From 24abc6f31be2049b454f6eb07e7efa3d40232853 Mon Sep 17 00:00:00 2001 
From: Alireza Assadzadeh Date: Tue, 23 Feb 2021 12:27:28 -0500 Subject: [PATCH] Update to version v1.0.0 --- .github/ISSUE_TEMPLATE/bug_report.md | 34 + .github/ISSUE_TEMPLATE/feature_request.md | 16 + .github/PULL_REQUEST_TEMPLATE.md | 5 + .gitignore | 108 + CHANGELOG.md | 9 + CODE_OF_CONDUCT.md | 4 +- CONTRIBUTING.md | 21 +- LICENSE => LICENSE.txt | 2 +- NOTICE | 1 - NOTICE.txt | 20 + README.md | 178 +- deployment/build-s3-dist.sh | 142 + source/architecture.png | Bin 0 -> 612690 bytes source/bin/network-firewall-auto-solution.ts | 40 + source/cdk.json | 3 + ...work-firewall-automation-solution-stack.ts | 1222 ++++++ .../__tests__/ec2-manager.spec.ts | 92 + .../firewall-config-validation.spec.ts | 49 + .../firewall-invalid-policy.json | 26 + .../firewallPolicies/firewall-policy-2.json | 26 + .../firewall-policy.example.json | 29 + .../firewalls/firewall-invalid.json | 8 + .../firewalls/firewall-nopolicy.json | 8 + .../firewalls/firewall.example.json | 8 + .../ruleGroups/drop.rules | 79 + .../stateful-domainblock.example.json | 15 + .../stateless-fwd-to-stateful.example.json | 41 + .../stateless-pass-action.example.json | 68 + .../ruleGroups/suricata-rule-reference.json | 8 + .../network-firewall-manager.spec.ts | 327 ++ .../network-firewall-service.spec.ts | 740 ++++ .../__tests__/send-metrics.spec.ts | 74 + .../__tests__/stringManipulation.spec.ts | 32 + source/networkFirewallAutomation/build.ts | 27 + .../firewall-policy.example.json | 30 + .../examples/firewalls/firewall.example.json | 12 + .../config/examples/ruleGroups/drop.rules | 79 + .../stateful-domainblock.example.json | 31 + .../stateless-fwd-to-stateful.example.json | 41 + .../stateless-pass-action.example.json | 68 + .../ruleGroups/suricata-rule-reference.json | 8 + .../firewallPolicies/firewall-policy-1.json | 12 + .../config/firewalls/firewall-1.json | 8 + source/networkFirewallAutomation/index.ts | 88 + .../lib/common/configReader/config-reader.ts | 63 + 
.../lib/common/firewall-config-validation.ts | 214 ++ .../lib/common/logger.ts | 38 + .../lib/common/send-metrics.ts | 80 + .../lib/common/stringUtils.ts | 55 + .../lib/ec2-manager.ts | 170 + .../lib/network-firewall-manager.ts | 491 +++ .../lib/service/awsClientConfig.ts | 40 + .../lib/service/ec2-service.ts | 97 + .../lib/service/network-firewall-service.ts | 308 ++ source/networkFirewallAutomation/package.json | 39 + .../networkFirewallAutomation/tsconfig.json | 34 + source/package.json | 47 + source/run-all-tests.sh | 37 + ...-firewall-automation-solution.test.ts.snap | 3364 +++++++++++++++++ ...twork-firewall-automation-solution.test.ts | 38 + source/tsconfig.json | 36 + 61 files changed, 8968 insertions(+), 22 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .gitignore create mode 100755 CHANGELOG.md mode change 100644 => 100755 CODE_OF_CONDUCT.md mode change 100644 => 100755 CONTRIBUTING.md rename LICENSE => LICENSE.txt (99%) mode change 100644 => 100755 delete mode 100644 NOTICE create mode 100755 NOTICE.txt mode change 100644 => 100755 README.md create mode 100755 deployment/build-s3-dist.sh create mode 100644 source/architecture.png create mode 100755 source/bin/network-firewall-auto-solution.ts create mode 100755 source/cdk.json create mode 100755 source/lib/network-firewall-automation-solution-stack.ts create mode 100644 source/networkFirewallAutomation/__tests__/ec2-manager.spec.ts create mode 100644 source/networkFirewallAutomation/__tests__/firewall-config-validation.spec.ts create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-invalid-policy.json create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-policy-2.json create mode 100644 
source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-policy.example.json create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall-invalid.json create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall-nopolicy.json create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall.example.json create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/drop.rules create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateful-domainblock.example.json create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateless-fwd-to-stateful.example.json create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateless-pass-action.example.json create mode 100644 source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/suricata-rule-reference.json create mode 100644 source/networkFirewallAutomation/__tests__/network-firewall-manager.spec.ts create mode 100644 source/networkFirewallAutomation/__tests__/network-firewall-service.spec.ts create mode 100644 source/networkFirewallAutomation/__tests__/send-metrics.spec.ts create mode 100644 source/networkFirewallAutomation/__tests__/stringManipulation.spec.ts create mode 100644 source/networkFirewallAutomation/build.ts create mode 100644 source/networkFirewallAutomation/config/examples/firewallPolicies/firewall-policy.example.json create mode 100644 source/networkFirewallAutomation/config/examples/firewalls/firewall.example.json create mode 100644 source/networkFirewallAutomation/config/examples/ruleGroups/drop.rules create mode 100644 source/networkFirewallAutomation/config/examples/ruleGroups/stateful-domainblock.example.json create mode 100644 
source/networkFirewallAutomation/config/examples/ruleGroups/stateless-fwd-to-stateful.example.json create mode 100644 source/networkFirewallAutomation/config/examples/ruleGroups/stateless-pass-action.example.json create mode 100644 source/networkFirewallAutomation/config/examples/ruleGroups/suricata-rule-reference.json create mode 100644 source/networkFirewallAutomation/config/firewallPolicies/firewall-policy-1.json create mode 100644 source/networkFirewallAutomation/config/firewalls/firewall-1.json create mode 100644 source/networkFirewallAutomation/index.ts create mode 100644 source/networkFirewallAutomation/lib/common/configReader/config-reader.ts create mode 100644 source/networkFirewallAutomation/lib/common/firewall-config-validation.ts create mode 100644 source/networkFirewallAutomation/lib/common/logger.ts create mode 100644 source/networkFirewallAutomation/lib/common/send-metrics.ts create mode 100644 source/networkFirewallAutomation/lib/common/stringUtils.ts create mode 100644 source/networkFirewallAutomation/lib/ec2-manager.ts create mode 100644 source/networkFirewallAutomation/lib/network-firewall-manager.ts create mode 100644 source/networkFirewallAutomation/lib/service/awsClientConfig.ts create mode 100644 source/networkFirewallAutomation/lib/service/ec2-service.ts create mode 100644 source/networkFirewallAutomation/lib/service/network-firewall-service.ts create mode 100644 source/networkFirewallAutomation/package.json create mode 100644 source/networkFirewallAutomation/tsconfig.json create mode 100755 source/package.json create mode 100755 source/run-all-tests.sh create mode 100644 source/test/__snapshots__/network-firewall-automation-solution.test.ts.snap create mode 100644 source/test/network-firewall-automation-solution.test.ts create mode 100644 source/tsconfig.json diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..1b5f27f --- /dev/null 
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,34 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ""
+labels: bug
+assignees: ""
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Please complete the following information about the solution:**
+
+- [ ] Version: [e.g. v1.0.0]
+
+To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "_(SO0108) - AWS Network Firewall Deployment Automations for AWS Transit Gateway. Version **v1.0.0**_".
+
+- [ ] Region: [e.g. us-east-1]
+- [ ] Was the solution modified from the version published on this repository?
+- [ ] If the answer to the previous question was yes, are the changes available on GitHub?
+- [ ] Have you checked your [service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) for the sevices this solution uses?
+- [ ] Were there any errors in the CloudWatch Logs?
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem (please **DO NOT include sensitive information**).
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..8c46516
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,16 @@
+---
+name: Feature request
+about: Suggest an idea for this solution
+title: ""
+labels: enhancement
+assignees: ""
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the feature you'd like**
+A clear and concise description of what you want to happen.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..db6ceed
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,5 @@
+_Issue #, if available:_
+
+_Description of changes:_
+
+By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2093049
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,108 @@
+
+*node_modules*
+
+# C extensions
+*.so
+*.pyc
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# IPython Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# dotenv
+.env
+
+# virtualenv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+
+# Rope project settings
+.ropeproject
+
+#cdk
+*cdk.out*
+*.d.ts
+*.js
+
+#ignore these in the deployment folder
+*regional-s3-assets*
+*staging*
+*global-s3-assets*
+.DS_Store
+*.zip
+deployment/open-source
+deployment/examples
+deployment/dist
+source/deploy
+deployment/vpc_rules
+
+
+.env
+.idea
+.vscode
+source/scratch/
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100755
index 0000000..8dacba3
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,9 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2021-02-24
+### Added
+- New solution AWS Network Firewall Deployment Automations for AWS Transit Gateway, initial version
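Review bot: In the .gitignore hunk, the `*.js` line under `#cdk` ignores every JavaScript file in the tree, not only TypeScript compiler output, so a hand-written file such as the `jest.config.js` named in the README's file listing would silently stay untracked; the diffstat of this commit contains no such file, which may be a symptom of that. The substring globs `*staging*`, `*node_modules*` and `*cdk.out*` likewise match any path containing those words, wherever it sits in the repository. Files that are used in a local build but never committed are invisible to review, so I would scope the patterns to the generated output and whitelist real sources, for example `!jest.config.js` after `*.js` and `deployment/staging/` in place of `*staging*`. `.env` is also listed twice (under `# dotenv` and again near the end), which is harmless but can be reduced to one entry.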
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md old mode 100644 new mode 100755 index 5b627cf..3b64466 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,4 +1,4 @@ ## Code of Conduct -This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). -For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact +This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). +For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md old mode 100644 new mode 100755 index c4b6a1c..67f2886 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -11,7 +11,7 @@ information to effectively respond to your bug report or contribution. We welcome you to use the GitHub issue tracker to report bugs or suggest features. -When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already +When filing an issue, please check [existing open](https://github.com/awslabs/network-firewall-automation/issues), or [recently closed](https://github.com/awslabs/network-firewall-automation/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: * A reproducible test case or series of steps 
@@ -23,7 +23,7 @@ reported the issue. Please try to include as much information as you can. Detail ## Contributing via Pull Requests Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: -1. You are working against the latest source on the *main* branch. +1. You are working against the latest source on the *master* branch. 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 
@@ -31,17 +31,18 @@ To send us a pull request, please: 1. Fork the repository. 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. -3. Ensure local tests pass. -4. Commit to your fork using clear commit messages. -5. Send us a pull request, answering any default questions in the pull request interface. -6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. +3. Ensure all build processes execute successfully (see README.md for additional guidance). +4. Ensure all unit, integration, and/or snapshot tests pass, as applicable. +5. Commit to your fork using clear commit messages. +6. Send us a pull request, answering any default questions in the pull request interface. +7. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). ## Finding contributions to work on -Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. +Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/awslabs/network-firewall-automation/labels/help%20wanted) issues is a great place to start. ## Code of Conduct 
@@ -51,9 +52,11 @@ opensource-codeofconduct@amazon.com with any additional questions or comments. ## Security issue notifications -If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. +If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue. ## Licensing -See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. +See the [LICENSE](https://github.com/awslabs/network-firewall-automation/blob/master/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. + +We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes. diff --git a/LICENSE b/LICENSE.txt old mode 100644 new mode 100755 similarity index 99% rename from LICENSE rename to LICENSE.txt index 67db858..19dc35b --- a/LICENSE +++ b/LICENSE.txt @@ -172,4 +172,4 @@ of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. + of your accepting any such warranty or additional liability. \ No newline at end of file diff --git a/NOTICE b/NOTICE deleted file mode 100644 index 616fc58..0000000 --- a/NOTICE +++ /dev/null @@ -1 +0,0 @@ -Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. diff --git a/NOTICE.txt b/NOTICE.txt new file mode 100755 index 0000000..68807d3 --- /dev/null +++ b/NOTICE.txt 
@@ -0,0 +1,20 @@
+AWS Network Firewall Automation
+Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except
+in compliance with the License. A copy of the License is located at http://www.apache.org/licenses/
+or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+
+**********************
+THIRD PARTY COMPONENTS
+**********************
+This software includes third party software subject to the following copyrights:
+jest undert the MIT License
+axios under the MIT License
+moment under the MIT License
+uuid under the MIT License.
+AWS SDK under the Apache License Version 2.0
+aws-cdk under Apache License 2.0
+
+AWS SDK under the Apache License Version 2.0
diff --git a/README.md b/README.md
old mode 100644
new mode 100755
index 847260c..eea0150
--- a/README.md
+++ b/README.md
@@ -1,17 +1,177 @@ -## My Project +**[AWS Network Firewall Deployment Automations for AWS Transit Gateway](https://aws.amazon.com/solutions/implementations/aws-network-firewall-deployment-automations-for-aws-transit-gateway)** | **[🚧 Feature request](https://github.com/awslabs/aws-network-firewall-deployment-automations-for-aws-transit-gateway/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)** | **[🐛 Bug Report](https://github.com/awslabs/aws-network-firewall-deployment-automations-for-aws-transit-gateway/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)** -TODO: Fill this README out! +Note: If you want to use the solution without building from source, navigate to Solution Landing Page -Be sure to: +## Table of contents -* Change the title in this README -* Edit your repository description on GitHub +- [Solution Overview](#solution-overview) +- [Architecture Diagram](#architecture-diagram) +- [AWS CDK Constructs](#aws-solutions-constructs) +- [Customizing the Solution](#customizing-the-solution) + - [Prerequisites for Customization](#prerequisites-for-customization) + - [Build](#build) + - [Unit Test](#unit-test) + - [Deploy](#deploy) +- [File Structure](#file-structure) +- [License](#license) -## Security + +# Solution Overview +[//]: # Solution for AWS Network Firewall Deployment Automations for AWS Transit Gateway. 
+ + +# Architecture Diagram +[//]: # ![Architecture Diagram](./source/architecture.png) + + +## Prerequisites for Customization +[//]: # Node.js>12 + + +## Build +[//]: # Build the CDK code +``` +cd source/ +npm run build +``` + +Build the Network Firewall Solution CodeBuild source code +``` +cd source/networkfirewallAutomation +tsc +``` + +Build the templates for custom deployments + +``` +cd deployments/ +chmod +x ./build-s3-dist.sh +./build-s3-dist.sh [SOLUTION_DIST_BUCKET] network-firewall-automation [VERSION_ID] +``` + + +## Unit Test +[//]: # Run the unit tests + +``` +cd source/ +chmod +x ./run-all-tests.sh +``` + + +## Deploy +[//]: Follow the steps for deploying your custom version of the solution. +* Create an S3 bucket with the bucket appended with the region in which the deployment is to be made. example, if the deployment is to be made in us-east-1 create a bucket name as [BUCKET_NAME]-us-east-1. +* Create the distribution files using the script provided in the build section above. +* Create the S3 Key in the bucket network-firewall-automation/[VERSION_ID]/ +* Create the S3 Key in the bucket network-firewall-automation/latest/ +* Copy the file ./deployment/regional-s3-assets/network-firewall-automation.zip to the location s3://[BUCKET_NAME]-[REGION]/network-firewall-automation/[VERSION_ID]/ +* Copy the file ./deployment/regional-s3-assets/network-firewall-configuration.zip to the location s3://[BUCKET_NAME]-[REGION]/network-firewall-automation/latest/ + +Once the above steps are completed, use the file ./deployment/global-s3-assets/aws-network-firewall-deployment-automations-for-aws-transit-gateway.template to create a stack in CloudFormation. + + + +# File structure + +aws-network-firewall-deployment-automations-for-aws-transit-gateway consists of: + +- CDK constructs to generate necessary resources +- Microservices used in the solution + +[//]: # File Structure + +
+|-deployment/
+  |build-s3-dist.sh/                     [ Build script for create the distribution for the solution.]
+|-source/
+  |-bin/
+    |-network-firewall-auto-solution.ts  [ entry point for CDK app ]
+  |-test/                  [ unit tests for CDK constructs ] 
+    |-network-firewall-automation-solution.test.ts [CDK construct for the solution.]
+    |-__snapshots__
+      |-network-firewall-automation-solution.test.ts.snap [CDK construct template snapshot of unit testing.]
+  |-lib/
+    |-network-firewall-automation-solution-stack.ts [ CDK construct for the solution. ]
+  |-networkFirewallAutomation
+    |-__tests__
+      |-firewall-test-configuration
+        |-firewalls
+          |-firewall-invalid.json
+          |-firewall-nopolicy.json
+          |-firewall-example.json
+        |-firewallPolicies
+          |-firewall-invalid-policy.json
+          |-firewall-policy-2.json
+          |-firewall-policy.example.json
+        |-ruleGroups
+          |-stateless-pass-action.example.json
+          |-stateless-fwd-to-stateful.example.json
+          |-stateful-domainblock.example.json
+          |-drop.rules
+          |-suricata-rule-reference.json
+      |-network-firewall-service.spec.ts
+      |-ec2-manager.spec.ts
+      |-firewall-config-validation.spec.ts
+      |-network-firewall-manager.spec.ts
+      |-send-metrics.spec.ts
+    |-config
+      |-examples
+        |-firewalls
+          |-firewall.example.json
+        |-firewallPolicies
+          |-firewall-policy.example.json
+        |-ruleGroups
+          |-stateless-pass-action.example.json
+          |-stateless-fwd-to-stateful.example.json
+          |-stateful-domainblock.example.json
+          |-drop.rules
+          |-suricata-rule-reference.json
+      |-firewallPolicies
+        |-firewall-policy-1.json
+      |-firewalls
+        |-firewall-1.json
+    |-lib
+      |-ec2-manager.ts
+      |-network-firewall-manager.ts
+      |-common
+        |-configReader
+          |-config-reader.ts
+        |-logger.ts
+        |-stringUtils.ts
+        |-firewall-config-validation.ts
+        |-send-metrics.ts
+      |-service
+        |-awsClientConfig.ts
+        |-ec2-service.ts
+        |-network-firewall-service.ts
+      |-build.ts
+      |-index.ts
+      |-config_files            [ tsconfig, jest.config.js, package.json etc. ]
+  |-config_files                [ tsconfig, cdk.json, package.json etc. ]
+  |-run-all-tests.sh
+|-buildspec.yml
+|-architecture.yml
+|-CHANGELOG.md
+|-CODE_OF_CONDUCT.md
+|-LICENSE.txt
+|-CONTRIBUTING.md
+|-NOTICE.txt
+
+ + +*** + +Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + +Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at + + http://www.apache.org/licenses/ + +or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and limitations under the License. + +See [LICENSE](https://github.com/awslabs/aws-network-firewall-solution-for-aws-transit-gateway/blob/master/LICENSE.txt) -See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. -## License -This project is licensed under the Apache-2.0 License. diff --git a/deployment/build-s3-dist.sh b/deployment/build-s3-dist.sh new file mode 100755 index 0000000..55cdd43 --- /dev/null +++ b/deployment/build-s3-dist.sh 
@@ -0,0 +1,142 @@
+#!/bin/bash
+#
+# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+# with the License. A copy of the License is located at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+# and limitations under the License.
+#
+
+# Important: CDK global version number
+cdk_version=1.77.0
+
+# Check to see if the required parameters have been provided:
+if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
+ echo "Please provide the base source bucket name, trademark approved solution name and version where the artifact code will eventually reside."
+ echo "For example: ./build-s3-dist.sh solutions trademarked-solution-name v1.0.0"
+ exit 1
+fi
+
+[ "$DEBUG" == 'true' ] && set -x
+set -e
+
+# Environment variables
+export DIST_VERSION=$3
+export DIST_OUTPUT_BUCKET=$1
+export SOLUTION_ID=SO0108
+export SOLUTION_NAME=$2
+export SOLUTION_TRADEMARKEDNAME=$2
+
+
+# Get reference for all important folders
+template_dir="$PWD"
+staging_dist_dir="$template_dir/staging"
+template_dist_dir="$template_dir/global-s3-assets"
+build_dist_dir="$template_dir/regional-s3-assets"
+source_dir="$template_dir/../source"
+
+echo "------------------------------------------------------------------------------"
+echo "[Init] Remove any old dist files from previous runs"
+echo "------------------------------------------------------------------------------"
+
+echo "rm -rf $template_dist_dir"
+rm -rf $template_dist_dir
+echo "mkdir -p $template_dist_dir"
+mkdir -p $template_dist_dir
+echo "rm -rf $build_dist_dir"
+rm -rf $build_dist_dir
+echo "mkdir -p $build_dist_dir"
+mkdir -p $build_dist_dir
+echo "rm -rf $staging_dist_dir"
+rm -rf $staging_dist_dir
+echo "mkdir -p $staging_dist_dir"
+mkdir -p $staging_dist_dir
+echo "rm -rf $template_dir/vpc_rules"
+rm -rf $template_dir/vpc_rules
+
+echo "------------------------------------------------------------------------------"
+echo "[Synth] CDK Project"
+echo "------------------------------------------------------------------------------"
+
+# Install the global aws-cdk package
+echo "cd $source_dir"
+cd $source_dir
+echo "npm install -g aws-cdk@$cdk_version"
+npm install -g aws-cdk@$cdk_version
+
+# Run 'cdk synth' to generate raw solution outputs
+cd "$source_dir"
+echo "cdk synth --output=$staging_dist_dir"
+npm run build && cdk synth --output=$staging_dist_dir
+
+# Remove unnecessary output files
+echo "cd $staging_dist_dir"
+cd $staging_dist_dir
+echo "rm tree.json manifest.json cdk.out"
+rm tree.json manifest.json cdk.out
+
+echo "------------------------------------------------------------------------------"
+echo "[Packing] Template artifacts"
+echo "------------------------------------------------------------------------------"
+
+# Move outputs from staging to template_dist_dir
+echo "Move outputs from staging to template_dist_dir"
+echo "cp $template_dir/*.template $template_dist_dir/"
+cp $staging_dist_dir/*.template.json $template_dist_dir/
+rm *.template.json
+
+# Rename all *.template.json files to *.template
+echo "Rename all *.template.json to *.template"
+echo "copy templates and rename"
+for f in $template_dist_dir/*.template.json; do
+ mv -- "$f" "${f%.template.json}.template"
+done
+
+echo "------------------------------------------------------------------------------"
+echo "[Packing] Source code artifacts"
+echo "------------------------------------------------------------------------------"
+
+# General cleanup of node_modules and package-lock.json files
+echo "find $staging_dist_dir -iname "node_modules" -type d -exec rm -rf "{}" \; 2> /dev/null"
+find $staging_dist_dir -iname "node_modules" -type d -exec rm -rf "{}" \; 2> /dev/null
+echo "find $staging_dist_dir -iname "package-lock.json" -type f -exec rm -f "{}" \; 2> /dev/null"
+find $staging_dist_dir -iname "package-lock.json" -type f -exec rm -f "{}" \; 2> /dev/null
+
+echo "------------------------------------------------------------------------------"
+echo "Package Network Firewall Automation node project for Code Build/Deploy stage "
+echo "------------------------------------------------------------------------------"
+cd $source_dir/networkFirewallAutomation/
+npm install
+npm run build
+npm run zip
+if [ "$?" = "1" ]; then
+ echo "(npm run zip) ERROR: there is likely output above." 1>&2
+ exit 1
+fi
+echo "Copy package zip to dist directory"
+echo "cp ./dist/network-firewall-automation.zip $build_dist_dir/network-firewall-automation.zip"
+cp ./dist/network-firewall-automation.zip $build_dist_dir/network-firewall-automation.zip
+
+# build regional rule groups zip files for each region
+echo "Copying network firewall configurations to deployment folder"
+cd $template_dir
+cp -pr $source_dir/networkFirewallAutomation/config/* ./
+echo -e "\n Creating a zip file with network firewall configurations"
+echo -e "\n Building network firewall configuration"
+zip -Xr "$build_dist_dir"/network-firewall-configuration.zip ./firewalls ./ruleGroups ./firewallPolicies ./examples
+
+echo "------------------------------------------------------------------------------"
+echo "[Cleanup] Remove temporary files"
+echo "------------------------------------------------------------------------------"
+
+# Delete the temporary /staging folder
+echo "rm -rf $staging_dist_dir"
+rm -rf $staging_dist_dir
+rm -rf ./ruleGroups
+rm -rf ./firewallPolicies
+rm -rf ./firewalls
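Review bot: The cleanup commands expand their paths unquoted (`rm -rf $template_dist_dir`, `rm -rf $build_dist_dir`, `rm -rf $staging_dist_dir`, and the two `find $staging_dist_dir … -exec rm` lines), and every one of those paths is built from `template_dir="$PWD"`, so a working directory containing whitespace or glob characters is word-split and the recursive delete lands on paths other than the intended dist folders. Quote each expansion, e.g. `rm -rf "$template_dist_dir"` and `cd "$source_dir"`, and anchor the base on the script's own location instead of the caller's directory with `template_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`. Because `set -e` is already active, the `if [ "$?" = "1" ]` block after `npm run zip` is never reached on failure and would in any case miss exit codes other than 1, so it can be dropped or replaced by `npm run zip || { echo "(npm run zip) ERROR" 1>&2; exit 1; }`. The artifact build also uses `npm install`, which resolves dependency versions at build time; if the project commits a lockfile (not visible here), `npm ci` would make the shipped zip reproducible.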
diff --git a/source/architecture.png b/source/architecture.png new file mode 100644 index 0000000000000000000000000000000000000000..76158f9c919f1339e5fc6dcbcc048c1110a2f95a GIT binary patch literal 612690 zcmeEtg;yL)7bgix2m}ei-Q9va6Ee8FOK=8vhl%2@K?ipUZUK_u?rvd_!C`QpoqX@T zZ{MEX{Rj4Jo$1rnJ=Jx(Z`Hl^ySIKfOie`=3xgB`1qB65UQS8_1?71i3d)m}=Z}$h zw3U2tkf%rP8nSOuDo4n7kQY8ydh*uF$|$VJ`g4>gk4RCT{%L|dBp#9dw=VOD83pw} z_mTaCfKZDY zoW45>3L(Rvy|#di6Z^$>Yzl zp4L45mNiOO;L&S|(NtdhXG-s=A>O?^2{t3AnWtjB8L7gM)9WC*e?IKbTmC8Uae+@b z|9s)U%8$NB(3k(ZMpl13fBgS%{YNDKuSkMezl$+4OgVJzw&^psM|wQ5I76I(IU`ea z+->(rzj=(U`~0u!1iZW*0nfELmaraVeOa;&OTtnQy8h*l%KRy>wce2bQ9u+Fy3nvN zSX7E&v+Dyx1g)+A+g}J?32yVZZ@Z){5WWeo9%8=7`5?c{A zks)>t!j%o^`rm&5O*jqqU(@?H+Jm{W?+SBj`oOM0cV=gldppU_Z{|j_`pBf6-$Riu zGKWGE$*+F)17y=vp}EcTE?vF$Xn(y23iV43k&i-utOHVI06y1AoSjPC+9VA9--7bO zQQ=u78vEQYo<_xmtJJY$;}2_pv5jG8-%$6meZIb4|Btj@Zp?Ca(frlp9WdJ8K&5*j zlIN@|6*_F`jsvh1h!9{PU$N*D*iz?KzzFA`%KW+(8Z(Ri*ApmjsD%cNwh#XPp7(L* zp1$AL$WPQfd~SK-dWK`&Ek%R|uxBNPZ(& zLc&D!pI$!15_pZ`w2A-yJ+E`yIU%y3&AGTddh*G3i{}D$nyUMS4sRT`xv5?e1asnj z`Dk7j|CY9I>I-)#E>#u9-yOYwqa^p<{rP{c-lO!r%EZ<9Me{{Q$W2Lb)RyzO^Lj}y zD@V47lMg>r2>1(EhRR*kx-^w>LJ4hRUP6{5{Yw--rDY#+N)K-x&-Gn???( zA7FfcD>c3^6*@PDmuKUXAisjS8j}d#ewhR9N)0*fiS6yR7i12+4{ZADMNr-JtSs(3`+X2*8T8b*y`{exf1^JyiSdTu0)?KmHII-9-;{}T=sVJzZ;Ck;OFyrHQ z?e+o|iHL~Ou{1QcUtWG-Ig53^U07In1K$||r#$W|LNKQ}-^Ry7-@xy^N(u`Z)$ZOH zW8g!wZ6B&M-d{0vGd#3tkue8pWS8MnOB`JKCt0T4_2RfB*`an9As)A<+;!vJ{YrWg zu8MOF=6V{ciXggb+hA(n*H9j7Z1fI5I6K2lPN)FCwJ}}-#AmV?Vs+1o<9ktI{t#Zoa<;pfrA2`pO~CP0k)eq2p}Vo57k$`{zNIoKdyrRO!_fZ z;{kReKmSnRf5!LS6Pn3^%-$f1$+XU_Ebi(w%FgEB`9T)jBG!S_@nBB#pE8TibDt8q zZH1sXes*Bi03KEjiMJ~XhGjBSgExH*Ph6opaF3@Z%WdpSElf6Y31{=WiS(CBAmwad zv+*~|F)gs9i16?`acSl3EBOyhX7@crn$w<-{#0=IxX76$9G~vSuU<{H3mj{okaaMR z?fbsJlK*Lm1Ar$yR^BEecp6US^L7<{N39UKdgWmXt5THimi_=mYf<+j!^f41lAuaWfzr?P_FSeQ3dF4st;sb`Iz;F4Zi}QoW;om9~0S zN1|kVMzmT*u2^c4ef6`81}W4wmorKoc&E+KsPhxvn1;7GD!GzkWP>mdQ)J+h z&b_s}591AYX+ga2_V{4Fd}vJDkQ`glcL^XBcuX@r4v_xzRSTCBtLUXkYlU)aP|D@l 
zsN3Opzxz+=q~6;&;#xJY2gEL=TLI4-vzQ9Tc&_m8_E1sYuTe7yfA69(u3v+j4*O$o z87E8@dmKs7GK8A%3I@5ok4b+6M^(|D{Od{7j%NzKoxt+V7qWed!_|)wP&gp67 zkmy+)Bj@D{T@7;Pc2oO8zHc`%RKPmRrBROlcRknAeW65q~WRgWJ?lwK;B{>$cOG~cyCf9RS#mWYlSO}EN_Hav8SzNV|nNgB&mGEfl8{T&OR4n3@+h+V6|zS z3*K+d$BW*`dcgD}DyW)T&mjG7PGiX53!==->}FW*R&33FD91P6`LYVf$U${n3!6Wi|1#%`iO@KL>b15%(nr?BDq~2u1@RYzxhL~pS#+U zriUm*w@wb+*Pg8RdVRke8kw~h#Wu{Cxx5Svf^GQ%O#NY*>9F>Crtb081A?ORg545| zDihPIE7h45SI?Du9A{;{Kp}`qELC9hNnUS5$H`grEcQZ7gUF(3*`4K0uq-&rsochR@we+etVDfLjpe~->CQc84&e ze${JCw~17^?TLmQ-JMQwd2@L;f0l9k)^@R;c_iL;6X&n9eCM*8Sw+acq+_}-LPJ^B zNZI0f9jO^gwO473-$@XrRVqRl^-R2;86gR$T)fkD|_4*^r)n76N&w+_)7ke4Eq%F~9 zw)89oQey$Mvx0jnP$a z@jY+%x0BO^(5$bd~J!>K+>C#i?L>lF^N8M_J70XzA-yRaObB zgapyNq`f{t^NV27Q$8^MX4+7cS8%}3L_Bo_m=ud4ptvh7ons47*<3?$-?Hg>m6 z2;Fi^t-(@cgr^;vcXjx#lTQ~+%VJojd?xN>ji5waD36vV=Wk05ShvGrDeb9Vw#L~H z3Cpn0v0fTl0UGf`?nj8u;Esfb{bzM|2zJNCx~ZTSpBi>U%Bksd zZi#6;jh!v?;UTwnIGT8UDw%cd32uRKNM9UqK}IVLG%p{4@R}J0vpvWz?WX4^(n_V7 zZY&K)u{@$E6QVC*Uxds|?+Hzf9|xV==x$1Ut1Zxwad!>Sln5(Qa!m}1qAkAi5PgT2 zGC03_I?3-{{p0lfj0Cc;YJcdoJZ~W1yiB{HsoC2ENnAU)oo|%+nwekZUv*R4tqpm2 zH*C72IzS=ol+T2;2)E}7J7FCnM~@U9U0yY$2=X6hKX*Pd#_g718Wuk5{#ic|gwG&V z$dFGK$8U!ZX#KAKSlsEmmQcu2(Hqurtf#86ZSwM_b#W#g4^u0iEP5MA+(`F~-Qkab z$=+#xgR%5r$|{T${PXZ4GMKSD&)d%7raAlqS1#`m|>JKg*mHeJpCZ zA+LjUQJRIuNlc>~rX-4>Be>Ae~omZlMd{KULhBt(iHpgZf5aa|?t16pS>z-K8EbDSrj!wq=W$wjPkCD#>)2b z#K7OKYlKGJBKYI$I{w|#gu4i&1kRXelP)DE9~Lg{tg z#aOKH)`D`l>8R^R*wg?4!1vUU%Gp$bA;O^5z?*_CP~vE(B#cOvJ5o}nrI{tn;u#Xb zm&Cb;y4Rz-Zu^iNSyth&aU-p)vNIs?K2L!fd_N8qL{FL6>U2j2MEf?hxiN8H6-Aj~{wKpd2@;@CooSb@TdH!}{ZN)-Tmqzz9* zB;Bx6r9Tx0{${~$WS7)l*T5 z;M(^iLwx*8I4EoA_fr&*=dOQyYhaf!m1ILGChTPiPhRs-jN5hWJD~7t*3b*^Y+b^*^) zts+aWR_>fGsBofY|=t)RLKuVf%? 
zvtAtgV(r7%u@E_OjqxBT3x9P*h_XP8v;UWiCDXf);YaG1ecy||u{SQYS(#Y2tTE7X zGmfEGmJbRjiGko$M~JuJK8}NYk`WpOnW7si2qILMnbou_DPdc_Y{6cosZAF8QoBBM z&ch*O7vbKz@~eZoXNUC41$;TNdw9~&o*>Zx{+$;%QsA$;sh8V2dOjWmTP*Su`b%ms zR!cHch)>YJom!6k+!|n^5dONpmz?d}{YOx8S28=d?O45nsz$*}_zBST)`h8um527JPrke_w#RpBLgQW<%P9-f6fj0pt*w*C zm#h`m#wV&hP#*Z^>^l;Go#xZ8qYPifII;;b9`4A13Hg&mEYn(rMNMr;!fp`rKlwkX zsD%S*C6>Xzi?&|+$3y3ZJ%+~1Z@|(Q6(%`BEf*?Dj#cV~NqErMd2sX(2d5=aVR|~H z&PdMv%!9GxebPbOJ?E?oV76haz3b#q@Z#*O>6y>yTJ*!IW(BNhfl$W-;!sED<)^wp zJ5l~(5DnnvuL$7x&l`}Bj~B_vO2Jkwc4_gSqxHMm%A%Zh5Xvs9+}j3BjgMY>h}y0j zQaMuXkqSk~{F=Oe_)DFO&<3)j)Bf^_QLbR|(s3C&DrGlx3Xf8QC_2@p8nP7edObW0 z_ZD#m@Lk3S#(1Tj(xa&u4v2kshmv!-(chM|>Mq@ObC|#<%Or{--Q8!zUfJjnU@#z! zo(yO+cc@f2&ApFd3cuQYA*M!rBV+HBDxqYqtD<}SkSz9dMpcoj%?BHenW%hB*Qa!q zH$YZ(zk5F?`DZ2eGvYru=q8J}L}O({Qw~(M;Y8X2FY{sa?A4B;*hs80c>}cK(DtvW z|K3*Ph1Hv46(#0Dnr9xnJ?(LE-}LN;O95iGl@`I}SfLTcws7Hw*a-^gIrlJO`Ye=~ zdvnBseW2!50Q)6F&T4lUAy*sQ^_B-+*eCdQ=fS4!{-c(?RH>(Knc0l6gNNsdP`7F?RH;7W=%~bWDl085&PYl(uiUd~Uuv2Vm zV&&NWiuJw8t{P1IaxIo@$jG$&G$fMUy>xCgsmfU9z`d-tZ`gt{LeqRguK-1TJr!b- zPzyf)Fte-dNp^U5$4J1Tc6Zb!Qql?H5^u@WE|y$R@Q{+pl~i@y3Z7?Q^a%sv7T$)O zbnhHEGy7yDQNGgBBS&JkQr`mSDKGM^XBR7#gS^h>#`I3-%BYWZ6G6{%$>e1fOXDNb z29U7917r|SI$BAX(}gdXRB|;=G7AHBe=ZkqDDNaQDY+V(Uv+<5s)k!AB-Mxn#5fBv zv5ZogIf+iH2R>0T28-X+`ER91G7ZxQw)sjn(e>R!`CjXMO{{abSW6gaIV)T8FXO1E zcRHw^dJwn_Is}NHZO=$KDXq{=gT*T{T(AqsqH~X3vBjI)BD64C;uu}eTSnG`S`fyo zKUH;StcUjE-qKypy~XwU{yL^U7%Fnp>DO9EGCwdREV)A--;(GhbgqUWFvH`%Rb891 zf|5B~Sz9!P9rX^#NOpKJTOgHR3I2RxGqY9;Bo`SzqCyEyPu$2)Ox$pP;KP|SYBjhm zW52KbV0OvkbskT-9uSn0kdb$obDKE(#N%sc&~qx1vq*G;4ef(N{><#NDRt0Fr-Y$F zik7f{$mDCkxkK}W;--|vn~HJV!{Bko-uEkryv)iG6HH>1jP)@QIU%Ia@TVNd;D^xa zeKVs{Ex(mWt522JNV*;t1>{rRvlLME+KFI^ejZAOjZ{CR^+OQ1G&dIv zF1cQ{oIbrc+j;w`7baBaj*Ob%8vZ>;djgzGkuA^>LCfhV*UWp8>+#WpSE6t792`jy8&; zgGky}?igqlROrdS4>{;!$NQ$pLKvyh@IlY^4*QdbH{_v z3Cyk*1^0tHGV)X?sScMMwtGXm$0$lGkGkVjC}V*)eNBE8Rp?`wc|36}@|x%inx^%Y zp8zks>ak{j7&`9gE_AdYJta~==ltuIf|5~ZL{ek@G(0tV-o3wU%e&$hakxl6kDbZf#YfF3*5o=NCzUN9! 
zfQTakT5&{PL+*CrWeVTT{|yH$v?qR~vYo&DIm3XcKlA?p?PZMAVI9vd>H%%ad57Uc zWA)wT`h;Z+gsWI3e+gUW2Szx@LC4A~(94^~M*2J&fwmewSlS0@LZrPhuc@N=uz>13 zBV9ve3WjXcn)|g=fo!LvOG?s{>w+R_&6^j6Ct<0xWe`w-f!+N z8K4&f$r-VrO|5|COWuzC;pfA<`Mn)N>n+-z_S%XnY`s6lGl8O72nd%y8~I9S*&Zl- z?4q7;vC0h#II7sH>TUh4v+#$z9cZ%&@nW!5b*E$+_G{%YN9=9 z%mO(0^tA?xurRzGuf7OPEnGgB1`mNFUl2(bl2T?a3W~RuIpR7w`w6X*=BGhlyJCdXw)Mbaa!-qIiJ9jz1c&9H#$rP+Xn41S}r$b z?{lP27B1{JQl_=9sSohm_`NUWsv3R;z_+gzlCWwqoK?&Be*bWX3|ejTePN`p8f8eG zRkz9`HEdg9FJMd{QyV-t_9cF8?H(T95G_LFh{H=vcPksv#zRfP?T#0B9`e|F z>QbV4+0|5ic29dGDrzN4G0lHZ9er<=RGX@tXS6Vew_(UcW#{-L?-`rq8YOu3RDjF#c9NA_-K zd2shCPoKc>=m$K-%W$}wI4;hu$@$9Lu0F;zJ1hpglGl+s3RR`OOwrx;@*fr_O0nLL zrifhKjQKoFb3G2EbaXr{Vq&!;Y%~Xv6=3m1p1@v2K|1f>1`urHg%gx_E$1$1f)rO5 z^2BkHJQS=H&%ic{02v&Y8Jf&omL_aTBxu1Sl>9pi_yaL(WuWLuN#a^a-;yb=8F}W! zy?PD%eA1&~r{fziYpOfMSN0@IM*~aLzgQdu(CxUK44F90?@9I7sPaX?X1^n9%T^Kd z0Ks-SyjQ30kgMTVz*&^)Zd|egXYi98WLqIS0#@mZtTUD{qCNQfQYGD*Ajamth<_`) zN*e6oG-KIiKI0-fYvj==$onQifhvxDW4e8MzP+{}-U%5JU2NgV3TeXB?m44T*HbXl z9dDS0);&u%b8U_mPGi{;uv;=2mSO1dxD+j6A4^^@*wEhH*@HX2S(ccYmfF?TS1h3H z9iLT(tt`XNz*c@OrR=wZ2Bp}ZQC2n5KX@l2{g9_^Ea5WfCwGjFV*A zAw%M2oTg{W$(H$Acoq4i(+|m;vjaY;Cyata2!PoGBBMN{4a!D@YcG8VyEJL5+x{&h z0zH7vYTXL)c4u6FN4&z;RTT*l;xhWK8!z&5-`gSnibj+^N1|e9t(lT%X$)dYzH3(U zyZ<1wblApI+^uI-z~8Vah<(QnU`nSI?wmhw&|*9v;=9l%!Z7J(8kac)>=@=fi;UoP z&}uNC=!3o#&*!5Q*0wnvIFJDi2-y#x1>E8-wjOfrlBb((toT+AiGT8v+9Kk?5Xd(u zLBRJ!<({j5?0sQ%xWhW5vh6XYIr+pY(dfe=1Geh|`9!Q-(~WlJJsMO=I$*aGTv>n5 z)2m=3JMrAtLyz0X<(+oCr z7hMgKF^4pCS0w@PJ>v>G@gJU%h!dFQ6>L)M<;u()%DD=RjQHHj`SZ z*5D)2QFi;m{C3$;BO2;GIh7I?8vRgm;!Ms+o;u{RmIY#U7Muy36r;P>Us$;84G`@| zRdElGE1a`V3Vk|GlyA`gEFU|A?m*O|yt_m=WGGc)I|0xMd$l>`q?c8L zs30|k{|EhwH8gvXhDKsuqeNDY0Wl(NPV*6LG&UK+A{&EdzKHh6fg{*?q#?*ziw3=J z_03{yW#N%GouJ<2u99UKz79KN!2mH_^{n^Y{VpJxu`s5b^etSmXm!-I3GpQ$6G6-O zVH~-!s^}Tzg+6iA$f+K8V7UaV`X7B(%KPn`nOYmVBsXDTc`F@VvEsC!Z>ibnz~}Zv zz2`fPFLE^{jILf|z-B1Gv;y1m-3H@-mg~y_AX>&p){9ci5_?C_d%t7lRqcCy)5-MK 
z5|jFcg2NT3k)X3aN;Tu{qbD}}B+D)qCT`LxAx#F!5#{$?Jh}CxAar~$ZeEy_7i7{p z;-cXe&~nKWIWj-r4dJqzO9@uTH8sUM9#ZL~?;3v4vP~H;-#z`ZzN*PSk(|Z#C16!D zo{t_o-h@hHhuUq)B+jY}`E-2O`A>-=nuEcI)1p^V)%3MH{eWv;s9>`t@d3lnm@0rN z1X58?@y)MHBLBHb(jxBWMN;^c2X&bIPk%N~c3d#hd?vHhtF%j0X^U|Cy{|n{^yJ9^ z{sbRn$#!`C%NJ>?8e}ylvwy9n9eS~$RaN+Gmf>C{)gSuGgDOVDzUv@IYb`xBo!3zH zfl(1J4B$+Y3HsfYi#56fpAX7U4>`MPlmprM&htbArs*m&ns7qOZ1R)vtUeSXe1<7} zM8EW@5il_=e}Vm`WO02#jFae5a}DH*P-XycNX1(n;9gFRDiSPzA{^u7<$Fa&@Jn5k zrICz_*qe>dVO72s(;zh?Jk|Y|UqT7lUCM;neN%&aJ~o*!-h5R%dvNBEGrDFE|3pwSWD#Z{6zq{Yp{y=*Q@cm&={y zD1HE66xn%!^i8#c3Bh<7yNvK3ar{1(CSkBqfnLRuW!h2GXxAM2~q2bt6uTBhC*~3kM2Z9N5=bVPV;exts~{q z%(SfVHb;pTqD`G|$4PMk1HG?r&b$a)*jeLB@IxFV=A}dn?kqxqd~Y9kWc2{T4@vVn zJdqPwf|q9ju4+cyBE2C2Sb4%wyV#4F1qzMj`rbw_x4YYhxi-q&cKCS?89Lx>UN-Re zD3{3RA;Uu)c6WZ%OTz*o5h49LFAAA@J9A^y@G7?XdPc?b%Z@z_9UFO`5Aj&rZa1pJrq$ESt@q_zI{sHm$%M7=WlzsYHcZ3&af zcow6sGfmLrij9Q1bipGK2br=RUlldqZ(I9(l`-A!c0BbfayOS>nxW|?rtMo=hzuU0 z@rs!l*-Nc1ITeJyEvH-Y3IHX;n4W>D;IqC#bAHa=Xk9=J#(dA@7>6tq&z(GtB<7ZJ zU{8}|A=Qq4b=2qyaTn{tt#3e+e*_#SgFP!zW?~R3ERs}_K}o1u`zsbm=HIQkjWLY3 zNRf{|?bQ^*rSUUwj<{u^;$wnPmjz=K;EY|=Aj+mF(oXDQY@UVxo`v#aatR`o*f-Uu zpnI6fEL=1ehYeDj7y^G5b|5^v^=DK?jttRlg~cRM8CJ0`9HC==Y2j% z^uR_(zd`;gJg9vG!;i0wRl7upeS_IohR72-ROjYCE5V2$ceDO6FcqcF0G?_G zEPLWJKZMs<;hzr7LK6wC6lC){=_|;EklWfUz;C6Q(-ayMw$UYq>9={lZ$@yX1{2bi z9~HKO-)FG#v3XPrugiGS=}Gv$HFQ{6=8Av3TwjootZO=S{$WT-Xw+T+pFg1>0@$wU z$+U4sIBn46_33_5pMs|`CKZ)wxOA&Kn%T2gRxeipGk})s>x(&ga_Exmfq{%@2Y*N; zW!fu6%@jGHRKzCi_6k%?rNM+Zxaj-Q*^sv?u5lRMtR|At(04bX@G*{FTZ-}IO`wWh zqR~2&@hF`k)}%&3!K#>~1?wbK-!AvJ9?m6#cQW-XqQ1ux`c%f1QN_@5BRH4L>I-S< zB@W7Owy0|$%rckWLQG05x7p;7tLF47o9uy-Ss?yn<@A0Gm$s0SsP$`A`Y<%Hhq9j^ zp6ynJJzCmg!Iq!3zNTjE78M|A=ANw+zJh^ISe6mVUB7=PDsr(7aO20=pe062-{$+E?m0dB;Q_gr<|KgFC zn|L}LrY|L>?xLb(m`a}DLPijkN5=-CKblX95y~HW9oNWtc=q+rN4?t_rq4cWlwiMi zA%B-Zjs4U@<1PLFWWd^&Fb>qYDQv|J41Znyern<8v015Vu?$*Wx`t|H3D&B`8j?e` z+{)qK$ikdv!G2icEw-JH2~4L2FL!4?0$u=YbtTM zhOX~nL^(eV&B$xx0Y~c}NjeT*RUAH%ykCNSkr<)j+yKflq~Vmv^PNu_1^iMpgzmfF 
zu;;uC*(hHP0Qb)n6AJ;xLvE#C4%l|_#&j!xQo@a=2xr`BLOAck*VA%$w*zK^*!1p( zzcSPv@^;f8HN%LiZ2?VvZf@}26ci4u);IbRnmlL7)n8|vCf)w1InFGT`q0sjC9moM zxp5Sb#0@U4p^RIL>4k~mbeiJC;CMTZW9DIriK=2+Xt0sXAk)IZ_^}}$DgS@@7(sH8~uZ{pdC$vy{`={p6?F4F70~oQmtY=kS{*= z!j`sGL{pK2y^H~wK-JW1X%dz+Y;}oX{`OsRLi+eHG9#j*qAhrWgrKK%2rfa4<=qzN zQOF6YpR(29n()3qnam{i`3bCwClbRsfgA#vn~|0n|0Lj=7X_r?e3g8ame}x22`eQi zGy!X&y>>z2DeU3fib?}VyTskYI8g+OOG9i%JSJ=`yTj|h#BGQoq4XG%bVmnDH>8ap z$@x&;X4++klRBKMj2?3Nd|oCLh{~i8<8)gtwo`kes+-I-DehQRo()Ktq3X-Ajldu* zzN$XVaC@}Q#bKf(eg`L8HP`PG8<2YwGJDAWK*7fIEg8kz2oRhV(1I`))CtQny+ za$`BQe{af?wkRpj0+w=^x& zx_;)@nRC7-0XQx4cGyWg{Vq^Hvp5uKdFqDkC^q8tXmG#)`0YAVNnX~AVV0%hTw?x@ zK}jsBs3@zbxZicP-F`@|6IL0iE3R>5!t8`ZA?{f_siNdktUSj$Ho?Q+7OX5l#02ZG zgsdz%Qi$o&CUwd0@bYM8P2Mdt$&xF#Y(n_79Geov?dpUl5Tn!9S1>R-Ks0@QZjOp2 z&zD5TvAvQGL|ngP6|!~g_Jow6p5dv?Bl;K|M*e*y9r#WvDl3R|;zv+T!>3!Y(ypME zlPvZpLe^5j?H4pPr~R(+yS&$=GGRxRgek6e$yB$6eRnK-sLRfbRsP|;-37ilw@;&j zKc4Gn(qNA-VDn2vj7DqaapIa%9U^XiScS|9OQBVYZ0iv2xcl~-6pA1pV=)uCBR>G7P zr(FGawL(QMvE?mJ948&3M*6Qwo^H`DNpxi?V5^`KnxHz+?#NTO;S-=?n^pR?C>H8V zWe|xfhx;SnZ4HXjt=L9)IW7rFyh5YBTe#x`(?jLx(FWVacn}kyd$1KPm6l$fg)xC? 
zi(S<4ZnSrt)=6Tu!|9CET(X{%F{0CvudFQox~V&dQq{G%I_0)%VnAHYLC{z>um~CY zM-f_gaOTDY)5b6e%S}l042_o%sw|MuNKq^nWd*A{L1;1~_#{q$H|#VSqGX2)!HO0W z#mb@n1R;2o!&;+tZVx>sq~colaUt$30fL?SdQH zMWf(K5~s@2ai*xL@3<4AXbY{5Zt&7y`zw=xd5ut zYSMvZH;)opUz1>U6TCO~y7rIbvCqEF&b-Z17l@3D;#sStBZjV5jqe;xHtJ5-3Yv#;_R@n#V* zJ11tDJ#*P1mB`>J9CByfQ&VQmeye=P)Ug@0V;<9_e0!{G0=J0Tcel9fL5xEOZ*OiJ z$d`y=Dk4O@!sCv@zw8C$`-KPg0xDvh&P@exNkE4=i+f3jAW;p`sd$$awF0N-`iXrq zUR13Dyca?BaqkYOTF>g-u&b7w4l!O5^pMXKZIRE|8=#T473;<_%nbu|=gpt*fLBjDlj5+#HM}!$wAjW9FhZGIxt<;Kp1cy{#lQqv%PKhfE-$TOnMR6MFTV+@22s>9zO@2m2?5o=dZ$; z`I(Jlo#m@WV`ecAyNz0Ai!IIoz7*n*UX9(GSFFvSP-OIXbW`z-Hrwxz%=WTXWZ;K% zk+8UiYEG!HUzVyez?dR{9;XB$H8__id$)4$ah{_5n2#v`=KpU7&AI2bm;zgGG&uuq zbs(%K-yZa=sVRu}U<$95B^{T{Zzx3SOU|GaO)haoer)VVBvBkr2AIMBeAi=Y(h%7q z$abIg1`c0{va~F4jMU6KUa-@e#uVQT)XzSIM zWm0E&a4t0j8W1DgZd+n{=CcryU%dCx`tE&O;AFJ~J#$_u-qP874QWARh~TBrnQVnP z>Z(#>=^jux?qkOj>ny=>M^<5#g6|2~LVzSegC%9~M9-lY4Od&uVlnPpI4JBUdZv9? zIdGJCHg-zLux+{GZF7XGPdG3=`VxMwj@%<+8n#|2F#h3olw29VWug%6F?F~wHg-FN zjh2+i{KCi=I)(JC-t#^O!E-0{Sd&O<$6Z>sLK6amHm>mm&8~Q#=`FwZvue=Zg4D$$ zLq&pB11@4vUlIlwDTwJFb86Q`_#zxG8`V~5rnRkLSQ;_c&%zy0wiZ<4noV_#vj@coLjXz^vXGE%bMOi9E!%#0WOSC$j) ztAAxViKqpH_g_Q5LjiHu)aMmYJr?`7LCBmkvTD7IO4l8845g{z!}AV@=28CRz`T`D zo*@DsJcs>S6|V9I0(t5Ci=XZ!_A=6HS12`3u+N)USH$jyx`LjB49I z#Y7$V@mO}v?q$dh><9;mz^4{kkU2^f{0sS%1*`BnRNkEm}DnX~&qLz`F}@@(`(14PM2jAl>3p%EuGQg4PK6?b+myNb<{< zC?mFCH~JO+KYgqNaioP-o4&8W1*wiGPX1sMCCP%{SCEVS_rU}|d2s9m`FCiL5@i&Xsb6>_*^rX~i|1F2IZwTvK|a?At# zA;pL?F@X0r@PmnKP~d7+up$0?_o)AKDwWGaN}-Ck&oE7>eOGspp+!;!Or90#P(0NsY&kCT^kPN07=I8~82Z@^ zv2Qohl3=aqv{rZ#m3d#Y{YBgKwMsrsT6!qWmrB5wNICq01IjLBNi2s ziPF^a7SLs+qt37m0s@C>)t(T0M}4|Fdo zEruWIQ*dO31uLZ8UNMWLtQ&utvudb6Q-91b(utR}rT(rHKiq*8x$Q}LWAkM_+<~mO z$o_4S@1#uYkrchM(7>4*W&gd@YFgye2RnXo_aD10zM4!-!B7dc03PEulTDW=ecor< ze*!TC^mr`&usM14RBpl~_n4d6KtU=S^!bat`a=h6OX8@p9yG2_+c+Vq$kA1%2-r9! 
z>1E&Nvo?Mi3({3Fyq~^8NU~-;5YnoEMIz%H(8{yeGv2o%#p9lsTCG`u{?1h{3i9i< z!D_l!@uhAvg;>xo!#1<>_EQu4$N3=nfY-hoq6g5uJVo|FY$4x(c0XgZ)UtLV`hn6C zS;sb}p%&NNVg64fGW|bGB&hmP61C{cbNeTl?B-Ks_|c#_xS*eZ0e>tKkrLe zfW>g|M3eEgfsxs;h~511y4-S`xynVScV){C7n}8iXZMhy?nri2M>+mt03NvVYfeK{ zRMMfNtDy?o1H6jOda1>2t732($a|>oIXD5GB|Yf1b=|ED&g?KcG1iD=l&1-=?Psad zAkP5OQI=*~9PHqjfPyLOg>U6Q!R=%Qzk&|g)e1hh2NC(YGUG)XKo9n*vZ?*-6||-N z`^fUCwztW?sqsQM)fGz}r0^2)Q!mE?j8clszO>}my%gcs;M(5uxE2--vg4Znlx1)> zwz)EYI-wg(UEsBc!S~j-Q{+4E;gBWD z*O$bt&+3*x z5=MDn8s^wlVEuwGW56WGd-{T_B&Iu3 znbx`2rQ-EwpmQ5y233OT%ChPULGN2q87#!)F^S9$?O1I}{rUW3y>_Wl|F)_Izj4P8 z!`U90-i@t&Q3@mD5=8ADA8-}iCWODrdf4Vz9RK*}#b%HWR6?eIc0#q#KYG{x8W zuT0L>fji!#fC4CR0WVI%m^_QH>f@cuuwxj(5hX6mQ2>n5LDdNXL$dm4yFN@t=1oAs zN#2Ov&TF4f*9Z#52y(cnz|fT?fXMBeL_@_3UDWrrfst5cb#CUy{tB;5QeJOxBLO~U z9?H8P0Npi=|0QD!56KeM`5%aCmUPnCNRUP`Riqx# z$m;(u#3+;He8FEls9mD2|LLiZG6%3vgNm}TatQZ*GU|PrgJ&9qWRL)<$U0+9_DkQ_ zS^Eqgf(*;*zRVUlFZy`%wv!8aHYjj2j)3ivQnXfhY$Tc3;H1|R$#viJeQV^Szw)Ps ztHcw4M;1jqA2JA_%E6;`!u6qmG9y{1BVXlBA_oC4QKFl()-V3)1w7#lc$8K)z#l{N zTuk(*n-q*G?OaO+WU{t$(cDgnjJ8fxwDWa2RBd5>Q4A4y>l&H}1hQ+)E-fdOc147nSQh{w`TCr2W$-R7-;( zzsq7!ZB0_h^Oy&UjnZpD^U(HdX}%bI{D;5&iB5^0;`bR$_u`b*A2Rw0KJd373|M)& zk`nYJci8G10pE9I)lw?+Z?+2X{rjKpd^Wg4rEy>Tu9vhh+n|gAP~(?MVU%u%fl3oUYtc5J7hhU|D5Gq+4pw>-4aka(Tg!77V00E4v-$|az zfbS3Use^QJrLnsOdw-Y*R-I}IJ$rU>!3fj|&YMFww=n4S#GNk-wPrl!BZ*b>sUXXD;X zZ(|l1Bpbs)GlYs2q!<*-yapbX2Qa!9rC`_}KG6LmOTd1sbE;^+TK)TO6kJv;|3w3( z&mK!oe)}Jnc0?nfoN|ZTu8saP)3jZ&(BpIGPx0m>Ne`$?A`IkIZpsMJ@thFCOQ>Vt z8i7^e<&~O%LelmG0SXuZ4s`Z???lt=w3c$oC4LM@+1EJpj8T56>iBe;Dk+k@--E@H z0GWHA8smu1AoWJ7$~M7&@@o^e=3b<&((OuO0BP*X?WwHOp#D#OFB!h>nGz;!T^dJ~WiTkvYP;?GHCtBG5&SrY7L zu1gGsSwj-WKCN_wo%>Q$R8(5ZH1j`L8zPaAQJp2^$N%gWX~x#;Cf*SrbQf>zrWkNw zLpgl-W!XXBo`;*IL$#?We>^_*3pG0IeoIOpvs{!sh~MFY00FlblGemAfM+%XTTilm zX^uIPqgmJ=1zly4@K9?(ISthn_10aXX(ZpO8}eqaXS29Qg@#JQ57PxhmHa~|ALPnWmK)Z9bxAGGHkrq)xDDJ&Up&46L-94&iPio%2KFy zn^If_NNFyaxL!FRfuNkypLy;XEOLB zDz9KbwW4OowA!imkY4TLlHm7f3G4%dSZ;)NmYTNX(ff>yk@@n+b`_YBzhWei 
z40sh8)cy}7H__;?fCSPbB8%(*MZ<0R1{iW`X^=a1$ZGE+(Q#jSIaT?ysJrT#| z)6vbveX*rF=asE#Ub1Rn+st1eqBST}O@1h9<(U4X_~zXYgvcw%L%yb~k2+O*YbX$4 zNx_1+t|%tvV)T>E>Da|({@ zFq+EGslJ6n28i1bmBOkLSm|5fyNgUX{HIObH^TXf^w|Ezz1MjCQsWrQ|I2+s_RndD z5jcw`&A!#7{^dHzOwT94;$Yuk7YloNUq}S^pE(T8I+RiH9{;SougQHuNQS55Dp+!^b(cMs*}P(CkBo#}ZCzyF-N$iuAMyQK+E$_*#Ll88iJ*trCJ6x9&; z>$|LH+h5wfV_%;+2;@6+X8iYe|C+HUicF#_=l%;kS58Nf3nO%IRdZY;a7KidMSAly zt$pzRj~uwnMA~bfWVvtFTY2x_A_O}Vbxm!}zlpmB)5+hDgi|PQyhZ(=cIE33?k+Bm zd2ny>`6ywwsK=eCyvTRZ0j-E3i=ITw+wG71O#t^1Sb zF*)*GPLV1EN-j(i2RMM##6&zoOn~doKYM~JsC#*ri#lxLxxVyQrd7xRuW1EAhaP zdnRI^nm-))Jiu7qXqeC5=q3vNz=f0DD0}oTvWSiUKC_ zWrSDJmlV7Dp_FjlJpGR*w~`Y!GtKn!To~SlRMnMg`6X|3;-)+#>%6qf}lsNI)cNUp=#7 z`l^Ni>14om?rJP)$k~nTMb9cop)Hw7y%mq-ac!a3OS3Tw z1asaPg%%qBC9tW44S;VaY!vJ#ipd?uS^fI}UC_`=WA`ry^e=|7s9G;;9>S@}n6k+Q ze1S-aL4PhQZ+vjXX_Lz{25QP37qERLF1w{X_FJWEdoz`jPCrCKxxk^pze>96a0iFG7aoFqrj)?Fc%o!$wKeLVbSz5W|`mUhKwHh5B8 zrlh$o%JE5(@tqpXV0czM6;bykB$oL>7b*ypy!Q56IO5(=-FK~^IL5GG_$mH)pC6ld7-p|%u37C^Y(rLq%HY)cZ8$P^_wF1{=$cYW>1-M`PZ>Ki~~sE zwl$12;@R)BZK--ai0LkZC^C$~7^4>=9-D zWWe#ucIh-Dx74{8=%}7d-sse1pCp~Rfhs>Q{s~yI^N_a2?)VzI1_{K&5s6q^<<5Y5SO*kn6uH9K*9N7>vxh{FjDAj zg}gGG*4D(~x_^TOi+tI_ZWuq+!W*xzImZV$~W~nSG2gc6TM-S&hFc!9b)2z%5bO0?zUPqW8e0t z(=>2w`%?)DyXvOBf1x2zgyNu2*gqKP>CtX^wL9z0-6^lTA&{S4Sc7D2KPP zR1ZZXBQfi#MIsoH@whyTJ%`CfwkjWw!Xc#T2@!K1*S?NKEJ8py$&E{P4u!h-fQkmk zcLQXIK}=rN^#6`_FF*0wG;oNY+T=#NA(r=?Bh>bH`KP@}uN>(*i3){Rr1dCs z))-WD0;-c8A4}pvSN>6O_4p{LV7?9vn&Nis~<78`MZJ+as3 z3ty=GmwWG&`Sq!43gvnG{eKEGvabHhuh*^BLA{X)(p}C^hjZNn^U9VNH^SE+Tg7MH z6XFwvZt9vFpUQXMd}i3&J8THbm%k<92Ri8RBbBg|;6FvZx_j$^Yg_uvvYlHv>(<2G zgYx@%8hRM}q5p~bao{&Sv#CdS?20`3Ul7n_fi<$bn^-fq7%SY(ct|GW31`b*}9_Qf+BeI_l7;{>!P;U+z8pKreOapk9*O&fq__{*8| zvHE*&4W*59L=ep0(pqfvfG=;>hO(8pdJyC!Rg|cMmwX`o73Y-OdCVtuoE$N){uR7x zyMYFFf{%DD`_xDmXOM44Uk^$^W~uW1zKp3#vTgyQwyu)@Jh$YaIb ze)uFxcoK_l3M4ffOz^cp!nEGH%zXWP2(A8!2~c~b^}LocxEiT~Y@%I;^vVUP!i3}x zSDt2PWHkJaHnojcOs)qAMQ0kSU&uRy;e5fJJ8u_YdgilTve_+lia88IUqAV*$W(Z 
z`L+BYD%D)Qz}ctHJkw0t@)&;K_kIKDpk_un{P}j?kIRd?*2W|` zzx~~>4?vdQGwxQ)=n2M#_H<)F5Mlm4)B*Idk(wqZg+4namaVL^ryPT6tKeGz?{vbf z7B3f!{dB8DaHI*~88yQY>;?NF0c+(C_4cBPJUIjO2v4P|Jr*DbJXZRj8tGrD2oXL} z>@lHcnYos${rj7=41OLl^fVGT>7Gy?6J1|kmJ*{y^3T4ugT&IPsO91DUaJ<@~U=3_( zS9X4;QazIL3G#B1v*hU3D&yhh4w9x{Vhs;(y|dOeEb!D!9EbSYGINrR?)mm$s%vVm~FTsMfTYtfZc%wPZp-@7Aw={$R#Dd|GorE+=`qr2!hcd{RzK&Z^7)QQ7&sQ-T;}+zDNxV+6}& zolIbD*Pj<}Wez@HJ|nJRP6(<^EUu&!*s`g!ZhglXtCks448XjuGNa#B zBt&OP*b4y;sgm|)BP(B4P0WTl>xS$F2GwoRej^#iSUx2c;8{_AOvO) z(36c6X~i)eeI$_jHa9nm>}AfN(8od5I?PpmOcCI0!rnHaZZ9+KVEAS&+;4JzX$kQKYfmNFyf1G{&H*vx z4rTeR;9xUz!E`Z4KV16&Q{x)f>J>7-`dN^!t+6?tAvUIN-3w|VzFfF5Oe3KP^s%Ub z)Hyj@?}KXgqv)*4nPH__5VMDTd$Fj;O`TrxCgL1snA*=;svHGsxA+v=0^Q7pKUKt~ zs=9|74vu3kfvrXiHs#DfziO=1o9s9Aqih@7P(=sh5CQ73T5Cn)9BC{T9y-}0JdK6C z{D3&?eFqr%apxYDg5Yd)^^-T*x)-SOGF+3vonry3MJwaI@z({p6dQWB0brx|U#LE5 zxbk0FxID#abR!f>&T%0;P1&U5ivtW;tSNk6rLMyY4{DCk*rq>@EvJH`+dtl+`Wl3KAHdp6B3k8)5#(GzP(5h}PC~+HIkWkX8rJgMytN zZTJQL+kP+PG6b&m{2}gCyW8OVIl`!}6bEqgZA~b(h@S}wMUHlLu>9k>eDQ+U>*g|!f9q@A4 z;o3Vx+;_MMFv2qSt2k^7u7B~NaYk^7&TtT@z#U618J(+x7|^b$j8TRheC!9(-f)VJ%AZUk1aZH2U=0$B!s# zN>!mp$7*u0-Je%c4hKU{?G|+3=3Cc+Pz2QKf- z7{niD#e<{Qo_m%i&csIDfoR?eb?-3Bk`l)67;E}ZErhI1_~vW$$Gsg6=p*QNSC3H< zsfu6Wk48lsR(xf`gRf-9js&aN$5tgDvSnw4{F&G}A~-0!PUdt6p~t;=y*Hau`ktj2 z*oVBenitnH~Y=`9Tn$O?4$EhA%?p4`vtI{N2=AZV@*7Ph7IBc_rx25-&D~tuZs<4 z2V#tIGbbEE>nL>a{B`Wr7kMu>pwn~Z=otqcM~W8^?I`W^2&=OJYTwXPoYlo9 z9=4qG&e+s)cg-T`5WA#!v9e;7G`@hFJf}XJ4|LN@9U|uB%%>dS9N-zq_hsl{&Nb_u zHru5OXK>i1ZIUEce)oj)$(`gUzY_y*a%Wr6;}6Z853&2+US#jBl(qZKU7>v9!soKWwYmwO5yFaKGJ^>{+^MAA&WR1S};?r*5UP!&~a zifK(cK|O#V@FC9*vvA1kDUJhX_bMuO-N*Elwc^UQU}bn0}NGpf$~Y=iP?Y#u-QBGEUbQw8PF8844bjPhX)ulCVKF?dc$)2Moc5d^c zwccl&8U7*96Mq?z=a~$=wQN;7YlCqQt$XZvo}mhwSjYpS1$LO>Cd;e0^tYIM7d+us z0}pe6??@-Yr!0r?D?bMBkX{_h5LIVzj=Ngb*Cu(FdVJWPYNX ztW|zajt-Z+`wR&Tra6_UbjkYC9C&&59SIAD3z0q|_Fu)YN>y~YiDT!&t(MyKd^DjU zSQf}1v6KpXi#QIEU&05=?=;)q@pl52SMLKQUzn!BO_RN`&v}myWf1jjE{C%WlwohG 
zXmQn5p&wuB{3OSt;;9_q_1eex_)edKYhQOJ9GY2~`0}q_UJv;#%y$*#?;?*wcEqIZ z_QsGjhBIEpv}mPtytAt6FM0GG+nn(nRLg@HoUwn7^Jb{Pe=gKbb0V*svN>!yW(8y!t6ic}IkL$m#o8E>`JG6tO=ge-Re;8~|Vb@gi} zDm|p?98Uy(cz{4NH_;(LZ1a@)1^ct7w6A3h8P1P>AkjEmmVU5lX5HP)&?5B7FS%eI zAjijy2&pX>P(&We11f*B?~?^ELYZqV0cK$Vyn(flM9A}zK51#R&pEo!4LraP_=n99uu+6!M`4Rut)irATe>(RxW|04uD}47%y-hnIE&)Yz-5#<C<;Hx+fPMB9c=V|4vfh9<=iEP*|MvP8h26g=*WgGCR1Dsbm*%2rB32kTig&=24|LOIJhI|?wZ9G;5C-IdD5eE`w zIl1e7_><BLg*It5x37DXCCKM=6s*C7X{3Lm`}35k*=}tj7~bsk;ZCMl zr-}9$GXZZC4_&_}w16iL#UBz1N6%nXYDvRjc#xPkbWoV-9hu(hlnIA<#%KXeu_dum3u*QdRGdG1X* z9>v#yP9R_f6IuxmjJO_~Vg6^sEo3x_)*rtKcQ_zbd^Go~K& zg@b<)fIfY!mYWxcvz&1xlt%y#T%XY#m@NTu6?5&&Yb;?VF61>)#Wy4T$p@~xL1588 z4oj`nR|^g9!)0>nYZ1G#p+xQjAPRiM?!--dnWhmwoF?Fg?ibboEDO%D@8*}o9zHv@ zw)H5-<*`lJmfFX<2&s{+YsajopF$%%$fRE@l05CjNBOV+X?hp^v|D8uPGj6=(h8|! zwit&jHtF?vh_1Z77NHd{?rwH9Z4@qoOm;Y){Ef-I^eI>XekhBS+n?Be7f>G3PV~mx z{h>gIkWZenQ&hL7c5?h@J&PA_b{s1!@ccx=czymu$Gx}i`ZL~9 zQ)C0EJ+e&Y1q(}eU8eDx*HbeGCia71X3+5Mw@-h4%_tQ-7rv7IAfCC~Grpg6=M!`X^k zseo{xnDr40ADmft=9J@=%F@2Wg^OTfo~JXBuJeLB7Znfm`qE-AP!U%3J$<(%56OqL zjXAR2xcutChL%dJ%ilcPH=ohK;bz{f8Rv^*5&j#R#B%bmF;C$caL2estL&f0c!#ht zMl&T{ExDkcE0n_8`6bx53hf(lIQIt%%>WwkUl31qDol!xpqFxfH_P4x3?NiNbW|Hl zxu~dpo3)drZXcx8D|K1-+X$Lv&VKw-_imM?UN{TCgj?YsR6&5cuBmP%L~cX52hfHo zdRWK9S48kYPaH=Y10UTQwrVG2<&Y1iwQb|0MfH1f>zfJd`13Em_+fA5O@z6*^G3L5 zOm*3$LelH4YOTar;)z{|Am-k@TItXiRKWQcHod#Q4=LC<7bTSv1@empgmu zCA6`*-TN7;R$sRfUAxiT1`vM@K4_3mjPPElUL5!=j>`pujpndfKJx8u?q?n6X$#*0 zLxRD7s(ca_6*HaO0H|HJrjw2RDWWJ2s|FbMbRccv-loIM7h0jQkHb1|Z~w8c{`O-G z0tsY@-L^}IiEaXakrN(ba5-NYWTg;0BP?AQ|HuX;0BHotcQTnUq(1Cl)1$%Iro zfH)uWp$iZK=&~+w`PtbP>6JaW(bN9pAPql>5Az(H2kIhxc<8wG8ru$SQ>w(L8*5tP zoL>p1W8@yt5R%`7NBxi<&O}yx`Re^S_)!5TT4_9u0yVLt*@QzF8DCP->X>oRD^_pd znw&m-ZiOD+=1^TD7W-;}r)Nm(;0tGk?5bO*S1a^FrB+eBz$Z_`9b@?`YKBRU@~E9H2PlQSvS+aX%F2&-|-%BaHMunw=j7cJH^DlRDYG_1*01)$>9Y zZ~XlxQgH-8bmZhC)I6Af{j$S7<$^I&*YbPHS9*`q#_w0&{)c!FXvsZTWMs$oVG&4l zdi39GOT|-_F}UpUW9^@b!bil6Q6d5IX0UHzF;u);;^}EM)xcsyHiW~{$qMA;JMLlv 
zh9|sU&6}bBQts7|gQI_Oy`lC^w&Gw5V0kY3rEv2jpT}Vihp-7pqZW#Unt@L2Ceaoh zD8}A=6c@Wn@k#3^jf<)~3S_tR!stc{WPYWNF9*XRo%#W^tnVhJ3PVY~fCWg#WR4le zfn2_0z9i3gdSN{rpNxsXKgBjJuYBlY6GOMHj*QUqA(U6Daq1{-&=SyVg@%#|95O22 zp4Hq<;{iimi(V^mAl$CL+T$y8z}#)RE6m`w?u9+JZ2xz5;RMgG1QKmPM2@ zT=iAbu03vfUk2aDLH<=DYJ-CgdMRzn=Tm50%R&>OyifGf0~pj}Y0BV!>#TkvXI$te z$N0i>Z@YlKZxol%dyMt?Y@X-kqeXFTw4S2eJcjwKkD=&NYKK`WbT=SkRGb>iznyu% zf&5@5@{jo}s*p1pQ|yp?0t=~BFN!OITis8FiyzcxiqH^KZmVtzdBCJ~9%VxeAVMC? zOMbaET*`<_fXcq2(E)52EX1D!e}$Mr$z}oh>f5*85(d-~T%5PxQwvD@?ENUxv9b`7 z7Bs5e>2Cd|5EnIb=q}pZo}L>jE%WY#4TrdFBb`2U-n`l#i8~fqY{C-(lSc+~sG*6* zw?(15JRa{S@8&>GCj8GOAlIpILq3?X=a6O3A+*)lX@6ujgK5P{I%Ct7gQB}1G0)-rN4-%rxHi07-e)Y=xFMbVoMXfwB7$pF{Ji_apt2HPnF|x z%%)bLc-1RKXe8b*<^%uym{ZsiEA&H=Zh{zi)71SNWU1*k#Ojy`98&EkiBvPGzlUu^ z_Tmx%E7QXeX7Gc=T|U9l7F>43KD@b`Y;gtRJ7kw$@T$?)VOB2Y{+)5I)+O5HcWwhH zo#5hMRMm?kpye0GvFucQM;DzM%Xlp2ZvmRy^wNIgKlSJ1_&acmbKXXu9cjnY`9$}# z(UYY4+{s&}bV8lIUM5BdF=Y>rn{pXZlq*T@E>%vLQtV{|1!KG6%L~0LXSr{mgS+w< zR2&Z?%C>nP&IE#Pm!G^o(CRMWdN#KF5+J{nED4dBG%oLJ(~Rm1)G#=CZX{ctg5huM zTO(v<=H4>+ABRZbwhdo9HcSK1-DBsWN6yK-4B=({>ZU&s(N7)gS^pNU!81aOV}UMQ>lq9pdN*~Q!NlI zULJYpEcWEH@x1?yAl-wHTW>QkFcz&QvNgyNCps5AcgRe`4oFJtJQKcE-ZxDAM?4Gz zB-GZb?z)wLDOLQX>FLKFd~b{t>QJsGX4;Za6xF5bmX;XCgO}qyBg*35%oqaU z2sSj%Jt{>MHFTFbwg5|7n;d@v09kWVzdA)p3hqx-S`nV4N=a?HIqFSPZ7x>HMj)H4 z8D~5O)(=D{h1&#fK62jB`~iG7-pk){<1xEHZzYPzAMb2LQYlY+z5>yjW06T1 zj^_dt^?}r7EIw;2NU7_;5-5m_?_BZypt6>kg+F;pGDW^dQ^LJn%K2073U{3k5bZn<-hx)sB_PWX1 zlY<{8rcv|&Qr<7&yevS3BP2>^i7B)O-GBF`Ypo`QU&S7?skBze2aT1MG?&n{f(ojePp!p(}c}@qZ%NXfy`l1vq0H z-wJ!Wa(SlbB|1(uU;!~Kc|_f)SZUPf|3*am6uq&HjwpYfYb}#c6?W$_B8~mHoEf}) zlX83E!k+rLc?_BAB&K+A(f`GVlWk3YFGDBk&853GK&gME&z@E+>TcMRM+Qg|(G4x_jQe8wIu* z5M-u{!J^ZdoJZ#~v#q=+v2(9D!396S1h&$lm4+AQ#|x!rprL5UaZAfXGBkk#e~$cm zavUI`*$g-{Y64$QkTeC4{thA1LEJqRW9&bR0gdID?>v)n-2wQkn;~B^`CxazHlvQK zhgvXcA|`ptGvOKWWhAz)ZGWy`ad6=63kUaFATGLmU9S3dEa zy`uO+Ux~qfUg^QBoQ@u|0Jm$W(I$6pg+H}9JR}q#A1kWjPY}{4 z7k%~h@&lR5gN14RJXbZsLI@%bFc`#DwbQnGc`fgCX(sU*4P_MDg=1Rh`%Bgb$^A4Q 
zWP#k97hBIZF{b&D8xiQH2BgRXR4DNt*K2(1eT836lsA7Qc5u1l z><*LHsoCzJuC?T%cB5Tqbq;6wzh&|W*TW8Oh9Puw1dzf$sly}FjG6J=SAOTNGKwjk z07&rigOq)R(9pQxpC4o62ZgIu?X$eFU2N5Xx#eu;3?$Ht?^5MyNalbwv%T6zl2T&- zuizG&eWF|o=;i(C;uMO^^C9Yfnjg1DLNMlHVT+wd3B58D5W3M{smP|i3%SL!L+4BB zj#njn?$!7~`vskA&EL$e9;NMCoo9$$V(K!d&0h@fy~Yv!$~kIrjpfP09MN@^4s>yv z%5Xpyv=Y=sa7S#mrcH6Uu0(Q!0kT9O(Cz>(hkaC>pjBILI&B_iCqIIGf9+~Iie(1qI3{g_lbIfz2@zhkEEA!UBd^$t)SA! z-Q6(vbceW00)iBGv?3UIxn0f@byprKe$KYTgXeUX7%Q;8o%-M@HZhbpr5^1h*VL7g z^|P=8yvk6;45MuWE>-W(JMJuK+$kk_N*DW*rDpmAxV+6JmKz(!L zN0y!jsdqFtz8P2*Zztv_KAIr1?}+KH8O18R3+}m!Jhu(Lc{3{%d(*ESpI}OlL!C-I z&KHEoX&i}g8d@RpJk@)C7U|2Guj!6?-v}8*ID7_$`tizqX`tH3Lsl*QU{P2*z@|xk zRd$!#fH-KekBSS)%HwNAa^i-Y9CCX@HX*mkI-7K z<;tdxE{BAKg*XlbYmBAQ(DR)n`}Fv4JZnm++&pYjFzP6+pv(N9NG!#H`Io0 z<`!^B!!C~Dx6E)ZD+?_=YYd+JsTD?-0_iCD6pdc$wD=phDB>(kifyRp(A(>+l@!02 zW(ji-Hq58+FxLNhJ%Bsu1kP z-QQ&l&IT*==|HYaf(wY+*d>>vcPVmzS6R5D9_xq(SFfRd8S9)o5K{-PiLWomiBMht zd|Q}-`+JWVpTeKd?*;^}Xu_12Q8ev*j8{6)4|CU;JWjDI-M)rmds0yS%bbgg0bFZM zF+GbE$DRjagI;g4XPYq|Yep5M7x*5HEZ< z*9Xuy{r$PxD?ICF(dn{P=G2PXXjcki^-&5EdbM9|H-ZCz(BB+`wyqfjV~!g zVnu%vBmY@FdUy+?&BPuJ>OLz$odgCFN_4$@P78SrddD_mOT9w(fYHNo{*&wU+dlrm z6&`ndSnH>B0#na^0^n7f=ixO@k$C#Yed%N+6|a*DG2cP z#c}e*<9vr))^$d+XHgY{8<$lY!d~cYTWRP|h6bmmW`~}r`5r=t+3yV-abp#;>l#9E zK&ecd1BlJK-cQr|7JI;ej)PT|nVn~N3EA00yA{@w6XTu?ovmqoM2ML}NI3Rhk0qg1 z+v4IEUOi0Pg~HEc4K7YG@q}o)mI6Ke(^cY!`oR#?Bl=ChlN-i`ORAypTGPo>UYA_C zh-D;s9X^UCUwl3gb9}GYy5^~V#}#V><(bht<=xkqmHXUlFdSR4D1_8BUV_kJABp$Q z5ugz2JDt7RoB6kzdP`IP*#yTiZ&yeWtMNSH)h6w3lfCr%tK4u z=@@ffA*E`(LDjF%c=3&|t_|&0^7~(1Bhs1Xb)ns1uS(Ym$>M>EEwxG?9QGqR9K$CG ztRexYUNne!>J75pskiULV7ixBktqD(jB_T&;aKjW@ZJL<=qMlwIw|OvvYw_TQEew* z|Bai_^uIi&+F|0n6}=8$?T=}~%+l}z`6GI3+D()b&SCD$&2Gl7&b>%3kLU}jTCzSA zX6HbwkLG2+7(25t9Q>pbjz|!beg?4`(bn<$&95$rkl@woT?AN@T~y8J4|WS5E=lA1 zU77G)7n=hKPcok2An-J~tOi?a%!mSY8Hk$ftrCMQlgDQveEdL!nBtJftscIWFfA|a z1+*oKY1aIe3g8x=Jlwp z!zc;fVGwR#l~07V+E+~RcrI=T`bv-O9Cw}VHwx4HC=z%}O_>?5p|dZ&dDa322!WeL z<_V2_@C8n<;=Xq;s{V?`^0NN>e_0oVr2vo{JFp!Ash8 
zyyW@^9{CupE8V2quz5J_b~h|P5%ZGrfk&=CtY^cqP&L?#eLjUIl9`ng{~|$VJ*HG0 zCVdRVt>E&J=_d$Jm~;bAO8Mw)?=e+v4NO-dwv`Ft{~0b=CZXAXR;O!nTJ-2)Klw7 z3hHsczk7&pCk%azdJaQ|ms#J-+W{6f<)g@AvfYDvu*j%jRg$SbOTTwI|3 zCV8rIE0>55Kumj~4tp{859ZB#%3pQ%snz!(s^lr0c=4^ZcV?o(b^-l6`3INy z{YVKWfXPML6nOm@ex;oi3u~p9!y>~Zl4dlX@Ntg$DT2Mok+-sdllPxqcl*9!>hUHS zCT!847n!hOiaG^Cy5XfOYw=V<&?6rtp@;lv_b6$HP)cbDZQoM8>hf0KEFlqyxL~aI zIu#(=q{Ry*nvzyy={W&0o$S82jESKFSTErcjO$;PBZb$i7%CW9rL-k9iT*dwyDczc z@ok7JE{~s1^{zBeo-%O-*C^*hg82k{gj}L;2T;p+bC!@q2^~&kl$#lvL7Q9AyZ)eP zIT9S#o`YVbwe}I)b??#>jF*F}~B5%-Ox>jLy2z26PucQ$3Y>P(ah&VTHx-QL-iGQd)=(-;@0 zVix6Gj$`O$;>%!kD73-~&JPF`Hwg!yRn8~K#>3hUJ;>eLJ#&63KpTUVk8E9W>^B~b zp5;_?BK$S&4YY_`WUBiMa~|mCFZri*u5xl zF~DzZF<%fG>u5Y^LRN@kvk|i=lR6xFIt&6)?%}yu3^p$q-4l@n*D<7{qdw3I6&*^w zWFWsahRP>gzY*e^zaRF+iP*U|`}=qCvS4lNP?b9@vXvNx>WZ(Abe<=OnKspyy0~Ou z=YsI>S;<5LlxsQqI*O2xjrnNoK(t!7h1{l-2_>LdgP=EZ9<{~1A*h9t7 z&sxQXU^;LP8;jcbVG{BZ#+G1V!us_tsmA;wwm5I3k*);Qw&IyzSrmMc8 zemX*+#rLoy!|VIl(`!a?vm;H&!1ahwMY7X*hP6i*$B`@%TSsRR={r#9M;h03A3R|?ENR^okLwbYL_yrs7ALY}DH1w1^{iL+q7o|M;+jq3Jq7b8q&j`liBx9p3&OpF}*N6V! 
z%vfm8-mx~2n7~yPRW(G_I==feD;C4Pm`B{iaT@zPZO6gCQVkX`i_(Rm zo(fP*_o03qs`%lZYxZO4mkPw1Ko2LCN$a@8dp8jNu1CFq@c+ZrSI0H=w*LcyG}~y9 zoFF}$7|!f z&bjX^-q-tj-`DY|@5vD4d6wNfu$&(I^>^YkU!ks#k6A))36>*)V_NH*e>4;tXG21| z{IASXe3ShiP9bb=?hAvgT0?9N@@GV~t;CVM$nuh&- zZ7yT(+Dc8ypQN8G6BqXU(mY+~N**69J$8uP0Evjnz{_U?);0Q&iHVixEgnLY6kZdp z44KS^D{pTMqnj}T*EXkUm zAyy`kjOAsej$pDsd4Dpaxaao!_AZ**8!go}jIJf}f!$;oj(^hN1k$kR|F$jm*4j%IHnOQv`;9?eGIrDq=INYFYJC~ znGRL6eT2O6si1#0$wkOSJ6Bh zlXhgHdvS`AF@=aJm47%memRdL_A>l*{p5B?u=|%MlT|hu{(1QMO2f1#aD`i?1cuoYyfFE4~&B*Nqso!0<7@ zq~Ch5YM&{eyuXcno-8kR5%z(7*{*Zk57yN-PKt6007PQ;XA`*ren&Uin7=sgc>v`4 z>09*Nsg#57uRfps{%fXm&0Q*wPn0}t`Cf{Kju>-}Us)4Ji}e6Xw5d(x^0fg{=8&!N zf#dyAzjaW$%ouTqald<(LOP@dO zOyFP4a>fTsE_1^HRYm+*9>?;f*R~{zB$}DDRQ%rxOnn10aQ=K!zjVF8OFV+%=EqCQ zuv%_6;tJEXebPfDb0333n?^A4*5nL>HOtg+eWJ}K)tKFI-Lv8XGwt|b32C|rGeWjM zxS{0nV~K?{$S1TF6V!vYn?VLl-?;Y`@A#fOwfkiE0j2cDwgzbv#!qhW5*C% zB;7>f&|=}Ll*6$$Rw-(y16yOauuKm+RDmv$q2^IwN3XBucAW^Naf`T*jcQ&|FVIcZ zs>lF>=2^Xi^{4TH0wy`hu6NKjKq4-8jx+svRQGZr>6^oe6x#!8$y82*$d?E^?6zvv zA=bmJGobWWeMo8kVQ&iOEW9b{Ee?A|gN6Sof0M2;ns}z*IrOgUCRHZqs$b#5cgNV* zuiIxiIWswn3C#m;&xpFc0@RUtLFWTfYmwXl_Yt!7TJ0!{aEl=-4*!k;*z`6c+|YL_ zX?pq@hsw2Vk(H#cG2F41?ZccQ`19Wb*(nEO-ih#q#Mf6Sj4W(6V+uOZ^yFGk8+kAVG;!Z!qhK@Pi z13Y5_J*=NM-1+wE@da`03*1wm_wrOMY^VJbc6ae&j~t`NLh9}BJ^y8IpL*rd`S)dw zIl7c(TUW0S8uto_p4C0RXs!PK1d#Kcw%lH6Yn>^su{(44?!Q3Uix#PLtC3;O@7h)V z@@J9M^GAjAPw5Lk(l3CT=3Pq%$B}Q?%w6O;A*eUkc)>mhQ9?5pLy8Cr5tGgx1#xwC zjNb|{>FfW%iEnASHMI1UJCKQe`=Z$oUkGZR3$d8rInsD{@spv3`J)2$)-h$Vxz(|e z+VmhS z?pf+Znv#nYqmuF`5`x5}p68N8k_~w^!=>APF0S=+(t{ck5D}`>1Ld_`6NTf)5gwAB zQ-WPQkcHL-vu)i(xtZvL`fHz+uSuOhHj-cGTNC(l!ijm9HV!B>aM~`;S03j!8ATjS zJ?xa!czE%P#?|0z07?3d3A&2suxqS^PqG3BA`%u_j<0QGF619JBOgz+MsSXIJh_5n z`1)He`$g_u*kK)@=JxwlY)z6%Am};p;gO0D`Caddgs!(2&-Gq@{p0F#6p_o)GUR){ zQa`F5C>8sx^ELtN#&{%N$I!g_O9$Dc`O#wfa1-{Y=DpjD_T9elqU zurr6|-rd4QPqLa=f9xHYxUxqdd_msz<;HsI!OB*`zGyAoU2T|>)X}lunoaF=NXYV6 z{!wzbn3S7L6?F%%kMalWzP2j{Fjz3dCjaLDFBTHwB7Si6vI$#>H3-9fg(jVYj$gkVubMoJS-1?i=@9cK 
zT_tB(@}~bau0n{+c!^TxZ;yNNsjL-r(4q|o1R^-ejakXf3w4xx@76hH++f(pxw<|` z9y~NpqSZE8PKGmG2b%^8t^7kl0kk)`Awn&7()H8!f19BPi}&zh5&pbJ9F!#O@!v|QT*n{ zy)DB#eYh*}az;t`k`D$S@Td8lC8c#X8k3lBb9Icti3tY2TXW~lq!H}?UB0-)Ine>u ze?A?%6PqE1K)hIDJDRoaTZ`tdD@ac?>kJl{W?HJKLX6zIb*M@ncD0pjwZ(ogZRtCxsWt2wC8y=<8qo_Uc?# z(J0IAbly2Zg%Rv9%IRf$+{`sNM>7(&>vYeteu?p0;N3+2E}4Z%F7+5TtBApOL-}y`@6At*l_iLziSODHg~2LnH}|7R&grN?(_>soQKGrt^aN4tO+~N zd|Q6c+Ho7PF{0gZ-$F5|H#YJrV*7ZRKMSuu6@EL`Qx5;3hr~DGOApp#Ex#wKZd7K` zW8xcOkUrnBo#+qwt{MJ_GSfOeDbtwI-33n9M`XeDf&rYL&KCqvn`ZyyU~=&LN=j6b zeatSq5^}ylMG{?m4O47IM1qzxeCbBN|tbcOwrXwK$kiAFq;x+%^uek3Rgxv+l=TF|= z-bI6RB01N`7*VrJX4GVhFTLKiwoyzbkabfZIBoujP?Fwn@Wb9Ab<7|0Qu2;0xd58? z=ajkC&@H9KJv^+dR`f$1)}Z09&T6H4FI(sTs6yz4h00fw)c2{eH$ac033I6+M6&VM zdPSD#Fyu0}(qX8LZpKCIiX`DUn4{bK0ZfCUWfJM^Na2!6Dl&Q^j!94?GR2cjA*+pB|x< z#~}jT6NM=3S>Q+i6uY_1tvOt|#a{{L!5#DednPGc=PbW8AI{n#y^;Hl;1&C_4HnLpXnp0OqtCPW$?v-gaLgYW1TO2-c< zUbH8lo)Awy0coVq$n958PX3X&-q+`eMTI3-9)a-S{a zLR0(nuAS?nK%~!ceRRToG~A7S;ocX(kmhiF5`T52E>k1}2)Cafe@?_rKa?irvOoR> z%2MF;oe8JYlWD;t55x39i}<%W|CsnCpZRUV_1t?(E3fo_dUOL*Mb#aqtgIoa`wdf9 zXtWF}N(pNy(w|ZO2yY$Bw3k{Vo*DL(EC|j|W6Sq$-(;2&;Xw)iS<^9z=e6~L+|8kzK!cO}0;ei45 z$LnWZ@F(-eL!O~*eBX$VF5~-OQ|P$%DjYrtRIz~L{pXXs{_6g7Knmm4NEzi~WZIf0 zdYti{PVzbE*ChMZNFs~|$MI}`wT*deZ!AWDMgNBW4&urcjUwPxSmCN!M8RBsv?>(K zLh6x%TY*}tId}iHjv^rjKO3BR6U!8o6l5P|MyN8Vus@)S-lL=*G74fIEmU~dbsrB* zm`(nH&yY!jl$kui{U<)}4^ZFAk*zI~AfV}XI>m6-{dYyxMJaGKR6&}9D(gF z5xOtwyqVLOtK!kmNn%z_bmYZQV97Mdi-CCG=C3999JREw_m_d>nbqzv&b*so9y{^3#fv!MU>_{Lwtor(PfC- zR|7zuMv0mUJd`thq+Z!(1tiHu+%Go6Sq|CORMn>$7w8E9Llj2Ek@`IU$uW!Xx&?hI zUK5D>mI1{4KL=Z!5pf={vy^9-q0oZEw$b}1d%~@*z?pqPzvbgiLh2g)cbCZ)Y*gsv zE#to?3uLToor}lQ#Rol9(oOuKuFSc^^@x|D%*5H!g%mO%?yuLKll+*)5kr=;fsTG20nWuJjB& zTA0`}>kSbHS#?`;mxvm&r*0)bn+xvc|7#C`8@R-0Ps=#hWg{#mYF>(gtw_#Z2AknN zWM4f@UR6O{Jz`nGQvE*O*wUB&&l3FakzRe{zIc&Xmcc>hPWHDF?qlPv4RVg6umOk< z`Qku=P`B1sUfzbxw7z)Jgj_>brA{9IAOZcg8+!@4^=JeCRn+!%_m6v+7+_{bdjDOk 
z{HHFK^6Z<3sUvhSA)QvL(;r%`j}3a9WY@}8{6!O5D+6iEf9T~kihAuXMY^1&l*Z8F4U?q^SY_HO1_r8|3D;R!%}Ma^&^vqvo}6e>2!;gE8f4AAp5m!ymGxbcs}nc zTcx>F$(S3f*PZqHHs6xFvj{%(_2wA&I(Lp>J)hm6cJ^RDo!#&)$gx%Q#3Pnwg26Dz zF@|xl2hIeOmR?)9;`?@z9jOj;W^b#%Q*KAE{)71~bbx`n<0+pR;z!mC>BKGz#{O{& zD@r-Xr!w~#`Vt0<-WzGR&~3~!+|JK{#|aYyr!L>FV;IrU;G$P#R`gz(8OO2wiCwS0 z3dag;lAE0H=r7SJ-S;3e>zjFQK~Fx7aS~i~@VlqRqrYhIJ)BXML^M8@#|pymz~!FI zP*E!_x`;w3+`!4ml2Y0H~5R40HEDfX2fKw3Mt21jO4`n_hlHDCqC((7=fy3O2()M3Q+IulQR zLGwPfCPp?yJ>4bVLjrNFn0@bSbH=pGmf9E)RLPYcJ-^SwjFJmFC94mB>A$ZT#3N>Ge z@8;lln4*brqiUWUx<@2)bdc7qXpzE}kOoWvJ^KC&y=08ZQl;;VaFw3x{?+| z^Z>e)2rlRv2ognxEBx4s&Q_A-An}R-LGC#8z_@k$^l6)k?{QZ~XYv_hbG26wQ>jDv zgS};vk+3gxx6>1N5?l|}>RM7T5@DT{|hmYI|2T4&oqWIIRRzDEYl#WT@ z3TFaLi8+J)OsXnFb7fo8dcNHYa&GNM!sua;MOP_#EAzgro>yg-Jd0n0a&c*&%oAaZTB^8S=@wg%bn5YqZReFRUu92Pgqa=U^az2fADqt|QXE zf%`<#CC31&0&xBdtY7(0OV1rD5@h>z;jLA%d$M4=pnDPSS2%Q+l5Wya*MkEm+A0;x zim=x==Dsn#fyk8|gg21rYm62kdN_-UEvi-zqea4urI**fHt^n9~dc;cSgk!PL;F*gdwQJ>bNvU&JPJneUHhF zCSAGv+X6CF`~G+%IC4N3tte~7$`m!i3q#;Wv%mDQWT3-(?wK;)h+RSQ~mJ73+rn>#&ydgsIHXv|E2 zRQRO7(SEZOB0@3zMhu@aXO8yY-TMBwj_=G3mAxe-<_-vz#*=8Fxk42@7ijFCrx?yx*>W7$w5 zR;i)4hlqvn8&%N0c7+F-J@~|HsUnirm0HS5qgNy2SMs7CSC}SKh?)FawrWF+oE`CO zml^_}f!N7@TM`~#Po|KVXVw2?-MY%>>hVe%&QqZG??87Qr#>>^PinEl>P zQ&b*uK1kEuZ_mY7ptJ3Vj_0=-ugRUo``rnhefH_${su8i9yD%rUse|mkZ%Ipq5mp^ z{`Q`mHb3XwzVgp(1R$`W2x!ueFNkwR)fHFk>qzLSZ z0%qe~^OAX>LoZ>kI3qLk9)i}inPraYXJ^^zeQ;hk`29xx>zK<@U3kS$me#2U*7X$F}YZ_6}CZfe!f zQZUo@4h2=HC2@ZxVk5E+51>V=TU9gsH3(){M`&_k;Q)H{t9WvSCgAi%!nZRncl(;g zDE9#WXnO2*^D$z0dBiK5I3y@}t?0dKYNV0*z(=$N&HZR4Ux8c@M7vKNVWQ~(i^&+c z;L)ghJ>pHEom%$Mii`_7T6(NJt$kzm&Pc3gdy%>sF>n)&tu}gs8CSTVjJ8fe75X@2 zJvjPxzgJqT53vIfLfw7hM z8hmr)jbddf)mXVU$`yf{_aXfEqtkk-09Wu9AMD`h=$ZSlFOV?JZ=G&!51Q4^N*;0K+b2P8A;GES-V;R zeanPWCM`4fknq_|x?^r1X?&qjhaaG|5N@|{Loj`g($w@De%&8L)+|BN;4>**6%Y^vit=imO9lPbxFD;p-j;3b*1r zht!QMC!fdfSBR}4REcbp6R!5F2yoBTwTiqeHT@geM~_awa#XJvGIewR+o#<}mp@#4 zWvnJg$pr_TS%*r0n6hM|=eh5ZstTlNoC@-Q>hl5EUtD@tF$FPiAtPd0GJ8Z!GKG6_ 
znWq;^J)xlfII$MhI4*bMw9Ow%Ui!11p4Yi*{lw%zt3mS8bYq-QsT$jS5(s)!&$IME z+?slsclH1w7@nzupxh=e5jJNOrHAs5CXeK;YVoAtlej^=U?0>??nBNL*H(dWxMjjQ zGNmjxycHh3lb5!+Qtwc;s%8F(XS_m>Hoxzc>l&3n#=SN5o=0tStP{m^OMiw<|fK$|E5R>a-nW`w4sBYv?6e_NDC>gK} zZny=F1^uTqG!B`1`z(x}9>i|8g@2=ElTx zb1bVlO}_$U<}_`52H*rAEhUjtn?yQ^NQRHm^MOILQoZ?NERrD`IN9@}YixoAu9&PM z%7KQ0PilQh@0Hl?q3%>|HGPR?j0G%Fl44eTUX#bl9}(p5J8|~(-TgV zY8LtwvSVzVq0>IIGs?^QT*mQ@s(j4wSxUIEbOr5MBwzBq-IGz zJJha%;(>n|cU2>PL&MAnG2yi^)307NYJ;jXHrK^ zv8i3)f(MP>MG!-HCn}3KmH&AA(cIp=!Y}X*MiJs1nY6prgGQSZUxQfo_dkGS9tZg8 z)?EK;3gEhy%i|q~cn+ic8GFA2qni?07ajvbTaQGrPJm_X+lslnEJwc9<5@l$TX>r3A zAx|6Oj7k&p*|gJX+J^{{MgXvH0fAt4Wzs@1i$|r$a*VTx0wa9`6fcoSE*SN?AY%po zL&>RclbKiWsx$&uNM72o(QK?b4%f{M&B+)VX=wbq7pc{gaZjLT6bPhgJw~L7w=qd% zu0}xlUnPR_VYjhB98RAkA5WUrMjPDb0j`?b5L?e{p^Zi~0p?*?#1jFU<$*j5*Is=e znS#(pvzr-W^i|n|{D0nLoKc0yXKT^|s9m1CbJG|z3l)2)v+Db0XC1zw)U={prRnma zcUT3NnwXKSosJqov2?&!jICG`^anqp5!V_q;25ABpdbBY6G>$|hATWI&KbBTlcmOO zBO9261uw@6Fin3W<9}hQo?t^)D9nd3lsN;XQ`)eGWP5GIKGcAPmU#i}55#!{?XaK- zv7+xYEtqy%mp8T7@=K42q$N~l2tx5A^lcIhq2fD4At;x@5Sq1K);WKi*4^p8=g{m^lRcvye7 zPP$CV6kSx0GZ9j?R5gejVkf;6JPUH8{|%}nn|Tv0mF@bsSo63n);?yGmuh6cvazDS z-TeLErTUZq(Og%Yz2_!1-)KMX&iLkCi+z~y_bG;}>c*bjHt#m}UJR-#iuJ(x;@~m} z+=@qG!z68pW*U5 zSd9cp^}6y(5g?iQ8*$v*N|NCM2;in6F!tAO{Gz0R^ej_qJ$jVnbnO<(Cfh@IHZbsp z1SQFYVK~)`0f_+q1hB~`+dSt0KRPvsTHOO~W*UeC1>@9x?gEz-49LcE3C7 zPTBv!;q;oanjeuAAI@Hs{0qSUSB~w!l{6mm*YQs;8)CQgx`87u);ec`(la95p8YEX z69-b0-V?7eq{k14KA}T-;bU|@NQ>ApFrE;R`MKm@(9QLVd`w|+3%R(H1tK)+RRQBV zybsFis!wH2MC;RFW|LrpY9)isdR|2m;R~NWdgE|VsP(qrr@t5J57!V%;4Uf|jZ|$y z@@!EdB6EOJ?mg$xE3-%mr`VOPK4V^s`?Vi?kria)v_9#^qz1GxGL$sk{=6|*_<(Ca z=GB3iTquf|lju&53WAZ-l`Fr`1~O9weHxpb_2@=3c(yzHX2bhCz47=-PZDI2`1oKf z^PB7Mkplz@BJ>nS!lJQ-JWUoG1;D${;DZ!CWUUa| z%!FXFboMeQsv|Q*(O&tQHinGU&-7%GKt>voPW4v?2F0{J&B&tbo3Zo(C`Msuk6yWX zi3Nqx$S*;@cFpPtEZl-M2EYn;ME{i2N?9u~H*#^ur?c-qmP8%GExq^%l2 z+2#w!KN!%Xen>V*2CwSg--s!!Uz#vfOFpPIe)2G4&R9?_ zvi%c{UYQDI)n5#rxwS8L^G20CvdH@PKj9m|d*Gm#N!5hMOZx%wh;Oe6^h! 
zir2kw$Rl&FH!pX$mnR_lj$`D^#>;?+pNWzod|1CfYHkHI91`sW7_jT|P0QpQX)5G_ z!FPF6XDr-TpTRR_)*-sDHHDcJLLPuBZE_%I5riCpt-(KUq-pv#-2lMRYu z=MO0P6=N8@)#PvPCWDE9`+gCHNBNV5@T>D|4II`8lRArB#c{7I^?{9IR%hcM$}aYU zt%MVpbTt{HxXK!#$~@vi;RoEpguqU`NKlzJyqMfLdP;;GA(woi&2K~to)!p9En}HX zOXjwM=yF3nhmMeBoISJ!4BabW#;7n<(8Xk26@my^1?YaE6h?ycsyCsulfGpuWfqV( zH#fCkEUx5&R`czf_;Qx&=N z%jTSj4Xr#qFVi}CG{z3|MK*Z#bTQ^RB;}yI$$v)huL9uoBd&e*IG=Mi_}f3s%!{rw z|N38>6g2GD$9I6yRY1@7+Ss#U>RGrCB6}sW5JKt46WH^Jr@R^abwj?qXzQInTS5^w zF$1W^eKUKWjx+Kxk>rNT?=AYR=Cy*zTy=#|&vF2E2dhgK-mYV#^TMFnjSCqTi9A=kZrU|o5Euio;B}A zSlkZO>qnUx&r@8XlQ@*9vX<5YQb!i3gE8dgE?ZNQ>|KRNn`REJc^80rKl`a%wI!kn zz;U;NAwlX;#Pgg_O)dH6{W>f!?fn+fay7Xs?rpMZ^4MZ|jSKW@#xxFAvak941-9qw?EjDOM ztz2|a7+N7r8>cm<|ncHKD9{NWJ1 zF4L9BB_Hzy4LJDJQrVw6X+q2i!`}|G(AmdZGHcE_d%iRwvMs9vn-2hNyu6w zPtD>{uN&uWuR^Xo%A3(dm%)yd5uH*yr@y`vEh*Gi&(tyb?(n!#XXXM-3eZbi06h8n z$cTStdb*nEf4K4w*xwNaf2EHlD~7j2;qPTq`soLeVxAB4qm-3HhJTZZ^@Kvq^zJg3 zs?#*D4olpO*;0CTx!sgB@sds4#u;$Spe7${ZWR%zmhvO_JfWz-K?^8t@+x>8?v+^} z+$oVyxwawClSgh~Lj(AG7-|4LOECn0yC#Bg(pkO9DPHO+7;ZPRU>Oe5D{OoUP478< zAI|SG!ePjZl95#7Dmo{kC%5m}b^iIVm!UQ^*ZAq3qSsb!#)d^XJOjuIn&A6>BUHVq znhY<~E#E+4gMOYcbOg89=#F!k8iKEn)3xaWJ`jYuvt>xlmx7>JhhH}&MKUF;#8|1{ zL~EAYnbx9yGJzHQtk6yT{>%VlLVvYDV4R$;s8ogj8?yt=@JH0P8l*SDCc}vDhwNR* zdekk`9yIhOr^Dn7SD7x4;Ppi{G$_oLuL$il(vODb$D^|35#OO+;v%tqhITM3)=W8k zAw|QM_-I&#p9LfiqyoJ4Gs_zyod#THO4ge^gdccHmY(WrCV%!r(l~466W#UzUIcECL3hQ6JdnfNY68s6g{!-fA`nZ0LEz+}BOU_! 
zhEAI>)80zl&q|kuv`^ztlRt*Hj99?4P^-pI8xz0J~0yuyKF#u7PXe z{y|}kDu-Zd?>a~f9!|05)JV$-Eqybmim)NxmVHXgQX9%=q~dDj-NQpppf(&WsKOV0 z%c-QPFRH?fj4nfoN7jlFn$xTCK9$R9h#4YwhiJ|Fx_nh6P?1;ld8TANvX>I^;xP8) zmo*2-Oe=asIh{ItSQ!aZ+~%eyBnFmpoe4ck$O5ebUr}waxc*+7kf~wE0l3>qB*lJzQVQSAaw7%~(JC(oqtsrY(?>*2C z&hG>6QO>nZWt|93zcDu23-Hu8W$yL^*M4oOcDBb;m4I{qTJrpm?^m;0b$E1cw+E`E ziIj|Q|ET=-yGYHknkFCunZtER12WVQ(w9X4BP0C689jcZ>;=CGOYDl=E<6AKduk>S&hZXfcvW^vd@ZbdiX4I4ML zsQ6mRvXYW`H0=_w@K-kmS0+(y@dC#ctmAnxTQk@XB?bNbQ}rZP)QJPqAshbTIvP{$ zD0`Ug*pAz_^>Z1Ws$Oq?ht{SQA|o3fNwPCf9jX?cM=3)goMS!qt@DyrU1-FC2*Ovr+x1T1{7hk|U?w%`^_7G#L}w`JMPe&#{| z$v(OQzHs;iG+o|=i5_%6dCJGa`AOm5(&eMO*DCcs?!9GP@22if{Fm8?U78Kk%0E?G z%hqL3xKtn0v;FykEN$M%-|l4|X78I!IgVydZh8mqZrYH4G~rk}YkZrUhND^Q_(=)? z>j3(ir|3Q?iHE{L9bJ&IGs+N~V>YIy7A+X|#jB)%guSNll_-Lrg^9PH|AA;uPG7d z6Qf7P3>!t(2|~!5jH0 zh$R`+UvQO)F#)N%fl-0MuC`T7x9WA74KYpp^|Umet+>vwFddFYbWih!Jf}ICq z=qItuUyj#b-}`b>))j1VNb{WWhjw85&S#Cy*Y^frCo*(mkkBCIcgN2HPVB0iAJ>T1 zNtdkGVFBSO(7L4xnpNKVN;jJ|hSD;V;pj$}=h_xZ92gpNChyH$x0VJ_dsrA9`K+>8+9*JI*41Mnp*+62H z3)|GU9iD+&vS<`he?KwsU@ruiKJ@@9EiHc|9@f4zKPD|NuS9G52Qpwqo;caJ{8Y~E zFEQ{;>$@+qyu(x_+4)`W0K>Ed;y}DdBH5rRqfA#Xlga253kQ7+oCq@2&b6pE5k8dd zO?bN_Hq7`f|B8HC6(GlFinzZCNG^6}?|0K6%jK3?tAsuJ)gM2s=uk4v?HtD^ZzVS3 z?!+T~ZqL>R75-{Ldwb+I_+PZ%kwA7RVR0>dxF7LiN>ANpWQ0U+a6r><0T}1FADs!JXioOt+<z-Lpfv9PSoQru+ ziMQjMo<$70_PV;%kbEYx2_>7YF)CJDqu#Pi{fh-VO;0x}(Ct|IA2 zgHhKXg!d!IV!0@c#`=sK+1J!oTYXnR5Md__ynYLM1Ww)M5^KrSF9T9uk=UkqEP9Fi z0)DnGy3BXi#+Uhdo8TG<=tO=a%A}~I(V!L>|M1FxgB$o^Tzhtg>208**-hD=ff%}a zP1^(X=G-BY3#KvRtsV*)D{PCu3~Ey2HVdc1faL$u1{0ng{)8-OzMy)3@M1ZnsAJl^ zx&=RjGfD{wR9W{)Wc(`0dluXGgztPUernk^VD&Q*3CZ9P-b!Yz%Z>y4(|k-}i?D7b zI4=>qR81Fxy_z4qp7u&f!K}Wx-f|F-5awSVb-$!9{C=7!Z->;4Bu)^4BkJQFC0=6C zw_$&lss~@=-wwv%PDZAdt!2JtdfZLMj8kXcS2){AU|0Ka86l5x?bE=UY)tgK3-<_- z#PgctztbkEe8u{{mGescNY0b%bL^FV`@+ZMvn8L5!MlJ+ zqRTUPXSCaGGiYjt)lqv@tS5s&ThjmS0aDZOQ67*(X;~!)c18)IIX466B!pNgv=!YI z556T&blCayo#B(Ouby%y;}h5#PUo*3<5$Qpe7dAruwELY-4kg4kUzLEb9Sch68dXDD#;&v4!@Lk~38eaF 
zZ_rLSWq$%%7!@6R3@%1&QwE@niVBOVi}$cfb1iS4FNv-4y$m|p;e4cKNApg$h)&Fm zwYMGZrEZt7{h;f5b+Dw3DKL%f`?jJ{>o!D1hIN!iOQ?)0R&7 z|2*Ow*Td8GM>ra<8VHlIsdEQ36}*7>WC2|$W_~-{EOKKAm>!UwYPzpXTp6Q~5PQRo z|AHZaIDX@gvvT|V=Q-cQ_%a-!1vs1=W)7he}6JK{kr{Zt8^!S z>$ukB;w~n`d+J;DbA>ZgshF3iqaIvWXGasR?GmT$^EZxiZr{zh#yH{OANsd~DfeKj zzpl(08GCb}*o&~gvGXw^X=&thow=*oCc)$K_3A%agRJ_YXWg$a>kIh(fAW@A_|?|% z;Jqq~JE!E;Vcc^2o)JMHLMN{48*iaC-I#B$<}nnG*FCJZYNL2qB)`_OmQ}V-i?Sx7UYC+uOb$gd$RS|{lR)M zX|9}^-AI3#Nb|eH>84+lU{qE4SyBD(U0g-hPN<#!aOuZ((@^qHgsJTI#iP9cu&Ye0 z2n+ssc9kShv6eWJz8hhs!W|o+D8vNhBR3cJP{`Yce%So1{}NfhipPCp4P@OU+VVfQ ze7Smc_<79sUclq2=>THW2!{G3SC$iDCDmp&FYQIuba6F|oY8tF;_;wDp>7dBl0Fqi z*NBKvBX)B8&@ZyT#m{NsR++E`Hs;+vKkqkO2LiK#ADvyK#<5pg9NMiek^3OjQ(2qt zSTwA3Zq0I3wpI=|+UrQm^Lw&e zE5Jdx#e|A@Z9l+uq|N@Id3hq5=cSBjXnp9wYwAG7Pgg~=pLky0{<)Vf`%2-bKRJhX zuG`1um=YfSeN>*?`;)~__P27lm=d?Bq5yO@Nh5G#cPmoCN%?bhiY#%pXm2_M<{zt; z=o=6Qp?IzLAE@=8k7*-O#eVd(6bN|6#r8Mh@-WM;=%SyKP_@LFN9`Cpo48pito~}X z>{qjC%#G>yzj&REJ~X}ED7XpY-zeN^llyyCt;>G;_s78u>P&T_Jn*mgfcIA$pPIj6 zn)iR4?^RupH+gyVKX%=re981v+WR6Uy-D=+Qs}w3VJ^(ok5cxH4f3-4ce|OHbf|Tp z0nh?*D?0)hei6V0)#GH9%ih4DDR-s6cTWCY5E$$n)--nNh%`|4=kp-}a}W*1!_f-A z+^2;gmdjV?Pl6dum|Ky-jKN0tr(+@bZN2x$BMPk4Em0zRWO9ezO&M71PFd}*<^-24tG{%wcTiYzg8pUkH(F|IKAe>b67t0 z>VYq3FuuiKwVZDJ@La;oets+JFw^*x7l3wfW>d%5&md(_`N};$?GAkXdd9r`ZVyO{*d3@*Iy1! 
z&DQ>x!~NIz-J6CnKYy`2e7J+DI(f=@b@{&g*UZe%J1EyVh%Hn3c>mQC=c#XE`sb@z zb+~ry`t&b5+1&QlPLInwk3xx1vy_>3+M!>hW$SRQ*v;ynNuT@%P(Vp7e|dY)rmlV4 zkqtYt6Q4`$I9W*fJZArU@#vK?5~WBvQ&raD+8OPG5?2}pT|eTx*gvu)2siVtkBy~y z&Q8#u-iuG14`Ix2virMxoG+$MWwKZl`gApYr``8Bg8G-4`Jd`D4WQUQs6Sf2u8lSO z_0K0H3^XWeR!M%m#o7(idW>f`#`gEcQjQ}macYjNDTV!#U~K+S-j`d2=TB6cJK!?8 zNX%Zz&GK}UduDua$@^vA_&)@alIpMEE?gsXUaH}BjwScUp~L*+T#Zp@kUbz~P$``V znIhHZc5ja_bo9KiTfe%r{djNdDaYIQ$4%3LsMzGKr|cDNJMX@qZ8Wa^?AvT!f0tSO z^2=oRMqb0(UkbVHr-j>!a%J~UoqmMq&-^(1aC$~?+Dtyu&hu@7xNL(Ri(Q0tPtM;K4FRuH59PXBotj)5J;^^yyC`_@jbrZN!8QHc^H=@{lc>hI zF+RxnMD5|`n)6uw!l*OWGiW#C)f+SR@6D}${JayHw!K&so8tEho(SSut_tLSp-ce$ z+3Yi5Ht>tSSxm3!Aj)di55R?Gv=i?Uq6rKV?!OG05Wpw%rw|G^usos$e?yeb80qf* zZfJL@f;tdo@)6 zmA=w#!J|l>Wq+aQYw*z$$dutB;y%pMv^1@o9MgCid^%~4iBE07y$cSGZ$94=nu=0c_I;Rg>-J*_ zf!^)zKVn_u7G?IXLNDaOS!N0!4*pim+=m@Aai`6b1ijZp|9o<~$aXTzA`+!BKmRlL zU+CB228m-jGKKNKJ!{~+fgD9lzOgyK-TZs5NwjDz;wrE8I4pik>$BRA?WgN)8ONtp z(#IpM9y7!4$A?*+lKvn10>6j6QMN1wC28?PxdEjx%Qcx#Ual;BR5D*5HqqI6-nOGu zOZJoG1*Q1$r)rrFlJKM`Kf!+GGtnf4M}pr4dgmzylpp>wXt-)My=rRT;nFos>p{-9 zR(D$Mn%aAXF7NJeMEw3r;?b#p5ON$H|HVR8qUwW;_b}OZnO=}iXxnkXd18(o57NKR z`@^K4TVzLp6p1*rJB&-x5%2|VNGf+ZsDDNqi$l!Rx*e6C9Cm#a`eWW=b^WOJ)y&Up zIF=@_I-YX_*RtPJOrK}44lOSTH>aa@!y*nVb11vpuMD4y;qpGq6j3v)Nn1;BkfiW4 z>6j&`kp7b#!?n0eX@?Oc7*GNn8G2;XI%wtgaqh#ube*|Lfj;svEWA}K93IPRR#>yF z>GbZl#aq?X$NFN3JO&xda7O{Fx5FJ=K~*UychkbVWA*(7-oG7|T7*@ax%iMLGyJtA z?q;a76>feTHWvHMTPE9t5HSrttu!Hw05^Yv**o2PW6gy8CNOFemhY~Q1CNadk?D1~ zlX=X`REG7Ll6{&6b*HNJzp^;Dde%Gh+U3MHutDX7CD<&VL~jj!Bxo9;V>XU)1MhQh z#qfpm!ip#47t{k+4hT+d4Rwfe>|w3rfFLhy$83WDd?GVuvhG% zM<~G808!3#tpJmvYIngC;QGx%d8UM|5@E+9H42&mnfkvK$LtBi@Ne6X3NTr845EM9 zhG&IFe>vM9X5A$hoboW@ex@-!L%x5EIT(SU@x=pF~5t zPYRN?_okm%E>+2)Euw!$um7NarPur7W9vbt&)pe=*H9_KaQfjRxD_5fSs(X|HO@U}5N7 zLp40D8vPSBaiqxx8DacTg%p>s&iHhM|8IsF6*TeKpA13bk~J5x(zaiQat8v4y*yr{j7Aqy|G=)e*2t6)Heg|ZCSkr~fwpnroHu^q8% zmeVu~&?7+LhPpzf!51};UQ#>jE}EhQ%u>c0{*khaV2BX1xVD0fLVCT8`}yZ 
zOg~rcLTfuGl9V*3!u*V+kn+MY_L?gLSx4g8@1&0Oqz=p8il4R8(zXFgm{IFy2Wx{- zO=V`oHEA?=6lAgFr^Kpa0_DW`kgQlRr`0g#+~pI7 z>05NGHR;+!-*LzgIUf-GtsleQQt7@Go0%~-?oW}6JO~p~34{^QyHL9D1C`yam9NPUHK;Gmt_N$hL27@DG&+7T9vBSR z>|F|2+NU`~2gt!6KBGw5z^V#>r#36DNnV2b#OkE3dGO76h$TFJzT82_@AHYn=u0c+ zl8{&)Ti%%X0jnKw_O5&8NUTH`s~|n4#!uP%-h3z=7V=7SXL?9Nzn;jqnB0>{($}FwSZLv;9BXzs+3t=sXk4&bvIL&*$&FPplN< z?-35XCcg+=vYp!rx#-(uIBq{T)tm3`L7UR)i{Q-V3Yovc;#7ksq&~k=v?+ZxYxH;K zgZm@-^3v~7X+H&xu|ICln?nTJSQaJxlb<-td?0kUTur`GsuX+8I|J^UH^o`W;#2y`q_d8{d$)_&xh1EMCe)L;YJ>*)N-O zl_+p#SB$+&Szvt!jcT`KYw1<^r=vBn+~O<471b zQhbaJGALgyBzU5|!>BYZWxw5hZLlFsi@wHfJ5?BV!E2yv)pIHEL&)?3+7OX1pSGti z6MBEKI4}<-zr07kON=nhi{yJjZomFGqqw-L#jj|GBUG)Wfm%ab{|2P&HqlXMpn1-K z&_`jQ24&kw9Ur5K=*4nwvL-EKD|>JP$F1vQy10fg-7xE=JSq0CY3|_ynKKcItyk~Y zs(kOw{!EGGQ-KJa!!0P2>_zzby^`{FE?BXoe8J^vC zKaD-UEh2`_31;EThx1n(pVGR=Vzd{THIkIR8d_n`l9&j_0rKNRC@rd`#*i>;1cfM^I8+Rf=r@t;(W;0a&VDK`cm< z_H!c233?6(3RKmJ1m7=~skNw)t`s6`OM)|S_GwpiDOV0D7P0z6k+MJg00)BcM91lT=!{wc51Z(=wXhYXW|QXs)q>Um6f; zK6p0}yURhlh9-!ozcnk0e?{jS$qAw8?PU!lP6J;iWI@x=<0%(7700Mb;3lTAkM7sy zMPFic&Gg7{3dH=*!TjaoQjLehQ8Lt&TRTEc{txG@1B)**1rKIEe?FdAlgnf7t!&<4 zqb@T<+z23rg)bGttvJzQZML5$AL(A;4*wp8G+s>R(mlM8D?@fXb*ZX3{UljNqin1P zCPQ>_ajPBPnqF;Wmo{l>aP=@6YVf$Jlj6OV*;Z>ttm~2CqP|k#ULe+#plrMb2`AzT zF9CGr@Hr_r&DUU9Vr4cd&WXk9n$yM?4~~?bXP$vAn3j>vbTp08{;6)hO@Q1g^nA4X zWB%ww+gJPQjr>?1$;+IVwiYwz4s$Oz#8*hpdIF>GB-Of{e5)N?`@UB7A?RxNSN+^O8W+FOw*kqc-a-Uc)p*dlIBi${^&uZIPPOQ ziWEBW+(9K;D;z~ygiuc9#DmHgsbD8bf1ouy`SkJbRuXQ?q+!r-G;ePNNFFrEoS61x0(p|v0KweqSkK0&*h#?b?&RWV+-wZ zVT~7s>2C(LhmPh4&f+hpZYq2!lH95L^{HNF02ni%N>4GPZ}xal*(F#cdpTRPxH>sB?n!h#V1Y5u!E zgAJjpB_3inHv4z)6kP|HAS{Te;3gS@mQfXuu9O*8uc>iHpaV#AWWX5EOG!4MiqF!H zLq+f4oIac_j6ZsFz`Dim^u^U9t-H$T=&53Re!*MyH_G$HVx(Waxl;Gk#TBO(a&v;F zkcu&fb4y$t+CNTo_cnfB1>TE8uxo=$&WQWBGMLqMXUtAce&+41Mph4>$Y=lk3!L^W zd%82PTwlM$=|Nwi46kx&uL353Cy#BJ)D=H@7$cfF?y!XnTTlO+6>eSjkJ!mK?j$UX z1E7*^8((Ju%xxhGt)wPbmIp7AFhq-`LthIP6>p9_Hc${*P_a+^xSu|q+U 
zrX)r6Q2s6>Ku^4{py@!fP#CLKU>_j!I@JwLw$Ql5oYBWkv2owhlL)C!J}Kz4!aj{v#PtESd0$!@v{T%yBh?a9{*I)eBm$cr)U&4MVE=rDzqrW!$v zGQ%^pChqIg%J#zY+n`?y0pTW$d{0OdabdT5=nH$hupsS4Qp&_`@Gh=Kn4P;5{>GDN ziz^6k4WbCyPfUa_OzVag-jBcYEqW^2eL^71GqBJAM0;a&|4yUX503AJv&-LP zN;8Ag^mN;1t4hX8+8taygqL5sofl3HjoszwHpnHrus4cpOMNOF$alvfgQWwgVul%(H^ z6T?#P$+yG@i@s&30=%gHb{eI{7{-bHSbm`S<)PW;_zG{ZKhYCYy@Es2vOb;qVubf{ zs}gV}b<^PK&H`aYbih60QB~QB2PeHLC!f-(El6*ljYZJ?c2kt9Ac|G>N&c6vHb9Ls*%B)8wp1-y7)+_-7@>Sj!;`K4QMe`Vw=lh#s!` z8hVL7S2A|2@-Zuj9aXr9{YL4u+L8Fnk;PG_l~af*zP_L%y^!n8y;FwYWS6e*0>*4j zM+@UBKWs?9NJ5ma{CQa}|NhBI!>+Bl>(zICj|>x6gWt_&?GGQi&u9+V{5cEm<5`$K zxtleS?;(@v3pbM+VyzwbCHziRWU~|ys`mR1Cec!MfJLnd+FmLx-%yr+{656jy7)=~ zF-hzt*AAXy>V7p{wCZ1e3=#S)! zl2pfQ2K;Nuf=E)q;eBtrZ`>Q24gf#$)K8PTg-q-H<$_dqvCKBGs|&)0Ts&y{*+mTsLq2SGGCs zjiGSnXke9UBKUR%Uh?)`wX&nyH}2%tp2+9= zk01Qh+~xQ;`!d>&*1!I$q-^tq=7r9HzFSE#g$FB%3h#9RAfm;uB_FG$#HOsG{ZKs# z3UdE2`HLlYu_WWr+JE}@qsh@XxBUdhjK0Yh5r|4RG!&Ssn64Uku>Q+Ki|fM+2`r}F z1s{?#8DI6HRi)>0$Qo2`@HhnX#}Uv5jOsouzCvO*Le@p=5o!Di=KMptYIr;a`Z;Y- z)ay3Z56}n2m?a3YUw@pXY9s`P1?d1lD##vQP@-mJ^>x6#n5qNrZIbNR&Cn5RU>hG$ zpP-_;hE@cK_3c}Il?!Nw9**+eoNivBq7vyb1OYuo%;=CRi`r*(IDqrVbHxFdrju9i z-g7P6KDtLLXVw2|*Sx4c|0WH03^4gZ$;(N{xnAYxn_w_JKwsCd{U zZ?Hx@$4I+?fc5!23!K~%Ea%K)%M0#BIu@}{~lYfA4r_VAS0{2w!XIf zo+IJ#nB$V7c;%yjH0kSjdZv&PhNKOLy=+%OLGfOKt2p7Oqi%TJ(AUIY6+J`lQbZ57 z#Eylrtza8`O3|*px@h5yk5Moo;M#cl#_HFb_p0uk>E-NLuS~z4pTZnvmguBC&YxzY z3)gL_1i@fIAY-m7!M%KU=g6zT!{84-52zQ>(>)x8TuUVZ+4SKmPZCdQ%`z$=N-b)` zARQdfe@BP)0EiZ_ux;hZ;-shUA*4s*8 zFqmdVxmnE&d1u|XC2wUt1<^B7k!UwLp2k;BS{mnH`m`M(py_qFH+XkcaZ zv*zqIl1a23DRm2|4~(@L*4EEad%fo!CG1sK zxGYQw3d0X=cEayQpEJ&gn<79*t6Tm77*5S8;2XT^dPfr9Z{Wy@Kp)x3bK~;rBG5{2 zhD>gejNtgW6cTOHxKx>5{2t-~9Pg~O4_Ad&?-S*N*PzePUz8lGDt=kDN0c7=A3r1% zMu)U0gzKp@+jlrhtViA6!x16C*`~g`PH~qs+CuMNwHgIUys^RVspy?e_4Y7k#%L}I z?W?FokRE$2h z7ni+h(vQN&j@+p;nq^Vv2ZW#51&T?apSU`h7Yy?%$*y%jxqq%q*}YfxUk_wH7F{Lk?WOU%Sj zy5T((a<1Hq1BIzfT-Kj@CP5spF}%BjrT^DU=ZbfAY@`*2a)xmh)_URie3INv7bm>N 
z#!x|Xw!|0D&83OpHADpZIfU4)X9W&1%ZO8Qh=gW3I?KXE%{Alzg@!EYdp}{(zH@j4 zp6WR*OmU@n0o~7xuoT(&$t^*i4KICWEd6ngX=vU8e0!Mj9DdCT8s3xr&6Q>eUEap( zFJ&E53`Q2HT7${UBioVhPDWfCNt18{5Urmkw-EWsJxj6$g9eUT9`|s=m3E5+oJmXz zCm_oU<`3Ii2rqqYipmH>SW*YNVEUyk?5AKk@!V@u{{1e&{mB{up33xv*KoO^-$(_B z3gdPJ7sfmOE=SE&w^h$SZ{4ogVQD|D3iS)_p4nk({ABzlxjL}x-Cnh3TAOyOiRt|7 zdkUm2>NcuYvsFAh9^YE31$=C^5$suyw!O8!&r{tY*0)OjE6u~|wk9+{Zbg&p{^5~s z6V1`)rp^WRi`Fx}``-f32e+3WKCNlmQJiT!)3~=a(Z~_sc!fFC+DdF(>3%4HoAuTH zz_1VfY3%rU+Syx%6YCakH$^7t^}c2%FR9Cxn~X%w-H6DQAD^W1uTE)b2HL}&KVa|K zWR);^zd_FPK6+M8a@a8VSKm}d^%la+oix6St8koid47U0lJnG9*st|(beH0u4~5}X zVz8SnkH#@_{leVV9o5`Kt1$4)riS;%uLf6r-yoYf;HXa{_{O*1?tsf)?sO6wL~_nT zYlioJvZ&N~^f+pg|1}x6T6lhJ8&Y=7Gr>+I%$X8j^zQzL+1XlYe1$SGKT{T4Pzi^>9f;}!ouq4jcrxypn((D-n5E=HXA z99{@jX0zVKr7Ns-p86J8dMY|q(c7|z$&yZEOkNptB7kh1c`k(hB7^~|6}bT2#{n2X z4>S=Td$9_1G$fxSSrQ{ax?_ur$N7);#vu1xsK*0em;Z#Z%xPsrJ0S$jasw5 z)|RX!3mC~64Zd1H(_QIO%n4T8j*Uh)eaCqwWHYJrMgV#b#nPe-U>+4F9 zJih3`9lYtpr2mG-=`FET|3`CoCgxV@;r^ulRG=q z0c#m|-uOe-{o!gN769Sv(z>4g-h&h2R1(A&qxpa_DHSxJ93o3Q5#f#`RDv-0PpAmA zJ)WY44jI|EYwbjtcmj1$lM4oQ7L<~>(1%aQGW~K>L-4N9S(4O1!R{mcw17!2W|t!~ zJS>4}5BISn&dsGvjNdJBJR4aK?AlZ#cY$4JYCq3eX4oaB1w56O^-$RYvAFNmw}3#*c$vuist1DM3O(oWLu(iT+CSLfb4lXYk0l0;NCW};H7b}ap;EZq@v4BR zJd7NQ#eZN89ZiQ(Q37Q9d4T{Eu~0zqb307GBe+}`f$dKhI9$~TG<2ppN~~mk3=4{O zZa?;!)?LT;@tvJ|e{9~*l+!MZlRR1}r?4==-M0ot*5{mz zhOG;bM6yKIr?u2&7eh}`uho3}>TT+}-P5NV%{}9LnprX{W-|>#W5=O*l;G#@ zjelmF9?tW=Ifhq~0E@53p1sJ|bHn=^-7);4a_ln^e#e6s)s~^3knEjsi~h#obl0+0 z1h6r~+p-_1zw0#X$IWPB{&C<$Yn^UVX)$0h$#2G{F#kJhE(pW>yky^Gx0NDWv=6{> zn&#zW?_SM}e?9p0-8ba?WQdZr+%qlfNm#i5Gs4zM5fOYXy4nz$xj27S+5QN zyCpgQ)IFS?W1rhucEd^0L`hLdl^apPpcL~F%7Xwxzj&6AY$xcSK>8zA<8Z@>BOx`* zaQkgHE;vj@D(h63HWQ7(zjOiO#ONZUpv;-te0~Pjqj{VNEHy_hkg0%)CRsNETOyu z?UVd7=kUuATV7a8DfTMhRp!E*_gcEUHI#a>gYTHq0vWRw9d75u#jm>@+4FHMzR?Bl>t0VNb?QzWG+q zVKa(X2gcDItPxpxtBt>gUrJw-;T+n#b$uD=UX3}K2Re1U$z_$5!!1pq{ynUIulJwJ z#4jYOb9A}l?7|hEZRXqUb2ER7_AnskHMI|aPB&BDGxm=K3ioleF#i_zQCpoqxa|gc 
z8?tMjBr9dKV304E^{S)`4tgq1+9e)y8quMA;}#tQN6s5t;hzCYLN3m$GVKjNe>>^~ z;yIdhX7#G-+q8A>)G@99Kq~eHt*s_8&7`#M-u*`Dp|wZ)a**PF(VL&bPknU1<;{$D z-`*=jy*0Gm`Fd4fa@c!2fOuZ`!-I343b6O`#Uc}ELqigmeUtS);41|OZ4`oG4~lme zgd44h!HK(;FsNa?X8+((_&U^pr*z#&-3jy(7E~&%PU}Ym3$ho3s>^W1+68M6Ak67% z0NDLG>MDUazEr?mr!~a_*n~%v#^AP+9FoIQ#Hyr_5c&|=YcWGW<5)wjkk^b0lK|%{ z_c>0GK1S9ogR2rWf~(9Iz|s1-DFS*DD<}^qGLqs&E}Do^q?9q|9G4&)S-k7s$VN*T zcPOOmM3+9JjFAPhWr{{bHV_@f5h$mzQZ9te^#KuDFL(M&bZ$Wgh~|NuM+i;!&5Lu$ zRYQ|)$Y}$3#-^tVQ4&^gw_pj8jXH6NI=$s*p2^QO^^xDfSX5z@w5OhQ)Bm$}D=`ll z^<6ce30x8ha{$;4T(-!U)YZfMZXL<8dE~qnXk?VIQMfe}H7>wa!rh95B$32x)X-VW zHPDsONSO5Fn*|e@zz$k`+4Lz)D=L7^i)gW*O#Pp%V+EClt54IC`L?Z50M&}pGhsAo z{{)%3VW_4eWs?|wz1K>h^JjJQkdJoRbJRzIX`0;p{U90o7k$gF3c2sarmbh^f~x0G zRy-F55(khn11MF1CJ`d>ZGlZ_o1^08Mi_cFo08R6rp6tE(TKl#$`@+t*mq9|OR`3- z^G3XETl;OP*Vae#?L5ze;aitsDz9s@TQ3e<%A;vcPU24pTne39zL<=%W*2CU@jUMahkJ% z96ni-?u#0b7m2Pc@>tDTHaT2CHD4Gf_^jx) zTPqYSo`R^5+S6fuX`VI4^_DANkJ+bUMSB%bl2b?}hc)P-@8v~vKLd8KR2Jwdd%Ahh`$qoZ&`14=s)2+sI1AMC7`9xgHN4q5s&CZVCI9;6m#MjHgmLO6boJYv#%k%m zKM3=sB+4N)(aRyXNm9ISa@f6{eT!?MOcB#Z(CFnnf zu~ILp*y`~>f_wy6Tk)~fRsyVLv=OqZY>{ih6o@YHVfG>13){EyVYX+?Q-1#&#{RRfv<7t#m zxjib4R%L2QJt{TkfESxz6bDUoqLFp>qaMyLhTA0IcwNJm5L=>x%!_5>TOb~lar&NB zPJ#IBHvi>*RB;pUZ!eQ|*9}{*3N!{p&(wVo(na=~=G`P7DCA0mH_I(Tg8~9zW{!RP zV7KebXda?`-@A|DX*8cZJ$QX%s7jkPrrtA0CXG7XWm_!iDZO^+zw^#)bl%gB#{ND( zGpqvXJEHtj6icf6HaaMU$*45T=c@aNb! zODMLGltwGQ;ak6DLwn4=c&^jfSkLT_-g13)ox@r(=qgEooKatv=)K>LqMs<=PHplW zD!n)lY1J_9%^_cky0u*TpZWusb4>J)MeE@LwprkiO#*Pm*mn1|J-bXbdlBTLuU0sE zBau*eCD~YRlxf(Rku@bvYr~e#Bd^zWA5kMVeJ{;Mj(-d-`BqFdC;>0W?Mu*=p-2Y$ zwtKtkS^_EVZqZ8GT?|=*)h=lFIz>Lk(Jg9zmDCogr$hp}&*TyqxpH~d65Pbv9dAm7 z&PhI$5BfbB{BnTlB|z*rh>N^!^-Ei|6;sUqBCwFKWm! 
zS7u9TmU3Rp7lsV$VQK(CXZ#GE{O*=!MC`)wD^6*VC-u+G%b!}ck%riP(#uHgl0a5aSvBR!mhbe&>zg0cA%P4I<5`m2VynwLqUL}-+u{G zfM+~(=%!kt9Z{7QNlNXe@uXPLgx-rNs&}EFM2JRR({h3m5;FGS{821x{A51m&u+!_ zi+=$)9lz3>ina;dHT3MR+HzmJyxGFgm;8mrsa?c8`%DCb7pPMROrPYrDG;#6YNn(- zg!Q?DiQ&~Qk2IDEOkd(;N-zX=n(`i2^c(K?rHkmVXt+R_2{3`cC}SORg=2$A&VCp7 z)-9|IEY%Blj>?9#F*N(cW94f5&- zYNRlR%?jedCBSPkS;iU{b|J zK(0W6+Fc!HIqH1>{Ev1>$X|n8$-?om8>i@Fhw9Ln}%+ebsq!-W3NF3_+ejZh#vxJAajW-qy&T9oM|v8fOD!9 zoIq>vAK$>x5#@^(mosG#9vE4f(5d^#I%(7lS~G*)!zm4Q%7A$r2#q7*$fQ2?4TG3+ z3e$TqDp2ra>;5HtNeR5QkoS?z*AtJs77SQp+$0o9jjZsHckyNcVL(Wc0!0b5 z?7ToNz({>a(;Q5Ko1%Fx_X#IXDK4$yWf+FWLxO+}5%^v5qLF%ja{^p?c@OQSHu~z# zBDK5g<_R6&XDf(RQ8sQA*_Im3587@oz8=qeTwrZuyH=%y0WBJ(qE!9mNOTiT)^!pIK|YX6@tAKzRw@o=oX8a0lT9|kX_UdWsrJtpuV+tF zRv2f8>=8zgYDtevjgO{P+#QKiio}bHMOZlNMWAb`-(46D4h}pzri_x$b~FF5Pu+g+ zqP+U-3Ca#znnN-`r1|7&LC}Ss5i^#sXKRfa#M98l)Xbjlwhe~w9e_pOW`1q=UljQPsmKE=bDgPOs@CgPnH3Qb*p9kmtN7Pt-ca!o-GctG$js|BM{qy4 zaYAe*tJ%DZ*yuXJz+J)DnvT=`!5_<-N;|vYKi3oD{TAcruXLBOX(ru)Zsl$qF2R7f zvayBk$$H5G5Ll;z*HDfQL;1sk&8!V=MSmC@ekMuLaHKgB7%muRz0C!L+A)KhlGFWM zV`TH8#KKb2wm1kpu0J^p!BGe;=&>e+qqWu%%|LkQ0f%JGbZjgnycJxBmkKVW@~;mD z0U~}N$ z0G#8sDES`Tkum#m^jfyu?63#XE!|GsG5791Mf?8zrX0S)T3LKn0#tfH}z(HB}=`=ep(bK@#g@Gpl z6EIx*tM-u)u(Ul2oRx7+y5alv>_IjEQgek#>(~5Qqd_3gu8}xPr$MAt@)EQBjCFi! 
zo;S(?CbBrq7g{?LK=s_#@JFN2yYq^d2aTag?W^6^ue_cuE#$8F#=qLPVQ!Yc!J$d* zrzx$NL~@5}bT6G&t8Z7G@WdV2%IT>h*wzu1TYO-!XN>A-@gcc-?7l&83hqbA!+YUv zKEeB}V|Uiarpk9-Hnc4t726ey%G9|QOeV6T9Az#`!zJ`qWmo3P)q(m(@A>VEMqTj= zM1F}Vek0^wMfDuw(YeiitCDQ~yx49CC%bhw{Dl z=VC68-@65Ko3=duaYT0NIR+4_(-k`}iyJSddETJ$v!ou%kM6$)S~%uB@rMr&FrS_rr2dPaAOo%{;dgey^7_r+7bVUmi5w@HS(pCIcd-5&PGU(+ryh>d zowx_{f8da-+QT(&m$Ki;!)~gsn$Pc@wLduDq4Q{wvb;YbJN&;MfQ1P84wdi++oi&3 zi+7>0I-a?7K8aNzyVi0Am9h=%ij46LoSGPvc(-nVy=tjv6vlIzl7LrR`Z>Tn!TlhD z0s8_vcaex@^=UK!i4iN9WaIW3E}=_k3u5&Y{0-W~-upliyi@_&KQeZRSc_hbJ7$xo zpD`lhu~azv7O7+;q~M&*rs_6_(Jq{hNTnyaRGhyU^8%0$!XnW98N0=D$eJhvGs+E^ zMp6wgyW8sXMw8>PM~qWFz@J$}Q(Ed)LtzH;(1HZ{3A!IaLdB4dj>x&T0KK)PAi-6;Ud8{``?o2!`fZ84 z%L9s{Yem}>^ z5mDJNh1`$a*9z%pbxLM5k|fE6b79Pe@%fvqI@DMt9Y>+_b?|sf0(=-$2!$g7{Wz2( zg1+N9CkB+HqNMuda=c3rMT#qzP-paWpDKV&IQ-YTGWLr-?2pNQNW!0OMo}2MZ&KC- zMf67dZXoq}S9KuYOk4u;Qe#%>EiE&)d9Nunn?r`UF}6?r%604bUL3GYQ4JUd_LG6} z0H-bcn6P7H@f`2jv8?IApD4k-%AG5o^>`IddC6Tnk+?rdusijEVObSYOV90=j+WY+ z7t}A#4lZVvGOqX-a;dWtNUx-TcD+b=E%`R5cumKz&G@W%Xb%hNy*eEW5`WlLbn_w) z)uH<2GokVHQEnb_?|kyG@MIOfFKK)2y!z$UWQ6hQ@%o3iYBiz0kl+_XRFXA6)lV#h^Jjs`N7{OZi0q)<>79s;c_HW_EJg4ACLl^Hl~KxPNaDr z%?o*FU4MZJdNOnRQg8|HmqMKB)IezyIkyf!5<3gXP?YlgH2dBMt=gQz%@U- zcJeC2pYDI=t6S?)TFQ>OJ=~SibbcC(kQRNo<=X|}F9SfxRd##;#^|%8`J)=;X-guU zg@HDHNPxajT-TN+1Kp7gB1ga`qUkRaAi%_tVphQ9=B`FBVMgi?%-EF5BKcZ6=7+2F z&a&Q}9D*((vgOffj|&#TrX4`NHbddABuMl^9qmJ2Olh`UoSQw{T&`f}Iow5?)32YC zU)2Jvj~pNNwkdv__QQ;%}L-#-6-IkH+``jf*G#>lwmR5Wm}o6P3c zE}KRoKSgib+U$S)maNlqSnKQeDoZ2qol+;xq6VkX6xPNWqUA zlj_#@u;;C)i~#V4a5ardrI z(Kwyk_f)%kVnb&rmI*xzJ~7%QtivPi{y=HHe-zL}U{6SWoz|)7CHP0+NYSwW*%rI` zsd!uIuRGcKtaPeuP(AA@p+a&95|~N>4b;(&zTW-iC4sX=0dbBep))=N^1;1ZX3Ikq z?Rn1IkA7pm&n7Ql-H!nn)a8?}bdeu=#Bx8Psu%WkmuI)+BmP(v5$GqwwwHh+hIoWu zUJQ(QTPvIp{kY%dSEsjN#o0G@;{_@SYr@50D=Kx{t%kuU0?lPgn#X@b-tU0DCa-D&N;o# zf1;e({3i{a0AU|bvA@yx0Z4(6*r)pd+29_*wEPapt99Cn;5t6aGykQv7zH3p!Ug89 z7Chd^4(%b=Gr-;cF4{!;g;Ga$x2(kkcOtot3-_xg_w^JfySI%LaPfRRYhK&EF3pq1 
z4%>pCaCaWRQ&BKAi&uZr_@Qj|=9>^e5ZGSw+W9DsPEn{IF$v^8P8lJyL2FR=9i;MRAJ&ev|v3sYZDXT?K?D2IHUdolf%coESv(fbB7`BB; z&riC1>P$uJ_hFQpSXSR=y=g0q0_0~aAy>HwwDJ8LhAk7leEfUh*-6@EIv~(}M zlyphAbV)1SAs`_r-AFIFz{0-A@9%lunddKObmqt`d!PHdJ}IBV-l4Qk)Dnjv=;wR_ z)$&f-_lP-R`16s^E@lD@!4%S$BiFVgI0I{?(Vpq^DGIqvtTcgbXCs$+ zB-h_wml3+POv`tL^7N$S{GggMe1G8?(2E7Pe{eCK~c#Z}wmtPEiGjxYrV>020vM?Vl;}Mh4M@cXjb_9YHkp{zqfJ zGc#a&ToI1%Ewo8b3o{JerD7BU#I;M``A*}fke7_sfgxWW&%K6H3bAByTuo>{4s1O5 zy5CZ~RPYlHDqMTS`*7ukh?|Eq3Wep0d!J1F7H}(Umu7^ncVZ^Kl7h}}3#nTQ2 z$Nt3~K)cL%Ndu0g;GL*c_AWT$6&`rCRews^TWB?WL!bc-M|UOkdS50$*sHFtgtO(EJIfkW3P3fOSDNX4QHo%|rO3ie3eDuVJBai$qv(U!sdTVxlsPNWj-j|laYngmXSa&OL4u(C;cfRsH$ zwG9Vk+$9_(!kY@MRd9aiZN zJ{ycRo@sb$F^-2NV9({h6>_VaJL@*TiA+sN4bgIGu$fX#t=hp{G{8D2L>x;h`bN@w zfg@>@*a4B`M)qdKdeKV)d0p=ybI#!@qfb1xf3zJ5YtkkPLF~7MmhoqO zpUX#!*^IC&i=s~|VQ)z3nWU^nF|hR%hN=4$CJL+0>%FF*4t8%WKO9O6axtkHeP%+H0;NFr?MRxy;L<^Ex#kc&dBJ7N|2(a{xz;*u z(Kz^YfCXemdboTR2AzhC&;T%{#-0MPyR(cX_r>;avR>+r={~pEydh4ZxA7T#hDJoa zY4zVvb*ZklF3c3F0OFYX{0Y7SkvRq~khbZE6DX3H&B0%fOq{{@Athy)$>0DL#R>$= zV9@*ko{#-mcC*!H+Z#=Io2q}J&@Do8fK2ZFH64Sr$Xv$7uzL~FATcL^Nf2j{Y=edK zd6H#N)vG|%3_7_;w4JCDQB+U}GVwpHLz4U#1eHtSsYNe>gd>qwlugFkzPqSv9>|{W|*n)Ul6n7YN9*& z$(r8p4zGFNYSnmj<90>@*jIO|eh75AtfE^PewG&d-@6GAPhlCL0^+G8IF*HR7*5Ks z(Cvw%NYiLSD$H=nX^hMKEqGx5saJ z&oL9E8{>O3E7GGagN9$`z_Ytsu7A(h(~M7x8{S*k?sUBNM#drsoYy9&GkReh~{=>0gYwD-yNBTLS-r|^rDj;0j9zLUuCl~2*%sJz$}eMW}ES26}a zPVLOQn1~f3KIuivtSfv!m)4)jD;p5cAh~&UyzDLVfhSMX)Fj^XjFpLy;(e;)qFJ}Q zrS4|ec=UZ%^0oPD1@#7)F6FxQ#j(ro+w;d4XGAKCYsug1m~W+2H+$1l(Va$J&2w6N zd}n%FQp0LSvHm0zwDkD4*FY~`wzkEpZusb3?v#^i*t-GNEVDNk=zjoiCzx077^|LW z9q>B$fY~_qQk{swvcg#GTCK0A+)8+cOGKL}8ANHy6nLlq0(CLEfDMR=umKYkGj1j6 zTlSgdX7{M&@*WkDD$)(`=$)mkHyR zQNyBF@h>83H3^V8AuQfN>m6>OeJZD}HzkhuiP?p?P% z7MC(jh#2OW`$j^k+@rq=yqHawPCX8BqsPmYfG~F(K$d->RVU?vo2v{Ik0!Z-reLC} zY+oKEZg(QSpq~C*lMI#x-m&rGEa}C2i4XU)e*_oY$;F->C7;PGE5mJp>G{RhxX5)L z3g83xeuVF|{K_DIjEa}w#`!Al&C$K{0#@UB9EZ+Eg?U!No17N*mwW+@8R)>=8+Moh z`1hC#0Wh#pR6pdEBKk|+wwKcDH-{oS5%d1Gl3 
zy-rkTU9a5(d-!mYa|lC66u$xR!`_ORN)F(NkHX!`Xa=9;$xbs1zeJNilX@LL4#3`< ztdV4iCokk?W{xpt(Pp0c(}HW>V~=Y^KRFWd@P{o_a~QgU5j-5Nx3gToyw`+WRt@w` zRtsemIt}m1>NvlL-JDW-SQTA2;-R0?i9`1d(S=|B4?D5Y0+}tqE}m_=mGiJ*G%tto zuK?xm`waR+KdmsCb_r;@C&EhFOUdCxS`;iTaxMO>9X0DB(ROU%IP}Wfz7Y)tWYia8 zWxM`r5pVMr=Fq0j#Oh6Y-!ie=g~XG6u12v!>jkri#_9;)5+vjrkExy-zE8UyNTsqapo|v-v{QWU>eN7QnN9O1N40^GVys_v^Yq-f z%gWFEKgKF}hwJW6q3qyz`uumZ$`ksBoKcGq>`_@D5W>n`(YXC(&h#0RIiIJhVzdZQ zmDEP6i_S#GlCo)?I7HWn0eX}*o?vhz9F>~_+kcsA4Iay}wc{>}RHK^|ZC?pCi%zcfzhQ%^sDzb|<#I>m*?D3z=|C;IckN%z z&)v#h%gcUg5OrHa$a%;QV7nPFBszYV;uM#T>G=odv~sYR4a%C4cP>U46ou<1q0K!6yhjHm7|D&q&y|cp|@sm_!C;Fd{)!z z(Fs^DB>w&BfO?a5@Rp@o9U)D=tN%qe{8>}i^I?`=6O=CR11{8S;3KW?s*V!lKl?X@ zi)eL*!8yLr{1~au*s@g{$`CkaeFd+)pEd!czE6cq8cnsNIi&RU-iG3hS5%xSWNEnI zTWX$2unRn~WCQ|NJr2@Z)mzCW>G{8wHbW1Cj}2=jZu}}J^EF=uS-1P?lj8hH%hk&G zu6t9b7)DCy_3a+10ce>>-0h71`7l?%1Et1uT^n2315%*CE>>Aqg0z{x7h}q8s~d1E zz9nKHX4O_}hr|^X3&sW*SpRsktxV5vQ&229-z#l!IJ)2vo~8{!-l=BK+7p<<={jWAHY^Ov!bZ*VmP$s(q!at^InA)bRV?cbc4HR|(SJ{g8FAtD9U6bZrhDPm zK&;}QUpLh-XQq8h*Hh?OrED(6=24>aL9Q`ZO%zW42g9_hZji%9c3c29C%-P6f%}VBWhAp!eknU zp>M#eS2qejcnY$7TF9m4MyUIAdP*?MZKN7{(IV*;s?|FNm}AFnWY^*N0S4G~Gooiqh|TJdi>gd^KzrYl zD3u(3AQ?XI>Oq^_KZQee=MwUZVT_BNX$0km#HW>ogx0GDC*xnn0YB!}-7 z;nHJ1XE+Zr(~{B^WGld$;<&%~b*EzLy|#W{>a_=$FD#jZ-xLpelL3L?Z@dP89EmkY zIe@F5|L4tTKo+X>i^XHAfDXk4v1-oor;NAkVz)ic(piV3m1|@-Ls@yu>n9Kc87Hw-o|2-aqPqN$qJ>qAEHZ3fb zS++u){XX@1+pR_)sjTdH{Ng{yYPbxxG{lr>bTo8tJFLwU@??SAq5BM1u`ToW5s@X> zwZtF8yt7iVz$mn@N_$aFZq!$?UAc!;B921?Il^c7V9^0Au7R^A9Zm_gnw-hNZCGBuq#-@9E!lKsu~sD) z<%9EyinO?+^FhKTtB?vzuh{&z-(sI_i)^1g2J>LDtuU+ki@nfU`;u$y{hwbxk{MP5)m0h`4Yr!J8>qJ;jvlGW0wa@cOUtm`ER&NQvi-ikv5{Z-S?5Qp%KlmmXe0_j1<}Yr!AsOPPcM&t zR+P3svCk8Y2{z5b9in$vswipLn|2yF-TyuYlDI9J0ZWAOJw+nwyF)nqA_fhClXJMW zbo-nQ=3PDkRvqRAOn*Y`PFq8tB>m59A@F`W$5%^N76Le*Wk1xi>ocr}R+bIs^V||j zgQ$V(6*Z=F`bVOMDE<(xjb~YDNh`nVwrICWn*$#LkMHx17a)%2$Y{?8%gdGPM@vVK zYCojz&jpCdRj;l7Da7F6(YEDAGVJ2uMzUrIn*XaBS>*SyS5$ZZeK+vH752bm{|jP# 
z-@Dg*3empr&F~7`%J8JqTC2zL6Q`D3)VnEkBN+aaeFzJ1?~hdfMAc=#STBD`*z(e` zgn(Sg`2*sO10%KMvftmT@G?9Rn!85d_tLiO0n%yf@tJ_NLP?z?*kN_`zwT*oLH zgG^vMQFxRYDm6otQd%106gWbUMU+vNlMib|Yx3~a@cP<}q`l;6yD<~Tml$q81#rZO z04|%{)2zxevtU9B(&agq_oJp%4sN)wJ&?j6P?WT(w?&MJ^>sYAHfS~xb0&kh@J%nZ%Af2?QVhDnzRiA|0cv7NA4K9Op2@3a zcjC){Cj$_NK?-TEyEQiS)9wxsUg+}>n;mv(6(!%0ipCxBd3WIBnH_{e;y=pZ_G_F? zrT*Iz=(t?%vIY2{iK9({(AnC5wjdH1^6p*Gz*|-<^4(;#ls&GYI_G^YaVUoL*XHa6 zG$}tI9#emdPF$;^8uObK*YoGdA3KtT0n}QtZ@8YjBHPHq=?F@j*YQ%*9CRUxV$jJ3 zliWt_o|6YY!{!L$&uoaF+ucFN08y41C)r5SwT$oDe?1P4DOYvf|J7UgQoK_73GrXt z%HDHnI}z@I=_s{giJbkY+;vb7xY-QB9x5vve@fz}U9(tYY|y_7c-P9CqElWx9HBaPBlaMZV`Ci_Yyrtgk?OE}a}QvqvMC8^ zG(edhX#(*pgEG+ngv$zw`S@uV)QW?PU3$<18`?D$-|TyrhZDNFeO2@p4ARif`1qmJ zihy*0149!{%A|Ycc&D2h~l!{yqZqkHEF&HfLN&sIs&C zpTr~MzF#lALLtPXdQiKXC)LFBeF^_vCj&z>?9edoDswDKdv{d(k&hGQKKTo#7 z{f_c}pw~u3A&eQ*8M?X9r+pCYbsdg|sOm?1g^90xkf`LoNFX#!xg_NW!B~V|#MR-R zB=UCmM|Rx}5X{ab%(S%PwB#lHv(`(WrNnA|;qg~3>XH(ce$m1)mD3@uEB6*5$D=%vCY51VL5>cR!X^Ed@5h|?M{CsxtdnY8rRZoV1WSV8R zO-7{nyY&Y{K`+j1zbKU$WnkTq$;a7w?6nOo4G*PzKLsAX`O;F6GXJS>h{gHAy%vCF z`2phwA7I>w`v@c@1M9Y2fDv9CcXaSwf0Oa-oM$ZT1DDiTJV+dBWKhdNDh?&84Ecm+ zAMgZ9FA*&J#g)r7PICfm#wq3Py#BC6`6okNd?J&?k3he*;)d|i{X1E>SoPi1?@q~i zbsDQ`KT!$Tq2%8GR-A2&Sct(m54n(CcQR0J6e1h*0mFC~TmPk^qwEpBVeMD%_|Pbf z3e63ik+BM!(2RxjH4DUvv$o&TW%E2(0=F3xJ8N>4F#}Hi?3raduy7|x^05Z4Kb$HN z&x`8H|DP*@OGM^l%j)4TNLZfJsch*0 z#TQxz+^k`En^MVVuigh<1Uh-&G#`fWp$BT*)#Ck%%HKbvB5kE;h8KKmet?!0_>y^< zqQ2vT*r*znlRCq4ZM6}A$4wi@tVl{ajY!l)da>$3+n{y~;32$Q^$iV?OWhAkQ}yd{ zQ2iV+s`_2=Wa({@j-FBFcDi;#kNF)U-wgh%7`1yCnumZ3bWu(ApNU$a_gvpbOCrRox z9ej$>-7}$B_?d8W9lx52p0OvPEBz=txIKbN8OPKi{B;iR4Hz&B7tv&lQbmxBmr1@0 z`MEk5FwaMGcQ<<>YH?pb>7voT=7{&%O+S$>!(MuzpkgpXj-2l`J!Uu~`JazqJ4!{l zB4KrF0!QdJQJOl?e!>M@%UeJ2>w{{HzrNRU1r;V0l^(3;ycQ1}yY! 
zcn5ve4J^LAb}@XN2!m2U#)qhDDq|Lt*j&Uhto8Kx z`87Atb!I*gKd2>^!Nc=9I>otTM%_^Ke&f4o=SW>|>~h^k!#7LnzkXlbO22;V{`Q5i zz!+f+qZIqwSw_)$HaIz1C5Ydtg^vvIpKbcWZmf={4s6^qZ=az-rKD90Rg9jcJmb)2 zt`244%fH;wl8*Hyo=;}~cw-tE_%NVMf~3RY!xHyhx~H&7IcRS^JgyC!;+$~_ z`~-^NIY%gXnSICs#bu(|MiHaNZPE+!|4u!eGX`@2!W&xMMigo{MOVP&&KNU(tFS{Y zxl)P7yMB3b4gJNECsc7be#D~kGZpU)0F2I2D9)ca)K*~HjOi0SH-9eL3ZF8yXLm9e z&C$&fv^ZJGntpy!A`)O_ytvsIC0`a5QFbO@Hd0zPGFWytSQa(7Gu@w&)t8aUn4ZO$ z$C={ zf@1TioHXih0BP1mLVujpPx%p$MvSn{!YGU_yK8=a{$Ut`7)Dny?eO?JUuAg31E2RN zRN75+^!}#R_9GfM!^?8__}QK(|E1UelhoWFgPd3NwWE2-orD|ON|_(D%RA9vgwT!VyjHZr^KKfSJ9#J-NNXJUgeO=carjCpm5#l@$%sjvYn1tr{e&5;2 z4Lmk4MKT^AQFbBIJ)}Uu4ZTH@+~?s#E(Q1v9>7ijW>81FD51 zk%5~j;^Oa?sAAA3fe@{~1j3EnFjI+%w0|>Mx2Bhw2$wL%i*Nr@#qc@)pn5fakjelp zDoAxG^lJa*K`o~oC?A!}U8Q`(V#cgE1uhNQn?4>yI)2p`L`A|?t0cPY_r8i3D%6aN z-Urv?IG_LkPHVKgktr6SMCI*XVG2c&#ANa zA*)WHyD={iR^nzm7*V~ilXE}lvst!5xhSWA% zh?BQy(*cQu@qP>O3sKVE&O|0Kpljo^k||Xw$TILLwAD*8BsHl4_zZP}BHYfRn1C{J zKTVDyTH_8m5R<a0P07wZ(89aj@_D zri42dRdGw3ggN9ZUlzmdkCr1&72ibU!j$jR$#Qp8E+h2GQWxTR;;tW_X#nTAbMw>X zwvHGS?u> z6!7Z{)N?Jbp(+hG%M?j1?t6-NrD}EkZ?^h>1E9U{;A;UnE;)%rclGQX-l{MsTw&5s&Kb9m zfwmHq1rk^KzPDX52d_OdST05VSec;#GT<^n{%)wP?SI0hy&rs_F>9Jd0Qi zne7KZ^<~gXW$_`_y;w%&UtHNap;O9YNF1-!aT4%3pr5} z<|hZiPjA(D-bF>hz`}kc5`QVY%U0W- zm8OD>WAiz57czcproOQc2RT!M&%pb1&Xou@2QIWv3!$J>1~cG?lB}>kPOfm# zH$@eEsFqL56euT?yEqdI9+gFV`Ru!B8`?G)0w7LK^*}5z2?+^fTM(hx`pL=a91}5a zBEbH$EZLFb=E_?u-L|+G(w93>)#K=;kTpP5ZdCLo)UNfm z<3+1OK+P9ZZT8BCpyGz-7g|XtwQ$z+A0ZFv&fsA6S5#>KrG+UwRn77L!_)gA_& zT+I{?L5|IJyPb8tR2`;%>SiE2zP`T+i5yoKw+~2MiZQj|Mcgk4OQAkJz~;1HzyHdp zZAAdwLT8%*dUb%0O=4wbWgmT=?Oi1o>cEH=UIAiac~2g3jqFzzZMMSv>Xm-{saK=39c zp4S+}EjK|IBYTmC5+TV1-C=DZlti5M=1YzQbRe&~ANPKLwY}}g#wEC|jEVh_@|;^A zE}Noc7B4mHu^}lJ6Uz(V7!c>BaR;-eJR{dU=m861@?oB9Eyrw*t9P=`ST}enaI@MV z!Ael(D#7pe*C~T1Rv1|d+wB5!7!!qOp;O%zG^7m_@PesFSixb2+bu)3SsQz~#Tz{dm~j(bk5zZtZ?pISsD~etrOwj55x| z%ggICma6sE&d0}RuBn_t;5|wcukA^W@5L^cNt^3vGV^#kmuZ9bpg>iguk+Obxn%%s 
zC&M!6;cB6GW;fS+)%UdX=2x9%_s6ZF1j$?Ytfu6{`8W?CvOrudSR$|LAP*7ZKdpK6`>L6v+BrHs1g6Ul&+;j?n|RUiP?f=CI-ywZ3Ai-@bdnbVJc$R_cVljTGv%Zamw7PTix1q9}fdsTYdw;dY)7Hw!e}9sbDv#v=ICIzqT=QqkIN z1QTGvu1%3}y~#|;lg-W-&m+ZBr<=0P-)QWcYB>gR04cX+?)u%xvG=@|VZS@7yh0?sN6PaPjV@-gW- z=^Lz#eOZwK!_TrifKkcfp9!x7rw=1-v0%bPPj8^q)v#Zrm-<}%^u1E{KA~%p0TH={ zF6!omr!IYwvKc-L83;w@BnA^y^#N4^gMcHim!h+Wx=8xrpaXaM=Q)~mI}vGyJ7BsH z>u=Pyjvtk!l#^pH0fou~BR4idM9MUEGW0x&mlV)oC1I{^_-uY+cL!n%trN4+cN57k zfSg0LKoJb6N{HAt*T0bS?}@LN=oz%q(I2PNPpNJ{h5El5$Rr}l!dxfHNu3q(T36te zv-y9L$|rS90OJxe0Rmb_MYG^!u>wb8>OZafS_UNRdf?G=}LEq#@{fCK*odyutAno&oYRKg+PBM;hn0fQ zT)S}VdZInAOw*>ia8_FGxR%(3eaFkL=UukGx(1vaSI#fiRIOF`dDS>wz5cbgTH*J& zlC`&1<9A}d(NX?rTZ zUR62M46}MKVSBQC+JanuwPu#<-+jsuDtas`lbo`>okNQDmxwr73nOVWinS;dSG35w z_Z2%C5uTikOv;PSQjpSVC-f3yhD7Pn#n?YLQ0A!|wn&f3$(omKey&ig`>$^X=Msm$ zv`OUHSw*0XCi)rXK{*xNNdi=GoyisB;Vb*pburv`6WVtR+ek%xANRS0JE1BTMbSr1 z$lYu{5)nS4xY_?Uyy`yHd9!-|ZS8>| zv0n1wuV!#K#nUG&EG*4m znwgmy8&l!Mt*ooVs!#~-{qyIK=ju3o~8i3VP!*sz1b2 z^?^}BE47Xl+uEkQ%S!spnHNhX4Hoibpj0;4wcr4&S+Y=C?p(S_Q!G@r!LYscN}X<( zMS8J8JHIp6!eW;De(J@xS*RJY5B&UQ@63CrYpWphIp1u3Y)exW%pGsYkfiI?9(2j^ zW)9xXws|_({6@&3F0l2>Hv5+0T(bb3l1f}(RXy3XLI^er)CRzCgU%4AT;ymzZjMaw zsWijZvB%=Q=|+L?U1A`gZQ%b{?;?gPZkVjYk5_YrvKP!Oy^)8&w@9WF=auEK zc5HOCi0?U5YEc2b=jHy-ekdWGsK-8vAgkW-@2}+7&ZmEx@nYJwRwF14^nlmquP82% z>8n}N3qiqhcckcPkvlv*vY7bxsah&wfjd*;H`I>2klo+5c|p5>OI7nt08EBtj*Q0wvG_JY z{BFM(kDS{t{Lgpb_MZ&&IazM6R}I{q_$=^#B3S(p3@)tqr(yRFnJdG2UZe#`!rU6sv|icsU`o}AP;qa#JNQv9Bqy8?%i&<31IFESz}kr$Hx zh)?7hR8p$utn1zidD*!&Bm;Bh+_zp4_q#+EUt1z?^SxKDsLHt>?<9lpJrx!`fZxHj z3-YcGc{dJuWOnRFLIFrgTgUuFQ8LtRJCLw?OSBCYcQc$&Br!F;6RI^U6B+)ktgJL} zQ^riAt>z8evegU)N_fFFzB5PUC?FW#!~I>0B0NyqyPD<@ERyONe%|_mdoOO!qX!zL z3b^eQlGEH@M2m#SF4|(&eklPtvEnToXjwb6n-CS^X}@{F3(WzMjadf(2pA`K##^)i z?17y!1{E8IJuqnox($Hb6_9**l)aUr<&W5PS)3WE#x1walEK?R`6wd5Hr`%509;r= zU{ib!6aWvEhy_#@|JO0VI_&W4XBH4$;uCx^Jpk3RCYW#9H9#}ofV{nb4cByld=U(i z&f%;>a=rX`H^>tNYn?m0MwY$aZ0_E{g7o5ZH>n=K9*8}+@uiVU?gp{2nj-N9zdzu0 
zFk0MG1)c3JugiR!>yrJ>s+qn3d7_?k(zX?!uid{S`2~1HJ}k`JH4N`q=bivoBxY=Z zw45HmVLwI2Qm%G|okT4>l1pL}MyZJFUqTRDblt$4lweo*lL%?TbOn_tVFL&>;l{ui zWrDR|u`3yV!NMThLlOGhh1j?atRmOw#-}d!m?VPX7Mnt1>EC*}DX-d&uu=P3B}x1@ z7|0|}dP33g#<+{K0^NOtjXo_EXs+%;At)`}EP@OvQo5J7Gz>G-%PxKdIpf01lL~Z$ zRVie5N_ZQV8O*7^>|`o?fN;EK-L)O~+IpV8{6=KGP`J-9!X;x*+7?dQLEIcqG>hhL zm-P9$=ZTfP@$E_`e`n`wLi0D(q%duz6yrg;nzt8)#NiRNp%`r5`4PnK6Vx)~3~IO| zm{QRL1UQ+V%%S|1bm{z+NT;e4j5i9#sKO6KRN^wln``y(M6<+?yd*ty*Z+p_Zp01} zOKA})&2%)mhS(KCo+2MDjRuB3QF$W+ZytbfK4{uWFN~0%`29;tb93_*@nvxq-^U9{ zWNaLe&D71+_Ew23x3a=Z95;eK#EJtlY%u;%xaa9FX8J@g<#euM)Z2KT)a25;+VPV< z!XXZFWVgeZci*X~DD~mADuKU_UjnY?qwP6mo3kq-hbdjTFYj2NndnWHnwP&90&73m z>t_W$yZ1?HE5}JD6#2gWnlg~F&7)kOkg;<}F7nSQ!rA+yy6%@FAjxxIB>d-yZ4vVR zD=bWn9b2JK@(iAYD;VTF3b*eY7Jv zMIaD#^FDs783nO7^A6E>esLjwjjX?2gMMT*v3$P>xnDU+J}4s)k0t#q+tkI0Bj$E{ ze=(?NEYYS-Z{KzQSPUJTgSRtp5pH4NRpxHsQd3r=I_*y`K#F<_57(&0JT58mv?B}S zM(F#j_SinZwB1aZ6tG9n?(B6P8GJn&@{tsgK9FI-Vedk|%3k9{9{A-8 zzMuptzG0WabN4c1Ke40NTF3$Sc50-_9bE@~amJsDS#@dmS;725xj-aOLLDE}FIGjg zwhWof<>8AUw=nYky=#9+nffy7v{l@H?wx5nR;}459T>z2k^gu}PAGixHZr{T*}I*i zOc@)EL?RH3Df~9E6ABN&#{gN;Q0GFEqXyDhfo0T~J4tmzoN~c=K1&CE8ZdggU8|sz zC86d*bpT!8uI!T*`tw<7IU}qoj~9g^EhZu8(Q=KX1lwTF2w9LAw65^lDJvPzQWWc5 zF_LJm>q|oykn>M=u9e99&%~BG7#1SJBo4hRAebz5UC`1>3Dfau@Hc7@iA&pAA17{m zn-$HPRHA~N@~n`@@I=AWbz2RE9^)PCw_|f?Q(?3_`vw|{lAweW*Q0nhWO((dSqDbJ z?C*Av786bTbSj7R#SX)?2ZL@DG1o6Mz_$TZgqOee7c2XWrLTtYg^ns83gsTA;3-?W z%$Zeux(}=ANm;l{3w8dZ4Dg{z#$b)5Td#ccNXi#Lp^0i=j zZg6;}j7~Ty`tM1xVqT7J)wcxZZ&u_5WWPMkO1@1ztmfz6pLy;{nAVOrO)4z=?t~DO z;T%st(<_SUK|-I4a)nW{cyMqam5vX%^3+iMaF2OMp7h~5aw=(PNB~U_M8+DqF_F0# ziV3vnq2rGa_aR4UrdV&*dVbZIwmSYs(|f+idUm^)54jutLQgjQ8vR#oAXT|Q@MIU_ zd>qhDMUfIY1Y2Ber)Y-mQxiF(oaakIB!y1Q~N)?(e)q;E+=U5c=VSj;V7A?m-N9_sBjD; zx4Ck-^LtS|_ z!(CHA-z7iTJp>KeP5H8@ks5T2IH__Dv_GbI}UXrb)Dj_-4DF>%IZSimi`!y z*P~sv^s}>MOH3g+;S&GeeKg(G$ap`#@xrYCNB{kL5jCxFQ{6VvDyR5&!aO$dP|b8& zaihG?^G5U2wSe$wFk&Gu-gZLyQ~-RBJl_;fWRWQ>tbnE@JIwz(^;I}@CSbwr_XHI% 
zmkSt4ioI3kC0eGf+T3`;p!vIi#OKf2CKr#_oH;h(k8izD(Y8G`F+yb1ANSH;hItZA z-108eC^yZjeiXo==5Q zq5V9Z5pZ$z%Wg}Ai^oJ^)v2UY(J38WrHdqG{U=JP^u2TTr1@XF+Q0h5ixu#V%ynRO zFCN#B{gTT!(3|7W>><0d9vk*-5lei+;dvZi@X_e3ZCHCXs=@@^mCm4A>W7@BHT1sN zNBS>V(D9&Hmt%tR>n&&|?sq!EY(Pv$YSD%)8_Dz?U1t%p8+K`LL@s03kZK^noS_1-*swygO+sno9F+}hJe(+O0w9EJ)$8WcTAf-P zii-mj+JW_ph=9hVfG9!%7<8TY2m7zHLgG!rw6@7jQQ^uD4N+vdutWn6O5u{BFX{ux zQO%(9$NSTz>`h+Ak=XG`^(gMXh%luXA0^bV`w#wQvp9qDyYm~{A2LTeV)sYhB}4=H zyd(+8w(#8*tOG96+10LuuJY|T*E4luWgzSpXoROTPUj)7n^tts31>58r$HeF7oYUk zg;$#ez9lT5_-L=RO!^y8BBP~Z*JA$b>`?Bfb0?^ptdg39_Qbwq4KOtv>o!sZ?6`jqy!~Sf{Er%u(8;uz)YX23Y z8G~s71;+s(c$}S|Fg>k~p3Hqctn{3e@i~sFrY05#HYCijmpRtGq)5 zNs06+aL^-(rb$CKZ*=AQ6z~-vS79#Rh+zRq?e67DFIl_@`B!?ZP356R54}9N7-SBc zcp2ky`>hdPCTuB2`uKVXhZsvU-;D^UrtiipA)A|QSoec<5^JbI@~dy_>D#PVql?b*{@dT?!(HyxKOwUjf&^%Mrdu#S)yb)+YYrWb)Q z7ERT^`^2eb{fbnHu;RlRdRVJtMjo&Ot|3vkWJj;Mk@ww-Yk@c7Z>2DujymUp?w9Th zJ1_)axay)%e3lf4vn&SStMFf6U($pq#01ANLS$DS^z5_uU^+KPbMKVZ;KU*h%jqR zAqBc1Yf5h(%r-yJYw&!hfDxf(N0WQp}%%~n-CWl{%}+fIb6FteXVm3 zfVl-TSTnv_=jarjBy$DW*iQ%>8XB~SFnYxo83{N2m6es*Mn~%%XxSr=0tmQ-gviID zFflQ;zOu5hh4e8zFErG7t%z?Qe}s-o>8k_ZTj+k2B!V8Se?+5WpyAq(ERmKYXe8j) z+hrQ%ln&bGaW33^`y>u zG2u8VFG>O6PeyKCo;0T}L>51%8=&z;O*|4)$^P24gH>#R6h_<9@N!~i+HxMl-7@75 z(wNKD^S#XaeNGw?9Ouw6@m&KCPtWG3e+ulEPgUROHR+^~2UxCMPCZ@yv$S*{`1|M2 zpBm~GXMusUk^(+qecs(X8~Mx1|Nq|{0$2SFv)68x_vW`(ji-W6y-_%J6* zWS+yov^(K5x%1r>{0Mv`x*%%5qX>Rp?myp)tqzI@6G?a9wJ_!N_t} zn1iUb_$0C&52()h1rzmzQb@^d)9sZ*#@ycX)44GMi3FtO-;8R5RNEt#0EV7^i~hG& z7aG%3GDd|y0P?r`|7bevxF+BC?b9h6orAH_A|NSU8&V<&NJ&d82m=J9bCgJzAf1BJ zAxM`rl7dR7APpn;+LgsXsdE=BzP)Qs?YFul@D z3ZaUzWzfyB5Z3sUgVc6p65~UA_O8@w8d95SUsg%m*)s-fA3Og9l zkafK=b@Jxm&L)RIEmhm_fKzFO^Q0F`fP>xR=b7FW@)E_Dy(-o6bx|;l-NrU zTuYFdAF(i8j2@E$n@;)RG{iS42(WW35*#l2FIQl{I*^O4pD*Zs-}%ff?@SvxK7$v7 zh3IK6J|lghgkM2uz0jF^^Vw-|LQXM$|_AU8T)nNx6f?_vqGbjpZH{)CH{Q8HHbp9c5-3Oo72IM zft)u#k2T8RAEG9eF{h)A%3oDm{2TgIjTHUn=7#zco-#iF(Z_dSvlSUlgSBt+#9>8e zF^iwEqramT&ZmyLUwyTZw!GGEub?yo(y3b{V_pRusr0&kBp2Lom%mLdb$Tl`<#u|* 
zfIht{h{zET>*!wNe(CCkbB9!O`BCDMljLLsAS^5ad>B4>-w^D=X}Rjd*-Bah;KK`M z5@^kA2aF&(SMu>1j5sm<&qVAOb0fW271vyvgeJ%;!XqNYyM`U?c!@G4W6(9xp_yGq zC|iJ%>y2z($f!90?wb``g^`}iRAJo#o^akvj+h}pzse4`YEs6;CmiIB0omu@@E|hm zk8&doNMtHp#UTeU-oS!|XyZimct|NN*M=R{Q|sa)+PDaQ&Z1sks#Szyifc(`Q@^u% zN>w(|fFLIKz8r272&ePNp9sy}1o)R&zi&SdrAlD+bvs-xmqIm@{+u#jLRjBU@q{O* zBvE*%LVZ8sAQ=u1GIr@7hZ79ckR7+P=e@o69!BZt z00WHDmh{kQ_uyUGp8S|da7Lv5rZQ%{8bc5AT<%gi*YVe-Y;lo}76e{URzW;5f#Ko( zrQ{!O7}=2GnWi%S<>HsfLd|I13|h5X-%`8`L@k|U;rzM8!99rRhD&om=Lc|5=3hv@ zN{LhXFYC(U-h75vMUso~*P$A?mrl-CCCL=kyQVWv1UKQT$ULRq_F_ze#kv->o#wUA z)!PO7)2F|udxVHx9mIS8_wO{x0j+TRtDI zHhup3&iU`lp8Fqj|IL2jwwQARcD{jYpFzcJUaQi})1heDLRS;iuQtEzQM|DvcKd)- z(t!pp%wF8CQkIcrRPi4T`2lT(X^d0cSE&w|`0c9*%(M34jN7Hh=@K{lzt}Ep|4#RO z#xa(fr|EcsOMJq_(~-AC>?JF5*z%OTK(Chh(;PO5=dR(XjMO52D$ZWekKfO+IryN5 z{wYFN7Lz|od8d-{&~9`GbL8L-llyzYd)GAT)>C(H&$KQA&hsxI_uQX7*eE}A|JY|J zx;Fr{lkd7ZNM=U(Y%$(Xqp~>ZhzNBNl?;M5UpPZ}P=?}PGuhi?SiK}~YlV#Kg8Yh0 z%>Dg-KwCy|d>E-Y##J-}on%KxN42yw}5QY>bV+<4QY|0<(Igy1KU@p&dk`-nEV?+L=hT{+&sZ8K`V6y?1 zBE6+VAo++op~?#|`$COEO>+2|X@Wj!310_%P-Do2VLkDSi_Qohp8yR+FRUj^D*hjx z=liG9^dI-{lwii>P|uy((4C}4mIVXt?z0n zXfsdq@4aomFbxrs!uNR>chJxjw<>jTF0=NI2%WdNkzE(9ebuvlQCg&=df6Me9%U3S z6=Im@!U#32>>I0Owiu~?Kn&cfup^Y%;fycnU+10ryD}~;m=ja2YYjj^G7M|l7PWgH z5OBsyb2|NHnEwnrvN?+RUN~~BVBzifB6v5@>Vi-QJ=vc&)=gF;hH+@e2noe?Ruynq z3P`eA{NK0Kam@WSDX>|OC?TDRDG74gx^vY+a}`x+4AM4G(X{m7k>8f>mkKD)2oK$r zqv14yGb!);8NrJ}OfkXSwhc+xsBKWTE9s%%Sw_&3FD+bQWyb^~Pw< zH+3sQ;jWv@{WZ4NnrUw={9C*`Fs`6QgWf}OC4;}^S76tP_5F9u0UUEU#CUJz9joy! 
zec9)1&B)$O`x)H3M1fq~^6}!*18+{B-%Ws2ZC9qhPg>qc^2u|GXF!I|sy{olsYtjLJOl&M++6bas3sw=9V$leq-m0@&$;h_o^j+(mBjR*FyM zrHeq=!B>fLs1P-Q8`lDfdeo(>7llLZ~@4=l?Mk@%y3L&&2-*PcPFYoUpw_6@~ z8iE-ghAY9y_^q%ob}$hCtfVK(I#9%MOZi)WDc%WR-1W(q)i@bRi@?K}c3dy6i|>H{ zo5pop|5buhqnGgk%3>uTB}6cr`fGr@1J44;@I0_WvxGl?#p1lV!N(bLo-$xtB`cWS+LTfG#nL_W6p+9q*RbxNji`qQOVKB*5t=5cZ zV57o4-%Vy675H*+68qeQkW#Ts?ON$M<#-7C!L2v~3Jr^;f8(!uIyhi&|AF`OE4|fC zgSQIs$@$`u_Ya(Z7Z(3RF98+cokRXV3#lWrafx});TziX;4jXGu|NV*>qAwOp+Qf1 zEYNkZvEUrf_WWFAT8;gf*5mj>iF0%>?7mMz9u?#Kw_AG#F$K|MMmhT6s&PhB4@<72 zh-rI|slIl*omC*rLV)sx(v&FRuXwSm^Y1r&wwtGVSw(mB=>e^z*rTO*;$!c7Vhl1A zT*_yms`(#Qo~tI4_`*_BDVsHo0vqc+TdsIGFw3x>l>;UUTn&x3j+B}~cQZt^kQ;3$ zB;WaG0N|#32bOzq$+<6QS!Q=eUCZO4)E9JkOrCKtMSi2Cz*rOQv!7HWKY~+muDj2& zpSHC+bk5`VelFEq|NHCHo3z=>b5)A=1gBiq2d{UHzA@nu9|eHttoUU6enb9PM$fJy zUWagY>YC6i38=$rcx-`isieChYyc4R{1K||47y{rp(8XnNXjRmKZzGXkjOdU%=Jxu z2~qaA?OR7YNoJav$?s{uHXe_FPX!j`weKj?@Vmlj2JEAxB~!bUj7O!|pU(zA{FI0f z9fgjw>r7@Q%J~>Pe&S>Q)bo6}UquNLg|w;1;{{^ifB-D=Q5t(okUvL99vcDBG#et+ zT)yCrPazi+*#^>T?{nIX2TPln5(@z&IpOI}Dt={uDgE*M7~|3c71<~hm;$Q1dQ9}d zRT@`8)bSNK&h|~NJ{UkS1SMxtrp44Zj&HBb1rCg!{=-a+_pJYnS0Fh4pu{nK80M3e zfe@>jpZ8UioJu&t>wt|XcZ;&cg1JbO2V@*?b-z}a#?dSnkK#}P0J3AW{N)N{Y{gSc z?qT~QIr%l@040R{1K+2L>T3fA-!r@muq~6Zv5UrNVTMm-B^*(p-N=Z`l&Pnq6Z>kY zQ8km$MVgftN%)XeKFo*8ghbUKfZ-g~-)YBA-5fzjcB{ji0T@=01T7hAmG1phyzXg* z(ptu#Al-B0yR7=PPKr51*mkJn_9ZaO+P7@Azxi|YE_pNFsnNZ5CT;cy)r%tB7YXs7 zhAN}3w*P^n=nn<%-g-u1d#{*C8iPm{FxiWKAN+eUDW|OYVfKfRo#EkE*AnGhwT-$! 
zMYy`d7KAX|#qMwkKO(|g&xsU5wOz<=UNrOcHXQn{xg3uE46!RUIr3Mmg0~GX)Cd!U zyl-1xX~x_&IR)}?6KF&N9=PX8w55HLUwkHc8~NzP%bAbG=Xo!wbXKt&k?n^!9_?;V z%nJ&NW9pa44ii+!6hZOcjF5ax(4rs9)9Y{V`P}1^G*}4D)myEx7D}!pj*7VFuNFgI zD4hXKspZDdwe9rm8f-HODEr_c0r^bG4VA^3%LN1)H<#XmU9etC-&s}lOJF@(60D|g z&B^=sGukp8RjYp0Z}hi68O~eALvw5Vs3RanSMjE1hxx4G(^N7lXr^vDrF>~K^L=rF zi~E+nIK-muKqL4}?Nv`hCagCta)@S0YKlJ~c`;Vs-w*R?so7DbXb)5VP-nireRTJ| zq~&$*n8|L;?`MX6hd+2WM%q(P&dyBCZ<1#>i z53!Cr(@$H2)ri9$!}vEd07vh`N7=1OYA(W#oqDN1WL`dza2(_!pHO+dd8GBM@d zO#Y@0(H6gn2Sb#?$?c^R<2RAV$KfCBEd+QfrGOgpXx!q#)PU`a!$IAFm|Dk5l)seg zQR_3c4+*?TL0DG^Ku=e*1`;^s@zA3Pr>Yeof&0xdEb4vYR{qI)CLfUWW>OMS>Qr-j za`Grg-poni-<*ewiwh9w$`*dr2L{6AseotsFzrRGS^{Ovr-5~%-c;R?dJ8vutU%G- zTkzYQ)F=CaP!V))2$8vx?Q~^mzdav}_Kc~~d4H7p!br=#|3^ zE{_U!g%k$6o|~N+{#lX^1vModp7v+FyM&zN?O1i(Jek(oTY7f;W5H2b#$~ucE5|NC zYw_qCOBq=E=U8~xy8GjxJ*1}|@n2?_9nO#LLsxp{lVtP^br*8q_uHJym`-<&zlN{A zyCYfmt)U}N(y0LijB)}+d;05_%s&Kh7z*asTaII%p0YkV53a|NARE9`(Q}qe31kay zebDTVbH1#=UXT638#yq}l{qgR!%dBN51$RGcN~_(Gx@$TR?~ice>Days^CL&4s`_^ z4$B$)vKa(}jHs4;n(18^2VXoh6o|C?q1*1u;U)l_mNRb^hFfrHpL$dg4aDQ2BZ_`# zJ*rd7IX%bKs3Uqy{X-BhLsJcmVH+l8XDgxD5#gflSQR z#mMAjB~9=3=kVKEhn>e}C09sL;O_0Ud2iRZ8wA%tbhu)JgGloRvq(pSffT<8Q6G^1 zWXCJ=p+SIxr+fxoacW}XU-HJ042#XLf}d9@*Rq3C(z|iscU5xeJdF5K*IC#sn=L^*jWh?45b7Q2>? zv7k~eGKi>|h8sDGILlmt3!^jFF;kTJZSNi!z`1*7OoP(j2+Joc``{Wm?sV}SuN_;( zpddfoNyfaZnjpTQ)4WZc#sP9W(1pD>+BWA=6MMhHwU9uI_(1}mjQ`+Bo zJXYP91@u|knA-yR0reC?PPV(Qe_P}0 zYpRSHi64ya4th;mq8Wg6uX#l%$2XA^!Qmjl%OV@#qxC*LqyOQaO4Jk0>%z5pz)u}{ zz#OVL8g#5Mda%01J$kSUqh-piB>c0eUhp0+FW1UStFwMt1DOrk_YVZ^3B6zak|z0Z z!BR8$((lzCrdw(m&0oHi(vkNBarwe97-6_@N4kxCsMs;lVT)SHi<)VW z>q3esBKb|C*XK;U0pnR7-zes(pK`1Y1!5k}28l<=k%Pbd3AP>q;&mK*+>&%Q%=)C5BXo{(&)Ys1#2UP&p2w^eK33 zn+b^BvcyR^;MYB@K6f4gTwAY3Ml>+-FLDj#Nv{Z6F|FwhBq^ij8%@&teO-0OugYfe zaZk1vz6in7Zgq{Ae-N>f>CQu5UOE|OvLTr#IztNNQ+2Vp#)@pxuB|^3)4uv!ysSh! 
zH32!DWwejYkV{UaHR)*es#!iMeKg%I;vrI< zl^_N&%`pmyXz9}rW_LLS}8vBY=nPMsI^hOS{e+H2pX0Hlgt zn5gg${k@T-3`z-wg;GAjuH{EexRGT9Xy!<%HAcl)>Gt8=@aCt?YoYj9-NlVPPZz!5 z`^oBAu)5U{{6Yo`@2{rZ10VMdMG8j61kMvmG)Eha=w;&HyOVPmH(Nd;UiDa`2J&qT z0*C{zKH+ahJyC7q6W$p{mKW>>6~=#w;R=y0j2Z$!LLtRu{7*-|1A5wYi8_ag{1^ry z^E8XJr+Rzy&zc121U;|hDjVX?49O?>M;kr12Z;^-_LwSd8M5mfe%8FEQRNTI9%~w? z=O0TosHdQA2j+ponPWYp)Hg}n#&311o->f)9>hC0?K{NuH#Lf-Qi7L8e)RoGrgX|D+nRjx$6IY5&9y{sTUAW{fZif5rQZX z&jHN5fOo_58-8$JfE_MMHay}zNKqqRr~mjPdCM2#Qa!aG!UsD0A8$Gj^Aa&l8&U)# z?>b=YR&$O6Gp$@wmCliyRiA$56`Vd!8U-;z@4kbqt@LW*BA>5dULTdvq#keha@AnR zTM^&au4sa5P#6s*$E)e{b_>71?Lg;dT0~Tog@uLK2d5LJ7n^NB%#$Lu_D{V@Pd3ur zXRNWT$O6a0h~*iXj@a=sh%Gps?llrb0M?%GVU`|xy33qC?nv7A<^H!fujJ0;C*=@ zu5+q$1P^+*;egZ5@&6cWcLq_>cip=G*}pH2H;DuLJ|qA}?_phQQ0}Cpbiar^as}nl z#4`sNd-RhKGJ=ZQPhKR{ta@jubtJiI3ALKc{c>J@@j>?2%QFD_JYZELDJn09RUZ-z zjt~FwxS~ZZYH2H!SP}V0!r%}e$Tv$z;F4rN+$&34B!AEN;Zl>Yg%akh){WLNb_hpDK7~@#fR% z+(h&*ndr_(D+`t3MpZ0tdvfJuqE8Q%rYTyX^u!R;ElNZxl<8d9+x=d2n#Zv5tQRMefD1l_{P!3*&IB2vSH_0JlT= zTi3@`?`ho~4vNze-NYdECb*LMg5x6w-$UE{jSA7AEl3NofFHc1F8?{sOOgsL!IRb- zrET%PK$MS?g6n{#^TF}K%A?YAb=e&wkAfI4>vjyAUXqM7@^f6)%kTYOxkqy6%VR^R zot+jN?1G8Vmn)v3+t3O~JB~*Ya3z#)d&sGw(>-Rl;9VZ7eZP-VgZ9O%*m_ZS}^RUYh3OqrG6V9LCq>P{iwsv!q@kmDnQ&*nDi;XZwfnxajLf-nTP-O z;Sz88W&b!>(^BFX{pb$Wgwim~k6I2Lay;Qg$VBadTjWYT1?Z>oCBuk;DIJ?NK*HP_ z!jzv3}cp<+EwC%UmrI>!~nJe)Pl!mr;OtJR>0#sC*;;XH$my~86XZf*~ zx0J;X=T$Q|b<7Z8n=p>fqQ|&puPQ$#9?D2xeK2}@XIrt!k=t51m?Tr#N%mU5+O%E5 zPcO!m4}gMGiE&B)s^E!cA%U*kLKS{#xbnpe9X{!(LHPq&Z)ECJreTqe>1q`8W=Jed zo-=R&E^HW$l-AAAd#+s%tCvZs$Z~qnro-rhXaR2e2Q6zkmtPe2g%+SrMT)2l&ad_3 ztpPk`(Sc?wPz3|2^+uVwt*f`|hbrp=ml!5v3eC{CeCctB2X#y|CQeIxna z2Yjp` zQGhuVI)jINX9;7ZSts8juMO#QA>Pnw$E?@y+0(rEEQvktJO{qC!-V}RCwrEb#!O)I z-|Vh#zYPT2j(qZNi!C={q1)vHQ)+qy9(YXXi*PFgw|tCj-LYunCA1QuF(+t zE%9+`h}d<6H<*5gJXD?N@GYt7{_8A{*VFvrz|dR$C9mk`)34ftIEl??7{&GN=>zU0 zi^R~})vSs0z_XBwKJFMN9S`NC9<<~wPmbY$A=Ef=`ZM-5?{!Mk?H>);vWm^y`O8m) z+ID}ggaCn?=6uA-?c6r!Msh{g+Xphw@5DH~p30p&Ro614 
zwd*m$QJlB&btY~{>u~Qc`@6dz{+i$RWnZxjgp)8)<4^%jNgFD;Gi6fcaub2p{2Km~ zv2ei(AqKTel#&qz_T;^E0FmwbfK~6X0Y5dAjL(uj0R+8^L!Ur;x=!|sFuZgw`_GbS zOf$%Z`xdaS+rf&$ZxJ1-z*a!t2`h+5A@d^SF0=pIDT0E0jr^guZ8hh<%v1X_FX zW|f0=4M{eREr$-sileND`9sf2TTMG3mCY&icPnFI`iO6(aBZ!KC;ePJ2Vz7b-Jd>HHyn5m`pp`0U=X#-RdBPeVLn> z-jv}1Tf#W(3E&7k;a@eiPZF(h;i&hxQ8;+97u3)}&JD`eFUN{W{9NJW2Rq7~F3}qZ zf^4{C*l-?`iSF>-8O`C0fAerkmffPuw|Hp%mTKoD0rfkl3s;Vnyx#*2%UX>~{zKAb zrVdGDm^9>;V`g~*Y|R#c*<9`#F|}eRcz3S0ptQUU(Kj~iV#@qx>OEbUm@fV(#hEu zfChSdneuInr`*mzT^g?v3k3~Z{@@RGW$z7cJK@yn>F$cCKA-BAjSBJP44a}JX;Wv8 zoFukZn&l60x+IJ6o!T~M{YJwc0{k|(Km{v~wezPh6WQm{-c3`Sx!%MEQ z3@9Yz`8%Lwz7@GES-mV37hSyy3Kn)#*XT$3WY~MHagNk-3_=-rQJho+7#-Xd1dISg zNNz*Y9(LrVMs-!;%4*t;4!ZlKOU1ReSjc`E96Sj5hn@Sk& z2}8M|T#?E^T2Zfdo#)*NMd6=_1uN+d<28mQ0rr)($9>{4h3V;AESb7GFPSbB$1_?a zpLL_z#R(*P3S>M2Bsz)+KuWqDQWO`6-%C>Zz1l&%S+y4BNqwcE_kx5t+A3?85WoC~ z%mu>>gFHHplXrufedI!d<{Phck{mT8Ajp!Thi=UsFFzY!@K6g5TzB2}H(KdZIt)hg z*&vI#`5RX)ML7xA@aEmZY29?wd4(!42+`TgB2bz)#MLa(~Ozjn(QZCVR_UAzW z!9v;8Rqp&-0aLiF4M+ArsvLG{ACj9};Qo&)cY;k#9je#Rzy3o5{o7HzOWECc2P?bd zTUDB`(w3R=>stSQ5Q55ljS{4Sa3y+U72xs4?yJBFv>{sPNNx!sxNa5kt0c~FCd)8q zzY-eQvoWV7(F>_@Z1(^Tg*MDcwlL3FIOFS>`i@PU3PO$eCZ}VaKP#<%!3OxBjXbkq15RIiKG2ebEnXW4h;8i--O+{ui=hphgHXbLN=Q z45??!CNmtz`|4eJ1hRF#q=Hhp=2+-qe?^UXL zU9qC=%llPhApo>^FsnUuvCOb|Z|ZWopLOy)@LP09U$NkYUM|V)@?{O~s-|&seqsak z;8sltPRzw`zgpzFT6Xx*8njIHR@vQ@Y!-t6ZM7<|{TtWlHtA#}O}j2DtmSPFk>18L zp2^7#>)^YVj^lC>k5Nm8UFX$AKNhC-y}CQxk?XjJ4jlW-=_tLI6;a18R zFyT6-QKoQFIh%N9p~_smH$oE zjg9Yk?$aeXB+`Cmy3-f~9^sve8lp=gqyl7L;c7*p zPKaAi<8Omy64XoaT0S7p(`;I~UopL7!;yZoxmtZqn1DYiS@b~;59iQgx z?@9=n#f1BvgP8l9t0p=Npdlp{ zXBltuPQnVp8OGtrQ|x;GbN@c}98&rkiYj{j#`3ZA*O3ZY?f-CcH*Ugep_TD~yGhV> z;PHKvdj}D9eZod0!uDd$bp&#K&vW;!ub}XmEUOJlhRk3o4}n8g?reX%r{<_PF|-G` zr1!Ly)+f9Q0Qmd4MVybj^z+ohCFi8HO%wHO5{>Dhs@?VMPd z+<=<{0vN>-EiXpEvmSo#!B=H@Q-80?k8&T-a!dyV#mND;p5l^Xcjg7c z=}X1MPADD7Vx=k5G&!(&`h$@tLL5%E*D-Qw8-fBJWCJMhpp*1io9b8l#Ag{MfU^`b zZt3UM-TZ-Vhy@SQvi?~=f6$b&I5cClZ^^Wn(ssiWb-hQNX~xHAYUK80OVH$ShXkVh 
zOGP(z(t}|ljvQzwpXsycwvY#!8MNbne2rM(em1Y-LY45UdiQ*4me9j%?USzm*QJ{5 zLV=t0ji=XtSQMn{UHH_A5}baXMG74|>F5l+z5?5AQ?a=F{r$0wz*E(ZVAXnD3GCg@ z)D~J8|E6mHNp2SV|C&&J+Uk`S^l!3e@t~&UM}GtX3$B&G+@(s~zMM?c7%-YCE)*{v zJC}%3s8|{=9{K0XOX&Wq4JZ)qEKx3rvAv8gKnssURYF}OPb^_Q_wgf)Wuk6)mF|E} zol@n5D7jXMd%%9Ydqc0vcbLDNn(ejCwVZ^@j%@He>A1g0v*`6^KJ8g~)%@c_s99F&`j@rc$d=N7e;LGE`!Yf3BR8G$(%AZ#{B&KvZBE8Vo~y_kX;(^flqTJ0575OwhMpd)8eCyuK&0X--!&+w}*4nCb& z{XuL4!oEGabZ62^91z1YebvK-!d*#D>VXl8_Fh^8L!q?{&Ds z1&~doo5m*+6%z_6>EIeb@{_?WBAi<=y!Jwe*U?^BUW`VH#)VnCi&cLESjr!nl(s2D znUolClAUf5)n7P90pl6h~iVJsMG|qCxgW67bz6^kd8B9%c#PD$==g4>!j1 z*-JQA&Uh`=e*TC9$;8@xGPR(D;LVS(A?>@g0F_}^q2fk7H$TsvFMfpeqd(FBrY+pR z`#}h2-MK4Al%QSPp_MHZeA3ottH_g?xlWxr<)$Mr ze~x&$_)F#~TqM@fu+zbNGo1qX+XIb8LlJdGWn<4?zx&WgU63|bikTIb-z6hPM`iT= z>VZaQ9$h&v?(s>@&bhq5LC3NFG^EG)mJ`KAWjX)+n&u}owdwo5$B;(84uiooHA%kT z`v7!#9Q`Ese?Ji$@&ONe#>J&ywy+YPb(xG?0iRI6)bW9Oi_&*!D+VbxH~=k*SBqDL zC((!9gzlw{@xasmfhUL42erR+C7lLUM3G4JlKRq*QobQKJxvo(T$RRhSatFA zPVjJf2Q&~Jp9Ihu|5-@_g`oU!BnhJ3Xvz*;;;yo@+7`ZRt;8TeG%kiFl4c-S`t0j;{5 zR9?YTRW}Z4gSM!q@&_5O@&y zgbIZ;ozD{_CDkRkth!`Ap4r%=d@=ZGOP&DeSw&?KV%}~nGxfIoFyw3kW$fAEG+BC& z!sFZ5BJnp=)O3N2D?sMO=Rg_%d1#|=LAdrBN77l2qzS3uV#7=zuO6F>$wlO5z;7P; zo50sWxu&+xEkL_62XI+8-V_6xPL}qXw&&e4+e+YF0#}kVvf=kl`5up6k#HZktrD-&6V~}OfrPic2ba#bBW%wK`K?Qy=ovA zA-IF-@R1r|ItrHdE}sAs)PK*u9`}pn+^C|Jml8YnKmjKEM7Pg@I^hH3w5}|JC{Pdi zy+Ghnu=ZYh)X`D~CV~tj1-c@%`KIo!Z3&>h=qB2~%!&K?+d~=R8!(pfU&p2XGU+Qs@|fs8$p%b!YH| z-r9GoIFb#WSJ3-tc9~sLChHf19~4-(TUXXYMn7rRuyC!j0`+u8&bk;M6CK0Xq*1q64BluTxX2&3v$Pr^}Dz0JikKh~-9?^@%m8o*u^c!N``$`^D^2>FO1@ zA~HCh+%;kKT*t*qeRJ}2at2UBxWXREC+A3b48e7uW8+hECScQ3J0a%iwGKM6D8e-dUEh0mDl7n;xg9Rv}DE)yYaTKq$NF;bY=k5@X`Fs2ARjWl}_G~%B#L5d^M0ebgy#c+X zmUO|p{Ux8i(eH0X4JWY!X5tWCB_N!Lr{{y)0HQ6 zEWevnV_7X_e0%5#t7+-5BelB@)T`I2NiMak2s`fBW@#(cgZ>Fntd=Ngc4etql?*^S zh%ruJcUF#c(EXmJ@}vILOoX4A`OBtU!gI?_m|!?S^%y{ueZqBI3hf%}<1`(o;tt|W zusV6JBruaUbSM4&Go7C>DJFqRIqg;>GBT6gg7teOG_llHRM)j5c$CoGylLb z2%q_ccQ5lS%Y@LYuU~sJTdV;>2yNt=rR}`gO*z+mQwG}eZF`puI 
zp=#+{)-l7E_3!MnY2z2hL^Z1+kEo(!lBuBng0kqa3dr3dm_{_ik^)i?$?T)XNf=b@ z79{{-P8^V9^!8Ntpz2-6;9a8`r74062U3eoNkCdE$$)Dotj$zj7+sYl0~X5=8>ju% zOd`x>o*k~R7X9N1rzgWNIGKoR}f8zxTcley?)aYPbrTOZqvl*x(Mp`TM zw=P4K0chJxSWyYEy!<{Ctzr4_-aWBr9gZ7hEW18l-Mxvm#i zM=Th~ddSLrHU=7e&-}!J2!xM8KsDiY4fwR^z}W{dc-el_Kre0+eSF)`f%En+)vIe0 zca1(=|NXV$?-e#SS4vl_ZL=v3Y{{=<{@aodO8%O?07_+9An>#?S2h!^|37q_x;KYX zNn^xVl5f0C-;$`ZL7X3pxp&dQ)ryc&W-V67-=3JEq$m<%uCM>P;;OaF{>@I%;i<#h z4J&ygY^P#rWhklo*ZzDKzzM_OhkXbj+<=6+f&XpA5(|Aak~XTCac`@dt~%1?+K_2i zJ)qor>mlLBYT868tlp)Fq5R{p{DW0!sep$(zm^*E<~9Y7jfE&bS1SLQk`0u!q;>?> z8WMC!>u^-vEZQ_+NJyry;z|?~ue4F!pE6t&_%p3IV=F|5p!%870SkRameTdjiI9|r z$vu^}DvzPW;;Giya4(@g+3eHqGLlhb{#e%^$@^-{%>?U|?j+z1b&_O~N&`xW2>CI9 zMWjLYT*JykpZOWYE6_SkOo-5g4^(*6y`&c;w2AD1$>3&wP;OQMl=M${5|t&v!u4?n zu#IUgMGnD+)o4|6cq0KRC>v)Crfb@R@8e03?;ClM#Iqdl!?ao6;;CHVE&QA<1OZCw z4CnuW%MO3l8f1zw!bhh|5tzb5!nZ28!fF2D-jKXc=JK!2-xi*G>a+3+DoZy}%C9|Q z3f}Cv_Z;W0U?xzwj10p(HZxNTSmAskT<%*f+y%V}{Mz_h#|a7mbMAO&9N7I~1fpHp zNg+O-WWeM!@~zD}Ezq6@jEt?jHlP zFEN%x)!?9oPJga93|my&fq;sy^Q&zxJ3&0%GYUB-KhBoie@oNq-_m^f-_o?b&bsDK zxBKeQMi?@Bt-i=QZ)h_4Q>yERc&z!W?Yl?wn=*Fq8Au10P2y)ux|>YmdK6hm|t%-o3ZJTG~IV8yiA(cohr(w;1hOY(SpZz(oxk1e68jAS>3a zQffS=Xl`36?ngbb4;-gm3&tn#A{|1c=zl2dlL12&ppC^1NMcIYm)w{$5PwU2-}GQq z?@S|Nq4=RONd)r1>X;2$+iJ3-KP-0==97Cxe;%v*+luY zi}4-?@Gjcd-AAuIQ8eJkgQF<;zGtD+d7i{x=P@NJ^xSnPgVdgN&TWi zs8hXFEQ@(q_`GLItr-X;y+htB3OJfPfV=`d0uU|`%djIWmRN-D{XoGE-;Yn0CD(`+ zI7xWvx+xOWlfMM!;xOIGu5$^+K?9fKNQq=Jd)-uoD+wrrHbh}9tN%8qd3qoKJLI?~(C{eUCc+gB={J?hnnUMcI*<+%(z>xY_!9@Re{=et` zlS~H}X93DgVhHt)9H}&y7_J#(q5ON|PBu1DB371%^Lul?iM1e7+~9X{-yS?E$I5>G zHt2S3%YU5l+0yaE(mY_{88rC|F((Ce;P^FOrPYCDu(tfQa>H>7a}rl&TIew=lPl%nMqteGpK6Z+m6cdC8$;|ADq z17XC}f7HnLm}UZx>zho zI-y_xrlsXg=%!sl8-#5%DQQ#w1CLDm-p-R+{q!=+^ud+3i*JH}&7e$YpJdWp~LSDmk zCsCx;ipZr}e#8KMh?^c6uKCo@da6GouW&Gwdkbprv9)?QyGT}zY5M+k5 znbzTVDOW37jM8ofxl*kbSJX#tCIQ)-ZX`>T2Rk?qJUMM5VQ|hnK$mVTr%=di0}#P- zcG5nE9g9BEanVhr2`WoUx(M>XY#nR-b@xX+2r35J3ZWMW%kh+myY6jS%zUG3vb53) 
zURP~IYHve%G8L^s!m##76mZ~QNW|TxPnu2Et5PNe1g(>_aT-f;tP_SHdWIIk`z1tnBOsTU&eD+z|Z{VBEMRnxsB5vacQF#eP3U%R~wafK7HWzbKo|#n&5go zjiFzWI9KeOJYvW`CrDrqm^wSJz8k1($jHq6jjkgrJq#r8L4TvKd#LpFZM9E&w4nm% zMJJ&Vxr+_<<9iu$jj_+>)SF&oASh?ULriRx_ZiHT9B4x<{Bx6%G~`L|0(Mf8rT8$# zU0E7}Ah+ht_{RbxR{6bpsx+>e@s@W)&|=b*z5p-8Oa9(h-f-Wo;MAEIpanI0<32Op zV^IUw4pC>XD=OJAUAz^Y6IHu*{RX+~+}`)E0u_-IGuKYR5f|VuCpbh0aVo9B>@+3Q ztx4cO4qmu`)uC}zqq{0uLbl8@VgT}87OiM7x*FRVeYf)#VXtm2NXiZ`590ZHqx7Rl z^J|*msa$)pPHGnueBND02m0mBo399w41wjsCtQ)7uu|%ezj<4b3O+-iQds<0LlrV&!+AXEpu&}nZv?*;9^*{1nXAmiX zqTj9!xkQPM`wWQbJ?(a`)>?|S9G|+&XPvIrGfR>w-T(MLU<2ol*;*l(HImlch(Cci z)$zCv1ZN;Pzo^|JvS_Vuua}Z)erx)p=z{1qmg4c35v4+#Zz&T(8SbMiI$(Y1*womq zG}_#IX%A5`+ewI;ju>*QJid5_bmqu(C&~nOcHPJ<`~+oy4`VkNj)|8VzsmL zuLDL$xgFnlf1xGWy>|=dfg57pnm}vyb)14O&{}n6!9z!r#gLJcJHMs_+$;vs;9JCJ zAsN;ag$4h}&-m2tF@B)kU&gV?*~i_#1IKB@p>?n9w+rNn=fGq3FF8Gkz5oZ}zf)f7 z_F%;F@bEDDuC#ZHdn9~^4D#iTE3eW!r}$1peuPt1E7&B2Tv!Y~IUuxm`JBg_$W=|F zw-V_}vZ`=l`nyPzUi9#!B6a!|T{Gsx*Gmiz=v!5rRhjhGy7ak4pnV5s@g>c@Xkd2s zBKC7cj&oX${HQu@Pd`w(J)WFWmQEm7Mpg(t=)CuFc}=Qk6tQ6xN(2I^ZKq;- zk-4@^kD~Pjm+7%9F(yfnN+41Z)7yFvvKkwH`uM@fkXYFmPMQowLS%dw24ceU#h2TF3=8A z`!@K4*Yq-XHHsJ)f|7-O555;ER@u8nY(`*xS5YsGk@HRl<{lu;poN8#oUV7^#;Lya zc!{61v&$|MB)TT31NVJQhNs2xT7T%m!aPh4Z)x0^2M^5%MRmDH_d#|D0Uogkr*h&F zIQSASvJ-YeSw2iv7N?}wj{_6lTuW2REt70<@WDk#S-}#Rz4xf&pMOZ?!XOT)cZO_5 zC3|juf@)B}W?qq%%AoA=|A_kPxTfFkeL#?A8`6&02uFvAloA_Kf@5?mAt9ae5h;O< z6mX;p5ON`UhsOq#ckWz<t#~uvP*~ zClgw&(r=M(FTuck)7vT84F5bV0@bGeh|gSYd3HXt*~0SgNyxk=;&K&jFxvhN_yp1} z3ki<_f3_Q{%oR%Yu-|S^{!A;VBTJaFcxbd@EnyTXkNHZiAvW2v9uS-vb%FcUDvQXvN{ zp#^O6cWF#2fB}Vm=8`b<3QsX(M_8|N6?n3BZfV!VVrbXL|0U1posZ2VI8-b!vezP( z`*ZL{ED08;w1V?PY3kljCiw>5$If5Ysj__jYfe>Aw+f zU4Us6j4h}evFpB5&L)Vu*%q$>gi>i$X_=S|Hhldl&aD4Xj2I!9Pk7qh-R}T8{w4wLIlNe%X_SQ_Gwh&&@h+A8aBpk;<)24NF!PYE8cb~U)DA#8Kme^?B`PxKN)nbt*X4&>(o%D#n0 z2lE1!!u7jzdNtB3Y>f(4r?;Wr7JphlZ0!)v?N@JAd~LV{?=8%a`5R|tZP%v;Supic zs)^DnH2XVf+Pl6!2{b%QOtpl{n&ag{?=8Y?&GfytNJ(b5Y^(j6OmA_YXv6v8#Ue+i0bhYvq7+;n&y7 
z11N`p2O^Y&u1jJ;#6GY}Xjf1qP~;y+jL?*DnR0zN$qhx+P;H)bD)|+4_Z3d)K0pF%qgK5Bs{fa zuw+vEu^uY7a?jZem_U->2#sq%Nx|UXirni@c2+9y^H|$d zH34n*FsuvPMWKq?d{`641Xqp>gs^zs!)u`V)70$vzJUQV*#23AeDHG?u^vS!ESa*A z*gz~@6!c!yUf5?W2|rCgq~B{r$&N;-3eBIO*5&H~H0cS2DpHT7Ucpn1*FEOZ$}eWD zr(t-+LM5MdsQH^aV}b2+tbBMxW`Z{M4Kj^tbPP|s5A!b1lDqn$F&5FRQE1_L!xk`k z^Ksz?B;=AM4B`^BRO}fW*_oMsDl3}q*3TS%8k-OGP4M|x3FsCjaA@Rr*1o#Ir*@#8 zo%-kJ^PeQf=k7;a)~^)5&JX;cV_G>~{z)7#sQU4kw*m4{jm$u#fr&~=Da=rFuO-AL1OF+bFF7x=U85@0p z@^??N2r?6@pp8iXn@O0hoaCoz;MrR=w=d*24UnS&Zmf1OcS zc$wgTNHY^;5@^S8Csp{$$)??ErS@g|ciXCZ+LKn|;!H%j#Usy8w|a~_hf}l{K^#+d z5&3nQ52!A{IjDQ8QL#V|IMC$%idn~cXkImq#J=fioKWZml7s=`O(ncAH@D<)r=huR zfpF6z6r%b@*e^u|cLq}jp4R&^3co-fEUi-1%sja?bLM%)EK6rqLe9{BOIbx#ixv>< zv%^{RXqqdC1=<%0dS6m)%b4#)wOMtuw-G+u48CA`bJHtw#JO9RKeY{(G)B|UvWC?6 zj%#D5LA?prPB4VbmIFs-B3dx~7^(JHC0Y4RxI(4_!lUUx z4ZQp`W;WvZDBMCVu$sk1>}i1Kj_TVNU$|$fdsM9&m3YD?!w`*ta=Emn(DK8jQ0tkO z?2V~C9UymQl+6dE^JBQVq=zHDVkcKtMxkQwHSw%5k26B|k^n^N)U~9Que`IO)bV;} z8L&k+W|CHqrCNg>OS9DKcIAI%hixQ(AEINtydG0-G4r1-TG$RNTEs08fV0be7J+uK9#tsfA%ut8W99ierWT~PAV@~2S5lX8(8 zd}{*jus|cb#192Wxibb5Mw+?2-6UtQ?{)$ph&Mt_fjqdE`W!nJ7p6)M){Dfa+0sCS z26WUgqyJDdSnk*p$U0{@MdjUQHErzC{6IL`I3POiE!VpZ!??wU<_ZN`L zX@G>$s2$dUa0{iU@Nzz!46Z=mo=&soUh4~_cGp{%$odE znNjh6>z()WmCBRitRwS}6*K+o?oSq>O=Y2#*Wrs(aewmszN-Hy`A*|7SMBR>InK2^ za3?OXEer74@rm5-dB>f7^8vp?Wr;|0n(!GmEJ8drDi$}0XW($m7-m6vVEd5&Zs6X8 zq-6d7w3fgneb^OwV#p?6D~pc7C&f44;7?#RVL9)O_T7B~r{2)0E3pT%^&xF@ z?Mz4fEdXb<#E|Qs{pQcdY^$w<(tJIvH8EPQo@!5gYl)tQK(S@diutk)`XPM2)H(Q3 zBtG5sj0Mbd`K&>O6CD{=#lu}EP28)_V@^KWoz*lG#2*k}!$8asV#Zmy>ZI zhqTO>++~4MM5+hh>`>tj->a)wTwZ$xuONrsU)IR}ptYdYdZqt_c0jz1v2DNXwWnyv zYwVv?*E60gGNg(tH3|z2dO^#%PcIxgz~Yh*u5#WDx?fJQb#At^Q*dW!FXk_{7{ z!~nHgTxth3R2~NCWOC#ivj8`0$z@R^;UW|3`24yA3D_BSFSa*7OBp0;~}i zz#~ymQg$z-ps4J10V&z8@^|EY+%-2mP)xtNypU@0~}(dWF@NfOx)n zjs>%mne-}ro=ydJKYi;{*F|8WStB$A*#!rBy~1!Ia$UOOBn)!A4u~115C`v^?%>`* zFl3@VN``zrkTqsPt92xm7KqY2N-L^BU8a?TH=RXmzprc-9*NfNkrt z=|73e`uC!^#;Y)m0!`f}3Mw$5Px1vhc4q{yeFbarKs-p`eZg+-Rl1|cj~jGp?uU(s 
z_@sR_`2@{K9cnS`(jtXtq~SbD9Ha^(Z!8tYTY20_Pg1obPufC=Q%UL|)x|VR4@ng& zrR&$EXfT$gdEB9e`ceyFuQ~*IXf=JiD!r)(ZOWOZe7gz;?qMvI>zz1ODXKQW(i0lK zfRxz=!wD-~QR-q}WF#v|ypa^f12?b${IABR^j$UR69|8s9FFc5`@I0>dbq^PjX%(` z`bb?@d#?x@7JT>wH2$kW{6~Yak8(GlD31Ha{e+W%!jxyvUkzI~_D(&peEzi#J9bRU-oNt-n(bpH z70q%d`A$BOuDY%BrFcVc|8Zo&*86`%&r|nFPe+lmFS=3(2>_*O2@rK>F7-MRJeoFP zoz!~QZs+98zMx~0qkS%?KuSx>!zAir96QL};oQhs;v|=In2-a81W<|7RTdGL7#LkM zSx6XERAx!6P(Ki24#Q`#Kje${tFRu>G7?SGuFF=IW7_A!`0y|i$vv!d}8!A zp#j;_!YLT09q%dP>Im0B&L>`g+*XU+qvWv)iqU&HLXh=wc$Rm0gdR2%mdHfH#Hqwj zEbN6!bzi?!te~BuFfx*kJ^b&hLl!X|Iu)-}iCzRjV-|i@mWQfCUB%u#J2}ut zR-Aktbx_qPDtM9?05WH&VOG-1Uv=E-B7^*!F8?)l`s?KxCvM?ZFE>o6B=vi4wXxGs zW^j=;3>tsuvn{=$a1=qZ?V2yts?$XY%MqU+4iwmteX1J*PWb-80L+KeU{lMvH*3^K za{!md{Z4z~4@n_A|1n2ng96+sK8o!0_WZf2Kejz_`gRG#^;f++H8n+Sl)e7?u+!B~ z6A0&iF(Cavz(a4+1EBYp3txU;4E|~O`7-eH?L~9do}U@(^*=Y+)o-_^63l7G|Go+| z7!ZW*eFnx5G{a?m*0%xKW8_sUS#kruq!V^k4nLM(Vbqcsn5c?-&x<7|E(fb;1DL+& zJL!s7wfXw4?tyTdkhIyr3wUi1L$)IuCXf>7MNkBq-YVHnA`3T`t+fFsh=Htulkeg| z#Cq=!WKidSF$tGvBb!r~!}Gpv>W20|>857Ps>zz`Eq#5NF@^R5)L_*cArDQT{ru7V zTTCdYvAOcYd(ye?$|nRq0zZr|JUpCH^%X;Nib>Lh(#1#bp$~sPq=zRUkX&9re;x;> zx5zblug@zC9uNI_o<#XzIb3#>7o`;=cg?9IVWI9RM^Q(*kmM_=W%iNru?wVZ%?3#T zl>v1yhzDt>0&w_uNExE$mjuYL38#;F;TaMiw4&6=XJC+w0l&uv2y-#~C3v;#GzEer zoAyBSpXkd#-w4afp2w-Lfwj7bXuKe*3(CRcv>(uhP18n|cob?GsGHctFTf?aJB|{z zdeI@s>vre4!;m#i6m|m56`0ol!U62<7|N1ro)*O?+qD|WsKqBBd_UPl^d0yg(pVrV!4Sqo^_-!d;TAPOB^4|QS^rCKYhNpUjO2Bu)?T4liICZ zRgPL1P-F27XOwiMdP2GY76*4=aT?O3@`QqIu&&?~0t)+Q1#BcZ*Em&1qVJ{l~`vn4z%u0cqtxh1~ME4qG3P-Axxv9WJz z78%(YD!1Rj_aPk;8!fKpq5OVKPZmxZ#puqs%y2}hYCL?p`fNvDpZg@atf#is^w#m! 
z)Qmve`?`erbB)-F>bRfph)*t0&v(Y?FM|qxyEi1y`;FFZ>t=g-{#IWPpXZ!E--QLE zrez(dL)o$<9_?vfi}Zg+`>~mCJ#RbmLF?|4)5}?zXC2z_`1!ZL2F^eH^u5PjC-D8^ zmp9p|>%PM5jR0#y{tKf~iZjJZJM%fh?J4_db34jtUwrpy^j+tTIls|g)eWf^r>km14xyaE*Mqh9uQj%-zVmLOz?wPd z(ED=DjfNr3KSsTaqMbnat8lK;us#Zq{+Qbf?pPewOQUS#imEOCVZQrCpNk0^@di%P zx8r$@X=W`(JjhW$@Jsa*_ljFq3wzM$n9JJJpN|jgMuPnVKSRIO`5gcGDAAe~G_Mmu zNsFO#K#-d@m7J(cS!jkfrpT7($FxF8RZB87PypdTsjdqhq!yJ_Kk;fWPa=sKps0-w zB4(eM`_CE!)B2z!STa*SVb)$FMQYo-Oua^jH@d)()%GY=Y3$gNT>OL<8;zN+ki|{D z6T`?8<8U@;^e^Pq7AZcAS%whIg&OmPV0YEbnlI{$nsq!0fv!N@Sp5R&au*fgk>9O8&VGP?c{A0FQ`EhF<>4c(#*jvz zMh)?CMsF=Q$%yz821gG25&UEa9ZQDoJxhT;QRjPe_m`7zeb}H?x&QsC1Ly93-RL!v zU*j>^SMBr`HVU5lrdquR`0R^cU)Wg<6(%k2m-60{>(TiVC1U_UJ_H!xIDscCOtzG890`9d6Li*J%uN{!viLZcs4?|*;>Pdm$M1{%o*tWvs*zuw!* zHGWebv|k-Ctb{r0_+D!LPs>{N1JSk@mjMm|?fJl4B)v% zirqQ;KDxYIo6}-*rT*m4yoLPY#5dz?v%UW1TjGjlM@xA`baBv8-_~ubit~ltRbmwa zt1!3qc9%FqbdAey!$;olMgJrzJAo#fsV;|S4j8jq{sDXU8uRk@W z+3M9Zb2g;i;vZ7ru5<{BmE07hmG@I9@Sn9VI_C}Q->{xPA!^_TvcAp<)p!|5-^JOj z+ALk}T)ZX%6DnOU=k~3=C9y$|0u{~`=@^&`(K0O(w`3>40!)8xB=PH7&ORAE*utB^ zj`Hup5JMmWt0nh>Z;AFtQRarz6&xW*A1qP+hIWLv?zWnFnQuxCXhz%&#-VeqYE@~t z8SRS4-ySYR%i(!3X7*aBmM_#rQ5K~` zS+dX~=#F-c*SI;6FH`~+4pWKBZORwFA%;q#EHaQi#3HE0MBp7*6Vwygv87B(K$4(> z5-I3rf|up3t};VLgy9xxxv5C4eDpF>KV1o6<}^eYV}_lw6cL}5 zg}Frq&-6BDOUvW$*y(OBmu>G%f1R`OvU^R!(A|AGeSUjCYQOgQ;{Ec+iFa05A<74_vHh8_>f{Vf{w1$1k~?9uM*SVYT(cMH*UH5yJ>`~__=xDP zG!T7pbW-bVi;rkQ1fQ%5>Pnx7+EZY9_UMWIFswgnTk&a}YNRZ)n6p_J$X*bK!z`L2 zqa+eb3hF`_)#O0Bk-}Qm@s3D#2UR1tYI}wN4(J#WYz{7ACUxe#xy7V~0;m`@lROlS zSXR1L??|k2p&66D147#IN6XuF!(jXSk*&wSKb5%`w@2??v(btn9<@7C@O85I zWs;6kmhWgw&b%3g8|aT1KSD#C##RAeIf(5~*EN6%!}B5fzc=9bIKOOmrD|&q_Nf$F zw1xME6=MX&wq8tliBgT2RW#okS1QEwMVvdZB^0~@-+ywu zv5=5;32X@W31EZvQ#$naMG8M-X2IJA;%+YUNv67Vt@;RM(ixA*-QdE4?5P5%-UyR1lzjBv zejY=8ZONeVV=5UIcT+_`I75x^45pY=vGxGBPYCIIG0?sO+qckDjJgY`nAX5qFU+)J zhVZ0s(JKT}$r2C#f{0AnW#q7gZ1~Y>=gZd`rZLx+`1l=a7IQ^D0jALEPe=n8LRDc) zULD*vI1TnniMvb_L^LSBL!Bz1_i^WkCOAzMOH!w^nzBti3q>U_gN?I?egs_vJHHo8 
zw-2KwQ&dwd`#qzfxyk2~#G)9XN1s=JlG5gyDr3%fx(njDYQ>n>!0zo1mL|;LE(6i% zu_-l4_3$+|?ozM^V(LLfOv1>fhD~J$eTI;_STj!`f~gi!IvWGe;$P!w?j?={szhm^ zb$gNd?;8`C)+3`1N61(#?Kaf}ChY%xt0_G?N4dqH?G9l$v2RTd<}>ZEQ}>56ezWzh z^P@2@^)lZYPvqPS3Ca??l&*orL#l@$U9>NYQUBcmj(>Lm_y6qxslPjb6}sipPC!Y= z1vIir=-|ZN9wJ9snLveSKZgTLd0m^AA|t{h*zPnynQznvPe;aWeaGC?ZvC78aPtc{ zX!i9tEng;GV3%a?eLhkWYyAy9aq2s85B|^nF@w26(bpb`RU$7XzlpUtBa{He0P_Vp z{Akr<7tOyyhA{)D+CFbWlsHATT1eCqgO$#*&njkqS~7vx66A&7pmK^lB3IIw?eK^k zohp+8umSa(T)EnJ6a7$Ra>#J>6-f1ng$WU84uOHJU}prMbrO{H?R+BAPJszlN^ako z{aN4p;uH66_EOYIf^%LTznd_;AUR!FF^ZytyB~c9d+t}v7!HE)@O=e(u*#SCAZ9nc?}@#o02ZFcMr)98%pS|A#vJTOkoB@Z z$dzEqEr;|6Q*FabQLLh}cIL0!VZy==Gx4*tUhr*8xv(iOy{}Do@4aYc*I`U0dG3O^ z{=KJR-@lRQ_j2wopmM!*4Fvx3z%KCpmwMZ6DPTl4f1%){c6=Cy7z+^kvWe2`y%57X zjEZ&0m$RS2{r4SrdoJnk6bU8hJGU{;l03?OKyz{WO6cff^Y>|LonR|$wX3hc`(}8M z+odIWo)<(QdOP?FarwJN9wt2@`P6=Y_t#;d(Ch*-7ih?g8y?Bf)(`Ml1TCr-t7?Qj z(8ri<-o#&`@gy(;xIKpIt8!!;cUbVt^5~hL75oG_-7v~$V-egmW+<+VZXj#eQ8FmZ z!fM?jkuyIA9Yva?XhnR1ZePI_cjR~2?!iKkJN0D4$v!sPRED|HzgAB^5zEm+fo&~S zS`o%dsYO#>m#3cBY8Ja#FeQ6zfjD5k>tTc*FiSFtlDmKNC*j>nEtyIMgqB%Wy4>g( z6vuO1UYs)4F|Dfvs<&$^ASF?)gC|u>r>WtE&H#Jn%x;`;t|JX{7&ET8QaPgSijk!Qy_UsUSYWFGfKQfN7o1dQQ_)5*B@Hw>R{Uv0qvlWrW^LQZ4pUNwWYgOH?T6F$?!fW6qla^IdA}t8sm}b# z{%+-sr0<_t!r@$A%KXj8n|EZD>VCD3YX9U!t|vZSS+xIir)9_L?vKS6m7l~u1`kF* zoj935h%#MQ7)>DN0crQBfWjWjNUXc%%_WCK8soa5k_SjLL?D9YSL&rB; z6QnOdbPNTxH5Pmg9GZKv?T2$jba?V=u9%>xzlGHzwDWo zd0r%Be`(A?fHCS8>mxNS>mNP@aP=`Dw%~1$%~bwUjK)<#%gZxeT`$(Xl8&G?uIg^p zCkJ8*Hd!1vW@;xFXB}vf`dhr_)`Y&x-+1&rak*ijUMBwa-24m%{&4-{f6^A}Sa<(# zelC{xd^eoakx^vWf38p0VXk0tj>+HK_|_ul_hU0-FIJNeKTc9B7}8vPzO5AWXYO*7 z+jIWc#8)Lcg|`O|U8#28kM^Kr`-cMM&rb>r1Ix$PlOODN-xMEP_6Z7@s1>jHN6YP5 zK=SM!zFFy_ZF#t5a5(9@mDPmmS-&%dzo_|z<@PDJmkNqTzGe_6UevKD$5*n)~9-x3Yt)4D5sfmlXDMtGxx&K|vrk*)6Yjdy>YdFkr> zo+>OWG4198_!I=mi)Uulv=CE7AA{7c8dMcpL;(2>K~7*o z#YeJ~C)asHxbR7oTsJpH1pX-)7lMhzIqGFro?&Zn8g*!H6DHbje9VwTLYD;qw*3W; zCWFNqN>ch|W`ZJ|R1R;omh|8t)Sfq>~9>wn+HG5zXzu% 
z0@NB8%aYS1cp*^Yf#Z)LGe4X_wX$ml~QL$u!xZgTHtqkdWGtd-4LJ(6Ru=&b62t zC}wf=5&oj^NhVe@*pYl_M=rmO(5*+y5b&;mNSeA<%WACRuT+6E;3-@rD`>>kZVUjv zi^X*;ye){1FZg3XyF_Opznm9!J$Ug9>hoAl8O6GqS;5)FB=eHK$w1BvP<>0lq*meg zHE^is13(eYopD_Nhoi@ykkM!4F|)2mc6)22gAAQKn}kG#jRjdy(Q@P-juMXw!WivC z%x>RrFF@PGjxh4z5ZWvhwgq(vJSQusp8Z|EoK2e^on5c0iqDr8^@Fe(zrDH~Ua_Bn z6Yeg$iunZ1=Z?so&->l^ZgG%*7qpGITT`(b5G#kjJ^$rl^8X49`5^f1v;BIGhuYu$ zp1YpZKWQgS)+faLgx5HkF~(UyiHTk+vSj($J=3@2euSIAM7v(*AfEl=9Uvj=&Oebk z|FwHtsrBR}!|H`_(4#Zj$~WKdUk&{77_;5$-v`&|VK?^VQ zzJ9|KuSmuGa--fDN4=C+G;crK1onm@xhx@0ZQ+Fr-~%uNLd-^VFFogrbb_X?nqTit%1=Qko=Lgl_6TDV%gE@)^oqOIs^opw zToHf;SDhsQ+WvyJsjkwo0tP0z-K%W;VZ5wdC9!01%pjo&(u3_lzxo2e-s#9ii!~5^ zX}j794{&IiSiPS}c{At5-&)1#vFhbFQ{3lbGA?peXLq(%lmIOB z=X&e;o@audo27qZ1v%r4X+4F9zTR#gqm=y7m862x2LGE4bpFi-;{2xex%!zg{s)Tm z4AaMd%S)Lc)#V#R?umfk18TGtHzlz^Mi3&<3w~v`v6G6~b}0y2BaxGHSp;9%!^@*7 zM{UO4#Tx@JUId%}9*-&GI{6e`=3ZH_wNt?qJRAP5?5lLS<)4r5wy%4ZPmeTah;ev) zFuQF0=Xs~RVq-k_tTHI$_1FEZ?O!hsPyu2#l` z4*}U9jEr#HV1A=5h6)1-HZZfK#zf;MJ=Q>RXd_`$nd?9LQdE1b`n+B`xU%JAmH1`}6m1w6uR3m@skj#a6~_*G9n&k0h_g;TvciIt9;nfi|1`x=8cV zaARYXhZL-^MJy>@uV|0pp;Btb5J8u?r3Ue1V%4V)Mhq@_wMdgB7LIwPz0ukxBaYC0 zWVAG>O6b6nOMWKTGTZq{NF;EXFm;pDE^feL!cwpN9a7C`|4Ny6K0B(lZy`ahikzIA zu?ug6`X~n&_d@P6K`voypn~fc;EMRtDp?Rce1u9EF5=tHnRi3~!6&m3(4T}-zjOMJqk$9t&p)_h zxHDMea_cjNIK6YXJ0 zY9}&dA|SS}2sPpuCsH0VLMLNF_+dv~V+n=5;j_2FmXGV>zN`Mls%O$}s2D`KMGKMQ zib=qUwA`wUEfVQc3lVe-kO+-D)E7LhUbtEvw2b+HTkCV$5To~wBEDS=rI)Kkg<9#s zhM6YOi!)G16t9s0F3t;G7bAkD7E~Up%0;X3shjBI;L(aG zL?S5wWCCM;VXp5mqI}eudEcD*%S#w#bIs5(`!E}b8XKY?nmfg4Dg>%z&X1m)|ViUG~MK zqyzgnO#9Qgyv2wYNd!)uNtT=jQo#_ZeeSG>7sPPp=p##Q12yz;HJpJ|Wmm$y>JTRg zUU&j_j9Qw42WS}`#NrHYR{_>V)jW(tU{kQ#RRqQo7?vbL6N-ZdQd#7--%^G3_cHs< zo!w8}fG+?f*dqqg+h&MKi=JS_mxQgz>D7nkGaSw(&1N3G^{z7qEqszp#;5FM2u5o| zXRg@|A;Dz6j*}AswL)F$(tjaG$1}exwu-BAE3Ol~|96nPj4VvoMp9aL%{&k=(G{|r zs1z+26s5AjJzdmp61WWUbffB7;P)~wxu~9f8*IPa0RFD4G+e(jF4zTyW0TM99;%Af zqqJnL+W?o4*Fw`CGEkv$Af(G*|FHxjmCXHhyV6ug_<1ByhzC+NxrZPd{iYaIuX_=Z 
z;UM6iO{59|ueNKVwK0p2_$63z$aD(WC$Q=WM!QaGF$_J`iS2?t=?_2GV8rK3PxkJP`KiH0YW zzjVGN+}Gh!70T>d4Pl&iX}oO=3=%hiyn0{8EUEUE3b?i@M4Dxj)mZKIx(=`#?VCRI zyt#-O&rliiFq0evZ}Bo%5{rF@`K9&VQZ)VH%Qk(QP;20ma@Q2(x)^R58( zs(~NWWu`t#I}EEh#-92RcS;+K{33ql=5NzLrFo{m_1Zc4-!$Pxk9)%%nPL4w*n`u8 zng3=8xyv`)D6cCG0i>&A){F^_6Oa(fRF;axO(1Wg*w@1d5PDy`_u*ePbSq+O#>~_{ zKiy@6cJ~0cy25!&7ESi-=eNa-U2vNFi;9h%++>g7$;FKNeSQ&jwS1r-HI@*SisBwD z5YnspP0#~q{t&j$1|=S!xoMIPXZ zaShZCik+xilLFvFpdoxMJb6MZ!UjTLF46B5h%3*`6ThJtC1Kww$m~W$rt=k32v$(& z9hjOToIHVl3=xHllNs7HPNsh8_X6&nDqro_bRLN5Zf>okYa!8n4@@8|WIn8&5z)r# zOI{Q_pz32_iN;Ac4B88Za@)+(h7gIJ++nnk3W~k;+@1_=9yot<@fr3X=jU=drL>M0 z=r&U(=U|2=V4k|_`0LOy=!O`_tN~EfFG2RGvdSPmrVQ~GOlEcsSy2$CTf zA)hAhwSL%)2D*x+3%uhFxH)93mywZrMMmN1?VZ`$iV7g_tMRITM=84^I85k~b%N+i zHn+A)TDi?9OW{OCeCN&#U(JU8dzkIc{Jz=V5fD~CB3Zt3nrQdm0zE1|dx}0d@Xfi` zs47x0p90HB!Enr+*ByF0_LgohtZQ)cn`41nEMM0!<1?<0+PY5um0$zW6bf_}dc}uHm*In(g)u?`;QfQJdY)X` zeN#dnUtIF)7&(7fIaHsYELuo!Nh^Xj#*w9{V_@!E946Iwi3pw1=L zoo?ztg-!zPAN{5vDREVE-;pYR{OR2FRq4;Af-m#Nd)s9cS7`*Q_iu9pvHNEjvg8#t zi_Ha?A-}^^UpPAv#xhQ34tF`j_67pUSHab32mTM}^>$e0EuE)~7e4(_*SryP$|yYa zMrk-$Ah%ou%WJm6n7W*Y?T`GjoG)VBu>kg|dtBW(TTWtHF$k~W5HJzHr6g&)_)*mW z@FjwOL$h=G=sh}EP|2bJ(IyrL+iUE>q_|6Q62Vl8QMlixn%rp7HRQ->Zk?>BKxuN$ zsI{qGd}9F-e5GcpYecSsA_cg} zZPn1ihmc3qeAfdJh(e35YTF~VdLEk5G4KUC0~|Hx;AkyoKSGgXa0+5>inmcx02N5y zC2vwADR${Myl)oMf*|JJN1|HpIjZ3|?=<0AyIpw2KILpeDW&;wRKhm#2i#l2g%;kb zD6U+!b{3Q&z&`oR|GdE;KxRZaZ?Tg%oV4iQIWdf7`_T01-yHmA z>)c-O0oNP?hEjJ^l=svgVV~aF^ZD8iuFafJg2Wv2dAR}*( zib1vqsAF(nz9TKesguUc5^mXr5RJAUR0B9FT|i!y=Fh=D_3bLAt?shW z*c>nnXBLtEiV!1{@7}_3(890ke8CzFjPX3FoOOnzUXel>z^rK5O?dB@##C+C7$k00 z-D7!N4P=x65nNKOR&;*5%2h!^Hb3Uh*RP+-dItUk2Pg_Cfc2%FF<0UW>wP|$hj;zE z$g;p9k8W*krHGg=P5=16g`NS0`MIda)c`e?G=F{P4_dOvJqaMCXt-S)p^$m}#4D2~ z`#PX8`JPF2$fvrb*j0rlCxWeG!ctlj6rbAT&#@gYclq3eH6k2VmedQxizErhW~OdI zc2i`9T2u~>k5U-NYXpS3T<6*gw7b31P+l>EP_5BIi#evhwecPn^Wu16EO80GNAQs! 
z3jtBE-v&CvbuDmXF#EgYfyL1%R!YOjcdeQ52}z@9W)*ED6Du`+hgsSK1A;|QbjWLlYny6U zv5}^039hbJv3uf=6&UJW2O>paUJ+cIbggX)-xuTT0xgalKPZk>4OIyK6ylvw;h3xJ zZVbpf6#f^}>mvGf{t2o*{L37=o}oT9D7Y%fJY`s{S{Rvh&-jMn@abfm*6A9l89-|B zRVdz*5PfekbLi;w4%iXv_0uvzw0}uIFCj%!hM^ZXiWu+YzW-h!o;tijP*qE&TDx|a zd?xuc$HQ8ow@wGv3*PmnTAe?9+|2r>k|y)!I6-YEHz zcD`^D$`_Ac71GpqOJGdpJuYuQj1Ynu32Ou+)rE7ZuJr)iYUXrsZ$|l3W-$t_3@x1C z_P}b4AnRm=2u(<#AQ^;$TGD=FoCr#!Nc_zmZOX8wL0fxi)KwvVV>=g-yojO5xEB*< z8kTl2CJ`Nz-u*3Dqu950ycygGl-cZrq9r8&zWpX$naQ^%?Wm=l=Pt)v$h-)}Dxrkc zjzMy*7Cm@vBa~g6;=TLpQM8Eyps4;#GMy+@yf7G&61mTvk)2q^<_ihc^|rm=^fz_W zq0jKjno+H50B}1evylQ$>+fu@8FFIc%wEj*(RK-8yDX(&p{w=*syFykjQgLd-9`Pj zq2T{4?zQXRf7I%FN*{FzmsYF$0P&7wTds!6><_SQB+&RfJx0F1VT^5qKlE zR^!BSI#P$Qqy^xgl-aNHT_4i)fH6i5)9B$MO*lp0R^sqcbL>zpy&SN?#2KQH_7Xn7{9 z{&_oWTMo|#kg~_Cj!&Q$lI9QT7%}=n&UE2K%PRG2TXc{3GVa*AAsY70aqdOg4f>1v zi0f~9rakmhZ0pI*!A^lV0L7%Ie1uS%K=Y%l8Inv@#zrwNQDBEoUM($Qonl5B_Kfy^ zFV(b%*~xUQ!8llMT{+x_)>A0+XjMA6xM&fSn8UIde}|vh>fZXimWA$`gGSrHT^epo zi3bHFIRdaMEMs>4+oHa!#I$M5&islwWlW3GkZcI~kXAC7Y7oXUntP=R-5iR$3TQ!2 zMx6ii;s*<;WRo;P?cyM}8A8bWZ@s1BSZ&^)|07cO6EWd*gN4Km=mBos7$|6q5nedp zreP@ra1>QfuH4m}UgWoU?HC}(OW1l`_;`pX2mc6GA#O|uU|$s7+>9p0s8?HB(*cet zy`o`qKoLBh(UrbC^)X7pIE~%c2M0;r!=A8TfK%F_%BcILoj^l62%Rr)lyc3#Qs@Js zR9XrJ)|2(OGLYOV>w-uS&h zoYDkgXo3Q2A~fK!at2(l2)ztANKy-LTCP^73=?804G+Ujc_UnYt^SjIZMh;fBb$sh z!W2bo5cM#7TBShz#u~CWHdXKB{mUy5HJpUrriK%J=D@Uvx;4WJ%p+<+k=!jjzauYK zoU*hl0Z@G==1ig!$4X(+2;V9t857&b{Ah}fLnBA{!a!nMxg z4L%oZKgL*cRO1S1O2j5inIyepqP3aqF_vk^$juJ!3^8F~bCsm$ir?ndr~+O(bwGrH z(SonBq)oL25erO!E6FxNxv1bP@>zj^@0YbR40wwuj9`0_D)*x3@^nRT;d<&|$TG4H zuj z2KnMIp_E*x^%o4em)?2XS3C=?edUP@zScoMKOY@U=?`mNY74VAzW8`@5}uqr(Qx-d zUB58<*<$zUZbNXA8>hUF?C-|qQxMm|#SMy&EteB9O6S8X9oFA3>K`6&i4Jj}ZRO}@ zUHDu?9Ly%>ai=J-ikZI}xfm`x{dFF-_Tfq3*(NK)(zF#u^757K_Aez6kt_fJZ2*1QQ2k`fEASV8vT5tqDW%PQd6yQhvcv{P(g2=!sCpKkD`rZbJZ5!~~ zdo@)y_yo)!NYAqqLu5~;v+3#;^AVu1wtABsUIlG{N|j=T4%n3{NYFg|^0E6rep|6A z6bBFPQ6%#_*!L&WtuE)K@G7!*nA2cXbc~AtAI(pS^i!W{kVe2z&qhFe&WDKs51B^D 
zACA8v&;Y_qwDtiWgGgRP7Y2_K|2q?nqW+tgP5wY>-!B-BQ>oNN<)(vAX+Zs0tcPs| z(8c}}x5vIwWDDO{!U-K1lUZ7vZhrkQf}H)ZeETgF`WB5(@8{@HSugfNr=WczQ}S13 zFWEmzt_pM9Kzn)s7ECc}sve7mM;&*e4)MviqZ-z=Kcrvo?uL_DJfPtm+_-h3(_klu`YR^~4YZboAO5m@+wAx84I1ND97B4 zjvrwMCP0U6m*8Ymm-8woSh;y?-qTaUkL&BE-kYPI%cG#{of$!OQ!I`g@U7KkGvA6Z zSVtD0=sQEqv%deL*s}&5#g#7#6@(#bDjj_{y1ilE(2{i4A7N-mV~fh?>UI;kqai9bf~J-wRDHoJ z#Xq;LzCz3%_2{L_Z_T9{f69~#x;K%mJ}k1}e8EJuoBJ(K8^le^0to6#HG|#6TWyU( zD_(^n32Z7HomaL#`M z6mZ0nikrrP<=w^>g5ToT2fpfE`|w1(2WIT52HOVk2~U3}_ofj%Op^Z2D7?>Q|Lap6 z`%LL}j_i~p07^m<|FUJ!!T>!!V9tX|3`xir>H`B6EF_*K{S;oqGNvWOikB-MmoZj2Ik>jbZdNV-eZ=Qo zm}O{qvw3aV6k~i6Nd7G40H$N%H?SzwajK6U&4fd4GtRPy`pl3zBIs;Y{0g{5gMGIG z9K0$ZRrof9oGbf0eeKTyD7dNv`Hpl>=nrJ550Zm%I6$g?LN98~Ik;d{l&+-cO&^cv z)wonXvZ!{jk-vd|+a{zY8I^&-_PtY22bi7a5Nm=ozXcA2_4K2OTm0l;} z!1El|(X<{n{JZh@5je|Gf3>`o7VmxbJ!^Tnp%u{Rr8KvJ(hzjKtUR8*240rHW;3A#nHc({rOdv`_xCzA^(wb zv)CLA?y&w_zwMbF-h5W?m*9nnA$}M$B74C84h`H1@Dd)8GEEkdIH>07Pi%fC zGcc)Or9Wnh3f)Sv;9a|styhz|aT@}f&^MR%c31Qzce`35#)-p*r5wT>?S3WeIox}1 z?+$u7fl<)A&%`dM!-r59e50(!FQC|TJRM3A7MVbo$xF*JVf!;kHYH_mzS4S38>6sU zAEzp-qpkBO0beKd4cn0Kmqs_ktt!+mP2E;j51+iy{zN+l0Nq6QCxdj73-7!8Jrdm24!!#aQjnuJ zNg^ z+|QqQ${piAbC!Cf9*nVWIh5H~6?q2PC)J>*Bv)`&LJM%&6?63^*(rK4SS{2b3HIiY1a* z^GhBh71T1t9y6Z*TD|$x?IwF0exG1Dm%;MB!}xzYq7jKWX-(kgjBP=BXWgnSn$J3! 
zLUW2=b9BgDryQ1GUtXdKBDLJQ-C=F29`|uVjH6*~@^Nt&OEB!NImUJhRn?B^YyXvY z8arf)%qYvAfJta0`IoRRQO$%4*c-A3%R{Jrj!y1%ZTV|BFB>a3x#>=myM-^PP!7Fs zD2fSNu@sQ}QRvh%>&7FuuFZ>kKj_W6gS7|Ghm8Ek9!xTT3_X2#v_jHl+RHk{YF<#`~6{FL~a5xp(22E_Apt+(=t5;>@}@>bsquT_M;Ea z%=S5bv+|gmoL|0q{a!8Hzo?b{FE9o9j#}U+Kq-z7pxybh&t2~+ikX#;eCMUlmD^zW zS;Fy}$E@*_s2AH4tDz#(Adn61RqeYtdcy=o`h|q@d8OjFxlLK}W%(q++j(wU^~_Yx zC5EYg#@~Dmm0wJV5DZmO-aTWYGy7vwl(3BorGTlNZQmg`xUVPp>@qvVoo$QF=;1`y zHzDO;rQ+M{%QPw4Ph)Z;yXY0W>GWkgQmg_GCT)= z_0vR&88+zj%(5sm_X1^Xv zD%hNvC(yI8bggAn#+g~TxPyrQ4NO)Ywt+T(+OxOsL+pT9q>kAWq98(Yj!mbInoC!o z-Z>v!vZh*f72-WiKovQ(dTE|}$Y2iZ`tuT&)qOBtLc4+u$>)sptbo{dV4|OCDh)L} z>(}0d8lLlOM@^mIQ8J#w8f3$29S&h8M_3?ZnvkhrWDUH0Y;tNej0mi-EY5s?dJN35 zmD5?+*@T=dxdA3b0-QCs(dbagra3u&8;T#_UeEO0wS)JPnDrA>T6ojQ?b^AIsgn2_By7r27zYN;qwB`pFYJ+FyCc zwITzXLnLH$yWnwlm9FBm75?o*WXGVP^qxL z44ny&;M*uB*=k?-!XsujPo>Bb{?b7D9-vl!5tjEtI|ATTj3%yKaYCNp*fddTB<46s zb^^mNzF%p>7rydQ4tX$CS`yUkhOeb=^{^5%J{73Q??tn5y#&H3kzlB(;#RJ9hgy+Z zHOWLL@!L9idsl}>Dqx}zS!p;xeRAaW28H2&<&&dfM@x=;Q2_V{E{|hy>=U*ZVa-jq zA+p8l?o3VAIt4L}rU5=W1wV7tBO9wJ?&_sV>&I-aD+F8j7rtyNDr&q9$(yp$Xri$q zrmxiREkV!*B*qmoHKBv3cu%yeZNHzeTG>d6Z>P~Zr@P{i>7sL8Yk3kl=t-N;^6p5| z{Nax_-R=UrMe)+}4u@g2Azy+A5LM?k9?aRRJ086-z6~XVX*2E zGxTzQ`rnTE3ggFRtwC5W)jJ^C^tXOPeX5*3@yQ?_DOwfE@2699x6VaZR3s zt-E5r%PpWhreSn3S4m+Sd|=yPC~2Q*OE2oFJO3qQ{Z1F@HQ9aB+Ow%fR2{zr>HP%$ z$auEyaTLQXq4tK}`megf8w?jaI5|p>@rkoDKcXc?fuCv`#x2TYgIL4_Fc7Rc93$4i zK9BF9kmh$oTFvI$Wsb0ozd!x$QpF=@UUEPeTR`hfE)!OLuQk)3az7dcacLx1Dx14* z&!{gf5~lxMxrC&!3`(B;>JCzGTyku=!Dahh+jIl!t#=$OHIk`C4hVQIXJ(|;4_CIZ zPrLME$#d`AZSs+9vEMM-&0K48OC~S4*i+b2c`;ingq>Q!CimTz`?#t#91YT*CMW0% zb}AKXh76oQt`hW+h#*gFZ4)veKIRUip#@BV1cCc)bASWB`0-N4^&0dE4gr5YdT?ba zndb8QO~}2qPnRp6S|oTDup1dsR4CNA;YdDTdc6}@>mW;-$Fn31M0{KaYoe6+)4p`% zb-j`KeD~}S;(h&?niUb5?A-fwuEpnk?^@`Iqn8i?h>_(I^X}qzFeG5k<{GQ|M(1d+ zTkF{#=yykqUGpcI{k-AIEzhV`i-F&4G+9cM-!yi{t3}6t{v~G;ad1Q6;u~H;@g%2* zuI#{f%jl|{FR}4o_L>y5AjkrU<^AA@@OvJ}Z9@U0S~f=v_AsoNji7Ni%Lm7`TkNKL 
zu(st2Uv;dd<*}xgLw{`BXh>QN?*PBPWGkG>VE0Sk_IlR&y9l|;T z+HTHdp1;B@>H8R$=DcH zbgsFY+OQnpdFNOkn-YJ;V6B$HGt3*-1eQz~C$5y^CI%=lU`Ns1g}u*-n^ZIOc4m9Y zgP|C<9gQHTA&z~*xdVKejhOxJo4Z#ouCEz(WEBDAkDf^l)3X5*E)|qYjcgVx&WmgIXLWU2HjLO0k$*abWLj{xWsnPsF_!rrm`9r3y zb*kGlc7Q8KuQZiej`s3fRi6CI7abI7wrK%%t^VmgVB0VvNVv4P>`(fSeqH3y`Ar+f z)*umhHP+GIu1Zqu9xu_l9U@S+J{ywS1eqe|><&~|hJH<{#SxN% z&RCH1t3JnMnS(`q2^}}L_ta;3%IdP7+JylU+eImW>KXBJ!R6Yr7?G_qb%@sp?> zmeQLqETh&Fhh+R)j9Ie7uiWQZmk}1`W+W+Z-1yQO)_k+kY@MVonaLZyPI5{z7|#wT zzJaFGvFEsMaY(IqkOJS!CHP=V85Zlei_3r|XMR5G*Sz{k61L+I_GCX+xiEVUvt0$Y z5Dm}v`tz%syvpo5`K2^+S^Z=^s$rE<0_-0_dg$(kP}tHrXGmKby1EDWM_U9a5KlC* z6_rsHP562)%bNB^H4?2%-`A>Oy|* z)wG81#Y3)9@6Y}d&Rh3C=)I@j#!4(+c1b7O1*@9)dQ1$!e9cZcJOu>wbq1}x$^$yHux$900o+{_l<%qk1987t<{rIpaS@3R;d+3f z$h32hsmTBi;>Lt(U0KCeo@SEwLj}##&XHIOW=bRa8m6Mt<`nyvO}a{-W99UWXm}s+ z_dXpKpu3_CR;kwQhw%UuFiY)OGlg=c(N_qKrHd4S#&9B5`*?wvA7630C1X}z6JH>T z>1W8#+o5h>CM;Wsbb;&?A3LZ?#hnf4yr%`&TD5m`lp-{Ap+qCO%UAMjdA0Z<4j+7Q zMLtcJkpGju^@R;fj|+!v7Hq93<&Yhi4Y8eNTC7!rSKB2kU;QxZjjN!;J|qZ0BS1(lX-%wq$JE)4~S9&5gEF+N7v_zIRDbM;_9 z$LDOQ?^a^P&rq!lHrH6=Vu+1ReRi-+^6(GWd8^7hrJB#um#$eY*b@8~osMO6DO4|u zvt~8oo|j;i7?iiP4&sCx|c zA>%wjcnVb==UEJ}vt4+xhu)(RLY5$$tr{2F?BPCaIJurgOvQ6F5$W;PUN4uQz40BP zjqneZZkNDMbu_cSupcyD(x0PNN*vI1Q&=rx+x7Z*jI&6GZe{P$ z@$OR*Sm?&z9K-IoM(Dj8Ir($_u|sB7VI)^th!#)mlDGQy5G&7euETXZ{|>R{eT>@| zK}MkiH*brrgIxZMpk)1~c7^Ye?g`F#tq(rF4a46x_fids{^5?@k+|XemP|U&BEC)r zetg6#dU4*c+ID*s8CvDPQ7YnT>IsdHQ>gSKq~Zd`}cypzPW%b-vPFeNME$7rA~0~HrDF`zqLaI ze8=wZV`xq%6-Y+v!LiRDbkj!C(stE)SUMwXeP%xLSk#h2+nXl%@0Cg8%|NiEyxiMg zXW2H}G~W6<-0q1tK;{?{d3!^xr@r%2fY)bpfga{FB7Ac7)2y(=L|0g=kFfE+YR!e?C8ozdUYOy|E?^`xWi0Po%n~J#ec`8==Cx`35Q$ zXnk=30|$`r3%11d9I^QP(W!gilsxD3MdI}^AVR}o*tfFTrkWrn&dYS=)H7w7WVd@E zKz70T(^JPkgye4S4_6OTyiIZ&gp(jZd6{bldmdnf!`|BgvxU@x^;lZdzlQ4Kv2W^o zUFvHj{@wMAcaW5%z7upeID>fHHnc>0%r3W7QkOX)^wW<5|`Vt(UQj}64`dw%@6~PJnXb%-p=_&y-iLziZkmV$~W>QRB2LpV|e_- zqjUQA*g!M$4vmI}Jv~#^?4dgSK-+PsepI5B&br*TG%!2RZO__{DAO^VE?F<)%VDE` zF5sR>_$o+NkryCS9B z+F+~{1tKfRAg-rNzO 
z{`efYxNwMv1#d_}%eF0_f@AIq7(6r2D2AIVwoyXl&-D;@G6z4RL0%vM=8 z4INKr6raV87s{=zYvT1J#d2}_aSxGR&pYR(q6Tz@qie<~Gh0xf%#PY`jv|;S)LOM< zDtt_lKeQ}1!ium1q}PoXtsUhK%gf&Ad)(|T+^|Y3z`W@IK~l4KJyJXV^w!V@(O$4u z=tc<%QU97QFy;6RT*8x_PDnoX(Hj~w5ZD>(^RmRjl!Kz3t8T4Kx1GfX;fuJ&ny{Gj zG7@sme){F%k{nfBq_co(zhN7GcMVGAVt~DVG~+5$M_R?lc=@QyRN1k8XS|tiiPl08 z=e^5<7b1SVjq?_JAmG^(1v0N$hF(3L`{)QQqZf*Ayfu1N`Sg@}J?5;V$gwHaPjkU5 z{z`%Nh<`5a3f4W^&}-;@n)y%$YWgHo{ro2FikIzSypj##bJ;`D_t$Vmfgf3E(V%Ci zCyg*~x7+$DmIDD2;?BK*xDcB7^bIRiH3T|c3?d(C{yBkl%wbb!78THtQpFE&B2dCeaPtEOOra;IbDp{QsH z3si-Lb5PO{3azp1?nh`F;^urAE!)FDe}-|V-W~#_(i24dCTQJ7yRkr&-u!bDI!ueW zxa9^u{=w_<2J-#8Bs_g5>Z8Xgdy~&T_@}Uxp57wi0+FD>p{EOw^rLYeI^o-nz53^M zhsz=i=8aR2cu5`7o&z2SOgO%(v5_zL&>V2cBTxG}S>n)f09AKp|L)_ts%jdlXf|71 zfhoW`QzulObkOl&m@lIf1kKC5`u02FCx+VCjqUUFMrH?eBa)73kzI1y`v)Ll{g)a-2giA1X|2SLi6pLZwB`%;Hin0YCFl5g({pKne5!FpBt+L+vQ=v1D9P zL6=#-Q2&%FIHvRO(B-^)5%`SXFv`}q*8YS{@aa`wN``#fP3&uvy`Wy@djk2q$`XuN z%`wvJPYYh-=4~LUtzV}??KBc4H7?VuWi`m5OGs+oa9`=y&!w7^Q9(s9L+$w)SK5M% zu;XZ-7cBlYE`Cflh%&*OGfG#+tHF|AW&| z_4)o(vRX>1Lk2W1TFQK=&$q-4hO3n&#aP9BA}2y#VzHWoBgMM?rzoBLVe0!6$EtR4 zS1VI1vD{NWdO`QZsGBEaAjpfl`TJsmj1c3#-JPXl>#2yUiv`_%6I| zS&X3m-W}f38YEly!`YxWkmF5tj|CgUjR4+_=kSU(kA+!46xnP&NCi5)^7b~rWLjLk zfW0GkXD0~rB7YhNf7$HNA+hRF{2bi*b?K;?{toV`C}5y%y1q=f3tk#JX-1 z_mLpDUSk=0Qd&Id2ERU>XpEAzU>p67;h^y#9S9lX_)&S~^s9LX*`@r|!8C8CsR`L- zmAv#&aPbrL=fumBKAiV*E8VPG2Lyh*tXeW;%5p9YM~}-(+s?;)#-w*!L0oiwz1V(H zp@E&iTSXQN{-HduF5Ock47M5OWsSWBnfBVdA6;GwE#51Qf$S*W2=*Q)Gp@&TOFm0! 
zX#~bkePSug1!H;zJXbkj^gXnGmyR>9~LfF@|jTN%2toXJnya3bLz(ccnAL zf#fvAVHYY~;%C|$q%~3NA&PJU-)#iTx}S%CsIm>>0{hKXDzoFg2||~1XZh%S$@0Mj zmy7$^tgack?ZPArox3KrqGqy}Jr)ee_wzAzFebg4P8t#;e&2#{>G?N@h;{UD-u}XLAZ(wnr^V0 z5Q}(yYM()|l*o?v#HDj5y`FJtaRskQ5P{S1Pfq9{&qXnezIZzcuvubUA|jmlwy~mi zWswlRgGX{6dj@l9s7tV9pP9PjX7|*4$hv|mI3WsGTP~p1HL&rJd2S>1P@i(yDWc@8BMHS9dNyivD7EW@-Lr5pVYzhdJrrDHZ1 zFB-AxzW%X^A0A*UZ&+dyNv<`4@dT8rLRJ^1UW| z{|wx5HR@zFC}hvyt!yxb3^{wGFP!bSv8`U&O8hHrnWRa&35OM@=0ho5;Np8=5;MzB z7Lwd)TMG>L*m#==IsJHt$PsV?C14bukZE*FrXGI6}IM6NKy)6E05|ne5 zQFB@FmBLV-G`Jsoa8vx1A+qJo^c= z9$59mm96|R;O-_q73e04+j-@kPF2<^RmZ$LdEUw9Il*VeqsA<+=E_z^L; z5}h4euG{jrCf}+mSRet64y%nW-v9Q7oZQOi|9fMc9{v?({%5?g^h`&E>b^NL+qt}^ zvHfp3Ucg%ow7Xs^rKiz*g-8+Am$MIb0IFu0dv;UtHH_M;!i|nafqW322_;H+?9ng??l5L?phvi7nP~Udu-Ins;D~>D$ zM~>s2jGyryD<369F?^!GIlAxZiTlkwowM+md8&cXTkz7=wNC?1Bk&bkoeG;lB6vNW z5CvQD=M69nXw8-8_ZVT!dIb62{q|Z<>3W#9YrZ!+a06W|j_xTe+ zaFSFO(WuxSL~(P@WHpNwmV-3S-&vnl)67$(4D(6X>q*;7B7imeWvF^p&it# zIu+S;n03Rsh>}=+@nf5@JweMlFyo^mhR0^2pulg)!*TfZ6gb+GE~lY*F}LGGb-(%S zDLrh&cq+U2$IfsZbP(#cU&*kpvV}xG$`fn&0W-UIuu*+kYM+k(R^gvn1DNKP!l~A- zMdQcWxmWOiewUS%V|w~JAn^owV*ow{~u{-iB8 zNr8OhRjj&?QT22VMltJ4fpsf&R0QGvyf%Gn2~p)EmVeM)ONPd!&1$qq2|Q=+>Y9m_ zV-__vxGgrJw+7ib`r?AYr$?8b6@rW%=%EiU(SZErsRF0OFdFan!x9jGX#aDTTtZ-~ z_Hln`nM|Qx7}4P4xFD)Sw>#2`Z(2g5p(?7h2nL({pQ*WA~^#V__|NfjX#CHec1456i8gS z%V3plhhpWgZD>bto~81qBk9eN+K}*vWmiNco}rO<^&et>7`a(zT+F|PzlCF&#mC>m zpJN&k@cyg&;NjjjP-M~N(eSa(i-)0-dCWgw)A($Nv3ShCA-dblS51-o%*^{RTLa6# zGsjGDxANeWBtc0>a+s zgrtDz;c8Ep&WsH%TXg)Z8{|2jy;4}-u+p@KA$;#Va4+KWI*z~UYqdF3co002ma$z- z*AJ{Al7!*U`Y!lrBCVvIM6eC|d=c0t6#b#EcZoKGmG$%3*pMJAqo(}CZ>CUm%L_iT%E2ky zr%~7=WxZ<<6ZCHvp@bgkp*2AiV-tL+?=7MjPyd~^UyzxiBnOA!bbH5w=low$OUXCa zRc3gkZY3_G$!n@Z~3kME(vNxw;-ouFWB4^Jxod|72&lsg$Iw(ts8 zeX`YZYQlRpckFaHL}n?8rF*Q_STCr80kGDQP?ko_Y_a(44UiG`NOUz8)02b()ISsgxPTuaOwJ_%qR-7!fVHP zkO2Rs#2%k;$UbAKLo0wIX8Uy28(Em}x39cyTdVKC1q$dhO6RlhqkSD_bA(SMw|cOb z&sn+bEEw*9fLhnIen<2k5ovdE!Sl5wa3quHt0c(0p9``J-h;3-02me#%zT<)^VW&x 
zHOJ1Do@U~1pGe4isLHEoM#jM(V&K0c@z0%_5Lrq6yW|9Y17t^U;}UTL4DP)OwACoxrMZEC7yrKW zxBcs3?~Re2)G%MUV?|zP@5kpnklb_qL+s~KB^bLe>FnL~GQg35LdCT-e1(>km4XAK zgYz}j*?&Idn5^*ezMg}?6qc~Bq||C4KjnKn=eaOFeMf6E9S1?o;PAoRzrK>@`tLN8 ze!}(tO5*?Gb?rw&d!XN2-6s8GN6k(WwbAhqWlvH>^VqrYgR{~1agBJt-zt3EMm>yf z9O^?L4*sNoRO1^_x(bIL8B*v_jvPN~6NQz|NTx^pgl0L7s5l1cjUGtKz(A?Ybjqh!!`9zn(s z0qUW?_;u0%yjk##_5zA_&eZ7|j#s&CNkAS}tq=QKr7J!b8o`h~6x{3pop+Z0Qsd&C zZti`!21E)D{*W5vt1+#2Unc2j}hXI+Fq3KMa`dni} zj%T)?%7<{E?Ho~XGd{wmtViUn>OFf!Z&44Njc-4qdSQf$aRY;Jcffr^^20 z{t8?en-NESbH(q-L_$Vt?E>tjoskq2ucvnxerN3-ch-Pnl1&VY%z@T!`*~OY5k|-Y z8~lfs8QLB^{EE>?D%%QgQU)-IGLnkY0iY``%}ibs^84Yzy|pIyvrWVnwhyt;FUmOq zrCvXpHN(zFYiF64MmxE0ctkx`Aw@w9{?^{*qsngOEW$lxcjW=IoQJ|%p;u6B@xph3+wIQ zTA#aIbQ8KBY2N&&N{>xE-MjXm9ntbv0QWK(NBg^%i|zJC+!|>d~ywO4B zl{cb&+=A_FH|8(J9)?ud5VfEbE=eS}M7JggCOq-?zm6|7o(ID%(fg>i+tvTIWFu>U zKKTEmzN}C6*!msqy!Qi8ZbWC&Iqa)5CG)=j#5>Uvp}^SV;bn&Y7$s;HtJtfoBOZB2 zQgr?$RPR~E(_npQS?&(|`%Z2NHL`Pi0|hb#yX=kpzqc=5MR(@Tqe^wf{WiliZm@vJ zpijf=2B=DYPY)(UVRb$b^E$tOkfLxNqD-%N86xuFiH+6nxJ&WT12O7y))uS-PCPXjfrqpT6dOQ@#Y%|=W z-%qin@<>&IxVFl8KwCK8aSB5jS8;u96(AJX!fuX%A9MUyxl$p3t( zFHB}jPwM^lX%A)MAmQcOdt%x|163XIG7R#u@Jwg~eA3-N=X%@c!|kGs#|?^R9za%1 z2MBJK-bQ~E$1n@mxN4%ot!C@=f7f05$FrqOpdW~w{8hNHY^RhtsS29VQjlb<&9nH~EGOk?~Nr*D+%72z4c@ChPRnR7(c6Hg&P3{tThDn}!1DXXT4sAC>20 z-Z1*g*B|CfST(b_mO2i+fA(^%j4Ij(!zG$Kf zS2Z3(bq<08{a-IC4TdDw_Fe_Tb;1bZ>wy3OqzouLa^ICZuQjh(HQ~(&#GWmBkEytP z8H>Rs?EM+V2M)5|Mlw3KYnZ$GzmL^{V z3sqVCGjUbmwN4hMW2*UoLhfk&4z?-7S_TlL#+rOy1Yn7V&&g5QQJ zaluZ-6q@|aR1|sKe2jx65K3kCVivjZF9an^8JNR-rJ{zB&1+k zr$`i^6I5Q1oV0an$Hul`0f`)dz9o>I3cRk@t%dPOaHYz{(NGsf!*Ac!i-BVz<1sN4 zKX>{G?~GTr#O~qy(?vqstcT988Xcs$+RJq@8dnPBuX}e0UHy%ES!m6)r?YA4; zyJnvT4|y25yFHp2aLb4Ls%T1C!_aWsgmG<6ERLk-GZe+){h%5onQjCbH@9}_GLmhF z3*k1zTio1F7^dS5!x{fmH)pO}*xq~9{gqk_6UX2%incbAvUgL}1BRzJa*&KDooNEK z>@b?`aZEPwU(8|g5!Cb+6O>R@dUFq{;UV8$FY-NquCQ;kM2yjp4Mkz)+z!T;c1u*i zKly}AgWr;k2|q6{GP)}LatS~~5Z9etTRNW5yCG0bU;i*HeJ|5_p|VI1itq-c5<7$on0sbiuW5e=m+t|;{oQVNg{b1*MjL`PfG9X`Q^}aF80aQx?QVb 
zW07-1d5I!m&nT$&#jcxB>wSv5%b$$zXD2eYqYrxd1QHww3O5j=c3ZSIl?V+mG_1Gp}J20iVE&M_(yT#yjlQSzX z`tEi9AGu9))4)OCubVrd3#}gef&G{8Ussy`9+Oe`$JuCL4ru$`OwXh_f(Ci$P=vr#>TZVZ4k)zgByMAz z`xdfak}q6Z@-wHM(uUd#VGW#50!f$j!Q_p|bp_#_s!0gv{!_^=&Ez%hg>8 z2bUlH^Bs^T>(Si<6)q(1{fBR$IWENOL;pMK@Bf+sB-{U!r2MycKDuE|9rXkfKi1z8 zPkq_>0M(14@!u3pX)|7|@bga!J{ZO{h6*Dfxt zMXa26g!)bTP$Ijm7YxLFmDX^-6}DzaW+B^%Q)RK>xXtAOlZ@=jk#*M|<@U)LgI#ex zMu>V8mCv+9N$l>G!e`G)lqNuV=!#eNG3_Z$ef&x3`?<^+8-*aU6uFy_^$oWc3u9Mt(Zc6A-;r-2cQa6K^p6*uI&LHRIKj#ui+0>i z)USkHal*gWXZj56vI9}En9pV+z5v3yt%Ykb^~Z@~gJw@%Z0o3aB;}EoSfniOwN=07 zE_Sn~g>3Da+PYyL^G1B>yQUA%Y8{ocB5 zvXN=*D==C)MGJAce~5HAM-edDi(@h`!4I3#YtoE8q2f$=oMiSTk7Ni*a4K`b16vE9 z$m%9&PP&wz34#Z6t`uKIUwbbf!-PEZu5SXvf~)bgZ4gY=hO7qSnDy>(auGL=MDJ9e zKXMD~p{LT9YAkMW;|JNc=FmD0-P8;Pd0vUf?N}fVP(%l=P}cZxO)0CkWqK0ihLD9M z^y_kRxV@8;+W0Xl78C<1EC~PQ2n3i6Udqu_HAXoc>pQ%ZmUN#rZ1iT zv02nKtsm{^NZcI&S%ibW{q%k2DSmORm4d+@U2^Y>rNV>$ocT1{Bj)k~gDhmOmeuts zH0tJQZL{67y!FUs(4mc2Zvnl_0X5dy^}`N)kd(!38OcMMoQ7m9d50!n7b{`th-J|y z+`>_Pb#&3PRaad^AyR9>X2OSn*C1^UF#KjRqDAE)!>qnX+tS_?gQFcX$WNoXL{qsA zP{9#C&YdkgC3|w`zQ5}Vpza%fv?ve72`e(pMJ6#y$gBg6)v|R7cT!*qdycPg<%^hwLPA?(U^#0$s&= zQ&^zuzNbej%}xoO*WV~gGJtI7ID9kbDdM$WHV0%-a7;N zUnNQ2!Oz|-EMm<)yES}7+6*>5f3M?y#Y2y*XtA8GrH=Qw2DbOSr#2(OI_hj3$XD9)W^BGBBz%BJ7dDQEr>5s%_j+(85YA}7-AEcbU*__AKozPNBqSIjwqXbXyI4mxW`~avZp)`CSl3D+U};%PBtK1 z>N!oV2$DFb+=*s~uWcdUoTTAp;f#gcS)b@NN z%c#io+peH-GtmF$ZX?zQG+Y8uJE|9GOLN>TzQX0ANqho(p(&2_+PPZ!w9qJYp~d2- zXsch;(r-JG4^Joh!%}dqCGUoowq)by{dQVeYV5$vxaK~0`ziCetNlR!)&1l$-V2xH(qJ7%={h`RhHL@!NAH2Sr{rbtq3aEN&bG&XEE7Z~dA}Sd@ zrX2rJyS^9o`=#CXm&HWJ&1>vlUlmEjum$YEOeIWS|KmY>$FI@AtEmr8?Gck?6Ne6L zU~@{a`Sq*>3W zrz1DwHV~vQ1L8IWqCqw4G2FWElU|9)_ln-<`^y3sU@yAS5%)`LHaaIOB7)bJx;qp~ z_bS7ppC5UNN}GzW@+1J+X={AF$zOnipWcXZj%37o*9|LjR}9B0H{WCf^tU;7 zxDPzp+*FBzhQO_N5doYf`90ou82_f=em04%t!Kc#f4G){61JCb_ex}AoeM*NRzB~_ z7+bwh>``9udKug@&TZEF(#LxlFYM!ht;&X(Pj{4$lnp|a8CvA9>dPRMGC~PWzG;_WrxMaNA*os870$tADuXh{)h0H$>l-Ai@Jo&f%{WnPJ zrmh_$=82?q;Pm`I2<4@BCbs{kXw+-bL|H)dX1-V 
z`mDoyHn86};~%6|mxmy3LDTkk5y&^wI6Zf7!ww)@CxBAW0(NRf1J8GW0*li$!Yus6 ze%h+)8l9fhZ!y#t5Ph~MVF|3v95C?m4c`#4(H;r(5HjYJKvxf(+Afcjce@N|MWX=vqo6!2(i@oCThv_*t}&LSqBAFF(Q*Q2fW z?TVrdqt$Wd9W_I|0up&yoyg+BmD_Es@3F+`#puYYf74YvV|}6Ikn4`d(F2* zyS&<+Cy*jgge@up(cX z8OutA?Tw;YY(Z{*-xo{6Y%N82<6Io{6O1 zb;js{xApw$w{2YllsXME#&SQ=(22T*0#A=ED2C=YU1lpGSJMX`v97Fb+O9I>30i2$ zcNWLuSBWs0e(LykBw^UH}$mMRJ@c+DOHf_Di9Imj7ATjOQ9E0cWc|%U* z+8y7J_P@CQ+{FyB1z5!0r{Vec>z7+@Q57IVoH5uC@OZ~7p_M<}iCEl8BKH2fMU_7E z%^KG4_I%Fb|3}kV#x?c+eOv`aK}tkG1`|b45J7s>L|RH3q+7bXB}R95h#=j~DCtJJ zMmLOx!PxHe`@dfI!#&yAIs2aL`o{b7xjYVQfwQ<+2G-GcSBTyyFm_T&o<+N;ms9I`G6^G6i1=zOwZYQx;(?wHm z+ZpxFhx0Px&7P>!e{%d*&4+akAT`nTo(Q}{{+-Pv-Q@;zl)ra8ok$Sx@_qbaO-}4t z7FNLdVD?w)P_(fBqYzF{i>iksbaVC>Q);HS*^*swZIdmMey8ee8l+h*=_Qux9mIf- zQtifkT5Yy9_%7(t|H4J^zn7FQ_s42ypw_a5Bl!wCiA7|Dx7ccdrEWHNX}EqV<|`)e z#MCHjo3W*_W8LR8Wjhi3jr8H&q8CGa9=D!!!f2n#PrdyMN#!WFt{$kxa;zEx z!$yrjx^+qDS#HhUCe%Y$ZnV_?7bjeY6`HIWB4$6~`a*Kx^H!7L)N^6P=H{l9KiqUA z9R;X-hEusLx_-hx(c^mg0QckbS0?e1I{Ysa-aiyL>5` z_RL+d|5IR9>KvQLULJv zmg7#V`lTSU=$YydcEB6pfg#xT#UXm!f-fK5a@j*|6M!IKjA(#H3f=4+7lS>I{jSA7 zHf}tdV|Ut{{GG;G+se@6#_oQ;V-5?w@FYM^b00g~9@fr?Z=-*L`*=hdKdqH%H)F2X zqo}!yS}*6N|Gruu*aq3N+Y{|FuYo>vf8w#hM z<0Wnmywb4)z?^4&WA67k>V%rjyF}9Ch=T;F+pu=~Zl~b7u6e`HYHc!w`jtTsa7^+>g)Z1}Ot=n3MYaO06y@Xe$mvqe%#1m+sY~oTvl|dT~Dvk(T@rE#2jl!~!*fjB**E>*AW zTwdKZ%}iu9p6sT;TMiQ(M$dVk4R;Am0*jEMvu~VA-TBVANL@Gx^6Vr$SnhgfJu2Gh zU!g+Yep#E)-8WtL-TW4TtMtxv^fnZW0(e#Z({&}1x*&>6Af|WHbz5s49?yhTRaJ$M zF?QBE_tLmLcRYB<4kMyz($Bluh?DWVW$9zFr@N zXLt4N>p)$Wu3kk_NC+Bl%}~F>_8CU?E-ch8n9rp;QFCKh+ccQ&F9CmgLWSKK8Z+Mv zp1eY7AU9_Et5jdYJPP9nJ+}T^A>W);you!O@N7PW!!F<9Z6a=0cr{eMW_p<6^g!2Q z2gTs_L}H(z^^0443PN|DH;?+j4M+?xNCE=$F510TE4dTne6l?zj`hBppylmr+ld|2 z@m_DG(DjPjccA$%DX6ohQxYrADeT~fm1HAlS33N0$~z?w3-jBhsLo3v3>srRLvE*g z`AIrVn(*tju-~$&dxN5{cQiMm;Ge3qk#(B%#HbPRvHCNZjGpAJuOQ!w37~#iUj{=| zF3wAA4M#IX4bhLQk(3L&+1%hA$8dYfO&QROzRbJ>*dx2i9t5Lk5PPMJb4sB2$? 
z`?Gyiqi3H$1HghD(tJB)fkMFx9v6G$uB@^B2Phm?Nj=z-^MWiMiRDce7LDiANlu^T z1aKC3ms&MH6x^fu>0cFnUKTRg2>wg}{xCzKW!n)*p+i}FRxEKvi%F{s1Xf4?q0Y|S z2rjt<$VNp8XzuX{Afb=Z5;ypA*n2CgLgJ$kV?@49X1rP2bSAVQ+#2UIODfTSp$&`h zNl}JVa1#x#gi*6$r2d(PjhnBYPAQCy4%aW!@gTFjg&c4;kgZ7X+=#cEQ0w+()}%UjS-Xim3W9)eWG#~$_N2p?SATg8wKo8hnHh$(KyP||Z_BYXJaTH(#p?#ABL`!Y(7#LzZ z_L+aDS(e&Z24R}zm1{WTzga1tC6o*PC9e(8-9LVu^cQ5ky2WKs_IgefUIc{C=L6I` zp94t4L6!8TYqc_tRi2Ff54eJBY?2Vm88-Ht3C_U1mkSqJn0SWjj!!9s{Cctb$QdJU z&+Ap#amuPg`RKdqj$w)~?$dz66(&WLwL`9^)7bsOJQmriz}P4i<*}JS$l|g2ciw7_ z2rsx_z#HxQ>u;^~)b}2r(|*P@K`2H&mYh~b$=y1S&GXt8l^C%LhREbeAY7+Z)QlHc z6ROjlrZvV~2NPKm%hloi3~8V5T3wE4W=#Q+dv8hK=pezh%?R(=(?OmMT)Akc{pk?3 zCpxBcr@N+E{a0Z||578#64*A~IbDx2DQy-I1*bT|CySST6_=Gk2SQ65;#4s zvPpXA+|!5}6Cw6FAD6f!6+G>G!wSF7Jp_GCfCTuv@0ZqFH>?IRW2|Z7br3tC*Y`tv z{w702%@@8=Mn$hqT(Kd`d2JGMt{z4NF;6mnjiG<9qC2_){>|cV@3mX+fwiaMrj7O) z#mRJd%oS)Z%5y#k} zs_S@nQY(7PV~1$s-j-==oUWS1hrIzYvtibVs>9ebM50e{5+uH0pPSQS`RNhb*ON!6 zJw!^Q@z*IuDH_uZ#%4I8-+XKw%7WB<>V;x8Iq9!!zu$RYt(Qv=_&h_^FS-}>gXZtu z5rb;71d2aaui-pc*FEtHjHG=W3GNDZOA-0AAri6oJ;l%4b|p-$jEl7v;cg)*bj*rZ z@Df@#q>WyhP_ZbU!qykh0D9ry-|yCK&y6$of$yGkBZtzUAHc#|09Sfu5?Yi!@g_DbA3R@$WNK3*T|dv@yd zUnztk&uM#8IL#D)#3GB>sksSFxB&|yIzK^LUlk{VHwG_gxAglACN87}|dZpx_ z|Baoc&dGhj^4);n8rPz&OO@9l*ogdm-+Zcw{5ilnFs{kF+KFO+#2X_Yu?DA$G?>pW zG&>%JN0?^1{bp*}<@GqIgxxWL_Sm5ch2QGhOPNo@_{fdbe~ph>6lDArPsmZDEqf1& zPk6qK!JhPjqsZS>aHMXNJM9^{2+srk8|$Xs-@mpgT4dj~Q%W+3#q@l}3P9SLZaH9+ ze&>5{YjuWS@aDXQuTN{*5W2@YD}2HS48Ov>B7>nL>2G*J8i=ySt<)7^a`NwPn%^|Bs|<^k45V)93H%OK~nl;Uge> zWY&q#V`}2Ts}KHL`P$l_sXrSq^g(suNuz>EE2KDVFy7B;?3uWF!prd zeX9MJb$h-=G}`0yhy%8RKY38(;)(Q$; zT2^R2xrv?SNF%T`1G*1;=^}&>2T44y-tTok{FaFo2`qq#HPOMpHXk43J*RYEGmo7V z)A_((4}=jw!5sHp0>r#?`%m6@l<@J5cxJSg^5ud}+Ylm<#Edh!aV?bj8y~SMhEo_} z%SyLHeKJ0)w3e5!q=hhs$?82j_v+fACON+Y63Gz^JLP$Vul04nhF%ORX7z{uodl*^ z@M;kU@1DDK3u-!THF3Sq+c!fwJZUg^Oz zJ(9n&Q+ZKBOqat{946s3{4c&7wPC#%)Q^coYs*R+?Bse~UcgVurnRga4}0H4$iyVo z%zr7m+<9D#B7%zJ(Gx;81Rjvs^R9rtls&UNxpr*+$)rU=3|-5VAbDVweZI-Ug9yKm 
z*Yx(`=nb{CWL`7~ci;aVC=!GY`SZ@lfcp`gch0+q$}~A5_(?R^%MAkmr46O2(UP2DKD;W%*^dync?G`i^DIr+@z6B=M&gxcgV`Z?I!sORl75WMPX2 zJeG?`;+W`#2mwqvg;KvnYc{#Xf14hKj%UiB_ci0aP@i2UTvoMWFz3YQhMI#{n={9G zvT0eZwIo&l@|sxa+}2XGfQO1$wXY52+(7YfC9Xxg{t%jZ9ymVA(De6;i2vvZj97=` zW=qq$wd+LXMJd|g5*_)lOvUzZep11V&ucej);3CLXy6yEutXNwia^1-BSB~N>m_1W zR)Kf$k7E_1j!WW3-kfIhbwy%7wO>qH{qS0n?XDYHT~W9ga@jEhH@i{RY(g)F&Srgp z6JBVrWaTJ=6!EjfGWHuVwuk@tQDARWJ@lnd&rnv>fDq!hW_<-lAM9)G=3~5JYS$q_ zGwzyBOkwu!LnN2_Hi;+YYPJn;dY3T5KJ?MnS4P~g7KT~)H<8^p$Z>=>dEFOCmi|xz z%d>Mrl$aP7@r`(iBcVSW@G7GB2#Lqi_S@M2~xl55Lm`KLufvKEnhVuvkd}%{3yq#nP$v;&#a(x z7Oy-!QcC_Y)u+xG?XKDT3LOVP>#_C%hhSx+KQ1RrgjjG=XO93M|G`H*!y58_7>%=f z18^wXX1vmC&VG5tIFJsA%EUGn!TY@jl)RDAyfgGj=2SI#LvBLqNIiv+S*`3jiki2- zmQyLGY+kC2o%)MxsiFzDUaSWP4uUnEkG((R+p~KzXt-1vfNGMS&7;X0?HLkD*QK=8!{D-0PVdKmI1%ET9+rTW*4OPDYjAMHkl!zew79PO zY7*krVuSD|W0YGoFD?aHL{PHn-4kLy-rXy)SsFkv%f6?N-iz^HSyc0moc4KE@Y3XQ z(T^|CcN;&FNd6)sD$m)LCtfX4zaSr-*!y zt6y@~T=`6Ln3FEzB{GuJ-oJx8IMAWQ+?>K~&-*SOkMk@mMTGvIfJjEz8Ia=)1`WDy zu)`kYZydfF8?Z074|dA9}CQEc^ahu3&!!n+1I7!>0TwnzATq`F0_z3=3Mpb{s%Q=PD zsZP*4AObmIqejk+xmmcp2D=s2L=kah3AyA@VgIqVlyvqi)Wy(i_lZ$*X|dONU%sp$ zUJm3vA?53QS@|aTKvjReKFxZABf=Y=EGXYObn=3nJM%lX4|JL?Vl8mpz?e0zzmB)& zLc_hR+u5W4N8r|m;)C-Yk4l%g&eOX-iTb5n8lj!zyr@s7t6Pn>llim4bC`7XTOt}g zDbK68s`jhmt{xXB!_@`r`~T<+R$ZonY?tV2JI%TX_&Sp*{q?WcnqcqHiW3_5%V)*8 z0TIM^`)&k@SmELhmI7|*3<9isekBsTeWw46m|ul-=4m%+B9 zb7#dz)3c9_iMsQilSCgdwO>H#us}0LnfNj?Z^CyOb5Gt%-G}7uH}1nhQBU7ZKvy7Nuf!7ceH%Oeg^uOxStUtmhLDTGU}9R) z8v2%)d%f3wQW7etKbpyZ$-b_8c{jR-;=KsZVP64Ky4}>3`P$~YOdo?7PoNciHE$ZN z)mDdG#sToMEZG)vV%CFMivo(DuuEgObkLstSA5y&gY2DZ7n^0v+#up|d1m!I!n1VR#)?0AtMGW8aH#cwN+7hjF zL0Az^W=?0&cU7X_ni>=gGRYM>-M&y}3$0f>9($92?AK`@-y~Mg;CgNInBxv6A-)zT zvNzYnhjgn7Ba{kEc;zTxY|@hIgvwm12_v-YNtro7Y88(<nG(frO?oqPx5Mwe4bqUCL8RXK_?Z z3mR>`)I?+3eqXcR#-`;%zAE>Xtv2an$)_H`W;M3j!+S`~xARK-AGrqmaHY1k|AjNZ zVHf2lHJAB^wiU94AExjL+uolUHDO-@B`xbSuCv%;GX*_vJe9jXlH3Kmkur#Bq3GGb z3nyGoUqbTbGNP9iw&Or4gt`4EfY}!EEgx@=6b7}OHK>r~eX|Sn+7S2F&ZoL$@_KTl 
z%Fg{YjJRJ{3vUryHglzJe0wEIZX(bRtVsMQ@6|pkw$H}goMOEct$%JW7Z&0`+j`P> zho3Q7jwT}QSwd%)ZfXKDl5~pC^eHoZ@xxa9==r9`iNm~H-dS>Ktz?Cu_5xq)1k|V16w}Rkf zvM18JNZ z#xuMn>w^r~Q;4j|LOR63D9m1N{m21EGwspHN^()}Fk0*XJAOV=Sz5n5FUR;L zcRADJh>Eu@wD6}CGBz(1s-X4hNSWz#G7F944 z*C?v0D>W3W&b7mACE^PWuMz5p9t7vT-N18WTd-VTu5#C3FGG9Ky3QU#ehm(!)OV%i zboONEwX>V!<%kkH`?7rS^a2T;KH~?pwct!Tp5m>R|FSN~P(VbpAT^1kwM1izZnG8Q zZoU8CaNlO7Be4C~*c6b?d;U}36+g;e4cNiUq~kn!pAMeJ>M7E+t8(BQZqvKfJR3PEtutpGUHS*V z=}C-ws5OoETr=*zd2`PY z1*0Cp-sI-)<(6ih4L09ijh^Tj7*#m8h%IY9Fro(>ZU;(XbtW{IEvPzvBd^1?pVsq<5jb5=nZ#=cMA1pW9y^!*kTrl8Kq)7T() z&U6Ky+gfbX(9bDSwH>8q$>!YJq|+=>By+#(W6i}Ik#32@F$al^!ND`;u$i9|v5I`K zA}1p9aI@?Yx`gBVWVZX$&(0&RjTgQ6ie%*`vTYbi&RL4-f5K~RL^6h*$F7L@cBmQD zZpjc{SK40S_mR;8>fa0GN`-c)xdKJKhkwE|W^-UP_=bt5=I8%?xVr*!(KqSeJZl`K zLs3A=LJ3=ZNzPkwciBUAkK^_Ccl}?@f5Kt8>RE6D+@U-vKcL5@22V*$tE;g(zgqN& z$`cTjE6B}7F!@N&UMx;NNq9z2clem8-r<*cIOY2Vg;TkpN?^)(n;~*kM#JZvETA!! zp?SOhUHLl)tmR^QR>-Y2(gC^TVT$^!{P1Zq1x|+cw`A!@B!4nRU^GF!0twHJ86Xc3 z22zYD)tsTAUfKkLmeh?a=qnhyGmQ0D)&`qM8tknWO%(K~VTheNaZuBoub-Iz{9D|d zZcE>0l`iS_Lxjn-p6M;x0j`uv8EM9K1Q@jc`fEHy{IyO+ig_U zIj3=G*Rhmb!<+f)V^)vs%R!I`>!%dSRc}4Tx^ba4IU$sh&5uX>`J5a)ytVr|oIS5^8_23<3ixboAv=S&AI@VcH0Ie6%< zv$8CmrO)OeG3fornG%h;$vJTh6l~7{bL@I@)fz06cq_6|URZGwqLk@&GS#IV__}ug z$b-(Z1z(QzI*#aq`?aM2W-*Lo`{TSag7Tmlp~r!FIHzY+&c?~MBXdB9@Ic8d$xpUv&1v^N7jDJjxC~XU^$h;ULp1VprPVj`{_37bL>>lT)W1BBN4fKi)Lw*kV9l{QRtYtW{}@R1%Y;%d>XVCfb) zSF_6iB;<`r+!j;#{K&;#LTU-^h7hH;_zJsZJ5mFz{@gZFHvK1S*&z2q@OMBQ#mC`O z)^PcVie=vQb0yOAe9p=Ri{l=5Kg(hH;h4y4OVB7%f);QKdFnKv{&cE1?qtovX8RhY zqBfE&S)2WNIIr*uw047(O1#i8C3=rK=5(BM*3Mu;K&^IG3jSY!j&Mp(4x|9(}`-7N@Ud8Q8CX_E%I$EO@9*K zL{q-2K}BT$4aa4f2hI)3yrXK1W%6{k_-Z5j9NGj!~FJ?>p;EfS8UF0Qx?m;m^3NtGMp!FQ3lIADzpRqOK~m-LL%zd18cAv<$~eTm z43TH&EW_=?JpcsK*La1w1<&#uHaGN=2_p)CW}pVIpw@n}jyC49zRfK&IbImSMgxp3 zr*U7crrd|{I7^4H6;{1HJuHb-ZnrKTTzvcFCg|btxB}vLHxKBMBwUIdO!JOeO-n$0 zdJJg&_r563txIrDFK!7Ulw2oqSX~nf{(!lOf^ZN!E%e+>LDQalyn-&85D)uCW{%xcKt;Z z+U2#=!~E&ZLOSV03|{&&ytHaxeKDO!pk 
zdj7md5T#d?%lgP=R*pDgvz?&tlUP06*T@iD3#s# zD^&FJ{{Em8W2VuFyPL->WFrxn{E5U)Qu9*L0MDK#o~S~kv5kI&4hDc+laK(WA%GzG z{+2es@RCb4Fj_AJ75dqXl*eFFG@ro_{8WU%mih>tF-ByiuIO&8h}|>)$nJz(6xlY_;YL`^2 z3Cj@8#Dde4*zIQ&-+TQGMS8G6;n}}6vCUXA4xC5TN17QmKdMtPw1c-~7YRKv%5p2q zElRQ8CzJ`eV7GGrr@!9xdn}&n_^H$0qK1$vBV4)M$ByXFcCQL_AQPZeRD$4c3*2Xk zC7k?GK6l!vY~kA@)*Cw(f9u%>W^B+}WiI%y!2$xgUAxw7in%#HgaNxIFl`oxej_8fP!M zMv8H+=d&-zch)M)J_!d#FrNEQGTRwnaO$r&x_jGo=z?2mCF!vgcI#}7{oE{mxyigf>ekh5qmYlE0r}KWsPKVk0rpf-^AYi=;B;13lz@0o z`HWlb1MgN>F?Hx;-u7Y^o+V`>rMGiCUmWh=Egp2^Nz(BLi`b0}U6cdEtuu;`_j7%C z6Gfqg3>0HNqdNS%o~b&ob?Y;f)_VgLoi!Vecp8;EKK*u5FN*&&b-iLJ-)P}FBy5t9 zCQy_i!drNJwQo#Blj(?V$d=C#B=#fddm4l&GmHDJ=r5-ObTAIt%Dl(|F|k8n&Xj-S zPl$p-g^RNO^E<`F%lPK_+@)zrfg_;9XUxqbIj&Mt|G}BrKi#_yAOYDnmEY#dh{(@N zm0EFx5j`T&k8h4<74j8-Ke?H9$@7bR)sqX$M#`3AOe*ZUwi3(>*L$PN?Z)cKL|#i@ ztEfDaD4z+*w&4-tlNzgEuixLzMp9P2)(Z)W(Z-N()J@@fy-A>7ln^ABpv}+B_;xWu z51}H7VznQ;>_>t^=cd&;>W-bCKIv3AVch|pE*z2dSoh92KWJCjNc_>T`Y5YZ*QafD zh)yy%(m|4)I#$NM)UP_|=69SC08ahKl?_N8@vaU9{fg6Kr&dmkUEk_$H_*AGcS)CF zY)quOl=l0N{>pDN;_k=k*^iS`&1m}WnnK9kl#~Fi?qK!^d=0avrY!$UC&#%!YTOcH z;%)9x)7hYWcuTq}(Bw(?HGZiWJRSAD#wat1-Mvk(GcizU&gO~$%#N*n7 z9`XFFyJl-b2an6=TdzD-s?*iT=eJ!O1zja6RxRy{=}S^q!hCr{@=sawoJ69aW2dsb zSoE2(cPQDQ7O0E3c=fEfP$|Z;Bi!5%3z&W3Df?k1Vzq#UiWl~mg@vWVcDWySdW5cf zRd>tfpvuzsQXJe;bFGZhNh*n__2&i48w|BE>n>z0Uzl-t^=@K6h(QAO* ztvFH9;d{=+vajxnxGL`Kp$Uip>j$*Axaz#NT;%bg|I!BT?78TPf@XchX}&&X#yQ)b zPYcC6XeCaS_pH?mq2OK?&%L&~3l|knfpgg%G5rNi<4th!=}1F~nU0A2E)RrAPwt;Gt>FwwAR&6- z_sPFQyN6SmZ9LEXZMR{l~*Df60o$w@f{JMc04pndDnU3lj z#99&ou2jC>*6@o+Q4a$aF#MAlHZBB%M|A2=RBD$bTwjt-cKc(3;yzHRwYK5A&A@i~ zV4y$CTRIO+Mzo`Yl_K*uiuT3JzpI(8;f%$6MBmj(c=|S-(ppD>`CyF1LQIodPX>{B z86pI2w>nIJGwp9u%(g~>fpe_5{G*&~mjN)RgSLNCFM5J0gQ zGb(*xCTw+#${NYwhw1*bk=jU0q?J-~o@U(NeVy$GdpaHejcof{yDD6VQN6Fp?DS zx04#*75Y!`zZHB3Xd&KPCn*G`jL<0p3qjuns7jOMc7aIk`j*&3Q}v;A%=KmEOH#FI zeiW?9${zIQaLPr9gr5|DW~aig{&#c}(%rk|z+ZL2UPVljH@6!+aev(!WcS*#rNHxV zur&7L4C^6CaXqEYGGX%RnEtvs7_bvjv^;F7u(N44FATvqVfS`Sh#sBtqWO6v{4??# 
zBUQ8gNq;@jTSf!2v^zacNOw7^g}n_n9t&Z4j~zb}FKf!$E2F&h@Hm{*EWn&UM=>u3 zkrn-pM)Cgf3b^MM(x!^t)6Jf$UaGMBrJpdr`)yem1=scI3R$_A* zfHBka`}J*tv@g-1E#5sBIbb4VdHeKZm~Dl&`zBYZ6LqAJ*R6iN#@Qm}W{zoAnh7R5 zKWm5Z1bli|znn|urP z(q#vrICiCw!_`Qjzb&eEbDo|mrY$=g4jWnIB}56A;LSxYtR<=}7WALa9y zr|F3L9d2jd@=!^&L!J{rU_+O_mGG99#fa19%kTT^L4!O7{MykF`kN5Rt!Ps=C&xE) z);rIqWJm3_jKd9A=S=V7T6}y|`V6XvhyH`E5LgnR%}76U@sF)PYS=TDe@f1NX`IPl z$~!CE2YvlKg|IT5of;TayeeXgYf&OD^_YA*L0~ML!99NUOk&=dmoIL@EYp{yiH>4MmT1ismOFMX-uS@q6c{ z>|r5Ch7<(xy&zuOY`*(EOHbbyRWUNfo3K+}M{l5GOY(jdy2qxjNAe4`a>jYP&zp%n zVAbzzzx(5E;I#8fGrE?+02pHbY9EP$p17`{6$3S=iegQR-;&#V2XerC%_xIDyuP*k zvX$OSjh;T`3LF^dj-7Vp+zxj7#)wC}cd{Z(Y5;-#M@L*{=r}$N+$0ZiKY@pyky~>X zzW>}dK!D{m7I_vCEJ!U}aU5*%qfq|z4#@XCnJqolt~ufz`VJxIv6B2JlXUMx%Ng3e z-ruAc`tVq4854Qg^t8<^KjVhKasI5pUT=1ZmnGE=p#**Mj`xb=S%w}xp(>@Ex7AHj zhU&~V>qfE`wHl4lrzPmQo+ z3^{nxhpd){y4^l}Bd#GnwQn>n;f z)p0$^S3ND9?}qx@9$S;Z^;7;fEr%GJY)TUR}EF#Gk78j;@RljFSe0 z$4wcxsLml3AkWChp!hWdZ$D!ujW-RNN)~Nnh>7EVErQ$*PEtJE?7#J9d759}l5a=T zM>VO*-0c<-tk8ON#zZ}3(TW%ImY%w8N1cs$ZII>TBK&+H^a4J%em%tYDxZ{hXT1Q? z3Rf~JOAw`Hwm%I~9y?AKd3@s>i|~A#dqONtety@_$hX5El*?0RrfE$W#k=-6&R!ue z+vdRMmZrX79}Ppk z&oF0)ed#CbfoxnaHBESY=u(ba%qc06sR?}~VAl4yo;%xDMRJY;lmK+__?w>maNBeZ z6pw2f()C;w`xWpA&V_D7!WBchrIZ>;LmVHgBwm0&3RctO^J=UtCl-ZVx7L;|JOZx( zWYfV?ru*J|jW2*s12p&ZtN%{!_Ku_GhQ>TC!+Rd{EZyV@_7R!yD)~&zFagM)wI90S z^xr7#Xtx?xsQ8W=){Sc5Lv-c!ac$etHYdHpQZqH}!o#T$>7*p(eZ~wC`U8-G1|)WH zc2jhKh1w6QHF;Ctspc;vCHt)SUaPM1T{P=RjzDkaCad;c+}`I`JSIGgo})PHz?NR0 z)2Tn7Sy+8oAE&1uK%91MMZ2J<-=1D=6l?nQd?({N`tZ&S?7-mL!Df4!3=ispqqI2~=X6>S$X zoF7@b7{xQ@YFGzf0jvgu>Z?ZX`my^|_c<25tS#^BL)OW|Ca3j9XE3&asmipyYw>p!xQ8#I| zT}!noS2Og!jao5QRHMkgt7_k2;IhxO!sq>3t$hcn=Etfs>99n;0? 
zhrH^ZSr(^d0ihKufXv8}&+m@5 z8s}j?f{ciEe%rxO{(;(ptSA24sFz#=iT}w5q*$6}2yPOyx6IuDqWv%+ z{MV};%^_5UbAFP^%cwWv{KwBM^)vWUKjCedn|)=V+7NyOFjh0d2sgL7@39X?{j}^~ ztqiiZ$+T4$32(m}qh=_fg6zS--m_edMAWp>t04RI=Oc7Wgxp<2bO)(94)4<29e0hb zcO+_W{?N1x1r1B1C4c&7cFDb}7G`J!9VBZ0p%IS+nGJ$CZKE?cxJE2pH%NIn*=0>| zOiG^547_CW7*YFQcYEi%{|@mUIv(N&iyiyrRquZjA|hh?8~(=F>UagmsPb^Gx?pLS zX{b9-oNCqo5n&TBsW`se&hnv+JY<=-(&twgTlv~UTrc>5NVQxiV&z=ZrnNSP>3Lqb z1cQcbNb9vh%v`w*RGHzgvasj9XC%X>DQEkD^pa&q{S^m3I5gL`%>sV2R}A!SAEG`t zIOC46K3$<9RE|(qOMjT=>Q%8S&B2dsYooRnI3LQ9q!JCvEq>98nc;MJtYsgPhMk|` zd#8nnpy~^dC3)@mGA`<4#w1R^RkdCNt6jU|H)ECDdVdk-rMjVxrJ|Ci*B3IF)!!xQ zx)^Gt*Tx3q8MhFC8%C}dzvq+*jNsQH&oJ-t8GrkGd+g;KU1I{N4Ft~mH?ENrneW!K zyq&7F-ZHQV{+$!UjVu9rQf}Jm(ffF`AIg~u;?p2T=J;>V*Ao&Pj&8PbX6+ZH3i_NV z?`k;4+n^4T0|QG;H+6L3E6dZAu zl+bm_q_p-JK&05Vu;NLhTy@@B4*~qLxdTF9y%$6$B2{~7D?;Y|`ecRsDDMkD}!v&L0= zN3;8*15o|l?Ewpkuo{lho8rDJrizT0fIMjcvf-Llc<#TcupIWFAWRJtt%JS2&Jb~4 zXsj~ReRPhnsmJ`TjdeHE&JPC;mk9SP+0F%*!?KFA8l}}N8&y2Uqds2$iIcbx&Tt%v zKE7fWgb|$%40tJDHiqLLW*nU4kxup(5XB_5_^D*NjWk-jMd9_%t@~`2UTxgGn=UETaq=jyc@zgZ>qW%T3ab*>bAU?eE&G`18AWlUF1i=8%D~P$Mj1blu?#8giqDi zIPLRtGW5o-l0O;#x|)B%x3eJENTTEU$#|^(!$cgTyd0MaW$;u)gSEN+l9LqBu=v3t zjF>2)zU1HS)pG?zKbs8)**0WgLe^j_PoN6{C}a&&aJ{l_>m9nsq8e<}w{gl}e|l(q zqZiVHGchN9aCm3-v-{?`@n+|i z7@K>I$Ev81YKFW$WuzE(%7mLfWkc=*`jCKaW#H0Tv(6uVOfSLn%2lf~&a>_AGR`CL zJWgu@84G}wLhW}!-i(*@HZhK|Fm~#B%Q8l{ebu@)?p^w}{jz5EtPNhz0&&2A@tFsw zH5J(7;8QhY%R@0Su>r_ZL**=D^(gklrfKf?l=}~M8HKM2W-v026%adqVsxQ+1wCsG+B`Kqhj+Z;X~)Q(&><1H+s~C<5S?uhRc9Vt`BU)l+|ZpUX8}^zes891De(rr zEIjL4dy{nV7F{pnPNbroV!dHY^zgi`_&u{4-AIludZ};9n!ys}UGqZ&i(#H`? 
z-e~!Y594CX2B?Ua5e?_3jnZ%ti(EkV9@+l*O5d{{V}iC8KaeU2Xwy|u9qD+xVmpU9 zydsZy$(0BjxutdUTy=q#Of(i9OQ&q_M?QSW?lab7Q>~iT&%s*uz&0qc&MDy{8$ zqT(j>L1gjs+pl$XmVaQWS^tTDd|F)}3O$^8zs|N_zi%zj=E_p&fFE`i`ci#s>>(Ad z*PvPJt#$LyE`NXX&7o?nE7Ae)_dRY^ZbwZc)z~$Wq;UsUDp{a&ULQ!TPqm8HWZX; zvToHO!2K`$-oY>z17<+8kvBWR(YzX?C`Ldtv@eAS_dJ-GT1?H%Q#$(&2A&IVb_;+R z0ulXWCy^?w_zZqSfWm+N&IJ2Yc6nM)M>t1)SLGHC>7|9v3tX}Hl#I^?LD1;LM1@UC z^#{i1Rk))2tE8GsG!eGHu^hW3I zb~;P;*emP{{-EfrB7R=>1nUvpWl*euhvJA{K=x(&^hZX|r%yfNOm`XjukL_TR^`#S z4SvOUVrd$ z^f7&jiiHtwwk>?6$?O9F6b&eSc7x(&l#RyyLH@?^SdjiBn;V^h|Uko}N%= zGqA9-uK9e|wcQhSSn%0qdqK7Wf0|F1U)Ut>L3Q}*#URi(O4wBx$dFg{;ugioJ+%F- zAQ|pJtVX&ou+sM}GgOAF0mLBRN%@$M^!6v`Lyutj+xidh_L!tijj~6K*1>@0;}y~y ze$7C{BVcxo{D(Th$c_Ghb#8G3)9?51JR2jvBfzAbObGZ3tZzYi$4{FBBey`l7Z9L*+E&`fD9iE8zz&2l9=*? zsvY|$yskDtdftg#rjYP%y+v7i<6Y5R?w3wGIERREEK7mzd`}mM66mybK11qE+E4>) zcKIaclmwvWpqs2%9Y?Rk>8G04e@fHRV8Zx{e#FTaRKHjL)=>GXpTP;}D3CmCHi zGr$lFX_KMr53uD4*?)U4)$sfT`;;agC08BuK%!Clh0e=+=Il+Y5sNdP3Uf}3X=WX$ z<2Yh+SaiwDymED3>edau@$u`*qP6fbx+A2^d9eRuuFo#?XtaSz;ZQnkhy zVbdP~)UVxl{WUXw(5;Dr?1KntcBX*amTwIVzDEnSk?%3d+{dc{b+tuqz8_fUSptF= zo}1U}ejL*sRr=r+ESU+$xHm;1BnG1ME~lJuEXq%$caiT4&jND6@&`a;8gU0k6!MK& zS`}{@Dm-DYPtNQvz&k3=R>VZroQ#h=wRyWq(HZOF!Ep^nxvStH!{ldBMrU8^$K9Xx zv%ez_ln%j{w(!@;$2RZjtFpp5tJXTXCpVa+vrB6==-4Qn=mM zsa%Q+Or?=}UPU2$0njCuSCy)gvAPr`M{|CJlcur@sx0Fv)br+=toaw*<$y-&e8FcF z$*-_NVDL%S?znt|z6$ry!I`2FRw?e@e`*5N#FTMHxTOH49i9CFVLuPU2MLbui=8a#~A-0w|IYLz9q$Ndfi29s`h%Y7?TK?zWF?ra8Bc4}4LBl^M0`OB zE``sN5*zvtfclg3$;;OC-8;R;S}s(Hp?ZpVV$_i3M1cg;*9$~i zmsAQN+`jPj(Y)nAZPvll%grGoxsXWhFo!ZH)5#Hc6kRmu%daH$l2d2h1&^L%x^L?k z=YQWNm%D2jVVZbWuVtLLxcsigG5nSU@6mU5no?w5-VylnDrNLkDnmaY?d^*!*@bS0@VpZf*ls z_DKB#&hJC8d_)0#zOYT7JbwE?qQ~1yjWlZ4d-V|oNE9tm6E^>xc*b?C_RbNnVUQd> z2D8%+V}>w2;?j+c>3c)W-PhvSTfAOKknOOu9N!PzeSR^u^E3maMq4$8<+p>6_U0@| zwbs5-yiBsIjznz*`5}*0PbKx@2(a~8$tOWwey7@O+~ko3h6S=J4QlSVZR8BqQ-II1 zwhm7z$mFMB*w9xVOSNz0MsUQ(j};YaOhsW(5Ct^Hiki$8q}o;9k^G_kdZO06Y4=B@ 
z&N{nRTr+EyOfQKXmFs;)+nX13Js<0c-yLP_n-*Z7Q#ZDBYsy%jOmUlP4b|Z0Tf|*9tJ*I} z^Zbc%;Z4?z++bV68Sz)&vD7N5fX;9sPhx8CQadEjdr(#z&gGkmsB86gC~($k8flYb zisK4#ux)2@%Ll#kpt-EHOx z6`k+X&Q?I9s`UwfEUGS+$)@07-lP81sJcMJ_Q+GP>Lv^)-Umqd6hZ=7CU&Jj>?i-V z8&JVYg7GSSdMS`mNS&4cz|C#$Q~C~CypOw~Bc;WguX3vcvyYVe0^1s$8=dWv8QJw} zPf5r?JcHZh(H+^5qAc-bpheEg8_SE8^Sld~@Jd?pt<)@lQ#HMy1Td5B2$NeKi9>zH zTJJHT&)BTru9ENSub#DyKl;QNh`+!=6!&%j#JMm^Dop-~Sz%=#X7ld%S5L9X zur`x?jwna$*kJ12Elb&IZd0|fEynN<>F&QMBKBaltM5ws&QN?vR}tL(%92v2HPlh6 zvVa;Vr8nZ)y413>U#hg5oVcnnqN-VUrb!O3b2GvctqGqW_cY=G>QVpPUE74y_%Hr13#qu{AUTb6EEB%np%|z9%EIhHi7Lh zempm}YEzjg_YGBJHv7$wV^yEucHk}VX_G4_1KG9C3;P7?RUeAW5Bg=qZS#xWG7k?P z+9LFYMt-nPo&Z@a@THE7NOf~P_g|ZQp2hW0q#VE1rgt;{x!jbXZPY(XVBRaIs!y3E zRr7^=&@&z2 z;++Q<+O&wMRFiQS{6#FmOZKRkFm%l%+` z=lM3?vtScklbJ78i{{(=y%?&-!SO!rJQU?peDOa0vR$@*a&nJ6&)MEd#7(R2(5nC$ z@Vb#Zzf@W^Vf!Ipn-%%)-I`DSSYhqUt}1?lII2=+z)RS5j08$CVme-A8N5 zDT$$JHd4U?ea|URPLay3W@b$lWafc4yl}LvjR`drT<{({#e6p-@rr<{3=2JFf*0O} z6M0n1LEr&{`0bRt1&1-4|cvwtwoI>!YJnRyD+RmB7(IUxHXcnmS zfnV%wpUyZ*Qz`h>h}lM_thlJwl#w;-kH(pKi+f@eyTXvETJqv3NB85!+Gp{j$~2qA zH~N0TN&u{w$Fs)A&r_s&oF6PJJ}N~esK664?cmb}#w&`%N-9#l097zX7_<3-=WfIK zrcEJ^Bv#SheE>pK>;vE_AoT+Li-u0_CT)7uN_@-Di@V=nNx*&v zMl&jD%nt~3oDr0xmcKJ^kOq}IjW5!^J%Dg~Q&aly`3lR3w8r(yO$&do&gr|45mA0% zkbydBajoi*1@hy@cv9l70+!coNd7eocmK#yp@gV`AD(Y;2_(BZq=iCW{iLk_F!L}l z<{bA`(K`S?^A&sheO|0*6wY_>IqN(0oag-=d@tmS$Ow8^C7b=ZXV)bKFGPX}4}Tun;Qn>GzpU#Gk$d4rEy~ z6`C;7r%MImtK$$869b@CnUu4Jz2=asQD8VW0J%`P6F5NxEYZ}(R1ULPEWND70c-2* z@%|F!V>6zHU2adV9w@}z5;ZXunwY3@a3e3aiQefiLDRjBGZMB;i-Q%E`v;)8dcSzq zeBoC7RWdQtp)>*fopfV?9cg)Wa-sU{OZ<2ApRwMjUPC_95{(#p^~QKypDX-42(`fd z=dr-#yR>Q7W&701zuhfQ&4eR;xE@`DG=*Fnwy$=PIW6%xNA&JQm2Y;b{K$}+>C^I( zLB?#kN%*_rRNrg*q`(@0CaZQ_{w9M>>eN4o{}1`H8o|a#MAKY_z-hr7d$7-gq#?p}ANG!W~r>L@l z#1zUG_M4YUy5`b`N!0u3ePW`Fo5z11uir+(q2p((_R@014>}>y_U&gQ?Fl8VkR8dr$?&r0gtFE>LyQ^l9RV+j9qZ$T%xi5?by(Li z5ngfwDshEUwa^mRo)JdpTLXmZH!^i?hllr?dbs1EQW9B?8hp}CFxpl-qFvSeZC7Sn z;PIakk?R|kqWv>l*LUuWVUuteknQ}PG&S(a 
zi*f)H_+IJ5_Y3%uN&_&~YeufT^ItAjVOW>34;~Ep4))@Km(h@At)y@E{bzCN$JZ}t zxEi-cX_iMIPY73X9FtIq(QW3Y?&eN}zpBi``AQo2=zqej7H{*Qv zS7vk#_SNJbQ$v9-zZ-6PrCzV4oYEs$m=vmpm&?!09HuG}p(;ZFQ81z6(6iUVRU1Ss z;I6fu{P5Qq&Lvj(O|V^^oF}Kq>dW#-Ktqc&y#0^rZaA!JY~=xJZuajHSAL@Wy`0Z} zJ${r4a5~vF2tQXkYh`6V7x5a4`k$4t3IAwq0JS`9{WL2HG1B!i?msr6CLr;B!iZ1; zwdf{E1d#Ron@Mao_CD%_-cs{f6!g;@UqX` z*I438gs`5e0_}JJ8eeqwf=lQ>`;S>79Gk7!?LF{x+*};ui0;9EYZ8A=8B-5DMe9V5 zgzT9~9b(A} zSBc`!D)Qfw4bYEU#9!UK`K;`ZbZfzN8;hdcG-{Xt@HCLu`TM!!J3Pf)qW}XgapV7% z+o^tyQ|<*G*i3Eq$I7^^UGcLu6n_Ri!U=r~)C2xr$8P3AlW=88{-`W29%8N@R>I?- zzQj=0IZIUyKX4)`(yAwzo}9p&KfrjIU~=fUb!5rJ1|Kc|1Fr6cKGzSqKhAYO4zJ_) z7lr^v_*&E((&X#R>Gngy^-wR)07!Guvsc6)Ps6jX>`GevARqtvUo^E#-e;-1;kqxP z{((~eUoV#PcJ_;x?6qDP5?uQlhHwMZtTZ7d#LL1=@>IrjK!|FIZg{& zdV%XPA$tHOj(enm=Hf!*mHeU5yhb|J@xwnps# zP~)Fz2MEbO6n^HZ^-uG}lrij3+*P2vKfWurteqm~ zyLBLbpJub<2_eg~JR%sM=_}b%6lb!r9o33Nvd8OD7k9`MOcv`HKR=&z0DBz zkAh$a6a<(#wNDH6Md6Q?>ISMVf*n~l{l^~FqsdxHW0(@(tDre!ZO22nxxZ?_dbZC_ zysXD?t>tqLw`?OL*Ppj&@L(%e(iMBFkEGu=N zJvp)rvMn+&pG>IvCNBoka+`d$-T3H$@LHW`Uy5RLjJKuC5Kft0Yxm?c?^w1 zxi`f^_T&HMhND~e5RcIhXT(S-hm}TC16bYvH~M@VW;h9lUag~vSxD!f=@`U*N);eC z|LxV^CIZ16ta4ENA}taY66sDhvh#|~0qrx^Uhf~Wja{k^4K4h>b(g8j5e-^H=tJX3ejFxdPZT2N^FYOi-Eradi1_o$|_F`v%R2 zPdQj#E0Z}uaaT7R{BaJv|KQ92h)_4^E`ZEft=BE@F_La(ISa={7{s$xk7=vrX7}(@ zdKiYYUQ1;XK$(ve|Lej4S1K_94i0A9`)ZF!X z%BnFpH}?;Z`C2<&k4zr;*Z(N*?EDJNz{gzlkH)}_Dw?+sNQs}la1vL0u~00sS4DNL zZaI1Zb^AH@3;HgIV=vGw3@C3^yAwE;Q}C}zmN9*GmDUh3n7s8rsH@lK&^lH?`}3`l zzmsEfDO7Cl#jzs$zT(u`?G3lKzXWl!ZFozo3+EW3xoKYn6O z6gW4cD!;k6okuAD{i$x9hgD#j6azV!GxsKdLZ*3aHA25G7)c=jUWpVa#3%H>U7b*r z{R<#s|2E~!{uZHtru{6@86bH4WRpro9G<%(2;lN_SmakHr?95)DttYNTf{Ef>q9!b z0Wfe=YIeQqG;v?yamh`OD_WYML-DAZ4rR_COSRg{J60zc4fwt1l=|PmWVy%#pc$Kh z{RkOGTSp{0w{e;@I5JXoT{Z3I&0HjG-hGjnghaR&LkBeruxpdp^<~#$>R%drYNX?O z1mFE@-E#r!KA0hu``#oBq`sHTYoSbQJQw!WcK8(#3Dd+5+a#y>Omg3=n{(|{a+4D{ z$2WPOM%BFp!69;BAUzHW+yhAy$JS@xFOq63QpN`QI&=*EHDJ~=+3{C$%HrP!)lqj~ z;^f>LtBaR@ml|{Mxq8MLz`SbWhOGi`*j5}9&EAO{GeQErAgDct{40?H)?;0Qp+j!+ 
zbJ9TO-T5E{DJ2tIuWPLKwJHJIRyc-Vlk3sHTXSHcs}n~qUv~jvczi$3tNp6?fx==l zH-#LEG#p?F+wIJJ)g%ZbSHq^asAejfykZf*hF`&cVKCU*X+efpkJBN&!P1z9a$dIl zJX`qzp{zk3Ch-^`Lccws)i-3Roj}y0I@2_9E$)(0{&FdlE-Hr0i42{J5ua;!yP}hN zpIS|UUY%`B+Cuam*2CkZ;T$=N!6Be;XE=MQOP3S!v;{T)W>jf?+@`cHc$3!EQKLWK ze%$|mb1G3n?}H`P@oM+KVJk(40i7vYWMCxfI=f*&-{ZkSqPI)Kax_XZ1mE~FAB&cc zrBX{-q=AENZFA9Xk3A9$*@p^2)96U=AYdD{PMYM)XcT<-nB9Lgf1HMD`xSvA4XX2^ z^jdXr)9;(aXa~+=1`Z5sAZMfP~>4!OV`&MRACEVTkOSAV~^Anh$A1$@ZAeq z{o6YPXd0s+0|X8frNm;Gcul^cGjghAw?&JslTA-mnk!V?d7-JfG#E=K=k;{0V%EMP z@;O~#Oz=(G8^E5VV}9D?b*xuopYF*lF{ngwxd%b9>O0D8j21-O+RoP>4@#gEZxa$y z{ckQTD3B~)F=ZrM#--xucyAF^vj~pg0s7Jx**>mr0jf5Xt5?_7#4e9UHK{;>k8gkh zWzivQS7_Q9)tkgwW7IPWB%iK_f6}XXB?Dmj-xTP7wI(K(mw)qw$!uBYuPFgHP?}zK z8sUCOW-xoE`Q2l()DTE*F?|UjgtZg}sCd*?nI1njZoOgtC_)H;rL%H!7NFe$0h$Fs zF42iSHYo2+NW``^`eHd8Nee;=}of2Tx9%C}>T2j&if zr-AY4FrY*S{yFc*z11nE6%LW#L2EE)&NO`{mTTDHHbcMhu^a#EQ(A>*&%UHx`Ki!T zNpg%Hq3@N>^upL+t1l!7OYxnNKTF{(91#ghdv~pvOTNu06k)3GO*!|n{}B3OJgW13K{FkDddUm+hdp)Ie@6)>hbwdyA!)#ZLNMpaNllDJLcr^;dFYj)_*PE<3H@=D=vVwu?THq_nv$#DkPDW? 
zzXpI`$gHgzFYPUf6lACu7rwH-K|w);T+L?Pgw}6k6ekh2EZ)*$fIb0&e7Q`cs(4nd zIrb*pe_RxLsiZ`}>W;Apho)WWUs6RUT%n3Qg(P(fAX@vD%Oy1C{5G}gf2_iN5-4%S zl>=e+1Uit;VC)0fwJ{7(;OfIDTmoZYcOTy#OZaQYf1fx5V-z=LzLt>PCS}ukVuvp& zk4po~V_JQ;5YR+0AovGP#iLA&4K zCH?C*90Zc`7`8xb9zq@@P>!!kL0`#cQ0oZvDH*#3nr=O4l)94t0AR;oD-o<`GD@aJ zKtCi4e;4^0kUPNJRJjsabv;5(<}7NgZj3noD?vTpuu2m9^G}qAldoP6q9>}Jx7XjH zcn9d6Xkc|^>VkjfUA@K+5L9(Gy~2;wBR8Pkf2R}>9j?N3WEF$ zg_D@PsR9Hb65cF=y@9RjH844bw}}!;;JZWd`WnMQ92@80(k~B zwt~PS1%PBn(#?=VI*`QL@3@{45ZB{GwV(#zQgDJ;6ri+A4Z|VeTriUa?V&=lPy)&S z>ZeWn6`s&cA_bv9VaAArOEY4#gwtZs36gm^zRd~s$pi0a&Io!}pKCM)UN(=+T5L%i zmrNPiX*+z+beWGdVgX$p=TzXw(#W_U;iIL%{mt~<`_8m)Fhlr+D&8 zTDI4o?jfn81sqQ1gxp(P)^}Ye^b$n{CYA=Ro9Zm-pHNt%JXmjsJpTKW43JVanP~Cn zQ?^W?`Bi%I!J)+c2Ibu)F849P4YySL&)SD#RZX$)+Z`OTeu<|UWeJQzcDw~s>xfa9 z>bF@Qx2#VhKA<$aTV9WE%8spdeAJj)O_u6h@~O6+&OXk8^IiQxT#NI(ur8)-606{t z&XcExV*mbtPR8h%cO;Cm+6g9QR<7=Kl7JblVf-3d|X7%74ilA`}>Rz z%ZzH2tFb8aiu9}SY=bm)g>e4-B7>0z!FQ_yq{tabD1{FVSI5V-7WB&ILzlG(6S1j`CY_FdJ}x8C<}p zdZ53;%Vk*Jm<9+S{GIQ|B07MR#1)Ex_FiofWuMfz!*-8!TIpT0Yt&^yuY z5my>~q|{t?g2^C`_S!rDpHZU0C$U@#*YBsmdV71LgBUs{*!92u86gjmOK7?fG3B|k zV__38n7=<9e<>E$0woQtbN}pBdRFbaU45AlTsq-=%zOiC^@$cYB>})gm#r?HYeCoWLc*MwwZ+&J+{ZZsN~~ zx>Yiy-r-Wo-guzyC@=Nrm(wPZlqi%te3VmP-{Yb|<@jp%X3M;sl{7z^Eev}Zr@8Er zRg|CWDUSV=!LR8mt7GBc^V1KE26Ys#wOEp2tb{WMwN4iLJD`NjHc(`H-Rv>d@ON%xwgr!O!=)Y8qOo&Mj<%r;Iv<#_< zf=R14nmQ&pEgB9M?nW&QYq+&I$uDZ=SMIQ(Q6Yr|Hb0<}p_xK1>mf8gA6H<$T`iW& z+5Wd2Y7vL57SGIQbOWmxX9kw{Ku!a_UgAv?@HJWPzgD&?(Lml?(NmXPThwkAc%Gv{E=>D0bDA||Q zum9lyy441p(Vdneb+CYA)I#5SNH0f&qWIohj0H!u0aO@B2MYs-TJ*{vD9eNle+zO) z?z+Fl7?FI4%aK!#Z_Loj;^%q;yNw35KiPs&S#n|EJGy%;c3n_a2d zZE}Bjmis=oZ2HxMeZ32exzAr`BRmOVHP+MW=X9318SkLco!#+|a47hX4ouo}Irk3T zH-?^qzt+}H5ji3a>)qBe*BgKX^f{cnaU{&zMK5(tA?fE2*nn6~(3bKvWAl4~8oUODg?*e_kl_Np@{@^;OXY31}4syGj*2_G?ME^rfpdOg7X8R;CCG@ z_%QUQOCh`;#nGaVMP0v#)c7Lq2_idLRsA5`2p2IhCJmUn{_+a^eNDfhk6?gr+F+!d zuSCIy-ipUEfb$jqi|sh!=-Aw}OC$VgXye*@eLWKp76)2dvE3{qH3YF5)nbSh+}K03 
zq_!?sy*wx;5b-`SDf$Ru1u9?RbsyLc9)O6Jk@5tu+o2}T*pdY}`T46Sj+f5hgJ6DS zQ$@cs(tVmmLSNey>H|0;2z%|ee@WNSK{%tHu}EUn+m5h^;V++k`%G?09jO``{&1hX z={?)mz1_n8u&Qa8`jUbgs6Bh$9MWjDOraRqNi7%W@c^uVbx)}GSRo;7Yls5 zB^`WegE}ORqp_<@E@V;}?S{f9lM<5OICnyRo*nEako0A`AHn;_kG|FdDOkWNb$Yjg ztcv;HAnSytdAvv{&jmUyx&wlePU^;93i4uYyyh=}gUrAtxZ`7wMLYTPB3D=a-h63N zIM)gj8rxonB(<0;WcEqm&7oSE^)lgbPo7%_F2~~wh@@f3Cr-Wn0_lD*Oo{IP!T3kY z#qo=5=;C@<^aZ+DqOcb4?V~N_8-Xuof*uO9R1P5as!&6cj_RF|Z)Z-s2vmc5snF_nM7I>YOP>gKdzhQ8zDu7{@B z@U-aH>B%t2-n=`NAFM%ScYoce(a{9xl(41{Eq++I>d>u!?6h#JtYsNE{rPMUgQz&S zH$Estiz3QbTTp|ib)=B}w={E37dwD#(4K@@yf$A>{QmuWyaW zmXCYi{GJDb+i0?s>d=S;T70=S?rU?jo8pPF!S`DB#7}8S0%o_^(HY$loh_t+KrO}2 z#-Ymn)nHzyqK(VC+-|ITMu<2<>o_MSIsX^0_i*aO|Vi&Z-niR1foUSOAN|epKH8xgw&b z&PYwVDDXzz-!I!=mm|HmbNs#bj9Sdg%-kFWSAh_=JzkX~6cjsZDMbMXvPG|z$n5Ow z3==VD7Z(7mN9`GXis(dM?%l#%@M9k*AXxV0*nutG!h4nUCLLx}{bpLsebMlR-n;l` z&!3~o1~d;woEG4baV?>}k8XDuu5*DRFEI@yjQx@i?m>2^SplZTUZQsM!HmtqK?=Vs zd2>@?EfX6X8!IdJRNriloOdVYJu<|EAj%>WOb&$%(xCh>3~b-r=g(CklgNraXu($! 
zTi}W4TY!ax1b)eyNpqX|28ZngJGD=Ht!9O+o;OR_70>#y)!tt4S@48*vjRcI-S0r} z`ju#)&OroJR@M~SqFZa+wrAf$1&vR}7jW${JFT|TC|Gd1u&d?Z!75*;=JkrG0cZFe z-Z5*nN{FUhJEYqo1{yH0C2B8y_}PLdcBZPUn=-or)@lKhK|DC?4sN@~976u}W7@;LXA0;^UZa9rSsXpz9q7psJ9~;vg)Aunj(A8xg z=!|S}XB1SQ2io;=b91Z3#@;I3LJiD1cy}^l_JQbFCnqo9KZPmLM?-<1!o^42Jvl1= zLpW_wD+&9E#^_7Pv6kFTQ_rS#UWvdy2lF*+@*5!?kC`1U`!)^_b0jj!{iO6iECMAAT-U6dp7;g|+C=Kt*Q9V^G4xA~&LOYd5mZ1Hp z=ufXE4ZYc)q&t)Q+js@btqx<&DbNk=pBZ^92l2$xRh=R{K_3MpNdppJLxQIn_PN;6 zkE%}#lwCK_IMKh*r@JrUnS)n?j2qn%fYWliy&p44x&i^5$d}%gM1p7e7;(A1CjvnT8^yeBq3i9X?A zb!~jWhE9g+48e6;sq&c~x!7x1RoR(rJaXXS0=7y(takI^2EmVrjh;ZWZ_gc%^OU>lR!=2YpISwOtJ12l1b`woS4pWW0tv1zaa+gucmxJV3i)InC7{jl2a!~;*7vt6zsaB zrRhuiHPDhx_y58WUGmAC-=@+^ra*32?J7D@`>ZSj>xt|j z4Y?Icups2pp;&t`o|0*0(zLJr^7-rz-WUU7X&>I?;JY`EYmL9brsDEu-@&QozDR7aZ@4+?AYglb>+7lr zn$I3pxxmzJ2{>oT>F`iLRMMyGl2vRe#_sc^^V8N7lU2YBS~a-IQZtHvvUq0IEkkM) zSY{gic@^(bQBM2dL4o&ftc%A^qV`-89W8BxR}9&n29nzv!K3H^hvv$iA(rJX5x}M09$h z+wF_=%(A>^mw?W>tje{P&H8c{-ErCvcB)r&5ziQ}ceSyJc7i>(*Q}$FFh5LaZ)pZ~ z(rDgj1PNl@IJLwFuQoLgiozmR@lMbkD7OzSUcc_qufV1_9_=^e96U3&s85qpw2f$V z-mQb0=jWw6b)+0F0L=8hH0~TEoPz!nhp<`cYe}DgL2}>Id)RcO?)sT@i{xPk?lCVz z6`(c;qo^}xH%KpD(5E!^dvD1B)(q=z2wL)E*Dg5FApJBwvrM;2-1%7OXC7(lC<32H zf;+^TJjFEnwnhQ7zZ9WVasq4O6Qw&1O_o5rVa{3K(G5vY!=uD^rp&lHN z2-_|MkE>2XFQekqRnPV+eB-z6(O?AKDg5|=l4)hd@a`5A2vHPg9Y6-F@DXsJ1`xrG zx^a<2uY)yrMkKfzAGGwe?um;yGMNM|17iQEy|ES5u*Go-E6{0Nb}V)1I_Q-2KxY6 z(2P15&HQ9cQQ&0ycG7ZpPUsL`35ju}l9iphJ;tbC#I>l=Qw1#c@D zQ!4kZb$$_5g8PopNfbz6)`y0pfp5q6th;-$$6g=&gg>G^Ht0k*HR|~*^%0;CwWU$D zir1RBWx}%E9^#V93X%piJECv;0Ur*#*l5SQ_4Q)UBXDR42;;v5|6&-jr&oXu7_K53 zLXNrKnQ0%#!$^xb8sF$`P4qtHDlYWsd48~D=RWUBDlFoN(bV zHXjRP3Am(*Jpi3VsLX`>n)`h73hWjUF&HxG7%L*nd`85G>{NkR3%@d~?>g(6FwLB{ znLBB|*t^BbK+B^(kUjrvhx`F59K=N5|0xjQj%(Ys6xpTn<9n9mtgNo!taJtQ>pp+} zPG;37M)KP%M+1V#6OYLNxTF_BY;94YqDWnR4#OCC8)3=|?bI7jO_hxrKT2I#jph%N zDJNrXOP4w%0ata9S35W>aT4t(=-kM$?`dKeaA=0>{1@)EH8PYZZ2hMw5Ir*hH;oPo z-lBClV}?No8){c%4hNnJ;NJB_#xp88YggqK;%i&XBrqRlH0(AKt-ft(fw@0`-iEDT 
zO6%2=*iZ`WiiNz+xO`iMI+<(%bD4TQdseZu+hb$N z7oQ?KV3KWBoZTm?ZvxH_Q|gA?u{~!EK_78A(d`jCT@<=?DZCZ0KxeJ}gP|h!4WGY7>)Z^|a`y!lvA}KE(fM0u8T<}9 zS&he+MCYU8xYu&Hk+5aa`-L70$d7IouRzIBY032!^xZX!f|jb6uq0diOSFAITb-kW z;Ajiqd$$`ekUliIxOvD54tb=@ASx?DLQQ_>x#P+77yQ07@toS)t}1*{LyJWB328B4 z7uTjXG5f#6oRf6a+cH;p4~9aqZQfnDti7ID9=-18bb4&URb+k%0%lMARF3JE$zsPdu?vAq zaCC(C(Bb6HfhaRP9j4^i?%@_CU-u**lA<+&nJ%eEt!*T8VKKbx&dzug_Pw|*H51)a zkX_M;<^AUvQWGIlDpI{1imzq|gp>Vp@dRRYQ(QM%9iO|ebjJQrMs1bGqh20vDM&`C z*ehp<)qocc?i7b`3kI(4rqR&w_eBoQLl8NQQ}yFk#H^OupNN@qT)Z>9T#lqbr0dPT z$i_OHNL0VTyjj)PN2y!y?nWd(D2!m+gV)$j_gK%TfhTk=CP)mPCm^hftPXn~09+I4 z$;n6w^oiFH!QOGa4{^%H&;yg`1{f-bB5>mKGOQvlMYxo4CNZlG}w@FbgXB>JPP>n;lycqiKrRXHxirkNIm& ze7^T`DuCVm9BjID1m}<=H4bk)k9PF;lA4x_mdw-30#^t)#i>efI8(?S2pHKn|nmWqi)b=x~JS?2*#mU?||+~%(27uYsC9o zd~S!k^az~O($P)Hgmp;Jib^Vz5NXn_KwwL$a}mOs{*fgYhU{=|C(pr_yg?51otX?E z#f_So&*+t8b|a>&Wn0jad}$d4gbkera+FmUl4xIO}D#Tx^VBZ{sPfugRdw!mKkp{#-C6G-^m1xHUvYRx>C%aHIep9Wf zhYTBQNk;DxH{xfitr%Azz5O*y6k>`Ri;Y6LRCo2+iljt`Xy{?2#_VT~ujhqr%@83H z0&|y7kGG8638A0Y1yBtL3UPfXvUDOfTo$dSo+_C6-$7~?ofpc$0_^F;PxvI z)XCU6!-D0ww(#(susAku6VPM2m$ULUk9dw;Vgn5l`K8F!Y;B!;$sg7^@aB~NAtoRb zXHI){FvvDHnS&S`1`+s)C&y7x)Vn@(Ul}HrBD|w+o1}?&|Ti2~AXzAYsoJ?4joi78;uaqGpRL zLT`+^;2H}?nwm_R?-VYMViC(??KZkmu3LvA;hc2{-11+n2@l0l%dRA7dzeE|t;c*@ z*pM5SDGwglgRq3e>oS5`MZ~E|#m*aVwK>Br$b1#ZQ-{wS34!2cUs z)%}y*`K~kA8?ylj7CSmJ6NP|c#F7h-c_X8QG~Ge+&)Syc!6Eq%=L0-pc&PLGgO(9q zi{kxdhJ)$(p*vk|{Y`*8*-&}7HwtCDz)?T3H$PYnZC zE#AIe41gm!T2|I;^x}oJ$SYrZR40v3a$3Ub+`U{1SQ2B#<4Bpw7uYAcEHBBBjo#4C zs@IVo=F;*Km^nX3D#usDi1tU@Km8oy(>D4)wEcxwlX3qBjw^yR8zCXc*Z=`3>1M!& zQqrA*q$u6p8{H+12&hO%cS<)XDBUH}GGM^(_W3;D-}C(kzUOd&v$Mm!vG@Io>$+ao z>ye9Jh?MNFVMYeX9LQ&Sr%t>hXXnbj4(okDHAo4UPRBwZuk9Clv= z6$YK0ln45oYknWUz%OX~Tygy4cE5gM^NV1G8HV&;`Sbfj=c{|f3S*n7@JPQI026dr z8DsFyBN^pne&(fCt{QNNVrrhjY!P28<-Nsi=Nc~9dyg(H~4a+dB+w8iXW-Od2v&2--F-^s;bA{!bD8@ujmN0abH(^%wJ@E%vd5WsMIrM z)Cj!sytV)SX`@Jy@@T5N-wE9o6wb7c86W(XXV#gzfC0x&sz%VJ(c}d#Zsdu0=F&rc 
zGdgX-W4AiQQ<%kWzfOK#mX3VZcMJP!Rv7m4r-2NarQffbx6$DpzBdkpZTa1J&PP=r zSU)_?_Fb!;X_+|(mKnG)%Mo{)n=K`*@rK$7>Rp*^NCi6SSYef;qgdf(p_bbCOJ47X zKuwi?S9j`_WvFoiN`6x$P@X zmfhH zDE>1^^ye6~5ro`K@%em2Kjv)0?G0LG7MvQ?_d?@{{?(zRvzGQ`Z$=Mkm15R=N|Cm18&YAO5LgRfJw#9EVo;*R{JWen6oE?L)oGunzQuA7H$!HV!Y5 z&8hT!fA>A-F_P!?C9#k7hth`9xD0me=*fp=e4}=-OKeX4r;*YbV($}=p4+P}-bXxU z`;?rTYGQ-UxhHv%AmZeocd@7CfUZou{SR)~ROfjN zeg!Qhjm?k*+wXt>Ok>Ny56524vO4Bmd?N)u$1Z(dxR0Xs2r8VVVnW=9MXCMFCP1@Wxl*hl z2sbg3e5r>}>AI=JHmS_GPerHu9GTzU?$9aW^Vcw^<{l^v%_kD+vnRiVN)x~=^lfc) zso|S`iMh&P4Uf_E%tp7TqBZnR(-gjnMpl*iVj?6SJUN^VPw6c8JBn9#P4jGc03 zG~;)j(9l8)aV4T)&^{;BkAR*05PC;WlioYR`R>+PVn@kwS2AFK5{Q@2s=jak$5n!Tcr6&+wNVcAMk4*7c9z1HD-+5ZP8LT z1cKLlMI`cA2qK7yBRC}&hTyWS||DR8ippzO(aT#SFq{4 zCLz7aHLrfvJI0@wwfSXgowNh%&gjJhx5RKEj$IE#ZvpP{5nFL-zDxkMWOwVD7V*8( z(mOW8wE>r%Iq0SPd(3Q=_wL8DocoX&ykTM*hUTTF+FN3s9Xewt{|->b!%cy3wKdKR zlA0br3%43o3&6fYfv*3i89jNTE4rz>1oRiHs_se6M>Ilg>46_fLcln)g^~0!H`)>e zj{?5S9;Z`L4_uf{ew>Qh7&=--fTU+9o6JdGLR?zVBh%&ffN)8{^ClFZG;QhH27X1y zRNq}O)`j!_7w+#q9geV1WpFK{JIeghk&2OI3`C-z32zE)Ay?^1odZj`M1}TX&tsCf zBZe;DW$l&U;Wusvt+%~f_JEDY37_cnf1o2p-9J||R8*Vl0{@^QV6^kM7?sOS%KMtK zqHrs+0c@kpI?shy4-c+Qo_}3S#w!*E|EJU5;nX2f50umRab#z4sY6n+cip62&u?~e zBSs;_!2lxLA5GaC-yT&g`YqHBO!lv=sFu z^9bKlNqWzpOY+A!M(vOX*CW7*IGFxcmpaWCO&u~mBhmnN>M{!ORSs7PeehtMsWl1c zGXEh3cLW@-jhAkH6!G3gL%S%t^!`{bF$TUtx9Go_c*KPp&S5-{hRU&cwV|k@X&FQ(rB1;VmT-1g&d7=2+q5$ci$CW8X}~xU5NA z40T9}H}ue(I>ec=n1kS1f4rx7ViSDfq@)|`Cwum%i5fLT;I#!o%3yaX|bRP&>09UDIale58o%!@?lNi}@Y z^>DOs&%1!j2*c~sm&!RAh-n?Qdx2>2oq5eA>b$mvRYc5#4>~K}UuBSX(<*9EY7O_- z&vcr0O7!LeE_rr~vdWvrBLE7Ii2T>K?Z;5~snvZ^#LozLkIclMYz8REKQ+r93fnC@ z7zHkjEdZ|4bsZkw1?h6GOc+4OL_`IVJRq0W*7iUfAdxIjphOy^5BKKP`j~~Le9tJH zwzH(`^2(j(l^$9)jQJpm78~nIKECF#%g@ywTXEidy^`ZheGo&#&oH%2A$-CdMVBI) zpNmWWErdS3hL2h(o5gFZ8227IIfMu5Zl4q`nXD=G(&iJ*fh9jf$LR1Q4mx(bCz~n1 zbC3}NtfWP*dOpR=IT8ZZxG)Ood7jPgf{6B)8B?n{!>DR6wtlB(S3-tg%F78dx$OAuQ!lq6C2%=Nbg?{5CAN*b4?f4 zGj#&jZBwd`* zljmMk`4Lb`!ZFLC>_vImx9>F^W8aiYS6q#_ADcA1o3+a8*E<0gJ$mfxY!9`b_0oTc 
z7<`4g=G6v$81~qz3JA@Km^zoyfb`@a3^5=u2tG?q>eJr zw6gl#f%5tMEa8^AwG1cA_z}*fKQ=8iv z1u3!-yXp#NzE-%83#D5xC2!}egK+16O?-X80`w zm?=4Me0YBIxW{{7X;+}X>ub)nM(k5V*OL?8fFoC9wCp{6oXP46Y!cQN^ZXUmX$z#y zTlPG|Q)(B`jSR~zR};$`WMZ#_el~wt&>C+w62VgQN{e6%@F87KZ!pjG2^L8V^7MJ^ zxjC(@4P>wTqw|Yp$=tRRpj)?xs6T$|*|LPkuV>7m{X--01uk6fQSrSurUY1r)&!l! zmv+?Pw{LHmyx&oWWcfyfe*j+W>d7~xc^*BOYeedBi&#qC7+`e%vEZ59qD7|#2WVm{ z263_+x7`BbpE&FjHc}QJGZ`6M)86eA@%G8N2B9qoDZ7}@rwCybo9dR?J0${37Rh21 z@>XQaVE4&2&C(C5*KX`X!Kx`OVu@Kh^J+GO@=xH!_t;&qP^U;HPJGM$)2U2HSq%6D zMZl^w@M|FFbT{UWIay+vvCk-3%|taxG&p6O0%RyC;nde|tE3$o@HZE)tgJgJ}s*=#6ldMIhh^g`Maa+0N z1b|q7=O$4Z!8OC}%Fc8?`&ZXMP`pfBx5LrXc<@CneA#ny|L(zkm93+_g=zp&n%N;N zKRw+Uj&L63ZS{Kd_s`Up<~piMNnvXfkkvST*ip2)+Px&n5ItxCWYIVJqY%Tl`=g@W zt>3m74Qpg1dUFDUH|~3{)%+;I!y?}Y$E)V>wjE**gDCNiFBk^#QZocbB|n=!j@mA@ zy^Y%7m!1?(I>}&r`#xwX2oWJB`2Ogq9nj6T3``V!hTnYQazzWri1_()meG6X93?8K zse!!x7cf~%3(0}IDI7Mr-VuG8P}?tHL};bluFdA@&b&vNJK@Cq=_&3DfAK4#$fr$C zZa0_-_v7Z1z?E>Cho98qg;Fk_882-Nr3G1ne?6JsqTC$!3OU`4i;tdjXdQ`--}kvP zp7FiB(t=)7@dxUU9Y zD95yQU>m-8ad%2P=pw~o*NH7mFJVdfPSVke*x_)(l%kt972<`UbR)F|sw|uSR(x4~ zZSBB-AO>c9eN>WoPUlpbxEC#ay^(IRIF3zA%mrfnk0ZU4P5dLlb?kic+bp1d`*BUA zPhe>9Q=jJTTy65nQ>w`z6M|h6(dL& zeR#*K$Jzi8=dt%CX^EiF&_L{BVyXm>CPe(Adk0s}uTA|vbSv;eO5*x*=3jKUxJ$;t z8z6S-osxO^!_p7IC>VFsrArve8B#^|nyL}xnm+x@d*ItL6dH3bku-<@^rF$W*?Xu4_=!`O=#U$4HI@N5cX zO@?RnGxU7;Ya~C@70>?Lx)xw<*4T2nitqDBOfTZ^v@X5*p5j=+d=(IKlIQwIY;p!H zM%9A|K-gwmysY!9MlwGWisd!H~5 z7Eo0j)e45_i7a?&WeJxIVD61Kop=J{Vh7yeD+qHEw>;hyt7kq<`c4;qohDoHlBZ6H zJbfHLg^suBv^mb=z$?^UPq91FoTS0LuxgJJ%l{vBT>fMa+-TNqE$Nva^ZbMy1 z6CW0b2c4j@;RW4~PsSX}TkkK`I(1@G)-A`x$5;E{Hv@q5c>g#VntfIm8H0ApTVhUU8&gXH0!ZJmcWl zVO;g})cwY-Tp)kIMXwmdP$f5)GY2hgye)@*^`j<$QN-R4-f@3hC}#UVpWA^czvex@ zneU$=!((vC1C+z!>+elgNXwpvs)O$zA%+B_Ld3Fjb^GNFSpG^6OKjlPoRP7A2#ecF z1&`Z_jh$U&cAyM(2qfpAGs3Sye0jA}LSy^V?|h*hXf8QqYRV3M?~^`cvH!drl77}G zC?pggwWCx*KMZ`XvXg+qHZb@J24~$ zd2JCF)DbQdQr2%paT^K^EO>rwJDQC$X+(Gbp7A7j3wG|3e0p$b-EE9MjK 
z4oG2|4_CA^>sLlS<98Elh4+1;jv#VyDY{FSLZNi>={2Pn6~fd=cdX&pBP0e9Mp4k3 zi&v*ETs!^ETLE~mI`$TPxpQbgfV%`k<%-@y|Js}1s27|7-@$y`VJ^XGmjRL#Ht4g4 zS#Je)B))QV%&j_kW-USZc79(VLF}31BX5PZhSi+qZVkmXMK^U`KFLp$hbXQ^J8aEr zCIt;|fMM3l=TrzRG(?g)Hj`R5w~DYh_dNj}PPA?GgLGGH!CPIk(X|qJuPxyabQndt zEH#qjKEtov>~G&QJj0ePITLh9Z2s5j#z{E$VkY71? zMU=EQjHzyMd=Q-V3-^FrK1kPH>Fj(Y4!OY%_zF~zs|-rcu=k6kaEF38bD0rySL*9iB6GnFnOUg~+i<6ZpT>pzVkMsBmi$TJH9U~@TTRWuybRi-RZ_pW6im`aNJ>b`CZR6Q_5EtvDN-&U{aCtaSLDo^Zr@vKM^!^3^LbUqVn$a@^gjiyQft* z7+_S!@pN0`{qtCU7t?I-&KB?JZJLh~(nD$7^nl>0=yE$WUM_BI@`Li`XeMzU%K?Vh zs1Em)eD8e}-;I-YR~A65_8oxuZaCA-*S9hf;Vpa7(cvCj{WD7$f_6!H23oPkOBb$3 z&0~&50cpG@M0KS1&3~XELfY^LoKGIBW*q*=a!j%S1zsh|M<+CnVqR59`Mh>)yAbCA zBtCgkd#@}zKsc<**^BMf(pzJBa3Af9Z4Ksy@0Jt~uBoUducj8$v7&Uw79!HoG~8Vo z$s8I?PaPNMMN9*)_xTQ9jssI;qJgs4V>G>%u zWN%6dgAsWy3{sLc?t7coe*SjQ3=x};HsY^sZ^Gv0aRjHNE{+Q5FMb$Rw29+D0%-}n zPqwE2US&RYVBp%e4wP&zIO)Sa^~Q#!KaZi+QH69QY=N3{29nuif4NQe5T5m+sByHH zOEvT>jc+cn(bJGTKyPHO=>xR1C`beY#BWXRD%Jr@^YTu}K>I6f760hQool{z%&YaS zK?=Xw8P9J~4=5kUpqe&|2$RFMru)xKmIK1?AHNC+xIUY?yWc-a{WahvkC5FeCeg7i zl1}rO*A(68>5y~Om)S|SJ0h}}EorBDebR^bP42Llvm%aO!~xhFvSg4)`%ndg5n>zq zYB3hL5)%HZayFhJ(&Zax$BC`iepAeeS&J9nW}v3R3BGzZW}iuA*Q}~c^~Oq>dhCpA zd-13<8WU;>2y{;54y#6Qp(hpfxrmXZCq8dFp;ly%*7T>iqf$3uGj7rO);?qG4#h@% zJgY{?s{4950X}aM;4D7IE3!n1>O2j3xg9>nk-w*t8p8XjJFS~er(|1Z)70DZav!dP zA{lA4&>4>AO}j;0>F*3!G3w&iG*4Xf4Kl37wRk)tt(0{a0>t-*3~my(ovrvpS<<+X zjR^rhxyuM&Vgk-zef{7@@PqqTJ4~jP_i0X0A=jr#Oo0lg4N4^8Xo(#bzLHu`$)iyM z7e)%;FR*&BRUwOeg5gwFN23|;nq%aZOi>R`3Y2s5ow@p^)_oS zI2=7v6h(Dc+2Pu17u+Ng5p#eG=COAeZaPise8UBdlDj;3yPqMIX zQ0R9G^Lcoj@S#UThZ4e*E=b`@8rVNAps~sYye6WNoXnL*0kqVNO3)K#5HjUl>Kq(unZnYhv|AAuSVQ* zzC?eo`P~159&$|^#Pn~Dej2K!jE$5wQ zxF`2HL#aChIDf9Bk7SK-0pqvjGrKZ!d0w9v zu=a{UF~B*sd!pXV>=6VQw$9QD*b_T_>+RjRXe>zaD56%~XfO0hV_bz?+int zoc*HRamnzmQ9a%S6t2^XHf?z4Q)`mfZeHXX@JG1Be~O5a$bO)X&x(YnG=*~@ZHudA zmB)cbeltlSmH46YT+(Dcs}%uqeWwIrrHV!I$KEC!a?`@(=yTYSc4A%i9Y=Vfh|xgw zAru_JUm84mgSa@&NL~XH4xdt3z@_OXXkXsZWEe%X?VPs)dO#_y-QgF#ntz*+nDO4) 
zXGi42DqPzm=yK;nZh&~?klp^H=T2zOOj`t!G0MC}U^3Jb*nUcmNM)e5!2dj^cn837s1)%GWj5;62!aP#ki;Meovv84;@xinFiF328OGE6={C z=ke;Ft?aqxUUW-@4(7%w)>g*mOQ>9~Y~ilES#Y5ea|<4Ayp4FulCJ@VHO&%}56o$f z>^)C_NEX?f^+Wh~;C(#aCwY6<_+)=(_C7cd;w2OiqiUy}$3+u^%dIZRg?a9hHTtJJ z7_kyM)9!dw{XO%25p=r(a+o`vFHC+Lq;p7+!JWN%wwVS9)1RkATtE3R10$@r zC3$6+#8U-Fm-^45N`=C1*69D%NbW5dvQkFus6f*#Y# zM2MG`%~#z=5zraV3BCKa0i%T#s*0a*b4gobsMlvg0>o))Es-qP0;iX9&Ro5C^#H)t z|23QdK|)Tr5n@X{p@?Ny<+hYXzCCTAno^6ew&p(K$m=Wd)!x)pG~oG(b`F;8>E$lt z#h2olQc+_omVaG$$lZ{c%aP+II1b$Ahunu|r&A}TpL1EMV29jgC+fm?pj}aDxFyKi z5bV8e|LR8$5IzQzaEd!2v4Ks%_6Rd=v z?ORJ|G#$bAD3{T2uUa%$t-|Ap!xeqrL=NXLH=;oHz8|i_D?lkoj$}E@M&VGmBA-}O z)peq9VK6wiTqGHvDDv!03Wah82tOwINVRTyGU*3~N5*!p>^Af7bPOus#DZ~6JcprX z4SJtkn|Uk~WC_hK*c>@F8++CF@>9Vh?nBoJzTrH9vbh}Qz>`hvO0c^!8KZdqjK*3D z+DvLu2@qAa!)eCc{b@%i=Ig%~c9N zf^u%c9){I4;C#OP(WN&2jHVcm5eRK6H;7?~QiZjCskl(qh#@~FaRkMmDW8I;!akIQ z`WgnHjMm%$$m*J8+)T(mh<}c=iNG9~t{PEMNT+yWIG5@`u+LH z?V@O_q2Ni1ogzrkJ7aP#v{LB@(`TzLw(sfN!h4UN?34< z{7u5PkKBV(wUSvIlJjW~n=gYj`1JT8aj6uM3N;*qGPz!I>jksOdmhh9?qH~+7&M9iyAQFBjeT?amyuVlbku{D&c~5kw?Y z6a2p7#omq5Sne_=n~!p*L`>OnKM@k=K2QEm+Gt*qjeLkp_@dHdnCM(R-fC3ls4GjVb*5Kx% zdaLDP_p{TjVU1Jp|HVy?z>OxQTzdOMo7#VgHlMUMuq74Hfbr{k#_BI{`@BeJXL$32 zBC=OJ6Xb5QRlt~tOGZ8tg1hm9XbI=~l+pPVohE)&TiF2c1oZxm?3!tFU}o;Ko)?L3 z1XC8wLxX%jVRoF6&V%Dy!%t zd+0IvqL#p$-POi$l+5kBfx4>pW@%n-?zz0rA0Cg_&`7bJB4y>A(+!zMcBVFY#$i+k z>l2otw0Rt69+aw2TLL!|ryf%s;)+OFh8{LUZEg6Qm*sBxwe81hGvaqUs%E2!sG7fV z%!@z6mEQrbW_)a{FDxR1B$)wZ9!x%rl3|Iu#~P>aJRD}!m)er6{La9c(4rVmg}_pj z0oVK4pQbi3R3B zit!drYF_^Zki?3!?|J+4ChizbM^u~GDS#pxc{&)jp53N>F%dn`!Wm{t;7_7xV=#J$Sq!e*wAmobjsJOCb-OD32%gv=A`_xkSJxXWSi4IWPJaX5ah4~T z3OU=bC}W{HZ5UUJr-&3oFyh<`y+BybQ;>6FfM;m1NjbD`JInfWMlr#P!K}1I8Y+_! 
zKvP257ZOy+UDTH=|rVH7Vx2KuFc<^Bw9)INP&t?VOB~8-7$pJYe zO}g|0U%d;*+^d)U(@~zcjRAPL+p4pK_ZAFlHv(;L$F3?yyf*>t< z6V=Ex8oPE|0ev~YtW9WR;6oLCX!~}|JzLB=@D5~fTOb+=@*mwq%prAopl^+EG7V;9-N>u zoiAh!-aMo~#!kJypiR`8$e-~U!}j%rqR3ve+6udg8Xwi(UWEEv7VJ*8pZ zB2LR^6ht@2^*`IRe`7A2`u{uzD?yr>h`xg4MKKp0y$E!Ma7{6BGODT4nfMVvmD9kE z?ai&kJfMXE;vzrR`kPr{sw|tvaQ}OhytFVFACKKfM*yYmsh1pCp4~aB3<5EbTMTR*-F~IYuW<%H)`Um%iSD#O5 zjxi778Pu)&T<&ecBP!c0`9iy#H`TMXE0g zkpN9oF^0U_&D4O2+OfXLe^}>big-V4FMYt80N@r(QeR^tn5RhCzM+C`L&nrU5L^cACM$J+MqmfAWy(f+n*)1#+G~c z?~;p5F#tb_IwzT&AI)=Mhm^919vo}FG+cNuG z7!SYZ8=P{Iozppy3P1l*fgn>dGnzj|eI;|!bj_zP5~A|m*xI#s!Ot0Yw=Iuw*_)0p zV$SvArjo{OA1)`{kd`@j(T8t5CnD1^O7-~MLVg(aMkb*9!1QR*aOg(qXUWdbq8(7f zNEX*Pd1>kRe=O;4v{-K+0@g>_FxLQY?~AI+p4ld=&p-b4s=$d-wzeRv5-15lED@5` z>N#!C_I@f~>8jCRpi}FTk00U~`r=NFG=F9`dN!qKR{p$f4HRjnY=tB_o9cemUn?)Z zqtf_NipR$RLp{+Oi0-GBy#WhwTZGH?tQRy0_CYAxsY5}0fQ3}UY(@CDhK{D7uM8(B zk0R@+hIv)=P!&u1hLPm~l~lQ#SpHxtD;Bypll0=+?OCJ>eBp`nUCv+0S$i1jAAaaa zr0GqsuWjrP>kv8hg`4n_Eq z2C|!d@~QZ2b3A3yPwAvlwLJu&L1d}4{mB;y!^x%Q*+8eIJ=eSu|CZ)_*)&bp#C%zc zt8$R=y++D59biDjp%d`2C61dxrz(Ao88^cFIM8d9Z&o*PT*EnbEjV~fR z4b?ku&HLkzZ3#2JKs8l)T^zDEOqmpWBz@-Pl zNL3qyK21=#43wX%Q2TVeIvj4P-3YKNkKRmuO-_LJM)A9LLSX)lF_M57kiOUZ+075Q_q_PE^b-xI23t9%iv< z$x12D3yhHrKC|w68>LLuLiuv*v8>b@G)jRAw%J`3ORcd=z(7GA+XA1EGl29o~D#- zEyq`dmF6xr%&)YxV_JamXW+IyPFU1mI%$T}jVMsn#dv_dY|--gIroj@+Tc=4M*0)W zhudEaR)l0D`6JveyCv?yF^Oq0=7o%>-7ik4+pU~ zR*+yq4H^EDa)w^ZJ>?!(WJ8xmZ#&B?>gDuPZx`KTKVC*`m%R7Ap%a;Uv=lO8SokxL zU~KJU-eU5wVc47Cz8BMKG+)D)5vwy@Z%?;VV$Y%x@1Y0|e)r;6 zt#*A2w0%JngdmrTyr)~Ed%EF6bU2_QIv%NDpn6KN1HLU#DqmNMH(m89=!tB|-st8- zrZC+gdi@9vODNN$S#Q9yNFW_z)IS|TlvL$OiNh5Rp*Rv+Xu`f#mz`csPS$7**ed8Q zC;z2Ora>Wpy?{x|hRcBd5b$p(!Q(d`)yupv_1jjaPM>?*q1ugN{*JUJTbWJPvjomc z7>OQ>WkZF5uIg?k6lg6vT?tBUB7fQX$6Kr(Ph@tBe=z8KG*nd3C#}ZTBD|IPRzgJR zN_N)w$ zsU8*}J{9r9Bi0fPM3TBUP$?dB6Md=jT%f*{*wIb;%s+UU|&M;ow*cJIg_D<3~TTj2~N}nb)$OP`!w-)J3o6Mh0N_TDI0%70lUyBdke)u z9mh1xo9@ADD)NJ(4H)Tub6NV8f-AwPrvbeZ1zaVy=Teb+(l^n4`u$J(NgGR-PUw=a 
z4;VyiZm)!yhNN=>`}#l2tAW;*g-mxPBwZ0_;$P@uDQ~xq$@f1@j*D_==$LTV|K#Kh zp?{+HL*yzoHti3!;a|H;&a!u?#W=WEj0Ij{d~qa80VX0kQEy7ZAT{3`o@Jbsh% zBvDk4#AEL812K&+P7TdXb)%TB@TcUt5?fBsMnfKtk8w}^w!^hyQ?djxnL1ApEupLJ z+lFO?bKY4HBTY6+A%4hhGS)yj#Qk+7jTFy6jVMeJLv33|Zzbj(qeh)#OP@;+PM{L) z)d2pGOrhtu>!F!8RB7VQXFou73nfqgT<2pP=O_!-F#OA7|3j|TeU*eRRZKIDnWnIX z_p4(39_KN{q76@?*6V7=>}NpJ_q9RLWi3^L1o5M9;V~4!jv5UW$isq3|L}Q5URG9~ zFRg1->$%^>vOirWleI866RwTBTs=$d5ny6@sJhxs&d=f}s-uK8 z?U@4{)-FWlWMjI=$KzPlzQveHUoMN_w~sMbTkMD2@X~ys^KM>M2nn7J)7H@o91+!wx4!Dy~s=`WJlbF>h-&+k+6Z< zh-;KWByk#GBgRMr2TBe;T!Mnk#qQH7&c+X;gD%7W5I;$>Yd0`2kWj3}6S*y3A9448 zWd$THZ)09q(!c=Bm{^6~$_PLZDZSC4O`{;M#L;!Ag$cn@;giUC?V)-F;3RMvO%jsA z%GhI@b{UCb{I=#_@nn%^ns6YIMK}fr_*gRvO>r;b0P4MUqGN8fi$+b!__lMf3)IBD z8}fu*7Ji+-0SXrD;db9If>dDi(sT1FH49fj?s0`mf8HEIsj9u#eTv^32?pn+f$Di; za!_6G?T=QLC8=c3NLqW8@^e=JA~%-Ycp$MjSA^bQY_&UB*s>o{6-KKlhlID?OHG z_%6US#$ZjpaY7k?tFC)D5%o2;ZQis?g81)4pdVKOEaO)G64RCU9Ip@oQ(l@)W|@ek zP|VilgPm?3a+jF#i2PFFH-ih!e}9j6$}(JTE=xq44m|t;cma9^oX>^2ISIZy&Kr98 zknKG$W}oaS3X_&muYcTHvt++QU)juceRj}sFQEQzb=uK^l0DV$b?N_l+Nbn`Hq~Ph zFLu9`FpM}nVloi>@{gDWirRE6E*XdO_R~TsJ`^A&uUl46M+dqGKPOHoP*?>KMiU5g zn-K89QcCe7hZNyCsSRj&jc!Ll?xd!OC2>Pt0t?L=A}`#?xe<+V@2N){KoVuJ&_ixm zCqopoK3X5ST@WgqVjHL52T`&Zl>eH#ZsFh9K*a}xvGRD;KSkntQtPfN36(`#9^2nd zM~hM`TK>TKA@BZfrzCmM_@S~(aJScjJM$+8l5bRk##b9IoBv$$mB1H0Iw3+h^B}AQwb~LuIAPI zV0I*lcalnBK616_8&~0Mt#)r1?F4gY_Wc9PB7xovkbFYkkNb%k2%S)p=i!fdG2;>J z9Ck0|EQ;lIUSJEnFm@k8l#%`5_sFbdO$>S^sqJR3up}CJz zA6Fdf?lAq|#%5>BY@zfYdUnkB{<%nd_{+T?06+GBfC;bT=l>ar7pzSvfjV95dG~2)S&MCxD&^KB?bS8DaL0NaQ6Chg)5C`t#!2SzRutL~#Hl99eWKo}d zO7tvCp)oK4ZE~g^3i^gHBfCBogc-4XcvFon82c889zo5Pg+(idT@tcBtC~yk z)J)%{;uGz8F3jP~w}GP)&C4%S*UvhLCna)yTG11TzCg&fr@fg|8yi_tW+zYNR)~*g zY2;dxJA_WIS@@MUWL)jAA{*H?oVFX%+{V-h4pMyL1TpF&<(8G`!>~@(PKlX^RY)&; zMJa*6(&ldxzJ)%)6dHWVrWUj-h`pj*=GECi_ReJl-;wbEj>qFS{LA2~RR%yQaxxV~ zdTICeRjQbE*N150#91=(X!b}>gG1kq%Igl*LsZNOm~rZB=%9;% z_PQJt2LJNLXzV_0Py_?!WOZQ`ShT}9-TzH>Gd>ds*H#C_(qvQ*lJzb4c35BU3mss# 
zd;)(Z#NFS2sXAP!Q|+!V*W3GOPbn{|8*JVaChvC8EV5H+n_X#J0qij-k<-@EnR}4} zD>kpQydOh^T3XaQX&VY^hJt=w{4%n4J=pJ=zgH{l`1)V>A#}@;(C+MH>vpj{F+#=w z+Z_K#j{f(;WoctF0 z9GVm$zJf?((hmv#7_Tl-nIh3_rUrK~;ms+940tU^K89 zMf?pMT;c*S;gm(R!Z53$AA9cEM$!v`oTGwaCef4>9!ugblqMl{2rUg0jF_w-nJ3Bk zXVIY5wPBk=dbv+|C|agbM&LU7C0t4`gL+zR%!)b@1KOZTpw%aes7 zEkJhi|KsYdqoNGEFHlktgqa~lhnS(IBt$}nn4uBr9J&?hkPgA2q+41_LAo2HyA_a< z?v#?auiy9k?p^EtH*3wBHN)b(&$G`yd+(E2)h^l?Qj8W7-(r8t%J52V@LM?;a;WV2 zz^t#6VS$F(Tc~7%?Y-wc#o29UCo%Ft`70;KPsN$jEI6W}pq@m%T%KB9LN}s?6kDeC z-zg8Qj$jN(Hp}=bi;fr_Q%d#UD$6w)(x%Fs)rHAL$>ONk&<+g$EmFovxz|Co%a4ut zC+n9%kHc)J9E)!Xk`q3rh%z}CvK0U39T1{pRMJ)!!nwd68yewG1r(yn(eOIG{g59b zA#XfL@bnskbX9s38g=LO=m7?WCZ)*vWis!gB%rKg%rk`#XdVSFON^hHuU%7Ci}~&> zco77?dQEeg%9V&+T5aDpuh%$~{QohaK<0XMg%j|sb2)^Re?9&@g1a95KT7NI`l!{; z>)o`{TB47Odw`VHyAAd_Us1f7wXZ+G*75##sr1j&E&&z*fe8^}N_SBS$r_TrIkg7) zg)qQ@ON_H8-37pxN=#v9x6wNV$OI1TYZx3P4UFx2sor&%hrjGDW$u$3?8>)2JDt#t z;7IwjWwZOEBmFeUWgQgCMEz_65c7cj*kHJ2V3nLFyl=4i@McxW&L<>c06BlPHIviB zeB;v8q0FTVbQIkUF#V^1OyO+8Sq>cuOqS{U`&s9*fBkAUm(-|Z)xOpXI}5ZoNyogn zImNO2Ozp_ptn=pJU4p>aQb%sA_|fn5HcYQPu`z2S*frd;mp}CqNqP`*tCg|^qUgJ9AfwY0BVMbURIgg>ZFk(!KJ?n zB$^9I&uX_&WDYmXX&05|p`rqrYWHMvi{FeA}+4={|jCR1ku@acMU=j zeMpn)KXsf(9oqwr;$j_tCTRUOEBEu`Zf)FMroP18(jZY0p!*6;zFfQs_t?U8>C@|Y zpS>}&>s!w;)K|E&eX?CG+~}aLcE!SC7-AHDh{1xq4b58+DWrS=Q8i1ChOPfAgRZK{ zxIjQ8@#;Ah%G=zDKV1dBUtlGA3y$IP2bDkg5m}X%ZZlZ*6byN^qdS`V7jDptbUm#* zPPT_kCanPK!kq$907V4i#I6RaD*`*nf}B**h1KrpBjq0Y3OTD))+8)=82T-ndZV$i-5PnS47%9gFqbe7z~6^BN{4*7b^`wZ<^#a5cHSePvBC#wzpw*7-a? 
z0z|hys_Ht*VhmI!g=0-}VbI69V|I|DM7 z_;5c6!aRNrk6G_KIOdQGvBz?YgpktfnO#toS(>yaW|Zgjblse?@zU${5uM* z??FdqWG5K4bR%L(l$KFsri2!EaMv0iA$=ej_0E7M#E)(Mn5)yTSB;w!5u|*@ef9?S zTYBD74uuWSd1^sEiqoCo!JD zwsKcS0nEvKuwg^pqyNg}Q!lg*Vh%CPkpLct&^qY0Fg_J3l1z3GXtl#lawiU#)oghy^Aa8D z09YP&Q-xslmb-9Bxd%7BgGq|HKUCxj2(E}|L3>78bgapVg};UeAhXDM5qR;|?o^jH zKJpjQll+InXxR5q^Bk4mXJCZJE;a@@N(hB=E1ZU2+>2lX)(^%Qul5c4DNmZ*r!n$v zF52XYQF_>r9FZy)Qo2Iz)jAq8Cd4}yaEt!mzO75{<5cA0uI#R8*Kc~x1{?y0V&<&(bzTX^Sk!<1QxGtv7nD8 za@(?bKLcB#ZoOZ(hym7Fpp3+~F57>;Pg`k65&(LxyS^cNYMg6>Z$N5sJ89!Lpl?Y$ zYPJ513&mk^aRdRA|8PQcVk8V_CJ+WU)pN1zm)?-u&y`i@H(>q4l27mBm=@b}4pG}VBj)w}nY ztC%SXASkUYg#D2!DJzx$V&ap0+;4HKQli3b{Hx>UR4NC(dgFIif?F2$a%H}1c>yzr5P!IwrSmBiZr)4PR1H30$`+1KMtb*>ULvQJ zzuu{QB@woX$)n0a)o|Mcfnemr-83;Umnk?OR3AL!!3K^gDq|q?)hp!eDHb}L7~fG) zFhl%ZExL$qd>%FsQ?A8Z8Nv`3dcQ|P^*$iuuFOo-#!~x@b#MxN<_Ue|kuva`Py%Iv zN7>kT-teFDOQZhSX@i=$_deG_3r^cu&G+XQ_U7pq4#7*&5F9#1FE1|MS?_n>&?zij zFjmjeIjznLDTfg1A;0>1G|i0N?;jSp>>R9fFYSK()o9cTVcS}SEDdwCNg=8be3fYOq{*2Opx?>psOXyE09|8#xtgLcJL!RM+sA6P&gRi#B|xxAj=&#E;4=>3(1_fi&4Kq6eF` zUSknUD)dNcRT}01eMc%B1&sG8>3@4$-odaiIy}7CaWf*4OX-4mz(z!H2y>2Mj?Y)- zhSzyy!66q&6s*D(&+OX+|B%x|m@)Bvq8P3~I&?YA5(OZndD!TK3qP%KyHd_gv5rnpkT+U7s%vpJjf*#HfojexPFqj{MG7r z8x$Yo_I+<5dpHP&2%>H5IfX9zb5s30!xtB&CJ_o$~31ozt{73|)7*cEh4l zFzEN7`Y^HUBIJHM=7r@o&R-K&7oqO=zH7YX?j2G4?X3=A5MWRGE%dvZzl8mk=S+R= z(*okLu1o(xTSfJbl*x+zX1A;A+m$CaamZ@w$Md$&J!AHt0hPo96jbf&>jA&+8a(xa zJ;ce~X)42s?0>7zXdc#{T~urM-x|{p4`P%UU+>g zI~vb%V{LY{?K(Oz?Wa@Yq1fdvS`-N_dZ}oylI%kL<|{`O9mnP3o0J9YO>rhp{a>NB z0bte0&m8e%mE{@x87oAz^SXr0$GxtMb1<^?Ck)<%n(IJ&=ZU`Ttr|6Ep8sAX0Z3Rp z8|byhCDEiQR61$}3Jp9|(_>%o*{RK^11((WAW(Qe{^$oR<|o>xb=(Xd*2bD`SU`KW zz4cx`N>OWEpDRySi}VOatZdmK`j_J!YuvJm5X5*`$XUq-^@;D%#!bJQ%Ga$Yzdzovw(wY48zYM(FPMtk9yu-amNkyjOw zw@~?Zrl$*$+8QhU^nYK-F2XM1o$7bRTN++b$n-a?@SI%GGw1?_{Q== zN?&t`r+8$DDXLflBU8&46ZBVkR zhiZzSBcC{Dm>2Qyf0q=;9MpeKWd6*y)@t=nk#CK4ELCyPk*%Us@DEm-2d;UA8DUvv8v0tqgF34xK9?hL8FBAiG zf9_9yJE0;JjfvsTb4>1;RaUH)%4w;*zIyAOHZ$b;7D~w(Vvc&Gwyz$15Yvszw|bc> 
z)T8U4Ye1DQZ+{P_vDTP3e^f~c-b9sZk`x(wj)Z-St9fJHxh<3j9$3= zZlR$A>+Rhg6_>>Q8(eIk4H5RL^$om!u+uP)@FyEwUv&;&oc0HgEDIf6h6Rskb_`&m zP&#tv)%3?0LV7p?TF9b?z~vw{R#vh+o%ni>52^|wf;K3l6Sk9E`a)h=jm4Cih$lrVVuGlPi1 z{erDrJ}(MFS;_Zq?vvP3LLEox6zgEx?#H4Bn#-AQLR#eDmZL@C9!kO z+fX5Xj)lp&f?Ki8>KtO)zAz^$Y}-oWb-6%a;-m1C!ga{otH4w!%jrPzpj%{3Xia3j zGnJ;SjH7pSD96H~yv!2Y=^O0S;5>sc{L5;c6**rn<+5~3q$gTXuD~A>LQPX*h!2Em zU)>beB<_Yhdi2EoVCalCejf{u*nK?7d5B^i*-Ni>gUKT2>`de`N8w4td|Cog*1g-f z-%2$a&*%`+NbnbQiKP`p$Aw2s>Gk)i2jL|WI3W+Y{P}~{k%qfJ0?WXY6T0X~Hfr3_ z(k`QFTbjZZeg8KDS=hbM*d>*s>fRQm5AWkGb>y~CAHsRdBR)fA90>oc0lp{m^wllx zGB=+;DV0+uG0!$SioSoByeqr9zT7^6Xl}s2em8mSHB=w+^(3b0+kWTAL&B`asim0Z z>gAYc*JgMhm&cxM!E*f0b9cuE_7#|y_v%~RMX%%8a?bX6XtD%#? zwQQ;Pnw@XdXo0J#SsV3E%P4l{ZJvZ^#*w#ZAT5hDP3AFYX0R$F8q$h=wJ0+ z>+|~lwUd{Z4-E}{{z!T~>OWYM?{;csz^(pXDp1s~m#JpvUXUHZIP-fRrhcYNDoIxU zLm$63P9=xP|>o)NK{?~2%8~jflJDWR2Q}2>kmr!`}qyA z1WK+ZtK3Nf>j=~9Z4KTY===31@54J*zGY4wmYCBuPE*3acs{~%HpX4$ozPr6sPjt1 zw}}j>L0t63hLL`CQgy_{w*CnFd#%eld+!+Q#iJc{_5Sx(4BJ~f1j%5z!TUbK6%11A z(P8eSZRH9DJgjf4?C#E5X`RLX7)Ozaw~D#0JpJ8ss--!(S?eQVK;ln+8-pF2T?D1F z`*iW=XsDi9w{|oWZDiypwEZ`)(dc32f_7zbX2G$QC(&PK+UxIrLbl@N{b$YeNt5{3}|qaK70rSl0PFpu6`zismG{pY)lIv72NXGiiLcV5qCW^kjknH1+xie7D) zELPn)97MeBntvid%Vvv)n|-BR0W3T{Eu5oo(@kDkjuI|Cuz9mn=4+s-c|EJ2;{Q0H zF72CF{$~#LkcwdZ7=6Jf1KIuPM2=R+Z=h<)}U=9&QA<|%Rk!Z+p>GsdEx0Pb5u z1zGmKL0>&QH@&XtX{b4$tr_CH8iq(4O;V&4&SzmffxmvJHI<*QDJ}a0)jf%Fj0!e< zOpDtbDRX1U<<>nVBRhdTR{eYFBK2o-YO+xE4^>RMK=-tCxY$)Qf`zJk_UF6mAD!LL zJG-ZPSSEYAr&ru;eUx6<%R~{2wdS8R(cCm7wm{gBDf&uu**^iZOqza?*G-eH`mizd^(96Finpp z5;b#%zkeQeitaX+x5uaF!=Z{nxXQT18lC8x@L4u5`n8fS__`onrZ3(8Jg3rJr5CC- z^XOGn7X*2k<_%eFj2tFo1to@wL$S-ADKDm7Pz3rP#g5J}+78;M)GN`=*jesyi($+g zDfLVoHLcATW(H2ZA1-T~c+S;{2MWTEk)K@%iXc*-ooqV4JG|2Pya-^u+l1fFg8AkN z{eNPP<^+Aw3P-dTRqwP6^9Jc@THmh7c2a}YJa}RCIwesNi#12s+40W_hiv9cR8aNKyAqyiT>tWvmuMHQkGkT{XH)CpeusGfzOx8UYTn|`6o(u$ZLLEN*qJhGT2~XEv z=o*o7h5TwhnGfzn2XxB<=fxfDfD8{q5ih5jXhsCt9`Lxt@hco87DBcJilZb{gEQ%Y zF}ZFykgF7!a2kf4lfms=nxKcWKOtOdqag}m3p>na3kFfYWQvopM)% 
zu0{ORnn+XJg#*!o?v`TT?yD;&Y;0;3o}{>`_5xPApuQNJUsMP;s zU$5c?gEP9EZ}BYN*~}0dDbt=WlfT!V#eTloux`)ia}rlT7FF0@3)SUuVD#L(h|1l} zv3>q`#|ds&c%v%h328#+BN)-uTei(`<1YF`%b; zw4{PJ`XSoZByt$}A<=rq^Z~Q$fOVd_eEO3uB0s`jDh*8n>YUrKJC(cBf*u1xvGD7R z?d|c>7Wp%}c=Olk)^>5mHm`c4xw24wRHX7)q`EWhy;n|b0#;pQ&dP+u5JV7}^Qt%= zShayx54`p=RWB*wWvAcUuB1it4qyEwPEqYmn#g@7?u}I33a3a3R;jye+cSC`MmV)O z=~!W(<{@mGZV7O)MgJB@kvWHeYzU#pINYkd0mxv(mOx=VK!DH+w?CyPV}rP@f)cP0 zcsOVx1WMCY9Q6Uf`1!%DIX#pT>quSl+V|a&ll{= zO0_om__>}df*~{66npOM3zgfK=+zLPS?sfvF?tcxOdCP}_p=2iRyEM2tjI0FVTsUz zsxVqqL16M)p+Q8 zU&kw*lCT8}>{KU^I(hnP{6<%mCZ%J5jUpUq!BsYNti z6xo#e)h?y`lzLxG9KXa&d%Kz6)G*Tfx_X~P#_6}*uEg!hiZ3{=-n_&t&L5tLzG?Ma z`4+ulbnC`4Xw_Zt87rHne%j|ywC3q^9s!xa;lfw;EH5DJU!yQMm)Bd@CL{dxc($U) zsxJ*(-sv!lsicg!&%eur zCd^%A5BwS>{Ntu~j>XaxB(*hf8?Fj~*E=S}hB=Wx@*nOH{79dqmfK98f~4g0`v*fn z$42M~0tdPO-UG{XA)Udg9<>}|7`-~_Q$gfhHo{Uz4WrNyBYahTx~$M3+~@Fx3Z*3# zHSll{L$LvSwDNa`MWk-yn_C=pKx;T zpPsrmkT4C?6d=6%@v|{$b_-MlT+) z1i@pjN7x50+9xT=4#|U9ZbVJwuvZFZ!IViG#bayyE`wHw6H=^PouaBNWBSQ9<%aN| z)*hY^l402hI$sIc*KpY){}07!6-&B#2n18&rlOfYcjnDaH0}m21zgU?Z&Z=#cvNCq zF}~jY?_w*Zm3897@}NgqjJR5-t+Oe~j#OnStUnrT68~sY{Pg6{muij*>mgJMNfGfp zO2BnFjKBmkc|bOEj0Jt{EU&Q#xU75xJqqE|*DoD*w*(#S)w^BnypZ({LZDmNIMYaYVe==g*;7ER3*W%+~}AM?w!PNLV0*WsMDMY4_y8_}}lUf6n(>6zBe znVU7$XEoM9lCsU63xHch4h-QKfGym2fNWIa`y;;=qpv!*3fZmt6ZN$4NVkqK;N7a} zBa9pmZx>D%nWO?~?ND*d0|KwBx%{UH^F6}HG(GAA?1%eP}S zp`WLL^#)m2&`;;@xOp|oXbikZm_?%K@7X4wBkRJ!evD1Bhe0nA3vIIzuYbPzSgLCY zt?M`0USB?dzWZanJEHlFx?~H4mmqx5eRLNh&dL9;+ zdouAGX*yvrY$Ibgf^xN)Z*vd1UFKAK7~#(&GU{x9--Ks#AK@heoRi`TkcRuOl0J14 zOyg)4mbO82rhO6JQAkm@-R_mLjp%>f9LWl!5b9&ff3Nq5%p89tu)8?noLJjtKFKwD zNkvh6+{=_%EbS8MGlY){VvETO19h?aa*aJfmnvZL={^Lx+Y_kZGx z2hu`#F}sBscIgZkNWs361?D#kr7snmb+i{xWy%{G_)cwyBZO@tOH`ByLWQ$PAd4L- z+gox?y>u^%vnyh4+=NFWa63buY(0QLoO|hD@YvPkUKS!%!IX+kAYHOEjpM6Rz&-7f zB9{Slf;|hYnTLQBUTyFmbM$&jeFdojVxVup- z=*_jpEttspQh}so8V`fDyK6%=mDK0Z8)kL_!#}73|8|nO0StO>aA!7t+AzxM7(&vn zN95Zxpw2Zg4cTV|(AxG!lf+^M_Z;UYi3;sgkQsRX{9fI^(w02_QTk$+8mWyuj-k8Y 
zgDUAs{`aS3>SM2nPst$k{R~8qCFIr<#OjiiX=sQG4q<<>kXX|MZBsQN{W$pN7s4SJ z4Jizc3QcR~&AiWS>L91{I;IX<#Depd@Ohiez(k|%GTf9DCZr+g!@^Wgx3I;*@TwK- zr^GCnN$}DJKq*Z8sv%4Z9+;|)*5qQM{Pyms61XP{Ts zTgN-BLdy%5&L2V&CuE;7kH@_+tBEFp&}<`7-pQ|NJ9#GWD0|LzEd|XJZhnGrGUgCl z0OxfLtuHOiS-N+Z6Ca583^5}9jp0&xAg(z2djSjgWtT;F)cVTV3qE+R;!?@5q}Krn zQ9Y~mITG1=Aa<2Czxo~f#4OSNo6=BXfoAw~i4UG!jfy4jZJ#%)yt}@5)|^|I+Ys8r zqv#wYeH54ca=-Qj861yM&RU7pcbP9znY$qanfyCW1rVPTzH~VM2Xk;j&HLvhTl zcWT@^p|fE+QzTQ|eO}50|83`<_%a0`qoW*gpt1kpg08nI>2iTtqvxY6T0w~q4T`$; ziEo#im9ip8fnI1aun%e3S&Q|a>T3aU3;tELgjo6#z$i>oC#<#^99>`4q!U5YRTNw){p?ck6liS8ULU+1 zEXW8R_aHjK6hk3Y9g$t98XS$OqfZ?b>-T-4v(5VP2_3$WIZM!)_T!6GJMhl8zx?y2 z&v{%xE9L!mJ$MCY7EDtMP#UA3f{eoNrBKne4Ay3uifB#6*k>P+U&BZkk%x?v6SzT; z7?6Gq+c2`l{{hSzH3-`Ux;d`Am#~!k2Li#JS}?er86TW%6;{O{CC+6I>3XD_|G=+- zg^|S25O*;9{>1MHE(lGIl4S_t5sbW3bVZ(rH{cT4t;HT~Kwd!k?QfasK|sHmpGIa> zVQ6Sk=*QBqkYW+nhU2AId7ltNnT>4o^Q=>38sxO&wm~gumOKGhJPeq=!g095^`$H; z7j=FoHY)z(WrVrV66gz9l~f;`otaohYl?vSr=#eO84!Tk(Jq6Cp49i0+v&W$`0P+s zbNy+GSknM?OV-CIOc9t5LkN8$GaJpb$(-mJqm;AsJ;o5O`uoYlT@(>S5_JpoulqqY zS8YW~6(&A4T&>MN6z)`{T|Hc6e%@9t+9I0Vrf%<=uZIRbGNZ6htxr8$S%1{s`{wxQ zG;+^BA#urTwe{DyeM-u~xNpnA(2Z8|U!Ldmhc%Rh?bv^^8hE3i-P>I3f7vqaCScwus7-FgpLWp3S#HrjC0KkRQ& zR27{>8>C}V4p+WicFKkYU6%<;i^)ehQ4e zSZa6PeQho)R5(}{&ZIATpo#W4nif&mw9Nv`#%F*W;;-WK-u)&!s7gpT`Fbjg$^fPe zcQ)QyXR;&zcMr&}k4_=XYHN!0U_Pt0SUUI_$p7|n^w=3l7nqz9d*Xi~b^M^(AAYR` zG@2H=U4srpav91W*x;0b*#}Z&aa1O$V_*#W42vCv?b&i>Y+0Z95da2e(8m(O8`qa8 z3wc(h@K~%xgpY`L=O|RSlDhj(c@T~Wm?tY)*%Un;LYAUq@q+)dqpxzwBPzIcF>>`q zt&rKz-pK$-npaU=zE&h*p4iqJM%qAdmCHx^#4!lHlhhrIV>HQGswFu1?G~$kimidi zX6*y#$7Cx~`}omZfH5TomV>U#AxmPs0M)MvHSh@qm2eIBLUUq8`unr*z;7jJ(vztc zp2GclUmpFVOag<6#Ju~8yTWDo=#N>bVnD`H2qF);ZHNs z>|QkV3IfRHPCQdmW_@9cm!AyI)@rAgA%D8MW<7%+6ikUdz`wI$<0*O>QhKqB>F6rW z7q(G*tI7$fcN9z>-x9E#6}j)-J1tL{G*Iz=j8=ViIJnoLIB9d(Tj(jX+BF7?+^HZw zU&-yexlFtq?E9J|OQYwLRoKU`JQ$l@dG@^$*hu!fPOD1ifr4SI?0Qp;M6+g;5fkXr zlrITaWpx7shWv5z6URe9XpWQKZP1Pb`~x{HwN>a?#XL{{Gn;X@v|l+Tpoq^uJQmOV 
zoD3{9w`&esTRE&>Q3u>GTu-<@wOb@e9yRX9bjoNi$Z$iXWYa$!4%3T(#4dL~CCI1n z1=}?l6iFA@R#c<19Yo`~KY2XeVWFhb-kLYtL3@9H2m19?c2ocFdJ)KG+pq)C=Isz) zcTTElNH)7kX9!RaJoK6Te9wwB{>v_`sE2pntWdTkf7>I1&U&sGC-nbE2~%rv-TSV~ znecyLhgDZtPKL|-TjFzSZ5xTl+cnob|K@87SM`SL%VJ85p2+~`tC3h~T$xx1&=X3s zA%ysAIm!0ee_W7750@xY%J5?>x+isA>o4XTes{97RWR;!Oj2D^S!$?ZOdIaI>;!5a zOj9SdnM}p-GBhXH?!?;Kee6IR5B=U&KVHsn$bk!iUdP4pV?HXEyC{{{n6**?Ww}D7 z*m%7`9sXKFL9Ze2rAWBrjPXXSr%2d9eWk9VAdWO09weJgJD>lED=T9^7u!)7ZW!GO z<-?%F4A{STF)ntzXGbA|OBUF=yAruFG}O+`kE7ko3ydHVC?>X^C(b&re&EHwzEq03s#}O1)PQ78_g7?Bh%pC`XT7?CLU~SmW6FG{#$nvm829bx%RJ zUNrZH>V#1-ue^6|musXKDCg;$GL!*5);KWebMU%rPFbX#omb5!aFzCqrlX)hsi=S* zKO{e;s4HSLl@dL8oP#6%YYXd_2e1#FFWe4@<)pN{q}8eUG+Sf1qrNvAj=w1!PoKY_ z8W+x!a<#rS&re)wBprxs1{GkqkM8NmT!f7G`5f*&KZpUacu~)WH`9MlVg2r?SL|B* zk9j6)ka=bEycj)W1lE6{iXeg)Q-VIq+p%FpqUFTH#jD)0tCuy}evshDY=o09U zfHaY+{pp)_1(C_ozl4=kDr{i{(B_&vno$K|M7lq_re%b z-U50yW9hJpwD8wo@QZ~2I0LM0LgKkK+z0Zj>4cSmS03eeDu``nPZQJkhB-y12)xhT zvN~XFXX|zVvD@r8SM(PUFrI~0INc@>A`rl6i2~kYum)*<7#!I9`6+2RZQ4>lzW zx?AWPP4%Zsz6WEF#F1$O3xB-9dRLo(y=3UhDdYh_ z$pwMB#%0#8H`+C!PIcF9?I>;f=uhFue*9U|FTPx%q;wXI=SSb4dX% zkx+`tmcF_7%z^IZ=-DbR9O$PHx{r5kC8)0ct5^b@isGnvuSGiRG+`Eky8*W-szPHnWtBsue!-HngtvWVDih(WbB{iN@8yC`mF{HxOAd zk9OFc&4lyd=n89EF-k3dqCPLQYu?5K-aV+{Jz_|euc4WZMK|fk}lohUq$usehppD)?Nk^aP#Uo!}s=f+&tlZoDd$v~# zb7m_5wuWB+DIkx2)x4|j0<%6jKR>m|lXti}>%efFtisGTOwL$o*ONEH&Ln?a!QXcOz7O4RDJLW~p%EMYnc7F? 
zPsTjk5Wn|p=v631Q?p3lG|5N(EPp$@sEg=&gD`iAKQn~af|H}sVsE&g0;3d#ef!M7 z?FRE`urjOP6O6yPP@m4F=_94vm0~(n4txQra*3I;6ukz=6mvx&`L= zslxa|%V$8i9wPUM8~`Z8R+I8avS2wwNTk;AvH&bV6;%j_E-<&@2?p zkKU7WGkCixXXj$#x3*7p>xi|Oyhyvm)eLi8wn9$S4}ksnCoeyhT7LG#IC>-6VP{I+ zMq64?!h|s?Pgu(JeCjel^0SD5o!`ye;@+--j5z=0_m_*mPm=p%vOVqEhN5`(S3kSx z(Pw+})59{bn$^6$WY0Ke^b2Tm-Vc0JS@Tz65r!)NYyQr5`WNc1W zTCdhqNv|y*3&?lNi0<$IJnHRZs=wv)4jv&qzyNV1TdgJ1I&zVl*YboW%97 zxjZuRd9$a9xSN`WaO1I(tz8XV3`Il@!kpS-mqs%Kk@LXRzJlcIhKdqsV_^Ul5P~-Y zC*#rw7{Fzu&nX+~gBBnV9!}Oa3L~`YD#gU%;+T-c``!%eqw2OLYD~Jpb&S^IBLmP#UFoUPZ zGx2S(n5pCurO=(Xi7$4)%(_G;Fpgv&O_)Z2p*W=I2!vmu(H#@$F1EC_QD+e=RL|p7 zW4*2~^oABpMb;bb3g^dgrjS{En#?=|V7V;-fl6Mu=;*%>9-a;Ad~gteMVz+@glVW) zM;_07I9;8M<1q)?Hi&Wvykoe2@l9kE6nt4wPCAT+PPOrie%0 zMmOebBqR(BbEiMzOh(Gl9h;aJ;)OaQ06W=9J=B+pD5g{NpipopPL(rxy*~H(q1i1! zf&W0g^3i=Q7{@g>6|6 z$n@!%daC%xAWfq%28HW+S_1m26di5HWtm%%x-!<{n@79hse^YCQ3Xs07uqFY6c+c5 zt1a7-!+6xk9uk23n9&*0I}ztt@Yh_^4OxG*KR1H@*8UK!mgHgD+l!Pn`$Iq2G=1@v zzYLC@SyV@4cHel&OTWoGgYbbTQHG{H+2U-sWc;ezjqm)?6t$tvZNZ2I!9B#<9>4XF zSLXB3R+E+5rUxyz$P&?8l9G{c4>Oy)3O+ zyp^-I-*H~|K8wy$y)ZDnp}M^MRr0&QJmCvgQ&WAN!cL1)e}DBm=H^CuomZWh;Xix? 
z-?N>sV$sb*_O=hNclRpUwU77Z;h##g}UNQm5lXe3qWPNLD{yN&BxC1BXvpT9gmrUjnaxUJaZ@%WX0V!+!82_XAD>f{_rY# z9&a^7xUgxWL&D@~#VLc<{RQ!ggH|k)_{LlAy zU-uL905dMvIs5GQ-mkTmFz``|qIL&Qsq}>?)CqmpKsM5?F=>sS6M!UHTfJd?m^MhV zZc0g$`5eXyv@jaU>;I;pJO!f-=M<-SZhN<_erf3yBSXA-1ONb(GNcmA-)&8x5EG-4 zHj%ty!}?{9^C=ae+3@22uStoPO~CdgIPI0`$L7r~+7>PcnT!AuVYY`W-fBKa6E~hx z(&lr#I>V&!67qF|HFip$rCIM9thdtpWJLSyjrPpp%uikrD*fX*1E&49<81EBi5)kO zr;1K)!C~rb=^aNcK3dyaUmcJb@vOz(-t9DPbQOF zPLPHClxp95-)3VFVn58h8D&D$z96|LY{zr&H@5ak%enmW5Uy^)E`7+{Bv$@;6cWyo z5Or|&)4Sl;yC(emY+ZUjAcMFqV3~H$aiwpyYW2)e#;m}~?sba;F|QYQJG@B`Kom@g znWaNeNH7%TzUi)Kbh0=PcZG-zuHR!2Yw9`hC`W8FqJG_eQpJHbne(VM@D1ebVZ!p) zB|0%rG7gh&RhD|SSs^MQhwrW~*a#HkvOZO-k6acBwHU4w@k z4Erd}4FTPagOq=jpu9&ua=;CyiWC(pPf9t#) znG`Ks`zK&VdhA>-?hWbUYtK!EzrI*RKMtuH7Hjb%GIHao_jKNN{nSS)B=qOyMXoWi zaFDZZ5PQ#=;3<-;#ja&8KZyvbbENg;u{%A5c(GLV6L#94!qvk+EZcypczK3UCmEh` zb1ZYC#QxU3=)h?7q(4vi%egN)iNOMhh||wXCDoUpyu8|v5+BW5Z@~-=dieqK=iV(5 zz$WC^W0I(WB#ROL27FFK%YanIpt6Lf0e$Hti(t4#9cs+ZZLiivj?o{bw&VJ+0UKaB z?fS+54^;>v4nV#446=O2oId|FgkEmy$6G3GhXiC%>(8$3U8wBybg%}CjC`~BM$u;28=bP6E_ApEnXR&yl}eAu%(dn`gQ1PtxXp` z5b)dtBVfVo7b%2Cz*DoJd3uVB6_Z)B!XZ$naogkCoj{232GJ(<)EnnpNH9V~b=K-S zSK3a1a%00^93FNI4Nfe0`9=`0OBA|jh?=RaliA~Q!~Jz%*A}3$qeluH2NNc)ShH0@ z|0DSufZo*GTMMRsqXCfUsb=fc=F6oHJ!RAq|u+T*}P9=)*EWWf{{A0O?I_ z0%^BUo{}=M5K5u(+35K}8rx#Q+cBQy=j@W1rik99K5h7V24) zo}KRarl@uJt$~7fB({n*PlN3pb-BH)rM4A1hG1&*=|ui4nOW}zB2F{u&Oy|z1JTF_{f z)Bg8)6Fc}-ITz9o6hH&c9r4}l+(q86p6=GI-GiaO%B~X$Q6A6lmT#KIb064edMzyK zPI8i0g_s~)o$h`+jEM{~EcObJCy8qr(6;-tVZ$6**fY!NJ`dxIx?i6K7LZE2u!Qixbqz<4x9Ym@d~(dK5894?yJFmN zfB!|(*c_F2pIB+!VtJm{Ld7)}?0I`v{rmpEp}SnNiRgvj*ZtY6i4m0VRwUTeKQvAx zk`kCkbwF}o&%4L@~zpeKfWJ$m3ce**Z%CNMH*Td6&5mcbc?w; zid@U`w0MUYA8@T+A=)S0OoB%rR)b_m(I9Xkj&6*;EsvPbFX%w&7u_zX923plSeD7NbfIKge@(;tE;q?ZRE_q zolwaS(C4k>D4+bz2#38T$2Fz33B-DR+C=Z^HOqRpUWAc5`rP|c{;E-2&YH&-Yg^JI#yZnm(upqb-ftM({-$mD2ao%F&# zaQ3_5p}gwm7oKLyC&9N@v;6Z;t{);vj#aJY+ElJxfc4Ol6 zCGAOm|5DfGl8D7P4^n94Clnk-%6YM6;?v 
z2QVOjA8k!tS*9OUu6#zQBVeZcwr`tSPH@LG*@E=Xv(Z{66X7@>0w773*)yY~XCCfaa2MpKR6YJ=8Jy%w7#Qz=yAaqEI#Q_!NKlf5yaUyMkh)8 zVG<{ewEUNtC(n@PnsQdjKpbD{^~W8mh&KWz@gpL$>afRqA`1VzuROK_#-{4V8s(#G(>UfaIGVxwNm@Ja`Ngq)u0_NC zak*)HBhON0J&0wNe9nG=d+P+Kqst}L^Oc__5Y>6$kzsrC5VWOZ$s|}Vu|vlKHB50= zCU$f;j{lLvkMv&T$y>X^2mDoXi|6N52HkkY~-*<3`i>UiT>0*lY$XNS5ff& zYi2VdhB^+203jEs_Vq{U*Bj(lqYd7g^>iB^Yf5P@aj^;g??QiGBF^rqKoj`i$_r;v z{>guvQfGJ1i2bWLOC&xW3K^_wR995C9_b)@`wdT44-apyLKvIXM|ZI8+mhj+>G1nS z&f}XfQg8a#yM_Ik#3Ny91lz5i99I%g;3J15UbdYgSl@l|vN>Znn{mZSmS-SP4 zZ6Cc##EwwsnXuYuKFWIx?KrI_2$07*TP@-k2-VC9LD^5!`5YnXd5GH*C3G>uvW+bG%u@;!*dprPvYC79Ufc*C4EW zXSI^v4@JepB1PwtUcK}W$S0>Kmv?_|{2qGr7&$EK1(2Ld89B@Is2#w8l zl^A-c=9$?uTwI7SqdhYwwaKs{G^|G_+NK;)z$k`KyY%m$!<3fmkJD3&Q+UB9wDnlw zhNa``LLGu@JN{7JDzEi6#A`M9MjWBYDF1O3G5I`mf^HS$-s077u3N~_kjTJz>Ha_g zW&7DlqA$Pt8WCOiFAEGFLi{~C<1W6-euxfdTMXVavwtyr3lR?xWwx}nyxO1Z0Lh_h z(6^3Oho}*XStedgQvJSLWywb0;rjK%L+qBhg&7`@Zft&@3$07%s08Xd4}hZf0-j1y zHi+H&^R&u<;E;=d>?Rm zG`n?S5zKEl8XP-MsK?`r{r=$mq5y-M@1IceL%XpxJE1$F*FhK|FmUF4jufxv~_VT zCDfkE_?&%cMZ9Y?KeFX0(uVZFU5Zr&FD50{W}!(&=*3JA{B>Stnv+Wer+0Z-&Z5!7 zb)dJlw)6Ar)=#xv9b9~k@?75qxqcH2G%tSo*V*%NLnSE@Rx8ig=+6Bl{@yVS_rU5S z(?=^uE2{&m&7%3J==6?DkFZrN)pXJ!Wh@GsPvno4DhH`54gzRZK20iFlSal21Lsg{ zQegErGwvfHz0^@4SkT6{^|B^ec={u^Ko`vFTu*4avJ20(PI8F8IQXVbq3Dp(|uq!{{L5V)FJqK^3Jl&xjJ0d@_MkoL9M%;s6 z2un8jLPC`XVfA>LxmKUW&tb1C6)eVCUKn7C9yuySJK;fjwDv|sz~eO1$*?*KLYkmv z=AE7vo*+r?3E9ROzyc%oNU8J!?1878MZcWo~@e~&zUT@~sD)JHUSm@*84%cvs#uXcB5-zZsr>RjW-jynj_wUhqY1FRyIf>>j`4(BdX z)LAw&R+n1%M+t5J*1s)S)qR@J$-#`Kk@XnYBII|wG zFsw>KUN**=HB(vf)ke<6(&tWHDAqH%cEW!VuKbPoaqkT`fr|C{buU%=o{sP8MG{n& zNO8?M7`YB*n5<^~U5z0ZR~l$LJ#n-?zy6ufE}yykJn0^NCsD3L#w34NI}muzVgXmk zq%YOGIq5*F^5UJk?gq9gpcQDZj%@rQU+*;rL0yZG2;RPTG~z99s&IMueSrzLlamYZ zH)WVW^#a>SbvbdZ#7Mm#EQ0Kb3nbmbk@tjMQH4uZ%QT9EY!0Y&$0*Oy&7>RphodwK z3Ubc9MstU9 zsK`RgB0T0UlN$-*T@F@=OT6~xT>2gVpSS89{+cq^oCwblK0wT$!!lLzUI-}stZ{$o zfzY`;1HNiDxN~Jky-IBnPrxI)+D(<_8|g~g#}4~13cpzTcBhV7%n=8cn>zOEP=h@F 
zw}$->an_EKFtvw7>Tl5_=$L9}z4sbR2O^gSS`m`b=r>o>x_u=D0&WNuS_*dMLFVq0 zm%|?UfVKG+8-Pz2NpYE`u_Bb#lsR7;Rf!|UFP15e9v#|rKV$b|3)eou9`@kE^Qprm zW5HrHtWzbu48%oXf+~Hb@j2AfOSy=mPgc|!o7QSOlLx-||HBQ{C8A}qX+Mko7kjE6 z`)ZI}FXqEjcd0hKQ9G6BP)OP*7xQLx$=xss9_*UclV@R=EvoecnMq0=^F3$*7$eli zCRkL2JIQUtP**WNb#C2U@gSlV}gv;MuU*sXj+wekq+ zVvf8xoESIr_S%ah42WM`RZWlQxZzNW4{6BPGkyO9Ol$n=zBQrSDy9KXovQ<`oF58Z zY!&+QKjVxrBZJr9ke4rNkH_Bp_ezQ8bhZ9-T=jueDN);QeX5LHV=TxVeZQKd#8B!v zU&Tz@;2s)=txC=lbOiDHx*1`K`^mxG(&qjxp_IJr-7DSK5F!I6k~j}b*7ftAY6=Gw zqT6$DZExRtxuJy75NkqZ>kKuk#1KAH6raM=kL&<2AKg z==es&H{&;0dF)ukYr@JLRNn5P2c>>wW1s5eTU(!oD(j=j9bL|j=$dhe#D8#bQ`HJn zq}*>-Q$(vhNRDe&SFYVw=+Pd*7D7-aL`Qg97y2b!XD1?7W&3;_nkcP#i#+I;EBl@M zz>7^!3NHLC<#`6o(^1;bpqs_=mQ4ZKAqgJjoTp%|GR{|WizU0LWLtpo^M zh2?sGr=Fq|kgt4f`CtBY@Mp$O%_3b4rwl=^<&G6!1h9sK$!FiL!m>ywirmGrD<`G_(bC~a)|pd2Am>#t3V|yABaMdr_J;G zM4MGAQ{=Q37eBWXBF~Npkbc*g`EK53m!~YL5z(o;$^&tzz8oE%E%-Er5ki+;Cw<}E z3xCtEt?9SJt~WH!H;G#sHq!IEWF_&obA=$`lXZ4RYB9xd7jya8~S&&fY4G8$c88|gHf7SYfe*3u3v5CwDks#bJN1^+ibnBf?nG>yAi)T%Dz z*=Lohe{0)28@fR+i=A+%bYZb`H-DD|pGyMC(yu`L4`dThkG_XJ0m)zL`k^J_ao#gR z|CKJ7=}Lu2XBFTY?pDiJ2TRMsb|<2g$_Hi7IwA0dhn#mDq1l@qd5A0vI*9_UT_HYv z9!M(TbBfH3jvF7td3D}B`ecxQ$(24$LZRT$1>wNH;Em65D3u?%BQyZfB^M4lS!ffQ zu&^PMJ6r2n3o5LF$X2bic+w%oa+f=1aR$=o%7#$Yn-3kgh+8ySXVGCIlq6^{<(mR1 zUcw4})~FQX6WwGOi{1;;O*Y3jC$&m?`n!~#2tV5U%f-m%E20)mkEwvw2^ea@_sQqY<_W9ze}zMt!hBq z?lhwGZ<)-9iq9`~lB=&aVQa+U;AyI|SSmbYaRM*4(07>hl~wmINZv3qb=_}!aQJXp zIriZ2zMO<`6a-v&SzQ2e)AS&($!^m`AN{>z!X>y!cI25;2TF(ZWK`kQo$N2!@1bwm zNkpl@6rGJ{QS&*y(2s*q$?-a0dHITasz<$1Sc0a*cbE{-+WKZE|J9IPp}}GIUqXr2 z+f_ophndgINV{ftF=JJ$QieN1L52y{L2<%vZeFUv?>dmmMA~<|aF(e8jM!7QPn~q( zF|y4*UMJyigZLfqxh}v86Th(z_j(r|7r=4^kb1IFel(M#krOn$Beb*sa z`BoPW@aHU6M2RX!fI}J1SAjVZu6PiT4)lYDRT+%>Sm~qvz_40mMZ(y zpBrxC`Pov&&*;{!Kw@hh_gtJ?hfNZ&2s(FEbeDR24nDsm5D^TGp>`wU+kZB+9rx4h zvxOF~=IG1ERYuzO!9hfpI^i+KLKM(Vi8l*s4Z=OCTu^#l`a&iFi(Wd-cpm*rC*EwZ{W-P_ED6&;M1Tf;-f44@&w8V_SMc zF0z^ZgZ^%qcl#5W$8CHK=9=iLknsEZ6NU$~cDym{>fSieTP{hvBVoGzY3N$+K}Ggp 
zh8Ll{rHrN*ffZjy%Ii(yp4KW3#%WpU-G^F)?c&WqPWFR@W>h-cVF9#B=9oK)7gy^@ zDz5Pz(X6-%+xdK}jD!hsMchhauEPfs2?LuNvGt!9{?EX&_KQK@Xy)n38Ze3k{Z(tX zx>^uthCQE>){FhJi>;h^+^J3;{v>ugB1K9isU+mT3v#fm<)0(1P16O*I`+rrQuSg;}%K3TlDha z!_0ru?>QLv=YItNvFTf&LeY&c{=;V8!RW&JOhG)LQA^@`MF2ix?p?CeBTS8z@!00&okCfW|V_&pdf9xCG^z^nw;K<2PqiMNTFb>YA zSZ}i5m}zl9m3h;J*T33O4mpp)N}x=?h1_&A19r?$5C z=LngZ={L`w)RvOjc&&jJnoAd(OBWP{hb z9a#{V?vtBd5XYBPybGl^75^>k##;Hx-XmhiE-3I%gmg1@=I2wA`pS*V3b@ZiRyDP?2J#WMDUn@NNs*GOlC#9=w_pp5iy~meH~0SQ zsugtWmIL1*R=<-ZZfUI}(HJ$AuQN!3Gfqy_m1l8Tg?457>F5IyHb9Uw)>Rx%K1A!j z<+3%KhG2Vm61K8($2Kb}Vu?qMSuB-DnwbuaEAt4>`wy-RV1O}ZMbm(hSLncxEr5p; zV=^G7`jVRc_|dwau^A2Rw;OU!Q{>MV@L_^~kZH?q!oSA)R1VL2Q<#2AVy$APSRcvz8)yRdY<32VDM10?GgRz_fV``TOS&x^|!yayi*^^Uo7Bv0Li5D3S5J z%Wa~b%J#Vl7=KxWRh0uZJ1m~#hr{}*qzXimU$_#CuHi1Qyg3RcoG2GpEPegT;;;3? zliYu663c;?MgR&U)P{CIaUD*N-rVdA?8a*kJ%gVhSs{b`x^*6}HY3(iq!{y!ZHeAG z_;E>+5234n9aB-0xVCKXE1-0%eyPz%t(i5$_YYvcZa$e z0=TW@|6F!m@xqmPp3!Bz3tC3RN?A`TPSH7wViF3D0~{``k?*I<8svv6ppWR*X5yA;VE?A?@UABdZS|?$ZH$zG3xjNGBg7LSvCDto(l@ zV5ilN?!ZzK-(uabC2@HY-mapZQ03qWoN1gcwx0d~v*Ob6UQ)jAIUk+Pf0R|A*w&0y zuGP-2#I%tmAVGx5{htAC>Mr_8`4iUbRIBBl>d7n!n0O z(aBlf{e^`GXFS5>N{0nMvqw{Oxg#j)5CTAkN5;pl5P@p|=W9!N!04pPA(eUBd9T3vBaGdtG*(G@W1~KAIOd|GOt%zY;iBBVjuN}B=+XOUCD(xuZ2d=1weOj_2$5Kd8MGLh%1_ezaSpvTSlLSEj* z^67nNbzj0HhcA@Xcq`N*F2h0)NVW`CNFq&Zo~-7apFSMkxB*nDR&Jk;kh0f~MTuK% zM^B&cuBvZ<*cNbrsKJcG*(TvaSA8rI0V4L-9@Q@qIVJg6=k$}7O zdGq5i3^_{7evinO%ur>Zd_YI(Sj973miWs0T(2_r7lF<8S#@ZoS#gd~X+w-xYp*Ge z%2q0m-Ucu`RGOL2M!}f%ECh!Zf1FjEk`G#%NWBGLPJ5`l6&SXYAU*|FMT_-z3;7-4 z+Qnv)`drz@x_T*$ojR<78GWN{3d-0F#nyr*ZHXX0bGSa!bF5^x*IzFtF0KhDihd%W z0yT9f8M5mc24(%sSzKV091oh$=^U3I1p{$u;l3+xk8h@#jAawTvbJSbf7eUGqaOyb zl0p%M=E?Y*(ib5)b7zhf4ty4+v&Y82*MnfcOkJzeMX2A zcO@CRt>BY!Tfn4ycjGmiDFv8hVb#aYMqlpdJ)-a}MWek?GvTp_f01a@8d-c=$!;*b z?f8RYCRrnf?sdAUt{JDtFpM3KroG8r<0Svh@IcLa!N}*z+&?D)MQ)qND+4%^)SS!j z24Z}d`Rx0?sU`0h$~e2f`li;9ElkTCZ1vnj&iBk`CjbU31FtqkjEO>U7C+TEwL9mi zyOBO3O&$z;@Hw`~y8cd$>8y==Aczc=hFiB{y>lo$66(tkqMs+7oJQii0k%hGsng8( 
ze4wmi__J<-aFm92epyBVR#VL8Dr%_!dVfj@l;_ylO;RIavcNgm4#%;$v zLW(I?$_oZi{U_L8)0wQvp%-7Hbq?)q$%Y)m={z5AfF*yX9t6z2xOSV1Z}Z;G(9J?e zKZoS?%DPT}6>I<19C4p~`lbv%vG-@K zdNK-+;>?*~u<%811FHk*LX^Vw14g6mg`estLXdVABAOaZL(2|es^=sYepoA z*7Dd%K0>iTctv3Ezw`_JVp5=DH9@10(>jT8ukEJpHN)(%hyr+56MhlV1}d`PjaZeq z&p)q-+muf+F{=6@;VCSr>EYp%MN}G+UqNo`7Q#jOo?F*{`2)Id#3(87^a7YZ%@`Y< zjBgaQB!A0D|I!DWW(?|?zUxE|Rcj(F=sEM+m?Myci598v!|B3PsNxd>i7JJf$tU&b zpf#G(YUqbmf@*B!eVH;$=RQev!5{+8xpy-p`Hr(N2-1{`v}ffn10E9>YTG--VFX%i zG;ZZn{QI;YCDe!UMPZf69@uMoAZ+H=nc3`v{YEFienfd|rhEAjf^9{KQ?AzHEIlt! z%Fo%|9X$_u+I-uW^|!D1mRu4f)w>`~LIO|muR z8EhVg7_1kEg1ke~Iph-97Ed00cS`55JEkpgbF& zE59blWmB*j*Lg1pz1FnO+V{T75X!F8j9Ko1i3Z=#d3R&GQ__k}YX-Jz+}r1TDrm8lo1T&0|HjJ)~Wl z(5bTc0VS%+F&8z0`yac!UstLw`#06f;&bAW8CKGR%6Eb>y}cZ_D8GQsaD)qvr^Yi& zGgtKCg3x?HfoTDzjk$mmd*&IxuR3DFjG8w7rUZZUHR^0IegJ(dB>fAd(>Wc0r+b){ zwu@-kAYE%vJIGRgeLfS1nQOPX^Im%}Fc)jsKYH!Fey1D>=YPogff8J|@=LNE3%KT5zy;`978S-I?;#5x9_mvD znyii68?{Cqw_`DSkSZ8}e=a;$xnFSEst6g7Ji zB=7{s_WbXHR7g9C?qR|DOIYIjKUN_hgAhs|@Iv$n5Ub(eSmqTUf$7ix(I@k7-QN0) zx#mJ#g^c~D5wN%ly#Cl{*4y_jQN6lWJLKppAT&IhQR+y(G*mfZfjvwLZ;V1E`oJ$sK_pI2S*mq;fY-kM7%V&3@k` zo4-qb5Xoy~0W#d(23O>kiM0+C+BJNAbbW1UQ)HA3~0Pq z{)*M!69$>j~p@(jj|=D zSLkT4yYZBLI;SqAvJWOd#nTcHod#CfQ5zm;MV!CHypOZAwIvCFwXoJu$9>s12dda@ ztA13GWx-8*1na45-be$BUI+(4s{I*vKJ|1sJ%r2Z_rV)O^98r$)bowU-0*zV!&-8Z zoEmg_ce5i-lyo+G#H8TZRP;ksgklgBJE$AkRp3`Cb!VdJ{+>f;1S+AMnuJ+W=Et0H zOWRz{9Xnr!zCy=doZIP=g?wR-4sZI8rJ=%G6t(5bwr+~?f`3oNe z3-9o0rbE&#z4@zO=P%n46E+;GMmqMsEz4a$ue*y$9t0XRtNH~ie^8&6o8+1|dw$2? zR5PF|y?3KovAVG2?xq3Xlluf5q>l=W+`xQ(a5r16QQJbj{LzF1{AR2^>3Gju05L>4&h&V z#ZO-c$xXa`0hu2M`nBIi9yz-=Cj+~b;-SjE%$SBzm>CO(Ff}1uD)0Kh^c<1IB$21( zmzq9vQL@$j=4xZ@`mFQ8?vv^>iB9jRPyfLq_&U5C+F$I=Gc*F8% zYY}R2C#miWF!Q-A6#hhx#@BS0&Z(0Hx&iTG+vCYwt);@>nVkCKetuDbq0E<7|14B? 
zKDb%E+#CT1e@(4qj$d8wp<}rnfS_-8_pN!MAK1b*M6v|Nbd5_3iC=u2c^ZL8N|UVo zX*NE=ddb`kX>i1tM4-$Xw%!2Ghz(sN#kv4}t*m{=Eda56zggLRE5u(W*t&@Xq*r&v zUFS#_7WuP1t0Xxec6L=p2odGyGVia{7CUs`L}DiBaB5zljw%vr{^7+RuDq}LI5KB- ze!CF7#tgzLFPC@%M>qAB#}40k#(l1~-65|N1G=^%+jcWcGI4oHYej8Rek>UK%Op~C zEQ-yF|7TeVKHyndoz`LOl)j<8APd(eW`1 z@D6OvL2v^iHSkMI;-(pqm+wVobS%2zNsh8e@)jKu_KYcdp0}7J-Y(5 zXxL!(V5zyy^WLA*`|iZ1`W9rp+oD;jTV&=y=*2ieuoNBm50HM*$tIDSd2u#Ian+1P z3*_E>T?Tr~_PvMfcf%?3I1=UOcG z6!B->czr5QhKGN>bh}p65+J?g1Xcy4>VqqIwAr{pM4dXxFRg>6gs1Dc(gwS0*G62u zIXTJK4|K3#?Fx=$3MJG!w!^#62^C@$jK-A#7ikiG#|FRu^WJ zM`=d~KcB_{jE_ICwu;-jCAAJZFJWS$fOO6Ec zagHN4zgA^Hm~K|yVZkQ-iP(xi2(!PIkCkw+p8A0zFnSj!NPQ3^71=Z?(*17aVk%o> z;j$kPB6Gai9{IUB2ce@Y95=4~f<$m>?9&V74J6h*a_{;0X@zixv z_o1RLK}{8peRPSq*4N;n5IkkI_Q6feg+cE7SLJAw-_UHN^#w-(M#KH@ALQemUD}D$ z<)jJXmw?elJk-d5>d!ph{-Ek<{a_Nsv%9bTAXx!PU)kAmT6zw@K_=j*?hs2&fzpmq8I zjZiuZ)t?{lC%6DLX#FPdEF%~VDZMSYp9@5-^}eiUOoZMkeeJq^d?X$!h=)lT7cwJ? z$0N*uZ0){{o`iGtW$62RY~Q{~l2WnkVvEI0X2nUpMpxe1QYD!cW=^6)kLW`_C$PA= zBVN!$+8xoNiZ?Qhm`jt>GpuO1uws5eQHnj6?N{=xb)#QCV9Bx5lk)cru8CbJqBT9= zFTi=ULdir*#Wt+NcL0I!HW*{QZH(nn>Lk;VG3O0R9QC7%U4S zpS<=dltR#Z@P$U(b)nneGh~?Y^<5?=+)C7T|L+gpX=4iXzQH1M5Q;BjS`0v^A|9|WtW#G=20xP ze`x4-NByaO?kd1FYCUm{V}@ua6^#V@hy_glV1Yf(HEhag2_>F8QgpJFk{2B(*DJ8# zVAvX2hk;{g#leD$neGkE;eJTz0ML`P)NJDZBP}n(%^NKHgb4gE6ujpJu<61s?Q=|H z?*Jcv0D~J;#)*r$Z2n+MWK3c3N8d(g5(q5~u&6900YV3u?-?h@Uyx`XEXWL%`J!(i zb$M!2-z{Djkm+2W=4`AIHV&bKzu??``v6X+oDt$Y+fOS*A9Vf(8Ya%0@I3U7jyvv~ zlWMZPw+%kQ&J4rD=|FbCimTqc)3WJ%S=>&$&v|0^pl>mNDf&?IpM4#dNMB9fF>6WJ z87;3X4c~zvpyZaiH!8$l3}MAjKmNdmBU4Md#ip^ttS=-2YLA(8BU+y*err+9zN7cb z$7OxwO~VQ{9vS{8hW$%UtzVsmN}Vtbn<`c!q;jY)K}w~WtJm!7v+?`N1mkV~tUIjE zk~yyBJI4ygpWGpk7{fJsb^jgZvLJTE=(4QhbCPanc+ye*XHoR9q!ynhnyzuDWg_ss zm5Mbx7}Ma*0r~;(8wSe=aCn?~^|lc~%I?Dp@itcTp|7T{ZDa30tV@0%I^L7iMjKc* zlkjN9GhyrVo=)1^v@&AB*68X*L7HuCQQc!_aMS4MvoZrVKe8W@;+cOIhcpm^ce1AU z2lECbaUzOFWPE(A-PgDCIYz-9?o)pZ^-TAd?bei?sI4!tGOJMx`9u5VT0^YCe=la6>mSKU4O9Zwf!nq8Kuun`=^b?^Rjc^K_n*E4;ZLVoUIJETjD&i#fB{S7L{ISpzH11 
zr_yC|jC@1b9R!=ZBH9HH@ZoqW7B^7iFWp>0}0sCR&8$A z|BfiEJb6uS>WX_~h$wb2zG(pm(JP#TNCFrIh3Ff;yifYMqq4~l|1oJZZ~sk{dhsem z+zY|}Wx4qGRA7khiUWM?xcGQYVjR~9Gw1WCY9D6+O8m}(meB`%nWo)JG@ZLI~@@GdY zTU;x6S^0FW)e%gsFkbj(okf*>hmk4nF_sh6jr%R&gwT{^;wotPqDz1&E_gJ3uCpC$nN^G8bUL62_@)=)}kW9JY zRmMt-p0yf>wCMHM$b7EPP6Ka6e$Bc*Rlpc&EOTh8>knewv?38xg467gvOX9=pN)}1GM)!mIZUI+ho(ew0aTN>xlxEY4s zcG>#l2*I*g)>J;$^?%=vPN&ZgZZs2@jKgM0rUclL@aT^a1jw17XG=`CyqSWVElQM5 z1)eiS&00R>6 zDh#4C+ecH9Xia)DzcP5AFqu9Af8Mw5kTgspp!@tDGN};clZ~M;Jdd<57y9LSl|%fV zPGC9wyPUf{K5FK8YzC!+^Ap5fX~o32z*mFO)5uZ>tMN#^R=Xni(wm{@dp!PtFJ|m~ zEE^nrwi(Az$wSc!Z<*xGYxO5$%&&1J?veu1kthR7iBFY~FNekZV+ZVz8#CZ9er6{0 z@?`D)o~L7h4QF>fS3g4%I74o!PMnb$qY9vy@P*&k+|#$Hb5f}}9JhV0<_$L$q{;## zgYh$*?q`hetmh&F=qQRNk!{Yc5qdta*+lcM9mt;YJesrI+j#>VL0KZ6IX;<{uke_W z>G3zt5uw^<+!yB=qLli1tuc-mz9?d)VrRnK@TUu`g3Mo9v%8<;(i-E5dG8I!i)ces zP9C+OTMW`$`{d&d8wD;kSfLs9ddcNvZ-L@o4?#)KJmxa44v5aIkLUGIbg8WzzUEH@ zEK47)%_FTZXpReeqAf$T2&8A^PTkv8qmr6sqpu? z5o4FB*J55`#!(?B?S!+zg6kH?Zm>mQ_A;eIR$4kt>{{=v`^_2_~R zEID}3a8?)y19NW@2L?yDl6*}&8-9kq@nIH;Y|qGTdp&0IX#4km@d8-C+Kf^%BinUWo1DpRZsO0# zUr+tT>mlp~Q4s|4HG`zz&i*%1uDLpVTvsvt^y!n1jt=(i=qe_qtgn@+AV+p0=0W%Uy-Ck3sQ$C}@*c|3#Ob)C)noL@U}71wC;0A~{ATYRGrn}-B+R8L_W`P21P0IYfTu(WhK#Zw{QUJ{=g_UzTt{wogc zj%?}j+*EAC@kClIRZG?%KhUGOfFyimiVjF6^@no^9lkTcWkXgfr##&WOeZ{yS+c*C zvrh5i1zKRj{!n6`huc*uwu;v1Bo{7_3N;$w!^S(B_oqO-IxG@}5_&bQ4K$h7G};)( ziYH;$)v?bVO4{=;0rTU!euJqd1(RfMUwmhUdzBy@!k9rx@_NxYx5`)TFfJ4Dq?1!e)jH9g>D01PcJ|E+bsjBpOWvM35MeL z0am))tx-2ihM((mieWc)q-kSWiMyR~e1oQu8LV84DWIEekE?0$CNshc$c7E+AeXTF zG&vNt2zSNzg`Z>_>4_WTKEN<9rvsrmnF(FwP3;SVhR1&S27d5>d;4uI-!{LIu_-Ek z1s^FeGG}Uvp0LZ=uL)&TG;>~vk51Rm-d8T4x+eHj8D4fL<{o|$VrWg6A715tusIu8 z{N}~}me4CCijz)$ZeT+&z5bOg?5c(|{32^6(4`({bj3l^qj>-Gz?BQc zL3 zYGg!>d_%}$?HP6ck23%aPiFxmvaPC>Cue2NzgoQRvz@-uIXWDDUV7MKu8@gJAt&dx z?Ub+k6TPmlyXakeOJd~~?R1Un6!CP|_Ypt-WAA}0!tWf)V1A1k!=Y;S7$GiK2q=koBiaWg zKnb{2K+o}g{CgT(fCm!9i|*DeAgyR)I~SWlk>oO8Sn3-P4c+*a^U+ngoo!KhaObIe 
zZxe$`QUEV}#^mt<^;SsiM|>|wq%EiDZ2FVFXuGSZ$dicjP@6~JX?E1?H>?Vi`;TDX z)#$L+J0aRF>*gyvJ>z?qk>kpz6Da6c(H{iI_ss8+HJ|f**?KTk#)p@leUYWSW28fE z=nI4mx{BWOy6>m?KK)%yL+U_{+O}NGu(P%G4S{zDP-l58i*J7Gt_nJ(!hUa($NKf@ zc6NiYGN!zdaqM`NsjY+jbBAjoeQiX2JN23XLWRN|clq%?l8^&!X)V^=+#D1hA;!pIM%Fg&~ZG`4mxPlEE5$2hR!{h=IU zw1C4j%SL{KiqWfyinvs!`+ol7FS5^}OlC#=83vOIwb^TLAJ3!|-)0N!lUNhq!J4PR z9SqSP|1;&&cI6DE;DX+0b;A2Q4u$2J&%DF#;#)gN687qfm-o%h^)De&YDUB@ znL@{Vl}BW{$5j~nLs;A5XeAIw_AW*A52)Gpw06JZX(W~$EI})5g=(imebw6lA zKh?h8SP{DXKFM4a`YEKd2)&?O@0dgxFx&}a)dTp{rO7Z(i&&&jKx-u#XM@FqPv zbQ~rTuW(=V%@%$tv#oX3v?x)tP<%(f7xZ%taUoJCukc55Kr!S?1gsQ546hPrE$Vyz zT4Pb?;{tWB``Gt3YvO1y@_Ao40t$>~Wz7qNkdZ0I>T8~4Z;U+mXSoY=>cY!p`+FuM z0pMt|Q=lxI#$Q6x410XzY{35fV-@;B4g5Zv90hRo=9ZLT$=Jzmgj%qPRr;NI7%BUU z#vMcx*FZ9E8nYQuS9pvdE>eJ)h{q7FQJ19Kq{3ixWoQ!_}7Wa$*0j1{B-i2jA z&5FpOEB$tPzwu4* zf$2{MSc3+&ErUtK8uUS=H{`jU|j8nA0uJ=J>!F8ZBsf3=C=qIsx5Oqp$t^qSjak~jzCL9Cq&@G8S7CO>xH@xxzm0DSqtnwAP*%2+$lZJH{_;h@4Ziy1P+;7d3 zxHpXDil8qFx!@qpN(xU}t%}vF^90&Y3O=m}>glVEUJ5dw6<^5{wss}2!o8=q4Z>Yq z3O*mXZ=e7ZFo9ym)&@v8)`Rtp$XQIU$vqeu4L&Mq@v2*tGNa)%@j>NC)RQZ*@5xd} zjp_BTm!qJ2Hok+|vc8|Y9N(#)mWtdu*=|y9kXy5;-W>*=G3go`So-X@8?2ggokfrH zMYlTboUcyrT#v3hN*D7~00e}os#WEBTU!C#=iWDj{_&z6wf)ftF-(7z2C%sMHpPTg z+?$w;$`6P&;ZgHukjOpokE&=trJO}eWPRu|@nITMt}v><+*t+r>#arff=Dr`&{SlE zfS{5Q-v5|f58Q_lVzm3Mg}icHv#q1E`}5$nJ7*^dW<>K>FYssmdegp;r$b=}?jz|_ ze`XXC6crj_H%0m$*w|a2u)){;Vi-ZkW0j73v)`$x-4U-j;l5WNMn}CZeda1D`lNpZ zC^LCQ;jo5vE88z|v{T%mi}dVN2a6T}E9I^84vgK1arVoCcUrf0g`j9xu$Tw-`u&>u zUk!4Byk*Bs<9H?(jN$Bdd{H58iZ<;VENjk3M-oSu1JQ?#+w_Y?)D2WhW}~-3h)Ul# z8ZF@dbzdNFBb>z>iLUx~BlE5ozfHO$xWmNfFF0W%1 z-=?|HOZ1(q*IQ5Ay?qINe9ank-tjo~j_ls@T-VB|Z+p=ca*+zsjeZ`tQmt)iZ=+yH zOie-k;4phUU!bkMlp|S(;9oo#5*3g&zW9<3LI8c*pTfCiIV_jEsq7GfE%4&Bb_dPzS}dyM=QsXEs4-f)##|W^TBXBY{A0Zz;5!r zq3EhKVHI{E?!ZhIL8shu#ZtP2#6(K|3?2(FfuHPAZvLZC);BU{*wcyU5<|rQ1|2<< zFh%SvgNB>vHiI!6?Xe+jF)em%3^1iCV%<$FTj?**h)Nur%0P$hm`WgN-~3bw6}@5RzTu-s7%m$QB5t zqFWT;VPOY~IiprSzsrnS#z-os+iGu^2({BNl$!22@EHRK_set%`a`r4qb*I7YQoWS 
zrDMcT7wSqTs|KzyifG>a%Bx+v)y0_P#iOI_Nka5vB?TQp=eX3~{9S_HvK*>8-RKt| z9>FdbRR3_m5{kAO^=V~PpYVa^_V>;4+Ud$+CO>PDIv@LN_O70cJm*g5yzxuBPG>U_ z#S^O%raxVNomPbSY>zlmQNHvS$j`#X=pcHkzE>*S83wr;MLUE&oyy=|!g!j7hv- zzoaDstY&^{t_L<6c4u9G>VDx03mlBo{=%()_3W;O!lU6q#lwtGG%OPMxn{)9jhM|yuU$(r3t-^wGuSLKMKL|WaiKmE`$7_aI*T;?lkKmXj<{<^wAB+`Y6*NAnp%h9{h znNKp^<9NG6%v8Ug`LMGL16SmO#Gl^9I2jIB)<}G9U97LWSURC z`g-=v?3>erhhAH~?ebpqKEF=sbsLHK9_zP%`Ul|=0^+x^jA}pY0MYW*^0ZY?S`mL} z)7{^}>=N4Ts2EZC`|WV5bd~-dq9_*|{|(=}W%FTvy?U!e@%ve$%rOm4&Sl>&_5Hrjr{a8b!MFp{hkb~HcQ29W$G=t9l~Lz^Xbp)B4J1(r6HS`9fy z`f@Sx@S%!&fKnKYadr>#9hdv@-Uu_@sA zHUlaLrwdlE^W}vcmRTj$(}l}MfA47gonXU_(cx@2w_;ww61%P;Ok8&iIWN9$!91@k zMxdF188GWAO)F^p!)hjUcStc!7c)*vFjg+;f7kxz@D^1GP|gy)3$=dy{rB8q`%y@h zvV9e+`5wdSBOFeCd-)b+gkY_Ll3mW6ekawSZzwJa#KH>u4AI*;n zT}kHH4L)Pz6leoP+sfQ^;#S{D&qMCr-0O!kMfx`Ur+h&C`FmblZw=wA(;SbNRc_ea zdU-W@JZrn^N&Wd3$6fFHv>VPrsPK69M{S*w|IUC9O8?-puT-av87}k9k8ayhL~*wl zdpYKCHZkub)y!ijNdRE7Za+Q35G`GOCLP!z{o5E*z&Qll-@)fN0d_zo~!}O75&B%ae2O@4=4)ep0M#tM5 zO3p&Z3mfW*!d7jmKHfTP4yHnWN++@2BV^H-JjA2ohM_clwEDzHJm~D4JY~tq-#~wP zU`U#nMazz7W6i>1Jv3x(U7Uy2=rS)OM~thXEOVYc454)<+UjzA`?i*dNQ|twqIR9K*UrFl#KF&Ovk_gSX6~xKhJKI_?$ezB;FM7=40>92ju0< z8|bSFF|GB0Q5{v0gKIN5li!G5l5I2<)AUsQl68(tUEuuucVgA_k(b9pv-65ToR4qsCa@+-Y@80m?~qEWEbP|2VZsV|IqBTxcphCvo0_* z>B1vr|Gk2Ks`PHPMDTjrP&rJ==U4^LoxK^v1q1Af%=RKk!NhHEE3O9P1yCzBv|Y^) zLs~jS6hnu^&s4^`lB=!PC%}1FNl*f#8MjNxS80?77l|9`Ov$o@ITF(fbOVy@B2rkS zMpQ``zDZ25%XAT@tMW zkAhV!jL_e7pS$;N#DoyqK3+%laOY%NHX-k$<=s2-rL^W zss6jpKx2hgkl9vAbbUmxTtr`Gjfo$(K}`CJkt)X=(gn(DWC^v)pa;V2CI~OL0=a(+Dtn!@XtaC9 zXXmxY917Ps^5-~{qs9iYCE^*M-oKyE^tEuiDG01etJZ#X145Rhy9K$2dKjz#>fJMs zx>Sw}MdcdmK^nV4URrF;78;tGk4A&$v&2+pxD&+R_8hRHMG>HEYwX#nP+R{G2HjKv zF-?H>1m>zHk}A$E@k4>2TV2Cyzp9a?2cv5K8@2FuUc(Jkc zc9fC{ZbUdSMA@XLCxyQoXwr6Pn!$(U=sXjQ2Ep#L(dwqF>`l+WYf!)Ez}5`3p-u`; z%)HHRHoxgnNE=$?kFz<1S2@Iu1%VoWDWw=6U$mi4-3g~p*n%%DO;hKo>UAG5EUu{H z_^J7-XORfw2v}>Qc!Qz}QneFoRj&M^mMkS4p5YF7yL>w8h+6Uwbi}|J-TN&{@O$&# 
zK`8X)&L91Y{n8Ym_o=v=2apb5j9g-wv`W4oqgJv4`r@S&*iNWERI1lZ??=RhK6=M3 zHLouC#eWYqMmH5C=wb5n0GVlmhD z!7&!xPJKjSsvVYaz^8%HJs<)T^hW1}>|LjAwFgybeb)NQ-^dd54lDIiZThVxT=e*Z z-0riqb~sRESE+6`aXTQ-tC80v{ftyTe#wH5oX`f=)e(OZ)2G6TRv~wL9>9KRZZbwY zsYP7&d_C}XiLFiM@Ta5aBD&+fVPsJ5mpMjZO?55*jaMn0`xS*#g6ZIRC}S3H zrX*L)#?$;Le9a}rV=A9Q;0Haz#QS+3m8zW&Xe9tQe6T6x00|G`j!8`e%48)O%aKy} z%surN4hSPY3-Q%{@^k((Gz{@w!51L}o-rC|N4=kXlQPFl;xG9ojxR(w z6zJRFt!nzeLsHS`s&wXWldX~g{n~3lr~gVCkWy78CB>-{aJbY-GnSPTf0olaGShK5 zk#!1@8|bbDM385z^%1&^O#LUW1gpU1W2##ahy_kD0rx0dI8{**O@M4M};aV==>HPGT^@5IG3t`nPawQ8dwHg2rx`nS0;LE(9f~qjF}<0Ee0;d?9j!KViJ}Qk-Mp}jB`}l;alfZv;w4O& z4*dw?V@YB1=`IYeM^KK9-8)$}gDofyJmsBs8 z>G0VaIO*Uuz&Zy)CCLO>PT1i5(|9a<(VG+a^YijKV8b`OK&XnJRFD^ToedrDobxoj!*bIb4(!+jNzmje3&v|o zl{}@2AHGm}iciFaedd4T&;$(g>*yu%C6+!N-U4NWW`frjQPKCZn&k}3f=oRFw7&;% z26v0DC`nOa0nFI)BU@(v=Rh5;e}0-}(+}+?CU!<0aHD7FCd9ZrHw>VB)?N~^>!?Xp zIcS>Vxp$DC?I&Xct(nLjR3FY%C=W3&FEX+?FwC90zex(S+kJk{3hpPyax4rz9UTq# zNJ)?VOYg$Nm?v37jXzw|MD2_DNGfWllh;o!Pw|$r>XqskJ8@Agx?Lf{OlNQ$FKQ*} zcP=Z2z8^eC>M7fekz-^qvUqaR{pH)l3PP`X2KqwLZ$rR;g@2|>1+wNm|Gm0S1uo;! 
z)~Ip7FhrlE8)l=b{+&s(azpwNI-L$a)(~{Flkt~iR6ghkf{Ktc@Tje)$+AY9WIK^i ziF4plD}!w1t-1xp)xYDDxdLvRe?hx@9ga-C_nS)|K6**NB*Q<-8-Vq|H_rj5kEQMA zug*3U+-2V{oe88gp93D&@+jU3aLZG4B1MW;TPEnTuHMX)-G_eU^2|f{jfh17y6?8s zi*JFGaH@^FO_pTw<^wd_D|GiCsS{d6rG{+Z0u6LBU7C?!*-)s!>&F z6fagFxGNw>!+H3HgvR%3Fc_^P2#Fk}2|r76zMVqL;y@b5hXqw6cQ|lT?`nr42}-oS zE^mL6i)9;0t2x_W+b4TQp@(|uB9|VR?qkZ&i0vdQADr7DXG}OqwlRD2Hg@XowFeYT+O`wtIV3(n|+>(4$aUD{~>iiwgEXm5wC_kLM zSTK^L9xZ#dTwANTN19ymKq5wMW(dSP>(}``(`My?NuY15Y+q=rdkX8vGn5u9ks-(z zYUZkR!yE&W-=CJZ8hqq1xF!gI`dz;uW%q}ERu(PF!0iqz^$#4P9qmy6&EJTwkbqSO z?Wi$%1Vf-I%8Y~P6Rb-ul1~uZ&Vc@3@22KkKXt}@{(!3)B=booGB`#c0J=81e%ObI zD$O`5*a7{dBvFOi$&?neG|tAk6%=KNPEU|u;%9a#0#|7vtBhMgBY;BSJsmiD=r&Gl zAael#I~pv1b~9`^J1Y7GZjt08Sno3)H=*TWO#61AIS;R{_-jbm$aUSD*JOOK6d=rw4qdfux%VqVehh z#cekr|77BRx@XL8I}h`1!ZkD|MJv!x521g5@xFcgd!wDKUx;jbmdq=x?$_u5TW%le8r}V)hO)dzp0UZ1V<^1@!^{$mn|` z24Ag*2i)iH0)7>LQ-~vNRz)?FjgD8>!t%5O3T z`R{&yN!1DYJp8}k2|xW!!{=0?Dn-^z%Hb=93`;>F-?z_?)%Aw=-y2veAd~NxV!&wV zz4~9W!8`2W{m>cJ<+3?1_zjdq)&Lhwdl?ox$S%zznDd%N(D6urA_3P#63q|H`Hjv? 
z76m3xXZNYMl4L)|(+wd52T!Sz@w-fffJXja>p9BhA?OY~(Qq29rR7QAue> z>PQYtWAzS$pa-`|uFK_b#dITmIE%g5f)bB2LjZI%!wOfHlBO;A-R~)3^Gl}_nl2BI zx)KheDP$UyG00d~utM?V)JyU~vIl%WC_g3edf4?3DHrGd=uWE;je>~(+K>VR{5ZWA4a_;Jgqwj+bo1$hQ9o62N`7JrbWm!pa`D-Sz)SN;2@-WNRN9nX5 zg1bZXcbClkp19*A2v!Y?t&Y0av?U23g3fF@eeF;ov>FHvsFA?EUn<142~{g-7=od^ z4(v-n?2q;wzT_t03Ebq|rT6%mMSf>x4qsDY=%;H!VciTXEPzo7sqsB%Cd3E+vGV8N z+*WY2r1nqu>Hanam4xHFUw3&i#KAiu=*KOf#qW-y1kTc8@(G7-=S{E&;-5+qDuB7* za{fNJ4_!ytapb_(-Lidvlc<&U}L`C7@jXPqf?`yE-<2 zUck}56M4nJyDwjIskgF8b{n>d4WC|5yR`R0|M%63{D`*-*ooo>pi_&m%(w-xBW6@~ zM5-Rx@e}O_O|mCI7RS$*`)`nMT$dr>L%T_$_Ja=I1NSl;&~1FOc$#5=GY-dzf_#+H zD*xFDA?SdOIUW5$`i0#P>u4rY)8HqfzS(X0iG&BF znOr$0l$Ww`?1;uaJw)15`sgV3#Wb;dlJI*Xk`?blf_!oI+vhh>H2d1?&a&Mn8%nKCEHP8!s#0ATY|EOKthgURljmgY5a|H9XAm0V4U`2iX+5<_uEu0)dAiSF5D#g+ zGDK1m=|p|%t9CK>N@y{cvJ3`$op9xqY zvwSzK1=9qi2as0$?q=*lgz~>3ZII*-$RuW_$CpP#fc?@XDbE;1$p1ivQ6)vvVkWOw zE!l2@ko;Mp`dP_j(#D>O?&k9ykxQ6_TzLKj>NI3OW21`NGwcFE>$F2Jow)F_NVr6* z9bX294m6Fo9Je;*zZTjmt`p?FV;x+~GGY^EtJV zQhLmm3HfRrX(Vaaaq5>Wke<`y^=rnv2cY+(CXXDN12qrPgSVGnelJbovk8u7&L6YM%}|}dPRBkQe4vj+weOD@mtra+(+9kWWqBSK zi1jJUzr`g{D$%jAmq#&tf@7Z?2{+V|qjkg3Z)>}C=KFN#dh`Ta`BQN$c6VC=Q|(jlaQM#IqCe2QaD6m3lfKW>6z$-yW?SKleVect+;f;{bL zoK)Hjks(9#kA?l=(tD6r;h~{Q%n<2=-XtE?nZy%>aXb+oR2M7_+gY4i@XbndSNEiR#rr5<-#*{a*9)L_f7_h_~rbQo_;@6<+T5{ftg!{f? 
zdfodY7Z*%pnN7-^9|>k+je&?NPIdmnp^xMp)ShuYv2!}w#+C2V$RcVnI1&GV0f_#4 zA>5m3Cb(;0Cz2p|Y5GPJGGA^Eet{B?tvyO*Scm4&%-hgpD6a|MX0+h>WsasX_Cr_& zcKbbXUBh|LtajUdKIY@|#frAZ@Q3CSV;|3(zqaKafySn=hoQ=c?dBZUZS!l-kPH0Q z&2@+5BcENN&3!{oK+#J+I6(D|8Me9o#;7!Lw*WZ~Q$2;dk&%HXN0Nq=9n=qPL&oBB zqN*G2dK2KTNQzEcH+a185m-Qxu(PSg)UfL|qq7Ku!V<{tX9gbxG$=<-<{Lj#o~ zb)77I3)XZtAL|0^foEmL156`U7KkmuF$jViRk`c{&XWZYn%SpWTF5??%WJBRXA6gV zPOslvMW`|@y~rEVfB2lex(^6et2}L5!;am3(7q;VI#?T*)yS$p;a?$d2Yw9lJeEDB zkG?$m6OWL;|NAc@Xs9jc|E;yWKulf|6fg!YAZ9yXhw}gT?C@{MFn-H`BH{kGCd?oJ zQSX*GLbq(m;LW%n@3eCd6gY2%@fVEml|;>bw&m1!3;TXg94M0ToLO^0Q_wF)6F$vM zlEycPMJo8g1$47H6Mr@$VUt$3rP0q!HS_$lb}293%ynvJ7axt;*fGz)MkiQxg4dpIqBevZjwl>8Gf@C4@6&L3kgS|v`_4TwI z5IQkG$goDlxt3pfe*0nhIH)W>T~aR1_%x!bua8Q9JXA89=Yfba4}&eNsDA+g3ZJ{$ zs0Q*wKl8AX0!%#r6!L1gSCxSmHw6HorTf>t*)rYbN2_%%&c4HwMC(@(!_@-=Njogy z?k%_*P|ea$j=#V6LC&x!_Z>aoMJ{Q+QzB)64h=oeM*0pwJOhHI{ z+@c(H>Gx)$W!ULR0Od#DKN!sTEYd_PtvHqKLcs!#kBozx1YM}m);4S{h6bp9T4+dA ze}>D#Zzri8TGJSSlSE47C*3bA0RYlpjgAaIC zn(>pM)K5w2$xrwJP(aA-gtC&1Q}kErL#RzruoZcCa#|!IO$|kW7rROv{&D-WSJwVR zY?lt76-Hhc58`|;Dlek^`MN{w{de?vxP%!*yK4^My6xsTKlDCS@W=|$?JlAG9&S*aG)nq(fi!& zdN^Rdf~ga-44cYPXz3)T7x{4EK;?Be63KKLkHG2M@uK^`w~16#)sSv^(QuI$npfGw z1$$*G1e}n6u2>Shn=n0>PxpDsr1K7o;=r z%#?U|Sn>Y$uIO}hKa^r*zEI@(x%oMdPR{kLkn{v^)J{fUq9 z`!&V)_X}MCpCj_QMcV8RmF2!0h4Pl8;o{AsAfQ=rzR*UBV*5{L5_>j( z@#YlBIC07kW8Q%72&87gv@D~g=-@-98GWLHae!99eB$Q-hoYF8s;e~;OpQ@l1{Fe) zB~l=!b)=?^2BaUOc=NA=ikhG?`uP#Qc?LuyE%ggIIr}**igd-uQr%V+y^D=K(e=b; z&MmF_0cH9Dt)4Bh+5ts|H}phz+`tB|Sm`8N~Bl@0R<6_1*eKU#(z26K24aKXKu6erIr zKBgrlkqJ8=!XH@<0Tb;}eOLLhgZ^%-_S|J4+tFfY-58d>#~`lD?Ke=DlIWc7Ktlq%_d9USN9360Xf*YK-mzj=R8f~zSJS^`GUdfZ2ercnU*8g@ zlcE>ud^TDiKm@i2mFaqK{!qSV)vMdUsWe}3I$I1P|Gm0Pn3!)y@rfshlWgtge+SfJw$ITzdL*A5qHArAUX~AMw@? 
z&C)76CWhZXHD}j6?f2z|A}N0;*;CapMVKYEqwD|`y-#&7 zFgA9X{XdlI{*6Ds#x=?N<)fQ_2}8P#z0Y77oZ?=XfA{>J<2hp1=bKG^a8Wua{K399<~aI$C+SXG7w^|!k1>XKVXhQR zE6wd@$B*l+ci-%RpWZ#j-Xb5|;SwJQ9zIS!R0^vMdOvjzm9&lexY#8mjp2*Ly$7oj z4-Ee9rtd18aNNz4o2OhUOk~>Pk&s0B0(ZHWWMuo$1^K7P1BgPYEGYl2M5s73;;)CZdnFpc9&*SuC&1s z4L2T-4^1OulcZP1R9+vC?+t1a^aSynAUiZr8i@~W;6;KSjU?J!0mV zS;g`a>B<5DM(yVPRJ2T^pB9*2C?avYt0clDh@G}k6>e(F$8|Ss8R-!GgO@-ygo{#* zof3DgLXCrL)!I>#O{g$>9dV_zJeR9{or`>}i~LU)rD}%|07W_gLTnogzhpP(FE)vV zK)+)9==nJ{VS`nl-CFr~rzN`dmgMZH)VVCtA&DUG1(lBeDZRo!;|C?%`CQ)E1-W`` zdH6R8K1Yk6|j_pFcIDAtvxn47Wv zcJOyh(8WdO6~(crr{!NTel#>TyDaisvC|WY!;M6a_$I;FFi{54#<9Dbooa*p&BgKy zay1`Rmcw!qEL(NtKp_}fy-~7!GhG!j7TK$WZTR%6wso-J;mcNH8M;-Qk|3g#7%`dL zVVwW)F;y>MHEsF-R}^kX+1XF4Ki}V_x7%;@jzrL~Xy^YQ$Gwh?_j7ohBfd= z0-8UqfGPvf5{e4p#~sz0_jXaEDR*^)FFFCiVdr-Mk{=%$e4kEax$(++o6vFt|9Cff zZSA@Kg1xfcNq{c{pF6#TYe*T!?9|VsqxJNI_1J^`*nnjc0oeii=3jM;E^c5|nrjV4 zVbISxS^RCIu~JnZaO7ziz4z?Fm9m6|{UoFJ1ugOSt3`B1;4emXz-byq=AMWB$l8 zPoVMW_J7ez*zn>F^R)QHKREc?Uw}LiN|*d8f!qC6AhZV)7YD?U&$`REv7$w8JUnG0L_s%(b&d z8(o(l4aQ*6Fsy zU)<+|M3C~+WphEaeU73Qop94f;PPP44xF{dSEk0_4f+D@1YXW9S!4Uci_2 z=yTHQnll#eX{_N)7IcwSkb(M6^ai;}&v1G=zL~TO?Ad3$}|AYzOT_Uh< z;QQ+GpT;xAh|bmbhSd}%bX`Hu_8>G1suhcQUPxp}FhX7aytf#9PD6iDciZZtI)YtW?w@?Om zhpD>Gn&2QQEDN^W!QVvo)S;r1Jx<+0Xy*_BOm~N?<}`?)hDB2DsJZnnxoTL{$x`ks zZ9)jTU@yr(Y>(GyZyXqieO031rm;TK=eK3+cegg>wOKVtdbpCf-&s62Nxd7*xrqMg zuMyNAr44SV+ia=kyk171-mzXaOuHVXsidB4sb)G}4(6{I-t_R$6Ehwmv$fvg7}c-D z>=$##Cb1@AA2qH-t3O|zV!svRakj8fv7JdAA}rZg`3%INzU~4Ib^*<-FL4gAm`YJk zQJM@4zRU0LilPNO;{cJhF-jf=M*eHl0X-KPkMc+VSc^c2a{qoc@a@ClD#~FzhODDi zH{cx}@eCx29wDAm8d`#w3Js!EM3>!ya(d;jf4n&sQNxx9lokmtXtV@gh{SCe$+CK>S2njEbFF-7Z3|WeDdRdhL@4hCj z61dC{a)YA^7|&o!Dh9az$|M!{Mb)o2RJF=qGs*yIn;GG*-1NAD-)Lxp;RrkG1WeW( zK#DK^b%$9#^x9gGxH>WE9r25Zmbw*UfhpW2gIh;N{PyqE{-i_TrFEH+iRVHya;yQ?f1qQiJszv~J-oG~-8RxozrvGG4(RgpzcqA12| zsW>ER2x`PcS6q38uS}CT@sGw9+2%4KR{-j!cjTGpcxGGwW0&u{YuX9;B3 zxBkO>t-UlQkQJKg0!!2W<4Gcb{7D0z)w!3(mDhHGc~QMAz*}$Mnf+ZDiK@%vmY}ek 
zNW99y63weW4xpo5kgI}wbV+@8$<^7Ls-B`6hXeZ49$-05I@tJ*!mP+t-!Av^3|s5! zD#4mgVG5J^?IH0Oln1jP2yil>!Uvk$-{}j`?3e&<9TQjAx*d^US2KO`wMr>!JHVId z;ojN+WDPXHIcR@Qz%1!wGlK#+OorsVuuF42?|wdkll~#N z8qCYcr%Gb)egdCU5J>p>z*1n()~JxwHk4vG>4j_g54okOG0l8hK8@^eN)mRMj)GOR zeo%Fm^V%p9AccYR6TPnrgkPOoc*d1jKocdq4NUCKx-l}8zb+e5$*M8RyY6p)$lwva)9z_%a0 zlEyE%QV>Wx4aKq0%ZkGUtNwpPy>(Dj{rf*mr?7;8cyNOwxZf^>s4 zf^;|1U4qgj-MutOJjc)d{mnDOKe`J$Fz39_b-nT{;L?ph==0N~VoKTDOJ+ESq42Qh z_SG~~IBlL6jhDwv@xZtZ6u5u?BuR%Vhh0b(@C>pd@DZT;hCkLnoO=hA8^lS6{gBX? zj!_Kzo)%>!R{aLY0e;GZxmhDg4w1IkK7N+e(OK$JYRq22lRuGp$|w0<0JiTz`TD%% z$}Dc%DRFO2*q)XDO9{4wD{?th-FuwVyW&2--Uzi8IdWuue9F`A4V7C<)9$I0TN3ry zi(jwa##n~aALoeNpPl{r_|5))uC9ra)<0KDU!T?(nKw859d?z^R-r)0qTPAVxO*2N zS#yQhEoSKJ%3jKwB{OtIJPOB+eIXsq;W@MxXD)mYAs&OEpl4^Vrx)He7)ev%?$w9W z-E-uB?8w(|YQUN?m%WRTp=j{+F~@bRp0#I zO;vwX=AT+7dBMNA4RY52bQ=Z=&jOm0KcvJSU19b`Eu|}YgXxR~rmf7=KLbT&5)1-f zq&wOfu7NPwXb?$*vLXinGBG?n3+8A;iQN};>Q~MolhgFIwsv&MgZ>hy+uK`!oOrWU zMxXk9QYIGdyj&`mn|67HQdEiC%C6Cj0sHLCtaMdH1tKN6AEXTBYA#vZAqfZY!KDT?k zmL5R(5@9z4eJ;og8^Ean#A!}c0>H-Pb;r@o_iF!0YT(8}a>njo(jdW#HN?bJL&9Hv zeKXbI2+8rm@Q$Dncl{ba&PX326aj)oP~IG^onP|GJZY8|#B=8Dsxd|mjWd)ae%G=F zVxS4S@=P-4foDc(M8X}OtG<@UVUmei?TTSs``KgCJG1UkjQ378A8ku4NNh|1flD6h zyUcXt0O&S}W;r|hnp$QkWtTLjc79n(bO!({u+l&Qb{l~Se;rB_$u#pjISpF*3FV9E z^fd-9;y^^D-Y-K)`k$#jU*gtmA>KM}ajLL)iOE?4_B10uz3#ci>2`Q*Ki9Qk9$nJ$ zus2ek%Z6i|sRV@oTYUAM?zE%=?Mj$!|5mx$3Ym>Esoi||wBM;2Uo8eJc@%LgML%R00*{Sno-(QN|u6QJ7J}^vnxk#r6g>rchifPU{~y1(XUY zc5x_8U0ehnyVZY3o45mtOTgHr_5icjWQI89#>Y1&Civ{RRnwKe^el#QE4%dUP|b_* znt1VPKF%;JY>@pAg3kJ3N8{QwYB2ot0VM58E61nK>!&g(2~4XdkZE!9p3(4vchBJ98* z+&^uI-2YNqad7j>4PqUq*Ct7(XqyW-4xF-%yVCH48semY`eQfL4%B=Zz@#wlX68GD z6%|e+Wi&odK%I~MCqNpY1ghFj=QN2vgmr4^YirlvNN&_kDA2pTi;YyH(GZCcN`jA+ zzZW6#}_44On8FCYVUQNt0KsnEdc>7v(q08(gP|)gx$on;UW<=aSy3>8MPFV zrTAND7CZ+iSg3!k<+_2**}eI0jN+?cyD*4^h&V^^%^2hm`w!cK@?je_7vsBdTdhCg zAoPeoGs25~EM&afYMl7=gqUDwV@C|S9Xtvons+31wb;Lbv2X2{2=?aK5hRhYA~Tn9 zUa((Zn1;>#ILR1LXX)oh+t9qnGa*B!-ii{Dp#t#aKA7mdKZfScbRW1UW+;w42&xQm 
zCQc#~W5S|AVv)na1>Qp^SX)KeloV$iqhz+10#WzwmhjtcrcEn~txYCq)n z!8DvtpKK@mHaIq*Og-9anRC);jVD0lg9m!4NBDAx?*XRTY(*O$F}CupAGOVPx6Na! z9^2B>N8~|dIyCs3P5L?}H&4R$Z}}KR%#9F^+6F%I>le%SOu-yXn~g+`eT|TP{*-`k z=!d=XGzKzN`B}a8i4Io+y?bxYZv*6yYhGz&SG2F2r|4*J5hoSyrqEj^(|t@T{Mg$) zqoYW6ODHM2sO$gmcL|q0Ms?S+jMM0kjWCv#!sM-qG_GJ&RWDM`yPceNT@!kE^dde#kbtHI)TG z1sv9&_i?u%#YIZK*txoy3|bteMTD#Q$UV}Qt$6iA4?S3=y z_u%iMbbbuPBgog?<)useND^C8h%b%(xV9q_W4a)C&j+ zjYOct7Ghdl&VWX75v^DFKQl$@)4pZHXQ^+CsBI$iHj9v zz9hUNJ6dR#`3e05-H2Qr7 zHAEVxdwBURpW@QGQqsB*aFerjq?pMzEGP6|T7D$4Tqm%MX8ySa*#had&~Tg6pTQ7_ zr7s{W>WauK>7Pzn&S9@%_%zPW8j<(T*0|IhyCv=ezS<&z9hp8~6H`}!Aq%J*yQ^x` z0|eZ9fV%_GriYJ5eAENpxt_s%zV4h3+NC{TZ$mntS0B|;*#BGq_R$GtjV2(bx?{O8 z%7xwBm}j=LOGQ55B;aVNRid-)YK}_%*mMUEDjqCx(fT_cwO=o0;x)n17O@5YZxJL% zjB@YB##vgiJ>(F5#3OtwF>jRcfP8*}moM3NA2EDsX;vv*Gh8Fh0<=^a@7p`xB4si? zT@OkpNZ6osOebGp$~_jHR!Tfk#^Rtw2;G?kup^o&h(A@tqMZWC+bM-w;;|mrF1pr= zHYu&fZ{6$^thJo1>Ft$DO^TXPZdy`PG^dEEy3v)CLW}lpM-m8*3U9;L5v2z$S^tsO z83Vh%<>lqt|83Hvtfg*OSm8IQ;+k4oW&c4!si`_n(kVLAO#jKTiHK&f5k4!=V&ESiV>G2$T8 zUk}Z*#dj+dE5b~s$|Tz`ND<2;FaFp`reU-054B1r0nA$fC|x)yB#bMP<}q2vtUT*? 
zRlh-3$Wu=HAwpFCK`RQ8Erv7`;v|3j&99d)MZUab4!T?+B0sQvCaPwATTR;^hQ!h@ z4bznNJ{8kNQjkZ-d}ep}$e3YX_qz{;=hSChAU&(St*u=ov1K>QWkWuS6}KC5BNG%l z-;8SBOhD1~4b>RpU~EXe8q~cgc&gNli3JiPbikmV4h=+2EZRkY_n-p@wE-ZbE@ozg!@}^lgZi5> zXo3{)sS60X#8K$o_-^#@PmiKi^peI>$~j@?f*RehU}fBW)<_`Ae9M~Xx$9ODP}%nN zF^CCYys%-so+$t-SMZ4`x?Pyyd2#`a==+rYetJxq;eV560tgVZFbI~IXGefXLp;$g zh0Uh)V#Ih2@N3A(xYCex1tOeAQ5tLDllCg1pBs4+nQsFb9}2oLt#yn_V^UigNZ%@PG0YbJ^qj_$Zd_|FxD9b zk^!;#_V{>OBnquWpi_c6%}2g-7+P@7tm7I1gj`l&!s<`H zd>w(e1|iJsKZ?g=$vW*eNm8d>yU3-yw%_piPv6>+ckcNTT?l-MEStG|x7lR(kZ>N^ zfF!Jwk@x*ydoSuuEyjUG{{ti;jTUHlQ!zNmT$;x)8NLK zzB1}$Kz@{cw`!yZ;nHlgGy-%18YJYUV2*um;}mzWUp#{PS6oe9PK@Ks#_8rGR(uysEf%2nO!W{L zk`P6*%LhZRT-m1qt~QBx?d;IFl-*VgeuPa z>T)|bTO4VaxYu5Xb-!W`Nhk;L=m_ZLSceXU01?mJy1mAX-(-4Z%c>Zj{66B&7^89mnr&dH^MyqRLLgdR&3o5G2|FfMSmg0tvnya25eu2KyO= zWW?MUzdMGNYaN4L(d9bf4w^L42X+QpNI*j$BqJUoqP>9UorbbB~-zL1O@QCy)0G(=`ZO?VVc){?pT{qKqg zNSrQIm%(ewUr%Nph__1k+6!fO-v%6(Zr|*(w!8#7arLsme11y7HexPS5Xn*8gL2-~p7d#vjv$3qYO(h0i~zox=l z9Hpxtl-^&TkFA64RjKpyGUC$6 zmCXe)!RjtmW{p4;4uTO_-J$nsoRjm_Mdd`SU!VCme5@<}7;2Z#=C-n=Mwtr6V=2(+ zb3@6cx1`VOH;);Aeb}Fz33?4h(|Gm+ak9}qxsAZ9?%kyZ@Ak0$LE@gho?$L@5J7$# zvbv_F=2fvB6xAmn$-grxgwe3Hc%#Xnva)1sWMavMZRhSM48|dD%xB@CV~j1<=k0+P zLU&F@oFZ+=#Mb{@_}urUJm}s`-rEu;c*lTv5&>X#bJ zG<)Insh+Q2C0-;K(Zu>W_n7p4^yF0Y`<@aao7aU!9()~StH!<`h8z*op$8Ae@Fnh! 
z7r1;(tW9Qv{&*BYXxxgQo`C=5e`>kd5JK$;{@;7}{q{r2l6lRyrYf<3s$}dV3!LQ3 zwGSx-t3BMs0txK7)l`!cUzlWayDi?Tur~t9r$fL!u#nhHaRJDFumt4tgtmY(rY(%W zaM}~jdvC@iT*Jyr@tZ%DAwC1t{zE}$5MbOfKma3I2t^2mtcI3{j^a~HHh+Jcu3NqH zr{`vtsN?2cw-1=O{pPps(IKFCV)f2xIvn?_K3PUTtOs|E-`6$Q1;*G4-mHh^-w0$r zJ8rgs=5n5`%zn#N*CD!(``7P3$Q@2pEIHc$`M%*szBd@VE_jq$-fPE21$*MMpEKhO zJ(eS9^^a|# zfmkqv*)9)Rguacimdpwo;=LI69A}3?o7Dw7{1y*r@<+`!5*buM$m;PehVLET9+Zdj zwY1<=xU^0Vb?XH)&S0fjWx2qgopma|G`T~>DVXSknkgh@RG$jFCX zNP*b5Kwj8Sct~$#!jN-^g6--9c(xKF`kJK(!1lnO8&GeJg08kj(Q*vy%Y`9-Rvt#HY zK~9Uv!XMHx4ChRYu7{$Ubw+ z?=~eyz-^BFtZl2}8C+Cx=auaIaOm$-2mO3cGGT;~el^fdKEUl_1?>6XBKm>_an1s- z|Gd6m`)THPct3PH7yaCRC^#?V*_-w#5OY^J`hFNQ;y6+k2%%|m^v(JBY2{=y&t>+( zyZ2RL{NzfuS!A%;VJzfg^z+NNvPH7cha^zv;n3;`qJu}!w&uZ%g5B|}S3PgFuHIC{ zZQ_kGHZV;=VunO+AJ{?!Sqk5zj(9k6PUx@=6sRRnlF!_J@`b{MXd@N0RsJ3PT+cnnWidAY%Fnyq+;IMb67 ze*PYP;uULA&z1hCva(y!+Q!Ci0^j50#V{p!1J3lG4SDJE9KV3yOi9;+!c=Zs3}6sF zvnQpAhoOyLx$c1SYBMEfXS+-2L2UZ(EpV@z?KNDguFh0sgd-$S{PZB-Q<&1Nz9UX2 z4gpY2?Z*N_t(|*n?U#SM-Xp<=T&&KObNlkjGt(JPDq-V(b!9AEEiCj6+(LykLWSHy z72HA%!puam1qHJObUKVh+J)aYr4F>1t+kjv#cvL_c#o`^XG*Lu)ya<5{8&y4G>Zy# z!sNb-z2;w8;iI}D7*yg3E4!FF zM@W(ZW{)Gb2FhoR@?)cc(71KES1Rl0TTX7bNkl+#eFOCj-->-QJxewB342m zMTC68lGNT_*l#4PgM7RgD4q4#2?qwraZ@_k#p15>e0cKdvom{LP)Nse$01nUXUp{w z5g|75G|!?%eWJa3y>dWjQ-Ca|4nM?T`oE!mBY_2(WbAr?LOT6NmdLXgg)wf) ze-qE{I5zwfg4KV+zc29crgya3b-!Bgkpvh!7QyL_WLMVTZ`sqF@#jHj5S$I@N45bA z%1Lk9YlDC`` zYM8Y4ho_w7=-GNEOml2@kG2(ptEOjJjFN5~{|G(t@bQs!+(B*vxtN%Cqs8VjlDESY zuUwbAy@fS6Fu*}}-P9Zym)+# zxy8UFBTs6jrt2+yxZFbZBZpCX!%<1O1#2CZKa0=Z)WT@a2(gIjF1tU&V>~mQtbSS% zpaWdzovFhybYG2?AoKUvFfSJx@1{bpUQkWlo~7rGDQ?%z#Kkz>Z7Sm-n_VbF%ZBW z7wB)gFe{e~mwNtrYjhC1mlIk{X`%%3|5eQLhZc;h5%a7$xsIEGNrF8A{_(637hx7J zU_#=WC2g-_H5i>@7>Xc_;`jf}^*Dn?+x}e?rSEp-qE{Q?kxKK5b&dFrR+c}IVD2aL9gjJ& zMZ{fsk^fCJ9olFx#s9bFVvkYube3s34ynr0VZ!1qjV5JkS=BNC!SeGl2NhwZ{GQ4 zQCd#o;}#17tfzv4mMwF^muYemaR|DNfNMC=3F9WI1SF#M4bXuoR7(Lrz012)_0`hD z9DA{wg*nHwWlQ}D|EHN2)lT8(1)bfsK~Ce{(Tg1a&nJ;p6aJ0I52?WG3QH3m`B`@T 
zMxPBIwy!s;8cm-~_2JsWwLqr%EM>pGN0NN|?Ixiw`Ep#SUBkV`RxK$YXYZ9VO|Y#R>% zBbfJifrc*tgT-~ki`|LhUB{QHiEItPO;c^RICxVd1`6gPwbY369A)~BUUR-Q+y~Wt zW4*9DSvOuNHNh5S=S^%^=T(FOLSvwuX(6nr5g4Ob^fvuQ0gj_W@MQTk5*_m6qn%gy z<)Q6uj*rX46pju*r}i-11pC_vlj8o`uwzYgJslh50S@xp7k|1TA3Q!4zE0%;1p3@E zVUj*SV%}7=kPkdK9XD@&%N}{WjvWab3)ynNRx9=tagL>82+rriSFI@X|ELv{qC#se zqTV$6=X1fgrxx4%k&%*PBYS@{EfFu=WSfTVwp?`|?YufE8y0MGgDB_WTZ^8=G%|enpek`;npV!3gM+?< zmo#2+WCBZrs>G9})*=9y43Z1eIFNvEkQ+c{rjqO$O>4VZPEnJlA~wD#G(Jv0j^@)g zz_+r9*+NoncKFr!kiy{*ZTm{bM`wAll~K5vQOYBvLhg&0U3Yi?3QzxUp8gfu{$ZY( zejcLH!)oLgFUsr8Jg!to{&4Qe#5RD52jg1#IA51}}_*bZFiF7;nSmG2kS&tzfXnsW?P|)oB zNX8Cvz-q0^!+F8~Fh$7)NPQ3+Go9G+}_!ddp0B#O<= zmy{xPO}m~71%RPAt~&DlwLSFNba*9u^Hq4zMQ~BaB$s72oA69$;LL0#c4)&8MJr0| zujSBjGzoT_?d|m2sJ9a{+iu!M2cm(j`wKtRQ%==Rei1hRckQbTsRLlkzsX;}Uv45# z4|#4r#rU9}(J@^A|A$EdtnPg%kOccb42cwMv0YibrZ)A{yJCdm)4u!2^tq<0lJ+Xr zo>}OKv!*hm;}Ai!Og9km@>XBz8jSVb+Z$sMcb!k##Q7buO`W$hU)h#I1%2BAlxf8BZ2<|bgu)GyT9l)EG1+^INLF!#-c6E4 z-oinW!yMuWNPss^f4DXDq+vu;#m7o?Mo(;Rnu%^mMA zs0J0^R9aIDy#sY->UU81!M-w;y2Z90dm+%U9!01|Gqf(LU=(wv@-~h%ay0Nbj>r?= zL_9+;cvsDW-y2s;_6?&-8rlM`CZtOWG91Al;)PqEHw7d>?Zmmg;)d}`MnoRPE}cDv zhxHIk(i&qUs-d({T9`!U#-siU3wX7QXN~i^$b~mJOIsyvB}J0O87Yl$2wFon=t*Am zo_zOxphqj66~d``0byfhF(1s6(fE!15L2y(YNN|rSLrpLg%#R`1=`^SD4Iwj{?Vnf z+ZkQKRAhi^K5@%XT#;&6q`P-$xU=*#Bl8AM2?WiC}Fx|i};hSA5fnX z9LzgTnA8lo1(4bR=~oviFyjnCKb^SEU;pl&BYlhL#wV$G9m3BprBdt6Pf%Axx`ro0 zz(vfrz3KBJ=lQ&nDClGTVwea2L&rV0&=TLQAI806jOvqYeOdi#(d@>BkRGk0-{Ch-FSuHI~cN7jL;RvU@7>2Q-^fC@h zSxsFlCpmE2;hDI%pC5T9rQm=k9E*sG^_2{HdoNZyV@s&{uyZHGj|Y|OV%L3yyT7|Wx?89t`8c5)$75-7ee`C*g+zKH{fD6Cxasn^ex``S zyOZV6=Kc;kho_A;FC}L{>YLNa>%UI$dzW+6sG7}xeIqDT37eRW^?fsi2Qeq-`|7sa z;Hy-5El?U1H5TF$uI?R4^Uq#6_<%AcB9cIqXQ;@)>+d|IU&ZC2`(fxV~|? 
z3Be^ik3=?EJqjJRzJRR*pE-ta_yYt7PB`Pix7A|jI=lnM+DJbNgahKS#v(cxJ zTRiqySys&q?t$u0?-G>@HRmJMt9sNjK&u9>9~3T(`yBC$17m0^2W7QS)CVA1%8V9# zn&yJ~)p_S9WU&lbhY@kRTd#M3do?MEH-w(EvU_@DgS`5(R{i`uxj^X4nXaDj+ufV8 zin7snswL3qssRUHacFX(#s9n36|CLt%7VGrJ$|m@QprDCnTW7scBp^wQ}~DPEDZp| zhyT_8&xuW9lWcdE&A_mcaj4wbXG?*Qz96XBPvllwK@{Ie1P$OC3@t7qTCAtumfoK; zRq!@QVH-x>0^;p(ubQNY-+{?@Kmco_)<96YpQBDnM&2X_*HTJ9{i04R>asAz#|BWNleMgO!?m}EnYFSz7B=^X-{IYzrk#A-!-^@y_^ri*VGVk)oA^8Y97&{T*i@UFj9jI4q*KjF5>081m#A}Gw06|c?Im;L zg(L&Y+v;ts6CKj~*WyCT3tp0;<7T~$=i5fu;bLPQJZ>5iD|q3TwXp`7#XQ0=DET1zLZM% z?wqzez3{>|LI2#cO8MPrn)m_}Uul(ApBDb9CqrLkM+PXN$HE0Bc68WRT_%|wJdR9r zcHAu1s35i335HPk8F#(&$KDLor>DrPqNkApT6t zJzQopk$hb$0S29(`wyxw&bP=%(@zOl&2zyD@vE&kISC@eG^kDuej5xzAd41cxu>UDvA9y`h^X- z=t`I0k0_(86usB~;+&2O=r3Ro=1+L{)=u2tIsl_56p>V2qm{O4x<`hT7T^?)*g<@E zDd`ztlvg`30>@HuIImyPrbE-;F!#uYr-{Y#(E}IK6z!>^qEln9n~JolQBS?=W~!>^ z-5^mIt;EewBq|B?Rj&g=KGLU9;@iE^P6O<|+}|=FG91_Z)k?6x=TQFR$HcVPbP5yE z%(1G6X&UA=jdg_wLIsWfEo#k#DeqWp*1ISN^{o$}m& zlViTs!n8fO^`8#>L|L^hO5roNVVf?pDT=ku|9k4QhuS3zz8@4wGo4CnA>?R@xC4aiBH&8hNINnC@8ni6;2;!9V6XLUsaCmiolYem zOJOhQL%qfO+E5H|o}RnID{(U^$`R0E8Toy2;y!RKaTnvksID{;Aw6#3grm;$k-%y@ zp6~YuWf`yco?h?iPBJ5kyTH~GY_&(q=DM$_*g!?8DstLq{G$0ZNVu|EnGvNJv23xq zwCniE>%SdQVqtRHGBN-h-h;m=s~z@cou8(ZMHCApyGA@-k{e7E|E}7|je+b#znzS^ zmZrG{UA6%csRk*j1`(+)5vdj>zCO{og!-V4nG+)m@rTlwFJT`DNewCSga6`tQhcb0 zkzP!6Rf!Vh5hjb74tev^;a2c(_Pg}#j$AfICZ`wfSO8WMbp?718e@i zdo2t#9`=fc=5x!+j(p2rZza1j6@j-wkVE$qblxspzCbAY0iquge!mcMWr0nzG=+h^ zfc06Zks8T&$U&xCNB^0HIW(%%wS(@tHyTbWXYqW>7uVbBj5+E^a)FJtVg%mhc_Fil zKoP|LJ4{U%*mhY{-veAoN9F+FY>_q^k6{l7&Ov-;8K)Rvdk+skgP;$<5U|dZ*u#PP z?N@KcG4S!dFq*8#fm_l^h{OoOAt$Can|g6B1=xD2oT1@B3kr}1oCt>iaNScJH3+cR zdK(Y`-=e83_gM(Q$w3qwG4hQ2^gtUuilDR@>byddU^+|)=kD5zTMO12yN;?k!Xl4cN2I@sq;h)22%9cy!5OJSpZ#Vp zh0>>Xx5v^_QUCI+4WjDuz~%N9jMaEur1)W zu2B<%P0uof_5^h81VU$0UGpj2-1`z6ugj%#3=`G@(5<(5+&fOv+YCgFZ4TKcG&h?R z9t2i=n+O{|qsP==z+L!Ll63e4{2U#p2j1p5EImOpCj0{%A0n$f?3XVW_QO&5B&t?! 
zF>u}5It@lxIZE#?a-woFj26pMnU_&d+AdDq#h>c>w?j0sCh|V^gL=rjEteV}f9+g= zXg(VGT^)zL&Do5W{5es^FAji-Kf^z+DC4^kQE+2XAoctz$wn^l7LI2Ra5iCygD{mO zQl+{%a$*m_a!aXXcAyC(nPFNx?+rK#B=$!U{fj03f)=vZ*@55?m6swLPaB3lfkG(H z_k|BZlM=XEmb(Ub*xmOB^_R=3tKo180+VeZ%s}!sP6K6l{GHbzhRTXD>D4jQr~K zWn57S{lz-cJw`Q;T8~J#BU4%eX#mYK%udxr<|S5pEYT;%uSl%p2fS;!M~yS8F5j#8 zCO4U8gnE0?jU~+NNmjrj=01W)8B20F^|95}(MZQK^>aN`VhAoGi<8V~O}OFSdcpvZ zBk3Jk=@e7vjz+<&@_Os_%%)w<;KC1vd8{1vdFe351t|}uunJ_?SaY9)nCxE~l%g7$ zqUxE(gN!(h93SShUiVIAwL4;0>cy>BivQxFE>jSX?;{A!NeS`59hr=Wh2b4U7+X@= zDVVCz_qts++8(}?HAqt+Omz8<>1cJqM6*1PXEC@UuiNq>F4;#TK)5=q6@Ky&r?&L_ z`BK0{k!@Q>9yJ4|!UKfjE)9h452(gA&S}i@iBh&kHZ4znhmK5YXKmFsUj}eZphksu zd}*A>BCBI@T)rr>0vnORL>%dimoEZcU#p3e;ws7^S?8$cX63Rkl|*VlQ&?|Mvqg6-&`e& z-rBur8?1vlI*yPn*X8u$Ervmm)W!yn-ye^?RHNq*e12ky&g!Gf^xGVF@U7c(e8HCO z=B}KO-zzOErZFwW#7&3Se#TapD>={d3O{YwI#wQZ%qw3Un$U@na9E*1>smwp zeXT6)=6znWt4Hf+6KfPb0q=Gx-ZX)(3Aw_-;}V9>X0)`4I1~P| zvn{L7f`}wbd-J@#aI=j`5QS)~vmy>yMbIv2q#Y)G^Aa-%II{Lg8x0mDpBqqc+k@m3KXqSp<2wC;>$l~@> z`7m6gVd5w!?k!5ky4%LJ32Vv}1+rj+J!ywnKEZ)M?w#U*1!At<$&ClcGREEw8xxz& z(xIxfdWh&`sCG8q)ykQ*|Pw- z!gQ&j)S#=6z8J3|O2hs`is#_TxH~-Oh+NZ{m-&J2^=7JXTzser`XydB-p2Me%v$mKJ|g`_g2oaMa|F_8)xhc-$wN7OB-=iqZir*j2bU#9*)vBS^+g2EqnMP9~; zV$qMVu9%@Hz&0}Kt2|FI48$^2}e?G@2wi?@Oz1E1}ZmnyG6 zWKKN*i7al?GL``3rdTx9bzpm;9H_YxJCBcK@T=3UzA$rf9?9HnOE!G;{1_3yQVe9i z0-+Y^Q7d|B6KRw9+T-#3NJmMJ^%&=_(KCYBJnWZKNNrPMF$N6?=##piAPjVD4GBy+ zgqiKAgt&;1Q@XX@7K|an1fleY`qzcO6-FcBDyBVm`JZUa`8Kn%#S=c{bJFu1fktQm z&1?D{v}GQD2W1ftn%yEEMZmRH!VMF4)vvqJrP-dZR$Ds#EkQ2sfB&(Y!qk>w!D=FJ zouD9O?br7o&ns4h7x@5wbM^G3^WhE-PjzSi?6Zo!isDC>OmsiD-5CWU$i}CO1vh?M zy|Fn~;J}TEr<<0Ph<@uaZ?p@E;Odo=Jw2hZ;{D-3MO*i2jlH;Cw$w(LnZHI$hUb-p zb3g2u{l?k-3BTs(ac!70Oxa%y9$m%J_q}9waHq0RJ!A3d*qK@=3TV0|C|sI2sHiPZ zYWHe*v+YLJXi`QL`%3~WxUsg@R~Q%f>pfPX{?M?90<%{lgM|Aidy{LzqMKnWo9=_> zC+|RR@o87_TgPu1KNxd*ugX^*$7U;@Wz;cBY+w65!k=58tG@;F3}WI&TiZS;Ft=Qg za322N)PCAkwlcG}@VfO3=k_y@CVrXS>VCYa@LN=@4bjNj+3!5kHB$ZNSi%(KVnHKo zVf^5I0me_}{WNW*F|~5uX>VrMMu)b$nQhOJmk3@;G!?VuX*n 
zA1t?A6r;;Q9|i`Ve^wfaindj@?2vi+RUSJ3X+w>~nE;Lq+SnWy0?nuBJKtpZ?znz& zF(%np|ILeChbXY0a^F{Kl}W`)%toNEo2rv6Csxv=wGn83`SdjWaN4U>Nx17zZMb|e z@jSQWv9Pd^k(M?z2eu>;X#R50Kf&2{_Jp3Xd?#z%a}%iY`R}!UtU%Dt=MG0&M@Pr4 zLnuZ}={meO+W2?AMbq^jb2N5FVd2a>Ct5uCCIR>Qr(OZ1J5dm50_^ep$=C0@B?-G> z2SH`=*$SMnh?iBOmlpWJEURF5{rux5HV5 z*14YOwQh89*ljdWiVOC;zC1hd{n>E-VBkTyjFD1*bVFjXohBrc4gGol#G;L9UV@gP<9Y*R+|O2ZC*BRkaLkYNK#kG7}pJ5f#ae} zzq|Ym8mv5oiX;e{f`Ok7H1kQUeZcrER9}bhR3tEqiqu$HBgpR7e5Vbn28K z5bVsVizg*U=|zNq9Y}(&HEEa^mAyx;kLM*VmURYs4Nk~}S!EpU(Q1VM3dLaEUn%As z?Ejb336RPQE>0R-2nl0d1)uGD_0{^y<6OIIKdXAyom5n zx=^>CMKDAc2k)K3WNNS-D3257xmywLK{J3kq{fN;5r6-DVJzWX7s?#{9^ags2Ku>$ zaNZgXp@<>sf>eX-d;w9{X$Kc@yqcoeLa=FG;MDi}QtdJAx)d}ZZ@JV9edq1Y97k~x zp8KtY!pJU^bBqTp2`+N&G6N#7SRWOZhzz;uuuSrcx!+5vgLA-@;ZjelUJxB8^L~Egzd@k!PYq63S8qHY(Fd85FeMU-Y^l{yGFP z)|7gO6Z5b= z_7ln^o|RI>^E@7RkNL8yERqakB+Paw+7JC1G28t=&S1;>by$;zdiosL(mY2>y)F$K z;Iv0!*vQ#qyFTm0A#WOjYfNFS%Tmi7dVkiryT^QfJlhmEJ9nAOew@`NyR+K_r(5~@ zW#dNHy>7BSd%_S18aM}AeGmB9efLdPYz&S_+Cv_=anGshSe5NcTP*OD&a*poVHTu> zRk?n_&d#oX{nw|lS=|#iS(ESPFKaNA`gEaj4h(oQrl-oL4=-lOfjr{|9nGCMu78yv z0M@V6Ncaccnf|e_f_Mxp&Ba0e;ZpVqFJ;;X!x2OApu3&j9GfN}XsDr|TmBY6N`F~* zgKLTC-FS#o>qOXZiLcGY%{>N2=q;{;u)9r2CWvzWy6a3f599OOzawtMFYbPG<+`R% z9g0zUprZVbLc0S&?7~_1QGf<5u>tK}iI-JQk#3HRwW0c%6-CMrMb`wj@Z4-%Uu^U> zeb3kN^8e!&T#eqTdcac-_B#Ok`;g;Zq1QdFVhDlD6B`#g{S_Oh5wH>|C>qrN)I4yy z!$}!}vi!_XhL3+pDQeC8Km+tRj{>}c2v<(U;k~u)zhc2LOT1Jb z!gj74F#vW|`@RNJ@GLr;B2!Lk?mj9?J`_s3gJO7j14B@N=*;rr&~a0-Sir1&m}H}k zzt_sy9Z#dEJTI-!2FN<;TX^TRxI5&Fu zotWYj<>#I_SClSD0pXuM8e21zDGUgG1eN(~KM_FOTj3YnnT!Zl-<7gEZe@ATDhfMa zPuKk*UQ*E&nxf}LS*S8$=zjC)bn}FWjK+c?F#js-_v8}x7eUSKp&uvPI*iI`D6Z+5 z%Nt@oeup+62LPT1AIFYt*h;t07i}+ItI1X=}7b(OR|l-kaE? 
z#0(<&-S5x$IiA1#6L)f4N3JvHdA=43?{N_VJeGGld%TomFCO$d(6+;FtmrE{11X2} zY(wYD;K{)FFp}(UI!f52F$c8(#}l!aB&S;*@nI<=Uj{9gJhglk$g;Fdaw9*z3p%c`ySZ+E zol#%^+Y5W>dk}Ks)_l3C8l49JvzLBD8mDl9)lyttlNz@lm}15|SGIJ1K3M#7h}ioz z^85Nz>2?a`9>hQJ><{G-(58IO0kJ`NxKeEH!kQ_&ko=RxCpCvv&vo(00RwW1Xt(2& z#oDdbVBBWFHeH!{DFheZA)rOUukeOrf$W@xV0NIaG0Bpejih5^{j0k)ZjHMiQ*-@~ z^$fKX*5F@Ea9QbR=F2IPgEXGq`l9gkRWt5H-fN*=Lv531iOj|Ivf`=pIW}x8Hvd|1 zQF`j1e2YW|{;;Vf@mc-*c}W)hpF?=Wtp(VtI@Rd(zzZOxk{al3?yuZO$FjU54nVB*v@yhp*PD72b*Q^kXAk`fuL-!Q&&0Q^f1BwdSPj<3&zGEl-HBadNxT`xe5NzCqSPzg1sF5P`kXDsnH2>cld=LgA#scnX zu0Ng}*RZDgwDWIU9T53Z6C+Y^Q1@{0`qSMVoD7a;&%+pcuq zUPG8RrdGRGo1%KotW8!>Me{eau*5Ls_ zz|Ba=Yp!Fau?)RJGG`!uW#87CB^i+c;ktB`2A*1$UJBk!5L8l;=~b!o8?xu2ew~@z z>mDc5_(X%NIux?rmLjz*4umUP6n;mlL=oW<;=_Hf?A#STgpedcvZ?Lp6u3~iiaZ?0 zG;9BnKh_y?S-XNM-5r8;PcT#6Sp*1$pkR4~8qGc4;t``^aGY*y(%^Dhs&nEw{0}mv zn_4#be(iaSAMW);!5$CG?;tGjXN=*Thh^ugC(#)s?LE$ksK{n-`Xmcq62T2KZ}&Wp z$IjZxvA;5e;-hB}>;}6kRZ3(R=BnF-Ii_N{U=H_suT^Kd zWLD06A8HVQs)XP_z;U^TE|AkBBRj0F!c7+7n5|b5f+h;+=4m{?a#A3yr@~f^ZZ8!? 
zx15(>NH@op0}F|lo>aoIq~YZ50z@Y^e%RQJc+Vg|tc-hUCVC4TNC`(^Lp_PmrXR4p z{OLLEUbrG1g9>ic|FtX(T;-+8i$|eo)(PB)I-*tSiGj;*tqP5jcakV>-`=tAvm-x$ z++ov2P*9Y*@^1`vEL;CHQn(qX102wYy=IJO$??fxkDRm6BH2^7%Wu8I)64Kk*awp; zTM|nUA<^gEc#u#O3xi);#0lwyL@~2csAmusds`{kxuWS2|DPGfAl#2VLmWaa=7B#( zoqf2g9(^x%V7RFT``69i;q-wWtdUl4CiBTA(Aa^Y2+>ERK1v_g)DrHtxOi)S62r~a zK@y0yTvO4jSw1(E>S?SaaK)SJ57BTqElc5}-aZM=W^FLZtI}UhIIeBm4TG=103_Lb zhl*)dV9MtuAYrU5q7JSIjtp;Rp%Vt!nM#^wDqv-f#ILDl+N6L(4<&d*8455qRprg^ zIei0wVU>Qeny_d;a~A+u4is@0ld3A`F$T9^uDc7@33?5mO;65 zG0-4@tr)VBFa!szixjP?_;)($@&m5eRpnV5BLQl*#NPr7z)^9I2E8gke#nyFDoe}# z@(95dNp{?jo=QyXD1v(q%9w6czw^EL*Y z>pLvm?7H?$EXu%$f^adn;u(tTb?^CPa{>ku)ZGMa+h#xf!0XAKAaWYn>u&83EAo!^ zX6xzp`m3)(RBFHjw!jJb_rxFRxREUFq_1uwGWQjLrcV^!L;7NvWlU=Th?pAt4_Q3_ zPgBTQS149Kz!G{8epV-Wi^|nM*lv5Ky4%Q|%ywgHMl-zT?r2H!QVJSZCqo160|a#tVzFP%o+orv+pCQ@JMXPNEe_}+M(?5C~<+Ge-0_1>4S z8m(FA*K67)4CRX3$J}ls6qc~X7BCRV(!zm?@a7DqRd{s&WHb8HFx~?8al<+V&HaYv zCw}|$I9v8pei;SUHDSi1cntyrzP*m&J_TwSHvos%?g1S7yJ+<4FT@gRwwC0s1cKe(6u zO)`kaY_8Fcf8zS>umwR($a4_<*2Jw1y0=zfcc!fJM>lv zRa;BN=*;e5d`Y@wn3}O4r-L^Z&Ze-jyNT{(lwCc@oZb3ZwtxZJh!Pm5)cpqqG1QDr zOEAvu*?Sq40Vrz9Xw>!L{_F{5cY25``wkzf<#;X|2D|AJ#J62sEHr3psuLr!nBf&L zPF~*eXkbs%M2ZKx28NYbtAo1bo4Z185n%P0mqhEpvp(Zxd<-18C_mn4bqQ0svm3 z&E^Si{wOOV_#;o~zkiq-Cl^Y>Kz;Tn2w@Zi;Xm4hPB+LnG(FDV_Niu73-5UNlUFm8 z6%j2fw;_m^32#h*QR(hoaSkBphsR1eOg)BTAtG2SJWWuY?ImCYFcoK`NzK(*4FRHi z?jpj$r&D6J6G|$90vY!i7sj(L-B*6x*LGwPNYI%B=-e)@Iv0SYKZ{jPxGx8moLrli zc9tqLv6$f@E$x^i*hu9C5i6Gh3s1E?8W?0~4{O{%rD1E>Gc&0f2QSM!Qo$VRHnyF> zq@$=3Onz%-N3F}mf=lR`>=50U#^cyt0gU^035lP*SYh50U>4kK#q+j`nFW2{I*Rb@ z)PCZLRwOsaZd5>&V${i_hdKE)lrLVHxQ_gT_p>G@NrW$yy)SKkZMU*+oDJe~?}$j*gCxA3q)p(9)kQzWqEv$@X&sTfya<>~*O=iXt9YhJRLXe2L`% zTC_q>!Afzeu0p?Xh*`D;wj?ho?(BUq%9>pv#p*$^-`)ZBozCPIp=K ztQ>xGv)-cF&9eFm-5rN)El^grIqO2^`7^u@vzq$H;$OFlabzO7YjF1Tpgaa*yM5r! z!dKE0EhYttKrtsnlFC>NN&!fv0j*&`rImkKs$Cr2g33k)ob49Z#382oC%pH59iFX0 zL(WnSm$yC588 z>pa}@&@#^QrS$`rxuuE>sEV!AtsmbS8#h5ic(D+eFUPv6BtF;zm}Z7#52vD$hI)O! 
z6rmA!pRj<$M=)C5l7uLTiGq8xrOJUr*-?XiDZ10GlZ&ELi&3GQ9TT=I;p~{~x zuXZ*!-@t<2zC}JM0LOwLqdi!09`ACumY_3KJhNnCiKLXcfgARF-iJg>!UL&x^k1n@ zCDRi%bz-=Yg1UCSH-f4LLk;lN>*zcvP&2+dzQZSmQLGr9lHd~5+CJ?!BvA#JtrE~?KA8h>(>p06`39kvLD9n?x-v?rn8?Zj^e>9dALT=#KdJN- zeN#K?7cyMHnYDfe_=GT0El=z0&@i;w{!@A!7`@V-Xu%PZ z`-Q<>1w(yHVWOL`*F9lCJ{S_-%K}8kCXA8!XBE8UKtb>NBpGo)^D@TX1iI31LaB&- z2qoi0b)EsC#QmKGWGNcnNhup5-|e0VYCG-=#RSmJ?68q4CKBz} zKOz%j@kG((h-4=3%O%|33b&P7Z~xhs!*5%~gMw;@X@Tbp#Gj6bvf78r$v@yee)ePh zUhO>q=~})kGJbsAZtFveqj}`@2o1PUd$=>mI8qw?1=kK<+Mcq0KTtZNOj#z7=#_FV z)s#Y^UN}rvN4#NElD6)Z%8Y)(^7&_IPX3+8s5(Kf(z4yqB}{Gcr4vSHAXGLzfY_h(g=qDfJ2S4+P^**c*yjlpuC zU8j%KL1((f)*Lo27qZ)F`RAOdq7sHhr{7-VR6>L!M$o3F1&o$uM6M24V&gYh#kB=q z6j4;Tvuq3A|4tV&CCyiim!(wN-@o__<+gBq-!P^VUP=UvQDx=0L;b zlXit(DLGe?q5H9SFxnB_!)}LjB(;l*DPM!ICA8-4dZaihq3$ho7$b>cxmCA2&;iU2 z-WS6Eg|1`RyF5<@BLx?|4v9p9j*de*C%Sbb>}+!+f&e5Jlm{9D!X>j9LC&G4{S4{@ zV84E#Zx>6v6ubFtRKLLmqjR?&hB2>RfoBN~Ix zcJuXmc(Lzz2iX}OmCVYLgCTB35Llrub+rdJF#`P4RVSaZFjJfV>uAQD9*v9N?s9Q6 zTp2lsQyHuZQ&f54-Erx{A3mKRd$Qhdf|~V?LeonOZ!q$1s{i7;rl#CsZf+194)?>^ zvRYx;uHWD|m0jJMsuw+LKxuJxFrwl2m|Jy$%=1KRuN&`I?ajHp6gYnlS~);akrF0G z3bW4p{u5Jx++taSGiE@64M-#`YbACiO=rZ?~*0*eCI9oZL)t#>__;O!` z^%l?y#59(5k?g9sG;ZnU#R8dj!n3`D4WcE(Y2T*2VUm4PLS?#R@_bRL)x_S5MakU& z8p~o#Yi%mT63lN8Bn_Wk!OptuH)*^v)h2=UB0wINEpAEz0HfPhMn>5-dET)FH_7(( zJ*^>}8+p8DY9)VT;EbWw+7%Gxk(n9~3vbS$R93kuQ@##< zkk0C&djXagdNMx}V)T-ynqlScEp*$hL6h70bkj^4#zKuPoOis8XUL6u+LTH?jioix z1c$aEMIIb?5}ohr2?^M>FzBUuB@dXG{m6);p}o`BDY^{!O8m+rZ{_z);@V^}vK)%m z+$|H{g3{2YPAHiT^^(eD*0Sf4{RK~;2#;w#c@%>O2}w4_GTeZGn>wX>ASm||$jZtA z%mJ@Fow%DM&_mgz$_k)EX+`yc#7i1f?h&VwiUBb#t^5$ZSGJMI3@t{*z2^>lVM4Pa zxJ^6)7QsUGR)HlL8tAh6EL2WIATcQuJtR^f44A7Fvqo{h6uYQP2b`HlbSX}x$Hv&k zj4~Woj^^%DAxe4vbl4hA- z=-O*rvA2UkR7YSQO-E}gAONLUJc^rez4yxVE^Wvq4NcVTTijH}9v$KR`PxH;DUS>m zXr7M01h`Y@Z5Po@)nKyjry`f7A<6deW13bu-$ut_F^@(lYcS}8?RtWGt~T969oaq% zLGJ(t)BNkoF8SCd1=V6-{ymGp$r)&BOGUo_e~RPmKi`_pHT4Ho16VXtg_SX{VjjWYwb7qo-s$$RhZnVL@SdoXwQYyMe| z+auiJoE)jC$|J~x_AurLAd6d 
zKQ>ggt$uxcPPkPpr*ZNz(kesd#LaCh(lT`@7wu#w*<4(Fzj30(4MK#DXN3roftps; z^rp&&eKS>D>;i%D3;=nKfgZLS`QFo$Ry;xHksoKhE2j6=n?8)5a2}_S1ct#q3Hm9D z{7#=}W-kUiz~LTgw-M8;3+!8%A?VR7^mLg&(sJ=~P`3{Y!OV-|0`ttzUM62sZ|btx zN-UA7U;(BL&aO!=Fqnmi|F&Pyk(vn2JL1aC`zf{i7lu316AOpJa2a*5puiR;pLM#4 zR5@O9$#2}Jo>u*&<>5PG@6FZ_hRg;4o^$Y1POtE@Kb)?^Cw~6RBF!fh*w*pbowMh& z>C!1vb%{s)bQA&z*fwCL)Pk$(BHe#6Jx2T z@7{KQ$O0Jp8Uvy##Am1XtYjy`dKoq&?>`2}DwUml!GLG^FM@w0jN>oj`(w0rRltPV z3<6(FMd5(4%?~1liFm=teSi}h(*u3$ljIx?t#=>z0jvUHHyax<=HL@^t#vr;?i>21}#hiDH<`-{Lu;w znhOAYY<4|>1dkUSFV{G#NVYwck ztOg)KB>og|W)CAfqodtn0i2jeSIWEr@4}P}A}WB2U&k@SG&7ua1IX})Owux-Mv()+ zqL+A}U?k*e4E0CK5rQ|ou;31kHSJ$Nl6gG{eCU?QZKWtwWH^hpZwt}x_rEn!0n_Q2 z0B`BRpkwk>$fGp`8X0*?_t&+D%~*wwd+52|+CJ@}w&I?EHPx-%9fHfUH&*-!x%B<@05}b7{IQVxB?toW#Rm|JN@f zx~U8D6Z$x9yUBnT94BbYgzz-5fC_TAUzZxTxsg(7N1*UETfxB3^&$`Xpq~ns0DbsW z4l-iZ>79Jy2E(c6LF-j6l#Oc>k(DeUIfOQ`ly?XUa=p+m7i4vNdl1sMq z=K$+ykyAhae`Q7ZRsHq$U`v_s9W#a_rcbe2)MTH6Dbg$BA)hH*w?t^*+avSgCoBtO zS(leW#y^uPsYCwK2B2?cJ04wi8OHDZS&LN^ZvLmn-h{UKO$#ts5~Xe1syvf{5;DTR z0r!~7xjaL`F{6*z$OlTq@LL1M`6H|n^zgc(>bXC(XwN;3!(;C0YDtC)pRTpXwzguJ z4F90NFmGULG!>IlUsVnpx?(9prNdtq{-?nQ64dmK8`3I@maQT%39ofYJ*1yHOOudz zztH7@MRGMLMrdt8xLgn&1}`(A5)D>S5c;wcXC+?-z;jouBgu@&B~y-zSEWdpacNoS z9LQQ5K~xtnT|TR;>u>Oo(??dYkU|bcr2q6Vf}GDq7@+;o@(9j6ZZm z035q6grZ(t^~1m51nvF)6e-zFYOqRCzx^}9Pb|HmJq&NafNeZI$5?u_!4>t3_*&1X zv`hCXAViUk|41iP?%?!!?dRap zr^;iAC={nRpVx29aL|*=qBWT5P1W*kn5On4(IAZZe>eNXl^4_NjQ=REcp<3?tp57s zBqIfVUelexbD3vH4JM{vU%wwN*>X1#5z3SyeztMKe1A`L*$;J~6Pte*W_uGMNZAGV z8vFo@tBy8(ha+JK1=uB3>{B4fYrf~+3hVFJmVK9rzLSq|3;*)wW?@<3*w1wI1WV+1}X&RC6_98h7oAJ#DrgcN}FAOiwY(I__q z+yf-u3ERTjlF?dV5|XtoskrR>4@)hE;Nug*wO`spC3^7rE9y;`x;ldZbHw53YItyL zq3S2*dm>XA}>65`sBZi!515sv2t|B`k9 zK(kRBcg~|pX2=3rp8q-gV~>I8Q^?&*?WBoGa7X6tY^G{zg2Z>Hm0 zeyv;>erW#Gk3M2`0r<85%rcb&LQwGmR^l2x*6M%CG*oWD;_@@D3 zF-=tDQ(G{`odYRxmzG4-D^jL`W|m!)>e4-!+)Wt<^soz){DZagRxR&-^pKaZ7V{Du&smWSKfqLv(98w!IqOo7W6IEUqX8Zci{;> z)?ohT8=uPTKU=`=vb$u_{p2|`VyWvstn?eK_Uz9Ux&Tsn 
z-Fk0>F7PJ%tsw`w$D=dKj0YH^{y~7WJzo+RuRuq!#VBAl_rI#4&^BunP|)=scV759 z;Uv^!JO7A?RA4}GZy56WsXsP3%76rYE5KG6nv7bmzK|p+1aQ`!?d^q1x0a{QM2+?7ckRyNTd@mk&rpWvt&W5L;UU)Z0$2il~1{ z-(!TGzjpH2@}2Mq<3o#6B`n!i)mqW;Ij;ma;#Pn2GnOSX2H`-ng$Zqpnw1N%%I#el z;j%ft_wN-9*KX4_9Z&tcj83OoHxF4p-@Jux;ivUtjzK0H2F(9h{qLZjk1|7gfA78{ z?mJ9hDfbZrFei#2c=QnYNy7;-mBijPV2b2K^3jfExtFP!a8OWS&l0qPLII53V9QiD z;)rfgdP2k715#>v@viCa;kLFaU1X4e8lqXHp_2syegVX={?}f(0ny7GqyqO@oak7@ z07)&wZA1W#7ugl%O@5Nli6CIgXA78()17&DAOh6aJZH)yA-1esi3q*a?~*Sf11RKy zSs^;<_t)BiIz{&$ZC;OCDqPd!B;(31tRwz_uiu-gP%Jn!GQaKJ2Jhp3+6}_9daJz- z49$^Xh6`u5z2aCfWEqcWl;^ZLn_UM7(K$e2cS zIaH71g)X3BlZ0nNI)Vf0iSmUMtPU_GxR`+*MT@m~Kd-HZmdAmm{ojmNv{svK5Su6oRqy5vju z1tozOiYnp0YLAa}Ceo|D?KE?8hV!%3R}y-h2JF9d6j&7Uzluz`%voPa%wMOb)#U2f z_;Fn%BGqvj^Z0<9SLNSJ&3iK%k15wY6*!Qpnw(5R&`#OON3{cmuM08x`^@`t*bw~e zSSWto?M?)gx^b_Q<$c~|JOt`;*XumlZ!?DO~oZ*r>W)Fq*{Vap%kTIp6#E4Y2gt__#H z$DhkYfn7U8h`O~uh&{DB9+dn;IUFyhK;Zc3Q-hdDPzIdW^KX)?6ug6#bFUi?&{7*p zed%*ORj@YQP$>m0^!A!=rdXK$%K7|Z&mjLOGrT9$FX;W+`r`l;=_oi3j=!OPDjmdm zfi*_2@=Hl{|^b2{e2|2Z{H@qU4wMS4KY|#{Vn_fm%_`$ zQCWC0=fYP`Zbk9%Q#@~JW&6_qep(dqB?#NzjaDPLRk^cpIe&PLZ5lT8{a~$-%z;~f zJnq*DE)Wg4xC&P`cL{gptDsks4P#boI6$batr!*iDL7c>@T0*j6nIvxH$d8RjfPEwz zboBn!5}C>F^#`3T>DS{6hn07!HrDuV#Vq&JLmo;>#$Qd72J@v#hAJ<{w)VGT@R$=@ zU!_d3uYdk_#d){E;^Hc~HWLB@n>A7CDTe(7jQ~EAZ(ODiSo!?E<+|M?I1}#!od*Lv z^ku+Yg~#ou6^=%KQqU+~>vTz_fk0GU*7tGdKk>!f}x0 ziiwQ$R1z~Iqf+uW??R|>FXp^%7@#EuoXk7w6t&ees6FHtLpwLrEp<=>^o8mXk>ZLC zR*|Jb{~5oR6@>*-ydFat#rLzF)zcjS$OV5(yVbTComJD zqU?1CFokn9Nr0@cCIjJXeE&%huUGC?{*9#ezXsa#Pb+#C%{`#qsY7BkVn&1FY~$T8 zsnLEyK=PVu)1<=6P34Nv`AJLbL&4q(>_C3UP;0z3F#w|6i3HcEMODHBq5=<~q;tr( zC*UCfHTgz8!P#1|b#eAB_dCw>RARF|P9?l3?E!4{%^f z7y449YFIgNdZB^lFhFc;Cil2F@pihlAJ6wkUw*USqC$fUQhHLPY^jQs9)7r@(_4>U z9G8q9_|H!e4ZaVU{il-eMI_(JNr=b>)OeW2QvA#z#&lxo#i9RF$V1;>MFI$`2d%2R zC6&L<$IF&}-!_w(^w*njxkGi}0_6G$##Vm&U0QeblE1f}pY0p}Y)@UV_tM5azmH!M zQeUYT-_MWvBXY-}Y_04b{(RL}@r>BEPd)QFBWNM-`t*KI3^fF6#1{OLuOkEV-fm+z 
z20nYtBZd1L)_uArY*7_zsobGz`qS|w9gE_xY%X8~(fdi^28_M_yZy~B{YnD-P}J7V zKlyhblS%K2RDwWvqFL^^7Hjlf}b9r2u}3&39b{e_Vjtc7!3{AxiiiH?il+>2Z~hT zR?8i6cFa#W{?_d-eBbx)4eZ-H8z-HH%Mm$ow-j!*=7@PkqIkF-PlofE`UGWV|KEsE zUvtH0O7p|UUMm>Nh+oC-$stBI2TL#Um(!5T?2i>9?@^>A&(8iW8ZMA2%wg*wmJd_O z(V2y(T`k^U9~^}&$L)1mR;ie&Csuefyd$C2bEr5En&OU!o)IVS}9`uN>V&L=alrjK3PE*c>qLIYA1NCx>3Lz?*wmUjDZ_ zfC2a6YWqB`z7>aH7Wi1>X9_^IKz;-?DfQ3ayTkyk!rDFZT9L~_k-I5dI!Q19AiVGG z6g_?xB)Dm&XkVSi{zk=C@N{Fq9l^B;h}GE($G0I|sS~~M?Ndc|(;1|}5uz=_^UY9@ zpl0(&)@$mI)ZTP-UQ>6fNT$ZkXG0@@?N6_<*iZxsz7zWxIcTC6)gN+WLcAO*V7j1T zHpKaNiFt2_%64k4mCwsa<5^@+)LA{O{#%?aMQM@j^%veFAOHz^CYSqZM{F5@m0`Vb zvhzvJ0RB)YnNMLA%e5o9Le4}Y#Jf;7G?xI*;iaCh67GGjVl1ug5*kTpC&ogcdIzSi zw|4atpK$+VRndX!bYlk2TLa3ZKC3O)iXdtnPjs!}>Pde2P-N(qjwX)gx0A7ry`3~T z(?O$G0QeyX1o=a$z3xAr|M0abdSWrx^@M4N99z?Pj~+v_mMb&?1f=xhppSJ3sQg8_ zsdiKV7-tpQA!XeLgs7x$7zxwLUQ>f-c0v+LvOYLnKlWx8MUY8>aU+1Owu01=(;JN? z_)1-LpG?#79@Bn8M+Qx+)e$Or-u^47X>M*7*`ND*7+hPcTJXd8dyn&XC!wDhwSuC_ zJY6j@?yr;^0Rx^IaZrzDgEzauE*X7ozZF_*egk9t>gSNg6`!^az~*&Wg^P+sD#6)R zxam};+fc68@F5e3O33tQ6&q3`27VJU9Nu)PRk_m%Kl+QfEPj2QuLgQAaFP*hS7(9U z#&|2d`g!$d_3}lR;g2#7%6Q}!9CIW~Jma-iBNk-w_hVk&d1#{2jaD3W|Iy%8=BkOK z?{L@V)~voT+R0wad9P=CqD#RtZTe4xXJ`@ez;!80`WIt0?{7@obQu#o12+!V5&wIejPvn z%xHEC$Fq=ER`$8@)x&F;py0NeyI0+Q&Pm_pEuYGIS^?vw(B);Xt&e66>(Uc3hm`{? 
zef+%B*ECRo^P;d!t+2rRju=$76?U-{trPCesSXSyc}=7rpO1RshnL-GU=&ZE`>lDh# z3FwpA(gVP;I^3oYU;bpEq!sm#+@)6KYgS#iRt2|RC*6LLqfIJBOerL!phEM)Cf8I_ z)9jP#MAlz0-z=R{rwK1|DAW6_nWIVqut#5m4rnr@N54KZd5s1;xR+Z;H5e#H7{!05 zJVDg3rBhP9=uOM;`Q$Phm%8E7Oi~>=S2<1R#Y)DjtYAJGk^i@Ipdi+)_Ty=N#``yW z9<`EZh}Vx6)7F!k4XsybF6>Q(Urdg#G5%GSpkMlW{REY}fXtpVmtjeYBKDbb)yeWa zQ{iI;l}c}Y?PxH^BvM~ga1j|2P*ug!NBbDYYZ8|0g9bMm3BRabtFf?d{0f=K zlyNt+XGni_letIj$S}Hjo~sZ4*Z48G@QH@RPgLfJdeIux?|qt(pbr*)iNENez7TOO zz5X6Ut$ItdVY_xFz3Z;UPgf6r>)nS%EA)c!oABdG{gB^xTz1!^=H&MZlzg zr{cWgrqZICWK9s(GvRm=i$9gfHdU)#I|u_w>YIA{%GyF>@avsBpg`=#Vb&Gu^9}Xy zc9EfT9$^hsjg7YU!qC7?7v#LmC~?=c#%1=?JpPLL@TBd0D-S-}4j(JEoW&<}BSmq^ zj3ov7$t44xUG{a^WjU0_f@V9cAn|?Z)r)Fv?DEgQG4ucG=b7-dZjJ5p2+9wW7`*=} z@e*cCt39v_U!1yW@anv{=T(}I zL#-|cL-kf|@VbyEDZ|2=c2cMoyZO9~45JEgi|x+Cb9_&JHTicehN?pLF6Tu0Gp&OO+Sxj|fjuWkc%}1&e@gXLw%Z$?@dgVm)^9^?eV&+-muasAINA^<0;Qypkx~r7kx9&I0-pDs zqcnZE#)13l8CBk0TjN3Tk-WA@TgF2mh0V~9f9RX=GfnvrI4aZYdCMQ z4iF4DjxsimJK1?u{BF-fRI_NeHu$ZQwHdh;m1wks>t6We&lu|Wdd6o|D@H3`Y685B zpCI(hw?MBIn(o<;X_)D3j2p*CV;IPNn$n2B4TUoDGWL`|@p5?kLC`&Em;}F#R-k^9jZg?{3$XB z|DI<6{gwydvV|S0VqUxr9x2~S?#Eg*)xY519q3>p9Q%raJ|C^Kp;zcQEJ}A^*DX$; z>C@NcS8mVAr(8u6`>c6s{Tp_r-_>A|QdHRy97WFaMKy%iq#e*JOvIswCUwMe2xZOB zYSv_4oR!T`O?XBcBjQI=uQ5cdC?#P&bY{DtN-QzhH~XElYR6 zxQ|_QSouGrrquZT>Wy;wALpd!&T6lYF1x4$U^1w|RJh=^B@W+*p_caCKWcmrr(%Ax zy+(VWeO;Tf;QYI0OybbTyhV$6qoZ%_ph^VM(bxRgy(j4H(r08T+9l`f^y|&H|9+-Q zR$)Z56^hE2$R6h{<1^&_clY-yS`ukfhFcy)3C=XTT$%(OEv3FE^Jn6^m7HESm+5cy z=D3eq0b3*O6!<-7(6w%H<8=9_4P)w;x*sN&*>1_rxJ^W53)5Nc&1&{xkXV(VpM>59 z@izl`*ZK3NFE>4WI+r%*DUeOQ?-hIP4cEFY*q}Rge0JrI@ac-h45YV4W&h@oZiuFl z^;l&r{lV?q#rXnF3MTjLz8RE@!7#GfzxLH&KO(OBE1x}ec+iIffX#PnuUeFN=cqN1 zEk64aRT!hFfj57z&twe1NI1HQ^}EEE8_I`I!`sKd87%&`vHVhju4X+OmTm+#dBo4n zo1NODh2x|S#9eB1AUCJL8qV=W%6{WgAX&p#y`LOw2^(Wtqtc07!AyLN(bLsXMBv#O z@26eK&&}901@<0IMU8Iz1q?(=Ve*^d^=b9tRQYnV)#@kNe~pHFqn&lV3-3qT;fYuA zFW>c6SBv-$u*kgY?~{&JXWRx9GX8(-Qycc&&RgEtyuGG-G2`vK z<8m8rZVs6pu$7w2ks`Ro#5Q~M 
zk7Z#ZLH5J!@p~5d1nQQf=RiH=sq0d$|H(hgE^T7>ew6*0iNuzmy2sVw#Ls9#Wq~8c zK}_Y6`MnV7mU9(7lJ+V`NUhTy34+1;e-R1+0aq+gp)a?y$h5DA59Z8uiPNn(j3T0} zisn@kIu4N19}ym9YRA&`0Tg)pS~itlF#gHr7yot&YAZmNZ#R@EU~)F%m+QV&!~ z75peXCW|5FrQy~%}Ix=kgUz#sQzBO&$4y}z%-6aeF# zdgesZ@HY7a6V-sZ`|hRgD|(Y^)%R7_yXs00R!k>2m@1^t=)FpP!oMl6mqK2bNZXA$ z@4>D(%7sgojgu%Yz1!;)ADZjCuEJ!{f{`vEYtX?OHbz?EHWr}yvNlf^OsUV=%T3+L z>g33b<5T%Gf;JwuModl`39-^&3)g&n7RC9XRoF?hfhg`&g(Vc zO1|@S**c6*3Bb0QU*CXVt||AX5tnxtD?Es5ctS>_EY?&$RN|)p_*MZ6;Qi4fGjx|+?YDYknO8j@XUFrh2 zI6` zZj=4WQ~9z?DqC)St-Uid^M86_21_^6}Gaxz@;*UNYXBzn`o-G%_^z%c3@;ok1#!oH9r zy+8e|Tlm_;>-?%}{MZIB`|I7-HxOfxgw#$&v|0y=1H>YX&aGb|;ch)W@2Em`=Aicvmq4s^g9v21Qf1bAwBfO(3W?lUMeOOgZ z4^Df7g--Ohr`F+rqHrs>%NBpM!?LSj<&OA`bjySHWgAZVTTisF!9!s$w-n~#sOL96 z(x-c*lmTtCLBZTQ_%OD>v2c>8CnzVT+D}A&+jkC)q;a1dBO42V6c&|k=HH#DYu(1!wT@F~S>|sOlb$`4BU6+IEu48n= zZc`>&ot;}2;ZQOQ?;sb?$Qq=kNf^5z8PK#Qs|AdHf;?D<6mW@jOzvSoi=r3pr*GRO#=?;oE1@wHs?kaRC4o38ZY5Wzt%*PZQ0at^vxf^n!*JocpWDhK2| zT}m?b_?@AQ@2*SpnsF%?Ab@D*AFOoHvenKD5xf##6Aan z&YWx`<0gcY!6>Y0B?@h?c48B>k^1o+8!VSV^3-GbiU^Y!tzg}3;GvRNXz(ED<%-@1ov+SSB;S4|aHY2)o>EA?F7zu2D0spg zC0+5Ylb&M*>Ltz%L}jl&)uacIp@A@k(2D?!4s3ZX zpm|w$8NbW?;*%x5lL*jtA0@uvs3*2 z>RFzRjrrwFap?d@Ui`u5$(ZQ;G|H@vTy0~a<0thAccR+iaWWjVxCzeP8(Zip^gY4G zbTCyG`PiD9MSZF05whDje&TTIsd}j;9X)CHv}1yY=VI*224?EjWG3zqxY6p0IxD%(wRg-CTK}S>_J9 zA&|?{@0h2ql*%24!O6wH*0f?qr`L z4HW#Te5gQ*8HVpSsKDANPOYd z@GRcVOe8Pccb|A|8NovcLCs5>|M9?vScE@Qk?KZf)jHjhRjOtF@4(+qSD1HiVccN4 zH(q(tEk8ZbGjx+;GUIttAFt=IR>`*WPxtwo@vB>3;GrY0Ld3P?fdWU(Zt>;j=TGzu+hkR7 zHI!i8xBlImSEkHH$fCg%e#rfR5_c`pMFSZZ|`r*X^u9H@cxY z+~4k^IfUljwmxJ>y@hK&bg`Um+AFbAwl1ElTo$}X-!AnQnDY{E^*z?aflXNB`P>JM z)Q%YA!NC#1n|vAw9RLQ@pwry7JQ`DVG`tn!#L{!!TnHX+dMsv~O)m+m75XL-<=e2x zb=M$0*DTsAGan`xD}Nz|*psCd%aCMF~T8 z#h2ZhQZ64-rXqdWkD#VdrAr8vOH~rm&t!Ob_`!=83I$F=f~hnBkF1pR z2>p{1JbyMhejVqO)QC9iD;n8Rm%ew*XzC^DYB3%a|p!r+FcEt`AHlO6Uh6rx}C}JHmIf8>m_eYT@bBJT- zMh*w3P+kiDS8eM~zUE`CZz%@}5RfFsA>VfnEICRqFK>;J>F+La4TUlRt)*3PWQoKKc}#GshlKwkQ-`xbVye}QT^iWz6m(Cn 
z*=snpoW;iIF_J>>w9UFG;Zh#a37sM1WmJ-wSC6|vn8zTaoDxjqb74tBy0;Q;7VSem zME0`i>{5H6%6@7%9FdlvSDLy>xuSm6U^I;cK7?A`KM5C(rwf9MrG0rHuX&C|W!2G_ zf4Ia5LuoOyGn>&_^nZ9RG#1M+eD}M`mV+v1vQdb#h+oFItd(-q=R^i6LbZ-wF}F#_ zo2`fu%soZEnx~b^K)M8alij=;z~)=a5lID6>F-=df7l#=@1uR_SVbaf?jLObe5tct zG?3!J^YTWW1owceZZPzmKCkyhk#O4z^qRpMp>L8i@7`2u)%mV%5CL^3$bvsJ1tg^YgS@P^B&C11awvC|sZ3F%Tip|o;8+>Ej zKi~QH?J%G(Sl96t1vzTnD_P|bWZ&IIWut0X4SsBoO{afX~$IhES$>N9R zO$iWX50`^aQZ`|8-pv@fBf>($f17C(kn$yxsSG*?V{mPLVgB)?B;QL>^6ks6OZq#p zyz|{~;o7g{1NaH*wDwZ@Q>XqNlv}z}zXqKzjlAh(_8oTbKr0w^Q#Y|jSR$$l+mpL^ z!E$%(LwSTIKp~<%x6WMqN!3c0!K81A*LKhY(`CHb zBIa~+-4*8+${RxW$DS1hiJ_k9=?KdJN@#Rh*U0X6MFRaT}!#<|`FLMODGyDW7 z*%~@SLjBw(y!dHSce?obIVcn^x5tPt6IhtHmg|px-~1kFu)SMpIoG!t)gx^VS49sILl1Z>^%~=5YUbE3qwf?AClasSn@Qb`*Df4-4`<>-WmOwdkn%hAebz45j>b zL0!T6+n&1X?TX4Xr(ND@RqmMaUZdPQy@8+U= zzIYZGjuXVGHcQR%85D&gqrXxAZ9h0*5EY^@ju=X1LCj3to?iL)+9y~u?b>x@MV?j@|9~p*3tY) zO0g>M*>n~nqexPf5lp)QCCJ67(_d=!Qn24%%nYaZD?jGE2*wcivlh8gB2Ij588{wp z7xzKbDM8V0e+7fyJCuDFrH4Z0`%hwc^xoQr^W8(B5!xhz5D~4{bqN#lh51dN_zI@^ zga~B-H^Js)v$gZqWSj)@Xs(ZWqVzG9PbES#rwP#KV4ZupiMtfW?4&Fmp+v<}Fg-%U zqB*>hna3*mK$)K=CCB4z7D^MM0;VX^_^*!QHod8XrMc~2EqKx)!xhJ_`fQw0$L0?l+!v7P+C;r;WZTSQYEMnGxygVkz3q_G@H82{~`irysk}hh;WiH>1sgv^H{pco-YG ziv8uwU-PTf{nZD#Z7tsHjQq0+w=PrnqoWg|q+@689!H|2u`>?LeQFhF2k^aMlsm9* z3QN*E&w~Uo`qTuBLma%tgLYnE!~x7J?`;>}#Gt`4wS>x2B9b!5y%kJI!T*_1inq0* z%bAvci=So`V^lNhlF=soEQ4VdshmA2E-uX71U8?;Jmw?4d4*~oD{^3>x#?V3qey}gKj zn|%a~gps@JLok`9k8jf!5d&i2xW@qf#(;edEUvovV@?4_DVJ$t6Yoo`X^jWUFX`)^ zI`S_m6jn0{JG{b6PB3~nxdh%f@nuQjB&H>q0ddNrP7vaY288gW>rwVJ`zc(m730hRkq>|#B&9BnvDHOeIIvRXf zJel>41=OO8>dX#Xwv=+c)Zw|AKA6i+h_k^DN{g>0f3sD>g_jDx06&$McS?IY9IRBy zO4!UdYb(TS-L`(j*XFINwgWg3*kWcXBsZBL_LBI6&Idzlv^L2a%^%m333RsjE*ISH zeZ!z%&Y)+dmETYmD)o~=mhBmR5HIQ=y^V)(=nCK&P)OA^ma#$n)M%oJUCw+vNWVO( z0!g~%@8693#~d7Nu;V3?CvOgd%SeT@kA$iIX|uthO&p#CP6p*HTsXocQB)qa5$<)) zyfJ#O3L#GA5lZ==+i{=il=mGVyv)143S`{@V)CQNH)wGtDJq8Eki}|lZll1^e%@oODHd{ 
zYyujf5`j4iI(TE)P9wEHKVWT6-r~vMV761oXDQsoB0)kOf9cFp(y%h%>BPPj|WPysNp(TY;a-blp|s7Adq>svU+=$p40 zd*gK^^MKp2S!=Yx3dmvE^wy2>k1b zje0HeVX{9HcvuR8$4Gl0Q&a5s8#!>2r2;`rNsZB{=yjSDoD+kXSOgR*mC@lSv&xB6 z6LLIey*3uZ*iKZ8w5|amGNL4|<(bt+BmI*hAmWPSenD1u=DvYu`XmgH$c?!bJoK}2 zjzp0Td1}gJbEZrv=UApB<(9*4Q$e+rkZ67+Om_a89X3g zRnDOqqLU>8zUQ-qfz@6`-THRqD4U{^5+^34xSt&kBJ()Q-NoEsR6v>F(aCtIPO+e! zm*A6Q<13#!Kajti`dm5Piju>hi%AfDJi4p+<~te|f`UPOzS5-xN-86rjIo4>0&b5Y zwq$GA&aNqnT)>h63I9Ewvt7CwmG^LKjtJ-?rWK!n;f;t`;;>XYKwTkHxZ^Ls^W9%x z^_XlH0&YN~Iz(-V(vC!J;>JUTR;XC-a^99p=~ZYmCdvWxG)2SKnr>o88w?Y9S!S@a z3rgyF2JsQF9E4iA+TFB9Z!q8G?9?-)Dlk#SGIIvMFhN7a!kVPgP-ZdWFP8HpkSX90 zo2rNafExkDnkO@$uCR}-^Ing?Tf>;PT+8jDXD4mfVvn=5a(K)kj-q5KM74rFK!~7& zbEm!g?jMRjg+5DDx5s#fxeCJSp~%fDqj!kN@NNvzVOJ)YL`8(Hpz#OEOX=AX)r58# z9jt*+?-7`$I74V~@aBGp1Mjv@>dh17hAo3D;=YaA2gxnMROa)~EE1mz8L-z2perE* zM2V&j`^9l&J);GEIWIsXLOXv6dC3@kW8Xuym(lqptb=Er&o=zHR@rAM;j15&^HvZC zu9!2@>FOU;B89TKgE?VI=${7D-vx;6l{c63ycBI5x3}hC55tuPpF3a2)9K?3mo}<9 zy2pkj34R41!z?9SoWPsMH7pdLrQ;>&uvJLpkNwRmkkG^V^sm8X5qeuESBa%xAZ*Jj z)eG0(*no;tsmIZpuCPSkGy?)e0Yhchkg*UQ)u#DvBe_TQisCyf+$H+nZ^`Cczb8%r z$s<_FR-M9hjQcBi$X1lX!kC1r^(i3QQIp&WncG`6C#h$lD}f5umo2nCO410e2{%4r zJoqGNzJLKILn2`C+4NFCG_lf}m3?oV;J=GZwiMJ3zH76GB{t zM_t-yL6#{BI39#H@$wg6Qc4MI+o=-U^zw{!YGHVKfCR;K(u)pp83PvVL1!~8=C|^^ zYr0H`c%W0}T5?TeaZ0#lDmm#9u9=lsDqY}KMjtsT%K$Md`2$x*N2Rej8776W^)np* zEPPGyp1_C$?uasGEBLL)fh$oh}hY?qhft?(& z-!Vd2-j7#!*~r~%b%wbPdQKUCP2hQSex3PAhqbDtJXtGINf92McMw$b!KXB5(B3H& zV-}!&>*7bbe=}8+gDtD}NYqNO<~S9v%~}<0gcTguNGd%NY#~HSnHj|i{_OBg<6&$i z_7&DHw%CuSSYND;Vu0F%73&g0NMwn0resB(Bo%8e+Z|*Tk5AO^8CF{Kgn15814cRZ z(3>_9E@o@%Mbn9uB@=$Tz+Ok8GCGUxgft2}JyQBTk77&#y~KjuJ;-}ar4B9%92g2q z%p&9a(tLbemdOjY8Psogxc(D4Qp?4!X=YOKCn2%QX1pNNtHG3PV1&1Jd!VWto3RR< zQ;ePIh{2>$fD?S%Lkbik{d}0ll|`mxpXr0|)dkQxn-^1pqQ1Q0!x+z1_uz0_p$`KpvB zX^o>sKM4*d+Oi<6!WyW|Zw1GE%RmA+)*)b{k+ z^;;)vAKpYo^J?)oyAIR&I%4Pa*$Nvuh&iLu+6pw2cs#f$EXwS=4s}Y$ae(Wly*=sw z^4EQJAG4Z};2*$J!X-=LQCQZsSa4SF4R;y8zzP4H88F3*y(6!qEJH>b5lZ;spdJv?Pq&xdVP>4FUja$LO 
zzV|0T4~VG56%Bi*Xt9eXw1eVLkqoB4UC!C=L$vpgx4KfxjFcd-*?^O4V#o)+PKc_z zIW-A@{RiyjQ!)B`c)lc-O0oh7YePFb+yba@M68uEjaI{<-fkWMjS|s_Qs{r)AEs~N zuv9k2PX_(Y*(wrGkaIW39RNi%ebJz^c*EepD^Cf>BX*;tsv)2EWX(8?B~z=ip2^0& zL{xZzEv;v({$`rWC=aLFu_JuKAA|lo2Q%>lg-73{fcvj5YW1osTku6hm-g-f zV?G{_3l{X)#v~WRw!b8{L|>&@QK~YVC=CJ%zFJFy{#-(c8Ha)g3*T2KHpZ&hmF!~x zqv$y*X4xAgf}XP{EC7l%@!`c!UcUojg$qnAD3k>{irhNStWS7HAeHsx0~(@Dk8{>a zo0z!#78IqcA|n{NS4Zd5l!7b%W};Uotr3V642hS4Vr1i(siZU%W+?zZEAIN942Bue zRA*p6gc1}UCIs3bH(1L7b$2GRN?>px<9GII4Wg~a60 zfb=OTPtenXy98b@MD@|b%#@)ZKh-{56hRJ%fpSd)m}st83y4feO;47Xo+zZh?3W2E zdBXhsoXW^-LdToTWhuYF7NLa0u~kk7H9HymJPNTQ{iZbjxi`qz zfp>3&F|Eh)DRx4($4VUSXyP=;^N-;+0~LnDBT)I0-z@tUo1!A0g-7fXk_+e`^({Wj zC#8%Cl>QID?zA*fsKm*uo1H~z)5WKH-*!tUyy&cB`9Fr{ znu6zx!J45Q&~+15uDw5DNap3MQRc z9D>J;`Cv~$Ngn?6PxedT^@vfjK|Zg(v2tiEIZLBSDk!o`f>=r>X{_1{#XFH1dTqX~+#kUKRPqOCKc4Ek z;SpBYGiU^llAfu$g^Fzs5j)YHn#>2Xv;NPtxAJ;;|EAxH?E#eZWP34h0)Qh$R$`|} zv4PF}x6W;_x*5e}Mk%XQ6mX-v*w2*3rBDKRoo`Y!Hk2?X>RUp5tz89$8C{}B1YN5P zy!h$8OqyJ`zO+|>&Gyw(|3chx!81Q*M%riGdZx$)8H&ME9L;%Hhk@ilpHc6!@$gV_ z8VDQMSUG5s-+=MAfgwb0fbi>iAOEwqu3fcLKt}o5baG5~vD%qI7o<6h3>Im2Qq}f5q_McS+juV%9 z{vHj=v?@+J6v=dudF02u%*4Z=<_$DFC$A5^`^KCF`1Hyt;F|$9^^*6q+5@u>9Frd>7R&mb!ETI*8HuJ-OY%_$z!yL} z8DBhIS(bb@zKu`HPIOR%_by+zezNTfKmTxjFl?-c4^#g4t=nIrZw|+c8%E&%pZ}C& zg5h~HLRrP0i9SM0!`e$aM7?`u9iyJ)QNV3Clcm=Hv1u{imE0K-j22IJeo@}YiN9=mJ#Jka#X`W(o9{$UTaXuvIXxON%5Vo-0W_xN*R0sK$c#>WOHxgb{*Nq=!K?UvG$!zXk+BvR2hAl&%BzwYrS zJWBM(kS6UJa@KffFiSer!%?Fxlhjx63z7vzB8jXn#{7c)$?j zhX42fk7A|zrT$7ANaM)hJr=33FWqs`KfT4oC^?b?{~sOKN&3Y+NHhQhB!2&U+;Glq zK7@z?xf5$@P)EpF4EcR~>peO(eT`)Mq^u2ZkM7l4-FsI4?USrl$aNao)mAat4u{75 z(QjGE!RW91d0%w%L;l+Lw2BWAP`F2@?1%fG%73K}3XhCY`m*jAab0>yp>_B5@rm#R zkfpGHJe~)qc&!8V2miJSIwr^vgA!a7x=INsp8u^|?$;pZ5Y1Sg&_v{vftKIU4F5GY%kWz3n%wZcjc$u{k|?%7s%W+1aeX;fer1AHy4hbMp@&RKUCa zSC-{Q3b`nhl`VlCh97nlcsIYlc?n;0uUb`ExZ!P(eGc618DT!$Uw;aEl}NMoQ*?6Nx$$DxEd1|t|{L$*38r6cBJvoyKx+*B&wmY2`0wyFH{Bk{rEx>pNCb8h7 zxOq1y^IxyK-Q(UL=0ltjdSZ^=CzZ9qK=lh_w_`!3zbXXWm*nGZ5MZVB*C>JSEA;vj 
zzDS_(;0}BsK?Pp)|ELf)w(J#5wUmG1f~um@Kj$&WzrpSvp01Xjt}>qZ`opJLNv#6R zjHX;Z`eVm?j5Y9A{piD*#~Sm~=A>QCQ+IKubl-_sFSV)Fpg#FKoU6|EjnZ?@_I)9_cnef`Sv|DLVQD4bvQnQ+u^ z{W~!0wn51+-r$`U+%21Fq0(17K7-4D>&Z4br;F)X^96v!4aD16x8Jd5%ejEvx0tU~ zhRX0PEPL~HtWvu$R&DRkHGk9Zf%Yul3qNb2oougfMt>pWyT|x?JmbW+o=v~D7-APx zc8F_JAn5rV?A}AJ2nyFbm*W5Gh2{FkuSCYrZ5W@(@_;D!{}!Ad=-Er!3+tj{Fg!ry z$)osEb4#B#t5%Q_WznpiM%{a1F-X5k;3>$>cCP|BQtZdNHaN96H_$^x(g^=D+q3 zgY?zNYBi_eHltBTPRv9<^3lo!hjP1|AFzJG?{LTz;_IHi^D_^vi#qh z;ahea8eTL(?|{juZvRV2Yb-GM~7wqI&edE!EprDPiYMtbIt zKk8EiKS+y9itNIfVF6X~S8jpf#QzantJn6QyZfSmdE5*jW1-(g@zP_Ek`uDBx_&l^qio^0dDVO~<{VxDnc~JfJX^#%0wRfXLJGE=s`jf-Y@!wf_Ny z^C=trGBb~whXO)76tT*VVUK70na};iFfJt8(S)!F zlpuJ$;6!WBgHf_%X1QksF#tbaj=o-5;kf$;D=7eVT+R-YJju6A7n@xC}V z&4Z9I^5futZvfg_-?2HEV0Nqc@)x%M|5{sYmMFD(HH?=>BUnBn`c5w9&8uF1yRmJy zuJp}S_yvsWRb1C;?$&U3D{cj>!ttzdVNt^o&+C6OAoR6NPrD{~2yh*S68|a(VL@Yz z>%Ld%PXCTfC+S+JLwCrlXH4ez5`{Bu=~7tg(?lh& zl;~Q~w#O^oV>|!NsWNRG0|Tc~F0)}0yOv+yKf%kA^@a%hBmVIx@tDyzHy*#aagRCt zCK*$qR*c>D1DFi;vE1`S z1-ky;!4STE>uQ;9mYtx;*XsuhFUo{A>$I(qd42GEy|tUnZNYzEkemBT4H*)Ge>pdA z*S<)O0-I8FI!)fgy61s)%wayJcLfx3zE4!N5A}_PRXecPMhpO%XZqk@MMOkk+*K+S z4vy~4lzT0CYzsaNbZaeR_Jn-2??fbB;8d*iU*qz)?X!?l175l8Z378oy zbL}fDcza@cD$-i@{=DbPEWIq*-saSImi8noelr?pBP?#-ENs`DcvUxR91cFE7!bbh zD}VFvP+qiuI&X9ACSfS(mw2$7J^HIB?H>!Rw0WmU|NJ|*0B-Xrpj()%P|tf#*DB0h z9WR6Lb_;d+HVNPuV*1e=mOM*!1jx?rHwKp=4YrGE97^x?z^&H}9A+accG>O^4oi-} zL?WK5BuxHUt$Z20numo#mxG_MUJ~Nsyzc{sRKH2QvaZz1>7oG3an18P9~frL7ONs} z(1LBNq*_delaPw`ezi8=TJBEdtCwoj=@zYbLp^u%lk>I{&N59kG`Ne5h3Lt6+O_I2 zx*$;F8gDAtvF^vX`K{4(%{Pv^Fjsy#JBV)!3>%F5qlxZB{X+yZ5292M2(uX7$co`# zQQxt*-B&cXxOKn;SEh4Wxf(t7$54O|>t?A$47lk-8d2Rj`Td<{b9}t|4R_2wHoI>6 z6v(Id@h{kej?YlggKyvfU<$i|$73#MCCy^vR zD@)(;RmU=7TSPD2dcWey4eFehpI0Kd`>;Ai>)p{(^s(v)rLSm6RtP9xP?xns&TaC@ z-oQcHApggV@tRND1^(*YWI?<(XY7G7zBnmqy?s z^0awh@y|Ac;UH(5lsSg~Do^u28~EPR`h5c^;f}V+fyU0<)H`ZY=Mw4k@qT z9GMia6g+@BGw5c<)CEzk+3j{V*evMz+sD%?N+ekV6)zM%7s}4g&b{Gy@aEmTr6hRM 
z6V`)+gPr~d(DH_*m$9$WK9GxYG(NVt#gK2OR{rT}SdEGiydr$#P+e04^hf&KlQn3T z0P|G8f0}TTnFN&husL0hO~7@7VOB6^Q~3`&$N6rI^QvWp*A3c~Aq%cIC!eG+xIX{v zNHr8ZAK^fI(~#-IJz$gczG?K7@y-EyE&XfqnsI-2T_u-sq8gw>L^|N^FhB@FFiThO zH2SgtXh3z#l~{F!&YWm6>oYXUAx6!L3na*ijhOpQ*e!T%kaiAiYimpN0L(57F%Wj% z`HAy_EV{>qZK?aMoZntSr=)?$CZ2O7HX@7+HfgTxpuC2H4bWR)juvEsnUQ1)Pb!)Y z0)YzY;k%EE3$uQl4KXrkR*XEhed-QLX_VcmMBafqZIAUb_W)m0KleB0>ql=F3?lX( zuOjg6rsmJ{s)CKF6nr4I;UrZ?I@k6HIpk|4H}%?$h7-TtJ z(kn#aeIhcZ$gEx6L*0K^)r-M{3zvie#kp-BW@(Ou9s#Cj-O2oeWMQT&@zWCTcE9Bs@cAXU% zYT|a>ZES3Gqo#ihS?F6?S-0Kbb~8$^9#UsORgc0NOU2h~;2cfe?7l+J^u&Kg zN}HWmNBko?q{EXLGDr0q&GSxmHLJ)V4zZTwJBRSZG z4PS7X{WymE134Rs_c0ugfl3)ZlW1w;JU4>J$r)~lyM=Rpqb1AdO4~Kq5|#XOl60)g z(L(AcU`)DEuZ&%`pU2I1;3@)pJRHRHL=zLo7>Xfq;&&0hLL4_wx;Szli7RKTiX0HP z&g?2iCjEOPmE&|g+xIC9ieeHsXhVl{?SM64=RcB5RaA+847bMpKiJ_>=9*(IN0a925849-O?@%qw}Ny9a2l|C2Qm6JLe%hruA$ZA!uQtKM~lI`&;^%MC*Q|Q&6sHa_|S14 zvYY)KlFGI-R6f7!jImZUpB13-11Xt+b|28xIxX&1xA;Aq%f9!_Y;1A;ie-B%NM8$2 zF=aB(`zhKV*3itiO+a9H=9|{*C9jP*$g;;a87E9~%sAuzer5Ys<8{Uc9&{T- zhmNCJ!{N^s^9ePTVEd{FUwO`bJJZddB&c#+@LF%X0WgNfDAXp8?y}IQM_#9(T7|ey zO35ve{nLpo_yG2jk?A3PKq_~KtH@y4+=U7W7+CC!)_OA{;7W66d(Qai5hYm59KNl~$d!SiULU8|585Xi9gJfb_dn@^CqNowXI&EyqdfkB z@CaQ(fl2F}o>?M&l;plUIjDGyJc_jz!oIRFDgLIL4^g5WOLOw=Z9bXv;D=M%9TmRy zKsq>FzrU($c4&+dYswj>YN(Iq_)a(-4XUhaIcGmj4WS)gMi=&vg_B{*ZW; z8F>}M0mn1?3Qn)NUOt_BL3H>@IFh-SKaI;r5Mj7@16`!-B|K>F&meEck3UtRUu196 z*xRp=1%yi%UHK_WZqI|3<3+xu)_h)f{IdHK&rkYi;KhPPL&wuL>+iF}0hD%yluGoA z)n&>HAYA@Hlin^(3Y`x^)ce$!HxFHs3={Yvz;PjO2VDm%K85Sq(0SjZMJoCq3UfU; z#Vk~>+l49qK5cj2ta!ilX!&!UH8L|pFY;-9?avx&c#NF^_j--~;LvSzjO_m^>vG~F zpge-H6~a|FG1=9GOr%`s*#oy9{eT8fL97Jt`(+n-1UvV83h2F&V`7VPUpCdPBDH;J z&?ftH{3m=ET6VjC!&V6O6QMl-?+%T;Uw+)HqU`Qd&{vB*jES&|2CbwD%1&bfWm%c{XPIS&?(V0mgQ|(%x_Dg%%HvZRPJ&B$ql;Zl#W< z+n%~LnDYsupNRP0Qho|%pKui)-qWG<`}Q3sHN1ze?#FbgCh~wWFa~%W2op%yBBip% z1aL}u0Y8tw=vTg_V$74gCTH1UWC+(qtB1u_oX`z0(rvKi+Tdo&-R6K>_+{Jxeb^RO z%kQri7_f0$_Gut#Iz)UAoJn5UxB702E-i=|*h`lPm?9XC>67&~^L-W$>AB{&4|ps9 
zZ-B@3qT4OzBsT_V+O4Ekt(>^T6)%K$L+{r2T zqaHndCRzB}HcB2AmcBm_t}BG=>E`fevZa9BVp)Z8Xo$KSkwDLH+sKzjr51p`X94VIvXcGUmlC~S`!;s0VACZ0 zH7)s?Y&;HIWm$(p2T}{7adJteL`crd57d|OPucqMCjJ@g!#hY`5ZHw zftl@r4KOhxt)&4!8m8I5mSr@65q}7ng!p6`#L7u3lRkZXQD&NaDQZ~RvL^H64Kr#P zy{U;ab*3D>`2{|+&PGcSBX2HpvGf%N49tmsyKlqWH*f5{zrNj56F!GWzxBg;kW%*xVfAw%hYvhY?Sg<#WqtOK$&v8kMV$hWpvAlu!|tiqP~;REOG}yUVu+cF z)e_a+V4=Zj5#a%L==B+fLw#c-!e_#h8|`lr_GbRrMgw4vBeqCL+Y*>0`m8b#y$}iW!Ly>sf2KF9{p06@0$iZ8i9fz#% zg#70X484bv!H;qxfPbl|eHvpTXrM=M{o@DWV}EbMH-5%MOs2q76eh;xyt0FrD=QLq z3$?o&j|U?|f>k$)scma55iF(s-wZ+p?>t`RJ*`3SYk}AJQHCDX?fFsp9G`jjL^ON3 z@H5qC-8g*f;3AK_t)}fiI3i(n*|Y%+iHzfE*`FR1Q?pPtUG}Hlnk*~y25(e(pl=up zBTa$olHN7&Ou$QDp&#ZQ#sV_kWZ*=f8w+Azrz%EBdmy#b`1&+_MEbSIAV>1EtTnUpPJI-2YLvD?{y-+BQDLgqmfQpnVSysSzmtpi z1&*5(QE5_f$3!x<#7j4{GGcdm!yNIxet0g2h^)ie+ikTAy;L7P+YY?8`y*Y@6gt&!Z@l@-?zY7xC$z#z8X!PZeZi`Xc9oC)fSQYf4 zglSPg_B~Tf6*NZH7qkKyeI@QK1DaZi_7sOjYq0}YWQg+X>-*Nb& zOjJopNcjW^vp=!*@w1Y5fEnoRS277 z?K;_|mOyr8C=#mJPCQC>mm5*ZAOY24Rv5|QJ{&UhPT}3K>vdO|C<3xSQ8F@e0=HKi z@T7dsaHrWt62cfmje@c0^zWW<3R$d5`aT_>I(2k(2J^OGV|Y{b1a?*CQ-3C>&$*h% z@poAg*Cd3->s1KIH+?xRG=y60bMe&r?h8G8!`ZxGG6Ul4mxSJ3Pr}eWO)r+lYQlL6 zirE<^Tso`MO*hsc9{#_zx4zI7Qk81F&`C2D=$Td9g;3%?Q0j9T@>95Wr3)Mf5nXqN(0cRBBomTJra_?X1=n-Ow( zai!ja)gC+swO`TYYuEYmk<<@ISq*yN?o0A&$FI(>Cto~g__9pG=2PdVgf{ZM`Qb>>WQqY@M^IOY$%sU^#;Fxe;0!u#>tt9EXwtzo zZgO`)^mGSvwjNI_Us0r>G--xtACi%C&Tc8Z^BL9;6bS2gw#Iaa$ORZGE5m#60;Mit z?LdlqXDGVat7v`A{_o3~xrO(I9G)Kn@bYwe(=W_k)}+KcuVJ+Qv=2~!2Mns_+7Sr+ zpdm2!dZJ7N@vg?f!2y6TSWuRPD+hgNyeV8XtPN49?hN{Ua+jxkHqd?$6Lu z+4fY7|JsK5DV)!Hp(l9jWX$}bFz63-0nP4w+2=mc?zb?h1h?HFxM5u0%@?|k`+2C9 zea-m$*EwN5j|Kx%8n|9s`}^rE|20+e$8&kQ4#58ZKF!Yf@z@E;ZZq%rYS2GMF9AJm z(Gh6#`5g%miNkJS!}KN40}Q9BaGon@%4M;G3Pa?0fNL^nbcPvFk?=YOieR#1WB-?@N&s%HlR3)k>3eb{J*( z_@pX&NWpi&{Dfl%z9Hk+O9~15;B;r#BX-iQ_IW5r`iA)c$|#4x{)D@+OvBhfBe|xk z_oS_%;17z){0`mNoTqT#*?od1zel|E2Qb12l?~2v#mhc08VBTE-&<53TzmQr`%mbJ z;gr(IYJJp;t_%2fBIHA_C9I_?orrPtD3&IeT8N%dOc|bNr{*&dHRZbgH0$tK-_=?S 
z)bb@8E;!tiA#Sv&U6tFmdSYQ=Eg30g74s#&-k;EB+ zDFB}p`%bwzBH{)kZq#2X2!|~6nJUDtaO_{B#l5b7ZL;ym=w2Lqi&uGbi`V~=3nKbf zF2%1M4ILIfkkQk@;YokpAyM)qGoB@Q`{9F?w=ZSs&SOMlo5H3{BJZ}X%ADJhi#d!R=2_T7 zH;|OkAT${u$$CE*yP1LuL@5@0V|aVftp`dg+ro>evS8uRFylHuhHyGx;1>1aB!!Xp z!46{yW`_g`-S^Mgaub(z>1tFMZYg=G2wrOLBI^Vk+)7{PV_T;L5TR|fqlvymzBMKJ zZla2qBzm;JENm}J=>6)oJ+d};pPz@8F=@r0-Dy9a)SDWt`3cmf+k*6)58ogtxIGyJ z*(pXwq)Dh6Z}{{ehb%LF>X_j(854`un8Th`Efd(d2z0`4wl}# znqfm>qQ31PNsKP(`qQoq#|xs+=RMuF=!34|@!RvvVy5#ssY};!D^eoWG7jgCUy;C zx{DBs`&MDL32=b&ksWs1M4T~7@~UOpJ+2I-z<_d zBHWh2lt$*fcbQ2wPYYTH;<5Pe?q~FiH^p+M5DF2M9XtF4h0aql535m?B3CI)zn0D0 zwnqh9$%PSrbOLyEOnG9;Mg8QZ`NZXf=YwAtwUwhVlR4L24GwWU1EeZXFO$sA4OOt zqR|gF29p|Oq8Y1`;$L19b$rAFYhEyYFiKSV9_|(_S2Vtp+JvNpfJr@dU@?(rL06pj z1!|t<(HE>QFrpRgB3kW82KRv-$nbAbY@EMbI`l~E3~O~%Kk zY2i*1xD!IsuNBvRqZ^HgfGpl`@hug(Z6a zE>{YRZPX)f=1{)RM<4M5Ntd@^< zd;$2^ni|o|})st0YAolZSPm-z6Vkk#P1b!+a5|AU)Ka{!*jL%eKlWgxI%Scd?}D zJyZ;o@7vA$emwz#kBjUFiPs@*7i0e)QC}U_(st2mW|=cAj(YbME{8#9u&)?;S?OezT6R z<9@>y@EZf{8}~!^`al`Pae$+yzmdJEYi-A|IQLAxs4c$W9H?)!1}3q%DAxB5-bVPO z^|*=1h7Ic-T>79U^a?f+CA5!tAk5uMIvIyFX~s;?%(=NZ1vo(24hBp zPH8U@(Q6o?-hGh8P-D|7RzA-M8hF1_y&4ER6kS7KjQVtR!+c~AF8f2-5#KSFNJq1P zEx|&3*FVTA$sEY_kZ{#MVpaH~7#rV5ErCQDKBSX80|MC{eG0@ZmK6@AxqOFA?<5-(CMsZj)6D*qFJY=3NbE_!*4!T<_6XnQQ{Q zO5lG^jkttb>%H28zNVi!ZM-`H?d^|uAV**2Ha7t5FNI?M%YH$ZwJ@36&0@bnx@Zc> zK76)J%irzP*e)s9OH6TJO&vp=YV{J)7lZKyZ82m}toA9?SQ?mPNOmX8QJ&jzI)qOG z|F}W}fWABJwTaY}7pPFz`^8KM;AT_u`7dtoTVP6T%es#=^<}%y#Pc4-gO<*IC)D51g=dD$YsG#^ZN=TpAKFytWCKn0W+3=rPDF>LQkKB<9QD(C~_S&r`X4PhW;F7VeBU#=HmXQ2$FFT3La=z;dl`x`HGy}eG>mtp2mRTB8CCO?W^i_BjG z&ar{L~yJTVVrKP3*e*e7Y(u2~%LcQ)|G&7jAmEHEn zB&Cx}k0>vbgQ{|213WKpYl}iy38*qtI50*HsFQ~x`!mF_8iQe z&Tfh9Z(y~Nx@m|m|4rxqj-CofUCjXlnL~tDH?>gTo!2|R21?K*i`p(QiTz#kD5ax0 zX!E`7eBJ|)LP;)Au9k$b*4*BfnYBl6KHh>wS4LJx{Fl z)5XZhD8l|bbSixRC)TnWusZq2&odV6gVF#noC=RbjN9Ur)%>Dhs{57|rWk@gWmqL- z3LFS4>lJZbmEwpQBAC}mw*1ZAg!}TgJ|p4pTX0~Q{E4lODS~%YyLe$)fY|4w892bq zXnn&%@+3ElPHSTLwe!V~=Wn|=8Afy8P@7TYx2G9m>*Dn>4>?>_z 
zT5eiu9c2$SYChn@hGEG4U9^Vy)wm}6>;cs(fUOYm#pgIU4~*&M5;&Y??+%h%Qa{4{ zGCujW^s}zD9lkNp8oLQM$+1SA4yt1YSY!mY@!u|GJ*RbvV`7k+UOQWY zTW3-8E`3V72AyBIevBG|ql@Qk3^-WhD!lJ5GWl78pOk2uV+MyYttXMe$y|EpVm0r2 zBAJ5FIu>K6s>O^6#~4AOC4HMOeZ_M{b9Rc^3{2tYjgkcZs4K}6zh*tB&}ebp>syY4 z?Cn%B8l6C^;Fk`}+0)(LDIEjL*;r97Q5T9ayiy-jz*TEsOfY(Lt(l*JaWOZc36mq_ z`|03}9X-aUy>#n0BphdlvEtxf@8N^~_Ni@RBEsBlZ9A1y`Ht*B@4bWgzw*O1zy*&!UyY+&?=m68>^JTxadwD4o9{)$> zy(9k6-oA$POPI$Lnif9$1*_1|FY}ZxJm`F7zPlbEZgb})dRbZM!8Zm2t`{%`T_=7g zeMJm>;|kPFD6fo#(Yx=a2r2z}LWYTU{BSuku)9^!9-D*$if1Pwu}_bDb*d=>1wl zw6vN_UF020lRHBI>nEEp+ab@+sdOF0s~i#y%TClEc+l0)X};?>p~sJ33bYwN=R(|G z+)|zzH~#vsQ8T*}!<*u7r+~cOit-A7DXRV=>t}M^V^R`7+g4gmJ90bx_ML{%)rJR< z7GazbkNO{-q>|N3hLxqFN9~h1U~CqZ)P_M=xo|`_$OPT`Vr`quAKRoqzGTYXje7SG zr<0W~Cth~E%4A~ar0w+c-V1RT&PP`EU9uwI9M6$gR4n1-!)hCsF%(n}NZjAQ?B#kP zU`+%BJ}7x|zG>aX0tOLsp4IFSyJawsnVyamXhnz4s>Dt`yE%@;RuqupALclI`w7VU|+UYdBq7iaF#Ub{^ zB%$+dPC-4*4Q8r5J66EAS1bdo=7{CBVEL__mih6HBaqI{hp zr0M)>=~do+k-_T37D}Z||KDgZ#i)1In(^(5<4IEfr^YI?f?s|enj?AFHgzC}-FQf= zJR7IMY?}OcjwQw=DMrQaWl70IC~W@NEWky zcynPxXy5-52^#_#zLyB-k|@T+K@o$hSWA(VXNEoB^_Hzv^kf{ty*RsmE)!ehbQsy7 zvbi!FyaNl{?3vLcznk{B8VtUQNICvXDMs(TpsnMT)*A&XhPy^Yra zf~E-eyyyF74>m=|++OvZRi!znK+&h)x zGX^gc-?kvT*!6(M|0CMswTC>O=3h&z@9UA6gr5W&l)(eehA!jVA_rlV+y#C% z1I`upRE*?i3LeJF<{p{j4{L8JQ$C$e#V?Hm!acJQeOm@0#+{2wzpmqMS++Nl4a~X# z2~)6rJ|3PQJ~ZM2{Dl+P22MA@Q+av3s@x`uwIT?Vtu)bC$CNe^3qLu)`A6Q(`tk|3 zQ};<{O-f)=)}_H=mh)Qp3g_)-(p@r`o4a<}KyQh>uWvY#$`VMAW1UZoM{ntGKnr}Vz55sHRy6DajekJ?sG)mkJ1yb;O5kI^j-P9r4*R%|S_$!ztVUL(G zsV1so!g|DDxoJ3;L$P=NEOZ`{J3t8uLKMVrzIH#HrEHHUE12xd_bgC4+{3vmHN^25 zNfGpy;`+)Qk#l4+q)Fp8kjVyX0^)BUhIkC|Tz+Pnq>cF^8J76Uq5WOf&CM!^l>QBh z9%cQ2EdmTMzIAw{SxbOLm&*A5itt<=aLC&8k_m8n(BsvWrOeU%EEfwIA(0+n=*$$i zZW$i>x;)svI89_NZ^457`T5vt+L6=)2@;7{0P*$f&VYQF&UM5O7(NYv?_fdjuc`i6 z&%|i69+1+qMRkM6(lw*VC=i3K>vcisN{#LOJNdh)SzQ24S64cdt13 z7Z`}!zt*rhqw!xJE$!(HFl56RUR5Zesn^_Zp}Vcd&50-x3!FP>%W3;(al)jDZ_9W= zE!%4RhAkC+7~9B>F*FAzz1#jUGVez)qhKOtxnA5p75K0C!d@@6YB>TlX4KsAi&JR+ 
z&wHV37*#iitl9~nEKMKh7}|JKX#fm>HxCZJl7Xsc^~Jo(E_SFdjO4vUf+gtVbSFr> zPTWSlg07yweub;a0;{aEX_1%fc@dN;^!*-sxd@hmiV`{3f3bPRM6w_&Q~98UrL6B5 zbl2{RGf5h_O?wSm!_)W;Dj7^i1m0flJ=Vu3ASQOgXjpy5b?JZI&SoRoPlzW;VCcdo z^ggJMDd`parDa3xcVJ2*ms{WyV3hv72#IYcrR0;Kebddpda9u=y(&Z7{^#Pzx$N6{|%lqpV1}o@S zF^B!i3Xx}bY3JSVP1h`F-x4C4(-gOfR&dJdeQ@+~pX#-Y)Grzjyrr{^9=|v4hIVO$ z)qBm)>bo+4ubjo4XGe^r3Qe$-37o|dug2`s4@qq`oF(`z#o3WZnW8_juv!k7BGGGLTp=ZTP<{QSpZo7Gg+B!^sWuah7}-D2>*`(oqi*@p zktVtpza$|c*zM5!)oXNSt|Z^6>bLaQr^AytUgoykDWq8`4X@uVPa>($xp3Rb=g$YG(8CCgyl&7`=d9v8=4KZ$!4Y9az2oCjoT1{~#=J-K?;P{Z5e!A$&b z?;=%>IyDDJoIqIofL}o!>L=83)@oRIEu}u~9a$Wrr zj>#-#D{VfoJ=$HeF@_Z1sZUyb&uSQ(>64Tq>1zMs(c|BjsNp^$H}9DLWAFKOtC-Mp z50fPBQ#13fQiE9OCl~5}3_(5uw9*X!!sdhSNcfrzj2vvd^=Fg?Z|QtncW+;RwA;C{ zX2fy%v(H<%IcYYKE`7uFMFcl6t)SQ+qS&^8)jVpZ|!x(*N?-7$~;n zs!fXCd@hC_`wJdNBTc7W3Cjpm#H}Pf@ zEPw06V*#@YJ_ms$)zq}esif!dxJ4BaaeKqBu(?XZ_p%sj(?E91Z) zI5FfL{Hm~s6xy?dsYzYkICK;v&FL89dxfhq&RX7nk0n7&=Vu=4_b#F7_{mG465lUR zz63rbBZO#F`4=y`&o{$N5$)?zMeZH*cVYWHQ$<6fyg_A z`?>Q1ly>4k^hx$v|FdEYae!G@@gvHxbtYxd`vw}Jm-&7lZ+UI+sEeFf?^R!x97|Qc z_`ub0I?>B2(_Zx_hrnSNciR*9oL1UJ_WFH<*FF2~~$nr?l7cAkvGH+0;D z3}>C62EXGY87LM?z?Xn>^GAuScw(%+E>-X1vf((S!S5zm$Isx|IoJp(MEyGOn^B=n zB}h)6cdes31*;&XKmE83%WYlg+$}XM%~uLucrJZV#P|7|rFc{M=2MC9Q2~6gPfqg} zJHy%HZgJMnVM_7N@BV!|-|DY6Yk%=*;y;XG;z~-uR~*-^q6J3r>f)S9Wtj_su_40M z5f&O$=4{?>ypqIEn;lif?~`WwM2LsVGZv3X-}0Di71|V&5Vq%D4i}-yV;+#sM4z!inb<4eW}nQi!W+b`!1{!HfEQrJlJlS7C&9fm<+B!LVelWp6%$V)JAQ>G zsg8Wg%d&T?TzfyT*JLR!>YuoqLS{OoT&vhCT_pK1wb;YMe_K+5GGaD6=J5}=tKWVc zN#hUOfxcZgr*A{^XofwLg&QVzD*vDuR<#5DHR8Mh}nhjqUMED=Uo$#jfL;is5eHW`&3oyAjE|e_=wZ zvN(_!MO27eTk!U<1148!V1iy354vI*U}9m(oIQXLUinJAsIAurRu+8~#?`!iOeKj= z8Kr1^%`D70V|1SQd3Wg+n25CBHM2NB?@yc-@tUE6??r`-y{2>Af z8e5>HrHy%#$4=%htbDyam`GcHvQTGhaSL@d5{HcBA>m?2yD7}#;tSJ5p~ga_P0!g7 z`+A-OjOCA9BcHJDsfpn~VQ3+!${VL$&Zfy4B1}^}``!T-DM(4yukrh$Y0;-a>P9r} zAp5hVwC{#Z?Ckci8fKN3W)M?g6pp0}b9vEu$q9qCC)=sCB(}x0SBk`S#R*^FRvmkm z%g@S#e6M?(d;?|0sp_PrdO&=pG5s0XxZDIva@J(EsNZ_CvV)@{skImmjwr>pH15NW 
z^Im1_Svmm(-ZkjOmg*GOWu12&nC3vMPJ=SR^U}|rVkrl|L;*gHKn~`~-zY2q1N8$0 zI)77)ZV|m;@l3x&@>ngmrQ4Wr_rJ*lPbs2Gv@X0CZI&6DluNJNra!kn|zH<^H z$Jf$wLI5;BKGW31vBzO~grglo#{7ukng2JkvhW)r)LOgk?#YqUAb}1QqN8b-r_QIN z-E;ROJKggH8QVI`%!8a0U+4x{@6jZb@890GMPlAzZ&k!Srl`^UWOL@nux`A*NX2F-aj}P zWij;Uy+2Ef{Kpc8O((5%`Jx&C!S|S_Bf;qF(;3)vWJ}O`+I<#Zn+&}-XaoYag>(r_^ZOA}34w!-I(76C^M1oyri!S)|NCVg1a3+*`ks@kENAxI|b1M&i9!+ZcV+#b*+H05tC7 zM+nEzkl`p6@R&_H)L?#%+NnDCJn^eM=AQgU2WiRV;qzB0ic)0GNY+-!?#k1)I$Q7Z z2&0svc{-e4^g|aTfAiWnKNKf@CnQn~c=LzyHR2CSY8 zaYb|unBfzXGhMHf((+-Mv$+Cb z)Z_)0jF&A>PNHU;KqKjiZ792yq%O7C>rb@Rr`3dZ%phkU`!^efiGMg3q)7hrOh*t)Q{X9w}+IS-(ZbQxGV7RynLHY-A#2)#&+R({jR3$LQ_Z3-D4)p4ICAA z{OF*_L04@>RG2)8z2tC>_7e@aI#v{`Ed3aLTipR&h3&3w>J^!-#|yRD#7`U&F&XkK zFP+hj)F?hD-@5_UxB*%r7DCtCvTPCXgUG~V?9|6aJ=P@947OBB<>7G;4_JN_b>MvE zFk>!@abo*Mn@{?SfuQC)n}tt{ZEv_vZ&he`AIEI%bXK`RHNj|;TOTN7J${J(F)tTk zwxgsN+f1RdE7=d@mc-Sx)qp{An$}4K?_N`<+Lejk`nTAu*jYy+AeF2$r(CRPZjhebY zddd=9-h8emy4Eu9Uw@r~d$MrHiVS+nAR{xS^>}_Tj+-7SjuErZ0f1Q9e=*JUk@Pep z&Z%hu0)CyKjq$abJZ+JVz0KjF8VrP_R$EyMxopoQAMsN#a_s|q-SWi7mPygiURv@I znY`oEi%7&0jA$oyqeKAwaS+odiN}32D~T758Ea!o(VIDYK^M#=MnPHB!zhC?Fr8Vo znt8tX5M4LsQsfwwMU{_pA^hU2^!l9RN>LBGb$JW%J&bw4Dol0L(!w=>XjI>3z%88i1@fa*B-N7gqh=;n~4 z)=>Vx4{9%joQ`-h^FFxzL6Tt5Aj#WQRoC5kSPONl*fHd-k00sEu|BogB*lu0wa=0_ zQNH_9qk;0m6U;d)$vfkZuQ&TR97rgcJX2#Wv3x;Skgj#YztHn7SBy`^cir*euSWot z(<<0T8wxpkf)Nc2tbyOH_h6_ZA+N^Zu+&54!)QLP9yBRBFp1rA0mfQv^Lc?fl+LAP z3KS?OGh7x^9vcA%y+$ADNs<@|gCDC5SMxq(ypv<*|K7$l*#MFftc_(``WTUfeEQFY z8uPl6zMP}a;Cws|Y#53<1&Ik6V)CBTIH5)9FsE&hPSDh-58{sSZNG%Ay>4$?#mY=t zQLPL?U46f#%H2GukK2UkpoF-qw3)0z^d72JoYl(c31yJ}5b;+PcQ4x1^g8aJz;`>0 zt7+mR(f8=_Vpc^p0#LV%Zlq3J>K}vrhjriJ@xiU24)<+yZ@t?<*-Ex6n49;~R2471nFZoIB1x zuFM03KOQu68igefRK@Yyd42U1mdH|r1YM_7{J8NSb(oPO;~J6s_}7B<&vv7+4XXL) zQqJU{b02umgcYRB(KLv7f{l7uJC**R#HE9|>eEkyj3e(VHd7lbvLvF)EEpmL-;e)H zh7&tx2hA>|0EC9DC|0rkN-)rqh-;Zn*oh5Q{Us3JyEDTd_V{+J+M8sZ%?n|u_xPL0 z8>zy*$PYO0UM2}P5deQY=K8EAjoYVv%{s)FVxr!x-TzbaOEb@UvDlojgYMi@iDsGZ z<Ej5<9o*2MfA= 
zM`4rIIY4Im+X#2V1Vvg>}j!^V6JI zs9%b8e|O=p^s3b7dQ<;2=wnggYlj%KJ@=yD5Ag6krAXSvp0EV2yy1XY_QlDB&9#lK z&(~TN9MwF=of%HyQPI#)!X=@y~CWe~fz#_$=q;3^9+r!6;nMtlTW~XoGjha6EGlEp@S6%+Dm`+=g9oowEm1ot@G%!9ya)6rDVyMr^>?Y%%Sj9Pf^vFQOv>X+g1?!L*5*NIo7w)*r0X z-`({5sRKz!OvV3oJga-Po@JwR( zFs?CmnAf@|TEGo?_p1ic(!}Is(i^+C!H-D3VnaQnz&PJ7n&lddwZn|6PVb4M6D=S6 z&f$-17o}uR=aK>sShW9mR*=qM39kZ{hT@J+Fn4F8>Y!mL9o|1~ZZd z+o7*PW}gAl2?X_^zTbiA;A%UcN&p7V=bg%bbszrM9A;3(+UZlPV}c@1ahV}yJ&@Ck zyq}}Sy=qQM`n_n+r258#MYDfXRAxtRT}$^v7DgU!Te{VY>;wM(-3i(S1--|V+&dQ z05H4jkHySnY(S2)-rQfd8U9`W6tA-$Pjl>WRLy6>K@iZPm>@0=jYswZGL@PxnE>9q z6A|QMGVY??&6oOKTm z;fB+PHY99|VA$SrwWw8lw!PH!FiuR&oF9M1XuT~4=zUPLQosm_E;idd+l=OmJZaSP z*}j|_(VBnb|1J)f7O&e?`!Wav`y1P73&v@SW5nG zkYmEV1^Apu`NG43BzHw)w#^eMV@aN%A)EEB)^d1b@$5tPxA3hI%l>C^!!%S9pIOw& zeBE#!+qILe;Tpf|dpaeynCAG9WI_DkjB$iF(tP)pOP0wkO)LzjKM<>Nb;Vf>H&K)Y zCqQ72bTvvULeS^Xl9 z-f9!dONfc4cZB8TMQz<#NP+LEw@>?8)`JW>EFTZP_pGN}@pSp$Q?} z$RX%=p`mUT5piB;*|HF43XFmxI7x6iPX%UGnwyEsG`j@<}b3`ouyOc zgSgiMp)Mo4(Bw2IaMfeU)H~si(-1eEqV(Ko3Tip=5salO#wF?;*x&b|iC+CHz{vUg=+cgOr}KMTS?YKcxI zDB)ydtNhe}L`@H&$ol zn-%r9B;PMB(-xYNebIplLUpZcGe!Yfm1Fq0F0kZ`-lY{LVfwye6nf0&=e=Nb3}Tsj-2JM8_sNS!xv*);^7_L*E1a!-kF1zWbhZSQZ~H1FexiPca|Hr{LA_ zJ>4HCUi69Ub?V*oZ>wHd`oeqta&Tn=lYulaQ~ zZv;?#BXVj*T-OaAS3q%QkH>QJ#R_*=9Afh{JPtRQHooPPepNl{^)8D~!-^T`rg7=C zN3vouC$(dB5L3g$MW~UU2wDwY-l}&yG=k;u9anekzS7$vZQ%O(JM?OedrFZ!x~Fa& zq-bc?k}A=@zYRitC|@ppGaoMmYOw3FP-o#55r%2e+ znW2}M<$Xv*LV3hhdCz}0=-=z^|5ErGSmTs={i0yjs+{Z^ii!gHa%d1@LW`EHFQin| za^8(sx03B81QxW$BF=mQhC9f_s#!smnA6MJ$L&whf%VX!>Ds+>QuYrp#58rNq6f=5 z3iuL~l9JqGXOe8-OM}AOkqZf(J&<#QvR$srnIoPn=#Oo6eZrx}-Z-G2l@1E^ zRBscC!>+It?FfNjG7@p8yZZJcPRA5=QNKZa{}d5qHdf^GD&oPKVN-C=0$e}bm5FP= z|M}Io8I9_D;K5~Ng(%v3;M>H#Mi#W2*JN4`QR(=#C47Ow7d4ogJy^Ym8P!i8EP)jN zl0Z^(FTBFXjOh{MzjO(d+fErLvLFDbi7Sxx3w=yjrg}Xk=S^DsKq_lnq~g$E(3zGN z2R;(&wbT-9;&Jp*HSKIXT=qu6YZQN5F$7@VK_q9naVeN3L}YXoM|sJDD`H5&6xyF@ zT<4%C%Q~Flzb)Q1AoiNXH}q}u?u%hcq6MMtce~ucSjZsae2Y)fh?T+T{-C_tj(szJ 
zj6T1Do_ryJWtpAgblI!(D!wAsnu>)%O+W{0c&nngA)sEf?n)2FB*tos5vV~NN9&YOODis7?yU_2phP_naTlT4X}?H+#K zKvYO9Rn+_O-V^a5;*itsPp%6=oAnero;1X!8nxclsW~mZmzdQ3{d)kya(mt$JckjX z21fB*9g51PqK?D1IR^JSPV)!VJ)j)SivuUpO|VwM&HRn%;)j1tAkTA(ES6ski&twU5S^}xG@?* zEXsl~pVjWGvBPism_mDfLXv7sC10xvkm$uP8<&eFjq01g>NnR2-Tuu4$B)1<4Esg- zdVHicNpcFnMvHOw&jE3lpU3;=h8{pRN|EEaKuFrq697T-NXkT4BpE#d_N%(mNXLGL z9(ac+Y~jkjS0Xxq=ef^Qmw$NM=N9ZZS0-({I)n{0rJwRBW_GD~7d{_tr4_Z$rAlIu z-}FSSJE@C)18$jYQa>FpVFah1&_dKOv-C_BAI?V>ROD~gSh(iiBX&ML*c4r3G(Xx3 zc(jCt!8kU_~aX|Kk zf+znV7F0HPsgc6l79*-dB97u~H4M($5$_R@z_Nl7h@t3Xz;MNORvQ1gGjHS2YxLnc zHPsR>^Vz%MK5EGhm$nCufb&xW>)qZH&DFU!4M)%O9RX^?dk5}R zJ4|oNdhplrSS2y20vEgjyG(X{D7_GYdoEPIOvGH3R}_ltQX7C2yb7OOd;{!))P$I)^vLGhDvA?Fc?Fk?#Ae8I(ujYgenR*HGW`&LM5#}m zmRu75y}n{>dYN{v+#;+D3d9=kIW(CWM#*q^sWpkNmgg7Y7uG9&hZ*qH-x&V(`29ZF zdCquD44!ogQa4O$2#Ptlj=(=ffK}J<|;_B z=L&J<*?e=s{xfEkM`~_Zy&d_Yi6mEr3i9u1=XI%nBERcGZaz6&4~tw^ujM8v?QV?x z=#Cqbo++QJ->G}+XL(apeYIy$(AscU{ZVI3!rg-brw86lHs9W@q0whs-x|9vS3|!A zmpjhvyHkync^=8h8q4)fPHQZ{K2?Zv9Ch78OcLu9iGnj%!ZT~&P91c+&Sc6rqApc{Z++#|gwgZqbsApV2dr4zr)bC}8z zNK#nk@ZjHyzx*W68!xpR##4Je5EoR(n_k*GL$8FAIy7x?tyi6qwt)BHd=>8pmSd|; ziBKh`07gHp=2#Q|mgH6+*a~T?Z*XNHmma99{Or&%anZZAHJp84#jxA&n*GUr)6ni< zL+&s30Jy`A%+zO|E<> zE-zf{h~rqJgGR4i@o6!&V#rQwkCK{+)6AV74^!~ppYT@Ls?t-;AN)hUsn|zx{j-A& zEt-o;MNfAq_D+XD3j1>b);?Ek)uP=~LC77<*~5~rM_>PvO-8C>61DYd(QgC=J}!YC z)>})OAiItVO3LOgjX85mBJDYsq7z(iPwU4wD~`byAS*~gBrxe-Z#1uG6XQQm+J}Cf zo?aDwB8FrNytKDxRvDK5Jn*4#8_BC4jM!K8(}f|V^3)l^BMLE)Kz?m0s6enLm2P1k ze!=Fi$P<7-{HKQ2fir_j?Ox$vtn!$g3~G4ne7~gmz;AOfRc^`l3|5eJe`Ck57#Fmx zAwAdf7kOgsjC@ckJ8-ZSXu!gLqy0G3vFQcMs4* zI6YtMy1gbi&nq~U3(1hj{)Cv?7v3TL;xcj7LEUFsi81#H<+h5Uv4x*dVNjY;qaFmP_Ciu$huLQK2%*1;EkOhbO#Sy<-+#LOdnZ!W`9*o3HUITd_t}_XH z`@g+=!YD9lqJyjDj^;}T5DSAZBg~y$Ha5;#qpXhN+;Y_~FE2Re-%p#sq3cOH8R%!w z&a;A0^(m;Z=csE+{3lpbA!Z$l*c{I0XiwR?_1MvyOPR-Xm5KaJg+_Id4VXAv@6_Bm zO0Rm2Vt!%b4vF6p-LZ`rv;TO{{ZCj18>+6T8{X!J!^^|u853wIgO}}0CvIQPUG)yS zCXY_(dhobi0Zoa=9N5$4v4s{-QR8PyN;YM73k2Ydr`B%Yn2AFF`{3r)vr9b64`pfn 
zAo-Y7ET^_zFHq2im@%y`t0;(gquz z9fhjJVhkAvz&iA#k0D!CVvc7&iE346Tv&)4w;_ zV6Mcd=TP>tgpD9vdy-ksP#cqA?1sfHeMZSc_g1koV^E8&-uJIvMl~V>VWrP@wna%A zi@nsYCa(9FPU|9D%@RXP@|XFw!rgZ_O)YAZIXBu>q~*Q*R=07eQ<@5X5udfY#4 z@>4yY{M2yTf~j@wxYxprl$W|lj`2~nW@LFpeYtBs5axp(EPmISGG{`yUA=c^^$e^U zTcWjWX~uS4bJsPUMu4RH=_7ePwHSjQ{yS4^{DBz-|CfQA1DtLPm`lMiy`At(NQ#A@ zD-Svk(46~N^|hOjHkwNhklG(Zaf1E0)gW|_EdynRlI7bVbi+NW(ReS!1ZQN=9{<~IFsQEC^fke>C{fU#K6y%!9jr?E-}^kgi*e-3uW?B4kf9OZ^aB$R}9Xc{dr1*>vDVG?n87Q_0K*$~W05&gR{vM25_?{~QV z8#y4lP z6Z3t{$|+WOKIcb9f6H~&Jc2u=WfjPo7Q z=}&02N1}=j0Ix6~98z*hgg14=E=PVSFPnTT*E5=DnyVJKcPzq*mH0dolg6~^Wz?pf z1!M~>P>D`)#?~XBiQL|$dpvr6C)?tK&cDLxk87bK!sI)d5bN`r{1M0P=QvT^mIzsL zkTD5=KrwCP`TwGG!9G~;HJ6fZeSxMQuhqwf;n?o{CpwX$!&;4^{m*s=1_qlN7H1xh zs=6|)<2n`?)Jm^u!^liyor-h&6Z$coVH!h^R|W;C{>ki&@~M2uy8x=ANM#%b>3B_A ze_V5bh=Q$o!ZWa{$JnW-fT!A=e96$Q9irbvJo*cQ2C-;%7uIX|U0~%lBwn>~R@X=& z+9lHYIu!2`0YadhWbwj61*97}uHoYkM&kc-oDhW)dAB{G{ET&gje1Iw988H+9~h#| z{=seQY}U}LduaNz$iU>&RWQ6#$;CAQSt2{Vq(*M;ioeeKgUKsSy~3E(tgz9!IyZ|BV){*Sf3e9{*|kTStE{Lqxj#61Hne54h-#$W@naA*(M4 z8p;GX&ZxWhSC8>XfzcZ!FYZq7~P#xsm4>HAo8mvhuQy1usJ3NE29yKQE14H*? 
z=Ue00Yel&}wGlP$VsRF-PX8nx!iZbH(}iuU0a2{FQ|O1{M*P#fmz8nY3(65kA&HhoF9nQ#^66O^p$=Ekc z5@ewLhw8US{eORB1rd5@vzYq9(PW+41AC;{s_Xy0+D5wi%r;kU$80Zjj{c+2|ukb^*6=tJJaqWsD%|Yb^|3U0T_RA`?mGpzai~IQNu3-;;vahI~OqL1y)Zhh5c`e%=v`6 z_GABlk$Jb7lr`u+)FO!OrYYhwC^N-AR?BKU^?m9pE_6X=@;H6Az_-J+an3(~tmXyG zSYs>28(evIq8GpcK!#mJM@zWEUH%)#FjS(jV)-8({bK*QJbGwn-0Uhdrcd~g*q-Ua zfEOSDw)TkmQB+~_npxoQI@y2kC5hO~cOwETKjyVqZ{NROOHECULBYqdsug3y!{vWn zxUsU{-Qkb0>}RDCT7zn{r*vqnFg1H)mVnI=Pt)?`d2%djCAt4tKoI=xF~K%pF1Nw$ zdb}Uo_3TmdWJmgfcBKITU^|$vQZ$!PS}6YbsCW-|4dx7)?6~$<#lBJsXiT3JJD1X3 zJX8QVSFz^zcl#-WM7{nN->UBx)ERjv{y(d2A*F)ef#kR_=)a|h^$`+$@2k<4^S|hN z3#cf&HEdWBrIbcgx*L=pT2i_Mq+39c?o_(FQ%XX*dj#nQ>F%LxV5oulAM`!vJ^#19 zZ!MNVGKhG28KSo{4Xp12h&cO&fpPB_ zz(CgQk@n0V7@WS92g_g|Ao(RBAwe*O(9qk#&p)^X=H>@lgS_FcQP!y`DSi6-n@g;C zo%%h%u>YwNP1RT6mFx__sANWG7py8-uvI)a_;_RPa#_~!p3KyJ`kq0-p#_73W3xRC zzJb-pwr)oSs3PE;7!kV*9Y%OuAa11+)6KuPZ9wCI7r6K6f6ft%j!6J5$}!*ZpAI;T z2x1Mu?%mK>DV4#B)g6%Nx6n-$7`Se3hP48M-**PMFf@EzJGQ1J7)GaELIORJSC z+wOY|j&lyTVdv90u(-Ef$42qspIg=kW~@Jc(SmKoGBfg5ytQhpKisUxwBC!4{k`5{ zs1t>V(*u9$K6vRT9R;Gdd~|_xMS&B4ha0bpMYAA(;+U+$LV!3RB_Lu%5Rraf*;DXr z30Qb@jIE<;fkMJ%B3p^i#o_OHbj+PQ4Qt!&SXtH(d*mSO(b%#l6W9EECDj|ehs_sy z2t_HmoJZ4gF6zq{-FGK`@IWW>eV?KE0jBj|6;d}ZB(Sg8-SEK^2(cpG=aSlKk zN+CJ#3y^COhgJWb(m!%PrN3O@9VAW4vfNoJ(al_g{jf?Q4iJfV@lo;XzZb$Z94LOA5k@@$=rn?J z5rZ7V$?Q((9dt_1L}N!&%rcepWz^Ph!PmP#ez*!?37%o+;PAT~ich8#WV*{Zi#rbk zJVA^Xqu*kK4yCELoA%1Y5EPL-Zl@dd%ihg)x!p6aLtN9up~-_31jN223p7C55U3Y7 z>YLWv+x--xLyvdxNeSHM6ANG*tu)!WK*@B_^23c#G&5jMA0`Ly1{x2qe+|nOYdGiK zlL71xvXklU0QqIBFF$%1dy6bX20GE>@9%8_Z?Pk%W0`x_YnbZ??NGhwfs8x!OUCNN z0}4R#K?nET#%IWV3y+yN{_nQmJt<9MAKIye{;r#mwz1TkDUKn)SKfO=nhb{(I?_PFe37OJLN zsTM)&r^Tk)ADi1_x#xzOI63k0S7lE$bnIyAvOW|He15+x^1|UA_Kb61gI9h=XD*{-nQZYsSC&E3SKXTS_Jf!$GA~~#u^f?z z5?{S^er!Oqoqe{T#_{LQyo_l~yBPm#C$-dBKN!$+b3Z}wUzZ^>I{dLr{aN|GVlp4B z)$}M1?hS?1{d{X$(QldzNuvL#RGJ4nLb00A{pu0E`eoPk2wYc@mAsmC+z&|64R~9u z09^?jC=HDng?1C!0K8Ak0RP71gOk9SnHd}K?Q@c)dYk2F3Nb$C{mUhfBcM)>rr+A;`2Uf(~R>|O3MD8~kfj+ou&dxBPd#u@U 
z=X8@$e`{ld_%tqo!;U{*rhjC_d+2-Yi4|hIVD$SKq256?DILwn$ zQ?CJv2B(8L0tTUXgbsnX(H>{N6@}Y7I_9#)f=*uH(JDBy8cA^E1$zPA2;0tJ@7w6a z4fq5DQ_u{Ny`LUHPjx?6RY*w4AY6tf#Z5r1`2B3N3!6`fscW;GCW!L%>&mDR)I7sj z*vTw~An7VmF35YlZuCHiF4r(1Fi2*ck*IPo zWqcy^dao>wynQ@hR@N%~UAGvP@IEUV{-)b;I|@#f2JH=#xUaR}n+2@hWAX4vMWv4!Ozcz~9bt?t}$4KEjS3(XXYJ2n1Du*Xc zO)h(fj9>hFRnxc$SBLVQx3Ir#CwYc`Nr|fi_>X3SSNcQfGJ~UV#O%HK?AF9rC0b-y6TlA)2)^1}X0&1o9a8u7G_1B)mXz=;)~{^E6VI36A``$-_+15kc` zvh(&U87M5wa=I+yfp9L%)K0?%ks1bc%EeAbG=*LvEMMA%u~qI!d({Zg2tZDSDDIM zGVRdq0xTjhEKCX+ipg;Ga=mr7X<88-@mT$`R@fYFvth3XY$rEJ#Q^9k+V6aB zv{kEd=G@0|-*5XJ^RF`jj-*hX4&a7=#Nd3C<$b*aO#e?~8SVe!v|u-b7i7%62ABC# z3{doyJ#qt#(S|IJ8@r0V@GTt5P>?Ar0E zN$o!L?%anPcaVE zxuRrVL;Uk^ctfwcV86$rT)Z9K19rvA;R0NZXt5w>^q2?Yv^qm8v-PKX0(v0!iDHJ6 zA2^{Rl9+Qm7WT1B92V!PT=WutQNsYKi4DA)>fA+u-bs}bl(&&L4|sFpu7Eo8p<)VZ z%dqW0GvF=ilLmbA;qGWn=yrSxbia*+Jw=QT850x45mfS?MG>Fzf>%58W)(%c!LGmm z;Wn5!c!CCrbb2`e6?>^%yM7q6yT!aiqa(^)I6LYZ@CL=ih`&R_dw2GxO4Ih_09*cy zEZu2Jv#U*38;h9NfW7d2cP!~+*L5rC@Vt#Io$g7;P#VtwOoPvPgRK$}&IaS}B*CFh z_}!~MhCzX$=MyKw@sv{SA)n_@H1uwcUDDReTO9qC>+wGvO-h}THWL<3*ByXu2Brlb zH@$6py$|R#*^Q*V*~3MYKR!Rgra5$f)GgXTP6zpMkWoJ^@B0=T#M{5lPP@%iM^8pG z<{ww+uA>z(X;dFX`KcpHF(J0+z_QY)jVQEomt5O*tweE4rkjhK=RVk(%Df>0A<2B4_->#3bwP$ z+~^Rt#i$`Q)Agg5HD89v9jBUIY#2EF5^u%2 zapn3_VyL99eb8w*uQ+*lE}~VhO3g-WBQeHE(B3ULLgi_=0j;v*DmmIlu|i#>GF~s1 z$fy5-D@dvN-Aj0U+^q%9bCndawswl(YPC{zf@TpnEQC(&rv&V~%imGs50oiqDU0n; zGmCuX&Uc$A9fBpYg?_<9_?!<+FB%$nr&)oZu-iFa9MIe)-%K}wCuGE*vvIqO6s3V3xmrIjFswWm2BTOG zg1VXcEKm_@EzdMS-?($$%Hd=jb9L>qY3N+xynCq z0u8y*lOq9KULDNa2NyhDT>vRjdLC8)Y>Vm%IT}3>SYnJltwdL@Nqh0mZy3KZCb=gv zgP(c^I?R9M@1Qf<8CM2yfX&iyOFocvH=8fxzOk%}IDREltaC4YbNXj%M{l#Hmgmw?ZUC{S7yf4TBGUNp~h9_-+`QG{sn0COFKO#D6y0PwK zLP7xUwfv(Axla>?ICWIGP}sbUnTg2;1adT6-J<|H#lXCpB(Ab=5l~jp^7-JO`JkO* z$7kUM*~JNvtKLj^-X8r5?qqM#{kVm#JT_8UDPt1s420eESOyHZ=z5al>123BJ?=XI zJh5r7I<)O!9$(kN`j2mmMC!WoFa#y+U&ahsb%n>RXGs*%>p6n!;T*>?KDMZ<#8IX0C=W$umT7LBZ_lT5 zAF6~YCB3WqT4yzDBqT2<7oQyQ!w8#FWV{{$gossLz=X$D_GsFCj<=` 
z6BHXui6&P#(+LXV;!#24sNzeMNdmT+;I{&kp9N6Mp**Uu=(wtx1M1@UTdq zms;!Q<7+g-06)bknRw4m=*R{RFP(qm zj^R(diN$9{tYEuGzLK~s(QCb~D(@4+efr|H$aT4xlrkacH1rD&mE=1zahG9Ya{J`G z;P^gbQJ!LrAAyONy?tLebG2&Kx@Ul6G2hrn21rgbxId@19OY4(WPYi#e`tvrabuWn zb+il?{u56v0HJ@55e{CDL?p0zJ?JW`Dv*M_QB2^CX=JS>6_Xk#63|NZH+0wj_B~RH zF6}9)z>Jkni|ZR57&eob3<{+n2n6cQd&z08bbI|wyjHFS4$yyI_5hR{kt@h~^Vr-X z+)q<8=y7nOAOPnX>g@sF_nZ#2!gvn54u4-?q=lznvr{pZ$<1rrpdT%Y`jHaY9Z&(r zErx2pvs3^{aqSL&x!w~cWguyvMvaU2nguN*DPnuxU&PA+{e%J}`O5G4W`IG^*GDLs zfIsrRJE{oeKasQkiL_w6xLEx$(K~~tdFxhrc5fuW`*>Hz-sM}YR=U;S6ALvx20Bam zgym&re@|qp6V_-oIWmaKo3qt^*Qv4>adhN-B_@FF?jBr5F-4P=%1JdL=lje~Z)-5c z0RSD0W$&@JWeq;f9o1f6duQ?ww%Y*fNsL$~pA#dnxdG#4`IN!n$O(Lacle)_ez3jQ zoaxZt-IV>{q%WXcm}<;TiLLTu%1(XzCy`^tQrp?M>^MMmXj;Zi8g+3C;Jj=7Tq zt^$VJ6N2HwDr)JPyv1A5TUg*N><8^N0BH)wuJaxIx?C#fZDdVe=ELi)N5NA-)5TI`(kCh_};0c^KUFfxR+3SmEft@&7ooA%XGOW#1)x{g&t90`26{-xwSd0KkOecsjMk7jfb~ zl-*^77r5=5+v`_mPnNAHKy$0>g(nh*^*FtFx{xA5QSkgdeJ{nTbij83W$@kgkLnX( ztYW~fJnp9=ASB>fbmS0+V;6~Dlr`-#`kdZ36Q1u%BXslqkPDwsds!{DG&0$thSaI+2EuFR*)bb?H{i+06A{@dPWjl zy}AcCCPI3h8^Ls}#ApQ^1wc8jBqtwG zVhs>&B8heAKYQ8z7V8mi&irfE`%2;9(JQ|A^%Y3=ZG4{$7RXk7&vrv@(Ub;HR9x_v>3THVj-fshvEQR105Elcl zgV}oks`K#e(GXyComnWhc*>)qk50SkUnr)t#Za_zt;UQD)TaKrnz>IZE8hT2UNw*I zov9V&`dN`Df48;dYbdXl=J0wsvlO-|CO%m#qc|EGT8-pv&V7N-{W%1ibnb2|ZJe2v zJ{iFPQUWPdG+d9_<|vS(xhJd)CXeT#?aB8lphKc3lEkL@psp{D?l-=;n=yb{1NYYw z&?M%e>?qGwxX5}v401#(ftEu)bl|J|(d;ViaDZCEAMH?4!100MS%qt1itztGa?xiF zC8s*wf7JITdr!Bx`fJ)ib{AlWHaS-b*v=*z8c9Y)41ph@XK~qgTQvZd1IFjy0eyBcJc zC+ZRj3UglzMKDme?lU6hC?T8CtgcsDJ8D zksOs$u4MAt{ga~R{0}k>EJwS30JvSjUuN103g6nGT@}6?kp{l*5cC^!rcfl39861XAt`IBS@4*N3zQ5^G;0?0mUtIDn@`Hs2-0Gs=9)Swm?fOg) zdvTCe9#W7DD6bNm$tcC?P3bvH#>~xpt9Qw5L5o}7D_!y!-3ysIst>tvD?gFBxvVA8 zF5zywJM=3{ypKHx62M4XWivCpf6g!RafxodH4yaFh@ozyH>>@!8TqeNCpYQBl++{1 zk&uRUIz1E)i~JYmz7%}5F_-eew^>q1A7XtB4-A+%G(% zyK&6xkuia}Tyvs?qTuzK^ixlP#L_;>eU!I3sQ=JGL&r)^{BclnA0Va5dU(vwA9Z$) zVp9AUYrB^Xtqpu;MUXg;L!~w?#uUL5b$Bm_b?p%wgqxN9#z8j9tCp7zn*+&$o 
zJ28_@1qlYq;cfW8CHw|0GuWHbF>N$2{PysCb>mv^rSdY|5=em3`A8gV^b!-{{kq@i z&Np_dBt8F&BLUKj>bnJGFD`zH2MG6cle}!Fpnf1NUhq|nTp`xm>ZIN^?t*HS%->Dn z(88j9_E~tmPD=)siIK$WDL)<#bI)034$^@o?D`uC*_Da#egcccd^(phu?03a+7(a$ zVGk*f261!eY|SM1Vqn^N#sUE@oA6y|`p_Ds)jvSWYCXj74edVLQ{D$axSO&K`#tmmduXrUD_VHM&Aoa*RjUW1p*63F`R~qMJI0woU;mu8R823 zl}FsfG$63=zf0UkCKA(Z#C;$S`mZLW-2PLc5bA>8O^h~D>AJ@Kac(e`AkqZI`R0)_906Pr#ZF1*i^GBJXdwZ1h? zYwj&g#~8Z3X-TDPLpVx*Cw8oi0feUf#a(EMF_o-3=I}tnySM}>2pl_POuIBbJTiO* z4zcm<#bgK=`0rYe<+)5ZMRRKi?wbMc6&;|}Da5ORka{(k-w2qz(Vj8gP+v>k65@O? zdz3LORL+U5$8s|=ywHR(4js8|IGYekq&wMY}DogsAe ztSm6wX&i!nrM!1Gyvm*iP`?rr|E{ofesk;IXon>?P#MQiksftrXiPV^&1=hbX!?r! zd@4oBY7+1fTRr;xgr+a&w0o%upF`UxzQPc4q^hwoZwU-Gg}AsCqZuzX+NV7a57q9AN>tFgz``Q zO1zS$(yd<-sGPt&nETBGetffQEQ?Tc2n|D{EhEV7cDvF{SDdUEviXAw zjC>Z@kJ5TW7A7t#0 z<$!)w9t0q_Ipso}t6NSjv4{h$H3jezV7gM(R=YKLjoJfiBKRZZqM7Mz_DkPoYkh|t zyozZns{G~g0uxN*ge!u+yjpOqHt5p3eZ%a2t}$~VQ*@8Tv6*@6AyGaogU)xpxp-Au zKR%3bPr4k1`h>vYUVvCiJrst_1S9#1(N__9d;I5G1RJ9^032@sY!fW9^vh4-giKYj z13&#WQCD*i4+hWvHM3i*ZiMG|S2UtouEAQx*WT|=uLIK1&l6Ktp*OtbR&)|=znd#B zzPZqpXd`uL$e7xYza{u9UL!?ZqTgL0S6tBQkOv8$yc4gMV{q{u@7QAgyFJ82%Ky3_ z$d4)S3)h0lmwr)>!A}_2$9@;THk6Tnu}a>euTcTM2v6v~rE8uzAYcpY$u~W^OtAEs zFDFbGd78Cc*}2GyOVmidaE0yh=&JeE?}6z=D(a=AMcNP_abWIm&* z?)B%zva?!Of;F4DR8cFjeB7`}}PwqYNY!nIkNM0Krn@$UxIoh@&Bjy1@NH6 z!@jEBSF!rKVG+$pbevyXhy3p37x3aZ;95y68J#1!!M?E=oo8mL7v=weWt|vtq28YD zB`HoX=S^1MwdB_}@LreA^6lO;GM4b&SnNsAo8mC<9bR-JI#(Z41Sco`%+2z^O+kBg z)B#5oy3Bx03*E=bQU{k+7xOd11duS$;MjnxZaqu25oYf~A@emtx0@NOU6_GNpG%dc z6;^bvWgn!-(f!@}85mIst$#lzfFO>2`4v|5!W%ir09kxze`OSB3K0qcY$X#nH!U}J zqJwKMAUQRuSDLu)_nXv`Rbeu4Sn3g~_X1pFv8+$?)4_f@g$>?-Z|2#zrE7Mkc$|fh z-4NdG0g?_r%*PIq5%m8P?*WR85?e+)CyqRl=EyLn=mkXr#jBgC=)xbrxTmq?TMfVa|&E=-~$|ve(cplzBQ}3 z1m6vI@@GfYrGj{af-;vfAoX@OmQ`J8-L0*SLKIsFhJpIe%<$GpDTh>grv_JPM!v=Z z^ecn)z>eht<`Et~`&FpM^(8g1qloFNd$IdJLSF!<5Bw7FehB51G?^U94eNrGvrNzp zn3WZw3JgURzGG&U+%vjG|6&Ajw)tUnmG`1KXsc(rsr4hD+EG0yUJ;!bosKmGKINr? 
z)5P0mIez(geuInE>qkqh`o8$1ef~F8WR=k)W?P@@Og3fO!CvLE?p<2Smgr?Nfu3vZa^&m?|9%Fj+-Qow&FKL6&vAk~zY&KZcxSobuwN}-N; z{r)z@$M5kQ9!NPG3eVAb-aE?^T3=q2Jwbg;UkJD`e_drDVET>q0|-|N&7}-Kefs1N zLicmU3X>~3=5t@H7q>i<{6T&NSU}1q=v?PM6oqECyc6RIP3^T37-2sA*xmTYTL(G6 zDYD{-8TI<+sHqrh^ZSo4O*{6fXV z-f9Qm!_*w!X%(l6Y0;GL&1_O!;t!4#giq9nJ`x6n9TUUdDtvtC@O z;tJ7xCXaFI449412x>=agxul>UUsisj$(XFpX7Ci9mxq<)r1WtNzBdPD*1T}d=tv^ z`S8o8&5f@47_pG;^X?2VnH?0IxrA4`qw8~>K9{p)mUa5^>t%kPPO+Lr`DlDRlN!Ro zXC86Kw#V0#5^FCtb6zQTY4@D^rN%tGu*rws=Fjdsk`ev-Q|A2czgU)d#k^_ZYYtxV z_w;8D`#2T7IEt6@`&}z*1AZn-R7bl5oZ zoaUW1`L}LiH_dTV=XY*gRkp|OPJ^Ky;6YE={QgD)|1(4&2{06L=?ti;#`0>#C%vNJ zuwM<~fLA+sdq4^%TWL!)>+H(KS{|p`G_QW&7qpY#3Tz#|E1z!zFL&0?bd`DJxqdW7 z1V)T_rbT=iGDc`lT|l^O-J7nNF4LNTfhdr)vS`6fU zU`m}MKYM6Jt5epMQC7<`Z2d>;RIskyvW9HdEi0YdCgy&y;*FxZAfa*_jswr??a#hF z$5)9XYeueg?Z5YWxOVnjw2jOk-+(i!i;S&?f9bO{9))#f7$vS}T{V|No1Jgk-u|8f zgS-={Io>`w{#CSh(t&>Xj2|<3vY*JA^aYm-N2=iEBrXWYV$Yd>r2O|?*$EUXn!pL` z<&h;LZQ6*iW6F>ynA$jsTcQPM+U73OW{H-rEGBu-h@K*wM_B7kYTg#78>0u9@p7el=C%Yh_|2AXy zNODc7_GcTClCv?#4;H2b8LZ9;b>rU{`eoesy)SeZyk5WX0p{CW-tbxdRUgJ{YepbQ zQ2LUWg5}REP$wL0tGa5|x0lgQin#K5ck0fG@dkmifo0~YFgU~Nn|K;~!e(>)Dy~Y+ zxpD2*@#^z%?=_2kH_!w&qS-ZwEB^sW+r(QP&)fE{FXge;_IQs_tzMdOLOez@;tjOE z_k1&Rgis1-@d!kKykgEX1E@+73B4m}yTM3PZ`uE+_eGOI))7~HR-lIz4gJM@O;3e_ zjU8$?5gPgW03MiB#V0d#z-k+CA9f>%LMSvTSU-tAD>+@?4OkgP+`&0G!B%e);=HCR zwIZJu@P(EpgEc0JeYGL+Jh2fULia6A6isw1c*m&Qd|Bw{@$xZ_&tB9Q&!$0ZjNb)l zWB-UIfs`!RSs*y|r?piwreg!)sZ8+T$Y9m-Wq+$IuPV6QsNp&YU8|3KH& zo#2@~{xL`~^n3j#fvZUi7BU{>+`reSnrOuX(-4!Lhpg{3)_caT@_`q7N*yCcSopEX zvDI{?Zo(fQUwn@uq?`$S0{$uE4U5U7V_sgZ@u@f=8x=CVYr{-Kyht|&dX9|NC|^7D zdU!t?9--LsL3X+6EO)d%$wGK^mFwKhw_!tlMDA?63;MmDvI`r)e_#ibW+f};Jd`H#xA#LYq?~&J&I!6s)J8!H_lW(KMY~KMTq`7%Ipc%8zcWp$%T7|Ox zn-bq{1M~@Ds!%98zhJ#@&q$N+vJKoECzPtci*I}%&lgN-R{i2hkc=o)g*9N~UnD47 zlVMr~NBku(dcyiCs?yIn!<+t?KrcSOFSLj_~lA$c=%<$K0L8xOApsZet zd%4-=TC(r1qYai)UjTx5A*cK5E^;9&F5^@SQN z1=Q%r?|(-&!u+1|a%s;2j+W7j^5UmhW{51}Oqyk04kE)S%DfI#pK4MEvP*l0*dS~q 
zoV&oqEfeb*<7-5To)!?KXv5w?4$LEfA+Cm52x@C&VZE#_2x#ERU_Wa#rDVN#)w}(; zn0oDf;~oKAh24*uVqU41XsOaUxS~R*KnKw>`|@Tt3fp#sv7$hktkLjuwPeVei)yE( z+d&XU<~274qqCD<8WsFC!z<%Pe| zzUv<-%&u;Zm?|Zo=q;&}@voET(cE=4gmULDe%2?RAuP zQplyJ)1W;FEZ;;Y2pg(`NSRQX(>>L|de>7=rHqy+0L^e4|GM7XE(4uElm2{Tjb5^` z>-O`%VtkM0HlRWYx+OA?#-09(F`^cHaKz=6pOW=x7-3#v-Qx{Ow7vZGGD{u4J}FM^ zoE&SvPN-=!MYx}o7{^{m#eCaU^2}MfG57_-@RSOl8k*+yxyp3YMAr6hRXWW?Xa~RA zeh$|~8sy1oxLRj>ou&OvrvE&(;#FVRrXiUuR<-Qf097^B=-sKF;!$L^(&~B-Yl~Tp z8r6Uh#ig4niE=Qh$iKaLzQE9d92vR;k@wpURyqqfluQ~EqZBt(zM}3s_4UKZ3qX;w zhmqWO81As6OrIdg`Hhh1qHirf3~|zvr5K_1Iq&Op5|w7*)#wC_Zl9_$?Lz{Nu_crs zR+%x_1E++^Gr`)_*0rF!w8NF`nsVWBXNA3Om&A$qpd@;Ez>4WE43!M`54F{ zuM@H+KqrGPDm68_V`uq~r+pd>%sZaw(utke%&MKu_#{g1JYLZsI;F*u{?Ng|RA7n8 zaK~z#6jTvqU;2q|edXmIiD@C$5*PKODv4kx3T8u1Di;?nkH_xoq;s!4utdca9U}${ z%Daln#lmHLDd}1>OH7AK%KePeW~2u2iXwu8vY`x?==sdt`*Af!W)WrmLIq%sk#v1v zlKWkf6st>yJ_tv7SG?p6N-!S9?KE8n9}Fog6t#F(SM0fQkECF%hE*+l*$V%io#EZu z!s6*j=O%xrkl>`IGiFN;cX6~D?rG3dgv0XY%p+Q~JAV2_!}Zfr54K$twO`a{V91E2 z+*WkoodxV;6{(hl(s;Eha%|?MVj=_d0o5;Z^AH>HLb;}g>@6UAAmZ22kno(z|f!%ww(W?slcCA>9* zHca*V&)Umz#m>+7RLeinkJE%j&oV%<*0y5|$k03t0zK^}PJsYXO=UQ9>ELW3lvG$V z4JM7Er!qiGISfcFldEq;NCg`A_?Q2C^6jbAYK*eOyB6>7(GA{R{9bO7>ci&fhWt~0 zSx=q5wW3I|EEMu|V=0dKVddB@r$~Ce^9)do9D<8I4iY`#f%W$TK^{!2iN5XnGSa@^ z150m|XOdMsMyZQcN?8JO*dlD2!HK5{;%_sGpOvE>eNHF5AXYU#8!6~YIMcC63qPJP zraD#5;p{u!h!DNeJ*DNhM4peszKOZ(G1EM!(8HOI%0(!6_fo3aNsosdMkn6Bu}}nh z#7@Al+fZ!S)d+FxVOtowx5?H)Cb$WElV;8*nHBc-dpvsFHi?8fCaj2Zhqnzj&1dl` zsccz0ELHifl$DVC((~U4(&h5lVKI>ra82zA&*Hge;0zrW27*gCF%bhH`vx?8w=P~d zE^{rOY@`ee>BZ+a`@BR{VT+Wyc)2Q?Va9<%C-}|lTOTlbh^fQjIHyhK2lf@;cZ5nM zv445^u-%;5ZtTI@gry%R6+eT#IRe(*(n-J{;f2jxk{>sMjn8?z&;2o>_i%NB_a>_X z&hs+s#cO+SHQRTlE;O351CJue3hoqN-z35A1*>O;m?#Ed9~&+Y1~+b*O~ZYDO*8O3 z?P4PE;URebEF)|B&hmDoyppE2^*YVI_4UR^0QS?Dj6LubPQf>scA@Hs zu=3pAqoK#)p*6*D=7A>@D^ZtB`_}@&tqYt@ryhf*{aWrrE3Zv`HKL7Xv*d1Mc=l@q zg0yWP;13bF%gT3_24&p|bBxCda8cSfp)32+a1t&E{lewxKes$SJ0D(Vlj-k+`=x8y 
zNH?Nc=Apl$b@&`1w^2N-TZ{MXxTv4_+Ae~XL4%Xs4R1?KhmVKi?toudWD~b1(pc`7 z@-_?b3|6iP!W4Q29s!G7RtB?KlhGO-eA&3YBz)N$+bY&X*!>W4%|y}B$qA@fHP<}sJgotf&dyoktED$lYIKmXBM?oF zGrgX;eUvCv7;E3eF%#^_>6Oz8ld`c>sKh5XzAcjvK(TG~cYSny5tGC*tkBuxcGfC^028mo%t<&!Bu0)79up$z?hzi5Pj@X zF{jzTI6$*5>!cQ=FTEe+Lw=OENpC;b*>j?-vCe`D@s=X)uV>%rdYGr~+FU(6Jbz%t z{j`M~Kc=L2gd*}u8HF6j3i_Nup{{n1MWYl@fZMtkapIj27v`BD*J6#4>xM+Zo+Ogq z(7h79%VQB?cl++rFhN&Yq)VfT`X>n#h^=(t(O!7V3vs`a@=KZgshGWPt$D+b-Mz&l zk9*iu$8Bw8WM1_3KOS=`by}b)N(}u(O&&~n8^k2z?EgyTK?LD}?`*~T1C^vaO-RG0 zLKhLJX7ZDAbv)`^ev~rMo>Gg&9z;CGPIe=*^eijYi%^r#2`$RAdT{w}PCYSn(fLQ< z)kn>mNLbZl%(uY>JB~Sxjr`tN?^m=+KLwc`SkROg3^sd)5lmP9A`Ka?Kxuj-CNVJq zD+n?RyZwE}($pZ#NFwXti)G}B{!7lm?sF^>^Q z%GxUhtrMb1S&~Jqr;VcGrzW0DSDJyG!|Ku&jD@hONVe-JGBd=ZxnuQz@kt>uwS3Pq*;(L+RwZ!w$FSn1Z3&0LGvsS|uQ`(~? zbJ>G@qedY67MezgE52FfEfjoZ%eyTdk6l%Xi3%!qRGii5<)q^QxI^yyt8q9zLqS|3 zE)JS)B!aXlk9dw>roTvtT#^!e9aTWpSA-fjFQ3Kic(SfKh%5GS3v^?1#;Bo*7Ac|L z(3{5iYDVaF&Se=*p=223n&ZtKwi({iyo36HTW}^^ha??~w5Toof$F-O_-Gq2( z2HAUQPzIr8LVQ|A(1tQ%Pqz8t&b3NDaGlS`W|sAS#eAtq8O_OCFg;><4a2!>(#3O< zZd8I|QMzGyC+v(MT2psRJC!OGZTJg*SJaLQF;YbcbC+F(d| z{GG^MGbDX`Ax&6ogAe?HV)a!P?@s`(ZY~2WMM|8A?m+Uo=5G(Erd@Ph%UiY}RjCLj zPv8Gv*YTVa26jgH399K1P*G)TW1Dx*{f$Z?}xH0QzY?w`)_tQ za*r?k{Nkqix*r1LRrxQas$C}a=q%1DiWKj}7mW5vQ}uO%6zT&sOLiw-zZuXS`awV} zn1M&`$Za>qEpAD>Gu^Pd6XA3%bRrM>Kz2L277?E~$R_6|Wf) z9PcS;`D-zYO)?^-skl2T2^^=OSgDhBOz^1`gqPU+I%E2<#Q^q_R)WFv2CE)Fv9h3) z!Lcbqt_s6G8-8HpqZ_NXW`5Kj!H>zg^G2hZ#@MYvy>Ffs9(>C?O_1WV z3e@)%iv?{kmVIjtk|sQtKSvwexg#y6 ztZmMWx}*HQBaMXkfqCQWay&7KG{e0Ue6i0V{X^M2b*Z;ov-KHl>3nm8rP&@Dbd%)B^oa7H(l zI*4lq4qZLd0f9@e2lx0s(%|xq?BvrPumQJu@+r-xmGt;z+0_AM!sqlnTru5BpLrpA zL)XP`0bET(F(;}89#yOiE~6H#P`-MIKzw}MiJy8lghwwWO5Vuq) zVgJ=6%7+>yO$L&H3lq4(qGXzoMQJO|X1}F3>yNAZ0uAF75dQW5tptnmus0^58tVEn zbq)I&aefzzW}|R;iH;|p)XNaoIQ!7Buo#xu8fTQm2p5EDqY2Uu&F+a)>0mYuA1{8W zzR+nCDXfWv80M~)m0#}4mLfLfK6sv}U-wus{6;L+W@Y=$xZuY(wU|Md$3DbhA(_NS zmIqw#sYSWv)(`s%T7PEPR9&T)0ipOXNTA?380d8Z|)hGc3Eh1Cf$eqUy5 
z@*f|o0mtv}1Gw*)jr%r87Ptr4fe#;Rs0`aCl>r`7T5|OmZ*S zzH|e|9m2-#_Y4kB{06fb6IIepf%Mft?45R>8Rm^n0i{oWK7Fq2`^(qfD^^ZLCpzT` zhYB7ZnOCgDF`EU4LIojw-6p&xCr>KtY27iN-^^dB-B4R^6oMQ_OJR5>aFl9AUU2!Z zE#W5+_(c3f{1ueS>OSr1ycInH-%mv#E}@DW?oZOQZXrJWOU9qu-$!-kj>4z-zP#=( zK*w~#Ng0|15@Lyj=mXiA>Ca(jDHLxI@49$TR?_rur2+4<>_{zGpPqUk@^?BROhMB; ztR=f&BS?{O;0VJaW;_BqQRUb93izC-@^GTpaG!Yo%Y#apehF|)_|^V=B)QR-)7OJ#P@z z7qrJ}@sJBwk%uwY=i1o5l;7&+V9OE*MwYj=p(0-@jv8vF4olV0Zk~52;HoQY|Cr(m zk*%%$M7Y63@i4X`XrBVWv~f|*RURTBZdoo%{1;nWxY%V5aS+~NGxn65*C{DCTU($b zklB8spTM1eYgtd$BX`$=>=(J{DEo#R8`mF;+pTCcx@dN}!tTxuQu|jOVWWzF?E+C!vyU-S5XE zufN<_eP!lYBgq^fO+n0{A#oA2X^AH6CA1ix1%}H8J}Hwj zK{u@RxZHhwa1XHToxz4-3$5EL`-b2;Tt2qP^5rTCmpgeUvah6>EMQ#d_kaM%t% zy8g%qav}bdDnMJw-K?F_5UwPGnf=h8JHji_s`f@)gXU&*ji?MO@Jqq<+$M<*Sth91 zm;kILU*gPjcmWLZB49^O%9ckks8>f>bi1f{Kbj628LU3ZU%>M}k1q0CLGfNiXjjv5 zH{#y%zq4Io?50LnAs)P{KEm#AN@m%FN~&b?*n8?^K@yPB2k^+^Yn<*_8Dg7+s!P0c zZm;(m#|>E%2%Osr25psymGLf52g0OtAI%~zR=sJ+wB+04E5n_H*$^G%H}Vu3C|`yZc>M>xVv;kVL}lP8St z?&8^UzlTyHiMZD^r0T#;$PL-=*tZ8ocIGWnbf~&Eo5qp+8nu1G$@d(wSI>6JIs?kC ziSdKb#gS$+eeyi*Zl#zfKhErd_{2Xak=EgP6?!)LaU^Hvs9?{|55eb@l?O>{|#luK`4>q99bb5sUw_nh^*`_Sy4uHWM!NP z$H?BY_ueycviB-`WFBO8Y{xmr@8!L|pI`rZT@{!ivDF05vYCG)PX zM@trc+4QUJ=;&+wRjq~-eJxQJkH2Y~6~ymc3nC>L;6i&}S9Gw849Q#3daTt;qiU+u z8$Gh~w^T}b8Xa$iBSf9A7?e&)4~>j64=vHHkT2CHPTctPauWI8c3+sNAK$g1<|XlK zd0=vFWh_zlGns>=|Cc9y;P4qbkHdBP`hXXD@xW13KOfj#Apf$9F=tA0+OB(8G_j?% z`<8E)N)fiCN;{z(S(|k2%_8!f30Q+xKLBf&go%OXd5iN!Ozqb|Lj-=-aVJ&nGVT0G zOW_yKE9XB>Ya0j=wa})%5tMkj>|>RX&L>JinJsTi?X}Fq_sIsu8DET6p7pD)5zjrZD_`16>51GD2485F6G!?~x3*q|M92f{0u{NrV$m=_!=Qwr67KOIQ)QrIgU!yTVWRXxPF5Jpa8oyQ{UHx@B`{%NGEOhPLe(xIn- zpFd^G*pO0DrVSGPL;5Ny(Adp=GKcF>uoLrOU*^)V{}F?bBynJ==by9TF6kt%x@)60 zVzfL-5d7YC@SF)cLG4byLfuW#nedEfYDyhKN}rT|-?#VWuOG2I6?ORZHNx935h1W(m& zYxJKSU1Uaw9&ZIo6ZN#|VA@*cT{b2#5mro5G!qUQyRNXEKEoFVOv5=d4=7j_pV z@T9}p;Sja4{OMpmq8^1=TD5bt4lxz z1;$nhtvk%%F?7;kp)zt{ec+DMAx%}ZOfs&1*h2(L!~wY(j&yJ=rp5(Qu}j!D)H)eEyOeWE>J2ATdYUO0zd%b6H&3}G|NcwOy 
zMXDVYhL8k(H+T0t#~AZYPW~Aa+rvw)gDoXs@kNZpi-N#dC8>-kg!GzWcbWq{MfOca z!V1<_?cQyT;ut8FR>y8Y;$_dpo&_Aw81xoxt-DBt)EY|EtcHm@_60b_bLWcbdb*@i?)kOZ6SjL}uTn%E>r5398J3h4KhjYV#$XsXk%o(@h4_*P=a zBor%lh-rC3`+HW$LTv0{U)@VNc_oyt_SG{t+3qSmRcp$?fj{o2?4<%nFAyF3^q-w? z%87AtP?qFwaS{x{nIrE!-h?AzaD)17r68xn!Kae=4lX=-= z`)=cflI)nPQ2VuaB4D1Yw&p0zht{dvRQ@a0v%AI5K~ z4@AeTawB+g&wO@ke9}h$*t?36e+KLWczUcVs~1RkxyvdlRoBc02Le8cdxv!=kY8kmUSrjXgPV*F4FD&64}XV zJW(mSXS5N2&AbB*2oCR*V zJog+t4r}*aEcs(M7xAfXoscOu#rZ{itw@*2fV~ItUC~?81H<|vHmhm}56>dG%~d>w z`5bXh<}TCCcKMQx{93uX0o*{G@o%#>MoL-Ti_3D`Y`OXehwda(U5w%P{iaphV~pAQ z6E*~x?!MU%O?2?n5MuauRk58v`C$2NH&-jU4=}DM*#?vAnf=U7@Z~wTjKg=tFq)Io zuO%OTq7=0{$#^1LoUKFiP7AJ8C_{&XgPepsc)*9w%Qh3sq=iDUpV>JvQx_5ouZqSa zmhmgPDY8M4+uOrApq4_A$^fFRV|HBE_e9!y=+4yi@v`S6i;(FrR(X=CF;}Qx(%8uq z9$$HSMw%?G9WO|3m5kvg%n2QO#6RnK?2Ehida6gn?saSlEsiyo<}eo9H}&)ydD*R% z7J(u^t>yp*Jeo~j(X;^zd)LtH zH1sr(buc3(h8*Wr8o{1xrX5wYtTToI^$m9Ozk z`tlTkrOZDZul=yF4mctiR3qQtCyM@yHWvpRZfE`%VBY=v@AS_|miSk6U(5nJj(yb& z@AsyHg7x(h?y}>RMcRVRq9z@)u%UAeA5s^B5!eP}9hu_fR7-y6QD={0%I1Oa^J$jw|`yg{?92J<#bo?>HV07PCcX@r#U|o)jD=?3(O{ zy1RK8p|?wZnNOndIT@QS(#M5?+zzOrp!X`Qy0I7TAdZ*=uLMkw;qh;C7|yePRUcVm zE)15c)p^zHULH{2gX>qCvWYHE~O4{P@K zU!9(z&57xT;*(NCjfl_l(sS=n4Iu;Ui>Ev}!l1d*jw8apBV|f5@%^;P0qzLCHX+4J zno+6WVEO=P&;Lfp!K|nzP)MX`HzO?Gg=Lb* zT>Gr5;Bcy7xrpnN({ibo7B{sH-##o!pfvrwC^?H!l&xeB{3%(snR^V* z3T4WvI+svKDd{Pb-*z&gL)$Yw<{-5eiR88Is7YfhU#q|g+}0zc7mz?Y;p8(+rZ_@H z!EAJU*y!dlOS!7UDS^xLQKNKc@57a&0G2E6q|nvzd?o3B9Y2nW4`5aQ(5$(epH>&k z-7hm!eEZnoH&{{MU4CwjHSN+PaRzICesry|bqa(1eLgeq4xdO?E66vx=fGM!u=y4k z4lTWkHLwK}78ixG3XNcmYT_q7La_QO-p zO?1Zsb&^~2UVP-oUq3Ol;Qd^1`QwKJ$|vRtL_+vRU*mlR01HUZYz4h9w+&-FEV~U) z@;mVY0-pV>uxt|N`yJej6&EA#MTu|XMU{Dm*A2&S;@){Y*T((kB`Le-Z3ep5Nx#bC z`I@IX+guY;*+{C@A^a2^9_w}_-XB`B#`C;*^gegVN8Y2-I?ZqXJ7uA;?u{bEp5eQR zcci)zm1UC5YRl8*L|x$*O{!}0+}&nx>;oW!n*9BzaA}E;oZ{@~7IzF^-{&E`7-82u4c84f$6R!_avN12 z=Z)u^ACxhr`bNZ?lcY@|FTGj%kT~KWe4;I(9?`KcU*g((75!bHd^;@RBN+5_dZA{Q 
zcWmY>X0=AuMI<_B#hm2<%Ic+DWP_*S;n?~=EDea8z~JDZ;NWQC>BB$v7|inyt596Z zB3829%DrGdBSwYNSCSv)U8)HgzXp>HkwI(}m7JBUA+;2R) z8x51~C}k`!=;8UPjlzqfkBL|+kj=^Q{cxmn@h{QMP_d{PUj>+B?-Q|7^q~{O|v~&72-I*(g206@wc%Y9;4t1fpfb z%qJ~*+r)4#F=+Fnz(&m5D|M7dIFl*Ow#AjiF{CmvZYKJhCXp6N3}WQF_QV`GhFT-x zdNF`8%LMIAwxrXG16im8965LTQPE>e#tN4KJXYre@pIuHqkZ82i3XTHaazN!XFv&~ z1D~N%#`|F(=UCM55qwy(`@UihpKNL_g;hr@ahN=`WWlfOIV5AUN+xkXSAPBgO{1c2giTI}$A6fG^y}C(5N+<*+-8*56m5GJMmF4bpgiDx6@=#CR~5 zfPXE)@y+Y$LMl{|SGQdo+|9lha942B*@NwqJGGC}w$N*>uB*@2G<8(^x+M7rJ3UDh z!!QlU3#Wl&__)uX0|ri?7W5VWC=&D0o6{;_HQvV=NE~P67*#lju16kPFH{zTr1Mg< z^Y({dgzl~sn0}2cDnWG(h3@X@yFO1z{~GC%*8S_xb2w&M%l$yT@&bR+BU+cd`4k%u zlmq{>Y(}wjKUSbmjI!^}jLU#2CPg(P?TL-^6k-ht%lVhV@zgW{4}x~qISRgV?_ zgx~$J`}pMeFhxGkQFq{R<}{xsst8&Ajev7uxM8rb9mg_qUo1ijGSIPaI;Lg>w$xi& zCsHH*2WF)-R83GlnvC6Pwr(DPUi7BRknbD$x7s|=lf-~xxi>e37cWAwjY`#t5|Ge! zgh<;yPVjIR!^S5c?W~?TeH;vDy)>uK|o>Z-xm4=YXOPY!PEsLy6beW@$B z=M;I>ru?-^WX^g6@kPy+-&CgV&&e>nhRNDVMkBZ#*p(f3ohKYoMn%i|Yi6q?{k8O} z&8}-j+5QK2X%GBHOUcb03F%POyVLN5Y(fTD1+|}Q7FwM!hRjQWI;?K!&+fYt-VE$^ z#UpNoOz12v9#utvy=-_MVk7p?3O z80BVE!RMYo-lFj(F`pYewsH&{MeT2kb#Fw)-)?E@MvUwdZ6>eB@eC)mjc~#H4mdA%U9>P51-^7m_Ya^FMEQ-wk#8$)fFiV*vE=K+*V{_G}xhfjaTyGReDD2D|mA>13V0HsA??6E6Rd zM&bkEaQj@)@j2n04qwppb-r%MU&=j@G*fA=aAU&&esNT%ejR<9h)O=%Wxx8p&U}38 zC0%P|qo6}t(LiRD^cRgCBgL)?H*42BS$oG8r1Cvj)hWz&&ai9L^!5B=iV~kEciphF zN3yPc%4$CARi1=(Ew|>8#Zr$Ry91l6+pmhN-4>>@n+)VK8;4`@vELd^+Q;?egUf{b zInk0^LZT8e?5h`p_>ruqaCO>r03U5n_usZXj2}sL#iMP6)Yi}C|9Q(Mg6=;m9&nu8 zbthdSpn?0zNzcMVS9Zq)swk(@5Fb?aUSD7GYzUwFN}>+H>h`Jncz3v{zK-p@yS8|` z`J$?!5g9Pt^h(N#C(K)OQwWAvf41Xg5!!L2Wtsn~AABlnxc^v2l0DXP?KEOxbfHRB zfjEazd*YC*Y@|Ciwjva>!mdX?yKO=n+!EeR*|$riKDp=kfig8jviLOVFA{%TET1{u zQQE)$dS~h7*4<3%U14CZE$MXIWaw*R@u;c4Njg*>{?$;w%+&~dN5o>LvAP{RZQY1j z#*_a(m+8W<5u(aK_H2C}M7#X;*dI8*t3Zy{wCUc;#ktVeIMZUhs7a47kejo+-M+Lu zwA&W)p-*pwqWAW7=Y3Bao`bd6%k4{uq-NF9g7s1|g1}&>1d0IU4d#{7^Rr%$mg!>t zf4rohx( zK*v9ro~+k9-}!b=Af!G$Vg{qc>KKD=EGU`ZDunK5H4Yy>^MHRgR^FKT~Co&E4}tS2VNAA$M)bC8rCg 
zOP*+WN!nAZJCvkEjh*9sK(_YQgW2ERMxRRgN2OOz5$O*NxgJ_<^S9W^Zm0sR4ZLx^ zn)GOWm)uI!W!_%%^dTdkE{!quTCeuJlo6O`fW_9giszWPkJh_B+IDzF6XIZJlA`OZ z`{xxLajj$QWGpjP&|S1-|Kxtv(gR`s(Dglz6L=+Vw#}Wy#DJ)t z#kY@$@0O%hRwNr2`RAXmpK9B}$+@ZPZ-06migOr#@35`{dY5b4#^Ub zfrVW6M0oKPdWB7wQ|7VxS*hRsS8Izgs--r2NFsgWVqny+4nU@sfTE9bqT@X@X|iSB zj(r92CbCPL52ipRh<`@ji781+09e4gEu zaP8|2@WHie1&=(TeWKv;Oe1}lz^sz zWd75Cz8T!Su)-EQ`0cYpLQ&!r5y%n*%5Vf)$d&-K34U5liIRFwl-87pv}&^h;QTh7 z{`>v+O?5l}MYYE~%^biQ9^HI*J`y(k*$I;4>i{mTv6)gms4es=d^KlytnJZaT+u8Q zvIN~Mc@q&iqZ$6i?iY7oRkG8a?AfN|qhts388-F5u*x%U8(qc^oU6wN>(V!GY#B~x zKdg~j-2E+T^&Mw4epCV^vPvsL>|rbbY&TOI;qszo(GPhpC+7rw{r~hU*HYleQz-YH zyWFsa0XO>tqXj+&q;Aj$7nU7?d(t50!&UZ% ziPrY_XhsVnJsk=XfH+ekDrsY`h8)vw7=M_aJ@`D($tIyTdGy?=4_;y2)Q%ZGz^wMX zHZYvka2vk7nb+RlRNgKc$R@FJB(yCAnE&A;k5k&xy)pw*?H{kE|49gT^X@Aelw{Yi z+vATQXl0`?N{BA|S zTQfFc!9H-IPk0uaBlI^I5LIEz9TEdN{hOp}D|eCuvde+5Qu2!i-c}J;vBxE@m^`D| z&AL`U&g)_SjB;~~d_9%`%c_)G#C*d5>%V<&p9o9f0{-P>c7m@po=!&h{%dEi?+-7_ zUkX4f%xyn0Retf{#r2Z3Mjf5HhLSNMvoGqGSnkN<9vKF!(Del1zcTRc*#v)4J6X3W zxGJP`R4wgWZ{FDVWY+G7jSbo(HaZZnp2jJ|Sggr;)sG!S;^)O(Ikx{?U&y>L;~bI# zQojj*{y%&g{Kyai*TPpJ6^t z?9Z`ni07^dHQv{~|B9I%+*yhO-*cvta1 zyLx?R?Z2O{$+4e)+}FBgpVsT32I-;Arh+FI>w0OUC5VNYV4Z9*;YdMFDvy zH~^4$2#GEAbr=urIJ%At`@wHtc@*ofDPCS%PlmkT*C0l`K%%F*U#F4g6O}6amN`1S z(+>W>g}-2dxR`Or<`lPsF8fCUOuc&kYTjk}E~^(_-wh8-yIKrn2d>|%P+Ttz`Dl0J zRnUmqpio`~EX>6KK+LnqHaVkTz)^K&GPK9+zh<^e7F??1&q2)IH5(7pzR~N^L9Fd* z|41ni1P0#(EW{A*x31Y*dAOp0~_t?92Fno{?G<+Vj?w8Hjn^T#Wg}7drJPOKLR~3$LH?Gt`*dKJMt-I^eXwss;FB zEIz69tZ1zrkE^ZKW7+kf-QICmJX<3nZI5HMP2LymXM;=szTftBmt^{+3r%gu55>99 zkwS{3=U+ZDu~T8ZR}CrVFe{LsdnK99O5=3MQ1C)C=&umFI=by+Zfgr%S(bP)8u9NR zf9in>c_}PIn?(KTtcO7`75E1#S7m`mIOLIe2MzLOwp*Ti@WSPKx7$lvhlRr;^DiY;z*&vjzFEEiam_^(bpco_(o zD||`Fn`EBEhvIkcJhH`38_U|h>p@6^b6mw=LGld6B zsn63E{1y`Lee2ofI}2ir#XeE;d;0_1kB&F)G9lF}|AVm$UWcJQj{!PzBzeR4JTMac zO6JE8iG=Z%(B}^$#eT=uo{UW`gcOZ_`fGVKM}XxivX0$(EMjm6%P!k)Qo?H`h_1rXUWbn`(zG) zx#7!M&iq1(>R|;l`lY~)=n8ACgY-dLTLJdyh6iHgJq!)~ZS4_5b@LgaK8EXA8KD9< 
zBf-Mlpq?LPu16wf$|Mon&jW_y%&flj=2Xyj<~v}MQg_>Vs=^K?K`=Tv9lID*)?OYF zv%qvUQ1^#MZpM-Xz4C+@4FMZ#K10#E&(%E9MM+wLn^lqBW2$#d5bNEY zd`#+*x6`wuH(3rXd7Prs=Z9*5Io~y6Rmb2+emq+xsOBpB@tt!* z!G`P)NJ|%Ko=FcLEq&4pf$z@+3rT^9Q;LWMuA?U&Bo$fuj^oG&HvPn7;5Nl68sR&2YAiMebME1G9%5f!j@a)NLy zTe*O7;JcoW_VWxjQLXJ^gVc9#Jg8It!+R~)A-z3;MbL2%X_no)^S_=b-fNu-TIkd@ki zH)V8@DkhlUsJ~~tIePK?6($jQr6LZ&&m#i&$+DwKQp#9_sB|Lj+uyss7aFGJC< zGjcw$N`67j$z*a&a}AMgIOT=l3lh9pb;7uPhBNvvefa zmU#Xob}))+VdQWKX4r5kOC_CPM-4C1y5}N~Ki7wkdQgEKUaGS^Bz=dPEcV7bFAIJv zV$~bx#5b?YszB2}0_r}^4Sg(Kj{K^kvj3j*Z#EHvPkP&%(+X5sxBrW;2)yU1nqW7? zq>Y>00akxtI0q1tmuL{qf{052ZMXeg6s*;GyI{2Orm5sy6YLg9lw2qHnaDE zRCqjrCq3!(^M^v2==Ts`z~_{P&!t;aAElkF1+aZ6JzqJ#nFS`z+FD^+7A* z?=?-W_FD~}vVcVsqqCVI0 zzp3RocbnHAsX%uqtVBwF)7pY5eKOz)Fo2qL>@Nx|Z*k)2*3shpf&Tl5FTtLx(h+oCTo>f_ zmOgEWj2)2?uv_G!WW}pTk;=3Ie?y4`_%Z-0-%o>OQcJ%dul%<3%>8olDZkPOXHK^h zWeuXtK_PtTfS~zT8kR2+!dyr^_kXB##vFsgjeUUxd>LkeL%iw)C&+iFy@#U5t@|Tr z1hp8TJF(PUo(fO>8AW~et)XZIIHMvytxZve?4>m&tmkGK4$*qWH_~ObQ$&L{+{YTG z-^;`ssF3F$Hj_5zOCZ5;$QxNoc}EAE+l`53Vt)i(V^kX=Jy=t>{R6oRTd2>@#d z(7%&;;l}|H;gjt)QpJMGeEfN#eW0!kUI4wl`!D}9?KXHBwj^9IEOu$lR#UMqKn>vA z5qUOLuh;Fp(X$PI!Cu7~@uqL7mrVJ)P}4DK*UKSR@h^pOaCD}%>^}Jj?k0m-{6>qc z0C~m33+lrh(yL=L3bHilM-DP!!#u4s7tl|8WyP10FfmM-@XtfJXC&EagYr!Bt<_m0qkAGCa^rJVv4FWD2(>W9nA)d z5a?h%d4x3cK&V9a9zusiCkqUW7qPV>T0u?vTcjtMbm1>ny`DU$d$4zgCnPdL*m(Du zwv_tQ^wE2|Y|So5Itqi9MUbbPMA?i_tF&>YBT^l^x#a85INXTSLvu}A}N#Y1Sp-Y&UeMC`Ce=I3Qa-HAO! zl#JN^*5(z&0VW`UvJRX_@1^TO&HU2+!TCTO?j#h9mP3@_m0q0wFNcd# zbZSf|)wBJ@dvmo3be(AuN$~d=tWeHAqLLREb`U!yvjDmKWDXqyfAt&KMaKxtOg`oz z)C&AfpIep_vYDUNyBhX<_b|)boLdAgV%QqxTK4_RVfuAU{B(F8B|kfhGE!E-S?&2T zFAONsFPy7DgLRhZa0mxRc&0w|2gs5SsURpz`w9iCqLJY>f6O}y3uJ)?`p2cI`>}P? 
zfUpEe5LAQu2;vlD&ZO?M6RXK5>)I3LqEOe16$0y$#aOcdAy$U;Ct`Kf$>{me54^3T ze{saZ!Vm?(BSy0n;abJKP(XvWJMPJIw7kW|P*%bA0AeRx;~5A+=Z`(Z64Gw>=ofPv z;1KKnS7naq1eU*pM)*AadDDaMIMjU&J{;kX@$ZBzperkkh|GZ;uQ@1zgw<_gFKYKl zW|;RMvcY{0K#+~w6ow|g#e=k->A0E|Up(U;^3xH4h67XG-PvK(iOCa^5upJ=H(wE7aQ$ypx z7kI?DP2zi)a+e@F^mV+@RrCvC`2|Q8RAT|6!q}wJFH2YSV*z5oamyPsePbC7a55rgWy!aw-&x9sJM& zQYrbA!`2CrrIShvUVcP>Pj4R45!IF$PIuEPU4dQhtWJL47}{gps-w#BhpI$VUWL4A zOL{v&>ce#3=U;5*>o;rN|6ykT)IirE=zclcu74Q5*8Z8a0F)2_tWmtc4o;hP8_`ZF zQ`6`!0B>(?ilfV-%OgN+2NQ0|>JNehhe^m*2Elnk+7OKHiWiuQr&z%kG=%q81kSeC zito{1fc#(x_q1kPNAsd6mgq*6Y4vSNWqmE~bQ~kPHC2TXN98V6{NA~Gk%+56_LX&t z;ba<0=qdz5Whia~*~;4|xA_O?9ho{-A{tIsMJK4q=gX`3)PJ<1EwRU1H3)qL4kXOK z{`LyUj>DkSQn&_3`p^&7pbkeo%ctq|OXZ4?S3jGYNus%(t|@(yn#|4#1j`#QdN?Qk zYPj;ULGSdB8}*a{_u?zFyM9LhUAt5MQ@aPeV}M0PMO}Gd>kBM>lc*Biv1rz z6nr1iK93fQTs_IikRVoT(=TT2Zl|t2w z<}dMJMw3aN^fhx;v9Y>Fto_q%VL-JZe@R>;L@b=z4upD0ZBJa=xet%7cx^YD&ZSS? zQlV4SHC1`(VUXD@@9`K~+tn9I%xcWrj(rYsq)rlzi3sU3RpbU@-V>YF+l(Pe+2A6i zGCH=t&Brw89!&krFwr=)ao%66sjzyx5Zx3ob7H?e^5%qz$nce%=lKYzXN$e*Y3z`x zTgh6D!(g8qLPm7?4)2HE&A?B;?*)Uq_G9rcbKvq7570D6v}7XaQVQ6uw-U<{wySrG zMnvA|wSS`<1@U1A-)hkInWO6HBH>YOm2^SqaU1(^0E+%V45D(3a&fT_%Pqu|{C6rn zDU9eT(uQ1>I*?TA&s(j5-!ExJB*HUou?h+RBHfg(G&9289`6pWIqBiU4Z7S#6oPM? 
zQqsHj3CoEMErEVhK$RqcJ*)v12=(GDD#q|`HW3o?UaEgoosnQsxTNg*Bu%RS%doa- zzu)p*M*XX31)OllvL9Q z^tysVbN}mgv4z4~6vV}J1;c3ixIKA;_Yt>IympPzGP30Wm+I3c&<)9C@CJ24(IW9I zWHolH0Q#xpO(q@}%Cm!hR`2Oe@wj?BQ?EN>n?%IgW78wEB{s#Nn0%hp=fF z0QfBotNir?B=;=i(mY`GA3-9qQ;%33S()IK&jCEOQrj48{|%Is&&m+2j4;`1iB zBqX*K6i5G_`l7)E^Nm2K!+iaZA)_Gm4d4l{HE2~dyAYy` zazN=Jz^;LZ#P!h2RR#nA>@dXstI0Z=rHiG(lpDV>9)%(~savgQMsfeE=kCCQ zoNIM*m45h?Sm@96u(*ESyJKbG0g1=xFst{N8cT9&#(Um8Q{cAPKISBbA-vChFPzV- z_zt4cKC6@F^Ed+a;AB>HFwSw4J2Z&^m#f6EJ@x;Q#$xsirV9CihxC}(LwrG&8e~JO ziE>KX!Y6~#oLU#gJ?vwtVBO>XSO7R)M8|3-_$ zQ$H_nUHyB*QW9>l9FTfRZy4LjnrF-IaMJ5yQriT>YrCRt3!TL$Dne#hX-27oc>;!= zUl46ap33% zY(2kv>rTYURN1<-jELWIRR^q3M>TmM#0Vn>aorxA$DO(vn;p&_gbo03gn%RvF1dIe z%(!9ios>{W4+^@N43O^9XUV4boMan4Ccm|l>2(l%N*PPuVZxHQli{XVV;_4m<+^rq zjHnv#K5jqe-k<_BSohQ@#J7)E&4TL0V(9v;DCr4UKdT62r%3FV`!Z-yA8WiS37KI; z7?kNT>1UQEbATzqWtklk;ZYZfgBn?2D5_3Pk^Kilx^RpS1qr#h+i7BNbpDoXPo+y| z7{Zrdg%p+rHW2m_T;^bfQVzX-uDL^JedYlXK~OWwp#(kwNd8+v3x1&L={D*A0aC$o zq~D-|LMP~cqoV@-UqKoQH3@XbJu|vWB;=t!VUQRFuT)0^>>)9WEnV&(8Y_M!0_fO<3r<HhlOfiO*?Z|)kV@L2N3x>yL0h*DRy&efefYKe*qiP=%&1|_D=|F!a=aKmh}+m_thr0LmypnJUp6wJr%-*?5-ubs)G z9JYFE)28T`e4Z3GgEAF@sJaP=GHsJd$S(TFwYOB^fH}VN$#Pcci<4QwxNcp5M5XN` z6csAT=w$=J3l!;XF&H*mY_s;!AVU%yfVV6t5V9h%tQl>Hp6D?DqqH(P{wqpk5PCqm z)DajWOZOi)q3uFg+(B3MgKrzR*dSEBJY z_uZjAp8#Fx=$i05FX67C-ph8D{M#d+eo5~R+cDo3ax9vn(wIHJKlF53)Yc-Rk6NMY z!}K^uNZz9pkjkSlsT29&uEd($x%ibJ63PB}%ftHGXw+D`i+QD zU!R%9J29vTQRw)nfpwL`?J8%Fedm_m%*4hTQAS7KUjV>x-b=rQ z)|cj?tRJ$4R{t20r$ZVvjfQ7x0cL|5!d?dWvvflPtu5N!`@uI}nS5gTL7*e2Z_=Ud z4U2|HSzm@-nr)HHJHh|fTVZSr zSb%*5H^+U1q9tt+29lBJk@xCfw!ax}e*~4*fQ*W{HBKFhOv)Wk*w=0uxGR@PZ@pUb z2$M)w@Oso#-}vq%4ULLFoep9`S4f{6XGF%G#>Uc~?%c0$bag{IBY7u(@sF3v=9gVB z6#e10*HUeAy(%OzMFi z7sa_=_78Lfx(I+%^s%eXBQ}IO=w&OSk^Tg%3@tyZ?h2q$))`4iVwVxO$*^h)qu%tt zZFzy;335>(Az>RL^1WdI=PNV=x)o7DKy)%b$RuF>xx6uKduIZO085|T=f0rpNnqj2 zm1@6`T&w_%_yLMP6CfVAQrP%_$}rQ4Hy_J-Aqt+twF(K?2j00_KV>3&!sIIbS`n7& zQIceV6s#2B+c|$A5j5IB-1VsqGtz?dbrv9{vLmh6Rf?X&lYq~;D%AISffKy4E>{k= 
zztW?V*0SmH>ofy2m{JT|f&bclDUQFpaqlIrgixK?a~81Y_qX3mCkE?PZrE+AZI?rF zX4-GoIcpzIDiH??JT0GMNo9-9#-?>&)hk^}ZIJhU&xKzz+Ns&@Oq9}fWDpuT){WJ& z5DZbk9~^3Ts3n0u__H~x<_x1()A>)lA5A_K%goNz+ImBtJ4@L?u((7X0klvryA#_( z%Q(*4a57-nxBes>;gxovcCxnV;!4F)_wt>-P&)?{Z=DN+V3kkiYb@ym;mPk(D z@FccADryQ~!u8GBoCctlu|1=mp?+3}s6hYt5F?19z^A#!xL6m{f&pn15+4YK66t(F zz83xR8-tynFD>1REiyxkaIkwL6;?ox3@YkWb1 ztTZvX9A<3#y>g#TkrY#x_}f=(h=5eeRQz!)Q6yIM7%>Pc0#fCkhG3472FK$j5|0^69-3dzwx_u zaM^1_Hn+?foM2!isx2i5^fxeTV=2A*eyZs^H-Drtdi1h6B+oWfY|jmwkS-TVp^{O3 zWs$E!rDMk3KKAFka7+kTl$fVavW_2!RXx-~_CFe^RV zP9A)gH8{@EiSNyAq~#gFWr3{dfPPI$AD0Ge(R3uy8TR^S_T7AJG<1O(G?V}UAQLRA zF{}+yEqB}lsNmh;ZtkGEA()M)OpasxNKv7p^X(>&kDwhHZMf-yThnJBXXP@9j z<-VS=xQhs*(-)xEl>M0>2Xql`;vv=nfPktgD}kbL6aS^#L7-EYT@rFuKJE$k{8yV3 z|HyJS&XO9um1Y-_*JIG?;c2ZIv{^ry()ymxcFLZ{KOtKuQV)=KOH85-Ycoz?e5rX> ziX)^^F2|Dd&^FddzCz8EMW&1$kKOasN=}Hrd$jDcmF?*NeB~acZbI1Z+|98Wt?(GG z!~1W~Hi6S26_N)&7N@{aWlA9z!F5|>bld4yu&Gokb?eFH#%@UtB+C=p?VHljJe$(K zx~O(1>C+^WRp+Cc&`#o}!ar)@Wniq2f(%KKIM|@TYKBvLeZ9+%mW4QIYk7y<(>fWb zrqqEF=!M@SdKz7P8XeUcgQQm!7n9)umDNqlFn}zZbyR&pSl&S1pQ}K_;)w%LE*&ET zAU6;;+5XMiWc0^95LfF&LlT`Z(ANqUyfrac+sw2W810g)RwnB^X%f@couUuKipJSWOG zF4{P5ekWhIgW*uYB5%6{&$4^XLACa!e$>92_u8$k4OhDzB~o-!*;)|-!`e@|UWrg#}(ZkMsAh7^;au@k=Kk9XoEOEp|Hs&SMm5<+QKF)t z)C3ez1PKYfOHqiF2nj`z-kTsI1VK6oQX(KEfb=T8il{U}q!;PEgY@2e@5#J;GqdiR zd)K;aeiBF)@SNwIea_zdypHIV`Y%W@5LfD`=Llk1QUlmm9F8GDISGjIM1-XAX-78q zsM-?+Y9DGK&gE!)7&1E3X+{eZ2T(w_#meoDrtt^+P{ZpgQ&Jfvt#6l$99%(Y*a3hOWH*3G_yBFh z*vA~B@>uHJcQ5P6^4JaGKY!O6mB`V^JO&8VxpXcKkUBk0E3}_dp9ZzA_!vclV$_F= z8p}~Da|V}(C^9E_+xU^g#?lS|de%F%wWGu1a7cIB>)5!Q7T~{UR41riz5r7J;+jgV zg--4&>(1xCim!w*$(6*-kekO=SC15R#aDz7Ed1y~hJNFg%~Rh%iV_`|mI0jIzlwu4Zo;ZqT%Pkl8D(~#Ev0iv~zd+VZ(Xwzsw2(ui8Yyk0G z5wp27Sc~Z&K+k2^hC~j1h;IYu!dnLzZSjIb9nTua2(L9K4+ez zDnu!vla=J1GK&jK_ppwCTTF@I(SJl~OVkA7plc$Qb+j`gSM5Szr4Cl*I|vGGiY%wX?8e zYZp)BlFszpuqOJ~wnOlv{KxyMVdG2R9=p5zh&#Jm>)jTbOsmjGG5JUOF%ph;_!bpk zd&<3RlIn{fush5s18wwJPwG6*)wr)SW1 
z<|Lh$&hR`Dd`Ugt&JFFmh*%K(V~=|51rNey$fXCt9Qii{5$v{_!!7q;{3*55}|cwgQ$?mO{phiEK0 zwwvSw-FgRb@q`w^%6uBPGa|L;hcfoCPbu=CfXNJ7NaRRr>(~p9;f2!hlR^wARN*!+ zpky>Oa+-RQS`4}Li-Nk!r^tc2+u8~~)Ct#RzX9d7kPE7wcN;vUc0!F#2WF1Sh#)FH za{;l-do>gGm`Rd}%8iW;fuR0);Wt5H4IC;-xXcRY)xACi$nKB)nzJ<)e}T6{d4_)k zF{d51=abw010rKQdw(eeC!Bi13FT)Pdr3m(hzaI$qTESF!iClmCxHD=S2knfNGi~| z$DqfuGc0AZS4iI{BH#71|H%(l(?t0(vq!WCN^3SCwiNoKD|xQqhxxo@sdIxnC4Qqi zDr5n^U=_^6!hF@S9!yMcH6pbZ;QtvNfH9fkNUO&ggS+?jZ~s#RSoZIq9z%oIe;8Bm z^5Bcp;59d@oB|rT!QlA4&1zqzJ5e`w&!V$8G;3o9d;0TIyCg~o^=$)-r(`Stt-rBX zi|d5STr*v&zC{N|ok2f=yR>*;sye|3u(Cq_sWCOF0Jt z&m3hLX`c(|uGo}vIH2bI852fd%j?iesuz5=)ArAi+R z>}!Z83*vWHASW$kXkdreP!IEmmB^R80GC;YyGK2#{lC^blmd2|ym#^&11gD=NzW!K zZoXtBuONaR3L0O2E`+1+8)$Y2bxkyW)Z`SRE>P8P_aWx>S0t!ai>jAk+O>cK&;HM; z7_X-gfjlKSB_SaJu>lGx%ILFO94~Zi9lf*)!^s%dYVB5V31eq<)zU5@kOvh68Kv7} z3WP`vKhOSTMD#MJ{W>6pReJ8Lp_P?U1JLjP)#Fc8@Vbj$8*<1K#WQFYRYa}P8ebP> zgg5SS0Q2Kc>c3bP#ssCa^ah~N0UZM_h^2qYkpWN>pkf_jUkBlcuZE>aykiO1WpCNU z`_%8Y-%blICk$wiTlNH%*N3aXOC*=bPGDw62k0&`=$<1`w=*0T`2J{|cSP8r+4F)& z)b_%y)n~6%K>$B1N5k#SWq<`2bue8le&>q?s=T@;Hx6CRfqko}B3jLn5RDw7l|b>p zfENZ6;-L#y1XUN<_}}Jvmz{SeIyp`ErF+vl5w8E$7%LA?dpMHsUV@n2ROkZ<>6011 zWnfm-g1`&ikq6Eio+Y=m$f8sOTyA@RLC;x={pB74@ZBQok^H!qAGq1rJ{`BTv|yUC z)R7zlk1V^H!t7?*P7OI#Q>vV|eOs74ek#pGA@SupK&iJ^M+h|d>jTYxle~O6c36Yc5 zX8s5BXS6jJW8EnuJQcipAKopCn0*>zzN_N{MRQezbv;DBWy&y<5~0Ic?Rd0(UQ& zy8{luiMU>9O8lN9&cy64nGfxk$M5cM6AlY7Z;onD=7Ou7 zc4q3aV8{_y&AahZiR~&8LBVZU1k%_b3YnI9LY$D0ATU`u)7Qehc!$*95iM=~S77xw zur$&)SQ&IBW}jyCzoH#&4#~uBoV~Tq_*O*aKtf|EbzOCyW)fXk8K*~*Xpn_x|6Xg? 
z>8A5@O z7bymzrqx?MfB$6saMDmoIc-eVd~&|J^@maSg&N-Rb&9 zf&Xid=twd~07{X<05`=|Y`Y$UHaBih5r%z1PBS3O#_T(i1XTCxR|dc7q#J1?-Uul0 zsZRnek_NrgT}4nb;Jcrx^D!k3XLR29Clt2*R<%4W4MJFHvB)Wk*{5doIe)d=3-;c* zF}1(j0&#LMJl&aC#vBst@ou$0J4|w~)t7`~XLdrxxQ=0av$i@U*_bbAJ@3!d zhx5%p4v`ED4F8x#EGP#ahd-^(4v&g@{qm)*?(x}rfgl-}&;Y>~+Rw@|4bThvVn~H^ z`3*}y`TOS?{C<0Wv}yS+>_Id#fXO$6`C|0x^E~}xi}m3=xAbZds7?^U_VAIY=u8I^ z3zAb%=t+3Au8KL+^zy2PQyw}Ji4LsH>)HJ%0RwDg4Wq zz#Dpr{&zeGm&Z`BL8U7{2)~Un7Ow34{K6%#dGAf5OWmV`va7T-^TJUPs6(l@;I#7> z`v(uBk2{%`EM%-zZzmE}8?FeMLrR%HojYsgV*1v$8R0i0WSf;k{U5Ec#a`_Dg*tn+ z&%NI&TO0etTk!g*vXFJZs{Sj!dVejVX7KOG1>GNtUP2u~s`~r-_tZ8-*jx1vy5|j16({4SJ zh??{3DnHB1Pjze0w8NMurOblzE4QB5GkSK```z-JXb7VWpn}-Gfv$dLYgYB%yQ5j< zalFMWSbbDs{VICdfn!FohH$y7kP#ai7$mfCr*o7s{eiqNW>Bo( zz|J-n5<<5pi3CURm*?ZaO4pA|jm;s9mb?Q^Nd!NzG#3)^aM%m~pYDx^fBU8Wf6NJutGbq!X1!@>XzFODx5AW@J@H2`mcj0|=cy&6 z$0R^_0Fl~I)bkM)F2gtT099ct%x^BBU_^7JES7--<11_J698WUTqW#*G;Ma$B9K9) zsFb=YtY}dsuim~Z34s{o#HUlG`Y`#r$rW=q1h{(!OD$HoY~MT$9VOH83p-}PK37t5 zC;TgV?XJ2orZ{zDx1A*EUoGL%&VoC?eChrmu{zOMTOkYIZf<^l&1r06h;;7A-4By) z4IyF^_6=82+G< z5+^<;zP+FDFe0+_OwbZfZ;g$SC9rT-| zM7Z{H(@r)1VS3&T(=_Mf$@iFLiD@5KA`=Ts%S`tto+mru;nY8YnML5soja+kQ~qiRPpDkaFYwy5X3pCW4Jw457jap%@|g<( z0{-K-!Ei3@&x>?qyZ%238ciT3JB|bgxXmElBN-y4G4*d3_C-5=h9;a zio;@mbG1=lV$Pz937+{k1)P-R-@ts)4qW_7vQDw4Qh<4dC8&Afuf8prVP{0%M1*~Z z3Gh@&&kS7iQtj{jiY7%|xA%vi8Sa;=&tt>HPLclYX8HE){7pc#ug_^`vBQGPV>bB2 z0%15E1`OO<{UW>@5@fMUt%(Ar>uLwl~jfqhzXZ3mVBe+&`UsC0@hwX#)PZ)0I!ZD*pIlF0R(} z7g2!CU3(oCc-n}}FLkA0{3WqNe-8%llutG-;>7j_#C@o|-U(gFIB}!qIl8o(3L?zi ztwkF%A?}KZidc4w>Nwuh^Y!!7EqJ+EUwL~(Z02l%tj(enWv*h?6h!wE7ZemEEP=S#L4N&83AeNa)>d9kBmR{O z@bW69>iw~G)sAYjeB!beeF35;CHC2KIIUW`GCTv;^*seJwITfV?YTWVs|RWuZ`sS1 z>BKx#xZiEQf*lHKc&)K%fQ!OxIb1bUBuBggp9DTQKNIyV*$*f%I7MD^H5*-SFibp) zUT$$eynNJ54tLIVKdwrxcgqvIwVOvm3jF)&XAR&;QmE|UN?F+*M^_z3Axw5VBRhgdrdem2~q?B#w{Xv3704%BVf*O1e93? 
zPJvwgv&awC(OemxaukdF4-&D0_27Cl+trh*9E{0_xfRZ@-r6!sgI+AyXm7M+(qa(Y z7hrO9(7S3hqwN5*S_FtwmK?3o&{67Qlr?7zKn?+jq(LW?E8`n?D+H#(_4YeCL?al6 z6~`$8s%qZd@Rw1wOc?<)+`5(C^88gx(jCf1<&Nx#63oRsWV1mOK@i$vP77jM%ZNr6 z2n$6eB%JLuAeP^2r%I1#X>0FBAkO;2;%%;te<(^3Vy*0^M zyEofETjuEvMQWEzeHWHM4q*aRKf;Oab6j;Jvy`A%o8 z<2c33V71znu0Qi02bSwlWYklQ%%%AE7yq?P%3{{b*;^;0xgn&4?7zD6K+|M;B^+yO z<8Etf1Ks~$2EKtWhrFPy&5b~rpW8=UBi|;HrN=!E$K40`AGw4iFJHy(b0*K?LnUR^ z5C0}v%V3LXk_aO8>1oLK*K+WM^MXl%<--x%Wf=Ad@~?+#xKRJqOYqZAH-GD&AI@*_ zf6n?`JrpchQ|7+Ev^(FNz8ox%1||sgIvrK^4QGc**RJ!dq+^+72gyTI>FAs9Y$5}& zB`(jmtB;u{zHN}Ppv&F|cnIyMTms}0g(&it1y$c!`ltasOAp3{-O7H`{V)^aYol0% zf+j!`{P^1aYrQU z5D8auW9Yg7a40_jN9@|}^@II^prQzL#;Y~1T*qN!L)xYff-?fv29`|PRN!*6NWEtI zd?w2)dP=iBJ+KoTQ9JQgjwUY&wb0A67ssp4jRJUQGq^uk8IaLmq48a{CWGJd^fZmg zbuJ8G&H~wdpKd>*&0jtS!x6s*UTBGP0RE) zq9>J>n7iJl(|u+=y(K<9Xl4y5%f91ut3H$HRTrmAV#3<0JdjUIyhrg35|xL#13wCc zpi>fdXK$6?A(zXq=5g$xs?m#+s-ksr=iA`c{rQsr!|dp6c4=%vpjWhwv-oCcZ?-K% zr$8Pff#$4`){gmIC>K)utM-1sUwwEHQ|Z<}GI#GJlj&{9cOWt;ZajknS#|uRUAH!f zW9e|jWLqdXRiaAwV8usZnKexEuZJjnFq?v7GO;1WeTl&~Y)b6)&21U)w!1aG6dq4W z+!rb`4bRGC4VV4&Xa@rH*>rfF8UB3cc@p=)HusFj#VY)u0gw zlO^wa*bnYvPI+Q|FBZALcPoQ*771ku(mJ8mLb3MqS;9e(IrjaSH|#bXSc0?_{Cv4k z78umAWOT}v_0zaA#@4XGhpvjn)#XZq4^6A0#YJijyChm^r)9(b7A{r+h zA#IpBv8J5R%Cpt+my$P~%HN=9=vds*r*1(k2KjtT;RqDZ|J$Y+un%yh{q#=%Lba}D zMC~!~TE&CpJIHJ!e;A;W=RNof`t|eDC^p`T3ZJ+1gFa zd2=i~BjdV>@AK7M$wdpjZ4j_q(q@qo(Rd9jYPGlE>wEn?;tr?E!t2P$NP&~a9Tnok z>td~T035~L_x+N{Gnx%d)RVT7;KkKZNaLzI%oT2}_QW7#3Db`}Dhh%|Wvv&57b4B4 zNvt+Di$DkX`KHX4pzZ>7GNC`)mW|qTS)8%WPxNnEBAz9ZGnhXRKypx9c3R?iYU4=wmW9#T$PL-OA^ne9F0-C5Z_AJ`HcV zxW{?r#dS8i^c%1!qg>>2!Yv3do`c^1UH1zKI$*lr?{ajzvhxrwZuMOf(Om#MP=)eI z9~qlBn9%7>nE>7B%|&}bU4&BNU!*o#5(Uy2U_>M7>EcEv&=3s&oy>15g?OX=`@kWr zm~y%#Nn)U=53`3;tCRO-nT0<173YQi)xfr(Tdi6rq8Qt~}{kh?nQ6~Y7)cB$wyHyl0=U&hPN2Q(A6rZ1ok`Y^STZd1-M9iPacl z*4Pp(%)-0@O@Vp}Bxmrybu^Nxpr0lOBek1rL#h#%Iyi%4{6BZ@ZV29nq@XbdqWDAL z`?p{BoNv8MjeI|)v@vC(>ZQhwlJGd{Fs=nY1v?TaG^}1G^y^1BvL-w+u|rvv6)gPm 
z0sUAC(2x3A=`k9@!Hz5465Ea4iMADiwHrgh=Ey%2j=>77hn{`8tpL>lsCT6oz`OGI z0A%(_QNI)Tx*F)bOMwC91vMu)8$iIhPW;}jinyinlk}2Jp+{?>{cHAr9fT8#&5X^uK{1u;Ql+T6&q*ppXjs!FaO$%Tl5#rcy!ehXkNqK}eViqes??p^jKl=o6F$+ep z_krEp54R@A8`nx;*l_qk(00P}Bn9(^MzTACGtt9&hAo8NS zZ>S_cX;LUnWs-H^_*5n?s!BygrKn`q-uO_}y!Pu+)y`iEX_X=Kt5BKAIVHab`dU-- zG76~_`!7uNT#8oiv7_QPp_Xutz`uI+!M)pBkrQ~LD7?gJxjRj#J^l1Qhn3I&rS-Tr z{0wjq_=-c{a=d-QR<;xJN3iKscMGm}Z{J`PKN$4)S3-bhXtlH)#zU;glJKd+c%e7H z<9zYwI7?5M)7pPelDKMDh7e;Vna97!3wlLsmr5aSD;i0d{`VMDJQ-^F!!Wz~AokU5kE1;mfwN*Cn5xvgLWRv5mk|gfn|Eu8_ z1qF;XQ;*RUaeK0#=*CU8NHtP+vRC zoRN0fi+UvDNdH;UB#kuPpS5@>;Sl*HwwTFi$x#s@seItSA&09ucKNw4h4Qbl^&aW2Gg=dVeBr@QjjHw};Y+yY zS$pLGv(fntUPjAf*{eHRe=e8YjcI~QfT5^h%huJw$#az}K{^@{-SKw{Xg%zWz z%{`XqM{7X|%O29m0LuE>8@}Z75f+?o!HRo4B<({>OJKj4~b zGLChgsUxy@Z=h?d44Qoi2FXVuWsE<&wsT=66Rdy=5` zg2V)}#@4<+AAPkN3ws{7JODpD_WxXpPB;BU=I=k|V)Ff+qTIdO{#EORZ2hmGp+7XrJn+68NSMNz?L0Ns01sVn80iM#`|OzYr!e` zO8ZDY?%=?=_)gnqUJR1OZo_!&frRT$+{4HU010ragQQ%0YQDVRetk*pAbSiLuR1-r zToogb7I{@mda|OOfcohSN)9o*qz0&1Z?yP5)*U3nKHp`pM~^N8$C6*%+hwdd_y4su zU3LQyIKDeo-u*I=KsY6gR)XrjeJ@EQC8Hj6p)%*XPF^|JzBV>|ok*6HEK40F_g-5q zLglusolo!3@9S$76>B$#OMmd{T==tP9ZxZ?k|@e@ktv?^yx;b+n|eVGC5s9ypPurn z0a~oYM2Wb>w)b1`99Zpaa2#*<(50CuX-EL4zty2#jauWUCGtPkC&&d^(HnSVQ(cfN zj{vIjTSOUC!VV-MZw{Fu6paf{m-+;biTK52)fGcAMm-O9xyZa&X#k%he9pHj!%}A; zaw0Rm1bmCJQ$8sON-tp4swqpklO}p?kfYJ7vcV^cPP`3Z# z6)t#9Q;@Or{I4F;-<%15v;WJntG!EGN9VrJvz3Pr`Kt^E1b*WT^h+o~RF**xH3-o3cfds=B?=T4|*o*Bc^;}1>6kxZ25*JjK;HEO}UISYSfnO-s916R?m%l zV&gh}u^~Ud<*y&$+l+3$EX{PVgYlwI7}pNpTrI+U!;>Xb^v;zdhL<#vUV zM-C6~t(BE1Rq4@cOEJ!8Y0o9z4sMqP^q+6n_H4 z%D)ZSAQ78#%Pc4m?8T*epRFdppH7}z7_3O{DX|(jp$h-lfY3m<6M;*A{hE^+6vk3F zV8JcgiQbnxV1V|Vna5oINcSl%l>vovetF{ZRzpL>UQJDWzw&iku3pjGMSj)|+@~R4{hjv()FY+a}w!iv$B1Z`d(YCiQJGdDQgr<9o{aJ+# zv_&T1vqe4hw>-=9Yc5pEYb469k;4ofqj9OjwWU?hCS{iF6z~~1y`~bQrz}2VRQ$Z( ztLQHUpS{o|Mcz1xedpyKx>4`qww|@TlsI$}9g{N1iX>0d-nk^SoxTR0Di^vg{tCA~ zp^JSFM|81bnsP5KI}3mv}KE zsk=Si=a7}ir8pY-XSxQi&$}V}oq{8J#pFwc<4V3rU0hofXVgygW>=D-nyzlkVxjBS 
zgcT`hQ~h#@pZ{=aA1r;6_WYr2SAq!@Dd~!70pFKZwVqcXeojv=@(U=3K+7doD+Vsl zXx5E<$pnGzr|b1cvqqC9IKDuKe#W&r;bc&3q6!z#df4;&-H;}Io~_&XuC_-LxK@7_ z7z@%m$>D`z!%q64xpcIwg5;;K6QZwVP;-v?fZ46a!QhDuY5)*-FGK%gg#!@_`DfsW zQ|f^@R`R|MOc!A>BZ!Pli}aVHPpVe!w&BH|NXxWm(Mr^2%rhUCkT`KSlvvV_>JrQ| zGFC8Mp)1o{$L}P4t}@ISH(@jfi>{8IXxH5o{U*VPMy9qd8J$oe>~oV3(P+TqeIV=v z{qW@rIHGZ4{tb29dbFz3(Z(qKbJ4?X^?GRVV?QLWtgLL@4x&t0;^R+f?oI#0gz&B! zy?cGFcLLqUA0f`)(+|iw{Ot$1`1l%K+-MIsM@D4#!!T1-?q&Ge0zyu8xvn4-V>$XM zmUyc>@6Y704dMO9Kj_1I=~EV?zCV+0GHE+$?{7L;85aX)msbl0mrheEnB;bW9X9a}@2m{>?z9 z_j}L!`>^}1RV&+lgP?;7c45rP-X*y_F7*xA zET(W>;m45^i;Ma_>+D)+cWi`>opLRMX;_HqffVl}tCg{XEhAB1?dZgi+CbliMNsrH z%R^;>*xVnttIZy@wju&4%gV|YA77lzhh3PoFQ;OrnoH73uf44}-$Lm79lvgqTjkpV z)PS4grB?iygk}WcRCRJj<^uBQr6`~UObuh2&4M5hh|T1op`nzNlvsM$X`RoFq0W_M zJIuKu-A>)xG!E>~Bwt4T&*l5wtg!MX`UXtZ44qHJ>(>J&T^K-4Qggb*$TN36Q&{r# zyLayze+LBy&aMK~J7JG^g>Ifx-*&pj*n`szaqU||J|agYd9CXs@9%Ll(94R0wI2l_ z24NJis+A%#7K>Ftp+0>uTz^nJ=={0GGS#cOrM=(&r+I5Qv_aBO-}(7cI3)wW4!B&i zNXDhkbl{u8eYDzftPWaEF}f>@&ZYVL!BvP`Zew(7TarF9RPG=Uj>_jIx0CHldRTNS z2f0a5hS{Id9S{D79biF`0vG8DLAjA=`gsVx*G*bFBOd)G@o;V35%28oednj~Ef6uW zqWubaM`cp#QY0aMh~;N$iQewv#0OIct-rsw2)lORTZhA|GTZ@54udAsdKlRGzeUWE ziPJs8uU|YHpPq8U$H^XquKwWV%?;llpxjS%eALm^(GjK9r!!wV83`W@c-mL0IxXFJ zGhX5@*s?3Zf4}H;%l*ll`tX-S)qwm)DR=O}rDA{mOZ}G$F=JOKLB0?ON_l2SoI(Cd zhtLvrZriLPb;Rq>BMW+hEqW}-DPjttzu~Ous3{a((6P&BznY2X0bn1=lAu%Ysqj8D z4OLEdJrS;XOd*csC8AJQdNZRoc3(CivYyF|(_Es2UM>7-pvFk$S6j7usK0DUU#~AN z3j4Uy0Y+2IV)n~1QHmI|a;YsB5`><3zn!wP-#NJ!@n?wjR$*`KDkZ~S>)~D?VEM1^v!_H00O^yAz|_Qee6*iQeJK%%T%$6oj*g}^ zg}?J8Q==xOczScQG4RgY+ZWc4GXCz=N!69G1X>&jKF~@WEGaoTal`#(Fm4fKUCGH^ zk~%y*-M{w@+PYPW#7lO&+5`|+yW)gh@&Jq zL~i_8xDbuH$Ym5Omec;3s`v9YJ^y26!kyGqFbzDPJ13oLwWQYM<l+ zR1SgVdXNwj8Yx;lvXRMPR&fE^43T|3=NR=&C)5ZxgII`mTPi7Zd`1PY9)mkPYHJr- z>ZLUUK)R_*2A&m8p`C&m4_40o^}>4+eX9a9_i z#<*XYiX@S0Vqt>zf&zO)geh88 z>=^&dsO+EUC04E+wwf7DlSgTe`$uPMl^>k*+-xKa!4vp4^_2PapbPKl?fMSSOxnyu z`t(q^uJb<-2&?ToW08QYdXB-I3$#9zq``iyLX~<=U*;~J`+H-TM<0x*y4r 
zI!`$BmP(OKusNy{XaG3x)d_XI>_BUtMEQ#upa$*&M%w42+ z8JUHC0naj>^wI;M3)~y{k#hD^I23U_kvCA!(5~6E_!0arIpzJv{(XN5=hGj$KT2tw zzL}oCNJFs+0c)*3;7AL5J7wu0V{JR>$(N-O+b4a3MqGrM=qx_H-I$Sn1Oy5PcVs#tkqmy&mU6Ak2$Tu~+L__kcJ25e*F;9}I z34x`|Y6&LhzwjaykN_q90impd2imu-w#!u>kuB>`mx*)_Wv;i>9!YB7&O7)>&m61C zuHM}v&|ybz&sBF3kF+R-KJ8X@YE7LhCJ)YWz3iO0jO0E~{bie3=L4{sY1yLO)ocY^ zTY9f1adVrz%Q@wXV!Lr~b6G#g*(-hk{pL=K zcb*Rs`~GsbkkaY{_?W2zCQi)#U1F=uul&7UDA4?T#E?9FNp>U$7`rAr^&3?`EJP?6 zeBdAamPYQ9;O{?Y)dQK!H4zg>b;;CYQGNvK#>I?lr0!(n04@SHzWJl|woGwed?2U1%BVhrZ#nR<-ZGlr-YRf$%x7va`)9&ZJ^-m+KJ6jpn) za_D~}ueZuk{fAD0q)mpxbZ_Tl?Ju=dr<$Igv$q|xYWW2@G}s+_I=*gTp6te!JtE01 z@iz>9ZniP+fx3XL{dDxrRgd>2u|1r@)+TO$ zfN2kMehIlZC;haH>TnCjwdqNiVL;&e-Q-qe`RIg#jmO!>!JVl%M#lAG8G63^-yeUHjvY) zF}T$ZIe}E#@)s)|4*SrR4mm#&;3!GBeD|qC9VlTzhC+d}$WDL7l@2(^M@iyxI17^Z zD_d11hi=)W=u2-q6xDCsPGEJtrzsg z-B62;vkwKU8y^aeOA=Ag*(8EIxiAt$a*dGd5$JP16=pN8KFSc1zD`;D08+?@Xc<&- zAp9UQL-3Xa%$1Kwx-l7R54)?(aCQ6pZqy1W0XTEuF8Pg$hUuaYP#Ul5wEDV;GL>x` zK7nDY>QE{Qs&)!(<=bBfZ})*?OMXGXUU=7alWmI?{w&$Me^@Kd_f?X;;TwUyC~($Z zvVS~g{nwOdaP8ycx>~<;s_T5tjUTRUL*IW_)a4B{euRItj64fkvsAOo5G5H63EwZK z*gt;yFyQDnL{v;4e${Fbb{h!qf2O|u*KBW{sy&iHV5cd1s#)lK;}-cJ=6G?8jDuEH z0%GIISMHJN*j=nMSx@b^B|#NMviri%w|5(cd$<@Y=MfK9$98)@?7!=FolB%sq}mRt z26{Ga?>m^>*k6u$EkjQ>j?nfiD}9+Ghih`($l7YMgXFJbRrs^@r*D7e<-Ov@G}#nZ z-dbG-B)h({4;0?p&&@m}J9EjaTEpMk`h&ht$$VeLqO-tlCr;(F=|Vb}3Un`_^%4t< z6Iq7tU{^@>6dz*E#N%)x*eZ^eLe>T>$G&_#^)bXC_XO-!!fxVK`A640ilQ$X#WZ41 z4m9jvvu-;n(!?2V!aA`!s>&Q*Ncszb1;V!w(M0%Oi)IMS3$E+P ze47^b-d~p3t9*4dOK|xM1$iI646{akdQ~doNw(|xkR`bf@|>Ff!Yc3vn*`~7wUzHts`GsJDlT0 zm_9;~NY3HMR}TD+HyK8-7dtf_zO2+r?Sri8W@7TKVLFC9f7xM-qs8|cY{`l~N*)ME z<7>g8u6@!V#^7iIAOH2m%_1j!(SE=+)-PA?^h9UwKwx9kuW88e)PWu46nnio@@z2A zR@Uj%bX4l*&!=Gwi@8F)TN7af@zbSXIknh*-Gjv$NnrLQPEJVwn|$%j7g-$S+QYYW zkv^H>BT3v%U54uPRJ22})kFVha=23~5Ec#~g8})v`mLfi^+~ERlunI4)rZY)O+Vvr zRoajEd0Q{u^_Un!B=|&vVO|Xr)M8 zD$T#4W2|5*tTxSd`pe@3W)~(vn_*@r)NSn!R~&_?FYfEtpR;(R=5GZSNAFsvk}!J!0u1mZN+ 
z0UR%Ee(=;@Q5Y!uRciNo^Xj0iqv1DSFTW}^*2oRdBHY_d2!g&IZ5jN2fx{8O^E=aNI zko;hb>&uZ)gy6@ymRGTg6|YCeW0q)JPe<8LJr)u$brAS(NX1e|~b|)$8o(1Q~ZrA*=!vB38VMG*Gkg7-UvvFSJd|P3E z(ea$e*XHIb2A1fvt18XEoO8M$c6gn)KAjg>XboT+X9{~RrV{|aDVlWq*kEbNX&$C? z2}2SZ4;IVXnf!3~-jVW;C6+8*yW7+k$l4d+$&{Pt5J)(x?mu&iqb#JOKaXAh>HM5_ z0m^A1z0i5Em~`h$jS;yJR?$d+A;Ho5DcyCaR`|O-CE>f#^Yp0o(};sbVc?UYNC0r( zD1KnZrOv^JdmKJ{HO-ACJ#(A^3wgo8w-fgFTaTPNcAakVMOVl41rP`0PLS^77E8Ku zCchdvdjkT zo!EFnxD$^b4u?Q3A-i*}O(jGhz2Ud&$`%<ugp%{2D=%@_A zmWXs^BcpD9kEmu(bTFe@h7m$FGJfA_d4{^%=`!aAZ@b6ps;}L&G|lnA>Y8J`@uT~H zQ6bL|BbzA=(Tf(OUT_sg4XveCPxM_CoCwM&BUwa-5#~v{kSVKr|%aM%)eRVuX zU7qFa*?a%K@!5aySTdnsY#$cPLXw&+BF3+?!;^Y%le|_vfy~9Uv9!UpSod^wIJaPn zON{&Lc?ToBB98mxIj$#j-@Pt*lZ~Z1Dm>IpBJWGL`l`3}bVpE>XC<>=pz7MQynozb zXp8yjwFkXbf2kuzfJz?s+)FG1U(HAu0ta8?7F~H0x}Y3S4a9Pbrzb4e*xdAPd zT*aC~*oBi`DT)gB1ijop{V>S7nLmEfO8zvtAYOa2NJx~`K&`A)+M#lHaN;xZ_u@^Y zlVWsMZqc9!k}#cAihISucxfrt1a#e27u`U`)wmt*v65 zr>V|lKwG@~%9o3o`zFLK#hq^+0-w|9M5UAg26d8#s{6pABQrLQZgtW6dm$U_j`_x$x;D|^Lj8tqTYOX?`aW&N9x5=S zj%5ck76!YnOtk>PW5P#BMDC)px&zS%OBRf7SS2Zlr)T{O1gm;v8H+eu&l9L_X%AZ- z7imB6KK9w>!Dae^7kc%Ofjs_t7R9CZAdJAY!E@(Nk}igIARm^&|y(Oz82v(;J}rkQIcT)zCdq4(5D`BcDp z!0P)&&0#B7*J`9%BrUTO%K4`QCGA?}ar1BWVAWcuapX>}$F1g^YMk2ezrQj0^NTCL zzyD7p06XNtFTk7690FhX&X54%1r9^r4No*W*O5K1cq!!?xsupxz9@5O=)*;&MUF~# zGf{q@?0`U}Ia9iOCBklgZo#(~mjhLw3$vhrcrEcQjRMsPT)*4jQ7!|52jwgSM=Cxi^&&?IP(-=} z(LQoX-i}swx}DOSj#+|DJNwOAO-F&P;IX?~dke~lELb}`Cvq_Ga*gnE(!$brJr8HN z#NaEZh=pDQ&KlSo@Tfl1IQGzylTpd6+(;i1PEP%vbOJZNC|DP^2$tELx`lF{QG4~OO?~VE{*0)Zp|4`TqE&^E1miQVd(MZGe@euVGJE;S zew%y7*&ks=M$~Q*n~5>h{91Gu^Y5~1FQ?UUv#qsz)CG6Hej28FIHIDjR?Wot$6Y}e zQFaj+pcPzSo!PY~yy5`qVGEx5ZlNiR7F;4yun~9eG4NC}%?&+^II0wQg?8dW{w?cL zOVHZaz|4NjefV<2pyoji+grw-_%!V9cK7MhO_yi0L!acXPFCD3)Pa&po>mbDU&v@; z$$(&#JUyi?bT7bMtNoBbigrPqY8J|#$2c9godH#scHY0<8)b zItM3hK?UAgAYseQlY(g4tMHB?(K?(@ zt{p<{R$z0Rw7_bh9E^%BWFjJyzmtxXwM82$|uM3Q&+ zES=HFzlH=l3j9TfK>D%BjmW&xw%EG;i(gjqzjPI|IPg(qUj`S;p?p-_%h#yfa=QLxyICn$vQjz;rZF` 
zD>K<`E)Hs!hA5xp-*e4OZ0ugfm@VyyWDmNc(KkGOlKa`Cf5lWJ-B5WDh^EaKOC=VYHo z4y6$wu0P@n1xl8Yw61yo1)w zxW}g%3u|)@$3l00EtB4>4-A3hbl$ujxVg`UFIb&oyVSzgM%uzr+#L!t=tCn$pU78} zXL?Cx{E_u0amDzGt#4lx5q;9B5b-SQ*v)=k&!F(%5OnbX{GPkL+bv?Y62@|6;>q+> zGRk9*3k}tk6slfTEAsQ9(+r$wRpWU6+68;}=Sm9_+jO@$5c*iPE*X;E1OdqC3%%T7b-9+m~4KCPejiP!a7G)sjG`&Kt?o{y=)U zmbS6UxNu`~h&u!x0Rig&3H&bGp1mMv6r>{*Rvlxoj8;N?f;z(Wsg3w)IX$A$4<&da zO`(M!?Vw;@8XEx9$H%)t(w!{SyuwZ{kM-|+*kbRc?xOU3fsA*4ETFN^EJ31^-^1`g ze_x}0eC#|Z#uC{yyBeDEzDHQ%zNHZp!g(~S&hPL3Iyfj9lh6xr|5=C|frZ2^FbH?m z_Cuk=J~jQ^snVQ~q!k?wNj7U0YpTs0{tHxbzpxWM{n>ZPF?y??#aI866#v}~uP(&9 zE@+I%W8VMG%oTsWE&s>B9`S9ndRif){hjlWtD+(;yKV4(UvAU1_Up^^48*KvxVnIg zDUa?i#(`oOzq~+2dhVAG=D(5>b=eyK5UR(-L{kN%;l6nAsy}X4i$`i>-NR}&6k6~| zL1C9AdA|y^sJ*|xBB9wjdC~uFkLLZZ!CCxcXyn3%w=LVZHbjrvpQTCbv=u=TGK)lh11(kUWn>Ii{A zN5Yv&+ZdMtal3R$&J=>xP+D+0lS#G5M?g-KPjy&!QM30EXI`WN*TsPC@E{|rm=k=O z_->ALyC~{8+3HL#_&{HnD!R9jO~apdrzvD4L@~wfP`|_VbmTM5wn3^a8-YTdR`89 zg!Rm;@K60&Uvjr6Zv8;s^%Y5|{45Zo@zolKhQac_z9T+l^=mh~$8z)C;9zdeH_iX^ zfz5`7gcJ9Zu#h=CwZDon*r&nVHamMJ&s>sVyB$g`Yoxt%8|D4)V%Do<&DYOf%^ky7 zq=WTZ)2wQFkk#LKe}e28_T6szwMkUTho3LbP8N8;KaGB7rR{fRUBww>JQTKw>K;B} zvpu$<1lSKyvy==C4c*&!;b#Sb-i?ap;LG3VGLoBx8fn3{!xIyZ^SO>m_>@97*~kVl zJV$X#5{koV%-Sk@Z1dQm>rvDodD!yMlBSg{1_yS5nh`d){zFf8jCACE+KqdrJ17!9 ze6a{`-ZoSq?+0q{SqRVFeUKFkWRhCc0EOk=Vb6O6F-G8L^wFxoqlls?OdewS9`Q4o z5S(~=N9W5bLB>J2J|3GVs9UjBgUEfKjw4>L`}KCuy!s~=-_&&9bKz>?sO{_Dl8%4? zWM*}c(H4V9nnPDk|C%SmhxMn=a zwEx-c_?kWWl2-7uQ4cDSrz>L3eIon5X1LlP+!@+Yaq%H=ukhCtDas}$>GgDEZ(r?= z5aAyz^(gBa-bc72%0@}zB2^F=#SfNw++{9_r!wiV7yVH^ncm}^$oatU>hrJQcS<)9 zhR-&mKAp41%%-;AUrc!Z!hy`|i^`cx585ay6_H0j{Qb3|iwyEY*Xwa(4$)O~5bK_2 z_B4cPj0|%9`gInGiYqB&`3(%0;cs$>>-GbS*o!&jONCSd9d>XET!_1E|NhAC2H}e};T?3m69?Q+2 zn=P1s=f~zICacdMoSxoe=HTF<7Yvzy{%jd^&P_~BIrax(m#)qpjuxx)o=;;#Nne3y zvoJhiFk0o4AwNPMeEG$e40s6o8iQvLXefJ8yAalyT=uH3NVT#&^oGuRm306V7h5YE zh=$b_8^6(*rAI{2kp|UsQ&K8gQGOay_p!)d?Jb|{<8b(C@uRlyk<7)@rS9aH1X8Ms zzqNAf7%w`yCFz$4pp#NUL0s`WocQe5(O4mu@vJH1-0t5XvO5czTU~jxxstPA>p(`? 
zjLcgrB?f2BTWwfFXr&cl)>?bI$fqj_Y1TO+lt zNzAsI?Mk&5d-RyEpv^Ai^ms&7XL`aroq;^lIoa|0>WxPU+T+HK&d{jex^}n^1G#sP z{i*T2(w__Mq5cFls~?AwSse!v6!Fm^u=f;H_Xkwu{dYu5yvn zsOu1q?EBl5bTNSyT|xvW@4w&JfBR(ffuns*Tlli^x7Sw&0U|u+abXO@r``p=_a6-Q0CHrIA$oyz1*wW+pO}YLzB$v9MLDZ!V2W%ZExdjLNlrDzBxFA6Fxm+u_y#fobLSth|20&64;gQsWiiv2N%75s%RoTY! zb>X*JWTwssJ(f|f3Qu#Fm{EEwLjj&`vsY&p<+?)O5^$y&R?BIpGUAu!B`b?*tW08) z47FQpglSsRlwyz0eE+s?J$>`6j5CjlnSWe$#(;@$Aa*@OxwfFGl4-^!Up=A^`Qmip z@&SXqTmv^s%xY!XA+>#`mquvPhT><>PJDmyAbUD-}}01)ztTwLt?{R zpBwTz%XnVoKbAY8^sSzyDof^D(KcR@Y@MW2Xy*_wr4w^qedjN<4SZ0|V6#CwEr`_} zF5U;vt#J!8xOe@Kc>4jEyt6M3WO7_Z+1{OWC(S`0EvQ%RuSI2gPbtUS=+^Oi5B6r? z!|BEk%oFSGq2im&ukzOJ^Mv+AAm6fteYcxkJa5CEK*>gWueoi8sgQm~0yoSU)Ya5%TMqq*-W_r^`KAeWoJ ze*FT;c*#}4b9VuEvi`;y+)-^^*Z6pvm1(tOl6+{<<@EHl(3ZKhpH5Imfm%wnb`Xfm z)=duxo$KjTUd%NplD@d_M&$LkxJT@Eziz)w7s8!o(Qqut+2FXz5wF+7ytF z$!(YPj9qp(RQt+#?CM{a&Jzh)r{wA#&x~u-%4Rk_bM8EITHAPErP z@}HMVhfhU1zIBklzI4Il;P|!$74LnCxm88x+s`-ou@$9iy`}5ytgR(!fsc58E;**| z|JBIRod3{8R>0VVN$jia^q{PJD~U1~@j3DdtkQ%ERubbr^3nQ`dlX}$Nz~x_F7rjf z*Lva&9!QQ>j8EJWC?viz{Hx@aA3U87zcG6M!Gsc6C~e!pL(9ZZQuY%PerLnnMvUa# zuce<&A z-6gFLqG)8Gx9lXl@o%9qTO3!j0^dFrCq`ADa+GzD{^wp{J*Y{=2W0WL|(M zs%0F{TGVgn$;nJH1D-*MUVevbCgBrHgi+mMd@uBg9Eh=`PE@Z(<*9zW7(ZV2X~ zvj@394E11qV_I1Di2Sis7aUp~G0RXYPC z4ywrsU*Gfe@(=!;c|8@e>+`%CET*8V#dP@eSf2fQyu|5uHWq;uhw){}v71-6;?=h4 z^CFlX4whmBGqk*R=r;?C#QbrgG~puYDAPX?`Iminn;%aQKwf+TffZ5D1Q^}DR(_{n zdkZrcPbB04XTZrs$5r5(>CYDfC#Zz%V$A{b_6gvdWts=4htgJY;+#GlVvsjfyu-1VD+AI*dw9_rbBB_&)rwer#FNL)1|9Y<@4R?MoJLmQ}PrbNNQ*~h!JlKDb^B$T4O!}F#hg4sgfGCP-e5F=jG%=qu5 z?sC4P^R-Ql?#$R|u3Llab^5tn<$p_cTs4;_rX+zReVG1{Dkk~YD=RtYe`d7#kMD2g zcn5yq<$#;FGGz{&00$Rqm5AB{aozSMvh@8#XxeYJSB`Kg_oI=LZwi8WFlemmuKH=E z5irxScTp$o8-XI-R~zeht27>9y+#x4G3dP6V4Y3eoz~0$hjHe|D4HATNTxX7Qy$$c zjuJ^at>8qqjYLo=2H$Yy=v@0O=PZ8R*$IRbdONgs;*Ty*E(w_yxAVyZX6Go6*izdk zcynUB(z6=+WG*+hUv=_2=W&(3IVgIhO`6)ir~h8Y<>G1Lz=u5NV3zM}8SE<#49k+; zH(e~BJZe$&wx#So{Z(@sEpD4{6Pp}k`I``O%P`Z};8)g-N9Sj35(mCSr{_2Bs6A>f 
zT1aWKWBzAh@}ivB!z!<`k|sMH=JnU_b7|}a7@K}a{yBbP*Y6KHTD;9A%?50VeVCt@ zlQj*c%|724S;BlNiMx1b+*JGys|M_5O3E7_ z!<9yVoPT}vqV2Fo(U{bxc(W^tfGY>}1ixxXqC zH$%InST|j(omxGjekXOj1(9w*(HB-T)7luQ#b_idvBsKNj$vR4tw*5V1Ts z@xp6;2z-MR_&mZz5u{?ET&-+-bbTCA)S=Rgs&0iTJwSCqV-N%QY-Xe)oIf%(OxGS( zV+;#Kx^y{zq;YwmpFSXkjVahY`!i~gh+^kCUdu_ITC930sJfq<(s2XUU{$|S@ymnb z;r`py!!Z}Tu90;@1w=Jxq;-U}&cx358SPC!L3eU^bPLUzet6T0CYIzG-?pvlmE7_%;katR zn<1}OZ)3?3#P>5RdO?y~mePmURC=i*sC+)~ad=VSlUc1k0TN|G5<6H)>rVrldm!(p zembYo3ffbp>dev)D3}bh0veJNF#~I`si^AH-FTkelJVz(KQ6xD?^<^*6G#Q?n|bBY z?4w{3tn*%(7ZM>)kL9krQ-DMt_mv=OLBCw}CV4?8gh>nq5+Icqq=WMB?-YFIVX$}g zQ6Z)j5h(fFj$`O}&$96z7|u2f;{S$S>{z* z$-v7F;7K!CKX9L>OjfPoHd9F>+vW02(?Biqerq9q zUrU2G5G&-JAFzD8woj6QE+Y8Fdf!@X6kMr7c%XEKB1l>@AQIie`O^HqjWPU${R8W3 z`Map2qW^S1pUxf70piXVAdCD%$WrQZck-#(vpQXa-+oH(@&+7JoEkB-(MH7}zuqy2$4rO-O)zgfQNHx2BOEoZ0am0-JJuSohb1 zk8mhs5?Z^Q0&oR1u6vb|j8u<-Tqc_w$d_2*mt z`7nwtxVRCwlxCHTZ@E2f@iajkmD$r1db>krrr#1X4##6h!)-drcfmAic>=2?2)o{yTpQG9&6rvf`WFeT6 z8hiLt1|rJ9xh%T~Fpp$NM=@Qr(cKly7=jffO|53(S}mY@!t>!|C_0&(r8)Y%{$;jC zkJ(Cf&4`}%8<%E0$u~=5$j0Wr%VEJ2h+F!buc7fw%oZhX&-ethaZ| zPCfmVQ`rzv^(u{G2lLo_?+X;Xcla;B(98onBc6tZ$H5kXlP{}gHIOR{jD3~6z?y$@UKXEToZ7_<8^Xa?`9O&-{k!|4-lrO+s z6aD*>QD{LlcOxdT(TBIhk7K+H_Gb^LpV3@@;hG>#H)$fL%Ntkce$znL^mqNgLH`xD ztJQThVnkgrcCsoEZDh^sXBw=#5)THLR<3QGz2BwVbQ1Wf?N#8?CWVAp?1Q3I8&_L@ zsm4`e5!cQ@?@>u!h5v(V_gZ=Q%Z;$~Aq!{{|7kb-lmf)H1?|ixT`UQP%fo2M8)GgUTQ5vqeo89u8Vvfga*~?vqQXaU8+gpOGv6;mSnqNM zZ2wkX(6_V*t^r12Q1Iq<*O1Kio2xuMkfy~YON*I0-M&?9Xw44&JN^S{ScD)?;2YQC z?7W-gwdD?JXA^bvmG1?0+a$;l6)zn9c6Y!3)W_$3*TZ+!_6G*e&dybOFNBU>ac@s9 zO25v?=t!N(Y;sapCqwzfB@UJe?oyYF>WxStaTmo&`KmW6tYEX2lN$i9E$~sqv@*iV ziInBx!S)QBw%f!f40#L2v+EkAC)!aoA1YKy?1nytXp(RRVsqAdHMs-P?3~VvFaupd zvizk;hYSWPE{G<0{3jrfo-HQo5(?YpFqO`Oih|TVn-{Gxq6w&nApYvlr?|_eZc;c4 zzZ2;g7s~wJ#T`y&WIS z!KI#_Bqm(~vV>?L32mO6cwN!dSm;$O>#l$YXiBMFl{7ag{ubW6%8?e`AhA}7PyyjX ztfO&>8Ex?oSNeZR?!6j2KNyn>=FNG?^I3{(oDbPL4r^Ho8;6d?Fb|4M=k=fZ6DDfC+>nr@pr9Y5 
zq%gXZ+}bE1d0-FA?pM&PF<6AKcxVhX`M&CWpI5i%yf0w?m$TXI8-o1XzV_9+ZN8v; zLVsnBJWgUOa+&)_w81lcMj}>hl8GKKMs*u9_1TXj#h{gQ8eip+rrpst*=e~8tI8Wy zKL1=*aQTvyC8g38x7b49brYtip`l9+pRGW-XAoq2yw6=~WkTU0KG%?sGQ6?PQ(az@vK;wAZ6yd=|9t%8miMP~^o^ z_~Q)eh*w-JK4*i-On-e!e5S@Vz^3-3`_!Ky?qJsacV(q3_+~HQ`#V*9|3J!c#a3T` zohTJ>Fs$jy1!n6WuRbJSPIPaFI8LWw z7J?@X+M(!^m$oFX7|b@45j(Hr_q@)9>rpjoINt!$I4nMxr5j9@IcD6n4XlXyHP@!r!Wt>kXyLBJOGAsfmgAFVGuhR8g=BkZ$ zm0lQ5VmwPG{G$I~&d7=JUu(q+-k&jvjgI1yYilYzqfEqu!RF$0XdOTGe5b4h<$&ak=|`; zcT^i3*l52PxBpiw&@Vg`51IS-G9gdv?WWt%N*`tL+NUNXW86QQ1cUAx^v zHz;>(u`#Pt^*4)2+@Qc~8U}DOp~gyj?>8U!y*Z6hm&DieFr)xnMJmd!DOA=p~k0vcAgQ zNj62AZw5Q}E4zA9KT2(vb;F63a{HJC7goP_{r9C(|L;$kWGj?XUYVgcxXtE z{P;0(&1~}5uchTh$J}|TAp(f3$6E4qo&9oIMqRz>GE{gTcfO5mv1R)gYZFe&W?hXT zq+rX-m*ZZ3$S{c#MU$LBiBaf>*F79X9jIF49Xa`X@rWOoVgwZ!n0;m6ws$Nw+^W0O z;huw+2|1iV`49qiryxt^9IJb{gnbQ6k%Uj|oO?qt{P-+pKthX?ZWlzSU+Qpz5Gy!n zv4ZSwsOzv#q@JVXH7)<}f=gA~f;Ik_ih-ac;;zWZog3}$T*Y(}0=MXAH zdn-o{lGldP&1VpI^e1Kgu9%0a6L=RyZauBjc_;R}I`6iy4cMoR3 z%W(H}3|i}6L^OrjyYMyVi}U63%P(5oCh6l47I?obqA_T=?vkBoB|zL>6Egb4l6Y?; zhFY)Y>c$gI0i=k9|0-N!S2QC#e?T)5*yC-e(`osw`BR&#Tx*PpFC8t@hC`M4mKhFm z$S4zyt%&qu@0sOxe|ewwnZ?n3Px3LWUNLFjprH2lSL@*KhyEU(4>NrN>sAsu`6ho} z2$f%Q*xBu3&d%-yfKB`)=?KX>Dx<%Pj0O2RR8F*=<~65PCWcZ2DkBLU6A33W4UyaMa)LsuuAL z=(aSy*ptPvz_FnBd>egaydfY;&5ICXSOkS-T~JE!1eLOa(mv5is5k50{0TGz(ve)m zfyi=2XwkZp=5?hvDHGUHK>m2o^m+b+G6 zQu%-3+tkLnPYW9(6|g;cOp}W_|8B{mOxQ0!@{(Q1RstkOJmQgsaGEs4lRk-+6CX)J z?Tuiy7UWcB<$U))hg!u6d)4&(2eS}(z{o)FFbK{z0vDsOEQ^AvU%AR$WsEG$D9Exo zp!%mmoMoemzRb|Z8&FN^&Xq#W>AqFel+>>(A2AT2v6C7de(61O%Pm7&l+j@v{_^+m zeQ(WReAGmai)Oi|{=0_E3)k@a@~;?kQPG=N!FFOMda{Z{D}80e7sU?J5~2ltvl3de z3Qm|l-+U46m&uDMZ`G^4>&j&t)(rgfmG)}h?A_xX2+}g0c}|9~WxjaZN|!oztIsMq z$>vkjW68R*g1n%A5Tv85{u|~N&mwS%cRD_~J}ogCLXr7;x^=grSe`+4?>Ocx3wLZh z^l2uEq6B1F68{$(<14TXZ669zi(?H^5jZCCi7(up**QPnUYWYd^=1&@jzW>MOnyhz zuk{@qP|Th8G4!WrXZZ4=?B?($z3W%aL6Lyb?AKSXUabpV=Z^L+H7Yk7 
zb1emwdH`F==8~I1UN#O_0c<3@xThf5f=x-zT0*-|o7=j^M{vghOh05uDzaeYf<(d{%tk`o3sff?N_uCj@jt-mm%3pWM#`N(?ic2x1@oY!M`d$VJMA@9EAPb%{aeD zP)m7}&?6oi#fQW7lcQx9DNLnBzlfqfbVoYgv0eJ%`A{VfS_rajTC2Sv&60EuskaNc zdp*#R=Bbjc{6T+kW7yP|bp2a3BVi3flrW7q-wdSEYjp1#ujK=4Kc= z4&D1HMx#t0e)L|r_2usT^)8i^syM?CPRrJnSB@jH= z*#SYZKC1TXRcti%l!k;&4;^RZqjE-bjYjH;pQ)~$%3fN5{f7-^p|zhrc09b3#RkPRE#K%Y2Ygj? zrB7ER828J8rAtjq>scl}3=3Wm;Z+~|c6`P9`D-42N=r{qfAeNf0+3Non*aF)EH4umW_AgFQ2Ubdb~iyqEy3apSdIvDXEXli7Fn zt@vRT+;{v)XIwv$H~9P6IT@<#g-aJW@3DJ3vOOj=r2ai}Niu0K{N+P_ByKmyCqaAX zMmWDVQpOUuKty+o>C(n`243PyRG9^UE)=ZNMSG*BSJi?U?%APGf~z=QPj}(n4@-}) z#ze?y?ppmXektN|4Mn(0>f)`6vT}E;VBn&hb&d~yvh<;FbJhm0aor>qB=$eqCizlO z>m3+BEu{(%xP{PoN!$s$NFrrfe!s=v-28Am=u_Tu7D#BN%)I_!>StmCXz>?6rqx@# zNy>kRz=MN>S+LUJMU7$o_o*h}b*=Xevn)Df@#}JZ{3wrC+T+o>0s(8Gp*XGEXskasi`$U*n&?mq^+1)1~$^*q)>QSBnb`*zl!Cu z(sCAwNNOFjkrDUFbpBcGTX*x{7f**hBALJb!>T0Qi}IsPr-xs%R;sYC7aJfZi2VHub!*DeDSCu^Kh2 z<5nSZ<&?!85lbvZJ-#t)2_kTQ$IO|Sgm-r;VvwH`lyJl%5v%V(L+=x2_*74Anhiy?+G<9peQ!VbF44VaragMYE>`w;jh zQ*H}0QLI=V9TQ0^)VuiK0vpDF`o>ZE%=wDCt{RAMjb5QC2%!&bmBDHa31=72_;uB( z7+*<1`b>WgCQ`?QN>UK!f0lT!AaeBL-l-w8bW`xn*?-2rz;3$fv_vb0@gb8M&DkYw zdYW!+)t&)&+GM>{4N&=#vmYNFDd$xd{=cA#vJ9aUd&U!e-;=E^0?MF&&6l2uL@m)r zXW$9TZVNv_3fkec0A18&FzNW{owC_J-WZYKjwPvNnM?pj!t56wd8$3 zurTOH$?O796JUZs4))&Czl`$fI&2S>&Lkr1D<9 zn+{i_U{jYj6pr~K3d;fI_V1{lcLUK+Fiw7;t6svwG*9gfQmSNRRP9TYo8xy;IaoVo zgy~G9zQ3s_fXVsA=LQ_nM?u`|PZHVSQQ&4)t3~Xyq-7_p+|u z;?-XP?{tW*bNJGoy;`nmaDPJ-RAumqQ^RoOMjwXxSsh*)K$E}MB)RjWST|pak-)Se zV5`vq|^rH#DWd?k(oTg35wm#+LX_X78)W$_AgJ4SJS8`Jr;TVE0?G+~R zSiKtxcd__^hDqF0nu8SL(c>f9tC#g6_7gv_Llmu_HRcKWswSm=3pBlpx?gV}wEryf zr6+M5dg>|SHT;4@I~8`_Q(BpI?;4UsD0kpJIS%w3Kr0~~F3uyx4OgxuK&^vX@bZ5R z(fmfyz~dKOSC>#41~P~>^J(kWHA*LSqEd>+CXaV?na1Fu>-AKW=D{j+=C2~q7ZpOz zPpuHRGpbHH0?34B$Bl3T_ou1t9|i|&Gd_S%DW6c&ucH;1rON(}9;V2m>dL0Zj;$7?5gQI9>F~{4xwA7AhHm@s^t)tHlj6AH_yNVA z;RZ4fo{QKXJodt+I|Qc)f3p9=+(JQ+>GcP=34VTl*Jc^TY*kefNzvtng@tww4z5%4gAj>&qjeXbFH|uqoZ&HbrVLocpeu_ 
ze=+;-?5IPgbkDaanxT`ZpIE;A_0j~@1?EXAthyy91x5QB4SKneeAlx;zTO1%cV&U( zk9PdtcTzX2pH@SoR!A-SKsVn@Ng92*ZZ-6S+jaB;#J%`H50al$AiW3FSpR|vBoL2M zI#l-c^JG~RA95;T%%zCCV!4_l56TlR-hOYXjy!1=!hhzqfeqwK6$GBxHL6>a#+as! z0p2RfuXgw>XGee3Yc9X#U}yfmX^h?h*_SV~s+C@5p7j>US4}J-oSf95Fo|$HrJVnw ze7{5CZQhQ#|8Y=3tncbfUArp&gGa*}6VXkULr-Q^E#CXyr)Suxw(N?EBwC6ry&c^* z({$m9%nm4kji*)FQ9k&(LrS^XE7HR8%y)Q(z7JEG9CLKY*2l3G^SnLts2Mf=!u?wp zahtmHrnaYu`ydD|7pdpjcYS?4vHET4Vr}n24jP9E+9dARGy-jL@g4{+@oTVheD3Jh z#mhpSFTwcRz}$DWy5wU0?9go0e#TTvjQaR85Z|3KVn!q`S3Sm~BYF*-nyV$xrgTYv zy=yiO-iy1!q|UTkl@^v+Yh&>9eTa6z(!4N z-IGg;1@bERCR(ZX;W2TN4Yzq-kgR~4|4~d+R!}h+6;&j_FwjUvs@`Mc40K$JK##vE zD2gzI+ij_{CqzB9Jpq@P6ye%ybaowM<%{$PEmFgdm&-$Us53Rp#Cf6vDCd^iS-iB0 zmXp6uDy2ipb21;Dd5r+p>I0zV+Q?t`tdFZW-pGKbjLdC_5zLH2s^m2f21x{yZWnkH1@4AxGC}XXpiQ_e*n;tQL=ur zkoWgy`X=)J%cOmJ*e&mn2Upo6V0rLk#^^CjnyLCqweZMl14YPGm#&lRG}9IOi?h#f zF6#tz!hDWc7Nzg+K~mojU{7tnoN7`~s+rdRw3#rBDfX3?#U(=C>g+3Z}KUec2rAYy+!!ASA&nCdm`BCI}UP_rYPdNupemabs zu%=_Fggky=!~uyWiU!oJrz~t{V)EAC^F6H^l5!c%g3d-Gm2LiZoh+&+7<@^p%Y0ro z*~R}fRsVtvA2qQ5LG;o$CL9oV)ZX_*Q0X2dT&FDO3FLEn)y8H9*gHi<-jmSRON>b* zAv!TY8RH!8bSk<0ZB^8?an+gmY9A*1e6^9R#(amxIvtvb5rhFlX5MQnOtw0eDw>3C z4|{B^%L$DpVam(DP~n9~WuSaVGf>U2e?!OjkhmuL&0|!lP*d27&LI{)=6BNKd(ZC( zx9!3ZnVo9G16Th2|B1G93!5vkO;|aYAyvY4sv+i8Z7*BQEjEZbI)Ke%b`^iNk&?zU z{C6P@)yZ+bKX51735;kHrU?WUWUQyCm=r+N5Jg=SU9-XOBaajPe${ZX2kn`EojsZR zx4K2r;XPN}%-DeSjQ09L9=Y?t`6+)XMGZe6OZ@CvRpa^GLYuI&QP~G-S&}fvRlXb3 z?#vR7h#w6r6B?_y0{^p!@|A?Q=PYlYr#6vJe!#q%8cRTKo{k!B2)GOY-1oq#=C_s~ zt3o5EdrZl&-u5U^o6$q=Al91SonMB*`+s>~NwTAGTLU z19XIPnNRF5X_3=09)97;Z-nEgna%^nj^+ai`yyuVysl3$qi5aP@1Kgz|8aCa zPZs}6%Kx|IdEv?rK$AF^>ZtHiFS{e(h0L3{l<98aa0W3%OnW+;cDavzrB@uR{r?g2 z^Tohv=FDHEMZh2>D~5!Fh34Q_5fp%wDCSIy;t7^F_am;ufyt! 
zT7*3Sh-=w40b!FsQ*s3oJ+H>qf~bM!vbB9fp%b`;HRYybH=#5DvR2>vuNHY*gqG;J zfCpCfenIPmf4UpP*y;fDDCNnG$-Pj^F~st=32wB8xko#DQ#IH~jTTL5iwtRRzg%Ln z48a1LyEb~3g9JkNjt6Y{#HG-96h>*?t`j{MQaImgg&<(-}<^Wyuj?_ipeC(MHJ z8;Mfhf1S6CcU!)76KOzgT=72is=u=LcAnfD;b-DkXBrA$<`v*wS*f@S!@m0@_@gZM z3fz5s1t_)og50_gGa&ZpN?r z%nkwG)=qsecsF}*U)-|=NrEg6K00+s6MihVYu>zr)oppWpRo@WMWvsD8TIqN&6GC@ zlxidm5P3MrLrHbRPjy!FJQGvNc_yI;OPwgPeU5;SA`JDhC+CrX#Okr5B zEhewwwletly-eDrP3Y!kOTw^aN?y?I4nLVZrG-^-{+|wdEZI_>XOH6dJ#F2*rpUVd za=Uk%QfLA_DgWcQ?&gw^c{Q=Hc&W>p3OC`YT>2%qVEFmlSvWoGZNXCoc!t2|0C^eV zZVMg2^eJCa`H|K;d&k>Kd>NXMt!)dG(iTjufPv*md{>oZy`7s+KfX75hXYbA2m_rJ zfCBYxdHBnm$xZbWsM!=efKbU_U*R~d0JY}*1YUv-DY5pUcV=|Z`B~`4K`F1VTung$ z`BcsLx$EH-^yw>rKFQJEl@L21daL~Q&ge#=YGzXD_$U{pBTZ%*sF z5sCc@O;0V{)!VlbuM$kNtI{U)>UFr}+P6jxNKf@|^;8I8+?MzD{~a!FC%NDhy+1te zIX(T*r>*f-ZG6RNah$HR5IgvP(e;*5QNK~wun0&qGy(&|3?Yq#z#t*akV=VkcPa=< z!zcnXC>;_K4uXVq3eq9nAf z8v-=2d85U)2I%@k{VePEwCBle@Ym$QT|7uX9AK2kz;gjyAmnpu-ri6lO924rtxSHC zbzd=D)lMi)2V;q()9mp8hAsZb@MkdqmP=K(N`>d{Sc`8gF3&fw-FKkY9Fn&X5Q+d? 
zp`~`a%Vwj>WeSyNNXKUS`eq-<-Gb|EY&NpR3ojOl38tcfN$ln^{k?A|4~{llA2 zXsZPazKzbaa~nwpJ%5R>p0Ks1M&lW@0|vMH7UPbKV3q8WoUVb^|7Oh3Je zFnbr2TTq4sDz^vcOj5SrcJK_&5cr9=Ggqa>9#6QD?8?Se$5%|xQM;ty)I}CGsylvJ z((8y?Sz|{2&pCz9$D9|Pdj#F^9VV?X1W(zt9@ny-zh1Gsx4d@wZP2Y}TtMb`eO}fo z3FT|~)tHD3VoKS7qfqoaz&@7IhHb!z#U6zK4yF z0sJ_!fUyI>qA;+QxP;_U7%WKxa9u!zWv%~ThCPa5V4DW_P;Hn3n>EFmHh2w`xJ+zR zyFAZ42h`B_#Efb^TJj^L$&27`5Nh8{G{%C+BK188zKnGvt7d0U0dMd9;F& z=giF_2fW@^3Es+ZzFIE6jMIjJ;iBS84r(lM(521)apD=K4{g15xSQL;t=mwES-2Uh zyVGBxn29W6cO0M~rJ{eWAyL+IWft2c{^L>E2@}RIbCRamfI+dr?G4Yif=ZX)t#OJ6 z!HS!*cRqCj2TiM z)1nAykK0$C;jlTk!C4&LJ=9WkYRX93HlQt5Ria8Y84zEQQg7!4=Iwm$HUx7ZvIPLs zjoEC0P99`bgkrni>Sx}yyGgoIA* zin1xXV_sJMKb&%&^5)&I7M7U)FkNUJj^!%vo69->ra3`GdAIm4sbuMgdA(NlGXCGc zz9Usn*PpRMtEBQuSjwd>WAZqw67H5J&<98 zTr=D|cl$B~~?zro){Krj5by0e@lrC-2PwD`GGh#sRZH`*ii6$E*Vy6BuRs zyu8lqj!-?#c^W(sb=41fD~y9<=A4XKylOzBDh5mjE3>GtG61%dz_nKZtipl83ocd< zPcTnURM8Uq(1tFfKwI*#|WV7TEf#F72QGkALOM zK44%x4C3Kawxc$}hC141NzeMfcGBsNvzKMN{2lQx3Fcu);P!Gg#0~n-ig~V?zZWzY z@|bn=YP8z{))@u%Ek{Y$7~cU2nVseW9Ck zA#+<^#Q3RS%e(?=R%+Pt=5Bt6$L!gw0%siebmx;r$T&b74KF95l^?W+SbFwdSnWiw zQXHosryC(NB$4SpAGIIHxm#A!wp_9}yE&<<{G6IA(Ll~Z?tNwV6&;>zOj8?6C4Iqp zkLnoI@x;341A>$+I{$Kw(#3+Js9L1{+hxV{^kC2~BEn51@{>&@SJ_+L;kUt?o2b0e zcZI_QiA0~~;HZWED%5>$YG1{(oLhp_%n5<69UNstfwbQHg76p zPsZ=MxVY!7&=8`ZP04{b??}Z1!p9Mz|;wlW9ijZSJ33%(8$*v($;B@ z35@!v`QP6q6Bv7!wo=ad(%LrG3Zw*pVY|`5NfSPLgy29gzav{Lq~wy(5NB&Xlvx1L5EzS z{P7>z^aMn{Xh4@3K7(g4eRxh&W%4I3fz=QXo_Fah407p#=UK^z4IU4CFG(!1aC4)1 zgp*a=UHTnaBL3Q1^I#A~>usq@|3=2rA)y$ouXPGeiY)w5n3ovDn3EGp)~zpeI({#~ zLp8C0SyzXXO?u!0DsW5bIKdV8mrn&Ok?YTL3O=?##lBI!GYL!qJa6+~MjI8rjJ>(q zP-_z_$f2(r|8~Ov0(E)`QIT|29>sVMKe1L^Vvvb96ubs`J0nt-6|diM+3Z|>a)F42 zD^Rdj1(2Z)FYWc$t~k8?D#l}d4xsEacoY+^Q8Whi@dP-h%J}HoIrJ~&HlntO%)(V7a(~)nTE_W#(kiq zE4Un0o;I*4)S$OT2qul`x~nGkw_%H+96## zg3XU`rBzVuGYqi5QmJ@h$#jAHp1^9U!VI09`0N9}V3#AGr<6)s?i|SW1w{LM;3pp; z8wmJ=v1ul0x0Lo3<&ou3h?UUVV;b0fEWrTy080!zNIHD2^)p)cf-^`iFgoZdL}MUj z`d&wk*1;#?UE92OxQ^#?n`=ymn|>Dt 
z88rnw^HJ($APqPia)q+AJ}t$8cl(G1(;vFun;!y~fD7^7uXbNy(+Kf3x)FzJ5+M|# z3HV$ioJfC0MT4Vdw%7axPxany!qwSe|CSRogP#@HA_|`Up#uk#Ra~$bCKkN62R#-n zR9dF}0^D=1>4-NAA|s;D6%`tD+UFlxJ6V-XH#MG+d7PAAGaue{edGMh0EfVhgrzS| z$~mt6t(BYzGIyk76Pu8V*L4ldU5wKOj^)Q}fJsxtZ(J+>IdI#8F7@yJ@bL6JUF9=~ zC|HQ8lmAw79lut2pDniEW=`NBGg{vOCz8GOBGYihVW7751Qde2voYX7(H8-{TFyodJJPGGkm!lIrLKu>H)|$VxX5~Ld zj93c=kscv-_Tyz~;3y0XA7tA*AgjKV#YuuAAtNl1hS%_6IXo-I~#~?0&mBjBj^-> zbvrpxz+zGVd-rtP|PBMomR+XI8c{2g-IRGTjHxRKJ#+dy4cPGi`+ne&- z6z_JQ3uQQa&)=Y>s^tO}E9>No<{IgL7VF`C({?6r;s!rGb$DHsdA&*#k(v5xM5GX_ zyO4oDK7!&wM>JW8uMAPtXw^dye)voeL!b?%XYJctD662C+PZgiqOx$Byu$TaJ6bbN z7LjEVdOmbdr+V@WsNH!m=Tzh?%J-Q(D48^FJg{FvJ%G*XPZgJ8jBcu!I+Y0QGPd+( zf=ssH5J+ubJG%?=e(Zb*NeO|W;NSZ?o@`R{^TrN=s9~Gk)JRSi7;>3SUM&O!^}-yW zIl=E8km7pp5Y`$2T_xTl*xwZaPvI|fuVhr=%QN@vwtrlfsBaIA7x8}(mqM0fH?kq> zN(V#a+=xIWf>?2&|GdJkkWsEr@Hw}Mlx9ugi>@6FUih6rpPwd{IIQ;HVPcMv9emsj zya+$oSyDet0z0-TU~-(@L+qrm+u&g1t^|3`vzR)1z5D{B;{ZqA-mnZ({c@;Y!HbJQ zyYKh;rGPgVIK!OP^S0>>*kgX03LA2T&b9t+l|D9Yy=@EB<&RlY#psj?6>fszggx#k zrCOqb92^!@xpH)%9ZxjeUx~Ueqt49#AVw@a)nmQ-s7VT^x+i;;TpLg=yV7AWc5NiM zZDRG8)Rdm;Zr;51c-s%)LRMU7EiTbSx;&2f;8JyDVL-XRn-pQ>`Jy;*FDTBQd0x9a zHom3=m;dD_>4u&d+u;7gGE1$DI{D|hfi6+@wOM0%=1L22)g16sJ$&cyo>Yfe>PdI* z54EwbLb>O?Bm#8O(?;v)x)vj$CuhARa$}M02pdA418(hXlRl-mB5)B$r;|JJ5OE5E z)-?2e9-wWUc=szozTGx2_cIcPA~x*m6!a>m0`7yHc!z9kskX30s?C&kmX=#Sq*dBc zgJg}&tj@=7V95y>)Lz_8^t(7yst$eVe=!p5Ac}{+QiT(s;KqYgpB=+qh^(n8!VLS~ zlE1}g{ms#^#7^ty_DV?M3tpxCL6S{9&Uz{_RLgddDMnUh4-038z*b@mBtD?U)hp47 zh*mqzR_wW!s$BL9CA|V?{cym<1HtzkcsNboAvWDC^$Pg%vUKh594Sq|%c^^h;l&t! 
z;wTkoi>0MdKBXyY84(@7Ij*sIb(S2UUKbmnFa5Kl$oRsIH1G3T6|2}1M=N_E&Af5_8kvJ~zVQe)*Go3UBHX-Dgd(iRT>EL`6kXS7&y zMkcWfaQq;kWuUo$ZV2R-JXncwPvJ0um)WCg-JwtzlE4J+kurLWP=vR;93*+tpCc6I z#T7QuSs2jq5D)d4wy-`W9yK0gSrZrv8-S#e!eiCs6Pgn+i3n>vu=<7L)9N5|ms$8D zcjBxpx$Y(*{-M)cm9(_kdv?s=wU8jp0@c;Zo6xV}RZXkHMEaF0GuBz^*1&oo&2nfq zRrty>wFqm#in_fkZ^Wu2ld3JI9f4oIDhj(z#msYv?lO%!i}?z<4PnlM!p?dro&se; zL8^gpNCM^TOZETCUwWy3S=PuuD~4ML-?b@|A?)B|N}G(4_H2B+#CQ%ifWwmR*w5|eS)%AWsJ<+RDt zLav`vVn}9%8LnKtTevg0={!ejWAHh$pZ?DD?C%`lDmGl#3o1|>N2Gx@b2Tf1a9Hq2 zr>7OatHK=t!=+5q)z=2?}oX<)U- zJ<81U{i0;=3={bZm3h~i=4fSCa`O}&uT?ME=>Ybnt^}{%+)9hsrmeH*4PS@lSL!bh zF1#&fsmdfw{#dOIn4cYApLJ;Au5N%VJ~E)X#>!E5hhn$R=Gnw&>SbY-3t;{H7AXSQ z1&$zwSj#Ox@h9Mdv5QZK>LIl$Lv{Yfd|*ciN&j23`zGdh@}otlA~GA2b%jkPc_Bg@ zQk3>lkq)p6p;d#oZ%OsQHt8S3fiMBe(>rn@Ig(Hq1SFbzxUVX0%#K^`@0EU7rA2y1 z)e0j$`$PX3&0#64C9(RY{4rkry=@G)YO}>a?PaT(c zIlrp^Hto7s=Y8lP2Hwmh^n~kE_H$?>FR*ZY-e6*9=sKF1+IJ%Wcw>Gr%4wb>_EL3g zD*5yt6lYOdOk)3gUlnD)XR|$(9)GQEH;(GObLSTZ4Hh&*lG}4!EMq6O_?&n_ok;O2kL-=Cy<;I8RhwVOtkHwIw1BVYv8(c^kCEg>h-+wO;E0vp)Ws# zLVy4PH|{ch(W$zMu|s`@8Rk={BX^Uk%x|k{Dq3;h#5%ic5$7eV81ucu^$;gh$yw zdVp?M?12(c3+_$J4mJbfBHQTDLhC>FIUi`D1-MwA=4}4DF)jWgihicoiL{D*gRon9 zqT17=LThq1{MaGx={bWZ&JXdsOyc|>&~ z6ZAO-Zn>6f?8b^V+MHcO z9+@YWX1!uYp63AHJuV#=a}Eh7H3hUNm##ZSdq4-QjqP}%#g@dSBs>M}$z0Bf{q ztb#N)|5b|~Z{PFSduRnCkm0|rL>LDdJmuKv6o9m{AAylV5%*r@jtZqU^~F~aiE80f zYH;mSg@U$;1x5@(Up-4)DR{!Nh|3Vm!V~u*WmZ&W2&@yzR@2|D4Vo`=>^J=h&k?({ zrvby{Di3FBiI#2m62DQ)vnt#Sxt0hlBHZIyV$^70!p0#L;FG^`)W~<1B1vLNf~#Hn zLJk=_!uMd9e-V?&2hGE3<|dnNNJH3U&jvS?+amS=uj6Yz!D0R4;m7EN zkEi!_w&zqYlhx=Jq5Y-)4aNyVBg@Ov)b! 
zg}Hk3f7-u18PSf?B683BS97n++ta-6hPf2tw=<_1?xhw3&hXc6QfJT z?6jW4; z2uq3c8d}Ptpa(Ppw%rv?XFu))V+zw)gB)70+fqN=u7XQ^ZO^7%O`p#V@J}>l?rovN zzyH;p5pGJ1W*fF6YDcvFaCKN2a$jQ&28BkjBk4rTS*})Yg}lLp1a%Q6@I-I`r>rW~ zOAYM!!V(Wa4t}+wsgUB77g)AzE*f`Cbqa_?8(Hn~2ub_r4aOSoi;=*PcWA^hcp5&w zjwww9x_p`}-ktEq9g;?57>(mSV6vJf!0+CjB3^3`{E)+?PNG2BE~9}G$qn>V#r`x< zG^54jnZ|+&tp|flx}2N)>ccM{K^N>gEl-fej9n@ zMa&5E|G4`$ADd{3|hh{EUBv=LHPJ=3`bWau^2Do4O=+Kb;7#t)71A#N0>~oSQtml>8+} z4irA4AsEGN*2Pca!jt|(sn=_LP#ev#QW}r@E6@iXaU=|T?k+w}#5^OT1L*=6C7qNV z;xB|;S8mpCGG!okS`{A^BJHFJyNmvTD?r+*>ACA-a-W-hh#?X2U+xiG6A~YCVg54m zQ=`%zhhR0a@C^9Xsm01+=6Qwo=z=NlfHvfXqB?ey3eP``T|2$oHo1)6)KiB)J8tsY zez9)x0|g9#f_iAVJ$l7j5BMIgnr;xp0nx#8k>{mS-eWeVC*y2!ag*}fbFy;Rl+#_AE`#Up8>gw`ua%TV6`oT1*%<84) z-Aqp0cTVoj+_YBN39@*h1hdpBj$05s__O(7_gkeKW(FA#J@c<(wL<`D(qtJd@Xsd^ z7I}?8J6U@p8S6CD}tx07NDWuUT4PG+b129 z=_xLApUmQIql0&VmE$A({aM;q3Zm-Of$6vD4gL!M&`L;qV44^AeeQ%^nz(BXHFzDi z{e8|OzIyxH5kF=3QehR5XbLIrjJftA-3)4CvC=Tt_d5i2y^m7{}T9F|nLNz@y;i?@9-Um*z$~`E^XD zN;zsSAw*Cm@^5bI$g+~bsa=NoQJ>~}_RXYlJN>!zGM4C#T}mS}nCYsjCh`I*k@V#X z`U_+?xMIhC2IB4FJc&F2zsS|7gea_chzBW4c=UZxD>ue1HDr8WJu8gP{EA;Jd-L#m z;aXTgfW&3;_t_<(^Vs4Q2N3x!Cq*|ZRZl7P^aR!5wy&iUnm!~TwBrLdDwaIB@?{j) zE3ECKcf}MB?Q4s;bB1kPwW}AGhCjUxjv(6A;4>dX6+OA{tRlE{Hj#Nn688G*ozZCG z+L8AG8fgR+P&?Reo#;{bg(|+qc}xiPo5qhrf3-xh=H(v=2_MUj?A)J3nZB z+2&vHisc68$^i<}cwW-cohB2&;ejLTNNPQ9}BU?>qgDFDxo6 zf=dQVc7Ja1I5JAJ&-!rgX77(qpq@x)D4A~^$yz*_j%sVpYqX%_ouONQ5!HEm`IPcd zq?h}}Xo>u{#_zZ!A@j>}SEG;Wxl=bE=Z7#tw<*>3fgq$nH<>aT_K84l3&G^tS3Qv7 zb%fE}NwwNYsz@3J&jguvJ{Xh*Mne7Tegf?U_GKCXm#bn3U8z~pHs>`P7r?*v&Z>CVoX&>MT01YoEn^E*JhwZ!)jJ*{M7x$g6?O9 z7}{-Hr1%WKCqqgvi8{eG)ib2|)DR66*3~C;sDxa>S`da$%;XGs&N^Bb~iB+jMo+{(H zWI!**75&1Ub!Il}E+=PvA!)gDlqc0svMDFOEV^vjs@Uq-B|bjc9P4m5^14%ZQ-mxl>72YKEKUI(>%L|<%!GIs^7O!))!|J1%Z&G=Sjp+BAJIuJgP3*;(eq1bima@h zFA`#bBxJvR`wuUiovA3zr9Ei-r!DGa2Cx0=sli=7V9T;vJ&>51H7P%i9JVuwxKmq>~yi-oqJ--I@!O|v>rBeIl6K^n_fP%I=hZwu|W 
z3A8XY9Zob^J`l-8gs$Jl0>Y4n3$jUps%?)@9j(#*j{EH*Y=0Jh1(k>lP6AtT9%0OH1$OD&H9=Jw10lC0c$x%-wb0h})i~XbhF1h772? zajcb#SJg#ROup+H-uqh{pJ54IrR@)HKi^JP`yHCnE?QQ0GiBN5W z_FP-80+!P^8g-4dvS`evV~dmPJ=Z>Z4;VP60P^Mo2PIF3m)EmKN3V|Qi7a;T0{%b- zpFfINx~a8fRQ)4qOLY{9ZZ}qU)t!fW*X(}t6S(;C@Jg%j&cuk#n$OxG?!(enll*aM zQ1%eW%wRQ!5UhBq`|vjnn5Npp1L#}sA0*9ax~r;Ulw&(gOU0A6_^wv!sKLy<3o%^~ z50c>nv@I$12lUU<+_Z2|C_beKj9Hiyxnv4up*cs$e!&2i*cpBrc-zk?HWp>r)CVAd_43#5LU!Ea)ygAcW(dhqt zP7A_%@!Co5NVyA=IxP9T&S6@-EaPpC+r`yAF$H#6-qN&j63 z%6UWO;KH(dh9y1%;QW~`n;TPv1x1Xle{lxA^G`YO_Wf`vBRyfHNv_AfJYp>Y1VS>4v z3Pb&{Ajfsa&6UWH_2cj}R=JR%#rt!b{Ewr%e_TDTQ-o^n|Phufi1nRT4b1hW;fEaa**6bW}zn_+gyG9rQ0+uyJG877+)ymBj+J zsM1ci@lYZ8>>}6ofmx(oyqD!#jU*-dZrmSc@U+AeK6JIy1&}Y(-i7pnlc~2eF*A1yni*8pegwO=!c`tq&%w^@Tw|paQ zKwHfkxP4BZ4+)OR(;}rBuAJo!%HTEB+Krd!7qe5Idu9oBwUMnr{hanbP>=rf2Q<_8 zQ09xpMPU$=*k#Tj-6KbRoIsiVwf5Il0U|RUi4F7xnVk5o0OD?h(GaNrxCbi7d4P7* z0Q4x7`Tufmfw2Lo-i#<(H-GDMPim-9>+c5t=K#Qro0t4b%c7wg5&hw#mY~GlxHL(( zf+tm|(e2)pc4f^}@lKIKHBY2)-WJDbg)jH8d*ElSo*A0L;%LFjk|4rKf`654WEEu2 z`*WCV$TZE<-lj^~e}tW!VHVr-!Jpn2$KlR%D|_9CKm{=MPyV1gesBj8T6l;)WtZjL zeTQX15>UfG;XPY-$9TS?wEF~QqN1kUn5q{bl)t^aXVr13XE{mD zL&SU7fi4Is^RJXvv{W!qK*kP(&wF3qXiKJp)I8w|;q$_btv4RlQ2JrRBuv?zYpNWo zT6PriXH^)?Nkk=pC+=!R3iXeO$`zy)zoxqECE3^h%c&5~&2ofj5AoCaJCtDl2nm#> zskphycktXQ&zv{d-lXDeC03mM?5yv*(W~qrVhoR6s^Mp@)SZ;g-NcjO5Hp2upiF7M zZsf;3oUqx=YbQJc0GZr5+Wn#1jD2EE%hdBZG!%(1j)LbyXk3Kjo4_j|D}PIgP!MoU z{{QBw!1!#fygX4iryy>s?XV-q?xWXX7%%=I(PIjtOaV!6%NJ%@O*;Q#r}LEMb2u98 z(<4x5_i1q{XY;}`JUazRwDd0+#*Yju>re$%|I`_!K4 z^TJj*Km*dZa$I{V41~@8e_;ba$KRMJU*^1+ldtGJ6&S)3s^fEANxrz-zxe(0K#SF$ zY}?6++h{1sj0YJL1z*rL8?{Siy`^N8`~4-Jnn7na+|FAi|Ne--F?{XfO4+*t6N04Pck~A#)#nQy zY&kwvV#pn8{bx5h6A&CVb`MR{f0}~WBzF!{J_W8!Y$DC0WnE?>v#x^q-74;ca8#Imzk22DMo_Z1U z8-M`MVob;{d(V#&+=+V=%+uuQ9tWrj#1le-L%NdM&=?Tcg+EuPt4u427Pm5|Xx{sS zft-*u^7H+@YCR>BCVoVWu$M>*t*y3&YhWH+u`w)V5SAYFh*W07|>7 zUi5}PzlDuRF*kG|6GdV$T|>86DYsMC02G~uI$uHeAKLhAyxLg_B{ZQkp^#WWx)39$ 
z!k&9ey|<^IF~L8sa%^OvaXn$9L1|@`6@ZPVZpuahA5zOl>vx)~%XB$Bp1K?@p*~I*Z=o`yHO(^H zt^c+IVR8G9;D=e&m>;)czj6NV#(!_QFra6)uB!>yr-R1s`wJ_^nQ}ZSC0yD&u9LMthMiaS z_g2^bsC_y$=lNl1v{obVnBLNf@N$WSufp^NW;ufbqW)2AlxdMot(s2&SNzTWN_e;3 zKt0;D5m6y87%qq#3BGaJfBHFwi^K%JiRi{V?88PAfJJK(+kP~j{INP$FvDBWf0MG| zFUP17jh0E;nZp~!-MO3=QX2uw^lnjP@o^QZgz^p1st#1kS!nLjq{>WF)H8R^g zFEAFY2J|t>(~a%bZdjO5R7tRWTQ6rp(f<9jU)sl4`W}j)%*s4D` zSm7^M7?#Ucec0Gf1$I2|nc_Z`=tpnQ;HRj(s62F&*~cd&qyY3k)o!I{gs5%C2p?#n z!zn3JlHtgr?T^nT)Ayf6XU;uQJ*mbAeI@H_2J!r|^QggLyv*pi7iGA=8=?!zr`y#f zqx(x4%hu2|<1+dFzdf#osUbBclRXPv0Ic0(RdB0i$1k($?|QUecH2z2X_P_pDF{Vu>0*H37;asJszZTKoc#Pi4dVq+`;RXGygjw|9D!c}y?Yw~`wD^g z)|VHMvi!$&n1y3B|8<-NBU1=XK8a7P_x&B8Wis=OW(o>Qq{cXc;u(^R>qfqvxHVj7 zuVpZbg)inir#|$2@4Ea-^^;nm-bC*Da&2n_*p`gR7SY}pm*J=UM_yw5KOqvJfY2{` zYU2akQy?Q%UU#8n?;MIV_efdizD0C32$Fg2R_yK8EtP0lwJhxYLQz!X$cho#y8E{X zR_<5v%J~`pZ)mX@o3i#meG1bB;4WpJ76(=mo@BI8NvaDBdltQg2IXx@(NYSU##<79 zA46Al68udG2n8(;jkC+D$`2XW{0i@cox7hY&vLk~b0{_MPPov!ZsX&@c!( zEt_JSqwPE}c6ozXe@bZo(!CjB(1x#3?ICq%yXp97P?8uulGj$_$Uot<1yJ{#Y|OL1 zGur(Y02mw`=AC!}o$R6T{u!!o(fmJuv1qW-bDR&XS*^44v59poollh6;V=Y@jm6t0JiTSY~JWY z*q-0HkT{aaS*}3o6^CcBPC84p276oQbHnePc zfWs_PC_{+74d&$PN!w0@tDq67A&$kq1k~+7mU#9*5C|3Jg0TH-R)AcgqTIMSa20%N zdz2t4qs;epRRfgOW22caEYe{6Ld|XepW2yWI{M7}Aw1r3j$F*qQppN+(bOt?Nv4(Y zO>croEF3F{V}754bQgWXK?=&k5IJ(|{1>Tu^FsxCZ~ws%0Cqfea!8|VbaQul=xwK0 zVcU$1sr#9aV4Ym2CR+aN{KTdV zUoNyNm1g$sy(^(KC29l^;~$F+_lh?aAq#yc=iiIa<5#V?K z{+)|kFb}oS=V`Kf42PZrzl3%9AErYXJ3q7TWsG(XCZei*=G3Z_ZE9)?^AG{%yA9>o zWh$n|bg2OQKP)-`p}cFrp!n0)QnEGS0WXf>kt{rUy1(!+n-MQ?@{-WI^wQB+c!6G@YDGMW z|FHLszFgTkQ#8$7{Jo?X(7UE((LRAEJGu+GC-Svb;=~fC(Tb&P4+$#|$y=f{M#zuZ zvFu|9RN1EGBCc2dJ=qF?j>+j9;EI(MG&zqEP_Uf%bjtIUh#QXu>+qNhs6x1^;ut;+ zY(aR!Y!LE3*hjS&@;;;a!x*T;oq$?qC4k3QwHce?Dx{JC2-K|9g@1uMs3Dt#Q&c8> zT%`J(j2FWkPR_g8ybWcVC&#KMTN)qSAOgIjrAM0Sv-jv(MrB7!6_ST^z773c&O5S7GQaN$1|ns)!&NA4xK_;M)v17tE2V4w!r z77{f$nK%DVX}A6oOcEOZmB;4LK<~0<><0RrJ2q2fEwU8NCKM+YUbS=qmS_2O;r2BK 
zd*>(_E^~T6K5qwN;_^?3bZZz2$jU^9MTUoUBqRXc{ixT>T+M3d(1oU7kET1mN6Lq@ zt)>rANx$B2c^(Z-z^Hz58^&A9zL$Zq~lneID?zkex+R z@XX=QCvFNVUUXiI8+Ld>7W3d>tMVzqUZJdKaE2B<&fD3mWZcz6vcaW!X7KvpXS}?q zt>032CZ7!Bqa=8P>W9OQ_U**9=72>aUv=-r-PRC+4Nrf6KK-X5joT}d-h|^zGA*=WZt`UKcdDM9`sboAYa|%dMey~c_xR@U zSS2Y=V)qA$lsI`n9_`ssHP*~Aat|QONcM*$tb}UbMXUmKU4Y~Fc?1XYhN?v6A(_;2 zpF4(^dJC;czyOmX&?a!G6^XzklW$;%2R#0$DT+5f%%!4+FyG@ucEM8LOhWO{Aw{Nz z820yfAgP>;Rzg5(j{md7O${uyxd!mOk-inb;jofrYMo(?WfEff{tMSf5Q6FAv|3d@>%DG&?o1w%6^s0J?bxURD+D zAmv-MWg2xTxXis%^9cRJ>;{HS8j$* zgBp4P;)5w?z7x>C)z_HT5AC-(G#*Xi<$Q<^gSi`yd~Nt?!+zHqzYb7FUH}+_hhZn} z@w>ERxz|U3ds48iI?v%8;9I%g7E>|xIo26?>9pQ`i%SuqlWaREbMBRUX7xTBHPJK< zC&bGqW#$J*CEX?(+e>ebA@}gOHzqn4Z$0Z9{DJ4QR~vz{KQ^oiuwUP>u}7&wR~*~W zBvei$W0e5_H~6w?TMg9TcJk?+M&Xu={N1S{LlKU#tQj%?J5$k zHfZ>z=hYJvyzvB60!q*KVZ`VhoZw6P4U$7e2^`>&pt2x97+w92J`#BC3DDV1rc@i~ zqbsaXO9FgM(8tzb`tAytRB)Jw5hy_`e)E)Z150<#0R`oz(68bJZ89}=&g+#dRe;Z% z00drO?I8jKUcib{Tqm`+tSHUU&nZAvs0%1wO~G$sq9a&=0u~F|EZRcHT@iq->4(Q= zc@4?-f&Y^IZX6#>6?3632V`RF6lGf;T@K*)u@q6c0LYBgAjf;9R8+Bhsl74X2=k{h z1RrXr>MGIz97Ip!7_h~Dwe!0cFu{SK>c48C=|Hu=^E)zi=5Atxs`r8lIVkFn}`RD+e&0N({{fYOy~{I)wif{yIy zWxf_nH&vZDaSxk+m~mn^TWw`?NRfC{y%-- z^FIB7I}lfc)7zB~5w{7y=?uDFf$PTHO%UqqmiLj)VK24kd5JsR^Go8hr?s zOz+5@=b$1>s5xBU&w8Ir`SMYB%hSDV8>L)++&bBJITf;k)BpnK+bxQ^VFRY$4ZXU3 zZaq2aae1?slh7n;5NZK#Br|2IA9nWMj2SSozyojc90A&_n%9m=MTL;tFlN3E#Al>J zX>$CHM@Xnwj6H^mI;EEy7`D6y1j5QBfZ|(Kl}@^c>lrW}-ERSifbN^gi~maOKrnMz zqu_B=N{_^l04URr_9MQIIZFDF&i)jm3LksSo|Taep}FxWi~nPDPYneO&IC7^%7`OM zlSdy>$DvC#X)rw96J~qZ*=$JMjRzYq6{zI}rES-QSVxlCs!Zr`ngi)0AaTzNNESgZ zdvo5Bv{-9i^u~tpu%<#!5&$>re8|YvioMR6Hn$QLMPG)-fCm5&7lgH1PL|vCN_#zG zd7TDk6*d=VS!io(JI~>I{L!#}A22radj0oo9D$}Zs(-Iiz6BVv2m@;$4#sq~!fk4o zzow^~>3b1QZlrt9#&%9_xZSTe@h|%Pxmj80UvLiP08V|I{=i0|o7GQlja5D`ot!p~ zD`Vp0NB?wm99%el0tgBj)XmSEE(8%n(=o$^dpfIjP60E{^dIT{k0s0_!9_h_3Qt}o z>*=Ejf2`5{)59TOWNR`YOTqukj#}0<&Ss|biM8Xky?uPR&sm+_%%XLwT0KXJ*8cDa 
zrW&^>^?v><<>I-Y-%pv@t(QO)yIxjN{T%Y#2GkgL(776y0zVH8a{N970)}U}Ku$Lvib}u?S6jMwOjDX?DH53`zbtS*bXOLoItq&X z$l%G2;DjFR47hNDl>B};-*^2bQpEvRRYFMzgGeIy4!& zff1cyWzfo_8w^FEQz(?nYNobhU6tM*Y)2gpZk_~m@+@cTp1|>GYErEo>Drk zdWcwlvmMoph7M6DQqNH^hbe(dX&X8Gfe?$zJk zi0WWLU2NRD4zxgBS9Ji}^)C3T3?_<8OR40AOsXShyuH2WzQ442@}$qeB9O3_<^+!; zahG0TTJE1?cctHIio^GKxBC4%ySP1I$I9hjG1cd;%cB3xA^@Z0a-n#|j*gD~V>Jzp zhSeF#=hI`^;j)=ufQ6>ON>$Y5wxp@meR!k#cdy#oTFJ4T$w|W(dw$ZN)%70e^8=%z zJ)887{|L4|w#`Grzr1eeuK6inRGm^@EzBcURY_%xn zUD+Xc@Ot@PN!zqcfTP1sx_2Py>Du8Fm_s!gpYjWjVKcL_Yn$Hf3B_AlHjR<_O5@i? zy3<;B_k4V4Rh|dX+ORqy(oftb{qC7%zH6awITZ(0yS=!%?B%UCa080b_LCxVbV8Bo zIKXvij1>`~DQy!<9a4i41==OAev4L)+OHyRDIuH$uU9PjC7%GJI*I3qnJK#$AzvZZ zNpKjVRsTh{C)GZ-82crKCf0|?P^veywCT4aV>o8g;>8nhC|g#jD7xNvn_12rjVO+# zH51>DF|`yS;->2ea8v{w!KW zv={+ng116Mvx8KL!&hO!sx5#n1z1-SMd0(#6Y)CNe+N(1XCahPfbv!{p0(re?`2A# z2in7FUl$zxJ{&Zu2i`vO$vG^7=w^Q-H}hv1NM`Si5{H$Q)kOU0;nZ5@zKTNeGhLy= z0sE1Wkpj7cz7(+{5bp4dAI;m zwMI3!Z@c_NL|u%2UU6OFKl&^w=j(hz$0y9Sl1u;WvIcv7cJr?FZ@Q1M#sH^8aDS@q z?9XlQk>i#p)?E#NqE*P|4}1kx{jJdQ#4p)t z^yfgTrEygE7KuFpCMCu`}zBo}x(Mf;x&-*CP3Bv&7WgE7v*j0!~3;v!J$QgFjYI5S5 z!20@Z$ZguV01TCm76Yim@f;yye4{O(3xm}Bf4seASXA-1$1B~9Gz=-Jl+rN3pn%dL z-Q6V}g9yx!QWAn7-Q6PHA)$0PNOv>bjpu*PbMCwQ=AQjZcpPRwGwZkZitqZYtHK}x z#k@2IMo3Ey^Np7ZBIYxOEFlpiGTzs$5a4~J5rkZueJW+jRf*sP;P!IEfxwB8*bfdg zTZoA$XXW7q&`|Ie!MR|WR46lOm7Wop{~NeL<2lXum8U?Zt_RkJ73+`UIc_O93eDEs;O^?U{q{EZt^;AUn<^&LfODdK!zk}U2kV3dZ2L)NB8 zARg?ZA7UlwfAc|t7}$|Hg}QYP*swB~`>voB6-A^JWxYpB2Sf6+gwBr-^9{%4%@?yb z=etozN=tsHcuKvD*0v+*;-mJJ%HJym?56{9;P12$Uq4ftdH+KC;mk8`wlRX~{mvRJ zsuvYpON7r3XlRR-NzupIgv?E-)htuQhE$PQqsq>~>1Jp2+3@zwcnZnZ#AOb)Ii{anOy=`G5Y=y&IhDVBuqX$J zi25=hz9V8Wm8psPwh`*NfX|1z0jToY35lb2sB$7;6^Sd5;mje}n}~G=HGF`NM@A5~ z?>tO{%m~CcG*YB1c+X^TI$(^w?yypQ=Kj!S?kOg3#is;_`HLicWnrjX$ak8ZCO6C04+05mm{~JFpFtb#JyKHF zzT^Ufb--#*yQx{#Bjp8vh3&Xd)vZKG5i#>{cjxC3e0q5~6^xV7cm`{>jQ$nbY*6p9u;965VUJ6XM=tAx>YGk; z$6ROf)e7@nky(B>3$R%y|E|!W#V-YSV`u#Owi8;9=~q;8ak%vPw8|RvSMmFMzbEdJ 
z`q1Zv@^8q2|E-6>Q_;mH`6;rQq6CNm!5^ZCWZA^e$DxrKqK@-I5|fxIPqMxW!~VAcnc`R|RRxUX=Y_T#1PMWuADcCy+XJUZHwcMx|N z3w|!)*v8(o{DTat(Z`ayzG~geO^n&u$6+)({aZ@)yvm}`2BDMnV2%Wgi%%xJua0kM zBEwkQmfFT%rgy3nU!B#0X60rUv%0AV=wkoBA~s&szUlY0j|H96%vdoB{K$eZ~;wHV2CNJ zX_SM381orKLJdqhVuy#%q971VaLpJEAD5OETYu37p<|{y*^dWi0mbCRx`-Jes6@bX z)p|AaFQ1>>I>GrbQaJn!Xy=U!{sC1&?)fd_rt}lxv;%=&KwCKljQTWIi)?b|y@thx z&q+TkulG{6tg=1iW^H{vc*a{kF)*jk0+Fb~TaLW&PfI`iBn6jun=t=fxYj>y0L54TL z%AI2}ztxyb2)+5oz&!We$@yqiv~GPEuz2|^usCA`c&{Yr-4^)4dt=}!4NCWK15c!n z(^7Y5z#hCT@R2vlsc|#Wz~ErS@@PCNY_uPs!?z^)a$7P3U|K{u8_wUS*?*gVe{U3d7;U;7$ee{5 zUPq9r_^&*Xmi2HyXxyS(6P&1X(A!juK_q{Y+=0r-1kbzzorM4WinG(_e+zs9jm3nl zl*+baS+CtuCAhe!)!ci@5%1AKYCwnj6{oYNV&xZp36Sj(1AA#-OqY<Cr-;oGPi?yXg`=psQ%bu$X{STPTBh9 zRyT2P*0ev>gMn=CH1z13fqvyI=rtlH`+%?aop$`D{7AD#b(!+XQEX^6kGw%9_CoWS z8xTI8{Zq;o4Q1MOFi>m$$Ce#Ut%QFAeYw%ZOxk*B>ELq}`LLYsd6i8FsZ5On>Q#&* zF9udDoW3Jnby#W$791dVne+$X41}hIG^WK6MiH^gB!Gi!mmz&LCzeUVTK%w|v9E%R zAzpyZuS+9bzXrhXHcb6|f^fT)cG%fthd>>4io(Gl9kG|1*^ep9Cvlmu94|Sp{thFh zKfsNs44f^hNu%<;{KXGwkt@6Pmumjr!=L^#KPD^{hO!y7WuED9(eZJ07)75!9<6o) z8c!n;8ACnPXC|F-N&g1(&(-z5*! 
zP8ISUX@oim9;i(Ry~9du{7zU2EJg-FKDahJ%hAIIzCfzDuCPDwyi4Q~4!CP*!3fH4 z`YQ06{4P)Nk0;-hl=#K8*$tNT-;S)W+uPQ64K{0UB=RaMRG>^6e38*ADCoGOD}>~- zi0^9Z>cv8@XcO;%eS0@b*69J{Xt%Exd2Ew^tErQxW{~@^Ol#7D!L4>4fzHuv+FO4` z83d|GmhfP7rMD{>66oo^er+xOw;!GpE~g;g{7`Y<5fZTLX$flBj3DQ(YuMy^zS{Cp z;8oK@z)NIH%e{%mg;?0_IYqN7^pJt~N}BEpr0CND;9qonuXG}k!602-OE1lv_-%g7 zP={(P`08(0g36)`C&;a@)&t=igzF`B7sT}0*dqJi>m=LBb9q{c0Y8cHkLM7gsBa$7 zDuo5`tAcx7q0P0!>+J%z$0>0{N!b2Yh|EqWeUC@KhMdD1#aPxppfIev2cp=$!3qpI zVtm&;1jehMAl-taCYnp9>8yhc(eIC=_P(x{(+L{m=*1JOB9A2lq;s|WUxWmBe`|E; zvr0Qm9jnVgS?(Bs|2u(cgU8*QBxTgVGR_4!VSt#9@&xGLO7V<;u>cBd!Cr87RrpyF zNkX6A4(vM{w$;q2_8S>-#-C_p07=2*MgA6nVuCY#(wtM)nJqC0KA+`&Pbl-6=W8mL z7!ZS22KV)%fO~HFC|$ScfdM^r-_#8PA{Jzl6UkY^2$))4oIRV)6u~u?n=p{-s)12o z15k#KxJX3a*!L<%0AdH)7$7Y$t_;lbHO_Mp6IeV-k>8goOI!z+EK-eQu&j!!s;c5T zak0JA)}}Z#s7+QTP3} zA*tTMAU?&V9aSl%YfdAa?2_rKRWBA*o_w)11tE}za4qbV|g&Wi7v=; zYM!4Tg*H14#kXaBKo4`^rZl+n7H*=NkgFt--IWZDEtCQjWuYE9ah-mH1=@@Gr)ZaD9|LI~?6r7yz z+(;=@z+LR<))H`LB^MLrPpC~E0PD-#CqGyO%{7xV%VerO-TBT$cJ!sdHmOP`%*Vlnj02@rs_2%b-uiF*t!x9@;qe z!W5u*vAE)!%*4pZEM$U!q^WOo`e0>|iZKgs3VvLsx~3yNE*@9c4%6>{k56q1Fj~ar z1iIjGL0mYSW0h!yO38N_EE*|PEF$?38PwQv->mX+VqTgodd616{)*Jpw|Q>BKsg~` zbx4>}?|>Kf#ejGjYmR^g|*80p!rgH8mz|iWa#f4WreJQ!b^T!xbe~25BFWK z9V08Ho}eC!*%}+qup>Ir*ry-F{os7CF4>&{Iws_mJYo_OPG3=x$j(vmw&w+3ov*%2 zec}SPjGlGo>(@IP)Zmba-N6HCemBJ&>f94Cy~)YR(e?|Tl5||hs*avH)_hyIIzG)y za6cu!q*9^3OOO3N;JIF%DYH7ln`W7jo-K{MtWl_3rD{VvsExC2bvF<|dsqFqj@Wbq6e1(5bd8 z-AncO<#K+7Xzx9t%i&$Aj#=sQQ`K}R#sJ_-DF8-DQ{1-ztXVX|bVQQPl1q+DceWKp zg17lOR+nolN;x0!lAgC{vkHt&mB**ExVp=~$!5wqEV;AREZ77r?BaI|D`mIV^$Vb4&i0w2NM?pHNbZq=?Ue5RvlmD~}0sz!}|E zl$NObj(&GO3ejU4a`lPM?sEE-FV33i@=s_cR%&z*a{&BGjrG2SYh-x`&=t!K_*7x;Qq3-(zJzFUmzx#Ci5&;dzxO7 z#>VuX3z#rx!_VS31;;gB7Gm5{N;7~9HA<9zcU8#~!2pfcZ~rn%c=>wX(lAmA{&+?!mBm%H?ES&p>IJ%bK8(9kEtJuz)k=g0zfT2FWk0NbtLLASF?&qchHiv}CNZ_V# ziR|*>H%c$#DJZQ(??;psKJV^RVyy{9E82#aiEM|uw!OAldsc8*A6i!)`hJdb5hy}t z&vEw+ahMSRb7Wpw+ti*vOsCw9msCtbvzH{)+BhsA 
zdrYz&lNhr!Z+~el9nwzzle5uN+cxH;0|iNYI{ezD$c^skRLL;Izd5RmhB>YC0)YA8 z>eo2PZS8BLkmAJy1*(v08X&31r&__~BgNHgTrqfsr8-4e0&LLDdSuo8U-Qk>5HY~$ z9>R56>G%r*n5s6GW|x*u`2PSlJIhuB4ybASO4QcgKG){a{&eS%T@VXPb(`qMiqLU%1Q({7W66xgfuzWhqf2$QiJyTTK+^wnp^>WKv?e- z=BM)+p5B~O8*gPC-d213TDt26BR65Uz$}M|9m)fY7iB6JRp-imXvcRf%z8=M{?4)}1cCD4h!kc<)%D&S@h#9%#88 z^!2M`Y;umBFArncwj5xLfP?i6{jFf?W&@p4F~R?eh!#YVIWz|{E0FZJB!v>?R} zZNOaNBG!IVnpm}4yWI-j*WHu1yd9#Hy(5IZ?`^W1aqu&MA@6t58A_>Q!h1l3kC&Hc z+Gr#zL!@{(a`w&e!(QY~z~Rq-GI2Bvcc3Xy^sFrtKegf~kc^x2PT9owzyxsa3E{DF zbV2s;Nxj?vIqe}pFC#PT+S#WPeFF2MWaxr)*a83gPD90T22sHu`+6Poj^_+whRPB& zNRt)XXQ~7cKz{@Svuq)KquO2rSV_Xf1n%Sr*92+iQ+ zd5QB-11x_rZ1K|p)4ebeOZ}XaB|uQy-t#;6-MN+&`3_uzvCr;`=X)#qpUaH);hIkmHDVh5WGXQ|tJ$_3jMVB9qv<`NYQ3pC1MRT0odh9m9=on{Aea zPA;~K^IolmMVjYrbMB8%8cm?TLzNY#{H30fSHi<*aVVwBe)4+<7Md_p=4`zyK&lw( zQ7|PDcE@~;?^|m_;*m3m(!bTy_SQDCwy+~R<}t6sD@a16=|F}w zCbhxfxDIqcuC3Q^6wS3M2S$|vhS$UCO`(krF?e_r0DXZ`Lk3uRkrN2{>LnM$K+pIL zGR%E6hJCe?^Arf4z~k zVH7g^iG^EA)Pv%(-f0T|b}sCd;je*#-$p?L!5@(#J{~wt4hfAx59WoZV=FPfRf>s= zyBzsnE_nXJcjHmEaF#R9#-C?3ws>ByC4i*fz&ee0tom|3hzQJWE3Pe=_fzVWIqnTsGZ)KI4H;FJ`J1U4gJ1$ zx_QB5Nl;L9QCxhV^)u^ADp~#mP_Zdw>F~I>l=|(1PenV#>@jeb8r#ZwdGR>gXVO#R zJx1FUPVm&0!IyOmG(;!x=MQ^K6zSH?XG`LVOTE)M0J!$FfrFmM`3qHNu_cf~{p_3_ znWKt~5#X&zjmo$Q8k4ALQP+Uv!=Vz1e5PlM+%5gegFns@xHWO zH=yGcnPGi=i?$H4v+QTwX$i!vGyj!ZjYx5905nS#?ho@_e%rbD)J6vt8ygp?h6$Ul zzm1|zVKLxw)oqy9^D96TC*ojnOvpBN^kOc@wSfOMVH9DVtF{a_(eeKwcaKp8l`nW- zq6>ECvrFbSN{|b%_g5hS$oSW>uE01$O*(_*8191UaD1>#MKXywTYTguPz_rMFDg;T z#K^J%%JhTPWEvhG0=GkWAc^?~=;lz$kL$E}b+-sl@smC#pRCWXy%fB>ggiX{{zgkf zd0{&ppOmzr|Pq_r=OBtt7SCIHMiy3x!?CPd`bb=Qdxf&YQJ8hL_z4Rli<zIE5W%KV)Ok)kXc4`TO_p&xbEshGU-692$tPqP5n;Q#Aga`EE?h zRy|D6s}+pfN08)1(Rb9pV1I+Pu%IPr}{qs*tU+{<&yo&HtKA=lAd$e+r zxn66^rF?Mc`>28K6WaI%n$H&$zS*fSBkac+P1?Rk>QuW)+?yUMw|3~%7+)e*Aut?# zkYJsW-&9;KD1wcMd+x93aTSDM6YlXgq9 z89)p|JzKwNO-5UqlQk6zc@7+Jpvs`u6vbV;bVeKp!^Dpb*tP(quz+Fxy2*SF5#gsq zW}M|qh}xv5HhqgK1U%E{6mEd_LENS*z;9wnu80BfpjN{ErR*@EJv%cH_Ud*p1P6&ySh>73L9H|uqc1BjrtUWGbcDyXxbCX} 
z#P$HT`$`9zKs3Zy!J_xW-ZT-$-QRTI;dF7kVK41m^(|oEdWBa+Mn=Y)=p9s4)P#IR z4=SuD3BL;^0R>sqqV<=F{EUDeMXgxjgtP?n69WhWUids<=y1UHmh-jH zXsGxtBWasw@EhMY2<@?3E#-tM_>)>bepmZo-} zAo4P=D0h>{`OXvsDr2>t3o^$yo~?IsVqIFK_%YrK-fFB55f!!bkYMxMm`ubt--0RuUbFKrLWZp|MJJDQj9#}eK{`LJtNv9=%Qe~ zlQ24sMeTx@+AWZEFGT-S91 zF$PgAND{q6sNF_!WAf$b3^@=1RS3hsGX0S9m>9Vu2Fx&k1|6gHU8)A1hKi99F86%A zf1A$=8$<<&H!%&}vgPDZ`G8R6|9|izksqeHH8!9+P(UMGJ!05|G^;bS>_8k{1JZxy zm?+vZ{IVX7BxpA(18)$t`zSp+brm2TB2CW5&%5Fj-MqhC+S0kby7Kbh>W&~sBIc06 zEU2j9$&%Dx)4>nBo=8fOqkQWDmb$iw zfCAwqpuy~kqCRF_^q*RYQDET5f-#}Vg6)sgnVY;XW~`ns1{^kDnu2Neuhf^LEUmP( z4#9*(d&>$@xODbfWkdxgKsAo3U2)+@k9|5e4!cy_yBocR7#uWz;+9wUJQTGnKLaBu z+!y>W4Q9P3c+-;#QC4rhw_I;h-{(#gYt`G#C0^KOxVLuR!&R!3XjZcGD7NqCKe4>Qfo>)7+7J>h30wJBXavkI#Vm%Re6UGI#=GB2JL ziztx4Uyx9=m=*l&vhVI}R{>;ZeHW!X9%wPneW9D!Xw=v>r7H#t8MWE>B_ZV@cNa7g~7;`Jp|Dn;}pZ5*>QN} z=leB}1~B1nbaf27rUnOF^E+VP6RI*AXW~nX$q;9iRwPsRz=635VgQVSN)$z}Crkp$ z!erc{|36|x0z?0Bw%Bt(Df-)JSY0sb(-@6OCgpEad_T6RQ<&x1r&9e*Toh1H_q>8@ z;-E@>7RN5>P|I88Z$&p0#uPN~>FS@{B_t-kzas04JmR2Gvv63AqNJpxCxhYBa)6{X z+>zucEEIY~Sc<9yr4vxVFPWKLdXE~(zOBc1{J8t8UBO8cI*da4g`6i-D!J~96Dp|Q zX-R@dpiZZ0xFckhplH=V&b7l^>Pz>r(iQz#-CcKYz!CL!@xZ0d!<$iYihE6$`sG!< zJuXhp&WVCO>ap7%^59$a!kBK8)2$H<>YzN^2gLnO>%i>&mMiUJ(k=1~+YXh6gVRb{ z?Y+d;X}*!rZ}M+9^oH(t@mzXm$3NLF<;{-hUU7^t4;*EpOV4DB;{uLx!))`0D|3jV z{LuUwQ+Sb0QwkrwUIfET^2ckyH*bT1;;g5~ZLM=;Z9A_KU^n^qt7}%_`0G{*-_X02 z3n;vt9Q|5`k3k?Lch#GQezcj!?%sD3=jGq_^?U>IR2bYeH6O*$kNmp1a`HK+t`lNz zT0jjjirb7^E-a9=3#9L%9`gzSTW6gM=8hp1`XqdreJZ6J0!&5bVrH5AXw}zJM~zJf zzbvAzPtC8fCkPyJj9x;@O6>x z*8j#kqHKezULoOADo87|Fm9lPE2?8{dUtO<2eCgtG|8H+Z@%D-*Y;Wla^S^{zL8Kn z{!sipyaiFrKS3umZmhf$+w}Q3gBF>C7!w;B*`FNQ0DS|^pJvuAt3%;O!UMw7?{<>P z>?zHUN3h7q>?ES!4OZpm)`}D9wu@J4MM^}UU(~y`OZ^ar-o3C-vG$waYDUnM8C+Zj zeeSfhgHlrUrMO5kl=P9^y_0*<+NpjJ;$i;clCMtGkra3iV8X3&x**eZzimi58BAW* zYqkL*2Ia+DcE1Yif>czkN52?R9zqXdnC z#33%IfM^5DN;peK8cf=L4O!H^0;sS(QsD7VH8RNfV*;lPNa20&@!{54)P$;BtOR4| zv6&6>z(KVG!oE7!V7Rt4!2TYa5^qoHQ$gOBLBz-geNG@`QO71qfbb-o(pw3)E_Rp> 
zllZCuT*s*ZX|b+r$e)iPV(M0eWQ;O0DG>iZl~I*l_!dyH4gl2#p}`4UA#*^$+I^aNqamH*qALYW9^dB80!P~-$R=9w>Y*nztG$;2 zm;UzU5|tOffR!a~@jQJp{%N??uuxPSFTz(pjl|>*zHh{fwg<8mxJ1a^lDXi~ni=@+ zAx`ExO6EIRhYNR&d}sgPK*f@cebC$C>4#44lZ#-p!8t+w`~Pd0-6;` zNE#jj7P49kwP(^on(WEpKt|UU4vd8m83bVwxdU{;Y&IyHHWx#7jYXt9m{cV39I}uC zD6P{3yNO;${%vQMiGA|AMtuadLl<%`^N25$x*2TOiN4!-CU*?r)=EGC4iLb$F@wI! zn6nMT>^Feq(2;@({+$w;H|~Z3Tu4Kl0O)N9bo0)~&VeEb*4uHdlT4dFM#l2SNSk{( zftTL^5fL%)j{kl9j^!})(8xXCHM$ct_~9 z6(p@k;=hW2wf*}BIDXd`IC1=!rMJR%2Y0~;Lz7Zabn75dp)~!Q3XYCQ6F?u*&ZvhO zAj3EyeE?|N?e90`7_jZe(D}ns{#b#uFG(zk(FoP1S_SHWsPdi6-E^WW8&4bhBOp^_ zKeg7VV(UrA;st8S;^{`cFvu_MzGoHpK{$nf%e)m~2@IbcAntbWKiU!4&l|>6YZ*W% z0w(tL?mye+(i9cx#<@P~dIgNQv4qZ~F~Z=6aWC9b4SBX8+`zhuq{q@y<}e|#Lr5a# zH3YIEG-Wf#X;6p9LdDz#)K0Mg49YMlZWV|ZsqvwWFDjCOrK|cfe(+x#K(`i$PVt3X zCY+uMSS-Wl4cC;B7LXxkEHPmN#>UnF^a%`*Cd;hrFg!+j9Cii) zxH>KV70mI~G?GLeup4AjpbAz1zsa>3cBPTXNdUTug+BMiEzHmRe>fZ9Z0zZgs1@N6r> ziN`(p{zgyKYGffSrAu&e_8cMGXyjLYc>C&B&}n3(UvtW+w!Ho^2M~EiWua~s5cr$} zm^~<*)!GM!(BD0(hEWn+3wG3isR!V;{)?4X#8H|Egz#U^S+P+Zb_*{!EC~j4@u+F# z26TR>QqNFlFn@6}AGuNg0)`g-`$LCk7j|pOtpl4qe(uns3(Z@g=`__+3ryXh!HSAt zWK)^|c>W*O^&c209A`wW_C4?`_uYr;OIkR%QX!%3J-=A=Jq%%dFUiFwADnP_TY7)sHvH4glA`^VSGaF+ zL`DcI+FB(vBas;tQM5CYrt)|7jxkYbU=8 z4>IC)Yx$$`dHs&`@#m^e0&@XTkG5k;oL?@N|?f6G@~Q5*1aQ^UJ(vMP7BVQ z|MeH2?v7Z*euAQ0N}YO(o*tDu+pgSfi;@1DWfJAztFu<#*}6;jU9(>W zabH=$xP>QGKfae^fHD8i<=4A=wpDe9$HlP1bcRsLMpaQ+*W^ChVSZjQII|_@1{UZo zKA?Ym`BQ8owPN+(O=%gx4?#u(S8-;vPX|mcomjwz2;Rh)|6Bzs&=(Kj$D2E%l+cqc z#SSWyI6R>9-(h&;M4LTqS-C*5`X{ff8AO*mc9 zsh+rbzUk+kK-oV9npA96KJVOs53V}pWqn)OTi{-Rdm{utY2<{2tUI^}So}NtrLGP7J_|F4(sp-{nEIzh1M(w{XO#xW zsw!SPb$k~;wf@}^;o}|g0T2TGYvn`N0PL1!oB*8_48GLhn*HW&h?mJ;OgQe zN3mnMz-ebO>BAUIm$>Wp;NG;q(Ns)3y`KEtApyPEE$b$CVZXW7g8fvBfuKkmrqhVD zNYGMGfQ6921UdQv-AbQ0F%BJ#oDnx;z9(TZUVl}pT&3~l<*rKTW;rk&D~YO4$A2!U zr%GtG4)(tOQ~U3jV26SN=f9-wmGm<(7RRa6Brb0J=e%?P=SBTm^9Rx$8e-z<2m?^$ z!wS>lL7&o{t=H`cjA3@B<21#eJ1~&A;Bm~j*D37J)Jvk{7-m04M6u#~=i=O)tdAZf 
z`Cjdf)Qxf$z2W9)xy{qsd#OEYMQ*6u(dPf}9=*gb%AMd_F*1QTA%*>g?1jTd`Lfi7 zERe$&G~3drn^8Y>o3D$L==@_p3ur#tO*zFCQlCK~e*BkrE{n|Z|FL$DDmuhx9~eOQ zND*t)t6)P%*KHS%k69tamVQ-~xFm*Jj+^mXe_tjq`LZf~>PER7V3l44U%Tl5=K$G= zP2mN>L+_6enfdb|MgrMY@?o?HJKHDA#@ZsjJ+7EVFI)9Y!#7N$Q6ZBX{dOmgjr*?^*?)R=FnAoWyShk&$d43b+_oZ-zP$RGZZd&!dH5EIOsRe6*g6OfCkKyE>v@_P* zM1yvB>e-b26b!ZU^~JOAdgC87y zWyU8PxBTd?!4Ick!Dy>PU00LyV6!9Jx1!!lw}HF82Zsi(^0dy+_RZ_|pCnToi2Hde zujYPPi(dBT2K`jO0yfkvjVMRpmo<2JP1G)h2TVEj#*i5fhBVioEljuWad@mjpBmKf z!f&6bGXIO2Lg=*8&3?xL<6k4VRJlpvCLS(?!di>(fvw%(I~ zhcCtv=?`_bcSIWLRMCHU2vPWo@vitnjgi7j{3?x{h8o^ z+YIk!k0Yes$=vHD7H3xGCcy*DGUW$zoES64_a8SaX)l;B^SzCb_@x?2C~x_Tw*(>< z+L7E^XHDiZbTXO<`h?;|>#nhDPf+dd*Yrx;%XCMOt>}B8Ublsay;Q4j9s6dTS~~Sy zDovH{i!&B4kv0Q*V)4|R(tX={kA?^@G7eYsd!Fun_7h=#d%JZ)4R{<>fjIR++4$@U zyd4(KL-kLFhhpd3(i`v6J$0o1xkb7F`o3gyt5{zA5@3<=e;$6IY1DVn_k&>afK|Nz zJOK^+DfA;YeWOcSF17>OJzs@U!w*lgU;74X1k#Ri{c_vhY}9||+ap`HaNUU(S+s1J zN5WHe+G<;1-5+yb?c>Oz(-_m$Xym9zTr0?K3+l0uwB%W-i5wifNz0Dsj@V$@p{spc6_1&MgYhsNb(=w!zF%BxgkFwQOw2?@^z@<0F%@ zgpyO4;Gu`a9ZtG*S=@eYUZAF@AtF59{iNu4Su*o&hljMxU{_06AJwJNce zu~b5%a(?PvKclTuSDav0vaWqYuFRhj7aWZ6b)gMb!AfE1`ccSwEZy@`r(fCNC?^Ip zH759rZA{;%4Yf6iCX!)2!PO1!z51<{W@LBCAAB#~25YAUv<0;^ffjv3cinsle+gu@ zpZHGAr+V1h<*D7hLsiX>h15`gJ`g))hAAO|Mf_@`XgbVTJ#{}@P;*=TcBxXtmT&NG zS9E;7-Hda~oem*>kpD?^NuELzhxs9sr_qni*qZN*PBD8C``nS87^HTtOWUqKW_ZL& ziU?P1ihu7Uk>sIw(M!EFpC(F%DC87ODw(OWoI_|iL6PIl#@-&}q-E^X%;v5O{tKE! 
z@7m%Z{lJ$ILle~h-!W`Cjj%>)UI>q{%!haFId19cFDd*OS~7J_J$_`8C%LnK?)9->Cmi3BYbtp|9O-tIsA|F~*^G;+)Fw1Y z_NQ-as7_%OT=Yz0m_ZjU2ki(Jnn!xSx6%?Hz=1LUbg~tE9j62{9)2eJ%aKXOQjqdLzpACvxv6^-9OIDI8J_VlH^V?L?_H>@{+RP|lJ+PSta|8iI0D zh3W7m=xyiiqVH73QM3u&pvP3&NWB>py(uweebnEu^>Ur?Xg?k@LHtan3~k180WMnz zWBs-epw0yIFny?$zLt^u`C-|~;t28>!AFiKoB&I;FJZPK%xEpB@@L2&b!7S`iV4tO zA1G-y$@D|RGtTKB21?T+_hc8Z>QB-Q`v-;x{B>!7$+gC*LoqgdP@k65#(aRbu^!kF z?6tYG>EHV~tu^u6!#k`g=tDnuzy-z#@^sa7M%Cg2`RY=`ZH23x^#-Aq!rfg`XKTj8 z;5{pN$@h*wz?AyhN(teHv$FnWXa3w(W<5#A`I2IfpKM+2X}tNc2v z)v2^dKblj6(k_i5f)M5|Xv0T>PY)_!7U$kprJV}8OX<>K-+KsHt|!*c6wjg&&EFFV z6tA!-%OT3BqEZup3ofOC)-d0?MZKCA+p<@>OIFJAZpR|OSgdkP%OXn=JCSrziJw4X z&&I#`N$y8|=-_DCvR~%kkDhwIckK2Wf5Gfr*vS>MH*!oIc5{GkP%~Ylv-;%KYZQfv z$U?5QK8YIPh}Jo#49u`3d>#lRC+o2lDR%s~R;AC+fZbMbE2y*;{+2q5Mhv{zWhk`MBITwOLYLDq7y$?HK*teqY9aXNU&Bw6Fh%Mr~)h}S5HDEi- z)n$_+M@WN@AOE<|GD1D+M}Y8?k?s+AZ|Jy#fc4ONji`6PB=pWyS8id`t8cEB3Yt+f z>kA#$AH*)wC9v+_t$SEHP}Vtw${)2uQPG+fOQ@*C-2-fnrCRTAo1aZOY6+B4+_tWb z+Pv95>KAM)r=bZiePMKqvWZ)cc1yzV@X=jcLqW{39cMh)KkXKgh~0|3d8eWI^8=Nz zhSCV=@wj_R1V}yBM36KIBr(A?f2(9zpjJ$jjw6P8 zkhP`x0qw}liue}n)OYXTB`Hq4&eNp)^t#CdKz+N zb4mAJ?F0EU7}p&G@9~{!R6heod27wpQ=ToW0%vU>?((hA!1-Sm1sNg6Jv9O;eGJSu z{uKlan*+B9tp+S#CFCZdgtESaUveci>K#R9^<6XK46PgGA!^={xC9*f!N-A>$E(B zecfFjRdRO1TAE?ckgByQ6cK*edZ|P`#loOEdv(~*8upkIGV$~Ci;Fjl#Xv&p%G8RZ z+i0`B(OPY(&O&@L+pD9-J=n*a)F0gLekjg=Ou>5MFiH$?sE)(;fhBMUK^iCopJpTo7`VPgCGYZtGGOxL=-<=PHUuY-%Kmf$n$xr!_U}A3mid!RMzudI<+1#$An~De513Q$G+PaG z?Vdm$D#B^hs$8e`)<>V>Vtw2xNQ`lLW~H(~x@=|Ocho92qyCE56kB0a5?f#j))ms5c}#wUmZ1E)a?8aO1Cw zk6RvNXWZubEK+|h=;pA86#qpVY&?B7Jcr57@uk$)}o9O+xA5&!VIDYPQMzAAvCk3r1O{>pYYF~r}K;JYw~=m!5) zbFTIs!otzj+9YGa)=lQU(&|Qb4cRwh;-`f^*6Q)xNKy&qh5T7(8!d5S<6KNlwbjZpjGH&pUdvov7CSSwxtG)ydhnMybl|WP#)cIZcqIN-@xPSacg$Rm-udrkA}v~fT9VcdJFg#6#Vd)A+!9INp(96G z3+e8y)8qUXo4izOCSrXofnF8Skxl2kj*M0PhBv@d7v@>++$DEb|eP&Po+9j=kDiH@^NHIoC7(aCM*vS%% z@O?$)@%Q+b^P5l2iYy{RAC{B*a}6HC6@9fS9Ax$s5^?Mn&N=;|(S{8~q-q4qIP&j@ 
zTfo30O+Ti}al7HK`sRy|5{7Rs%y1q85Zr@;2goiRR|_pvHTG*S=BsQ^4d;C&_J=#h z@vt}r7Y2Nb4#7K$5nA?lCf%R02bu%M#}i9tg0_M%;#vYIu5(J3KB^Xt#ka~rFEgvP zel9I#Z#gZ0{J!ffnp_uKSq+QMz<;lx`az5)+kB(uUZ>jOAt>RT+JpAO4G~DQTF-8> zVF~a)O7fr7`mH(QJWPkwgcR=9AArO3JZOa@&W#swcE^raNNYWAk>rr2g`JPX6=Cvm z!%?4=9O$_W8`&dls}3%cJPDG3u>IybCH}$h?`-L*`sBA3k3YH(2WDIO+zONuE|wY} z?rPBbeUW>C(n74(?y8>-w38))xsbf2N2_ z#)B?Ie@c7kRW@3Wg0gUKWxS$VF}sqgj+QuP{UxummY<0+qQ8Q2@$KjMIZpELiM0{# z18Lv(wz2qjq+6Ybu))6!?wzp@530q-^DM>9ml*6JM#z>XgHwnkLJ;L=-&dr<8rXiL zPKQ6|x@xjguA}jy4dV<5!>D7i(TyrT^;J z*gLELRV6>h?rEESx#Tt!Pb1CzdS6}5@24?k;kh;@>5@b(`|`UEfDF2>dp4s?|MBec1{_!#M34; zO%AxH&2oNA!fldRCk6%z=QvlB2EK9JmG9?P16q15Bv;PLqbrMo-Tx?Eix~rT7BS>= zpSJB!!FUXCX}UA+OI$atohLp||A1%BX)A0yRQJFj$yvtsQXzZqQhxZR+?~*Rbl4)nz-WW8RS*_4@eYdk+pY z%jyRGD48!hmbHP|akbYyAZ|g8l*;Sbk0C?3JoKrKFjkmp5$x-$V}7R;qUQZ^_3MFb z+vV!-#-#KJh@V_|$hbqO>qyd4RL}pz*;__M`FHQ5HX<>iqyi%)ph$=0h(jpd2ofsY z-7q7dj3^z_jDU1^gLHREcQ+$40~6=w`#itr|NPEb=fyd^khNyHX3cQ#&;IOv?d!Vs zGsiim1-9puGT*|$B0f%R+Pn(-jj~;YA67sqeA>hy%=FV};MQ}xh2fu9%&liyVr}xl1t>dG*+! 
zyZe*bjr~Ms9umG?Wf?ozPEzX@7NubD88m3<=OwyBT*&yK1xrN8QzoYhU~j{(c6M_c zqebC5CCtVpiS$qKSSDfFXQS4>at=aAEK*qd;z)TH$J_(!_scwn)hR>Z&P_XdUgqy# z1V2L@wjaQ{Xnq!rEzY4aJq>LYJ~No$`BhxY^$BxEhu>xSWRNda_Tz^A=?UR4Cu*Xm z-cX4Inc$4T>A(D%dT#?GCztND6Hj~$H8{&v2fueB3x9~8eprnToGwFcE})mZ3x^Iz zP*aV^v+jq=8x|A00`EbZb=5W^W&FIGBAvQft{p{-*nl6{qoG8yAEoBAV6{WiN=r;o z+;4FIa0KUkbsJOPcK?~KnS?@AYLy62C()wA1#J8bEIRF*?G30n%6!*V%YA-P6?QY- zYH>eaWZ!z_xbe@WHGGG&%=w=wUoo?&*0(+1FwaP6{0QBfx6}JtiivjK zbC&k42|fPWwsYdb$v?%BSN?wRU3x(ZE~Uqg?g#G|p6=i>8}ye<)Oy}9nx6lz=U{c} z_EDq*PhqYc89`sh9sklH>;%)&e(02dTjyRSx6?cs96>#`t4?i5s&J>#XsY`Ho;|iRlqWFM zU+`J*7PbRoEwpkfVmlG*8lm)t*(CmEuAJelwzW`^M!nO3_cO9}LG81UVB=pG_nRLj zoDt^b?6lY_exrygAx1B*_4HEt;6Enb(b%83>$HOFdKRk{dvusr3I3L=k*|JwUPud9 zSy5Pc(@?~79=<2y8<6iMZv-D|YNMn6Y*HjzCz(EOQa^0^QE?)XXls+*{cs>p5Z^Jd z{jB9$9_s#~VX?Fcw?{-aUZu%`>@M!y6+ru*K0xZcIZeJNwJPnQF_#Hi%N zL}t-Bhs(}D)#`XRk&_a$Txdb zjGJEFq)mLUF7zddLO`8`2^bTW&pPZN=Ic)GrrX`p(|C4_4ienu?!PCk7smKTV0k3P zVsbyp9I0NRIr?>rWnoveirdZ>t?;FL`6IrC7;2yxed`e69|0rn%Xk(nwuE!6%eP(` zWx6PQ3-i(uOgj~$hm;*VAFfX9X)&YoR;tKZ!~t}=4gaDq%;9R<%~fO$=(}FJuhYIr z@j|Y((h0R$|4VDVC6cSi6mGYZv7NlV*UBQ7CaufE>74%q+l9`l%2?7q#Zh~Jai2_< zx~^OW&jncjAZs>n)KQD~Ds~blAt2Tv&TI!e`}8I+SXn8pZK+|alN_ke!ggoDO|bre z8=P7GGtv1$umw14e0EfUF&};VeOvJt_aVqXbghL00uxK*_AM3nr@Uhdl1m}?Ex7Z3 zDuiloJS#mC*_RB`U>W9BH(kz9>Olj?u3{e^EsVT-^TeoJ90Xs{UhZw)5nL9w=9R2| zBcQw-c-YdC^Zg|9z6I__-3GM&>_Kv@&F!(Yx(AaRCPvKrkl z>>dhvav41aJj@*p&T)tdDNFzQ7irR7;Zxy0kaKI^VmKl9TgYOKo5#H%?`mRFh^JjO z>Q3G``RXZfKq%Z7^x=Wu4INDazi?x12$7|J2-S~MpNj_1+zaKd*pB|aZ-d(tHPu(B zFK=D0kC*Js&J7Bt`O;`*k!#dF`@tLDE;q4RxCf@s* z*v*7?4GST+pR3U2XcTI#_BCKuQ)mGD8s7B4^erJ_R}Vm%(Rz^chg{l%c$j*Y>j6$Z zBXfs@*$t<-2g`s?|xT!2#MRVXnFHY?z8O%bS8j6RMJfNTd&I9b-`W2RYTDvwE&EBcEL3y zAMx(t#vR4YvqnN%tMzmDq*6GNYQtLS_K^E{TnmEixw)SjpFele%1=7UHj)(@L~pEz`WM?z<{OpH`k2E1Eqy<++bV8V-wJodz5#a{QmBje53Qg z6(j4Ctlle;Q@!UV%77@i72f=EM_FgE@^2G5!W%+M;VQ14HU!>vzC@g5JW+03_OH$fF-4; z-f+wbESh}s80u;N8ujj73Uh(++i-t~nf<+Df_&RSw@@OOtAck%2RRF`!FubaFd 
z5)!}B{`50vihacOOuZ$OToD(P1zQ0vy`+%6`?VmaXV_g2#$Peyy%nCuC5oQJVp3UO zX@14ncgVTE+&bjBp=)*aPC>rh@&Ki|zc7jEu~o1rSme!2;=OMCevBsbK+=CQ{?tEA{F|jhg3L zxB6!BSP^r2aOj);bX%Kb6G*|Uv1gpVOKoSrb%H(Vu)vyf9jfTzP@gb;wB`E7S7Pe` zF{wGT8VBzUP#;~heRLI?s*NqgxLDQ#dnZMtQ$8WMhtzD}#28}z`Vk0^GtwNpn9*ht zd>ML|svh>esikBDxZgc-ff?CH=kgJQ;e4W|y}cB-DX8v1>{VJDyC7+u2&8X9)g!i7 zWGl%vF@tCYp)W`Bodae2kgv)TF9ORLc!l>Mz?wqoee#bm7y zaoxBRKF?9r)oJVYUD zr-y9^x#>@K;(hz#IbE)PV`3WpLPGp`LIPO38YN_%*Z=uD9I^@Nr1ZoI9%S)ZNa&cQ zK)9YF`U0~*!+SUL_l~Yd)JIu4c1u^j?9k2>d)gQ`i^^U@_r?^7N*Mr1o7x{vrEM*k zW|4qBb{0gE*P!@17uJptlX|S~DK#2Ji*q`A&(Q33p&CfpGeGj=`?b%;A_bC3qp`j? z3DFyZIY{ZSC{z-E=F=0}XJ&e$c5wSS*wM&TV91|06SNX}^Cd#?k)?QCHaATiB$jht zY|w#Z;E-VfUZyRewEcZ|cd?A{d{GKwR#tWXUaJ<%IB2!85y}9P+|9j zzaL+7Y|&+3W${OyyQDs-GtDkGpU9)>2{e9}^i>?LWHd0!aO#KmT+NSEHlcl5pzL9T zE5EP98^)h$W1qNRdaA{-Ax#x2hc?}ozs>EE+~@f=dr)!X@IY_Fv_#a)Hw0!(P>4zQHn=0g%=W15o2JBfD9W}wUvRs`{cf~QZPelU9=vjb(~ zIG!q4yk{1(RJSa#*IIJd-2a&LmYLLntcGoNk!e$I-pi-L`@&e~R{s)_Fu=_1z$?|f|)|I@xi zq96Nup8Ez$WFND1pk?Zs*57s8vP@2!oQlI$$>$K>OmV+9&u!snz#E;xEwjJAaP@_< zLa>$s@etUSAsBsg>bhj$z2)%w@OPdzZ3iqhhSSITyziBI-RLO6atEi`uEjnLc zAz4kjP3SxHdbZ5qv(mkM-yAmjaOR^zo7#NXci)E2ol}n;;H!`ZVkl9+Jz`7QxwWO)6r#Uh~AdA^9V`sh1p>O}-)8 zzyh=B7S| zytd&p&SCWXz*mC_D9hY+IoJ?*LQ}Qx)lV^#(oN7;vsj5|PeV@h9CNa1$r-{=IFOLv zuPx6;V3WdstG><{)kx~07ef>K>s`BGa-NSdTt3}JTs~Q-jOAV^;*nR+I}(N7@(0+6jVUJDS{#iuutZ7p>WYR zRj^nwk+_My8-}gXjrkmYaJ6$vX*(p;OjFGD2}h)cFbDHnAt^>m^69*UT>x3*_MO#- zR?y_Oazd=q516mm75h8T0wZ;T(%^<5e125esXK1MqEAri7&cd!6*kjM)AA~2v2 z@gZOC+(LUDyw(#6`fO1;B0Pw}-jZnfT9Dj)MS%5R+~`Yw^e358I5#l+m-%@8goZPB z{l(R`w?PZ}kntyMl-p)E^AohDXiI0*CBY|A===Tmb%*jYtslw_77{yUHiE4Oz*T6r@j`kEOO9DD5xUx9p6(M zYu{MvNEi0t-X}jZP)$MF(%+}I*1wx(RQtC4MRjxYZ>W9yVDCWngElWhBek9-@v4k! z3W!efiTJI0efNXhEDIw?{14mSLx+{TXRtwV+Yj;Q<9%h~<2rv^i|wR#$oln9-^Q-t z44YT)0`Jxc;B`*xNb9q~{Q0(yMjxi%l2wnG3-c0Bb8OFbPH&lH58hOF#i<+&B>Pe? 
z3Uo6S;pTfxd?TQflOyIjl?n;|c;8q~*bC=^^6vOGEp`?1*fCW0Cv^N?i#!PV!vPUi zeb;-87uYSG$jM;X&8y@GliuWgWbht+!DfadNBPGfi%r*$py%NsP*~6*!=C$}(`Zfx z^u2zr#9k}ObNx$z7gS*zj$7Y$L7T}%kx$g(Z=i8ygIXKG;aMg z$s~mlEhxHXug8mb{$(?D{C@t%-2!7`;<_PKHTe**XHXg>R*t{}C7&;HVf^VMBas>tw*LFVze_fX5plPNj0?HelyxUhLaty)Yj1ari zZ1`VljzD}?gj~Wo*(*AdcjcT{m&QB zGUq#BA(lg&ye6tSH)LxE>qWq`d~nLNJ6pgWbr#lVe3&>MbBKk8lPo;+V5H)01?GPf z-6VAlCbk#h0pl0S;#xYehm-gcS>Z8(sxz9#A!#iR)^)*{n|vJ|Ja$LFIe8@D!?Z<- z^}B2ZGi#gJ(g$s)Cv?S&iEL#@7c!x%HlrwKw7%tIsNkj(b(>0zLU?wNPCK78nZ_LOE%BNf_tVKbBLxX&~EPj-HBpg|28 zOr%#(c3)aktCfH&d?84ZNsSUkC~YhG@`@-~wH)T49Eu(49*&S$B`?7^N4qnYydqc=_gDT9WrgdqtGenwVfNzD|V|8Zi{=;qMzsT+vYc|E{+~rvPdZ^U>#4Eep5Gi(E$UTC&|c ztVU6PQeXb{X3sr-u_2L4wFuYe$4Z-I=LjzY@Jsl4`=Z|-ef3t=&Piq%VIacE78j5X zk|y~gqWWY&e`Sb2*N zuHEs*+t6jki@7U^A&qMb$g=jsZWC)!=L*eJW>6Swqwl@J_BC0 z$&*GErT_(#U+!7V{$_r`F@VMJ^Yf1i@YBbjH0k3|eTNv$d%lTz#KJP2529EMY1Zrv z9#rggV!&V}{>-tX$jIl0KNPPtPul-}fHYncBx#mqPgk-Yw+Z%T~Cz2mbGNNz%WJ@od7s%rIORHT9LIUAvnwnqd6KR9;t{v=ed|;ivyw+%$P| z4Ji2wu)axd@_}jMVr@Qz_pmn1{+|gh1^Efmx0RS48(IMATmWK}CTaBey!4@`7V57g zz@7=&V{ah*7()jGy}#-1{^4PSC5s`#W2B(MH`?0muURAGozF-wmg*|d{@KqY36-vBo*_>Qe2-aDsEA^k<`ZCv$ z)RNmhbgpa9H1Wt4T)tRi2baQ`b0jHVA1;fzLT>b~{-7~1gq;m^eH?%zU+kWAT=B!H z_2ipQ#E-YWYLri!#~>a&V@CX~Th%tIp!OnJQu2ZR>jWI||gq0V>~Zs?RXxtz1bf+gKo$NkO;rB>0=SpKkiW z0$kD=_usAheY#p-3Gpm4lm~1o2s)?dAt3mLf#wdGg~^f6fF~SZxz`_Dp#|nxU?xaL-z6;~0!uga3ky}qV>~UG1kGs<} zCj|o3J)2+qH2GmV4I5w)P_Lls0rf!#m$)L>GQhpM!!NS~G~a|e281V^SL1b-YfBdA ze5m+b<=ybGz!b!jZEBf2&3g5!rMK?xFC6mNMtc(8tC>bYA1~u7hA(j1wnXzjf4!*_ zgmZBSYLbmx@jRWmoK`{@JiHp|tRoVZci5U!q!dizZ#7`)Vn zH?ps8+gpUv zpa1XLZEsQR*i_jYS&N!%lL#`1`y_}*|jV zp?5k@yo6iS3lb_l_1^3r%zf-fYg>yj3c8m$bDmYh`e~gENeAyQT)6O|j8?mgYG|&R ziIa&Vm^DfFF(F`$T|w)7DlusaA>3BJbbVOr*c52dIYwOh4$%tanGpDPoh#1yk?LPx zGBZ{?!UbvYa-|z4z4`3Cg|Q_ww<=0`Rp^J$14dcvxh@m<@Rp&THdW)|V$!rKUZqWr z8#<^muP7#KOlGd6#rRDeK0X;)|2*$I&@6iYy*mZ55iVi8T})oEiL78;++;^LfFQfZ znK~w&7Bg8e8H@3yU+2G%tj@;qXQS?*i!t#hL5*GYu;UamaH|6HFI}$#-4PS$HkFjp 
z$B~DIjs8LwS;E;@ZE$)Q#Rb77Xt}F+-TKDw+>c&l)`O*=zs0)p07frikEd#@)-4{{Jb z#32e3t;HW{ihZfn5jGnufl-I;qKTW>Ub%x1+s?kg7wN?8_n&gjUexotF>L<5$+^oI zZz~D5O&HxiES@#n&rOTh)ypNM{A5yrZ-xs2l;#6Qj+5|1^L1_2AZ7%xcR;4&=uBK` z+X#)1;xtU*rB|vKc|yI|yblqU*?h-#8%ti{Gv@hAai3Areb@hfLu!pEFc5Mj6pV}- zXyU_$kXyN^d6&BWirOBgE+D@q4DfUCuOmqy$NHRanf@z`bKbzYzZE3Q{37`*A5Jg1 zf^~C-6@)gDQUxbextT)~TcYP!)TMpcLQH!{_?z>`P z3VGQvoM(h-Z-zbfAml3MP^GFizdbp%*pRqIwqyZUYYtp@bGir=g65K{EU8JD2;4&M zcI87s{1qVwWm(Dd7wjPO?FIC24l|oI2b||#7}P?=KxN8O0OYHcd$eb%epU;!T+z#X z!vMkAGya_;V6L-CN_7rlpbV4M+tc%C%uuPh&Es5PaXP(vUfYW+ao4_yLrU?2PpD_l zMHNT z>p$ASyzidwYInF+Jv7io#J<*VJmv+5Ds*PS7)nDKExB`Hwik0qR}19TKZ09+_~FT1 zoO)hrM=C_vS18iNle|Oe?YlN4v9zvi!~3jk)=hRU+z~#VFI}!tM;ZX4&*b&aYZvmS zzaXMwGm&NrXDrb#7TF6&{qQpYjVS-x=9(~IzzB+jZd{N=6_<%}?)DEAuf37KssG=h z6>-E+JcjH$5h?lfDf}qem{V|l+wSyQvC8PR`eeUBfin}Ah8^;M93Rq-0LKTm#^&_R z%^!TxUfs7^ZKRHu={hB(cZ-a-(eWL`&fhHRS#B6%x*F;v zF2m2~dBd<*Q`Z4slccU`|X7?k+&`=0%q4pU#A!0DvuBmU>gX|7~bONt?xc z1>M`4Vt`YU22C6Pu$@A-1fqXRmOrmIkz-b?$7N~ecByWF z*JaxR=cuDe8DJyc(>r~Z-BsPj#V#5ZD{!`nk46GKO*5`wrNBoQ)aHfFsLkttPQ&AQ zqiIZ}Q&j6s3c;i|!l{>wF10jmxe_)cZ!0&XgE$TSgfqux8lH;ImF_ zQ6(gZm|g;rO6A?$T(?EPYTVOXG*&_;7vOjiFn-#R0_hzJ4|D44#fZThj$`jLhSJlO zIi~_bm;E4f+lXbJS3eUgAvN#Bl)JL$1q{{=cr(j`qDw*vux8Ok`@Pg)P*#a{91j<^ z`jxwo76cA}ipwS+V$UE!>}IN{S9M{{?V#GYWk^T@$*aeiL4!t>QPsmrHUFCVD=g=l!3lL&yZ}7=EQcAtL`KlmI6V!_ z21r3^4KOv!2+@hD#r-~M->Ip<&aI0@i|*$o2EPu^*FB`B;9GmK!eBo#50L`oF~o8* z^5?_}au?0(Ps04RCP->=QQh=`Jin_L9+>AZ6v>h*_YERxJn*)^z2diX)*%NcF2LB= zqmRb`-90d2Toi>)+uF%rw8=9dkgNdUIDR%QYy^TJ7}KZ$gb|@Ff0ec;he-AFg}< zoP%_Yf`1bO|IKx97+#C`$LOZq`;F;#UwOr=up-Xl%1CdqKk;1>Py1aK*EwH1?5a@x zCJp4D>Ptx3r7-EXLCYyxL&A_D(r7?xEJ~J=*W+6 zkI}mC6+BKxtFE)F<9IOV@AHGQ|CU2~V-7Y~{vwpN!`fmFNVoV(_&fGNoo4TfZfS}! 
z^y))wJzX`$fEwH?i&MXJw=0aHIlc+NwbntKCb(%+g}Cgb(d}J}HVL!N4gc^}r+QJj z)eCHkO;_|e1P)xx>l?=G>=MnJ?6h6^BFdU|5|GX8vOj&O1#q(Yc3oyNyOd7T;o8mk z(fOfGt7pTWL7XX{!`){7f|G*FDL2zh{uRGR^sSlyx17Q8|H*{L`Og2-eCG}}|H8ZA ze+}SY_Vf}1N`vKcZ_E5gH63#OgPJIJRl9Qo95O_7P>cinf-#$|strv4o$s8~XN;Z@2NR+RCVf<*rqN`aW#XWG zcXeftg$(y!L|cG%JTLh2`|C4xF=aU)WZU60pBm1;A+8LHN zW*zt6PxE_pSU!aB1$m2U^;#FnzullN4Waz6!Jh_#FIzj)pII?9dZLXGtuZFfBeqxR zG`IViUltkpad0?$xR~h-NDBLL$sefx=_EtzNY7 z&gi*{ZBqT}>_Y1B-$8Vh$K$F@W0Tp%l-~#Tw)Gd$GxJHmsdW!Js+z%5cq!c83*D6& z3)Srifn4a{pX6uk%L?*!Qne<7<6)pI_x_XsMIx*(Z{~fN-`zz%2WNJJp*FJ}1ZYKk zy~6|cd>?ASsCdqTKX%~uqr*ahk((~yQJ z3lBfBdK-L!J*M0-GpWwiPdNK+OF?*QuNQ~<2y_=LHIUdVJZJmO1)Zv__0+1(GR?Us#> z^b&Kz_k7#L2CfAf*FQoz;=Kfw*O>(f5;`=4z?(nW9|rdD@aI1?jELND^?96~{^|Zo z^D6%FW%^}D^ad9gq!s3m=dn0;SsJwzC*JZ)GqOCgWvMj0b9$iF;&H8s8L{)(16@!s z)eJ~DdYRH{eEHse+Jkqr#}!}6b|n1I`CU>Bb9*5ANB`1uE9^0XTZS%nx(}LUbWQXV zNs*dgm8iD4cI@AK9L#h4^rzDsc~TFZ+&oF1jD*Rg=@`!5NQcTHL)$m=Lcr$KI z1rZbr$g42;&Hz1~COv|>w#4etEg^mphu)N>d@Z9+icWi_jkHUl3shWt_91vC=bqi} zTfRJg5}2hy((L^&Z0YBFpMkxyLzlJ0+Z&conYo{sn7nTPeYn|$|(~CT>(CV z-zzh{IsWTYxsNU^y>$&7+2A@Blor9vi3>vTx)##)A@uEjH7OL-Wh;B!g6)X`=`GRm zwe)c8n2g~RN>y_WsmO?7Pd*uPlq7s|!PjoFLEW?xCiu+jJe~*$*8=JL1N7lK*q1-fX(;N;`v$ zzFi~%VWPq_A}3UPZ({9a384K#eokjH4HV^U_!%?@7;B@XIMVYsC`T%n2h`FVvl7p8 zpMTTwvtI_wvdCDmunadNg%gX0%_t|V$K*3~zTJDaQ$AihG;l%JPF1pn6jeyLRuH zww3stCX38;^h~ZI(Q1H>-vg%f4V*2dDV3~@-9_}4Soq!b<*6QPXG?2~kh@MODP{8I zDNiB5#g&73ST=lhq-qhvXISHc)IUXed3M{*%A5VAd(M;rH|}N%{z~)e`Sm1&KPm97 zO{#Eg#;st96IFp;NZTp){vc-a)+RWFEO%GxWN7QV+#TkkFDI%&v2YIH5qCXcTEPZ> zi-eQHW_lsjkE`4_!FOe2;97SQf0RYMrkMW*#6rK2xydIWGl(X`vzENO44x4_a*U!> zixQ0mxsQ|KQl{yNoI8lIPy^F-WY>?+=I+avc>}3Bu-st*q`MAT6l-XQK{l@k|vX*i8VEj$B15UoChPGQryM~ zu)P7azzsL>g+!`PN0uUOO!v6F;C-Bzty2UP$Q7{H$AJAsl{3nS)ovQx!o&1WNKlS< zxV&neW}D&V9yF3c;onU(hY#X%vH*gi>E*&DbeM#@h_qZ75@bysZcq(y zuI|hwsY7?UpqiMDWl}CywF!U_e6C|?ZJ0p_BEv-yEbi7VEOs_P!K~w+sH8oU{QRD4 zZ$g3hUv{_d^{1L*5+!11ddB20RW+r2- z#ie4p))1o;*t-P56Oj72IX-v;JJ#C`DR6j=Vb|F1t3`pFWOeZV!^u6Md36-j9RJ=) 
zl!Y)Spm}!_X*&ps*19u#63*mgwE<@Sx|Jqw!BJaR|ACgw_u#4Zy`D*)V;5#Wr3YDKr3ivrc^OtUJ#Y$@E92SEY^AkNu0dA(4q7 zKX#{^+E(Ugd&+RL>cB-W2Ff$|av&I{u_?uE@_LaoTK-FC9)>CXOE(Ftz|3%5Ac^{S zAXY@fk|80S%o#F@0V?KBRh2CuWx;;P7y7Sl&(&vrdf~TY_0Dq@D$eFtocGIP6Yqm z&%(Q(5;*)6|3X$V9i&eQAwqxFIS3)^*s+;z$dj9Nl##Q90^kGdVTfpYA$AAHw=-hl zyb#LGK}ft=f3TgyI@sqSR?({144N&b zU&-~Rr={PlvI-0=zmZE8o}&1~$&oGR$3Fp3jGoVF@)O-R*qq;*&VnX@G`|Nlhw+u3 zm|>@}EFPtfYy4$kuS3<7x_uIjDP(P`***vocfq#zocD=+73LmH_-l|VOs~mGcXVeU z;wLnrY&I_NyTe@Nhp~g$q_b{}X454fpI_@0`PmSz53mqqYZqyHq;>Wpp$LFo;>pMW zX^-f;pL_7y&i^AqeBL0V*sF5%X%p{P_p%C1lOgED{vlXP&z)lkB*fz4Su_;Jt57lC z;E>ZVz0#8mevliJk|Q%a$}t$GwQ;1D{4g_E{P;5#QNus0kqi6ok4_pWo4*CJ9-7zQ*rIw!F@uP&~ z31)c6zhfP&BJGV|e(H_4lEYZkq{90#OoI?E!A$|e7U!4tb$#iiKkD zZi3nPve&_~6u_MlZ!B0I5eq+ZNf#%)Fb;cT4V0RjSbuxjXy4)2U7dg4+SP};cc(-Cx*FWIj57?+1;>At6AFQ{|FQY zSuAWO9jJbi>wt*uW*g4{-zHaI174RvpTzh}MzzqBv)-eLQagJzLx~|ow zdQr4c1*jjpd$me35KEgx%Hqj&-eXmOzYa(zpGIBu(|a=P>94wa`+C$ic?(%nvS$ zeNZZih@9&VF?XI0?v)J=J$>2q}2Jg*dxx)RNMcL8joI? z+$oqE1+`oN)zfEUmk~8QG}=y+`!8kMpbEpU=_u%^k6Btnd-q%Jm@J?V_z5b9Y-jG?3x;gheGLZ8EFIz@{9&=oln& zD_F~kTJDhqC8OiPo=Gqo{z!vxmd4e9+1{1+MZ@}}fo$eH8@Vh+fFk_1{^E&NqooMU2afS7=+ zva8S#C;>yH%lqnQIIjji5~x`LbmLMeMX4$I=Wa~354lU}ueZ@M_kW!6O2TyF^Cuoj z%&Om93QkCa_s1-Y@R&LY> zsM?wg^VQAtH7xgUMbaLZP6BcR>*y*cA=~LnfXlNZXbY9kJLSTTME?`72Oy@7u7m3+|1GiI!QcmfsWlk zKZ_lndp;VMf%hBru!h=$wUBmj#JBSCDu)so zncK&=DG02X4MV4&DL^t)WluS(u2G%TT-yO~oLx zK8Ijk7P+0Q*1)$1wlPGmLOs2?Sk$lKIL((X3M)}45XHn35+{5bCT%-K63ujZ_1^uD zZtoQ(l-%kGbK>tW6WqOk3)SDYuY&VYtwd73;dZgNTdG%8lWV_hf6qmI*C(=F@Yp-l z-fh;aG&(CLdK<27BEp@TcNGx>BQV(vOytm9HD5fr6lnlxC!~2+}oSNJ=A(sDOlY_f%qpNQ#n^lJ1a3y1S*jo52QS z`#pKRukYvgCtMfX*d9BNbIyI==icBbxvpPHaq<<*yHB$V7JRz!bNm7EJ)E25AbdK&3&nP62#}$+=xy-#DzJyS5R9LR z0YLJIhFpFenDY#L(TaU>Sgc^JDs=_1U1DE5!M+&zMw1!S>#8(}I0?P+B3}hUdjQid zygk_im+(GFIQvOAM6Kj)K==RI zK~I2#2G`b%pp!Wr$|ZQIReyS;?K0*u!vkdiG_Jsv-WTul@!>cF00qZQHUIo<{oi8M z31|cU#AgHiq3|`fXGD>@3e#p%^&RFCN!qCnGBo>kqQUVY?~#$Ug4G`)+AEOO#&(Kh 
zT!66|8M>tOZ|7~rA}?44RHn5h4lbo}skMFz!mMn=vyFj+jfu9XHf4j#uiyORAh zOiV4+HiPYiFgU(;Bx#R>Zb%sJJlZ3sEkh!~;+|@eG{FiU*Wpt@u8u$gErp3A(A+qS zJ)@OM;3|$s&U#;m6q?&8n7XmK|c6X?Lwc9Ynv|*(Sm<#)cD05m(V{Pw689_qS-l>SX z9+v~n^aFp%_oNDqX!fou-1g6b>EV>x1b~<}22rfC&-D+ORoFwWc8a=Gz0Trh>klyQ z)Fb|9NG3na1{(UL8r$aq9qXuUA#vE9DDV~@k3>em|0*7UJ3jbyBtyn`f$w0v{TWUZ z3sxEK;T{nYmAHV@Y#jXv5$;;&t|xh9bqXpE79D_S#=VC0fYVYTMqWSLGW8_yS85XJ z%;kMwhr|~rU7%x?SJe5wi%St!6*+!m4d;xgL(LjImN%4wSj+?%V4>lU1v^sz(O{u* z55vUQ$uxv#e0$HKi7@J3brox3VZ(Jfyb`a>Cw*iZ4173dTDC8f^bwNpyg~u^${qFi z;LnlZ-pZHHtBO5hJGOWTa)(+z{u6yKGzCsZ$#-8w9P(^0#R|KO?s$KqQK8xo0+ea? zFMtdvTBg1GpWvC7yf*_l8F~pgK%2Vp;7GIpaY8+WA-CV|Lo3N1V4xK4l6|nPZ<099 zba821DLT3rG86ZZs?rV=*7xn^&%kjR2X-hBGY&}6s{np{TvvGlQa0gs2@SOc@Rj~# z(?@vhB(p4+OoBg>`nOIzt zM#BZl${ii{R3qU2?aW-JAFq$z8;T#Xhje@iYkoiGknl;T7~*DuU>1;K&iWcEH8~Wy zZ0nNS&0;q_#UY8Kn!N<3nD4km`tYHbhME|@wPCdynR`8|uUm4-qwv&HkarJY_9(IH-KKN&nbawj5YkX*m|un*~Q zXXmjh{G3cCagKVd`>2V?Y5wdp(e*Ey8ygdpv`>b-aHR@B)9 zauh;aUk?QkS@)VMa_LdpI)3d$CYT`9I9ORkaG}HTsY+X1uCI8;Fqz-UJhizsMiead zl%*0^)K{5zv$!kVQfbd$Q$bFl@}#meVJeknnjW?V8}NUbPka|knKD)inRhLWKCPAF zNCLS1#m6mNfii&XtPEk5j?xU5Rczi~mTua~TNEiMT!~AvqhcT5yLGkKTxYUpYtCwu zS?I6;5moDI2FzA+zxAW?aL`;meS^kN+-wCXgoaK+%{V|AWC4~dzK&S_?_{?H%8R1v zhA_|nS%d%@>D@Y_ObBAJhOh>HrGDeqK4WLG6z9SH4em~bJ*lo&Ln}T4sg=e?)xA3F zhwK3~SwmzKtlh8|pScd+fEQu{d6vg3{X@T=@af^F$fmx&@*iY7g zNF)oor<~{Ril%2|a=bcqotW!sMQ4bZpwEt<(oa1t=pO^fIsT$b&8x&e@`H%KtN52u zwgQR1EwFlAi7sxRP@Ii)i+UP$C%+OU-fd4Dm9*Ev{4S)4oF*Xmalja7TJlAnD`K~z z4X9c0&N*SJ6*j(7)^ZO zQLeA@pCpq{#i&#|XYs=k4!HC@21aU#r1MbI>=z~X1Hju{sMVnI3NQe^fM9G-WwC~C z`r}LWsCB9MTx$WQJ*oJ0zjd&1vw;aVU6y4C(?(I12J0r?zZ@pu!wEHSoP!B9Si>bS zA%Kg;#mQpY2cgl!(tO+jHXcN$!JO)6?-U{Jfr>_FD(r|H4S%{{h)(zIWXiO{GKT|N z4zQnj!&IN+sBi2^<^;}#hNCqS<6i>eMSwFYWVHbnhKw5mX1EJ_vplFB#+bJb#8qM( z&Gb|FIY)c(84ub`WJ@WT`UAA1CUxs+!Z1JG=8TMOSPHk_s+rEfQc|gHaRMi_Vt3zaFi4^Cw z-9vqX|Ck2{uGan<9OnRHj*AM7 z6GK$;IivaK;V9piHW{g7x*qI=`1EA-^AC0Eh6$LKypkHUe(F0~Hk;DzecN3;6rP8j 
zun^z9zR`}<^UeVZv418VX*!r8AfWlDhT#Da9KonEF%XP@a{2rKl7A5X_o7eILdEm1 z+|PSD63C;vcl+b|59YtEA5#UrBz^~rKd_emU333y){jrD>HhkrjX|(U>mWmek1z#| zq&A{@a1RzrIwg%v9aS(w&OFvdSUPhA zve+idMq*;9*)pC6aF0~C4<(x`_bQ8m>uAimB&)Q@T=Snue*1Us81)>LF4-HrMI0fi z=5*B-_nSN*R!i!;M7Kev6Y5VH1-sq(iYqm7f=3YKkoO~D`5!RX1aWEpH$=!srZ^CZt3!62N}8- zvXi5Twebk!w3Wt@K-}yB7p+wsM@{yFHI%(>`8n=u##-F(bp&A7lBfa%1^{{TOu;Bg z(rt83q$F;bf;6lzPhP&VG6wd9D?@1r;=Eski5oy~;wn5DKE3{KB}p}9wrg8eJ@I8F zzbO2lt$mRlfrXshtv};N9NmO$UvDWh5ji=^8b7SDnvmEjELS98vv8DajV4uKiN*|F zH7%kCYd05y7##aAkY2vx7i$AOJw0*Bo8F6?pGUH*Yb-F!itt)`+2P195W$X`m%pj4 zBAT-aUWz)FDNuj!OR1$CAPkz|8hAyVh=h^^+rOmG|LElYbJ9yRTtf66UVBpKy66fU z6TJfa?EY%~rRk-5x9b|VO`)hMwBr2vt*Y=vk|#MMj>Dx9#XILenns$YtZdX{p814^Mzf&D zsnzSK>Kc$#*}k*vYcI^emt-i_WW^PdRB8?4k(jt1y}>z%eR%-STm218|GnEEcz)1? z0@4C&7l&MC@@l!Ntv}mzhHGd>@=(SK2%@0f|unuW2$D2)wY(Dpn zwx7i5vtb|{b^xtRs&X+4IeWV}0^2&xIk=6zj*Z3!onokp2jeUxACmQOsQ9kj+iN-e zp}5KGWD2HkTGl6fGn(#35>TjFXT{K_QE~75xNp$gKbFx)A;8(M$*ZbKMhqbdy%iC`S`!@WznSuFMY50+3I)~I9Xe043VNj(0cM)J-a;up(Gk%8Ct zq9T8@h^HJ8MDf$BwUFzcceSw?0mCz9k3`iaKU7{8=yNzvFgwRZ za~aLZ9L}3P9d+BX$3x67cofcw_r@-jd#hF$63>l>a$}(DAZ2+!?pXu;^+ zYixd5_-#LRf*u=Mv5wjRR#pc?>^!%FA+a(Vsx>Hclc<+3e!+v`E#frJ| zp}oc79@}d$ClKeKbO;ef)?)L&xHw1CA%w0zA;q=jbW@}UFTt=1xt~q_eodQc91Oju&swR28$ILV5?Z%(k9M zC!-VAX)6==z83E!t%b%fbviwyc6Z;PSrXSEj)`qw(G0X8exOR-rQZo0*s_3+Z|!b< zAihVvk$hFLKWUa`%#uN{ma~@F!y2m(pET&iUY! zttUu$7yC$BLH(w_gG(wTL`5qOCOiJ|j|BSq{q;iGP_yrJB

HhNh!d|i z@e3CJ-AcA;PfyU>tR%j9kNs<_`+Z-TVf~_`l0He_n}lo`bImmzJA`5dm`dSD#7x(MW;4` zRmPhBGk8B18}kldgDIxLb-||H=Q5f)M#Z2+d2JSo3#$p7+j4Kj^ymO>y$#7i^oG|c z!Y!b4ByOyIp^FTj8_+;`N+N+8Y(*xYp&=5RmdEvUKg3iAA^Txe-{aYR3tijdH5Nbr zNpC$Y-frY>HaRz*L-f+e?vg8(DNA80=XWptP6omw>b82)?~jx%1qKaK`U7i6ur`^< zS&j|-q}`ZW$gIP)C*)e8o!Q4?LjEXDQK|lc3~qDRQroNtW6HazRUpGrH=@|$se8^E zPwZQ~FaGxe(-yMuvY9AkE_(aih%4 z%hxVg)+hbZ(gfLYry2n$aesdU`uDrz_Jj8cf=2oD=kGdV70tj&^ec~lUd!=b5h#`$ z7_nGQ83oEOS)D4elUe1E9RKLcaqY~cyQ)PgWwDf_7y?J zOHDj>5Ho>%M}T~Ib4pN~`CUF^+W}CS3IYqan#Xa2eDNkOe{2@ZJb>i%vWr?;`-cVQ4=74&g<5sBt87I)w~ zlsr0zH6FK|%#C)Lc_IJ6_GS`ex$8>$d30jP=$fE@!C4W|yvq;k5_`8#sRLF`zMjdh4f0B zFa-Od_A%VTs-!#lcC~b?!x>;mwRoQJht{8=yJnNd7^l#S0XVPD(_%6ePqioldKy8L z`r>ZjqO}Y0Mc0#^{`5g&WAR#CfT)*Qa+U9o2+B z^2nw^mUg^Ci=qJxEp2VwWrRKnLSoTcmlsG@bl-!Ql1jT!K}hABKSw#8xlUdpo<>7!h0+kAh%{Chf!v5f zxqG>GXyL}SQ4jbI-^Va$^6O0*(Zi20aSxAJ42YFDae_F;iqa9k9Wf!*Jk5(WxPeXs ztcwUXhy?q}Wkn-&N#pa9#us3h!%`Ia7iw6zFqTc?h@*!Nb|k+H>LC8^y{r)*2}zL2 zV(RV$CxK5|5pG?W=q1qo5GGQa|AFD%tbfg2$6d1P&%Xm)kpfZ_Y9lhE55AorIs9a)`=u%> zKv0K15U7(mq4u)+Lpy(7Z(7q#$S*~mW{itTLgiMmzQrzRE#>7X)Q!UIHcK-wE}ZZ zG7_#^*?%CTQ&!qLnZ>7OrUvg05F)zG4DSO3^pusCY;gdQ)j{H}J6Jv&Dsq}uAd6@; zecQVTvyFjN;)C17al50Bpao5vUzw=1a9_j~hxvpY zFuwj|WF0I7VCwD08dva!dO=n&7_(=vVbyiM?u2Sec{pU8k`P)0gM4d+xU7m3%Zp0} zbAGqhhA~?S$W=PHgsy>l2uP1B;(j7hbxlvQ$dDeUfa9; zYRzmVs)R>cE7h^J2BIE_snC%?_t}#ei?b7xaul$$^xl!(Bk?@wI~x8#41VvLL-$>b zE%oZR_hO+(P3QS!sp|_&Pc>6F1lwMJ1ZN#?IO1r>hsoW8o!o=*5&#gZ!@}opw5(Cq ziIB&~vU#s+kfDtQvC%TRH_$4A&ElkB!6--Ol^?^;nE5fvQ6s1d*(10vOL@&WYBfGr zRGX9ZHzk}98!A|&yQAn(X}3-y>o)fIKXff1Z!{G-{5)Vg@ml`XJLhB)_?|)1J~BbN zF@pbSo2|%oc4lg?6jI#@_k4y-E&#DSe6TQu{I4N7g*E zeqMZO_Ox%q;bV_^=`KY2Fmm^bm`pTn(QJ0}H|*=11Y_==g^@q=yKPz;l?xYZ7BVVBGOZ~rbQIww`}NZqvPE+wSpVX$z_tcf#|+V9 z6P0EVu(C`It$#3tv z$0{#k+_68WS`0YO;hLNb`{>!wFhT0xbhkHCR)c+q-Bc%YUp&_ef!)LB3{}NZ(%BX` zk@O$K(w{(wuc}?ZJFZN?2FSW+Tpte*;L@g+=}$%}rM@Yo@P0yza6Qq(l8gZ!9BVR{ zk+X-<-4YHLk5P=>5v_>ld*|Fm+KJjl$5hQqa_FQw1%Q{!GjlenUeaaFaciJ;N!|@Y 
zGC88@nYj--^D9$t^bzQZ?Yo1uUT}F=NLCDtASKnd=qSoa z#FNG4{GHpe>LylmxLgo|7oN}xVXPf#5BNFpG$v5EqIWO%~~JcXnkRUu#=N)D6fWWi{WT7QKY<$k~j+@QdT$Ba1usDgcmC$kdyGD98d=l*)vS73F`^Ej`REZphtPX-kYO;?>8YM@|$^z z7gqkrv@#BRnAUpd$iOshUK@MtoaS^o(GF~XyPU4|Gv!KInaJC(ik7*j`5+ zX=*cJHmh;%=9zeV*z-439-XcxU^2K@fNoU6d#jyQ*X-}NJqkCl=-az=UmxZE&sm{7 zTG6yae9yf4+smc;^3&O%HpUL@c0m48l@HT9r@R55%%x!2nfpOOk_e6^$S`4pMOWx> zir62p@nO8@nw!;QA>DIf$rnWf2Xi?TEO;G(DUUY&P@!@>^l4ncWgPox;EICEOoa~< zlfB2UpMSE9541`L!8l!Wtfl4T*LXb-bVy==4pvh6JX@DgQQ&wE{@NUGMF?2mz3S_s z(0bILn&rJ%;A)mAX`fN!H3%k)5C3T!IKyYX!V^FfDZBi42w&-wT3bGpU025_Ggz-i z0X`e4^=lFAvlFpn`1SfYMdnhJYDP7a(ke(HG+y4`xc?Emvl7!5>0Ox*_c~WX)lV6x zc`K4ELF{?c5e!GRv=iem0uT6#+>@dW2C}N$9rS&4Akn*B8b2N$6?+hWu9f+X9m#e4 zCH!n@ehy(@BO|wshwu$q#4PL6tLRT@8ddBgLCrOy9{+-9qP8vxvg<=%Nq#R%Dc1O% zT3FccdkWD8xAq_Md1^AKct!x1D6#z$w=KvSm(8LUVK$x9Rr3Odq>(798MVU>`}@{< zDx&1zv!;Z&f!wydvfR*Z+kDNsbkDLtdbw@Ji79;3JK7>)g79%<%Nog`SrgtS^4+ek zcF__0*6#C*@1B;!=YTfql;V*Yv5KhZzaG0pKI*&=^u>R80^pZZc=bj8$aq7u%fsV} zf=@1?2 zwPNK8L>fMI?Og7*V)74R6V9>YH7 zrJ51y~l)$y^ijaA3DoNPqK!XiA7j(Qs<2kf-Nap=Z zlEfS31D6sKcMC;T(4xp^rLanPNs*8h;mvjg2^jN$64OJ4Nu*bQu|@?`q9^1BU@hi< zSG4b{Mma5AhP{GrBB0f0QFnP+Fk$&?m81|iGgeVP#}1`{K#j!6y8uG)ZKelSLZ0fr}gOm>xC9YBUkzg};jrvvkz}V%Skekcyb}Y5*{AE~-I;>WkhyKmwg{m@GPS7vD+$%|7m{eA% zbgmbi(N&q7PjTqvrCC|(t`gyV+4uT6gh*X4hh&6+^ep}1_6*o=2sBX5n^xlui(6|` z07T&|N4WIrz58Dj`%e|{- zu-v=O&jW`d1;oc^Bs=F!z&g0xamRamy(t=fZ@nUJ2$9Ge7@geqo2Fv@_yl7mmK9A2 zYTq5g2k~3?cdOHi0pN*?lFLZ0z>b|RG&DIrJPDG}i8nOF^uEi*O$88S`;H*5?#X0OnawkFWl0}r zG|6Dt-JrixcP|ah?#OM+xV}OBSiCyhDSnq)q|@uQgZRH=vaB($ZgXSzm2w%`EJv}s zBuHFzoe$8qZK#hnL)5h@Uk#oc79p9Jt+vY`mY<_}+f%Qmp9nrzZN%6KajX@F2XC%L zg=K-()havEr6{qaNhLoG%e)8`@d&DpG#-!}*RlwB#t!=bBez+H4Ihy>zWsoo@T9yJ zaB5sn1M*a`Oqn?+x|8tVig}7_pqRcnraqIWNfH1KETfb8k~2SuCMTf}4NAqkuzQ5recL^5Dg^V4`a&?^;k&QVt}G9xfi@ z>iq-Ic05*q3)ye0K%al=k?^Nq!LC4H=5SxlY}c=6Xyd3#6nVEw##-{s$845$^yd6* zO*%euCfFIi!%EEX^@h=in1Ned%y^eI>r!GL&3e@DtiENdWM1m}6QDex*WQdSLYSH$ 
z7he`|i%e~w!k3dR#+ChfdUKOgmI;Zo`?!i6(3mO5`6@3p=9L2#+oq2PmrQ=ezicab zF!vGjmt+k)KXhUG?X^C|r(G75G9&tZlN<34H!hp@;#<34VbCY8-G!gt{IXOms~9tQ zIjADzmjH}djfsAg5~!fSk`_o_q=S%Sr%;PsfUQbiOofh+TLzrzKh}u9!_o##e+=O{ zh4PZB5t_jr{3(e`FzbXi0h}g7Aj-i|F7@VGi^-zwF>^xk(@c`eJ)u66Z}zEPbZ@r- z1EQT(Ub*lgmx~@+^7Sw#dJsq5-E$O}Rz($smz__$ciyg6)hdzqW4wmk2gMf4GnW9 zk$P`3eYp&`N{={v{UFkiHGJ5LDQe7&C6pdTz7hyYM<+DXFGr<9DD-|xRC=kKtouee zV0I?>3S^^`@NTi2fI^$nl4bksa8d^7Il9sQUeZ$ z>mJ}>D9fv3!T^)_OK2gw1GuE_=Me}+Lbe5HVeN~tA@C1Ir_iquK}goIA{$E!Py`2d zF1H?y>|Y1uyDXg#Agwk@Ga71sJI|Rp2GfT<DD?yi0ncClOL+jKjy)43qrF6 z9Gg4lz!mUuGUPkrV7dY8i$LIa;Ur&2D)=5I?D%vm9ZEHz(C8DxbF%7;@>ZKqHu9!zBD{msEyRTEtZ0%s62 zNLW}|iF)?u7rtikZSUylNvl6>O7`?RYa0qUuW*>Jlg43AZ;3X)%+JqvXudvQeB%<< zwHgy8y&OdDgWN$b_#R%11+Xys9m#4)K87E8%m9VriQbRPt-%qG`3W(nm67sxO}|=r zVrmA}Mf4ZtZ{QKZ_nhe5M&P3x_S@5!JO7ugS=!hm9}5J13X)^9mm z#HFI+vP(l@7!JX{s1j#`5)Jvdp;gTV?_um(k# z)T{_#y7&E+Wn8lkBpET0ObGuYA`Horya>x!w?L6Rv4Rq6JMv-nvImlR=;-ly(}aw^ z79dU+%bX9VO8hQ>c>;1IM$|IGgNF?V zt=8qiunzQsRREOheeZBLr#&#bC@t@IC@0MubRU;7$GIo15zq3G5tz(b3DE1y*lXw$ z3r7~Y$80vLL3{bH-`Yt(X08X`<}nQjYj;aGBMfs)W#)I>c(G6qd}TMn`%@+VC=M~^ zq}=G|xm8pa%%M=l5XcPQYE=Kj8I-wfbR>lN z4eG9;_2p8lC%A-bXr`+9_}5X6rPgakZkL@!n9FH@GS6p-ZBWcH{$(^dOdJ0nDwCNL z_-9H?M{9H zgMo$gI&99V?UAOvDWwc*DX?Ntq7Qld(o82uUHXKMj73LRcf9mnn_sZ2_x3l*5C)x@ z5AC7&vzLJC!F+q?DX*vq4tYP-V*#9=ort=B&u9NGmhF`IJKURJEBQ0trIPS=SG=}r^Kg?2aX~h8Pv#M937dd$_JY-Q%y2Apg@W$oO zOC;p)8cAc0$cmt%GuXfdU~^&LeLwNgy#lOUbbfPZ{1Rb{5@ z{-lpY=-Z!Mm2^I#GMpt)&$mHR&4TOyko67=^}zpN*2(Y_RK)yZdvTn}vTKD>2_LOE zyj#nll=Q?=Yf&mA@GZm|e-7tA-4%<1FTL`lGKM$j{{gNYVE-q zw&L`RNy7>w@ZnZichKJ6OlvqJ9y8t9`K;qA;+JJ0=BdVT7)KhxN8vv^)#h*|&B5~k zwSMf$kLJRnB5A@`D-52W+>w@K#$MZ;PZQ~FcUMSi_VjA>6#XL)s!Yz(S=$hM3CH-| ztHF@#dDL?)3?K9~4Q$qQ4wF0&Sez!q3W-ek|M9%|=6`kZ&-Y?~zS*^_$<+AbU-uf4 z)HdDa;7>hP*tyMZ6i$H+m9bd8aqROfoO@0qf*^pfcfv~|hqbS0EB-3$qX!BJpCMI( zt=7w+po{?!XrA+Om^1(^FzjjqC;l5Um?{Z?(@QGThg)K+U!O0@T7^ONmp2dgDu%Ep z1^msZl?cy8e^HOQn&;{e(-#{F#tzN_VkCuk{Rw^YtcKDwWYBDv*NZURwQ}5(R3wr1 
z*E-L`fHl!I)bZ-QMUR6y?<0PO*Uq^Ev%UKZjmAwu)6>&!UiE%yHy|_rz4n*Akob;+ zCfL}!nel9JP^aXn?u-a}l<;>`p5xA+=F1}HPK)~q)a0M$vTv?K);t83EqL@gZ}XO` z|11Ayq%qaoZTl+pYDTd8%|jA;IftSRQIg0vE%sMDMVP4Xde|=RCst)TF%{;471=O^ z{W>QNqy1G`@7#l-JQzgXE|u3`>16rcmeA+6WpNy|>WCv~-A~BV{Q96VGSWf99k21FMdfX~$b z>ij$CcDC=@D;7j7hlfcaBzDBri_P4Z9R4jR`ud&aww4iCf(6s#Km+SG84QD5Hy+`i zLUAc3hIJk}{6H6p@b`_q%a!kZC0Tk9@diwRe)H^~MSaN?)(c_((|^@gimw}Dw5|p| z8uLu;-}e*WnaPu|tbIg8CTfdO4v|@FM{v@?wBu!f0;$a^h_UflQ9JZQn2NOg%U=Ue z2u4wvEW^B*88PEl_%{Rk)}5JxoVm}c3B1St?(4nZPj(h@SkFeC_H-itqc8l_EeOAp z9wAbiwa*)DlFLEf$Lv(9!6TW9^+Dv;)2s>)!Qw7!TBPu`it&jFwEqJu%l340ZsNoq z<_e=!&VD-%{{0N%MQ{Ft7sO7Z_|*krz!6No+%ExoNA|w_B{TPO;(UH< z8Su3JJDlK%%c4i63iJ}gX7x8jU4)5P>ja&iqvg@3CjbQPhH={K&Z_EJwz0 z?@*qUi5twQpmDu)Qt9EhNbh#6Lm`DpeKC07HyHM6soI|n*1g&uurs}Ik;SrWCQp+Oy1t0+qKR&Y@_pNzC_X+4;ZfTnTT8`5X=dF_=A=-K(9T2jpv5%--pc>B{gus+uZ$vDls# zu>V=ip7%-^hlLAi`PndJpf2=MYJtw}FC`mvjt!)Yj0f-7+Ns&G z=#6B@jrH~QwY3K9B^@d0@)vkwVxr?wtLi!UoKCa}bJC~t`<3_7XZ$DXDWT>`W6?}? z(4VlqvaVk)Y6zL@(;?Zr{dv_oS7f}M z78Gc$pwRhKz&y?SlE%Ptr%e;QdDnPk>W#1cX~G9sAFo*x{bGwireaP`4(z0dqe;u7 zhQM{BKgQu!3iXF-r}uezd0Wq3_@z!BE%;p7r+okVGbA{;C)np|-!sL`oM^Y?)iS>V2e#0#w z9!RyW*T2G`1T#0iB)6Xu7m--y2uRBgj*_S1K4Y&9`WAcsiQ(?{+kwC1nE5be*Dk}& zLytA+Nf)DxP#kAwnXQm7iHVlqm1xl;&A7dvqp6bT5*i<_fB^ddA6B9Cp7eWhx`I-{ zZGkDN^u%hpw~XZsMktUCPDXf@85#F_=q5L(K2B1C9{JLmrD{PpT<(U)@xf}@_?>g5 zdPuP`g1`JE+;?5^NXshaM+TYXs^vD|B*dT(dL|p%slf2{)KDcRb(E4rm76qndCYtd z!yH{fGhPHlo$MU~a>#Lxa~TX*?H;9-oCGlwscW(!hGee#AH%=Qt&lv{j*w^iyuj*v zzBe;gX3imwnsscJZnz>0T3YFdcn5=zK@~B3Ga&Joyqe*TjmXCax@g{3wl9$#%3mNI zs`7#-=#R0a{5G*#RN&_x52;^E8P>TOx>|kVD$qCccRyL{VN!M;NwHBjuD0_~CoVFq z*ced+-|M<8fn68W)YRMyaht8S7h|VS{Q2_?Ib|j(zSRYW(dPt71mtj9*e^8D;C*y) z5mfknw0|_CDdj?|XdwR$FNF#E%hk@^b1^2_?C6d=pmRr{H;C z^hg^*m=9>95yid&$Aa$FjaVAYOvl&fIs|A>jCaem0ul`2w=`rNHMwJ6+B>=DgG-Do z`K<>#>hCPCs%LoP5_u?9EimFz9gpsy5wLW$u;Vsqs_$Wk3X2qBvK-EfzW+s7+@Z(6 z=@Gl}ooRF})dVC?;0?!$Orgg)3P(WC**{cZI?Ih|v>pTFVOC1<8dcW3N20XhyK36c 
z`n6eRlYaBXS2Flhw+QI7w)oE-Q)V#Ja})3N@4TX3#E!b8u5mb27eu{vTl{^vCT^-3 zD_r?V{E47oY-#7Jx@;YC(s+x#YL;hjYtq=U1AlUAYSI5d#-78aJ2oVhX`j>S(BMnWdIXr+Iz^6wV{+V z7S3Y3yeE&NU-T4Cy6AF|k%Get8Hb)~0Nz7Gr=Vx7eWWxnWHj6mL>PWiI*q-)qHQ)Q z^|sY*T7$hJ?n|YQ{c$Tm#AF*9p8Y7(kcEb^RUuG*`QL{oc!W$v3ay!P)>+JBkYC$W+4krE)m>h;rTFL7W!TvGr@5x7v zwrb3hsDvTd2d=&yfmp24Dd%(JmI04ynY0`?MaHbE@QUd~h(yThR0M5^B*3gK#JVFyt*B*E91qeM&~Wf`OaeY zgv94o65j84G32J_Prp${9s$A;5w{?{-A=ygz4`2cyYGJ0l-whU(|&~H5UzUGp>0#n z7rSkhvYZu@&WM(ffA?h>xEMWCA*hcJZ;4N^dNbJYc=fnrFD19sx_w5*UiuZ?@s11; z8+Y~oxT4Vz3@ORd-Cw94inXS|7Gm6H+dQf2kKyk)yfwAv_1r)1&n}_{S*xC6yfWW8@#5r9r@-oc&%^h&F(Np z^t5L9_2!`DVZ5YQM>r+R-MA4GP0gHd44}hyfCk{YAEdZ%Bx?FF?U)3h*H0?$P~y2h z6T9Cla3?OH7ZEC>pYtts=+F;~-ZYO@XgnK3^bS$|O)wLONb?O8pbV{KEpHQRI?KS` zmbeBG5QejHzf1K!5cl`FkTpbe#Kx^rzY^|ABmV|jXoGA=4+osUa2%43&HEx|exDd} z8wiy!=%Ik$Zoj@Y*OvEvKf%PRJ{3Rhe}0eB$zhNua7+@A+H24L{sWAG2>#m+*{DtD zE_Wy5ueK9A@|~k`>JrC01;v+;-F6bM5OWc`>03Z&TB<}(*z)@oA}JhZu(|$Bdr^z6 znW#6q?ECXwI1}OXyEv)Fq*wMINe{8Zb@#gpdJ*!^3BGNJ}C`o%nRRS zp+%F%i@ccZZrsnW1SBk0TM= z8Y|g+J>x_iZS8zEMhyft zgd$5;mRiq|uknxpzha^IrTVm%nypax7N08ruxc~;6Do4`q~QjDbvggzFfJ^nm?CN~ z9)}!fk&m1QT$`0Z5;g8FpIf7;oV&&OKJDJErr=mhlc&cLvplby3GKrzFY&I(ft;C#(G6-Ty0+0nX&p!a{`z>Cc!o!tk!d@GOR)l*m$X%B2D$8!B z@jw%QK8`Km7K0s#Z+0KCbkdh#+a}5v(a9_V0$PL5rCCi6+q3evproWR)naE$1bo51 zsndy8K3mD|8ELi>v4vus(9|)BpMNYqRF#Xx&*(jY*O*pLF4N1oed?eXuUm~UZOjc| zP;Fq1`JdNig`8#Hu)6;S`sx3D4?U2^3~vY4G*yXuH92l(9+*l5r1ie;)jpKIVy%TC zxc+^oAk_#e3}~g`6Psz`1_Re)DB|S_zE&kY1;{l=I3ETkm5&82daC(39e8~Uj*7!x zFQq6RaOE#Hnz?3D?s{l|lcJnZ53(L=$pG>UzHz!**E81u5$BES3L(rnA|QQ9@&H1o z(9fGT#tO8TDm>=H4gc-{Y$2SBOJup%7kMGgcxIq{Qy!|sk~H|(RWsyg%4;%G`@22E zHus}Q21+sOqwnQe?l4EZ!E&$jbCAjhzLt?9FDJXrGH^wwyVOOZHUjjpKt);(wv`AB zot&-3FQDD`y-CY`TnMD{PT#Ish!stgVgoi)Grlk}t{$mB)KmRsM#Rv@v+LptlhZnt z)i-etUdS8mlMYBZHX;ydzB+(?3UD`~T;JGGp{uVD>rb-SbPPD9o4*I-&&*$I=0D@N z41=mLN?h$#bi8_S!S=jXzD#05IOG2#?5%^Mextu{MUYTg8VOlxkWy3{7F-Yzr5hBH zE|G4Qbmmt5F-KKQ+V_x;>6&&>0uGt4*xyVrG{b6)S)d0)E3 
zyqnTbMP_w0Mfbw21bcTsKGW~=WQ6wjeCr9R8|%DmVq)g~7AUlB^=$~OTUB~A6YW30By)kRcLQg~a_?rludDQWXcY7X8Cz2wU z-)BY-5WgIy2SDOTt1kd3AymL=`ycRN){&(XDK9`Ne+^8GqaY;3F((~xy?m6)Z@L7Dp;~VNhCW&!V5#?A5-zkUCpW~T?c*KEh;x=G<~8b; z_)*<}PEkJcXeLpa!qgOB`Z-=Aood}^#PEvE-ENnjj+CEYrJVj&e{W~Jy+r<{lWB;% z#|obE^%nRcVwL8*N#X(t=5;`1=89;CT_w0FZCiAu$*&;8nd}U6S`Kr|#0!WnL}`Tv zm8rdap7z}(?>yXeUAbvgA(GB+?(Dn6g6S$E6XBoHbHzb-WQzb4;lcKU38^60sQ2H{ z^Gk9j2ONwIvr4ax8mlBH{+l)E04Obvjen<9`DjMR#qykDACr zU@s$wFQ9L2Y*e0)t8=sisqebZI{Oo|*YuJj;E%$lUa#*u;mjGR63I z(EdBeXUV{RyjBV=;qRVtFZVIC3wa|<16val6V4oSs~jn942~|VcEexf3dx?2df`T6 zWCY!fU6zOC5~3ajn*}vQs%1RUAY@s%&`p)Kb$&^XJ<@BIXK#?XW+uvA^@(=0xp|)S zqqgAv{^g7be>{4j@2M+;71BT9>j?`>PY!$h<-QcvgS3Z>GjAihO`4uGU*=DSJIpri znTr{F1zk$2-UejGC{x!R{Fmin;Z5kk($HpZG(;_$f4=c=Wr7_?1TIoflryAl$2k)q zg-%-$2|D$R7c0Ha?qs-^rjaW2xKHJO*-urf+^;))HAsYpn?F+g$A%O=qE(rnf8PNb zsjYv%5V>NP5Gej{Hp@+0;;AdLx7nI@&? z66;_UzX3^vu5|Tn0Rw(QPfAQwEaI(=hIo)=7=zu?jp@edLD@XJ#)p9%+&2@I>1E!E zjYf0$<`{0JB&DQqZy-K>+HGgvRaREUX3^)}_c|Jef_g5>jZ&<3mK%(lGQ}QU;I^sl zHJ?E6%mIDq!I+Q9 ztc=6AEP<_;OzzD}MvCwON|MY%FPN0HiDVh#VU>7Ai=Fl@*atzJcoRO26FgP<$_<%S zG~)HaH%*CGerNO1C!mwkI$hL^l2pbKXJnG)g~G_9DOv_dkD;MjYor&FfyDx8WMys zFIpAzuw@-Dm706bECP4W{V&$x`S%*K6vIT!hmA*WCPCyc4r{2$AwJzVDJuCXHD+b> zXHpgE(5xZ+xPq}6xo$E?G0v9AIH0=rn23t}oFpFP7x(%EsJeI9%Yji}2{1U#<%PyD zuyfx}e*Y?_ht-6OG6=q*z8n5LmW4h4N$Kqrk==mKT=arpioD0$S6La0-lR~asfD#( z!85gpr{b&cl$O%D3$`QZe>rVNzq`I6rKw7)Cp)EY;OXDV@QL1eC0cZ5wOpd2M~3?k z5#r9=uOD&iHZIE)Z#P=9`V4;~MifD?H=nheJceZMIn}z%Hq}x0W#8;LA9A3BUCyGk z(n{B(UsNeE1Dx;_1>^^^K+Gt$BdPT79g-kM!cy;VM=5-?80C`|gkFN3$K;kxLT95- z+8fm}3%{98#CV_xP8MK;!|5Px{<0=@}@m0%UZWvpwXu`M$fSAOL@ehCi#Ro2X2`x1-5W#&AF8*_gYGCmX1Kdg*a z$ZDg5FSgpx-$=JehMavLv=GRVcvUO-)OwhDGy<5rxd0-Mcs} zE{W#Pk{yg$>j!COm5^CMaLjaW5hbBq5QHX>?%SaiFs4wo6DDPSuBFVp9Q}#a z3+OLw219@WiO%b(FGM+5blQAIT{vbf14V7I0*YGa_bW`;01yjG7XWj92)w53DKI_i zl-43R=2Ax9)D6jv@YQ_dhsT~9 ziA^lAe?%)#5fT|N_6H>+v&BaWYis{-lE;I;hC(3H(}s}zP!qCl%ixZM%hR1k9lqF| z_9pC^(PX$yBWx}^61rjO`mom7GIip%&t@3c{F2?{WqZleb7wB(yE_;vvWS3(SC6CS 
z#tG43MzQ}>_y2e7KjSl(tVs%njDm5fuFb;Db@G66l^^f_0{?4Fq>z3$VEJ z>!TV3>zX&+Cfi(hxu?Xu-4w+O1mR;?BXlLs^`cl|1v<=V){Dc{cj+`TppgJuX zcw4#3TNm+EaI4Gvc`FO04G^hY2#v-Q^q((G!ABpd(lpBGJgNeaSpiIP z9kt`?ddMJlI~6Kou8&1WBqxzj4C2M8p3$8@=4mp)Jfp0PyAu|N%}tL>>StvRCuR9w zVSV|0s-Eu}lM?NE>%apcF5Jm`3sx|b zqvYMsG^tENf+;PYQWUrlDqI6rzozVPefLh(RUlOYwz&tl`}B5r{A7NGNtrol#6qmD zr=o*-00hvK+BoNY&SJxXL`v9p?-OmPTqkG zaV=HSX5@nRj(~ZR129Ga3YVkfr!8cnm9$^z+F21Phxt7?2zE=2hdk+?{0MpJ!W($P$>N#KxIrm}QxrQE2RWGoBXXd%0Br^1O51&lyK7Rl#1Jv}64b z;f#?kIUWSpo{j%3RceTFBD^>0GaKvqv@q=wXk#ys?=V^4q1apapTTVIKmIx!RGFzt zZh)!0m%VF9LO@AC#GjDZ;xwHRAmWEToqP?Bl)i#~Qm&H;eYQ}}ia2<7?deRa-;Nn~ z|M_f%G z(%oHvy9*hGQ;9LN#JFg&DTBSmy@GKsB6WAEEa^1Wx6-7e)7Gi>n<{LMFApGo$olGR z+PvF$7D?EO9bn$oz@tAS z&SD>pHj3ar+Ux3ZFeC8`4Yx+ZBVD}&VPU)(y%p{b~ z1&2uWDKOhIz&iC&k3Yt5EFw3;<2x264<^4?VG>K7Ozl=K*E*qPwTJL^xM3#(w_`b{ zkHWq`eOjPxZe3&_YC9;)UM((Kpl@#|kB1`Q&}JDVJ&sfl#N# z%@+|T%%wu3#6R~r(S}DxCayfH+SF;VQriXE(6AUw`bO&ST*O^nU3St&XV>@)N8hs0 za3E0=Z>5M$`MPrBSWIMRe>&yvpb|!@rf;lD0T9|+JlEgnzfI~l?)P0%!~0Jf3@k4U zo=P^{-n1)uuHnG+j+oMjIdIlfp7M_BIaTr7*TMgFn7;!Z=1I0UH`_p8u<7Wre}%f4 z)_;WYz1ae>ylDzOrTRDV@$st-_+4>o6EhmQ1A&z$Ass+wz-geq|kQ(Hs2o?Rne+mu~@mt zZl!h8T~!=2JE!HftX*Ing@5XxzNNrA+MpIo4FwR_RrMr%{C(d0w*FzK*~0`D`|=Mo z;$Kp}x@83uXS2Empuo13n-`*16Un82SB66{{R6vGzv!tI&M?E*`ixaY2H|QoY3EwB z5Tn$0l9G=gOl^koKo7lE6|kyYkND%`Z+#da0ga>+q9IJQ%sdp5W8(vNrSKZwa@ zxY$0?*OZqJk;lnOOYq>v?RGOz@R6C9!wCgNV>H!4bXEHJwb^>Z)TR;f!1$pZa;{&c#1V4Oi3`| zBHP?OHTSUUx`ka+?P)eJLx=bsTy6uVt0nojP z9@e?-yRmJhVbd}s5KjV!&VzV1^4FeAp~NNOfp0@{9x=Q9w$8MhqO>LSF96+>sGb%z z-53+{jslD4w!S@B=OgFj?*Z6IL#4}wxwvEe(MAsnU$KwFq^V+hxb$2!J(I2BGp zE_&3yZ;WfHx!vJwKI-KQ!;dJ928pdQui2A>)2h+|v6qzL6N0c2BQCY!qJm8C-xoFl z``=x@n#=T+SWZEOpk5y9-{XjyvN*_Zc$W{a+&iryCvUC4 z_g@q1OtYExyIqT~;mtOqQQW})sy-eSUsWHv1=VM^d~mm|{FI>f(2ewRH`*C{PIf{l zs1k63G_=mMVm`3J6*sDbH;5XaMgO+S4F6Bb%stoE z({te+0yx6Ff;%%y-s;xVSt`JFy`lMjo<5SB zWwj>WK^}T|s2=u1M!r_{6NIq5py-K|JiGiSDftU%hZ=dgeKnkz1KHhTITL$!qp&V^ z!#?%>8YsTm_{sSJ^<$$J1LSx!u+>;2j}*wfY4PHm0W0(xOqL>nlFcjcH!C?_cDAX{ 
zWWSK25`v!|T2ltWLP~(N;uo>;yd&o?cZjgK^XBtAiTEpWtL=_x0K*Bog2E#-On&rZ zVjI!x&B~-3i6r5o-QdKqlo&~z*g^`fD1un}bX;o?fqnnCzOFOjOJX?fs65<-hVCWe z;SdMEl}fF%U+~{V=s@+*4>9poPI9?px<6BHF9yP(uGn-Y8|QDjz6`M-3I1nia5{Lh zEe3Eu|4#uE2BB`PERJ+Ysh!K8U3vDW^QKkT82<{R2_{?;P$iJ}b!=u+3mHQ~kH9gh zjDTE8i#<{q7()XOD>h1ncb;K{*)~!l@&@v{D28>o82`X!Zbdb#!-tNj&C2ydZi_ft z8KBV^4Y_;w2=FM-X`)v0LHGVT77t1#o&xj#3+dhMV*H1=L}(sg?7iaPU*2cCp%vZ0 z%bey$``yip4k4bk%{03*n|(9rvu6rp9j?Lw1P9WGW}Z^mhT)-rRn-Gnj0(QEycG}c%Ys2@H+1XY%9OHt!HJg z3n=G#2}GW-MsxUEST2@E-TdXS=6jf3r=jG)CpuAqM|Ocz&h=!)!`>uZ0H4%zfJ6W5 zI`--V*i9~@z+j?R=8^a0Y!UU4FP9U$~gTse6fS z`61KDUJjL=@rq1I%aW01^N8AhMP&F@@dG)9Tw<79{QP}Sjjq=VZww7(AQ;5-$mBylQ&4aCWL^Qoq1wZb_yQBx^REn3W|s z-7T1T)9ZoQ?b|gN>PIZC2@RLq#fttPmrPBcIcRHZSDQI0X;k00I_1Kmb4@Sv5|&b8 z2~_xS&VKF2G5lHY1R~s{maVF^DM)e_(dMyko6v)yioL%$@%$$-D1$tTtwBGjAsw7E zYjU4)voWCX2uROJ!UrD4hCdM}%n=b{&3l^w1*g62jSB%%glwoj+EF@<>h+y_(a~=V zDI~CyzHiQ*H3!;Y<-VxFBl_iU&HfHd>$jN+G{$B@j-$&I{Oc415NN7o(hvo(T|?sB z!e1#A7WcwDT{7DR5`8<$kYxQuJaf_&jUVh(elsz%)V?ncZ{LPW$W zc697BQ&bQ*O^Ai(v1xNT1^IiY-_bLvG!M_{q)jm)XQLe@8C8ty$(FuXBgXME2mY76 zg(EpRnSkM>n65`j2gsqY?YO=60*pc9S8rdxTIEoV{zy%6HK=z3ZjB@ z06{;k@21_Ya5rw=MPl_Ca`@RGs9eliS{I_|#&KoS%#wEeYetu|Ny!9ax{GBXobgp1 zMWINcU<;5UGVI~qf8Z}TVLaH*qdP=r2Q9SViTDl+S1%V7G*)9LsoD5tQYW|{l<&Qw zW*F6pV3cn4bZst;(;)=6Z_+-u@(0xe_YUX{^RqsZ5W3i|+(+#z_e9pw$Hnw{+UXB|b^-UbBMFg#q2AbF7P0@F`}13@xI&uS`m*4iyPfZaEmwVT zk1hMH4J z6E=*AFK`j;5(BGo2BoSrbo4)noC;gILh@Qf)27xG%QKX>$KjsnNy+6Hf$bLHrHB0k z+uahEJ?hHxnm0y(4Y0bu%Py{qh(CcGa;5(7#@c`CvF8d#hMA)h8I$k1;crzr#{*bE zqqmZs?z2B!`(mTjoCwti5GiT*Wu*)5s>b%IUrG^eMy9~mN>rRXVrKSTggYsZp~HSV zreqZs*G%mrA@BnZ_kJPP;LQQ!_UACH^`P^Tpi}^^v9Pe%y-4X#Ad^q|&J7;#XW?9a zY*r(!LLXJra*|$pMquLvaW$R*{IsbZCM!w?OE&%2-Ky5kLSPYPgfpIm~UDRq)Bjv9E4V?t=><-Ul zeU!DFbMd6eYrk$oS65f0YxNB#+;`Hs+atFPR&hRinGJDQ~! 
zpMy;^Nya`uIyv$iokdvQemNOyFmWkmK}ZX~Fv4N`P;?y&~r+<1q7NBmVRA zX900#h_tlr15U$BPMx^~#Bg^IFLQIpBfXGtW-k!?DJ#9{sM5;E5SC2WQROnzowdG{ zKE(zAud5_JRtqXN)E`9?sTreL8GDetyu5>0)Hq1`WLSJ7W2N7*odMYABV_zj9o+df z6E!f}A5JvQ&4o~T8BByPXLr0))(#&cH zdAxCItj`~xY`e-zVJBeNzaaB=aI7N^4Ozd$eBS;+*U9L#DGQ{D)c{;o^fdMrR+o6{ z<#Ct7Er16=)55=(H70iw4a%VHt<cs>ISJPyvvezfdKVclwk-?C?i0WeZ)X!@_zp0>t zMVp_C8YBOPF4uQl3JL*lpW4$cfa~c#dX6!^hP6f;Mv&p^I(@wGj?!6 z%@=F#6JmvQz6vn)WjS>Uw=(WKV5}k_TzAgi5%aRXm);i`7g}H}Q>c$g?3u=dbo;Jb zMScw#VgEdxmT=S5u+Qb}Wh`&%i_}A1lp;sEqy}C_qq+~TRUkgyYEhp^oIDV~4@lR1 z5kIXE^{7xl8zg??;xITY=T&f(){`Mn$6GbGG+~cr8j6WJAvcZO$O(!W**^1Hlod{KD+l zAI#iAw>xItrKQb}K2ksYxe}|GMB^w(d+UT}+hc3ABb_z$)>^pWM{Rk2lNWk~>4~@l zyfHdE?flMu-`&j$>vuyP^d`6ODfL;>UF@VT;oF1CK4g4OkL#$BK+^{bdB$!wdCGfK zBvE4wxKKAD>yrQV#SNNJk2!7k%J!TYm{^yjz$Q6~Ltivw3o5dc4}lg~O`wt5P*@c=JZJ(5_^ESQb@A^b1*`SaFsbLoA0@Avfyj7 zqN%6FldY}scPRtzWyGL^B5srZ`O!znot&P2%Z3@zaiH?OFqC(0i8duNSXqw5u&I;F zlayBehr7VFpdIhl4st~6WYxL)x!n>OHR7%YfIprzeuKNdtNb99!}bWs_beki8B7eD$AS&W)PW!A>W znhdL3fqMz~R<%q42@7F*!sXTfHv)%#RYRI82{b*jpqF-l#*JJWGYoyE8}w^J(lnaQ zU1!>^@>Eq?d^L~iw_G1Q(&o0*<=S1V7A2N(-n=J;H*|irzTGEY}e=bDd*`rd(sNJ zEPox_1QwepF^#1Nt$5qtOP{bMrB%IQRpin)ACU%>UX% z#U>b8say&Qz$N^>GnuCyG2^WH4?SK~qtBJ;*dp8mHlg`F8Ws~oA$iWdE?pBJBw?ww zpI7uz5#xcq3%pNXWMuvxea8IlMI^A`@<}F0Z3(#jp6I7aX2THT(`hHH@*`gpo98~V z<7LQTlNsS!ee(0y>3^yY``S&GN#}vOTKbX&f(tU}?7tH;udzM~A7~6Ir|DSYEnv{6 zNtwF65E{G`K-fwj&Pd#ox;(a|CAkr|N{03)`%pC1Y&FEvjK&IoJF?Z#pnQ18gy6I5 z!i^8_P#+ek6DtR)UEc6LoSdGvGbS?#U;}l2{3XPS*~&&*r7nWR`)a}N2tN-0lS zLKRxwAK;5o!QAsGC{=tb zB8>|O`v*Iw3<&RZ>lu-%oIBrgk{FzPDzSQ1>m!$!(L%!c4uyeMSv%IDXh*|$vzf7}vVnI8-2e7j$rZL-g zEmJVs=i{-!baX^==|-?6MNpqH0RWFF;nY2wlEb*Fnze$~t=hs6v@YDsR?`dN zj2FcBi9&v%!gHb*y8`otUVdk4tCCTOQA%}Aj?|=c`C?I^HS6Eu+A*X%c;BVq#Uqaw z6-P^2p7tachcq<6XmhR(@>x{%W5FRPjZGL+VzBof=vSJBw<1^=VV{~g;|eS=3=S(p z527Kl{2+$dC zgJEAOP&5*U1^QP{8PK>j3+sbd_cWW_f=|oJDz-X)-VvdA8Vq@&AiwS$1kquH3G4GX zFROV+{V%;{u~u3tv+xy^I~yUUJ-N93uoU^8#_fG8$@rhTw3j=LrAirBe(kFuv?q4G 
zuk7bDS5~VzaP5MLzn9a*a~CX-cl}qRS_zUoG^*>D&0rP=Qm|L~u&zA+9RmBWK+Myt z<{a3`G@r5Kzn*IKVg({`uD0HNC*`~`i`lvH7Iq9#2F;4lWT)qkONlpxaTJ8qUcPDc zR>lHhjhaTS>bYi+zq`4|J@RJxR>*T|m3m(eB7c6c!|6e+E+x=?fxG~+{*?mji@aUD z$PB4=-unmAj>oZDxh}vR+%>4Wf?ih_mU8&!0t<==`|)mR?><{)I<>Pdn=F^6uJ3%_ z2S$#x{?%Rc{M$$~F*xk^AKoC*B#>Hl2^E}&ZGL+p_WM9)!d6AK@QYvwdb ztC&q`AOc2-3op9wWo4kNyROH)JyT;ByDxnc#B%$`577nRv8``}YQEx~qVSctKhhox z>~8PO%m$<-nEUNT3uFi_thY#1uQQYaJr?0B<;)wW_1iWe+t zN`uZ`e!bRxoaI_y!4ueFpxK>;_1K9?y-}#M%GEXEnk6 zDoa5cgc`y{@)o>vwUE~aQaX7`$Nv9mp?mKySrwQ1qE4C7z%aOfNK>XEr0q(d>kgOt zO9y3eUIs-%gCKo`u=|ui<(>;%1E==J@u%#w)kl$~jIeh;iOu;yBa8so4v6$zI+N^t zf71Z|=j@<=Z=s7WFel|SD)$(UA_bB%AtY*l{LCb&1(ixhP>*wgKX*3fF@tG)?VA;~ zn?u49NbZ4vScAZdVU>U3Um#D+;7JD^2#1!HX}%(}cdq_K7OrlzF=lT2SH&>^KMK5Q;Q8_pGHe{%kDcb)hMio9 zUS-??hj?)W^wv6X3EaTd%+7bPwr6}e@g4>;_lIhEEoSdFE_cd3?j@5ug~2C{l==ej z=?yvx@oh4Q_ICLTc_^IRK`^84Z#dL?>7ePe5h_J|9j*@suJ(Kqe4MXm64e#I^4wrn z$##}Igmi z*!q+33&dC1P2AULHqHV-ltE|KWg$gMWLzj0oQ^`pPP`9j+X}{pCV&uc*RB}Hb!P<{ z@*#eKEhy#YoR9)V_i^sG6Hae-GipuQgm@|WYWt$6koHRo&Nj2+RbNkdT}Bo-s4sD< zSK+Y$lR)a>&f|82_kg8?!AQJnCR?o9+;g&ny#d+v2vYs>(8_!WXy5SMf<;t$^zsbh z{LotO`$kZ~n8#ERLDL5N6iDtS223iom8j@_ST`8AIt$dSU_cv2b`Pahg5)Npv<|zs zOqs*IZ?s^Yx|X!DYZ`92G!(UtR9uH^UMYc|;;y-j0{`7yge6g{geW`7p7y%L=ZSBy zE=?nJ&~J#^Bp5U3`mTU9yz2G1Xw8(VlIFqdZ&xi5H>?vimmLw0j49)p{#OYtc31QxXH}q6Az`biWTS^mkYS9>GoN0bQ;RWjp zmION7NK6>2=SGza-Ts#$`MT{_b9IQPWgrXxsGX{0GYF64q$4JJ>weaJff)mg@uO(Eb@ z9y#Sv%1K-F+5!xD^ry~Dq#HBrx(U6(bIk4)5Ym?N=&_MtEbp&Sn0n}#aZDlvzzS`n zl;q#-SI?WbrcVfVWOo2>Z30}>hb1*oG^CFR_WVrh8cvqM`<-iG@@0yDrNYY4T@~ih zW2hn#3@{#)Ax-yDFGR0IVl-3#J^~pOtL@-awjlXW-4906%0KOgK6QNeG(c%(=wuz) zH43*U(L_Oyp(6h@@Bg=PSlh&CaYca3dueJIeNU( zvQ>&Q83}P94~%<|AdtU0<9JCgdbx)cnZh(1*`5vG9~`=Lo^5KBNDuzAdfl!|7$R9K z1aCWEGxr2cC_<|xYX>xnOW-;rGclFWpen0)>!|88LXw_mUc+!MxDt-Sp#K${bMnpb z-$SZ7AF)!ZAB8^2v6)(0L|A{5(&X}GHR?~Ifb{hoj@J%R%1i#(o77Vt#Mj?hfC-=1 zS2MNrjM9wUCdVtW6s8)S%6A)(5yTH-tu;O>QNMF`_xlJ$+PS0@0v1Q+;FdKICu>r1 zU|M+FA&k%$m{CrcI5w~bGsws8>q%@lQ}!sWC_PsJe6q(E?OAe 
zX-3Y&B}@zT5Q~82tIuD6UfFN=U_w&=Y)R;HasfSTj2AInz>ty9cml@qFMsgPOGjF2 zlCP|C5Z>EGCW3~RfI?^C-Kg`^z!^o{$@v=2_313-kleL!h*a$)r zme3^`RGE#N!LNGBdTRIW=IYFZJoOcEiXvLo%e(Dw)IR)=h&N~B6V(DFMdBP?N*zHb zhpY}&7i$nsSt;?{UI2|;O;!GN!?rJDyq8F{&A`9-Q zW6{Mj)B6&zEPvaXI)?>fHAiLLetU7WWPBa98l?`IM&A;cw&XV8w;1G=r;%%~jHA7- zN#vZInRy#xr(16Xa(yk|ZMHN-;)tPyiFYC_f*>3;z>_|aO>fV^nub=wXGuhvm2uW? zP5)^tPaCw@`nVS?;fqOqT$Wd)vBcEQibqj@YX!VG28GH+)GCm7=_%YL3a75t8!sl=W7Lm679ix4Y~Y`=@JD0d zzS!T5z5S8BH>u>idT%M4?a5JMotD@}n<9lRa$Eq(J3 zKd46Iivrv62O3(_Gt#lRQq8pUf-!dBXZ7?2FiA>ROR0L{Ki1*eguo)b5s}ZBHQ}hL zM1wtbfJr2|5vht{SZYP=1LdR4lgbn(nAov>haD)%fbsoG25(0O>}FD${n~x_JoC3a^yn+p;d^O-5Hoo6@n6 zc3ZB}QkVMCD|ef!GEry1Aw9CLdFyBG_wftXH?_{X*j?Y8R~DW;<<&DlDWSh0YxnjF z?Y~jsud&t%(cXL@Cs1BIV2B%Sf3X*~~tjF%1u{0u5 z4c^alC%cOgk()*+T}UD^!KID&ametJ3UgzyJSq-ilQ6@K%~LI)WAqa9-;k z^|kvB&SCOyvuBMD{cm*n7viv=3M;opP}~`r4=g_n$voXvVTb(KE_e>;OC`>E!7Tg& zyX#k{2$}}|OHh7&7<*Xly7=!Tu^>UQuRDi88hsB7HjWaW_Hwyy)E;yZLn(4-*ce%s zF;yc^q^gfLmxqokEErd^m`vuWa3PnAYM)^kRwtf@VIkbxIP2#x4X~;c;u={-APXL4 z5J+L`qQeqt)%oQG@l~esaW~JHB~gS}h(|y01hq&uaRSysMAj%pk7>=1Jdc1$FlkIY zlH3-Z7V+5Atp-p$-<+0JTsWi+d_P`MTV z%;?Aa(CdF$CqiCmtE;PPYlkeazn5%K2!sxYyycs8tH=uoNcH?c`(Igxm->u?G2oxB_a< ztKnggtme%WIkup{q~s<>pb=~1JmAXFrpOyvz;MG2r`T~jA@V`#I=1&pY%2-&Z&Z@M zGTRmjUztbMm<>;U-(mLTs!gWDMICm6Bc!!ZRWA>_vP{e|%3*IB7Z`WZ3zAH{n35DS z2-6tAMy!Co(jpiQj`k#t(r9iz@k0-;b1NpPk~^@#p7|bfzg&tWv4J=bFbou!I zzOWGtHGuz;9igG8Pv04CJxXD9)M$L;`cQh>+#+tO;roxrNmq8;>2XNdrRZPh`uuR8 zEYE$Szxp^DX}z6JBS+E6g>ew(-%;_uy|G_-XF@@)MyLSQj~gFQ#NAiUzN+R#;gmM& z?FB2pP2g#u=zI&JG|SND>}n?2c+dEC3Pn{K?+oo|D_CWf-)%p3Pen_=-@}%DB?OP z%EysiuvbOBI9tUVW?z4HKHZ&ZUWLqVL=^+(SvK47WC6|PIQttf5WZi&{i>F;qTHLV z!6WPWbdHD_qFXFwpO_vfSRe6sVlgd&Bw3|h2hWb0X_MR%MZP)H%eOtaV zK*=yGYK2TN{ha57l+hHg05Psg#pe~u=P*>&{ff@Z@mGNIkyK8;1jHM@`SuVn&jNNw z8qA}AF5)TOL133usztIvU=6SYA$Z90-cfHqu$ZyM*X5p}{@@47gMoNS&5ca{cd4%o z5{du#AJ``tZm4|4$pPE7AIb5_B1y+~=bnN}p6*mAHZw|^R@ULZ`Ugy2-Tb#;+iCr* zRRrGIrg(q#YIDIK)}9`bh_#Ds%4Z{I`chQ(CHhjQpD?U?c$xmpWcu>y?9+sj@+Kyx 
z2HQ^n3KD@bQ2wZg*}c29utA4=6{a9rQT=B~V9E)|u%S=lI=By23pZ0F@h77Dt zEr)B$;t-8Ofsxx%lPRBFm1mwf95*|pS?-npXxww~@o`N2DOC6+K&9VdwA#ioiixND zL0BP)?ObJDJAbD<`(i?eK)8Xnwz_Pb--4Wz-r2p6_b=}4o-JkMV+~FeKFQ?n zF4u2b)m?K=ete|XeR{06d!#jR`nr*)?ednG75a#A7886N326L-j-lSTIBs%~>24}F z91+N`4WzBpz`{qMVbvcZX{lb{DZ{LL2p^^tzr`6mtAOgQfyvoMQN)>RtED_2Zq79? zClhnHDBY(Z$+-QCsot2Z<&;fOw>`U9c8FvviGK9GS(I!n>m&M@XpeDn#<3UX*c}7d z-yJ4{J8a^|9kznmTEg|pqAO6 zII|}0jE=+XY~`uuSe)v88aZPrw4|J0GIs5QJ&86O;MF8yyZc}??fjIe_*UApzhC5U z8Qf>UmAT#^tI5rdhp1BX6=Yg>gXp7tWup7+Ly&YjozLfQ*iKZgCx1VsudzD z;Bq_vWLfKb*ji@+yJ=8p|43X?ArWAw+K((?W!({ub5#DSx9|b$ShB*lppJ|q5AOzB z@!CVgGS%L(F`{G8?<6G{=jWR0LlC{5C&RZH+5hx}~^NVFXtjpgSNflWh?Avf#-&d|#D1FUHNy-RK@1yR=7N zih>KQt5d&AO5=u0MaVKd^9vKv{`l~?e^&_pES~->S;p#0LW005IklZ671p0`+Nm07&`3p`6(IS!k3D3>`G?u_hcbb1}tjs>tA-Qk{XIiXQfpSqdHgQd zb1{6dAA0Sw?^3ni--OGTyZw}Fx0hI`W#Hz?fgMhDszL1nYLEQ%jMH#DWDBwLO1 zt0|r$}CI^N4@9h){aJUch$>9$Q5$Fr-agM<7?ELx%AB810F6)=cCC(Io11Me?; zu*0~|?N2zxvtnnxO0U+L$pckKo&kF)ufyI!`eJ(3!HQ)>oZSlI#_ZtnNt>ACa1qgbi#!~n@{mzuFR`rXt<=^DO~@;RlyOb!5*cz0?rHq7M?9~{4^1U z6N=uOnqXmvb&(O0+ffUPbD%0^Biz3Bu&!dJ#0q}NZ=86SDTFE2pWb04`e|)f`@2=+ zTg6{}u|JwS7TDr)6Sw_d(EhK;x_yskJk)DI!Ou_HMaiW3Xm<^d`Fn7&2-?3i?U?Sn z`sQyK<1MM1!l2|%3vOwJeOI3Yp%IpI2It#`D8ITFz$z2N7g8M^v5Tvqm}^T@vDD)o z$sm{0qy*}Ix92DHsCNYg!1W#e&-`&_Exeq;h*<1?v z-Mz>r04ehtuV|DZYQ%&*bL~Dei{(e>pEAWdHZBHWGB7cvJdx1Q12xp5rkR74(3n{J zbi^MllTZoDh+)!-ePp4C=0$b+%hIUWM%Oiac-`H(+=9r@f`}a{W{Bo5IAESR#f+ECk_~>Pu`6{v;P&H!iG@Aqj02DYHiP z)rwCb_>X+Aecp(J*yRt(CCbb3gAG+87goFudTWR^Yo~AwyQ4zOWb`lhu~51(9f%<0 z{&L*nIvba28Z%K)@dVeWo`i88!pZ2LcQ>faGQPXptWmpFcufDuE}gs^IKV;GHYaQ5 zQ$AaX)A=LBQ(gx!Pl4O}jprNF3Q3*$CvmJREhWpnJ}`eUbHi!vEE(Tm_i4&$rVBP* z`d;}gZ7_1i=+6##u;Jj#7|rJPFsvm>;Y-yg>iM%JJQ0)*uG z_kNbp3#Z@&h_%ALz+fCb&wj}O(d+SAm?rS^lSgpjLa|%KI!+=}0>G51(?#6rT4g;<;nTk~Uuv2hocL6I51*_A_)?SW>e3EHLbKJml zFkN&FMZlhKV-kP)x#bHcmv{>T>ltowMK1hdDPCA;9lv}S%g>Gvnc6^X_IL^0`Fk03 zP%7i5gY&`@y|#NKha0Zsj`Z^9Ay^sytxJBIO)|7RkD->XtLD$G>-r*a>W?b|i#AZI 
zmx8B$oaIR4mM*f3k3b4v!~t#G>)BY%`yZl$ew871i;R+|otyG!=fx*yRX8bpIbmH9 zVjL94`Tq}7UmezD*uE_#NDTx9B}Pa}DM+(Xiqaw7B_T+s!04e!DBUHYbPFhrbazNI zI!6u0_C37s`#X;B-yJa6o;$AVyv`6FRbz+an5-uFHTzawj_D)~7~t~Gc~fyq&5*}qmZj+$c`= zNp=n#YQJm{WVr=vBM^H&5hA$>{sE})`oT)xVC6%A7V#Hh=4+|Mp^sW6G8z~E$D)8hn- z=+Rd>KAm=a{>Nlw$0J*2F+bRe7$WiSxLV5NX_X=WOgZlRfw(Qf%jB=H2%rD#|6zJ1 zOb~wx3=;WcWy$3=(Y0T3*CB8Lad`IyRU1+D6(g3GPA~g)&{S4%7E1<$Ef^lB(^8am`^8 z28A(F{$|$D6#DxMdo7lhoj7t#zYH8@frTK_S~;S4pghc>YM&Imi;$iQHwwigz=h*K zWzf~di;$zJ`pB@(nxyO;mveOi&wef+W>Dj;$z}k=FlyagJM4aU`r&X~bNNHrDC|ob z`M%^P^!X&L^UXsz`VHsmQI520qFlL{HD6NMFeuCx;HcZ@0bhIgt70^Wk(t<~dxp6x zSq|19fWEI-DMk-D?fWuz@L{9NibrBHzTOXg)v$@xEYXYrg08MEB3UIrPxCj(d&*b1c~zq+Dhq{7B*=$s*z5ZuQ9T7W60kOz_T)TTtfB=KZwnRD{Rto$6pG zQi#OlBB;3aOn|fEdGTaWQoKks8Joc|u;I4|fkoChVPF2SfeYskwY)M?u8%r1Nz;S%LIbZdRzJToJd8{NQ9QF3EpuN~ zvU<@bD5&k9>@b>0ieT^?>=d1|uQark^rN=7W_QCal7kbYf7N0Qx8U+pwz3*A z{Y%dnZg23DD}3s;uQt8egDH4et(G)_8VmQIpRa!&G>vy zp*Ciu^Mtc(Sd*e>?9ETdEa6|qpStw7mI}FfJ&u8F>Ec3{RoTtFEN8CLMPzn_+<#WX z;HtWDi*arJ;m_;s#l{VNUg5$Bzwjr|QF_N9*XWf0bb0T)pscFv?9(UqQD=%VI2pdX zC$1SVz4W^n{WaZ%$sd`oJOZc$Vjf^a^-hMxmn?361pGcOvBWUL#2f=`9TqVvn;rq) zFS6S|!vy?#1YtOh0}ptaT#5?bcD?lUOkO1Vxw`U_6}xBRrdpVW@O_~8HhqfzMRWSe zaNpkX@VD-#<$X{cXj0V`-!T8<58W&QH&2+sZMs3LbE@CM>>r3xKm+A#j;!1~Lheh* zJi2cv)~14$cu2*$E>46WZBM01`(S~hTU?`5Ao_FCi5n#mAu+zG)JjNCn{4iZ%&U+wNup9cz*+b*yT2uN=?1UpFKYH{4Ru zFYx`(7Kmi$)d(j&V|yiYe8h8G@2&3;=y#9fT>$x|yS|WlWbuh;6aH$`!vCQ*i^IGK z0wgn!QH{77@jdh^DYiyRI52@!x7&Ov6tm~Bfp`9tw%3UDP8rZ$qviM@E6wI5c3j*UR{8@)pM=q(6PiU zEH)gL7{X+UZKa@u1-dZDCCvvlzB3;qO4FCq@RI4*iHvSYuNYkIN z>lcY&M~-5LpuMj!fag-yn8VpTP8IPIr?|dT4D9}e(MUkQuP{H~#}^g&b!2k^a_YVB zWqvJDyhYoqziBUv6o;0iYOW{4q#p)LIg@XI9{d)lmA8qvY~pWuWNP?OyRxs&4JG8vE{(#~HA1p3{7%Jkd1+P)kfuy5N~&LS*3&@fHFrW(xSj z5QtS4EYTh*cYfIon6nf$uC4f!-FR|g9>FS17RQ3=6yD&elFO9iIX*-mbr^fBa2Rs$ zHUSfH+b-VQ)8OoIMh{>S6P4+t0a>bTEyNbznWdd?oHf46jkN+LM1t9dTrF$hbN3dl z*}mHPdf4fx0-T)TTUL}5DXqYA^!%YWU@qD`XWi7;2w_cD9(r(0rlYzz(SBHplGtW5 
z0Ja!^uW7VWO~;Q&nCLnzeVKb-Vl;gY&cCyvPf$eKCM@~jW+R(Nf`!+%^UW`^1bx`f z62~Xb3=3=DY={LjnTNbkl)X}+Ic8GECO+h_QWhd zL+O5sO8oHc`aW)U(FyWum=t=E^F}wk!Uv|C0iWr+*DMy;%gl*ctW-iNxZF#2TB@(l z{DPRcjJ`1Ip;xTwhKdSWA+oGkv6qi73v(-acanU&BOgf1=%Dc=@zB+fiV;Qpx~{)d z=sWBlZf~+YTcOAaY7KHlKq)yf=~221_;|m#png2)L(PBk#J`8?9w85(Id*iHCf>g= zT#(ICpucCJ4F1uckK)-6y@BQpM15Y2b=SFqOWqQ=vs z-ZRypQCVgGU)26Tl?*A5efAmq`NsE#P5kv9ruJcj?v<17%?;Onk=sUY7b)+kyuXf4 zY5$wio}3}bm3`@NV`r>uC-uS1ROjuy{@W#O^(ABV`4ruG0>kqS)dl+|L4L1yCI@}L zCVWmTZ07QZYDh9T_&nPZ{hC=(vYVC2Uu@~SqP}%&TMf}2HZGCn+oI~@n67Q|1^YRf zYxL>c`NG2ai>w`VQ6pJRjsGOWNA7v^dE*c1>h?GG=lkX@ zmF6v!<}DTHEEVVLsq2r=JzaJSa_j1e4MiT-N!QVT2rH#KF`VA4FX6W}PFiXfF1J?s zFrWInj>gTvx!=(+<6onAp@+5(37Roz?#l07|5(YCbxP^zBi^IxNJS@{a^d7IeQ7#c zyw$`xdf!~Gb$Pd=Pl(tFL|}YDVEn6@>q4R7Hy=)w>{Bxq_S{NlH@(*ez9&BFPAvq# z&rF=b$C3v9*v7I6VN7L_(EF*GVq-@GUkh5s&Nn-v)c%TKP|o92$7C_xBJB>dogrrw zUp9Rz+E|;-7ih>VK@&|3wzU4)cBh+XWmzI$(7EPYg=g5aXIeoPA&Y3|&4VjK-SeaY z<~EgZJ<@yly5%a_&(~Rime4c|xdt5gWl4Bn@3H}SpmW48y?Y)_#LH^`u64xYL~G1D z?lRS9VNMHAsw+PMbg_fjE5H!AWiBBtH5IUS(b2nFZVOR8`{p11#Cfy%Ats1G-_@s` znqn!3njA<69I!)y-!!v+Yn#1i0k4x!_*n#?u#@@;{Ew|qea`!W|`iGkHzzJ z*158B1rs@LjF^&JuJkT&jc5;p`-m9v=)O>xpQuOB*}oKcO<59`^e ziW5}>S9ua_8+@{iG84_7`#qSp$?Bd5U@jfkpOvX1r9aCiM{SAnpyx(__4V1D-9nfn zU%kIlhNWbRl516S33k{ht1u#a0kj$`@>$LkMfk!_@IP&$+FDlXw|5z^OOf+I6k974 zhqV+%c$%{T8=effE)~knTtsIt;dh9yW;qa|0h82~g9cl^&G7o5XJsz_Ye<-j{Uc>^ zUf^UIW|@L}esjl}i2u`T({93w^0QfKmmS@fs|V`yUs41=!s;6u#6(3e z>sxO2En~f56kBnnhBuF{s!2sjj-Q(V0J+Xtzd1@Y$v85FpRC(1O9(+nktdKpytz&>x!vXFNGNnrZSne9^oJxU%*1y!IXe-)t!yW#3w< z*Eua6T=EIp42A9@<31j2=l(sMo12>~)&;x)PB{RTKj7AP22kWKudhuT-FuH&s%?fb z<5?Jd4u0dt32*vLNp%0ofZ(v`-KTIQ zkp^*tWKQ*X8gj6go=)~N?yK(=qSOMo^XDsn={-FkyWDR+Exhm8%BhO;MmOywsXr7A zBE|+%=9VmLq%h|VppKRi@<5%0H-Em_=w>a<-^mMCs*%v0RM(Z7Qck*g(8YY@Wgu8w z0-%{Y+VE07hks`$vqhiS3^0VDFlv5a7XA`|!m*llu<@|SNd~FEEPVg$?RN}N$^-@j zQM#)X48ngH45(h@;3A=%V2Hhi^=T;aLe0Z~Dv#9_<{8VqZcU#4OoPvqOzOF%!8%?= z9XpdkZUQ0Py_0SjiulP>*EH^#{kpA|sh>{2uyqE7CP?IuxHD^i4t=Z$_=V*4W}Gyn 
z0yVP`O+dy2H1GFZ+XZ-d-KQr%_3~2>Plp z@slI|oBa1njy?#s^<5myYz{Gf{doO`YZps3O~^p`_y?mN7tEXF1Gl1*QocIS`{WDf z)Bu5&LDC}}Vk0l{U4x{L9^9dy$l!Fd#bR!RXcj@#G{sIq|7Jr#5Td0przO`&$N7t+ zBj=aVlIE&d|4SN>?%TIUXXWL9pKuo8^D}}wqobqIhg9rh?SQQ56mK=nUrsyI8?GxXGG zP`N(X_noe5@G_iSuF1_T;orpyPGfsB#Ra;=mvH0c?)6A^LLuiUz>)_5W}cmZX8IB~ zgpQodbqgO41Pw5c6yAJ-y=Hrk93K5gb7}SZ+?S)u!Qbq-IOt{h-3LxYJO*IB&%JUo z*0d06Bhp^Edtj517wHMZ5AD%$j&U$&w_%ce6mv4YulY~Dl(gvm2K3azi3mdH_ltVm z+;Ao>zvcAbhm)-@t0VLG#BYZjRLpC``pEhUIrt}-<3Y1`jOe>gL> zUf2AMS!BqM5%i0k#Q5V3x=RrVak2 zdzNxCd3K>aypeEt4JFH|m#iB{A9ki;jJ~+}ls^nvqQ~&1y+m7y3vZG5~$_3V?))@fk&7OMf5ZVXZC@U?Q-E ze?$iym=>lt7XH|r6x*Nutdk9I2vT^sRj9X~m1VwvCSA{(T={9)ORm1%_$HAT!_pz3c1#P&_K zG5yQ!Jgc$NOcbItM&AXvDTuBF;(w$&XWy20(%|paz_8QZ9eq^R6gZ8Gi~FTp1{oMq z|IgFV)^=;5!EMD8Yv@3`QVISC!yG_mup^+mcke!$q)rReYZ+}O`n*d?|pj% z%z$0j6P7yf_N$W7)q6;2xH=Z2{(urhM{WPqRT~-LrllKe`1o`$adKZX*_;Li>9{`-{|LI`NtK8Klv2d-tk&M62Rna5`?fwMleUDy;q03D zl=_mu3ceFMKTR_C0kC%Url)XueH4WwAATyRrxbKSO-dMO&7w?VZ2L_A*|73whA~uk zHw2qqm=BZ)2}}@2qCEYS>j4Kb?CWzbYsko|=5=T~}yyu6%KeMd~Ob33BLjQ-aWOWQZuu}|E09qZe?bW063%&gVa)S9U& zY^}~pb8}f3N#_8+)b-xD>$7TR@|@KtKZ2hi5~Jee=ICP}V)Co8eZeuwvBMeHD{H@ez!%6_ zeR8FmuyklmtX9MXn!=Hhll(`QiqtbvvA0z-#a3EHvpOHNdH^|4i)n!cl#>nOi+e4h z@hK6Vktj<~G-X4El-oMAx-k)VsYJrgi%%Li+g_P#wuuldn|B4VIMAL^_1iHkA;dmk zjW7)wMGJ$KFe%o{;E7Ox6ElEDZZ|3B5!9|%dufx>=9T7GKPhg$w35>@F2r1uyoP!| z+N3d#LWkU^90cKDtpF~?%P;!I5L&OrZ?G!hb)?)fzX&_%-6wL#mZGIy=>Z=EOMC?V ziQ0$UZ|0XMk!i04Yhms6I`mafxu)DB*x7@|zCHZ2%diwO0?tOB;R#T3I*^9tK=A zIV-#dRf#wIAm0T*fPlMc4EM5CGtCzYG0}aAB@}tO;P}Ua$z#B}u)Aw0}R!3sfn$X6tR69tH_rjZI_$ z(|LrmtiEuGn1a3Mvmyr!5wvqN?hIb*#cp8y2XIH*q1iBSe{E_tmD3*>pV_kuBNor& z7+@B0G}yK&ASTbY{PA2kkO$uc@C~$4$9+2fT0-u=JLb4Ry`cfpR2>0s^%*boJKp-rsOOe}5uj0N;1W zfVD3?gK>89Uf)a>o)Qvb>$iHtT7|b>i11A_Vk`QM*4M%|9`PE;r|xfN{XXowyTpBy z)-;tKbIKi=t{#3h5(=!Z>KO=ji+bX^jY;h9F2$8$^p$cabDM79xXM2!5!E-g!AHy= zHzj{nLBG5A)!rw<$1MzI6yiyeb^a6aDJtqy)K_4cA^tm$3#KEekzH)*6YI<=%nEq? 
zdjEO}+Z^Kdkl(~X(2Y|-paNWQxbW|qZ!2r6e5o}E&yjCN-E`ReReAH(&&m4xR8;!x zC;%xbyU{Mus|?<&Fx@ZFaX1t&+xKanLU zM!zkYVyCt{4<)UDzF6@2bKiJTs|+#xU#=U(P^?OtFmQs!?^X)}Y`!yn;Uu}z*DnKY zKh6}%le|&`q8@XpDfSk+@9$TvcS>>J$0JVS$}&Ep`??C<3(b-NpX9BB`~jy;X<`=5 zn`>H#JjS)ph@3Z5R_GJw>utG|bSO2c#!+5%2-(%hxpw$KPT>g`meuAkyxKS8MSHb6 zN+POXi%;zUHPQkm7nDmC6@nS9_@&cx>)lBKuYG0}^0&=U3p0t0`t(zOU0Zooz4rXG z483@5LIdoAwmQ|(yZ$|hn7hC8nDYI8Tag1m{^g$g^&cx1 zLYWuQ!|CL4a;XrZ5K)Cq@c)jn_%PrYLyzs@`nRckWoz!xvd~Qwp77M$etM*B_dUW&ADJ=bSX9{zK^iyUG zS8XqJ6ljFcnCG!G9-ay|HNOH(_;0VuyyiTKec8=P2;W8A0CSKule6&cq)Ul)s+S$! zO0o&0Bm+}FBQT-jL8`QKR4AA=FE`p5``M7u`CD%e7L|p?vA>SNUV;cWm)9w{=ykfW zSJN%H%$QZ0mM#AzKy7-z`8NLMma5s+rChLF^X{zl_ixF9x#Z;c`QgSRmD%CNr<C!V1& zInq0&y-TxEK6{VUf#K2P%vJcR`sY;e*vU#Qni+TyIRhEEueMQg9JLXb?x$Y4Qa!S5 zdCy13@3FBsEW#r$W1pq)Q0@yw$cc){qrgq3g)$Mh1}CLOO1LoKs$p&^;u3Y_XP-)poxUM>Wu5s(m(a?gTrO_ zpVWE(?Bv6ApAqFM5<;_q!R>!;ObWhLGlQOpMiZObm|ZzsWM;5!WXiatjHpzG;0)nSvbLt zm7m?rvW2h5`D*k4vGou>Q(fT3bY6Qc9-S}SK#m)fHy4U{%5i(J1peU?q~ zkSB0$>3WetMMdR2F-$!d0Fk?$=UQ&&Ta26iW>*_|O-SD_0^uG4w4Dm<&^Exqy)(!3 zW=Hpkbh!~Y-vA=vVu)ED#{cKo)e$x2wFDUiL55M4n_YTS?;Xs#@H=aOlF5wk!t?DX zbM5iAeH*-2L5Etz*5pBj3-^xV@w$kRD=T$Rr){{NW#U0wEuzymiWEt%zeoeTKNNVT zM-3?l?D#(QyL$kKrk9zGTtitxl|1a1O^7HkD>0fjUdEZ!;~WLNRfYCqc+HYHR52q1 z8=|=1iNfKp*<|w?2r^^E-sYGj^oFidcn|tK2ojZtJKsd*6teyqnSG;%iRe_md|oQ5 zgixJnQDZZxxg}Z-F4(1HApC=tO=+`9aaJg>PnfWzG8h?s;HbJi-GDWupAMBryRA@n zpPa_Oo4(GSW;-I?)3O~-6+){0gdT(Rj0}*&oUGVvcKIP!XVy5>X5@@p;xGfaqN%#+ zM_qMOe@SS{Tl(1T$Qk5!wau`0glbjI{3ME_ogB+^%4sna#QzkT`i6F=!TqQISKVzE zwd6~xTOs=!*4>2PC zxI5pXST|j-8&_KoLATV@Odw2s&ZpF>+!FRmoi4a$^}(3;7u>V@P%f^93)IGj_4!oH zr|OG%hjMVpAsd|!#r$=b6Ai%b=O>E#nq%#j@Ethrxs zSQ5|ZUSHfGL7Qb%uR8!D>nw5e@~-vfEXutUK1OY30ap2?H?Q+{wziy|-|6T)m{vT~zEHa@L-)CrN4fV*NgAm|wu~{2|8j zu3N*CrIlX7RePQ?W%KbWZ2$R7SOaxPmyvzzkqaq%eGm=ci5i7YMp2esT_9PC zAQDS*VW7c6KkuV>l8bg!PJ~O>d%wOj3U6w-q+)g$Oe?}i=N<<`?jSYvcEJ(rUm>3J_ChhGMvW$F2gv`I)8(`dvs}2mkL%? z#Doqm_%@2G$b8_CE;{FEKV}G8tvRfC+d?T0a79*~T@$O<0Ui_{_B&w{@QEG`Ko9v! 
zZS5;)^E6~B`a0M%z^S`Utt!zdjsY?@ds2E9M8iYOr;08p-&c=l!gzoUVnSy9@Td zcIMj~?#}xu0y*F3Q(l+x4kd@`pDOnN6+_m58a+Y0M7I;sJ4dpj!12ydh(~vuZRmsKR zqVAg+Uby8_KuVx472N2-#LmfjKd*rE0>aM!Q@kTF?5 zHa?zWTh8W2w6`2^6aqe)h*lx5I?KM9Dl>ksRe~Eh@f|Gbds?Ja9-@;h=Ej}{gn3$= z@s0#7U)~Pjfjh4_q^^tkeoE`c@SDXvK_KFBaN}+oZ|1x9^%15o5gh&zgBi9Vd;yx_ z*^0X%L#iYFS)_l^Oq3{c6>)UX%SfpS?`Y^8I*h{?=&^S4Am?xEfuBzniO=_C*ZV1UcklML+oE+Es^CV@wNO5dB z(MWRlXBem7>rL=Pp$ovG=LkXBtaO&}TMSJa*V(J6lWM_!tVJdxzs79hq5$|Rx^2D$ z6xL|`6f1wa3RZ^Xp{sc#Rd+%4mS?js8M{b4{CiSiiVi1g@w}L?^|`H&oUz0JnfA6p z3n?JG2PJ7fR!3X z0~T)7pU;0sKKe_vTcrS7Yt5qk_-Z$Q_j#Iuo$KvAWtxBT{Nrv%cHZFaUb#f=o|I}Z zZQ2>6?atq{&FU`&^*Flucb}93>viiucsi!GTzA$8Iy9t(8#KOnbA5lUH}~F^lZWRE$7d#^?j1wG3m+W#j6*fm)=fqXSo$()#&C~h9Bs}p|bED%|JH3d{@tsvsD_yCIU{Gy(R ze=Z(RW-KNV906YXDTbZ*1Um5f{Jcj$G(E6@o8fM^5rTv1maeAi%~WPOl3?gHa8u&| z?{-rvt=9seO(e9Fw(Qw0&iM{i{NU}?iaWRu917#CLP#o_SSCOmxk zXoP0~thiWPMm#^SJr&~{|8#R+ZLfuBX|ATi-QTP&RgB<0nq;ayKy~FYw!OAuFo@sW z^!H+ma|R$DaQi%sN-DYFHvr!uR5EKJ|A0^3@|Z}(jBr;~yEdC@Z!;1%tPzkrRRKG6fi;nk=d zL@)C%GGp{YOG`2mDoSs1xKvohlP1C2=1)+6Bu7m2H$a)%<@Ly>09j`aPB!QfiUa4i zvpbE~La$l&0*>Vr8(9olBF_fp2gt14+^5A_%$G%zNafc_Fs>b%whlcOu3yiX=^17H zIS0WWwu~mqtSYa6$WsRtAmG6x8=Cq?;SJW!&znS7IwHke7;cVM#h1P{&;}$*(ctGi z(;tAE7lCm0*GD`V(1J_fV4^6}x_JLu_l+adoK37jT~9TwlH(h+Vtd#WA|gp8qEjLZ|B0@q(l(FSz?DwX!0JFove3O7}Hq6BxhYjENmQ3?A0>nnE_mpZTenSB#i0~a= zbcF_nBCUV4&ehk`T9s0!F09E|oH(d~ba&?XVKaZY-dP>YIDVOuiwf=vQR; zFjCIXGgPQpl=*P;ON;{kW=Bj&bin6`3(oXIjbDG8WKI3vuXFWa^_KNd zrxxsQW&^wEPY>ljB^q4zF4^H4N>&2m7%gO-d%XBgZB1 za$P}2ew|05Lyi?da?b1NJ-&TG=z**HpdF|#-4Ml7Q!H5!TU!z74_<0Emh~(Fdgi_$ z%3L4YXGw0xz;bAXGEoLWsKqLOy+qbN9k#)GrmZ}B&Xilo^y$_6X`tOZfw`d;FPb-((~GujMGLXKK+6Y& zzHEb#&-iWtHjup}rk#ZU*NDR3)m4idrXDe-$J?eusV_*T_m*0!#*AE@#hZ%LL_QUqGAY)IU-E&2jon^1a-JgknpU_+Y}52dt1~mSR7}cot<4QAO-dI z%V95|ocKh~R%~o+E=)Yf3si(?*Pq)SF@0pw@zj}mCTn4_`ix92oHXp^N^ghxT3>B# zZOJ3l^|b`h6)M%Jr@y>atll!Nwf9tlQ_+9JVV;ppei0zzx5+Qcy87JATuo*J_z{p3i_yv znG`;Kec|Sj#3AGr4EV*adkq(6-bn5(bpwJ_FM~C$A5fMExolDynZ!=!vvgq~8b-TO 
zy&tPrvI$#mPB%sXYzs#5i>FLPR`0^@|o--?hi zF>KhaxX4zhOR*BbMQ6=TMs<7XeLhq_PYRi-wtCF0_+kL`6(V&1G>3`;vOZij^4j{t zqn?Lu_Wi9WX7x`@$blEER&U=O6`f88E1l9*F&B~Y^8IsmjWFW#2_Q<}sA^xR?zQFv zb>-}?XAwogm|#TBUySV;wHI#sP+>i?F9igE^qf!r7_LeH$GZE!6Xoz{z=$f_w9Kt~ znb@E{FX952>NvS(YxV%51z@hz=Kr6$&No#nt0%jQuQtL*rSI%pE&lfLQ?&$qs3(RW zy?i4U2zZ7!TwCurea~8LARL`>Ij@S=FK~ij$qMamuNNr5RuffQB#_hoIu&*X;Uv;BES1xa(=m^fl*b@jmqUNbydT#iuK+*3{SW@ZRWmt&8W16?~DE6#lG=&3`(uFPk-&KkM{=3D!IRg!O&)jSe zwv0YA;3hTDlY<*gFe@^-5iU&R4-jCd_1&r2#Xsx!MuI-mNF!ox?){XPmiQk^Wp^u= z42ttJdT1#2e@G}W*ddSa1%OfKkU*W+Hk9!5gMa-KckQE&FAsps7v>(@hytw0hk0QL z*B(;xQEAT$Dd#)y_ck-ZsjR`;(oSIeuiO?{L>=61U1Sk+u ztxD_!E9&SZo{d-H;}bnPh}`_u*ti4Q+1;I2`)CeKcnZ&xAA*Q+K~@B9T>QT-K1Ilr%KmPXiU#pB#=pn)t28Hpi-$JGoOWII?t4OZr`Q zH5Hd!2vvi6|KPRzn&^~0JclP#d(OPuCJwSL5zmXz9GU&}v!^{j;}>6E->OOFPkt%V;ZQQ^ zCGuJUG4zWYjr0U@a+Jv+)5`*3F?=kci!Cz(My=&i7s|To5|eVo7Rer;TRrZbKpNwC zz1AQ~k^11- zbs*x#$rEEV$Dg~$?oX7#+iSrW8qYiiZzjd^FcJIuyh_RRO!E1Kb4jRYOBtRO)Mb4y ztzT?C>p5`Uz5LIb5?l@dT5^D52;6sWGT3WfzOeuAx(k=N*K|`J;@8|{&avTWg<7%kxaBs7&RiEw29+lVWdOdaN%~Ux%sqT z?KyJ}6%6KF@x1Dcc}*r8$-y(^swgQRh#xgDqFA%tR<_;twur#Rc3v^j-g$?p6G(ZQ zsm^%?OA!zYHBnpM`#x>+&lOPlI$0{BXZ-dSy!e;z^Wt}{36poMm>$1FQBA|VC};Z2 zA-^-lCh|VXjr4#psw52%k`JnxU9tCKy7U2fY6!S@xj*chWSZ!I1^CIiMN z_G5Se-&qi^KJPB(SsW-FaALSEz?mpQbcb1#FzdL-YTv%X&^(uLJ2;B4mm}~C zqT~`j04T+AayS_P+8^w>2^r568NUoYu0ALJSq`axKt!Fxw}=^izH22UC_-+VaK|Iy zqtq|rO9e-O&a^r*31I4s|3N?L!AZt|&j0oTB)j?_ziesaf0eb|FId>PGC9uQ7%-^) z?;q&(Y!oMz8RG8U_kUxVp9bcnKNIO8QvdQ?P_V6f2;tSHe{iw^14>u61IMlSxJHCX-}evSp=9d55rx@`egF<9gz8Uu62Jj8atTH&a!7Z| zJlPV{3)V{yliKVk#`uTykK2B}^C${{7V^f{MBO45r$=E!Ygc=jy6@dd8l8t7%7Vg{q z_aMnu6gu^Oqa$_w+rumMp;UtEe+8c;7_k+o(Iz+_glaNCg6zh`vETEIgosf#{;@u; zTeaC10`=*UL#`?7{7FAfb4G!6d7mfZ*ioTEM>||ap>5Y|5q*1)W6UPo56QIWn3ta`u+8OE z0LB-;K-2c{b~Ht!WRN_*$h#0oXq;R!RLC&$P7rq~{}5^0?L^}kt-h1~m74|PjQ=iZ zYw&t`k2+M_;4xjh@@1Smy-heL!Mat&L!2tHZ)Xp9a>_0hOejzi`@VycV$=}6B;WID z*#)=OExScpp3$K&O`Zv0Q;I&y)LPZvBSds;zKWe5S6cMFnW(Wo{z1SImV__ 
zk-WCb^907z8gaS$+J4cLi0oQD>+Jhc%)PhiXYG`^fLK$NlfbZ{tETrbFT31)F7R?& z9-?LUPGd7G#n}*<#EN?5dUKo%#Q~}XlvvDx|#28Az(9be9O!OHl;%ESS!?l z4~|}&i-f%b9OlmjDv~kw(v=6?D0`-vzI?(QNPNzILJN>tyAdA9BZTNjs!dT!p@&bW zB)gy_J^Imr42_Drk@CMa=@H<_-wR&+&qEvGeYt*HheC*GdT+rYQvxP8qPpG7JLk2K zwDa@xEG!ygCIZxvs97F^8X~@~ix#YZvUsCdjHnAsIBnanZ(7ELTT^gu-T{yu#uz(7~5l}7VSjI$!QZ4y?wVyDzQ=s zSS8>52m|j_n;nO;&8=J!QHn`uU=;4u9=Wl$JY!)r$_&m?gT1}-#ojOFS*Tttrya-u zFz|Ya7`};{8iKI8Wt>(Hi%E9i#fE%a`Nwmz;^M|1L2G#At1iZmJ5#mww)2;4L5_bm&E}B`x!Jgz!WscQC!49|wG9Hqz0q16)Z_nJC9t^aAi8?z6(+xNur2vqw?LoT#5K@OMGe+Fx8NYN=V9yvKh< z!Hfm0iWh7{x9(mlEPlqdx#QjUuU?Z!;di1H$K!|!fbgM_` zpT!4?O&GlfN)E5rD4JCom^x6AZA8mFj2Kpb?lr~^=M3JW-H|(DTZe7+9sv?5xJUD1zI2<>jiwZER!S8uP3~u*7HFZ7Ht?|&erbv{@$?7)YstNwcJuN6OV;$NpPF1v+d1ULpXIaO*X^QelZ=X4nN?YlzzI5~P8i%c-!++{g;RaQBBo)Q##!=<{liOh>fj?`vGs4?pk^gdUpTxTdA3A&Ry4+$2 zK8?;$tbmygV~;u!H?O}$bRWgM=IKx5$;<`>td9%;?rrv=Irp<+_XV&HTCnGvpR|3%cJB6%SXM~I;TlRGtvQt^3Y+17JvL(XU z_uVjNp0`im-|u?M;CH=d!N^Nopay!xz95$3cLH*RZf_ajVM%)v2_ve|(vPC=^Yxvx^RHVRMgq6J>8^-S< z!+OQt(aYaX>0zo~RowXVNT1tAP6u(&NAj%OjvJ<8R4*!@?R~^8v0Wv01NKs=wts(d zalW}j{A9WUE21g>^i5ol?{$F8=v0oB5V_D5QjIm2`o%g=ntgd{#7&AuDw}Bx?d79B zh-zSW>z><|RwS_kbT@<~x9m_+7 zMP4igdy3)NwM_R0%?FbTrnTV_t_FkOTIBxu#!Q4Dp7{cl#XWE=Tjc^c$BKAhiu%cH zo-$H%=h0K**c*{DfG64t(wOTOH~tM49Y1WMBiY45w60Nx)!8l3ttBJoef&Hta?hpo=t z+^zLfeC%I)n`xUpgI~Mx8Q_c(!JOE2zCH8Y>^F8M{Z_8=^)OjawGco!6Zno(F)*n) z3ou~BEq(Dr?IR}__};2lukzizIAv`(Yi<%$J zS8dr{XCYQo0~_|86VOQd=&Hppf~C0Zzv1@V#9O%49Wl!n^DDTxy%L4q`Q3d5+Cy>8 z>n3Lvr%oxDP~5e!&_rky!hRuDl^oaB7TpDz?U{P-dRzQp&@4gaEKls0Pai_AzvbUh z|6i10j`>HS)#HKY;v{tX!8ajNpeY@eR+F2d#Q{6YP=JT<^R<4;EyjX*(eX4D3UHkSi4XD zHf@OMF^o{nyi|-lu2%)gBRi&`n<9nB8O<}*N<9mYWYo+~Y`!9{Ktx^+4cihyBr5h~gMhv`wxugXu}k(SH50A1m

Pl>AQ-VUh+)}t6 z8RSeBT}2btwu1b=0`Tq6%`_xsN3+Wvm(E_E*3IPW(7k>!%zZv971w`W4J=|Q8>AN= zIXihCeMp2T)Tcn+1j&>Q`iF3T3{m{(XEnr=zQVQvy)Spja@Kn{qojS!cmJzg?!n;g zTabslKwIVa0+V+Dx*s|rN;bj3#h_J7F?xN4N_fYLxk;REOaAuL8~P$p1C zhiGKt=|Hl4K_6$$fn23x(W6MUgVbwg(v@k~5Yk2kRg-oDR|tYx@m9$bC7)4s8`MQ( z2Ygp!E(dO30Ri3gNP&tU0VKW7-oF39>h8{^OCKxX?%}z{@W|rd5#hZVr6^2E(sWf0 zFx6`5epBmVoF4>hsVf3fUt)!ypu^mumChk(Y+&3X33 z=m1&^Q=6&t9EtxU5}pDMc-rLr!#}GOVBOGrWb!^?7l1m7 zxD5h0LJH;p02!yEF1U61BF}N-V=II@&=9Z6@fO6F$3qh45ac+1|5pQO9$W&`pkjN~ z=0^O~K2e%$7Vr+^1;cG`bt%V#!1q~f(KL<%DnyM}g2&y5`cP?EI^topn4H)X4Ta2~HqbtZpvDW_!$cE6KP6T#MT`ZuEzlDB zm`Y9^hOM;M=b^j38P$ZV4}e1kc$lQy`~~lS9mC#~TZ%^b~ z&m{t#!KsPxL(tC3cbiSd+aR=pZ73q@Q!=8Tf}B^dZ$CAyaNM2 z(%D(q_rdO>x?pyoKG)@9^4@Pu)h;GF$;t8djH*Wf7QYHX=Vf^R-m1(lb7AIpIlge- zG}BY)%!A|5%Q)im@W6LG-13)}a-Ayn(~a>SL=Idm4JNJT>a`*nIO|}&d~CMcAJ0zY z`>v?2kqcS>D6cgfM0q)7OoS=2kSnkI7nH#~Wk1aG?UbpsAkcQ_Y-C84pzX-MP< zP>N@<+&byet@)di6Y|kN;)2AdgW4r6;Ai@+u3g=Ew)DN4=Q)%ND8{HZsBUR~gzx$S zh%2?QtMh>0qc6wsEf3SmbIOGEIY{M!zD^v!WV2}1ONA(C&jRTQ3w}Pm`I-5ZFvK%h zLm~gLupu9t%1py&m0-2y_zyawgLyZ__5pK7z>x6(8H}J1z$>|*eHnm^nt(+Q;zp1W zfxw`_@Cw5Opm&i&`5~@fI#cP2t;kOE*i2mnY{D}Km1Z?w6?rt zqy}?hS#lNVn~;Lbya+W?mA`_i#e1NrQ9xkxEYMX+y>UR#BD)~w`O@>U+w=Cz;QZV5 zE1X*&U|~3#=b?yO=?Hqu7{q_RzQLmRYCSGNh?nuLMVAZ)Ed?zJv1G*maclD39u76m zefx%;l~p;lux;>pAY8Mnd;RK>)xW)s{|?B@k4_2$Z%F* zjp$TcY@$>W@jr(rnA|^yr+U~%Czt8^oNADx)MMBudMs2n80o_b|4hZ2D&Uz)J4XWB@9{chVxQXYcAXkP;yE)IFjN_KPB1z6p z)-<4zK2qL$AS5o12JTPXMM8Il`U5%W4Gc!_=|sr@7F)PC6Mj|(IoeT`Pyh1^-P7VA zU<#cXsTU>tZARAfPmcynO)D3)rmD)plL*$Xf4<6)UZY*J2b!FJ88 z9eT1>=ZWb_R#qPQS$=?Q8B?qPqR{=iaqf{WcGp(m=J{3O;eA%Q?5^=*NA%6vma{S* ze(1Bk|Lk?IMM2{}pl6agf%BvVJZQo2E+tTEh-Qr9gxvo_^sY^rYp;N_tnLl42bnH{ z-?4FAc0IL5i4rNJqsG506pC6}AYuS8bou7~?&>-j-G!_y9Ns8k6TrWjXa9>@IP|w{ z7A#G0yjeNahr1REbhx^Vx0I53qj5|3u`g|W{R}LSaFc0MnYr8L!BmeZk*z;5eV)CN z`yh2#mK?G3;iQ}ZAi(?qQR#z_Z5{mUdjA>f{Kpo?|L3Ix@H$m25n}&@3_pnw>$6|? 
zGesz}MM^VeSO3&sn`<;S5rK>$9t77XjyHn_v~^K2om9E1-Ahi-8hQvV)I#*mKo_YS z`HC|V7`i%SqZCcmNV`I{7fMro_A(@cMc)8$dJ+o*1Ssfcmhd(ZATo%LuExdPo1^NM zk`Tj%K@Ruh)P9-@y#*!o(n$Tk-F3QF*KFC=p=-$3ITImB|Ap7)Eylj0uWxy2Asm$a zWG5oLFFI}U%|2@6Hwd zztB5!r9r$@rEe}tE{RSL@&vFd;T@oN4@&udx)j8_`a(Am`a!cTrxlroxQ~e7jJUCn zS)l5GTwCZ*j8;^r_cI`7w@b6pJlcTuYCYrkL?-5ssg_mU>Ib!+)yEX(|R!T zHg42-qQb|A)VKdFx|eJH(s}pwpo*uodv^;!a7h{L6{)(e12EH-pW)kPQv?}>V2ee+nw3li^Mw7@(eu{u_OQ6grsaB_ zg}HuY?BeG&JHsW*Tc>R)!G!6+Z@WDc{*AE+cghGRy02 z4&8n^3yGrl45fCUxROk=Ue#%DO-xdIaDH1MHdY6E$@O+azhH-Q5|PFnx%7Bi4?oeB zwooZzW^z#e|A*PkmfYuey$*&v3S(wp%Rk-zNG*gxD4uqbjo#vqHWjR9BP+^#TO89% zFrvLWpgq&NlR|i;W};dsT5t{djiDe#QJfx^-LglTc~YDJ-k&di+kF43dCpII=gaBB z!u@%GAL`yEldo_=xu$ku08sI&7}~+9t-AwqS2@`~xH8RVKRpW5hEGA#5pG8nV%R$% zVhz4yEf7*$z{PmcXyFR3L)S`}UGrMHm$TB4U z4+{A$;$J5i9D4Q?C2g4Q&5ju^XZzK%Oz74k07ej3KfCitXN|%l3yZh+2YHlxdMx4T` zI)EH7jH9G=QR2!dKSbMzL4d0nfJU-_WvYONVp;}WmBl}niyn=XW>E^8hw_L;^UzW3 z3?4u^b()y;KlW3kx2U_WkkMT!0zLn&P`!(M*BxPEWRgDNI3k3p&MxjXOq>4V1i$`~ z^6fV}z&6{tMmOuv9i!ptnR212suzEpHWyYfAV8NC3+EqLz)+?-a!PT{UgKO~_%Lkn zoH)rE7_++0+K~ln?t%h1R1npm!rArik()JCxuNPT9Qffwb_{B*3j&13?j(Tz$3wzw zfY+|H4;a`D0G5Y)jJc-{16?2Uz7M1e782{QHq`y?_F6#ET3sWYI^hnqZ6hC1%b!c+ zTn(B=ogxi6Iv`-Tl40y~PcIW9tp}}woc$mrUcK-ENH0Dolgg@;oQ!Y%@uc^IF`7wk z=5*xA4g8OOd6A@LGxG0w;U|O6Z?holL_0_*=P&1E`N|BJ+-T9KFp*Ln$sEdw?Ls3T$62qu| zag`dYxek6U+0GuybxXu#7RvX`YOQ?tXV$e3hYfdG5WgOpF-_Yru#%s0THPGNNFd4= zhN^fe(vQ%^>KwTMM*TW!g&w{>SICyzX-M4VRqM;-<;A4Z9!mQ$y;qNzWT_39`6d0P zAg1vaG%vw?vGm@)7$~Q~8P|`d(B|nK-Rv`QQc6^?ZqG+WR2=dlBq80z;8py-7Tle%+D?;{xW>y%^48faF|S)C3+#`d3K`Q8VeTd#Y#ynXuHpzHW!}ER%y_;bATn!J(abu(SfuWRh)Eb^}6!5zg{B*^iG_#e}J8D=H1K* z(oA+lb&ycjURpH2oJSv6&`9MQdoy;6uGtGGIi>?OM9;s=h#G9AdUqs3H z*vdeDHo!uhW!|>{Y8FaPfI7ZHRv0D4%U5$DD=_+0FQ47C&500x?bPbS zJA$kG`s*uxw9n8f{n?Xq-SVj3%6WjMcV|-vn-U#ORZKR3`1VX;fqPd0FI;w6*+>9a z4>*N9%TbMgRlr7YY>SS2U&W>0}Yfu@&?r!b?gb91EkEP5JkX;7T(*Icc?r}5%WH>=(>IV8TP6Go2bv&EbIFCeb`zf33|QHF!SuJ|vuqKpc?#w?h{z|p{VTNg}> 
zs-_QEZ#)&SN;8@B8waC*)HMOMh`9)B-GEV7DdBmRcMZSeKe5@xz2!9Wv@jcgQxZ3h!o9LnA3>@(XncO6x$d};A$gC2l>`50rmhQ? zmYFVlzo5K$l-sWD%NSb7Z#Vb2IYlqaqu_*8rTdlgzGusQ3&oSK-?vSj&?o#pPc2{{--gA8g$+#8{SbcklkwJ}k9y^okg?~9_Y2_KsG zRzx^K2pGuBq~&_kMYOW{dv9;KzdzHBHMLv*BnQf4d-2(p^4piP>!<;QM8FTSsYCiG zitiiu8_?e>c*Zy6>R;Xt_b> zcR;&pGk9*|CQf^tQsMNpS1!o^m^(j_EZf#7hl(YPTz>N z)6*L|3At;f7jj|C z#&LNE&;)z9+Tl{fCs)kwXbg=Op8Z=FBRjPRubyY@GWa26Ea@PQDm5|Y0x5@GDOT91 zg&(?f?*L*6@ZsAt(_MD({*&=83wMA-Tdy=R0qpBj}PJxd?{Xin3;QbHF zr!+zWUxP+-*g2$*?fWvo8aDp1CAZACobt>XzOq+5)9gLL2F_0AIeHw5=7u!zAXq2& zUKN5Y&T}`WnpXGB>=OrdbroyHGwhLx5jm03zDP?Irq>dC%Y{K$#mp0~5LcWhLo>_i zTBnr{=vLXZ4D8dZo!A}TI$-$Goxejn&%tV|d4w4?kaee~uhJyoHH&XP;TE0kVz70x z7@zYLdZ+)pLf|S%g*wxmbj<5z2VU3ED*t`TffA#G}E@VapA^w*9kvO%^ zi(d#eC-fDeKH6bL`V51ph(1VrNQBVB!>-r}DRvu$F^&kZb!6fACd3P|A;`$8A1RI6 zJS~*l$9@fnt0P3o&fRR9I$u;xKR005G!?h$tX#AD4By#!_x3H=0e(=vu62EJ7Y$x% zt`0Ir9_5X3WW9deCTeB=h--+>jgz|szxaQVffz3s_AHGnY3{~MGL#%3D$6t6yT_+ z;~H)9m+@FkLPE>{z}H~|H1tB=;TzVWitsx%JV>-!s6t7sq3a-8S?^{<`ZyN-e48YX z9r?(|mVma#I*e5;p(^q*C^k6BW$4xgDnId9YnK6{H;f`G1l+^_K4st5X$}#kF85#5 zMj-e*ZxRtn8R-hx_7`gNO2gi@=1KOyqvBXug7>}-G>Re}l34agi@9U^T1H+w*7VUs zF`XHOr+(3=36GEagz9B&R3{uqL%vGzW=R(%H z%*f|L_k*^=u1uNOs{K1bWGT(gUld`pm}^VE?<7eslak&ljq@Kme$(uACAzHr(H4NX--WF zMtz~2aohE-_NQl=r;FQZ<<%zBn_AV&Ht7=4h!0!mdz>_js`p0X$17$i0aUr;iQkDM zh;R7#RmW1<_2H5(68_;&BlrtTa_VbOX>>&HAL{bzT}iF&-%?!DZJ;AG zwa_nzn7XVNR~8f`=nmL{BCETYHs_Hyq7RUN zyx@+!%v5#;WQ57z9-|Bl^mNw=2bP9CkZqNG`3hkt0*wWPY1UodNygnSr4f+%Xvl8f z{(N!HnXeA4#LAXnN-m7Wjx|Fv{ExF2Hq*4hal_s0`?%F=r!pj1`4jPgn3p7m@&KBJ z;Kkl??|q`I{WA=%R=q&J#8=>SQ3dYE*VFgB04 zTH$i_o?|hsUfDd-!#ke$Q`_>6%lEW41#{dIoZWdnRbI3ODgT$(ffDbj}?^gHkNjIwhys z{-tF!7;&Cztuh^oZcrUf25C zCW!>G`qlncUXZZf(3)%B2#`Ou{@md;jW8SBJ)^^>xDJ!1oq!*Ya>_|#x_Y)|zUic8 zo)T(<5S=UMo28bUHDR9|S}hJJ;4gaYA^5}5%m;GD2SDbITC1XK`x*fHIle-so#}Mz zNmZxA{?SCtT=PLdfa$>d!NXRy^8wbGruyBOv|n$3H;eO-Bv(53$ON=L&Gc!0V4Ixt zMY`>aLVLe4VRxrlx-3cmWxLm1y4=z5t_YpTZgy}7;_#=*ao0xZQ+}>vuNAEA`Nx|p 
z3d#A9{AU-!0R@$=oeR>Kj{S-8wVM{jT+^&&JGQ2$0pBo`zu$amN)#HFsKi5G*!ntZ z8FD74Evk;cUa*84lrD9%*GA|>)t-5bw9XB>U(q9=uk_pbs%ccmVuxCmos=oc@2bHP zO8UeZ;1R55jCRu2;Wv8m&$yAI{kZr=(9S6+vWW#tUGqG-kjEdx)&Cp&2M-R-{}B7F z|DK9cGgZ**zny(t-%)E{AAdhpnR#rXSVlmu_D)d?)d#Bu`Mi689L&3`m%$)yfRq#JW>_w`aDZqQF%)#?ypHX*S0%aL*u;_J8! z027cym$GFCZbIFe$B%yzt!J9?UT22fWJmsD&0(XNkN@l~?(dY)S$gX&?Cqe8^Zs)k zx4S_a!dOs8Ew_D_WOcdKS1Ad|VyAJ1yp5K0L4>cbqcPIEZF-cdR*_lH2hZsJ66^4i z59^S)44#Qnj0m(4ekwu-1g~y4FaL~1+Q!M}1MFHtEs;w#_(KqQ=RC;YT!-Xz%PBBx zaE#{a0NK(LkD<*~GAi&M@SziV`n%Tkx(G3mVuxbiP$UmBHVR8VI7IRsDo5NM+s~Bx zob--pJ(Wt0Q}GT06ZFJ#L?T(YH|;!Rd&?#-vv05k zOpiSmv!EsDc7l4TZ8Mot6?eAL$96f2Gn%)XKfk89`C=m|+DL2XM;+jD1WGIDnlJO^I$BvB+KKRQ&>e(!& zc4sHWMrLyfX*S6``~#oZJ5McNp8nu66&{l?jN}>dSKoAruDYBpfpuQJXL5l&6MH~Q zMdxttL})T}I^Up8NO8<8IN}T{TrSyxahaxrot0F*e0ibW=qm%elx{Gx8bgNM+wSZf z$`N8qm1+jDcQ`qa;UjS7C1l`(_S-e~X1>$l=@ecLgn0nrV_LsP0nRO`XZEwg1-_+; zQ!h~+cENu@UJwcYEe})4LY(jwasv2Rj1jVFYd%H zcMqmmnyx*uDTWDLoR57$w5gWte;feE)@7Ln5B0?xIYHi2Z!O={MO`0|J1lB$K=uh9 zM;T8=9}MyjK;-UMR~9m|o3=fIDQmpISF}MBD0p1<N6Qdfyk`<#ol1& zOp|c9FB=b`eRnb*67CT0$n%;v5qgF7-g_*&H*2m*?sIGSG6u{k{M6|G1~xLy$_Rrh5rYgz$PHdEhhU95c{POdo{3RlkLwC;ZJHGX}$BU4Zk<-tiwFY;btI8|N`P>|M3cm`{FA>nlA>hd^Ep6kW&n&Vj?VhA z)t5=>{E?3%NqY^}6xs+QeeE8$mZu(h{~PxEVG@7u1L=FUir;Ukr?dEf3|kp8bAQoL zcyYR@vo4f`gEy`8{i1E2NrWy)(;9re?9$3NSu1h_f?VcPv1os}hqR0pJ?pYZ@8{8$ zKRI$P<~y*^6=ac%m3nndGFabE8Xb}GDpDfjD7)_S+!5HBqgt0HPeih1RaP%qLhD|R zvAHW-9A&X zdXcp;gQE?D9VT0Ig;C|FZHZVUz4PO_$BhdUps&ljhUqSDhuOZqT~k?);K#T-E@vl_ zvB_tfY0NR$p*xG9W~amcnP!n1Q(%6>frWSLut+D}A$hy5Et=}lsQ!VD+qB!NF{QXz zTeM!xCQdiE8={rOD2he)BQve75Fd>oKr@rl4cxx(UGx;QP6);}05vgw7`XaJ)x$Y6v04bjV#I|aA{Bq{he zk4Czwe;TnCsWH?Uy^yhLS*turE^8S{*S^-|H=Y%I*||j^qS^`8z(Ta|L_n_94dp@d z$FS&QKF!FKU~exylep(9%WpnFxh%2Je2W`N;!fo@x+kq;H=+<(MNai1H*^jx>|;6} zqSLPKFilXPOJqm7L{ZU4^?CceB(>JkpFQt-W$3-260fBbJ8^ob+W19ZiMWqa8hIl$ zu(uW?h?R3#TWQKiH7m+^PaMQm<@&W{HfTLy(B4m_bFM4e5=vVY*a)MdRk~C5UPs=4 zRPft7r#8Pzq&yOHrjgF_O#%O0L|QDY3$4$Knva=7pX7+PWzYC~@0PIB#V6-=qc^%` 
zOQ?B}{`x?ow6BkDej~6q7Rq1sXf-l<$^TK^f=44D4za*((#=UJ#VpjrG%VR*R250) z`qhhs;iu;(zYs;mz<){Q243p1I4(X)w)>F<&OFyHxgK98sM?5Q9P1sVrDAY?n8x)! zMw;CyWik5>7t*w}oh7^lxh{9QW!#g;#~f6>UPV<&Vq%h1`Fmq?@fX_6^{IsLhKlU!XhPnD znM<~}WDqWw(g(4Hlhjj7jk1LuM&*b?Y>^D)Dr1VGI_>K@;b2oC+#ypx1aNc2s;EmP z1yXC_(W)HCEL%W7!8FS27V1V5S~@4++AT%B)0$udh37>VF*=*FMNqg^gC% zQ;r)6M58i^ikx({Sx-Te^;^Tz23x|N`+rVMRlEhhjI{2E{bknTS(}@}qSOB#W7cN{X39SAvu) zz1KXkdbR!dd=waq)*M9JeO{WL=ONE+Nb2bs1~W9Jd9`2-X zit0GxD6Sj2mfc}(n!o1n{1YnYZELsWLr0tdB~vkqb-Wi41|&hv00AGZ3dc4k$~f^D zsfPh!c1xe)K1ZxjmP75{L;rB5v8)5b7$y6*r|d_BXC^#TSy=QekRMl&{=c#86%ji^ zLO8Mew7drABfz=rleX>#$g57&Y|$g z^z;{(f>AbP@_N`bb|P{s-qo)MM9yGWNVO$d`B2Wy-q*3ZB4Py}l;HgyAGEc!V;fbK z=XM{zYo6Q4h@pJNoy#0U{wuG#YK9x^;H$>U{AnS*BSJg_!I2F-(z0IvAn<76pX#`% zMkEM_Xxyk6-?WwjUlt+>Y^^1oh&Yo3^+0^!j=|Yr=jAA~XK1=S_W&$W+AM9197HJl~BO4gnI6ZXa6+K4dy63c$Ad=uW_QuLR|Jt!A$YV*NBKn z*k2tP$Rn@T-kfvDTzyj3U5&Z*;mQJjql3kx`8y>Zsj$m~}a-57tF%!hKa-8B$o+k4=} z6vLRHJgq13V7h$Ii8gW-y!5gl?s4VHK~c==7dp%q|4s+Q{WnY0v07oe!NPb0UFLl* zpZ=uDFiGSHK7&vTkIUgmM5Ee!p9784s`Fd};)w~Gdxnpvy-au`tWZYe1C1rKu3YPn z9e70fAn`Bt3ahg|Ld|-s%OA=^A9}5iKwHalHUuD6yXvMzBi-ofQGNTmN)H$XIbY19 zGr#+uMwyQ*)kTKC;o{Rd*1I3E6}+{&my^V?z?W;OeOW+it-xuYI@Q1g4xpmaFd z0i2`t1+d`TX|#`TQ8JRnnd{8MB`9_%(a8Q6*ixff6mkzo`P9CH7oOGz(&L0g%63#V zjebj*X>EREda7E(5be8!^a_hGS9C-L9Eai{KT9BiJnO5#=N}*osf9eaUKPCIMylz? 
z?(4+)3&`PyqAbI6E&0O4mQcSk5MeCV2M_xpjnV{O$VWUhmSD0-+@>j6%L%je$PkJ+ z>mo^rhjJ6{OJlkr?|n4!&sQEw5_G5C4?qu~Ik-Gb{4!WVnZ~Z38e3R1n25M7*zvLh4n~JQ{+DaFvo3qE;tqt{`aF_?zT32nn|}Di{!>_8A3` zoX3IInU1)KRmK?9{u?J5Vcgsm#+pdfxuH=#y<_j0#d<)JLLu!+DA#9VYgn4A=Qv?C z4#qT`4g;#Bp!>dB$E-3fJ-%)o-K0lz!nH83DSu^Lm+gY7<7x4$^D8@~>lLuy1@E?0 zRo1jW_cSTB9`^@y*4k8-gso8ODUf!23iP#M@`%zoj)%H+l%XeLn>{V-$5rK!1?1(L z9z_8cOMf;#Zw@SI8|GT989LP<5c#wYPot#e&f8AJ&a`u|?6Z$CSoZOxMS6G!y>$>z zEzx5mcWE1{L3%d6P3k$r6=WFL+ToOTdrr~<=hOjIk=DJ!drs30Zua4(A3^qHxqV9g zPZs#1Eh6gPLV6!w#+u}gLjtywQmD5luMdQM*JHrE5Oo!*vJ`nQCxVw_FiuL}&zcbD z?e1a`eJb_DhdP-j9n4`@=*=k`MMgqr`wKjq4eqJp*Ad)?U7SyM%{{R4KbG_$D7@Y- zZ5rjqsQ=Zx)Ij7_b7GNWf}9P@P=NsPd+><;LEy@zP{E{wt#cy|;)bioaHCRaoy2>< zoywwKiB)YEGI(MgD+N?=Wm_ggxOfaW2kdbG!e-TDRh`&*2(|&sz|%Tw;dJ+KoCi<| zz-()#vV0ju1f;(A2(M@EX_*L*MVZM<`oL}(rPrB)_$l)*9P2iV?>iT^{)c&zM5VDz zm#aMSc3e4gYB_Cu;Vu3&wkY-c@Cy$M`FEfO`sddyQK04?F~+B$%bQmfXTX7%c%R%h zLrFwLryS!^tBeHTqZq)$s&Gbq|nYl||_wjo0 z6R~Yi46rtQ$*k*JctncBj>WUQMu}JX>xJckFD`!Uq$x}tG`sPriWty*=uiKBB*u+2 z-i`5EpTr|=S0mWarxi!DwN>HK^D3elva`oUhV&)E%}A5$Jyu7meof zus8#h%o|S`-noc}T59ZtcB7N!K(q#dtd3H>Jyg;d4~>VN<#v`O_(Pq_+R?MXi>X-@ zHVFhjSv=Y4@4Z6Xce zn(-mp6xZd(w`=1pOY*M>jM^q;7{^AcmtJ|`_SAwKWpgzDFhu(bst`Q)Kg_?Rea=X? 
z1)BT;$lAP+BD#IRCHUTQ!D0Bj{dU=(avbz0Z=9~!d#DKo!pK}ns-*U07-<+DSU6F4 z9P1p%I!OZ(KD2ki#n=7-rYKei`Sj;H0+U}frV2i@WXs4r)@emelR}#uQvic{>?DE;iEWbiN#%Z z);In^L+aT+xuI>$I#2DR@pW7iyo(S1ES1Ii(spc|P14LF?s-RiGTU;pF>Mg2rbO-P zo`V|s12wGrf7zi6+lwM!|NQfyFszKlkD{Ylyt*#_ZaGnJkDnY8=;ub+0QpJd;bL6= z`TcSo-utM}?;NHEpT5TR)@DrxRLdqiZV2rd&FRAAF%>)l3XhXh3L}iZ)58j2rTm_l ztM4hhW7+gk`Q;Vk4m7zPSMNocozk3(84==OHdH%f4tXYXkrs+)Un&ztp|!A53*2Fy z5hf>%eu3JBY>&WZ=9{;lR7}sd07-HcTrjH~GPoVk;hB64Px0;1i}vLkwl@pnnJ%m> z)1<)KcJ4&NwtGWENEvxJHL|UzG~!leGe+1#$w7&o4{TuesK8AL<2xGaf|Fo z!zoeyn237>5|wu6lq7_qIS`=_C2aTOxWTC?*Y_hjeS>FdeTnPwqdx=H4hD&)-Jb8q zX;Mt#fV0L;=)&dpL$ds`aCx}u#|lc9D8NfR=_)4o{iwT3QkKtXY*kx#XE$U+HKKjy z{_}A4WmE!?uJO^BYhgE>_a~O_mjUIfVuT_$@)+Y^oyL-05M20ay_ej%`{a6kQ!1rh zrTn?}n#BKl^^$gx7R+UKek-+UB!7H>z%ncXV0gpdw^=uTBcAb6!n5$^UsYse@+MOp zZUi~b+Ubw!Ppx2?N5nW8zgk~$s$B-qbyd6JEbqYCa+=c2&#fX}`Pcq#ZHXGezPl@S2R7kj(SVp*v1^?B_*!!P zs5EmpP8Du?|AB+;C}a4=H-((QaGb!OQ``5|&vM;ts~CNPxM!rBC$HP~orej=CIz84 zz`p{29_n?^(cgIdYxot2QH0#>G&WwxHuCTa`5hNE>yQ;v(1Z%Bve(5Z(1L#792T0* zXDAr(;!#$MbsI1+(S&u|LHtMiDrY?`_iOKXPK#N9xsJzv@x5Ler!mhh|DI)bxu$jl*=wCmtenblmbAK61d`DSaX!zF#gjmX37BwnVWtgVH5Q4Ot&el-K(e&b*8j;z0d01Du-1Si~#U}?#_PzfUSUZKTPixp3&J> zNStsQLoktDRHiM&7M9;-9l#YVLKq?+O{l-G^FBe}q>D=L) z*-Fxy`fE{|zY*9J{9^W#oe`?Ad3Li-MqA-&>SMg43aUYP?|*Fl!g|(JH+BbfMzV$Ge+BSCe^Q#y|9*uOsy#9%Vceo5^*a5Vps&NG zRP`RRI`o6{W-}Ju{<=F?o*?_hWzltCOvY=M!FGrO94K5fPz@?`-{o|zOK=L`IzjO&S>fbuG#G+Nm%U_VhAdvlV8uE$LEZbd_=pxvN*_uHC~>ZfTGqIJcH`FblvYQ|9P)npDT)x2W%@^=5O`y9VwOD%{91 z64(Is%$qJ5oYzsras0 z@X*gTD2#S(GTt}99c|XB)V96yUS|ND_lpt# zGlqXV%$zjKX_Y&}BLm@Bh~zbkYRbZ(ZrH*;wm}8@AEg(fv(3$E7%SB6fM9?z1xXJ; zej>W2&UW*NgOJw8zj2EW--^nY!P*KH83-wcgrqE>UWWV`xDEU)K6&7h4+n-2sYtFz zsPOzlkggt7+qlbwOf}3E@ z-SJKa9E9qDJq#FiTabw%SE@6Fw>Epup4Ct6%;P;`pZBu1TLUmck)=z95V*{BDBiFD zYzPS>EnUJ&yu{cG$wmX7Bfobtfn2OEgeHl_o0{q3e_xZ!VNPX)mO1bu9fJdXSx588 z?#M_q;zC3xCr~Ffz%d#nqqW$4IAW_XRDV!iY_Nx&K3#Kqk;lPF@I3hwbbfSX=a5PV 
zkr%1~ICMh&`KP9!wQ51!h0NNXlLtw|<#l?^k7C$oa|M-V^=`^j&9KYMgMCO8-8;Vc(n{;R@!3O2kprL*)@B@Xc_%p(O4xg4RKzRKJoq1| z3gNnes`dLRpv5olrLL!E)6!=l0LY$OhEX3!j$zK^D>Z;6U}m6PKyJGwh))9RhaAZu zzZ@PfL~2wEZILAK$}$qzKMgu_HcxOUr1V2P^3^j1&OA1(`$-Z?i1Eo-Zh6lw%p)(JGJ|j1~xU&HqM}GF1 zm;_9=lqIU`u`E?73jqz_bs_ITE2w*k2=gFmM$4BNTUNi#-)T;33MC>F?KN!g=R3qQ z5jVuhwG~|P34Oq^R+r7ewIxEe@#wxbY-hGrHCA;bHW8t@pMXmg7;u0eL1^4HG7-M; zu5L(=PIQyG6V?GU_#ZXQ8!Wcuoa8XX3grEwmz%kz$W(Ma;T@$)S?tSp3!G_w%zJ7VTh6ToD;x6#Ke*Z{n)|Vyk@diB z5Emm^Jh1DxkRGU>w@QU@T7Djm!2oRwplN2oA0J2h2%RIO`p?xV$Y~GalwwsHQXBy# z3;iDSE%=+&dX+NS(yQSVbH#VNB+kkDmn2+921m2-!8<&?~cCt{`c8 zf6=3<=lZB6{w?y&>l_1MzXfGm{;HYYLD`r1H|La6qeICL2SuM3q(;?cJy!U`DRpos zQaaI(#l8Marnw8Jt22-E=a+`XiPje_r0BH*TFd{3v-gZ@a_icKvA0dLp|psg2nYy> zNR3hi0Rd@BSE_Uky(KDQK%_URktQ9aNheD0y+{oZI#L1zNC?Tdg8O;S`<`)reSaJg z7`gAY)?Bk**PI;@FE&G7egojdEfFhN*j5M*%tmaFB&*E}$vSoR+mWBbJYO&=Q^iH>b_1&`r$?rp6h zpV(SZcZW&6Y%H>9hG0+;(jI+jIBZi5c{yjUhCI?h{1C66_#9P~k5VgkQ-En+C&LrB z_e|{GEl_pD@q=swy(BrPuj5%XN?gEf{=(9!9rgw*8j@7YI{K-CWpNA0T#CkrryhL*i-c1t(P6I!15#twhEKB`NBIiiKcc&xTT~)Dg7!YJXR6 zC_uS{vqHY=*J){&^KZDr+*6F<hyz($2yGbUkX54ACD9LvcBWF&vkYUpx% zp5><&BE3THTIX!2lA$s=V3q{%UMU2j-dWU5hk3>*@zHR5@>2_yk^2k3Npgl^?sTyv zk*|6ZlJt+s$t7l+A;0NpH)kPoD)C@|Z$h_z4kdIJbq~~v)IltTdz=!TDDtM4O*wo#^HO@qW+4-d^eJd`x%P*^exj(_aw_{wkcKd@t%% z({9$ch=mVt-{3d4H&N5LQ`_t7(|&a|ti3scXjvg@Jf`VbddJ4OffEgj?T?eALD5GHoMXMbqKN=UzSzW z&mhBR67H_<&C$IenBMs>vB>MGbWeT+`09R}3N@SzcTqB;V6av4{A(+@3K@_dtBn zwH^~E!px7+QLg<tNMCi&2KRGuiPX(!JMLuY4E4CH* z9OSA&34wd6OYn!;r(5|!i6;LvR1mC;>`ui~-HIzd6@8oCnSF<4NBLR-vqR;P_8>`a z($%YYy%a&eckE%aPsI`S2>8#tQ}IQ)Iis`fE>Uq^i+jh2yAd;pJpx*KJ%BsuO2!yy z3M{_X`nl9r)Y7z$d4_`|E}o2*kr2NqpdH$@z)5H1+*g2V`m$|W>AK`e!YydJ8>8ll%bir(>!Rt--644##p;s!M6C^T~3&xJaHG`Zi;raA$Tr) z7#kz#adJ<8wIa9ZZ?LM#w8kNbn~(^5vJesW1XO4E^9UIxTiUU#MXgr+K;MaN$yth! 
zsX*ZpY%6p`qT-gpkInvEL8b&mbt|$ZxqNE&0ti48i9jGYiLjfL#f=nI#;9n-qo@{Y z{HgKai96j90P;QmDfsdwi3qu&i2BRVYvPAb8P`a>?~w9-XPS3ld2Y{cfqaz(4OORO z6uan(Yh;RHhVt{5J_|{5n{auCT3k%{V<(Xm9p1NEyT4Yuk{=*geaCjb2=?s6=ls59a80#z}nK>PC53v5j3PUHZ)eP*_|w~6*QGwt zLivokOcu(KI9e*d*-MlkC_r?g^Bww1&g88wNAayLtVBf_)VjAG_?}XfmmkP6h-p6PRdx7Ys>{3-Z45jbIRKY;eT{FeDB%~#XRr)rEY z0CfKNRpk z22#g73T`Sh(EV8E9>xEgVO%Hlm|wyWN#relZiwzKr+m08=vtqns!o1s2^{X51O}=< zwfH-Q3e0#43l?k&?GHz=`iKK)M=c1pSDuiUG(5>yFC7-mIW}D?F1Ju^tA;Fx7u|`3 z(aaySRUn-1whEFSH}*16p^enkcOgkt=Mk-(y`!R1N73POH?S-I0h_1g=`~2=#g@FB zxB`R`er&6&KO>*i482QEQ3%Yhn2$5P{AeM;XU8l=M!CByj*u)Z<&T0!WR9vI}BW=AjR0C2_KJ!Tr0?!|U|4SFfr|k=>sQwb(A! ztTcua`t=5Ln4I9*235fwE0LRoq0FbLX<7q=&x{n*Z{+K3EkG$F`ybYlyt>3o$Q9A7 zF!SSrm5bNcD;AQRcK8aaQ&zBeR%Mv^+~pNTR#pla*$F50D&lr?im)t)>95UHu#MLm zdUYBT_rkX4qA^y6GkS}yOEV@nb@Y>NENAKH7t-|d@<&+!y*{n1m3}GEUC~sH|G|(_ zlcmBR66vsWh~kS_`T|b*&OT!7WwQ2IoqCEo z*W%qCo?be;*tI=GS|EjCcay%C*PhSp$oYDMu7f;7#9nf6Tf~*deY4w8E}~l983G7G z(OBrk(3#t!cz{D`A1E>(pQ>Ceu?--lCwr`h2%Isw$6x&g=oV4t*zUjy>TAfg^%Bx z$(YYG0anpGBoVTl5fK>ann02}qbQ;d?cPY4hfE{6C|4*PVwBV3=Af_Z)X+T&13wob z<4FL?3>I8Z-wQYBgu9$@i~GjT|4d0Ldt92k7dP#MVY}e2lk3P z|M>ae=6B(YwgW;T4KpelG~>{$&Pq+kUb71h7uxZZJ|$4DFI zW7!>d)%d+q#bz6yix0D?-HX;JOcH`zu@F}#Cs?tZom2W%eKypmG{~`)Lss|Ed|H6u z$0#nRy1H*q5@k{A29DJn>NqD5v$Lv~6F6QPRXX$Fx6+-eR|+J9m_<{%-71}=7ZRMh zpp?f_!%@NM+U{V6%27+MS3ee98lmcyS6{)}&7NFzfckt=7kSjBNZKFD(+9IT9Pg^) zow_Á^$QJL1Zm#D^rRQ zDo@_v+LkXJC4%C7&aXD5t1Oz){swz2pq^Q^H|U}CD*5B%Y(ehJ*G$RD2m4&O2BMnH zk?`9Qa;>*lz_4&lVm#6AleT40Peh@A2GQ;u@~TbrOM|@%Qx#eDJb4qf1mx$o2x5I% zR~i_>QQusWR%93LPIvW<_{eRM2E(vkx0E8gc*C4c`GlSxSGzr-@rwZB8NmM_Q(47A z@4P2-vH)&XtdGv%SNm*em^-Wk`WkZ7in(Pq*ETU-R!ys}m&9o%hmW!DDy$EjSPop! 
z@WFcD{9%Xbh$VX|3CKr&c4Q786=G@xLP<+)Q$1&fz}+MS5$=++ zzrU49VVDDmDZr-61+{zy;O~a;w&$@-7H*TwIuF?&Z}l(K-4Q=dL&Ko?wUxs@y*o-APz*v?{L1n8=f+(TVO05geh<|sUesDPA;49+()jX zA$Kb6TdD2o>-@^Eh^M`}zp~tyUTlm&x^~TK#CRzip~TtWi4vhTiEprbt3Bd^ zPm);I7;bS@N5^Bg7R(hNJzB>1-&-OuEfO=-<82BsO_b19j`|vNOUs^Le&^=Jtj7mb zB`2KwNfld{`3*Bs>!riSsm<%Fun>4HJ(TnnCJcPC?lvVs0^#OOF4d&FBXByANe`=E zB#*3s*4&9QPZ#W?AoeT!m{MzNW~l2c&`E6C57Dy+d>iNTqF~~UPo`O5AIYtZU$>N4@a#QdH&%T7*mpDtkLgXKL2ES;J z&}aw&fa1-nX1GiX$JFr22szF4nlkqI`oN)xW`uvjv=LM2obj8AHNzB9g91{fVlN^hR^&5O}&+@ zGX@P8paUUeJ6fG24K2V*(rWlcdYS1jUwQZIE6Bd9+zb z;RC1ekPe{nv5#d+Ea-Q>plAn4{omxt*6|=XAU|(|2A8KNLYU_PMP~NG@Z>zi?L($K zd73e$SL_As^yy1IZWc4h?{vT{B>PHNwL0DUTKY8WTbyu?efI)y_7~Uk85Lt_h^C#? zQ3pn3tmnb1q;t;-I>RYObJ%Lf&h74}rl@M1MOuIfX_zm+#f2@Z=rOW$Yv&ja z*Z&7UwzoE`;qGqf`Oz4f_m+KSv^4O5L8Pz0-s0gB1yV~n!q3b<@oBC-M>mgGv3{W= z)@XS_(rw31(lIhTa!+J8#P~D3b|hA>!dS0jV`JDD@dSGzR{oeVb9nT7^>}f<4#M}j zem9w!jXTVJecdtacuu;7kaA8kT*t;+QJ3x?Mv&P!3DTfiU*-8`draNn{s+itmz?5U zzOs!fKYi(?-0FqcQddkf%#qNP{d^` zgD@kh&hr)?{4;|`KLj@%r=_>{xz`L3C=?FB^}Y;eW8Y+F(}tQwpjh z$JH4N+dz_3#b>D3O%`M?%tX4+Pa~ttx8%Z|Du-PZ{VT6pv|pN7Zl`)P#IB7{At=^o zI?ctsw~JoSN8F0K&RY~N0FUO#NYyqC?hkH-`ouHCmBQ6ObwUsF2(dYW3mx=@)LL1z zl8T)r-sXWO;W#B#`XhtH5NeL{F()HVGzwQPdUS>D@g0so{g@XS7f`dq4ru%jgdrgWdVo_` z2F@O**VXQ1y4BT$P^>IKI7`G-${0sgr+qlSPAst-kqyDX_w6U~j=j0D#uWRqNoCtt z7UPRVd+(53L-%jNeOTV$HyR9X3_+-|J(Y;|Kw?uZXT1C;_Kk19sY@;RoD_e6R zg!@Bu47=VO z0R>pT-=`a5LHlw3mG->zuogV^Bkey+8w@#8Hy*(PT%SaW$fiBQX{W4WU5+qXwnV?$ ze{~K$U_~p=MV32OA~Tk7d!|3l9u()7LYll=^cz&7T))Rcc%P<3k$nVue?;=y$6uq+ zgGOt=LxEPV&|qNzENzhf6CmH4B>QNk+^__x-o6%;Se>@D-(^io2;C#l@{j|dTKm+P znAy+6{hKa#ZiKc%Bb}o4^@%c!W!g_vuv8G$kxs$<#kmgpGYSo{imeI zbJDy=A4`f*2vH-q285C7d7T=!LICDfsbBb7y_}3BbXJuSFd18+QXm}%iG`$)`jh1W zN#KxHea&+56He!^hJAY-#>xxgR+i;qaposK)+c`q7BfT?u4&l1p@xsc6T9ulb|YVn zOiVm|Es=`t{}UM3_I*La8fPV01OwS#Ry}d)@CHpY2U4ZWO01 zUiXBX+o~sOjh^+sMk`0k4Nv@XI?l1`;2sNNV`{&BhRaiNX9zDuCpUeUdqA%M?c>GC z*PJAmp4UAd>&oy+F|~TdDX%_qoX;@W2o;^DZ_{D0$VNCiD?Y2V@(Bsj}c!KUb245l}x_{Qk1%bxmXH{9PMZ 
zWd;lV)$!47d_rNkH4kn178cKCyri! z)oN|^m?;sGEtdcg)P>TiJWa$DLGFuBcm3z+L`wReGh}VWK4&Og4OJC@UDt%&dVgY0 z$su?z**Lh?F!CSzr{sXk$>NIO?JlRrU$LxoG`kcdLdYmk>UiA62nVP^yN3gId7aQ~ z!3+Y@>f>FIJ5J!HXi)3SR78s0nPxVQO;B(WNg`om2%yjeZzg;`6<|7+L)Ex5NLBJv zACq&Q43#W8+(sH@*i7lAW?}0cX#;MK*??|Dy2vVr!jCTmuW`TfBoNZ?e(Y zk3c5=zM${!LaVnUA#J#z6Kd|yJDCv`n-I!ZjTmFt8S%MWzaBI+i9Rz)#i4xWuLh|@ zC8WkfuZp=Y%cm;bechk-_<|fAK6n6sCOj&FTAQdL3+y@zxcL0J7O8PNU=m-*`x^KZ zJNeL9t|h#pq7V3&R7xd8W9!W>EG{}hF4wRb>wK+BliTmyu6ohEK z5p(~n*Rc-kqza)=i2f&HD=VXAw$J`-85O+>tGAz8e`e7r_*?(Ac7+p_VE!IHm?v~( zmVu#eQQr!XQ>z9nU@gxZw!V=!as?H2^m%$=S|IySlIwNcexMFrWMvfXZkm7VeOVGM zh}y`21)rx4zoq%e-!lN}?U>(vbK~^WV^2M75?+v?fTZQ8-;7Xto^mrlma(wmLe#7D z7?Z|1O=9R*!~TmIGVyhdBlC~Ov!JnvP>O~~Z;b6PBFv6X@VvS_lQR_ z5~(4G;1lSjyS&B0GZ0>+wbP@kr;iG{WZ80BIzU`%*vcTV79cu=xCb81BS!(*w7j8= z-oI$P@}+&&{q|CQo7oVpKz9$;k(V_?R*E>Pi~qU4rj+R%f5~rE0p+eG-VfV8H!1hK z8`Fvn0k3FKQqx116!slU~bw*Vhj{c9ND%I&1e}d}6S${s+~ zIeEGRv?i9t^V)dF86KmHcU5KsFk%w=>NktH`8bPnS5T5(YVO}XNA1fdl(`K(2GMoW z^&%iFGl-AQ#+mrc=}4>DzXSS`COq2mO+M^27Y9<< z*~g)J`lR&llE)W-gd1q(+2}~S{Q2G6OeP3?5$o={QX_p}zfTy-_o-p8MfAKdqLg8= ztM@fsb#FGJB%Pv-C_{M$VCHD=ITT_|yo!uXav%S6c9~D>3-dO9wO=vdmx@5eU4xoP zP}+I+dHt~P5Xo})p0=6npcxc`zH$tGuTqIRDb~6wV{Im1KQk|f2vbR9yUJq96q?>w zhfeXDnA6PEp(J0jlhHPbn$z`PW$2`TGX_^LqzPk85gqTsxJQM#+hh`9XVTU$g34NW z1BLS!=%=9!^Gj-QRSKFJxmtTBtCdkj9zRl2Yj-4Nm1Lc}$3@<_jT=x!B8PSy^NmP9 zkXc2nK-xQw-C$Lgv9v4P(F`yBBTL9w z>+=dKPoGCw>;in4ZnTJ&JYKIeTugC1{0s+U%u3^aoU8w3Q$3ZZKMXJFA!v&Sf<8AS z+(b<#cxz*Xsnz2%Gg6Vc1jUa`phOfl-Dutg5QyV_tIEdRe?vnls5}uS1S*ZsBKcdr0STiL(8ONq0|U~ay7jwf zBlzLJgq=s(`WH6Xt^lw5!}pBWA^cG=KA#6we~#tjBx4MM4ysCVr^{X09N2~yg$bW~ zBD6lyCQRe3A2a~AY5BmOvFC%9w~xWN9|WCI|6H|^0{tD>+S+or>1h(aKqvK4bFf%~)0%iCc_9%2 z*XQkr@$zO`@i5-+-(oaz!ViW>6MyqX+=Onn$eE*^dm)s&KKfGBXp>|wOZU=&ntgnG zabTL7^rE53V5ybVELpz;e@OH8!rS(w?4yS{c8zzQbW5|KFa2yihmFcg^*rm)*-00N z-7K4kHy>k85A8|6crsP$MENHegK23iT+qnE`6=8fg5AE}tY}#|8(RPE_g>n9<>K*z z-k{^|b8|6vBrgd{vzgw7TJI6zvzzlQj_!$eAL&^vL7CUqhLrx1MdUtweX<7sgy$01 
ztcFz$T;_a!5o{L>V|0=_YWw){nZ}_Er-iN^VolQnt3(~2zJ>tTgLP0qG`%M^nB8|@ zLuaD9qoW7!v6SB0m`_P>t-h%eb6Xssk^-;N^W>w~Dp3UQ0Q^z3(A?yGssH@$)>twYHE?f#Uuc0ug=v-Bn_n9?_1oI2RBxf7+b zvea0ThDJ?Hb;S8~Uz6PPQ#AJ(O=2GV0jeednP+}g0+h(fM_#Bh?Kp$+^@%^PFAXwn z#QkLA`!TQlaOk*HF*bx%yiPTiw7Q<&WK!fF7S1}D^UNeZPF6jvQ&n_V$)<3RD+S+j zjNaIJ8d75}hcE838A-7S|Ma7EXUM=&Cr_8(@ReUqekJdVD_=hc3K9^?j}n}A#Ajb( zYsj$>xRTYV&^Hyq8s|S>dYKVZKi_%Ivz1};RTZ3_ON=S#^>U-`fZ$KOEkz-W&8x#;5wqdC+o#uH zH-Z|=vFf&&*4dWwv{_3SAx_2!7!FkG@Lg?t+9?6Qrv9xN+*KpRHzim@- zY(Bga+4M{6SL3qvOC{Hp2D>Bv_S!dI3~fn zC^9G~WsG!7H1GBtqYq0C+vSwWA?n?ojrrelj zM&%ojR_6kDOx;h@1VcpItb5OZGt<6aPNT2={P~rQiu0;R&}P3KqGFC3GjfNUY>seF z_GRy^+ujlkV*K8@Z}pl4&|v$I3g#P)2&5*4Ea?ts{DRHwpj%s`wS|I`bXAsmf*BdyEAILUVX5$tdkQww}qdZW$2fa@H)33 zxM2*fncH1Ls-lu&lhhu1I|~JP3%MRVjtUm|jjCV2?pNTw42HffbhimyHo1&6{_=E_ zTnG_*yoDZ0_ z!KpCI^CI*pJlswHPw5fpS2gyEBd8qwY(nVD4tD=97gRlJ?}Wj*`y%gIKxJ(^)sBlX`CVErtxyV;U%fzCT7R03mX3s=6mr zTu+bNL}=LUFLzKQSbdhk9aNEdPnv#wK*eLw{Iq`06Hj-ZTiasIm;z~WL~UM7x1LhLV z)H7n`Kj1I4?}GIS?jKa?^!NLy1Epmr*BtOu_GN~_|@2XrFl&r>J{ zZ>Ko`Bi-h~VUqB}PmI-oQ;W;1-I1G~mu!Xk2}e@vW}TL^``jSkPv{MIP4G;_jpm4M zJveNnK!30|cJ>%!wdBV!cUq8kNs_+6X}l*GM~F629Uab8mS3+p?{Zj zZT61E)&}GcXY%v$Hq|XP5MV3csz|j3t%PhP>t^YPi7Y`P>3oN zA0$3gdd7V=t{#1R0rZ1oErNj`avWO=!Dy9_@x&MXs?t>%CU_qit~P4Vl~G63jJ$D4 z@Xi;AAoYHd@i3bCmvb&%d$eD(Q!c91glGzzV?Q-L;VM7-eNyIcb++XU!|{^ znJw;g6%r~b-!Fzf+JB4DdLe4LuJ7W)yy2r(Un|JKg}E3Cxa~YsM25e;x_}ZpVPNt4 zG|(M1ku1+XH&bsm4NZdaomuee7lgq5Y!1?w692INllt<$Dc3hy`#yTEesfz+lL>i> zENDnw#SB}L-trWmB;~(DvYKQx8vc6>TryAS-Z4>uLD#xDMuQK$Nv71ROp_c8G>dMc zN|M|@w*!ei=Lk*nnZC%Jr%4aJz;C}66;^$}Gi=uC;I+}XF8xA2);nJXN&GqX%?pQg zGhW%+Uf=g-XZa87nUh+%;}U((0iHAd)x^a%_|(5XDC0LfS0HlK70`x79i#q~;e5~N z!rFu%yTZ3?5jzjgw0<*GcZ7e3R$F(tktU@Vy!d|ndqLPJf&5f`{q;Tg&i{C|m&{?W zFpdjr)F(8D#9?y=-cxPagT=3li|k=h=dRF)(724B`plxJ5vy|}UimI|U%S86N%m*C zr@JTNf0&Ij8wc<FYr-S0_q;7Uw=_^)z(CxxtD-Lb^jQrI_6y${}p9ZR}- z@YedLn1$Z6($<(2UeSN)GR(NLOLi|!PgB2XPSJzS_2Hoce~@X`b`w+pl2Qs7%0~KV=KIq|3!B4m-Z$ 
zyT>g?4&#Kr|DPx?>Pa#zYv_qzN8U6AT2QTFc<$eB3TG8=kf-e91!43!#HaVhPql46 zqxLUQxjmfZEJg@8ALiU)jE-CF#xGJ?(`{ z3J!Uf{%VqKe|pd*X$|B0-&6VKAS2(wKuiA;d}T1C^yUZZ2byc`ka~;`YzWclTUx7)ci({3roiqlmqkf(_;`8h#{PYTSjj|gT zpZl_G_*UTpt7(ao+{)+lKK!)=o=vB~DW3a6wd=s_(`r4}4dzAygYy&T`-S7L^19uo zp~airbkX^1i%0tIhwJ~|4X6x|8*vRM?<-XB7I0GXfFcB~KvL|_15({o`NNK$OW2$j zY~WY2N5*dzL=BoY_Pm(>_BBH}Qy?nz&E_8B+F!O*+u>SHn0~bRPYA&cys10Do5FNW zK!rfBV4By}R7dA8&hp~U8non%)3jpzZjTweef(KzNv~JU9+8}=jpz*S6-ei~T{}`k z!jImMDNOJbMW7}S9JS-06%5ehA^3-+2o_3v0a{XD(;S2=Q&%1U(#02=e~*$A9Oduo znuslWGf|qU`%jGn)xhh2J|FbYZ#UaIoKC- zPh2xFBS%?kT%Jp$oES2iFY(TJ8we!67&pjhxiwVt9MS--z@4il&fiL-wv}N}ddPOz z%o9Wb?=0r#S92tofV?Kq8186a`g_c08zNF)cR$QZi92ueb3ipcL&h<~OCvDDP+{UF zoiY->*2D%l*o=RQ)ff)NyS?&}6u1-Y!;;aQw39oa%>M9+6BXGd{%I>jA zc}lkNSCH@56-Ym2eD8owN(D>2{(V; z$;1Nn)y;OgzZ+>I)!z2fhk=sT1lp#S1Bq*+U-oVIkM6k!1HS4jcd7`P`=AyPN1SLv%Z~@1;V5(tB&9vIt?Ka#=vjy3?&RiKK7WDZ)ksdJ_sU zvBkxg{b?j#Bew>jUG~KeJEeR|))hD4_^(a;W+!v;UX1zN&i~WXXH}1o`|)!*tISgZ zx8>?-CzVELYmqo!w~~J?#y!7vZR5EQkb8=(cMZ1%>@-y~iPU=1y>zDLAHL4J|GRZd zC*oMo#&bu=0Tuoh+cb9}J6wf(2;BK=&Kl*r*Or9mK800b3Kvi7z8sx)osm4iYwAx} zBuM4jXeEh$!bHWd$29?MMKSfRWeN;-n5;bYR|gIi)DBjG%KF#p|K;zWzRp(`(vloN zRp7_Hjp%$2t%CmpZlscK*SfCJAa)|ku1}dS#$?MV#H|2R^}KdnxM`j6i+z3kBbsk2 z`W3JZ?Vk%u_tgKhdnOx$p^7cZ?b>QzWJzpHn_{!V_foBwOS>Do%Lq1LB~>ECtn%h{NO>UwRnAXlJ<$=!`H z@nIHoe=k-Lf!;$TMs#OWRtNBx&D*}I|+YLMaUi$A%`hPq9$#hupyNCDaLqR)O!~+Xoke#a? 
zyN}B88}?2eo_(|Q+k$yR?4-5W3AgPntqKQdE%qdcBq%C4g7IxrJ@H)n8PxdRSnYTS zf(dNG6`PG&hJV#*&>g?lWFIibk%w~Uul@V$JYD;s(JYUrrRV=#-^jZ zxf!kf7>B?St$C8*FO}`a>z!iEwI7k%YRM6oOdMM}4R)jX;6KJcROe+h7i=fZHjl6F zkUK^;M28@_5NWb5prnLTfJ{bS_&)~3usd1qIW5h7wSl*}tYAw{zso^+wK%n0)EQ}# z+h43GiCb{ld|fS(AiJDbHgVxHpu%CFye6*;WI}q&SA2R4szuwaS1~U~N$n8mi@b+Y zqT_~V7Tpw2DF;A$zg8Hk?Tw$Xj$))R6;Se)wp?CHjKB7>Xejuz0@cIeKVIxkHVdM( zToC+lf@7R4HcsZ2%GJj&XX&BL4j3s{uuOJH>RVlE0H*2fzeW#;#l?GnwV{Tf4nLJC zK?C9g0mP?V!%&F`jD7kp@BP&x-HicL#2mDMF1s0dDr(WOa&Ar37V3ID(N*VKZPKH$ zN-1^m=glWJ-D>Z6c((r#n}8WuT|Il|lSzhyT+JuFbK$(K7^kpw6KK$>2~V$uA$vz} zc;8s#44OD(XA}ZbzIm@nSVNSSQ0;iAu()#v4hyDL>qcXUE_?^$y#P-%3>y5&Wc|t|37QI6QyVkTl|gXPV*tv&6c517b&FKy@i`k5c7>Z zbtn8x+R#U9{4gCqMS|M6+M&oq`QB(cK8v17(L9{CO-nY`9BULm?E@8 zbt2RT{u_Gj+!ELB8%_T9LeP><{h|CvL_UH`4&p8%92>qBel}kje|3DS#b}N&gSy8-27%wo;bmj z`E^*u5x$r;y%`-z#5KfVR-x{92OA)4V%9^XG)=7F^EmQUefN2MUyT)FR4=OJDYl=` zEk)7Yie9}-Hp7~DE)#gvp_KXYMr-B|xgXiRw*f8Yi>aX9Jn5pu=KMg#Md*!{tpGu^ zoUfv<=_B+eaX+?V41m`v!W+qTB1jnxuhTen-`KN$>3oyRL!3Y`7~%4>X&& z8;6?9$Sd48t2cYh1aD>_uCI$(%zoisRA%=uovE`JarJ?1Nn`1L4X?+h+?iWH>s^Zm zy1c1>R>Kc#Rj`kO-&&QN)E6el4TL0l6H7Az^3QE)f{zF%9`7%b5xk6Yh(fYY8~7Pt zfto!IF+R4wGPyhQ7$DuO=HUvwuYHl^GOup9uW8d~#11WS(ZwLF{MY`y3w`%`6Nf0| zr_S_H35V+etfMR4#$^XrEBqqcQVf(hd-!MD$KF)JYcn)Rc~m|4HH85=kqz*daG{ex zmAuuU<~#kh^WGXBk8{ z_r?9Kry;`IX#Ks~>G`UL8Y%G5 z>LS`=g{7`uMJTEQH(!M(RyhX^VQXnkR`71ooXI%c!_ucU}7Nw$kz*(HeGA>+CF0_)3P#S zP6ud8y#kldyb&U0XnU?(Ey1%naiSWR^GtH37Z;KE=|^0_pW7}6);F9I`>R(Fe^BcM z5R_wcssbu=LBnt6f@4OY3a9PlUhF%;S2uEWpzYrJT|^2l1aZAl+|hgHC|>vK^c#`N zsrTnZ$=hx*L)D~$mliL6h8DW|`1?spWwYE*UIu`eD`0+oFb~!u= zZxAj6dwSX?_`m4@_dtue2B%y929u_}0e|xW?^05(<5@SKJNsvO)n0s_J}mQ$zOrjo z)4CJmF&8!bfhnF9W`uD|x3WJ&Um)AKhA?t5`WbKs_UAtT2g;5c+SaWe*f9^m8pD;D zRmpK1Y`inrgX1Vw+uE3rW#(Pw8wzdYpX4nw0!)c0h|JU)TiZQ+_0r*7#OI59nDsGPKkPB(`?8vgkw zSZXi>qfvD~72^GgZdpCog@B2>YkiObHL~M**UVjQIt=A;i7-Z#E)P0a2-K!ErN<0> zZ)hUjh=psB>4v&CbD;?TrZ|fXBMQuidh;qcLx5kIQHQg>uJ|lqO~8@VTF|9&c77L) 
z{;rTi*T6|$rQ{E&6H=h$STGM~Z(cW9J^L&|-zw2%2NW+ZylW;u%8K9SJV#HT0WgCY z&tNArhA_e|f)seN<> zBzxSaw@oH1eAk}v=f$J;#y1F4vwLk?zb?S9 zZ*PZs8DZSW**3iYc@Z~ChN3Cal955BX6ik(=jF@`XLqFnN^n)x1Y9wOpwfR(ebLY& zsrb%nZgK2m;uwZvJ&eqk8h59oz4b%pjBV$v1`1y2dC?A zAp_gKFCDR%p8J!@^B|zBeTf7$+-nw_StuSdoDA;T-5&7W-C11etsB)DB95&H{*Y$YYC$KN@%bx$Ws}0;5wTz{GeevkFu6xH&HC8T8NXxFxh9g zJJimtl_cbCKg`*j-slZkAwmg%Y>5}Nie)JMD8XboCKFgJ)DfAlu1VzH*6aV(P9c`v z;5+7dV0$nYSN6(rZ7Y^2!NKM9}23!u2rl|Fuzu zXT1^((n#gBg;1sK13%RY*C3(MK>6!oEfc(7pNqT5`2_8-jE_pIHw%n(Tzx+2=+@LW zGN7Hibw_%H2sx(YX6)I%^HL82I&fxK0#nmw*gCuyKQxr zIUL+=k)oUm;WANyXX&y@NI8@|D;#!%8#ZA+bnhYy)Q3&+Cq6~l+W6Fq&-SJppaO#t zW5LHha@hUQ!&JMIJrK=U#)=`L&&kg}$p#3Ico!09(v?Qnd}*(G!ky#1Fuzhqhr(dQ z!diVbWrWFiFs29R{7vhX@&IcWdO&P9!y?LXs{JX~`2c1f??L-@?$=7-vwRAl63a}` zbMZHH0rD6FUR|{*a31GH&*8?c9=<$*(SR)5&8}4^8~X|3e0CEiBAa_vqm$%ZQ-hEb zeOPJrxnjoMce_UwJa={)j!gw|zKm6@FP@t2S@FM}=IEiJg(4eLvKE>)?h<|3*eA#% z$r3A2e6GyRS$E~kIJSGuCaDXd%+M)@v4_Em^Ix#d%+ZXgRo&l4v0@1C0i+&sf8fQ2 z)E9>O9URK4+Ni6$_CGTm#fd$CW z4OWj`X~YaJK1&O!_^3ChUuS-A#h;dvwqhBL82y{*0HQ9kfoJ(I?^ zrvVdQaz@KoqFs8miL*2d76SEPM?5!KEqim2RP#Eq%tmF{p`&{RJ5T(0S%W6yF z)Sd5C9AwhYP4JMbIco^JDLUsjWV7_ET^dmxv)MCR>NfcXf_**t5rTcd#Y|Ve`eRHy zYsuK2%d{nBfBlM)yVCB#7RGQP-d6~{*O-_0*{&1;-TR$g3Mn7RcrKnkmC9q;cM&S- zJnLi#d3{S2o3c<5If^AQ-m5MS3^Ba&eMp}&=F82kZZc4zfYq--3j@C@DpPClqz#Y#nfTK(j6OtKtkv#` z=FLoJ-o!aleb;-lF$|&VPX9lQW(Dgc7Lj?nm@TIO)H=Nhsz4D&Ct6xN;*_aU1}|Mf zC|bu`8UqT?u1z86QKY%2#DMw@L`UK`kf8Kbzju%z3% zZC=R72R{4s#on-?UjO}NiLEy zCx>?d!KyiiSn3^yMWYPG;_{uCq4C{Pk%Zj8x?H_oAglHoRjY_91g(DOqkaM>FrQER z=25Pps$T+a*rHc<%{J@dPt%sq4W9VJS|sj>q7TYyF*4B@GnV>ub&E{t(n)SCZg*_}Lv zZS{Qr`wF^vA$0nJuq8?Q{;RHB^mL7p)CBt43$_r->sJzn*M2+ctPCyE7JIBr)||3$ z0Tp+#@V>AORok0iPFcM7sQOHy>1E?3N$DY8y>P?GU0WRjy!Qsf4qDp&TYT}VHLTz(1LNTrV2ZovFjkwv_kDUrmE0@KR zNdF&I-yKi&7ynO%M6N4)-7b+Wd%NXc63Wb8A!KvyO>wVH_Rh*q_RPrMWMo7(*(2jx z_xJYc`~5wBzy9k{k9&Ea^M1Xa>vhf^Y(pHI+%QDP*y2RuSd!)j9PX#~yCgHgMR(+; z+N8_~@gofWtJ^?TF`(xp5Uo;3gENi#E&p7Vz`LnKsz^1cCrM$*sDonh$-ZTyUH>y= 
zSpup{_mtksEx+G}E0kU|ZNHMvKD+R!_{+KFtcbUwZ>BHYgM+^OU836Wq**+sd#iEv zvvwENeDW7#`1EQM^pgjiqALNX;$PNIRex`b{QQ-q_B76Rna=BVe?kM>0*Oos5CXrTVlG; z!#b3^&LpE}G$cC1!&e~5?+!hlzE+uj)>lu)$VPi^+U2m8DOp<<>!e#myuc>*$cW+V zQ5T&berAH$^@1t8xF(4dD*PN@=kMK!KF30Az86*ja@w=5)qHYYFuMF)8nZM`a}Dup z_`Q1hcSj@+X04xmKMMFI1kE~*1{W_CeU4bfHDBE{%d&q@5UAuqA*QRkK)(`2A+q;M zyXF;HfSt@#Thwqa;Q!?RAUGabSW+$jYXDxqHG=Uj}RU zuUmpSA9q1x{CaCJ6RD??_P9W+m_`Or5AP`utSzvy53xp(bpUcnF6F;pjvGF_lai_cdk57 z5u|eWuRY5U@MVvzH2KruC%Oi|>-D?_efQ*e-CCgoCD`q*RITRgYoLD)=zZO+S1ohi z{8f4Uy41tzQmeLB!r>8Ai9mdnK|JOhnEX(PNz~lG+Qx{JAJr!X{;m-?i`UA(S}ns) z9bmw5QnVSqd?WCwJJxI7@|$P?jTYgR-KOR9#&M;#8}INf_H*0*+k4_eH$Qzm zglhC~Cq_wz*YLSpM}$dgXljQG!1_MGiKxnmwC>B#&s~b`VXh2LZKlh41;tMRgZvUR zk6oqab0R6!7BjSKjEIKM*1(d*+-S)5*Dx(|%}jkkVIt}9G!K`3%fpu(rIG1!5ZhU= z1^FN6r_xtrMp&)9^lDm6Ce`54u!Fo9s;e>0FA&b?4{t#Zj)(RViO?48V+dE3?;$t% zJ|nXo|LY>}o5<8dQ}iwDVR_>AXvLJNbHV4b+L8O0{!;Wh2@aM6 zH%!$C-2I6$!k$Dic#)(oV_8%=qktnlaKaaUcgNMZA%efKLUa9PFpaSLG?lR8tO%>m^^%`X~ z9VNK)bL!pnawi=_V3T;TyNd?z9%*)lnoEj~&t(tyE4y!sts_02&RWkJ`pq3*3PyTgq$>~V%$2oNR@-`&9(|LNJSV1aTeirI z=J#9KKWLYe9QJ)Epc$EXe{awEgkH_-Db@91qF)k>(&S*^ylGF~GQq<)!~MKda|n`} z!MgM|B;L#SuV{N>w8(Ei+f?D74nm;*KY_a!-B%YNmZWvR%(etM8eWm%mPPvWbiQ=k zE{oNAXJtNtijwt~f5@UtZUR{la?D-sBHahcYpth>FU6FyWB?Dx_jJQ z-t~zAv{c`${@UvlVt%dPuh}xTmQu5(3aek!jVdk^COMw^ySTn~cF^77dG)lhg``m* z0C7J<;~&V}6kzTfYI1|5^WNR=?2AG6ymZ)TY}F?U;bRN)+=vKrS9h?G1 zJGq31zVgsy)PQNAb7ACU%3#5D07E_Z7VSfSH@tMLVqqrrDvv(_|D$pz;3LONG_*C| zglJX#+@1bn*E=jA;jzGabvN}k;k!wX!>uok*HPHL;f>?NZK5(?;^Bxv#xJ`YZhx*A z>m<&8gQUG9-fpH@KEL?gv>-GuxT=&{fA+J*$^wtg@6yjt=VI-7mYfl3Ur5C?6|dJt zzR0{K<83{B&~dLtA#7yAcIE?ZuQAr6i>`7{tF}JnbpMRc=<+(@+vQ9ir^unTDz@JT z9Od%ooi1V@=|OTmoVr!J1jd;dMROfpdQ*{Mdraq)R2+a&90G=yUFy%CfBbS%cdzW& zw^L-`2QD6KZVP~yh{OE^K@@!=o&)3p*OA>0`<7(z!o;rghBRzslym2G<6d)Ochn^N z8zJ$MaZ#8{238U4?RR!QVZ|d2tp=EqBkQvT2a}5vhD|lU-Af7>wv(H695c6fy}x#D z%OLLhotbwp#GGB9qg4>%eo%j-)_9#e@=fnM&}nywL3*o;V~;>{d@j=Y2)DR zSN-Oit=HhugR|)@KkUV*^-P2QdW+AzHNAmM*BN&rslfx0xxYw#nZzxi30L}hniF0P 
zvf12#O2eHiUBVmi$P}{?`Xl&E;V=F7iW#YLr;FP46xP%~@0FDx&L-#4D!-p~=Yu{A z*%FKM4IU-!eR|M*$yN3)%XDM9tvla?aXtUDhb{@Vw@J~=oX9Yh*Gn^^VI4ZTs0N8WlYqev z*FH1o)%b>yNV!b@zH-?JK6Pzw#Pr(-zM9m+TDnuJ{dw{dyXu=d#%bI?M@8?ofk+V> zdNB2X+)Grj^yCc0_~Lq3MP}!mfP|$Pdytq~>+8kDkLr$Umx;`ul!j5m@b`O9_9A7? zl8@n$c@Onpm9zaky6x6KncnvG1%v2E?cW%}&xze)m=BJ=k#c5!boAXmQO&~`x6}36 zs`JgzN1}gyHX-*0TOXS&+76v}Gb7!69Br-|GneQOiz7dn(|`O-0tY8fy=mFNe(4 z@GN5z&&`2SPKNpU3|QZn58*p3|6wjblz2h6#Hou%X#~-(=v$*)CvD3jnK@B??Q*Rk z6|p{S@FW01^Z{Odv;L}Tp@0uER;y?gXc)Yh0H+>F@eb({IX6O}JAml!Gm}ob# zTv~#V`!P+>{#lu^zuT^Ub>b+Z&&Q#loLl@x6kCxS-D8-*3yN2oG-uawOO--uk5cVE^QL{?D<1O=4<;(am8YiQHY6pZ5;*nZf_nTS81$ zUCC=nxEzg!vql?e!izas4pkO2+$x;LoYM?mS#>_PR;&5)D(l#~P}{Fbd^+PxW`vaQ z=KIbU_Cw*b2b#L?9ADqwb6+WLl1k<8R~XW9qg=@#)K9GOb@g7@dRNGozvcZ#-?I0@ z_XXYhW5z4-mgc3C@ILP1Sk?8}sLJ6CmupdDj(NG*R7zUT?&X$`>F|3b9)&nk`%gr^ z_3z+ny(me$sb^GC{+_Aq_!9P}l{PZV$!

Rf{pkdib zjG^OW1xiV}HlMftDFava@8YHBq6TOg8+;6A^eUI;)4*C6)maxrO%nK}Dbz;+eus)t z!QSWQo;#+k<=zbphG*U#-JEJ&r;-ikKVBTM-)D@&e(r3`+5;r7)8XQTM$SzYRa^hl z-V}}M$uPqGSB#t(2ge`4N5gys2JwdK3mE;idU5P8X8wBO8fy0vT!*BtvCz-zsTeul zaxeb)a~SHcJ`&?BmBP?$S00daK3;#mX*79GOF~EoZ0iWB-S_0{(FGVQr=J_W zbK^heg!A9u>HC&#en?idF9 zTw53#5DV6kT+m1ePqE*aL7D`a4kbhf6r+1aJOICo7AC|MSG4{#L*d3R5<|`l4vLKOg z-*pyuKOrJyMijP~*B!V;;ND4;0rg*>$ii=Jufcb>9-Gggz^;X#&6M4rGZNIrZ92V- zHS`3o?84!FT_u-NFip5$RKOeeO4M0^{^Rcepqv+Ypjn?56OnRSAn^r* zbQ`Mm8l01$uh7O7NI~@iq@j@Va8;LRWrmDL#l+{mk;HSgmc?^PDoCcclzI>d*PtMJrH}-YUcKPAmeOY<6>so3 zgI9UA`YXU6(EBQ?Oi!}DQ!rCN_@9E$qGb@F#1UME?;{@H1(%NY7YZ@2CKAUKtiFSL zzb$^+(MM4h%H#I@YVQ`ZR~bH(Wjq$I=9=QPm>oz|Is`4|;4CuSaoTwAzcQoD@ar9c ze~6f_{zc&-u)U1zhiGjB;CU>sd8KHHO~zXv3dHt3`Dm~uWFsFg8N^4hQ=u0n=65Z* z(Yf_N$OgyC^Uq>*RKh0sBeLLqWPE$nuZl0Y#M-jh33Pla9EX<%$6l~4>$|v7-MeSE z{Ph`d_H1#Q7IN8s`jI~+c=PSncw0AL18b|^7M(~nmhbw`*4Xx&EY{Z9YUpzOD`+(? zV-k~+!RlKL6s}CjIWAd3 zv$c}uK3F`;lCfsClb{I!8mLjOv{7uI*ngX4==>K_z61_zIzp?x$K_7h=3IertK=UB z&}=)^ed0H_z0sF&fB4)hGRj+!&3C4vE3@eai1M+!ci)sg1=lPx1tJS9(&{z6(N}OB z8Q`#m?E6mO!Otunl+f%Iv8y4@e#0+89GE#m6rtH#o}IiTRO0|Lz7VCY)rEwOHdnV-|=Ha+-?3l*by?M z?LIUR-oD)@3)GBcR05cW-8dVmjSW-`uN?Gx+RqOj7rUmJZ0DrK6D zjs^9)u#r`Zwuy~fp`1wS^VdmJ8k4?||LoxpghO2dQOriGw>2Ii;>LaN*#?l3XsWr_ zG`n3oAwLUg^6=;0wcPAz{w@%|PAVGg;$!c2sdx45Tg6{VM&G(ey`D;ju6Q<_0rt7c zUgpFSxS;#?$P#)I%NQwC&8nvh@!~hsbW3 zmU^*ALo6zJ#!P^&b3LeAG_^|+fDohS&fJXMiF>j$zKtwSO(u2+t z+@&WI(t63iKx*q;OS9;tS{1BUKt~!AaRvW`h~p*TACEnY4oza_T2ZWlMka;bW=fH( z$(o|sCq7n6vRi};7&C6hJ}r0p_Q1nbSO@(PO~#HL*_LJ(H~L~!LBsR>8S;vh?YWu! 
z0W_YAfCwxJ=g=GqMDtU676qlj>G|>}gOQe_tv2brB1!G5UstMR333(ELK}U>WbV5KW`A1_&Ug?4slv`N+Eg=3@lu1*X2; zhM2<~DBT*X;C`e(+`W-L=jBiU1NGC9rO_Bu#{19WXwo=io_*On+o_@7e>D5%zJNmx zpJCuGV$$@-vcdtg_qAO@y~VWvSOB&8tb((%7{0$jNzeIwS!9uvQ^rTmMGnhw%`w~v zmruvplWIYiZ+$TtL^)(}Eqb&`y*y7FxxSGDnx}6f*8tkU8zg_JXCKrC2to|CmMk0}tXJ z5g(I6DvY$;>D^I;x0pf#T>(`kHu}4aT-~pSbAD{bDhW>DQC$~C840Ghk7yANmVcu4 zzstPG{ji-TRBKisWDlH zzQ_MTkSf0BAO3K=(D=$I&9Q@|xUzn+J6fTfMeKbNw`=?I?I%W6&C~5mlxvw~BL(g^ zEzd_)lsZ`Y8S@m`8pNi6jZ(;bJSWj#wHg_DxW801Bc@XWvq|3h5fif&?5_>bI73@VTHb#D zwq)W44BuT*?s?$ln@7@fpyzmvp7B$GYlk%TI8EVo{ApOJJu`7wPJX*NN#(63GL0c;E{aB-9&XTCiLJNM} z<|;*3T$!5NJZ@jm+(6B)`D!R?yrtaE4Bgg>K3U?34M=BEt{l< z1Dlna+grv>N;uKsswXMa;m#ZNWT#Ox#!YbX8R>d|8?0juTJ=z-nSO?(lY=Xl6zoZI zEc03a`+zi|z<8HUb?Ji2$6K z1bze6jby@Sac;^YIG_ zl-hCsdsi`IbO_Oy-!nWvd~FJ+rCD0dBzUHT9OwEy7@~we(!)(PqE+xYe!ZG&)4Py( zI>v?tow-}6R`_$P+2uLD0)W@}pySoGiI&Tb1d1502&C7q93rBn)UER~?##WTUI5c? zZa9;aySxLekK}{5>^16l_8aJ*RTiYYcMgIZGQ8KvG4!-yAHp(fxoIU`hY!70zu@d_ zJ*nRjXix`CKY$GnbPPc&s~a6*(g20=szF+x?pyBSm#taYdXGu13I(YPs%P*irfMOZ zg_JiHufitRi}|EWRsL-SmtiRG&HK;(+f|D8*j8&HdV_$%a-@T&hS1=h?Fj?`nfPc+ zE3I_ie3Mm6)d+O9&$Ez*Sc@J9aEvX0BfcepRIyn!p7w$8F?OTKlcXz@`7zVc z$hM)lkzM3aqGF0H#_5F(W6JE$zaYmt{d*E9Q6oFtn5@4Zw|iiMQHQIR?b|TK)4OO( z|DnXA{A+kmV!ti|<5WZxV=-ycF81Lq-vuhzQhEh;R|!oF$AzV%t}r2Xp3)s_;t(7@yM3CGmP#pk0)jkPPf)UH*EN1 z>`2$VME`~(@PAlPF)IZ|f!yx~_P=t(bBB7}txT_@ZoSxSSF$eA-?t!1^W$vIxg$p9 ze~R}IGV*D@x7=xu%K^{bPzZNk2}g2S_Xo}%H1Zmmh%6{?;rW-3x&M| zS+B!=@&w<$vsKq*7>c(a=zdvky4tiEdVRZ9Z(qNz{}oP?RwMn)x$dUy?*q>B@H7WD z>2S+5iiJfWZu8cMP#Q07c9;tX1ZtUIy0_ouB4LB)J`Y0KBqbV47ULMA9@hHG?Ob*I zOC8Bi+(GrdGl{cH(?WhWcRQs{tl1GKb8(Vs-zQcRG-~F2>$O3YY;yRkd=mV`xK+oG<44DzP+z9T^I8sa37e*XjVmc-f25 zyr+<*&c7g+d~Y$Miu+I%lDNB+*>&&8`3R)Ri@&cf2{CP^7hp(<;T$^@m%pQecyP?ylKOD96?K?MGTdGb+Y3-}`rX_QKJ^@AGKyKne)snUjC-gRuj|h-}0H`ryC{UEaFfeQ3Lj8IeG=i0@Ei^Eg2gvw5%E9vGVpr*Ph6TF+){P z#>ZxzQyWMj@I%}t^jI}+#>5<+KS6=%ttJ3JWcliH;YvC`351|el_5?hA#QPwO86Wr 
zMMG+<`NMggiHE*8O$Sm@qPW18;cQi(SK6jQ#X0y&|mpbj^O$*b_})#kQ^4e3R${_E0dQ|>u~)CDm#XR8iqf{Qmex_u{)S!RATNlAQRD+>m1rgBd!Hf3KLqMxp5zYVf8uk^8t8EuYqQ>7%!)X=X2)?ikP&Rn@l|cJSBkoDm+j+>V(7w$ycdzJ=9{a>o|!Rs*?F2KR$#MKLqG(D{Y)ib8=NslLe z=p=hnsr2)3=aO%d$wThK?Z#>;D&vt~rT=(CR;{nbxkBO}gdkpGYk*wYxVKQbfDK&R z=0WmA z8s!|?2eC_!qnOsraqk}ELb9uY!H#p#v236IJq*epeI6Tx76% z#z85shK=2yYU|cM<*fy71+HE<-4O>&fC|%B66@3YMmvyY&}`xV7@VwXm^G#Wr&u!1f(LWr^hn^Sft?9T8=E|0L4#5jwm6ICEQHiTIA<)V^mGe^7p<#ohi7cFgt7qo+*9xY)Mh|!5M};X(+oWclt~W&$8%Vc zD6u)Z!W0tJ9oTfb`;J!~#9T=LPG3Vh%CCH*;&k(5E8(FmN6q9hD9Vo>Y_r3$&%grE z`zT5;ewx15+-P9^NDiQQs9R{zsAsa3bd`1^K)Rj=)0;Qbt7gCPhhr3T zy8Ee2M?pn|>Ftjt8Qa#f0DYaw>IAa12Db``DJTXWt+zaI7f_*t7@hWL)voXv0C8pN z((IK_K!tcp1q6ENrFRhyVrMAN)GO4|>m#UcE6V)j7DOSX*SmmMh$-bZmQ`n-l?YH-tpmL<4%s80Oou=N zBwCP(7BPsT1eqw9i}CDP~c6ySx)Jl)JuN3&F-wwZ<5-4jeV#qey3RM+<0~6p#UoJfGhG& zfw30>!x*$D^)!b)a;A4DtVx`9Li~hPHkI!S#H z^>xEc?C^%}PJaXQB`Q%eF~PT)mM9Uu4cKVi9?3hJW*-4UmpUMKJC&4v?d_AKQB8bPrnJbm!BXF|fWQQo``YI+288QawarElNg-wWp~Tl4 z5s2uu))+baZY<0|^R=#PP1QEBaGyf4LjUk)-nI?RUPoo#X3`IVO?gjrzQSP8NhaS( z5-MFaepvoLjd?S)NkvtM<)29vZ!uIq@(3t+4FK{}PJ;u^!*>}gTqas&Z}iW7vOnJS zFMy=3Hydpnpjtj?RF}vuTww~$xI=qKdVKJ+E~%_Cv$WZ=nb>ybB(rD3CTyiR1(Xa% z`oqTn8ovrr@Ye$@iApbZUM4{%nTlT}%~h=&cZk3P@XCue*qwD!9rPMMWRqZBCDaP> z;Tq1)p+jQ*1S(9X+MLD&2h36{>amgZfn8xgmQ8(7Hy+sDoPpt#Or?E^Co=l9K}1 zG?wxAQewAM9$7j5Z~*iLDb%M{mv`5^ay+yYi>J2|09&2u>r1bFhqxJE=ns31xbmz? 
z-i0#<*wx3oSk;(oE0|$+B%u~6x%+v+GOyp2KNWLr*-LB3pHI&MWbW%K36Jq<>lEVX zTF&aJQc8Et;t0$S*b_I#2Q^#LC1B!ew1x7|v+QoWyM08;`w~zB1<5>TbF;6n=+`Cx zbHik*vN++x{%w*OO|QS%By64d8H2s~QeqyL9}o3CwRbhh^0NU0w|<-yoPc>+a8XwYXc)^V1f_ZH(+11Nt#`!yhZ18qpS<8>7YVmOOT4icWxtRhYucxo*Sd#x^&_e4*i0J1OBapGck$Gs=c z`X_bHH{j(8`Bi$@$B_bc5zSXPUTTfAuAkx28a{MQZdV-|D{&P{56!ofoA5}gA5Zd) z|IhQi@od;Qq?!Lccz-z6nG-p%pmO(&TxKtTIGm6c#+l>@%1_>PqpmoRyxb^iAa#i} z!$xny$P0T_66Iq-d`#IcAcf={Z8587h^=>_pqH<$ZGcL?_JgQS9?B#eObyP$0w&wI zXU!5^fC7?Icn-><0=H!~H?giqTRn@*O$Cj9hl1_{c`4s_+YkU3I}>H&U5zP8 zS3Nz*0^rQo$swq02swnG4P5%Vj$U>EOi%lLjs9U7$cBw4){;dLKcInis1gCZTBubGLk={pL-v7~uVO!(S_2ja+~sEg-XTx%?rh3;2$Bu6#`N2~ftNhh#55JBY2)Z<;5ez5*`Tb(Uph zeCkX@Dk%N$j``8f3nlsI1Eb;zdZaYy9)Gy@DL##Y3dZR`u34W6g95yVZ(yGMkE?gV zEc}!yW5DhUHxtuE6CYQep{T*-9%!m`-ozK)Ku=x~c{rB2Kq|y^nDeRLMi(UaSzq}1 z0A@6p2@WTg&ZV621Nu_^3Z;pPppqM7wp6@2#u2?G*<`rPE_QLr$P7_#9(AAFW5HK??nJwi45%`~5`z8H!54%4M$=J4T@* zw#e@tjnwfJ9gQr90)W5ARN|6{KJej;&?+*Z+Zf$w)r-%-eWG^iDXqC-`q}M5w z>^`gX2eWz>aihqmfH47}A9$~1m9{Dq7l+YM8zqxFP~FLymTo#d4aO zQr`6VDT8~HC{`(~k+`)AXWze$pJLU7EP-)7_ie|IB|#Yh?G(a+zYW4Rip9M@Qs6%H z4xbO3^!)zsyxQvmZ853U&89uz5G`~5{Fe;k={Eyw8ya>^Up0Pz+*|N|+}zkw6{&X( zAfU2*X@jtd@&Bb^VTzo^ynxLM)NNH$iEV&BTz$GlpR(^x4Z!^yp5@JE5_t}Kxj{CR z4)9<$qc35$A1jYY=|b2v?bJ@$`VyI$W7goTEQdQ;S8yBXkL#?Aa)BxjwuHrz@C**4 zFOR=Q$MF74B^@o92mS`CN1LC#Oq)wR2MzA#Ft0hULjh+G`GN&;hjko=XJ(13kGKaO z)JjLC@i66JMs5u|_az=_0Mg!BbY?yAk87yun|0FX1Jl#8RnBNRgd+ZJqG>TBlCS`D zG}rnk@A}18(z)S?2JA@R;(ua({{IY`No*4A)JW8ay~R~O_(M!gH3m)H--hNG!TUT$>)sB`Taeo%=9bq@1i0zjqG>qhL% z7PEmeA%MPDa0UMm7R{SDfN_#fgV+7i2VO55IERT{#xCs6tV)9u_#JS$;%$DwTE{qL z(1Zanby$V<2x<%c!HqVi&Zb0M%QdI991_R)^;ka36$ecx(p*FLvsM8*e4m*JaOSL} z$j#U?G12-cpa4DS?!zT1b&5h-0?Fx&Pp4|g(|J!0Nae{hq4iw@_ovadc*NSJk~u;Y zDmb6s=NVTPw)lD30S`UUb-FC~$dCPaj$ofQ_4`dql*z5QBD-&+>&=OKx8%FR>X=5% zlYDbU(2?(D$`)ER@}~_3EbJlsHCZ8cPdiOlGmt z01fIpfSNB*UzIlK#dHp`2px#n`4Qz#204$}XGhE!cu=;7pqE+4y@mLYK%^x{Th`RO zCVcu$pC22rTz$lNBw%asIg7JU3dkZBDkbPCqt%@#rjW@qi-$u?6+ 
z81rV61=<;NU>N#r#2b*E9geb`>w+k8NIbr4?$rA4z=`c)={5r3oGAv9+PIeUq67FHkzCTkox#eqp#6dO^I;uj)qB zF9ibMY|kc)0b!*riw<1Rd$k{u@EPpaIODP`=r!9DADDglhVJ{2G@B!l(ww>W+Anh! z$I$eDQb&5P4Scee26T?(yi9Y_blq0!f4w!bJMnc}Nt{fw>72=WY=J!F7C9bM+=%r3 zw?Mo-fgc5&d~>f?OZ_&T^QeIVT;Leg9fe`2>QVe5@f*VKnY)QZM}K5&0ppLv8w~~@ z(=#2ZeCSIQ;6luOMf{-shHm&SMlMuMX9E{zf*0+KXix~Q&oY!d3ExZHDm+|Wpx*=& zNUzMQ*FH=EkWW=dkv9Nt?nnzZ`YnZ0sm-Uv9Sn^RoLa0jOF>N|v}P`!y$JRIHuSiN zZ2kZr&1TdZyfBSdM420Tq28W_cMn`1W*JaH%1tf*47m*?*>JSk7>1xYS+c~Tk^&KH z@aX{*pbqO2xUbRPSlxZckb(QCs-U~XBGL+!a5^Ht$Kd{BqK2o>$>j{r3Af{o*E6t&#b@DKwO0^-}(-U$155FU=dE?H9be zMK2ROrwB8=v3e)mok+lt!$0K0UyxI0ufCE(^@pbY?p|kw098R3P`%o+3PLQO0iIjR z4;CwvQ|bvuzClG)oh+ zcWwFNI-lpb`zz?Oq%!8>m95^c_N7MXE^HjtLt0vH`v-=ofdVC~JlYUHcUU9^^rjuO zgYMz(03&t!Wa6F~pz+^U_@UWG7fNuHTcM#z$P)6_4Crl5`~idxumkRz8*2l1Amr+zf=A& zQOpS>B4QBIp1~lgl=2nBKEQ+3*YDxGpN$$nR>O6Ec2V2NsY%kp`5x43#Ptto={QoJ zj;^mAnOTbsC$AX~jWu} z-12FKN(tP|o<@vE{S=E!igU+aonntNvA@1~x%qTAU7v5A&bb+#?#^Kr!)XM>-FAQB zZ7LM|`dmaF9Zc8S8>N?(e)%$A@wOkh$@p;LJ!sykpBuP?V0Z)ym!7Z4D=I1qQ1t=s z0BT2puvZ2x*i1S*OSf(YcL{O~pV6nX?_#-w@W)En5qE%M2roKDL$%RL3IK<4X~P$R zWTOzl4YD)_=qdRRln7OI3Kqbf9qlqfo}K84eUBqrX0MOV0hIxm1NW!9T@3Af=luy ziXU)!NQKidPQiYbDkmmfII?DRYG`x=Y2h_|D(7ruDQh3prkE?7Hi!Z)SuM|A^Z?#s zA|`-TsP>QHhsHCnM@yKlI+sy#x{DsZZr*D(oo5LA{{Eha^4}N}W;Lb!&;X83dd}ug zUq`lM-pF}sk4*kl+wv|es+{l=v54Aoz59GESKN=jX)krm^x!*R`o0EW;w^7_duW1ai7{z^@rv2M^$uHjCZ!wjn!EFL=lxXz5)4K|8!=u7;4?5}l@iExos(l$6gHAI&G0iZZ=WUtV5H`|*OIC-ne_oH^a=3<6qIreopIL>>ZhU1KInr9meU1f_Zr0c6)0B8 zApGH@v?RcP6xaVkP?~=XIJV{Lgkag!>#W**GqWz8$J*)o1v676M@Dau7IrhqQB-T$ z6VZY2uMb#K2T{(=`bNT_yv=KPI2!+lXBJ>6FFKhq>aOSjCJfV5@Q9VAaYDs?U@EhE z$V83X2Mm=l=zPhM@@w{7+gHi7drm0@32+;Dfn@yZr7rI9YQs0Q`Odn$GFz$C z(84hNd=x%GcqHx7S=RA!Yt}c2Mawu}2c_Bvh}qE(v+;r9iM?#oRq-l$Any9;-K;ul z0lBV^Gw*0N7{oAMm{r5vIbQSp?TCllIE3?d)8DBdV#>jb?AzUyvxdsWN8gHy?k+5v zet({6jR|*9_?^TUMzwUA(~}AuKX?~sU-P_U;p;JyY_qrw$8cW}#~lQ5!gV+NRao$z z4#pgv_50j_#jhL<^mrtx4_0P4tB*sm-IYYMXmmL}C)phqInY}<|J}&$-KJqq1VQBR 
zYxSyn%-frga+S2-I>A4S&mK7T20+V*2+AIn3y5tA{ZXp0?F>2j_~>gELBY7`fxdW7 zk73{liZGOv*U7Is$K_P}W-*t|@spidfj*ii#-A|Xfj=iZGahWMM~N+$c)mG20ytP~Z0xd#Ga9SuJ%GfLp{ z-$C5r|66njFjNvW;BNQ_p($QEFlD0;447G+2?54p!(qe|m;#FNU?VfLRQPGR1KFe< zbhzvF*;OJ0EtZ6ei|GmWu7B5)n6n1|dOuzN2^Y`iC!&EIc46(niU*ug-kMeGFT2-d zr}u_>rUbdSaxh{NKd0cgh}6FK55G?7w&Dd}D-v_-NpZ{}5Ko8)|D={2t&VuyMFVLk z_Hkr^pSXH9#!~vj5WEO41{d|?KXVH=`TBMRsR#kEy#WWz?};gZUu=>>otx=vAJTp- zu0ba9)AQ>is&Ly!RGvUlG6-6dH{ZMqZVu$o%@FR;s=CM3EdA9ie$ZeDT1G;zLuuBa z);ymUp)Kq#(ZqN!L{$6Khyj^-SMR!_^yK=z#7=>^g#JneR(}FB{Cki~!r*w~xsH4H zHhH=OjE{U__NMWW0xY|o4U=hK%bO|f~uWjp)W zXVv?|VF55nCFG|RZ3PD*%!Et&*d^eU%3he z^~IKQL>3DEOnSGvz&bYtAO5jPhl$X;$h&@9kohsD#RikYqNv4^Kb49(!$`muqP?4M z(zLu{FL7rkCQKOq+t$sSHAmR;?^%NoTf02V`|`>=7Hz&b=DM}bGj>10C;o6z_nE3c zYkUh&Pp|(d+x!*tIDE91_Tfk-v#0u%sn`%spTGbAp- ze(3*0)_aA+`FCNXdWbRz5_K{{5WPh=VI-vJ(S_)O=q=iaU=THWCt8Xgy?3Jb-g^k6 zGferO{NHaM?7fdUa9y7DTWj5I>5maj`PsVGsw9fv5~1t%vwie9(of2j24YNwK{RN$ zEQbF1Q}p?D7o{lMIq3Zh%ef1BsZ+$mS4dWgJU#Sa*0Ja$34ik)>x=O0=lj7ZLRx4_ zJgdj*S$&$BeB#zr_SM49nI_5=!);3S%2t3m{5lPT(4yv5Ca2bfULmyRq=5aC(2PS7 zxFn__eF}kBn}~&-Yyn)Ml{OBdo(Sl`Pqs*b1q!Mpz&-`~VQK zcN{Qu2f;p*(MhF%_`%z;t=xi*&IiOKBrTWAzVF_>bA7Co%nleetMhDCBaIx{e?3d8 zKl{~AA%CIFwA%h-GQPn3k*ywUl-ZN})DkvZw*{_!+>+>J1I<>=MoV8}$nA`4JDo

p{P6Bey^U5`-hk=URRsHhG?Cd`6IMX#S7h~ua8L9$ApOU4LMqQa{a`a% z@JOTz%}g zD%YMp!f#7|18VaX86@(~(Y^}zbm||?9;>&@)SngZD;dsxR=o=#zwB``aM42Cqenj? z|7dQ=`^cF^{CU09z2sQq>@}KEJhlK^`I2qFm_HJ=QV)`CUd$~tj*_`9z=BNS*bclb zi#ZIc#acd~g+r&+&i`t$C8Z*m&n zZ0J0yw&iT2?3-YZm6er*F`O`9XLs_u_JIwu<;L-zzqHpMheOnF^?)E#%|g|5YdH%4 za7hx!fuxvYYVF$ox0}aBP|Tkj*iCFKwWlEJ<_0GzsNo&@x^gkxMJ36XVmtTFB>bBw zggsGEdEZ6aR6x-KLLd-vq>y90Luv@D!T?ulX-k`mVArW+;no~Xa1{PQOw$;q#;)t= z3aX@rm{TR#?$}H1ByRQoh0yutpH=H=jr!Rdj@12;n;a+C=XQLCyh?4RC8ax$$PPJJ z4iAL=^5Ggj%nUx@R4-y%Ht=hSApfJKVDz~jHR=!&wha(Q!?1qENhqa#ha%>@@(Jev zfLz!7eq5!|-OoSD%ospeS#Bc99e)j?>|YnRjRo^NaP${g)Iyoj2{0fw@Z0ZvT>*$ij=9vbra{ic|o1@E@+MX}@E7^sZSi`fb1bb*<&h^eXL z<71&^D{E_$=Wyy(N6SqLuCM4u&IURj$zc6@TCeW@_XFqaeU*ryy&%|dpU6*nlepVn zq})LR0adlBkFUJjKF0yd_2hKX5@&A97(!&rWgegVBg1{>+Ks5Q%5gW!rp2O#HR(*) zQKh#BsX{|$z0L3)vtQ4Gj~_Q`(V3Guy8QF{nlzYcg^BA9qa*i%Vecvml$JcF@sEIy zl1RlKZ#AxQKbQJ6&~kyNEZQUahqkjaCGgoT>3Oc3GF~=Or5>!*U*1-mknZJD&E& zY~)#JK^IPkN=Gi(Krv-y0i~F;@VGaC|9)j=U>}OAf$@t(`_ijl8AX z*$|y#JztUw_&#DE3S0l@AyuWOorLGhA@m<8M|ZUb>6!YAZ0=~aNU;;^HJ_3CYlj=|2X9>5gCtIpJpsu}N$)lw7+f~}U)Hkw*+T-)w z&BqTC(wI}jFJ7J-XYPB@NnR@cu)@m-eD?8|W%}zdx!+P^&0ZbFCjC;A%*CXBq{ZAW zx@BDk{6*r!@6SN5XDxsyNPWoqjn|?}Z~pUmW2|kh#yFb_>B)$)bx;d zMk$@HlCwhQDt`P`{56Ze#WU86%me$0XHb?e_dfji=;i(qwnA)jVzg@ybd^xaD#wJmi1g zS`}tF(ZcsxH3Kl}+FQn)|I0Bk?vg_!xN&o}Hd$wTdib_<4w|mN)18lxH?@1!G|qb6 zc{R%iZhS%&Y_!Ewtcnau?!BsNxqj5-Il5{Fgl=u2 z5y~8AyHh)NTkArU!#*y1%q)>J2vkg$`3F!Dv2Nu0w2CF|gQb|n{kq~M7FW?<5l+c+ zzUNOd*FCsnE*XUs!&=ApSzz}&_s%YmE}UNNS7ZW!&b#EB(}f1U@Ij*?jDvc8lp0G*)sJJQ7Mi*Nk> z{f|K$wi?f$hu6pZQq{NRR@={<2y!E+SUWm3^PU|G2A6aCk5sTqxo+-AtSm-2rq-7< zHKBVye7we^lJhZ^0&snH5y16|a?RZsgMZVm+k*x>18h=U$gT@uWw z1SyTCAp0|=s{1b-v+U%9Yhb6hQW)5mf^5eC9-U|>b{j^TV6^)^0|p3%zG-cf9Cthe z6c+uOYpxlB$)ClfsPhVd>tn;)5W`SArK(rw;A{Ep)p4tVEA_4f9_>9D67^%?M!1aU zDr9>5E^o7I0JyR6v8SB>wHS4Raui{vV9#AqQO3&O|DY*tbvg03ZFpydKat-vWxN`Y zprBA#iQ!`wX*d=QaxPUWK6jyi@0CzR#b?60QJMu?CSmz8A@!P>$_x|@!U?QcK@FFh z&?%K-KzQU| 
zyEI%6H#zrvwx-~L*A(6yJxO*%FjLSvNn>;6PKdmkLI7S&>=PMzIv`SJRCf}V^9UUNZ?f;iA;65GabkM1pWdCQ*ami`vlfmSs zWv|;v>#iB<#CcaE*yWX!1VMW<3PFXyUC*?Zp5Amnh;a{U?JdS_#*a)(E7`AetgwiW z7&W#qQgoB2?aNB^4|IwY!w?VlSa4WmG!U&d!k>2{wBmZ6Ry%n8o2R}NHRLpyH%~xg zKyvxJW@JwWx~U@6kmW$W=(ghow`s9kZG)UgwO*j0p0b7hH!^QphL5QqzRIxk)cNio z&=bizqI?K-?ker0=B%4M-#P-)bi04gR?Tm~_rBYdWH0Ej=^g(R%6bXL6=Z-NjvV}4 zT&y~?oeqFlglcxl$tReXO#x}L0SOUN1FNSSq5%;ydyT$mt?XL$%+gI1FCYi9D|QBN z#>`6vkNz-4uipjoG%b3gr!l~V1MqGwc;w@BCIzA`YEW)&ZmxDEK*rMqj-f0lpp(4W z&5K!IE2&+cuR3;EX<1rWxcO6*{o$zn7D}Si$g!R{VOQDrV-Ok7>F9Aq4D&X`PJwQl zP4{Yr@tJ@6tu%iqGy_p+{Rq*<_I$DJOjOz-Izd)|wy6>9i>`Zrp zpo6Wy*0aiH^=)pEm#5wwHpaj!TGm3D+fwB*XA?O&_l5F@-!vS}ApCDG{73ew-F4yZ z>5>(PMY4vub1662`#H^wptsj&fA}wBez`EoE&7xy@wGu_{{{BlVVSR$>-{U`-cra+ zwA%jDg0(ckqorcQm(8Q1{B?%B#QVN*E5U`~?8ZJlMtXy7hZpYVrt)osK08O9VV{U? zOWn{5LDwdS6U~m2uT4CcZ`NWjF`02zK!AdQxPo#LV}r4+1st;3J zECg+x22ql$x1+So)mqO~R92b4-^E2r*8$q|JFCPkaiMV>b9=KK!95YX_#$x zs5zXgu_3Bx%AM)FYc2VIgTQ2!?&M6-C+c`2s$q?8K~tRlJiT*Mc@9RaJHQvHtg1V< zHyTIUDBAu#GQG#kr->K5@kfg2j~k=GQyF;-t%42uYxm2Ulyl_GPHXuo?(k;kWXitv zYH#%h?9hyCf$zyI%vVVTtml8ouWqUSjlN*Y8^7vgN%TN-ZHT1QJ^6%)Bwaj~8Xp&W ze72n`G$tX*FC%=>V=*>VCezwbNMtX9*fpCYRl;Hr1{F0rUG zWB34ypY4=+-cIl#!+;2}SAuj6!0vA-(*RynX$1D>f79+c zpgq_E-vTryVoP&Wzp z0QxH3u^}AJV^HhJ3Z7{3_x+3NUBN9^wNo&PbbY|Zj32FaZmh2dRNdXx-(q1Znwk92 zcLs`@z(RmUa^Wxd_UWIFVaWZjLc_`FePMtc#3MXoRJ;Qih6~6;2IAn~?9aZ~&_3$V zn8>(Qv#omI_$j%sw(pbkdJJ+Axw*;IOpAcRqNyptX$R-yL=6Ym<38RhIgeZDX+;s1rkp49y{R_autuDc z;KnD<(4I^e-asTzd~`tNWNl;;$pswO07i^|V<3tw)MOmaHQa!2(Sx(#_e6WRddKHl zJTW-T!irP?KcDQdPXIPXLzj26q`-!5x)doyTPlyWyc>gyQ)avI#6hqf;?8ZW(!HiP zXn4aZFP7)}?9izMw{3(xxynY5h=#dUCxEf z4KP(JtLll#4!dm+3dhvnWHlOTCLO*}Wqzfi(pOpV5`#vsg0BJYu>YPy!F@D~ei+b@KA0=~jDipH4;%L^*6JNpu=}2>6fz4_H0+2l1Fz z9xB#^*>Bf3AnXWp1Wq}Ym#@ywl=gVEG3wNU3cb8n;mW2fN%RrpoOz4QJMa=<(5Rzz zI()WC?T89kFaYdD>{-J8U zsOJ4r#4&S^(4&B>qczT#N!O7@>)y%0kTfOnWIF{N`gkwF zVucRK<8uDHkFFE?D&vw{1jMJ9DH7k2)wkHnp|{8@@?jf!!NWTY-N2c1)G&T*66bX+ 
zP>&o4?Dc}0AJ_m2?;f;GhZ?=E+0Ck2R~a#(;7847Ihn&PHN=bCBZh4-q3hkMzAV^+ zYqNCd(bXHkR;@zwb++S^UB=q@mmkUC5@4B@=d|u`+ejt=LRbnxljz8Zli}61;o1ol zWLStTOIBB~t<&bUP4OZziMP58KHHw(xmnWj%)kdBE+j%R@X^vGBft`fH@NrzUk;yW zM?;|ccriK(+(sinVfnJ#vcXoxwwn);Si*_}W7t>?-a(HQVgeZlZdG!`VVfxB5jTG%GU>5R5rT?X7anQ6tm$Ap4* z{U^>P;_$-~f7+v~M{sx4Wru1TLs@RuPWP5OHJ|HU9l8U_p*CA|Q*5~MHTB)l>Y99# zJwgH(%+H0Yis@`|n~&Gy+X`g9lv&xKy{0SY7Fpm%7d&{LpoqnmKt1*}&!m{1w`iZM zaDJ`Wuw3ZvB>A%2_O;X83D3Oglpa)!?{KJg8E8o3F9l&1S&i>eLuV34I zXG|E8pug5523Ot5w@Nm8Y3~BFLLqu)B&Kl$xK;5_O6t27RQ~U6qFdALyTFG!N(O)b zeQ{tLfWqD&cjUZQ{3QbNp46ld#LZwg4gcb%4r-w%eGdRu@1Jl%cq%>3@PSnUfM`gP z#I>xzd+yK+4fW&HRzB=xrUYYXOmfQPeIilRNqREJt{wXEaiqn7lc3D=_Ku%a_OJuw zt8;z$Z5q|TgU(@h|6AAZg+A23qJCUc+9xvN@A+bDFhE$lvAa!5DU5XAk&DNa%JLi6 zF#x+M>-Qx)zyN5AdQ7a6vU@nt=9^82J2^NF|5PKJ=tWW<7FI=5m1v{(M>-s8BAxzE z1^fRA$jKE0-kc!>a2kS`#)|LkHMtZ*(p;^Ca%c4G$2lNCK?pHmriz8YD=D`Cg)8+K zH6UAJvon>RrFnal3rq|I4pln-fCYaedLAwy*+CP&yiHGaIQ}EaZ8vCLY|s+fd}*?L zr_Nty;qQ@h1z8YC=NAJ zvH?H&&2?;&?RWAUXM>c%`}u7gdHO`*Y4NwlhPOr@-8Da3OQ>Iv5|L7qcGo1)C(|0z zDh7@cpQ12QDbE*YN=08tTt>EOn^$_t(-;qREEh`EqKqti_YjL4|fvmLR;B zgZJprhkmqC6jxLx;@GzMvqWNE&K&Mu0;<$gyJXqBA#Mu&gT3Oi+Ectnl8_F2rM~(? 
zvAdrv=Wc!0%8A#_$a5d=<(*)}Pusdjcb)gtAv4fJ;}|8j*e@0l|X!&`5PRZeAHz8Zp~u%)RYo&j|6FlJn^CoSeu?*>?l$|5~!*$;v)v(huo%ia63q z8*dqe$N<+!V4)O@tlOB(X&buj*!2kk>y?>rY{-at+CS-udy$L$6Q|#u=g;OC@M|Ah zl!@nP90~MQGoFlGq>VIs{#{;C42bMLby^X(U(UY}8!8i@YQRkBICBe0PRD}xoSVpD z=yd{*8T&+V2AA-sp|gV)a5ee}xkeEqf6+yJqdbtE4j)(Bk(zY9sh5La!PF;PH@sSZ z4MTkf^@%aJRfVdcyfrq99huKM| zwcDsQG;k`?;JwjlE5QilIN-I?YAh$tCL2yD$k}$`UD?t*<<0lT zna3=5zeLwzR{o;a0(2JD!Fj!r1A=@r*Ib;c#0c3P(-Z7FBsLjUjgHufRYF+y#g1L< zRyRy6wYqFmn;#l)^_uGHGR%^pIsJA436;1t)knQa#Yb#OPf6@UetstB;^J~lU$)t* zy>m#YXhSPc_u~lBwSJg`0>!mt>^xye{%mT%rio~1-gCdp zrA{-Fd_|LNVI}oM>9fAMV=w_t1unJ?F`gVf+^0_ez;>M%y+73*7;+D6cw;;rExw&2 zXXVoSla@dYfzhbIEyXi)?R18yv?)>moU2zzvGK60j%jqlmT}_KQ!s6L>>~jQwPUcM zOzD&IFkAi%#9L*KFr^Jr7N7Tu!tIJ1LxExX_J=r}d_!H`kp;!qtd>E4tvu;?Xyw!f#Ml7X+$e>wt<8C)eeF%3N5pUzd()EpxO$>$u$ zH+bxmoN}Zz0=zh!;0M0tPn(gf>o;KtaKJr3R<&W#`Lo|BWasty{`nA|k;)h+a-5i3 zoUixWLscKqsp;|6>K>MHf%Q)^YoNP13z_ta zzMlO9n4_VG$=*AE=HU!^5T_Wd`g;EKyn!S`X2CY6BY|Pcx=VNZwS+>0*l&@(v^OrR z)W7@BHT`laF1a7B=2PN1xek6kjtk{L4yzN;5}rA3x4q>PC3%ErvUL--Qwt-7jEQ;+5Erj0w zD7*|i*&cLeW2UTYDOp7ph7^(CYFiI^5&s3b*WU6CBXzFDuBK zb#A`vcpCmp+q@MX49^Bj|BaD-#~6Zb*UZ_bqtn&jfg_vWXY7PBJ1w?gnCY-*ZlnHi z^n<&OIEP-~!8jHFh>LxWkLWQi#~A0@>-kVJidd$21e8hLZtz?kb;(?~%^D)G^#`?7r>RWuh&PG<-C7r~}*+X8}boIe7D;!?PUxWTceB{K>KXRc7*_sh>Hup zrAiQtAwE~!emYFkaDvrq5ucR@ivO_ z(5_90KDB}=RSoPn0Rt^HjVvM~mnXT#+j5@0VvV=vBdA%9bH^c5B*;gkb$LV_bB^15 z%JNOt{=9lPThzi%{({GlYB=@?ti`QFL_S8KDm5BTB$Ci*?ob*8iu#SHTm0dYFIa2M z0wlMADh^`J6_m=UKM(MrbE`K#lF{SeVYduB+Zx2-E{}hfwQR%9y|d1@IM%phZ#T~} z{q9e75JD8Hx@~}au9W*ZnRK>x$1Lv7ls}Ju*ev4mmCfM!ix;%Gan%^Pixl12${lKL z^I|X6G%-}7o{8|o)=<(g;3svuq!(-A1Y!+9)W5lfMLo6cZGHKfH(sn)T2Ybh-;iYg z&}Z_lH5Yn5_UoG*gQPHZ~?AU`jF+ zVWdGp!N?ODkHg`AbOS`v$5WV&4CDO z%dG%ag|<&}a~E}UH>NJDqcnZ}WcuU>wfL)3K?1Y+)OaTTnEL4*K~ZLW*%VqxxW`b? 
z8PkJ6J-6k+PH{tg?^)~lSO%`!Bl*3$ldr{zkA}r#F^O$$(Nzm_4MrmWnieGQ6R{{_ zkfHhEQp&sUB3~maCfTiq13Wap8%_*%7K=|5`G$RTz4P{-@Sb7bb7-7+bQsy4Eb+~i zt6}Q^xB+gyXZr+v!9iyhamPU3ustv_Ix+#JujZDL?M#AWP+g zZR#EMmx6VF9ySHdy_q?|K0_F>TcJm$J+WI~Z*NhEY|8e? zuZ=Pwgn)>&a~aTKZw(~dSX=(ytFB9AwB!AepjBc9^gC`(c8jrQ z47gl;8Ul8$D;OIACxPUq+O_MZVsN*8Y!8^-MQRl|TyO42YVSmVShoS;%M;~rFWaj) zJU?W7?`$`BMRx@n0uwlg-DijJDi1W}hIfGpUWg?~!XAANvxRkmU9EwDSOh~HtL9z@ z4G|STFsD2kLnD$T?|kT+Nj=*l@H7zn@D*O#5$v@j(QqJmkt3Jre2+kBQzG;V7LYHf z%$$a!##ams>*2n3weN$IUb_lyyYVbqS0Uo_=RtazZz_R@e8;D zv5J1vQRE1SL;F7XU+$kD?5rFD7?a~HOPMY{n?>)JSjEeI{@?z=`?M#WUwSoCT{54s zk`UsNw8$G0k2;njrzy9nt0r%MY!epSTstfsnQruQdMf2YoO$93*-2fK`Smo?9aYMC_U2fJAETk6wq~+!Fw7KR9Zxtq; zBIir`_Ln>t4!-{hF~qK}rZ8OJ3Q<$*G@QUbJ_of{!*oj%FZBj+{Yu0Q51dstvn9M} zlKG5ketiEi`{#HgOGoD5&M-+}Y}sk%WzD@48_T4sQ7jFCUSp||1phw=DV*qE<5V}w zhNt4bp6cmN|3(u3D<ie(PX}oM2?{6Sn@dSAc+*%efoD-)Zqi+QD$U{<^pU$YS|GY?5PrYyP`Se zJoV`PuhjT=nBpo^61Th=Q+sILlsJOwGTg2sY((rHMQ!{rrzp#9sj1-pRVtKM+CVVP zXj~Y1SnzbRn1wfCOT{Ys3dTG4p)ZkRTi?`?_-w0(o7T-<#atk}9U_FVwJ?@{n>)49 z7i3#K8+aNUK^s@c@_n!ZH5&X)*|l~ zeNJZPs(ov9Pl10v`G{)=H0kBl#NGq5vNO zf0{chlfjCZV*|?i!g4*$GITOwxWMV&#V&KGw6C_L`W*{_J-Zb_LV(cMElulvC4OA6u9a!i zDAH#5e#~8DBJI+!EjM%f#=PejmMWy3*!L zR;Wdli#2F)pii$moNX=(L4W^)8ZF$WFsgBw*@2?910Pd~nsvCzw4mfU`Js;<9+Xg~ zH>|Wh`%%a$)7tv>#t4PhZ-X@5Nt~%Z!P=q1r7U~1V2K%avqy20 zzkvg;6mFWs|EL_HG~ixoZS;6eXA6E$Y|cT%@?zTeVNHYV`rNN1K_6v-AvQRd)Jw;T z>T1*haDFMFbLSqxZ7=St8dE8Kz1KH{&k}Sx%A&jq6YllQ8Xdmc-gMWerjZvD%SzY^ zeWEL1!gpJ86Bvq{Y|**7`GPyJDhO#mJ|{s4w-x^LL45EFhIQBPx0S@$-?Ss1DVkDU zY4jXBsWE2d1XazK=_T`d4Y8Ad)nptnu9QFHenla<^!7s!Qyxe!?lhMCDAxh{Ec_mr zDZXeGW)Ut$#1NN5xmBixg4qK>76wXbr=$81F^Q};NRHBd5KRban(GD`xPhbg1cA9h zp|V7*ZYOg;lX;kzodn=Xe0LVh14GyM_Ux`|MXe)waW}UqD4KRdGbLTjH)NO*T@A#JflGs6o<3g~%mF^XSl*1gmv!wr?Ip#lFBF)vY&XR2N^5Jb8Tnm)5iy6+ z9EH$*X+XZil_KX`gT8o=oV7b<`SCsmy(y(6AZRI*?_ytgK{?6dBgTA>64tT)@NwZc z80y6but2`Jg98!mgK^Jtv>u0>%6qtLep|CSZ+f5|$+yUl!WF9G{9CU@#T$$lRAykd zx9Pm*P6*p34xMg3P@N}Kx{CZmTPn(Pd*(&Y#l9KZIlJ3bJnZa3GYzf5(gVx9F3G5( 
zr?-*zSnxO0mYy%zA5GRYbNX65mLGdu*3yZH+5~rj{ZA4-umBrcqg^!o&H3PbDL|fS zaZ;lzWySgi;#njGVLXYsC!Pk+=E~pPH6VW4P4BhhCTL0?877H4T)HW1ZINk=9Zqj0 zy%)YvWsq5>WvrO(f7nfa5u*!{D0>YoqLDydRm3HH$&>7Es59I#tqpk4YFf@5pL8_V zyPLT?EQ5T+@HTu1jS8Xnzd75%GD6p+U^g+>2p1gMW<9^K`14-v@^TljpM01nURdeh zQNBebo{%_G^RGg=TBM&^QSqpW#`?f+e9s$tM{z3mSby$HkQ&nK1ms`lU3nuhaEE$K z_-`p-?Ou~LpTuESR(zKHC0HUGJexyrpk+C)wtn*rxBQaZscFFgyYBqiey9J>F3R>B<_?P3xsh_eQ3koFJVSCx{Jr@M{IO(h}^`5+R~2T_bqA(Y>g z(%2o4qLts24?BhcSuna71QA?i74{?)kA~ic=Ti}6!YBs?4h?o|DjML5s%8?emL|Jm==AL{;7_)udGp1Htfv2FcF#vY zf!0lX01=zjH=w*^<>VmtB+Th(v|nChGwG@@8oB>ju%)g}_oNs2GLsc@wApEe851rL%31`%}kZ4SA2f*MySp zBXXC{zGZjDN{njv-9N?*B=K*g6%-WsnSH*?togG&I(n8cSFNOLU22n44lxgAp&f)Y zE*%h4q2Q(jlL{a8ukAhu4VB-DoF#SMxczAHYu)Nub&iO6S!=}Tx83M()43-%a6MNm zIYK-{fGTDs4Xx}&U#)FpE-28PkN;##hjEIcCg&XN|C{Mh?f~`YKkL??1bxdNrKcdhHq$kOn75 zQ66N=Pvq63)uE@dxD*hj`l^d1KMu}Se_V~ea?7D+;3c65q`kWIQ#W*bfyLa4UY^gp zwSz-{egnvllAv6AV?xdztnl`Wc+iXI^y;Gf(6)Bz))^LXzynDiJ|%nH*hcOm_MND8 zZ7i;S$7Iv)!vEIh-6ZCDFk5OLM%1yxEfo7)RdAIsGgKNtl1lsnB%z?*>_=tqw=h#D z_R$(0Zeb@YKKmuM51xp?a2AAg!j7%`vqe(4lG+Puc1rlWTnqw!)_UBN{x@xOnU5Jo zY?T3(;*9xxpLgc^qPFt?X^gFk{r$k8v4PuouNMTHj~OIU;b`y7tG|7ZI8@!&Xd>v0 z&|C=+m=2A--+#hvZf?%b&Mt0|xZ*nax9C1h^j7d73#lcyaW9zNudnmtbX)K}#604J^F zW`g8Q2Uu%*H2HyxR7V70m`{*`J^!3R3?yW>EB^lc>}_UEpVZSW5SgDX$MeB%R-M0v z0a$cCvX6rAK1Fy)3allsG7L%-X6rt!$NQpcI_r^iQP@DcXIR%(IkjZ|2_j6T%8u_S zcQG-NqMo7H(obas%#_@k)|N}a4#H<(`nd|*?+f~7nHd-cd{=aX^l!8Ci^C8Z@XVH) zfacu!tY%;DyS`M_)aj3p>4YZk%?RHeV?%#Fge*tjH@Q`>!Y!RPWIc<{$t*1Fce*Xt zH_76rQf}5{ZN$|(WnKx9)KZCt5;(JJ@5*?3#@cSA#Xzx=2H3N|bBfx4)| zuXB0`d`IBfDe=Oy+*SQhtZ)mmaN|t>K0dAV#IuX3JfU5uvQ?tJk4%Q6kdqB_-WU62 z#Wr}h(`AJ?qf~H;m5j&s8~X#H%okX*xc`djWLv;;OYDJ{=ue^Vg@>|oE3ZUUi%QVT z^-SU7?+)c-6YU?Jy?&FQ{@1B*rEKL%TGxk8RnF~4{@B&nx&`1E`MYbUmUBmKUsT%k zj$ZfSD?9|nLH6UNPp3$z_hc;m$HFTt2EM7!t@VDfDoQvIu&CWTaayj-JZ(jvbS3@c zUE;kWR!oiGa2c0l{0bzN+{uTcF`eMz)5d749S&_j^CZutcN0tXm|o0-v;pMy<4?$$ zPSB;=2wzQ0YwDc!AsC_Xi4sG|5q=5+%U6mYI1Qb4rlK%pgSr0$TksHFH>_=t(&?MH 
zULvnOHK2$ny}vBP*aV*D-8nkG^jexS4mfIdtUuS?L@w6&>tW#IOw4HDLRY}DTse#bz&RJ%xR z+E`jgci3IQnVXX{->x3O|&qf4!oLh`~pgr)Qui#d9LJKFj9) z*@}(gwD&UgR4hzVt{h%ZU0i;>;TKA=PKDK2Z520#q{XNIvZiW28-JNU^$28@CN>=$uIu#4whA3lhaw%Sqi3K^}W93m0D*y$ERAR zMGVP~&nxLhOG@`EVeOi;5gsSmF+|6ZjUMRF5iot`;%RAC@XNOXGwWNN(t^}euofNE zZ#R{9iO=m5r?F8;$L-6{#N_^zC&TUVEPO7z9aZB>{Zt*56`8#|H>oX zOY5A431~2GIMLvTZCQYPq2uchBgfp|ADY4buLeNwn_gaMwvZV4VLHvB6Rxb`;n7Wh#1 z3sNw}EcE84hZ*T|W9o}x9fn%=2|e1Ka!0b7--~`u3f7FRm4P=l9MRr@4w<+nh8nRB9crXbKb2^b{qNm zshLqze3b$f{!}B(_V~_KtVWUrgJuhm*{c}~X$KoV-^}fpvS8#kf2D$tn2xft{HCu@ z{YJ!@be3=dvFv&}1Vmqe1LCRf3AHsawL!A(odXJS6Co~qX7m0jKmkor+*f{ib-dw! zeRh0#S^MFyGT6VX>>0A@G+LL`G$R0W&3MF|!xOBS`nP-_HrUhSFtR@saI(DL_$kDJ zTq$dPqism5@{&T(43>?*sE|!et{+rpWgtaJGQmO$JXw$XOXLvCey5brT>Sj}3=iRo zC20j>WZSV+)mja4*Zn3~7keb0Tc4wP2p+=D(g|&yS9$@M4-vvbg$kxjY7d2kp7rsi zq_XK*#J)0R#}j?|T)7XFL2GMub8abkUC#$69QcP>D3i6bNZZSsRjdfvXR$Q6=y>EO zqL&j7#_c>ruzwhDE8kkxDE{&H^^o?-=Sk^nG}-exb=hMMoQnKeUTYE*B7D@ zoH(sQ+ll`0=+~Trn2{ly8b4&`U}qfw@ZuqTrAQT&gD=ZV?n(pM@%1)8bbiI4DP~cb zN^BCVv%mbh5A!mK@dSQ>5-9lYw(S<$gsv29nZH>s(K0P_y@|=!B{iulPAEgi(@d`mikMe+ zYgo0EBfcHD)5K$coVxe*2l?*8OQ_=^w&olq%$o%}Bk0b8@k61ZXePdJb<(Y zzbRt`ibDf>Y-B4A3t+8MBQ5?n4s6V{v>o(pzJG=L7V(+FqoYGFK?5|qatLa#%Z3Ft z?<0rhCMjMS=C(u<*7Ln7a%E$;1M&1)hvA;mgN2HhFR_5*BWQ}_OE3Do46gk;%OeYR zpQ3#n@e;p+gOd~3ewxpxjsEJBoE22iuL8T6{9BYBp@Ec97Hp!3oQH(>S=?Ky)U#D; zZux)a5~a_tmY0|7>+31mY46<8D=|Ee0cd4$@kD#qPUoZbr@C3NPf?YwFHBQkEk^DB zRF}snt^5WwLJluWtVVz-um@O!Hfqn@<~Xdj{$tcSi7?hBB_(0XclDJlMRs@|>$RTr!&kgF-n^9p z&iX1qgq@tORvp*+!@Z9~^v+P(=mFgEK{hGSPTdoIKH7#tFoJ7{xe5yCX<;Cr={1wi8hIA!KE&=TA!yc1~@r^ z<&^QG#cx14I=z66Fzod57dWTtbW||p>6YP*Z`e#y>6^yQt;|gb8lT|mIkM$du{`?6-;wZD~ zP0`3QkDK%X=&_DffQgF>{mw`qU&B_CQT?9A^xV4SvwWIf6^pAIlL*j*=ZXbu&8wcV5hSaG z4MYuTw?SrtbSzGQQ0lKIh#Wy>>M`liuqSNnJGn2(sJeT5dDT)Lx?bZ~y?vvcm}pP$ zMoL3ZPfXOIb~htCx$&^!&TQxq;m0`i1`<9K{guqCLx%pgQwA)?$lJ$<>11bf^Qd&r zJelgWlJGBn59kS9N%^TxCaO;@a$z=A%z>=JaY;J;09d4%6&~Bs-J<~4cvsMT(rn8` 
z@DZ_IFjSHt(k$re$qc08saVz<11~8{0OHJx->oPiHBzD7n6kmGWCl>Rr^y*PAtDl| zqeKMWJ3tJifFZ=YFjK9KUeu75-hqJ$oit2se2T;0UhVB@;k?x#90ZBnx zI;BAcq;ml2ZX7@f>6DNL>5>o-7-~=yX{0%u&-eE~Z_c~J8(qt_bh-Dl@8`a+`w9hv z?j0~-k1bjE(3HN4aRPUnEcukf=%0QdeP*xsD$`GFp-OA2OxV!Tk@`02&7FK@W_ID* z<9okh$~XLm&FSmA5je7xV3#K&%+y6oO{oR1@4f_pj;rnsM11wmpTIa=_I;T)ibFzX zQV*{x%I+$g@3SoXJbtdNI$Re8qt{?JwJ?nHhbK3ho7XqaCN_>j@Uk;d&RWq3lwBA%W;jUcClN4#9m4w@r6cP<1Dv@H)ot*Gbn-B?5l7We24+o< zg8ofRv6J0aauFJWGnAmD9^W_o!wLymSd{c5H^;KWvw+oC3GG%7j{+D!ng*6hn>2JJ z(Mh2`hO9FT2c6kFj+zRFPl(4H=V&jTE<}@Ar+Wdq#5;j#*^nToRsQ?eXM3oC>FfaS zm^GY~G<_#Cz8Kp8q6>T_$FI>t@Wvsr{@WvE0GDm5G$(|vn;aFh0`FA`sZ zk3ptX^J2N)_6eU4hBErz;Q+Y~n&)ir@%i7?fVLt_z>I?s7qz?F(VqA`M62KQJX$@C z>;7UZiBoySQC*Vck)OG_c@y(Gz+>sir0sZ|K=+}*XeDaf_Qi{N%hQj4S37hHcKT%@eiHL1KNSP7S zhh1GoL$nKJDqgdl&AYWW2S(VLzv4zt|2;ouh?5IW)w20$9B=2e?;xD2H(~YXHIwK$ zdNGOrkkv}H2Xao~&KyoK*zz53I`viljc|8<`zBMwi#%`IpU>V4;f!NlsqWl!loRcI z;xq}Z7tg#BE>Luz-J{R1N)h9bhQX9l2b}`ik5h^}^Ryn=(#Z_MhDOuC1RBvnA2aD%@QZ>9u_~uRfbX2^7to zex58?U#nA}@2xA^FE&*)<^Sg=XS9h0Jc|khzmj+pa zFE0K_{_wQD4@<-)AyX-dby2oUIsuxqCs*fr8K{DDlRDUX@b9~@>%^`Q0)nyKYyP&4 zA^K)c-|k-@^#p71V@)JZT7O;6Ts?77)De|`ZsGFto)G1mC-Kf=qNa=BpGwjF@C*`Q z^b{G9!%CaFcUOI<3R-o+@$r|6m!~ce8^o)zc_Ygmxj;K5U5X+MR{_Uk;b-S69$V`| zT@5~qAnu;=!SG@Yh`V7y=5wM0*14Q+t0RsBW>H3q68U?Pkn0^>DR!^_=riU$K6p?6 zU)P;&t<&KBZRt%pa~>#)EUH{F831*nM56F6rZrhXs(wU3OUyc#pvFoTCc6DTZY%U#g#rzN6|e|W(l~|7E>C>!RxHkMUAV1B z6Cu;y2K_u$gVRkf-fDo$2nY!yTnnOc#Iri}keZ%qaWOG<(VCT?KFv7e+~9;YNj2Y< z{^%DM7ncZNO7)T$tN!g0@a@~TB*uthRrX2~Bc*=bwcKduFhXTZWw$Am1#K34%g6j* zo%DrJ%KdHWSFenOSu!h>EV0sATPPzPUNSf9uGk;cS_!;t=HWH44YS6w5>=JesQ3|f zyp;+dpP}fTmRk3%oFN7s=zi1bzn7?rzdYQZ!%hd~74n~2?G|~&c`^^gaM!D1g{=32 z683g#G({vcR$>-;MU z9&)@M@?BB(pPkSC?hUQUpwoTf7hGUr?xiYm!o|63=a9Ry3|w8k%CR$oqr8geDu};X zz)a0(vU{Lt1)hnmIVdbJTQiRyUkU5wGUS)1}LY-m2 z#j!iP-l|+yVa{@-GaFL|I>3ZCq7=fiWPktgY*B{?%DU zU<42?0YW7&f*-*{L4zV8Y8RkE-r;GaF)_1EOw2+*z!$OG84izGAOt2-%c}b7Y>@Li zQ6wumDZX6{g!KYM>aSK6gbif$AffM~?!lcgcnoxdzcqDZv{8$a+!HNL-RvE~yI17F 
zwg9Zi0l$Ryg{alDm4zKQ1v+s=K#lpvAz@_rfoiI;1lvB`&>>1{GyUf#ZRgg& zF0C}#^`@2o=?dz}*n&NeO+mXGZS`O=)!si|=8C?SolPah=IJE;5AHkmw1DU5oxoFl z@kd)fCyV)h(@M2}D(9iu5_(S^lEK4aMd?|M7lc23RPMK8+0h;D{-Id>+{UN~?P+vk zdiO1w9E6Xn_n~GC{{;7XC^$|!jYA53g>ZgQ3UI#r-61h(A^KX9-XL#0PAM%|GcyPY zwDOZ6wOH|1KwBHd*A#-~RbFrY2)=!raVcbbH>x4M|Loyi(fZA26h5G7Xbc$EPISsJ zJ6SQ?&^QpjC-AJJCTVC0T9QL!Vid)m?tq-{prvf!hEfMFTs)vsC8*S<}+h9>d9u4c)uQ^FSPzQiIn-T$*Yr*(I+<%)k}k z6ao@!d5mG*T%Za)Kiip&RV=*(C4_#?*Ue;$;bugFTYReoqN*CO7P3rPf zAWASzrcKqEtTC=YH9+Ag&ly4-2DO7V24&u=Yj2Se=A2r%nTqVVqW1nupploBK75x>XRe_Dg za|R`&k_8KU+*^$*1r_B6;sHiu>PsW872}x)A|V00mJP44pBC;f`ydJSnS+^PrP&W^ z$3sj`j11;iXz2gjMjB#??XXL+muyATOF_?-Me%3}sK6;mKviL0hZbiHkT<|-aEf%b zpJP#k1bW%i>G~|iOVHw*e}&T__M6?}^N!H-q92=i;vP=%i!6ZKs6~Vg9tR!S#0^3^ z?h<^uV}nmlSG6}*UzM+445%!QlYv@&wu4H$1dGDaNI8UPIFk|9ec{8>IhWA)!~zVx zSKd55k$BuTLDErxSMdY+3qLR>eTO1QI%e#PsQi70@3`}Z`0k{nY0W3Z(T}AQ#ZJr7 z8;Arm*_AhpK71g*SP0h+k3KYN03#;m5K%wC{Ooi`&4y&uI~5S=3}sN~?&`{hL2076 zSYwjU0rwQ6Ybx*aKmHriFxLz|5(b&}M&mQhW5p2Q56X+G6%{jhVEg#UjopU-V>-d( zL{$v6n;l!T+g)Zgm+LBCt|ZPpr+QVX2dXmsxSeOR9_#qeXeIkt=%iKW4xra6oFe<7 z1^I*%^F~hhhbxkD|NAaH?vD4CqaWix@TazHimORFfDQ4HVuEuO&)0DXItfszGP4OO z=_B#+sYvtTeI`Kg&LP~P0*D4shCz;B#c2{%PIJ}Dy?(Q6=1-V!i&WhH6{E@mO`Q3j z4ZT4a*Y?i*k;94s_}@5R1I+T_KnvaAy$0PQz%B~-H;W3%<;45#oSk)#!gLa^2XFg`EP#fpDgWB9KkF}w9jQ*Y! 
zyA%Mo*J2D$6J&$%W1QMNnHuV1fbcX*TOV~x_bQ+zCsSxLH5;N-LnRZ@8risN>Dlj) zO*K6UPLLLxkCQe4EcNWX++I{;JegaZ`I;8h+(b22kt##+^6ccB_LJ)({_)SDlCwFv zCsK!r=BU#hzz*lQ&O+AG@|@Z$i^tBgb61}e^u zq@IL+If?MHSz*ub#sH;@CfHUmIs5eO{}^je2!>sXtWn8rBd7jjP8If0T4(X1=}Vt- zG98-o`J{R(lOelL8BHSHQ zYHV|{kYqs2bQbwLz;Y5V55#jZeFMSQgpk$g%2gNi(8d{EK-p!=ase5_Ic?zpm^1=P zn7;&&m(Q6sUZ`B??k(?%_TKSm)(%=Z8M;mswvO|0*$LPKHzh1IYL=Fn%v0}U(Nh#X z`N=aC9T#mN<}Bhl3;-d0g5&PNPSCb+)zU+_6K&ep8^~-HeO_zaFce9&BdWlDKQof- zHHbYniq7!1?w`omOWXc>K2(;zc`Eo>jcC%5FFAdz_0IQC=Q;5uQ-1tr@TmZ zZW?j02eC6u7NtYF!b(T3a5R5YORYj4Z6}}G_cnO%|8@MP9fm`=tQ#ucL5O5XZfRdW zF$K9yua0cC>#M&0K8@+;Uoo$=D2Rug&sTtBR-<H8M)9en{1XXp8&I&=LzIhA*g}JP*VhM_gi&a0nsAdl01RmG{Y3q$!M~Gtq%B zW)&<=(izOF6Ly@fbb{P$$5Seks43BiO^XlVG|Zz`Y^;h|f9wTwa3zaefxM9Uom~md zQF5eiOA(=KA z`2?^crAcoMh0=c^`v}4_7v*uN{L+m>Qc$CiMQd3hu(If|31%Vx{@PXNsOFzH0P2H& zuDk}nxEK$+wab3zcFHrKK<>NML=?ii7DIA_;d6vj_Vp5tPbt) zM-`e}yCx-me=d6GkEUn_3z5nHcg1|g@BEWr z@oABB`4hdk-KtmLqp_~XC&7|ghLW^ET0|AmBvr;9=h-(1usQkP31c2kqkP>EVs|%| z*WFNQNcPY!c+GfpFpl|@BM=)pAy?#b_+^?oHnv#1-+{f=`Ii92n-Q)ev8)Zi+{LFygpY*+Yyy$lovkS(_nGzg)xXEFJ81G97%FlY}$T;2iJvaTEi+V{q( z3!HmGOJLIGN0vn|c)HWWK$nRTIPCb@M!87|=s*rq$QurTP>on)S7^yj+Huk7>{TeE zJ^iXT1wd*wi5ty-iW14HvM*`uvalZdvERA9EP0pqBxc4*guxWT!s-8Z0T#jU!+(IlTRElod!vo;E`B9!Vg?LTq`b(h z5?`C&D>svW*h7^T09fa7ZGL&^V^p}Q`C{*WTt25i3BDqID_@#)=?}JRvw-~M%eou=M zyqU?GFwiWDLW>!mMja?leq~QOEYh~2*N8yFs9w1|8Wp=g&qzbm05zhnycL+WlK36NpZb8vrW^e4Wpi}LLO2?hVJ>mtaIhJD+g_z))m*Y2o@ zc9Z5;IF!-ivR?~wPH;EuYJiZCt{sey2jy6zJa`nl5m_1YqYo9=<1VgJCYJc2$=bv~ zf;HcmS$41XB5tq$VdkTS46^VUSy(9eA8%_H$lxFLH36<7dGLs98%Mmf)my+=M7g2~ z__6R^*WyCi&N=;sncn!$hG@MRDyb8<9f~Kk;4f%0(s`k;MJ@Mhx!FYz;j$=5bU!dS zc=ppP&)c1$rllJoIZnqk=4|{~Y6N6UF>kbyZdVUNe<6aI1jcRj!HabIH24*c)^Fzc zgkRw*rN&_VyJ`L?MGDRfXeSy20W~naVjl=`ym%Shqrm%$nFikzZ;T%oO@$PLA@1~5 z%&}*D?mij;>A(*E9TW+g&^y~1U>(@O1CBK&AuC`|y@vcO4JD7-2baLCNJwE=nrcVP z7=~i`daRk*PiHTnzb!QsPiJChJ7xNteImvt97_@n3IzcpJa?x$18z-O%wKKIQ&9KB zWQZvy2Zq9SYV&-D=iq18?irJ@7j++_tReQaX&vU`%zZ;Izmt-h#c-equ%ft=%wvYs 
z|7-i~LZ#>Ibxf{>;Yu@T(>4L{|H|uHzfg?hXU7edwz2j?GVn`R*&)rtW{%00?TIhdmN{40`w9o+7_oUO&nIbnt`Rchi2`kE%4H^B;Hf zbiTm?8YOhrH+N^|R$tJ*5I2M6Qi+n#&lGVU(^Yd-p)nqV(@l6MPGU0Xa|Yc0OCn+KhZ33U?{vFCf;UY)72 zCe!I_YHIT7?CtJ;<=O{48^*W>qpS{o&Xink0ks_+51run{CtSR<3}CBsJ4Tai%#NI z`2-O_?v{yA$IuZ8hsM_+tb3AW`Y;LXVyJ;yc??&x6!iNTRL4RlEJ9HQARXrHhlsF9 z%HBYykw_Y?qH6XshjS|{l?~lA+rZ&f6{fi93uxm=2=}N9I2pkA#nOQRpLhrd$UuCe z5}m(kK+VcY)*H_4-lY^9*tK45kM#b7W+r5>MM^~Dc=BbF&ljiqOc88DS)(-=qT)!}?P2%zA^eje0ZJm8_p*#W+6v%5@SC75Z@GqEC>`8u<- z*M|hV)lzIDb}9!LvY}{jUDjb}xMC#n!^GuNjJE$7uRE*QOlk`;m4^oE#nnceyS&URmS;w}o@-%C=>?$73E};R zkH6FH(2PPParGL4%ubq8?S)`M{u0lwe^>G}GOh$gg+u3pb>GMTEB8>E6XL2)8dZ0v z>bc&qZO6v`RhB1Pf_8{O&`236#D^f`CNWm7_GknY=R{FupC&hXPtn#Gl7}3)#J@bb z+b2Mx)299(r5{n;a_$tH5sCpR-qb~5wtB2j&YyA#aC3hS(|+0D|I8dCEkf)kw}^=MNGeB0M#dG< zYR7tL@MpkUq#C_2HI;1ge)FBs@lq0#{7Wh9tPnu_!nlE6z-t9`ifDvq_RC;lI6$#d z+X87(Z+iCya%&zjlRY4QUAIcK$NjC_=NUOnn0>%5I1Ji|rLc`3EB!>)2$%VOvH0xjdd0dsr^@!s8rC!*{rYIQNtJCjl&m_4^W<6!)z@S? z7S_(6TuOLZvl*16vaSb=Yh*s7GAkYwY48Thdq{MQx$~E207=+OniW({w=xh?o*~KC zx)=EQvg+m&FThTUsjg@~Waw)^1ljF8B2fI`?}^8DwopZ3khjIq;;h{8y5&G|6jP<2 zQ*r`Z?6>DoF~g3x+G0)ZeX%2}VhGzwS_bX6Yuqp5e2A!iNU6jWM^*bQ9?K4=5!7lQ zSr%nF5*Iu3t|(DABopv&Q2>-Bc%144`xQE&66$^4Nq^iTpq5_>#J_}uzJ5|5yYl&B zX?RDdRqS`v(u=`8d4gpR94u9|HC*YutdDnxdcD}_oevc^W@bYr7sF5ZslgerJEl-- zfd(xfF`?78`@ZJ7gsVP`J~Ap|F(clNFQ@j1R!od5V!z5h74?#SNmVedvr#*f(=J(m zq;zW|3^Ox-`+xJ3Wk34=#wU;9jQ=^UxRJ0xzsMw3F&Ojn$DY>>F`8UhM0#^_8W+5wDpLL#Hhj4rO4?sz|Q zD0wYZnS4_b2aHAxBBqkh)Y11}efj93sv2dz2wdDL|1!!y~LaynSKzDo5S z&yK;y-(GAe0=k5{_<}I$NIzs4uCC+eKrC=vU;l>YdT;-;Vjflk=IYxBtPs3VFyRDt z<7KjLjx7*E0ynl1$7|g=T0{t7Vh!q6*j{v_I z$JDV35yB`$1JvRdkxmvC>Ch~sfy1b16{!w_l$QosMlZ37+itW zt-&De4RO-E%N3?}AlWe}%wrC2Us)T~Qg__8eE#slUA5$GTRS>e{>HU#t-O;K`v7{H zd1==8?BgkMd_4w}%`LuIoZQQ%0lr~5c^|9fLTVdPq;#YxmBV~FF?a6lS4Fm(IK{uK z`R_d9@=IT?RIi#~rDG5`u3@9VHJcp*R7mSz-6ffFwd0)DCemU7qm;aSj#Frb_m>~v z6Jh!-{1HS)MlE91>IR6tur``8tssCaQroXMWvXw z2wD#QZOD6`&{kbsRrThdzCLsE$Xtce2oDxFQ|n; 
z`s1DrKp>3Dqp$_pryJ%B*J|%)UE1Ge9-qj{_du3_#l_BqrQY*eX3PJe*9BaQ*8w%Z z9wEU*udyWTX7#O!tY1b;14JTT!>4?_ydoCctN*OBPVjb7-hggiT9uj~MS}Z!< z2_@5NrM^J~=ick$4Fe*I=(p0U`DMRmPqAr(ZYZ25q`^{RE>@p+dmdpkdxMo`SZqjA zHo#KQL*`;PmDtYV5bo%~9o@b=U^U+vZ57M00(o)>$KyLDLqUBCY@!wzk`YovaFpzz z07FhTMR5l;G1V4}k|9Ddz55`A_yjUMA;4;<#y>ei_@uNdP{ww>0~OQ1BfCf~L|>r2 zjYugK!DUSmvQ=gKrugC+*tcn~YAr~2BI)^dn1+?gShkv&#tHLicol;{XpDIe^QZ#~ z{A;W&Tn)=!ng!Yx532T>aM{4wF)T0xTlk!~vvPmm7feF}I3**yvEih<&eG7pn;h83 zEdIt3hPY-7rZvmtKffq!lv0tL`~OtNEANN$s}!0H`9tOiuE5#tzDBXkeDp$I9b_WvM2Y}zK5c}BJN#4 ztiy);M`4rs6=+VXWtH}<chholiek!_OdziHV`GyQ8F#Wlg;B z#L#D&57c1mtb3um_-_nSp6@fVz+`0JzpGn|qq?tG4^H>qNN8&eFn$9<3F5iV{yAQy zZCpxCFHFhw)q3Y8=_(I zh@TcrnvB5i*KZjgNw}<60bS--C@>$tSPE$Lrb<%7mBO+c_Ju`%$AP7{yi_^&^~h@^ z*D>ps`64M=l(91$;?(pWoG{s&YlWB@ZBXGJ!#@VM#7Z;)FR2<#FX5r3O<5m>bh3Fe ztQ+MiS&{s|Q;a1AyO&sbYUu7Ld>@2EV@1dyqLHcm(KQ;{bKd;;?ev0u#oDBGS)AaF zh|l3W&O#{HI~T7vNaC9m{+K_vX?^kWD*%`P^az0~@*6jo4rMdd`81y@K0p*F8}7+> z4wxFBVGWRZ4u(NP%|3ERtA|P0?Ofp)M?epRG>;glTt6dTJ5Dx}^{~A$T2~?r_1$KF z&k2lMT*O58ZM0|}y2zS;u9$w}WmC3~haFwMHIvnDAUpy%j#~~Hig%~0Jvzdny4INw z{}+HW_C9nsS=+ASaY6P}%f8%V*T(@@TGQr+-?})@2c`I>zkK4=S=Mz;0NP#4M~dCs zfCeq?mhHrH?S_a%eeL0|5M+J-ek}|TWxTcC1EwOv*SWSN@_^$VclW{FbrpzK(HbK$ z%rti*vZA7bC@t{nS6TE6e0=;)!jCWkG3Uj^ztZZ zQ(B+@@VUCyP}(u}U471{=}mw`iyT)_P`EnQ%9B7G=DO5cS4)RNF~S;p8BDu_t5WJWa7EqW(savQbJ3C6va#EOT)Z0Sa zRd#?1c7(yoYTw5AJKgKC*oQ}-&aXl5jO4N!thg^hmqcGv**jzEv@I^pukHj;Q~+@AZhXtymvwiB_eBA9)IhnbP9N927c4EObVR(jF|Hd z>|};X0MHtMTa>ne(Yfg`3G~)9C^<}pO@EH*#imGO89Q0{oe^UYV+i%SdkntDV8zg7 ze^@fhs3lkZV7mEK<)kKu3?@lfzj<0r=84O^S? 
z8Iw5lPD#hXRy?HYbp>F$TyjJg`V~1%0eO!rS5+W$Qqx>eT9yCbaZb0Ig7h-*@>V#g1@T)BCWjBH#enz#*=#CFY*`-ygyo7yl=Gwx--v_&kvb{-pUN}-cce3tGrs-6 z`Hwy=5LS`QsAfnqO@fRA^s54M)|e0%PbUC~xy`SW1&CJ*A`E_0)x^P|7WtF(o|S#%v#;KPtVTWAZ|bu z7%+8Pg^QfCJc8HU}04?aesV2os?-`Zka^vF{QzYN;Y;NCMw_NXDp&@;`4qcbt+i4#_J5to<#0KSDNj2T@D@SR@H`Na)ii z4*aw^^=^fa2*{>q4G;Q0@bm4as)A>@SwWXPSKi>Pu`_ZYc#zRl;c*F=hYI#7Hyqjq z1gu0B{be=(TaTw%-lu&VWAFASr?b+>e}4D))6{S3^uuDeU0b&b^%djYB8A$F@^|Hy z_R_ilMsI(&upJ^$^N|nod54~CWz0wI`r0*3+71oApqY5&MJ&p`ge(~N!6rFK$7R*e zP#nQP?nIo7gL#NtpkUw~sg5clzGj-BrOYJzFdZFe-Y>7#ooH%5oU~um4Y@(CUXF0j zS;Z%1mNj}1C$lFfH|cZtL|l-xZ}uQ;J2Wm9QxX&FN^fn&{xnYQ5Q7L88ZSTB%imq&rlG$f+{@41#e&?-*=L1JaM218T zHja4fQ?Ul$dR0H!_`AL@mC*^7YH_c%?C*bl@ow?(9mQ9Uq(iU%PDb z{F9czgR@V(1U5?f4GU^oOL7fQa}#hNYXeK!0jy@g3Od5};LCxb9aj305eGoK4Rlg~??;*&&`2)FO8Ffk?L(Bx zxcmJ_ORbPlG0<`$2MX_jZ}117mh~QTZKZ0XjfAdb#{MP4k*n3x$VP-hH+W&NCWtZ< zL6Nu`2Pg$wkAhzYG7#q+C zS`Jo|w%Uaqm-U&kqNjz5V$NOqH=Wjzpz1r{y`-Y-F~G^$;uT#^p7yMdI^=ng5Z|GX z*6O9Ho}p{PgwWMyRXg*V(2Gk~&Mjzi_6cK7+x&|6V+{CX2Mp$8^5JO_`vQT}2SSZ1 z1VpMKhQqB_Xho8OJu@nN$rrT?wnAL;@?#0Al&#uV8FMH+!_O47G0O(=bkte-(PgM& z3kp#OvVCya{rEk#0Jw(7Zn9)T0IJ24H^*f=GgUlXlmL0(C4Gmqv>pE_44 zjoYhfFhn!S`lizldX z&V1hY)D<&3$=xn*pJisS{rCy&`YYBEII4gfpMF&~6d;`odJ?x{9FkpL0|P$t4X%4O z^lkMMUvg8-Gz2FS474d?=S~c~xcaQlI)z9m z9JlI`KKfzH=tR1Q8UOGwX2eb@S`8u@{)zOva z$MM%NwG2I<$jqf;Ig6QL4=RC-^GkVHE+4{w0DKTAEX}NvA)dm&e+1G&53s7Sa7i=+DW zsfcwJ8midipmoZO)$AQN z+Vh4w4kw9Y`k~!ap?8X*`B6G1{8K|vw+i{F{pV`{z0aH6J~?+FKVf5A>-=VJ@0C~ouqoz# zrp2aI9`cjORB{krCzbrbLSce2*-+_GobJdm7Rxcj%587Zj9hs)I_LF3be=RY9s`Z^ zQWLD-G3F8)u42~<@3P2SEZ^&{3FOR)kBR2|Yiu-q+R=f|X71H(;C41*e~-Y%!m}p! 
zRC5LCSZwDLq&toLY!b?%{`jQO{cX{&e%!_r04-z6>3Z#6XxQm5I5H~mdc=72V!E9F zoY_<(67k1AT(LPHKJnFv#LI8Ja=Uf+BUySkQ$?P&D+hts6-( zRnmEu&u-}M^z=VZg!AGu))enYd@moUQO0#%d>=u{&Foj#7xwZQ_E#unF&(2I@B3hJ z52=_EPbp?Tpqz+=#UEYXp=)qQE~efg=P&Nt$}axHRCS!DTeUz^fr z6D+y7!O`JJ8Z6CC1f1z5LffYh3fP`Ag)wq=VB(Ve9Mb_(8|I%IZGf%VCw4k-TUKJT z0Jk%`QF(cJ6P6mlcu|X5#CC{i$Otgw$o=H=b>H{9Tm>Ar;B?ugHfjo-Rb|>tz_DoV zLtHcHP$_8<5}_mMiR@`_m+7~_f&a-Swrgmly_z)Xc(XsKY_m^FAT{?jLEu5<}V`>1^8{C@M4@2*&?8wz?mA@QKC71b_CcTn2N?oZ^JBL>u$WW zU0-yz=Y#LV{0BvO?3Bgi@PA|Xz@y3dx1mi4I}`|=)fAcEFf8pq6Eip1|81c=_4S{3 zX_Oxvo7d5b1o$ZKpw4EyD3@-M7C&l!Mr_$)ehfexwwqcJJC-t?Pl&aHM@x30OL7fL zxl9I{`W^_0671UBrGUifrBm{1p-4uFQYZZX0ja@+2*B?$qro$9yYGlpVXLp6zm&tK z_xqzNYVQ$0SJ+kjJKa_`Sk$5FE42ZY<(N}iW?^Rd^x7fz7Ei=56=JTf>hdT-^n*^% z9G|ga;_^Ko4*dN~DOJ4>E=H*2g46#w)R2%7ODISfAJpBdJEE4~GaHL14v*ddJUC#o z?!Ej^>v0Cum9h?55+A2I?%5C^J=2WvwPv`C9WeE1x>)$yW**_7@R4UITM zCyBf>r7WA`)Q&SQO-ETQ+}ggJLX zC^?LEFc9!i5~YZhu8QE*`0X$9*y8FJ02D5syg*Ovy@lB&7fbtt2;0+fI2~6`71}3EWP)7!lCDgYd^{ ztES^rl zx^Uc0xQ7gE{mCGL=h4aTRBd@VT6!_pXq_-UcgFSNU%@L_4}hS^(>($dRd=pTfAnUFwbl6@oQH~G5~4!)ZSj4`D5*0&-bqj zA@zCgUD7~QlnJ%Ex;h}Mo_O87CvB%9O4JdmvXp|e`sHDX`D2%wzfKcegMZhgRhN8E z5gM*-GL&I<)%VlktDChQ86gMjoxS8e(q>MZIR4E#KvlBiP^v{CyJ{`6~)y_WYt8q$8r85p;fwKJnSXT>Ddi%V? 
z(g56w`V9z+FDpEHQ%Rk>*k%>x#zrT2P8l;cWXVE-eN`{B_sA*Z2PsemAp{y+G7|12 zE%hL9K!5==6$XAWTx-6}jNkmBtPkt=Bl_6*&y}3n1a&zIcURq02H&4p31HRNi8;NG z+r*+fqzRio)C=2-4gm~yn2dt#SJ|eW{?AWqg}A5V|7*rPIMT2@jOCNwkRPMLO-gT5 z;K$0FGRj6ik#b}}R-j9kQ$80TFZrZcVQ(O>g#771JwUJJtr(~;=Xq$!N2hdbUrzG; zZ`3T(*IoL~9Sa3S51&7`zR=HGd$U5#u-xG*w8a5H9E(|skZsgysuQP0POj55`XSg* zrm5styd5s{{s{czAO5uIQ-F_Fq6{BHzWe_`pa*MKwgp zfFt8M0<6W~H-Bm}jIPaVf2o%_8)1G|&rk33jjery1UB-z zZ^r~$=N1>u{(aA$DG^|_omWhfzccoE!AMR0b-ub60R$zX?bzl)cyE(1ou*4eE_L>N z0*||c>n}iOh%iX2LR{AmF;z*bP7Vo~mlqTSnj-G6s5np|Ps z>1co(4rY6IKOKsPPRerw0fmvFGk9|aNqa;3HpPK`JK%tN2=OBkR)}nt41*pu!qJ#9 zbSdt4mdz)aoi4wr`@q=&3f+2#s%d|=G!`3RN{-G!r;!iIPz7e*O^~#x0_+a@Za9(q z^#&dWe629`+jRMbrkkbdXFu37+3u;p+U4?8c(soe42GO0ONKwTf8_79#GRlxu<30w z&H%Lcl#xU`R|$~2krYTi@fA>nZFJ^Sn|dK~y& z1^tr2XNV7+`w~^~r`B0E0FaMDsXR(Z&i_vDQ$B4`%eXyzJlc~X6maLUHqtw2;U%et z=65Ia7`UCvf4mChkt9sgs2Cawj-SQ@e0Hqq?Mc_W#cWG>hQ28SDlOUJDf_nb&ioK2sdCE&pobmfU8{jD5dRa7BENw?yNAAays*lC$O% z@Bg9HZI_hC0sl>e)bg>?bJjf&a0FU?CDZtD_O_0(*6?pI4g8nE3Nn!H&eddIsW}6+&Gfu{{R?ovcm%v;QLo|`%3^S|0F5o z)t~Q2(+KEQP;?SauN~3&&gp(#Wx#&(;^*K3nSVh*a44{NoH;<-nI;bj!1$`tS~?zY z*%2MI7IGhyu!znSvWc(uPD4XuJkBf*B<^wlX5jZJ;+4w3#foo-{n1yTsCTQ4Q_q;5 zb$12vF$nwmf(&_{ODO>P5jC#m)(u|+zJC4sdqrK3ebOGN(9Ih-`_O1_J)3H&v6<*> zB5!I5k-r3r11RsNQy0qhEPj+z#3{6T%bL3^@+Kp5lCHBXBrg(u04K%U={<4Vc#2ib z3EVZ7)y79!nc{5NKKvN2Qw z%S<{ItSr6V?pXO1z51ezZ99Uy2f8z z^c*G{pA-5>gH^HF6nHMq$qh*;39{P4=`A=XoU~J+WWY}|ZjLaQkq&P62XEVNVpLj( zcHaifzLESK7Ukz$j{haRW>LX3c3nb>MZdt8@iN5g_W3tLcfK&Akazm8*LQwI#^vrMWxuZ{KY8bJ&-v0o)dhoZ~FH4eL3WeOIB7^QL(#$ z5xE~7#2ZMstz~LTNA#OFkopG98aUe8k1GVs2^<`%J_&pvyx7W%>AAVNW9D|Rt;d`J z1okrHMOLnQ21T^^=%=yB^pGj5G;w9~qmreYEI(nIwION(dO=|fvvj*y3``5w9!}SR z3n1d%8wf|B+B^t9t8Jr{m6rxTSWPX4+rOOc0ui3qY5YDW@!m`8?h`Kr`0>g@6gFj~ zB_}7Bt8!B+_6U`yReCx;D=aCic+RGiy;n3L#3NhFtC{o4r^dA-d{K&`wfz5g0fAfOgPBX=-RZdG^0$Mxe00QBV?gQ`e zzENkuaf5t+f8S*UuSa)sg11uV#EDT6MhXj3Q>9onYOHXE9K%iVk941I2rb49Bf6@y znKjhb+~X`|0`_LhYiMuH$Q7}Uk}FwfFA%V85HY(c_XwN=*20rJ$Z!E+rr!{9)VWE{ 
zVmyK7E2e)$f$(pWk?XGBzOeS|>`na}auS=YSue~;@wC|v+(Sev zZAZC^`#Uok97YxQ>O3}XY^PBODOied+> z2OAq=TqvhYhFV2qFg7eq$W=;YMt`;=m!1=poh}7TEDy8Te55zyuoSn4a}oIv!Egre zHBpoLjFM-B&?FMCCDA#KBoX-B5Kyk7!@w^=!7&S!!D6YdZm|FdTJI@~>yDr&d&ls~`?i@T*H!2h!$!?u=O_B? zBFYZRUtG`q%^Xh+>~zVI4^MgT>W?qxPBH_t$$f3LC7zjd1wHVlK6A`{LX{*_-A5?g z9`=J+xB))xhk%=9^G-iuZf!OgMvb10aev$>e+_Nx`e?~f z?6_k)aDN0GCBo7u!3P&5?fQ2NxeRvJbr*Of<_=Wd?$`SZW zuyBODHfaF()iDcvGv=&d!Ch)yP4=bXN`rpas3|wmJCGHd<^e1<=nY5LB}}ETB|RG~ zg+tl_d*UzB1BMTzu9llz#p0|Dk|c|vkn89nR`^Xl1}}^n-cNO{Ch_kf%8i+*7?Q6I zBF>U?*38X5tU?q1CIPbZiwVnr=MSP@u6{%#h_ou+9-0`P$pbCKIN@;<`mDc z`1jwDGKnmmz32)=$mylW#r)m8wTo`Fzx_>HPRq!3^cN&>BML!c_w~2Cvw)I{$N0PF zT2JE9(RK9gH8njwJrxy|-9K@(yvSfrd~$Vg5=k}69e5(Nq!}1P@}r+6YbMX#=di3#orCc99jM654+0kJ@+q8vU}jVG7yl^T=<8C5VyiDdRE{#a5vZjOdQI$g*e! z<>r&C-?t6J;R}||)`Bp+qF9G_fG%g)S7S1>>0adfJ?@4;d+2)fik>15u&v+p19mIO z;qs@+OiA6(t)Iz}5Wv~GQ^yyPQgmT-WT~)v&0sico9BV}12`K_4+IavaF3uwK(n79%!m5)&vr!!9p2w} z3<5Q35=Xi!ZBywel=8wi_GAI=R6tufd!MdIVUz;qMz_AIl`R@!4`J{;}Reka7E2RbBY}5|0s!TK=6V6V5=;i)$<^wR<)RZId@#Gjjob89C za4(R6fv%`C`(PiWnG>njxwi5cvm z8YA)u+3+4bEtGHxagzGxgMZ1frCe-vktBXh$m}bZn8isr!50?j^fz&bsw!x0w ze(i6}eMhvZo32KjhzdR<8+rXyHH+r-EnN@a)z*inNdNqY#hqkB*%EDzUqp1~mA`ZV zrxioAbzCJSVNLummo=cZE%8vXa;`522eavvN$>FBC9z?U68b(Gzte7hkYEkh{k2S0DOz4t zH3_gbYwUj354d{6frqe}nv}AiAkC-%tP%)RH^gn?vF;ZV%lF{6J1PKr#F0s0VwRpN zM6gA$XTKQ$2YLb%D#+N8392T-Cr+qdh7MBT_~t{CyR*bN!z=0j005J1l!DUbN> z&r%zas$+?+F7}9LKW&m`ZcnyRQT~g{+R@iJqNR%o{{>6co~*)+(!WplQ($}i7r1;j z<=s9tp7J_VhyhBE(L)77hJi~#$?sN^Y$MTT?KC_hzHH-nwPFM+rN7W^@w{Fyd;VG5 z*MIxsxi}xA4n0)cSK<7;@`0$9!BRA-kxxNE|Mxo>kE8dm{bQk37Is-@dj|vhx9wwP z63QLW>bqs1&pKZsi(lf|g!10dE6DJtXi4keeiQTqRLvKTpI!WB8Tny{6M6O~ub3on zHjDwU>P18-{e9;raGM&eWC@4MHL)ZY&LK&XTAB3jIk6jyb-gLQO@J0Y86yfQB`O8Q zStC(E$v%UQlJ;cX?FPr4X9WW<9ZetZeW8n62>6@b-x0l1%%bD9Nd9uzVN>I|JfANX zR4V?_QO#O?M0k4cq_26;)R)&;!#B12Fzi(#o9gD@!xp)9{Q6cmrOOWq6;2Mh95&G9te#Osj<}w?-h8UdN62MWX zFz1_AP<1%?O~$j&+HGY#8tqcYLVXhC^$l!$6LB5=tYktNO0%4To=tzGmunsp7^*Vc zi==Die}L1 
zrM2)>&%aAN3;@!BcgKo<)7RJ?#MU^N=@%qyI^0;AP=;-lgzHTx!Y(%$F7Rv0ZCVWlcS7`AH0Iw;B)uo-Qs#Ff_GM>Fp77V*^R_eYv<12L3p z0RDweqlMx<9nErub-p4)7_#Gq)&UF#e3{lN2oizn&LaN)WGx2uc)Dxp|GDaRYs~+i zUv-WjEpU}j4L?Amv`UhDU-7m=F3F%Czvq=%?zw%{cCptm7Ylc#-e;L!y7%12XJS zKv^=0D3K%vFn_vZu5p#l5~pMyH9qNVSVTMQ1twD|7w^f=IOap6z44znF&k9q3glp`plbfVXL#1^nI9=Lr!f zgW}#G!Y65|Mz!pw^MP*a1U|~qOWT190<8HxTU}4+FWxRSXw$mWevqLU=b5>Ej6M|h z9cmccHt$%fZNfrT3~fvmuvEM!fHF5xdAWSsygVL5oZ@F`W<}V^6RTX^!;Y|j>p-6A)^_o<9)dK52 z3`lDLth(N=_#gZ5l&uCn^%MQZ9noW~u)bLPAq`7rrOTda-h1XsE4tAFy#W#4K42;R zeiXW}sJ=B?;xJzmhYo-&0PYSSx4qJK3I_k3LrSilnjNJLblZ7BU&ptvj~3BEQk@uD z~TNJ%xv>7Ckc)YGVh`t$2w0lI#1{+eX6JK17d|Ye~6t0?p5{U+t@yM#sVsj zLD{X{q2v2y5)~|cANr+SdJ*~cjBl!$>ybO#qzF~-^~>?6>NisoxUlrr2Wv#m_qe{G zd+W($`1`akdaGF}h6ag!U`FizY*kHW&-0i;ZZS3Rzk!?VoPVpg5AyeqpT^PSNw-*w z89KT64k?<2pTeVaJD@n>ZS=X4{f_vW82*qLhE$FC>+qMMC&u%xPx`!=9!ZxF9)D1uP z={A5b(}&VtUb;$@*(yH_2V<%+zC@qsYPWtQ(?jRYo{! zFI8cLYN2G}oVd`$bJatE=wDvn(jJjE0@yUH=E=L7qGS@#DYJjQQ4={F6~_4U^*0Z~ zB_6zQsPr`y%h6-Fe6cnHrHOh;9NUua_TUi4l|>zHiO4TiBPCMP&qf4-w@T5yVXF{> zdu*35g?ZrKc^9n$I0c7G8V%7QoucuzTVhXcyBdt% z%>M<)hbj;kd8H3u|71^(RD>t!5vTc#HIZ+Vo2v)u8gJC^4`6r8ou!W7v$@bmmKu@LCG-X6hQ4q|RuvGN)TVuP+~x)7hH+c4=42rorz$tF(4N zwH?X8XD;VDFdgY!<32DuSyw)0zvbV3aHw=kIi2ilLeCcsU#&dsnO>P4pV*p{EZfi1 z-UN*+ll3o8X)+71N8K>G^qF~Re_Pt7%nk1jm^jMtuhP?g$RYQBrtSbtS) zKee2$V&4RHnnVjsrmU9?V6UHph$8gWJ)5C}dBGLU};v*6f>p?GWo3ka{Lt5JaRqsB!ZhkqFANq&F4 z@lEOx`A#rr_UtKNcy*U-sQ-7?4(dLV3Y5Gc4p87$#SDVjdmzO#5s$Oae6%9~(zqBr z&GGB+-2@^o-I!m}tAAx!&7GDKmGt^IY*!uPKkKcNH^D_zpwZ-mVvd>(uIrGEie38Y z2>S2`%dOYXS2pzYhNW-vG8(>w!K4e8k4~ZQ-u18BMI<|pZLxl(_c}J&C(DIr{!B8W zZXjkm{ptG5?E!Mdd`seBF?(&M8ZCUCx$Jae+WW0=iaE0|L#sQa*1lvP z8_x>T0oUlRsJ&VoQ8DU0&&0j2{XunXB{R)PF#XTB{NF+r#!G*;#-kNQx_fwHU>=(n zk6loSw()s9&4#7>^jhE=xP~wQP@Q{Q+#MCy)c|$!*7#k%D+l_$?~Fg*9oFvZa#2$n z#pt+R4Om2NxR-{SLNE6kN>x5y#$jcjI~4Etf9bdH59nS^@aolq?f(wII)dt z#PziwLQCk_kp_=_Z9Eo|o~L={XA0PcE%G3LWa(9;*mCu)0ZLWn9*B&Xw6RNAx(H6V z{6()b&R+lpAl?|6)ww4jf{$q{R`3~@c=Gi6aw+Jw?y;JVC}h^WMbY1Zx<12xzbIWp 
z7i9M)h)6GIxdLDH3N>x|>$5-witaOA58W(r1%&B2jM3fZBF~50WV!TKF131#Bp>-| z!o!{PhqY%_Y`!-;VH~K(_n#Pw7{fza=wwJpp*Sk};w7;_z_$eFlBgfWJYmpaMEzfS ziI?U>bxhB{IB$TfEuy8xeVQ>c-Miit!FjGKaTQ)NGH!>Wa;au{%lLzd<@f^n2|?_5 z6S*1B#E<+~B3|!U*z(qA%P%m<*%i}Kj2J9)-YH#s_^fS}I(K{{NqL4SDTzOMeqhbK z5-r)@$;+}r_3V4+Rg1H2_@+RI>|FKX_B~Mjb*kTOaGex|b-p9iFNo$NmSPu}h5jB`+gl>RF>@amuwUJA`EcSoD@{`-u9l36HX__o zCh$y+iP|I1GV7JCd3}Dk{|;R`_H~~hKMXgC-#?Yepc>$Yza5x!<#>H@b99!;TmJfD zMPtl|VaDf0UH|aWgwUk>pRgbSPRrdfJJxQ1=MtEc=~L4*3-jIrhEapJa)8{f&yIob zt@6|w*7dz5V^ot?Ba{>iPNtKPW|zJ(_zC1Lt`&53RF|wj1OglcfTPnK0knlW4 z#{En?fsv41R++Amgn+!J9%&K80wfYC)MC>8)pf1&jb5vlI*#DOW0#%XoVdrSo#VeA>oV~#38T#M={OcYvu?7|Bq+( zxdq3Mo~e|KZ)N*bt;_ID7yMgj_@t=S#`}c9*eRtOu|8$3StmE$%-o-mEyf3}a87iVL42gdCMdtW{s5-WZRlm$^OFEWe{FJ`k&FCEBJ zVM2!fe|j?BnQ2X3JSB`U5oB??IbfmP7V=aE+gZL!t|;5wrsj8@1W^Xs(!DSXY;I1* zs)g9l@xNNY0-(m($7%B%2$j-(4DmlF#Tb8fLz?OALTWynUhvm)O*MijERs4(e$it4z02@%|NN}|qx2G3g(&bNRadxE-)b4s>d;hCp*5k@YtZSF8*GxVt+D+CwTVfwxqWXu4;^T-6i94>-McXWK zWBvD$zjtb@t$fBR|EN%c2>eB~q0*NyQipy<1*y>wY>c(*v9B;O+RVo=KLav#Y0lVp z&+!Oiz+ir@F=)HKr)4RP-#9)Rmle0$oEc|E!yNqkwOe5~Dud`X`BkZ+V* zQyF3gA!S7I;t?jx|Jx`r4bZZ>tB>Nb>Cn@`Fpg+w+#3-6AehOBi%R(Dl zROrdy-^UqxytZv_{#h0O_YseN{ai6ZYI^Bvzck3h&|qfV6Ps#obI@apJ}fXim*lT; z7*R2S8uiHm(C6?i_v;${1^=UZUdmj8pRkY>m-fRAbYkRhdV@@Vw+*WFhD-DeBk%Tv z|7ksyvBmIS77{FZZwxSU`J5(B_0lso+sJQRM&cJ9xMid4p03Sf$f*q z6Eo(leRE|jVLb6AO-0R!W6GM@`R_8ce%MCW<1+H|g+jM-;7F2pLk=ZT^uuWEwtG8M zv_y|(?5or1ZO1Knjx4&g|JA-XLCD|XVJw$jl0egVIv?7Zz5Xlf5<~h%Ep!^|dpWG_ zcO?NEN>rS17)k9rV}@_mO!s8Ga38p8$9*ID#BG7OE~aexuJvA;;cYsGL*sqqLJZxD zbRYO}F+W>mRTAINjk|{2ZRH4MN~0!?_~bg#SfH`?u9Nd`E%Oc=f%a7!Y$Z7oW?r%z%nCQr*#y$P%g+G}sP+;{p*yrvE>`!bsmKNjRus?r` z43tZlggSv?c2R8i?KnC$Lj>$Gl+p9z)S z3RWW#hOiEUh@5qfktoI<+T}E4a(i&gEQz)h4uY-9FZCL73CjJC_k8dSRvJ~W8Wr^S zJlel3karRHqDh5)wcZ`+vHV^splKio4KpE2Ec?y8w{$o02PmzG=mA6jzDjDfbVfFp zU=db3S>pR|@1)U$5^QY?G^}>st29di=W|i?S`qi2SVpshrr9N0RpOF--uJvIRA2^+ zt0;7M-PHB|rM+)B@r;&JM}-7=1r%Yt9APhZ|GDb8wOa*7MA(>ifa6q7&&Vx)ghCUnPd_&LJp3)+400 
zvKl}V9lGCvMI4<^C~R*0*Q$kZ*5bh?DNgQYJ`o+`wCO? z`se=XP2@K&1K~r?AFcB?I_aC?m+vlberGl&JoK^X@?8m6cNT5qt;hx$iTUfdv=;}= z9A-f;(}1p~Q5{Xo3m$KUfpWjRQy+};x*7Vc%_NUTCt4Y0)YP>z_q5E<_#Qc*WJwYw zy)Y4>DCftoxjJVdZmQR$Uyc^P2=>eOs=lzQY5%kAqOg7bEi>i2_iL%XaPgK5F~^$r zpDwx`msZ?hidw!tn-3DMOTN^#LO9pb*z`spnQv20^!-qZYGzS$xvcTHWGB~&<>HlP ze!@r=;fOKwm51Z&nOy1;us!--UFLlRBdC8I7}N4c^l+Qp7eU#)$zRqwV)1;j8*cDM<=2 zd4XbUV!^>c&76%g=mL-eK147rV&ed^#M?zqic4JnlTNf35{Pf>_>mku4ysnLg3DJu z0_I^rU9T5q(Cd2MeyT@~&F%%w?oLUH8H22~T9%$s40X@C1=>sP)8rX=@B7!g-Ul-t zs@+S;k|fp-M|4AMEjDHsR836V{w#+S*P#Or&!RNwwQ#2=#?ruT5Gy)csckGw<1d=dFqA`%ej=EzF((dz&T@ zuMYJxXp0`B9Ub*h%KA2!@I!MdH#w9&T{>DaZjwgttCdAT>Cr=hkr*o>CVw*{Sb$_p2H;-4zZuabZ$ZDoEOExlQJ{N1OU&C_CYpvtvu~4u|hbw zZyPPU=!naWWHE1vezG>J8l)19XaGBL%I7WntZmDVe=l^JU3GnMK(GM{fHLWuk`P3GViGjr*5Tkw zT0qjx6-(qIqp&Jq&5^zqBZbq6x`YrjR`A&wesK!Uo%j}gJ-n&7oCUNQLNlyWR$7~? zeB8nuXIu|}_JtlVn|n6{8nPUIEq$T(rt!g&Kyu>4Qls->`iKZTQ7M%Kiq#Z>D)afv zg>S}GwU*OSl>q2&RjF@{5^4R0V(L)`dYg)?ulfentYct(6l<}b`Atr#wwd6b*RlBE zIIP+$;1tNu_U1cC=l#n*_Q6g@!d_e1WCN|Cik9no%Ite@XU#Z`8zqvgo1jIl-SkFEsS( zHDmaGi$@EYc%7co?D$Jf#{vWbGYu_bQVS|!E4Z_+k?D(x)PauW`)&>{J>(?+^fsv( ztHozHSD$@Y;C)^FKltOQV9KG}gbs%Tw0JGT>U2iLFR=FIuZ|~FHpmNN8dG;Hr(R8J zDUezHiS&Q(q_EYW(Lc&OD|6L2*RDKhk^l>0{bLp_+mI zeSb~p2T8=UkcX3I>K$=AMadkCMkqROlQL3psJVFc`8ve{%ZI(XH1_bzfY|9zSHs~= zG^DwtlfKRui}@ybU;4IcGq$e;^gWLzMdt0#-qQ;^eNrPfjT0AR3*RoqKw3|-{``FH zZ_%Yavu-8L)8D$myF^|u+_)A0BHbnKyif59J0{;!@enFr_PP-g^7`J*wv1MCXJkJXO1#oN?T=dGQ14TtJtzdC>Ie;WVv37t(kD={F=bX3DOi#Tg4yj;S zhw1K6IEoRTRB7ceQj=otUyn0PRvkt~mfaChLMCp=QsD{QVTF*FDz>M z>kMedl2A9_w0SC5Cq)=&?NW(X|KeJ!IrV3}#`k*?rj_4Zu~* z)PcI3u7@?dJH!kb%IKco^eowBj1+B%WpvSZTr8gFJ+ z{-{pDzQ;IfRQ_hVUNm{5Yo=!VvjN}RNE&SG^Mav%AmUH4lAy9v1A z{`b?{Hjm;@;|nB4Z)IR+f}mz&4RdST*dSgjPTDPE?D0*eu;uL$5Ddn;*=3E?=&2}y z;gvLhRm7)0y9<`db-kf_I9Q0QBeSA;dSQDCFfgK35{5ymk|J9D=<;89sjdMf>H2=r znA=JX!BH2nSK#>97oD^gjOXVq(A+V+>i0H`J7Ie44qh7>=jFe3jl`!Xg_jSgKKX}T 
zEmTC_ozC<|r>^#`c&RD~Jdp&PZ8aKZO&f4!d}eT^@Oo1K|&IhD*~G_q6}M=RujVPV4eKxb1MGbdk^$H48L%VFSW)J{pqw#fot{B(xbHJ4j>4S=HUh2NsYDrjgqg?{+?mC`TE zL)_|<)g{Gl@O^k^98(1h|X9fs46SFA@x;V66oENxr?RFONj-}cdm{?+JL?_zR)F0UDe zl*}?X?9Fu{ub>XsbPm)a?hR8HN@+EyUx3kWF{6}@s z1c}kgf^UGC*}d>?ub+sFZdrBWCUEE?-AzDhES{JDS)gc|N8E_t$!o$O8EB9J_fm2o zoz(gu_p5tkXEs)SYU)e+f?pL!sOyZVKDja4vhG~Wk7%b4kcjf;80Hia+z^%PlqCPr z^dG#>YRx4fzXWu zZQi54?ktf&I+`(4ingRG+097L>yaADeBCd>SMCqjF_S3Tml${&95o)usFA*Quj-zg;T0I8Kfa}a zRHf(OYvW+03y49bK+5N9%Jhm_tcHgc-KQj@R-dp^4ufz5!0;Y{=dc)(`qhBvG+S|^ zqXNHFw|tgw0%RENg?fTwmrA1_waXw7pe%1;3}E zhqW!{Pp>XFw%I?ah!OO9NeyHkC|yS7+bK=JU!Z{c{Ifb|)njqFDYUI%Cp)`DMg#Q+ zmbLAXr69ROrR%cT_`WR;q^-mofgx;n-S-B!?TX?2>x<9ixzpbd;+iFrT$yH%6KryK z)%DSs?VYlx3;+!ZohY^Q-5W$-UuD>>73!Nnkenzw-XbX5s%S*TQYXRhy;91j|Kny_)1?eySFA}H(hM`oroK`ooB%it;~*6;C^pUUlM=+ zfJ^W{&(f9G7c8}jRK>sJfxNnEj>2%{ND zNH>8#$JMb?I(W%krK$|MBhq1P?JZ8?ba_p&F7|_Ki3LUXL@{a~YOW&&ccv`T)+6HU zvc>DVcABEF#1((3b7CqOXn1Z8U(GH?h3M<;8`yLx68B1?)h$`?q(%vcJX5y5%Us-R z9aMLcforf*_j@868-d*WRz`fbx|bn*WEdj)#X;Ad?WuorL`5BTL&b#L=tU2!?N_=$ z_pUx2hqGI}v3G5A7l`02n8&DwQ4Wo^)1q8Dsf@RNg2$)IbKajj|AHiUcdF&Ay?$~8 zzN`x~!@G(~IhSQ5`Hh<9GSV9+#hd~u_8~yz3r+R3nsCQmucgT~l8TUz$x(oY7|oDn zk3)bG1JpsPU-^^n5YUyR1LrIOYC&JB*H^Fv`&6>T)3uz{ar?eVLa~N4GcCZ1S*VK2 zh$T?7hU!{qbJ4l|Fcj_$U;&!W<=^Em4UG%0_Y*mCS&-ZeeIg#q-MPcImY6}4MuP^c z`_EwkyB*6m=`Y?aj1|4Y(NS0mY2B?931O4(4h@F0A={8RQ1UNFFj%)4ck=Zbj=J_!Zu3+s(dUENj^2ZvxDfq^dF2w1W?)d`t zB`~aLAN{e=Sb*upKP2VAWOJwLgxPNG!;_#VLEI%q$-`Nx!mWV?`EOlpKdl>ID)NJW z@|FBb?OGfUITOO3ehXkVjO=*`48J!eoH&+lYBI;GL}P;Fj>$2>zfA9qd@s>3QNp3Z zexY+%8vK@{@3-be7;zZi{;m)UDRj439>rbj%6nTmUVN!{s92=~&P+*ne$8Py?q4DW zg#GqI-M+!6)PLad9i6mtI(1%SBZU^)dOMYiU-*v^ii({KwmTQ#0csXzC|T3i z+FtvO93838Z;?h{D?y2NIn^c26fwWUId8xH&uCmZ|9F2oAnrR55fxstt(IIr!|Zm1 zWcs=jWW2fnWlT5&Y9@)t+#B5tE>GJwa&W&4QOoH|imqG3Nd`iW*W(htociehf!py6 zDcW&#i3WYTyfk!y;}gJ)r6A1mq+1_0@Q%G;bYw~8MP(J5dXMP(eZJbwW`0-D|BP9> zyK%KYeD>h+6HdFEFRS;rckp|U$eg8M7|;k50@?&5`uBM2@l5&Nv4JQg2~~qV|fxj7c_B 
zMJS;6Rj`Q+ZlSY(2$iOE(Fp`IhT~ttc6b0$-YO4Xe+=y*3~)54Nr%^`>#_Z%dC^bN zkgtH;5YUx**7cF91OBe@9iHUPF@s-VMi-HI#6JyBmu;-riDhRlVUO5iZp6fsvwjGo zd;ABfG!(1mx%BW`5}NnS0j#Ly<>j^ea2S2;oEb>$+C@5mhtQzXO2F7^!=kaF#<8evXo&Ru_ZNkDmGpc)f+l|~W++Dvy8*>| zomT5Q*Xrr(7LZx+9xng!%~*f!)~603%55_-o7$`eOg@3@ zXqc|I$KYT&=lg?0LT$~3h=-aW<&0|A(MjsYhi3&4u*~nK1I9Do)g`$J`&WZoFvMY7 z#HrK8!e52KG^so4)iXAv9P5te6PL)JfPI_TKbTlmGtX}&j_{LD`KJ)?x^e93M>07- zA^X<2{@QUYh(=ImC0dKAmj(j;qD2Z(Km6tHl*w_1~>e3 zIOobyEx&Yn`49cNCN_LD*pP*~;B|!CUQqI9%N$wd{w*ka)10xT@YmL9xzG+YFems; z{+_1l&0ShQJmPiqoX>+Fy;s{}2PY#owN*h&OUfTqgWqxBt&s>l`O09GF=ZYt-Yhyf^ueL0Xf|(t?x4(Ix4k^EH#Uxc8i4<`ZGee@{qvMrh&CAwlYk0)x(S+J-xDJg z(s;kjK&cNnrW8rj6e?R_y8KG6Qzs36YDNmRr(yDU_sTTA3O}Ps)4iHfZPne zRrj6E2FxLz$^q!zkA$*XnhE);4%5$p6#V_lI&~sYGPd?l>&BjP4RB4%VKWNQQCA;T zGEi(VDh?3PLP2r{BKJ8*!%OGNlHGJBY2)f zPVeV^Q#qJ~UB@&9+^osE3U(GlZ_jTw>^b@rG@w^@#xfKmkiK>goVp*pfpnwmolP0e2g%|)HwMzBFWS2gmzDJSt5K*Eb)1l$`J&+CYY47|rC^I%I zAtrxKURl}A*?s6q7qD<;XJ-0%yvBZ}>@NA!^Eo-43xS`oSqEVe(WN}AuBiLlF)1nC zl?=iog`mG)r?X&ZXaY>seP{4qM^*{Y@mty1@!gvh@xwh(HSdbL0Y<0KBd&H?KV8fK zt6lb1S1;N@P;x3N+biFj(}_qLzegk_YRz|_KY!kzCSZH5zJfxbj`q3rE4~1e+t1GI z6GvPb;cG>uErnsJ6~n5~ORWtF#_^=!^z`%@*VOb3qfK7F*>bC1^wpIMc4cLSW7ZUK z74F1<<|vF2z^L{l$|TCQ_fxfr9J*=rjlP#hEnys8V(Q#?D@7DY1GN>-s&y;Dpx)tpJ>ySv0MqukUyRlh5VS&^mqXj7TH^{- z%VF=^q0w}xi$h}O>*})X;qHe?{iN%(MY+{J9?d-)1R|n-?z~cy;Mk?4Dlh&4Er=g6 z+}uBu=(qYS4|53gOKZyALOou?*PZ?Ro}th@&^kyxW)|1>)Z{)g`jamo(D*8ffvFL{ zz1bfw;Sp*+-orblES{l=r{z8I5v$G}Lzc|`pX`nh>IeT5z~On4S77R9REdpP8!NR` zTT6e~?loj%x&4$eMf^}M)q}mS(D*B{C(~YgA7Vxg+^cFP{@bT3f#Kr?XI<@&$=`1{ zav|xuT`C6i4y+l#!zH8VB2mWm z1~@~+DZK$4W;bf8OPm0+&=1Tt=v$k`kr|a+1wEJfl8-WwZ8Y2+2jmANqJR&~_Mh%x z37Oyq$3IAgNy6ctane{mD2Khydf1sCPf|3Aj`u`*ll8Jk_VRr z2%FG}<^>g_q2{}E(=G^kyjUrmYBff$|!2T#V@4A>Q(k)dwZ?vH6bNbt25#XGa=>=#V^%pkU_Ab;E-mdx zz?dJXlL`z%lmq((C-tx;(X=QDgsiSwNKiRC?%(&=9L%~KdXZ}VY3Xoc4_oiDF^~xb zpZj)2(YJ6V0Z$=)!9yhu10uANfo~}2C-5Pg7qCw^~6F=j#yHiNhL0K zI7$#o!vRl}4HF{+)dc}wRK5aoTG>ouZ0vfGXQB@7nB{JJlO|YQqxMOe?JiyyvBF!q 
zYK&aRy6vg|T#~^YCMZ@TKhW|cKyMOgQoi?kigm(mPI6)=mV1sr!{OIQ5UpDH_I@MH zO6fwgDBu~o2JDoMSs2~9+5S%Kg#Eo8&h*)y*Csdg8|XtSH2PU!k>-X325~jHqN>Ig zYon?JJ)2yKJ}&o^;$(cXZ`CQshTO!sGQs69QCy9@#)T7~uY-iS3}&2XECgIO_Zk7y zz)c&IwKD1WU+MLj>~gfZ zZyeaCCoY&}V9uYjuR}+%RrdW_q4k)(W>$<+xk8Q`-^A0)W2h6B*uKm#ZCm&vy^2arG@;1k)J zcnXMd0pI-r>@Imky|4j_Qi_iB5O&wFypm2+TAI*{oi+@x@NzC9ujw9KzHMPYkH2{M zsbTx1Ohs0}zx!4=egv57ZB>opx&6mI$IQKr7=}T?_F8+{_kOZAdBu}%tly0J>VH#! z8-$mS>C8eq$k@cz_`?Bbr6s{sOa;&sw19~~+HANx6rLxWTZ^ax51dW)zdN0!6lF+8 z!7uX$AQAO|74lvS5@bUR625gl=X;A>z|#0V6d&9fqHtgM7UEYAM3OjH+nIc)?ZSHd z!4f+%Io|DkRUKUi08?)7`Fv7hPQg3rGAlh0dYMb?;%rDd6vl_6LM1Hyy}OqHy}BRNOIt16Qw$|+c{s^h@-r0ejx=nEzFGZ zK3Ks5x>lFpwwkM@O_{8)Upu_~F5A-#eT1zU`i zLiu1L3qgs(TJ7pCsB-H47R4=K+_A3)v34WE!VY2k(S17O7U;)j$Bn`txp~i(1y2IL zT777VK@;R`BT>|O$j9eG{Bl+E`$ol>=*ekG$!@9$+zy-Cj6g-H#Ra?hn)Z(|AAG7<9ecvtURm!$uk3?M_1U;h~te>@m_CQ=1W zBYXGP*Oi_Nk z+x7mM>AH1a>Cn5YUZxpTnD_%tU=#y<-2H+131lDi_IK-egsH5q@8Sa<8MDiq zlb~5xwIRzqAG^x~6RVZ01|2+>{#NmTHPH`OX0(NZSy~D@O2erhxQOg% zs5ay7LPI=zVm;*}A0J6gtI>M)u(WCpL=g9EI9~)`Uyil4s4+_L&9;nnAsTrQfcbjS?sLeUf07t(n;fC zG~1t3ng5b#zznlX4_w2SCu$-4f!xa*&!O**NcD1$f~D2eNL*!l79?|G z6^ZCyXtmH5Z*aP)-u-x4572VG8or$kZeMvsV&*>Y=0wwAf016bV6ULBAP%GX;eLyi zcoKH|^Gy?B{NW7zHY7HM077^kq}Q71lSA4@V*&=7n3%*^c)qO(;^U6b&HY3t6+^Zv zdO@D^T(QMkO6m^2qVH_&0wQ9h%RxJH;9#lUE3N&*&w6gLwF@rc3vE9v^nCXC(LwEk z_eYcE5wGjmK377ME?1m+{bUKPLlyuEb zMq1bNJzGrMmWtAyTqpjR<;ZL6@>1);{tqAtn_uDf9Qj(Y&DfMrDoopjaXp3 z6D8xNbF}fW#{`oikyDS&bUNhwBj zUwP({{HP)hF?z;SX)GacILD_KVJ|vv76f_X4Xvc!GNb6|LR3wUg^EG=T%+@=E6vK3 z@CXm4GHJqkjB7NP??vqQct9n`E+_CH=a}NOy!eq(C$-f`pVqe^ft^#pHLumBE!;}_ zVr|e)@?-z0phv?o)!bkLjK5^ui{9i;heX!sx;_Q;v-kp!RAck(bAiY(S)ZMameEC` zS3Oysq77y@LxNoX`B!qHJ|r?<8u&Q!y6&4Tnf z&(Nnpj#-GB<8KaQp#$Z~m#-j1K7=#e)OW`d&#h6zWAkJ?F|n71+6Mze6T9JXhy z>AHU2(@$`NP2omz;oDYX7$&3NUemb8R~PWtp>(dMM*-4z+vizvt{WX%r)L=`{&$&A z#Toh}xm6WlETPtgmy1vzf&=pCd0B!vxe0k9Z`lNCQjoL;$s^_(aK!V_o7lT))x^MG 
zl1{p)7f>6+D!o~KN9KV8$o`(pZ-&b6W8{d~R|WUqt}iVuUAj!Lw>tEe%uwW2ly`ch=g6@TcgP#(_e~pZc9G?QdKZi=9p=56W)(|pl1gZxk@#idI+HH?q!gKmSLZ|0a3oGGn5U8%td9ogvW zEz?ChKFQV}vPto#_4D`N{(*$vzmohAp3^u30AoH2jE6wpj9S||1$7tx1?7rF zkbumd{FH7#QN^wOxo0!vq-kPeA}z@$xZv$(h9Y}qVcRrU8QP7=UHN6lINZ5J{AOsb z5X6fz_WXFL4lwz0?lQ0W=5?>>GydLGFU;w2;u-U(er*m6LWW)wS_YNBeL4 z>~@NApLC}a)bT0)sdKV_MgOo<^#0w{A7lk1K!w4V@e$?z7b5rd3yl$u) zw76uw^WCnALx=4j>jZGg@~@KTJeWK~r2*)Tvp4)E!!zNQrw2O>4JK|2{D(4c>OMPY zpHEGH+1d01YUMmEBNxUth90l@2}H$tZ0#qf;k5U+rV`x}Z*`$P&QZy$;T*ch(M2B} zZ3~pvGJ^Kwy9XIt1bot|X6VunuUw}S8C`EI+?3RNHf*?1Z#=z7S!Nosd`*M8E&R;w z4ur<6ykA7hb)~`YgM8gWScL=X?w#vQ=lek=c@&=6SmxjKr>%)?%D;E!xnWJe0vc<= z4VVe^#o%m(^DOyL+p8QI2e#rd&O0Yvb&k3uzkU6zmba)0Up!hgc(j=Ne8*qFLG$o= z_~Ym!|Bk~C`_bwxL&`nEpyrMvf9yStJMkE(_Um)KtPn)WnbZMc>bDiF?8_6V>|^MV zyoT4UQAzoD+m8D;nZYFn>g?i%lGWT|RR7(x)%`ne{;q-8aXAA8fh*TYLNI0TIawYH z4jD~j9#D}WP^4)Kw`KZo9AkrxwTVe1LtDbtgA3oRO!#%o11*72%xvilj~rctNf*Nc zn%8Wc!aKNg-g^8TWuaRLzb4`^i{ ztM^j9)83+Q3Gt^|fJ`zm?_lu8d}-R4y|aw80XqPq=Szz~EuhUBxfFFfXzFj=4Dt@v zM3sOV)WL|GKq1JA0y?n`nw4U?e|&%CHwN07^tV$-8lMwYGcR~A#d+HHAr}Df!+nP$Ap)vS_NM?uinypc;Jug zp~Wgm-MV+a@pW@YRxdvd?xX{O9LwI|g3>;h0gLgKF=qAEJf4G&>sfFWy8~oz>3s$UhNI(`;FN$`rF^o6uDb8l+bbEL>K?`3#$dM3XWIGQQ+@CG zh{mL;m6y!DPW|@nuUaN!x9vbc8Pai*rH|jkId?Bt(!UnH_u9k%>Q%6N&t`!JsA_bM zTR!9Epk0Fj_2lsd#ssJs(ViNQp9&=NyA7^5Vybzs}#(g@n_JMbGXc{s;@}mlJako zU)jC=(658E%uAf5*mbIvz;XuX5SPnI$ah6bT<&*L)pM+0D}P1bsnhSi0d9*Fg1{H_ zv?QvU-q)|C655HI;|g62GMGG$Mk|G>)T%?hOqYXH>POdZJ%pUQa=upvMZfUkMUmvL z@1cu3J?=@Hz17iF-8vRz0ksUjd5UNY9 zQl+!+$qxrTchJ^!C+#j8;H1g^b`!GjogF)+7NS3F7XvVdahXiEnepw9Zz^Y%v%_o| zGZNbOAA1u95bq+1Z-8~yiu9vY-$S0>^$Dg@LYOO&rg=-l=dO7Nvjme~eZbqFc!>4& zqnY_0ZH;A(lmO6{LzsV@QK*Um@-W!zYH?RK!gcT5K;QLyT*zRc`=Za;nd%2cg4YXp z^g`gQ`r>Wg$f9GNU*#pK@mz{EE~r9`26hZ zMl&7r(+kWbhn$>uxzSfwzc0P)dzam%nZB$`V9z_neoe8F8t$<+fjoHq#GzA^g5c#l zQIaWF@z^B`731<}e}vPCKGpRnxV~EWY)o`L>*3RRo?K=O+Sxgwi5B7gGEjU9HN2B2 z0dMMy1&Oz`l08cw)jYi~L5PhwlSdvS<&z#nypH8yt8647Q2IHN1a~Izeqr5Ty-fW{ 
zIeF%1s+hxMY9c!~?|KjRBYU?^&j-oZJKs8%51h1GVLh7q$K)c&@hmpjvx%yA3gTj7 z<#st`6sJ%7(z!ySH|kQum-FN1w}^)uFQ=(&^yb%|t(gioznp6dA{?)hw6F1G#3$67yi!p=quXPqojw}pR(4bs(BS0dL z0#Xf%G`FC@1A9YHuV2YW0ihXX3;5F9KRqe&6@0}67g*37-q3X(jq zVx`AnaGqOrUHZcFs`~xQWX*hj3?e7($}gvy%0sijKTZP0=OFnmGv>wF*i?D0e27pv;HTA(C;FyNE>_tdePy2lAykW`Q&rD zuk%^#>G)q&fg^8r%AV?nWiSix4O|gpX5U-v8lVLSCi`T^O`O50IipSY(HnTAndw`| z#~R}r4_uVe;@R0j-E#O9-{4?EzT9ntL^R>#E6VwJ*i;yQ?Sos-H7$)wON*qa#9dZ2 zzb`*n^*88JchuCsB_pDjNY%gLqbdhr$@t5Jc2bOfLnc1S-FR!{n;)SstK9z^i}Ba9 zfILH*7wrDaY92NI8X=VU4yqiFi_+;_ewO0y`jpkmhtQt$t+pR)4N!@tt3n10Pt#vN zA>#-vEpl?(2&4kXGKCwLp@X^Sw!*ohKx>!e#MW#w$Zt|N75s;(Ss^nnJFhwb%#Nec zW%zS-V}g*jp3-e?lDj1}+#U0YfNmzm6WOX~Fa90Uo7jpqnn+;kTg3#kgqp{}n;=qv z;ibA8EQx~1eAO$eGZfM5C=Cc8EK!XCNF7|n9X6~We)P5(0!TM_4?%}&u`&XMizw&Kt9g3Uk6y^F@7}=J;02xN*?Zd2)sF&Ej+s8HjENw=iujy7N1SL10JHqCImpN0)*vlBeFbwxt^ZB(d~pc9Z5#t&C2`pu zwntXdJIVMlq0Kv0yNIczAR#i77(k7sH_v6`8RZ!`?@bX32p@C74op$rhc^i&7StZM zeWq1es@v@nw_Fz$70o(7T1+*e>Tdy!?1Cp=zI=H&G4jPK7b>Pd!^=BPX!+cFrT3#1 z#p$Qd%!*;>xJ86M(NAh7pU<3_wu3qeNm%^FQu6!Sx`=&NG-|qT1GjlsQF88K_Du+0J$PYpX zSjxi}2~*Tot+SU??|nHPq1{+7|HX)S+~CGA>2+|w{)dv?i6oTS{yD5W(#`QL7TIM5?^(EK^bfVvI7Nd(G@BIP~ z!>|mSbcJ`!v(!^p3c~vh$)GZo2EH_*%gEIU#s)KGRg}31I0{Qb^gq0KO~4k66l!yZ z{>-xSixx-R0*m%;q2oe1CVf%*{WRKd80Iiwp}d7Gxl{n(LQekXnsg;__^QcMYqnjc zvR|aK`$c88H1+-=R>Xt_)1s&R6AH)zJ%jQ^K+lLbMhYjF?@(P}Hg42@vx`a61Q;Mh z03pD&Jvu|jAg)xk=w0j%{jRF!Z@!6dR-aCKZr0@D`3gD;e>KiV2ebERsH=D6sIh~J z)iH;fJf-<_0QWSLJ~yhV{?XbR;vam-rpfF!^7Vy7+I1dYz0^zRf(zPvlXkBGYTbWF zN<2XFCS8dS^r^`~zG@s-0(c9v{PLK*$=iVBO1bLtK7 z$a}$$+ny8NxV-;SKZTz5jxBjAVfE}*lnt+m$*&y?6VH9E>Wp4Do~^!DBm!ehnh7%V zf4OMx>qU&q^<$o{R>^K<#aMyV{OD*Em||1>utxn-+joun^MVPB;r`rYi}-s(!D zaH=}>P!~33Yq~w;L@?7R>=0%QavS>o#Okc5$R;QWFR)PWgPGIjVCE1#r!!&;lE{E8 znUeQYm=7#F#9Sz^fXbw*HSKtqT^9=;oE(_XnGh!1ya?oF1(_yNmQd!In_Eb;OKK<_ zK&6O=^g!K75HUQ5Sn_u)431|@kWHk5GN9;5hT{))=O|I&#aLmPLe^aL~w%CgaTc+C$^7h^m$ zz{(Mh{`qZN!gT*G>{^Jbd7PN(gQLX4ltvnt)j_42M@^zGOFi}V^}bhq&TvP^r}(Ru 
zBk2lcJrd4ZTfdVkou>tL_qkq;zLY2IKO`I3%$EtH9H==5GEVAWHmNUnws~(@dL36i zh5c);I4um|UJ_qpTh;2H=eTVcm!w;)GM0DuvAv9O4>d{fez$LNN;kOJ>c$Bootp@3%gkQx;B7F?N*9j! zE|y)~10c+9jC}?28-+I57Ei3NCiyEg5|SWU!N%?t3Up2VCSPSs-s2ZJz?5(S_j4SK-5 zfeLNTj``P9p?(bEJy0q573WH3t3hZ8{tS%cf?C|~`kFyFwi46E-W%DsSW_J{|jRMJQ!e0`xRC#83M`qdq~ z!Ed!U!asZvm_?Yk5Oc!MP78cKW`O+DsJ*3#?9o}=RchKvxl|x%vViDmgYL!ezBgx5 z-=JV@?{WYYTpzqok2#M9;!J!aSvKnXq<00|ySf$<2^;iEtVu*oLozv9pMMW=_bWFJ z|3&S86}lk#D!IzI61~*UUyC{czE}(Y`R4fd!`aegyaIm7JAbZzFCP+jF|YbR zjct3_{BH!;4ikXujHsY_eneP?HVCYwR}3z@=2MxMB+;KI7!Q2;vfMCZi4r1xP}|-} z@Eua*%_)r{mH~*8YLTn3fSWKFsWgkeK9J$x9z|k<(;^Y5HrP%~7zihv8qD~V<%7-e z6`Rh`rXjj;R?3Hrcrbvb?vYN(BMq!G#5-xPH-wO~sN6@SYd}KcVi0o{R;v5R><*Ak z3cfLKeF-rK{RlUQkO;H#EUf*c@FrY9OG~g0(tKvZ;{b80A4?kvY1&gQM9g<`HGxH_ zl*C*V_r)mLBIMzZorK$9L^bG^V$zSIxs<#ek0x(lep;`Z4&u`%0R>c9cp^WVn}x6X zL-85RGTE_iFrs!4M~0nlP#2mB-@*(Rd`?1V-8QHk$ko}U;WaAz+`te_pM!#zn0>#V zZ({te0pMlWVvq}S#Okh&{h${T9VKPZMF&@H2Mg_j$@aqvKBKC=rOC^i4Z#HsGjAn- zTL&g}c3viti;Rpserq{AHbw?L*weuE$vDE_O6;`!ULPyI+tCau_UMdY z)!Tf0*&CO4Y)8OM7D-XrGKcY(+LfpOJK-9TPMzY5=X}4l+Z%v*gIySQ`2?f-zM{fh*ow z*94LG6Oo7#fNh}xV0qn+ebO*G%Cx{>HuNGn&=GO$Aq7>5ioCPu3wQe z!35EvoZNpsB|gNu%92RMP&~p#L?+MoFs{W=uH9;S%;^6 zB|zk(C=#Cc=wM@_{^oc`fFwDq$o_eczta0VGN;>Q>>o%dox3G=Z;Xx+GA`BLJ6L{q zZwglU=_}^zpx>!ft8Q#NeKF5_xVc_Pm%?SYTkILNOk(*B3^|4GE3J-P#L>ny)Tne+q`l1uy(aFHa0GQc^M@q zXAnx53R(n8H~GgRF%WlRCmFL$KHKu-Kt>`@$-OP4>B9#R^l)^*qjhV3qBkK`U3)3R zH|ZIPzB3bEKEcoFR-Zdw;)^Ew{gdyfTRmfMphn(U-_JgIPD`6!&>9C=Rhwv!DfZJ- zoV_*o)dzO_=j+MtZkqceK~|uzr>0aujy#Kg-LbD0jP(IC&ovk!`K7Q>;<6S#Mdp^@ zauYePMsxC9q)19j{fy)C@`!(HJ%}Y{e(*g{A3>hx=Vy24W%o(#ViG(dA%K-4xYgO@ z=ki=ftAny-W=)WD_ipuKif6vg141&rkb^p3&uyv%rUs&8pvZ?!;9n|xzO25a@VTdU zuSn%u6#a~qsWf4>5INN?cuZYE);HzX8$TV!sqX!%Kd615x|t%wTiCmS-CR4Vea+9N ztjr%RBH5}g({$7AAaro+1qPUNIe)Ed}`eIy3^<3r0|_S zKf}bnJe)akFwapxXddGl!XzEQ`7<|ucLBPde9368gK6}WjPr>l{0MvMnlN#>6z#C( zB`;6$>18X{R2Q99!UMVTdjGpjN>6uZ=R~PpTsg<>e(9efcv72&h?OBcKG2MChu`}< zg-$%bAjUU17I|RyD#9gm+E>5a 
zzQ%2P#^-D|Re&su`MvlHdk_tL9Bcz^#5x%JzabAdy_PfLaNXVS9cpQgD%|?~JP>P& z8NdFz+ux&^^`KBYPk$2jm^3PGw&=rK%*nyM$Fx3MoS?hdYL>8chJpWG8XQ>(Ro6K| zVXx{LOm;FC-mUdK!g%uIhvA#aE;s2!OJ-l59WA!+4q?4}JZV9gJo2#m{8S~zMgk$V zm_P)|XlhGLP@fFHgkD*{1`9~Cm5kJfpGtd$Y}1L3*0f|B-QMf^Hu@Whg)s$s+!if) z@3~U8r5X~+XqdVhS6S=*P!d*(e(7CtMq_kdbN&U26F~(;T=(}``O%G~XVH4c!-^r@ z4Vp@8h2_OZw<3WN&7&rbLUIS`eKCxRZO>*Zo<=s_krrVYv7Jvh+n}V8D$$lB&Lct0 z8Hz~sGg?|tWIIjh^YN+==Tt>}@Na-F<;32N?&S{|D z&!-i^+MzH}^U#(ZWVDe?fH&Mw(Odqshjkwr{rs$FE}sR{!zDJ7{f;|=T+Krg*F!Fd z6wfn+gc7!5$2aZ;W{ugmLzi*bi8nND!|O*d4HViducSjEFX=UN)au9z#&YG3{qDu& zX;xB>x#w(QfZ{b6k$HwCJFb85#j?{;x~|uKab(2(QP1|~NVU7O_*clYsb?tf@8Y{> z-!4NB4=(Z`&&2WA%J8B#Cu{X9joC71pK{CP(OVBxX{p|q>-U_PQx!ljMEEv6 z3Zvx3%eX8?d1RnIVM)nGe1pz%7c`Y#dBx`L%~yxp$%0;&G7F32kkudn8V#eW=i4VK z$NQ_d@B^Q0A#zDqD>te@!PQohb61fSqZqRci?CQce_-6?7Y>1YmkDkNWGr6d4fv{t zTzn>_kbH!Al)ocdyVXDxXXIfcKs{UA?<>0~COvDYsYuldsy92eMXiUKiy@Gy?)o&B zl_oFH=$FIjCMn6s`26afhbq`puJWR{4K-LNpre2`;bNRC|%Bu_dxy)ywB_$>JM3g8m zkMHp1BAEdM_1qJm<OED3Ppv?k7?$jBAvlFIz6F5ZZ1x#N424l9h;#Y$muAgrm8=dHeVU1Hzl$E|%m* zgVPLuPETSX>MDfZZ8fhv0xG`Twe4(1de=FaSULytoufp%>qNSSk}ohZF?8patjA%k z$J^_fNUX#7ra1jEZLP!B*P$!l_ba_=R>w}%qL6=EBoj+WvZ-S*u{uo;mmD0G!{<-7 zTdcomF)|0!LLrmA;WwD{EstPos8&jtKDHFio$OsXr!}I$Ed!~f5=06)TZbFjxmo9p z2QfX2Y(?H0%X2;f-EZ_4=P|M_CEk_$j?!82&d2j8qG^xlabn(dZ%(aUq;lPOtkb<< zd0AqY$+S@UU1T4BIoK2S+v}lvZY@QqQT}qHTd1)TjV?7*bg7Fk>P-iG*e}LBxRdNo3V!`%y7ki`Jq|0_*=l~un--uN9Zds3e&((;Dr)Qay z`xbdiu1yktR;m6wR=%3-c(d-@+va4dx*CyUHq{~CwGihz%7D?=)vfS3_ujqUL#_`$ADOBlo)A?YGwok$!`t)$Y4=S10e<=+X4!zd_hO{eD)`_niDJ z?aRs_@5k$#nD4gp$9v0-=QWx$vqI6x0AlqFN89<|48Nh4nf?Ryxm0 zJbSyMIE-r?_P(0T@$bA1TRb+bd%eH^lhG2wF#XT^X25+u1g#ff=|Y;%8~Eml;dwU( zmEmB6pNp8oByIIv*Fwz%I2z2U&g499wXZYWxvhcf;~z36@7;2>4`^9{mOA5lszUB#){1TD8Cu*ukbSA}OQ%^=wK%aA4l~f5 z6IZ0um#Q1}iC=X-jm~#)XzA&INg@o-Z{(d%o-=%;WeL!HV@biI_KBY5)4Te--6;$~ zxp7V>+I<02JZgHScZa9kgpb=jP(yIBgGmSkdI9g5XdlOw*|AEn#%ax9MjNi>x$Yp- z!k96G<1;NVG8yH{@fOG^|5Y8mp@h2HcQD2 zj?~p) 
z-&HB1lezoC$4cu-Sr^VGUZgAX$n#gqseIm)%j1jM}=oycZIz4kfcWDNgw)U;z;t*MF>dz1+*iMg6LXbJ{ow z#hK&+p(53Yo=)|h zzW20!>@25H3XOrR^1HH6I9A}$Pf0!tK7jxdg9oTBXm zILYEB(BXQhiAefUVPUc&th6BVo~v~xW#_h+JmC?EZ!40Bici9E>H!5p`L&S8MkRt* zzhvoTvu-h0`@2FsohkZaTO&8|I!b*D@p9kV+I|c1*?!zhRdKcyVd&$w6y}d{I@RLx|%evFE^3 zYP$pvfPJ0+m5L5d(k>>AyE~25cK08hvnVYijC43t?JLIG*CiDgLgKWLYJ#7RU6|#3y2|zMy5X$mhXso;k1ji4ARe~CzWC4V%bF^Rr##EIcX4S z7WVUnWgvtda4ffm=&{^{x*x#`Ou9OOJBKa(IGPtts3xw4`Z!tuZa3qzFhZp2V=zk* z%Kke&3+joue*5?jr$icb5H#?39=MuduoB{{Wc*Q*|yuyi*AF%jf6+{}xB4Hj4Tx}7F7~s;RoA9a4^$2hvSVLP9=TRV(2P3@{r)d0c zBEJa-+eWSrO?jAmMk7~?GtBrz{N#`4N8zn7tFs7^b}5o)-`+kcHL))-R;;6Ehh_vV zK*PmARMy{XhK!=`+v>68M?BAsZC~EPKI_84z|7d;N((W15lp|57Rp)Egu`-W#jmo* z5+_NT)jZhPrhwlAX5GbGFQ$zfRNW&n;XOHC`}8~7j9UO^CuRPF&BG&CDLf{?aE(p zR<1NbuC6%{9BPY*X?OI z&pk`^WZt!P3w8~<9z>Ja>s1iVv{E}XM_ks?G2VRu12>!4!RGt~e&HyCTPK#5zjOJ# z|CwkUI#^SSpj2O|Vj#CiT8txtapuUHuGDe zEzoT4hl3=jJ|WBzGPf8T+z+)Fa}h5>2{{t#6N-)624vM3P6fz@vXH9HbusCS5$BuGMOXFO&i`m3WEuZvA)MdrN~#8&s_a32D+=d9{(~y>kgBJ> zguR0y$z{qbB?Ap0S|z3M<7~iB%i>PzaqR@V`#39ybj;g!^8|@>3g_iPevTnH2r&4P zrLP#3*j>LqU$q_;*2NTM3BQ9ZS8%f~7j3U6U4I{0sUk;Qr2PhrNH~E>`osA4?r(pO z3D|fjtW_5~VCpWuG*w5m(MZJzCfa!GPT;n-p>aLxozM_Ab$E&4oNAvC2Or^3m6l*N_EPNt}^1x$&Ved#J@(Ate~Xp|?em~m*3=hF}&G>>jwv*Q^x zTOgXQc?q8@t%#CwWvb)iGj>8p)(sdCB?`O9_swHCES~`zJUtXd?jq6w%9UMaLF^B) zNf4Hm>pE8uB}%s!s_yM#%&$cLc_+*&W(TaQC+X9$rl4xN7O2hlq`h{Rv2e@E@keyx z=C^{cYmq2?p$DNfxJOzbbj#Bzm>jW6^#c0S;sbgKH^--W!z8z4HIIuDyTTq{7|y?E zi7i3x^;Uhjx(iMJidG9uOroUe2L#@T0g<9Y-FPvN5~Ok{Czw^DWIQ`w(HM@}LAGP; zDwBXCX3&VV4FY*dk4l;RA&@DUNQ?x*URMaQjki2`WCx4BSle=3BYE1*dw$mUug{kl z+WWV`c;i+poRV%~L_NH%t07E%bniLj>yqN=qwKU$%3sC1>f*ArKl&1;fU(yY7ZJ^5%k6E= z%7U^Da`Xy2#zv}hW4tR}KuG7^$Qg-TmHRpkt6Um}843ip;Cggl-+EXY3f~4{wP8*? 
zECCTy^*uY@83R>XdF>4+f<8;00=`8)OVn^g5T;D!;fqG3ke@XN?IQaNVPH|QBHPG# zgvdaLs)sK{r&8;;64+ilg?y!<*m4|5^yuJJgY;Mi+eoByIPQD?CVkv?TBLbP>-5^QG&ta$}m z*uy?@wH;bT5*Q+8eGXG%qHG_=6ct)YzK=``7Vv2~o(CJrUOP-!E2+cUejj>jtrKb1Cf4; zMvv_v#Xp(rq6tH-Kkc_G3Cox_VuV~5U4P9lVD_SlFq=r}7N2gwTiL8RnDpGJTpTWX zg6L0FC32)_kK-?B+Kd%enxPFgm6Ez-(qvb#eobYtz@(1JzTWQgJENXm*CX-W_HF&E z=k0UEcJqI>CGeM~@XTW2g-IfWeToN3rwKIUSJ(Ap>|j7HacNJTkS#U|Ee{db&3AjK z1XLv;)8z9F-@hKnYrx6ji1&`Q6=+84i|cER>@(EceABOE=)?{n1t znnqam4Sk4zbB&4jQHBpbE5^@0kDl@Ppzi!MUhs*1-RW-txB#4uayH{t*`94yJg=ai>VW+_2M1ms!UeBA`ZEZ3h_eC_xM^r6rRdY) zSI)=a6xdEzkxqHr)Ao|5tQHYe^3YVIbc?mW0leoXDAK!5YYJ5O+IYWLP0nc<|FUDe z>-ep%E;*Y?+?A)R|9qC|oOAY3%{s0_n24d&aep8(zoEZjZ~3P~<$P?GZ9P9`FyAQb ze)C(pa?|>so3$tTK4PD=`KV$V3oDna~3 zvtnDn>Ps(t`l-CH1SorH|=p3A!YRQrvRw&eAbt)P}l?! zB$oN*bzszgYZJ^-X49)fpf$goo#K`4K7GRM=AF`AD&bgVmHJdS~^md<;g72KyU8mhE9y;H!_6IBW)}f}I``5~?~~ zIbJ>8VBPp!5oh9E*`$%a3i6GNj@rY=szes_TiKrY>na6Wxs+#LL7A8Qw7I3_y>8Oi zZzS*J8I-rRwn|;$kc3U9aOysAh|EG0@)uQ)=F@xNwwtfspzf(~dV>3nPh}`z`t9bS zQ~y$L*)E`)eef%6nLl?1m{m|n*P`cdu=PE={@oMr;<_C-7@C;yh;+^3cLf4`NwF48moU6 zK5hi)DK(Lhgwe{ahOo4hY{Ya`XsW0UDRHSIHXENFJ28eTpY2Y#ypWHwd|`e zL$`=XIR(#+cw+SCDK#egL^`zz}Gdpn;@s%s5jht9s~m)hMw zS^H8(a>QG`Vc8C0l(44r%%*SH9)8jfm^o~6C{N4VAKZU*l z#guDBq(L;3>ZeLncR#t{1BX1pOrB@JT$e_+Jt@lhp}!s!g^UQyEN);-v(u+7YZQ`|^uW=xU)=Jad8H|Kk$EMSw&m34=HTda0L!%S zD>xK;>q(2!AwsX50x&L5a4S{-K0T-G=Zmj`nTu!*5`b&2Bpl}(ZLg|z_j?BC63Rv* zBZKvOT<@yz?rA>W`jUFO21-)S?nfp!xIXU*Oi7DEw?GctxC>rOOii^y4r8kQ+CaTa zQqb)=z+RQh(zO zhHb67!$9q=(l-)OmY?6<`ez2HuUms?_|Fo{4smP6g0tp;3486*zvN%E%4WIKD1h zHhEEdc;_+Me51+kLdELwYC$%31*n-V8IU2>~G&b{&T^D8uYo2zm4;8CJTD}2qE%@T6w>97E`YhmsF z_OUD@N3G(!2f*3=dlsa7)X#zRI6>uyf>jDkQH)sKE<1{|4z_esdhxzk; zm2mw-vNO;-bmZ4t$L{Fs$Kz|X66d&Gz}r(wC@}rtP*?jH8jdVJP_eaLnQM&(TPWzn zIP%f0;DZh~)$ejDDypG;qpM?9-HG!Op^Rk*`X-L`_!VMs_=vdXdANYPjYu-px1sFA zbLxLBK@M5x?L#g3e@*K^+x+4pW| z=ZQ@2yWQ06gVc}ZV;AcHmG`a@IR^86!yqorJMJ=M1cXgQ?a49hn2p*KdtJs?E;!73 zD-1qm$_(ck5$`(MUGywJSQ~M!GO3TkEIRFL={y1Z@kC?UlNC}~*=aspMwtvP4$qhI 
zz6Yw>j|C%9^P<5S?xk2kPot9YZBTRX@L7GK&g1=+JE9cVMq9^%Ur2u_(XWi!G=9`r zysjd#4VaAjzZmN$Ydmz8W`+K%f4TMV&9bY@awWW;afFbxA(h3SVhGPZb0WIVkZ^XGbrt1CYCA!>>DmwmaG=J~0SQ+kQm+1$1 z?(%o)tt1YNgLNO=vG%PFd!Bj&gTYm%a<{K>mjbS(z2)s_H z=mlTi6&(x-JK37TP~7)U+R!Q8syho;CDPtq&>;d<1;xD7gt_l>U;G}SemJ*Iu1{@zZN;&{17YMU!W+dw9i{mI7Z1z_MfKNA3>vi(E1Sm>HShL`8W*Z+tr91rNW+562JKY0pv}tp9o&&R@OdcYn{pdzY>{u5f-pCk~W4 zRH{WIGb4dRwb}72o~ z5e5EjJF+dCx*z{-KqF(cJMcvvCTDU2xj&EHoW7A2Sfxr-Pii||d$RF`Y_EL6mF~Ax z_D}>2S^edAivA&Rcb+PquNENCb1n7$Oq3K9$y>?U4nz42B?0Se$=Sac)*sbia`34? z4+H3Bh`y@Mc0-y><~`N-3ps&0N=JtSfPzC$YTk9QUYi9$#!w(GQ zYMKVJKZe_1>R|Kxizqe*c_DZavtC}Sa@m%6K=Swm6d#RbsonDQ>XtlN%gwJ^0bSpq zEB(yloU@1LIYb_H!T2z@tsf6wq&|B(Ug7jJ?0s76D3TT!4rTqz9&F**gLenU_LXpyJOP%z1LnXEr+#h<0 z7XI2dDPwrzD{ZyHUrQbCiWT1XIdi6I=FewYYQa|{Dz%m3rI&np_=yUq`9!*&J)G`| z)Oe0ju68^*;J5Pn9REzMp4ck+ zAl~&ES}_;3FlnT_o9TObbue$Wnz{bL(??Iy>V0W4VQqK4t?J{c4T{`%7bbsBt|Z#w zbve^N9Vwm%O21h$Qgh39C(^o<>o_1W0Y^zd^EqCgv-D_f%_pYz^w>bcGHv!mcZ8A&*YCS;mS_?*fAUk}>_PZ;CKb$*7!2wv=lN&=;?G)@Bp1Jzz! zM5;3RZp+a@Hywi}Ool9(_04UiT-xGkj9zSxcDlZG#-Ot@^+i7c2DGv z!sMION%qNSY40LrGNl{Vh#-f>?R>i;Aq-o=Ya|v-TiJgld;);UcQw#7eN`^7`Pq+r zot`Qh15xg}oCNgnd)C|FiLC%P8NV}~EB6EBy{0GmYY)?KK6u4;kwj?~P_iJ&v%@DR z+ZSpspmoHFPsu$k89Q9vA~*ry2bQ7c;$eH(CxNa0=}xHP@!82{oKwJ3jGcDmhx>m| zMKCt|^$3^QMb*CpXwsy(1M>$q^!GhVKG54rh#YTbLx_=|4QNk1>IczG-2a& z>F)kp4St^Ok{V1$1{vA-Px+O2KU{()aC{Aa@*{HdSKY7oab#uQHox&z82Y7Upz*k+ z9)0+qE&0zjJ#ZbT5hwhQ=Nh7nONzhp=TPI%0#UDd@aaz#)y1>S@cwUc)5kP2SFXQb zCx4SA<=;zyG>dqmRv{|+pAf76^V@cCzWpCA0o8we5fkJU*G3-cDgFULu=X3AA=Hd* z>yIQ&eHHUo{^nh@TpfSq1q1H7eUsv2qgSiW7suzIS`-v;fWx$ZzCdWK{+lHv#eex) zxd%GqdP_=DMX@)@Ye6|eWuObvxfmd6JSO>DZ(Q>8YR#ona>hcUvSHc(jr#_~YLH>+XZm$(H*2sr~yR@S}d_KQYih%iz!N+7kcgNc{8S zI{=>guQB@j#Syd@#VG&fLSR?D3EGPO*9(E{0D;v1{G|UMKGw|nB|}@vY=`N=$iKiJ N1sP>jzO<>|{{c_PdY%9P literal 0 HcmV?d00001 diff --git a/source/bin/network-firewall-auto-solution.ts b/source/bin/network-firewall-auto-solution.ts new file mode 100755 index 0000000..68067fa --- /dev/null 
+++ b/source/bin/network-firewall-auto-solution.ts
@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+import * as cdk from '@aws-cdk/core';
+import {
+ NetworkFirewallAutomationStack,
+ NetworkFirewallAutomationStackProps
+} from '../lib/network-firewall-automation-solution-stack';
+
+const SOLUTION_VERSION = process.env['DIST_VERSION'];
+const SOLUTION_NAME = process.env['SOLUTION_NAME'];
+const SOLUTION_ID = process.env['SOLUTION_ID'] || 'SO0108';
+const SOLUTION_BUCKET = process.env['DIST_OUTPUT_BUCKET'];
+const SOLUTION_TMN = process.env['SOLUTION_TRADEMARKEDNAME'];
+const SOLUTION_PROVIDER = 'AWS Solution Development';
+
+const app = new cdk.App();
+
+let NetworkFirewallAutomationStackProperties: NetworkFirewallAutomationStackProps = {
+ solutionId: SOLUTION_ID,
+ solutionTradeMarkName: SOLUTION_TMN,
+ solutionProvider: SOLUTION_PROVIDER,
+ solutionBucket: SOLUTION_BUCKET,
+ solutionName: SOLUTION_NAME,
+ solutionVersion: SOLUTION_VERSION,
+ description: '(' + SOLUTION_ID + ') - The AWS CloudFormation template' +
+ ' for deployment of the ' + SOLUTION_NAME + ', Version: ' + SOLUTION_VERSION,
+}
+
+new NetworkFirewallAutomationStack(app, 'aws-network-firewall-deployment-automations-for-aws-transit-gateway', NetworkFirewallAutomationStackProperties);
diff --git a/source/cdk.json b/source/cdk.json
new file mode 100755
index 0000000..9a31f98
--- /dev/null
+++ b/source/cdk.json
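Review bot: `SOLUTION_BUCKET`, `SOLUTION_NAME` and `SOLUTION_VERSION` are read from `process.env` with no check, so an unset variable reaches the props as `undefined` and is concatenated into the `description` string as the literal text "undefined". The stack file in this same patch interpolates `props.solutionBucket` and `props.solutionName` into the S3 location that the CodeCommit repository and the CodeBuild project fetch their code from, and into the `s3:GetObject` resource ARNs, so a missing variable would synthesize a template that pulls code from a bucket name the project never chose. Fail at synth time instead, before `new cdk.App()`: `if (!SOLUTION_BUCKET || !SOLUTION_NAME || !SOLUTION_VERSION) throw new Error('DIST_OUTPUT_BUCKET, SOLUTION_NAME and DIST_VERSION must be set');`. The props object is never reassigned in this file, so `let` can also become `const`.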
@@ -0,0 +1,3 @@
+{
+ "app": "npx ts-node bin/network-firewall-auto-solution.ts"
+}
diff --git a/source/lib/network-firewall-automation-solution-stack.ts b/source/lib/network-firewall-automation-solution-stack.ts
new file mode 100755
index 0000000..7e5c5f3
--- /dev/null
+++ b/source/lib/network-firewall-automation-solution-stack.ts
@@ -0,0 +1,1222 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import * as cdk from '@aws-cdk/core'; +import { RemovalPolicy } from '@aws-cdk/core'; +import * as ec2 from '@aws-cdk/aws-ec2'; +import * as s3 from '@aws-cdk/aws-s3'; +import * as logs from '@aws-cdk/aws-logs'; +import * as iam from '@aws-cdk/aws-iam'; +import * as kms from '@aws-cdk/aws-kms'; +import * as codecommit from '@aws-cdk/aws-codecommit'; +import * as codepipeline from '@aws-cdk/aws-codepipeline'; +import * as codepipeline_action from '@aws-cdk/aws-codepipeline-actions'; +import { + BuildEnvironmentVariableType, + BuildSpec, + LinuxBuildImage, + PipelineProject +} from '@aws-cdk/aws-codebuild'; + + +export interface NetworkFirewallAutomationStackProps extends cdk.StackProps { + solutionId: string; + solutionTradeMarkName: string | undefined; + solutionProvider: string | undefined; + solutionBucket: string | undefined; + solutionName: string | undefined; + solutionVersion: string | undefined; +} + +export class NetworkFirewallAutomationStack extends cdk.Stack { + + constructor(scope: cdk.Construct, id: string, props: NetworkFirewallAutomationStackProps) { + super(scope, id, props); + + /** + * Parameters - Values to pass to your template at runtime + */ + + const cidrBlock = new cdk.CfnParameter(this, 'cidrBlock', { + type: 'String', + default: '192.168.1.0/26', + description: 'CIDR Block for VPC. 
Must be /26 or larger CIDR block.', + allowedPattern: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}[\/]([0-9]?[0-6]?|[1][7-9])$' + }) + + const logRetentionPeriod = new cdk.CfnParameter(this, "LogRetentionPeriod", { + type: "Number", + description: "Log retention period in days.", + allowedValues: ["1", "3", "5", "7", "14", "30", "60", "90", "120", "150", "180", "365", "400", "545", "731", "1827", "3653"], + default: 90 + }); + + const existingTransitGatewayId = new cdk.CfnParameter(this, "ExistingTransitGateway", { + description: 'Existing AWS Transit Gateway id.', + type: 'String', + default: "" + }) + + const transitGatewayRTIdForAssociation = new cdk.CfnParameter(this, "TransitGatewayRouteTableIdForAssociation", { + description: 'Existing AWS Transit Gateway route table id. Example:' + + ' Firewall Route Table. Format: tgw-rtb-0a1b2c3d', + type: 'String', + default: "" + }) + + const transitGatewayRTIdForDefaultRoute = new cdk.CfnParameter(this, "TransitGatewayRTIdForDefaultRoute", { + description: 'Existing AWS Transit Gateway route table id.' + + ' Example: Spoke VPC Route Table. Format: tgw-rtb-4e5f6g7h', + type: 'String', + default: "" + }) + + const logType = new cdk.CfnParameter(this, "logType", { + type: "String", + description: 'The type of log to send. Alert logs report traffic that' + + ' matches a StatefulRule with an action setting that sends an alert' + + ' log message. Flow logs are standard network traffic flow logs.', + allowedValues: ['ALERT', 'FLOW', 'EnableBoth'], + default: 'FLOW', + }) + + const logDestinationType = new cdk.CfnParameter(this, "logDestinationType", { + type: "String", + description: 'The type of storage destination to send these logs to.' + + ' You can send logs to an Amazon S3 bucket ' + + 'or a CloudWatch log group.', + allowedValues: ['S3', 'CloudWatchLogs', 'ConfigureManually'], + default: 'CloudWatchLogs', + }) + + /** + * Metadata - Objects that provide additional information about the + * template. 
+ */ + + this.templateOptions.metadata = { + "AWS::CloudFormation::Interface": { + ParameterGroups: [ + { + Label: { default: "VPC Configuration" }, + Parameters: [cidrBlock.logicalId] + }, + { + Label: { default: "Transit Gateway Configuration" }, + Parameters: [ + existingTransitGatewayId.logicalId, + transitGatewayRTIdForAssociation.logicalId, + transitGatewayRTIdForDefaultRoute.logicalId + ] + }, + { + Label: { default: "Firewall Logging Configuration" }, + Parameters: [ + logDestinationType.logicalId, + logType.logicalId, + logRetentionPeriod.logicalId + ] + } + ], + ParameterLabels: { + [cidrBlock.logicalId]: { + default: "Provide the CIDR block for the Inspection VPC", + }, + [existingTransitGatewayId.logicalId]: { + default: "Provide the existing AWS Transit Gateway ID you wish to" + + " attach to the Inspection VPC", + }, + [transitGatewayRTIdForAssociation.logicalId]: { + default: "Provide AWS Transit Gateway Route Table to be" + + " associated with the Inspection VPC TGW Attachment.", + }, + [transitGatewayRTIdForDefaultRoute.logicalId]: { + default: "Provide the AWS Transit Gateway Route Table to receive 0.0.0.0/0 route to the Inspection VPC TGW Attachment.", + }, + [logType.logicalId]: { + default: "Select the type of log to send to the defined log" + + " destination.", + }, + [logDestinationType.logicalId]: { + default: "Select the type of log destination for the Network" + + " Firewall", + }, + [logRetentionPeriod.logicalId]: { + default: "Select the log retention period for Network Firewall" + + " Logs.", + } + }, + }, + }; + + /** + * Mappings - define fixed values + */ + const mappings = new cdk.CfnMapping(this, 'SolutionMapping') + mappings.setValue('Version', 'Latest', 'latest') + mappings.setValue('Route', 'QuadZero', '0.0.0.0/0') + mappings.setValue('Log', 'Level', 'info') + mappings.setValue('CodeCommitRepo', 'Name', 'network-firewall-config-repo-') + mappings.setValue('Metrics', 'URL', 'https://metrics.awssolutionsbuilder.com/generic') + 
mappings.setValue('Solution', 'Identifier', 'SO0108') + mappings.setValue('TransitGatewayAttachment', 'ApplianceMode', 'enable') + + const send = new cdk.CfnMapping(this, 'Send') + send.setValue('AnonymousUsage', 'Data', 'Yes') + send.setValue('ParameterKey', 'UniqueId', `/Solutions/${props.solutionName}/UUID`) + + + /** + * Conditions - control whether certain resources are created or whether + * certain resource properties are assigned a value during stack + * creation or update. + */ + + const isLoggingInS3 = new cdk.CfnCondition(this, + "LoggingInS3", + { + expression: cdk.Fn.conditionEquals(logDestinationType.valueAsString, 'S3') + }) + + const isLoggingInCloudWatch = new cdk.CfnCondition(this, + "LoggingInCloudWatch", + { + expression: cdk.Fn.conditionEquals(logDestinationType.valueAsString, 'CloudWatchLogs') + }) + + const isNotLoggingConfigureManually = new cdk.CfnCondition(this, + "NotLoggingConfigureManually", + { + expression: cdk.Fn.conditionNot(cdk.Fn.conditionEquals(logDestinationType.valueAsString, 'ConfigureManually')) + }) + + /** + * condition to determine if transit gateway id is provided or not if + * provided use it to create transit gateway attachment else skip + */ + + const createTransitGatewayAttachment = new cdk.CfnCondition(this, + "CreateTransitGatewayAttachment", + { + expression: cdk.Fn.conditionNot(cdk.Fn.conditionEquals(existingTransitGatewayId.valueAsString, '')) + }) + + /** + * condition to determine if transit gateway route table id is provided or + * not. if provided use it to create route table association else skip + */ + const createTransitGatewayRTAssociation = new cdk.CfnCondition(this, + "CreateTransitGatewayRTAssociation", + { + expression: cdk.Fn.conditionAnd( + cdk.Fn.conditionNot( + cdk.Fn.conditionEquals( + transitGatewayRTIdForAssociation.valueAsString, '')), createTransitGatewayAttachment) + }) + + /** + * condition to determine if transit gateway route table id is provided or + * not. 
if provided use it to create route table propagation else skip + */ + const createDefaultRouteFirewallRT = new cdk.CfnCondition(this, + "CreateDefaultRouteFirewallRT", + { + expression: cdk.Fn.conditionAnd( + cdk.Fn.conditionNot( + cdk.Fn.conditionEquals( + transitGatewayRTIdForDefaultRoute.valueAsString, '')), createTransitGatewayAttachment) + }) + + /** + * Resources - Specifies the stack resources and their properties + */ + + this.templateOptions.templateFormatVersion = '2010-09-09'; + + // Create a new VPC + + const vpc = new ec2.CfnVPC(this, 'VPC', { + cidrBlock: cidrBlock.valueAsString, + }); + + //KMS Key for the VPC Flow logs and Firewall Logs + const KMSKeyForNetworkFirewallLogDestinations = new kms.Key(this, "KMSKeyForNetworkFirewallLogDestinations", { + description: "This key will be used for encrypting the vpc flow logs and firewall logs.", + enableKeyRotation: true + }) + + //Permissions for network firewall service to be able use this key for publishing logs to S3. + KMSKeyForNetworkFirewallLogDestinations.addToResourcePolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + resources: ["*"], + principals: [new iam.ServicePrincipal("delivery.logs.amazonaws.com")], + actions: ["kms:GenerateDataKey*"] + })) + //Permissions for network firewall service to be able use this key for publishing logs to cloudwatch. 
+ KMSKeyForNetworkFirewallLogDestinations.addToResourcePolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + resources: ["*"], + actions: [ + "kms:Encrypt*", + "kms:Decrypt*", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ], + principals: [ + new iam.ServicePrincipal(`logs.${cdk.Aws.REGION}.amazonaws.com`) + ] + })) + + // Create a new log group for Firewall logging + const cloudWatchLogGroup = new logs.CfnLogGroup(this, 'CloudWatchLogGroup', { + retentionInDays: logRetentionPeriod.valueAsNumber, + kmsKeyId: KMSKeyForNetworkFirewallLogDestinations.keyArn + }) + + cloudWatchLogGroup.cfnOptions.condition = isLoggingInCloudWatch; + + const logsBucket = new s3.Bucket(this, 'Logs', { + encryption: s3.BucketEncryption.KMS, + encryptionKey: KMSKeyForNetworkFirewallLogDestinations, + publicReadAccess: false, + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, + lifecycleRules: [{ + expiration: cdk.Duration.days(logRetentionPeriod.valueAsNumber) + }] + }); + + const cfnLogsBucket = logsBucket.node.defaultChild as s3.CfnBucket; + cfnLogsBucket.cfnOptions.metadata = { + cfn_nag: { + rules_to_suppress: [{ + id: 'W35', + reason: 'Logs bucket does not require logging configuration' + }, { + id: 'W51', + reason: 'Logs bucket is private and does not require a bucket policy' + }] + } + }; + cfnLogsBucket.cfnOptions.condition = isLoggingInS3; + + //Solution Logging Changes stop. 
+ + + vpc.applyRemovalPolicy(RemovalPolicy.RETAIN) + vpc.tags.setTag('Name', `${cdk.Aws.STACK_NAME}-Inspection-VPC`) + vpc.tags.setTag('created-by', `${props.solutionName}`) + + const cidrCount = 4 + const cidrBits = '4' + const availabilityZoneA = { + "Fn::Select": [ + "0", + { + "Fn::GetAZs": "" + } + ] + } + const availabilityZoneB = { + "Fn::Select": [ + "1", + { + "Fn::GetAZs": "" + } + ] + } + + // Create Firewall Subnet 1 + const NetworkFirewallSubnet1 = new ec2.CfnSubnet(this, "NetworkFirewallSubnet1", { + vpcId: vpc.ref, + cidrBlock: cdk.Fn.select( + 0, + cdk.Fn.cidr( + vpc.attrCidrBlock, + cidrCount, + cidrBits + ) + ) + }) + NetworkFirewallSubnet1.tags.setTag("Name", `${cdk.Aws.STACK_NAME}-FirewallSubnet1`) + NetworkFirewallSubnet1.applyRemovalPolicy(RemovalPolicy.RETAIN) + NetworkFirewallSubnet1.addPropertyOverride('AvailabilityZone', availabilityZoneA) + + + // Create Firewall Subnet 2 + const NetworkFirewallSubnet2 = new ec2.CfnSubnet(this, "NetworkFirewallSubnet2", { + vpcId: vpc.ref, + cidrBlock: cdk.Fn.select( + 1, + cdk.Fn.cidr( + vpc.attrCidrBlock, + cidrCount, + cidrBits + ) + ) + }) + + NetworkFirewallSubnet2.tags.setTag("Name", `${cdk.Aws.STACK_NAME}-FirewallSubnet2`) + NetworkFirewallSubnet2.applyRemovalPolicy(RemovalPolicy.RETAIN) + NetworkFirewallSubnet2.addPropertyOverride('AvailabilityZone', availabilityZoneB) + + //Subnet Route Tables. + const firewallSubnetRouteTable = new ec2.CfnRouteTable(this, "FirewallSubnetRouteTable", { + vpcId: vpc.ref + }) + firewallSubnetRouteTable.tags.setTag("Name", `${cdk.Aws.STACK_NAME}-FirewallSubnetRouteTable`) + firewallSubnetRouteTable.applyRemovalPolicy(RemovalPolicy.RETAIN) + + //Subnet Route Table Associations. 
+ const NetworkFirewallSubnet1RouteTableAssociation = new ec2.CfnSubnetRouteTableAssociation(this, "NetworkFirewallSubnet1RouteTableAssociation", { + subnetId: NetworkFirewallSubnet1.ref, + routeTableId: firewallSubnetRouteTable.ref + }) + NetworkFirewallSubnet1RouteTableAssociation.applyRemovalPolicy(RemovalPolicy.RETAIN) + + const NetworkFirewallSubnet2RouteTableAssociation = new ec2.CfnSubnetRouteTableAssociation(this, "NetworkFirewallSubnet2RouteTableAssociation", { + subnetId: NetworkFirewallSubnet2.ref, + routeTableId: firewallSubnetRouteTable.ref + }) + NetworkFirewallSubnet2RouteTableAssociation.applyRemovalPolicy(RemovalPolicy.RETAIN) + + // Create Transit Gateway Subnet 1 + const vpcTGWSubnet1 = new ec2.CfnSubnet(this, "VPCTGWSubnet1", { + vpcId: vpc.ref, + cidrBlock: cdk.Fn.select( + 2, + cdk.Fn.cidr( + vpc.attrCidrBlock, + cidrCount, + cidrBits + ) + ) + }) + vpcTGWSubnet1.tags.setTag("Name", `${cdk.Aws.STACK_NAME}-VPCTGWSubnet1`) + vpcTGWSubnet1.applyRemovalPolicy(RemovalPolicy.RETAIN) + vpcTGWSubnet1.addPropertyOverride('AvailabilityZone', availabilityZoneA) + + // Create Transit Gateway Subnet 2 + const vpcTGWSubnet2 = new ec2.CfnSubnet(this, "VPCTGWSubnet2", { + vpcId: vpc.ref, + cidrBlock: cdk.Fn.select( + 3, + cdk.Fn.cidr( + vpc.attrCidrBlock, + cidrCount, + cidrBits + ) + ) + }) + vpcTGWSubnet2.tags.setTag("Name", `${cdk.Aws.STACK_NAME}-VPCTGWSubnet2`) + vpcTGWSubnet2.applyRemovalPolicy(RemovalPolicy.RETAIN) + vpcTGWSubnet2.addPropertyOverride('AvailabilityZone', availabilityZoneB) + + //Route Tables for VPC Transit Gateway subnets. 
+ const vpcTGWRouteTable1 = new ec2.CfnRouteTable(this, "VPCTGWRouteTable1", { + vpcId: vpc.ref + }) + vpcTGWRouteTable1.tags.setTag("Name", `${cdk.Aws.STACK_NAME}-TGWSubnetRouteTable1`) + vpcTGWRouteTable1.applyRemovalPolicy(RemovalPolicy.RETAIN) + + const vpcTGWRouteTable2 = new ec2.CfnRouteTable(this, "VPCTGWRouteTable2", { + vpcId: vpc.ref + }) + vpcTGWRouteTable2.tags.setTag("Name", `${cdk.Aws.STACK_NAME}-TGWSubnetRouteTable2`) + vpcTGWRouteTable2.applyRemovalPolicy(RemovalPolicy.RETAIN) + + //Subnet Route Table Associations for Transit Gateway Subnets + const vpcTGWSubnet1RouteTableAssociation = new ec2.CfnSubnetRouteTableAssociation(this, "VPCTGWSubnet1RouteTableAssociation", { + subnetId: vpcTGWSubnet1.ref, + routeTableId: vpcTGWRouteTable1.ref + }) + vpcTGWSubnet1RouteTableAssociation.applyRemovalPolicy(RemovalPolicy.RETAIN) + + const vpcTGWSubnet2RouteTableAssociation = new ec2.CfnSubnetRouteTableAssociation(this, "VPCTGWSubnet2RouteTableAssociation", { + subnetId: vpcTGWSubnet2.ref, + routeTableId: vpcTGWRouteTable2.ref, + }) + vpcTGWSubnet2RouteTableAssociation.applyRemovalPolicy(RemovalPolicy.RETAIN) + + //VPC Flow Log + const logGroup = new logs.CfnLogGroup(this, "LogGroupFlowLogs", { + retentionInDays: logRetentionPeriod.valueAsNumber, + logGroupName: cdk.Aws.STACK_NAME, + kmsKeyId: KMSKeyForNetworkFirewallLogDestinations.keyArn + }) + + const flowLogRole = new iam.Role(this, "RoleFlowLogs", { + assumedBy: new iam.ServicePrincipal("vpc-flow-logs.amazonaws.com") + }); + + const policyStatement = new iam.PolicyStatement({ + actions: [ + "logs:CreateLogStream", + "logs:DescribeLogStreams", + "logs:PutLogEvents", + "logs:CreateLogGroup", + "logs:DescribeLogGroups"], + resources: [logGroup.attrArn] + }); + policyStatement.effect = iam.Effect.ALLOW; + flowLogRole.addToPolicy(policyStatement); + + + new ec2.CfnFlowLog(this, "FlowLog", { + deliverLogsPermissionArn: flowLogRole.roleArn, + logGroupName: logGroup.logGroupName, + resourceId: vpc.ref, + 
resourceType: "VPC", + trafficType: "ALL" + }); + + //Start: associate for an existing transit gateway if user provides one. + + + //Transit gateway attachment. + const vpcTGWAttachment = new ec2.CfnTransitGatewayAttachment(this, 'VPC_TGW_ATTACHMENT', { + transitGatewayId: existingTransitGatewayId.valueAsString, + vpcId: vpc.ref, + subnetIds: [ + vpcTGWSubnet1.ref, + vpcTGWSubnet2.ref + ] + }) + vpcTGWAttachment.cfnOptions.condition = createTransitGatewayAttachment + vpcTGWAttachment.tags.setTag('Name', `${cdk.Aws.STACK_NAME}-Inspection-VPC-Attachment`) + vpcTGWAttachment.applyRemovalPolicy(RemovalPolicy.RETAIN) + vpcTGWAttachment.addDeletionOverride("UpdateReplacePolicy") + + //add the transit gateway id provided by the user to the firewall route + // table created for transit gateway interaction. + const defaultTransitGatewayRoute = new ec2.CfnRoute(this, 'TGWRoute', { + routeTableId: firewallSubnetRouteTable.ref, + destinationCidrBlock: mappings.findInMap('Route', 'QuadZero'), + transitGatewayId: existingTransitGatewayId.valueAsString + }) + defaultTransitGatewayRoute.cfnOptions.condition = createTransitGatewayAttachment + defaultTransitGatewayRoute.addDependsOn(vpcTGWAttachment) + + + //Transit Gateway association with the TGW route table id provided by the user. 
+ const tgwRouteTableAssociation = new ec2.CfnTransitGatewayRouteTableAssociation(this, 'VPCTGWRouteTableAssociation', { + transitGatewayAttachmentId: vpcTGWAttachment.ref, + transitGatewayRouteTableId: transitGatewayRTIdForAssociation.valueAsString + }) + + //createTransitGatewayRTAssociation + tgwRouteTableAssociation.cfnOptions.condition = createTransitGatewayRTAssociation + tgwRouteTableAssociation.addOverride("DeletionPolicy", "Retain") + tgwRouteTableAssociation.addDeletionOverride("UpdateReplacePolicy") + + // Add default route to Instection VPC-TGW Attachment in the Spoke VPC + // Route Transit Gateway Route Table + const defaultRouteSpokeVPCTGWRouteTable = new ec2.CfnTransitGatewayRoute(this, 'DefaultRouteSpokeVPCTGWRouteTable', { + transitGatewayRouteTableId: transitGatewayRTIdForDefaultRoute.valueAsString, + destinationCidrBlock: mappings.findInMap('Route', 'QuadZero'), + transitGatewayAttachmentId: vpcTGWAttachment.ref + }) + defaultRouteSpokeVPCTGWRouteTable.cfnOptions.condition = createDefaultRouteFirewallRT + defaultRouteSpokeVPCTGWRouteTable.addOverride("DeletionPolicy", "Retain") + + //End: Transit gateway changes. + + //CodeCommit Repo and Code Pipeline with default policy created. + const codeCommitRepo = new codecommit.Repository(this, 'NetworkFirewallCodeRepository', { + repositoryName: mappings.findInMap("CodeCommitRepo", "Name") + cdk.Aws.STACK_NAME, + description: 'This repository is created by the AWS Network Firewall' + + ' solution for AWS Transit Gateway, to store and trigger changes to' + + ' the network firewall rules and configurations.' 
+ }) + + const codeCommitRepo_cfn_ref = codeCommitRepo.node.defaultChild as codecommit.CfnRepository + codeCommitRepo_cfn_ref.addOverride("Properties.Code.S3.Bucket", `${props.solutionBucket}-${this.region}`) + codeCommitRepo_cfn_ref.addOverride("Properties.Code.S3.Key", `${props.solutionName}/${mappings.findInMap('Version', 'Latest')}/network-firewall-configuration.zip`) + codeCommitRepo_cfn_ref.addOverride("DeletionPolicy", "Retain") + codeCommitRepo_cfn_ref.addOverride("UpdateReplacePolicy", "Retain") + + const codeBuildStagesSourceCodeBucket = new s3.Bucket(this, 'CodeBuildStagesSourceCodeBucket', { + publicReadAccess: false, + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL + }); + + const sourceOutputArtifact = new codepipeline.Artifact('SourceArtifact') + const buildOutputArtifact = new codepipeline.Artifact('BuildArtifact') + + const subnetIds = NetworkFirewallSubnet1.ref + ',' + NetworkFirewallSubnet2.ref + const codeBuildEnvVariables = { + ['LOG_LEVEL']: + { + value: mappings.findInMap('Log', 'Level'), + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['VPC_ID']: + { + value: vpc.ref, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['SUBNET_IDS']: + { + value: subnetIds, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['LOG_TYPE']: + { + value: logType.valueAsString, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['LOG_DESTINATION_TYPE']: + { + value: logDestinationType.valueAsString, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['S3_LOG_BUCKET_NAME']: + { + value: cdk.Fn.conditionIf('LoggingInS3', logsBucket.bucketName, 'NotConfigured'), + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['CLOUDWATCH_LOG_GROUP_NAME']: + { + value: cdk.Fn.conditionIf('LoggingInCloudWatch', cloudWatchLogGroup.ref, 'NotConfigured'), + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['VPC_TGW_ATTACHMENT_AZ_1']: + { + value: cdk.Fn.getAtt( + 'NetworkFirewallSubnet1', + 'AvailabilityZone').toString(), + type: 
BuildEnvironmentVariableType.PLAINTEXT + }, + ['VPC_TGW_ATTACHMENT_AZ_2']: + { + value: cdk.Fn.getAtt( + 'NetworkFirewallSubnet2', + 'AvailabilityZone').toString(), + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_1']: + { + value: vpcTGWRouteTable1.ref, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_2']: + { + value: vpcTGWRouteTable2.ref, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['CODE_BUILD_SOURCE_CODE_S3_KEY']: { + value: `${props.solutionName}/${props.solutionVersion}`, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['STACK_ID']: { + value: `${cdk.Aws.STACK_ID}`, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['SSM_PARAM_FOR_UUID']: { + value: send.findInMap('ParameterKey', 'UniqueId'), + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['SEND_ANONYMOUS_METRICS']: { + value: `${send.findInMap('AnonymousUsage', 'Data')}`, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['SOLUTION_ID']: { + value: `${mappings.findInMap('Solution', 'Identifier')}`, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['METRICS_URL']: { + value: `${mappings.findInMap('Metrics', 'URL')}`, + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['TRANSIT_GATEWAY_ATTACHMENT_ID']: { + value: cdk.Fn.conditionIf(createTransitGatewayAttachment.logicalId, vpcTGWAttachment.ref, ''), + type: BuildEnvironmentVariableType.PLAINTEXT + }, + ['TRANSIT_GATEWAY_ATTACHMENT_APPLIANCE_MODE']: { + value: mappings.findInMap('TransitGatewayAttachment', 'ApplianceMode'), + type: BuildEnvironmentVariableType.PLAINTEXT + } + } + + // Code build project, code build role will be created by the construct. 
+ const buildProject = new PipelineProject(this, 'BuildProject', { + buildSpec: BuildSpec.fromObject({ + version: '0.2', + phases: { + install: { + 'runtime-versions': { + nodejs: '12' + }, + commands: [`export current=$(pwd)`, `export sourceCodeKey=$CODE_BUILD_SOURCE_CODE_S3_KEY`] + }, + pre_build: { + commands: [ + `cd $current`, + `pwd; ls -ltr`, + `echo 'Download Network Firewall Solution Package'`, + `aws s3 cp s3://${codeBuildStagesSourceCodeBucket.bucketName}/$sourceCodeKey/network-firewall-automation.zip $current || true`, + `if [ -f $current/network-firewall-automation.zip ];then exit 0;else echo \"Copy file to s3 bucket\"; aws s3 cp s3://${props.solutionBucket}-${cdk.Aws.REGION}/$sourceCodeKey/network-firewall-automation.zip s3://${codeBuildStagesSourceCodeBucket.bucketName}/$sourceCodeKey/network-firewall-automation.zip; aws s3 cp s3://${codeBuildStagesSourceCodeBucket.bucketName}/$sourceCodeKey/network-firewall-automation.zip $current; fi;`, + `unzip -o $current/network-firewall-automation.zip -d $current`, + `pwd; ls -ltr`, + ] + }, + build: { + commands: [ + `echo "Validating the firewall config"`, + `node build.js` + ] + } + }, + artifacts: { + files: "**/*" + } + }), + environment: { + buildImage: LinuxBuildImage.STANDARD_4_0 + }, + environmentVariables: codeBuildEnvVariables + }) + + const buildStageIAMPolicy = new iam.Policy(this, 'buildStageIAMPolicy', { + statements: [ + new iam.PolicyStatement({ + actions: [ + "network-firewall:CreateFirewallPolicy", + "network-firewall:CreateRuleGroup" + ], + resources: [ + cdk.Fn.sub("arn:${AWS::Partition}:network-firewall:${AWS::Region}:${AWS::AccountId}:stateful-rulegroup/*"), + cdk.Fn.sub("arn:${AWS::Partition}:network-firewall:${AWS::Region}:${AWS::AccountId}:firewall-policy/*"), + cdk.Fn.sub("arn:${AWS::Partition}:network-firewall:${AWS::Region}:${AWS::AccountId}:stateless-rulegroup/*") + ], + effect: iam.Effect.ALLOW + }), + new iam.PolicyStatement({ + actions: ["s3:GetObject"], + resources: 
[cdk.Fn.sub("arn:${AWS::Partition}:s3:::${CodeBucketName}/${KeyName}/*", { + CodeBucketName: `${props.solutionBucket}-${this.region}`, + KeyName: `${props.solutionName}` + }), + `arn:${cdk.Aws.PARTITION}:s3:::${codeBuildStagesSourceCodeBucket.bucketName}/*`] + }), + new iam.PolicyStatement({ + actions: ["s3:PutObject"], + resources: [ + `arn:${cdk.Aws.PARTITION}:s3:::${codeBuildStagesSourceCodeBucket.bucketName}/*` + ], + effect: iam.Effect.ALLOW + }), + new iam.PolicyStatement({ + actions: [ + "ssm:PutParameter", + "ssm:GetParameter", + ], + effect: iam.Effect.ALLOW, + resources: [ + cdk.Fn.sub("arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${ParameterKey}", { + ParameterKey: `${send.findInMap('ParameterKey', 'UniqueId')}` + }) + ] + }), + ] + }) + + buildProject.role?.attachInlinePolicy(buildStageIAMPolicy) + + //IAM Policy and Role to execute deploy stage + + const deployStageFirewallPolicy = new iam.Policy(this, + 'deployStageFirewallPolicy', + { + statements: [ + new iam.PolicyStatement({ + actions: [ + "network-firewall:CreateFirewall", + "network-firewall:UpdateFirewallDeleteProtection", + "network-firewall:DeleteRuleGroup", + "network-firewall:DescribeLoggingConfiguration", + "network-firewall:UpdateFirewallDescription", + "network-firewall:CreateRuleGroup", + "network-firewall:DescribeFirewall", + "network-firewall:DeleteFirewallPolicy", + "network-firewall:UpdateRuleGroup", + "network-firewall:DescribeRuleGroup", + "network-firewall:ListRuleGroups", + "network-firewall:UpdateSubnetChangeProtection", + "network-firewall:UpdateFirewallPolicyChangeProtection", + "network-firewall:AssociateFirewallPolicy", + "network-firewall:DescribeFirewallPolicy", + "network-firewall:UpdateFirewallPolicy", + "network-firewall:DescribeResourcePolicy", + "network-firewall:CreateFirewallPolicy", + "network-firewall:UpdateLoggingConfiguration", + "network-firewall:TagResource" + ], + resources: [ + 
cdk.Fn.sub("arn:${AWS::Partition}:network-firewall:${AWS::Region}:${AWS::AccountId}:stateful-rulegroup/*"), + cdk.Fn.sub("arn:${AWS::Partition}:network-firewall:${AWS::Region}:${AWS::AccountId}:firewall-policy/*"), + cdk.Fn.sub("arn:${AWS::Partition}:network-firewall:${AWS::Region}:${AWS::AccountId}:firewall/*"), + cdk.Fn.sub("arn:${AWS::Partition}:network-firewall:${AWS::Region}:${AWS::AccountId}:stateless-rulegroup/*") + ] + }), + new iam.PolicyStatement({ + actions: ["s3:GetObject"], + resources: [cdk.Fn.sub("arn:${AWS::Partition}:s3:::${CodeBucketName}/${KeyName}/*", { + CodeBucketName: `${props.solutionBucket}-${this.region}`, + KeyName: `${props.solutionName}` + }), + `arn:${cdk.Aws.PARTITION}:s3:::${codeBuildStagesSourceCodeBucket.bucketName}/*`] + }), + new iam.PolicyStatement({ + actions: [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeRouteTables" + ], + resources: ["*"] + }), + new iam.PolicyStatement({ + actions: [ + "ec2:CreateRoute", + "ec2:DeleteRoute", + ], + effect: iam.Effect.ALLOW, + resources: [ + `arn:${cdk.Aws.PARTITION}:ec2:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:route-table/${vpcTGWRouteTable1.ref}`, + `arn:${cdk.Aws.PARTITION}:ec2:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:route-table/${vpcTGWRouteTable2.ref}` + ] + }), + new iam.PolicyStatement({ + actions: ["iam:CreateServiceLinkedRole"], + resources: [cdk.Fn.sub("arn:aws:iam::${AWS::AccountId}:role/aws-service-role/network-firewall.amazonaws.com/AWSServiceRoleForNetworkFirewall")] + }) + ] + }) + + const deployStageFirewallPolicyResource = deployStageFirewallPolicy.node.findChild('Resource') as iam.CfnPolicy; + + deployStageFirewallPolicyResource.cfnOptions.metadata = { + cfn_nag: { + rules_to_suppress: [ + { + id: 'W12', + reason: 'Resource * is required for describe APIs' + }] + } + }; + + //add modify transit gateway attachement permission only if the transit gateway attachment is provided. 
+ const deployStageModifyTransitGatewayAttachmentPolicy = new iam.Policy(this, 'deployStageModifyTransitGatewayAttachmentPolicy', { + statements: [ + new iam.PolicyStatement({ + actions: [ + "ec2:ModifyTransitGatewayVpcAttachment" + ], + effect: iam.Effect.ALLOW, + resources: [ + `arn:${cdk.Aws.PARTITION}:ec2:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:transit-gateway-attachment/${vpcTGWAttachment.ref}`, + ] + }) + ] + }) + const resourcePolicyModifyTGWAttachment = deployStageModifyTransitGatewayAttachmentPolicy.node.findChild('Resource') as iam.CfnPolicy; + resourcePolicyModifyTGWAttachment.cfnOptions.condition = createTransitGatewayAttachment + + const deployStageFirewallLoggingPolicy = new iam.Policy(this, + 'deployStageFirewallLoggingPolicy', + { + statements: [ + new iam.PolicyStatement({ + actions: [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries" + ], + resources: ["*"] // Per IAM service must use All Resources + }) + ] + }) + + const deployStageFirewallLoggingResource = deployStageFirewallLoggingPolicy.node.findChild('Resource') as iam.CfnPolicy; + + deployStageFirewallLoggingResource.cfnOptions.metadata = { + cfn_nag: { + rules_to_suppress: [ + { + id: 'W12', + reason: 'Resource * is required for these actions.' 
+ }] + } + }; + + // skip creating the 'deployStageFirewallLoggingPolicy' IAM policy if + // logging destination type is set to configure manually + deployStageFirewallLoggingResource.cfnOptions.condition = isNotLoggingConfigureManually + + const deployStageFirewallLoggingS3Policy = new iam.Policy(this, + 'deployStageFirewallLoggingS3Policy', + { + statements: [ + new iam.PolicyStatement({ + actions: [ + "s3:PutBucketPolicy", + "s3:GetBucketPolicy" + ], + resources: [logsBucket.bucketArn] + }) + ] + }) + + const deployStageFirewallLoggingS3PolicyResource = deployStageFirewallLoggingS3Policy.node.findChild('Resource') as iam.CfnPolicy; + + // create the 'deployStageFirewallLoggingS3Policy' IAM policy only if + // logging destination type is set to S3 + deployStageFirewallLoggingS3PolicyResource.cfnOptions.condition = isLoggingInS3 + + const deployStageFirewallLoggingCWPolicy = new iam.Policy(this, + 'deployStageFirewallLoggingCWPolicy', + { + statements: [ + new iam.PolicyStatement({ + actions: [ + "logs:PutResourcePolicy", + "logs:DescribeResourcePolicies" + ], + resources: ["*"] // Per IAM service must use All Resources + }), + new iam.PolicyStatement({ + actions: [ + "logs:DescribeLogGroups" + ], + resources: [ + cdk.Fn.sub("arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:*") + ] + }) + ] + }) + + const deployStageFirewallLoggingCWPolicyResource = deployStageFirewallLoggingCWPolicy.node.findChild('Resource') as iam.CfnPolicy; + + deployStageFirewallLoggingCWPolicyResource.cfnOptions.metadata = { + cfn_nag: { + rules_to_suppress: [ + { + id: 'W12', + reason: 'Resource * is required for describe APIs' + }] + } + }; + + // create the 'deployStageFirewallLoggingCWPolicy' IAM policy if + // logging destination type is set to CloudWatch Logs + deployStageFirewallLoggingCWPolicyResource.cfnOptions.condition = isLoggingInCloudWatch + + // Code deploy build action project, role will be created by the construct. 
+ + const deployProject = new PipelineProject(this, 'DeployProject', { + buildSpec: BuildSpec.fromObject({ + version: '0.2', + phases: { + install: { + 'runtime-versions': { + nodejs: '12' + }, + commands: [`export current=$(pwd)`, `export sourceCodeKey=$CODE_BUILD_SOURCE_CODE_S3_KEY`] + }, + pre_build: { + commands: [ + `cd $current`, + `pwd; ls -ltr`, + `echo 'Download Network Firewall Solution Package'`, + `aws s3 cp s3://${codeBuildStagesSourceCodeBucket.bucketName}/$sourceCodeKey/network-firewall-automation.zip $current`, + `unzip -o $current/network-firewall-automation.zip -d $current`, + `pwd; ls -ltr`, + ] + }, + build: { + commands: [ + `echo "Initiating Network Firewall Automation"`, + `node index.js` + ] + }, + post_build: { + commands: [] + } + }, + artifacts: { + files: "**/*" + } + }), + environment: { + buildImage: LinuxBuildImage.STANDARD_4_0 + }, + environmentVariables: codeBuildEnvVariables + }) + + // attach inline IAM policies with the default CodeBuild role. + deployProject.role?.attachInlinePolicy(deployStageFirewallPolicy) + deployProject.role?.attachInlinePolicy(deployStageFirewallLoggingPolicy) + deployProject.role?.attachInlinePolicy(deployStageFirewallLoggingS3Policy) + deployProject.role?.attachInlinePolicy(deployStageFirewallLoggingCWPolicy) + deployProject.role?.attachInlinePolicy(deployStageModifyTransitGatewayAttachmentPolicy) + + + const codePipeline = new codepipeline.Pipeline(this, `NetworkFirewallCodePipeline`, { + stages: [ + { + stageName: 'Source', + actions: [ + new codepipeline_action.CodeCommitSourceAction({ + actionName: 'Source', + repository: codeCommitRepo, + output: sourceOutputArtifact, + }) + ] + }, + { + stageName: 'Validation', + actions: [ + new codepipeline_action.CodeBuildAction({ + actionName: 'CodeBuild', + input: sourceOutputArtifact, + project: buildProject, + outputs: [buildOutputArtifact] + }) + ] + }, + { + stageName: 'Deployment', + actions: [ + new codepipeline_action.CodeBuildAction({ + actionName: 
'CodeDeploy', + input: buildOutputArtifact, + project: deployProject, + }) + ] + }] + }) + + //Adding bucket encryption + const kmsKeyCfn_ref = codePipeline.artifactBucket.encryptionKey?.node.defaultChild as kms.CfnKey + kmsKeyCfn_ref.addPropertyOverride('EnableKeyRotation', true) + + const stack = cdk.Stack.of(this); + + const codePipelineArtifactBucketKmsKeyAlias = stack.node.findChild("NetworkFirewallCodePipeline").node.findChild("ArtifactsBucketEncryptionKeyAlias").node.defaultChild as kms.CfnAlias + codePipelineArtifactBucketKmsKeyAlias.addPropertyOverride("AliasName", { + "Fn::Join": [ + "", + [ + "alias/", + { + "Ref": "AWS::StackName" + }, + "-artifactBucket-EncryptionKeyAlias" + ] + ] + }) + + const codeBuildStagesSourceCodeBucket_cfn_ref = codeBuildStagesSourceCodeBucket.node.defaultChild as s3.CfnBucket + codeBuildStagesSourceCodeBucket_cfn_ref.bucketEncryption = { + serverSideEncryptionConfiguration: [ + { + serverSideEncryptionByDefault: { + kmsMasterKeyId: codePipeline.artifactBucket.encryptionKey?.keyArn, + sseAlgorithm: "aws:kms" + } + } + ] + } + + codeBuildStagesSourceCodeBucket_cfn_ref.cfnOptions.metadata = { + cfn_nag: { + rules_to_suppress: [{ + id: 'W35', + reason: 'Source Code bucket bucket does not require logging configuration' + }, { + id: 'W51', + reason: 'Source Code bucket is private and does not require a bucket policy' + }] + } + }; + + //S3 Bucket policy for the pipeline artifacts bucket + const bucketPolicy = new s3.BucketPolicy(this, 'CodePipelineArtifactS3BucketPolicy', { + bucket: codePipeline.artifactBucket, + removalPolicy: RemovalPolicy.RETAIN + }) + + bucketPolicy.document.addStatements( + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 's3:DeleteBucket' + ], + principals: [new iam.ServicePrincipal('cloudformation.amazonaws.com')], + resources: [ + codePipeline.artifactBucket.bucketArn + ] + }), + new iam.PolicyStatement({ + effect: iam.Effect.DENY, + actions: [ + 's3:GetObject' + ], + principals: [ + new 
iam.AnyPrincipal() + ], + resources: [ + `${codePipeline.artifactBucket.bucketArn}/*`, + `${codePipeline.artifactBucket.bucketArn}` + ], + conditions: { + Bool: { + "aws:SecureTransport": false + } + } + })); + + const bucketPolicyForlogsBucket = new s3.BucketPolicy(this, 'CloudWatchLogsForNetworkFirewallBucketPolicy', { + bucket: logsBucket, + removalPolicy: RemovalPolicy.RETAIN + }) + + bucketPolicyForlogsBucket.document.addStatements( + new iam.PolicyStatement({ + effect: iam.Effect.DENY, + actions: [ + 's3:GetObject' + ], + principals: [ + new iam.AnyPrincipal() + ], + resources: [ + `${logsBucket.bucketArn}/*`, + `${logsBucket.bucketArn}` + ], + conditions: { + Bool: { + "aws:SecureTransport": false + } + } + })); + + const bucketPolicyForlogsBucket_cfn_ref = bucketPolicyForlogsBucket.node.defaultChild as s3.CfnBucketPolicy + bucketPolicyForlogsBucket_cfn_ref.cfnOptions.condition = isLoggingInS3 + + const bucketPolicyForSourceCodeBucket = new s3.BucketPolicy(this, 'CodeBuildStageSourceCodeBucketPolicy', { + bucket: codeBuildStagesSourceCodeBucket, + removalPolicy: RemovalPolicy.RETAIN + }); + + bucketPolicyForSourceCodeBucket.document.addStatements( + new iam.PolicyStatement({ + effect: iam.Effect.DENY, + actions: [ + 's3:GetObject' + ], + principals: [ + new iam.AnyPrincipal() + ], + resources: [ + `${codeBuildStagesSourceCodeBucket.bucketArn}`, + `${codeBuildStagesSourceCodeBucket.bucketArn}/*` + ], + conditions: { + Bool: { + "aws:SecureTransport": false + } + } + })); + + //disable W35 for the artifact bucket as it only store the artifact files. 
+ const w35Rule = { + rules_to_suppress: [{ + id: 'W35', + reason: "This S3 bucket is used as the destination for 'NetworkFirewallCodePipelineArtifactsBucket'" + }] + } + const s3ArtifactBucket_cfn_ref = codePipeline.artifactBucket.node.defaultChild as s3.CfnBucket + s3ArtifactBucket_cfn_ref.cfnOptions.metadata = { + cfn_nag: w35Rule + } + + /** + * Outputs - describes the values that are returned whenever you view + * your stack's properties. + */ + new cdk.CfnOutput(this, 'Inspection VPC ID', { + value: vpc.ref, + description: 'Inspection VPC ID to create Network Firewall.', + }) + + new cdk.CfnOutput(this, 'Firewall Subnet 1 ID', { + value: NetworkFirewallSubnet1.ref, + description: 'Subnet 1 associated with Network Firewall.', + }) + + new cdk.CfnOutput(this, 'Firewall Subnet 2 ID', { + value: NetworkFirewallSubnet2.ref, + description: 'Subnet 2 associated with Network Firewall.', + }) + + new cdk.CfnOutput(this, 'Transit Gateway Subnet 1 ID', { + value: vpcTGWSubnet1.ref, + description: 'Subnet 1 associated with Transit Gateway.', + }) + + new cdk.CfnOutput(this, 'Transit Gateway Subnet 2 ID', { + value: vpcTGWSubnet2.ref, + description: 'Subnet 1 associated with Transit Gateway.', + }) + + new cdk.CfnOutput(this, 'Network Firewall Availability Zone 1', { + value: cdk.Fn.getAtt( + 'NetworkFirewallSubnet1', + 'AvailabilityZone').toString(), + description: 'Availability Zone configured for Network Firewall subnet 1', + }) + + new cdk.CfnOutput(this, 'Network Firewall Availability Zone 2', { + value: cdk.Fn.getAtt( + 'NetworkFirewallSubnet2', + 'AvailabilityZone').toString(), + description: 'Availability Zone configured for Network Firewall subnet 2', + }) + + new cdk.CfnOutput(this, 'Artifact Bucket for CodePipeline', { + value: codePipeline.artifactBucket.bucketName, + description: 'Artifact bucket name configured for the CodePipeline.', + }) + + new cdk.CfnOutput(this, 'Code Build source code bucket', { + value: codeBuildStagesSourceCodeBucket.bucketName, + 
description: 'Code Build source code bucket', + }) + + new cdk.CfnOutput(this, 'S3 Bucket for Firewall Logs', { + value: cdk.Fn.conditionIf('LoggingInS3', logsBucket.bucketName, 'NotConfigured').toString(), + description: 'S3 Bucket used as the log destination for Firewall' + + ' Logs.', + }) + + new cdk.CfnOutput(this, 'CloudWatch Log Group for Firewall Logs', { + value: cdk.Fn.conditionIf('LoggingInCloudWatch', cloudWatchLogGroup.ref, 'NotConfigured').toString(), + description: 'CloudWatch Log Group used as the log destination for Firewall' + + ' Logs.', + }) + + } +} diff --git a/source/networkFirewallAutomation/__tests__/ec2-manager.spec.ts b/source/networkFirewallAutomation/__tests__/ec2-manager.spec.ts new file mode 100644 index 0000000..aeeca0b --- /dev/null +++ b/source/networkFirewallAutomation/__tests__/ec2-manager.spec.ts 
@@ -0,0 +1,92 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+import { Ec2Manager } from '../lib/ec2-manager';
+
+const ec2EnvProps = [
+ {
+ "routeTableId":"rtb-0e99886b16ecb5710",
+ "availabilityZone": 'us-east-1a'
+ },
+ {
+ "routeTableId":"rtb-0e99886b16ecb5710",
+ "availabilityZone": 'us-east-1b'
+ }]
+
+jest.mock("aws-sdk", () => {
+ return {
+ __esModule: true,
+ EC2: jest.fn().mockReturnValue({
+
+ })
+ }
+}, { virtual: true });
+
+jest.mock("../lib/service/ec2-service", () => {
+ return {
+ __esModule: true,
+ Ec2Service: jest.fn().mockReturnValue({
+ describeRouteTables: jest.fn().mockImplementation(() => {
+ return [{"Associations":[{"Main":false,"RouteTableAssociationId":"rtbassoc-041509f1a595fa5dd","RouteTableId":"rtb-0e99886b16ecb5710","SubnetId":"subnet-028bf1f940038d771","AssociationState":{"State":"associated"}},{"Main":false,"RouteTableAssociationId":"rtbassoc-0c83e3ec6163f1999","RouteTableId":"rtb-0e99886b16ecb5710","SubnetId":"subnet-0884864b53eaf5171","AssociationState":{"State":"associated"}}],"PropagatingVgws":[],"RouteTableId":"rtb-0e99886b16ecb5710","Routes":[{"DestinationCidrBlock":"192.168.1.0/26","GatewayId":"local","Origin":"CreateRouteTable","State":"active"}],"Tags":[{"Key":"Name","Value":"FirewallSubnetRouteTable"}],"VpcId":"vpc-0ea9f7f530319814a","OwnerId":"1234"}]
+ }),
+ createRoute: jest.fn().mockImplementation(() => {
+ return {
+ 'Return': true
+ }
+ })
+ })
+ }
+}, { virtual: true });
+
+test('test the method routeTableOperations - 2 VPCE', async () => {
+ const syncStates = {
+ "us-east-1a": {
+ "Attachment": {
+ "SubnetId": "subnet-1",
+ "EndpointId": "vpce-1",
+ "Status": "READY"
+ },
+ "Config": {
+ "arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1": {'SyncStatus': "IN_SYNC"},
+ "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1": {'SyncStatus': "IN_SYNC"},
+ "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1": {'SyncStatus': "IN_SYNC"},
+ "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2": {'SyncStatus': "IN_SYNC"}
+ }
+ },
+ "us-east-1b": {
+ "Attachment": {
+ "SubnetId": "subnet-2",
+ "EndpointId": "vpce-2",
+ "Status": "READY"
+ },
+ "Config": {
+ "arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1": {'SyncStatus': "IN_SYNC"},
+ "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1": {'SyncStatus': "IN_SYNC"},
+ "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1": {'SyncStatus': "IN_SYNC"},
+ "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2": {'SyncStatus': "IN_SYNC"}
+ }
+ }
+
+ }
+
+ const ec2Mgr = new Ec2Manager(ec2EnvProps, syncStates)
+ const response = await ec2Mgr.routeTableOperations()
+ console.log(response)
+ expect(response[0].VpcEndpointId).toStrictEqual("vpce-1")
+ expect(response[0].RouteTableId).toStrictEqual("rtb-0e99886b16ecb5710")
+ expect(response[0].DefaultRouteCreated).toStrictEqual(true)
+ expect(response[1].VpcEndpointId).toStrictEqual("vpce-2")
+ expect(response[0].RouteTableId).toStrictEqual("rtb-0e99886b16ecb5710")
+ expect(response[1].DefaultRouteCreated).toStrictEqual(true)
+
+})
diff --git a/source/networkFirewallAutomation/__tests__/firewall-config-validation.spec.ts b/source/networkFirewallAutomation/__tests__/firewall-config-validation.spec.ts
new file mode 100644
index 0000000..13bad4b
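Review bot: In `ec2-manager.spec.ts`, the second `RouteTableId` assertion of the 'routeTableOperations - 2 VPCE' test repeats `response[0]`, so the route reported for the `us-east-1b` endpoint is never checked; it should read `expect(response[1].RouteTableId).toStrictEqual("rtb-0e99886b16ecb5710")`. Both `ec2EnvProps` entries also carry the same `routeTableId`, so even the corrected assertion cannot tell a correct per-AZ mapping from a swapped one. Giving the second entry its own constructed id (with a matching table in the mocked `describeRouteTables` result) would let the test catch a default route that points one AZ's traffic at the other AZ's firewall endpoint. The `console.log(response)` looks like leftover debugging output and can be dropped.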
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-config-validation.spec.ts
@@ -0,0 +1,49 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+import { FirewallConfigValidation } from "../lib/common/firewall-config-validation"
+
+jest.mock("aws-sdk", () => {
+ return {
+ __esModule: true,
+ NetworkFirewall: jest.fn().mockReturnValue({
+ createRuleGroup: jest.fn().mockImplementation(() => {
+ //console.log(`Inside rule group mock ${JSON.stringify(data)}` )
+ }),
+ createFirewallPolicy: jest.fn().mockImplementation(() => {
+ //console.log(`Inside firewall policy mock ${JSON.stringify(data)}` )
+ }),
+ })
+ }
+})
+
+test('test firewall config validation.', async () => {
+ const firewallConfigValidation = new FirewallConfigValidation();
+ try {
+ await firewallConfigValidation.execute("/__tests__/firewall-test-configuration/firewalls/")
+ } catch (error) {
+ expect(firewallConfigValidation.getInvalidFiles()).toStrictEqual([
+ {
+ "path": "__tests__/firewall-test-configuration/ruleGroups/stateless-fwd-to-stateful.invalid.json",
+ "referencedInFile": "__tests__/firewall-test-configuration/firewallPolicies/firewall-invalid-policy.json",
+ "error": "The file in the attribute path is not available in the configuration."
+ },
+ {
+ "path": "__tests__/firewall-test-configuration/firewallPolicies/firewall-notavailable.json",
+ "referencedInFile": "__tests__/firewall-test-configuration/firewallPolicies/firewall-notavailable.json",
+ "error": "The file in the attribute path is not available in the configuration."
+ }
+ ])
+ }
+
+})
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-invalid-policy.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-invalid-policy.json
new file mode 100644
index 0000000..929842a
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-invalid-policy.json
@@ -0,0 +1,26 @@
+{
+ "FirewallPolicyName": "Firewall-Policy-2",
+ "FirewallPolicy": {
+ "StatelessDefaultActions": [
+ "aws:drop"
+ ],
+ "StatelessFragmentDefaultActions": [
+ "aws:drop"
+ ],
+ "StatelessRuleGroupReferences": [
+ {
+ "Priority": 30,
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateless-fwd-to-stateful.invalid.json"
+ },
+ {
+ "Priority": 20,
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateless-pass-action.example.json"
+ }
+ ],
+ "StatefulRuleGroupReferences": [
+ {
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateful-domainblock.example.json"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-policy-2.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-policy-2.json
new file mode 100644
index 0000000..1efe322
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-policy-2.json
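Review bot: In `firewall-config-validation.spec.ts`, the only `expect` sits inside the `catch` block, so if `execute(...)` resolves without throwing the test passes with zero assertions. A validator that stops rejecting the invalid fixtures would therefore go unnoticed, which matters because this check appears to be the gate that runs before firewall policies are created. Adding `expect.assertions(1)` as the first statement of the test closes the gap; alternatively assert the rejection explicitly with `await expect(firewallConfigValidation.execute("/__tests__/firewall-test-configuration/firewalls/")).rejects.toBeDefined()` and then check `getInvalidFiles()` outside any `try`.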
@@ -0,0 +1,26 @@
+{
+ "FirewallPolicyName": "Firewall-Policy-2",
+ "FirewallPolicy": {
+ "StatelessDefaultActions": [
+ "aws:drop"
+ ],
+ "StatelessFragmentDefaultActions": [
+ "aws:drop"
+ ],
+ "StatelessRuleGroupReferences": [
+ {
+ "Priority": 30,
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateless-fwd-to-stateful.example.json"
+ },
+ {
+ "Priority": 20,
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateless-pass-action.example.json"
+ }
+ ],
+ "StatefulRuleGroupReferences": [
+ {
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateful-domainblock.example.json"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-policy.example.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-policy.example.json
new file mode 100644
index 0000000..bb5ad6b
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewallPolicies/firewall-policy.example.json
@@ -0,0 +1,29 @@
+{
+ "FirewallPolicyName": "Firewall-Policy-1",
+ "FirewallPolicy": {
+ "StatelessDefaultActions": [
+ "aws:drop"
+ ],
+ "StatelessFragmentDefaultActions": [
+ "aws:drop"
+ ],
+ "StatelessRuleGroupReferences": [
+ {
+ "Priority": 30,
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateless-fwd-to-stateful.example.json"
+ },
+ {
+ "Priority": 20,
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateless-pass-action.example.json"
+ }
+ ],
+ "StatefulRuleGroupReferences": [
+ {
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateful-domainblock.example.json"
+ },
+ {
+ "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/suricata-rule-reference.json"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall-invalid.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall-invalid.json
new file mode 100644
index 0000000..a9ea930
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall-invalid.json
@@ -0,0 +1,8 @@
+{
+ "FirewallName": "VpcFirewall-1",
+ "FirewallPolicyArn": "__tests__/firewall-test-configuration/firewallPolicies/firewall-invalid-policy.json",
+ "Description": "Network Firewall created by AWS Solutions",
+ "DeleteProtection": true,
+ "FirewallPolicyChangeProtection": true,
+ "SubnetChangeProtection": true
+ }
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall-nopolicy.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall-nopolicy.json
new file mode 100644
index 0000000..ca7272e
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall-nopolicy.json
@@ -0,0 +1,8 @@
+{
+ "FirewallName": "VpcFirewall-1",
+ "FirewallPolicyArn": "__tests__/firewall-test-configuration/firewallPolicies/firewall-notavailable.json",
+ "Description": "Network Firewall created by AWS Solutions",
+ "DeleteProtection": true,
+ "FirewallPolicyChangeProtection": true,
+ "SubnetChangeProtection": true
+ }
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall.example.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall.example.json
new file mode 100644
index 0000000..8bc8538
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/firewalls/firewall.example.json
@@ -0,0 +1,8 @@
+{
+ "FirewallName": "VpcFirewall-1",
+ "FirewallPolicyArn": "__tests__/firewall-test-configuration/firewallPolicies/firewall-policy.example.json",
+ "Description": "Network Firewall created by AWS Solutions",
+ "DeleteProtection": true,
+ "FirewallPolicyChangeProtection": true,
+ "SubnetChangeProtection": true
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/drop.rules b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/drop.rules
new file mode 100644
index 0000000..e37904c
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/drop.rules
@@ -0,0 +1,79 @@ +# +# $Id: emerging-drop.rules $ +# Emerging Threats Spamhaus DROP List rules. +# +# Rules to block Spamhaus DROP listed networks (www.spamhaus.org) +# +# More information available at www.emergingthreats.net +# +# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list +# +#************************************************************* +# +# Copyright (c) 2003-2020, Emerging Threats +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the +# following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following +# disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the +# following disclaimer in the documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +# + +# VERSION 2793 + + +# Generated 2021-01-10 00:05:02 EDT + +alert ip [2.59.200.0/22,5.134.128.0/19,5.180.4.0/22,5.181.84.0/22,5.183.60.0/22,5.188.10.0/23,24.137.16.0/20,24.170.208.0/20,24.233.0.0/19,24.236.0.0/19,27.126.160.0/20,27.146.0.0/16,31.14.65.0/24,31.14.66.0/23,31.40.156.0/22,31.40.164.0/22,36.0.8.0/21,36.37.48.0/20,36.116.0.0/16,36.119.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 1"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400000; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [42.0.32.0/19,42.1.128.0/17,42.96.0.0/18,42.128.0.0/12,42.160.0.0/12,42.194.128.0/17,42.208.0.0/12,43.229.52.0/22,43.236.0.0/16,43.250.116.0/22,43.252.80.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,45.9.148.0/22,45.9.156.0/22,45.10.16.0/22,45.11.184.0/22,45.11.188.0/22,45.41.0.0/18] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [45.65.120.0/22,45.65.188.0/22,45.80.28.0/22,45.80.248.0/23,45.80.250.0/23,45.86.20.0/22,45.95.40.0/22,45.114.240.0/22,45.117.52.0/22,45.117.232.0/22,45.119.40.0/22,45.121.204.0/22,45.130.100.0/22,45.135.193.0/24,45.159.56.0/22,45.220.64.0/18,46.102.177.0/24,46.102.178.0/23,46.102.180.0/24,46.102.182.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 3"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: 
type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400002; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [58.14.0.0/15,58.145.176.0/21,59.153.60.0/22,60.233.0.0/16,61.11.224.0/19,61.45.251.0/24,64.92.224.0/20,64.250.144.0/20,65.97.48.0/20,67.213.112.0/20,68.66.48.0/20,69.8.64.0/20,69.8.96.0/20,72.1.224.0/20,74.114.148.0/22,76.191.0.0/20,77.36.62.0/24,77.81.84.0/23,77.81.86.0/24,77.81.89.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 4"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400003; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [85.209.4.0/22,86.55.40.0/23,86.55.42.0/23,86.62.28.0/22,86.104.0.0/23,86.104.2.0/24,86.104.212.0/23,86.104.222.0/23,86.104.224.0/23,86.105.2.0/24,86.105.6.0/24,86.105.176.0/24,86.105.178.0/24,86.105.184.0/23,86.105.186.0/24,86.105.229.0/24,86.105.230.0/24,86.105.242.0/23,86.106.10.0/24,86.106.13.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 5"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400004; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[86.106.110.0/23,86.106.114.0/23,86.106.116.0/23,86.106.118.0/24,86.106.138.0/23,86.106.140.0/23,86.106.174.0/23,86.107.72.0/24,86.107.193.0/24,86.107.194.0/23,88.218.40.0/22,88.218.148.0/22,89.32.43.0/24,89.32.170.0/24,89.32.202.0/24,89.33.46.0/23,89.33.116.0/24,89.33.134.0/24,89.33.198.0/23,89.33.200.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 6"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400005; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [89.34.74.0/24,89.34.102.0/24,89.34.104.0/23,89.35.54.0/24,89.35.89.0/24,89.35.90.0/24,89.36.38.0/23,89.36.136.0/24,89.36.138.0/23,89.36.141.0/24,89.37.92.0/23,89.37.94.0/24,89.37.96.0/24,89.37.129.0/24,89.37.130.0/23,89.37.132.0/23,89.37.134.0/24,89.38.240.0/24,89.39.69.0/24,89.39.212.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 7"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400006; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [89.40.209.0/24,89.41.27.0/24,89.41.28.0/23,89.41.49.0/24,89.41.50.0/23,89.41.189.0/24,89.41.190.0/23,89.42.10.0/24,89.42.152.0/23,89.42.154.0/24,89.45.82.0/24,89.46.47.0/24,91.132.164.0/22,91.197.196.0/22,91.200.12.0/22,91.200.133.0/24,91.200.248.0/22,91.218.236.0/22,91.220.163.0/24,91.229.52.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 8"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; 
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400007; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [93.114.51.0/24,93.114.52.0/23,93.114.54.0/24,93.114.58.0/23,93.115.59.0/24,93.119.118.0/23,93.119.120.0/23,93.119.124.0/23,93.120.34.0/24,93.120.46.0/24,94.131.228.0/22,94.154.32.0/22,96.45.144.0/20,98.143.192.0/20,101.42.0.0/16,101.134.0.0/15,101.192.0.0/14,101.203.128.0/19,101.248.0.0/15,102.196.96.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 9"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400008; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [103.14.208.0/22,103.16.76.0/24,103.23.8.0/22,103.23.124.0/22,103.24.232.0/22,103.30.12.0/22,103.32.0.0/16,103.32.132.0/22,103.34.0.0/16,103.36.64.0/22,103.59.92.0/22,103.73.172.0/22,103.75.36.0/22,103.76.96.0/22,103.76.128.0/22,103.77.32.0/22,103.99.0.0/22,103.100.168.0/22,103.134.144.0/23,103.135.144.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 10"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400009; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[103.197.240.0/22,103.199.88.0/22,103.199.184.0/22,103.205.84.0/22,103.207.160.0/22,103.210.244.0/22,103.215.80.0/22,103.225.72.0/22,103.225.128.0/22,103.226.192.0/22,103.228.60.0/22,103.229.36.0/22,103.230.144.0/22,103.232.136.0/22,103.232.172.0/22,103.236.32.0/22,103.239.28.0/22,103.239.56.0/22,103.243.8.0/22,103.243.124.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 11"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400010; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [104.239.0.0/17,104.243.192.0/20,104.247.96.0/19,104.250.192.0/19,104.250.224.0/19,104.251.192.0/20,106.95.0.0/16,107.182.112.0/20,107.182.240.0/20,107.190.160.0/20,110.41.0.0/16,111.223.192.0/19,113.212.128.0/19,116.144.0.0/15,116.146.0.0/15,117.58.0.0/17,119.58.0.0/16,119.232.0.0/16,120.48.0.0/15,121.46.124.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 12"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400011; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [124.157.0.0/18,124.242.0.0/16,125.31.192.0/18,125.58.0.0/18,125.169.0.0/16,128.24.0.0/16,128.85.0.0/16,130.21.0.0/16,130.148.0.0/16,130.196.0.0/16,130.222.0.0/16,131.108.16.0/22,131.143.0.0/16,131.200.0.0/16,132.255.132.0/22,134.18.0.0/16,134.22.0.0/16,134.23.0.0/16,134.33.0.0/16,134.127.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 13"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type 
limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400012; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [137.72.0.0/16,137.76.0.0/16,137.105.0.0/16,137.114.0.0/16,137.218.0.0/16,138.31.0.0/16,138.36.92.0/22,138.36.136.0/22,138.52.0.0/16,138.59.4.0/22,138.59.204.0/22,138.94.144.0/22,138.94.216.0/22,138.97.156.0/22,138.122.192.0/22,138.125.0.0/16,138.185.116.0/22,138.186.208.0/22,138.216.0.0/16,138.219.172.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 14"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400013; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [140.82.96.0/20,140.167.0.0/16,141.98.68.0/23,141.98.70.0/23,141.136.22.0/24,141.178.0.0/16,141.206.128.0/20,141.253.0.0/16,142.102.0.0/16,143.0.236.0/22,143.49.0.0/16,143.135.0.0/16,143.136.0.0/16,143.253.0.0/16,145.231.0.0/16,146.3.0.0/16,146.51.0.0/16,146.106.0.0/16,146.183.0.0/16,146.202.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 15"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400014; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[148.148.0.0/16,148.154.0.0/16,148.178.0.0/16,148.185.0.0/16,148.248.0.0/16,149.118.0.0/16,149.207.0.0/16,150.10.0.0/16,150.22.128.0/17,150.25.0.0/16,150.40.0.0/16,150.121.0.0/16,150.129.212.0/22,150.129.228.0/22,150.141.0.0/16,150.242.120.0/22,150.242.144.0/22,151.212.0.0/16,152.89.228.0/23,152.89.230.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 16"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400015; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [155.11.0.0/16,155.40.0.0/16,155.66.0.0/16,155.71.0.0/16,155.73.0.0/16,155.108.0.0/16,155.159.0.0/16,155.235.0.0/16,155.249.0.0/16,156.96.0.0/16,157.115.0.0/16,157.162.0.0/16,157.186.0.0/16,157.195.0.0/16,158.54.0.0/16,158.249.0.0/16,159.80.0.0/16,159.85.0.0/16,159.151.0.0/16,159.174.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 17"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400016; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [160.116.0.0/16,160.117.0.0/16,160.121.0.0/16,160.122.0.0/16,160.180.0.0/16,160.184.0.0/16,160.188.0.0/16,160.200.0.0/16,160.235.0.0/16,160.240.0.0/16,160.255.0.0/16,161.0.0.0/19,161.0.68.0/22,161.1.0.0/16,162.208.124.0/22,162.212.188.0/22,162.222.128.0/21,162.249.20.0/22,163.47.19.0/24,163.50.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 18"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; 
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400017; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [163.216.0.0/19,163.250.0.0/16,163.254.0.0/16,164.6.0.0/16,164.79.0.0/16,164.88.0.0/16,164.137.0.0/16,164.155.0.0/16,165.3.0.0/16,165.25.0.0/16,165.52.0.0/14,165.102.0.0/16,165.205.0.0/16,165.209.0.0/16,165.231.0.0/16,166.93.0.0/16,166.117.0.0/16,167.74.0.0/18,167.82.144.0/20,167.97.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 19"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400018; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [167.224.0.0/19,167.224.32.0/20,167.224.48.0/21,167.249.200.0/22,168.0.212.0/22,168.64.0.0/16,168.76.0.0/16,168.80.0.0/15,168.90.96.0/22,168.129.0.0/16,168.151.0.0/22,168.151.4.0/23,168.151.6.0/24,168.151.32.0/21,168.151.43.0/24,168.151.44.0/22,168.151.48.0/22,168.151.52.0/23,168.151.54.0/24,168.151.56.0/21] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 20"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400019; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[168.151.128.0/20,168.151.145.0/24,168.151.146.0/23,168.151.148.0/22,168.151.152.0/22,168.151.157.0/24,168.151.158.0/23,168.151.160.0/20,168.151.176.0/21,168.151.184.0/22,168.151.192.0/20,168.151.208.0/21,168.151.216.0/22,168.151.220.0/23,168.151.232.0/21,168.151.240.0/21,168.151.248.0/22,168.151.254.0/24,168.181.52.0/22,168.195.76.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 21"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400020; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [168.211.0.0/16,168.227.128.0/22,168.227.140.0/22,169.239.152.0/22,170.67.0.0/16,170.83.232.0/22,170.113.0.0/16,170.120.0.0/16,170.179.0.0/16,170.244.40.0/22,170.244.240.0/22,170.247.220.0/22,171.25.212.0/22,171.26.0.0/16,172.98.0.0/18,174.136.192.0/18,175.103.64.0/18,176.56.192.0/19,176.96.88.0/21,176.102.120.0/21] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 22"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400021; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [176.223.116.0/23,176.223.118.0/24,176.223.160.0/23,177.234.136.0/21,178.212.184.0/21,178.213.176.0/22,179.63.0.0/17,180.178.192.0/18,180.236.0.0/14,181.177.64.0/18,185.0.96.0/19,185.21.8.0/22,185.30.168.0/22,185.39.8.0/22,185.55.4.0/22,185.55.140.0/22,185.60.201.0/24,185.60.202.0/23,185.63.35.0/24,185.64.23.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 23"; 
reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400022; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [185.116.172.0/23,185.116.175.0/24,185.120.8.0/22,185.122.128.0/22,185.123.144.0/20,185.123.248.0/21,185.124.0.0/22,185.124.56.0/21,185.126.136.0/22,185.126.148.0/22,185.126.160.0/21,185.126.224.0/22,185.126.236.0/22,185.126.248.0/22,185.127.44.0/22,185.127.56.0/22,185.127.68.0/22,185.127.76.0/22,185.127.92.0/22,185.129.8.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 24"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400023; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [185.144.180.0/22,185.147.140.0/22,185.156.88.0/21,185.156.92.0/22,185.161.148.0/22,185.165.24.0/22,185.180.192.0/22,185.184.192.0/22,185.185.48.0/22,185.193.90.0/24,185.193.143.0/24,185.194.100.0/22,185.203.64.0/22,185.215.132.0/22,185.227.200.0/22,185.230.44.0/22,185.234.64.0/22,185.237.104.0/22,185.237.220.0/22,185.237.226.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 25"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400024; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[188.172.160.0/19,188.208.48.0/22,188.208.52.0/22,188.208.109.0/24,188.208.220.0/22,188.209.120.0/21,188.212.254.0/24,188.213.23.0/24,188.213.206.0/23,188.213.214.0/23,188.213.248.0/22,188.213.252.0/22,188.214.94.0/24,188.214.95.0/24,188.214.140.0/24,188.214.155.0/24,188.214.193.0/24,188.241.211.0/24,188.247.230.0/24,190.123.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 26"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400025; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [192.31.212.0/23,192.40.29.0/24,192.43.160.0/24,192.43.175.0/24,192.43.176.0/21,192.43.184.0/24,192.54.110.0/24,192.67.16.0/24,192.96.146.0/24,192.101.44.0/24,192.101.181.0/24,192.101.200.0/21,192.101.240.0/21,192.101.248.0/23,192.133.3.0/24,192.152.194.0/24,192.154.11.0/24,192.160.44.0/24,192.161.80.0/20,192.190.49.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 27"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400026; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [192.219.120.0/21,192.219.128.0/18,192.219.192.0/20,192.219.208.0/21,192.226.16.0/20,192.229.32.0/19,192.231.66.0/24,192.234.189.0/24,192.245.101.0/24,192.251.231.0/24,192.252.16.0/20,193.25.48.0/20,193.30.254.0/23,193.32.66.0/23,193.46.172.0/22,193.139.0.0/16,193.151.160.0/22,193.201.232.0/22,193.228.91.0/24,193.243.0.0/17] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 28"; 
reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400027; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [196.1.109.0/24,196.10.64.0/19,196.15.64.0/18,196.16.0.0/14,196.42.128.0/17,196.61.192.0/20,196.62.0.0/16,196.192.192.0/18,196.193.0.0/16,196.194.0.0/15,196.199.0.0/16,196.207.64.0/18,196.246.0.0/16,197.154.0.0/16,197.231.208.0/22,198.13.0.0/20,198.14.0.0/20,198.20.16.0/20,198.45.32.0/20,198.45.64.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 29"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400028; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [198.96.224.0/20,198.99.117.0/24,198.102.222.0/24,198.148.212.0/24,198.151.16.0/20,198.151.64.0/18,198.151.152.0/22,198.160.205.0/24,198.169.201.0/24,198.177.175.0/24,198.177.176.0/22,198.177.180.0/24,198.177.214.0/24,198.178.64.0/19,198.179.22.0/24,198.181.96.0/20,198.183.32.0/19,198.184.193.0/24,198.184.208.0/24,198.186.25.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 30"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400029; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[198.200.8.0/23,198.202.237.0/24,198.204.0.0/21,198.206.140.0/24,198.212.132.0/24,199.5.152.0/23,199.5.229.0/24,199.26.137.0/24,199.26.207.0/24,199.26.251.0/24,199.33.222.0/24,199.34.128.0/18,199.60.102.0/24,199.71.192.0/20,199.73.64.0/20,199.84.16.0/20,199.84.55.0/24,199.84.56.0/22,199.84.60.0/24,199.84.64.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 31"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400030; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [199.184.82.0/24,199.185.144.0/20,199.185.192.0/20,199.196.192.0/19,199.198.160.0/20,199.198.176.0/21,199.198.184.0/23,199.198.188.0/22,199.200.64.0/19,199.212.96.0/20,199.223.0.0/20,199.230.64.0/19,199.230.96.0/21,199.233.85.0/24,199.233.96.0/24,199.241.64.0/19,199.244.56.0/21,199.245.138.0/24,199.246.137.0/24,199.246.213.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 32"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400031; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [199.254.32.0/20,200.0.60.0/23,200.22.0.0/16,200.71.124.0/22,200.189.44.0/22,200.234.128.0/18,201.148.168.0/22,201.169.0.0/16,202.0.192.0/18,202.20.32.0/19,202.21.64.0/19,202.27.96.0/23,202.27.98.0/24,202.27.99.0/24,202.27.100.0/22,202.27.120.0/22,202.27.161.0/24,202.27.162.0/23,202.27.164.0/22,202.27.168.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 33"; reference:url,www.spamhaus.org/drop/drop.lasso; 
threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400032; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [202.148.176.0/20,202.183.0.0/19,202.189.80.0/20,203.2.200.0/22,203.9.0.0/19,203.31.88.0/23,203.34.70.0/23,203.86.252.0/22,203.169.0.0/22,203.191.64.0/18,203.195.0.0/18,204.14.80.0/22,204.19.38.0/23,204.44.32.0/20,204.44.208.0/20,204.44.224.0/20,204.52.96.0/19,204.52.255.0/24,204.57.16.0/20,204.75.147.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 34"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400033; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [204.106.128.0/18,204.106.192.0/19,204.107.208.0/24,204.126.244.0/23,204.128.32.0/20,204.128.151.0/24,204.128.180.0/24,204.130.16.0/20,204.130.167.0/24,204.147.64.0/21,204.147.96.0/20,204.147.240.0/20,204.156.192.0/20,204.194.64.0/21,204.225.159.0/24,204.225.210.0/24,204.232.0.0/18,204.238.137.0/24,204.238.170.0/24,204.238.183.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 35"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400034; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[205.148.192.0/18,205.151.128.0/19,205.159.45.0/24,205.159.174.0/24,205.159.180.0/24,205.166.77.0/24,205.166.84.0/24,205.166.130.0/24,205.166.168.0/24,205.166.211.0/24,205.172.244.0/22,205.175.160.0/19,205.189.71.0/24,205.189.72.0/23,205.203.0.0/19,205.203.224.0/19,205.207.134.0/24,205.210.107.0/24,205.210.139.0/24,205.210.171.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 36"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400035; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [205.236.189.0/24,205.237.88.0/21,206.41.128.0/20,206.41.160.0/19,206.51.29.0/24,206.124.104.0/21,206.125.16.0/20,206.130.188.0/24,206.143.128.0/17,206.183.128.0/19,206.195.224.0/19,206.197.28.0/24,206.197.29.0/24,206.197.77.0/24,206.197.165.0/24,206.209.48.0/20,206.209.80.0/20,206.223.17.0/24,206.224.160.0/19,206.226.0.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 37"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400036; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [207.90.0.0/18,207.110.64.0/18,207.110.96.0/19,207.110.128.0/18,207.183.64.0/19,207.183.96.0/20,207.183.128.0/19,207.183.192.0/19,207.201.64.0/18,207.228.192.0/20,207.244.0.0/18,208.73.208.0/22,208.90.32.0/21,208.93.4.0/22,209.17.192.0/19,209.66.0.0/18,209.66.128.0/19,209.95.64.0/19,209.95.192.0/19,209.99.128.0/18] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 38"; 
reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400037; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [209.145.0.0/19,209.148.16.0/20,209.161.64.0/19,209.161.96.0/20,209.182.64.0/19,209.242.192.0/19,212.162.152.0/22,213.173.36.0/22,213.247.0.0/19,216.179.128.0/17,220.154.0.0/16,221.132.192.0/18,223.0.0.0/15,223.169.0.0/16,223.173.0.0/16,223.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 39"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400038; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateful-domainblock.example.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateful-domainblock.example.json new file mode 100644 index 0000000..ded9f03 --- /dev/null +++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateful-domainblock.example.json @@ -0,0 +1,15 @@ +{ + "RuleGroupName": "StatefulRulesExample1", + "RuleGroup": { + "RulesSource": { + "RulesSourceList": { + "Targets": [ "test.example.com" ], + "TargetTypes": [ "HTTP_HOST", "TLS_SNI" ], + "GeneratedRulesType": "DENYLIST" + } + } + }, + "Type": "STATEFUL", + "Description": "Stateful Rule3", + "Capacity": 100 +} \ No newline at end of file 
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateless-fwd-to-stateful.example.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateless-fwd-to-stateful.example.json
new file mode 100644
index 0000000..70a9a42
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateless-fwd-to-stateful.example.json
@@ -0,0 +1,41 @@
+{
+ "RuleGroupName": "StatelessExample2",
+ "RuleGroup": {
+ "RulesSource": {
+ "StatelessRulesAndCustomActions": {
+ "StatelessRules": [
+ {
+ "RuleDefinition": {
+ "MatchAttributes": {
+ "Sources": [
+ {
+ "AddressDefinition": "192.0.2.0/8"
+ }
+ ],
+ "Destinations": [
+ {
+ "AddressDefinition": "124.1.1.5/32"
+ },
+ {
+ "AddressDefinition": "198.51.100.0/16"
+ }
+ ],
+ "Protocols": [
+ 6,
+ 17
+ ]
+ },
+ "Actions": [
+ "aws:forward_to_sfe"
+ ]
+ },
+ "Priority": 100
+ }
+ ]
+ }
+ }
+ },
+ "Type": "STATELESS",
+ "Description": "Stateless Rule with Forward to Stateful3",
+ "Capacity": 220
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateless-pass-action.example.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateless-pass-action.example.json
new file mode 100644
index 0000000..c97b849
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/stateless-pass-action.example.json
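Review bot: The `AddressDefinition` values `192.0.2.0/8` and `198.51.100.0/16` in stateless-fwd-to-stateful.example.json have prefix lengths far wider than the RFC 5737 documentation ranges they appear to be taken from (192.0.2.0/24 and 198.51.100.0/24), and both have host bits set. As written, the source match is effectively all of 192.0.0.0/8, which includes 192.168.0.0/16 and a large amount of routable space. The same two values recur in stateless-pass-action.example.json, where the action is `aws:pass`, so a rule copied from that fixture would let the whole range bypass stateful inspection. The commit's file list shows same-named files under config/examples, so these values are probably what users will copy; I would use `"AddressDefinition": "192.0.2.0/24"` and `"AddressDefinition": "198.51.100.0/24"`. I would also replace the routable `124.1.1.5/32` with a documentation address such as `203.0.113.5/32`.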
@@ -0,0 +1,68 @@
+{
+ "RuleGroupName": "StatelessExample1",
+ "RuleGroup": {
+ "RulesSource": {
+ "StatelessRulesAndCustomActions": {
+ "StatelessRules": [
+ {
+ "RuleDefinition": {
+ "MatchAttributes": {
+ "Sources": [
+ {
+ "AddressDefinition": "192.0.2.0/8"
+ }
+ ],
+ "Destinations": [
+ {
+ "AddressDefinition": "198.51.100.0/16"
+ }
+ ],
+ "SourcePorts": [
+ {
+ "FromPort": 53,
+ "ToPort": 53
+ },
+ {
+ "FromPort": 1001,
+ "ToPort": 1053
+ }
+ ],
+ "DestinationPorts": [
+ {
+ "FromPort": 53,
+ "ToPort": 53
+ },
+ {
+ "FromPort": 1001,
+ "ToPort": 1053
+ }
+ ],
+ "Protocols": [
+ 6
+ ],
+ "TCPFlags": [
+ {
+ "Flags": [
+ "SYN"
+ ],
+ "Masks": [
+ "SYN",
+ "ACK"
+ ]
+ }
+ ]
+ },
+ "Actions": [
+ "aws:pass"
+ ]
+ },
+ "Priority": 19
+ }
+ ]
+ }
+ }
+ },
+ "Type": "STATELESS",
+ "Description": "Stateless Rule with pass action",
+ "Capacity": 199
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/suricata-rule-reference.json b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/suricata-rule-reference.json
new file mode 100644
index 0000000..1f99720
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/firewall-test-configuration/ruleGroups/suricata-rule-reference.json
@@ -0,0 +1,8 @@
+
+{
+ "RuleGroupName": "suricata-icmp-rules2",
+ "Rules": "__tests__/firewall-test-configuration/ruleGroups/drop.rules",
+ "Type": "STATEFUL",
+ "Description": "Suricata rule group",
+ "Capacity": 100
+ }
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/__tests__/network-firewall-manager.spec.ts b/source/networkFirewallAutomation/__tests__/network-firewall-manager.spec.ts
new file mode 100644
index 0000000..da0c3f5
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/network-firewall-manager.spec.ts
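Review bot: In suricata-rule-reference.json the group is named `suricata-icmp-rules2` and described only as "Suricata rule group", but its `Rules` path points at drop.rules, whose visible entries are all `alert ip ...` Spamhaus DROP rules. The `alert` action only logs a match, so a reader who goes by the file name or the `ET DROP` messages may assume the listed sources are blocked. Nothing visible in this hunk shows the automation rewriting the action, so I would state the behaviour in the fixture, for example `"Description": "Spamhaus DROP list, alert-only (logs matches, does not block)"`. A `RuleGroupName` that reflects the content rather than ICMP would also help.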
@@ -0,0 +1,327 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import { NetworkFirewallManager } from '../lib/network-firewall-manager'; +import { ConfigReader } from '../lib/common/configReader/config-reader'; + + +jest.mock("aws-sdk", () => { + return { + __esModule: true, + NetworkFirewall: jest.fn().mockReturnValue({ + + }) + } +}, { virtual: true }); + +jest.mock("../lib/service/network-firewall-service", () => { + return { + __esModule: true, + NetworkFirewallService: jest.fn().mockReturnValue({ + describeRuleGroup: jest.fn().mockImplementation((data) => { + const StatelessExample2Describe = { "UpdateToken": "c7007261-d236-4997-8eab-7e15445c84a2", "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2", "RuleGroupName": "StatelessExample2", "RuleGroupId": "206bd83b-3b59-4000-9ff3-3fe369f34719", "Description": "Stateless Rule with Forward to Stateful3", "Type": "STATELESS", "Capacity": 220, "RuleGroupStatus": "ACTIVE", "Tags": [] } } + const StatelessExample1Describe = { "UpdateToken": "9b5bc310-99d4-45c9-a16e-bdb58f883a48", "RuleGroup": { "RulesSource": { "StatelessRulesAndCustomActions": { "StatelessRules": [{ "RuleDefinition": { "MatchAttributes": { "Sources": [{ "AddressDefinition": "192.0.2.0/8" }], "Destinations": [{ "AddressDefinition": "198.51.100.0/16" }], "SourcePorts": [{ "FromPort": 53, "ToPort": 53 }, { "FromPort": 1001, "ToPort": 1053 }], 
"DestinationPorts": [{ "FromPort": 53, "ToPort": 53 }, { "FromPort": 1001, "ToPort": 1053 }], "Protocols": [6], "TCPFlags": [{ "Flags": ["SYN"], "Masks": ["SYN", "ACK"] }] }, "Actions": ["aws:drop"] }, "Priority": 19 }], "CustomActions": [{ "ActionName": "CustomAction", "ActionDefinition": { "PublishMetricAction": { "Dimensions": [{ "Value": "test" }] } } }] } } }, "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1", "RuleGroupName": "StatelessExample1", "RuleGroupId": "7246cfe2-00c7-4ef9-8d47-2b80bf8840e5", "Description": "Stateless Rule with Custom Action2", "Type": "STATELESS", "Capacity": 199, "RuleGroupStatus": "ACTIVE", "Tags": [] } } + const StatefulRulesExample1Describe = { "UpdateToken": "dd7696c5-e2cd-4882-a560-21e28570fc0f", "RuleGroup": { "RulesSource": { "RulesSourceList": { "Targets": ["test.example.com"], "TargetTypes": ["HTTP_HOST", "TLS_SNI"], "GeneratedRulesType": "DENYLIST" } } }, "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1", "RuleGroupName": "StatefulRulesExample1", "RuleGroupId": "2560e622-5d9e-4c5c-9680-958bcb5c231b", "Description": "Stateful Rule2", "Type": "STATEFUL", "Capacity": 100, "RuleGroupStatus": "ACTIVE", "Tags": [] } } + const suricataRuleGroup = { + UpdateToken: '72e4e89b-acec-4184-b033-2dab8dd2a35f', + RuleGroupResponse: { + RuleGroupArn: 'arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/suricata-icmp-rules2', + RuleGroupName: 'suricata-icmp-rules2', + RuleGroupId: 'f593c04a-079c-423f-8558-b02a8c0edb0e', + Type: 'STATEFUL', + Capacity: 300, + RuleGroupStatus: 'ACTIVE' + } + } + + if (data === 'StatelessExample2') { + return StatelessExample2Describe + } else if (data === 'StatelessExample1') { + return StatelessExample1Describe + } else if (data === 'StatefulRulesExample1') { + return StatefulRulesExample1Describe; + } else if(data === 'suricata-icmp-rules2') { + return 
suricataRuleGroup; + } + return '' + }), + updateRuleGroup: jest.fn().mockImplementation((data) => { + const StatelessExample2Update = { "UpdateToken": "7fa52fd2-6b3a-41c5-8356-359d17a01ac0", "RuleGroup": { "RulesSource": { "StatelessRulesAndCustomActions": { "StatelessRules": [{ "RuleDefinition": { "MatchAttributes": { "Sources": [{ "AddressDefinition": "192.0.2.0/8" }], "Destinations": [{ "AddressDefinition": "124.1.1.5/32" }, { "AddressDefinition": "198.51.100.0/16" }], "Protocols": [6, 17] }, "Actions": ["aws:forward_to_sfe"] }, "Priority": 100 }] } } }, "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2", "RuleGroupName": "StatelessExample2", "RuleGroupId": "206bd83b-3b59-4000-9ff3-3fe369f34719", "Description": "Stateless Rule with Forward to Stateful2", "Type": "STATELESS", "Capacity": 220, "RuleGroupStatus": "ACTIVE", "Tags": [] } } + const StatelessExample1Update = { "UpdateToken": "327d0dca-e671-46bc-9ed7-83cf51773868", "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1", "RuleGroupName": "StatelessExample1", "RuleGroupId": "7246cfe2-00c7-4ef9-8d47-2b80bf8840e5", "Description": "Stateless Rule with Custom Action3", "Type": "STATELESS", "Capacity": 199, "RuleGroupStatus": "ACTIVE", "Tags": [] } } + const StatefulRulesExample1Update = { "UpdateToken": "cc4687e1-f370-4e10-abfc-12984e1d62e7", "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1", "RuleGroupName": "StatefulRulesExample1", "RuleGroupId": "2560e622-5d9e-4c5c-9680-958bcb5c231b", "Description": "Stateful Rule3", "Type": "STATEFUL", "Capacity": 100, "RuleGroupStatus": "ACTIVE", "Tags": [] } } + if (data["RuleGroupArn"] === 'arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2') { + return StatelessExample2Update + } else if (data["RuleGroupArn"] === 
'arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1') { + return StatelessExample1Update + } else if (data["RuleGroupArn"] === 'arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1') { + return StatefulRulesExample1Update; + } + return '' + }), + createRuleGroup: jest.fn().mockImplementation(() => { + //console.log(`Inside createRuleGroup mock ${JSON.stringify(data)}`); + }), + listRuleGroupsForPolicy: jest.fn().mockImplementation(() => { + return '' + }), + describeFirewall: jest.fn().mockImplementation(() => { + //console.log(`Inside describeFirewall mock ${JSON.stringify(data)}`); + return { Firewall: { "FirewallName": "VpcFirewall-1", "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:1234::firewall/*", "Description": "NetworkFirewallcreatedbyAWSSolutions", "VpcId": "vpc-1", "SubnetMappings": [{ "SubnetId": "subnet-1" }, { "SubnetId": "subnet-2" },], "DeleteProtection": true, "SubnetChangeProtection": true, "FirewallPolicyChangeProtection": true, "FirewallId": "string", "Tags": [{ "Key": "string", "Value": "string" },] }, FirewallStatus: { "Status": "READY", "ConfigurationSyncStateSummary": "IN_SYNC", "SyncStates": { "us-east-1a": { "Attachment": { "SubnetId": "subnet-1", "EndpointId": "vpce-1", "Status": "READY" }, "Config": { "arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2": {'SyncStatus': "IN_SYNC"} } }, "us-east-1b": { "Attachment": { "SubnetId": "subnet-2", "EndpointId": "vpce-2", "Status": "READY" }, "Config": { "arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1": {'SyncStatus': "IN_SYNC"}, 
"arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2": {'SyncStatus': "IN_SYNC"} } } } } } + }), + describeFirewallPolicy: jest.fn().mockImplementation((data) => { + if (data && data === "Firewall-Policy-2") { + return Promise.resolve({ + UpdateToken: 'aaa', + FirewallPolicyResponse: { + FirewallPolicyName: 'Firewall-Policy-2', + FirewallPolicyArn: 'arn:aws', + FirewallPolicyId: 100 + } + }) + } + return Promise.resolve() + }), + createFirewallPolicy: jest.fn().mockImplementation(() => { + //console.log(`Inside describeFirewallPolicy mock ${JSON.stringify(data)}`); + return { "FirewallPolicyResponse": { "FirewallPolicyName": "Firewall-Policy-1", "Description": "FirewallPolicy1", "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1", "FirewallPolicyStatus": "ACTIVE", "Tags": [{ "Key": "string", "Value": "string" }] }, "FirewallPolicy": { "StatelessDefaultActions": ["aws:drop"], "StatelessFragmentDefaultActions": ["aws:drop"], "StatelessRuleGroupReferences": [{ "Priority": 30, "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2" }, { "Priority": 20, "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1" }], "StatefulRuleGroupReferences": [{ "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1" }] } } + }), + createFirewall: jest.fn().mockImplementation(() => { + //console.log(`Inside describeFirewallPolicy mock ${JSON.stringify(data)}`); + return { "FirewallResponse": { "Firewall": { "FirewallName": "VpcFirewall-1", "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:1234::firewall/*", "Description": "NetworkFirewallcreatedbyAWSSolutions", "VpcId": 
"vpc-1", "SubnetMappings": [{ "SubnetId": "subnet-1" }, { "SubnetId": "subnet-2" }], "DeleteProtection": true, "SubnetChangeProtection": true, "FirewallPolicyChangeProtection": true, "FirewallId": "string", "Tags": [{ "Key": "string", "Value": "string" }] }, "FirewallStatus": { "Status": "READY", "ConfigurationSyncStateSummary": "IN_SYNC", "SyncStates": { "us-east-1a": { "Attachment": { "SubnetId": "subnet-1", "EndpointId": "vpce-1", "Status": "READY" }, "Config": { "arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2": {'SyncStatus': "IN_SYNC"} } }, "us-east-1b": { "Attachment": { "SubnetId": "subnet-2", "EndpointId": "vpce-2", "Status": "READY" }, "Config": { "arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1": {'SyncStatus': "IN_SYNC"}, "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2": {'SyncStatus': "IN_SYNC"} } } } } } } + }), + updateLoggingConfiguration: jest.fn().mockImplementation(() => { + return {} + }), + updateFirewallPolicy: jest.fn().mockImplementation(() => { + return { + + } + }), + associateFirewallPolicy: jest.fn().mockImplementation((data) => { + expect(data["FirewallPolicyArn"]).toBe("arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1"); + }), + updateFirewallDeleteProtection: jest.fn().mockImplementation((data) => { + expect(data["DeleteProtection"]).toBeTruthy(); + }), + updateFirewallPolicyChangeProtection: 
jest.fn().mockImplementation((data) => { + expect(data["FirewallPolicyChangeProtection"]).toBeTruthy() + }), + updateSubnetChangeProtection: jest.fn().mockImplementation((data) => { + expect(data["SubnetChangeProtection"]).toBeTruthy(); + }), + updateFirewallDescription: jest.fn().mockImplementation((data) => { + expect(data["Description"]).toBe("Network Firewall created by AWS Solutions") + }) + }) + } +}, { virtual: true }); + +test('test the method ruleGroupExist.', async () => { + const fileHandler = new ConfigReader(); + let firewallObject = fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + const managerInstance = new NetworkFirewallManager( + { vpcId: '', subnetIds: '', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: '' }, firewallObject, new ConfigReader()); + + //load the firewall policy + const policyObject = fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewallPolicies/firewall-policy.example.json') + + const response = await managerInstance.ruleGroupOperations(policyObject); + + expect(response).toStrictEqual({ "FirewallPolicyName": "Firewall-Policy-1", "FirewallPolicy": { "StatelessDefaultActions": ["aws:drop"], "StatelessFragmentDefaultActions": ["aws:drop"], "StatelessRuleGroupReferences": [{ "Priority": 30, "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2" }, { "Priority": 20, "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1" }], "StatefulRuleGroupReferences": [{ "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1" }, { "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/suricata-icmp-rules2" }] } }) +}) + +test('test the method ruleGroupExist error scenario.', async () => { + const fileHandler = new ConfigReader(); + let 
firewallObject = fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + const managerInstance = new NetworkFirewallManager( + { vpcId: '', subnetIds: '', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: '' }, firewallObject, new ConfigReader()); + + const policyObject = { + FirewallPolicyName: 'Firewall-Policy-1', + FirewallPolicy: { + StatelessDefaultActions: ['aws:drop'], + StatelessFragmentDefaultActions: ['aws:drop'], + StatelessRuleGroupReferences: [{ + "Priority": 30, + "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateless-fwd-to-stateful.example.json" + }, + { + "Priority": 20, + "ResourceArn": "__tests__/firewall-test-configuration/ruleGroups/stateless-pass-action.example.json" + }], + StatefulRuleGroupReferences: [{ + "ResourceArn": "error" + }] + } + } + + await expect(managerInstance.ruleGroupOperations(policyObject)).rejects.toThrowError("Error: ENOENT: no such file or directory, open 'error'") + +}) + +test('test the method firewallExist.', async () => { + + const fileHandler = new ConfigReader(); + let firewallObject = fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + const managerInstance = new NetworkFirewallManager( + { vpcId: 'vpc-1', subnetIds: 'subnet-1, subnet-2', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + + const response = await managerInstance.firewallOperations(); + expect(response).toStrictEqual({ + 'us-east-1a': { + Attachment: { SubnetId: 'subnet-1', EndpointId: 'vpce-1', Status: 'READY' }, + Config: { + 'arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1': {'SyncStatus': "IN_SYNC"}, + 
'arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1': {'SyncStatus': "IN_SYNC"}, + 'arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1': {'SyncStatus': "IN_SYNC"}, + 'arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2': {'SyncStatus': "IN_SYNC"} + } + }, + 'us-east-1b': { + Attachment: { SubnetId: 'subnet-2', EndpointId: 'vpce-2', Status: 'READY' }, + Config: { + 'arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1': {'SyncStatus': "IN_SYNC"}, + 'arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1': {'SyncStatus': "IN_SYNC"}, + 'arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1': {'SyncStatus': "IN_SYNC"}, + 'arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2': {'SyncStatus': "IN_SYNC"} + } + } + }) +}) + + +test('firewall policy already exists', async () => { + const fileHandler = new ConfigReader(); + let firewallObject = fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + const managerInstance = new NetworkFirewallManager( + { vpcId: 'vpc-1', subnetIds: 'subnet-1, subnet-2', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + + const response = await managerInstance.firewallPolicyOperations("__tests__/firewall-test-configuration/firewallPolicies/firewall-policy-2.json") + expect(response).toBe("arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1") +}) + + +test('test the logging configuration object creation from environment variables', async () => { + const fileHandler = new ConfigReader(); + let firewallObject = fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + let managerInstance = new 
NetworkFirewallManager( + { vpcId: '', subnetIds: '', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + + let loggingConfiguration = await managerInstance.createLoggingConfigurations() + + expect(loggingConfiguration.length).toBe(1) + expect(loggingConfiguration[0].LogType).toBe("ALERT") + expect(loggingConfiguration[0].LogDestinationType).toBe("S3") + expect(JSON.stringify(loggingConfiguration[0].LogDestination)).toStrictEqual("{\"bucketName\":\"test-bucket\",\"prefix\":\"alerts\"}") + + + managerInstance = new NetworkFirewallManager( + { vpcId: '', subnetIds: '', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'FLOW', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + + loggingConfiguration = await managerInstance.createLoggingConfigurations() + + expect(loggingConfiguration.length).toBe(1) + expect(loggingConfiguration[0].LogType).toBe("FLOW") + expect(loggingConfiguration[0].LogDestinationType).toBe("S3") + expect(JSON.stringify(loggingConfiguration[0].LogDestination)).toStrictEqual("{\"bucketName\":\"test-bucket\",\"prefix\":\"flow\"}") + + managerInstance = new NetworkFirewallManager( + { vpcId: '', subnetIds: '', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'EnableBoth', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + + loggingConfiguration = await managerInstance.createLoggingConfigurations() + + expect(loggingConfiguration.length).toBe(2) + expect(loggingConfiguration[0].LogType).toBe("ALERT") + expect(loggingConfiguration[0].LogDestinationType).toBe("S3") + expect(JSON.stringify(loggingConfiguration[0].LogDestination)).toStrictEqual("{\"bucketName\":\"test-bucket\",\"prefix\":\"alerts\"}") + expect(loggingConfiguration[1].LogType).toBe("FLOW") + 
expect(loggingConfiguration[1].LogDestinationType).toBe("S3") + expect(JSON.stringify(loggingConfiguration[1].LogDestination)).toStrictEqual("{\"bucketName\":\"test-bucket\",\"prefix\":\"flow\"}") + + managerInstance = new NetworkFirewallManager( + { vpcId: '', subnetIds: '', logDestinationType: 'CloudWatchLogs', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'EnableBoth', logDestination: 'log-group-name' }, firewallObject, new ConfigReader()); + + loggingConfiguration = await managerInstance.createLoggingConfigurations() + + expect(loggingConfiguration.length).toBe(2) + expect(loggingConfiguration[0].LogType).toBe("ALERT") + expect(loggingConfiguration[0].LogDestinationType).toBe("CloudWatchLogs") + expect(JSON.stringify(loggingConfiguration[0].LogDestination)).toStrictEqual("{\"logGroup\":\"log-group-name\"}") + + expect(loggingConfiguration[1].LogType).toBe("FLOW") + expect(loggingConfiguration[1].LogDestinationType).toBe("CloudWatchLogs") + expect(JSON.stringify(loggingConfiguration[1].LogDestination)).toStrictEqual("{\"logGroup\":\"log-group-name\"}") +}); + +test('subnet mappings function should return an array', () => { + const fileHandler = new ConfigReader(); + let firewallObject = fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + const managerInstance = new NetworkFirewallManager( + { vpcId: 'vpc-1', subnetIds: 'subnet-1, subnet-2', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + expect(managerInstance.getSubnetMapping()).toStrictEqual([ { SubnetId: 'subnet-1' }, { SubnetId: ' subnet-2' } ]) +}) +test('subnet mappings function should return an array --error scenario', () => { + const fileHandler = new ConfigReader(); + let firewallObject = 
fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + const managerInstance = new NetworkFirewallManager( + { vpcId: 'vpc-1', subnetIds: '', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + try { + managerInstance.getSubnetMapping() + } catch(error) { + expect(error["message"]).toBe("Subnet IDs must be in the environment variables") + } +}) + +test('vpc id should be return from environment variable', () => { + const fileHandler = new ConfigReader(); + let firewallObject = fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + const managerInstance = new NetworkFirewallManager( + { vpcId: 'vpc-1', subnetIds: 'subnet-1, subnet-2', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + expect(managerInstance.getVpcId()).toBe("vpc-1") +}) + +test('vpc id should be return from environment variable --error scenario', () => { + const fileHandler = new ConfigReader(); + let firewallObject = fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + const managerInstance = new NetworkFirewallManager( + { vpcId: '', subnetIds: 'subnet-1, subnet-2', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + try { + managerInstance.getVpcId() + } catch (error) { + expect(error["message"]).toBe("VPC ID must be in the environment variables") + } +}) + +test('Update firewall properties', async () => { + const fileHandler = new ConfigReader(); + let firewallObject = 
fileHandler.convertFileToObject('__tests__/firewall-test-configuration/firewalls/firewall.example.json') + const managerInstance = new NetworkFirewallManager( + { vpcId: '', subnetIds: 'subnet-1, subnet-2', logDestinationType: 'S3', logRetentionPeriod: "90", stackId : 'f449b250-b969-11e0-a185-5081d0136786', logType: 'ALERT', logDestination: 'test-bucket' }, firewallObject, new ConfigReader()); + + await managerInstance.updateFirewall({ + Firewall: { + FirewallId: '12345', + FirewallPolicyArn: 'arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-2', + SubnetMappings: [], + VpcId: '', + DeleteProtection: false, + Description: '', + FirewallName: 'VpcFirewall-1', + FirewallArn: '', + FirewallPolicyChangeProtection: false, + SubnetChangeProtection: false + } + }, 'arn:aws:network-firewall:us-east-1:1234:firewall-policy/Firewall-Policy-1') + +}) + diff --git a/source/networkFirewallAutomation/__tests__/network-firewall-service.spec.ts b/source/networkFirewallAutomation/__tests__/network-firewall-service.spec.ts new file mode 100644 index 0000000..8bd18e7 --- /dev/null +++ b/source/networkFirewallAutomation/__tests__/network-firewall-service.spec.ts 
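Review bot: The two "--error scenario" tests for `getSubnetMapping()` and `getVpcId()` pass even when nothing is thrown, because their only `expect` sits inside the `catch` block; the rejection of an empty `subnetIds` or `vpcId` is therefore never actually verified. Replace each try/catch with `expect(() => managerInstance.getSubnetMapping()).toThrow("Subnet IDs must be in the environment variables")`, and the equivalent for `getVpcId()` with its own message. The 'Update firewall properties' test has the same weakness: its checks on `DeleteProtection`, `SubnetChangeProtection` and `FirewallPolicyChangeProtection` live inside the mock implementations, so they run only if the manager happens to call those methods, and an `expect.assertions(n)` at the top of the test would make a skipped call fail. Separately, the positive subnet test pins `{ SubnetId: ' subnet-2' }` with a leading space, which suggests the comma-separated list is not trimmed before it is used as a subnet ID; that is worth confirming in `getSubnetMapping`, which is outside this hunk.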
@@ -0,0 +1,740 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import { NetworkFirewallService } from '../lib/service/network-firewall-service'; + +jest.mock("aws-sdk", () => { + return { + __esModule: true, + NetworkFirewall: jest.fn().mockReturnValue({ + deleteRuleGroup: jest.fn().mockImplementation((data) => { + expect(data['RuleGroupArn']).toBeDefined(); + return { + promise: jest.fn().mockImplementation(() => { + return Promise.resolve( + { + ResourceArn: '', + ResourceName: 'rg1', + Description: '', + UpdateToken: '', + RulesSource: {} + }) + }) + } + }), + describeRuleGroup: jest.fn().mockImplementation((ruleGroup) => { + if (ruleGroup["RuleGroupName"] === "ThrottlingException") { + throw { + "message": "ThrottlingException" + } + } + if (ruleGroup["RuleGroupName"] === "ResourceNotFoundException") { + throw {"code": "ResourceNotFoundException"}; + } + if (ruleGroup["RuleGroupName"] === "Error") { + return Promise.reject({ + message: "Error" + }) + } + if (ruleGroup["RuleGroupArn"] === "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2") { + return { + promise: jest.fn().mockReturnValue({ + UpdateToken: "aaaa", + RuleGroupResponse: { + RuleGroupArn: "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2", + RuleGroupName: "StatelessExample2", + RuleGroupId: 111 + } + }) + } + } + return { + promise: jest.fn().mockReturnValue({ + RuleGroup: { + RuleVariables: { + IPSets: 
[{ + "foo": { + Definition: [''], + Reference: 'AWS_ARN' + } + }], + PortSets: [{ + "foo": { + Definition: [''] + } + }] + }, + RulesSource: { + RulesString: '', + RulesSourceList: [{ + Targets: [''], + TargetType: [''], + GeneratedRulesType: '' + }], + StatefulRules: [{ + Action: '', + Header: { + Protocol: '', + Source: '', + SourcePort: '', + Direction: '', + Destination: '', + DestinationPort: '' + }, + RuleOptions: [{ + Keyword: '', + Settings: [''] + }] + }], + StatelessRulesAndCustomActions: { + StatelessRules: [{ + RuleDefinition: { + MatchAttributes: { + Sources: [''], + Destinations: [''], + SourcePorts: [{ + FromPort: 0, + ToPort: 999 + }], + DestinationPorts: [{ + FromPort: 0, + ToPort: 999 + }], + Protocols: [0, 1, 2, 3], + TCPFlags: [{ + Flags: [''], + Masks: [''] + }] + }, + Actions: [''] + }, + Priority: 9999 + }], + CustomAction: { + PublishMetrics: { + Dimensions: [{ + Value: '' + }] + } + } + } + } + }, + RuleGroupResponse: { + RuleGroupArn: '', + RuleGroupName: '', + RuleGroupId: '', + Description: '', + Type: '', + Capacity: 9999, + RuleGroupStatus: 'ACTIVE|DELETING|string', + Tags: [{ + Key: '', + Value: '' + }] + }, + UpdateToken: 'aaa' + }) + } + }), + describeFirewallPolicy: jest.fn().mockImplementation(() => { + return { + promise: jest.fn().mockReturnValue({ + UpdateToken: 'aaaa', + FirewallPolicyResponse: { + FirewallPolicyName: 'test-firewall-policy', + FirewallPolicyArn: '', + FirewallPolicyId: '', + Description: '', + FirewallPolicyStatus: 'ACTIVE', + Tags: [{ + Key: '', + Value: '' + }] + }, + FirewallPolicy: { + StatelessRuleGroupReferences: [{ + ResourceArn: 'arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2', + Priority: 999 + }], + StatelessDefaultActions: [''], + StatelessFragmentDefaultActions: [''], + StatelessCustomActions: [{ + ActionName: '', + CustomAction: { + PublishMetrics: { + Dimensions: [{ + Value: '' + }] + } + } + }], + StatefulRuleGroupReferences: [{ + ResourceArn: '' + }] + + } + }) + 
} + }), + updateRuleGroup: jest.fn().mockImplementation((data) =>{ + if (data['UpdateToken'] === 'invalid token') { + return { + promise: jest.fn().mockReturnValue({ + message: 'Update token is invalid.' + }) + } + } + if (data["UpdateToken"] === "error") { + return { + promise: jest.fn().mockReturnValue( + Promise.reject()) + } + } + + return { + promise: jest.fn().mockReturnValue({ + UpdateToken: '', + RuleGroupResponse: { + RuleGroupArn: '', + RuleGroupName: '', + RuleGroupId: '', + Description: '', + Type: '"STATELESS"|"STATEFUL"|string', + Capacity: 999, + RuleGroupStatus: '"ACTIVE"|"DELETING"|string', + Tags: [{ + Key: '', + Value: '' + }] + } + })} + }), + updateFirewallPolicy: jest.fn().mockImplementation((data) => { + if (data && data["UpdateToken"] === "test invalid token scenario") { + throw { + message: "Update token is invalid." + } + } + if (data && data["UpdateToken"] === "error") { + throw { + "message": "error" + } + } + + return { + promise: jest.fn().mockReturnValue({ + UpdateToken: 'aaa', + FirewallPolicyResponse: { + FirewallPolicyName: '', + FirewallPolicyArn: '', + FirewallPolicyId: '', + Description: '', + FirewallPolicyStatus: '"ACTIVE"|"DELETING"|string', + Tags: [{ + Key: '', + Value: '' + }] + } + }) + } + }), + listFirewalls: jest.fn().mockReturnValue({ + promise: jest.fn().mockReturnValue({}) + }), + createFirewall: jest.fn().mockImplementation((data) => { + + if (data["Description"] === "Error") { + throw Error("ResourceNotFoundException") + } + return { + promise: jest.fn().mockReturnValue({}) + + } + }), + createFirewallPolicy: jest.fn().mockReturnValue({ + promise: jest.fn().mockReturnValue({ + + }) + }), + createRuleGroup: jest.fn().mockReturnValue({ + promise: jest.fn().mockReturnValue({ + + }) + }), + describeFirewall: jest.fn().mockImplementation((data) => { + if (data["FirewallName"] === "error") { + throw Error("ResourceNotFoundException") + } + expect(data["FirewallName"]).toBeDefined(); + return { + promise: 
jest.fn().mockReturnValue({ + + }) + } + }), + describeLoggingConfiguration: jest.fn().mockReturnValue({ + promise: jest.fn().mockReturnValue({ + LoggingConfiguration: { + LogDestinationConfigs: [{ + LogType: 'ALERT', + LogDestinationType: 'CloudWatchLogs', + LogDestination: { + 'logGroup': "network-firewall-automation-solution", + 'prefix': 'alerts' + } + }] + } + }) + }), + updateLoggingConfiguration: jest.fn().mockImplementation((config)=> { + if(config["LoggingConfiguration"]["LogDestinationConfigs"][0] === undefined) { + + return { + promise: jest.fn().mockReturnValue({ + LoggingConfiguration: { + LogDestinationConfigs: [] + } + }) + } + } + if (config["LoggingConfiguration"]["LogDestinationConfigs"][0]["LogDestinationType"] === "CloudWatchLogs") { + return { + promise: jest.fn().mockReturnValue({ + LoggingConfiguration: { + LogDestinationConfigs: [] + } + }) + } + } + + + return { + promise: jest.fn().mockReturnValue({ + LoggingConfiguration: { + LogDestinationConfigs: [config["LoggingConfiguration"]["LogDestinationConfigs"][0]] + } + }) + } + }), + associateFirewallPolicy: jest.fn().mockImplementation((data) => { + + if (data && data["FirewallName"] === "error") { + throw { + "message": "error" + } + } + return {promise: jest.fn().mockReturnValue({ + + })} + }), + updateSubnetChangeProtection: jest.fn().mockImplementation((data) => { + if (data && data["FirewallName"] === "error") { + throw { + "message": "error" + } + } + return {promise: jest.fn().mockReturnValue({ + + })} + }), + updateFirewallDescription: jest.fn().mockImplementation((data) => { + if (data && data["FirewallName"] === "error") { + throw { + "message": "error" + } + } + return {promise: jest.fn().mockReturnValue({ + + })} + }), + updateFirewallPolicyChangeProtection: jest.fn().mockImplementation((data) => { + if (data && data["FirewallName"] === "error") { + throw { + "message": "error" + } + } + return {promise: jest.fn().mockReturnValue({ + + })} + }), + updateFirewallDeleteProtection: 
jest.fn().mockImplementation((data) => { + if (data && data["FirewallName"] === "error") { + throw { + "message": "error" + } + } + return {promise: jest.fn().mockReturnValue({ + + })} + }) + }) + } +}, { virtual: true }); + + + +test('test describe firewall policy', async () => { + + const service = new NetworkFirewallService(); + await expect(service.describeFirewallPolicy( +'test-network-firewall' + )).resolves.toBeDefined() +}) + + +test('test describe rule group', async () => { + const service = new NetworkFirewallService() + await expect(service.describeRuleGroup('test-stateless-rg1', 'STATEFUL')).resolves.toBeDefined(); +}) + +test('test describe rule group throttling error response', async () => { + const service = new NetworkFirewallService() + await expect(service.describeRuleGroup('ThrottlingException', 'STATEFUL')).rejects.toStrictEqual({"message":"ThrottlingException"}); +}) +test('test describe rule group resource not found exception response', async () => { + const service = new NetworkFirewallService() + await expect(service.describeRuleGroup('ResourceNotFoundException', 'STATEFUL')).resolves.toBeUndefined(); +}) + +test('create firewall ', async () => { + const service = new NetworkFirewallService() + await expect(service.createFirewall({ + "FirewallName": "VpcFirewall-1", + "FirewallPolicyArn": "__tests__/firewall-test-configuration/firewallPolicies/firewall-policy.example.json", + "Description": "Network Firewall created by AWS Solutions", + "DeleteProtection": true, + "FirewallPolicyChangeProtection": true, + "SubnetChangeProtection": true, + "SubnetMappings": [], + "VpcId": '', + "Tags": [{ + "Key": "SampleKey", + "Value": "SampleValue" + }] + })).resolves.toBeDefined() +}) +test('create firewall handle error response from the sdk. 
', async () => { + const service = new NetworkFirewallService() + await expect(service.createFirewall({ + "FirewallName": "VpcFirewall-1", + "FirewallPolicyArn": "__tests__/firewall-test-configuration/firewallPolicies/firewall-policy.example.json", + "Description": "Error", + "DeleteProtection": true, + "FirewallPolicyChangeProtection": true, + "SubnetChangeProtection": true, + "SubnetMappings": [], + "VpcId": '', + "Tags": [{ + "Key": "SampleKey", + "Value": "SampleValue" + }] + })).rejects.toThrowError("ResourceNotFoundException") +}) + +test('create Firewall policy', async () => { + const service = new NetworkFirewallService() + await expect(service.createFirewallPolicy({ + "FirewallPolicyName": "Firewall-Policy-1", + "FirewallPolicy": { + "StatelessDefaultActions": [ + "aws:drop" + ], + "StatelessFragmentDefaultActions": [ + "aws:drop" + ], + "StatelessRuleGroupReferences": [ + { + "Priority": 30, + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2" + }, + { + "Priority": 20, + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1" + } + ], + "StatefulRuleGroupReferences": [ + { + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1" + } + ] + } + })).resolves.toBeDefined(); + +}) + +test('create rule group', async () => { + + const service = new NetworkFirewallService() + await expect(service.createRuleGroup({ + "RuleGroupName": "StatefulRulesExample1", + "RuleGroup": { + "RulesSource": { + "RulesSourceList": { + "Targets": ["test.example.com"], + "TargetTypes": ["HTTP_HOST", "TLS_SNI"], + "GeneratedRulesType": "DENYLIST" + } + } + }, + "Type": "STATEFUL", + "Description": "Stateful Rule3", + "Capacity": 100 + })).resolves.toBeDefined(); + +}) + +test(' describe firewall', async () => { + const service = new NetworkFirewallService() + await expect(service.describeFirewall('firewall-name')).resolves.toBeDefined(); +}) + +test(' 
describe firewall handle sdk error', async () => { + const service = new NetworkFirewallService() + await expect(service.describeFirewall('error')) + .rejects.toThrowError("ResourceNotFoundException") +}) + +test('Update firewall policy ', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateFirewallPolicy({ + UpdateToken: '', + FirewallPolicyArn: '', + FirewallPolicyName: 'test', + FirewallPolicy: { + "StatelessDefaultActions": [ + "aws:drop" + ], + "StatelessFragmentDefaultActions": [ + "aws:drop" + ], + "StatelessRuleGroupReferences": [ + { + "Priority": 30, + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2" + }, + { + "Priority": 20, + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1" + } + ], + "StatefulRuleGroupReferences": [ + { + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1" + } + ] + } + })).resolves.toBeDefined() +}) + +test('Update firewall policy handle invalid token scenario.', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateFirewallPolicy({ + UpdateToken: 'test invalid token scenario', + FirewallPolicyArn: '', + FirewallPolicyName: 'test', + FirewallPolicy: { + "StatelessDefaultActions": [ + "aws:drop" + ], + "StatelessFragmentDefaultActions": [ + "aws:drop" + ], + "StatelessRuleGroupReferences": [ + { + "Priority": 30, + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2" + }, + { + "Priority": 20, + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1" + } + ], + "StatefulRuleGroupReferences": [ + { + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1" + } + ] + } + })).resolves.toBeDefined() +}) +test('Update firewall policy handle error.', async () => { + const service = new NetworkFirewallService(); 
+ await expect(service.updateFirewallPolicy({ + UpdateToken: 'error', + FirewallPolicyArn: '', + FirewallPolicyName: 'test', + FirewallPolicy: { + "StatelessDefaultActions": [ + "aws:drop" + ], + "StatelessFragmentDefaultActions": [ + "aws:drop" + ], + "StatelessRuleGroupReferences": [ + { + "Priority": 30, + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample2" + }, + { + "Priority": 20, + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateless-rulegroup/StatelessExample1" + } + ], + "StatefulRuleGroupReferences": [ + { + "ResourceArn": "arn:aws:network-firewall:us-east-1:1234:stateful-rulegroup/StatefulRulesExample1" + } + ] + } + })).rejects.toBeDefined() +}) + + +test('Update rule groups', async () => { + + const service = new NetworkFirewallService() + await expect(service.updateRuleGroup({ + UpdateToken: '', + RuleGroupName: 'test' + })).resolves.toBeDefined() + +}) +test('Update rule groups handle invalid token error', async () => { + + const service = new NetworkFirewallService() + await expect(service.updateRuleGroup({ + UpdateToken: 'invalid token', + RuleGroupName: 'test' + })).resolves.toBeDefined() + +}) +test('Update rule groups handle error', async () => { + + const service = new NetworkFirewallService() + await expect(service.updateRuleGroup({ + UpdateToken: 'error', + RuleGroupName: 'test' + })).rejects.toThrowError() + +}) + +test('Update logging configuration', async () => { + const service = new NetworkFirewallService() + const response = await service.updateLoggingConfiguration('firewallName', { + LogDestinationConfigs: [{ + LogType: 'ALERT', + LogDestination: { + 'bucketName': "network-firewall-automation-solution", + 'prefix': "alerts" + }, + LogDestinationType: 'S3' + }] + }) + 
expect(response).toStrictEqual({"LoggingConfiguration":{"LogDestinationConfigs":[{"LogType":"ALERT","LogDestination":{"bucketName":"network-firewall-automation-solution","prefix":"alerts"},"LogDestinationType":"S3"}]}}) +}) + +test('List rule groups for firewall Policy', async () => { + const service = new NetworkFirewallService() + await expect(service.listRuleGroupsForPolicy('FirewallName')).resolves.toBeDefined() +}) + +test('delete rule Group', async () => { + const service = new NetworkFirewallService() + await expect(service.deleteRuleGroup('')).resolves.toBeUndefined() +}) + +test('associate firewall policy', async () => { + + const service = new NetworkFirewallService(); + await expect(service.associateFirewallPolicy({ + FirewallPolicyArn: '', + FirewallName: '' + })).resolves.toBeDefined(); + +}) + +test('associate firewall policy error response', async () => { + + const service = new NetworkFirewallService(); + await expect(service.associateFirewallPolicy({ + FirewallPolicyArn: '', + FirewallName: 'error' + })).rejects.toBeDefined(); + +}) + +test('update firewall description.', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateFirewallDescription({ + Description: '', + FirewallName: '' + })).resolves.toBeDefined(); + +}) + +test('associate firewall description error response', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateFirewallDescription({ + Description: '', + FirewallName: 'error' + })).rejects.toBeDefined(); +}) + +test('update firewall deletion protection.', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateFirewallDeleteProtection({ + DeleteProtection: false, + FirewallName: '' + })).resolves.toBeDefined(); +}) + +test('associate firewall deletion protection error response', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateFirewallDeleteProtection({ + DeleteProtection: false, + 
FirewallName: 'error' + })).rejects.toBeDefined(); +}) + +test('update firewall policy change protection.', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateFirewallPolicyChangeProtection({ + FirewallPolicyChangeProtection: false, + FirewallName: '' + })).resolves.toBeDefined(); +}) + +test('update firewall policy change protection error response.', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateFirewallPolicyChangeProtection({ + FirewallPolicyChangeProtection: false, + FirewallName: 'error' + })).rejects.toBeDefined(); +}) + +test('update subnet change protection.', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateSubnetChangeProtection({ + SubnetChangeProtection: false, + FirewallName: '' + })).resolves.toBeDefined(); +}) + +test('update subnet change protection error response.', async () => { + const service = new NetworkFirewallService(); + await expect(service.updateSubnetChangeProtection({ + SubnetChangeProtection: false, + FirewallName: 'error' + })).rejects.toBeDefined(); +}) \ No newline at end of file diff --git a/source/networkFirewallAutomation/__tests__/send-metrics.spec.ts b/source/networkFirewallAutomation/__tests__/send-metrics.spec.ts new file mode 100644 index 0000000..f4a38f4 --- /dev/null +++ b/source/networkFirewallAutomation/__tests__/send-metrics.spec.ts 
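Review bot: The protection-flag tests at the end of network-firewall-service.spec.ts (`updateFirewallDeleteProtection`, `updateFirewallPolicyChangeProtection`, `updateSubnetChangeProtection`) only assert `.resolves.toBeDefined()` against a mock that returns `{}`. They would still pass if the service dropped or inverted the flag before calling the SDK. Because these flags guard the firewall against deletion and against policy or subnet changes, each test should also check the argument the mock received, e.g. `expect(sdk.updateFirewallDeleteProtection).toHaveBeenCalledWith(expect.objectContaining({ DeleteProtection: false }))`, where `sdk` is the object the mocked `NetworkFirewall` constructor returns. Two titles also look copy-pasted: 'associate firewall description error response' and 'associate firewall deletion protection error response' exercise the update calls, not associate.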
@@ -0,0 +1,74 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+import { MetricsManager } from "../lib/common/send-metrics"
+
+jest.mock("aws-sdk", () => {
+ return {
+ __esModule: true,
+ SSM: jest.fn().mockReturnValue({
+ getParameter: jest.fn().mockImplementation((data) => {
+ expect(data).toStrictEqual({ Name: 'network-firewall-solution-uuid-asds' })
+ if ('network-firewall-solution-uuid-asds' === data["Name"]) {
+ return {
+ promise: jest.fn().mockReturnValue({
+ Parameter: {
+ Value: '5d358dfa-bc71-4a48-a00c-0931e8ec1456'
+ }
+ })
+ }
+ } else {
+ return {
+ promise: jest.fn().mockReturnValue({
+
+ })
+ }
+ }
+ })
+ })
+ }
+}, { virtual: true });
+
+jest.mock("uuid", () => {
+ return {
+ __esModule: true,
+ v4: jest.fn().mockImplementation(() => {
+ return '5d358dfa-bc71-4a48-a00c-0931e8ec1456'
+ })
+ }
+}, { virtual: true });
+
+jest.mock("axios", () => {
+ return {
+ __esModule: true,
+ post: jest.fn().mockImplementation(() => {
+ return {
+ promise: jest.fn().mockReturnValue({
+
+ })
+ }
+ })
+ }
+}, { virtual: true });
+
+test('test sending the metrics when the uuid is already in the parameter store.', async () => {
+ process.env.STACK_ID = 'asds'
+ process.env.SEND_ANONYMOUS_METRICS = 'Yes'
+ await MetricsManager.sendMetrics({
+ numberOfFirewalls: 1,
+ numberOfPolicies: 1,
+ numberOfStatefulRuleGroups: 1,
+ numberOfStatelessRuleGroups: 1,
+ numberOfSuricataRules: 0
+ })
+})
+
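Review bot: The only test in send-metrics.spec.ts awaits `MetricsManager.sendMetrics(...)` and asserts nothing about the outbound request; the single `expect` sits inside the SSM mock and checks the parameter name. For a feature that posts usage data to an external endpoint, the test should pin what is sent: assert on the mocked `axios.post`, e.g. `expect(axios.post).toHaveBeenCalledTimes(1)` plus a check of the payload keys. A second case with `SEND_ANONYMOUS_METRICS` set to something other than 'Yes' should expect `axios.post` not to be called, assuming that variable is the opt-out, which the hunk suggests but does not show. The axios mock also returns an object with a `promise` method rather than a promise, which is the aws-sdk call shape and not what `axios.post` returns. `process.env` is also modified without being restored afterwards.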
diff --git a/source/networkFirewallAutomation/__tests__/stringManipulation.spec.ts b/source/networkFirewallAutomation/__tests__/stringManipulation.spec.ts
new file mode 100644
index 0000000..743b503
--- /dev/null
+++ b/source/networkFirewallAutomation/__tests__/stringManipulation.spec.ts
@@ -0,0 +1,32 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+import { StringUtils, Name } from '../lib/common/stringUtils';
+
+const stackId = 'f449b250-b969-11e0-a185-5081d0136786'
+
+test('test resource name less than 128 chars', async () => {
+ const resourceName = 'Firewall-1'
+ const stringMod = new StringUtils(stackId)
+ const customName = stringMod.getUniqueResourceName(resourceName)
+ console.log(customName)
+ expect(customName.length < Name.maxCharacters)
+})
+
+test('test resource name more than 128 chars', async () => {
+ const resourceName = 'Firewall-1-f449b250-b969-11e0-a185-5081d0136786-f449b250-b969-11e0-a185-5081d0136786-f449b250-b969-11e0-a185-9-11e0-a185-5081d0136786-f449b250-b969-11e0-a185'
+ const stringMod = new StringUtils(stackId)
+ const customName = stringMod.getUniqueResourceName(resourceName)
+ console.log(customName)
+ expect(customName.length == Name.maxCharacters)
+})
diff --git a/source/networkFirewallAutomation/build.ts b/source/networkFirewallAutomation/build.ts
new file mode 100644
index 0000000..59a0817
--- /dev/null
+++ b/source/networkFirewallAutomation/build.ts
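Review bot: Both assertions in stringManipulation.spec.ts are no-ops: `expect(customName.length < Name.maxCharacters)` and `expect(customName.length == Name.maxCharacters)` build an expectation but never call a matcher, so the tests pass whatever `getUniqueResourceName` returns. Use `expect(customName.length).toBeLessThan(Name.maxCharacters)` in the first test and `expect(customName.length).toBe(Name.maxCharacters)` in the second. The `console.log(customName)` calls and the `async` on both callbacks can go as well, since nothing is awaited.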
@@ -0,0 +1,27 @@
+
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+import { FirewallConfigValidation } from "./lib/common/firewall-config-validation"
+import { Logger, LOG_LEVEL } from "./lib/common/logger";
+
+async function main() {
+ try {
+ const firewallConfigValidation = new FirewallConfigValidation()
+ await firewallConfigValidation.execute();
+ } catch(error) {
+ Logger.log(LOG_LEVEL.ERROR, `Error in firewall config validation`, error)
+ process.exit(1)
+ }
+}
+
+main();
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/config/examples/firewallPolicies/firewall-policy.example.json b/source/networkFirewallAutomation/config/examples/firewallPolicies/firewall-policy.example.json
new file mode 100644
index 0000000..abf1fd3
--- /dev/null
+++ b/source/networkFirewallAutomation/config/examples/firewallPolicies/firewall-policy.example.json
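Review bot: `main()` in build.ts has no comment saying what it gates; the visible code runs `FirewallConfigValidation.execute()` and calls `process.exit(1)` on any error. I would add a short TSDoc block above it, e.g. `/** Runs the firewall config validation and exits with status 1 on any error. */`, so a reader knows the non-zero exit is deliberate. Whether that exit actually stops an invalid configuration from being deployed depends on the pipeline that invokes this script, which is outside the hunk.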
@@ -0,0 +1,30 @@
+{
+ "FirewallPolicyName": "Firewall-Policy-1",
+ "Description": "Firewall Policy 1",
+ "FirewallPolicy": {
+ "StatelessDefaultActions": [
+ "aws:drop"
+ ],
+ "StatelessFragmentDefaultActions": [
+ "aws:drop"
+ ],
+ "StatelessRuleGroupReferences": [
+ {
+ "Priority": 30,
+ "ResourceArn": "./ruleGroups/stateless-fwd-to-stateful.example.json"
+ },
+ {
+ "Priority": 20,
+ "ResourceArn": "./ruleGroups/stateless-pass-action.example.json"
+ }
+ ],
+ "StatefulRuleGroupReferences": [
+ {
+ "ResourceArn": "./ruleGroups/stateful-domainblock.example.json"
+ },
+ {
+ "ResourceArn": "./ruleGroups/suricata-rule-reference.json"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/config/examples/firewalls/firewall.example.json b/source/networkFirewallAutomation/config/examples/firewalls/firewall.example.json
new file mode 100644
index 0000000..a831ca5
--- /dev/null
+++ b/source/networkFirewallAutomation/config/examples/firewalls/firewall.example.json
@@ -0,0 +1,12 @@
+{
+ "FirewallName": "VpcFirewall-1",
+ "FirewallPolicyArn": "./firewallPolicies/firewall-policy.example.json",
+ "Description": "Network Firewall created by AWS Solutions",
+ "DeleteProtection": true,
+ "FirewallPolicyChangeProtection": true,
+ "SubnetChangeProtection": true,
+ "Tags": [{
+ "Key": "SampleKey",
+ "Value": "SampleValue"
+ }]
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/config/examples/ruleGroups/drop.rules b/source/networkFirewallAutomation/config/examples/ruleGroups/drop.rules
new file mode 100644
index 0000000..e37904c
--- /dev/null
+++ b/source/networkFirewallAutomation/config/examples/ruleGroups/drop.rules
@@ -0,0 +1,79 @@ +# +# $Id: emerging-drop.rules $ +# Emerging Threats Spamhaus DROP List rules. +# +# Rules to block Spamhaus DROP listed networks (www.spamhaus.org) +# +# More information available at www.emergingthreats.net +# +# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list +# +#************************************************************* +# +# Copyright (c) 2003-2020, Emerging Threats +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the +# following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following +# disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the +# following disclaimer in the documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +# + +# VERSION 2793 + + +# Generated 2021-01-10 00:05:02 EDT + +alert ip [2.59.200.0/22,5.134.128.0/19,5.180.4.0/22,5.181.84.0/22,5.183.60.0/22,5.188.10.0/23,24.137.16.0/20,24.170.208.0/20,24.233.0.0/19,24.236.0.0/19,27.126.160.0/20,27.146.0.0/16,31.14.65.0/24,31.14.66.0/23,31.40.156.0/22,31.40.164.0/22,36.0.8.0/21,36.37.48.0/20,36.116.0.0/16,36.119.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 1"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400000; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [42.0.32.0/19,42.1.128.0/17,42.96.0.0/18,42.128.0.0/12,42.160.0.0/12,42.194.128.0/17,42.208.0.0/12,43.229.52.0/22,43.236.0.0/16,43.250.116.0/22,43.252.80.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,45.9.148.0/22,45.9.156.0/22,45.10.16.0/22,45.11.184.0/22,45.11.188.0/22,45.41.0.0/18] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [45.65.120.0/22,45.65.188.0/22,45.80.28.0/22,45.80.248.0/23,45.80.250.0/23,45.86.20.0/22,45.95.40.0/22,45.114.240.0/22,45.117.52.0/22,45.117.232.0/22,45.119.40.0/22,45.121.204.0/22,45.130.100.0/22,45.135.193.0/24,45.159.56.0/22,45.220.64.0/18,46.102.177.0/24,46.102.178.0/23,46.102.180.0/24,46.102.182.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 3"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: 
type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400002; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [58.14.0.0/15,58.145.176.0/21,59.153.60.0/22,60.233.0.0/16,61.11.224.0/19,61.45.251.0/24,64.92.224.0/20,64.250.144.0/20,65.97.48.0/20,67.213.112.0/20,68.66.48.0/20,69.8.64.0/20,69.8.96.0/20,72.1.224.0/20,74.114.148.0/22,76.191.0.0/20,77.36.62.0/24,77.81.84.0/23,77.81.86.0/24,77.81.89.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 4"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400003; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [85.209.4.0/22,86.55.40.0/23,86.55.42.0/23,86.62.28.0/22,86.104.0.0/23,86.104.2.0/24,86.104.212.0/23,86.104.222.0/23,86.104.224.0/23,86.105.2.0/24,86.105.6.0/24,86.105.176.0/24,86.105.178.0/24,86.105.184.0/23,86.105.186.0/24,86.105.229.0/24,86.105.230.0/24,86.105.242.0/23,86.106.10.0/24,86.106.13.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 5"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400004; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[86.106.110.0/23,86.106.114.0/23,86.106.116.0/23,86.106.118.0/24,86.106.138.0/23,86.106.140.0/23,86.106.174.0/23,86.107.72.0/24,86.107.193.0/24,86.107.194.0/23,88.218.40.0/22,88.218.148.0/22,89.32.43.0/24,89.32.170.0/24,89.32.202.0/24,89.33.46.0/23,89.33.116.0/24,89.33.134.0/24,89.33.198.0/23,89.33.200.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 6"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400005; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [89.34.74.0/24,89.34.102.0/24,89.34.104.0/23,89.35.54.0/24,89.35.89.0/24,89.35.90.0/24,89.36.38.0/23,89.36.136.0/24,89.36.138.0/23,89.36.141.0/24,89.37.92.0/23,89.37.94.0/24,89.37.96.0/24,89.37.129.0/24,89.37.130.0/23,89.37.132.0/23,89.37.134.0/24,89.38.240.0/24,89.39.69.0/24,89.39.212.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 7"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400006; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [89.40.209.0/24,89.41.27.0/24,89.41.28.0/23,89.41.49.0/24,89.41.50.0/23,89.41.189.0/24,89.41.190.0/23,89.42.10.0/24,89.42.152.0/23,89.42.154.0/24,89.45.82.0/24,89.46.47.0/24,91.132.164.0/22,91.197.196.0/22,91.200.12.0/22,91.200.133.0/24,91.200.248.0/22,91.218.236.0/22,91.220.163.0/24,91.229.52.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 8"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; 
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400007; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [93.114.51.0/24,93.114.52.0/23,93.114.54.0/24,93.114.58.0/23,93.115.59.0/24,93.119.118.0/23,93.119.120.0/23,93.119.124.0/23,93.120.34.0/24,93.120.46.0/24,94.131.228.0/22,94.154.32.0/22,96.45.144.0/20,98.143.192.0/20,101.42.0.0/16,101.134.0.0/15,101.192.0.0/14,101.203.128.0/19,101.248.0.0/15,102.196.96.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 9"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400008; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [103.14.208.0/22,103.16.76.0/24,103.23.8.0/22,103.23.124.0/22,103.24.232.0/22,103.30.12.0/22,103.32.0.0/16,103.32.132.0/22,103.34.0.0/16,103.36.64.0/22,103.59.92.0/22,103.73.172.0/22,103.75.36.0/22,103.76.96.0/22,103.76.128.0/22,103.77.32.0/22,103.99.0.0/22,103.100.168.0/22,103.134.144.0/23,103.135.144.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 10"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400009; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[103.197.240.0/22,103.199.88.0/22,103.199.184.0/22,103.205.84.0/22,103.207.160.0/22,103.210.244.0/22,103.215.80.0/22,103.225.72.0/22,103.225.128.0/22,103.226.192.0/22,103.228.60.0/22,103.229.36.0/22,103.230.144.0/22,103.232.136.0/22,103.232.172.0/22,103.236.32.0/22,103.239.28.0/22,103.239.56.0/22,103.243.8.0/22,103.243.124.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 11"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400010; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [104.239.0.0/17,104.243.192.0/20,104.247.96.0/19,104.250.192.0/19,104.250.224.0/19,104.251.192.0/20,106.95.0.0/16,107.182.112.0/20,107.182.240.0/20,107.190.160.0/20,110.41.0.0/16,111.223.192.0/19,113.212.128.0/19,116.144.0.0/15,116.146.0.0/15,117.58.0.0/17,119.58.0.0/16,119.232.0.0/16,120.48.0.0/15,121.46.124.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 12"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400011; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [124.157.0.0/18,124.242.0.0/16,125.31.192.0/18,125.58.0.0/18,125.169.0.0/16,128.24.0.0/16,128.85.0.0/16,130.21.0.0/16,130.148.0.0/16,130.196.0.0/16,130.222.0.0/16,131.108.16.0/22,131.143.0.0/16,131.200.0.0/16,132.255.132.0/22,134.18.0.0/16,134.22.0.0/16,134.23.0.0/16,134.33.0.0/16,134.127.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 13"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type 
limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400012; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [137.72.0.0/16,137.76.0.0/16,137.105.0.0/16,137.114.0.0/16,137.218.0.0/16,138.31.0.0/16,138.36.92.0/22,138.36.136.0/22,138.52.0.0/16,138.59.4.0/22,138.59.204.0/22,138.94.144.0/22,138.94.216.0/22,138.97.156.0/22,138.122.192.0/22,138.125.0.0/16,138.185.116.0/22,138.186.208.0/22,138.216.0.0/16,138.219.172.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 14"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400013; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [140.82.96.0/20,140.167.0.0/16,141.98.68.0/23,141.98.70.0/23,141.136.22.0/24,141.178.0.0/16,141.206.128.0/20,141.253.0.0/16,142.102.0.0/16,143.0.236.0/22,143.49.0.0/16,143.135.0.0/16,143.136.0.0/16,143.253.0.0/16,145.231.0.0/16,146.3.0.0/16,146.51.0.0/16,146.106.0.0/16,146.183.0.0/16,146.202.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 15"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400014; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[148.148.0.0/16,148.154.0.0/16,148.178.0.0/16,148.185.0.0/16,148.248.0.0/16,149.118.0.0/16,149.207.0.0/16,150.10.0.0/16,150.22.128.0/17,150.25.0.0/16,150.40.0.0/16,150.121.0.0/16,150.129.212.0/22,150.129.228.0/22,150.141.0.0/16,150.242.120.0/22,150.242.144.0/22,151.212.0.0/16,152.89.228.0/23,152.89.230.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 16"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400015; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [155.11.0.0/16,155.40.0.0/16,155.66.0.0/16,155.71.0.0/16,155.73.0.0/16,155.108.0.0/16,155.159.0.0/16,155.235.0.0/16,155.249.0.0/16,156.96.0.0/16,157.115.0.0/16,157.162.0.0/16,157.186.0.0/16,157.195.0.0/16,158.54.0.0/16,158.249.0.0/16,159.80.0.0/16,159.85.0.0/16,159.151.0.0/16,159.174.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 17"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400016; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [160.116.0.0/16,160.117.0.0/16,160.121.0.0/16,160.122.0.0/16,160.180.0.0/16,160.184.0.0/16,160.188.0.0/16,160.200.0.0/16,160.235.0.0/16,160.240.0.0/16,160.255.0.0/16,161.0.0.0/19,161.0.68.0/22,161.1.0.0/16,162.208.124.0/22,162.212.188.0/22,162.222.128.0/21,162.249.20.0/22,163.47.19.0/24,163.50.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 18"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; 
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400017; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [163.216.0.0/19,163.250.0.0/16,163.254.0.0/16,164.6.0.0/16,164.79.0.0/16,164.88.0.0/16,164.137.0.0/16,164.155.0.0/16,165.3.0.0/16,165.25.0.0/16,165.52.0.0/14,165.102.0.0/16,165.205.0.0/16,165.209.0.0/16,165.231.0.0/16,166.93.0.0/16,166.117.0.0/16,167.74.0.0/18,167.82.144.0/20,167.97.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 19"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400018; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [167.224.0.0/19,167.224.32.0/20,167.224.48.0/21,167.249.200.0/22,168.0.212.0/22,168.64.0.0/16,168.76.0.0/16,168.80.0.0/15,168.90.96.0/22,168.129.0.0/16,168.151.0.0/22,168.151.4.0/23,168.151.6.0/24,168.151.32.0/21,168.151.43.0/24,168.151.44.0/22,168.151.48.0/22,168.151.52.0/23,168.151.54.0/24,168.151.56.0/21] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 20"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400019; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[168.151.128.0/20,168.151.145.0/24,168.151.146.0/23,168.151.148.0/22,168.151.152.0/22,168.151.157.0/24,168.151.158.0/23,168.151.160.0/20,168.151.176.0/21,168.151.184.0/22,168.151.192.0/20,168.151.208.0/21,168.151.216.0/22,168.151.220.0/23,168.151.232.0/21,168.151.240.0/21,168.151.248.0/22,168.151.254.0/24,168.181.52.0/22,168.195.76.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 21"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400020; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [168.211.0.0/16,168.227.128.0/22,168.227.140.0/22,169.239.152.0/22,170.67.0.0/16,170.83.232.0/22,170.113.0.0/16,170.120.0.0/16,170.179.0.0/16,170.244.40.0/22,170.244.240.0/22,170.247.220.0/22,171.25.212.0/22,171.26.0.0/16,172.98.0.0/18,174.136.192.0/18,175.103.64.0/18,176.56.192.0/19,176.96.88.0/21,176.102.120.0/21] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 22"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400021; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [176.223.116.0/23,176.223.118.0/24,176.223.160.0/23,177.234.136.0/21,178.212.184.0/21,178.213.176.0/22,179.63.0.0/17,180.178.192.0/18,180.236.0.0/14,181.177.64.0/18,185.0.96.0/19,185.21.8.0/22,185.30.168.0/22,185.39.8.0/22,185.55.4.0/22,185.55.140.0/22,185.60.201.0/24,185.60.202.0/23,185.63.35.0/24,185.64.23.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 23"; 
reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400022; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [185.116.172.0/23,185.116.175.0/24,185.120.8.0/22,185.122.128.0/22,185.123.144.0/20,185.123.248.0/21,185.124.0.0/22,185.124.56.0/21,185.126.136.0/22,185.126.148.0/22,185.126.160.0/21,185.126.224.0/22,185.126.236.0/22,185.126.248.0/22,185.127.44.0/22,185.127.56.0/22,185.127.68.0/22,185.127.76.0/22,185.127.92.0/22,185.129.8.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 24"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400023; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [185.144.180.0/22,185.147.140.0/22,185.156.88.0/21,185.156.92.0/22,185.161.148.0/22,185.165.24.0/22,185.180.192.0/22,185.184.192.0/22,185.185.48.0/22,185.193.90.0/24,185.193.143.0/24,185.194.100.0/22,185.203.64.0/22,185.215.132.0/22,185.227.200.0/22,185.230.44.0/22,185.234.64.0/22,185.237.104.0/22,185.237.220.0/22,185.237.226.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 25"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400024; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[188.172.160.0/19,188.208.48.0/22,188.208.52.0/22,188.208.109.0/24,188.208.220.0/22,188.209.120.0/21,188.212.254.0/24,188.213.23.0/24,188.213.206.0/23,188.213.214.0/23,188.213.248.0/22,188.213.252.0/22,188.214.94.0/24,188.214.95.0/24,188.214.140.0/24,188.214.155.0/24,188.214.193.0/24,188.241.211.0/24,188.247.230.0/24,190.123.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 26"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400025; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [192.31.212.0/23,192.40.29.0/24,192.43.160.0/24,192.43.175.0/24,192.43.176.0/21,192.43.184.0/24,192.54.110.0/24,192.67.16.0/24,192.96.146.0/24,192.101.44.0/24,192.101.181.0/24,192.101.200.0/21,192.101.240.0/21,192.101.248.0/23,192.133.3.0/24,192.152.194.0/24,192.154.11.0/24,192.160.44.0/24,192.161.80.0/20,192.190.49.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 27"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400026; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [192.219.120.0/21,192.219.128.0/18,192.219.192.0/20,192.219.208.0/21,192.226.16.0/20,192.229.32.0/19,192.231.66.0/24,192.234.189.0/24,192.245.101.0/24,192.251.231.0/24,192.252.16.0/20,193.25.48.0/20,193.30.254.0/23,193.32.66.0/23,193.46.172.0/22,193.139.0.0/16,193.151.160.0/22,193.201.232.0/22,193.228.91.0/24,193.243.0.0/17] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 28"; 
reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400027; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [196.1.109.0/24,196.10.64.0/19,196.15.64.0/18,196.16.0.0/14,196.42.128.0/17,196.61.192.0/20,196.62.0.0/16,196.192.192.0/18,196.193.0.0/16,196.194.0.0/15,196.199.0.0/16,196.207.64.0/18,196.246.0.0/16,197.154.0.0/16,197.231.208.0/22,198.13.0.0/20,198.14.0.0/20,198.20.16.0/20,198.45.32.0/20,198.45.64.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 29"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400028; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [198.96.224.0/20,198.99.117.0/24,198.102.222.0/24,198.148.212.0/24,198.151.16.0/20,198.151.64.0/18,198.151.152.0/22,198.160.205.0/24,198.169.201.0/24,198.177.175.0/24,198.177.176.0/22,198.177.180.0/24,198.177.214.0/24,198.178.64.0/19,198.179.22.0/24,198.181.96.0/20,198.183.32.0/19,198.184.193.0/24,198.184.208.0/24,198.186.25.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 30"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400029; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[198.200.8.0/23,198.202.237.0/24,198.204.0.0/21,198.206.140.0/24,198.212.132.0/24,199.5.152.0/23,199.5.229.0/24,199.26.137.0/24,199.26.207.0/24,199.26.251.0/24,199.33.222.0/24,199.34.128.0/18,199.60.102.0/24,199.71.192.0/20,199.73.64.0/20,199.84.16.0/20,199.84.55.0/24,199.84.56.0/22,199.84.60.0/24,199.84.64.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 31"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400030; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [199.184.82.0/24,199.185.144.0/20,199.185.192.0/20,199.196.192.0/19,199.198.160.0/20,199.198.176.0/21,199.198.184.0/23,199.198.188.0/22,199.200.64.0/19,199.212.96.0/20,199.223.0.0/20,199.230.64.0/19,199.230.96.0/21,199.233.85.0/24,199.233.96.0/24,199.241.64.0/19,199.244.56.0/21,199.245.138.0/24,199.246.137.0/24,199.246.213.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 32"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400031; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [199.254.32.0/20,200.0.60.0/23,200.22.0.0/16,200.71.124.0/22,200.189.44.0/22,200.234.128.0/18,201.148.168.0/22,201.169.0.0/16,202.0.192.0/18,202.20.32.0/19,202.21.64.0/19,202.27.96.0/23,202.27.98.0/24,202.27.99.0/24,202.27.100.0/22,202.27.120.0/22,202.27.161.0/24,202.27.162.0/23,202.27.164.0/22,202.27.168.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 33"; reference:url,www.spamhaus.org/drop/drop.lasso; 
threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400032; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [202.148.176.0/20,202.183.0.0/19,202.189.80.0/20,203.2.200.0/22,203.9.0.0/19,203.31.88.0/23,203.34.70.0/23,203.86.252.0/22,203.169.0.0/22,203.191.64.0/18,203.195.0.0/18,204.14.80.0/22,204.19.38.0/23,204.44.32.0/20,204.44.208.0/20,204.44.224.0/20,204.52.96.0/19,204.52.255.0/24,204.57.16.0/20,204.75.147.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 34"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400033; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [204.106.128.0/18,204.106.192.0/19,204.107.208.0/24,204.126.244.0/23,204.128.32.0/20,204.128.151.0/24,204.128.180.0/24,204.130.16.0/20,204.130.167.0/24,204.147.64.0/21,204.147.96.0/20,204.147.240.0/20,204.156.192.0/20,204.194.64.0/21,204.225.159.0/24,204.225.210.0/24,204.232.0.0/18,204.238.137.0/24,204.238.170.0/24,204.238.183.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 35"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400034; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip 
[205.148.192.0/18,205.151.128.0/19,205.159.45.0/24,205.159.174.0/24,205.159.180.0/24,205.166.77.0/24,205.166.84.0/24,205.166.130.0/24,205.166.168.0/24,205.166.211.0/24,205.172.244.0/22,205.175.160.0/19,205.189.71.0/24,205.189.72.0/23,205.203.0.0/19,205.203.224.0/19,205.207.134.0/24,205.210.107.0/24,205.210.139.0/24,205.210.171.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 36"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400035; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [205.236.189.0/24,205.237.88.0/21,206.41.128.0/20,206.41.160.0/19,206.51.29.0/24,206.124.104.0/21,206.125.16.0/20,206.130.188.0/24,206.143.128.0/17,206.183.128.0/19,206.195.224.0/19,206.197.28.0/24,206.197.29.0/24,206.197.77.0/24,206.197.165.0/24,206.209.48.0/20,206.209.80.0/20,206.223.17.0/24,206.224.160.0/19,206.226.0.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 37"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400036; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [207.90.0.0/18,207.110.64.0/18,207.110.96.0/19,207.110.128.0/18,207.183.64.0/19,207.183.96.0/20,207.183.128.0/19,207.183.192.0/19,207.201.64.0/18,207.228.192.0/20,207.244.0.0/18,208.73.208.0/22,208.90.32.0/21,208.93.4.0/22,209.17.192.0/19,209.66.0.0/18,209.66.128.0/19,209.95.64.0/19,209.95.192.0/19,209.99.128.0/18] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 38"; 
reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400037; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) +alert ip [209.145.0.0/19,209.148.16.0/20,209.161.64.0/19,209.161.96.0/20,209.182.64.0/19,209.242.192.0/19,212.162.152.0/22,213.173.36.0/22,213.247.0.0/19,216.179.128.0/17,220.154.0.0/16,221.132.192.0/18,223.0.0.0/15,223.169.0.0/16,223.173.0.0/16,223.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 39"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400038; rev:2793; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_01_10;) diff --git a/source/networkFirewallAutomation/config/examples/ruleGroups/stateful-domainblock.example.json b/source/networkFirewallAutomation/config/examples/ruleGroups/stateful-domainblock.example.json new file mode 100644 index 0000000..4465c03 --- /dev/null +++ b/source/networkFirewallAutomation/config/examples/ruleGroups/stateful-domainblock.example.json @@ -0,0 +1,31 @@ +{ + "RuleGroupName": "StatefulRulesExample1", + "RuleGroup": { + "RuleVariables": { + "IPSets": { + "HOME_NET": { + "Definition": [ + "10.0.0.0/8", + "172.16.0.0/16" + ] + } + } + }, + "RulesSource": { + "RulesSourceList": { + "TargetTypes": [ + "HTTP_HOST", + "TLS_SNI" + ], + "Targets": [ + "test.example.com", + "test2.example.com" + ], + "GeneratedRulesType": "DENYLIST" + } + } + }, + "Type": "STATEFUL", + "Description": "Stateful Rule", + "Capacity": 100 +} \ No newline at end of file 
diff --git a/source/networkFirewallAutomation/config/examples/ruleGroups/stateless-fwd-to-stateful.example.json b/source/networkFirewallAutomation/config/examples/ruleGroups/stateless-fwd-to-stateful.example.json
new file mode 100644
index 0000000..3169f0e
--- /dev/null
+++ b/source/networkFirewallAutomation/config/examples/ruleGroups/stateless-fwd-to-stateful.example.json
@@ -0,0 +1,41 @@
+{
+ "RuleGroupName": "StatelessExample2",
+ "RuleGroup": {
+ "RulesSource": {
+ "StatelessRulesAndCustomActions": {
+ "StatelessRules": [
+ {
+ "RuleDefinition": {
+ "MatchAttributes": {
+ "Sources": [
+ {
+ "AddressDefinition": "192.0.2.0/8"
+ }
+ ],
+ "Destinations": [
+ {
+ "AddressDefinition": "198.51.100.0/16"
+ },
+ {
+ "AddressDefinition": "198.52.100.0/16"
+ }
+ ],
+ "Protocols": [
+ 6,
+ 17
+ ]
+ },
+ "Actions": [
+ "aws:forward_to_sfe"
+ ]
+ },
+ "Priority": 100
+ }
+ ]
+ }
+ }
+ },
+ "Type": "STATELESS",
+ "Description": "Stateless Rule with Forward to Stateful",
+ "Capacity": 220
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/config/examples/ruleGroups/stateless-pass-action.example.json b/source/networkFirewallAutomation/config/examples/ruleGroups/stateless-pass-action.example.json
new file mode 100644
index 0000000..c97b849
--- /dev/null
+++ b/source/networkFirewallAutomation/config/examples/ruleGroups/stateless-pass-action.example.json
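Review bot: The `AddressDefinition` values under `MatchAttributes` are not canonical network prefixes: `192.0.2.0/8` and `198.51.100.0/16` have host bits set, so read as masks they cover all of 192.0.0.0/8 and 198.51.0.0/16 rather than the documentation ranges they resemble, and `198.52.100.0/16` is not a reserved documentation block at all. Someone adapting the example by swapping in their own addresses could keep the short prefix length and match far more traffic than intended. Using `192.0.2.0/24`, `198.51.100.0/24` and `203.0.113.0/24` would keep the example inside the reserved ranges. The same `192.0.2.0/8` to `198.51.100.0/16` pair appears in stateless-pass-action.example.json, where the action is `aws:pass` and matched traffic therefore skips stateful inspection.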
@@ -0,0 +1,68 @@
+{
+ "RuleGroupName": "StatelessExample1",
+ "RuleGroup": {
+ "RulesSource": {
+ "StatelessRulesAndCustomActions": {
+ "StatelessRules": [
+ {
+ "RuleDefinition": {
+ "MatchAttributes": {
+ "Sources": [
+ {
+ "AddressDefinition": "192.0.2.0/8"
+ }
+ ],
+ "Destinations": [
+ {
+ "AddressDefinition": "198.51.100.0/16"
+ }
+ ],
+ "SourcePorts": [
+ {
+ "FromPort": 53,
+ "ToPort": 53
+ },
+ {
+ "FromPort": 1001,
+ "ToPort": 1053
+ }
+ ],
+ "DestinationPorts": [
+ {
+ "FromPort": 53,
+ "ToPort": 53
+ },
+ {
+ "FromPort": 1001,
+ "ToPort": 1053
+ }
+ ],
+ "Protocols": [
+ 6
+ ],
+ "TCPFlags": [
+ {
+ "Flags": [
+ "SYN"
+ ],
+ "Masks": [
+ "SYN",
+ "ACK"
+ ]
+ }
+ ]
+ },
+ "Actions": [
+ "aws:pass"
+ ]
+ },
+ "Priority": 19
+ }
+ ]
+ }
+ }
+ },
+ "Type": "STATELESS",
+ "Description": "Stateless Rule with pass action",
+ "Capacity": 199
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/config/examples/ruleGroups/suricata-rule-reference.json b/source/networkFirewallAutomation/config/examples/ruleGroups/suricata-rule-reference.json
new file mode 100644
index 0000000..1175cb4
--- /dev/null
+++ b/source/networkFirewallAutomation/config/examples/ruleGroups/suricata-rule-reference.json
@@ -0,0 +1,8 @@
+
+{
+ "RuleGroupName": "suricata-drop-rules",
+ "Rules": "./ruleGroups/drop.rules",
+ "Type": "STATEFUL",
+ "Description": "Suricata rule group",
+ "Capacity": 100
+ }
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/config/firewallPolicies/firewall-policy-1.json b/source/networkFirewallAutomation/config/firewallPolicies/firewall-policy-1.json
new file mode 100644
index 0000000..4a69cbe
--- /dev/null
+++ b/source/networkFirewallAutomation/config/firewallPolicies/firewall-policy-1.json
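Review bot: The rule group in suricata-rule-reference.json is named `suricata-drop-rules` and loads `./ruleGroups/drop.rules`, but every rule visible in that file uses the `alert` action, so as written the group would log traffic from the listed ranges rather than block it. If blocking is intended the rules need the `drop` action; if alert-only is intended, a name and `Description` that say so (for example `"Description": "Suricata alert-only rules for Spamhaus DROP ranges"`) would keep operators from assuming the traffic is dropped. The rule file is also a static snapshot (its header reads `Generated 2021-01-10`), so the listed ranges go stale unless the deployment refreshes them, which is worth stating alongside the example.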
@@ -0,0 +1,12 @@
+{
+ "FirewallPolicyName": "Firewall-Policy-1",
+ "Description": "Firewall Policy 1",
+ "FirewallPolicy": {
+ "StatelessDefaultActions": [
+ "aws:forward_to_sfe"
+ ],
+ "StatelessFragmentDefaultActions": [
+ "aws:pass"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/config/firewalls/firewall-1.json b/source/networkFirewallAutomation/config/firewalls/firewall-1.json
new file mode 100644
index 0000000..782b4f4
--- /dev/null
+++ b/source/networkFirewallAutomation/config/firewalls/firewall-1.json
@@ -0,0 +1,8 @@
+{
+ "FirewallName": "Firewall-1",
+ "FirewallPolicyArn": "./firewallPolicies/firewall-policy-1.json",
+ "Description": "Network Firewall 1",
+ "DeleteProtection": true,
+ "FirewallPolicyChangeProtection": true,
+ "SubnetChangeProtection": true
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/index.ts b/source/networkFirewallAutomation/index.ts
new file mode 100644
index 0000000..49c47bb
--- /dev/null
+++ b/source/networkFirewallAutomation/index.ts
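Review bot: `StatelessFragmentDefaultActions` in firewall-policy-1.json is `aws:pass` while `StatelessDefaultActions` is `aws:forward_to_sfe`, so in this shipped default policy fragmented packets are passed without reaching the stateful engine that all other traffic is sent to. Unless that is deliberate, `"StatelessFragmentDefaultActions": ["aws:forward_to_sfe"]` (or `"aws:drop"`) would close the gap. The policy also references no stateful rule groups in this hunk, so until some are added forwarding to the stateful engine presumably applies no rules; saying in `Description` that this is a permissive starting point would make that explicit.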
@@ -0,0 +1,88 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +/** + * @description + * AWS Network Firewall Manager Solution + * @author aws-solutions + */ + +import { + EnvironmentProps, + NetworkFirewallManager +} from "./lib/network-firewall-manager" +import { + Ec2EnvironmentProps, + Ec2Manager +} from "./lib/ec2-manager" +import { ConfigReader, ConfigPath } from "./lib/common/configReader/config-reader" +import { Logger, LOG_LEVEL } from "./lib/common/logger" + + +async function firewallManager() { + + // declare environment variables + let envProps: EnvironmentProps = { + vpcId: process.env.VPC_ID, + subnetIds: process.env.SUBNET_IDS, + logDestinationType: process.env.LOG_DESTINATION_TYPE, //S3 or CloudWatchLogs + logDestination: process.env.S3_LOG_BUCKET_NAME !== 'NotConfigured' ? process.env.S3_LOG_BUCKET_NAME : process.env.CLOUDWATCH_LOG_GROUP_NAME, //S3 bucket name or CloudWatchLogs group name + logType: process.env.LOG_TYPE, //ALERT OR FLOW + logRetentionPeriod: process.env.LOG_RETENTION_IN_DAYS, + stackId: process.env.STACK_ID ? process.env.STACK_ID : "" + } + + const transitGatewayAttachmentId = process.env.TRANSIT_GATEWAY_ATTACHMENT_ID ? process.env.TRANSIT_GATEWAY_ATTACHMENT_ID : ""; + const applianceMode = process.env.TRANSIT_GATEWAY_ATTACHMENT_APPLIANCE_MODE ? 
process.env.TRANSIT_GATEWAY_ATTACHMENT_APPLIANCE_MODE : "enable"; + Ec2Manager.updateTransitGatewayAttachementApplianceMode(transitGatewayAttachmentId, applianceMode); + + + let ec2EnvProps: Ec2EnvironmentProps[] = [ + { + availabilityZone: process.env.VPC_TGW_ATTACHMENT_AZ_1, + routeTableId: process.env.VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_1 + }, + { + availabilityZone: process.env.VPC_TGW_ATTACHMENT_AZ_2, + routeTableId: process.env.VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_2 + }] + + try { + const currentPath = process.cwd() + const directoryPath = currentPath.concat(ConfigPath.firewallDirectory) + + const fileHandler = new ConfigReader() + const firewallFiles = fileHandler.getJSONFileNames(directoryPath) + + for (let filePath of firewallFiles) { + + Logger.log(LOG_LEVEL.INFO, `Processing ${filePath}`) + let firewallObject = fileHandler.convertFileToObject(filePath) + Logger.log(LOG_LEVEL.INFO, firewallObject) + let firewallMgr = new NetworkFirewallManager(envProps, firewallObject, fileHandler) + const syncStates = await firewallMgr.firewallOperations() + Logger.log(LOG_LEVEL.INFO, syncStates) + Logger.log(LOG_LEVEL.INFO, `Creating route to firewall endpoint.`) + if (syncStates) { + const ec2Mgr = new Ec2Manager(ec2EnvProps, syncStates) + await ec2Mgr.routeTableOperations() + } + } + } catch (error) { + Logger.log(LOG_LEVEL.ERROR, `Failed to deploy/update Network Firewall`, error) + process.exit(1) + } +} + +// Initiating Network Firewall Manager Solution +firewallManager() \ No newline at end of file diff --git a/source/networkFirewallAutomation/lib/common/configReader/config-reader.ts b/source/networkFirewallAutomation/lib/common/configReader/config-reader.ts new file mode 100644 index 0000000..488ae6d --- /dev/null +++ b/source/networkFirewallAutomation/lib/common/configReader/config-reader.ts 
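Review bot: `Ec2Manager.updateTransitGatewayAttachementApplianceMode(transitGatewayAttachmentId, applianceMode)` is an async call that is neither awaited nor inside the `try` block, so a rejected modify call never reaches the `process.exit(1)` path and the firewall deployment carries on without it. Depending on the Node version, the failure shows up as an unhandled rejection or only as a warning. Making it the first statement of the `try` as `await Ec2Manager.updateTransitGatewayAttachementApplianceMode(transitGatewayAttachmentId, applianceMode)` gives it the same failure handling as the rest of `firewallManager`. The bare `firewallManager()` call at the bottom could likewise end in `.catch(() => process.exit(1))`.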
@@ -0,0 +1,63 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ +import * as fs from 'fs' +import * as path from 'path' +import { Logger, LOG_LEVEL } from '../logger' + +export enum ConfigPath { + firewallDirectory = '/firewalls' +} +/** + * @description This class reads the json files and return file objects + */ +export class ConfigReader { + + /** + * @description This method will return the json file names in the path. + * @param directoryPath string value of the file system path. + * @returns Array of file names. + */ + getJSONFileNames(directoryPath: string): string[] { + Logger.log(LOG_LEVEL.DEBUG, `Config directory path: ${directoryPath}`) + return fs.readdirSync(directoryPath) + .filter((name: any) => path.extname(name) === '.json') + .map((name: any) => (path.join(directoryPath, name))) + } + + /** + * This method will read the file contents and attempt to convert the file content into JSON object. + * @returns JSON object of the file content. + * @param filePath string value of absolute file path. + */ + convertFileToObject(filePath: string): any { + Logger.log(LOG_LEVEL.DEBUG, `Returning object for file: ${filePath}`) + return JSON.parse(fs.readFileSync(filePath).toString()) + } + + /** + * This method will read the file contents and attempt to convert the file content into a string. Method will return an empty string + * if the file path is incorrect or invalid. + * @returns String representation of the file content. 
+ * @param filePath string value of absolute file path. + */ + copyFileContentToString(filePath: string): any { + Logger.log(LOG_LEVEL.DEBUG, `Returning string content for file: ${filePath}`) + try { + return fs.readFileSync(filePath).toString() + } catch(error) { + Logger.log(LOG_LEVEL.DEBUG, `Error converting the file content to string:`, error) + return ""; + } + } + +} \ No newline at end of file diff --git a/source/networkFirewallAutomation/lib/common/firewall-config-validation.ts b/source/networkFirewallAutomation/lib/common/firewall-config-validation.ts new file mode 100644 index 0000000..15be7fa --- /dev/null +++ b/source/networkFirewallAutomation/lib/common/firewall-config-validation.ts 
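Review bot: `convertFileToObject` and `copyFileContentToString` pass `filePath` straight to `fs.readFileSync`, and the callers visible in this patch feed them paths taken from inside the config JSON (`FirewallPolicyArn`, `ResourceArn`, `Rules`), so nothing keeps a referenced file inside the configuration directory. If the config repository can be edited by people who should not read files on the build host, resolve the path first and reject anything outside the root: `const resolved = path.resolve(filePath)` followed by `if (!resolved.startsWith(process.cwd() + path.sep)) throw new Error("config path outside root")`. `copyFileContentToString` also logs the read error only at DEBUG and returns `""`, which hides the difference between a missing file and an empty one. Its return type can be `string` rather than `any`.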
@@ -0,0 +1,214 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import { NetworkFirewall } from "aws-sdk"; +import { Logger, LOG_LEVEL } from "./logger"; +import { ConfigReader, ConfigPath } from "./configReader/config-reader"; +import { MetricsManager, NetworkFirewallMetrics } from "./send-metrics"; + +interface InvalidConfigFiles { + path: string; + referencedInFile?: any; + error?: any; +} + +export class FirewallConfigValidation { + + private invalidFiles: InvalidConfigFiles[]; + private service: NetworkFirewall; + private fileHandler: ConfigReader; + + constructor() { + this.invalidFiles = [] + this.service = new NetworkFirewall() + this.fileHandler = new ConfigReader() + } + + getInvalidFiles() { + return this.invalidFiles + } + + /** + * This method will validate all the files in starting with firewall, firewall policy and rule groups, all the invalid + * files will be output to the console and an error is thrown, + * if there no invalid files the validation will exit without any error. + * @param rootDir optional if the value is not provided the path configured in the ConfigPath is taken as directory. 
+ */ + async execute(rootDir?: string) { + const metrics: NetworkFirewallMetrics = { + numberOfFirewalls: 0, + numberOfPolicies: 0, + numberOfStatefulRuleGroups: 0, + numberOfStatelessRuleGroups: 0, + numberOfSuricataRules: 0 + } + Logger.log(LOG_LEVEL.INFO, `Starting firewall config validation`) + try { + const currentPath = process.cwd() + let directoryPath; + if (rootDir) { + directoryPath = currentPath.concat(rootDir) + } else { + directoryPath = currentPath.concat(ConfigPath.firewallDirectory) + } + Logger.log(LOG_LEVEL.INFO, `Config file path ${directoryPath}`) + const firewallFiles = this.fileHandler.getJSONFileNames(directoryPath) + metrics.numberOfFirewalls = firewallFiles.length + + for (let firewallFile of firewallFiles) { + Logger.log(LOG_LEVEL.INFO, `Validating the file paths for the firewall file named: ${firewallFile}`) + let firewall: NetworkFirewall.Types.CreateFirewallRequest = this.fileHandler.convertFileToObject(firewallFile) + + this.validateFirewallFile(firewall) + + let firewallPolicy: NetworkFirewall.Types.CreateFirewallPolicyRequest; + + //verify firewall policy. + try { + firewallPolicy = this.fileHandler.convertFileToObject(firewall.FirewallPolicyArn) + metrics.numberOfPolicies += 1 + await this.validateFirewallPolicyFile(firewallPolicy, firewall.FirewallPolicyArn) + } catch (error) { + Logger.log(LOG_LEVEL.INFO, `Failed to validate the firewall policy`) + this.invalidFiles.push({ + path: firewall.FirewallPolicyArn, + referencedInFile: firewall.FirewallPolicyArn, + error: "The file in the attribute path is not available in the configuration." + }) + break; + } + + //loop through all the stateful rule groups and verify if the files compile to a valid json object. 
+ if (firewallPolicy.FirewallPolicy.StatefulRuleGroupReferences) { + metrics.numberOfStatefulRuleGroups += firewallPolicy.FirewallPolicy.StatefulRuleGroupReferences.length + Logger.log(LOG_LEVEL.DEBUG, `Firewall Policy StatefulRuleGroupReferences`, firewallPolicy.FirewallPolicy.StatefulRuleGroupReferences) + for (let statefulRuleGroup of firewallPolicy.FirewallPolicy.StatefulRuleGroupReferences) { + try { + const ruleGroup: NetworkFirewall.Types.CreateRuleGroupRequest = this.fileHandler.convertFileToObject(statefulRuleGroup.ResourceArn); + if (ruleGroup.Rules) { + metrics.numberOfSuricataRules += 1; + } + await this.validateRuleGroupFile(ruleGroup, statefulRuleGroup.ResourceArn) + } catch (error) { + this.invalidFiles.push({ + path: statefulRuleGroup.ResourceArn, + referencedInFile: firewall.FirewallPolicyArn, + error: "The file in the attribute path is not available in the configuration." + }) + } + } + } + //loop through all the stateless rule groups and verify if the files compile to a valid json object. + if (firewallPolicy.FirewallPolicy.StatelessRuleGroupReferences) { + metrics.numberOfStatelessRuleGroups += firewallPolicy.FirewallPolicy.StatelessRuleGroupReferences.length + Logger.log(LOG_LEVEL.DEBUG, `Firewall Policy StatelessRuleGroupReferences`, firewallPolicy.FirewallPolicy.StatelessRuleGroupReferences) + for (let statelessRuleGroup of firewallPolicy.FirewallPolicy.StatelessRuleGroupReferences) { + try { + const ruleGroup = this.fileHandler.convertFileToObject(statelessRuleGroup.ResourceArn) + await this.validateRuleGroupFile(ruleGroup, statelessRuleGroup.ResourceArn) + } catch (error) { + this.invalidFiles.push({ + path: statelessRuleGroup.ResourceArn, + referencedInFile: firewall.FirewallPolicyArn, + error: "The file in the attribute path is not available in the configuration." 
+ }) + } + } + } + } + + } catch (error) { + Logger.log(LOG_LEVEL.ERROR, error) + throw new Error("Validation failed."); + } finally { + Logger.log(LOG_LEVEL.INFO, `Number of invalid files: ${this.invalidFiles.length}`) + Logger.log(LOG_LEVEL.INFO, `-----------INVALID FILES START-----------`) + this.getInvalidFiles().forEach((invalidFile) => { + Logger.log(LOG_LEVEL.ERROR, invalidFile) + }) + Logger.log(LOG_LEVEL.INFO, `-----------INVALID FILES END--------------`) + if (this.invalidFiles.length > 0) { + const error = "Validation failed." + Logger.log(LOG_LEVEL.ERROR, error) + throw error + } + Logger.log(LOG_LEVEL.DEBUG, `Send metrics`, metrics) + MetricsManager.sendMetrics(metrics) + } + } + + async validateFirewallPolicyFile(firewallPolicy: NetworkFirewall.Types.CreateFirewallPolicyRequest, path: string) { + firewallPolicy.DryRun = true; + let response; + try { + response = await this.service.createFirewallPolicy(firewallPolicy).promise() + } catch (error) { + const errorCode: string = error["code"] + Logger.log(LOG_LEVEL.DEBUG, `Error response from the create firewall policy dry run API`, error) + if (errorCode === "MultipleValidationErrors" || errorCode === "UnexpectedParameter") { + this.invalidFiles.push({ + path: path, + error: error["message"] + }) + } + } + Logger.log(LOG_LEVEL.DEBUG, `Response from the create firewall policy dry run API`, response) + } + async validateRuleGroupFile(ruleGroup: NetworkFirewall.Types.CreateRuleGroupRequest, path: string) { + //add code to check if this rule source is provided or rules file is being provided + if (ruleGroup.Rules && ruleGroup.RuleGroup) { + Logger.log(LOG_LEVEL.DEBUG, `Rule Group file has both Rules and RuleGroup fields.`, ruleGroup) + this.invalidFiles.push({ + path: path, + error: "Both RuleGroup and Rules have data, You must provide either the rule group setting or a Rules setting, but not both. 
" + }) + return; + } else if (ruleGroup.Rules) { + const ruleString = this.fileHandler.copyFileContentToString(ruleGroup.Rules) + if (!ruleString) { + ruleGroup.Rules = ruleString + this.invalidFiles.push({ + path: path, + error: "Rules attribute has invalid file path. " + ruleGroup.Rules + }) + } + Logger.log(LOG_LEVEL.DEBUG, `Rule Group file has both Rules and RuleGroup fields.`, ruleGroup.Rules) + } + + ruleGroup.DryRun = true; + let response; + try { + response = await this.service.createRuleGroup(ruleGroup).promise(); + } catch(error) { + Logger.log(LOG_LEVEL.DEBUG, `Error response from the create rule group dry run API`, error) + const errorCode: string = error["code"] + if (errorCode === "MultipleValidationErrors" || errorCode === "UnexpectedParameter") { + this.invalidFiles.push({ + path: path, + error: error["message"] + }) + } + } + Logger.log(LOG_LEVEL.DEBUG, `Response from the create rule group dry run API`, response) + } + + validateFirewallFile(firewall: NetworkFirewall.Types.CreateFirewallRequest) { + if (!firewall.FirewallName || !firewall.FirewallPolicyArn) { + this.invalidFiles.push({ + path: firewall.FirewallName, + referencedInFile: firewall.FirewallName, + error: "FirewallName and FirewallPolicyArn are required in the firewall." + }) + } + } +} \ No newline at end of file diff --git a/source/networkFirewallAutomation/lib/common/logger.ts b/source/networkFirewallAutomation/lib/common/logger.ts new file mode 100644 index 0000000..f1c69f9 --- /dev/null +++ b/source/networkFirewallAutomation/lib/common/logger.ts 
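Review bot: In `validateRuleGroupFile` the assignment `ruleGroup.Rules = ruleString` sits inside `if (!ruleString)`, so after a successful read `Rules` still holds the file path and the dry-run `createRuleGroup` call checks that path string rather than the Suricata rules. When the read fails, the path is overwritten with `""` before it is appended to the error text. Record the error and `return` in the failure branch, and put `ruleGroup.Rules = ruleString` after it. Both dry-run `catch` blocks record only `MultipleValidationErrors` and `UnexpectedParameter`; any other error code is logged at DEBUG and dropped, so the validation step passes, and it is worth confirming that is intended. The `finally` block in `execute` throws a bare string, which also replaces the `Error` thrown from the `catch` above it.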
@@ -0,0 +1,38 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +export enum LOG_LEVEL { + "ERROR", + "WARN", + "INFO", + "DEBUG" +} + +export class Logger { + + private static readonly CONFIGURED_LOG_LEVEL = process.env.LOG_LEVEL && Object.values(LOG_LEVEL).indexOf(process.env.LOG_LEVEL.toUpperCase()) != -1 ? Object.values(LOG_LEVEL).indexOf(process.env.LOG_LEVEL.toUpperCase()) : LOG_LEVEL.ERROR; + + constructor() { } + + static log(log_level: LOG_LEVEL, message: any, object?: any) { + if (log_level <= this.CONFIGURED_LOG_LEVEL) { + let currentDateTime = new Date() + let formatted_date = `${currentDateTime.getFullYear()}-${(currentDateTime.getMinutes()-1)}-${currentDateTime.getDate()} ${currentDateTime.getHours()}:${currentDateTime.getMinutes()}:${currentDateTime.getSeconds()}` + let log_message = `${formatted_date} : ${JSON.stringify(message, null, 2)}` + if (object) { + log_message = `${formatted_date} : ${JSON.stringify(message, null, 2)} : ${JSON.stringify(object, null, 2)}` + } + console.log(log_message) + } + } +} \ No newline at end of file diff --git a/source/networkFirewallAutomation/lib/common/send-metrics.ts b/source/networkFirewallAutomation/lib/common/send-metrics.ts new file mode 100644 index 0000000..527e357 --- /dev/null +++ b/source/networkFirewallAutomation/lib/common/send-metrics.ts 
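Review bot: The timestamp in `Logger.log` builds its month field from `currentDateTime.getMinutes()-1`, so every log line carries a wrong date, which makes the build log hard to line up with other records. It should be `currentDateTime.getMonth() + 1`, or the whole string can be replaced by `new Date().toISOString()`. `if (object)` also drops falsy second arguments such as `0`, `false` or `""`; `object !== undefined` keeps them. Callers in this patch pass whole config objects and API responses to `Logger.log`, so the method deserves a short comment saying that everything handed to it is serialised in full.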
@@ -0,0 +1,80 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ +import { v4 as uuidv4 } from "uuid" +import { SSM } from "aws-sdk" +import axios from "axios" +import { Logger, LOG_LEVEL } from "./logger" + +export interface NetworkFirewallMetrics { + numberOfFirewalls: number, + numberOfStatefulRuleGroups: number, + numberOfStatelessRuleGroups: number, + numberOfPolicies: number, + numberOfSuricataRules: number, + logType?: string + logDestinationType?: string +} + +export class MetricsManager { + + private constructor() { } + + static async sendMetrics(data: NetworkFirewallMetrics) { + const ssmParameterForUUID = process.env.SSM_PARAM_FOR_UUID ? process.env.SSM_PARAM_FOR_UUID : "network-firewall-solution-uuid" + const stackId = process.env.STACK_ID ? process.env.STACK_ID.slice(process.env.STACK_ID.length - 36) : "" + const sendAnonymousMetrics = process.env.SEND_ANONYMOUS_METRICS ? process.env.SEND_ANONYMOUS_METRICS : "No" + let uuid = "" + const ssmUUIDKey = `${ssmParameterForUUID}-${stackId}` + try { + if (sendAnonymousMetrics.toUpperCase() === "YES") { + let ssmInstance = new SSM(); + let ssmGetParamResponse; + try { + ssmGetParamResponse = await ssmInstance.getParameter({ + Name: ssmUUIDKey, + }).promise(); + uuid = ssmGetParamResponse.Parameter?.Value ? 
ssmGetParamResponse.Parameter?.Value : uuidv4(); + } catch (error) { + if (error["code"] = "ParameterNotFound") { + uuid = uuidv4(); + await ssmInstance.putParameter({ + Name: ssmUUIDKey, + Value: uuid, + Type: "String" + }).promise(); + } + } + Logger.log(LOG_LEVEL.DEBUG, "uuid: ", uuid) + const metricsUrl: string = process.env.METRICS_URL ? process.env.METRICS_URL : "" + const solutionId: string | undefined = process.env.SOLUTION_ID + const timestamp = (new Date()).toISOString() + data.logDestinationType = process.env.LOG_DESTINATION_TYPE + data.logType = process.env.LOG_TYPE + const metrics_data = { + 'Solution': solutionId, + 'TimeStamp': timestamp, + 'UUID': uuid, + 'Data': data + } + Logger.log(LOG_LEVEL.DEBUG, "metrics data: ", metrics_data) + const response = await axios.post(metricsUrl, metrics_data, { + headers: { + 'Content-Type': 'application/json', + 'Content-Length': JSON.stringify(data).length + } + }) + Logger.log(LOG_LEVEL.DEBUG, 'Response: ', response) + } + } catch (error) { } + } +} \ No newline at end of file diff --git a/source/networkFirewallAutomation/lib/common/stringUtils.ts b/source/networkFirewallAutomation/lib/common/stringUtils.ts new file mode 100644 index 0000000..e2fcc6b --- /dev/null +++ b/source/networkFirewallAutomation/lib/common/stringUtils.ts 
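Review bot: `if (error["code"] = "ParameterNotFound")` assigns instead of comparing, so the branch runs for every SSM failure (access denied or throttling, for example) and a new UUID is generated and written each time; it should read `if (error["code"] === "ParameterNotFound")`. The `Content-Length` header is computed from `JSON.stringify(data).length` while the body sent is `metrics_data`, so the declared length does not match the payload unless axios recomputes it; dropping the header avoids the mismatch. The outer `catch (error) { }` discards everything, including a failed `putParameter`, where a DEBUG log line would at least leave a trace.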
@@ -0,0 +1,55 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import { Logger, LOG_LEVEL } from './logger' + +export enum Name { + maxCharacters = 128, + delimiter= '-' +} + +/** + * @description This class performs string manipulation operations + */ +export class StringUtils { + + constructor(readonly stackId: string) { + } + + + /** + * @description This method will return name of the resource with parsed + * stack id and validates the max character allowed + * @param resourceName + * @returns modified resource name. 
+ */ + getUniqueResourceName(resourceName: string) { + Logger.log(LOG_LEVEL.DEBUG, `Resource name input: ${resourceName}`) + if (this.stackId) { + const splitStackId = this.stackId.split("-").pop() + let customName = resourceName + Name.delimiter + splitStackId + if (splitStackId && customName.length > Name.maxCharacters) { + const sliceString = Name.maxCharacters - (splitStackId.length + Name.delimiter.length) + Logger.log(LOG_LEVEL.INFO, `Modified name is larger than 128 characters, trimming the resource name and using only first ${sliceString.toString()} characters from the name.`) + const trimmedResourceName = resourceName.substring(0, sliceString) + customName = trimmedResourceName + Name.delimiter + splitStackId + } + Logger.log(LOG_LEVEL.DEBUG, `Returning Custom name : ${resourceName}`) + return customName + } + else { + throw Error("The stack id environment variable is undefined in the" + + " CodeBuild stage environment variables.") + } + } +} \ No newline at end of file diff --git a/source/networkFirewallAutomation/lib/ec2-manager.ts b/source/networkFirewallAutomation/lib/ec2-manager.ts new file mode 100644 index 0000000..5d816e4 --- /dev/null +++ b/source/networkFirewallAutomation/lib/ec2-manager.ts 
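Review bot: The final debug line in `getUniqueResourceName` logs `${resourceName}` under the label "Returning Custom name", so the log shows the input rather than the value returned; it should be `Returning Custom name : ${customName}`. The `@param resourceName` tag has no description and the method has no declared return type; `: string` and a line noting that the suffix is the last `-`-separated segment of the stack id would document what the code does. The `Name` enum mixes a number (`maxCharacters`) and a string (`delimiter`), and two `const` values would read more clearly.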
@@ -0,0 +1,170 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import { EC2, NetworkFirewall } from "aws-sdk" +import { Ec2Service } from "./service/ec2-service" +import { LOG_LEVEL, Logger } from "./common/logger" + +export interface Ec2EnvironmentProps { + availabilityZone: string | undefined, + routeTableId: string | undefined +} + +export enum Route { + default = '0.0.0.0/0', + active = 'active' +} + +type routeStatus = { + VpcEndpointId: string | undefined, + RouteTableId: string, + DefaultRouteCreated: boolean +} + +/** + * @description This class contains all the methods to + * perform CRUD operations for the VPC route to Network Firewall. + */ +export class Ec2Manager { + + private service: Ec2Service + private vpcEndpoint: string | undefined + + constructor(public envProps: Ec2EnvironmentProps[], + public firewallSyncStates: NetworkFirewall.SyncStates) { + this.service = new Ec2Service() + } + + /** this method will check if route exists, if not will start the process to + * create the route, If route exists no action required. If any of the VPC + * endpoint is not in READY status, throw an error. 
+ */ + async routeTableOperations(): Promise { + try { + let response: routeStatus[] = [] + for (let endpoint of this.envProps) { + Logger.log(LOG_LEVEL.INFO, `Processing `, endpoint) + + // check if routes already exist + if (endpoint.routeTableId && endpoint.availabilityZone) { + const attachmentProps = this.firewallSyncStates[endpoint.availabilityZone] + this.vpcEndpoint = attachmentProps.Attachment?.EndpointId + const foundExistingRoute = await this.checkRouteTable(endpoint.routeTableId) + + if (!foundExistingRoute) { + Logger.log(LOG_LEVEL.INFO, `Default route to Network Firewall does not exist. Creating a new default route using endpoint: ${this.vpcEndpoint} in the ready state.`) + await this.service.createRoute({ + DestinationCidrBlock: Route.default, + VpcEndpointId: this.vpcEndpoint, + RouteTableId: endpoint.routeTableId + }) + } + let status = { + VpcEndpointId: this.vpcEndpoint, + RouteTableId: endpoint.routeTableId, + DefaultRouteCreated: !foundExistingRoute + } + response.push(status) + } + } + + return response + + } catch + (error) { + Logger.log(LOG_LEVEL.ERROR, error) + throw new Error(error["message"]) + } + } + + /** + * Describe route table and analyse routes + */ + async checkRouteTable(routeTableId: string) { + // get route table details to check route already exist + const routeTables = await this.service.describeRouteTables(routeTableId) + Logger.log(LOG_LEVEL.INFO, routeTables) + + // the describe route table API should always return single value if using + // route table id + if (routeTables && routeTables.length > 1) { + Logger.log(LOG_LEVEL.DEBUG, routeTables) + throw Error(`Expected only one item in the route table array. 
Received : ${routeTables.length} `) + } + + let foundExistingRoute: boolean = false + // at least 1 value should be present before attempting the iteration + if (routeTables && routeTables.length == 1) { + + // the for loop would iterate only once + for (let routeTable of routeTables) { + foundExistingRoute = await this.checkExistingRoutes(routeTable) + } + } + return foundExistingRoute + } + + /** + * This method check if there is an existing default route to the VPC + * endpoint to network firewall. If + * @param routeTable + * @return List of VPC Endpoint ids in ready state. Returns empty list if + * route already exists. + */ + async checkExistingRoutes(routeTable: EC2.RouteTable): Promise { + const routes = routeTable.Routes + Logger.log(LOG_LEVEL.DEBUG, `print routes`) + Logger.log(LOG_LEVEL.DEBUG, routes) + if (routes) { + for (let route of routes) { + Logger.log(LOG_LEVEL.DEBUG, `Checking route below for VPC Endpoint: ${this.vpcEndpoint}`) + Logger.log(LOG_LEVEL.DEBUG, route) + if (route.GatewayId && route.GatewayId === this.vpcEndpoint && + route.DestinationCidrBlock === Route.default && route.State === Route.active) { + Logger.log(LOG_LEVEL.INFO, `Found Firewall VPC Endpoint ${route.GatewayId}`) + Logger.log(LOG_LEVEL.INFO, `setting foundExistingRoute to TRUE`) + return Promise.resolve(true) + } else if (route.GatewayId && route.GatewayId != this.vpcEndpoint && route.DestinationCidrBlock === Route.default && route.State === Route.active) { + //remove the route entry as possibly the firewall end point is no longer the same as it was earlier. 
+ if (routeTable.RouteTableId) { + await this.service.deleteRoute({ + DestinationCidrBlock: Route.default, + RouteTableId: routeTable.RouteTableId + }) + } + } + } + } + // return false - could not find existing route + Logger.log(LOG_LEVEL.INFO, `Firewall VPC Endpoint not found as destination in the route table.`) + return Promise.resolve(false) + } + + /** + * Method will update the transit gateway attachement appliance mode. + * https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-transit-gateway-vpc-attachment.html + * @param transitGatewayAttachmentId + * @param applianceMode + */ + static async updateTransitGatewayAttachementApplianceMode(transitGatewayAttachmentId: string, applianceMode: string) { + if (transitGatewayAttachmentId && applianceMode) { + const response = await new Ec2Service().modifyTransitGatewayAttachement({ + TransitGatewayAttachmentId: transitGatewayAttachmentId, + Options: { + ApplianceModeSupport: applianceMode + } + }) + Logger.log(LOG_LEVEL.INFO, `Response from modifyTransitGatewayAttachement API: `, response) + } + } +} diff --git a/source/networkFirewallAutomation/lib/network-firewall-manager.ts b/source/networkFirewallAutomation/lib/network-firewall-manager.ts new file mode 100644 index 0000000..184b005 --- /dev/null +++ b/source/networkFirewallAutomation/lib/network-firewall-manager.ts 
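Review bot: `routeTableOperations` reads `attachmentProps.Attachment?.EndpointId` without checking that the availability zone exists in `firewallSyncStates` or that the attachment is ready, although the method comment promises an error in that case. With `this.vpcEndpoint` undefined, `checkExistingRoutes` treats every active `0.0.0.0/0` route that has a `GatewayId` as stale and deletes it. The following `createRoute` is then sent without an endpoint, which can leave the route table with no default route. A guard before `checkRouteTable`, such as `if (!attachmentProps?.Attachment?.EndpointId || attachmentProps.Attachment.Status !== "READY") throw new Error("firewall endpoint not ready")`, would stop that. The delete branch should also log the `GatewayId` it removes so the change is traceable.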
@@ -0,0 +1,491 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + + +import { NetworkFirewall } from "aws-sdk" +import { NetworkFirewallService } from "./service/network-firewall-service" +import { ConfigReader } from "./common/configReader/config-reader" +import { Time } from "./service/awsClientConfig"; +import { LOG_LEVEL, Logger } from "./common/logger" +import { StringUtils } from "./common/stringUtils"; + +enum LogType { + alert = "ALERT", + flow = "FLOW" +} + +export interface EnvironmentProps { + vpcId: string | undefined; + subnetIds: string | undefined; + logDestinationType: "S3" | "CloudWatchLogs" | string | undefined; + logDestination: string | undefined; //bucket name or cloudwatch log group name. + logType: "Alert" | "Flow" | "EnableBoth" | string | undefined; + logRetentionPeriod: string | undefined; + stackId: string; +} + +enum RuleGroupType { + Stateless = 'STATELESS', + Stateful = 'STATEFUL' +} + +/** + * @description This class contains all the Network Firewall methods to + * perform CRUD operations for the Network Firewall resources. 
+ */ +export enum FirewallStatus { + Ready = 'READY', + ConfigInSync = 'IN_SYNC', +} + +export class NetworkFirewallManager { + + private stringUtils: StringUtils + private service: NetworkFirewallService + private ruleGroupArnsInFirewall: string[] = [] + + constructor(public envProps: EnvironmentProps, + public firewallObject: NetworkFirewall.Types.CreateFirewallRequest, + public fileHandler: ConfigReader) { + this.service = new NetworkFirewallService() + this.stringUtils = new StringUtils(envProps.stackId) + } + + /** get vpc id */ + getVpcId(): NetworkFirewall.VpcId { + let vpcId + if (this.envProps.vpcId) { + vpcId = this.envProps.vpcId + } else { + const error_msg = "VPC ID must be in the environment variables" + Logger.log(LOG_LEVEL.ERROR, error_msg) + throw Error(error_msg) + } + return vpcId + } + + /** get subnet mapping */ + getSubnetMapping(): NetworkFirewall.SubnetMappings { + let subnetIdArray + let subnetMappings + + if (this.envProps.subnetIds) { + subnetIdArray = this.envProps.subnetIds.split(",") + subnetMappings = subnetIdArray.map((subnetId: string) => { + return { + SubnetId: subnetId + } + }) + } else { + const error_msg = "Subnet IDs must be in the environment variables" + Logger.log(LOG_LEVEL.ERROR, error_msg) + throw Error(error_msg) + } + return subnetMappings + } + + /** Function to add delay for waiting on process. */ + delay(ms: number) { + return new Promise(resolve => setTimeout(resolve, ms)); + } + + + /** Function will create network firewall and wait until the status of the firewall is provisioned before returning the response to the calling + * function. 
+ */ + async createNetworkFirewall(firewallPolicyArn: string): Promise { + this.firewallObject['VpcId'] = this.getVpcId() || '' + this.firewallObject['SubnetMappings'] = this.getSubnetMapping() + this.firewallObject.FirewallPolicyArn = firewallPolicyArn + + // create network firewall + await this.service.createFirewall(this.firewallObject) + + // check + return await this.checkFirewallStatus() + + } + + /** Function will check if firewall exists, if not will start the process to create rule groups, create the firewall policy + * and then create the firewall. If firewall exists the configs are updated starting with rule groups, firewall policy and finally firewall. + */ + async firewallOperations(): Promise { + let response; + try { + // update firewall name to unique firewall name + this.firewallObject.FirewallName = this.stringUtils.getUniqueResourceName(this.firewallObject.FirewallName) + const firewallName = this.firewallObject.FirewallName; + const firewallResponse = await this.service.describeFirewall(firewallName) + if (firewallResponse && firewallResponse.Firewall) { + Logger.log(LOG_LEVEL.INFO, `Updating existing firewall: ${firewallName}`) + const firewallPolicyArn = await this.firewallPolicyOperations(this.firewallObject.FirewallPolicyArn) + Logger.log(LOG_LEVEL.INFO, `Checking Firewall Status: ${firewallPolicyArn}`) + response = await this.checkFirewallStatus() + await this.updateFirewall(firewallResponse, firewallPolicyArn) + } else { + Logger.log(LOG_LEVEL.INFO, `Firewall does not exist: ${firewallName}`) + Logger.log(LOG_LEVEL.INFO, `Checking if firewall policy exist`) + const firewallPolicyArn = await this.firewallPolicyOperations(this.firewallObject.FirewallPolicyArn) + Logger.log(LOG_LEVEL.INFO, `Creating Firewall: ${firewallName}`) + response = await this.createNetworkFirewall(firewallPolicyArn) + } + await this.setupLoggingConfigurations(firewallName) + return response; + } catch (error) { + Logger.log(LOG_LEVEL.ERROR, error) + throw new 
Error(error) + } + } + + /** + * This method will check if the firewall status is in READY state, firewall config sync state is 'IN_SYNC', and + * also waits until all the attachments created in each availability zone is also in IN_SYNC state. + */ + + async checkFirewallStatus(): Promise { + let firewallStatus: string | undefined = '' + let firewallConfigSyncState: string | undefined = '' + let syncStates: NetworkFirewall.SyncStates | undefined = {}; + let areAttachmentsInReadyStatus = false; + + do { + // sleep + await this.delay(Time.Seconds15) + let attachmentStatus = [] + //describe firewall + const firewallResponse = await this.service.describeFirewall(this.firewallObject.FirewallName) + if (firewallResponse && firewallResponse.FirewallStatus) { + firewallStatus = firewallResponse.FirewallStatus.Status + firewallConfigSyncState = firewallResponse.FirewallStatus.ConfigurationSyncStateSummary + syncStates = firewallResponse.FirewallStatus.SyncStates + Logger.log(LOG_LEVEL.INFO, firewallResponse.FirewallStatus) + } + + if (syncStates) { + Logger.log(LOG_LEVEL.INFO, `Sync States for the firewall. `, syncStates) + for (let availabilityZone in syncStates) { + if (syncStates[availabilityZone].Attachment) { + attachmentStatus.push(syncStates[availabilityZone].Attachment?.Status) + } + } + } + areAttachmentsInReadyStatus = attachmentStatus.every(status => status === 'READY') + + } + while (firewallStatus != FirewallStatus.Ready || firewallConfigSyncState != FirewallStatus.ConfigInSync || !areAttachmentsInReadyStatus) + + Logger.log(LOG_LEVEL.INFO, "Firewall is ready and configuration is in sync across" + + " all the availability zones. 
Returning the sync states for all" + + " the availability zones.") + return syncStates + } + + /** Function to create/update firewall policy */ + async firewallPolicyOperations(policyPath: string): Promise { + let describePolicyResponse; + try { + Logger.log(LOG_LEVEL.INFO, `Getting Firewall Policy Object`) + const policyObject: NetworkFirewall.CreateFirewallPolicyRequest = await this.ruleGroupOperations(this.fileHandler.convertFileToObject(policyPath)) + // update policy name to unique policy name + policyObject.FirewallPolicyName = this.stringUtils.getUniqueResourceName(policyObject.FirewallPolicyName) + Logger.log(LOG_LEVEL.INFO, `Checking if Firewall Policy exist: ${policyObject.FirewallPolicyName}`) + Logger.log(LOG_LEVEL.INFO, `Found Firewall Policy, trying to update the policy.`) + describePolicyResponse = await this.service.describeFirewallPolicy(policyObject.FirewallPolicyName) + Logger.log(LOG_LEVEL.INFO, `Describe policy response`, describePolicyResponse) + if (describePolicyResponse && describePolicyResponse.FirewallPolicyResponse.FirewallPolicyArn) { + describePolicyResponse.FirewallPolicy = policyObject.FirewallPolicy + describePolicyResponse.FirewallPolicyResponse.Description = policyObject.Description + describePolicyResponse.FirewallPolicyResponse.Tags = policyObject.Tags + let firewallPolicyUpdateResponse = await this.service.updateFirewallPolicy({ + FirewallPolicyArn: describePolicyResponse.FirewallPolicyResponse.FirewallPolicyArn, + FirewallPolicy: policyObject.FirewallPolicy, + UpdateToken: describePolicyResponse.UpdateToken, + Description: policyObject.Description, + FirewallPolicyName: describePolicyResponse.FirewallPolicyResponse.FirewallPolicyName + }) + Logger.log(LOG_LEVEL.INFO, `Firewall update policy response:`, firewallPolicyUpdateResponse) + //delete the rule groups which are currently in the firewall but not in the new firewall policy file + await this.deleteRuleGroups(policyObject); + return 
describePolicyResponse.FirewallPolicyResponse.FirewallPolicyArn + + } else { + Logger.log(LOG_LEVEL.INFO, `Firewall Policy does not exist, trying to create the policy.`) + const responseCreateFirewallPolicy = await this.service.createFirewallPolicy(policyObject) + return responseCreateFirewallPolicy.FirewallPolicyResponse.FirewallPolicyArn + } + } catch (error) { + Logger.log(LOG_LEVEL.INFO, error) + throw new Error(error) + } + } + + /** Function to create/update Rule Groups with a back out feature in case there is a failure. */ + async ruleGroupOperations(policyObject: NetworkFirewall.CreateFirewallPolicyRequest): Promise { + Logger.log(LOG_LEVEL.INFO, `Checking rule groups found in the firewall policy`) + let statelessRuleGroupsForRollback = [] + let statefulRuleGroupsForRollback = [] + this.ruleGroupArnsInFirewall = await this.service.listRuleGroupsForPolicy(policyObject.FirewallPolicyName); + + try { + + if (policyObject.FirewallPolicy.StatelessRuleGroupReferences) { + for (let statelessRuleGroupReference of policyObject.FirewallPolicy.StatelessRuleGroupReferences) { + let statelessRuleGroupObject: NetworkFirewall.CreateRuleGroupRequest = await this.fileHandler.convertFileToObject(statelessRuleGroupReference.ResourceArn) + Logger.log(LOG_LEVEL.INFO, `Checking if stateless rule group exists: ${statelessRuleGroupObject.RuleGroupName}`) + let describeRuleGroupResponse = await this.service.describeRuleGroup( + statelessRuleGroupObject.RuleGroupName, + RuleGroupType.Stateless + ) + Logger.log(LOG_LEVEL.INFO, `Describe Rule group response`, describeRuleGroupResponse) + if (describeRuleGroupResponse) { + statelessRuleGroupsForRollback.push(describeRuleGroupResponse) + Logger.log(LOG_LEVEL.INFO, `Found existing stateless rule group, trying to update it.`) + await this.service.updateRuleGroup({ + UpdateToken: describeRuleGroupResponse.UpdateToken, + Description: statelessRuleGroupObject.Description, + RuleGroup: statelessRuleGroupObject.RuleGroup, + RuleGroupArn: 
describeRuleGroupResponse.RuleGroupResponse.RuleGroupArn, + Type: statelessRuleGroupObject.Type + }) + statelessRuleGroupReference.ResourceArn = describeRuleGroupResponse.RuleGroupResponse.RuleGroupArn + } else { + Logger.log(LOG_LEVEL.INFO, `Creating rule group: ${statelessRuleGroupObject.RuleGroupName}`) + let createRuleGroupResponse = await this.service.createRuleGroup(statelessRuleGroupObject) + statelessRuleGroupReference.ResourceArn = createRuleGroupResponse.RuleGroupResponse.RuleGroupArn + Logger.log(LOG_LEVEL.INFO, statelessRuleGroupReference) + Logger.log(LOG_LEVEL.INFO, `Create Rule group response`, createRuleGroupResponse) + } + } + } + if (policyObject.FirewallPolicy.StatefulRuleGroupReferences) { + for (let statefulRuleGroupReference of policyObject.FirewallPolicy.StatefulRuleGroupReferences) { + let statefulRuleGroupObject: NetworkFirewall.CreateRuleGroupRequest = this.fileHandler.convertFileToObject(statefulRuleGroupReference.ResourceArn) + if (statefulRuleGroupObject.Rules) { + statefulRuleGroupObject.Rules = this.fileHandler.copyFileContentToString(statefulRuleGroupObject.Rules) + } + Logger.log(LOG_LEVEL.INFO, `Checking if stateful rule group exists: ${statefulRuleGroupObject.RuleGroupName}`) + let describeRuleGroupResponse = await this.service.describeRuleGroup( + statefulRuleGroupObject.RuleGroupName, + RuleGroupType.Stateful + ) + Logger.log(LOG_LEVEL.INFO, `Describe Rule group response`, describeRuleGroupResponse) + if (describeRuleGroupResponse) { + statefulRuleGroupsForRollback.push(describeRuleGroupResponse) + //if its a suricata rule group just update the statefulRuleGroupObject.Rules + if (statefulRuleGroupObject.Rules) { + await this.service.updateRuleGroup({ + UpdateToken: describeRuleGroupResponse.UpdateToken, + Description: statefulRuleGroupObject.Description, + RuleGroupArn: describeRuleGroupResponse.RuleGroupResponse.RuleGroupArn, + Rules: statefulRuleGroupObject.Rules, + Type: statefulRuleGroupObject.Type + }) + } else { + await 
this.service.updateRuleGroup({ + UpdateToken: describeRuleGroupResponse.UpdateToken, + Description: statefulRuleGroupObject.Description, + RuleGroup: statefulRuleGroupObject.RuleGroup, + RuleGroupArn: describeRuleGroupResponse.RuleGroupResponse.RuleGroupArn, + Type: statefulRuleGroupObject.Type + }) + } + + statefulRuleGroupReference.ResourceArn = describeRuleGroupResponse.RuleGroupResponse.RuleGroupArn + Logger.log(LOG_LEVEL.INFO, `Found existing stateful rule group, trying to update it.`) + } else { + Logger.log(LOG_LEVEL.INFO, `Creating rule group`) + let createRuleGroupResponse = await this.service.createRuleGroup(statefulRuleGroupObject) + statefulRuleGroupReference.ResourceArn = createRuleGroupResponse.RuleGroupResponse.RuleGroupArn + Logger.log(LOG_LEVEL.INFO, statefulRuleGroupReference) + Logger.log(LOG_LEVEL.INFO, `Create Rule group response`, createRuleGroupResponse) + } + } + } + + } catch (error) { + Logger.log(LOG_LEVEL.ERROR, error) + for (let statelessRuleGroup of statelessRuleGroupsForRollback) { + Logger.log(LOG_LEVEL.WARN, `Rolling back stateless rule group`, statelessRuleGroup) + await this.service.updateRuleGroup(statelessRuleGroup) + } + Logger.log(LOG_LEVEL.WARN, `Rolling back stateful rule groups`, statefulRuleGroupsForRollback) + for (let statefulRuleGroup of statefulRuleGroupsForRollback) { + Logger.log(LOG_LEVEL.WARN, `Rolling back stateful rule group`, statefulRuleGroup) + await this.service.updateRuleGroup(statefulRuleGroup) + } + Logger.log(LOG_LEVEL.ERROR, error) + throw Error(error) + } + + return policyObject; + } + + /** + * This method will take the rule groups configured for the firewall before any updates are made and compare with all the rule groups which are in the firewall policy file, + * the missing rule groups in the firewall policy file will be deleted, if the rule groups are associated with any resource in the account out of scope of this + * solution then the rule group will not be deleted. 
+ * @param policyObject -- NetworkFirewall.CreateFirewallPolicyRequest + */ + async deleteRuleGroups(policyObject: NetworkFirewall.CreateFirewallPolicyRequest) { + await this.delay(Time.Seconds15) + Logger.log(LOG_LEVEL.DEBUG, `The rule groups currently configured in the firewall `, this.ruleGroupArnsInFirewall) + //retrieve the rule groups in policy Object + let ruleGroupsInFirewallPolicyFile: { [key: string]: string } = {}; + if (policyObject.FirewallPolicy.StatefulRuleGroupReferences) { + for (let ruleGroup of policyObject.FirewallPolicy.StatefulRuleGroupReferences) { + ruleGroupsInFirewallPolicyFile[ruleGroup.ResourceArn] = ruleGroup.ResourceArn + } + } + if (policyObject.FirewallPolicy.StatelessRuleGroupReferences) { + for (let ruleGroup of policyObject.FirewallPolicy.StatelessRuleGroupReferences) { + ruleGroupsInFirewallPolicyFile[ruleGroup.ResourceArn] = ruleGroup.ResourceArn + } + } + + Logger.log(LOG_LEVEL.DEBUG, `The rule groups configured in the new firewall policy file `, ruleGroupsInFirewallPolicyFile) + for (let oldRuleGroupArn of this.ruleGroupArnsInFirewall) { + if (!ruleGroupsInFirewallPolicyFile[oldRuleGroupArn]) { + await this.service.deleteRuleGroup(oldRuleGroupArn); + } + } + } + + /* + * This method will setup the logging configuration for the firewall, based on the environment properties in EnvironmentProps. + * If there is any error in updating the logging configurations it will log a warning and still continue the rest of the process. 
+ */ + async setupLoggingConfigurations(firewallName: string) { + let loggingConfiguration = await this.createLoggingConfigurations(); + try { + await this.service.updateLoggingConfiguration(firewallName, { + "LogDestinationConfigs": loggingConfiguration + }) + } catch (error) { + Logger.log(LOG_LEVEL.INFO, `Logging configuration: `, loggingConfiguration); + Logger.log(LOG_LEVEL.ERROR, `Failed to update logging configuration`, error) + } + } + + async createLoggingConfigurations() { + let loggingConfiguration = [] + Logger.log(LOG_LEVEL.INFO, this.envProps) + if (this.envProps.logType && this.envProps.logType.toUpperCase() === "ENABLEBOTH") { + let alertConfig = { + LogType: LogType.alert, + LogDestinationType: '', + LogDestination: {} + } + let flowConfig = { + LogType: LogType.flow, + LogDestinationType: '', + LogDestination: {} + } + loggingConfiguration.push(alertConfig) + loggingConfiguration.push(flowConfig) + } else { + let config = { + LogType: this.envProps.logType ? this.envProps.logType.toUpperCase() : LogType.alert, + LogDestinationType: '', + LogDestination: {} + } + loggingConfiguration.push(config) + } + + loggingConfiguration.forEach(config => { + switch (this.envProps.logDestinationType?.toUpperCase()) { + case "S3": + config.LogDestinationType = "S3" + config.LogDestination = { + "bucketName": this.envProps.logDestination, + "prefix": config.LogType === LogType.alert ? "alerts" : "flow" + } + break; + case "CLOUDWATCHLOGS": + config.LogDestinationType = "CloudWatchLogs" + config.LogDestination = { + "logGroup": this.envProps.logDestination + } + break; + } + }) + Logger.log(LOG_LEVEL.INFO, loggingConfiguration) + return Promise.resolve(loggingConfiguration) + } + + /** + * Update firewall properties if they are different from the describeFirewallResponse. + * Following attributes are updated. + * DeleteProtection, FirewallPolicyChangeProtection, Description. 
+ * Associates a new firewall policy arn if the describeFirewallResponse + * and the firewallPolicyArn parameter are not same. + */ + async updateFirewall(describeFirewallResponse: NetworkFirewall.Types.DescribeFirewallResponse, firewallPolicyArn: string) { + + if (describeFirewallResponse.Firewall) { + + //update firewall delete protection attribute + if (describeFirewallResponse.Firewall.DeleteProtection !== this.firewallObject.DeleteProtection) { + const response = await this.service.updateFirewallDeleteProtection({ + FirewallName: this.firewallObject.FirewallName, + DeleteProtection: this.firewallObject.DeleteProtection ? this.firewallObject.DeleteProtection : false + }) + Logger.log(LOG_LEVEL.INFO, 'Update firewall delete protection response: ', response) + + } + + //update firewall policy change protection. + if (describeFirewallResponse.Firewall.FirewallPolicyChangeProtection !== this.firewallObject.FirewallPolicyChangeProtection) { + const response = await this.service.updateFirewallPolicyChangeProtection({ + FirewallName: this.firewallObject.FirewallName, + FirewallPolicyChangeProtection: this.firewallObject.FirewallPolicyChangeProtection ? this.firewallObject.FirewallPolicyChangeProtection : false + }) + Logger.log(LOG_LEVEL.INFO, 'Update firewall policy change protection response: ', response) + } + //update subnet change protection. + if (describeFirewallResponse.Firewall.SubnetChangeProtection !== this.firewallObject.SubnetChangeProtection) { + const response = await this.service.updateSubnetChangeProtection({ + FirewallName: this.firewallObject.FirewallName, + SubnetChangeProtection: this.firewallObject.SubnetChangeProtection ? 
this.firewallObject.SubnetChangeProtection : false + }) + Logger.log(LOG_LEVEL.INFO, 'Update firewall policy change protection response: ', response) + } + //update firewall description + if (describeFirewallResponse.Firewall.Description !== this.firewallObject.Description) { + const response = await this.service.updateFirewallDescription({ + Description: this.firewallObject.Description, + FirewallName: this.firewallObject.FirewallName + }) + Logger.log(LOG_LEVEL.INFO, 'Update firewall description response: ', response) + } + + //associate firewall policy arn to the firewall. + if (describeFirewallResponse.Firewall.FirewallPolicyArn !== firewallPolicyArn) { + const response = await this.service.associateFirewallPolicy({ + FirewallPolicyArn: firewallPolicyArn, + FirewallName: this.firewallObject.FirewallName + }) + Logger.log(LOG_LEVEL.INFO, `associate/update new firewall policy ${this.firewallObject.FirewallPolicyArn} for the firewall name: ${this.firewallObject.FirewallName} response:`, response) + } + + if (this.firewallObject.Tags && describeFirewallResponse.Firewall.FirewallArn) { + const response = await this.service.tagResource({ + ResourceArn: describeFirewallResponse.Firewall.FirewallArn, + Tags: this.firewallObject.Tags + }) + Logger.log(LOG_LEVEL.INFO, `Update Tags for firewall ${this.firewallObject.FirewallPolicyArn} for the firewall name: ${this.firewallObject.FirewallName} response:`, response) + } + + + } + } +} \ No newline at end of file diff --git a/source/networkFirewallAutomation/lib/service/awsClientConfig.ts b/source/networkFirewallAutomation/lib/service/awsClientConfig.ts new file mode 100644 index 0000000..31b92cb --- /dev/null +++ b/source/networkFirewallAutomation/lib/service/awsClientConfig.ts 
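Review bot: The rollback in the `catch` of `ruleGroupOperations` hands the saved `describeRuleGroup` responses straight to `this.service.updateRuleGroup(...)`, which looks unlikely to restore anything. Each saved object carries the `UpdateToken` read before the update, which Network Firewall replaces once that update succeeds, and it has a `RuleGroupResponse` member instead of the `RuleGroupArn`/`Type` fields the update calls earlier in the method send. Unless the wrapper in network-firewall-service.ts (its `updateRuleGroup` is not in this hunk) reshapes the request, a failure part-way through leaves the firewall policy pointing at a mix of old and new rule groups while the log reports a rollback. I would rebuild the request from the saved response with a freshly read token, as below, and apply the same change to the stateful loop. Rule groups created during the failed run are not backed out either, which the method's doc comment should state.

```typescript
for (let statelessRuleGroup of statelessRuleGroupsForRollback) {
    // … unchanged: WARN log for the group being rolled back …
    // the token saved before the update is stale once that update has succeeded
    const current = await this.service.describeRuleGroup(
        statelessRuleGroup.RuleGroupResponse.RuleGroupName,
        RuleGroupType.Stateless
    )
    await this.service.updateRuleGroup({
        UpdateToken: current ? current.UpdateToken : statelessRuleGroup.UpdateToken,
        RuleGroupArn: statelessRuleGroup.RuleGroupResponse.RuleGroupArn,
        RuleGroup: statelessRuleGroup.RuleGroup,
        Description: statelessRuleGroup.RuleGroupResponse.Description,
        Type: RuleGroupType.Stateless
    })
}
// … the loop over statefulRuleGroupsForRollback takes the same change with RuleGroupType.Stateful …
```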
@@ -0,0 +1,40 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+import {ConfigurationOptions} from 'aws-sdk'
+
+export enum Time {
+ Seconds5 = 5000,
+ Seconds15 = 15000
+}
+
+export enum Count {
+ minRetry = 3,
+ maxRetry = 10
+}
+
+/**
+ * @description This class setup the retry options for AWS APIs
+ */
+export class AwsClientConfig {
+
+ /**
+ * @description Retry method returns the ConfigurationOptions instances with retryDelayOptions and maxRetries options set.
+ * @returns ConfigurationOptions
+ */
+ retry(): ConfigurationOptions {
+ return {
+ retryDelayOptions: {base: Time.Seconds5},
+ maxRetries: Count.maxRetry
+ }
+ }
+}
\ No newline at end of file
diff --git a/source/networkFirewallAutomation/lib/service/ec2-service.ts b/source/networkFirewallAutomation/lib/service/ec2-service.ts
new file mode 100644
index 0000000..37b6cd8
--- /dev/null
+++ b/source/networkFirewallAutomation/lib/service/ec2-service.ts
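Review bot: `retry()` pairs `retryDelayOptions: {base: Time.Seconds5}` with `maxRetries: Count.maxRetry`, and under the SDK's default exponential backoff (the delay grows roughly as base × 2^attempt, as I understand the v2 client) the later of the ten retries can each wait many minutes. Both service classes added in this commit build their clients from this config, so one throttled or failing call could stall the run past whatever timeout the caller runs under instead of failing fast. A capped delay keeps the worst case bounded, for example `retryDelayOptions: {customBackoff: (retryCount) => Math.min(Time.Seconds15, 1000 * 2 ** retryCount)}`. The doc comment on `retry()` should also state the intended worst-case wait.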
@@ -0,0 +1,97 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import { ConfigurationOptions, EC2 } from 'aws-sdk' +import { AwsClientConfig } from './awsClientConfig' +import { Logger, LOG_LEVEL } from '../common/logger' + +/** + * Service class which handles all the EC2 API integrations. + */ +export class Ec2Service { + + private Ec2Client: EC2 + config: ConfigurationOptions + + constructor() { + this.config = new AwsClientConfig().retry() + this.Ec2Client = new EC2(this.config); + } + + /** Describes the route. */ + async describeRouteTables(routeTableId: string): Promise { + Logger.log(LOG_LEVEL.INFO, 'Describe Route Table') + Logger.log(LOG_LEVEL.INFO, `Print Route Table Id: ${routeTableId}`) + let response: EC2.DescribeRouteTablesResult + try { + response = await this.Ec2Client.describeRouteTables({ + RouteTableIds: [routeTableId] + } + ).promise() + + let nextToken = response.NextToken + let routeTables = response.RouteTables + + // handle next token + while (nextToken) { + response = await this.Ec2Client.describeRouteTables({ + RouteTableIds: [routeTableId], + NextToken: nextToken + } + ).promise() + if (response.RouteTables) { + routeTables?.concat(response.RouteTables) + } + nextToken = response.NextToken + } + return Promise.resolve(routeTables) + } catch (error) { + Logger.log(LOG_LEVEL.INFO, JSON.stringify(error)) + return Promise.reject(error) + } + } + + /** Creates route in the given route table. 
*/ + async createRoute(props: EC2.CreateRouteRequest): Promise { + Logger.log(LOG_LEVEL.INFO, 'Create Route') + Logger.log(LOG_LEVEL.INFO, `Print Props: `, props) + try { + const response = await this.Ec2Client.createRoute(props).promise() + return Promise.resolve(response) + } catch (e) { + return Promise.reject(e) + } + } + + async deleteRoute(props: EC2.DeleteRouteRequest): Promise { + Logger.log(LOG_LEVEL.INFO, 'delete Route') + Logger.log(LOG_LEVEL.INFO, `Print Props: `, props) + try { + await this.Ec2Client.deleteRoute(props).promise() + return Promise.resolve() + } catch (error) { + return Promise.reject(error) + } + } + + async modifyTransitGatewayAttachement(props: EC2.ModifyTransitGatewayVpcAttachmentRequest) { + Logger.log(LOG_LEVEL.INFO, `modify the transit gateway attachment`) + Logger.log(LOG_LEVEL.INFO, `Print Props: `, props) + try { + const response = await this.Ec2Client.modifyTransitGatewayVpcAttachment(props).promise() + return Promise.resolve(response) + } catch (error) { + return Promise.resolve(error) + } + } +} \ No newline at end of file diff --git a/source/networkFirewallAutomation/lib/service/network-firewall-service.ts b/source/networkFirewallAutomation/lib/service/network-firewall-service.ts new file mode 100644 index 0000000..9c7a0d6 --- /dev/null +++ b/source/networkFirewallAutomation/lib/service/network-firewall-service.ts 
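Review bot: `modifyTransitGatewayAttachement` ends its `catch` with `return Promise.resolve(error)`, so a failed ModifyTransitGatewayVpcAttachment call resolves as though it had succeeded, and the caller in ec2-manager only logs the error object at INFO as the API response. Appliance mode would then stay unchanged with nothing signalling the failure; the other methods in this class reject, and this one should too: `return Promise.reject(error)`. In `describeRouteTables`, `routeTables?.concat(response.RouteTables)` throws its result away because `concat` returns a new array, so route tables from later pages are dropped; `routeTables = (routeTables ?? []).concat(response.RouteTables)` keeps them. `deleteRoute` and `modifyTransitGatewayAttachement` also lack the one-line doc comment the first two methods carry.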
@@ -0,0 +1,308 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+import { ConfigurationOptions, NetworkFirewall } from 'aws-sdk'
+import { AwsClientConfig, Count } from './awsClientConfig'
+import { LOG_LEVEL, Logger } from '../common/logger'
+
+/**
+ * Service class which handles all the Network Firewall API integrations.
+ */
+export class NetworkFirewallService {
+
+ private NetworkFirewallInstance: NetworkFirewall
+ config: ConfigurationOptions
+ count: number
+
+ constructor() {
+ this.config = new AwsClientConfig().retry()
+ this.count = 0
+ this.NetworkFirewallInstance = new NetworkFirewall(this.config);
+ }
+
+ /** Creates Firewall configurations returns an void/undefined if the firewall doesn't not exist. */
+ async createFirewall(props: NetworkFirewall.CreateFirewallRequest) {
+ Logger.log(LOG_LEVEL.INFO, 'Creating Firewall')
+ Logger.log(LOG_LEVEL.INFO, `Print Props: ${JSON.stringify(props)}`)
+ try {
+ const response = await this.NetworkFirewallInstance.createFirewall(props).promise()
+ return Promise.resolve(response)
+ } catch (e) {
+ if (e.code === "ResourceNotFoundException") {
+ Logger.log(LOG_LEVEL.INFO, "Firewall Not Found")
+ return
+ }
+ return Promise.reject(e)
+ }
+ }
+
+ /** Creates a firewall policy and returns the response object received
+ * from the Network Firewall API. */
+ async createFirewallPolicy(props: NetworkFirewall.CreateFirewallPolicyRequest) {
+ Logger.log(LOG_LEVEL.INFO, 'Creating Firewall Policy')
+ Logger.log(LOG_LEVEL.INFO, `Print Props: ${JSON.stringify(props)}`)
+ return await this.NetworkFirewallInstance.createFirewallPolicy(props).promise()
+ }
+
+ /** Creates a rule group and returns the response object received from the Network Firewall API */
+ async createRuleGroup(props: NetworkFirewall.CreateRuleGroupRequest) {
+ Logger.log(LOG_LEVEL.INFO, 'Creating Firewall Rule Group')
+ Logger.log(LOG_LEVEL.INFO, `Print createRuleGroup Props`)
+ Logger.log(LOG_LEVEL.INFO, props)
+ return await this.NetworkFirewallInstance.createRuleGroup(props).promise()
+ }
+
+ /** Describes the firewall based on the input param firewallName, return void/undefined if there is not firewall with the firewall Name defined. */
+ async describeFirewall(firewallName: string): Promise {
+ Logger.log(LOG_LEVEL.INFO, 'Describe Firewall')
+ Logger.log(LOG_LEVEL.INFO, `Print Firewall Name: ${firewallName}`)
+ try {
+ const response = await this.NetworkFirewallInstance.describeFirewall({
+ FirewallName: firewallName
+ }
+ ).promise()
+ return Promise.resolve(response)
+ } catch (error) {
+ Logger.log(LOG_LEVEL.INFO, JSON.stringify(error))
+ if (error.code === "ResourceNotFoundException") {
+ Logger.log(LOG_LEVEL.INFO, "Firewall Not Found.")
+ return Promise.resolve()
+ }
+ return Promise.reject(error)
+ }
+ }
+
+ /** Describes the firewall policy and returns void/undefined if there is no firewall policy with the Name and/or Arn defined */
+ async describeFirewallPolicy(firewallPolicyName: string): Promise {
+ try {
+ const response = await this.NetworkFirewallInstance.describeFirewallPolicy({
+ FirewallPolicyName: firewallPolicyName
+ }).promise();
+ return Promise.resolve(response)
+ } catch (error) {
+ Logger.log(LOG_LEVEL.INFO, JSON.stringify(error))
+ if (error.code === "ResourceNotFoundException") {
+ Logger.log(LOG_LEVEL.INFO, "Firewall Policy Not Found.")
+ return Promise.resolve()
+ }
+ return Promise.reject(error)
+ }
+ }
+
+ /** Describes the rule group and returns an rule response object from the api, return void/undefined in case none is found, the
+ * method will retry API calls for a maximum of Count.minRetry value.
+ */
+ async describeRuleGroup(RuleGroupName: string, Type: string): Promise {
+ do {
+ try {
+ Logger.log(LOG_LEVEL.INFO, `Describing Rule Group: ${RuleGroupName} | Type: ${Type}`)
+ const response = await this.NetworkFirewallInstance.describeRuleGroup({
+ RuleGroupName: RuleGroupName,
+ Type: Type
+ }
+ ).promise()
+ return Promise.resolve(response)
+ } catch (error) {
+ Logger.log(LOG_LEVEL.INFO, JSON.stringify(error))
+ if (error.message === "ThrottlingException") {
+ this.count++ //increment the count
+ Logger.log(LOG_LEVEL.INFO, `Caught throttling exception, trying count: ${this.count}`)
+ }
+ if (error.code === "ResourceNotFoundException") {
+ Logger.log(LOG_LEVEL.INFO, "Rule Group Not Found.")
+ return Promise.resolve()
+ }
+ return Promise.reject(error)
+ }
+ } while (this.count == Count.minRetry)
+ }
+
+ /** Associates the firewall policy to the firewall. */
+ async associateFirewallPolicy(request: NetworkFirewall.AssociateFirewallPolicyRequest) {
+ try {
+ return await this.NetworkFirewallInstance.associateFirewallPolicy(request).promise()
+ } catch (error) {
+ Logger.log(LOG_LEVEL.DEBUG, error)
+ return Promise.reject(error)
+ }
+ }
+
+ /** associate tags to the firewall resource. */
+ async tagResource(request: NetworkFirewall.Types.TagResourceRequest) {
+ try {
+ return await this.NetworkFirewallInstance.tagResource(request).promise()
+ } catch (error) {
+ Logger.log(LOG_LEVEL.ERROR, `Failed to update tags for the firewall ${error}`)
+ // returning resolve to avoid pipeline failure due to tag change failure.
+ return Promise.resolve()
+ }
+ }
+
+ /** Updates the firewall policy and will override any configurations done to the firewall policy in the AWS console. Method will attempt multiple updates to the
+ * firewall policy until successful.
+ */
+ async updateFirewallPolicy(request: NetworkFirewall.Types.UpdateFirewallPolicyRequest) {
+ do {
+ try {
+ return await this.NetworkFirewallInstance.updateFirewallPolicy(request).promise()
+ } catch (error) {
+ if (error['message'] === 'Update token is invalid.') {
+ const describeResponse = await this.NetworkFirewallInstance.describeFirewallPolicy({
+ FirewallPolicyName: request.FirewallPolicyName
+ }).promise()
+ request.UpdateToken = describeResponse.UpdateToken
+ } else {
+ Logger.log(LOG_LEVEL.DEBUG, error)
+ return Promise.reject(error)
+ }
+ }
+ } while (request.UpdateToken)
+ return Promise.resolve()
+ }
+
+ async updateRuleGroup(updateRuleGroupRequest: NetworkFirewall.Types.UpdateRuleGroupRequest) {
+ let updateResponse;
+ do {
+ try {
+ updateResponse = await this.NetworkFirewallInstance.updateRuleGroup(updateRuleGroupRequest).promise();
+ updateRuleGroupRequest.UpdateToken = ''
+ } catch (error) {
+ if (error['message'] == 'Update token is invalid.') {
+ const describeResponse = await this.NetworkFirewallInstance.describeRuleGroup({ RuleGroupArn: updateRuleGroupRequest.RuleGroupArn }).promise()
+ updateRuleGroupRequest.UpdateToken = describeResponse.UpdateToken
+ } else {
+ Logger.log(LOG_LEVEL.INFO, `Error while trying to update the rule group ${updateRuleGroupRequest}: ${error}`)
+ return Promise.reject(error)
+ }
+ }
+ } while (updateRuleGroupRequest.UpdateToken)
+ Logger.log(LOG_LEVEL.INFO, `update response ${JSON.stringify(updateResponse)}`)
+ return Promise.resolve(updateResponse);
+ }
+
+ /**
+ * Update the firewall description.
+ * @param request NetworkFirewall.Types.UpdateFirewallDescriptionRequest
+ */
+ async updateFirewallDescription(request: NetworkFirewall.Types.UpdateFirewallDescriptionRequest) {
+ try {
+ return await this.NetworkFirewallInstance.updateFirewallDescription(request).promise();
+ } catch (error) {
+ Logger.log(LOG_LEVEL.DEBUG, error)
+ return Promise.reject(error)
+ }
+ }
+ /**
+ * Update the firewall delete protection attribute.
+ * @param request NetworkFirewall.Types.UpdateFirewallDeleteProtectionRequest
+ */
+ async updateFirewallDeleteProtection(request: NetworkFirewall.Types.UpdateFirewallDeleteProtectionRequest) {
+ try {
+ return await this.NetworkFirewallInstance.updateFirewallDeleteProtection(request).promise();
+ } catch (error) {
+ Logger.log(LOG_LEVEL.DEBUG, error)
+ return Promise.reject(error)
+ }
+ }
+
+ /**
+ * Update the firewall policy change protection attribute.
+ * @param request NetworkFirewall.Types.UpdateFirewallPolicyChangeProtectionRequest
+ */
+ async updateFirewallPolicyChangeProtection(request: NetworkFirewall.Types.UpdateFirewallPolicyChangeProtectionRequest) {
+ try {
+ return await this.NetworkFirewallInstance.updateFirewallPolicyChangeProtection(request).promise();
+ } catch (error) {
+ Logger.log(LOG_LEVEL.DEBUG, error)
+ return Promise.reject(error)
+ }
+ }
+ /**
+ * Update the subnet change protection attribute.
+ * @param request NetworkFirewall.Types.UpdateSubnetChangeProtectionRequest
+ */
+ async updateSubnetChangeProtection(request: NetworkFirewall.Types.UpdateSubnetChangeProtectionRequest) {
+ try {
+ return await this.NetworkFirewallInstance.updateSubnetChangeProtection(request).promise();
+ } catch (error) {
+ Logger.log(LOG_LEVEL.DEBUG, error)
+ return Promise.reject(error)
+ }
+ }
+
+ async updateLoggingConfiguration(firewallName: string, loggingConfiguration: NetworkFirewall.Types.LoggingConfiguration) {
+ Logger.log(LOG_LEVEL.INFO, loggingConfiguration)
+ let describeFirewallLoggingResponse
+ try {
+ describeFirewallLoggingResponse = await this.NetworkFirewallInstance.describeLoggingConfiguration({
+ FirewallName: firewallName
+ }).promise()
+ Logger.log(LOG_LEVEL.INFO, describeFirewallLoggingResponse);
+ //cleaning up the configuration stack currently in the firewall.
+ while (describeFirewallLoggingResponse.LoggingConfiguration && describeFirewallLoggingResponse.LoggingConfiguration.LogDestinationConfigs.length > 0) {
+
+ Logger.log(LOG_LEVEL.INFO, describeFirewallLoggingResponse)
+ if (describeFirewallLoggingResponse.LoggingConfiguration) {
+ describeFirewallLoggingResponse.LoggingConfiguration.LogDestinationConfigs.pop()
+ }
+
+ describeFirewallLoggingResponse = await this.NetworkFirewallInstance.updateLoggingConfiguration(describeFirewallLoggingResponse).promise()
+ }
+
+ for (let config of loggingConfiguration.LogDestinationConfigs) {
+ describeFirewallLoggingResponse.LoggingConfiguration?.LogDestinationConfigs.push(config)
+ describeFirewallLoggingResponse = await this.NetworkFirewallInstance.updateLoggingConfiguration(describeFirewallLoggingResponse).promise()
+ }
+
+ Logger.log(LOG_LEVEL.INFO, describeFirewallLoggingResponse)
+ } catch (error) {
+ Logger.log(LOG_LEVEL.INFO, `Failed to update firewall logging configuration`, error)
+ return Promise.resolve()
+ }
+ return Promise.resolve(describeFirewallLoggingResponse)
+ }
+
+ async listRuleGroupsForPolicy(firewallPolicyName: string): Promise {
+ let ruleGroupArns: string[] = [];
+ let response;
+
+ try {
+ response = await this.NetworkFirewallInstance.describeFirewallPolicy({ FirewallPolicyName: firewallPolicyName }).promise();
+ if (response && response.FirewallPolicy) {
+ response.FirewallPolicy?.StatefulRuleGroupReferences?.forEach((ruleGroup) => {
+ ruleGroupArns.push(ruleGroup.ResourceArn)
+ })
+ response.FirewallPolicy?.StatelessRuleGroupReferences?.forEach((ruleGroup) => {
+ ruleGroupArns.push(ruleGroup.ResourceArn)
+ })
+ } else {
+ Logger.log(LOG_LEVEL.INFO, `No firewall policy of the name: ${firewallPolicyName}`)
+ return Promise.resolve([])
+ }
+ return Promise.resolve(ruleGroupArns)
+ } catch (error) {
+ Logger.log(LOG_LEVEL.INFO, `Error trying to retrieve current rule groups configured ${JSON.stringify(error)}`)
+ return Promise.resolve([])
+ }
+
+ }
+
+ async deleteRuleGroup(ruleGroupArn: string) {
+ try {
+ await this.NetworkFirewallInstance.deleteRuleGroup({ RuleGroupArn: ruleGroupArn }).promise()
+ } catch (error) {
+ Logger.log(LOG_LEVEL.INFO, `Unable to delete rule group ${JSON.stringify(error)}`)
+ }
+ }
+
+}
diff --git a/source/networkFirewallAutomation/package.json b/source/networkFirewallAutomation/package.json
new file mode 100644
index 0000000..12a35c5
--- /dev/null
+++ b/source/networkFirewallAutomation/package.json
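Review bot: `updateLoggingConfiguration` pops the firewall's existing log destinations one at a time before pushing the new ones, and its catch block logs at INFO and ends in `return Promise.resolve()`, so a failure partway through can leave the firewall with fewer or no log destinations while the caller sees success. Logging at `LOG_LEVEL.ERROR` and ending the catch with `return Promise.reject(error)` would stop the pipeline when alert or flow logging was not applied. Separately, the retry described in the `describeRuleGroup` doc comment never happens: the throttling branch compares `error.message` rather than `error.code`, then falls through to `return Promise.reject(error)`, and the loop condition is `this.count == Count.minRetry`. A `continue` after the increment together with `while (this.count < Count.minRetry)` would match the comment, assuming `Count.minRetry` is the intended upper bound.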
@@ -0,0 +1,39 @@
+{
+ "name": "network-firewall",
+ "version": "1.0.0",
+ "description": "Network Firewall Manager",
+ "main": "index.js",
+ "types": "index.d.ts",
+ "author": "@aws-solutions",
+ "license": "Apache-2.0",
+ "dependencies": {
+ "aws-sdk": "^2.804.0",
+ "axios": "^0.21.1",
+ "moment": "^2.27.0",
+ "uuid": "^8.3.2"
+ },
+ "scripts": {
+ "cleanup": "tsc --build ./ --clean && rm -rf node_modules && rm -f package-lock.json",
+ "watch": "tsc -w",
+ "test": "jest --coverage",
+ "cdk": "cdk",
+ "build:tsc": "tsc",
+ "build-init": "rm -rf dist && rm -f archive.zip && rm -rf coverage && mkdir -p dist/lib/service && mkdir -p dist/lib/common/configReader",
+ "build:copy": "for file in `find . -name '*.js' | egrep -v '__tests__|node_modules'`;do echo \"Copying $file\"; cp $file dist/$file; done",
+ "build:install": "cp package.json dist/ && cd dist && ls -ltRr && npm install --production",
+ "build": "tsc && npm run build-init && npm run build:copy && npm run build:install",
+ "zip": "cd dist && zip -rq network-firewall-automation.zip ."
+ },
+ "devDependencies": {
+ "@types/jest": "^26.0.0",
+ "@types/moment": "^2.13.0",
+ "@types/node": "^14.14.10",
+ "@types/uuid": "^8.3.0",
+ "aws-sdk-mock": "^5.1.0",
+ "jest": "^25.0.0",
+ "jest-sonar-reporter": "^2.0.0",
+ "ts-jest": "^25.3.1",
+ "ts-node": "^9.0.0",
+ "typescript": "^3.4.0"
+ }
+}
diff --git a/source/networkFirewallAutomation/tsconfig.json b/source/networkFirewallAutomation/tsconfig.json
new file mode 100644
index 0000000..07afb1f
--- /dev/null
+++ b/source/networkFirewallAutomation/tsconfig.json
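Review bot: The `build:install` script copies only `package.json` into `dist/` and runs `npm install --production` there, and `cleanup` deletes `package-lock.json`, so the zipped bundle resolves `aws-sdk`, `axios`, `moment` and `uuid` from their caret ranges at build time instead of from a reviewed lockfile. Two builds of the same commit can therefore ship different dependency versions. Committing `package-lock.json`, changing the copy to `cp package.json package-lock.json dist/` and installing with `npm ci --production` would make the shipped dependency set reproducible and auditable.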
@@ -0,0 +1,34 @@ +{ + "compilerOptions": { + "alwaysStrict": true, + "charset": "utf8", + "declaration": true, + "experimentalDecorators": true, + "inlineSourceMap": true, + "inlineSources": true, + "lib": [ + "es2018" + ], + "module": "CommonJS", + "noEmitOnError": true, + "noFallthroughCasesInSwitch": true, + "noImplicitAny": true, + "noImplicitReturns": true, + "noImplicitThis": true, + "noUnusedLocals": true, + "noUnusedParameters": true, + "resolveJsonModule": true, + "strict": true, + "strictNullChecks": true, + "strictPropertyInitialization": true, + "stripInternal": true, + "target": "ES2018" + }, + "include": [ + "**/*.ts" + ], + "exclude": [ + "node_modules" + ], + "_generated_by_jsii_": "Generated by jsii - safe to delete, and ideally should be in .gitignore" +} diff --git a/source/package.json b/source/package.json new file mode 100755 index 0000000..ae3b71b --- /dev/null +++ b/source/package.json 
@@ -0,0 +1,47 @@
+{
+ "name": "network-firewall-automation-solution",
+ "version": "1.0.0",
+ "description": "Network Firewall Automation solution.",
+ "bin": {
+ "network-firewall-auto-solution": "bin/network-firewall-auto-solution.js"
+ },
+ "scripts": {
+ "cleanup": "tsc --build ./ --clean && rm -rf node_modules && rm -f package-lock.json",
+ "watch": "tsc -w",
+ "test": "jest",
+ "cdk": "cdk",
+ "build": "tsc"
+ },
+ "author": {
+ "name": "Amazon Web Services",
+ "url": "https://aws.amazon.com",
+ "organization": true
+ },
+ "license": "Apache-2.0",
+ "devDependencies": {
+ "@aws-cdk/assert": "1.77.0",
+ "@types/jest": "^25.2.1",
+ "@types/node": "10.17.5",
+ "@types/source-map-support": "^0.5.3",
+ "aws-cdk": "^1.77.0",
+ "jest": "^25.0.0",
+ "ts-jest": "^25.3.1",
+ "ts-node": "^8.1.0",
+ "typescript": "~3.7.2"
+ },
+ "dependencies": {
+ "@aws-cdk/aws-codebuild": "1.77.0",
+ "@aws-cdk/aws-codecommit": "1.77.0",
+ "@aws-cdk/aws-codedeploy": "1.77.0",
+ "@aws-cdk/aws-codepipeline": "1.77.0",
+ "@aws-cdk/aws-codepipeline-actions": "1.77.0",
+ "@aws-cdk/aws-ec2": "1.77.0",
+ "@aws-cdk/aws-events-targets": "1.77.0",
+ "@aws-cdk/aws-kms": "1.77.0",
+ "@aws-cdk/aws-lambda": "1.77.0",
+ "@aws-cdk/aws-s3": "1.77.0",
+ "@aws-cdk/aws-ssm": "1.77.0",
+ "@aws-cdk/core": "1.77.0",
+ "source-map-support": "^0.5.16"
+ }
+}
diff --git a/source/run-all-tests.sh b/source/run-all-tests.sh
new file mode 100755
index 0000000..9ece813
--- /dev/null
+++ b/source/run-all-tests.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# This script runs all tests for the root CDK project, as well as any microservices, Lambda functions, or dependency
+# source code packages. These include unit tests, integration tests, and snapshot tests.
+#
+# This script is called by the ../initialize-repo.sh file and the buildspec.yml file. It is important that this script
+# be tested and validated to ensure that all available test fixtures are run.
+#
+# The if/then blocks are for error handling. They will cause the script to stop executing if an error is thrown from the
+# node process running the test case(s). Removing them or not using them for additional calls with result in the
+# script continuing to execute despite an error being thrown.
+
+# Save the current working directory
+source_dir=$PWD
+
+# Test the CDK project
+npm install
+npm run build
+npm run test
+if [ "$?" = "1" ]; then
+ echo "(source/run-all-tests.sh) ERROR: there is likely output above." 1>&2
+ exit 1
+fi
+
+#Run the npm install for the lambda projects
+echo "cd $source_dir/networkFirewallAutomation"
+cd $source_dir/networkFirewallAutomation
+echo "npm run test"
+npm run test
+
+if [ "$?" = "1" ]; then
+ echo "(source/run-all-tests.sh) ERROR: there is likely output above." 1>&2
+ exit 1
+fi
+
+# Return to the source/ level
+cd $source_dir
\ No newline at end of file
diff --git a/source/test/__snapshots__/network-firewall-automation-solution.test.ts.snap b/source/test/__snapshots__/network-firewall-automation-solution.test.ts.snap
new file mode 100644
index 0000000..7aa6334
--- /dev/null
+++ b/source/test/__snapshots__/network-firewall-automation-solution.test.ts.snap
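Review bot: Both guards test `[ "$?" = "1" ]` directly after `npm run test`, so only an exit status of exactly 1 from the test run stops the script. A failing `npm install` or `npm run build`, or a test run that exits with any other non-zero status, lets the script continue and finish with the status of the final `cd`. Testing `[ "$?" -ne 0 ]` after each command, or chaining the steps as `npm install && npm run build && npm run test || exit 1`, closes that gap. The comment `#Run the npm install for the lambda projects` also does not match the code, which only runs `npm run test` in `networkFirewallAutomation`.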
@@ -0,0 +1,3364 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`NetworkFirewallAutomationStack Snapshot test 1`] = ` +Object { + "AWSTemplateFormatVersion": "2010-09-09", + "Conditions": Object { + "CreateDefaultRouteFirewallRT": Object { + "Fn::And": Array [ + Object { + "Fn::Not": Array [ + Object { + "Fn::Equals": Array [ + Object { + "Ref": "TransitGatewayRTIdForDefaultRoute", + }, + "", + ], + }, + ], + }, + Object { + "Condition": "CreateTransitGatewayAttachment", + }, + ], + }, + "CreateTransitGatewayAttachment": Object { + "Fn::Not": Array [ + Object { + "Fn::Equals": Array [ + Object { + "Ref": "ExistingTransitGateway", + }, + "", + ], + }, + ], + }, + "CreateTransitGatewayRTAssociation": Object { + "Fn::And": Array [ + Object { + "Fn::Not": Array [ + Object { + "Fn::Equals": Array [ + Object { + "Ref": "TransitGatewayRouteTableIdForAssociation", + }, + "", + ], + }, + ], + }, + Object { + "Condition": "CreateTransitGatewayAttachment", + }, + ], + }, + "LoggingInCloudWatch": Object { + "Fn::Equals": Array [ + Object { + "Ref": "logDestinationType", + }, + "CloudWatchLogs", + ], + }, + "LoggingInS3": Object { + "Fn::Equals": Array [ + Object { + "Ref": "logDestinationType", + }, + "S3", + ], + }, + "NotLoggingConfigureManually": Object { + "Fn::Not": Array [ + Object { + "Fn::Equals": Array [ + Object { + "Ref": "logDestinationType", + }, + "ConfigureManually", + ], + }, + ], + }, + }, + "Mappings": Object { + "Send": Object { + "AnonymousUsage": Object { + "Data": "Yes", + }, + "ParameterKey": Object { + "UniqueId": "/Solutions/network-firewall-automation/UUID", + }, + }, + "SolutionMapping": Object { + "CodeCommitRepo": Object { + "Name": "network-firewall-config-repo-", + }, + "Log": Object { + "Level": "info", + }, + "Metrics": Object { + "URL": "https://metrics.awssolutionsbuilder.com/generic", + }, + "Route": Object { + "QuadZero": "0.0.0.0/0", + }, + "Solution": Object { + "Identifier": "SO0108", + }, + "TransitGatewayAttachment": Object { 
+ "ApplianceMode": "enable", + }, + "Version": Object { + "Latest": "latest", + }, + }, + }, + "Metadata": Object { + "AWS::CloudFormation::Interface": Object { + "ParameterGroups": Array [ + Object { + "Label": Object { + "default": "VPC Configuration", + }, + "Parameters": Array [ + "cidrBlock", + ], + }, + Object { + "Label": Object { + "default": "Transit Gateway Configuration", + }, + "Parameters": Array [ + "ExistingTransitGateway", + "TransitGatewayRouteTableIdForAssociation", + "TransitGatewayRTIdForDefaultRoute", + ], + }, + Object { + "Label": Object { + "default": "Firewall Logging Configuration", + }, + "Parameters": Array [ + "logDestinationType", + "logType", + "LogRetentionPeriod", + ], + }, + ], + "ParameterLabels": Object { + "ExistingTransitGateway": Object { + "default": "Provide the existing AWS Transit Gateway ID you wish to attach to the Inspection VPC", + }, + "LogRetentionPeriod": Object { + "default": "Select the log retention period for Network Firewall Logs.", + }, + "TransitGatewayRTIdForDefaultRoute": Object { + "default": "Provide the AWS Transit Gateway Route Table to receive 0.0.0.0/0 route to the Inspection VPC TGW Attachment.", + }, + "TransitGatewayRouteTableIdForAssociation": Object { + "default": "Provide AWS Transit Gateway Route Table to be associated with the Inspection VPC TGW Attachment.", + }, + "cidrBlock": Object { + "default": "Provide the CIDR block for the Inspection VPC", + }, + "logDestinationType": Object { + "default": "Select the type of log destination for the Network Firewall", + }, + "logType": Object { + "default": "Select the type of log to send to the defined log destination.", + }, + }, + }, + }, + "Outputs": Object { + "ArtifactBucketforCodePipeline": Object { + "Description": "Artifact bucket name configured for the CodePipeline.", + "Value": Object { + "Ref": "NetworkFirewallCodePipelineArtifactsBucketF2569455", + }, + }, + "CloudWatchLogGroupforFirewallLogs": Object { + "Description": "CloudWatch Log 
Group used as the log destination for Firewall Logs.", + "Value": Object { + "Fn::If": Array [ + "LoggingInCloudWatch", + Object { + "Ref": "CloudWatchLogGroup", + }, + "NotConfigured", + ], + }, + }, + "CodeBuildsourcecodebucket": Object { + "Description": "Code Build source code bucket", + "Value": Object { + "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", + }, + }, + "FirewallSubnet1ID": Object { + "Description": "Subnet 1 associated with Network Firewall.", + "Value": Object { + "Ref": "NetworkFirewallSubnet1", + }, + }, + "FirewallSubnet2ID": Object { + "Description": "Subnet 2 associated with Network Firewall.", + "Value": Object { + "Ref": "NetworkFirewallSubnet2", + }, + }, + "InspectionVPCID": Object { + "Description": "Inspection VPC ID to create Network Firewall.", + "Value": Object { + "Ref": "VPC", + }, + }, + "NetworkFirewallAvailabilityZone1": Object { + "Description": "Availability Zone configured for Network Firewall subnet 1", + "Value": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallSubnet1", + "AvailabilityZone", + ], + }, + }, + "NetworkFirewallAvailabilityZone2": Object { + "Description": "Availability Zone configured for Network Firewall subnet 2", + "Value": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallSubnet2", + "AvailabilityZone", + ], + }, + }, + "S3BucketforFirewallLogs": Object { + "Description": "S3 Bucket used as the log destination for Firewall Logs.", + "Value": Object { + "Fn::If": Array [ + "LoggingInS3", + Object { + "Ref": "Logs6819BB44", + }, + "NotConfigured", + ], + }, + }, + "TransitGatewaySubnet1ID": Object { + "Description": "Subnet 1 associated with Transit Gateway.", + "Value": Object { + "Ref": "VPCTGWSubnet1", + }, + }, + "TransitGatewaySubnet2ID": Object { + "Description": "Subnet 1 associated with Transit Gateway.", + "Value": Object { + "Ref": "VPCTGWSubnet2", + }, + }, + }, + "Parameters": Object { + "ExistingTransitGateway": Object { + "Default": "", + "Description": "Existing AWS Transit Gateway 
id.", + "Type": "String", + }, + "LogRetentionPeriod": Object { + "AllowedValues": Array [ + "1", + "3", + "5", + "7", + "14", + "30", + "60", + "90", + "120", + "150", + "180", + "365", + "400", + "545", + "731", + "1827", + "3653", + ], + "Default": 90, + "Description": "Log retention period in days.", + "Type": "Number", + }, + "TransitGatewayRTIdForDefaultRoute": Object { + "Default": "", + "Description": "Existing AWS Transit Gateway route table id. Example: Spoke VPC Route Table. Format: tgw-rtb-4e5f6g7h", + "Type": "String", + }, + "TransitGatewayRouteTableIdForAssociation": Object { + "Default": "", + "Description": "Existing AWS Transit Gateway route table id. Example: Firewall Route Table. Format: tgw-rtb-0a1b2c3d", + "Type": "String", + }, + "cidrBlock": Object { + "AllowedPattern": "^(?:[0-9]{1,3}.){3}[0-9]{1,3}[/]([0-9]?[0-6]?|[1][7-9])$", + "Default": "192.168.1.0/26", + "Description": "CIDR Block for VPC. Must be /26 or larger CIDR block.", + "Type": "String", + }, + "logDestinationType": Object { + "AllowedValues": Array [ + "S3", + "CloudWatchLogs", + "ConfigureManually", + ], + "Default": "CloudWatchLogs", + "Description": "The type of storage destination to send these logs to. You can send logs to an Amazon S3 bucket or a CloudWatch log group.", + "Type": "String", + }, + "logType": Object { + "AllowedValues": Array [ + "ALERT", + "FLOW", + "EnableBoth", + ], + "Default": "FLOW", + "Description": "The type of log to send. Alert logs report traffic that matches a StatefulRule with an action setting that sends an alert log message. 
Flow logs are standard network traffic flow logs.", + "Type": "String", + }, + }, + "Resources": Object { + "BuildProject097C5DB7": Object { + "Properties": Object { + "Artifacts": Object { + "Type": "CODEPIPELINE", + }, + "EncryptionKey": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + "Environment": Object { + "ComputeType": "BUILD_GENERAL1_SMALL", + "EnvironmentVariables": Array [ + Object { + "Name": "LOG_LEVEL", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "Log", + "Level", + ], + }, + }, + Object { + "Name": "VPC_ID", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "VPC", + }, + }, + Object { + "Name": "SUBNET_IDS", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "NetworkFirewallSubnet1", + }, + ",", + Object { + "Ref": "NetworkFirewallSubnet2", + }, + ], + ], + }, + }, + Object { + "Name": "LOG_TYPE", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "logType", + }, + }, + Object { + "Name": "LOG_DESTINATION_TYPE", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "logDestinationType", + }, + }, + Object { + "Name": "S3_LOG_BUCKET_NAME", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::If": Array [ + "LoggingInS3", + Object { + "Ref": "Logs6819BB44", + }, + "NotConfigured", + ], + }, + }, + Object { + "Name": "CLOUDWATCH_LOG_GROUP_NAME", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::If": Array [ + "LoggingInCloudWatch", + Object { + "Ref": "CloudWatchLogGroup", + }, + "NotConfigured", + ], + }, + }, + Object { + "Name": "VPC_TGW_ATTACHMENT_AZ_1", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallSubnet1", + "AvailabilityZone", + ], + }, + }, + Object { + "Name": "VPC_TGW_ATTACHMENT_AZ_2", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallSubnet2", + "AvailabilityZone", + ], + }, + }, + Object { + "Name": 
"VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_1", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "VPCTGWRouteTable1", + }, + }, + Object { + "Name": "VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_2", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "VPCTGWRouteTable2", + }, + }, + Object { + "Name": "CODE_BUILD_SOURCE_CODE_S3_KEY", + "Type": "PLAINTEXT", + "Value": "network-firewall-automation/v1.0.0", + }, + Object { + "Name": "STACK_ID", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "AWS::StackId", + }, + }, + Object { + "Name": "SSM_PARAM_FOR_UUID", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "Send", + "ParameterKey", + "UniqueId", + ], + }, + }, + Object { + "Name": "SEND_ANONYMOUS_METRICS", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "Send", + "AnonymousUsage", + "Data", + ], + }, + }, + Object { + "Name": "SOLUTION_ID", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "Solution", + "Identifier", + ], + }, + }, + Object { + "Name": "METRICS_URL", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "Metrics", + "URL", + ], + }, + }, + Object { + "Name": "TRANSIT_GATEWAY_ATTACHMENT_ID", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::If": Array [ + "CreateTransitGatewayAttachment", + Object { + "Ref": "VPCTGWATTACHMENT", + }, + "", + ], + }, + }, + Object { + "Name": "TRANSIT_GATEWAY_ATTACHMENT_APPLIANCE_MODE", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "TransitGatewayAttachment", + "ApplianceMode", + ], + }, + }, + ], + "Image": "aws/codebuild/standard:4.0", + "ImagePullCredentialsType": "CODEBUILD", + "PrivilegedMode": false, + "Type": "LINUX_CONTAINER", + }, + "ServiceRole": Object { + "Fn::GetAtt": Array [ + "BuildProjectRoleAA92C755", + "Arn", + ], + }, + "Source": Object { + "BuildSpec": Object { + "Fn::Join": Array [ + "", + Array [ + "{ + \\"version\\": \\"0.2\\", + 
\\"phases\\": { + \\"install\\": { + \\"runtime-versions\\": { + \\"nodejs\\": \\"12\\" + }, + \\"commands\\": [ + \\"export current=$(pwd)\\", + \\"export sourceCodeKey=$CODE_BUILD_SOURCE_CODE_S3_KEY\\" + ] + }, + \\"pre_build\\": { + \\"commands\\": [ + \\"cd $current\\", + \\"pwd; ls -ltr\\", + \\"echo 'Download Network Firewall Solution Package'\\", + \\"aws s3 cp s3://", + Object { + "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", + }, + "/$sourceCodeKey/network-firewall-automation.zip $current || true\\", + \\"if [ -f $current/network-firewall-automation.zip ];then exit 0;else echo \\\\\\"Copy file to s3 bucket\\\\\\"; aws s3 cp s3://solutions-", + Object { + "Ref": "AWS::Region", + }, + "/$sourceCodeKey/network-firewall-automation.zip s3://", + Object { + "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", + }, + "/$sourceCodeKey/network-firewall-automation.zip; aws s3 cp s3://", + Object { + "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", + }, + "/$sourceCodeKey/network-firewall-automation.zip $current; fi;\\", + \\"unzip -o $current/network-firewall-automation.zip -d $current\\", + \\"pwd; ls -ltr\\" + ] + }, + \\"build\\": { + \\"commands\\": [ + \\"echo \\\\\\"Validating the firewall config\\\\\\"\\", + \\"node build.js\\" + ] + } + }, + \\"artifacts\\": { + \\"files\\": \\"**/*\\" + } +}", + ], + ], + }, + "Type": "CODEPIPELINE", + }, + }, + "Type": "AWS::CodeBuild::Project", + }, + "BuildProjectRoleAA92C755": Object { + "Properties": Object { + "AssumeRolePolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": Object { + "Service": "codebuild.amazonaws.com", + }, + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::IAM::Role", + }, + "BuildProjectRoleDefaultPolicy3E9F248C": Object { + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + ], + 
"Effect": "Allow", + "Resource": Array [ + Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":logs:eu-west-1:1234:log-group:/aws/codebuild/", + Object { + "Ref": "BuildProject097C5DB7", + }, + ], + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":logs:eu-west-1:1234:log-group:/aws/codebuild/", + Object { + "Ref": "BuildProject097C5DB7", + }, + ":*", + ], + ], + }, + ], + }, + Object { + "Action": Array [ + "codebuild:CreateReportGroup", + "codebuild:CreateReport", + "codebuild:UpdateReport", + "codebuild:BatchPutTestCases", + "codebuild:BatchPutCodeCoverages", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":codebuild:eu-west-1:1234:report-group/", + Object { + "Ref": "BuildProject097C5DB7", + }, + "-*", + ], + ], + }, + }, + Object { + "Action": Array [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*", + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*", + ], + "Effect": "Allow", + "Resource": Array [ + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + "/*", + ], + ], + }, + ], + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + 
], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "BuildProjectRoleDefaultPolicy3E9F248C", + "Roles": Array [ + Object { + "Ref": "BuildProjectRoleAA92C755", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "CloudWatchLogGroup": Object { + "Condition": "LoggingInCloudWatch", + "Properties": Object { + "KmsKeyId": Object { + "Fn::GetAtt": Array [ + "KMSKeyForNetworkFirewallLogDestinations70A79322", + "Arn", + ], + }, + "RetentionInDays": Object { + "Ref": "LogRetentionPeriod", + }, + }, + "Type": "AWS::Logs::LogGroup", + }, + "CloudWatchLogsForNetworkFirewallBucketPolicy611AC31C": Object { + "Condition": "LoggingInS3", + "DeletionPolicy": "Retain", + "Properties": Object { + "Bucket": Object { + "Ref": "Logs6819BB44", + }, + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "s3:GetObject", + "Condition": Object { + "Bool": Object { + "aws:SecureTransport": false, + }, + }, + "Effect": "Deny", + "Principal": "*", + "Resource": Array [ + Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::GetAtt": Array [ + "Logs6819BB44", + "Arn", + ], + }, + "/*", + ], + ], + }, + Object { + "Fn::GetAtt": Array [ + "Logs6819BB44", + "Arn", + ], + }, + ], + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::S3::BucketPolicy", + "UpdateReplacePolicy": "Retain", + }, + "CodeBuildStageSourceCodeBucketPolicyF19BA2A0": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "Bucket": Object { + "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", + }, + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "s3:GetObject", + "Condition": Object { + "Bool": Object { + "aws:SecureTransport": false, + }, + }, + "Effect": "Deny", + "Principal": "*", + "Resource": Array [ + Object { + "Fn::GetAtt": Array [ + "CodeBuildStagesSourceCodeBucketFA98E7C7", + "Arn", + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::GetAtt": Array [ + "CodeBuildStagesSourceCodeBucketFA98E7C7", + "Arn", 
+ ], + }, + "/*", + ], + ], + }, + ], + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::S3::BucketPolicy", + "UpdateReplacePolicy": "Retain", + }, + "CodeBuildStagesSourceCodeBucketFA98E7C7": Object { + "DeletionPolicy": "Retain", + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W35", + "reason": "Source Code bucket bucket does not require logging configuration", + }, + Object { + "id": "W51", + "reason": "Source Code bucket is private and does not require a bucket policy", + }, + ], + }, + }, + "Properties": Object { + "BucketEncryption": Object { + "ServerSideEncryptionConfiguration": Array [ + Object { + "ServerSideEncryptionByDefault": Object { + "KMSMasterKeyID": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + "SSEAlgorithm": "aws:kms", + }, + }, + ], + }, + "PublicAccessBlockConfiguration": Object { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true, + }, + }, + "Type": "AWS::S3::Bucket", + "UpdateReplacePolicy": "Retain", + }, + "CodePipelineArtifactS3BucketPolicy6FFF9EE9": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "Bucket": Object { + "Ref": "NetworkFirewallCodePipelineArtifactsBucketF2569455", + }, + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "s3:DeleteBucket", + "Effect": "Allow", + "Principal": Object { + "Service": "cloudformation.amazonaws.com", + }, + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + }, + Object { + "Action": "s3:GetObject", + "Condition": Object { + "Bool": Object { + "aws:SecureTransport": false, + }, + }, + "Effect": "Deny", + "Principal": "*", + "Resource": Array [ + Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", 
+ ], + }, + "/*", + ], + ], + }, + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + ], + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::S3::BucketPolicy", + "UpdateReplacePolicy": "Retain", + }, + "DefaultRouteSpokeVPCTGWRouteTable": Object { + "Condition": "CreateDefaultRouteFirewallRT", + "DeletionPolicy": "Retain", + "Properties": Object { + "DestinationCidrBlock": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "Route", + "QuadZero", + ], + }, + "TransitGatewayAttachmentId": Object { + "Ref": "VPCTGWATTACHMENT", + }, + "TransitGatewayRouteTableId": Object { + "Ref": "TransitGatewayRTIdForDefaultRoute", + }, + }, + "Type": "AWS::EC2::TransitGatewayRoute", + }, + "DeployProject1CF7CB79": Object { + "Properties": Object { + "Artifacts": Object { + "Type": "CODEPIPELINE", + }, + "EncryptionKey": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + "Environment": Object { + "ComputeType": "BUILD_GENERAL1_SMALL", + "EnvironmentVariables": Array [ + Object { + "Name": "LOG_LEVEL", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "Log", + "Level", + ], + }, + }, + Object { + "Name": "VPC_ID", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "VPC", + }, + }, + Object { + "Name": "SUBNET_IDS", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "NetworkFirewallSubnet1", + }, + ",", + Object { + "Ref": "NetworkFirewallSubnet2", + }, + ], + ], + }, + }, + Object { + "Name": "LOG_TYPE", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "logType", + }, + }, + Object { + "Name": "LOG_DESTINATION_TYPE", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "logDestinationType", + }, + }, + Object { + "Name": "S3_LOG_BUCKET_NAME", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::If": Array [ + "LoggingInS3", + Object { + "Ref": 
"Logs6819BB44", + }, + "NotConfigured", + ], + }, + }, + Object { + "Name": "CLOUDWATCH_LOG_GROUP_NAME", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::If": Array [ + "LoggingInCloudWatch", + Object { + "Ref": "CloudWatchLogGroup", + }, + "NotConfigured", + ], + }, + }, + Object { + "Name": "VPC_TGW_ATTACHMENT_AZ_1", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallSubnet1", + "AvailabilityZone", + ], + }, + }, + Object { + "Name": "VPC_TGW_ATTACHMENT_AZ_2", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallSubnet2", + "AvailabilityZone", + ], + }, + }, + Object { + "Name": "VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_1", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "VPCTGWRouteTable1", + }, + }, + Object { + "Name": "VPC_TGW_ATTACHMENT_ROUTE_TABLE_ID_2", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "VPCTGWRouteTable2", + }, + }, + Object { + "Name": "CODE_BUILD_SOURCE_CODE_S3_KEY", + "Type": "PLAINTEXT", + "Value": "network-firewall-automation/v1.0.0", + }, + Object { + "Name": "STACK_ID", + "Type": "PLAINTEXT", + "Value": Object { + "Ref": "AWS::StackId", + }, + }, + Object { + "Name": "SSM_PARAM_FOR_UUID", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "Send", + "ParameterKey", + "UniqueId", + ], + }, + }, + Object { + "Name": "SEND_ANONYMOUS_METRICS", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "Send", + "AnonymousUsage", + "Data", + ], + }, + }, + Object { + "Name": "SOLUTION_ID", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "Solution", + "Identifier", + ], + }, + }, + Object { + "Name": "METRICS_URL", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "Metrics", + "URL", + ], + }, + }, + Object { + "Name": "TRANSIT_GATEWAY_ATTACHMENT_ID", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::If": Array [ + "CreateTransitGatewayAttachment", + 
Object { + "Ref": "VPCTGWATTACHMENT", + }, + "", + ], + }, + }, + Object { + "Name": "TRANSIT_GATEWAY_ATTACHMENT_APPLIANCE_MODE", + "Type": "PLAINTEXT", + "Value": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "TransitGatewayAttachment", + "ApplianceMode", + ], + }, + }, + ], + "Image": "aws/codebuild/standard:4.0", + "ImagePullCredentialsType": "CODEBUILD", + "PrivilegedMode": false, + "Type": "LINUX_CONTAINER", + }, + "ServiceRole": Object { + "Fn::GetAtt": Array [ + "DeployProjectRole588C8C1D", + "Arn", + ], + }, + "Source": Object { + "BuildSpec": Object { + "Fn::Join": Array [ + "", + Array [ + "{ + \\"version\\": \\"0.2\\", + \\"phases\\": { + \\"install\\": { + \\"runtime-versions\\": { + \\"nodejs\\": \\"12\\" + }, + \\"commands\\": [ + \\"export current=$(pwd)\\", + \\"export sourceCodeKey=$CODE_BUILD_SOURCE_CODE_S3_KEY\\" + ] + }, + \\"pre_build\\": { + \\"commands\\": [ + \\"cd $current\\", + \\"pwd; ls -ltr\\", + \\"echo 'Download Network Firewall Solution Package'\\", + \\"aws s3 cp s3://", + Object { + "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", + }, + "/$sourceCodeKey/network-firewall-automation.zip $current\\", + \\"unzip -o $current/network-firewall-automation.zip -d $current\\", + \\"pwd; ls -ltr\\" + ] + }, + \\"build\\": { + \\"commands\\": [ + \\"echo \\\\\\"Initiating Network Firewall Automation\\\\\\"\\", + \\"node index.js\\" + ] + }, + \\"post_build\\": { + \\"commands\\": [] + } + }, + \\"artifacts\\": { + \\"files\\": \\"**/*\\" + } +}", + ], + ], + }, + "Type": "CODEPIPELINE", + }, + }, + "Type": "AWS::CodeBuild::Project", + }, + "DeployProjectRole588C8C1D": Object { + "Properties": Object { + "AssumeRolePolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": Object { + "Service": "codebuild.amazonaws.com", + }, + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::IAM::Role", + }, + "DeployProjectRoleDefaultPolicy52AEA98B": Object { + 
"Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + ], + "Effect": "Allow", + "Resource": Array [ + Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":logs:eu-west-1:1234:log-group:/aws/codebuild/", + Object { + "Ref": "DeployProject1CF7CB79", + }, + ], + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":logs:eu-west-1:1234:log-group:/aws/codebuild/", + Object { + "Ref": "DeployProject1CF7CB79", + }, + ":*", + ], + ], + }, + ], + }, + Object { + "Action": Array [ + "codebuild:CreateReportGroup", + "codebuild:CreateReport", + "codebuild:UpdateReport", + "codebuild:BatchPutTestCases", + "codebuild:BatchPutCodeCoverages", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":codebuild:eu-west-1:1234:report-group/", + Object { + "Ref": "DeployProject1CF7CB79", + }, + "-*", + ], + ], + }, + }, + Object { + "Action": Array [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*", + ], + "Effect": "Allow", + "Resource": Array [ + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + "/*", + ], + ], + }, + ], + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:DescribeKey", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + 
"NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "DeployProjectRoleDefaultPolicy52AEA98B", + "Roles": Array [ + Object { + "Ref": "DeployProjectRole588C8C1D", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "FirewallSubnetRouteTable": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "Tags": Array [ + Object { + "Key": "Name", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "AWS::StackName", + }, + "-FirewallSubnetRouteTable", + ], + ], + }, + }, + ], + "VpcId": Object { + "Ref": "VPC", + }, + }, + "Type": "AWS::EC2::RouteTable", + "UpdateReplacePolicy": "Retain", + }, + "FlowLog": Object { + "Properties": Object { + "DeliverLogsPermissionArn": Object { + "Fn::GetAtt": Array [ + "RoleFlowLogsCA794118", + "Arn", + ], + }, + "LogGroupName": Object { + "Ref": "AWS::StackName", + }, + "ResourceId": Object { + "Ref": "VPC", + }, + "ResourceType": "VPC", + "TrafficType": "ALL", + }, + "Type": "AWS::EC2::FlowLog", + }, + "KMSKeyForNetworkFirewallLogDestinations70A79322": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "Description": "This key will be used for encrypting the vpc flow logs and firewall logs.", + "EnableKeyRotation": true, + "KeyPolicy": Object { + "Statement": Array [ + Object { + "Action": Array [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion", + "kms:GenerateDataKey", + "kms:TagResource", + "kms:UntagResource", + ], + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":iam::1234:root", + ], + ], + }, + }, + "Resource": "*", + }, + Object { + "Action": "kms:GenerateDataKey*", + "Effect": "Allow", + "Principal": Object { + 
"Service": "delivery.logs.amazonaws.com", + }, + "Resource": "*", + }, + Object { + "Action": Array [ + "kms:Encrypt*", + "kms:Decrypt*", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*", + ], + "Effect": "Allow", + "Principal": Object { + "Service": Object { + "Fn::Join": Array [ + "", + Array [ + "logs.", + Object { + "Ref": "AWS::Region", + }, + ".amazonaws.com", + ], + ], + }, + }, + "Resource": "*", + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::KMS::Key", + "UpdateReplacePolicy": "Retain", + }, + "LogGroupFlowLogs": Object { + "Properties": Object { + "KmsKeyId": Object { + "Fn::GetAtt": Array [ + "KMSKeyForNetworkFirewallLogDestinations70A79322", + "Arn", + ], + }, + "LogGroupName": Object { + "Ref": "AWS::StackName", + }, + "RetentionInDays": Object { + "Ref": "LogRetentionPeriod", + }, + }, + "Type": "AWS::Logs::LogGroup", + }, + "Logs6819BB44": Object { + "Condition": "LoggingInS3", + "DeletionPolicy": "Retain", + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W35", + "reason": "Logs bucket does not require logging configuration", + }, + Object { + "id": "W51", + "reason": "Logs bucket is private and does not require a bucket policy", + }, + ], + }, + }, + "Properties": Object { + "BucketEncryption": Object { + "ServerSideEncryptionConfiguration": Array [ + Object { + "ServerSideEncryptionByDefault": Object { + "KMSMasterKeyID": Object { + "Fn::GetAtt": Array [ + "KMSKeyForNetworkFirewallLogDestinations70A79322", + "Arn", + ], + }, + "SSEAlgorithm": "aws:kms", + }, + }, + ], + }, + "LifecycleConfiguration": Object { + "Rules": Array [ + Object { + "ExpirationInDays": Object { + "Ref": "LogRetentionPeriod", + }, + "Status": "Enabled", + }, + ], + }, + "PublicAccessBlockConfiguration": Object { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true, + }, + }, + "Type": "AWS::S3::Bucket", + "UpdateReplacePolicy": 
"Retain", + }, + "NetworkFirewallCodePipelineA72E3ADD": Object { + "DependsOn": Array [ + "NetworkFirewallCodePipelineRoleDefaultPolicyF0142ABD", + "NetworkFirewallCodePipelineRoleDDD28B15", + ], + "Properties": Object { + "ArtifactStore": Object { + "EncryptionKey": Object { + "Id": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + "Type": "KMS", + }, + "Location": Object { + "Ref": "NetworkFirewallCodePipelineArtifactsBucketF2569455", + }, + "Type": "S3", + }, + "RoleArn": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineRoleDDD28B15", + "Arn", + ], + }, + "Stages": Array [ + Object { + "Actions": Array [ + Object { + "ActionTypeId": Object { + "Category": "Source", + "Owner": "AWS", + "Provider": "CodeCommit", + "Version": "1", + }, + "Configuration": Object { + "BranchName": "master", + "PollForSourceChanges": false, + "RepositoryName": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodeRepositoryF7BA0495", + "Name", + ], + }, + }, + "Name": "Source", + "OutputArtifacts": Array [ + Object { + "Name": "SourceArtifact", + }, + ], + "RoleArn": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineSourceCodePipelineActionRole67C89750", + "Arn", + ], + }, + "RunOrder": 1, + }, + ], + "Name": "Source", + }, + Object { + "Actions": Array [ + Object { + "ActionTypeId": Object { + "Category": "Build", + "Owner": "AWS", + "Provider": "CodeBuild", + "Version": "1", + }, + "Configuration": Object { + "ProjectName": Object { + "Ref": "BuildProject097C5DB7", + }, + }, + "InputArtifacts": Array [ + Object { + "Name": "SourceArtifact", + }, + ], + "Name": "CodeBuild", + "OutputArtifacts": Array [ + Object { + "Name": "BuildArtifact", + }, + ], + "RoleArn": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRole2A3E8726", + "Arn", + ], + }, + "RunOrder": 1, + }, + ], + "Name": "Validation", + }, + Object { + "Actions": Array [ + 
Object { + "ActionTypeId": Object { + "Category": "Build", + "Owner": "AWS", + "Provider": "CodeBuild", + "Version": "1", + }, + "Configuration": Object { + "ProjectName": Object { + "Ref": "DeployProject1CF7CB79", + }, + }, + "InputArtifacts": Array [ + Object { + "Name": "BuildArtifact", + }, + ], + "Name": "CodeDeploy", + "RoleArn": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRole6EA7639D", + "Arn", + ], + }, + "RunOrder": 1, + }, + ], + "Name": "Deployment", + }, + ], + }, + "Type": "AWS::CodePipeline::Pipeline", + }, + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060": Object { + "DeletionPolicy": "Delete", + "Properties": Object { + "EnableKeyRotation": true, + "KeyPolicy": Object { + "Statement": Array [ + Object { + "Action": Array [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion", + "kms:GenerateDataKey", + "kms:TagResource", + "kms:UntagResource", + ], + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":iam::1234:root", + ], + ], + }, + }, + "Resource": "*", + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineRoleDDD28B15", + "Arn", + ], + }, + }, + "Resource": "*", + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineSourceCodePipelineActionRole67C89750", + "Arn", + ], + }, + }, + "Resource": "*", + }, + 
Object { + "Action": Array [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::GetAtt": Array [ + "BuildProjectRoleAA92C755", + "Arn", + ], + }, + }, + "Resource": "*", + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::GetAtt": Array [ + "BuildProjectRoleAA92C755", + "Arn", + ], + }, + }, + "Resource": "*", + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:DescribeKey", + ], + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::GetAtt": Array [ + "DeployProjectRole588C8C1D", + "Arn", + ], + }, + }, + "Resource": "*", + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::GetAtt": Array [ + "DeployProjectRole588C8C1D", + "Arn", + ], + }, + }, + "Resource": "*", + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::KMS::Key", + "UpdateReplacePolicy": "Delete", + }, + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKeyAlias1704A536": Object { + "DeletionPolicy": "Delete", + "Properties": Object { + "AliasName": Object { + "Fn::Join": Array [ + "", + Array [ + "alias/", + Object { + "Ref": "AWS::StackName", + }, + "-artifactBucket-EncryptionKeyAlias", + ], + ], + }, + "TargetKeyId": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + }, + "Type": "AWS::KMS::Alias", + "UpdateReplacePolicy": "Delete", + }, + "NetworkFirewallCodePipelineArtifactsBucketF2569455": Object { + "DeletionPolicy": "Retain", + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W35", + "reason": "This S3 bucket is used as the destination for 
'NetworkFirewallCodePipelineArtifactsBucket'", + }, + ], + }, + }, + "Properties": Object { + "BucketEncryption": Object { + "ServerSideEncryptionConfiguration": Array [ + Object { + "ServerSideEncryptionByDefault": Object { + "KMSMasterKeyID": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + "SSEAlgorithm": "aws:kms", + }, + }, + ], + }, + "PublicAccessBlockConfiguration": Object { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true, + }, + }, + "Type": "AWS::S3::Bucket", + "UpdateReplacePolicy": "Retain", + }, + "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRole6EA7639D": Object { + "Properties": Object { + "AssumeRolePolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":iam::1234:root", + ], + ], + }, + }, + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::IAM::Role", + }, + "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRoleDefaultPolicyAB6FC4F9": Object { + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "codebuild:BatchGetBuilds", + "codebuild:StartBuild", + "codebuild:StopBuild", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "DeployProject1CF7CB79", + "Arn", + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRoleDefaultPolicyAB6FC4F9", + "Roles": Array [ + Object { + "Ref": "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRole6EA7639D", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "NetworkFirewallCodePipelineEventsRole94323A48": Object { + "Properties": Object { + 
"AssumeRolePolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": Object { + "Service": "events.amazonaws.com", + }, + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::IAM::Role", + }, + "NetworkFirewallCodePipelineEventsRoleDefaultPolicy5835E037": Object { + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "codepipeline:StartPipelineExecution", + "Effect": "Allow", + "Resource": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":codepipeline:eu-west-1:1234:", + Object { + "Ref": "NetworkFirewallCodePipelineA72E3ADD", + }, + ], + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "NetworkFirewallCodePipelineEventsRoleDefaultPolicy5835E037", + "Roles": Array [ + Object { + "Ref": "NetworkFirewallCodePipelineEventsRole94323A48", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "NetworkFirewallCodePipelineRoleDDD28B15": Object { + "Properties": Object { + "AssumeRolePolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": Object { + "Service": "codepipeline.amazonaws.com", + }, + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::IAM::Role", + }, + "NetworkFirewallCodePipelineRoleDefaultPolicyF0142ABD": Object { + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*", + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*", + ], + "Effect": "Allow", + "Resource": Array [ + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + "/*", + ], + ], + }, + ], + }, + Object { + "Action": 
Array [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + }, + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineSourceCodePipelineActionRole67C89750", + "Arn", + ], + }, + }, + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRole2A3E8726", + "Arn", + ], + }, + }, + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineDeploymentCodeDeployCodePipelineActionRole6EA7639D", + "Arn", + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "NetworkFirewallCodePipelineRoleDefaultPolicyF0142ABD", + "Roles": Array [ + Object { + "Ref": "NetworkFirewallCodePipelineRoleDDD28B15", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "NetworkFirewallCodePipelineSourceCodePipelineActionRole67C89750": Object { + "Properties": Object { + "AssumeRolePolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":iam::1234:root", + ], + ], + }, + }, + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::IAM::Role", + }, + "NetworkFirewallCodePipelineSourceCodePipelineActionRoleDefaultPolicyB01603D9": Object { + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*", + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*", + ], + "Effect": "Allow", + "Resource": Array [ + Object { + 
"Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketF2569455", + "Arn", + ], + }, + "/*", + ], + ], + }, + ], + }, + Object { + "Action": Array [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineArtifactsBucketEncryptionKey086ED060", + "Arn", + ], + }, + }, + Object { + "Action": Array [ + "codecommit:GetBranch", + "codecommit:GetCommit", + "codecommit:UploadArchive", + "codecommit:GetUploadArchiveStatus", + "codecommit:CancelUploadArchive", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodeRepositoryF7BA0495", + "Arn", + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "NetworkFirewallCodePipelineSourceCodePipelineActionRoleDefaultPolicyB01603D9", + "Roles": Array [ + Object { + "Ref": "NetworkFirewallCodePipelineSourceCodePipelineActionRole67C89750", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRole2A3E8726": Object { + "Properties": Object { + "AssumeRolePolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": Object { + "AWS": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":iam::1234:root", + ], + ], + }, + }, + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::IAM::Role", + }, + "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRoleDefaultPolicyA4A71A44": Object { + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "codebuild:BatchGetBuilds", + "codebuild:StartBuild", + "codebuild:StopBuild", + ], + 
"Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "BuildProject097C5DB7", + "Arn", + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRoleDefaultPolicyA4A71A44", + "Roles": Array [ + Object { + "Ref": "NetworkFirewallCodePipelineValidationCodeBuildCodePipelineActionRole2A3E8726", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "NetworkFirewallCodeRepositoryF7BA0495": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "Code": Object { + "S3": Object { + "Bucket": "solutions-eu-west-1", + "Key": Object { + "Fn::Join": Array [ + "", + Array [ + "network-firewall-automation/", + Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "Version", + "Latest", + ], + }, + "/network-firewall-configuration.zip", + ], + ], + }, + }, + }, + "RepositoryDescription": "This repository is created by the AWS Network Firewall solution for AWS Transit Gateway, to store and trigger changes to the network firewall rules and configurations.", + "RepositoryName": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "CodeCommitRepo", + "Name", + ], + }, + Object { + "Ref": "AWS::StackName", + }, + ], + ], + }, + }, + "Type": "AWS::CodeCommit::Repository", + "UpdateReplacePolicy": "Retain", + }, + "NetworkFirewallCodeRepositoryMyTestStackNetworkFirewallCodePipelineD8BFDC90EventRule5C587E07": Object { + "Properties": Object { + "EventPattern": Object { + "detail": Object { + "event": Array [ + "referenceCreated", + "referenceUpdated", + ], + "referenceName": Array [ + "master", + ], + }, + "detail-type": Array [ + "CodeCommit Repository State Change", + ], + "resources": Array [ + Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodeRepositoryF7BA0495", + "Arn", + ], + }, + ], + "source": Array [ + "aws.codecommit", + ], + }, + "State": "ENABLED", + "Targets": Array [ + Object { + "Arn": Object { + "Fn::Join": 
Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":codepipeline:eu-west-1:1234:", + Object { + "Ref": "NetworkFirewallCodePipelineA72E3ADD", + }, + ], + ], + }, + "Id": "Target0", + "RoleArn": Object { + "Fn::GetAtt": Array [ + "NetworkFirewallCodePipelineEventsRole94323A48", + "Arn", + ], + }, + }, + ], + }, + "Type": "AWS::Events::Rule", + }, + "NetworkFirewallSubnet1": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "AvailabilityZone": Object { + "Fn::Select": Array [ + "0", + Object { + "Fn::GetAZs": "", + }, + ], + }, + "CidrBlock": Object { + "Fn::Select": Array [ + 0, + Object { + "Fn::Cidr": Array [ + Object { + "Fn::GetAtt": Array [ + "VPC", + "CidrBlock", + ], + }, + 4, + "4", + ], + }, + ], + }, + "Tags": Array [ + Object { + "Key": "Name", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "AWS::StackName", + }, + "-FirewallSubnet1", + ], + ], + }, + }, + ], + "VpcId": Object { + "Ref": "VPC", + }, + }, + "Type": "AWS::EC2::Subnet", + "UpdateReplacePolicy": "Retain", + }, + "NetworkFirewallSubnet1RouteTableAssociation": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "RouteTableId": Object { + "Ref": "FirewallSubnetRouteTable", + }, + "SubnetId": Object { + "Ref": "NetworkFirewallSubnet1", + }, + }, + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "UpdateReplacePolicy": "Retain", + }, + "NetworkFirewallSubnet2": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "AvailabilityZone": Object { + "Fn::Select": Array [ + "1", + Object { + "Fn::GetAZs": "", + }, + ], + }, + "CidrBlock": Object { + "Fn::Select": Array [ + 1, + Object { + "Fn::Cidr": Array [ + Object { + "Fn::GetAtt": Array [ + "VPC", + "CidrBlock", + ], + }, + 4, + "4", + ], + }, + ], + }, + "Tags": Array [ + Object { + "Key": "Name", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "AWS::StackName", + }, + "-FirewallSubnet2", + ], + ], + }, + }, + ], + 
"VpcId": Object { + "Ref": "VPC", + }, + }, + "Type": "AWS::EC2::Subnet", + "UpdateReplacePolicy": "Retain", + }, + "NetworkFirewallSubnet2RouteTableAssociation": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "RouteTableId": Object { + "Ref": "FirewallSubnetRouteTable", + }, + "SubnetId": Object { + "Ref": "NetworkFirewallSubnet2", + }, + }, + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "UpdateReplacePolicy": "Retain", + }, + "RoleFlowLogsCA794118": Object { + "Properties": Object { + "AssumeRolePolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": Object { + "Service": "vpc-flow-logs.amazonaws.com", + }, + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::IAM::Role", + }, + "RoleFlowLogsDefaultPolicyD1F03EF4": Object { + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "logs:CreateLogStream", + "logs:DescribeLogStreams", + "logs:PutLogEvents", + "logs:CreateLogGroup", + "logs:DescribeLogGroups", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "LogGroupFlowLogs", + "Arn", + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "RoleFlowLogsDefaultPolicyD1F03EF4", + "Roles": Array [ + Object { + "Ref": "RoleFlowLogsCA794118", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "TGWRoute": Object { + "Condition": "CreateTransitGatewayAttachment", + "DependsOn": Array [ + "VPCTGWATTACHMENT", + ], + "Properties": Object { + "DestinationCidrBlock": Object { + "Fn::FindInMap": Array [ + "SolutionMapping", + "Route", + "QuadZero", + ], + }, + "RouteTableId": Object { + "Ref": "FirewallSubnetRouteTable", + }, + "TransitGatewayId": Object { + "Ref": "ExistingTransitGateway", + }, + }, + "Type": "AWS::EC2::Route", + }, + "VPC": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "CidrBlock": Object { + "Ref": "cidrBlock", + }, + "Tags": Array [ + Object { + 
"Key": "created-by", + "Value": "network-firewall-automation", + }, + Object { + "Key": "Name", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "AWS::StackName", + }, + "-Inspection-VPC", + ], + ], + }, + }, + ], + }, + "Type": "AWS::EC2::VPC", + "UpdateReplacePolicy": "Retain", + }, + "VPCTGWATTACHMENT": Object { + "Condition": "CreateTransitGatewayAttachment", + "DeletionPolicy": "Retain", + "Properties": Object { + "SubnetIds": Array [ + Object { + "Ref": "VPCTGWSubnet1", + }, + Object { + "Ref": "VPCTGWSubnet2", + }, + ], + "Tags": Array [ + Object { + "Key": "Name", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "AWS::StackName", + }, + "-Inspection-VPC-Attachment", + ], + ], + }, + }, + ], + "TransitGatewayId": Object { + "Ref": "ExistingTransitGateway", + }, + "VpcId": Object { + "Ref": "VPC", + }, + }, + "Type": "AWS::EC2::TransitGatewayAttachment", + }, + "VPCTGWRouteTable1": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "Tags": Array [ + Object { + "Key": "Name", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "AWS::StackName", + }, + "-TGWSubnetRouteTable1", + ], + ], + }, + }, + ], + "VpcId": Object { + "Ref": "VPC", + }, + }, + "Type": "AWS::EC2::RouteTable", + "UpdateReplacePolicy": "Retain", + }, + "VPCTGWRouteTable2": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "Tags": Array [ + Object { + "Key": "Name", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "AWS::StackName", + }, + "-TGWSubnetRouteTable2", + ], + ], + }, + }, + ], + "VpcId": Object { + "Ref": "VPC", + }, + }, + "Type": "AWS::EC2::RouteTable", + "UpdateReplacePolicy": "Retain", + }, + "VPCTGWRouteTableAssociation": Object { + "Condition": "CreateTransitGatewayRTAssociation", + "DeletionPolicy": "Retain", + "Properties": Object { + "TransitGatewayAttachmentId": Object { + "Ref": "VPCTGWATTACHMENT", + }, + 
"TransitGatewayRouteTableId": Object { + "Ref": "TransitGatewayRouteTableIdForAssociation", + }, + }, + "Type": "AWS::EC2::TransitGatewayRouteTableAssociation", + }, + "VPCTGWSubnet1": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "AvailabilityZone": Object { + "Fn::Select": Array [ + "0", + Object { + "Fn::GetAZs": "", + }, + ], + }, + "CidrBlock": Object { + "Fn::Select": Array [ + 2, + Object { + "Fn::Cidr": Array [ + Object { + "Fn::GetAtt": Array [ + "VPC", + "CidrBlock", + ], + }, + 4, + "4", + ], + }, + ], + }, + "Tags": Array [ + Object { + "Key": "Name", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "AWS::StackName", + }, + "-VPCTGWSubnet1", + ], + ], + }, + }, + ], + "VpcId": Object { + "Ref": "VPC", + }, + }, + "Type": "AWS::EC2::Subnet", + "UpdateReplacePolicy": "Retain", + }, + "VPCTGWSubnet1RouteTableAssociation": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "RouteTableId": Object { + "Ref": "VPCTGWRouteTable1", + }, + "SubnetId": Object { + "Ref": "VPCTGWSubnet1", + }, + }, + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "UpdateReplacePolicy": "Retain", + }, + "VPCTGWSubnet2": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "AvailabilityZone": Object { + "Fn::Select": Array [ + "1", + Object { + "Fn::GetAZs": "", + }, + ], + }, + "CidrBlock": Object { + "Fn::Select": Array [ + 3, + Object { + "Fn::Cidr": Array [ + Object { + "Fn::GetAtt": Array [ + "VPC", + "CidrBlock", + ], + }, + 4, + "4", + ], + }, + ], + }, + "Tags": Array [ + Object { + "Key": "Name", + "Value": Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Ref": "AWS::StackName", + }, + "-VPCTGWSubnet2", + ], + ], + }, + }, + ], + "VpcId": Object { + "Ref": "VPC", + }, + }, + "Type": "AWS::EC2::Subnet", + "UpdateReplacePolicy": "Retain", + }, + "VPCTGWSubnet2RouteTableAssociation": Object { + "DeletionPolicy": "Retain", + "Properties": Object { + "RouteTableId": Object { + "Ref": 
"VPCTGWRouteTable2", + }, + "SubnetId": Object { + "Ref": "VPCTGWSubnet2", + }, + }, + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "UpdateReplacePolicy": "Retain", + }, + "buildStageIAMPolicyB31D4B98": Object { + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "network-firewall:CreateFirewallPolicy", + "network-firewall:CreateRuleGroup", + ], + "Effect": "Allow", + "Resource": Array [ + Object { + "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:stateful-rulegroup/*", + }, + Object { + "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:firewall-policy/*", + }, + Object { + "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:stateless-rulegroup/*", + }, + ], + }, + Object { + "Action": "s3:GetObject", + "Effect": "Allow", + "Resource": Array [ + Object { + "Fn::Sub": Array [ + "arn:\${AWS::Partition}:s3:::\${CodeBucketName}/\${KeyName}/*", + Object { + "CodeBucketName": "solutions-eu-west-1", + "KeyName": "network-firewall-automation", + }, + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":s3:::", + Object { + "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", + }, + "/*", + ], + ], + }, + ], + }, + Object { + "Action": "s3:PutObject", + "Effect": "Allow", + "Resource": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":s3:::", + Object { + "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", + }, + "/*", + ], + ], + }, + }, + Object { + "Action": Array [ + "ssm:PutParameter", + "ssm:GetParameter", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::Sub": Array [ + "arn:\${AWS::Partition}:ssm:\${AWS::Region}:\${AWS::AccountId}:parameter/\${ParameterKey}", + Object { + "ParameterKey": Object { + "Fn::FindInMap": Array [ + "Send", + "ParameterKey", + "UniqueId", + ], + }, + }, + 
], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "buildStageIAMPolicyB31D4B98", + "Roles": Array [ + Object { + "Ref": "BuildProjectRoleAA92C755", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "deployStageFirewallLoggingCWPolicyD4098456": Object { + "Condition": "LoggingInCloudWatch", + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W12", + "reason": "Resource * is required for describe APIs", + }, + ], + }, + }, + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "logs:PutResourcePolicy", + "logs:DescribeResourcePolicies", + ], + "Effect": "Allow", + "Resource": "*", + }, + Object { + "Action": "logs:DescribeLogGroups", + "Effect": "Allow", + "Resource": Object { + "Fn::Sub": "arn:\${AWS::Partition}:logs:*:\${AWS::AccountId}:log-group:*", + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "deployStageFirewallLoggingCWPolicyD4098456", + "Roles": Array [ + Object { + "Ref": "DeployProjectRole588C8C1D", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "deployStageFirewallLoggingPolicy15AD5CD5": Object { + "Condition": "NotLoggingConfigureManually", + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W12", + "reason": "Resource * is required for these actions.", + }, + ], + }, + }, + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + ], + "Effect": "Allow", + "Resource": "*", + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "deployStageFirewallLoggingPolicy15AD5CD5", + "Roles": Array [ + Object { + "Ref": "DeployProjectRole588C8C1D", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "deployStageFirewallLoggingS3Policy8F79BDD2": Object { + "Condition": "LoggingInS3", + "Properties": 
Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "s3:PutBucketPolicy", + "s3:GetBucketPolicy", + ], + "Effect": "Allow", + "Resource": Object { + "Fn::GetAtt": Array [ + "Logs6819BB44", + "Arn", + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "deployStageFirewallLoggingS3Policy8F79BDD2", + "Roles": Array [ + Object { + "Ref": "DeployProjectRole588C8C1D", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "deployStageFirewallPolicy72BE60BE": Object { + "Metadata": Object { + "cfn_nag": Object { + "rules_to_suppress": Array [ + Object { + "id": "W12", + "reason": "Resource * is required for describe APIs", + }, + ], + }, + }, + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": Array [ + "network-firewall:CreateFirewall", + "network-firewall:UpdateFirewallDeleteProtection", + "network-firewall:DeleteRuleGroup", + "network-firewall:DescribeLoggingConfiguration", + "network-firewall:UpdateFirewallDescription", + "network-firewall:CreateRuleGroup", + "network-firewall:DescribeFirewall", + "network-firewall:DeleteFirewallPolicy", + "network-firewall:UpdateRuleGroup", + "network-firewall:DescribeRuleGroup", + "network-firewall:ListRuleGroups", + "network-firewall:UpdateSubnetChangeProtection", + "network-firewall:UpdateFirewallPolicyChangeProtection", + "network-firewall:AssociateFirewallPolicy", + "network-firewall:DescribeFirewallPolicy", + "network-firewall:UpdateFirewallPolicy", + "network-firewall:DescribeResourcePolicy", + "network-firewall:CreateFirewallPolicy", + "network-firewall:UpdateLoggingConfiguration", + "network-firewall:TagResource", + ], + "Effect": "Allow", + "Resource": Array [ + Object { + "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:stateful-rulegroup/*", + }, + Object { + "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:firewall-policy/*", + }, + Object { + 
"Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:firewall/*", + }, + Object { + "Fn::Sub": "arn:\${AWS::Partition}:network-firewall:\${AWS::Region}:\${AWS::AccountId}:stateless-rulegroup/*", + }, + ], + }, + Object { + "Action": "s3:GetObject", + "Effect": "Allow", + "Resource": Array [ + Object { + "Fn::Sub": Array [ + "arn:\${AWS::Partition}:s3:::\${CodeBucketName}/\${KeyName}/*", + Object { + "CodeBucketName": "solutions-eu-west-1", + "KeyName": "network-firewall-automation", + }, + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":s3:::", + Object { + "Ref": "CodeBuildStagesSourceCodeBucketFA98E7C7", + }, + "/*", + ], + ], + }, + ], + }, + Object { + "Action": Array [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeRouteTables", + ], + "Effect": "Allow", + "Resource": "*", + }, + Object { + "Action": Array [ + "ec2:CreateRoute", + "ec2:DeleteRoute", + ], + "Effect": "Allow", + "Resource": Array [ + Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":ec2:", + Object { + "Ref": "AWS::Region", + }, + ":", + Object { + "Ref": "AWS::AccountId", + }, + ":route-table/", + Object { + "Ref": "VPCTGWRouteTable1", + }, + ], + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":ec2:", + Object { + "Ref": "AWS::Region", + }, + ":", + Object { + "Ref": "AWS::AccountId", + }, + ":route-table/", + Object { + "Ref": "VPCTGWRouteTable2", + }, + ], + ], + }, + ], + }, + Object { + "Action": "iam:CreateServiceLinkedRole", + "Effect": "Allow", + "Resource": Object { + "Fn::Sub": "arn:aws:iam::\${AWS::AccountId}:role/aws-service-role/network-firewall.amazonaws.com/AWSServiceRoleForNetworkFirewall", + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "deployStageFirewallPolicy72BE60BE", + "Roles": Array [ + Object { + "Ref": 
"DeployProjectRole588C8C1D", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + "deployStageModifyTransitGatewayAttachmentPolicy993566C2": Object { + "Condition": "CreateTransitGatewayAttachment", + "Properties": Object { + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "ec2:ModifyTransitGatewayVpcAttachment", + "Effect": "Allow", + "Resource": Object { + "Fn::Join": Array [ + "", + Array [ + "arn:", + Object { + "Ref": "AWS::Partition", + }, + ":ec2:", + Object { + "Ref": "AWS::Region", + }, + ":", + Object { + "Ref": "AWS::AccountId", + }, + ":transit-gateway-attachment/", + Object { + "Ref": "VPCTGWATTACHMENT", + }, + ], + ], + }, + }, + ], + "Version": "2012-10-17", + }, + "PolicyName": "deployStageModifyTransitGatewayAttachmentPolicy993566C2", + "Roles": Array [ + Object { + "Ref": "DeployProjectRole588C8C1D", + }, + ], + }, + "Type": "AWS::IAM::Policy", + }, + }, +} +`; diff --git a/source/test/network-firewall-automation-solution.test.ts b/source/test/network-firewall-automation-solution.test.ts new file mode 100644 index 0000000..38c6580 --- /dev/null +++ b/source/test/network-firewall-automation-solution.test.ts 
@@ -0,0 +1,38 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+import * as cdk from '@aws-cdk/core';
+import { SynthUtils } from '@aws-cdk/assert';
+import * as NetworkFirewallAutomationStack from "../lib/network-firewall-automation-solution-stack"
+import '@aws-cdk/assert/jest';
+
+
+function getTestStack(): cdk.Stack {
+ const app = new cdk.App();
+ const props: NetworkFirewallAutomationStack.NetworkFirewallAutomationStackProps = {
+ env: { account: '1234', region: 'eu-west-1' },
+ solutionBucket: 'solutions',
+ solutionId: 'SO0108',
+ solutionName: 'network-firewall-automation',
+ solutionProvider: 'AWS Solutions Builders',
+ solutionTradeMarkName: 'network-firewall-automation',
+ solutionVersion: 'v1.0.0'
+ };
+ return new NetworkFirewallAutomationStack.NetworkFirewallAutomationStack(app, 'MyTestStack', props)
+}
+/*
+ * Snapshot test
+ */
+test('NetworkFirewallAutomationStack Snapshot test', () => {
+ expect(SynthUtils.toCloudFormation(getTestStack())).toMatchSnapshot();
+});
\ No newline at end of file
diff --git a/source/tsconfig.json b/source/tsconfig.json
new file mode 100644
index 0000000..f4da57a
--- /dev/null
+++ b/source/tsconfig.json
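Review bot: The only test added in `network-firewall-automation-solution.test.ts` is a whole-template snapshot, so nothing checks the IAM statements on their own. The snapshot in this patch records several statements with `"Resource": "*"` behind cfn_nag W12 suppressions, and a later change that widens an action list or a resource would pass as soon as the snapshot is regenerated. `@aws-cdk/assert/jest` is imported here but none of its matchers are used. Adding a few targeted assertions beside the snapshot would make a permission change fail visibly, for example `expect(getTestStack()).toHaveResourceLike('AWS::IAM::Role', { AssumeRolePolicyDocument: { Statement: [{ Principal: { Service: 'vpc-flow-logs.amazonaws.com' } }] } });`, with similar checks for the policies attached to the build and deploy project roles.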
@@ -0,0 +1,36 @@ +{ + "compilerOptions": { + "alwaysStrict": true, + "charset": "utf8", + "declaration": true, + "experimentalDecorators": true, + "inlineSourceMap": true, + "inlineSources": true, + "lib": [ + "es2018" + ], + "module": "CommonJS", + "moduleResolution": "node", + "noEmitOnError": true, + "noFallthroughCasesInSwitch": true, + "noImplicitAny": true, + "noImplicitReturns": true, + "noImplicitThis": true, + "noUnusedLocals": true, + "noUnusedParameters": true, + "resolveJsonModule": true, + "strict": true, + "strictNullChecks": true, + "strictPropertyInitialization": true, + "stripInternal": true, + "target": "ES2018" + }, + "include": [ + "**/*.ts" + ], + "exclude": [ + "node_modules", + "networkFirewallAutomation" + ], + "_generated_by_jsii_": "Generated by jsii - safe to delete, and ideally should be in .gitignore" +}