From 05f46ea225acc65a2e8b8701d2c78a0ecf613bae Mon Sep 17 00:00:00 2001 From: John Tobin Date: Tue, 14 Mar 2017 16:22:50 -0700 Subject: [PATCH 1/6] new files --- windows/keep-secure/TOC.md | 7 + .../credential-guard-considerations.md | 47 + .../credential-guard-how-it-works.md | 31 + .../keep-secure/credential-guard-manage.md | 188 ++++ ...redential-guard-not-protected-scenarios.md | 153 +++ .../credential-guard-requirements.md | 111 +++ .../keep-secure/credential-guard-scripts.md | 488 +++++++++ windows/keep-secure/credential-guard.md | 926 +----------------- .../credential-manager-known-issues.md | 17 + 9 files changed, 1046 insertions(+), 922 deletions(-) create mode 100644 windows/keep-secure/credential-guard-considerations.md create mode 100644 windows/keep-secure/credential-guard-how-it-works.md create mode 100644 windows/keep-secure/credential-guard-manage.md create mode 100644 windows/keep-secure/credential-guard-not-protected-scenarios.md create mode 100644 windows/keep-secure/credential-guard-requirements.md create mode 100644 windows/keep-secure/credential-guard-scripts.md create mode 100644 windows/keep-secure/credential-manager-known-issues.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 82fea36b85..1f51ea87b8 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -23,6 +23,13 @@ #### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) ### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## [Protect derived domain credentials with Credential Guard](credential-guard.md) +### [How it works](credential-guard-how-it-works.md) +### [Requirements](credential-guard-requirements.md) +### [Manage](credential-guard-manage.md) +### [Considerations](credential-guard-considerations.md) +### [Scenarios not protected by Credential Guard](credential-guard-not-protected-scenarios.md) +### [Known issues](credential-manager-known-issues.md) +### [Scripts](credential-guard-scripts.md) ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) ## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) diff --git a/windows/keep-secure/credential-guard-considerations.md b/windows/keep-secure/credential-guard-considerations.md new file mode 100644 index 0000000000..a0a3b104fb --- /dev/null +++ b/windows/keep-secure/credential-guard-considerations.md 
@@ -0,0 +1,47 @@ +--- +title: Considerations when using Credential Guard (Windows 10) +description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.assetid: +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# Considerations when using Credential Guard + +**Applies to** +- Windows 10 +- Windows Server 2016 + +- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain. +- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: + - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 + - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. + - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. + - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. + - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] + - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] + You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. + - **Event ID 51** VSM Master Encryption Key Provisioning. 
Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. +- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. +- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. +- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. + +- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. 
Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: + - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". + - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. + - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. + - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. For further information, see: + [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) + +## NTLM & CHAP Considerations + +When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. + +## Kerberos Considerations + +When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. \ No newline at end of file 
diff --git a/windows/keep-secure/credential-guard-how-it-works.md b/windows/keep-secure/credential-guard-how-it-works.md new file mode 100644 index 0000000000..b1e48f5ef8 --- /dev/null +++ b/windows/keep-secure/credential-guard-how-it-works.md 
@@ -0,0 +1,31 @@ +--- +title: How Credential Guard works +description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.assetid: +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# How Credential Guard works + +**Applies to** +- Windows 10 +- Windows Server 2016 + +Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. + +For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. + +When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocols. 
It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. + +When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. + +Here's a high-level overview on how the LSA is isolated by using virtualization-based security: + +![Credential Guard overview](images/credguard.png) + +For further information, see [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md new file mode 100644 index 0000000000..7f913589d7 --- /dev/null +++ b/windows/keep-secure/credential-guard-manage.md 
@@ -0,0 +1,188 @@ +--- +title: Manage Credential Guard (Windows 10) +description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.assetid: +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# Manage Credential Guard + +**Applies to** +- Windows 10 +- Windows Server 2016 + +## Enable Credential Guard +Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). + +### Enable Credential Guard by using Group Policy + +You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. + +1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. +2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. +3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. +4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**. + + ![Credential Guard Group Policy setting](images/credguard-gp.png) + +5. Close the Group Policy Management Console. + +To enforce processing of the group policy, you can run ```gpupdate /force```. 
+ +For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) + +### Enable Credential Guard by using the registry + +If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. + +### Add the virtualization-based security features + +Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. + +If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. +You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). +> [!NOTE] +> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. + +  +**Add the virtualization-based security features by using Programs and Features** + +1. Open the Programs and Features control panel. +2. Click **Turn Windows feature on or off**. +3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +4. Select the **Isolated User Mode** check box at the top level of the feature selection. +5. Click **OK**. + +**Add the virtualization-based security features to an offline image by using DISM** + +1. Open an elevated command prompt. +2. Add the Hyper-V Hypervisor by running the following command: + ``` + dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all + ``` +3. 
Add the Isolated User Mode feature by running the following command: + ``` + dism /image: /Enable-Feature /FeatureName:IsolatedUserMode + ``` + +> [!NOTE] +> You can also add these features to an online image by using either DISM or Configuration Manager. + +### Enable virtualization-based security and Credential Guard + +1. Open Registry Editor. +2. Enable virtualization-based security: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. + - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. + - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. +3. Enable Credential Guard: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. + - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. +4. Close Registry Editor. + + +> [!NOTE] +> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. + + +### Enable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool + +You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot +``` + +### Credential Guard deployment in virtual machines + +Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine. 
+ +Credential Guard protects secrets from non-privileged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: + +``` PowerShell +Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true +``` + +Requirements for running Credential Guard in Hyper-V virtual machines +- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. +- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. + +For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) + +### Remove Credential Guard + +If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). + +1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). +2. Delete the following registry settings: + - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures + + > [!IMPORTANT] + > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. + +3. Delete the Credential Guard EFI variables by using bcdedit. + +**Delete the Credential Guard EFI variables** + +1. 
From an elevated command prompt, type the following commands: + ``` syntax + + mountvol X: /s + + copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y + + bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader + + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" + + bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} + + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO + + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: + + mountvol X: /d + + ``` +2. Restart the PC. +3. Accept the prompt to disable Credential Guard. +4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. + +> [!NOTE] +> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + +For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). + + +#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool + +You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot +``` +  +### Check that Credential Guard is running + +You can use System Information to ensure that Credential Guard is running on a PC. + +1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. +2. Click **System Summary**. +3. 
Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. + + Here's an example: + + ![System Information](images/credguard-msinfo32.png) + +You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v3.0.ps1 -Ready +``` \ No newline at end of file diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md new file mode 100644 index 0000000000..70848bcecc --- /dev/null +++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md 
@@ -0,0 +1,153 @@ +--- +title: Scenarios not protected by Credential Guard (Windows 10) +description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.assetid: +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# Scenarios not protected by Credential Guard + +**Applies to** +- Windows 10 +- Windows Server 2016 + +Some ways to store credentials are not protected by Credential Guard, including: + +- Software that manages credentials outside of Windows feature protection +- Local accounts and Microsoft Accounts +- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. +- Key loggers +- Physical attacks +- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Third-party security packages +- Digest and CredSSP credentials + - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. +- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well. 
+ +For further information, see: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) + +## Additional mitigations + +Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust. + +### Restricting domain users to specific domain-joined devices + +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign in to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign in using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. + +### Kerberos armoring + +Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
+ +**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** + +- Users need to be in domains that are running Windows Server 2012 R2 or higher +- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. +- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. + +### Protecting domain-joined device secrets + +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign in as the user. + +Domain-joined device certificate authentication has the following requirements: +- Devices' accounts are in Windows Server 2012 domain functional level or higher domains. +- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: + - KDC EKU present + - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension +- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. +- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. 
+ +#### Deploying domain-joined device certificates + +To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. + +For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. + +**Creating a new certificate template** + +1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** +2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. +3. Right-click the new template, and then click **Properties**. +4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. +5. Click **Client Authentication**, and then click **Remove**. +6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: + - Name: Kerberos Client Auth + - Object Identifier: 1.3.6.1.5.2.3.4 +7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. +8. Under **Issuance Policies**, click**High Assurance**. +9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. + +Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. + +**Enrolling devices in a certificate** + +Run the following command: +``` syntax +CertReq -EnrollCredGuardCert MachineAuthentication +``` + +> [!NOTE] +> You must restart the device after enrolling the machine authentication certificate. 
+  +### How a certificate issuance policy can be used for access control + +Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. + +**To see the issuance policies available** + +- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. + From a Windows PowerShell command prompt, run the following command: + + ``` syntax + .\get-IssuancePolicy.ps1 –LinkedToGroup:All + ``` + +**To link an issuance policy to a universal security group** + +- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. + From a Windows PowerShell command prompt, run the following command: + + ``` syntax + .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" + ``` + +### Restricting user sign on + +So we now have completed the following: + +- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign in +- Mapped that policy to a universal security group or claim +- Provided a way for domain controllers to get the device authorization data during user sign in using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. 
+ +Authentication policies have the following requirements: +- User accounts are in a Windows Server 2012 domain functional level or higher domain. + +**Creating an authentication policy restricting users to the specific universal security group** + +1. Open Active Directory Administrative Center. +2. Click **Authentication**, click **New**, and then click **Authentication Policy**. +3. In the **Display name** box, enter a name for this authentication policy. +4. Under the **Accounts** heading, click **Add**. +5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you with to restrict, and then click **OK**. +6. Under the **User Sign On** heading, click the **Edit** button. +7. Click **Add a condition**. +8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. +9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. +10. Click **OK** to close the **Edit Access Control Conditions** box. +11. Click **OK** to create the authentication policy. +12. Close Active Directory Administrative Center. + +> [!NOTE] +> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. + +### Discovering authentication failures due to authentication policies + +To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. 
To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. + +To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). + +For further information, see: [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) \ No newline at end of file diff --git a/windows/keep-secure/credential-guard-requirements.md b/windows/keep-secure/credential-guard-requirements.md new file mode 100644 index 0000000000..f1d8842363 --- /dev/null +++ b/windows/keep-secure/credential-guard-requirements.md 
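Review bot: The links `[get-IssuancePolicy.ps1](#bkmk-getscript)` and `[set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript)` in the "To see the issuance policies available" and "To link an issuance policy to a universal security group" steps are same-page anchors, but this commit moves both scripts into credential-guard-scripts.md, whose headings ("Get the available issuance policies on the certificate authority", "Link an issuance policy to a group") carry no `bkmk-getscript`/`bkmk-setscript` anchors, so both links will dangle; point them at credential-guard-scripts.md with anchors that exist there. The example invocation `.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"` shows three empty strings with no hint of what goes in them (the angle-bracket placeholders look like they were eaten by the renderer) and mixes en-dashes and a curly quote into a command line readers will paste; escape the placeholders and use ASCII hyphens and straight quotes, and do the same for `–LinkedToGroup:All` in the first example. The NOTE at the end of the authentication-policy procedure says it is "strongly recommended to first only audit policy restrictions", but steps 1 to 12 never show where that audit-only choice is made when the policy is created, so the recommendation is not actionable from the procedure; add the step. Smaller items: the third bullet under "So we now have completed the following:" runs straight into the next paragraph ("... using Kerberos armoring. Now what is left to do ..."), so "Now what is left to do" needs its own line; "Authentication policies have the following requirements:" introduces a one-item list; step 5 reads "the user account you with to restrict" (wish); and in the Discovering section the bold span `**Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**` swallows the instruction "right-click", so close the bold after Authentication and reopen it around the log name.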
@@ -0,0 +1,111 @@ +--- +title: Credential Guard Requirements (Windows 10) +description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# Requirements + +**Applies to** +- Windows 10 +- Windows Server 2016 + +For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations). 
+ +### Hardware and software requirements + +To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: +- Support for Virtualization-based security (required) +- Secure boot (required) +- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) +- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) + +The Virtualization-based security requires: +- 64 bit CPU +- CPU virtualization extensions plus extended page tables +- Windows hypervisor + +### Application requirements + +When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. + +>[!WARNING] +> Enabling Credential Guard on domain controllers is not supported.
+> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. + +>[!NOTE] +> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). + +Applications will break if they require: +- Kerberos DES encryption support +- Kerberos unconstrained delegation +- Extracting the Kerberos TGT +- NTLMv1 + +Applications will prompt & expose credentials to risk if they require: +- Digest authentication +- Credential delegation +- MS-CHAPv2 + +Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. + +### Security considerations + +All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. +Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. +The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. + +> [!NOTE] +> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
+> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+ +#### Baseline protections + +|Baseline Protections | Description | +|---------------------------------------------|----------------------------------------------------| +| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | +| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).

**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)

**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | + +> [!IMPORTANT] +> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. + +#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 + +| Protections for Improved Security | Description | +|---------------------------------------------|----------------------------------------------------| +| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation

**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | + +
+ +#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 + +> [!IMPORTANT] +> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. + +| Protections for Improved Security | Description | +|---------------------------------------------|----------------------------------------------------| +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | + +
+ +#### 2017 Additional security qualifications starting with Windows 10, version 1703 + +The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. + +| Protection for Improved Security | Description | +|---------------------------------------------|----------------------------------------------------| +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code

**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | diff --git a/windows/keep-secure/credential-guard-scripts.md b/windows/keep-secure/credential-guard-scripts.md new file mode 100644 index 0000000000..5d7eb958a6 --- /dev/null +++ b/windows/keep-secure/credential-guard-scripts.md 
@@ -0,0 +1,488 @@ +--- +title: Credential Guard Scripts (Windows 10) +description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.assetid: +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# Credential Guard Scripts + +Here is a list of scripts that are mentioned in this topic. + +## Get the available issuance policies on the certificate authority + +Save this script file as get-IssuancePolicy.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$Identity, +$LinkedToGroup +) +####################################### +## Strings definitions ## +####################################### +Data getIP_strings { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. +help2 = Usage: +help3 = The following parameter is mandatory: +help4 = -LinkedToGroup: +help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. +help6 = "no" will return only Issuance Policies that are not currently linked to any group. +help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. +help8 = The following parameter is optional: +help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. +help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. 
+help11 = Examples: +errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" +ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". +ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". +ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members: +LinkedIPs = The following Issuance Policies are linked to groups: +displayName = displayName : {0} +Name = Name : {0} +dn = distinguishedName : {0} + InfoName = Linked Group Name: {0} + InfoDN = Linked Group DN: {0} +NonLinkedIPs = The following Issuance Policies are NOT linked to groups: +'@ +} +##Import-LocalizedData getIP_strings +import-module ActiveDirectory +####################################### +## Help ## +####################################### +function Display-Help { + "" + $getIP_strings.help1 + "" +$getIP_strings.help2 +"" +$getIP_strings.help3 +" " + $getIP_strings.help4 +" " + $getIP_strings.help5 + " " + $getIP_strings.help6 + " " + $getIP_strings.help7 +"" +$getIP_strings.help8 + " " + $getIP_strings.help9 + "" + $getIP_strings.help10 +"" +"" +$getIP_strings.help11 + " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" + " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" + " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" +"" +} +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +$configNCDN = [String]$root.configurationNamingContext +if ( !($Identity) -and !($LinkedToGroup) ) { +display-Help +break +} +if ($Identity) { + $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * + if ($OIDs -eq $null) { +$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity 
+write-host $errormsg -ForegroundColor Red + } + foreach ($OID in $OIDs) { + if ($OID."msDS-OIDToGroupLink") { +# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. + $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $groupName = $group.Name +# Analyze the group + if ($group.groupCategory -ne "Security") { +$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + } + } + return $OIDs + break +} +if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" + $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*****************************************************" + write-host $getIP_strings.LinkedIPs + write-host "*****************************************************" + write-host "" + if ($LinkedOIDs -ne $null){ + foreach ($OID in $LinkedOIDs) { +# Display basic information about the Issuance Policies + "" + $getIP_strings.displayName -f $OID.displayName + $getIP_strings.Name -f $OID.Name + $getIP_strings.dn -f $OID.distinguishedName +# Get the linked group. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $getIP_strings.InfoName -f $group.Name + $getIP_strings.InfoDN -f $groupDN +# Analyze the group + $OIDName = $OID.displayName + $groupName = $group.Name + if ($group.groupCategory -ne "Security") { + $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + write-host "" + } + }else{ +write-host "There are no issuance policies that are mapped to a group" + } + if ($LinkedToGroup -eq "yes") { + return $LinkedOIDs + break + } +} +if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" + $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*********************************************************" + write-host $getIP_strings.NonLinkedIPs + write-host "*********************************************************" + write-host "" + if ($NonLinkedOIDs -ne $null) { + foreach ($OID in $NonLinkedOIDs) { +# Display basic information about the Issuance Policies +write-host "" +$getIP_strings.displayName -f $OID.displayName +$getIP_strings.Name -f $OID.Name +$getIP_strings.dn -f $OID.distinguishedName +write-host "" + } + }else{ +write-host "There are no issuance policies which are not mapped to groups" + } + if ($LinkedToGroup -eq "no") { + return $NonLinkedOIDs + break + } +} +``` +> [!NOTE] +> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. +  +### Link an issuance policy to a group + +Save the script file as set-IssuancePolicyToGroupLink.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$IssuancePolicyName, +$groupOU, +$groupName +) +####################################### +## Strings definitions ## +####################################### +Data ErrorMsg { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. +help2 = Usage: +help3 = The following parameters are required: +help4 = -IssuancePolicyName: +help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. +help6 = The following parameter is optional: +help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. +help8 = Examples: +help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. +help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. +MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" +NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". +IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} +MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". +confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. 
Do you want to create it? +OUCreationSuccess = Organizational Unit "{0}" successfully created. +OUcreationError = Error: Organizational Unit "{0}" could not be created. +OUFoundSuccess = Organizational Unit "{0}" was successfully found. +multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". +confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? +groupCreationSuccess = Univeral Security group "{0}" successfully created. +groupCreationError = Error: Univeral Security group "{0}" could not be created. +GroupFound = Group "{0}" was successfully found. +confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? +UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. +UnlinkError = Removing the link failed. +UnlinkExit = Exiting without removing the link from the issuance policy to the group. +IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. +ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". +ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". +ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: +ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? +LinkSuccess = The certificate issuance policy was successfully linked to the specified group. +LinkError = The certificate issuance policy could not be linked to the specified group. 
+ExitNoLinkReplacement = Exiting without setting the new link. +'@ +} +# import-localizeddata ErrorMsg +function Display-Help { +"" +write-host $ErrorMsg.help1 +"" +write-host $ErrorMsg.help2 +"" +write-host $ErrorMsg.help3 +write-host "`t" $ErrorMsg.help4 +write-host "`t" $ErrorMsg.help5 +"" +write-host $ErrorMsg.help6 +write-host "`t" $ErrorMsg.help7 +"" +"" +write-host $ErrorMsg.help8 +"" +write-host $ErrorMsg.help9 +".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " +"" +write-host $ErrorMsg.help10 +'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' +"" +} +# Assumption: The group to which the Issuance Policy is going +# to be linked is (or is going to be created) in +# the domain the user running this script is a member of. +import-module ActiveDirectory +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +if ( !($IssuancePolicyName) ) { +display-Help +break +} +####################################### +## Find the OID object ## +## (aka Issuance Policy) ## +####################################### +$searchBase = [String]$root.configurationnamingcontext +$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * +if ($OID -eq $null) { +$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($OID.GetType().IsArray) { +$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +else { +$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName +write-host $tmp -ForeGroundColor Green +} +####################################### +## Find the container of the group ## +####################################### +if ($groupOU -eq 
$null) { +# default to the Users container +$groupContainer = $domain.UsersContainer +} +else { +$searchBase = [string]$domain.DistinguishedName +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +if ($groupContainer.count -gt 1) { +$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase +write-host $tmp -ForegroundColor Red +break; +} +elseif ($groupContainer -eq $null) { +$tmp = $ErrorMsg.confirmOUcreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName +if ($?){ +$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU +write-host $tmp -ForegroundColor Green +} +else{ +$tmp = $ErrorMsg.OUCreationError -f $groupOU +write-host $tmp -ForeGroundColor Red +break; +} +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name +write-host $tmp -ForegroundColor Green +} +} +####################################### +## Find the group ## +####################################### +if (($groupName -ne $null) -and ($groupName -ne "")){ +##$searchBase = [String]$groupContainer.DistinguishedName +$searchBase = $groupContainer +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +if ($group -ne $null -and $group.gettype().isarray) { +$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($group -eq $null) { +$tmp = $ErrorMsg.confirmGroupCreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice 
-eq "yes") ) { +new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" +if ($?){ +$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName +write-host $tmp -ForegroundColor Green +}else{ +$tmp = $ErrorMsg.groupCreationError -f $groupName +write-host $tmp -ForeGroundColor Red +break +} +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.GroupFound -f $group.Name +write-host $tmp -ForegroundColor Green +} +} +else { +##### +## If the group is not specified, we should remove the link if any exists +##### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" +if ($?) 
{ +$tmp = $ErrorMsg.UnlinkSuccess +write-host $tmp -ForeGroundColor Green +}else{ +$tmp = $ErrorMsg.UnlinkError +write-host $tmp -ForeGroundColor Red +} +} +else { +$tmp = $ErrorMsg.UnlinkExit +write-host $tmp +break +} +} +else { +$tmp = $ErrorMsg.IPNotLinked +write-host $tmp -ForeGroundColor Yellow +} +break; +} +####################################### +## Verify that the group is ## +## Universal, Security, and ## +## has no members ## +####################################### +if ($group.GroupScope -ne "Universal") { +$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +if ($group.GroupCategory -ne "Security") { +$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +$members = Get-ADGroupMember -Identity $group +if ($members -ne $null) { +$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} +break; +} +####################################### +## We have verified everything. We ## +## can create the link from the ## +## Issuance Policy to the group. ## +####################################### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName +write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Replace $tmp +if ($?) 
{ +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} else { +$tmp = $Errormsg.ExitNoLinkReplacement +write-host $tmp +break +} +} +else { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Add $tmp +if ($?) { +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} +``` + +> [!NOTE] +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. \ No newline at end of file diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 5fdb54b819..2cc6cd8b31 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,7 +1,6 @@ --- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
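Review bot: the member listing in the "has no members" check of the scripts hunk will not print member names as intended. Inside a double-quoted string, `" $member.name"` expands only `$member` and appends the literal text `.name`, so each line shows the object's default string form followed by `.name`; use the subexpression form `write-host " $($member.name)" -ForegroundColor Red`. In the same region, `if ($members -ne $null)` is safer written as `if ($null -ne $members)`: with `$null` on the right, `-ne` acts as a filter when `Get-ADGroupMember` returns an array, which happens to evaluate correctly for a non-empty array but is a known PowerShell pitfall. Reusing `$tmp` for both display strings and the `@{'msDS-OIDToGroupLink'= $group.DistinguishedName}` hashtable passed to `set-adobject -Replace` / `-Add` also hurts readability; a dedicated name such as `$linkAttr` would make those two calls self-explanatory. Separately, the credential-guard.md front-matter hunk directly above drops `ms.assetid` without explanation; if the removal is intentional, say why in the change description.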
@@ -16,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. +Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. By enabling Credential Guard, the following features and solutions are provided: 
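Review bot: since this line is being rewritten to introduce the "(VBS)" abbreviation, normalize the attack names on the same line while touching it: the changed line keeps "Pass-the-Hash" next to "Pass-The-Ticket" with inconsistent capitalization; "Pass-the-Ticket" matches the first form.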
@@ -24,929 +23,12 @@ By enabling Credential Guard, the following features and solutions are provided: - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. - **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. -## How it works +• How to prevent credential theft +• Virtualization-based security +• Credential Guard Design -Kerberos, NTLM, and Credential manager isolate secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. -For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. 
All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. - -When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. - -Here's a high-level overview on how the LSA is isolated by using virtualization-based security: - -![Credential Guard overview](images/credguard.png) - -## Requirements - -For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations). 
- -### Hardware and software requirements - -To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: -- Support for Virtualization-based security (required) -- Secure boot (required) -- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) -- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) - -The Virtualization-based security requires: -- 64 bit CPU -- CPU virtualization extensions plus extended page tables -- Windows hypervisor - -### Application requirements - -When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. - ->[!WARNING] -> Enabling Credential Guard on domain controllers is not supported.
-> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. - ->[!NOTE] -> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). - -Applications will break if they require: -- Kerberos DES encryption support -- Kerberos unconstrained delegation -- Extracting the Kerberos TGT -- NTLMv1 - -Applications will prompt & expose credentials to risk if they require: -- Digest authentication -- Credential delegation -- MS-CHAPv2 - -Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. - -### Security considerations - -All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. -Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. -The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. - -> [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
-> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
- -#### Baseline protections - -|Baseline Protections | Description | -|---------------------------------------------|----------------------------------------------------| -| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).

**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | -| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)

**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | - -> [!IMPORTANT] -> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. - -#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 - -| Protections for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation

**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | - -
- -#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 - -> [!IMPORTANT] -> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. - -| Protections for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | - -
- -#### 2017 Additional security qualifications starting with Windows 10, version 1703 - -The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. - -| Protection for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code

**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | - -## Manage Credential Guard - -### Enable Credential Guard -Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). - -#### Turn on Credential Guard by using Group Policy - -You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. - -1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. -2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. -3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. -4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**. - - ![Credential Guard Group Policy setting](images/credguard-gp.png) - -5. Close the Group Policy Management Console. - -To enforce processing of the group policy, you can run ```gpupdate /force```. - -#### Turn on Credential Guard by using the registry - -If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. - -#### Add the virtualization-based security features - -Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. - -If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. 
-You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). -> [!NOTE] -> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. - -  -**Add the virtualization-based security features by using Programs and Features** - -1. Open the Programs and Features control panel. -2. Click **Turn Windows feature on or off**. -3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -4. Select the **Isolated User Mode** check box at the top level of the feature selection. -5. Click **OK**. - -**Add the virtualization-based security features to an offline image by using DISM** - -1. Open an elevated command prompt. -2. Add the Hyper-V Hypervisor by running the following command: - ``` - dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all - ``` -3. Add the Isolated User Mode feature by running the following command: - ``` - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` - -> [!NOTE] -> You can also add these features to an online image by using either DISM or Configuration Manager. - -#### Enable virtualization-based security and Credential Guard - -1. Open Registry Editor. -2. Enable virtualization-based security: - - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. -3. Enable Credential Guard: - - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - - Add a new DWORD value named **LsaCfgFlags**. 
Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. -4. Close Registry Editor. - - -> [!NOTE] -> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. - - -#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool - -You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot -``` - -#### Credential Guard deployment in virtual machines - -Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine. - -Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: - -``` PowerShell -Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true -``` - -Requirements for running Credential Guard in Hyper-V virtual machines -- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. -- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. - -### Remove Credential Guard - -If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). - -1. 
If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). -2. Delete the following registry settings: - - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - - > [!IMPORTANT] - > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. - -3. Delete the Credential Guard EFI variables by using bcdedit. - -**Delete the Credential Guard EFI variables** - -1. From an elevated command prompt, type the following commands: - ``` syntax - - mountvol X: /s - - copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y - - bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" - - bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - - mountvol X: /d - - ``` -2. Restart the PC. -3. Accept the prompt to disable Credential Guard. -4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. - -> [!NOTE] -> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. 
If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS - -For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). - - -#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool - -You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot -``` -  -### Check that Credential Guard is running - -You can use System Information to ensure that Credential Guard is running on a PC. - -1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. -2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. - - Here's an example: - - ![System Information](images/credguard-msinfo32.png) - -You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v3.0.ps1 -Ready -``` - -## Considerations when using Credential Guard - -- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain. -- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. 
- - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 - - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. - - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. - - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. - - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. -- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. -- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. 
You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. -- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. - -- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: - - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". - - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. - - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. 
- -### NTLM & CHAP Considerations - -When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. - -### Kerberos Considerations - -When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. - -## Scenarios not protected by Credential Guard - -Some ways to store credentials are not protected by Credential Guard, including: - -- Software that manages credentials outside of Windows feature protection -- Local accounts and Microsoft Accounts -- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise. -- Key loggers -- Physical attacks -- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization. -- Third-party security packages -- Digest and CredSSP credentials - - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. 
Note that these same credentials are vulnerable to key loggers as well. - -## Additional mitigations - -Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust. - -### Restricting domain users to specific domain-joined devices - -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices with Credential Guard? By deploying authentication policies which restrict them to specific domain-joined device that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. - -#### Kerberos armoring - -Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. - -**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** - -- Users need to be in domains which are running Windows Server 2012 R2 or higher -- All the domain controllers in these domains must be configured to support Kerberos armoring. 
Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Credential Guard which the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. - -#### Protecting domain-joined device secrets - -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user. - -Domain-joined device certificate authentication has the following requirements: -- Devices' accounts are in Windows Server 2012 domain funcational level or higher domains. -- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - - KDC EKU present - - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension -- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. -- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. - -##### Deploying domain-joined device certificates - -To guarantee that certificates with the issuance policy required are only on the devices these users must use, they must be deployed manually on each device. 
The same security procedures used for issuing smart cards to users should be applied to device certificates. - -For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. - -**Creating a new certificate template** - -1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** -2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. -3. Right-click the new template, and then click **Properties**. -4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. -5. Click **Client Authentication**, and then click **Remove**. -6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: - - Name: Kerberos Client Auth - - Object Identifier: 1.3.6.1.5.2.3.4 -7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. -8. Under **Issuance Policies**, click**High Assurance**. -9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. - -Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. - -**Enrolling devices in a certificate** - -Run the following command: -``` syntax -CertReq -EnrollCredGuardCert MachineAuthentication -``` - -> [!NOTE] -> You must restart the device after enrolling the machine authentication certificate. -  -#### How a certificate issuance policy can be used for access control - -Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. 
To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. - -**To see the issuance policies available** - -- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. - From a Windows PowerShell command prompt, run the following command: - - ``` syntax - .\get-IssuancePolicy.ps1 –LinkedToGroup:All - ``` - -**To link a issuance policy to a universal security group** - -- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. - From a Windows PowerShell command prompt, run the following command: - - ``` syntax - .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" - ``` - -#### Restricting user sign on - -So we now have the following: - -- Created a special certificate issuance policy to identify devices which meet the deployment criteria required for the user to be able to sign on -- Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring- -so what is left to do is configuring the access check on the domain controllers. This is done with authentication policies. - -Authentication policies have the following requirements: -- User accounts are in a Windows Server 2012 domain functional level or higher domain. - -**Creating an authentication policy restricting to the specific universal security group** - -1. Open Active Directory Administrative Center. -2. Click **Authentication**, click **New**, and then click **Authentication Policy**. -3. In the **Display name** box, enter a name for this authentication policy. -4. 
Under the **Accounts** heading, click **Add**. -5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you with to restrict, and then click **OK**. -6. Under the **User Sign On** heading, click the **Edit** button. -7. Click **Add a condition**. -8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. -9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. -10. Click **OK** to close the **Edit Access Control Conditions** box. -11. Click **OK** to create the authentication policy. -12. Close Active Directory Administrative Center. - -> [!NOTE] -> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. - -#### Discovering authentication failures due to authentication policies - -To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. - -To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). - -## Appendix: Scripts - -Here is a list of scripts that are mentioned in this topic. 
- -### Get the available issuance policies on the certificate authority - -Save this script file as get-IssuancePolicy.ps1. - -``` syntax -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$Identity, -$LinkedToGroup -) -####################################### -## Strings definitions ## -####################################### -Data getIP_strings { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targetted. -help2 = Usage: -help3 = The following parameter is mandatory: -help4 = -LinkedToGroup: -help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. -help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. -help8 = The following parameter is optional: -help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. -help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. -help11 = Examples: -errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" -ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". -ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". -ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. 
The group has the following members: -LinkedIPs = The following Issuance Policies are linked to groups: -displayName = displayName : {0} -Name = Name : {0} -dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} - InfoDN = Linked Group DN: {0} -NonLinkedIPs = The following Issuance Policies are NOT linked to groups: -'@ -} -##Import-LocalizedData getIP_strings -import-module ActiveDirectory -####################################### -## Help ## -####################################### -function Display-Help { - "" - $getIP_strings.help1 - "" -$getIP_strings.help2 -"" -$getIP_strings.help3 -" " + $getIP_strings.help4 -" " + $getIP_strings.help5 - " " + $getIP_strings.help6 - " " + $getIP_strings.help7 -"" -$getIP_strings.help8 - " " + $getIP_strings.help9 - "" - $getIP_strings.help10 -"" -"" -$getIP_strings.help11 - " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" - " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" - " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" -"" -} -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -$configNCDN = [String]$root.configurationNamingContext -if ( !($Identity) -and !($LinkedToGroup) ) { -display-Help -break -} -if ($Identity) { - $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * - if ($OIDs -eq $null) { -$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity -write-host $errormsg -ForegroundColor Red - } - foreach ($OID in $OIDs) { - if ($OID."msDS-OIDToGroupLink") { -# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $groupName = $group.Name -# Analyze the group - if ($group.groupCategory -ne "Security") { -$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - } - } - return $OIDs - break -} -if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" - $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*****************************************************" - write-host $getIP_strings.LinkedIPs - write-host "*****************************************************" - write-host "" - if ($LinkedOIDs -ne $null){ - foreach ($OID in $LinkedOIDs) { -# Display basic information about the Issuance Policies - "" - $getIP_strings.displayName -f $OID.displayName - $getIP_strings.Name -f $OID.Name - $getIP_strings.dn -f $OID.distinguishedName -# Get the linked group. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $getIP_strings.InfoName -f $group.Name - $getIP_strings.InfoDN -f $groupDN -# Analyze the group - $OIDName = $OID.displayName - $groupName = $group.Name - if ($group.groupCategory -ne "Security") { - $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - write-host "" - } - }else{ -write-host "There are no issuance policies that are mapped to a group" - } - if ($LinkedToGroup -eq "yes") { - return $LinkedOIDs - break - } -} -if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" - $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*********************************************************" - write-host $getIP_strings.NonLinkedIPs - write-host "*********************************************************" - write-host "" - if ($NonLinkedOIDs -ne $null) { - foreach ($OID in $NonLinkedOIDs) { -# Display basic information about the Issuance Policies -write-host "" -$getIP_strings.displayName -f $OID.displayName -$getIP_strings.Name -f $OID.Name -$getIP_strings.dn -f $OID.distinguishedName -write-host "" - } - }else{ -write-host "There are no issuance policies which are not mapped to groups" - } - if ($LinkedToGroup -eq "no") { - return $NonLinkedOIDs - break - } -} -``` -> [!NOTE] -> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. -  -### Link an issuance policy to a group - -Save the script file as set-IssuancePolicyToGroupLink.ps1. - -``` syntax -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$IssuancePolicyName, -$groupOU, -$groupName -) -####################################### -## Strings definitions ## -####################################### -Data ErrorMsg { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. -help2 = Usage: -help3 = The following parameters are required: -help4 = -IssuancePolicyName: -help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. -help6 = The following parameter is optional: -help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. -help8 = Examples: -help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. -help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. -MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" -NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". -IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} -MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". -confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. 
Do you want to create it? -OUCreationSuccess = Organizational Unit "{0}" successfully created. -OUcreationError = Error: Organizational Unit "{0}" could not be created. -OUFoundSuccess = Organizational Unit "{0}" was successfully found. -multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". -confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? -groupCreationSuccess = Univeral Security group "{0}" successfully created. -groupCreationError = Error: Univeral Security group "{0}" could not be created. -GroupFound = Group "{0}" was successfully found. -confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? -UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. -UnlinkError = Removing the link failed. -UnlinkExit = Exiting without removing the link from the issuance policy to the group. -IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. -ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". -ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". -ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: -ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? -LinkSuccess = The certificate issuance policy was successfully linked to the specified group. -LinkError = The certificate issuance policy could not be linked to the specified group. 
-ExitNoLinkReplacement = Exiting without setting the new link. -'@ -} -# import-localizeddata ErrorMsg -function Display-Help { -"" -write-host $ErrorMsg.help1 -"" -write-host $ErrorMsg.help2 -"" -write-host $ErrorMsg.help3 -write-host "`t" $ErrorMsg.help4 -write-host "`t" $ErrorMsg.help5 -"" -write-host $ErrorMsg.help6 -write-host "`t" $ErrorMsg.help7 -"" -"" -write-host $ErrorMsg.help8 -"" -write-host $ErrorMsg.help9 -".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " -"" -write-host $ErrorMsg.help10 -'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' -"" -} -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in -# the domain the user running this script is a member of. -import-module ActiveDirectory -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -if ( !($IssuancePolicyName) ) { -display-Help -break -} -####################################### -## Find the OID object ## -## (aka Issuance Policy) ## -####################################### -$searchBase = [String]$root.configurationnamingcontext -$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * -if ($OID -eq $null) { -$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($OID.GetType().IsArray) { -$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -else { -$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName -write-host $tmp -ForeGroundColor Green -} -####################################### -## Find the container of the group ## -####################################### -if ($groupOU -eq 
$null) { -# default to the Users container -$groupContainer = $domain.UsersContainer -} -else { -$searchBase = [string]$domain.DistinguishedName -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -if ($groupContainer.count -gt 1) { -$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase -write-host $tmp -ForegroundColor Red -break; -} -elseif ($groupContainer -eq $null) { -$tmp = $ErrorMsg.confirmOUcreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName -if ($?){ -$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU -write-host $tmp -ForegroundColor Green -} -else{ -$tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red -break; -} -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name -write-host $tmp -ForegroundColor Green -} -} -####################################### -## Find the group ## -####################################### -if (($groupName -ne $null) -and ($groupName -ne "")){ -##$searchBase = [String]$groupContainer.DistinguishedName -$searchBase = $groupContainer -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -if ($group -ne $null -and $group.gettype().isarray) { -$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($group -eq $null) { -$tmp = $ErrorMsg.confirmGroupCreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice 
-eq "yes") ) { -new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" -if ($?){ -$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName -write-host $tmp -ForegroundColor Green -}else{ -$tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red -break -} -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.GroupFound -f $group.Name -write-host $tmp -ForegroundColor Green -} -} -else { -##### -## If the group is not specified, we should remove the link if any exists -##### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" -if ($?) 
{ -$tmp = $ErrorMsg.UnlinkSuccess -write-host $tmp -ForeGroundColor Green -}else{ -$tmp = $ErrorMsg.UnlinkError -write-host $tmp -ForeGroundColor Red -} -} -else { -$tmp = $ErrorMsg.UnlinkExit -write-host $tmp -break -} -} -else { -$tmp = $ErrorMsg.IPNotLinked -write-host $tmp -ForeGroundColor Yellow -} -break; -} -####################################### -## Verify that the group is ## -## Universal, Security, and ## -## has no members ## -####################################### -if ($group.GroupScope -ne "Universal") { -$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -if ($group.GroupCategory -ne "Security") { -$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -$members = Get-ADGroupMember -Identity $group -if ($members -ne $null) { -$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} -break; -} -####################################### -## We have verified everything. We ## -## can create the link from the ## -## Issuance Policy to the group. ## -####################################### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName -write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Replace $tmp -if ($?) 
{ -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} else { -$tmp = $Errormsg.ExitNoLinkReplacement -write-host $tmp -break -} -} -else { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Add $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} -``` - -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. -  ## Related topics - [Isolated User Mode in Windows 10 with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert) diff --git a/windows/keep-secure/credential-manager-known-issues.md b/windows/keep-secure/credential-manager-known-issues.md new file mode 100644 index 0000000000..dae1ef2c13 --- /dev/null +++ b/windows/keep-secure/credential-manager-known-issues.md @@ -0,0 +1,17 @@ +--- +title: Known issues with Credential Manager (Windows 10) +description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# Known issues with Credential Manager + +**Applies to** +- Windows 10 +- Windows Server 2016 From b944919155996e949ef81e6902a067aafa9595a1 Mon Sep 17 00:00:00 2001 
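Review bot: In the credential-guard.md hunk the deleted text is moved verbatim into the new credential-guard-considerations.md, credential-guard-not-protected-scenarios.md and credential-guard-scripts.md topics, so the defects in it should be fixed at the destination rather than carried over: "prevent malwar efrom taking advantage", "Windows Server 2012 domain funcational level", "certificated-based authentication", "prevents shared secrets on stolen from the device", and the `Univeral Security group "{0}"` strings in set-IssuancePolicyToGroupLink.ps1. That script's help examples also reference `.\Set-IssuancePolicyToGroupMapping.ps1` while the topic tells the reader to save the file as set-IssuancePolicyToGroupLink.ps1; make the two names agree. In the same script, `write-host " $member.name"` prints the member object followed by the literal text `.name`, because `.name` sits outside the variable expansion; use `" $($member.name)"` (get-IssuancePolicy.ps1 avoids this by writing `$member` on its own).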
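Review bot: The new credential-manager-known-issues.md is a stub: after the front matter it contains only the "Applies to" heading with "Windows 10" and "Windows Server 2016" and lists no known issues, yet TOC.md in this same patch already links it as "Known issues" under Credential Guard. Either populate it (the Credential Manager bullets being removed from credential-guard.md, such as the Remote Desktop saved-credentials and backup/restore limitations, are the obvious candidates) or hold the TOC entry until the topic has content. The description "Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets..." is the Credential Guard overview text rather than a description of this topic, and the ms.assetid should be confirmed unique to this file.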
From: John Tobin Date: Wed, 15 Mar 2017 13:28:53 -0700 Subject: [PATCH 2/6] Added topic descriptions --- .../credential-guard-considerations.md | 13 ++++---- .../credential-guard-how-it-works.md | 6 ++-- .../keep-secure/credential-guard-manage.md | 10 +++---- ...redential-guard-not-protected-scenarios.md | 21 +++++++------ .../credential-guard-requirements.md | 28 +++++++++-------- .../keep-secure/credential-guard-scripts.md | 3 +- windows/keep-secure/credential-guard.md | 30 +++++++++++++++---- .../credential-manager-known-issues.md | 1 - 8 files changed, 66 insertions(+), 46 deletions(-) diff --git a/windows/keep-secure/credential-guard-considerations.md b/windows/keep-secure/credential-guard-considerations.md index a0a3b104fb..2e8153173f 100644 --- a/windows/keep-secure/credential-guard-considerations.md +++ b/windows/keep-secure/credential-guard-considerations.md @@ -1,7 +1,6 @@ --- title: Considerations when using Credential Guard (Windows 10) -description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: +description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -35,13 +34,15 @@ author: brianlic-msft - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. - - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. For further information, see: - [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) + - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. + -## NTLM & CHAP Considerations +## NTLM and CHAP Considerations When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. ## Kerberos Considerations -When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. \ No newline at end of file +When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. 
Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. + +For further information, see: [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) \ No newline at end of file diff --git a/windows/keep-secure/credential-guard-how-it-works.md b/windows/keep-secure/credential-guard-how-it-works.md index b1e48f5ef8..bf5aa31aae 100644 --- a/windows/keep-secure/credential-guard-how-it-works.md +++ b/windows/keep-secure/credential-guard-how-it-works.md @@ -1,7 +1,6 @@ --- title: How Credential Guard works -description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: +description: Using virtualization-based security, Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -28,4 +27,5 @@ Here's a high-level overview on how the LSA is isolated by using virtualization- ![Credential Guard overview](images/credguard.png) -For further information, see [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) + +
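Review bot: the credential-guard-how-it-works.md hunk at @@ -28,4 +27,5 @@ is whitespace-only churn: it deletes the "For further information, see [Virtualization-based security]..." line and re-adds the identical line after two extra blank lines, which changes nothing in the rendered page; drop the hunk or make the edit that was intended. In the credential-guard-considerations.md hunk, the unchanged context still reads "We recommend that organizations use certificated-based authentication for WiFi and VPN connections."; since the hunk already rewrites this section, fix "certificated-based" to "certificate-based" at the same time.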
For further information, see [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md index 7f913589d7..588d7e00f7 100644 --- a/windows/keep-secure/credential-guard-manage.md +++ b/windows/keep-secure/credential-guard-manage.md @@ -1,7 +1,6 @@ --- title: Manage Credential Guard (Windows 10) -description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: +description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -34,7 +33,6 @@ You can use Group Policy to enable Credential Guard. This will add and enable th To enforce processing of the group policy, you can run ```gpupdate /force```. -For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) ### Enable Credential Guard by using the registry 
@@ -47,7 +45,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). > [!NOTE] -> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. +If you enable Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.   **Add the virtualization-based security features by using Programs and Features** @@ -114,6 +112,7 @@ Requirements for running Credential Guard in Hyper-V virtual machines For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) + ### Remove Credential Guard If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). @@ -185,4 +184,5 @@ You can also check that Credential Guard is running by using the [Device Guard a ``` DG_Readiness_Tool_v3.0.ps1 -Ready -``` \ No newline at end of file +``` +For further information, see: [Deploying Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) \ No newline at end of file diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md index 70848bcecc..240fbc29b5 100644 --- a/windows/keep-secure/credential-guard-not-protected-scenarios.md +++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md 
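Review bot: the hunk at @@ -47,7 +45,7 @@ breaks the callout. The removed line was "> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you." and the replacement "If you enable Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required..." drops the leading ">", so "> [!NOTE]" is left with an empty body and the sentence renders as an ordinary paragraph; keep the "> " prefix on the new line. Separately, the unchanged context at @@ -114,6 +112,7 @@ still carries "[Deploying Credential Guard] (https://mva.microsoft.com/...)" with a space between "]" and "(", which Markdown does not render as a link; the hunk at @@ -34,7 +33,6 @@ deletes an identical broken line, and the EOF addition at @@ -185,4 +184,5 @@ uses the correct "](" form, so the one at line 114 should be fixed or removed as well rather than left as a third copy.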
@@ -1,7 +1,6 @@ --- title: Scenarios not protected by Credential Guard (Windows 10) -description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: +description: Scenarios not protected by Credential Guard in Windows 10. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -37,9 +36,9 @@ Credential Guard can provide mitigations against attacks on derived credentials ### Restricting domain users to specific domain-joined devices -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign in to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign in using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. -### Kerberos armoring +#### Kerberos armoring Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
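Review bot: the unchanged context of this hunk contains a run-on: "Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks." Since the hunk already edits the lines around it, suggest "Kerberos armoring also provides the additional benefit of signed KDC errors, which mitigates tampering that can result in attacks such as downgrade attacks."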
@@ -49,9 +48,9 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. - All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. -### Protecting domain-joined device secrets +#### Protecting domain-joined device secrets -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign in as the user. +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: - Devices' accounts are in Windows Server 2012 domain functional level or higher domains. 
@@ -93,7 +92,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication > [!NOTE] > You must restart the device after enrolling the machine authentication certificate.   -### How a certificate issuance policy can be used for access control +#### How a certificate issuance policy can be used for access control Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. 
@@ -115,13 +114,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` -### Restricting user sign on +#### Restricting user sign on So we now have completed the following: -- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign in +- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on - Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign in using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. +- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. Authentication policies have the following requirements: - User accounts are in a Windows Server 2012 domain functional level or higher domain. 
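Review bot: the unchanged command line in this hunk, `.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"`, uses en dashes (–) in place of the hyphen before each parameter name and a curly closing quote (”) before the last empty string; pasted into PowerShell it does not parse as three parameters. While this section is being edited, replace them with ASCII hyphens and straight quotes: `.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"" -groupOU:"" -groupName:""`.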
@@ -144,7 +143,7 @@ Authentication policies have the following requirements: > [!NOTE] > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. -### Discovering authentication failures due to authentication policies +#### Discovering authentication failures due to authentication policies To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. diff --git a/windows/keep-secure/credential-guard-requirements.md b/windows/keep-secure/credential-guard-requirements.md index f1d8842363..88c7586bba 100644 --- a/windows/keep-secure/credential-guard-requirements.md +++ b/windows/keep-secure/credential-guard-requirements.md @@ -1,6 +1,6 @@ --- title: Credential Guard Requirements (Windows 10) -description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +description: Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -15,9 +15,11 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations). +For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so application that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, see the tables in the [Security Considerations](#security-considerations) section. 
-### Hardware and software requirements + + +## Hardware and software requirements To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: - Support for Virtualization-based security (required) @@ -26,13 +28,13 @@ To provide basic protection against OS level attempts to read Credential Manager - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) The Virtualization-based security requires: -- 64 bit CPU +- 64-bit CPU - CPU virtualization extensions plus extended page tables - Windows hypervisor -### Application requirements +## Application requirements -When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. +When Credential Guard is enabled, specific authentication capabilities are blocked, so application that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. >[!WARNING] > Enabling Credential Guard on domain controllers is not supported.
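Review bot: both rewritten sentences in this file introduce the same grammar error: "Additionally Credential Guard blocks specific authentication capabilities, so application that require such capabilities will break." (hunk @@ -15,9 +15,11 @@) and "When Credential Guard is enabled, specific authentication capabilities are blocked, so application that require such capabilities will break." (hunk @@ -26,13 +28,13 @@) should both read "applications that require"; the second added line also carries "compatiblity", which should be "compatibility". In the same hunk the unchanged lead-in "To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:" names the wrong component; the list that follows (virtualization-based security, Secure Boot, UEFI lock) is what Credential Guard uses, so this should say "Credential Guard uses:".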
@@ -47,14 +49,14 @@ Applications will break if they require: - Extracting the Kerberos TGT - NTLMv1 -Applications will prompt & expose credentials to risk if they require: +Applications will prompt and expose credentials to risk if they require: - Digest authentication - Credential delegation - MS-CHAPv2 Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. -### Security considerations +## Security considerations All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. @@ -64,7 +66,7 @@ The following tables describe baseline protections, plus protections for improve > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
-#### Baseline protections +### Baseline protections |Baseline Protections | Description | |---------------------------------------------|----------------------------------------------------| @@ -78,7 +80,7 @@ The following tables describe baseline protections, plus protections for improve > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. -#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 +### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| @@ -88,7 +90,7 @@ The following tables describe baseline protections, plus protections for improve
-#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 +### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 > [!IMPORTANT] > The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. @@ -101,11 +103,11 @@ The following tables describe baseline protections, plus protections for improve
-#### 2017 Additional security qualifications starting with Windows 10, version 1703 +### 2017 Additional security qualifications starting with Windows 10, version 1703 The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code

**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code

**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | diff --git a/windows/keep-secure/credential-guard-scripts.md b/windows/keep-secure/credential-guard-scripts.md index 5d7eb958a6..afa388bb8f 100644 --- a/windows/keep-secure/credential-guard-scripts.md +++ b/windows/keep-secure/credential-guard-scripts.md @@ -1,7 +1,6 @@ --- title: Credential Guard Scripts (Windows 10) -description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: +description: Credential Guard Scripts listed in this topic for Windows 10, for obtaining the available issuance policies on the certificate authority. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 2cc6cd8b31..4648f91a82 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
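Review bot: the @@ -101,11 +103,11 @@ hunk fixes "exceutable" and "volitile" in the NX-protection row but leaves the adjacent SMM-protection row's first security benefit ungrammatical: "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)" has two predicates. Either shorten it to "Protects against potential vulnerabilities in UEFI runtime services, if any (such as in functions like UpdateCapsule and SetVariable)" or mirror the NX row's wording "Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS". In the rewritten NX row, "UEFI runtime service must meet these requirements:" should be "UEFI runtime services must meet these requirements:" to agree with the preceding bullet, which speaks of runtime service code and data regions in the plural.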
@@ -21,13 +21,33 @@ By enabling Credential Guard, the following features and solutions are provided: - **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. - -• How to prevent credential theft -• Virtualization-based security -• Credential Guard Design +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. 
+## Topics in this guide + +[How Credential Guard works](credential-guard-how-it-works.md) + +[Credential Guard Requirements](credential-guard-requirements.md) + +[Manage Credential Guard](credential-guard-manage.md) + +[Considerations when using Credential Guard](credential-guard-considerations.md) + +[Scenarios not protected by Credential Guard](credential-guard-not-protected-scenarios.md) + +[Known issues](credential-manager-known-issues.md) + +[Credential Guard Scripts](credential-guard-scripts.md) + + +
For further information, see: + +[How to prevent credential theft](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=CAgzpKJyC_304300474) + +[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474) + +[Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) ## Related topics diff --git a/windows/keep-secure/credential-manager-known-issues.md b/windows/keep-secure/credential-manager-known-issues.md index dae1ef2c13..b7dc37dac3 100644 --- a/windows/keep-secure/credential-manager-known-issues.md +++ b/windows/keep-secure/credential-manager-known-issues.md @@ -1,7 +1,6 @@ --- title: Known issues with Credential Manager (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From 8f10d00c003431113b81cd6daa0221623e9bdde6 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Tue, 21 Mar 2017 10:19:59 -0700 Subject: [PATCH 3/6] cred guard edits --- .../credential-guard-considerations.md | 10 +- .../credential-guard-how-it-works.md | 18 +- .../keep-secure/credential-guard-manage.md | 45 +- ...redential-guard-not-protected-scenarios.md | 21 +- .../credential-guard-requirements.md | 16 +- .../keep-secure/credential-guard-scripts.md | 2 +- windows/keep-secure/credential-guard.md | 924 +++++++++++++++++- .../credential-manager-known-issues.md | 2 +- 8 files changed, 987 insertions(+), 51 deletions(-) diff --git a/windows/keep-secure/credential-guard-considerations.md b/windows/keep-secure/credential-guard-considerations.md index 2e8153173f..01b80bc01c 100644 --- a/windows/keep-secure/credential-guard-considerations.md 
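Review bot: the "For further information" links added to credential-guard.md label `l=1CoELLJyC_6704300474` as "Virtualization-based security" and `l=mD3geLJyC_8304300474` as "Credential Guard Design", but the credential-guard-considerations.md and credential-guard-how-it-works.md hunks earlier in this same patch label `l=mD3geLJyC_8304300474` as "Virtualization-based security"; one of the two labellings is wrong, so check which segment each link opens and use the same title for it in every topic. The credential-manager-known-issues.md hunk only removes the ms.assetid and keeps the description "Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets...", even though the stated purpose of this patch ("Added topic descriptions") is to replace that boilerplate with a topic-specific description in every file; give this file its own description too.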
+++ b/windows/keep-secure/credential-guard-considerations.md @@ -15,6 +15,14 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 +Prefer video? See: + +[![Credentials Protected by Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) + +See also: +[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474) + + - If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain. - You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. @@ -44,5 +52,3 @@ When you enable Credential Guard, you can no longer use NTLM v1 authentication. ## Kerberos Considerations When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. - -For further information, see: [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) \ No newline at end of file diff --git a/windows/keep-secure/credential-guard-how-it-works.md b/windows/keep-secure/credential-guard-how-it-works.md index bf5aa31aae..480d0af052 100644 --- a/windows/keep-secure/credential-guard-how-it-works.md +++ b/windows/keep-secure/credential-guard-how-it-works.md 
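Review bot: the video thumbnail in this hunk is captioned "Credentials Protected by Credential Guard" but links to `l=mD3geLJyC_8304300474`, which the credential-guard.md topic list and the how-it-works hunk in this same patch call "Credential Guard design" (they point "Credentials protected by Credential Guard" at `l=pdc37LJyC_1204300474`); fix either the target or the caption. The "See also" link to "Virtualization-based security" replaces the "For further information" link deleted at @@ -44,5 +52,3 @@, which is fine, but the inserted block now sits directly between the "Applies to" list and the bulleted considerations ("- If Credential Guard is enabled on a device after it's joined to a domain..."), leaving that list without a lead-in sentence; add a one-line introduction before the bullets.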
@@ -15,6 +15,19 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 + +Prefer video? See: + +[![Protecting against credential theft](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=CAgzpKJyC_304300474) + +See also: + +[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) + +[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474) + +[Credential Guard design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) + Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. 
@@ -25,7 +38,4 @@ When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos Here's a high-level overview on how the LSA is isolated by using virtualization-based security: -![Credential Guard overview](images/credguard.png) - - -
For further information, see [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) +![Credential Guard overview](images/credguard.png) \ No newline at end of file diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md index 588d7e00f7..a2653dacf3 100644 --- a/windows/keep-secure/credential-guard-manage.md +++ b/windows/keep-secure/credential-guard-manage.md @@ -15,6 +15,12 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 + + + +[![Deploying Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) + + ## Enable Credential Guard Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). @@ -85,7 +91,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window > [!NOTE] -> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. +> You can also enable Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. ### Enable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool 
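Review bot: in credential-guard-manage.md, the @@ -85,7 +91,7 @@ change rewrites the note from "turn on Credential Guard" to "enable Credential Guard", but the headings it sits under still read "Turn on Credential Guard by using Group Policy" and "...by using the registry" (the `#turn-on-credential-guard-by-using-...` anchors in the unchanged "Credential Guard can be enabled by using" line confirm this), so one section now mixes both terms; either rename the headings and anchors together or leave the note as it was. In the @@ -15,6 +15,12 @@ hunk the badge is inserted with three blank lines above and two below and with no "Prefer video?" lead-in, unlike the other files that get a badge; use the same lead-in and single blank lines. In credential-guard-how-it-works.md, the @@ -25,7 +38,4 @@ hunk deletes the image line and re-adds it only to drop the trailing newline; keep the newline so the file ends cleanly and the hunk reduces to removing the "For further information" line.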
@@ -110,7 +116,24 @@ Requirements for running Credential Guard in Hyper-V virtual machines - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. -For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) + +### Check that Credential Guard is running + +You can use System Information to ensure that Credential Guard is running on a PC. + +1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. +2. Click **System Summary**. +3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. + + Here's an example: + + ![System Information](images/credguard-msinfo32.png) + +You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v3.0.ps1 -Ready +``` ### Remove Credential Guard 
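Review bot: the moved "Check that Credential Guard is running" section keeps the `DG_Readiness_Tool_v3.0.ps1 -Ready` snippet in an untagged code fence; tag it as powershell, since that is what the reader types it into, and say where the script is expected to be run from, because it is shown as a bare file name with no path. The section also stops at msinfo32 and the readiness tool, while credential-guard-considerations.md earlier in this patch says the regular review "can be done with security audit policies or WMI queries" and lists the WinInit event IDs to look for; cross-link the two so the event-ID list is discoverable from the verification steps. Placing the check before "Remove Credential Guard" is the right order.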
@@ -168,21 +191,3 @@ You can also disable Credential Guard by using the [Device Guard and Credential DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot ```   -### Check that Credential Guard is running - -You can use System Information to ensure that Credential Guard is running on a PC. - -1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. -2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. - - Here's an example: - - ![System Information](images/credguard-msinfo32.png) - -You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v3.0.ps1 -Ready -``` -For further information, see: [Deploying Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) \ No newline at end of file diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md index 240fbc29b5..c6b43cbd64 100644 --- a/windows/keep-secure/credential-guard-not-protected-scenarios.md +++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md @@ -15,6 +15,15 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 +Prefer video? + +[![Credentials not protected by Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) + + + +See also: [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) + + Some ways to store credentials are not protected by Credential Guard, including: - Software that manages credentials outside of Windows feature protection 
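Review bot: in credential-guard-not-protected-scenarios.md the new badge is captioned "Credentials not protected by Credential Guard" but points at `pdc37LJyC_1204300474`, the id that credential-guard-how-it-works.md and the "For further information" link later in this same file both caption "Credentials Protected by Credential Guard"; one id cannot be both, so correct the caption or the id. With the badge at the top, the "For further information, see video:" line in the next hunk links the same id a second time and can be dropped, as the other files do. The block removed from credential-guard-manage.md in @@ -168,21 +191,3 @@ matches the block re-added at +116 line for line, so that move is clean apart from the file now ending without a newline.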
@@ -28,11 +37,11 @@ Some ways to store credentials are not protected by Credential Guard, including: - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. - Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well. -For further information, see: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) +For further information, see video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) ## Additional mitigations -Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust. +Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. 
These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. ### Restricting domain users to specific domain-joined devices @@ -50,10 +59,10 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, #### Protecting domain-joined device secrets -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: -- Devices' accounts are in Windows Server 2012 domain functional level or higher domains. +- Devices' accounts are in Windows Server 2012 domain functional level or higher. - All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - KDC EKU present - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension 
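Review bot: the re-flowed "Additional mitigations" paragraph in @@ -28,11 +37,11 @@ still says attackers may be "reusing previously stolen credentials prior to Device Guard"; in a Credential Guard topic this should read "prior to Credential Guard" (credentials harvested before the feature was enabled), and since the line is being rewritten anyway this is the moment to fix it. In @@ -50,10 +59,10 @@, dropping "domains" from "Windows Server 2012 domain functional level or higher domains" leaves "Devices' accounts are in Windows Server 2012 domain functional level or higher", which no longer says what contains the accounts; suggest "Device accounts are in domains at Windows Server 2012 domain functional level or higher". In the same hunk, "prevents shared secrets stolen from the device to be used" should be "from being used".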
@@ -131,7 +140,7 @@ Authentication policies have the following requirements: 2. Click **Authentication**, click **New**, and then click **Authentication Policy**. 3. In the **Display name** box, enter a name for this authentication policy. 4. Under the **Accounts** heading, click **Add**. -5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you with to restrict, and then click **OK**. +5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. 6. Under the **User Sign On** heading, click the **Edit** button. 7. Click **Add a condition**. 8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. @@ -148,5 +157,3 @@ Authentication policies have the following requirements: To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). - -For further information, see: [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) \ No newline at end of file diff --git a/windows/keep-secure/credential-guard-requirements.md b/windows/keep-secure/credential-guard-requirements.md index 88c7586bba..4d095e5eab 100644 --- a/windows/keep-secure/credential-guard-requirements.md +++ b/windows/keep-secure/credential-guard-requirements.md 
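Review bot: each of the four files touched so far ends with "\ No newline at end of file" after this patch, introduced by deleting the trailing "For further information" line without keeping a terminating newline (here in @@ -148,5 +157,3 @@, and likewise in credential-guard-considerations.md, credential-guard-how-it-works.md and credential-guard-manage.md); restore the final newline in each so later diffs do not show spurious changes. The "you with" to "you wish" fix in step 5 is correct.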
@@ -15,7 +15,16 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so application that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, see the tables in the [Security Considerations](#security-considerations) section. +Prefer video? + +[![Credential Guard Deployment Requirements](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) + + + + + + +For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. 
For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). @@ -34,7 +43,7 @@ The Virtualization-based security requires: ## Application requirements -When Credential Guard is enabled, specific authentication capabilities are blocked, so application that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. +When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. >[!WARNING] > Enabling Credential Guard on domain controllers is not supported.
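Review bot: the rewritten application-requirements sentence in @@ -34,7 +43,7 @@ fixes "application" to "applications" but keeps "compatiblity"; make it "compatibility" in the same line. In @@ -15,7 +15,16 @@, the badge is captioned "Credential Guard Deployment Requirements" yet links to `sRcyvLJyC_3304300474`, the id credential-guard-manage.md captions "Deploying Credential Guard"; align the caption with the module title. The badge is also followed by six blank lines before the paragraph, where one is enough. Breaking the intro paragraph so that "For detailed information on baseline protections ... refer to the tables in Security Considerations" sits on its own line is harmless, but the two lines still render as one paragraph; if a paragraph break was intended, add a blank line.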
@@ -56,6 +65,9 @@ Applications will prompt and expose credentials to risk if they require: Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. +See this video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) + + ## Security considerations All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. diff --git a/windows/keep-secure/credential-guard-scripts.md b/windows/keep-secure/credential-guard-scripts.md index afa388bb8f..5cb5a2404a 100644 --- a/windows/keep-secure/credential-guard-scripts.md +++ b/windows/keep-secure/credential-guard-scripts.md @@ -11,7 +11,7 @@ author: brianlic-msft # Credential Guard Scripts -Here is a list of scripts that are mentioned in this topic. +Here is a list of scripts mentioned in this topic. ## Get the available issuance policies on the certificate authority diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 3a6708c194..48a4a133a8 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,6 +1,7 @@ --- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
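Review bot: "See this video:" in credential-guard-requirements.md (@@ -56,6 +65,9 @@) is a fourth variant of the lead-in after "Prefer video? See:", "Prefer video?" and no lead-in at all; settle on one wording for the series. The added link also points at `pdc37LJyC_1204300474` under the caption "Credentials Protected by Credential Guard", so whatever resolution of the protected/not-protected id clash is chosen for credential-guard-not-protected-scenarios.md has to be applied here as well. The ms.assetid added to the credential-guard.md front matter and the "that are mentioned" trim in credential-guard-scripts.md are fine.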
@@ -15,41 +16,936 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. +Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. By enabling Credential Guard, the following features and solutions are provided: - **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. 
While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. + +## How it works + +Kerberos, NTLM, and Credential manager isolate secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. + +For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. 
+ +When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. + +When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. + +Here's a high-level overview on how the LSA is isolated by using virtualization-based security: + +![Credential Guard overview](images/credguard.png) + +## Requirements + +For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations). 
+ +### Hardware and software requirements + +To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: +- Support for Virtualization-based security (required) +- Secure boot (required) +- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) +- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) + +The Virtualization-based security requires: +- 64 bit CPU +- CPU virtualization extensions plus extended page tables +- Windows hypervisor + +### Application requirements + +When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. + +>[!WARNING] +> Enabling Credential Guard on domain controllers is not supported.
+> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. + +>[!NOTE] +> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). + +Applications will break if they require: +- Kerberos DES encryption support +- Kerberos unconstrained delegation +- Extracting the Kerberos TGT +- NTLMv1 + +Applications will prompt & expose credentials to risk if they require: +- Digest authentication +- Credential delegation +- MS-CHAPv2 + +Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. + +### Security considerations + +All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. +Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. +The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. + +> [!NOTE] +> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
+> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+ +#### Baseline protections + +|Baseline Protections | Description | +|---------------------------------------------|----------------------------------------------------| +| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | +| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).

**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)

**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | + +> [!IMPORTANT] +> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. + +#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 + +| Protections for Improved Security | Description | +|---------------------------------------------|----------------------------------------------------| +| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation

**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | + +
+ +#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 + +> [!IMPORTANT] +> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. + +| Protections for Improved Security | Description | +|---------------------------------------------|----------------------------------------------------| +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | + +
+ +#### 2017 Additional security qualifications starting with Windows 10, version 1703 + +The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. + +| Protection for Improved Security | Description | +|---------------------------------------------|----------------------------------------------------| +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code

**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | + +## Manage Credential Guard + +### Enable Credential Guard +Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). + +#### Turn on Credential Guard by using Group Policy + +You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. + +1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. +2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. +3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. +4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**. + + ![Credential Guard Group Policy setting](images/credguard-gp.png) + +5. Close the Group Policy Management Console. + +To enforce processing of the group policy, you can run ```gpupdate /force```. + +#### Turn on Credential Guard by using the registry + +If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. + +#### Add the virtualization-based security features + +Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. + +If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. 
+You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). +> [!NOTE] +> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. + +  +**Add the virtualization-based security features by using Programs and Features** + +1. Open the Programs and Features control panel. +2. Click **Turn Windows feature on or off**. +3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +4. Select the **Isolated User Mode** check box at the top level of the feature selection. +5. Click **OK**. + +**Add the virtualization-based security features to an offline image by using DISM** + +1. Open an elevated command prompt. +2. Add the Hyper-V Hypervisor by running the following command: + ``` + dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all + ``` +3. Add the Isolated User Mode feature by running the following command: + ``` + dism /image: /Enable-Feature /FeatureName:IsolatedUserMode + ``` + +> [!NOTE] +> You can also add these features to an online image by using either DISM or Configuration Manager. + +#### Enable virtualization-based security and Credential Guard + +1. Open Registry Editor. +2. Enable virtualization-based security: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. + - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. + - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. +3. Enable Credential Guard: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. + - Add a new DWORD value named **LsaCfgFlags**. 
Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. +4. Close Registry Editor. -## Topics in this guide +> [!NOTE] +> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. -[How Credential Guard works](credential-guard-how-it-works.md) + +#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool -[Credential Guard Requirements](credential-guard-requirements.md) +You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). -[Manage Credential Guard](credential-guard-manage.md) +``` +DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot +``` -[Considerations when using Credential Guard](credential-guard-considerations.md) +#### Credential Guard deployment in virtual machines -[Scenarios not protected by Credential Guard](credential-guard-not-protected-scenarios.md) +Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine. -[Known issues](credential-manager-known-issues.md) +Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: -[Credential Guard Scripts](credential-guard-scripts.md) +``` PowerShell +Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true +``` +Requirements for running Credential Guard in Hyper-V virtual machines +- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. 
+- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. -
For further information, see: +### Remove Credential Guard -[How to prevent credential theft](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=CAgzpKJyC_304300474) +If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). -[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474) +1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). +2. Delete the following registry settings: + - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures -[Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) + > [!IMPORTANT] + > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. +3. Delete the Credential Guard EFI variables by using bcdedit. +**Delete the Credential Guard EFI variables** + +1. 
From an elevated command prompt, type the following commands: + ``` syntax + + mountvol X: /s + + copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y + + bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader + + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" + + bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} + + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO + + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: + + mountvol X: /d + + ``` +2. Restart the PC. +3. Accept the prompt to disable Credential Guard. +4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. + +> [!NOTE] +> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + +For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). + + +#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool + +You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot +``` +  +### Check that Credential Guard is running + +You can use System Information to ensure that Credential Guard is running on a PC. + +1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. +2. Click **System Summary**. +3. 
Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. + + Here's an example: + + ![System Information](images/credguard-msinfo32.png) + +You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v3.0.ps1 -Ready +``` + +## Considerations when using Credential Guard + +- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain. +- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: + - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 + - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. + - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. + - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. + - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] + - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] + You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. + - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. 
New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. +- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. +- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. +- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. + +- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. 
Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: + - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". + - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. + - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. + - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. + +### NTLM & CHAP Considerations + +When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. + +### Kerberos Considerations + +When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. 
+ +## Scenarios not protected by Credential Guard + +Some ways to store credentials are not protected by Credential Guard, including: + +- Software that manages credentials outside of Windows feature protection +- Local accounts and Microsoft Accounts +- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise. +- Key loggers +- Physical attacks +- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization. +- Third-party security packages +- Digest and CredSSP credentials + - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. +- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well. + +## Additional mitigations + +Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. 
Because of this, additional mitigations also need to be deployed to make the domain environment more robust. + +### Restricting domain users to specific domain-joined devices + +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices with Credential Guard? By deploying authentication policies which restrict them to specific domain-joined device that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. + +#### Kerberos armoring + +Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. + +**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** + +- Users need to be in domains which are running Windows Server 2012 R2 or higher +- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. +- All the devices with Credential Guard which the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. 
+ +#### Protecting domain-joined device secrets + +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user. + +Domain-joined device certificate authentication has the following requirements: +- Devices' accounts are in Windows Server 2012 domain functional level or higher. +- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: + - KDC EKU present + - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension +- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. +- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. + +##### Deploying domain-joined device certificates + +To guarantee that certificates with the issuance policy required are only on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. + +For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. + +**Creating a new certificate template** + +1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** +2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. +3. 
Right-click the new template, and then click **Properties**. +4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. +5. Click **Client Authentication**, and then click **Remove**. +6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: + - Name: Kerberos Client Auth + - Object Identifier: 1.3.6.1.5.2.3.4 +7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. +8. Under **Issuance Policies**, click**High Assurance**. +9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. + +Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. + +**Enrolling devices in a certificate** + +Run the following command: +``` syntax +CertReq -EnrollCredGuardCert MachineAuthentication +``` + +> [!NOTE] +> You must restart the device after enrolling the machine authentication certificate. +  +#### How a certificate issuance policy can be used for access control + +Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. + +**To see the issuance policies available** + +- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. 
+ From a Windows PowerShell command prompt, run the following command: + + ``` syntax + .\get-IssuancePolicy.ps1 –LinkedToGroup:All + ``` + +**To link a issuance policy to a universal security group** + +- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. + From a Windows PowerShell command prompt, run the following command: + + ``` syntax + .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" + ``` + +#### Restricting user sign on + +So we now have the following: + +- Created a special certificate issuance policy to identify devices which meet the deployment criteria required for the user to be able to sign on +- Mapped that policy to a universal security group or claim +- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring, so what is left to do is configuring the access check on the domain controllers. This is done with authentication policies. + +Authentication policies have the following requirements: +- User accounts are in a Windows Server 2012 domain functional level or higher. + +**Creating an authentication policy restricting to the specific universal security group** + +1. Open Active Directory Administrative Center. +2. Click **Authentication**, click **New**, and then click **Authentication Policy**. +3. In the **Display name** box, enter a name for this authentication policy. +4. Under the **Accounts** heading, click **Add**. +5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. +6. Under the **User Sign On** heading, click the **Edit** button. +7. Click **Add a condition**. +8. 
In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. +9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. +10. Click **OK** to close the **Edit Access Control Conditions** box. +11. Click **OK** to create the authentication policy. +12. Close Active Directory Administrative Center. + +> [!NOTE] +> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. + +#### Discovering authentication failures due to authentication policies + +To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. + +To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). + +## Appendix: Scripts + +Here is a list of scripts that are mentioned in this topic. + +### Get the available issuance policies on the certificate authority + +Save this script file as get-IssuancePolicy.ps1. 
+ +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$Identity, +$LinkedToGroup +) +####################################### +## Strings definitions ## +####################################### +Data getIP_strings { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targetted. +help2 = Usage: +help3 = The following parameter is mandatory: +help4 = -LinkedToGroup: +help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. +help6 = "no" will return only Issuance Policies that are not currently linked to any group. +help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. +help8 = The following parameter is optional: +help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. +help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. +help11 = Examples: +errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" +ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". +ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". +ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. 
The group has the following members: +LinkedIPs = The following Issuance Policies are linked to groups: +displayName = displayName : {0} +Name = Name : {0} +dn = distinguishedName : {0} + InfoName = Linked Group Name: {0} + InfoDN = Linked Group DN: {0} +NonLinkedIPs = The following Issuance Policies are NOT linked to groups: +'@ +} +##Import-LocalizedData getIP_strings +import-module ActiveDirectory +####################################### +## Help ## +####################################### +function Display-Help { + "" + $getIP_strings.help1 + "" +$getIP_strings.help2 +"" +$getIP_strings.help3 +" " + $getIP_strings.help4 +" " + $getIP_strings.help5 + " " + $getIP_strings.help6 + " " + $getIP_strings.help7 +"" +$getIP_strings.help8 + " " + $getIP_strings.help9 + "" + $getIP_strings.help10 +"" +"" +$getIP_strings.help11 + " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" + " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" + " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" +"" +} +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +$configNCDN = [String]$root.configurationNamingContext +if ( !($Identity) -and !($LinkedToGroup) ) { +display-Help +break +} +if ($Identity) { + $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * + if ($OIDs -eq $null) { +$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity +write-host $errormsg -ForegroundColor Red + } + foreach ($OID in $OIDs) { + if ($OID."msDS-OIDToGroupLink") { +# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $groupName = $group.Name +# Analyze the group + if ($group.groupCategory -ne "Security") { +$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + } + } + return $OIDs + break +} +if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" + $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*****************************************************" + write-host $getIP_strings.LinkedIPs + write-host "*****************************************************" + write-host "" + if ($LinkedOIDs -ne $null){ + foreach ($OID in $LinkedOIDs) { +# Display basic information about the Issuance Policies + "" + $getIP_strings.displayName -f $OID.displayName + $getIP_strings.Name -f $OID.Name + $getIP_strings.dn -f $OID.distinguishedName +# Get the linked group. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $getIP_strings.InfoName -f $group.Name + $getIP_strings.InfoDN -f $groupDN +# Analyze the group + $OIDName = $OID.displayName + $groupName = $group.Name + if ($group.groupCategory -ne "Security") { + $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + write-host "" + } + }else{ +write-host "There are no issuance policies that are mapped to a group" + } + if ($LinkedToGroup -eq "yes") { + return $LinkedOIDs + break + } +} +if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" + $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*********************************************************" + write-host $getIP_strings.NonLinkedIPs + write-host "*********************************************************" + write-host "" + if ($NonLinkedOIDs -ne $null) { + foreach ($OID in $NonLinkedOIDs) { +# Display basic information about the Issuance Policies +write-host "" +$getIP_strings.displayName -f $OID.displayName +$getIP_strings.Name -f $OID.Name +$getIP_strings.dn -f $OID.distinguishedName +write-host "" + } + }else{ +write-host "There are no issuance policies which are not mapped to groups" + } + if ($LinkedToGroup -eq "no") { + return $NonLinkedOIDs + break + } +} +``` +> [!NOTE] +> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. +  +### Link an issuance policy to a group + +Save the script file as set-IssuancePolicyToGroupLink.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$IssuancePolicyName, +$groupOU, +$groupName +) +####################################### +## Strings definitions ## +####################################### +Data ErrorMsg { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. +help2 = Usage: +help3 = The following parameters are required: +help4 = -IssuancePolicyName: +help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. +help6 = The following parameter is optional: +help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. +help8 = Examples: +help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. +help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. +MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" +NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". +IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} +MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". +confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. 
Do you want to create it? +OUCreationSuccess = Organizational Unit "{0}" successfully created. +OUcreationError = Error: Organizational Unit "{0}" could not be created. +OUFoundSuccess = Organizational Unit "{0}" was successfully found. +multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". +confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? +groupCreationSuccess = Univeral Security group "{0}" successfully created. +groupCreationError = Error: Univeral Security group "{0}" could not be created. +GroupFound = Group "{0}" was successfully found. +confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? +UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. +UnlinkError = Removing the link failed. +UnlinkExit = Exiting without removing the link from the issuance policy to the group. +IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. +ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". +ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". +ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: +ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? +LinkSuccess = The certificate issuance policy was successfully linked to the specified group. +LinkError = The certificate issuance policy could not be linked to the specified group. 
+ExitNoLinkReplacement = Exiting without setting the new link. +'@ +} +# import-localizeddata ErrorMsg +function Display-Help { +"" +write-host $ErrorMsg.help1 +"" +write-host $ErrorMsg.help2 +"" +write-host $ErrorMsg.help3 +write-host "`t" $ErrorMsg.help4 +write-host "`t" $ErrorMsg.help5 +"" +write-host $ErrorMsg.help6 +write-host "`t" $ErrorMsg.help7 +"" +"" +write-host $ErrorMsg.help8 +"" +write-host $ErrorMsg.help9 +".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " +"" +write-host $ErrorMsg.help10 +'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' +"" +} +# Assumption: The group to which the Issuance Policy is going +# to be linked is (or is going to be created) in +# the domain the user running this script is a member of. +import-module ActiveDirectory +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +if ( !($IssuancePolicyName) ) { +display-Help +break +} +####################################### +## Find the OID object ## +## (aka Issuance Policy) ## +####################################### +$searchBase = [String]$root.configurationnamingcontext +$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * +if ($OID -eq $null) { +$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($OID.GetType().IsArray) { +$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +else { +$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName +write-host $tmp -ForeGroundColor Green +} +####################################### +## Find the container of the group ## +####################################### +if ($groupOU -eq 
$null) { +# default to the Users container +$groupContainer = $domain.UsersContainer +} +else { +$searchBase = [string]$domain.DistinguishedName +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +if ($groupContainer.count -gt 1) { +$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase +write-host $tmp -ForegroundColor Red +break; +} +elseif ($groupContainer -eq $null) { +$tmp = $ErrorMsg.confirmOUcreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName +if ($?){ +$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU +write-host $tmp -ForegroundColor Green +} +else{ +$tmp = $ErrorMsg.OUCreationError -f $groupOU +write-host $tmp -ForeGroundColor Red +break; +} +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name +write-host $tmp -ForegroundColor Green +} +} +####################################### +## Find the group ## +####################################### +if (($groupName -ne $null) -and ($groupName -ne "")){ +##$searchBase = [String]$groupContainer.DistinguishedName +$searchBase = $groupContainer +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +if ($group -ne $null -and $group.gettype().isarray) { +$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($group -eq $null) { +$tmp = $ErrorMsg.confirmGroupCreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice 
-eq "yes") ) { +new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" +if ($?){ +$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName +write-host $tmp -ForegroundColor Green +}else{ +$tmp = $ErrorMsg.groupCreationError -f $groupName +write-host $tmp -ForeGroundColor Red +break +} +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.GroupFound -f $group.Name +write-host $tmp -ForegroundColor Green +} +} +else { +##### +## If the group is not specified, we should remove the link if any exists +##### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" +if ($?) 
{ +$tmp = $ErrorMsg.UnlinkSuccess +write-host $tmp -ForeGroundColor Green +}else{ +$tmp = $ErrorMsg.UnlinkError +write-host $tmp -ForeGroundColor Red +} +} +else { +$tmp = $ErrorMsg.UnlinkExit +write-host $tmp +break +} +} +else { +$tmp = $ErrorMsg.IPNotLinked +write-host $tmp -ForeGroundColor Yellow +} +break; +} +####################################### +## Verify that the group is ## +## Universal, Security, and ## +## has no members ## +####################################### +if ($group.GroupScope -ne "Universal") { +$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +if ($group.GroupCategory -ne "Security") { +$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +$members = Get-ADGroupMember -Identity $group +if ($members -ne $null) { +$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} +break; +} +####################################### +## We have verified everything. We ## +## can create the link from the ## +## Issuance Policy to the group. ## +####################################### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName +write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Replace $tmp +if ($?) 
{ +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} else { +$tmp = $Errormsg.ExitNoLinkReplacement +write-host $tmp +break +} +} +else { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Add $tmp +if ($?) { +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} +``` + +> [!NOTE] +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. +  ## Related topics - [Isolated User Mode in Windows 10 with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert) diff --git a/windows/keep-secure/credential-manager-known-issues.md b/windows/keep-secure/credential-manager-known-issues.md index b7dc37dac3..bf01f06ded 100644 --- a/windows/keep-secure/credential-manager-known-issues.md +++ b/windows/keep-secure/credential-manager-known-issues.md @@ -1,6 +1,6 @@ --- title: Known issues with Credential Manager (Windows 10) -description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +description: Credential Manager - Known issues in Windows 10 Enterprise ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From 8d5c15e875b4a4fe90040b641137f68b29d26986 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Tue, 21 Mar 2017 12:27:02 -0700 Subject: [PATCH 4/6] multiple credential guard edits --- images/mva_videos.png | Bin 0 -> 140500 bytes windows/keep-secure/credential-guard.md | 921 ---------------------- windows/keep-secure/images/mva_videos.png | Bin 0 -> 140500 bytes 3 files changed, 921 deletions(-) create mode 100644 images/mva_videos.png create mode 100644 windows/keep-secure/images/mva_videos.png 
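Review bot: In the set-IssuancePolicyToGroupLink script's group-membership check, `foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}` never prints the member name: inside a double-quoted string PowerShell expands `$member` and then appends the literal text `.name`, so the line should be `write-host " $($member.name)" -ForeGroundColor Red` (or simply print `$member`, as the get-IssuancePolicy script above it does). Two smaller points in the same file: the page tells the reader to save it as set-IssuancePolicyToGroupLink.ps1, but both examples in Display-Help invoke `.\Set-IssuancePolicyToGroupMapping.ps1`, so the help text and the stated file name should agree; and the `groupCreationSuccess` and `groupCreationError` strings spell "Universal" as "Univeral". Finally, the script uses top-level `break` statements to stop after a failed check, but `break` outside a loop propagates up the call stack, so when the script is dot-sourced or called from a loop in another script it can abort the caller rather than just this script; since these are the checks that refuse to link an issuance policy to anything other than an empty universal security group, an explicit `return` or `exit 1` would make the error exits more predictable.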
diff --git a/images/mva_videos.png b/images/mva_videos.png new file mode 100644 index 0000000000000000000000000000000000000000..52ec8ee035068def0fc0ca14d2c8938cfeb89af9 GIT binary patch literal 140500
z$?S6jwEuJh?(v9QxD?cw%cy)VSl>Ux8|b>rCL4i@FPXo#7b=hEQl>!9I;oj=AJJ%S zBQ*QDI;Vt6)rGlk=ogv@jmOrJ5JarAxLSUFONA%3>YP&Nt@r$i3L-^kyJ&wMjtj&s z8tD+M`kvaAQHBEXZVIaSL~RwCYID?8qOnPNAdQ^Xl9!s)o?<);kJk4)7FsToX>3n! zBECc55>L8iD+@F#KE4a~9g_D@2!xF^2#110OkhorA0DiiM|7yw|45d}>#ow^r_ZK} zdUb6Law9*Vv&sHa;;ydZ-IWz&nyaWKzT)1zCp(+a zrrLa)Cqlf@zqrt^u4r>Ou5cJ|YpPrFnrO_MY2PitckJw3J(9ya*_G+{Kk;suY(`}C zvn6~MTV2PyFNiFG3vifoj3A>c8`$Br^0O9Kd-mDGu*-~!!xlFf86%&?>G5b zo|=Q2U}NC<-97)YVC5`)#fT^J__#T_>xV&7P17B(vGmFwED)w*1Kcf<;b0ZeLFISI zQ;o73qHXdlI(V!Aq>zXwX)M#ca7G4-BB3&J^6o%OC(#I>U1eX&(BaT1DN-`bWhSOD zq+F0nXHD7FU?P~JbE~ip&KSImwZTu@Wld5?rCj7`y|JyL12TAx6(tEm6w@AjNJ6a@ z1tp_g;HO6!kcX3J0lx9(CnX0SW4Vm}ci za9c#-xcfd!fh)|~*QW`Dsv4r2b&APo^6+>@VxeA;kK$(g&!1ZAyG4UY#6s?7+)GP( zhWHM4I6dC{?&_)drV(-mKP{diKvzycZOKg9QMAPCzPaRz+3|^`mfgqe;~ZpyDymeb zN>Q`y#=d^_PLn%ix+*w{zru=Cl72Mnme2{O6A7PdGspAFq$%E`w4BYp)L>*X&@e(s zMYImvNVR!oXJmnaO+ji9BmUb^m81e(Fn~N1S0gO2_(MjF{9H%Oe`=g`L;2VqY zLG)lep{}9+G9>)RRqDl>&qqPwDJVX`X^Q=>i>(E{N71qMge~vAf!4Chog6?V=J0ag zN|3*3gX<36!%E)n-_qy?UE^)nS>Ht!{;aKrZZ6;$2F#?+s^znV$k(=>#Uim#^1 zi7j8v?0kR5-+X^wKgtD#d8m0YE@cxUP(C}AW{tVSKvVxZY zCVs}LNUBDY3kNHgalp94?Z;PW@-HsLt&Pu4eDkL*Jc`G@W)i?<2w&3rj?I?lQoP6x ze^oXOLKldYa8JC>Dpo@T2U=+Mf+=%BUs}*9Zb44`3j5x>@MpryGRJ+POTY0=AuX$r zMlOvb&ek@bNma5)1B{1*n)CDehD9mPOgbvt>(P%!|)Zd?!^RsH$!-*SjK9&QQ+g)2yTav;! 
zcBYutN@hnKGvz4nA}rl!uuUFvB(#?u#kVP8$x zo&H)pXCG=|Bv{(^EI1o9k2c6=Uo5eBOf35#5or^}QSAuY8qG�@ixGbl2 zhQo&R$Z>aEa8fx?x?)!f?7_5{zv8YyB6AK@Z@Py(>fRzqHq<2UuRu)x!J-fYe;q|= z1Jbnm64`r(jesg15&_-AEjtfsEj^)~%YSxc`F0fUzkd#KS+3|;KCkn*9q)hb%QyRm)no$6wgUEmr6H*V_+2 zUi)kD)h^?S-@r{^tRsLE+RbZOncXK7;r>p19oN@~cNSaiTs;sEf(vJi1cEL*^=_W; zjd}M?bTy+^M9i)=nRDcwRo?SM-Z{u|u(nnwzrW@tdlHfuMWg zVphOT*V6!|R618Yqa%^wav5RLur0|6?Si%$;jw1 zg5)M|r&YWCc=#@fL)uEd1W=6;e3Q=@xa!Ngy%{#!$u<=p#6tbNR0)~l)&>{f4~D&$ zhhazb>kBUSVqA65&URi|7-ektbe45wUc-rlW{XAp{_7tLHa0rC%F)4e%NI5uMInaK ztDeAcE)7kMcp`niZ`$Gj6XKSqS zUe9H?F{+TGh1p}l%d%_hM<;~TmS4bSEgd!0+xtS^`)QZ0W7uN%(b#_fWarbsD$e?B z?tQW5#|UNKYx;%3P2Ohv&P~hfa(nJo7+3fG?8j?sZxo2@{U3_~qrD|{RN8;g!1c^mGE?duR6-@|8j0BLD$hdG^{ z^n5qE2M;-&5A(I_nN8aQ7o83tMWbgLwKh~Kfj1NCoXx{EuLBIkk8hS*p!nC_yNQE{ zKPxMHvW8x#Ikl@#Bbpss$CWj;bhZ%zN9Ih&ci4hAtxT#Lu$S^Qg24mz3yM&*r}0Ao zGhl2L8ibnqdLHcx6e5h<{1V;!Su=9STRBs}@(;uJz5p%g!Oyd;`E6n~*X=BR`yGae zp+OKH35DvczWbUYo7WPL=x{pxhO#E3X|S}p?_Q2TEJ`U~I>Y=Qi#>AipFx7eN2CS1 z2$pME!P-R-JD>V{932yH)xp~*^^BmdF9aYFDu7A4F`H`JS@ilDe03{hn?-d^Lu+WO zd#QLbSc5%PO}*_XwMKlNliO?zm&duj-de*vPX&X(?Pc#S-AOFl;3C!M+3ZNL5N6Xi zh7!b1WOPtb0U>ptrlJv84$id4WlG>;#wREtlS7jz=1itSG#G?l=Wap{FEjXc6EW%Q z0Is|Dv8s561${XubL>oi7p=@9nM~v}Hb*PQ;wU0`c!4m3G8hIK@RzzKRe^e@5L#wM zMYd~1rt1XBJ}#~pPHA=pX`7lV77c*XygsGiVUUgV!RKt9Z@!N8zuirT0q;+fOU?Er z)&u?9B%^Zb^DsyRr*3Vl%}gvy!7s>2Tnm-4cP|dD`$K*YD|fM+O4f3LS}2*@AYfJ- z6>B3^ZB?~~COui46gnue>7;1bLLZxr?Q|`Uu=I{MTG8)%8CmFB%REzF_%Xi6Z{GC3lT@O%u2o%AQl zRfp*H0;C(2hPjI1!B!N#0BO{b7kXWviKQ_Z|+9ogM>1(WNvi&=ecM1}>O4&ndhOAL-6|sfxGxpD3H@B7b&_+z`(TZo z?K8RlaCc~Fa9wdWsIe_Z{EXu?LDoqaT@JWgQ|xc`{5$XSspYU@g?(t*js5bEMcQw* z2--$i2ICQCG`^$j z8e6{a80J0}dh!HyEVuwNT+4FygQ{5trfU;FSHe@XpRIC`)e47&mS?)!>m4t-;m_*^ zEvaV#cCDf?xcjZ7qPF;(*Y2#Dk0jLQ9yWr;852@{p3QS6p;2u?0-~7(6-dMN2W9A< zl5pNk4Bd&RkU|r+iJ8~8{{6eCVA*p?MB>)7)ky`vtK~4U)F)pDq(s>6kRgqdx=N3x zuDSOWm3M%aiD*3H@}IMBXNKSj^MMp|W1twZ%#l{HSTy zH6b9)XiXS3Fco4&Bfe{tiHahGsnGnSUkyjD?Rq23V}(Y*6GwB@$Zjmd{Scc(KRU;_hS+D 
z>i6frb`v+f;u+wsmsRkCw*%j#;)rx;%hoR#>Y;>LOCG2LUOP>t6!!KJAV{%_jPGka z4EXS3!v2q^bMUJ4{rd3fWS?wKO}5=M*|s@ZldZ{~Y&X@(c9X5i_GDYX-u15e{tMUI z_w(HN>}x|(*RJwfl+Ln0l=!^~b-BIP<#_a{@UG2sa1lQzzB|sYx$&=_-G1u*Dm?Z% zaX*OUYRrXVwxU|wt zPaf}IU8KkHkL$~H=dwVFT-|&{ONVyH_C=s1&#zKIVD4X>QDK~S-jj&Fop^+_`jTPy60>s^7F`>lV>I zRNGF!Y?0a7w2^b};t7jNjEls@33D7Yd@+?Lae%##jnkCr@w6R;O2X&1u{{C4=30BI z3mPmVpG51?Mg&Yas;P~|u}3C5_meHt%yrHh{KiZO!V!gol|Xj(tkEww0CIRiMK1j+ z26jM3M6htA@9NN2-|DFJQxrM~SbbsPKp8+**RLX!4(<}&hSFj*&9xE3ODyvMiYWk5 zuJ-Pv*Z;974o>f*r08q4`cd$aryG6dzb0P*aifU2CbR*9Re9A+i?#(sy=SaaI^5{;sHLmI4CI!4wPEJZB92;?gqr!sJzj*y!BV)*OaeTU}!-KOdJ4=Gt{m{drI5 z9SIQ%vhj{HDQIb#6zO#YHokwxSJ|R$m>Xddg2I4A6P2pYo@k)++NP8@OBqcfrAB<- z$(@(4FEX~n7O}@9`fe6G_=aP$}E?Ji*Uyrx&3|V z_UvgXp6~qShne_*ew6`sk<8Er>awA=Nz2>h`D%Zs3p;5%%~fq86FT0(%W{6t1cOlf zU~0vj6(3CXAJ*%pRR{)mN-7J?7i?b(**j%q^aRzX7`58c2Lkt>59XEqI+h z1a;)Z4PK8>yY5K1Oz}A6c4!wE+fI!KI8gp9V)e&t$Vd3=^Uy}rlB7oEt15{0U~$`0 zg;n7)ZBNoQ4E|%Gz}Sy~+*61of80r0i&*^jK%rQ<>%GPH>xFbc3d**o%;-~qGaC1{ zRN4xwwasj zUu<8xDT^bI9jgCGW?*Jca7>`*GwE`II_n$ zcVts|RWdc6D3wrVdiMt^#T+}zxXC&fKwg^)IuXcN0R-|-ou)%L!o4WCQcC}0=Ynx5 zOeQC#mjMUZWbUoquzXB5C13X*l!JkqWq8iYXR;Xzh;^E7)G1y`A6=IT6pQag3<_+ z{FPtfA+c{RS4uCCUbekfTH%22Uo+eD*Jyy3w>hdd2$b^ojv>t|EC}pxyPCT=stiiS zf8oUqZ8s6FNGDBo-BpGa%8DN5dHY~aWnrJP#^y45TWOJ^LNh8WrMolzGfx{w+81bQ z^Ud^7f9=`Sb+%6b88so{>Q>ZF$UAfM-!RHV|I+I;#G>D2KQxenFfMz7pg=-iEs9g zb1&Y$%Az6ekMs?B^qpTxzGbIK(pst9yM|5i-To?bp#EFXp ztND94e*^?tR?uZLdIuI669RdWRQ6L|otQ%fv?}^{Z~*E=%dmS?+De1T{h^neIgGmc zJWRp#%f}tBkn_vpbS-_|*q__rxFt^O!H+n+d$r1Lqz<;5ok3>SAvy18v;rQ~@uF01 zg$p(S87*iy%F!Pw^^>h$s*nk5%lTB^upwZAXMyyO0{3-&+qsXsNnlhp4$n85cU5IO(sk)ChsGD^CC3iWIxW%+7a)s9qV$Lig6Y4&Q?VEpqY50l&!=L`me+-?-GHHV>_K? 
z)`j!2JFhHtx=B{r+KM4Gq7Y|}oPR9TcFe1l?kt+<$Ih2KqfuLz*2lJBW7m8pU%eDo z)=qED4?IIr1lyV0xEIbBi(Mxm986A4`KJRQf@W*ONuAiwvh5l~jBe`>anSSp1EaUo z#G-5aca4lJcC1P)h>LHL`>5R^F|vsXVPFsev&H})YD0bk{p&AgId6u4vE^&j04zAv z+c74JIX_acfEn!TGO*&m>eJC}-~fNv?by?~X%J$}wBo*qI831LUV$|~u|1FjSEieT z!;F_mCnsHVyx%aAllRp%V&%%<`4)~{kB1A>qjbR7Xv+h5g&!g4PtW%Y1xkL;^F9ZH zMx)!ASyAPeAbQ7HkhXCBP%0UsQVH=t7HB|=G2tlL;GZmb=E9_d)%FK54dXpEudy5l zg5h3rr{a9B<5{o40!?d=-vo#k62o1T?G?C~GM}601Y79MrQ9LoQU{FP!>L`kedzD-ixgu^)ZeUyqy+HR18aj8j)w=7lzlZaDj6yrDowd z^nh;%08MbNM0%3KQq8~x5}fbn3ij)Fb+EOyMC62NUx{=Y1dd_R!l?0nc{|ZU-ChQo z{On*!{4GMI+3Qs|1Btzvn0?$W^GWXq8)2DI#BJ|AR`RK$=I){#k6(eXgqk#_EEF+0 zIfEn#mSbk0jW}B6R&kW_LY!8wt7Z}^OZq<+O!ul0_6{QJeD2Dft1S;1E}fMm5HX@2>V6wcHCiX@}Tm=B$Z$ z1(@?7;h2FKE-u@(9D~J=Z8!%$1BpgbmZ7byc}_!v^8~Jy z6&Jo7@EG+tjW`Di^fv~PPYnv3xuQU=ySp9CvSb~$@TFU;G)yAag2Hl=NEe|g|HIm- zOUod^D))?Bibpo3L2BkNS@AY})m9zpK7l1iyOB`Cd#7hR=h_#S46P6)^`_JrRrZ7h zAng6d4+AwiQNxx-_KCJuIyzOn+(tE0pJ=x1AB&wj!_P^8^~vAe<1aSP6?J#2iApM5 z1zXK4$Bo+kM@IxWA_j*>yJ-HMJNbjqMzb99J6cnmBYr%hGdi)hvntWRSsO zToh2`>@c!FK07C058Tzg-01P0^L>AK$otyy$TO-|zDbqYasM#l&Riy^k1~)rZTj0E zek(U0xocHWDaH(6X-wi(o=d}(VGrR=-pB-x<1d5$@6M3q2t`@eDR23>`}h1>&OxII z-*E_V8BDw{=8X7n#P7(U-w9fdK&M4-F;WOTY8TcZ1CQOfRVXoal=%~(_ud0mm0b_I zo8><$`AD+_CH~vY1sw?`)Jj7u@8oALd#7)Q^KlCQSg=A#rQ9Bi!u!FPA>q^cMclHE zeDX=}93AdDqQuIKf}qIF)=;;GAL5HZVb%)prv)A-yt5cnE0cRumzjl!#RcIjN(0IA z0j`Oy8MDT1e{mk?ThfSh zaIkUAuaVHeO|>$gqjM1&;S7mX=cq?LvnIT&R)$M8%vZ2+IJrVUkCv64jo&!$e+osl zTWk2ZGAga9tYm;gx&DbuR%cM5C`FyX6N)!vWR}!pMBuGjSZz%8q1QK>z zCdu(n!TpI?{#9J;T?&bl9Qb%N>;XyMi$VBf1dGBNo9Q15?p+||s`_4lZ$y4a#4y#A z^v|yzDxHLHWP5&=g}yZFS>CQ!aU@sL@R7 zh{){M8#_J&o|>_k!Gg=flJoH>%XEA|7+fk^EKkL>i$E)8|)4-h)~sIeD=rJ>I&HDA}>+-rxBCtd(oqy>GQG)n?|tzQr5oSJlh7 zF}v=EjRUsVPPjp(_u`2FqWn0Vbd#+r`UFxS7D^jFrvP)ZyP!{i|dUvBDD9A+sx?lfqcx4-p~h;8bL?!MY;`n1ty1Cum$9D7UTV^)0{Uc0Q|3*mVlE6>Y4ya5vR6uUMvd z#9QE{t%CZ2TtI#QKbK$TzI`i~s!BRvYq51^)}$P1W0RY!u(!bmC!26z{Qackc4BjT z0MK1ycbUZ{hhNgDj7;Aj9`4gz@{OPY<{%;_Gr}J0z0Mm{vHtfTfqvF|pv=@4z@z@H 
zCS(F&_(H-(b|R(;tz-o;J1IXw0Jn~6_5?b+<<{JH)K7g&VEj5I`I7%=Goyk-}~_rfYD91@W`er>V`1Xrk7ir{Yq%+>XDryrjOkM=A0C=-{3ho(bE$cI7x4% z9nD`jmjApn{Y`Vh1(uX;$&}r}g$)m7ptr}nYvJsB>eBoKXL6i()=Mrf8G8P;(-b7g z;I0~mG!YVyf^9ZO3!jNTR^qsv?llD3zhY>`jBe$_L8Gzy2aDQ0mRtH8ed$rWQ8CJ7 zoFaNaJ*1i62%G?4GRNIEoz1Y+b7?)cBGUsW1nKvq$JRz?Wsb45!hdU|PllMB2M!hZ zH7snru;N*(@;F>%vm>hv6Cj}-imbR;noK(m1s!nHYw4Fw@{g+? zLdYJP)C4ij*~C-`k&nLeTwL@Cm(~1BxyUB>YX^(1>Z4Hj)tDCMRogVrTCHfG zeLnChVqJ-?&SIwv3s)-MNCfLBn?Y4CDDF=Ngm7XSKa=)nI+{^@LuJ1Ie0LF~xWR#jMQCf0ehr{>WGp2yST5DL_o9Na~+`>qVXGWNi@*Km7?XbiX zMVS7>Ik9vEGxo&>hz5d(DB#8wlz5kUIMqo@QWY zb;nq6#8_sJs~ZZ&8(ftP9C~;rkbm?>%ePe=56^=m*Yv$u@uS5*9q5|ZMtw73hgm_I zpSMwCV6Z#9e?G~r!3OvgIgQ%j*(gE`;gVyTiT z2+kZ)7ss1(5vb6Gk0+@oBO}a|;OPbJ!}ts3iLy($h&I`iEu%fpa-g&Hv$>qO*vm zwOLet!hDP6)Eq$&hAZntDvm{~mz#~iJ^b_C$=cju{jpVG%ygUWB7}}8=U=IuFxEtz zV*1g$kL#k!GAmYm&N*tg@rhFz9HHYwq2|-dPXxWw4o==4W_CuLbP>0=bC2WEEew1| z#lHwf*O6!k?DlRk<%=Ytd4gx1aEc9(TD4VA-Ra0?%C0-~)LfBcS*t;1d)XG<4e9U$ycfe$JzLQ%bRvfhbFm{gFikK0b?< zZWa*ZPfwRJ*?v9eZ+BuOkD)r1@6$xZCt-KpQJo`nq~xl%7xip+?FXki#Ju&-JwX!M zW-EN|J$y2YSU(2eNj_Y2-KZdpWpo*c1g&c%N#NN|PYJCBHK?9}12MbH`I?o)oJWp6Ge^mqDzLl1B+_$W? 
zCr)%6WY>i*m#c$sbxfi;_szFSJojuB-m?WFW&GiSh`3!zymt$7I^N^iNR7LnT6#6h zW9zHg|FJN)oH(bVMGK#Ea@5{nA%x4JBv?i89R^yny@B1{hp2=u|B|%d$38hDZr-K1 zi3hNaLXpFZhUSp2rmfDiAsGgJFVD@jzyx%4wQz+%D!N$PdRp?Kb(3xU%+N~kJ!cMG zC#_#WP9Fl>GC|=klH-T-W<?+?Mk@z8te6Ok z*^(OOEbubiSi7qUMDKhn*(}TYPS7k!ib6FG`7y=u`4g-+X8!%w3>hQFH!Mat#XNc( zNwGd=t903aESB+bCRVTrE)vOfixgflQ?PH^PJ)hDx*zA6%;?x{69F>1)oEPzn{81~R>XjIZ`AMQ)Lcc?bo!>stTsqng8}QzuK6t9A)Ousz{HT3uD4hN z@4eC1_nVHYnE&<{l+VLLFJs{<2f~{@kg!$FFGJi+MNw0~qCim47Uw{XtVnuTERZA` zzG@IAUBDhy}AatNb@?!8_%|_cW z7x|o=OBy0$quM$cbdG`M`82Iz8~$n`C>>}Sk|vU6+#X5unLRQg)E>b_BB(Q;4&1qAec4vqpbgU4I?Hmh@llRTZ{wIk316XB zmZnH_(Ic8cCv;Xf(ayXYPB4X$AQnzoye5hwB9(@vSa?__^4huXHJ-(KWo3o0S4w?1 z7ykG50T0rv{F%UAFXV)OsFh|k&+s?}?E0Sv^kh0~$xJ94UipG}% zJ3m!zM5XG|+VJbJWTK;uS`-NYNE#F{4Lv6ozLsti{31$LCb!AxsP3{@GzR%@^$I)mCE>QiBy2!KFnUz=u5QNyqykE2kwsu*f3QRmqgJ(I*MK1kQEOLV z0w#(c4CSc%|A!&bdbuNYj{p4oeEt_!`_b-_wPd@^>wSa;6Ba{F9{Rn9%>96*gWnh)r1 zo>O)#9971FW@UpzqhhsmWIm;Ej+g8HMmD9$NbPFk%3lB~{lhyMhgYa7Rkpo|4ya~C zpbUnZ@~{Joi6#}2OFZMU{Hu$Iw9~u0M*@4#$J46dt`|gSU-s0jwD%^z=NX)?o9G_b z>|!FQ7{K@VM4B|IA!@sZOjB&->J>+5YhFHQ(SzRds^$Ca4X=ryl1+>Cr=}7G+Z0N+ z>WIEbD8C~N#HUg2CJ8WnunYcE!fyP3M69nT_5wd3?ox10L+Osve;m3 z(*XLq+vXlEjAC|iiSAOg4hffkEXb|d$q>nixY|0B>S;nSPhG8Pq#9wrn&U=)E|Je} zKU$Wxwg$T}_U2l$&`)lnUA9)mhvEEYAF?VGG~JOtPC~y4RlIRcJeO~0l7x-BFz|3Q6OryAa&7T+K7-%iHr zZ4%_fKe3wOhpVre9}Q6_IL0z2iSd)9v5nKX*ZP;nwP6IPLR z*c4#NKdjj|X9dPq=D_$8BqFvFaf8Ceyud#%tcou+g41Ec4 z^|IcX*U5<_e_TE2a=Kf6Tw1ytpKN&?!lvh{hP${%* z*+e4nHgt$MNYn-=+B1(?(Em6Qy&&MSaWt~OKe2HBGBH4!!fM0{dpA)_Gg#1*m~&M) zHz$xmpyTFqybhjbmfI z)@u9PTGw(PBio(n!AbODX#^Td0BD6&%cmAqF|Bx?sOuKe`qRT>&iho_?2fzzS$vGl z6#T9hn4Y8>WOp0$ZRNW{)2x^^Z%A}q}Y4Zhke zo)*n*=8^)3+Ey!W!u**CtG{5&e@Ya+V%k@Zv%4TeziCkYVFr@&bAq6J4BX!pacIW! 
z)B?0qlY=BD2?hA(Be@1DHGluP-)>jMH0P_)i-_a^0697w5G+aH~-l$wCwOgPJMVFFBb(q!$n8;lST1gQ$W zS;-oY+uO_U7w>E{Yn=It6AUysCnHT8Rhqf-YV;tEG<-mkwKb`1@H@frcw)KO0o{n} zalci~v)EXG`rqNbpkX6!!Z5r)VH$&Z?cK;O(#XM%uw;5dayv@B&w5H5YgIphsZab- zRROLglfQ^j{0SiEv{SSpDU!iv3Gv?rCwL(X9ZNtZ5P)+;6LZrDDE>?Mlq&jLxtd|w z`M-!b6Kp#ts}+?;p7YxDDBlZ44b$9?Bkw^8#u#9|$i&{d+>#(O8M&{fSOLRzxt0hRC79araN z_b+E=!k%)J%2nqRJZwN3g-F^dp@8S+!p7s(8B#@6Z>NBl0>9_2{p&szvG;CN%_GzM zNUQ~hr1r(`v7rT^JknuM!~W^RlLXn(GI4$vfy4KY#hZZ;dm8{@v#Vq05q)c6;}Sd` zjd3V9TLpk>wk9}K|<6@$QE>Y+S6}mFg0}v3*OESnY17y2$;GmsH#h(4A z<=%cewDr*iXEiI45*F&l0kBdY2h^j>9lLGFc5VWi{;|l{Dv+&A{D})lg`>pHN)f}R znwF(Hy>0t=a<8sSqKIFi7=*@y%2!2LlfMo-N#Dz>7iSZhiAdB(RTUXC1sj@@evX7Q zw55t^bIe2?)E0vhf#boCPT@W6nTW9w6Qu~gmvtH%M_nJ2#^mbrqMW83#tc@LQ!~hl zoTHkH01Jq|&1fn>t6(&$VQqaW@=`B1uYN3(nz*&$@I>%QS-LAe6I*{T_RBrIL~S%x zft+K4#r6r1Nm30dtR-@p}*!r3?fDNI8FPs%!5h%&n%d=2_Z_|^G|MKPeoh{({^ay|(n zyDc+-M$|Ubsb61r%d3eXhcj6Vy$+62zw;`IrEm)oAWo*Z<-(=wW(TB-$-xv^QqDCT-!3qlo|FkHVZe}BZ;@ZIeRC3zfK z=zLW9h%hsCU3Rw#K0F9{?WaJhp#_q%24IQ8;7WAM{8O*|v#KL>f=3A&#Wyx*;cG-PBu-T1wcOnSU# z_-^ZUU3YT5{|@ziDY5r@bAIl6JDaqxNE$qAdFPpIJ-nd*?xmz2g<{|`cmL{eKlyI= zDkOLxV#E4zP4IkV@Ydo(C2w$h>Gz71U-gb;wV?E~Vc5>+j)4GR@OqWy_=gf`itca2 z0n7yj`x~whT?XnHIa_qShN1(Mge^aFt$RPDZ9twso2+WD_-@G0 zST$@nb=~51-5ob|e1xm(ojnhh394R(NwnM_Q8!!%7q-Zv{{FY`)X5R_^L_pEHoE_| zJ83Y9_Ht_=RNdL>dkj|aTk-1>u!N}jI3k9p`NPxc@ELwB^>b2LboeCbX1UdUBL9n% z4`B%WyI*b2nusd(ceSQe)DH+W!7@<Oaf-rEr=F$iFqxTqcbwp`Hzk zI)evS+Q^Il!-B1IyP5%QPfOo&$qKPo4=#V}DYcgG6J<1!Tifg2-cs$@6}?KWK$@(- z7TjS}?XanFRO39pN!YNhQ*J{Hd6A6I-3c`L1fuiNjaJW8gai99&i;XR)>)?y?2aTd zF5=He?v>@mb>bM$YsA5l>9doM0B^0J2i`q^3iqYMET zB_t2eS+*H+u6ECF2dfS|?RN))uJ;;emQ4q4;z2^*8_xz;CtPdZqYZ<^&Cf3O+%Mr( zJ+SXL_KDxo%$_Ig`ELS*UXR|rpBbnf`IkKBtk>z$-kw+99>#usX%n~xf2dYoH=YNo z-bdsV+K;A)Hd+%YDIFEv*Zq{$I+elWI3F}Tbp0jpv zCU6RrCg6DdjaJU?CbBo)E=isT8=Ngn@RIg6QGGv#GF&D!5qF#o4StveLCp7>D-FwH z!4%k`jENTWM$L(c(-ttKYt|CZ9h?Ncq|%5PK}hke{vrn=(3r^oVhz(T2C{O(nR4=%!#mcpXZOBRbi5Q9K+L{IVH#6yjy`I3^Qe*AEWu`_MzYIk|E 
zblY~$<2n~lm-9ZRGePM0_vY`3St#oGjRi0G=e4o|>rApt`iU&>T1e0Q!^5YN%C@)G z$Cf=dDw2;jtRlw*r^4-|{t$UO0iUZ~Q+}8*X*uV*td^yT9SayJN#ubGYmS?7_>Z9M zf0@R}i4498qoA{&Fc8eRP@5*9-Jqia+C357NeRPxz zNY-J|FpFM~BWer8`Vm{RIZwQYl8wuzzfu@i{U!?_o5kQ{`HuE2>gBWjGb#n}g^Db~ z5uLvmZ^Qr?{kHQyggr6bfhMTk;S%#RceFa@7(!P=^KuL0E^T_c1{&nzFd>$NG&G;> zD#j`lrwUhBHFb{M%q>=)QS^DbWZ06$@*2M0nER5u{We8VHB}bypvwlKOinI&h#pR+4rUvi#M#Nx=Q^$5PFnAD z;-~O0O5!nJvui^1?|PaN%0DEXO04pjk+J__@B*&l_ufcbI-}KL8*Y5ts(L?kY3dlp zHx^%r9sLE-bXDAg!^3fE<}wtHTK;S1Y+beaCh&l?ir@`Uy6c{lxLZ-Il!9|0x!|PcnV7e$v9peiepH0{!)6=VaW-S)cm7+pE29-E z_~YA~c5R)}TO;D}?Y*bND|w{`*cf=azbyXIy>eec3S7C`JR+tYGtCT&>$ZXYWIH** z*#A|b+vFb$U^fV3{*Y4*$ff=@)X)?5;v|HEYe-Azs6OoA7XmnPPF(K5YFPcwTa4E# zd%5t`t%LYP9TM3YD$t~pm6Wz5HOJnbKvh3%SuU6?Tu{=X6e%tabXuncIR0%}`bQ9w z9Q{i-)_RUoGQKW8UyyP{v25bgC|M zJR>emno-McMgw>P&ns88d9QJ#oNov<)i0hmF!>EI5F8(T-jPaZ1m(?I-tuLAjFG`d z;p@;!ghzw<#{%qvDdx|UHtZ_(HO%6tND}NUA4E>-5e&lT4b6 z<~NU;k35`={}$)pncOf%!}3{j|AUSjD?<=EZVxbX{iF1S=5um50KKPq=p#v1l9I82%s;$%2mzi=rgi+F5E$Y!H@p zJOY%@%BcP8mWIJ>1~gtzVK8pD_E*`>ED_Z$9w@_s-;4C2X<}hN|Mc}`*7N4Pj2)bL zxaZL~GR_{L|6`$lU3ReUfb7pMj13Vr?LT&MLWd2c55T0hm16(U9#r{E%VfJf?oDMt zqy<7yN1N};x7GDHY^|D?&n>O<`aMK^#ox?(Cb6WnH9?AtR!fMk1$N`h$jVQJibnk4 z*kphN=Df)GQ-G$6X!3B@$?L_C-y|y^i)Y{)D83DWY`pb681Mr3!Z!=tRJ?IhmneB# zfzZqYntIYSV3r-@8M_ikLM;>dES@&kw?K~M=y7omE$pRl$~ObN8GYYo-D_s;`W-Q8 zSXRy(p4mdolIr1-j6_Gpl*Y!t2aru(Q%GqZFQw^Mt#!uXSkff{wN!Y9U6g((dYl4+ zb4N%iR8)t=RA&FNIL?PZW1@U-c^std>b9)Q*f=VtZcv zIdwufb#-yPO{9a&o7s>@h1O65(V!5{$LqjyruML@;5G`)zKfh!rJ~SqRl);yE`!73 zmoz`_rj-GKEaLqs?6d;TF3SuBG6hr%{Ey3aRAj8e;xsITC@ZJQWUK>l;RVwUtZ6^Z zXo7`LcEyq{63KHmDL&~ zwsCHjs4HdZLM*e`#$TWuPYs*`tJD8XP;Q;)w@gm}_4bh3x`o@MM+ne;w4bfdtN)^o zNDNkz{fx20=}{sS^N$4;l2#zn?u=Jp!+wpIp~PJaUxN>cssprsH_o%HmORH*??6ME z-csX=Aghfmsw8!=8wV)wIR9wu*>INz%jY$Q&)_xzXXE><3(0%QWI-4dLSSw@VQ3q} z8ACOtc&+HbVne_~zk&D0U3ayjKOC?Kv@?C7HR*`}q;NdR{fN-jB7`9RvbM(CvNmWs z_qcynTecw6JA}}QkCwq|DihnZ@gR4?Qa;h%54YkYN%3T?0h}7_kE3>d|#5F 
za`Sy&Oq(s4pC|s%W4(BYQsl?!*rYCLANw=IGjeP=+dR~-czNB^3qC!dh-Oh+ZMba= zd!6}^5*Re^?GwzdCmsA_Vb|_DuX(!Puib0<#XXY|Q~}Ybjc|?FbX=l)JI^Oinq@qYttbh!&1?DGqDc5WUAPUw5i8VZ27Z$oerXmCjQl|i4PxyVTBi4@WcBG$dEfB;~MLdY6RH9lnEwuKW|yqkI`F7?C&= zl~uMjgsW{99>vx_RyZ9YM2z_m(j40%<9jswxys(6% znA8iwF8YOGb}Ro8F;**j96p!1IrqG`W|2af*)?!jH2}fF><_U$(q5%66{`g$rr9Cy zK{FP0;ZNoK3x$GI+9AZw%z6y3Fw{n z4^s@|pDdteyvnCXoJntxry$nU)73f&%F+~2ovGJ$vh=X?bu==vG_v#kA~}rYFH+XL zcFM$9_5HbnTOF*vY9}EDWm7l&jle&FBANF8mWR9YkPT~%x--}uD79FS1nnEpH=z z4}UK)o}a5%4T@?oTOrL>kmfE#XkyX^auG5XbkNr_w8{Vk0C9OnEJ^Yfci zf@!vgS%`ZMSwF1n9clUej3v$bNO5z|Znv{BDcLlQO@{EWg@d~pi-!QqKVMts%l&NL z3UWd=ybrwIci1+3H`izTQ$OBq=E;NX^DSN{%wjnEK>epoK92-?{y6;ac#XK^mWJOb zvz9(KBo>0vI(?N}7%ajSP_>wqd1?RFh*%@A!f@6yh;pd5CrM%TeR+kCYl#oedApqcLG0lUk6b;<5FF64O44Smf&4`|=o?BIInv;DxgW_xJtw1gB9{1P zC+tjNsKzyUnUp<>QI?2FTN^>&r!fb9Vk8(@C{byI#^j1KH@-kyPC{Z{2h#BEo;&$? z9P|+DV^(6MMSL<+dDZ;Bk>9#}G2Bc)=h+BQLY?d>b4^u|IE0*iV+R=I0> z{S14IF(p)U)@*cie)G_EEj{i~YW|AU(<>)AHC9s5{Bkpxgvc4%e-lA7>%PKDQ^&)k zObay%>od87Ci5XvqbfvqN)Lqk>#+Z4nd9Yub%6$r@I~#^OCS$Q^!Gtd>z=G=@(^pC zFwb&Y`%c#T`4O4>VB6d5Y__M1!ci&VuoHXY1&2brO>u^%$trbNkM^1Cf#4%k4gqBQ znM>7b+Z5Ig8me1z>+~s;*L1*~kDK3fk3C^1iSHanC2#vkB64~K(^%=k+sCvK{~8&3!4usk7L%Wn)oAI^p6Pc7$9?F@Rxy8$0cL-*>PkE^W&mscEfMn`1>Fp;^00Y( zP%-9&kO-$;KicnaUYG<+=9s*GZ)`+ z`|md*mRf0lgb%Cn{BWw!^(N{!WbUj+mZlSJi**C{fQLRp%u@u%kBM)lTH z56T$&NrR5s?}m=y44N9#`YJ5^k_{bV7rOwW;}PY?(yql4Dle-N_3Y%N44IoCzCe?lD2kWG%da4-k#0w9!NWn>IPFJ@`)&gAHW{T4r9S%JiV)v0T!&PlsLUD|m82Li3ejg4PXPWzSp*UlWdv9w zV)g!h8Cz;Fvecsa6&)+-@fc&2F5>(1JP)UNP$dmd%dr2~zq*L)b~ALqP+6M8g1S^e z7rZZ#Uy9nwK8q27Tc}^!2pVc=>+#?3(4l3QHIe}r`rPZ?cbxjYFEX|7J^LNJR(bpt z)a+7}#yS=72Q#+6c6skUEDb6`uzmxIOD0T&4}LtjRPy_f93M z1U=_`?ggqXTyCM6viW=wIxiZkKwp-DKMlh$%+2eQ3!1YetLaTwpXS%@I}Ss$AInHO zY`qE|78LyE(F*~jiFG)Qoey#k0V{2>f-ea>v02{hk@|2;-#`3A|L@m&t-xt$0+_C{ zM$uaK1EOYlHhAcfVFL1>V>VtA1cFE_8Yygdkcg(Z}lFSKzcayBI;% zV`&BCJlzcF=(jjLf4J>GI;0DPnhqH3efIc;^T;A*2V-)w0qrMdO#F|FQU$l=e!CL- 
z4;|N#02!NbHF}61&94+IrxQV_{CAg3y#yat@1;bGPRBt#;A7*8!9#(N%g#r_A|^_Z z6$zQEJwtk7a!@PfL@f|NHkAW<;~7?_4B|n7x4Xhe(m$HR#7wF#oq4btsF=>Rps(DE z#Q~9vNdBZ}r*MQCvm`v#tYhYbq&=J*#|fH_QnjVwgP*vyFedZ$mC^pkLJ7kPF&SPI zzg#qz7}Y%S+iiqTmT$>Ic#-ssI-Q(K9tAM1T@~ml^(V#QVJe_R@Ue`aZn@ayXd2N~ zcGrjvCIwNJr>mV5Oq@^CknycusbMy5c`i-W2MgW79p`r!#gFUXZH^>>^YU9-&ajVO z_VCsCtJ^BSS6IOd2*9^nRB@$~E;wU+Mj%8b5cEYA5}tB!J$?t(>AVc2DCe)3iOVim zuvOn>{TEFiYpRvQyg-z&)rKRyNLaYr*MQ1^LI75?btlN5SW(|5%(p>brS3 z)~p?g(k7IGg0H-;0;gS1f472I)zO%-5{FG$St^s=`HjA+6IfSV+leXB2aD!`;#2Ep zh=qJQNwxL$4sTjXp@OE;Lm{2F|AbU9vnm@^J-{qljaW`fsp^zO2{OdeHR)e;>GiS1 z5H$Y?1r@i?Q^O(IXwyg=)mGFK4oZ=*IC+ip)sPr}wIg5^zM;#+3lkpsn-@y_oT9Md zXv7z9Np)77Hg_-7`exyGxny!L1Y}(%zW7kZ5B*ZHrvCIfO4aE=Z{zLGXJ=_|lu2mj zbd1t%wc*w4{Pkg2#X9S3^>T-*>tb(5rd)y7slKbZ>OQ)y$@ksI&&!VCQ_X*wMz6^a zl>^%%O;nHH`-{eB*LSsrab4$~nG>huI)lZhSyW$R?io^1LZa5=N(@vXch(4PBw<;{ z^vn+C4?~VOU&L}Ou~7DC??;F-P2hQ!$>;WAe*(@T#`|g3O^)^HDeHcMe*NN#MAPFA zF&pHPfB(``0=r*(zWVy%SrOvp>zdNzxk*#-v*4x=R>V5Q6(0HK#r$;BwZX9k$>eQ$ z{>Zd?ABaQZu^w5~zAfc!(1x*oovo0`!zQW2X7C}b>hI<1+D?*TdRss4y2n!Ryx?AS zoASe71KCL{;I0O}j3Nm~_2%z(O}ipA@_X>g=C;EQF4sHN3Ysh|>(R-WL>nuXn?p zl`vsF#=q$67+z(Ce2oKW*5QfgOPYj`4Rj3^&TFc+Od%XMfKCYRP`x%EAFm-S!Ton$ zhcW_3*TG_VL)LFrXK%c*ZX>4{Mci{GXg5xMbM`TI^N`7*>2O2O6FTE8pD#?WlxY#UtxtZFD$&Zmx_q0R>q1uv=G8Y*8k>j= znOuCyBYyFZz9JJPD0351ZvJFz;ei;TA?akS_r}q=)sQ8L9!k=l(vdzTSIKV%8}8xx zRPZa2Et9d;{OG^CBHw);UA9YoJas5cko2a};{5HySXjwcQ&ODmOSYv>P8+TMFufH_ zB7U+;>DrjW7)hKU9oLY}<%5B%8i~F5!1{h(+=yjBz_@$AkO!b>wopxu?*fbUJ+tHq z7Z5&JNsYFEKwwGxFv9n%S?P7U!of!=_>0Hhl<5M9hVnK*=L|jBxgD?8N#C96bWA;# zgt(F$-{ICv$Zb=TDgEo>m^x`S0f0nF=hae%!s5q?JIk7-QliSVi8Mired<#XIsym* zQ-q^S=^#O?(aJcj#H7Bgb%nGv&EO3~F~0(a2y{;O=gc^#!Q0&&OX-xBr0@~=K(Hw< z9tSO(abrpoJORz}zq1o&WXok_^o@;euG}q;Xmo7V)Wc$gS7HAZ)L>4H@Fg$2si~=@ zv-9~SfsfXX5yCnaCrM!4;QeOZ!?>`P~JXOTM4I_#&Od!0>h|3W8=Sz@tKL1u? 
zBAxkR0R6B{%I+2?sbupS6+-T13F~i_mXhPK!bd{dNOHjr@}%-uS*z!!LF}$2LJF09 zbAD06bhGpD^K@za?XMog`>X6F>9JM8NG41X66%+_ zJqCYAZq7Y;k&fcm*5#{`^wJ0Cx&emUTD+%tVmE2h8af`V3Y|Bt3qQZJXi4LS>~15S z$KoRvb8pyNsG~X5YH`Zrg-HGi_P>=;k<@rOE4--yLVRnv1?O+_A<*Rbeg2pdjZAsG zHzlQ!lu9g-H@C4MugIBo?8$WT+y>0Qx$!P}s3zYf^me@gDm z4%B&F_KAi>W)NnO`H~A1kvjk19Nh3_Kf}=QHuhGbk}*CV$gFR@un`wo@^jIgfC+`R zsV=t!L|-OOZBd(qp{~VkdEH$L)GF_2?_^Z`IGCc%;k%UgPQkz3jh*luBXkfbQnNTv z-4JL?rIQ_3`VHSk0-&yy<9O`OSw0?Qh3r>Qg}k}kC|vJNNkA?>7BA25`qFca}7-h z=X;~P;yWIS8Ty8m7z0Cx-A!ZQzq9jUqmxHguuQAeTADeUgaoP0iA2QpYOL400CB|2 z!OKX`Iz|iYHT4fw;ilV##=juA-C{~p(9aQYf(66T>PC2+%E5%d^Q1eqfgqFE-*uNi zoBjUsfKqup*;>C#UwY*fIeBvgC}?H|A%En?4O;Lv?sL*zYe$D1$Vif%9WheL)HWl| zHv=QK2c<4uIdGvG%lk#;qKP;hpW#Soc z@2N2D9OU@%MlZtuA!Wq=EI8)7_P77?etji;#8)EgGv*}3{E51#_>P3us#l*+y9$Ny zi@v{BRh70PGUYM9uWo$OV}H2budo|<*rUt~ME)HOHxdfysmYq6sC%dG%Gs5EUK1QpwN!~f0<<^~>j8gEOoZQTU9`;x>9nJn?po zd_ze2){V!35DdZtolg`Uyb3|1k8m&G_bMAOJKX%L2*hI)I7zHt*4^U)5EP$=!S_F7 z69d(Yy*q)3rg-iCy&q`$Z`pC73Ptp`hf|`MqI{+>1b8vEd+s6tC>Ytg;|vzpvfDrg zm`)F9{6duw4}r!D*)3OpUcUBX&Ohtf^a#sb%*<|+62T;1Itd{#!FJ+12&NK z-0bz%@*7rX86wu7o66lCxw$PEQt#C>4VwS+aDOt*xQ@oTHa;Y%EYfA={C#1hNNH`un99!QZzD;EaPzb|3o}$wIAnNm&ESs?O<-CSSU-?Q`J4aLOVifyJ z?jmJWmai5lV4`&0BylMZK$pQ$+^(R8zS|$cBhhLpBX!(45Zt3vZ zVtHI2Rv$UeLmt@#Y5w_LNYlV^+RZIL(7{gVZdTxSW)2(6>7fTA7Xrj9OH=S9Jemi| z0Qi{U&K2acZXYg26l$2+*hyeo8VO^m1CqmT|8$|lG<#bk#$~}`=LFZw^tJNw@${TO z9_vb5B*=-5E!H#9Ymj-PX%ASXA*sD(eiP5f+cuZ~R?PLfX}vR|m_3uc$B6i|-Y#+C zSgnqYnb(fNrhUbQvyGpPkW&Rcjl!g4u(){!-n3+9=ZDju6MEnb1$!y@f-?=Axy%OR z+Ds2%?LJmdXR^>Ok=cZJ!J~ubiPDO9oO4Qw)wo%At2R^lX18iC8jH57x#4Bk@OL?w z^&YAB2kyWJCZt9yz7l35d_feiOR67s0F`xtVRfX+l4M)J;eh$wbTn7`~4vGL9>J5 z^t58ql~gI`Jk^Sut(+XmC7yk(~3*LsLbzA_#UC^Tk&Jdz}qF2 zv`1}-h!`qijl}hb;IlKL^I(8CyB?NiTHiZW2pY*RcB+3Y1i`}ZZo59ecgB*swI}#5E&z{se!{kbzY9E4?x{UB*>Ev}{z(V-*mzbB6KGLK4e=O=Y?sS~@4 zq{{aa+|oa9p@JrqOlUuXO_K@5Cy*p30-khk9icQBS}%1x`VzrCB-@0xTb7zko1u!Er$1j=`cSmunGs+TG~#KX zL+E_W;93MUZcw8O#AF@=1@3Z7Q}9o}zq|}X*eQahAi&Ng`v5`TJ$D_^MVf%V@fy$o 
zD^gC4i$DRXPy_KBUZTC@2Y`Z52mF6Wqlij2HBN<9@?&ORDVI?PuoOH2fYkz2b&@|T6Q#;$53 zYk6o}Yyw6?p;fwwsth>wuh~ajNRr`b@P&daYVo7<`c#R4hP6}lIwajAek%ZNJt98= z@q<~n4|)+*g=9oMGWMHazfLgC*_r+K9>0(ZpZu*b0Iy17k;+1SM$h@F-{T@|4^wj% zl37ceq%{)cJIiL~)JP*SsL9|~5R6wX`*M<0(;K{fn@IE1uXd7O=+D=ii@VzM`tG(( zyF@x4le3T88oWHk)aHh1<;+t(>>13(R+2B>?2BH1zs{<@MfLm7w@fm%`V#AD=S0IC z_JwFn+pN*J=QYJ*#o|R%0qZI`SsP22me^lfo-;ne?DE82k+erc>yL^+CY)tydvF8Y z+CzS(f5#Y?4k`~eiq{{>T?_I~NEO1B#aAkhGR07AJwqJlTtNUzQLC53Dk)VNR%Z*v zXMu1yKtaAq>+oS{Yo=)WXQn=dd;~ZKnu(X4&1{n@tf5iJJvKKxPg84oF%-d_@ZHh8 zmLaBi#h#>=t4%sb&n_vXcBPA33FT`{^@oO&J<;j`J*uQ){ZPi4yqn8o$W|6RkS0 z`+@@f38%hP4nu@-e47M@0iT?_xA>__bvTovHfR0ZbKMa8>whc|xD1d` z9O8D2-Y$*F5mI)ag!KB|r zB;zTdwcn&6INr-x5T^+M1)X8KTAUZ;gAAXy{P$w$@~di=Z3+#sXUa*g@H9k%qcP|P zq%rV^svH78n?4(79vAk$X$(0_mTamJyXl^>eJ}UY=OzkG4DHFQrwBY#F_RB_%loIs zbi7%U;4m8*m=)bz1Ma60geAv7X&S(5Bw}BA2@uqYozeyZsuiV08QhgDtXhDe)eYhK z)<(;0BtS!JPX~8}Vm!b~9SSCC%h+^tjOPf3S*in4UuN&qiyIy3m+Nvk-X;H7bVsdY z#1TUZERS4m6_o2#O9<4Nlr^lfpPHW+38d9qYIHslqlqKzZ9H1ry{r$F5g-~kATu(g zt?HAF!|`DRUl|2*HJHH8?>=UPsSjXxDJwQBRJ#u}emPjccTz}OwdD^U$2jUtO7vFz z6;^wHD2|Maj4z-+kUmwJ&%Q{hk4zU@3S`qKcgK2D%_W2i_FWT=K#HE~|JtDA`Ml@m ztQL1}Q=>cPoP#p(>Dpm=_h7kku+ILo&LxLGA9oN&b)e9oXj_X?NhvofV47&T|jJd&(EWOo~O{|tv^zu0A|GvRL z-Z@!a>7My}_q6!7(f;!8D)k+TL4q72^E_0OcpWqi!1-Cfjj6PGTe)PMFeWJJV*qLN zX*tI_9c7!FZ|%ChpX2#Rs@wV2#`ODKJg-8eGCjM=HO!rTqH!_uRcWcLptOaHp?8`z zNG}GQa7o8RI`F1cXk%N31TYx1mG;Z5b>Y(UEP_HcTVaJH@HI)5!-|fxrmw2d-X8_0 z<@|OMupCOz?H;2{bRBtCvw^()>G`Cwe1Mw1f&!S&aFRpoQ8&-C}g{{ljO{p54FAwIu}F%fNm>+CYi9v zA434j7w~a+u<&T%00$id)35dJr zuP5Hhpg#^|H2JZ^fKqdQB$D2s(&^x@`TXiFPbCR~ZhrC+kRRiiaS8aF(_E~h5OJvY zj|AI478~ybDAU#PkH=yiod-Nl%)`WaUlDK2;`wfdc5H2>Ly_W}+!ac21r@N0h zE>(VtuEIo0np@&nk9_qCR_PdOz{nn@rFdfaeC#)e-g|-l)S*6@SThjWQDbSX^OrSMT?REa=ZfUtNy49QYrs%i^Co#R zNR#*itZ57nYi5<0reXIysZnN=+OD=fU#bP*&Q6Rd=Oq4yw+m3%8DXMN3Nvf@kewg& zYne)kzS!2{)<|$uQ~jF}srsRNEP;MbTr+B-2s;^}{s)$N=5JyRFUCR{q2WnejWiUi zrq*7M_G3(51-z!N&>x;lO`|8D@hLk`{8DCX)E6uDZ 
zkr7_u$ef>a{f$ranh*JUrv?PAOFY>7V%}cc+i!~YQG-UCJco9x7yc;%6*L?P859Ly zo!sEeiU+>p5BG8S^tG!_xBZpmCMq32J(G2@TKhS*t8G33DTcP-@GPf!Nt$Km$NfUs z8>GC~c&rEYKMl2BS~y*NBXdl%-%vtPlt~M@%om@3me{xm^m|x(n)x{_8E{(Gu*9)Q zuq#Sn(dg4R>qQ4{IM5}F$C=Zl!J!cd=-JeH6Yo$FJ}0lpQBq zbIIo}N<{ly!Zo-5SOn6|VaC(rF5p=Z&b^9VU;%wRU?;Ri`$pE$gz~rq%W6tw{9{`h z$xDx}ykr&=4p9vWcoS8&U0rh=EyDNg=kze*4kiqyn%#w`B8T1T z*ScKImTU<$IH!fV2HMt~(j&}Pg*L;oO$^^~O@613mOYsK>DsjHgn1hO3KIVEBo!?| zQ#jj?4sb+xC%;eMUoy4H3bXR^wYBlKfwZ?SUrx3cyDJwePHkPy90ScFcl^Gd96Ehz z3~zh8d#$cchJlXg@Beb3YuhxEd2}k}WaKN=9T;2HtKzc|0mUEjp3m>JxKvv=>`gGi zwdRQ^og!~9G5%V(ZUBM@x`s7DM)U(ta+m{3hhf7Id9*=4H=nA<8d8fg#6nKKDzvK2 zVTuJ=${zYE^U)8r&ouc=@ZL?X35SnZq*pUuNy1r?AKw2V)%#0+i05%JAW;YHkfLa2E zTgyVPLZ4iEX+N@QWFwPl6=HtU_4S#et}R30#g{qLzjt_m%HRFHxhwB)qgf01Y*1bG zbH}FRHrLP6J9W04|JBp@%0FFX5y-3K(M*)mINGf`qFS{ZPoiG#5`BI5 zc_KQskF~p`OiSrENF;O^W0)axuhXij<4i%+?U%EZzen5af*viD=El+Rka4lJwOd6+ zC?#Ry=J0^)&AxiFn7ns}60XfvIoh~G<;EA37Z;ZohPrOyV2(~DWIHr<$5yM`uU{Vg zekLGv(tq~K7e%q;o-eu_iByMBXn$?s=A608ICmkK-T7da=ps6_^IlpDI0F)zLr$}D zH}jp6weL{?qT&w9hmOKJDy#q72gi=voQ~@}OZ-%|pMjizFTBJp>NbYfYUAECpVg8T zm6H0!=hHC>QQSvjr81Jri^qvLYW1u*Wxu2{f3FDx4E$bq?ew?0d$pV1Yv;G+b*d`! 
z0vJi_>#c*aTp%j;;mI2Y1Tr!s--Ej~3j&+jn@N4j{YiVSa5)%2+_I)M(kKt-_UQM+ ziOKt$^~}I~zQB`j$GvB!E}LH7&fC$<)4k7LewXuns>Z#4ww6>~y11&0xe7>5lF$|k z8(nt#Eb@BaJ-B+i@F9y~>r19;6}GNCv>{7K;!jy4PI+MVgn2b4bGrZS7lTfgq{yV1 zg->xqa;Ui^KPXA_%u2>#O(X>o*wg*f1#c4@`kX)k4o!DzIgpECSyXu;%R9+T%YpJe zHw*|0mOTlYBauc@{yZ<0ObwT@QsdO4ok;urD`nAfF{*ePk2b?c-%g|Fnmy*@2Pi`~ zhs6=U$!YR`<4R_>zCWcUR>&%2qvFNBf4)Kp zrFMQObJ@oIi%J=E)vBmS7ZT5vUJW=s{Pyk7w(M4OG-z`Wf`?hGHK)_OaX);xpr=C`$SQ?^EX<_j#i4T>B$J;t<22OrtX36 z>m~_EaCFcW7$?L3?zrk?l{?!-^>I$Odeof`sb!Varl$I_ZPT%0ry;TVU7l@`|_M;hX9`-O1s>M2p$^>%_K^hY&o1{ z2eg${X-V@|8C(oZ%XG5Q2WB#Z1aQt<`kc({P!JqnLUn|9t=w)In(RNrW(d|O4ChJ7 zqa{!K$tJfd$DuN9>`L(YDxxiV5QD0ZNHUdZMfx{B?uF=yPraCA~0oxK(^maKUU?xOnsoeUX{C*P} z-+O7$@a@u@;%FN~W&|;g@`RhtIDD8(fBqtGfQ`rQolLxDT$$Q)3uz`~NHYg9=u=UH z_p-Loh!OlKCsI5qt0+!9Vss6o_TOzVzYkp z`nw7`oCq`G!(X55ubT{9qIROdbk)iSGcRY-+Z@;b?hpg^H_~5jGO$U)2HL7#cXyjB zad-SZR2MdKPMAj-?rGq-=;m+sds1|8x*o1E3x zv=!69>UR#`ITUBg$`rW6K@prKBV_A@mg1o`JrdzaP#{O4oKnKgJ9_Juq2+IAvXg`8 zK1%M|wzQ0EU}@AejVNww+QYl4F0p)CF2>s~z}x|GIZ)@SOgJD>c=c!!&ue@cRT4Y%otXmp5Bq<*K&kCrjCHNs&nQO0kWw`t zB1MPmKgS^UOY2Ue@iE|))2P@RyZn*y`;lB#ihAgQ%w2e~lOthts-q1y}|oVlH?AcWFbTg6XNx5ZU@T zv-8wYs^SPMDLG;tOj<^LQVX@m3~4KF4uP^21PPykyWQwVhxh9BnLgcxrxGj!H$y~$ zJ39JlHBLN*4K?EAns>N}2#1U%p>K!x!f-U+Oah`{vO&Q&|5&8eoKI;_GVe_Q5fGL= zFKW)aLbCmSC|jXYMnK-bYE<@9bzZF?Lxl=}+6`KFq}GrfszIxA$M2SERTBSB-S_$h z*@UFEf9F}%nPdv(0E>rt)jPYgva~um)V4OqkVz+)+x9hEB7tMTXcNJ^?~hit!@}}= z%K#lyK39`kbyZbWP>kRatko`OTMGg}!`Mrz3$Dfv7DD0!DTx=|jBXUkSZAshahYbu z5ytIlS!QO{`;pKL={Syp(5yB=c}SLJBDDuk=bQ9Iw9?n|K2sbe!1xc2+9H~Jy2^mb zyW&GgGh*oo{l`OGIgWB3;UxM<>Xh<^?5s4CWq%A8@vp-3)h|;q~Gz~1{YeW`GKKu@tKTf%RdPRS73&?JoBSxs19fvX_d>0SJ%qtvj!&6v zZAqE}p*IST7bBRp#StLn1>X8y(aQ&Eq#5Z>v^8g=T$Yny^NB)NGVq8RpYuz1b?k;V zA+emwC^1wvfuj{}#sN;Q<+*e8@^9nR-kv!@Nb>3;kCdQ#q>5Gk7!DWz)nT7B6qTaJ zkU8NJX*D|)?huz5Fr$_U>+Cxkr^*GL0_9p<%*;ggEgHX0gP?ttVu&-|yHtl2Kbknju20@KYOmYAkfEK%; zbx!|;?2X0ueEo2JGy(S`GA`Kb1amCVdfSDucC(yQe)YHBZk){vdvBY*?Kn||W8wzfwR5B(ZI 
zz&pIyek46fQpUaryVDzSgg7}19K|9n`zqy%nDZ7i$FoO8fL2dN ziZqYFk~&7g!1p-2Wl(V8FRBK91F+C_5%rmgspOPpX`CL=1PJLxOpp^;fl?_Y9`Ze> zJoDQ5Yiv?x5DPffCZnryFo2yvwL!FH8Z|)A^iXQgl%?>gS}um^2#e9zxVY95+;&34 zn5D1ow40iBWt2s`GA%i^Q;U{v@sS8D2&R+>2N)+H(ojqsLKx@Dw^_e?mmML$@$?9+ zlR;FJx*P-0LJDq85+m5wdeu~0z@d6ME*J}9N*3z+GXTg*0{Y|=`utB9vD2fhAmhI_^@iGNmZ>x4GrHbX;=4e3UeO@ABRnyce z7+K%{_$QGTpAJ`0`5e|1UTz)AkF^9)sD$Cd;q;PFB^ZaC*!z&k>_JIm-LWKC0wk11 z5e0^o!d2e%3K+G6Px4|X6NSMz$8@w=$l9xC&)#iw-<|c;R{3_{1kjy(Qj!R8LV0G% z?2bl%N3jK7Y|o25?|Z0@eZ?lRa6EfPp8-)tp;Z>Mth73)k^x|jA){RXSXfj~A%x(F z#MV#5}qrJxL-e(ZC zV|Z>J2MtcC(3zTIIJf`thR`!^DlOeNL!Uf%q0CAI+pt3TPjF=K*NH)y*Na+O?-fEBGM=1wP7?z`ek_ToBC^qeJ@=YB~rO>FH znfv`rRRmeB3Qi@c%Eq$1La$t^*1!IGwcRZsqbyYh$5mLjdYC&*bBPB@J-kFNJZ~4> zmlzE2K!PpH1zRQtiK;J|#CG%jE&iGD6%DZ&j8R5M;+6?WT3}pBpFPd}Z#SMZ%WevT zJOdXELrE+$4q?=KHi(IYnW`MB`+FW;O=GVg5X)&o5Mpx17I<)1QQuqNB;x84&$F7$ zV~Iw>KQ@AAL2M2uCXVw=my+DQ=WsuRjt>PZy*{%)wr}@nczULMzBcUtJ3f6h*R_q1 z3=b!sB<4gJ0B7g%@SUkM?`s!(GqTEy^QTgHp3;Hm#+$cv(eEnA!UcbxZ9dSW=7NtkkDJu=w{!w5iI^)3Qn6V z6chv`krrm0l-5Ar)mGqAjpQ+=irDBG4W?BghNDLh!sZ9k(keY)^yZB|d-qQlg~%2I zas-GA9roS=x$`;Yb^MZR-ZNzDFd1DQvL&64&7yNjN?Tt17SG<#&Hx=OppCIHS3$wDZ!Rc+y+pqCBu}*01Nwt#g4_ ztqX_CQO7WJ_7&Ht7$20Rf0VJ}ZPuDwPRjbNpHVl2T}Z6hsD_i=NT)iKNg$$TCtpf| z!7{_t9!zaFqpy~lt9e6eL;C7t8AkNBJ1dQpe8Q*0*-=M00jpL9Ih_k3k#^R9UR?x2 zLpm-;;6$`Wc6F7IbQDzVhB%5G)hb0ay)0bdW6tTJWAWXJ}GWjkfGu*-{7sdfU5e^EuO<2*KC=y`u8B70k zA-~)shY<%8-L08ewqOkkHo6AtIcLjx<^XVkT;IXCK(m3Z3VSU?q(R*A(r`P$ovc>f z4~|+86$4kTC$wO-Rj!Y#=34jcU<{Zt661#&?uXFMdNavXb@s(-5(Gd3UR0m1qlJU* zDt~Beh;8!3LXWf8>*oB?8GQmX-Oj+T`j*7PxV3Y9p4x_-Qey7{C@p@7Ld|y{h!5C* znW1sWSY%D0?Bahi?}Ux$y6imNvHcb+c>I)TEUAg+FIp=LucC)P(fgnaP=wvoO>A|nudLVG$Mf- zr-^$8%&QMz{fY*^J_2tMFI!Dj**OG)>zV^%@{tZsSS~FtMiV4ZO^2?3RA^RNqA8?{ zsnZ>8{;q70p)gf0O2&gp+bQT{ow5|v!u(y|N9wFp1Bj>7?A0)@^p>-&G>k?cWGBa# z^FTi^kfNCm5|`AJH_m+Ira6!P@#%9JUUTsrc!1`us7G3y1iy?E7#|@bSlBj#!2If4 z`hR!JK8)btmM_(|wF2TlUw&STiaP$D%^F_$T6^~w2il^d(;~s3FKylc02%HA`#ltk 
zGaS;8Xf{zfPKF&SQRCnM3i-_4^8WZNG3e~z?|ngFJ^(GbL`*nKcU5l_tf8Q^&{XBt zg0HRMp6j<~890!0ucviD&!)lL_9XH%JVp&|oxynyOD{mPORD zz?G8PB6j&ZeZ35F$$j!{CA3)hy^vq`ZB^4`ndiaS%5(3q{;jn(n+GEfE=0frG-4o$ z|H|&`KV5*J<{6+cc5f%X>fEBMNHa7DTzn0CY;OV8A)kX#mLyV7n?IM2BeJSaGL8qc zsONWnJO7_g<6@74icdm9(;c?Qc8CtK02C^@y{vM0axn}SF9fo%9aSy%JC!ZqhWhBw1k>ytaDWg=w9Vh@iPCV-l4HF=sva_XB5my|ka5-PBNOA)S zTdtDzzquB*594wzG9b9}NK#)84JoDTArVW30ac|_*mi`!w$^;w=1nED1W*p+y)T7$ zpWOzVyy2t`k(dqSnWuWe(0Pt|0DSQi!&#tF?|j=CSE8G1>8V1Zc8G zRDu?iT}3_66A4$z%u)hy)lT_mLiU62cXH8i1VOlM98fzSzh~7^onhnLT0wnTqzw zZUKD)f^)25IV`hlYV+ib+iV)Ca6pq^1CmL=*I~Bao7Ly~pxc$B9nsjoe{g!WI%P0{ z+J3PtLKxKlbU}@hfmccM#&tsqD&dcD=X#o--1*wW88px-+tk2LFbsq-g`}?ye;$?1 z?9Tb1aH^3-Ro;gw?+?)YP33{AJvkGHz^sG>LCG>e)MaI>+vZpDD@?paT=$ZqakFfC zq6nsU;T4$FlHi6_wwvupajpe4J;rm^Rrrs%b)G!TM^O`+$4`drtG^oMS5giqMu4(< zpWO%S<=c51A%vyehkqa5i`uylz*5)C^Bi8l52bu8x)N|l&f~Trhcp_|X2T=~jVb5f?O!cECmQV3eM6~&q z>vGLhe+YlOc$_7YdwRX~%zZ}(LxS`w5aH#m6-MH ztRmTi^BUxnuovDbY_QW*VTURRs+Uy8=m6}h^Kge(K%l$G%A-=25u|ZM;Mh=|@KB8p z6c9R-=idg7d0Eo1!dGB-nWoLIsHhhINk|?1IzgJrKB%fxn%Mn@$oATZT;kyrSzP0f za22jvUIf)zCWh`mT^u9eD=fdlp9u`=7wpoy6L~ZBj4vl$h-6r}FkkbY-VOnG@pQg9 z&sctD{f&qLONmw5_{RZlilRK~V(+xyuV=tBfqr-2{dZiuAz8D$n_kypIAoG!kD_A( z5IEdpRp7whhFM~IKnc+5IoC0zr}!Ev%OYHFp7E=W-bLVViz^W^pZ9HN{z!%=+C}Tw z2*DgAhcIQf!FSvlMErcCZkCkjoutlEL@(tzrFddl3|>g8o}B&~j>6lWTo4bDv22=#8vnPdj`eNe9NgMVF2QxuQuW!kgBa*Tv5zIVId4Y zyx`JqyypJ0j)sM2vD>z)*1e7OY&!94aQ@f>m)Mum0*QUbP%2@;ch@Cx{^z~*ssV2H zybTl&`;p>p_w&TKOW%2C1&$XHs?hE85neU~wh&L9CE$vsE_`s~b3gtz@F>2!0@u-a zldd3es^jcu{?ptFoEq!=4kZ|*d>ztRpKAbXyYSk41O+1-9TEFG4ts6m;gV#tFdB|O zEHY;#&|@@s-Kn0x5Ey>*mm({O&!O6{5sF?}Ri*0|Ri7PKed~%dB z;D7-s#Sflp`z~`lw$Omk2blnSkd#izoGMn>#hP2IuUD{=_0g>^>8i}k~o2d_iLkv_BJ9Ap!`MQHunj7Ec-L@i`!xYSVsLaJKeqf@T$@NgCoR@e2!SK>MELlF z)`7+awo=N3+{evz=(RLYQt<1gAu7|!#{HQe9E$IzHl};g=tn7ArgaR&Q7TLZYFZal z7%n3n4G56gN~DABbE!CrIl^gXd50B5Gth9=iPhjE+Fm;9ORZAv@=pqnUP~BU`kM1O zeGV3Jx8(^CG!G<#WV7oTQUal0h=mp>HIh)q%oVx842q!J9>27QM%VkNrr*}bz 
z?>k>F-s-CDBfJO!8HZX4DpkaF_kS#AAR}JaqB**|9p3kU^tpBgM8t$P1U`%L8`ZYw zI<@!j0@QY222-orJhC@tre-IvrLH#Xc7=NU-?=V$oAvH^^ zShjt3v&2=`HASF9sr?`vHMEant?wG-+Ra;C zkhGW%`83C+)Uir8@QaWD3Y%g+^HBl+Sg^DWn1f0yGR++&I559gQ-7UL%I(MFMX>W}O~B$=C3t(2*tQ=bigMYDlL6IK=0jK$EMh>)k(w1-~EpT>k#~dsmUmI!7dA zij4@v#Rb37Ot7|R7#vdDzXuP2d`gKXhl_rY^V0@lzhPfzn-oyg)0U>a&DH==Q7>i= zeKja9LhmacVS0mqn!Nl~E|1NjG8iCI;4|} zW6JmQPvgA-2nzMq<}T)7Nm1X`{G5;jGeRT?P;@0Ijxk6Vww;1LXy_2thXX0*xP6%0 z_Pb|$yFq8s-6tiby^SQ+VvLG~qq>Ur{&{M!+_>NKN*xOl?YdzQ2ROOi_N3blyr`9% z^P`Mld)tR)o1m)lC>jo`^&H;o4g|Q1UR!g41zwv)<4{nD@r%+OfZzf$(MliA0Fkip zfflE3AJ-kP**{-~c;skVvbIcUWsWWVGJE#_v8bl?toa%@8Z#rAv&Kl&vrtz$WB_0? zhf`2c$|j)yf}#TFO(l}#w$&71OTPiOABivxV(n2UzVb>IA3A=rgB~yI%!qIiD8_El zF{_-@2}A;baQY+FlTlhy24x()>}0tD&vy@*74sq6`^{6|ML!gxX@3ozbZ7(~`bJi`OzHNGGhX44r>pu`b>E5-2Qb{$zty}&*+jq)5C1Od z1P;Qt1s9{Ga(Ehtu_x=hY-GNDNZ?%xX`y~;a?zF9&w3!lE&BXcP{xX#?sI{araRl0 zAzST`;3Pofh?!r5(9>7ho!dd2-goa>JY2C?4$1zp;1?3>eI8}|bE>&kV0`)Q_vO{| z&pW0yqUJFGORj*vuJ&Dd?dth0ap;I`{&qHtCe179Jz}toMJ-JXN6+2YKRACz63I>a zn@)MBoS-lC(^^c}!|OOLM4RA5-Eq-(mSTXKMW4A7&3uu|UetC#kO4UW zg_$3q$#WfFAN16EwMBZt4zM$eIo4t0Z%$~j6z2eRFa&ghuzVqs);p7Od zw!S#-aoE3E@2cDS^ac1{zqSpU48Z=>Q+MxuKge6Z{rhsPIe)Xr#n@O|8J}b|mlXr5 z4>>lj0zP|Bq#buYxL{#hv`l}*_M!Lz(qmLn6C~cTqWq+n`0Xlh_4qPgrDCl#$ zJw81xXl!Idu@^DZfAy;g>;Ob^9K$YAb`G=`a38kztXF#wmC z=E$Z>0?jT8Wfax;)B23!UNmP6(noyxrg|eYNjedik>+{ zyW#?zz?iZ9q*$lq5Pr{mDM=?%lq8*Xm|w83koh0*31S9e!8Y5+9b!DsOsZg-RCn%M zb0oQtq~bw<0yo0S9VhLr90etbQ${h%okWuq_=Nx1TS{SYPyLR7es1#D(f0=;c_C0U zdkj_p4uE;z@oqIgx8P~Z1*lJ*il|c9tLCOv{-}1gIQg<5x=XaFoFE9^G?&wJPoT~u zg+KsN4aOJT$M|ADllyP^g3hwNjRZw|*IIK^qkgZ{|JL6{UF%>{-RcPP|C#yL?}3W) z5rB)^#KqgNtUc@zy@NQeuT8=|L7yCkB>7S&UnMB#e=t{Z!&Uc>MeY6b^}X2B2co%l zCX4*$F~OH^pVWuD6W;oOTEAcJ9;e#{&rd-fE}g#%{;mZ*m(>SO&%HKvvP2JQt$lAG z6c@QHRxVfj(~KkgyMwA@ev5TF^SR_FD*@agVSatA+sBo3gwZ&9?Wv^4uGnBNxI$fq zqZ=(r!3fH}a5#$TK5uA`C7pxke$wpyXwzdX<1jO}6&eVbB=?toG?YQ9P_!(W7r~y% zC!IM9jRh~1Mrv&CEML)2_9-^3d1atA{t83N$cVab3HYMt25Mw`moX(Rnxr}02Ddu+4@olY*{YRUih_~;vsB3^a` 
zI9&7+#lthysIAG-In5B%PvpxbPgVHqx@KydofX%8p-}bYG|t`eo?l#) zrodEe+lfXr8G>YZ*N`+If@GR^kr^6z&EalpTIc8q*Q#iED^nM$iht*YO92|=!6q%7 ziY4&~$I-MxD2^;dRtpEQ0K@B`e~T#nuh{;S%=i68RNd|WyRG~7`S!VFczZj)KIl$$ zwK~0?;ms@0_Sh(wzD} z^8`B*TfWu~?~#+x0TAhlovoNw0nxA#NX0Q5`tw8{M$)Uswo4vX-ej^F3mJT4%ido< z`*D}su1fKtCSjiMERU?>HM*({CpJx zbFk|)a&BWuzA&KG%r7Y5(>B&O$gj_*vWaV6CDqg?BDvh^54s;jC&tefLK7l%`p1HD z;XklEV%Y8!pa9c-u@xBTS1RIhB4 z`E;A)^&Z7>*!RkIy`A$t;{SL$>$j-8CX6q=Ah95^AYCHT4FXGd!xECx-QAK)gVIPN zogyF&(k)%m64Jdi@4i3y>_4#A^||JJ&zzaL@3A_dK}DC(RAQ{;)Q9E0ZS<$xUXD2r zQYz8v&i=3GLqHaY1?Y}1^K!O8h1G*^vzgvj{uW}UB;c8u9*`;ys_ z-Y8NqH8_YBd?V=Z0K$-)U8E_srD(s;nK!9&&Le?(!QUdH2TKN|3p(KGvtmhZAd@QU zk-7#A3Z2W)WNg$^!wk=wloC z1ujT*bQ(CiRuG9fZ;K&GPYDU_G+3WN(a;Cm0$bmjazpXtUb0F~R2cczFPz8y>sB2C0_e4z6s+71JR{l%U9ylH$b)L-$+3$X6LYS8N9e)L!I#2-FApWCt&dHv_%Pj`E(*U75i={i#IA)D9G#`=B7 zi8xEXywG4IFc=E0nX}t9+pgqf6w!o2!N1@%G9NzP`fmjA-=v=paF^kLH|EaTF^IDFX=ZD%u{{_l+5>{-fd z_q9e2Q9#Uq)7g&6kN;Rm?q#*)f6pzZQW;laGwd{&Fj#I1v$T%1RUd<=NhZLlzVMFO zFW7%3cO9>hokaZ}^Nn*7WeAonuno1JDU74-Ldcwe;g#RBBKsExsVC_aBgmi>lGPCd z?pq6So9_tx->e{iRtCV5&led*)MR=2Hunc1sG5Dr!;1?#xV4Fugn)@BR@!(nEA8Hf z{@CNivScJv1yX7S2X6v>(yMr19r4eaNz~~EyUC{If5jv?A{M{}U*t31M-;igZQ$hk zz{2=B)pWpzg`r92a27y{jb*Ct25bga|000i?e^vdX|;V9C-C> z_^mA)i&Y>0yzaP8Njq5)4BUR_G?TKtsHYV{ONvGx=}RN$&IHRhtuOzFZ`U z#Kg=eFtu0@x!wZC#3;FD0nt@xjRC{Y)qB&==v4Tn)mbeWkxa;ls!B&wYv=Dp5r~Le z@%wQvR$2`7h^2*Qx4CqtUyiM_<q<<{(e@GCBnm31jvSepLWin5cHa+e6^+sfXb~GbW z0+V?!B8l#@hbfk0cnjQ;+#B^N_RrrrXdVdx6diM6I#h)(Y83gaIr4c$VX(>Q_@w*e zgM-rFU9kN*eV5klFze0S*SJsz*kQus0p69*v%> zUJgc18qAW%$_!a!$;v3enVg{z*+|rkey=e|yC&|Gry@Zo!jv=&M)d@7ls>>WTMLAE+mb-&jPXd4Owl6gN>mYUadu zqQ3JcA!sA$mg;%&Y;hlP&*uc}-*tC)f3snsmey;r)YkDhDmWe5e`wPWI2;JtGt0gC zsNHxl#_T%Epi*YbtT6AnaD6pSIpcQPeV6!(XEr|ZWF??o$jABbkk`}e=i7;=nUbIz zc*iM8?)}3_=k<mqKE zKLtWoDS+z;Kj>XI&MzYo+e4(uHOGqY7OXUd4 zzA*{V#^;FTNlH#0ldN}XY3Y~!M!BPK?0;`|il5DGF3&sJ@0zl!b`V)AV_5xaq{DnP z3@;RX7{Fgc?#5#dP6z3kE_;NbgW_C%a!!7&cFK0+L^Ve(7+m0q0Y^5z@=x6QT>skf 
zHwb+#a=4}VTU^|``W+Lmj(0Uf>z=?QeQF+SkoUXG5TN;iZ^!S&nyltJB5rL*bkn8- zTrp423Ww!7F&GQLs>Et88nMa zg8EDcG%(~-B~|)tW3?t`i+D%}UO?+u1rUEql&@6(oL-M@_W6_GCk3x@gvFeoN|!r% z^oHjLoZTDS$%(|e4mFMdj9+mg`BG%=QGcIfeC1OS4wv!3#6~Mx`k&-joO84$*qleC z_;k^_)H;;L8h1_Rt>#<{w_l6PX}7fT2~Z`i0nEs!%RXZhofk{5pZ5m>*9#GDj*1gH z7-<01_0^#xM1A@;?rM=W492qzX_IIadMC14sTy*UWWc>#Q!bNkg?qf})12Xz``8M( z($BqL!N5zviRQHw&CPe-`a&Ho*#zOn&21Ly9ew-ndvO-;)$yFIliTdMn%(%w*PrMq z%r7N}jvA2IXG-()X#clIl{{KM7=SrAhU?@4P?acY<85_qLQ?>n?iI`jCB|E%`cG@P=a1SS#H%L&VUL`P;2m?_^;Xt1eNG zdY}}kZylBl0~fw(dilpTz9|uz5i~|TaRsG3IbVE(0L+%)*MQG8TrY-6=9n+Y@1|u@ z4X^bYlol~QF=!_74#sW_YpSAR9ULukU6Qq`zMvy>zjT^ju{LfWSQZ z^XdpCW63AUEcyDW)v$BAq@wzD0a&77y8`NrO!e(AoB97(+=k@IAe?LI?UsCygwXG9m&pqy!Bt?iCLP3S&h&B6!8AL;;c)h{CG2fEa1*m0}>oH5YD&?Si9%pRbs1a)zx|Fi?l<{rIew8gC!25f#YQ-v&Yp!xW#+74$YHqXSI+!lOZ# zQmD$1LapW5q-s_?Qz-kGn=7YpV4Y**3ud9sUFG&@%VjxM{Kw*l03i^WQS$Kz57uzP zTgg}7&KMLzPKs}AOye&lR#F+#ydi_$D5rWWHd7YoZ!917UEMotv*{;N?$UBr$< zH!%I0oHtRNnvhOCg19T_G+^SP&W<^Fi_j5U!) zrdD~y<3s!VfnPW)#J~715D(JAy?Y<&wYy=G=gWjAYPqW@)u$>%f@1twHSu_7+tA{+ zd;L{Ww*QCn+L6JM-|oE;Q22Mt)m=xnVc?w!_ZN6a47n*b0bK!*RDv5DB~S7jPcEL9 z<65hmSDk^Dhe#GLlsvDxYxX`37cMC*0)YhG%pI%aIXZc+i&=pFvG{xH^!#8IwEsHj zrYUGwHE?_FX{X7kHS~|c3hEa*1HMZQ-?YtJrg@961_p6`_*j{8d7mMR1^L!Q89DLW zR76-z+vc~L50oWpdX&?-5@(E$g)*F3>6pW1#d!JW7-V}toGsKMA`^mAd6${An-{pk zTVrYH-eFv<^z`}qDWs-4ZXiYiOzi9q${i4^p`QHt{ANV`-Oo#Nbg}}K?fcxe$*FHZ zm5SS2_OWQF@rQyQn%4kAGlkM`%Z@!D7%lg_$Lv)oRU0Q`KL>WtH_t9t&qmr6b_mH>?{JYnCYl zVCnBe{ry`;Diw;GnABb!fOK&tc&0UqwP?f`T`HAMUWA4hxMAHHO2tShi9v|*Q}W!2 zhQ8DIy=Txlh86WACuR^G;I^0Lk{xLC_hmBmzHJ@@_l5##1Qg5kL*U{XW^R@cR4NH^ zA3%(?e{h%01s_V@?0DgNp{>Z5w#0a?>o0Mbt%>b=f?CCF)J*+~E_BKAQoUao<8{eF zHdr%E!3D_TR6uU+w7hY1EDd{PTDg-xO^uhIkPkp8yKv?v*C8Qhe{m6v#kK`j zQbN~?A`q_)(@y_+J@nS^#OKT~_vtd>p|>Qc>yQ%p3*a}J$(p083S~}?u)PkRO2SFC z3e{!6J7a_LeZvFG{$GWDcy}EY<+t749%iM>U;OX4=SAT)fwz0kCsQvcE}#AsQa%4V zns@5BOEWgEnxjFTURbfipn8~u>%6#Yn0Vg*i#SA%&)ZM4i!mnw&m8VFs6%KMi9#gy ze9O0{s;H9#?QiEBm-%Fz8{^f-$H(KoZjZBR5d~`zMLQqPM*v0vwMGVl52I`M38EL= 
zxesG&H`774osat?H62k}diwZ3LCD*48fc`NMbr!~=UaPtf(b@~A2%UjN6g)SEOxRb z&yW|0&BU?ZXhJr^F`Kjnv2d*ExvY(`Fvq_JHN zCXJfQs*=KG3!?#P4CjjXf)TmVm_H*j4Qe#KJ!0K>JI3;rFWeAe7V6<`@luPU=^u+U z?4GW&@ZVvqqKv45iMsSk6<-PFqRB2YoGNgT)a70Uz19i&B*#noHE*W(ZDBrDcT-GNCm#W$hYC`LrwHALtA1it3 zyJ)Oh=mf0*z&Lr>Pf?l38);90>m;zbGhQ3HJ?KrBvEa~jlaEp`? zG#PJHBjb%QQ7|x_At~J|;;xSNr$zr+hAu#=N2Ve-fQ3wleK;ZL_zP~ej0o2 zl_5n$)?>%si4Ck6i$-}^mko4=+Xg(ZvTlquRJ6wU1YBI{fw>mUx;!=RU_1Xp4#APa{r9vk0hs0NCwhF9acHs1KX{yo9r#X=`4MsGVxiCez$w)h(^=d+)-1y+2x1& zMUFFnufW}_R)cO+nS3gVQ_jor*;TxhDvguoWEKeaDs|N9dH^AM44|0m!PLlaf;yDu z8f8N91_0c-Of3?Fq~TQxbYEUhh9R5m}a zUz?t+FKI?P1@2-?Myy1Ub;?1-@BhSVX-KonrqqjzkqwWAq#4k{NNV`DF~XZFXfz~B z9#EJ6#l;8TJWIB%Qb$IDcbrDarqtguc?GSEzB3EN@TGYYYKTsJr}K#`9dtSG-uWTH zXMh?8zyzTc)>VHC1_Q$ceIeBNq|-l`1*eAu@cFSvO#w*3s5sH$4uNRpa_occwv@BP zW%4CcLEXt3^gebL5~J8+^}915d1A5aoAN#bvb3GiU`z(~&iFsV9@jKT@?!<{fx{6x zs5IU2U!}Q1z?uQ}gjA-S(rVTU1eht|qWv2(Q%G`RKwMh*!1KBlUO5bM(L-sj})F0)-k;L|@A4F|G490DWe57Y;5RVi4ncY1D%@mAt?tBrk3J1=$z5{`LzDJfXJ;KbD- zN0t^V*l`S~l5$d`Ka3naJ#pha09~Upy+>3F)f5qG6Q$KwG&f_{!l)BJN0UHR4a)7h zY+mJ-==DGjz;{52=gBE|&^t~`GVhC0HX-u%2YKHCk&yFG z)77s?TcnBjf-NzKzCsGxlhr1*5|aN0y9SpUrgvnPf21Eqw9IPf*$uF%n<74bTcG~S zoU!zVqfWD=oIW4Bl*{LEX}IXJYi3K-fysP`TAu!S^FAj=03g5m2^BF>kjULXwSKRt z6Tjrx+EZeZ_>YBN)wFi}@{y;L6;)ILo~4SYuf*?b3S=SuK9EKyHV8&8F5o>e%8AaA zyu?MVF^?CKm~B_?TUS5bzzR16vLKrq^1I_VQ+Ti3c`S!=UaV}}3mPA?fYw)6{6>8F zy{io*rB?CuyNYu##g?ylxQ8ac@GW7}U`w9-(lry7lAx!Su+MCv@NrYBNWkBi z`daAFdeyxp+;Jgt^26`mE~`2@9Q2(6%eW;hZJTem6H9^d^KkCJk1RkTi5F8C@Le#`? 
zoC3gS8VR~?M;p_BEE1dQCgTEhgEiUWhp)`uZoAkD`*4f~l6+Zr^L!DT$xRd1QK;lU zSg@7KOHr<#)3E#}aGTXFUAdD;uJ!Sc?zTCWtAuY`Z_NZhVk<*O@Q3fA@U>k=L_S< zhP7KftL1#xS&)x=n8}%5c_Lw?1*swUIV(J`_8$AFuX0qK_X~J?dwBHrEm%)Jr>yRc z+L>HxR!26anw?Jn2w^f+!^m6v!6c*u>gMvRiX$`BKK}$WuKF# ztOh($R4P+3kHnXx_=oo&_5$XwMSFckmqix1Q%z$hWj~yLY&vr8aMW3@rVyT;H4TEV z4}Z1eugrRjM5aC(TikHt#N}uS(Ws z!cSiVYt}1*Xp3a9)X3L;QcSN~Om5}bdDYd);%}dC)Hg5Eqp)u|KPBvOuF!1rzJ4Pk z)b!~YW9e^>qFitaG+y+XXX~?ED;r1nl-53?CE*-Hhzq<=q#jS2qP8%Bx^ z(qxo_Vb-T6T4Qpeg|&2xbUEI47<*9qojfPiz;t88rObCa;i48+4%tih&)js}blR0y zRbC|hF5m=7;fJfW$FT#r(_P*3!z<(Go6iYGfu|cyoi`1}_gBW9KG$t010PQLh~i8X z96wE;&3N_nZCgZZM|I;#&TAS5Dg0wWbq&HWs?n(+Dn+Jw$@$6*`{nK%4YjUW-zK9Y zv1Sp^o)!JQVDD1Azr8)Dk^neP8uQ?wtO3l}LG<%_~PEGKSg;jBR;8P5H(8Fh{R|7^e-5fV;z4-XjMO1h6 zxvkZBG!dmxXsAT2Iz8?dh@to)+l4%RNH7wxdjI$sFyFwQ13{!hbBohwH+QoY!=ySc zz(To?#2F_fgraTnxFSt zCv-ph7n!{CIR*a^z&|@=Z79uE6&6hW&ZBVU>eAwO=dInlcDsJ^`|Yj1fwqZ(_ax(_ z?iBY6&{SlNG2fp{j=ye(Euge%wLkD)-tl9dR6UYiBL584uChjo(&C)Md~0T(aE~4Q zms>$(6dW7BR-e01o*RNL@t&)$kJAgLyZ*6Y?|3-(8ztKmh+TPnT-GsudU!f!wdRTK z2Yn`x>0u@yth3d|8jOg`Z*6Uo>z_TCwViFce_VN+QfkddGSN6ckz~JyGth&i9_fA8 zPm=pQ()qkx1^ad&)VX5tTiEaEd`q?Cwu&8l_I}w63hn2hCD0(G7^rRi;aaT$RVR(; zI8ll03Fz#^kn-efXQs(VrlrHjN6BMyf8>Z=ZE0CFtl~?HFa#o-;cX$A00fX8fa|ix z5B((1M?sIdk9M8#EDragGFO=#PQymboKtT-%P@(qm%b9c-?J!Za7GHpfTu~yR?XrU zOFbDeH>3KGU2WWJ^olp!uid}tq{e;QF-7{%Bj!PYgeM&?h8_zmYfCM)gq7!&5dvPh zrdBc7l~q@?G#)?=b)fZ*&N#V&Pe_6$cK(;6$4^Qay;Vk^dMWAh~(=He!>0uHSx>pX1qRteXR^NYX}%CGHuBt^Na|Zyl|5+s7x#gL?vU}6DldX186 z?+z+C4IyD5-Hbu7Dc-tS?YMTzJCA{5_jAreHg>*NoL3k7vu{s&?%CHmf3*Fovz==g z%o*&Ka0(L?$B+Js8ttT(_TrIx#~X<Jm7pTotO2$r5io`zY2S0SX}XWK zVWvr7ZO^Csvo6l#;|R$$)l+1Uz+G-BCG%U(OHN!)Im7ut^5YYucLU1xd_`gS@*oRx zk$M-8?4L}a$@@W151%V+@zstey|rVnv@}3$)?LtD z?(-1;(^?wIyZahM+uxqAB6XC|!x|?r|_aBR$xv)*i-}dYWmaLx+zZsbl zCNcR69cMSBD^!o`Qgc%9#R4V=7Ca4CJnXn&z18El-kha@&BF1;Gorb~aEbw+VzI zSR;C$HO}PWDlL-7V(9!)9x$42&nO?Ep)HNdbEU2!Q=1w`bAS*JKs6oa#w^?4SCwBC zBmCr97qey8OVwF56Xk}$}&C8IAfj~NJtPeM8t)qizCZ?i-iR-#BPb$j1lnR6X 
z+aX})esxiSP}+hV{eY#Es{mdY*AET_(r!K?9xjRN&H~s0L63))t;_LS&VE5U^H(u& zqe}j)$pp~fP1lM$w^76X3n8M14ue((_Ynn4BVhxAm9|-uq6X(i37R#AuPirWje4f# z?cBGR=Xrk(vO#;U$u=l^W)YYiB7ZYHtcjJ~9K(cpgjEXJC_Qj@U;q3=Fc_%G#89hI zMI#|KmHzsaW`r&FJZd@n$U4(2A+>k>i*YLQDM?m>zsG+&y|fxey+x18t^~8{&i#A_ zWJS~5^3P65q~w0syHb>_7Sdpu<0wty5)$kB*u=k@F72i508)#uBmz>BQFSaB2brS+`? z_BHI4g+p7Z*vVI0Un-E)O=CHWB8;+0ud z^rsLxb4JA4Tj6!gU@_87{Qb0`OWEgr2;w=gix(7l&ot}8`SV{~BwI30{5;%M{S^G} zC5csxp6C4ZWfK30>A;?=r0Do7Zz)#1r$AGE+XJlLW2UwAi~|FIzEg*s73ab2Q# z3pSK6nN~(|;`Y?89A!f5A>?;1KUz9Eeza-LK0Z;#E%IH>UOC!Ih)ni>68w6^`;syz zJ2QE(B&yV)v#TOJx`V*sXHkx*IIp73B}c7G3#Mp`DyzmV7Q!qRDI(YG)FL)(%nc@HA|>LY z%D03UU2Td~oMA&ZY;0^VzEH35_K?JDXrOGUIW)!oWKuSgi_A_A7`xov6$o3$9Jw? zwf8KqT{fH_BNG$fDldEZ!Dtr60zjX&bqlClKCfUuIl0#1pO8w{#iSFz8TSgjrF!rS z3Tjv(kH;9;L3H4I1aP-%>pjT_K!p|MTGOlwFan+mv9eVqV7JbDe05yM5f^Kpqt6yr z;K<>G%u=T9K*h@swd2SI@pN+)-yZ?Ei0}GlYv-L}&~^KB)qAHN#G_33y&~`l^?t-t zUnq`PxKjW;9xTt8dD}}XUM%iG`}Hfht8d%bML16W8@qBcJ+vVqY#7zUOlR!Qv}x5r zCrt-Yh-g^htMHiR;iU}|h~KJ({C>PFfg`dRKcOS|{q+oPk3hWWc!=(Qz2zIVJCV?Y zDT5P7BVi1>+`wx+2yV%AnazI3i6q4KEQD@T;1XrpQis=r6>&fv{C<+S`vlxxH^Ab% zG1xn*4`|{`o~#Y0dEOF2- zE5GeCm+zM=toS8?B~Ra*7aZA}f~^@Mx)jI)$RE~Yc_RYIS)g+WxjuoZlt%38OEp`P z!LG6sU+g4c9Ixc*9JIf=$;m0{><%&D<_H#|8bA!CJ7yNUOc)vHr@67@=_XH@-h8{} zQwQeMth++jKE7p4)nlQ!7)bC4aUF;%C3rP0EjDRx8d%DlT;KVL5Ce6|?q6Jxw3^() z!qY^)_X=OJeHID<9L(-7*7J(Xu`&U;-PsL$)jr;ds~mA|h-Zx2)n8xji7BV7F&1YB zep0OgpSavP;v?tWz8QU?ZR^gW8I$Vj+8j9jyQ?sz_qL8C&1SewaWg{!{-^gt0gG?E zifSZxxl$WvNe^*UBpLPb^AY5Z-_ddOLlE-SDhiD^gi9YOIc$d)9ddazNrpy>P@Nh; zae9EJjaeh*?=h(OmWcrU3()a(Ppiro3e~nCo4tXnKDT)ucF5x6DMk>&$zOkqIs%^4 z+zHQp!03Ez?Ibe!O?6^=sxGUqW9$!aZSrbDMBwCl_yTkAPDEJq>jVaA@sxioL76g7r_i9Dl;>Ly!UdyxfR`Vnz2O}d6&}DEB2kz0|)9dS_NBA*bWY5vj zQJKSiAaJ$BKK{=iB_>IY1|@niA&(N(wV;#DbJMlevVJIH%x`;u^JZN(LGBHlf(Z00 zK{T4oE(!=T#Wp+inm|;J;|pzH7%n3tQ~N@2B{8soMVS_UvG`peZqA7FY$uz4EYewD zNSRk6sU>yIN#PU-;r1j1-F=>SGM@KnXl>DT;9ps8>d&k=sJQZ6fumq6gv|+gEHq^& ztO{DOybR_H%j=E=BMn^!OpGEL`2cAcS1+Yh73Zk^0(eKqI1sVGqi(fwz(s4erR-oy 
z&k81}uyCa9vDNZfBVG)ni~A{-w1Lfm|Gjnq(pYX@6GpPypj)(GR&^Ial{R|1MDXhl zp0t7YSTTLdR)Dye&&6JY0+%+NDXZT&hP+0C`@CVL$WlL6t5^M=MKBGqX@a8inkU(4 zO<~CQ-Of$D*Qz#1yB9pN;<@cAcK|ov%U&(3iRe@}%1#Tt4xi&4-Pi${Hs7D=|MgRO zQdC>vpJ@cD5F&q-TFEf2A|oO#N!SaoY2o>8RhDvPVh)&G`QzVfosP3Zyr=c1_!9o$ z5Uec@zPN*>YEG3TDP-<=GIfTqk07;hOpunT8X8x%o}2`gkM{UoE5bT|;ZdfokW|?eg-nPR*K@ zN9gEK3okU8fJiwB=WoqW4%d|}8USs`5V%9HOEkq7>a>a%TaCPYPi-%Hq@2$RnF-Rzc*E%2Y7 zeLLkV7pM9Nii1gGEh2fVHc27&<{U;=E~f>G-&{_U z7va~Dj|cNk$H&J@(?j=@_tYAvx<2LDIEn*XLpYIP;@b!r1Ii5er)B%`o#>SUc_hAu ztdax(#;MD77O7B$DZ%8iPt1%v+c&OeX^=*bcOdXw@Abz68c4`uHK01{(cQxUb(*8VZK{RF#8!0-fCldwFM3kAUK(LeaK!H z!vHzZnsoejOe|AA4YrtIRS6(`ak(Dx+1Il_g(Q=h<&pnKoAr=hbT5l9;Y+IlKrjrZ z;OLyad#jYbeTx(>FR#S`6g_@^>bw}>=Z7vIVM384K~m+FIDzzySl|$nGt{CXU8!JT zz*^kaU~%1SdHKG1LK+x=TtGl-hEosorGje3)%Cwum)>mAGd3`Iy1@uiU)+x|?z2_- zPuqW=Y8?zy)~wrLa$TUBZ&mcX8cBe}(b8bia%622%W2R=1u>J(M*)i0ga4r7r{A&X z(GW)&zLQ#`K{ds7kxFXOd%S!N(ZY#1TJWOgi2v5?`-Bm+>-10`^aKHAMZWJsL6$`o znPAan!s4c6UVo8RzWqrer)bpmiyaDH_p~6Nl3lJJaP$Kf5Q{8!5^t^5|F-*j@#3y0 zp+>q#HR$e<-)XhY=kd;4I6MCJNdU|xY4nqLWU5a@+t!=eb>c~IVR>|L0yB^ua{Egb z;@eq0H;$O_jauqxu&?4>ki`A~jsQut=*-SEy2_Ps#z#5^Rn40ak@9CbB;Ul$cY@PD z%%l8^i-AeqP%MXe$9a85?V5D`DusPE48#CkrH-U(iKO{RmzqCJYvt>g&f(~V(ZJGm7E4JiMYb67W_rGc!syGM6Z8zen%PIyZkcd z|CQ1?P?!~E6=~*!1T)&BuyDl!TghGPMV{NGc;jvG{`Z&TIabUQ*MtK>cV!?nLd*l` zY-QG7lIB@rSYCZjmVvS9kzC)%{V~a7#foSDMIQrpaCFNc`@7FbikOj$)JbrSCAj9- z#J_shqEY`?L~}{E{8%$~v{9_;eBB=+Phg!%Xc&>8B^WOr^S^EFykF_) z%vx%V+7!4e_k_dmEiI;S+Is6?+5xqiA} z%Yn&3%geC>V>!v}?mE00D$pyaw*vY`J)yi zV@G!QfFDRLG0>X5@m)$XRD}!;2>qC@)Hk~{XD5rziEf5dQ@K1NfhoIw?K=O8KuTN< zdSKsP9R&m|fCw;4tIEr54FV1$ae>JIZ2VW!v*60D`~*?#UUcap5Vs#ytjC;|L7iK* z>#@h$tC4w~3HzhW;<5v*&rg-=vw+eDcbDdfwlqL-CiaE!!6#P&$k?39pa5Hi@$QR9 zBLA(8rUEYB|8zwODzii5b?c)oH}LL{c!_T}i`@1eoYMn-kV355xk%|1f>oom?nnM~ z&qQX!;&_=@iVtHdYiw zYiWJ;W*d?Eb%8g_%ics|!z>B`&x z;(U8{*Er}l=y?clkXL$Bl%+>4^|jMSj26l-CwWoZcKFBuHLjjvm0S|$Nq@%h`YG4# zkVyASqDvTcQNF9X*<0HFb$G{fyN+>(5QVCod93nkBTJTAv=i3LDOG<+-4jS+IoL6t>Z*4M?F|!)C&p#M+zWH 
zoGM-=J%4K(53)wGhMQX-vzfjh*^tYQ$k6GUC3Ry^(SOP>cX6~>R6h*KlOm{eI`633 z7|iWpA93b*dxy*$Y?$EL5#f?fsYrM_PRK9kajugr(v3m+T!)AUCZ4H`vYA$a~W1*_NvKN!?9y~5w=`8faFPckrV zINT>D#h~?(NyxX;;}`bPzwd?Z{^OHLIs@uYo}seMCQ4jCb!oo2St&vWdiiY7#-U{< zqnKMbA%Fr=yvG=^Y+oeZGL;jNnQX>NM+>2qPwow)-_aK4cy}t!+jR7nm<{@iNwbi0 zls43LBcgZU3pYTVo{TugFr$0HLnyZla zyO~h8=bdpqbF+4M|0lA5hX1@kI2oe_VwPjF>tsyH2V8=FcRs93BC;WooOqq<^ZiW% zr0aXLc^t##mLpsuGmySM5|XspB3~-Dbc(MgRqJ%eN>*H1CUax{iM~`NbJMD00P0^q zF{uJVBauGJdYY{t@1fA6@+B8r`OPU1nO0c^qli#Zq+hoxD+`|MVOBytNKYUUnG{V+WemsuEt!x%qsTy+rr>sykrz)qjenghIwd<@>&-xOrdWVOQU|KUMQ6!KQ{dI>9;AZ zW-VJPt>RiKfmtGx{nTYDj7f?JlXK>Z?9~FV%s&?5P!tK&E~cpj(Tzlq3@uMTEoYs0 zLExThNukH9#Esi}#h%?b1BIWERNL4S=Ju~>7leSO+FjxsHx)E14&dv~PsqYp;KvH8 zmqGZ!d7$*8y#bfgH!|Eu%}nPzW6RYCZFn&2s)jkeEHO9ch4%06Uss@eoM}IMCL>iL zx6T30fBgrP!UNI7%wjR^9T4`VM=jO*PK`YRFuCXxgbbqk;Ci7PVXu0$aBO66?Elzz z_A6&KXDLZr*^Gs*4Ay8k5+=9Tj>n;W&`^Q%PC~Mu)UvT5hAiR(jI(91D1Ux2)to0Mt+Js9DXSJ zNvi4Ve`_Xled>*HGadI+U{A-;W1@H|*8P)D(;lH=YY>Ry~3q;G6BG^68C6D0z$#LU?|=kw}p zYmz*t^%OYLiobO!?q3YfSLA z?@kDlH{GHu#M+8XFE!O~cV$YwMKwDihM8Ha%(0{BX7f@`?h;XCe+*0r_Aso`K4@|L zQW0BM7R!n(&gF_i!$m^}W*jkJ6yQp!i}SGK-O=y7b3l?`1yA;w%U8=2(i<5XQX~v? 
zoM6gB+wow33}$(hH5d!=4Cm1>|8!M($3E6U;y-BHTKreb0VVhRb+(5)c!B#@1qbX6 zjs|J z=TkOA90P4-he~lqYE;QVU~Io007k1$%SGD*_SMuoktO1^M||h%3!^Q)^i0!f^UIGs zn=+l+q{D@ zvSeHbvTBmk@Ytt@dg{_k7yWK;ki9ut6Rg^_CQvf0KB@nUi!e;V)M-Y+j6tdTh)`Is zL9ZhL%C__q7kkoht>Yi3r|Zs{2Crmat)fO!n|-7gOLQlQTv$79YeCNp*q!ir=51p3 zrJ|~VQ)&!7AHmM%{QpYbg)5gfE*KwRqV0gW752{BviVdb%=H zhf@Kjj`b!texMrBK(olMpW}Q*A7V;N(-<9Vo7EW<{Eb$Af|aw+GCCC|{ETVtK1Q8(kZ}jg{MIE6-{jf=NG8OGq)A zo=?7rwjJ7xnpbluYMR`(PgNu3iLHT8mzK*r9QXnC+(}K28pQQT)HS$T-PSIChT+e;Ub88TvO)VYPqPI z9W}98aN&-OiNYdZ(!LBnt;^HPbRd!`aP@yYomEs+Zx_ag9(w4MZjerC7?2oB7`hv2 z>F(|>kq|+K6r@{98l*u&B&87;ns2@f|8vO=YyH-H-m}lM_kNxf1_EFxAr>HQDLFEB z<{t~V^E*67ga}d0?~h-cEoLJ`VU^^?{=|&hBmHx+NwxFU(D|RY_k9>sa%Zz(b;H|% za9Z`d+tTbH=`Y(O7<%1B&i(=#MO`Xr*j)QuZL~xe9A~cK_Ntg4f&7(S`GKr+f}D;u z@u)?DV#n>1uf~Qze1z=j$k?ECi(0}%yWdNq{K-r7Mlu;HE!$hC@m7}`w^yg3NVHbz zZ`!azY9So#T{2+2`+k>>s>H6KzYA?Jg!+E!WTUq_|F(+(ob=-)Wv%jcZ+m6c3g&n6 zp?UAFj-NtR{vD<$G8^#8Hdt+SW3vjHtx(hs-(Q#m@UycxRA@n1jYy8Von8@1#?mmH zcJU5VleKVLhLK-ce2ecoNv{ZKDQhWy4x;c5`tXl_eyvoajbk}!cW_PG<^#Nu-5OVr=`}b!9U0{ zRVzua(1Fk{+4APoY0WMdn3r~)BmV$|B2J@eTd>Bf(=T}E?P6hB{TKu1`i@ihAYggt zb9-?lJGf3C^Fwdr@@)nF-{tc@WidLJ(sIlvi10BXtu~><-%t7^X;mkeOAJX{f^Z}P{p!T zV7kL4N?NpJpglL1_$*K{dyx!CtueBB`_(w-mgi*-CO^UZ=Prq_iAK3rE({&M29PM( znkJ?A#OlOY218ip%%#zKOD^o1@v{uInQ=$Ym3YrWvl$^0VI>$9P@G8uexH=7#SotS z+x)wU$y(y?SfFzNaH%#p{}*xlN=6G*tIe*HWY zKW#gJd2G6)6Vn)9@|qJ*iuMxaFind^sg!jI`SUO=7-+`vkt@Gqwu9pmW*{jgQ341r z@-gwp*6bW*(~oH$L_)3#?CCwFj$w1e{G1V3rEf@aYQ7BrPD^vCbu|sT{Ug=|zn(Y_ zSe!}{f||ItbXZWY)OPfARXL-{fa{f=a^-m4SvlTcEpfecLzWSM z5`*%QK#;@+@}s}b;0Cg+t9Qq22dsB;C%895L!FBRAeVFDx_sk5gO zGdZz&xZO+aIOKMh^jXXeOPHvD+BQsFSO)${es*LLlw8i}%j&+}SbJ|5J3+ISbTaYF ztV}A!6Xe=pVp#YP-VG@dM;Joj@bKxt!zP>Ip(GJTeuF5o?Rmu#!5KGgmP*#xv(%W*#$bpd1 zWfZ>U?Gi)7VsYO!=uFGu#xwBwTjAJJC}n67^A0vNz9oMp zW+?=@A)MT^<@Ya17$itha^+Vlh_Z8FyAI)&jw+2KzsWml>ki}d0A*yErue zG~g=a=??@PWSXIb>O@0zLg~)`49<^fNQ*WNvl0Ad(Tqbj$m4uE%U#YEDwk}UY#(i< zeHz5~UL+F|Gt#qOdbN?}X7P^&Hqd#s*;zdKce$yVv8kZfEKLXbmTgC6>nob%-nZ0@ 
zjC{IkFR4kOI-^@*UME|YJ`yi9hGz$NqH1ooEJZFOXotFKWA{(45%WoFSIiW`Sw_wa zt82oG+2*A(GQA_?Q;EPx)cDY9FyXulHBk~{UQ>;3R@Kk7Rm8v9x!Un>v2a{+{{hhX zF*(N`Z$<*PY;?(oUR`_XJt*ASXV$9_ch1QF{Rv>IeT8#IOHVM5yF(!eRQN+a=N zV=4jR_G1+`+fk@WQzCKn%J`EH-`) z`_z|ZOQ9Hwo-yd~Bg4j@r4zmMAB&E^z~o4V-O&Ptcl%pK#=$OI_kP=*z-20wF_}`X zyD`q9HMh5dI^@FR1UmSn71RdbZS3OsxUmO~T?CF7m+{0lUY$ZvV?RG`+&*rY3B|HO zyqjs6QWHQCIc(9gT3T^=rL?m1Vm_iYE6pM2PYErqr?s`U8Nt$d@?YHq*gx_Ku+f(b z;;9%a!sLHjO#>AmYz*--XJIu05Oyq5GIr8ZN~`f;B&8=D>q#NBM82(~1J6Gz+KXP3 z%X79!0N5x&-;$4-HtQ5SGdIg91RN;(wbnFgy$UNsd6#IM5+kwyAR`5Fb$H)qm{F%D zO?nt*GxfB8sB=x*Y>(8(UfHL9H}H>zbk9?t83nP8eunLlg<6S|kjf^?sooBFm$4q54#AiM5sw>u3o_8C!*?0QeY8oK5^9JG6?l_M=9#{;afXuB1qo@~>vzA^kSSy~?Bve0SWLh@akZn1=dlY|Y>8WB3eF zqd?p1@-1-1tU#F>5{%sx9SKSFz9v&xLy zddo~4wK{pd7y82Q;(qdeYW8;3E?Dx*vmdYKJmJ%4nPNbAJdjBy)H)GOZC(Jk%sSi& zTZK=Lj&jdV7BzG~reN%kNXT!a{(8G1)H|XgrCK^g)Gc>vnb1%$s^E~Qw}}z-`s8{a zHq>q#B5Go4D&KG|qqsw~5X#_5ECcPA^7-#QBA*zmtz0Zv2(m;4$f1V#X<1~Cb$1?DWyx+M!ae4@Zu$dR@0LVv(nPh+mG`Td#% zu}WV#;>V!Ssb;#9*X#&-n}X4xXWbp`zE8Jyw2zy^&*Qt*k+(%(cRBb^D-gjyD^Z@e z7Gfl<5J~wSE;X-}vfB=fmj@Y&>7sq8rrGdC579i*Jk;|gZ>6PbN~Q7wVt)w=?sWO` z&mzjdKMH1f5}{q9~AOsJ^1!x(bGeW zbez=E3VZmM&W@iHW3tF%-NEi2?tZ@@Hd}zK|Mo{_41|YIcn7-MKKo2Hdpk1@(IElZ z1Wx&XmtDaS`$oTcFP&K#kQ-K=b(5+bSDh9+_Vmi#%iqnz92Uf=zb|CtI;*$T`W5!K;~xh4tYb*_hyA4H1jd)$>QJB#0Xc^w?7rKsG<+irJJq)P3>p8wJUiD6YW1x>kfzhPWZg8^9Y1 zXJL-_%BJH++EY(a23S-6I=@x~-hI^RD;@||H(vknUr(Uc0rFim7w>IccQQuZ{t7?&lW z@?y$<#8`16!k=0m$0UGq7zybV9&>#1<9>!x7meVm@+bVw{Ky|_q~du0)7PgJJam`> z`NsQE$UyCxAu!j7q=9Fq#5@CGI6l3~yNEJm?N47b>E$9pR;$enTko~w78<;$`}M^b zEvRE?2z0{jd81dGUj%tVXRjouI)n|3wcS(`-36(;Z?5;~qznw|?ezrug66-N55f|Z z*<4^gq!pnUv^;~o;Lt`^^*!kiqPz}uN}=V47|_qJ+Zz7c;jY3WuuRml#A;Ki>+~(E zJo4&x;B)1WIdH_{y*YnOS>KEADAA~Wpgt@R-7xmT12o*Lt7`wAn;$b+ZT&O6@hp3` z4sCYf&|8F>bifD+&?@zkEXK^=H_7-PrIha`*pbO;8GI+uM3>d3v|3pm%AfG&EIqDN zy&ne|3!d1v1V0Z>jHQ?bUoNv+e>M;y)61!?jg8Brr?+8Huwijb`VyV{otF;@nZj~R zMur8WeopNp?7si$&oZPf=F1sqAQaYZImR6^RsIJ9 zlYDSLbGGtV@;%wQsCKh`u|u|TzRkJ|IUmF 
zZBtZVPpT|Qf*-eZUme&&OO#69y)PGbFapln5kXP7L>tvRnnA?G>8dU-UtST-zTv`6 zIQV8`&aV(QV%bf0H8HT6oUWjbzO;cDkK z&wYvN&IhZ+!Gz){2BCOsRag22K{Th_xMBCDY7vvwBJ~<~?- z1pN?lW*N}vF7ET#*R-lLd@`NYXL%lR_S#q20aTM*Nfe-EQs>@nfDIi)fh9Iv!-f7I3xd4r#vw{8 zwT&x;gNd;jmXc+hSTv7X_`YZ&dzFDD zMl&7EdOV1{G89=Q_7J5=h;{t8KBW<_KyRLxiZ$$4T2nN-Irvg*ujU!Y`r1TC3NSnh zJi9Y-3oZ-Z2N#jyVbU8FrMu-aVgTT?>j3Bb9P@9>D*UFZZ8J>l2tXw^paKM-q_CX1!762sHK@&99iG(tBa zHTaba``wRC$xuRiTR{4_ccs$f`{Vf7HcE5;5ByYC)lK6p3Js7uSz=830dk!zV8%(h zt1Jj1gm0XllFX5x+`H_HgD`_TyMjn*RIR1T&yrccG3~6FG7H>XDvfie4q9@ivig4iAUu?7u@6Q4{+UHAvs!)`r6f215lHZ9B^ZFERQkn*(vcbv z3kJw;AM`a;YZA{GUxWEwR24C7vG}fo1t-zs;`j48*qas04%>stzpJw%E5`1m*^P$QE})Cd`dw*G{be=l>P8Y$j) zrWQBvUt8m7r$g3MY0GqZt-9`f60M7unTCo*=AHx~LGjRpSkCqM3VbdC(#)}W68Tk% zh0%;$+Lsi5(2S}`ej8gVP*y!oAsVK2#gN=3Hw*fC*u6L5N~$*|aeU0kbK0cY3zmN@ z7J%6Hs>Lq9C=Fm|uO5w5)F258Htw^G*&1=a={u#H@`euU1$j}PXKn{z_W_corl1-iR~gG1oLib6x|=EO=t z4uXB!%9!%JUE#6OAWRCuRW?~vXoayGi7W$JDqAdh1U|i?Don}RiCg5wM<6FVqm0fx z8$$mB=<-L?tGtCMM#gm|T7^g)6+i_N4}br{BR)Ajxv%w_EFR@ezJENw*bP#+=wn4v zO9X%vfFvV;*c3h_@vNEr8_tb~qoSvgqKq%9EGA0F%F{0g1W%uKy4+;3Y+?xL6SmHmOiWyiZC0B#;yeZ*kjBsgpD}P= z#zVx{2n7;Zna$(F4%fhYD(Qy<{0`x(2hMa2w1%c|%kdyi?WDL%RUi^5ZDbe_DW#}D z=a?wK2e#Ikqfef%U8!E|OZj0CZ|u+%<($};VygWbHIm7cf9V^s4>j~FY;AByVYMk5 z_Y0=|-SqQ=i*&4TN1;u_g5h3jYG|Uen7f#{AY6xDE=h?_i--<0>T3G|3#{q;xQk0y zD?-KaMw38IR>EZC6pq1UShKj?I#32H-RgJqYwYlEeq2sT;qV(}NeV8HjjAt_>2m5U z`Nv|z(q_+WQhE3NQG6K3ON(FnVw6FCqk>Nm6D)&69=#opOTHFkYEcIsgpI4x^R0Yu zRHpBqzCNl-vocay5)bde44_ygw&Bc{T?Xj}dzFgY%$I^Nt5;v{WY+J-jh}Y%uB?n* z=B@jMOeDlLS9;nw`zsrY7=xEz)?|Z~pF9`7akwQB7AXN3NWV)#id1^5#z&@S^NsvY zLn`FyB7!Oo4zx!MFM~-eKZcGFql{qG78fswrMbN-bm10>{o2zJaQX;04Y_Tv)GH;2 zW~D9xinj^XnTyI~P_=OB7n0;P<1B#60;vN&NDkDJm4vdWd_$BAwa31W8Dm^(<}0*s z8)*Nr(1k(r^_4(c&(8vITeWnik-Vjfx4W;w*0wfK+S%dp%W*e!giFu}333A`Ag2td za2@t+9`$Ww*ym(cDmB66O+5gef!GZI@}ON4STmXTvbCi?aj_l65E2maNl6@i<)6K< zwoE{C;@w751gor!ntpK&np3kOvLmqC$6pt6+3$W>tJt{Nq{3hKGuM~vdA=CqIqC7R z$c1;TB~%^nM8KrMWEAg2?K3V zV_*8!jmb?j9RH(8JJLox7hr(_>d2Y 
zuVe~G80Z%Nu@GkWP<%klYmKt2>?>J*%vCpNTXEkmWWrI1t0`sV9C63ZmLB?>$rAFW z@T78-Cj*x?DJQ*!{)+f7g}IC|dmA1}tDab3dy z#%&)@WO1?T%3!0TmR9h0fp=)S7zLKZ0XmOtE-oE|MbCy$3Fdu>NR=W zeTw+j1y0`99tOVIT~^ajy07As%Q$wq-yX>*D5zn<6dtD+6}fcQMw5QnvXc&e*dH6E zbgY5@a`F(qeAG+nUU8b7nmiS+U}Z%gOosUD z`E&8vv+Yxy;B>dG`0pWEIDQu&Yld-r_7sL7MgncMp;>R7<`L_xh-l9~aSQ?zd`*Q~ z1Lp9Y_R1Bg;~$u5lTW?7xo^MCkv{#i10pSWdl{Rx6+|o@$4@vP>75B)w%{>SMNvUh!=Q=v|ek3)GDF*uhVsT zKIFlDtaAT&~0LwxlEE`Dw4{**m~v&1-G2Ypf5=LK~`E*kz?YHM5>cx8H8+Ate*O zGKuH~cr3)5_eeXn^!qo_M3*?%0N=yGM_sF@aH$*UDrG;&KGSUyT_X(K8CuYeH)&$h z)!Nq9OhVPDpuyhwkHwEp(U^XV`33l?nZ(`2ERVFv+OP6T90Dlx@%B`zWjpuA&I~avt_6pkjd22Hjv{_c`I0EhHENwcz|?w z)-3pL5(6&%u-T8;aqB)@ffnRi4rp@RHXZgQ_{grooh;3RTTVOwHd|UP`x6E74(+21 z;9y$k=34YFfChT!e#&eX{#D0EiA!)J1P|ang5>BFJ6sN%>HCfIN_?96tFA_Q`%6wc z3XUft)T}OlN?iT8-1x^rO*aKqEIf6;IZ-rid`QP_-QtY0M7H;@-PGdYe86cJeCw9P zsCh`Y+0t@C`-Sn@jJndBqVn zt=DvC$Cw2^ZI5V!U!$&vJU=D`z;%pCF}V}EvF(2n@sX{$zivT|qZB|!mZ4jxBvN=E z{VSb7`AK-+G{ds)-TSx68I`1fN>wG-A7ArrL{tj%xwF^N!?;nHau0;^A!flqsn0%U zo&^QFMGIP}pt#7Ob@keN=lpj6 zyKTgxx^6*IMf?&LsM7_Z4AWPc9aqG9)-E0q0M~hOW-WS%P-&@&nsBLz{@6Mv5`@+K z0m(pQ!+q9qBT$8%5{0Psh9d?%*inH_M{no7A1!)TU*N?w*W^vS?P}|8Ke_wm)P*O% zaq4<)r0U%0a=52apNv^wtcfO!Ew4~&4YhppDvU~kz{v4F7?eiW+PGqn)r0i_^{4(FEl5D!v`j>Td@>_F6F2Gr?R2(o&rIu($ve5eOslID@ zy=PH3>qT_L9~@h(ErW>AIaA$#EX4NwYM7N)a8LpMieFfEK$t&tCMK@D7f-t%M_Ssu z5AjU2^)kbU!+j=`98o6yPCIvRE~S=6YjvwCG>T~PVuH#4l-E>~?3n;Qz5ESW+UFAj zqB;U)mp}*M!pI(IGVpSFI@5>Exk=nDXXjNf$HenKPRol)c&*5{^_auML;UV5t=VQL zoC{<j}z zuF0YGv1T!3)pS2R{H1-m!mq1y{mK(TC3Sc6`}x}JvC6Y^vGsxvkJF3Gubs(@-(W5h za}gOV_v3N%e&gYxrRc<4+)~w?KBCtgo7@stkw5+eflcU1=_W)lRPp}Jk2ZGe_))3- zRp4)`X)MOqui*)iGC;}+!l_B3bE!lhepLF}Va-4_dYr0k>6^2)z86cokkV2N1Aju{ z_HBmmrMjrZxqahmMnty-hh&EnZ8elhA-H`Qm>^8bJY~q+G6GC{H>t>a!4@1+=ozx-Ud+{hemVV{5i}JGxa;@xZ=s7#LZtqr?Fpu6k-dpm zZ$ItXAViI3+eWd~Q#|@&SUwC!EB$bBu|5QU_xR8Te|k*m77`URtBW9$S*qu|Ew&#q zAMrbt|6Ij#A0uD9)=e}`;2Bm8t6+->{ra++sr&Z#;9De>*mOF%;AS^0H3A%x#nF|V zS8|-z!hII|g)~J~bcU7}?2*O8_#+LC?q&u@o{5PlTA|g#Rjz?&Njx+`PX%TncTe}H 
z(B_rnYp6{%-!cJl3-Jx8b5V#4iZY-BB|!~Zbj;__l`bT(M3;4cMTGg9OpTuh5Gr)` z!Ak#2J~EP68L2FCWEBic>Si;kX}#msaOA&d(#t|;oY(3Wnx#o{JyAg zqvQ4XDo^O#cdtdl?l*LKxy>N>;b~8ZW(XP|FIBt0$5Ji6K|M8`YWS3FVqu6JteCU zifVYSFJpc=J2eSIrXDhg>BEbyLJi?8MQeWGxxI`G= z9AI#%qZYR>yvK+^MAt2TlsEo(Z%3C6dXDq>)c0gc+{VrxaOw<&W|7o!erZ@U^;%nR zL)rwHC&dYKd7N2728RT_IDZ^o6nrT^ycQAZU%vH&3Jp;bxVwO8nQ4)-nxHlvwTE{l zwNzH)wv84t;1d&LiMuUrhUH_I+FH}Vhhx_l?Y|x#K3H(d`cU(}))vd_L5=l2<+Q4S z)-r+KO4K|741s=jB{tEU8Lw#sc_Jzd5iH%qNMJ zjZE+PsS7M#bK&vTT*RFr&6nY@DVV?r-kru{P%qJ>pm$sWSBU`@U;(Ncc_*US-6j1V1L2Nd{ay^++$Zue>i>6E`ND zv2FY^q}T!gqS~I|cXB+s-TjzP1fdPFX#2CEp9tB zH~l`6(4n&_@aRNA4}FW0N#Q8ZMoM(GSFm{y({+Y;*D=NVNDkS2=OuEO>*4M%vZ5xT zFeZCLLEq3&DegDmWr|07j@k@3y9*XQZZ3qXU{VX1!zkNZwvmp=y6#zfT3?;aX*eV<%fA%Q!UoGrsF>mRhxTt)tkVk=v-v~|#kiO12q;2#TbQ~VN42Cp?GNFWE`=k$F^ zU6l$vCTa;uuK4knxwCyf37?TwS8Qyf*L*Fk_7E?oP^P*jcZ3qQ948BeY$(NQuuy$3ZZe`dfa3q%IC6~ON%XHj>IMV@o93i+O<{%{Mapnle_hR zkmhBHfV-b0kuQ7}qYlF~c6J@uxU!Z}Os&ZJh zkLep05NaBo|4I(aDc(BYwBQ1z)RDLl0Xg5QmrYeFa!&9+7BI^h+(^sJt#noijb!Ue zaGb_gv=B&!Ug@+GPQ%cL5vv(-W!tolaOi5RqY1e>xj&tUek$SHiij*uw!w9~mMW~L z>PJ{FB-)ByJ=IIz^qqRI!q-DuobwT8{EZ7d8&`(-6#wCGTpjRV zqgDkl4Sfa1C$rcEj7~@=nYd%>T4EmwVUZ_hHL{QgT7Y z1Tl0kkY9tN2lWwp-y<)1d5N@WOe%jpJLaDbAOrDbVeir?W%j0ay2VAr-v|+2Io=`L zC^hp5F*?2}wha1Mj9fN-)liTA4+gmq6DrC?{0O?wW{&eZM(HKumk86mq*{T1J!Rkh zyMFKC-Uy%dy4An)clRX-#i513#joi^~l@?|8gOp zn|$}U=}#8!OZf3<(io9h*-VEXn4A&zxibGD!a=SRKU*|%Gg>y#m?-C~>+*`q)ZhB7 zngW;$%of_8`Zq%Hq&1lQj)q}8dISUaqZ~5>{W1ohNi-ZNtG04-SKqVV+#LM0f1vUF zixu_B^=Vr}>TdV7bt~;%36-(Pk&k%GVbN(3NMECE`SiL&zJ?k0?-@D1{6Xj=9J9YA;H#F{{Bs>K9kJbr_#wV_7^m6(QyTe!~X5 z=Vq`D&2f;cv@%K2N{|w>EY>?dSs*UwQukf&_WgDn`L*6kZ@T7r>}PdiEzCNM8*skP zB07oVyMb5IDs5U*h=J6o=O!l?(!-1##sTubTZ0Ky#xc`W@}+wx?;xkJ)xkz?CDnI) zUtg6pC7S%0tDL0sI!9$7^rf)k_PBJ*q#c?1Hp8hXN6PSY8hqKp5u2w5{7H^|6j4ui zkjN)Z^0sl!RQg^cj_HkN9l=*$_x@+y~de(vBj0|tTwhwd#p)+AdyKg0gG?R%Mz zqn@|_DM-u%b)`A@-o}s{D%LkS=uMQY)(Ic`H@O_DFda3|!5^oOb6B4<|FH;IEm=!ZDnn!!|7PUPe@o?-K&_6~KD!^9&O~>2x$Sc!W%- 
zGhM6@9lfjTdVKn?UfPQ!dd78>&7`P^C=duZnu1;;;NkN8_i#X}x@AJ-*T)Ab+N2oF(^#ug%)% z#=``D$j#!josId+c@jj1N;4u~_CsOQA+*C#$ZOEq@o=`|sw{;NY!)*IT2G zw-YJP8!Z9T0$-K|UHR)DR{P+77%g-Bcq$2_HQIJb-vayXo)wzenmX1@!* zakY-Y8@RduahLaNqIkBYCuNLLMx!;LD zip_oSbw0pa?zpu}E!<4X|Ki-|IpJzBVx8biWkEU2u^;D0>&vx$&=4b=<&Rg;GkSaU z1-f(e_)wPZ+@k7V*x|3QOI~ldgw4FRAuv(S+tM7M*Eq`o**cZ`}wm0lSnNC3xq-m?CfdqqMVS)4*R++zQ}R@`^51F`RG zIxDYeXG%=Zr9nZ;^Y6l&^uvqha46GD z!%q(EFpXBF%`WV?I#SEvtTmlE{R0jJA{5rd_&gn5Wo0~?E2 zERTqVc=RLJI8$lgw8FR6OZBaHHs{8IL2TOiX{{25NRj4893WgIc~+4aI-cvu@5ldT zlCPVQxeNg&?s~yYL;LD}4cXOEKFPVkm$T1TM@J9qgI)9f(D`QPg7Qk?0_f`89@!rJ z1o1^0;)?jAwm^b~gQH_BtV*b+0N!(6=(7>fYirXtWGLKjM~f0*W$xV1l0OI}#J46y zC9p-g@Qh#W$W=Y3AFV6KkrQ z_?BD2dOoSC7fL&`R$H92vvUrK_@lxv*wWM*sF`hwIjYw>zZc+yr_(eJihLTpq4!%= zv=!|JQ|pyBQUqX66H+)R^g||gqMf?d)_suldv&RvCkyV?S@v>siKVh{bNI6vv>{&TbUs7*cT#o} zeKFz>YyoEq8Rv1cD@7U0%Znj)z$E&6+)!>5SFZkm2SieBh}RFZ%kj{EwmHJ5z_!V- zhC>?~<_B8F*N_Uh$>@0=wkwkSbN{Qc;AspYB;c4-hzH}}Kh;ZL#;6B^Xlp*@BBDwt z9as&C2 zwfBjM-1N0soJ}H}S>4)0VH`|M4&h)o08x|El&qTJ2?q|uK1I$lf@vo!oE>vt>*$XY z&p#IK3dqXynf&Y-HY|A*2HCbp_L=rcI;quCg>+rpllHiGAzp#tP7qltc0XFFEbl=h zS2S-o2k`@@j7)gEuRQQHLoh~$FrYp*x=Ur8D<`s$hH^*t3`D>r5CPP1^-mj4eLW&p z6GRkEZdJ`}g)1<>pg*Rj?W{Y2kd>rYt5^K@;m0sU53Sj-$!@P;9)`&1>S$dOR3i$P z@I5PbK7=(a2u5?T%r(*frk5n(^FPH9MopLDMpi>eev?;SDOEY!xi19_%8Q=1hf$iJ zu>Y~hIqm+75pp^8UC^$;15{O?GP1%DjK|lSRIH3AH;t(?6%P82;l5S)H$T?mD<^iQ z@l9lUZ`KbaLBsx$SE-kLkD@sn2RWCPWHFlAa0T@5v$y-XtBnPgr4-&!euC~ya=G5lrl5C&OCkZq~j{O_uWPJ9m zS-ngm#(8lj1L~y6ehgBaMk5g>{({w_mX=6O2H5w0YG)VR5LL<`hMkWMRQW@f-)?s2 zpoq)S(#gp$Nq2NN9AC}uEs88oNk7Nub@Z34UZwQ-|AcoP#<=(ZxlzeF?SUD)gUn&% zxC$lz?FpE~Koa{0==6noo!{J+I>_f(s$#~2*WF#8wm%^se}ON5A>w=G$(Oe!&gW!_ zYGCooy6eq?Ff3B;)%Kxs`Y?&1;U)h9HS-ks9K1-W^Pm;^@jEBB`)-uEB~5-RvBi2A z60*eFCr-tG=OXSeUCKIAs4+Y>;(J2tB^sTLN>g;wuTev*wptE`Ij^-jZ-fQ&%Ij%rm^{-XU7IHS@i2GITML4~_u+BW9>~c18)xG+)yL&!+ z_!e zWMa!I<9t{2TmT7TFL9bFH!viBM#}TeeB)T5Vj2!mO1UBT7s07@rm{=|K?=SHnqy5L 
zB`KgOHvoU!WdS>tI^K#DG-dRE7%S@NVYIjQkEyzRQH+N;FiIy){dh{PJrOO@)u3z|%1)|h9oEkz3{rZAuP%J6bFcvL~uZk|f{Ck9fzi;-ZRy$*5^_s)j z?`iVojiuXlx9Uts_;fZ|-?tbSIt95#C#UDi&DOOAHKOLm&~%Dt$aSG=qFwB$HsmpZr_k?|Hu&ji>tbE}wA;tK`%CuWsIC_j@ylzkt(ixe z4o4**eN7YkB|8Z->~Y#_%@iEH?%X0?7%y?0-s)V&R(i3MEMV5n5hQ$2BnK{b+ zc3JUBTM1W@c0%?ai(&{Uoj|)pm9QWQT$~>o=S$w+eTryo*K+P*1o@0Z)=_8(^|mbq z$=H@dZjU%|&2bPdN!{J5*HbMW$2*S!1rzz?lem3o&Bm+wkvJJ2+;;=KYT|A1hGPG! zt^MrqIo}=|J|pzEOBF5_Z8b^pXLgf6y5MsF`ko8vq)Z1!l)V)FVs*l znF`0!dWJkMLC$o_m``tnUryi?3E2Em1zO|J1z$uw|M`E(B3t~|VJ>ZD?cou>&g|&J z@I>menVF}V^qzUm)jt+tkm7go;m(4PDll}vU!|G}F`B9vKFUy%y?M%tb#@Xgid2Q97hd__uVDI2&hl00Vri)oM zh#X2p;aICzRckKa1zOtGZG2VxDPr(t{OGmq2)f-|8auPEmUY=Nv7SKwBBQDr zt#YHm8F6SOrKlXI%D3f%9M?Fy5X<|ta(PUom|AJ+|KCsh#-K>Lg?cJ*IHM(Q3YKyn z-6+?LJuv};HbGS5->a*Ms}gbJ^`4(jxw1hVOe9YYy?*J(?PEj`6ao#gl zb=m*OY1avvmqnjjNy0CN{nuv)A&!UELn|dCx;eNN|^=ldDT~7h~k%<4JwT?dkKS*~4}W-qven z;g=4YIIyUx$i-0hcS_dhl0l#MRb;go$79*pAcl#W@>m;VGp1_Qk=B6_>(%e{8OoSj zK_DPs1(yeXm4@|8a?Yvea;<}l=)?f0(CuOQk#x)s(v?0{n`wSpx`=@!UdHO~kEuZp z>^44ethO9>2=n1qPpgi{(gDXmiy!lOt9#S1#O zEZ<;j@i8f+B{73}nY409ZSu9*o>DY_DkwWlsvNzYR3#G0$-uS<+0Si*ae#M@ge>{K z?-O%4EiEb2MsHHkooy0uPYQSYz;*ZF+>>zw_;_76ru(4IOQVqe>&M_0+W!mngI9kK z3+xuxe(_!+verayHoGE0or1>BMJ8Ro4~c9gf7pr{mds1ztJt^&d}G(g9uy9^O8eXi zu>|D=)tUthzb2YGP~u31y~DP65ng^mxLqe>s=Tnuzf_bu{B<{dmGLrS5`e$O$>4u>6KaCHOE+Bn}WZ`>p=3{KT&R(Dtk7*rAwUwm#qRl+d zsBwURFid}4;r+BdI{U}>ncGPkuK)(&s*%zEwh&o0)plyH+#DDb#Ysm!)Ad zpMThSBBg4x8C;B3_$8GDuP`e%msO~#91s&Cfg*Dqk_y6g?g5AV6GN%1%qqkc5-+l3yIhi%h)N(K{F!l#qtS@9v##SLn^thjx zTajhfH{r zVAEDiTJ>xeAzRWFw?14@lVh1Dq%bQmg!Dv}r3f?mqIs(+O(wB~_oztn&Lk<=d1v}c zPoqd0e)4zfe>|OKP+MIPh64mGZp8`i?ryT4B?!K@8<6(LJ9p_F+8$)qmRuzyw0rBg|7uk=lR`lWVngt0# zVTZ|koLWAIJ!)T*;wDVnRm#%S@K_kVJaz@6arg%_6UK8s9lf%+skY->xJhzXJSwl4 zEXYgFAVM8krM%49uCq@zRdPJieQOHSR!$qmjhI9CH7M&*8h7yB1|t);`fH*w1q`e( z`m4aZudQ*4chzX&rol&H&6*LBGNX#SO~wR7I}RM}*H)8;0^k}(c{HGDvsfXa84auq z^l+~F8$di%u+dV$pUw5N=gn@|#wph0rVOaqlw9w##eiGrqIJuT|C{<}IK1aelpI1W 
zG?Vsd-2^`f-g!*lG;MhaQP04lbCbm7=b!nx`Fi)u*U}TzL0XD&H6SNA?#gJ_@s;|eDa!PRHS{UcsKhdwRzubMhbYLs`KDRPH(KMLpZi}~knDG>HA>?! z@fOv)^!sM%jKNaQbI5FS00>p#g;*47loF@y;y};{NR0OGD+9hddk6qK5{`7635p~; zzO0$0g&{&WhNB^T`$PEy+R$&~Y4ho!r#Zu1XT-~ONm>f;&n5p3wQeciq0@afuab5| zU}_M)GP6>BRR1={WN+e`n>ME;z2uRwvt8I~I(pDX*#Zv4FH1(Ol{^OV(?yX=Iiu2F zAmV7)d(jidM`j!B+=B%sM*O&Y+t45+k2Ybm4{GYF$4e2>UM07oW_K8|PvfgGFZVYt z9i~*KaRLJS5cnDewhEMxJgo{k^XSz-V@6}EbA(?t9Q!3(TxRgk+Qh5bURnH%a*A7Y z&W7Xaa9&l?xT7RT<0f%$Cr~EUk;*pK?rL}RAX;Ne z*br5xfc|S<`a)c>WYHwfKE)vqHNiT4jr{Yh^0>L7hr(*temr{@I|De%K^Og%1(@~^ z6ng0pw^(fv@E#YRYlNh3UxRl*B)(bnE|Le2c|XhqK_DE7I{jxZ`+Ks?NOP@}(NDMY zhpyYbNe>%E!b1A*evBnGTZ@*y9oI5)G7tJOnEXghwa#kS2|S0xPLiZb2p5454U|q` zzvn;cvGA)zwt!+qh(p&;chbA>=5$!h@OU%$l9KT$hLocuhg8DSvN*#a!*eOIJ6Rz8 zI#=aL)p(>BRWjo?Zt4MEQ>_dE)d)%Gvi8(VCrnqp$I?j>6W{hhX%&a;5&i}>sbOTp zwu7c<7k*+x3wH<4MuO}xd=h2q*J!KZl)&|k-W3aX6B@efckF>O??UvqsJs3=pc2LKA<+b z(mCLtZtGf@HY{$HxA*rkx#ji1R0sJ0Y*2IV)*)*TI5S)SJ&~?seTbt$CI#2_gRRyV|O@@C{FC@5i>L)%R=s$!IR$7u}@W1$TV+ zOfgE2ae1rpbcDhv?$M_+LYWi;4S=Ju0Xj&EIteYk$F9W{z%|JX|4w1=$Q=q>i|;ed z3UldF^bwChC8&*;to&Gd!_h>_DR4jL-?s-+}NeTeLzce3tuB|;+f{y;pgMAy;7C*?XZkaFUrp6(+KwyJ#Yj07lvFZ1Mz4lYMWff{n0b=f( z+R%?#h?xh0VG-75NAPcAjQuB%7+T`+yTe1RqmUKZeg+elrS459QD$JW|Dp}UO5)On z1W^+sk^ATf)oO+8MmMlH$Q`z}c>HTrK;;!EwDbokE`$+qEW8 za4qAM2uJ(MqUXw#Q{wqbMx9S{DfACRZtOz5Ygem2GcvKt>;N6AKUKt->_XD{ENy0} zB=2S_;ipCV5U8KAa)EHDWLE2%&efU!b=z@E0?66?aTxrp!JLURFxy3zS@nJ=VUEOT z@tZ}YUit>LOj_E_N0`_5boqQE@f&9T->^@z8faUA`ZEB}q>lkWSYTOci7n#^towXQ z8k|oAD)3JNs|dA$S9p1Ah4oQes3Q{}T<3$iwiFEu=hpoSm-D$kF`auW14tyZ`dD`c zpst^MPD7OwqSU!EY_?BZX^7e#UfjV>r8}KupT_FE%i+}~lqv!0u;G>|cli#x3@?GD z{o||Q*1UMpR~Bbt6-+mq9bMPrf@d`aRV1r5;@2U3G%b1lZ-$2y0D7yU0WRKkCo#1p z0LlcH{Jz$CF|+LAFNNSlO99|5eu-kkZKk_azwnqs;rA5(VsBe6bSA>Ky$l6SYFCWo ziJ+MV-{zkE_j1TknhnPV5?fJiM5MPGbE2f{2w!#aW|a2xoFd=^|vetF^UC?lLV z#)uM|<7N1vx|qpf#y(pS2{gUC2!a3hMGZIRr63>3aPz}rZOYkuE8VyOkP?mhV~d}XRdi1RgNAewKZE0jTB zB2nWup7T3d9d^E|jm?t>-)<~|E$Q1tHieBA&{N=O&BAp0SQ2SZ-cG9;NJw`=p4~)c 
-> [!WARNING] -> Enabling Credential Guard on domain controllers is not supported.
-> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. - ->[!NOTE] -> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). - -Applications will break if they require: -- Kerberos DES encryption support -- Kerberos unconstrained delegation -- Extracting the Kerberos TGT -- NTLMv1 - -Applications will prompt & expose credentials to risk if they require: -- Digest authentication -- Credential delegation -- MS-CHAPv2 - -Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. - -### Security considerations - -All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. -Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. -The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. - -> [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
-> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
- -#### Baseline protections - -|Baseline Protections | Description | -|---------------------------------------------|----------------------------------------------------| -| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).

**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | -| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)

**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | - -> [!IMPORTANT] -> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. - -#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 - -| Protections for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation

**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | - -
- -#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 - -> [!IMPORTANT] -> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. - -| Protections for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | - -
- -#### 2017 Additional security qualifications starting with Windows 10, version 1703 - -The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. - -| Protection for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code

**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | - -## Manage Credential Guard - -### Enable Credential Guard -Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). - -#### Turn on Credential Guard by using Group Policy - -You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. - -1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. -2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. -3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. -4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**. - - ![Credential Guard Group Policy setting](images/credguard-gp.png) - -5. Close the Group Policy Management Console. - -To enforce processing of the group policy, you can run ```gpupdate /force```. - -#### Turn on Credential Guard by using the registry - -If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. - -#### Add the virtualization-based security features - -Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. - -If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. 
-You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). -> [!NOTE] -> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. - -  -**Add the virtualization-based security features by using Programs and Features** - -1. Open the Programs and Features control panel. -2. Click **Turn Windows feature on or off**. -3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -4. Select the **Isolated User Mode** check box at the top level of the feature selection. -5. Click **OK**. - -**Add the virtualization-based security features to an offline image by using DISM** - -1. Open an elevated command prompt. -2. Add the Hyper-V Hypervisor by running the following command: - ``` - dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all - ``` -3. Add the Isolated User Mode feature by running the following command: - ``` - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` - -> [!NOTE] -> You can also add these features to an online image by using either DISM or Configuration Manager. - -#### Enable virtualization-based security and Credential Guard - -1. Open Registry Editor. -2. Enable virtualization-based security: - - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. -3. Enable Credential Guard: - - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - - Add a new DWORD value named **LsaCfgFlags**. 
Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. -4. Close Registry Editor. - - -> [!NOTE] -> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. - - -#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool - -You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot -``` - -#### Credential Guard deployment in virtual machines - -Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine. - -Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: - -``` PowerShell -Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true -``` - -Requirements for running Credential Guard in Hyper-V virtual machines -- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. -- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. - -### Remove Credential Guard - -If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). - -1. 
If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). -2. Delete the following registry settings: - - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - - > [!IMPORTANT] - > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. - -3. Delete the Credential Guard EFI variables by using bcdedit. - -**Delete the Credential Guard EFI variables** - -1. From an elevated command prompt, type the following commands: - ``` syntax - - mountvol X: /s - - copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y - - bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" - - bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - - mountvol X: /d - - ``` -2. Restart the PC. -3. Accept the prompt to disable Credential Guard. -4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. - -> [!NOTE] -> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. 
If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS - -For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). - - -#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool - -You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot -``` -  -### Check that Credential Guard is running - -You can use System Information to ensure that Credential Guard is running on a PC. - -1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. -2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. - - Here's an example: - - ![System Information](images/credguard-msinfo32.png) - -You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v3.0.ps1 -Ready -``` - -## Considerations when using Credential Guard - -- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain. -- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. 
- - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 - - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. - - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. - - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. - - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. -- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. -- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. 
You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. -- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. - -- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: - - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". - - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. - - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. 
- -### NTLM & CHAP Considerations - -When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. - -### Kerberos Considerations - -When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. - -## Scenarios not protected by Credential Guard - -Some ways to store credentials are not protected by Credential Guard, including: - -- Software that manages credentials outside of Windows feature protection -- Local accounts and Microsoft Accounts -- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise. -- Key loggers -- Physical attacks -- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization. -- Third-party security packages -- Digest and CredSSP credentials - - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. 
Note that these same credentials are vulnerable to key loggers as well. - -## Additional mitigations - -Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust. - -### Restricting domain users to specific domain-joined devices - -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices with Credential Guard? By deploying authentication policies which restrict them to specific domain-joined device that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. - -#### Kerberos armoring - -Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. - -**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** - -- Users need to be in domains which are running Windows Server 2012 R2 or higher -- All the domain controllers in these domains must be configured to support Kerberos armoring. 
Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Credential Guard which the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. - -#### Protecting domain-joined device secrets - -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user. - -Domain-joined device certificate authentication has the following requirements: -- Devices' accounts are in Windows Server 2012 domain functional level or higher. -- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - - KDC EKU present - - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension -- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. -- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. - -##### Deploying domain-joined device certificates - -To guarantee that certificates with the issuance policy required are only on the devices these users must use, they must be deployed manually on each device. 
The same security procedures used for issuing smart cards to users should be applied to device certificates. - -For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. - -**Creating a new certificate template** - -1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** -2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. -3. Right-click the new template, and then click **Properties**. -4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. -5. Click **Client Authentication**, and then click **Remove**. -6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: - - Name: Kerberos Client Auth - - Object Identifier: 1.3.6.1.5.2.3.4 -7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. -8. Under **Issuance Policies**, click**High Assurance**. -9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. - -Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. - -**Enrolling devices in a certificate** - -Run the following command: -``` syntax -CertReq -EnrollCredGuardCert MachineAuthentication -``` - -> [!NOTE] -> You must restart the device after enrolling the machine authentication certificate. -  -#### How a certificate issuance policy can be used for access control - -Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. 
To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. - -**To see the issuance policies available** - -- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. - From a Windows PowerShell command prompt, run the following command: - - ``` syntax - .\get-IssuancePolicy.ps1 –LinkedToGroup:All - ``` - -**To link a issuance policy to a universal security group** - -- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. - From a Windows PowerShell command prompt, run the following command: - - ``` syntax - .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" - ``` - -#### Restricting user sign on - -So we now have the following: - -- Created a special certificate issuance policy to identify devices which meet the deployment criteria required for the user to be able to sign on -- Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring, so what is left to do is configuring the access check on the domain controllers. This is done with authentication policies. - -Authentication policies have the following requirements: -- User accounts are in a Windows Server 2012 domain functional level or higher. - -**Creating an authentication policy restricting to the specific universal security group** - -1. Open Active Directory Administrative Center. -2. Click **Authentication**, click **New**, and then click **Authentication Policy**. -3. In the **Display name** box, enter a name for this authentication policy. -4. 
Under the **Accounts** heading, click **Add**. -5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. -6. Under the **User Sign On** heading, click the **Edit** button. -7. Click **Add a condition**. -8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. -9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. -10. Click **OK** to close the **Edit Access Control Conditions** box. -11. Click **OK** to create the authentication policy. -12. Close Active Directory Administrative Center. - -> [!NOTE] -> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. - -#### Discovering authentication failures due to authentication policies - -To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. - -To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). - -## Appendix: Scripts - -Here is a list of scripts that are mentioned in this topic. 
- -### Get the available issuance policies on the certificate authority - -Save this script file as get-IssuancePolicy.ps1. - -``` syntax -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$Identity, -$LinkedToGroup -) -####################################### -## Strings definitions ## -####################################### -Data getIP_strings { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targetted. -help2 = Usage: -help3 = The following parameter is mandatory: -help4 = -LinkedToGroup: -help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. -help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. -help8 = The following parameter is optional: -help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. -help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. -help11 = Examples: -errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" -ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". -ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". -ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. 
The group has the following members: -LinkedIPs = The following Issuance Policies are linked to groups: -displayName = displayName : {0} -Name = Name : {0} -dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} - InfoDN = Linked Group DN: {0} -NonLinkedIPs = The following Issuance Policies are NOT linked to groups: -'@ -} -##Import-LocalizedData getIP_strings -import-module ActiveDirectory -####################################### -## Help ## -####################################### -function Display-Help { - "" - $getIP_strings.help1 - "" -$getIP_strings.help2 -"" -$getIP_strings.help3 -" " + $getIP_strings.help4 -" " + $getIP_strings.help5 - " " + $getIP_strings.help6 - " " + $getIP_strings.help7 -"" -$getIP_strings.help8 - " " + $getIP_strings.help9 - "" - $getIP_strings.help10 -"" -"" -$getIP_strings.help11 - " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" - " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" - " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" -"" -} -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -$configNCDN = [String]$root.configurationNamingContext -if ( !($Identity) -and !($LinkedToGroup) ) { -display-Help -break -} -if ($Identity) { - $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * - if ($OIDs -eq $null) { -$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity -write-host $errormsg -ForegroundColor Red - } - foreach ($OID in $OIDs) { - if ($OID."msDS-OIDToGroupLink") { -# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $groupName = $group.Name -# Analyze the group - if ($group.groupCategory -ne "Security") { -$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - } - } - return $OIDs - break -} -if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" - $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*****************************************************" - write-host $getIP_strings.LinkedIPs - write-host "*****************************************************" - write-host "" - if ($LinkedOIDs -ne $null){ - foreach ($OID in $LinkedOIDs) { -# Display basic information about the Issuance Policies - "" - $getIP_strings.displayName -f $OID.displayName - $getIP_strings.Name -f $OID.Name - $getIP_strings.dn -f $OID.distinguishedName -# Get the linked group. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $getIP_strings.InfoName -f $group.Name - $getIP_strings.InfoDN -f $groupDN -# Analyze the group - $OIDName = $OID.displayName - $groupName = $group.Name - if ($group.groupCategory -ne "Security") { - $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - write-host "" - } - }else{ -write-host "There are no issuance policies that are mapped to a group" - } - if ($LinkedToGroup -eq "yes") { - return $LinkedOIDs - break - } -} -if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" - $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*********************************************************" - write-host $getIP_strings.NonLinkedIPs - write-host "*********************************************************" - write-host "" - if ($NonLinkedOIDs -ne $null) { - foreach ($OID in $NonLinkedOIDs) { -# Display basic information about the Issuance Policies -write-host "" -$getIP_strings.displayName -f $OID.displayName -$getIP_strings.Name -f $OID.Name -$getIP_strings.dn -f $OID.distinguishedName -write-host "" - } - }else{ -write-host "There are no issuance policies which are not mapped to groups" - } - if ($LinkedToGroup -eq "no") { - return $NonLinkedOIDs - break - } -} -``` -> [!NOTE] -> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. -  -### Link an issuance policy to a group - -Save the script file as set-IssuancePolicyToGroupLink.ps1. - -``` syntax -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$IssuancePolicyName, -$groupOU, -$groupName -) -####################################### -## Strings definitions ## -####################################### -Data ErrorMsg { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. -help2 = Usage: -help3 = The following parameters are required: -help4 = -IssuancePolicyName: -help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. -help6 = The following parameter is optional: -help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. -help8 = Examples: -help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. -help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. -MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" -NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". -IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} -MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". -confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. 
Do you want to create it? -OUCreationSuccess = Organizational Unit "{0}" successfully created. -OUcreationError = Error: Organizational Unit "{0}" could not be created. -OUFoundSuccess = Organizational Unit "{0}" was successfully found. -multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". -confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? -groupCreationSuccess = Univeral Security group "{0}" successfully created. -groupCreationError = Error: Univeral Security group "{0}" could not be created. -GroupFound = Group "{0}" was successfully found. -confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? -UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. -UnlinkError = Removing the link failed. -UnlinkExit = Exiting without removing the link from the issuance policy to the group. -IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. -ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". -ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". -ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: -ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? -LinkSuccess = The certificate issuance policy was successfully linked to the specified group. -LinkError = The certificate issuance policy could not be linked to the specified group. 
-ExitNoLinkReplacement = Exiting without setting the new link. -'@ -} -# import-localizeddata ErrorMsg -function Display-Help { -"" -write-host $ErrorMsg.help1 -"" -write-host $ErrorMsg.help2 -"" -write-host $ErrorMsg.help3 -write-host "`t" $ErrorMsg.help4 -write-host "`t" $ErrorMsg.help5 -"" -write-host $ErrorMsg.help6 -write-host "`t" $ErrorMsg.help7 -"" -"" -write-host $ErrorMsg.help8 -"" -write-host $ErrorMsg.help9 -".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " -"" -write-host $ErrorMsg.help10 -'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' -"" -} -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in -# the domain the user running this script is a member of. -import-module ActiveDirectory -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -if ( !($IssuancePolicyName) ) { -display-Help -break -} -####################################### -## Find the OID object ## -## (aka Issuance Policy) ## -####################################### -$searchBase = [String]$root.configurationnamingcontext -$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * -if ($OID -eq $null) { -$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($OID.GetType().IsArray) { -$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -else { -$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName -write-host $tmp -ForeGroundColor Green -} -####################################### -## Find the container of the group ## -####################################### -if ($groupOU -eq 
$null) { -# default to the Users container -$groupContainer = $domain.UsersContainer -} -else { -$searchBase = [string]$domain.DistinguishedName -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -if ($groupContainer.count -gt 1) { -$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase -write-host $tmp -ForegroundColor Red -break; -} -elseif ($groupContainer -eq $null) { -$tmp = $ErrorMsg.confirmOUcreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName -if ($?){ -$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU -write-host $tmp -ForegroundColor Green -} -else{ -$tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red -break; -} -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name -write-host $tmp -ForegroundColor Green -} -} -####################################### -## Find the group ## -####################################### -if (($groupName -ne $null) -and ($groupName -ne "")){ -##$searchBase = [String]$groupContainer.DistinguishedName -$searchBase = $groupContainer -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -if ($group -ne $null -and $group.gettype().isarray) { -$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($group -eq $null) { -$tmp = $ErrorMsg.confirmGroupCreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice 
-eq "yes") ) { -new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" -if ($?){ -$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName -write-host $tmp -ForegroundColor Green -}else{ -$tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red -break -} -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.GroupFound -f $group.Name -write-host $tmp -ForegroundColor Green -} -} -else { -##### -## If the group is not specified, we should remove the link if any exists -##### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" -if ($?) 
{ -$tmp = $ErrorMsg.UnlinkSuccess -write-host $tmp -ForeGroundColor Green -}else{ -$tmp = $ErrorMsg.UnlinkError -write-host $tmp -ForeGroundColor Red -} -} -else { -$tmp = $ErrorMsg.UnlinkExit -write-host $tmp -break -} -} -else { -$tmp = $ErrorMsg.IPNotLinked -write-host $tmp -ForeGroundColor Yellow -} -break; -} -####################################### -## Verify that the group is ## -## Universal, Security, and ## -## has no members ## -####################################### -if ($group.GroupScope -ne "Universal") { -$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -if ($group.GroupCategory -ne "Security") { -$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -$members = Get-ADGroupMember -Identity $group -if ($members -ne $null) { -$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} -break; -} -####################################### -## We have verified everything. We ## -## can create the link from the ## -## Issuance Policy to the group. ## -####################################### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName -write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Replace $tmp -if ($?) 
- { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} else { -$tmp = $Errormsg.ExitNoLinkReplacement -write-host $tmp -break -} -} -else { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Add $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} -``` - -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.   ## Related topics diff --git a/windows/keep-secure/images/mva_videos.png b/windows/keep-secure/images/mva_videos.png new file mode 100644 index 0000000000000000000000000000000000000000..52ec8ee035068def0fc0ca14d2c8938cfeb89af9 GIT binary patch literal 140500
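Review bot: the member listing in the removed set-IssuancePolicyToGroupLink.ps1 block, `foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}`, prints the member object's string form followed by a literal `.name` rather than the member's name, because a property access inside a double-quoted string needs a subexpression: `" $($member.name)"` (the equivalent loop in get-IssuancePolicy.ps1 sidesteps this by printing `$member` alone). In the same block the strings `Univeral Security group "{0}" successfully created.` and `Univeral Security group "{0}" could not be created.` misspell Universal, and the note `If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.` never says what to replace it with, so a reader cannot act on it. Since this hunk only deletes these lines, carry those fixes to wherever the two scripts are relocated.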
zcBYutN@hnKGvz4nA}rl!uuUFvB(#?u#kVP8$x zo&H)pXCG=|Bv{(^EI1o9k2c6=Uo5eBOf35#5or^}QSAuY8qG�@ixGbl2 zhQo&R$Z>aEa8fx?x?)!f?7_5{zv8YyB6AK@Z@Py(>fRzqHq<2UuRu)x!J-fYe;q|= z1Jbnm64`r(jesg15&_-AEjtfsEj^)~%YSxc`F0fUzkd#KS+3|;KCkn*9q)hb%QyRm)no$6wgUEmr6H*V_+2 zUi)kD)h^?S-@r{^tRsLE+RbZOncXK7;r>p19oN@~cNSaiTs;sEf(vJi1cEL*^=_W; zjd}M?bTy+^M9i)=nRDcwRo?SM-Z{u|u(nnwzrW@tdlHfuMWg zVphOT*V6!|R618Yqa%^wav5RLur0|6?Si%$;jw1 zg5)M|r&YWCc=#@fL)uEd1W=6;e3Q=@xa!Ngy%{#!$u<=p#6tbNR0)~l)&>{f4~D&$ zhhazb>kBUSVqA65&URi|7-ektbe45wUc-rlW{XAp{_7tLHa0rC%F)4e%NI5uMInaK ztDeAcE)7kMcp`niZ`$Gj6XKSqS zUe9H?F{+TGh1p}l%d%_hM<;~TmS4bSEgd!0+xtS^`)QZ0W7uN%(b#_fWarbsD$e?B z?tQW5#|UNKYx;%3P2Ohv&P~hfa(nJo7+3fG?8j?sZxo2@{U3_~qrD|{RN8;g!1c^mGE?duR6-@|8j0BLD$hdG^{ z^n5qE2M;-&5A(I_nN8aQ7o83tMWbgLwKh~Kfj1NCoXx{EuLBIkk8hS*p!nC_yNQE{ zKPxMHvW8x#Ikl@#Bbpss$CWj;bhZ%zN9Ih&ci4hAtxT#Lu$S^Qg24mz3yM&*r}0Ao zGhl2L8ibnqdLHcx6e5h<{1V;!Su=9STRBs}@(;uJz5p%g!Oyd;`E6n~*X=BR`yGae zp+OKH35DvczWbUYo7WPL=x{pxhO#E3X|S}p?_Q2TEJ`U~I>Y=Qi#>AipFx7eN2CS1 z2$pME!P-R-JD>V{932yH)xp~*^^BmdF9aYFDu7A4F`H`JS@ilDe03{hn?-d^Lu+WO zd#QLbSc5%PO}*_XwMKlNliO?zm&duj-de*vPX&X(?Pc#S-AOFl;3C!M+3ZNL5N6Xi zh7!b1WOPtb0U>ptrlJv84$id4WlG>;#wREtlS7jz=1itSG#G?l=Wap{FEjXc6EW%Q z0Is|Dv8s561${XubL>oi7p=@9nM~v}Hb*PQ;wU0`c!4m3G8hIK@RzzKRe^e@5L#wM zMYd~1rt1XBJ}#~pPHA=pX`7lV77c*XygsGiVUUgV!RKt9Z@!N8zuirT0q;+fOU?Er z)&u?9B%^Zb^DsyRr*3Vl%}gvy!7s>2Tnm-4cP|dD`$K*YD|fM+O4f3LS}2*@AYfJ- z6>B3^ZB?~~COui46gnue>7;1bLLZxr?Q|`Uu=I{MTG8)%8CmFB%REzF_%Xi6Z{GC3lT@O%u2o%AQl zRfp*H0;C(2hPjI1!B!N#0BO{b7kXWviKQ_Z|+9ogM>1(WNvi&=ecM1}>O4&ndhOAL-6|sfxGxpD3H@B7b&_+z`(TZo z?K8RlaCc~Fa9wdWsIe_Z{EXu?LDoqaT@JWgQ|xc`{5$XSspYU@g?(t*js5bEMcQw* z2--$i2ICQCG`^$j z8e6{a80J0}dh!HyEVuwNT+4FygQ{5trfU;FSHe@XpRIC`)e47&mS?)!>m4t-;m_*^ zEvaV#cCDf?xcjZ7qPF;(*Y2#Dk0jLQ9yWr;852@{p3QS6p;2u?0-~7(6-dMN2W9A< zl5pNk4Bd&RkU|r+iJ8~8{{6eCVA*p?MB>)7)ky`vtK~4U)F)pDq(s>6kRgqdx=N3x zuDSOWm3M%aiD*3H@}IMBXNKSj^MMp|W1twZ%#l{HSTy zH6b9)XiXS3Fco4&Bfe{tiHahGsnGnSUkyjD?Rq23V}(Y*6GwB@$Zjmd{Scc(KRU;_hS+D 
z>i6frb`v+f;u+wsmsRkCw*%j#;)rx;%hoR#>Y;>LOCG2LUOP>t6!!KJAV{%_jPGka z4EXS3!v2q^bMUJ4{rd3fWS?wKO}5=M*|s@ZldZ{~Y&X@(c9X5i_GDYX-u15e{tMUI z_w(HN>}x|(*RJwfl+Ln0l=!^~b-BIP<#_a{@UG2sa1lQzzB|sYx$&=_-G1u*Dm?Z% zaX*OUYRrXVwxU|wt zPaf}IU8KkHkL$~H=dwVFT-|&{ONVyH_C=s1&#zKIVD4X>QDK~S-jj&Fop^+_`jTPy60>s^7F`>lV>I zRNGF!Y?0a7w2^b};t7jNjEls@33D7Yd@+?Lae%##jnkCr@w6R;O2X&1u{{C4=30BI z3mPmVpG51?Mg&Yas;P~|u}3C5_meHt%yrHh{KiZO!V!gol|Xj(tkEww0CIRiMK1j+ z26jM3M6htA@9NN2-|DFJQxrM~SbbsPKp8+**RLX!4(<}&hSFj*&9xE3ODyvMiYWk5 zuJ-Pv*Z;974o>f*r08q4`cd$aryG6dzb0P*aifU2CbR*9Re9A+i?#(sy=SaaI^5{;sHLmI4CI!4wPEJZB92;?gqr!sJzj*y!BV)*OaeTU}!-KOdJ4=Gt{m{drI5 z9SIQ%vhj{HDQIb#6zO#YHokwxSJ|R$m>Xddg2I4A6P2pYo@k)++NP8@OBqcfrAB<- z$(@(4FEX~n7O}@9`fe6G_=aP$}E?Ji*Uyrx&3|V z_UvgXp6~qShne_*ew6`sk<8Er>awA=Nz2>h`D%Zs3p;5%%~fq86FT0(%W{6t1cOlf zU~0vj6(3CXAJ*%pRR{)mN-7J?7i?b(**j%q^aRzX7`58c2Lkt>59XEqI+h z1a;)Z4PK8>yY5K1Oz}A6c4!wE+fI!KI8gp9V)e&t$Vd3=^Uy}rlB7oEt15{0U~$`0 zg;n7)ZBNoQ4E|%Gz}Sy~+*61of80r0i&*^jK%rQ<>%GPH>xFbc3d**o%;-~qGaC1{ zRN4xwwasj zUu<8xDT^bI9jgCGW?*Jca7>`*GwE`II_n$ zcVts|RWdc6D3wrVdiMt^#T+}zxXC&fKwg^)IuXcN0R-|-ou)%L!o4WCQcC}0=Ynx5 zOeQC#mjMUZWbUoquzXB5C13X*l!JkqWq8iYXR;Xzh;^E7)G1y`A6=IT6pQag3<_+ z{FPtfA+c{RS4uCCUbekfTH%22Uo+eD*Jyy3w>hdd2$b^ojv>t|EC}pxyPCT=stiiS zf8oUqZ8s6FNGDBo-BpGa%8DN5dHY~aWnrJP#^y45TWOJ^LNh8WrMolzGfx{w+81bQ z^Ud^7f9=`Sb+%6b88so{>Q>ZF$UAfM-!RHV|I+I;#G>D2KQxenFfMz7pg=-iEs9g zb1&Y$%Az6ekMs?B^qpTxzGbIK(pst9yM|5i-To?bp#EFXp ztND94e*^?tR?uZLdIuI669RdWRQ6L|otQ%fv?}^{Z~*E=%dmS?+De1T{h^neIgGmc zJWRp#%f}tBkn_vpbS-_|*q__rxFt^O!H+n+d$r1Lqz<;5ok3>SAvy18v;rQ~@uF01 zg$p(S87*iy%F!Pw^^>h$s*nk5%lTB^upwZAXMyyO0{3-&+qsXsNnlhp4$n85cU5IO(sk)ChsGD^CC3iWIxW%+7a)s9qV$Lig6Y4&Q?VEpqY50l&!=L`me+-?-GHHV>_K? 
z)`j!2JFhHtx=B{r+KM4Gq7Y|}oPR9TcFe1l?kt+<$Ih2KqfuLz*2lJBW7m8pU%eDo z)=qED4?IIr1lyV0xEIbBi(Mxm986A4`KJRQf@W*ONuAiwvh5l~jBe`>anSSp1EaUo z#G-5aca4lJcC1P)h>LHL`>5R^F|vsXVPFsev&H})YD0bk{p&AgId6u4vE^&j04zAv z+c74JIX_acfEn!TGO*&m>eJC}-~fNv?by?~X%J$}wBo*qI831LUV$|~u|1FjSEieT z!;F_mCnsHVyx%aAllRp%V&%%<`4)~{kB1A>qjbR7Xv+h5g&!g4PtW%Y1xkL;^F9ZH zMx)!ASyAPeAbQ7HkhXCBP%0UsQVH=t7HB|=G2tlL;GZmb=E9_d)%FK54dXpEudy5l zg5h3rr{a9B<5{o40!?d=-vo#k62o1T?G?C~GM}601Y79MrQ9LoQU{FP!>L`kedzD-ixgu^)ZeUyqy+HR18aj8j)w=7lzlZaDj6yrDowd z^nh;%08MbNM0%3KQq8~x5}fbn3ij)Fb+EOyMC62NUx{=Y1dd_R!l?0nc{|ZU-ChQo z{On*!{4GMI+3Qs|1Btzvn0?$W^GWXq8)2DI#BJ|AR`RK$=I){#k6(eXgqk#_EEF+0 zIfEn#mSbk0jW}B6R&kW_LY!8wt7Z}^OZq<+O!ul0_6{QJeD2Dft1S;1E}fMm5HX@2>V6wcHCiX@}Tm=B$Z$ z1(@?7;h2FKE-u@(9D~J=Z8!%$1BpgbmZ7byc}_!v^8~Jy z6&Jo7@EG+tjW`Di^fv~PPYnv3xuQU=ySp9CvSb~$@TFU;G)yAag2Hl=NEe|g|HIm- zOUod^D))?Bibpo3L2BkNS@AY})m9zpK7l1iyOB`Cd#7hR=h_#S46P6)^`_JrRrZ7h zAng6d4+AwiQNxx-_KCJuIyzOn+(tE0pJ=x1AB&wj!_P^8^~vAe<1aSP6?J#2iApM5 z1zXK4$Bo+kM@IxWA_j*>yJ-HMJNbjqMzb99J6cnmBYr%hGdi)hvntWRSsO zToh2`>@c!FK07C058Tzg-01P0^L>AK$otyy$TO-|zDbqYasM#l&Riy^k1~)rZTj0E zek(U0xocHWDaH(6X-wi(o=d}(VGrR=-pB-x<1d5$@6M3q2t`@eDR23>`}h1>&OxII z-*E_V8BDw{=8X7n#P7(U-w9fdK&M4-F;WOTY8TcZ1CQOfRVXoal=%~(_ud0mm0b_I zo8><$`AD+_CH~vY1sw?`)Jj7u@8oALd#7)Q^KlCQSg=A#rQ9Bi!u!FPA>q^cMclHE zeDX=}93AdDqQuIKf}qIF)=;;GAL5HZVb%)prv)A-yt5cnE0cRumzjl!#RcIjN(0IA z0j`Oy8MDT1e{mk?ThfSh zaIkUAuaVHeO|>$gqjM1&;S7mX=cq?LvnIT&R)$M8%vZ2+IJrVUkCv64jo&!$e+osl zTWk2ZGAga9tYm;gx&DbuR%cM5C`FyX6N)!vWR}!pMBuGjSZz%8q1QK>z zCdu(n!TpI?{#9J;T?&bl9Qb%N>;XyMi$VBf1dGBNo9Q15?p+||s`_4lZ$y4a#4y#A z^v|yzDxHLHWP5&=g}yZFS>CQ!aU@sL@R7 zh{){M8#_J&o|>_k!Gg=flJoH>%XEA|7+fk^EKkL>i$E)8|)4-h)~sIeD=rJ>I&HDA}>+-rxBCtd(oqy>GQG)n?|tzQr5oSJlh7 zF}v=EjRUsVPPjp(_u`2FqWn0Vbd#+r`UFxS7D^jFrvP)ZyP!{i|dUvBDD9A+sx?lfqcx4-p~h;8bL?!MY;`n1ty1Cum$9D7UTV^)0{Uc0Q|3*mVlE6>Y4ya5vR6uUMvd z#9QE{t%CZ2TtI#QKbK$TzI`i~s!BRvYq51^)}$P1W0RY!u(!bmC!26z{Qackc4BjT z0MK1ycbUZ{hhNgDj7;Aj9`4gz@{OPY<{%;_Gr}J0z0Mm{vHtfTfqvF|pv=@4z@z@H 
zCS(F&_(H-(b|R(;tz-o;J1IXw0Jn~6_5?b+<<{JH)K7g&VEj5I`I7%=Goyk-}~_rfYD91@W`er>V`1Xrk7ir{Yq%+>XDryrjOkM=A0C=-{3ho(bE$cI7x4% z9nD`jmjApn{Y`Vh1(uX;$&}r}g$)m7ptr}nYvJsB>eBoKXL6i()=Mrf8G8P;(-b7g z;I0~mG!YVyf^9ZO3!jNTR^qsv?llD3zhY>`jBe$_L8Gzy2aDQ0mRtH8ed$rWQ8CJ7 zoFaNaJ*1i62%G?4GRNIEoz1Y+b7?)cBGUsW1nKvq$JRz?Wsb45!hdU|PllMB2M!hZ zH7snru;N*(@;F>%vm>hv6Cj}-imbR;noK(m1s!nHYw4Fw@{g+? zLdYJP)C4ij*~C-`k&nLeTwL@Cm(~1BxyUB>YX^(1>Z4Hj)tDCMRogVrTCHfG zeLnChVqJ-?&SIwv3s)-MNCfLBn?Y4CDDF=Ngm7XSKa=)nI+{^@LuJ1Ie0LF~xWR#jMQCf0ehr{>WGp2yST5DL_o9Na~+`>qVXGWNi@*Km7?XbiX zMVS7>Ik9vEGxo&>hz5d(DB#8wlz5kUIMqo@QWY zb;nq6#8_sJs~ZZ&8(ftP9C~;rkbm?>%ePe=56^=m*Yv$u@uS5*9q5|ZMtw73hgm_I zpSMwCV6Z#9e?G~r!3OvgIgQ%j*(gE`;gVyTiT z2+kZ)7ss1(5vb6Gk0+@oBO}a|;OPbJ!}ts3iLy($h&I`iEu%fpa-g&Hv$>qO*vm zwOLet!hDP6)Eq$&hAZntDvm{~mz#~iJ^b_C$=cju{jpVG%ygUWB7}}8=U=IuFxEtz zV*1g$kL#k!GAmYm&N*tg@rhFz9HHYwq2|-dPXxWw4o==4W_CuLbP>0=bC2WEEew1| z#lHwf*O6!k?DlRk<%=Ytd4gx1aEc9(TD4VA-Ra0?%C0-~)LfBcS*t;1d)XG<4e9U$ycfe$JzLQ%bRvfhbFm{gFikK0b?< zZWa*ZPfwRJ*?v9eZ+BuOkD)r1@6$xZCt-KpQJo`nq~xl%7xip+?FXki#Ju&-JwX!M zW-EN|J$y2YSU(2eNj_Y2-KZdpWpo*c1g&c%N#NN|PYJCBHK?9}12MbH`I?o)oJWp6Ge^mqDzLl1B+_$W? 
zCr)%6WY>i*m#c$sbxfi;_szFSJojuB-m?WFW&GiSh`3!zymt$7I^N^iNR7LnT6#6h zW9zHg|FJN)oH(bVMGK#Ea@5{nA%x4JBv?i89R^yny@B1{hp2=u|B|%d$38hDZr-K1 zi3hNaLXpFZhUSp2rmfDiAsGgJFVD@jzyx%4wQz+%D!N$PdRp?Kb(3xU%+N~kJ!cMG zC#_#WP9Fl>GC|=klH-T-W<?+?Mk@z8te6Ok z*^(OOEbubiSi7qUMDKhn*(}TYPS7k!ib6FG`7y=u`4g-+X8!%w3>hQFH!Mat#XNc( zNwGd=t903aESB+bCRVTrE)vOfixgflQ?PH^PJ)hDx*zA6%;?x{69F>1)oEPzn{81~R>XjIZ`AMQ)Lcc?bo!>stTsqng8}QzuK6t9A)Ousz{HT3uD4hN z@4eC1_nVHYnE&<{l+VLLFJs{<2f~{@kg!$FFGJi+MNw0~qCim47Uw{XtVnuTERZA` zzG@IAUBDhy}AatNb@?!8_%|_cW z7x|o=OBy0$quM$cbdG`M`82Iz8~$n`C>>}Sk|vU6+#X5unLRQg)E>b_BB(Q;4&1qAec4vqpbgU4I?Hmh@llRTZ{wIk316XB zmZnH_(Ic8cCv;Xf(ayXYPB4X$AQnzoye5hwB9(@vSa?__^4huXHJ-(KWo3o0S4w?1 z7ykG50T0rv{F%UAFXV)OsFh|k&+s?}?E0Sv^kh0~$xJ94UipG}% zJ3m!zM5XG|+VJbJWTK;uS`-NYNE#F{4Lv6ozLsti{31$LCb!AxsP3{@GzR%@^$I)mCE>QiBy2!KFnUz=u5QNyqykE2kwsu*f3QRmqgJ(I*MK1kQEOLV z0w#(c4CSc%|A!&bdbuNYj{p4oeEt_!`_b-_wPd@^>wSa;6Ba{F9{Rn9%>96*gWnh)r1 zo>O)#9971FW@UpzqhhsmWIm;Ej+g8HMmD9$NbPFk%3lB~{lhyMhgYa7Rkpo|4ya~C zpbUnZ@~{Joi6#}2OFZMU{Hu$Iw9~u0M*@4#$J46dt`|gSU-s0jwD%^z=NX)?o9G_b z>|!FQ7{K@VM4B|IA!@sZOjB&->J>+5YhFHQ(SzRds^$Ca4X=ryl1+>Cr=}7G+Z0N+ z>WIEbD8C~N#HUg2CJ8WnunYcE!fyP3M69nT_5wd3?ox10L+Osve;m3 z(*XLq+vXlEjAC|iiSAOg4hffkEXb|d$q>nixY|0B>S;nSPhG8Pq#9wrn&U=)E|Je} zKU$Wxwg$T}_U2l$&`)lnUA9)mhvEEYAF?VGG~JOtPC~y4RlIRcJeO~0l7x-BFz|3Q6OryAa&7T+K7-%iHr zZ4%_fKe3wOhpVre9}Q6_IL0z2iSd)9v5nKX*ZP;nwP6IPLR z*c4#NKdjj|X9dPq=D_$8BqFvFaf8Ceyud#%tcou+g41Ec4 z^|IcX*U5<_e_TE2a=Kf6Tw1ytpKN&?!lvh{hP${%* z*+e4nHgt$MNYn-=+B1(?(Em6Qy&&MSaWt~OKe2HBGBH4!!fM0{dpA)_Gg#1*m~&M) zHz$xmpyTFqybhjbmfI z)@u9PTGw(PBio(n!AbODX#^Td0BD6&%cmAqF|Bx?sOuKe`qRT>&iho_?2fzzS$vGl z6#T9hn4Y8>WOp0$ZRNW{)2x^^Z%A}q}Y4Zhke zo)*n*=8^)3+Ey!W!u**CtG{5&e@Ya+V%k@Zv%4TeziCkYVFr@&bAq6J4BX!pacIW! 
z)B?0qlY=BD2?hA(Be@1DHGluP-)>jMH0P_)i-_a^0697w5G+aH~-l$wCwOgPJMVFFBb(q!$n8;lST1gQ$W zS;-oY+uO_U7w>E{Yn=It6AUysCnHT8Rhqf-YV;tEG<-mkwKb`1@H@frcw)KO0o{n} zalci~v)EXG`rqNbpkX6!!Z5r)VH$&Z?cK;O(#XM%uw;5dayv@B&w5H5YgIphsZab- zRROLglfQ^j{0SiEv{SSpDU!iv3Gv?rCwL(X9ZNtZ5P)+;6LZrDDE>?Mlq&jLxtd|w z`M-!b6Kp#ts}+?;p7YxDDBlZ44b$9?Bkw^8#u#9|$i&{d+>#(O8M&{fSOLRzxt0hRC79araN z_b+E=!k%)J%2nqRJZwN3g-F^dp@8S+!p7s(8B#@6Z>NBl0>9_2{p&szvG;CN%_GzM zNUQ~hr1r(`v7rT^JknuM!~W^RlLXn(GI4$vfy4KY#hZZ;dm8{@v#Vq05q)c6;}Sd` zjd3V9TLpk>wk9}K|<6@$QE>Y+S6}mFg0}v3*OESnY17y2$;GmsH#h(4A z<=%cewDr*iXEiI45*F&l0kBdY2h^j>9lLGFc5VWi{;|l{Dv+&A{D})lg`>pHN)f}R znwF(Hy>0t=a<8sSqKIFi7=*@y%2!2LlfMo-N#Dz>7iSZhiAdB(RTUXC1sj@@evX7Q zw55t^bIe2?)E0vhf#boCPT@W6nTW9w6Qu~gmvtH%M_nJ2#^mbrqMW83#tc@LQ!~hl zoTHkH01Jq|&1fn>t6(&$VQqaW@=`B1uYN3(nz*&$@I>%QS-LAe6I*{T_RBrIL~S%x zft+K4#r6r1Nm30dtR-@p}*!r3?fDNI8FPs%!5h%&n%d=2_Z_|^G|MKPeoh{({^ay|(n zyDc+-M$|Ubsb61r%d3eXhcj6Vy$+62zw;`IrEm)oAWo*Z<-(=wW(TB-$-xv^QqDCT-!3qlo|FkHVZe}BZ;@ZIeRC3zfK z=zLW9h%hsCU3Rw#K0F9{?WaJhp#_q%24IQ8;7WAM{8O*|v#KL>f=3A&#Wyx*;cG-PBu-T1wcOnSU# z_-^ZUU3YT5{|@ziDY5r@bAIl6JDaqxNE$qAdFPpIJ-nd*?xmz2g<{|`cmL{eKlyI= zDkOLxV#E4zP4IkV@Ydo(C2w$h>Gz71U-gb;wV?E~Vc5>+j)4GR@OqWy_=gf`itca2 z0n7yj`x~whT?XnHIa_qShN1(Mge^aFt$RPDZ9twso2+WD_-@G0 zST$@nb=~51-5ob|e1xm(ojnhh394R(NwnM_Q8!!%7q-Zv{{FY`)X5R_^L_pEHoE_| zJ83Y9_Ht_=RNdL>dkj|aTk-1>u!N}jI3k9p`NPxc@ELwB^>b2LboeCbX1UdUBL9n% z4`B%WyI*b2nusd(ceSQe)DH+W!7@<Oaf-rEr=F$iFqxTqcbwp`Hzk zI)evS+Q^Il!-B1IyP5%QPfOo&$qKPo4=#V}DYcgG6J<1!Tifg2-cs$@6}?KWK$@(- z7TjS}?XanFRO39pN!YNhQ*J{Hd6A6I-3c`L1fuiNjaJW8gai99&i;XR)>)?y?2aTd zF5=He?v>@mb>bM$YsA5l>9doM0B^0J2i`q^3iqYMET zB_t2eS+*H+u6ECF2dfS|?RN))uJ;;emQ4q4;z2^*8_xz;CtPdZqYZ<^&Cf3O+%Mr( zJ+SXL_KDxo%$_Ig`ELS*UXR|rpBbnf`IkKBtk>z$-kw+99>#usX%n~xf2dYoH=YNo z-bdsV+K;A)Hd+%YDIFEv*Zq{$I+elWI3F}Tbp0jpv zCU6RrCg6DdjaJU?CbBo)E=isT8=Ngn@RIg6QGGv#GF&D!5qF#o4StveLCp7>D-FwH z!4%k`jENTWM$L(c(-ttKYt|CZ9h?Ncq|%5PK}hke{vrn=(3r^oVhz(T2C{O(nR4=%!#mcpXZOBRbi5Q9K+L{IVH#6yjy`I3^Qe*AEWu`_MzYIk|E 
zblY~$<2n~lm-9ZRGePM0_vY`3St#oGjRi0G=e4o|>rApt`iU&>T1e0Q!^5YN%C@)G z$Cf=dDw2;jtRlw*r^4-|{t$UO0iUZ~Q+}8*X*uV*td^yT9SayJN#ubGYmS?7_>Z9M zf0@R}i4498qoA{&Fc8eRP@5*9-Jqia+C357NeRPxz zNY-J|FpFM~BWer8`Vm{RIZwQYl8wuzzfu@i{U!?_o5kQ{`HuE2>gBWjGb#n}g^Db~ z5uLvmZ^Qr?{kHQyggr6bfhMTk;S%#RceFa@7(!P=^KuL0E^T_c1{&nzFd>$NG&G;> zD#j`lrwUhBHFb{M%q>=)QS^DbWZ06$@*2M0nER5u{We8VHB}bypvwlKOinI&h#pR+4rUvi#M#Nx=Q^$5PFnAD z;-~O0O5!nJvui^1?|PaN%0DEXO04pjk+J__@B*&l_ufcbI-}KL8*Y5ts(L?kY3dlp zHx^%r9sLE-bXDAg!^3fE<}wtHTK;S1Y+beaCh&l?ir@`Uy6c{lxLZ-Il!9|0x!|PcnV7e$v9peiepH0{!)6=VaW-S)cm7+pE29-E z_~YA~c5R)}TO;D}?Y*bND|w{`*cf=azbyXIy>eec3S7C`JR+tYGtCT&>$ZXYWIH** z*#A|b+vFb$U^fV3{*Y4*$ff=@)X)?5;v|HEYe-Azs6OoA7XmnPPF(K5YFPcwTa4E# zd%5t`t%LYP9TM3YD$t~pm6Wz5HOJnbKvh3%SuU6?Tu{=X6e%tabXuncIR0%}`bQ9w z9Q{i-)_RUoGQKW8UyyP{v25bgC|M zJR>emno-McMgw>P&ns88d9QJ#oNov<)i0hmF!>EI5F8(T-jPaZ1m(?I-tuLAjFG`d z;p@;!ghzw<#{%qvDdx|UHtZ_(HO%6tND}NUA4E>-5e&lT4b6 z<~NU;k35`={}$)pncOf%!}3{j|AUSjD?<=EZVxbX{iF1S=5um50KKPq=p#v1l9I82%s;$%2mzi=rgi+F5E$Y!H@p zJOY%@%BcP8mWIJ>1~gtzVK8pD_E*`>ED_Z$9w@_s-;4C2X<}hN|Mc}`*7N4Pj2)bL zxaZL~GR_{L|6`$lU3ReUfb7pMj13Vr?LT&MLWd2c55T0hm16(U9#r{E%VfJf?oDMt zqy<7yN1N};x7GDHY^|D?&n>O<`aMK^#ox?(Cb6WnH9?AtR!fMk1$N`h$jVQJibnk4 z*kphN=Df)GQ-G$6X!3B@$?L_C-y|y^i)Y{)D83DWY`pb681Mr3!Z!=tRJ?IhmneB# zfzZqYntIYSV3r-@8M_ikLM;>dES@&kw?K~M=y7omE$pRl$~ObN8GYYo-D_s;`W-Q8 zSXRy(p4mdolIr1-j6_Gpl*Y!t2aru(Q%GqZFQw^Mt#!uXSkff{wN!Y9U6g((dYl4+ zb4N%iR8)t=RA&FNIL?PZW1@U-c^std>b9)Q*f=VtZcv zIdwufb#-yPO{9a&o7s>@h1O65(V!5{$LqjyruML@;5G`)zKfh!rJ~SqRl);yE`!73 zmoz`_rj-GKEaLqs?6d;TF3SuBG6hr%{Ey3aRAj8e;xsITC@ZJQWUK>l;RVwUtZ6^Z zXo7`LcEyq{63KHmDL&~ zwsCHjs4HdZLM*e`#$TWuPYs*`tJD8XP;Q;)w@gm}_4bh3x`o@MM+ne;w4bfdtN)^o zNDNkz{fx20=}{sS^N$4;l2#zn?u=Jp!+wpIp~PJaUxN>cssprsH_o%HmORH*??6ME z-csX=Aghfmsw8!=8wV)wIR9wu*>INz%jY$Q&)_xzXXE><3(0%QWI-4dLSSw@VQ3q} z8ACOtc&+HbVne_~zk&D0U3ayjKOC?Kv@?C7HR*`}q;NdR{fN-jB7`9RvbM(CvNmWs z_qcynTecw6JA}}QkCwq|DihnZ@gR4?Qa;h%54YkYN%3T?0h}7_kE3>d|#5F 
za`Sy&Oq(s4pC|s%W4(BYQsl?!*rYCLANw=IGjeP=+dR~-czNB^3qC!dh-Oh+ZMba= zd!6}^5*Re^?GwzdCmsA_Vb|_DuX(!Puib0<#XXY|Q~}Ybjc|?FbX=l)JI^Oinq@qYttbh!&1?DGqDc5WUAPUw5i8VZ27Z$oerXmCjQl|i4PxyVTBi4@WcBG$dEfB;~MLdY6RH9lnEwuKW|yqkI`F7?C&= zl~uMjgsW{99>vx_RyZ9YM2z_m(j40%<9jswxys(6% znA8iwF8YOGb}Ro8F;**j96p!1IrqG`W|2af*)?!jH2}fF><_U$(q5%66{`g$rr9Cy zK{FP0;ZNoK3x$GI+9AZw%z6y3Fw{n z4^s@|pDdteyvnCXoJntxry$nU)73f&%F+~2ovGJ$vh=X?bu==vG_v#kA~}rYFH+XL zcFM$9_5HbnTOF*vY9}EDWm7l&jle&FBANF8mWR9YkPT~%x--}uD79FS1nnEpH=z z4}UK)o}a5%4T@?oTOrL>kmfE#XkyX^auG5XbkNr_w8{Vk0C9OnEJ^Yfci zf@!vgS%`ZMSwF1n9clUej3v$bNO5z|Znv{BDcLlQO@{EWg@d~pi-!QqKVMts%l&NL z3UWd=ybrwIci1+3H`izTQ$OBq=E;NX^DSN{%wjnEK>epoK92-?{y6;ac#XK^mWJOb zvz9(KBo>0vI(?N}7%ajSP_>wqd1?RFh*%@A!f@6yh;pd5CrM%TeR+kCYl#oedApqcLG0lUk6b;<5FF64O44Smf&4`|=o?BIInv;DxgW_xJtw1gB9{1P zC+tjNsKzyUnUp<>QI?2FTN^>&r!fb9Vk8(@C{byI#^j1KH@-kyPC{Z{2h#BEo;&$? z9P|+DV^(6MMSL<+dDZ;Bk>9#}G2Bc)=h+BQLY?d>b4^u|IE0*iV+R=I0> z{S14IF(p)U)@*cie)G_EEj{i~YW|AU(<>)AHC9s5{Bkpxgvc4%e-lA7>%PKDQ^&)k zObay%>od87Ci5XvqbfvqN)Lqk>#+Z4nd9Yub%6$r@I~#^OCS$Q^!Gtd>z=G=@(^pC zFwb&Y`%c#T`4O4>VB6d5Y__M1!ci&VuoHXY1&2brO>u^%$trbNkM^1Cf#4%k4gqBQ znM>7b+Z5Ig8me1z>+~s;*L1*~kDK3fk3C^1iSHanC2#vkB64~K(^%=k+sCvK{~8&3!4usk7L%Wn)oAI^p6Pc7$9?F@Rxy8$0cL-*>PkE^W&mscEfMn`1>Fp;^00Y( zP%-9&kO-$;KicnaUYG<+=9s*GZ)`+ z`|md*mRf0lgb%Cn{BWw!^(N{!WbUj+mZlSJi**C{fQLRp%u@u%kBM)lTH z56T$&NrR5s?}m=y44N9#`YJ5^k_{bV7rOwW;}PY?(yql4Dle-N_3Y%N44IoCzCe?lD2kWG%da4-k#0w9!NWn>IPFJ@`)&gAHW{T4r9S%JiV)v0T!&PlsLUD|m82Li3ejg4PXPWzSp*UlWdv9w zV)g!h8Cz;Fvecsa6&)+-@fc&2F5>(1JP)UNP$dmd%dr2~zq*L)b~ALqP+6M8g1S^e z7rZZ#Uy9nwK8q27Tc}^!2pVc=>+#?3(4l3QHIe}r`rPZ?cbxjYFEX|7J^LNJR(bpt z)a+7}#yS=72Q#+6c6skUEDb6`uzmxIOD0T&4}LtjRPy_f93M z1U=_`?ggqXTyCM6viW=wIxiZkKwp-DKMlh$%+2eQ3!1YetLaTwpXS%@I}Ss$AInHO zY`qE|78LyE(F*~jiFG)Qoey#k0V{2>f-ea>v02{hk@|2;-#`3A|L@m&t-xt$0+_C{ zM$uaK1EOYlHhAcfVFL1>V>VtA1cFE_8Yygdkcg(Z}lFSKzcayBI;% zV`&BCJlzcF=(jjLf4J>GI;0DPnhqH3efIc;^T;A*2V-)w0qrMdO#F|FQU$l=e!CL- 
z4;|N#02!NbHF}61&94+IrxQV_{CAg3y#yat@1;bGPRBt#;A7*8!9#(N%g#r_A|^_Z z6$zQEJwtk7a!@PfL@f|NHkAW<;~7?_4B|n7x4Xhe(m$HR#7wF#oq4btsF=>Rps(DE z#Q~9vNdBZ}r*MQCvm`v#tYhYbq&=J*#|fH_QnjVwgP*vyFedZ$mC^pkLJ7kPF&SPI zzg#qz7}Y%S+iiqTmT$>Ic#-ssI-Q(K9tAM1T@~ml^(V#QVJe_R@Ue`aZn@ayXd2N~ zcGrjvCIwNJr>mV5Oq@^CknycusbMy5c`i-W2MgW79p`r!#gFUXZH^>>^YU9-&ajVO z_VCsCtJ^BSS6IOd2*9^nRB@$~E;wU+Mj%8b5cEYA5}tB!J$?t(>AVc2DCe)3iOVim zuvOn>{TEFiYpRvQyg-z&)rKRyNLaYr*MQ1^LI75?btlN5SW(|5%(p>brS3 z)~p?g(k7IGg0H-;0;gS1f472I)zO%-5{FG$St^s=`HjA+6IfSV+leXB2aD!`;#2Ep zh=qJQNwxL$4sTjXp@OE;Lm{2F|AbU9vnm@^J-{qljaW`fsp^zO2{OdeHR)e;>GiS1 z5H$Y?1r@i?Q^O(IXwyg=)mGFK4oZ=*IC+ip)sPr}wIg5^zM;#+3lkpsn-@y_oT9Md zXv7z9Np)77Hg_-7`exyGxny!L1Y}(%zW7kZ5B*ZHrvCIfO4aE=Z{zLGXJ=_|lu2mj zbd1t%wc*w4{Pkg2#X9S3^>T-*>tb(5rd)y7slKbZ>OQ)y$@ksI&&!VCQ_X*wMz6^a zl>^%%O;nHH`-{eB*LSsrab4$~nG>huI)lZhSyW$R?io^1LZa5=N(@vXch(4PBw<;{ z^vn+C4?~VOU&L}Ou~7DC??;F-P2hQ!$>;WAe*(@T#`|g3O^)^HDeHcMe*NN#MAPFA zF&pHPfB(``0=r*(zWVy%SrOvp>zdNzxk*#-v*4x=R>V5Q6(0HK#r$;BwZX9k$>eQ$ z{>Zd?ABaQZu^w5~zAfc!(1x*oovo0`!zQW2X7C}b>hI<1+D?*TdRss4y2n!Ryx?AS zoASe71KCL{;I0O}j3Nm~_2%z(O}ipA@_X>g=C;EQF4sHN3Ysh|>(R-WL>nuXn?p zl`vsF#=q$67+z(Ce2oKW*5QfgOPYj`4Rj3^&TFc+Od%XMfKCYRP`x%EAFm-S!Ton$ zhcW_3*TG_VL)LFrXK%c*ZX>4{Mci{GXg5xMbM`TI^N`7*>2O2O6FTE8pD#?WlxY#UtxtZFD$&Zmx_q0R>q1uv=G8Y*8k>j= znOuCyBYyFZz9JJPD0351ZvJFz;ei;TA?akS_r}q=)sQ8L9!k=l(vdzTSIKV%8}8xx zRPZa2Et9d;{OG^CBHw);UA9YoJas5cko2a};{5HySXjwcQ&ODmOSYv>P8+TMFufH_ zB7U+;>DrjW7)hKU9oLY}<%5B%8i~F5!1{h(+=yjBz_@$AkO!b>wopxu?*fbUJ+tHq z7Z5&JNsYFEKwwGxFv9n%S?P7U!of!=_>0Hhl<5M9hVnK*=L|jBxgD?8N#C96bWA;# zgt(F$-{ICv$Zb=TDgEo>m^x`S0f0nF=hae%!s5q?JIk7-QliSVi8Mired<#XIsym* zQ-q^S=^#O?(aJcj#H7Bgb%nGv&EO3~F~0(a2y{;O=gc^#!Q0&&OX-xBr0@~=K(Hw< z9tSO(abrpoJORz}zq1o&WXok_^o@;euG}q;Xmo7V)Wc$gS7HAZ)L>4H@Fg$2si~=@ zv-9~SfsfXX5yCnaCrM!4;QeOZ!?>`P~JXOTM4I_#&Od!0>h|3W8=Sz@tKL1u? 
zBAxkR0R6B{%I+2?sbupS6+-T13F~i_mXhPK!bd{dNOHjr@}%-uS*z!!LF}$2LJF09 zbAD06bhGpD^K@za?XMog`>X6F>9JM8NG41X66%+_ zJqCYAZq7Y;k&fcm*5#{`^wJ0Cx&emUTD+%tVmE2h8af`V3Y|Bt3qQZJXi4LS>~15S z$KoRvb8pyNsG~X5YH`Zrg-HGi_P>=;k<@rOE4--yLVRnv1?O+_A<*Rbeg2pdjZAsG zHzlQ!lu9g-H@C4MugIBo?8$WT+y>0Qx$!P}s3zYf^me@gDm z4%B&F_KAi>W)NnO`H~A1kvjk19Nh3_Kf}=QHuhGbk}*CV$gFR@un`wo@^jIgfC+`R zsV=t!L|-OOZBd(qp{~VkdEH$L)GF_2?_^Z`IGCc%;k%UgPQkz3jh*luBXkfbQnNTv z-4JL?rIQ_3`VHSk0-&yy<9O`OSw0?Qh3r>Qg}k}kC|vJNNkA?>7BA25`qFca}7-h z=X;~P;yWIS8Ty8m7z0Cx-A!ZQzq9jUqmxHguuQAeTADeUgaoP0iA2QpYOL400CB|2 z!OKX`Iz|iYHT4fw;ilV##=juA-C{~p(9aQYf(66T>PC2+%E5%d^Q1eqfgqFE-*uNi zoBjUsfKqup*;>C#UwY*fIeBvgC}?H|A%En?4O;Lv?sL*zYe$D1$Vif%9WheL)HWl| zHv=QK2c<4uIdGvG%lk#;qKP;hpW#Soc z@2N2D9OU@%MlZtuA!Wq=EI8)7_P77?etji;#8)EgGv*}3{E51#_>P3us#l*+y9$Ny zi@v{BRh70PGUYM9uWo$OV}H2budo|<*rUt~ME)HOHxdfysmYq6sC%dG%Gs5EUK1QpwN!~f0<<^~>j8gEOoZQTU9`;x>9nJn?po zd_ze2){V!35DdZtolg`Uyb3|1k8m&G_bMAOJKX%L2*hI)I7zHt*4^U)5EP$=!S_F7 z69d(Yy*q)3rg-iCy&q`$Z`pC73Ptp`hf|`MqI{+>1b8vEd+s6tC>Ytg;|vzpvfDrg zm`)F9{6duw4}r!D*)3OpUcUBX&Ohtf^a#sb%*<|+62T;1Itd{#!FJ+12&NK z-0bz%@*7rX86wu7o66lCxw$PEQt#C>4VwS+aDOt*xQ@oTHa;Y%EYfA={C#1hNNH`un99!QZzD;EaPzb|3o}$wIAnNm&ESs?O<-CSSU-?Q`J4aLOVifyJ z?jmJWmai5lV4`&0BylMZK$pQ$+^(R8zS|$cBhhLpBX!(45Zt3vZ zVtHI2Rv$UeLmt@#Y5w_LNYlV^+RZIL(7{gVZdTxSW)2(6>7fTA7Xrj9OH=S9Jemi| z0Qi{U&K2acZXYg26l$2+*hyeo8VO^m1CqmT|8$|lG<#bk#$~}`=LFZw^tJNw@${TO z9_vb5B*=-5E!H#9Ymj-PX%ASXA*sD(eiP5f+cuZ~R?PLfX}vR|m_3uc$B6i|-Y#+C zSgnqYnb(fNrhUbQvyGpPkW&Rcjl!g4u(){!-n3+9=ZDju6MEnb1$!y@f-?=Axy%OR z+Ds2%?LJmdXR^>Ok=cZJ!J~ubiPDO9oO4Qw)wo%At2R^lX18iC8jH57x#4Bk@OL?w z^&YAB2kyWJCZt9yz7l35d_feiOR67s0F`xtVRfX+l4M)J;eh$wbTn7`~4vGL9>J5 z^t58ql~gI`Jk^Sut(+XmC7yk(~3*LsLbzA_#UC^Tk&Jdz}qF2 zv`1}-h!`qijl}hb;IlKL^I(8CyB?NiTHiZW2pY*RcB+3Y1i`}ZZo59ecgB*swI}#5E&z{se!{kbzY9E4?x{UB*>Ev}{z(V-*mzbB6KGLK4e=O=Y?sS~@4 zq{{aa+|oa9p@JrqOlUuXO_K@5Cy*p30-khk9icQBS}%1x`VzrCB-@0xTb7zko1u!Er$1j=`cSmunGs+TG~#KX zL+E_W;93MUZcw8O#AF@=1@3Z7Q}9o}zq|}X*eQahAi&Ng`v5`TJ$D_^MVf%V@fy$o 
zD^gC4i$DRXPy_KBUZTC@2Y`Z52mF6Wqlij2HBN<9@?&ORDVI?PuoOH2fYkz2b&@|T6Q#;$53 zYk6o}Yyw6?p;fwwsth>wuh~ajNRr`b@P&daYVo7<`c#R4hP6}lIwajAek%ZNJt98= z@q<~n4|)+*g=9oMGWMHazfLgC*_r+K9>0(ZpZu*b0Iy17k;+1SM$h@F-{T@|4^wj% zl37ceq%{)cJIiL~)JP*SsL9|~5R6wX`*M<0(;K{fn@IE1uXd7O=+D=ii@VzM`tG(( zyF@x4le3T88oWHk)aHh1<;+t(>>13(R+2B>?2BH1zs{<@MfLm7w@fm%`V#AD=S0IC z_JwFn+pN*J=QYJ*#o|R%0qZI`SsP22me^lfo-;ne?DE82k+erc>yL^+CY)tydvF8Y z+CzS(f5#Y?4k`~eiq{{>T?_I~NEO1B#aAkhGR07AJwqJlTtNUzQLC53Dk)VNR%Z*v zXMu1yKtaAq>+oS{Yo=)WXQn=dd;~ZKnu(X4&1{n@tf5iJJvKKxPg84oF%-d_@ZHh8 zmLaBi#h#>=t4%sb&n_vXcBPA33FT`{^@oO&J<;j`J*uQ){ZPi4yqn8o$W|6RkS0 z`+@@f38%hP4nu@-e47M@0iT?_xA>__bvTovHfR0ZbKMa8>whc|xD1d` z9O8D2-Y$*F5mI)ag!KB|r zB;zTdwcn&6INr-x5T^+M1)X8KTAUZ;gAAXy{P$w$@~di=Z3+#sXUa*g@H9k%qcP|P zq%rV^svH78n?4(79vAk$X$(0_mTamJyXl^>eJ}UY=OzkG4DHFQrwBY#F_RB_%loIs zbi7%U;4m8*m=)bz1Ma60geAv7X&S(5Bw}BA2@uqYozeyZsuiV08QhgDtXhDe)eYhK z)<(;0BtS!JPX~8}Vm!b~9SSCC%h+^tjOPf3S*in4UuN&qiyIy3m+Nvk-X;H7bVsdY z#1TUZERS4m6_o2#O9<4Nlr^lfpPHW+38d9qYIHslqlqKzZ9H1ry{r$F5g-~kATu(g zt?HAF!|`DRUl|2*HJHH8?>=UPsSjXxDJwQBRJ#u}emPjccTz}OwdD^U$2jUtO7vFz z6;^wHD2|Maj4z-+kUmwJ&%Q{hk4zU@3S`qKcgK2D%_W2i_FWT=K#HE~|JtDA`Ml@m ztQL1}Q=>cPoP#p(>Dpm=_h7kku+ILo&LxLGA9oN&b)e9oXj_X?NhvofV47&T|jJd&(EWOo~O{|tv^zu0A|GvRL z-Z@!a>7My}_q6!7(f;!8D)k+TL4q72^E_0OcpWqi!1-Cfjj6PGTe)PMFeWJJV*qLN zX*tI_9c7!FZ|%ChpX2#Rs@wV2#`ODKJg-8eGCjM=HO!rTqH!_uRcWcLptOaHp?8`z zNG}GQa7o8RI`F1cXk%N31TYx1mG;Z5b>Y(UEP_HcTVaJH@HI)5!-|fxrmw2d-X8_0 z<@|OMupCOz?H;2{bRBtCvw^()>G`Cwe1Mw1f&!S&aFRpoQ8&-C}g{{ljO{p54FAwIu}F%fNm>+CYi9v zA434j7w~a+u<&T%00$id)35dJr zuP5Hhpg#^|H2JZ^fKqdQB$D2s(&^x@`TXiFPbCR~ZhrC+kRRiiaS8aF(_E~h5OJvY zj|AI478~ybDAU#PkH=yiod-Nl%)`WaUlDK2;`wfdc5H2>Ly_W}+!ac21r@N0h zE>(VtuEIo0np@&nk9_qCR_PdOz{nn@rFdfaeC#)e-g|-l)S*6@SThjWQDbSX^OrSMT?REa=ZfUtNy49QYrs%i^Co#R zNR#*itZ57nYi5<0reXIysZnN=+OD=fU#bP*&Q6Rd=Oq4yw+m3%8DXMN3Nvf@kewg& zYne)kzS!2{)<|$uQ~jF}srsRNEP;MbTr+B-2s;^}{s)$N=5JyRFUCR{q2WnejWiUi zrq*7M_G3(51-z!N&>x;lO`|8D@hLk`{8DCX)E6uDZ 
zkr7_u$ef>a{f$ranh*JUrv?PAOFY>7V%}cc+i!~YQG-UCJco9x7yc;%6*L?P859Ly zo!sEeiU+>p5BG8S^tG!_xBZpmCMq32J(G2@TKhS*t8G33DTcP-@GPf!Nt$Km$NfUs z8>GC~c&rEYKMl2BS~y*NBXdl%-%vtPlt~M@%om@3me{xm^m|x(n)x{_8E{(Gu*9)Q zuq#Sn(dg4R>qQ4{IM5}F$C=Zl!J!cd=-JeH6Yo$FJ}0lpQBq zbIIo}N<{ly!Zo-5SOn6|VaC(rF5p=Z&b^9VU;%wRU?;Ri`$pE$gz~rq%W6tw{9{`h z$xDx}ykr&=4p9vWcoS8&U0rh=EyDNg=kze*4kiqyn%#w`B8T1T z*ScKImTU<$IH!fV2HMt~(j&}Pg*L;oO$^^~O@613mOYsK>DsjHgn1hO3KIVEBo!?| zQ#jj?4sb+xC%;eMUoy4H3bXR^wYBlKfwZ?SUrx3cyDJwePHkPy90ScFcl^Gd96Ehz z3~zh8d#$cchJlXg@Beb3YuhxEd2}k}WaKN=9T;2HtKzc|0mUEjp3m>JxKvv=>`gGi zwdRQ^og!~9G5%V(ZUBM@x`s7DM)U(ta+m{3hhf7Id9*=4H=nA<8d8fg#6nKKDzvK2 zVTuJ=${zYE^U)8r&ouc=@ZL?X35SnZq*pUuNy1r?AKw2V)%#0+i05%JAW;YHkfLa2E zTgyVPLZ4iEX+N@QWFwPl6=HtU_4S#et}R30#g{qLzjt_m%HRFHxhwB)qgf01Y*1bG zbH}FRHrLP6J9W04|JBp@%0FFX5y-3K(M*)mINGf`qFS{ZPoiG#5`BI5 zc_KQskF~p`OiSrENF;O^W0)axuhXij<4i%+?U%EZzen5af*viD=El+Rka4lJwOd6+ zC?#Ry=J0^)&AxiFn7ns}60XfvIoh~G<;EA37Z;ZohPrOyV2(~DWIHr<$5yM`uU{Vg zekLGv(tq~K7e%q;o-eu_iByMBXn$?s=A608ICmkK-T7da=ps6_^IlpDI0F)zLr$}D zH}jp6weL{?qT&w9hmOKJDy#q72gi=voQ~@}OZ-%|pMjizFTBJp>NbYfYUAECpVg8T zm6H0!=hHC>QQSvjr81Jri^qvLYW1u*Wxu2{f3FDx4E$bq?ew?0d$pV1Yv;G+b*d`! 
z0vJi_>#c*aTp%j;;mI2Y1Tr!s--Ej~3j&+jn@N4j{YiVSa5)%2+_I)M(kKt-_UQM+ ziOKt$^~}I~zQB`j$GvB!E}LH7&fC$<)4k7LewXuns>Z#4ww6>~y11&0xe7>5lF$|k z8(nt#Eb@BaJ-B+i@F9y~>r19;6}GNCv>{7K;!jy4PI+MVgn2b4bGrZS7lTfgq{yV1 zg->xqa;Ui^KPXA_%u2>#O(X>o*wg*f1#c4@`kX)k4o!DzIgpECSyXu;%R9+T%YpJe zHw*|0mOTlYBauc@{yZ<0ObwT@QsdO4ok;urD`nAfF{*ePk2b?c-%g|Fnmy*@2Pi`~ zhs6=U$!YR`<4R_>zCWcUR>&%2qvFNBf4)Kp zrFMQObJ@oIi%J=E)vBmS7ZT5vUJW=s{Pyk7w(M4OG-z`Wf`?hGHK)_OaX);xpr=C`$SQ?^EX<_j#i4T>B$J;t<22OrtX36 z>m~_EaCFcW7$?L3?zrk?l{?!-^>I$Odeof`sb!Varl$I_ZPT%0ry;TVU7l@`|_M;hX9`-O1s>M2p$^>%_K^hY&o1{ z2eg${X-V@|8C(oZ%XG5Q2WB#Z1aQt<`kc({P!JqnLUn|9t=w)In(RNrW(d|O4ChJ7 zqa{!K$tJfd$DuN9>`L(YDxxiV5QD0ZNHUdZMfx{B?uF=yPraCA~0oxK(^maKUU?xOnsoeUX{C*P} z-+O7$@a@u@;%FN~W&|;g@`RhtIDD8(fBqtGfQ`rQolLxDT$$Q)3uz`~NHYg9=u=UH z_p-Loh!OlKCsI5qt0+!9Vss6o_TOzVzYkp z`nw7`oCq`G!(X55ubT{9qIROdbk)iSGcRY-+Z@;b?hpg^H_~5jGO$U)2HL7#cXyjB zad-SZR2MdKPMAj-?rGq-=;m+sds1|8x*o1E3x zv=!69>UR#`ITUBg$`rW6K@prKBV_A@mg1o`JrdzaP#{O4oKnKgJ9_Juq2+IAvXg`8 zK1%M|wzQ0EU}@AejVNww+QYl4F0p)CF2>s~z}x|GIZ)@SOgJD>c=c!!&ue@cRT4Y%otXmp5Bq<*K&kCrjCHNs&nQO0kWw`t zB1MPmKgS^UOY2Ue@iE|))2P@RyZn*y`;lB#ihAgQ%w2e~lOthts-q1y}|oVlH?AcWFbTg6XNx5ZU@T zv-8wYs^SPMDLG;tOj<^LQVX@m3~4KF4uP^21PPykyWQwVhxh9BnLgcxrxGj!H$y~$ zJ39JlHBLN*4K?EAns>N}2#1U%p>K!x!f-U+Oah`{vO&Q&|5&8eoKI;_GVe_Q5fGL= zFKW)aLbCmSC|jXYMnK-bYE<@9bzZF?Lxl=}+6`KFq}GrfszIxA$M2SERTBSB-S_$h z*@UFEf9F}%nPdv(0E>rt)jPYgva~um)V4OqkVz+)+x9hEB7tMTXcNJ^?~hit!@}}= z%K#lyK39`kbyZbWP>kRatko`OTMGg}!`Mrz3$Dfv7DD0!DTx=|jBXUkSZAshahYbu z5ytIlS!QO{`;pKL={Syp(5yB=c}SLJBDDuk=bQ9Iw9?n|K2sbe!1xc2+9H~Jy2^mb zyW&GgGh*oo{l`OGIgWB3;UxM<>Xh<^?5s4CWq%A8@vp-3)h|;q~Gz~1{YeW`GKKu@tKTf%RdPRS73&?JoBSxs19fvX_d>0SJ%qtvj!&6v zZAqE}p*IST7bBRp#StLn1>X8y(aQ&Eq#5Z>v^8g=T$Yny^NB)NGVq8RpYuz1b?k;V zA+emwC^1wvfuj{}#sN;Q<+*e8@^9nR-kv!@Nb>3;kCdQ#q>5Gk7!DWz)nT7B6qTaJ zkU8NJX*D|)?huz5Fr$_U>+Cxkr^*GL0_9p<%*;ggEgHX0gP?ttVu&-|yHtl2Kbknju20@KYOmYAkfEK%; zbx!|;?2X0ueEo2JGy(S`GA`Kb1amCVdfSDucC(yQe)YHBZk){vdvBY*?Kn||W8wzfwR5B(ZI 
zz&pIyek46fQpUaryVDzSgg7}19K|9n`zqy%nDZ7i$FoO8fL2dN ziZqYFk~&7g!1p-2Wl(V8FRBK91F+C_5%rmgspOPpX`CL=1PJLxOpp^;fl?_Y9`Ze> zJoDQ5Yiv?x5DPffCZnryFo2yvwL!FH8Z|)A^iXQgl%?>gS}um^2#e9zxVY95+;&34 zn5D1ow40iBWt2s`GA%i^Q;U{v@sS8D2&R+>2N)+H(ojqsLKx@Dw^_e?mmML$@$?9+ zlR;FJx*P-0LJDq85+m5wdeu~0z@d6ME*J}9N*3z+GXTg*0{Y|=`utB9vD2fhAmhI_^@iGNmZ>x4GrHbX;=4e3UeO@ABRnyce z7+K%{_$QGTpAJ`0`5e|1UTz)AkF^9)sD$Cd;q;PFB^ZaC*!z&k>_JIm-LWKC0wk11 z5e0^o!d2e%3K+G6Px4|X6NSMz$8@w=$l9xC&)#iw-<|c;R{3_{1kjy(Qj!R8LV0G% z?2bl%N3jK7Y|o25?|Z0@eZ?lRa6EfPp8-)tp;Z>Mth73)k^x|jA){RXSXfj~A%x(F z#MV#5}qrJxL-e(ZC zV|Z>J2MtcC(3zTIIJf`thR`!^DlOeNL!Uf%q0CAI+pt3TPjF=K*NH)y*Na+O?-fEBGM=1wP7?z`ek_ToBC^qeJ@=YB~rO>FH znfv`rRRmeB3Qi@c%Eq$1La$t^*1!IGwcRZsqbyYh$5mLjdYC&*bBPB@J-kFNJZ~4> zmlzE2K!PpH1zRQtiK;J|#CG%jE&iGD6%DZ&j8R5M;+6?WT3}pBpFPd}Z#SMZ%WevT zJOdXELrE+$4q?=KHi(IYnW`MB`+FW;O=GVg5X)&o5Mpx17I<)1QQuqNB;x84&$F7$ zV~Iw>KQ@AAL2M2uCXVw=my+DQ=WsuRjt>PZy*{%)wr}@nczULMzBcUtJ3f6h*R_q1 z3=b!sB<4gJ0B7g%@SUkM?`s!(GqTEy^QTgHp3;Hm#+$cv(eEnA!UcbxZ9dSW=7NtkkDJu=w{!w5iI^)3Qn6V z6chv`krrm0l-5Ar)mGqAjpQ+=irDBG4W?BghNDLh!sZ9k(keY)^yZB|d-qQlg~%2I zas-GA9roS=x$`;Yb^MZR-ZNzDFd1DQvL&64&7yNjN?Tt17SG<#&Hx=OppCIHS3$wDZ!Rc+y+pqCBu}*01Nwt#g4_ ztqX_CQO7WJ_7&Ht7$20Rf0VJ}ZPuDwPRjbNpHVl2T}Z6hsD_i=NT)iKNg$$TCtpf| z!7{_t9!zaFqpy~lt9e6eL;C7t8AkNBJ1dQpe8Q*0*-=M00jpL9Ih_k3k#^R9UR?x2 zLpm-;;6$`Wc6F7IbQDzVhB%5G)hb0ay)0bdW6tTJWAWXJ}GWjkfGu*-{7sdfU5e^EuO<2*KC=y`u8B70k zA-~)shY<%8-L08ewqOkkHo6AtIcLjx<^XVkT;IXCK(m3Z3VSU?q(R*A(r`P$ovc>f z4~|+86$4kTC$wO-Rj!Y#=34jcU<{Zt661#&?uXFMdNavXb@s(-5(Gd3UR0m1qlJU* zDt~Beh;8!3LXWf8>*oB?8GQmX-Oj+T`j*7PxV3Y9p4x_-Qey7{C@p@7Ld|y{h!5C* znW1sWSY%D0?Bahi?}Ux$y6imNvHcb+c>I)TEUAg+FIp=LucC)P(fgnaP=wvoO>A|nudLVG$Mf- zr-^$8%&QMz{fY*^J_2tMFI!Dj**OG)>zV^%@{tZsSS~FtMiV4ZO^2?3RA^RNqA8?{ zsnZ>8{;q70p)gf0O2&gp+bQT{ow5|v!u(y|N9wFp1Bj>7?A0)@^p>-&G>k?cWGBa# z^FTi^kfNCm5|`AJH_m+Ira6!P@#%9JUUTsrc!1`us7G3y1iy?E7#|@bSlBj#!2If4 z`hR!JK8)btmM_(|wF2TlUw&STiaP$D%^F_$T6^~w2il^d(;~s3FKylc02%HA`#ltk 
zI@PH!p}ej-*SPLzt(Qid%d3()28fj@(HNQNEDHTsuLh#-3&!3|HDSMYeiQ$EBFor4 z02zclY-Zr$0Hv^Hxwi2EVH!3Feu?WR*E|+7aC(LUR^YEC2p}YBn`)74pQJrG9QO=! zWH=n9FY+FWDa!yopWY`F_G7``h(-!hQXYAyoCWyCGSzZAy3g15*G=Us9oMHBJi@qg zt|lg&D8Z^paW08BuW^yKB0=SzSzKRe31LEnBoyLRoQE1|=n()RHPE+z?i+t^wn`2N z#ziu!X!#SQc)smx)MtwipsQQ&H_?SU8ediS_=D0tb#7s zIHdqpfZ(-eoZ2*dwh4{aPfM4`tqQOF2sNznM8mXpm^$c3ST7Wq{HE%|fcXc^e}?%9 zSdzjY_pT&T+aHRqyoS*acrXqtlPD$oTzrJ+j$5_nqnz3jMgh#662t-#azHmji=FY z!uuX3j4O9}`IAlDntteEK{jMHchjek$CGiWR6QTkCvMojxAP?4i@@Pm*GEl9dp8W0(y=(}y^ z9lZ!OAv3CHZP<6@O`I`}!PCmEqtW8-+uAA&i5QwwK35UMgm}QL20VOB{h85nP(TV3 z6@B8#=_Ih1ejNYzHp<=q*GDjNJoULhJS1S_@yeDRgyMmuvQ0_Ligbd zZlYp@51d(7wiOI>yB~cU>_A9X+R~VpkQwYslW-!AcY3=*%iSyG))xz4q}8hpGAbWN zp0~a;1rNKdJt2prxUhnUfukF4$~F4bU@t__@`;&R!YD;0!Y99s5n?M>Oe#Q1B@7%G zb3Tsi1B8Q@Ey5FEPs2fp&gWyCM5S&e&?a~z>PZFP-l5pIC_SbQ0f4*vx61h5Mb*1k zt#gyaQGQ?w#pXr{<}7ye|L__Y=r1=yU{icqmtwA&k3$;YKVpJizLVKt%FX`nm7=mF z0&dLe+2>ki3bCZqAHJLm^SrlRs7c6k173;-9>Te_iuJs?IXTKn+GvH1I!wfvppr`{ z1NLM*gS#n_mENA%`9*4HH&+L-65jbfs!127c`-H%07PtNkvFO~cw+cD) zQtqE!KnV#i8BeDB>h{)Lou-P@lpI{GK;9ssY{Yt27x`xa7 z=eyV$l5RYijMZeSPcss5PwlYijwS@>#2!iC3G0GJ`@yR3Hi3Vc-BtQbnNeA-jubVn z@vly+u!%jPP?+qCo%18(5%AO`h*-z@Q`wGdE%v4?+?#MJ?NdPkb6F&XHwk| zHkFaM2nunjN)9=TE@VL((4q7U4D|FvzXS>Y>Ev>Ar_NMIIf!|OOR)5cS)^#b=+~_~ zhL}_37<<`&0kaFWaX5pm4?QC?wmtv92X8)RbJSha+Gc|=#l|O44Li<%?c!{qzmP*V-i&jN7deI{DIw@X_o-4%|` zKKbg6 zgHRzM*1l%w{UO(nrD!4p4vh>}glsY%Nt|nCi&5yjurhtq-*M4-+{FG!l#mF>$WDtuUb1vDn^+by`H6H6 zmqN@G^lgeQ%FuC7zL|Wiw26Nw6LJ4pKshe?Q&>YI_MEMZIltSEQtTM|-p^I!robKo zneSl%gC5_rtTEZeEU(W%t(p*1)uomE{x5x|TPjji$S6YY=Y2y##DL1UPr*|VSrqw`wXEDX zJ-LGHoVUN|kN=>K5#fe)hYqh6LyJw*;N#%jM-DMaeIuOtPw%(RTw0otpU3-tAcpO0 zgXKcCM?Vt2Z{mm^M!!A*-j`AVxmbMKl^jAT$i6c>W z1ZULeK{UH*ji)Eq6~AHdp$qcP4R=g?8P5^Cs{$gy(}I1&+!Asat15Qzjq+*Jg^Va;QTfvJA_`M8wJ)Fd9U221bH>-e{kW%=vUO_Z$#8_z9 zXiu8^&#yS-7~^PlqUE#E&d}%;-gtZgUt$F<40^`=Si8p(ixMCyC$!OX{mQCoW3qrowh*c zQ7dZDmesQKlTWgpIHEZaHBWujP&{#-48xcIXbo!g*nl!0Oe#MqthbZm6NMb7l7m1o 
zb6{;{yEnXpE5*rX&#t5lhwV6Z<$Z{lcf9(#k-c-dCebJicI!yYkv~K3{dR4+Vx-Y< zwEWT`hZ3V3E`7@tOBwInsnIz<5;Kd30_pcd$ov*R5XFBynMAxQdP1%2&pQ^L>+>c{ zmDvfWf?Ts5q1Ycg9&8d7F`4*w>aF~l+sS-}R@@+De9m>3BLawNnX0K>?>ihw>^(c+ zqWZXO(#`+6d2%@eC0xo+%zh4eIowZ!xnPCdo3BY+qw#D6Q(;Q#JnMa(EQu z6d^{yNWW93MI?XRi#FpeO?MFleZUYSL52Dt6#+IbrU_P^G;9hkrz55O+7h#YL6-#r z-T+%z^_`+gBZ2n)q8H5=;J_duMjg<2wc8i@hn?LhG{cSnsY?iw3}IWS2A31h@8_7{ z)ARjAF5hBVk``a%rz1Fo)q9Xoo`X#pS~Xrgi)Mkym)uBP9m=u~$er}a#A$^ZvI$`K zEIolmG`)NG{q2v+V%A<{Q{1;FOZ_K&IZym>Jv|HthniMLp33oAPL>_T;8?0@+5?=C zvj|j@PFN))w4bD4CjLa>+7|{%{7lrWy!*puZ9(d*zzXW1Y})=qmL_-70H=j~NZ{~p z7u<|CNd;7@l%%T6!y5Km8`~a~uc>1)63{U&3#;yNQ(0tI!|ZC_AMx)`^3vvWK0ba6 zAQ8hB=von$>3dnaz;15<2e)FfY|o|YSc(a1=FZ}Jg06q|&8A#vY3Ubzl{E7v!5;qo zn9OJ{7O|yfp+Lh*PbMWN2E4H-=fCVPDfA`W=n;9>;jgWv*#7of3!`;Q5Qe2Y$xj97 z$+2Vr>FM4vL*;3?lQ91Dt(c?s+^-&~5 zpyf$~CH+CEeN{SHKdHbc^H^rAUFKiOKsY8QKYnto|M{?)SC)WDkdu59f|Z>v5rIXo zVj2C8#b>zz&v?j`A;S+==U9RRU4+J6u^hhOK^R#e)XTUP=(RvGpJxOR7z{MbZse$9 zaw`ofY~D|n@SF|x?hy%5ILii2Gs=Z}BY5yY7LvWX;ja;&QNe}$sOYVb12L#>&(=7Z z1;7%vPt+w|rc*$2MRd|rB(RfgS8VXf7bS^V4(6ItQQY~vp|IkXyHq-wsVH6C5wqit zNC;d_TE+FXX_8Vokf~)b_NlyTu_lCZ5udvBcgvDy^N1nKFvB|}x@xfySTy)zL1n{M zU3u)VG3ei#VJwAM@PC|6V>jU-5!iP(AoLhZEu7#q>!{UleB-pfafOB&m0GLNjA=M4 z&z(Ht7ktO!A|8oeftOr%08Y@cr%TqnoQ?O=2G=k91^jO#f&2!dZV{mpiHAG9yt!3w zT1tt>F)FFeNA_i~iDk#IP^wQ{_+}qirGB5b8GU3^mq-TVq2ByItJkr&r>1fQo-c_ zG=u&!z%vV@1nLt=AfiHcSrUEu0K0pyV|`%w)51Y)^bt8gm9%rrZf^vq2vq;8U*XizyQb{~ld)3Lu4 zC7^*}M=3mN$bwf|y$T@NU7F@WY{U^XzcD6Hn2i!4 zKi1RkvEV_6lUrSuCyl{*WDkQ6oA!wSs$0H@@u3M^Y*Np(1zWOANb_-rN>8yQMkm696KC#@3iN5-!%c@bFIFiGZ`4$MwwmK2$WKE{sk%wo$s8N z82<36hmFFbF(dC-Ab`}8tSY(!OvpR%g&q5!I`P91NWMI<)ZgSFs_WCDhJOF%04Wxl z7bawZE#VJ4&uI#ae(@Syr##dU3{!Y91hLa;0Qd2{bi3$JNk5`mY zZ*eg-RdLYkAYhKp{XJotLaP?UiiO)NZI)o9zIaeOX=!dgsMRzQvjj0h0iB+OMU@}O zjSK0f-=^6iUyo07N7a2%aXsV7@%y+pF}537snkBGu0M-jeeBtd*}z$iaY`8`kn%GX z*d>&W=-h)VT3=R0oioOuAw2Q-=#M|KJ3LFjpnm|32MXz7fLCf{6prao+Xf=HmLC!O z#f5oBFDDy%EWo1%OeuQ56%^L(-$U>q6OCeq#|p4i!uiKyp0p~j&5Ki0o^e~8(+$Eo 
zB9ZAQme;s@;PzH zYYa8M1aM16zc`I(jr~$)A}RQcT~k=Ok9uf1n)EziPE8aO$`2AnGOk~cZV{`@Ytou0#pC*m z#hw6yURNc$+18Ye$v7$|_$Ocw6RcrIi6GJ5l$(V2LV*eCEU6;d)v;ArOvvnplr(Q# z%q*pTNz#HaSQsOSx>)?=tJZ%zR)uNLi9tUC5xySD6dEE~n~G~#ILtGCo&5AwqpV1! zWahLM4clkXlL-v

%H2R16YDy&&)>`KEH$FS9tGA942@-!}(7GtfaYpOLf^!VHIn zYO;DEdh>&P8=Yp4sc=eE3HrTbY*X7{hD&j+*)N-XJ}3oTlP`=@Irq&BVnRfRrz!lL zP|#-jB2aF8M4Hq>pAy^ngiW_Pzev~#E^9$QwYdbVq6J0akM?l$y}I>|k~i5`M^N|; zNfQ$GJA>#I@7O+~Vm*f#2<5w$VNBiFeNfeU^XCjO?n6en!sNf2p(rgyuqO*NCEPf? zfvK~efMOx6FmxV^5m|$I-&12ps|n1zU8tBWcOoJzGmig;PutyO$ZfW%9Ybsa`^st z!%ica^8-c@ToMgDBr0k?QwaY`ZQ@*;rY?s}@WSFxG-0^hb2V{EQ@<`9PsGIr!T~0v zPw>QHrq(Gga8(K1$G&(lER5-_o8KGjR;VUFMf8OVfag*(LS;9y=Ve(wMD5w%Zbb`v zue$Alb)1*#qeJoPRs=0Dya^|!fqxT&#!EeLG_eQ!%WhU?AE57T-8Z6#L|)kb^2yPp zQ|h7REnl9i%1ol{dS5%N^SonPc~_|P1<1|8nAmCBOLXKSO!&b?=CGU;hkw%S><6gbixs>?@yLEgU>zpV@wXAa@c-Hx`VULNmEH7)&SNq>#u9mQgunBgxgH( zY$<>QgG4~3^EI=AlXjGOQ+E@hx9awL+A=4LfCh~eYnk@BESa~&Rz$&27d(X=D7r1nT@+dz_H@W#7c7!i{Osw|3aQ7dcakFp+G3dhqz z3YLV_C&CCp5xVE6Q1>2kLV7$U))gnoewoNZ5Zxo>it( zg0~=I>kdlY_S&>}*XLF`q82!jfQfeSbEQ!%o*MT8n(gzv#|fh^_d3&$((&O5ES^tV z*ZT^=a}ZJM(;x%F%BD88%y32$<${?5s?|5JG&)2*Q$6{|bCv|ss5Yzi`>RuK)Zwgh zL01LOPNxcZq$K4Qybp-keBiwwNUblf-9SQmG74OSHjQFm!yr1)Yz#|FI$*W8ewwIo zV0k#+2$B$9*%#YG(PTW*S}RL4Zrv>qH238**-yn!y<;)zt?gu1vSy46jt%zP``U3T zRJc(|TZ{DBXt2r;vvcrT@qqDw*CtDe(={)t zxSuh_)UP-a);F~Q+6I3Wh=C#+5o=C6Oz!^8rrAMBIv=GV=t{XZNurUtEG_s-LAh

Z7F&63%@e&PqcXo}s25m$ zizf9pP-o*yj2)E;&Fvi)^;e`@)n{VYV&$vYdRJ<{>e_1dGDQnWQ06TR%Z zBe?-S`11N|!V%>v*z3D%zhI+)(luFwq-dn4JSB`> z)Ffh#;kTFZ{Why~*7C+%Oq<({Tj91$g!NBotQnYQze}5E;I;dPDj%IQE1lJay~t&c zxx)=y9BEtBp5>lu*EG~r&QhLiihXZ0d^HExsfy!TJ2Tm$f4je90d<~$);yK-y()V% zin(y5RS{XKXLGdd;ipluEdxUSXMQd?%|>>OMES5%wUMa(nSuVg(psW>Tr^0NTE`qQ zByGa4S6NNuCiw?&@ee@x>jFFBuWCf3#w0kS@kWcQT$GEVKdqYnMp-{tyy#ptrG#^j zw)Bg;m)^06CR@mi19ix>hsX{oyzLYhD5j~+BoY^_i-^&5OXiY5TY(vj$KexLfj@_P zzSsO9NoWXtf@)K}NV(B^3k-5PE%A)pzM`FmKPqPUq3Si$Sy|n}(tHTR9*t@l?>>ke z!X-t9x&vt5c?ZVGW{7xe* zF=6aRa9dLJfW7UniUHNmxP6;JNo+iR;NU|r!Adxjn<)xd$>wP7hh|SwstEN7TVre? zo2P;Up`=r=kKrxYtOe`+q8C!qNdsQ=WsJ%0D|63=gnh%SOEfi;_l z{sy+Um=@)=$$lnC)gjg8#5D!HhfSDj+|wYROP`J@LL}>;oJ5&N<5ezE!npJui;x~7 z(czwZeB~=Yeu^%Ik5CWfOTCQwkcr5yeGOP3E?&`g=%zXOtX_VlW^V;z4C0RB_T6hN zgQ%O=7?@RvJ}j>h-zzgZ)R=?M)zJ*9ls(}%E13H&^HnSvM9SECt4(#s{-~Jdn*p4F z!cu%z+bS=X|AB|b?#8Lbh#XfblUiJ+27^!xD|CS{7omRl24BQcF-lpFKStcoec^7(i)DAf~78penHart#uU zOWola54C367k5nOqCetk=uSFT2k?o+JS<8JSsmHg*--FU2uMiB%Z(Ou<-c96h~BYC zr)#N_4ko$tjb~lgVB3?!X(>e_UI^{yP7y(!M?(#^SA|Qf`Q&mnETD*r>Y%sKmsB>z zDnBRI8NVj=<@5SbYO6BEU7c=0FcA-?ASfi$KbeeTSJmiM`%eE}hbiEwBjTO>t zmlnjxHD<;D8=_Kz5{(vW_zJPbDLwTBs4=T6;X?!Z#;ZILRR|oWJ^2iWvV!vbCXH-y z_G|oEm<(lTyfQ9>FVE^|u7hHcTDB<^F15|aGqc{~4er_n{B_IRA1P4;qXPSF5L29= zZwbJ!(v2}^?Pp^P<-Cueh?~G4hEq#WuR(eb;X6rMo`1=cw5ow2+3al6YE=?bmS7Xq zcP#R+@9*zLk@>H$GArIjUD`^NcIh>Ori20g9#MrD`XO*xRHp@!SQQR6HJQC37U8O0 zbfZ}pQ?ToOheme23 z;AFx#Qg%tj#9T+{n$RnU8}|z@8yB@J^!iD59fKieM?Fo2YL!!%D#}6M_P~{dgGjJN zSC7!OpbPo(K95rV<~5ITfY~l-;3Xn^(sk?0WkLm+;@8&*-8VU?&uQP*J^!^hlz|bt zmTD$Bm{C>))g?N!nqm57s*2)IFFR&2A`Az79mc~A>#EdIp{qPEC);1Fv#@D8C{V`V zHmZBaqC}<9VNy)&a}*Jv=P=+81&;u2n$-4kV&n6Al_?urTmDokb(%})d@PA@JdXl` z7tu5*oOdw6DZF|4!PZM1Q~~>SFkb@?RytESGG9 z<#M@!@-Z0DxW?I9duENFx;~CDGnt(qTO;o8$>5!#r1rO$GoP0uU1G@2?djF4JxIo-0rP97QmrfjR+zAtU&5&2BNPb%U=OIgBSSX{3HzSK;$=*8aT1 zHgY+-<8So>d8e0Q$}6#Jz@gd(h$DW>VT2i`Uf#8Sak?zkX)D@a9~EW!*%i%S z;*M)?@u3`%#ggyq_&=G%Khzh 
zBjYclnJUSiZ+RXj%1wXNZQ28k2ftbV&uF3@l;Tv>F4fC@^L}LT9&K>loH3Kct#Z$5W7bVOiJC|RTm!pxL>0wYPnVzXniNt#+S-KcVqR&>Y8Ip{<6mqboi;_;I{gY`3DgHy{D0e8y46%k3W_aMIp8F#lwh* zGkjdLv&{{=)lE_6Wu`iZ!1fiij7Fv2#9zv>41V69mmQq}_?d3To}MlDDh&k|93YGS z@Z$VPVzB8-KdLTu2isLof{e(oAsUK~dW?~Tze$*te#R*8aS)dtj=2zq&oFHy9K6Wj z+>wZ1?T+w1Y{xzN4SMGzuQZK$?y?G_ zSTEKd1Q0)aIT-R{WHGXGeYbaH#)PymNQ!^(K1cSZlk5`ULOR~95juU@8?+_x;epmr zn4l;Tb1*L3gEMoPK+8fFFV>_T_+plB+v&Gau`@0|r@)Xdhoz+tLGXya^>qG}m@@%go94jz#)hxkjD&?eW5H7bsK5b)z=~5I)H8XlpeY%OES`zZI)% zA`0LOxBZK|xvYy_GK%K#c|xr2&g{;j!LrlIcRpda14s04 zv313W2&6Ap)R}`gk~*V zwjso+%yJrxTQh1dr9KXWcGGpFjpr6{1va@}024E#9x|0KYpa>h_mqOJ=P*Z^TDk$(ZmHU7h%v+4 zeW~6m1erK$^F9xV;Jhc-@C<+SM$;BR=VdltPk=&6NwdqD^G|}U{n_?D65UEzMz0#J zyCZv3tfqSNRVj4$L*|zNA9>yeH-pI^F!y8vdYY>+6+EsGRrC?i_2NIUv>is+Z9JZq zOc0UJ7Hal_uyy8}Ahu4U-m!2xD%WmaJh^Rgy8?6+`x^Jsnt@XY`y2L|*zFpB?cN92 zyHx`#KoUQSfIem^es=lG54@{Jui<8AW>3TEI)K!Y*RC;*JOcAMx{B^Io%g+qHQ$Cg=yQ zo;%N{C7@~7n2Wbb3}W!;#`ivIT6?V1<#l*_g~)u~rp)lP_ewNsov`hrK|v*vKyA4- zcnEIz8&r5cW!~zz2Jy7t)?7{bs*Ncn!>I+eYL2B5v(*HbL)Ek$EA?7&R3T`!P~A`L z^9*3$7mSF{lP=?=X}U9*z`1POZIq;455%AfuM^_7hY_DNtl)5QsymG0O20IeAo=@6 zrz7h>8^Nq&&vl6S-WMk}Yc=}a!TcV#OxDnlD3F)eQ)BmKN9E0rhb8@eeQh^@iCswP zUh{vVajfA`ZU|*A(=&g^0`MYAo0f|{-m@0qso==q`06Y$xgaV$A~4$<&5E|$MT@1A zTR>Zgxc&KZsOL0t2yw^F5Yv%?ju*(>=8hL?#`vy==UR+!8qOLirKfbZBAyE^zzai@ zKaH%`{uGfU4Pwe1_96W)ueeoxAEpd(-}7Yb&gSPNC?^kXIpK{Ye-{|_avPbHp`ybj z&*O)Gkuh`Q`bB&|D!NG}bOu~mz?LjV&ln*O-dWG68U%udhW0u0c^$K;@Y>7ZZ+^S` zEclrIbjs`LTAHf#$7v|heXsgRVdK2 zH4~gnEI|>NFH;0V>-A)+_2c>e{{D)~+m`NguP$(3m>C#!-7Pj|gUonr&)2)7`JS(* zWGgi44s&$dO*@~VWchD^UAc&d%3=!=y1j2QGWHzf2*Z)NiG3og*_+^mcm$98Z?C}5 z+!tK&x@)~#DU7Gl1A)+hqKo3Ie^e4?l7c$Hc#4ku0lCAb<elpax z0SvbkN}to*{n=s_e)`%w7L;91b!?_>bC?B+{*Vu*(h$&FU=KFO6Jv{Jj!X${o6Kn2 z8X~$p zA*l{Y7^)bpW94y2fD|Nzu_11QuzEhLcbzvm*x3cs-lXOyfiBB0{Vl3HO7-`7j_#z_ z*8p)E5KjL^YPsvw+4JaGL^ScsCU*OM2Ly87SB10yJcX+vU2C7$hdte!V)AzH3GuHf z*2{llBE|DDw@G%&Rz0%bv1k*{c>SXP_2)xa&V9}ghNg>P{Co@-fO8joyAqU@k%1%q zQ^DY~5Y7s8|5JD)adulVHAG5LhcRcuk%D8vEVUbpIpq!$1JC 
z!2H)(x*?V$f#P}b9?LtBskuGP&?FFaTUY@{1duy$jD6Oh=*c|eVp6U4ylean4xa9F z%ZPDE?`fY3$4wvy>eQTL3yJ%!6e_yz?fZ6}fO7xX9d6};hb}XNb-JL6s%)=eB2Vb{ z^>c+qC+!jSPxP;0ziX`Du_(UVWHN#sc)Ml9(iV7_f5;9TL|#}6s$vjelnJpZV8VT{ zT%fen@k2Rw6kTcVMLm0gAfiZ`gR(g?sg_$xU3*Rho}hQ(zvzj}e0$bCS*`n_thtnS zMA!k8K7UN^GHO&Zon{wIS}WbIUSFQ1fXB}=!$QM3=h6Q-<%g-HM^^aMsJRy3?dkhm zG1vP%)7Q1-Pz6r}*)>hasf}NcB2T3l*!dX5P@z!_ zj{IuIShrT^FqcSQk>}RPtZSNoMSPb1*Ju9RBR(}P1t^R2zNUoHH6S`; z%dMUV53%HXU*{5^F6)m(&0zkdb^^@Q=LSdycTe2Qp4z9y314fm%kn|VL`zh4eRy#+e|0Tj2f-hT@s4#p-%U+ z2uPD#`GC=4!m*7?)}b{Cq**2P(^j6(+w6u`T-qc zdt+fYvALX@rG*6gk~*msOe#nx1TWjU(@vq|u0qVO5J3G(0>(02kybx4HGV$cxR=4p zV{@JQb{{Rv_X_ETbhJuDK%nsm6dA@205au6ZeG!XulL6>3qJQDKCZ7vqdwakKvm7X zDdc1**V_r#Q<@108vqe7B*SZUy4-lT;DO$eBY65LWH*)|Bgk*2T-%~$>ZbPTc%IblXXH-w9oTa$(Y8A?Ax_$ zNFP#_%3&h*F58SvF@!Hw{CRA~+&Yc>-1zvo+g^G|=#kH>gLFz*tdSFQc#hFfqSvWI zX7g@}MQJ-8I2U8OKO8KqZwOMP)naW}sLox}9GGiSO#@mul06CjXwy-X!^(z;?S}A1 zp+$2Yrb|Gi>ZGhy0*ek2{R;}F(dSe%)!?_IUXx~FMU>Mt&!6!8DPN963XI9weL{?s z#E?#QNIt^Fj0S|>i!El-4a2*-I#)0`AzTf7l&0-llv zEnz=18CIZ+w0B3_>rI8tYRiMPjr&wlVa8$b;7|g$3I>|mM7w{ASc>`|`Lg$ohL#(L0&eed^cEg@1jC%kBsXyBzd~V`zCDcj0M6sgLpT6s0PWf4 zs5Lil;CUYtat0Vl&8WZ=Vv??mPQh(Y;3d0e9X%--EXa=pCBhD-w^+6P@p6dK=VB+R z?P}$$HVz3;NL6Wmd3ic(e|T$qczSbwOXGGxP#>+foGOsce7r7vz5StU*|0Ra8wiYn zz7n6cc|2V1oc-A)6o`9)y$uL0&T#r~_b%uADhEa(ibm8uMfFqn4mlamL0;VMa5^tH z_rtg-@~gj* zz)V1Lt{#t7g*x|tM9i3_^#jR? 
zsouFe`Q-T$L1C25dVg!CWtHsb?MztgVv5MwuiHz%>-xbc@Y;ip9%rmOflltRwLX|Y zYty=u*bF41Aw=#2Y4hzsTG?Q;_WHcLH!@eGauoBK*b7kj_Bh<^1rn8b3sO~q`_5xH z3XCR9PCqsVe$nCd%w}kELif|8-Ln37yD(e4^dEG8@Dak6l{qD`z2@&$g0BR~hS7bht)+M|Y3LX!MS`?Y+1Trjk1yO6?e z;&Y_ARxNAa%ExILI~C`3v&{w*$H~IN!p>gj`Eco$o4fY1dRK3`03NDwa~Te!YhDjS;;v8R zR-Luvk`~SrIpQLrtsZyv8uWuzS>7qba#0ZxT23>{xw*MMFLORGfF0p$#~u=l0gQyO z*iaJV8S?#>?Ax0@=nZNz;)}cWCzf|C)Ec^!)w55vt+A<-T(F>NTDvKy_~=R11f}1S zq`JGi0il;gAh`qB;cZVT(EL3o4D{+nluOH**BLKhL8ninE_w05@0G`}T4}mz1^!vv zWu;EP8~P)Tz|}Bo2oj-2t2^*s?NR%q`S`?Jv3Q|o3a2hC*cBEQQYil=#0^kch9FA| zLO}%F&)z{NX(ea6IAj#eOpnOO$w(zJ5E5sqHCY~HS5*N^EYc>?Vs9lWt$+~%3Wo>4 z$dG=1I9~gQD_t18F|9U(-qCbk-8#pE&H$JOt0m)%d^2FG_+mRw7TATjdpxQbt3I}Q zyR`xN!gevW+;9G{`Ll7O3nG2TB3So%^8m;RFG{?(Xeuw!3Ak(lRzdn`wrtDFZshx- zQj?9|BgrLYrY8%CfZx5g{n5&t4X?su^D}vGIVF-xX6)W=R_|Vp_01c8`m%;Dh z99>*&^WyS|nP1_3Q&QnJVllku^LFRc{;->x>3R7TH2=qL>t;?D8H6lwzdkS!`sU7O zrqMH0BnSrPbyK1X1)4f_n$!N5@~wDYjl4`RK=_;j!Nj7X^%lpsLb_qu9v%d+KbhR} zn6m|dbke_?*wxkbqDD0vll_r%i^!VJ`8@zG~ZLf=Q;A z^UdLm2k>DVY>1`Ql9S%C0R6)UU=0MeB3NBtRz9^5nSDo!8V+*1x=QpL)G7!u7=0xb0Z=fc;q1KRx{^lDL4)kEyz1Op{3wWzY<;TZcUg z;80&4#xfVHjo^LQTu%8&&pZ4e=orr~kGUPXNS51uGRGDg9p-?XtkQTSCFgcgTKP0Z z=cZUSxw}TQ!Fr{|ttL4=5}(t&4DiXP^KNAHiKo@OHs|J-I{;VE`67^!2IE`10=N8G z%hf1Ax$#||e?%61u1wB=fI+fc{&NBNN9Nz37(AMKH7}u3fSd%lFHpe_E7ikw1JmR| zz@-Y4yR-4(9g9)Hw`T=4Rht%G_iHLtL?om{gwPhXo3d)=%6mr%p;wp91Hia+fzQ_D zbOglB;8YS*)W>F z-u>qA<>@Zd{jkVkcbHjLvuw8BYUv+u(n7*c9Zmvkkyp#qBUO$z_bkKYB2cd>1fpc@ zYGw_E0R%=O?Yk6}63|~4h71xF?UpAHm**4s_h&ThCWYPNwg1iatYqNx zEY3R?x-aHBt9eF4G9G(%XMA_d4z5mSDG|}pN&XH>Yh^G&Zf42ikRV0HIKXzC6AJM; zEblL(ed3J{{^cRjKw=5J9vVHI3!I<#u_1Bu)hI7O6X2i--(a;Rz|;x` zOZO6|7I4BPD3r{Q<@~|%%zeA=L6-#ZNR37&xI9h3{XPWcTSRb#;vY3dmbv{&9T z?dDmMQgW$&jGhrLnl7T1fHyEUKPWRtdC_KF3-PqRfg7;$&ru?S&k z+(ygo{P*S1>&<6v&C|^Q^KlAPOR!|C&P!H5uo-p!*ly$}>A-m^WmX*WBUU37Q@zvY1o@SBG#V7O%P+#sWB;(!1;aOs%*bfKo7 zPov540Ps2B1nU7OOP@P`oNI5(drJpEq=c*oGN(7d4R3S-&OtJ_f=;u3n3hUHod_5A z!hIO{HY`RR1Q6$%=heR-0q{@&FPf!v1th{QTaldQnhm3s$v{256yI`CkUCqc&gyci 
zH8nNneOm*>+@XIC2snJ1W`hn;XmHZH%ICaevEn#o)v&U=^r##y`p_1CpwPU6)D3LC ztCU~{>&JddJ8jS?qY8I#S(R02y@v%CiWNyzr!n`(yIbWv#Z}JYNXTFLbl}MI0i@y{ z@^$iS?5MJ;_QO;ATc@H7cklLSGV7l9nfqMx>J0;_So6w7!Xr%$8m(*_$B>+cexJ7%rAGPtFP!aFU;xq>ZP&M;6Zdv(7>z z5CCTcL<+CAOQ7?!{;$gOxvj~JjC6{$HJAjt68Z6f4?lm)=BZawK#G_;@u@+{0D=^c z?5K6)P9hM7M$dWxJD&NnxtHnl3W3ZA0#Qh8V5(|ulqFJl9Z2co0b7LUA%X=^C4k+pJ!{+JKVx1LJ(&U+wda4QPT#N!4%!_a z^;o^iunH>vF9-klISOUsA2R}QCI4>qr?oe45Yy%x;EDoQ$zu_~`Ks6SwRcSsx-2tu zaqahSAiu67NBI!MD*)|`IE4&A4R;Fe(vD!wuAflwX<-aF?X-Uk3y|%tRvE%%mP+K> zZ4bn3K~fLt9g}>E+B>3(5P}AQ%p}*IRBi_X4&(D(A4|jyL77iMucs^O7HABAzR_`~ z_h$?#T3os&Z38{M&bNwI2W0cZ#n*eJuV29PpljLuB;|?f_~L&fxZ2C0iJ+0#&YDPse0t)mt{Hnht(#l4IC2~rq3;exyt+bH6g=E_1;|;- z1j+n`Z=o+e;C{YicUV7qb#!zdOfI7dxEH6V#ahX2Y|earK>}+zWBEvBnWdj%wxwlo$aNdp4|8JVaTnJH5?nuI}gN}1`o zITwo>0K1;vUb{xEU8Z7HQc=0k!Xd)+(Hy?{(CFxP&j*%QUK$!24i2olMs99y*J;e# z@9#d+(gNrk!DBOM0aZim-6}jHB0U3xwYj+gG(GT)>PeiefO@<4%P(d_fv00ujoM&Z zsszc&`+<>>-hk`0Gy+el+h{9G%buO&Sr9HcyZ7@wU`eE+!RxVVth>X>4*B9wJ zPiJ=gdL;%x%LA~zm)%qw6cLxRRU@5=lbi9`SrvKtiN!@8;7x%#jk2kO^HgeT>Oa2G z(XtvEi$Dq9V{noCIl8!{M4W7*%CJ8|Vk-idRVGs)5?L5FC?rHGfAaCsJr&y_f`Y$u z3%zVa%l`R@ejVXr4>ss`DOv#-0^F=?9`DAtr?~UpH67XvJ@`=yskWJ(ZSxjJ1P+fgJ zj~sU*5#nX}U$H4ZqOs04Mu0}>MiwkBFZaG0;Vj#&6o>u$y&6cWfo@%UY3a9$IbN0? 
z6)FrsjeGX!hE}DNB-L2fZq7EN6s~v;XS)+AIXO9rQMbPR)CS-%Oh(g+ii)aQM_m8Y z#K!!%o~)M}a!qP@UhP?3b@N+44~XdQwykAwK_ZNd6+mYHYh;&RvwnUu!R>0dOskQF zmX?;2v!SdEk+jzFU@|y37@*(+9QhbDYE6N>nkE4bW{W3MC~%lU=2CJsFj=Be}!}hT1&?n77%SE|Djn4b}_ZC2if02~r0qENz z#X{3wSa2vvNZ>QIz1(UN5~c&S$;DORHq644ehMUZ6~BMm+7?gr_nQDEk4W}8K(<8vO>tTl$iH%&q5X!{h!EvV zL?Bl);@BGS8DVx0f^J}N(0=gsta~$svWrrS~$;DzsB; zl(2agOmj-yoTjesJOobmTYZrq&?$QQ`mnID1YFO3RWvH*hy|VrMS8{^)GLkOeI&aZ ziRiih(%ERPRbB=I2ZzgU6H-@KcTmKFvh%hlo!3PpC3S22vZcjyc?+44hmDTz__(nK zpe1r%A2nl)znOfV!iLrNuzG-9}j>lHSX6h*URm{ zIXPr=tv#^W5`^vo)3oM;kG+;I~zdSCj~%@_e;m(`6L$9F8gQKYh4 zB7|`1Ve{^kz?`t*FptW74oX9FYhn5%6a8cMBD>(s4%E8!lR-- z8yU?3sW&=r)i!^cZyP*i(M{Rq6F~o0s=VAaiYbSxd#awWZ}b zKS?4#FVD1Yu{$Ih2f=-4YRN2Q`;q25M{0T%^f!t)$$SlfbPyBk0lKv=CyPcieGTlo zJ)ijaJOKqeZ*Onl5Qgig$u9DJr;wmEP^y0U8Z4Q_qTmK9yuyW*T6$0FYnXA4f&37!8nRVMOXQyCJ zqYN+5YinyUu(102`T*bmQaJSj#DCcA>1m}tt#ByGoe6+hazF_WjY#8lDgXQZ@#W6{ z(401kn9|h3s@Z$%ak@y+cr?uk2r844lR)9R$p)7m&5P*nWoS4zHnFha2Cyfao3t$I zs`17S4p-+J-M~-~BMK})o+zlRA2>P_n3RGA{+uwKKDr4D3j@NkNOomy?exKghpnxx zySqCOhXFzmD8s(Mvs?&ed{TnK1zAqsSphD99}^P;xb3EWqtDBYYO3guFcc9gW@bAe zNTP*p14$MgEv-ZD|BAcPcqrTNKSPG>dMu5E8O8{1#cDbokDwy21 z!Rw;6_2jqt-VP}42cwNd!%zD{`nNP*THjDF_-hmA^Tl^;x-5bvmNT_CIU&KmT|H

+fGP-@eZT;hKz43(QN35T}QG@pwG&G4R#vkd?N!wSApwc2?xi z`#T~${6%;7=*WmYEDi8Iz#)LU8}cyVlfOrD*i|}Yd!FPcOOyFK z-ZY#k#O~SRjXV!;?x{-wX4Vtv%>DO@bF&%aYT+Dg?aYPvw6Y-aI&wj57eU2 zAYp_^{0hr^YHG^I$}l!<%IgV?s;YChOmeGo52Lw?Czkqqewc@-Q?HsWf?V{(hyoow zy@dpM=eI*}&b2O&p~Z)?cF$09T3TAQaQ0uLPrfS6JnURh&uIq*1^L>(b1BO^teo3QC`f*P2Ldkfke;u!X9 z5!>=I@Jn5JONO6|(U~QAsmi;dZ0t&%l44?Fs;Z&jk)3L`pp8gRPmhI#1;n}KXOpT1JjlthGBD_W+Z})Q>{-g3dSiEA`q3Pj2w(6Gu-nVZ$_NBP>o4M~S9+(5 zj`1d5enyCmh4T)2SKv*!?3^n?r_9aGT@-EhvzB12Un3$Y3Js`BS;%!4wWvmFn52q| zb;+=~rDX-#quvHQvG=D0WcnFy7=nU=0RCV>fq$F-2AmgAfq8RtbJQoa)16Mo)YFjT zYk}We3twimaN)5vU|D(RS7~TH0}l@mW)>D$Iun4&HWzjdUAwzyixNJ;HwL*w5$>#3 zC+^sD{S$WehsD)?-3uGuFNO>+Y#-HqH6N$lwoEY#3|xoV6En^~BgQS_?&c;gB{fJS zc7$zs$c`Pj8cXc~Bk%&x<393^>!=gqBuFzD*;P81;0thz`a@O>W8tX?=4 zFet1#|5hywCer@tghxFj8DQkFHmaMVp=bthp06e*tVGgT51+czJD-)E4NOx*U7dN! zFze%Hf={uGBRv`?J?Mx$hhmBrrY({$>NH=H$ujJ5l27dgfm@;R!^(<^Ps6{eruQ?y z-G>j^AHgYNni=KhBU;C%lSqFrcij}#*WE%>IpVrj@o!%mQBjw%N9Ubt4jxm5l}>h3 z^a-Z7p2?(WK?23W%$$&vw7#}B|1AU+gQR76YAFV?VSMf&lguR!%RB88Tm<1JBLjoK zO8(~NW^bwx3mz+&Izgq{15~rI30wZB9+=_husUu|JINwXAXJzv4o-eC2_QWD!mIz@ zT_euNg}^7HAL@9Ve(3R`YF)ek3|(D(N5^ipWA{s^nvM=ls@asAB0npt^@FyZ9VLd5 z1C_^s=~?3!m@Q7T6KdNHC`}aRj6&Iu|8*DTC#9^}&}lp(SZVgDi&(P3su_{0b{XL; zcaRm;O}n|fys5xp`l!mUQzIWk!+i=WS$zfwQ%cr&tlD+mUlr9QEF;z->yl)+Ei*O+5))dIGme%?X0V}z0@x~Z}L!K6W{ zWcrSKU%VfSzG*;FEUSIp3zDXC8EKzskr5|t1Do-Fr z?bpv->aUDsUDw3%B2q|7ua|-k4Oo=%ff$x|_g7)^vuP`}wKktz&7r` zP_-Ip)_1#1fR7IxAB?}V47sq7$G&;}+R()0VRjb-H!}lP95QQ3Nl#jP#2DR{cq>H` zdqyntva9Qfr&;OgM>6|!uNWH|J_~a7h)POg1xmrJeC4c>tLu9>I}r2+y6v?$cXtXc z={jAje;Zqm&`vTmvGm>;h}w;L{_fD$#}Y4Nfq%K2)YCg#^FZhTooH8V%6dpyN=Yf` z^JI%2Gx~oI?qwbfN9{$`}7N7d^0F9bL^(Bk4y zA0!@3x7=svahz0fBm7))jAqM)fM zw6yQWF=1gsK?Yh$R@S#SiB7qN;);rd`~@qCtVwU-^fNX#Hn|Kg zC(zV|JP!}izyFNmS+6T9DqvdAie^B>V?d!s1X$a&8s# zaaG3VT%$RVAnB(Hdi(lnhORy^D>pAU2e;3ATL&5oFD@=ZW;`%7M16L7;02zA?4gA1 z!^wS~ZY0uZHz9;G<3)gGg1lBDOF}{6g6M%#U>8O!%q0TqQi|C(dcTNU3%Cix36PVkuXAygQr z_3pPNobx0sImfvV8eO`wbQtl`neY}#&tU6L_fs(bno#Yon^r>v;iiB10inC%q_a)b 
zmY=~H6}>WZf>TboCS+T3fwG=yz|2uoI!~1XJc^)YUAFbLp;SKD;iLXc^)l=F21cm+ zbE}sUwzB7Ow#%_X5+hq+n0b8R#kcJJk>p2BJ~U(`wfmD?_Kzdi^wsukky3SgqA-Pm z=#;1nx!^I=i+FbWc{;K&@XN{rdrt_Jt`oNl-*#gZ-|d%L^`)0IcRvO88<_hFt= z(YKH!*-3Zure<^lbJHy{>V4GC!N~|#gp}~w%g}#nnM0&B0ye{N&jVr-oAf(Z>2R3Y zD53-@XOh1!`1%;;^LQuFC@g(a&ME3^b*$$Rv%-Rqg!&!E7!}-d$! Date: Tue, 21 Mar 2017 16:08:37 -0700 Subject: [PATCH 5/6] Added text to video --- windows/keep-secure/credential-guard-manage.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md index a2653dacf3..fad37e27fc 100644 --- a/windows/keep-secure/credential-guard-manage.md +++ b/windows/keep-secure/credential-guard-manage.md @@ -15,8 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 - - +Prefer video? [![Deploying Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) From 4a2a65dda158e6baee8b3ec152848b9244327865 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Wed, 22 Mar 2017 16:19:03 -0700 Subject: [PATCH 6/6] added don't display username at sign-in --- windows/keep-secure/TOC.md | 1 + ...logon-don't-display-username-at-sign-in.md | 86 +++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 windows/keep-secure/interactive logon-don't-display-username-at-sign-in.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index f46902d45e..6609d4fa48 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
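Review bot: in the credential-guard-manage.md hunk of PATCH 5/6, removing both blank lines leaves `+Prefer video? [![Deploying Credential Guard](images/mva_videos.png)](...)` directly under the `- Windows Server 2016` list item, so Markdown renders it as a lazy continuation of that bullet instead of a standalone paragraph; keep one blank line between the list and the new line. The link URL also carries a `?l=sRcyvLJyC_3304300474` query string that looks like a per-session or referral parameter rather than part of the course address, so confirm it is intended to be published in the docs.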
@@ -574,6 +574,7 @@ ###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md) ###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) ###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md) +###### [Interactive logon: Don't display username at sign-in](interactive logon-don't-display-username-at-sign-in.md) ###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md) ###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) ###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md) diff --git a/windows/keep-secure/interactive logon-don't-display-username-at-sign-in.md b/windows/keep-secure/interactive logon-don't-display-username-at-sign-in.md new file mode 100644 index 0000000000..db24fb9fca --- /dev/null +++ b/windows/keep-secure/interactive logon-don't-display-username-at-sign-in.md 
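Review bot: the added TOC entry links to `interactive logon-don't-display-username-at-sign-in.md`, a filename containing a space and an apostrophe, while every sibling entry in this hunk uses the hyphenated, punctuation-free form (for example `interactive-logon-do-not-display-last-user-name.md`); the unencoded space breaks the relative link in rendered Markdown and the apostrophe is escaped differently by different hosts. Rename the new file to `interactive-logon-do-not-display-username-at-sign-in.md` and update this link and the file's `diff --git` path to match.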
@@ -0,0 +1,86 @@ +--- +title: Interactive logon Don't display username at sign-in (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display username at sign-in security policy setting. +ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Interactive logon: Don't display username at sign-in + +**Applies to** +- Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8, Windows 10 + +Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting. + +## Reference + +A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. This setting only affects the **Other user** tile. + +If the policy is enabled and a user signs in as **Other user**, the full name of the user is not displayed during sign-in. In the same context, if users type their email address and password at the sign in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name is not shown until the Start screen displays. + +If the policy is disabled and a user signs in as **Other user**, the “Other user” text is replaced by the user’s first and last name during sign-in. + +### Possible values + +- Enabled +- Disabled +- Not defined + +### Best practices + +Your implementation of this policy depends on your security requirements for displayed logon information. 
If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +| Server type or Group Policy object (GPO) | Default value| +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Effective GPO default settings on client computers | Not defined| +  +## Policy management + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. 
The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on. + +### Countermeasure + +Enable the **Interactive logon: Don't display user name at sign-in** setting. + +### Potential impact + +Users must always type their usernames and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed. + +## Related topics + +- [Security Options](security-options.md)
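Review bot: the `**Applies to**` list in the new file names Windows Server 2003, Windows XP, Windows Vista and later releases, but the Reference section states the setting was introduced in Windows 10 version 1703; one of the two is wrong, and the list should contain only the releases that actually carry the setting. Three further inconsistencies in the same hunk: the Vulnerability section describes viewing "the name of the last user who logged on", which is the threat covered by the separate "Don't display last signed-in" setting, whereas the Reference section says this setting only affects the full name shown on the **Other user** tile, so the security considerations should describe that case; the Countermeasure names the setting "Don't display user name at sign-in" while the title and TOC use "username"; and "Additionally,if" is missing a space.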