us6C` zuVnf7(mePq+H~p}kK~~?iN#NkAHJGWsCzE{X5zt;0*F0{ehiB2<9x&- zX+8kz5Z-&3JrLJfyT)9>)Mf-Oh&WL|CMFF|_lKv#EKWfcf6@D)|B>Gz2UAfkgh4~_m z$bGB$UHwf_n~Eb@v`zJArblEGkI1ZD;ZvmC%goLS?C@Ca6pvx%3 zNn-!QAH9s%*aKO^Xdj+U&^07)T*S%Q*;P)*L${0W-)Ek)$#!K>Ux3%+O62rb)RZbq zAAq&$ihtG%ptSLM#V6^6^Y08h-tiLR*+Zp*!tlWp) z6za3KPbT|JW2fgsjMH<-SP!VF5rz$fWgO{F7E*&(5%n7`rzI2Z+U-ayVXZ4w@UCc6 z5w3bwj#=Yje!I1>H|ZucB}CQ}eY`kzur=X`5WBGX=7Y0Qy_}MWslj7Q(AJ_< zNr7QA7B}yKrpTb`=QhIAIoVTI@MO`PUtX|UxwcWYx<97nmnA-#RG;aKWweJZQc!Nf z;dD(Iv5C8ch7sKQv(W~?MBsvbk70zshrV?2Q$Z}=3>KQitaoCc%&&t|QG=Avmo9un zvYnM5g^t5MDbW&u9y7-O9$AIlblwMP=9ZQeAn4fmgMmC}Z#TRE1W@d`mz!b>xvvi` zxoybG!Vbo4;jQ-0vTiWOo>TJhS?!Ao?oL{Js=0FKw);%d#$E7mAx$dUsiiD#|8Qc7vxyU-o=O4u)A|0gz=VIRc%*lH)MK&vqsFTwQ*VZ) 
zu6B?6wtKiZmt~9RE{v0OP(=!gprj##l5*A7OrdnV%Qg&)e%AM-4}ykr+@Gr9d_K+0 zC93RvNrKxx?vkRVe9|`h?n1BE>r=XrxnPJS#pTcM`GvH7hm76x9sSMY6xn1z0ikr4 zAasF2I;hYd%iC_wQqIWcDVw1VC1*ic>42Tj-Wjuya~{`;v9wT4e*z+N^U|jVZ))U2`+p1%}*_ z2y}JO8WTPy+S;3*26V6ft9ngYEp%2KOv3dJ8&~5xCc6@J$br?`!bqEekol6GQ#AJ% z{)&3U+|G#AVCPOWe)e$GkvvLJKuN6{CvGP!ykj2n{>bm#G)($4{eY)SRSjvf;XoI~ z5F)HApEh4U7~os$=j#Vqhag+wPdNq^jlQTwnXmQ129HA5!i*@L6K}Z?#A;-94>n``%ho< z7r%+MMmvGn=cxoQ49$VwqT&WyXJxPMS=5)qRI4(kB5ZrgpwJa=bU&!hT0Y%hp2Isj zD*^Tb1mP0|FVlt6ST68Lf%?bu*!+eeC$$+I2}O+LL)b9axzB zXh11XVqmS)j1D7B#Jzd>EKury50t!C|3e=2t{=t_dQn|a)} zcet_*GU%!It3_dZrH%9!mK)&g=fiRz(9ydhbHK!r@7I|o05iorck+axTpGZgJ8v4BzZ#Q)AY(^9;XyyCU z!0qYO$CI}CPmHF-KtfV*`BXKEN!H^$uh?ybS{0LhEZ&vvuvs$1-b(T@ozyW z7`if~UQj@U9*dvjdHUD{a=JoRCnQulPc8~z_hPH!m zuF2F$cS8}LfMo5Plsc?1mB z$EJ{J{;6jD3VYq8RQtQpwxd$#wj@<(8f(IOn{|~MevoREv3HdUg9l~$&~E*UN^^B| zFvcPt!XLS^pUIlG?(S_pW8Z&yh9wd%`s+tTU0m*j!Py-}aJwG;lzVx+IN?N7e&s;A z4Ro?+4|Z@Uc-eYX8^ZAG6whNq)F2S#*q-5fTehIs1x@au_WMVc4C_v7n)*#2Xw&xke@V>i@#0^4Gv9Mfe| z(GVddOx8V%&%VHzPtJ!pquL!4Wcs#BRy;%Dy?Wg-@F)+3H*EYa_?fT4gq)z*G!VJS zl?;bN?$1CrWDHZ*MRXLFoXgKZyRovl%v51WzC*R$bIJ?KLg-_(2EM!B76vQoxK(-FY`4cT6S=zR-vS@ME3w#N zC0_V!Jt{l#sosn=;|n`mr_SHznZ_#wwQE!Fklmx$9=#wtJR zg!<2QBF;H-M2GWDY;?J?rl&JRC$si8dqLx=biB#T)_rE=rgUGICZv0E$E8h7*@@bM ztS@<(_q`PPJm580tO>W`6SK%ZX5^b2TI=+_^%YjL0*)8>m#fcPx7UF&jZa&O1)C(Zz5d>bU$D0I=ApIf*+=YC z=#&$EpfWh%O!M})QpQ7Ksb*S9lhy&c)Lv3Q)$cy=yCwo;(U0_tse$3k0}8Y9D2f7U zqe&5i_x1CJ>p^UZa8mSA5kvl5>)ZGFIKSF`aj$_7U)JAR&@L_8=-(KHqb_Sh{}ItQgHt&{c`G={C#NlUckuQ8@EpRQw#`-q0@R%I!fde zDbI5LOrso|Fj8~QNm#nLr8$(|1il_Pq>ZU>pG7TQLoF;LXplOX5=S-`$D66GHXu91 ze;D;OJdya-+7wgGdOZCt=sf8738;86XW3vIRy{I39_`fc`ueoM3lf-AGymw5PkJp- zxT7e=wXV+kNt25ury$Fr^Q-y9)0CfkCXel zn$_2MT#-nDx3 zU2~F9g!hNE+gpxGS&$1UcZ|VLs zMpS8OkdxqyOSdp^tRgJ(c_(0%ydO5GND0tUCl zr-qiRV;rsrJv)v&U|k91$yeW_H5yV?KEb(7WQBrW9t|}!RivGAG@EM#f_+{wNC1S7vJ4BkZ#M49KRKV*ciX!d{{CBOAT*0(_q02>yjWmc@x4;CY|?Q9~0j z<8Zv^n#fNhI+DfX?Ne%b)26tFU2w36y1VFqr&zV?LVrRO=!;>tb&z(=3ETpVJ(Ljn 
zQ`%uhr^w50v*7DC!TtV10~3nB&n`c>nv+ag-cS^qpKYu%QKd2=+>zO}{oA*b$zhXu zv*d&Ab)*^FWKOel3wVFvfR@pa&QrM^SSx6E@7GB-`}RO0lmZUKVtY_Yr6!q5&P{QV9M{ad$x-Km>?{c^8%|2Rj#2gC}>NL zWd=j}y^5+XrPn3?_7cb5a_eY5`?PXgpMVd7hO1e9fki!a=hX?c|0w{HDkqrytL^bE z3)X&-%J)*Vm)3a)RIb%2%HN;MsHUy+67>c539%)FhN6@`F)o>&MxQME$2buyMR8A4bTHGi8{DE4~L_@gEt zWaKmpPNmeJiLEwLUh@%a_T`J=9o@N_dXv`IEqz#)4qsLehcuF67uGP>sYb;^J{hB; z&d^!BZ;hqfNx_Woye11vih@o`shAKu8Jmzg6KhRihTJEK%&SjDHNR8NB(}V0H}iG@r&asv|r?wYHws87dM`p zkiUDKGG7=a~QGAXGXA0Nq z#U7j~n|#nA)^9|jj<9eKMe766<;^VLuW-$Pewi);v}sdPjhu|Y7DoEe1>v>K%zMh1 zMq5*9^sCOvCMk&syCum^O>q;d<#8K|iaUCKI_iMQR~elO8;Kakg@jBh`QhJGt+TM6 z=olEVABm`GTEsyFYjG;&xKd5SJ7hcOVW55*7q(Up{VeYzY7(rirnncZGx!{?vv_;0 zjJW9hFA4NzR;`mi+@oTj939?MP>)k(KPRait^bH%3#uMSBM%q;CNEHRy%$I}y}&(819M^mAE z>-=?fER<~F8@ni~$!^uoEUW7MD%s<~GM~?WiE|12H5Wya?~BUBpdcxZl+&*w8lNyp zRmQ6>ME|JLwGfVqBJTMXw?p21w~Da+Nn1dm3^zv+e(YGzF~gL6QhqrmLfeep{muJ{ zv$DH6Q~qgoH>Aestj{bwH4Kh-=^|CUaXTh@OG0h))uL7^l~R9Co)n_qMy-qf9_^tC`3^Z{!I!tQT2vL zRIR3_n>+nfY)xC|CDLDDoo!u<-`ak{yrr$^jKKRrVm~R8qU>d0J-9^$Y5hr8_napz z433bfmi4th#FP3tI9>e=^UX^dVP8}}L~M3hmuNgUvwQYXRQyz02#NFK9=<7+wBJ2Q z5O=~_s0My6K_DrK?LF-`&8>s>0CRu7jSyE7%aez4To-NmJ?I@c_+a`>n$cSdmGg|N z4*QMvEAgE*UL`;{-rSeYBpBQ2T#|J;}U*OF7 zF3p%kKLMAz>uO-=v$Y9_VG@*XCH9~ICA=d&l}$e-W{DXlOVC=?up6u?y+3?R-YFp4 zJI}wsZbx8k9|laZG};DE#lk$efY%?2eB@6A9ARv`UZC@zcTLCe-!uIL0#2glK_c}+ ziK?R8f1sIbC?GE}cp7a`U-0S|jptqLBhOwG=~?KuC_Lnqq=ef01J#?+Nm0#13>FyvSxvB;b9%Y$f|$iZ z<&9T`*G9O=Hw;+0Y`@8VRRn$mNYFW>SWM5WZ2&XikEBbuop9IJ?2ph7AA)`ZuN`h@ zm{(u!+3m1azkkYlbGl+t=v_<9Q!f2r@6F{HJQjjHb~5#q?E@WvpeN0xJ0U&mJVh6g z9#`&`{1|I)Wi|~?dtLaUf^gz2Q+A)>MQg6;nJ9fnMm^5CmmI8-FalnYYlV~;Uj;=z zyxh}nUpQOKKHygEdGI;tI27f2%VGP~V3GTfUt8+7Nh3ob@-W=2v2a}_o}c{-CBTtr za)#gYQr>4V|GbziHp>Uu{7y%F`Si06C^OVZr|-0#tt?MJtZdzDL}A6}65b|RuDhvg zGH*QOt0J;#ODhoewZlA0Ufgx#MU(Z zAA+@Pd&Byu6lb#^ZAZRT@Teko3OE(#Qwnpcs~;@t(-1zP9IUY-b)7B;w68`vpDKf3 zN_5r2hG;75#nqo5n>*yf{?P8>Vdg4qK8?z3K9%qE*fy?DD-msj^7n77RifXz%v4UI 
z`Towy>*25Z00`8zRj|*ZU*zNG-VJXh@w|Q2J0S2{4-@g8JnO0KEU+ekHriE+arg3y zh^KOFVkUcRcy7(mNgFf~^iFq3{ydyz$YVUfGdbxx^k*?TQqR|ao}MDb23spfrP565 z$USs-TZzEPNMw|eNAAj5E}=B{Pyg(En){t+%Conc?|p^0l!V|Na@~C~V`xAa4*bCt z#+)M8sgo1Kilo|amgsCq4DFGf3?laeINArf_F0 zS#5vMVE7o%=&r=$0cl$w<=zB1sGwGv8vL~96Q9))6F7IPx(%I3rT&YY(Ojwe4fhJt zXG!L{8-@i^WWDzZt!|X$xwm0QkAJZ=E#pX^dn*+kl*gGQ36WA%4yq zNb$0DhOf7G&JZCO3DdsJo4 zU4&#iTrwaI-=*+9aM2CFZLK!tST;l8q$N&NpcJR;eH}lg^erI8=D7l^RDCjNQCll^ zV}tn9@=`=9w!g@90!86SyYZyr_r1V_gzj8cNp3(wCwWE%!Ftv#QkHOxg^*HA(9ph! zTc38gKR<;J#}xZy366E!SPl*MfmISpTX=F-#nPGOC1S&(#Ekgq^)Lf>@wcfBXd08e z>L#AMME@-Eh9YR3t~-1J8o)4z?%HsH?Edh;Kxb&cB%BjN%AG@>g3qw)HSz0w?0C<3a%dD}teY*mYPZgi|ZP5(<^>W;Ta9tU^Z58yaKethYE-d$0!xP-Zgh)AfCzBiK< zeNiNeKa`Z>od|WwJ3&oLoL|bD#-<9L-1Ii|B%J~b15^DU2tMy@&lq^W-eMh0jX}+g zr5kCDS=wY=;*2R(Z9Xyh!eunzrg3-LjlUb*bDh52<_gW)f~1D;8|~N9zlPqq*9pj_d4OXJgW7hC$S|O_EpwxBRFY{;AR{LtlD; zDoqtR?IrY?WiqSh6xQR{XiK#16T|lCW#?g>6H|qlc&lgsqxXDmk&VGRU|-&sEA1NGw6c+LPoH>Lu36xG7UJ@HL#XNKf`Vu`dLuXT zL|@yfP)Sz)Chm%rsI4I+&o3?BG`l0x!;5lMZ;JGgae_VhuDvgq_IVj{8oLv5&V@nm z`B2pvct^{@kp@<|G2-BOiXMal{64!%RjY+CnTfO)Izc(rGIf>7LYIoQQKjXtL@m$v zVrlBxLW(5_M%Qa(L++dQH`LFbRo*1YMc0HB2f^gSO zU!tu@w%bOu3F{cMd!{>V1amM`%|$}@Crd~69l|DZt_FVZDnjX6);uL;Wi%|7Wbz|8 zrzh>!M-!lU1>V_5MC?aztkzL*DtA$(dn(x9o(K3wqdM+Qxj{Nx;!`}keB77Zmo^}h zfSfl`fn8C3i0nlyfZFo&;m@9U}UR}?rPWgDpNGL3g=VGz+A*5KuV4Ca9Pl%>a zB5Wl%3O=pGbT@cIjen8D6rmsQoq6_R(5*E}gx5a$vZr0;n|wfkSc<7V#9fZptX8wMApmg-XKojVy;0Xr4H+?xU7(&XW{+#4HG{$ z0JCSynMrz5~ON-_!WPm)Q(B=WWs7g22}m8qHT=WdQBZa;MX(KVn<0Dn3Mq zi#Y6=L_F3DC6MllxNQqe7wl7r*Tvciw8cy_;}Nd&eO=acyF6m%;tec{d9w(X@9T85 zo4yZwRS}&BN&6YtJm+0=Rvms!>5PZ6GlpVF6CyWNklwHQg6p~*@I+x83&h=$aou5FQ z_(L$2FHhvo(eS!#p)|`i>Hsj℘Si$oL~%72bTML~gmhi~f(BoH7@4{5=x3R=)0G;j&Tm&*V-h z*3|JBlk~+b@s}m-*@iX&cd|B@UAceY@~&KL7SZ%h^ERez3dY>bdH@=7t0rjc<$-25~Z}TcENdOu)@?AGI6$tu%NJ~xF`c;Jix_JcFNf_+9HcT zwIAuLeFJFVzfD*8u%;e;qIdvB6g8XYTmNA6RKoF=wc6hA3NPhX|8+Bb>vIS?pNsxx zm#rA${`y?RmnEFIKbdKiTfm_5U478(qTKjL+WCTT&9Ae@3}C^WSlbxYOs%ucB`mG6 zc^-r(mEewR=?$ 
zURn^Ji*fIi%O`FN&jZk8LHn9cQpdCt`_pf5;^&Xc-4iTlbq)P4o@D=VK2($KwO}R-3+e3BO?FUA00b6&_}?b=j8Or zF9c<|yrc+~Xigg-B5)2MOqU9`_kXdvuI;6QQ^_vM{gY#r-7-bZET_M)xpNa1~BHup4h)T!RmHeskj`++uULHG_g(N~TquyFzc4 z`H&YC+Y~q!rsmU~Lf{^3ViMJpIVSrsTmm|=*G!sv={ZOLK!j_ZnIhmXzXlB<-uRT- z93Ay`4e6Q&Q)5b4uuqwN69QZ-U_vVqetCr8)#Dp*sdh0{=oqK4ReIBylMg(58J$$U zdCrO0^Tz6~BYW3+mHG}YC5AF!yPIuC3mpRd$ z#yE0RVEoO=&?~pyU(_7nKh#{r=`yXUMc>@a83h46^B+|;W_J#(tt2N8d5MqJoAaV( zy>&S7-uAi96x#L8jAtq1iRzlZ{HqDUb`YVu_j}3@^@5|cZ#pT{51|YG>CD_t!w}fI?EsH*)(={ zAR+>RQ89H-!6??FDlmbE*!6iuNNN(@OTP%ZZq{%neE8^eS8aDkW^@WgZ(Y#VW*y_v zQp234=dFzR=7wK&@-wURLiIgC=p@?y)(qEnb&^>U?vC?3TXYE=u}eE&J08%58ZbS_ zcRe~GSdYW|?V>l{6}0-yLPgo%_ejtB1kCfq#{$@-}gr@#>uNu@0L@8txgof zWY+bpOGAQ4e708*0w%qT@c&%;8mYq*Jb(*%`5rdxK3bE;YLT-XBP%?3tq!GL=&oiCv#GxK{ z)YZKRjYi~Ur?>bPdm)||@EYe)qj#>*!oTKq^aX_8`4ad%%j!wm(jvZ9Lzj#k{4)Pb zZaGU2l3RM?a(yMB&BmC8oefcXC>Pp^u`sj#eh2IS~Nf|HPcXZufohvriSF))(pjl(e^If~Spn(D9^qmb?zE?)k}_4}IzUI;jVVn!I2B=-$l#JFKsET%B%4V;N+qPAf)^zP@ejb5 z<_;Z1Dy`9+?bbkBdIOuV@jdQ_;W!M4RuWYrhkAs=CMdD2y@sa!m3EXbD52}!w~Zus z6QwjXrrMh@c0%&>@cFE|r3BiPVB|sF=!$imXLwcFZF5fKsMtl%;ShJBYE|Nn)RK0h zH&^eYkA!G9!RX=YrXF)c)gtKG^J7`FC(hd>*%>t*K|gt&c&=IJ+d5^Yx-A%XY{4D=EBF5yzi*he^HlUl4CdANWcBS-6^Q ztqmSE=kA>b9_NQspR*(<#Tt}eFkd*k|Hay7f)Czjx}HWre?6y7W+TB}X;{1c3&|T1 z`Wx2VHmd1s>qN`nYD0F0J-zxO?l1;Rd8sTE4nw*wI8(1NA*>vUe_XINBoIl(sAfNN&xuoT03j#Vg z6rtt;X2HNQyVDW5vz64(XMZ(+$nuPJ-Q`PL`C zLzS?tGx%Js@f@ldYrdX11_78E`*YiGiqeV+((yE^NlcjNSbChy>5kB0-qke~Qy~NJ zos<-sW>v=T&OhhqvV5bdjOxO~07N{3Xh?~NsN6RaG(J94{}PLxDM5+Nq`R8sb#9Ai zH3hGqi1qyaQ~!8a|FnNaNB67L?z^f=AfTo}$5oib^q%-t@53f0{v-d~?Z$RvH8vZwY1r7d(b%?aCyi~}wr$(iv)jM!d#&er-%nX9U$SRs=9+8fJb%a0 z(x0U=`4W^#aa=PTRaaEpUUYDSgf?*&fD$U)y}AIx@J5I@S%iCkmmFr&KJ9`ZkG8q} z#8qoiHvT=vMm<9=rdZ}&TYrxi8PMZYeeh2t7q6zb{>i>~^zXSpn&OfY85tQMclV=PN$?#70tyPK z^73*w*~G9gSRRTDs=Y~LP$Dx{P)B&L_{S`-eE6SdW!lR{=mA5e+7mfNaAc7zkXJG7 zW-A4 z67UtbzKxa|vq4|jn;t3?{?c=0OC6GgKpk27L0LfQ3<`^du4^U>we9f;3N!}mr|zP& z(hEwOuy4H3!rRiNk~@0$Q`6wv~fXR%RLql8L>%N+M4ZQ$$ztn-|HwJ~>Y5@gCOG 
zHiiBA)eIC&aC4?fD=Si%ro?37SkIv~axU-20as8jf^X#f5Pch54+JJjS?!DIFm+fk zyiYVze4e`z+ZCrRW9paNwqT40hcCByAo&>?L0ESTbt5e{Z(>Wbq73~m+_EVgw_{suv45lnnoZiD zGVPsYM;!O8IQUlsEv|qAlEJmHn#(U+D@03lig2AHyr6q;$<11=hsAPjM_RFOE5o=N z9JO+VT4Grqdj~mgqDRaLR3XJ)2a94+M)+r6;)RvYdT=(K2G zKU+VXYhYkuU3YN<-m1((&=!6?Y(?y8%*OMhwv+ zN&p*z|ElXefz8vIXH_5lr|GBpHZ$*w^A6t)&nIYFQFJ|hdQEdi1h)WdF?_wLYj&ne zBc4&GI^#hG7J$y&^H=2`EFgJ1`phMH8-CBlNj&~TXkE{^-8aU(Xg;y?Nk8`xI((s#jbFI z-?WyEd{{D8>Q29_uMC!Vro<%Xy~oa4y4`*c)|G6aBfO`5Qi&Fj&~(H)d&35gyKO3L z_>1U0@*XfgziDRAyVG10m9i^qPzbhXf07gvM^RI#e2teKD zT??>0`AYN|G2uu>**YM!r#&-Aq>FZ?lcp5DF2M6$!1fg2M+lK2pfFkda*kF?Xbbm> zMBbcr286L6khrH|d+RWUfamG{nVZ)BMRaadEfeiOKEi%aq<`=;PDquGr~el4e)s$e z;r<6*7VrzF|0ihX?^@yi2jo?V=6@1r!UD2R@f1CAfrQbCk`6n<^}gSi{2-AmPy3Xb z&rso&wv@DG^t(DW>zRI}7c}Lx?0zDKIvjd!O~j3xNUM>31U+rJ$|vJoSNWzAeY~~x z^-f}WfKH?D>^0DdaJLnYtE;CQN4+h^JDZZ=Bt94P$5j>mOw<|YaYRYBhf&Ff^xJs{ zR|eHgO>--4yFBOLsM;O-?AA}eRb^_XRZ&w`aeM0Drn69>y$4jpu@Jo&wBFuTwJuv- z;)v{zUNBfc@W92DL$o~cKp}Ksa&*X*jwk2>u6^u&KJmb#tUJTtt~dxkoFg&S39Ur9 z({GpXO5citDbz-~Lg+0|3^ARS@D2}zqw`_LG)M?rb$&V>MXe^MlgfDhf~VBL(_pR8 z^uhbF(~gMs%0+&i2XDUTeq{fT3$az`v({SR!+=z0J&fRY$sX%}dpJXyko8@TY7^Q+ zVej zk^VRl2cE0wd_9>Eg6(#%md;u(YyZG;Dv;(-^9JdtQ9YQc_Ym-Z<*HvXMBtrjaBmvx z0ZYIUgkGJ>D@kkc@)2pcGfjQI#()!j>KJ}~a+V9&*@*0KB_^U~w}KqWN8qbef@y5# znArt1uOO+_*nlEFvf6Whe>x@~Z|kp(u8qTBMZdqp%hv&gz4wm|j0x;_uENzsP1gT* z0e`xyuZ}-NMYGWt{<+x~@hB-0a-Y!AT%|sm;+L4LIwtC$Q~OZ z?k@-g%q^c$!Pwbcx9~C89y|Ll;p=uF>L98-cjPPwSWh0Wt) zeB8LzoK&!3R#2B)Wb)e*YTJAWLd)@cxBbnkE_&HlX(|Ms+Nc_{j0c+S#N17W5U>mB zmZP6j)ni5e2kPD~ox2bVNmV=np9H!r5qY;FeD7gGL9237h#~!L0 zqR-ZjpvZ|S%khVpqCbxmdrnd>f-S|o+d#9&gBx2I0nrqJ$i)B0-7)@^7NhxT1#O@0 z=EUapWF4W6Uo|^eT3-C0qKf_-`(4az=5LOU2(O(@d8cM@`1CKGB^=4^aZ>N&V{PtN zVlxmI1Xcf_iH?C@pt4^I2SiNv&q#uB+{R+SbuPnUKZ7L&p5yAGYecbw?^>0LGMe<} z=CsId&Nzft6n?B2d|SCg8Bc_KFRi9y9RL(aA(ksr$zuZ}^x`9-qbi-bZQ$NEb@H?~ zO7(l`)_|1jy<(HgqbRmV6P*6(@C;&AUlYWbY-9%t1|`yrNe>)2>JCJk!iJ$g;2tRx zu$E7IIMSQM)^3$IAN8mYZA}v5x96Qr4%v0(4pn|dN@Vin+ 
zYQ9LMivF9MQ(CtXeA{FaXyabYgK#W%i^E-m9%9CczVPk%CXFswiZdSJt98=zNU<_F8{hd;1=l+a4zUqb*hH$U^DUT`p(O+WvsNbh`rtg>6)?2qLZ7K)tp##g+l zKLL0&aHOQ|GegTyGPx=xUyzYdCAtBr{9l28kaR>$UBY7uTNF}kf2=kuKky$mO)dC$ z3*5H|I~x-r*xNP{J3FSM{iPHPY}J@~jr{1IWU0rs$cmI7*)7h<{J4lcoyP5}qY490 z=6?DynFWDShWiP<3si9yFvKa~0mN3l2fKa-BX?{;6`BfhM12?vx!Mw-b76QgZ$)94pUZxZ z$Vav=%qdCv-4VHk1C)eEmkQ~wews_crm{zy1Um)|euq9gBQ&oty2OsTU*~L3arVBj-E;QXC_f^;U*AL*McS5aWagT#Jifiu_^GqUh zPBQ+;`rg&)Bq#rnVT|RMs36VsprQ=rz+uFtys~T!F5jW=!BtJ~$YSD!H0_VHA+=d= zdH5SzOu_BWUm11yo24at%ZP4%SbepfUL1*?Ur4OAn2Gs|=R^6J3yV-r9E%{-7n4!< zShFZ}kBohU_)^b3c!3@w5Pw;iMFlqQfh`Vu#x=O_N$HoSD&2xVR~G0g2rp99G0ObX zI4fj(m_%AHBLxPy;7Z+A3)?z^hO%}tYBgkPHP)HWsAdvb2k#7YPEnuhD4p+d7sa2O zl29@qJjkl&_t;*{UDq{JX?c)sasiZ|l*N|+8|6oK;Q#_fZs@UxVBXp1mu<-M+xefq z#{j1hGTvO`E!+*U)9EIjMvm+veWhcy@{rO-?&r$` za)SKx%2ow!b><1CH`bEFo@o?h`_mGh9t*z4z^o2We~(FV@s67|i~lc(U-~8Rp8YYj z^SxTflou;%IVN*LG*UsuC2q6ZWzmn z%)32feIPSbTAdbomvvxTo1B<-X4*G+%|@!%{YL(MJ4VvA0b0_hRpw?k3@bq9+#*gC zb0TDKmlrk-qaT-uc7^#_xEiMSnc^SgUo~$kr?L52U0iMAL6?@km95z}i!odi-R{uw zeZkiT!Q{_*%?ev$X=#9j9x?MWc=uML>w?^IoHV9}T^2uTJq)p~4ZqE6Z&|afyIrs$ z=0{ioj|s8kR!NXei`#m1%?NU|#^ZZ8Sojyb3yJu}ylVQ;(ZhupS`nStIx+ zm+Om}o*H5*8qwf}uBV*0IxmNuE3d3D0-*XL&uBaNV6B4f+)j4J885iR{IfR;fO0yb zo5qHoez)0F1luUjI9^mz(AwXN1Hacb9VYTrXNVM=hz&j;d-Up%4%UTcM2Hb#eZkV} zp4%800)3@)YmW`~nOMMEKhzQ1HAIY3zkTa+ zKcddh0&;Ey(OdC1#eONuP>X04OXukR@aGs`Mh_|}32Y6mCsGsB8J|~|X6eBqViiG^ zTlJ#q7_8RA&h~Mr?|;o1&33`ySKz@2U*Yi3=-uKW!+5T!Q>$4c8f+_6mSE@Hc@bbt zuS*VoDlbe{<*`8rnYa_-vrWPbyj}-07V6J69ov(joGbH_wS?2 zU-f>T`DXm3796A-%`>E!g7zF)pg4tvlLi?YAt5T)`alPZ>ZDug9zG8s%L zr8ETb#8xQ5FzG4~BW`{&-Z{?OVXL(!Qml9dGhxCZryl3eJ2lG_+{dUsHhYAGE8o47 zZYhtW`I+!{V}L@AtaDx9ClS$YG8bL~AX@*JC_$u|%WG}ZQ_nq9@K3W?v66EW46!Sw{Id2k zd}j7nN1?k=kypkd(ay?YD82#ajBdtoG}VCMQ=*SrjMk z__e0#(46Mgjj}L2KpK1Ka4dhqC<#YBIC~qSHBFay%Z^z}NJ&VsjJTOH;jxh`9P212 zc>4tidT^!r-h-HvXEs03C|ZR*Eqq_pTwkB0YATsS5kB#Z&LJi-A@9uq|BNoN&^=NO ztjJPpIWe$2VK|4U+Zr&B?#DZx?K4r*AMV>y`Bn}V5DDjB74t9#N7FV%(~ES{t{nK2 
zATqT&qg4kThrhXNq&wvkYOwm+y`_ZK(m9 zQ?b1F+}5O4TxoAA#qi^>>YcXy=_j zMP>yfo4&rp@3|~2(-?C}`Kk zxHvmeVMO=g_#-P+|F!eUNNP(eBqAACC>$#^yLSRX=Uaa8;(RX2y7 z(8MLcqe}}vf{@1d{>G)#0y~epMW&aCtcg%}Qf#QL6&5>$eo4-YnhAGG-SMwiF&UsU zFs}F=q7NP`P6>$Gmk7EK$*d=`v5$qn{NhhdX(u*+QGQ~vGT*QZv2@L#d;vJ3{NpKV z&D!!&m-2)wTQ$xpYGAmw2p672)s??YiIpZx*Ra|T7Fk|7ZhMlzJA?Cg{R z!{;1*qD2nltmfuV2Gj7rKHt5_(Cqm7;AKeeFJJoEma)kCbG(tDqnosdhj9STDgSnL zIvnuL^zkP)*K2ae!Vi^_^b;yRV+Vetwk4NGQx1HSBWTiT5C1)uYau5KfC7t^xqnWuOt^63I^4 z&q|hjrB1>TV0Cxt)4tli%3h9=CRS9yyRUem#8bZ@l^Nnu0=1UkY`m)cSVVfx-_bw& z31rlj6}FuLr1EgJFT$jSMNXZ7E7+i0yb=fzZ3lCE!>oE|A&iG7S?K zLh`o4X&)Zor@%y2M;C+y$_WSmPiy3NC`@B_cxGA^vxRs{&SMNLLU{{(TDYEpOv&%Y zzsh2AW+Por0E2l&bSB1!-)hi6X4f4Q7!l=_6nwdmJSh2oCXN`IF6K#^o}eofx)HxV zr4>miNtoXLkZ`I!@)P#=+_DpeHfEK3ZtlXd)hxo?d#{yAHiQgK0`Xoo?A&JrTi8^-sv&oYW(eU zg#6p*xRv{lw^6h$^LQ|uMlOiwgK&bBWlE5kn&F1$2$BEte;9L4BfdQ zr2~#f7x+h2vR4X9X1-LReyE%A%A| zqUli4@a2xhrt1;PmcVJJ>Q`7<{)*RSbtEkfplCJ5J3Hz?XOUY*ajA_GsQ~{+(*KFQ z*|`8u?27Epu9

    3 zs1KTLxAom*cTG9Kv+nM5d*j9r`MAJ0wTYg2TJVcVW180Q3V%i8njbA16FmE~zQxd= zSI5xv>%^L>U16Y41rFGvc?9)ZZsFn!aQU%5(Qw;gG9ZzSrCWk${WVK|41;8!9{k@H>@<59O3`{X}E z1&&dX_vff;>c^ECxy0NmtGjl*TnVQ&;>ruVn#n3Ac!w@6$*aOkB-LB--I!{~AE0K3 zO~e-bMW@;Nk4|$F3Bzl~hpR!+^LLQ$&+8G`VnY|RzdeZ%8dZGS_v(_pEJV15HvzS4 zUxF1)XW!_U@{os9B}3745L4M9JA0o~ldVv{*13vGfa_+ZJx@KDgbqmTbbFR_80Bot zvR7#{iwqJ|02;wvKzlPs(bw1)oW(y8^Olju?A}B%;tNy-)s@%>SKSL#m>a$A z-UGep6P_h(Y6P+WQA?jn(WA~g$19cIiAmi(QE{NmMR8tWK|&Ld^lZ&f&uGswp;fKk zdkJUKm*VfqYxZLri1S03KSCXJZeHQ6&Od{r!^};b2nIdNOLy@qKaT<9w5@<&v>))> z3L0PYcsBJb->zLfukpm6I6CIOtiPBcY+U5-X#bn1kD|p>wK$?tc`W(2kgVRgJ0E|| z;9X0SLjVNpmn)GX98`Dw=Qylxnv}rHf!DuJojLp!g9%?az`dX;c2=zqqpK{IZ1j4# zuwtH}Z;K?`LpzfT?23rv8$Un4$e2k;=P>oAdbIR@oxj;PG)1Aw``6Y8%b62FQi-9Y zYzDBA?T4w3jF@a&c{nO0zOxl|T_ZR<45Ua3DUBkmLEOZfDvDaTp;{Uu<5Z?cy^Ecc zN7XO&VDT@`Cje+%tLmeqfM@u{B-NKsZ`rz=W{a@AWb)epiVPA($F&UH-wsR+d=*$a z7%kAg-d`=5_-;h)-)lONf>Id}`%|)||8sV3LBjnZr||R7K!O;J_d|M8jh-JvK~zW! zOmVcfN+2P=z`Y>Xcma{b#Lw{_;DVMzOi; z6^-2co#nRRP2JO0)U<`juTJ!zYSL_-%%Lza$XwpQ^i3dO=^Ur9F`*9+>gw-D(jxIJ zvJ|8G_~;@cO`=r6Fkfy7Xl41C_FgaKQyEyXsCryd#hJeVSqS-rH@|fC4x`UF8u&&% zYYbBH=Y{t+b2p09XsHrB#uPM#(FxLa>shb7Q7hE9{ns2InwLY@%*qOas`{S#Lu|^y zn5on(*q7J=^N2(FGaK_?gi5K^@H0>9|MO@i8z2Humw1$L003AIROA|G>pGl~qyM z!opPK>|9UH;4AfDBsL-U$UVAJPs*FWuh~M3vy`Ql!Ys~!-x5`L7~*Uj?&vhnK&iYt zs6TkONVrIl*~l-Tc(&RDjMV~hp+<3h`dprkrho}E?bpCNvu{KiVm~^txAVx39D(E# zC~i4n1YliJz)=(Fo6}jd51aB!9w51D?*sGlGFIUfsy>7R+bJp_FtKz;Ww5!$?9BB1 zKf*7+L(VBU0w%T{!hOv*F?uIHr|+=2Q(~{64j>vFbOn(9)iaoS);n~j_^)R`t)YLZ zz(2FG!OO$QDEnCCC*1UHh`BWN0U;zzV{5hs`#Hex3vq8EsW1lSQ>PF_B}36c2x!IU z)!BIH+|muG+RLrjjw<7k6Cg*uY{(ZQEnk%&s?0P2?AiRoRSshOCU1Kv|Ji=rO@8xL z{{~w~H??}da6?peZUI|etmSDz%%MTf4^9UKfy;rjnHC!Ea;mT+PZr5@t32oOS-kvf zgc40C#)m#4-{OxwfqMWLJyX^4-x9zlQUHDDf0O`bqnp%oUL61b)AvHy z*gVEd1Mn}iBUtm_lUaxY^m>1-TTL$bRFxqBbD#dw(}7hJwzNAHrSq|G3g!4450reU zA!cy*U(~x_1Vq-*-448phFvj!X=34N}~T0Gn5vNC%3Cq(wg$f2?GTPYEt7Y&y>0Eqso;bSvy1^c9eaya^Q2#LECh$&;6e^x 
zd@i6T;D8IFO_FwV2K<~YtcK2(vfSM}k4ZpOuvL?EKWR}4ljxP=lF&DqA0Ni+T6AyZ zjm6?3%DZKluFU?V)2Ze@IWz(%2~V@Ndk(L)agM>U&)+K%!B<0iJ81fl(|osiM7_d# zLS-w_Q8prUX7E#=oYg|)PTkBCY2RU`PG+7~jo7UUTmk59k~5biMcPFE&cMKCc%&y> zkI!e#gvx~2Ge+|Qy&1kQaVAGQ-*D8_>;jxS^$RTSXCUm&N7gbs!;?d(y`=QxaVvYT8s#AoB`gUgjxUDo^WOGyVA z!CkY7x>`h9q8ZuVxBJ$O^MrUC^GZhmP>KInms?{$fB&l=8uw=_17vdt!^p&akzJLb zu4z(F&zNYAy1%>PHmn4Ld;FkoADr*3`5?9arvYD1Hr-mU?qU7P1_xe6^qMx~uDI9( zlJXfU-*vF}BTeaQHV-^g0chZN@9sZnU|GUl9$xu%vp8ux{6=R~SJH>>olP`GAR_d8 ze{JG$FD-x?_JcFKXoolaIv{XEo2T&LC-qD3#?S^n0aM|@xjmPZm}?71_jKG7@?V*F zzh@@n=T({*HSx0MYl4XPdZ2?_iLKSuaz0-dSq;CA`}9r_Mqqwr>4`^#?0%G&8n6DKzee8g+lImLY$+RXW@uiNI2y%#-g@X|!Q zD40VCkNSAd2qq@0b`W1|bg6$vjTG3!Aa}J%5W3_LW3&VOqQ&eI8tG*Bt9Ea~Yz-Db z)5iYl+f@&Ha&8!93Povg9J`hbIBcHpXqf^E0hhrgvfs;^$97RZdOfnKRNW4Jb`{7T zWpTQCcAkzlMGO4IPGN363*gpqmV|;m^Z}$)$%YWdP)#_1rw9IPF&=H1ECIqpEzi>+ z63!1vA(v3LMwgfFJk$aykvpOj-sG1k@w;9Uyq5&GkXFZJPk$e=_g~GT5ScCm&o?ML zPb#cw@O#&xkG(@h3)OK_!NK1~9B3Z>(u>W<+ITwimTHW4yj372G$x6dkk8!gp6pW0 zT29T7;7S`(%#oG>%qUZT?kXcdheF9;FKPbCH7?NcJDHS`vBFy4o}Tb!M;+Oe$F3W7 z#tgngF)w&F57^OSJsq5L6GWBa8iQTR6-+zsr0U|J6GJ80J>7ONcVlO}gT=I6k~sL_ zC2|La;0)*)-s*ez?x*o<5b+8;ibSa@u=5G=L*6+4(WpRYs=X%H3-;Z60`^` zIVF{NgKx*)cBu#Ch_omVRtK|M@vV72vtN;^N}biWH?c+}YE*}d)vgDdc>+!<^TfLb z@cGnX7DkLP)va;oR8~t;K|w)NvU0bxgW*781`B$It8~d~Kb+q+l378DrMo${>9O?; zWh`tIJ$^mi3uZ63yA>6i26=M8ZIvvBg$6gcDvu_)^^}~V(2W}4sQIm>;5K9Qc!H88 z*nRcM6!}rNcz8U4mj-8V4{=nDT&=Tc8Az_+6It z#H3n(3G^h}`Qf@PPK8#~%KzCxF{sX`S)#BK1Nuld_Vd0A~` z^GcK8KfGm}Iy7=^XBGJam%)aWuba8*G@0$i(5D+kAGNd&ktE8BjP-pz`)Budp7znPHaB;5jg}9tfrSDQnJ#X9gI8ZGN2A8% zn~7cpe)Cp~dlvy|6*hJj)DQ#qFt&mI*~t*CABAceQI=325^^bHeWQyl?@EXUbS0tg zr6;^j#;-iapXiEh-ypuUmFv#peUV{`-=av09HHNP3%bejyWs5<8CW*gK*X3B86Rr1 zGr^(bT;fLF09;cQ)Pq+zxBUR72+8dfnFlWP;*87hE)#@{lU{!$TT*&>i@!fPHLbus zuNwW1xu^2{9cuIQWGlkB`k27h+RCGY9a)lb)sIKI49P|Hlu-YV$c*_8Sb%*O@Z8g1 zK=ukgF!k*x+xIY&&n+AoAFwJynwZi~_zM+e+mUA@m0x)9uGF7(aJQ8*Kb@og+ID~s zVVtohYy`n$b@a-teBP?j5tgIpm>kAw%zI)l!~xhWodDm=ey~B74Gz0?c%px3W@GT3 
z6c{V2+kmJ{`V~y&&lh~AU#$@@{@+yEs8EM^TLV$t`fhg9Q+nQmX?-d-Aj*&-gpkXpI z3F{QuybdSaMGrYC>foYuCVs@=uCFh}3rn5i06{teuVq5LK9-=r%iM3pADWV`_rP=c zdhIKv_FG6fKxaIdzxA(K?8CE2Sldz@#BHZkq%%P^Xv3jk)=-J zPW60ny7#F|8fznRt3Zsj*buVbXU6*FAP}F*58^Hv;X1*EfoozA)0r_$0CidfYui^X z%^nk3a8qrCFn@yU8#=Tax$CDTU_Y+umAB%j9a)@Hs!pE6LiiNuKLmbHW2{}#17ZCN z2gy^Zq-5D;d^R0Y5gCX8sdj0fJmV#O{Y@F1wvv@)5BMd!8N^kxVc(GH+u7hq7S}hL z1Q_WPsz}ks&Wsxdms8Se7vo=@>+8$m4@B&yHTLc}ht7v%i}*a=??K^r2Y{Cao&So` z9zVpmfn8O;BeJ}jyNyU7tjC9;9Ie_}5AXH_t+>i18B)hOL<+28GkqF)6qY}Cp7Fq- z6N6(fC%LTVnmayEerdE!<Nu4WfEuS17zDS6F_ z1ZO4XkceQgFm*078W3EK&Oy+G1-cwYR(w`J#z^QJ8M__E4y;xuX6txqcJT||&Bz{H zqK6{(O+|+3KA1#SzgOtOyapq_fq=~UHG)S_=#cmRWBY^8 znhNCKE&3(WR)lYgEK(`w%t3)7#MnHEvFuMT|L2-RcZPBRrez-FgcYC6I0 z``-^mKwi4LXO!!B1h*9Y|1wzejukY|$rYbD97IC z&28k%X$pRCzue4Icspb?sb&o=`ytu&jCKEK2lwYVJ~j$DD;=RhzxQ{!XMlU0XLVHs zO_0Pk)OVVkeA4&8_6eSP0~&~4bYH{<7Yt<>{-GKnhD23Uc^(iN!iZ~}(k%rvvAf`i z(A9|gZ9RM`hS7Y0u0N?{9kM`ejV;;K7mw(^Cj)ShZ!1Y6d&cVzM4D)Gr+nK!1fqKz zP?oB9OyU_Es4uP@Fe?r^_wRP!7`a=3c9s0V*X&QumbMg~KHhtb_2Czx$y7U_JYi|W zyH3}bobXtYBjh6x;*RU742`(K;V=3{gqbFvp`amMl&iP#xkR2mY4lygy<=jvtXBC@ zCb~{&3P1uAr8{vB4i7DD9=nUJ!`JDYZpgr?h5puAI=(MQK53XF2gN@cr^hIqC_L}N zOkxARpH}&5hMtMfRaZZx-@vraU;0^+DzAwt{nOAvxXXn!s=0CJ4E!4t9KaSX;-T1? zqZ26pt3vARh~@pMLe2$cVIj-?LEFVE`I(-BlupE>J5#F^|EAi}YQ+3FI%!&K1G!ox**XPef8ymM-~ zs-6`P#P%nS(aKC<$RB|5&eTt(dM*43&{}TJcYH-H_F#EZ*j*@QE&oiGO7$~c{D}*x z_&R<@c_SoI!v&W1sdHsawD~XaPYbsA;g(@!&;y)TB}c}fhk)U8}>Ob%N-AxPmO>pO<5YO_5Z!) zk(EV0>-pU-gmqyU&1;^Brwh6U&c&1Hyh3($QVxd54#=WD0KQLa0-`cgJ2d9rW8|{= zyt6q?^0?53?-E!mf0dl`^XHQ(%qS%#Kh46I7=_Ki*yY%k2MRC!Dh zx-~e^l<(IHC|f#`@H{a}Z!5uZwZ|W5br$515iEGX8jfKE;F+s+ulJXB^<(bwjA{po zh>7vLxNx{UoQDq&qg$P%ycqNNUOn5y=J)6`lE&s)yB=u)mi8>H^Rx!%8$(%n`CNzX z;SSM*;cQ!Mk;*_Y%vMslK@&E3PfSs+XLoUn)e1zLjCg9swFN)e2r*&=|Fjewk|~#Y z{nwBV5q?~S=pHQxrD<9h^;wb?xofsW>hlZH(X^G=HkI!g)balMYjGmk8{}c9v}L3p zX!}uAi50QkqB^cLOsxPCjR^7%I0}k@99%F3$?kML?iC6_36RLUsES&~MAdP? 
zjRNkp_2a^>_%fW$PQQJO!!yFQy_A~n;c~`L4lVLH*CqXEfIQRw@l1trd@ADcK0_Qn zQ!>ju>+FXZQQ|`dL8fPIOfF2GCJ(bY4d%u?*nGZ9{k?g3R9qq7r$fIKqxf z`Nz4+I9@k^+fm7E+nQfm^V(-6&m_FvwwcqZ@@lZ8Rslh0TE!to>>Rv3%ig z?<2GxGagh24)#&k`rIF~>nvh5me;jseBIs?ju$ zgEhODveGg0uj5I@($dK;h_3}ixn*?bFy>OBXqSgPpf&Fg@F_5RzYle7a%Uwrgi-z* zw#)Ja*)Blf33x%rH&*lr_z|Gi#DMU!jsAt59W$88`U8*M2E;RC&hMp@-0rH%yJ43Z z;`hFG=q5R2LPA5bGvp6_EBv-6wbG@B1&7T6=O{jWs(T!5Ii*|B03bemzr+@$#{Fe& zO@~&x91N`7Jr|scr5f&&7Ahj58eX;nKgmD~X7UtYS!?SPO<$?OSqaKp{^ThmtmUMm1O;He4S$obY$2R!j@yyFG~wEna{19CqbJCqZs5 zdS|^q`}k|K`dQHe$knN)iu> zX=0v!nTXQaoW(|WI0u_E3CW({6<#$=D7mqCiN3^&g41=((su{U7(d&ppQ1xZONBCX zxH#)INZ9qHTayIK=r;ejBavH9W#-YwX_@u+e?9Ylzw6NGw}cbdG17sweu#;mQQu*C zUnH(K`Gee3=*h3Pl3Vo@%FqLS4*a17MBeUTdn~m~LprC6E!mW)oU!ufK zOleWu8eW%p+;c-tWp&ZgeQ1Z&wiOXHC;kzG#<9hh0IV z>&fSSv0`M#Mnwf{v^g?u>#rTI#;J3A^oe;VH?<61e$lhXlm*4Dw=Mksx3qFxqg8u! zsULy91;!z#y_emdq@D)`nsri&My)+$PFr^Nf z5J_f=cyuQAU*99Sidk?)FbF1t2^W;Z*W8^%JIY6ZL@8R5b}Y!d9X&WAf^>~b4e*pM zHr+hJWWy%MBz5;#ocsqTHVec68@4|(rf#3MAtXZj`zVrcQht?m0!{kQBt05La7 ziy!+=GmJCMhy{iLz3U61w|OtFrYW(sZ$hzrJ-R=VIB}KA+C-E$jFCByL1NtYcsdr= z)UbbSXj7``N!GXb*3@w`{M;AFCt2TWuwCU~%mn?wcRc_?@4LFc!UvYkb&SeaCJ*r< z4}wEQBGL^;)MM4v75_Qa8$+I=E3W&_kWyGhJg=OC#MB?r)~Xl=R{8}xL^h5vu<_z_ zUDKD7?Q>YlLF$BngN4I=vQdVSL+0AjQZq|hMr4C@zRFF1nrmdVx+hJ+HUicg!$P?~ z#KCk%U5TFX_-MC}t;tmK%Z_@vH09C5R+^YExy8iTPaQQOzJ3x5;~*q-o)^EQoXxI0 zfpcGF`!knLk9f(xi+M9hbZTB&zyoI1uyvluouX!g7Wq*On)pmvnTF4L9nXOY^H#z(+qg<65l^;uk` zJN;z`rrbXe&S;^X#7tPYJTDo{Xa~1@Od?LgU6B=4>#okfwAOt!38Uz3NKTBjAQ^?# z@QFe4dY6T@#mIfUzXT6`ss>_#Xf@TAwQB1)Qj=(w^dylM^)~doq0l+I#Wps9x&~*y zC$Hv5>spExi#>lMgPEmu2Z*?1qb^ThGAMwGsYsxDVP_)hxKsv$8>a z|8}bO2^!3`_^*Z>>R*@BYv`wqs)cM{GOw3C6Bq)WmYk;Kt|%(WAbq~Pf1NefMyUMq zYIL4YjTg6TbyCo8W$3cL`Y|5tjf?MviDh%g)uV!FC6+P}wfl3c+y1U;GTK_*uzg!& zjI+RFe|6DcV?xT~z@|4*8Xrfao7s+D(S4x3HfrTgkJ`xWAQu^9H}`zc#dUrMpsJ5a ztkN;yc|Ia0L$CP~C??7=fLdwR*FpMZO^cKxzk$Bz3ySYP-k_B>4Q4=#&Py3pQ?wDf z;$EUG_}=0sSj~vN zzBuTw`%TSRyJA?b{0m@gsyPc~f%=pTE#h)@Ykpkj8q8sJri5odO}w=!PpOZ(-@)FT 
zg6L+3jD0ml%Ej8yP;zym;PZ3hX8>Ir1GRr{K6LYaG~tZyzNmoiVNAw<{GvBfw<{a> zVO{E_k+2B6$Q$8QB`UvS0uu|{w!c3ht(^x3vVdkM#&S(T^&?9c_xiyU&q!lW$iZP# zRdS8wecU#X(_T0(^J(^yv~J{O_7F|=DNZJjr_cIfdcoSV-gam7*1ie8r(@qCUGe~0 zRJ2bEQ`94!bRo05!ZD9QFDgD5VH13I2>0dS>J58^ z%$AlGX;o_>kCg(f7Gs8K$x1`c(&7guwu8b>qyqFQH+Pff8SmEa19GO`D1j#JA+D>> z7f2r`lB+J^5#eqLmN~@@;AjwtFP#)1p$Vsa1Z4Y($5|?w-WZF+Dx;rhE0RKq;JYyH z&y5!sWW>wuVKIW?v}${f)>f?c%J&~6N!XKvK28v^A~gb3)^PjOJG;BkHM+6&=3+Xc z;$yppfBL>fktA_fH`#?y^KUEyOQb$`EBBm^&xUL1np@EGyz4Wi?a_Is=DhgHRE}_X zrw7vRbcZLRx!>P5=`^0mLd|>Vn4DFsxAeuzz&>0Zimtn<4X3{y+r!e3tXB% z*`QAM628jMrSnn;{4f@NTucdeR`BLMhj0=uqQhyC>hVK_vbn+gCYwE3cCfg&XGb;I zW0y*{AKy1z&z#aQ(Nz%&KQxkS@e221PK~rmi&!1JW-6mcHWA6=wj!LBQvpP)#TM3P zwxIhotrZQ-zq@Myc~(Z5=Z{eNJW{lHzKX<4ZFo<&%duU?aM4wJ3oUuR8o`@L+jl=R zMBb0O+D!C$GGzeaTxVh`_AwWr-UBjgwn-K{45`r+C{&gJScEYxT zO2z}Wi?;SJ9>@I^l(;jZ%!`+L<;N`Q6iqA`t*_Wm=nNS~qXh3O(%MpppnQmP-bU!P z2|~;^VaKcjR48(Bh6fbD2;3-*jjUc(TpklWeKif*2J7J768aazR94Uy5G5}NRvnGX zqZCqn@Am3aO#vevZeFAkDde)>)ZFUsF+{6vtzVF|`l0z>n7k$Tti46>B1kfNc1nrG zPgW%B&RO$`+G;-wf?={%{P3`4Wtt?dWM%RVY(NknZlxb>Xw&3Fy3XJNGF8jAU-`6{ zOQ+A5p!`J-K@p#vZ{?DHk!OZ=5mrZU4-zDPC#7dq^))tY@=Rpz{-#;OQGK#3KlF4t zVcr;f66>gBUr!1=Gd2XSBh4?|z_Hdsv%NxLlFp25jt@!}#gqRa%Ha_CinPDKPv`19 zw$YJS?zQb$eS;As7A0eIW=Si@w`H`FvGP3!0~EqhNWKH;(Rxl5r_~CTM5@^1;8!6% z9OjW?(9to;K6%vB!dXd?sCQd*3Xi=YH~!TGw2pV1kt-|?6KqdFTcGuh;dX)6N566l zuJY{&$12_Khj9)WdQcL3$ChSR=~=eaT8U1kE`|#8_uECxM`uA` zk2fY9&ct4V`i}`}w)yc2geu1Qgy{H{VivAQZl#ion)-{1(ldX+94iagdzop~mZ-Hc zh-aSdz)cu?uO~M2DHLEq$>yLhEvvOkpya5#Lk;z+vQc!H7Y)^n&lVtbO{)On);Kgn z3U>`~G@m34u+2*U|2%30=*q~be5;hyyfu%y9GNzRHDZF9p4i{!zMl%zSm6v%lc ziQ+>0C=F8On4DYiUq%~V(S+gInmXLK@X=CwgM)gxxLA_2UdzJH?r}GL^~on(Gd*^k zWfYcHraw->={crJl(yRf^=MJ>dcL>|lrjK{@aDthboKx&(me~Ap5CGJAeB!7q%kqE z*2ZIoZkGWC%Gs20gskqk{ji#W4eOZ!ho6>W7iHB|9|^!;T`<>32X;jJK~7f^gHYv! 
zyUM%!PG)~HVc;K3=Grs z2;+MLN8F40z4}|bR`NUDS8Tk;6Oyig3d*I*Hvel~r#a9XB&91UgA5bEl{fRxmB+WQ zkelEf7V|do17~<7AT*P8l(~OT$jVF_eaSh{>N@i$gH%_#9z>MJ0#bQ@3LQCIxcb)N z>8C(1@1W37s?7CZuNH5(QuCUs_X@GXT^1kY{mXk>@AfK)Y;X_R_Vpo@$({uimicC< zIM2^Y{Ezl# z@IHZIeg$rMSI5FxD|~w^6J+@-A%-L^^&#KIQOMHNAFvZH)`MML%&+z)_qQwNM3825 z`rXm4$)jCB(EE6u@%GdD`s5UoI7)aw*DT*y9i_3P=ZeZaTZ=oHQPZ|E#DP6ziB_QM z>n`-ySlLAAxbKB>dvDaqZzT7H3pAkwrA1)7j{H>{0zmyz_Uj73geVhLZr`Q31cBxp5Ln4UC+%j!v_wUn(~ zvdhQEjc}=e>eME2XW6Y?$#Ot?IM4gpM8k>7hm+vf7Vcx>``yj;d#dg5kP+}`w{d<_ znJ{9Msdeh0LxMH}rT4TAF6_^Sp}}YUdbXP@+|Yu~V%>drZ17?FZ#qnD1BmvU3CoefaiI zSK{on7=?QZy~o{~1@-aUMn|kpRU3wGrCRSpBpEpCth#%0@Gel@)`JNkxT}Ie)a|z2 zE8Yk790}JE)hqHc13%Z|H=mClJudCHT`?uuUyBKof!KXpxg!eW1wI7UBhH%k730|| zi5CJ)OfA8emX_d8?#_lYe?*89iL$vk5udDqorN6HYRAe|XDA|do(V*mn+$E-NwI8X zq8UR5arB*Mf-am)a?hCSCs~_wZmM{s-v+XTSn`L1)_pi(kZ+?VI;PNQc=3#Qj_?U@ zqhF%x7%}Kti6GWGEVmSoHIG0|A;hR+6S*nt?v$9krJ+B!{iPQ#eA|d+ed0EKX>rTW zV3G+!A0QvyizMdzc^v4}`uTdD7q8W&O{$^eTl>zP@)Z>0wRGAr!Wb`WpK(c4!(Nbsx|AP8)AL-~?Py#E*}C z#wWO?*62CexH?EV1>C!53UNHE1-yT2klS}O9OvkC4QU{mLTmH&7yF4^aJ-;LK`zM# z-G_{V3b3BXxjcj)oR6a#LR_V~1`++OBW}T;Hwwr$3~7e&b}?kVMCBG~S`WEz03q-- z0-NXlZU$R>LCJc$So1stg3SsYRHE6^y#(4F?HM9w*H)q9AJlw*(VU-RhBS$t89%(2 zSb~qF9DlVz=CNA|+-$R>%<012&*M6|s8?#v(P(CHf2)ZAvVA_`I;=Nx-k8Z1eWJQ` zpoe!aF<*E3nyY$3*~W~K4C7%aw;VDc%7<~S{mAirYxHn7c(sN&u?ZB~orSSjo54>F z<`%=8a+>R4Az)KS%=24)YN&%osTeVE0>?bl>H{g2i^ zF+4f+_s31>NcrJ9BdTQO^ ztVO#CX>Z3T0oXuus0wgdi@;{0pT47Xov|*+>o!0WU~0<@CR`!v9xFth`l6twPW$wf zg(sqk6%u^xwpxgH@*=~SDNt>o!Jqkizwn+X`{SS~_?^|8rN#2|3nLqd;mhe^OiDvI z`<3tI_^OzCZv}C3Qj*^mUxLHnlBA_h`0p5OfOu_;H?bcKi-yP_5pMyPPjVJ?Z$)2_ zZL z19^<)fqE$N$HG5sQn9m19&lc5oMGR-Es&Cs2up>wSUAW-+|QqHFfcI4Er;u@<^uEX zb?C)pHr1X|tfR?h!BUm!gpG^AOv&B>@Y z_IS=+IfL@^xpe~k*-Wm?lX*r61Tpn0d2=HDyoj!*Uj zPV3bwYwLpaFFWOekx>W(IiQ?gKMcB2%C2~bfknG?0p=}K=yi5^6#G8+Mc-I?dJ8-gvo=5;5tSKX{ z&W~eA*RV?+!z)_dUgO?NrQ-*!Rd?qniEO~G`j*xS&KpX#*XE0d1ooNX&b~lzxl~Sg z=0mkMiux3pW^avV|3FvBl%vn5;bCZ@x&0~hHZ%Y^)0eC$TgI+wWZQa#KlqEp&rJy7 
z{c2g=(Y7b2L9^K+m6(?X28FBgLv<31QoB)$j0bB$2d}UNub2e;S|~PG<>pa~!Dbc{ z^}<3YX$GfVds6GepxkxiZ^UZXuoKI}=?Utz7!_DS<&&>=qRy@26M12%)+sFU%03um zwI`$z4FcRhf{K`#0M-+iTSWv|05~Tn#9Hea^iw0s5t3B3dDa&2r}jTJOP%6aywA#? zx$D$DW%7S2w^fAJDl9QRsGtc5l*SMt=7bf}3PD*#Ha2V@BhhYk&gO2hG_D-&Fm%|~ zqt2clgz{3|0yVtKde@KNzNvfjSkW|j(Oau(XQFr^WOBG%hz*-XO;EADK_hDHo*Ki* z4v<{0Y1AYb|HR&!^NEnjJqltv9Vwgn_2V7_9vhdNR0A8&3md<6*|GsKNu+~vTL*De zSzWEUYIEFeT@&PMUUA!)v4tu|XJ;D&P(9`4D{)A+xz{xhiArCv_Ma-l2$?6vMLmF- zlc&AKeuS&Y#jQY|3db%1p%%2v3qogX>qK_jghD8$E~joqb?P2wr+Fj@fU?=w9)%hnGL4;nG5}KM0MY5pNnd*j5*e(5EH}=;S`uoRf)n7KUe?O`d z{G&7e`C=0{`0d|jjDLQ156bSy_;*j}{(6RVf1B6-e>gPR9O+or{_Fu>r_mn3->cBm z!V$l{@v!sWL^v*#kQ*&T>5Ir|em)1teIf56e`PozPlZVdN65#&L<%TA$0n7mIoIFJ z*+4-SB;5`~woC!h?esWSz+scTx-cF7ZVM7OLjP;!_xA?5xP0g5L$iAY397IYe5Y4T z4hNR|n8~9Howt7{D{_ZVj*%OlVQu4C;wKbl=!Dpb0?F91HY`@3&{`mp#5Z=@pRb4m zqWY&4m8*OdXFa?H4+P%}MD;4j?ro-*M|~qMWEW|Imjo{cwqRF%_@C2?O=FJn;jUq# zqm$ftv%f)=kI2PxF4vNZSCAwgRKf5eBJB+?;S$VsVFXFY@m-i zq7~dZe2CmedX5!W>s?*WED=MxuBd1l)10|EF*vi&X2fspU9d5BC$UdF`BqQw`dft_ z8O1_lOigoTCKrBXuXFNenlta;vwM!WWo z=9fSQs<;<t>0(&K{e~oPTvE-5MuBt`Al|O%1=Jg$kCz-jipyY~J zC6mI;{=`7sJL5~+<27Hr!CUG|C)WUwp9UOu-f>L-fJwG~Zp8CuS%mmcM#-XcjFN|$F7+<7y6tqJ{2{lo< zQPnF2N&m*dRN;J`6@G@0$6H-p-Q?fD!`qAFVq^WR=E^rReP8^NlJLLJ6jM`~-Wjwv zHWJX#(EQaQUh$x*DbCN&G2`mbMMev&_hkO*_Ft)JX(_3x;bUWCe@cG`o`B4~jaYl@ zo>iXMMlm9M(;{%(E_!s(DzjX$tyFFsB#nE+#T(rr6u?(&st1>|h%nzgREcmDQgZ5h zj_PU-2%9KbQVIu)zIDUkpq=R2k2T-Jm<_V$Kpa}u&H1xTLzDK?gw}zLy=QXLR`lJ!|uH`BV{9$lCObwUUFOyQ5pVGA$Ro^z2}{+?5>MU;0I6GCGo&^ z@{1D^ssfV;LXM&7LBt#1ioQ8wdBaO{0G6OFwum{0?9rEQ|1YiMtz=V|k}n#*TQ#@A z#^e2>A9Qafefd3J%q~6~-|W_)q#%=s0@JRKOij$p!ufYLphY~-P49`{dQ<#2uDZtx zsT+(b2;P$MVChx?$h@m0wu~HfEJ(&4@}6*s%klE63uRyW7*xB>QD(1NYcs}OivlWEm~KJ& zV7<>w;vl;E6RH;DJ=J0+2Gp)@z-vA8a?dMRx8zjmP8*#QrI&+_r3IZvhyZvE8W#(`ETgJvP9!^-!|K5>hXjo6 z&{P`3jJunm;+U(1FXYxyxKk5=x2ydRV@sRc8D))*4IjZfkiMS5nr%*)s}TSu;RGR1 zQHZ_LWw&;n#rI~AveVTW{$LI7d)gT-v*yR~MuV<3vNXyvZt(-xN7cl%;x2 
z05>b8jJbC{K0aI)<8J_hu00^9y}+VI?~kmhz_C3@JH+&^`hV`~6=4i8FFuDP_AIrr zCGUC1$)aYd)$HFN)bP_`m}o+`wTA>=@|q|+Aq@Fcr&Tk*L$AG_lBpE+XKLYw_JiYv z{eiUr)5y|?$}jh{htZuU20mvnr}&HtpKc|E6OzDI-F*`%2tyUER$+bhN3+4{t=#W2 zXi01B(0r-+QAt-iqT-JlTlU4dY!+2we>e1luW7$se8B(b7G8>kUrEcM^NiR~8r6VKTYCG8B(l_um{qhcY`h8o-gW-iDXiMfiFYZn|1YR;h z)Jxq!qyKHWZE)zCGYRe(DQnPYr9rPTPtWnWq7>?5?uPX4UvWzI#l^)$Xe%2OFGZ2& zd-k8Dq!{xF-ud{x6Cs`<_2i}>vqB=PoGVh6GSzCkxbk}8MLGP-1p3!@$6J)xq1Qo< zy*5G?y4~K^{X3xea>j~yzGLweX7<(P3s~`+GbOy#<>kil9(DPCIpCqdb$>ZqxLVCO z=pgkMgZrW#+%1Cqz@T8@uh)3pc=Q22*EbkCBpXK7bh|37O`f}Kxe>z0un2~WwU#?m<1F^&#X^BUthIoJ z^67z}r_TPnVt36yZ5-$^FXxZR8Y!@S9H!;%t^B6#K07;I7x* z=fGSyEu*Us3he4bD``SPi7MyJUb>Xf;Svj{8+aq z@`)p6tN9G5RQhggK&bT%`xH6_TO;gonHAJ7UkCa4$n&+zd{Kpt8=%?mYH(5owk665`Dyn;3SdF$!mOt-7)=pGCR8=*8?u`;4EZlg@iqKmBseSS%pDv$(_p zA1@I!w~?W%qZ-4(!Bwi@&(6AxdrS+Z`F5}Z=KvA6-e{Mws1rT2WM%VJf;EmWD{Yc1 zcmY_vAXc!8l^Fw&nNslGi#^HPl?uZw1pwE{GNGM|{pW}nd`f!*E|SRn9k?rDb_QFj z3ycx*fZ36AwX;==g>qU~$+j>NquB7D2OgD~%pzxb<4(T{cr4iWwe$9H)xVN{f(Q0` zL4$$GCk}7_>((ty`_&)aJylfV8|m}2vaT{>0YT7C|72(I;YdOU?9A<_XGD?v@of zLqkinxvUTGh=k#lX)%7JUUYi`gf*Hys*NAwJ-9z2_RXFm*#eND(fF@gZLz98aEOmx zGG9ah^@R!+R_-8e)FT9fd9Q4#q?>bxn&7eoM(Y4dcGsc8^8volC_ysH-5QI5*^U~E zX;MSx!|stGGC!wRZu*MUaM7zbG$B=8Vn%HQeCRHq0I<^t}5T-<99TfOk1g{D8*D@iTg2v98#Y@Hdu~>aLQ1hdvOa9jcwA{PSAcKTc0@%_L~M1N1E;|{@oHw9tbx_Q zD+-(AwQBQg#D38jhPRZH8CV5tH1^Sb-hBFEAq-5%tON>EyxW@7 zHNB^nUgSc}_WQcdnpDWx#AOwHe!7As=!(K~tnewe78{|&e2OX%?ndlW)bNv?J<67N z7sSbkfup|KHTV{)#d;Ovqw<8Us_5wz!0Q_>BAVkKBTHWhr-z^w$emw>+S2a;C~18g zduzLf^TZi{MlMimhIV=JE)qbsDGO4mhV!Y3l)LfN7$uT*5__?0>#nN~k!LueSe&mP zZB>UF)m;`l$FJo>Ou^b!~lM zFlzs$V)*GH*3E-fGMY3%bd+BI_(C9)djCmc37K{5F;}v^-p^+?$VOVurDt9t#L#~1 z)M95%y7A*!Q>Cg+8^>w3&qUf%%ymdjPa22Gap##f>V!ZRb1Ad-#$yz1mA#{#h8i}^ zfD4dC9qfTccVCC|x^Q?XW;RxQb9uH<^M0r56e_A`@o#y(!`UOEBih?#0=Lu`Jhqql znMjvlq|Cg3xZ#oF`uYOpO9^7aM4$cAps8Vx_2rkw(QW!dl5qcf8f^7t5uVqF$b%~* z@C7svY;Mkpdov~K_;?RS8@_1beEh@PMTi(=qJhro{_VFqedZ&Mkf~{CGS?_y4o%bo 
zJeQ4w9SHWo(}SXx&W}=(1LpVeuNk8=!2(*PG8=;xIdjCY;-Cs5eZ&LaJx)R2yhZ?Qq$id-=PnDrqDmpDxBl59xsO zEf%1q>S)^(a;uK))Hpawsiy}WcM&opEdqSn`?h{-Y@lP~IvS2Zaq>8Hs= zsC+~&ItD2L@+Cm?AWOmv;YUh=ae44g><4NG;+JLp@MQYffu#oY;W_KB(}0jziV1N_ zb6SFZ2K~?R6oSt}^-NmPQG#xi5HO($pBrqOS*Nne-H!Z;|EY5X>798`7 zd~)o#tLdZ&>D3<2d!)C^QEr3qI7<1ly_;~)Hq_E^czfBOdicdp_78@M)Gwi?FrQ)H z?%#ocd9ORRN$LWN{bM8_-IqCvJQ@JhQ1Fzbj~$zw99gL5YG274a>d|p_xQK*dqZ6O zXQGDU(p05kpVofx&1aK87gzg2X-nxpxEXm2q>Lz{&CNPTi$qGJ;>(pUl&WYA0czIs zLnhLn6Qha0o0IjEE&Z*#Z3Vo0dTBZDYAxa2tSAWM(fSKIjb}9c-OtREGVx`T<)2zL#_0i6L;irJ|^l~S^h@nVtV@ttPMg7 zQJ_UV8(eL5em9suid1SxF$ZFt0_8+}CYCnfsSI2AxJgK5{>5PL7`;jcp+fth%|-l> z@~f?Sf3HZjsZZX^rV7m%7L7u7wUBKvUyU&UD6H-8Dk5)WN!nYr?YK*AxDjLZ({Ar= z`lTS7`GT5BH#+I*{XEw*K2=S-jkE0*D@eZDz;y4Omjo;U7>NDavuH|OnQ%>9!OPhE zQBCqmlR4o^R#AY5StHQJ_pGZbkLx|Y`PO96Fk4++*ThV_;d3;{eR-QbmvZawOj%h- zKkt~)WA%wW;T6nNyl%xl5isKdEv{^>Z<`&fa@L&ZL;YO$3Q<#jkRt%0S*9}RezYmj z*_GKIlW|+Xw>Zy<^2B9y53j&@ZOy96%=qoisVOj?#m`6FJoyVCPH{FS{?KylaAHt$ za}2fWxB}o`5&v~T?d80BZ|L5oD1n*egc+{At!WP*tP4`DG{=1`$`M}T@T&i2HFjNW zGUok!*w>^qNJ%2E5rkOY%AVsSZb_5t2&m@3jrI}(qu;8Cu$;(ilmK-e;-h4Z*j3$y zE7^agv#w^8s{{jhA1BGJHGMJc;@9#cCgjjP3cV~>lMwSTJiI6LHIC(*Z6&EE7jJeDPlbqS$1S)g#>M$Vqi)Da z|5!R385@KCwr(rkb-WzTlytR2CpEIZzCMfbEWdMBsQHGaI|M_@-M#T=t?Axq`X>gj za+Q$nPBb}!ancmwm#zn_uRS`XKp4<1ySpTNpRc|@{4mG*(MI@Wyr}(p26K~~R*YzW z1J3YUC?&VC($HsohK&08>iZ8=`odVCKK>aipTDN+Z^|*&=__{6D3Kp$Ea{zZ)Y-Me z3OyRmHLc-*Yy>ems_b&3SaR~N*#l)#+Sxspk=NchCDeFGS2m%A>MZM?xwiAISB#CC zFke#JI?ok=Jzw`8EbPqvrvZfyD+|QRzAu1W@q1aNwv*CPW|ljLbyGRKr5CQ9w>N8E z9gA(zb*-)TR0lcw!rugK3Gw7({KI}Gh2Q@|Fy5V%t*o;P4_=L_JUAP+Slu(WegabH zFfG92qq5OT^cx+37%S}-NmkWjD!1m1Yt7Ve`)~OToL&TKao#>Mbj&TB`IHKH;MU6@ zH=>o<8&0_{JDp3sE?BV_Rzzt09MqvjkgS4rxZI~%W<&p2c?x^X=R>rMrfo19hqgbm z%~$=T4Az9ux{`p9?j&&~7C z%TFPj{kS#bdi%1f&5K~?qakPQRkeF?VQNE(ke?`C#jI@_CEPOmJ3 zXQV2wnE9BY`q+Au7hq=RYdRfOO~fOmy32&9E&q`qYD@P+Ri!$HkhCb0asdwN3aT9K zf&GnbK&J0n_&44*Q54M|{AkAJOp=nVEEaYYGfPXTtVSE!M8_>Tz5aNV%_}XyreF`^bo5BWGA4PjO+T~Smj+*q6>kXJC*|!9% 
zM*hlHp^kYYytBr28utmxR_ty%1Z#(EVee$x|WhmXrc{cy3} z%U6t|mRvoT9$b;=U{=8YDt{J7jR6rpq_4Gv%?}-kz(_8khrT8ZjfZ}nB|hq7>m70i z_r8$E|4?1U_5m{Mo(am%rMaN`LENiT$8&pDGc%*QsBm(GuJmP_wmFT>bW=lW&@0=q zg!HkRZ2BJ4n;qZXB@1@`H8xQ^g14KtLMU5}&)`4{`!aH5k>*jo@R}DeL1LfDJrLW$ zLE#}9l%Pdti?tcO4Ry6Zm5&D89PV%CZF7D{vs0bx?q}HdR~?NOKUbc8n9{^mz*Ch_ zC8F|Qgn**a-erNTscFSRhmH#C%S2HtpJn8uEKvNC_st~${FrL*zxdh3x^azxUT5K! zIuhgH`+#@A1RrLUHrW?brD|W8@LCGHVoU@I*r3n6wK1to#HQZZ3pK?&hZ%C^vbg}j z>Z`}u_eI@MwiPMcXzL*zdG2FMmSOEuk>kw2UMA3$_Z$w0>X_Pb%d_SAWgCv1E{hh^ z=XmbQ<_7iMfAky+2zm$-s=q0VL_T*_C<|GA;EO?0z=e>6L#FBa3!>8%TGwcy74@CO zm=PhC)P>J!1>E=!y5O*MP_4T&QdLwln%4Q2Z-KK-&v)6_-=?Pa7~-2$Wk)$+a2QO% zAjx?{dn8M7ZpJP5il=riK-|LjM_EcGw?CZ2Pms{MR9B|-9V=RIt6qRL7?7fAIYut^Nwr`gez z;FjT~HLgO5m;@eYWm2h^=EB`u`t3*eNFldj)Gz(&8cv!n zZ&2D|EM8TwQZ=Oi%9^nRrx4O9Jsi4IqyMXaO1bF^ErSTx=)}n zFsS`u^Q|$k+3N@>z8sh^p+Pf;eBM8(Ybw*$X6G&S@uLVP(a2Y8=$#$-0IzW|Nyq$H z`YvxDoJul^FWroVoo#5M|85QMetF;Q-6;+xU|qszBoWk*KfxX&{xiQaJr6Y8lqjFN z;G)S?4Y8aG>Mg@ADJKFOb1%c>el3cswlXko@_V?Wx<=N$aZq60s*voo!>OcFCj9aR?@5s3vOCezuMlGhSfGhQLWy#EO)!JSi$$2P}^msHN)u9}RAU=hs z+~=hvs3S9~s!VIv$o?Ea%cFyBS7V6iEmzA6MWiYU1uiXhf2x5qw;SigSzNsh{su*l zgiA_-fGOpOLF+67z{D4^XZdt%s+v9ye02B$o@yTT_)}tXh9B9G`i}Iy=eiPFr&7V5W*(cQg2_19Um?(nE4p+pag0<xK%3Jb zU&bXe;w7uf$rakxtaQ6~3!94vI;c(-F**8Y;sH?jCLNA{e}C>}czfaa=eF#hR~~c| zVWgbERG%kph(!grw0H?^ zyU1D4>nqqe?Q@#w7FySKpae(Z@)!9y4@EJc$6lYQB8ryI{J2foRv$zI02|Hy1*EdA%ei$2 zl)3JzW${!ON&h`ePLSHgpJr8rIMqS{#aSBoFJ>?2BAV`@T1bTIB`;)IHFSkH-p@Wc zW*STIq_}{h)MH1QY`8zKWM;J)V4Ui)09c{qq)IA$Frox9=<$ZgzZ{WN5XTB{-@ z846}v*8H$1$44Be+=74*08BC%Xm<2`aTT0z*6v!&wIIIuDwSgLLN#lK4*+Y7f}t%v z{tBI4-GC$b(Y}jl@B2#Sp;T5B)e@mj${yGeMhp*z=JHop71Qr)c^=XDDtHQZg3MTU z%``d%0zzx(>U=$v*KGS7>7QjwXf<`Tp%dU|D|h1nlm*uUryPyE?C>7Tr*_%uH4{h z=axJbCxlFp>kj6^@H7~#-bmF4|H4;dz;&Om!uDHY5(AUs6?;88?yjVJWFm`JJl3T( zKT|0;>towSR1&Id&zug9G**WKED)#T=8qTE%Llcr6$SrT3F#~ra4|&EFwnFz-g`)s zXVAN*5MJlZqVV&Vkd1vONI5?=uU40NOSM|^=I=%zM&3}adu=<3QgvZyZl|00>ms{& 
zaLea$za&$sEvZ@+Nr)H8(r@SqJK5tqrqmg#{r*SFuAvTQm=cM2ut1|Pi&SGh9PtkpOavd`G? zP-kDKx&8xS&`#hLR3P7`9#bDsYujCRj8~JhK_w3{c2YRh_|8tLE`>0##_p$9T9w>t zr1C)BK|)Sq`SynkrW6CX%fta$3haCN>Z2@1RxeleE{L!Edg6Xs=7gnuh0MD56uDYL6oW)m4c3ccH?3ofnAciq zhWEYuWrC_YL(L;2MDYCzEDakKtS4K=Ga?|4z(dn_9-=l$87BgguEZPiu_(Siucfc(LG7EHA>{S7w}62Ov_`jQ5qO%c->cWzbe zFU1KH&;hl01*Oy#2P~t6x0ddpWOz2BxH|YockE2%|e&?`2M$x0&%qMw?#AG}LM+>SY+r2xmK0TJXrMZVSFTr=}lg-gkE&h=l#Wa{Y9e3dNNqe!-eGvMP`ny ze{f~UI2*^cVG_yTCo&h&4JR6oiseVtNhI( zUp8;4QO1NF@q23YD8K+&L1{=bRtEzoZe`y`2u<4(t@_$)KEO|dUwdHKk;x!&pjH+p zjd zK?*jKe22vXn!_B)JKP`5m9e|;_;b%3?{```j=(ChLfK^oUr6qT85AQagF9l!?CMqv zZn27``p5*<9-WuG%xb8C5iy)Ep7ZwQ4EDd;T_^uUZ!x=>cC?|I)*?`=eEpFtfOuO) zVizs8ByZi!6-HzRqMjrU7Vg?B#(Xd_oZYt+JC`LP^3|%@|P4gS^Z7 zfhjo2sM=5n{WQr6GOIo1kG}4Sk!flUo2;it!7l!lDX(PD+Fmd6QL1g|3r}wnklk*;remT|EWzbV(2l9~>&X7oa^r0070!^W)bEmpbF&T>F3QgLzu5g-Qy3=nmi& zF0(qP0zEH&dR&Yzdd{xRq)q=oNJ|RKM(_A`}DMUAQL~HBJ zI~&RVw4RWzRM!BR+sFG_vwT`L;7tFCx9aEt;`xP>+l~%q~^ILF|V=KT>?n%ynkwcgh63ka_^KJmDdR8S{|t@Gu@U zjs+j*@Uakj3bVhe^q$R>j-lzJ+r(6#&UZOZDv={}alihm@Dxc`Mm8LcSMj+DtNagK zXoO(%>*Mju;ULrTQ&=1*PJTaQ*Sz$~*3{^Z(U$J61Dl1M_&8?4XtV%Lkf5M`Y|gmF z!)#Xmv*kuhdS13og>m`LS&DaUGBqN*9r7`%`Gm$GQwXTk#*wj8#ZbG2Rb}x`(T_;m zpwi#=Z{;u+7n*=a@!CZ3bNAfNV0rtDk3g(SNO*rY?tAH-meuAKfu!l;1aXrwqpjro zZzdbFCnRVw+gXP7NLsL%fCtA`TTNZ5qbT~G=YyUe7bz|h+0#DL^Fp(zuAc=Ow-S)KcA`>_DpoQg<<>(Me%SZ zKA{&8S`8C9Q2XmugsX$xj$ZXI1l7WKgFdYa4EVR1j`C|1Wj1q&3Qn?J9P9F|FY`>e z6q1P3B|6)j=!Cc<_kL|%h1}#DE47-~+dvZq^hN5IM%qZ?XU)A;?sLYlz(B+b3`DRk zGYQUvJfy?;Bnm77Vxzi#Tj*?otStF>(YJij3AoCTKTmaDhi$kh4wEU9QAOK`+dS@A zs$;CrvmK-!uxl{5e=%yZa)OG+@S`s>?qWU-t*f2t9c<}o2xwvR3=pZm|3Z}Y5Yj3x zV#5ng^jw2sc2Of^=y;%vLLb?+R0WGd3aXJopGBuIdK;AN|JGy4wQNGq>Oc4`nzJ|2 zHFuN;MquiPNo52e5Q6i=VEGTqb@gz^CcG+Jx%;hS8pu8>7>g9@KvqYSFrWbN;8?~s zw=9U$QxJXeH#*`kK&jv4 zQ(@|baY1-{4ZoDM0b!`7=o0v^)iv>OMuc{dGGZtHH&;W|mAolGNi${fJC(d_z z-Tdr7_Gb_PgnD!II#AsaJrgr%QM#o={_kIOb|x-{^0^gj1}<#sScQ~{%%LYcwyB>r zTD%7H1}5?$K8!Kt@HMPxz;#@!BFmOLym>qG6Y??b|&WUvD{Tv 
zWq%;Zc#3}oTCz0LD{7~xr_F>n(U@^CFAR@h^Ji(|cG`wn=n@#RS78uK$U+Own8HlL z2eVkJXU6)kObSCdtOF6MzeI2QQsa_wuLJQaKgnQ-*X!HRZ3~CAl#nqfDfDhV1cvXj zx}+RJUw!6}h#Bqtd7o%IBuQu5_%bQZs>KSv{!Xr3neOr;@UG#@ZL<*R9k2W#$6;hb z|Fo<&T4Q*vub`L(MTnAMbuNJPLL3A}<_j}bV2;di%@TXlKBy?-j@p^axRW=Ey{~|r z#^O;HY^pfYu#0K4%w+yklq1{7!=ug^_@e7do#lK)bMa$$pp@&(0h;(t3`_to$(IxH zs!m<>Qh)Q{4=K@PyX>HB%DC2kYe;WShHe8HltKq#su+NfTEA-xl1juFlN}VgQA(kl z5u>+bq+>#wD#pT#lH>TM(^?(+9r+mUxrJigIPyS)3Cm@!{G|h45b|kWwLHCp8^o5P z6x_i;^NrP@dDbDf%V#XIctep>_AGU3fEF(euHs9}4t0~-;4x-fjU9q}scltzeYr%K zseZFNZ)zw}Bg zOG8ip!em0($y1{giuvsr4t}oSvwK(ZD^jvmYk7Kt!qRh;Wzbz@8zLHKzK!?nFB=s} zlkKHX_KRVm;`U7#(rIS?VRs_1;~>(uNaAFmZ5C#`VGn0 zO5_3L#I$i|sN(zOBSwr!XAr_iaRW?@<+|Ba8;#xr+Z^JmrtaXaL#Rx|im6{#U7q@$ z{%c=TKx4hEI zQYYsR(`jw5F$1MIPGgLbvvv~PTaf6YLi%pCR@hQ|rmon;K-RbY`j+5gEpFbTDj7w# za3o2oNcCiQX1$dYvu>*Cjlli}NFLv5DwrU)v>4kE;guU_R}pR>FTcpcf(Ao^6vMqx zG8D^}H*Oz%?XsT_`-FbHq>$u-PX_V|;QiB2mb ze7c&eZJiRD4IG!h2BUq{99Cyb))S(ZIL1hMkuI;DNt(ij-)bj?=NOi6&+|C`ldcN*9 zP6`%$ac(9v!iYs8%wiwbr|P8e#m7^=q!!iS^ga4fQC4-=fA*Tk8>%jSYt0tlEPQiw zktqIge(q%51v{02g+*@(_~p2L7NuHb!gw_`GxHeXyriBk*LS{979-#F^rOt1}Zs4%#r zmn6#D1$=jz;IkvNKNuyzTKHY45A1kQ(x0y)ts;lDXi@Mgb&wzU{98Eze{eP2a9Tr} zl*1PkzbL8ONG7S#e*zBwpc!&_Ki5*eAbDv?8q z{^)u!SHP%(g+<3HoIL?~yU$ z!s8~*6**)n9ONuIvR&}8i*ECiiK*fZf{cNC*oW8r`$x~H zSc$?JIt7MLZio)Tst8S>1BM~B7{*$a8bnF>ETM^#f@WQAS}Ql}u@V}QMEPGY>i|xI zQ^Q6FYU05{kxZ&W6D}I*){0>es_dv7d+DDWN>L)M&W>D2FlDWZi)(H(VC!Y)qD69 z)0!~%3{-wcs5FaQ3fJ`H6Mo9a|9zF~L9ngLIaLKy!9ciJbD}7z@ygFH?lzlH&`Lfq zT$i+|R3XG|ljxU)}42*s_kbE^a}X?n@O=U0%12bNR>6W~7tl)qWb zIm7%(;{=D7=?Iw%=NerC=x3=M8JLx-jTQI?P;Ye*N!HlVyJhP!gLu6^HZRwdz& zRNBl46Gu^}+D08hnm^nokzJ{XQuVx#uShO*?b|x8is@B=w~rMhjO1Oe08hb?!DngL z7dREIR_Y>F79r?U;x1?!3@TJIifB#J5O>5xVrs9B<@tv370+|zFn&L%=}5}Xk%@kE zkV@dI39wbhaG~!&A|idqSx*)r7XxeAY~OvepFi6y4)_US{MTX1cTTz}L|{=UYz zeF9487tW}2AW5s`nXo9ZXU5PC*aOpt*xEhZvIlA=QA%b&6|h1ikiI$k?Q%soj2t)ypF>$aCm(MYC_?QiFmL^Zr7T z+ogO4W`5IF1`P=?usLiL)|5L+h+fE+68}!lDUrg&jn1qkGTwjudCAO8s9?&%m}8)i 
z8BMsK9p=R2*45IA%`1W^!x?ELbwxAEF-bDNKGcDXAHc0)ruB6-6u{Ou4^%8hl*!#j z5SLjNDFn!FE__x};)>$zL{9x_qZsR~ukhl=-lqNoK=VX!LR5wM*G}qthESq22Q}@q zx^hFz5~_Qy#++QPPv-8J_Cedq*)MPDJirXk`;mNU=dK~*LN$3XALhvSq|bb)D@iDV z!%k;aGTg<@J*g|S?vRE;ClX?HQ;yJN=@U!q zAPgwoFTblV-OBZy<3YpFs5v6pr?U<2N6j62Z&U}mhM|WkQrHx)UHAMi2zS9;3(}&7P<3MxKJWmqfqYe&d5TW%0KYN9AQ5#K{nuog*>2R6_0& zVMQR#H4B)nP|DuKY~w&&_wrP7IFlVZnKcCM zwv48+Z1ZI{3fh;ZvUWsL<(l?2n$%6rE^)zCRh1um+?Igzy+=K(@^#<(j<~)oHZ!55 zE8Ui=q<&SKCF`LHdzgYBNcQxD_Pj6!zrwYqtKHR?``WkNn{QjrHq*s+&@xdv`4IjslZhe5kUw~$mQgTxH(y+q>#h`(^I7RAkK0LdQ`eBHn z%#9z3For5j3aic0KNeJ2IO|&$T{FXAjr1lxs>^OIe)^z`>(zB%HMvQ{%YRdEz@xFm zGmAk-Uh*bEVURNr!Z_Fw3I#H=C8`I(y1)|)(!dytdNxQxasELhi^|aDjJ)yHHOx0W zv9*Z|hZbw2JH5i6J&(g+Xu=9_hFtYQY}A-|w3~t5&GJLCW$~%2MZEoUqQNvDDRz-KSxj?8&J=XZqd2R9098_@Hzl@fg|ua{lj*Lgo;ZW4^1ML#WV%n*6^5VddiQ%K6V z^A8W6|8@1+?J&X?y-$IXlyO}_Jr6(-Q}pz@{c~fnsx|UVV2z!JW7L`H2IrWk4{JsZ zkEk04TUn9W)*gMvuBe?s{K_O|xlE2H7Vi4dvosBveuA~!&oVU9ydbyR$%}LA+dq$sqhTR zIooe!2D--S#suj*{bn?}BGU+=vU2N#bQlKazXrv2KWEUfOE73+l@WBG*Hd6^wBYLa z=~iV%m}!NX5!;SYE%EWYR7ZTgOJS&VU>h(5J|s(Md(=2`gB46t8E5ehz-zPg4dB1| zZ3+)Mlc~kO3Wf;E6>$uo|}%nGaHueG|Avn?$t8zLSE5@N1xK2^fh+Hm>J_X&7<|M{-&tIl(_y{s57s^`s6sz!@{{g)m5GZ zne|EGOuO(l&5} zSsdSj5enHOUG8Jj;68dfB=D#c$e3H!cWOB9>K90Ps9d@`aQSna6sZ}Nce`tOykkIa zfyvIxEx&9m%fa3%FEV@mV11}IiOb2Z5OB`#(U?ctRD}VyyZDmHY0w9RATVRbcM!O&K2DmX1iCU8taocC*@%Vsg;d#8Orbam=uTSN!t`s70IPV!Xox| z>?pqYn8xUnUcC9k9SKv_`5`I;8ol5zf*%}(^3DBu@qQ?Cb0~+zFI1pkZ)_0EdES8O zvvnsfCqunf^&h1Gw&Rwc!_gO%3zs2wttKoX?aI zaBj6&j~R9`afNb=Y|0cssG7PHN5^5SoNF~AhEZi(m<%;m4kecmhNM5T;OeC#v>E^( zqwRhV825omrAIV^52bhw{!-yCxEP%Tx7_LLrF)pUZBbb&1y9~B88w`Q6}{-+|JUtO zjSl06Qk1~`pcq4Yait%?;W88%%egczfoSouxi_ZuHrc*uzGU~*K~ghHq^M9dPTU- zu8+*O4*z;TOC&QxZCHvX9Qdpqx7##EQ3|cLXv>b$d|B~V2d0)&teT2|f*ZEyyJ<(k zaV<=1&;^6)t^Z=mn3cNwT8F#N#L9@?1KBF%K#tbZbxc-WTRt?!PZS^6r+9RdAa+#( zKP7pEcy{vxhNM@LwrmeuID;IK>Xz7VsRFYCRHlD#^qo6wn1g-mn6yhtq($SCM)d)uRJ+W zj4)6f#lk#~-s6&j!8iSih~Sg3Lk z#ne28L=ykz1rIk8uCuLb$0#<=NS|^EMxPhVQ~z4_CbFQp>_dXyIHQE_02=`__0w 
zK%q?alwL8ypt-_19je29y-kI}-cslm0Xciot7q9{3UcJi`Hznv1bBlD%IVOjj?>Yy}w`S)Rt zl7Jh1V<{*77w%W3*kvZ)gjmKs1upL}W_2jpAgqrj;;Q)9MBO45!n^zkR20YrjD7-k zwOOURqvGRokW+3kP_z=Nm(hgcu*iXk+!woS1`>mFDny+N;;6@8Pkr#;t+B}Bm}6gF zooxI8rHk3k$rgpyE?wFI9@WxnNVC1%^~w@J+fqsZt&P$*GtiVfGOp1lDI|kxvH%^K zYB#K7nCm+NmO&K;a|^i&EGBbdZHNN!2Q*_W56ef`+^+xyn({9!jsnxShI;muxsj;i zdd?B2ESe?9DeFO#pD306yJ1Jf>jWf(XfXI|EEcGF>LUE-WN8oxY2~-REQwvDWptN| zUt!HiA&gW28P-qL=7TgGsVw3qv9#Uc4C-3sL{|W@A210?UtDgszIuZhDC_f7&YH+f9v`v`}Oq7ro)Q;27~{ByS*b%}SDmR26xjnMVND9h1Bx z=6&uMb1ze^9gU8N@^SYgu~@QtdWcvS}JibcEDN|ee{I&An@3399gOSbsKwv)h%Upi(XgE1>UO{3K{frl*A z@nf2i*$TKnKoce{a8T$j5quQMM-@FeY*=Nx(I?N|5m^{l6YKI(mn{J4N#}dV?~jz3 z&|MBygz^9xX|htfVkZ+{VMlB9+ML-E?pHc!l(gonbWdnq+K$E zn;p(^qJ=@YI#wl?+tH6ZQe8_UvGqD{=37@HDbWbJTP+OvN2A~{?+NA^=QtnXhVD^3 zda0O?3U9(aq3>-Vt@g7(<5>pbJWk4V)jcl)w?>?xEWyhd^Mt=^LO3{Oo3zEUoG}QT zD9P-mBW<8-IAY~K&9g?XTgTtl0%qS;(~T*W6n6|vk-F837wh6EQqb1ZeT%F^tgPS^6-0_bhb0bB?)kFFyw~xL(SI?sk91SRg3T#OLzpsCLbxaPiwte(Gi$1)-;q_ zD2rQ~#uW^>@al-$RO)91S}#aLqSSa$KMZW#|JsWCL=W1}<@gy^Lj$Z>PLNrHO8Rhy zE+Peov5YDrSCh6bWU4LDkt|d?8^o4f>wpZB!=s$LuHHP0g**CO$liq-*IMUzD4&uR zP3brocKmCCW>;PiaRj=WFMrfqOtynRZ1wB%X$P(nP5#g9@~^wo1qM0yoB{j;)+COs4kOe3GaHRz=d3c5jHGvFyFtn|WYt=H~oZ9Up9 zIwW#ePWB&qxEnr_3sqtIDj3;{_%B(Zqmiz>toTLrdTebiq7uEWyhflAFRyS1m^z&A z4$yuh73w*i&yEr!+rwh7*DuMhK>vc9DE&+fEb8Ks@2Uvyx$qq6_a{{~Ew)w_74ZAM z$sDTls2M)A?Ie1e>pZ-7yzuJhhw)=`v-P@B)NP}^6PHv8iiYYR67u+{#zvA;Nlf^M zE_Z)?@PCR`*?iS`KLbI~M)$o&@NlhC5-b2|vVfN|Xhbg|jWuea&M0I4co`~5P-4^1 z*=i9<1^X$~y6Up#okVMfbvh}0o_^>*Cl`kI{h}0tK0kH2zAwAxdeGP;|I4L~;^PAY zAACdqL$sLw_nZN*KM5}&%eGE?WIW>CHp6vt1Z4S%2Vt~ewR%Xj5Ri|M!5>n#P@IK6 z$i6Aso}nN-YnaSeuBZV37RYAC=I!G9j)_e}t#DIo3Q?*aP*u*{$N>;0lZkvFN_{6ukd-QO;mNb^6t^ZE z4j)h#fJUO; zXh#WmN8sS@U6Xn}y$K(+$^3`c|Au}{%*|&*LLDQ2 z5ugV%$+Q;Y1>Wxs{9`Tb*mqk;_E*vi_TS-A!qVzP*DSQBv5i@)<02`hQsErC?YsP% zG#L^(k{17bBVgA%&5A?FqpsBZy(U#5=k{g<%=TZ0_}?WS-smyOYTe}m`u=4x!jqZA zcWWuL`zU1XHE&8AYJM+oW09JZ-hvdeA&$lrIVwxf1OkqXOj|z1v^e2lZW?HDcuRLd 
zKCPAGT3gzXrAY%+H5coz0>$Uo?b4zm?a=n#1Pl;F;ZvXwpcM1On^k>-3vt!{9U1?xt^9AK73uMPf2x^(l!>!v zxf>Z7k@P))TmDN*LDqm2-LdI#QPZEH5B!!Cg|61)+bY;6F5f_MO~g;HE-;dzhGGe#WD*kkI*7&Rw76}inDRdk|GkbNZ~C3DPzJQO3$?m`6@oBvpgUbB zsjn!gNiqQ=a1@LJ!aN-kF9ZlP8fbZ|G>{OI5%8g_e_HdPm@VPq(eMmH@kB|*04xEN zOl%Z<{5-Hz`f|fq|5Mk$R~4L>*Vhx{_U8*Y?<4n5C<$U}=5*pv9yMG)PiR6zrNCe@ z24yzdygBVo-I2gkF;=Afjfr?wfkcB2M8ty-10sp}Z^PIPg!d_ihv~)qz#BlZ ztV~BA7=(gb62n6of`S~}N5;UZTVOgUaV7o#NI>w?{da-h0R|(W5gt5b^d=5e zr84ifh-xDvoLqkthk^p`jl@YBxFVAC6i5LF!EBPcxrx}m^M8!U-) zpI>C<$PjS!Uu==Vjg`)T&zc~J$603f@EAHA5PEbSTLL?0bYPgn7cyThuofvguxbo? zaKhOKy8lQ#)SaCry4tjBsN^&X)QAz_BzIH(4h<>Gz6V^stopy`G&i%x4Hn}Z{5Lhp zdIgJ-P1%*SRmxWTMs0~`z(5eHN-u2pcmAw8XT*kpN_qi80x%#AK81dCFkH9}?xPTg z-FAFag$Tu)8tt!u`yBea3cry)x_UBsM43oXA7^LZE}*8k!s#VxZBvn6%w`H^$#+3R zrBU|36TY4Bq!66|#={(%-HnQ5L?2ngBp2Zw<$i*gy~uO=&=TT+$s1 zZ}VKx@9%$XKo1Um_wI%fAIvldcQOE#b3cL1qOKMq&16V@9ug-fC(Bs0rNreE)fvW9 z)RBO|qAFKaijN|tYav2Z9|$K0ht!oUOYi?WeMh1u+JB!&$x9)Mfvn*hSaMyMbPAO+ zbfs<$fgckkGAV5H6#PS+csH#eOBUSE&JQqNxc5>ivF|SQ5;JF97L|xY?BPiz&%LPPLK6ICzqNfEy=c?3cY!MK~^LoIQtYPO9 z7Jz>zuxP8_%;36Y*@PqnqdVyWx?l1cx&D zZ>k~PutoTE5`*XsyzUTW1)rrPB=J1GaKYe4k*rC-7E>6BD>16J;ESf}TuIJavTwmkO#66H$Wh;Yt3 zv}jvHgTM~0=o{uc)z=5$(1#U%;@vQ9M*FRWU7xfaPUw`89b<*`$xJ@rK*s&7tT8CC z$t)US-kup41bWAe^AH`(xrSKkm@RU~8}y#WLWqDraQchIqcVucVa5=LHnzj)-7d1* z3^{Glu_VAxLVAvdI>kyf<@>z|$vli_=xS%EzR*X=lzlXiBwywb6AnL|Kb+qOKcy3_ z)uy0wRUiM=+QEhGwU=0DM{Ssycinlu(x~U1{@MPDMd&@l$$N*e=X#GdyN_w(KF70$ z8Fk}&nAe{0!0*DFHqfB=^09fSPpj7F5ua%wW2oBr;pOSqB|GDv9oYmA_@2`tQTG#E zk@uxt{$ zrX@@JrsLRk#EEOD&T+0 zRk=>cPm(X}g>;8%RtQS08DH^!WqUqUKjQZI3|N<`Pjf>3cC*p9^|0MP5RWAsD?>sM z-zrT2-<(6Kr=e^5n=pPDK0b!j%lu)c&)!?lA}Wsz0&tCz>GB16aMZU2j>+&qBh0PqAr!fpjaP~KoAKSTiQO~vLFc0TAUU_~T<;+F zJ+spPtx5jzEJ($FyH)hHT*d!N^lfOzFafEu(hgVnzWwfTO7OhxwZ*`x_iVwl_u^Hj z_lP;(sZSX)0+qPyLj!*IhMrJ$(0_Ys176QN&%2&$1bZnfTn}gZHXoYfiTS^pkEzQ4 zZYPOPoP{=e7;#b*m%g8hK;@c*K3Tg&OKkQ zqm8~EwLjmB8Wjt0zx1cpc6>~C?bovt|2^W1&znmY&=;c4TZ=(e 
z{%5`Kt!T!7gLLsT|8KS9oS9x!@zA2C9{Mb?-d*$uFQNj~0ZezNk9fhUVQa)P&|Ne} ze4lW57~$vPfxThUU%`o2x54!a&5j7I_^V+p9kvR&j%Jo$j|{`P~5-*u>n%NmiWWgO`@%#pnZmyH$k!tBP_ z3%7SHr-z~U#YD=8e}wrb@D0f$L3}gv7;*@>%VlZ1EI6s{yi5D;$Va){ea)={`S6na zVw~;d@NlyEu+N#K(_a{+z}neA_7hF$a&n}TNpRpFE5BQH?B42+{>T2|sbK?M?=MvL z{}%%g5mhX?Py>mCeRfx6?>cpV<;YP$ z7&IVoP;;?Z-S`q>dOOqjm9-t$3Q=rJlquEcJ1kbTdael{J<)NW?$16M+IWp5*oBkH zv^;2}_{0K2A|6#j{t~2uHSxr}Bk_OhclMWD{I-i`!^tU_O2%`x1z}s)+y>S^oVqUz z*YA>&^dzRPr|0So?KAY&yVrE*lx!TU&s8zcrraLnr5UT&AN-$; z?*i-BxBkDm?JazDBJWkxQ?*|o74Av-F4K5>`ULvBE?=yswgH#%qW2dNFBiSnQ}pMc zp7%#luaC(f=5sc_EPqU84X|-=xtv7{xcmt8q|c)f_Mkgai%o-#hj7UVRORWbwby6X z4?CfhL2cE-{>SrV;yzYu#or<%KfYOtJ`(=*l#*1y?QrYk7jP$UGwNIG7Y`N?7ycux zt76Yu;LXwT@PBeg6f`rWgS%zXpMP@hZ7~SUGZbKZ`f~kYd*F3mquYva0k<2z{j2|v ztTzFN>V5x!3E2{|Cwq}Sgb*W35~Xa}$C52OAq*qgO0q=A7DCzgosnHa$i8I@+1Hsd zW9EIP`u^VQ{lDjO#U17{u|op!>!l`|37Rf`9t;M|GQvtBr*tkLMs!%DL-QFd zF5xdZvuB3;AxDd&kgZ(Imv@HBVD#6V| z(RWpOn+cg^d3S-U5fx8;p6g_BtJWMOIBC}>z6+2(k(jyc9`Ei76plKTNwLQ_ZsgVpBEqMts*s+xQ@*<1Hz6}f1 zb9pyQd@g8OWBG~-a;;%ICdwHUUrai`(njlvx4NIdXFFSBV+ z3h&A%KOU^NCEzl15;lmBf(Gs^v`66kqh-4nj!hnHc#JUrB805PT=9m5UyyUNn_%M1 z9WOliNk|zH@WXDEof9y+*h={RQUonm1Bh*Nu*qrs@9jp{dUThmYm3DF%lb3^LDdOO zgp2G~mrmF0u5Qocf7LdhwvWSphCxnL5guD^5IlL1gYLJV&9?rUMTO^y2oNKY1+mSJ zoc9G5vcRMwTDE%LCpfOM)*6|aHK4+hLW67-QnDx?+1gv z<-q}xiOM*o-EP?!&{UEnu{ey^ng=$W^*o3khb`M=ITPmm$}jdukH&FB)M9frH<8$t zS!mN~4W#}k>Q+TFfEPtre1R}D;44zv>}0qPkJ#~dEBjR@J@qcUn(;SIkGN?i+N}f5x@d<$A88nk!xh)WK(3;@lk03Nj%1%1|QI*&ut2F^^yUy}2zdl=7! 
ze!dfcF`Z{DG%xW#5;g?m1YABsZ5u$95d@~!`0jAmM+w)xqJzx95qo@(?osxtlI%7Q z{xBauDJnaUf}akpzW0BXYR6$r8N>I_wHAh2Ax%Hqx*I7d=i?#+b&1xRh?hM=CfMad zLuW{WEv*+uSx7POW;i%+nJygClAgI!U&-F(_dfVJYwJk{omzxK>p45jm^wo^tJOyE zTODz8@%(|p{d>v zwc8uPsf2EQA;9@;cliZvI&AmLTiToM`_IXBl(0R$AWqsk(zy!yIqzk~1T~4a5+GgI zJ{k$;-j*SD9EX9YW=x6XA11v^l5e+BZ$CNdVxQlaA;Pa9utz>}t^`*h#zu(Gah};a z$W1brh`J3jhZ}Y#6N`}w^84zII9Nx`y*fIgX*6yYr4d*FX{8R=;3OWnzOrZVxwQWG zDtp6g{0aua)e23I_m~ZsKRQnY9BbYw0h>1%hT(r|xQa^A$GU|sQ|sFI z-ETMoo3sR?;TxPnPh16i$nW%9tAvbe+s<0?8fvoAhqGQ_wz6ifIZIW}aBu07QQ2pG zrhH4phy5V8AaARA-=ne27K7m-zU~+<#R~65BRTo<3L}eM+5`K{Or&JsVvnJpb(E~E ztrw^>?eFplAdZTc=259RP9bxdOV|yM&OBYOxn3TjP~>}#8iQqk zpml0Q&jo`i{;4?{etUN`UfX3 z5a1&M{2^eZ68}*k+U)5VLrL<3383p(W%9WC!^Q@?cpWOtL6G}?eP-*tmOq$vYk7mX zA#)^dym9B$jgSo@O3}*sh}VStM_}n<;4)kAuPt4sg}MHO1dDIMOx0ueR&jLZeb6UuBy8X z=#ei#dFi)`CqGIkQI}xRP-Sxxhn??!{RXA!i!bdkoyXSQ}7OR3zg{ zgqC?=aO3IS^lAp$xbr#m#%e?lEnC%OeXo^|-YY9Be?oCV)wyTNtn9gj<=NM*kw>MJ zOX3oo6#oNp7C>fmhVWAY8v+O%{WhuT5AfX(s#;_)@7IQ%mKUKn3aN;WZ`0;K`|vY`SEhq* zqda@xe&MyG50%YR&8n3CnDEB(eMb4ivP%l*KOp>lS~eQHqIB55iD%*wyO1W!!^2r> zVd_A7-o%F``gs-Kz6Osy7nnBrHfS~2@Tl!(O~ETEVYfdD8_+ad6z^ge>|M|9Htk@b z1D0ciCk1zo;c9t?0YP^!AKFCIswI|cU{-qpmC`A0hAtqWv9IGT+eeQOf}6tx)*$cx z!DbL{+O(s%Ll8jbkLI9Tb<|6vrAFrFQ5+IMD}7KZrCWnHE>7i2Q3nKQJ@Dp`fBM}& z9lP5dbgC|1fBmXMQR-mu(NVNGt{YJYtQ>?#28}o5zMj=K()I*hk=qaLLlw_6C{U$X z#OEs=eO^F+%NS8emvA**1~~!N-8k>NjXNDHTRd`u9i#}G{}&=b!SHPYBeS7_6(5Wp zRY2z2S|W9G=^p%v~qoyd(_84HGDDSM6i?q5!^^ zFzOftvXNkce8`a|QR%Z4rvb|oiEVUWBRfy@TM+`%0#X!m2ePBeb&6WIM*?2BPQbMQ z%?}^1`E4NZXM$;imTmHV7}NxC*g@POjT_9X5$#-@iEf?`$djC6_QkE@Vaq)W!ca`Z z1XuTEqs$xv7afyr#sTmh2x1$qBR@#Isrgqs7XbY-T_Rg{ouN{9rLspJ_K-vNowi1< z&|v>W>p4>bxm$%`-OD_3X z=I}|#wQlcSV&Z6b(???IM~u63Qn{v|67NRvEY3brdHI}`Ue!4?x~vA$={NRtkk@2l z;w^W_ZMCRt6TviWm{CFW5NvmiFXj>?=&4p#ZOew>;0+{~+0$(=aXCzOrWtOVD+96$ zC~RP1A$uVv;|+QisaS@Ff_lPFzV0`i3VzEyFI6LA04Lu3`Nf8umNQ`aXSoKa-0?1- z23HVjt(}(3Z*3u`Tjw>V9bG+gaNj<)Wv(FQs+pxqZ_sgmY5Wq)WLxT?>BrpssV 
z=X1EWwJwl`a&?!It_1L&<2~Ziq?Z76Z;PQqBuzd!EV$_pfex@mT z{celoi!(-3@vuYH@ux|o%1`_I6H8B4JwiZ`pj*U#kHKCICMetKUnE-o({5_=>;eOq z2vRZ#{#%`&k`SA=9Peh*u|!w3C(rPUsxqmSL} z6Kez|s2T%ZqmF`C;7@X6?oskh1Sr$H?tg01y1_w8E*WjXeFiK26*FJ61%kQJ{)Y z3g6@-C?e{EIPzoWZ-kNrpl9R$Z*HU~*mqP8z>imP%kzlenfTX7jAbC-j}>t*>0J=1mZwTepQWTO3cqSQH1hoe@7Zf-D0APcw0cQJd>8d|Orn-C9nP2;?y6 zbcxFx3WYpf`wmhA8e9f)99{=_!+!!sK75}m!f*mU=U09ZX1v?0gFW7=ooxV7V#^KZ zZ)1Ze2sCeen~_YVu>K>k-5KBwOV3G=VQpsUsd4E;ej*Fc$rS>^f&`$o#QnFu02n{) z#G_c!mM0JBK?LckOT@-so25SR$Gr@GW{g-JYc2n5B) zJN?z61W_dt`5q~}0~-eqOHZ4IX~7)KtYZG+FT*i1OYt*?J$f0AvmL#Sb66EQClsjKYBeiFB2eB zLIj$_jmgdeB@qxz2xbs!)eiL<9fYh1>YTD5PUhU}Z_~ZBX<9PhF}JWl|2P^qR&OU@ zLW0HKm@I%?SQJWt5}Ny~fDpsCb#SK|N+|Iyi3ox)L!h~iexHl;QJv#ZAZEr9Y(g+w z&DnI+cMS;c1>{hbAYs~%n3^V}l@10<2`aBp(BGpZYo}(<_g1 zdAT_tMZPbzU=M)QgKUhOo5yFwz;>YoUDCPG+LL(U9X+|Fsq zJr{59enTO~qZ$ZC#~$_?j+Mm?`XZK+wt@o>rsp^jRD8mI-?dQ#s=B&=8yepyr)J`# z=ds1}sQ!8XChGmIFokVwUwTkQQ`3GoeBa2q(Dzo8p$fm*=}JkX16Oy>qUNNqKLko@q9wLl*l~L6QaHx5C9GPNsULO&uXAbam(VBMUYD(;32sQd2W-SMB!jgFnN4`6k-3n&j*3Ht`@G z1;ZvWEoFqlPnaeh<8Nees1$cSYa|6)kCSf0E#%?4NJtE|FU==~Ukfo&MvYXxI$_d& zQ?I5(4%-159KGuGmE4O}OcTPF$Pj7l82dcIzshg%j^Dn6jz@--larKQ+vYj>SJtq# zpY3W@6%94PoqBoBgaOQX1;j}C%e3$RS6I`zp)J3@06p`;y{)`i*%Biolg^~k4W;4G#STNTAc{|sd5G^*n)*bUjER#f zXkuYP>%v{F=5?Wl?^wuRv=kTUzKSHecFR@IkA1C>WUBrPLk>*4vmF4j?w+-+Um z)dpV1-wCm{lh~OV@Reb{F<*^e&rc>aj-(q$H~$+^{B{LiZ;Aa6Bkt-`vZ{lR%?gf-+yqeiq1FHvBLfD zE%NddJN@TQmF=nO6a7&=E2N=M*ug&acG%*`*hW1@Irf?c3V0HExp%VQc8t_#OW))U z%%|NNCJK1q%fI)~asUcsOvC#bf2-ctnBI6)l<@Re+!oSBzF|v0qKowMoopiRnAIxa z;kF`DvyORj)oR0~jm_Ms`@OpiqnH=U=@t{V@UQIzNaN$PRZQmoG>2WdP@|f(qg`&u zWLU`kBeI=zw58|=f1(rv_cfxXdCJn)-1#qK>89uQZn-DL8@?Rfq5s!_KA>(gCWZW_-5GV9;Cn+R<@^F(7Mo%ov+MLERy#p$vp4UKS%$ko9f=*VISsQm;PtHCU?*#muRgl)c+zj zhS$50%CqDO>4OE%*qcpWK@ys+A0sJ9G31XC`W>XPUyH_6;uIWIUQzb!Kjkp~`(STr z9rtwpwtWy;x-B>u8<6fKgN8Sg79r<43JEp(hxdsn6Qonhy6Epl-Z3tuD$V0oUQtuw z_Q+!*V&%Q8En;~(q09X@0{{2#!ZgK&ElWDekVjhd#K~zw&tZ|#EPh4Y;Qbv$>JPSq zBV#=W_>1b*U<-oEi#sSHqHA%nx};Y>j7QwWMWrI-% 
z9EQc;dwnQ_oAMb2AC~=MRJluGs6+oI5j4!+NhUpOT`YQa@N%Er4$n^3_}fmUip__` zE`OgiC+h$00>8mP7f`_`^O?d;h$Y4QS5(tOHKiUV!K)W|gSo+mjLM;t@^g^ zPEpzN1$PRH{YJ*yrFehnJwse6jM7PJkAW5$@!UB2{xEy#GAhe-XN}hPj_SKya zGafO{m$)eZdEtGPe+e77Pukhg&6nrsxy@!4(jU;hHCl=kx^`8dDMXd*jmV%Ev1Ze=h{$*e+K|E&7Qgyy>)PataSGPm#2{OW#p{=aGa@B2Jw z*^{%b+eDO?&9pCC*9${>l*Yt``;!c>>}Vo%nt8&#)&_em&o^`0%Ei9a<)$y3v*Zi6 zdd+yH+zM<&P-f?1V|7>J_G{*xm&Q+fZ%2(? z3pY0HBt6H#e(i-Zr4&13$a2Pih0lN2>^+AxqUZIvyEI68a1DGIYdJ9U57mslYal_7j#IV1&gOECn%(L-t2MusRZWY~9o9BFyXT|Eq%>q-6eH;_n{T}P z@3a4W2jwnlJEBcuI!_#b51nAFR3gQP-)HIQDPF29f8&LCv^At~%UnLgTo_Mxt!Vp} zb7bVTNm%++n~(rqcJBYL;amP$Gsy#lRRZal9~m!{iPxHmZB&5H6Pa=$7^)RE!2Pxa+eE-L# zD5>_}T{v@Azr7%YR2$c!0lRzo{;f1IzVWGslHjt@z(}cROQ-7#Zf8N>{mIB?UCk}_ zz?$#ha+d#@N`N7R>)wX{8Ren^<$hoO&hw%sIFZ=t!rPyR_3AP$Bd^l?bg>(d20%Y! zl!l@IO_x9MiSW;vG$r0M(rx@82rGt3C%6Y)Rg+6f!->)6BP>~%#fUvpv>LYl&z)y^ z>Me|3Nc0Rzi=uQ>e)w6)nk;xlQT6qSE(ala;ZSjQyx|n)K6&uL4 z`<1#vHqnGez2g5~C!VJPUggv0KuT}LyXsQ;t1$Z&QQ^;?1?lsbE@{_I-=6h~{Ha&+ zTJTPY0oiaMVL<^Ne!Q)yRB$rGfq1HxcjYPmwkszFb>NgVA?9Z^F*4Q0jkTL+!Oc>@)r8($xJdQqi*xRly9r zhG$66EKAmZ`{o}6huIq%j+sf;({pDcqZYrt-#IDSF|$q=7)1IJ5e`f3VP1-sv5(JH znJ(8lQVd@ZJELvOAJfDG>%9_ zLjF7K+ZWF1(jP9ElO1-1P7W9zE5nxy}oe?Enr zXZb8mR*#M3ZEo00CTH!6U8Wezom)`0dscR%0rDHvx}TbB18PGZtRm+;QyU8T?hyYy z`I;RY(vP)`6sIm4$VR8FQnpKT4dd_UfKiBqtq3&noHq}=H$UI9%~`ScxybmrGTGnL zT3J6z@5ZY0!ssdaMNhs9gb(?aMj*9|xATmT(Xo2;Z)0<>8#`cbRz0N@U1%HMY=4xe za#r~J4$0rsEuC$SyZHUzUb$>_>GqHO@H|=3kU%u!H<3@Z%6Ucb1r9;H;gJ=!%rWZw z4%NRq4K9C0a{UU;jtDPL=wvF_Lg9PO8TQRJ8XZ=l2WufLEhKANRR5ld8GYh^=u$pp z>Jb9#4s%s5Q$CxTVkCXG2=Pqhvj!$@K3W<>h|gSlM&akftxx z@1!qBM#sDlpw@ZjWOY&@oa}vzO4O-MHgJcvIMwlc|CN8|Txc>=!%2{+)~LEc zb@y*ygmEZ_)^dkg?%>Xg_NnaMUvfe7w6km$+CRVcKU4iky>2zJ@ntTAK6~)iJnMq6 z^R15#w0(hGAA4T0RLD8HdFer8L&$o0Oh#YLoukfjNWIl2wUGGeoCdDW+I&JssmzvZ zbJP_&UuG3q`Og~4DAKq#HMN3W@P_P`r3+H*cON~|VQhPJeuOX7^1`cHc`|CK38|BU zLKC^|aj2o$+b~O>9%OBh`PBy=UUKR8^GD>S3U>=i2nXku!6Eo*ps%m6v~--SK1H}` 
z)FRgOfuCRff+7`o6+w34Mc$?z!YEubECb-JF!{a-9#@KH^jAvT;Yd98YBvG%g!W;Nl7gJtzLtQNr{QlYv>4b7ndz^E|~k_ z+QY`#`)Y=T-st_6zIUSRUFtG2GOp7#(UHfSlMK$UN7hBIUggeCf(D^?7uxIV>(!p3 zb{7&75*AFl9#qxTOgYzpKJ;62#U&*z;KqBCMnD%(<)rfopJCwalcXYgFmlfmXwKn>tZ!o&z*&D;F6iuhZ6N**74K^WuB{|jiT!KgcZS%$jj@j(KW0I%3JQL%ub*_Sjffm- zLe2%qq>4fyKyk6^dd;?P>Fn%$<3LtcmP-kSvbzmG+t5b*xwO>H%}qy3t5GhA{c1$} zLn9;9n5o;=bnT#Z`RilPv$w7zKM#8 zy12OHG}G0IN>ui(c-EU07Z)#eMWGyRqs+%Y{P41)7^> zvO_8q%tcZ6P>UD$Yd&O!c|*`29eYZ9xs65MQL~6S`0Av~C#IyNq^ARIv4l(Nq87Ds zkX5Bgv1yI-5PSIF7^Fl8dB>3LkutSf$r3(vZV8RY^s9A1+eXEyrW z+*}SN*bU%rX;)v4tfwgk$k3bDxi923*N~Vj1nV0ZFflW4&(!O2<+IlJg?%n5x!?E{ zxXcZzYV7C%0ns|lGcc=k2KQku1k!9^U;x}iQE?VuyC^6qsNl1C=k8r0F|oM@?~OMc z3gJQZKYr-*7JT~j9S-?%T}H-GU*D*BOdu1cYuf%@Tt3@%pUN$rMeX)`PcJW>jGJ;( zPHbh(0mut+3#!SnvF?3&0yFYE3Pk7BwY0SC?d{dnIuwyJ3=9lXU{XxSWM5^D>a;Eg z&;Pl+yu7fmFgMqBf4TQXazSBX-n&P#P{$<8ALWPTHualc}z4rNo%r7RU zbo@j4Mz@XT?lh^iG+eN?#mmy4X5tT4pWnNsrUu1K@$w1@on%g>LD)J(7ChwBiI-S# z-PL?x^&JfjO>b}SzUjN5kFdzdLqr5^9=PGMve-!63KVz6=-d@?aUDB@B8z5|RIl%k zwC~>iIyhMR=@UhAg~g*s8fsw9PA&6TkPdIXzQ%Yf!Br-^gB8_3JMB>yN^0=6c!X*U|?`^assxqAIwNkNvU_6SK{@QPxt%? 
z!n3GoBCV~RotR10r}?wQl47x$nOuw18J*U~wXPiWfxBPG_j?|c+-Xtd@PtQv0m1j4 zny_KfHM2YH9}rJ1EarxDwWOq^*xA{E$ADucS&a*QDhh_Wu~;Ccuk@>~jg5_g!6<2_ zd&V29uzlBSCgiWav&6eqz2*WF^sCp3KnI>I?)S!qtn19DW_mCK&FejLt@c!5<7eUr z@3dsScem&QF-kp(Im}2DZBiH-Bz~UrW}WBCU9?2(0r2Z12={+hj6NH$zqonRP3?|=H$2*FPir&-KK3CTi%`VH&&(C@D*|oG)Y9c9)s5R}$H8 zhPJ&@x_oO+h2^rooo>}4h9+)7B*pC@wNGGLLqDitpFq z`bbz<7#fW}SRKq%@GZe*6`R&x7H!{2;lH_D-@5>8v zFHg@yjZ5b>TwPs*f`U-&79z}1KHkwH945NDywG<+;*4Bend#}GgLidwk`VV}Vq$iD zSFT*SvY-Cs$&;y;zyNTfrshlMjBMFD-+tx7=J%PIrGrtFtF{TV!utmY@cp-$9i5%h z($ZUV&5hO725>`1$Il|07o9J-a2Ad>c&!f9d#%>g)^aKOUl$P2z?|o510m~GRMdEh zxznfKMe(#mV7_0=%Qr5)+1zwC=0Zk^x2)C1yI$i7>e58A9pI}I zU042iV(Q?9#o6P9>C>!-$wr}#7!_f=h2osgF6V}Lxg;L~W}&t%7T2uY)UDaqw%a9g zw&`eT;25M?14F|TcxA<;v%0!^s;t{P-;v?r#ib=`YHBcrh2TRPQs0EOSBCsg0pht%3{Wf;e0U<(7`u!IxjZUTjYZpW=)U zD($NvanOyISd&3Zi>lPCYM&9SnQ#lZ?@+cn<5fx(hWiKlj=z6=ZueC0kH4bTgA6p# z)6-K`i%~o_LgY_x9n-MOoWs~*s-4Dv7YgO&=JuBQfLO_Kn3gKz;(6mz_&!(rvn+tu z1{d5JL59yhr>Ut4APdi|D@Xr_d1;aq<1&w>u3x|GPWQejDx7ZQka1VV_?wuRcz8(A zgXv+)8K+~`r#l2S-(IKaw=UnDD9-^{5hQijS{7#Jyu7@3@7`TJCJ(E>&^T+Mum2eJ z<Fg%kt<{d?Z=^N|~n#EL}7VS2QFB;Uh zLu#FKzuD0JFzt#DWRiSIlc^-rMc<@%wPN+t4mT3F_wE;Cg?3)4QC`w_F*lJ!VhhQ_ znat5A(pVYPT)@s1-qe2PqKceOYfT*;+SP0h4h}G0_io<~AAM3i>1-nX{N%*HaW(@a z2)pin4NkwyX;vgFPvt>^0moe}EdlLhx&gOes#nFufeR!iCgMI*wR`iZs?#b?)(+DJ zvwm&7t>*3RJst=G%wx?T_flop!oz}mB;S-dj^zFR{Y3Tki%5_OR?bqjgLiJev#U1Q z@@X{7hb?+$Mtun(qdp1b)dk9f!cLRd&(`PJ;Jvd#!otAe#^L zq;j{PA^i@0FqU@eS9k-Vv1PC=Cn#UG$I?=y!-=`x%e4%-w=dUP9BJu?lHeG2dUM<+ zBYisd@Em==#cpiP&HA@^UsqcC&#MMtb41;jYwU`?G!8U;LPqH!yNJ~F-uZyq+S&+C zepA-9Y4>v{uPz#MD^H*BMB$H21yw;1=6X3m23lwLAFZ4XAEvY_C@vNi6FbIBW6GeB zk@0Wep3*)crZ^o7=4o;Acl>kY>txnUIuAndO@^2c^Y+MLEphWkpW^InmAr%H)zuBt z-kvIIU{#UHRlv`t9=X=@IYvtUIWpilw99l&Z<5wn28GuZ&jbA%nwPAo9!7nHnn2Ql zrP(ad?OZrzEBxa>q;*EOPBw$PN|Hg%;!cXMNN@wxe>poxBPN`4?8gta_LF8*_p$#6qo7hYW zGX3HX(7BkH*gJJL-|ZPe26CV68M(SiK&e1JNY2Q>fyato3%hM@XU9(;h+awBcfB!q zf4lzE=g)#dLSWzkitG9I?ULDGoTWniSsp>b^_3(jfA*_aRCtk?AR3#f5gy!Y$m!w8 
z$LW(j5Y~;0$8Nb@{_|LM>d%DL4~JxFReaO1i4N=*X4Yonh9z))g4 zrbKVc&)jwxDo|0Q9@dS#ld^P~*MOPo0zYqq{mEnAhHmM&NbRL}bVF?sx~Ca&5s?!k znriujuv=<)&>^U*s@1hU{sA7Rq$cSyXIB|kf)>c3Y)_uNuLj_J#dT%S6a>PxZCqF! zh4LLR>$3E&EqmQ`{~4^L81#LoZ>-pq<9v6Cc_UU_zKJFN;>C+tsQl#9kytXR;WoIB zB*zPwivqy*gBgmcv9a8U+=xlLl^>t=7M?~>>H!_p$ET*>?rrI6u;GPW(eI6pkR_0D z*4NiT;wB>_B%F%zZ~gVx3Dcz2eM9zgE3bpGmds;=t8>c~ykFW(Z|Th+wNH&h1kJcFx6?wJD97(iOK$BFat|IAl+ zHH{^?{l*OaEk$Z&_SVhDq9PGvPL&pogJ1oCEP{?$s`MY+l>zrNm0WI!^+}vNGuj`h)%R`+Ub)2 zNIu-_jN*bep~R$d;HxF37#Zkn5T?Pzxzk=E=II^R_R&2?$p1$R#^8smVWR<(W;9UM z+uXqX5d^z7$Q5+Bx?8G5vCj?|J3+EJFP}aD_}H5@Z-PAx3#*HYz9A-`18goXE-oTc z1;{ag;>TKj@8JOLfXE7L2O_1B2s3(i^uduHe;aGd?H0^-WB3RF;4kk4ypN6s@Yc0z zdW*#THXs;QR#pH2mIY;7S=?b3Ttg=9I*k>Tn-q6;cAgB<(o4(Ay3M!DKB+D-uC)80 z!=nvc!gJ*WDVAnGJ~QKt`UpZwG^~?fgt-sEHvlLtEHZ+m?s$7wJM#zgzZ8<6M zQS(3Om&KUZ|DhDpX?N6sVb4eKK_F1O525uJ*vPI53rjhh4`nRf!M-NPRBa?Z1?rLh zcT#}lzJD(ZKyLRXiN_qPsI0H8QJ_jY=siuF_^&a#)&|hgK*@`nn`al?pZfUBRSBP& zF?{T;ooIZ8cY&IFjq}QveN!c2wZJH+C;3wJse#cd6G^;Tg>8bE;6pnj)c$p&X{yCW z0WFi6ArWRRkheWN_JFEX>pUrG)Abr;-q}W9acB#Su9%mc5IS0)lgP=*0c<3b>H<_P z0MrGt-wNn}mffBOccWrM)rQ^H0AEoBFu?&z~JJ$6Mzk0EqB> zRy*ADJw9Xf$?4=^P~I%f>Lk!JfXaj>NGCH!d*D9w_4U^f_gNSj|H=cX2)B%YZ8AR?hc$xSK8|s|2aVLIA>E`Qv-tc#FkItXn`B_!oc15 z_;`?cSH_rJ+U8HUeFg5Pl}&FkN7;r3b&&*3T|vLKt(?4cKEhdtnyB`(Ti}K%xY-e| z6e;_Gu4s1r0vFDTwQupz>Gb3XOlAMQPL?Bl8$$j1_3QeEhMaPqYGW(LEiiOWj8enX zbzNg6$K{!?rM;qSfIR`02*^~jtXsyU^D&qE)>L(+{ooreNDz>EWZ{1PzzD$mfx;!Z z$plC#7Z=2F_%b>*InE1+7H{6X85vao1b$Jh~EnN2l&%Tyrl~~ zi}HadH!rQ6KW~1IDsOHg+?D-~n}Y7VD?K#LI=E}zn}y!ET@6|f z7o!hcnJc{z*SIdO*0IT-{k3_Ap1!<5bQNzB$U+~8vlXC^W(W+@Q`~%<8TW_bnGsY% zAa5d92hs}zN7x;KU-~o#;&G>h$%MQQZc|mgkS*S- zQw*}tErS>#fY@!LUVvV`a>W*WHXx(G+12y`BZLUx05br{3@n4o+-P(L_+bak6ILf# z(q;S}#pe+rU(cL zbq8s3UUtAcz$c*k-GUg(CP(goopQ**nxX3+iyf(6^}Ad12xuOS7_`M~4ux8Z0mNhV zTgt(Z1{cls1cI%BKWlIW{&2?v-~&gsa~T$!=oI0VH$$@U znlwCCB8$-j%T=+Fk=AGm`W2=Y`Yvjggpu`gr!I*4dgJZE@fJKP^MZ3cUH3}|<%i*2 zU0py&p&zPp98p<*aBhi7HS+>4>H`q0u4FGSKW=9k02`|uAN!mh{Przyf42;mop|}8 
z?j1}4_~zpnO?)4kHcxp_@v#2Iv+?kf`O)y+^`{x~-e0fjB<~dYh|%{0F1%K%ye1%h z0kZT(X{$osF>;rgXa?qqNS>i)=1;`7PX$#B`k?0YwrJ>Oc zv|TKsHKqgvd=0(}*}6fOIBPvjn0eP6?% z$Azl%wqQWRACvS4xHviSWoy3WkM4-aasWR8fd$BY06l?iqhjH(d{ApBDRBj|04)T& zyK6DE<>OQ@lSM+4o}Lc!n^=I89i6HwGE1)amltN4|joXipO*PiQTNAT=*kGK?++=5jaeL1d)*4l^AOqtxdXGfF!i zuz3g)URE*^QOg(Mtnu}7p&=au^~GoO{emM5k&*ljFC&3GaX5)bGth5Mn%`3Mn;#I! zPVhU>?EB>ogdjM2?9t0R-qrN%{8y)k?@1Q!RJg%kh09}l!a=gEo~U=^?<09f%>FE{@d=yz^m;>%|VlV~7K zPS4QLZemdaj)T>|@K&3B58|?zl2S`f&eG;&Wjp6xSiE;9 zO(M0wHX!zlWoS>yhrnr{XTo=S_<}GB`fN3^B##r?9{GhZ?T^;dwM27%6RF}3b7P(a z>zfu-4QDQAQH6!=8s|7*Ld)ZV((}c1Y_!5_# z=Vk248=faRzqzO+HkW(ff+wK#7_wYFds8f5-f#c$cP31a%Na>Ic;vZ3{YEFFtStR} z{K=8Va-X$>tljtT-z}e2$W}70^~-_`DyWwSqJ&M|-7+#^@6Q~vH!n6^&x1L9NL5hL zmi~T(D!m6^2JsOn&miaUluXaf&CSe+^t~ldW%w!caf59Nd86_!@w6+&*!VDG!`Jt( zcF%HGX-py!bKGIrh@BW21h)Z?K^)D!BVlR{ufC&S?>6q5Rb60ld4I_sd^ID5#{v-X z$SrJ>+v+^T{`l0(4&jwCC#SQ;!2!Ms3e~-<^>O=4U!g%})jQ6kEtLj%Tx|gypXv@} z+AdsxvJhGRkV_u`!5|ZlT~({{Kl(jnah~WkBYN801%lt6ZCqMfin%0L0mtLmr0hQC z=i~R25I@fDfEAji^C$0mA4{fagPmnsL9wJdqQ-UhA{SRFB-^;$S{(*!!crCYyRlXR z+(r&ss{zK)CR93fG9_%f0AZmSdPPY4`?YJ~UMn7_X&B@V9K`QseOe{d&sR*sXT-Gm z_!u+cIKN1Vg(iyq$zmuXBXX=1%Jt_!1R!1OmsDL(xU-*eq0O*RhOImI?)8Hcm-{3G zjyHF}!Wx_oz9)_k;zi$R$=fIInPB;4Kb3&rNUB$J6J6l!hOG`r^g?ciFtcr+8hqr1`_kugCNtTm_ zm|30sa!*{0(#fZil5IkbubT_LiDv|t0AshG54Mj2zXwnSEbqA!5P&JS={|8OJ@2mY zlbe{hxWV?jMm40ZR;pus=SAR`v&RNse?;6$erbTHi{xIIrq1RdCJK%Png@`*h1`IS z`}!%90THYEJ~B64KST#|`V?eA@fMWzlP3k6OzLWY34nUuXcr+r_P>`lNuolF)1>y> zefq^65L9ej$=`97%2>e${1?EaI@;RKPEKG`19wNqbyJYKK|wVLs9+@iw<~ym0d9@@ zDqIQ*quXs^)TIcV|61ECAc#$XYcE&!fr83IgX@P;*MhJpX{RwWfX6^g0Mjf<7@#c} zn0rP2f~F-7fi0>@tJuR49bcen0Syc!d{Bn_VpjcVm zW+gy`0ylCM2qqohh-&HCtYe2r7g#REhVegbhWK}1^FszZXnZqiAa$aTnj@u(aZ};{ zHTQOTjCKK(O`F&*-CE+ibxHArhdywLU58-^Egl(}ovj;rb?as0%TKeOX_0F}^l>7- z-C_*%#ev6X>Cw!f9L;%#sIK|3y}i!+>+9?JnPatrWWfsGKx*{eno?II+$0x%v^1z1 zRB-}3tN>)JKzD+w=E@$Q#vA9^25+FQ6CyakkCIYSAQ*!MTP=V!oFZYySyBoL3KJK7 
zcIKMFFF_jLKm-And_Vab(5oFlnkLyA6HLA0GFhQc?OtS3Ep*5q`B^XDb-pDKRQEy2 z6&!>ytQ=I@n153>&vI)Da1|gNjZAz?8=Cb#poG zrRQe`nbdF(@d|<*%`W4dEM@Hglf71Iw<-_6Tc zuXe+s1VSGJ$2H`+SPAKaqYUe^=Qbd|KERwo5&OlM3U>WmgJP%gy1+!PV@^`1GHveO zeIsGj0x8kXU_?+suKB^72nr(c{@DqI$=;tZUr6%0Q2chq+kiSyQ&Zy;2?i4lEEbr( z#NyM0Lk5OOGKS10yVj1L%%!fr#3iNpfcw3Pd?Pm*N0{lnXSAoD=N5nBmCR}r$h%a> z^OB9TjJTAjG$dL>*_)KW&j%C$ut(m8rVR*Pf}z?%%{ZtsgUJ11gqgcgkV&I4TVst7 zN(8v@>#1Ds=S+xPu{#?-i>xJ4X`M5|7-0{^TYr<2@JtK&$R=XgacHDG0CG2)EoVso#Iw4FQIhOZhf^ebFEqy z!ou_ClsPi3aQh_TPf$n${9Qcg4TaeE?}k}DvL%7Tpcnz1QqsDOBT4Yu2UuLNM`O$o zygPvuuVKrX%5uA_acW@irD*j|*H5SRXz}`R0$}nwf6^_GXYXFkMZBnecWx9Rb>UXj zysSEp{o|`IQPCT3DbS1mK?PCMCId=|$e*P`bHTz0ZQWq+x`{ zX#U2ao`lTyvQ<)hKEq8-vZ3B63P<2Z6uML~!^0;r--dfqcfHqBE@Losl79E_@+xxa z%~Z|BMn>xjDC71lF|rS5KG_ZeW*5e;w6`_; zv6W&Uro!^-$-k-y-}v3-QU1s`Z!Td5><4`Jw?}C^fwS2856{Iyb}accwAAWKoQ(MS z^QDQ2wYk2^S}r9OvmeUIKc`)Zb(v_Q@TL!esRjeSGjH#E@6Mfw8>+#&WRkqRzp~7B z@9OGy!78&-PpYb_%E_^X+jacL_uQq$Kd0E)eSfyR>g_d%kwo>;<~C+G-aJ|9PCDk& zIcWIJvs>w&e~eKdRfDf9Zk_OfeJ6Hp0ihET;vGYsDSeg`M}IRirk(mNPF+eZ{QMhK zvMS~&&1n{D+r*Gg>j!i*SMk`JcJ466kYBlTA8kQ>l}=LeFQ)Sh$1N(k;kfRmdRXh z+_+KGy*f@HJfn;mcpk6cZ0`6CHgH1{2Xg7gGKeeX54G#Aia5x^m5fpL%!r!F~v? 
zsWFwg>Fj=L49-AFArMzKP|bl##85}fEN~?4FCJIMbpL8V>NM^{v6%F+jk)GP$QPs) zU3zlYM}_higx^shwqWgw0iJ~4!K0#rKD;|mbMw|M-?f4S@4vC5_?hAfX%39-muS`M zahk{aSq8x101I;>EmNBnw}1&ZeQ~O1dc{U=V^cKqUvBf6=B>$I6N2RZhtikc|9XZ)e?;S~fiA z64|A}_K<)=Dekl;O17`#0_J1IvMAwa{BDO?NxPLm9g)O0*?K&}D)pySZYbj!>dvR9 z)?1D0&G6$>lWvl0UJD@!GVRB3w}baG*;!c1A^Y#@>H;8hZ*RSt>V|TpR}nX44eO8s zZu}?Y8Q3iT=0C-4tkN>zCACsF)w2w81}fYi0HZ(N;LwZ?$~RWq5UsnyWp--+ZYXGN z5+T`sF}Lfux8uGqkAv)Fw8U`&KD!%qd=Jv>vg;pGQn-r;Z(O_P3RHJ6yN??aBM{X; zJxI!OV^x~2Orll?1_yQGjxEq-mvcH7|GaTE0ji^L*Q-IC=Cv(_F$tFm$i60eo$g^j=_^ATR8QNQq4pjSAyLdtJG`iJWOuj4g)?3;i86 zZL=;AqTPn=hKcPG7W)*3lYu2_wztffGo=EM)O7bjO=eS%4@3~q+uoeR=hOiI!JZ1^ z9aKNwVTS%x8UBzJy#ZO1(*Dka`dUbzVMBd^1Es==LP&Hdd=)HSc;c#dmM^RPeF^oT zMGX5GLq}}UyH_zBs9J6iSqJg5&#{O`TVB)IHTrd;OE~Wj9lc6KXC{dM&}dG5o}McT zY`W$8uY+&cg$=4Ih`6jG!a^17*4zSSc&Q>kUlAa)o^d=$`cZg#q|!5Zc}`^`jrt8E zjJtWm&e#bh8Q}F`Y{_laLipt5Ow9h`7v&9rgznto57beP#F@H{2STQ;{!0#a$uqpX zpNfh=-DlYQ34YI57y*|a2l-;0k&o(YdOldF$y)5+b1mutva9|Zzt|kljNcz1KVJP2 zDoP^Q<_Nc?KLIaFg@aB(hN6P!ogpDYB?0ShdrdW3)Svv~4kW4S8XBBQ__T(ssF{+t zdgrI;Yayeq-d=`W+?@^B^mUAsCl>b>7AOB!I*ivX!gic>?IW{kq&S*{@y(kz*|5+kNeD`-Drxl;uV^Z?jc_nzwQW*QXl|J_cXzkLn z%eH{2Z2J7UHUA}G*6_Z>s-NfUjSQz|g9_d*-5I^-6)7!FN#D<*6oj(wgR{&(3pa1}zRP2@QV-@ayf2F6QRUj7*HQPbQx&s1aU-73&X{TOks$2ZMX8aax9(br0Dgz1QKQR1Nf0|hE%+g6o z2?;2x%)WFy{`3{LZDNxee0BC#!NkaD6G+%EcT(Z@`Tmw06%R13bEp3GU&20=huLP; zdn}_HB-D4}uY}k@)sf({bqDy83OU@1QzZC|w<(Oh`qpR4`Axf#icK@TxbF}9z9V1v zNR_2Stx`3(=Pdg3tss;u`R-N7)3C6}*$$i)7QjQ2s7seFb@d%6Z>?@$w_X1XXu&~w z@)sK?(^)Nd5sPi(3X=!@m>U$G-Yc9^QZA4mOCTBc>d-*t^nb^ zwcW0G#wlZgZQLcVwULb~OF%qQji)D>CNh&ID?2kg6C+d}klyxEXs-@yzrUVmdKUpp z$?l#6h380xJD0e7bfCZq1r1yh)$TaPy@E6{hZm7N09;u7*X@!JL+t(;^gKE`x}>CpQ22{k?(7!(x-YSR zC2#F>mS6HNbKil2WOJX4NK^_H1ClHJ<9GHN2Y1x$ZH#li^4ioZ{WAem^CvTr5i=Cm z`RWFr>mm889D+Dd4CoR1m{-CIcH>TYgTg})V!lsU_i!0ng_-cswE62B#OQ?uhfIE= zF20l^kykNmk<|ab8u>?V|G%!-^-K6rPhL#@>}t*Y0&GSHl?T-Qgn@B(uVsjbECK!X z-I-tyv4PM~Kl0%mQv<&_w|vB^q_T6Dg@ru<`XYOwSb(A?XN9*)2oAd?LmXkQj7I!@ 
z#h?lV@53y%S4O#ab%)zBGbJ*F^j@j+7=*+`)9WiHWn%sHc^QO?J#)1~jul@#a1WGl zH4h{KRL76ti~Yao*g4#CSSm}MQcO7I{ zVebKPW4z>TO=aa;n~#)sO28HY;q_MD-O1VcEH!}Mc=Q;4Q|^h=yGfHxlT{@Xcq#Kz8~SUjfFv2DEQa)RoG%`cp>#E@ z^}|m+Jd4*)jA;UD`tH@_w^)dFfG7qVCek*&18N~BF3l8!!GOpXDd>D`s4m*s0-?ND zN--xVu=2Uhj!}{}qbFS=o{O-P8OGBH0cwXk3(Sbgr##Z3` z`AsOBf%;Z*U!J_3;C>S&R<=dicmNx8bJ@np{ul-~7R}a-g^Om$PgLA1M7HUx!m_ zcurMPzu~&ofiPp}2Tw*T%+V(N^xC-;AHhPB!RR0R=Bl0i9X zX`nDEsKj{-*&sAQjm3_{om~7y$!p((wRZ}VR;-mk`OCgJI4l9dt*f~W#A^!QZd2h# z&u8m@67wA5UiU^uVAI2SB)$J2P(3DY{t9)T#6_-b_A#WrH<%AU*u-rAuC|&lK-`eS z`Jr?OE?Q%y_oG;r-J-C8l>=HVtD%mi)ZAKsP&&y&g>f!kZDh5#uc7LHOgh+RU0Q*N zB>No;^~9wn9`)IqE!?g)2o$QInEQQ{%6Mzqk{yA?_-?S`E&rc9fpMm8#gT}M^+%r< z*R*RgPYe{;nYovVd7?OvpFII$1;G`k6%5^IdGy9vcnSmpvXe4w*O#8Ze5|p7Vh-?O zKf30)p)6(ZTePfWBE;le(fVe8DPLsJ8q51XB&0as#1gy2d&ePxf}`pt1O5ZWlAM-l zYwv7(2uLpJ>!Wn(tlphz(V9SHBbr1uL+YwW$KEe3tai-riBX#Kaz1SoiZ-%%WyoVd zoPiOD5K!k?%N4p-%Uz+Mpl5&I-$<-=f4}#+oAmQ{iuk2Dw9sZPN&V2p<@p+V>}zLF zk1B>Y@(z4~Xe0;@4s?m1CpaNC5E1REpIq41@_n@J$cN@x&eg7TJOR?n!KKHB`W2@& z^f`~88hID=nXxbYK?}i&trxI7Yvx6Hd4q5t%&HX!$R5cB@5p=!>-B3+H`3DjFIV(r zlhCH)3wB{Yi*GC!&AZO{i)Ua*=2_6z=aIA0w{kxQr*jy11=E{7A<{{3KDqfhRwFU% z0_T}77q69H*EdA)L*u{#UVA|s0XaY7Yenr856Awh966j7za3tzu} zg|g#5tX5iHEbjU9Cf{C_4L$w&nVB-6i7#I!lT=ev10?j0!&MN?OBM{y+u7Pad-CMT z)2C-+uzVr}2IZT8Q&_jN?={V07A zqRlne4ci|}QAOs;LPUA?(H+bY5?MCT<)47Sm4>qcI4a;^1_uV9&>Xgto^ep#2tZmF zoCj&Th=?6>P+u<;2Zly zF1gvryRtv>_cUDt_v9MoGE0!J7JfFy*jWw7Ms$df)(0Y;aP>A0>dQ#KH?{yE}dE9lz6(&Mi{G)_<7_o3ND*oX&xbK1X8f-NxM({J?Dwkv`GD`ffR zv1^>tt-sohhSvTemTFWzo`c08-q7(@39q_(Xp5{dOeW*oP-+^IeuJF6zj#H8cKVaQ zn7gZM?nlOqxQLi$e3Fs3XpdTcC_FE0da%8~m)!~ue<(_6n%lwV3!lMh^w@>gbo%>j3C4bT{g~714(+!z*+A^; zshsL*L3PfjSGf$2j_=dMN4|QF;&^mvaY%-Fs_W+<#a|uL&(N_Lvlsr4pPo1zsk~JC zXD5YQkV2_-qWy{MAB=d_`7+6GAaavOxepc+4Cu(yM+W9s`klH!+7W=rY$#{2(sGjEq2C~@TiwZCv+>sevw#ENY7gy zZDT~~Z`5hOyTtHr>X`+?nugmj{Kvid#Gl&DZb3^I&pGFXD&BIgH)Q;Acvt-L)EDXy zrd)NR4oHsY9MN>u;#C}hRiznwLnAiCt3i^7?=yco^Nbm%eU5)e%3;O*8_VO4E$=B7 
zuiRe30Cgr(>zUhP4d`&4!!r`&%`>n^BO^W-1af<|t9WjQki30FcOx7<)na+~@5Tv! zqP(u#y^5abql1(GP*fG(JsDNXpiCoDkw`3@fVPRDlUN>~-%Vs$C|3?*c;Ccw_+~MN zFEB)$0a2qIxEOEMvoRX<%R1u}Sf-hK0@HXMBC3eCARxg z%$FC=MD(038ccExKCy1Cn>+sE=xmzABWC9J#)q2{J)asOAWW*~)-`Okvy-m&_jZ;K zb9GcvQBRhDRrc@$1f&)8$?G4?JBtZ%U1{aPj#|MBQulPiM^1QApve#SWdZ{AM^{-2 z@6rSjK3NRnSTjgPFr^>~1@D2OI189o5|7s-&RMo2`aASq?J8D?Bcwp$J3KWg+@PdBo|75EapaBt-ZWq~ zBEq^CcH%h)!c3aV+ndyzH_+a2^aH1Nz5p`j-$4od6b+l`ynUl?+ zLg5|%6a2{chwowfi>7;z^j-}5V8MAJcKi8X7g7uBn+)DR=&{BZ0<2n*ww^dCzNbHr z*7|7-&QGmU{8%6)VpZa8LIEB03CN)CA|G}q^|8w{$Jvtp`$PEQ^x@H)p88RfC)AWH z9qUb-@-!W_32^EAPDmt9cKG)Wi<>l@KZt#(#03d2240Fpu%;j$>KvU~Ri`8+ zLCahxiQupe%)s*DxDLGi` z$IS7&+rA9`t$sQ^-QCH2mz0?sK5_2VU0|d#l`I8z^p9v-hjVK60bwL+79o z`^_W-0iUOxX(AeLo&tXi?yCMdMa7Z(lslp(2Zu5NbXE;EIwY_8jk((LZIw~S!u3b* z5=li1e9Hp!B7*;X;-DF+=~#{{R70+6GzYa z6Oj@4YNq}59Nm6fKMn?7em*`idHgelA|k{E$o@@8CJ}5y-Qby*UKA?C)c1nxG_w&! z`xu6lrB|s_!b-IRpQw7DVO}2N2nQJ+*iAt6w$Gtz<0ME#&2#1qv@_bEa*&NT)(;&R zFh;!rabwk2)myhFQZK&-Mb^qG*1g{(EWE$TT~>XjMLY5SFu;WOPSNJ4r0;#&(>V3^ zpO=0}xeyiY&1cyhf*5MlQ>xiVpy>#dD_46>4#XczS{a#{#)USW|15jp+5?Nr4P)a0 z5cx7iMn@Z(n3&wSQEAhOIuFK_%CfRIIA#{SRxTQ#El>u5__U&;qN(ZPJlKU|p!9$J z`nR*}YQ2=*5FZz@6X8G)I6-z8q5Ek3>(|m2;FhK36*4YVHljLT@n-peQp2! 
zPhc1qHu(f4cyeXs?o?+opu1AB^TpM>Ih;k~AYsqW$cW(5N>IFEXc!$E>k0l6_T4Ep zFolA8VPG0lc>6!L`XW+N(rkk)*0o=;_TaKbcJ6HcHS=E8KYttOBmmRF7X~ zr%7S}()QE84#y)oSapmo*}JLvSE6x`)VP9rkOO+mo85^qSPUb#_5KDfqAdxm&vl*2 zY9OsQmsxO@jo18*r*lCPzzw;iQ9if0xFb;?q1aici6(H;)Ukr_9z?p3NK4s|WS?$p zZU%VL3#8GlqSf~iM03OC*T_tpwbem8uBrLlC+O+Zr(ohZwCl5rPqsiN`Of8iuJf8cSghuH;?$Av!fmCFrO2(!pAk?G zy&BM+qk~j$wW*mHoih% z-s>L{ukRX+t(4xmmYtK+-r5@3NM`l09`7boZWvVc_VzY4HFbC2v=L1S1IYpT%F949 zMi2znpMaheKas!t0;*Y57Xe_xSQhm2ZbTT-fMka42hYKj8(VAew$HVfM67#PXsujW z+55vro_hmr7MZj-KVnqDqD~}P@S_}>Yx#mWzMoYbVmbJj;;!;)y^V{EEC690=y1WO z`O$m+UgBq%n)|cWdxF$JNIVFdbG`zn1%N(YSh-c~#L5Z6b^Omh>*b@c5xR5B$qj-j z!!QrE^CR@Jwuwn>OboxM8U{2jSviBFPsYMsbxl&S71HJTVQVRv9a z-I^~vWJF~kTIa0&h#7gJpQwO_MGr8$DS0tjd*z|H0UZWlqoh9BVGZPcr_Gf{)qG8kM}oR=bD?FAsOLJ0&1TmdpFUW5<2Kjs_%0c z>+8Qd$WuFc8x@WW?DgJ=3NKcgXmKu%xi90 z%aj=&DB!iN*g&vmOP)s=sAS}`2$2K;7v>@I{KwNERbr+5{F49b)@e~szP%|mrF?K1 z-IdigGaDTl(Zm2;8f5=8i1kUwm9uf0Y4;aOfEp!iBnGu4?Aka!xFYkDC%ub_ZF4R5 z)p4maTGBT6@4qC*6wWe}oRI6=FLA+q=-6*04_=!iaouX?zIqD+C)`H>cz~Eg$=!>S zcVCA40M?iH?=M!Vxx2dqGAt@6_&|pBKUh~!Pe}qb5yqxq4DlGye#k^x{tLk2VCRPG z78DSeb15HB1ZjsI((wa`v1mJiuw-`|BSgIckq7jq1o0}otE;ocu&MSqaZNm0^Vz0pr)+r9(dyh;=ZP ze;$iEkSkuQU;O=30({wVnzwJz&S^Fuzbtjzd>1IYRYk|FT`)2T682oN?~`xl3o=0H>F zomI5CbWK|uoFtDRSp`qBfq{YH!3(%J$Q5;UljeWr8VbQj!LJSmpk_EuTU*N(2w25|5a8Jq zJXYX};nCKWZhwAUsrIqA#`xayS4>f5YV&4CD4K1C3|3`rlEl*2s>Ya=)E^O>hGNgT+qHc z23SV22SxBS2snMtB*;}@!=VN90zRjMxp(=}r5!;dkXF9JQL@S)85!5dgV|d~CtF3> z26VOJWX2t2RxVR8=|{YV)e6@R!qg95V6Qr#csXiq_Wy4A&{q`-4Qrs|LGuoC2DoFu zs5|Q0Fzw7hNB8~yr=6W0P&Uenh-g;P)wXDj$o_Ncf>O+7<{Q7eCG-{9>p#H|n)(j^ zy3pk3&+|1K6gwdL3!;i{ycv-wTklwJe!gwL{`|Z11>ok%&&Ri6TKYm#j=|9@g7|DJ zARhcVaC!g5N{f!|91Qw9cnk$ZhVF&lo*ul%2YTE{dvh9dqYR(nM%18N2!F^(4cgH0 ziJvm*__pVi2L13bv{--!F)uYHr=2n#427Z+b|%lj1;bPT5h>Z9*cm9dV%s4{#tRPT z%`aYTf_(!}YuIzG`ZvrW3~Q!cZQ|eB?J3T-;5Rw5(mL&ok0z*Umqf^A;83s=!CdGK zHYU#kYw7=Hi)pQkQLyMCq^;=wOtqq>m}hwihaYww%_-tP6<0jsae4GE#&i~6u3;tn z3-3gd%fA90@2gk4efwKxMU(qbf^AoyhV9IICL=8<|7~p3&AfmZO!s20pZ)b**KVaP 
zv6b^GEFC;Jh_7FeMW;G_qz?wlmBji(R@Q^^;Q{IcVGHP}q$=h`>#jdvyol2#K0&1~ z7O^zCUfXteG$oY45y2U-R6d6^BMAE}S$L8}h>I&3e9Cskps!bI$h~If{mSbG%gRAX zaStr89G7?=g@Bn)w=sCl*Da48kb0)8T{>uT6{X;>XGG z_JbUQ*$cP3FRQDI%~888R<1*MyYH6K6Z;*sJK)_Lw(EOxrKR{55cEO)lb8SPtzz%N zX}2N$5_+gS5&A7HKvaMT@2v5W#*--eq^1csqXn&kcw27=^|wk!fBmXyo4HiE(sdb% zbj*LvP@$HdN0~pY0rI~4UDZBS^HEQjC0}(0jF6gnm@j?Bx4o=*~?J z&sxd>S}l3%C1XI=rC5DIE{29dsBou-A4eY_uo zadh_5I=s3R6lxErDevNp={aX?g1(c`qzCX)`5bSC+$3ZQvfIb<2{@dk#^v++8~8=8 zuv5J^TOGv2kZmyob=sG8dXEc}uf6(Zxv|C>s+E3(IL?d6mC3!AoY22j{ZrC6Ip--P zKC{=H5`>m2I1m?-*-j#_o`9AQV9y2ZW>gT4Qs>Xd&K$9_!MW2t>n7?tkZBuAJ!q zMtg90^QVz4WF+fT>VK{DSDu{?h!``cWVP>z&zN;+AzX_Tqm3}{-?$Z?Z7_>hQh{c3 zVPWBs-B5U0c{xZzRWQ)6W0XU46x7Wi#y0g{?ZF3>Q1cC6X0G;ZokZ&6u(LIWTauw9X3nm>BW3?l}9)I}*Ao0u_Ro4#}@Q4&& z`Gar|Zw${De2g75&BF`ab~Ju&})-7X}l+*76-#G%uaSd(KyUr(l<$^D=4a_)-xDpi%uFz$W_p8*27X zlb6i-SvHbxz98Z9ZG&2D+{|VIYJLmgJ@BuwuXrUN_*OW0!r@GqPg&Zoh$3r*M2EJ?hmh<^ce*-*ISg1F0<)F0{6m$7SneRd6o1J~1K#Tm~$_XwSjcEsVxngR%?Seo+ z4|0#CWY5+!H8a*r@hD;r*WY!jDNQTrNy>SHu#p?EL==}$~y*@ngv$q!- zC*?xQoSQ2Kh62bfl?+`7`a#mm%J9Pp!WN{g;fYT`84YK2&>bWb_G9=NezUynbYAyf z86Hi7-vKlLFCf(L(xY()FrPL0Dm6O*J|M`?pEo!UM)ipQ0E+T}q9=bk$R`DMIl_3@ z_wRD`WgBssg*!km=edERP+Ut(3*;@rp*G+lDK9D6fZJ{S4)f{ptMR7*T|yONpsx>e z*}(J=6Slke%TMimP36ci$DW*eP$T$k@m>?Szkt%n|80{TpBpOy(Iho9t8)B+Qm+07miR1?&EpGnsRCBKj9*MpjoesSS=q~LC+lOCz_uL{ zrdKCq0I*H$sL|*+I_9z7DKf@u{6Uyn3@uRF?!oPk2Td+Mnd=4>>7|3%A(hLKTv>h~eepPZ(ZLuz5{{!0IqIx@>C;e=$QP#xzzty}>dF?AN( zO%zQ7w!vQmS&&I1o+s-&a|g9I{Ps*xejzA)T}Rx1!}15%0pF2@QH0#UprE{bdm>Ef z-`)r|Ws_1TD`#hCnb&}6CSKNT867;qa@EA-@_|z6oN>`EyzJ7(lN>MjSCAqlLSEqhLd7JuxCPWKL(br4z77JCwY2T%gpGj zE+P=K=*UUO+cn&ikc6=MslOb0H8+zcVkzt@a(gYTSthVWVEx(EfY?d)r-SnVc;`1M z|HG8 zU{2ws*^mu^2N!gyR|(Z%hun=&V>@;83Mo?@*!ExJ09`|-{9EEo6NMtlAe%IlYxGPo zLd+AydWO+Pa5zTJSg&yb3<&8Wz5$nw4PI*sO9=)U#|N}IphjTYyril57EGHqq7Sgp z$EO;61)!Br(~Q4_!O!g@Xb-Hp?DIYU(utZWveSu6t>NYjAax*kKb(fPusqZYyBuj-E96BAIOf3p5o(YTgvGi;>3ts!%tydj7r_3#*C*5dB< z6eGw-ZFw9E?Qc7tS)yLy0+3~Nqy~jwkKRO}l16n2M`*3j=e^8PagKkBQkndSLnOJx 
zw0COGanaWO+QRnIXg8<$$%Wm)jYEEzph-UJ73UTaDSDK`B|L_H{?q=+so8%wfPlb) z6!{cs9NI-tUj!X{OB6N7TVEigWycfrA8{XXT!^cFV*dU67Sui!%ItL1U_tu#dU~f# zzM=gTDfLNCJ^MF-HKs?TA``CmTHea2KvH;k2C^*$dGaP@^=+J^tfk)JCkd!eJtk>m z6^pCIWL7Z+qJ;`iloX%gf3UwTgFKMx!~6Wii0!tT}Z3q|jsu;S4vJ zBmRM&1Ox$GabjrSPLf({gBvL?a2(3k3=NYy^b=pH)*3}D7l;L{58rvgOoD{dB$Pz> zOs9R~6&}a;98?)1;}-fnuVMm3Drzy6zmpqy56^8Sc~qF$o9)~j2|S8f>`FprbVz@) zg!oCCZ02J$5_*sL4mnH$a(^>*PMh>PufF?NwbGK_&fULrRYBlnq&DtbRsC@ybV>0q z-u2$0hM+@6)-Nw;_ZW2(R}}->*2MBB#}xOjvpp*up7IgSP2Q#b?Q_%Z0T7RA+RMjyBwoDK`WAXcWZ~An53Janbfw74=Re80}P&^5xXa=w&>#L(YfeOOQ}ej+CNv_G&A{SUnp)jbUUf?)S{!+EvQNZF8S-D z5?_R5bb#JPoWUQ9%|xA;-8(vvAwi>7A-r-pwQ&)1{Ko@2TmT(?e$8p4&k#&5uEg30CR8DbsFr zNYmd*s2*{fU%$eB?$hX$a~2kpf?#I9<-^CnP#*T*#=!1G@TSM%*N8cw!;uYG3>Fwoo4Y%teK zzhZAYbbry;t8?I|IP0~T59fy$eVul9wLW}Si`^TPUfBCO(H%USbo6bQswy^R6(au- zB1v({&1>CfJ%_T>Nn`X9)4$cHyb0hysfOs&k6S=fH{tg~sR-R03N3-67_H)1E(Oxo zg>?T(J6c|0Ckc$S?66jquJ6{(+tpkqTl7Dc(9pAdI< zQEFjz>Y8Wq?S3uIBIlCe62A!T1E%#FJUH+vS3NjY6f6Egxda464e~X@4B5NMTJn!# z=x-_uUp5 zF8D$;W>G277ooD^B4)M7&K?+TM4wG+tsA4KpPT71G&eK;RkJAhhVyy)Yhl_(U{sL! 
zD!pTc4M`_RN(gEO)&%I%GN!jA=URd41$jlV_0TDj;@|_A?wip>A=l+>+9<;_*_RVG=d{9n-P;Z23UXSn?mAxX zeH=+rd|0o+Q-St7>iu*D=ujw{s>zeJLhAI{5?OW0q&++yWncO==WU0ExrW%r9cjtl z%Ct)kXST)JzLn7tKS|}T$86J19&ffIUgPsjz2GK7*GBjDv+Z^&hKn(;#L}4g(z-K- zKYaZ75nQ16@3U?d;x!Z?0+2%&3IEj9k@<&A5L{$Dfj|bZNN7jLd?^n0*T~h5i3w4_ zvbnTcrw+pmelF$mFfv#}|4aK>JBiVApI=sVNQjss&Y{!aEBAF~?{`i6E(M-hAZ1Dk zXBbkj+og5gWZ%F1E`uZms$_BTyicFjfbjqh*1X}$=hPn$)2B0CS zfFr&+aaoz{_d;OE;Eh;l1<}?9Z=VKKo{CML>8pn&dw9p|4pDtg#p{m_9}?gvwqg>D znj(Nh(q!%=BO{hhTfw@9rO?)v*@DdsmbV+9F^IFByZ`&Gh^{`b0oIzw?nU&gB<}XG zx3X6_t(h$gDDTdbcId8{gtZ~O4QdE&AH8P|09EwP0OMehRQX@JdN(uq*yOIl01;$tNrfz&W(n zYvvO)81_{fo*O?-!MEgS1ny2 zgH2aq@(=EVNN1-=-03H+jrrq2{oL=rO7MIQVNEcXQX~I#q48bG5SLpiRL9=gwKwyG z%&OvWz@DU>z7EYX8B#cs0J?z6jkXiYGl~LX=pjX>s}5it$S_>WD?#D>ow<-8K(R*W z`gO3;yDmnl0S5;CZUND`iF*o=d+*(%pzZsIxd@59O!eE?%2zU#6pHF%dFGHKO)zGP zQHy)ZvoT;qIvcUvSagG-AqK(uo!jP8(vMORkL!e_CP6CHgv%VyeMia~WH}p*d^huj z$Mkkd(?m1I?ZZGUDe3#sQ+~SnvHKNqp6nl z5O}xB#!}asgD3&cZ&+3dny^j7aFI)W+td< z;Q-dW(&K?RXqnu*c=vD!?NGfavTrQKQ^Fw4JdaQwu{}NVi?#9;vMtl~Y~(txU{_!&@v-3A9UD2d=__Xi*B#GtI!DLv5EL&fsEYQriw|IL7M zZxO|-9zJzsjE3D#c(9QouQMm9nGdm~q`Q}`G7j_lDuP#;PWrj}xd`NYzMjQpi_Ong z-BiBTSivcmtp9exCaQhzB>K8`(V7)1{8f7HT7LYxowvunJF*^afP*G&eo@~p)JAe0 zvs;jHU*@K62XFrvzeFPRO!S2w5xXLIN7mLb-(en6%pYhNUc4VHdP-%)n$r@VWKy6V zqi1cPv5M#c<6rspZ#}A-XU@wt|3tm=jKz`b!8X#Q8oL8qOOBxJU?;`?>__(ad-GFk z&d#2SvVCRazPqdAzOq|Ci$wPSOe9?~qS9m@VkVh^sWth!S^Mf$S_cP^c8ue?r{w_} zC+3HCRsY+66S@>Lw90#L6^^?>hp1c%uEW#hvhCnJmTFHKG&Yh;?7shdmn%Ski_zc6 zLf>uZTenL5jXCGc8#l5&)T=`+-%0sSEcku)9GZb=-BxWR?9r{)op2QO%7q_SW;_$t ziCSQ>?yo&7C#m#%1O{2|B(Ap>K*L4(>z~O8JY#8oCQ2SBt549c#ot6coC=d{-D1Sx z_gYc|*xDv6u1U+q4^49yo1{M;T2scX#D7lvFGeb*i{`=mMz8fhxl-OQU%k4rbk*2c z_Fb#(_uNM~0Re%@Y2dOzF)1P-Kq@06C+7*;2+&GE1_fLrG+%`FzM5KEzSF6%(btpS zz2i_)8ijq~*RQ*?Z3lY-Fb+;wXd(?=*bn$p=rk1d*M6u(XN~k!hvZ?XWU@vFp)74f z2nflPg-W#UA&nCJ1D>MA$T+=NE>uXm2|BE;9kZw%F?cT!VZw8hMqqWN<6Z1?_3B-p zmI~jklH@^2+=E-m*y`P?yvQkB%m4Nde82}NCA7j?0eqN*b*GL@G!E1jxw+bMFA@@} 
zLAn{rbAeE&61uNJK*#rJ@0D_d?$|kod1$j|`0IhbV1N)yOJ8Hb_a+45kyBpjFalZp zXnnI3czR25isHOmSm@^9hX`^pM2`t)_cmWa3)(_CGY;#P%qoy45P&3&MDqp)Bwf6i zDOs-g3^$hW^F5W-&*#5Bd~VUCIIBm^Vzs5xDSr>WqAijGip1j=k^ZNt9(+0k4FS-i zEE&G#@b}*DgC2I9+Pu(nblj!<%$4Qd_CNd568KZPU;{!&rs>PjN1s*)cnQ3!Vx4|D zoyr5% zc%ZRbqdYV}YAaGQT@vlrAe8f)dKN0R`(RB0ej`@#Ka%#6>56d@ql6?aR6z0dz^CU| zq=f173*Wom!-c<+3W?U!rPI|vXG#1Y;TBY5)qgiu))hQ>Uh5 zw}tx9ZueGq!cI%Tcsa+vy9t)Kh2eEhkF48UpM1l25{eB27wLF81@-uhjjk*svno|Z zgIXiaV*Jbx5w#lOu;YEr-#$4Y^n0@r4)3QVbvw2CZ^tdFFIFK{PEa#cS*NyP+Zt5< z=c!Z#t}pzase2x$DLcM(>&af8;?*hp{69giVv^zom$E$;4>uA5BIA?pPu%?}6CG&Z!a<7|eq8mEbTq}EC@*|oxiB;K za4f{u9BL$D2obzy^N9Vf*e6r2Z$`!*PYu?5^9+wRq{kh}%AdNAV@_D6b=J@=lPOF+ z5Gx!kW0A<`^s*q^46eU%l>QHe6f(cwr6TJ!*2~gLTxriVXCECNd5pnUF~1oh6d>dM zA=WK-_{{{zBzrs0E?q>)T)3yZFB`9(cJv3|@!L{--k(WnP!1)v)%VYAU%E|tlLpIo z!b~M%(NaMt*-y{*s5J8u< zF(a=;Qc{M@cgX2~x(|3X6$1rIvor0#;5g22YZMC)OvrT1KObQ(8)WhNwLuof)l`5a zBF2Z;sAZJ=w^{p!FQy+IpB&x9AMi0c(46-bt{t7*;!S!jmt*{yA|J+I{oL1PbXH3L zdfm|-VhBjHhiIL@FC*WMVf4tZVgB^bd?Azhb-#zc z+Xw@!KV5AKX^znQcO14F6t5&=cGdzp^p0lU<1{`jZ|SVc?0PMF_VUcUbf#cr$onIR zSqx35O8-O~r;a46eG=Xyh>owHyPRr%v&WO@&k;7rgi0+hkZZw~sRtH2SSJXx`s0XZ ziyuzS*sVQRJ-Sl!Y--HzL-ro2`$Vz>zjM3#dpV=Ayfo-gnOq+ihRJ(0U0T!7Sp4u( zIl{FaiG}qz1GLMG2g=L!3eZowJWZLzLlkeQSc)_)Wgm_I!iC)?W*qM2TGZF)_ik9< zj6`FwnJo=lLG0*jAN(uJl`PfkMXiqi4;;vJtg*kV-*Gc&W|_|)%gc*WMw2<_x~8co zgcH%;b0l|0R;6(NBsa#H6(ytf$nx<8H z_*TEXb{6$1Y4c9AxVqu_yVV0e6Hes=^9BI=1O^tnym#FX&Wk@mD=yCEd35W~ddme; zK98YydRX$o$MKwxuAVa{K!cBsDzXk8uB|~oNv01EIQK&Xc2WsYX?xr0Hp~qg?y}!sL;T4hPUCgHB~(!43tu12`VLvW*I$>pwhIL9F8S zA?Q)^3`pC;qM|^z6>E_oTzc_5$+pz3jWbt>^;KlTqZljK|6pa8l%-@eh)l-hp-|F2FCrfq5=Rfm)pMZ_(kL zwmSj&3y9PW^n3O>Rds*}vfp~*OcXq{Mg1~HAAIozT@Ndh3sQ3)EN?W2=m-?VY9JED zGT>=Ayu7NMC~F!4!6zIBMN>p%*|F`vEJ~#Q-Lsl`{BvI5xiX-m(As5x z1GzjPPxfCWqK!6Y4DPy9q7gSX5nTfzr1lvnM;R!pGuoU)42a5y=lcdwu_nA>v6+ZO zr2F^sMinHm9o8rYZfHWVYhl=dgj8!6+SXLL{YmP-Z(3-hbNB9D3?^VL{fi}7O@a9T z0lK{HspK#aN$qa_=L@(=HL%0b2#@9TX$7HsN0aIX2u9%vZf2!Us=f{_FZqG$OfE{{ 
z)CFT`Eot7^^V#^E*Cy9Bi?zR`Ane}~Z62d<8_~vTmuRKjbOS9jo?V5C4NwDR0xD}4QBa644e?rt3JIWiO5JyvyE5vM+7 z96@PPQfF6eR_4qPh135hVRP2_yPp3;*?Y%h`G$YvDzdVvWbav4k{xavD4&(2IRK&0&;JWB>(MT- zt+idj!!%o8B$CKtZJqqQ_WtDK%UpZV^&|>;@sdrBiTNc4+xz7tPJM5zkyUYWJ=;(J zS5Rg%clWwpGu&MZ(8HIIcuuFsVndWevLX9Jpy1ddw& zdXqpeTznDAzlZ2-zUp!>N=CA2=@N2R++<}H3cAN0$Gzh~qGJ>L`mXQHO8mMu2>69J ze>^cPA&KOdYy>|6J^*hcaGb75#}VMDC`91u#65NOuXeYeK79%hT`yB$0L^Njm1yY5 zO)lX)j=~~F;NUhLJ% zNuEQ9fVmLs)?024(JysEC4zP1ZuG%QfIuiUj4YIwkbIP$&&xSTkw4pHt_9qU=g2h} zj7?%3^ckRl@mK?I95PfY2$VLt^M6T2ZDI94WTp%NrNRMJDu8#C!G2I&9$Ww+!^ra6 zYO;E;G#&xX4@fw$PSUi_2dGG3x$+n$qOTEnP%Y=P;6MJsLdF-G;{M$>ceA8s#ZQua zRa4%8n&RAmMq@`3DY z6@S1)Kb_r6WwM~e4Y(bkUWh|FfYV9>0V8DG2aqyA@&fykRXNzxg7mAmj1+VkW#v8) z0)&YP4!{+|8I+Zk8`DGJy@Jr%8fIC;&*6)ATcYs{`2RRcCi8DZfh|SL=^=ClCO2VO|{si;m;A7vSbO2M~$wuC7lJv43Ef zt5bDf2F4sw8sOmZC7KQ{3RTcJcz_;wFn`VN5O+= zNb44d>6R0nR%iT!bh0r@X6i`u>g;PFK6AkXC_glP?QcWk2VgKmgz{LrWDd!|Np2K# z0jLTuAKlr&&oo;g#cpmPOs>KtJ%K+dwflY-4Ba9 z<(+s4p=4FCU$7jOgygfy8|M0l;oV=V>)I84kqx?}z#ffeZ!a@rCBIzeVfNwa%Q?!Lc%rI#QlH%8;3v&hg8Z^@TZ!Kz3&3lqE+Yln?@t`I>s~Ab2ggVWyPmr)7zv zl0pG@>^>-PH8?_61Ny2iH9aJ*K*IH)?F}SoW)7!OVAMH8P|F;!1QV~ovi&PfTudzW z;Bx(du=_425s+MpZU;00kTfPbdSR7ra5ZJj^aU)vP;#3DY369 zPN1Q6oviKUk1w3PJHq_njChZtp*=`I|Bf$^w-Y!W!K~moLZdoRuEPnU@c%!DprLW= z+pm<#vpQf!f|2p)(KpBe295ff4uFuA5c`+Elc3LA^U-{rq;ICrn=kpwJrfe1D5;PM zuR?r`?Ke?9I5p+D*h5ZVyZ-+0V%0^I z$zoY+3qXP-BNY`CVgyOcj=_#^4TTCKCO+B85eGyVfWTqWf8r-BBy?Vx*v_FH;6=d} zpgMIR%0TL5vwh^B;fni z)QE`qZ{8$S17!~)6w~W~hgY^G%{xau=QCTk^+nGAl>i*P{l61{QrXKc57EhTUu4Vt zaIdnJR;2SMoLZ%NB`{vASEuAlCeg~6;7?d+y}yA+a~Gra4U+bBI z#8oHHWeYc#rxu$R>Ey6nR3f+a^c6ky6(zm_wOgLfX`tgOingc!T^FFb;kCCv5dN?%R5p(c*XG#-Pm*<;Q)+K3930LYUa1g zVF2uY4Mhs*vDzgtxd9OmcnaW-JI)5@D6`F#0CX;3ywA{n{}ETg0H`eTF*k4&VW5FT z=gAwPH1{>Zny`wBo34W?DJg%Mu2S#sLXPpNYdT;aukxJR{_>~)NWSR3Y$N4&sxmWu zJ77=z^}8YpNkX1-+LtK;DQdm<+F4pdEsW^5o@uK4yX*yRTsQ1URs|A;Gmw`6GfxG1 z>qPTZY;#N$_6@L+2HnaL4gzr&KC=sjj1>k>l)cEk zOyFYzzz?XSLveaQFZi2R^h*1ee*R!V^!2?9Qm!;eiy2a#t|pfi3yEvUnA7cce&@Ev 
zmgr^cu&VD=qjP}ZRANA(iG+L?OY6}{TzgRN<6$F9$+@ z%!y2*#T0nMWtGyUc}FE;uM1L8#uBOSORea3HL?{(?x zWP92eyZ>$bHYLQu3L(3H32x8`-;leGO+VrLAUT1DC)@C3I;G3u8XX5Dh}L{VsD^-0 zly$`GPWf_XCY4BJd9|i`!1AghdxDl3>dAbEyt$~=Q+$z=HdRwL@c|Uj5n*Bh(*B+z z7y;k96^BIeVjngf?0-*76LiR~t4l_Lnjy6LWg;S;)|K;UVdz>~-uvAK(?FE3xbkPi zOV|aQuG4Mrlm3v59r2-ll76cetRZF2tK)+Y z|4hdpa<3{zVL6my>U8KOmK6o5Cf1I>dL^LOYtN%LXkS<+i*Ev(E3<2T`AM;$Mh9$B zSd?KF1I=EPc{r3E5u~s~gLMmHMIhS)U&sFUjeoli(8N)&z3TJY9!D@Oqw6l2ucG9t zv(x2Et?hH+hCU6e3GaoC-lIZF8;7Rdj zMt@o(^^T#j@xkHgwdJ2Yxan9k7l}v0&j46UWYv=hZk#AiE{W&LCYN!rbvGrkV(f$; zy!tXxYg3Vko}3V@YY{G=`1l$78OrX1b%5VA9X&n&QOse%LLTcvZ-SvZ>2PMHf$e(r zCwh^5Nz>>#Y>A%M7A?7dC402Cd_sF1i7aj+cM|4NDa8;wrya+N`|CC2mIWo z+k1*dEZOm%rgg!&w&a1$4}0e_eSYk8t?WCo|1u(mKgo68^bGj6v!P>4NWLUv^`{Nc z=^!Tkxj51-0Pl}Fejm!?R-D5poFzoleE zDsn1vCe+mm6<5}z^kGT!V_%*gz^4Bf*`S$(RjF7E1U-uOrzLmcZpGJuo3m&Tl>9PC z%2|;?QtOQ+fuIu5a~~HTRf6ai+xR*6*=A>lzw`m!;)_U}#=0`SY)N0CiMrYeA-CFE zr8qe){9jyk*l669Jmu~4;9ms7Opg5RSDqr!G|5QJbZt(VC+`v*iMJ9 zja(#j_^r=hEnp&Pvt@YCMdf>VW#1DjwfXrDMpapo4{6}z#>!ecW`&3ai(rCrAY}Ab zLcj%ek%;BxKn*aZg=h;nW-|X~GCK;s?tBuXFwz0lmjsV|JMuO>v&x7kt6_u3{ zAR!IMtTQiU3!vy1wxb2Iwz3DrLg@vXgqWF#G!Uk%qR96eOO1C2bhy zIKM6)6>lhkU?+*8ovRBoB>t%;3fdm?+0MhCn|MZkZ(^rz2FvB5EwzA}F(p2INO<_F zi|L1(=%@1s3?LH%HCse%N=jj*-zCSaY}n?cr$0x6ipTl5;-P-sKQ!4?DCrMl4z~>$ zJ_+a&^n1`?a6zx})@?w7c&EZvaOV9-;Xj)+8x=*yFml2J-z3S2Wx60-dU`W6EvCpI zcaiLBWal=s2fy&#^AcU=URC24D|iF(VAHNwgm8rVHerk9lP4gq0jZ($)cxJvpCcgd zU6ljg9Bd%~5Cg6Yz?}iDvtOIO8?twQ{rUw>n*u&6l$8*M0o4@(ua$NS2XH2Yy(sLR z;Tu3)?E3opX_z*LrZ={(jN>1D4@I2{izp+#AAb=%u?}4Y0=I4jJ{t_IKKb-X9Z0_N zuokKSr5s)`Sdjl!s0Jmm%i7^Rc8fd?GuNrviLi~0n-p8KqBqudHVBFGd_`=uMd{TO zt=>)YyHAFVkuWoVYz1xP>a5ox%s!2PHX*xm1w0V~?gxwx*dtW^jmcoQt@oRuLZUG3 z|6qs$sRuqv4Kl{es$id@Yt{r?wg3kwRDbs2>93AtFw{_+k(-z5$)d3_o1296mA!sgP z&;lSl3|V8y8vKt_GbG}q61RaJho}Inkn5K>7GhM0fy?d=9EP327j`o6c2OE9h%8UF zc*yO7UpR2BA-`BSLyi)enVc+4Lz#;HVQPX%%P(Oum|S3I4-zPsv%yRZS}-p+7cAfs zD}BHNkwgvl>6Jd96auyqb)}`HGxtnhuYjfxSO_=T1M(R{54vGQa1$NIlZkjm;6-i 
zPLo`|uwQb+b$2bRq&1JZc06O+LgRjZM&QgmsbLQ=lu_G2aN-7A>WNjbyMv7OIhTk2 zVB}m6MtBEyJ|B%;!S5}23F_C>OCA5?@!Z7&Gz4%$2|$97`h{crx~ca@ErHzKDv%IZ z750YW!I`&nqYv1tw45I)e!$_<>wjzD7fF-{#!VDklRi<3?vbe}t=ymS%stsWPLY8{ zoE05RCS6KM%}l^ou%ISS#@Vv~rjUrLc1jY#UrmV$C*42WPZiY1XOvPsRM2IUgdSw~ zQ7`YP<|Mm`3{CmHqCtBOu(O8kK4EA;*yo@`t;^uOpBpydMmZzSb)fi;@ppJ$NAVhh z69vv`L5Ftc0oTSS*lZE^(XX5VhUk1>oVhGt8tK63IKFlfgcX+d*e^V21Y78Z@;{36 zKsgH}7WuQXgU0_C#Ic@wDED>ekfmKY zG+S=j*+Eu7*uA5Jbbj!#HeDeOGU?fyvhU~;-s)aGeH%hnFsnjH)uP*LY40>?sdt&QA$dXW>M|M?Gh zQ%>=3$xZ+xXlg67@pb@hd2>ick{s5pD0a=^Z^k*YkBE{^%X+_N>#byJO% zAHiA7oL&zYaCc<8D9)8I3D{g+yfg!v*s!~Ue41oVc!zN!AYg7$+Jel3C_<8==2s*= zxnV--TmwWUSkW^DsUFww_;l_W&e}d04^~9%oCFeno_u?4+S|G%MrGMq9R$V#Cytmb zo*A5mrFuMVIeea~lBU*l@v)zQJMR!n<~kXR2zgsj$Klw-H>{l*;bRXAmR&E!_QfD= zlCPfR10XeqR#ldst;vdLRa~%-$(IS&Af`dOFRf>D-4`_J`vm@AX_RS%c?pPn1XWJz z<^)d81+PRcWv>X=<&_83iA-jyM;6w08Wmv}DgtN`=yoSjzJC~=QE6#h-u+yeWPpTz z|Nf!(8t?%9dXE5Ew7d?><@0>sYG@_u~B1yF=2)P4f=y_01GD5unW9)g)_EjUtm zrR4#qaV`+dbdH-~DH5cNfax6MYgV739Cp8e!!B_GD#tMwz*{JiV5HmF1R&F2xbJ^V zpDHmC5ow*s&dx-1+2&PkRi$uiCwR=w6xn^2cP~_*E!4E*@@rSrk0Ec61t= z(@1bV@*6>sO2^(Kv~?~}+}&yp(?F*(13v*sG^(|!2q?XcNES2i62;9?u9*O6z39}? 
zFteM;0{!4T5un7J3q)_cYX<@Fr*D^ynAJ6nFDug5e?$vo0<0G}F~HH?*XQ*$m<5>& zc&hB|wm))TpflfT1PTd21goxo28l_?IVbX%$bgmuFlj;AXKm(*AJUY(4*+ChP(=hW z^S=QBuw{Xl8>oDFE=*BQZWMs5kf(#7Md9vU(;2+u4sKlaj^Qp0$vrNsj4~v zfN7xrR!!i||4G0ELIP%g2Nu$W&$hO<-oVP%*VBW7$e~i+)#6`I0I3OoL*_!PqFEbr zt6p1MerKbFfJRt*KY7n!|KQ8<#i7{asxFhz)BQ!R>-X{aABh)>?Ak4nc^xO-&o30& zZG3X={o&MmgBg#R->d_E5ue+Utb2(i-RuJf-rpKlN-oWG*}AUV>inKJ*|A&GFKOIz zn!^3Oaq>i1oT5PsFKS-k<<5q9r?20-%D!>tpAQ~CFe?*+>Djy=m3>pTst(9p1!|I< zLbx$})Ijh2fy>k{ND@t0-8$Y|g(L^0byph2!S9$57_;^^HaCdC@*QQ~06Q4a^uoHm z4cY@oKsN6#`HYB7O??l_WIhJ@E#!$WUuuDA>2}&_eRZ{ta02X9Ae{hkVeYh_fLMh( zUQw?d7zym7qwMa$LVBOxLdE-I2-!g*E)EXtOrSXN?Q^^dFm{;@;=J&>5BPyR2{i)H z)f)Ly{bOP8)nvw(?{U|Kv~_p&=Dsw#2b~a)9KKqw@MHZ@Rg2=*kMf*iJ}T~PaVQe7 zPp^8h=dA&qM0^iVoltG-OXFdP!JU=e%^v;sL$S<-lGB|ThrQzBA$q6jr77{oH9YkW ziGb51yKj+^$IreWzBdO2DiZB=CVIEqdqs^o!|>|t-tGw$77uyTP`@Y@9Y(O4!gG+$lmW|$&I5S_bfCsl(PNg=y*G33s9ti;7_27jo}BzVUa#L`JP+IN z<2ul10jnhh0<`@+m(qhEjUzVBaZSYGQwaIz^^n8{Lyx1d+@;@Gk=#y#H51={EE~nQ zFKFjYd=#}=c8;02exJQYw2+sNq}=c&QcGfV=NuszK%)*<*BWgW6yg0`w-AV<01`rG z#Bb>R10Y+|&CdG!`vd5Zl#~=W0I2FTD&u;-nKBXTO>uFRFo{B)s8NSc0NcIb%y}ACC^td_E-1(R-gwxN-YMg z^C-V+QAtd5f8;Yzsr1_2@D|pln2j%YxkR43p>Qo~=HuzfdgD_?v)ICoY-K_seve&j zBGIG0M3*InPXzlr>$eT|RIbsN^?4?A>`l1ro6Lb>vv(EiUVFizmp^si@%N18buZDx z=^4T$J>J@kcbV6ehm! 
z8{6(tfI#Td{}OM>tfI$@Sr`B2Pv}LEhX|RmSEue$toI(P$a7$6V?u;tX#~ZL3*}}i zIMxP~%Q`y7l!w;3RZmDyQ9p%nw38xhph{L6v?>`v*KU#ItGRjtJZJlo+LA??22h7d`5h}+I~>w#E#;1^z&gNKakxnRYn_(Gcgg5sj58eYJI z!y12&h#u6X1?en;I}H~eVjsV{Gso5FW>%&F19)hCH=mYMLXkrz0 zHhn=Os^pG3;uQ#lfj866A@Le2&XC}C0I>1I>PSTOsrT-QxLE#HAI0g+7gJSq^rPc~ zsZ~j08#e8ab*v zp+h#rxkZPgb!MzP8tcRKBc{>gQ+i}o`tKy^5^JW@#EVys#LO3aOeK9?MQJLSL4VTW z)yns>G`qOh^rLd-ZoXFcc6#q4jfGKpdk=z#n(lQQK4PqVE2l4`)bbapor<|5@!w4~coff*Z;xgFZ~&v1S-K}L zrBn)JgSYyNa15HsL&d-2e_Y~9Gmr0oE&Z;b^A|EB^?}qI21RkV?a6O0G<2S^ixSmo z?K^Lm83czaJ=S_BKyUVisQa6!XHoc6mUZs?lgYgygR=8IZMmN>-;T%sIrAjNjKMFf zirMqJ-s!AJhLlTx!_nVbyD4=9Jy*iWy2R1tc;5{3XAO>-LdOJ7oRM@ zci@)QJBvV*3q04l>;eT_ZYIo; zuspUvUgR@Ic4aMC#WBV(n$a5%C;Bo_Minm7Ju+i9HYS#60;)0A{Ft?i@cW-y7Z?iX z_SkWoK4i*Li#smOr|GA$R<9p?$Q0mmVJ^r-7|#xV{4#0XFLQe$@eL2p#!|1tdgYt0 zftvFtC-LGZWz_a*uh0E@Z5~&;I*{(VuW;LB^ZVkI=hDFEL(FTA)92i?WPTlayPe+g z>(kApiEr^BpLX8+yiM&fN43rR1@$WG2;NzH?QjSr3hrwPN$XiFM7&VNTv6Wr4n+sz z3;nkqXnZkaa!*kcOYRt3ndvEB(ixw5BEq>+h+FyDXvkDGd}?<-;-2lpY3HT2Zw~9X z>OKkUnvcl|KBkQ4_`VR;n@lj~BK9KH1$;!^_Xs@3?5D%jy&gqvtThk5IC6gbZJ_=1 zBtC#ylJeP3Wy!=14A~hR8Zmk0^OXe``y6jgO=i<`mjCF8s+0;EkL$PApW0N;rKCZ< zvb|q^yF|L$nPl3T{0}RxSx;ZvxHS%q9=?)_6^KLwM!NSW&3W z2$SPYJ%^!}WOF>%iiT^qZjRS)rOr&h_zq^u9&QlN8F&t}JXAsz9haeIA`U*$8lZg{ zN-5syO&!Y;xbz!aXxH59w12DL4@MH6e3vO3gLIs9oWCX!4u5c7m!gDZ>4_{S3f+B` zdEMkUeVWZe%h>Y}KgZjASj%1%ZS`?{HVV~cH*1A)etSxYm<)y)r!wr^3A`6x;_!;< zZqK?KS^K@8`-Ri9x4X!ztaX%@Oc7gASQI0bR|&07mor+l9r`jDxAG?GOgO5AvK z_#}Az)`~KED%WSsU2#wF5d1wW(*DW3ZrqW5Aj9&h+Sm5=`T?U|qC_u;&ylZ82n)-t z4qFP@XJ44?ev%3@6CQ64`TW7#zZ;vLXe(idtZ zv;wN$y&Lr70_Dy~l3>Kwc5$!o0TIK9p-Pd3>R9q`;3Ma3)Ymd6!<4E8-)ojFmu`{OV=_ET!b z*P(0LZpe;K2_c@2c9o4y5|5wg$F8a=l*E2L)v6ahHuO9s6?q`uJ3x1~WH z7*!|i_gLg(x=+$}sd4%|6Q1T$C;f;!^~vSoLgstszn+7!%+4U>5tBj0cJW8?y5(@f zX65zXmP2B#)$zmt$#4w;vu#ziu*w^vj1NV*f|8e8D0)@h%W@y=4+Xk?swf$wD9vUG z?#LJ)-nHjk4ldb+-Ep$H{(+S_#oKG4B~P9@oNK|~@w&p~b<~F|Q;}g)d_DfohVJeq z`He#U`AWQk0J};7lk?Z~hcaJ3@OTu(!mo`FqiagU#g)SIXx&?P$b)jOnx2#IGLvSO 
zu|xHJu24(un4&lj3hSJ@!9Z+{XB5`GmhJ0inNDBwss=Ce+xFWPz`QE2Gp{oluI<@; zli2R|HS5y^n(a$y++s%nV!UxM%)_zuo$g>;-u}p6#4B0_KUlGnvxT04jY0Qrbo5x4 zv_z|~96ECynopEV_w}mZed0nX{6>nZMmU!GVpGb!i}#}M1RR)s>9P4S75Z>>EIS!C z`*j}sQ!Z8SsOU1rWZq-9giSa*7N)Y`zq_8MKRfD0Bcz&cOjMaew;uYuW;cX5W$X28 z{s;5lsh;B;w^qrCUQJT?EE~ohP%K|&`H3s&(Q9&cy}?cK5+)(Xsy-9KElx}|g0{-t zMe5L-+&>?nf8q&|+SYcdFFozvwTpGTiLX5?@=mOvAa3#Q4dM&JR+ZC1-X0Mwk zEXGDt>IO$1IP{frc{8o=Q?+XVKHZ<&cDf$r0Q@oye)c8DA2JKeNY9A(NhQiLGw?>2 zbC&h=aQ=#=W^{~grk7LUG&TsS#z6bP{ewH8pC$&3(xS|_`o8w+H;jw(PZd6;zxJ#` zf{A)*)QCw;b)VU)pid|E_a@C3@rj{Q-N@Cn?~0Gru=rn}%DMU2P}_-al9%71mM0j< z@ahjWi4wZ@@<#gUu++_U2R?c6tCbDoDmP6GPd^7eo1UQv;xR!DRvmsJNi!xtGfIw*>(?i(E2};fleCNmaJ@2a8rw*T$inP6R{zc7LeHzL zvNY^hr6Cx(WO%1e^YJ6)92tGoKT2#fS65k*1WQkUz{Mr*Wm>#CpWY zmbNj`RL@WQhs2pD_XG_XdFtIG-+pRd1vB~MSI<727%rzR+O%b~MqXjEm>tUw{AO+4 zO<}fACWd&cd84=C5Hk*Ioi8{suJma5R)1*A_dSaR@9OtY+|n|K1}mJzlBpQXl5Dh1-ow%IDCyPY@URQaYc?M4LwUa3&`BC-TSiJg08v znZB@zjpp;|tvcC3eQsTr_$r@)sZmdR&a9S4n)41L_Bk`oyFZ@|2-BHAld0`F-gWff zy@EmI=HyK$cvEUs>(Rze9^O>>M{WN%+mk=&@GJw>4(E%6k}CVm(^jp@Uk$O;b!wcqv|_qHTl_3G_o zMTS05uGeU?hraZ__BI=H15RW*pey;ZeK`phdn zV)F#(h}`Gt6FJQp%@fPiOT)NvB_tz%t8PCdB#NR9x!S-Qc6tuN#f3{6gb;(h-m57^ zem`#_7Fd%?_YI~qeo>)2W)UJ2+sz-!mGJs*CS3q4akoZq@6Z7z&9_JfmBZ{#%}CXA zT=+r7!*vvtH6)m+)>{iYsw5ez6I;oz9$$uk*DkJLP7!P^V{djWUbnUq&kVJ^_c=YM z%88mz??HLT=$-1MirwE98lTHk69=3Udw0%_=$h@hDH#zX4&f9^(vZJF&kS-riH+tZyrvY;n})YJ_g5N0rBNvjN40}DTgc^>TgqOXTJMh zx?@{Gp&jF$srC6~Evk?BMp#Wx%B;y8hBo96j$EFwkfI))=_fhK`54s^-}v9fEn4-P-neAc?-+}e*GLn$T}_uyAl*v?LwS< z5an86-k;52Z5?Fs%a7pGRHcrz8%jtje6K)j2pw6x6?kJVY-@~h9Dn~_GyH;>!G30c z+ibFOzA5MXwCB=V&FA%0bE?&POkrvdw;H~inJc}O`Szm=uS6Z%zV`Rl9j-~OrEc+= z_htfDI%AlkN05DcB&$8D@|(j1vJk->gN~X?jL_%??u&s3f!4CNzu2%!WOlsM=a+o_`ej2+boR5ixxOLtxyOz^WR8Rx~lJR(_S! 
z=UHpKP3p%%!E)TVWHW}$W}Tc!`MY#sM0ARrZ^ov+eiEmqTU;;RZ)K&vg!Vxvrqi_N zQV*z!PA^@)h_;0q3R{)KRO_?n$e}+6LhT-<;myzx4|34NgMe2&{oO9EoOCk}dEH}6 zV~=<+v_T5Nh-i&tZ$8q+;`{N25aAo{glN^#a7iXq<6vOMm332Oa87UcO9&l~edEO> zHG`5Fx*d*}6&ZW;7Zd!BJ|HFLVGzpA$A`;?uHi4oEuDbAVne!UMH6C3wPQ#T&H3Vw z6{51kg~K#4e-xzS4%^!zasP_F@Bwl*|DE?N>^jxVkTVk;w9&k|t3M~MNS5+_M#rTOsnrfkIEQIIN+&5P%~9CvTDeYr z=TGen&Pn5OVubX?mZ#)7&{+6MFsH0+bYge}o?FYF|4`XzFVY4>n-3oBt6#IQer3lW>BoY z($=sioA}Zk|85+U@E>a)c)Z)9HCvC$tmD-9Rb=nnmg0^I zizAZmf)i#w;?-mBPq;&p;kZcd(S{x(!=^6d=0!l)MIVjSDT`$+??LExs+aYI6o$ph zHxVD7arfHF=YHkWhNKEB$#g%HyeVvSUbef{ADfg&6To>*kBB4?yb93_>gr~4a%OC7 z$z*VAjPj;$Ug&n+CF;fU|L-&cdkdKXArGGs$#$FGWbf)i__InzS;?63aWcKSO4`$^ zOUI;;QOL-asM{;87Y8xSQ)Z4bUAl4+BV^gty|a$lLikEZFuGS=TYZsHo-I-5F8yV4 z`NYB(ioD&t-90HUbrT=4VJJlPK9%WG)CO1Ua!w|dKJK=^#aS3mb_f+SIWq=bdG?ER ziKcO7in{Rag~Gd%5f|{-Lyd?4`eF88$AEHb?Qt zSceWHGTq(+3r0tEr&XTH69Uj=qhr4V?@r!s-Oip?&;pX<_sqMS*4fG{X-SJ!urC$( zlKl+prYvqrO+deeVDs-EqE^hx{#jZg+l(|ss9XwBj4RjeGZT!7ik82d_>z(7En_EV z;;?@vyPQN}23akZVk@Vd%bPnX|HiUm3U-ot1?!;ru`WDpV!5uFXdy$hVzeMfqC7Wl zGy>6MDMKKks7R#EK@=6DTS_ZQuk>#aus+=B_v>*Z#FW2mNs7rMPxX@4OuK$7+K!sDG{5(?ZYDtdwL*o7Kkw7U3mI*t_;H`e-q@`nry9!=HDkh0 zV3qlEa4UaHc-XQ}>|jUuJkyFPmD_~GOwLyx%h)y^`*QO&D&u2uV~B_Te)iHJ5=S5* z3g<$(@+)~p^e8*W*R*j~@7v5u&(Dkf`%oJNV8utn2y$-{J@+K{AKZJc8$fyUSA<1z z!&0ZX4k4~lw+Wr5hoo)$$sfy5_}bM-bZj+M!w=pma)v3sRt31C2Mk{<|I<4B!0kFu z+Q&$0+N*gjtJDtr--W_1U^tfyXr?ramgf>SUuF9`8MJ+cs^yN}Kk+*sjWv{(^t9LE z>g#)4)w8}R1np2P;sv1)*GD^PtsLz2*Mwh6%xrL9WlNS4rIpGG+*PChcXF&buq#MZ zWL_GcIa(A@h~pG|`Hd|Ysrr~l^t9feJZnQg;_APy{vpqCMAw|`csYTr^SF$V5xu~B zx0nRM2z+e9V60$dYMrA$?qBEu8d_jMaVcBf8|235o zmi@5SJ?Ts}2l<=V8bDb-WUWt?(zy@gn%PXx!o(DvBqxT0zo4Y)@#jXI?I|-%9OFEJ ztczY)@|Mq#Sh|1Ue$aHRiJ%=iuAz3{X;=%O^di4L8ZzX)DPp-G{E&s-Ld&!3mq0m)!(WcMf-M#{tZbcgcJ%>x+@rxTRpeI^^IDy4r)q&EMJ2k9sO;wC z@bhPi3O<|prV`I{?W|S%rMn^=NebHou`*ZClQSg~b_R&sKb)P+$5*=ZYCWB1wvskE z*AOp%ear9O-CJ}$v6r#VL>+zFdKiboC_g%uA+Kc$`IDt>EDVt@qSLhY^ktEb2=i>5 z&0v8{>{go?GhRfJhBy9O(aAEVr6qH6X{pjS(Ag+O1^fq&x%_AH|8+p__tHxM}=51saiH 
zknyOn#!_0*z25kpXt~+Tp2D(NvT4|J56?bAnCgC6P2USgwy@=Uk()Asi6sG%o7LG6 zyK_}7T|=YVT^dWD>yoy3>Gd8W(vGvQvc|c;C!j-)lD{+Lcpe}u&Z1xxz&+4#HZOVL zgkalMKg3gH)Uv^0P&P^{Zb|NGzQSvM9*xu(1aUJT{Go2%e#O20_<+1Dck{9vx@;_D zYL=g!UH-LQbH@|i+sqkq2vvW7L*COwSJs}a#O8I-ll9+3S=d*E{<)hM?NBCm=P`~v zz_1>BmDXHI=2!^RO0gW{r?Ihp5JHJ?miY6*r>LPcb38SJXO7#lBr`WllXJ%fw))XX z1bx-y({79SKeuma8vIG=+_J!o>`8dJtpToMg@o5{VvVxEo21MOV*-2;yt?>uvbg3qDk9)pp!5naq2Bk zam!JYxZLxOe=`c&B|nuEdc#p%6yj0z2ZxqNODT|itHMjD@V}_o&~Q(JWnP4_uSl8YE+)3i`#akADMq{;%dLeK3t~cJ!by* z=Q}PZ;FG#1+R#$4`Ec_u} zc#r68p!j^14zEwB%t}Bk^dxl(>7_rUeI@vL>0uLR0!9qs)pKX9-9pI3aWI?qw3*Cf z!@E<=^DNT3qn1(VuC9~EDu+qyk1x9PLu|C?b*JTI(3)mbE26CR^P7KX_;8zaIQ`;Y zH36{gz`{FVzzBXUP*@iU!>r(sW9GrzRiQC`FCQA%%zN4b9A19OQebj zMjf3o{x^x*F@@N7tUB3{OhW%Xxk_`=VkUaVvUtQ0v6WNoz$O-1^ovSHQugrdn_h8p zkgEE7w2<*LQw&paC&?$;*aAdDZX|NWGYeO~Oj=d3Ha{%gE+ zjL9ZKNTy`EOKgeZJ&C*pAx$IwzVfeC&K9rRW&}F^`(v`2A20XBCid($QAzf18Lc=p zMJEOfHu#1Ii|^FKaQky`7msG1drkzF@K6@HE%j~Els+RjwNVO#EsKXM?=8o~9fD7S z{BH(CIWJ|fQd3&6R_ zO;S*NrE(`}#Gh812B#nh<456T-zeF$h%1oJawkExMRZi~Ys+tM_c)x15>BUEN)C_y z-Jws0bohWD?LE0>@&vRv$puTRzOjp*Ap480Z;Y}g%tG8alc4JSnTT7zyu zyn&Z1V~A$olN z_)?m88?H|=NRFGWac5uC+Kygk`ozcX9~Ll&vkl%{J5LM_^}M~siGYKqczqI10pJR- zhy<(8N`0G}H%s%bhpScYZf@XbWNGlMlPNxz2JF)A@0^jV4YQ<&TdDH>E-KJpwrZm& ztVr_J{m3_DJb&6Nk~A`z<$46X$>XE%!1$)PW%YZa@pvNAV}ZePU!ZZnH#If&aJ|tR z>`oAx_jA7jQ3>dAh@HckQ!g-iSloJ2(omU`W4^V}xw!W4eHmT~DHHt8nnyEwpoL>n zf%*2@h*21tkwYvpwv{MzMLPA)M=)t?+^U){D$n2hl^CpuRlo zrz}aQ+s-u9ugJ;7SN>3?RI^))SgGk#hzt5ytV2yGBeE`G{ z@<#-{j;g!b^St;!JLIcqE)PRr9DY~AlKSjx(vxD86KOr5hdzda*%md}Z+!{kb66KY z{sE2_KU4}{qE0BhUjO-*y)_JjFZUh7$79)36X#GWV-L$r0sb`%4=ObbtIC}@&4^{N zS^(_PF`T(G+2Zrb-X^Hy*MMiusyE@P_ae3HLKNKI3`k5e=y{>ujrzP86207UG1V|y zk=>7(NS=Q{>IF4gMl-SRFXAZ)2A9&Wz)V?NUvE4)SaBd|f|wr{SaFrmn@>)>+=YS# zrk~As8=Pzbw--9M9HQ~}M=to~cX`_JPiTNN8*rinhx@$P6n0YM?C%xkd3H5m#0n~# zs|-f`N`1;z)@fy0J#%r86NZD0;#Txi9mRG z<a$V4)RU_k}n0gj*OZ_LcY#@c^GUu^Xt>$e`NaZ!g|B{3C46O zxG-&hfjj>d^cYwZt}}oOgxGmrz8%-&g%)cP#Z+$=g2OB 
zrf4}F2CD39OX*(>^&7D{qyrAL8r5XkpYG*=1CeD1Z(qsko#WK>gTZd6k;dPDD&N7|0K5!@G!^)X*^ZXZ9juhh06Pw*v~6a+f7{RB zXxIW27Rp3sx60I(3M3hTXz2TN`<&OzZh7wr2c2nKg_6H-qhDJtY5a6WMb`_vPS0Cqpo`LfFP>%qDOkl?KG4A8NP{!daEpV{SNC5Lr(&w#A@ zeKw@U{?<1{h1c-`Ll;*il45cgvK&B`DVaM>m-eD){j4#JS6o zq~d6d8Fk7D4UAca%yEU8Wa^mARu5SG$%+h#dl-l7vn3ZOkWXQ0vl*`lM%vVTi$g6g z#rHtt`F8-9M|xwUH}K~z^VRBL3aFDLL(%9D4-W;P4=Q5_J^sYVueUJz) zt}$bb{1*jSsQlUQBqmoR@AM92N7`{Hmq z)Brr3NrK=DLarj$AbsLN@soM+ac@t!v!Pah-UR3 znH~Y@aMMJgwbwz;OQ$$f6TV1!!WBBYR{G{F643j{<(GJzKs5t-Bt(V%d>hJ#6sF^3 z(6IvA;0&w^z=M}~bP7g)F?#KfS_1K4C#e8N;E=MJ_C7s^VB%A3|1|CXJz%DtzU=@Xo25d+w60}&jg<)?KI|+;K$@r5J0L-qyOqRIv1_h<5 zY4-%#&%(yWQ?TI$ALrD+3z0pnX>b4*DABeaWH5lq?R5O>3raHkS|S6gD-2}F+?SMQ z)*O)FqNU2G<+~7INX)tOgfk%^X|-ii?kdD8hp5K^Muda&C8j+}a)Bww&oH^G{p#$z ze@Zd)JMhWmPt+qU7nJ0a&j*7`W`C7=YnFTrYM}>mxz~5$8J=!#n1~?gJno%2QX(?3 z7vJwxadvbpeAqC4zs#uRB46NBFv;ml5iDcniiYKf@ki2WmlUznP!qcE$)$WH{939g5dQ^(xHSO1}xGJqeiMtHs*=t60;e)iT z>fsmYnh@&C(yT+a;JK3@ljxWR`B#gAQ;2Emjx#J z7Y=lfa}-Zm6XXa(S>=cAC6^u&K`Pm}iTx6tmI_X~8PjkS?&VfR^`(7@EKd5&@6gQ6 z9-Z^Vi`S=}o_Z8_)iu4|bBp(0V4%TX)^~@2N1C(^amVY5r?TWvkH|9ZyuIP}3{$qS zu}UKlr5r8U`*nvH8bckT5;AMp#(4%L>Pi^&;pBJUJXE?{Kv{b;pG0PJUj((~Kph!{ zEhLK3a=*%H%c7qoF-Qzq(F)mTFMFqt5FMNb2}_-A48vU17%oa65T6v4B@kv6zR2LL z(nlqPBSOoVYy*jBTlYY=uIONYRTI%3#w53;pi&`?s|_3-%Th+ngQSZTvdu8i0J?t* zBvPWr;SN4j!>XJGok;1GkW&RN>MVxA%fWI^9?d`HjgIcAoX_wjwUkjOODEJO_1pPM zw5)CqlLWmBAhRr`H7Okc-`E{F_Tbe`s_jH zgH`t#pugBLp8ws~JG+}zcMyv~Et|(R zhzOr2Mm53Vh12OIP+9| zK`Z*{Ekwm{)J!;JDw>l0n~#QFsBS&AJ8Nswfr4h1gxBAh_;a?oz4&vE39a6|DV1d% zT{22Pjr=d`f=16?crU=@9V;IRE}v4ib*dWuV_ZpYo^qm>1N&@_{~u9b0TpG}wT%jo zgmeoC3?bc}0z-pzNw;)^v?4L2ba$6@2nZ9JfCEf5JeD(WhIWB7MJoi5P?0rSN zd|Wp6arEDfh8gR0JR|Z8CT?cV_Hae#G!OFT2=dVNz}tQwz@hR6LspqRiLFuf&&UDE zz-M-Gks{6j*ldjammkWT8R3x#D!=()ihqCq?KfgJO;Qr;V6WixfVAO&>b6WlQCDze zgAhB4DBHg(j6(^O^+Vx{mhTc}NNGGOrehp|PSYDq6Ve=NCVo=LD~3bi$bUCjASgno zYT%FKkI6>^Ri)}Nxg}M0XARfEl~W&ROCAyHWFA103D4V9_rzV!muCf)ZZKf?pex< z^QNLAi_wY*AT^2-ihDYuZwq zRLSK2o%|w8<$yRF_!2`%&%cWe 
z7q&d8&Xn%F9pT7XD~r>(%BVD2`PE4fhx;5)58D)pp~6OBDuZ%dW36M>kBIskI}>G` z*WRr$I(m7lM%7djRvHSud(OGEC@52v@!-fQ$&N4BqWSs)zEoa~k|76aasB?A1jogJ zXHQmRcDG*`Q3nYNGfUNMV%!r!XTi8WglpZPPit9ww&aM3U{lwQGd9eHi4h|8`aSbw zn|~**I<-_lVHEHB|C6@ry!L0i&FHLJ%|F{NH@Mr{mZ_tCOpc4nSow+hyE*@)4H5_x zbG;(s{u^}&e0*o??cOS)pJvL8CT<$6kN9c4phLhhR*6VhNspS66z@$*TBSEPm9M0g zxJhe?5lve|HX~j{1wQtl^P0vtXkp}WQ(eC?i@4-1j^3E3t70@Q^1iqxL0n*aBAQ7| zy6cRGiD>2ED5u<%=+bL{xpk8!di75pDTob|`n8zektVJIUBtjH+mKQ{2Hm^}6DZgO zq!4ydtTQyeQ5z8d zg700m7w2FmeA6f6_pqGn#HNzQ$R{-AvL0SDau{Fdh7T1`jJc6Q8~=B*!7k%IOGozhTZDN9-Mqam{9-HF%YZy;B|(kk3kJLl zVE_Wvc>29sKy&hcc_^rrX^h^=BPNNpp2A6W!w4cTlB}(GF85L2f_otJ^538Q=RuV{ zyk)@kl@7ZOul_<(LnRt!X(1UlDYpGE9y10P6g{HOY5)52=QU52*_eK(8pP9YOpk>m zj7lEKXneU|r=Kg{6)d@UBn}hfzh5`XdG8}rd%hN@gjinAM1kyd1eCP)-S|-l|9KNG zJ$om|WqG>xAfyeKRG|v%It?27R(9OPb4k{39cEd{;aW9B|9wAcTXlMy85wyC-itOb z8YSMx$?-E%=W^rBP455qZ5RO-qW3bTV|z^34F|>AG6*dnKyhhYs zw?9(C|D^W6=ZcvUPJcUKiNX4A&+Ch+dDMN8p%&js+t#R&c%}x6vT&y))I|NySGivb zlc_l!x>S>ZA5Cu@Q>ZhZ&>mi5QMBKGKQe+kffoxy|52wB^?P(GGK0Q}D4d31Ev3U7-~Eo4;almu#WU7a}d)?x%8BmwoD zmFRxmTN&IV(%0>QW`LrL1UXIY_ZX`$Zp?gja&m$L${eQoCg-)WH)Wi_y*BS3a+B#B zAMc>7T8PnJOlFTVxvQ)U0%;Ul$DzkDFb44dA3kny)&e(UG}u?=LGOE;RQqn3O!Hmsv(C~_%%Uc;c7rFAM@1@ zE4oa1eO}A*JUNE~0n5n9R9GFZeVzi$kH_y`xk)k%pQ`oB4?q)_X#-%xo3~2ZKQ6X? z_*jF7M99xK29s)kwk~Do6%aUpQq%!wO5inf>Xg%lq`oU#6z44tzixR`M8&tC?@yf= z^nK|VE|cANg}nE>xDK=E> zay)d@VHo1F<05%Cv_46H0Bft&(f%p@q&kEaakv%}6Dn!n!PXnL` z-3J~^MU*)mFl{gq;M!)l%q=Z1$G?ByY3ZPuXhOau?-l-cR}b>6Bg;CM5QT-I?);Jk z2P^u4qW|}|l2DIYp~dp#hASh!eh@)8x6!dpI9fQ}*e@=v*a_gaARB-`HG2FNSVW8p zhb-qZ`A3E*#_qPLy>HcSd(_(T5}q#pK>m3R=4;oqwY57sI{2+8VjrIz`XC=I^4$~=$hqjy7dSw()Nw_~IS&x^WKCX2yS@o;x^m^mNKWJq=fdw# z-S2pBK&*4!8!u<#YZlL1-om+SGW3716%8d#&za7Q?!p-XV&p?$JW2Ffj`8ef)4;&! 
z4Wk#WMpQhZ%0;yM^HD0u^zOLLFwOh-?}a`03(1M>!5#(3_(KjV?{60wcf`Q>b^Y=k z{ssQMv4H`g*9*$aA8MP$oeoU5>?qcM|E_xy0grrkb{6^$e1k&bhde`Ter{lY&Zc4^ zCZN!XNmE@z1K2t);Ql};G__O+P8nJKYGI+z^nnOf3e~bl z?G#m(3&Fy`>p?blK6+n8USAO~Skt$&<31~XXl!8-@={$-j|hQ@;`sJ2eLOE-^UOqm z;ZlGZ0glASJot2rEQmzlI>9grysIOhSR+=*(xjI&Ad21*nIQSfO&Op}=A2&BN z4!Lp!*aAd4Ul7pTU{d<42kYdIP+>umH6F_s4fobMVL<$x|ED!68dg$?%{nedHW@@( z>s4}2qTOiR_5D;$np-vo1`R*9W#~!Prv+w}8Ot&`_B{6COMFJhTLKtWqAJDP?Aw_+nyqor5!AVBw2C zJ1*xtSODzM%BE}XhYwclxa)G6FjwW}Jq0orz>?g+YR9$iC1@E?u=u~x^MG6W3`+-0 z%z&$3F?;|^1+>`U(9o6v5CGd+Tjeb+SAc(cdXRKB8m$52uo!+0II_$9)=={ev?WOO zRO@u zY;|d=0;b~wM;J1zai)oF@&vB{d#tXm{xdASClyRIypG1Fo=yAWln;G@Hv&Tl3i?3| zn3J^?QtSWMf*bVV0=B{&hMN6rdJJ*veEm?mRD;}}QO-!5gNjhPLdnY*7-F<+uPF(f zaGdV(z9}Ss`_2s=fl;00zRX&4dtk^O%5l!0KM#)q{8*sRdbTxcl2y6Lh;Lv*1VLy6Oq&zFw6#4*x1tY63 zv#s?t7)Hdu27Fbl0eLy=Tw;6sov@bv$;qp@m`Yw@K#$7}y12&xc+laYp-d_XP`Y^@ z{x-MH<)TWru&~f|Ut+TA8XX@WhxHKfL|!^=`P!d#T_&BNDNtqm<_QNt5Z&F|TX_du zx?d|RN9!)NA8Z1CO-}1xV1*ffn#$s4zQ=ro9CQm5_*v>?%<|)?iA_#H!QyVh%*+fR zq983 zp?qx*cXxDg{^QhrX3+wQ2T+6e37>4iU%XjsMt zFuQU@?$?DbVk%KnAf4w#D0#xsqQ%LYZ(fVBq{rm}XQ zzhnwvlTJ0%v@?Wv2GoFC2mK&kXm4|_1x!SZD>u8)!Rt5tQ=V$xs=t^b{JamdywQCC zkYFxXW<9yQ=?aLbn8!*uq%aH=885g&w4iLqa!{E5Z7`CAK>uGvnANXa!vt6QKy!){fg|0{Tf#`6M1g2KEkO_zxGYx>;cUSRe z-e|R3@o9H&Z!eIuw6!hWKeC0Sw#-pcQ-5o7AN1$@kv({?K{+n85L@py7?NykY+w)x z>sR4*nHdRFhqX03f*=sXhxOJq8VMmXn}Wp|JMBS(s3;Z&vFa}+Uq5I1sR}xl zXQasv2|YY-u5a?5R}hazw`jkgc!WV0Ct>si1^BA*7xg~%1il8$+69lReq*`L5`7%* z2n9eRQU_xJff~9mPFYglSUEZQ^V<$CPuA3kn)v>j5rbc=$%wxUQz6Q{1G*!74J{F~ z!H)5?(M_J>a|{NhDt7yk4|q-NlzM3p6weE$R_LZV0;8ere3jI46^^cPn=A{*x16JZ5EN1OyhXuB|0xAi|<%UZ~d>(U3+6il1I@ zGkhHjmSq7}PreO0oFo0Ki)iwe&Cn5y^OX3fliT30YtnIHW0;S7mK&l1=&aZa|*$MVS0xGJ*^Li|8=l^>M_=wLhJAuy~2 z9DfpLli=Jw<~xGr)UbFGDDW!01kIBzo3N7vR7?1oj=CZxZSI=AX(kGwc`8uzBiR=@q^ksdTb*a}$_4 ztpCD@?km2m29SFgtBaeiPpg_WdnY&ztqTVov@afl3^Uw`&ALGDF0kK#W(i1=TcV=h zM@B|qo}Qdcc%0_>;oj{l-(fL@-!C7#z0=_AfHREwtU@b}SBB}Yn-4l*u9%YCp~FVR 
zV}!HGq`NB6RYf>hW_T*BBwz8@zao6$n0`yF)o3z|>F1)P>`T`yOl(W(K)&gD^?K+?*AGz-=r_*Jru1(V zAtsXnmQEegr&5}A?^&)(+)!^oYlfQtAKHWsuR(s}Yhvn4ivLUfvm}RqT!@o9MGzw} zA5>#G=rKPF(N0CyN6MYQhD(5n9nXy+-s7iY#v*gCOCVU`Pq)%o4>4}A8h7SXWc z@T;)D0KD;q;DNzGbKlE|zP^5PK>1=N#0LbTeT)ZS6y+NGyaazyK$fftd|wi| zqvcc_4Q?^aMZyb=+z>7%8Z001ivpbU(9oj&3MS2uh=>Sy_7$U@4SHMNa41lE;&^hn zv#_vmc!d=HCUqFjs;8T4Yv^dXfGuhfKS_cBeS%LxjgH!^_~Si=WCuecKjMCzVoAXxppV6G2_w<5G)@wK*RjmFE88wn}Sn!4$Dg9JV*< zGF4aS!>Hi-3JuBhr14A{92;|ohot};CqdVZY1k?YzAK@HlZ+W(N`Q?1j=(xPJj~;u zW(K>jpAbYJ9-o?9Wty-@b7nIQ>u8zz*H>{AKL^|Ff0VgE`!Zm^X@s1g!UKWL%Jku{?E}!|>jpp^ zT&|T>S^20+2_-V-h&`vBGocd(?-_y3GX(d13i}tk9th&^u8rfMtYNAvAQns%@rW5V z&wxP+0pjP+n*IJUF)`5Vx;me9Tw%FxCj*KT2K49Cc0aNXP)b$gbgiZ{ckx3U+oG1o z6KA;rBs^W;!FbeLCN4n6C3^hJZb>3fQ zam)U`JdcU=%0f&#B&)tt#0z6`cc&|TikR3;i7BOhNR$&SO2&`xkdS?`uRZH##0`DG zm!E_3(0gRvNn+i@n(v{R0kxTQJb&%*@g5jpNrS(Vo;hqY!KD$9nx=_v&FXFn3JSNc zKpYCeKIlhuKkm7JV-~0-Oj)XHF&CUtI5X+pzi$uc?ZA$OG6w*GQrm@J zYjSirtX6&ecnzM6bY@S~PHTBOIM2btlApi!d#T@ZneF;@6oAu^!-Q;XuApi?M4H~3 z-fZg?5d?4IAw0sbP#c_^mSfQTuw&PL^r$>MUc>-~CLG~FfDd@})YREGn!0wJ#n_sw zQ>VM1pF&#_zlfyN&#?zqn}n_M-@q7lgkTglRi5FnvjaO96zM&4(BG5ox}7mfN`#)yrB2yN z_LrxdeGvuwE!S)TmW8{jdq%YB9#<;ogzWEsbJH#$5z?i;CjlOB(tyw2(&0Lksw~jI zIgjI`Z%jyGa-b%EZL&3xdNKBIEptUhs?Zk@If6T!9N5EUcah7c(VbNuD+&d6POafT z<-2xk|MxLyyYR!)*Xmcf>hna2Or)?3L(dT%<0DA>#5CfAPM_MzCQXG#th%WD^O*!D zm64W^%gN51&;C?pS^StQnCGF2K zOJc^46`Yms-rX7@&B(}@=&FK1{^Q4A4FUL>0qsA3{sd5-H84xpthNURqH{u*f=a~+ z!5`24M}o`#ulNnOCSw<#WhZB;dB>PFyPDO{?A`oYWE2!1^=d`&H^EK`wngxWT!jOK z>jO&eZZ4BrB_bw9q~*>4Dn0uY%8R^j92vENL*WTXwh+MVIrLE?A0&7 zHdHa%FWeV?pB5*@L1gyeokad(lyb&5&V6#mke_S45sNpUH<+F~PBHt;S*wY>HQ&7> z{Nd#j-^ah&AG^=AO6iDf;DmvA=-V@gy&DII{L3WzzrQFnQ;MS@VK3XF&(M&$yBFGj z5g_6|M!WYi8zc1tkh~ssAvFUPgt9o1zFRd!!3NLd&M#k9m#~NX6F)@xxw$uC|FE6E zItqnz$LLosh%dea+qt)Fo-1Q*mDb!>+g2Jfv$I)ND86ZZj{Rz&MRwOCW^I#9IsIzg z!0e{y2Vp;jQ`-ynu*heMh_a?Dr^H!@q7QX6=CFTI=ZJeHYU-6@el7D05ipTjFJ?R# zG}sOz6Q*9@)uR4c!5{E&ZqbX4`xlCJphIW#SW#pJVFYrqPqa*Ck*?x=n 
z@f;1W$lL7}vC~cXuSnyfgbulUB&_6vBO|d(9o_(6v4HZ@_hrvwyU1dC9NR{Yxv7s| z6^WZdeX+*S4K$wtolO6+xvIUZh6jNdp`%S-c$-!oNDI3e)0JbJjhx!c{M7R|RMUpm zH`-ms0_pfP&91rJ{|1ZVbg7jv@4llJeQ-I|*M}o4Hdz&lfBdI@3L0q!7F_Nukd}>} z%%lq0u_$xkW8}r?9N=x59gaSZUU`8|~g-o-8zHGWuDh z`+L&(mSHNz4_9L3_~>zMhf9Bpk%WujoXP9^a~A4`WuHI3HnUK;kJq92aNWz9zneH! z!9m?kwl4cib-0&0S*c%#!-}v(x(|2e2y3jHci`;J6tVQrW-RJ#BtcXXg%3~+`22j>t6J&pH&Ddf(3;(vfRyLSEJf}9 zW|+6IfItOc>1&TWYC9znzgRvW#jMk zf1b@TH!EDa`zWWh4+STRMoGoPm6ID#;`6vHZPgHy2^qxaVfpqj-g|BRAU}qQw|K$p`^rfd%_hqX0RZcanTZ?<9vqYAR?y~5_ zHvL&zcsT93e$Dr-WyjUl_Pl%Du&=rgQ&X996i4?`_|0A2&0Uv&?Kl_2xiC22bLUOU z#djYD6zrRnW_Tj4^Bjsz_i$5{X>e4WHF>-ga1x40>YJ`qFm+{*eXp_ZZA|Pc)eoCl zG;f-5UjDF5{JiV_nf_`~CQsTe#vdy@<1eI%bHttG0=rB@sq!z3N$gPeA77(1tSdzP zmmM0WJXwx+KKj?5itn!w`5&FVwLRkuIJ)Lvd&zV>?Wu?KzDfG@yIPk0MNWS!Q-3SN zhBEG%?=ArzaseJwB)QKx)KA_YoQies?Y^iL*)=8FJ^79vHq6q&^Jsq(fbTYEYqcle zZlDHL3(9SBDEp=Q`!2rn?1|Vsg zpQAO0;;=WRUZvmY(g!OV+fQ4;YxmTIEV{_4Qm;PqZdLUy)%Y-9=B3c9#h-uMvBfT^ zjwWPTPB`~!Su|#ECY`0CZ1jCuX*K@)zh5t1DqMMVlk8RMj03UIZxNn^=+)AUlmQ3d zyW7TQ;vY>&M(qpU^*YB(jBnmLAMvPp;7j-gmHQt?U0(^9Gspg5AZu0Ur_U)c$r){j?G|xxZt{7QbC`3RX59dylaej zt15}ZPaenHU%XK%NyPqJlGlRGt!EjP$@?o%Ab5;1{C z+zTrCvCcQ8JdWY?^9&Ac;W*aobUVrAml7I+S}FlMucxVrIR1 zZ(R>0kc4pw4((tkYCQChlf?In28OS$5u<_Px?tz@|WPFDH) zcAiB(tDCkzuPW|xz!>pyqV`I;ua|RZx?f>3xFzs{tTQrTDb>&E5=7Xmtw!<^ zN@QT2+`fwe*Kx^BX>a}Z%ide0&vaK3B(_eT>EHPk$)LZS_>nbD|2$zDW=0J|+{%kN zHM_iR^FWPChBaMHLxZq;5?8c;cwH$eqh2GXQY=fnW2*F~GA>Q2)j<7$LZU--qdohT z%{Nr-509GKP8V}Z0I%^C*A|T>o!D+6g8qC?7x#d7yCW6}F=cyzb3OA7IRd^hxkB6M z>r4Rw0g$+JslmYec0O7oT)rOiqIw={r3W#nEaGL5(_ucZmrC&PYUeHX;Kc%2^LDHr zJvkwf?CT@}-dnda(=W%%JWe3`6{ETu^vHA7p&xJRgTBy}Kgco09k6Bl{o%q2vYlhw zA3w7B=~=+n&(AQ~zI@jDgr2^9m8gbFm~2GXgp`TfQ`l^Zfn)I@BerOZ?puuqFRSEa zCw?CTCtvcI2(Xyi66MwA%N z*1-puukloet%V8ww%f}gDcvCxRAacc@?fCrig91U>c{fX0<2=+Z+)BrqZ7h!s&3bu>V0xNIBsyW5*T-aGF1hK%SbY1XWbWAd;@pb-U&qt2@!{CDZaV- zm!M#t6_=jQ3CD=QaVCYP%(KlOw2}T$bwt@{jkyugQh;nz=Vl zxa=Dn;?k}t@(AVcuB{P=tq)1k1}0g?Y^{EmCEmutFj3fkqK!L{9oK2rs!tH>^RN!V 
zli*d#UOcBuJm{D{=2jhB^F;asiT|IZx980G2kdYgix6re!2_G_i|y~~d*q{ZajBK) zUXFp$;GKtfU#0F^YtP(vP3_+Npy8wbrC8M94akx`CyDWYd8U67dU(J!C47Hb3x_tC z&qK|X-0P@5i?q2yV| zq@z4$?b$aJv}R3P<&zlO{v%y+@Vg-T$(xHRgk8*SEp$^5En4Jf^VQk1upQ6*DDI+f zfo@2(wL@-=PFd=!WUHrQ*1TMcqn#qn$+23$3kF=~GYB7(-CKL?9-=0^QddJTB^=FZ z&oyTJIrG=!5RJu$k2Leuv&@WXJ2awIqw4S2EYrTfL!%sVb#MsO!=*a|f`)ZXSGq{3 z9^;#Q`TUzrF8Y?pl4e61RH?Au#InnH-npq5fMyu4hPjt6-c%%6#9`}z6(w=vgT`g7 z78u|1{4y^kkNAQb()`Z2Rb?7$z@2+V|1W)5xip`;@C4^VtJ0HiarN3&^O5TqJ(e&AXA>tgC*eCS!NT$Y>9-5>DHg$O%Un3tPF1xLhtN9C``u67HA= zd~FVRTVI*N%*%rBudMj-;cepS{-5LHf84z)MOA*+u+>NBT%E&=CPN}6WGpzgu?4#fv5IW34P%vt zJs28-X}r;Bh1IdSOfKgKi^{_iu~5WZFg5*?u(?_SKt($X@veH55kGb*w8E-s>}ud*B)*_TPGn0Ff#35CBXaOM_jo`FvfK%CMk?lkA{Y0mkybh; zpUmrdl@iS(Y5Exja@7^d%dsg&kE7#DL#jhj*cyMq#^dsNN@EA!F+$$h)vLTa1ss=7R37kjy?UBN$XuKaglNFu9^e3-7caLud|nvdx|5s2*(XOna7@UR=cmxic)q5&zF8Y{Vw@ey5PpU z`+=y`cH>3dzx|!R{%X(O;$nA}wi1PsJmi>8&2AD+&2Fu2f+ob`g0$4tHX`X>nvizN z`)gz`DpM;j!AZhEro>D6W(K;n&99i8^Qjl#t#3%7H9tM1dG+Gh!2SV!$m#2FW8wVB z6|ur3Bpm>tLI+ldw|V^`lxrJfufnSAxLk&FfFHuy2^~hd_>>~#?bEhPJTiC zuY9WpVmy4!)4|lsWt@itpa*l@NmUuVII)2|w>f>(W)l*`^88Q;5c2Kq7Ll%zg5E0axAy8A`JJRx4;qF888ewKQih~Ez9}z7N3b_8f~hkYHi)5 zMhK`dh@&YlKJ=l@c9Wv=tBcm53t+(@FO)P-+DXyLwf+g?bsvC<884%T@S z90^S(`mM8f+A;U=ZJ)#hD_#66{{(uy#Eoc<0|muSwP4hm&>pzN6Pe4A+ICD6D)&wL zH2A&G?Nov~OpS*=0X%*;R5}`zBzixoc&$6vU%J%ab0PE2qOXMoG1I4ORR7}CAC~(I zu~Xd}z`WU}BrL!Sv?{ZO5Nf8rc8bN~=qNCvvlLqydKYVC^ zVk)Y3Sjv=Cldr0*pZifE>1v}uQedQtbdhn-i${NDrTl2gZ`Cj>A|X)4Vc?QD#%3iL ztn8Nij+UIZb5Uim10BuxB7(PUiiHpuX*HKuXK%z`J~cYXW)v>p+Ha4hU3sk5 zp=ka1+1#ODs+a<9K)@L5gns>%>T9Y_pL#k;v!yeVZ~r4ZMm?*Y+3Ut}1feN)2$~Ty zmwd7?13oWSQxeC)>ebjoJGC=x=#osGgDpvD^G^{cQzNRf-@lU zJ{cvg)Vl0FpuaO4qD7IY-bI+h+lFtPb#6s!$K*e139(kf#bV(~DGcWhzsG@T=zdS) z^MTZ>_;ZKsG|8(t+@60cdj3p)4?+zdh{w?xPI#abN3`)^#I?~SPyj^zh;RY zEoAV!&Rc3WVKw9VoFC6otl5iG z#6H|c_Bt_C7)I!bVJoqz{=Jz}Hc^MK%dcJ*=)Egn6x7ns3+G1jX$yv`&rNC1%AN=N z=j5An3q55Q|05DD&wX;IP>D%^m1jETCJ80R3m&QWz6}k={GQHQZB~jlQOmXi?oH(Kh?g8l(hz1Wi$L(2r+FfW`=DimNxc%!KolPYE$ 
zTy%>2NcG&m5->hYp(P`0{dA?pT+4(P^`e;Dq>}G6I}nX7B-_;%bKStFPHMREg0B4k zG%tl`64n$Ljv`9X+r#a!(e&G9Eeo`rPJXQGl&m@gH_7lA<`s$)QzGp=?ZI(Naju^3 z%-p;fl&1EnTvV>~0dMNRxjqqnv8bN;?=yq>iHX*b=ZteNS3I2iTLJ6!nwiCgq)Owq z_R_*^N_@N`aSj&Z@(B9GSkOuaFDY)uDSir7ib1;&fZO`?zN-)GHcP*^+2}%jntHg< ze=b)ifQy(Cmj@lUHJn=-Q~xD7=a+Tf4#k?n)qcJAy7xo<>M)<&LsLYUi9r));4Uc2 zdsU^A@dD3ROsTjO9W%cBx7}nR@*lWCA*{?wFKA8iPud(cBJcvQ9r&O(6XTH>N1G-W zZj7ynecp0#;i#}y_T0p)Kw@bNC0{7Xx7rJTEB4S)YBc2{p_spI_{oPSSqC>B4ZWAu z0p}8bAXh2bXVuPoAOF+u9=h7<;ZPy>Oj=c6;}7dNtnGaGc((eMg8l3UN98TLMy+~! zW(1wKeXG+^nEFQ|8B4d%dt$Eo==9W20#kt(^L>HhYeDBhavjn|$g-;@+!ndHv*f z&&I~3K9lTN@Kth36i39h-uR#4oDcZVRhJ8j8&3s>D!q`w8ZOXztg{thDdyDCnQDBF z*@qVQB_0WhacFm^Qn!*yx6U0#6VB(VuQOIvpCx}sgxKIQgnJl9w|(LZ^TsXK0K)e1cC)Eax4NI* zH$w*Pm=VJ~pA?@uVq-1HRVLQB+PO26BuNN-qva4srzPY$ivT&i5s&>xJVZ;?iu6(& zCQW-7NrHfs?~|?l)vA`aN@IA1@V7vm2r|G(#;%&J0hA9V1l1HAI;}2J%n-OOudIM@ zFemieA%u0jk-MPu{_^FEQcDcGw!4SNHD+cW3IRQxa@!Qhd4XKqS?gI%iA*Hp$6=80 zX+l;|Tf55hU<-8nkT```N3VT!0`|X!61D|e2U!h~3-otd(Af~;3&D*_!lEJ~ zydn-u7ryC8yJ62`CKIsmMoTQ#((+$JT780I^;sw`u? 
zgoTHWi>0cHpi8|7#$=uij*Hvx?97lB{x*;K98*f4mRGtCQ;G^fjHYAoo?SuE_=EyJ zO)>=ZqDhQSMF@Z0m>RW*=N}V89@gRj_Mj+{eR{g|k(r~Tqc7*#MBVTp%Ag%S+qhOZOFXYL+fJ zG!`Z^1|I?lby|7QxiANg)M%6QBP2!ii_xTutvgYs@inUifnSH-d`A^z^tCrY2Af4i zu@Pj}kTwPh3CQ#ycN*Iu5|Zi~$DvFSR2JL3y*1c({J&nUi4odXhsn$(EkM_?x&K>9 z_?ue9bvqWy?sZ?{(R9iXSfCI`Hg0xzJ-4Rs0efk;_^5;4!En%PFP+6;9O-BNC|#!$5Bh3Tj1+>w9N?TGd>+kjH{VRSnsKkBu&8(39b9x|~{f zo(JWTu+HqjfI3vAfSRyc_oL_oG!_4PDVgu~9qeVSlwdxL(tAH!ho6GvdzS1j$dtEW z0(!LC_PEM9?hYXK$SEikBhx=RfTA75?0p(9stJfPRbk*Th{8|fEqa#cXXr|06Wk+W zz(JWDq4xTH@9hGULLa_~psuE7mRPJt>i{nwAD`34bUjp1fFtc675w$L=At}(IJ3BitHAT$oh1_yUR){xK#=$8Ul5Ha5syzmpJ~J0JjlCAL6&9ArS^9f+R`x(pTm& zrL=q?z4y}W>=YjF7$(# zaN7>l8Is^6AqF7~X$*3q$JU8GoE8&mg(- z03=L4LU9&SH=di5V{U0VUThln;1NQ3>Cz*3_FxV-*w=SoP3@~`b#`_T&Z@B2p(Epk zUOyM|ix)>Tr5BW|dP_oYd+a`isUGZQ0muk;avHYWSE?R;DQOHM9aMz7LH`;V4f-) zne;dx7Z+FZ=q1n@yMqeXvW?;P;WQx*5%s*HkTuTe7mq!aXIrFRGlz%nUp7-eecA%i z3_O4^;jPwqK1(PifR~4dM_^zejps%^=%Lboj{T+NRzl-+<2-&=>(PBMb-c)r*uut zhG_#qp1!*GL}M^<2EKS9db)4;rSqRKQ-_-c%AaO8O?He!+%x3tYhi{j)ca|r4}5!hMT}itU7K1en3>4}j_ zWwGB2VUT;h!QeRzsn2)j^|c_$4r@shyMPw}bK${dbE|{B0W}qsaRBlEErNZ2^AXi7{x`c+#CqY>&i2564^ z-qsjhFSDDIMNq@Xd7J|j1FppWM56oRwNXrJpC0O0wPb{6#zis)cSrLfMzW%O*3|eYQ}D2VZ%<#t4!l|kPljU2x|)RhCP@4C%jmYrzd$! 
zdM;EY?LEX1;Q>YiN^!ok-1TJR{*{v$l=j6~l3TO}bZ4qPeQvi`r}cmCljN>n9DR|c z8e;_|Fu_M^?HwJ;D>SFyV{KRpMHavha?D~G>cEu78!y{bqaiSR@Ajjv{mj&wVkD4= z#@gJxi24V|1&$f|C5BLY7(sjtu;L{2+b-OZUs1Bldri&JCaHZ#Q86FKYPe5eg8A!S zR(WrUQqe262-1XJUe5n}^>PBf!Bp5h7-ZrmL9`u8qdmU3JQ%75asZ^jFwT_D6UP+K ze7dB%=Y?>Z{U8OGz@aeJ6aC%Cvx-AtAk%%q%HhB*SOnD(qwfOjOB2sxi47u9=fvZ)#rhn`CC(m;rPgjT z%CuhGGdXGX?q)rc=jPDJND$%A$NeZn z$N4au_bf+#9IARddT*T2heV)9iWST6p+RXT%!;q1=^=zv8hZ0|q_BQ&vl?Qep#(zr z{qg-`)9(1!DoRSR&f*&^NLj~HbpwN5?DwxkgoGyd24OA0L*VyenqKez#EjzwCh+zw zj8k}aP`UFV<%y9IWr&8sKfdT#6VgM|hKtTzXUS3}Q-GSO&KuO=4BlXn{Scdr?m^lfKlv%xN znKL&x7jWH3HaUv@Q#-f;GD+U`luH`4Yuf8jG=@e;C5UnB^~0oSK$r{*?=fA>gPKk7s;Fo*gZ?l{A|_{C=<3AO@PIrz9}o;!o!HZ;`u z-=>kxj^Ht7cV=!C-tdPV4^^o=X*(fS4VH9~VQV`bIgWmiey~c)Lp}uYZL2fFtnu}4 znZ-nllHeaCb?EuPXF25m^-0aXPL;D2$Zu^>uU}AMva-B9RPfjXHW?*vpaw1rlon9E zmYFH5SgEC^2Blbg#YrcjZ%Jf|^7Gj*1n+y+Kv1s`iHavdm2Gyj-9^C+da&m&k0}fv zFp`J3Z*xo|{}F^3JRogtBEOi(mQq!91Uo|z1KVyLjeNGDK^&c&HpxLl40`8LSV@h> zu9!mc0F-=GOP&;RHCO9$>a|-GQN!v2>P95FvNE3NTU}k9*WP4{L*AlltBA+0*{x*w zM3BJ2<_=u$wN+kvSoPXN@}zJE!rDm2&AVP}mU=Ix>7gJn-Z(jm%vSj_HFeFenxm5X zlEIsMU)TLRmTYr;1!zj3_y_dM@$r{<9uP|>p2MLuyg{63BM_uTN(k3-_15K$r;2^) zG~|Z@+_?KBqTXG;(SN^Cc43h1=-@ieuEY@b=eG2h}TNUVh;RO|_Ay!3DLq~Z2{F}FL zx5YrDi&BT=rQJmrhe{6+r@{v-b<9CPd3yRxZT>a1yR8r*&HKOQz(ezS#bl9}FM%yC zY~?|YT&?>HloOXz8Am5)$G zS^7f*1GmlNJD#{SEI5`Ah_~(}PeKtClnrc!yTs5ITrfz`mC$Exb9{V((3LZ6Ff^h= zef5KXfS8a2>l4=>CQqJ(VRP5AjE#_VH649F{y!$8EJI6<#&(tnzWPxJrWn`$#@>V%5v)=|K?9A~Z;~@FAO|p~)jeqc`W#vuE zK+ye;9nGv-I16^{-v0H-&TbPPLH|(rpL-3N;&FDwkc}>50 z*JU5A3q@(1Q>Na*b8sbfQj?($XiNTFLE!-3BXB4qfB5j8S?<@e3a%n+X+ zN#3Gq#rM56n*}k#eupv9m>h^OxqU!s#6m z3o3DabaegH@XgLNJly2U2P|zOPZ_zI3iKyVpJbbs!;Cr~M@_z9xTLL30gRU7KMiyhc0cRm?W@x{ zA75$-sL!mDoFgN(EtS*NA4IP@XE)o2Mf|L#rstzZrc)M^8J!=7iCMXLrUWUEMAWa| z?(#@%dwF{McazI}x+mkX70CgEw;B`%TmOwimi{^UUUA%L@rt=T075k>6As0`VYprpZ&jMDA@S*7(7g_oMT8z zU<&Gpg}NbcC|dn8_gbiYrEz~BTwTvjpe!M*r5GmtgP7NUAHv!z!ULwlBo<0FN-sZD zjS9U^O&I?Y^Ng5}6kSb;c&s*iwP*UBL~Lj*@c5kxAJ|5$x{~%a7%(;oDpND 
zppHFZfI!JNoI1dP47{LHe_A%=m)9?k5;%+ss{Z4%+xGiz46R97$~UJclT?PfHm3iN zthWG)qY2lA7bie)2=49@Ajks2Ex3DdcXtWy?(QCfyM*8x+=IIZw>#wf&$+kipW09q z+1j1y>FKw-AA6A4H}8#?t36v*8KISHrFdjrRY9NPMOR>L$>fs7%mQy$W~g!Umg-w{SvA zm`5mWg;=rPfQyEypf}jn<2Ovv_efI-uBHCR;MmMDnHt0ljRFv{Q>kQ@we@+zuef zIgg|jO8=pUCy4oc)XbNZ&DtgKWtHi{AhGaA8r%SvghO8m*tpCgbjZIB13)1yQioZs z>Et+*iX+=oRF{y7m;bLTb{%98V4U0C1s>y_w#%(#D}C9h%~?l+dS}8CJf66^+ce7m zL1s}gry5I~P?o$w)dRSQ07c{P>vP~W$&?kRDM?4C!^4@j&&SouBcrEyT-Tbet4UG! z&($gDOb_{z1=AlJuE(-h$wM0rtF@CFdE61D=h9!6=7;wYdoH4p&P?j&Vpmmq>dZO% zROmSa<8Sy!;qvK1W9evuR^3$HD={qCGmtwP+n5MUs@`H>lRNQ6ZtR#5h_PScwzIxZcAt%6Xqu7(WH}#~s3#rQjPzyRv5?nHM@2kVdx5 zqJF6Qw4OUgvy(Vl)NlWt-W*r1M)uUH?qIW3-sX5t!*G|^#o~Rt)t?yD(A0xE@$p5c z*Xhk?xtbLxx1Hjj^R_(g4$~V+zH5z_6FGYKNsUKmUZ)SdIUT1X6O~Vw?DM|&ukA0< zrqx}~i}*IayGl*3A^4mxk4a4e9hVa?&+m_3f0oR@KE^XQtbKo3PqMlbhhWHE3+X-0 zEn>M>eOtiy3HAJ?tEfNNK}G}hla0%^0q(3ogyg=SY0`s~lBl_yqtqQYk?4t0!pn|| z`LvIK-^^2Hgf({BpLK!Xg(D{e84zW@@+S_JSMq>(BF`ppM9_R%`eb)TPj#jfNAGs= z_E*>X$GdcjRK7XuM98<`G0;Ke+H~f;N!%^)rGiV(?N^}S965UH;OVMR(?cLbv0H@> zB&nJ5==X{nnP&;O_E!XWjb2TL>q1?RlNWWK0@16ed`9-=u5(3y$GFX-ZO{ol2I4y$ z-J@b~+C7odv5)vLq3cunncy57y&*vOUz7&CCRgN~M{{J`;(Ep!YF3Y;mGQ*sig?pu zLOhj=@p=_4C9tcS#Sk3eg0)5n9#5Qr@y~(Txzo0=i>Y_wB)O8G(96x?^+b68tCSal z$hF>Vf{B?h0c#=;#EDi)=JT0es#){jy(0$Nqk0m6VVE=h3FFuD*H> z$Z&pVD!F99gL;Jh?PgB6JTEbqyI}?ZJU_j_qM?v?0!$xa!psGeR;@T3)Lxff<(L$ag@{&O97c^ON(1pvqsnrs;l*&I zSKFU|cj}qAb;h9mcCwtxIKZnFYg<&$9x}jfYZGTxO^#~qe_ZN8xm4#nJ)Oe$)sqkm z3uDEL6`a0(-cnVWKdXM>5GcF~3-BzrUG+R|5okRv^PE8Q;<22u4GTJs-WmRd%W_x9 zzUj8vylUq@${c*u))eHtQT-xRtIkF{!Va1&vPo$qt9JP$0k|7&OKVy#?^xKN{Go>k z%oFl9)EMCqZ9A_L&e_JuE9`9*k4YV6Vr2ML2RFw_F&Ea{FFsMG!#m-#SyIBmetK9Q zK|Xf0;!BvprNkhEV(v(r*CQk=1kJs>@96l|=R>>H&?Nm$qtg2W{}tw9mmlxwR`_~Q zQPc2r6Cn)czgiLHK~@HIqvEQrwb`BKth*o0A`hU;Hv}mYG%1*I|MM@fH%E;$L9kK- zTwda2KF1l7Y9u;{vt>Uf&uXD-i8q__J~F27eZu!4_`%4ksgmO0VJV|3D67h>kM=X+P_b=BvW^c~b z^cjl?$n^`qC3h5Mat{^=d3IgFAQea?h+4(3-MbKOv5HgxVxQV&w~@uQ=5y3=-?aW? 
ziFPt4Eer^u0XD4c%g`dDvm&EEbLTAJCG0HBajdZl-7%&KeKhQ##5skO?_1MJQ{|;H z3r;h@wUV~?fn5)rn=8u9lAkcePr2g=Vln#j9L@v0ljbf#)waza&LB;5j4<*xTvC)s z@+=$~wk6F#iE$p&I^Ucy-BDWHpj-=KdfM7jdgIeg_nZ}PX;c~J^+L4p$uT0tp3kPK z_PN^O_}1x;38qF!ze%`p=wg%6-EiIz4`+Ap-`JaEbOJt&0128h3gNKtvY0uo(-&9FY!3nQB#Ds;Pg%iT@e-s?%04ehpodT(e!AiOx&7ZhGkG$<^YNYwqYbf+WFw ziAVK*!d~G02t*vbHUANXjj^*V(2j~BG|>%#D zI8^+z?;MGB;J3YyP`GNakJ9=Wa+e2DaTe&nANQR=$3=^T3!}Y9$mv52>i1b?CvE}M z8gB;8nusy$5MdpQyjH4@mA^*r`&2*dMM^nTl#Q|pu$w@+= zetrz}bJ+|$tJ3G|hN}P>!Vls=amIAVvO>dyFctu(zN=l{Jzd}1m9Fkz?jj%vXvb~^ z*thW`*Puy>#r04-)*Z8($pZ46icP0s>uv2{pOrp;oFOf$Mc$`O_U~FSk8h_CP$*W<`HMXd_3@n zioaT2P*MufEv08ilRcAGmrQwXOw=N7RM2UD=h23EqRyK01xY$>5m{*Prp`cI6`^!8Piu^Km2pV#t|Ao@ zx1kQWPhkoBIyQ(FraXf#(Wn&fwIIl`3~s7+v(%9`4Le!rQ{KS3z8}`LTtAM50&i~b zEZFWCCb?A7Cy9 z7M@>wPG19EpHRzar4B`nLT;nf95=omj~ZfSqhX`E8lgs6VggyQV&w2J<%&sNrSX#Oj}VIQswidR z)Y`QTSB`ROitjy(&)TmKcx-35nKGq@9#U&l$e+*xSXIyJ#77QZHhoWlf1NkeF?ybl zTl3YPPr^rH{7%c~AvX9g=hiXaZYPGsnvcHT`*W}JAvW&EKbxNRj#_VY=NtCOn~t9) z=E;eXpG&ZaA7grl*9R&@y!5y_yYTr*df~`I!ORe#9|+&2IJ(8JSKy%f{Zw#Rwvkx` zxuTS3&P%#MbWJb26`=E8-*spcBA>gjpjczvjPGr4HMs9bZdVsEC>t<|Ydy_hAO1z2 z)18W>7~SwUi1Rb*SiGFR47O53$31%A&U@c;9AaW$0DJzR7QdfE0D@)i@}Ojap6%@h z&6*KENrZNzE{NJ#prSH$K2{*^jc5B_aonu6g$|-}aADApOdEtOpxCg?N;VU7nvOmMb zsW5e3owjhTd0#Q`zH&mwd?{~h@AgyQGVm>~Gb5UQOv3ZOC8 z?tL>nuX5-=_`LTEg@83%zn=U$j@A8Z?3)W;UuzWPpv3<`XFwaIut$=D%3WY=azN0f z-x0neKq7$TTkcMI--Zd_bl=DKdBPxojLqh6e~SeV4>?h3QDS!$P?kXoZ2~6E7lk$d z2Kb*{0fexuoE+O@7eLgY1?k@%1-KH8am+I`lDxI^+Y4lt{LTmqGgtAm4^jc-71AC| zDLf6RLOazHm?_ju=-pvCk^BVZc5_LSK;w*G6_A47{eXabTRXCkdLhN8=LM^xK%ThzzUr$ebxU}#A zW_}gbt>KLZ|6kH*pJD*15*G)k0>tty{E#F6a_uQduZ#Uw?!)>EWd%qdBnX6hAT`e; zoMeXD`0s;$7Kd59TY^!ZNS?8)A418G%>d#||A*_|e5_v{=g$hwi85FP?U!`Rl>Isz z)THNoHeUlJ+zq9W?@c6*WK~rd zdyj-BFSyZht1Iw2F3{n6suv_BF4`;v3ReFr{}qG;_0$dz2@(!Iv_S|q;SK6R?-^aD z>0X5GNi`|3TS)wWKCf>F0t06Y4rm?!4%drS$337TpJn-0D6a)}W0k`|prSTJA(v`W zqoVnfaxv!0j{yOUELQ@zTLhyU82>&eg=WVIdKyhcX8VIyq6bZh=eHfIs~s7Bf9duZ 
zM(=kYQoJD1$Pa!@Br;ALwTv&)3Xs6RY-=MhJnNPm3W#Tem@J#|zXSt!&aZ>(b**M% z;`yp=@1@9L1M*e~Vi1R|Sd3xk_2(l}{$Z*Rm?3|O7D)`j$1~~=;jV2N?;D3wL~A3) zkDvJU9^>SWa#SfsH(za*0=?t@rz zG3_1(8d8vfq=o`W1VBR2K$xPk{f)YsBdRu$8a&PxfqXr7AI_02d`TEgsWJ6I?4q7w zhpsvs`iMd1@6(g_-=&bi=Toi7cR%ZQx^9fQjz3=k{W17Bztd3&JlgZo@LQvEZ#oJY z2!7=l0yIchO7vGB=qY8X@$5dz-&j>^36Q4H>&rU-J)p`8@sE5>l8JQ~!$L#9F?XEg zXsGB(q{_6zSo;xzg!1I|BWo3Dsht@cy%>u!z4>UFRog_^Vfxj-PU^$an2KvM%Q+Q5 zj|U@kDDk8%N|j*glUPSKs%P$+Yf2-h+cJb04SE)^12raIP!QDYcF~)$H_`EOy3(b( z#ycS|_*w9j5yMZ5Mi3D6fPTiI1kX-Dnkk6ZHWvA}a97wN!u(U!h#a9(N}84RaHTmT1mSJ;E%)V<8%vj^e ztV@3VT9pL##yU=IuG`(l3x547|Mo=86(fW+P~PrM$^4hJjdE0y0${ zF|#&0)Y&_tCxi-3OlTu4KZI$PBxpYsW~^O9l7|b_PL+b>_5Y+dnu2C_P1`;<&KpPp3L;i3~s#3KF-w@O2*85h6~c+A78-w`E!F*+&^%mQDs^c1eTn?nY)B zgY_c({@Yxr{*_Q(I_+j4{$r0t=^tvL%rVS4sYi=T2{Kzgm(7YO0yYjyNjozR0dyX^ z>P+H&R)ox(-xUS7a}H~Kczlj_v6$p>BIC_9MNEtua0MZBUkodwNmb86OSwPai(aW& zDK&@iEeRTpIr zNB?rK){sayo6^;kTt4mCphj^=kl|pVYMtw8VS+24)@66m+j3=_RW+IeN7^k20wN(Q z2H2oy#i__3;emMxPQJ&WaNBs-A?Q{Ke{?4o&afIz@ZWH4Mn9!Ps~|f}exRdp#FkS7 zr_`1&&$DZ1%1yX|$c#!^h6pk-(uhk+~bA*1@& z$`p8uVP2Z@(1~`ZMRD_dj&Q(kAM%(){7;+7R^yx8)abtWa2l!j!rjEkp%O=#B*qnb zNgWpQ5nvZm9iy6YXsCyzb&j6M!5VpxT8I@zuAJ#oWD7ViI*i53T*I!*JwY;@GpvN^ zVWY;(8OIG?s@C4mp*D$v$)@4PlTA~Jvh;^3*v+bWzY5d zafubxo0`61U%rbRQgJsm5>2B?wx-VEGb4ecX8iTjMZrC)wGCWfcr9A1*`5iUUmXKR zU7{vi!=FfjXON&zE_F67OHHlDI`mG813#J+9Z0b{F-%pj`yq?|5^AIQ_&fh)o=S>h z=F%WakrPGocKF^-(Dro8aK9m#Rf84Te-a6&uEwKW97tpALZyT*FC0A&+5z5 zWfJJSU^snXrucbM$DGVHx6IZ-pN|jzwydld1LEcMwP*cV;I2)eZ(Zfw73--oAcygf zsobXN3zyF>%+uf3Ub$C7p9ko*7w`6G+j{|ZE|{jBKaB({H{j+I&*mHMjk!IW2vgwY zV_Z=4?@%nWS^Sd;4BLR(IiD2BivI;~Ald7CecTni*8HrBM^hvMLRF$1G1Wq+9l$Z< ze)o5R?g?F@CB8N_-e-}vi1s%01?j8IsC0wG7Fpi?@>IUKcSlf}xK*6MBjpg+{0jBSTa);i7DvVYncG!3T1lu;Ls8Ga zRliZC=bc$VFpF+wI0F$TI7|7Sy2wus2tOOT1TNy-UAAmonJ+x4_KreZQ3!hj-CgN?4=cqn6 z#<`w2yz6XbHz}0EicYDxZ_qD>IYL_Ou7P6TukzP4qf8G;HGHi#!kqHr;@Qcm(vlwU z=;c>OS`4Sv69|(%7l-dx@0cKBG+ia^uoQ4))^_G?e`P;^nfUW45Owy7qO9(_;Lo 
zyqqrY@kLtiD~--Kd(20B)7qFqk&nc(9D|YliMrGl?XfNy78C53Xo8KwH^JGXf#Qw? zk{Zha1vEM>{g5)BEd3BkZXT|Q^TeoUSB)()Hl>GE0VV*2L$3C zsRLVnelD-2Hr{iNp*uh&)K{D{&WVuk5^@HVdqRN?{W=BA4?FrA2k*q4b`7@R_$B2jDkd(QqmO8+0VZ)pwa=J zN;&K$V=9(e%aU$EeUL@_Z)0z4BMTB#_`d|1*J*4le=fFFQ0m}3HB+@ZN}ba*BY!MQ zS}qSJ*VXs{HGWDqzpWBQ^e{ozB4wmgfyl1s!qWMq6wKLH478r;K8HZKs$9A{REqRR0X#)L(*HuF$ZWqg5nH?9z<%~CDm(x^k&>3u;V4))_4+k0Rj1XZM+ zBUCD+yk7~=V~%ci4Cf$)V-NaL@ia$wZ^*{Nb&}UYh;K{odOU|!@y(_A5&8bYztuZW z-2vy~=&+|FX4UfOev-^@>i0TmPLs<~+~pYQ2@?m4v&eyq219=;?5OM}I)yC#|`ntwfJg_x%d z(p~7Ll3x#(?jPsl!@*U?9?&e~wIl0*OAyxSn&LAejG&Pp4g6piD$c$S4K#G|eGLRO zAbg&w#DF*Zp>!@x(RhhtHa}&4D{`Hjd{UVTUclIg|73qqRi-sDljB`oa1vo|qkkaT zhRNnRNe9)HCzc`moaR`EkFHbRhy`rRwwCf^UgWH4Rt%L#fJ#OqV+^usv+8C$Sn)2- zW92=$=Vfd06IuxG;tH#G&4@Dcdh79fZK-bY*rvS9EU;LTx``jXZD(0FiaJIWy`8ZM z_~H{pl(*GOS?8-Pko5<9>dG0{qdY6jr@qiR|&%OR-gzrczU zs^XKvNiP+3fvb;%#hzALG|J?^48Gg~bi@dybIO6^nI3O)49n=J=jd_K#@TywB@0*J zYBizZT&0InGgng9S+Rf8POuYOi(j#u8Gc!K&_x8zh)bV-8C|b4z(0?5ACmY{9(SCs z)l;Uc8MDIHqMh7Ob}Qee%JeI2uPO@KBECpMv~5b-yGVh znj&`5N?dFH6)?^~R{8voi1Z_Y%m3P7j58dLXIwC6S%Jw7?Pz0j<`#kP z_xx3uj|5JWYwg!E%UfX1=(CaE<@_U#{?fT>>R2yQ>Q^I_WbpEpXnGlJ)ufxHtDtU&h ztED&Bej!__zl8n24Cd5buC9Atmu%?8BYiLtNL6|TY=6LLq2O_GNs-?)eigY_C+B4(fUI+g3r_Udqdq_8zafZEn&@X(rSCDziKQpV-DVtTBR+x!aG^gnyFHyqgUx z>4DP+aJF=(HQ79hru5;NhsybU8ANA{o7l$acXT;|eG-ZgNJij=$(|4#{G+U&3A*l%ci=JP(?SC#U%2%&-w=;r-P)bV>5BNC}K! 
z=>v1QivYuh%3c9Gau{ZaG*&Zss8SHwx-dk#?-)$Up`5+T;UB-#f?Cr*e-c-lwtxZ2 zKf9b*d`~2}(4#jSV*Z=%E%&;aVD^Z z@*@!U7u1p=)fO|hSQZEcCcK{aaQ}J&d-|;J;xe56`y?!~39aR(G6L|UjRKM;qNDk5 zR~(aTvH|oMxSIfHcGK)L_ZP`v=tvQumId(kP3K=6yt_X4 zUs1?OK79j8(0i~wWDy6kron=qf0p_u7jTZm=rQoDb8BIQX__LIET z9K~FG2jkWLW1IIomMK?Sw%*)lr^-)v<=KKyv&)u(?)kLXf#B}?*>9lfE{z-z}NTiq9NjB#swS~ zzikO`O;3(tIP+3&Cb}t3V#vk}{NyJym3f~UVb^Sb^Jh=>d1LbKqf>=>@xazbws#5m z>Ll{k1xhwU&vn#J)m_9*n z+)dv7tuGIZ;#*e_dVQv>vcu#av4sSpMOrg+1?sGVi0-e9hZiHE^D6TN4#k z6&3Y7EC$$*14ohKR})}m$Z;lRU%zZ0BX(=1AeV5WR)fnt{y|*SviE+|%-47BoNHp8 zn~SAn`yHX;jqll}XpBfB*~}B6BiEh@DLpCVUsJ+UHl4AXqYuYT%0;Xn3g(ycYizV` zIA;h@FjqUVr!uWotZq58CZx<%3b9mPb$@Wz#}&NnMLZZ={>okct-Ls8r7$uuSHAw( zqIHGF@n-ny1#l#NAD7p&b8=p9nz{hBfh%CWD{$kuRi;#e^O-^Nt|t3=eiFZFT`Iti zni>Km(c-eLBNYa~c;PdYVLMW?kRV#|X}Vg>soe!ddbX_?)W}+o9I)p2(u9xwiRo$3 ztuOZ4tHx9J+2((1xXS(hB(iEudt(vxd+x70T^On_ykB>+06+`H%g*~x;874t^#IBm zrS`M?#vwDj+UsLC2mYM^#3)P3K2aoh=BZhmT(}J)vVzHjYleZa)2UlMF{qgOM_sU` zp&`D^1v$@F2Ox2K$JbQJZM+vvUa$(97Jgjex|Tb^Plw%~NHm{rTjUSBab?uAbM+r*g9-5&NF_{AZu$lwTE!y_6<&)ydPiHGkBEGq zE&%uNjg1Z9Cy?Zk>GI~qbQjRZY}MNp2)DAHSMM3?vmUx5)$-{lpgJU`N+z1+cB!Q_ z$B;dxMjb0qSe4xHp(^-!2WJRtiXnT0pfvYFX^kqt%5VZl$Z2&Pa$)Z|yjWIdb+K?T z4Y;kafWas1T>HTAg7QUf0@JjoRer|~v1gxYIZHb>ZIi)@CMz3upa1;3*6FyjQe8_E zv5`9&Z=0bwwV6ryD(|Kx6_6EFp&h#BCOpM=(r}983gIR-OY>qd=HjX~%B3@Q%~|am z!ueZEaC&>jwZEs9Sp99`L6jbRIz<*FZ;fqJjzdI5MGm;7eDhTnM+0(U{(j>zG!Yw^tvtz{Z*F?C~b$&kd95HK>{ z9@kAUHNMeyq!YY&6p+sFBJq&Wcb)`k%IXiS9J#?{dOrq=!$yMs==;BCYD9(J=qutI zVDp}UCPM%yP=~&dQDO+6<;LH?3oSn4OS34MbX9D|A^g(Go}vc-dofUJ3n&ucbg<%T ztAMAS$%-ewaF)~UEiZu-gdfM)gEl05)f94>lhDE6k50G2f;xIJIZO~v<3M@H^K|+= zhS}Mu{m~*_W7Emix#ur%^mUdIZiC-^#mtxiz%Zjv-zl=TmNQ8lkq=nx+}P7j)WVvk z`5?inuR3nnDHlS4Qa$-2L+)5sennv}afTP!*2-_`8_AurFwsbtc;nMrSOxz%x;|ag zF+8oAYdH%9I*UkE8~ZbSZwyr=aR%NpXrSLY5L!UZ!OFr4DpS{v9i}P!&tD@Km&v@% zy2YV`{%7NQxRe53V#h$;ElWsw+Xx@rT>MSAcD7u4s+6316~z4=vflJ z_S)%ypZx=dB=T~0zrzr#u$O*KQ4cUde47$yEU~z+D{ttsfmK($ngV}jsqp;N0kMD& zVjo%IRFVBTxf3wzN1 z`pL_jTfJwDmzZql1IZLx{hEqn=s7wPy>F 
z#1k>y6Vdh6Nu0-cCt{gI2)6{8Ka}bDK8__vrwLh-_Jv%y<(8Q0>+9!IqejQLM)CARot&Nle^r;mg&!~` za{E0Ep9|9z83J`!1qB8J5i115^NrR{r=Rkf4x##2OvUOrpb}IqS;1gy`(#|r>G#t> zzvmdkY{llkZ2{zo*$~U=ZD>5Me2%&JpyCj>F;9s$$y6*zz5Wb&en3WVD0GzAwH9GMAiv159q6IwSoNS_;?BLUvsm%rCPYYX^ z*@ka@H43gN8mVkbu=Nq;c#UKKpgdQz|7|0|f)oS@Uf0_^)n*+{_o5R7P>5H!*b0ZH zR&&5?jS$GPcNIa0jlaFxg%K?^J-I}Iw=7PB)6pO5IuWWEXQR7vV&uxO)Ru=e?dhw` zrp5l9M$S@`vxqG@mn5OmDgR|i^yh6}*Gz`qJymcaQjn*gm&*TKsy%mL@N2*nJ&f=) z1hUAgPu^)h%UX1=DFO(D1loh}t98GY>r4w!k!P1&Rz*8x>TgHbL`oszja$P3R7Zx`YPf8gXH#Hzq4K{EJpcplK&CUG&H5D}`J2}Y-l-KY5I3%Vh|B?fMZy`az%4V! zX}&Mi$66Hv$^m?7)+0&Ae|}qizwCO% z+;Q0H#`}?f>Lr7N?s>4aNBnQL67g`DJOCMn=u<9}A2ebMl5whqX`L}U(l66-%NK|L z{{h9t(kZ`jl&-Zkt++p8H>{?hrZf^IYu0GN=AHz$^7fMA9xfA=zpBs5_IRu14n2SK zg#RsV-bnt2X!WK!xKPm2BWAdNRML;cf(^8$yK#8qnS%P(KG8OU>z%*P(C`qx`?U>; zQKVemhhzAL0MoGas{`DpR;DtYiSq0Zri_~`yo?5I^TNw}v(ldYw!$?L(OH$+km+R* z>8tWMub_|^9wh%f7Yu#C?|7z@6uPXfC7@Q?eDmKqyzxLq{zHlyKVc(k5RV4-m<2bE z1CR6Md5Z)Hgo+AsjtC%yrp4iux6Akj0%1WzL(JBZhr$=T5vRxX)++boFo*xgtOa^j zt@<_wt4}61Mq9n!C^~fQvEX+C5NpWIA77jppZyD|*~vma(OH3@HaUdJg4j9qaOB{( zTP?ynNd2+KXvd2OjrDG1BrRrKwWBfR%7Uk0izi|LT+!9x&8@c-aCfrj*s%RyO0y(-ou5@XDt;n#ro%I(=l(>d zLGzPI(s=>PIx00Uy4Q>uvnP{@{7zaGyo*{bRzvG|#^Wxd%kh0VE(AeML%M1;W+L$p zJY?`3a1qwsyM*AnnMJwF0V7bX%i|jO)Rchx-6o~Dq4%=#djV^s!$IM%)L_q;4{hK1 zM7dWDqoX%?lE2g?EK{UO!$%W>KqLbCggmphPwOgm6TC(nd^MU{+G^bQP0$)q(! 
ztW*JpWxA4w4ihWE#QyIwr{mP)LmK20s0=R;2=F5gCs^*G`?t&0fiIN790^otn$4#2 zSMT^t6h6Ydms)k_MTVJTJ#TR|9KGI_d6ZFQWYFIFwXL;csamNCd3C5LsjdwcE|96= z`(G6uSOBg}g^cYAX?zds>5?U!UM`Ud1q8Ia;S z{4QMg$xo-{eBfQ&=&Bky$Uc|%XC?M9tF+}+Du^QB`C+bD&KPF-$iu9g+5ZC~MUoAh z7;C4HEshaIQziB_+R{^$m;1 z`%N9@sOn`{IH4FKTqF4G7M>p@^q#!p&v*D8y?m&Csx+0qRLYlnbT07tCtoK)&)*fjzyBk>lowUZ!en^S}#M!_hRn$BB z1c>Z1fP)%7pfsVSr6uS2*ff$Pnc_)p;>B`5YT35PKl28a);`9au1FagO;9GOTnzw2 zMW@`RVgnQDaU*CCQogi=gXSLZcM{>JI8sV;jHx77?v#+7A~2^b9|^0;Qd+pGXrB#J-W99wJwzuT-)kWL ztXz(20+)z3v_Gd<{m=AxS zn!__r5G=IPc+|^;LWIx4YKyuQ)@{_D%sX&7g`d z)aKn&U@Z(eF9J0$1~uOwgtA)j{Alp!Cw|ZoC&K*dhvriO*y_g^LgIrHmQUj|Wj4|J zMB{Yj#CVI6_CUgB=iO!m;A3a@M;D;$nXUo$V5@*rRsGd7^}ZdOybJMjt?X{AjmL+XngI1w^T2|SjSoK|OVW!VYRmqp&5QH1iNNXF2u?JCE%(c)<825;|6{PbS}odiDkCMCa{O)cnFhD+1`vH&kTvNNK$X;*Wl{lcfw`LQ{1a@K~C%pXpg_RZzHlk`+c=`ldy zz#xbW^vMW)mByc80&@hFakhbcHR}PUF=gmi`3s>YIV8=cgn=QA(nKJz9X^2_lf@5a zXNL;kY<9o`Xe`BhMNh1Y8a{#5$7C~(DURL);F}7|nJO)P_VcPs+j4 z=e{qnDgjFk=d(=w9zjfD95T9u@y%bE!GIivWqVOw00IQk8zFtQ9#e|u*KQL{k6nyg zvfd6RmXu;{yQ%-ODW9i5GQ*jCAv#k&yJLcj{jrph+NKX{)_#*Ran0R zp~nYice7UcSFh7(ry8wi09|A8$hIza`7LHCP#bL{@bRIdzW(#i*HV6tv2vkVMwrrF zgc&c(LsB8sNS}`oxlH6R1`Y5>wdnumteVly{Tq~eEGsIH;{Xp!Td#XAF3{jS)kNf0 zr#peew%ANpzvK}%W}5;HlNTArfn z4BMo7ql74j>jgh)*48Y!{GH;iyw;T6g5AEd<=S4Ge`So#;Ur5FVhX6 z+kV}#ufDTMR9y&>w#6WkV>`Y@U_~q_Vgv$ce1Bd)gG7uXA(Y)5K>akj{~Syi(3bAi ztM4)EHg?b*!~WA!@z*+kd*n+HrFHGQW>n?w-~cFn#SY@-vSY&sIYZ$ml$8;^_|voT z({{qEW!?>w%ao6!`V577nQU?MXGzeAB^8u#UWfg+MnIGyv>nvuGm%3d15JZjlmxS@}d914UGZZFe<|L#=%7h{AiD!;lZH}zYPy!GMPfawW{e=h{*mIbC5~Q` zy=zG`t4CPP;~^R%joC5o(Q+0CX34 zEl3bIwq#0s_Rr_0hVl?eV#XgN9Wx*JDK1XUPt<>&H^zzoHm>F|zt#W39<-*2vB>7i zZQfa-;=T6TOrNECykzc`c(L>zd@zTiF@4nnF)-B*jPjus?zB}|!kQ8+>D=+?JwON6 z$mJbT_GH=eJ>26{mP>nrVqaj0Bqn%L0)bfiCsUiC4!@#Fvx#9NzO{rIIiO)WxU=BS z2_1bolCh_;1~`d4ACY&w3@Vhqf#8~-)>Ic4_?aJ&3LRzcB1IHuRB;q53;}s3F7FE&G7Ujcvsg|5$n1y-_U-SvlDh&h; zhK7yZcXur(v8s_bL00$)(_TxdKmVEMO3+-WU#E2C;%kEsj%%i4YDv!2gF-M7&i5zz zeqe@Aq#|wqd#@X+y1}!>TMQ~huSj%db_${1kpOa$p 
z7NeE;7cPt?TvS*Imw$=@b(TKma_Q(G7IaAp^p$t1qp7KM_lu8JHI_mF>Hg_ZejIQw zmx$Z{X`_~g$pOic8&^G_N>DuT+2nP7ShlUJ7ePI?y%?jP-d?$?BTEc|2;%Zv6o z(ikVf!A9dC{tyA>*LF2j0e@DNsQ3Qx5mR1t+hLLWs@Ony!D-cT!D&wqIW`(uXx@Sh zT}pZ0AB(oXI7^f&N1V4$%96poLRs;tg{&ypuOH{+KqLU}R78P>#f^(dY9IoG#)>ID z%>ER&T2;k9*NBWvBpDX!qgnVh4PSiPafP3D7Kd3ETxGxRapS^O8Qz>nmZp4oNjrKL zZ~TiW_NP0OMd8FFp{v(~@(DWlTEASUI59l6Rn2)Emob{-$bB(174HPE=}G=_jYvuD zm+Zsn%CT;nTR}k^=Zzj^+CY@GyCfpat&!zNMG`V$eI&nk@NXsN5Du*TiaFa&d|1`= z3TPu>fT?ry>DhTB@gM7nE#S4(^{ZjP{={CJH^}nJ&Jx?^o@nJ#r+KH%ZiIFJfphK2 zy8T{5n?1~u%5Dt0`eknEyt{B)JZ|)aZM~jUcPZZZf`GiKTz5#6 zHiKGyqiWE=>|aw>5wh~k(BNd zkd*E&X#_!}LrNM1X{1|PQaYqty6-x^@Av(`JH{R39uE%20M1!w@3q&SbFOFp9y+-= z71lQcog747;`J(hPmj|O6&iv0YNLyvZrb& zx-Qd$A1!T0HU5z#N;K@PaQ!3Hc4tqqTjNaG&B=~1Pp?oT_UiqaYsH*Kj%F@7T^lmp zGXKoA6NODD=^p)!#!eIU%z>+g_0GU+oX&cw%7h0+w#j=eDu!egY51clz1)mEb7POz zpE=st6Y&r3+5W^D{^7Ay-_h?-4{rIjrvm1Er8B*R6i*F7FO@8}`lL9vP1>-qdeIX` zjS|uLGh^l}W(~cW#jGiw#~@DLZISJk8K?hmCzZCF^Z|g<$keT~E~hlUvld~~I}UEG zc0(y^(ye>Oq(_EV_8vv#Bs2hf9`9mAH~`y^12}pF?A%E#HCzjnUFSsaJah5>Ek{9h zsnTQjcI)E(b$Q)g4D1Wn&JV6GU%tDjj61oe37&X0vwD*fmB0vtgk6JUzrF4h?;gI@ zfbWWc{rKN_s|%_T8r@rO6ONo7(4qPI2ZB4LL6gYaCah9?Q4K;&ZpMGOMqa$uDOuSd0e;m*|Y~)Wm zBvG)Rt3;uM3c@0KIme^&A7j;z?e{C%lQ zgBVUfN@Q%{b*|XA*ueWjs&kwHL%7vD#-zyD=Z*XL9^h zhGVm|GpuGXp7_%c;z^ypn$i3l3E0r3yk`D34O9O!^JWJ1Z`6cE(G4&%?_S9H$(ft4`L|oq&olL<#x=8=$C;|{6oRYjM z?DOY{7VGFAW#Dm;R7oM0&y0?X_!O+&NZqg8>ttHxT_e#buKrd%|K7I4`tedn9k|OrN(uKA*ME z>iI2ZLodZs*r)jVM5gW7DC*a(j@m~A1iJHNFmL{SIwa@JK0aZmy5gO5q6+z(i)@!N zQ9!kRi$7x)QM3h@eDrkHkHkpoX}ALdsy6d~k2UH_Wk=n|=Ugi6V)K?r*`Jf?l;-ub z43%TNP{ZIMcq>;lGfoM}UNqIU17T6DjcKol?7wdbni9~Ejks0VzpXyVX_4RaQ*J^! zZTw*QK%f<8384xT|LhxORDH%Dv56fsxqtiJ{{C_2pDZg|B}^Rk)ZoVitE|t!Zo=XV z8VhM@CH9Qdk(eN@k+(RMUr;Mydz_#^#}Ge;i_ac=F8lEnwK1K(0YkFi?Jl|DZ*R3O474>`>S#d&~sS^>;rT?Y;E_!_r(C2Sns%2q+Sdy4J32D61_e7_060} zK18F!`!OgfQR_%!N+9v7h860w_%_N_B^Wt_cn815z>! zWc*aKOb?7f-)+9y?OJ_vKvgNQv{5-H4w(td%V0Yo?! 
zg}@2;okNXg;9n3!DLgYfd;L?6t-5?uHD8fJz}W&=q64zx3UABhV19-t8l+KffC*9E z9fr@{E$Mq)1XldS_{H>JdNJWkb7NfNM zzboZLHvd%0@md}E?Vd7FaG0_3neNk?%RS7mY^q=y`2dG4zU+;qhyLodA3T%wsquh> zrNP={J{&D&2wHJ+JE5V(4pWqRqwGx1dp!v;z8Cvn&$y||9XP1O+mMKyo`eY2p9Z0V^3qJ#gVVs zD~E~S6y#6UEBbti|6;&_KiT*(v*JLFOVyR8%3K936}W9mEXA&5dmS#;Pc}|-mgXf; zvlYK?yTCis<3qhT5Tc~`x96xr@TiaeL>BmxL9JLkY#nB3-6sf?U-&!c`=3nXP4$CW z3?>sM1kk9!iL}=D7R)En`^#a?60K4B^-dMoY#+6#(qguqtx<@}1#oipd!}^7dqAsP zUPzqj1e9@znlgs$`sY;3-6@Q=T)OrQcBNzT&Os1>sp}fV;USJbk==U9TKO)9;aGs9EPWdC1P#R0u=lCA|321^4_jhcdPh)1+Wvu_9 zg+H3dT0ECC=YjEIw@-e+(}aT}9Gh`|-ZS-2yLP%Fe*fjkq?QV9UfSggUJ6q5UV8Q? zJAZ}-dLuZMnXzB&(T>jKC}LTK^33(9VUCZ+VMtNK>KwllhNMDZRs704jzQvI`awY= z)fP;{&rV4kww6chVk!>U8a>y!r$kC>9GiUVYzMj7H*nse6!2$3IS2|G!uxRRV^r|a zpI0R*db8#MwYQMnb->p%Ajv##FZFvmClFk_el*FvkkX~w99ip4WaoipcZucdqg!`5 z+deqFl5!8y0f#}lvW(V=#rD6?cZ-)h)oxUJUT#;K&;G%nGJQfjHZ?Yeht3Wb57KuZ zepX_DU{^np?uVPrV{zikjIOmDF~$ry4hB|0VF)4f6MS7 z7EP;p`@!*X$C?ULAS&Q5Ogw!Ag=JfOx9ANJY$`VUZ1`-A30~`9BT@CybaN#gTcIU$ z+`7t*op5!1&0{Kl&0?dLQ57VzGBj?Y9TgYf#@kAMdP%Q`O?qRzDI+hEZ!KDLtP-|o z*=EY>TnQ4Nt!Pq=zhx_qj~nnb%Zo=fJH7bu^@VtzT6-2gq`LJ$Qup4T zoLVO}0t;!v;;A||A+w2;+*YoH37n^m!k+{TCvn7i&-f=ETqY4531cSq5h_2j9`18~ z9wzDVD=+3aTJKaqSiG4%<%SdRMY{l<^TQU!c-cn`@8x9fc6dQQ*X^!)A#c)c$p$nJjs z{fhBDjflD1`b4$U_{Zc{^X`jt*Lws_-<#pGn~R$B+sVw9gId?`2el|jl)vLSe4B&# zDNjZm1opD#r^&&!TMoAbO1hSuRD$`6=_>eA%J}`uxV7KtDEr(sSQ5W-c>lmwROfSA z2QGQ$!x?L&$1lI+A2IF$yT4ZeHVje(>3NguQ4(%?A z2tTquCrgxRv-lGK5bk$uiul2wS5F9DYAl+Oy_;rHf3tLOl&9DB$kLg8`^Z4+W?rhzk824(K9jL9H(mU%?Oq>n{w@aBsLCDNiohH$A$@vPt8 zmQwR2aqJ{hDT%K+uL8@Gt(WraECq?2>uP8WY*U74*vytYRNIiaGcong{dS`Qfuz79 zE_p)~8hHm97y>Fv%k{8v6Q@XkIb8$#{PZoQx%l4jO*2h!{b@lKy)NgM>}2?-Yq_X_ zkLW!f%U7R&fJ;r~nER^W(`x_|l;7b6vMAUK- zoY@K3v${2Jmr=Aq)bd8OY1rdxEB~NjrwnkiUjPm!6KZ5z^Kx1ZU+Xuv31CgVo_m`eTR*7J(mVYW`Xa(4M#vw z@YJzh7gO%XdLvHEudLciskgqXz!2y%^C^#ecy!$H4hVRDUf+QC{R&I~ur%7frPf;rTk<8PZ+f-+UG!n$j^?1Kko~L&=Aq{>WG84a5J6 z=f|d4O8#a|aPe?jlRp}5mxpoW^+dTR_VoOPl|jRl4y)+AVOI?DoRZYDlH45&B#u-2 
zsy3V7uyWs)GptVa2zSCydetMZ_6caDc|2Q)X3hA1%@Axa9TQVqkWrs;iG8QIF^ZP^ zf$)*ZkvWc4Tm84X;J&x2uXpQcrr2H5t{&~8$q)KAi*?gHwI4FsW)7o*+4&gL15wMe zT+22(0%toUqorFNJUG%Um75Q<-@qSofW;pjwU-6UzqM9^*hjs9Mh+K=GBDn&#K?b6 z9|`{a72J((5S2oIISN-@fl*X_3Z0HgQ5|p?>R1NeN{0(gUQLT<2lI`!wYBE}1AH@V zTroX6+vs!cDpv_e;NXlj0jn3l1?Tq$O!AIUSbPUO3Ampu(8dTk0$eyiPg99_UtH~! zm&?U@f(TCzfXuTbLQkFo(D(N4uJf$wQfQ)~uLl5%pD+6PWho^Ag8O%mWAHo8U=<=8 zv%kj$zdG~XgKKIUu(J(3)(GS@V6kg5mpL$OKnrfayS?@(Z8}E; zCSbXK zKOsf9BzTigfT~M`77PrD0I=!(i_{p%YU?=&qz`s?cXxKi@U*UmBM6>4SBM`oHv;!v zY(o}sjcx7hG=iWNIBC@#f`dXrNqIN7A!44`VwSknak!RfXj{1gLh6SO?>k8BcLJwy z_fvsmNp&naeh@D&?Ny<9M#+LyXi9xdntss|o*`Nli$;+m)@&#hW?hF=Sy`^`_mg6( z{W3QE$j2Wmg%BY9xZhs$J7O?N3TTx~N{9qv&sUMMmcIVn66^w6y)uyOpT6&RdiuJd zpt{K~BPkUfyt|K0WF>D|i8xV8@CY>K95vAxaGH(>zcAr?ky;S#Q%yojbuA+8jDBsO zN=Fyw`L*lMQq2Qf&!xoCuO91%0ub7<41TVV`V7uLn*lauoHs|(-4^=F4^0K#_J8l# z_~@SlQ>Gxsaxwp^yR zEZ5r2R9TLFQHaPU7xp~4yFTzcY(r^^#0u@W^v)`w-0PcjMvDH*j^X_k z5MSRdVc&gDj=)2#u&6TKS`J(v9DH%RPe{bP(Xey}=Q13B=_8X@SX<>XQh=OI_V~k_ zH;;4|IEXtN2Jme*nbuAaIJDt7J_!QFuA$;^)GOYzY`)AT6p?|{NwD+fkgxLlv6Eyi z>vL;K=*<_c5G_=YqLxMra8I!k58^X5{s}Loo#QHImaV7#;)J*_Y^6@d1ZxxIZ%ty3 z$#s+Bp-Ms*C`;WLzM7_*#X)-8Hho@p9eDPdXwdzo#k{#V&YhSrBBTFV*0%H*&Yi@q z+_h}AriCJJz${~344UW~X9qoUlsZECv%xP4sr%oLhd?@KvYgMeE8(sj+q&GOy7unp2{lK!xcsN6tuy2plYbgLF$`2?BGm-pN z`gZ6x0TqASa9od7lbMhO9sxF=xH&n2FP(L5I5%~i^e9+TrrzVH0ppy*aQX}e!pKvz zg4O9@WrD~!9) zuv4*sT02Z&A$$nGf64y$tR@x!sECOp`Y-5{oGXmHDG&V4rP=wyi8Wm##XZuv+!ySg zJt3F?7WUG-%PH+dzT8VvJSu(BZI!bj$4J>}>1xAkWRESXVt;I9)cs-!*7)%bexNYE z+tSRxittppxqJpG2f!Nx;?niPgW(4-fxBO4$dEZ$X5-u=0K{Nv*< z{qmx;?Zh1so>#dVOFw7y{BBQUfXxzEG&?&xLC6ma4qta5`xM`UCXI-$6_6FM6!R(L zgZmAzoVaj(P-{9kGB##%GnP*`Xn%8Y1Uy4h8mC9n@wo?BYUhmWD{bcm*mt-6mV=2P ze?f;sYH}>y$;0&Ybjbc>b5w(0&-?6`Ih+vy`=6DAcn9ejf+V`sifkQ#qwgAC&S9(s z8^6h`Lk;HmEFLd0Nm~sThs2>p%v@f2FCnaN9m|%wfNDlG01YGK1y}iI2um=+~L0% zzpUy^G`a#|;q^Q9+qWT;d>#|*i$4Q7*5EZ0sYtvBiL1Tzibv#uE;F9*w75gy- zUYnV!EfmoUIBbmurwzsZyQK}$dwvM4YU94q5iL8u!1qjC@C^=H_3nl#xH~5BE{i<2 
zjN&pMnghWZjQh@E28>18%84SoLTumwKP$&A(D3e0;*x~rdzLBd1Y3Gy=L=Wq740m0P&=Wvg45C{>3!a0eI{o_2o% z9^^@xp;`CBP1I)d{|OGdlPH#AFVFk|+M!JmW*Nb%C==`wGm~y!BxjVbqPMg102G48 z?O+&MEnNlmHKCX{DyNo34ZSBN`uv%-Cj=i|B+!eNCv%9odB6PFl6+)X<0^k@P>tZ( z$G&9OeK@;A+Q!e0L3RDnCB_H68`oz4@+!=>44b!CO$vL0KR+#++PJd^Q4$C8 zzex%q-0QI4M5tP&1gDVV<{{|lJl#YghW8t{$u~kL&M^abB(N%>_`~X8rwhOqWU59M zV?L-AzV%k}5GMopL1iQ*8AUnt_rs6ebYn_i{I~}J-Jn;F9%Ng$9FnkMdGLHLSeB1` zomI}<+?>P&<{;%U3V4VrVTEdmjtyiMe;Y7=lX!_+Fj=(6dAy3@IVR=b;gCF~14zraPd>?A zMxE2hKGecbs?f~r{{~J@oXn!Z$#?;+M&4ylD6$ng6!88eP` z$X1Tir6mQOpGOxTq)+(r8^#T)pGFg3$v$eIry{M%DByA2Ro-6xzL8Ya6-AC7jDxG7 z9^1BgIIbTO1=4o&@?va-7Ki*%Qm|FdByrc%j6Q+O!WXmoz6ik80|4C1dD_2J2Bm|Dk?aj-i>461O|dBkzPUhkC@w&8-4&m2eocb6sPv3 zQHMQ#E~NS+k50){JAnXFmVG0K)WYT&6ch|-S>cZuBAELtOTx0_e|$<}2?f1Eg8Q1L z+8We)O;~Mh&lwXr&9c{xdpj#W&*8f4?Phokrd88z4|0a7l&KM)v;;X0mIaa`sHiSk z3`qsts5?X=v=%xf5hxoY8W zR$L-Jw-9N#yk2*H5Ev9}{7ktKUrt|0Ao3cL3EAeV7=JMe2Z0{T$7X;0NXVI!T==Yt z_1T+esh?7rK91}ft(M;6v2vG3T5VK~V~8-W=FA>@xAI70@;++0d}=}(M#z1%DWsFr zSf^ZSNzYdO!ugxebXoG-3X#F_4@%V^s^&$p9r~0`;|ob?>rTbp()!fM-hD=b6L0o= zewtnAIfh>~O=aB@V|`CJMcJd9e>nNwUe2KIF%X?%H#SG=4=)ccwxzZN@lti9W_G1! 
z2J`qK6w|*xMJ&nipO8LsYi2CDvVJ{bh+cfxV{?DEG~<_f^$D}Nv`M9~j%BN9Sy~i} zN@Spx;9bYEJ>LyTo4n?-GwYWQ3MiKQ%_ys8d~4*%3KdVn_LYbH=`GH|_*T<%lpK_Fa&N84fXLld5 zBYt1R8e7-R98t{x0&Zcb_53UG@)>R%r>l|Jm~A z*JB`r!MH0nzvnsW?y-9V+9)~Hb?S=r&f--bZKYAOO2`(XK6>wCT;KYCH7sF2Pp{!1 zO}&=Oh#g)-kB(c-xx*gt_35c-!>JFI*V2y|A5gEl-TKt>%Wci>tmUA)^IAmYusP;F z9~7%AZJK-d0( zK`)}#lN{oeI%mbf4|`bF!wOG#Gs!Jz1{KCqk77aC22wVTCmCsJup$RYCoeLm4E=-+ z?Sb)YPWRM&_i*O@%?6y9p^(!}%icMo41%7|=>&AxiT8>@M>4ywuWw<&K&}#0E8tsU zb+2@RJj1lq)P7UW_n#VJwt}FIu%_yH@pqF2(40C4RalNa@sdDjJzDL#3}y4X>|eHb z2Pdt&2(I;?x;q6{Xv@tSTdgFW;GDR?+Xfvsz*+>k0ljJ;1Gh%8&ktkSkiN4 z841$tTs0;NkS28z8N%!qPr^ZF1d38!waurc<-qYvXnaNZd=3vQwEp;cvp{-E3KKpW z*d!A1JSm_`_K{ubj$~`D15UWt?^B=ItZ))b*zGR1_`wcZJaBtmA_6fCh|C>f3Sm(2 zGBGg`s>-FhWSMgwQveA+Ft-K|@OtZ!hX9dr2S(w2)J3H0IJ5%n-QfMx1>JyEt`6zd z_2Rv6g%&eDS~i0Lh**X0Hi4_{`N85a_8rXNv(fEp{M2!}e7=XaX^5 zKh-{WOX2DkkQGRP&I%*$vj^F)l}1Vl{6VL~X?*C_s~9LSrBQy*9o1?v+bn-ckWnaN ztVPNmRTZt5^qC6OdOBq&DkyjjES$Y}bQd|x#=s~=fzPK8_omS4xT+g4@BB6_Qe2J< zR*i2UN}o>v=nah$K2X~+7rp)^|0Ktp7%TMB7RkU^B=g|lfQpiG{Qe~1Ct!M3KB+Y@8TN)rDHtIfEDc6m6m($ya7Q=@bl%C zo5Xv^lTGEO7qh_WFE!QrlV}*I9&fIv+THEDwOCgilo+;%#J=3*5OJ1?s$Kx^$lH8` zDcWG8(r#T=zYbEck@K%$$QvMQZV)!M0GG>t<3UDBiswo=eH|tE{TfjI>)9jrI^XxX zTuXFO|9*G16P-Y6k~x(cbG`L;AP1$kI#v^C{8(QBmEIubD|%GpJV{!M zSrQzi5>iGWENHD&1k6`9jtoMiiNs*DuVRv&)r%-by~HL2HquDNcP0egMbe_~vT8Pj zLc%6Wa0PQ$;k?i^I-X&5*ww$fo6X_=V{ok)cy@9$w=@RDMdtD1k z?gDQ6X%*l`{5`nX*(4)+ii}|se8Rc4+-Cn;^j!_4+8s|k#31q2xM|u<&*03|)UkPW zPwuKzy7%F~lcrfv7Hm!&Yv29?$8{9M2#p2kW5LXS+|769H-z`A^)&I{00$?VQyp2H zM9TjY|7bR~eELV!@mbg%SP|6RWK@4M}WZ5 zy7v$R0Scpr(89vJMUgmr@Th#xr0q2cXEY);g!JdZb;!c;YSXC_}j4je#$OSwD%@R5MY! 
zhR0<`)oyR0=`U3i46-vXkaAvv2WRsPZrnJ28|*#%5PIffpCYT3yFrWOuX$v(?#pzj zi^>?%4(P(v5uj#%J|xo3oGjG{64utu05 zBZFtKFKM_FvBH!e?5fNgGD08*u=8Fe+l%D-&u2!gC}{&*03A{QF?=7T(~FHb`0{mK zSq365PDO{U;Rv}o;9PgX$`xQ#*!PFnux?4YyoZn;Fp&b6w>dLm4j$D%g9HED76>vb zLG#$b>(TJgg$BAWe(v^%K&pPRTLI{iL>6gcm05DlE7M+TR`I$GML7n&zp^5jfTta$ zdk{Bp{X_do@pB_9auuE%lo&NMYIgh!sd>d^E4L+S`6@|_&+v1k#uLEcQs!|#)Ih=}HRyLE3!#b&*;bUEs1I^6d=Hrd8dO_aQH5IH4hzQf%jmCeLmcSY8I(#tZbA)D9Z3CE7OIe_RzR&l52|h)=);e>;UMo+610|L*|6QFkgzeS#=CqUd_qf1`zBFHHbMX}#rKVv+$_ zt)kHLP{P$9xQ2|25jNfLnj;Q>y@&o8e%^X5L#A1OJ4i#Pk4ma6z5ZWKq=mw!zJ{~mOu3ba4jBO+MUO*_tJdQMAk)+|^l|a^ZC>NY>s)(5jZ+7#gUjpJQ@RM>{d)?- z`UwGzc~%&%SIs(jJpvv_Sq#)|qE%&@sPBj0Y`9sZ0QS@4*=mpwuRwf*eag{+c8h`4~BQ&U* z)Y%Y*zxvW6geTOlU)@;0J53tr8$kq+*t!!v5`t+jlTE?n|GRo{`l0b5=g*|O5=s>M zR=C0tVrw)Sbv8AkfRdQx6Lv(L^^L`1)KC5pT%G%!W_gC+PG*!VSS&}DirV{M1We2m zRwe)M#bn~Vfv-cYf%y7aOLp*!yXnSfeOKEBTceZca_ax5+eSwILQt%W);Ef?AF&cjc>P6W$Rt<>6 z1YQl%z5LI@EYYIJYJ0f>u;wX;V?q{0GMVAPc0)iU9U#H*hqL+e?_34*AgrHsg02nQ z3y~PrAO3SI_c5Xogh0^?Wj*p&f(y{4#@Pt|G1s^O5c9=;8TY4T_HR(o5!Jv8V)y{q zT0?fB$CmN&%t+Q#sGf*3JMminbY~R-(PHMZ} z?X`Z=9HK=qnp0dJ?s?bdh6F?K|95B*RB$z_7UN|>FOG;0{&hmAtzrdg&{KbEu{H0t zCc~z407P2wOxNeb_9uYz&r*8eT(H4sHA_)~^*=J%K}L zz>8a;V&Jg*qqZUQA1)#OvlGWPca18 z{f`ft&WCmm(ys3ZTW$&UN>JUA@R$Jo0aSg_cI`P-EQsn!I>w;3x$Hz33jg1yLtjt> zZv=!2kJ?LN&S@Gos7Vap@$^H*Wi4NYC`bdkRsjeTCOr?h&q%7yJ6AJeW-C z)QRG?SlAi6AkWAc9x5U*cW50qMjs=GA;>8Dn+d_o13(TuE=R24TYjMU{twt+RgIsb zK5aq~g5rfFqKR}ekBG26tC3D<1#J(S@aa+0I4wQQg(GJYgFLd(1t3lCLq zgsy=lPK;XVpHm_Uc={gi&=84tj1Kg?uP2V}?pEe&?~vA${V6a4jt22QVFf&ZKY!PU z11E^_3wUKyE+AN^Z5c(W7q!Xi8crNtw02)sV3rQM1Gr#wY&Z`LT4<0@Ft6WMa$#N2bl-}OtpS`Nm-@vAXTqMm$AzGyaNNSrJ;(wIHT7_DDtvsqq5?C;z9AGr&j z$q$%Ghd6(e8083?BZl-$FJSr++uEabEdh| z?5>W!z8TE0C@>MJt!<$1`6pUNTqrkfS><*3G}Jkc8>9s66qwfNlo6#ALmqY4c8|&j zaJb3{XR=TL?R9R+G%H)mkpAy_wWS2a3SP<+xA~W_em#Hh0UPPyQF-N8=tTmCn>Io= zfL~fFis0{2W>OL_7w-RKWHRp#c@dY<>yN3+Pu4X$=z~eDbG`a}z7Lnb?jo_Ew)S=l zo9}w)8&pSHgj#NDHKvkwYX50CBBq18KR5N7i8UZggH;7HVnAK^Lg 
zNS@Ax)<2y*lx^E1w#mHl^t#T{Pe5Cg$9xz11@7uw*GChFH$M-MxBZ-2GsG z_2lMw*o)5n?s6kEB!tjt1ayg1#T$VZOnh0O8jm$e?0ujYXhFb(L9ng!r21(@;)-It zT*zOMHYyNl8%O@+2K#TXrty9ykT8Yyqu@KUCBl5v;0Mq@ox=v)Uatwg@nRLEAT&Lxst>l46?5eV&V`C&*Mf_M98(+xVS~fyt#%m@-`h6;*iJeysU`i zCE1w0J)qJ-8P68~|=%f^wC^VhQG_cAzhVWFNo zdIiEEnpl8WpCqEMWDtiKD)b0pqT>G+a7E7pz+OsGy$}gccS2b!{ zY5F?)`i}Rh%UPCC5+z!3_?%!SXr4d*_I>T3A_e*87JK6Q<5#VWNLgSLw*hED0O4~Z z!)xfz1hAOr6%Y{MCsReK@|+p-(g*+X&d*J+rx*>6lHezT(ehYx8@?Pmb8y?V6B&;e7;^L}~UPtEADbPt1AV@RuhH zwhUsU2Ii<0rs*>sEUYp6Vh(~e^O+0iKDDk^C^hQnP@c+1Oj2v;ZT&ApH4`PxDjqF6*JXyq~f%|2II7MRYn9iq7Q3oPX)7UEm1+mBV~nJ4;Kpj3giThPaQf<3zB(rgD#wrVGC3OVzQ))uH|M0);u1easGXeFxj-t%lpW8rxM@E50~_@S!(?B0%+jDz-l8-! z5xChv4hp?ShAzZDtTWMM)%rO|J_8LC+})D)%+;Oi4Fa--*1lS{Up*i(qcG?oz42m* zZ86>Jc4f9jG6VwwLp?JI6+T8J0(DOR$tsP4`03~HULUhE{t)Zv$c~p~aU3RJxke#u7WuNt@T;z$37%}HswSx5O6JEm;~Up~S!a6_S;NhWsY1r`N^bt7zb5`{ z<`|C1bM<=SiY;eow{i$xw zFWUGFZl%7jN4oC`xAUB%P2Hd@&s@L5zKuQ15`8FAC37+IWVxfM-6b`6rv`Nj{Moh1 zGOb~EjJFijER{W}h*pNwPqg>o_;tQhPweQvPQIuac61bi*!?+k2Au$J6oGVOs=ebV z!I{IR#8crNj< zE0c1DH?OZ_=FxE8(EsvGU(d(@mX^s&{;|n`CF&R)PStVVg!N2$rW$7)&;I*khX9y1Zy z&TDDsoqRIEFAA+rS)VTK{X`ahdZQNa&1^UAlmhz2{P(B>5cX3n;q!58`#d@?zrZ{* z$~0qCJf&J+$TH?rxmi|o)M|XB6#nJzN9Y297>9<&nBPLlYmzBl!@vGqzBc?yIn<-i z!Jr`3kw0^Z3_f=rmL7_%m+i?raIaWL5u53E1h#YUJojDv&@T3afO#U)b1&GjU@~yP zrMrfm^~3BlJ7y{1tM~2_9k|DBxZUmDUoX`2P74_=$v#1CUG@Kp1;j?aDiZS|S+-x6 z{606-KeuPh(;+t*LJ@GLMRKZoT}3#rQZdYPA`K9sV&?&&6hjuy-Cm7kRS?uFKiXsS z{bW=>BQMq2R8*nzwMkAWx1QX_8{Qz6sX~+0p*Idk<`LiYDA$>W^H$yz=-aDyfjvk( zPSC13igWe}^E^W1@jXRy56;&Gm`H;ZlN23U6q_Z+J+qkg|1{XA?&X-F!4!r@9^+5_ z1|(><-+R+nNh~2vw20Aedd#$_BwA1A8~4nddQO#@ZMjknZaeRU|DxtTJ z-!}NBcIT=2NoVh;XMdDc0eeZp4Jhl9yNt>oYrW9RD*XOa_ajuWX-L))|{FZHz#xS)&LF^j{8y}jEzwrk=%w<~WCu0`s`fhQn@ z@Nq!u$*u%4sRCSiTpTeaQR+Wolwk~q9aM_!gCtVb^CLIdMf*%zjq_Lq2|x?e8gC-= zt&7Bd{(8jHG^Y^9?S;BG=4+Ee5gIRxpV5 zVo1W@%$zTXi~iY_v_E{Q_z>3pAT8}M7p(hVw+yK%F_YW$!iE-v4C6Lq40`#95D9<2axtlDI5#)8;5Hrn3P%8 zVqsbh$l}^)wHa4_auL}Z{HzUmsluemM8H{Hv%y_%b6;)ki_a{-SQllchP}RcecA>5 
z6Zh-=%D!Je^M~3As8L(}Lyw@PJ4U|kCurba`61LQ7ix{x>8jYKm{g@4xWS%zTLjis zQ|CuQ+>}&x=PQP+1K%lh<}m@;-`wp2>%yUM+1O@8=)+8%^Gz$rN%dAN%6i^bnLpV; zXFEsP28NeL|A=Of^I)RcZL`Jy@%+9{7~`s3smse2C)A>m^x>{1YZ*(KrYJs z)%TV^8Dqlyi$&=v2BarFH*A_$!9s9}D0=u>q;=_8Sx>$$e;HBKh!yTKpwk8vPlI+7L?eEX?tlKsupC*K^_`pgP zOn-H(yYuSDdD=TmJNQ$j*QB6z2WL=>U-VFnnYO2At=wNQY7%oV45njUWOvK; z7}cSR9ciHY4HuS+M~%~j;YE8)9%ok-Y8ELZHb;$kX#&~mq*o#tdTH`zSv&)MeOC7G zn#aBY_9PB$ypyAQwv0k@{H5GSxpmH0PQu?3oQ6-hlxyt_{z!1m*g8(y_y=#1$>pQ4 zVuAW19+N+gzrRwU8c6KUWwWBK0s{Q!+Cf=tHSkc>eH`1!KMbDlDu09`6y5|Lx;N)i zfy9D6f*EXxZcb35@0Z0UuQ1Qyk48RXVKJM1!yAL}HO zqP*IE4g^uHmEV3Q+etjx4CXgU>LXx5yYnS{Zf$jSRbU8XW*NghC^eYQsoWOmYS@@f z2d6e!ZDKKP6@k}p|J$-!>CHz8N@+#0Q^TcFoMxLT*9elT_mAFx&d_#s4$vM_WN0nn z6r7BfE-$&J$=7MPb%-vn=zJ#9VA0!C^2tswQv_IcNMkhh(}0pKsY(5 zv4N7#mKC(#PjLXsF$o{v8-4d-kVz8r@$J}-uqP}uFJ56brmbWRC}MWnm;ut}7yhfh z-ElGRx%>$kfG(y?s+43;PG4zQ`a^vc7YZt~TK3$2M>MnIw~oHlqq2#=*MJpYPD9MF zhZf_H%kNV7tE$c0$VW+AOXnKqyeXf73rCUq5d8}0>i*7r#FXBEAR}EC6J0}O&%|^J zE63P*MRy`X5w=I_dDCADxu{=nTnqH&k$Yw)Fp@tfE_{5J_d8FQ;*R&dV}q%uuiEWR zvdyS+HtnDJX+Ui8UJbXrk?bG05tuJ}9{gmq?AvOE- z*d&h7?GkI-BdfjfX<@9q-1kHYy?W+pyiq(>$KNYD#VGrO;HWDh|5nKVzEB|DsKEqn zUsAPJz+#qx`yPLwPjR{9WkrGDId7Ct`J!?wCJ#t$i_UBQL;vaLzIcWQinhNe!=l%Pn?HxC6m@=2hr^e~$fkQV_bKHJO+#0| zYa9_50|0>HP3DA^JcQOx)`oO0;h z+T5hyhqoMy9=SbvJ@M}Awr+co-Gk+v=NIL{hlc3O_cZVB(IoCEz%yvr=#Y%~rkvQD zG$^#IAo)C-QD6SE{?K*wl4xBASV~k`xATV@yH@Gs?Sq36YyH#kN69-2 z*)8v4M)aU(KKJw6=1* z%CERRGsF0_jBxdXBgL)K>;y**Wyi;3@ALE~RGS&{WU)L)thGUGW@4iNOy`LE!~1NND3(3-6bL--5}i{-FJ@9`@HY} z-nH&o#uCq&GxM80wP)|o7bYSy%21#cbeV5n)+$l?ah6EZNvk3&C%@3?i#sE|luyz@ zyX{p%D7!{>p{6IpkVYq9YR)|YyZCb!OP|_Ex-5f74pTyr@={p(hc09ClYG?xGIafF zf!~wN89Nl)vT4YTcGKD^p$b14+^_59O-^Mqms(^`jC)ttF;2<&P0kJkGsrgP+TWM) z*{1eq$&H)}u0nJTh}{tvcqDPT56U{_KHKKsd2B&XZvo0w(0N44$Wf|D$s* z94FO!`sg&!ku_{!zPCNVE^F0lI2S>lT71&55eq+c4~}U!M-qNCK5sr8ttfPbw&OK8 zxGs0=1@9j8@7`-)4rCWS_^t+YoMA$JSC!uHl1l>f>3jCc;kq2mAoX%=eGlXCi5&i@ z6+8IL-u$1s>UF-}ji*EQ-an*Ppv{Mp`w~LTb)>7^Pd|f*lwqDFG)eE&r^r41IU)i} 
z8|b7xrYF^a!1__oLB|f5U!6gLYgk*4x+^c4mzQtXa2|#pt`*(!&kFO)qR4^nf>sI z0euLI%qAZjGxtANO`zPB$010O0i$n>-y*7=C0g_DcESQa@Wn&d=`JpK%|C1V9w}4r zV}}11;Vz~>X+?(+WY7r|;psy0Chqcgq&DA>w*?z_jI$N`oA+p&7h=rj##`k`H_3R8 zrv5L^AUE17hTWa|z3(-G+ivi27?X=Agqa~ME5AFX*!PhcI7f6sHVocZgxpiO_U1aj z^|7+@L2mlTiDuFF`7<1(>86_A{#g6(1+=!IBxlrX0=>UCk52DpC`zB=2ZQ*R`&5%N zpc0FW28p9gv3ueV0ax}m`9-=E848$D>?bJky%?Hr8>>yUJn*FHEDAqsARxMdTc?A? zS~G9wxp3m2Hyz+VD=kAIe{B9yAdX)<7 zYUrO|J?qgXB8VVVLB7?T7pV)K2u-Y`L`Z_i1nrWr!Iwss;SE$U&c~d}#0)+=r435I&ffPWpog5iTp!eVFdKOnSG6rQ& zsT?C2<$CR{G6pmwjo1L=M_>BLYde(!D<+8O1t5f?y;_6X>~qi4{=-+b z)^PaS)|xOEejM3n;4&&Vk{Pv9a1h`lB#4`pfqED}6%(qcfE?vVG@ICOnti5QtpT^c zfWII(1dq|1@#4zkJK4A&0S<^D^Iwq+rTi}APLG)KJ7ve41sdWX7I<@y>>~d6iOR(R zM}eXwl{PJmNVMMjaVX%{pMrw!Pb9O<-5M^oWK@1~t|lwFzAj}pa<91*w$!VH9{xkx z9q9@45=l9PToWrnLptL#KNZL$>i1*uSQc#B6fV?=YEatwHS z;Ka;#>K>mFIMiY3N8{bgWBOQ1%RQ5Z4YpuT7{r%ipX}5&zoKE*&9g=a5NJZ&!ZU6f z_hC}rpJQlt&KFaaC|pL;3KNF^B#jA$5dwu}psi z&GWgFGvm(nET36=l*jjfw@!l0T(GjEFsi?116 zu+gYI;I!eOX^857Dzrq0&p-T2(d%u=!pD*vqoyGOAnmd6vh!i8CK`U!Jb`Uq75(uq zIE<7+%3+zpZp<*srhk}t`{F?V=hU+*s2?9D7WaQ8yT2PgI!gri6Yk&^#6|E0^(#dx zw9_6=#Cx`m>P$eUk9lvQS`g@X60Z0k>`VepF(0kjA8R2TgEt>&7SI4$XDi8{Yo&xO z94LK%Pw45Udqq-0;9C521mH9mdeJXrRg(>}tORMly#hJKWHluee&4k|@Fnf43(yNC z|BBbfk$jb)jvn$~L2PXF2=rn9V@;8T?t->6*@5tbUo|ymKY#!JR6=WnnTTOZlwWe8 zx#=BrY{*{B0CG(yni8u&ph8m0KLY$1o3&X@iJFSWK-AX(3FoWVW>!*UL@HA=;8F&+ z_m6SuoeE5XTV2%tCy|b`hP%N#z>=?+WkEkReE1M$wDVIbDB>kl7|kzKQ+4C2A?`;0XMsO z1PyLSTyYfJO2@jkMZUvCzVk%B_e3TOSjOJ+LE>+R%Y4A+&(?fcc!9wa-K{`$t1f*x zZiJf6Pvi3^?r2b=zVxBpQSZU;|L&q;1KPQ``yV0h@$1s(1ynHhjj!auaX~{OX93H0 zvTgqJf^pHCTSkVxq6nIQBMt)GIaU1xOBgc z6Pip6m55hOpnUUWeO5pf_7Q1~Pun6y_quZ6=T?Jj^9LjMgt1woH_;guX!h!9WxIL3 zD```9n|>~JtCRdF_1TaoscMtQHl<(Bc*OBp^jewew`rS3iV7QlP~h{v(#SiAsdh5} zej&XY^Z(sX*#FL6q&r8MvL`5;!?_%|3y8gSUZys}@L3xQ*nOZmBGyA_KNel)X`6Mv z%l6QJ_)I!=Vc;C(){Cy%FY}0B_&gi-yX z)kxz5saz7O(?eY2KaS|eD)HFedz`+Mh(Vmk-T3~7WXR7s7&Lp27gf@&40gt`BaCEy z@)bBWm(bO<0xSSX3gb>1gC#wFoGRm}8<(Fv5?vVv90dA^Q!~1c2Lwo?K_Cp7njQQh 
zL8Hd|CC#U%=_Q%hzv8+`q-ATF-yBw)E$YH)=>Ckf8!yh@=rcHJ7$N-SFy?M=k^c3E zodf5z!wuTUGl3u?C&x_o`pI}Qp>3KI$w@9_t5d@{!c-?BYKk%xz73Vfks&qTh^rha zM)n4udR<$QcHuI|Jz8SVIY`CwclN{c>4th{pg=m_L}4;BrqrqP_R^k3J7iJZz(#>s z4YARPWx*J#f6DB7#lDU~q7`O#8RJBOJ^pz;DKt39Cr6L6eT5#)GVlGpw{^3nFw_ASPwErv&I)#rgL1IKSj9q_HdijK zq+ENNDP2>u3^3@@3NRw#sUry>B!+y^$ELGSKDlz^2eP05LlcsKXqMIDz83#>q){Nl zSlPQ$Y9i)c_{5gnPDIU*#W^3=Dz$pwG$PO8RerPSIi@BRj$wD-KHjN{?nGixAlHwV z6HENRS`|6Gaa*T^rD=qv3+ac=^2Ms-4L)o%e$5fI=c?V%89|e82%JzX@%|~fpzwY$ zsIWO6e$@E$@)GA08R@z|3TDAA>ae9)a_;ECN0a4;|L%{+YTQ|jq<_>yx|)n+s0|HC zXZ@c=Z6J=Q;5=y9qD&xuxJG`>`@w+T*XHxe1v9M?wRSG&HF|U_tv(tB zwR(X?@iZE5hbtrogX>Br0L}x#=8p>GdP<|QOHhK~5IQ23aH;;7vg#+ ztC+zIt7#&Gyav><6q@0g7Y!ipSlic50x!;yHmbqMfjf8 zbjo)wt!|XKh-@isZ{7Z2_o)05Gjl;R5^81!+fMBiqDv0ZGjYnTO=0B|3Ahp^ z)U0oeFBqxDem&00%xrwf8~z)UTB&TcIbe3~bhP0X6LZX4;@!d}XhE_Bx91j@A#={z zVU(dT`EIR+*~vt3qY{2|fvEZ+oj|7l1 z#w%@MFyU45l)dGOc1VO+M6BPkH#W_?zVJQ9&#^rpMY{+ozL|0BtbB4PcWuvjI+k2w z`1l(DnrfGN6t_P~ZFzabPx7Ia07v*NFGiqLW+JhL;D<{c;R9z%ccPwN7D1GA_H-X| zJ4x%5Nz`-VSwRFNq^&syv;%rH^6?S02IlV0mnJP!-LZ5Cnw8UZam6bNqb3fNerYg+ z9%WJ2x|Zd@dzEh=T0e9J;7}~h#4iBcouQaNRV`V+`Hioh0?N=;@IFZy0VPGoK(hU2 z-;kG~(_F=KjTim9l$ft>wMwzQ3_W!Donw(c%$$bJf5-MR+y9QKQ94?kePGhqtMGup z7fI&xvMAHqQB_Vsb&MDCiMh){S{mS67Jq!}X*1(QGO8$f{IdILeTI@9=`%v&ii{Dx z>n|gvLV$5!{Moj(;XL6lhu@8y@p}eNV)(loI=nucdO6b8uu!4Oo)m^nT=tok)Mk}C zt1QWefL_1Ys&hDImKX!YcE0Pv7$Uo^03-{xi%B9U;#G80BI?=ot=2+zRor#A;&rB% zn>w?Pe04*Qpm11(e<*TqQ3I9l?9N`9G<P<*S5+t^_F7f)bb{-j?)L)$>0hbkU0x<<)xYL`RF62?_(k=DY~*H^%L;QvjT znLL=Qcv8_SGV7furcj-K`u*z4wKu$xCSCfZYEZ-YfKX{J105$Kk1RvgSHiWao8rYO zarVaDj-ui(_%djBT-YlPSNZy-X8NYjCTRP``waJfsL&*;5BP-HqvLnhf7;9u9ygGS#+;pwlf=3Yu5ruVbjs{v8GhQyf`?PDhSqaa1VR|p z(JV!OHh9Bh`%@wdwt5`oMbtTVEl0o`FylcwAOY-!x*S%Ve^YX5l9!DOm7lGvCNRJ= zJfnyJSO5)77ns7bsv?e*GM)~QGG0MRIVCO@sUoScr#+0zqx z64~{7Rh@Rf=nZWDV#MOs*GgJ`7A`U2Lc3Wq!Keha{{w;eAx2EYlLrgiOu5~+H9dkp zQnDZ(ZzsN$I;QfnaVw8E)8*n0^xADAn4N5ZKK?7IZ1e$0Dql&A@e2|z+5b$20SlO} 
zbUFGsf!8+B8dMAMQ(M;ZqAGzAr!Ix8t+w7s#@$)&R*Dx*AdEWDz0vEjdOhl$$cpf| zVdU9pR9;5gpRZ5+IDxxm3vFYbUng|Zx{9o=KkQ3JjQwb$ykT|C63Hw-g3+wDnNLwV zT^un+)Tl5>C6gC^UP8=>B`!0ufVIOI8?m8T4Ki@FxxPOl6lMd?6}7{_TAoY<|0h`s z7V+mRq2x#qosZbIsShxZhiU5A(h?>_N%+d#z;o1bT|6E{sv$A<>t3p=H)kPOTeuJ~cnScbx7ch^<5L5D#xRg13Vly=JpGSG$ z>4=zl_SffUn%c3jP~ZPZ2-CR2s*N%kMNl8kI@}6>f(!sw0=3=H7HJ_9LYT+{O1_^w zpwQD3Qu$hilqfu#w}3wlK6Ic5a^QpWS9%l z86`JHU`GX7*;8~q@RjTs0^L(foX6Nl;%F6oYY4cWy{>NF~<9p4w3 z_SgdurYJbG`zXBRR7SI*kIauSNPuVb)@8XP0HESv;ck_P*0jmy1!*XL2;ViFxg1V2hZ!2&P+f1Rsgy`oDDDqK8UGJ+t#NK`pf6JVpQ#00UhL7s^} z#6NICFdzz`ncl;#@}`ofbhpz*;W>O623S0RXnYOwROOCpj{w*afD8Oi^T?U&D15H~ zE!qv_3%hRq;L4r=#7C@SfcuSE%HnfH!hT}mHQyy`APYkf09+gJ6Q%R`tvoi;wsZCY z5NEyz1RKDG1np$v0vJgSK0Yr%|MPf^qJZWjrSh}ye19&MTx1c0?@88QZo(o!CsYyt zlkB12wxvf?@&s_@)mrU#4xY(Nqu#M(EfOS;4;s8D3f)y8Lv_}-2eq&OkU&7SZUsTZ zngB?w4hJp+oOZ^G0fwN|s2!Hxf4c#w(14u6Tqjv-?%?16>H`P>;4=$fok7dMw;uXl zG{3C^csZ8HCpR##V1-FHz#Qsjoq!7^JSl6hI=UN-5?u#PKyP02mvM(%zhBa zcA3vc!=_CO?geZbAa`4j#3vMUNNf3MiJScPsz03A827rM_00RIn0ft!3Hij~YT zzxX7!pY_$QA)tS~J>3Gy=rF{9qYW$t9UuiR=3OzBIC*$HyU}@0&(B#p-)RFjp2<_d zIGAhq6M+CCK>cLNpVKiV7|sxe5H!i+I(Z^>T##&-mYLbQU6?+r{%P69TZAi-0X**!~81}K zFHh<@(*7rhvu8cLjujpRA9a)fCDE*HwonR-EF!Zlk$kd6#vJI*({lHYB~JlW`+ z)js_vf4(+}NefUFO8Z{;kk_)5QnyG$jN2FB%Z-Q45}4s1{+DP!b;J1b2!!r17`&Q69=c!6G!NFEXz3NRB7fCp2E#w(s>eXxp<0*hm7V0ZyJUiUfzDi0|zsjQI|#_mbw<%*^)2=MOhKs|8kLVifr6>&BSUH5>?i>=cCOyh@zaWr<_;j<0}^Zv!y0TlU}ptbHTRqS`g+;A zjft&xE$>sqEIOQUh^Ubf`31Z6o?J`%vA37fT(f6+?_Iv9!bk?6*&@3K ze{)REPV+qfohjsf?wWlw51z%`&fB0P8R3Aic()muZ*XFw@@sl(4t%7Ylk1wSS5PWb zs!dMh+1#9OGf2!=j-FtN{_P?yFarmVxo`3(FnFg5u`-8iu6+ z=?)WLw1~?^j(c!nU<_anMu0J6nf(q%E`_nY$i4U2SN8$9f|QJG^5Hq)T(-6XOor_* zCKDqgBL+MGOaaV@NzM^L*R7wF5bb)01zaUT_Wwaq0KDX2clYM9U&O)fyE7o_p%ZgM zV9=JshE)v6GNZS*H#0Zsfx8F^Aa?k?Iop|lF(`7B!=&@bA1?cuyDqgXPGA}c02kKB zyW-V!H>Ajm$ups2vLLirxKMgN$ z?6v@$c5l9slLX@sU_o%RFQE{@huag!mgA80m%y|EI26zte0*90G9UX4N%NA_&EE`A z$HK$|9`5g^^j*;%Nku+D4iR8fBz(x3EtyF+Ni8=!DBtoWu`j*70tKH7(Ga6R$X0v`!+}UNU?ZoA>~&r2kB_CA6am> 
z$tv@E@y=f)EnmU#&L$#{@GHt)O7i?sRvVTqTEYXWEHsiv6$-{oQJdvQ1jFj~8* zq|tEdP|T(#8=Lk;QK{z%u(h>?itEuhXapE$eHxXZ!rh^m#JgpmS5TgFhG&ON%4Dw_ znsG(D?6|%+KzrO`u&2=RCC_N{3V?gSo6n?)Zk6EW)v5|G*_JrdJtdmg9kX$E(;D7< z&^a|bWCpxZg3gZ=|A$i#g{a1`gYwW9e*&^L%x&>AB8~}7e z3+ESX95r#XH|pZ>Fkh$i(7dnZ``mfGALsC9Sj2nD@g5+uHqI{=8tzJBF%8d-*EGn< zn|A8S-aa@U`aC#_+}?34fMqc>+8NKjxxp?F-dlQg;fAWa`p&ZjqxQ>eV z&;9c1A*N7gy$KtnaQ1~w#{Dt|r^5EtBZyqac+*UyD?MZ$fSnu;Xc}gPUJD-x$JXvj71<*&U&13jXnm%BQ2=SjX^j2tZ@V;<>fcbIU6-z3< zJ(z@;*fuw!0&ud-Mvbn2B}0tCv?d)7FtCbj*;*s(F1L5>>-*RLuvg(>iWGf`fN)r! z?*n+d?&)D!zuGy{W$>irT#uf7UV6B{U}oG$-)vXa&ju(woQD%Y%K`ho%#;*hkf!6y#O8v0@$x)75aW#IiX!EM}Rv0yq|pDrU^7)$o*Z- z^;hI%bFf+d`1_4g*&qNuXT9Ai4i66pShQ?j=Ugyqs;gZO7h8QX^e?TggwG#-v)*@c zJmyoBjmSN+7rydogA*aWwd)1tcCA!MQPL}BT+U9lSv((qpji&cPA#>NxcLm1%50D* zaLAA(dz}Q5xY9G2nkm*%xj%O3?X8Q#)Xq~4tCOp#UwI9Zvg)R(GIOaj>+lfr)d1Uo zj_SI}1sr26ojTe6?Dos4fGDalL*!08v4fle7%k4cF$9_UD1V?nfq{){_2d0rwrer6W79 zIsz$n5)4?oSByge9j+>6rTN<#B4=p%qtla}PrdNVbDx==Mjl_g3Mvg=Xz8&vnfdc4 zZHLW0Hs@J_gZxW#CBL7_MAokOJFxriRxter9@gCTYi%Z;00JvmBwXIPtoDLY`<$Ni z>4#D;uE`{c;l*8KkQSU~W9Jp+#c5s`!60wyqO=`Ia_UmLC6%_!>On$rk z2$+hGL=V81@7FIKjM0b5NHj;kllhUscQR4#TWd(&dvsKBK$=%w4Ni+~$I*_{_`m)V zXF->QjQrCjhN=6U=9ZT9kgcHPe?nQbX9-PXa*vhn^w=^{14^_|_k;Wc{R4Moa8sXJ zBvw9M%o*Q%GmR;VgzW!)t0C6}FukN5N-lS_+IJe(mdk~xFaTj zDYRt?^}RpIMu4&7Mv+9G-T~U5z+!{V#51|Kk%vM*5%!)^7gYyy{oei^h)qBP#dn$ z>yxT0^*ouSqA!#?y5IGd%M16NZUwQhR)sjV!>17d>S@E zgQXaN&$u$3C+)0!uRCJjfaP$VjD(J!o;c=B*Ij7~U~Zom5rFUWoNr(D!>L$xwfHjg z^X#|L2A$>0e}aHaN5!xR38V2o@sCTs*s~KY1ilh%Xh;Wyi0YI7bN~Y~GCZ3k78X2m zz=MeQ0~vY0`$BkIdu_>6NOmqmYQjEmB|=np=R5&Mcdv4*S<~Sd*~fKG6gn{ zglX4S$iOM5wZn9U2^j7{K|#aA!(OkEOSm!xnrs(9P!GqH!T{KH0gxbp0E01jkH;IY z7gRz@#iUw;vZdOUrZ7P3`F{1Ik)`|nrMkL0_{#wqVff`xkz13~@^|KivmSShwS@(5 z)6{!CfWRf#aPJ))AXV5-m2o_Y{^ofKN~SZ|0#neQLM^F;dgGgt_kdP-2hN#HPh%Up zXdNF955#D4mNv@t(9wK7Bt-TrRjz~dIQe;c<0;zN93HSfUtpVGS|EGON080nxnnh3 zcIpeIQ)t+ldVd8bk6R&Jz5sEc)DyghBD>O) zdh>V%ohtu9bzQDh)LC3bzWHpC*TwH=>Ut+T$%>eZPDM-eHD>s!uk_kj=a`u+ne1)9 
zFUS_yd{S>Yl~p1yNK6|+_BU@<3?`+m8mUqsGdYp*4-&-b`os_?77`YQ!{RC~2|>UP zw|Fe3d`(TV4u^npqY72KGLa0%7UlsMMbD+Hlg)a^rNzWOFr6iyWCD7FMjheeRZ@5IQB>^C)V4p4-`BP6aE7Y?EP0h^KXR~fY1v?P*yD-$mi&NW{!91WK6yd8uBVDj~yS*9Y4?Hm?6!O-KfmI=k-P)ao?_Qt$kdL zpCRbQQBJj*G?Oy<{_zv#BjzSjB%|0u2rsbMR@#(ttKv&uj-T4?7>*P0s{0}gcKF)Y=z%9GFt)J zQC2~DFeZjuowk^TfLXT&7-nBzACN~;;$Jhre%6khsJfD5|BKY1al2kegL*>T3$@)r z$^AfPDh@=_!(M36bwX7E7kd5H0>_uR;eo|}=;0yx0($&f7wF+@ihzz^zsGae4UD1q zMS_6@olgNXI<~jT!(^ZR`8m&=KGBZ2O@d&;S@ajUe8Z?-vOqSe#XO1rZtxdcn!ww) zZ^;%@pmFn;PD+1YGOo9%sk3$H1~au7+-6ND#nXG$^@l5NLI_k6@9ahSCsgxqB)#x! zN?HbIKaidfA7oDF!~Tmna{lnb(cbD6qF6-n+UKt>O!xweX<@nDbYP@k{x;Vuo_(kO z`_!vy$AKC2|6OhdPW}vq6k%gnKP$sPA(13|SU8Dk=rnC8>68hyTZDuzna>0POP-~h z(k0x$l+MH0k3Mt&k&oihnuXsoyyS;*)Z)ZeIM}Hc=*NI&uEbmKzPrkrxBYJ4k(%e#+KV~vyWuy89z9@sw!0hcV*LeZqh5M)uYa+Q z*cYeKXT72FRi&7u%}K!50Y%(hEQ#>)5{i_=wE&M%-HxOeH8pjt$o-oYKC7wUu-%x^ z4_4ip0fNAA8Hr~zqX3Rr5za>rL~AZ><<81=YOGZJ{Mrq6TZTDSfpJmj&zx+IY}VE# zFwNx)G>zYWp4mW!3FX!CoN+yGf405T^=g)E`087G+v+GcWc#kQyRzS7bHR18-a#II zdsRXT$+PZkT~UAOI51jWP~%#$<$=-LllP~J(y^BCEJ3SNgSQN-s?EV`uB9=gF(B>vFR#TOODOa`zLCmf9i^9O|5r@5}JwZtE;NX4;JIaS0=^YxhicJjXY1Q5t{Md zw>n(2zupMExm!7?EoG#b;p(O6Rj*TB!9JeI{6Ol+*#M@FkpM$`s_iyd zjphPp&)Pe!M&PD|xy;~Uyk6LD_WW_4oJQ29SI8}F7?UDPxEG!KNdbaao(mF18Naqq0ZXLaq&q~m&Pz#Y1UQ2#Z6->J z;6O9J_Y0p_f+IN(H+Nq*e_hxhOk$(Cu;`7i+jLup7TT215&wQ^@^pk6}wI zI5_zf51UHh6Z1G^Ox$dKV}(clVhyG&65!ARPAZk@qJQk}`|ank4Oy5)gZ*IkzQViV zXJ6%J)qcvg?`PeX?VXpk{dDs4^YjD`C$K|TV_RkXB3=9xGo3UE z!%<=?;=>usgJ@t77qsq&`)Q@h(=7q_^W{P>m=?|t7H<9wv5xHVZURr01Mqkp&n@?p zdD|Hq!}KUP8xp_SgZ(4;7uXBJoU1ml*KC9HDm_3dchLcYvIO^&ZD1%sl?Db7_PKHq z_$WMrKbHalW!ttFBmJD7ZU9bl*@I~6q;kBj101k~fg`!+t+V&x(?fH1>VKE6bCtJ1 z<*WUo^-yZ=2qrQF?l?}WIufx-gFWOYfqU{|f9?X%n5mlHm6}WKMYp1-0myD!aq%`x zc?M8`^=c06vS1o+SxG7gb&g98)rz+ZOLqphg%`j;jOraSg>*n29Ub$TW=2Ot{*E%c z#g-Y5QwEI?q)Mgp79Z^HlVt`hG<|ofN9phsBT|FA@YE#me)&WKSx6 zk+f>R@v$sX)yAbW1p^K{-v7OJ7!Bc)$)mRv$QoF$^UKwEgf!*zR;FSkjhU5NNU+SP}ctX+$zHVn{!Na(Sr--RboE7-svxEF9l_gtDw 
zlck=SxDc<)esH>|RBuvGj$lNsCLt(d;WJl3uSZ-}SB?cEo`#3pf3MYY=Mqa<1UBH! zr|jM{mU$0Oe2IrmyluahX2v+CN>#v~q87y_B&79Ot}q_Sc@gr7S_fQEN*Jj{C`l+O z9UX$`0HVrITX>VQ#{r^Ygum6;s`oy7QK2@gPltuPlQgwYi%`uT`h5P*rPeilra<0r z^z}vykiRR^l)CE0*X(b&R@+T>G+Afjsup;AU7m@ZRIYwisHn^R`WIK}5ye*zx+KSy zTp95k*}~MWp)W#~U%1rf{H~jeZ%ImKgFbKbv}2p8ou*KNt{^xkJ#w4{hveW}edzR}6w%j++f zOv$yn`8=ny7E$xLCsC(fNRZ7Xj53aUe-$+flWf2 ztn7Le({9?KeV?m;-R&B^!!l#V%jg|Xz zZ@I!z$)=OV^ZV)2RVP1hIaJZPyn=Q!%*Wm@YA!H0ecuosI6Br}vsd>yJ@aB#7AXo{d|47?13KHi#E)yf>f@O`=d`_PRLgHevj}caFjl1UxYe&4p@K z6Z!jIGnZykTUAEnVNzAjL50PB&Jm@zp2 zYB3PTcZ&6+no`m0MdFcc{BWCoHBIh9f<;_`-1*`A^!D+Pqe~)2^)zOW$5%*KB`re+ zoe$Pe418I}f^m|UwJ-2(%BytE-tG3$AQuyW1;i1&azj3j@06+bihi)S2XB$YRg;j@ zE~=VW?dpnUMki^hX)O*9d#bByG7??1XpYdk>HGDIPWdVbiE2l^fF$^NW zOTC2yN5vKto)Si)9GI!=fxCwD5=uk$+w%4}a+TWgHA^=7+gH#N^yZh-TKzYg$fC>I znrJc7Z-dnmq!|-cWs4i*S=7%2cLb1-0FXwMA5>n|YWHbE)?~tmrSqc>Wg{(|ZS`kK zvIv89Wo@#5@W(yT(9YazX+LzjsBXJ)9M+zZ%7k1u%~mPA0;3e&O??($l#Q0}`a6Cq8~Kp#Ka=e|w>}s&P^*D`0#9$vO;^LqJ3?{hLj2f= z?2Hs)3`IkI@fk$ab_9IC-tC)RX2C^J#p~I$qQJjT!hp#8&9EUQQ9)wUPCV%hr6i6d z9-$L54R?ZZwRP3L(hANL7CVJ_h_SJt<8RZAUm}*$KL&zxdLCWFQ4*%_i1$3gnxx}` zKmrJ{5&Vsjanw2RZ@#{h^*wpF33rnDU?yj12D>$be_5cK?~De9#Z)u6BZXXk(`r+l z_;LzVMt)t-71Ji|rCIz^1eIW!!6bu8@%i1~&eyH2UihH&^eX~D91@?uL=TdkfEre# zF>lO}Vj!PbnVEndoA&MZo}R1k19SHSb8Hwy{j}*(YCu_JpS6+pltFWxI)(21iH5R+ z5^O{Qdj;Q5ot{EO~L-TJLFvFjCmQGFe?G+_*l?9G~lfDI=g-c2p6pFx}CF1OL z`)BTcn(v!AMOkJv@$guPuw;ZZRj!CVSp*es@GFl0R0T|M?JrYm6YShEs~9;`Q&I_g z)*85z3jHZ!F0**pIfSnZJ+Eq3gL<$l*pc=cOxnX4C`_vLp`Dtk{WNBxUpQIP;qxd6${$?Cwb(yc=AUtX1(5%@y)9CbPz*mys?ZLn zl$2DWo*pP0+Ol`*@k#0^=i;>2rDP90{Z^ zo-a~fT`^PhFfJfLDdGC2$)uqqaov*7joFdf zHkI_BHlND*-9EqRd5J}WjY5t3ToTI#Q8JEAQcRMhm$d5#4jwuxrKzYS^vDEPOZjIx z)#Rr5e`|Rn756wWd;m^APA*0cgZ+^K4Mo?zw#DA>%PnhA=xfnL3f?Xxioi-SR2-yE ze5?+CxOjy^A~`KF2nrg-Xf-m`6O!{%3ekLHKmhpnL2e*`?ZE&X-x}{88z0mI%B{Xk zbZmaQ*R#dP$=%gvHkAAn2R^7LhNvVh%H+L9moh*O4Q%No#dGic=>Uk4|1^C3 zRtlQS@UoL7bb_0(?_#(indq1``@EmElT)5049%`gPM`w;N>Ei!#j`_C>Cp#;O3Bj7 
z8(=d}W1KKVy^g!1CYVzGUtyw9fb5S^$RKhHp+HzlKcZ)m*B7>BF`_u;8=&iSvXhm^ z$*G`!kM2CU3$pPb+4)^P2KHP0d>A zY1-`=5g)YvTR$Ihc?wetHaHAXf7biUo@p<~(+r~Kt?NGC7=IKGr%(tL1s(jAKSBjG z9?=CZ#zm>eCJ~-uP)UxGFFuk&Iw86H|8y)eHZI}=G8!}?^{Ag!0W`CZHQ^AOQ-#eR z!72E*!Vmg>fd(1PUuElm7em>I61Z`YdHHPAUTyp8qN@EHum!XrVPa{KtN({Uu-eAPWW%I-Yi2 zu5)rYhm(dhQ1yKG;D>*ll7c8UDG!f=D28UrQzU2e840e-zcNYK^wo<&3`9!Pj+Z~Q zF|ky*qb;~>0m$(7ckAIhM+1X}C_7v*@1}usTPq;1KmGiVNlek}l}Mo79)I7u3a_l@ z5QZm&L%_>Vp@5*VVF%fP@0oGQ$LN5BA?`JZz3jq3hO>hkV^hc0GgsaZ3ZuY5#|)<{ zYLa+=c=I%0S#}tpTHI&f$^SK6gLY&pI?j#QZ1Q#=-98!0kU?}=XK3cru9Wx8Vm8?n z7)%Kq@e(wWF{N^{Dt+N>ig3gw5Ic48z(pJ}W>o@Y$=vpR4lb4V|BfiGhqz1J)KNLJ zg!8R47$evzPCq)z}2Y$P`d^1LMN{QQ(n-Q=pPK6Oj0# zu;NTk2-_zkod4Nu;u~Dw4ONRZtrx;S);O>w(R>1_dmur)JEA5*cw)tv>G^@vnq0J> zLr6V>zT;6yqA=QZg@1w~+lfbAzQp{7aZC{h$#_@#Z}kc`a9Ldk<)a3A7(O6$h}xZs z4R|CQcc2Jp#zDR4?RsM9$2Fs3uDcueIHM&dHC(ROM= zcrU4ZC}G#7kZXtktB72RJDV=|;Hl{Iq{5hs|4wfktlu^gDX=65FlLQWk>18Bl)mc0 zQ>T3GLgJD#Qz=9rMR?hF!O|#+7edtajNJca@hu)V3wHizWHtL)LxO)tdSaR<&47fM zX&ydK;z`9FrQIefC5G>7wwd`%xd$3MJrEs0dV$w%x2LJeL78i~(T<>9^F zTdOE4{&@Sp`p{Crg_GV$QiO&v5T347>~hTg$?Mzbd+|HPVveqi-H-!qDC)jQDWhxDi2V1#bCF}yko-3B=AQP&u*0>aA~}Y$ zFioDO?MLwz$C8XnWm|mh_`BwqrJIMvS-pb#E2k_pjC3A*V+t?0Kqe0v5&JbcMtb4@ zo;oA4kg^9B(t9CB;2rOJmT!#XA58K5zTueFEA@oV)i5fK*C8d8YDd#V&YR7+D(PjO z72@lm6sjWQXLXv^iaQGbGq5Lh^D=P?Y77I3MCcb39w{WI7X7qz5>QI`&L<+AX~#cO zzw;3W@Io!pgE{xY;hY4e5YZ~JLVI6zk5X2W5a`sswjs#iZE)Y$?RO^WpLy$4M$9Qh zpJm`p`t{%D7ZaNL+lz_?B1^@w;r8^P!E=)IzpkPdM*dA`B=``x*~*;ym`yyvSQd&e zMuW)e+;WQF;cD&=U&9KBv0AQH>F5C8sMGAR zTm4As`yW%x`&VYWS$Q&3UqQt3P}*`%sV!;0&dr`3tM0#>hO{VBJ?#7ltq0hX&u}GtOI2xL?BQb>i(It-NP|P|}$1#vt`dhrbLI&+ml9z7dYJ ztNbsRHD<5BaukFJ->i`t5C53a5BYZj;xh24kx`aQgflg*=*Hj_pqR3V^M~|Zv|_WmcAEc) zWT#;XpdH{7vujrGL2{heI#P#4R(0~1F?HiO;gN*ug+)xQow%Km? 
zBBZrI6Y&=Ep8LD8zD-BC~?qLF*{5&m+A9w1KYA<6dM_j7`_Aa&MRZwH+?rI zkeN`thxmS+0wFU&Ui`=h@ zWOWJ({WGr^Fa=t{A%J^EjOLgRP7Gpuf!I+4Y|rn5H;s;N$FfAI+5)D7@f3MIy5Sm4 zSF!D?EjSQYP&SO&WU#7{akZ6?w5Ks3$dBT_YZk|zHG9`XWa=06ob#zzXI}f3$ff&L zgQo(1#)X8Nly=kEK7(L9l!xz`nqt1~QK;9AmqU*s+{~5MASp3Mr6SSoVX>*)a5SBZ znZ+Q_qs#HI)hXha{e9Q#V)=(lt~qngx%Sz6f8t;SSv~B5J?MdN^3@s;<;lWb%C-?C>?`-=_0lMypm;T!~1O@T|f`)aUF`Vqiv+}%S z>JH}G3(k~cV``i?k~mA9@Bei|r=hIs{5puIS0a(=xA@WCbILoGnm;L>F9F!O=7o6B zlls~N(Phd4JkH6lTKglnwX$=8a8bX!|X4K8$*y zX8T9hOrPbEU3Se3O~FM1~`sBe23E>^B2fW69_!ePI~zXcROH zOG07+X#``v3|v43t!7rL#dS2xUh&a89je9o22MP?pYQM{k*!xf{|xeD7hUO$RD-v~ zQ*m#*@rgWJAxR^l#-4~yOVG^XjK&l8nztN791_;!bvL#i_?K(HJ*BSq=KJh{Tj}4N zuALB+%hu&eEnc1dT*=DMl}~Q-_7rmBbMN=q6G_vz-|VTeH9Vv0P0I}SKU-ysve~eC+DOYtt%)J0#@b0T8lmzA3(91l=PFMbrDxzutm84;+Ou4uw4%8)Rt8^W; z%9DC3-fT$_zlWkc(qZ#6SG-*3T<^(4-JJOnA8 zo$0NN5ULQ=EqtMpXlfD`e(d&(l@cmSh`}24LZS&>q-no6*xcJnZ$59zs3tdZsoC?M z34Nc$-bZ-sI&Cm-9MF9bG56NO#4_ti|HYrIwiR^56?G1&8)N|sc^1m;1*N7SovF%S zcp$?b*)2ipdL`^=-x>IgvXohC*fSPc*?iCiQUmKx>xwLq0J>TIr~m5_5GY@^8CXU4 zmCU@eEhGcTX?B%C$#VsVJ`H=5uBarTc~53m_@`x{Ovw((64dCf66fn#>%-NfQbKRK z>J+U%Nhlkm+ZC+?7e}^Xuuka~wr3)WTK&rxoaO)26KQInIiYJiyvS-CFaBLVTjO{-Qd-Z5-ZAsjtlt?yz0i&Vf=4GG-G9fAM_iFs zJs}cQ1E(oY2=YB1vAu?v4=`oqM>;AJVRWJ@wF&al<4&rraYmjFnF4|y7yB^H$Y-i< zv~af5FAfq2i{uAl3VHCAaNT#MpT3MlnhH^>R2a<_j1N_R#Laisd>F+(2fRIfnV!oR zv;H@;z?|#%Ie8NGw~Mo^4=skD)DzW)(~5;Rr(0x8@0<31IWrDSGTyjcNVoQXG;gfq zLKmt|;3=$mw87=EV(thZdg^wvQu=2h?>XaPQI?_pW|4+|{c6|qQ$)1dw{~|<)205A zMDdan+%z<+{^!Uza*hCLkm>cvixsi#L8D(cSiC@nLL}M)wua#F^777#7|K4m~Y?q*?T{)_ZzxWAFXK> z07-X0n7K!~AJKenSnWS4gnywMk$#?IRH6>-EA5)cjm!`8)IWU#*fY#EL`D}vB&3cB zX)$ZJ2cJCl+V?{PV=hGZota7mbG=L(bw2JYQ4-YFiln!-+NG^mC@r=h=V;QZ7Q6U-(RMN?XYUNMluS7@k zd9;om`2S|TTl=U@MJXP*)g|XvV*0DXW~tKJ@bX99Cwxf*gNnTK$yrja4QzLAmZm?s z8~hpdF1i~wX7RZBkIK!w6SQ_N^;afb^BJzTojkSWUN)6E=4=o3?3Fs{3hhvQUF3&J zG!o#Q9U$u-wOVg43a}K$`=;$pQii-HJ6M`XResd`n}*9pr-*%HD8skYkGnnL2^z@} z4|EpKz_b1!{&`>eWWqQELQc_FK4WWljyP=31Gq9ZP{Lp~oAGB6MN9HUYQ6@*`O 
z1j{;^dI6^!N`}Dd^FW3l=y>MUf-VcKL;|GS` z$JtfSU^JJ?ao~rKyv}IL8XOdtf72|XnyK&3|9&D8TtKRp9cO%LXHP3unQw6WE|_~u zpSbq4C1vGnF!w<*$Jmt9LVlxUiR1gf=^C5jeH%SsDysKN8ObAGy=#sKDJ>1$uZIN$ z^qfTlrvxzYkLNTYAj2GDX@g!g{5T-R92vpqMGL@;J{koRxoY$>U}{0An5`jnhG1}y zjPLtZR`6>MX-0FtQTFOfU~jtNV0zbmCvCu$!}gCQ)e?aw?fHDk0cf8aav!+3i)NkO z3^(S>#%V^{k0hOc&6OEuOK3jMftp_K+2@=Pkd}tKtgp_@1XW7M4)WDs4n_d!&Y4aM z2@A*GM8k=h3Hk@32m5uE`*bBm|H*KQEru}IfFrk0Z+|Sm93LKlAp0$G#FZX_bK4`o z@e+0_iM$=gY|?E|Eyq)jl{15iK*ElC&!UC9_JXLZtMIJpt?O!~sMcXM@+o)>xVk+2 z{Y{2W26!Rmsznwz2X}1+KZ0fsX%n+GJtQr^t`;jr{uwV+=Inx48=1$TYEREm-axW5B%?iEX%oq3M@X=r`3N_NvGu^ z9=6RmQy9MA-{WKfQ_M&$&5%89oOx|0QRljyr0i*GU{hN=@ovVgY(wN-*;-vk$%FPw z)zEza78E=VyJ}v@>q$~m+rN?LkNB?o;t@M#wZj4QCp0e08U!@w*D6ScwzNm=O}sth zw(!n8>xFwM^xZz%=+*V?HtgXX*J+^FaAlRbG8zX^gT`#XO*`QIim5v0I=+9qUF&e2T6Nob}Mzm)jfHuU41>9{4yUs13u&KCTB zulMCo5uZHz_Vb_a9B-YAejAP1J9>UmX8M-&@Uyo_!2p0yEg#6CZ@c^y+Ef#^d}-Rq zZZPJzGGk!F8pszIdCem)vy`#-kmg{eX~v=cfKSo*ySG)fI|rSkWWn(-fcVmD$XCau zRXr+iZLo#AGcHzFA`-mCiXum5(l?xO%(w01j~fQVf*}|{T+lgG+7a3E*bN9%3Kfrx zna|M;)_BJ0jcMbEkUMkmyU`ddNQikzheb4`I}ialiOb>QBFHTetOJH90c1S-)ekWTS7gFH~DAh^D|~moELdY z*oDi!`6p|^t?K*8_HCesl2MNVYMjq8<37{DiWuyMmmCHst8txuFSF;XI1SE$2YHzy zTWQ7*xKrG24my_?Ts~1Pw)*{0rz!C=zseKjG?>;UxHT^LXX*1Wn$w>@{-#t{TZ_`K zRqXb7deZ5$EsJodw7<8u3L745Zl-SjX|m00kvdnWoSIAX_-SG8RC|+>8YcG^Za-I% z#n!qiSLs;Xd5_OX_>9Kb5Dj}(b*S=Zzw1yTC_q=Owy(`BELbxzG@LV!?{xaTAtzmj zav$~~o02w;ypdMzwu{J_I*R)bM>YjIuqt$rs&oI zWmxy_i>AB_avUS~2e%(psNY_`RBw6t?Q4ZSmCqUN?YVKbQP_D}L&m9a* ziqD2VhBd{5<}b0cf8t2}VrmZi{b}4+{+9tjy`4$~f0xiJcA~ogXd-!u*y+g}Gc7Is z^9z?@*xR((EYIf_S))eED>93wcG9mO@qXFyD+s6xgExr`l@}`E3seSWCb@uY7njTmEP)~=HnQtL}En}AQC zK+Y=YRO**%{3&9YXKPkSq{=QhRbBI7ul;kn{y<-T`+2T17k=VcJJMWyN?0J_IEX%6 zp|k110!!+MPk4GSXGwY}X@laBDFdFIxjP=b9bj&Jdc^4s>s^omNi zZ;4kNf<+Ixd*3$=ohbofs9}qgCNOwHJ6wOMx&C%AO1bE1=c0eTn`S7be^xGK^6TL0 zVaq4qHOK40k7tsV=e~El>u2s9wACN6u}HSi-jtKgexr#AbKVg|r8! 
zQpL*2_^CncvPr{JWbmPLn`tumI7U^tBqc6&Qv*7D2%uBkq=#+_58V+n`Js#|B1Cqg zzkjFvvdQf66tKZDlszSN)tsBf2gOTqq$s{fq|LS{E`ajS&hYzb7M4C-z4)|$nZY%} zK0T8x_M)=x#cY=!&fJV}?9DB|jnc2KwFBy6E!XVLji&%DY+!Ewf5b*l+Ljd5cx|6x zhg}K2L9Q$r^s6sskwx9^=GptKk&bugTjh=iz`COrQ%_vywE}CJhSSDPd*ER6B!aOy z%&YL!-7g~Vqd}=GQ%p{A#*2dFw&u-AT2a2aM!lT0sP6pj-(Qaez@?O~XR0?k-Z%N* zN?qSyE02B8r7Z|dwUv{9Y3i$}UZ7t&ge+A)`1&58Sz_Y&CL}+tIG}t}X>NV^O}TvI zePKfk=2K1YXhjv)8xsxt%t7G$uqqWFCl?{f1umKshv=*q&n*cPU@tIHWEm6GXx4a| z;SsQYuqZf;?!I|+^1X%kWptyN4*`a%rk`4P${byP6*(JKb)#?uA{B`e?mt)ZNyZu* z|05Z(?u~{%o}rD^smjOuRq-PBb0~8hX|3J6OV>HVJsLgx5?JV5zW_|`r%w!b-OlF6 zdy2ngyKiommiG7e)qp>pn44Wp5B-z~6kL-{a46|msxCWm!ef$^KANsH<-Qq@Ynii> z8oVd0=k04#`&aUkdrt{jME*RSmlT}i$`b88eQln1Y)LL3M6S!)c$2q~;H0AGRrB!A z+0z3malY@JyovQ}Iy>hXL(hal3rMLR6^zw>w&BA6kUfl7&m^O?pOX8Bb+DXUXxm7g zO*ENOG8SxIj;EX9n`qR@MgnHD@SIExXWe_4mYMz~)u?~%z+3E_k_So5Kw4@6F15Pc zP=<_7=Y`k>xxhHNqv}Y*5x-SR9ISed#m*Q%Y#%J+K;{XGlU9l*a~wGvzgT{@Ld$Cs zs~VI#SU8Dmfsa2YNi5?#2^*2w)ZqEp6T|C_uq%0Ln3@o*6q?5HAe*yDfiQ{US>Z%2D%^Ru|}{M%kN>&pM7$C13l2k3D;gA(42)9T+jrLk1DdcJJlh$&XRQ<>9vrHUjX<|aMnVrL=-8AW>*ZWV+wj{qTrJP&Pz;v0 zkyaa@g*U%1nEZBG%{6XU?$>Q^PI~ACtRh2W6^fM<)~6T(l#~0{UCG0Ef=AvLD3hu= zMW(-w=yElB2~PfW^SaZ%A<&E4bi7S#tjTM8dj`F*@V{ymvuhjFsV+MVWsPZOb$|18 zX8v+33+3&buz8I@V8a+%-(t@Iq$sW8Kex+k55#tgOL%%YGG@A$va=`L_Z;idBwfNO zjZ@E11%u(Zpb%YI8C4ltZ2Sk#JiH4r_&gTTkF2N8xXE0{&Mhs($qIS$SF6$JFrm0+ z;5y3?6zMQb;0n^7Q&t3my9XB&7n27yFc1Qb=wsa)xeWLAwCKOJ)Vz7e{>&B*uqJBr z+nfb?0NVerKW)cZoOL1!hAYyF*9_-hk0PZ~o=%c?EmtI)`d%e|uj(`>UK~MA9DJYq zNLx&L<(+n9fjwA0<0bnh@5sVmoj=C(h)14GVs1suC?8wFVD(pt@+)1pE7GNQroxe? 
z{k6c{g*1xC+MKphJfo39iS;ERuia--PbVMoijjr`GZeT*gL_uLvJkIayXd`ut6NyS zX_U1uM2yXLp?ZU@Cwts&JgD;tPX{-d;+IP(?io!=r#sbw$wFFs61~xozzR-e%0B3hg)#EG7T!D_*)TYK0J%&cQ#}GpEF`){+NC{> zt?0tXLLmZrCZ(_YLt{r9$+zaF0%=`eO!b_seh`Ug-ToXo z<^6W=(*SC(9(~cY{$-3jdZ{0XL%AA@`O^6w9rSmb!wXs@gB>&^t1XH=0?qDI^&t=|se}q1;S1X!~ zEHTJ;*J}S0py~?>c$77lygN68sE7;3b67JH*|NcRm}U&bb~p}|8;|$+MB$96P`)-Y z{`FM;Hvi7E{@wuGIE}BVL42_8&3O&ud&EMGY+*+FO})Ct$wbiq7|(yRjuWaQG@6 z`tS5wlAI#5=F*Fu3MkT=u3YtPZRNJ7i3<_GcRoE&YjQoEsHE1*uu(@=%Om(BXmI-q*X7EWIDK8J1FJ7nI| zjLS&ESb_Ne$X4#Pw!{^Mg9_?f{mQaz?!@b=wBKYhIqMzUFF8t5+GChbmAqA!X|Uoy z=y@b^-A9+PFQ4b0rHI!Iodsc!!`R$!BS%Ka1y<%XDK=r45Ro1%v30qW5M;m;3y4~lr{HirPKj?9Gu+dYIz_ERsL?VKAv!8wtC?+HJt;fbVM`L{ zoSO;LQIQj168w^{Az^s#wx=GKB zclpcs1L%&PVV!BLc9UAeY|c|m0PT-dRMHdwAV!^hneu5m49EknFK9I zOHk;yTD`Uem_}SyAdh@RUimqV=*;wV(%B9k`mVtaoAFb~n##JOdhPZuP5GbJ94BLC z@Q0dD{%aTMo_Zz4P*6_JFq#-VMlObP52c!wd+>Z?-Sl_Mai0<7kdF}!di9(xU~icr zper)}>1U+kFO{#}^hI(uX!N)q5b+<7lx`Ce4`KwyJvv@&D+AB~?^%6(5pItY0k$DP zBAlC<78{jW_$jOXdfv>@n^0!>>x>|yL|N~r*870iR?awC3~&%J;_Z!n6Fx)J^lG1cXV+#}O!C+^2H-mW z(XFe9;%=>&$?>WuLqcFRILE zDn$>)ulxSDuIV!0$e@^kg)6bbLj?fW~v zirRbOG)lf!aSKb|(MJEu)$$pz7e==VfyF89LL!lrjxEj$_VuIga#Nods$bv)RQP;n z*KIAC@-EQYnV)J;H1wX?%c!+_r_4%HNh=Q6Q@P$=Uo_ee9@csg9#!S?dH_^Zst_4$ z{T@Ur&sO|)tG(4?3KkgwJqQiIqmn^VT2qfOnOcmv$GR329HIoq#azW?9I!!wR0Sg6 zBBf&sK5**afGxtb@?4bn%J}O87R2iFV z#)Uy|M#unAKp}z1=d{y4SZ;u!&u8Oi4{M=_|DwY4ac+!BE?b6Wal8Y^HxW`3PoU|g@Lfc0+q<3AVClWon%jJr7ZuQ!O2Rw86Bw=>-IG8H2F+pag3RZXNQKNq`#QPZ#wF=iq4&~gY@Fqt$vfQR1 zXrsYcUW%J7%&JAKZ^xTtrsM!Rrvo91-!B-70)mX*EDTC#NCXFiE*M7w5LIZZ0vi8& z+9m?hI7$y4VI>0gg9zHg5cC5D3YR9#&#EM7>Y~T!fzY9XQPD&Y zmwI4JDHw!4wzAT37=TY=10qzB!~gO;k0Szrh>~Mf*6T=ggDXn2>78yyn%xMO#P@UAfbg%ElUB7q8C6u zDl7`BzS=g`VB)tGT*<(8;_#4NKB_oT&6qsxt-w+JLYS*JtnC{)O>C$&I122ZiCn)glV%sCjY zh#sOqrBe(*XoS}E^uVom3rExeJ!0k|#=LtRSe@GDv9ian?&*OwY;z}F(n?lE73^5b zj?LDG4;L;iY#D&clTw$#mklKI=|FlJ1rDJb7qJJYodsKTJ+KZ>$1n8s4pmTz9e z8mnr96!1MO0J(BOoZapYB_TB8Gzk~)q_!;UX2wLO8}M~r_@uAkwCN^fC8e4y(zjJS 
zCzkwjwAM*5<>l5Ns_aK0Fu3Hv_+T=*TXf|U&V9_-49rjjROs}O)y#$1S5=J_A@UfD z=RAg5k0$VB%Zm$sin+RnSv%8=3AQEL5Y3CV{c zG(<3%78vgXo-tPU&C*$&Tj2-$RtZt_$hCt)K+6bNJ=B(A#89ggXlHU3Z}`S%mbYg< z*8)|4$Uh^%?{7K<0$OeUUf zk{X9OJjBl=7bi4L2j%njlJ*28I4}A&o&dNM8ZD@fwF>6@ve()Z( zd(dyOkC)lcuGIjjh*~O^B8KjEGWCrji+c=d>%4#zRaOLnhrp)8(N1~BEH&XmZfAXa z@(($gHR<>35*#dEzX?w7exKd#a!a00`#(R+_CKA-%4WKga=e}y6ZW&+R=@4#e{^^` z6w%x!etmaN0GRr%JUCoDx(sjolP3m9gb8jO`=$QeNuGB4pUv<1U+wHjdG81NU%s#R zJ-Vv5zq`HMznYc$GwO;CIA8$2Y}S@Ri)6sNIORUlwoB4RnWW$8{ar(!5Ix@BR}Q^` ze8s_jIkCahU)yV7{ME4T?~Af28rH^`(0<(S>dyux*{0*`miLNvdi6Lx zOsvwArR>K}i_eWxHj85FTYk(Z&7=C-f7tu>yZ?BT6fdsLg37SXrpNrnuWxS z;R)UkHU1xkTj>evPeQkqzt3hDXKXZbMsMluh+vKNL~>>D_xpuF;%ub6M;ZujW@vqW z)ZYdqFGFvASWaC(-Q*U~;`>VyUP*XuGPL~t`NOcs$f$|akHVh;wy_y>4z6Oksh+WR)*lpemxHGsd+>IU3aPT8yK6gNz< z3IU9OQp=*T$Z=T$fUdN}nD-$xhMmamtTj0|1csGG*EvwI`{~tesFJhCw0s%5e3}JAIsVb23gyS@o3Hg`cy+Q*N zt|C;qnpV}T+Ez?joD*iNVU^e4H5^E{gP0PG9RB3`ReO(5vcFOP;z9D~V};Vxe3xMg zVHu}Up}n5G3ad{^m%Ub3RVTKI-o<3NpU&@;xmfQJo$B``fGnNDad3<~$@aj=EbR~qqw`)t6-36F{!SHcyjZrkVwZt3s2Ao$Kz*W4pCeZiZO@#^z)V9X9dxT!z6^@9?^Lyy3d-zs~ZaWoi8I2J{&x=o7popY9 zhze*QVtyY#q7ULfa*PD#^*jryK)>!!`ra7!$PAjZ_#g#=3^bIBVegT(BNSY3f+ZD6 zv+{!J%>^NWA?T7JECb(*-`*F8#q6bRjg~p}?_AmwsQvbG=j<%W+ z7VI#ZSCgpKh5`8+t9yZ<4-5;JijqpfRU+UX2he)W*nDX+5TikMAep4x-=16w;Dxc_ zR||(r=0ueRK(yxGbW6u0dPlpd%5mThkzzTXb|@?C_4ua6=L8M z83id>Q^C8q2w|9Sv!IA~+GHzRC9s8NSr{Dhkk5m_CjXvTnkLst`q&qZ`e*YjIG3;&8Ov}&lmJMGPaU6HIrFaCsK9jm>JYV!oP1yjOjNMbvgYN0FnODj1q`|x>-4|BP{YM98J zjRZb?yvdh(y|RX_SGlNFI5XdMn8aphuM30%haDBHcqGZFA75=jvXr%pkj9G#Yl)B( zc2Uz4ZPNI6a&JWz@0esGuYQIj{wlk8GF^#N z@pH)#GC16fRIt{`m@j5gB%Mb&R2~?E}ZJ$q*){lw4X~S$1$VOsB1zJ3bt3jG{hp%>E8W zm6;9*TG$4Ft$(>h6lc zAGgW{Z@ux*^?m~YMv(UMcRY(Bw)%~7^y2-tG8aXS1&~L){yFCDdTP)hTz!m-V@%xs z)t!Kp;IV+zVj^S7CK;E;br)q@5z+*Cc|qu%yE!kRb*W0gCPZSqQdaXuH+$c;@%OHJ z{*Y_S-g>%Jq686+mNu@ZFm!@3Zh7~4aSze=xi2a7t5uqB$Ps`r8-b_GXd|kLhT!fK z!MCwNs`1o>)Jlb5j?{672H0~#G-}K4izyuv051^=MHB&*H0R_@GUxomBs<&Of5i8v 
ze>?j_oNU79R)A~&jKibcqy*00hvKv|uC{|uNjSLNKQoc|b&^hBL>1c5+q?oA|Fgod4SB%C$6a|E}@)2}zxY zLLJulrq+&F46a8lQ`}ScIsu609x^X1Y0Swsab6Eyh1+vv(|1-Em~?ZQ-mq)mc>s5r zhU@%s!*o!4xoyPa9X%&4|MDfpt)UdnBwk!*DtUU5>``7(<*X__a& z0f&1oJGooY;rY%O_WL!TV6o@-5zAA!f0nzA)JxL9hdaTfImu;(Jh`p%Y-C5*w{HA< zWQCOW7*9_hs~M zrtd7fk1$6?(AiL~1ufBs!Me82AX2=O7aw{aEi{F7k=CEc6McE~q0yC`f-OTu-*8#S z*jH{+SVu&6EE+pWPsfy!Ilb`OE-dVFeN=^cp~(wphR#4o`<%C!bNP~xU1U&e-H@#= zvs*OTpdvT7t*+2&PCjvt8R&w<8~5s0Tnn)pDL0t2rsG#Z0WVYvd$Z{_>PGE-Q#OomH)#!)$6sF!T*iKGQYSI-Id<{c8!VQBKS$y}<>m4# zG9&jH;@X5X#*#j}q^sWiJOpy^?kAD$@71a^Rj4S8pM3mCK$^ipV(MS$6_e~Yjy>MfrDAh3 zJI`88O9#)NAE)6zkh}YMBG*1Wq;jyzZm;L$I>9&K zhw$ncdO2{AJv%iJgs!uz+=cSN906tMJI{JU)HmEghH&(uCE92^GV>wZkW=!pjE15} zwRk$^G3Bptj$D!OIDoZ-vf|*VM{WPS!6cgR1Ts z5##`m=ZET}W{mf4I_bCStb&$Z{LZh;#^SY+|1(UW5~Tap++&T329t0F;cDUKZR>#|R5JdIuQ@6NJf36WliufVOL^*_+FehqJgyR9wITa`%&C z!Is9Ust!urP%tq)3yUsWWgt344itFA%PV7PDeyQlBAN^hZ2o}mp>SZ@b8BV`^Zo{` z1}-stB00<+nZW-vW4BUo4}v0D%qJr4c(cd_7F!tvRciErHDb&Y^yfldJsmwu!gFtJke=2SkC?|2ay7ywi7dEXO$6e?3-a3haILf4lX-w1+xf#@O!X8)fhNJtB3Jb&p`g+fXX4+{Z<0|`)i zj$sOBV8$Z(E)r%agqI3sIu;;kcaSlQaG{umk^SF~eHj`T_yogi)47+_C0Z@?iCJ~9 z6j_^D7ZG`_phT=wC|ITlRZF|uvhM*oL=+#T2j2F#QTKQC^VoLcleW_|m8asI0iuKf z=B9KsbPy7?ZAsiGeSbm`rWd2e*xKwMR;~KXdqh-Y`1g5P{x|X_8mz#fKHe^t@P_SW z8dIMS+V!!WsE`4X04NGrwk<9iYn=e@M8#t#gd>8_h{8Ld3dp^C%>Qxl`->W}nO?x; zGrTXSLS#7OJ`_Pc&WA%vI;v#S(0-o3q!5)NxApA!9FdhXTbgt`T2qx&3?$xO|3xT8SOMmA>~4P;y=ipI<#9GChbXEJ7~8XqK7L1{6RgM6PYaYj1C_ z?~n;hT(NCzoBn+Vdgn16NLOH0790=~%pY_&$4A4=AL;6-CJpZ~ZU`AXvOmKNPk}Ki zU@Gv$(IH~b!5e%Flk_8-O&0wD|3god)s*3pTkoA@!1O_lJ`)J&3TdErJ>)4W9EL_n zAIl9fjgE^3fzXPe;h~@aB-CS-c=zd1VujBOp;;AR4>fK51n^7XYZdMRmIba$A;qzi z@~XxG==hB^7kpmM7Cs}#*YoKP?hltco^~O4!4`oan&^O4q8@S*R8@Mqa=_bp1nyKT z_h0cYYrzmJQ9fuD8w#bALOGJovSJ>)?INmhXf*ZiR#R1#4TIswVUhiZ=UNe7-sf-I<<_)4?(naZ~c!)iAbO;(5 zFZugk5G-hFo-uPi_g^cCM7GJbPIO)vy@e$N&VlMY(o-aQrm}Hy{qzY(3)F#{{0Pel z#0Tz{OpOj;#zY0=CvCrN0r>Uro-S@=4$7dV znfb15P`T)t+}5oJqC-OokpWR!`p95_;L5qyo=U%fzuDgj&P~NSo2g!2;;Y 
z9b2Ma_K|0$%ohlM&_=Vy9FSJR?D7*??>-ik`FGlxb?cTNkb&f+A+aC~7)l%+AxfO^ zL8jFHm1MI{%`b%pcc+1|gq{x2x=L8jvD<3+e@4w(5E&n|67{Ij&7M&0H=Qb^&QckK z5z^7cC~dvi{%a=X=pwTRC%L;=5I;Oo2_1vJ?Od`a`{v|-zYe5oY@-UAngtr9U_dz~ z4I#9!KyaH~HQ+!i$-WlUbKeaWH%^GCtjIXvRY}`9$-!XI^T!AO!xhs!?L<021DyP6 z`YvA>QCTvENKjE^g~ZU~Vx^@S>0uA~>c&Gmgky2G`8LU9*2B_~Wl)QA3{*Y^7-M3n z#(!s@)tx#{D_BICU9=Skgq!lJPRK?Em9Tmo1x(l>xEvySSI3J{u3hs3qd{;p7PPrg zQfNI?`tRE9&M=xs8`M7_4S>u|rPgJmV_`u-vC>o>k06?;3D7X%I8py0qFjftaLk14%W0jU~5E$0+}_J*EfH}H)gHeEId8UW(~L1AX7mW+oRw>ikG2N{!z_v7gMsM~zB5}$##j(86o#uS0*;GQ zS^mLfD)3K5{m&^ms!~-B6@9Prc`IySGZ#AlMd-w+sC2ULOEC_O$1 z87{&@SU3n5;YRk5fEbmEpFk)}VO7KE!Qh-Op8vzRi2H~VVb-8%;2?l7RT^V7Z^uqn zffoPJbh6IiXC`a1IfgW|cB!=n_lhD#>Bc zF2#nN*#K{kd7WwyUBDBA5HK9h2ty&~LCAoD5p+}@9bcXQHJZAXJvxBWuK^bqSV;>J zghI&zxqD?FfGb0!RFc0nFOLdFm`TD!sNAwK6O^S{!nHx_SK&U76dj$|9;<&gm9w<2h=Esj%uuj!6W2H z(R3D-c%tA7p$H{_9c_aHi74Bb5jtWHR*l8{Ul`IlCRbyByvhd;cp;3UARhd!ot};s z?u03cNly%ZWJe`y_lmwwgPzcQp~}Lm^skGH&T7Bo%iG~n2JTF%tDmC&i?iH4TP9_4 zhsIleb}#m6SE_#aH;VEy9FJJ>k#d_*QB$9Yt4B`r>FAR|8_S!`I)j*0k{Ah_k}K3} zs*+K}cDj0Qi*(#{VmTGD8*1Ifg_!9LS`vC5amyuh#dm~J!v{PH1InZ*#PLx-kQweV zq(Bj{|9bp<6I>f+;0BDLuacveCydnkeBa)0jC#*q>iX&S!W0hN zRpENH-b-$mn*5)Iswz2SPX;}YL>e6r^t9uS)Gk+=?^`V0r zb#!OSBL_~-=gPv~jFP4_f(p`bGeS&q%pi_*LKPMBJK8B~Kq&`o9GiJ&pSd@y`**wV zjwr(GZfAavFFSYd7}}D~{@Se2so9$h5k1{H_rL0QExvO;t+;jG?0I&0*L<`^@sdp# zmEHw#-JY1xq;CQ)pL1wA>T7CxY`rw>I!?wfB;*0`s=j?vH*I;t`(g0jc3HbQV!G95 zI<2!+oLaur&!9YAdLQ-3_oz=(JL<(@&Pc;R1rHy^=~U$l2_Hg2rPz4-=)_p$4lTvb zU-viuwUt(%+dD7IYh#tAJHJE6#f$Q$Mu(W8=SJP_H@i4~SF@yxp0n@DOmBYP-F!Pz zG?BcUI^<68`V7n>|KrDLN{oPA`x&P}rCFh2NnuPXDVI@$(^}W};pDr`M^faJlwz)1 zBlp+Lgg*Oe(q=QdYLb=qgaLCT8qUdS)Ze3dOsro)&{|V|c-*eJJL!LWTR_{MS$z6k z$PfkkbANZ*t}_T7Ac$Qd2K-h`_J`fMO^FH{lS`R$pM0_kAWKkEGNzuM0$JJYzWO=p za_k}p{>Z~6v!+3S3X9*jg-)?g=l*?%ZPHBMxc87=4?1$*eH9Z_a@K9$$aMGrZ8+@P ziBl1ybM-vEY;`N$ab{t*bTJ4W$D!@QI;8nC8?dEGzReBSgxg;SVhLhRO?9eais{tH zCUN!urd+F3iuI?*R6u$aB6;lu95)+?S^97MreB-RKT;>-_n3?(r(hsJU=YG(4A=Y!At#Zk|mLG 
zWCjmGp${*v8+)d)TPYV4+&i2>xx$J=8i64Ajf{hFqw^1hFi3Uf!XOj>ohS-s9~7Qi zLc$&FQg^I1uF^>AOuz3@I7O_L&BgH{sBhi4P2~z(l1t^*l7b$w0f)2B0 zG*Y6z!03bcJgduCqvRzcN2vlIGoYfiSw+Q1()j;37AFjq@LfYy_hMqOh-`MH8DVr` z>C$SP5%00$<{v+IVTkD8uw1`@Lo5gx>I_&_iAz9%Az#Fc{};;($Ed0Clp|+mtmQ}q zYr$wMkH%9%qf&9X-lx>Od>4R8Zw?&HsHy;OTYA3q-(dP}^=b4Kgr1(h_(=dYN(lAS zDGL-H7nC+`K^&)D?^W;Hizpt+lxNXZRoEzj=+@=4{{~e3cS9Jy#HoEJzDIllLKxN% zjczy?YOZKwv&PwR{sJ}61I3|fn(oc^m>ezxW~Vx)>i9a5V3sLJH96k z^uK)KczMtZ#HsL2y78xHy53lTaXC!-ZbdH0UDrOUTd~JQY6$qVHT}bH_Kp7(kK{b()u#366k4L2%A!sHN57C-}Q(Zh0HtWYp=uT0+V+DHuOj_C68(KORhX zh@Nhuf*>@lC!`OUE1|qRKw0Tb(ab?a)JK-Cp$&R6mE(cZh{Yi5j#K%^n!~g+<^z-r zl_g1BJ8I*;z5^C+>a*9q)%ly%K;WvJF?Tr~c{l&w1RQmUw7F^^bwCJw;Ed_RQGeg) zISVr%L=I@2yRc{mH$8TtqECWzI<(9^tJa~K#SDq)0AnaA`uW) zD`p)W*7@jv`p~cntwOr@X53pqj7++^E(04$59g<5XRiU;a~S|vJVy2E?G0zjbgx$Y z{FXNWso-e_6cAVddT+W+mp}3_-CWP>um<4Tp7t7X zww`>&!OL;iMW-N{{n&@4O~$n+2_nxnw6G>I-e41AN=FhwmXIiu<#dUcCZaUVr{<<6 zVBVP5(w9iK#*DV6efF>9@dDRtZEFiIK_3tt0LV}wjfaAg@(dtIUkbR}18;ReZ~+$d z<;~_@Np1J0#JRJ;5C#}=o7J42_X3Ojqxy}{z#8*t~o*efYNT57sdfLXFhoDfAXXby3>g`EJ zS*ho&vUu)A+S4n5og_W@Z$I!b0gc|!;9+n7bWux7OMv4Lmi}b34JbC?QMj$R%;*9i z_$T08NqMU$U}`31tO1haIUp8rfK=+{W)*9cpF6P&ywl;_fuB2>=bx-=l}G}{C;M;O zCFZ?(7XW=E&akwxdE#T#0Ukx?$a~9eIZ}+ilxz*!&_X79eWAZ^++A|&}FCs&vJ&+3PbFo zo+AY85hN2Q@h`h?pB4HevpBW<8z+YwjM2@$(A{Z~Ue}+an?(rn|4B-0c9%f+zYW@M^#2D3Jf| zx%K74S0-Ig&?+%eQ5S#zwww*TfvA`1+?>YvHOrAj13b(FU_Jg!;r{@>*@5ZHa!mZ_ z%=hrO+;53y1adNK9ODCMUNbpHr~s>K%DwUAlU}OR;0VkS0O`ROy#ASM9%!yCG(skC zKwQ=Z{Qw|`TLD4@4DuBudtmJ}pR_Z~JAa3anGC?84En9jMMWPE=W9%F#ph;VEk1sv z=bHnBSjg;GIje_qu_=>qdq2(#WBu!yuS?tYE@D^#;PBjvh&NV;Aq!d)JS?w03MXRE z&QS6(O~t0v3u2cjX3FgU?Suf4&)a^p5Bp9Q{JEhA&h3=|p5}9R`S7p;^%>*o?oXgS zbbCa?B%NeMX5TM|-j>7M?`AxH4B4;%aqID5^pPO~TLavfkoWZo;F&-dokk@wf${q{ zfQe`ZR1M-6FAh#Ju4OSu1vGeCS2z0;v}>*Dhqi8>9u%;%uWEY=kz9}XPY^!PB;f%8 z0m`CGY7x(ntN~|O>N#i~&+C&lUS&Ru(DiZH3Npp?ZBII>&1H3S^!x>O2EV(hlxkzyH}uf$+meh-9R`lnhhE^3TGLRot-v)b=4{;t9nj zd^;9%)CPSFLc)A!0pMT|5M$MnLryPtCjdw+<7UVlP>dPB2~T01Yqt6NEMLQZb9`ci 
z#0Xw$B=((mh2sJO>;pipit`VH9$+224u)cr^KSg`#mC6bC&(h5+J^d?Iw<`bQ+3(hNxAep|S!r9bg#zNj{%%1AA|NmJIP>Z9_`H3KkRfcJoc`hM2X zC1wI|1m8m>CuiU-*VEg5)sKv9@JTypp06IoU$I(*fH@}wP4vfx&_7xCFY_L*-i_>8 zYaWvQ?ZqxQ%a4hHAq1GjFLIL|#t#1!tChU=?gt32Hb7Aj0Eq05=3v)cfLff@8E;6WmOZR!hB8EGZ|E%=%8#rr$(BF9a~LJQ$$AV7`1 zB}1qH{EVmH=6b9FtQY`L7$Nvf|HG$b!2Pgh2B1V^d@ph?pOC}0^FLAAWtm%4_tZef zBPAjN?2e$NM-ar_fxVq|VJ9h^!)4SXfHh#d1ihn4czAf=QdP>Y?V}aGk-?Mw3TSYE zD~S7^r7aeMvpGivg97(C%8O7wo#$?XyGK65RiLdW04)}oyeDiY<$?8fi5|GHsJi>(Zf5+Wr5mgSy5f0-2S za4m#_3{UAwQd}gOEe~<9D$4&%$gs()!~Sn-7b|aj(R>GfA% zO+H=V<{ofu0K*puBpz&h8itDLQtc1!vYJFKRY>jTLgy)L*a=TuFNl`5Hd=<~4*yEH zePLX&;@D>tMn*>9w+k*6V1Fg`@m*TOB0Eu`CzwzyzvjxyN(-@+Cng`_$*`SowcNS& zLI1Ww`0Vcox+tx$d=o z2kW1l20z6_UiT?Xz;!sV`@gb(rVUh@ubS(A{Qe*11*z?Ri+Mrs0d%Qp#cl@r)aSWF zV7B(a{6nc$4dAGPvG7(+IO4V)Nl5Y9!0_t%T}{JbqSCS`t_ z1wH`q#Fm~{fmm|A0Yt&=khxG$AVf4*b*A8(ZDY|%N47bKe|IDyT%T-dsyRp`uI|zt z7aIV7r66!B0mRc^Zg@GmdwR~0xYf516fsnEBVdM(tS{tsbTBHP_P9Gb^vB{^M+gr& zY-H@QvG*bwG3PQoIaNg#Di0GV66!H<`A6`z)c$F`?bwzbhKU;fkx%Rq+faP~sd96x zYcZY!dsc_I9MdCP_iHKq-vN+&aYMu0=dmYI2B0)HV#6Sgk7}_`4c!6y7ODYIOJM55 zLzIlzeI95dwXu@tbrxfk`~p-jZVmm4iv5pj0tfIHu);R)pZ_h0B`=~0BJpEz+AXbH zCh_&TIILskQtGu2O9>0^YQHiu(g9j$G!`2h8GDwdSek`3?!WToT!gv??nhi4wwINO zR}dkPWs-h=!v0Uu4i+97@R|%ed(u?HNfcH*|b1M^3@T@QH@T#90-D(jib~%2HR7`5XmBF8o6m7azKXl5Av}YxImEc!_o}h0rL@uEzx1XdOGOL_?b24 z_p`qYYSh+{PIX=S0ap_q?`wO*i`V6lxAz?&-ESdaBO)Q8HK|C}NYX~DKxP|V-uNGT z@9@_S#=I}{co}(RiG|#S=bYbX6pQSQLn(qR<=+)J=0rI1cpqIY>;;#D%hW{?27}ho ze$JX6cdBGU({%;r;XjcWe%jXys8RW6HtlH1_wJCZ>gmCQVvhXy^A>oBPq?kyzxyx( zAgh`3sYq~H&lVo7RvH~rU5xm(ZvGzkosJV z(P`L&Zve(u^@Q~=fU+gUckM@0lQ;zMDbt@<86Mjybf()tr#*dk)dqb?m8izqb-o3v z0olz|srD5dWFeg178GtChP^<&&RH@`iboT3S%)3}1`_(8oC|VXQ9QPIZO$-AbSB1c zJT!&N)lB@TE^!~j|MX&^zV+U;58}n{AfQBOuZe#y2;Kg+dD59DyRW{uIXy`vj_A)4 zMTBW={0T)Bt&9Q&*#PmsY5nbJz?nZ-Y4h9YiGHdmYpgyP8|N^>oaB%_^er>MJPm)) z(jV5)7Zw(PJ~@6OuYm$W%+C+%vWRjY@pPNu^RJBBPl#_jo+ldTAh$%*M0wkdZs8=uwzP^61l?8aVg9Qp1PbDgNyrfO2DkMtl%|}g 
zG71FqBXCiG1_vsz(Qm(ioo-p%J1q8*Poz(Y<)@K_3D6Ty${py_r#ju;bgl)+tL5f~ zy1JQ5XLlgz!EJ@$Wc7dq3I#&0M7{KhxwUehe)TlL_(Tu1`5p%>IjiEQ%QPyV6k9cR zY(a+aZDXIXGLcW_pSWTv-+J`3HRR9-roI3oM-p~E*P|U_TDRTusd^V~W;dNr6xTgO zFjVZeQYdovL zL0t=G8JAaA4V;{+KfN~V0)1%6r46*Ue?2fCmLSKbD~HjIP@=baVlL7FN=*1g)rDXB(}6TL;oW(^2CaQdQ4` z%HA_0vaM46wq;Uq=wg7g%$-~;JA!m-vzp4SyN#1v{5cma1wcE8$arUX#}G2!|Hbq% znHyLs)UGt?bc$k5cPC{#Xe@ifS!31#TUNq3{S4v;uvpd{ACv7h3HE4knv>nWw==uCrYf?E7dhJ5l20W;q{{O#~5e(7u=e!Q< z@cwEg>S_zLog=UJ#@IviYm+v7uQvRUS8K>x4WW2(i-~x7>v$oUIFOlkZ zLh&)GIA~${^nwJhlBwDx-ZH!_5FtP5d!IaZdfs;5&m3x}bNYBS#iR*~lqC2{3L=g8 zoE4Xem`v5o;lG*J$$PT|{pQEpeNcN^TU*~R?g(+uFg7~Ajv<71K;@6>qNxo7>!y`4 zVRmeUOzDritDUB3a}KzX`#6D7NE_mijj^tJcgm^F=? za|>W5Ev>AyYb@2Mam%%8_5kWl7l48%zy1ZY2=;&yD4WCt=FDtr{)(0fpJIu5Z%RMb zV}`p$l85<|y>7HPgvR?p)#F(`harTaxahX&-9nI8{vKhmrfC#RyN-+L+oi#oSo-6wkGNsj zr!a5}2$ZV1^kDiKo(CQWk>}56Q51p~K6eKp8PLsj?E)57y}>jCBW)^)zUvQ`F8`K) ze_94fAS-v>vrnrCN3-8HAj{PpZ9$j0Ix`3?e0+T8Hp=Wa*4F3%$}!cdcy-2UGT`Nr z3Xg>o9>OQn^_Yl~f(#E&6A%W9%vdX?82$Sl{dA9wf)q5u+3OlPrT}t?Wi?_RKArxM`~Wy97}1E}Ja; zA;6#lkvy;0C#)Two;K=zkqo&aY}az$pdH|$gs9k=GeuAHO0$s6c76L#>Z@G!)-gLG zKdqTf`Asw7f2f&RCRsRNs>WDb<}a3qx4^|p7xK|+vu+yzar(QE&x@yJh@&m5Zs*Ih z#IALmF>&~yG*+>^I~6SK>Hs7n902_x(k@QaZE$}4AbfYT#a^(Mk|`X5?0f>4Z=fnn z{e;>4>NJF(Fve^Ab}Hi`=hN#lb?Eh|F{9t#Y6pc@`<-?03rdHBR+g4v^^lVCiJp5w zb6L#E$L9$qld(0cOk{vDR}J$_i}(BFZN0K|(aJ(mLsHyO0!|na#m$_)wqOIDQ2$P0 zP59@dCAy0H(~M=hiC6~VX$YH`eg(c?)usQL%tvawTb@6DbX-TWdw)L#6}Y+#^V@*k z=|T8BTwb(2-4}eb%-qv@Kd|6;wl17Od=AZMQ(8Fh-@;HZonZirb4Er+-rn~BZ=b%? 
zP`1y55qGrJU>^1SM=Av}m9!iNMWF9g2H94eJWzv7P zHCW(uSL}7O$NkV^?Q^jKWrmc$hmacPlGioDB%!f4xo~A7Ij6TB!u4B zurPw9((XD2r{w11>3=!Si!JUEjro|J~y4k~-HS zkP~PiHDwx{-HycGaW1tYE09HWXtsPL4cg62D<##%&OWdDU%-E-TOLf#B`q2st)3XEqL?Vg&J{+7s)hv# zG=yv)DEM-@J}!1`oz7V{|2xeK&Ki3t`F9}FQ~h9mO~s`}VVkU4ZAk@oPaV*(aItwF z2{gH|&wKvg>%&SQwGgFbNfru8$4I%n)PHB@CvT z$3BuVPu1-G0A}DU5fU*L4I2yEb#D-qW1{3A3OJC)TH;Tb6eF$Kvr$#3=dMz1tdO)Oc&umX*E_Fg{u%C1H#1Y5m6ZS)$so&O zIfV}}YBR4^Qv5w9n%zN$NQp&p2b>R-IfM}+(62J@&HFL9P-`Ls^|z`j82QxPHQFp#~{!kKroCay8*WY9eAKhhy^(V3i|hL8)Zz zA#xz(`B_MRAfQB)m7KeYL=H<)@qU}vbFS@1>Z-JElwZ#6e%q^{y7<2i0(eaiN#!qj z+)pa7Z*~<{IA};kG8Z9%@G)32CsYfz1QHm10a)-|2TY9)W6>o>5A;-epMP4A4wHy= zWYZOXLLJ@F|IP_Xhn6#wK`Ut{|DVbzQ|R^MxXys??L&P3UV4n4%PJ6s5K43*vXdZ- z2P%dDa+2j&DuOnr({Z&Lv=x=t!XaO@Q&q8!RSa>RaEMr_uqv{;iYCAk31(lJAW}hN z)&E^`@k8&DAA-T=*=&)Dxno9Uo>)#sSTHme#VT?BB1NY<)9f@tlDoOw_SCE2=dJbP z+ehy~VJQf9GK5u3uFE>fX*b(%gYD{KE^_7J==a^S+aSNK9$%^2|1rYUHm+k3p>?$B zw`-XCqwbIW8TV`?r-snHKN&g_qWBny$Rv~3kOtLi=e2QdLdM7FuFfk@vw)cSP9DkS z`*+iCsIepGBUlChuY(A5Cx~e2|P>e8IJH*P-wkdg1(Qz>QH``NLntf4BqSJtx%+?Eh@G zt(;zTKv&!#Q97iNNc5coDagw5SRre0;REroN;ep=mD<%mY{!}i7(8N{R(0*|@U;Gf zqsjZ@O1ydGATH>e#>VDH!VWi`PF(zGFkui2KM_epiGza-$V^w$#9-4&rrF2Ccx_NJ zs@1g~&)7XiYumXWGs>=9jhGH{TK}i+-szTt?y)p$ZK^4xgY_wHW1 zV5G|!4iPy)KOQ-N+=Pq(LXNSH4{4WRq9vGO^xX-RJTB9;ALJo0>4KpqaSTD}v`yjK z`YJ4$j2`58r*A^`^W~dtl&GCH4=G=lkwr)LSwSC5nWY<6=u|=h+w%ntY$6&5+)bLk z_w9z29r&y#-tM?Y-bCUXuj;+WqCUUCrl5eGJ0hm!Vl8ZU-Kto_sf@!zS*KqQc|(Eq zsx?-e6Ad@gu1ve)w~Hkayf}-|2HR$%G*vrB7(DE&lV<{$>9j2HaHnhL65cog$(b*W ztTMpHw^}B-7nC^p$k>$%2+;YwPfq?zDrb#98kyKzN*|ff3AtPfRP;944y2#pYr-ppet()Eo zMhoqblbcJXk#tZPKomp)N986)Fz19rPy@5V%HExlTV9y(_z2k8*?ysnGYFR`<6&YI z^^ZatH827&qL(jk=7^UIj~O(!CzmWpFy`MHS{+2@5Cpf)E7^Cb%%KGJr-;Ivu|xuH zWT(s8Y=%7wR#*Tw(JLur24EH^BS9k&oXcFm8AOJVVvJt+Jj zs0;6>u+~eg1-KDC9_r)(G;WyQ5J*qxjx3FM%HT!{+77LJ8@^6&dl)kw!yMzsok7=Q z9NsRuAp<~GPkv&ih0Ylo8HKJYo;2DM2fuZ(Uk&PFihjvcRw3JpJ=z=mHs`r}Qtt!W z4ttv?ajT(g_)EvIJ{O(P6bh55UaZsJ=F^Gg+2^OUMl-)o98;ZcqB9mk%zdb1h9a7e 
zzQwnAE1hDbP_2az&k=@%J`YF6=8s%V&9gP4uSXn$B{FP>;qAgmP6-l}?lM|Qh_1Bz zj3tf*j-+&mM1jLZ{&5Fhu_omi9omJP0z|%dlw%wn8>hmD`eWVtbocIY-!-xuOs)(r zXt!E+w%eeH&(O+O*4~Dmu)~BS%bm!O?>uX4)YZ@R_d&U=Ho5;8{vb-NM^r;|DWzP7 zk4MUDf{Fg^o1po4rsek~ld-@2?p|4cCP)KF)?aLEx$Y%f^%qgNzGun9)#>8#6zd_$!Z$NPA ztX6MrllqEz>oMh=Zc9j!$M5wuwco&^D}m;_5t^jym4?vxE?4=H`AyC**)q8r=bal7 zbbbk4WUI5|kv^H>4~!kXp{p->b?8tKj=xACFFObNRohWuQDB3kR_6~&8_^NMOzWa@ zMK2R{-Le)#Baa?B8AaB*8)uQq4q79Z53>uZCPEABuU+j{T07=2T`94QyV!lfE(un> zlYZ)J`+gJQWXgK~@KZ@9V)oZ&Bt7lRKTL#UH_MT`TZ3t{|1hS9{Yt5}A?j-dsJFVu zRb^}P^jWeE6z?!m`wSx6B{s5R5G&NXSEveD2H)+7^G*=(I~EQ#ccM9sX;+^R8gCxV zq1k=s!&SfP<82BKM5BHCiYZJK+0N%BfkG6VImOI!#q}p`Tr^w5t4}B@w5l8Nue!hv z*?|6N6)Xy9dT|#4-MA;JP-DB^M$mrK&PEb6&0~LP?rN%aUl+yg^ciR8a~!g@H7oCH zbTh*NJt~q}}U>$zFuWvG&MYZs!e zyWm(5TVbS0kPIkc;6B5#vaH?Mc#B9|H}?e(R+{U&!bz3JEe^l1qK>!1$At6%}c^!|~RTo6$HDkt{|aWS|;5F*Ke^ zC~j6OaKU4>PMBsymfCgn;tzZ`T;{jGo+A>y?r5E<6bVai$p31URCSCtgTfl?(@Km60qee?ryJh1RFZp!3QezT?5^x@UAvjxORw zFxfY{;#Z8KivH9j?V+o-E3CD7m*Pt9OL&!6=9OG8u!Ucx(@Iq>yvuHoZu-WN_E{kOX2Y$_5R&k!x5u#n?kRFx?&1!At1Z z6ARpzxi_m{z2sa$_x)6?T6C!5+9WyCnFdF7O+f7)>b#groYrO3t1GSZ3Y_4XO$h72 zNTx?u_UE~O*G`Is*r91jPE#MvEfpB+Q;!}F#c{1Ej%0dl zT3tO{X2Wo6;Pyr`GG_a0UE+zFQgW9N_1JL5gBGmOhlW+;BGprcB1zInF@?%4c*2`1 zbH`=kj?HKNUdAZGstLj7Qdpmm^*fbvdGD1`jDo(W85Df|uC=a}|DxiJeK6R{FlS*m zhL3#pDY(G!#CS#Suug#z*$9h^DDKe6TH8EuTbbw0X}5ci`?`6QFol^|R|0wdSExgl z!M-AoF+G<|%Cj^#Oj&B*n8%@&dsF={b%)uqj9YSPceOGequD2typfsq7zq5Y%RAsV%zflN%I}t!{)vGe( zCpJ5SQHc5#o>wDlTcqv%W@eeLxvKynP^(fukIfs~7~W{$Z$Y2rnwOMebz$FU3W_@b z<)%D7`@_6)jZeU&-TLQcPgYb+6!tmP?nq&Vgg2f+^nyf*y?q85v7d^)q`1I*85(!w z?Ua;WR`$-!5e3r?$snKdDm1LH80N$vw*QA$^eHb)P-<#f6^UkIzNJxGfKTN&VmVxT z4$dIPx1=$yeC@%bl7758sS;cLEJi_ zzGF?~4o|0lS<7BnFiNd?M7G_FS$Eu4c|$N^+nBO*=QV_Yt0XPQQ1${Vw}ENKddH9k z6PcI;8v>L6EqE$uE|epJJ&iajSjPGxQ}w5}f_V@{bdP;U6jpZFd-g$zi0|^Zj`4)6 zsxukBKgxyERc!|jbKWDOb`5VInMyV??4!$7hzdw~a2`Blq2jZqun>N8OT*_k_`rfz z5U5NZtVX9ar7nVxC5K?D!0v;PuKuWFL#fc_?Rn!zrUxB`(%QCmUSth9r38y*kZ>cz 
z9W^WYZ)>h**Pd%N`jClT?K-N$TDL+}<_-s%ODv~`f+y1Nh{HtidxKua|UI1Osu3IT%%f5YbbxUuN3$Evl^D0izR}?@E#UMhM=>>vC~O(_U8a4rEBzA1WPM5*7b|Qv)kiPGALO-=Ru)7J7c)i z-ETLqR|Ma4onfw>X1~8fP51o=jgWx+-S7KqD(9x0uWXyQm~%kEu7UoOrTuG}?4`}rOZ84G{K{BFeU#|7d z{7s5lb@AWaeM3RPslS>tA4+>kl3*}Ks9m^piqJ9FQAcZ+iB%>DJ5#0wy}3T0bGBa2 zFS^7)(njq{Hh(=XYt+0)ED}OFGbvp zsB(hGSIOc z`sqn%MMVsX8(+xhmuq3F6DBRC3QI18ez5rNgN=ukcAd)9UN@P*+$1Fa+pl!osa4pv zuTIbP@M=_WVzIV2+pcDgxcvmi9(5=f9$DG8t)T_#>vvVKyS<=wG;E8#}@B{kKOP3g!uC| z(D!mWmxpNZJ{!OJep1KgtvX+GNc2K-}1kJb3CTGvE3gVzHgkJI<1v! zb?P*vMr9TsekymKeuEd4tmwwl(IAH%QMTn3tP)6GEDpdELq-{tBRkw~on4;yj9bnv zxjJg7SmA~%tp6)Qy)-cC=4J$QduJtO(9&71! zk+tJg8fuxr2$pzWb}VXCI)X6@iM|wGO(Q&GnKq@B7B%M(rpWZq0m%~PUCq?HFW>p& z<(QDaC08bD&lGtZ@mny8>b*hB=T=CgJ>AJHLb=p%an)<}kh0>?9MaFhk;S-!!EBXy zM3Z=02(@WKOw7Wwp4njyTniWF`Rp*S=-bWeV!Ceb`Eu%-@zQ;FT>7nq^zHpgv=@vz zngoi~qti^Uz@eM%?Z-Q|7WN~&LjNox+CB;Fui>U&s}kt%W7SHFwOsz{ef*MNfm%{r zQk1HGRV^)K5-`dASFaS)WpT1c^>&ysf0eX2ICSbJ%3?%~Pcv8Ih@}PQBZd8ahp<)c z8~jxh1+GOD!+BBS&35>~eXF48ES(O($}TID!L}2=;o@S&drr7Gbw*-BIL9%32S};P_{jbRl^N(o6JnKeh#4 zzbr85!h#`J7x`5VYpIycrUrpz-%bzWgxZ&Dlk?-6dWpj^e76-AC#PNZPUos!IwnWXXU?Z_*qY5DqFh>- zbq+}W;a8Ll6wk6)+H+M7ERv$g_#DMQ!amoo?3rZM+MYwQzr&?K)ZmlMKV#^mgpJ_w z;#Pet_8w%*Eg1!c{j(nhge9_+NYq-rQqO9QyAPIT%MGKrR#JbD^SJE&rs_QBK%Gy%=3K>6_|zx!p!4vi;l0shHmh z+EhBWl1TKiks`l+5~yeZ#wS-}JX#*hk&>3pTv%tXc-N@0U41w#hNSXBcY#R=qK~YM z?$kbfp*i`$yLabR{)TVrW>`4lxNQtlUF~aA>wV``_GJt!Q`~k56~Z?7=m0&jtGinH za#Iq~RLss3pqi{$tj2y77d&_7kruddpx5A|o@z6UAmhrbj3URrx4T;|JanbMRBTxTV66B-zYLuaIQM_ z=Mj}%F71dvyB8M|`@_GEE)73)wR}^IP!$`V#;4p=MHNj&&etqfR(m5yL(lF){f48$ zZ$bivL`K#6?O=FJs6dsW@^fyn8Fu6Hc*|4n4$RkZVK0*2Etpjb)juPq@OZ}7KDX)M zWp1B;-TCJ0n{xjI{SyXmwuWXUdA?_Bs<5~Z?y&Ll8u3oGx(YNG4r;Payn>?{j0g~3xSix3%_@XR(!k;qxgR~i!a zXyWZKxv*1(h`LsSFI{+*yTlMfSP_S{%1{%n?Zc7}zLs5VU^&EK5{Od3)w3u!YkrW{ zaF*V6Ec&hP`2t?8dP4^DEr027&D(czMaYGXsbbP;zM3(@Wuf}9FPtFD^F$AQr~I5l z?bn0v*}Qr6E80XgD$fhcF1Lymoo#+OUK_|gG>1y=_`2nAv@iXHnzcfG-Ois4KA^H{ 
zM|ZOjyBRo0N1A^9$RwGTQ}j`-M$7PvdiWQ0L;RXz^=eD?_a#|3Z`)fWn??~TIvB?L zjWREXLn%$-y%iIfIMQcDV0o6*++gjoj80}wlGqIQS1FIoQikmjh|tL*IBwNKD|j2< zT=B+LAKS?fBn=tdOBrZ{%&f(LYN5thMR?RskL_|Yi7&xrs!*m`DDm??iiF}e+mgb$ zaSBj*i(Itt^ZYbJ2@;KE*9jJt3A0yj$2H~&hz zKg5Uc7P0oQ8g6-Pzf$j4ivO$9cBxbg3~~o?&$o>Gm5*gnSGY7+pF@#sTIqjgh2XxN zu|VdS`!*)jlpgQdgiTM%$@Gf8D$HwNgpL8-9F=aV;045DYOkoQys>q1LPb|kv1Dq1 zU`9qOH*Epk`X^rL#vk4NHvPpN5zB>U_WIq5^1FP<9fzbPEoCl8yA6uiRTdp3HPX!c zg#s;17s2VjCXN2&wAd@Y@|!Y&5f_Y}MSqXgGqT&zl~ z5B`ROn!P9wdUUy_za8qw*(7L)c|czskBB=ir&dxF zdf5J>HAKbUBGgGk)}@K?j~;sK=YEGtDd>v`qLbT+iGn6SuzipF`~#+GYH_?7esGF9 z16lzBWwJR0%P@uIxT35*;$zGe+2#dhIdkz;r&EXHxz>T`#McpAkz!Q}%194)#AiJl z6Q|dw_TJ4cDG@_hom;S_8Yr4d>U|`8;@F8s%8FCytHEqJWpkR?Gc3`|r(*j|l|adIv=;EV{%%o{d7{wO(v;rh@3*dyKMQ+SvZdh|c9C3T1=S%< z2s}g%I6kF1t?rBXc5MT(Bqll^z9IR(+CuJDyQ_QigP$6&3Hho5jn2qom&d=al~!d* z!cRwFnUthA|L@HA=`-4yeVhz-my%7@Bj`^*Xp-aImv}RB*%V;29&g3ok(KqbpSUq| zoC+e<6!;DM=y=laAUh6bJV}uj-?%83_Oz9ziz9Ns> zO1Tapi3Q28TFx?bU;DvU0%S9x&_k_PI;pXr65^G44i!liNjtPR4wR5trO`72ZQqcu zAN)bDAbDiVVS2vCXj{fiDOs%G{pkdbV|)>(LWCT z{$PrswT|8Lo$aRtRp5J`i&l32D5_yCcj~3}{pBBpW+g_Ys%l<>e@-pbc;BaA#U+H% zaSD4IOw2T^oIxC0R+yXjbyh(*@;%wrm)t36(4kD!$9mK}=rVsy@AMOXjLuy?J-w?dYLdpj zFhA)0Vf&74Y0w#|f#PzNlnpLEB^Fx(o_b-;Qca>yt82c?pIC=VUF%uC-L$Tjfcvzg zDv>Xr{NLQLT}w}`z3hF_nHd+}Kes>r;;&6G5y%rBg;OZzCtKQT*B9gHKA#%JZ|5y| z^)}EUYu{FLLGrsfM1t+^azoRGDD31?ce;(+@A2@=g4wdm^$)|szGp?he}S?4NtC&y zAbqXbrn!p$27dn?-!=vk4a4sg#8j39l7?Ov77I+bp;;yN-$UPDm+WTmTj{3HY$cR2 z6PUyBcsbgAN4H^fY;SKhVAl`C`*jebl2I9Hoi7e$M}0$oqD3yY8?a6;X@(F_qo0ym zRxDc@>f$ri*v?^%%^*Z4BavunCQHsanDFr+@&YZg#d4wMg)Fs1B#W3t!g$Dp4yt3J z7^=V`9EH~Aw##&dNK#Zfn$p92)L9aSkw|a#pnAPuWPUAb`@(Bqb}n}>UHF-Z@i8&N zb^Y-~0v`yRN&Q6!j!G8XpbJNjcU92LX0_#ZvyIQntIM`EFCfvuDn|x9rtGcFzh=*qibPiXoWz2ns<@X7nFt^o19Xwmq1f>x3I4MN4ZL=n(Q0Q6Y)2jLB|BW~QBo zaL1&Bjk7YuxX%4-&olDS#4ySm_Ejo`D256@fBR$T@!&oyoSuKT;DIwvrCpA%rcv@m zj6SzlULhGhKkv0B9s6LvfWylvueCJB`zA&;)(w`0VOwI={1_AH_!8y4NAP(AZj+oK z$=#wbJlbaFr|-MQN!+E-v;BmO7(4E28(*KCM_HeyNXP@t3c*0{X!G^jhZo)tZ>`#F 
zpKnivw8*q1=1EaFdS5nw+V*b0d{d{OtHi7GW62vKb*fB-?z5hnWt!X8 zlU?8W=gHZoF`(k-KWjdoA+X*h=DK^)^NFb}_o2_CtkQf=#5KaKehB6wT|f-3vN_d&>Hb^(1INDFU@Er#Jq*6szETpQ_Gfq;$_|>= zSD#D{keo=G&^ZRmTci_S^LR_wXET<<5-WtL>0*|93bc28 zlptiFd?)7mGx#;~MIxEUWoUsho|{nIx>DWY8FKu=J1&OuAv;2a zZTZ?$0_1>$!F!%V;UVso#NF>-zJFrBx2CWl7zk$jQq;$xf=d5c)cpuW17AA}zc4+! z(^+kpT}TYU1(xmhy#-CA1+71aACkt5q;_&oGA%4uZbqN}@c22CV(4dmiQ(xWiL+pg zn8&_+2*EP$SiGe=TyZ<$$QnKk+Um2$%arHVx0{+b&%&>*O-09gw4>sc*K5Wo@kMCW8jV@Hn6lpyb$<9>MZYnFekK#jkE@iFJLhQ@(Uo8 zv6)AQk(gI(tF7sV8_91QSng~6)tE^#^_kiznaIPtk6{yt46~`6_HhuVPueQ` z%-CkJ@^}2^_mus)e0g1Ub?N5)ei(ULwZG`3@LeR{%iA28htYwwwlX)~kibLPP|MIu z4SlcgHhJh1dcz}L?WE)^*NWt^x7dMKd~8Vxw9%CPV*RMQt4Y7d#yx-R%L@98Z#6KL z7Z#B8ib`^k2O-D7_I8&E8VhfDTSINzb4FZ4&q}SW&RKM zXwJA>J%_42q+X5My&B+DG*4?_(cW#>R)rAC=gYm(;%cL@XBr6&vt%wG{kz6!j38@=zZ0ZhPe(eG~RXVZ5Y&0`@`TF)yx!ZTuclOf4KYjHpPI2Rh9i!&3vQQ z>4kkRaz1RyZ`e{65gIxEVoT1{`bvGdSK1OJ1UUVC(vi9NQnD{h(=R6dg6+B?I^SXk zCJ%`08j5u^-mX7@2ysmw59*UZnwQ>3g5F^y`Wa z$Eyr)?(kiTfdsY-0wlbR+som_pwA8u?aB#Q{v+mdSW{%zk%90yh6VTsi{G)}|A9z( z1w!bzM|@1Vla@Mzo?Az~{L_!od`O?VNlXm2WhR@xoLyxg;PEv+BC@hni#ti`B@Y{7 zTgnvhuS=vqGyNn$wd6Kw`tr{z-x^MQ28*hvm6TGn0jXN?HtTtu9xig{(Z$#F>fnmM z8Zo2T7ac?w4*Iln$O|j01z5%=L^>>dhURyF(#Z{1>{+vEkr*9(HPAN0Y-vc_vv_^Q z znaIM=S?LY))bLfRv;>>?9P*TMrBentWav3c)DVDYee?a@?QKvgbAO&C6)TGkQJvINpakGN(wV8E@;*1O zka!obY?7)$L+}w@`_-vLp2zJFLZjG+D>N51j!-KR%2dK2t~Y$+mBRN_pW=lc8SUB8 zp}h1r)O6l}bm+IX((J9EgndLTp>-Cj-oPR3uKY8@(ecoGwMlpXbwzAj3uoklHsM~! 
z4ep1u$rq|VO1H12$1JurBMQ(`Npu+Ot&k~jO_;aJ5*OG6JeSa|Ayw#A7(Dw}%AEi9&$u8R zZ}f&ZIWDz(VtO6Dg(s>LS8@j{vZ}Z7e$6*WhnQE_!eDA<+&IK#cGWuj?WBbPE+Kh0 zOLsK$1=r8;n)4b~@1q}G)Khw2bcg47eQk?sa1e#df2U|h6>N^b)InSi-!`88T3OJv zXMvy@|5r*w|Gf6Z6pphRcdvgMoVn3cAlpB)bfIXMRV!OcAkfsBW9 z!3DG2%Hyw{IVd*Tu*lEs zX!l)@|gX#~OGQ&qTsP?HF1!^x5xW zzqjqtrxEzwZi|*oNqJ80Mf~kz%StW?cuSv+yWL>H`RZu-%N9!u>E5ZPz!xDo28md+ zclcqF1IXCyc@aNW+L$twt*kU+>=k zxB2lq6FA^4BAAQJ9%HD8quMroczbN$yc!og7mJ$Evf-7^MdE>>+vh0fC`~n=QiH`Y zM#A}qWmgO1*cxMv`jHgou<(IcWxMX91;S|rL2Qx-ZFY9M{e?+_al;Egy;EdgZob*yeP4F(z`eRVpcHa4PR3#^!iiInNn{e1i4a3IJ!!3K@SGH8m9{_^ zQxErW0os*6O=o^L$va?CL&&p6&MlAN!XUF|8E7Vmvcx<5A?;2O%~0=xP1NI6I)zYc z)tVt-jCKTxLx~EjhU(D-nJ?4jU2da*HMVPt7hA3!WBuimbQM#+STvh5BaObcyso}| zxY?JK>*9HOm{LpN_i~P`%>;ucFM`XfI&U|L}u?z>g_=t%!$ef4pW0C z2T`-i$V;87x@u@wEmuh36z#JUc5%~{*3+^+ugh~?p6YUht`2G#O0fQ6Y6hf{d1P01 zIL3s)*0!_(2)G^Cvq2tyZG_auV!S$u;}+$$S2X?qf?dj3&$cOJ$=>pY$d6sy8Z~+{ zOIT;hI`Hqax3n^;l5Z=|UI59J<7dyvm0fl$JDTIImDX#IIVBj0at0;>AyLo<+c&=& z>ZU3iDy>6B;{dkKoKNf76j+}cOOYkSEsF^q zVq=?rB5i8ImJmT6A}EkpC!QY9tgh=}U0$@FfGUv@tMlJ>I0p=>r*(a*%THEc=%)~7 zUckg?6tLL%s1c>rkSSwBE3AnTpkqUpV2Ya=giMga$0Xd_U@d8prmIvNv|$sRTNQuL z<-Pu|xmqs<{qeW5>9ZO$>&ulsM9mk7^_wOAY9|z0__s|km@Sl>{o`Nu4}Y0&|FrU6 zv4hRRoxusLK`U%ARCiueT@6b5iR1N}KLyY2@EssM6Q{gAgA;X#%=shX0-$%cx;kOC z)YJ0vAOCUx;qmUPN12Lcx|^zHHBccZooAv%jOsL*&a9QSqU`MEK^_ivcu@i&V>cpy)0#XT-!fB=&^h6lA zgDeFrVMYlzQe)0i(6dp1%k=j2L>e-{0RpN;WQX5Rt2Pzz^GzI)VJgf_nW+FuHYg^m zZSq-8PUDeRuNI-OjY`@qWo|4aUBzQ0C$YYp;Iyf)hf$Vgf41}3j^)HN?2X^9y$d3a zp}=P-#{fZ$`e{C8+h&o69g+~?ZnrPfWT7()Q<<}vH1z0%pHCvHEt_tutDBO`1Q;ZI>mCA=Lk(GKvGVj^l( z&n{IwGSm+;W*)~*ffQ6*7hPU;IRUeimlT6MwOg#BK`;{QQ^E6pu{6@SlvPD$4W#ta z-7BQ^!h4-=FOf*x#g6cXX1Zb&N&zQ8#2~JMuFG1F2dtG47!W6V&@*nt8;5bTcm+ek zX10ylH1CZxR3k%lVVO~EJJlI1p6|=9_7{V|gso1E)KY8^|8AQ_hfLJv9KEAt=~O2tzJ+RmTt0W5OLMz&O~o zO&NyIfl3fabORwTGDw20C#}a?U)S|T>q}iTfjCk0(BWr7D?~n}Q3MuFeeUK(G5)KO{m&u6zJt45T?%b4W zj0$!R7+bkPDrm!)0#B1*Hms`E%V_^*_#5`e$kEUd0ne4-_M1%B5NxG*OalZ$K%7^( 
z_dqpW)Q+|s^z^i@uXTAvb@XbS`Q|e^Y>J%L1c2IZ8vA<<5$Zk71(3EMq+Wrn+yBc^ zg@Z3GK@~Ty3c(*E-A0=}s3*c)>v3HVrYE%IPi#BUCr)SvTXcP1*C$<{tUeR92e=Q2 z905d{j6QePrh`mxUw=W0Kq7vadWcCP#1zRX7)hfHfK^~oJ(-=r&`2__JtIf5A zJuW8i^0f_s^HS~k{Gm7WH)`7814t?J z#8N_=iwa|Y$Coxty3Lw3zTXB=x8__%_cwQa*KccaJuf?~xpVmVUO%co>ErUGKqG3Y_ zXps~>(PKh0p+H;c*~QusAtDfwGC_)(7zj~``u&7ymA&7Z%U%WvsY(S^>v}xt z@qksMkv*}Qj}DQKnjJ(BR>-Pi7ab9sRe)`6oo-+2|~nV0t(FN$tkKq zYh4eocB(L7Dy5XEOdw57)daPkKCZ7nV11Er;&KJ4bjQB!HXuIZK=CE_{}J)!vMor$ z-mI*4t!x{l;MT#y%H6d4FzvsZcJIo3W0(z6Bi2Je2Pq~>kuph{WGXC$q`~}DQo@|F3VVoG+wB= zws{hY^w!A0kRIY;?XQ_tq7J8xA_GP)$Nwz>?1C=+`nAzWw^g$jxp?aA`*zkx4eD|g zZ#jWG8U!fVr2;?Pk!6yyV|kS6R?59h4=gv3Jvf<6kuy&^Ffmxm`l$PkF-xBsGe0WD zlTEmfE*uqdmQ8c)iR#wukU+Yy77eeaRqI;Um%2RH<+-lUW(zi%ChUqB-^RhV!!iv0 zR?KL98hVFuUM@D~rr_C&;)mhhnP2ueL0QrEU7K;<6zeS?)|Iq|bS}1S%-MTKPRv%G z=zNFcy6w!!8#lDM^O9k4a?>MEW7OZsmZRFD@eIBkIVTv$;4+VsDDX8L`h+htJ=yxH zF0XZY(&I#*Z{Et+AJuB8# zk>uAd0-yw28S@Rh|x~3$DjZDqdffZ-NU~ai@UI+P!*_Lh~om8JUtpo zmSXdadFJWFd5_zN^7s{h`FpLa!xLcgE>cpV3p`?r-sL`FrHP@KVR?G_`KQBlceA_S z0~DA^x}Q|k6*>{6kY-{mkcp*I6{e6`WKvz>$EnacvWkhp+zG=~wJ_0k)tnqw3=@+0 zue{j*ztMp=M0Jdv#&6s#efF?`jUQALd|T)?0`&p-jR8hbb-rknuR8ex1nyO(g1u zq%kMPC1<#(GUtL>*#@`CR39yaMhT#JJTRew6n-{`dq#AFgtLf@iLjLUWvV-g`63sBQ6p3Bkc1f~Zg;}1U zQY{f81U8YUb+jX0GY^Qwgr?W6WtHsu3<1sZxFU!-qyjVTJ){ICHzz=uW`Y2@c zybiuO!dHjfd)dM05u|wg;m&S0O&QewW=JBLTKJ}G97R?(>3Vpb^$KmQ z+{PDe9vM<*G<=+!Z^+Xk`mdc4v}RdwS=YsL-!>D*CV>#sSok(AzY0=p$@Nem90^-z+phF6L5453N3!qj zjM4yHJOzaW(=8cEMbOl&s;+fCF6+_i0ai(Y$4v&z?`vIMaH;jME+6aZ7ppJ8vT@l? 
z%k^cyeJyRV8fUl2IRX%8b-{x^oP&7d#nWyRFb^CsGs8*sXtvnKEPeG#tM-4j&UMj@ z|KjUPK8eqX8rNjs;m0^wzPh^`OrY%*EOIm7et+}u{r>J7%paCISDhhKk)i;s8mYRb z&tr`Y$5w%wxv`Z{)Ah`s;&c7G7}Lu;mzTH>;4aBx5%2`k>iYV(pPujj^Ys0nr$>|` zvSL9cXezdHU9e6jg)-3$6q_dO_pB=oHs9dg*K+u{zOFC`Xr}Z;m8vG5q!+=0(osDQ z1d6e@$R$J4PWAcc!~MJE_T9}+ltKe5%@noTx^h~fehv;P1ye;WQmd^rij^H~we_Ur zXg5$W!UTes+Jq~|^Wg^EO7`|Q z?s`rGdt7vuYB0x8aPy2u$(8_yNkcL7gRs=hOm_SCf7!kN%XIg3rKnYds>kx7mT8*y zGfPPmbV?F~V(rXzE4_^Avaw}{P0=3NCC9%o_;<7Z(eOhFlI8^S~_QKvVui41d-_+ zV61RA|<9 z2aDAkev<@HeVP>ptB~7i|Mk58X4-#1xmT7*`6@G6JY{Ai*5b@*lCqPjU@A^$wVJA? zXT$oM$%rRjtw8Ij3(LN5y z=#W4tbTI2T#kl4vryhN<=DQR?OJg+5Kp)&Uc-fgIbMfP~@@><`k)X5h%{nlP?J!z! z{;OMWd(wO(@7t0W@Z~@v$GV0X3T)=KPns~uj}==$Qs){g@&zMB%Rrh{Tjdv zl6F?VwZ+*w)#L>Z1)0$qt=b_G1A6=0^s%er7;*N|cwiDLy&(*s;esdbPEcAJ6o`Rl zH0VT_n8HrAzOJXI_4rgzpRg{l$}rG)>uoFYWpEQmf$3~wxE=quwv3HVR!@vwXmM1QCzWtNOe554{kX1Ab@^oV z6Raloud29C&DuQn&ZdBn!Wg^vhgV0S00N{D0wujIoaPJ6Oc&FG*}-&y+mJUCF}6Vm zIQ6$)zZF?{Q$5)z48N!5-*=tSE94gcl4}c603MfNVi6VPo59RjINjggf46`C-^>0( z<;}X@7wFof+}o<>gUfTee3?%*2@C^RExpzU1(!% zLa8sum%sn;@vlEU?!VsO?I5zk=qJAcTDh)P6f?z>FBD>DvaUECtIW84$Gi8_TJ`jr z`P~e8w3R0}3TImvtA=1~m(|4)6Pf^WdOp1T^1Of8mw76?$Xl;U7;D9{TA5^aCt@`% zm?o;CDgewoVwH6T5Kif45OM$eOeJlVwd`QNhrely*;5ERaSy(TRTZ|eGP#wVOX z1~zsx@7h_Kime2~P(sF^M+B$C63I- zP+>);dD>6&4kd#21C~xRc+--R-@AO9pF7JN*b0*zHMzy2Y}c$ge%L&n)%sl52Mzsb}za4hkU&>8;H|)_f}OO{tz1g74suJov0za;_LFN_0)RSq&5Ty zwDG;PJ}a%~4m8kMa#;-h>ggvkeTWNE+Ye!ViM2P#T5SPvY=tjXZ$7GGtyY&+4=>P_ zBs@L%(AHk#*nBiyhY9Yq^GjB2Ho2PkKrb*Z8 ziZj;Nf{0X*z;UN}+zk!H^@0YI~oUMGi-lA_d{QYg0waxjtYbfCGde8yc6ma(D z3=9*?-F)-yZvUao@4&sWC<%z6Kqhx}F$nxjZ<*Z*#S`fRP|x?RRj@)6q^OH&g{|hN zdl)jxL&M<;upVTAmN}x~3E||?@r#B#v_mM7fJKi4N##4LwRSU@f+d(TxOK#x4DO(7 z(X|o#&QH4{hm2Br3o^R0NUqM(@O`T{{>n2KCAod+1=)1eauB6_q&m9LJx;tWvZLHc zxi8bB%nxzADEB6_u>b{9e2+2dZAcp)`1l|#xurhGIINmiGk>+%Jo_}SWaUDWv zBoK+6U7Qf8F1o(@Ns4uS(e+^U1oLCx5V6OR)(5Fsd$%{dj2%25IMEq4!R=UHosn_# z<&JBX=O}SL#k_nMhT$A<*f_sgXl#saK(4l&HdQ5fkqfuM6L~E8(B_a8@+Itp*kuk3 
zW5e@iH=(4d*&SC&M#h9=qD|4wFh=J3vzHsSd)88L^9e2o@uFcVYgN$WwE=XLqC zF3-9gtghKx$>r*_rV-a+X1N`U^EJ@!w41}CivNv(g|rDnV;z>JHO z@GJB%3Wr>)YSs0$uBTd$rYE41MNl9}Hwxce02%NvE5Ad@*%kqlF9HJr?j*3u_mkpVB%f#1qMN1^^#S?FiW{U(3O zKkRy=EnoKVB}f6lv!hCQ0C@UD+0A#~-aPzyzWbi#vEt5bHtbk-PJ&H?jML10B-PYV z>1;jNy(ZjW-MR9bKLuOX31%4h24&cO#+x@i1iER4ElL*v1?zhF>F1yS=fCg2-cP%! z5MrXBr>m+fmj%-ab+S^TIuV<9Tr1Tu?eOqbSq^qOdJadIrz(Z830PCTaH)kM;d(MQ z5KzR?jetycTwk7E_a6^;5AXbN?jnGR2fWr5>*}%bCWT@w#!0zUGc!z(9pq^4(BLNC zY?2ScKt`J6Ny0G*ZWS%Ek0dis0DGc}eBNzz9HyrIz4*Xwc7y(PvjjPOK3kJEKE5rM z4I2A4mN{e0XZ4TV$ll&F?ZMBl!0oHgeVi`8zEvQO`W&%=UdHhDtBttuE4hM}*!Ig6 z_p>(537{0S@OEa|$^FCb;p^SwpJo4`GHF#a%>^$8Ez?|fdzp5AYEHTiCAUVG7(fIv z-Ch~fnHosb?Aq=bJHZ^NGl3|UbpOWfhbGoEC@*#dS~Cm)M5rdkSVfA+T*_R)HA}GT zrP1oxBdJ+k=%r|EzTawli=j*QGM4hdh}$&5N?a}zhSOJ>#&npB>1g>Idk|(S*byk( zWQ$>UOU@2G_Q3gpxd&v*7^)78dI)yl5L%aY^#t9P1boymx&06$xmkU_W;#V02YAG; z0w!RB0!<)tk*Iw}^K{s}qyxyFM-zclm@4b4>uITnmk9bGt)(F)JtG>C1hYF<^T-8s&L52#l*@=qQkqcCXa{F|%r@3RTq8QV+*^JW^QZQc4l9dSvB#T91EUUw^>z zvoah7oCP?umLc?e1*(f5?!eNNbaUKm&u<>TX1BpTO z<i(8nsU8*3xC8pZ?&*3~4g8j)@FMjSOFhQ#=Nl=S(;{6QZx=@%fUeIb*L^w4l#E ze_435GP(JT+!dn}ns)anHZynuXOZIZ9a8Q@9_a{0nIXjuqy!_)aMBL=qRI)hI2#2Q z;FKnv)=YP0odEmKStM6|{wu%_$#qV+3lFL?Y&;djRJ*Q^->6})g-5cuU*-x!m z!-FkPn={fTdv2Q1>PgN{3|@E{{@^!TH@j<6Q|2Xw0gs4D!5}hNXHw@#yTGW;x3(Fy zT7A{^bzMKz<5OK;p$jyGj$BJ^-rYs#^1obfsCOu5fRYm@0t+rdE%&eyZ!wy1W2OG6=-JYBP^6 zYi>b`ynC!p|*tygL#C8Wa)namq73kPH`{U7k_0e*~oXBd>o( zwWF4lU&(9l`W+y}R$cUEXeHXCPRip5~&_6Q4>tdy0LAFx$}hc2;ufg4O49kt{YFNaV6_y6nNzkV~{ z+{r^>EgsuoP^(-QoF$DFE*c z0d-m2SfIz_)9dq(FArZmV3w)GPVwVSYqfQ?X=M?zSRo;BuZmR-V3|4Z>~u&hmI#Sj z5Kv7eJu-s;gj8#?s}EWzLjqGeraMRjgcvo^Q-^=J-F$8HHxuy{-EcEyNDQa{szYtK zSni#xYzb(SuVtvg&ej4N{n%Uv3^>jeo^4<7`Qi~~wO;9Viw^gPJINln(H4B=4?SoS z?L}Ni+lBevQsr%5-)?r3E4E#rY4IF8oo8|>~f562e*f@Yg}yI%zfjuA~fRcPQIEgBuOa-n5mhi`~Y}f`%EF1*hbamu%4c+ zuHM{?FX(+hkQjt#2-{Da6`6soXxS@UFA|#IkhId%pp+r8Wq(}{hhal-+NcL!5Rus3PKOv(>`hfDJ#0b=>@9;|=EFJRV}R zDpjqX*7a~gtuoJLDuqOaS}|R$KA)cdhaG={u8Bi!f}vtRTDbI~i$Ir~^(}gMdH>qA 
zrTWIrz0X|njz$V{`;xRS3HT_@;9lm(dH-Q|^DTI5DB<#Bl85q&LOgw@$V8S><}%GP zP4H!?)anM7Dpt)Ft4Cc=5$j=&UxZg#M6UJ_kMwtlV@g9)O={A?h!Bh#!eZ@c4>T|W z)*uYP)ZkuT?Jy<>LRwgdb?*r`4MF|z(LfE)W+UeN9}`TkC_?R*t8@F-&CB~7{O`i!(r^Jor@WsV>i_2Ep*#vA%+8IT} z;W)E5hCRpf8h-KC?2P($7uQnP*f8U!1CC{qOP!bGl}RVZcWu|t_)~kwR4%_T6bpGFf1B>uY7&*$@M_?%M2z84Cf+#F@#m<3Oo6H71iaisx6(91VWl zElkWjg}tG!rbk_0*X76c^juG`wjP+=1O_t=pJ$T+oVl1>=2E$syWul8-v+5__=ySA zu>aVMCymLr59u`{NVFn4Tf7T`49>D@wy2)g^|&ra(*>pkigQeqJO{X%!sFq!9@h2e zT7R_q9H>pSry9~2ys>EI+5np)r)^tKpCjq*j~JXD10vx};bvqXOh+5_Xm$h+rYou? z{kI(d^BqcS4EIZ}z6JmB>%YW}Vl+9OdmVpq-%wQ0LM9_isW#i0pzq|j_?Ylou zH(#SXtaUb<$eA*m(X^`7u*TSG)=-Jyp_!z%S|oU?0cY4-{uF+3(6SIdZ}Is`H?G}u z+aDMhMcgx?7+@lV)n9)3^uPXd|9HQD|1H(UI$6!kRI4l}lv3w;;$#3QB8GW3Rn$eM zo$cSr{j>h^Lq-ge=BctWiq_JQMTY>q%%GgB3#LXpt%r}FK7IT!-|nWpz##6jOVDU) zwOUn55f%tg43h#{)Czw98e%^?Wa1asaq)asTVq36H$gpuX z0;Qcz8Tyj#3@sC%ZRFjM*E)B}Fxu_=hidaq<{&(q{Sf}n>Gr0=A#jUlzkQbX_ZM6% zwrP28Q0pxjQ$qAT%Y5|geyGy9!^iE=KMkdQoI7zGF^<;YvG%bA14v*lYm5t` zO#&ucjA#cTn!M8R2p2CL9SChC>^Yg}Ac&t3;>V4-gP9U$sH&%vEvIN?I%Pz@4+wm; z86O%}g8ZB3xe6njW*#UK$VQ6=O!2spzyVZ|LYY9JR;(3jRE3=uJ)8iP-M-8Mn67|| z=y6?sT3-Gg^^|TkP4D#u=}Gwad`4Zj`sW!pCat%sI(1AwaJt<`r zbBpDKayRe4-t9h=@@SkRzQV+8@-tS<2%(99MPveslv#?K0%%ZEt5snpwu&yM2VGxv zIhd|cA1edY)L?2%qdLqzZ`{hBNi?m6C1+O5Eq>vdeSmafOFcFYD+M|R;m<-dgC?Rv z4foWZjiUCz6GX&8cY7WjXSP0xHVOxq)9}XByjkY5lI>dI#fP)XOUj_g@(N_i~PyD~k_(}T(mGAl&kt`jAXHAK2O0Z5!D2VWhW>a!W%6SRPV zkT8Uw?3)IGm{>_!*n;Fc=IEqWZ9Oc@%es85%X3{{peGB0CuS0fFX%CL&BxHXKN|B) zAmLUd=;M|4#+)7`ZY=<+%@#GvE6KAmUOA&GpxhAEij z-Q@R!AEdPt%7?diO`FMe+_#hMMH}tC;rs1=Qk$`=Aj}9eVrz6bO)xoK>QupPTLghP zEh<8kJSjZTNW#P_^|&q{m(wq&;}h0rQ#ELWSuz{|#ZoxiPOyexl`M4wQ1>yvf@pO6 zOdGmZdk#2KaATX&_EU2_$tcTUkw^@`fW>n%NvttVf1*=ekF_367nkQFp%Y7pCvdh$ z(?!?Ub^TH6lj$L>r@lkXG6jAd;JTT;h;S#+e0!1e>$54byqhCrb3~Ow6krk*NS@af z!n46Dajg1k)w70&@|S|~6_BE@u3u5we>bLZRmuP7BNXTU<9YKpzxsN4r}qO$5meW- z0+ZZ6-rWD?{@uT!ysx;a>m-~#LPslu*PE)=WXjddgO<(HXAb9*HuS%msvnira0+g; zvTNq4>dOy*z5njR-Pd22xrh+z=XjcdRc&3lEF|eZ 
z4rVBml?s_?YP>j8fQSwE_iVER*T#d@kuKBaUSp9EOR~&n!?-A`Mwk zBBoBJf!GGGZF)%?a0yK~SZljKu&0g6{Ux(}c6|;$VCJvd>f0fpeO55;zna;_2D^N4 zQ{c@#|Mm;FPn?NxHr_w4oGC4BK#CAvn?S!UfAI=`zTKx`BjH?=SK^hVikU(txqX}; z{lw@XLy zV63?LHsvslFGj8IGGSPgnW7nu7-eJ78`B%Mkq%ve7-CYAE_GQD`L+aWnagXa zY_na`RopQIMPpUe)2SW~2r!PhEV@_Owy_xr6CuZij(_<5LMcV!sCeo1^_AFHWDi90 zQsR6kj>W9ibgg9*|N&-0^{JL5jt98G4hG-NTnY-EB=lu71U%0v-Qhp4KsDpcyC z^`Pskt_SF;AJw6j?hhya+;u@o4#h4n?^61dOl2UAn-)#u- zu+U~U`7*2D&qpkIUuyKj{|3l(n1CxYb#3ylffUTtRp-lQT*05?!Wg#v_^J+E8j*fl zv1JSxf@g_BPd~xwUZ#7Ndnq@NTXLr|o6K&?4#LnjZK6s!R0cJ5N8b)ZjD9QTt`mfM zT<{o@Lo{5;k{d@QbU4>k>ssrvuCH}@sr6OY7pn`Liv-FG&#e(woG|D#ZQOFhaCjHu z1fm%A?PzoJziZQR@p)6W>Fwu_5B8t42L>V=KX=YJlu0!XeO=|Vo4b*I$?NIeVe73A ziE(_<(D-po0+ViUYYmX$jRPwmImf`?GZ`}n>Pm!!BRvTn2bT)a{RluZQYxoSK0;|7 z|6HuTuJxs^PwVNqE-$tob6q%69|i#cfY1c&D>zxILkX8#JEez^EXU;f_qN5&xrd|fPh(5t)@$@r?sB69-)3ZtN7% zMN1ORuAMe`f;5rCkH5VB{m0i2-`{`t-j{1pQK$k|xvo4NO+=(X#AqnMG+~}`JYl-Q z%|p3=)Tf^-YUm+>^#r|eGHVPk@+63%Re8QkF%*O8vcCNE@%YW{d^g|BamKK(D>YkJ zmWjn}tzu#*6U`v*ohq32s4H|u;{{#4VaPA}<~CSu)5cKo0v9# zZMe3>7+-l_O`lrJF~Ts@XAdw$C6{|;H$A-HJ^X2R|0mwOH;Q`B^W0I+d(<73Cz)<` zQsyoZvbFq=xSEG&G&J^8gBN7zP-jh-oHuXwt>6(-Ieylhb^~uW5K>qskx6v1YhqkB zBQW(oyw=|4M*xx5*J*FiIbXS$$$mfoL?hh4qPQKvwj$T?g01YrK2S|=I~%NI*f@nD2Fwhy5kf~ z5B^kr5rS;`Qvk3yzr%)DlJ;wRd;as(U#+&0Q?O0LnPk+{r&(w8_x zGYI`^MZ>zkR+1bL%r4;>gff#e%bwFsDYq;SQtnx9>5D}CgOanu#W=jCuuoyS5I13Xk{G6Dw1F#iBKT5T0QCdT_e3~Tbe9UV zH4k-iTtlJP<37&$Yc5KsELYE)8M>KJ1-slo#Lh*GWBO0cw8QDs4}Y8A{m0$c_namI zMOdwvsR3HcvSMCQCl_Y{$TV@cvvs9Sm~Zj;VRv{wE)_6upmPz8z0Jmx2+wdy_YEWg zN>K%AKrySwr;ndLzMmd$b~lsISkj5VLIrg-Ewr>CP6jPjCf1cuD>J27s7V|F20A#? 
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md new file mode 100644 index 0000000000..283e8615c7 --- /dev/null +++ b/windows/security/identity-protection/credential-guard/index.md
@@ -0,0 +1,101 @@ +--- +title: Windows Defender Credential Guard overview +description: Learn about Windows Defender Credential Guard and how it isolates secrets so that only privileged system software can access them. +ms.date: 06/26/2023 +ms.topic: conceptual +ms.collection: + - highpri + - tier1 +--- + +# Windows Defender Credential Guard overview + +Windows Defender Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. + +Windows Defender Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like *pass the hash* and *pass the ticket*. + +When enabled, Windows Defender Credential Guard provides the following benefits: + +- **Hardware security**: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials +- **Virtualization-based security**: NTLM, Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system +- **Protection against advanced persistent threats**: when credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS + +> [!NOTE] +> While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate other security strategies and architectures. 
+ +> [!IMPORTANT] +> Starting in Windows 11, version 22H2, VBS and Windows Defender Credential Guard are enabled by default on all devices that meet the system requirements.\ +> For information about known issues related to the default enablement of Credential Guard, see [Credential Guard: Known Issues](considerations-known-issues.md). + +## System requirements + +For Windows Defender Credential Guard to provide protection, the devices must meet certain hardware, firmware, and software requirements. + +Devices that meet more hardware and firmware qualifications than the minimum requirements, receive additional protections and are more hardened against certain threats. + +### Hardware and software requirements + +Windows Defender Credential Guard requires the features: + +- Virtualization-based security (VBS) + >[!NOTE] + > VBS has different requirements to enable it on different hardware platforms. For more information, see [Virtualization-based Security requirements](/windows-hardware/design/device-experiences/oem-vbs) +- [Secure Boot](../../operating-system-security/system-security/secure-the-windows-10-boot-process.md#secure-boot) + +While not required, the following features are recommended to provide additional protections: + +- Trusted Platform Module (TPM), as it provides binding to hardware. TPM versions 1.2 and 2.0 are supported, either discrete or firmware +- UEFI lock, as it prevents attackers from disabling Credential Guard with a registry key change + +For detailed information on protections for improved security that are associated with hardware and firmware options, see [additional security qualifications](additional-mitigations.md#additional-security-qualifications). + +#### Windows Defender Credential Guard in virtual machines + +Credential Guard can protect secrets in Hyper-V virtual machines, just as it would on a physical machine. When Credential Guard is enabled on a VM, secrets are protected from attacks *inside* the VM. 
Credential Guard doesn't provide protection from privileged system attacks originating from the host. + +The requirements to run Windows Defender Credential Guard in Hyper-V virtual machines are: + +- The Hyper-V host must have an IOMMU +- The Hyper-V virtual machine must be generation 2 + +> [!NOTE] +> Credential Guard is not supported on Hyper-V or Azure generation 1 VMs. Credential Guard is available on generation 2 VMs only. + +[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)] + +## Application requirements + +When Windows Defender Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as *application requirements*. + +Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. + +> [!WARNING] +> Enabling Windows Defender Credential Guard on domain controllers isn't recommended. +> Windows Defender Credential Guard doesn't provide any added security to domain controllers, and can cause application compatibility issues on domain controllers. + +> [!NOTE] +> Windows Defender Credential Guard doesn't provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). + +Applications break if they require: + +- Kerberos DES encryption support +- Kerberos unconstrained delegation +- Extracting the Kerberos TGT +- NTLMv1 + +Applications prompt and expose credentials to risk if they require: + +- Digest authentication +- Credential delegation +- MS-CHAPv2 + +Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process (LSAIso.exe). 
+ +Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Windows Defender Credential Guard. + +## Next steps + +- Learn [how Windows Defender Credential Guard works](how-it-works.md) +- Learn [how to configure Windows Defender Credential Guard](configure.md) +- Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues) \ No newline at end of file diff --git a/windows/security/identity-protection/credential-guard/toc.yml b/windows/security/identity-protection/credential-guard/toc.yml index 3661af7b0e..a4b737a9ec 100644 --- a/windows/security/identity-protection/credential-guard/toc.yml +++ b/windows/security/identity-protection/credential-guard/toc.yml @@ -1,17 +1,11 @@ items: -- name: Protect derived domain credentials with Credential Guard - href: credential-guard.md +- name: Overview + href: index.md - name: How Credential Guard works - href: credential-guard-how-it-works.md -- name: Requirements - href: credential-guard-requirements.md -- name: Manage Credential Guard - href: credential-guard-manage.md -- name: Credential Guard protection limits - href: credential-guard-protection-limits.md -- name: Considerations when using Credential Guard - href: credential-guard-considerations.md + href: how-it-works.md +- name: Configure Credential Guard + href: configure.md - name: Additional mitigations href: additional-mitigations.md -- name: Known issues - href: credential-guard-known-issues.md \ No newline at end of file +- name: Considerations and known issues + href: considerations-known-issues.md \ No newline at end of file From 17f3d2f45c240a8d86d9d19f7ad2066653195236 Mon Sep 17 00:00:00 2001 
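Review bot: the last Next steps link in the new index.md, `[considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues)`, drops the `.md` extension that the same target carries earlier in the file (`[Credential Guard: Known Issues](considerations-known-issues.md)`) and in toc.yml (`href: considerations-known-issues.md`); change it to `(considerations-known-issues.md)` so the link resolves. In the same list, `Review the advices and sample code` should read `Review the advice and sample code`. The VM requirements list in this hunk also drops the host and guest OS minimums that the credential-guard-requirements.md content deleted in PATCH 016 below states (host running at least Windows Server 2016 or Windows 10 version 1607; guest running at least Windows Server 2016 or Windows 10, with a virtual TPM recommended), so either restore them or confirm they no longer apply. Two wording points: `Windows Defender Credential Guard requires the features:` reads as if a word is missing (`requires the following features:`), and `Devices that meet more hardware and firmware qualifications than the minimum requirements, receive additional protections` has a stray comma before `receive`.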
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 07:43:45 +0200 Subject: [PATCH 016/156] removed old files --- .../credential-guard-manage.md | 304 ------------------ .../credential-guard-requirements.md | 138 -------- 2 files changed, 442 deletions(-) delete mode 100644 windows/security/identity-protection/credential-guard/credential-guard-manage.md delete mode 100644 windows/security/identity-protection/credential-guard/credential-guard-requirements.md diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md deleted file mode 100644 index 086a008176..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ /dev/null 
@@ -1,304 +0,0 @@ ---- -title: Manage Windows Defender Credential Guard -description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry. -ms.date: 11/23/2022 -ms.collection: - - highpri - - tier2 -ms.topic: article ---- - -# Manage Windows Defender Credential Guard - -## Default Enablement - -Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. - -Known issues arising from default enablement are documented in [Windows Defender Credential Guard: Known issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). - -### Requirements for automatic enablement - -Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements: - -|Component|Requirement| -|---|---| -|Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**| -|Existing Windows Defender Credential Guard Requirements|Only devices that meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.| -|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. 
Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default. - -> [!NOTE] -> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting. - -> [!NOTE] -> Devices running Windows 11 Pro 22H2 may have Virtualization-Based Security (VBS) and/or Windows Defender Credential Guard automaticaly enabled if they meet the other requirements for default enablement listed above and have previously run Windows Defender Credential Guard (for example if Windows Defender Credential Guard was running on an Enterprise device that later downgraded to Pro). -> -> To determine whether the Pro device is in this state, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions for [disabling Virtualization-Based Security](#disabling-virtualization-based-security). If you wish to disable only Windows Defender Credential Guard without disabling Virtualization-Based Security, use the procedures for [disabling Windows Defender Credential Guard](#disable-windows-defender-credential-guard). - -## Enable Windows Defender Credential Guard - -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. 
-The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. - -> [!NOTE] -> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only. - -### Enable Windows Defender Credential Guard by using Group Policy - -You can use Group Policy to enable Windows Defender Credential Guard. When enabled, it will add and enable the virtualization-based security features for you if needed. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. - -1. Select **Turn On Virtualization Based Security**, and then select the **Enabled** option. - -1. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. - -1. In the **Credential Guard Configuration** box, select **Enabled with UEFI lock**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. - -1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../hardware-security/system-guard-secure-launch-and-smm-protection.md). - - :::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting."::: - -1. Select **OK**, and then close the Group Policy Management Console. - -To enforce processing of the group policy, you can run `gpupdate /force`. - -### Enable Windows Defender Credential Guard by using Microsoft Intune - -1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**. - -1. Select **Configuration Profiles**. - -1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**. - - 1. 
Configuration settings: In the settings picker, select **Device Guard** as category and add the needed settings. - -> [!NOTE] -> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. - -> [!TIP] -> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). - -### Enable Windows Defender Credential Guard by using the registry - -If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features that have to be enabled first on some operating systems. - -#### Add the virtualization-based security features - -Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security isn't necessary and this step can be skipped. - -If you're using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. -To enable, use the Control Panel or the Deployment Image Servicing and Management tool (DISM). - -> [!NOTE] -> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. - -##### Add the virtualization-based security features by using Programs and Features - -1. Open the Programs and Features control panel. - -1. Select **Turn Windows feature on or off**. - -1. Go to **Hyper-V** > **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. - -1. Select the **Isolated User Mode** check box at the top level of the feature selection. - -1. 
Select **OK**. - -##### Add the virtualization-based security features to an offline image by using DISM - -1. Open an elevated command prompt. - -1. Add the Hyper-V Hypervisor by running the following command: - - ```cmd - dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all - ``` - -1. Add the Isolated User Mode feature by running the following command: - - ```cmd - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` - - > [!NOTE] - > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. - -> [!TIP] -> You can also add these features to an online image by using either DISM or Configuration Manager. - -#### Enable virtualization-based security and Windows Defender Credential Guard - -1. Open Registry Editor. - -1. Enable virtualization-based security: - - 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`. - - 1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - 1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. - -1. Enable Windows Defender Credential Guard: - - 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`. - - 1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. - -1. Close Registry Editor. 
- -> [!NOTE] -> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. - -### Review Windows Defender Credential Guard performance - -#### Is Windows Defender Credential Guard running? - -You can view System Information to check that Windows Defender Credential Guard is running on a PC. - -1. Select **Start**, type **msinfo32.exe**, and then select **System Information**. - -1. Select **System Summary**. - -1. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. - - :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe)."::: - -> [!NOTE] -> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. - -- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard won't help to secure a device or identity that has already been compromised. So, we recommend turning on Credential Guard as early as possible. - -- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. You can use security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - - - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. 
- - - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0** - - - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. - - - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. - - - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; continuing without Windows Defender Credential Guard. - - - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - -- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you're running with a TPM, the TPM PCR mask value will be something other than 0. - -- You can use Windows PowerShell to determine whether credential guard is running on a client computer. 
On the computer in question, open an elevated PowerShell window and run the following command: - - ```powershell - (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning - ``` - - This command generates the following output: - - - **0**: Windows Defender Credential Guard is disabled (not running) - - - **1**: Windows Defender Credential Guard is enabled (running) - - > [!NOTE] - > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running. - -## Disable Windows Defender Credential Guard - -Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and didn't have it enabled prior to the update, it's sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy). - -If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. The default enablement change in eligible 22H2 devices does **not** use a UEFI Lock. - -If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy). - -Otherwise, Windows Defender Credential Guard can be [disabled by changing registry keys](#disabling-windows-defender-credential-guard-using-registry-keys). - -Windows Defender Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine). 
- -For information on disabling Virtualization-Based Security (VBS), see [Disabling Virtualization-Based Security](#disabling-virtualization-based-security). - -### Disabling Windows Defender Credential Guard using Group Policy - -If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard. - -1. Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled": - - :::image type="content" source="images/credguard-gp-disabled.png" alt-text="Windows Defender Credential Guard Group Policy set to Disabled."::: - -1. Restart the machine. - -### Disabling Windows Defender Credential Guard using Registry Keys - -If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard. - -1. Change the following registry settings to 0: - - - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` - - - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` - - > [!NOTE] - > Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0. - -1. Restart the machine. - -### Disabling Windows Defender Credential Guard with UEFI Lock - -If Windows Defender Credential Guard was enabled with UEFI Lock enabled, then the following procedure must be followed since the settings are persisted in EFI (firmware) variables. This scenario will require physical presence at the machine to press a function key to accept the change. - -1. 
If Group Policy was used to enable Windows Defender Credential Guard, disable the relevant Group Policy setting. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled". - -1. Change the following registry settings to 0: - - - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` - - - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` - -1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: - - ```cmd - mountvol X: /s - copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y - bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" - bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - mountvol X: /d - ``` - -1. Restart the PC. Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. This prompt must be confirmed for the changes to persist. This step requires physical access to the machine. - -### Disable Windows Defender Credential Guard for a virtual machine - -From the host, you can disable Windows Defender Credential Guard for a virtual machine: - -```powershell -Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true -``` - -## Disabling Virtualization-Based Security - -Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. 
Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS. - -> [!IMPORTANT] -> Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects. - -1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled". - -1. Delete the following registry settings: - - - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity` - - - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures` - - > [!IMPORTANT] - > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. - -1. If Windows Defender Credential Guard is running when disabling Virtualization-Based Security and either feature was enabled with UEFI Lock, the EFI (firmware) variables must be cleared using bcdedit. From an elevated command prompt, run the following bcdedit commands after turning off all Virtualization-Based Security Group Policy and registry settings as described in steps 1 and 2 above: - - > - > ```cmd - > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS - > bcdedit /set vsmlaunchtype off - > ``` - -1. Restart the PC. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md deleted file mode 100644 index e8e539e520..0000000000 
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ /dev/null 
@@ -1,138 +0,0 @@ ---- -title: Windows Defender Credential Guard requirements -description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security. -ms.date: 12/27/2021 -ms.topic: article ---- - -# Windows Defender Credential Guard requirements - -For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). 
- -## Hardware and software requirements - -To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: - -- Support for Virtualization-based security (required) -- Secure boot (required) -- Trusted Platform Module (TPM, preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware -- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) - -The Virtualization-based security requires: - -- 64-bit CPU -- CPU virtualization extensions plus extended page tables -- Windows hypervisor (does not require Hyper-V Windows Feature to be installed) - -### Windows Defender Credential Guard deployment in virtual machines - -Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host. - -#### Requirements for running Windows Defender Credential Guard in Hyper-V virtual machines - -- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. -- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10. - - TPM is not a requirement, but we recommend that you implement TPM. - -For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/). 
- -For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](/windows/access-protection/remote-credential-guard#hardware-and-software-requirements). - -## Application requirements - -When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. - -> [!WARNING] -> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time. -> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers. - -> [!NOTE] -> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). - -Applications will break if they require: - -- Kerberos DES encryption support -- Kerberos unconstrained delegation -- Extracting the Kerberos TGT -- NTLMv1 - -Applications will prompt and expose credentials to risk if they require: - -- Digest authentication -- Credential delegation -- MS-CHAPv2 - -Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process. - -Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard. 
- -[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)] - -## Security considerations - -All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard. -Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. -The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. - -> [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers. -> -> If you are an OEM, see [PC OEM requirements for Windows Defender Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations). - -### Baseline protections - -|Baseline Protections|Description|Security benefits -|---|---|---| -|Hardware: **64-bit CPU** |A 64-bit computer is required for the Windows hypervisor to provide VBS.| -|Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**:
    - These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system.

    Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.| -|Hardware: **Trusted Platform Module (TPM)**|**Requirement**:
    - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../hardware-security/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| -|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**:
    - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.| -|Firmware: **Secure firmware update process**|**Requirements**:
    - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| -|Software: Qualified **Windows operating system**|**Requirement**:
    - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| - -> [!IMPORTANT] -> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. - -### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 - -|Protections for Improved Security|Description| -|---|---| -|Hardware: **IOMMU** (input/output memory management unit)|**Requirement**:
    - VT-D or AMD Vi IOMMU

    **Security benefits**:
    - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](/windows-hardware/drivers/bringup/acpi-system-description-tables)| -|Firmware: **Securing Boot Configuration and Management**|**Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.| -|Firmware: **Secure MOR, revision 2 implementation**|**Requirement**:
    - Secure MOR, revision 2 implementation| - -### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 - -> [!IMPORTANT] -> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. - -|Protections for Improved Security|Description|Security Benefits| -|---|---|---| -|Firmware: **Hardware Rooted Trust Platform Secure Boot**|**Requirements**:
    - Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification).|Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform.| -|Firmware: **Firmware Update through Windows Update**|**Requirements**:
    - Firmware must support field updates through Windows Update and UEFI encapsulation update.|Helps ensure that firmware updates are fast, secure, and reliable.| -|Firmware: **Securing Boot Configuration and Management**|**Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.|- Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.| - -### 2017 Additional security qualifications starting with Windows 10, version 1703 - -The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. - -|Protections for Improved Security|Description|Security Benefits -|---|---|---| -|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**:
    - VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections must be page-aligned in memory (not required for in non-volatile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
    - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable.
    (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.| -|Firmware: **Firmware support for SMM protection**|**Requirements**:
    - The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM.| - -> [!IMPORTANT] -> -> Regarding **VBS enablement of NX protection for UEFI runtime services**: -> -> - This only applies to UEFI runtime service memory, and not UEFI boot service memory. -> -> - This protection is applied by VBS on OS page tables. -> -> Please also note the following: -> -> - Do not use sections that are both writable and executable -> -> - Do not attempt to directly modify executable system memory -> -> - Do not use dynamic code From aeeceb1cbccc4caa9fe1945e636cbb94d6f88f12 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 07:48:06 +0200 Subject: [PATCH 017/156] index file updated --- .../security/identity-protection/credential-guard/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md index 283e8615c7..f41d1c2353 100644 --- a/windows/security/identity-protection/credential-guard/index.md +++ b/windows/security/identity-protection/credential-guard/index.md @@ -1,7 +1,7 @@ --- title: Windows Defender Credential Guard overview description: Learn about Windows Defender Credential Guard and how it isolates secrets so that only privileged system software can access them. -ms.date: 06/26/2023 +ms.date: 08/08/2023 ms.topic: conceptual ms.collection: - highpri 
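Review bot: this deletion removes the only copy in the diff of the firmware qualification tables (baseline protections and the 2015/2016/2017 tables, including the WSMT specification link and the `EFI_MEMORY_ATTRIBUTES_TABLE` NX requirements) and nothing in the hunk replaces them; if the content is moving to another article, the move should land in the same change so the published docs never lack the requirements, otherwise a redirect for the removed page is needed. Two table defects in the removed block are worth not carrying over to the destination: the header row `|Baseline Protections|Description|Security benefits` lacks its closing `|`, and the `64-bit CPU` row has only two cells for a three-column table, so its "Security benefits" cell rendered empty.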
@@ -89,7 +89,7 @@ Applications prompt and expose credentials to risk if they require: - Credential delegation - MS-CHAPv2 -Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process (LSAIso.exe). +Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process `LSAIso.exe`. Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Windows Defender Credential Guard. From 22cc1f65f51f7e5a73a369531ff65e533fc075ac Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 08:00:38 +0200 Subject: [PATCH 018/156] how-it-works updates --- .../credential-guard/how-it-works.md | 25 +++++++++++-------- .../credential-guard/index.md | 2 +- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index afee0155ec..9a745822c0 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md @@ -1,5 +1,5 @@ --- -ms.date: 06/26/2023 +ms.date: 08/08/2023 title: How Windows Defender Credential Guard works description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. ms.topic: conceptual 
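Review bot: in the hunk for index.md, "the isolated Windows Defender Credential Guard process `LSAIso.exe`" reads as though the executable name were part of the noun phrase once the parentheses are gone; keep it as an appositive, e.g. "the isolated Windows Defender Credential Guard process, `LSAIso.exe`."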
@@ -7,11 +7,14 @@ ms.topic: conceptual # How Windows Defender Credential Guard works -Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential Manager isolate secrets by using virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. -For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. +For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. 
All the binaries are signed with a certificate that is trusted by VBS and the signatures are validated before launching the file in the protected environment. -When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. +When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. + +> [!CAUTION] +> It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. 
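Review bot: in the rewritten first paragraph, "Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process" has "its" with no clear antecedent and drops the "prior to Windows 10" scoping the old text carried; suggest "Previous versions of Windows stored secrets in the process memory of the Local Security Authority (LSA)". The split of the second paragraph after "...and nothing else." leaves "All the binaries are signed..." as its own paragraph, which reads fine, but note the remaining sentence still says "before launching the file" (singular) after "All the binaries" (plural); "before launching them" would agree.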
@@ -25,17 +28,17 @@ Some ways to store credentials are not protected by Windows Defender Credential - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts -- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS. +- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS - Key loggers - Physical attacks -- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization - Third-party security packages - Digest and CredSSP credentials - - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. 
These same credentials are vulnerable to key loggers as well.- -- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. -- Windows logon cached password verifiers (commonly called "cached credentials") + - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols +- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well +- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host +- Windows logon cached password verifiers (commonly called *cached credentials*) don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. ## See also 
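Review bot: in the last list item, the trailing clause "if a domain controller isn't available" dangles after the bolded setting name **Interactive logon: Number of previous logons to cache**; the condition is already stated earlier in the same item ("when a domain-joined computer can't connect to AD DS during user logon"), so either drop the clause or attach it to the verb ("provide validation ... when a domain controller isn't available"). Also, this hunk strips the terminal period from every other list item for consistency, but the cached-credentials item still ends with one ("...isn't available."); apply the same convention there.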
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md index f41d1c2353..88e91291df 100644 --- a/windows/security/identity-protection/credential-guard/index.md +++ b/windows/security/identity-protection/credential-guard/index.md @@ -2,7 +2,7 @@ title: Windows Defender Credential Guard overview description: Learn about Windows Defender Credential Guard and how it isolates secrets so that only privileged system software can access them. ms.date: 08/08/2023 -ms.topic: conceptual +ms.topic: overview ms.collection: - highpri - tier1 From 25f5df667976ea962a9fc908912b606436e45a7b Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 08:54:52 +0200 Subject: [PATCH 019/156] docfx fix --- education/docfx.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/education/docfx.json b/education/docfx.json index 29a46f0323..a9579639a6 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -41,7 +41,7 @@ "manager": "aaroncz", "ms.localizationpriority": "medium", "breadcrumb_path": "/education/breadcrumb/toc.json", - "uhfHeaderId": "MSDocsHeader-M365-IT", + "uhfHeaderId": "MSDocsHeader-Windows", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", @@ -76,8 +76,7 @@ "✅
    Windows 11 SE", "✅ Windows 10" ] - }, - "uhfHeaderId": "MSDocsHeader-Windows" + } }, "externalReference": [], "template": "op.html", From 658c947fe1b1aab0469b7eb7ae4da23e807601aa Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 09:34:25 +0200 Subject: [PATCH 020/156] updates --- education/windows/edu-stickers.md | 6 +- .../windows/edu-take-a-test-kiosk-mode.md | 6 +- education/windows/edu-themes.md | 6 +- education/windows/federated-sign-in.md | 4 +- .../includes/intune-custom-settings-1.md | 13 ---- .../includes/intune-custom-settings-2.md | 9 --- .../includes/intune-custom-settings-info.md | 6 -- education/windows/index.old.yml | 73 ------------------- ...-guard-secure-launch-and-smm-protection.md | 2 +- .../credential-guard/configure.md | 2 +- .../credential-guard/how-it-works.md | 2 +- .../credential-guard/index.md | 2 +- .../security/includes/sections/identity.md | 2 +- windows/security/introduction.md | 2 +- 14 files changed, 17 insertions(+), 118 deletions(-) delete mode 100644 education/windows/includes/intune-custom-settings-1.md delete mode 100644 education/windows/includes/intune-custom-settings-2.md delete mode 100644 education/windows/includes/intune-custom-settings-info.md delete mode 100644 education/windows/index.old.yml diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 21f0dab85e..d3a6d97411 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -33,14 +33,14 @@ Stickers aren't enabled by default. Follow the instructions below to configure y #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| |

  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`**
  • Data type: **Integer**
  • Value: **1**
  • | -[!INCLUDE [intune-custom-settings-2](includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/configure/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] > [!TIP] > Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. [1](#footnote1) diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md index d7dd5daa95..408976797e 100644 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ b/education/windows/edu-take-a-test-kiosk-mode.md @@ -53,7 +53,7 @@ To configure devices using Intune for Education, follow these steps: ### Configure Take a Test with a custom policy -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| @@ -67,8 +67,8 @@ To configure devices using Intune for Education, follow these steps: :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: -[!INCLUDE [intune-custom-settings-2](includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/configure/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) 
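Review bot: the include references in edu-stickers.md and edu-take-a-test-kiosk-mode.md are repointed from `includes/configure/intune-custom-settings-1.md` to `../../includes/configure/intune-custom-settings-1.md`, but the include files deleted later in this patch live at `education/windows/includes/intune-custom-settings-*.md` (no `configure` folder), and no file is added under `includes/configure/` anywhere in this diff; confirm the shared includes already exist at the repository root, otherwise all four consuming pages (edu-stickers, edu-take-a-test-kiosk-mode, edu-themes, federated-sign-in) will fail to resolve them at build time.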
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md index 39decf882d..0f8053524d 100644 --- a/education/windows/edu-themes.md +++ b/education/windows/edu-themes.md @@ -23,14 +23,14 @@ Education themes aren't enabled by default. Follow the instructions below to con #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`**
  • Data type: **Integer**
  • Value: **1**
  • | -[!INCLUDE [intune-custom-settings-2](includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/configure/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 510772b7a1..915affe187 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -79,7 +79,7 @@ To use web sign-in with a federated identity provider, your devices must be conf To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| @@ -121,7 +121,7 @@ To use web sign-in with a federated identity provider, your devices must be conf To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md deleted file mode 100644 index d911751e75..0000000000 --- a/education/windows/includes/intune-custom-settings-1.md +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -ms.date: 02/22/2022 -ms.topic: include ---- - -To configure devices with Microsoft Intune, use a custom policy: - -1. Go to the Microsoft Intune admin center -2. Select **Devices > Configuration profiles > Create profile** -3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** -4. Select **Create** -5. Specify a **Name** and, optionally, a **Description > Next** -6. Add the following settings: \ No newline at end of file diff --git a/education/windows/includes/intune-custom-settings-2.md b/education/windows/includes/intune-custom-settings-2.md deleted file mode 100644 index 1a601acaa7..0000000000 --- a/education/windows/includes/intune-custom-settings-2.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -ms.date: 11/08/2022 -ms.topic: include ---- - -7. Select **Next** -8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** -9. Under **Applicability Rules**, select **Next** -10. Review the policy configuration and select **Create** \ No newline at end of file diff --git a/education/windows/includes/intune-custom-settings-info.md b/education/windows/includes/intune-custom-settings-info.md deleted file mode 100644 index 8ff9da4294..0000000000 --- a/education/windows/includes/intune-custom-settings-info.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -ms.date: 11/08/2022 -ms.topic: include ---- - -For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/education/windows/index.old.yml b/education/windows/index.old.yml deleted file mode 100644 index 849e1d3e1d..0000000000 --- a/education/windows/index.old.yml +++ /dev/null 
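Review bot: the deleted `intune-custom-settings-2.md` continues the numbered list begun in `intune-custom-settings-1.md` (steps 7 to 10 after steps 1 to 6), with the consuming page's settings table placed between the two includes; the replacement includes at the new location must keep that numbering continuation, or the second half of the procedure will render as a fresh list starting at 1. The deleted files also ended without a trailing newline (`\ No newline at end of file`), which is worth avoiding in the shared copies.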
@@ -1,73 +0,0 @@ - - title: Get started - linkLists: - - linkListType: tutorial - links: - - text: Deploy and manage Windows devices in a school - url: tutorial-school-deployment/index.md - - text: Prepare your tenant - url: tutorial-school-deployment/set-up-azure-ad.md - - text: Configure settings and applications with Microsoft Intune - url: tutorial-school-deployment/configure-devices-overview.md - - text: Manage devices with Microsoft Intune - url: tutorial-school-deployment/manage-overview.md - - text: Management functionalities for Surface devices - url: tutorial-school-deployment/manage-surface-devices.md - - - title: Learn about Windows 11 SE - linkLists: - - linkListType: concept - links: - - text: What is Windows 11 SE? - url: windows-11-se-overview.md - - text: Windows 11 SE settings - url: windows-11-se-settings-list.md - - linkListType: whats-new - links: - - text: Configure federated sign-in - url: federated-sign-in.md - - text: Configure education themes - url: edu-themes.md - - text: Configure Stickers - url: edu-stickers.md - - linkListType: video - links: - - text: Deploy Windows 11 SE using Set up School PCs - url: https://www.youtube.com/watch?v=Ql2fbiOop7c - - - title: Deploy devices with Set up School PCs - linkLists: - - linkListType: concept - links: - - text: What is Set up School PCs? 
- url: set-up-school-pcs-technical.md - - linkListType: how-to-guide - links: - - text: Use the Set up School PCs app - url: use-set-up-school-pcs-app.md - - linkListType: reference - links: - - text: Provisioning package settings - url: set-up-school-pcs-provisioning-package.md - - linkListType: video - links: - - text: Use the Set up School PCs App - url: https://www.youtube.com/watch?v=2ZLup_-PhkA - - - title: Configure devices - linkLists: - - linkListType: concept - links: - - text: Take tests and assessments in Windows - url: take-tests-in-windows.md - - text: Considerations for shared and guest devices - url: /windows/configuration/shared-devices-concepts?context=/education/context/context - - text: Change Windows editions - url: change-home-to-edu.md - - linkListType: how-to-guide - links: - - text: Configure Take a Test in kiosk mode - url: edu-take-a-test-kiosk-mode.md - - text: Configure Shared PC - url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context - - text: Get and deploy Minecraft Education - url: get-minecraft-for-education.md \ No newline at end of file diff --git a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md index 15c8a64f62..35ef8a1826 100644 --- a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md 
@@ -61,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic ![Verifying Secure Launch is running in the Windows Security settings.](images/secure-launch-msinfo.png) > [!NOTE] -> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). +> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/index.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). > [!NOTE] > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index 77709daeae..d91542146f 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md 
@@ -398,7 +398,7 @@ bcdedit /set vsmlaunchtype off ## Next steps - Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article -- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues) +- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index 9a745822c0..dd259d1d2e 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md @@ -57,4 +57,4 @@ don't qualify as credentials because they can't be presented to another computer - Learn [how to configure Windows Defender Credential Guard](configure.md) - Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article -- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues) +- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md index 88e91291df..6ae7c634da 100644 --- a/windows/security/identity-protection/credential-guard/index.md +++ b/windows/security/identity-protection/credential-guard/index.md 
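Review bot: "Review the advices and sample code" in the unchanged context line of the configure.md Next steps hunk (and the identical line in the how-it-works.md hunk right after it) is ungrammatical; "advices" should be "advice", which the Acrolinx commit later in this series fixes for how-it-works.md only. Because this hunk already edits the adjacent bullet to add the `.md` extension, correct the wording here too so configure.md does not keep the typo.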
@@ -98,4 +98,4 @@ Services or protocols that rely on Kerberos, such as file shares or remote deskt - Learn [how Windows Defender Credential Guard works](how-it-works.md) - Learn [how to configure Windows Defender Credential Guard](configure.md) - Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article -- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues) \ No newline at end of file +- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) \ No newline at end of file diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md index 891ad65444..9defb85584 100644 --- a/windows/security/includes/sections/identity.md +++ b/windows/security/includes/sections/identity.md 
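Review bot: The changed bullet in the index.md hunk still carries "\ No newline at end of file" on both the old and the new side; add the trailing newline so the file matches the others in this set and future diffs of the last line stay clean. The "advices" wording flagged for configure.md appears in this hunk's context line as well.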
@@ -24,5 +24,5 @@ ms.topic: include | **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. | | **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. | | **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.

    Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. | -| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

    By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. | +| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

    By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. | | **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.

    Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. | diff --git a/windows/security/introduction.md b/windows/security/introduction.md index a87668dc0e..3de33d18b7 100644 --- a/windows/security/introduction.md +++ b/windows/security/introduction.md 
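Review bot: Two typos sit in the unchanged rows of the identity.md table this hunk edits: "when a user attempt to access file system objects" should read "attempts", and "Window Defender Remote Credential Guard" is missing the "s" in "Windows"; both are worth fixing in the same change. The new target `/windows/security/identity-protection/credential-guard` drops the file name and so relies on an index page being served at the folder URL; the redirection entry added later in this series sends `credential-guard.md` to that same path, so the two stay consistent.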
@@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d ### Secured identities -Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. +Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. 
Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. ### Connecting to cloud services From a63c06ae92d6ecb48c3bd74fa27f43b2992fe43d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 09:42:00 +0200 Subject: [PATCH 021/156] includes updates --- education/windows/federated-sign-in.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 915affe187..6b703ae346 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -90,8 +90,8 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile] :::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true"::: -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) @@ -131,8 +131,8 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile] |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`**
  • Data type: **String**
  • Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**
  • | |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`**
  • Data type: **String**
  • Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**
  • | -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) From 9af9e4305640027473852d5dd32f5ad1e8e3e2af Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 09:58:13 +0200 Subject: [PATCH 022/156] cred-guard redirects --- ...blishing.redirection.windows-security.json | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 54589ae7b4..742bc4f296 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json 
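Review bot: Nothing in this commit adds or moves the two include files that both federated-sign-in.md hunks now reference: `../../includes/configure/intune-custom-settings-2.md` and `intune-custom-settings-info.md` resolve from `education/windows/` to a repository-root `includes/configure/` directory, yet the stat shows only 4 insertions and 4 deletions in one file. Confirm the files already exist at that path before merging; otherwise both Intune tabs render a broken include.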
@@ -7334,6 +7334,41 @@ "source_path": "windows/security/zero-trust-windows-device-health.md", "redirect_url": "/windows/security/security-foundations/zero-trust-windows-device-health", "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard.md", + "redirect_url": "/windows/security/identity-protection/credential-guard", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-considerations.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/considerations-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/how-it-works", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-known-issues.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/considerations-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-manage.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/how-it-works", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-requirements.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/index", + "redirect_document_id": false } ] } From 61bb75c5267d315f31973a662e223323f0528287 Mon Sep 17 00:00:00 2001 
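Review bot: The redirect targets for one destination page are written in two forms in this hunk: `credential-guard.md` goes to `/windows/security/identity-protection/credential-guard`, while `credential-guard-requirements.md` goes to `/windows/security/identity-protection/credential-guard/index`. Use a single form (the folder path without `/index`, matching the first entry and the link used in identity.md earlier in this series) so both old URLs land on the same canonical page.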
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 8 Aug 2023 11:34:01 +0200 Subject: [PATCH 023/156] Acrolinx --- .../credential-guard/configure.md | 2 +- .../credential-guard/how-it-works.md | 26 +++++-------------- 2 files changed, 8 insertions(+), 20 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index d91542146f..6ebbcb247f 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -94,7 +94,7 @@ To configure devices using the registry, use the following settings: |--| | **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
    **Key name:** `EnableVirtualizationBasedSecurity`
    **Type:** `REG_DWORD`
    **Value:** `1` (to enable Virtualization Based Security)| | **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
    **Key name:** `RequirePlatformSecurityFeatures`
    **Type:** `REG_DWORD`
    **Value:**
     `1` (to use Secure Boot)
     `3` (to use Secure Boot and DMA protection) | -| **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
    **Key name:** `LsaCfgFlags`
    **Type:** `REG_DWORD`

  • **Value:** `1` (to enable Credential Guard with UEFI lock)
     `2` (to enable Credential Guard without lock)| +| **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
    **Key name:** `LsaCfgFlags`
    **Type:** `REG_DWORD`
    **Value:**
     `1` (to enable Credential Guard with UEFI lock)
     `2` (to enable Credential Guard without lock)| Restart the device to enable Credential Guard. diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index dd259d1d2e..fe6e78a7e2 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md 
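Review bot: The `LsaCfgFlags` row is reworked only to move **Value:** onto its own line ahead of the `1`/`2` list, but the `EnableVirtualizationBasedSecurity` row in the same table still writes its value inline as "**Value:** `1` (to enable Virtualization Based Security)". Apply the same layout to all three rows (label on its own line, one value per line) so the table reads consistently after this Acrolinx pass.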
@@ -7,24 +7,24 @@ ms.topic: conceptual # How Windows Defender Credential Guard works -Kerberos, NTLM, and Credential Manager isolate secrets by using virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process `lsass.exe`. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets, `LSAIso.exe`. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. -For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All the binaries are signed with a certificate that is trusted by VBS and the signatures are validated before launching the file in the protected environment. +For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. 
All the binaries are signed with a certificate that VBS trusts, and the signatures are validated before launching the file in the protected environment. When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. > [!CAUTION] > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. -When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. +When Windows Defender Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials. Here's a high-level overview on how the LSA is isolated by using Virtualization-based security: -![Windows Defender Credential Guard overview.](images/credguard.png) +:::image type="content" source="images/credguard.png" alt-text="Diagram of the Credential Guard architecture."::: ## Windows Defender Credential Guard protection limits -Some ways to store credentials are not protected by Windows Defender Credential Guard, including: +Some ways to store credentials aren't protected by Windows Defender Credential Guard, including: - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts 
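Review bot: In the first added paragraph, "Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process `lsass.exe`" leaves "its" without a clear antecedent; suggest "stored secrets in the memory of the Local Security Authority (LSA) process, `lsass.exe`". Likewise "a component called the *isolated LSA process* that stores and protects those secrets, `LSAIso.exe`" reads as though `LSAIso.exe` were one of the secrets; keep the binary name next to the component name: "a component called the *isolated LSA process* (`LSAIso.exe`) that stores and protects those secrets".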
@@ -37,24 +37,12 @@ Some ways to store credentials are not protected by Windows Defender Credential - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols - Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well - Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide protection from privileged system attacks originating from the host - Windows logon cached password verifiers (commonly called *cached credentials*) don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. 
-## See also - -**Deep Dive into Windows Defender Credential Guard: Related videos** - -[Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/manage-credential-guard?u=3322) -> [!NOTE] -> - Note: Requires [LinkedIn Learning subscription](https://www.linkedin.com/learning/subscription/products) to view the full video - -**Related videos** - -[What is Virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security) - ## Next steps - Learn [how to configure Windows Defender Credential Guard](configure.md) -- Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review the advice and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article - Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) From afdbdd6e5343a92548b2664bc53b5edfda87634f Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 10 Aug 2023 09:22:32 -0700 Subject: [PATCH 024/156] Update EUDB link --- .../privacy/changes-to-windows-diagnostic-data-collection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index f78a8739ae..e9223826d7 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md 
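Review bot: Deleting the whole "See also" section leaves this article with no remaining link that explains Virtualization-based security, which the opening paragraph depends on; since the LinkedIn videos are behind a subscription, replacing them with the VBS page already linked elsewhere in this series (`/windows-hardware/design/device-experiences/oem-vbs`) would be a better edit than dropping the section outright. Also, "these credentials are vulnerable to be read from LSASS memory" in the unchanged context should be "vulnerable to being read", a fix that belongs in the same Acrolinx pass.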
@@ -81,6 +81,6 @@ Previously, IT admins could use policies (for example, the “Allow commercial d Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined. -We made this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way and in the same geographic region, and to help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/). +We made this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way and in the same geographic region, and to help us implement our plan to [store and process EU Data for European enterprise customers in the EU](privacy/eudb/eu-data-boundary-learn). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). \ No newline at end of file From 2f23c65fec203e4e7ff1c8a16d14d6d75725c18e Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 10 Aug 2023 09:26:21 -0700 Subject: [PATCH 025/156] Minor changes --- .../configure-windows-diagnostic-data-in-your-organization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index c91810a6d1..931a9491f0 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
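Review bot: The new link target `privacy/eudb/eu-data-boundary-learn` has no leading slash, so it resolves relative to `windows/privacy/` and will not reach the EU Data Boundary article; it should be `/privacy/eudb/eu-data-boundary-learn`, the form the next commit in this series uses for the same article. The later "Fix broken link" commit corrects exactly this, so squash it into this one and the broken link never lands on the branch.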
@@ -321,11 +321,11 @@ For the best experience, use the most current build of any operating system spec The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable: - us-v10c.events.data.microsoft.com (eu-v10c.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations)) -- umwatsonc.events.data.microsoft.com (eu-watsonc.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations)) +- watsonc.events.data.microsoft.com (eu-watsonc.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations)) - settings-win.data.microsoft.com - *.blob.core.windows.net -Tenants with billing addresses in countries or regions in the Middle East and Africa, as well as European countries or regions not in the EU, also use the eu-v10c.events.data.microsoft.com and eu-watsonc.events.data.microsoft.com endpoints. Their diagnostic data is processed in Europe, but those tenants aren't considered part of the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn). +Tenants with billing addresses in countries or regions in the Middle East and Africa, as well as European countries or regions not in the EU, also use the eu-v10c.events.data.microsoft.com and eu-watsonc.events.data.microsoft.com endpoints. Their diagnostic data is processed initially in Europe, but those tenants aren't considered part of the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn). >[!Note] > - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. 
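Review bot: Changing "processed in Europe" to "processed initially in Europe" for Middle East, Africa and non-EU European tenants implies the data is moved elsewhere afterwards, but the sentence does not say where or why; either state what happens after the initial processing or link to a page that does, otherwise the qualifier raises a question it leaves unanswered. The endpoint rename from `umwatsonc` to `watsonc.events.data.microsoft.com` also affects customers who maintain egress allowlists, so it deserves a mention in the commit message rather than "Minor changes".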
From 6a89e276baae939b21e7e742f9b314f9e065de79 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 10 Aug 2023 09:44:09 -0700 Subject: [PATCH 026/156] Add Autopatch and Intune sections --- .../privacy/windows-10-and-privacy-compliance.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index baa9c0f762..623d508b5e 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md 
@@ -227,12 +227,22 @@ An administrator can configure privacy-related settings, such as choosing to onl ### 5.3 Microsoft Managed Desktop -[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Office 365 ProPlus, and Microsoft security services. +[Microsoft Managed Desktop (MMD)](/managed-desktop/overview/service-plan) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Microsoft 365 Apps, and Microsoft security services. + +> [!NOTE] +> MMD will transition to end-of-life on July 31, 2024 and is no longer accepting new customers. ### 5.4 Windows Update for Business reports -[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all its reporting. +[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all of its reporting. +### 5.5 Windows Autopatch + +[Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Windows Autopatch reports use Windows diagnostic data for their reporting. 
+ +### 5.6 Windows updates reports on Microsoft Intune + +Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. For example, [App and driver compatibility reports](/mem/intune/protect/windows-update-compatibility-reports), [Windows driver updates](/mem/intune/protect/windows-driver-updates-overview), and [Autopilot](/autopilot/windows-autopilot). These reports use Windows diagnostic data for their reporting. ## Additional Resources From 3eb67fe770d5cbfd82163941a38c3d4004c063bb Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 10 Aug 2023 09:45:49 -0700 Subject: [PATCH 027/156] Add callout about MMD EOL --- .../configure-windows-diagnostic-data-in-your-organization.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 931a9491f0..105325130a 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -357,6 +357,9 @@ For Windows devices with diagnostic data turned on and that are joined to an [Az *(Additional licensing requirements may apply to use these services.)* +> [!NOTE] +> Microsoft Managed Desktop will transition to end-of-life on July 31, 2024 and is no longer accepting new customers. + If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. ### Enabling Windows diagnostic data processor configuration on older versions of Windows From 7a99786c797fc2fcdcc7c3b30a6bbc339b4582ca Mon Sep 17 00:00:00 2001 
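Review bot: In the new 5.6 section, "For example, [App and driver compatibility reports], [Windows driver updates], and [Autopilot]." is a sentence fragment, and Autopilot is a deployment service rather than a report; fold the list into the preceding sentence ("...reports that help you prepare a Windows upgrade or update, such as ...") and either drop Autopilot or name which of its reports use diagnostic data. The heading "Windows updates reports on Microsoft Intune" should read "Windows update reports in Microsoft Intune".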
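Review bot: The MMD end-of-life note added to configure-windows-diagnostic-data-in-your-organization.md is word-for-word the note added to windows-10-and-privacy-compliance.md in the previous commit; this repository already uses `[!INCLUDE]` files (see the federated-sign-in.md hunks earlier in this series), so put the note in one include and reference it from both pages so the date stays in sync when it changes.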
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 10 Aug 2023 09:57:45 -0700 Subject: [PATCH 028/156] Fix broken link --- .../privacy/changes-to-windows-diagnostic-data-collection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index e9223826d7..b7c4487f1c 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -81,6 +81,6 @@ Previously, IT admins could use policies (for example, the “Allow commercial d Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined. -We made this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way and in the same geographic region, and to help us implement our plan to [store and process EU Data for European enterprise customers in the EU](privacy/eudb/eu-data-boundary-learn). +We made this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way and in the same geographic region, and to help us implement our plan to [store and process EU Data for European enterprise customers in the EU](/privacy/eudb/eu-data-boundary-learn). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). \ No newline at end of file From 7e887ae528990aaaf606ac0901cd888c38cf5cfd Mon Sep 17 00:00:00 2001 
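Review bot: the hunk's trailing context shows "\ No newline at end of file"; since this commit already touches the last line of changes-to-windows-diagnostic-data-collection.md, add the terminating newline so later diffs of this file stay clean. The link fix itself (`privacy/eudb/eu-data-boundary-learn` to `/privacy/eudb/eu-data-boundary-learn`) is correct: the unrooted form would have resolved relative to the windows/privacy/ folder.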
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 10 Aug 2023 11:12:19 -0700 Subject: [PATCH 029/156] Updates to 5.# sections --- .../privacy/windows-10-and-privacy-compliance.md | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 623d508b5e..9af80ac4e0 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md 
@@ -225,22 +225,15 @@ An administrator can configure privacy-related settings, such as choosing to onl >[!Note] >The Windows diagnostic data processor configuration is not available for Surface Hub. -### 5.3 Microsoft Managed Desktop - -[Microsoft Managed Desktop (MMD)](/managed-desktop/overview/service-plan) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Microsoft 365 Apps, and Microsoft security services. - -> [!NOTE] -> MMD will transition to end-of-life on July 31, 2024 and is no longer accepting new customers. - -### 5.4 Windows Update for Business reports +### 5.3 Windows Update for Business reports [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all of its reporting. -### 5.5 Windows Autopatch +### 5.4 Windows Autopatch [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Windows Autopatch reports use Windows diagnostic data for their reporting. -### 5.6 Windows updates reports on Microsoft Intune +### 5.5 Windows updates reports on Microsoft Intune Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. 
For example, [App and driver compatibility reports](/mem/intune/protect/windows-update-compatibility-reports), [Windows driver updates](/mem/intune/protect/windows-driver-updates-overview), and [Autopilot](/autopilot/windows-autopilot). These reports use Windows diagnostic data for their reporting. From db7a3c09dad93995e75cce9ede378fa10e645a87 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 10 Aug 2023 11:22:11 -0700 Subject: [PATCH 030/156] Update list of non-EU services --- ...nfigure-windows-diagnostic-data-in-your-organization.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 105325130a..720b1ad0d9 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
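Review bot: renumbering 5.4 to 5.3, 5.5 to 5.4 and 5.6 to 5.5 changes the generated heading anchors, so any link into this article that targets the old "5.4 Windows Update for Business reports", "5.5 Windows Autopatch" or "5.6 Windows updates reports on Microsoft Intune" headings will break; search the docset for those anchors before merging. The context at the top of the hunk uses `>[!Note]` (no space, mixed case) where the block being removed used `> [!NOTE]`; since this hunk already touches that region, normalise the alert syntax. The 5.5 Intune paragraph still ends with the fragment "For example, [App and driver compatibility reports] ..."; this commit is a good place to fix it.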
@@ -352,14 +352,11 @@ For Windows devices with diagnostic data turned on and that are joined to an [Az - [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) - [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) -- [Microsoft Managed Desktop](/managed-desktop/intro/) -- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview) +- [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) +- [Windows updates reports (in Microsoft Intune)](/mem/intune/protect/data-enable-windows-data#windows-data) *(Additional licensing requirements may apply to use these services.)* -> [!NOTE] -> Microsoft Managed Desktop will transition to end-of-life on July 31, 2024 and is no longer accepting new customers. - If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. ### Enabling Windows diagnostic data processor configuration on older versions of Windows From 80fd4a1471401ba076d1214327d9c6cda2075533 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 10 Aug 2023 11:22:50 -0700 Subject: [PATCH 031/156] Update section heading --- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 9af80ac4e0..2e702b33d8 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md 
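Review bot: the commit message ("Update list of non-EU services") doesn't explain why "Endpoint analytics (in Microsoft Intune)" is dropped while "Windows updates reports (in Microsoft Intune)" is added; state whether Endpoint analytics no longer uses this data or was folded into the new entry, since this list defines which services make the customer, rather than Microsoft, the controller of the diagnostic data. The `> [!NOTE]` removed here is the one added three commits earlier in this series (patch 027, same file); squash 027 into this commit so the MMD callout never lands in history only to be reverted. Removing the MMD list entry together with the note is the right call: a service listed as eligible and at the same time flagged end-of-life was contradictory.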
@@ -233,7 +233,7 @@ An administrator can configure privacy-related settings, such as choosing to onl [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Windows Autopatch reports use Windows diagnostic data for their reporting. -### 5.5 Windows updates reports on Microsoft Intune +### 5.5 Windows updates reports (in Microsoft Intune) Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. For example, [App and driver compatibility reports](/mem/intune/protect/windows-update-compatibility-reports), [Windows driver updates](/mem/intune/protect/windows-driver-updates-overview), and [Autopilot](/autopilot/windows-autopilot). These reports use Windows diagnostic data for their reporting. From ddfff370627f487c6b804ca782560a9fe0a15a8c Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 10 Aug 2023 16:12:35 -0700 Subject: [PATCH 032/156] Update Windows Autopilot references --- windows/privacy/windows-10-and-privacy-compliance.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 2e702b33d8..71d3061064 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md 
@@ -99,9 +99,9 @@ Windows deployment can be configured using several different methods that provid If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions). -Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies. +Alternatively, your administrators can also choose to use Windows Autopilot. Windows Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Windows Autopilot profile and policies. 
-You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows: +You can use the following articles to learn more about Windows Autopilot and how to use Windows Autopilot to deploy Windows: - [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot) - [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process) @@ -235,7 +235,7 @@ An administrator can configure privacy-related settings, such as choosing to onl ### 5.5 Windows updates reports (in Microsoft Intune) -Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. For example, [App and driver compatibility reports](/mem/intune/protect/windows-update-compatibility-reports), [Windows driver updates](/mem/intune/protect/windows-driver-updates-overview), and [Autopilot](/autopilot/windows-autopilot). These reports use Windows diagnostic data for their reporting. +Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. For example, [App and driver compatibility reports](/mem/intune/protect/windows-update-compatibility-reports), [Windows driver updates](/mem/intune/protect/windows-driver-updates-overview), and [Windows Autopilot](/autopilot/windows-autopilot). These reports use Windows diagnostic data for their reporting. ## Additional Resources From daae46119497e7495e3a065e6c7239a57fe09a55 Mon Sep 17 00:00:00 2001 
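Review bot: the rename to "Windows Autopilot" leaves the link targets inconsistent: the context lines under the first hunk point at `/windows/deployment/windows-Autopilot/windows-Autopilot` and `/windows/deployment/windows-Autopilot/deployment-process` (mixed case), while the second hunk links to `/autopilot/windows-autopilot`; pick one canonical path and keep it lower case, since mixed-case paths may not resolve on a case-sensitive host. While editing the first paragraph, "a minimal set of device identifiers are sent" should read "is sent" (the subject is "set").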
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 14 Aug 2023 07:38:38 -0400 Subject: [PATCH 033/156] update --- .../credential-guard/how-it-works.md | 20 +++++++------------ 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index fe6e78a7e2..ead51f619d 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md @@ -1,5 +1,5 @@ --- -ms.date: 08/08/2023 +ms.date: 08/14/2023 title: How Windows Defender Credential Guard works description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. ms.topic: conceptual 
@@ -11,13 +11,6 @@ Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-b For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All the binaries are signed with a certificate that VBS trusts, and the signatures are validated before launching the file in the protected environment. -When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. - -> [!CAUTION] -> It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. - -When Windows Defender Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials. - Here's a high-level overview on how the LSA is isolated by using Virtualization-based security: :::image type="content" source="images/credguard.png" alt-text="Diagram of the Credential Guard architecture."::: 
@@ -33,13 +26,14 @@ Some ways to store credentials aren't protected by Windows Defender Credential G - Physical attacks - Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization - Third-party security packages -- Digest and CredSSP credentials - - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols +- When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols + > [!CAUTION] + > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. - Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well - Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. 
However, it doesn't provide protection from privileged system attacks originating from the host -- Windows logon cached password verifiers (commonly called *cached credentials*) -don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. +- When Windows Defender Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials +- When Windows Defender Credential Guard is enabled on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide protection from privileged system attacks originating from the host +- Windows logon cached password verifiers (commonly called *cached credentials*) don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available ## Next steps From 6acb2ce81ce9500843fd2621d69b4055241110c7 Mon Sep 17 00:00:00 2001 
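Review bot: the `> [!CAUTION]` block is now nested inside a list item with two-space indentation; confirm the docs renderer accepts an alert inside a bullet, otherwise it degrades to a plain quoted line. The relocated sentence "applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols" is ambiguous about what "which" refers to; since this is the security-relevant point (prompted and Vault-stored credentials are exposed when used with NTLMv1, MS-CHAPv2, Digest or CredSSP), rephrase as "...Windows Vault; neither kind is protected by Windows Defender Credential Guard when used with these protocols". Moving these bullets from the opening narrative into the "aren't protected" list is otherwise an improvement.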
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 14 Aug 2023 08:12:37 -0400 Subject: [PATCH 034/156] updates --- .../considerations-known-issues.md | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md index 37448d8086..54f1bd4bde 100644 --- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md 
@@ -34,23 +34,25 @@ As the depth and breadth of protections provided by Windows Defender Credential Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. -## Saved Windows credentials protected +## Saved Windows credentials considerations -Domain credentials that are stored in *Credential Manager* are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: +*Credential Manager* allows you to store three types of credentials: - Windows credentials - Certificate-based credentials - Generic credentials +Domain credentials that are stored in *Credential Manager* are protected with Windows Defender Credential Guard. + Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: -- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed.* +- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed* - Applications that extract Windows credentials fail -- When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Windows Defender Credential Guard. 
Otherwise, you can't restore those credentials +- When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Windows Defender Credential Guard -## Clearing TPM considerations +## TPM clearing considerations Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost. 
@@ -74,7 +76,7 @@ Active Directory domain-joined devices automatically provision a bound public ke Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). -Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). +Also if any access control checks including authentication policies require devices to have either the `KEY TRUST IDENTITY (S-1-18-4)` or `FRESH PUBLIC KEY IDENTITY (S-1-18-3)` well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). ### Breaking DPAPI on domain-joined devices 
@@ -107,11 +109,11 @@ Windows Defender Credential Guard blocks certain authentication capabilities. Ap This article describes known issues when Windows Defender Credential Guard is enabled. -## Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 +### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running. -### Affected devices +#### Affected devices Any device with Windows Defender Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Windows Defender Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements). @@ -123,7 +125,7 @@ All Windows Pro devices that previously ran Windows Defender Credential Guard on > > You can Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-windows-defender-credential-guard). -### Cause of the issue +#### Cause of the issue Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Windows Defender Credential Guard blocks them. Affected protocols include: 
@@ -136,7 +138,7 @@ Applications and services are affected by the issue when they rely on insecure p > [!NOTE] > Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials. -### How to confirm the issue +#### How to confirm the issue MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Windows Defender Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs: @@ -183,8 +185,7 @@ MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, versio :::column-end::: :::row-end::: - -### How to fix the issue +#### How to fix the issue We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Windows Defender Credential Guard doesn't block certificate-based authentication. @@ -195,7 +196,7 @@ For a more immediate, but less secure fix, [disable Windows Defender Credential > > If Windows Defender Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update. -## Issues with third-party applications +### Issues with third-party applications The following issue affects MSCHAPv2: @@ -222,7 +223,7 @@ The following issue affects Citrix applications: > > For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes). -### Vendor support +#### Vendor support The following products and services don't support Windows Defender Credential Guard : From d0488d70bf19fac4f70dbf801dc7334d257b953c Mon Sep 17 00:00:00 2001 
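Review bot: two context lines next to the heading-level hunks carry text defects that this commit should fix while it is there: the note in the -123 hunk reads "You can Windows Defender Credential Guard can be disabled after upgrade" (drop the leading "You can"), and the -222 hunk has "don't support Windows Defender Credential Guard :" with a space before the colon. Demoting "Single sign-on for Network services breaks..." and "Issues with third-party applications" from `##` to `###` only works if an enclosing `##` heading precedes them; it isn't in the visible hunk, so confirm the new hierarchy renders as intended. In the first hunk, the unchanged line "If the application doesn't need a copy of the password, they can save domain credentials" mixes singular and plural; "it can save" fits.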
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 14 Aug 2023 08:25:22 -0400 Subject: [PATCH 035/156] updates --- .../credential-guard/additional-mitigations.md | 2 +- .../identity-protection/credential-guard/configure.md | 2 +- .../credential-guard/considerations-known-issues.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index b433fa7bfa..9e79c1d43c 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -1,5 +1,5 @@ --- -ms.date: 06/20/2023 +ms.date: 08/14/2023 title: Additional mitigations description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. ms.topic: article diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index 6ebbcb247f..e9e45daabd 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -1,7 +1,7 @@ --- title: Configure Windows Defender Credential Guard description: Learn how to configure Windows Defender Credential Guard using MDM, Group Policy, or the registry. -ms.date: 06/20/2023 +ms.date: 08/14/2023 ms.collection: - highpri - tier2 diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md index 54f1bd4bde..9ad2262448 100644 --- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md 
@@ -1,11 +1,11 @@ --- -ms.date: 01/06/2023 +ms.date: 08/14/2023 title: Considerations and known issues when using Windows Defender Credential Guard description: Considerations, recommendations and known issues when using Windows Defender Credential Guard. ms.topic: troubleshooting --- -# Considerations when using Windows Defender Credential Guard +# Considerations and known issues when using Windows Defender Credential Guard It's recommended that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. From 6680a80d1b7979e0785cbd16b154e364d92a3aa1 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 14 Aug 2023 08:33:28 -0400 Subject: [PATCH 036/156] updates --- .../additional-mitigations.md | 54 +++++++++---------- .../considerations-known-issues.md | 2 +- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 9e79c1d43c..0749408f9c 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md 
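Review bot: two of the three changes are `ms.date` bumps with no content change (additional-mitigations.md and configure.md); additional-mitigations.md gets its real edits in the next commit of this series, so the date bump belongs there, and configure.md shows no accompanying edit at all, which makes the freshness date misleading. The H1 change in considerations-known-issues.md brings it in line with the `title:` front matter already present; good.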
@@ -48,7 +48,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. - All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. -### Protecting domain-joined device secrets +### Protect domain-joined device secrets Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. 
@@ -57,33 +57,33 @@ Domain-joined device certificate authentication has the following requirements: - Devices' accounts are in Windows Server 2012 domain functional level or higher. - All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - KDC EKU present - - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension + - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension - Windows devices have the CA issuing the domain controller certificates in the enterprise store. - A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. -#### Deploying domain-joined device certificates +#### Deploy domain-joined device certificates To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. -**Creating a new certificate template** +**Create a new certificate template** -1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** -2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. -3. Right-click the new template, and then click **Properties**. -4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. -5. Click **Client Authentication**, and then click **Remove**. -6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: +1. 
From the Certificate Manager console, right-click **Certificate Templates > Manage** +1. Right-click **Workstation Authentication > Duplicate Template** +1. Right-click the new template, and then select **Properties** +1. On the **Extensions** tab, select **Application Policies > Edit** +1. Select **Client Authentication**, and then select **Remove** +1. Add the ID-PKInit-KPClientAuth EKU. Select **Add > New**, and then specify the following values: - Name: Kerberos Client Auth - Object Identifier: 1.3.6.1.5.2.3.4 -7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. -8. Under **Issuance Policies**, click**High Assurance**. -9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. +1. On the **Extensions** tab, select **Issuance Policies > Edit** +1. Under **Issuance Policies**, select **High Assurance** +1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created. -**Enrolling devices in a certificate** +**Enroll devices in a certificate** Run the following command: ```powershell 
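Review bot: the line `+ - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension` differs from the removed line only in leading whitespace; confirm the extra indentation is intended so that it nests under the KDC certificate requirement together with `- KDC EKU present` rather than being an accidental edit. In the same hunk the renamed label `**Enroll devices in a certificate**` reads awkwardly (`**Enroll devices for a certificate**` is the usual phrasing), and these bold pseudo-headings (`**Create a new certificate template**`) would be better as `####` headings so they appear in the page outline like `#### Deploy domain-joined device certificates` does.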
@@ -128,25 +128,25 @@ Authentication policies have the following requirements: **Creating an authentication policy restricting users to the specific universal security group** -1. Open Active Directory Administrative Center. -1. Click **Authentication**, click **New**, and then click **Authentication Policy**. -1. In the **Display name** box, enter a name for this authentication policy. -1. Under the **Accounts** heading, click **Add**. -1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. -1. Under the **User Sign On** heading, click the **Edit** button. -1. Click **Add a condition**. -1. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. -1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. -1. Click **OK** to close the **Edit Access Control Conditions** box. -1. Click **OK** to create the authentication policy. -1. Close Active Directory Administrative Center. +1. Open Active Directory Administrative Center +1. Select **Authentication > New > Authentication Policy** +1. In the **Display name** box, enter a name for this authentication policy +1. Under the **Accounts** heading, select **Add** +1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then select **OK** +1. Under the **User Sign On** heading, select the **Edit** button +1. Select **Add a condition** +1. In the **Edit Access Control Conditions** box, ensure that it reads **User > Group > Member of each > Value**, and then select **Add items** +1. 
In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then select **OK** +1. Select **OK** to close the **Edit Access Control Conditions** box +1. Select **OK** to create the authentication policy +1. Select Active Directory Administrative Center > [!NOTE] > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. #### Discover authentication failures due to authentication policies -To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. +To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then select **Enable Log**. To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)). diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md index 9ad2262448..f25934c035 100644 
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md @@ -219,7 +219,7 @@ The following issue affects Citrix applications: > [!NOTE] -> **Note 1**: Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). +> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). > > For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes). From edbd4855a23a4dfcfe38782349392fab8f229faf Mon Sep 17 00:00:00 2001 
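Review bot: the mechanical click-to-select replacement changed the meaning of the final step of the @@ -128,25 hunk: `-1. Close Active Directory Administrative Center.` became `+1. Select Active Directory Administrative Center`, which no longer tells the reader to close the console. Restore it as `1. Close Active Directory Administrative Center`. The unchanged context line `**Creating an authentication policy restricting users to the specific universal security group**` also keeps the -ing form while the rest of the PR moves these pseudo-headings to the imperative (`Create`, `Enroll`); `**Create an authentication policy that restricts users to a specific universal security group**` would be consistent.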
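Review bot: in the `#### Discover authentication failures due to authentication policies` hunk the bold span on the added line is unbalanced: `**Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**` bolds the instruction text together with the path. Since the line is already being rewritten (`click` to `select`), close the bold after the path and reopen it around the log name: `**Applications and Services Logs\\Microsoft\\Windows\\Authentication**, right-click **AuthenticationPolicyFailures-DomainController**, and then select **Enable Log**`.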
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Aug 2023 08:00:39 -0400 Subject: [PATCH 037/156] Dropped "Windows Defender" --- windows/hub/index.yml | 2 +- ...tion-based-protection-of-code-integrity.md | 8 +- .../additional-mitigations.md | 16 ++-- .../credential-guard/configure.md | 86 +++++++++---------- .../considerations-known-issues.md | 76 ++++++++-------- .../credential-guard/how-it-works.md | 28 +++--- .../credential-guard/index.md | 44 +++++----- .../hello-deployment-guide.md | 2 +- .../hello-for-business/hello-faq.yml | 2 +- .../hello-feature-remote-desktop.md | 2 +- .../hello-planning-guide.md | 2 +- .../hello-for-business/index.md | 2 +- .../remote-credential-guard.md | 74 ++++++++-------- windows/security/identity-protection/toc.yml | 4 +- .../security/includes/sections/identity.md | 4 +- windows/security/index.yml | 2 +- windows/security/introduction.md | 2 +- .../ltsc/whats-new-windows-10-2019.md | 8 +- .../ltsc/whats-new-windows-10-2021.md | 4 +- .../whats-new-windows-10-version-1709.md | 2 +- .../whats-new-windows-10-version-1809.md | 6 +- .../whats-new-windows-10-version-1909.md | 4 +- .../whats-new-windows-11-version-22H2.md | 4 +- windows/whats-new/windows-licensing.md | 4 +- 24 files changed, 194 insertions(+), 194 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 4d3e1900ea..b341fb250c 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml 
@@ -70,7 +70,7 @@ productDirectory: - url: /windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines text: Windows security baselines - url: /windows/security/identity-protection/credential-guard/credential-guard-how-it-works - text: Windows Defender Credential Guard + text: Credential Guard - url: /windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust text: Windows Hello for Business cloud Kerberos trust - url: /windows/security/threat-protection/windows-defender-application-control diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index 89a10d9e0f..17cc685415 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md 
@@ -268,24 +268,24 @@ Value | Description #### SecurityServicesConfigured -This field indicates whether Windows Defender Credential Guard or memory integrity has been configured. +This field indicates whether Credential Guard or memory integrity has been configured. Value | Description -|- **0.** | No services are configured. -**1.** | If present, Windows Defender Credential Guard is configured. +**1.** | If present, Credential Guard is configured. **2.** | If present, memory integrity is configured. **3.** | If present, System Guard Secure Launch is configured. **4.** | If present, SMM Firmware Measurement is configured. #### SecurityServicesRunning -This field indicates whether Windows Defender Credential Guard or memory integrity is running. +This field indicates whether Credential Guard or memory integrity is running. Value | Description -|- **0.** | No services running. -**1.** | If present, Windows Defender Credential Guard is running. +**1.** | If present, Credential Guard is running. **2.** | If present, memory integrity is running. **3.** | If present, System Guard Secure Launch is running. **4.** | If present, SMM Firmware Measurement is running. diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 0749408f9c..9befe55b86 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md 
@@ -1,20 +1,20 @@ --- ms.date: 08/14/2023 title: Additional mitigations -description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. +description: Advice and sample code for making your domain environment more secure and robust with Credential Guard. ms.topic: article --- # Additional mitigations -Windows Defender Credential Guard offers mitigations against attacks on derived credentials, preventing the use of stolen credentials elsewhere. However, devices can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using stolen credentials prior to the enablement of Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. +Credential Guard offers mitigations against attacks on derived credentials, preventing the use of stolen credentials elsewhere. However, devices can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using stolen credentials prior to the enablement of Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. 
## Additional security qualifications -All devices that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.\ +All devices that meet baseline protections for hardware, firmware, and software can use Credential Guard.\ Devices that meet more qualifications can provide added protections to further reduce the attack surface. -The following table list qualifications for improved security. We recommend meeting the additional qualifications to strengthen the level of security that Windows Defender Credential Guard can provide. +The following table list qualifications for improved security. We recommend meeting the additional qualifications to strengthen the level of security that Credential Guard can provide. |Protection |Requirements|Security Benefits| |---|---|---| 
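Review bot: the added line `+The following table list qualifications for improved security.` carries over a subject-verb agreement error; since the line is rewritten anyway, make it `The following table lists qualifications for improved security.` In the same hunk, `additional mitigation also must be deployed to make the domain environment more robust` would read more naturally as `additional mitigations must also be deployed`.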
@@ -37,7 +37,7 @@ The following table list qualifications for improved security. We recommend meet ## Restrict domain users to specific domain-joined devices -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. ### Kerberos armoring 
@@ -46,11 +46,11 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, **To enable Kerberos armoring for restricting domain users to specific domain-joined devices** - Users need to be in domains that are running Windows Server 2012 R2 or higher - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. +- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. ### Protect domain-joined device secrets -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. 
Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: @@ -81,7 +81,7 @@ For example, let's say you wanted to use the High Assurance policy only on these 1. Under **Issuance Policies**, select **High Assurance** 1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box -Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created. +Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. **Enroll devices in a certificate** diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index e9e45daabd..14b312e0c7 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -1,6 +1,6 @@ --- -title: Configure Windows Defender Credential Guard -description: Learn how to configure Windows Defender Credential Guard using MDM, Group Policy, or the registry. +title: Configure Credential Guard +description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry. ms.date: 08/14/2023 ms.collection: - highpri 
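Review bot: the rewritten paragraph under `### Protect domain-joined device secrets` keeps the ungrammatical `This prevents shared secrets stolen from the device to be used with stolen user credentials`; use `from being used with` instead while the line is being touched. In the same @@ -46,11 hunk, `**Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**` still uses `->` between bold items whereas the earlier hunks in this PR standardize on the `**Certificate Templates > Manage**` style; `**Computer Configuration > Administrative Templates > System > Kerberos**` would match.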
@@ -8,14 +8,14 @@ ms.collection: ms.topic: how-to --- -# Configure Windows Defender Credential Guard +# Configure Credential Guard -This article describes how to configure Windows Defender Credential Guard using Microsoft Intune, Group Policy, or the registry. +This article describes how to configure Credential Guard using Microsoft Intune, Group Policy, or the registry. ## Default enablement -Starting in **Windows 11, version 22H2**, Windows Defender Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Gurad remotely, if needed.\ -If Windows Defender Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings. +Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Gurad remotely, if needed.\ +If Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings. While the default state of Credential Guard changed, system administrators can [enable](#enable-and-configure-windows-defender-credential-guard) or [disable](#disable-windows-defender-credential-guard) it using one of the methods described in this article. 
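Review bot: the added line beginning `+Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default` still contains the typo `disable Credential Gurad remotely`; fix it to `Credential Guard` while this line is being rewritten. The trailing context line `system administrators can [enable](#enable-and-configure-windows-defender-credential-guard) or [disable](#disable-windows-defender-credential-guard) it` also needs updating: this PR renames the target headings to `## Enable and configure Credential Guard` and `## Disable Credential Guard`, so their generated anchors become `#enable-and-configure-credential-guard` and `#disable-credential-guard` and both links will break as written.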
@@ -23,15 +23,15 @@ While the default state of Credential Guard changed, system administrators can [ > For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#single-sign-on-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). > [!NOTE] -> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Windows Defender Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Windows Defender Credential Guard. For example if Windows Defender Credential Guard was enabled on an Enterprise device that later downgraded to Pro. +> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro. > -> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Windows Defender Credential Guard only, without disabling VBS, use the procedures to [disable Windows Defender Credential Guard](#disable-windows-defender-credential-guard). +> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. 
In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](#disable-windows-defender-credential-guard). -## Enable and configure Windows Defender Credential Guard +## Enable and configure Credential Guard -Windows Defender Credential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the first time. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. +Credential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the first time. If Credential Guard is enabled after domain join, the user and device secrets may already be compromised. -To enable and configure Windows Defender Credential Guard, you can use: +To enable and configure Credential Guard, you can use: - Microsoft Intune/MDM - Group policy @@ -50,7 +50,7 @@ To enable and configure Windows Defender Credential Guard, you can use: | Device Guard | Credential Guard | Select one of the options:
     - **Enabled with UEFI lock**
     - **Enabled without lock** | >[!IMPORTANT] -> If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. +> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**. [!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] @@ -78,7 +78,7 @@ Once the policy is applied, restart the device. |Turn On Virtualization Based Security | **Enabled** and select one of the options listed under the **Credential Guard Configuration** dropdown:
     - **Enabled with UEFI lock**
     - **Enabled without lock**| >[!IMPORTANT] -> If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. +> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**. [!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] @@ -99,13 +99,13 @@ To configure devices using the registry, use the following settings: Restart the device to enable Credential Guard. > [!TIP] -> You can enable Windows Defender Credential Guard by setting the registry entries in the [*FirstLogonCommands*](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. +> You can enable Credential Guard by setting the registry entries in the [*FirstLogonCommands*](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. --- -### Verify if Windows Defender Credential Guard is running +### Verify if Credential Guard is running -Checking the task list or Task Manager if `LsaIso.exe` is running is not a recommended method for determining whether Windows Defender Credential Guard is running. Instead, use one of the following methods: +Checking the task list or Task Manager if `LsaIso.exe` is running is not a recommended method for determining whether Credential Guard is running. Instead, use one of the following methods: - System Information - PowerShell 
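Review bot: in the @@ -23,15 hunk the added note ends with `[disable Credential Guard](#disable-windows-defender-credential-guard)`, but the same hunk renames that section to `## Disable Credential Guard`, whose anchor is `#disable-credential-guard`; update the fragment (the `#disable-virtualization-based-security` link is fine because that heading is unchanged). `For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.` is also a sentence fragment on the added line; join it to the preceding sentence with a comma or introduce it with `for example, when`.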
@@ -129,12 +129,12 @@ You can use PowerShell to determine whether Credential Guard is running on a dev The command generates the following output: -- **0**: Windows Defender Credential Guard is disabled (not running) -- **1**: Windows Defender Credential Guard is enabled (running) +- **0**: Credential Guard is disabled (not running) +- **1**: Credential Guard is enabled (running) #### Event viewer -Perform regular reviews of the devices that have Windows Defender Credential Guard enabled, using security audit policies or WMI queries.\ +Perform regular reviews of the devices that have Credential Guard enabled, using security audit policies or WMI queries.\ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filter the event sources for *WinInit*: :::row::: @@ -151,7 +151,7 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte :::column-end::: :::column span="3"::: ```logging - Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + Credential Guard (LsaIso.exe) was started and will protect LSA credentials. ``` :::column-end::: :::row-end::: @@ -161,9 +161,9 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte :::column-end::: :::column span="3"::: ```logging - Windows Defender Credential Guard (LsaIso.exe) configuration: [**0x0** | **0x1** | **0x2**], **0** + Credential Guard (LsaIso.exe) configuration: [**0x0** | **0x1** | **0x2**], **0** ``` - - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. + - The first variable: **0x1** or **0x2** means that Credential Guard is configured to run. **0x0** means that it's not configured to run. - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. :::column-end::: :::row-end::: 
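Review bot: in the @@ -161,9 hunk the quoted event text `Credential Guard (LsaIso.exe) configuration: [**0x0** | **0x1** | **0x2**], **0**` sits inside a ```logging fence, so the `**` markers render literally rather than as bold; drop them inside the fence and keep the emphasis only in the bullet explanation that follows. Because these `logging` blocks quote actual WinInit event messages rather than documentation prose, the product-name change in them should be checked against the text the OS emits for those events instead of being applied as a global search-and-replace.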
@@ -173,8 +173,8 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte :::column-end::: :::column span="3"::: ```logging - Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; - continuing without Windows Defender Credential Guard. + Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; + continuing without Credential Guard. ``` :::column-end::: :::row-end::: @@ -184,7 +184,7 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte :::column-end::: :::column span="3"::: ```logging - Windows Defender Credential Guard (LsaIso.exe) failed to launch: [error code] + Credential Guard (LsaIso.exe) failed to launch: [error code] ``` :::column-end::: :::row-end::: @@ -194,7 +194,7 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte :::column-end::: :::column span="3"::: ```logging - Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: [error code] + Error reading Credential Guard (LsaIso.exe) UEFI configuration: [error code] ``` :::column-end::: :::row-end::: 
@@ -222,13 +222,13 @@ The following event indicates wether TPM is used for key protection. Path: `Appl If you're running with a TPM, the TPM PCR mask value will be something other than 0. -## Disable Windows Defender Credential Guard +## Disable Credential Guard -There are different options to disable Windows Defender Credential Guard. The option you choose depends on how Windows Defender Credential Guard is configured: +There are different options to disable Credential Guard. The option you choose depends on how Credential Guard is configured: -- Windows Defender Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine) -- If Windows Defender Credential Guard is enabled **with UEFI Lock**, follow the procedure described in [disable Windows Defender Credential Guard with UEFI Lock](#disable-credential-guard-with-uefi-lock) -- If Windows Defender Credential Guard is enabled **without UEFI Lock**, or as part of the automatic enablement in the Windows 11, version 22H2 update, use one of the following options to disable it: +- Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine) +- If Credential Guard is enabled **with UEFI Lock**, follow the procedure described in [disable Credential Guard with UEFI Lock](#disable-credential-guard-with-uefi-lock) +- If Credential Guard is enabled **without UEFI Lock**, or as part of the automatic enablement in the Windows 11, version 22H2 update, use one of the following options to disable it: - Microsoft Intune/MDM - Group policy - Registry 
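Review bot: the added bullet `+- Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine)` points at an anchor this PR also renames (the new heading `### Disable Credential Guard for a virtual machine` generates `#disable-credential-guard-for-a-virtual-machine`); update the fragment. Renaming `## Disable Credential Guard` in this hunk likewise changes its anchor to `#disable-credential-guard`, so every remaining `#disable-windows-defender-credential-guard` link in this file needs the same fix.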
@@ -239,7 +239,7 @@ There are different options to disable Windows Defender Credential Guard. The op ### Disable Credential Guard with Intune -If Windows Defender Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting will disable Windows Defender Credential Guard. +If Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting will disable Credential Guard. [!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] @@ -262,7 +262,7 @@ Once the policy is applied, restart the device. ### Disable Credential Guard with group policy -If Windows Defender Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting will disable Windows Defender Credential Guard. +If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting will disable Credential Guard. [!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] `Computer Configuration\Administrative Templates\System\Device Guard`: @@ -278,7 +278,7 @@ Once the policy is applied, restart the device. ### Disable Credential Guard with registry settings -If Windows Defender Credential Guard is enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard. +If Credential Guard is enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Credential Guard. 1. Change the following registry settings to 0: 
@@ -286,7 +286,7 @@ If Windows Defender Credential Guard is enabled without UEFI Lock and without Gr - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` > [!NOTE] - > Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0. + > Deleting these registry settings may not disable Credential Guard. They must be set to a value of 0. 1. Restart the device @@ -296,13 +296,13 @@ For information on disabling Virtualization-based Security (VBS), see [disable V ### Disable Credential Guard with UEFI lock -If Windows Defender Credential Guard is enabled with UEFI lock, follow this procedure since the settings are persisted in EFI (firmware) variables. +If Credential Guard is enabled with UEFI lock, follow this procedure since the settings are persisted in EFI (firmware) variables. > [!NOTE] > This scenario requires physical presence at the machine to press a function key to accept the change. -1. Follow the steps in [Disable Windows Defender Credential Guard](#disable-windows-defender-credential-guard) -1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: +1. Follow the steps in [Disable Credential Guard](#disable-windows-defender-credential-guard) +1. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: ```cmd mountvol X: /s @@ -317,7 +317,7 @@ If Windows Defender Credential Guard is enabled with UEFI lock, follow this proc 1. Restart the device. Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. The prompt must be confirmed for the changes to persist. -### Disable Windows Defender Credential Guard for a virtual machine +### Disable Credential Guard for a virtual machine From the host, you can disable Credential Guard for a virtual machine with the following command: 
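Review bot: `+1. Follow the steps in [Disable Credential Guard](#disable-windows-defender-credential-guard)` in the @@ -296,13 hunk uses the old heading anchor; with the section now titled `## Disable Credential Guard` the fragment should be `#disable-credential-guard`. Since the `bcdedit` steps that follow only work once the policy-based disable has taken effect, a broken link here leaves the reader without the prerequisite procedure.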
@@ -327,7 +327,7 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ## Disable Virtualization-based Security -If you disable Virtualization-based Security (VBS), you'll automatically disable Windows Defender Credential Guard and other features that rely on VBS. +If you disable Virtualization-based Security (VBS), you'll automatically disable Credential Guard and other features that rely on VBS. > [!IMPORTANT] > Other security features beside Credential Guard rely on VBS. Disabling VBS may have unintended side effects. @@ -388,7 +388,7 @@ Once the policy is applied, restart the device. --- -If Windows Defender Credential Guard is enabled with UEFI Lock, the EFI variables stored in firmware must be cleared using the command `bcdedit.exe`. From an elevated command prompt, run the following commands: +If Credential Guard is enabled with UEFI Lock, the EFI variables stored in firmware must be cleared using the command `bcdedit.exe`. From an elevated command prompt, run the following commands: ```cmd bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS @@ -397,8 +397,8 @@ bcdedit /set vsmlaunchtype off ## Next steps -- Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article -- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) +- Review the advices and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md) 
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md index f25934c035..511cb21186 100644 --- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md 
@@ -1,38 +1,38 @@ --- -ms.date: 08/14/2023 -title: Considerations and known issues when using Windows Defender Credential Guard -description: Considerations, recommendations and known issues when using Windows Defender Credential Guard. +ms.date: 08/16/2023 +title: Considerations and known issues when using Credential Guard +description: Considerations, recommendations and known issues when using Credential Guard. ms.topic: troubleshooting --- -# Considerations and known issues when using Windows Defender Credential Guard +# Considerations and known issues when using Credential Guard -It's recommended that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. +It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. ## Wi-fi and VPN considerations -When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\ +When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\ If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS). ## Kerberos considerations -When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. 
Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\ +When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\ Use constrained or resource-based Kerberos delegation instead. ## Third party Security Support Providers considerations -Some third party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\ -It's recommended that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. +Some third party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\ +It's recommended that custom implementations of SSPs/APs are tested with Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. 
For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package). ## Upgrade considerations -As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, new releases of Windows with Windows Defender Credential Guard running may affect scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. +As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. -Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. +Test scenarios required for operations in an organization before upgrading a device using Credential Guard. ## Saved Windows credentials considerations 
@@ -42,15 +42,15 @@ Test scenarios required for operations in an organization before upgrading a dev - Certificate-based credentials - Generic credentials -Domain credentials that are stored in *Credential Manager* are protected with Windows Defender Credential Guard. +Domain credentials that are stored in *Credential Manager* are protected with Credential Guard. Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. -The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: +The following considerations apply to the Credential Guard protections for Credential Manager: - Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed* - Applications that extract Windows credentials fail -- When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Windows Defender Credential Guard +- When credentials are backed up from a PC that has Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Credential Guard ## TPM clearing considerations 
@@ -105,29 +105,29 @@ When data protected with user DPAPI is unusable, then the user loses access to a ## Known issues -Windows Defender Credential Guard blocks certain authentication capabilities. Applications that require such capabilities won't function when Credential Guard is enabled. +Credential Guard blocks certain authentication capabilities. Applications that require such capabilities won't function when Credential Guard is enabled. -This article describes known issues when Windows Defender Credential Guard is enabled. +This article describes known issues when Credential Guard is enabled. ### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 -Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running. +Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running. #### Affected devices -Any device with Windows Defender Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Windows Defender Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements). +Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. 
This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements). -All Windows Pro devices that previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement. +All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement. > [!TIP] > To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. -> If it's' present, the device enables Windows Defender Credential Guard after the update. +> If it's' present, the device enables Credential Guard after the update. > -> You can Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-windows-defender-credential-guard). +> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-windows-defender-credential-guard). #### Cause of the issue -Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Windows Defender Credential Guard blocks them. Affected protocols include: +Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. 
Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include: - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) @@ -140,7 +140,7 @@ Applications and services are affected by the issue when they rely on insecure p #### How to confirm the issue -MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Windows Defender Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs: +MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs: :::row::: :::column span="1"::: 
@@ -187,14 +187,14 @@ MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, versio #### How to fix the issue -We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Windows Defender Credential Guard doesn't block certificate-based authentication. +We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Credential Guard doesn't block certificate-based authentication. -For a more immediate, but less secure fix, [disable Windows Defender Credential Guard](configure.md#disable-windows-defender-credential-guard). Windows Defender Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Windows Defender Credential Guard, you leave stored domain credentials vulnerable to theft. +For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-windows-defender-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft. > [!TIP] -> To prevent default enablement, configure your devices [to disable Windows Defender Credential Guard](configure.md#disable-windows-defender-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update. +> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-windows-defender-credential-guard) before updating to Windows 11, version 22H2. 
If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update. > -> If Windows Defender Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update. +> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update. ### Issues with third-party applications 
@@ -204,34 +204,34 @@ The following issue affects MSCHAPv2: The following issue affects the Java GSS API. See the following Oracle bug database article: -- [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) +- [JDK-8161921: Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) -When Windows Defender Credential Guard is enabled on Windows, the Java GSS API doesn't authenticate. Windows Defender Credential Guard blocks specific application authentication capabilities and doesn't provide the TGT session key to applications, regardless of registry key settings. For more information, see [Application requirements](index.md#application-requirements). +When Credential Guard is enabled on Windows, the Java GSS API doesn't authenticate. Credential Guard blocks specific application authentication capabilities and doesn't provide the TGT session key to applications, regardless of registry key settings. For more information, see [Application requirements](index.md#application-requirements). The following issue affects McAfee Application and Change Control (MACC): -- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) [Note 1](#bkmk_note1) +- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) [Note 1](#bkmk_note1) The following issue affects Citrix applications: -- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. 
[Note 1](#bkmk_note1) +- Windows machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled. [Note 1](#bkmk_note1) > [!NOTE] -> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). +> Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). > > For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes). 
#### Vendor support -The following products and services don't support Windows Defender Credential Guard : +The following products and services don't support Credential Guard : -- [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009) -- [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) +- [Support for Hypervisor-Protected Code Integrity and Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009) +- [Check Point Endpoint Security Client support for Microsoft Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) - [*VMware Workstation and Device/Credential Guard aren't compatible* error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361) -- [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039) -- [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) +- [ThinkPad support for Hypervisor-Protected Code Integrity and Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039) +- [Windows devices with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) >[!IMPORTANT] ->This list isn't comprehensive. 
Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run a specific version of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. +>This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Credential Guard on systems that run a specific version of Windows. Specific computer system models may be incompatible with Credential Guard. diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index ead51f619d..181b081369 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md 
@@ -1,13 +1,13 @@ --- -ms.date: 08/14/2023 -title: How Windows Defender Credential Guard works -description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. +ms.date: 08/16/2023 +title: How Credential Guard works +description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. ms.topic: conceptual --- -# How Windows Defender Credential Guard works +# How Credential Guard works -Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process `lsass.exe`. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets, `LSAIso.exe`. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process `lsass.exe`. With Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets, `LSAIso.exe`. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. 
All the binaries are signed with a certificate that VBS trusts, and the signatures are validated before launching the file in the protected environment. 
@@ -15,28 +15,28 @@ Here's a high-level overview on how the LSA is isolated by using Virtualization- :::image type="content" source="images/credguard.png" alt-text="Diagram of the Credential Guard architecture."::: -## Windows Defender Credential Guard protection limits +## Credential Guard protection limits -Some ways to store credentials aren't protected by Windows Defender Credential Guard, including: +Some ways to store credentials aren't protected by Credential Guard, including: - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts -- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS +- Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS - Key loggers - Physical attacks - Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization - Third-party security packages -- When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. 
However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols +- When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols > [!CAUTION] > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. - Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well - Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected -- When Windows Defender Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials -- When Windows Defender Credential Guard is enabled on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide protection from privileged system attacks originating from the host +- When Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials +- When Credential Guard is enabled on a VM, it protects secrets from attacks inside the VM. 
However, it doesn't provide protection from privileged system attacks originating from the host - Windows logon cached password verifiers (commonly called *cached credentials*) don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available ## Next steps -- Learn [how to configure Windows Defender Credential Guard](configure.md) -- Review the advice and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article -- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) +- Learn [how to configure Credential Guard](configure.md) +- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md) diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md index 6ae7c634da..07e12ae48d 100644 --- a/windows/security/identity-protection/credential-guard/index.md +++ b/windows/security/identity-protection/credential-guard/index.md 
@@ -1,6 +1,6 @@ --- -title: Windows Defender Credential Guard overview -description: Learn about Windows Defender Credential Guard and how it isolates secrets so that only privileged system software can access them. +title: Credential Guard overview +description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them. ms.date: 08/08/2023 ms.topic: overview ms.collection: 
@@ -8,34 +8,34 @@ ms.collection: - tier1 --- -# Windows Defender Credential Guard overview +# Credential Guard overview -Windows Defender Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. +Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. -Windows Defender Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like *pass the hash* and *pass the ticket*. +Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like *pass the hash* and *pass the ticket*. -When enabled, Windows Defender Credential Guard provides the following benefits: +When enabled, Credential Guard provides the following benefits: - **Hardware security**: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials - **Virtualization-based security**: NTLM, Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system - **Protection against advanced persistent threats**: when credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are blocked. 
Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS > [!NOTE] -> While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate other security strategies and architectures. +> While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate other security strategies and architectures. > [!IMPORTANT] -> Starting in Windows 11, version 22H2, VBS and Windows Defender Credential Guard are enabled by default on all devices that meet the system requirements.\ +> Starting in Windows 11, version 22H2, VBS and Credential Guard are enabled by default on all devices that meet the system requirements.\ > For information about known issues related to the default enablement of Credential Guard, see [Credential Guard: Known Issues](considerations-known-issues.md). ## System requirements -For Windows Defender Credential Guard to provide protection, the devices must meet certain hardware, firmware, and software requirements. +For Credential Guard to provide protection, the devices must meet certain hardware, firmware, and software requirements. Devices that meet more hardware and firmware qualifications than the minimum requirements, receive additional protections and are more hardened against certain threats. ### Hardware and software requirements -Windows Defender Credential Guard requires the features: +Credential Guard requires the features: - Virtualization-based security (VBS) >[!NOTE] 
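Review bot: the rewritten line `+Credential Guard requires the features:` reads as though a word dropped out; since the line is already being touched, suggest `Credential Guard requires the following features:`. The unchanged context line `Devices that meet more hardware and firmware qualifications than the minimum requirements, receive additional protections ...` also has a stray comma between subject and verb that could be dropped in the same pass.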
@@ -49,11 +49,11 @@ While not required, the following features are recommended to provide additional For detailed information on protections for improved security that are associated with hardware and firmware options, see [additional security qualifications](additional-mitigations.md#additional-security-qualifications). -#### Windows Defender Credential Guard in virtual machines +#### Credential Guard in virtual machines Credential Guard can protect secrets in Hyper-V virtual machines, just as it would on a physical machine. When Credential Guard is enabled on a VM, secrets are protected from attacks *inside* the VM. Credential Guard doesn't provide protection from privileged system attacks originating from the host. -The requirements to run Windows Defender Credential Guard in Hyper-V virtual machines are: +The requirements to run Credential Guard in Hyper-V virtual machines are: - The Hyper-V host must have an IOMMU - The Hyper-V virtual machine must be generation 2 
@@ -65,16 +65,16 @@ The requirements to run Windows Defender Credential Guard in Hyper-V virtual mac ## Application requirements -When Windows Defender Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as *application requirements*. +When Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as *application requirements*. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. > [!WARNING] -> Enabling Windows Defender Credential Guard on domain controllers isn't recommended. -> Windows Defender Credential Guard doesn't provide any added security to domain controllers, and can cause application compatibility issues on domain controllers. +> Enabling Credential Guard on domain controllers isn't recommended. +> Credential Guard doesn't provide any added security to domain controllers, and can cause application compatibility issues on domain controllers. > [!NOTE] -> Windows Defender Credential Guard doesn't provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). +> Credential Guard doesn't provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). Applications break if they require: 
@@ -89,13 +89,13 @@ Applications prompt and expose credentials to risk if they require: - Credential delegation - MS-CHAPv2 -Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process `LSAIso.exe`. +Applications may cause performance issues when they attempt to hook the isolated Credential Guard process `LSAIso.exe`. -Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Windows Defender Credential Guard. +Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard. ## Next steps -- Learn [how Windows Defender Credential Guard works](how-it-works.md) -- Learn [how to configure Windows Defender Credential Guard](configure.md) -- Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article -- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) \ No newline at end of file +- Learn [how Credential Guard works](how-it-works.md) +- Learn [how to configure Credential Guard](configure.md) +- Review the advices and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 35b4058caa..aef79952c9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md 
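Review bot: `Review the advices and sample code for making your environment more secure ...` in the Next steps list is ungrammatical on both the removed and the added line; since the line is being rewritten anyway, suggest `Review the advice and sample code ...`. The same file still ends with `\ No newline at end of file` on both sides; adding the trailing newline here would keep later diffs of this file clean.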
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -42,7 +42,7 @@ The trust model determines how you want users to authenticate to the on-premises - The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!Note] -> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../remote-credential-guard.md). Following are the various deployment guides and models included in this topic: diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 04b493aa73..ca9a3ac20d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
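Review bot: the rewritten note line keeps `Windows Hello for Business Key Trust` with capital letters, while the FAQ, planning guide and index hunks in this same patch write the term as lowercase `key trust`; suggest lowercasing it here so the rename pass leaves one consistent spelling.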
@@ -257,4 +257,4 @@ sections: In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle. - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. + Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 736e333462..14583e1619 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md 
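Review bot: the rewritten FAQ answer still reads `key trust can be also used with RDP with [Remote Credential Guard]`; suggest `key trust can also be used with RDP through [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates` to fix the word order and avoid the doubled `with`.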
@@ -14,7 +14,7 @@ ms.collection: - Hybrid and On-premises Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices -Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection. +Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection. Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release. diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 3363f0ae55..fc229d2af2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
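Review bot: the unchanged context line `Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release.` has a typo (`keys trust` should be `key trust`) and a clumsy `supporting using`; since the paragraph directly above is being rewritten, it is worth folding `continues to investigate support for key trust as a supplied credential` into this change.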
@@ -88,7 +88,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] -> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md). #### Device registration diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md index 84acf6b19c..d5d2188aa1 100644 --- a/windows/security/identity-protection/hello-for-business/index.md +++ b/windows/security/identity-protection/hello-for-business/index.md 
@@ -91,7 +91,7 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md). Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. -Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Remote Credential Guard](../remote-credential-guard.md). ## Learn more diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 41748c9408..3b66d57d4c 100644 
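Review bot: on the rewritten index.md line, `self signed certificate` and `certificate based deployments` should be hyphenated (`self-signed`, `certificate-based`) to match the style used elsewhere in this docs set; the rest of the sentence is fine as rewritten.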
--- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -1,6 +1,6 @@ --- -title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard -description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. +title: Protect Remote Desktop credentials with Remote Credential Guard +description: Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. ms.collection: - highpri - tier2 
@@ -13,30 +13,30 @@ appliesto: - ✅ Windows Server 2019 - ✅ Windows Server 2016 --- -# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard +# Protect Remote Desktop credentials with Remote Credential Guard -Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. +Introduced in Windows 10, version 1607, Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. -Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. +Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. > [!IMPORTANT] > For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article. 
-## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options +## Comparing Remote Credential Guard with other Remote Desktop connection options -The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: +The following diagram helps you to understand how a standard Remote Desktop session to a server without Remote Credential Guard works: -![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) +![RDP connection to a server without Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) -The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: +The following diagram helps you to understand how Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: -![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) +![Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) -As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. +As illustrated, Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. 
Use the following table to compare different Remote Desktop connection security options: -| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | +| Feature | Remote Desktop | Remote Credential Guard | Restricted Admin mode | |--|--|--|--| | **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server | | **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

    For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). | 
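Review bot: the rewritten image alt text `![RDP connection to a server without Remote Credential Guard.png.]` still carries a stray `.png.` copied from the filename; suggest `![RDP connection to a server without Remote Credential Guard.]` so screen readers do not announce the extension. Note also that renaming the heading to `## Comparing Remote Credential Guard with other Remote Desktop connection options` changes the generated anchor, so any in-page link to the old `#comparing-windows-defender-...` fragment needs updating in the same commit.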
@@ -52,7 +52,7 @@ and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/c ## Remote Desktop connections and helpdesk support scenarios -For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects. +For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects. Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf). 
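Review bot: the rewritten helpdesk paragraph states that an attacker on a compromised client `could use that open channel to create sessions on the user's behalf ... for a limited time (a few hours) after the session disconnects`, but the comparison table earlier in the same file says an attacker `can act on behalf of the user *only* when the session is ongoing` and that Remote Credential Guard `prevents use of credentials after disconnection`. Since both passages are being touched by this rename, the wording should be reconciled (for example, by stating in the table that tickets already issued to the remote host remain valid until they expire) so readers get one consistent description of the post-disconnect exposure.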
@@ -64,14 +64,14 @@ For further information on LAPS, see [Microsoft Security Advisory 3062591](https ## Remote Credential Guard requirements -To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements: +To use Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements: The Remote Desktop client device: - Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine - Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host -- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard -- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk +- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Remote Credential Guard +- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk The Remote Desktop remote host: 
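Review bot: the unchanged context bullet `Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device` has a number-agreement error (`which are sent`); the neighbouring bullets in this list are being rewritten, so the fix belongs in the same change.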
@@ -80,27 +80,27 @@ The Remote Desktop remote host: - Must allow the client's domain user to access Remote Desktop connections. - Must allow delegation of non-exportable credentials. -There are no hardware requirements for Windows Defender Remote Credential Guard. +There are no hardware requirements for Remote Credential Guard. > [!NOTE] > Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain. > > GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials. -- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication. +- For Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication. - The remote host must be running at least Windows 10 version 1607, or Windows Server 2016. -- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard. +- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard. -## Enable Windows Defender Remote Credential Guard +## Enable Remote Credential Guard -You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry. +You must enable Restricted Admin or Remote Credential Guard on the remote host by using the Registry. 1. Open Registry Editor on the remote host -1. 
Enable Restricted Admin and Windows Defender Remote Credential Guard: +1. Enable Restricted Admin and Remote Credential Guard: - Go to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa` - Add a new DWORD value named **DisableRestrictedAdmin** - - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 + - To turn on Restricted Admin and Remote Credential Guard, set the value of this registry setting to 0 1. Close Registry Editor 
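Review bot: the three bullets rewritten after the NOTE block (`For Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.`, `The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.` and `The Remote Desktop classic Windows app is required. ...`) restate requirements already listed under `The Remote Desktop client device:` and `The Remote Desktop remote host:` in the previous hunk, and they sit outside either list. Suggest dropping them or merging them into the lists above so the requirements are stated once.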
@@ -110,32 +110,32 @@ You can add this by running the following command from an elevated command promp reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD ``` -## Using Windows Defender Remote Credential Guard +## Using Remote Credential Guard -Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection. +Beginning with Windows 10 version 1703, you can enable Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection. -### Turn on Windows Defender Remote Credential Guard by using Group Policy +### Turn on Remote Credential Guard by using Group Policy 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation** 1. Double-click **Restrict delegation of credentials to remote servers** - ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png) + ![Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png) 1. Under **Use the following restricted mode**: - - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used + - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Remote Credential Guard, choose **Restrict Credential Delegation**. 
In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used > [!NOTE] - > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. - > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. + > Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Remote Credential Guard. - - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic. - - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. + - If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic. + - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. 
For information about Restricted Admin mode, see the table in [Comparing Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. 1. Click **OK** 1. Close the Group Policy Management Console 1. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied -### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection +### Use Remote Credential Guard with a parameter to Remote Desktop Connection -If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection. +If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection. ```cmd mstsc.exe /remoteGuard 
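Review bot: the rewritten link `[Comparing Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options)` still targets the old anchor, but the heading was renamed earlier in this patch to `## Comparing Remote Credential Guard with other Remote Desktop connection options`, so the fragment must become `#comparing-remote-credential-guard-with-other-remote-desktop-connection-options` or the in-page link breaks. The `[requirements](#remote-credential-guard-requirements)` link in the same hunk is unaffected because that heading never carried the `Windows Defender` prefix.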
@@ -144,10 +144,10 @@ mstsc.exe /remoteGuard > [!NOTE] > The user must be authorized to connect to the remote server using Remote Desktop Protocol, for example by being a member of the Remote Desktop Users local group on the remote computer. -## Considerations when using Windows Defender Remote Credential Guard +## Considerations when using Remote Credential Guard -- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied -- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory +- Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied +- Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory - Remote Desktop Credential Guard only works with the RDP protocol - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own - The server and client must authenticate using Kerberos diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml index d8e6726e39..bea00f969e 100644 --- a/windows/security/identity-protection/toc.yml +++ b/windows/security/identity-protection/toc.yml 
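Review bot: the unchanged context bullet `- Remote Desktop Credential Guard only works with the RDP protocol` uses yet another name for the feature; since every other bullet in this list is being renamed to `Remote Credential Guard`, this one should be updated to match (and `RDP protocol` is redundant: `only works with RDP`).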
@@ -33,9 +33,9 @@ items: - name: Access Control href: access-control/access-control.md displayName: ACL/SACL - - name: Windows Defender Credential Guard + - name: Credential Guard href: credential-guard/toc.yml - - name: Windows Defender Remote Credential Guard + - name: Remote Credential Guard href: remote-credential-guard.md - name: LSA Protection href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md index 9defb85584..881fdf7b3b 100644 --- a/windows/security/includes/sections/identity.md +++ b/windows/security/includes/sections/identity.md 
@@ -24,5 +24,5 @@ ms.topic: include | **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. | | **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. | | **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.

    Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. | -| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

    By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. | -| **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.

    Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. | +| **[Credential Guard](/windows/security/identity-protection/credential-guard)** | Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

    By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. | +| **[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.

    Administrator credentials are highly privileged and must be protected. When you use Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. | diff --git a/windows/security/index.yml b/windows/security/index.yml index f2bdfb4f6c..fcc48a3bac 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -74,7 +74,7 @@ productDirectory: - url: /windows/security/identity-protection/hello-for-business text: Windows Hello for Business - url: /windows/security/identity-protection/credential-guard/credential-guard - text: Windows Defender Credential Guard + text: Credential Guard - url: /windows-server/identity/laps/laps-overview text: Windows LAPS (Local Administrator Password Solution) - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection diff --git a/windows/security/introduction.md b/windows/security/introduction.md index 3de33d18b7..da173743cd 100644 --- a/windows/security/introduction.md +++ b/windows/security/introduction.md 
@@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d ### Secured identities -Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. +Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. 
### Connecting to cloud services diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index b2c710d264..99cf0f87aa 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
@@ -208,14 +208,14 @@ Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joi For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) -#### Windows Defender Credential Guard +#### Credential Guard -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. +Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. +Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. > [!NOTE] -> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. +> Credential Guard is available only to S mode devices or Enterprise and Education Editions. 
For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 48b3e3b651..f9e49913b4 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -149,9 +149,9 @@ Windows Hello enhancements include: ### Credential protection -#### Windows Defender Credential Guard +#### Credential Guard -[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. +[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. ### Privacy controls diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 55b211215b..4f608c1dd6 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md 
@@ -80,7 +80,7 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c ## Security >[!NOTE] ->Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Firewall. +>Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Credential Guard, and Windows Defender Firewall. **Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index b617d899f5..ad971e7d6a 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md 
@@ -141,11 +141,11 @@ You can add specific rules for a WSL process in Windows Defender Firewall, just We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](/microsoft-edge/deploy/change-history-for-microsoft-edge). -### Windows Defender Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined +### Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. +Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. +Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. 
This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. ### Windows 10 Pro S Mode requires a network connection diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index c0202f98fe..d40de13c9d 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -41,9 +41,9 @@ If you're using Windows Update for Business, you'll receive the Windows 10, vers ## Security -### Windows Defender Credential Guard +### Credential Guard -[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. +[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. ### Microsoft BitLocker diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md index 4e91dc9a19..b09c1ab588 100644 --- a/windows/whats-new/whats-new-windows-11-version-22H2.md +++ b/windows/whats-new/whats-new-windows-11-version-22H2.md 
@@ -50,9 +50,9 @@ For more information, see [Smart App Control](/windows/security/threat-protectio ## Credential Guard -Compatible Windows 11 Enterprise version 22H2 devices will have **Windows Defender Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. +Compatible Windows 11 Enterprise version 22H2 devices will have **Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. -For more information, see [Manage Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage). +For more information, see [Manage Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage). ## Malicious and vulnerable driver blocking diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md index 3a56385d67..14e4a16dfe 100644 --- a/windows/whats-new/windows-licensing.md +++ b/windows/whats-new/windows-licensing.md 
@@ -67,7 +67,7 @@ The following table describes the unique Windows Enterprise edition features: | OS-based feature | Description | |-|-| -|**[Windows Defender Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.| +|**[Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.| |**[Managed Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.| |**[Modern BitLocker Management][WIN-2]** | Allows you to eliminate on-premises tools to monitor and support BitLocker recovery scenarios. | |**[Personal Data Encryption][WIN-3]**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials.| @@ -141,7 +141,7 @@ The following table lists the Windows 11 Enterprise features and their Windows e | OS-based feature |Windows Pro|Windows Enterprise| |-|-|-| -|**[Windows Defender Credential Guard][WIN-1]**|❌|Yes| +|**[Credential Guard][WIN-1]**|❌|Yes| |**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes| |**[Modern BitLocker Management][WIN-2]**|Yes|Yes| |**[Personal data encryption (PDE)][WIN-3]**|❌|Yes| From 5dd50a002b3c23ec646b9297fe92c42e63c94722 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Aug 2023 08:18:59 -0400 Subject: [PATCH 038/156] updates --- .../credential-guard/additional-mitigations.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 9befe55b86..e94b2d4cec 100644 
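Review bot: In the `windows/security/includes/sections/identity.md` hunk the rename is incomplete in the new `**[Remote Credential Guard]**` row: its description still opens with "Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection" (old brand, and "Window" is missing its "s"). Suggest "Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection." so the row matches the name used everywhere else in this patch.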
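Review bot: In the `@@ -144,10 +144,10 @@` hunk of `remote-credential-guard.md`, the unchanged bullet "Remote Desktop Credential Guard only works with the RDP protocol" introduces a third variant of the feature name while the two bullets above it are being renamed to "Remote Credential Guard". Since the list is being edited anyway, rename this bullet as well so the considerations list uses one name throughout.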
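Review bot: In the `whats-new-windows-10-version-1709.md` hunk the edited note now contradicts itself: it states that Windows security features "have been rebranded as Windows Defender security features" and then lists "Credential Guard" without the prefix, while Windows Defender Device Guard and Windows Defender Firewall keep theirs. This is a historical what's-new note describing the 1709 naming, so it is better to leave it as "Windows Defender Credential Guard" or to reword it to say the name has since changed, rather than applying the global rename to a sentence whose point is the old brand.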
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -1,8 +1,8 @@ --- ms.date: 08/14/2023 title: Additional mitigations -description: Advice and sample code for making your domain environment more secure and robust with Credential Guard. -ms.topic: article +description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code. +ms.topic: reference --- # Additional mitigations 
@@ -41,9 +41,10 @@ Credential theft attacks allow the attacker to steal secrets from one device and ### Kerberos armoring -Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. +Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. + +To enable Kerberos armoring for restricting domain users to specific domain-joined devices: -**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** - Users need to be in domains that are running Windows Server 2012 R2 or higher - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. - All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. @@ -86,6 +87,7 @@ Then on the devices that are running Credential Guard, enroll the devices using **Enroll devices in a certificate** Run the following command: + ```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` From 2e8a09102ac9ae8605b9738b807fc96b3556b484 Mon Sep 17 00:00:00 2001 
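Review bot: In the Kerberos armoring hunk of `additional-mitigations.md`, the paragraph is removed and re-added without any wording change, so the run-on sentence survives: "signed KDC errors this mitigates tampering which can result in things such as downgrade attacks". Since the line is being touched anyway, suggest "Kerberos armoring also provides signed KDC errors, which mitigates tampering that can lead to downgrade attacks." Turning the bold pseudo-heading into the sentence "To enable Kerberos armoring for restricting domain users to specific domain-joined devices:" is fine, and the bullet list that follows now reads as the steps of that sentence.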
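Review bot: In the `@@ -86,6 +87,7 @@` hunk only a blank line is added before the ```powershell fence, while the bold pseudo-heading "**Enroll devices in a certificate**" above "Run the following command:" is left as is. For consistency with the armoring section in the same patch, where the bold line was converted to a plain lead-in sentence ending in a colon, apply the same treatment here, for example "To enroll devices in a certificate, run the following command:" followed by the fenced `CertReq -EnrollCredGuardCert MachineAuthentication` block.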
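Review bot: In the front-matter hunk, `ms.topic` changes from `article` to `reference`, but the page consists of procedures ("To enable Kerberos armoring for restricting domain users to specific domain-joined devices:", "Run the following command:"), which is how-to content rather than reference material. Please confirm `reference` is the intended topic type for this page; the new description ("Learn how to improve the security of your domain environment...") itself reads like a how-to.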
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Aug 2023 08:29:18 -0400 Subject: [PATCH 039/156] updates --- includes/licensing/_edition-requirements.md | 4 ++-- includes/licensing/_licensing-requirements.md | 4 ++-- ...s-defender-credential-guard.md => credential-guard.md} | 0 ...ote-credential-guard.md => remote-credential-guard.md} | 0 .../identity-protection/credential-guard/configure.md | 8 ++++---- .../credential-guard/considerations-known-issues.md | 6 +++--- .../identity-protection/credential-guard/index.md | 2 +- .../identity-protection/remote-credential-guard.md | 4 ++-- 8 files changed, 14 insertions(+), 14 deletions(-) rename includes/licensing/{windows-defender-credential-guard.md => credential-guard.md} (100%) rename includes/licensing/{windows-defender-remote-credential-guard.md => remote-credential-guard.md} (100%) diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md index e803e8009d..d64cd242d4 100644 --- a/includes/licensing/_edition-requirements.md +++ b/includes/licensing/_edition-requirements.md @@ -21,6 +21,7 @@ ms.topic: include |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes| |**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes| |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes| +|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes| |**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes| |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes| |**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes| 
@@ -53,6 +54,7 @@ ms.topic: include |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes| |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes| +|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes| |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes| |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes| |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes| @@ -75,8 +77,6 @@ ms.topic: include |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes| |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| -|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes| -|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes| |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md index 28ea87e8e0..d9d793ad2b 100644 --- a/includes/licensing/_licensing-requirements.md +++ b/includes/licensing/_licensing-requirements.md 
@@ -21,6 +21,7 @@ ms.topic: include |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes| |**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes| |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes| +|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes| |**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes| |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes| |**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes| @@ -53,6 +54,7 @@ ms.topic: include |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes| |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes| +|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes| |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes| |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes| |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes| 
@@ -75,8 +77,6 @@ ms.topic: include |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌| |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| -|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes| -|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/windows-defender-credential-guard.md b/includes/licensing/credential-guard.md similarity index 100% rename from includes/licensing/windows-defender-credential-guard.md rename to includes/licensing/credential-guard.md diff --git a/includes/licensing/windows-defender-remote-credential-guard.md b/includes/licensing/remote-credential-guard.md similarity index 100% rename from includes/licensing/windows-defender-remote-credential-guard.md rename to includes/licensing/remote-credential-guard.md diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index 14b312e0c7..bd802dfe80 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md 
@@ -17,7 +17,7 @@ This article describes how to configure Credential Guard using Microsoft Intune, Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Gurad remotely, if needed.\ If Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings. -While the default state of Credential Guard changed, system administrators can [enable](#enable-and-configure-windows-defender-credential-guard) or [disable](#disable-windows-defender-credential-guard) it using one of the methods described in this article. +While the default state of Credential Guard changed, system administrators can [enable](#enable-and-configure-credential-guard) or [disable](#disable-credential-guard) it using one of the methods described in this article. > [!IMPORTANT] > For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#single-sign-on-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). 
@@ -25,7 +25,7 @@ While the default state of Credential Guard changed, system administrators can [ > [!NOTE] > Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro. > -> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](#disable-windows-defender-credential-guard). +> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](#disable-credential-guard). ## Enable and configure Credential Guard 
@@ -226,7 +226,7 @@ If you're running with a TPM, the TPM PCR mask value will be something other tha There are different options to disable Credential Guard. The option you choose depends on how Credential Guard is configured: -- Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine) +- Credential Guard running in a virtual machine can be [disabled by the host](#disable-credential-guard-for-a-virtual-machine) - If Credential Guard is enabled **with UEFI Lock**, follow the procedure described in [disable Credential Guard with UEFI Lock](#disable-credential-guard-with-uefi-lock) - If Credential Guard is enabled **without UEFI Lock**, or as part of the automatic enablement in the Windows 11, version 22H2 update, use one of the following options to disable it: - Microsoft Intune/MDM @@ -301,7 +301,7 @@ If Credential Guard is enabled with UEFI lock, follow this procedure since the s > [!NOTE] > This scenario requires physical presence at the machine to press a function key to accept the change. -1. Follow the steps in [Disable Credential Guard](#disable-windows-defender-credential-guard) +1. Follow the steps in [Disable Credential Guard](#disable-credential-guard) 1. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: ```cmd diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md index 511cb21186..f8bc11b54b 100644 --- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md 
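Review bot: in the `-301` hunk, step 1 links only to the generic [Disable Credential Guard] section, which (per the `-226` hunk above) lists several alternative methods; say which of those the UEFI-lock procedure expects, so a reader does not complete one option there and skip the bcdedit step that follows. The `[!NOTE]` about physical presence should also state at which point the function-key prompt is presented, since the visible step text ends at the elevated command prompt and gives no cue about when the acceptance happens.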
@@ -123,7 +123,7 @@ All Windows Pro devices that previously ran Credential Guard on an eligible lice > To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. > If it's' present, the device enables Credential Guard after the update. > -> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-windows-defender-credential-guard). +> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard). #### Cause of the issue 
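Review bot: the changed line in this hunk carries a grammatical error that the rename did not fix: "You can Credential Guard can be disabled after upgrade" should read "Credential Guard can be disabled after the upgrade" (or "You can disable Credential Guard after the upgrade"). The context line two above in the same `[!NOTE]` has a stray apostrophe, "If it's' present", which should be "If it's present".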
@@ -189,10 +189,10 @@ MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, versio We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Credential Guard doesn't block certificate-based authentication. -For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-windows-defender-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft. +For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft. > [!TIP] -> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-windows-defender-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update. +> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update. > > If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update. diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md index 07e12ae48d..7b4a51586d 100644 
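Review bot: the changed `[!TIP]` line has a subject-verb mismatch: "the device automatically enable Credential Guard" should be "the device automatically enables Credential Guard". While here, "If the setting is not configured (which is the default state) and if the device is eligible" reads better without the second "if". The target `configure.md#disable-credential-guard` is consistent with the heading rename in configure.md.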
--- a/windows/security/identity-protection/credential-guard/index.md +++ b/windows/security/identity-protection/credential-guard/index.md @@ -61,7 +61,7 @@ The requirements to run Credential Guard in Hyper-V virtual machines are: > [!NOTE] > Credential Guard is not supported on Hyper-V or Azure generation 1 VMs. Credential Guard is available on generation 2 VMs only. -[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)] +[!INCLUDE [credential-guard](../../../../includes/licensing/credential-guard.md)] ## Application requirements diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 3b66d57d4c..0bc1b6fb42 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -60,7 +60,7 @@ To further harden security, we also recommend that you implement Local Administr For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx). -[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)] +[!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)] ## Remote Credential Guard requirements 
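Review bot: both hunks on this line only re-point `[!INCLUDE]` directives to `includes/licensing/credential-guard.md` and `includes/licensing/remote-credential-guard.md`; the renamed include files are not visible in this diff, so confirm the renames (or the new files) land in the same change, otherwise index.md and remote-credential-guard.md fail to build on a missing include. Separately, the unchanged context in the remote-credential-guard.md hunk still sends readers to the old TechNet advisory URL for LAPS (`https://technet.microsoft.com/library/security/3062591.aspx`), while the landing-page hunk in PATCH 040 below links `/windows-server/identity/laps/laps-overview`; pointing both at the current LAPS page would be consistent.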
@@ -127,7 +127,7 @@ Beginning with Windows 10 version 1703, you can enable Remote Credential Guard o > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Remote Credential Guard. - If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic. - - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. + - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. 1. Click **OK** 1. Close the Group Policy Management Console From 45bd785900fe37b9d5f0e1f464967d4c7257afd5 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Aug 2023 09:18:50 -0400 Subject: [PATCH 040/156] update --- windows/security/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index fcc48a3bac..963c96d66e 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml 
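Review bot: the new fragment `#comparing-remote-credential-guard-with-other-remote-desktop-connection-options` stops resolving once PATCH 041 (later in this series) renames the heading to `## Compare Remote Credential Guard with other Remote Desktop connection options`; the anchor generated for that heading is `#compare-remote-credential-guard-with-other-remote-desktop-connection-options`. Update this link in PATCH 041 together with the heading so the in-article reference does not go dead.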
@@ -73,7 +73,7 @@ productDirectory: links: - url: /windows/security/identity-protection/hello-for-business text: Windows Hello for Business - - url: /windows/security/identity-protection/credential-guard/credential-guard + - url: /windows/security/identity-protection/credential-guard text: Credential Guard - url: /windows-server/identity/laps/laps-overview text: Windows LAPS (Local Administrator Password Solution) From b82c320950b880f3e6c77c033debfed1e28744c3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Aug 2023 10:59:10 -0400 Subject: [PATCH 041/156] updates --- ...ndows-defender-remote-credential-guard.png | Bin 15225 -> 0 bytes .../remote-credential-guard.md | 141 +++++++++--------- windows/security/identity-protection/toc.yml | 2 +- 3 files changed, 72 insertions(+), 71 deletions(-) delete mode 100644 windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png 
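Review bot: changing the landing-page URL from `/windows/security/identity-protection/credential-guard/credential-guard` to `/windows/security/identity-protection/credential-guard` drops the old path, and the diffstat for this commit shows only `windows/security/index.yml` touched; anyone holding the old URL (bookmarks, external links, search results) gets a 404 unless a redirect from the old path to the new index page is added somewhere in the series.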
diff --git a/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png b/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png deleted file mode 100644 index f7767ac5f0dd612bcdac44338ef6dd5ad45c8e45..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15225 zcmd73cTkhh7cU&KAc`Q00@9QYp`#RO7J8Q+st5s*-g{A`H|ZUuONW4zP$C^d6Oi7d zgbtwyAq2?#`2Ajf@BQOeX> zDRmI&DnAHxMeHU4P!r#FpAq;+WG@GC0)a?6{{CG_0FzJym4wdn%F=|3H>nJ5(LnXhztuV>j<%Mz7N8&0tHD4W;lICkaWsX3j_?6nm(5<=+1NmBok7R_ zi3p(X#@}X|md@5t(6`+YRsaZ)ywpog_w=1Pk8~QBl#~6!V$TAvL8aIRe)-2lL5JhP zS00T`>d-zsd6;6q62}3(OUh9djru&mo_NRMcp&yH^#ty9t!qpoq;JKMaPHV+_D?&Q;uDOP>iT5bHiEzz&Lxm&dc-Ge^=iy0D$eol2yG%P z#tDAS8qG8wEj3A*|Jf$g@5`*12eE*RB1NmWJbV}CnNqrv;uxA*7wvF~g@;=e@%Oyk z#9l*IbT50|FEMO1BgN#VV|Y3X@KJy8)J zZMPmuMwa>AV8NuF#UEi5;l5=NCND3TR{_k3?#T!=JdZMt$qkKE)AsDG zO;n&j<{5)apbsQVByB2E-b9J4(Jj0~XcL$>a;>IECg##CJSJKFVz91joqV8rXgCq0 z?BwbVi%jgpfxBBBycENi`k0eQ7iYW0lIrAZ2WHxdCmYD__@Pu;l_XV1#t*TVSRh|k!nmeZ ztw#*CMdg{IuM-_@Z*c4!O0Hqy92L9#yX6?t<+Uv9le@$7t)=r%#R!=y#%}aZDeZ)6l|xCV|QKL zT=i$^sHjttCAZua$VMCZ;_eBE$aPuJE>tZ;aW736X5wkENc^= zPetx$R5a1rkA%+i@}I;%<4%Pxodwl)U<%+O86xf{PR;o zi=QI=bk25QN~`z$JfT4H5HT?z3LBhH zX5|_B;MvubU7Z#eZ2DXfUMcbT`V@l`q}lrzHoz>Wou#SmImGeN8e?N&T(Oqvc8SG6 z&WWSE@5hlcOFo#FY37ck7iUny(}2759j7Py_#1Ue#TxOE)I!{b@TYiM#;npIRS?Mk zOl>T>KgwphrgyX&3fPA@LMRnb&Fa1$?^hq(o&*B9)Bp1z^9AGv2=tpM{%@=QUw-Li z@K3zN;(v3TzroG~{@~qa%>1juFByG2h^C+HfJ+rI^^Y&`ww5@*w7RkHuoqt8+?}VPua?*f)EBF6*bS5lQwcpWR@uvoy zki7g(c1;2nzlUM+kLY^uzKB^$N(QNqKIOU>nun`?d@B-nr9#llu&;f1vrdw?sNv--?!et|U^;r_M5n4V92{M|#ez1d!iv zyu^YA(v!n`}L}{T3j2Got2vhLoSdPfuF;hq8 zbAfn%&+>z&dXH!3mQJ|?2Vx2pQcld?RU1Ft;!?G_>F<1tSO0jkq@vug(G{~hx4gWJ zMT^UReDQX^$;0@hjY36u@$;)Sg1m$wM(wH0mEGU+`>WX_cU~b;fzP!T_RUTPuBiPw zFidRTYr8Fp?NvRPEeh!B?yj?2Xz{@v+j%cj_a$uc}2Hi0juntqo2tUtkN@p$|M%9#dR=tSzp!8SdWM*$Gs>VXyxR 
zYVH{8)fW31wLzEmSve}JNw00_Ufhfxo~l3*!Yr$TZTw6VCqLB~Sqp0V`UTOkorQR+ zDe~Q)$gIS5sH6%;%xr26IE2ocQXD|}E96mid7PsB-10`5yAJTchchhnM}3nqo!4MU zq$ij#PQLD^r#^_T<2pZY(e;4V?Ck9I<;6u4Ev>5`UzlhRfRywM9$$^q`?L0gmcnr1 zIKeOcoCx&drCMU^RxNrXY#pxH+P+vBLY!eg{byb zp&)+(ju?%LXuIMQDaE6a6fKRbdQSOv!^O0LgEv)*)1NQzL{*^|5R0pdLq9cH@m!1l z=n=5AciL}WBLI{I=-?E#U1|BzPb7OWFR}O)D**+2nC6i1%FeN&t){uw-?A+U@^1q# z1tcFmXrWK%UmiXrDPT#XiQl9OmRjqd#a#y(#Ma&3SDgl5tZBf*F%QwdDeP7~x?Z4O zRt+W&q^Y+YYzJ(D!x-^ayB9WWub53nFFum7M;p27h7P8jZ=F+L%x#ExZvH5~#6lo1 zexC#HA@_KZZobnCs)>oMqn#>>zjXqSAEAr2xK0H&`Wg|ITPpw400quTRg$W0p5QzG z9T+&6^M34^W+IOCEc@>yG6oHW%4Xe1nG0u1`VU;I_uj3w@-%${V!(2aR3yuMB)uJX zPAVtTSWADMTp>t(*tuthRz%A@?j<};P|q&&faTRNYQJ@K;2X4w8G5GiKPh^i(hu*( zr2wY2bX)4Ux=sZ)FeE?18YNvd$1CC?f5Z=^>31$k*{)gj3c)^vEYKVd^G?B?aiJb} zfzbECTCcE$wEY3D9(k#nwMQ!4&ok*8{QLfg{==LI!nT(dM5180m(A9^l%Dwpw#u`z! z-%e(*BG*3>N`b3~)3j|@C_o;GJB7uaM~1honzJMQNqk#{leM_#M8?rTQG78RyvNcLVhZ`$ff2WN!v8mq}Nqjo6yX+;5<7SypqH()xv9$ zsJ)Wg{mdXi%x7u)wDxrh@uvhDntlPiH7k0*tTraIlVxMIWXfhH;}Q#g!TuR9E>fPz zWy6)jfNy5x#t^~k;#u#&5L=oB%_@7(PLt8IVAVs}t;)|XVY|Pc=G`BLGSH9&F+A`^ z!lHX-*51yWH{466hlHd1&Ol#gJRW|Yi8HxwvL9GI!GzlXUb^9+ z9_xKCtPU|xJPwm|o6tGAKz$Bc`9PfCNol*_qU#j6OpzRD_FS12Y>NjYo|*?8oHe7S zbVl=OMxOCWKD*O{SOWLCl3r6@h0`sF{1l?IEdS%P)li$2E;yQ0z&j&E;|P{qA$pdw z#o&M-k9&%bRncXw)mzC$@GD{`nXDbpR>qdH6tMZ!3zphDq2x!T=Uk*LF}}H3e2$)Xb4$H8mR^Y=b5hSYABwN%jX4OB1>2Kew&Hk}U{;;}^#2`#CWSjGZv zY&>|pZvL=f(CO(cPqZBL6JoqSXrDO@Ei?($=X-JbQH67+ z&(MT9uT^)e!~EWw)p&nUZnq}OX1NNAuLPD(YGoJkhcn%%%6T=|jV*e;OHy*eb&e=f z!0Mh~p2v9WGmZ0Ul;8Vi%nN9(*W;7(q~{0edqen*bTN#sg0?vBbh!c(5~A^JD(DV% zI&$EK?fGXjn(-@lwc-!&m>9M+RPB5pB(-R2!K-%%29MLueL3|s4^IQz>5lvvh{OSc zv#^s^zmh^K^V-0thLTV928hi;T120PAve2+8G-wqYPuzD=9_^pm46{qc8P_^GZrxY zgzi3?b?9VG*~TmA(=W5m9^TJ?Q9B4bq2|t^1{-bJQj_?&4A(?}htkw9{G!ukl(q9@ zaMN=oy`Ng&`uX|U*`Yf+J}U;E|jgqbB1HQhOpCH7{`%AixNIJ=$%%qk$ zE@J_W!71+DEKrm+$}zcbi%`jn;jOpFrMGAbx+?V>Fzbr;O1)({hpvkmCGFc zx=kiu>4({kwv~(VRntt{t7U%@v}!&NsJed~k(R@72tWJ9VyFvgZQ|Kt%o?M!g5GzW 
z5>ZYp43GPnd&E~a$*#20$Qka(wY8vIh`U$OhlWDiae&YDR(?B|cVyo+{}PKN(>qnQ z!$adM-MxM+e<;1u9kY8+sj?L6Ucp&Jf{>J49_JDJqh*#7B(awLWgS8reF{%!cpTvH z(bnw2&A`D)!IEb2nfYbeA7X&@QiS=fFH^Zw)*QyOw4Qv<|( z7q9Xi!&e3oR=S^X&?6URsgIspJ`frB;yufOnLiZidoY9~`EqcQ(OJ8ZBLX%IvVHri z&+3*v5+6Y&z}>hFqY2oatXe+Zsu-#rJHsB@wP06i8gD2V!O;PwEv!l`OiC)_RmzIb zTRV%?urWgnBdsmg(Frp%Y0D(P-?9uI$Ko@pAKL}@mg@S2iuhfey?D$kA(5$7k{c~C zo$u}6%Xl!Hm7H=$gmSUaa4u)4seF6F`j zIX@cNAYZ((#ERe^_o^GwIr~ssCu9iN9{ybrON#!KN5Aa6=PCr6j2pCM&T`(@Xcmky?J3{k{_@|l()?W?kM8s+9A9cIrCz11ZWW*a+~^H{Q# z9_mefnN2fG2ufgC?FKuc=a7#raBvIJChg;PXYtgC=!BTM`fj};-tLUiB{@CxaMxqC za)@RrG-WdNN_knC3*-Ix*me@pZGboLLn)Zwzki>n`OgToUDM)QZIFNOSKW#O`cSFk z?Ws7MlJatHq1cz~BB*!`$0m5`0$TFumqrGX5X9?24uw1nmD+8=?Y6eIvMeZdU1DKP z4TMm&6%|8~@oM})h~Px3{tI#C8i-tBn5H8_iUEj4XlZHnYpti6Je*Wjqaz=em6hoj zd7xsM6;;IcI}-mXFCPDP2V7Z@pnEx|*ZI-JM7bd~4hY^gq)u_TfYz^!``z8$LIB}m zIa)9odwS}rrBwoy;^KF=|4zr_a8+c4ktJYm$CSG6m?|jU)oku8g`~d@2$7!*B|v?A zd^{v{oUTEBD|59b&@Lodv-o@N_sAdV+)4lB{V_NMoS2Bd1 z0hlg(%fWD{oL2GoDA$xY=|Cx%5132!ca)BHKER`YQ0NEy15wAvLD%c`Utyy&o`6^)bpqs`Xa|E z>8aS^2lTFOXJHWDc8d5gp#<#R$CHA|eTMdP>2y`r`T!n7CH32sE(5fKe`$kOVx;x- z(}RA2NXavkwu8Z~@{;D0rLg5Fry}FWZmM>>wmVd!mM?8QAlTxCIv>nZ!|GO@5(fY0 z;I-sBjgXZ2815=c>D5)xwtYTl_@6(2d~q|a6UG(TZ40o9gh;LTpN6%d-Fnlr{3LU6 zY@W6;T4v(Ku8Jglx8t={fhxO>)D4+7?bLWn^SP(z^e7-&?4IE~J_|3>;(J~%C&dKwa;q;J*f0M$E8@6N z25^;LcR@eQmc1d`Ui+N`s^a;-Caf5W<wZAs`(bCEb=}zF?fSeM>H}av_IE<_NB@!z&HJig}z<$ z*!1+~;gp}%=k`T_8zB5k3*56kzgK-a>r`mqGPX|Z77_l(8#lvnkBlfp(`QRx%OV3h zFQ`r0Nw-qS;#4tua*IcjnZ-Iy!Uw*99^#XemX@Xt-nasSIPSxtM?!OdT2GH!Y-ZY8 zzlOwzeha5i#b02`WaS`8DSFm^>t5MtJ(daa-YttUOUE;3OD4sT`&L#kF1At{(s#hx zMTbLEore53+vf741q|E4jn&x;qUPB{DFeQqtPOx3C|89_rt zK>aHF=kd-=BOD$S6!hW4hs~|6XyK)shy_VOLGzH1C&M#(j|k}^qM}+#K5ma)Vu9Oj z#9`1BF&m?WLuo=41qCe76_>5?P&xP%ESwwOldy9IL@w!8aZoXkUZkmw{QZ?7=ht}R z(11N;kn)hBR|XqoH z9#2U=EcGro zJ$i&hA`4Wr{&KrDH8lXuYBN*IT#7L5j#6WL>V8%z$_*;pm18Sa$Mq>?Yr_!Gou1cP?w($6g)LTT$AHJuJ z+u4`e@wd+UK2nr$^WkVN3%DLIv1E{%_ix$`0&i1<$=TW2wH>Tu&3r7@?nZyQ#KN21 
z*931#5h4fJOD_)s5DWEMA1tb*!WW-x`YKwIjz7YYEJd_#Khx{cZvE>=)IJPPVt%JS zL({uxPTUbnz9yfXiaZe(OiS2(Z@LZf%1G_5b2k$Z`Dh*RgDfB*fI(eHC#ljKFs2Or zPoKtDih17BtF%-(YYXiP&?qMc`P&R8K@$`c-vocl59gU4;xe~=^Ut)nv z56F;N5~dWi+mBH_Iyz#20sQJ`)NnPjKqVu!QVedk>4b{yX;avwPJSt7)R1 zUiue13mht9e7+t>Qx;%V@i8~t&S(W7?Yc9qg)3YLvMRv%9-yTT$87WjTt+J%NQ*3mFpeCxp}DVs zrX2G*!C9i1uM1}^C=D&eByBFkO_@S}X@HpTjb%;~va_|a3P-G$46W%mxjP(O=K=gA zRe)gDG4^peMeC^G&ynk|q~An|?$)m`0^IrJsy(Ejm|leALkJshIvwN^3&IN?h9DER zu#w^Mi}lfHUsNAn&1NwS?@tZ5+z!W676|NW+T7e+dwcuX*cbp7;IS)|_vWnjr)cQt zU{=%YWc)g(CMVrH$YiDb7`{Yood7n^0mFeG_Uso{OJWZLJeYBkdqb zoQ#Z_{MNiHI?Qc#8`t+EP2oj?KZnd}t&;y0z)@}Afb}b8i#uOp!7J5qxBc#Ug&+9f z4_@Njb%)TdSk!s=>cx-a47=|;Rswh8b66DXF>n4joVCScWRdv~oLoSl$96Q_eGFj? zIbepcZ#Fi#wwMrxkwye2#cdodQg6fil<9TX1)&@LyZ&RH>q<*`rM*jNpZLnX_IXK9 zKPGTlEV?+p@@ME9VAMVRi!dbtVlo%^w=1pPbf<;%zRNuN_|g!ugO2txCofD?ot4k# zdOPg`uEPa^JF+WORrYcC`0ewn&Gz5&qdMA1mYFjCav;^?_v1pp&>}X!i$g2Y3cSnA z*+;J13ytVd+**G+#(S*~ z?J$R6jCrGmyOf58Mm9k8{NM=ggRN!yU8G4i)E>7bx}gGMEOQZFrW&2mNtg`bX`vPb zCbT(;&U;wW2&)=I8J10{AVu6cHJ_2-*hK<#z)X?^4Uf`2A7cI-qKKo(%wiIM!(&TTXp79SPcd90LQpj(ZSH|k}Omd)ZQHg%S7y>p4 z2yQ|C+rkEkW6D{_k$nh*FocV zvBS{5Xo*$b+esV%$jN!Y%4_lwYw;1Awst=(ZE=A1fydgnriaomdKG!Fsgz3_8ofXa zatpaJ#owvc!7DX<$8<3#kkk*86x{5!7mdKY*3#h5ln2fMc~eBZZBw44QU-mX4B~j# z=I@|#Gmr6e3$?_>+IYpIb&5L zeof9N^?*!zyi6a{bKLD(+Nslntuk6076OFdf&GX>%YsV`9@T< zQAeV_xUNFy0pNfdc{FdA(P}kzs>vAb+%BcX?L+Ho`fVL*frg+3eL`EwggScmy#t+v~I zB$;adl zt@*}_xCsO2#U#!fp;;(}hoTCs$As|=q-~EDk_yHN;pg3lh@C=nS z>*RrdDc*gD=XBR)!Ks!JWIF?}I~^TT+0~%*H4JWTAWa7#lE~9ru(9vh-cbg<3-Mho z95g68>z+WIM@u#?A8)2|v{!m6P=R=olat?n_y8O)`yW0R6$Lo8FR9Bq*a`ACn$num z4`Nh(4oWfjnyve+8JrAZIZ`}ajsLGIjQ*nvd~S9vdH<>ck6OY1N)>>7s2n$Tq5rN4 zwyq+8$@G`++|f?}cYU0;#?{)WBJem`Sr_Xq9}SJ!_TZqsODuLNfc5C9H>9Hq3;Bk; z$jqFXnEh^Z>?MkG!+kh2g|_xcO`^(K$;xMMfL;*UpJ}5Q-mT}z4($p>tPk{|{=1m3 zW*-<>tRPAqio4g(iR%S{MA6Q{|2j*=u>{?s=6h z&9GF&rDuCgR4L0Dag7Hih?SMz*B59ZyO?pm#A4K$I<`{9k%z=K*W>;zz1gkzI&cFuuaD2Ql!<#n#f_oIO{tOYtR?Wju*V4QhBat#FPa5|ZVNz2k=Pkf^1T*k|gak(*3`v-wq%f@?% 
zg|X+bT3nP}`ANr!hLjYUv=sSh`S%ac+~+T`xC&E#?D*m=YdAsN~7tkaOs4`bh6@gxlWFQ?hP9JCRp znTAm|R)wn$)`7%c5bfXp&>Al-b5Ko{w$kDvxU?3Vz&Mk<446IMB4M9H=D+rexbyCL zziLKo6lp&}^OeTHm_g#TV zQ>o!MfrTg_r)*bLlAv&IhWqH2QQRDL9+1kLUR|h?#=-#4-a5ZJ*Jt;py9*ip9Eo`Q zvHBcHswNj*Lx+kq*&5RMN|(JFm&azm;4B3p&s5g>qvoxlnj z8)ssYL0@jKS@dnToQ|!Im3)8knBiKR%iN`0WNdR~p(IoAmWN^~X+ zJ&XPhln-(Gy1Shxg8MzutOsiLyAa)ZbGY87RiB;SdFz%ap;N@{&wmPS;co#|A|i4z zdeHSnZwL#+v$ZT^w^8LQF+?#R6Tq_L73jvb%&&4U%r*~Dz%#T=AxNRO<@~-X9`P|1 zR<*^GE?(D=Gh3MM-4ValBJ3rWhucy1PHR5Xp`(}inZR3MNKj2CO)PEwM}#8w377Av^$MU?studPF*9~qciAb58jh!bRCViFQ~SNSAQ-2ilfTNwogK2?QoOhyqkt%; z`_|I+Nv7j2+1$_9j4}OLVnOBMQuFf`XexW`B^F|^szb#>p-?%tQvA}!c*qGk<5Ajh zj9y0`ivWa9@{YOs17@MBSf|<8ke1*d8xkeVAaG^Et>T)o~P`GODRl zPMuTaxLiEv)yRtM^EQ3*-C(rOC(I=II@KKxc=q^>i2EdE=e(t==N)ZuN%VB#w_RU* z=1Pa-=4IAx3*zL1Nw9y;@>1c<$#~g$UsABN6cgu&&z#Ex#l-lbEIZM+$mu>aIxy-v z(e3KyMptBRa4(tCI~Ghb4eRoFev?mQ=WOX?VLFpbEIJ4s_Z#9iRV6)#mQRO0L+Erpb7V}NF4Wat=+A69k$ zLLwsuG*tHT(p|&EAEXf}ioA*E4vBoKo+!1Nkb>QT3p_MpM?bP{De$n3e`l|iQt(SV zz9@{JPW{e#dxr8D@+x#X!V)Fq2Q^CJIoxqTxGS8K((QzL*EkC}Gm?)#NRgZBcqj7i zeBFePW2fw@LME7^hjIb#vM^;qC}f*{_l@u3oll zis5^;;xASjr*$|o{K#3}l=Y%-A~BE?ASw zKIeA)UHUAJIdCaMiB~=z8=qxZ^*c<|&6!k&SUl%ji~fbl;3AYrWpl@Wkqah(tmPYbz^N&@e`SHx|!wteIH18 zp!egV95=}P2}O((uSbcyp0(h*qzM=tN92zduu(b1k$>qln;C*Mq3G~<(mPsoe%?{d z9TQZm77i&D_YtWHvD{D}({pdXaB;o7&ab70f59B3-vo8F!A+8l%Q;(1 zPk(UX?e_wKQ&YFU-wBKa@6Ha7Q)lYsr~9=1!94Fur1 z0Oxy7Mnvt^|1gTNwnPcnKX9Y=sE^44!6tD?}-TxYR%d=IgT{j=2U1vqlon z-)9kI?=Y^MV>}{gHh2l%OUxv?&>}jAjggTtaF8G+Q|Rp_79fQzeMCpP>(LmpTXOe4 z5qho>({%VJlP>GhXdC@_@AFVHFmX@VWMIW*au4^6I&j z_%w6%J890TPo|`_>rt7E`pQ|(*175^!q*8mZ5(k{^Xf=d9QD;$i z+xh+x=y_65u=~s2c~XZwZ61ltr+9X9PWF)Iq}b%k+o2uHY}_qOk(bak3QtgsgL|qreimoei5?DLoy4Dk?8cl5F*q z$2zk0d+|Y*ez|)_0@>i3ODmqW&W5T+>qW$@Tt?R)Qw%0ScXSN+j(ZsSpOTXo-P<>I zQf`m-C8wgic|PG68Pd}gxdYJLzUN!Yb#trk6Ci^ewy+$wlnF2!+CrFWj|0?T-@DPYd zssFl~6HbGs@UMQzsjCL0{J(W{SY!fe*%-7KG_2>Os7mfw*+y|4KNG4G!{(j3`AzIq z;5qso0S?YP9=K(r!)au&|MPWkU!VDqt-*I>Bptv~g=I7*#a-tm3SWindows 11 - ✅ Windows 10 
@@ -13,94 +13,96 @@ appliesto: - ✅ Windows Server 2019 - ✅ Windows Server 2016 --- -# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard -Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. +# Remote Credential Guard -Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. +Remote Credential Guard helps you protect your credentials over a Remote Desktop (RDP) connection by redirecting Kerberos requests back to the device that's requesting the connection. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. Remote Credential Guard also provides single sign-on experiences for Remote Desktop sessions.\ +This article describes how to configure and use Remote Credential Guard. > [!IMPORTANT] > For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article. 
-## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options - -The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: - -![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) - -The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: - -![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) - -As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. +## Compare Remote Credential Guard with other Remote Desktop connection options Use the following table to compare different Remote Desktop connection security options: -| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | -|--|--|--|--| -| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server | -| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. 
| The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

    For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). | -| **Helps prevent**                    |      N/A          |
    • Pass-the-Hash
    • Use of a credential after disconnection
    |
    • Pass-the-Hash
    • Use of domain identity during connection
    | -| **Credentials supported from the remote desktop client device** |
    • Signed on credentials
    • Supplied credentials
    • Saved credentials
    |
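Review bot: the removed lines drop both diagrams, but the diffstat for this commit deletes only `rdp-to-a-server-without-windows-defender-remote-credential-guard.png`; `images/windows-defender-remote-credential-guard-with-remote-admin-mode.png` is no longer referenced in this hunk yet stays in the repo, so delete it as well or keep its reference. The removed caption sentence ("Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection") was also the only place the article said NTLM is blocked; the table's **Helps prevent** row keeps Pass-the-Hash and post-disconnection use but not the NTLM point, so fold that sentence into the new intro paragraph. Likewise the rewritten intro drops "Introduced in Windows 10, version 1607" while the **Version support** row still relies on that minimum; keep the version statement somewhere in the article.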