From d3014025b0eb7746f6495b790429c8dbc84215f1 Mon Sep 17 00:00:00 2001 From: kota kanbe Date: Mon, 7 Aug 2017 05:57:09 +0900 Subject: [PATCH] Update README --- README.ja.md | 545 +++++++++++++++++++++--------------------- README.md | 530 ++++++++++++++++++++-------------------- commands/scan.go | 2 +- img/vuls-abstract.png | Bin 0 -> 125909 bytes 4 files changed, 536 insertions(+), 541 deletions(-) create mode 100644 img/vuls-abstract.png diff --git a/README.ja.md b/README.ja.md index a66ca4e4..bafc30c0 100644 --- a/README.ja.md +++ b/README.ja.md @@ -10,6 +10,8 @@ Vulnerability scanner for Linux/FreeBSD, agentless, written in golang. [README in English](https://github.com/future-architect/vuls/blob/master/README.md) Slackチームは[こちらから](http://goo.gl/forms/xm5KFo35tu)参加できます。(日本語でオッケーです) +![Vuls-Abstract](img/vuls-abstract.png) + [![asciicast](https://asciinema.org/a/bazozlxrw1wtxfu9yojyihick.png)](https://asciinema.org/a/bazozlxrw1wtxfu9yojyihick) ![Vuls-slack](img/vuls-slack-ja.png) 
@@ -18,90 +20,7 @@ Slackチームは[こちらから](http://goo.gl/forms/xm5KFo35tu)参加でき # TOC -- [Vuls: VULnerability Scanner](#vuls-vulnerability-scanner) -- [TOC](#toc) -- [Abstract](#abstract) -- [Main Features](#main-features) -- [What Vuls Doesn't Do](#what-vuls-doesnt-do) -- [Setup Vuls](#setup-vuls) -- [Tutorial: Local Scan Mode](#tutorial-local-scan-mode) - * [Step1. Launch Amazon Linux](#step1-launch-amazon-linux) - * [Step2. Install requirements](#step2-install-requirements) - * [Step3. Deploy go-cve-dictionary](#step3-deploy-go-cve-dictionary) - * [Step4. Deploy Vuls](#step4-deploy-vuls) - * [Step5. Config](#step5-config) - * [Step6. Check config.toml and settings on the server before scanning](#step6-check-configtoml-and-settings-on-the-server-before-scanning) - * [Step7. Start Scanning](#step7-start-scanning) - * [Step8. Reporting](#step8-reporting) - * [Step9. TUI](#step9-tui) - * [Step10. Web UI](#step10-web-ui) -- [Tutorial: Remote Scan Mode](#tutorial-remote-scan-mode) - * [Step1. Launch Another Amazon Linux](#step1-launch-another-amazon-linux) - * [Step2. Install Dependencies on the Remote Server](#step2-install-dependencies-on-the-remote-server) - * [Step3. Enable to SSH from Localhost](#step3-enable-to-ssh-from-localhost) - * [Step4. Config](#step4-config) - * [Step5. Check config.toml and settings on the server before scanning](#step5-check-configtoml-and-settings-on-the-server-before-scanning) - * [Step6. Start Scanning](#step6-start-scanning) - * [Step7. Reporting](#step7-reporting) -- [Architecture](#architecture) - * [A. Scan via SSH Mode (Remote Scan Mode)](#a-scan-via-ssh-mode-remote-scan-mode) - * [B. 
Scan without SSH (Local Scan Mode)](#b-scan-without-ssh-local-scan-mode) - * [go-cve-dictionary](#go-cve-dictionary) - * [Vuls](#vuls) -- [Performance Considerations](#performance-considerations) -- [Use Cases](#use-cases) - * [Scan all servers](#scan-all-servers) - * [Scan a single server](#scan-a-single-server) -- [Support OS](#support-os) -- [Usage: Automatic Server Discovery](#usage-automatic-server-discovery) - * [Example](#example) -- [Configuration](#configuration) -- [Usage: Configtest](#usage-configtest) - * [Dependencies on Target Servers](#dependencies-on-target-servers) - * [Check /etc/sudoers](#check-etcsudoers) -- [Usage: Scan](#usage-scan) - * [-ssh-native-insecure option](#-ssh-native-insecure-option) - * [-ask-key-password option](#-ask-key-password-option) - * [Example: Scan all servers defined in config file](#example-scan-all-servers-defined-in-config-file) - * [Example: Scan specific servers](#example-scan-specific-servers) - * [Example: Scan via shell instead of SSH.](#example-scan-via-shell-instead-of-ssh) - + [cronで動かす場合](#cron%E3%81%A7%E5%8B%95%E3%81%8B%E3%81%99%E5%A0%B4%E5%90%88) - * [Example: Scan containers (Docker/LXD)](#example-scan-containers-dockerlxd) - + [Docker](#docker) - + [LXDコンテナをスキャンする場合](#lxd%E3%82%B3%E3%83%B3%E3%83%86%E3%83%8A%E3%82%92%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%99%E3%82%8B%E5%A0%B4%E5%90%88) -- [Usage: Report](#usage-report) - * [How to read a report](#how-to-read-a-report) - + [Example](#example-1) - + [Summary part](#summary-part) - + [Detailed Part](#detailed-part) - + [Changelog Part](#changelog-part) - * [Example: Send scan results to Slack](#example-send-scan-results-to-slack) - * [Example: Put results in S3 bucket](#example-put-results-in-s3-bucket) - * [Example: Put results in Azure Blob storage](#example-put-results-in-azure-blob-storage) - * [Example: IgnoreCves](#example-ignorecves) - * [Example: Add optional key-value pairs to JSON](#example-add-optional-key-value-pairs-to-json) - * [Example: Use 
MySQL as a DB storage back-end](#example-use-mysql-as-a-db-storage-back-end) - * [Example: Use PostgreSQL as a DB storage back-end](#example-use-postgresql-as-a-db-storage-back-end) - * [Example: Use Redis as a DB storage back-end](#example-use-redis-as-a-db-storage-back-end) -- [Usage: Scan vulnerability of non-OS package](#usage-scan-vulnerability-of-non-os-package) -- [Usage: Integrate with OWASP Dependency Check to Automatic update when the libraries are updated (Experimental)](#usage-integrate-with-owasp-dependency-check-to-automatic-update-when-the-libraries-are-updated-experimental) -- [Usage: TUI](#usage-tui) - * [Display the latest scan results](#display-the-latest-scan-results) - * [Display the previous scan results](#display-the-previous-scan-results) -- [Display the previous scan results using peco](#display-the-previous-scan-results-using-peco) -- [Usage: go-cve-dictionary on different server](#usage-go-cve-dictionary-on-different-server) -- [Usage: Update NVD Data](#usage-update-nvd-data) -- [レポートの日本語化](#%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88%E3%81%AE%E6%97%A5%E6%9C%AC%E8%AA%9E%E5%8C%96) - * [fetchnvd, fetchjvnの実行順序の注意](#fetchnvd-fetchjvn%E3%81%AE%E5%AE%9F%E8%A1%8C%E9%A0%86%E5%BA%8F%E3%81%AE%E6%B3%A8%E6%84%8F) - * [スキャン実行](#%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E5%AE%9F%E8%A1%8C) -- [Update Vuls With Glide](#update-vuls-with-glide) -- [Misc](#misc) -- [Related Projects](#related-projects) -- [Data Source](#data-source) -- [Authors](#authors) -- [Contribute](#contribute) -- [Change Log](#change-log) -- [License](#license) +TODO ---- 
@@ -130,13 +49,29 @@ Vulsは上に挙げた手動運用での課題を解決するツールであり - Linuxサーバに存在する脆弱性をスキャン - Ubuntu, Debian, CentOS, Amazon Linux, RHEL, Raspbianに対応 - クラウド、オンプレミス、Docker +- 高精度なスキャン + - Vulsは複数の脆弱性データベースを使っている + - OVAL + - RHSA/ALAS/ELSA/FreeBSD-SA + - Changelog +- FastスキャンとDeepスキャン + - Fastスキャン + - root権限必要なし + - スキャン対象サーバの負荷ほぼなし + - Deepスキャン + - Changelogの差分を取得し、そこに含まれる脆弱性を検知 + - スキャン対象サーバに負荷がかかる場合がある +- リモートスキャンとローカルスキャン + - リモートスキャン + - スキャン対象サーバにSSH接続可能なマシン1台にセットアップするだけで動作 + - ローカルスキャン + - もし中央のサーバから各サーバにSSH接続できない環境の場合はローカルスキャンモードでスキャン可能 - OSパッケージ管理対象外のミドルウェアをスキャン - プログラミング言語のライブラリやフレームワーク、ミドルウェアの脆弱性スキャン - CPEに登録されているソフトウェアが対象 -- エージェントレスアーキテクチャ - - スキャン対象サーバにSSH接続可能なマシン1台にセットアップするだけで動作 - 非破壊スキャン(SSHでコマンド発行するだけ) - AWSでの脆弱性/侵入テスト事前申請は必要なし + - 毎日スケジュール実行すれば新規に公開された脆弱性にすぐに気付くことができる - 設定ファイルのテンプレート自動生成 - CIDRを指定してサーバを自動検出、設定ファイルのテンプレートを生成 - EmailやSlackで通知可能(日本語でのレポートも可能) @@ -159,7 +94,19 @@ Vulsのセットアップは以下の2パターンがある see https://github.com/future-architect/vuls/tree/master/setup/docker - 手動でセットアップ -Hello Vulsチュートリアルでは手動でのセットアップ方法で説明する +チュートリアルでは手動でのセットアップ方法で説明する + +---- + +# Tutorial + +1. Tutorial: Local Scan Mode + - Launch CentOS on AWS + - Deploy Vuls + - Scan localhost, Reporting +1. Tutorial: Remote Scan Mode + - Launch Ubuntu Linux on AWS + - このUbuntuを先程セットアップしたVulsからスキャンする ---- @@ -168,9 +115,10 @@ Hello Vulsチュートリアルでは手動でのセットアップ方法で説 本チュートリアルでは、Amazon EC2にVulsをセットアップし、自分に存在する脆弱性をスキャンする方法を説明する。 手順は以下の通り -1. Amazon Linuxを新規作成 +1. CentOSを新規作成 1. 必要なソフトウェアをインストール 1. go-cve-dictionaryをデプロイ +1. goval-dictionaryをデプロイ 1. Vulsをデプロイ 1. 設定 1. 設定ファイルと、スキャン対象サーバの設定のチェック @@ -179,9 +127,9 @@ Hello Vulsチュートリアルでは手動でのセットアップ方法で説 1. TUI(Terminal-Based User Interface)で結果を参照する 1. Web UI([VulsRepo](https://github.com/usiusi360/vulsrepo))で結果を参照する -## Step1. Launch Amazon Linux +## Step1. Launch CentOS7 -- 今回は説明のために、脆弱性を含む古いAMIを使う (amzn-ami-hvm-2015.09.1.x86_64-gp2 - ami-383c1956) +- 今回は説明のために、脆弱性を含む古いAMIを使う - EC2作成時に自動アップデートされるとVulsスキャン結果が0件になってしまうので、cloud-initに以下を指定してEC2を作成する。 ``` 
@@ -199,14 +147,14 @@ Vulsセットアップに必要な以下のソフトウェアをインストー - git - gcc - GNU Make -- go v1.7.1 or later (The latest version is recommended) +- go v1.8.3 or later (The latest version is recommended) - https://golang.org/doc/install ```bash -$ ssh ec2-user@52.100.100.100 -i ~/.ssh/private.pem -$ sudo yum -y install sqlite git gcc make -$ wget https://storage.googleapis.com/golang/go1.7.1.linux-amd64.tar.gz -$ sudo tar -C /usr/local -xzf go1.7.1.linux-amd64.tar.gz +$ ssh centos@52.100.100.100 -i ~/.ssh/private.pem +$ sudo yum -y install sqlite git gcc make wget +$ wget https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz +$ sudo tar -C /usr/local -xzf go1.8.3.linux-amd64.tar.gz $ mkdir $HOME/go ``` /etc/profile.d/goenv.sh を作成し、下記を追加する。 @@ -228,7 +176,7 @@ $ source /etc/profile.d/goenv.sh ```bash $ sudo mkdir /var/log/vuls -$ sudo chown ec2-user /var/log/vuls +$ sudo chown centos /var/log/vuls $ sudo chmod 700 /var/log/vuls $ $ mkdir -p $GOPATH/src/github.com/kotakanbe @@ -238,7 +186,7 @@ $ cd go-cve-dictionary $ make install ``` バイナリは、`$GOPATH/bin`以下に生成される - +もしもインストールプロセスが途中で止まる場合は、Out of memory errorが発生している可能性があるので、インスタンスタイプを大きくして再実行してみてください。 NVDから脆弱性データベースを取得する。 環境によって異なるが、AWS上では10分程度かかる。 
@@ -251,14 +199,34 @@ $ ls -alh cve.sqlite3 -rw-r--r-- 1 ec2-user ec2-user 7.0M Mar 24 13:20 cve.sqlite3 ``` -日本語化したい場合は、JVNから脆弱性データベースを取得する。 +脆弱性レポートを日本語化したい場合は、JVNから脆弱性データベースを取得する。 ```bash $ cd $HOME $ for i in `seq 1998 $(date +"%Y")`; do go-cve-dictionary fetchjvn -years $i; done ``` -## Step4. Deploy Vuls +## Step4. Deploy goval-dictionary + +[goval-dictionary](https://github.com/kotakanbe/goval-dictionary) + +```bash +$ mkdir -p $GOPATH/src/github.com/kotakanbe +$ cd $GOPATH/src/github.com/kotakanbe +$ git clone https://github.com/kotakanbe/goval-dictionary.git +$ cd goval-dictionary +$ make install +``` +The binary was built under `$GOPATH/bin` +もしもインストールプロセスが途中で止まる場合は、Out of memory errorが発生している可能性があるので、インスタンスタイプを大きくして再実行してみてください。 + +今回はCentOSがスキャン対象なので、RedHatが公開しているOVAL情報を取り込む. [README](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-redhat) + +```bash +$ goval-dictionary fetch-redhat 5 6 7 +``` + +## Step5. Deploy Vuls 新規にターミナルを起動し、先ほど作成したEC2にSSH接続する。 ``` @@ -268,8 +236,10 @@ $ git clone https://github.com/future-architect/vuls.git $ cd vuls $ make install ``` +The binary was built under `$GOPATH/bin` +もしもインストールプロセスが途中で止まる場合は、Out of memory errorが発生している可能性があるので、インスタンスタイプを大きくして再実行してみてください。 -## Step5. Config +## Step6. Config Vulsの設定ファイルを作成する(TOMLフォーマット) 
@@ -279,104 +249,101 @@ $ cat config.toml [servers] [servers.localhost] -host = "localhost" -port = "local" +host = "localhost" +port = "local" ``` -Root権限が必要なディストリビューションもあるので、スキャン対象サーバの/etc/sudoersを変更する。 -パスワードありのsudoはセキュリティ上の理由からサポートしていないので、スキャンに必要なコマンドは、`NOPASSAWORD`として、remote host上の`etc/sudoers`に定義しておく。 -See [Usage: Configtest#Check /etc/sudoers](#check-etcsudoers) - -## Step6. Check config.toml and settings on the server before scanning +## Step7. Check config.toml and settings on the server before scanning ``` $ vuls configtest ``` 詳細は [Usage: configtest](#usage-configtest) を参照 -## Step7. Start Scanning +## Step8. Start Scanning ``` $ vuls scan + ... snip ... -Scan Summary -============ -localhost amazon 2015.09 94 CVEs 103 updatable packages +One Line Summary +================ +localhost centos7.3.1611 31 updatable packages ``` -## Step8. Reporting +## Step9. Reporting View one-line summary ``` -$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3 +$ vuls report -lang=ja -format-one-line-text -cvedb-path=$PWD/cve.sqlite3 -ovaldb-path=$PWD/oval.sqlite3 One Line Summary ================ -localhost Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages +localhost Total: 101 (High:35 Medium:50 Low:16 ?:0) 31 updatable packages ``` View short summary. 
``` -$ vuls report -format-short-text -cvedb-path=$PWD/cve.sqlite3 --lang=ja +$ vuls report -lang=ja -format-short-text |less -localhost (amazon 2015.09) -=========================== -Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages +localhost (centos7.3.1611) +========================== +Total: 101 (High:35 Medium:50 Low:16 ?:0) 31 updatable packages -CVE-2016-5636 10.0 (High) CPython の zipimport.c の get_data 関数における整数オーバーフローの脆弱性 - http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-004528.html - https://access.redhat.com/security/cve/CVE-2016-5636 - python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1 - python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1 - python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1 - Confidence: 100 / YumUpdateSecurityMatch +CVE-2017-7895 10.0 HIGH (nvd) + Linux Kernel の NFSv2/NFSv3 + サーバの実装におけるポインタ演算エラーを誘発される脆弱性 + Linux Kernel の NFSv2/NFSv3 + サーバの実装は、バッファの終端に対する特定のチェックが欠落しているため、ポイン... + (pointer-arithmetic error) + を誘発されるなど、不特定の影響を受ける脆弱性が存在します。 + --- + http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-003674.html + https://access.redhat.com/security/cve/CVE-2017-7895 (RHEL-CVE) + 10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C (nvd) + 10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C (jvn) + https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2017-7895 + 6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (redhat) + https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2017-7895 + Confidence: 100 / OvalMatch -... snip ... ```` View full report. 
``` -$ vuls report -format-full-text -cvedb-path=$PWD/cve.sqlite3 --lang=ja +$ vuls report -lang=ja -format-full-text |less -localhost (amazon 2015.09) -============================ -Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages +localhost (centos7.3.1611) +========================== +Total: 101 (High:35 Medium:50 Low:16 ?:0) 31 updatable packages -CVE-2016-5636 -------------- -Score 10.0 (High) -Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C) -Title CPython の zipimport.c の get_data 関数における整数オーバーフローの脆弱性 -Description CPython (別名 Python) の zipimport.c の get_data - 関数には、整数オーバーフローの脆弱性が存在します。 +CVE-2015-2806 +---------------- +Max Score 10.0 HIGH (nvd) +nvd 10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C +redhat 2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P +redhat 3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L +CVSSv2 Calc https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2015-2806 +CVSSv3 Calc https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-2806 +Summary Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows + remote attackers to have unspecified impact via unknown vectors. +Source https://nvd.nist.gov/vuln/detail/CVE-2015-2806 +RHEL-CVE https://access.redhat.com/security/cve/CVE-2015-2806 +CWE-119 (nvd) https://cwe.mitre.org/data/definitions/119.html +Package/CPE libtasn1-3.8-3.el7 - +Confidence 100 / OvalMatch - 補足情報 : CWE による脆弱性タイプは、CWE-190: Integer Overflow or Wraparound - (整数オーバーフローまたはラップアラウンド) と識別されています。 - http://cwe.mitre.org/data/definitions/190.html -CWE-190 https://cwe.mitre.org/data/definitions/190.html -CWE-190(JVN) http://jvndb.jvn.jp/ja/cwe/CWE-190.html -JVN http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-004528.html -NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636 -MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636 -CVE Details http://www.cvedetails.com/cve/CVE-2016-5636 -CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-5636&vector=(AV:N/AC:L/... 
-RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-5636 -ALAS-2016-724 https://alas.aws.amazon.com/ALAS-2016-724.html -Package python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1 - python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1 - python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1 -Confidence 100 / YumUpdateSecurityMatch ... snip ... ``` -## Step9. TUI +## Step10. TUI Vulsにはスキャン結果の詳細を参照できるイカしたTUI(Terminal-Based User Interface)が付属している。 @@ -386,7 +353,7 @@ $ vuls tui ![Vuls-TUI](img/hello-vuls-tui.png) -## Step10. Web UI +## Step11. Web UI [VulsRepo](https://github.com/usiusi360/vulsrepo)はスキャン結果をビボットテーブルのように分析可能にするWeb UIである。 [Online Demo](http://usiusi360.github.io/vulsrepo/)があるので試してみて。 @@ -397,33 +364,28 @@ $ vuls tui SSHを用いてリモートのホストをスキャンする方法を説明する。 -1. Amazon Linuxを新規に1台作成(スキャン対象) -1. 必要なソフトウェアをインストール -1. RemoteホストにlocalhostからSSH可能にする -1. 設定 +1. Ubuntu Linuxを新規に1台作成(スキャン対象) +1. スキャン対象のRemoteホストにlocalhostからSSH可能にする +1. config.tomlの設定 1. 設定ファイルと、スキャン対象サーバの設定のチェック 1. Scan 1. Reporting 先程のチュートリアルで作成したVulsサーバ(以下localhostと記述)を用いる。 -## Step1. Launch Another Amazon Linux +## Step1. Launch new Ubuntu Linux (the server to be sacnned) [Tutorial: Local Scan Mode#Step1. Launch Amazon Linux](#step1-launch-amazon-linux)と同じ +[Tutorial: Local Scan Mode#Step1. Launch CentOS7](#step1-launch-centos7)のようにUbuntu Linuxを新規に作成する。 新規にターミナルを開いて今作成したEC2にSSH接続する。 +$HOME/.ssh/known_hostsにリモートホストのHost Keyを追加するために、スキャン前にリモートホストにSSH接続する必要がある。 -## Step2. Install Dependencies on the Remote Server - -ディストリビューションによってはスキャンに必要な依存ソフトウェアをインストールする必要がある。 -これらはリモートサーバ上に手動かAnsibleなどでインストールする。 -依存ソフトウェアの詳細は [Dependencies on Target Servers](#dependencies-on-target-servers) を参照。 - -## Step3. Enable to SSH from Localhost +## Step2. Enable to SSH from localhost VulsはSSHパスワード認証をサポートしてない。SSHの鍵認証の設定をしなければならない。 localhost上でkeypairを作成し、remote host上のauthorized_keysに追加する。 -- Localhost +- localhost ```bash $ ssh-keygen -t rsa ``` 
@@ -439,47 +401,50 @@ $ vim ~/.ssh/authorized_keys ``` Paste from the clipboard to ~/.ssh/.authorized_keys -パスワードありのsudoはセキュリティ上の理由からサポートしていないので、スキャンに必要なコマンドは、`NOPASSAWORD`として、remote host上の`etc/sudoers`に定義しておく。 -See [Usage: Configtest#Check /etc/sudoers](#check-etcsudoers) +localhostのknown_hostsにremote hostのホストキーが登録されている必要があるので確認すること。 +$HOME/.ssh/known_hostsにリモートホストのHost Keyを追加するために、スキャン前にリモートホストにSSH接続する必要がある。 -また、localhostのknown_hostsにremote hostのホストキーが登録されている必要があるので確認すること。 -## Step4. Config +- localhost +``` +$ ssh ubuntu@172.31.4.82 -i ~/.ssh/id_rsa +``` -- Localhost +## Step3. config.tomlの設定 + +- localhost ``` $ cd $HOME $ cat config.toml [servers] -[servers.172-31-4-82] +[servers.ubuntu] host = "172.31.4.82" port = "22" -user = "ec2-user" -keyPath = "/home/ec2-user/.ssh/id_rsa" +user = "ubuntu" +keyPath = "/home/centos/.ssh/id_rsa" ``` -## Step5. Check config.toml and settings on the server before scanning +## Step4. Check config.toml and settings on the server before scanning ``` -$ vuls configtest +$ vuls configtest ubuntu ``` see [Usage: configtest](#usage-configtest) -## Step6. Start Scanning +## Step5. Start Scanning ``` -$ vuls scan +$ vuls scan ubuntu ... snip ... -Scan Summary -============ -172-31-4-82 amazon 2015.09 94 CVEs 103 updatable packages - +One Line Summary +================ +ubuntu ubuntu16.04 30 updatable packages ``` -## Step7. Reporting +## Step6. Reporting See [Tutorial: Local Scan Mode#Step8. Reporting](#step8-reporting) See [Tutorial: Local Scan Mode#Step9. TUI](#step9-tui) @@ -756,6 +721,7 @@ host = "172.31.4.82" $ vuls configtest --help configtest: configtest + [-deep] [-config=/path/to/config.toml] [-log-dir=/path/to/log] [-ask-key-password] @@ -774,6 +740,8 @@ configtest: Test containers only. Default: Test both of hosts and containers -debug debug mode + -deep + Config test for deep scan mode -http-proxy string http://proxy-url:port (default: empty) -log-dir string 
@@ -784,30 +752,33 @@ configtest: Timeout(Sec) (default 300) ``` -configtestサブコマンドは以下をチェックする -- config.tomlで定義されたサーバ/コンテナに対してSSH可能かどうか +configtestサブコマンドは、config.tomlで定義されたサーバ/コンテナに対してSSH可能かどうかをチェックする。 + +## Deep Scan Mode + +Deep Scan Modeではスキャン対象サーバ上にいくつかの依存パッケージが必要。 +configtestに--deepをつけて実行するとSSH接続に加えて以下もチェックする。 - スキャン対象のサーバ上に依存パッケーがインストールされているか - /etc/sudoers -## Dependencies on Target Servers +### Dependencies and /etc/sudoers on Target Servers -スキャンするためには、下記のパッケージが必要なので、手動かまたはAnsibleなどのツールで事前にインストールする必要がある。 +Deep Scan Modeでスキャンするためには、下記のパッケージが必要なので、手動かまたはAnsibleなどのツールで事前にインストールする必要がある。 -| Distribution| Release | Requirements | -|:------------|-------------------:|:-------------| -| Ubuntu | 12, 14, 16| - | -| Debian | 7, 8| aptitude | -| CentOS | 6, 7| yum-plugin-changelog | -| Amazon | All | - | -| RHEL | 5 | yum-security | -| RHEL | 6, 7 | - | -| FreeBSD | 10 | - | -| Raspbian | Wheezy, Jessie | - | +| Distribution | Release | Requirements | +|:-------------|-------------------:|:-------------| +| Ubuntu | 12, 14, 16| - | +| Debian | 7, 8| aptitude | +| CentOS | 6, 7| yum-plugin-changelog, yum-utils | +| Amazon | All | yum-plugin-changelog, yum-utils | +| RHEL | 5 | yum-utils, yum-security, yum-changelog | +| RHEL | 6, 7 | yum-utils, yum-plugin-changelog | +| Oracle Linux | 5 | yum-utils, yum-security, yum-changelog | +| Oracle Linux | 6, 7 | yum-utils, yum-plugin-changelog | +| FreeBSD | 10 | - | +| Raspbian | Wheezy, Jessie | - | -## Check /etc/sudoers - -スキャン対象サーバに対してパスワードなしでSUDO可能な状態か確認する。 -また、requirettyも定義されているか確認する。(--ssh-native-insecureオプションでscanする場合はrequirettyは定義しなくても良い) +また、Deep Scan Modeで利用するコマンドの中にはRoot権限が必要なものものある。configtestサブコマンドでは、スキャン対象サーバに対してそのコマンドがパスワードなしでSUDO可能な状態か確認する。また、requirettyも定義されているかも確認する。(--ssh-native-insecureオプションでscanする場合はrequirettyは定義しなくても良い) ``` Defaults:vuls !requiretty ``` 
@@ -815,37 +786,25 @@ For details, see [-ssh-native-insecure option](#-ssh-native-insecure-option) スキャン対象サーバ上の`/etc/sudoers`のサンプル -- CentOS +- RHEL 5 / Oracle Linux 5 ``` -vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --changelog --assumeno update * +vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never info-security Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" ``` -- RHEL 5 +- RHEL 6, 7 / Oracle Linux 6, 7 ``` -vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never info-security +vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never --security updateinfo updates Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" ``` -- RHEL 6, 7 -``` -vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never --security updateinfo updates -Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" -``` - -- Debian +- Debian/Ubuntu/Raspbian ``` vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" ``` -- Ubuntu/Raspbian -``` -vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update -Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" -``` - -- Amazon Linux, FreeBSDは今のところRoot権限なしでスキャン可能 +- CentOS, Amazon Linux, FreeBSDは今のところRoot権限なしでスキャン可能 ---- @@ -855,6 +814,7 @@ Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" $ vuls scan -help scan: scan + [-deep] [-config=/path/to/config.toml] [-results-dir=/path/to/results] [-log-dir=/path/to/log] 
@@ -880,6 +840,8 @@ scan: Scan containers only. Default: Scan both of hosts and containers -debug debug mode + -deep + Deep scan mode. Scan accuracy improves and information becomes richer. Since analysis of changelog, issue commands requiring sudo, but it may be slower and high load on the scan tareget server. -http-proxy string http://proxy-url:port (default: empty) -log-dir string @@ -898,6 +860,23 @@ scan: Number of second for scaning vulnerabilities for all servers (default 7200) ``` +## -deep option + +You need to execute `vuls configtest --deep` to check the configuration of the target server before scanning with -deep flag. + +| Distribution | Changelog | +|:-------------|:---------:| +| Ubuntu | yes | +| Debian | yes | +| CentOS | yes | +| Amazon | yes | +| RHEL | yes | +| RHEL | yes | +| Oracle Linux | yes | +| Oracle Linux | yes | +| FreeBSD | no | +| Raspbian | yes | + ## -ssh-native-insecure option Vulsは2種類のSSH接続方法をサポートしている。 @@ -1045,6 +1024,9 @@ report: [-cvedb-type=sqlite3|mysql|postgres|redis] [-cvedb-path=/path/to/cve.sqlite3] [-cvedb-url=http://127.0.0.1:1323 or DB connection string] + [-ovaldb-type=sqlite3|mysql] + [-ovaldb-path=/path/to/oval.sqlite3] + [-ovaldb-url=http://127.0.0.1:1324 or DB connection string] [-cvss-over=7] [-diff] [-ignore-unscored-cves] @@ -1122,6 +1104,12 @@ report: [en|ja] (default "en") -log-dir string /path/to/log (default "/var/log/vuls") + -ovaldb-path string + /path/to/sqlite3 (For get oval detail from oval.sqlite3) (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/oval.sqlite3") + -ovaldb-type string + DB type for fetching OVAL dictionary (sqlite3 or mysql) (default "sqlite3") + -ovaldb-url string + http://goval-dictionary.com:1324 or mysql connection string -pipe Use stdin via PIPE -refresh-cve 
@@ -1177,46 +1165,45 @@ Confidence 100 / YumUpdateSecurityMatch ### Summary part ``` -172-31-4-82 (amazon 2015.09) -============================ -Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages +cent6 (centos6.6) +================= +Total: 145 (High:23 Medium:101 Low:21 ?:0) 83 updatable packages ``` -- `172-31-4-82` means that it is a scan report of `servers.172-31-4-82` defined in cocnfig.toml. -- `(amazon 2015.09)` means that the version of the OS is Amazon Linux 2015.09. -- `Total: 94 (High:19 Medium:54 Low:7 ?:14)` means that a total of 94 vulnerabilities exist, and the distribution of CVSS Severity is displayed. -- `103 updatable packages` means that there are 103 updateable packages on the target server. +- `cent6` means that it is a scan report of `servers.cent6` defined in cocnfig.toml. +- `(centos6.6)` means that the version of the OS is CentOS6.6. +- `Total: 145 (High:23 Medium:101 Low:21 ?:0)` means that a total of 145 vulnerabilities exist, and the distribution of CVSS Severity is displayed. +- `83 updatable packages` means that there are 83 updateable packages on the target server. ### Detailed Part ``` -CVE-2016-5636 -------------- -Score 10.0 (High) -Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C) -Summary Integer overflow in the get_data function in zipimport.c in CPython (aka Python) - before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers - to have unspecified impact via a negative data size value, which triggers a - heap-based buffer overflow. -CWE https://cwe.mitre.org/data/definitions/190.html -NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636 -MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636 -CVE Details http://www.cvedetails.com/cve/CVE-2016-5636 -CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-5636&vector=(AV:N/AC:L/... 
-RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-5636 -ALAS-2016-724 https://alas.aws.amazon.com/ALAS-2016-724.html -Package python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1 - python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1 - python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1 -Confidence 100 / YumUpdateSecurityMatch +CVE-2016-0702 +---------------- +Max Score 2.6 IMPORTANT (redhat) +nvd 1.9/AV:L/AC:M/Au:N/C:P/I:N/A:N +redhat 2.6/AV:L/AC:H/Au:N/C:P/I:P/A:N +jvn 1.9/AV:L/AC:M/Au:N/C:P/I:N/A:N +CVSSv2 Calc https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2016-0702 +Summary The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL + 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider + cache-bank access times during modular exponentiation, which makes it easier for + local users to discover RSA keys by running a crafted application on the same + Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka + a "CacheBleed" attack. +Source https://nvd.nist.gov/vuln/detail/CVE-2016-0702 +RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-0702 +CWE-200 (nvd) https://cwe.mitre.org/data/definitions/200.html +Package/CPE openssl-1.0.1e-30.el6 - 1.0.1e-57.el6 +Confidence 100 / OvalMatch ``` -- `Score` means CVSS Score. -- `Vector` means [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) +- `Max Score` means Max CVSS Score. +- `nvd` shows [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) of NVD +- `redhat` shows [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) of RedHat OVAL +- `jvn` shows [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) of JVN - `Summary` means Summary of the CVE. - `CWE` means [CWE - Common Weakness Enumeration](https://nvd.nist.gov/cwe.cfm) of the CVE. -- `NVD` `MITRE` `CVE Details` `CVSS Caluculator` -- `RHEL-CVE` means the URL of OS distributor support. 
- `Package` shows the package version information including this vulnerability. - `Confidence` means the reliability of detection. - `100` is highly reliable @@ -1225,34 +1212,14 @@ Confidence 100 / YumUpdateSecurityMatch | Detection Method | Confidence | OS |Description| |:-----------------------|-------------------:|:---------------------------------|:--| - | YumUpdateSecurityMatch | 100 | RHEL, Amazon Linux |Detection using yum-plugin-security| + | OvalMatch | 100 | CentOS, RHEL, Oracle, Ubuntu, Debian |Detection using OVAL | + | YumUpdateSecurityMatch | 100 | RHEL, Amazon, Oracle |Detection using yum-plugin-security| | ChangelogExactMatch | 95 | CentOS, Ubuntu, Debian, Raspbian |Exact version match between changelog and package version| | ChangelogLenientMatch | 50 | Ubuntu, Debian, Raspbian |Lenient version match between changelog and package version| | PkgAuditMatch | 100 | FreeBSD |Detection using pkg audit| | CpeNameMatch | 100 | All |Search for NVD information with CPE name specified in config.toml| -### Changelog Part - -The scan results of Ubuntu, Debian, Raspbian or CentOS are also output Changelog in TUI or report with -format-full-text. -(RHEL, Amazon or FreeBSD will be available in the near future) - -The output change log includes only the difference between the currently installed version and candidate version. - -``` -tar-1.28-2.1 -> tar-1.28-2.1ubuntu0.1 -------------------------------------- -tar (1.28-2.1ubuntu0.1) xenial-security; urgency=medium - - * SECURITY UPDATE: extract pathname bypass - - debian/patches/CVE-2016-6321.patch: skip members whose names contain - ".." in src/extract.c. - - CVE-2016-6321 - - -- Marc Deslauriers Thu, 17 Nov 2016 11:06:07 -0500 -``` - - ## Example: Send scan results to Slack ``` $ vuls report \ 
@@ -1508,6 +1475,9 @@ tui: [-cvedb-type=sqlite3|mysql|postgres|redis] [-cvedb-path=/path/to/cve.sqlite3] [-cvedb-url=http://127.0.0.1:1323 DB connection string] + [-ovaldb-type=sqlite3|mysql] + [-ovaldb-path=/path/to/oval.sqlite3] + [-ovaldb-url=http://127.0.0.1:1324 or DB connection string] [-refresh-cve] [-results-dir=/path/to/results] [-log-dir=/path/to/log] @@ -1521,6 +1491,12 @@ tui: DB type for fetching CVE dictionary (sqlite3, mysql, postgres or redis) (default "sqlite3") -cvedb-url string http://cve-dictionary.com:8080 or DB connection string + -ovaldb-path string + /path/to/sqlite3 (For get oval detail from oval.sqlite3) (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/oval.sqlite3") + -ovaldb-type string + DB type for fetching OVAL dictionary (sqlite3 or mysql) (default "sqlite3") + -ovaldb-url string + http://goval-dictionary.com:1324 or mysql connection string -debug debug mode -debug-sql @@ -1584,7 +1560,7 @@ $ go-cve-dictionary server -bind=192.168.10.1 -port=1323 Run Vuls with -cve-dictionary-url option. ``` -$ vuls scan -cve-dictionary-url=http://192.168.0.1:1323 +$ vuls report -cve-dictionary-url=http://192.168.0.1:1323 ``` # Usage: Update NVD Data 
@@ -1593,6 +1569,27 @@ see [go-cve-dictionary#usage-fetch-nvd-data](https://github.com/kotakanbe/go-cve ---- +# Usage: goval-dictionary on different server + +``` +$ goval-dictionary server -bind=192.168.10.1 -port=1324 +``` + +Run Vuls with -ovaldb-url option. + +``` +$ vuls report -ovaldb-url=http://192.168.0.1:1323 +``` + +# Usage: Update OVAL Data + +- [RedHat, CentOS](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-redhat) +- [Ubuntu](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-ubuntu) +- [Debian](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-debian) +- [Oracle](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-oracle) + +---- + # レポートの日本語化 see [go-cve-dictionary#usage-fetch-jvn-data](https://github.com/kotakanbe/go-cve-dictionary#usage-fetch-jvn-data) diff --git a/README.md b/README.md index 4dc7cf46..f1fb88f6 100644 --- a/README.md +++ b/README.md @@ -12,9 +12,11 @@ Vulnerability scanner for Linux/FreeBSD, agentless, written in golang. We have a slack team. [Join slack team](http://goo.gl/forms/xm5KFo35tu) -[README in Japanese](https://github.com/future-architect/vuls/blob/master/README.ja.md) +[README 日本語](https://github.com/future-architect/vuls/blob/master/README.ja.md) [README in French](https://github.com/future-architect/vuls/blob/master/README.fr.md) +![Vuls-Abstract](img/vuls-abstract.png) + [![asciicast](https://asciinema.org/a/3y9zrf950agiko7klg8abvyck.png)](https://asciinema.org/a/3y9zrf950agiko7klg8abvyck) ![Vuls-slack](img/vuls-slack-en.png) 
@@ -23,89 +25,7 @@ We have a slack team. [Join slack team](http://goo.gl/forms/xm5KFo35tu) # TOC -- [Vuls: VULnerability Scanner](#vuls-vulnerability-scanner) -- [TOC](#toc) -- [Abstract](#abstract) -- [Main Features](#main-features) -- [What Vuls Doesn't Do](#what-vuls-doesnt-do) -- [Setup Vuls](#setup-vuls) -- [Tutorial: Local Scan Mode](#tutorial-local-scan-mode) - * [Step1. Launch Amazon Linux](#step1-launch-amazon-linux) - * [Step2. Install requirements](#step2-install-requirements) - * [Step3. Deploy go-cve-dictionary](#step3-deploy-go-cve-dictionary) - * [Step4. Deploy Vuls](#step4-deploy-vuls) - * [Step5. Config](#step5-config) - * [Step6. Check config.toml and settings on the server before scanning](#step6-check-configtoml-and-settings-on-the-server-before-scanning) - * [Step7. Start Scanning](#step7-start-scanning) - * [Step8. Reporting](#step8-reporting) - * [Step9. TUI](#step9-tui) - * [Step10. Web UI](#step10-web-ui) -- [Tutorial: Remote Scan Mode](#tutorial-remote-scan-mode) - * [Step1. Launch Another Amazon Linux](#step1-launch-another-amazon-linux) - * [Step2. Install Dependencies on the Remote Server](#step2-install-dependencies-on-the-remote-server) - * [Step3. Enable to SSH from Localhost](#step3-enable-to-ssh-from-localhost) - * [Step4. Config](#step4-config) - * [Step5. Check config.toml and settings on the server before scanning](#step5-check-configtoml-and-settings-on-the-server-before-scanning) - * [Step6. Start Scanning](#step6-start-scanning) - * [Step7. Reporting](#step7-reporting) -- [Setup Vuls in a Docker Container](#setup-vuls-in-a-docker-container) -- [Architecture](#architecture) - * [A. Scan via SSH Mode (Remote Scan Mode)](#a-scan-via-ssh-mode-remote-scan-mode) - * [B. 
Scan without SSH (Local Scan Mode)](#b-scan-without-ssh-local-scan-mode) - * [go-cve-dictionary](#go-cve-dictionary) - * [Scanning Flow](#scanning-flow) -- [Performance Considerations](#performance-considerations) -- [Use Cases](#use-cases) - * [Scan All Servers](#scan-all-servers) - * [Scan a Single Server](#scan-a-single-server) - * [Scan Staging Environment](#scan-staging-environment) -- [Support OS](#support-os) -- [Usage: Automatic Server Discovery](#usage-automatic-server-discovery) - * [Example](#example) -- [Configuration](#configuration) -- [Usage: Configtest](#usage-configtest) - * [Dependencies on Target Servers](#dependencies-on-target-servers) - * [Check /etc/sudoers](#check-etcsudoers) -- [Usage: Scan](#usage-scan) - * [-ssh-native-insecure option](#-ssh-native-insecure-option) - * [-ask-key-password option](#-ask-key-password-option) - * [Example: Scan all servers defined in config file](#example-scan-all-servers-defined-in-config-file) - * [Example: Scan specific servers](#example-scan-specific-servers) - * [Example: Scan via shell instead of SSH.](#example-scan-via-shell-instead-of-ssh) - + [cron](#cron) - * [Example: Scan containers (Docker/LXD)](#example-scan-containers-dockerlxd) - + [Docker](#docker) - + [LXD](#lxd) -- [Usage: Report](#usage-report) - * [How to read a report](#how-to-read-a-report) - + [Example](#example-1) - + [Summary part](#summary-part) - + [Detailed Part](#detailed-part) - + [Changelog Part](#changelog-part) - * [Example: Send scan results to Slack](#example-send-scan-results-to-slack) - * [Example: Put results in S3 bucket](#example-put-results-in-s3-bucket) - * [Example: Put results in Azure Blob storage](#example-put-results-in-azure-blob-storage) - * [Example: IgnoreCves](#example-ignorecves) - * [Example: Add optional key-value pairs to JSON](#example-add-optional-key-value-pairs-to-json) - * [Example: Use MySQL as a DB storage back-end](#example-use-mysql-as-a-db-storage-back-end) - * [Example: Use PostgreSQL as a DB 
storage back-end](#example-use-postgresql-as-a-db-storage-back-end) - * [Example: Use Redis as a DB storage back-end](#example-use-redis-as-a-db-storage-back-end) -- [Usage: Scan vulnerabilites of non-OS packages](#usage-scan-vulnerabilites-of-non-os-packages) -- [Usage: Integrate with OWASP Dependency Check to Automatic update when the libraries are updated (Experimental)](#usage-integrate-with-owasp-dependency-check-to-automatic-update-when-the-libraries-are-updated-experimental) -- [Usage: TUI](#usage-tui) - * [Display the latest scan results](#display-the-latest-scan-results) - * [Display the previous scan results](#display-the-previous-scan-results) -- [Display the previous scan results using peco](#display-the-previous-scan-results-using-peco) -- [Usage: go-cve-dictionary on different server](#usage-go-cve-dictionary-on-different-server) -- [Usage: Update NVD Data](#usage-update-nvd-data) -- [How to Update](#how-to-update) -- [Misc](#misc) -- [Related Projects](#related-projects) -- [Data Source](#data-source) -- [Authors](#authors) -- [Contribute](#contribute) -- [Change Log](#change-log) -- [License](#license) +TODO ---- 
@@ -134,13 +54,33 @@ Vuls is a tool created to solve the problems listed above. It has the following - Scan for any vulnerabilities in Linux/FreeBSD Server - Supports Ubuntu, Debian, CentOS, Amazon Linux, RHEL, Oracle Linux, FreeBSD and Raspbian - Cloud, on-premise, Docker +- High quality scan + - Vuls uses Multiple vulnerability databases + - OVAL + - RHSA/ALAS/ELSA/FreeBSD-SA + - Changelog +- Fast scan and Deep scan + - Fast Scan + - Scan without root privilege + - Almost no load on the scan target server + - Deep Scan + - Scan with root privilege + - Parses the Changelog + Changelog has a history of version changes. When a security issue is fixed, the relevant CVE ID is listed. + By parsing the changelog and analysing the updates between the installed version of software on the server and the newest version of that software + it's possible to create a list of all vulnerabilities that need to be fixed. + - Sometimes load on the scan target server +- Remote scan and Local scan + - Remote Scan + - User is required to only setup one machine that is connected to other target servers via SSH + - Local Scan + - If you don't want the central Vuls server to connect to each server by SSH, you can use Vuls in the Local Scan mode. - Scan middleware that are not included in OS package management - Scan middleware, programming language libraries and framework for vulnerability - Support software registered in CPE -- Agentless architecture - - User is required to only setup one machine that is connected to other target servers via SSH - Nondestructive testing -- Pre-authorization is not necessary before scanning on AWS +- Pre-authorization is *NOT* necessary before scanning on AWS + - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly. 
- Auto generation of configuration file template - Auto detection of servers set using CIDR, generate configuration file template - Email and Slack notification is possible (supports Japanese language) @@ -168,14 +108,29 @@ Tutorial shows how to setup vuls manually. ---- +# Tutorial + +To give you an idea of how easy Vuls is to use. +This tutorial consists of three steps. +1. Tutorial: Local Scan Mode + - Launch CentOS on AWS + - Deploy Vuls + - Scan localhost, Reporting +1. Tutorial: Remote Scan Mode + - Launch Ubuntu Linux on AWS + - Scan this Ubuntu from the Vuls you set up earlier + +---- + # Tutorial: Local Scan Mode This tutorial will let you scan the vulnerabilities on the localhost with Vuls. This can be done in the following steps. -1. Launch Amazon Linux +1. Launch CentOS 1. Install requirements 1. Deploy go-cve-dictionary +1. Deploy goval-dictionary 1. Deploy Vuls 1. Configuration 1. Check config.toml and settings on the server before scanning @@ -184,9 +139,9 @@ This can be done in the following steps. 1. TUI(Terminal-Based User Interface) 1. Web UI ([VulsRepo](https://github.com/usiusi360/vulsrepo)) -## Step1. Launch Amazon Linux +## Step1. Launch CentOS7 -- We are using the old AMI (amzn-ami-hvm-2015.09.1.x86_64-gp2 - ami-383c1956) for this example +- We are using the old AMI for this example - Add the following to the cloud-init, to avoid auto-update at the first launch. ``` 
@@ -204,14 +159,14 @@ Vuls requires the following packages. - git - gcc - GNU Make -- go v1.7.1 or later (The latest version is recommended) +- go v1.8.3 or later (The latest version is recommended) - https://golang.org/doc/install ```bash -$ ssh ec2-user@52.100.100.100 -i ~/.ssh/private.pem -$ sudo yum -y install sqlite git gcc make -$ wget https://storage.googleapis.com/golang/go1.7.1.linux-amd64.tar.gz -$ sudo tar -C /usr/local -xzf go1.7.1.linux-amd64.tar.gz +$ ssh centos@52.100.100.100 -i ~/.ssh/private.pem +$ sudo yum -y install sqlite git gcc make wget +$ wget https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz +$ sudo tar -C /usr/local -xzf go1.8.3.linux-amd64.tar.gz $ mkdir $HOME/go ``` Add these lines into /etc/profile.d/goenv.sh @@ -233,7 +188,7 @@ $ source /etc/profile.d/goenv.sh ```bash $ sudo mkdir /var/log/vuls -$ sudo chown ec2-user /var/log/vuls +$ sudo chown centos /var/log/vuls $ sudo chmod 700 /var/log/vuls $ $ mkdir -p $GOPATH/src/github.com/kotakanbe @@ -243,6 +198,8 @@ $ cd go-cve-dictionary $ make install ``` The binary was built under `$GOPATH/bin` +If the installation process stops halfway, try increasing the instance type of EC2. An out of memory error may have occurred. + Fetch vulnerability data from NVD. It takes about 10 minutes (on AWS). 
@@ -252,10 +209,32 @@ $ cd $HOME $ for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done ... snip ... $ ls -alh cve.sqlite3 --rw-r--r-- 1 ec2-user ec2-user 7.0M Mar 24 13:20 cve.sqlite3 +-rw-r--r--. 1 centos centos 51M Aug 6 08:10 cve.sqlite3 +-rw-r--r--. 1 centos centos 32K Aug 6 08:10 cve.sqlite3-shm +-rw-r--r--. 1 centos centos 5.1M Aug 6 08:10 cve.sqlite3-wal ``` -## Step4. Deploy Vuls +## Step4. Deploy goval-dictionary + +[goval-dictionary](https://github.com/kotakanbe/goval-dictionary) + +```bash +$ mkdir -p $GOPATH/src/github.com/kotakanbe +$ cd $GOPATH/src/github.com/kotakanbe +$ git clone https://github.com/kotakanbe/goval-dictionary.git +$ cd goval-dictionary +$ make install +``` +The binary was built under `$GOPATH/bin` +If the installation process stops halfway, try increasing the instance type of EC2. An out of memory error may have occurred. + + Then fetch OVAL data of RedHat since the server to be scanned is CentOS. [README](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-redhat) + +```bash +$ goval-dictionary fetch-redhat 5 6 7 +``` + +## Step5. Deploy Vuls Launch a new terminal and SSH to the ec2 instance. @@ -267,8 +246,9 @@ $ cd vuls $ make install ``` The binary was built under `$GOPATH/bin` +If the installation process stops halfway, try increasing the instance type of EC2. An out of memory error may have occurred. -## Step5. Config +## Step6. Configuration Create a config file(TOML format). ``` 
@@ -277,15 +257,12 @@ $ cat config.toml [servers] [servers.localhost] -host = "localhost" -port = "local" +host = "localhost" +port = "local" ``` -Root privilege is needed on Some distributions. -Sudo with password is not supported for security reasons. So you have to define NOPASSWORD in /etc/sudoers. -See [Usage: Configtest#Check /etc/sudoers](#check-etcsudoers) -## Step6. Check config.toml and settings on the server before scanning +## Step7. Check config.toml and settings on the server before scanning ``` $ vuls configtest 
@@ -293,50 +270,54 @@ $ vuls configtest see [Usage: configtest](#usage-configtest) -## Step7. Start Scanning +## Step8. Start Scanning ``` $ vuls scan + ... snip ... -Scan Summary -============ -localhost amazon 2015.09 94 CVEs 103 updatable packages +One Line Summary +================ +localhost centos7.3.1611 31 updatable packages ``` -## Step8. Reporting +## Step9. Reporting View one-line summary ``` -$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3 +$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3 -ovaldb-path=$PWD/oval.sqlite3 One Line Summary ================ -localhost Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages +localhost Total: 109 (High:35 Medium:55 Low:16 ?:3) 31 updatable packages ``` -View short summary. +View short summary ``` $ vuls report -format-short-text -localhost (amazon 2015.09) -=========================== -Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages +localhost (centos7.3.1611) +========================== +Total: 109 (High:35 Medium:55 Low:16 ?:3) 31 updatable packages + +CVE-2015-2806 10.0 HIGH (nvd) + Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows + remote attackers to have unspecified impact via unknown vectors. + --- + https://nvd.nist.gov/vuln/detail/CVE-2015-2806 + https://access.redhat.com/security/cve/CVE-2015-2806 (RHEL-CVE) + 10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C (nvd) + 2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P (redhat) + https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2015-2806 + 3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (redhat) + https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-2806 + Confidence: 100 / OvalMatch -CVE-2016-5636 10.0 (High) Integer overflow in the get_data function in zipimport.c in CPython (aka Python) - before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers - to have unspecified impact via a negative data size value, which triggers a - heap-based buffer overflow. 
- http://www.cvedetails.com/cve/CVE-2016-5636 - https://access.redhat.com/security/cve/CVE-2016-5636 - python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1 - python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1 - python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1 - Confidence: 100 / YumUpdateSecurityMatch ... snip ... ```` 
@@ -344,35 +325,30 @@ View full report. ``` $ vuls report -format-full-text | less +localhost (centos7.3.1611) +========================== +Total: 109 (High:35 Medium:55 Low:16 ?:3) 31 updatable packages -localhost (amazon 2015.09) -============================ -Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages - -CVE-2016-5636 -------------- -Score 10.0 (High) -Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C) -Summary Integer overflow in the get_data function in zipimport.c in CPython (aka Python) - before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers - to have unspecified impact via a negative data size value, which triggers a - heap-based buffer overflow. -CWE https://cwe.mitre.org/data/definitions/190.html -NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636 -MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636 -CVE Details http://www.cvedetails.com/cve/CVE-2016-5636 -CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-5636&vector=(AV:N/AC:L/... -RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-5636 -ALAS-2016-724 https://alas.aws.amazon.com/ALAS-2016-724.html -Package python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1 - python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1 - python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1 -Confidence 100 / YumUpdateSecurityMatch +CVE-2015-2806 +---------------- +Max Score 10.0 HIGH (nvd) +nvd 10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C +redhat 2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P +redhat 3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L +CVSSv2 Calc https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2015-2806 +CVSSv3 Calc https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-2806 +Summary Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows + remote attackers to have unspecified impact via unknown vectors. 
+Source https://nvd.nist.gov/vuln/detail/CVE-2015-2806 +RHEL-CVE https://access.redhat.com/security/cve/CVE-2015-2806 +CWE-119 (nvd) https://cwe.mitre.org/data/definitions/119.html +Package/CPE libtasn1-3.8-3.el7 - +Confidence 100 / OvalMatch ... snip ... ``` -## Step9. TUI +## Step10. TUI Vuls has Terminal-Based User Interface to display the scan result. @@ -382,7 +358,7 @@ $ vuls tui ![Vuls-TUI](img/hello-vuls-tui.png) -## Step10. Web UI +## Step11. Web UI [VulsRepo](https://github.com/usiusi360/vulsrepo) is a awesome Web UI for Vuls. Check it out the [Online Demo](http://usiusi360.github.io/vulsrepo/). @@ -394,9 +370,8 @@ Check it out the [Online Demo](http://usiusi360.github.io/vulsrepo/). This tutorial will let you scan the vulnerabilities on the remote host via SSH with Vuls. This can be done in the following steps. -1. Launch Another Amazon Linux -1. Install Dependencies on the Remote Host -1. Enable to SSH from Localhost +1. Launch new Ubuntu Linux +1. Enable to SSH from localhost 1. Configuration 1. Check config.toml and settings on the server before scanning 1. Scan 
@@ -404,23 +379,18 @@ This can be done in the following steps. We will use the Vuls server (called localhost) created in the previous tutorial. -## Step1. Launch Another Amazon Linux +## Step1. Launch new Ubuntu Linux -Same as [Tutorial: Local Scan Mode#Step1. Launch Amazon Linux](#step1-launch-amazon-linux) -Launch a new terminal and SSH to the Remote Server. +Same like as [Tutorial: Local Scan Mode#Step1. Launch CentOS7](#step1-launch-centos7) +Launch a new terminal and SSH to the Remote host. +To add the remote host's Host Key to $HOME/.ssh/known_hosts, you need to log in to the remote host through SSH before scanning. -## Step2. Install Dependencies on the Remote Server - -Depending on the distribution you need to install dependent modules. -Install these dependencies manually or using Ansible etc. -For details of dependent libraries, see [Dependencies on Target Servers](#dependencies-on-target-servers) - -## Step3. Enable to SSH from Localhost +## Step2. Enable to SSH from localhost Vuls doesn't support SSH password authentication. So you have to use SSH key-based authentication. -Create a keypair on the localhost then append public key to authorized_keys on the remote host. +Create a keypair on the localhost then append the public key to authorized_keys on the remote host. -- Localhost +- localhost ```bash $ ssh-keygen -t rsa ``` 
@@ -436,47 +406,49 @@ $ vim ~/.ssh/authorized_keys ``` Paste from the clipboard to ~/.ssh/.authorized_keys -SUDO with password is not supported for security reasons. So you have to define NOPASSWORD in /etc/sudoers on target servers. -See [Usage: Configtest#Check /etc/sudoers](#check-etcsudoers) +And also, confirm that the host keys of scan target servers has been registered in the known_hosts of the localhost. +To add the remote host's Host Key to $HOME/.ssh/known_hosts, you need to log in to the remote host through SSH before scanning. -And also, confirm that the host keys of scan target servers has been registered in the known_hosts of the Localhost. +- localhost +``` +$ ssh ubuntu@172.31.4.82 -i ~/.ssh/id_rsa +``` -## Step4. Config +## Step3. Configure (config.toml) -- Localhost +- localhost ``` $ cd $HOME $ cat config.toml [servers] -[servers.172-31-4-82] +[servers.ubuntu] host = "172.31.4.82" port = "22" -user = "ec2-user" -keyPath = "/home/ec2-user/.ssh/id_rsa" +user = "ubuntu" +keyPath = "/home/centos/.ssh/id_rsa" ``` -## Step5. Check config.toml and settings on the server before scanning +## Step4. Check config.toml and settings on the server before scanning ``` -$ vuls configtest +$ vuls configtest ubuntu ``` see [Usage: configtest](#usage-configtest) -## Step6. Start Scanning +## Step5. Start Scanning ``` -$ vuls scan +$ vuls scan ubuntu ... snip ... -Scan Summary -============ -172-31-4-82 amazon 2015.09 94 CVEs 103 updatable packages - +One Line Summary +================ +ubuntu ubuntu16.04 30 updatable packages ``` -## Step7. Reporting +## Step6. Reporting See [Tutorial: Local Scan Mode#Step8. Reporting](#step8-reporting) See [Tutorial: Local Scan Mode#Step9. TUI](#step9-tui) @@ -762,6 +734,7 @@ You can customize your configuration using this template. $ vuls configtest --help configtest: configtest + [-deep] [-config=/path/to/config.toml] [-log-dir=/path/to/log] [-ask-key-password] 
@@ -779,6 +752,8 @@ configtest: Test containers only. Default: Test both of hosts and containers -debug debug mode + -deep + Config test for deep scan mode -http-proxy string http://proxy-url:port (default: empty) -log-dir string 
@@ -790,31 +765,31 @@ configtest: ``` -The configtest subcommand checks the following -- Whether vuls is able to connect via SSH to servers/containers defined in the config.toml -- Whether Dependent package is installed on the scan target server -- Check /etc/sudoers +The configtest subcommand checks whether vuls is able to connect via SSH to servers/containers defined in the config.toml -## Dependencies on Target Servers +## Deep Scan Mode -In order to scan, the following dependencies are required, so you need to install them manually or with tools such as Ansible. +Some dependent packages are needed in Deep Scan Mode. +The configtest subcommand with --deep flag checks whether the packages are installed on the scan target server and also check /etc/sudoers + +### Dependencies and /etc/sudoers on Target Servers + +In order to scan with deep scan mode, the following dependencies are required, so you need to install them manually or with tools such as Ansible. | Distribution | Release | Requirements | |:-------------|-------------------:|:-------------| | Ubuntu | 12, 14, 16| - | | Debian | 7, 8| aptitude | | CentOS | 6, 7| yum-plugin-changelog, yum-utils | -| Amazon | All | - | TODO yum-utils?, yum-plugin-changelog -| RHEL | 5 | yum-security | TODO yum-utils? -| RHEL | 6, 7 | - | TODO yum-utils? -| Oracle Linux | 5 | yum-security | TODO yum-utils? -| Oracle Linux | 6, 7 | - |TODO yum-utils? +| Amazon | All | yum-plugin-changelog, yum-utils | +| RHEL | 5 | yum-utils, yum-security, yum-changelog | +| RHEL | 6, 7 | yum-utils, yum-plugin-changelog | +| Oracle Linux | 5 | yum-utils, yum-security, yum-changelog | +| Oracle Linux | 6, 7 | yum-utils, yum-plugin-changelog | | FreeBSD | 10 | - | | Raspbian | Wheezy, Jessie | - | -## Check /etc/sudoers - -The configtest subcommand checks sudo settings on target servers whether Vuls is able to SUDO with nopassword via SSH. And if you run Vuls without -ssh-native-insecure option, requiretty must be defined in /etc/sudoers. 
+The configtest subcommand also checks sudo settings on target servers whether Vuls is able to SUDO with nopassword via SSH. And if you run Vuls without -ssh-native-insecure option, requiretty must be defined in /etc/sudoers. ``` Defaults:vuls !requiretty ``` 
@@ -822,37 +797,25 @@ For details, see [-ssh-native-insecure option](#-ssh-native-insecure-option) Example of /etc/sudoers on target servers -- CentOS -``` -vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --changelog --assumeno update * -Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" -``` - - RHEL 5 / Oracle Linux 5 ``` -vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never info-security +vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never info-security Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" ``` - RHEL 6, 7 / Oracle Linux 6, 7 ``` -vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never --security updateinfo updates +vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never --security updateinfo updates Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" ``` -- Debian +- Debian/Ubuntu/Raspbian ``` vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" ``` -- Ubuntu/Raspbian -``` -vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update -Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" -``` - -- On Amazon Linux, FreeBSD, it is possible to scan without root privilege for now. +- On CentOS, Amazon Linux, FreeBSD, it is possible to scan without root privilege for now. ---- @@ -862,6 +825,7 @@ Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY" $ vuls scan -help scan: scan + [-deep] [-config=/path/to/config.toml] [-results-dir=/path/to/results] [-log-dir=/path/to/log] 
@@ -887,6 +851,8 @@ scan: Scan containers only. Default: Scan both of hosts and containers -debug debug mode + -deep + Deep scan mode. Scan accuracy improves and information becomes richer. Since analysis of changelog, issue commands requiring sudo, but it may be slower and high load on the scan tareget server. -http-proxy string http://proxy-url:port (default: empty) -log-dir string @@ -905,6 +871,23 @@ scan: Number of second for scaning vulnerabilities for all servers (default 7200) ``` +## -deep option + +You need to execute `vuls configtest --deep` to check the configuration of the target server before scanning with -deep flag. + +| Distribution | Changelog | +|:-------------|:---------:| +| Ubuntu | yes | +| Debian | yes | +| CentOS | yes | +| Amazon | yes | +| RHEL | yes | +| RHEL | yes | +| Oracle Linux | yes | +| Oracle Linux | yes | +| FreeBSD | no | +| Raspbian | yes | + ## -ssh-native-insecure option Vuls supports different types of SSH. @@ -1054,6 +1037,9 @@ report: [-cvedb-type=sqlite3|mysql|postgres] [-cvedb-path=/path/to/cve.sqlite3] [-cvedb-url=http://127.0.0.1:1323 DB connection string] + [-ovaldb-type=sqlite3|mysql] + [-ovaldb-path=/path/to/oval.sqlite3] + [-ovaldb-url=http://127.0.0.1:1324 or DB connection string] [-cvss-over=7] [-diff] [-ignore-unscored-cves] @@ -1131,6 +1117,12 @@ report: [en|ja] (default "en") -log-dir string /path/to/log (default "/var/log/vuls") + -ovaldb-path string + /path/to/sqlite3 (For get oval detail from oval.sqlite3) (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/oval.sqlite3") + -ovaldb-type string + DB type for fetching OVAL dictionary (sqlite3 or mysql) (default "sqlite3") + -ovaldb-url string + http://goval-dictionary.com:1324 or mysql connection string -pipe Use stdin via PIPE -refresh-cve 
@@ -1186,47 +1178,45 @@ Confidence 100 / YumUpdateSecurityMatch ### Summary part ``` -172-31-4-82 (amazon 2015.09) -============================ -Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages +cent6 (centos6.6) +================= +Total: 145 (High:23 Medium:101 Low:21 ?:0) 83 updatable packages ``` -- `172-31-4-82` means that it is a scan report of `servers.172-31-4-82` defined in cocnfig.toml. -- `(amazon 2015.09)` means that the version of the OS is Amazon Linux 2015.09. -- `Total: 94 (High:19 Medium:54 Low:7 ?:14)` means that a total of 94 vulnerabilities exist, and the distribution of CVSS Severity is displayed. -- `103 updatable packages` means that there are 103 updateable packages on the target server. +- `cent6` means that it is a scan report of `servers.cent6` defined in cocnfig.toml. +- `(centos6.6)` means that the version of the OS is CentOS6.6. +- `Total: 145 (High:23 Medium:101 Low:21 ?:0)` means that a total of 145 vulnerabilities exist, and the distribution of CVSS Severity is displayed. +- `83 updatable packages` means that there are 83 updateable packages on the target server. ### Detailed Part ``` -CVE-2016-5636 -------------- -Score 10.0 (High) -Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C) -Summary Integer overflow in the get_data function in zipimport.c in CPython (aka Python) - before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers - to have unspecified impact via a negative data size value, which triggers a - heap-based buffer overflow. -CWE https://cwe.mitre.org/data/definitions/190.html -NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636 -MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636 -CVE Details http://www.cvedetails.com/cve/CVE-2016-5636 -CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-5636&vector=(AV:N/AC:L/... 
-RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-5636 -ALAS-2016-724 https://alas.aws.amazon.com/ALAS-2016-724.html -Package python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1 - python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1 - python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1 -Confidence 100 / YumUpdateSecurityMatch +CVE-2016-0702 +---------------- +Max Score 2.6 IMPORTANT (redhat) +nvd 1.9/AV:L/AC:M/Au:N/C:P/I:N/A:N +redhat 2.6/AV:L/AC:H/Au:N/C:P/I:P/A:N +jvn 1.9/AV:L/AC:M/Au:N/C:P/I:N/A:N +CVSSv2 Calc https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2016-0702 +Summary The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL + 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider + cache-bank access times during modular exponentiation, which makes it easier for + local users to discover RSA keys by running a crafted application on the same + Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka + a "CacheBleed" attack. +Source https://nvd.nist.gov/vuln/detail/CVE-2016-0702 +RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-0702 +CWE-200 (nvd) https://cwe.mitre.org/data/definitions/200.html +Package/CPE openssl-1.0.1e-30.el6 - 1.0.1e-57.el6 +Confidence 100 / OvalMatch ``` -- `Score` means CVSS Score. -- `Vector` means [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) +- `Max Score` means Max CVSS Score. +- `nvd` shows [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) of NVD +- `redhat` shows [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) of RedHat OVAL +- `jvn` shows [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) of JVN - `Summary` means Summary of the CVE. - `CWE` means [CWE - Common Weakness Enumeration](https://nvd.nist.gov/cwe.cfm) of the CVE. -- `NVD` `MITRE` `CVE Details` `CVSS Caluculator` -- `RHEL-CVE` means the URL of OS distributor support. 
-- `Oracle-CVE` means the URL of the Oracle Linux errata information. - `Package` shows the package version information including this vulnerability. - `Confidence` means the reliability of detection. - `100` is highly reliable @@ -1235,33 +1225,14 @@ Confidence 100 / YumUpdateSecurityMatch | Detection Method | Confidence | OS |Description| |:-----------------------|-------------------:|:---------------------------------|:--| - | YumUpdateSecurityMatch | 100 | RHEL, Oracle Linux, Amazon Linux |Detection using yum-plugin-security| + | OvalMatch | 100 | CentOS, RHEL, Oracle, Ubuntu, Debian |Detection using OVAL | + | YumUpdateSecurityMatch | 100 | RHEL, Amazon, Oracle |Detection using yum-plugin-security| | ChangelogExactMatch | 95 | CentOS, Ubuntu, Debian, Raspbian |Exact version match between changelog and package version| | ChangelogLenientMatch | 50 | Ubuntu, Debian, Raspbian |Lenient version match between changelog and package version| | PkgAuditMatch | 100 | FreeBSD |Detection using pkg audit| | CpeNameMatch | 100 | All |Search for NVD information with CPE name specified in config.toml| -### Changelog Part - -The scan results of Ubuntu, Debian, Raspbian or CentOS are also output Changelog in TUI or report with -format-full-text. -(RHEL, Amazon or FreeBSD will be available in the near future) - -The output change log includes only the difference between the currently installed version and candidate version. - -``` -tar-1.28-2.1 -> tar-1.28-2.1ubuntu0.1 -------------------------------------- -tar (1.28-2.1ubuntu0.1) xenial-security; urgency=medium - - * SECURITY UPDATE: extract pathname bypass - - debian/patches/CVE-2016-6321.patch: skip members whose names contain - ".." in src/extract.c. - - CVE-2016-6321 - - -- Marc Deslauriers Thu, 17 Nov 2016 11:06:07 -0500 -``` - ## Example: Send scan results to Slack ``` $ vuls report \ 
@@ -1508,6 +1479,9 @@ tui: [-cvedb-type=sqlite3|mysql|postgres] [-cvedb-path=/path/to/cve.sqlite3] [-cvedb-url=http://127.0.0.1:1323 DB connection string] + [-ovaldb-type=sqlite3|mysql] + [-ovaldb-path=/path/to/oval.sqlite3] + [-ovaldb-url=http://127.0.0.1:1324 or DB connection string] [-refresh-cve] [-results-dir=/path/to/results] [-log-dir=/path/to/log] @@ -1521,6 +1495,12 @@ tui: DB type for fetching CVE dictionary (sqlite3, mysql or postgres) (default "sqlite3") -cvedb-url string http://cve-dictionary.com:8080 DB connection string + -ovaldb-path string + /path/to/sqlite3 (For get oval detail from oval.sqlite3) (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/oval.sqlite3") + -ovaldb-type string + DB type for fetching OVAL dictionary (sqlite3 or mysql) (default "sqlite3") + -ovaldb-url string + http://goval-dictionary.com:1324 or mysql connection string -debug debug mode -debug-sql @@ -1579,13 +1559,31 @@ $ go-cve-dictionary server -bind=192.168.10.1 -port=1323 Run Vuls with -cvedb-url option. ``` -$ vuls scan -cvedb-url=http://192.168.0.1:1323 +$ vuls report -cvedb-url=http://192.168.0.1:1323 ``` # Usage: Update NVD Data see [go-cve-dictionary#usage-fetch-nvd-data](https://github.com/kotakanbe/go-cve-dictionary#usage-fetch-nvd-data) +# Usage: goval-dictionary on different server + +``` +$ goval-dictionary server -bind=192.168.10.1 -port=1324 +``` + +Run Vuls with -ovaldb-url option. + +``` +$ vuls report -ovaldb-url=http://192.168.0.1:1323 +``` + +# Usage: Update OVAL Data + +- [RedHat, CentOS](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-redhat) +- [Ubuntu](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-ubuntu) +- [Debian](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-debian) +- [Oracle](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-oracle) ---- diff --git a/commands/scan.go b/commands/scan.go index 623b518d..60874c4b 100644 
--- a/commands/scan.go +++ b/commands/scan.go @@ -138,7 +138,7 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) { &p.deep, "deep", false, - "Deep scan mode. Scan accuracy improves and information becomes richer. Since analysis of changelog, issue commands requiring sudo, but is slower and heavy") + "Deep scan mode. Scan accuracy improves and scanned information becomes richer. Since analysis of changelog, issue commands requiring sudo, but it may be slower and high load on the tareget server") f.BoolVar( &p.pipe, 
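Review bot: The legend under the new CVE-2016-0702 sample in README.md no longer matches the rows the sample prints. The output shows `CVSSv2 Calc`, `Source`, `RHEL-CVE` and `Package/CPE`, but the bullets for the link rows are deleted and the surviving bullet still reads `Package`. Suggest keeping one bullet per printed row, renaming the bullet to `Package/CPE`, and saying that the `nvd`, `redhat` and `jvn` rows carry the score as well as the vector (for example `2.6/AV:L/AC:H/Au:N/C:P/I:P/A:N`), since the new bullets describe them as the vector only.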
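Review bot: Changelog output is left undocumented by the `@@ -1235,33 +1225,14 @@` hunk in README.md: the `### Changelog Part` section is deleted, yet the confidence table in the same hunk still lists `ChangelogExactMatch` and `ChangelogLenientMatch`, and the `-deep` help text in commands/scan.go still refers to changelog analysis. If the changelog is still shown in the TUI or the full-text report, move the section next to the deep scan documentation instead of dropping it, or state in the commit message where it went.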
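Review bot: The default shown for `-ovaldb-path` in the `@@ -1521,6 +1495,12 @@ tui:` hunk is a path from the author's workstation, `/Users/kotakanbe/go/src/github.com/future-architect/vuls/oval.sqlite3`, apparently pasted from local help output. It publishes a local user name and directory layout and will not match any reader's system. Use the placeholder the synopsis hunk already uses, `/path/to/oval.sqlite3`, and reword `For get oval detail from oval.sqlite3` while touching the line.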
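Review bot: The `-ovaldb-url` example added in the `@@ -1579,13 +1559,31 @@` hunk points at the wrong service. The server is started with `goval-dictionary server -bind=192.168.10.1 -port=1324`, but the report command uses `-ovaldb-url=http://192.168.0.1:1323`, which is a different address and the go-cve-dictionary port from the section above. A reader who copies it will query the CVE dictionary for OVAL data or get a connection failure. Suggest `-ovaldb-url=http://192.168.10.1:1324`, and fix the same address mismatch in the `-cvedb-url=http://192.168.0.1:1323` line this hunk also edits.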
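Review bot: The new `-deep` help string in commands/scan.go misspells "target" as `tareget`, and the sentence is still hard to parse (`Since analysis of changelog, issue commands requiring sudo, but it may be slower and high load`). This text is what users see in the CLI help when deciding whether to allow sudo on scanned hosts, so it should state the trade-off plainly, for example: "Deep scan mode. Improves accuracy and detail by analyzing changelogs. Issues commands that require sudo, and may be slower and put more load on the target server."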
diff --git a/img/vuls-abstract.png b/img/vuls-abstract.png new file mode 100644 index 0000000000000000000000000000000000000000..ab8df8a4c540500c2c9466959c7ff444462618d4 GIT binary patch literal 125909
zPZnzgf@ERYGK?0HaJ#7qfCPA;DJYhpy*&DV!B!tHS*O$NU*O|Ph+E6q(%CL{qNe&l z+2IJ&g$$#EGK)>=)yfX9!fE7dQDWd$k#T=RdUIf zw`Ehe%2qDK*Dgd>&%~6g##VHa=(w;Hyr^q0*Fk2!^%eWkzntwRDuO$?0@wDsv%)sA z9t{UMWF>QbaJo*00@uS{@eleJopqiJwT?t|tlsqo+=ikQZ+2N$PI&Aohb_C=K%_RUnD345oZIO)zmTnt$6f5G6+zawxH&Y#l+Dn=x-qSw1xfTK< z%(p>dggHraWC|iDHyRgT313nFd<>YLgJ<_A^MQsjsgANIj z)!U~j#+n>_wWA^}m@*l^t=%VWohPaqY6jISq%`zP zQgXGZk0{>mdlP{+nKPXh-TD+qJ~@LNGJ|Ss(Hm}NJ=! z%Qn1_@kaeRdWWbk2OqG15&!=4EFt>!{eP<;nMF{m>AU~OZNGn{+P46l(d*RN#pNS2 z^V!8k(61yuHZ~OEx^g@S|XGE&AsZ&3;aBh$5dG7ka;O{VvomYXRhX00H=t1G!Kg(ysNZd3P zz07Ing6+r8#Z@Rc`Q8KlkfB3Ox*K0o4W=!K7VkUb`)R6$Y95Z5^t${uKLmdfouTPr z=5A`VNJe1D^phj@^G03I;>YaJRHwig`_qtB^ho+KjdmSx+$NgAHkRHV(S!?r4_cOI zRJOg3t8(LG;goRK6o1o#U@;uk(QjMmtfE3jbxOwIB4udVh@WIdm;c~C+Ro^=(N2OB z-+=n`&8re*shJ?xpLR0@viL9mqGnHxwDJ(c7Gs$VgOPa~^bbXY&I_$DUZk@`q4JEh zE6)yZP?1(UyxsxD<#o1pbo^IUQ*&W)kuF(yt_7C_?ZrStWAEa?>uIi>N;;ly`UZiH z&_aPTIJ>t-SjR739rB^tKB<3_s#YmcgISg-wYLk#I&%VVAOIF|wPr&2>6PR53i-IV z`wlA=hf&au;vseYqsaUHN|7vCAL74x zJpu}n=b4!s)!A^51=K&!qV5BF!e43w7*M)w#<_7?&Rb{zv`aQ`@*OH^K$An)*Ay~} zqxzB@EQuMeZ`6}jhefGg=08oTvq$WrcN!(fy9C5^CV#$^1h3JOTNct4_Qe`rWa&8N zezA&G7^TsB@i}?%X7q3C8HL`S zq{UTEPP)}|1vaxl-R2_Yq(Qf(@II1|k>bHVvNLLFD&h%0Ji;3lD1#RfIH00W%$`;I z(SduU`)DHRYI7T}Kj#$d-$C9;{Z zcEJ-lmm@!SGNdo!l$tSmbWY89V0{Z9btizfb{N3-_~`WY9Z=hVI#XUgWZGzpPEBRi zgF8Gmb~4h|rpJl|o;wP~4w{>rS5{W`_xG=_uUChLR+}BrBl9txUwA=JeL$HM=&#r2 zyYY5n^5s)}(3{&}J9AmD4%d3n`@z|=TTtkt8iVc+=nlh7&Z9H0jV^}+#4@A^(9TpE z$3NDfSK_I1D)7qOD86luup8Q(+t#k6Iuo$jlm3)^ReUo?`cd}@^!i+KCa>ibjEWSC z2p{-(r|@fW(|fj`8RLSjGwe+i9d#lb2fPwS0-b(|vBasny0O35*z2HZ%1%DMGI#(%G|InUP8S>IS(WFE)W>) z^Km#~cSpI7PT{{K+GGR_w;)<~q7QIp0!%I;*`l7neZ zUVSQob?%FEo`31+9S)HHwxt2l``>E*PhM)yPIp|L^oK1hEVS|QiRE8T7q}T1kmk8L zIkBqisi|=wK&BCYtA_od6@_Mn!l9HUz*uG!L~J&JZX<>NZ3(WR)WO%vV>RReT~4yt ziF1i=e*yEyjly?IMSzL`Vc;IxELw>ml&?!M{RK?qjHdw$Ck{DsMyD#B=xzAsm- z(4q$m@`Oz@aMJ*aBRHowXk-ZfFhPkZNhBRgztX`Rm4q(^8U7bl9<_SdA{$EHwzE4z z{U(pYyTc&SmO99B%her0<){qwI;H{@1$#}#J&m!oks+Z|=ZMUY_k(D0D!~a+H7{f? 
zBrQTQ6~;DVK{4AO9F!n|`fV`TKF^txL_-LBMC(*Au@~H7HIZIvV*LiXAhT7> zh7#&x=DmAeFTAfuaHIJ!hwgQ$*J^pl1<1=tcD zVG_y2lUQs9WZGMkqikj-uYb(Mev58^)cu%=BamIxDWOkvZ}Obj`pbmhKkmtA&bokL zR83}y*>{ByvnC3<_$2=o^5v0o^vhL+F%Q4PJ% z&r&6QEW6KjKnwxgxVk>i*^+Dh&k@oa$vU$ncJ!wfDC_tHE=@4ZNa-W70~L z5=tLIV=@L(rX1!7QU+*40hQS=t zjY0-MPqnn8?`*}&i&2K9ie2X!30ZVyPG{%m*ytm&?OHXm$bNenjWS9z*#UQFU0e>X zitTO03GVDOMX>!@6)a3e?mB+9A4_EEoL5Z~XoX~E(rC{n?Jtcvjj6MBtTGMl(xaFO z93`+1B~r3)nAfZ^T4ZRvlRb<0+vtn(Mj3g5+>;efUU4Bb=dU7d%03JYO1wKyo+hqj zjZ`=Jwk%a8A4MHKEjyfNwl&bzmHq zCk#>fUs96m>s%g9#keoma)BNm7UJTCGW5q6Cw8`u!DI5fL$$j%jPm1^<9aI@G>PDt zA{qh+BO;_s>k>)jLs>N%3auaP!#-}ETqPreUF8Y!NqZ>iFJx9J5GRleCl^Hy>+kLs zZuJi-0+?ptLh#pQt-@jH0{~1$Liq0*#OXMtz`pylMLyRBKh6Y{txqrdhJ`>6h@r{M z1xLUp_H0Z+9uLfFT*k{NPN!@97R>Gos5gqcmlI|30y*#fda-A_?@0Yl0a6#-9DE&x zHVff*-3GZ2C0ibXfI1U{mu6GcG5DNt$1TiTh;#59aN?klQRg`!4Cj;4=M}h}EEgT% z}wM+G%G4V5s1wJL!lx@s-YV$h?{+*W{ON3nh8q|3>L+t#Vh-PILa*2a) zCY7u$BG`GPeMd9>Y*R#ZjvZHTp=PZ)IA_`nXFFGiqPKJM>>+3R9Te5~wL zktBq>rzfU6K(|N7oxcYPk!W&La#a{VquaxrD@ifXcX4-p;eGiMNwT`KWZsIFikAE} z1NHne&7n*l$Y6;aXK^)>`!GMS7)}NDZLlMLVXtG4v6qtc@X?p6Dl9D&8l8^YH9k1n zI^5e8zlxNPVcy5_@N_r6t;#B;V-XRrh5c&lWTdQSHyiv*l#X2MA4plwUB+HcUtg6Z zdh)9a=6{>}1_@%%EdWq91Oz&Os=w#&W9w`%P++LPE;TkJ*_oM{0B30E5wrzT%pd9w z1;u76hw#c%lw%8%gR(XC(IHhp=p_dI1Z9uxK;7r4PD44v-0A~C6-f$=fXqd~Kne!| z{k`aZ@7pjtFor&U{1>z#rH{tPu|E+z_E)rNL`%XaI6UryWf)Ta1P~b{$wvn&Ok4Mj4thBQE|VatQC5RY>PW8r^hW<$3zz+Ps_mk)bQeEtX2=%{1G@+~6|0aa-BWNJf6 z_9$|)S`j+&&D1d=IjML^@s2nJ4lUYU9jJrVJz$wxGZbLRQk2>{XMXy#nt zm~U|B@_G-tpMvhLKK6Za%@dUmY5qC0nJe}P4tv|u3M{sujuF)kp*H^^l)bbppme$v zxzokz;Bz6g+f~|0qmyDj>UZHVzM7Jn@-E%Joxc*d^MltV%ZrcP#bcB7pi4%1)64&y zZ~G1K@{kyiy0!8t1x`tEFDjJpa+#%3%9Z3<0##wjDlfVP8EYUx(+bmt*NI3b^Mz;JGGVtu7bft zmzaFiAVu42Mq~Cyio;M(is_ckSNu;Rg>%%_RL1skmpiQ8A%zfl1T1f&*sm@0BxDs7 zjbVilY&ara)w(6;UWjPH$gKcR3hcF0j+UFTJ^?JY7`!&ooai}CZ>x-n_2&-6Z5Va| z{<&!emCs;NQ7|u3Z5edd&Pr|fv+sZ=ufS;})c)tOp1Y}zv`C^>LP?4cDf>4InLmug zc^A;)f6yV|WFrn+^x?S^8tx2guC!rIVmO@ak^>)VO-}cCB?U(FV-a_%&)i2g>8@fG 
zv^M5RZ#J_ZkU|&Nc)o0M7|wtEXhXWkgH~tz#39#VhP?XPa9qy5_ms2t>N#=YL|x7P zJ!qKz2=}JS>LaW&KXTBH&QnWp)ZKOy9d?FuaCauuyTYXSSYvx8VU_n;6b;N_t}&ju z9D{?kU7SK3*qydrHR~mNeL&Dae4Pa95XXpNGS&1#zUg0n+7|_f(`vIMvz3k&xNx|? zGdud?`h?{%3Wl_`Sx(lrIAo;k420tMdtuy|8@GX)_xI5QJ5*Ii3+hhVUoDkBtv3aw zlExCG5<2bKJM36WqdU7Ixw@FO!qdQ6;jpQ>s@A3(y197dq@`*1!uzI(bI6tKA064) z+V=0cFr18iB*T%%XN=12$`&~Ky{D$<;gg!fpz6d3 zj@<4F`(sk>?O{=;lew-6@&!b^jG*4hO}qfYV*Mon)l z8|tc!?ON8$^D$v&8qqr6T;=gEX)P`=;JNO!63&QQysM7LSB~kw7<@mMs7D{|pMJTt zIV&uU3zy{hYARl}ewrnwp9N(gb8empKg#@@nU*Sr>hF&u^MMmBpo|6|&U#Q8_B()V znx3A%0`lPi32C74n~r@6&3fWr>AE{gqJ)|Y5znoOu!e8q-@JYyW3w^>5d^H)0slBU zks)Rxeeo+Qd|n0NY`t&>?@A`xyS2@$tk|p7&RiF|1XpN4&4VUcvM#boBX%4qZ`s}x zAl!@I%+28#y94(;PADlaclTaBYYBq&VwTs}S4f$S2V6{eq3Cw+CNk)DN_rz~M-xk* z@}QBCpPE-xM1`Z2zwstv)|W!1kLetpOGt#W-W{b2A^7}q%QFH$dbR=%IYVkpfMzlv zsf%is3ftA#q76z#)*=KB0D=8Ljgjq;E(!US`9y2yN9!FcJ{6hVp^)U2Mt#91zigA< zyvpr{PUDp-X#QhjU>a1V1^Bh1!=C>0xTp z=Kc%soC7gyNp`Dv-bYelnU2<|mx4+!airt|qsRy1cV)PnJ58)zCojVj@+0#T!VxpcKY>75Iy%@IZpp5RC?>k+yYRL18Ezeg4x)910ss1Yg zSPSJ2pfB&b9##MSV*)~*P*GDev$FEq9ZA^TH4nDg3KR+NX=>n_&$T=<^;kZ=&Jp+f z`t=(g{x@{^LtGfh`ZsJQ)}Y))qsmVl=dy85Sa?m*5y6>unX9Y(?cw3lL)3}W2?^V8 zAyYNyL(Nk|HE(hGR~hx!DUC%eQZlCz??`Vh2iM?303sM39u8Cs1zRS_z(53njs1OX zaS=WORJgjjIy?`1=woe-(2cTW72xYjLKiVj}@_wQT`rJNiUK`S1pg1Efc7A(Uu+K z_C(Qjjw6y;@JtiJA9m1RI!&|XDU>A)OnQdsUCn@Q|FEZ8$PFIOdBZVA>~EiLoe^M> zlVp?0dK4RSw=2|@0%X5m+NYgsooQ*-z&!#z=--dSyxmi3PfW&$q%-Wpfxq>Pc9o2F zc1Y0==|0P0V%>FNHpbR6?~pBK_FF4-dkbkTKNWL~>G`<7;?3?&oyM+LTXo+;K7@=C zmU~X&RMZxl}`pCfgfj?n12d98%d7|&MXhU{=hyTvwjzDw=?@$^x&o6>D zEX0JRCy?Q0^8LJ}lbw0@-m4kRQ)w1DJ}oSGG&kq1ccNnBlHFitW$3G{c2{JszOuL~ zQFjx#jc&8TKRyP9nukK}`;hnV-#;MWLm{;^Hp)v zC=Wa{ESd?6xO1bN*2vd?ee85pl$m6F)9AS_?*%`x$p1_G)FHb~qdiCJ{Sl;lSNc6S zi{4z$M^V1o?uWo+^f~4!As)7+_rO+th#?uHm%F_LDUXh1;iqzSrt|HqwzkK%<;P_o z*tWssg4Vg#t;?;%>%@|jlKQcFCQUr~UL=H@QV9Lt-kvshwPw`LZJirQ~(dC1Gj1y=6M^W(8b{RepXpOy)kKG!65 zbWMA_W~|6*a2}?&eJRt3BL=FOD8D51X?(le3^+JHXa6LKBFf3Omisf=^vGE8#^aYu 
z16MuQjIc|Z45gB?6055`B^rcrB+N{IT3Z+U;pyZxwK`iy?dHkdSdEGV=UI zaBAv;&Ua-ylOi*RXlhg;=!WZ`NS6v}W@8nIpOrO!cn8c04Tk27kBI@0Bp@kheySL_ zU;yX{7cSM-oo@wD`J|-aq6eWK;M{Ze=3E$qM@EtpxANN79oK> z8OL_rkCtzyOINnCSVGw7`-2os+sez(m<-iEaGKoNGo{eIV^>U29 zup38cn7OTB4x#d03GV}+H>?j40Z|s8n-n$HR1{hCUzT`z>gvgA+~j2az|V#zhTRmo z=a#t%=?iN!OA!5Gyj?3?^Icra%rv4>+R{AI_Zx2s`h+lTVa`t&xp>m9A5=R>xX-zH zWQO29(AxbvfWQ7CXd|KgX*pW#uE?;>WiZ2BP1SG#vZAeTkY$jTt(JyMINTaIz{bL& zOPge?%7Ito=*DLu?ye9e7k zzS%8zygIChIt0+seSM!r&4c$dGBRX6fW{t2|DbYlAKs3) z5#;uM<%;i~_7AdC%J0Z^z;u^K?7m6fcdxpS4B=^-llX&G6L4i1df^poZm zw0qRc9n)FsB=X}?0_`gjxRU8vD2B4&NYjIhgU#7ljvxh#JrpEHtwr?{(o;!KnlD}S z3oM!kHQ8OxkN#q|V(M~@$w^$x5w<6mR$`y{e2$8OfXl?8On{x42_kC`eeS5zA4`r% z9Ad0=UN%TABILW*5VaYJ(px09^!w{YPk=59b_y<}S|2 zo)fTeezg@*C{XzeOca#+MOsyHLCw;*pQ$s(&R%A1eXb-o-*VCTcA&Ff$pCNy`T&#d5c|G-IaFG$o)Ru)l(3&h#W9)*~lmWIIG+jmLhWN*KF z*$IB13H=-y&CGdkkfd(g`dsB96t76o0saZ7LdsR@9FAx7e zEw9bn-|!eH3?#$agqE!&TqtV!g0jQ78s_m7jF8bD}}e@kPC2=+jY=S~WH%vps<@ z{ND!u)L9Qp($1RwSF+BdZn@d2vN~JQ%ZsOe$2Lw35h+B>Bu0BpOJ6f41!XZek-%=cOd&KV@Z7TCEF+&#K ziP6Yusa+JtTKc`rDklJ~hPnz${*=!jYMk;dnp{4xujVsMd2@N8=n#TJNDTYQHKY}a zDBG192rhfs42eqBX%ZMHm+%krQv?kPWRkQdJzrfoA;NAbU>*?5SNk%m@W5kxt1j(% zs9MqX@4g}V2kp*zA-$7q%o*g{*ZRS5zEVtR*pzD#N$pOa*1*sr1&3#TXi?l|?BwBD zqJgpwjZ&LA8u?A%UJE_FejfFh{HMn-Gcz?h5o|X@U7!ZC_8^g%k7qI(vD)V#j6|^# zv09(y&yU&KUnm(`2#3O?OPXZDaAvAzHr+9;3y^aI>#l8Lli^FbHy8SRiDXFOniDQ3 z9YIj|qfFP92s(@uo#%AR=HPF}S*E)4s4n8MLnxE&2Q;(vpc$lgCtmCxfu3I*D+j$!C2k1Q4a;|0c(Pz(M!RRgV zez8ZY>n`O&&nc|?ZPPR8sqi9$tGhh{yPwLJ`dY{3svt34sw73rDNUNX=x)R0=iz-H zV(yRcC;JOLRj1bv#Ri2lB!+cd%Y92T+?4EHO-5KmN#@q3CdT&rm>9bAE8iw-(`AZV zT3P_cWn*Jwe!hvhIn0)~w|8q{A+!U#f}&z|b@d>Kh|DejW_OpmQ*vVlXp={oU=943 z1jqG*pK|2X!?HGM8Eq5R#DjB^OEGAOB)*s1_|J1Llw8^F--oo^5LxHnta%dTsLd4c z-M_!?;Z8bc9p|*kTgwGX4x641-*3chzHa;c3?t4SiGIJss>k@F=#Nmr^6PI^C4Ba0 zz)y65fwQ(#H%uAV>KnjJOI-lCu*Z{cTH{eFGnja||sjW`}N$ZiEtWl`zPrJoxzEY`4 zX|nk)`P@^@I8GI@m1nqa0qe8vF(bc@%56Yvk)u~pE7xoNK$uG&HQ9G=u!&RG6VM9= zhYaN%Zy|o6HIRr$c(pp!C 
z8CG+0aRD#P!paI?1V;oX5nc=Luc4}{3Mx!MhVQH{FSh~0W%Ir>FTjZw%g5M213Fc$ zK(iy~d7ZAof?~G?&>;WhvXCrB=dlYG{GcIe+k^~GT{kRaI0%rVL-H^g{9-a{3!|<589^; z4`2N6V1KIJ?1cU~Ji}S=vOB^GyC3r5$xTm$0g(k68gRQN80mB;j#psD9yUxonc zr`K`H1#mv48Jh|#!u8+YW-O>dQ%3?bwXwM<*9ChT$L~ zMwcz2)HJ#I+=ugg0$zzm^uiHbjy*2i^S*QUAb9MG(M7#(TGdD)q4gG6>$0Xso=P$2 z-*B@5N2Rq{Gd+$f>P)t0_KcOxfA%e{@b{@Ls1wS~0eB-%A7S3{!*777^=WxN?pTu2 z4`Y(v^4SAjCEGfksiYwnd-R*cb%8d&&WRzf=g~3Emq-=Z7uPU-7KbBiOT=p(N=;1@ zPcjjaADGsrwooFkAP5Mt7cP^>=?##7JtjLtF$(*;jW~QcWd+~qEtuDtyQc&9mGC%& zGMbX^l8Lp@j!0tSB31oLDT0R#c*)p<;b82~2rJ~3PuW*R(zk`O$#~l?UavNVx!UCH zzKR~wVT8hn35Wbppa{iAFtl}6 zu)z0;G$GAV(en~D)}A~IlvC32tetT7I$);zGz9Voe;0xtaMWJ@lC?HYBp^!YCLpI^ zt7+E*gGM^X2bbsn)W26yAw{qO;ef$DU-QfRRfRVRhuroYAu0d|!HR^TZ!9pEK zG|=~Y6drNV{o!;p#zQ*tjJoGly&+Y?sa+O zM!=XsL0QS*4lO3RU`-(-WM)TUfYGae82;r{I=4m~gc=a+9s=|&0EPumT1v+nhE38C z^<=?`ztHI`kqNJ<5pR?t@(qZG%8rvN`6jb8H^;&Tj%bJpLJi$*uYL0Mf9zEIrjuQr+&Sg(? zT(S%eHy|}9U!v}i1slX9=i{`P5^D!JV_0K>;Nk${C zi0;k*N)4!p0^ZgSz#qVu&wkMgln8km@9;~f#HaETG6+$Ku9tN^*8W#>gR}nmdDWGL zjm=ETBV$|Uu9Er!i3aNGI10Sc@?Z^tc3tR!*Y7OcI8KSx(UZ7Ij1lqVh>-}2=Cn)Y zlYczPsIe=SLw4Xt(RM>Z0yUO|+QuB$MP}&e4-SxAZ$cl_*G?Nx-66q_0TJ6}#U(@RHYv(Ko1f1^Hg%80M zLrrs>L%$w^-Qy(;XXn04tuRG6@y6{xa*vAA%uH0fU9$ z2qOj)VysM|je$_AS>1klQmU%txRd(RRtcdBWhC?GpeZ7wsw*$;!taL|ef-?suZgy= zCnaFaI>ZSVmn?py7dmf#CiTA|YPhrRixf3MzFr zaL?A#iU1K2!5#zkpkPpTQqsV|jZ?B1Ec_wOisFd9N+T-k7(7uLdN9^#HdNz&98a*# z<{^s2j|}1qQLJnE5YrH8OzVCz2%$g}h(B@kTL=Wz1`2|R5dDjoA0!SxWML-0;e7&N z@r>0lPI0y%Ok%J!z-4M$-_ayk>KVZ#kXMny3F9ZX1)iu`&KMBi?Am#Zg|fa&Yg1ZU z4hbqR1m2N?8uuM#(g-u1uf#?PI;p}p4%gyOC;6Jx(kT9z*)x8ixDcuK&E;Q3%tBI+ z?XFH+g&T4D<5g4o4|op;k|nWg%z&=Q_8*}|#X<8J-~BR?4c(?gm!g=+F_hOpD@wI4 zipn{vb$`<;O%?ps@b>fc z(EQVJ`^92$NojBG*~H7J#N6o%wy3fk9mn-2s6uF)4Rs;4t^qnUHzZ`==RrwaF(pKv z!r)OB(`UFRA8%jIIi3kuR!w?yLCn;13*~$2M8PwrqZEEC_ZlMN5;isefq;8|Dc2x)672Oo^c%qrjE%43jeC)l@|Ja2u9-_tBiReAg zsVTqSc1{j;Ou`^D`I4Ys$Ew}0!HE{9!tFDGy3$e4ueO0Xl zCR`dluku8%@>R(0?Y`)Nyob>DVl*MB>NrTQGFSAF3WEV5R2}L=iYUSd41dH>8K@6> 
z2JBQAEZ7M9@j{yRB?H(|mS9e{8fj5$d)?;jt_E_d_9i3Mg(Xa~+^1J`y)41kyuom> zcgNX%rkcwJ)^5%Q8gZ+<-KLXnD7kKH=h)Ljyrc}+S8!qe6rKi@n_9MzG4~gT@i?Jp z_TX?N2)8dl({27E%8;z2q$CHV)~CPx{7vjl)XK-jh3mE*T)J9PQqtewe|mb_*(u1K zX`reKyplPWf?}n&A7HWcXlk(-i?0Q~_k&3k9?I7~ikev(|Ni;^nEI-)sK4*)8Ctre zLq)nS!`4)(_k$Z6qGCZS?u#k$mpb=zJIXgpR=zT!WeAr z3$~z^T;K4tV=~AD;2l(_&zdw+1IeF#)42%QWTUN-G_!kay^&8S7wA;%kggs818NP> zWYxR#PQMjNAIe<-o=0ZM`&*q+xbPm+M;fI2I!H_?Uw%-=9qYmc-L1{i{b(U-Wpit1 znE^~33=^gXC0o_jK2kjmWNpgPB-h1IZaQ30Z%}n{fEyFidxwE;Tj37748D`0VwQTM zlpj)oIaraLoH9%ys@k!E=HdJ2rO$S=#3$3s2dnGfuTf{dvP2;h!TXPk8ExC21(i2uRIOOu?k=H#M{3-ec@kn{OqDmpS*PW zNi!yn5#Mzr$}WJS!LH#Nd`+OZ4Io)drM0|*oL{O1kby!f7Q~#T%+qj{aO+Lj{%HPS zRPVK-&wVOf+QVw&YJ)TX3L$HLlT7{%0uIV21h{O7v?@FotTv3`_rus&xLOz@+!_;< zr~d7$()1EtZ~3w?8676^)ZZ$v()}0r$jKHH7nU#Juy@z7kyd%Q>YeCA zHGL(voT|0axyocaiboYt&@t4@_qxUx7SJv;($g7n!@kpUfn5CkUozpiD3AdpSea?Z z{ZF>aR+iKn3}H7)`1rTm6?hfScNEUrTHJ5!&Anw0B8UW|=Nhp~uje-#S+hCF;vK3K zb|f*h@o4(5iw9JtR{ukECND_3_Yxt;2$b_L313!7(l~JWu!DfJS6h)~?}AiEMTTr) z==-D~KF0byBUiP^l+K097U*M;6rEe0Li*rqDWyhGCvT?r3TM@Zz^RYOsoGdmVT2z+ zJ<9Snfl1PESUX^@YS&|6l7ta582XhPOp-%v!ppFgsruuHlC>0lVj%W@yWQ{$+RS0( zW9|u-;6D-t6U;P>qr;-w6Cs%qGK>wes;TwOdtB;TEZa>=_ghTKjF0NA)dl4Q1pc&8 z(>au1aiGj2JzKnTMvggVT-}!0iho^i0crH?YC~6)6mfhzGM_ht3k87o+|B zzK}l#q9nj8P=hts*Sj4!9+dwxMxsYjl3Hq^X;#JeQv*fA%;3y5#e$f-I}tIdB+_9v z%z!?Xh`E@4WNn84MZ1}von3ta@8ECy`NIxi@z4>*^Y`l$Jam|&-snOh)5?;jkcRIO z&bEblE?xGLCUwGYH$&Lxvdm6PX$Kt>7V`n(jxOzigTrUvrhQ>m9^GN%`tn6%%(hfF z>u-tLLb@-?HxS(0WC%8x9UBE5?spiZN%qaG@RdjGGvO0Ax}WC=6V&YrLzMJ^3!G-8 z0tl!~0Q4b&EIQqYt+K5m*UI|E#GrG1w(hfaKvww^t{5I#j``|I+wO|-PM8XFqmxPUfQ)!gR*h(qZu=?hK}Jo2u<$R6`|3tsw`eu9>zMQR9q zIvk=Y2U-pe<&KsM1PyY;gvW#eV{j@0g(4XG9AvuNBf^wLa+6Jvuv0MZLO|^B9dLGm zAkBArHHBJ8e;$ESx3CHMD+wD`(YKE*&>!Q#xhcxE`iybVr5+>r3{=J*nGYV==~Un5 zj8#6c?t=1H%Ykx%EKn;2c^U{fU1Jqx_`a^k*}bm~-k8}Si&0XYwx{EcRk{{shv;2% zBfl%|5!;Bl+_gi@%%;zSU4NBU-%3;84 zD6Od@#$H9fI*&Rlc=&L**hob~;|2INy=A$3m4hsWv@yB9_;sl)qfC)FgWu&4)cCzX 
zS+=!@{PWv%jX$OYY!|n8k-H97Ry*M}PPeDI+8$25E|`oFhq8qpYN1(f1egR5F%)bK zO|gIE9kDLoczy@xlxLJHkz`B>md2;0zDran^-a*ASm3B1MJ;HnE@w}U?=_(bPT!3e z@;vDxeR(>1Y4g;1F?DxuRb@$}-?wv9;l=ZwE`b}C6nK7-hy`Z+>SML^l|MhrA zk=lez6sOvHItpbk9obU;B$=h=xx10&lVR!8n65#kwQGBI$q{R5iC=l|lo~rxOn3A*A0Syi~c}Rvp#+aB~X_ zPJVHg6aDg4Ci!C9Czh-?pb}O*mA&BH2 zo`si}H$wa!;QG1cl#3}y2oD?o0AXdhGX7lOW@7w2_4Nij2do;9%Pql)$yEZvgj0ZX ze7C{gX466m3WgKN!vv*4q9hc=BGoZD-j4xePA5V^fGzlaI^;VForx&aBL&R;&YM~O zs!z|}w&Hvl*;e@yE7Dek7rn-$7fAa7(?|M`?AM4-+`jqT?H_VDi@<^=DDN!I;gE%b zT}6~&IzZR>uP6==1n=-N7ZVHJ>QVt>1ta6{{N}(ySJq#Kh8C!^V)98L_ZLm(J1LCc66AHF_$>Ap)8R(n37)N1&GiGh(YWSscvbwTOhmc8@0iE_iX zjAU(OVRq&vG3|&;>ygjJOCfHrPd~ii9FPDNE?$l|_4&m4yg44;%gRg3rn@dTs||O1 z-t>KoX17sYQ^zE#SK#*w32EhpEN~7U1+Dm#A>*CDCb!*_fBUBdA0B7ToR*e~0KoJq zJ?l5~647d)3#L-_x7VNUg7VTV@daDFWh% zM_|}vGSo3cz8u>~hI1>WDgLrYmYS6)ZDC_m0>Hn3$xKinU?dqG8HtXGSy5U#i7rPQ zKiFf+K5wn9sfo0!4~&G@*N>baSY`-91z1$?MW~$=)AM{kTk1E=VjamUY+-y3f6TRK zgzR|r{nh5$?Wge9=cKrB!UNuH=07{+eiPpd!TxRdN6gFBp7uZ4H9s74G$;|clfsdE z2X(>*JzrJtjlU-u|FeiLVVBh!gPku|Fa*}sQPtTeK9o57kv8$ioqW!DtHjXNHBmJ) z=0{6)Fx6&NxVAh&yjqXrg&Wo@w7uhF&D0M3iSvC`USX{o($r0vI=34BV)yf&=6IZH zoVSo^7B_tRG=7oQdclyJ7O&>0C^_|4aMPaU(9dbwAf z4S9*?bBuJ;SXs{E=ioub7N*jo4p*^9Q>U}S?~coj^eKG3G`~C(uvsj-Qtqw0Gu0gb z1n)b0EJ;0t{T2R_3Izt~EceaVVLubG6_$C7LQRW!`Jr)Eqd9$`n>SOp{+yS1WmO(2 z{K?{1QLmp)>ETH!gQoCb0QIH#Iu@j2XyK|b%z(EB0P}Fxbbtvu#y;EtnsND^Zyx|- zljab^bl&5F#qy2aBF+Ldn;qW&SO*DeeMGFeM3Puq9gETU0D&hk%NjwG6ZPBU9208X zfF2LZ%>WPMBY`Mv_iT$Jt(B+1p6w4}!q{GZ9$>Gl5K5A?`H%dmC=0=fdspYJe^%S; zK;;RgaO!mUs(b1zw44#?SsLGClM+ju)ul39l>8W>lJ63S<7+1}9`&Uu@bOCSwwLtC z$UX@!8SqjqVq6iTG&A}6xru0Eva<4UXC1G<$49lO*$bnWv9aWs3lhI5#1TCFV{O@5 z=bo;UPFqOL_t5fP5Lz;*smLS6O19v?2@!Q#-`q?XN-Mkn%2mckovfrJ_cL8r_mGLn zt^J|lXu)6Z@t6@juAhL5M{sCwW~Qd8iP^4^?bM7bQ5iorkS350ylTrb%a5Lp%Js`w z(+!t@w$Ds1h%qGEfa(~ensI>>ik&ka+*Y&SCoUk+M_O6Ng$dPdnpNB|Sb&OQU_?c)}?VOQc`ER#3^#?IldO_hf5C*DI+viI_3BaIw zC!eTIY(Q_6L|`2R=gCJ0NFpSdL^Mt4rL;B8O+HZ&5d2+P5oW}%xz! 
z&S@vi+*RbLYk%$@9f=HO8{AFdkE?OgWqF5#-Y$HuG3U6-#|gS}JaVDA9s%h#_?94K~fHZ?$$P zwdAGyJuQOXyT2QckUpnL=hG(Z@bEc#76j-L3|`NJyJbk$d_Z|i2PySQkSe@;T-O$C zPvLzLxY+A&9}|PvF6BzW`>i>3#FuI~ zkR8dkA*#8$$9RgOUoz@^DrY=k*7#?9M1WsL{3X;4bbE5OY>&!U4Q7Ayu0FIJ_mtPV1{?M~s3M0oq`iVoZ`$QQ5 ze>ho(!9KB>sHn-mN>3XY%TC2qNk2R~*pla80BE{2?;#4%q@gXHJHF^;7A{ugINGhc zHNK;b5I#h*X7!^Fx$5m)joi)=s2@b#EJZX$WODtjq5e=H+{r78pvNXkXK&&KLp5E7 z#b~jzetFQ)2qE!**O%rpN=uBW&zehYm%7%`)-`N#xvOeWbkiK2O%Z3&Qk0iZ(n>IF zb2+{f7JRuii+Q?BwZg1?VW1!QN;NRJX;bB6Y2Jkq#6cWfcSpaYOj&`81Qp^j#7B&@f$ z7c}X*Ke4=w31do>#ep=|*H_Pd_DK7NdbxS=uTjY!rq1K{(jF8fAOi0Gep;!gF8w&g z{^$Yit5T`&SLB~toY!7a*U~W1(J(Nvu`@k^*natGwXXkWoKM z40gnWtgNhJ#)s$D6~V^+YK<7-=Ud?w-aPCah_ZF?jiK;-M;=ob3`m*9ssH zxIrZmpI`0YC%)p2P#CD;0+r*aiscfKkl1|r611`ycfP(E`6K_Qi@~D7{JdU)YVrJA zQ%QPw71^IZ_2$zbiG<8~1$H1UgxyP#E@mgWg2kVTfg=uD9Lh$WVzg!8gX7WC?quDz zsI398P;IqxvbIn7tna2n%s0#n+^^Pui#UsLzaYf=XEi# zFdDcU^?w!Jgscd^j0(KKW_W>7QLx%Ep@)-1F`(unk>PSJIDU zB<%2b?OjJ|vofC$-{^YnmyAO)cmufgKp?MRjGzN1w0e44oYa|V!57VU;jh{<7E#(X7Dr+jr3jAF>yWYWB z8?SF~TYejb{5jQCQ-e4946*W%aP8az#A^sJK%EGjF~}GUY)lf2f)EIFswLoDq@|@j z#1S}YD}kX;z3?vLK^Zf}he?ZP=r%zU^ z=T|CoXE`)kn{c#mWTa_VGVL3dQ>3FJE^&>SiTS<1y1iKrj3O1n&rzJHn-^l+i<3qh ztSa}8fMd_VBg>trAB&&ew4ER0e^pBR?~B6!(Ggfm-@St5KO-X#4-Xa`pXBt=$tloixw&~SbFueN6tFPrD;GuE9;6#+W4heL4W2BPN!_{HcidW zCJ=cMU#K%`gwhmSNp*y9lV^}h*01)6BQLvX>Dy#3>rC5-fW=LmGZwszd_Dnwm$Cgyx-%zr%?vK z3Fc3FInn$Rj+^=6UP|!d&>2SjwybbB9mgb#>gScQqM+FUK=Qb2l_9BdARxjoNrk-m zGo;|bn3}kTxG;P3h{g(c(7gvRlsW)R1hQR-HHD9V0H1{c2}m~b{gS$ntHl6WLG}XZ z7eQbyO#;O)9>BH_&CU`%#&KM5w~1tmCGHQ3OzEsxyX@ z_EPo4$977OD74#s@>yRT6a{15>P5mEq;#Wue=g znw~jB_0&k5hS2Pat^wC6N)F|_@kn@JLlYul#7FevuD8JeI%XKrYl;9nMYWHOK~5h* zf+D2=qM#JQOu#c67Z+DvLEi22$}jgZ3Wgxu5*D1;SVRfxn5k)?_mA-drLFXnaaM0K zs4%V106mAhR&OkvE`%CR95*fj8Csf}fUw=88g2~NiF!0}S*nxW*v&MKU_FJA;-Q(% z1x#ujMT7lyu^;)tT!ruvl=Fu*#n+1<$E;a*JM&Z%j&scW7#5gGxZhoRk{)#HOiDNg zW5mt*AMC0MzNZ;jepkN+0O6K=cDD9%qw;5{H;$+d*QhtwC>KAx=JfdIQv|ei_;uq2 z2Ur4Fo>iX1<^~^~0wR(Ru9pPX<8fDKH1RV1Ev*aMnroYzBzp+9`z^&oXb|89y}vc{ 
z-!FXCZ*g2(9e)Cw{2HfUi}vH%F_!9w(CX2)G7B`Sk{89t;|&Pt&}&&*ZI?Z)4{MaF zXOVV1UsVFaZNS#2DyZ;>S`_&R6AmrEU>|j7Z~9uk|HeM|BtiJdz+An8L?qcB=k&(?I+*BEiU+xoE45^_ zY-1t7fyA)B>V5Ir14Mu#2VLJt{TIKIWP4uo2@v|1MdKEO%EYW-o9$SCAseoG{Cy*# zrtE+i%<2P`wTLJ3jQuiuvOD=xJ~V|}4Zcg}t**peuL!a7D>+IOn@%w}CYRkFM2{f; zKg9sHDr=fbSRDbf$r$Gq(L&`@(8IWU;BWuqr+x^QcO+#>Q%3IJS42InjJUKae+N`9Y094apm*p0Vh|yT8zM0C_4+6-@$RW?_d1j_^C8Q3@ zepMh0>j!`;1qTP04PGleLI}$dN%A(SU>N*V`dNsuyVvAt{APWwojN~onNTzMD}Q^8t>J}! z&Hc%}L|S{*r47UTee6kv2BVzb(apg-ms<;i!$6ooq>fb~p5+BP{j^{hhG51U!STIL zZUnLrf)5B}SefI^`IFzYtdVHs-5wDu$+SBnU;q67rVJr3BqEN3csOYr7Z&g&BF zq4Sn)egR~GC(`?10?BQBGysC)T;yb+VlYb4n^xD+?h$mpzRVKzuH~qGzk%C){b5N%JfU*`72B5?OXPD?qHJ-!VRQUs;q5CBzKrslh zN(jS-5nE6rh_f&=2k~#iV^BJJq{qjrX=orWGN};WmcjD_tWhgV%Q%@IV#t`E7izYu z8m{YYXY>v9xyFf6zy6k19Jbyk?h(0T0qZhk7oWsi{8g+XdEa<{2W~}=xoUoR9 zQ$=#F)o^18+BC_Bvf{LiAX>lqSVp=^wYpsnBH1O&!M-&#g-D*-7=jWx;=Cah}bKX}b2|RN)&C5o*PD2Un;le9p&R&ris9 z`W+OniC>v7&d!FGjdo6+5**QdlVplCu(!7t5dkY-?e5Zfu}L(e1Jtu(d{oFqL%Ci( z7I_Qi?%_T^TBb@^loEE*%q7!?A@ zKb7xyw0|+j_KAE*hP7H|TVhH5r2lNEFucTi1b4Wj;cQTxM zz(=8-*kvT=0)(;^e=olQykh+>u$L#?qTIE$$kWr)F45)FQ=rc& zr|Tu_fe-Him|ie2bGPT0`%1o+*1h9|l*S=2{G7HBa>ua-H)Yz`eUg?A$3VqEM}38k zf-WsD&p<~P86F-M85#J}MP;(~y(+Zov?%m+H#9UQbYM3dp;Ssj{5N!WHV}>_NeT%K zG0K3NEC=8y6i!gZUJTo`1G0LfDFGMhhqPFg4`0DB^vg&SuJdnwJUF5S?d{~dca}_9 z(a~*-`raf8JEv=ujb8-X-tco0q32lHsmRO>;42O`#@P+ZFAO}EeFT7J4!?-a2p8$K;Y7bpI(#7wr!>}t0&v;cIYS`h4EP0wDg?vr{#;C5|b^5Kdh?=t| z8))aC^ZgaE_3e@SOArgIGWQhw*mnS5B|uc*608L{!iAtm#?Hj4%W1>+V)o92l^`g9 z^`O_-p8Sr{ssvL!-TX9abD7xI;`-}^w7WW6Hkgf|;H^;HL)utl}hG)N=y|H#cBD+G|-$zISQX(jw4cFQsWk zNSK_HlheFQMnFJ-L!26y^p>vFhV=VtLS(hmQcg{iRO(ELbcGrs-Bnxs4;_||I_0;? 
z4-j}7I4WQYL%TqF*5CQ&08IFMy~%dq{tSpS0(cdX zXeQ^Cyq^*25YU6Jf%iATD*$K%nl;d>0UYAkT_$L-q&6WNe#_g;*q_Mg;0i<{3CxuX z-JF0(fX9J^5c0~zAW|(CQw*X9Bj)P=D8mINDI$-^#xO^ROMBywRb-a?WK5BQ;3D9% z4o8PRV?_X=5(;jFAsgmm9_007-Tqutzv*P0+Ce&NDmT}R`FMzO1yT}OnRQwsJb+3G zYhMg9^3Pd)mhmMhI@mZ3gsQ4qz_BQ?yX{%Weh(=y)Oq zL*y?fjfd0NQmx8&k${@6w6s(#O#OQ+r#dPsDl}1vO!(JEKP5P`k~wsA4F~5eOr|-b z3jmuc#y@2w`hywA7&T0{mOj5j7=<75Ir+*B`3CXmbV~^$f?@QQf$qhBVWUXmoPuqS zX9R0IGdk1QuFKt*1p$_<$;v*C{6FCWiLqbd(6cn74lyrS_H22EN4ri_aLd|aDQB2xz*fdr{Wn_eyhHWrrqlJ+oG7d zqwMO@B7bbALc`Os?CE^ETe9PA;jeYQU;ma@H2+iCZpN#tgG!BUE9@matN6JBtP=~? z&q+;ZKfrl=x8Z~Le$Dy;7nGPVkKf??wcpkzuJK0FJ+I-Z$jO(0T}MJj?Ct9TF=q4m zdhJA$BVV8Jws}p@&HbAbikC)=F6kjI?jq0R;B2WVq@}GpH?_?3##0>DEXGj_?Kl@q zxV32(J!%OCQ2QpPOq4XFcH%Grw- zw<8f@z}nDqYjbl;OKqj4Lv5TZNs>2kaq;3*RVPyaWVE%xQFPSRloaRJ+h5|K*T zYTI~WGQ=u9;TM_#5S*xAabY$*OVgqfPJQ%t5|`fOqTg(r>&X5zrSI*Uw~^n=@~_$z z?GWpbaP+wJL#KI4B8YeL)5yQEh>_2m7pyb(!Vbz~k0oj;YD~1jGd;zW z`l3)bWIGnW#ej=C*YyiYze+N0U#pAfn;E}ixO*(2+szH7hLdG0$se@NLx>7r8MlXa zreauy-jCM=ead+Gmzw@XlB`#M@(^B2k@GbxJOE>_I{6>Mbn+xu2BvDgf=PLwL7gS@ z6*uGiV>7<>CI=P1Emi-S>9;V78D&;&2vO+k6f zs6E2}sLMMp>BY9SPT26wLu27|guMUx<{|UN@L^htvgBjdOqt=+74Hg#fb)1n>;V20 z_@J_iF?*V>WAb6s>FfXbB{e-VhrAWX_O33zId}bAyyF-YJxPx%U&m%qtCdquLX3aG zb!3%YekZ-<*=Bi_HYTL^(4F+9rC;fQm`G$%HW`HS^K zTpx@-9pvPE`fkAcU1gfmXo8ex_k6pKZ;NZ8aK=cftOZ-AY{RH(Qt&}Q_nc%H*2pT* zR_Of{CAhOZ?{~Rm-{5n4W<}{&hoqA!42(a1z({vd%F1uL?=?R|JGd7w&u2WT!BQId zD!bWn+t5sAOtK^V2)7Q3LSu1%3m2;<33lRSypBGF=;R?qPRw*xa{#4AIk4SE%a{xP@_JT>0 zrKA}ij#F{wTcvqeGGD|Z{yRJ%TbB#ApCyb@dauc{C7jWkKAX4PK(G6vgnjO|w6guq z=}~Ese>|M+PiOm{54Ma6zigKR^OfA5ZdUAPt4#1*7MdI{`V{ndKF{AT^^L6fy>!p4 ze0e-yz%cT8TAF9=c)Gk`6@GR(0@6sSAeWFh>~S!S`{0*$nMWy zNC(^Ay|y%157`Wqj-hF( z^g=)?`@wh(5g8DfI(nW?d~m^fKG&u;+|7#q?@;1leex6YH`KAkE#+e38{_>*?2)#= zZ7<^1Vq@y7Id-}mR*Q^9iTLK(vH!Sy!3|{i_48cIQwU{)-F%(rK?CItIZVh~f*|hr{o!aeVZgT=i=flW(vFlf}nK!hcnIp9S#`HJM_q#ezHH;Td2Y zK1-}VpS0J@lc>|0G# z?7T;BMQf2;DkoQlx`djQi&JoQaqqA8);g?Xz^Ar= 
z?x~OzBoi!a+#|}R@`bAR@-)1;Y8(CaYn^9`5(aTTue6`+?m2&f->5CLA&Ak9v$mb_ z-P$JnINY{Wq*QX>al*guWM{kJrwsQ~bLnq-=bw5S6-uC;VUW^q4beBf&1 zhH~Jgc=~%EoB-_dIX({H&8?I<cUTZD0c&+0Fj z$gIb*Jy~g8n%$Lm08z6tYIjBv;7eYhy_@6vT^+0VUhgTs|K?<+@nB+$(GdLhE^wlt zZ&z_p-ZH-{)jgfmMLn_2Pr3QFjo~--`SKa@zk3-7Ljojgx{SX@fJfTfPJ`?-pz$n= zu$vWpOfXYrnWyEhQR<=2KoE1q<#ywSadj=jugZrZRaxI}4t|EC0&L2Fh=67Rv`cVK zBw`fLf@Q68TDp{aCa!A*<&t z;?{*6iFb(i$<AO_#C|!Mg?C^3OWv#{fp|2;u3mWtR0RngN9pZ$99c)N7i1a&wtPIyq*JO z;&DnLzB}n1bA!I6EqFu zR17l=X=EAk3KCG`<-+4Yg%XblZ}#%KQbaX9R5M7UKD+Gq1hls{X7jl(PYS0{(;-G0 zdf0ER7c@!jc?ITLq%ApaB{3_p1W5lVop4kUuNO zGLGRXuxer;nCak))yc=syrveR=y3Aac=<&+MMMf*VJD>Vx73pCo_JB*N#bR*t)~5$ z;ix#TUmw!(Ap8h>lauqNoz*wFroGzNL}#cbVkI@z!T`T2AiR0!PWU6I`^loW7544O z*`o7Q2J$O(UL~+mbaN`&Y}>AjNik~l8kGopwktQ39N(ZPxh13Zu{ShU?Iq*LV;%jC z{fgfcK<})jgLInpD><}pnzX*Gf-Xe#05QzY>TI)IvW(hKJ?6S+vw8Fn4Ubp6sCrF) z7j9x=VkfP+^vx2rJEKOepGw>FF9NBDh3_^exk(#AbOKo}M^`#0*?l^8^Ok68K7U)s zzP&tA#3xN2W*HdkuU<{H0Z%UXnTi!Q@9jEnMnZ!R-tXViykUJ{=i}uUrbWd(uc6$s zl-T?m>!RtUO)g{WJ3$}jw|29n)OrXX`D}ZAIc@vbu=NP764}1F&ByUb&VZaywd%=V z99pNG+< z+UJa4rgM*+EZ5cJ&k1d_?_@=BsDFJY)A~*+HyDw-DFlui9s30R!8z$7w3m~B&=F#y zHP%d_-(bFMJxvA)-E(g%iJ&(~cFiCR4-IaL{hC|LC&+?B1kd_T1-{EzGo&_Ir} z9}&D9NkTOfM49Ca320suz9)#qLmfOrkcmHtbuo|rrNmFgM0)}DNyx(WTDQZHBaB+cN&Vd6%{w%UMQ`e?k{`B<5nn6eK&alneTyS&lF&f_VJyiul=m$t z8&mjf6ks&$qB9)q47zv=6&u3?yA1b1oHuGxcG_<}(V0Grm3>odutM1pfy?2feJ@Ez zheyZ#HpVo-f>tqA5-$N)=YtUCbMNLSf4l0Xg<|I&R>?@Rm*E$`hQ}@86+hlj`p7Ck;H{8?*9(6M@hJwOKe+6#X0Ar4mv`Y9AsowL%Va! 
zCkqwYow^TPhaH7YezlP`YBlHzJKRkt{+TYUYn4>x-EEWvMSc5rS(#{MIqmBtfpnn( zCMnZaePAFJm!$-OpdcA>5p|txMw_hVe6FpE=tA2m5(FQV9DrG;3a#)7Kf?dG_uJ`a z(lR+-D;b7BeJ2kL9b=lo=0+6DUzhR|M5QBU!#BP>{z~`nY(Y*It*~xeea8Zd%yH@X z`S1`B7V|@@(;r*|^|i_ttf$Hsp86f7GL!%l;j!Y{zCJ-Lf!0pzPj^$5zwXAGUUlGt zmMS}nm&VO{scW|3thIgEjqcfa?xyAAKTvt`%}Ds2r0IdU%u8zhFJ?9>2)%CD=h~cOSl)8U<$c_B(MN{K zJKpusPaWn&O)cnh3?)*-()_uY5`lel$c?chk*z_&huW$q|lUMcMwA8y8H=P~g zEO(r>Jz2lI@V9HrO+cnQM_}NV-#>d3#ATP`+YY51m5#}3YCT<{qj=NHK018I5%k<= zpGP7@2rC&=7^Przf&bZ}axd<06(yct-0kD1kvla)a*Q_Zq$`BS zN$T;xC)?atON)zhRf~aPbJy3`j9L|SH8p8GU*;o;ISH7wtNfn40L@T;4CTe$qd&6@ z@XbL>p?GO5#-0c@6}M;-LrBE@`B3nb?L_0sHhF7)Jf}PPhs#0QY&ZzAVC1vUE#b@E zbt`NaAy^tbROoa~!9QQ_eS>F52rdkWQ5ZqeuGGdTYkR4}YY00vyzMI&XmvUAnw_Jj zZnWMJ@`mockP2Xe=AV+Vl?DyM)S5oow*=VpV= zD$P1L)#J;^06pSb70MF#7Z4$~k=;6YQk;kD{NUQC7W-@pSQ$j{4rGh1zTdSlxYibF#~v()N-GEso`*nSLr zI#Xc)2|maQA0BXE2Tn*3zr=M!ez!&5D&vppx03c}&yk z2^48Ko<|mr*7|sI8~pKbp;DNQYxO+ad0W><2wj_aVBzYV+j`~8j`Bb}$RXz05B(1j z$?F#$kl^o$iTx9uxgWc#Ix+<{WqJA)>e9o*@55DbzPl95zp1496ox|esf(6*l@OlV z?EOft!<_l8ZWl9t5=j`e^ZA8^%5IPNn3SWR@`*$(288vLv<`Ny~X?C_aT%{H96{)FfjFr0}Z z<+c2i!fxCN1(+L`yR&}Q$)jIe-Prf1auw2f9Qgkf4Wrz)t~8r@i-|$^OuB>1wX4_H zx-R&VRYU2_-J&NvIB#9G~WLDj*#^(1ctweY@bsgma3Gt1A zHI^rSYyb0U2?kHP`{DKJxi@xt+t_c%kv?X~1j`P~4yRn`{JX5@-$1?$>VNNOp6G!7 z(f9DO*@Xk6Y3}aN9bCnSLz%qz2tDIlGa@{f>!BzhmvGQsHiCE0HvF=9Z*8g_O%ZODMyBQr<6$A4*N0P2%*DB;J#QDHCM{0TQg1k?(Y~vsLHTNeeMw>LnT% z`xP&H>-@}RhRn->@59QT@T!e}?c|d@ukYW5JhZ>%QZW>GH1bV8cQyJfQlKbwa9vWa z#1;wDE0^ZN-_q8<@{nc;5s>vgUpLl~kc7E4)CJPBAnylB=81%$^##Xv#^!WfNTdPx#y&x zKRh6`@<4*!w~PQ#G_TXl`JDn1m$(HGHrn zCYjHu56m|r_u)RpXTDm{1vvK`MJo9K`5Ndd13y*_^yG*N_;}1szUx~03O7dE`|w%? z_r0l`gakcXoo;!F3P5#Bypqw?t@sX7VjM1z4Z?@&1&?#)f79wQ+o>gN7=baeY33JDQe8l9m>|NaB#HM5;K;mYg_~$*U-! 
zcCcO=+v`P4c}R_H&Zcsf#^RVfvHF1^=(lUq=%0z1gZ86-nU9sVpM1nahR+TG2GF3T zPpHH54f)6WcnRUQ3Bp$pT-QY5evxAA539gi@d}(4PwyYhRQg{{Yw>#_rLSDX_roJ+ z?@iiITD33Tr!Es4X9;2FTZLtXBWsf#PBu~t8*@ zfyMm({X0p-y2sa%ph}Ct^Fr0MET!T>JnJ;V+nSmhARU5lZF8(hg`b$le0Gl)to+ftPeL08F_v_jXl=6 zkB3B@NGBkqDG<}sBfk$#vN4aBcg?gLXuVW13!PFbG&~$Q+W>Z@ggZKwbryD3_6z=N z;75e-^l#3&ED&|G)tj1uA$y3a@@wjX&787rP@#rKO0-KD;N?Tc;doS-XXqwkX&L%m z^=}C+d?^*|gP;;0vF^f+`yvbNSnPsXI93`6^9Z# zHPhWqd$qoPW%GZ!VIlrJaj|@DA<{tmI;jSy{g9Eddc)2?*J9WY?!yzx;!&6;3(pv; z6MkJGBsjrq2WlsvjJ_Q;tN_gg=#}-uQThlk1*x9*4TO@vPlQvbGV*(NE{^YAcFcO; zYea$o6_ub$vMf|ScP0V$K|t!ZFTA%2xqNTgKYlD!#Zplw$wkjZoNsgZQmxujljK zIq*=^J$PMsiNA6f(FF}9Ly0&0FC4C3td|lJI=)u6=x)AkmmYk8VG3mhaV<{l_`C-V z_}(0Cbo;OJ*n{#{n{4j^N#nsS@Gz*F&BC5K8i6s&{5F; zcmCq8=0UuId2`9GtCN(f?B3=S@R%CLnfCs&+Q}NA%V#(C{hg&gqkTSL_FF>5G1iLo zN63}315ha8KVtbh>a-s$ztg7W#>Y zuu2QH=cE#4W?@en@5h88SIQWNi4|#TXwj$a*K@RerP+=SQ-JD8A1QE3Z&T2rQEBa9 z6G_$6;-}_h=A+zquqiZjd+}eC&W)D* zQ1zRjhe4C8LdlqRw_}r~=JPxuUtuW66#zL*VJQi{Cn9dEiU%k0lf4w)MIDw=g@ZL0WBzK>i>ztE+C+B~&c#jruZgVc>OG8TjkIK})T}I=LKO7E zbW9KRo5X3NA}z_q&&e-lZOQPUDqxeeBQK1)5yOC7g+J_zVi^t%uF4M5zuY5+vP9L8 zneQ;F7=D&vP}UBBS=dn*XKUQk3u4xH;OLHU3z zFmjDGYk^_Efv_?WG-v%P+W0NxDCTWo>6(}IAyt&lT1B9dNF;tqA|227Gb3fPLAH)w zdS)&G$>XJz)n!}OBC5}Z067L5R6g*9GLG$=yP#hLSj>5fl%2SUoUTnD{{}iX`YBrW z;cMB-9^FC@_?A^ugP_J{Y{@pV|Ftj_ARx@$n-lC%Fd4?=eLjC9Ro0QcVg-^7>6I?{ zN~4%*rrq+P*7Er-@b2t*IZ*TpiJun~j|7KYfJ`!mf74ccB^1VP5z>8rZJoxVe=wZ~ zfRAsCa8}iwW4u&nJ*fw$tSIZ-oJ5VkO^?=KEI3>44ZQ|mYSt};6juU8&M}Sld+stO z>$&vM2lUFHkzsD4WK+mUi--+_B3T z)E0{0_10PXj{Le>^IidCrM$I%lboMi{8cW1BP%28$1N58wnP5AWL;tyRO2tXDC$kJ z!aV1D&d+%zaRExha%elhc^m&s(`(yk~6{ANMVF3~;9W89DXAB-w* z0=Y>}&hp0WShY=t)fPj7OJ8;ptWgve$u6<6uwJf4NW*>jxdd8ldFy(P=l_V9`QI9D z^cE=A{)=H?Z@AX))cZ}}kBO3`fo zM6C2?T929^)nw^Fn zg?oWo?keItPzx&>vEI`f__zH~&ins(ZyQMvO3%>-Uv!ZqFYdudu0u6~oC|?t?`hAF z-Vrkn%c<<;0&#d^(SfVV49>rLonC<>N_p?`@$7_yM3;V0{czM=4Kh50orQ~*;r1&x zM}JHQ!cqRF%{#2Oe_(}EQBnD?x#}tKGXGVZ9{R5M>OFiAWIOfE?wY6>C{pv55ys(kXloyHS-zry#A 
z|KNCU=MCBa^)eTIGZOt1WG+{{_oVW4);Cw~pV9HoLQdTS16GQ?_2}`Nm^^HJE%E2A z&ilZ3;7Zr77|Q)?jH4|vGGGDc!oqC!>gZ6+rIY6oPWCY1PC5QwHnu|%!b$h?_W0_% z@PFT#%{=He6)5Q~ZMBWR?v&!&KTdlR+<*Jz5zJa4r*zpq-QYLNlahhFLEK?#j{tA_kBgU;+hG zlPzY!d5Y+XONF&Ja&RcIZy~jHacI=(678s(ttA#q`+t3H!pHng;pn1$9^8JuC?-YB z@#}F70Bped5yZhcJw}iQ;E4phn5}iczddVIXqFTgt7~f3FP}w5prP5VaCshm&D!YF zf4)ItV~^n=l;9xDUJZ0Ic<=jG8nO$Iips$)GT*V8ott-avJ^xo_1~T8n;NO%zvV_uQPK3R&K8y*Bxhk{x^` zej?&}IU~cbCMe4(C33B1g0EX<;v_g! zyf<3^D>!!MndIy?wQ^siRx1IUuZkf7Ns}hjrA2w5u(0gLoY;Uoe^!?uUk%fLx3DWA zXSwHkDfRLzDGl>AKR8vkHS{@Se9Zh$!_m;OdZmk;AT_RX_f_^Y|6Rs2{{Jq}nGq<+ zB=%6jG$ecG0Qqo>(Wb_ntGz#_oI7l1Wf;uL$M-Oi!HGs9NVa{jzu#mrnTbiORIAPO zpkAd(OHFOR(rEp%lvf)2X#85!Lz2Vsc=jI9@o(HQZTQ_~=RIIe@Fa^AAn87PaM>-! zUm6n<5WKxyPXimcicEMioghFqQ#${i6;t5>WX~B#&Hr2_~ zo$vwLxhNH^d|3fMp4&AKsMCn_fWn%#Bq5V$N-kiFq|V&t6KQ2;m(i~rXX_2Vqb%8g zL8UpAg28V%nucmrWiUZ{7}8sNo#-vftLqARWEZ&S%=IgRy660VryMRni#-}fMr&zJ zvZoJ#aOgvsG-8FgOnPfuVL;*{H@5~I7DgFhdy+sR^zY_oj^9dy0Xszw*ek!iz7DAY zuXy%B!@R!u=}%{8a9YNH@jqQ|pat>j%@5iH=@lGS>vu>{pidz9*_oM{SzDLGSn+Z5 z@CXOIJd~@I6&4l(@lse!`&qZqM-M2&D1O)y* zFO5HE^I1`RD^EGF@K(x3mgsYyYV_M!s9Sz|lXdG2q1+f%KZw+I_DDbgBTzU%6SBTzu%JtS68b74K>qKMuyg5z;I#S z@0zWE|4BZfH-A8Gu9D8M2d36SI#U3@iK|A45RQ|~dlIBsF^`XruRx<#^yg?t02Em8 z+LqhY)YJ<^k1V?h=$EUD$p-|y0d4io@qZkRq5mzmD9@h)b~9csu51DKlNj>xq@*N) z_c|c$@DI`5J6JzQa*EBz<4DcbZh`9oVw1AF4l)%jhTCcSV zo>^~x*76{MHtPhA+lKvT)L!wtciSab3+V>zoCv0KK`*J1H%x(>$AZ@~O5lN=*g01{ z<#P!GSL`(&K?)M>p_UGq~5_eAh? 
zMe-ei?^k}}?{ir{#Ibkg=;FR|*nD`eLF5u+r=u1xx_&55*Yq0B8!e9DGpbH>Bt1=kL}^Zg9<<&zdZXFLSDK0;PpsWT;e_S#;Rpzofs%2Yf5`GJzvs+Ec{ z=A;RfoylejaX&mFzs}wK zZm?dwvn$&b4n5D&-Cbc&OL0LirZ_;=>8*%M=49^4#=Sf4mij*Z9pikIUjA>JngmPU zKEG~(-t>-sXb(j{k-lcptVY91T)K>ZAi;;by*k6SsD$iG_PxV*7Zh5BMjByEk78Ei zQ;iO4caKj6hbDLBZR>~Cq|ycLpHDT=X{5iYA{a(^Xt~i98sAbokO?lN^4<; zw$tER7lbs8KhjqWNs}>k0abeA#c%dkTmwWS$k6-h5y)@Ylk%kP)a53+l>v6Sz*Lq`VYYKXWZ(|LG)k_bs2uWJO?N6iPdh;GNg@cM zumiQlusEU+@5&OdRUSD5Bdvvrwi4;63ws{06t$5(IVwk+dt&l&cK78EfoHK^a4w1c z${^{EtWfk-cKfIAKRMhGM)llRdSfM)+U>%O8+MVJGOf^b!n8ehM|z?Agji|kSn&;j zsUyzZ51cH;=mPqiaubV+HtIO9V$CL8-Oi4Os4K+=Tg_D;H6R)N9_0yrOp!6L_N5H5&b>gbS<3SH#T$jgzG&(ALk=Ss3z=*c zWMyv2T#vdUeTwD^UCDSDRD6-0=VpWZz{v4Hs+=Ed@xx;9sE8yi2lwS&BC;hGkcN73 zaVEn_u*9l5{=&)v=LduEP{pX@R%MH4DTU%GbuyNjqNR|^;}U(8{ywkbkYc+`!{$2E za~v+ttp7HGbPmu;UctwifV+{Q`YuNmW68!`C;L>5oAmxFe9I&r4p$n2x?7<%2>wn* zFhvhYB2(p8Ei6ma&bMJoG9F8VS+huQGk3>={>AaYM4;_!MlT7ilS|*|t#in)6kMw>EeYn^UB$27R z=wokVR+teqQ4N@P<=B$oaHmD5J#0+!d{cQ&L2*pa^_IrQ!s27tepZ)namhP#Q^N50 zOE}Eh8g6Eh6txu+1c0Ub2F$az;qgA_SD6{}i79tUR|i)1F6`4A?_eReJxlY|4>!uE z`;+HOU(`iqz%3%hD=MqSpzjN6^Z5(w^1cs`t#3#cOh*)cR=ql@*Q&Qk-FX{>%2plV zd}-92d(ZiX6ZJz86u6s#bS@v=t9=e1)ExTm>E9Q+0#zU)pqHWawi>y!r@fCzchJxo>H(@VFsuZAUm! z9ZnYl;#y*D^VDu@2Wzk3i60!IkhZ5E;v8b6?ckPEqfqc|(Pl1n7JuxZ#~LpveYSEO zh6aUkfw2wlAvQ(Bm7g8zRXvbaJO$H9IW*}pJ+9y6WG>v(^o%XetD!KkEtURF%?G{! z?Grb?k*X1G*GYC7`&W~<92yDX?M?>3TcC`K+>n8jBIbML1gWOe`2k#A07!?Gn9*R@ zQGtfghgaM;1ya`mUdtxh2s;#cRK=;Lz_T3^k%Jj9sK3Y9(}EL1A=FFG%j$ zpSX+wJ3^!eH-gr~cCpsFr1S=$VL_i3wuN~Qi2GEj>y06-2v*{y3f1h3Rv&VtB{u1C z##ICmBSQoDY^N?39KCmV>T>XDHL#tmG{#2!{U%RaXZu{`z)Ie4$62iSKB05-D&8Sg9OZSNPA0wQ2I!eM7Dxb&`5QXiBWnp- z8iHRM+nKJ}eAjqrT%mNzTsobhdVFF@7T#nKfI=Y(fB{l@n1In o|Cjl%=gt52@&B#S4A}mCepII43$