From d59ae184ad95bed5383078e757ab8cb8f9a2b5ce Mon Sep 17 00:00:00 2001 
From: Matt Fuller Date: Thu, 9 Jan 2020 12:46:10 -0500 Subject: [PATCH] adding new docs --- README.md | 74 +++++++++++++++--- .../activedirectory/ensure-no-guest-user.md | 22 ++++++ .../minimum-password-length.md | 1 + .../activedirectory/no-custom-owner-roles.md | 22 ++++++ .../password-requires-lowercase.md | 1 + .../password-requires-numbers.md | 1 + .../password-requires-symbols.md | 1 + .../password-requires-uppercase.md | 1 + en/azure/appservice/.net-framework-version.md | 1 + en/azure/appservice/authentication-enabled.md | 1 + .../appservice/client-certificates-enabled.md | 1 + en/azure/appservice/http-2.0-enabled.md | 1 + en/azure/appservice/https-only-enabled.md | 1 + en/azure/appservice/identity-enabled.md | 1 + en/azure/appservice/java-version.md | 1 + en/azure/appservice/php-version.md | 1 + en/azure/appservice/python-version.md | 1 + en/azure/appservice/tls-version-check.md | 1 + ...esource-location-matches-resource-group.md | 1 + .../resources-allowed-locations.md | 1 + .../blob-container-private-access.md | 1 + .../blobservice/blob-service-immutable.md | 1 + .../detect-insecure-custom-origin.md | 1 + .../cdnprofiles/endpoint-logging-enabled.md | 1 + en/azure/containerregistry/acr-admin-user.md | 22 ++++++ .../file-service-all-access-acl.md | 1 + en/azure/keyvaults/key-expiration-enabled.md | 22 ++++++ .../keyvaults/key-vault-recovery-enabled.md | 22 ++++++ .../keyvaults/secret-expiration-enabled.md | 22 ++++++ .../kubernetes-latest-version.md | 22 ++++++ .../kubernetes-rbac-enabled.md | 1 + en/azure/loadbalancer/lb-https-only.md | 1 + en/azure/loadbalancer/lb-no-instances.md | 1 + ...network-security-groups-logging-enabled.md | 5 +- ...rk-security-groups-rule-logging-enabled.md | 22 ++++++ .../policy-assignment-alerts-enabled.md | 22 ++++++ .../security-policy-alerts-enabled.md | 1 + .../logalerts/security-solution-logging.md | 1 + ...sql-server-firewall-rule-alerts-monitor.md | 1 + .../virtual-network-alerts-monitor.md | 1 + 
.../key-vault-log-analytics-enabled.md | 1 + .../load-balancer-log-analytics-enabled.md | 1 + en/azure/monitor/log-profile-archive-data.md | 1 + .../monitor/log-profile-retention-policy.md | 3 +- en/azure/monitor/nsg-log-analytics-enabled.md | 1 + .../enforce-mysql-ssl-connection.md | 22 ++++++ .../default-security-group.md | 1 + .../excessive-security-groups.md | 1 + .../network-watcher-enabled.md | 1 + .../networksecuritygroups/open-all-ports.md | 1 + en/azure/networksecuritygroups/open-cifs.md | 1 + en/azure/networksecuritygroups/open-dns.md | 1 + en/azure/networksecuritygroups/open-ftp.md | 1 + ...n-hadoop-hdfs-namenode-metadata-service.md | 1 + .../open-hadoop-hdfs-namenode-webui.md | 1 + en/azure/networksecuritygroups/open-kibana.md | 1 + en/azure/networksecuritygroups/open-mysql.md | 1 + .../networksecuritygroups/open-netbios.md | 1 + .../open-oracle-auto-data-warehouse.md | 1 + en/azure/networksecuritygroups/open-oracle.md | 1 + .../networksecuritygroups/open-postgresql.md | 1 + en/azure/networksecuritygroups/open-rdp.md | 1 + en/azure/networksecuritygroups/open-rpc.md | 1 + .../networksecuritygroups/open-smbotcp.md | 1 + en/azure/networksecuritygroups/open-smtp.md | 1 + .../networksecuritygroups/open-sqlserver.md | 1 + en/azure/networksecuritygroups/open-ssh.md | 1 + en/azure/networksecuritygroups/open-telnet.md | 1 + .../networksecuritygroups/open-vnc-client.md | 1 + .../networksecuritygroups/open-vnc-server.md | 1 + .../connection-throttling-enabled.md | 1 + .../enforce-postgresql-ssl-connection.md | 22 ++++++ .../log-checkpoints-enabled.md | 1 + .../log-connections-enabled.md | 1 + .../log-disconnections-enabled.md | 1 + .../postgresqlserver/log-duration-enabled.md | 1 + .../postgresqlserver/log-retention-period.md | 1 + .../queue-service-all-access-acl.md | 1 + en/azure/resources/management-lock-enabled.md | 1 + en/azure/resources/resources-usage-limits.md | 1 + .../admin-security-alerts-enabled.md | 1 + .../application-whitelisting-enabled.md | 1 + 
.../auto-provisioning-enabled.md | 1 + .../high-severity-alerts-enabled.md | 22 ++++++ .../securitycenter/monitor-blob-encryption.md | 1 + .../securitycenter/monitor-disk-encryption.md | 1 + .../monitor-endpoint-protection.md | 1 + .../monitor-jit-network-access.md | 1 + .../securitycenter/monitor-nsg-enabled.md | 1 + .../securitycenter/monitor-sql-auditing.md | 1 + .../securitycenter/monitor-sql-encryption.md | 1 + .../securitycenter/monitor-system-updates.md | 1 + .../monitor-vm-vulnerability.md | 1 + .../security-configuration-monitoring.md | 1 + .../security-contacts-enabled.md | 1 + .../standard-pricing-enabled.md | 22 ++++++ .../sqldatabases/database-auditing-enabled.md | 1 + en/azure/sqldatabases/db-restorable.md | 1 + en/azure/sqldatabases/sql-db-multiple-az.md | 1 + .../advanced-data-security-enabled.md | 1 + .../sqlserver/audit-action-groups-enabled.md | 1 + en/azure/sqlserver/audit-retention-policy.md | 22 ++++++ .../azure-active-directory-admin-enabled.md | 22 ++++++ .../sqlserver/email-account-admins-enabled.md | 22 ++++++ en/azure/sqlserver/send-alerts-enabled.md | 22 ++++++ en/azure/sqlserver/server-auditing-enabled.md | 22 ++++++ .../sqlserver/sql-server-public-access.md | 1 + en/azure/sqlserver/tde-protector-encrypted.md | 1 + .../blob-service-encryption.md | 1 + .../file-service-encryption.md | 1 + .../log-container-public-access.md | 1 + .../storageaccounts/log-storage-encryption.md | 1 + .../network-access-default-action.md | 1 + .../storage-accounts-aad-enabled.md | 1 + .../storage-accounts-encryption.md | 1 + .../storageaccounts/storage-accounts-https.md | 1 + .../trusted-ms-access-enabled.md | 1 + .../table-service-all-access-acl.md | 1 + en/azure/virtualmachines/classic-instances.md | 1 + .../virtualmachines/scale-set-multi-az.md | 1 + .../scale-sets-autoscale-enabled.md | 1 + en/azure/virtualmachines/vm-agent-enabled.md | 1 + .../virtualmachines/vm-auto-update-enabled.md | 1 + .../vm-availability-set-enabled.md | 1 + 
.../vm-availability-set-limit.md | 1 + .../vm-data-disk-encryption.md | 1 + .../virtualmachines/vm-endpoint-protection.md | 3 +- en/azure/virtualmachines/vm-instance-limit.md | 1 + .../virtualmachines/vm-os-disk-encryption.md | 1 + en/azure/virtualnetworks/multiple-subnets.md | 1 + en/google/clb/clb-cdn-enabled.md | 7 +- en/google/clb/clb-https-only.md | 5 +- en/google/clb/clb-no-instances.md | 3 +- en/google/clb/security-policy-enabled.md | 7 +- en/google/compute/autoscale-enabled.md | 7 +- .../compute/connect-serial-ports-disabled.md | 7 +- en/google/compute/csek-encryption-enabled.md | 7 +- en/google/compute/instance-level-ssh-only.md | 7 +- en/google/compute/instances-multi-az.md | 1 + en/google/compute/ip-forwarding-disabled.md | 9 ++- en/google/compute/os-login-enabled.md | 19 +++++ .../compute/vm-instances-least-privilege.md | 19 +++++ en/google/compute/vm-max-instances.md | 3 +- en/google/cryptographickeys/key-rotation.md | 7 +- en/google/dns/dns-security-enabled.md | 7 +- .../dns/dns-security-signing-algorithm.md | 18 +++++ en/google/iam/corporate-emails-only.md | 19 +++++ en/google/iam/kms-user-separation.md | 19 +++++ en/google/iam/service-account-admin.md | 19 +++++ en/google/iam/service-account-key-rotation.md | 19 +++++ en/google/iam/service-account-managed-keys.md | 19 +++++ en/google/iam/service-account-separation.md | 19 +++++ en/google/iam/service-account-user.md | 19 +++++ en/google/iam/service-limits.md | 3 +- .../kubernetes/alias-ip-ranges-enabled.md | 19 +++++ .../automatic-node-repair-enabled.md | 19 +++++ .../automatic-node-upgrades-enabled.md | 19 +++++ .../basic-authentication-disabled.md | 18 +++++ en/google/kubernetes/cluster-labels-added.md | 19 +++++ .../kubernetes/cluster-least-privilege.md | 19 +++++ en/google/kubernetes/cos-image-enabled.md | 19 +++++ .../kubernetes/default-service-account.md | 19 +++++ .../legacy-authorization-disabled.md | 19 +++++ en/google/kubernetes/logging-enabled.md | 19 +++++ 
.../kubernetes/master-authorized-network.md | 19 +++++ en/google/kubernetes/monitoring-enabled.md | 5 +- .../kubernetes/network-policy-enabled.md | 19 +++++ .../kubernetes/pod-security-policy-enabled.md | 18 +++++ .../kubernetes/private-cluster-enabled.md | 19 +++++ en/google/kubernetes/private-endpoint.md | 1 + .../kubernetes/web-dashboard-disabled.md | 19 +++++ .../logging/audit-configuration-logging.md | 18 +++++ en/google/logging/audit-logging-enabled.md | 18 +++++ en/google/logging/custom-role-logging.md | 18 +++++ en/google/logging/log-sinks-enabled.md | 18 +++++ .../logging/project-ownership-logging.md | 18 +++++ .../logging/sql-configuration-logging.md | 18 +++++ .../logging/storage-permissions-logging.md | 18 +++++ .../logging/vpc-firewall-rule-logging.md | 18 +++++ en/google/logging/vpc-network-logging.md | 18 +++++ .../logging/vpc-network-route-logging.md | 18 +++++ en/google/sql/any-host-root-access.md | 19 +++++ en/google/sql/database-ssl-enabled.md | 19 +++++ en/google/sql/db-automated-backups.md | 3 +- en/google/sql/db-multiple-az.md | 9 ++- en/google/sql/db-publicly-accessible.md | 1 + en/google/sql/db-restorable.md | 3 +- en/google/storage/bucket-logging.md | 3 +- en/google/storage/bucket-versioning.md | 1 + .../storage-bucket-all-users-policy.md | 3 +- en/google/vpcnetwork/default-vpc-in-use.md | 3 +- .../vpcnetwork/excessive-firewall-rules.md | 3 +- en/google/vpcnetwork/flow-logs-enabled.md | 1 + en/google/vpcnetwork/multiple-subnets.md | 1 + en/google/vpcnetwork/open-all-ports.md | 5 +- en/google/vpcnetwork/open-cifs.md | 5 +- en/google/vpcnetwork/open-dns.md | 5 +- en/google/vpcnetwork/open-ftp.md | 5 +- ...n-hadoop-hdfs-namenode-metadata-service.md | 3 +- .../open-hadoop-hdfs-namenode-webui.md | 3 +- en/google/vpcnetwork/open-kibana.md | 5 +- en/google/vpcnetwork/open-mysql.md | 5 +- en/google/vpcnetwork/open-netbios.md | 5 +- .../open-oracle-auto-data-warehouse.md | 5 +- en/google/vpcnetwork/open-oracle.md | 5 +- 
en/google/vpcnetwork/open-postgresql.md | 5 +- en/google/vpcnetwork/open-rdp.md | 5 +- en/google/vpcnetwork/open-rpc.md | 5 +- en/google/vpcnetwork/open-smbotcp.md | 5 +- en/google/vpcnetwork/open-smtp.md | 5 +- en/google/vpcnetwork/open-sqlserver.md | 5 +- en/google/vpcnetwork/open-ssh.md | 5 +- en/google/vpcnetwork/open-telnet.md | 5 +- en/google/vpcnetwork/open-vnc-client.md | 5 +- en/google/vpcnetwork/open-vnc-server.md | 5 +- .../vpcnetwork/private-access-enabled.md | 1 + .../google/vpcnetwork/open-rdp/README.md | 1 + .../google/vpcnetwork/open-rdp/step2.png | Bin 0 -> 40809 bytes .../google/vpcnetwork/open-rdp/step3.png | Bin 0 -> 71356 bytes .../google/vpcnetwork/open-rdp/step4.png | Bin 0 -> 24090 bytes .../google/vpcnetwork/open-rdp/step6.png | Bin 0 -> 93097 bytes .../google/vpcnetwork/open-rdp/step7.png | Bin 0 -> 29715 bytes .../google/vpcnetwork/open-rdp/step8.png | Bin 0 -> 9674 bytes 223 files changed, 1397 insertions(+), 102 deletions(-) create mode 100644 en/azure/activedirectory/ensure-no-guest-user.md create mode 100644 en/azure/activedirectory/no-custom-owner-roles.md create mode 100644 en/azure/containerregistry/acr-admin-user.md create mode 100644 en/azure/keyvaults/key-expiration-enabled.md create mode 100644 en/azure/keyvaults/key-vault-recovery-enabled.md create mode 100644 en/azure/keyvaults/secret-expiration-enabled.md create mode 100644 en/azure/kubernetesservice/kubernetes-latest-version.md create mode 100644 en/azure/logalerts/network-security-groups-rule-logging-enabled.md create mode 100644 en/azure/logalerts/policy-assignment-alerts-enabled.md create mode 100644 en/azure/mysqlserver/enforce-mysql-ssl-connection.md create mode 100644 en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md create mode 100644 en/azure/securitycenter/high-severity-alerts-enabled.md create mode 100644 en/azure/securitycenter/standard-pricing-enabled.md create mode 100644 en/azure/sqlserver/audit-retention-policy.md create mode 100644 
en/azure/sqlserver/azure-active-directory-admin-enabled.md create mode 100644 en/azure/sqlserver/email-account-admins-enabled.md create mode 100644 en/azure/sqlserver/send-alerts-enabled.md create mode 100644 en/azure/sqlserver/server-auditing-enabled.md create mode 100644 en/google/compute/os-login-enabled.md create mode 100644 en/google/compute/vm-instances-least-privilege.md create mode 100644 en/google/dns/dns-security-signing-algorithm.md create mode 100644 en/google/iam/corporate-emails-only.md create mode 100644 en/google/iam/kms-user-separation.md create mode 100644 en/google/iam/service-account-admin.md create mode 100644 en/google/iam/service-account-key-rotation.md create mode 100644 en/google/iam/service-account-managed-keys.md create mode 100644 en/google/iam/service-account-separation.md create mode 100644 en/google/iam/service-account-user.md create mode 100644 en/google/kubernetes/alias-ip-ranges-enabled.md create mode 100644 en/google/kubernetes/automatic-node-repair-enabled.md create mode 100644 en/google/kubernetes/automatic-node-upgrades-enabled.md create mode 100644 en/google/kubernetes/basic-authentication-disabled.md create mode 100644 en/google/kubernetes/cluster-labels-added.md create mode 100644 en/google/kubernetes/cluster-least-privilege.md create mode 100644 en/google/kubernetes/cos-image-enabled.md create mode 100644 en/google/kubernetes/default-service-account.md create mode 100644 en/google/kubernetes/legacy-authorization-disabled.md create mode 100644 en/google/kubernetes/logging-enabled.md create mode 100644 en/google/kubernetes/master-authorized-network.md create mode 100644 en/google/kubernetes/network-policy-enabled.md create mode 100644 en/google/kubernetes/pod-security-policy-enabled.md create mode 100644 en/google/kubernetes/private-cluster-enabled.md create mode 100644 en/google/kubernetes/web-dashboard-disabled.md create mode 100644 en/google/logging/audit-configuration-logging.md create mode 100644 
en/google/logging/audit-logging-enabled.md create mode 100644 en/google/logging/custom-role-logging.md create mode 100644 en/google/logging/log-sinks-enabled.md create mode 100644 en/google/logging/project-ownership-logging.md create mode 100644 en/google/logging/sql-configuration-logging.md create mode 100644 en/google/logging/storage-permissions-logging.md create mode 100644 en/google/logging/vpc-firewall-rule-logging.md create mode 100644 en/google/logging/vpc-network-logging.md create mode 100644 en/google/logging/vpc-network-route-logging.md create mode 100644 en/google/sql/any-host-root-access.md create mode 100644 en/google/sql/database-ssl-enabled.md create mode 100644 resources/google/vpcnetwork/open-rdp/README.md create mode 100644 resources/google/vpcnetwork/open-rdp/step2.png create mode 100644 resources/google/vpcnetwork/open-rdp/step3.png create mode 100644 resources/google/vpcnetwork/open-rdp/step4.png create mode 100644 resources/google/vpcnetwork/open-rdp/step6.png create mode 100644 resources/google/vpcnetwork/open-rdp/step7.png create mode 100644 resources/google/vpcnetwork/open-rdp/step8.png
diff --git a/README.md b/README.md
index 9e142819e..1a86026db 100644
--- a/README.md
+++ b/README.md
@@ -142,7 +142,9 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
 * [Notebook Direct Internet Access](en/aws/sagemaker/notebook-direct-internet-access.md)
 * Azure
 * Active Directory
+ * [Ensure No Guest User](en/azure/activedirectory/ensure-no-guest-user.md)
 * [Minimum Password Length](en/azure/activedirectory/minimum-password-length.md)
+ * [No Custom Owner Roles](en/azure/activedirectory/no-custom-owner-roles.md)
 * [Password Requires Lowercase](en/azure/activedirectory/password-requires-lowercase.md)
 * [Password Requires Numbers](en/azure/activedirectory/password-requires-numbers.md)
 * [Password Requires Symbols](en/azure/activedirectory/password-requires-symbols.md)
@@ -167,20 +169,24 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
 * CDN Profiles
 * [Detect Insecure Custom Origin](en/azure/cdnprofiles/detect-insecure-custom-origin.md)
 * [Endpoint Logging Enabled](en/azure/cdnprofiles/endpoint-logging-enabled.md)
- * Disks
- * [Unmanaged Disk Encryption](en/azure/disks/unmanaged-disk-encryption.md)
+ * Container Registry
+ * [ACR Admin User](en/azure/containerregistry/acr-admin-user.md)
 * File Service
 * [File Service All Access ACL](en/azure/fileservice/file-service-all-access-acl.md)
- * Key Vault
- * [Key Expiration Enabled](en/azure/keyvault/key-expiration-enabled.md)
- * [Key Vault Recovery Enabled](en/azure/keyvault/key-vault-recovery-enabled.md)
+ * Key Vaults
+ * [Key Expiration Enabled](en/azure/keyvaults/key-expiration-enabled.md)
+ * [Key Vault Recovery Enabled](en/azure/keyvaults/key-vault-recovery-enabled.md)
+ * [Secret Expiration Enabled](en/azure/keyvaults/secret-expiration-enabled.md)
 * Kubernetes Service
+ * [Kubernetes Latest Version](en/azure/kubernetesservice/kubernetes-latest-version.md)
 * [Kubernetes RBAC Enabled](en/azure/kubernetesservice/kubernetes-rbac-enabled.md)
 * Load Balancer
 * [LB HTTPS Only](en/azure/loadbalancer/lb-https-only.md)
 * [LB No Instances](en/azure/loadbalancer/lb-no-instances.md)
 * Log Alerts
 * [Network Security Groups Logging Enabled](en/azure/logalerts/network-security-groups-logging-enabled.md)
+ * [Network Security Groups Rule Logging Enabled](en/azure/logalerts/network-security-groups-rule-logging-enabled.md)
+ * [Policy Assignment Alerts Enabled](en/azure/logalerts/policy-assignment-alerts-enabled.md)
 * [SQL Server Firewall Rule Alerts Monitor](en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md)
 * [Security Policy Alerts Enabled](en/azure/logalerts/security-policy-alerts-enabled.md)
 * [Security Solution Logging](en/azure/logalerts/security-solution-logging.md)
@@ -191,9 +197,10 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
 * [Log Profile Archive Data](en/azure/monitor/log-profile-archive-data.md)
 * [Log Profile Retention Policy](en/azure/monitor/log-profile-retention-policy.md)
 * [NSG Log Analytics Enabled](en/azure/monitor/nsg-log-analytics-enabled.md)
+ * MySQL Server
+ * [Enforce MySQL SSL Connection](en/azure/mysqlserver/enforce-mysql-ssl-connection.md)
 * Network Security Groups
 * [Default Security Group](en/azure/networksecuritygroups/default-security-group.md)
- * [Deny SSH Access](en/azure/networksecuritygroups/deny-ssh-access.md)
 * [Excessive Security Groups](en/azure/networksecuritygroups/excessive-security-groups.md)
 * [Network Watcher Enabled](en/azure/networksecuritygroups/network-watcher-enabled.md)
 * [Open All Ports](en/azure/networksecuritygroups/open-all-ports.md)
@@ -219,7 +226,7 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
 * [Open VNC Server](en/azure/networksecuritygroups/open-vnc-server.md)
 * PostgreSQL Server
 * [Connection Throttling Enabled](en/azure/postgresqlserver/connection-throttling-enabled.md)
- * [Enforce SSL Connection Enabled](en/azure/postgresqlserver/enforce-ssl-connection-enabled.md)
+ * [Enforce PostgreSQL SSL Connection](en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md)
 * [Log Checkpoints Enabled](en/azure/postgresqlserver/log-checkpoints-enabled.md)
 * [Log Connections Enabled](en/azure/postgresqlserver/log-connections-enabled.md)
 * [Log Disconnections Enabled](en/azure/postgresqlserver/log-disconnections-enabled.md)
@@ -237,15 +244,18 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
 * SQL Server
 * [Advanced Data Security Enabled](en/azure/sqlserver/advanced-data-security-enabled.md)
 * [Audit Action Groups Enabled](en/azure/sqlserver/audit-action-groups-enabled.md)
+ * [Audit Retention Policy](en/azure/sqlserver/audit-retention-policy.md)
+ * [Azure Active Directory Admin Enabled](en/azure/sqlserver/azure-active-directory-admin-enabled.md)
+ * [Email Account Admins Enabled](en/azure/sqlserver/email-account-admins-enabled.md)
 * [SQL Server Public Access](en/azure/sqlserver/sql-server-public-access.md)
+ * [Send Alerts Enabled](en/azure/sqlserver/send-alerts-enabled.md)
+ * [Server Auditing Enabled](en/azure/sqlserver/server-auditing-enabled.md)
 * [TDE Protector Encrypted](en/azure/sqlserver/tde-protector-encrypted.md)
- * SQL Servers
- * [Audit Retention Policy](en/azure/sqlservers/audit-retention-policy.md)
- * [Server Auditing Enabled](en/azure/sqlservers/server-auditing-enabled.md)
 * Security Center
 * [Admin Security Alerts Enabled](en/azure/securitycenter/admin-security-alerts-enabled.md)
 * [Application Whitelisting Enabled](en/azure/securitycenter/application-whitelisting-enabled.md)
 * [Auto Provisioning Enabled](en/azure/securitycenter/auto-provisioning-enabled.md)
+ * [High Severity Alerts Enabled](en/azure/securitycenter/high-severity-alerts-enabled.md)
 * [Monitor Blob Encryption](en/azure/securitycenter/monitor-blob-encryption.md)
 * [Monitor Disk Encryption](en/azure/securitycenter/monitor-disk-encryption.md)
 * [Monitor Endpoint Protection](en/azure/securitycenter/monitor-endpoint-protection.md)
@@ -257,6 +267,7 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
 * [Monitor VM Vulnerability](en/azure/securitycenter/monitor-vm-vulnerability.md)
 * [Security Configuration Monitoring](en/azure/securitycenter/security-configuration-monitoring.md)
 * [Security Contacts Enabled](en/azure/securitycenter/security-contacts-enabled.md)
+ * [Standard Pricing Enabled](en/azure/securitycenter/standard-pricing-enabled.md)
 * Storage Accounts
 * [Blob Service Encryption](en/azure/storageaccounts/blob-service-encryption.md)
 * [File Service Encryption](en/azure/storageaccounts/file-service-encryption.md)
@@ -293,25 +304,62 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
 * [Autoscale Enabled](en/google/compute/autoscale-enabled.md)
 * [CSEK Encryption Enabled](en/google/compute/csek-encryption-enabled.md)
 * [Connect Serial Ports Disabled](en/google/compute/connect-serial-ports-disabled.md)
+ * [IP Forwarding Disabled](en/google/compute/ip-forwarding-disabled.md)
 * [Instance Level SSH Only](en/google/compute/instance-level-ssh-only.md)
 * [Instances Multi AZ](en/google/compute/instances-multi-az.md)
- * [Ip Forwarding Disabled](en/google/compute/ip-forwarding-disabled.md)
- * [VM Instances with No Access](en/google/compute/vm-instances-with-no-access.md)
+ * [OS Login Enabled](en/google/compute/os-login-enabled.md)
+ * [VM Instances Least Privilege](en/google/compute/vm-instances-least-privilege.md)
 * [VM Max Instances](en/google/compute/vm-max-instances.md)
 * Cryptographic Keys
 * [Key Rotation](en/google/cryptographickeys/key-rotation.md)
 * DNS
 * [DNS Security Enabled](en/google/dns/dns-security-enabled.md)
+ * [DNS Security Signing Algorithm](en/google/dns/dns-security-signing-algorithm.md)
 * IAM
+ * [Corporate Emails Only](en/google/iam/corporate-emails-only.md)
+ * [KMS User Separation](en/google/iam/kms-user-separation.md)
+ * [Service Account Admin](en/google/iam/service-account-admin.md)
+ * [Service Account Key Rotation](en/google/iam/service-account-key-rotation.md)
+ * [Service Account Managed Keys](en/google/iam/service-account-managed-keys.md)
+ * [Service Account Separation](en/google/iam/service-account-separation.md)
+ * [Service Account User](en/google/iam/service-account-user.md)
 * [Service Limits](en/google/iam/service-limits.md)
 * Kubernetes
+ * [Alias IP Ranges Enabled](en/google/kubernetes/alias-ip-ranges-enabled.md)
+ * [Automatic Node Repair Enabled](en/google/kubernetes/automatic-node-repair-enabled.md)
+ * [Automatic Node Upgrades Enabled](en/google/kubernetes/automatic-node-upgrades-enabled.md)
+ * [Basic Authentication Disabled](en/google/kubernetes/basic-authentication-disabled.md)
+ * [COS Image Enabled](en/google/kubernetes/cos-image-enabled.md)
+ * [Cluster Labels Added](en/google/kubernetes/cluster-labels-added.md)
+ * [Cluster Least Privilege](en/google/kubernetes/cluster-least-privilege.md)
+ * [Default Service Account](en/google/kubernetes/default-service-account.md)
+ * [Legacy Authorization Disabled](en/google/kubernetes/legacy-authorization-disabled.md)
+ * [Logging Enabled](en/google/kubernetes/logging-enabled.md)
+ * [Master Authorized Network](en/google/kubernetes/master-authorized-network.md)
 * [Monitoring Enabled](en/google/kubernetes/monitoring-enabled.md)
+ * [Network Policy Enabled](en/google/kubernetes/network-policy-enabled.md)
+ * [Pod Security Policy Enabled](en/google/kubernetes/pod-security-policy-enabled.md)
+ * [Private Cluster Enabled](en/google/kubernetes/private-cluster-enabled.md)
 * [Private Endpoint](en/google/kubernetes/private-endpoint.md)
+ * [Web Dashboard Disabled](en/google/kubernetes/web-dashboard-disabled.md)
+ * Logging
+ * [Audit Configuration Logging](en/google/logging/audit-configuration-logging.md)
+ * [Audit Logging Enabled](en/google/logging/audit-logging-enabled.md)
+ * [Custom Role Logging](en/google/logging/custom-role-logging.md)
+ * [Log Sinks Enabled](en/google/logging/log-sinks-enabled.md)
+ * [Project Ownership Logging](en/google/logging/project-ownership-logging.md)
+ * [SQL Configuration Logging](en/google/logging/sql-configuration-logging.md)
+ * [Storage Permissions Logging](en/google/logging/storage-permissions-logging.md)
+ * [VPC Firewall Rule Logging](en/google/logging/vpc-firewall-rule-logging.md)
+ * [VPC Network Logging](en/google/logging/vpc-network-logging.md)
+ * [VPC Network Route Logging](en/google/logging/vpc-network-route-logging.md)
 * SQL
+ * [Any Host Root Access](en/google/sql/any-host-root-access.md)
 * [DB Automated Backups](en/google/sql/db-automated-backups.md)
- * [DB Multiple Az](en/google/sql/db-multiple-az.md)
+ * [DB Multiple AZ](en/google/sql/db-multiple-az.md)
 * [DB Publicly Accessible](en/google/sql/db-publicly-accessible.md)
 * [DB Restorable](en/google/sql/db-restorable.md)
+ * [Database SSL Enabled](en/google/sql/database-ssl-enabled.md)
 * Storage
 * [Bucket Logging](en/google/storage/bucket-logging.md)
 * [Bucket Versioning](en/google/storage/bucket-versioning.md)
diff --git a/en/azure/activedirectory/ensure-no-guest-user.md b/en/azure/activedirectory/ensure-no-guest-user.md
new file mode 100644
index 000000000..c50dd4189
--- /dev/null
+++ b/en/azure/activedirectory/ensure-no-guest-user.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Active Directory / Ensure No Guest User
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Ensure No Guest User |
+| **Cloud** | AZURE |
+| **Category** | Active Directory |
+| **Description** | Ensures that there are no guest users in the subscription |
+| **More Info** | Guest users are usually users that are invited from outside the company structure, these users are not part of the onboarding/offboarding process and could be overlooked, causing security vulnerabilities. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator |
+| **Recommended Action** | Remove all guest users unless they are required to be members of the Active Directory account. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/activedirectory/minimum-password-length.md b/en/azure/activedirectory/minimum-password-length.md
index 2f9d2e5cd..30c99b240 100644
--- a/en/azure/activedirectory/minimum-password-length.md
+++ b/en/azure/activedirectory/minimum-password-length.md
@@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/activedirectory/no-custom-owner-roles.md b/en/azure/activedirectory/no-custom-owner-roles.md new file mode 100644 index 000000000..b9705ac4d --- /dev/null +++ b/en/azure/activedirectory/no-custom-owner-roles.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / No Custom Owner Roles + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | No Custom Owner Roles | +| **Cloud** | AZURE | +| **Category** | Active Directory | +| **Description** | Ensures that no custom owner roles exist. | +| **More Info** | Subscription owners should not include permissions to create custom owner roles. This follows the principle of least privilege. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles | +| **Recommended Action** | Remove roles that allow permissions to create custom owner roles. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/activedirectory/password-requires-lowercase.md b/en/azure/activedirectory/password-requires-lowercase.md index 3f58e8e93..a4d106388 100644 --- a/en/azure/activedirectory/password-requires-lowercase.md +++ b/en/azure/activedirectory/password-requires-lowercase.md @@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/activedirectory/password-requires-numbers.md b/en/azure/activedirectory/password-requires-numbers.md index 90f92e075..6bda99e1f 100644 --- a/en/azure/activedirectory/password-requires-numbers.md +++ b/en/azure/activedirectory/password-requires-numbers.md @@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/activedirectory/password-requires-symbols.md b/en/azure/activedirectory/password-requires-symbols.md index 4014bf32b..3aaf45f64 100644 --- a/en/azure/activedirectory/password-requires-symbols.md +++ b/en/azure/activedirectory/password-requires-symbols.md @@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/activedirectory/password-requires-uppercase.md b/en/azure/activedirectory/password-requires-uppercase.md index 89c1a8ad1..811f990c1 100644 --- a/en/azure/activedirectory/password-requires-uppercase.md +++ b/en/azure/activedirectory/password-requires-uppercase.md @@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/appservice/.net-framework-version.md b/en/azure/appservice/.net-framework-version.md index fe91f6aaa..0d0972bf8 100644 --- a/en/azure/appservice/.net-framework-version.md +++ b/en/azure/appservice/.net-framework-version.md @@ -15,6 +15,7 @@ | **Recommended Action** | Select the latest version of the .NET framework for all .NET-based App Services | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the “Search resources, services, and docs” option at the top and search for App Services.
3. Select the “App Services” by clicking on the “Name” link to access the configuration changes.
diff --git a/en/azure/appservice/authentication-enabled.md b/en/azure/appservice/authentication-enabled.md
index cbf662569..83f8c93eb 100644
--- a/en/azure/appservice/authentication-enabled.md
+++ b/en/azure/appservice/authentication-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable App Service Authentication for all App Services. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/client-certificates-enabled.md b/en/azure/appservice/client-certificates-enabled.md
index a660ab337..f5fbe25a0 100644
--- a/en/azure/appservice/client-certificates-enabled.md
+++ b/en/azure/appservice/client-certificates-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable incoming client certificate SSL setting for all App Services. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/http-2.0-enabled.md b/en/azure/appservice/http-2.0-enabled.md
index 80fbdd640..9fdc16dff 100644
--- a/en/azure/appservice/http-2.0-enabled.md
+++ b/en/azure/appservice/http-2.0-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable HTTP 2.0 support in the general settings for all App Services |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/https-only-enabled.md b/en/azure/appservice/https-only-enabled.md
index a8ce6feed..1c9bce058 100644
--- a/en/azure/appservice/https-only-enabled.md
+++ b/en/azure/appservice/https-only-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable HTTPS Only support SSL settings for all App Services |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/identity-enabled.md b/en/azure/appservice/identity-enabled.md
index aad569ee3..349827987 100644
--- a/en/azure/appservice/identity-enabled.md
+++ b/en/azure/appservice/identity-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable system or user-assigned identities for all App Services and avoid storing credentials in code. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/java-version.md b/en/azure/appservice/java-version.md
index b5d942905..6b6484a03 100644
--- a/en/azure/appservice/java-version.md
+++ b/en/azure/appservice/java-version.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Select the latest version of Java for all Java-based App Services |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/php-version.md b/en/azure/appservice/php-version.md
index 882d21a2c..aaf90a6e6 100644
--- a/en/azure/appservice/php-version.md
+++ b/en/azure/appservice/php-version.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Select the latest version of PHP for all PHP-based App Services |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/python-version.md b/en/azure/appservice/python-version.md
index 18e1a0cb6..5229f6e3a 100644
--- a/en/azure/appservice/python-version.md
+++ b/en/azure/appservice/python-version.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Select the latest version of Python for all Python-based App Services |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/tls-version-check.md b/en/azure/appservice/tls-version-check.md
index 825adfbdd..766873fdf 100644
--- a/en/azure/appservice/tls-version-check.md
+++ b/en/azure/appservice/tls-version-check.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Set the minimum TLS version to 1.2 for all App Services. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/azurepolicy/resource-location-matches-resource-group.md b/en/azure/azurepolicy/resource-location-matches-resource-group.md
index bd6d5bcb9..4ae3738df 100644
--- a/en/azure/azurepolicy/resource-location-matches-resource-group.md
+++ b/en/azure/azurepolicy/resource-location-matches-resource-group.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable the built-in Azure Policy definition: Audit resource location matches resource group location |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Policy.
3. On the "Policy" page, scroll down the left navigation panel and choose "Assignments" under "Authoring."
diff --git a/en/azure/azurepolicy/resources-allowed-locations.md b/en/azure/azurepolicy/resources-allowed-locations.md
index b12a9f6ee..0093c96c3 100644
--- a/en/azure/azurepolicy/resources-allowed-locations.md
+++ b/en/azure/azurepolicy/resources-allowed-locations.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure that all services contain policy definitions that defined allowed locations. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Policy.
3. On the "Policy" page, scroll down the left navigation panel and choose "Assignments" under "Authoring."
diff --git a/en/azure/blobservice/blob-container-private-access.md b/en/azure/blobservice/blob-container-private-access.md
index 95cae6e18..e7ebe7890 100644
--- a/en/azure/blobservice/blob-container-private-access.md
+++ b/en/azure/blobservice/blob-container-private-access.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure each blob container is configured to restrict anonymous access |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/blobservice/blob-service-immutable.md b/en/azure/blobservice/blob-service-immutable.md
index a37220ae3..134a3a548 100644
--- a/en/azure/blobservice/blob-service-immutable.md
+++ b/en/azure/blobservice/blob-service-immutable.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable a data immutability policy for all storage containers in the Azure storage account. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/cdnprofiles/detect-insecure-custom-origin.md b/en/azure/cdnprofiles/detect-insecure-custom-origin.md
index d28d1624c..e8c93e553 100644
--- a/en/azure/cdnprofiles/detect-insecure-custom-origin.md
+++ b/en/azure/cdnprofiles/detect-insecure-custom-origin.md
@@ -16,3 +16,4 @@
 ## Detailed Remediation Steps
+
diff --git a/en/azure/cdnprofiles/endpoint-logging-enabled.md b/en/azure/cdnprofiles/endpoint-logging-enabled.md
index 812e35e6e..6552b84ac 100644
--- a/en/azure/cdnprofiles/endpoint-logging-enabled.md
+++ b/en/azure/cdnprofiles/endpoint-logging-enabled.md
@@ -16,3 +16,4 @@
 ## Detailed Remediation Steps
+
diff --git a/en/azure/containerregistry/acr-admin-user.md b/en/azure/containerregistry/acr-admin-user.md
new file mode 100644
index 000000000..780ed9e82
--- /dev/null
+++ b/en/azure/containerregistry/acr-admin-user.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Container Registry / ACR Admin User
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | ACR Admin User |
+| **Cloud** | AZURE |
+| **Category** | Container Registry |
+| **Description** | Ensures that the admin user is not enabled on container registries |
+| **More Info** | Azure Container Registries have an admin user that is designed for testing. This should be disabled by default to avoid sharing confidential admin credentials. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication |
+| **Recommended Action** | Ensure that the admin user is disabled for each container registry. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/fileservice/file-service-all-access-acl.md b/en/azure/fileservice/file-service-all-access-acl.md
index 9215ebc64..4ca6f8421 100644
--- a/en/azure/fileservice/file-service-all-access-acl.md
+++ b/en/azure/fileservice/file-service-all-access-acl.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Disable global read, write, and delete policies on all file shares and ensure the share ACL is configured with least privileges. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/keyvaults/key-expiration-enabled.md b/en/azure/keyvaults/key-expiration-enabled.md
new file mode 100644
index 000000000..37cdf1654
--- /dev/null
+++ b/en/azure/keyvaults/key-expiration-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Key Vaults / Key Expiration Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Key Expiration Enabled |
+| **Cloud** | AZURE |
+| **Category** | Key Vaults |
+| **Description** | Ensure that all Keys in Azure Key Vault have an expiry time set. |
+| **More Info** | Setting an expiry time on all keys forces key rotation and removes unused and forgotten keys from being used. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates |
+| **Recommended Action** | Ensure each Key Vault has an expiry time set that provides for sufficient rotation. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/keyvaults/key-vault-recovery-enabled.md b/en/azure/keyvaults/key-vault-recovery-enabled.md
new file mode 100644
index 000000000..5ef045396
--- /dev/null
+++ b/en/azure/keyvaults/key-vault-recovery-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Key Vaults / Key Vault Recovery Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Key Vault Recovery Enabled |
+| **Cloud** | AZURE |
+| **Category** | Key Vaults |
+| **Description** | Ensures that Purge Protection and Soft Delete are enabled on all Key Vaults |
+| **More Info** | Purge Protection and Soft Delete are features that safeguard losing key access. With these setting enabled, key vaults have recovery actions available to restore deleted or compromised key vaults. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete |
+| **Recommended Action** | Once Key Vaults are created, the Azure CLI must be used to update the vault Soft Delete and Purge Protection settings. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/keyvaults/secret-expiration-enabled.md b/en/azure/keyvaults/secret-expiration-enabled.md
new file mode 100644
index 000000000..7cb9b1f99
--- /dev/null
+++ b/en/azure/keyvaults/secret-expiration-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Key Vaults / Secret Expiration Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Secret Expiration Enabled |
+| **Cloud** | AZURE |
+| **Category** | Key Vaults |
+| **Description** | Ensures that all secrets in Azure Key Vault have an expiry time set. |
+| **More Info** | Setting an expiry time on all secrets forces secret rotation and removes unused and forgotten secrets from being used. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/secret-vault/about-secrets-secrets-and-certificates |
+| **Recommended Action** | Ensure each Key Vault has an expiry time set that provides for sufficient rotation. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/kubernetesservice/kubernetes-latest-version.md b/en/azure/kubernetesservice/kubernetes-latest-version.md
new file mode 100644
index 000000000..a38dfe57a
--- /dev/null
+++ b/en/azure/kubernetesservice/kubernetes-latest-version.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Kubernetes Service / Kubernetes Latest Version
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Kubernetes Latest Version |
+| **Cloud** | AZURE |
+| **Category** | Kubernetes Service |
+| **Description** | Ensures the latest version of Kubernetes is installed on AKS clusters |
+| **More Info** | AKS supports provisioning clusters from several versions of Kubernetes. Clusters should be kept up to date to ensure Kubernetes security patches are applied. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/aks/aad-integration |
+| **Recommended Action** | Upgrade the version of Kubernetes on all AKS clusters to the latest available version. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/kubernetesservice/kubernetes-rbac-enabled.md b/en/azure/kubernetesservice/kubernetes-rbac-enabled.md
index c733f2be3..66b6aa540 100644
--- a/en/azure/kubernetesservice/kubernetes-rbac-enabled.md
+++ b/en/azure/kubernetesservice/kubernetes-rbac-enabled.md
@@ -16,3 +16,4 @@
 ## Detailed Remediation Steps
+
diff --git a/en/azure/loadbalancer/lb-https-only.md b/en/azure/loadbalancer/lb-https-only.md
index 0e29519f4..7cfb3add1 100644
--- a/en/azure/loadbalancer/lb-https-only.md
+++ b/en/azure/loadbalancer/lb-https-only.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure that each load balancer only accepts connections on port 443. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Load balancers.
3. Select the "Load balancer" by clicking on the "Name" as a link which needs to be configured only to accept connections on HTTPS ports.
diff --git a/en/azure/loadbalancer/lb-no-instances.md b/en/azure/loadbalancer/lb-no-instances.md
index 1c81a4419..74728d8b2 100644
--- a/en/azure/loadbalancer/lb-no-instances.md
+++ b/en/azure/loadbalancer/lb-no-instances.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Delete old load balancers that no longer have backend resources. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Load balancers.
3. Select the "Load balancer" by clicking on the "Name" as a link which needs to be checked for active Instances.
diff --git a/en/azure/logalerts/network-security-groups-logging-enabled.md b/en/azure/logalerts/network-security-groups-logging-enabled.md
index 502336f2d..2d6444313 100644
--- a/en/azure/logalerts/network-security-groups-logging-enabled.md
+++ b/en/azure/logalerts/network-security-groups-logging-enabled.md
@@ -9,10 +9,11 @@
 | **Plugin Title** | Network Security Groups Logging Enabled |
 | **Cloud** | AZURE |
 | **Category** | Log Alerts |
-| **Description** | Ensures Activity Log alerts for the create or update and delete Network Security Group Rule events are enabled |
+| **Description** | Ensures Activity Log alerts for the create or update and delete Network Security Group events are enabled |
 | **More Info** | Monitoring for create or update and delete Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. |
 | **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts |
-| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Network Security Group Rule create or update and delete events. |
+| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Network Security Group create or update and delete events. |
 ## Detailed Remediation Steps
+
diff --git a/en/azure/logalerts/network-security-groups-rule-logging-enabled.md b/en/azure/logalerts/network-security-groups-rule-logging-enabled.md
new file mode 100644
index 000000000..b31b341dc
--- /dev/null
+++ b/en/azure/logalerts/network-security-groups-rule-logging-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Log Alerts / Network Security Groups Rule Logging Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Network Security Groups Rule Logging Enabled |
+| **Cloud** | AZURE |
+| **Category** | Log Alerts |
+| **Description** | Ensures Activity Log alerts for the create or update and delete Network Security Group rule events are enabled |
+| **More Info** | Monitoring for create or update and delete Network Security Group rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts |
+| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Network Security Group rule create or update and delete events. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/logalerts/policy-assignment-alerts-enabled.md b/en/azure/logalerts/policy-assignment-alerts-enabled.md
new file mode 100644
index 000000000..a6e342750
--- /dev/null
+++ b/en/azure/logalerts/policy-assignment-alerts-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Log Alerts / Policy Assignment Alerts Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Policy Assignment Alerts Enabled |
+| **Cloud** | AZURE |
+| **Category** | Log Alerts |
+| **Description** | Ensures Activity Log alerts for create or update and delete Policy Assignment events are enabled |
+| **More Info** | Monitoring for create or update and delete Policy Assignment events gives insight into policy changes and may reduce the time it takes to detect suspicious activity. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts |
+| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Policy Assignment create or update and delete events. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/logalerts/security-policy-alerts-enabled.md b/en/azure/logalerts/security-policy-alerts-enabled.md
index 671f68baf..5c40504c0 100644
--- a/en/azure/logalerts/security-policy-alerts-enabled.md
+++ b/en/azure/logalerts/security-policy-alerts-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Add a new log alert to the Alerts service that monitors for Security Policy Rule create or update events. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Alerts.
3. On the "Alerts" page, click on the "Manage alert rules" at the top panel.
diff --git a/en/azure/logalerts/security-solution-logging.md b/en/azure/logalerts/security-solution-logging.md
index ca85d4978..9babe9e69 100644
--- a/en/azure/logalerts/security-solution-logging.md
+++ b/en/azure/logalerts/security-solution-logging.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Add a new log alert to the Alerts service that monitors for Security Solution create or update and delete events. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Alerts.
3. On the "Alerts" page, click on the "Manage alert rules" at the top panel.
diff --git a/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md b/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md
index 0e3f2c481..b44c3d96b 100644
--- a/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md
+++ b/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Add a new log alert to the Alerts service that monitors for SQL Server Firewall Rules create or update and delete events. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Alerts.
3. On the "Alerts" page, click on the "Manage alert rules" at the top panel.
diff --git a/en/azure/logalerts/virtual-network-alerts-monitor.md b/en/azure/logalerts/virtual-network-alerts-monitor.md
index 6c4c53193..cb68af119 100644
--- a/en/azure/logalerts/virtual-network-alerts-monitor.md
+++ b/en/azure/logalerts/virtual-network-alerts-monitor.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Add a new log alert to the Alerts service that monitors for Virtual Networks create or update and delete events. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Alerts.
3. On the "Alerts" page, click on the "Manage alert rules" at the top panel.
diff --git a/en/azure/monitor/key-vault-log-analytics-enabled.md b/en/azure/monitor/key-vault-log-analytics-enabled.md
index f958e00e3..155dd0898 100644
--- a/en/azure/monitor/key-vault-log-analytics-enabled.md
+++ b/en/azure/monitor/key-vault-log-analytics-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Send all diagnostic logs for Key Vault from the Azure Monitor service to Log Analytics. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Monitor.
3. On the "Monitor - Overview" page scroll down the left navigation panel and click on "Diagnostics" under Settings.
diff --git a/en/azure/monitor/load-balancer-log-analytics-enabled.md b/en/azure/monitor/load-balancer-log-analytics-enabled.md
index e5cf84f6d..6e1729d97 100644
--- a/en/azure/monitor/load-balancer-log-analytics-enabled.md
+++ b/en/azure/monitor/load-balancer-log-analytics-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Send all diagnostic logs for Load Balancers from the Azure Monitor service to Log Analytics. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Load balancer.
3. Select the "Load balancer" which needs to be verified.
diff --git a/en/azure/monitor/log-profile-archive-data.md b/en/azure/monitor/log-profile-archive-data.md
index 5f8246268..13604a028 100644
--- a/en/azure/monitor/log-profile-archive-data.md
+++ b/en/azure/monitor/log-profile-archive-data.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure that all activity is logged to the Event Hub or storage account for archiving. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Log Analytics Workspace.
3. On the "Log Analytics workspaces" page select the resource accordingly.
diff --git a/en/azure/monitor/log-profile-retention-policy.md b/en/azure/monitor/log-profile-retention-policy.md
index 41110a6ee..428219de4 100644
--- a/en/azure/monitor/log-profile-retention-policy.md
+++ b/en/azure/monitor/log-profile-retention-policy.md
@@ -12,9 +12,10 @@
 | **Description** | Ensures that Log Profiles have a long retention policy. |
 | **More Info** | Log retention policies should be configured with sufficient retention to aid in investigation of prior security incidents and for compliance purposes. |
 | **AZURE Link** | https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile |
-| **Recommended Action** | Ensure that the Activity Log export to Event Hub is configured with a retention policy of at least 90 days. |
+| **Recommended Action** | Ensure that the Activity Log export to Event Hub is configured with a retention policy of at least 365 days. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Monitor.
3. Scroll down the left navigation panel and choose "Activity Log" option in the "Monitor" page.
diff --git a/en/azure/monitor/nsg-log-analytics-enabled.md b/en/azure/monitor/nsg-log-analytics-enabled.md
index ba0f7501f..d3bb48496 100644
--- a/en/azure/monitor/nsg-log-analytics-enabled.md
+++ b/en/azure/monitor/nsg-log-analytics-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable sending of logs to Log Analytics for each Network Security Group resource in the Azure Monitor. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network Security Group.
3. Select the "Network Security Group" which needs to be verified.
diff --git a/en/azure/mysqlserver/enforce-mysql-ssl-connection.md b/en/azure/mysqlserver/enforce-mysql-ssl-connection.md
new file mode 100644
index 000000000..32c488225
--- /dev/null
+++ b/en/azure/mysqlserver/enforce-mysql-ssl-connection.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / MySQL Server / Enforce MySQL SSL Connection
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Enforce MySQL SSL Connection |
+| **Cloud** | AZURE |
+| **Category** | MySQL Server |
+| **Description** | Ensures SSL connection is enforced on MySQL servers |
+| **More Info** | MySQL servers should be set to use SSL for data transmission to ensure all data is encrypted in transit. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security |
+| **Recommended Action** | Ensure the connection security of each Azure Database for MySQL is configured to enforce SSL connections. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/networksecuritygroups/default-security-group.md b/en/azure/networksecuritygroups/default-security-group.md
index ea3056f71..9ffca5c51 100644
--- a/en/azure/networksecuritygroups/default-security-group.md
+++ b/en/azure/networksecuritygroups/default-security-group.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Update the rules for the default security group to deny all traffic by default |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/excessive-security-groups.md b/en/azure/networksecuritygroups/excessive-security-groups.md
index 136d1053a..783dc3de8 100644
--- a/en/azure/networksecuritygroups/excessive-security-groups.md
+++ b/en/azure/networksecuritygroups/excessive-security-groups.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Limit the number of security groups to prevent accidental authorizations. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Verify the number of Security Groups which are having the same security rules and used separately.
diff --git a/en/azure/networksecuritygroups/network-watcher-enabled.md b/en/azure/networksecuritygroups/network-watcher-enabled.md
index f9e7b5e72..b26c3d0a7 100644
--- a/en/azure/networksecuritygroups/network-watcher-enabled.md
+++ b/en/azure/networksecuritygroups/network-watcher-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable the Network Watcher service in all locations. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network Watcher.
3. On the "Network Watcher" page, click on the Overview tab and check the status of the "Network Watcher."
diff --git a/en/azure/networksecuritygroups/open-all-ports.md b/en/azure/networksecuritygroups/open-all-ports.md
index ecb77420c..8117eea38 100644
--- a/en/azure/networksecuritygroups/open-all-ports.md
+++ b/en/azure/networksecuritygroups/open-all-ports.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict ports to known IP addresses |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-cifs.md b/en/azure/networksecuritygroups/open-cifs.md
index ff0fffb73..2c8435808 100644
--- a/en/azure/networksecuritygroups/open-cifs.md
+++ b/en/azure/networksecuritygroups/open-cifs.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-dns.md b/en/azure/networksecuritygroups/open-dns.md
index 52ace53fa..294ca7fb1 100644
--- a/en/azure/networksecuritygroups/open-dns.md
+++ b/en/azure/networksecuritygroups/open-dns.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-ftp.md b/en/azure/networksecuritygroups/open-ftp.md
index 76339bca9..b5e52a3fc 100644
--- a/en/azure/networksecuritygroups/open-ftp.md
+++ b/en/azure/networksecuritygroups/open-ftp.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md
index a48a8ae6a..78aa91408 100644
--- a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md
+++ b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md
index dcfc3c087..6041cdc05 100644
--- a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md
+++ b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-kibana.md b/en/azure/networksecuritygroups/open-kibana.md
index a5345ba92..04fbfb934 100644
--- a/en/azure/networksecuritygroups/open-kibana.md
+++ b/en/azure/networksecuritygroups/open-kibana.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-mysql.md b/en/azure/networksecuritygroups/open-mysql.md
index ed5ff4cc9..e558dd59e 100644
--- a/en/azure/networksecuritygroups/open-mysql.md
+++ b/en/azure/networksecuritygroups/open-mysql.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-netbios.md b/en/azure/networksecuritygroups/open-netbios.md
index 14f23049b..d62f61b77 100644
--- a/en/azure/networksecuritygroups/open-netbios.md
+++ b/en/azure/networksecuritygroups/open-netbios.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md b/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md
index 79c15fa51..3a9e5bad3 100644
--- a/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md
+++ b/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict TCP ports 1522 to known IP addresses |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-oracle.md b/en/azure/networksecuritygroups/open-oracle.md
index 65c010852..6831b5ee1 100644
--- a/en/azure/networksecuritygroups/open-oracle.md
+++ b/en/azure/networksecuritygroups/open-oracle.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-postgresql.md b/en/azure/networksecuritygroups/open-postgresql.md
index 745bc84e8..48acdb393 100644
--- a/en/azure/networksecuritygroups/open-postgresql.md
+++ b/en/azure/networksecuritygroups/open-postgresql.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-rdp.md b/en/azure/networksecuritygroups/open-rdp.md
index 2990c2a8d..5c4114f16 100644
--- a/en/azure/networksecuritygroups/open-rdp.md
+++ b/en/azure/networksecuritygroups/open-rdp.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-rpc.md b/en/azure/networksecuritygroups/open-rpc.md
index dc4cb968d..a24c38b5a 100644
--- a/en/azure/networksecuritygroups/open-rpc.md
+++ b/en/azure/networksecuritygroups/open-rpc.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-smbotcp.md b/en/azure/networksecuritygroups/open-smbotcp.md
index b5a6aae86..00d665275 100644
--- a/en/azure/networksecuritygroups/open-smbotcp.md
+++ b/en/azure/networksecuritygroups/open-smbotcp.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-smtp.md b/en/azure/networksecuritygroups/open-smtp.md
index 28866fda6..b0ec80a5c 100644
--- a/en/azure/networksecuritygroups/open-smtp.md
+++ b/en/azure/networksecuritygroups/open-smtp.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-sqlserver.md b/en/azure/networksecuritygroups/open-sqlserver.md
index 353bda272..85c1716fa 100644
--- a/en/azure/networksecuritygroups/open-sqlserver.md
+++ b/en/azure/networksecuritygroups/open-sqlserver.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-ssh.md b/en/azure/networksecuritygroups/open-ssh.md
index 3e52a34a8..f8237674f 100644
--- a/en/azure/networksecuritygroups/open-ssh.md
+++ b/en/azure/networksecuritygroups/open-ssh.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-telnet.md b/en/azure/networksecuritygroups/open-telnet.md
index 1931de5d7..5fbaaf4d7 100644
--- a/en/azure/networksecuritygroups/open-telnet.md
+++ b/en/azure/networksecuritygroups/open-telnet.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-vnc-client.md b/en/azure/networksecuritygroups/open-vnc-client.md
index 1c8cb9e75..5d872119b 100644
--- a/en/azure/networksecuritygroups/open-vnc-client.md
+++ b/en/azure/networksecuritygroups/open-vnc-client.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-vnc-server.md b/en/azure/networksecuritygroups/open-vnc-server.md
index 4e17ad072..739980b18 100644
--- a/en/azure/networksecuritygroups/open-vnc-server.md
+++ b/en/azure/networksecuritygroups/open-vnc-server.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/postgresqlserver/connection-throttling-enabled.md b/en/azure/postgresqlserver/connection-throttling-enabled.md
index 37fa77baf..dd3ffbb6f 100644
--- a/en/azure/postgresqlserver/connection-throttling-enabled.md
+++ b/en/azure/postgresqlserver/connection-throttling-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the connection_throttling setting enabled. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md b/en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md
new file mode 100644
index 000000000..a7fd28eac
--- /dev/null
+++ b/en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / PostgreSQL Server / Enforce PostgreSQL SSL Connection
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Enforce PostgreSQL SSL Connection |
+| **Cloud** | AZURE |
+| **Category** | PostgreSQL Server |
+| **Description** | Ensures SSL connections are enforced on PostgreSQL Servers |
+| **More Info** | SSL prevents infiltration attacks by encrypting the data stream between the server and application. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security |
+| **Recommended Action** | Ensure the connection security settings of each PostgreSQL server are configured to enforce SSL connections. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/postgresqlserver/log-checkpoints-enabled.md b/en/azure/postgresqlserver/log-checkpoints-enabled.md
index b47bb80bd..2ebf42fbb 100644
--- a/en/azure/postgresqlserver/log-checkpoints-enabled.md
+++ b/en/azure/postgresqlserver/log-checkpoints-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_checkpoints setting enabled. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/postgresqlserver/log-connections-enabled.md b/en/azure/postgresqlserver/log-connections-enabled.md
index 2272a260c..d5577b2b0 100644
--- a/en/azure/postgresqlserver/log-connections-enabled.md
+++ b/en/azure/postgresqlserver/log-connections-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_connections setting enabled. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/postgresqlserver/log-disconnections-enabled.md b/en/azure/postgresqlserver/log-disconnections-enabled.md
index 80b9b950d..542002c2a 100644
--- a/en/azure/postgresqlserver/log-disconnections-enabled.md
+++ b/en/azure/postgresqlserver/log-disconnections-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_disconnections setting enabled. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/postgresqlserver/log-duration-enabled.md b/en/azure/postgresqlserver/log-duration-enabled.md
index 929cac1c9..7b21e4a2f 100644
--- a/en/azure/postgresqlserver/log-duration-enabled.md
+++ b/en/azure/postgresqlserver/log-duration-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_duration setting enabled. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/postgresqlserver/log-retention-period.md b/en/azure/postgresqlserver/log-retention-period.md
index aac3cf5e5..df054f9b1 100644
--- a/en/azure/postgresqlserver/log-retention-period.md
+++ b/en/azure/postgresqlserver/log-retention-period.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_retention_days setting set to 4 or more days. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/queueservice/queue-service-all-access-acl.md b/en/azure/queueservice/queue-service-all-access-acl.md
index 30f924454..31bf6326a 100644
--- a/en/azure/queueservice/queue-service-all-access-acl.md
+++ b/en/azure/queueservice/queue-service-all-access-acl.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Disable global read, write, delete policies on all queues and ensure the ACL is configured with least privileges. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/resources/management-lock-enabled.md b/en/azure/resources/management-lock-enabled.md
index 318fc7ebd..fef1679e2 100644
--- a/en/azure/resources/management-lock-enabled.md
+++ b/en/azure/resources/management-lock-enabled.md
@@ -16,3 +16,4 @@
 ## Detailed Remediation Steps
+
diff --git a/en/azure/resources/resources-usage-limits.md b/en/azure/resources/resources-usage-limits.md
index 860be7de0..cc075ad04 100644
--- a/en/azure/resources/resources-usage-limits.md
+++ b/en/azure/resources/resources-usage-limits.md
@@ -16,3 +16,4 @@
 ## Detailed Remediation Steps
+
diff --git a/en/azure/securitycenter/admin-security-alerts-enabled.md b/en/azure/securitycenter/admin-security-alerts-enabled.md
index 35a02df4e..3bdab4d94 100644
--- a/en/azure/securitycenter/admin-security-alerts-enabled.md
+++ b/en/azure/securitycenter/admin-security-alerts-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure that security alerts are configured to be sent to subscription owners. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. On the "Security Center" page scroll down the left navigation panel and choose "Pricing and Settings."
diff --git a/en/azure/securitycenter/application-whitelisting-enabled.md b/en/azure/securitycenter/application-whitelisting-enabled.md
index ee0dbd42c..f12807cb6 100644
--- a/en/azure/securitycenter/application-whitelisting-enabled.md
+++ b/en/azure/securitycenter/application-whitelisting-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable Adaptive Application Controls for Virtual Machines from the Azure Security Center by ensuring AuditIfNotExists setting is used. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/auto-provisioning-enabled.md b/en/azure/securitycenter/auto-provisioning-enabled.md
index 7c5134e7f..6794d7b08 100644
--- a/en/azure/securitycenter/auto-provisioning-enabled.md
+++ b/en/azure/securitycenter/auto-provisioning-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure that the data collection settings of the subscription have Auto Provisioning set to enabled. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. On the "Security Center" page scroll down the left navigation panel and choose "Pricing and Settings."
diff --git a/en/azure/securitycenter/high-severity-alerts-enabled.md b/en/azure/securitycenter/high-severity-alerts-enabled.md
new file mode 100644
index 000000000..7bd593acc
--- /dev/null
+++ b/en/azure/securitycenter/high-severity-alerts-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Security Center / High Severity Alerts Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | High Severity Alerts Enabled |
+| **Cloud** | AZURE |
+| **Category** | Security Center |
+| **Description** | Ensures that high severity alerts are properly configured. |
+| **More Info** | Enabling high severity alerts ensures that microsoft alerts for potential security issues are sent and allows for quick mitigation of the associated risks. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details |
+| **Recommended Action** | Ensure that high severity alerts are configured to be sent. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/securitycenter/monitor-blob-encryption.md b/en/azure/securitycenter/monitor-blob-encryption.md
index 611816324..fced65cec 100644
--- a/en/azure/securitycenter/monitor-blob-encryption.md
+++ b/en/azure/securitycenter/monitor-blob-encryption.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable Adaptive Application Controls for Storage Accounts from the Azure Security Center by ensuring AuditIfNotExists setting is used for blob encryption. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-disk-encryption.md b/en/azure/securitycenter/monitor-disk-encryption.md
index f14661906..04f968952 100644
--- a/en/azure/securitycenter/monitor-disk-encryption.md
+++ b/en/azure/securitycenter/monitor-disk-encryption.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-endpoint-protection.md b/en/azure/securitycenter/monitor-endpoint-protection.md
index 473479c37..c66870e56 100644
--- a/en/azure/securitycenter/monitor-endpoint-protection.md
+++ b/en/azure/securitycenter/monitor-endpoint-protection.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Enable Adaptive Application Controls for Endpoint Protection from the Azure Security Center by ensuring AuditIfNotExists setting is used to monitor missing Endpoint Protection. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-jit-network-access.md b/en/azure/securitycenter/monitor-jit-network-access.md
index 01f579703..7b786b444 100644
--- a/en/azure/securitycenter/monitor-jit-network-access.md
+++ b/en/azure/securitycenter/monitor-jit-network-access.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure JIT Network Access monitoring is configured for compute and apps from the Azure Security Center. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-nsg-enabled.md b/en/azure/securitycenter/monitor-nsg-enabled.md
index e44217036..752dfc056 100644
--- a/en/azure/securitycenter/monitor-nsg-enabled.md
+++ b/en/azure/securitycenter/monitor-nsg-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure Network Security Group monitoring is configured from the Azure Security Center. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-sql-auditing.md b/en/azure/securitycenter/monitor-sql-auditing.md
index fae891258..37404c729 100644
--- a/en/azure/securitycenter/monitor-sql-auditing.md
+++ b/en/azure/securitycenter/monitor-sql-auditing.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-sql-encryption.md b/en/azure/securitycenter/monitor-sql-encryption.md
index 366070e28..7de78a049 100644
--- a/en/azure/securitycenter/monitor-sql-encryption.md
+++ b/en/azure/securitycenter/monitor-sql-encryption.md
@@ -16,6 +16,7 @@
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-system-updates.md b/en/azure/securitycenter/monitor-system-updates.md
index 470a3f8dc..08d11644d 100644
--- a/en/azure/securitycenter/monitor-system-updates.md
+++ b/en/azure/securitycenter/monitor-system-updates.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure System Update monitoring is configured for virtual machines from the Azure Security Center. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-vm-vulnerability.md b/en/azure/securitycenter/monitor-vm-vulnerability.md
index 4b0cea29b..1ca68d6ff 100644
--- a/en/azure/securitycenter/monitor-vm-vulnerability.md
+++ b/en/azure/securitycenter/monitor-vm-vulnerability.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure VM Vulnerability monitoring is configured for virtual machines from the Azure Security Center. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/security-configuration-monitoring.md b/en/azure/securitycenter/security-configuration-monitoring.md
index 05cca0704..e26e04c62 100644
--- a/en/azure/securitycenter/security-configuration-monitoring.md
+++ b/en/azure/securitycenter/security-configuration-monitoring.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure Security Configuration Monitoring is configured for virtual machines from the Azure Security Center. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/security-contacts-enabled.md b/en/azure/securitycenter/security-contacts-enabled.md
index f90d0f877..cee6c0327 100644
--- a/en/azure/securitycenter/security-contacts-enabled.md
+++ b/en/azure/securitycenter/security-contacts-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure that email notifications are configured for the subscription from the Security Center. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. On the "Security Center" page scroll down the left navigation panel and choose "Pricing and Settings."
diff --git a/en/azure/securitycenter/standard-pricing-enabled.md b/en/azure/securitycenter/standard-pricing-enabled.md
new file mode 100644
index 000000000..c558d02d4
--- /dev/null
+++ b/en/azure/securitycenter/standard-pricing-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Security Center / Standard Pricing Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Standard Pricing Enabled |
+| **Cloud** | AZURE |
+| **Category** | Security Center |
+| **Description** | Ensures that standard pricing is enabled in the security center |
+| **More Info** | Enabling standard pricing increases the security posture of the subscription. This enables advanced security monitoring for the services covered under the security center. |
+| **AZURE Link** | https://azure.microsoft.com/en-us/pricing/details/security-center/ |
+| **Recommended Action** | Ensure that standard pricing is enabled in the security center. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/sqldatabases/database-auditing-enabled.md b/en/azure/sqldatabases/database-auditing-enabled.md
index b1856fd45..8aa85fc03 100644
--- a/en/azure/sqldatabases/database-auditing-enabled.md
+++ b/en/azure/sqldatabases/database-auditing-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure that auditing is enabled for each SQL database. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for SQL databases.
3. On the "SQL database" page, select the SQL database that needs to be examine.
diff --git a/en/azure/sqldatabases/db-restorable.md b/en/azure/sqldatabases/db-restorable.md
index 9ed39aebb..e99eb0835 100644
--- a/en/azure/sqldatabases/db-restorable.md
+++ b/en/azure/sqldatabases/db-restorable.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure that each SQL database has automated backups configured with a sufficient retention period and that the last known backup operation completes successfully. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for SQL databases.
3. On the "SQL database" page, select the SQL database that needs to be examine.
diff --git a/en/azure/sqldatabases/sql-db-multiple-az.md b/en/azure/sqldatabases/sql-db-multiple-az.md
index 797f8e06c..e8acdf229 100644
--- a/en/azure/sqldatabases/sql-db-multiple-az.md
+++ b/en/azure/sqldatabases/sql-db-multiple-az.md
@@ -16,3 +16,4 @@
 ## Detailed Remediation Steps
+
diff --git a/en/azure/sqlserver/advanced-data-security-enabled.md b/en/azure/sqlserver/advanced-data-security-enabled.md
index f6d16dc74..a3703a23d 100644
--- a/en/azure/sqlserver/advanced-data-security-enabled.md
+++ b/en/azure/sqlserver/advanced-data-security-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | Ensure that Advanced Data Security is enabled for all SQL Servers. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for SQL servers.
3. On the "SQL server" page, select the SQL server that needs to be examine.
diff --git a/en/azure/sqlserver/audit-action-groups-enabled.md b/en/azure/sqlserver/audit-action-groups-enabled.md
index 46e9d4b3d..00c49b11e 100644
--- a/en/azure/sqlserver/audit-action-groups-enabled.md
+++ b/en/azure/sqlserver/audit-action-groups-enabled.md
@@ -15,6 +15,7 @@
 | **Recommended Action** | If SQL Server Audit Action and Groups is not configured properly when enabling Auditing, these settings must be configured in Powershell. |
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for SQL servers.
3. On the "SQL server" page, click on the "Cloud shell" button at the top to access "Power Shell" as "Audit Action Groups Enabled" cannot be checked from A"zure UI Console".
diff --git a/en/azure/sqlserver/audit-retention-policy.md b/en/azure/sqlserver/audit-retention-policy.md
new file mode 100644
index 000000000..2f08c7843
--- /dev/null
+++ b/en/azure/sqlserver/audit-retention-policy.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / SQL Server / Audit Retention Policy
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Audit Retention Policy |
+| **Cloud** | AZURE |
+| **Category** | SQL Server |
+| **Description** | Ensures that SQL Server Auditing retention policy is set to greater than 90 days |
+| **More Info** | Enabling SQL Server Auditing ensures that all activities are being logged properly, including potentially-malicious activity. Having a long retention policy ensures that all logs are kept for auditing and legal purposes. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing |
+| **Recommended Action** | Ensure that the storage account retention policy for each SQL server is set to greater than 90 days. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/sqlserver/azure-active-directory-admin-enabled.md b/en/azure/sqlserver/azure-active-directory-admin-enabled.md
new file mode 100644
index 000000000..3bf3c6155
--- /dev/null
+++ b/en/azure/sqlserver/azure-active-directory-admin-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / SQL Server / Azure Active Directory Admin Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Azure Active Directory Admin Enabled |
+| **Cloud** | AZURE |
+| **Category** | SQL Server |
+| **Description** | Ensures that Active Directory admin is enabled on all SQL servers. |
+| **More Info** | Enabling Active Directory admin allows users to manage account admins in a central location, allowing key rotation and permission management to be managed in one location for all servers and databases. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure |
+| **Recommended Action** | Ensure Azure Active Directory admin is enabled on all SQL servers. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/sqlserver/email-account-admins-enabled.md b/en/azure/sqlserver/email-account-admins-enabled.md
new file mode 100644
index 000000000..a7d35d3a6
--- /dev/null
+++ b/en/azure/sqlserver/email-account-admins-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / SQL Server / Email Account Admins Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Email Account Admins Enabled |
+| **Cloud** | AZURE |
+| **Category** | SQL Server |
+| **Description** | Ensures that email account admins is enabled in advanced data security for SQL servers. |
+| **More Info** | Enabling email account admins in advanced data security on all SQL servers ensures that monitored data for unusual activity, vulnerabilities, and threats get sent to the account admins and subscription owners. |
+| **AZURE Link** | https://docs.microsoft.com/en-gb/azure/sql-database/sql-database-advanced-data-security |
+| **Recommended Action** | Ensure that also send email notification to admins and subscription owners is enabled in advanced threat protections for all SQL servers. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/sqlserver/send-alerts-enabled.md b/en/azure/sqlserver/send-alerts-enabled.md
new file mode 100644
index 000000000..7d6ac096d
--- /dev/null
+++ b/en/azure/sqlserver/send-alerts-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / SQL Server / Send Alerts Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Send Alerts Enabled |
+| **Cloud** | AZURE |
+| **Category** | SQL Server |
+| **Description** | Ensures that send alerts is enabled in advanced data security for SQL servers. |
+| **More Info** | Enabling send alerts in advanced data security on all SQL servers ensures that monitored data for unusual activity, vulnerabilities, and threats get sent to the email addresses configured in advanced data protections. |
+| **AZURE Link** | https://docs.microsoft.com/en-gb/azure/sql-database/sql-database-advanced-data-security |
+| **Recommended Action** | Ensure that an email address is activated under send alerts in advanced data security for all SQL servers. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/sqlserver/server-auditing-enabled.md b/en/azure/sqlserver/server-auditing-enabled.md
new file mode 100644
index 000000000..f16fef4f5
--- /dev/null
+++ b/en/azure/sqlserver/server-auditing-enabled.md
@@ -0,0 +1,22 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / SQL Server / Server Auditing Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Server Auditing Enabled |
+| **Cloud** | AZURE |
+| **Category** | SQL Server |
+| **Description** | Ensures that SQL Server Auditing is enabled for SQL servers |
+| **More Info** | Enabling SQL Server Auditing ensures that all activities are being logged properly, including potentially-malicious activity. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing |
+| **Recommended Action** | Ensure that auditing is enabled for each SQL server. |
+
+## Detailed Remediation Steps
+
+
+
+
+
diff --git a/en/azure/sqlserver/sql-server-public-access.md b/en/azure/sqlserver/sql-server-public-access.md index 9ec9cda2c..18e01964c 100644 --- a/en/azure/sqlserver/sql-server-public-access.md +++ b/en/azure/sqlserver/sql-server-public-access.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that the firewall of each SQL Server is configured to prohibit traffic from the public 0.0.0.0 global IP address. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for SQL servers.
3. On the "SQL server" page, select the SQL server that needs to be examined.
diff --git a/en/azure/sqlserver/tde-protector-encrypted.md b/en/azure/sqlserver/tde-protector-encrypted.md index d0e9981c9..e18ed92ee 100644 --- a/en/azure/sqlserver/tde-protector-encrypted.md +++ b/en/azure/sqlserver/tde-protector-encrypted.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that a BYOK key is set for the Transparent Data Encryption of each SQL Server. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for SQL servers.
3. On the "SQL server" page, select the SQL server that needs to be examine.
diff --git a/en/azure/storageaccounts/blob-service-encryption.md b/en/azure/storageaccounts/blob-service-encryption.md index 52fc73ba4..a3f0b79c5 100644 --- a/en/azure/storageaccounts/blob-service-encryption.md +++ b/en/azure/storageaccounts/blob-service-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that Blob Service is configured to use a customer-provided key vault key. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for "Storage account."
3. On the "Storage account" page, scroll down the left navigation panel and choose "Containers" under the "Blob services."
diff --git a/en/azure/storageaccounts/file-service-encryption.md b/en/azure/storageaccounts/file-service-encryption.md index 6ca5266d1..d4068a9fa 100644 --- a/en/azure/storageaccounts/file-service-encryption.md +++ b/en/azure/storageaccounts/file-service-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that data encryption is enabled for each File Service. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for "Storage account."
3. On the "Storage account" page, scroll down the left navigation panel and choose "File shares" under the "File Service."
diff --git a/en/azure/storageaccounts/log-container-public-access.md b/en/azure/storageaccounts/log-container-public-access.md index abbd1b04c..d68a4b6ff 100644 --- a/en/azure/storageaccounts/log-container-public-access.md +++ b/en/azure/storageaccounts/log-container-public-access.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the access level for the storage account containing Activity Log data is set to private. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage accounts.
3. Select the "Storage account" by clicking on the "Name" as a link to access the configuration.
diff --git a/en/azure/storageaccounts/log-storage-encryption.md b/en/azure/storageaccounts/log-storage-encryption.md index 38db19e8e..7ef502b9c 100644 --- a/en/azure/storageaccounts/log-storage-encryption.md +++ b/en/azure/storageaccounts/log-storage-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the Storage Account used by Activity Logs is configured with a BYOK key. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Monitor.
3. Select the "Log Activity" on the "Monitor-Overview" page.
diff --git a/en/azure/storageaccounts/network-access-default-action.md b/en/azure/storageaccounts/network-access-default-action.md index 29ac271ff..ef83e4e47 100644 --- a/en/azure/storageaccounts/network-access-default-action.md +++ b/en/azure/storageaccounts/network-access-default-action.md @@ -15,6 +15,7 @@ | **Recommended Action** | Configure the firewall of each Storage Account to allow access only from known virtual networks. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/storageaccounts/storage-accounts-aad-enabled.md b/en/azure/storageaccounts/storage-accounts-aad-enabled.md index 05156dcab..3539de282 100644 --- a/en/azure/storageaccounts/storage-accounts-aad-enabled.md +++ b/en/azure/storageaccounts/storage-accounts-aad-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/storageaccounts/storage-accounts-encryption.md b/en/azure/storageaccounts/storage-accounts-encryption.md index 53c468154..5c18a98bb 100644 --- a/en/azure/storageaccounts/storage-accounts-encryption.md +++ b/en/azure/storageaccounts/storage-accounts-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure all Storage Accounts are configured with a BYOK key. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/storageaccounts/storage-accounts-https.md b/en/azure/storageaccounts/storage-accounts-https.md index 42c09f9f2..1ab454285 100644 --- a/en/azure/storageaccounts/storage-accounts-https.md +++ b/en/azure/storageaccounts/storage-accounts-https.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/storageaccounts/trusted-ms-access-enabled.md b/en/azure/storageaccounts/trusted-ms-access-enabled.md index 2c4fb4cfa..e45904235 100644 --- a/en/azure/storageaccounts/trusted-ms-access-enabled.md +++ b/en/azure/storageaccounts/trusted-ms-access-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | For each Storage Account, configure an exception for trusted Microsoft services. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/tableservice/table-service-all-access-acl.md b/en/azure/tableservice/table-service-all-access-acl.md index f6405c9ac..d6a8e411f 100644 --- a/en/azure/tableservice/table-service-all-access-acl.md +++ b/en/azure/tableservice/table-service-all-access-acl.md @@ -15,6 +15,7 @@ | **Recommended Action** | Disable global read, write, and delete policies on all tables and ensure the ACL is configured with least privileges. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/virtualmachines/classic-instances.md b/en/azure/virtualmachines/classic-instances.md index e3a4cdb24..15b321609 100644 --- a/en/azure/virtualmachines/classic-instances.md +++ b/en/azure/virtualmachines/classic-instances.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/scale-set-multi-az.md b/en/azure/virtualmachines/scale-set-multi-az.md index 810cf2b7b..3562fd909 100644 --- a/en/azure/virtualmachines/scale-set-multi-az.md +++ b/en/azure/virtualmachines/scale-set-multi-az.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/scale-sets-autoscale-enabled.md b/en/azure/virtualmachines/scale-sets-autoscale-enabled.md index bf5ede200..c6c6f9caa 100644 --- a/en/azure/virtualmachines/scale-sets-autoscale-enabled.md +++ b/en/azure/virtualmachines/scale-sets-autoscale-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-agent-enabled.md b/en/azure/virtualmachines/vm-agent-enabled.md index a6ebf7972..0c0f779d3 100644 --- a/en/azure/virtualmachines/vm-agent-enabled.md +++ b/en/azure/virtualmachines/vm-agent-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable the VM agent for all virtual machines. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Click on the "Pricing & Settings" option and choose the "Subscription" and click on the "Name" option as a link to access the configurations.
diff --git a/en/azure/virtualmachines/vm-auto-update-enabled.md b/en/azure/virtualmachines/vm-auto-update-enabled.md index 102a4f0dc..256ed3465 100644 --- a/en/azure/virtualmachines/vm-auto-update-enabled.md +++ b/en/azure/virtualmachines/vm-auto-update-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable VM auto update on all virtual machines | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Virtual Machines.
3. Select the "Virtual machine" by clicking the "Name" as a link to get into the configuration chanegs.
diff --git a/en/azure/virtualmachines/vm-availability-set-enabled.md b/en/azure/virtualmachines/vm-availability-set-enabled.md index c5c7eb776..897344608 100644 --- a/en/azure/virtualmachines/vm-availability-set-enabled.md +++ b/en/azure/virtualmachines/vm-availability-set-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-availability-set-limit.md b/en/azure/virtualmachines/vm-availability-set-limit.md index 4436cd53b..c08f69cd3 100644 --- a/en/azure/virtualmachines/vm-availability-set-limit.md +++ b/en/azure/virtualmachines/vm-availability-set-limit.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-data-disk-encryption.md b/en/azure/virtualmachines/vm-data-disk-encryption.md index 8433e0c1d..5ac03b7a3 100644 --- a/en/azure/virtualmachines/vm-data-disk-encryption.md +++ b/en/azure/virtualmachines/vm-data-disk-encryption.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-endpoint-protection.md b/en/azure/virtualmachines/vm-endpoint-protection.md index 5ee6d6109..e9d1289e1 100644 --- a/en/azure/virtualmachines/vm-endpoint-protection.md +++ b/en/azure/virtualmachines/vm-endpoint-protection.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | VM Endpoint Protection | | **Cloud** | AZURE | | **Category** | Virtual Machines | -| **Description** | Ensures that VM Endpoint Protection is enabled for all virutal machines | +| **Description** | Ensures that VM Endpoint Protection is enabled for all virtual machines | | **More Info** | Installing endpoint protection systems provides for real-time protection capabilities that help identify and remove viruses, spyware, and other malicious software, with configurable alerts for malicious or unwanted software. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection | | **Recommended Action** | Install endpoint protection on all virtual machines. | ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-instance-limit.md b/en/azure/virtualmachines/vm-instance-limit.md index ae5aa378b..618c806f6 100644 --- a/en/azure/virtualmachines/vm-instance-limit.md +++ b/en/azure/virtualmachines/vm-instance-limit.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-os-disk-encryption.md b/en/azure/virtualmachines/vm-os-disk-encryption.md index 432ee7346..147d55769 100644 --- a/en/azure/virtualmachines/vm-os-disk-encryption.md +++ b/en/azure/virtualmachines/vm-os-disk-encryption.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualnetworks/multiple-subnets.md b/en/azure/virtualnetworks/multiple-subnets.md index f548abb78..ab358db71 100644 --- a/en/azure/virtualnetworks/multiple-subnets.md +++ b/en/azure/virtualnetworks/multiple-subnets.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/clb/clb-cdn-enabled.md b/en/google/clb/clb-cdn-enabled.md index 3b6c1b13b..ec264a0fd 100644 --- a/en/google/clb/clb-cdn-enabled.md +++ b/en/google/clb/clb-cdn-enabled.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | CLB CDN Enabled | | **Cloud** | GOOGLE | | **Category** | CLB | -| **Description** | Ensure that Cloud CDN is enabled on all Load Balancers | -| **More Info** | Cloud CDN increases speed and reliability as well as lowers server costs. Enabling CDN on load balancers creates a highly available system and is part of GCP Best Practices | +| **Description** | Ensures that Cloud CDN is enabled on all load balancers | +| **More Info** | Cloud CDN increases speed and reliability as well as lowers server costs. Enabling CDN on load balancers creates a highly available system and is part of GCP best practices. | | **GOOGLE Link** | https://cloud.google.com/cdn/docs/quickstart | -| **Recommended Action** | 1.Enter the Network Services Service. 2. Select Cloud CDN. 3. Select add origin and connect a backend service. | +| **Recommended Action** | Enable Cloud CDN on all load balancers from the network services console. | ## Detailed Remediation Steps + diff --git a/en/google/clb/clb-https-only.md b/en/google/clb/clb-https-only.md index 751794d23..77dddfd78 100644 --- a/en/google/clb/clb-https-only.md +++ b/en/google/clb/clb-https-only.md @@ -9,10 +9,11 @@ | **Plugin Title** | CLB HTTPS Only | | **Cloud** | GOOGLE | | **Category** | CLB | -| **Description** | Ensures CLBs are configured to only accept connections on HTTPS ports. | +| **Description** | Ensures CLBs are configured to only accept connections on HTTPS ports | | **More Info** | For maximum security, CLBs can be configured to only accept HTTPS connections. Standard HTTP connections will be blocked. This should only be done if the client application is configured to query HTTPS directly and not rely on a redirect from HTTP. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/vpc | -| **Recommended Action** | Remove non-HTTPS listeners from load balancer. | +| **Recommended Action** | Remove non-HTTPS listeners from the load balancer. | ## Detailed Remediation Steps + 
diff --git a/en/google/clb/clb-no-instances.md b/en/google/clb/clb-no-instances.md index e0f793f8d..236f5e225 100644 --- a/en/google/clb/clb-no-instances.md +++ b/en/google/clb/clb-no-instances.md @@ -12,7 +12,8 @@ | **Description** | Detects CLBs that have no backend instances attached | | **More Info** | GCP does not allow for Load Balancers to be configured without backend instances attached. | | **GOOGLE Link** | https://cloud.google.com/load-balancing/docs/load-balancing-overview | -| **Recommended Action** | This Security misconfiguration is Covered by GCP. No actions necessary. | +| **Recommended Action** | This security misconfiguration is covered by GCP. No action is necessary. | ## Detailed Remediation Steps + diff --git a/en/google/clb/security-policy-enabled.md b/en/google/clb/security-policy-enabled.md index 54fe05605..28a440927 100644 --- a/en/google/clb/security-policy-enabled.md +++ b/en/google/clb/security-policy-enabled.md @@ -9,10 +9,11 @@ | **Plugin Title** | Security Policy Enabled | | **Cloud** | GOOGLE | | **Category** | CLB | -| **Description** | Ensure that All Backend Services have an attached Security Policy | -| **More Info** | Security Policies on Backend Services control the traffic on the load balancer. This creates edge security and can deny or allow specified IP addresses. | +| **Description** | Ensures all backend services have an attached security policy | +| **More Info** | Security policies on backend services control the traffic on the load balancer. This creates edge security and can deny or allow specified IP addresses. | | **GOOGLE Link** | https://cloud.google.com/armor/docs/security-policy-concepts | -| **Recommended Action** | 1. Enter the Network Security Service. 2. Select Cloud Armor and create a new policy. 3. Attach the newly created policy to the backend. | +| **Recommended Action** | Ensure all load balancers have an attached Cloud Armor security policy. | ## Detailed Remediation Steps + 
diff --git a/en/google/compute/autoscale-enabled.md b/en/google/compute/autoscale-enabled.md index 869cdef7e..0f78864a7 100644 --- a/en/google/compute/autoscale-enabled.md +++ b/en/google/compute/autoscale-enabled.md @@ -9,10 +9,11 @@ | **Plugin Title** | Autoscale Enabled | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensures instance groups have auto-scale enabled for high availability. | -| **More Info** | Enabling auto-scale increases efficiency and improves cost management for resources. | +| **Description** | Ensures instance groups have autoscale enabled for high availability | +| **More Info** | Enabling autoscale increases efficiency and improves cost management for resources. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/autoscaler/ | -| **Recommended Action** | 1. Enter the Compute service 2. Enter Instance Groups. 3. Select the Instance Group. 4. Select Edit Group and Enable Autoscaling | +| **Recommended Action** | Ensure autoscaling is enabled for all instance groups. | ## Detailed Remediation Steps + diff --git a/en/google/compute/connect-serial-ports-disabled.md b/en/google/compute/connect-serial-ports-disabled.md index beeff9724..32305ce7e 100644 --- a/en/google/compute/connect-serial-ports-disabled.md +++ b/en/google/compute/connect-serial-ports-disabled.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Connect Serial Ports Disabled | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensure Enable Connecting to Serial Ports is not enabled for VM Instance | -| **More Info** | The Serial Console does not allow restricting IP Addresses, which allows any IP address to connect to instance. | +| **Description** | Ensures connecting to serial ports is not enabled for VM instances | +| **More Info** | The serial console does not allow restricting IP Addresses, which allows any IP address to connect to instance and should therefore be disabled. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/interacting-with-serial-console | -| **Recommended Action** | 1.Enter the Compute Service. 2. Select the Instance. 3. Select Edit then deselect Enable Connecting to Serial Ports. | +| **Recommended Action** | Ensure the Enable Connecting to Serial Ports option is disabled for all compute instances. | ## Detailed Remediation Steps + diff --git a/en/google/compute/csek-encryption-enabled.md b/en/google/compute/csek-encryption-enabled.md index 0e50bc8bd..4a3a06c35 100644 --- a/en/google/compute/csek-encryption-enabled.md +++ b/en/google/compute/csek-encryption-enabled.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | CSEK Encryption Enabled | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensure Customer Supplied Encryption Key Encryption is enabled on Disks | -| **More Info** | Google encrypts all disks at rest by default. By using CSEK only the users with the key can access the disk. Anyone else, including Google, cannot access the disk ensuring maximum security on the disk. | +| **Description** | Ensures Customer Supplied Encryption Key Encryption is enabled on disks | +| **More Info** | Google encrypts all disks at rest by default. By using CSEK only the users with the key can access the disk. Anyone else, including Google, cannot access the disk data. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/disks/customer-supplied-encryption | -| **Recommended Action** | CSEK can only be configured when creating a disk, Delete the disk in question and redeploy with CSEK. | +| **Recommended Action** | CSEK can only be configured when creating a disk. Delete the disk and redeploy with CSEK. | ## Detailed Remediation Steps + diff --git a/en/google/compute/instance-level-ssh-only.md b/en/google/compute/instance-level-ssh-only.md index 59d77fd9f..63823c475 100644 --- a/en/google/compute/instance-level-ssh-only.md +++ b/en/google/compute/instance-level-ssh-only.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Instance Level SSH Only | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensure that instances are not configured to allow Project Wide SSH keys. | -| **More Info** | To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not accessible from project wide SSH keys. These keys are accessible through metadata and can become comprimised. | +| **Description** | Ensures that instances are not configured to allow project-wide SSH keys | +| **More Info** | To support the principle of least privilege and prevent potential privilege escalation it is recommended that instances are not give access to project-wide SSH keys through instance metadata. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys | -| **Recommended Action** | 1. Enter the Compute Service. 2. Select the Instance in question. 3. Select Edit at the top of the page. 4. Under SSH Keys ensure that Block Project-Wide SSH Keys is enabled. | +| **Recommended Action** | Ensure project-wide SSH keys are blocked for all instances. | ## Detailed Remediation Steps + diff --git a/en/google/compute/instances-multi-az.md b/en/google/compute/instances-multi-az.md index 3fc9ead00..affc1a646 100644 --- a/en/google/compute/instances-multi-az.md +++ b/en/google/compute/instances-multi-az.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/compute/ip-forwarding-disabled.md b/en/google/compute/ip-forwarding-disabled.md index 265a5b56a..130038edb 100644 --- a/en/google/compute/ip-forwarding-disabled.md +++ b/en/google/compute/ip-forwarding-disabled.md 
@@ -1,18 +1,19 @@ [![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) -# GOOGLE / Compute / Ip Forwarding Disabled +# GOOGLE / Compute / IP Forwarding Disabled ## Quick Info | | | |-|-| -| **Plugin Title** | Ip Forwarding Disabled | +| **Plugin Title** | IP Forwarding Disabled | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensure that IP forwarding is disabled on all Instances | +| **Description** | Ensures that IP forwarding is disabled on all instances | | **More Info** | Disabling IP forwarding ensures that the instance only sends and receives packets with matching destination or source IPs. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-routes | -| **Recommended Action** | IP Forwarding settings can only be chosen when creating a new instance, Delete the affected instances and redeploy with IP Forwarding disabled | +| **Recommended Action** | IP forwarding settings can only be chosen when creating a new instance. Delete the affected instances and redeploy with IP forwarding disabled. | ## Detailed Remediation Steps + diff --git a/en/google/compute/os-login-enabled.md b/en/google/compute/os-login-enabled.md new file mode 100644 index 000000000..af6a81fc9 --- /dev/null +++ b/en/google/compute/os-login-enabled.md 
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Compute / OS Login Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | OS Login Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Compute |
+| **Description** | Ensures OS login is enabled for the project |
+| **More Info** | Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users. |
+| **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/managing-instance-access |
+| **Recommended Action** | Set enable-oslogin in project-wide metadata so that it applies to all of the instances in the project. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/compute/vm-instances-least-privilege.md b/en/google/compute/vm-instances-least-privilege.md
new file mode 100644
index 000000000..ab1ff786a
--- /dev/null
+++ b/en/google/compute/vm-instances-least-privilege.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Compute / VM Instances Least Privilege
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | VM Instances Least Privilege |
+| **Cloud** | GOOGLE |
+| **Category** | Compute |
+| **Description** | Ensures that instances are not configured to use the default service account with full access to all cloud APIs |
+| **More Info** | To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned to the default service account, Compute Engine default service account with a scope allowing full access to all cloud APIs. |
+| **GOOGLE Link** | https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances |
+| **Recommended Action** | For all instances, if the default service account is used, ensure full access to all cloud APIs is not configured. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/compute/vm-max-instances.md b/en/google/compute/vm-max-instances.md
index 51e6f7e19..c2599b0f3 100644
--- a/en/google/compute/vm-max-instances.md
+++ b/en/google/compute/vm-max-instances.md
@@ -9,10 +9,11 @@ | **Plugin Title** | VM Max Instances | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensures the total number of VM instances does not exceed a set threshold. | +| **Description** | Ensures the total number of VM instances does not exceed a set threshold | | **More Info** | The number of running VM instances should be carefully audited, especially in unused regions, to ensure only approved applications are consuming compute resources. Many compromised Google accounts see large numbers of VM instances launched. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/ | | **Recommended Action** | Ensure that the number of running VM instances matches the expected count. If instances are launched above the threshold, investigate to ensure they are legitimate. | ## Detailed Remediation Steps + diff --git a/en/google/cryptographickeys/key-rotation.md b/en/google/cryptographickeys/key-rotation.md index 007249740..7c582bb27 100644 --- a/en/google/cryptographickeys/key-rotation.md +++ b/en/google/cryptographickeys/key-rotation.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Key Rotation | | **Cloud** | GOOGLE | | **Category** | Cryptographic Keys | -| **Description** | Ensures Cryptographic keys are set to rotate on a regular schedule | -| **More Info** | All Cryptographic keys should have key rotation enabled. Google will handle the rotation of the encryption key itself, as well as storage of previous keys, so previous data does not need to be re-encrypted before the rotation occurs. | +| **Description** | Ensures cryptographic keys are set to rotate on a regular schedule | +| **More Info** | All cryptographic keys should have key rotation enabled. Google will handle the rotation of the encryption key itself, as well as storage of previous keys, so previous data does not need to be re-encrypted before the rotation occurs. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-cryptoKeys | -| **Recommended Action** | Restrict TCP port 5900 to known IP addresses | +| **Recommended Action** | Ensure that cryptographic keys are set to rotate. | ## Detailed Remediation Steps + diff --git a/en/google/dns/dns-security-enabled.md b/en/google/dns/dns-security-enabled.md index 8c4252644..e55918720 100644 --- a/en/google/dns/dns-security-enabled.md +++ b/en/google/dns/dns-security-enabled.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | DNS Security Enabled | | **Cloud** | GOOGLE | | **Category** | DNS | -| **Description** | Ensures that DNS Security is enabled on all managed zones. | +| **Description** | Ensures that DNS Security is enabled on all managed zones | | **More Info** | DNS Security is a feature that authenticates all responses to domain name lookups. This prevents attackers from committing DNS hijacking or man in the middle attacks. | -| **GOOGLE Link** | https://cloud.google.com/dns/docs/dnssec?hl=en_US&_ga=2.190155811.-922741565.1560964300 | -| **Recommended Action** | 1. Enter the Cloud DNS Service. 2. Select the Managed Zone in question. 3. Enable DNSSEC. | +| **GOOGLE Link** | https://cloud.google.com/dns/docs/dnssec | +| **Recommended Action** | Ensure DNSSEC is enabled for all managed zones in the cloud DNS service. | ## Detailed Remediation Steps +
diff --git a/en/google/dns/dns-security-signing-algorithm.md b/en/google/dns/dns-security-signing-algorithm.md
new file mode 100644
index 000000000..9d35f65f0
--- /dev/null
+++ b/en/google/dns/dns-security-signing-algorithm.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / DNS / DNS Security Signing Algorithm
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | DNS Security Signing Algorithm |
+| **Cloud** | GOOGLE |
+| **Category** | DNS |
+| **Description** | Ensures that DNS Security is not using the RSASHA1 algorithm for key or zone signing |
+| **More Info** | DNS Security is a feature that authenticates all responses to domain name lookups. This prevents attackers from committing DNS hijacking or man in the middle attacks. |
+| **GOOGLE Link** | https://cloud.google.com/dns/docs/dnssec |
+| **Recommended Action** | Ensure that all managed zones using DNSSEC are not using the RSASHA1 algorithm for key or zone signing. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/iam/corporate-emails-only.md b/en/google/iam/corporate-emails-only.md
new file mode 100644
index 000000000..0f7ce47db
--- /dev/null
+++ b/en/google/iam/corporate-emails-only.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / IAM / Corporate Emails Only
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Corporate Emails Only |
+| **Cloud** | GOOGLE |
+| **Category** | IAM |
+| **Description** | Ensures that no users are using their Gmail accounts for access to GCP. |
+| **More Info** | Gmail accounts are personally created and are not controlled by organizations. Fully managed accounts are recommended for increased visiblity, auditing and control over access to resources. |
+| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview |
+| **Recommended Action** | Ensure that no users are actively using their Gmail accounts to access GCP. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/iam/kms-user-separation.md b/en/google/iam/kms-user-separation.md
new file mode 100644
index 000000000..877810934
--- /dev/null
+++ b/en/google/iam/kms-user-separation.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / IAM / KMS User Separation
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | KMS User Separation |
+| **Cloud** | GOOGLE |
+| **Category** | IAM |
+| **Description** | Ensures that no users have the KMS admin role and any one of the CryptoKey roles. |
+| **More Info** | Ensuring that no users have the KMS admin role and any one of the CryptoKey roles follows separation of duties, where no user should have access to resources out of the scope of duty. |
+| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview |
+| **Recommended Action** | Ensure that no service accounts have both the KMS admin role and any of CryptoKey roles attached. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/iam/service-account-admin.md b/en/google/iam/service-account-admin.md
new file mode 100644
index 000000000..920f8d5ea
--- /dev/null
+++ b/en/google/iam/service-account-admin.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / IAM / Service Account Admin
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Service Account Admin |
+| **Cloud** | GOOGLE |
+| **Category** | IAM |
+| **Description** | Ensures that user managed service accounts do not have any admin, owner, or write privileges. |
+| **More Info** | Service accounts are primarily used for API access to Google. It is recommended to not use admin access for service accounts. |
+| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview |
+| **Recommended Action** | Ensure that no service accounts have admin, owner, or write privileges. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/iam/service-account-key-rotation.md b/en/google/iam/service-account-key-rotation.md
new file mode 100644
index 000000000..c397956c6
--- /dev/null
+++ b/en/google/iam/service-account-key-rotation.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / IAM / Service Account Key Rotation
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Service Account Key Rotation |
+| **Cloud** | GOOGLE |
+| **Category** | IAM |
+| **Description** | Ensures that service account keys are rotated within 90 days of creation. |
+| **More Info** | Service account keys should be rotated so older keys that that might have been lost or compromised cannot be used to access Google services. |
+| **GOOGLE Link** | https://cloud.google.com/iam/docs/creating-managing-service-account-keys |
+| **Recommended Action** | Rotate service account keys that have not been rotated in over 90 days. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/iam/service-account-managed-keys.md b/en/google/iam/service-account-managed-keys.md
new file mode 100644
index 000000000..83278dc18
--- /dev/null
+++ b/en/google/iam/service-account-managed-keys.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / IAM / Service Account Managed Keys
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Service Account Managed Keys |
+| **Cloud** | GOOGLE |
+| **Category** | IAM |
+| **Description** | Ensures that service account keys are being managed by Google. |
+| **More Info** | Service account keys should be managed by Google to ensure that they are as secure as possible, including key rotations and restrictions to the accessibility of the keys. |
+| **GOOGLE Link** | https://cloud.google.com/iam/docs/creating-managing-service-account-keys |
+| **Recommended Action** | Ensure all user service account keys are being managed by Google. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/iam/service-account-separation.md b/en/google/iam/service-account-separation.md
new file mode 100644
index 000000000..e94211205
--- /dev/null
+++ b/en/google/iam/service-account-separation.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / IAM / Service Account Separation
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Service Account Separation |
+| **Cloud** | GOOGLE |
+| **Category** | IAM |
+| **Description** | Ensures that no users have both the Service Account User and Service Account Admin role. |
+| **More Info** | Ensuring that no users have both roles follows separation of duties, where no user should have access to resources out of the scope of duty. |
+| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview |
+| **Recommended Action** | Ensure that no service accounts have both the Service Account User and Service Account Admin role attached. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/iam/service-account-user.md b/en/google/iam/service-account-user.md
new file mode 100644
index 000000000..c5a4ea7aa
--- /dev/null
+++ b/en/google/iam/service-account-user.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / IAM / Service Account User
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Service Account User |
+| **Cloud** | GOOGLE |
+| **Category** | IAM |
+| **Description** | Ensures that no users have the Service Account User role. |
+| **More Info** | The Service Account User role gives users the access to all service accounts of a project. This can result in an elevation of privileges and is not recommended. |
+| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview |
+| **Recommended Action** | Ensure that no service accounts have the Service Account User role attached. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/iam/service-limits.md b/en/google/iam/service-limits.md
index 89cc4b14a..2f0076bcd 100644
--- a/en/google/iam/service-limits.md
+++ b/en/google/iam/service-limits.md
@@ -9,10 +9,11 @@ | **Plugin Title** | Service Limits | | **Cloud** | GOOGLE | | **Category** | IAM | -| **Description** | Determine if the number of resources is close to the per-account limit. | +| **Description** | Determines if the number of resources is close to the per-account limit. | | **More Info** | Google limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching. | | **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/limits | | **Recommended Action** | Contact GCP support to increase the number of resources available | ## Detailed Remediation Steps +
diff --git a/en/google/kubernetes/alias-ip-ranges-enabled.md b/en/google/kubernetes/alias-ip-ranges-enabled.md
new file mode 100644
index 000000000..2df9f232a
--- /dev/null
+++ b/en/google/kubernetes/alias-ip-ranges-enabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Alias IP Ranges Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Alias IP Ranges Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures all Kubernetes clusters have alias IP ranges enabled |
+| **More Info** | Alias IP ranges allow users to assign ranges of internal IP addresses as alias to a network interface. |
+| **GOOGLE Link** | https://cloud.google.com/monitoring/kubernetes-engine/ |
+| **Recommended Action** | Ensure that Kubernetes clusters have alias IP ranges enabled. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/automatic-node-repair-enabled.md b/en/google/kubernetes/automatic-node-repair-enabled.md
new file mode 100644
index 000000000..aeb159985
--- /dev/null
+++ b/en/google/kubernetes/automatic-node-repair-enabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Automatic Node Repair Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Automatic Node Repair Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures all Kubernetes cluster nodes have automatic repair enabled |
+| **More Info** | When automatic repair on nodes is enabled, the Kubernetes engine performs health checks on all nodes, automatically repairing nodes that fail health checks. This ensures that the Kubernetes environment stays optimal. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair |
+| **Recommended Action** | Ensure that automatic node repair is enabled on all node pools in Kubernetes clusters |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/automatic-node-upgrades-enabled.md b/en/google/kubernetes/automatic-node-upgrades-enabled.md
new file mode 100644
index 000000000..bc28a0b8a
--- /dev/null
+++ b/en/google/kubernetes/automatic-node-upgrades-enabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Automatic Node Upgrades Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Automatic Node Upgrades Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures all Kubernetes cluster nodes have automatic upgrades enabled |
+| **More Info** | Enabling automatic upgrades on nodes ensures that each node stays current with the latest version of the master branch, also ensuring that the latest security patches are installed to provide the most secure environment. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades |
+| **Recommended Action** | Ensure that automatic node upgrades are enabled on all node pools in Kubernetes clusters |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/basic-authentication-disabled.md b/en/google/kubernetes/basic-authentication-disabled.md
new file mode 100644
index 000000000..d4b85e299
--- /dev/null
+++ b/en/google/kubernetes/basic-authentication-disabled.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Basic Authentication Disabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Basic Authentication Disabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensure basic authentication is set to disabled on Kubernetes clusters. |
+| **More Info** | Basic authentication uses static passwords to authenticate, which is not the recommended method to authenticate into the Kubernetes API server. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster |
+| **Recommended Action** | Disable basic authentication on all clusters |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/kubernetes/cluster-labels-added.md b/en/google/kubernetes/cluster-labels-added.md
new file mode 100644
index 000000000..b3c97baf0
--- /dev/null
+++ b/en/google/kubernetes/cluster-labels-added.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Cluster Labels Added
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Cluster Labels Added |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures all Kubernetes clusters have labels added |
+| **More Info** | It is recommended to add labels to Kubernetes clusters to apply specific security settings and auto configure objects at creation. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/creating-managing-labels |
+| **Recommended Action** | Ensure labels are added to Kubernetes clusters |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/cluster-least-privilege.md b/en/google/kubernetes/cluster-least-privilege.md
new file mode 100644
index 000000000..34de39b6b
--- /dev/null
+++ b/en/google/kubernetes/cluster-least-privilege.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Cluster Least Privilege
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Cluster Least Privilege |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures Kubernetes clusters are created with limited service account access scopes |
+| **More Info** | Kubernetes service accounts should be limited in scope to the services necessary to operate the clusters. |
+| **GOOGLE Link** | https://cloud.google.com/compute/docs/access/service-accounts |
+| **Recommended Action** | Ensure that all Kubernetes clusters are created with limited access scope. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/cos-image-enabled.md b/en/google/kubernetes/cos-image-enabled.md
new file mode 100644
index 000000000..21bd47403
--- /dev/null
+++ b/en/google/kubernetes/cos-image-enabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / COS Image Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | COS Image Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures all Kubernetes cluster nodes have Container-Optimized OS enabled |
+| **More Info** | Container-Optimized OS is optimized to enhance node security. It is backed by a team at Google that can quickly patch it. |
+| **GOOGLE Link** | https://cloud.google.com/container-optimized-os/ |
+| **Recommended Action** | Enable Container-Optimized OS on all Kubernetes cluster nodes |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/default-service-account.md b/en/google/kubernetes/default-service-account.md
new file mode 100644
index 000000000..0bcf8b3f7
--- /dev/null
+++ b/en/google/kubernetes/default-service-account.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Default Service Account
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Default Service Account |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures all Kubernetes cluster nodes are not using the default service account. |
+| **More Info** | Kubernetes cluster nodes should use customized service accounts that have minimal privileges to run. This reduces the attack surface in the case of a malicious attack on the cluster. |
+| **GOOGLE Link** | https://cloud.google.com/container-optimized-os/ |
+| **Recommended Action** | Ensure that no Kubernetes cluster nodes are using the default service account |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/legacy-authorization-disabled.md b/en/google/kubernetes/legacy-authorization-disabled.md
new file mode 100644
index 000000000..6c2e8bcd2
--- /dev/null
+++ b/en/google/kubernetes/legacy-authorization-disabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Legacy Authorization Disabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Legacy Authorization Disabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensure legacy authorization is set to disabled on Kubernetes clusters |
+| **More Info** | The legacy authorizer in Kubernetes grants broad, statically defined permissions. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster |
+| **Recommended Action** | Disable legacy authorization on all clusters. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/logging-enabled.md b/en/google/kubernetes/logging-enabled.md
new file mode 100644
index 000000000..143f6387e
--- /dev/null
+++ b/en/google/kubernetes/logging-enabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Logging Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Logging Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures all Kubernetes clusters have logging enabled |
+| **More Info** | This setting should be enabled to ensure Kubernetes control plane logs are properly recorded. |
+| **GOOGLE Link** | https://cloud.google.com/monitoring/kubernetes-engine/legacy-stackdriver/logging |
+| **Recommended Action** | Ensure that logging is enabled on all Kubernetes clusters. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/master-authorized-network.md b/en/google/kubernetes/master-authorized-network.md
new file mode 100644
index 000000000..c4570ad93
--- /dev/null
+++ b/en/google/kubernetes/master-authorized-network.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Master Authorized Network
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Master Authorized Network |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures master authorized networks is set to enabled on Kubernetes clusters |
+| **More Info** | Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container clusters Kubernetes master endpoint. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks |
+| **Recommended Action** | Enable master authorized networks on all clusters. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/monitoring-enabled.md b/en/google/kubernetes/monitoring-enabled.md
index 8e33643ca..7edeed701 100644
--- a/en/google/kubernetes/monitoring-enabled.md
+++ b/en/google/kubernetes/monitoring-enabled.md
@@ -9,10 +9,11 @@ | **Plugin Title** | Monitoring Enabled | | **Cloud** | GOOGLE | | **Category** | Kubernetes | -| **Description** | Ensures all Kubernetes clusters have monitoring enabled | +| **Description** | Ensures all Kubernetes clusters have monitoring enabled | | **More Info** | Kubernetes supports monitoring through Stackdriver. | | **GOOGLE Link** | https://cloud.google.com/monitoring/kubernetes-engine/ | -| **Recommended Action** | 1. Enter the Kubernetes Service. 2. Select Clusters from the left blade. 3. Select edit on the cluster. 4. Enable Stackdriver Kubernetes Engine Monitoring or Legacy Stackdriver Monitoring. | +| **Recommended Action** | Ensure monitoring is enabled on all Kubernetes clusters. | ## Detailed Remediation Steps +
diff --git a/en/google/kubernetes/network-policy-enabled.md b/en/google/kubernetes/network-policy-enabled.md
new file mode 100644
index 000000000..75c893f92
--- /dev/null
+++ b/en/google/kubernetes/network-policy-enabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Network Policy Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Network Policy Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures all Kubernetes clusters have network policy enabled |
+| **More Info** | Kubernetes network policy creates isolation between cluster pods, this creates a more secure environment with only specified connections allowed. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy |
+| **Recommended Action** | Enable network policy on all Kubernetes clusters. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/pod-security-policy-enabled.md b/en/google/kubernetes/pod-security-policy-enabled.md
new file mode 100644
index 000000000..0e02bd5bb
--- /dev/null
+++ b/en/google/kubernetes/pod-security-policy-enabled.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Pod Security Policy Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Pod Security Policy Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures pod security policy is enabled for all Kubernetes clusters |
+| **More Info** | Kubernetes pod security policy is a resource that controls security sensitive aspects of the pod configuration. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies |
+| **Recommended Action** | Ensure that all Kubernetes clusters have pod security policy enabled. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/kubernetes/private-cluster-enabled.md b/en/google/kubernetes/private-cluster-enabled.md
new file mode 100644
index 000000000..2c6f72cd1
--- /dev/null
+++ b/en/google/kubernetes/private-cluster-enabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Private Cluster Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Private Cluster Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures private cluster is enabled for all Kubernetes clusters |
+| **More Info** | Kubernetes private clusters only have internal ip ranges, which ensures that their workloads are isolated from the public internet. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters |
+| **Recommended Action** | Ensure that all Kubernetes clusters have private cluster enabled. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/kubernetes/private-endpoint.md b/en/google/kubernetes/private-endpoint.md
index 1cb718b0a..819bc3466 100644
--- a/en/google/kubernetes/private-endpoint.md
+++ b/en/google/kubernetes/private-endpoint.md
@@ -16,3 +16,4 @@ ## Detailed Remediation Steps +
diff --git a/en/google/kubernetes/web-dashboard-disabled.md b/en/google/kubernetes/web-dashboard-disabled.md
new file mode 100644
index 000000000..2efbae866
--- /dev/null
+++ b/en/google/kubernetes/web-dashboard-disabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Kubernetes / Web Dashboard Disabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Web Dashboard Disabled |
+| **Cloud** | GOOGLE |
+| **Category** | Kubernetes |
+| **Description** | Ensures all Kubernetes clusters have the web dashboard disabled. |
+| **More Info** | It is recommended to disable the web dashboard because it is backed by a highly privileged service account. |
+| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/concepts/dashboards |
+| **Recommended Action** | Ensure that no Kubernetes clusters have the web dashboard enabled |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/logging/audit-configuration-logging.md b/en/google/logging/audit-configuration-logging.md
new file mode 100644
index 000000000..430989d51
--- /dev/null
+++ b/en/google/logging/audit-configuration-logging.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / Audit Configuration Logging
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Audit Configuration Logging |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures that logging and log alerts exist for audit configuration changes. |
+| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in audit configuration should be heavily monitored to prevent unauthorized changes. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ |
+| **Recommended Action** | Ensure that log alerts exist for audit configuration changes. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/logging/audit-logging-enabled.md b/en/google/logging/audit-logging-enabled.md
new file mode 100644
index 000000000..0bdd66b50
--- /dev/null
+++ b/en/google/logging/audit-logging-enabled.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / Audit Logging Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Audit Logging Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures that default audit logging is enabled on the project. |
+| **More Info** | The default audit logs should be configured to log all admin activities and write and read access to data for all services. In addition, no exempted members should be added to the logs to ensure proper delivery of all audit logs. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/audit/ |
+| **Recommended Action** | Ensure that the default audit logs are enabled to log all admin activities and write and read access to data for all services. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/logging/custom-role-logging.md b/en/google/logging/custom-role-logging.md
new file mode 100644
index 000000000..e8c4a2451
--- /dev/null
+++ b/en/google/logging/custom-role-logging.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / Custom Role Logging
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Custom Role Logging |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures that logging and log alerts exist for custom role creation and changes |
+| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in custom role should be heavily monitored to prevent unauthorized changes. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ |
+| **Recommended Action** | Ensure that log alerts exist for custom role creation and changes. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/logging/log-sinks-enabled.md b/en/google/logging/log-sinks-enabled.md
new file mode 100644
index 000000000..f2e020400
--- /dev/null
+++ b/en/google/logging/log-sinks-enabled.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / Log Sinks Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Log Sinks Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures a log sink is enabled to export all logs |
+| **More Info** | Log sinks send log data to a storage service for archival and compliance. A log sink with no filter is necessary to ensure that all logs are being properly sent. If logs are sent to a storage bucket, the bucket must exist and bucket versioning should exist. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/export/ |
+| **Recommended Action** | Ensure a log sink is configured properly with an empty filter and a destination. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/logging/project-ownership-logging.md b/en/google/logging/project-ownership-logging.md
new file mode 100644
index 000000000..956b71819
--- /dev/null
+++ b/en/google/logging/project-ownership-logging.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / Project Ownership Logging
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Project Ownership Logging |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures that logging and log alerts exist for project ownership assignments and changes |
+| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in project ownership should be heavily monitored to prevent unauthorized changes. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ |
+| **Recommended Action** | Ensure that log alerts exist for project ownership assignments and changes. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/logging/sql-configuration-logging.md b/en/google/logging/sql-configuration-logging.md
new file mode 100644
index 000000000..15d8b039c
--- /dev/null
+++ b/en/google/logging/sql-configuration-logging.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / SQL Configuration Logging
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | SQL Configuration Logging |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures that logging and log alerts exist for SQL configuration changes |
+| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in SQL configurations should be heavily monitored to prevent unauthorized changes. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ |
+| **Recommended Action** | Ensure that log alerts exist for SQL configuration changes. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/logging/storage-permissions-logging.md b/en/google/logging/storage-permissions-logging.md
new file mode 100644
index 000000000..8715936a7
--- /dev/null
+++ b/en/google/logging/storage-permissions-logging.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / Storage Permissions Logging
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Storage Permissions Logging |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures that logging and log alerts exist for storage permission changes |
+| **More Info** | Storage permissions include access to the buckets that store the logs, any changes in storage permissions should be heavily monitored to prevent unauthorized changes. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ |
+| **Recommended Action** | Ensure that log alerts exist for storage permission changes. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/logging/vpc-firewall-rule-logging.md b/en/google/logging/vpc-firewall-rule-logging.md
new file mode 100644
index 000000000..95f1a0270
--- /dev/null
+++ b/en/google/logging/vpc-firewall-rule-logging.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / VPC Firewall Rule Logging
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | VPC Firewall Rule Logging |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures that logging and log alerts exist for firewall rule changes |
+| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in firewall rule should be heavily monitored to prevent unauthorized changes. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ |
+| **Recommended Action** | Ensure that log alerts exist for firewall rule changes. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/logging/vpc-network-logging.md b/en/google/logging/vpc-network-logging.md
new file mode 100644
index 000000000..7bd957471
--- /dev/null
+++ b/en/google/logging/vpc-network-logging.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / VPC Network Logging
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | VPC Network Logging |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures that logging and log alerts exist for VPC network changes |
+| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in VPC network should be heavily monitored to prevent unauthorized changes. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ |
+| **Recommended Action** | Ensure that log alerts exist for VPC network changes. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/logging/vpc-network-route-logging.md b/en/google/logging/vpc-network-route-logging.md
new file mode 100644
index 000000000..9694e225d
--- /dev/null
+++ b/en/google/logging/vpc-network-route-logging.md
@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / Logging / VPC Network Route Logging
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | VPC Network Route Logging |
+| **Cloud** | GOOGLE |
+| **Category** | Logging |
+| **Description** | Ensures that logging and log alerts exist for VPC network route changes |
+| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in VPC network route should be heavily monitored to prevent unauthorized changes. |
+| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ |
+| **Recommended Action** | Ensure that log alerts exist for VPC network route changes. |
+
+## Detailed Remediation Steps
+
diff --git a/en/google/sql/any-host-root-access.md b/en/google/sql/any-host-root-access.md
new file mode 100644
index 000000000..922db482f
--- /dev/null
+++ b/en/google/sql/any-host-root-access.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / SQL / Any Host Root Access
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Any Host Root Access |
+| **Cloud** | GOOGLE |
+| **Category** | SQL |
+| **Description** | Ensures SQL instances root user cannot be accessed from any host |
+| **More Info** | Root access for SQL instance should only be allowed from whitelisted IPs to ensure secure access only from trusted entities. |
+| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/create-manage-users |
+| **Recommended Action** | Ensure that root access for SQL instances are not allowed from any host. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/sql/database-ssl-enabled.md b/en/google/sql/database-ssl-enabled.md
new file mode 100644
index 000000000..ca738f105
--- /dev/null
+++ b/en/google/sql/database-ssl-enabled.md
@@ -0,0 +1,19 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# GOOGLE / SQL / Database SSL Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Database SSL Enabled |
+| **Cloud** | GOOGLE |
+| **Category** | SQL |
+| **Description** | Ensures SQL databases have SSL enabled |
+| **More Info** | Enabling SSL ensures that the sensitive data being transferred from the database is encrypted. |
+| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings |
+| **Recommended Action** | Ensure that SSL is enabled on all SQL databases. |
+
+## Detailed Remediation Steps
+
+
diff --git a/en/google/sql/db-automated-backups.md b/en/google/sql/db-automated-backups.md
index ce8189582..3df41c22e 100644
--- a/en/google/sql/db-automated-backups.md
+++ b/en/google/sql/db-automated-backups.md
@@ -12,7 +12,8 @@ | **Description** | Ensures automated backups are enabled for SQL instances | | **More Info** | Google provides a simple method of backing up SQL instances at a regular interval. This should be enabled to provide an option for restoring data in the event of a database compromise or hardware failure. | | **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | -| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select Edit at the top of the section. 4. Enter the Enable auto Backups and ensure automate backups is checked. | +| **Recommended Action** | Ensure that all database instances are configured with automatic backups enabled. | ## Detailed Remediation Steps + diff --git a/en/google/sql/db-multiple-az.md b/en/google/sql/db-multiple-az.md index 711445cab..cbf45e413 100644 --- a/en/google/sql/db-multiple-az.md +++ b/en/google/sql/db-multiple-az.md 
@@ -1,18 +1,19 @@ [![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) -# GOOGLE / SQL / DB Multiple Az +# GOOGLE / SQL / DB Multiple AZ ## Quick Info | | | |-|-| -| **Plugin Title** | DB Multiple Az | +| **Plugin Title** | DB Multiple AZ | | **Cloud** | GOOGLE | | **Category** | SQL | -| **Description** | Ensures that SQL instances have a failover replica to be cross-AZ for high availability. | +| **Description** | Ensures that SQL instances have a failover replica to be cross-AZ for high availability | | **More Info** | Creating SQL instances in with a single AZ creates a single point of failure for all systems relying on that database. All SQL instances should be created in multiple AZs to ensure proper failover. | | **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | -| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select the Replicas tab. 4. Select Create Failover Replica and follow the prompts. | +| **Recommended Action** | Ensure that all database instances have a DB replica enabled in a secondary AZ. | ## Detailed Remediation Steps + diff --git a/en/google/sql/db-publicly-accessible.md b/en/google/sql/db-publicly-accessible.md index 38c2ee23f..7b337009a 100644 --- a/en/google/sql/db-publicly-accessible.md +++ b/en/google/sql/db-publicly-accessible.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/sql/db-restorable.md b/en/google/sql/db-restorable.md index 0808f828e..475fac272 100644 --- a/en/google/sql/db-restorable.md +++ b/en/google/sql/db-restorable.md 
@@ -12,7 +12,8 @@ | **Description** | Ensures SQL instances can be restored to a recent point | | **More Info** | Google will maintain a point to which the database can be restored. This point should not drift too far into the past, or else the risk of irrecoverable data loss may occur. | | **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | -| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select Edit at the top of the section. 4. Enter the Enable auto Backups and ensure that Enable Binary Logging is checked. | +| **Recommended Action** | Ensure all database instances are configured with automatic backups and can be restored to a recent point with binary logging enabled. | ## Detailed Remediation Steps + diff --git a/en/google/storage/bucket-logging.md b/en/google/storage/bucket-logging.md index bd59dc07a..cb0b3dfbf 100644 --- a/en/google/storage/bucket-logging.md +++ b/en/google/storage/bucket-logging.md @@ -9,10 +9,11 @@ | **Plugin Title** | Bucket Logging | | **Cloud** | GOOGLE | | **Category** | Storage | -| **Description** | Ensures object Logging is enabled on storage buckets | +| **Description** | Ensures object logging is enabled on storage buckets | | **More Info** | Storage bucket logging helps maintain an audit trail of access that can be used in the event of a security incident. | | **GOOGLE Link** | https://cloud.google.com/storage/docs/access-logs | | **Recommended Action** | Bucket Logging can only be enabled by using the Command Line Interface and the log bucket must already be created. Use this command to enable Logging: gsutil logging set on -b gs://[LOG_BUCKET_NAME] -o AccessLog gs://[BUCKET_NAME] | ## Detailed Remediation Steps + diff --git a/en/google/storage/bucket-versioning.md b/en/google/storage/bucket-versioning.md index 4c8b2c61b..b1b0f3707 100644 --- a/en/google/storage/bucket-versioning.md +++ b/en/google/storage/bucket-versioning.md 
@@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/storage/storage-bucket-all-users-policy.md b/en/google/storage/storage-bucket-all-users-policy.md index 1795f4398..0623e01e7 100644 --- a/en/google/storage/storage-bucket-all-users-policy.md +++ b/en/google/storage/storage-bucket-all-users-policy.md @@ -12,7 +12,8 @@ | **Description** | Ensures Storage bucket policies do not allow global write, delete, or read permissions | | **More Info** | Storage buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted only to known users or accounts. | | **GOOGLE Link** | https://cloud.google.com/storage/docs/access-control/iam | -| **Recommended Action** | 1. Enter the Storage Service. 2. Select the ... next to the Bucket and choose Edit Bucket Permissions. 3. In each Permission, ensure that no member is allUsers or allAuthenticatedUsers | +| **Recommended Action** | Ensure that each storage bucket is configured so that no member is set to allUsers or allAuthenticatedUsers. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/default-vpc-in-use.md b/en/google/vpcnetwork/default-vpc-in-use.md index db029ec3d..2ea1b7f6d 100644 --- a/en/google/vpcnetwork/default-vpc-in-use.md +++ b/en/google/vpcnetwork/default-vpc-in-use.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Default VPC In Use | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determines whether the default VPC is being used for launching VM instances. | +| **Description** | Determines whether the default VPC is being used for launching VM instances | | **More Info** | The default VPC should not be used in order to avoid launching multiple services in the same network which may not require connectivity. Each application, or network tier, should use its own VPC. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/vpc | | **Recommended Action** | Move resources from the default VPC to a new VPC created for that application or resource group. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/excessive-firewall-rules.md b/en/google/vpcnetwork/excessive-firewall-rules.md index 418fb3bef..c632b964f 100644 --- a/en/google/vpcnetwork/excessive-firewall-rules.md +++ b/en/google/vpcnetwork/excessive-firewall-rules.md @@ -9,10 +9,11 @@ | **Plugin Title** | Excessive Firewall Rules | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if there are an excessive number of firewall rules in the account | +| **Description** | Determines if there are an excessive number of firewall rules in the account | | **More Info** | Keeping the number of firewall rules to a minimum helps reduce the attack surface of an account. Rather than creating new rules with the same rules for each project, common rules should be grouped under the same firewall rule. For example, instead of adding port 22 from a known IP to every firewall rule, create a single "SSH" firewall rule which can be used on multiple instances. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | | **Recommended Action** | Limit the number of firewall rules to prevent accidental authorizations | ## Detailed Remediation Steps + 
diff --git a/en/google/vpcnetwork/flow-logs-enabled.md b/en/google/vpcnetwork/flow-logs-enabled.md index 268fdaba1..8d14f1fbf 100644 --- a/en/google/vpcnetwork/flow-logs-enabled.md +++ b/en/google/vpcnetwork/flow-logs-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/multiple-subnets.md b/en/google/vpcnetwork/multiple-subnets.md index 8b45b1ae1..7fef1c291 100644 --- a/en/google/vpcnetwork/multiple-subnets.md +++ b/en/google/vpcnetwork/multiple-subnets.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-all-ports.md b/en/google/vpcnetwork/open-all-ports.md index c3be5ff5a..b95ee06e4 100644 --- a/en/google/vpcnetwork/open-all-ports.md +++ b/en/google/vpcnetwork/open-all-ports.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open All Ports | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if all ports are open to the public | +| **Description** | Determines if all ports are open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, services should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict ports to known IP addresses | +| **Recommended Action** | Restrict ports to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-cifs.md b/en/google/vpcnetwork/open-cifs.md index 4d39ee94a..14a872694 100644 --- a/en/google/vpcnetwork/open-cifs.md +++ b/en/google/vpcnetwork/open-cifs.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open CIFS | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if UDP port 445 for CIFS is open to the public | +| **Description** | Determines if UDP port 445 for CIFS is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as CIFS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict UDP port 445 to known IP addresses | +| **Recommended Action** | Restrict UDP port 445 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-dns.md b/en/google/vpcnetwork/open-dns.md index 4b6bb14c2..b64cdafd5 100644 --- a/en/google/vpcnetwork/open-dns.md +++ b/en/google/vpcnetwork/open-dns.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open DNS | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP or UDP port 53 for DNS is open to the public | +| **Description** | Determines if TCP or UDP port 53 for DNS is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as DNS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP and UDP port 53 to known IP addresses | +| **Recommended Action** | Restrict TCP and UDP port 53 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-ftp.md b/en/google/vpcnetwork/open-ftp.md index 09b0c6fbf..7423177e7 100644 --- a/en/google/vpcnetwork/open-ftp.md +++ b/en/google/vpcnetwork/open-ftp.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open FTP | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 20 or 21 for FTP is open to the public | +| **Description** | Determines if TCP port 20 or 21 for FTP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as FTP should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 20 or 21 to known IP addresses | +| **Recommended Action** | Restrict TCP port 20 or 21 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md index 69868ec11..b918f9bcf 100644 --- a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md +++ b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open Hadoop HDFS NameNode Metadata Service | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 8020 for HDFS NameNode metadata service is open to the public. | +| **Description** | Determines if TCP port 8020 for HDFS NameNode metadata service is open to the public. | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | | **Recommended Action** | Restrict TCP port 8020 to known IP addresses for Hadoop/HDFS. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md index fa11e743e..e8bca6677 100644 --- a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md +++ b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open Hadoop HDFS NameNode WebUI | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open to the public | +| **Description** | Determines if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | | **Recommended Action** | Restrict TCP port 50070 and 50470 to known IP addresses for Hadoop/HDFS | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-kibana.md b/en/google/vpcnetwork/open-kibana.md index 9f4c44687..def735a2b 100644 --- a/en/google/vpcnetwork/open-kibana.md +++ b/en/google/vpcnetwork/open-kibana.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open Kibana | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 5601 for Kibana is open to the public | +| **Description** | Determines if TCP port 5601 for Kibana is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Kibana should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 5601 to known IP addresses | +| **Recommended Action** | Restrict TCP port 5601 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-mysql.md b/en/google/vpcnetwork/open-mysql.md index aff65e67d..8bc591b7c 100644 --- a/en/google/vpcnetwork/open-mysql.md +++ b/en/google/vpcnetwork/open-mysql.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open MySQL | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 4333 or 3306 for MySQL is open to the public | +| **Description** | Determines if TCP port 4333 or 3306 for MySQL is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MySQL should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP ports 4333 and 3306 to known IP addresses | +| **Recommended Action** | Restrict TCP ports 4333 and 3306 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-netbios.md b/en/google/vpcnetwork/open-netbios.md index 2a61efca7..5e80e2b0d 100644 --- a/en/google/vpcnetwork/open-netbios.md +++ b/en/google/vpcnetwork/open-netbios.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open NetBIOS | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if UDP port 137 or 138 for NetBIOS is open to the public | +| **Description** | Determines if UDP port 137 or 138 for NetBIOS is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as NetBIOS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict UDP ports 137 and 138 to known IP addresses | +| **Recommended Action** | Restrict UDP ports 137 and 138 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md b/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md index 512064255..91cea951a 100644 --- a/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md +++ b/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open Oracle Auto Data Warehouse | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 1522 for Oracle Auto Data Warehouse is open to the public | +| **Description** | Determines if TCP port 1522 for Oracle Auto Data Warehouse is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP ports 1522 to known IP addresses | +| **Recommended Action** | Restrict TCP ports 1522 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-oracle.md b/en/google/vpcnetwork/open-oracle.md index 36008a9d1..5ec2f9441 100644 --- a/en/google/vpcnetwork/open-oracle.md +++ b/en/google/vpcnetwork/open-oracle.md 
@@ -9,12 +9,13 @@ | **Plugin Title** | Open Oracle | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 1521 for Oracle is open to the public | +| **Description** | Determines if TCP port 1521 for Oracle is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP ports 1521 to known IP addresses | +| **Recommended Action** | Restrict TCP ports 1521 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-postgresql.md b/en/google/vpcnetwork/open-postgresql.md index e275959be..72904da2a 100644 --- a/en/google/vpcnetwork/open-postgresql.md +++ b/en/google/vpcnetwork/open-postgresql.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open PostgreSQL | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 5432 for PostgreSQL is open to the public | +| **Description** | Determines if TCP port 5432 for PostgreSQL is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as PostgreSQL should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 5432 to known IP addresses | +| **Recommended Action** | Restrict TCP port 5432 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-rdp.md b/en/google/vpcnetwork/open-rdp.md index 8be192827..4a192ddd9 100644 --- a/en/google/vpcnetwork/open-rdp.md +++ b/en/google/vpcnetwork/open-rdp.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open RDP | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 3389 for RDP is open to the public | +| **Description** | Determines if TCP port 3389 for RDP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RDP should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 5432 to known IP addresses | +| **Recommended Action** | Restrict TCP port 5432 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-rpc.md b/en/google/vpcnetwork/open-rpc.md index aed28eec4..dd4aa37f7 100644 --- a/en/google/vpcnetwork/open-rpc.md +++ b/en/google/vpcnetwork/open-rpc.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open RPC | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 135 for RPC is open to the public | +| **Description** | Determines if TCP port 135 for RPC is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RPC should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 135 to known IP addresses | +| **Recommended Action** | Restrict TCP port 135 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-smbotcp.md b/en/google/vpcnetwork/open-smbotcp.md index 5d60caa7d..04be42ac4 100644 --- a/en/google/vpcnetwork/open-smbotcp.md 
+++ b/en/google/vpcnetwork/open-smbotcp.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open SMBoTCP | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 445 for Windows SMB over TCP is open to the public | +| **Description** | Determines if TCP port 445 for Windows SMB over TCP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMB should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 445 to known IP addresses | +| **Recommended Action** | Restrict TCP port 445 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-smtp.md b/en/google/vpcnetwork/open-smtp.md index bf06cf457..d9c52bb1d 100644 --- a/en/google/vpcnetwork/open-smtp.md +++ b/en/google/vpcnetwork/open-smtp.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open SMTP | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 25 for SMTP is open to the public | +| **Description** | Determines if TCP port 25 for SMTP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMTP should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 25 to known IP addresses | +| **Recommended Action** | Restrict TCP port 25 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-sqlserver.md b/en/google/vpcnetwork/open-sqlserver.md index 0b7b4a1a4..58f25343c 100644 --- a/en/google/vpcnetwork/open-sqlserver.md +++ b/en/google/vpcnetwork/open-sqlserver.md 
@@ -9,10 +9,11 @@
 | **Plugin Title** | Open SQLServer |
 | **Cloud** | GOOGLE |
 | **Category** | VPC Network |
-| **Description** | Determine if TCP port 1433 or UDP port 1434 for SQL Server is open to the public |
+| **Description** | Determines if TCP port 1433 or UDP port 1434 for SQL Server is open to the public |
 | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SQL server should be restricted to known IP addresses. |
 | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls |
-| **Recommended Action** | Restrict TCP port 1433 and UDP port 1434 to known IP addresses |
+| **Recommended Action** | Restrict TCP port 1433 and UDP port 1434 to known IP addresses. |
 
 ## Detailed Remediation Steps
 
+
diff --git a/en/google/vpcnetwork/open-ssh.md b/en/google/vpcnetwork/open-ssh.md
index ef97257ba..c0952d860 100644
--- a/en/google/vpcnetwork/open-ssh.md
+++ b/en/google/vpcnetwork/open-ssh.md
@@ -9,10 +9,11 @@
 | **Plugin Title** | Open SSH |
 | **Cloud** | GOOGLE |
 | **Category** | VPC Network |
-| **Description** | Determine if TCP port 22 for FTP is open to the public |
+| **Description** | Determines if TCP port 22 for FTP is open to the public |
 | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SSH should be restricted to known IP addresses. |
 | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls |
-| **Recommended Action** | Restrict TCP port 22 to known IP addresses |
+| **Recommended Action** | Restrict TCP port 22 to known IP addresses. |
 
 ## Detailed Remediation Steps
 
+
diff --git a/en/google/vpcnetwork/open-telnet.md b/en/google/vpcnetwork/open-telnet.md
index 741dc4f61..7293482a2 100644
--- a/en/google/vpcnetwork/open-telnet.md
+++ b/en/google/vpcnetwork/open-telnet.md
@@ -9,10 +9,11 @@
 | **Plugin Title** | Open Telnet |
 | **Cloud** | GOOGLE |
 | **Category** | VPC Network |
-| **Description** | Determine if TCP port 23 for Telnet is open to the public |
+| **Description** | Determines if TCP port 23 for Telnet is open to the public |
 | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Telnet should be restricted to known IP addresses. |
 | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls |
-| **Recommended Action** | Restrict TCP port 23 to known IP addresses |
+| **Recommended Action** | Restrict TCP port 23 to known IP addresses. |
 
 ## Detailed Remediation Steps
 
+
diff --git a/en/google/vpcnetwork/open-vnc-client.md b/en/google/vpcnetwork/open-vnc-client.md
index 07b8897a3..ad91a9d6f 100644
--- a/en/google/vpcnetwork/open-vnc-client.md
+++ b/en/google/vpcnetwork/open-vnc-client.md
@@ -9,10 +9,11 @@
 | **Plugin Title** | Open VNC Client |
 | **Cloud** | GOOGLE |
 | **Category** | VPC Network |
-| **Description** | Determine if TCP port 5500 for VNC Client is open to the public |
+| **Description** | Determines if TCP port 5500 for VNC Client is open to the public |
 | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Client should be restricted to known IP addresses. |
 | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls |
-| **Recommended Action** | Restrict TCP port 5500 to known IP addresses |
+| **Recommended Action** | Restrict TCP port 5500 to known IP addresses. |
 
 ## Detailed Remediation Steps
 
+
diff --git a/en/google/vpcnetwork/open-vnc-server.md b/en/google/vpcnetwork/open-vnc-server.md
index 4ff765326..35457e75b 100644
--- a/en/google/vpcnetwork/open-vnc-server.md
+++ b/en/google/vpcnetwork/open-vnc-server.md
@@ -9,10 +9,11 @@
 | **Plugin Title** | Open VNC Server |
 | **Cloud** | GOOGLE |
 | **Category** | VPC Network |
-| **Description** | Determine if TCP port 5900 for VNC Server is open to the public |
+| **Description** | Determines if TCP port 5900 for VNC Server is open to the public |
 | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Server should be restricted to known IP addresses. |
 | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls |
-| **Recommended Action** | Restrict TCP port 5900 to known IP addresses |
+| **Recommended Action** | Restrict TCP port 5900 to known IP addresses. |
 
 ## Detailed Remediation Steps
 
+
diff --git a/en/google/vpcnetwork/private-access-enabled.md b/en/google/vpcnetwork/private-access-enabled.md
index b75514385..69659ff6b 100644
--- a/en/google/vpcnetwork/private-access-enabled.md
+++ b/en/google/vpcnetwork/private-access-enabled.md
@@ -16,3 +16,4 @@
 
 ## Detailed Remediation Steps
 
+
diff --git a/resources/google/vpcnetwork/open-rdp/README.md b/resources/google/vpcnetwork/open-rdp/README.md
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/resources/google/vpcnetwork/open-rdp/README.md
@@ -0,0 +1 @@
+
diff --git a/resources/google/vpcnetwork/open-rdp/step2.png b/resources/google/vpcnetwork/open-rdp/step2.png new file mode 100644 index 0000000000000000000000000000000000000000..cab251b79b1a0f44f970c6388674d16085afacd6 GIT binary patch literal 40809 zcmZU41ymeM*DWr=EjSErfx+F~-Q6v?yIXK~g1ZL-!9BRULvVMuH@V;a<-Ip+^_rfN zQ&p#{tM=Ku=9{9t1kxwGPhenRNK%rb%3xsNeV|JQ4hED`VRrBp3=ButN<>6aN<;*p z=wxqhWn%^grWu-|1*@tmlXUJ)HOUx4a**vj!F50YZ8Ri;9u|!*hN+~gSbzhDhT1QR z2^oQlCWIDEO$u{M5*Yz^N^$7@^3K<0k>z~hqoSv$r>3{AHvrb1B^DDC6O;iS5i6C~ zrkM%n>G=Y;y#WUIWCA8CSOhaLh{waV3|{p1{(5ot0@oYWX!N9}^|AcX#h$tq{|EpB zP(i`M48n?$JwkvTX6I>oL4aw}hcIMjqqar*qK%15V2V1N(jw~&wp4OD5T;dM{c1@k z{RI!k3z;H~0vS*bnU6pL9ZKSaBay%_Ez3v`W0WIaC#1;9h6AS06(YgF?KMh!FI=a( zC9oUv#*q=|Z>n5w}JhK*?-`H1KM(4ro$yj8G&-n+Z}Q%Xrm4LRpjKg_n^^r| zAl}25ZgyDSii?T;um#crv(3-y0!Pt%*Q*xZf~^q?YK|sDx0>Q{Odd9!g#UD$`mLf9 z7@K$6@mK@MfBW|7&qXakVWh>>v(zieOuAJUP;y9n@oGbOA6MEN~{i0 za<){Td_#`NTj8ue36_U&>&8q6Cy9^X4KzfE0Ba09y0_Y0^@@YegW!gPBoXurzV;3| z&{jaac7wLs!Uz%;e9d*F{MtbRfX@fM<=1rW2_0(N&#Xj9UViSG?*1%FvWc-MKJc0` z4%se5-T0Bt2RF_3$y5F1J;^*;@syqVTi4zvrnmk6Oq20CbxnjS)=XI2fCaHt5__^; zC84kRKmEVHa0u+v?}P8N?W36!uLu&Cnvu&$K)2ux^|BFgzeec;CK3;txUxr*uG%hEx6^8m8_mdzTog zkoY*tb=8CX@R+|>cni-BPEc6&cP?$padY?e$PQ~3KdXuFf=XonnhU; z$%Q-xwuTHRT|`wqJ5>opbi!jK;fchD15*NoY8FAT1~4!}?03U(LU3#$v6J~BOZ>?| zPV8ZiN4gdSUqV3+{N#W+7vMF8I1%VJh2+(Z<|Mphz_bxgJI&Xfj22 z$j6HC7NW!mIRg@No-mPw`{!(U6t*awE{uw$Y_q!8t-So?*gr9VM|Z)uU81I(DTkK{S)ES3cb(eO=To&)$Wtgc{P(hvLxybBxi5(r=63CL;`_$P?kDvUX()5`IXU6|ofQ6loMe!+Z)x45kSNijazs z^ht$PBAOr?44eLdT8=mskq2NW;twqj0fz)|v~aO-s&RvHS#araS8>8|1X$40`!k|5 z*jb91QW$eAS|?e@Werme+09CrEf_VJ-I)c2TBKAhh-IP6_F=YFJ?WMFSH}^ z4gG}^Hc}+0FOw|Ngm{oE7A-b6`!)M_Hc9qVb}3gl=Ru1{OY|?{UvADn9r*q{57YPC zP7n_J2DIh8aG_*Mgbij;WgNgwx_-CPXV=%;0Bo$cA9&7jTTxdlt&Mq-jrozI-lpO0(AZ$!5( zy1mm2*&9WgNP14nMM_UPDfX>EyCA;+R?J(>q91DDbfD>54!Sp~JnAAk3N{d{i-sRa zLbFX%uTr4*Cx<+(=%;DsF3qrovMG&7IcK?bdH9T`75$Oq5$%x>uBNyirEZDxe&?4j zl_WAr)rr1<@PygasD#Q??=O=8`!BiV{?hL$5aB^N!m+|_y%u6jV#EWGksMfQDRU_W 
z$<`^~X;qSKlbw^>k}cFsRfAM%)rcw*)#z1O)Ob|8%7!aK%LtY5)hyJSH8#sPDm#nv z%Y_y>tFQD`WLX4n>h?|O+3BgO`LvrGnN}!QGFH}C5V-NU;kgf7-e*!4W9DqZP&?%Mr~L&fZ_cj}6}v;n$1i zO*d2rS=VnXa7V^wY?_w?xCYkN+k0O_LnFk}2WX;jWn4$AQ#Gm?)tl5|tB7=NbYQhO zG$)rVSBh3|mzkGZSJam}o094aS6!F;?%D4L?k5TQ35^L>2m=d$n$+(&Q%RL_mPSoz zT2LKGA2c(JFs$m@wf<;*Zewrtb7yf}J-DCK8{wPoSPUNSTP*A`*_a(`7;;{dnWkGm zso{v@7;o!?J=ob+IbdlX_LOX@uC^z0<_OZ21hYv#DIiCys-&K=G@_U8w~*utH{ zxr{oNtS*^=)`lfQ&W2}3qD6YfvBC6VeDsa*lT;c~E%UQfI&5QntNT;;upPEdu|3PG zq78i}6Qb5X9q}YNIFyt?r}SNke){n+;BW#*TGmu{^K&3QjSf-&$nX7u*ukTI!pN-r z)tQq&`5s-5u~6*fMi&an(rXEiw8MaM<|Bz864y_dsmbZd@2VMduXE+BQH>Zn(>lRT z_jVW?sU2r(t&Y!Eh}2|^g&ZoZEF8|vqs*23S?PoszCa0@QtE?Mx5+cTme&@o77U&* z?%5+IV}%EN8|7^`hYYt2D>Z>W^RL&hd+R-I7nsyo$(XMz7>x%L`g{u-$X}(frjU^NR{X7a$IQ))aL;(} zWz=6SM1!}2wcLhl%$@V&(nrl76f^8|YD6{z| z(N7Kq%N)zHopQP|9d2A_r}mBF&RU^{{QQJk$4#0?)j#DAa-DL); zoRAab-=7@Vw@!z+R-HQzeoo|e0{pfe=)RtuvzO8Tv@PLl_igWM+Yu_2v#?LI(>M_e zjiPD`ZKDI$8?3lzcyK*jkEArxIcu2I%0GnM$=*Ic@OSLHo*CsjZ+5$`o;2HOuKjYG zecVscd2VjCKUq6(FLW(^tNFd&pFg0ak6gt zGA4Wh<$~YI*YvjjV&`glYuepJ$;9A0IiHqK<{jdV&4cs)0R`|;U$raQZ<)D< z$?qs-x$=FnrZ!g|O3udz<70o(^jzn9HIb&LJj|W;qIFZJo%prxsBd?0DK2W(Ggp(J z@cql(Q?G%z|J|g=xU65kzgEWjP0Gv3u)X!B*FpBazE9kHCui3S>_gl$baiN!0H41+ zJ>^I58?8>F{;_tGo?jDs#}9OwVwFW@aLnuO{Cu#n?@$4!NMI)bWl9_E+8cJfPg49_ zZ2HWJ(}yH2>P$ER)bZG=D18pByn&yD#tRS_rPCd4uoxih#p40YiH0zk8KFw4!io=TE zm4s>+vmV7QdE;3b#rEb~hKDAYcG;$h7TU(@_8Vr7gV*2Yc}_fa8VMWta)XNs ze))rn`nwHkw92Yl9No+tYkUOsbP6W=N`XU$w2sXS!%~0%NTyW5R zBt3KPuN(?j;z-c*w3bmj-T0--&9=cA$g}Nite|Xlor;;IIz3n1IH;r3bS8~5G&N=_ zdcQDmT9AEt_S{m{a^a>sLAQb1DFe(U^DhVM7&NrM;jex>K>mV-K$Of^q*$O@pXh+DNWB~Q56~IgQKtXA{P8P82rTE zMs;$nd=-UN4b>;_1Lfy?qXZhswO+TFcbz82t*NG#B7J} zg3gkL>74DC4u7UQ66oUE#M=gIc#k~2p0q}9Ab|z?nbFR1lbv`z>s(47B~DHstAr}$ z7X_QJK6M{u+;SQ3k4L``R=TduNjo{mDtxh?DEST^-mX!KLxTkj-v8)dYuD&$X~kd& zLbOY!9tO=x%5Bk;!`lYd^tL-7^F~FAy$N3Q!kN^VU^smGRr{zfjK!3LIkqL{W_D}* z$yDByCU33*`N!K<{O;`z?SAK^%znepCK)3@^t0P%E&w;Rd?I6-Y+^-{AK*qVR!d)6 
zNKQ#dN=HjgOj}JbMvGASqlD?(ntF31k1L)F-R-B_W;{_GJ7yzpJdb z*Kx?*vZ^`az{y~*psylsq2gi7;dC>amIh=*VohQxVx_-5Y^NiN`#a;>gn_Xr@`?)m zy2H2J=;Zolh@XG8faUmOPjA1)vG@9bc-pT zJmfwT?-~EC(`?t(C3CLPaljJq++}rnh3ckxmj6+>masDDTWFt)noG;??EU@u&(LVr z&P{C!)uH`_!i4;A2ZFc3&GsJa1y${2_($eb;;ourEVF`cfWP0Xt7Aq}{kv#4{B8i2 z@o@;+^t5!#Z6_T3+$y}b$DqdIrJtjFRWwz;O`#NORn^~wmzQV;#)XLl{;}!hO1~VMSE*>QA z{QHfPN|t4ecMR(b=bqHH?^&gpyr#ox zx#MImo~p*~e{VeTc(2o9;jX&BcOJd5mtbF~QxKrb*nF_O@ijE&1^IlEKVDZ97|Rz? z1Wn;s>}XcM$Ar~563|zp#x8Lh`%Eaqr?2MQv3~=9&pn>xcE^A;5tAivYuh^2zGUoK z@_0IW^8-6k+j~WduqMY$PoXUoD5lrxlJb+P;6a=C;w}UqvYFhjbklPQ=nS+lG@jb& z8FHBFYe~>6?N{Lp~D1Cuk zz{!f{i}4M|=y}?S-O}F@yWDx3X5NHMqU9wweta-DXzC5x#usrFU?ilT4x83VJ@08`#wY@w{H~A6)Ofrc5 z$PmoW%h*a(OmoPL2&5Lj?OZatl7#n_irj@Q=RdN}AXrA_;_C?;u6D0OTZmSLf}5skuE=Up&j54VvyOFWG^)gbU9c;FP{ zoYi&GoBY*rwRPokM|*p|DSGdEPq)mA*Db1s)QISWf{Z+j$cJ?wTSAaP$VEUOD!P%x zDd#2i8YengRI;m3o^2(qBiH0vYGLkTj`pL^`Fzj%v}|Lzk&ev2qT55^d}E>a>Ma_U zAaa60mB*!HF8@?NRBbPY_JB+vcDtvR#M~YOH3KN~ z(ax*!pW_n1vX9rhO50`svsYBeCIE7BfZZitugIr({A3t4vXpo1bbR(evTcz|wMR1L zhAh%%DXa?OpAo5IF9itGe1}}oh+&a5eZ1X?b*W2)OZ)_%ErM6W@du)|cdi!UeL_ro z;gqsGqD9Fml1gyean2LuhS#IDqitpJWOK&C#yH~fT%*y2Gt9<~OiU^*I82FmBzH}B zY<8}A648kxh21rdP^=w<=*~V)#Hgp+)4L}f;_ zW?Bld=d>>xVO_>t&yM%o=DY?PV9#yO3fH&VxEy#+YP3JX12cQ%M85QC5JB_76s9ON z=JNY@-V~2KjxKs{9Lmcp5PDu*8rgX*mWFm!S-AOd@$g*Utv9D!=-yNatbJ~Jv(bI6 zEBfhUY5P_jh(82{WQg-cWM=5tLP&0kIy!WIOYjkFE!Y&TfEq=W{}}z4P8*LffI$Mq zB%RSM9b!!H3+_n}{b1+s;hh=Bhb#0)n^(FZifsa=Xicd<07By}!!iIu;t5U)PFu!l zx<2U>42BHG!1wFWpV{Nlwy7OqeZfin%Y7-ot9#yZN|QK}CNpy}v`%D#!b1)vVG1Zm z$il?Wzr%lH8YU@!ku-akyboQIcru8@q~J2cHjbQt?#2 zz1?vR#tsGMb|w1fFfnn`JhPh}Z+K6mND`~ZIR9!{+-%!# z@H_lS*BW}4dh)bMsKaUIydT}wc&c@m$&}$qC1QwTm`%+}vrwN?S5{}JsqyzIs~B0i z17}JH3-GM}ajgacri%t91FNq7xl%(t)jFPZ2Nz7EaKT?hyX|W_IH!*-*1DuO*3HGH z(>nsNU=gR81=|!PH>jIwN}0>afzg8Q;lRMdt-zo_ci^B44|IWnK_-TQ!GgZgL6>MA z#DC?2_vJzU_r1*Df1R1TZg|@z<52lLASPME=B+kTN^uPZVx`ve@bwJ?*AqONdf;9arw$eswt-k5V3bM z1F$i$GBA?ze*ypiyiTU(+{&Wj|5gY6;v=9Z@r96DKPN7b|-^z+byY#`dl*e59m*8~X3hfBI?W 
zVf8;P**X6^EYJXfe{+CL42;14whgMv`!|(a(aOWjMpM+v7UUjK8~m(nOuYY;|NnCS zr^Wx&RC6|S60x@hRdnJ1AOHSa`G05rzZL&!QtN-3WMTQgn*3im|JLLM{vG-M^2C4K z{7)*#&-|Zwf&cx?_&+6j=of>534%$93aNU4pXR`(V+_0u8eCe=BrpJ|<%%LBBok<9 zBcU;&p{ic{!#eUHKG)H?siF=90RYBAHUPNKMKTy@;71+O)2|0C?^Ne|iMmc{YkLeA zFT7IhJPi#jo9j6j?PlgTuQ!tdoxGmc5s{>MaMTdXG2M_Tya3OeeXM74zxAdUg}3&X zM+NPz@He=Z90%Pzk6FmswGYYbU+vFX&S;X;2szHc?+dzUL$+|LWr{+v+{e@cXxx8x z7HwxOT5MM?-eK+9K5F8eyX?9i(#{nB@G+@mLN%E+UJlW2CriO?N_@`whlK91g z8!^`ab9E?8a4|tNMJOkHhzi{OCc26(%Zt5hfe$3xxlsP?%J;R%o5KOS~c_rn_`>Q zCb?Lib55-$n~dGbT!UDF_eWMwSBVKR0E6i-f8i#H5#&Z@&URVNwJ9 z-=9iPH#$~x&)F+9Y8kpd-rHW^9yaYXDmJa>D~6x%PWIA4*ir5MdT-Qr`RRJE;pyRG z6ZmzZDq-d4*Oxc}hpmA4TASq`%Js%#AAam*4Lnq4NrQAn&aw%lVy|tBHF{r((TUDH;dn!-Mb7RxMWb8qDSVaks7qiT#&gV_H8m=q}}!;71DnAf0OW zbpA-RvGh$~7)-@&Uu(d5T>HUGU`0b?)i!#z+PvylV$>Iw!S$0U3k8b5_C~JXUoJ*RQs`#m;H5b~jU|ME2tU{`z!% z+Auk??!IaJp~6nSRBIrx+-Q|#`}JTVr`Y@9oIM99o&)TBENH)9`RcY=qt~{ZVeuVp zLIU5w_fAdbuzAz3O)q!aKhF*{VFXi26gz!9X*BEdK78VtOf}0CNj~`5aU5pTPS@KO z`ERJf;Cu;RxMGFax^~UF@Ey`<)kgOB=rr*%so#3@MZ$|*j%Jz!NP%}t^(Nu;Q9^BL zdAO&}h$Apo*$+brWbFPK%x0Wx_ezK(T>f=8$^s*ToIo?q{H~P-i?}nYj$pTyIO9Gp zE_eA9%hOIM$sbYXVT)W}N|7+cdJZaEA|~Sy-n%&!X3Hr+RygqZ&k!qEH8N_osu^R%aMz8q@(5P)o(DPZRr_!x%+I^x?FZkz zO;;MNW!;c*AApk@LPXz$K3E3g8kT66*2gduoKUv6- zpY}zH+V86lU zfP;%hT&_0T8+=etWf?SMftISTr~#^nDvyE$`A{6F_R9gh4x0dKaK!INh4TDQrYCqp zZ6Z@8b-K{VHITCoB-7ZemQ#ZA+(+axtfpb9VW`GH_?NZ!;vYV9&p zHvDv!IId-iWgy%+_R6Fo(RB`&bIE#1ZAkpEj6slFSO7MqOruyWI&h`UWO2xDR zXgDE{WG?q}-7L|pY*JyOXNO}U-|XJ)ks+xrN0uZA;fsw9=#NE?O&=4sJV8T74(4Nr z-Uv!`=H1@`MN{v;lsLoi!Ou`sXo@1=h}ejXRI$ohogIgRk1wDEC`;t*Od~Ezvg{I# z2O?WcJ#WT2&iVpd$kA_@Q7|)!_O)2$YC*!@Ea@En?3bW#r0Gvfl*ehHf%ap8fA_4N zWXw#OuHE`@@9(ciwayEr(ane*tH>1U!m!{o4lpPbN0M>5#kCBYXoi*IA|`z+XufdT z3wbHtbR@@4N8z1PhJ-#tYq(gb)~PlY>XOQFD(H8e;mg#>yR*r zm;MFyFU~50Vd>1-xhO2)CCatml5dzYd#jGI7`ThXGckr9dl7(*ZXV*?flv#-98Em0 zhpB8u4Lj z%i`zCzf8|t`}mm6_-mjM4jkQ~&oC>{nN=7Uafn20L~u4_Z7KXN%2`<0(pR(g5rw2x 
zh#QY+h2lta`0!*XTu?n9syepSWTAK>o<89ml_%K!SkSi&yHjFh&r4At8A)LrQDmF+SwKX?zgwPXz4%JY&NHFS0(5tI^afmQW<9aqz z9L48yJXc-=_p(|bhVT^`@CR$w!Z4$p+56qFV2_eKVh|n@nspY0ZkF}bDpV8LZC5ng z+C~ez{_g!taGWPe_}v9RN%|q{9KcKu8-Ggb^a^Hl8ZA_5-HZ5#rNBD{r&HrAhcsq? zpgB`qAr|EWwr+yq>IUMqmmpbFc;$ z@@`i}j1}N@9wTZRdS<134zY^Zq$@X&+++Z8s&fd3s}`-E6AbwBf~ z>ETp<`96)?*^1hR_XVHO&aU~sw&2Y4GfhyA$^#8V3q1IDk!KoiOMW|^RNErm=MX~( zt}7t`9u+}fK&~HL;G@H$;g8z|v{{;5L-a35%AuC+B?_^7Yw09MbcdzcQx7d(P>DcC zEW}&LmnXvmB(=`30%y0W3jU*14qcTR^3O3kU@_QG;tCyJcZq2Re#>n-lnUQ%1U7Qw zWz^!T*RuB4_k#q3CiKr|exWf@dH9ATyZ0e+4E=K4*)2}f|1oV4{|8G$cN%7YqPrA>^A3e7UUhYF_t$Ky3TS-fTO2_r7W2 zhFLwBf$-Pc=ze<^a3?`c!?HxjC559xgJuc;51@_|ya%8fSQybZb}$HP@_V>ikR+C2~aKKgY@n@?a@!Y(|o_{RY+RHEIC??juZwuuVy+RjsY}S zr1gIz1W9SAIoZtQG(G(4|BQc23?Npj?y)^(3#t%70Wp0K+(mg+ByOIZr?1n!@V{sp zt?h~ggA38oR#>E*_Z9{D#5gt}Exvt~Ng&~K8JuWfKpS>&LP3oj9&~)B8Yp{4qT7}8 zwG~C8L#R99bJ6co(4Le* zBOj**WgOWpLF}6xiP`~~^D9G&2T?bz0*#G!|KY>G++ORW$(@XB&?9c~uVaSzp#Z`m z1`(Gaz`3k}%hy1P3I%>XoScl=m3lajd~J^OCXqH8Kgs-}68$b!1`W zHC!NCw&A|>vq+Ovxvo7y8BWjeE>c+ibNwK|kIQGx5Qu7k`%k zjT+<((y4M4s^vEKTJpD-ENM)BX-dB?jRkuJ{HOcnwYMLSaUxDO<(SL$55!ORX^>8` z(}hKuB+b&rDyBy(B2E{pI(ttFZqGnuzh#NvwrL3lXNl5-MMLFmpGIa}!*?sN*@rK( z{#bnWGydb|xl{Quv|>QAE=dj5Yvs2+^Jh6isZf0Qa=UL26p2P2ST)*+0Z7owv>HmX zeXfTSg;}k58~cDT8rK|aPjDhuAq<5)lryjAzs6phIP2qi(*)vVb=nPDn`!rf$M!qt zkN0VBGxWZ;zWMkG8~JXD9i}JM`fc&-tzK`%T;3?6bi$#gqBJjK!d} zR^85+C_>YdBA^98aoDbq+jl;d+@7!NeEKYFdo(1emd#}i3KMa;bmNqu{)7dzaX>1d z7K|c|rFws0vx+WV7ZvVhiNPwfp<^7>ynWy>^K#F>cMI4azh#{_b`q<r6DYb3~{RdSB{rWgY88Kd6Hpou)zB<=<& z@+;TqaxMRIETj;fN5y!uwp#xaDwx_n8DBPSNh(n|o~z|B!5RWve(A_O{@5o^ojYmm zZD&xo8Cv;45zRahi_Ti2_8T)Yj!|*KMs>+LRG)r!kISQ^lw3>jpiPo(+ed1CT3RYNHnB;>alD{Iy0O8rj=Z(n7***agJm;avTS|H zdanOVTyhCLKL9~iuQ`($HCDi3iprJt1OHW6OJ)Bot)>(^Vfu|uQpIGW<7T}2hucZl zzR7U}itAvfzo}ufNs-Y{h??hnY>1F5Z~PD15~GytV6ePfWhwP2q~| zQXqbei>eFj4#dXlZ!;)y)~>lK(Qs{`I^3*;7F}IIL(^ku8T%yN_zO^TeAf}S&Kepo zVMCBUP(c_?Zh493VvDQx?o8%YruNrw8>ir#-_3aW$lR`o3E!*j`&iQ^2uGu8 
z2l{x1+{-ii%`%KfraMJRYGL5Gh_(G`A~Z37JqZ6|ckHn_P`uly4PBgkmBTF*>~r~M z``boWc7ko+I3+t=@EbY>6w)->pO=fS+#9@nHgzcGzyO9h+wNfA6%J~fA%`xKKx2q) zLe|~sCO>VAqi{+ubbq|_mKkyU)0wKWJF3IO986Wd>yGa*_!?}w^5nmX0 zBgLa%ty$eAUw1LyXAirf&K&l_MBWP!(z&6Y(I0TnoVL7Ip~ipdMET40yhFN>Awih@ zj+SbeJo|O^8-MTVAlKc$VQ&#BR^&R;1vaSZVq`?v*G_9HhVne^eds#dTftv#~E8|{Is-bndE zVKHN@$hD2!%e3jU2E$7*kj zrUd8drgA#%9*(VYn?Jv5w0aun1P0)a6}$?Eq|2C~DdC-XS$jqb@`8XISf&R%Al0my zgI{BH@l7)0uElybq7cZ&a4SL~7lXMz}Q)>C>w#{NTv7=I=M0G~dfBLMoL4*MR5A zXFy64PcKvO%QIwJG~FE9vijun50IGh2H|Ux@ST|6ZfV|Z??`HO@7jVReSUfXCTq<` zeVwF$l?);QsiQrb_io#*#dY_y48PjAXZs4BiXahDn;wIgOUE}Ddi$UJjY2Czg0UF; zYUo_jsIeM${LMw}mq+rRF1>DTEAniGLi~mW;vKac*ZU|=u0CvC!By&pF@k*-_a6q7`Yz2pZfh`M4yri7Z zw|evu@?YSarg?d2=j@qAj0P5l8;T$BMcV{o2*vaQb4;xQCUC!8rKjPXgB=X6jnGi^ zH~Y~w)GF1-k>qCCchR9h^d@!aC#)YAtS+@c7a^170^Bg|ZzvJMEjnj>9% z(7>eb>@if5JJBRioa6CSZxfzc3?~}Y-5ZKftXXetC5g3pTp$)zq}5>VmSDz_w>40W zgvVM(sBid$dK)M3PW^I!mh?LYf0SvE03)4Z`vXK>%X!@%k`Vh`24d1AGBwNeaxiDn zrqkCtjFdDTTVVx;2nSeUZu&mx3D46^)82rB#o9w>lJSZ{Ne0RaQs>qsoRB8^)8>j|EVArN!@rNLq{l|&@$ zFK4{I&GZ!7Se_<5AqudYF8b1X_O^B7oU5qldDC!qeIV*@RK|Yn_ct&g2uzaamO5Un z1?~*SJrF}J3puQ}y53ye*ctNoCv$>`q_&raN&cjnVwq7~i|p-5aj$_$tZK@G&8H81 z5X+THSj1|-p)1e14b^f|)ApK)^FHN$-Xa0w?I~Q3=g?SHL!Jub`0mqvKHeULbG}Vf zYt(+f%SuF6Vz-*@B?+v~Q?)52H7OnbY9as24AKP{7n0>B|n zdxD^^K`Z_0qP|gqUYB3TUmDnH)wWry_vNTGx5($|+RchbHghPP*pGTN4Vad}VzKgJ zSx5EVqhQ^fdmKgJ)o_x}WtSD+Fl(jAR|6A3sz<5TN6F z0NY^5by1IMQQy1z4#8O4HAL7!4y3%aFVC)rEdit(d09t}W=mHkwO*q^6kkK~7p)oV zDnf1-)YpWkn}Y`lY9im;E@x*Rw^Qm(pPLvy?EPiGw`VQ6IKpHJZhrZ(=H?BrN~Bk- z>4MOC=IP69#qcbH z*Y$RvCFt{40OIq$UnerjD;y zgF4FBsTg)yv8$Tkhg0cw7E)VGhtd7f zZVo1!DYtq7r7|~P}XVCNmxkwIfs@(l-W!_pj zU8E3gV?M$Fvezlfo%38G#6DuFjG$}GlbvOGD_Wb`kPM-5wGXm#n|rr8@zs#kB1bIOi9 z$Eb(hcZa$z#%1QDtvmh-n^$OpDu0rOM(gw0@?*@@;R8;o$)fsDkTX6)jnM$%5qH5Z2IfCr7-48QH}Y`nj`&Btbh5P3_(Hc;|VAa zud;tzJr@KqKrK7m)^z`pLLi`ABbNz(d8_zuvulBWn;mqWQ~xi*3nCCxFP0wT@F*W- z748rue`S>TKBB`1A z?_1UWu;IO-*IErH8r==jXZBX@yX5Ykt_F$8`1$ErIzhOd+2e96uXH!ZGmG8!hZRU8 
zduX=!9gPc``l)$?rlto-9BTk#|5wK;5d;4>S5FYX8eBs0BCi)az6K6T`8k%&r6SLJ zCE9Y{dZN6J0ooWj!5Xtj+~tx%P+=R^@4h{DF!OC5!j46^OK9-;fI z?n-TT`W7qZ3&X4PBsfpc0g9zlt{1CyTb!8f);K>t4Do|ukP_)?ehGtg^IwL; zj>`|Ac~?8vFZ0BXT4BG15!HTLHac;AOB2_ z^T9+43=$sHc&GI|?Gs3Y4g!s0BDo685X68BDX=*H5pDYbX~-&1&0l$CdD+RlHV z=dZ+_9H}e3j{uX81=#6^80x7qW=N)g8}pxV)-F< zC>f9a42vR>aAYm%u%2TyYvN#gR{ap~ryf}1#?M4GVxWyzgs|jgCnTWr==~$m>~@$H zMSO7E6eLa06iT4b=(RRt(y7Z%K|P$W({;UGN3Dks@8q~|)UVQM)L@F&ffVYLuA#Pz zPMwt|+mnwj?*}^?ou(>*Nsx#BYTIrGe^qi=upaInf|W`Q;9uzGYslCP^@+@U0)M3a z1+?qy%#^;W$a9Gid7m-``s9pdaVSji-pJA@7e&w?e53k)nH8Vwd#~j^_VNB8kQMvw z9<+z0g%f!V5!(6VuD8;#SuP}R|D*Y~x_+h6{Z*IkwqkWXBLfuk@vAd;@$H4D(u~Hn zWkFXT=7i9dVFjL3z@a&f!S@xcYINNB-DL1|F_GEQtETwFgO2r;wt!(Yni%!3u-I5>h-ZE#~XtE1EdnTc)Y^S#g|?3fy?Uvirc zp&A8@J4a(7(CN;W$k|@qvfRogN2%i>lQH&%Aix(w3Fd*SRWM2#UV>|3^ba}@31W{i zfwNd@))@v8dVre!txt6mgUXpO+zVqGOS|DeWX zH}nR#U~6Bb?fMhP$6uNHXE(R&@lw&=XxeI42tMW})IJg`?LldGJE5Rbh%42zp;W;gJ^l!(CN3Z+!AZF*`-f z;Q2(HHM>jwE%37`9GdIV%mA|TQ5`l=-{!*Lpm5)Fmw#`WEXN|@15w*E3?P!0)&s`L zY19qhLdshhk7XL6-VcbDPxel;aJ}9gR!Sm)@|joDSiUaD|0svl&ep(z5}D&Ig<4@W z41XjcI<9lr7S`eTZWMuu?nL-XmFr_%%{&o41n4lr z&^g|sNucgHkEkaiY~?0TCJS6oNy6&l1*|Q_8|MXopGLusLyN&^Boen)WH}vfe1b>lTd~H)T;+-wgU?nsVOlf4Gj9$K%dwkv=B@Zm-GJPPt&w>R_XUr zcR%sWxise)gq}3@lTuKo)VUDJbl~ zw@I>Z1iS@Mb9S%L?Z0T16t)K$11ATI05AF*j6*x$#BI=suqS7$5zAg{4nYHA5<7=8 zSP4q*925f9El_c!-x0w&3g0K=OSju1hfkZO>6x<`V?vMYEjyoNHA&c8^KRGJR8t1}jACvRsROZ%R$;yfxo1BrUmZ}>3*x!xw7SSJC zsl$oI>?9ZABqi^*@omM>xVJmOIn(nv)9^L?^0c^r6PQ>$i@?6ZWI7i+dmv&qmZ3x% z$)!SzhiVT~JKiDgW+$&Z84%tRbeX{8W%KYH#yDe~=6fbFv*y~_(cGM9HfIqXBRq(V z>~O_gGGy9KUJ!nQ?ly{C(`L}FpYF?&qv)!MU)*%(c0FrC%>u(U7_l85 z_qIo-BoRhwdVz3qOG%57CtW+4L1GB?Er|z#0}D z)j!M=Bu+^Lo-q^lxyNEK%lCOlj66&U#;-sTc*;Ph5Y{cvl4dNMX6|dQ3B~1DkGK0G zd~9Dq*ypF^NAV!#C&l}?eMo;eKCLOncC%u{36^mvqvIr5!0~P>WOW;o~9ZkkKN#UaBq}B9q_ss`r^8U!C&sp%WF1K_@jaO9do=|`8x(#ZB zF0eI9tb1ht8ZUXfV9WfKLt@5=Q<9VF0r$-htW5MF*VAFywW>+I3T>Mm!wj#hU!vkIeXwfr+vg;R8!QUO^sDpBS3htkDei^+U&}>G2;lcZnxBT_{9$jD 
z7_nzxOm4=I5*|)0t$iAAR8Q;5tv}uNUYu&PeQS(tv-5==y7*#|qCN&BnpsXvauK~% z{1Z_859wql%_L$j_$)XeL4s3XQ6>Z^Won%`O(dN>XmwFDp~k%@P`cNAzRof1uO9_u z!l0=_T>2l36}$sY%wozE$}(Dn_X(l~`MH|gbt6`$HbhY$W?a`2*7171A#YL|dGX=W z@XSgECMrd35yrzH`YGoqiK0KlG-SX`MojcX<*HAv*UW}9W4Q8Wi&<#Qj9S4xm5%Vo zLQL-9#cvPO)4f46YU-3ObNM^ZcZn2}W(pY99!5&1Wb9)bJ#=$;-v?pd|OlIz#2pKp7b`?953=wGbeX^GvfbVt)o$BUJsUS8{J$ zmjl#+M_49KOs}|B_Vi)ph1QWtOQ(;Z&R9cxBmbehy*PM zVVC;9KL+rLjCg;}FORdTy?+J!14JgNpZNd&JdPUtIrA-hCc=M=3)%Lw|9pip=;8KL zrna0$l**%j|Clz@IPZ_|zplmzL#7&A+}#5egnu8c@7hRRaBSv3hoKH1SOs+@P1W!N z1b(HNHq$a|9`)acl8^RLs#m_!5l8&@^~$}3{(T%dV~FWsI(slKjgoo?m;=C7aloG; zK(WaK^YQbeXKZ(~9w+@H)z&(2A+r`KFdxHbH32uqdERepevHq5&bZaW>Uz8?Kay)z z0S8i9XzhTf0nB3J93WZlwkN);ztD5v<8$523eExA+5ymjSEJ>YM)M7>lFwp*V15Jq zzE4|fUEfm`G#Jq_!3#m>sOQ(h@3w%7++D0VfZD8_{By8JNHopZ2WW^N(6yord0SlI z)y3dJb=|hU9s`VUroPf*RK}+1);V9du3Y5LtfTV+U{StG_@k;;zte)d4y(ZIj_Xem zcyYEpZUTf2{~*wWjNprSuzUS|4;MjT&M<0YJ6rp*-g(b5TI}|8)MPC0rL%X=+n6&g zvow?5hd{PHD+Hnst{%Pd6Lm7&wps7J4`fQO;=MM9=<4>WXI29UK@dBUnDU!Qh=2pP(-ViW=^t-kO^vdY)sC`W_o zfohcCI%z@2+3wURfezUB|DC3QN1R#Vtn&ibEN6-lgDg`shuifO+Z$%Bb8H$>UCmTD zw$87K<`6D3BxL*Z?6p{njN4;v^Smoz$+>Fl6yA5gRlpyUstC4M?4o`=G;JtiznuNnt?H|V~xw+BM)@ko+%u745F}!0eS~hdzrmv z)=>TwcqBw2=Mg*urI)mwVARlRN!Ug8A$1%h?e%t#!oj4@x6@;{(YEpX#_Rox+z}iq zA;v*%*PyuDr+Z&8sH-vKupFN9*0J$K1w zu3js0BaE$Bu0&H2*H=7ja3ek?(0%=r&o-1E<+1uDv=Hre4CYW3jUE1I zxYMT*UR5@8+TaPQ8T3FM3C#vlS;3j$k-XeGp206ZUy19zTGmC)7E}1V6CV(Hon@m8 z@Q=AKe)DOl?ctc3a@7gZ5vC-ilAJ#*gkSne!=WU_@8w*(MV5Bh)oQ%*bC3;K8vs z(ilNQoxzZHo|kOkaX79@?CU}+uF;B?L7sIF+pF7x96f!TW5R7>2u@4Y2A3l_T={so z@scDYs_1Kqma9asJ{oU#CTrEP5t>^NCyI2?a1urI=vDXf`>~g@Q^=_%ufDy`iGB+c zgbt_iTPLS=5e*~0G;U>S_F#e2Y9Z8!A@n@3ZZaNsk5X+}$pA|5eo2QBy`;xNwLv{M z`DN#4w;_&hO5XiMF-A}*KoL#Y8@OskCpW-n#d#_nCVgX>c z#HTA!By}szU&@5{e_BagROqfHlxdGhXF$jDLHMTaH@@Lw~aSsI6ZSyK4G_U8-nMBYoOt3L-E z@MOz(DLUmFfW4$Y8a_c2L)pM(+WM+?4`zLVLbFdii8V#D_UGNW5XNFK6FqifokrruJl`GkPilaA-a8*)r-k-JjGJS}Wxg~PgjQpuV z*KP3tF5)*-1?d^7_BP=@lhz!>Kp`s81HH=>1(klCmWIU~m0i2CG}dv|Ad1jRP?aX& 
z&{5%6Wi&sqMTV=>_4Wwk)*4_nSx4OVQ$JLpkTBMIFsZBdXl-i=#x)rPnUpx1na3}s z(fawBRbC^tR4O(55WYsrntMDNh^nlY^Wk8g|6Q6jJ&INd0ih$9txv6y93OT18}QdDfzG`RilU&Ezaqb ztEU+F9+4}H`)xP+888|O71Bkf;z%uG5F}&zH;2CjqBp7KDwMsD8LlJDUtdkODlRis zlKeJ&;qnzzJEtJHw~OPN}1gz+A(?{Qir$NGOXbGG+$DX6YfIVCZspiz_LQze`-dq6Y0zRNzyO$i&Zg(sqveo%c(YT|WK)wg_#Q0f z(^dh3sjhFJms;QAq!Z%b3_7*OqYW_eE@lJf^5|)ykjz_$@M!fCc+2z4r$=;2c zMGZlm1B{Bpurvv}>5Fv}cD;t*al$!+7&kfo4Aw@iJSPo#XfNIjlYPOj*z@q-pEb`; z2uBUcJSxv+#Ndc`RTDjEF;bC)WeTVJA|caOz9%kw4dsQ&hUmptEPsJAA|u(m z*Odrx^Jwx~FfL}R8-J`Fr$!pw;1lC^C3#Cpj?Sziw9*V!?(^qt@uRAQf0=k-3v_=kCLL!KG=?>U%)x>^4ntpIuYTLsP}|2z$yVJY&YzX5{6S z=`wTf$td(eyl*|;(Aw+AiA>8)y7gb7tD+D|S-I85>L6?Uw6A{@r=L{pP|kWw-jeYV zUbH?ZT6*o7Ddmfhx-jq&fBSPo$Y(prH4`y%y4A4D!J@RyVoxE;WQyGTdl-F;0yJlc4mCL^4&BFm=6UdQJnRh9{^YMoy&E2O z3E}6h-n^x9kRn3g*`ZlHDBtWuDn&Lm;yNoaVr97n;;$2EX+6pnXk0&TME??XuSd*A1= z)F~+^_Ed*VCz$w#PsT$=W<5HptXuFxbPyCvbALoUi``7K2_daJh5xsV-m(#FrR5&A1rOryjbngl z2qhckWAuB_>>=tA3|0lKJn7CmN$$jCbUnJ|gwLOk<6g~I$>?KlnLAWQF4FZC#1Mqj z3#;+Ihkao>=1btmwqGtlA^gLCtk36+Ny9^%6)!vFcf{qe7n1uPLbZEgJRQuD7q?^awW#*FqL-11|h2#kcCB!vnv5>#B>fMvs$GK^h@az ziQl?)z0`A_Qj`JqVlDj)DvMrO{2q;RM55$DD654fC8%|(?~j&h~z zBb{NKO1z@{&_t+w$>5Vi4+Z7s*-h+I^uGA1dq}T-5EgN&B-Jpb|E2jbbeORX8zDQN z#$-vu=_!HM3mE$eDLScYC>7E`&LAJmQ8^*7-e^*io%I_7o@JH|{e6XqPv_5AdKSN) zwx}s=wagFCCG~Y^QvjZ|hQbimd;+=qHmb~#$vCo@+FbtSa`07*3QSHgM&%(reK*T% zSa;nJcN%BcAqcTnh?c2rd~iL}fU99NM7@KrY(p^npIpM+2Gow}?i*S}!B!LRU_OFT zeQyKu03eeP$v3RV2E+$FeN2q$2n+&ZDcVvym}Wr=WA!ZVKNI6aw#dbbpL^h`@K|`* zjjI|3i$COHH3MVomy47yPTmlG8!zM%N1(9~xy|9q%YKjrHlR}>J};fdRFfkwcJlwz z%m}^>FwyV-30$OK5kB7o|F0r`<11qe`FBvBBTL)6LB{-S83R7xh6N%VbQ;s4!4tmt zMMf0k=)4v5`gq-OYrlys{{97b7y=t=nGFZ#%hE-W-mWrKyHb>;FM?=0Wyea2di+J% z(7ZvF133R7=K`Syqv#(|>{b&v)FPUiTmjN^JPcrRP0#~iO>yxBr;@+odi5d1C5xvQ z=UDWmF_;88OE`Z*FkZTXoA(RUpBCJA%erpvwPa#DX0&2MP*${5(oy!ccBz*pe+tA) z{{dUg9kEXx2U-CcHx0DOft0TtaN+6lbgO)JfP^9;>Mfz*AFUI2M|{QCa{RDATL+&# zYoFx1cd-=Ulx_Zu2MpTGq|VTX?t3ySNXf8uy+qge5{ 
zCpt3_hm=!XCYqX^$84aIV<76>Gr1V&DkTxTYEG__@QLT(bP$1x!{CF?@v$KY9K!oS zdXp;X2#2xGZ_^(44D7VIq+n_5{^0nuSMy&Nfb*URQ_g$)#NUH5i&Vc;fRObUFFeRmwz? zpL1}8h`JnRzQDK+AH=7h1JK}i-0&YpmK~E&14F+w0o!z4z!w_yj<%-;`k)T27Vdnl zQisHmBle{L#H@6@$Hn&)KGUm`^fPv`;B_PryIdu#J8Z>dR|4tR>S;!f#?HZ~KzNIJ zC91pPbFI;urU2VT+heF<@m%wNwY zRduqVj3`Lv<{$(c4^}hiohXuJXB3sy+dOP^f~_eq2@XdQ6=U9}0q2@(zADqT=nFJe zuxR$^Mt^)dSI`&m`T37i>TffG6o}ZF zzosUYtxCWm06Z8xWJm&*5yC%<0^F0Szz23ms^@LxIrs|haB+!?^Rf|GN^9(q@{D{NLXwH_5X3By3m}0w9h4Y*{(p5@~c2^0W$riD|Hs!5^5B z8%e8PVq4;@lI zX4Wm-0uPz%yiv%yK#v7r?o^rvO<05a6<~rKew@OW=f5^v2qu#K+dPW+4Is1D z8cqh{0rxU)>7IpTVmgp&@wRE%npG4g_lk)ZX|Xq@R_i_RNV}gv%H6Z}cP(qu1vY47 ztTEqzITECy;-0juk z__14#MMbksJAJ!Xvk>&W8d1yh`uw9yn%HV6p9FYC4n#=yZ+uaC9v)Dw1g6G1S0*Y8 zcA~3shDb(!^8o(RF?jHq4@oHLW;Yi{$6#xZx{q@SPpCM6^(atba33NARQMj;iJ4#Y zgpbq#jJzkl3OtE$owG0!4x5E%Bs+wMQT1T+HH}+xKqg?5df4eu6a8V3?nubHaOTSz z9OwiI$UphSfZwzpW0#T=0c*hFG_l^d)*l_q?0DyIKFl%gn`CaKMGF|8*zj&|5G#C= zrFx(6K_jR-^f<7#^<#(oc(&)vd4uaoA?p=*snz5hA9nz%;I#Yu<=;Fgxm})fy-b$L zv3APoDnN9wl9?*jq}DxR;4T@e-tB?+eZ1S*_E({|c_-gA?)A51qbSRe8(y&tiNVj3 zFZdxdV`1QPs>*$(1^8Dc$(TSqkhmuK5JT4jh+_=qD!X#W4W$?KUtfH#eh(v@1*tD= z1jB_0G9JheUO0?XY1?-P%%>aadCxy{6S|wu`nit*iBl_r2X`6v8i8XwEnqKIs^rr9 zp+xUz4mb-{OZ6oX3&bUaAAxod$mnSvTWh$|&tqWOb;I+)N2cC+&T;49%+MZvlp`gW zXaO!3PH=Bl?i{mm9xV1RYMPhB4zo88OUZnSPx~Wycw6{R- zr<-ZG+#eT@kAT*V0o&W@hZDUVO(OkV=IC%7c`xCcLJ~c|cB+Pp%@dq5VLg(@iTm)Y zINZ-w`IE2qO?!bDrSbmm`ft664~c?H%mz5u;qdx7_Vh-EcOw%#j<04pmPZF?c7Y$< z8E5T_gi;udoAD?oOpyPODF=+e^3U#{0prr5Qe;5cY(7&08SV}5p7|nh(M^D9pI0|w z@!#%_H00+x1+VfA(GfEk3edTr;y+-d&H7%>kYAJ|;JP)#>m~et+j#JLDVS#3Q()H4 ze^CQmr^?Sf<8U5SB4;cDx7@tH9t)M5e*T1~7OElYsEa%kT$gHf1fY0%K!2=(2vZzz zc&0pJ>k+tBZJ)`2&sRCBFHxWU5pBEpiGgWyJXs`dGAIRzQzEON(?%x`)d0$c2~Hd{ z<^D%=^a9+vaKdiZzDvs*yWiJ(72IkfHk6QMdJkB|-2f>n^xg+(c6k6VfVW>b1C+ON z949odV^%geT)e!>YO*?wQ~RNxmK^}xoM*04ESx~d8x@zDQnjt4@HxfMZ`xuw!Qs3O zFub4eBw%&z>9joajRW2fo>&57m=?J7l`}t|jyNER!zG%=dH{f$Dr<(c7UZ+eQ(=H` zTY1S4ws|OCg9aNTSFl7deKFoFl44v#tByv*N*3~cm3Tnox{5D6WPtZI8(c30Y2cz_ 
zYu0M~`t&2!B{Exl+icCzwSPZrOwW zm`}z-q(=;TK)uB23A0iV*ulEJ{l1ba_>kQR@v=g>6Z?{Qx(rc%2^tJFqb=QF4beKY zn5W~JJZ6kLMxK!++66>Qp)Vg4QN}e=8wL+xNAsY^2zL zh1%5USoeT-t(}4J9zs7}_8~@la7I*Jv|iTedab@6dJ!VKHE4~9cO zSDo-p18#>%@M|(sUjOs-^jz#tI8blY zvjdJouY$4xt#458X{5fS9TD?_O6z4yUpUW97AKCnQr;~YYm;Ok1~*L3fEGe`)z-FS1(hWx`!MRQf zO+Vb|p<6kWQS#h6;PpaHzPuk|hGI5lraX5Tk!R6*o5I7V+L%%xk0AHdR|IM-;clQr zg~$(EL&Z2brhO4o3m+I6R|*xAz&;K;OXd`k2B71|TlFXN-LAO{3^`knc&&XmbwewE zH^p6`?uWkd?aA%c*$W=d(j=bCkFm#Oq+EEC?o6EBii!r_GW5ATQvo@Glw#bX)_)>u zg9sNp5@`2z(hEQv&~L`RZB0GDq>`gRBTu@JLiu=RK?gjkR3v}fLJcg_3Z2c#vMZGO zgz_JHWP;wa6U>3_o0(~x8hDHJ#6mCHZ)Mzc3y+_HdH=+#F632@PjBj-${NMLU1ml~ zJV}&H(;sOk3DO$FXQg@wAMo$fF@XX9F?_(UT-pr}Ht_NK8PgKyiUtr0Ay&#Nd`M&& z)^)K%3e3bkmP~}y;GjIvRH(d6EjfgGR8n_ox9j*ae?YlY)K7==hy52q7e9-rGi^bZFDr6^ zZYvr&g!ZugD5iSi3@TWZMZ!QT0&TWFof%`CbNw-rH`hnW9z5BHSsp_4cJyJyGz>5y z(6!?Z)#h2(E6r@g!b_C&i{^U}7kj)VURQnLkuNsf;2-fTWhak73{o3Rm(;waKFg*T zXM8A&K<0YH;pi>(3Hllh)i<%G2@rof$@<@MCV4->TZ}FbmNY-5berI#`4Y2hgdEW% z-En&vX484*t{i$R$i7oHZJqHnJv|UBBXhl0sI4DNOuM-zaBWivJ|w%>8G1y{eF9)o zR&(tf;r_N=p7m6@3bThaXQz7p`hfvfW~Dd7`#g8T8A+D-$E9Gec^!fJfcsem`tT>) zO3w_gUnb|3b;mAO1czMH;Xgkps%R-pTlA%iR+#%WJvO2~Bg6C?)Wq5q<)J+y^R5v~ z!{+JlGDCH9&Y%;`;OhGJT;R?%qs;I^f!F2x?Ty7;eboWT+?Qa3jY0_qf+9hgqc|;apJcu>#VT!l0A}FIU^l7m6_03wMZ~7os zoHe=0yhAU0wTO|!X%fQIaJo?DM>A%HlA=aMM`UU_))jQr8D%02y&% zYVjU$1_4u^k)%}4uvew(2-@JDj2w3b=tP?;j^^Z4s$B!%xO4~AhISsW%Uie`|# zyH*IOza{OT=wc~Oru%}@_jW)xY%XJMLerM0g0jG`7N6!tdJ?Abz0rdgPIN;|ny*;S zI>)+TSAEbsA5D~qfbVE$SgGGg69sgIkxxul#mH-UsL+JdS#gGo%LxlpRj#wyGahR2 zMFvUoh+YpPq>cOVa843hVdkEz_+d6*l9dI-EU;a8ClwR+mGq0e8t8H@Rnq_dbx;z@ zZPbFQ@bO}UtAFGz7k0=)o9uF~TchzM%2lb5;!e-yJGJ8QtmZeI?&t3)O1pI5YzGRG zv^4z^F?mpxsi-IM!*eB4z!)?^!H;KKcDwEyg&VU}dznYrPhJVz?H#J3(68ik?4yf9 zZ+UXf=r@K-Ls7d7{U1av)^sSmL&coPup&az5gW0ico{|KnG*Ch!mZKzHiH! 
zW_$0p9dzP6l95HDBT!kI7e$m)N_`tHPT-;S)W~1)rQPK}MiVBY!Ubf^;0}hQn6vw3 z#SAf2)bz;{MD4^EN7oEaBR2CTbNDSJrgk9&grbO!c(KE}j}b?vj3&Bfqc~_X$dLJk zTu>7ehw*i33tI#A&$~4C9wg}(b8Nw!o6aV5KFOiqwA>;YaGw1_e_so}al87O+iL({d>l?pZXG&g)Pe-u#*@pY^oI{SO0UF|~trezvg}?mkn3H))CE zi@Td$3d_YH@@b=zM{8^zhQ9QP*fb~86{Z_G0&zimZ-%QgB@@XuqiI4e1chE-r=J8p z7%)z<7H2#>6LE(^yTFMq)yPx-i~eDykg)fX4G7PXFr8@U>uW{&-gJIniG+TzXz|+e z-!jrt@vjfCL{m$LVx0`U&lNFzmM2V5D9TSq+rK13o^0!ee^eZ?d(}_CjrER_Bvv2t zPjd#n1cDkX;)@sv@{V{BWG_^1TVIm=Y;XV#`z*!>ljDv#yysRZo@ZqNCiyIURpWi92ke8Y2&uiF8uf{VngHcv0b)S&Y|y9 z`}0~>^~6{5{?8}(IiOixN=mSxQ1calQ@-Daxrz? z=4~FFWGUhmcH{B_krpPf8OiEJQ$L%LXUqjW?Q>>{R~AUhMK~Gi>*+jP{_wcN+jeY`c))@LmI>5cBd_P+KOu_JC-hnQuOJ$ zu!Lg{K*+(FCvepJl|`Y(@a)mVsR@^_I9-~Ac$q8V#rX1 z@g#g+!)@_v^khdz!j-Zo&N4emU8R-ZgUFJAco|`oDH3Jj9tA`m}-zn z8;anbL6>q)z&C%Mb9=Euf41hjl&RonXNdny5%QRvf$c)PG12(w8|w2s=a^_`@w}vt zo-{)C_;SvvayPtno14;>?X{@TGmhbUU7kwk4|)RP-48Mh3Mum7IvMyg=tzkeMs!&> zu1eB!#>M^@K=O%fGID}6JDuq87# zW-Rlge;poV;HEOSsZa3#`;7p2zmLJvFzjF7$XJ|~N26t!Dmpq#q+a z4{~Gp_vehykhXag{uc+O!ae5xA3~LnU%Qo?0{g|8Z;NQ%@Xr%R0CBHv&;KB;Q|RVc zSWXiP5yC(J9r0w@Kpp3d|39e822!rhBLYVHpcfOsSU&&3ShO?v-Jb;JY=4(ZxR{`_ z1!@#(zJza>Eq<3~B|Lc}G=n&d@!vC~L4wm%zsg@rdBxBgZ+-;c00!t{?9o&Of!1mP zt$&s(xU{IH$NSK4*A+$O#eN95CXAUxc+DlrTMs&5m=(R%c?@v=-$o$C1}qyfq{1wC z4`?sQDy}7{Da8WIWkzQ7Z3A3PgAjokD-^C@;n5TaKyO_Q?wnj2ulFUvx9##E0(x^j zrTNpX>fJ))8+ff?(lhsJYqaZdB346UAN?|lA0G~?*M=u@6;qxAqgfEfqy%kO=b?P& zR{2<~oY8o^K)t|J@eAlCHTy1dfxj`BVJik0lLpYL#;RU_2XBH~mCy&5x8uV$T+G`J zpy`c)TgvTq<6^PU`19R#r95~p@oV~hX~G)hyyh|64VqInb!!geCEV>p2V==42%fLb**Tx}OPZ0CQQ_KLZMOK6}snAGd8 zSe&8ldAd#aLJ`6k~cpaJp z=t_G|-)R30jPyhLk@pofNU!cgR(H^ZZZGt?zAw9wpuwDl(Rf~gS zdO(Y=eiiK8KuDT_4H!Xi;4N1Bw@Lt9=+9#PKkTPWK5NB4Ji=E3T9XYt z#RLGc)xOF1VpIRl2=`aswgCfA^!lBS8TW_=Ts^>@7y#MHs!|nr8wQK(^0nEGJ2k?1 z#S{=>38tU1D4(imrr@M_XP)j(sezzhMe`i`**)Bl1ci=ImxYF1;mM$pI!813CUp;i z^M%>BMdg-;N|&SM-NK-B;TF8+KS81RJj*e3QUSF{9_At?ARJgz#dLu~xC%GH(X9Z@ z?<^)N6C`IVIWKplaNpw?3yEF zYjf?NH0N1M(~$AbJ8%>@dM3;5p(F4FFhe`|AZn+3-?@U4RE-f`cMn1UWmzTPW;vg3 
zjdqE`vPLT0#c&S;N%YJ;$$?w<5%Wo{I4H?|2&j|p*CQKr9Dv_jFhf!Tf&W-A%zpTT zuJ>$XqtW|(%Ix-2GR*1_L?2ne5AuKu!{YZKFm#L}RWqj6Zff^b58k*dxYk^`+GRu5oqUgvKDZkgIX|0(TeQX z`82aXUhp{+`?xTxA6$r{TQjHG79(@Rn17vuYOEeDZf4v7Z{RYyR_r)O;L*~KdIB4h zd0zPwHc#ymULUq^Yez8NRt}k#M2vZamLOfmzy&-TIj{#=PBBn+ku*3qcr`Yy2ZyYoWXdjm7yP3qi{^|DKivBD&a9W0^ z0p52A`WZhZ&Qw{k_}b&cQsKs+WgS-gPsc(!nabJq{*+*$!2M`sBrQYcwe{wRu5VV8 z#jX7szu9sicTE_zM zco9T#pPj};=KX-Xo^lzUPPDM$GDS1+3dJlY3X>v8xg>i&b7X{3qI2snE_)1C+ueqd z``!b;dxE9wCxnifAYFt6GA-yUez;boS=Q<`d#B%|P@|vxAbAQb5;nIsEyrci*Vu+P zi~hK~KSS1kp=BFBLL=96Q)|_aFtz z?ur^$_hNFPk0FK$k#}BDAn`G+@Sm2qo1*i>@gIaw`W2cWGHp(^0Bpj~4S*1OSUYVx zk*}`E1m6rjw2xWg?UIk;NwtQik6wtZ0`}TW*`|=!&KX?Slstwba*2rs+hRP?#iqaV?y}4qA;gAkETKCDqo7^ z)#4}f$? zr#(jVwCkFFRxbNbSsam$){YFekp~|RG9~Lgl?dFzN^Z64UkyHEmQF)9r0&lQ(nrVNl|9z536r%~`AaoUc-ZHG=# z0UXYm7yA0?-S8)T56q{3>{~|-=q@gy9JoX>E#~upEXB!Rs=s_LVwWf#+5Ze!ood)Mt>Cp0@;43_nw8z26vAc)kr zZ`p2fM86#UaI9X@l`^rzI*Wx=;u`GR(Wp z696wzu1%FA{g6+|9Z8#3As{#{n0JWCFTd-(YRf>2DAW(_!M!18(J+DNX8K)|}QzP||H;25yx#e3a&C{&n)`AZJFf;qQE4rO5u>|Bc4GRj?t4rj6q0LI#utotw= zS^+jvTI_f%LVkmY{p3xSpkFJ=HpDbiFc5*Fuguqv22vgn^0QG_p&gba>9kcvXw5g& zG8jTmNF;#>YvT$FY9}*b(4$1&A=>ihmFU~Nh~Qika&*t>vT9s}azfi=`#E4Cb-bix z5HamPkC5t+eQPa)L{wT@{pnx|u{l!CS(Rdy-yQH@ zQ#pV7#|*3zb_2^LGhOTr+<1eO5bOl-sX zw!RGrcYyIvQ4T+y&CSqi#^-SZ=zdG7HdWXkJZj%=V|yjmQ^x+df%z<-_;+jh1|bk5 z`9N`eQe(joDihn6?eTkQDmo`#i;aSI+h5;BA;&6raQ^hj;eE*I=PgpaN8}ZRPzv@$ zR%YLIY3Ajn5E_9IR}%O6 zw1DXmbT}kYEb*m5Jxa30!?(sVy=T<2&&U!WN`r^%=#xsv*7FTh)HD%^wC_CT$5%k-VJ5~ zFFqNy5s_OoV`Xxoam9wl2rVbz$^_&fI+%vUaBtqM$OjasZ{e%gI;*1YISCNo|7^wn ztamwo(^4(i#2~3q@;ImO6(O(Le+8=u!#%7KtII`Xs#?r5ZQTkQhp1yN6n;$@^nFp8 zWVX+ogpcr=>wR$X2_N507S@^(;-VDA0>#^o>07H*k6Xw){N=*85%gs7S|t#)bbHW$ zLxE5i+{aTOKH$>#Mb5VU2#vqi8=7E4IufTXR%7#1PjnT6h-D&jvl8==GI%ky=$mhe z1|#HZW?TNlRsaTrb-qsj=&3{=H(iJR$)e=i z2wFT=0R^#eYYs?QUO08YEX(laLKWj9yHiN8c0s{R)$3CT0f`|!VFSC$4N z3rHCMa4caUMm70AhQSto_iAcyg)_2ZKih_* zATYj@0W~b7Pjqre;bd1sTLtJ@&F@*Rat9QN!6!5%bT%cGWKjRWO33L=Y7({;t+wkehW)lrX@B7;i 
z*PUrD88pY1^9^<2?hyjx`7UhkfP33*)(1Ss2xynB1I&_fvkxM?U@fK7>NpitGtsCP zY4g=Bhq0{!P=-YB^B=%R)*0X4dV>O-yc$3FNdGYs=sQdRJck|t^qJuv1H9EE2#4ws zd;5@&8l*6I467V;2xyfXhw8o`SHIhh z*?>2W@tF1<9yn6OY=AZzI=BV|@g{UqH#90Zwl`LwG1zEK!EHh#d%KkjvG>N?Dz<29fpX94&S9zd1< zf!{77*FJ)dH)FWL1CShNbKqc$p7=SWJlMYp3h;pU^{~IGANvDj!c{V#)jE%{VKh&2 zQMBVexM$6u2_4%@pocbufrX}c;zhjPSKOka_o>fc#dDYX7J*nwP)nuhz8Je3*b%MXVD3OrSL`OCB8TXgZcWn#@mme z;;CfjkmYZcT2t8JH=@w3NWpq*;=IkRl3pa(l`= z(Kal<@4;|ueu7rqEKn<^8UIEPl0aJ29!GjtQs=laor%}yebL3agC81N8x>_OB<>OE zGz)KH1a0J6aUFv)W6Zg*9y`&eU#9F5iERaKXquJ=a4qy-Gj5_0vPrPv5&3Nqj?%9V z7rzm<8VR8EN4E}!fcv8!FR(cs!c#po18A|N*3+h3KFqs*y8);7 zr`?BGjs>49!P&v)d3B19eZIm?CF0wh;O^v#i05Lote%gMbmk#R&!je6dfJj

=u-t=I}ZeU(R{EGV1amXGW7U@GqO36rX$f<&GXO|g|M;|P8^1` zw$lVJ_WJGqK43@dXL*MH!OLj6()TeQ(jM(aus&@!0x;G-7z29--q=Nfznv=wNso71 zUXXGJ4sW4#i2&{yi)sRH!0H=A!h33KN#PR=3I0xzojH>lI`N(_#pZ5$>=gavii7BP z$~SR%PnH#V)_3o%4h9UFQX0j4GHCY9(gPDWSS4c)4I|L-{YVLyB&P9V%}?+c$*Fko zdHv)>@ECJwu($%-@gngmCPG{|+Z7ZfyzZ}djmPhu-jDCq|9L&9Q)5|_v!8T6Z+37X z_@Sg?LQhJXJ_uL7Fw091X$ClM#f2H#pWo%ZNg3qM8BqG&@$ zVvn%tloBNZt8vpdh*my)q@|kd1(G|pq*ayG(mk(&#J+KpW*fntDN1%AkWKSW=)U-I zC=9MK1t3mJ(nh7qpARqSdc4wwl`oSYaw|g9cMNE%N2mhTiMc|Dv{N5ii>sP`iYSS- z>18KbGr?aQKJAh{8KE7G-B zX*pV+&5-=yu3oHhCKMydoafuq@Z!uoir&1h%*EViD|IR}On zsr}%xHuH&zB8CPH$<=e>pZYC+-whbmwriuN47>_GHu_UE(#axr9kY(gM$msaREXYQ zDzC8R-LkyOuu1F(Z(6e*z5b)4FR1OBaU&k@7-B#|DZ?z&Q zapik?nH#J8bC&4J+++(9-#g~JaK0#vUYx3f1OA1#w z_fWwj4JUi@EBjk%7bzVkW0QWEn#*;AI(-b35xfiZLoog6M1u;ny7+&-j)5xhAXVh? zb!xv$e|ImGFO@GNMPErXmhYiEX#GEbWCfX?IX*vpl7%zQh*_jbQ5kuAwYR;tSHq^p zk#VgaI^8^6y?-h+S8F$6GRHE5P{8A*q|gvg;0vS0CxtOmPJ+dKMPLSV4$gLyY ze4^|njGWTsw&y zo$Yp6Gw?Yngnc>)3Lsj>>@YJ`kr$EidIol6P8x3-zBS>l%u;x)pC;U!Rq?l@EF=cR!JLil@WrRqMBpAn|R~ zisuf%Pn;MO&Bh=$uNmJO;Zx|~Gg0|*wI-Qyr|;+2k&M+zuT=iZXZcU8jhr97RLGO1 zR8l_=t=(`w^En0GR@$tPRXt34x^OIflczZ0yZfn7iky}1!CWPV_X?rAi)|7R^fGK6 zd0N9idon*U9X*NhrHpUYUu%60coRn3(Q1JHmGQ95A$yP^LMYob=ClyaIjrdSbd$_> zvMDp-q=;h@%G0ABQd*6)Zj!U#p{?SVrQD{s?{dm5_%R7BZ3g|+Y)|X7GRqi@Nz{uP zwRM>Gt`?!>1-B1*3THsbqX_o@db;v>rvE>Vmg_5w$U^QTIp)@Z+#7RC!mv5Yom)bV zjA>y*p+>pqs)QUR#2mSjtD!@pw&+Va(wFb=y}mtu`)}Ll+TQQa`}2A|pU>Cx#j&o6 z$tdu4kcJ0vDxWXmk2|>ozfSoDW%49u;vWs7@Jd^hfIOpB`t83Gc1^HCB>d4QM83LJ zG~y5zTBMbynT$=8wG`B1SKaymfG>}&G`WDK11E@Y%8XF`y~FPhQbG@%6FE*QZYNmx zdLMp&#z)k{f z9D=_a>V7#h8&Z%Vcl@)OP>1#_K=-u5FK^pfTp8;TIePM|rD>vn$ao`7Ee*Gm9rG^T zG~Qj#L~JpgY{JOs%7cwZe(h#KcX^c?5W~%~>YYiic0ppI#_Ip+C#ll(aNGqlMe~A9 zksU&B3)v;xk+TZ|*i``v`fm?LH0R^)uLvKJvSzD5JsQX?4nskLLH7@WZEb`G4! 
z#aS{P^&`HHL6TM{OSZZ&MEUw!>BDs%C5M$_HLTv9%8gPZMd)4+n~@udBYQM?hK5$I zU9G%-ET1T8Fz!c>ZG4CCiiLg_)g)xOlyT*Y;?uj?WjJzUa=2dkd@j;fCUHoMV>2DC zH*Q=gt5H~-B3Q?m!oyf@CF4O^^I|NAnN~u}fnwoQHMU z-O%`MaeqTDm@4aCf9QM7%v9&Dd_rJo=d{|h9~087X&)@-tD>xeKbQ3^jnbytXMq>& zjBAi_|E}qwVXw42IR%*iEKNLBa*R7d>YyeS#)nx<7ms%7D=?E};o%eRMniRR-dC6!v;|ieTyz?cwMt#^Jw)LFrq~1p*&g_BM|m zsw+clfbT))avBWV_^7x>ti%YF7KxI(6t02kQ1EYen+RoOI-$Dd?q(mJ5R%VG zmZ2)ba}@IfZfnH>rdq{!f!6SBI%0C7?pzz9HGTbs^xFdxmXj}eQr~AnEK_%66_K#4x_gXP%YuEEvv$o?6cXbMN z+Bob!HEa4wK}k6~+%|cwZn3K5X=w%8nh%{=Q*F-pc7yLgjrWRzrHBsIqG+qzh>W^9 zY%3tc>tG`xvI8k21TKX1A^YsyW_+i3^?Vi(;l`pd|U)URByiRBNNU_;ZdOcJ7 zGy-fuU}JOivp&V`wJai-YEKdIdTH|kuu$)EMsiYG9Mpj&32o!xNGGkxJJ+V{SL8+&*i_j_v2<`(?Sf&v78nt zFgBGL^P1X@iN0utOAqmiS%!tt2?*^uFqgHIyk^ism9rGout`3? z^Mm^kEDG&SREa9gh7jwjZ}r8Q)4x1;FIi*;>avbsE7ar(s6I`u%qx`pJGbB)5VSOV&KCn$H)v6DVXhSto70`-r!m}ukdBS zR6(HHU8|V0T8)&;Pbz4*w+D>s1Bs^UJi$%uA^bk?L7&>=#LAt4p(pbvD!yrUWDLzn#QU`L0+%+T#x!N~#>-j>fdn^> z-d1FGk0fciH~&z$&49(s9Fgzfo+LWllcd3G|BGbVC;S$S8#i^8&iAX$T~lmJ;qFH( z2#$pnMKx79BgIu;e2SnXkSke;JZo*)a~)w`r-TeQf{K(l;g*i}#fz*!FlWkTC$RkN zXFRxZu*Ap4oZ;f!gAbdZP4lO2dKU)4e|Y85U61s(rqVxsbWd=5t}4niX!rgqyV1*` zOvliRF58aQr|N8V`tvz?plp*jH5!?UBrCYFiELOKwKc5QVVRPUm;h7rIa_*+MT#t2l+P}qf7%9?5niy!8Uaz`%5^7y&%#q zo!UCoB&WnWMc8PLbcOXDfVOeT+j1|uDYC@#<8vW9%p$$>hgM+q@Ow;5!cv`dQRFVL z8^2Sjyrx}PziF{uN%t9kadsIX$Pcpg7BdF5+~^vUOb@I~)8JLRjxt1>pI)Y|e*axg z9xk?NE(+qO7&a03jay&v&ix5NYMY~nit@}V@P^ZCY;0d%0b~9TB{ECY-D0 z{i&-FhZ#s&67v0FT(9(v?gY)RZMNT&UB{+O3#zXT3LGz3hZ5=>Gr8QyP?~SHE?VyS zzjRf1WEo0iq6{&dsF>+YrbU+bTU#DNh2nvN5WJ8)Zl=g;QV&_U8AT15`)YP_`&MXk zC%ax@biH^F&Iu8m`N6xz-4b_`I^;@Z*Ltzl6mbUMl_5Po)I^7)WDg7hME@4{I<5D5 zDxi&mc>hk|f zVd18n<$-A~jw%hgB{-+X%%=Z)4_tb!PYu}`_80$m4m*B?UxAwOpW_e6}M=5P#i?PaF0OHjm2Ch^)qfh5y= zhMbWO7Mm*}Zvvzr20^HC3bzBt8{Gy3ejhv%pTwn*h;|;t;=A&s#=k6}1}_gCGkU8C z6%mJ^^nTvgKQ(r>k`P%J6F!ZCnQm!<6R=Ap@6dVucEI0%o>^bE34$hPrqmFYB-=&) z%*6arS~UFNOPx`Q=*sHM*vz)ugOj`tynQ;OE77t185e)O`*;6|DO` zmwJT(?g&b4%eymN>{poK=Bfo*uf@#1v(wY?Ja_ZY*VctPQyY^>lJ66`_@8Az_8U?9 
zW_0HDEIq&ycVMHdQ54_xP|_=FGm=ocdwAJG93)J;ee~G(1_8aEtY3VSxl8O^uxTA2A+zMjyRKBi{(D zpHrNRGswQk&bGNSv-@_^B8P+#zd3IU1{EpewZVnEwDASUMYUG%u^EQTYpnKn#)Zwd zOZ2P5s5+xFPqt3mKl7;4xRU56HNI9jx>4HF0e_6U^~@UVZ)7aFoOjog{R_p%bMaYF zx~U~@)ow5X%z|-22(>7lws7|6`aez3Pj1_8*^C7I-mKCbzWw-XN=R|ZNlqW`s>1Je zja7eUWP6rS~twsmr zmui&=YtW-U;XY;Ep?`oPbc$JU8vJ-fN61jA^90x+(Oq?pNsjF<-cYLnWyOHns(mmN zdrNU#&#t7cZC~2+9upLN)OA8(!}iZTmM1xW#BT=_`Hb8HC~0{dQ0mrzMh9hspNG<@CCq*^MPLQT5N2n`-!6j%^YMUKu~4!`pUrL%y< zg`72!ZU;2l3BkSMt7{k9Rcm^IU!TJQxW*~7Bj`!7Q7(nMb|c059f+`z+?!-Ds2y-M zhdF>MxQGJ-wUL(veIvT>+|htdvGz;;iS;PJoM?N(0QxesX256ZsDZ{5>r){etIkTiEp%b?;7fZnXgQU}iY%T$9Wp8ZR*ESo{^2TopI4OFRcj;N^XZi!B+NIXY+Pg>|uVIO#4#IyM8`x0L-b>C3%TUZudmg-D?T^I-00 zF8S@LPESq(t3umabo3ivyx;XV{=TuGX933EyEu#r^9>HcbE|Mn)1yHpf8(v$aEh2~ zdOWZ;zeVyYQ}#m%@HE=W5sWzO`vHp7G2&T=q;Af-nv_rU`Isb#&HR7BB_R8JbEirU U$Lrq8U;!_rnT=_Ku~*9f02DYZ9smFU literal 0 HcmV?d00001 
diff --git a/resources/google/vpcnetwork/open-rdp/step3.png b/resources/google/vpcnetwork/open-rdp/step3.png new file mode 100644 index 0000000000000000000000000000000000000000..0c655e7e4a58c7f97348e4aff17637407cb3f87f GIT binary patch literal 71356 zcmeFY1y@{6);5d=2=4B|gD1EJCs;_Z;4Zn+}+(FxYIPyc;hZ_XP%jR z=6mM;0pEJp%Q|PB;*_1*wX62t*Hs zgX_$YiHV5`OotB#D&)3ke?#^3yhjDC!J*!o!bwXMzUUhu6Bb;AFMND@fF9kWc1P73 z-)ek*UVQH0OWBCKp@E}eLPB{lfFeVGg8;XinXB!E0H@6!%<(M~rzO%CcT`r6K-%$; z6-#%ZsYJk$GPUfqu_=wN5e-fRG5I|<;@2v~Jah)+5L#yvxp=YnN?hzOjI(4b-+d5x zO9E#g7%ayjZyOj?$6$J z7kL_NDS_2t^I3~thk|%rTP<$Hz#>xwN(x-1cPH37CuHJ*#wLLLPnO-C1(8?a*%-kHW;F-Cp<$&8vRj9)p>v1tk2`m@3{XH5Kv)DRq{Ksx6QfNVEe%>8=VM-Z$M(Bj9f#jb z;qoU$T~nPz(zNUN^Rj&p>0^kk@0e?!(?n6H-oEtIynjlxi2iWM#~jhI{gV4}r}vxb zSf!>mdg+^QD0W}xWR__i=(p6~+2qyv+uZYu@38N{@4Vf?wV>eLQ60&9RwVZ30uDAT zR0^Er5EU@sr0-kd*NV|m#z*f+oWpt6lJUfHFX5zrrp)_hzuWeuW%AhwLXG|eI>!_X z#Diya#EVA#_)Im#-1GBEZupnn^InddKH@WA_Cj@{1H%6pmJ<}Oy6o?g@18eaV4v^x zp+Rl+r#nq>bKt(jWdTRora1S71$(I9#7^}O)mL<3SJdZf{5yJ=X05+jzF)uZ;JcHM zlz-p7|AKcFFXMetNC*=uDLs>ac$}M3TwrEgWI`k!T*>v|9rxv|`H|mOf#YZ8sD+nb zf6z#_Uh%V=A$=`}3{ELLWH44C3Sv#dtze`~o&sz)MGhnXg`x7~=u%lbBwen2y94 zfpQxxc;bm0^l9+xU35tA1i~?@Bv;~SUSSPMvc?ga!KF*N$DwawB1;&5z(_*13#ykw z{(!3vPZ>s*Tl0Zw25~i%O2TxKZCCUS`eU#f7vkuP^B%lPx>98Fp887iLzJ*CCr7eO zbmDGv$G0m;4PBxq`Zu^DSpLC~4{$P)PPxHqXUyzLEW^0lK`&*d)JT7>{=`#%yZ`1F z`sY348G$ckbzl4QKTk^m7aitJKY(voxD3@!afCWf(e%^2%&&&RL6iMR#!nFv-UXe*oXdzsQ#>Q;GIYAg^PY8)aSBDrIQ z^*DjeobCkVC~$>556jL(P`B~6t7N-bwsHk!r)emq8doEJ2)7bW*fE3ZW$!rWl4pX4OcG;fGQxG{gzygY$!&gW@Eg zNeM~HNP|duN!du3Ny13Pd2!Qv)1%Y*c)xQeb7fgJPrMmZGD<4ah3Vg3K zUS+)1Mbd@WdUNTe9v2vA@ZM4x}@sLr^E&vaJpH4D{D% z)>c~~fSi*qA08hLAKlw8H+Q!?H^?{ax2Crvw-u+V=#Ho)Xws+@1dXpx4B|8k zQr}@;eMA{C-Fru>EvwI{_v7PE`|H;ww2Fyk3BEL8@zW_$@g*tVuP106Ugx~>fB%$> z5Ehsv36yN`1 zhOm0a&!Jx-KPlD7H7qq6wAPE)O4u(l${!UQsR|3uiPJU!=pMzik^9zY6xPthRPPgoK34 zr1h~xkt({4l%;5uacS0TqLfnUp6jA~=GUHBuv#iyzF6d0XkOA>Xs=JKDp+<~?78B* z>bsht=%qBFSfUIls57ksyD%vf2^2+*Yg;lw-a{HVhB=n??3=5b?^^hp{XBS`mLXR& 
z`op4AZSz4xJ@W-!rfbuqHG?iIic@T>2j%>+{9`RWC=f8{6NI;6$Y(lFIkA1e-LswE zFTsz+uYv#E7P#aylrxmG?=J?2zd<@lauT&KU-n}hSqFs*D-(?elNIxh#FoH^>&7?S zPhM?M{imOm+HMQiW94S$H7FFs0GfXDNeB5zF<7H_D*RS{U@$SBO)XoEed=cS>+U$o zdnGfab)o=v7G0{|;r^XI;J{ulWn@O)^6!JqJV3_{5Q*=VF;q3_{Yv}|>kv&b&z@Yh z+}SNbN>Wf*NR)tcR4ONmdXQsW*^QTwpY7a zpajf>Ndyl|__dI6gY7nRZ>^V7=qOj#hr-p=E#el>gYZ3wmol$qtYz@~uKMgyLa>g- zZjR!f^OhODFvuxJe2@4JHg`9t+&0<1AMw`+))M*krr1_+)I;F;#7Dz%b`rOMz9{yL znqA=ToaAU>*J%W7H;XsR@OI%_;kSl5sycpEt1PRZ;9|C)xc(^0Y5YKrY&HkS zd_URi?0$&0`nLA8fZr79lW*1dZ@afdXl!vLBsbTgj z(a%2LE-}t+uU&Q^44gLx>K#dbi#+AretXG_B~SC^6*($M%052$&pY#G$GT_B2`pX3 zp&qQz=5^gx>W9j`o~?m}*r;jG9Bnbmr`MOa-G;LMmlJ?7CBHoX&*`h@$@d3C4qw*2 zAelP`KCw^j0v-1#*RglVWg!{jqW&uEjL+SVthxyX`#Sade)V{5)p&~EKh1xHCphcO z%Yz%uM*4b)33ovAkUB}%yGo(*gcMKL;_yE8_P%M zdY|TGOUQxXAR9-+lVJ3MAU#AaW$0V_xO3)Nrt(+OI4}kAH{q`k)*KrD_D*72aZpRX zkO|YPg;zC&Kg=l1bhk(e0|_SB*njQ*>Mx}u(wX}p46{V&&G{nYEFj5;* zi|33PJW;`OsNYLO(F7S?;-r7*;+k{RyP-RB=`9%yQ{#`<_xz%$ak$o~F7$RyAV3)8 zVxs!d`YeSYLw#!Id+mU(ZvD}F?7_)VGwG|jzQg>?lcT$)(k7_8-Z4 zl}aXT1SYjT_oY86x1(y>35` zoFj7P8+?m)iJfRC^H~*Cd;a0<{Jc#0sTi8Sj^b1K{8LCd{pn_}AF|YOWgC2+FTn5AYsYs4^6;ae{nqa^ zdMcTEnPi!wet_Ln`1juS*cM4nAhyZ})!tXYS6T8ZO5CdEidpi)4R38Sq=XFb!lKJZ z+dktiatK<;o9!M>4t`o8pQ5BQJeGVWANAw zoI^RV- z-6mXU_yKuT^}hQ1J-9ig*H=ABccN{5CHx3Y3KYg6st(4Iz^@eZp^%Y1k^oQ2kf4of z*m3~_TVmE_9BE$S5zAwf3Jo%mjHE}VT~`sPv1+SU)>W-<0=k+yl|k{4x{ZP}2YhBi z5%w9jhYw~SFA^6@Z!i+x#=O6LpA)ypaX??hj6HnUvm*nyynzCs>iCFs$^IM zF4rwVgl}k>ko&Din}!%hW@nXGj#}>7V_#0lbLu-JTz|^>l=0iA>_OmR%~tFnhtx=M zyHEuw8|yuKJ*qL9Cz%d05plVq)btCw_w9=&FERpAW1R|7|R%e`Q51=H3m zvR538bxZ?A%!RG0WyARD8)iyU_?eN#0at%JYL*N~yqNss} zZ`;l}+Lh2)qWdKW=6Fnoik)5aWb1;7=Z~Aik@ITe1Rd`s1r`=WKv1x^=EOCys>aMz&YWKUDPeu0STm}*RROzR+7ga6T;#q;v* zHA+#1zf%UauKx4o^K}_t=?gff*Kj8Ss9#I?0@2}dD&&r_Md30B;To+G(^@DbQcd8u z*e)SYIB@-gt5uXUfd_+o0W#y*Hq3ZS=yf!8Yy4^Wb0LqQBS%pYIDeVb+-Nn>&qw*k zM>1teo802vwq2DAf>26Rpn~+Ta<$ipb0itjqA|W<_+7VP;D*75%n9g*_l6;m5<~(L zo{CsdqDwT9m%`A&7#MoxjOQ6Rm0lI55K^3yp5ZBu9$=1w{9~)qMEiU(ZE<+9Z*jsU 
z%_-X19@OnJ>zv`-0a_elo460>Of&>Or%UAJrf(#CNOk-c9>6Sn(Y|1ODv#!?5V?g? zEVlP0onjG3P}tKB8Cgb#0nywenR)hTFn;|Pcj>KuhT*_Reuav6&);bq;)|S`h7@^O z&ZVQsHAUu(`NC`!j}i`J4z(z}D6R!$1g7=7H3+&*Hy0fEV8t4wZN_J zaXH@pa`}Tr`}8pyg(7mCLS5LkZ6@!~AVgz3h803D4qW}!uIF7| zUMp4>KUcd~drEp$Q!&opU{UXIe9_c+^zlA9#NeoXm%POxdA<0^fwWQN#>i?P_o?b> zVXbK0;3m33C62N9lRovybV5#-p@t!n#Yp?H7F4NqOJ>1k-5)DpAy{_jK&C!Wa$y< zOsGs*pj;56AhHZv4kPc20)bEG(R_l40K0MXK~7!rSww2~ahD-W$k>qOfrktt=3 zhK};bk-0_VNv4~R8Jn7xSn``ugXOo(z_#EsP-s&Ipw$ztb=Bu|P^SZ5fJGkvBhDSi z3VpTejG>Z7Ci9bQzE-s+tD%qqqr}|jaXkaocc0Ys6{J4P^-0ef*d=;J%Vt|-&G{ag z>%VPdzbnGDh^dWnQ4Sq@HO9-Ht+S`2wfK5baFJMe#pz+YbOZ0utM>@4y1(6EpiSKN z{~;$8j_MJX9@ZST0`?Ia)1(NUiu5=P51X;QC4?wLNA zcH^n$MX8o?{@8#G{V>e7ax1uQ>|xrqX;9E@cdv6jL6}acMNOA9sVFys$@&EgTvAU# zD)_^{wLG+puLH}wy7FD_sbr$>xwPW&=if~Q#4|e3S`^n&x1;@?mKm?U8kA$Zqk`3q z7C}ehgL0kcuz+t}%2Ka;w5X6pUlb&(*5-)$x1WC>z8RVKUfWesQKj^Ro*3JE%@>7q zlv=v`2nq|IT&^}GL-o#oiLVgVKicX&R2J6xSlK;(4Y+H?|LK zfeauDwP z`^&l>vx*Y=6DPjq;D0_)3=9k2m4A`XI7}ZZdz_6H!97GjAdrroKIMl_KonMEz<27VvlYa!}+P`|@~VUvKMu=kGNhs-|_iY51G7|69#+Wf>S?#o)x zziwMA$-5-b{UmuVA9a;Z58;BCazxjCuJ>?fb$ja`rT?q78}POb((`try`7wuKX(1c z%21oIKj)W?vE22bD&vW;Sh*Fdb*fLEA1^MzEFAZR0CR8U(IJwzO_5JQTkv z3a3zUL~%@~WTaYZ&S-wr%3`RF-nrkaqC@aIU!qTX4 z@L|?)NU#(<>?VWVFlHhl6b=RU#Dm?^xd{KtMZC;K{8t)&=ug3SpQIENV9!sc&gSO! 
zE>;e%R)|e2u%_m%)wNxCk!-5Tv^G^;ZHwPEzUv0yx ziu`#i^uZcnZmTVAZ3hz%tPe46E^c0te^mIdtbcd;KUFnc%$=ni>|ixr#r`eee^&m_ z%>P~SAANrQcb{+G^8aU-|B>_0nj)NkhW;O-_#Zj{<1I|kVlPEF|C%(hm#;KPYT@7{ z;1s0asRQ5-vyfW}H0}qen_J#V#>pZ_RaPRRS6f z_`SM1=HHGo!Q-*G+Ty(!(str4mebb4>#{Q{xX#P#;Ro>?Pe(YID_geW!Nr09uPeYu zF4wUu5cym`Ps8ZHa{rXC=|+A@fP?aPc>zB1683jK3s$VvsNrA#_az~bZvYAS-)~{% zwmu=?UEbD$)NTK!(YT-Uf;0$p|8?CaeU- z#h%Nf<@s#DW`z7N2E~-d?Hs>5mTHbwaakb69+2Dj?!wiw?BTx~b*DiHnf{zgCF-?s z5AC4l9~t3j83hXNkT7X?-0id7Urei(Nk`y0O?t zyQQq|j?)Q(bJp+vB^DZC)IyD!iEPnj*=Q1DN+H+Ev+WTFwVwCMe4@R{9QsRkoa#R( ziL7fSk*Xskeg$S%$EK$@;v0cwYn*sBmufw2N{!1l>lL?6;#p(AHUHKuH-M%n60n)Y zc(52Fqf7JY0`7O}ER+wDYVlMV`9DPVgYr3M-sDa z+-Q`1n3twaf)&Nj;G|j7X=nAOL57@s|-13SA zFI`;EpHvk9)=$qSzs?ZHujBzKX&X~89X=5f$uZd1o74Y&g{Ym zajfyaIHgr*lC>Xz$2p^wXuMivo>!a+?LhkAMmxoB+JCS#|YN|!up0Pl; z?&qH63~AsP_6_YDuLqBj`%n3HAfQ0*)=qvq8y@|802K^=or7>6g`%jYH^imq#0V7E6#kfL$y*HOgUrwsi=QJ;;>`J zp$Zeb_i;O5cVf(0*fPK2{$UBKHhwH#q|)uedv~X>eJ7de?(P50_wpP;x5clZ471mF zJC}ZMh@+)h<*mN~#&NqG5UajrJ=4~erq#(*%5aAAPWX;u$EzR+>JOR2l=fEB@|a*H zL%RNkzpOqweR;Z)jA>HeCjR2OVE5{Jx%*nRLuLJ+J6~K5s+sf*@3;xleDdf7?q7VoUUy(ne7gT2;9lx`z3Rbd+>K=OyD%clYrib^X7gwHlilc0bnzBy|-SNi#C(K2W8bbuNP+^!+xvrWS!;p%)k&w19~9!`GTXK&Xk z)ixG?I0?d}5SScJVlh2hZs3=^=&AoQ%X+^Ngss;r4eAalGapHrEB?d;Zg}mB)SAl5 z57oR0AJHstU_*r0DL2cL@R`BvwL|lM%n-c#lCwDH`TSn9XrHly$6zb9!j1&cGOt^a zL%akIkncb6@hwu8;(oYtTw{>TuB3i8_;Q|FUPBjxzL47W6h2@P5chOCCAz}l8^&IH z@1;~{85Fi5>b|=5i0S>i{b)|)M8pA@&q4%9FLaGk2(ng`>5P zsK72n3ZgredmQfFdLyPoD;My)5{{|0wkHr6vb>&lh}0w8@J2;y+@cCl$NZ^esl(HB*|ErPCax(esuVKY-_)JY#$W6GtSoc zvUO|O`1ys;8}u!A+FEk*>eC@u*u|admS?-j!CzHTE8RLsF}BQN9m~+x;X1=cKbyj` zVtsPbE%?T?w|O4NH!(w|f%6(Y-#npd;Pwien%?Ibqhj9SpSF0A6RAGx_x;tf!>WKA z=YALlsmX-Mc{I15@5SzvW|fJIZjD6@{w1~lL)9t(9K)g4VZYjZH6=&AnBmZF4Q;#5 z#y>Rek9MMj&l2{i-|XWL*`mwL@!Dr$df;roF_|Yq-9(`RbpAPW(-3{bke_SV;WyXn z>B4kH3VvR)srX!B&{q0o_Lrx958yIgz$u?itHxr?Is9(j|9Q2{vONHh?{|B)UCwJd z^HXi^mj)ZTxL<4A#cxF*rVF7_^mSNIp+aJ2nqi}39vG>_W8HUtmU|-kH&9pENPD9$ 
z8#jE)`}xzr6*>~TyD<$`DA3>w;*-vy$W(98CQUY0=HJ2QHBj66`L&EZtLRPC_60_Q{*jh7kX0YaE+rN3!Q- zYMbj^e0bFrDQcC5;&)b$<+J?yHK%8Eg;!9CMpMAHBCq`htsS)V=u zqILMkTzc?K5UXy^I?0nio&7N#9v&q;QEFFER37fi z*obs{qgtJnG~^05`9fOKRV+7woXBYk3_ct&BwA{E$5g=Yk9oUo)&Z`o=%8k3hG~iF zmG*n4zl@NCth8vL&*lEC;C^h8Km+#$V0PW>fc@MQdTO-pJi_k2WL>nl>al(#eSZS# zIoe88bx%BUJD3~865PURnBeSqFoEent}x@82e7Y!_!0n~FVltmP7IH@J9!en*$7g3 zU2_ccxjcFhaIT&oq5hxiG>G(b%7&sN?if|G4}~ap3ACG>zvEx5wslGTW9^J4- zD42cUe~2MfAfUZ3bTZN#+Qv_}`#EMH6Gu;Ee+@l0)vM$2$|avdP4z}_8P!v627hzh z%$HctG2pxzUsII{e$A!(7KTJ!OiJmKc#nO{=;x_9hS?2w<0HWHwDHvCkWF?J5xX-k zva3DKF83OlM57;ctxZ1|@lwCVeHxKN3Zs?V;~lI>G&9QL9B%k_*2{{Kv5{?LdBE=` zZ3Yv(w!~w~?f#4!)q_rSAB+339-bZK#PT-0;6rbzPA|1*jSaLOUEi5C!cxh-ZcRSa z%K_bqv^le*7zcr2#VC zXp4n(VHZU`QNnD+-rZCEM0l=)q;*3V{O>2wZ_IWzmj0UUQ8y zT36pyr?7A)Eb|2Z&1Ni@=FHJSUaTq%-Z@xe%XQ~c=$7E-X90}6WT0jDOq&2LVOUaW5q zBj;5FR8qgOic^%d5(nJ}Uv-?13y+gekofc;Qag6S@5FXB-UcG0FR@j$ZVJKgjHZJ{ zZULS173%~Rq+%8Ze)p!^=IbY7{!h0>y1k$LrqWtpC|oj13i5I8rs7E6wLj4+@qD4OoZrDDE4 zG_OSGq#bMr&NZr(;=?^Mu!6-pIBGM5=3T)ZzElzIq|_AI3gQMjk}EB)KdBa@i`cU% zCtFK#)lTfWaH(l8L0W8}pYXliXr=7A+ysQje7hfmQNB-T`ru|^Dt`$u5!1^3x zEph&?ZWk6GchzZ%`H5oe=&QbE>yC)}&K4@)RVMF>h!@0AKin*iIp_R)%hC&-|JcOu zvO6W~7+#4@9bV@ZqWP<23C*H8v>qALmu6ubKamXdumR;V;_iE}ghxHMPg{9aa!y=> zxf7wD^bU-1^hzCe%k}ouLZ~Od@hRh!Wj}N8z=vA|7+q5`zx^`fh<}Rv<@s{naQUcV z{a8#%0&q~)up{(9o3Wo6V~*y%*%l_&%F)1cz9e9~(727O7F%??D=fQoTE@1dA8<`3 zmBhO&QW1K0oAX`e4HaJS6OXPRo$1^IcUO>0odn?G!6{oYa^BCH#`O+)ZGRVKU)qzQ z1~XQ03T}vmH<7**aI`?#Rp{In1bjhFmt*z3AApj1*Lwa)ajhdN{(_oQ>;Mp>Kjts2 z82(Y4c=SE6@%qwo4j@_Tsc&eHix)ABYqM;PqUF9Bqc!W)T7zA-$p|f>0Jx&C8*DPN zm0my(?q#3vWrJ9|4w~K7$$4#*%V8UY@yOv*EQFjA9_Guj(?+&t^O}A8$7+;;VDdu6 zJUi?06AZ53FkDGQme<_(=EZ546xB=ndXZU ztCv78h(8JX&h&8exJ)J|av$)cp}_um*^@Al@KP$MY8XTcJy2(-@+8y%2JIMw(u{s~ zmiSsO*BFl0((Bk=W#e~KmE+I9U;dFHc}p4_r6o3MwJvLZnAmmhf`OU)G-~^3Z}q~< zVgw3Uw>r3-M&LIUlvxWjbS!m$red3_2h6rzqE?Zx)ts$0A9Gq{s~<#*g8Cd$ zqq)rAMUIk|m&0WTRR)&xCPs3*!bPnS?ci2WEZaP;wGg>v-(90{Vj7sI0@CE{!BEp# z+BLx*3PRB5qY)HJrO|`9((hirN18Q_Ie#TIhK_ 
z-d*bJJe>@Sbl>rA7guQ7C0a%fJqfw);s|miE;I00K#EF7$En%(K{fLR-c75dTH@xz z1ovknoU2OL8o!V#C|WjO@?!)vyd13OgtxHuJ50E9e-{3<5`7h1xEXQm<)_bdWtx0E zXq3>bb)QrT>BuzqqpM^Iu)K-1WZaT}`d!yTn*GJX7y_CnAAc+enmqRitn^@XEis^l z;1K6W-XL_GYvyRPlBA~7HsyXGA_vlc#t~<`|^tbPO!z+NP_MU zK6y9G2ua~wmSxyd)r>g=*I>6%zjgbL4sELk?+EfNG#S)ws_gR4WzWYMPdzYCJE%5{ zx@9QhfU)fsZodxON5AFu#*cSAux>%h;;+#QM%r|GwlF`u;^kYd@FALVv*@mq<6N7y z1Hxt=bUl#*jlyDgXbWX;Fn)*n1U6)^wTT@QtnE&%xlcvUyy2v54e9FWS#walp!6M| zK?RteV3JGmQZ@ZF0BDqVB(}91p!fftW|4h07}e#26}-l4D3ifxezZdWYllQC=ir@3 z0#arV;*;LtPQ#7r2~n(K;5er^e32Z^fq@hf645`jBE0=ckm%?D%J6#RpP(a62QD)X z>OyVbH~Q>!yR1p5H0U}S9lBUkgg*u6eK94s%661?2(0vSK(%e12GqmQMhkugiV9aS z$<{M$Ztn}{>TI+cqCKcMTls_SpPwGHNOoocYY(L-(Sp#0sse9J3TRc1sCWGV4NWw4 z6bBo49$RRa#+1)Xtm?IaF9}Cy99%o@GR&iQG55YdYS8BkcM_ro*im0@zjZCsZE#;s zn|jI%qpCKI6`dOwySF9w?8JEbgD7}^r^ZL+3G1ZvSTSxTi{(e+vXqFW64fh0okEwR z@-!>m{GyM5P#ioTR&xrv1-XINgZntK*Pt<6aYv0v0CIR2)XBUWdh)=hGc7*lwL$Ma zPO;id^s1t9+ny+KqnXIg0{zKs%uUIYH3q zRi)eB@4hjji5r*J_3w(Q^)?l4b7PDXNWK(o4O%B5=ZZW0YDlg=dj5}>R~^rf6Gzqe z$1Te;#QI4EL3El1sRmxf83b{UxaX+ujMP4-eZ;HY2aAwV-U-)(y-FiZAI5#t`sXle zKL9#M6)?|j83>oHg?48*;O$Kr5qFZ+g>x2uc^^1GPrJ$KZ9YphyQYRDN?1@}A@^p< z>ht7c+TgF$b;0pHX^dLsf1bvG|lq9HS1RQ!rXDr8~79w`b% z4}2=$APjNc9Q+G9uMU%F$Guz(QewdU8>ZoqhNeNmy*B7Q?cc!rEckIhRY}v`|Bj-7 zRaDENJj(s}cM$(D(yRSXvOg&Q`iOrgU@*A+jHR6LPlErZ6X@c2;3Mvm;;sLV*cilu z5fqD4Sgav`!(J3BN#u)}n=So?w*LnkQ5^&$DgJLCq67$+Ue-)bLH*_5&^I^%NvH%1 zB--!2nXCRrc;OP7I3I3&HQxli{5vfu{-Xt1=~sWJ1*LzqfN(5V^6#`@|Bn_}{t*55 z2lb0u1w%P{P+%ysYgGM@7Az}+n*$L@Hg=?{3HbUoHj z*?xa4e7{$evm)v~o++sLLy444rA!i~rRj26IWh-qS9dt|gQ zDI@rgZCO6zj~&VJe`@j`gupNPN5b6Bke7tjCVi3L)wvi{fSvTQA}0RNj~>nuiSo&q zcFCCL@(3EEuWFI)s^6v@-$5=Zx_JM5!&2MznvG?)=Z`q(&K?N*{@-Iv*< zU+MGCg|2Zwdu1XCxWzo{CdBSXZ_J_|Z@{tjW{e zCPjC@akM{Qk%Rk@LTo1#liYSNj<(;U_B8Gu=7Z~CxiJ^iEUa=J*hfsjqJ5yfZj5f*%LIM6Zo z$5J~0Zo>5j$98?t8Z=75cOoCl2L8aIQN*0?cG$Z6RaR4U12%^XRbtB&5cDIZCMFo% znTC6b%P0NDEod8ty2l4)s1nD%du`xH-3~sIYct-Dsa8(s>C2k0#eF#a;T5IT54a6m 
zrfIlydA*O_5rNMnTaNC3Xf}@PzZOzK+kFJX;&gR8{Mtq`uIMUYC`_~Y_=KY+o}Hl2 zjiU$Uoy|gO0Cd;65_o`Wpob2a29sj6KR|s3szL_o`3Z+s#*%R0y?4~T0h?%aHg(3(_$KU zAG7JvR}Dj^_y6+%0F5AmHSuK?)=1Fd0JZ-ipYP?YmizPLbqh)}%$pP9c3-w@AjO^x zPn4tfo%w!$cTho}4}$ZvCD)gM4D+?yPupii~4{XumOMlLEP)Ys^HMztN%$CitK_o_PxiNrzH?Y@2nSx z1|a5X<+mBZM5ng^=_hw^?M98=Wp7x)8zQz?ZFY0%4oA5>sOVUWAiwHbt~2UFxOR+& z07cMJujn8#{A-Sv5*L5)@3|t?9A)H)bN=Qs6H5MyO8_k3FY~@WR)GUQzH(S1eD|;! z#n}uZ-=gF|l+5xKdpMEGcw?Qg>ez!BKTgwFDQFMPh; z_g*%EZtjNW!(bxcDWzt_FbU_g*@0@a@Nr|00Cva2nc{qV_*Uh%JFvGUQ~0P%sWY~JXFg*Q~nqz1Jfw?M`2Vd(x!-GrNxZ$4)HpeMq7wy1Zr zOZuDFF21mBsHVS3nE)=!Wh(UMit_boIsH|H+mSQIQd08?xoP+mOcclEg5zy}j!%@S zx@J4GKV5e`zwLc9rL-bmDSeHXN|P$?$fPO+3O}a#)gARkn%_1&>7_0V{aqDJ0Y<{+ zT*Nt+Rv8v?&|Py54~h!jiAZb>*x(Dvlm6I>QDO84-nh-AR~tWNo-AMdi$(wA2gLCs zgq+vwKD6OjKE11c7xcpYw*r%0{LQ2kc3q;X*kT!^>#VW|s|H_HWD0Gzq@sN(Bo)SI z4#$wM!a{`1>(~#5R6GYW#bByR(wqq?5Nv;TDD3iK-uJsdf}|wgx^y8EYoG6oB`WOy zrolTYq|>W}?U4PR1pJbj`#N?jJ_X3ThD=% zem5Xo4%C!&zxy#Pfekp1%zC?J*?QdOVMN}0+Oz9*e}9{m#wz>%yx5J`jXg|PuB%Vn7}bMAR3QyPv=N67tfS95^P zl=XI?L_B*D94o#ikhR7*{eBShecdD3efLf z8zvzH6#)>^!DL>L;=o&ZIiz^3(_;n><4kcq?=6L-4=~>PXqc_Sm4$`gz;Pedzkm4N zyJ{j*r4PnoF0OJmT5Lo(QFZ13m9L65N>a{ua$qZ*$d`&{4ZkizT(i`Hj!A%NZxobq z_y09fK#3(8QH0g7mi`Rs63LL4@gMQuPe{>ab3~(fNb>2{+ghuNUM6`vZiCJjOk>>; zh^Bg_mBYEIw$R4_bnifeFec5BUk>!__DMHpJ^-<#uJ2FdqH_lZYZMY0<59eW zxs01pht1gMoM3h)8{&0SO)JYKjo0twV^yJxdl!UrvU8xK(>l;{RG+adO-=(>z>bT! 
zL^sOT>X84~y@&UxqTa857OUY89C_;k3L%z_>PJK>}jZopDoyvpvz-8u#?bxdxvHW`*yfH)t7J~;TO@G$fIh{>~Inuf=R4{_S&=LdMn+zk(ZsE4NUZirHT z?P>jYFqz56(GyQ1s5aJZJALl8Vnr+5BE1n1tVEr~uwjZs<{yN@CRE$3vA?gK~D z7G8rA3KAWy&;u1Vf8LWHp78L9)ElrSS~|l+GIxm*V_2#m%>ND72&Om~O!PG&HSj{h z?IGflj0S~!xZAwOzm%^NLG|oDKHa3V3Kz@8XI_Gdamp`~NjluI{IqLiFJ_#qHB&pE zhjDlvlDy0hp@Sq`|LTwGly?Odg30J8s3*8U8@0$%?@7Sab|7b*q3%iCa_UxS=6%(; z$M8TLIg%)NpxEX@gm`K|!A)?gPSN}BAPVd}_WMci83R#a#}ASESa&9|_2DEPaE&*t zx}|3S0v$=@nw+yU;*fSTz?*SO$+&+iu320kqr)^L zqhZeMK?<7F0KNQz&|JH(_qEZOfV-q5>HGncu`}AohaT!37V(ZF zEu(l0UB=$3y#7SoYLSEu-vfBGq908iI()FHW){Y7oJnuyDT2cWzvfM%<)^1i{4|A& zgB4&QPIW=bsf>h(fN$K3dZ`!xq?}MqNDf>nahEh{B>^5&Fzsr9V zki+E)=S5;Vf{ewYK{9i*z{%WdPhu4-?WZKX<=Hl2^-P&UDGWk#znw6he4TyzKf3_C z24Z=!Q)Z z`{^~CG*yL<-tbRRX2m6;aFdnrvgq+GMGO%N8d`bu|K#OFrWQiWhcc{yQKujeXki!k zB281cLnhrpW)yt2w|Gk+9ZuC>CSkG~wIx{W9F6t5vPYdT0=%iU1ACiDkvZgN=So*f~3+g3Ihlzh(ULV zbT>mwNK1*t(4ZhK-6l{-7xU&Iq!SU@toJczxDm`t##H}kHE}4vG?=r`?`PE zHKBo-ZX1>D4%jW@@EVg%XXHZf!LLH2$3T$qF_Iqa5);4bu z%DgO_FfQ~y%nX|$P9s~>Ug%8$)Ixf+2%0C5`M7sl)q+^7z_61l_kN$lp~*L{lZr|l z{d%jTQv}?z3_LL_m;IrqCHMMZZSd;Z8Us|=Fw6Fk45HBnd(hYxigWTtSe@*z`q+B` z$1pTo{FsqF6Wg58t36VHnR~&K}pfAysXuV?pAA!j`$*aK;j`CpD&Aa>Vf8goBhtg=-3Nx4Y=3o2t z*M@gD(8+q~4ccCCX_Rr;V!lp1;4_v{&f4;guPlFkaf2W;!_r{VIBa(Il7#p0#5j?m4?pFnRY-`|)V4_aBa zsJyrPxd^=&N3VbdM2-R2#klzlA=dM0WTeO-RISG)&Tda6|3wFDzX_eo0x^0mmf@?-tama<6=Nx%usMHasUhaQ)C?T7cM<-YL9;+|_ z8fT|cYprJ`)~4(0Ni+1`q4|?3(-zYaqH5=gQDY#*L_V!4HlJ$=;`can20ejI#$$#m z&!gD@YKD!$Tor+-$|McSEm7M<9Z%HY()R>oaDsxU!|8xdVQ&=AZ}AZY_;E`r6GV5s zL5=XcXU-wQ?x1kxtkobsI|fa2O|?%K5e$;+<5u+!n|kM9t*!Z9ui1YTs1p-bbwZBz zV(!}1Rt;X4^PBx_BgB=30u@rIYpQ{x(aQP2B~GO8a`fB4>qmqD$&8r=j1M$irCm)0qKq8rBdv7@OFeD6r65Nn%0Gl~_Mb`a7BdyR?dLq{og81KK0T zj9;s{uYKdNT|a?t;bO5D_e-x;ux8b<{7}`|#m5R!nVkn_0wXi@^@;%;g_OI)&@w5y z1pMH*f|996YIQVq--fO^LfX#4y%6<1KX!U*qGF}HxNSuzxXwY3h zBE9oKX3QQS(}Y;aP}}%*?E=!$VRKEIqm3PdaWyN!viNuxQ9Tdj!0HXB1bz!fwj5ti zEa6Q^Hb*p-jm*?N_0mE`@#B`01EkqvS6n$ER7Rm+&b;?WqdQRfI}^}2oxyNcstMl;R%xK*6 
zXbk1RO%)y3Ai4&g7rmZPPpkXgg)~>JX{G*XF8CYIa!r~!8hxx*aNS>B%(u$#b#`AN znn|2b%qCp`xQr8WL*%-Ci~t#=hc3-f+hy@)dr*&P4^KX*;GO+-t<}vd6{o%?{ZrIv!OgnJwJ-4_MAmlqPXQ&_O}FqT;44eIRUU+g~a~L z5^8X_4Ivf9v{yuiFk3Weta(#nbVXDjPi%f9J^ePxcIJy90!-oWg?~tU0lO5zoLmxO zV2Cm>npgr9!AYE_V*%)mt2^Ji;ELC{3g5S0A7di7y4#K{P%KMLj~nv{l^?hH!mgf; zVi&T}<|bOE!!o&Wle_2iA*}JFOZcTzz1toiu!&qBTAW@q*rcWmnby(!zPhmfm|^>A z<9QyW2x+?JJk92Ys1MCEDRh6+W$QSc@M3+H)NG{PcS$7mqSK+e@+@IE2@zI%nx8pg zdo&_YE83v|(B>ph!>==OSPA_n$4#^VfuTG#uzb)$$J0|q&El=Q%;q* z%5;N9@<$@DP=H>+Su;f2swQ(v9cVY3^%r$o_I*;8uSPI}oN)pmQIM&LH^C~`nr60Z z+|ccppLUn6Ijpb=Mf3bJNNGcLVop<6G;63+Po{0j8 zEL0&B8vDfU2nB1$HOl(F?2IF0cYCf&=&6SDE{&4CM9W<(QIApq8q-8N3JXOy#NheI z(x$9#Eemon@g5@{<34qE?a~w)vcPrV=os{2`PJ-hd5tP*x z0D}$xP&$#-t6||QZF#Hs(K3Yg)L`Mu;nA-uugE>`8VECjm@~uCT-s z?X0AnOC+FNmBGT8ItN_=fdDqvCWeWnSy33G1$blV)IxJY`H$vT5Q50DuXYIrF>w4k zf?0yp<+JBnS&8<%Z)?BR888ZS)oj}v(yszf#S;Nd@7YVxB>K)3qQ{x{K4G;p=fQJu z=>|z)nz2zP;i{*7YGgDU$$`MzEUfG@zn#A8b8sC#T+|u2UPaGNzT+`P{EDeM8XJl# zj#)#NHJDuhTh)*t_NZsUg(hnmQxNY_y5*pL*?qyf^2$d65IB1jhD+|?l!+d~uJ?Clb;A_;HmAGmV*V*bLyD~I3(Yj_nw?60{Lg0Toz-Ia6gUqeE^0zdVDlTh> zr}_yupVYN~@bt&_6FZ#cEj3eayLMJNayRzQTqneQ!qyg0jk7tlqmmw|K%2 zgF0$!R45hMB_aw@V_(h29}H_oMUs71DM+Tm=ykU6!)PKVCbpQ`l@-FaBcM7>1V)TD zLrdpGoI~kv^rB~lzSbwI^~7Gra9G(S7{ivl+@fiIdfBFaf-l5bkiK{3o8sH)3)(82 z{n?(8b$;U|tItaj?hahF>zLoK~z24AWJ3TNo)YUlwm4T8T9i z>eVbr&T=)0rTelMYoe%r65#;3UYD~wop5i(fir?6=~ChBnZa|3F&ncG*&AHd>%4C3 zMeWqMoy~&wA(cddQ!|MbbMF8@@9$iEIBHB+PUGPh1?qg;xQ4X@!LVR~BKg=FYr|S*Ot2)T|*f?_VjSyuy4_kAWi1Q zT5)OR4Nvc{9I>oZDRtO~yVH z^n2SwC<5 zlnOCmSWMBBX}@w0T4ey2^Ynnq_-;4X8%=*1lx|5S4>FvblU@WJv${`KeVs#bLtz zaM7K|6UYur3T|C581S?nfcEk2YWe3YXn6+M3u|8$Xp6OH>o(Rfa6C)#ieXb~I#LLL z0shtzG`+@fxoT!wV8S~uY5zJ+e{GCDO|h;DE(Z<$Q$W<`Nd^$`lxUZk$205|DSuHH z(i5>;dQxr)K<Tvf_^m|a_-F9 za0n2hZ%e=i(|-5WXTvC#r@Wm%ijCyib?R!qs1`K=kOdLOqu+v^tN!&f5=a1%s3r&z zP@rrdJI9=gnGJEoDW*!iMT=BrpogOl=pM$E8!`wTEF{IC;yCb`S!?sBmlCZO)Pzp7Pc zu7);X4i@N4e+iD62KCf>r&gXSk1x+Ly2DL#O&o9-j!BetC^TOL?)U-QNeNGZ)x^fz 
z?1Q{>eUU-?E#!2DENLz%w8t?^fJPxAo~L^OngLY`X|2KJ)w=;zQsZbwhWi}g0wMgf zqV#D#yJ0m{{N@y+%-S#y)V_)e*$&&Q&(UTg)83?3biAR1Lx}?R_GmCG$uqIKdc9aa z1FtX(WLrNd=GikC{D?n(VZKVFUSgS!+Ub3sP;Z}vHvGKecrgemG-C1_dHkMgurlZt1YioN+kuVUOX3Sc!f9#Rb0uwh`= zo);F>hV8#n2|q`jRxbk1K$yj8!X_ZeeWxRTicoAXf^@3z1ZY@!&f9bT71;*9ENK(m zjNRv67zBaQmzBZ;GdIw!o3vV$0&TSAo7Mc&AuHT{&d&x+bj=FSyfd_p!CFCFJMF$3 zT6=!7<~U)~UisJuV9_Huntm%ppiy6G>68i#L%6(0?Xe{Bn#bFq1e6ai~C~bf7|n zHwKpQYhNrv$F4+qd)FV05(#a&y=Yfz4|C5|;iuogH8_y3AarRrH4~mz;09Uzh2GAJR21kk$Xh#ia=^k9SsBq?%8-Uq0Xx5BsiKIxFROxMtsSk{-L;1q5; zXunFkMD$Z&+P#Dn7HH$gJ$3#j9b@LBS$38X6478M97-#oVI3Pak845#5(DgLtM(5XzjC>u{`i8 zDp%gVZb1@p`2e7P?cIdL3K>_X^o3vM5Yk))a-t0lT`5KqFKEqpw4{enWF`krI!mJp zD(0@Mc9w}kQH|%(1*j9M6imdo{Sh{F4I%#83m?vZ^MX5@THzn)Cz(-t!`VdmvP{WsU=lCVP=B>gMG zn1ngsXn4~0nGn;~&D}lOgqw*BmBMbtmI29k#ANckXrGFIjMdjSCq(}$GBVi7;gh8& ztQeoBc3}18Ju>@CA8Or^mdaI71}cbM4D410DoewTT{$BKsa{*LPgC~IWxcum$Dh9X z|02!aXHxXYwB%K%jfv5q6c5zNV#*_I!6_Z9K)V*Rk=^bxA-kmtA{Wdr0xUDl&Fa8! zUw^kQs6BQPyco_VPQY+|VnW z+XoDwT*0>!JwKmF#qS_Y*WvS(--Q%3+`GL3vtkf3;vh3!a6N8Sx zpRP%Zj*}7Hy^5iv)9SKJyhpL(!#HxY_lb2EyNXqzQSOH)#jzSgbpPzNd7sJBGo{f+ zy02u$-C|h$o*>{fKiKG7xTEiH1dXT5?k*O9;;;3J9cq%7A%|sx&Fhn`FvS?A{CeG* zOB7_Tq)zlnA35fo5fxFxYtlmZwVh?Gg1>gFnnOkPxrL#k$|tI8f-I4Q9_}J0*lWGH ztzCpXvVNEO3g(p%k|W|vOiUCfTVUc;hmi^k(t_oLX7D3t(LPf96z&P1N{lzdg~a-b zw`vBl4SEt(rAJqEv1OEwW^We#M3ixI?FW@Brj=z)bR!xb%!WFAfDbnoDDG3GPF2ZL zifjgcj?|LJO!H_gPPFpWJ%WARkwPYyn92M+=7lOR2mI^KQpZH}*r%H!dDNFse8j~K zMZEPBeC3G>jZ$b_a?t_B93CNyzf(-1bK5-WwJyKejNXUK(c!dpLIPx=-@*hKH=8TEeTp4g_bKWe3o#7O#SG{qBFm& zW=t!7JCcP#lErrZDcy&G!i;doBOsVCr6qSvuwf*drLnMFjUr%ib)csabWV-u^H#Wm z>0y6_s&ZJ<6o>NtxGW*)StELf4sm&f4eQvoz)jmZL!B;+*a{A{_%8I&_$q>CaY>YA z?y|uMhTiFv8`|+!E#aBy3LdJo ze~S?V;r(!*FgwGOUAd2 zyH5ZfINO#_O3)){`jdC*Rxe{oX-OE*_7rx9v@WA`v;ScnPA`Q{CS7ppGfC`9j z9R#p^1#an|F3T$%vdnwpRZoI;B%S-kyPLv^hr&j7iSa?^ic?ww&rT_M)Lf%@avx8_ z_8W{H`jc57T+VNi)ZRTVO{%uSoLen?nDojBnQBL*rU;)jZLa_^?yL}jtzlw|#OHm6 
zF6bXO$}G@_;dP>&>B~l;LpxL?gzJ_ks#ZVeYEJ6S6vW;BtShtmqVfCd>6JPq^h$##N3s{G)hIYvy;`fHc^T+)w7vF%4LSu1lQuH9fnv6#E2=OQQRtC{}eZ%^qy$% zTVUvT)i-BmVms`KH_c{&6nkyF44ZlkPa>PU#4XY`HzupAb1n%J2j1A4-LJ9yVm6#_ zNy69pHb8u^hLmPFj;;@Cf8|OX&q~p1G8*;~&qS-`pEu7Py>zo%H8Ytj_&CVy^we$2>Ud5 zG;LR2n8Lb0q^(#Z1&F|TrhwawHbEq@czrB|c?*5x;Qm3acr z?ZA@AbVH-efaICR<_F|w^?wZQhy0`?CQul^fKMmOFFN?21+NQ3#ObApnuX7>e|_$M z{>h8BzRU+YfbU59i%9r$;~O5Rpu4SK<^NR~{k;)k1N=0UGIW*w!fnt zLeR8>pgzr?)%LG@#VZMRhEFpl_n(*Oj}p}|5tQt0#A}!S-iJRAkuic2>`eUZXU%`D z-O=w&KM&kQd||3s|9gDEUWhLB@l+P?{^rC{vI2{eO^fiao#8*X4gJB+yso&b^1HJp z2+mpv)6nH#kLz9pq2Cy@f`JJzRqgVX@OZflL zCA^_9OpJDhu&d-hQE}{)`N#EQ#FUF>(*wm$AjjH&p63lLXq5x|gzTPr;6F!wMp6SH zHhv~&^P+t|-Zb7`O`A@B$}fN8jdYX)!(YUxB=_h4&J7SnSo(H)6Px?xKfRHGGP-E{ zliPtgNNU%rxvfqY@DTjqi~3hn&^CK3c&Ahy%$))-TzBOZPJg}OtiQx0+5_#@2Q0{_ zOlhynY?O*0oVF_u2B-bN&dC4Wqch=viM3Br^Dv80o z3ymlX{&Pa1?;;KLnEaL#%N{EtR@C;4;3G5OV3wW4-!ueX3g>d;%n@dy0NN zKv5D!W+(kRQytx}tPK~GZ_l@n|IC!Pdl_paj*S8aBvo)$Y|V##(6^=qfh*%$16EwR z^`QPG3$O&;=xst>Aey1Guc&wp0~7EvK|q>D#^A56O7C^%nX6)HwT{R!;$BgGkDnQ` z3L{behN$!|9soqeI3AO;C(AgH5lGY!p52K;{U8t1B!I^8gHGnJMT3znzFOYQwpbq~F-Y>f78cI^N~A_^0qqFH$ix_6xhi)>--$Aq1lWoB z$=*sC;ID>DG=L~q4g=P7OBl#0{Q_c2+5}A0>K&2laapgwe~hfrw_xJ+BEXoMl;yJB zo@>=|wH!g)yIclAIGBtK#)a2N0Ig2hu_t|vNQ@|VTPQ$cz6pBd&F{z&@5~4SaVVI* zdYtEo&uK$bqfpoTRj%^)&N!}3mFkmS#rL97D;8nvIdp$dlR|u)t(rLt;JRyLHJ1t| z3*~sve^ZHWl;?<;Y$VV47{GFly{h%VGj;opQVQB2s09#Q%Sk^RQgeW7DWgpbpt))% z8W8Da+|%fbr2(2$nkR*JCKDAl8>3;ykHh+^9L$=Vr|UgE4>eu8dD>OM<(l+>!w%wU zKzz;t&@j}1^D5DZIy{q2LO1`I;`W+MH;cB8#b_?JoA9(goe{8NVB3<@hY zSmQ&E%KQks^`LXoQ0z5SSRbB%m}?E5H1$J|2_z;@nhS89IkphXR3zLHP_;}%djWcz zVEsHqQ_>y_jcy{x2wvb2TLWnVq+2?${g^dP`uARXm-1w`6t6e6qWyL|fNrRtv>^l` zU&HfHgt=CavG#$)DtMU|rYTGf2o8DH?v;iVtYh>F*XRgXWy3QUp!kklD+D+(KoC?T`*D zaD5HoXaEaH!i!}#q?vK|W8aqdxjf9d0NDzw?+E~_7mCPsx~X^!C@-YzQ}9Gshl-@p zK2mgbbzHfJF77o0B=Zd34!;fW`r!+1HshePvhjY4P!H&MZ8pn^f`BTVv>6Sc5|c>Q z)@ySDiuPoXi?ER4-{Utz2YV*8ox$7JkLdWx=m#DHM*Rso-yTeH(Q1Ze;%z|%e)ADs zXqZ9*|97Ex?k5v)RPpra?T=-dmRCX0^Zi!rP326NR} 
z_ZFc^D3hbMqEFxkIaJYd zh+*ekYi`HBIN0Ad*zJIaT~C9^w)6HnNu_$G)6xD3Gn4A{nV-2O0}z4kLlN$+xBx)$LbhLb(PlB8!YHLKzr$u`^D zdD=5Z+3R@ZDTmRXqD;~ufqOI0uXRdRE`Mjyu{??npPB(kY}NGk&ams>5B-s3OrllM zF27LYyW)CG--iNE-f-RTLZ@{ETN-{~?h=if1nPH>h~mO+(s^`xq(bRDo1S?3!6P=0 z5%4ryV!RJ7*{bpd5HB}GhPIndrK||8a4)h%@i6Fx_W*Zko9Da~JO%0FZ4y`i!74{5 zUgrUpCK+)J3dm22S2N+NZzGP->~g5AKAxz-81aEQ>l5*t26#7{61SK|7o1Px_ws>7 zjI$-VMy;LyLh)Nb<8HXmlu}bU(H;dKd`IEs`6Hg!;wNpZU2Pv=5`{UqwJmm3SMd^FYLEGQ)%CE9WTr9%TW+(cU5J=JIqo^k5qFbr zQ=r!XSg`YOZ4g4i3ci5t_-7iLi?>2>7Y&4q*1XqO#^(_#C&4RBrYzWx~aERcSCd{=x!&d#OnnV7&(K|CJMoA!t= z-ZQK7i#xcf*phs!b`vrdS10+i1V%r%ypw#q$eT{424*8T0+Qwyo-s@5ih#m#n&5}S z5hHES&L6iTm*Uc7%CO<glc&)>Hu3she{92>m%n?!Uwuz)`n4iA zWcLP5$-GlCL47>YSKjXXppW3c9@Y$m&%3r9#ogy8R3=bMs7KFc5j0Gp1~v znw#RsNd59Bf0pgf(E%P;IGBG|;+r!@lx>}oFw2dA3a0pz<=x<44z__n!prz+{2xDQ zhy??#O-kU&BkuVC6{Z436Lr2L3 zQ^`o7Pu{=&^M-;#inOnf|9^gSnfRMNI0&@~!Mh)Sa}>83!D$W*EBoESlc5L6T$@tg z?~Z~P96i+jubiP@|D^Z>I0!Ot}9`KaKs9iUuz7bo!9(^--rNT zjv{Dx0_}ZA(CI}Si2~pgoyA?f@Lt{=c#ZjW8!owlU=FQGHChqJJP>867hsTjJu|@T zg08Lh6R7(fLD^7k$2K@oxkSdP`C-)(rypG?I)WFmKA9It1~lpcSf?MiemU{Sp}BtC zhYrn5hD?EnSjIa#%W}|%YXafA5g7+v2hdN6!{EiauRc9*J(`Zpd#kqCejzk(oL~F` z&`KZ@``t^IAJg*d1Nj%wSOb)5ooOvf$i`(0Vq}o_-9`IQ0R+9Hq9|RabVPvWWDdD9 ze*a87YH%Sn9xEs}zp4}6Ow4_j>VvMM&H-!jgjU%F!E{CR_HJSD$SQD`!%+Lf$|(;o z1Bbee_-Co9;Hocc5U{*I)a~?Dj^{Pn(ca>iu>1b;0l&lQ%WClO{Q@#a^8GU9Vu}IO zR_*pIh=kcT`c^m!y~sotP*PT1k6mhfvAvI6b6M*^1NU^zW}Dfa$a8R-3vw>@h@rv z&WC7rky{D~OCJCVMDwtN5a+p20cF}TfVfqG%Q`Aw{lhDdGkA$B@*0(hL5$d5<9)OK zjF6anYTsh>HQ~AC?gIlcj@uwWxn1V4@Odll?eFX_a856ZM#eVPIA4si>wtUXZ7}K- zVY%!cx^uD6$a^Sa^ zizRkH69>q-If!HDznjnt`tSPapw!%M za7NMS0Xo864bhW?1TJ|8!glccViah?L|)&G2ogX7<5!P>-ly$V9ng9A8*Xz!BpHKK zTeJIt#$iCI45Sc@HWNbD^WUOFHCXyYw|bm=X$iCK3t?b@<~N6;KwFYlFCOk`4cS(r zL$~HdkHlQ}3W2Re=5uQmSa)^Y1AdFiG9a)x>3ENVL=1iCjXv2z_hZ{~ylgNvCo?w( zbK^kvyu|^ia>hVxG?U9}dzie}+S|2tbn+aCu)n3fgAR%y5Z!u+c6_XZ&W3diB9Wd1 zo$p+PrWYKrCD%bGy9iA6p`;g@0SnE-X;Otid8%}m?XAV<;%O72V6PoN+Jr|k$p}Y| z0qvz4FDHcoPgUE_EPvTt7Jc~*Nsg0YW 
zaiU-W6=`5NA8y!Vc5X#u!pqw?ujQsuVc}9fiV+Rr=KrFasWCvcErRRaegq& zI-YZf9dGj-CYDw8Iq_nd;&dy(#ZjXWpGw@LQfma3Xn{w4R6>?l)L)GUo>0p6wx znDCUq811=r74hrv+A-s@$>XIP)oWkw94JL7jwD~$#%gVMV`|jhweh3$Id6+&rJVj_ z1uvtU5Pb4PCC1YanEw1hmOpoUsx$X3G1pR3Ge0K)X*gJl5Kf>=|J`d_*3B6AX$6~J zyF7CRCJD`N>wqzt7qtaeqYSifVW`Bom-^U@;ezDNWYt#@uC1(dzz<1d>yDRMOddB? zdJDuBnqZ0^fT}`R5kfeLRvVH4t$JL(^QePVi^};aaF3$xQP0phr5m+}+GuhY1q24p zQgJdu%ndX%Qn6(%Z%mbhA-V+;8QVw0h@_e^P5~B=5D!V!0amuPGwgs-6(Hw0+`cl8 z7N)>$MyL^O;AzhQrDA?mq~3METXxezfNe^;WFSbK6e(KDWVvkr9(jbxe@$@#z$0a7 zRqrwu^^7pu6Df1(8G1@|0jC9S!}O>?g+DS_$v9MJ@{N{%6n%%`dxssqzfimAopNcA zf0_q7$|V2v?(wUKj~+gh;uv{Yq&fbT{jT!*JA4r`j^U|%{30DUDOBD_H9bG35;2j| z$Dda-b{8oVAF$qbJD^q=odlH@O>x2#mMGS!j&T4oSrL zXfVs&{rXOx&OH52Z_Ja^Amf{`rLFEJAv##TF+2Pm>wZaG!1v;UHq`v>^e+W?a3exY z|HJrGfs)v@p~79dqgHkP&z7tkmB}J8>|vVIW92zUR-R(*fhYB(9G?uH=$;wO7(^6k zm4D`2_B?V()v|wsn^2;w)``On>v`@5YcbD#Ra@*ZnWJ#M_XS;dVfz$n@&r|F5`hz8 zem8`$7|+t#vKU$H0xMsrhGIff+_9rwPEf;67RsNEL4m2LeKcb5<%$oHie(uIwpzKt7czgTLg;E(+n_pTm;V&J;ip0MtUh}tqTY`npCw1sE#@?#c5Ka;_5NKkw{i# zf8h0PJO@vXN)LXJ6kLvs)v&Z#>kyW7hGSfN&}WeW6w4mUfXh!tlbohTh3F~Ut+Qr1 z7{%aj@oqK7y~#cFPwsBsMV&(0q>C?Ezxm0z3U$u1RSalvtk{mS@wIzbRtwUtuJ%L< zgB~n$gOJ)la6ZVH5PUO<&C1XhDyib<+(UW_)qVGVuz&Dqu4upiD9Z!wP?{VU+@)Y5 z&ew4MOw!Y6Ka81_1*Ras%Z?!;Wmd>fJSz0PZ2fD~#JDG?IAP8iK-j&SEM)z}HUHGW zu)nzZMuVbZ>CSDd%nIlQxOPRTz$npYQ;x3z7Q{;C)>Q5f4nA; zZ}QdjrK9xmau6=kS7|p-Cho*iNPv5)eC65j2gi%P<;tOphNZH>HV1Q*L+&_jT$pU; zkrho|^T;9ZL3zFT5uxWtJBm^c!ItiDXqeYQoyR&$QsIV7fBmUn_ z{exFaumc}b5iUXLk|CIZ%HX?XCZ#A`{98lsO(@m~wBai7G4AWlCNrlYyY%+xqnQ}r zHHJL%Km5Vn#vJ2x_2Qhcom$DZ_@y%)&ZsCh@hJ#|+u3}6m3(%aFRF}u!fj9>M5WDm zs;_YmGf`)hEhLJ2R(S5xY+dW}YuC#YmC4Cs1QGU-{e+EM{=GC>S0CwgD0gJ&1dMA> zc#!0$7b09M%=z8L9pG7IZ#rz$|lmE=a~labw4&znhLm zq}1JX#?-%U`r`#=Gc5+4qz>^Z#T#|zE16Gp2a~iqvF@y`1~HOo;njP`eG{fNPh0b- zGt07CY{O}2CeIAq6J*>6-apQ@{-4`&k(UTPMbDwDE>1q=SvD!U>E8hB*m(o1TMhJcTA)CV zH9v`%J|2UQA{ln%30j1Ia3f>3fAa&m9RJl9Z<}`GRK_2%@AzC&poZUxwwI`(4#6Yf 
z6?0CdCE(rQ@>}7Zu%nQIHphqY1GJcY_B9o;J~#e?gHBF;d}11EBSgAnw;)E;41c}v!Plx$vu_|Iaew-x{Sw* z9f@q}w|>NKw7S$;xLJNJ`~IPN;9#OS6=fEDjZ=L(O$k4pgV$>IE-O#lDV0ulS+dru zTDG#;==yQjI$|Z*JlD}7PfmCLa4fG*ev{Sp;;fxd)3Dwkf`*7y>d~bjG_PvE z@i$v?;wdSVW7j%gmWx%X`;weff7ncd|0h{F7KKJ30Fu=ZWUR_uib` zP?E`Fq z1x3zIiujoy*UEg5nHGN>I=xoR(^hk|@hBr1ir z4b{#HNA-%I@||`scA}H;Z;;(BF0q!Y_*D4ITXa4XJD(EHV4Dvqq1I)Nv-T&ulg(2BScm*42_9W z86Q00$dEYQ`?htWiP9XYZL}&(_j@1HfP3e7@KT67m#paHxP6Eclu|XnLu@%bE?EBP zt>@2t?xjQ~qh&YS+e>pdxhDB{MHz8hvUN_=iLbUfAHw`MXDi3*sA0h&krk-<&Qp}? zdj|=7N(R>+YB%bu+SjQdQDYm2hw>YgV~+=JF=({P7{cN;HKp6H^f0(iHX&l{@tciy zw(YV|x7|0+<4F%S3FEpld%Jw^AL&YmzQSD^40t=8tCPEQw^^)4e1(szNB(fGIs;Xz z4OEL$oaoWu9l5T@TzBUlJYX^WK_26L5Qkv>_-&mY;NU^&683jDt{Q1~gv9m^ZoZwQ zs>w{s5tkO*B&DCb5qq0O(Iju4kDqn((z9(FPB4204EeYnTr zSC;+yj2#b1>{JSZk84lGK=D$w@{(3jCk3L+P!sqt!CRtpZn|J7Jf!VcI7xiZe%*y@|K$ zaeJuZWXa?57#p}`xF@|1U$h7bx5%Qk9r~2*7pN3boZDiVZW2Dn57>| z!-7&@O8rK+dRB&MI1qQwispAppj^nqAd~{oCOmcYL!bZq<;OB9!2NOT^jw&Un9cYK z^FfrO9a%mb;zi%=-#w^5B+=sdhrVNSH+q)V(#sZEE>FIybeSCZ-9d6w?yqA0W-lYs z!CoSk-@YjM*E|0q-AUJ;{3&eyD(^0^fpab7Iy>;&FW*!u5dTZL{AEK(j@~TvMCU@) z+`vQaL%QnV?_SIXyYfo@f+#m^Yut~AlFqbglN~vf8k6S`^^t$3Ft$vg)|7HH*XK6} z@=OUkI$nwJ2k7nJ?A))W7xvt3Hn5n|c`f3Y&*fY9O#kjL`@;CF54#(Fkv*8B)c^U_ zi>=%=Ew`isY$%T5s}r$nC`w-zLErOkRKmE&cs{9xm9ht1Xr9pQWr3@5+0)Rwk7pL+ z{6`XnN^tY@yr%tOCq<#hmM?=6k2A^PR*>^8SkS<$0lD)tyX1YbCF^pHBRi$FI||3v zIwv!=PV2|U$+n&awL6~tMmtumpLlZ*)Joq()}HLhAAD;j9BHS6>4KhZh{ZHe&nH|U z+at{f&4(S7YRs=JHxh*o`mi=D%YI~qL)@poZhuwLE^d94u&YGtxxjE*PY!p=COc0I zM|@O7+z{yT;L)#`be{bfYGwastOxnt;!4w#37{Fvf|)##&>lt;F2@I z?3~DfgOP# z{ANQTFZ=B0u?U*nuqI8`__ce*xbiDab*-lhTzlVdxbaa-q|3m}bUX!m4n$^BZuHN2 zR3MkuLLot53BN(Y_9ES*$H&O=H2B4OsYv_yTqgVTfu?IHserOVE#aHBY6WN0!JKk? 
z8zNSj(Q-AFIxwLoT9@VXLB=3wNx17=U-U4=VhqeB0{oez=D0uM>A;<@y<)o=FDM|m zX$kdbygY*&htsg}EJgNZht~#G^I48V0k*7L`zksk;0t&yphRLbvlaTS5ST3x9XC>s zS6Jz;DtHMUd{@z_ItV*8$*W$XumJ%~Hfw0NPc!6nAjTNNH6WAW9bhHs^PzNVQ)R5H zppHV1%4vCdY;P??=Xn5=KJT67=?PqDGV8^GnJE=Q%xvk2FJ%wc2k6@>k8>9Z(+B%+ z@oV1Vk_nRWz3wUGl5w}RmVD+ht60nDlNWb8wJzL;cfKw3X~->Bqz2iVfaP?b<8o0H z@}NKrS%b^+lmI*8+xsOqnp$Np*BP0nGrP?K1ebxjg zgm_))JTgQ!k!907Lq+P(7b!G?JRGMj-G)O5eFI^e&8HOYV#fn~6P1~3lCx#T^N7U_ zS9gmL5y7C_mGbl^iBFxRZ44OZmq3qR0Vz%PW8hBIi|I;Fp0E-%^{(6PCza9HzMWSKn;(6s_*_t=-B)S=u*p zi0x4xEN=FPL-wS;0!;54&lRcifiL~a3URs^5XNux~^&JBH(uZs2g~uSZ8id1~U@*m8-T)NbGr|!=&;OfobPK5KX-p zLa};evi|vTe~O4z3G8sJHB+ny5098p1&*o2$fcrV^9fA5pPo7nwoNP%KBxO;g^Jnk6IBj8TrwumN zs0S)z;Egr}BhqdS)A8(a5v;bQZfVcd7~(?Xz9W8+V=Vle10t+&4Y7U*~#Q{_w6%wUdvJRhNtX_&0S?>yS;Kk*e$2BC_B8 z)9&4Vw7CHBfjqxhGKRM~{~Yk!2#)4*ndaHVCCN5X>bz@fY{%tu6`RI4pUAYMrfzO9 z8a`0Qt+;V69+`V_ROFLZ7OLs5%U0;oDJeDTart1yKKIel@@UWD1kjG!{Y_08NKDPd zc{R6O`s%wVc3BpViWk$)!7K+TbbH?QC;~d(TGbEF8o8-|Fq%EZAdSbw5t%9C?@O<|bEk+JEEF zj_~E$n4QXzSW!SC+SgpAZ*-J1#JcZ{8j<#pc|2|QIplm-adR2V{nWA6)=K#rtbOgG z&u`H$=YNDt_l-)eh@3P{Y&mPQR{?=uM;q?kh-8rItd-adYd@t*Tez#cmyLl- zX_>QdqLw6Je@Aq&hUDt`TbUU;YBOpPcib|+cX?FV&{|J_i+W93kEV|*f}D;LL%1=!Ry1KRt6b4 zVJGc)XVsW@Y70~Zy5Y-|w3Mw_H-Gaj&C9!#R}a<%U9qjdW@g=mz)Cx$Dt?~MU^?gG zdCOT9R$k4a*C=b$_|X%3ZQj7#d4HOMk{oU(A6HdawX&H#OO_T;Wmk1_bCX1dOW-#P zfG?bV0Gj=C;Gn5#(1;jw0;)k66-;;iYR+bAadU;ezWqiM$;SSm(+f4um;C|76r%zx zinDl>2T-i43F}n4FbB`fXYM$IWvMkow#@+(iCs>eYH8Z3!X8t-MxL7#BCD^P9tzb2 zG`4JllYAvvMgT(YVzJ>2SRGGlmH7oX@}?l$>s zI-f@_<0X)DIi0`QS4#5bstmb^B8p@>P(adsi{PwXo|t*;U^c!{k`wKIDxBTJ{_?|X z^%e6}_2FWzw=;}6WgOLaDn%CFKP*f{Zb~G{3MHNGNSvE@9*TW_p#Qe}{Y9zoN!iTn z?-O+|gXXikr}5bX)(!Lqlf9;9ND(^-JTx!eK&B%cQh`21nr2;T2{>Xg@!JPB)7K|z zqwhNRr)VC^m@IpY+LqU>IzKV2bIMYF`Mr}ao#(`Tn(zB{R!%Ij;1@sQmX=@4cV3!b zPPvd($5@ex8gsAaNOP|>wR(u;wKU8$N|j&sJ&Jkt%>#J3XUrNJG8{R35X!?ef&4~! 
zB4jR$8R0#Lfi`=B>_Q{%-2`z3YMY3CafWTrriH?oe0`o7;?KbMbKCfnhc$_2yq&(x<+;L(r3A; zWyZ)v77zEuL9o!P08B(J*-;M$+P4y^{;KNmrbQT>L{0b$_mk5!@8D@>n^z)7V|V$7 zMZU@Nhy~e(`CA@Vhuahz(lIg>;CJ&JFsdaY84HSK51oX;nnxLWom`>xT&T29w>A)i z(sVIo_H%D$sRDo`GZ{tK68eI zRH>!$cC3E?eKq72-K6wQJ`h9^7KSc3Jw=aJ7Zlf7G zy5-64jm-{+WMk*7y{4@aGj+@Ty=-Bj}=6BW9RCn!o$l*eC4tec@9bco4)A)vob;xb6FzQ1+u&D@UUG(fJRl z&@{4X9s~n;dir$t#9_(M-K7t1-Fm9`)y#`xW8dnV*7!Mg`Y^1~u=>%Boh30%mE@xC zOlb#Z%D5$t0NKm=P}nC|q{D-BE-re5P zIOeg%*RXM!b5FvD){au{Z@gv+eN`Ed>%aXtG%y4OywH}99s{)EnV&-Zvgi(L4)a5vH^)=y`r z?xY9iJ7zdRjJ(Ox-_7)x4)L7_9+AP_5u^5-XAku~s#UPzw6Z4FdeMOgN_pwC(Rr_Y zHp(5g%i2yiHnJR`InDOl_`%a5f}cAr@N(U|g9v&FmY4&V(*3|QzUerfb5qed4a|5Y z)Pvr3q^i(o$8bEec_7bs^{H0CdgWSkFq!q_tiM``btWD0&eM<5dQEps0@gM{?uZ@) zA5l~Jt?#%8#P>x>>wR#)D{>CIDAFVEKeOL|d09L482kAmzSPg{T@}s}>sE2QVDW*R zrM@C6E(zIDQ3gkNk(E#xmSUr!Ln903S1RX6w8@h#<8#TJhEFMmGYl&&0r(W`QV{M&R{WF8_b^xZaGd2NY4K3Nw3VZXEOW$Miz`!-51!L=et6nIH`JNi( zC`+oVlZD^;`r3kVE7iFS0kZmB$RXWlDap9_ElS@Y%qN|gz$_emQsvjzcEjrE%&zTq z#dr>-eudsbLQE0Yx`+dMp=QoI?JItIgON%L&v9LJc|K()>P#gwGTe9=c#d2yEAh@= zI1ux}A+-1@6_uboloHumkeBgtL~?Pkp3T)WAB?{p2MuGLbaJ-P*MxWvE}ZB!6xKV~@P#Oz5||+{n!g*xduRo~^fUSh zpXyIg^(~9DO=!Lqc^qz|IpI8RUoA7HLNSb}5Ha6DfX$!>6aDb!)ykvS4`Phk5ual4 zn!0nBu8;4nG^rm!S`^g>b;Vd;IUyRR(_?eE%HLndL?`r5eFfHaR6Vno;b1gQ`Yvfu z0M5+!3xU__s^%}etWR=9&s<(%O7IvvsBI%Q`V22p6t+}gkVVI05>;J#F>$4*7%ToL z#p>;}_CqaijMwUyhVfYa_b>*XbFkc2sP*{&l>S@Z5NYK4e>t{tAc_RazIg2OAO8rl zCP9IK%^a(9<9VQ!RUVb8eCPwg-&OQKzm|+8j@Qh{ zAyfPEA9DPEa=bvcNB){EKH2h(j6?IJgxpbN}?;-tVQtn96$WzsFGj zcq?UrfiUEq8XW6iBaQ#~(_oP>lw#sRc{9~O^|ILJg7s(>t9R6Er z=p8zZ%8z5*0MElf{T^taa_q%z|FQt!37{N=5!LGl*}_+p=d#biblJo5r}saAM2?b9 zp74JyH**L_(c>AN8jInIOCY@r_ha;YQ@C6IRcjA0EQfUGF>ljdI93O-QoJ^iBB*^`Y8Bm zTY%W=E^$RZL4kPv019md@8#eRR8yR31ofgdK>+95_8a*E6UkFvOVlV1_T;n*SED(I zrs@Zk)gCW^ZaQbPIaCN1g`O=msO3Gp2V#(meWzgRs|wiFoK+AGmG={HA(wR!L~`lO zx?d3^(B=nLC91Rk@H!~_sp_Qh>3zjzoW61Y!6`2jpD!Nh_U-4zkid|K1S`ptx*?oXl zvIY2`QXmdk=zr_35JP1RO-XgkrO?{0$mp@#NDZ`IL+}nWPb6zhIkDff8vG=*3@UbL 
zKtgcb8A<9;x59$z9JI}e5hw$sZT=rCwO~xN9^j$Vv>L%u#sE8?W^Ly7XJ_)Ap$G^C z?-c39T&tRh!8(G<`K5!GRd7?5bBeEqqS)a;;}a9*!UHoE6$Za z?>iW8n?dw}{48YvXtYG8C^vtx)Y?63JD&EOkJ$hX?9K>3>%3+ORO0)v4UcOC z7(Y3wyK_Er1BQEZPga;@GhsMMR!Bdq3=#rO(R$DwR+VKE9>#_VgZ7Pf>+Gu@q~cA1+Td);EHjv^{$p*oGFl z9w>fxYzIgX-{;9&Cpl;3#fk=>N}s@}IZ5?h-3u_X3efIkrA9V|l@t4fP0_W7(fUH(j({Nh{W7iL6#_`h)^V#yJnygWxh-HaYxJ=`>d9@}p;4{2Ib*6C2 zHVl%$!`0IgFUbteXWePLCxomfcz>g z=VB3KEbJGWUcsw#`EYoGY|%SeRtO z1~XR1{UJ}_CKIzM3tKnF!~pxx!-2TcTy$wH;eiybHJCuKo>2FYu$(_x(oao9jJhsS z2;Ss1a^yn#B;BE#*3FN03S1%&cc|(HDNh?w6*bYFPv75k)dY0WM?3LeihuxYALZ5gbUxiMK4X}8Xd5a3FY-3JOA4yhl?2Hq+%M$ogSHEW@7Z)c7QDyX_XGj?#RxPF)=h11riSvV+0Pa=l14Q@GFkWc3Zigf1Mt?>a=Ik7DT- zmf%r+2E&UX35tHshHYtZtDRxw)Nx}I=?Kfch$L2>gz`Fl^~!lIt~#C9SMrsU>fuyt z;QWi>YHJXe=f+iQMYC1EVwZ=+U8#yg+Olryt{hra9!spchf*3Lq_BTn5eg8s;9;~i3GoWAjV{T?bJsk9>d( zHxm!BlAQ6E7GpLHh|+g*xg+y;e(_vL15;v7w8p2^H1S^Zv=&JU_^xmkeT zTnBR{I@N;6wYZ_r{Iic44bYFB?ibZA-m2z2qdmGZ%3(y_9GTcIPDKRc=&Z|6(h(v( zLsbc^)+RsGu1It0jH_ZDZ=U~Y3V#Y=aNg=P&A8sd2UDegv<;iPH8|YG)V`cIO}DbS zWNR7Uv%z5tj}Z|}Ujn9XpDV91cevLmw=h1w=7r;%-Lognwl^4dpffnIuM$qmnU(_) zwE>^07#PEt=V|@O3^7=_y$Qm_&2EH?_ETRLF;QVc6-IBS?<#JG-j=zjeOYMWTVJN> zabWjN3zz}bI67Yn7g?%rGNxgNXT*hNuYD`xR`z;k0;AV{r|R_F>Rw^A9r-Re%O$Jq zFeUb*7t{nx{~`-arerAJqhzEGOZS>&>$;O;)qCMtk$SjoBBNM3KdXolp5#U93Xw~C z1fhZXtTG-Xe?$*x5}j$&e5REdHRx@YanJvv!4usD%$Rt5@O{h`9vW9s78FrJ28jau z*q4AWDQ_*~(877bvt=J%#VyxO;=bi;JokxhEzG}zf94IH0my{ZmV!%n{aSEHXukn= z((9T(jDr+~Yx@JLeHj;$)3UzC^L)5W_&i(#cF?pod9iT8KBjlYj*#qkXKzVh$=jqi z2azc1AEVi)Jo<78d2wYfHJ&08T-u(Jpp;FhMd|ernxcwpIdCgVC*n;BwtU(C&z`2n zq>r*!jZk~YUHBBuW`@#vg1F)x*9& zqio8U#77qE{L=oZ?@d1Hs)^(y$m2V|5^-~$D_p#9$o3}89v+OU>Tq$~Gmyew1+^_} z)20zZu?2vD`HkYhw`m7Kshx)q>njg~D2H0!?AJ-hGv_b>(?9lSpKhxjDiM@yDQ=( zm7rb73PIkH+mqw#71rwz$I0`q9rso^#K;il#2}E{H^(#raO|)l-)w&Jmr94^DvCLScn@8-bCvnO3pdydrOqJ!a`X~lj<3Q7l6ZvjP8EL6&bB8D@r05X-d(SeD{OA) zp5K?0YAFZ_T?zwJ#6zL}LG-Oj*I%2kk;u)mVyq~znHun|sy?PItiIPoq9m`xkR22f zB{4`LB$1I2EG?Ju)2Jm9R{^`WnJ|evyJOa_sS%nzl9A8t!j>aV`cfiEI5eM!>mvC2 
zDUn4~v?E`CdN0u?7pcf0t90sGo7aE?IY|u`Nk{>a(aC*b!EATvI_OT)q7r!j0?9~$ z57qaSVmlJXD)oS5iYj1Y-dducr|&db-yKD(=szMuR`%nY+{rZb_ifXg?`%tCBU5WU z+IV|kcIz3VU*fZL_5K43XQ$6zJFqA0c)|0mRF%E^@WILclpk5na*Xkxp_IC2b*1sA zKc?5r9WxcS&z`0Ude5)+hPy2rRwPFXZ=8b(L<6LlnUEPo(=C|Hc0Og^Sibi-oDaSe zzC_f2t;#8GuZZ!oi7Z_OiaXPC8rl{AlbYm==O(w^faTq%=yA^|ouxcts`REo6te7v zYF)Nw=WMq{ zZs18Q!%ADy!9m0towb^4h97ElFHEp@nLOo+X#VSrULNkE7gIwpG$PJVZP7o$KJG<5Ct-h*{wsj{m1m}Z3x4&US?+fxJJRY><_Fv&T zW4@+&^_>8r6wCV<%^sOIs<=s9%`^zMoBQ8t4wMd(e|p0hsN_srYZ!4qoylgr?`iNP zm51D)%9_EHiM3)<<)Yh2AL`5}{JucWX0T3sBMDk%?AVIQNlk){OXNpIM@9RiHw}in zPV)FUQK56df5zNF=Z`RYe3S1(UX+IM7%ni zsxs|*ApGDG=aWKSeYi6nyry!N8i#B7mE zGo42#G4@L$cA5C3v(V4EvCIC@YszDRvxC|WPJ<6p&|#fv*c=qty(vAc^xcsO(#8y{ zsu;wK>`IYTIij+s5KSy(uwdQUh0@yj;qIe3ItCH6cCIl6%`V4RrX_OKa^u}egb;a$ z3AyS$>LxZ~Q^wMrse3!Q;-?QUN_WGYSDY#zd8K)P%D~Pkw3MTp!PP@sHOC z#l*+S`EtzkTxpAFhgn1gw6LxX8%{WrZ&c8q;YT>?=bYbexSK4&y3_yj*YUSr%)1~% z_pP+V_i^=8h5JYAinq`|`_6MAZQnA(EC(#t-c**H9rj^PR-P>{cY)Jo3gM$k>o4ZT zPm*pIB^V9Kyw!$zv5`Lg>e5gX5#gZl$m(D%TV*W1h&pA6sIWZuy7#KWC}*q`=vZr_ z*k>b@#g7biq)zFU8sbf3x_y(}=uD2;%CEw}%TIk+;YC#fbK5<#!ISf?SFDv1)=W>k z8ELP3lfR|p%7!QEcU(!AvIyXthLxI$ZL8yjCl%MueL&PQJq<}|NoP;2lg z+4Z7AOy70bU?yMSxuhJ6#?u7kbBGXae;TR5;^|V4C~}#fA-l!*$*WxUr4Ivy;tu{d zueZa6#x?2X;6vN4+C;D4x1G`|7WW@|r4Q`&RBrVOE}TQ4r!_|8SBZ&mNEAIJB6?Q9 zDA=Ew^-U6>u$~TUSpGe?{KwZCQrCWd8Qvul%H_pwU3T_atDiE(Rn~sIu{wD?>G{FLN^y=aaRPgs7??)r(T33E?3z>1=-#SbG z{Gs@9RJ#1|Kzr?f)8*{k;H}&^o?9FG-`AW|CBG+HUjV&D`91she-Jw2BQS1(A?gUr zx7x%(yUZF^7IX{a7}S674f!p(qjcdU|Nmb}(O^5`aR$Hn$4311-wt{(h5#L^i2J<{ z{4INLju!OZ;(It?WRtCEfIb>_Ew3B@;ui!xm(T2ldAB^Z&L{hhra?^htDF_+WI(I@ zuAD9Wo&LW*zqj&|bv6ZA4>}m)T`;%EWzFCl{V#DF=-5>Nw)BqU)zLT*Rm?sZH#fO$PI$%iA2jUsm7}^CgyS=eIGSx&jd1 zIK}}A9)$+(D^NyT1%fb_-P!Suy80$h&|MfXv zR5gKeMwFmlcMdv6tx#1}^%9=pL+>B-(DE+5N`co)6o6ui@#<;+we%De#o2fxJq7@_ zTvmNRHX6lY6bQKR^#KqM?X{DZk-91GHHzV<$J?`r$}J#!R@#jVxY>FBKz!HD%oaT% z7VLAr01%N^s5$P~!b>=79^CVm+=j6ZU}12LwuRwoyAhMmrN|iq1Ht+H<&NpM`+|md 
z>B`MN6VEqI0rLRv|MERkj|573Uts$#N|f)2!F~q!CM6)HAnlqX-yfiHnRFYb2pDAn zWtvsOZmYSZA94?~U|Htny$UG4zb(KQo_JbQWRQe|P_M)~WESSZo)ygY7~1-1u`cwK zxLZUmjOG3tXx^yU(S%v`q`SUa#xErF|ffzU<=R74itk z1d|D4EkWqi4v=>xz-quQa+v=(R}7vL?e~BbzX1qbPHSgXpgx5hpRz~<9}_OM{VDz+ zQ72VBC5jhA_)wm&c+*2Bn*xRF-k z$|z-jXKV#7n^}QluFzE#+7}zamOcr(`o?dk&RR!Z5b8Y%oCf%O*t2%Pe1tn`16nHM zsyiT7+)}=Vi}U;j%@p8y)>@-@0(m2ZFQpwZGBLs#)7YR!UMIk#z>|G9q1GC}mL(b* zX>E_v@^6i@DYDhb#zsCRLX-7;gsOT`%VL;|(b`}%%?P-tjg}>$-U+y19xsUW6856Yey2_*Kw^|D7bKPYWWf<)MrkF({X;iUpr zgG|FmJobcrsZHEYbFySvIvs)8;K=Qlfo*(SrH}93nXJQ`UuPc z6NVPkAVxppkObcS4$$`6g2Ku;@(lOm+HmxPB*@t3jfgA&^2Dymm*`}|!$^1Jw3}`E znV!q#D8BE4z(vrc>tFb1QE!|1E{&Nka|@J0jQdrKNe;xosi!Z&X)cO&w=(c+H30q) z3jT-?EJ-g7fkc!Lrdb*=qvOv~dD6IVO-=f#zwfu}&ACLm0D0sn7vSsgxtKET>{NCD z9SnUNvHj)YZMDm}h5_B|qkDdEpG2P*r-`S5wmgVi-HhhJ+&>cTVt%kqHu!2-o|ZKR z;!Y;7bQ6#=1Y$#+psay0I6QF~)53k&(8Eoc77I8-4tBjV(iGtO_FkI>6k%iM`9jFK zTlzrJVXCNC8Hz|NfGVK5o{;HyZw0VtenE?9+wOXe5D!ROod8W9xDR;GH`0AJSE>x% zzCQr=S481Mmby9caOnP=e`6fDXX}8;<0=;kT0TMHF`toj8N@eq;SZ%hhG-^EVO-;f z7tRx=ov%#n*sL&z(B&K5f)tSLHWSvm@V00TY~^uaXRaiD%@w|_58r#*Ja`ilfnw~W zF&dq3A24?#hqTox5O*z5$dO^H>}UfK(x*tm?n7`ytS50of*sAbx;cvPWosFTFr*ux zGg&o`Kf<~+4K(%LRXA-hp)&xSjm-=C?(W7w-l*ffr(&nZpfdD>g-g6Y&C|#n*u?^7 z2c{WhwyE7TxcoW|v;cbZ04ctFWEM52JYLhBpL~(=B{(RobS1`P`XM>E5*=((Ioi*} z&%Al%p=JZe{Z^sFhG6#Y{r{@9}V#op^KoP?XVQn^h2<| zOP`^WY8x&uaq$qrxNPmEoP>7NcD4tb;WI}0Bnfz%iVa6vGUD4!JJfOlC$oWLk@~f1 z=R+;OrYT=NmY8y-rQ~}zd0%l)os?oUhFFpW&-#Fi`^Q(_>8`NdN6jqf(L89ezy$JM zO>c2jP}rNtHlxG0bolBb>iV+D@AN5u@^)pH`y~IwLqBj|)n#`d$R~m8mD8INtzjXahEi!gh#pHzcZ5;Gsj9&4IUE4)8&g^3E)6EvmBALUWOf z@PYZ47P0E}>0XNzd6K)_Pie%utr7`KrLuA$&$q9!!c9PfSwV;j^&srk1Tknqj%)wR=aP33*UJrpn4nq{pTUVIuho>HL-;+8rIr`)o` zp=@sQlZ`t&nZpqUT|?TMP_0ZS6Whw~4~skvE^{4t-Q(wAj+Y6{K_)XD2MVh{-#8W$ z6``HguuN>p5p5E{9Jye2A30)8_MI|jllF=DH|ddNoikIjhOC-VHt0vRevIppksM_9 z94QaXjZb(I*D0x9%Zks2@Tjmz>ERq61vVIdZf&i#LO}U(HEaqU%?BJ!ej@AINWV*Y=kJrb(<6A+r}D!QJO_Soo*eEl9SzOT@zxD>nYh=oW3~d<7DN 
z*q^o9ls@y%y>-60$cxR!8OCh?if0z%fqUYX!bw5PgFJiG;bx&GrYE~Efv7-bUb3xb zo$O{_54eANiI+@|8~JTeB}3c~{sO%-cxy`*tw+X@jeGI*H1M|Qnb*!YFV97us+slK zF>fVd4`gI>F-6`C%xn?v(&wZ`+O!7?#&ip%egiFd{X9%FZZA@T3m~0~_;?$?p;@B$ zbHO{II9^6Pu`J)0);>pAn9kcy2!SLh1zBy=gvUM_oEO$ijuh`pWj5TD(}0}p zNmm5#n}MMCIwimLPr(k(s8^xJtKg!in~ZbqIZ44Q=(X4VYS!XJf-w2THj>$0J#?MT zoV8MH<#J;8-s^{Z2e*~$qYzKoWy_{PcA`;;<(~0f&n)3#+a!k>s@~p_4woLOT^c5qwKO&4t0cm?cewNVTYuj4FjZdP*~d1bvCA@5!1C>2w3*o50XmO0~c9$qmqCgm+LKKcdQu0 z9>6gDVc9fra=6ISeF+x2)(U9^wkxC2#|V<3k0PO&kbYq*G*fIHft_yPU!)%A-$e;> zBy9OYmQBV#UNSMXNcM-|&obK^X%KqRA@4m~q({~^HbGQqZuZ(RcgydG+~Xt_!2oAR zmg$qdPA5v4OH)Ut+fUYINHHw%=5aAQhiTt493(_?CWs_CVpv{D5XsKOk*NOU>o6#w z*RK+-m}c(hgy{f<`&JOTH{|0k#0)*FLDs%Vp~=Z#O0#Nw`ye)-8~3UjHIpcpsJCi1 z%RV0L7Ws(>AE8|9qb%C2P^T~Xd_eA-8a!5GqF|1S#KLE}P_+Dc<|~hjE8>^v)7pIe zwL0t+PwF=7W2)F&NZwx-Mo9qAt7$|c+wB1I>o^H=TCt|>{<3;tK!MzcTzA5l&3)Z? z$bT9CwZ)~A(LN;tqX;cLQLrfSjq(tF1od7s4_zCUyH)^GJDMflUIzsi_im%vm4#Y1 zY2!l*G+BsMH0=w=uS_ukvu2KI6gE-#5sXW+OB&rP1USQQ#KWWr$fngbxAhdLxlLd@ zqjxNP#1lN@}qY7szST$VjTh*9z3sEHTdND+ZiqtXCc zeZt7ReuR?l^z@g{Cvq&{l%WJp8MO|x1S&;*!_i%0Yu#l5h|2mBw~h^Cm;nXO?h(#i>^pP5S2(d0c7MPh?lumo>b*QcEn$*{^w(W<53&BrtbuBsr+nGMV@ zMKN@-=NMCuU{@iyG@dvvS9qj739})@E4y58t})KfwyS*g{2)r8IXDvKm}3r%kk4%; za#C3zizN)OHC?h#*W2N3C4|(BB!SpB_Ff2K-S$v&I7M8^xwDt3dB{ECbgzV_RYv`B zgJ98XwZPVwI>t43l`>|#POm5qGutIDU-C$?-vOSRT6VD~qMb`s`F&6EugA=8n`_2M z2!iW8teGhYQ=2l9j^wrs#UlNE7R>HsWAzM~(m;m^WG+(0Sxg=xul$I6Gx92r#DK!Y zYqGeu$gIy>{XVUZCbzDA!_%0GYLg4gzuhT0`{Xh|bErJcF*v z8}m!D92y1A^P)RprRbJd<$3$*wPvvKsg?(mDU91vj3;t(H|I>~ar+u?G^Hyo(Rhf< z@&fVbpfc`zm&pgQIP`WqW{BncemvDc! 
z1^}}~NjtI2Q4u@}s?A5vpM0VF(rqTfXHD_O(9!jbypt?J}XVr-((Yvld|HeqdX z<&bucy1Qc!N&SGMviygma@-VP(Ty&{wK)|lBF|Z9*2~u2h$(@jJb#{lV=J(wYZrJ6 zdIZfSyFH98#@NjPEGk75!;GRd$WA4v)o7X*Rq|V@&-73FUei$9L!S#7|aP%~4t#t*#kw>nwbhF<)fW#LcF5xtns$2{MO> ztZ}X_;hbztyjy3(>8L{~m&rhaT5q}VkDztnsx0a2;+{mE1!z0{Q6IZsbd=GP*L;>D z>}O233T9W{F>pT!JCaB`5dHZ~pQFuVF?H7;3+`vY1wm8lpqCsI)9zJn8-47QzoPo5 zBS9Actd0I@n-6^d3)k*)x$3odcq-bgCM@|eC}pI9gp#wl$` z`CorgGNtj{zmn1BuV0l+xE31lg!fz8$%=%3Rid%#$g`Z7k01#1q4Duz z>wW=zUfSj{Ag(|COIFsFFgyWzaBar>eae%L)V?$kN;kl4=>9%jYNl}HGk>9bheh?Z z3FrVms;{xwnrb8&e~_8k^j9n&G%IOkNM{lJ_H!~Y?Eef;!=)}kOZ6D2>>&5ac3JAH z1Xa0XAk4f9*>%h!5I=4K`0OSB>!HRN*DiBM;^}2z8F$RY0;U{+tP`;Tz>%dff>R^n z$Yn+!&{C`Qz#l~PithWV~ni<5`1tj^ERX`wp^WhX=xm}y7 z`w#yV)dGy~Tb}@Ns4k-j(;cQ5FQ~^AP}%PBJOWl?5OGm!t65c0ND{-^h;U?ldP+M^V#C~$C4cYl(klRZpj!S6% z@z~~VHwnMxB`D#h)O5dKllkcjY$ADYaf@`%xhS1F(FG6~wt0qSSse1uok1z#zml1*XQ;Z1%9xY=2A!?U5Pavgswr<9 z!Q@L+-Wo*c+d)l`b@c@h6O}f~!7efmkl7nl*Jo>y1y_-Od4BPVVCyp6vit44mN60v zRJAKGuQq`)_3ihc`g6;NKj;>>9HLrD1V>5iIw@Mte5uf&*r+ECol(&94xP`q=Nnp! 
zl--M(E9Y9-y{lj4I{rwDplt|^3L6~Z%65!t>B!geEh@W;fOuZg{?TE&X;rj?j8!{q9nMnmEP9Cq04;n{_#B9|f4tFn3beP=mI$S{f6l#tiI<9J z18o%jy>1Hr;2<6<6`1yQ5gevQr<_kGJt{fQNNHbYdEdP9F179p`8W<1bZ-P~I7&+?)Nr0;2n8b^oboA)Pu+Mi3V@T258%=&v?Tq-9O=;y`(uCb2{|70VO<7 zH*PcmPDc^Bgwhd^cWZEbKg?M8pgOe^s^UaJe7sLm;cZJn%hneXug-*)=&o0A1sHT0Cs063K!V66SLK%*UjzO+mrxLaC;$=5jX(QAf(BUwgN(pIa@A$= zTr+A&VJX!t(2VH_Foh}R&K@?9LDsh?e41V;$7veBHW`Xo!%b$rrLH5vu1Y%-cc{Qz zw9%xh<>z0I8pr$N-^#U*7eDVC8|nXL#Vbc$xxJ=D%)bn7U*tVU02XkXk7xNdWnr|N z(Hz9PD&cO6F+A7CN6XLY;91)5i(Jbp@cWDVWNrT3W$0LO_Lm3R->xpnntlJPv?NH2 zK6C$6tM$F|UyJ+CXjSI^wNFc*UtT!5Vf?-j{AU^tJdW@)(dGDGN3#Y9g};CQ*Vk-Z zC{|x|LoCPdefakZg4MJE2i^Itt3#WAu64;fjN{MMf6g{Fy?bC4@cSjvsJ&jmdWh`!WK*cH<3UvCz0-dw_f|EnBVD4#1?|YHq zxF4zqQ9sc=?w;+)S5&2i_#Umxej{NitA#Pc@BJV?02M@;=KoId$6No&9Rw~`0GWoT zyboCfGh2YneRn|k!5;-NAa^0@jv8>J9+oQny_@}FG9sckQFk0i=iuh01Y8PAyIesJ z<+@Q)HSpC@r>~gEX21>qBY#47iSta&@4`?!E#Z%k37=%9@DNpX4(^res;5XyQ9WqS z-Q-b>cvSoO&>4t76g_f##`@Q;xXzMUJ#Be(pt<(PA7y6?0@ts)j1PM*%hAC>)zfj* zB0n10;xek{@1FeU*6EB19ARe-MZz4vw_c0GFj;42TzVA*$wuTy_Q$akbjE=CxxcnD z8j+(zzcF|+l$HLy5}8*CHIROoHC@7Tzu(kf$6e4r7W3B&;ENz!Nz_5~fBhba!AKN; z=u`f^nExbpuA+uV(KyT0{$3IE=LVHP-H-RLy)XZ-rlens&A$RZVco#!kJ_l>(*OR~ zr4G&udwX@OAOCZn`Mp5)E2tRK48t1f|DKF?Uw{~ra3KZX(sZ`+Y9_TX-i@(g}y{{Qr*jfOnwhNHp|sCpN&u;|)WX*%Zy6$G;3%C;|vqlM9gYt~y!o&Zkz3+~v^8NqMNLEIa zgA*Yfkr|GWdF-+plI;+cnY}67=^!VRy%mv>vR971MMh?J_Uf45>(u-6e!R!;``>T< z@%5L7`?&A>+~c~g*YoupO+aC0527RZKh9XS2gm}75x}xo?P9XDJ)~ChG#;yana2t+<#CkZWSMHb8aYGzt+f0ISLb zVaxF4dABh~l^-88@7%7J#mvJKY!`q^cX=OzW~bczMfkD%0p{eg4Lv}W8hEg3FAO^p zOHpgxqL}dmG^aA4j%Z=rdy{m0ybdxEhA9N9O#5@RBJJ8D*7|@zS9l2sbP;5Dfo@ot zbha={y1Of2EZHj7Q&RMjq)Sn*d;KU15w#op3M%bMR6>QzGLz0nB5LWLx3}MzyQ6jT z{~L*}_8VPJhN-<~9GKF_YP|6^o-Jr;Zzt$#U@TY^z>504ZP_sPOY{h2DBK3pyP+VFDP>;tIQDnl;z`mkpmyW=T7qF{pLsi;wBc?)5|PsaEaG>FKZq2GWT zmpXzdA^xQ%4?DoqDr@CR`1yA8L0CvFm~r{dt3e%CzR32Hw{X)56dD~$rvzmxofpjk zZ>_}cTLt4$D#)qtA{)rQ$@~}?Oh!C;4i*-SPKK;0E=BmX9;48wwiS!nni2%Yef!0P z8Yc@N0XBl`1kmd=i{`%~Hbb4Cu;N!bJ4dls4JsZujxXnzpz*1zNox-hY#)GV3s{fE 
z(o<&aDFq)0?Y2vxjFJg9RPHyar>K5op%%inU9wQU>`HZc7BIWPCnNa4qRXzvjX8lZa&XBUljOF%T3B)@8Ow)$ob|gOA*VFh6d>dC^tj8 zeMxdLOGbkR1*!5m0Boc_W*FKB3hVbkR4;4TVWa|ORJrJaG3bUr>s=`<7wFjG4|{?N zK_Pz$abLr>K(y=+?9{uD<0ELPRX9@m#*$*q_2Ez7Yc4lFt2t%AFM&Lbr0%}zSKH&d zPlBc_xEM@@q-$T_v4F}>`V-lJ`{9(+zD4DV=M3VbQt?9C0hflB=AzE(_L7LB1v->L zPU4erW`@uo{U0?Y7c=Q=XgQQKmsH;koKeBMmxgfL@mW+&8gK8xd;*Iij{^j$)}f7n zyW;^MqvuwwVcf}|?$a^u;Zt{W5(34aj4vR8ephDofNh3#k6_q*+p3LY`wmvJShQqC zf>uW5M1sLtZ{qG%Fl83U$r&pxfdNY!pHzk-WeQJbzzl@~?gb(A%3s(ICD(98FQUGj>W$|a7E>9U?9FBdk2bE*--&MN-d;S@LO4a?)nA`90Vk(~J zKjJ<=2IAa;Bq+scYGXicLTzG_p09O%2P0y~;{=BA3McL> zEgu?H)2Qol(-8u$>I~7(95SPL7!hm>26*nG6S=-xRjC0Z0db#1emJ3VCP(&}#qQ9muy z?+(>8`=@SEKx!GSyy;VREOaNmIcDbY$uF~wLotrb%>oTOO%jtAZ%B_;%>;R!L&H~S z+Ugk3kndT5Svg7Zg)8oeCxkBIm@kYw>RJ~zuIzJBR8inYS0v|+SChkmsg+Se@~>>p zV=1>oLAG*bDn)nH`<^|)1`m?JTeJF+8H9gf=QO6OK!_GAfx*1HMcno;-EJV`hryCkSf%;4Hjn>=P(6i(h$;Egu z+=&iP0Vv?>3iRAk83|iiM~G3KYzZrNKbXG-!MZl$un|ove2|)%HPa-6@CCW)LNXPl z67(lPVK?a0opa*goSN7GQ6vjGg*>lB&~(a@tVzr!e+?`|f^|`*hxmdWpShMp>@}0L ztO?+3Xk#cT1gqTViNX}q6iBV4Q}G{(D?#oGZ9#%8Dk%zKoFc%FW1ZOPk#LG2Aa2;T0yPG|K4a{ZTRYr1`r1_k?+> zJt&%meG{cQ4{==cF z`<}ZHQwS2KUWGbiIn1l>u;mjLlatS|e}1S=CI3_Qk4Pd5z%6qd3c`5HI9=2>pB_Be zSNBr;5A%j+WBcZB=1ux-_b|K0MS8I%p(;l%A)g>5jp(dElIf?(&`pK=C;eKows^Xo zh{d5N${S;xXl}@ze$3ZMk}Y6htU>AdsgDcwB-{40+NYD$)N|Lld4qj)OdErB0hOx| z2jkrdIk3Xpb-&08EW(O5)M?DCZoa|Q9HF>F-Hw0mIL@Y9!VJ#MLgumPiwWu{*_wg> z(d`zPqK`t@y5iTmV{W@2S4F+@U++NL)DJg)cpl!}Q>WHmy_(}N1(5{s_&4_^CvwGz zH;<{$Y`s+5!3Km(X_C+ltHXmF`lb#uO*ZE<4tkMyx7R@X($O2pMNtukCW&3!0Vnor z(y5nu+D;kf#B(@2P`X{0NJp|RNO(oQBTNw$Puq0L{fenvQw}lFm8r0&61;PP;Sxv^ z%G6{Dm9fIf3B6J0?ylX=@!Q?LCthA6{b?2Zc}s6)@32x`#hOt1B)$=)P!`v$2PJ~I z)TdW^JpuO!RVVl_&cV@|60;bafvuzWjZ_J>qREbPu@1Q+R=sPl7#uY5ZZ{r>pBa_z z4ryCp_{FY%bAkQH&mq42KB}$*vIC)pOxZSk4lt|0w|v(4Go-ed=WA#-E-59E@{(I1 zxP+Dzimpbo?j$Xo@ng$mj9F5xkPbfro+(JZWp4GmI9+i{#;OX$c-Uanqp%o%(HEI> zbdHVI-;)RsAsmnW8+1t38JqH?(Q5-9oILihG6-sh^ysN*URHFFV&DoS8&MG-ua*K< z!q-cRhCcWtF59*UZJ)*5L`fLG2q^=jG$UBHArUrnj}RgIyr%xTS&yz3<*B9c 
z#2ipvkvc(dihsc4F&q1PHsO86V!mOt4(0Y-Gsle#K zUNl=|bWllX3->T_hX9HhP8KW4jdl`Hlzs39@GI7Gi=uXs!<0t>FtIMH;sA%k$;m?f z1uHnmPsIf%c&%e!eYoTG@ox>>M;FZUr}ZO+!hPUEpWIdxj#W=A7&*2GDrf};8^io( z$k%#^r@S@da)N<6Pv%%v;%~p<+bW=`J=<1Sn{iy`teb z``RV6s7xF^71R2(g;+-nqty3FFq0OemJU6f6DWvryKrLa;LKy5_$-d;G{a1Is3FFL zUg+fIpG=+b3p&~spn&M0rKi7Iw#9|i9sODpkD6{Ohbs)8V_89zuY6@avD%8Qg<5p%f2i&i%h12JB8g(xVVkg>Ki@nw&B1pc;G5Wlsb4->1 zDN-6uJI9rL6I%<}f<=f~*pa3AN>50C1Tp~)o82vM!WmSF?R(|tLDC;L^833=&uc=; zf_g{qJ~%ttQ<*E^gWliNRh}br=EOqMm*81nn-l2-I39R6GHRY!%B0s8MOr1gU2Hlq zj*oMouM5~C>z(&#CiX*}<}*O$H!-9GP*4uf7C`ZAoUrhnRzsquyycsn5L2i|8%G;UuoRl4jKh7wS*AMkb|YkQ!cwT=-QJPrC6M-7VPU zF29&Ts-nXKaYF>$OMxuzVZeeU^gJIw~6;^Q#$Ab7Z!DI*q?%ReMHHGPz zEPLIH@emrs8ApEypL->)#XMCSgqCL&1Lq_82nJ)zEGe#azr*dlE{E|ff72f)q)7fI z7J~GkHt4FR2=Gmp3Y+RP= zw*EfZn*&lL&kQ%uFe(K8&RVN$$_?@P-p5GcE~b^U*QqjM4lcjFL#}_vLcGV%k$mIn z?Io$(Wz^-ZQ5J=Y1b#r|Co<71V&qgbm7b;W5m^l9e$2$AWpz4n;5$m_z8_?j@A~b-UDrVk!gKdjO}~tpdL++QIvjlV zOY`Sb60AEQr2`t~gkKtFgviYzkEBqbVHOL5DZ${KJ{t*=+9cr)38-7jThfWd?PhhQ z8|FR&o>|Dc~ckH>I2@C{LMKS4yL>d~C=9v9s-V9Tg2OeLf#`ELKn# zd8}N^{-{an()7)FOz#)gVX9hPoF#dvtFB5z!^9QKK9w9cWL zm4dcah#lN2x3`|~sIlf4VR-nM2wGq<95pNdKpS_X^uyU%goigZ?f{DW@7iy7*C_An z=832aJhFpO6q;D zt#|iixq&-V1E&;icPqQHOvR)B82Uw}au?{Cg&B0+W=^iIRYYb-!}%lo+!wESg^n_K zQMG%qbH0X2=oqn=z;A?Q$AZUtv@A~9O`l|9c*rL2t1-*yps(%h?sYq`*b@+N3s|#t zsj8DF8t(C~sTlDeWenkNc5cn}9U9cDXmdRHPFnh5@wvqm;M?b?7C+?Any4)=BtS!9?~~)TbnjZVT3e4l zKAcm!51Gp!wj<}6&J2#cA6}<>e*8qv(`RK_I$=+|bRz$^yxF=?CwR1HwR4|e)4$X! 
zHr}Or-DTsPv;yI|D1YM1mjd+JQ*~rD-Yr(E%Kh;t0w(d;moNSCVf?Os{Yu0McGnYJGV*)(f8G4t^We{q{khdNmH67ynGuJ(27f;~ z_++Y%J?pP?{OeB0C^7!ZM{>+vk2L;uPS=)Ji2mI1f3^k$ocn5_yJHNp#xui!W0jf9)^VA8a}O-1PjvFQ5;HOsnl?BvyKX zFQA?_et6ppN~Bl2|E2j+)ESxefJLl$jicvK<+$kJM(4BSpP#w2=VecDot?;&<4$|u z7_s5+(kJRTpC5#=i**Oz)_fN~6#A?Pzm!Qb$Dd~o@G0BtFLzhcJNjWIn^3d!&i-bm zvX||>qV5N%!^?4S=|4(dKLPo(xIj1(>C`bkNaRV`KX} z%l)8HlOpKP?}ux*QrrYKfgMUcCJ*y?jTY4xBmEAMo`WUHFORoUPWZCiBaH&u&}+);LZ0RNxqEJGuALt&}$8Jg0z1>*t9ke%B)0H|YrrZEQ_Trp0l?&)QX& z!UUPESKSsfzQ>tcwUaHL^HLM9e0TCpMBO?++q(?CvR1ZNAf)4buhYNAeSa&qAs(^u z1Me?McDe-P2aYdM(RivBm~mzC8gGOza?9e>#O(N;UbSCNw*z>LO2vARK;k+y;~v11 zTpuRbmbEr{pBzkd({;bI_gOwyr z75nDgpT7{Rls=|YIB~S> zOYm}Q7(J@5VLPd7^aGy|P{}VBhz&7ZP?*P+YdZ`_Zg|8bj9orjP?1&tSn=iExuePA zxM~|$LL=~ScIAVouQt=(dxm*9KEsE7c^U|+OzaqTC$_W2JKM;rD$4BnVz(oi$0kW6 zUZY<4bv`y0F?p?eC0a8%11QaS_l_PL&M|yPSYNIRXpjM zv}|ZqBVEkCu-pQk?V+)_MGe?x{Hsdm6Sdsyw-_g0HFZ{C{l{F){BfEu)a^r_(bYZM z?o}Y7QDafRTpP3 zW=M@lQ)O3kJ3?pJNEU&iB_`q+yj;mF2Va}#9DkO5thV+1%)t^3p-!0b8_1Z`O4dl9 z-#+c$-wix%yy8DjdrYw`FvEqdr6@0Axn$aRGcT?>=SXFFeOorhl|8&Q$CB)}8$G4) z3Y7B8Vh8f$i?Y?E&d*CS$R7idk%0S!4BG_`l+QMGprgMBW#h-Y9?J$3uj4gXz#TJ5 z4M!b-f#j(FLxIb?(+8jIw~OZD6+S>}+57t~iR$6A!XOYZCx~RfZ zGam?f(9FsQcy>7@$0Q$q=gu)XoMu=A!>+v~PzyN;A>N`TmvUjk)r&Xn)wuzO@X)?S za2Sl*wVmXyB4479*1$m52lTy({g>2gBTCJ7U0QFY>_8BaW# z$7B)9>#?=-*VkG}^z_K>pt70WLsfI4i(r&c6YJSnid)gZ>|C|?&=9ke;EH9VIiI;A zsJoyD8}0VpEh*_!`ksoSFTVT?M(ne!rsb*YN?xDy_yB7jq7Vr>2|E<^a_(Rdk55Ti z^WCe&>4Rp%bj@%V4za7+%^!4pTllli-R#+nPp0=SNxQ*sIF!{Bai1SbH-wtply}Us zlQzLW6haFW=QIo$SVcNUFkJip%r`|q1$^-q~sZu)z}ue zBx5p$8F{kl#J9xIHxixA==*{C7o$(U(@@SpMFKtZK2nGaoz4|rIN&I) z0TF=@P6qbF3bYW^&GMr=?G*$2*OSRm&=HC>>i4DoxIjm)^q)3XHdvf8wzD0~FW%n6 z$sHyg7uh=8^vc`rY--K53NF0bgHyY(r2$j9vh zF6rBH4CSLCqxOn@Be158tLs24=|l-V(Rrjc!Tt!n$G|r7nfO<~V7oWc_nMb~n7N=? 
z;4e8ZYJrJlwLf{c)aLR$9Rn^T;FTz{MUiDQ%4R#TxMSxH!()g}c05Ywy>@bCU<(=f z#b(3lb8)JXo&yDLf>kI(%f;~f?@bBNu!>`A{D!QlXUaIYg9qSM<%ToXpexKjEC zWfv1r7XiQ8RA%l;T;ah`mY!Gf1;$1)#T*`Z>nCFo#XOJ1+Gg(ept8PuZp&lzo~m;~2LsBi zxV6X8A#^jOAA^h7dUQVVHoiBI>Nbgy>sFwi!Eri;+R)1|oIA0IrVCT&R1%(9YjfhZwd^8rodJh`ykgq!oFY; zTjp0GiE}HBxhnF_+K8~G$@)(@(z!)ti$yudW?p3cPB~h8dO`+NslAY;4 zZ+;`R+$K>ZbS<$MIP-@#m);aJs|}nz(*=5|pv(%j>1VC!0>x$zN5M*W5$#rmv}17J zNOF}6dpOE6dv%XH+5=M;`rye4-&(3Yd+*RsG+~$`UuHRV&aH>Pl)2_O@}bl<%n^4R zkF1cP10pDD(63L8J4;1oGkQyd?Q2MMWS@p?HjwB3vt$&Hfm7RFe0HJXei5I`(>7H2oW#jvtopa-wWe^~$F?A*fW? z3}oJS{TZtTkyzXJ7$KqLJ4?f^K4|9Grhy`JjZ|i2)P8IhT$egLP*>qz)}z^zHVwnd z;ZG9jniBzCeOQM^z%F9N*A5cUgdHyHQ^B_YN(D5n_D}tS>W^AJS@V_z+d{sB3R62gtX2MlA!6Oo0cr zE-{4<3)6vVEcJ5L+&QkY?F^A2Rz7v_ALh zFSOqG#$V9-@gJL6b`W8Am#`|jcWjpDxCxXcXbXmj~^FjR3uZuoQjjFKIx&ugGd-?79=YmI3nyf5s8UCv6$A|De+KW`#d z(P@<|)@X9eqfnQ6HUlWWh9;Mndgx_e8&DH0-j!Tghm zY(HzL`HVLgGift5)$!|~58HU4UiD=&?s*K=UDWc%>IE4_MH=jtACpSPbGCuG7SjdyVh7esV$gGyFe(pyjYynE5d;tr5E$Y>Kq&6uTQjKKi2D zm{1`Zw{6S{%r>*EsG7&Uc4POJtTC5TCKVOL>c*AKu^GsvtSwae_K%l*h#(yrhowui z73*9KcqJ_*S**?HO2*K1=^4iEmLpP5lvqYb!Aj?oxEb+i3(RG9CV2c$j-=>=2oyd2 zmHo@zgvz%W8NcHcv>QS%#2uv9z|-Nt4)hi4O}6khR`rVt7SR~wR|giI*fLV_AP5*p}C%EEF?3PA6DdWuKDGgJsp!J#5P*8k2`Em$-nw0ta(Z5iu^i?2S_a`o^F<~7`c&jhu%%h2Rk)KQsfcn=FGg!O|GWOM&qRGs^8AYO}}$)1m#^6xOb z5rE;((Zx_d46VA8tcJPfI(UBuXW5|CYThZZ*Z^gojkBZ?<*w+K$iF2Jg!cu#aXVjY zjwy4@rTPsc5elgvhbj)4LT9kC-*I2i=U~O2ZzmJ{G}4CDre*@Yb2(aN@z@2+@P&@9t2+SBGf=9xn=ZzF&PHjD^H z+!$ba8SzuKl6$9!2jNmqLe4NRewq_~bf{;LiJX>WOOJG{-!bbPY0X~eC&P#iPHr7W zbJmUYmDvQ$m5ZJjgNzho#S>7k$dpVn+Bm^u_ukKr{V9Ttxg2{DR7HOg!6FH|=)cl+ zUdi|XRdkLk@|V$&WpiOQce)`2f(0Fu)gJL8HQ@78wKVMM(m15?FT6mDV{FR-H zZv|c7TToc>ZqYE_2FjlHnQJo|uW(Hw>P!5Z=VP@tY+kOk8V1Cm<0>{82n&IkmRPrr z6ye)) zul{Q=9l1P^w`!#z0OD@ONbA%wQZD|jKgW@2(=h6ENT40Yuj8n(NSeWW@Cr)r!*aog z;u2%30fz*xCOR;-pdVk2`i5&_jy`*k&D>NO` zX740h`-aFemGomPfRei#)db0if<1L=%PP_Y`LNmgh5AP~F%%p@H3;Adb6NRz9F2ss zhxIOFI;9|W25;Be2+KjvM%c5^AHV+v4X3w4{&Eq=qt3# 
zu(JVEgS$2#jgYFN?p%xZGvtR0_S?MacdLj9IRrEFWQ#BQW^K09)2z_UH*+6AL=t9{ zwxA=CWjxK;`1@_e2P`4Init#L;E0Pjo86oz6FoIs-o47D0)2xd2-enOw)SV7*Jed} zZ4%PHov0VCeL_yrNIZWnRe_ZQQr6D$mj_nTkGtL}epg5;_rtbr>Z85nLvn%p?*306 z0$EN=&?fgN4X+%Ro;|h%jURUAa^1i+pJ?H$etw&mwzlc zU=F!iVqEf*`SjBkf@qqN=qxDWs)|~id4M@fn}>(*(C%jZLtoZE;r2eHy7(0?+S_UG6g)p@W$k!Y4wB|-KF$8PjeZyJIS0GX?d3Jg@nNpkINDo{KAwU z{mjiG<-0R=M4dS_RMS=B;iq`e>3M6s+rK1ow}D3cE)_xFs=hh)36IjB2r$6L&-@$O zCE~;b>Z~xoysQ60gcokgWz>jEYJs)OKmPGX900tXab7NegRb%Lwwyg7(@u4-NBTei zMb)$dpz1m86M6pz$vx?Ma@U@B(fu0(?#Dy-M#sjWTKg;53r?sf0l?Mv&dIQUopwBb zz)da}+|Kfl)>~M6^xsbYK~x=JJy@+5RB@8sh^u?+G;dLHXMO3PI|o?wHk;}G|8t=H z{~99yKL-MBr~l8pCjWDf{^uV3(Im_DuR9^o?}#EFXFMNr3jC-kX(9>~OrQQ2+&}py literal 0 HcmV?d00001 
diff --git a/resources/google/vpcnetwork/open-rdp/step4.png b/resources/google/vpcnetwork/open-rdp/step4.png new file mode 100644 index 0000000000000000000000000000000000000000..797e593639db916bfb74b316fe3968686f230b91 GIT binary patch literal 24090 zcmc$^by!u)`v*!X4I5B8HldWXbT>$McZq$M3KA01-3`)>ba!{>U7RDH@AJF= z-|MrH#q2d}*3|oncY{G>LH14j7kb@-=>8$-!ms2MWizlL z&_EqRub=~Q(D>0pC`ewO5q}MY+k3O+a{IttZ<1_#=&GQlrKO}buhj|Bk}Mn=8tR=0 z85k!1y3(K zQp6P)0!$7A`?3pGnDhz?Vk_mlsxuUXDvd8~QVOX4s~cLsi0CUJt34_djjq~!HY%3LYv)Jl$OJ} zkLp68L~)6C&G())(aXb7K2Oi%sE)=A*-|7pJTxQwfp`Acqk1d1W6@R&j4H@B-)r>S zxWh6tQo~$@0opsq0Ez$~O_KizRs9H;*IQ5DF(dYtgSQ{+mF3qfBrC8gWx^-pU|k*< zjSeC9DT`rfK~u~LI1v&U>GU_M^%f!XuhA_J>WEM2-GYNxE%86FGB04eBz@3Hc8G1J zV;G%x6nyyT7@!%;KjQG$}rcya+yt|LCVlnGfS}?6#$KpkJ1|!b! zVthq?qO+ZE*=h@SgHQs$&#)El`bb0Bx4cS#B#sE=^3p{NgsAY^zA#;zbq;^=9f|`E znwZbs=fuT#Q(Xq>#Qufp5{9<`-(8yZTeC)DFnl`QeR@&zI{%is<>*YH*b!#yNDHPA z@gl~gNatPR0CWRCMa5$RH{1v_f|K&?L$q;->>dk6Q1dzh!~I4_lEFZUvMOT1`y^Nk z&k5mKVoTCBIexSBN)NMJR^APo4ag1V4K!nXrVW|C^hXIS7y7X7>Zua8qcqISH=x9w zj~Ep^Bm|Km8+@k_P8GO};S4jNL^Xo+q|aN8pX!GnbvKC+AC^y%dA!jf-&&!Ez{x)n z_E5CvK8W`I6n)%Iv(tipbo_lLGt|7vdLNMH6Dc$6VVhx}KA8DA!&$akZa&u@>|5u( z!*`xZTe!l@aAr*7?>@9qmMud@5^zCuD#yB^d2ZM+O8MjRLo>?_pMcnhww;$u^XSPR za{T1<~;F%2;Xt-ddF@*6f z+Uyb)l|J=8|aOExIh zC1e&-cNEc;M3ksjmI&k%KFBFl6fXp;SL2?}!$^Z(_QS}|Eyz|_NZz7Ll<2(COQZ>q zi>)Lu{A__pr2=yiU^0{*0jda0Lx@B{`v}A}z?eU>*mE)!+DKeh~tC9ghP!p ziyeT?%Y>HDkrVI7NcxN6M7X!2S#4wR0BODIb&3*(yeVsAaC@11VW__<#r%$84z%MmquI5a5NCOpOqR^70iyw_!88jo zi^S=t6*}+3?bjG}kABMr`&H1pJ&E+I0Z|uw7+P3b%3aE@6ylWYlpOW|w#{0{+K?K7 z8hhJHEAEw>9-0n|L4qDP&-!n-?5Ihi{#}XWiJNdkcB!V?EZSNN;Dz~yO~ zT33zhPgghB8&@x`Xs!*e`>u|5>nMBlbqSW(p4cFr zBAqdvCmlzRM~`}0XnC~_x-FO_isXQVorH#DNH{1%JtI8>R@g<@qywgNud^!X8@daL zG-whX6^rh5GbIllG37F4sX~U<$~Ut3tV+YAHOd|nc|%IUJhr?~c>$xUrZn4P+f>{9 zII1FAZ#A>!H=5qP%O{qIE{t*m2Skp=1xMz`xx5u7jmmtS1`=Hok^UTpF!ln<$&kd z{PHjwI~h7|G47T_o`;p8lFyn>mm%|;w}|&M*bt;^)vr4zI~DOs)#7SKY@A{$ckpAc z>I_?3P0v+%P!#-p)^EcF#jf}BXFqXz`$x^Ir#;y_=jI#Q?)>}$g%dg{gK;G6`U>Mz 
z3h9-rlwk`9HBL2P)mT-BrasPO&7Ms&PSwpQPc>CVmuAk|O}AgLTy$Ox;dc<|So)6+hg z*=n#b)?eOjJ0~$hJ-=JT8qPXU-wwOEx~#CtRNdn`mM#_DwA19&MCu;pPU&9FdTJgv zYwcSDRH938Dbay4)vH2*r;TeM8{U(Vo%H6nVM+zB{>FpKq-{d`0m(=GEN{ zM#bi!_Ijg{iwc4uBJ73f9%mU*J+JX&H)K2Xx$rw-Q(=tGi%ttzKa>NWtNn<_^w~F` z-iS&B{RsN8YGiLju&%#;+vlO=tHSm3eV#dczXRLjk*ku`?_sn|(wy)UA{w@vQ|$ez zE$hBji{I$K-!M-lWhGTt5>~RxeEjw?cQubXSAzq`)}~?MM^iC>d3t(evGpS5mEua? zrBsuY&w%j&LC(4ik>&D7N;c?0veauUmZiOJ_F3D;&C0>FCb0Xm6}8#!0ZT4TrA0P( zgIhy;{VIQsl!;~hXO&%HzhLruzj|uAQk@xxL`U|^lit`0YFib9V(ClYbIG%tOPacE6 zqk-tIWV?N>Ybrc=%qdNkhv4De`E{F)h{ySmTiDC+n-_(C$-LYi(ll=$+wQ3}qO^C^tF+v!&>PFpC4MMO%0s?7X-Q9q=ud_5 z+(U-g1slN2dW?ub=)HFZ0e*VfQP&yoQ{89UT;Cp)}b!N^FOXDToErVB|Qw*a_)b*7u z7mTdCPJ(`O?mB5y5R`ML`DA65MTeCK1y|<#BnQ{m2jt|$$5&T}hY!6a(jnqa8_<3r zgrrrx*$l;>n%U|_%IVs9?y8v|HUm3HA`FbWM9rqmLS?Rgccw_@51FwI zt2*rnDM;9EZky2vn(%zX;30C+E0L<>{+U@&Uby?vnRl?>hp!S-?0oj>ylJ<*PTOg9 zVL+wY_(1pY>!rp5B4J=N5%bmqpRJf~0$an8)yha?Bz1VbNPSlk*S3@MwOZdPG+l;v zQiyH%P!q1}JiFXuwvEl>EP+DaVa6h?Ysq6Shg9Oj)%LH=ndTE?k|wtPpKh<%J1XlC}sCc5o>3wR2xl05*y{Ki=^~mAxwKr zb}$EpbQFEOWYo`SckroHn40zneknN(aSb&kVRa?GP&ESi$83h6IpyjKPCMK$)Mp51 z)wn{~pBZiFSr|s%E74;xZIS~#q8oA3fS4%Fj>W) zFP(Hax*t1lxb9$ozvy@_lM-gLjjLT*HLFm z?qQ5Fnw}o+cXrl^RizI?E%0leujLP8yg5ObWxgnU7$rQe_`)Lle5=F4*zo;I=Ja9S z^`VQxR$v5lEHP9Zj&5@7zQnHym!+@ds8nT2DoYnv99wH!q?RK$E0;1)EHNlvbJ2`b z-^m)vpG8jj3-8$O7R-5e({OYp*0ZEx zQc*r2R>A4PJK?HhVPX|Y2#&oZ`9KPtk(JpbO(D84?!c@UZ>)b<8Kq%r$rtNO_sK>s2gsW(s#*^j{qnvQHy4D5@bUK$x#iq@vHN>m zDFL(Zd0UNJ(r2&y2@Jx-g?<*vy@Q^>P7dJ?bql~~yod#yxY^>jL6x_7#BddN1x zI>hGla+~dMn`E2j<>?;kq1!;ZXq~XfM85RziAzzk@m5KJUKAo{O;dWuV(@O_U)Nys zc(y+!;!lIvIh`zCybuB#<(L?MF-9wE zw>?<@w3oZkQ$bDY@w3HI=3rr>?f5;P^wK*-mv+fO`0x6 zMHM`SkrNf$6~{Oi<;8=n)y7qp2WPc4`|`K3e%kv@TX^-Bv5R^8mN+$BSGpf}&>l)3 zrWSG*wXZ^|r6bL}^J822?D4^$3_(&awho#$Ijd+gtVpsT`inwb_4c7q*Tv*hHB(CJQ ze*b>f2wb}mbb&;p0X+kQd=pkfqE)dq!&URulV$(fWXA?4_=b7c<8Jk43^qzJ40+HE z?Hp;D%(#xEQVPX`NQO$8GL;U8_FKLQwLwj78GZ#hEpb6L(N3Y?+7{8yAtI^9-zMDl 
zjkK5>X>M|mjYBI!ZKeDN$Of2bQq{NBRi@ufvrl7j&RO5B7c8OgId|;Cm;Gwe?rP*U zm%p4pVBMo51j+29XrfG@ilgqslMi!|NDB=De%QGA_3KTkL$M|4xwtbjVM;r*nIDC` zV|I*XOt59bHuBY|hqArYbJy&PdJYDyE83ZD7Psn`L$4EGs}PaI3`>aiAya)qS5}b}A&%t2SDji8Zc%SONQ`-)?_rqki1EvmExoVn1_! zsh-`6bGJzSF~BRSRZ8$(y9(h8?w6UdG8Jh&9!;k|dawE>T^6>arDX`54v+LcJ5T2L zH5ZuJyRvg~9-Yru#~x~){^Xs*thzVXyerA7bp2>?|HBKf8wOby`<>uu_l^m_)G$Se z-|r>9D~LHCL$nMER7IX0^c`w-Tmny8QB;Ejdiw;Zeyw*nyWTWiO}~0pN3Ac9(XY(! zsJ-7T=t1nlZ%*`D=j*FC z>_&KoqFDJ_%8yx;S?hUPfPd0ebZ9dCvF78R;pj&Z`tT}8b0Y({_KCsI<6avuDb!l$ zbJ{MioN=6oEI4*WFDKy=kPDFFkWEpd;fsSK0?h-JL$*UIL-0bwr90j#u=>$sr0|+2wp~eEw28nh7bUOr z+mzO2<3fJ=`6~?tfm5;Ii$u~*`b`7ckV>^G2YV_zX8T~RpABt}%#EAv%tK90cvP(6 zi`jEMjhr5IpOyx`FZz_~4F!aY&JivWDmclXovqsXVENIdHAi`TV_;yTykRlgS#TLa z6(=f|rt?sK=rjIx8+=*NuF`0kVOvu>xmdqZ?!NVypw|5$e(hu)S%O{7cG0({a$W2o zktD$xM@Sn?I~JE5Z=yV|EU!#kROI2B`?GiE9Fidc!qcg=>_iC)LK6)_0#;cWGhanH z?o$NGDh`B7=7fi!dc9c!B%7v=Jk*QbYzHV=q&8I#!6Ojw3Mxu6#1R0V>|kpsB2F#4hgcC;}6 zY|G)uP4dqj9KiKcF&zo`pIg3|ag(S@$$|wfZH&OowC`!@Nq7*zU@(`Bp)rTNkjS6v zz+c=XAHRID;-I5*aB!e?V4}6OF`;8%XJ@CQXQX3fqyg@rv32_VMbDAuvn}br4|#r$ zkddu{jj7caQ_Iibr|0VFTiSi$CLwuh=FNGH z8>q_lRLUW1>S$!HDr9N_3=hx-4>Kzh*FX3FzrOje#eZum*&5jhT3P@VzwrDwzJDtJ z@0b6#;y+EQ{nsSpdxrmQ@_)YhQ5D5Vv@$bhI{rlE3s@L-^;CFDcXTF^l#^mD9bts&#@W7Dh|9;>QpnL(@}>I1_qqiB1|Z@0fBQHD1BK3w zMXMPxQK%u|1@&TWx41bjhEm}}p?c*SP?kD`DdXa>H$@Bw-CAWnO=7n@5v$kkFFugO zygqG`7JIzf)io9iv-y6jPsii_M<{WK-_Sy%%eg_7HK+|XoeuYTI{3aoK?bD))qAc_ zH`kB5h~jaXKXnJ9k!GnBYeO->;BkD(jiJ#{UeZ&m`;vE%%w!T4_ZxXrB^Z-tE!nau z(hm{qCxz2)VRe>7JS|nquTVVl-#?WU^eUatKNWfhcw8RL|1j){8m+d}VRt^uHSOIk z6AD5f&6Oi{dbr*^S8u-A$)_-yA9A}sG2(`86AtG(2`td6SMEc_VH8SrzcIz3*Y%8{ z)6wR+-D8^f*q>qEo+wOS;;L~EEO;Xkw^dqeyZK>%rt*h&qw`5SDsRmoBHBw!aNm*fSSTDy0^R`2px1ixrOMw0r1><`AP&dxf(d7P(+Wf#ZZ~Ig zG96etuIUT0tP75UR4PU9q>|o80uS6VIo%j2LY!)Ht9Ld!g3u||_q#jkqZ=(X5KUw- z@IO0T)Om@5PazzP89Vrm6Y;I@;Yen{-NmdW7H@ihu`s!W|FqvnU(#TgaJXz}*ZE&(Z_vMpxJ?SBb3P+e3NM|qAdK(X=az~MhqBJhNHyzzNZ+LvTO+xeo;SUnw393>%9L!N= 
ze4eX8OaA#z;!mIS#KGW^a_d!**DsHpTk0W?PZwMcds=;9-!L-DGaC1Ac{>krU*^Vl zRg(I@_D!HCf%iX>YWGKeqgG~UvpGo6DoD7114ro_tM9zke0xxDvp2=?njV8(ItKV- zXmdJp52-blSny?@Y`S+>naEVjEewNy*@3^WX-s?N3Uqo5uZR0g_-Z$IL!R>Zlg=|UOQ7>2+ zBlm}E6E9Jibo#Xw%?3xgYHNJd&oVEG{p=&lp)FBhPy|@JiRx_DzdD=!R4FbZP1HY$ z0ydy@<2#W4!xRwJm=|B_v0&H>VD}^w)4|q$sCPKTbj$_!>()#F`_xne?vcNOxC@?L zcuM3ms6hwtL_*(c7i@Zq_RZ7FBc?Mt^rdpw-_m}LevaF0Pb-GrW_N&fG3N1ZlQ)XR zLY<)X90(Y@938UTqd$JAmg+-6`jF|8U6DXy6Bpa8_nLMioO9vKh@3F^CkwhF5pt=5 zwLv^S5Z+x`!1V7J9V_xixPiz(rk4vY#TysjX#!a-{U5;1*^b96P%`L9goK)#-I1is z9pD7LQHX zQZ2jPP7K%OobAr^S48ygWp?WoUx_=uJ#dyVs*L8aaq_>jZ%@KEf{|4p#6=pSD=0>1 zw=>TFDR$rwJVL<31OtdxB34H53M6 zaY#hSN8_am#gZa@9x5gpZ#&+}KR^vGMQ=$yK*W5Pph}lEx$ncrmjUaYqnIbple9_v zr@ELX41i8iHM9vTyR2TGLgB^bn)UWlz|JME{yaa5)9DsldCDLegNuVh*%M7Z2`|4t zr*iSk9|RKlhJ{f(P>fNVZ8xPUE;$#9knzC}M+{7b2KJ8s&G{WV+|R9A*XuIAvtcd_ zPY5Vd$7TSmS8G9+QP1nQ1K#U<=t9QQ@#6y@wl~&u6Jp>8IGD~cp8!WT7e`RtOtVKb zKD&(&5WRC8=nQ^^L{Y2I_N4JPZ=BXF${z_7p$cjp7}iMrnFeb?FhvGzE!FZTfL_Ef zn@x1bQmbTuTijjk59TP9ekw+qPnQX^hap>KZUy=KasB}vurwUZJLjd+KuS}b^b`hz zU%BL2`kh}#t1L8v0s{jlh&}oM_94@Bf1&Xj89?;to!|MQW{8}3l$Rr-MB+eXJa=xo zJ>Z6;RG+D$R0!zm-e?AKi=>X=xBTZxK^!)|BA$xT-etOxO=_ z6ixb8fIlzwFlZCRw6bssADyJ|dT58IOOIp-OJUT71nI=I&HZJTHD*wdF3$Q076cq$ z#J;|wTtQe~LLL+iC;Y89JCPqIRm*79Tk|uHR!bd)kZWs(h5F-=3OiiP?|c;r05zV7 zoXtuHJf%iefpUOqPdr^(m%Y@jm^zDp)e-**V+RV4D(kHjyBR?_-COr;{Qm~P3k^>7 ztmDfK5QoLHTm8#_!R~M!wOg$v=4No47yGj_Op<-N zl~Xb02=I;{=4J)zpSs~&HB)U_93S!CR9>r22Y75HxcM(5LMQNI!{VMUH;D(LbRPMO zFC}5sX!YT$U!~ZQpjrLx*5GULW=@qq1M6_dLSO*}DV3uCXT3oe%Dn$1tPwy4GG_Gy;-{)T}y_N=FAHXc5K9-;}?h*1`3lK`+BYKD;8amHkPmRQY^n}o_ggc z^%tqwYnLr|Gy%)o*verk1Z(}@wZ;fV%$K20l|BR8x(LRYX75e_kIA@y*i5s`FvvOl z>uYLb6j69(7xgDrirrg)0Vwzy9sU#$4u)rWY0koE`+Zovl=9F!n}t|NPqlOcowK;P-ug)VXL2I%8mLkDHU@gx`gyES*(+SvFJp^X+>}x zJqi|3Jo@-G`ONuMv6-|=o34f%=Ku*{bTC&tTJK<~K+}t!O5$5zU?D`QJAJgd?widf zpq0ANyGJ>0vSan{kb@p!j?CM|43h4jLeEh1mVvq? 
z@?U?5p!m_aySw;{kWNh7Mj~!~SZV5;EvB&$>DvQD{%87KQ5(N@GSjnmdZ>apmxTX& z0525(@mWG&rw@K+WW-|I_G_eAkNECoez9P}RF6cf=g7Sh%qJ_1N;~6g0orNXqVjEQ zQ-k2&;)5fB5h=yc;WbMQ_ycMg7;tr43_0{GUFNob*B>7g{1aXD$-|?s2!DPpdty%$ zyn$30C}){)?#L3AzcI_63{)|qVei|{^A|a%fPo2jJ9y(F@Z6^*AD{%4jZ5gcK$i%B z=!@F;J@{v_<%tTE@GKpH{ua0a06ev+T}J-5Egqoc%ClYYZ@~pIfZAy;J*j^g!WEcr zWEC0(_5YWb0hy*1m5?)_u{oV&rLfzI6lpj96ju08Pj@NCc0DtM5sVVQ96%9smVMcl zXLmTz>|Tt(WBuF>Y^e1vB99nS(Xg5#2SA8ZiD`0r*Vx=%SWE-j3W(@aZyblYI)=QU zVb8F8hyR48mcgf>0c?yoAg)QYdcRm-4j_vA#_8~jvlzfJ2>_ssfY5yGelV3-qHk3U;!7GHE4 z{Ac0peE?R7?Q+`-)A_o}R}`{*O%FF_;)#qu#(yeF0BC5Wq78X&))hvu6X{*!1xlpX z^X|F;=;T{!<$@!}cU7Edqc?zTufT0nz1o|vSK&3rgC%wa-DLckH&3l6P7Um2^39>N zcwjs^p9tS(NTMZp~{a-oWV*IZfuQZ#)gzpAw*t zU!3bjlgq>bn1;CHaw_Y3vz_BDJ5r!lezuHqytb=3TV)ZgkRxq++l@L?VH#aTdbu%c z+5CIghrCaLC_-ht!c?IrhBEpqZ;A`>y*iQ3gc%W&aR}pdgHw45x66dm%YOi5|4BR( zIxayT|3YiC7|)e^@;Pb`n{F$@a_Cmqt$6`RTsu~sZk-i;j(7FwaAIfRloysAQ>6wk zP^}yl!Ops4IWm)Xk%b!79{^tRKE?YSV0XRcLp=G~cwBd!0Bbu^#0N-Arw|}pe)oA< zCBjFyW{wr8F?l%{06;eL0BlS}L*2#t!>0V(xn}VDh4`)%SvC>0+kyKUK2l!rF#zmU7WEL|OgzUKC zuT|S;qu)qinqe>$kru>qI($AaBQ8yPj-bnYz?OlAgepe%g%y$EziR-Loz2k_|9Ni9 zE#x6;12Qx$iejp2m#nF37(Tn=9UrKL(Xjh_pUXk5=x%z`?J^Yso`9z#YJU3Fn*C*!b=5xQ*tJfyDzj+DOp+t0I$2nk)yzf-Nl z6AH&^`pmtNS8&euSF12!JPk83COa$O;Edtp`TBx2K`Z=(s3)o%U$(xdQ#!gVb@DCr zJ1n}9cUM1oPG8a1?ptn;fn8))v;O3C0g7Izht)bD1WoqnVh`ZwvJ27Nr~OR0P`7*K zL*vkX=_^fxes|vi*4+o#Z<&s!1r~zuopuEM5ME~iigu@!|06gW#%jr^O&F#0rj z7pIlLNSlWwaymeQV>caq2G*y;VyDF)qF#awC?-^q&yCj`$w_O$vPc5*L>_mg{ziap zlOEKJ{XsiV{>{K5B(tvps7hc9zLp~w6_3R{VWVxS)#YqUu2?_>k+T_CubG=(!!2Uu zzB6;clKOlyCc`WKD+FgfzqkpVjI13903`5jaDsKknzbtnDQ2@8MBtgFd+#klS_N}1 z#-d-}sNpv4wnv4de>PfI#9dZ~StSG7yI&G}U|bl-(evXUq|#LZn2goP;&BFqizDFX ziATScs!#@7fl^Du&;^Knz2=C1O&t~z;GY^U%#_BRPh{uZ*C@M6V)xI4-PTpxk`hn( z9?k7u)g#MbJK`>{g=X^Z6YJp!u30yh0PA@NeFfeBR<`1!oLhMK!4lRV2%U=H8x{&j zo}Ma_z|OM+2zmUK*OZq@C?VnO{3rXse?oZ+G$4&pWow=TyI6}m3{>xSDG|!Wzc&ER zb4$^a@^vD1gQ>c8JJg^nQJF06ZUakuDy>x5ExYjwM*#@+4H4Ex}+ z)C_xiwY2Edaemn{$4a{|3!}A4a1K_BNeIX#fiyY*dEI< 
z0^G66q+i$j;w1p>Y6JihqvZaKeffxE9w7n>SCS6j>~1Kx7(E)Y$kLh)F45Yf6q@p3E&I)bwR`tlY)uOC}M z0&)KgJSY_=B-a{?=M~rTwM)qb$I_9qWRZbw86@<}?oxxU_xOHp*$aTQ$>R5US+oy$ z_W1&=T@0{aDbtutq@Qeh|H`LG47j^0s3Y+@?%U`J*@W?5Op_Op;~yVfR+|wY>fz!& zP(f^fT@P26Z#*Biz37$K{sT}KonshdsBm2hSz^SQBB4=nG#XF#JafO_J&-Dx7=Ash zkJm71zk7;C?r$AkfvmBWr z9Q@(OhgcZzjpoPu;sA+z2do`~am*99Batm&5$lP-1FFg1tJVDv$!`I=Na1XL!xVUV6eq=Artx<_5lee!kat*u=)#}(A(#yaRNn28 zg?|NtFPoR=;+T)GfWh0+kXa85aCkGu+_lTnAtcPzq1PiJ`q*jP-Tca^HVo9snUIJ` zFTl6ee%hMv|2}j6uFQ;n9 zCCPy|9C1#s*YWwU)i&kH2Lvv>vox*0UJD$?Qx?xAb6V=ppusr+1Y967cJf7SA|LR5f3=__n_UfHZ*2LLuH$pTUot4zGKE!?~GwOSr$Yg@z!UFSe zG6qBlLxL||ZlHon$VHJOlNJZ;=3h>iET88naF~o^?ygU}u50yOyn&_CSEN<1so&Me z(;*W{B1{HsqJx0HUSt&sNY>G8ccM@}TN39!hFV2B)$Kw}t;$@j0J2cKQ5~T3Si8l2r{JD=1kb2>GCN<*!CJl>{dNhK@qOcYWBnTD{})qs)E19U`Ri5wpx zoRC{R704LXA5aOX*ND>lmL5&lI~2S3vxMpKR9Z_mG)U@=K zSuG3Xsg-9x`7!`^!lD8An(UJbsxTcB0o=Ktw_rzIx`rd~cj^^l08`B%#I5jg6X65I zpv0{3HLz|G8wBYs*Uy)Db)IOx{r-%2Pt+Tw?^;c+)6S}(7PmfIKL)YL;6>MSqE6T3$xMNOSuXkXo9dhdc#a@Z(b2+l&hdIBm`+i(;rJKc z%`o7M1$})1M>a)W+(3fLb>xXaxYqrobCROR(gk6;c?^CbZ7()ABjK~je#NAr0#x&a zEs5`XUW4+@=I(mDP8<+W`($|U$*5I|Vl11ke>tm86zdd2L2vq+`~Ya9^F3TGe+mJc z72lIFyJ7<9=DPcx{Ni4KPSSu(0F4?vO2`6!H|zlS4FJ9;0HXzxf>Ft=mOuFCPIVZr<-XUPCRIAQag zZ-L}QgX`U*apcnN#^BdRg&7#nQ+Ol%^%bMXgDdw%D=g90gD9bsP&M!4o$Zqt=X$(5 zt@{QT_+B7SdOkHrRfN}6WKO3WzXNX9dZK>-SEGQgdjff9xufqF%G!AMn~11Rj*-KJ zMTi#a`#`!r9v~FmKwjwGlX^u6S@d|+3I>m0Ens8Az`!5^$}>FT;s=wc`(T zj${`#(#TUjX>YMv=Y@ojkkEUI$jC^J zwjTT%V3lV0`2iJ4K?vCJFWRAr{EyHCE#lk2>5zk=GXbC znk*_*T3YrhY4ssU{a)Pspe{%UcfOj+ri z5s9M{zHxAe5pxA19YTYmh-!K&s}H$ZUmOi?lRyok{!lb=j2{=Ey)U}uO%jmK>3a*U zmfN6Yu!JxLEC8of?s#KCB() zYmubB_{m?kN1bRai{SNPdwu~jb#g?adyGFU{5QB8ECggXehLmPpSMtuTPkM=!ApgR zWH8#q$PPufuAT!M522UTbuvR3k;WhY8^Cbkd|wKsxP(QT=Bt$(+iZ`%ITs*?$0O!F zBeEdwnEa_ktuVfdjx^8B*3IAM;#A~neOLXPzyw=k!1cN~dqR-LF3t0$BG}04c60I%A_!1)x2OL#KO^`A(BQrTDW!}E zY(#6H^u>*P4zZO+t7Y%6#AL%smxpAECQjPVWXwn&p9uDyPBHDc-;^jFj^m>D!2jK5&=qn}#1{W3qmAPobByq}1f;eXmRi3;R*W(2b?lB#cpD0_qwV#x 
z9VEd|mgJ|;a<>=zT5T^eoKUdo`I5cCZS0Z{k)}ifTR<2c&%<4CJ(Y4hEo1-n=2`sm zt-JvZZ_$K|+F&6!$$l@unO-lP0}fZ%W!u7`_A4k=ep33jj*k)S%p|Ge6{#-~_iltF zA>XV&f#IYROGoTU76CqQ5~6S3n}=op}9m|xS6fsoCao!Ld7_DX2z z$sVoIl~?d>d(w8z_ZP_xM{S7NU(MKEudLYJ?`pJR{ij@#^5&EhsQ(i9ApfUKIUS+z z)RD^B_kv=07PM4vSzxn=B7z&?j6aIjANXs6`#+H_-0E{sip$3hhKT?t^5^4l1H9)i~0DajTN0ZOwF9>$Km^LX|Il2IQz8-4;hHQ`zQc*5L)f%6gNMEm7%&$S`oePO&j{R=c)T8`pk zUrzov-JyK4Z5sCChW=LVaP%IFoUcByMo$Vpuehaed@aCe84}PzcEq58kbsj+H?15O z%Ts^>`z0p+QsVj+F54}E)1j#0Y*gX|uruH{R=y(M0;aPeVC58L1KDu9r}F~t^dle5 zk?F)bG>T@0ojv`-F;&s~^6JTPT35cHtM`q+k>qQycm(~0 z0zkAn7uZ&F9-|PR5)w*kJUN$7f&qq3umRB6^DKDe=SQiTz{$rRK$CCzokSlErwdlD z0WRQ<2{Put;clNZvf1X;;{QkjIm-9Iift7&jNNTT3;c=@w zxdu)rJsrrD&y^((3JDqC=CmU89Ru$S^EQCcqBAqnbP*t5%HY10=@crcVM#&kKejiM z>;QZbHK<44>BYJmJ@$tSG+TH@>?%c?JJap&NfSQ6 zSS%C15swloGZ{Mg8MfF5@KU>n%KO{PK0s4-xJfh5xzOtXspSGdhSB#mUN`DK0(?J) z8Mo8Tf4M<9E}m8^3Sj3DN-@b{xQG!!s2>d<+zLk52v555n- z;rB3BYPGT~o{tQEFhWR3rytLOqldyh2I1VB}M3QXAK4U++nP0E`JIa0bM|5oe@J0=Kp=ByiAS*bHqm zS!VZuX%_=5husE~EeU{8cAOy-%T$El`d*KKNPKF`eG|M}IDuR@p&*XOji1e*1Gab= zRu6~QMFW&P_|k`=6CO)`y!h*>_XDf2UAh#(98LY#yiQ$$sN8E-52*9YuQ*Y1u7+2n zN0zJx9S^L&63^Q^3*iIS-K5>7rW(rToqAmuT~34*o2@;*G~}uk0uAhp?>8=|(d9E^ zwiE>=wiHzRuBRgc&12CkxpJBQMXP<=IKv#$bYI)qn-kh8#m*8=ArGtu`-^tznyxb1 zDZhUq(2*Wlw;J3y0M4CATL!gnQ;tfRO!Y6HrLak-@$B~pj2ZmsN?CX-`i;X* zlG&nq$%v4)%?N6 zD?gN+1iSrT_igvrfM13$jT*J9%_bb%zI{DvbMUUT9LTlaFd$!#(J919{7brA(BZnr zFtF4?dNjTkK$b-naUteONy+$uP~IZ>wIV_u`km_KYsUj*J~szu0o_p##Mox-8})Pq z!wyu$Kh>cj9f?`y+B)V9LT*6#h((A{f!IEJ&1WC$kA(<7m)h@Z0*d>oSzG4s`TrDh z?tx7G{~r&Nxx|p%*&^4B>4GemkxLi4NRew4B@v~$eB?5>5<@j4l1dl4=T4RtNu+WK zF^pVFa}UYybt?P*`TO_S9EZ2p<@tO(w_Dg9`zab!>&8tRh(!dP#!E*wvGi*G6SV5w z$iw0-W49qPh*AWZ%Rk4y@i7a*bV&>q46;5~8;X<*s9e(W~!+$_sy4 z*NOt%Ch~unBF5HNTP^EEWBJ`hWlqB>D0=cq{-o>gskem!dVd?t2@C9X^P}+?iYpsS z`Y`cfmn5-|PLQg147BYM?5D@_X^~9Q3G%rqf5=xmw7A2nQanbQY(h$B_Qva^5r`<< z=A8UXBAa}4D5)8E?ntid~}Aztoa3zp^iytgI}F{L)y#dImzENXTB#;iTKYDn!mYGpKhckJPCz@N`jG-??|5}|mMS4N?V!cbu7sys( 
zU9I-$J;}aP{WRJqPT#yybmEemzV`gliCk(YrN2E^ErP};6gJ&77u>tSYi02jt9^=OTN{omDN8H*NCMm&--tTsBzMUo*EdL}4<)lpOJNKnY{H zYM5=ttcu+mD)3N3+r_D)$oIYio)Y(-1|Hk7K(!tacy=8Gs7Wjix3a-X=Y*_ndhzf1 zdmay@XGIe}p*wSpF~W^u>VfUgzqLKgAudjR%uEz=hcRF?BE(ho*X^(K<<0BB+%q@E z*`G>gUY_v8SXf0_9J~*$I&;M;5!uunLWkf(nFwZNyl%GMY!D_Sa4`1nS$^)%IpL+n z^naFRs3`j9#fHHF3Px6?=cT+TO2nd_X(}+zOs3!W2r%2NkiGg>vZ9DNIl>=5D<{Ju zGo4zqFoAeVH2ZqRp-FqiZj@{81~hk~S`9md$oem4*57xChq$NiBEY=ss~J@u3v?xLckWy?&T#Oru1KbJ?0Pqd#U_P=bl)9{73r$6--oBkO}MksD!zZemX znM=!)FqR-5Z`7qhn2l}wd%HghvkM68WUiVooCRbC_+yWU3vaqPegPSj^?qKVvmDyH z9T?=~$}!c@|4qg*a79w5YZ-l2cGHGUex@wv+p6WEJ3bzWui(n!JwsWL2+v%_Ls%hr_;B#I0(xKB~#6`E2or2jz#VMg2>hbVe>QG<^mYls5mLrfI z?i={Vwc4e98>|zfz9Lu? zq%z*X&+Z93c1JgoBbpv*(RF``GJrv3R1V+{8l(#9^m@XS5GV!6rShbV%W!Dl0Fct4 z@;_1(w-d|S)-R<|MiNG2QL4A8SB6Pob0P!#hX>AvU~HBZxV~^X+K`R|oa<7q zSzJA`8?skQFMx?Q@a1gJWn}&buY(0ygh49)N9C-GLwQi)O(lI4xV zoy-O}1tk|yd zIcVtkZj?v|-0+cRLyWI$?62(g4q>X+3-@v`waBiA^zD%6)T>jV&yO6@mlFm9{XDko zKrV@Q7=Y9Ba&na2_w4Sbnyd!ObjK^PdU_SOs#=0jFC`gb%YdVpU?g>RN{VXn)2-aD z+m4{3bv0yc2iXttILdum?yV!gQJe_Y*{IN409BelHQoKi((m%sT8?(%i_-^86)>d3 zV@2nd!jW}!VGPw1OE%R%33^Pb`aYFumPx_&%;DS#+2J*@XH+Tw40BfgySk{vhTmHd$&laUy#8X|Ty5tR52C%6tSH?I%eE z1(3=?evnN~Xc&^UxMs?(eorF?Pk86xSXehV46*KjuAgE|M6}wLpl|7jnTFwB53KB! 
z7`Eo_>k$uBVf)&KHUHo5jwjN*f0&??rZQ*vgK?rZ=rh6*c_X&${h*=urU?Dqn+1-C z<*^5lbDO6^z#vIe^0niNwSC~YadTnrtrTg5nVkhr!AR*7m#>1_6<7dTKIp88{a%BO zcL^Slkgy_47@8{*4Rt7$yQ{#_h)VIXTH*KUPKrYRGM+-&5=oWZdTM-&f7VK$trP=;>RDRsSvuBUpJ->MfU$UviyJQe zn*H&t1h8$^ur;cH3S@^%$2)KFRROR1wgGRv~mJ z1fQggRTBpsb}FP6A5Xt32&mH$H$A`ZOG47RL*80w16E(Ux)F@J>*NiCE&;}Hcg4%0 zLRegnZ>@NCs;lHw=IBksELW+P7}}<_pJJ51Rs>IGnmHkEugMKn%*UQK^B%g+n90!V zBVs>qBeMlgll;pxI(HboqtK~z?**mRG5&H!P^!{EmGkx%=A&u5jtT5*0fgW3sOd&r zL7YdsmynF~n|D&Xpu4-EvF!0O=VJdKDu_a{*=4{vlj<=tvj^KK*==4uRirlSQ z4d1i}r`;wgJF98o-phL-TS!4(d40KT1yS#07bcDUJv^%uX(WI&J)T=Qeqd$LcgdPV zL6uLhga?Zg)%vX2ZpOrItBF|Cf3k@n07m6q)-%z|t+-khuH=x(RL%uF!WRXoeim6) zqPcS5N?2d7Dd$2t<~qZ&QhvyAQu< z#E)TX^axRPxi^_qh`W(ByHh49oSq9Wx}l1@GnvJ?GLA3=|Nm?9iu>e){cXtLVV8m^ z;xFUzuPEZV!Fx)D@v&|5fp2CIZ?ZiR=SkDpUvG3)B{tiH?FoQs>|Wx|KQj;J5VxvL zR=lso6*TA7b}758^>X`E zmf=|&2nK$?0fG_1p@RI_Clq?D?#V8FM9cS4v`3CH!T|vw^cHx^fuH03dy+hOdT)cg zx~;QGp7R^XHN_T~H~n5*xaHN9ji2}<-OhCQlvM_OcSNf7dgn5`kl8V<7r!Ph-0zB0 z3|9lJk9OqkmAgZCp>hL|*nCD#6SEy;y(^$!TYhfhFkq4Iv6u;it>ZD^&s%@Uw^c-F z!t5t|@+|uN^_}v6bXS&7jkN429))HFZ8`-a1SLs``pwY_pN@-0MB zd&_pfBhljH(QQG%yf}}t=fUn)J3n+vUg)s|T949yvZqQ5j(>pj7oc`{vmXLYv;!2$ zGh~(da^KF)@TK$j4pAQHHqo75j&vB%VwhtP-!0e(L$AugZ{B zl#;g*_8td7NG}nU(YXLIc%N$)VXZe^LC20k)`c~XJup1foYy>G6fm$I2}N&Wd94~Y z)xpiGgE^W?3=YUJ2)vCH`B5{schH!dPA$%#(ej$Uz0HvS?7!K;1jA3cJfseLo6(Sn zqEP|*K*7OY(q~{`rH#WYLJY9sU2)YA8vWt8hI@reuF9^=l95aaCAo$ml6LQ|U^boa zmQ~8yJ$T+ZD@-t=RD~RZ$5jG)p;Z?m#aCc{D>G6X9e&P**#T7~3I0!c$j1(Y>&;sL z1Ueqk=|QjX?$o!;CB;mIAi5_+W!Y+Xp6M({X|Q$3p=IJOR9pid!WslEBx87b;QMK) z<(A&PkxKxMZU;QsxwiTjcnKfC-BWjbc8AEW=FyNUnB~qZM|$Gkga)+ME$g(`AsJ;! 
zyX`<-JuRQTCh_po*y}raDL0tcknqvx0mmpFqQO{fAc!3*~a!o_#z9u$X33hOGTxwc0dlge4C**PM33DLaWvV1DBdR%&99EH`O83wjwPvUH zCs?zYnWBe5IEWoXravqx5vRxJZbE)F_F876Hx{P1HE2y`LnQ|p03^?0w*LZ8Yapx9x098bS$>dl|PfRp)Y&mkDWKF*3e zK+aI5VxyH+(nWe_%oa>?oyeBZnG;}XH>Fr}H)U+dSJ|z^$FV$4?ZS>T4)$$UQlW6^mC>?~$KZ>k&P*}*BK(PbV&{R>FRXck+lg@@1r!m4&cvYuL7lKO)&Sbko1OXP$qcewKBu~}g!x73zo_pgyMM0`pL!N-+SgXn5pR#`>q^fKlX$=D9f=W(}z3ujL>DS$nZAs{Kp**}%-q5LIGH;$KaoSVbj z;BEFL2RXhEIE-nZpB6-Q5tc@OTog+O*j$-P+1zYI70Hz^8DxF6;ZzxjqUEAwsh~khmv5kpse0lc4?)%^U@;m3gJKd+cy022-003BVF(Cy201zbr03a|3u&*2s%e52$01Pd2K|wijK|y>u2U`g`=aR1JVJ*V#I%RsAWL7 zyT3y0Yyv<$8v+RN6@m>8V{)>u02aP~yj`BZLi9y8>OU*1f3AG?u%v9qJ>di3lYxMP z4TB34Jpln6XZ=v~00K~>38Kx&Lg+)qlD8OZmVFk!%3~WZf#2=Y=s2i z0#25I2llH2&Vwca4JL5F5RK=NkfNsn)6W*E<(Fe)#sJV^4-%#2@EE6j5U5q!=G_l^ zXHEC_HBu9;U@TD<`#Bu z`@Hq5Z-Wa_3Isq{D&L(AKMk?h>N>u<`IL)1zR^xGbc^dwC{_7=5TOzk$7ViK{ zqQ!1yJ2pDz)0&QwF3aS+)_)wSZ=-VYJ&$wt-2v z4W|V@@sM}F&V1xD2y$w49aEjW4Az^OmsrvPr8Y<}*R^;xmf@@iq!?fIxais-DO+3B zX*gWik5#s+(?A&@m!BwUfCO=2T>g5{VE~Q(zaPx^*F0iDe*ken02A=}1m1WC9cjqI z+_-?6ZzBf?@V({QlUjBW;6vuoz2{Z;9Pl4&*#24#6T3p|o&AX>M6iXtBr^DxJ_+2( zPu}>M#tkvc4CSu!`jKc7C3nU`9^P{R#qfSOkYPAktD**7`8@;N+HX;Kjlh;@U!LDG zugTZ)m6i99<`D3Z`4G_ro9R$?JnvHy-IG3Mq-D95?J5_ofCM4^#0X7di zz`YTZF_vK!Azd9OFT>`z%c5iEQ||~5`eWx7mL~uSkkk$-3PRx%ca*%p^h0#4T=esI zuCq4qr`y7v>~zl&>w9Q!V7%;_uVcPT-c*52zK2|k{6?t@eo%YB3EzDIZPhL>!<`9D zh|lz4eX%StVdw+itvu_Y*1b{ZFN&f^i5`|0J^?X_z7sH}4WvwolHg!6h;Kw>zF~3B zQgH!UaS;g-NB|X&BQFg13&!U@ery+?(vizhe#Q6#oe!)uMj(FGMrAe!?FxFz)bnO%)om5gtbG52@u_;K;li@CQ1X`>Lmo>XA6U=6IhSK zCx#mppo~K^0!SBhiG$vU1?AJ1gGqw04r~?#l|xhl#0kax(I7`Q54;hA%V#)4bc92p*(@-d{D$(?X9djMi9@PpE{^e? 
zusMLcz_tCWMO*S-XZnv-kH6h9hD7c3j~F=7FJjP1VUT`H45jFu*VkZJir@Gi{v0!C zz+Ri6CT+y(VMtV~S?5`+yo`3HdrrrN8y?R~}YgzW{{jp+N0Hz>D{4k-p820J(TUJ&8;n}RiM?yvB{2m_hpo3zRGPMOo-CHFKKZV!tVW^M6wl(I(X@RygdYrmi56 zOsq=q#t)63ONorHNb#he#PRwGHc|>uqEyB$Pf(^&Vp8T*>M0#94=%-#$5J*`Zc*JT+pOp=%q!zx zVyn8=QIulhyRAJmq+y{UtK!yZX=GR>T}@xzScT@mI%PJdw#wGmI{MTQo&dQ~xL~xY zH2i(zuKe5B#4oFs6+iaD^^MNHx8UF~;j}@D$ZwL)<5elDRrD&&D&Up4nzx$Z>a1$h z%Vw*EYj-P*%k8Tw%iYb1bp>nAEBy~F4}%ZW*aJ8Q*sD1H1x;Q);GU zM-oRZv}3euS~l(V?JpfH?LMwd_G?EE^V(zFvt3Jpqy0+-y@s1}6AdGd>yoon8>iK* zv89sn%v<|) zx|`?L^ArQZLacu&n8U&i=bv|jY)86_ntE$Krkeg18}?0aM*vgWL2VDp0w z@@7icxpKSx%QXx+5q$xx;&&!iN5*l+3ZBd~oOEwGQHm1sqcxZ5bM3abHuW}SPHNYz zF~f<1Bks+zj@x6}JKEK1f3JnNo413F-i}KYa?~W0w^iiEqbZ$(E@MwsC_!lO2lF$| zdb|!^lg|;re&BmyYGHF>=UkRpI2VWb_+9z1wU39K)7{t~Z^n`vsT@@eYh)gS?xpTt9(lSBozL}i9k+fuubsBosI9lU%sm|@ zYreF!+n%mpbQU<5yjKrxH2d6tEP9?iYJh(STfMN{yu_HtJ@feSxP241BR5^UauprA z2!F}r;C81s;B9nQce!^xyFKe_C~v5nL(Hx2m2nSqYxU@Octk??q@&c6z9&EWGp zd8OiGsk$at21MG+3;FYK$>>7!W-WoDw=Be!^0IwPvlH*F_ILmO@N#VAoO`Ys56%bm z{d1qLi0}Qh+oY6Fp09fP#%=QJ>8P#6md8=np^jJVM>ku~EBIsV3uskvCNHM0wBuG&%8Wmvlwhi1pkljeY(IPxzQB3vuGxswz?~adSWurB z(-0onR1ugN+0hYNQj(h5(h?gxO^T>roHAS`gty_{Vm&msaplevq_LisW{Roa46&g2*yHGA)sa&gAqgo|T zr_4vKK;kHDa5m1+cv#eO*)m%8X<;x+s$$xbZAQ)gL`YH6@#wcDji4z{HZl*Mr+%$; zJ9l|OWkc2J$6(pT!8o>RQjNzQ%6<1~L%WXq-sYrgi^+xFWyGWACNyqX4<7UJ2cM&u zUK(5HmEG=aS3Fg0he*e8HP>%5N2@(ICWPH=6Xo8h&!pT(kMB3|MZtl*x*xkbHyYL2>gv(Rd_bLI zDaQfxV$$0*#E{nh)qS0Ia9oiQ!tZ>SeGrD#hRAkMtu;?N0;mkxC==VlF2;8TP)0IF z6hG!0;OgJE`A-LW1Xv2X1dD{Mgi`%dGt(u)6>b(z7A_fbvz`qr8t9Jg5TJ{JmywelAdVr< z7L$=;kTsUf7UOJTw#*dd(0vJws-EalM_i$0HxV;BKARa)T&3ucdNs zRM>g+)_s`9RU;q5+27zuoGyXdNktq zw(L(FIw0LKxt-gg@tkhVefQFN?~7RkKi`LYm(fst9_-klN?oWC(ylspcZn{VKIS+V z>75+XY_aL-k-SjtI%0}*>@mN(MsQI(&-*M`k6#`3F0jo-$fe|Q^vrqL9U0HuyRAtk zJGPyYost>tg7(zC-8uMvNmer*`kC>ZaHs4O!zioe=j-$4Y@gm-_aXEXa^DYC;W8_edP~?29|{Rw4E`I(2pPtBdPLe|9f~}q znrv-T-PW#KZ`)7lo%o}s?SdOyWO7t4nt7@>IU|L;#O2B-m;~l%iF=9MxE0z{q7riW 
zQFw}ZN>Zv7a%hU_3YgNxGUL(?%MtUwi~^0xRdx>CcE)x|kH8mZu+b0}kpL0Lp?6X; zDW(ao2~=u&v}tNOwex1U+Syu?m6)}r)g#U)0y5Ac^NF@mlJSKF>GkuDSDIL;X)!u& z+k{8OT*b^^UR7^wZ<|&;r@7zsBo7K@Kyu(DpqnA|A>A=G(9zJVB?afe2qlPs^9u{Q zg$M9*Sga3r~Pl)bwSZy_HzCKFxmXL&c<)+ z(GxU0SH*FvvyHW7JA&ziwY!~?o5=DXHSjL)gRp>Gh;2%?+?VMb=}h$uX7+kV>}LAg z;`@_SSrB)$fyCX*dY8WSOTB{ z5o$y);JE>^MgUsPfzvv$`BDu4_o?oWJ`ezgMmFkj<^xVge)|hg!CR6etwJ~9H*K<} zAuk5M@0{Cla{>4YU;l`b-zj|;dw<827O?zLcHDI=bB7XwV;CbYR9-Dl4ZMhv8O0s# z9g5uhyce^rvn_nJ^ThN-5`eRVvBNnVzAQzUXdosCqX9EKO6-8-9x$6;7b+fHmXe<7 z&I|2t3=UenUu&RtyOOptwlcUf?U-gCCm&YGD8}pgYm-i!m zJ3%hhE+fpJT;#5MS^ruL(px-YAH0m`w?#Vk3IaQ)yEQ1NurLX*v1>Bhjn=sp)mV@?m zYuEMmwbMQ2-NlyBgYyH`3K!;2A!XP`7zcPbxKS8x)Q6a2?06h@Y?@%9%|te75AnBH zq3Ocnec7@sa|uo9X7>_P6DJeI`hLfY1Bk2ho&AM7%K@<=tAI)zytWRq>0BzZfdgUm)DhOB__Lc2~>FFUU*rJP0nA(F3JuR^KIp+m~Is6M5oBg?NS zuPrX9E;=Z*pktlr5hapilD+7CZmiARMe|YuYZBcU?I;~GNj%9!lcVulLv@9Eg?$B` zbKU;!pmH1O%wymjvVN#rXSj>kO5t(ig7u6J7eV$MP77`kUL5`$l5B>HP)2C#iw~Q( zdPY5xz7*S*Sx>nm7N&5vTrH~NopWZaX9BMmc2H=6zmyxJT7PEW(swoN-PI}Rvwqch zoJLJYRmCGrnvoP8ho!WD+pB2C{>EPH+gTk_#nJ=kSzpWl<60om`&LMDO#N3|0s6eg zWh1!Lg!B2yVaL43U<3Gt^?AX@b_cs1=V`UZXQ+Qhue2a_zbY;$H&{WkY-28uZ})A{ z*wgru=jO4Dj4Y1(<(0mT$5KgfPo=4g7dt2C)%`|G@}<^oIqy1J^ShPSTWw*Jmzni@ zkw4Z52&^6kwcxLj6H|Wa8S<#$g>Akkfb~El#C&piC7u(c6Dkc%96wr7c*8V$mo%UW zZR&5Q0W`ziL!*1Y>>sa@o~+)e0!VhS<)hTZckyuyw)IN!p%YFqk}*2c&(d@VpTUqN zkq2{bf}64?qpVZ9Liz&}2Uhx%hpKwtvr7_L6Q?tBk=0Kn144t2#lZ4O$B05iE^;8l z8Ab`pUd4<*#2$jzMW1yeP)OK~v5Z8~E3{QU3n>Z@%Cx`uli})1(;2f?vooV#W+L>l z&2Co4hTi>)Q#SMdhag#0+V|@^o+uvQJf^KVPDLM=AkttfVNzht;SwQhBIClW!c?Mu zM>R!ZMaRkvkSdp8lyt9WB*aXTPZ*5TZqX*JWtDW?>iEb3HXbSEUHY8)j~Vy}hDz8K zjT$SW@+9{w>xg#aSeC+-4Q4NEKXz?aj_k9KkT(phXz{@4nv)1MBF6O!c}xvxVzhP3`7s6 z%k4?<&1PU=qj+I4KH2n~g%`)Gk)iWd`4~4DdX0Rn>{sow&39~VTiWV4Z16e$Oj95E z5Px>Jim%0JVS5d;5RueaomIk2wN<#nuhMEI_e5C-tZp^P6001~41OWW&8|mv7`T_KJDTvY! 
z;J?#Ae}pXn_!R}k#lOB44IPY)Z5+*Pom7^c{JyGMGFMV_Qj?bAFtoL%)i<&=Fs600 zw);Z_fXj{JD`{=)q>t}rZDr%g;l@q)uO~RZ(tl*r5#s;r5hqJ-LN#eQd_h|WV|-@X z@3i!UJW%-f_*@P~CL9VvB7cd0{l-mb=Hz6@K}YB6>PqX%L~H9{O2@#?&Q3?qNXN)X z^YsLcqq~ihz8j5=BhjCg{9TWbv7@1bxt)`_tquMk_39hgIy-R_68@p+pPxV5Y3yeH zZ%sCie|77tgLHqC&@s@`)BRKTmnhdCxg2ulZpKz>LgvZmxw$@*gPCWkx_%GrAEc|~3|D{v?-#VEY{*TK4DEUj0i|&uE{|6L*;{31N zFQ9p#xaj^d8V}SmnWZHF03U$35WkWe;8`|k8ulQXi0%4DFfjszIDTtKM}I%wRR4x{ zASZ|`1c4xw(pi_heqJ7 zC@ph3M3~?Iy7-1b%1t|qRZsvC5&qY81wvd}O7#CDn*w5C($=kl{xpv8zi+({e1DHwm}0r`JRX|$FCc?GAU6-Ys5c={f$A0i%Y5g zQpER6@Dmu$C(}4N(l5sBfFs8u`me^j0o_Q+i~iMA{~KYxp2>q#xBYw;BqaxadE@`t zP$dc=B&G8C9Th`iJ`kb*x*YiV0wie3%VGW(0{)c3U!}<$>lT&&6Fyo9F}YDt;bek; zb@R{8{_`nU^i^7>5ULrC`Zq-X3GxUiAS7kmk5b0}ZqrvzIf{RVa(NSE^hSZHw`PSm z&FOq)adb}mh={bdRp3X)QE?>FB5kI6w)O^`W{-b#PV;ikhl|P-)oh`T^XWo$Go9;D zC&|NH8Yuf#DAfP3um70Pk1;4p&uaNCo8^Xd0u|yF=S%5^)6LwRMzi2)!Lv5E;bNWR z(V`#q2b9j|`!tx}sPjY8=1pf{I$UQa-c}lH&dwft#)0>4kE)L0FSBNbn(drz+xB&kD_`8tfY$C}>aH!6$1d;6J}%fmU+2RU zJ5uy>A@66DK!osJL0C?dhCf~I%(TZb7piP(-nfQ!9DQ|Tb8_B*un=UR z!evgcnU((wHZ4+7$1Ag+)y(Yivm`h-nssb$YqD8h@rFxb(L#5PcBL*HoxXTl^CUR< z=^=TC6WB)xGYaq%t7qyymy@+(2Q($~!OAAIW^2a9+pbeOw_|{=LhO^Rx)(v8qr-5@ ze(P+iuIR!aSoLZ5Jdhj})m|W*^7O8_D+ARG6A0QDf{GCl!9PM4Anyrf$?gy}Dp;JuQW#;vA__Qo-GK07bXtLYj_?|1gZ+e=;E_5Pv z@C^Nx=Szorb26ux?Hfl47farNvw)i3%(UO<4>D4;6SbqIObb@_OPqnC2n%~zOfW#! 
zb{1|=Au7$i5MRmlN_aNi(PeYYYd5{6(ORDt1qzqaLr0Qbg;Umsc(BFvhtZsz8f zq$LNc0~|*veo$1-KpSiGHwI%9&yr_gN7s)ZweBo)?=kqrTE|^Cm@DA@hpV=G=qVoB zjlh2!!M|K`8<4ddKY~b+h_a}0h&X+TFmRO=mX>MRD!3X*EXpoNX@|+pNJ)huc*~_k_2o_QSf9MMf2KSSPH48yhsbJ}J+|_^ zjL8ln+qY;}Ro`>wH#v8oTn>02UQ!3b<7CX&W_+z@6b$sh)Ea|`YzvTc%Yzr#&)cyF zI;KHydR?xzhfD1DMWY`bAL0KjvwY?VBO+3eukePASKO*|Sx}U1PRj7 zo%A6bi{r_U4U*fdsd0Hh#LZ{WwxEkdJLe_7Q!T8aD7f@>xNTCUczL2pOKtAbr}K>> zt6a2sZ!{f?_kAOov{oghGZAr1!2A^AQsMQ}LQ?D#!Js=IIGyU`$Ss%MQ{!Y9J9KIa zG8u)&ji-byu;=-3wj8o~Jh?Q}M@VCnF71t1%gu6#jo>>Z#1y2DP_J;*0^a>0JDk?g zxqIVJxYnM<6Ji2UwW4iTMeqbp*Y9&Zhp(4*`8D_~2s#7T@Na!@rdqxlh(H8DB;EuU zMFQD%alpgA_ManF3QE3Jx)mABHM$#c>NWlw=%>I~uGNO8&J(x!V=9eh=ha?YpG;e~ zF!%Z#{oL-uaPAKI?;O=`vMZTOHTt=n1ZD+m!^?3&j0jW++KU~=QCsLhTRxTxEoAW4 z#-ViC$Byz(pz3e07W-bD+jWp6Xo|}R?rY3-DzFyI`m(YU`CuANln7=@WS3Hr5fphF zZWVVfx~r_!h$iNg|6Zt*bNG^xlpfSlyprEA_5HFY5lyxQFOtoWRC$nj9DA`8p$B3_ zZySTWv+9GN0rz`tYSA9>bZy6#Cyrk9*k2>z1_arqR_L7dabV)X>w@mZOEbsZ3J@1r z!EK=pKIe01^6*g*DTARGQ!3^e1j=jUDoDy`u8kWDa-qlbv>_lC*55f#gA9+LsfT*- z)#Od|@aRYzL!a*ugTiSxy5TibJcG}_EYkdsMOJYi;vtz%>~0Rn2g~sl>hM62)cV00 z;BD?8g8&|Sy#{CwuT#U_5Kpudem~d9(!?dDu;6FN@j9#sMI%r^IJtTw7n>Rf`W41nv8tk^UJw~!) zaS3NNrBmBY-+H-r(mZoYWr?=Hu!YRzaIJ%VvaZ(bo_8;vug7U$xRqWlQ3bYC^RzL@ zmuc*J^Ol|DRKcoL8a|>SY$F>!s~Lr^^2}Ua{Ncjvd6UWIpTHyj3?XpI3Gc6ud@F=^ z(qb{5!D1GqjsV9V>f&%dythxpy8O;?^FSL!2{LX|WwEj*c(j^3B?u;Xc6!0(gSl8{ zb4AjlBn<6+13TNJK=89oF3H&r9?0l#?*kE%_yAIJ0qy`+Qn>hJa=PpX(v3tCilKTi zTv53%MwCvypd#;#zFdr7fGR*B5*HW-HlrVGpeR@q2C#W2c1C+I>?wUMF)yU-`8RAt zpFje!yJx3j-AjX16xNTVt(wL&JYbSBQ;BD{weQZr8)eBP> zAL{OC?PY`XfDDGpmmKNptK? 
z1&2dB5syhT!&)ZuK1ia$Dmp{%_QQTJ*aC%{B}81=9kMU-DHFKtd!cKq&6IStu*h^O zGt}jfg^Aj0`do!Q%V#a&;4f;+U7B|f;kxML0(-xYl}>9~&LRrq_L7tA==@Y#a_Ny6 z`V27O?gM?wxJ;(H0~Rts2(ZQsp+sc>&xM?Ivgh{c+|70qMhjQiAM-)GA;7An0d> z%o&l9wdd03o(?5vYb_HsPfwPT_QKz8CLv@HM2OqX{Zj~%;;zuxA*W&36##FP`&d3{ zdaT@dzKe0IY)&N+nh-1=M%>KdeC96E>x7S%e5mExu`doSDY|gHXN7dg` zVLk|uW~w(Y*%8MWAVcJYZ`Q3~5J}$bu@Ujaq9oMCL;M2b1PIl6h)n3WkNUFt2~T`sZv@FPGOfaai}E?m92t-wCTI_psOBCsKFf_2np z>*2xYS|Vr1)u$r!(SxLkI9IsO5>+B+?*=r{)}W*FS$e2BCx6fn}NrPglL0zD4Nx-T(Wc9a$@av6KJ7nSj?#zv~nv zMvu3(dv*LErfnu%1cF=^Z}V3&_kxS7?dIxrxBUn6w(HqipJ!r_bsviT!Fc?w)vM?5 z^Gx>UrHmtx)TUKh1K(0pHDFfs=xd){|E^`PYaMlB~k{GFOrIv zmoi^yFd0=lG0UTrm^)o(7FME#*TMb@CApUo_>uk?W^Ld!R#iyM4Y?B=fj1urXia4N z!1Ib$-)DX~#vkgnWSw3N@AyVvh^Ae~$>#~Xx!({t79*b5OcVdt!Bfru|`fUJ|x8`CCItQYg#=8G;C z=jHv$CevA3H0HB=(?-2s&`#%7zg2E*(0+ZG*yTG99YZ?J+I+=9XF^sf5;gYe6*tHG z21!~p>EQdr<+Do?ba*d2bjBr@dGX47E}icIwYz*k z)ka=3y3AD=q=;tCdQn-&=Dzzt(6gJH^~FG;X_hM_?{_tvmYx_HJL}mW?bf>v)AYxK zub{7%H-wkkOqS{&7`zP_p8-qal(NbA^ymd<)(SEZUfdqtJ)`@h8{9IDlJ$x#wr73o zXhzAz9A(&(f19tK5CKiKQ|F=C2#8VcSjGp8^OLh83qU< zZBl<{;<{gT6LfZ7tS&RYGfy7D9@?_`pcmHYLiIYHmQ5<343zMqw><2GhpDs{FVDW1E9~uaQ9FnstRMuH z)egDb4_aG^d4+JtS!c%QED5Ffv;@emh&njdbO;A@_SmF2#RI|Af+JKi>KinCovOD1 z0-Ey?Q!;U-GK^5ArauppV)zK?Uw{+yQIa*drKzQ;6oH`fg_0eVs?Tlkg`J^jI_bpg1;AIp6ToGYbJ(dn&`*iD`6UoT`et( zd{<4V8d^ipWo_4{n!yt_1e@8jHx++#+e0k26! 
z)>50|I7e^I!fQZ&r43gVpO^TwId_Qb?4te@Ys^aUIfUibtkIa}vEShixMIV5MpHR6dUob@0QehjlMNYh3PG$TiU1TS?a-!%V7B@0UA@6< z*ETGv#?zPFlzyxCn~8jaVXe!Qn@%Y@Gu=Hq#a8=DQR@qSg*aK`r-!wtV3&QS;8%_u z3R&D$g?tHPwh@cKKZytUcX*6|pGe)78axo&Y6zR;V`{{1B?CmV0x{#iO7CwvuCSAG zDk6pe_kUPC3)9ODGYyiRILXc-2)gaT1|kKa^qC99Ac6hVxAVLDsfWdo-viCf=Bs{z za1#WgN|Z2WK%NHEr`}RGzVkDa5hE=zD#cq4PGE4Z8hBe`h_R1&Ip=`5NZQmbr4}bp zb+z|nq(I;Tr4#TMtll!+xcztu4l$QBlC+vk{%Gl|QlrdSqBoPBuoe^$az4l{{c1Gm zbWrPZ|C(d|kiA}yRV*7Ss;7k1E|CF_xUop!E0Mdp}C7#6YKUDh1+dZwLl|6;>Wl&msnt<~y+G{H%xg8qbPSj&JGM@M2PBS%A zs#LDmnS0DtNII$dl67~NEx-$FW7?$&&MC!UukT-b(R%y+)NL9;`1$Gumk3*a)nJ|7 zhSA#b(QZeON+MHQ!P2g=gQ<1uts zUkD_aMfX!U1Ccl9mZWh&f$!m%Indb|M_rW6FN;W859+LL1^Bf1Lij)Mn?ZVm>&0SL zU*9|FK~8>Zn%?LzWuasCawMS(BtGRB5my^?3Po%q_IZS%3uk}5hAluoUW4v(wTaK$ z!C@E%5hi8FFBjn%@szyIi*aLN6hsu1zRfHM0cN}(OmNV3f=U25jSG^NtOYT7OcA-k zbK*|h$lTclu1^-GlAAkA`?)YR9|~wFFD0-M!Bq4yPZFk=)Qgps(bi0Sp1LO%0~b^) zPs?u6epM%zYn2vkP5CRyCv*lKy(GXw>sK?qn&;*Lton2pZaOw;*%>=oX`E&dHc^o= zI4^rIE_-WHbh`n`r-n(wY{+d4eU@l8tMt}qbG>L!hVfBn^ZH&{>ped)d;TS{=S=qP zR?fy0$!!`mC!rqkS8|J-prm{V<*5UEdE)|^ru)O(G5691%D?ywaz&sh zK}BJt{jpi1L@*UgyN{7|-o8nr=>sF2fiRs5^D`A0Y&|~NWk_-Puamq2v$qZe>+%qS zuo~~^IIuo}TSqNzjVxR~^j91MR{#Xq4eT-uLy-1(TNiKrBci9P)t?o793x3Ix_ui} z;G6IQXFE>rN=g>`H9c$(-jOyE4#F%2qUEkWR+wfJPZnJMQy)=mQQ)IUyabO{rhDM~5zz>h=dG4&+z8w(EA)Uc;Y4P}l{ z9T`^|zfEXAp~9W_Qf$<{w7uziKz4TzBPuD5LI#ph#kF3M{>6ipl7nEZjYx>-O(;_x z#8NTQKwfknFfOSafF^4JPZo1^@*%*9a3Yd%ZJ2n1ow}J-miCh0L$Gc-H4@vCXSx(= zE=BTQh;WLlMcAMVkshKp**I}}SGR+>HPOFEUe&^Xq@C(gX`!0M1wAxYVXjPFG)-o< zF8PcL;UhpS-Ct=d{=;6?li~9h?GO8fhI6e?-RXcIa*@+T+Z!jtJX1UqOh`j^P9FA5 zIRe*2%g~}6M(ZBEXpythdMZkc@F!$;715GRGno#O7yah)&1W9CE&0yj<%IX5)dqop z_D~LO?>-)ExbY&tV^o=3(KN0Z=oh3q#e7-pQ!snebT9sYsAx(Sz@hM>9cu+_${RTf zxF&3ye&lx*JV|K_FsA*lQyP=vokg%N)_{DnuUAIN^50w8=w zIrX2k{cp$-!6FA7gU4S||GyCgmah-BdheuDfF zXK1&t_z5nj{AX~YR0-rs`mjY^r43@fQfpG)@*f@e^q##6k1cBS|KxlnB*Oi;lq4W4 zBmO6EU)uTAW2H^Qij@BeY7){HtzQJ9GWb6MQPTMeMo?bXDUbiB!hh0Vnn98kfGQ0B 
zXQ+ab&Oc+?>Z5>0J%5Q+c~h`5C7ch}KOC7%W3AabSn$74#0LklU@`witShJ9?qm)Z zp@jG~hz{a^cDmn2-D;Emn+p4zC~*K{&SbHs{F)Nj$^j5boNOticl{UcVeh_!LP32&@e73~5aJxP-0bH6 zH`e0M=5Iiz)ViM_xof;qD4qy4>ACF>4mBA$HKNQu%XqK;Uv~S~bdgB(L!wL~)lR1Q zFFXAaQKNwTiY+CDDo6jhr2c1M=_^ex{WZ)a60671{_fL%K2Vwj5|J%PqKMgXRv)R` z^kwAm%tosfM*D7)|2b&G_}oeG;lIpl^#7XoFC#lhenrXJxW6aY7zl>I)TQeBtQ<~d zYd&L^peb7bU3R}#Z@3?2KU-%p7>0a)EU4-pOpo7#PoY0NU-o<+wwooB{og*u0Rt7` z-rP=cUKUoF{IX1(vytlyuIYNn@P0jSdFc6kpH|T@FB+__K#qH6kZPyE`(&OXZ z@pdx~U8!27!ECwN+2(vQKkBk-PG-4WtM7l{^}G{`_qIjX^JV~zMqL|&!?}9VacN^& zStpX`Trn1vCm6a)RnuvpY1`GbP@!5={=H+Yslj%u`(fR2y2$ELoGja@OwP_ta<7Ji-tM~C9r?`ZOZb`JV&eTxVDGzOqO!Z4Hd_ueh;dp zra%_U{hqlgOPvg>)bp);#_w$k&Hje2{9ECmt1f%`RaU3C_s|n_=zq+k(i0E~Z8-{C zKUH;ORL`AY^t0P(-j+Z(j#9aM402d(wwZR<2{KnP?oS1b)JZ$3+S35H3KaKLOaPu>_~ z@->nOt6Zv0 zm#dEJTFoAeA7$JhD{Y-D=v=tHEG@gU*zO>m{ysEp*x-A7^gR?}rMPmRq=mKWYYe`q zvD+xqJuPm!S<03L>gtl4=dAs3rs=1-Dz}3St zY4OSu;+$5zSNA{(n_rRAF@5){i2KbpjI#HM%WZ(`^KtR9;jI2$V_7rMH1jh{K#rn( z8bu5D!Dz9OUwW(O*Zt)2v*P-#Wp92Fi`x^mrCdon??aR2LAGn2ZslB)ex75BW15db zj&-7>Xi=4pmfrKt>i%2UEYHMqokpmK%2r*3h8}A6uxT|j4b~F%;&YwFtB0`89vf@_ zJ#+iz(>+tWRPG=94?d3nf$R6*i{(P&i&~D-m)bW6sk)?4l&x1p`BrTQDWDn~MUv>8 zFUJMY6MK+1&P&>+k6XSyx%F2ixjyw|Ic|N;TRxtgC#3~2wrEk)tXp0Uz79Q`9;fPG zo6OtWuMbxHU7^>bTwe)K)~}%hg~)c^I9K`g5^(Tg=(k~9&&q2uWdCvzy@6JDm)#9t zkL&z)EGzt9pRTWqE{omg+z}NyxaVM?CS*rEKl4)$kLh&S<3_8Le>xEjc zQTk#H1Qga|&@05Q>3%cxjn1}AdVbGsIIjd3*|!~^-o?y5UE5h}YR+D=JqZpitT#KA z9(JiqynLR!V6#VEYgaYY9b$)%ZhV#@_jt|7`FL&VH(4=%{4n;GQ76%r2de5`MV z{u0k?3-{hb){7PfOW3m%)>~1zyenC{5Wq{kkFj0vUvF)-x|Pv5 z^+`yQ?QS^lj_J(6yzkzwEm7jz=v?oU3wFBit}h5EQ{8{x3}xR!P_5yvZ$Or^cx?t( zu}9FdeAp~>ubYZ}l{wFFJL~6Z#T|_GRYU9Y331Q(V`JeX1&N?3y}Q`x;CtS&=9!?T zoFHr0Z_L_FL8PfEorb{vT3_0_u7|K#yq@eXg^@PE@`_}#IhuDuutZGBd@fcRO74$m z`yq_enJrV`-wD3^*`)}=u@mb`>F<5*?rXT7XZpOKZw=m`?~iEKmW@}jydTS3T6-%u zqhz_uBk@GuZEH3iRZX_Jt_?VgN2G6G!}alCGM9HtMbnyj&8lJY&FAy&Ru<3UyU7Fw zo`X=Uz?WlHWw})Suwt6)KAmpn?sgzIOw+tfh;kW>0YZ8R3TU?3>HhGwCVIewa6vC0 ziC|eP{itfxpUoHEEI2BN<+;Iy_37-z+- 
zVR%`K7sdS@EIKu9S=}}ix>46xtKScES=00JGVU3N z8xN*8(eZ6N5dNWoEp{aSX2W%BWq&mBo!Q?yq0>^}Te_5DQz(z@@lKBCh5GgjliQV^ z@6_jG&u5d9EpH~1X^i*F?~={LYWV_@=1G<{41Iq2JudH$=c9LbjRq5GP19^=tDg4< zCZ2HzQGBj!nv*gcr`U!=+GfR#?H=)WOq=bc6-em&v+GCF zx2K7Ptkhux&)d^7mr!K#t7bOOp3bY9S}qNjt`X#I{+_AEQ6_Zts*Hs*nig*0#~hgf z45w2KpF~%1*`|uu59`Nvz!43qBX@40T>Kv2cg(3hgSJOCoFn;oqfo24F_{%dcQeK4 z0Qfv;s{poo_30rUv$iQ%2|CxniD*?@GiJ;EWE?u^o#5NK=)q2KsDQD;-_X|kPh7UC zzGQS)n>d0Zlh>y~F12$@Jy}*w+G~g^S2~b79H5j*fpm6#ocguM&b00ZNqCjqjyosp z%GvB-WM_** zo1Z@I-0wR=oY&Pm4^QkB?ue9UM87oxm(=Cac)PXeu8_v}G0|guo$zK)O`W=VBLA3C z@*w5=8_Ym}0Z_Y;`s}?JQt#KpcshKgnyk~wY}As>uz|E7umTt&tylOrg~Zl9FDDgi z>83g6RT?zDW9W3~`i5gk6h3~TV*P&MUbJ7{Sog-41H*GiZY5ZaE|ltWzPhqI82Qej z>vbKR{q=tmSgcpScYWabA`rcLd{2j&wyR&x z+u4#K{xCpl99$4e!Z;(jj^}yP`Q4ms%WBhY4#x}_SoFT6{-^v<_YdPwQt6ES{vQZ! z)vdb`$AsS1Kp@9+5Z?T9d6y5r=Y|nTe%I_%5Pl-KM~RtuU9=r}#0RR@_B`!Ic27T? zE=@<0WVP&D=gEdT!q4u0d36s*2VXE;hW`phw2x)mh4{qT0hG;v=Y5;WZGoW4!V5Z^ zeT2NHsxGpCUxGLZ#>e7j9qAbGx*0D-QZkv&v4#*2Ydx**s3yqbxtkHpfo(IV??c=1 z!-$MybUslEME0HLd96fGj94SJR&@Xh%x)RNAOq35-;!yLM@FtS-1vDmzGbpX#w+`n zLpf1#Q5^}ZbpiPiW4B2a+r`=Y;k3(FTg&AYE35lyQ15H7IqLrPC+!C)bfx%Ga=0O) zphEz}6Sqt$?-jZ&BK~A&v&OU25G>+rqDzpu{oNkyfT3hFtld{N@8^B)DmIyqo|)y; z>rcMU`H&&362Pjg0w&$>hAGa=jcvM%P1@R*UHu$xNBD#|t;&*ER~z3w&m$>{NJ~Lv zG&!fkq}y2;gDSPuDRJ8b zC5P#69=DKJ*zR$(y$IuKy=pr|+^!fqVdP}XI=z^5~TEksO= z@7Exi?ecVB8Za+?ip~k{gvHpd>-IdORKa(bTU$Bqhu;kGLrcb9PHSwxoZSw*ERn>| zUoH+>Ap9i6Q^IcgKSb0}hD^b{2!3B^yKWo|=2TR-Q}X6r{@@Sv8bQAQ+5)`aT;2@j zhLP=W%;?3UvD}SEC<4<2e{GpeW(=y%K0|1<3&*tLGhGhEh&|PfA&&^en1@Z5)EZvu+46i#kx5Ih>*CbXF|sudjJ9|B^~2)H z5tVUyM=Q14)5VH&CMMQk`N5$;nvVM8x`iW{;J$*lGd+!RvT=i&O%Nvks&Je#X-xr>;{xSi|o!~tQU^`AYe}X9ZjYy?6T2Hj;Q!164Jg> zS++T*x$AwmHA(8H&+6{l`x9x?x5{P_Nk zm86UkQ@R`{DzL&)2%eVTpj6IJ;`I`&KK7?OEKhF z+n_n%W+%N}6Vgl8@FISA2=!8(aV%Vc3toL|PE}l?IPzsY{3WBuoEj-g8{N$~NGOLb z7aB*A?0Uo9X&$B&B(?O~8U;3s%7#gJZl|Ga)N9;vS;01E);V1d9_AXe+%UI!+bPx5 z0&1X^8~r+j#9TE3y3CL%RhsgQ^cMLYk_gcv!$iAHE*-T?R;i@uZmzXeC(1J=G8Efe 
zCaXS5EwnS+@j+lHYHy)m_dtP9^WM_?e9m4Ttm%ck_B&=fez< zfe0O~w5&>7s2i~x4j>9oCoQrdGEb*bWf_-QsJH^t#H^PpyzSkdR13=WUKY-kI+T-m z=3M!bhB@m$W%AYpt!ljM(w<@knbX^rWsnWaLyW6xjVJaZO%=5(;*wfSUr*5#W=S2k zDUJ_jq`}ksED$6ODv*2pO&Mjp7_J7wyC0$bM@8x@wBI#~g!;fuHhzzJa$m5PA>c}{ z49k;AeBE-6SO(>DC_!echRu4b!>}}$tl+4PQl>IK;vpOF#rPR28 z-ynIfsodw?!((&02obE>jHk<+(^Jc*5S#aD@x)9g&Dr|vqz~NZwjB2;_K;#pj$f6n z8xxj{Q+_8GXP5~aZE5}xM&clwPA>G<;?WoU--(@&cjmSrbu|@>>d=H1+|1U=YC`*lvfP zQ=Iq~U8t4#O(BX({7&mteTBAUqKD2p&RJ#EhIMS@K;`LZ<7P z?6V~nVn6G?TDP2hYqM@-6islvfAhny#n;!YgjT0^6YPgbrlC@E%j6+UL2`DFgW!mn zHo4ct^d|6kGp-?rxG;eT(glp`%D>?EVb_?xeIq(2ks~R3z595OywQ)l8}lnmgdx0e zHdq->jNh<>IUoDDj>61C_Z7@=F~4i^E3Ynb;!G-OhM|6jkB|V6K{ov5aEK$#cJ)eU zcCSBz_(^|KQrjI#C3Hwz6C8^GVPWp*mk;RN=@*hPZuZFo$BbpXO`oNA_!mQ6u;uGh zT%Gdrm!Iatblu$5GtG;~2(o~? z|G<9NT&4xY7GZ5BdpFc2F;E>a|;tw0GXXJkhuQc`gWg{IG)|)y$<; z&HlHVXYL~G1bTqTmd_wDl8?aIWXFccg?fgB7SkI2RLJ4LBc{f6OC1H1{f$F!Ac2n8 z98Rq($bL-Fz>bG7uDNRU8Opb6_xna%UoeuBgw5W~)S+}9Y%mFX+y>7mHs^0=!M}^C z*h<&*&BUpawNH=7!7$!_WgXt|*jjF4!YZ6D%AF&FwzmD^vw3U^3--Q04Ekd$$Wr_efZ3Ar}`)zKPzmtl6aqUtx~lZhP*DLeO9 zm6OYOTm;X9?xH7teqQz~6_xtwRl8t#c~?qLZc#lYjp^h`me!Z`rMj)V<}D6&+iML8 z^a0+e$HyHG{R`@HwAS8R*3X$pvTxQgZ3I2uX7i`~~xI#_2BDk%xDa+J^K5%2x z;(D==+VInK)x|%R=qh@Ht-7FLL~SJrPsL`I3`dKQeto2&mZM<@Jt#puW#O}O@(?F6YQ-C+tSj-8w&e;=(JPzz5a^of1QVM-p&St?#B#3L zPwsgag7$5{op;pB?xx(JrO-|)OyU;MriW;vCRe225Ir^ z%*o4PQ35p)6^Ymgy^}Ko%l+_f(;;;4jH4i-WXSB`w@3nSpXSi9ILYshB_URxRy8ZX zH}F&x>rM=r8OqgtokK8b-XF^cXn8U9RT4)RQ)C$8Vd-rkwkNYY&T*KR8_K#ix6%$B9;eX8d)Hi7Y8uyY8!(Br_{A3kPAbTF zO3JG1xX^bIyq>ap=A~bB&f4Dvy}2m6$=7^NP4rOc{@xnLr=K%dLsN>02H;ut%W!LS zH1(`yIqe9m_~+K1)J%)m%8A>Mc(|<8%I+a_OCc}^EFR04y_*y&Tg?nA$yXY)&hAbw z3!W7Dnf$s;M^na|;ZdrMP)i0C|8c@G2VRu$#W+_aqyMxXQ%Q{iTas39bqq(=3WXW7 zz!o>}j^eYY&*YuWYm%*UKfGaMnMlTi@KH)?6#w4olP`5p2Q6 z3W^l1pTQRhF~x-=69-il)m9q1M5Z^Uy+ZhrhWJIC%IHzY^2sw^xPhRRCTi+6I9_t7A9tdFHzVPAji<}O6uKDBHK4oYvG&xR?LvA zmfrfg-h$r^j&3nYX{AEEzE!{xm_J5R#uq!#VK(#4fhsfKvqj&&3i1QnFbcH-xV1xn2`sE^yyjFSiX 
zUSFQEPNwQpaeWHHVj};1?e?UAMme`b)*3a1%!O5e=9M>*U2!EP-}DY&bd+cagzCeq zBJFhUE4;4+n$YWTGjg{q{SoVFw3Cfk9ja*P!s5YF3t4)UFEoJZS*l=7OtS*~S z1}$z9?{K9`)lrK#c9lLPXL`;UVu*X5aS_={%xih zSuryDf<1F(`lUiGNz*O2>lr>vsTW_wSQ>3C(g!N&#QnfcimNOEPUyUC?=d1jWl^s zi4P6CPwpU55t?zc=*Q^#e4t(m% z8xZIPxit(D2==E+WX#WY6y-iQekcxc5<0_PHVdZ}-4S}bIy|#JC zCE4B@e6uGYarNL=VL1DBbAE{OnawkJEzBjiy3A#2K0krrtLXTNLGJ#gUyl*ZQoQ36 z>(Af6IBI9SF*eV4XdkL#(wV~V^g!$^r>C^DE0{utzwL$XS*>U8Z)A5-=k06U-gf+a zeZMgcqU$hGx*%y0aU0GI%WnGD{Ss{ofmSUp%e(`;cUv0PMqBE@|-Q?_d9OsIugY;3clp zJ{HpbrvWgQ114r6Iq%;8hAFO`Y0N8PCKyq`_K$eMLNXZK#IC;mKMvjCIruK8OWcs+ zKMs9@G%h>dB$HF~pEfJ|Iy5f(KF*DAZ#e#G$HbX{qvzJ4_s?{cJ_hDc7%@X_>Ge`Q z&6~lTnwC3rKOekPCQ6g=c1l{xZoU%W|MNq(5Tfsn#SKEeIr(mi+3BRRI#j^&@!TBy zo<6KI^xvRH@Jpp^HtjDq|2S&!#Z)q#8%dqU_L~1RZVZzDk7zc4vhX!N|Mw>TYjd&5 z_y36t0f(wJ9_(%IV0+Jhe$lw>9O=IRoWFl!e03mL`M><3l>P59k?IfP{e?OG?Gr|I za1_2_=MMejC8Q`D^775*RcNg5U#!w#|r2!W6XiIfBrUr-2(ogcm6iQKfdz+8+QA!AaU{UE`YzC zUtnCa$yc=9|9N0#yZU8aM$Ei_jefN*;jA*N_VNNYpY8YP2miTuF?%4yh- zmF7Fv9xsI%-A@d4eEG2GeTPakwGA1&7Po$9x|sV05X?)iu#wjS)@Qc0#5BU4x44aT z>;j%}o1;bpFVDSCf#Kq~)S3EXJ@GJgu-bcjO4xY{wQFuL^oP9vU;Cq-DER)44*r+Z z>B|e-t~Ww^Q=ITGiFl_QB|RHGGMA+tywwG=o>KvbW~aLye4Al3PQ?`F@cN z&majg_HP6$ST_GUrxp96ebr*J$-~Qwb4TEw4FjC+>=P`vn0qug&FN`4ty{$9%R}6d z-uYM=CvfY}JhZGl-KyRMHRE41rTk7jrO(g`e!yyV=lpoKKVmU;`r$54Qm?tD5+emR zl<{fg=wYyL;Gy@W`AXJUdm_d%LmHOXZfz(_S@?ciMIFo zn)Kjdo4EJZMvbm~MujVDr)^1>FhR+64IifRpSMgXG4aB@@69(y@BO^F1Z$p&Mu@0S zK=S39Du4H@*HCl}Xv<`5lgLN(3HC@@+orpQWq1x72mWY2AjG!t+Y~wl`}^$7ejwKe zgB`h~lM=~W#Zi}@6?E~-3ALkK_pE(myu4^S26eYb>d^GUcRJuOW71M z;QJM|<^-^oGk$ib3EsLhH;Y>~-B~hqy~1x`n7Ww2jjs}N80{tgMrpUxVwtNPP5mHG zD`Vx;NjfuTdI|9ApT*oOadR!;bPJj_a?!Z=sM0CO^%Nq%^0}yX4R3-lN9K5eEJ#ZR z{R8X58;KDh{9wZOaY^h^)%T}EcP?H&JG-@KXztLPEhlW@=ia}F2-(J7-O-YKwpH>QIw z_bbhhF2DgY2E5ym9Yi=WXerfp4Cq7-;F~oyKwAVEJi@t-r=Pz(p|J4(nniI@vp;Mi z>@p)ee_I;MQjx78OG|P`k?#{BgY*Qt>D3EhZA002?%@OJ5SCkNKhW$<-SCT&vbU$$ zxa7&P`#jjIcjWu{Gr93dVlfm~F1g>y;9?{=0{+AO^kCe%q*l(BCi9@b9N#)(i_A5C 
z9c!RM;D@ZK&2zQMoG{gn%EYZPm1>!bBWoI&Kz|Rtp5QXHNJreX zS@OcjM7l3nEvdflUy#P>T$s3y2v)H#ITP|ydIG9*CBZT|!o`!1>`L1a4 z*_4Y`sJrN3usw>tb6zrpqDAO-9o4$!@8DSJlUA9> Wf&eOh^DVAzsY&$w{(j!v$ zqz~PkTjpKgvqaRb?Bmf7hR@R#d5os9f8ueX(2QA-b?lMD0Ubqb%! z1~KyCW&ion=4e0aVVh~)$ODxV@>|<@rC93XY$dimyo_7Lyoa>9)^uAhDhgdBg2jS$9SoxsY-Tn<#onBI%F~*b3-K;y_#aYXOJeGYfhYb__ZFoXGUG25G7J3i20q!;%-=isx zU~W=rAbdJpV88yQJX6LHey=mZwL3DLA#gNCe2pV0(==dzsH{(!=D7aYI#%k5_mofG zG%w=m@h)1_#3sqW0YM~;o+X6)xjJUok!>9|k!j!LczHaSBKPq8WWNRt2lvU-bW-Gn z0D5hzrkWT_G5h_6?z@19{D|rW=SOvbe$8S?Cy}rBy!Hxr`_8WTtIwEE2whs2o1SCG ze!X&jof`+tyGLBQa?aCBAaxsv6Tx1yp!5BJRHUryxvI^MbyBHCgVf7`8*bXJL~Fxe z(il{UDfxd`*dA-CVtBGx7?j?KV1Y}xX+Hb)?Ss_uLW0-k_YrE?br+x24=MfVzPU zBf+gAJR8>n(UyEZVl2^ZlCyVVvZ_9_R*+>{^9+}zvjy?~pNoR;7&fZ6Ys)6R#+5`4 z8}ODn1DJ+F0JC^^_lGuDKu~qSoV(xu(v5WW6s3@AFrY-b=_|sAp+SgYE-WQ3Iu6GX6_}B7; zlQZ}}iGI686nK32xQ3)TQ=k zGjZx36~Su!7|L$n=i{%eI*S`d18tY(s9bvU?5s;rL}KFFPE&XqGcJ35g_sid+>%g| z>%8J?+@N|(_ff0x<2ar&FawC@iMV4$2c{V>ejtdYU-Mz#8NFf}u77FHX8)ZBc1z$BnK&SAZ+7KfYFhtqkrE;m?` z^d-hAM9JN^46BwzkQZu8hAu@vH7$WRbpLp{O9j6ZH@_-0Le*s4u5zZv{_!Y7>4J4L zrHY~)uy8O-$9YmG=D|C??_Fl2y<4e3C9pW*Xw^|PTx7YuKbwK0G!21i0APsSEpKF3{3#xVYqQoRzJ{>c{}_f^S9YQgIBf%YU!p^?M^YF-&SMsMVf4wHV2t2VZn-i()DySNm z;vvE#Nxra@Tu+Ea+dh*|E7Aq;KzqdJX-zbRrWNV$5BihH(&9H*>c5YSf2)n#`1v`F zha?F})u(YOjoW9iq!d51FM7hsfDoLmX@H*w-y2b2>@LPf|i2nO+JUkTu|+MYYP{TGh*s z8>c)Yd;5ygaY3B2+=I|gA<@ud++$p6MEy|AjIQLiO#b;siu=;2b!=A=COvG{`*zTi zhH$$ych?)RtrUiG-PKyoFf7c-&_DL%Ky_&1wO8` zLSa>{4^EuUDy59-w~|QpEsVg^O%aROm3_7$*AVSNGGT}|d=gg6YNpyjiVhvwSn}>f64dM=hNm(i7fW%SjpXpfQ`&SBu$z|$D?A^S`yQJ z*L@q8mH|N{Q3{ce$IC5U88oW640Of$`y)DVH^^S67h zWbHb4cjRbDYr_DmlVl~y;%x)*`LH)5rt=|D>UXvK;164-lMKyQv#^<21U@ERP5LT~ zRnQ%Sl-JyNVT8EvE(OueG#Df#&cqk;(u}wklv}I6y-_#O+|^+As6g`b&3%fdevf8x zLhKzvNb_+NO!iJM%mI4n=f+3tv+&AF$U>!k+4TB2G8974he3$QTKRFOAf+quPNg!A zf`;5RUi->o^H-aY{a7s$VyKSgi#!ERE?z`VnR@#dvLb~l@mmIgsDk&~>9&2+38h-P zdv2~bNWPJ6+A3`(ESAbVJYzcGGfsao+qpUB z#lEZ@V$Ihnk5^;V*p`*8!YPh*KCNM?Gv506OB`qPW 
z+{|_N_!}rF@6O_CO8H!;#ZD>K>QAKMLD|5oekO3rW3?K~+F=A$u(xD+u_nC(0S+FF z6TYq0^w@}a$zvjsMeg}7IV4rD%4*NTXGq9(7{sAb&vrK=%7fnc_vIWlf~39aqe{Fk zJ2qJ%^G2GEgd_Ix2+$9SJM+(_19KK9uY ze&jcoE-k|rkHzqBFW>Z2tg6?iF(xhRR!PT4x}(t5o!|LoIr zzKF};=kG7H&X2n0%TxSerAd3NDal(Ci}0|$$aA-Dw==Oze5sBFUo3_~lhTB5@~!5d zp5Z$-&KGhZaOUtw(ij70`oi*vM>Oc06r;;}x8u91x>*$|3n@%TMw6v8ALqy5kC1oQ z$2qeN3ElKM3*EzZ{$NLG*e@;gZ+)bl`AQSH9ZRJ7X+T$nF6r(#d$qbLG_|dZ?(5nF zr7MEe=`qvig`g-If!OAwJ&zYIG)|lx%oU3z0tj_;fi^vvgJ6=dn?y?2U!0va*j%DL z>es{WRKn(RSt+-EoZ(nQ?=k(bZ2CA~Nfw2SoZxmNqgsO|gGQ`MCYM%N_|d`($>3(e zP?ywRZ7L4NyJ0LHa2r>x-kz_Hrt~*(g@E(t^{NHNBFU|F-WrVt_|IuQBNlNK#-l-b za~#tRpB(iJwfGl0awhPH8t0UfOfJpQy_lqL!wkRP_wLpk(=Z_s7V|!iQ8CqR_C+qh z8WbCOM`PBn9}8665U8-#@db&c+?prk-|LDcM>ZjgPXt+Ih+oLCI# zkCASlc@->Bhu62xeGYx6?UJrHBw%)&dglktOG%1!3EI;YXVuauj{p{mW#}^d>GJHg z077Y4k?JSkxR!AD7yk6f%^4j0l8SobB51>XpWYvpN>lv1Nek`$8P)KBxzG@uAC>no zkK$C5PZ+UT@O}EKT+>w_YXr?!BqSiGO)iwhgV_RkW~p1YMbFu(m2b8$__KQxj8H0m zTtRRZz5)v`y9=Sa4rIA3KW;1&hTLc&K(N;xb6eBzFTB-`{~*qmPPXuJwktH^j%jQ{ z)ZWe6@KXl*3l|3Ynvb!6O%X|hpLTDS%&5Zfz7rqccUflbqtQ+b;c~8;>ljFT-an+* zp_rXRB73v3k)x?AW#okY#q-o*a*6|eM4LtjWF3~x$dpUKY-LvQZ91+I=FpRf@u2@~ zMO>2HmXSh4lwa1i_f;AOI_~ZL|8iy2Sd?}j|$!Tr22Sm0pSRtg3ZXL7Scje$k z=#S63#(m1d=1mP@+U#%bhj1m=6~tAGfWqivRUJR`9+o43pAo8dg58qUiTk93Ahql#*VRN~Ub8 za>`6fk|r^|_i(MuLk}|Q3rsSWR}kKJOey^LC|Ae2?@W~{*b&XrEy&k*FoHibnRBAb z+YQ6*({-jhpect-iJGs*7>`QRtru(Y=Bl+YO%-aarRk@@#~VR4!?d&RBgIi+@pAxR zopUwsFshYHb@ZFr%1=ipXZ#i$5>OM8F~>cHNk&Mzfj%jZ-+!i`vzeeA|3lY~2QQ(vlvDYKI!=bUaP(T}*@Hl1lraKYFh}joc)RW3=VVdYe;Gp@ zszADzqdx&5WF1UQRKq^V5%TU~Ts|wRc{1M;%O|JqRDlc>Q3-CuDcrbyS7v}Jby&pACx7kMv|f zl%buisKngfPrCO=)jAPS@Nz%h!|VtrqIrVqS_H^$+1gM?(XGG^p7PPc>aC|&8PwpD zmb!&q%AXy)+S4S0#a9c#&QAsgMtDEY>rx+q=Cl%et|5YwyZ;kO555o63EXa1|4_*Z zT2r&{;xoSYSm~`NK3eWfwU#+UBQ!I_fzNkj&4;UaCO@PS^;GfqFT~U>L*WnIofgNRW~$XnW#mMYb<_Pdxdz?FrH1 zfZ<&8Mb2XQqV8~hjEa$nhS<~wqAZv6^8U^T!jn-DFxx&|%~6V!|B92_cfz(qz(q`T zhs9Bw6`^Zujg_t<0Hgm8REX-TuD*Rl1{YYJrL%;8-U1wVCBU 
z4nfN3av{pF?)4*UHojJiThk&0xjp8O&&|w0+UO0BhvTcivhs;M!PF^cUcZuTOmH^A zJt?~spWn!8=E~i;KRLAVt7NlZop0ZqiqOFs$muda8ci0!ic};su?V%>ZcbP^_mZpN z!Iy{4mb4_6pTCstB8soVY{c?ZaaS_Z@H-XaXMH)L3=>jk=*B=H(;PN zf1~rB=u1(H==$`za1C!Qf9=P$1Hc8Bv?Z{go=XE$=wgp8%^|)gLRd#8_lrsSf#=&P z!U7VEt5mArVv^woNWXp0)l3^B;6u&SxK{zu4ljWaJ6{4z8+QjiOX;!N|C6_Bg=rkz zT?#-}!wcjC{ep7?&rc430%rtN{Id&rB`6=ID)YnQEWrDW8yK1yWYb67xXP?r#K0SC zMJ7G;ESi8FvsG8Z2RLd1BxxNKLLXqPI06;1Ox$zrh@T@y_w$1<8$h={#Cjs> z3=AD9KIG=t7Wzz+?Wvj?XfR`wz!-q@1L)3TCS{tq*Gd2zd1{QFA1(aW&YAp)ul`yl zjZ?+jX6A?VdP^N} z2m__o%E3TRFWh&2QkXP`5uI1j)?r}b9_?M*xxH%CPYjF?U%qY~z9T(iBbfh{3snZ} zIm&a6r?dXgh0fVl;ff0Mi{eXm{z994szlB#SlI%$R6Ut?=0PZAM@^7R3TF-T(UIm=lIb`+4Z%q70EoMd0 zUjsy**$X|>FPV2@a0=3XXsLSB@bG+Gc)hRn;oU-;a@0|g)LAz?P00BxS5fW$xl71Z zh%Rlp{p38W(rfv%^+xgL!|J_SOUD?L&Fg^E7VgiRk~UK=OkLGl`m5U)PlpP&${9pF z-#Sjzyy|if>D&QvVTKGHLFWt7>ctO1j))=ZhiOl~6KwkJ#DDPm?bv9RI<%?I{sXnH zm^3Nu@W7?z>M8c88D1=p&#_<|Iyc;{n7u|K3QpY`TO2G0+?POn%-Fw5s^MR0K6ni? zB(b=-pCh;loB5IWO}B9KW>2r6S{Xr6>luGwUY=}2mok)K=V`Au$fZ zsav5KxCw;Hh*{m|vU|M>#K*znZ|}f;6&0R9-ws;@1@QH60N~$h;LMlt^;fCmhodpu zF2VRAH@uoiRN${LbQi9?%PX-o(j?+KL>#!TE`gQ)aA5KHPvRRlKsC`-YIEy`E|-vJ z^&O9Zh+Pgk9wz<1LYI&(&s(4%F!j-OzS)Y5@3$*A)I{_E&cj%2N$ZEi8VlVAAQgeB zT$ANg)q3GGVoCIK3dJ$tEcQTPjAj;(#`SMW)$VxC43^kxZ%cWCHG;1d_Rfo{Devik z+6=fo%!Sr-P*?d>paRw~>l4!Yyqr9fnbz-wc#hCf&71o+o@@LbRv$JAq>&6682*|n zrrZL0is!eMumwkIew1jS6Vq!oAw9ftuZ2R6cn7zh)bC2?o_@<r48&$9E5cvj8} zJnBv_6y=x6v_$Jubkl>1{H1@cjpRF((`FgQs?#&rSX>AX2tTZOyZP1CecXBPmN{kq zR@1AL$tsGoJj8TYtz~HZ#YhB1rnCEK6Df?5|+53Z9r$`Xv`2lDdimlb%l^6_R`oeF&A| zU!!tEUs-{X#=!mo0kor=4I277^&PlHOeiO)IP~_>yNlJ6cs~B0bw7mc1?c4|*IiIl z3wqiy(^uKK6xi#p+)fcNI3_F;x`j{;A0Y||^8vjCRTQT8>D0?U$b?&i+TlnRt||Mx z3_`iv88&W`4F__+bGm5-6^lMn=!w_qwc84XEL$r z*6-N6%jdT!w<2HjJH8$IVg?H7FjWAuyAig0xns_rkjq#4{XrYqU8AoC38-4CgYi4N z88&2QV#Bw&&7>WT%EK=E3w@>zGR6n@r+piR~(98pdlKq|I5If6C>+iMRQEW4fr=NyB~)d8c2ZZnUCDqlxQ}5 zV#3{bSh~3SMo=2JUxD(@@)s}T6C-UQvrxhqd{@RM4jKfGIX|la?jfN+)kHW3`$mY0 ztZTcL_^rPA=j=+lVf-PK%BN6ow3`^n?hrtj;0KDapgEqAaI0*hd5e(cU| 
zk9W$N2yuQl(?vebH!UbeuQm?TZ&q;V-_ab&OIS;L$D^G6cO$3WIw zo6+&JxBVg0a6nr4Uqm^yXUD+5#|0tF;w+OUnEHy}I<#Ax?H2vWns0ngy`AX7ZRf1Y zrg8DcZr9Q+qL@e-LNQA{7(2lZ=W%g(7v_BfytOZC#WhnSw1hd@3Y$6!pPXrh` z4vglELzjsg$U_X`byf+yF7JrZ_jw*iv0rZyS?l_F=HV|^hi}8A5pkgkHpJQJet_N% z0_PloW@?A|@YD0wuZaAj^wCviGbvH_1YIpL>es4!*|aPkGdK5mlZFupI2ewoYITTf z7$P@I&Gk;v;j6;ktW~Tn1XgOgu}OAx!t1|UrH}2agq-y|MuO1jU&`j>e^pD#{vzpp z7yZq;NGeh`iS@Y(#v@$$>)K{&@2Nni0KX+v>tpXdt}l-P_Mx2bvey40vd2e0@CL3U z;TYAApFEN~dGyE!iqVcY#8()ZT{$yvAz$-HJnp5C&&XM44|swOIGPO~zfzjXoagXm zS5(TBjd1pv<#;vPu;i!S%u)O3Kq7N^2VZTo=>0tETu;MaluNgaqm8m*d7*@a1ra*5 zEz4Jf4RWMO(y@rLju4`#B&~mkzS1gYS|*@pOnf!SV8@q(d2A?Oal=RB{yr-< za|W+?ia6$kKQL}eFNvok+hRy zlRwE7PnPr8qiMc?J&L=Q;xD?K>F4BNKV^trmJ_2g3WecF)2hU1r|XK>(yBBGp5O&w zO|itY-sLeu)#e{v_4s6R;oFmp%3Czj06Ff&AJTZ;MzH3hGH7EsrDdT<+&$}nH$}~z zp}!=n!&bh3Bp1}?Yqogqz@%6rCinX-%vQ9`o{gZ&&c(bcT@ox*Z~GfnI+~5!AacEA zx2Fq&2}mA(50I)}9qoSMCmyhU;Ps2_oxfC?XiuVNm2k0{h!K6@>xx(ZQzezi2?VXA z2eBge$iH5v2>!4e9AXKB=mFMOH*wboM_a~SMU&4VU} zYp+o_l~y}OL|$=}?IHa**}*HV_j5ej5pHt7@yGMVy+56VJ4Om>&S{T-Q~_hmFPIy= zU8^b1*5_%}EubdeY*pi7L!LLO=D0MG&FdQ2nHTtr+MI50;)^z-3Ma#32Rch6Zeun0 zVuUea-~$J<_dQJtQvJ_Q4jlPDIq>}TW;m@eKsDKb+dGncjKik2u9a>l2BBEGE0*WzSC zQKYCoWLzZ6cEkdYP&o?9ScfO3206xe=I7+|)RX#8(vDLE(27Z?N1r^IW`Iod*E{F@ zMMMTqkaCC{iIkt}{WE;aq%#YCFCQJQL-cn-@?Rp7Q6JzD3+(2`{yo?D8?Y!FdR4F3 zz#uR5kJ^!?5?NgKx11Nxg8nso{&Nof?|;cN!Qih4L58mVU9tLe2kKn6{J>YMjUpKIAiXZ_CX7^|P?_XT0FU_$G z+avi8zP$PFJUvA%^i47J!$I}VYC{TY^HuS*6xFeY- z;Z{mJ3RDA*0b-N1qZTMIj)3|*^gOu&w!p%@94rk^J=ry0TRM)HeFt*WI9N@0HEjxJ zhyl+URPgD|t!?1dt6T|mfsoD&i4oASV;IQ!{>^{x<_K9<7M-V{9M9GhtY^o?*9#I1 zgia5)w|~AMzy0yCo*e2vZ}rBVy0&;$^$l?Q{R&n;TKb~elc?_r*~7=G z0u@D$09`C`Ec?~`q&wZd#_zBUNGCsmr!QoUb_c|!Pf;A`kQmC<&T`V0K7M~C221~5 zieQc@zKRnaUx9s&z_UI8av7DQKY(-{0S;FJYDGH3TZ_2~bAZ9VfM;M4u%ARBEj((8 zB>||x=-v$Arj2Ztjdw?K5@JetZ5U;L1iah830TwLf>_jm) zB`z2fn;%AtOcm>CiT%W{gXjM-`}>buQ@=_!yyp4u5A4LLKa7gE@Ll~d zTwpAi2D&i?eEqw{mPdmw_88a;ijxVH@#13^0D?ImbB=B#7WP=t@h)JwTp5gKA2!Ax 
zdr8h^8u+>vDT|B?;a?yU_yFz?Uf`M+cg45*Nt3at6nRTbn^HN4T`S!V&T6Ti!t416 zH^WG|IYHnNH5v2X6&q^?NHk%9NFTMztT#u|NelxaN_<32k!3c}3S1}OP6L5(_ApC2 zz?8Ot0U@yX!qd8fPhz7OA$2fnt!!?S$}a133Hqf-!S&S;3Iun?!)1vJy*w=;WC~~s z5UcOZieik2kn=eZ4!ZDXA3NSevxl@};L*->6VNNHDBPsF^El#oKS(r21#e{OAtWHe z?FAtQa#`v~Ws)C=(S}a9KR0c5e25LVO|PhIzN%$hpn>67k;;YLB?NeRM$2(+=jonR z7-Qt?h!x7aYqZ^|l0M%)d(ZTE%b3OaHy(mh`8KT z^j~n!9~RBcEZItOeLDvrznt#K@KF~}wE~&X7M$uu0-Cd6&ghnr2`Fvxc8v_V_t^p( zwxL2Aqs^Z~V?wuGphti@@ysN>FcpVG?gC}86l5PKgsSkv%L(Q%)+>5-?WSvMs)bu# zK8g^9$D&pIBZ%L>1^OpWPQGd7w=~?rFD4=*ZKID9G#yMkxk6)Z1d*|6xGW&73&Xo1T+i|6&CM+XERdw!<0P~ zO|ud0HOm)1u;({6!PU7UK6+(B?1Rc4rSO>pU>StJ^BRx9lg#5@kaSyU#iY|$ywW=B zUkG}b@6gYWnWos^(w5p!B*Q=6DkArJ6_F9ak{+(px~G_Wa6D55grf4uwB-aB(}ZW! z;6J>=Wh9~upg5F0Yyy;$y1pWbiAY?C?iS6l>Rnkmt-`B~NYn7yZ7Apwc|_P_kaL84 zgO;)=1wO1=0%|rNlCXTVoeAUrQQ}>XLs7tt#vW+)ZqnLfu(y85Yc?G2d76r4^~bG zHrkijE0{YB3(BMqqsz+iy1r$p@Rd%LpW8-T5nTxfw7T{`lUX-IWykW)6oIX3FRQzpcp#md!ty521(1Z5I8Tjx z$zL(IQ%dDpZI5v8SRF0WVPEIwxQi@bMIXO1Yr@IJ?tA;RH#>M8c`RzGc>BWoQ?yKM zpL^hUj&$6t7;tC@DWjh}MmbGZZC&?Bw;L6)?|)235_Zj_X$AV>47LJTAvQO)>Xv1AV9Tb<+_Ljcs}C`3ojOTDMl%)=lx+32jv7>jvd;N~?HVk-oi1 zoo_(U7LC1wT@SSGu_T-<+}sF(pF|4qrnKjGV)=dBSW_rNm~%L762RM>yTPY?mVbKd zNeB4Sh&a(^6)Lhb%s&4f4P}SEGBQCf)Atl8dI6oX%3fCE|B?2VaZz^b`?sWYcZW!) 
zf)Wyv(g-Tu2uPO<-JQ}(gQRrFfHXKLE!`pA(jfmed+&RD@B8QT>UpE%M;&Ia>so7_ zah%^{RPqk}LTGMDfkb*>MIYicgzwxu`4V|wC=e;|-VuSoa`t>DUS#g_N;33d*2J9w zbl$T^V<6938*#@F&|U|&r_9TVHiKFFy4+vyd@@vy2Hir*j5_0SD-+hq%LUJ`Ha#oa z;;|*=IvLUE@0z@!&tO-ZFsFD8+IM=?{%tOx5-YqfyvOa2X=Shuu0hJkQk( zg)Ai)y+x$ST+SF|4j|_qd@>M5x*WP|yao8o$hF9WQOJhI=wU9Sq(#W`gftK@u6kXUNftouX9@1CXXU376wX1M)sqs&H=ICN|Lx2=1@~gpP=|6ThUAR)L%os7?3^3WR6_hw#i$Wvv~xMg8Oa{R^=}9;o+}a` z(FiLx8?L7FYm?y@FiPG{7`Pwtwc~nBUB$)dpr)M?ksfWr2da;kxWPi$+7J;WvnG2L zE_25Z(J#`x2+W8%7)22Ud|A7B(fc0thy}ehX;v2>@)et3iO#;cEsgeF`+y zgj5#B-B97yc_yqucZbr)7tfrPt2~sN4#ijBAM}V~4c|XkJYOmDW{7j1tBFpZ%yqa< zpx~7-JAK*}cUvD`+0U<4UaaR~-G8o}8GMf8^&k7)f2GuN@5M{VUy5Syql}Xt`b6R| z@C+52KTK4<1}&zQ*#+|K?hT?v{a@occ8xg1Tt-c zDM#&>EM8ZqE*vO8AFH{^}2+p6SQCy)Q)@n z%d}4wCtE|6&XyXxJ=$-VygE*xyqvfzp0Gi{e_gA?Cpc)x5~;4k{5;w1r1o4=N&>B2 zJ*441MsIDn@kjh@;z6Dix@-6HlANxU&ifHDCXh{DPE^03E8ja?D8wYrOxR=ZAeivc z#ISbJy#wZ_2riT-Scups77%bgaUIg#V-)2LLh}=Z$55nsF9^C`JY0$zHu!N7Pa~rn5G>yQlS9PiF$vY2>7@h&<0*rTZoGlw@}+aWKjT+j zBpT<2&8(rrgC04q&v8<{0ajNY?GDiAnv@LTxnc&H@0sn#)MN#D+c51C@B^`=1ot>+ zO4j|B-UZUDR%x0Yy~(UKJnv{_j=&ubxC&Sd<4p_}8t^!B-X8ykPJ@;_%boFxyGKSZ zStx4T0XGz>oEAFhAN=^Kpv0>5!yFvrX|;rdF2u!I^Kq&66(pK=ejES8{G*n_3;F@m z^?OYdq5flT2}lO640tA?(P$B&9jnx+zuX)UFfQr`>rQqDpDFANZQoYhKlwE6UduMM zTToZm7=aP~oRdPMb~}1z=<>;7{r6IG_JB%A`CiMo4vNY>XrZQx%-`#Uu@rt7m8cp! 
zvP23C*V8OTJ!wi-g&#k>4kGl^rT4WDnot?5Nv?t+<&aTtW*Pn%B_QdZ>{(%Dc{;R& zWqaim?{)Nv8`4R)NH=-G`sDf}H)ayUy*RGGrktMiohH#6XU#*HgsvfWTp^S>BBaIv zXI8#bo`BX39pgjM$Gd*_rkq*#6XP&QJK};(5A)*g)8;?E2oqvX^q}Ti5XGL2$!gd+ zE4ciESgT-C{!{xqrmLtPo{mqRvURq$oqikZH^=>z@q*uz+^g(N1dd|Fr$sc5a1$NxAvP)iN~{LV|Gt$Ik93f9Y(NhY?YP@gLC~mCwY&+2S_THMigkZ4K5-&YY*YgRN#vtQP|_4>&W1(*{+{q^llXf=7S9})_snYO ze=M`&`RyxZvaY+ukhv|5GFV>&FX<10f&I>^-JGb0M1H2I*y2 z*<=6nBmb>V^hH~}1FnpqeSE^7*$)3dzqI(;g~GV$tMCL0fXH~xT=6C`#uzPf9vRVmFV`zBK0zyKSA|I2*_3cR%iOp z>nvSR|9)O(_nGg{*bXX00vg9YfxlP)8sU;k>wmnA30B}1!A^Ex{rJaM`}YqDmjt)S zp>Xs6z)j%K8r(k!cz3kkz@Y#8O#Vkf>HuyaD-M79AD=tbGSD4hov1f>|KGmH-=AL= z9B_NPv-6$)@a2J^lHU)u*>~ezuM!n`dZX~6@g|5mMnp^akKaLxP66$swCa~QD3fAO zD7u36S}{LL^aMymrXQ8t=HBP7l{sP4xtV@1d#rkEIbNj4Ipc6FBydpBDB!h+A?!UU zgEFEu7Bv!HP&n}d@`roXXO3v8h7DzwXRr^VR&mz1-2J@Vh(4aBZ1zb#_qhlxDXMrn zC`6#1R4mg-*!E@b>D1en^GZc8@+W3RwbmNn^lYbhhy@&ast634YL;0Yo)Y=};d-v( z`_-VadCSL;Dqp`%(K&BezzI?4J+-_Ns4Pnz(`Vk=j?rFCZ4Iu47NTcs{iv%}E(PrSbUn6brUb0oF=lE_^n{&m z^Xnj+Y{F;54yP6ibv0pCw-s(o{H9+qLIac} zHN7vyAye>yK{mrb}4qU92LJ71}iCEuumU2MC_ih3)CGOPl%fB_tcrCe!zL8 z9zs$6sylizuU+Uocf_F95#73R9>2rCIal_b;d44le3s6+Oih#P3N&UbvqlrsAcR9d9p0%za>y zl;Lz-C*0iS&CYYMj!Gisn(ymT)O(XG`eZ&`y?p#uMJ$||ZMi>AbJ{x`{h^n;Kqa9^ ziJn1F?Mu0W`o@Tt+EFPLgmtEyvKHjzg#I)lpQ65{eeU4$^h_hP(0uhjNAq91C4*|L zIQW7Z1?NPH;ac~D5Bv1a#&Xg@D);KtNY}$)@y1S2=mc?hi!yxRE*~6urPxPWlqdloq z)8@oDgARN9g#!(TM~~EdjZ&rft+(d`+wPe}Z@sI2GSYBHgz+7dme;)fRy?ClT2ue# z#ji{iBZuvVKirrEW<*PT4M&7U;ue8WT}h_2Qw#(pgct&-GTwb?WdmohIqYU%Ig0aM z^Q_w^Kut?8fX>Su$6B2<^U~%`qkU%&N7Y2@2eSy1W$F0Inlv}eS5sTJu3QdA z7+0i<>PAKZz43XU&uF5orFW8JxZK|Oe=k!TcDH@CfHNDU{5smuR9|l`zzE{pSKhkB+ z!6|)1rcZ;^nrS2KQb>5UxyDwfzf+K`WoNcsSGzpVQ{N&wH85FTbQ0=TZ)h&U^ESO9 zya`Dq^w?|UF7JraZ;qV`@v}AAUf~t33S<1WO!@j%$n`qUp8^6 zO^k~EY4?7GNc?(0hvYahmN=-b_`8+y=i=&~H!lp%lAWJNnXB!*3YK^D9&;h-%HO5? 
zN%Z>5$me@?Akotd?2Y2^K`YU&g^_&Ch&vT5XfS#MQ~8xZxhD1d$gT<#7pUQf%j$tU zNKC12BVX#!s+2a{t1@e)4-YFZPqx>k+|{3%*04*mncqi`-y+JiCz=vn>n$Ly%zk+i zhmMoSnIBuH(M8n3q~H@(+)Wx5s`K~A{a@R|h5Q}fJm5~&gVB?Y#TDCsYCXge^z3Jh&mh4~>|?k5TX_E8K*ThqtwgIj z@^g0tX*2r-@L!{NXtDT_q0sXF- z+qm_j$shE2c*2f`zBV~HRpEQaN4CFcS`~;*H4M2pWK?IgOjMI-^GPooj-pHGT zTqwWi>jq6tLwFxY2VxDHWcth{Z~yz@zzb7u1nzvg6u7_H-aG$TKHJ&H%*A-Yrv{cY zK$mX~(#0~)#!ejJNzl78g!B--24vd2CxD(^2L!JqBpSWdZ~z%c1G+qL#B)V7Te9r% zoLKO_`UZ#tIzY6oeNCcKraSd5sPuWByl3Vu+#!OJ*EkTalk-j%{d+W16?-Qq>`d`+ z)B{h22l^Zu5`KG6vG~V?5Uj*crN%*rh{SKrzQRU49 zE}~bV3kHmA-aZ^#*VecyACA9(uzz$;Lmyn2aK$Xp$$tqx5#l;;jw%qfBVPR&%(RPV zR;d$o`q6+NHD0RIyaJ>FPFL(NODy1W@xy1Dr{$WJ9YL1B#YUv8&;-&&H_o9|)fJVY zQLaB1v~DH{T6LtaB1kwnSdI>k)~RHK9{(_yhcAPO0JIcl5dceCxm252Gv5vk*tV`{ zN9EcT&3^FuYsFNxxem}PTZ6XtakJhp%Pc%|wp@-w!V~G=>xxg#_cXkIbF_fcN8*!q z?HkYd3Tb?eW#*n%YLSgl_r64pu1R>IP?Y@hk{)&72tH$6HRReAL`(@8vhE2 ziRFm9JcvU-s2*Cx!o^Qqp7w@zKR1TUY-B0ptekhJzaLm%EJtwbHamldq!vumkbMG;qa`jj zT!vU?han#AZZ&B4&^VzDKfa}|zh!)b1)SEx@X<&Bb|V>XSJcu6 zX*?Wx16px09bODD04JZ@r z^kzX@u(^2;eA+!3ZL|;tcA1q$fGKiVmOXC@eFB>Ht%TBeF=T>*;BnQX@IGIv_gr-4PoiLj?{(AbR=8qc>xHMOWL%;k%1u zd)a8rIySY5m>m=xsn%7`uG4@PU@nPEZ!7u`(Zrb!=HH8Fdmu6e2rRlo<*k>n(uIyf zL>dO5#*a}j022=BhW=SkKcEkWqUIvQT?Gj}a>|HjNugY$>2D^=Z04F>T_qsoDk(he z4LBV`K%%i*)-MP(#aAQ4HWIZ1!khG1|F(O-C)(iU6;g}<2`pt^PG&t&vn_1ETQ2vD z?WDDN)J23$gj)KtT;B$wsPf_A7wnOXgCH+Hn>k#W5z+1$~YkgOjnSay|YfsfY{}6xnUlC^DArpythY82V!{ z#uJ<>ADGgK8C?N|;6LWczvNj92}XD-%ZI6-tVWJZZs$F$*G05^4Q74k=#N$@sRG** z6MDpfdt1rL=g|yLs>|OM13zo}wlULbO9@F;qb-#o;h+`i^d73TQ-a#p=!f6Z1V_V| zmsTLrix-gv+=o1RX$V}q~{e*Xn8?`v(2t{Az%i3dxQ`BA+!4n8zCQmw~f z1^fZVicB3kW?-t$UZ1I#)(1+d$>{Avv(UL|eg$S3T#V!%^wceo5{r^$3e(5@dZzj% zH?^n)JnKa1cWB6$_%)tK1(Eguo$^cZzP4{8+>j)Bk*;?4d(f}YN*=Ddm1tohUZl!Z zpWCax>2UOGpoUXtU{@oXSk3z?hm?zM?KA*P&*u8> zjQW#VE>0NEKTXO8%d=}m}Z3;f;2TO9qb{#9>*g{tB#ghfK8z%nVXd8WECfW%m^K zz*j%P-ms%N`~x#H)0$F^i6j3WCN0#v)iXInzIFE58qmej?IK?@yjJWK1QTR)R2t(V zM%aW>#L*A<3s`#6w50HL?;m2dcLt%n-kvDm&p*L?boKZL#6nk=M#dggl 
zFL2)P<@HgpE+v0Zp|q-5Jbk85Ms0+FKQEy8$T;x~zz0P{-&BFFL*qVN1c5mf_iEg0 zsp+qIWRQ&ay+o|(KcG6zV8g;f0pc9M>RY@BYaONW0HUk88j5KxGy%9*fhTn<@Dm;3 zL{%U|E!V6dL140|xy2K*2ze(H7$ddYwCGmkEw-NKv;$Xh1en(Bo*xEOBr6s>B(B>N z8|Ow_!5-XM(?fGxxB$!}2<*f5)aG(dX0OQKYyfK8vjm;UMO(gSKwX z736ohk26?58UcA~R5@qIBFR(P9F;Drz|_JOU=QmOVEkpEphdPh;_d4yd$q#?0-F1w zk81eU(G6y|&yNqP1`2-p1Iy&?&6gq|aaao$S5>4RRWp`VGrC7$O0diP%UZZDIYTOd*kRsLF^`0k!Q5?KAbFU02)Km+U7RVE}Xzq`OCtVz*!}&*Dj}#yT{u5V{Fh_u z@5;)5G^LU7N+|xD5mY_; zdvFWCHFW%lW?ldPq0z88U6`ry{QBb925dS^VNcipuCe*=JzBlvR|6>wJpQK53d!238C4E$Bd7x+ zttpU?;LWF3?!xt+ZoPCn5AEh>L5OJ%g0VFCBsQQ=QVVZn1?Wyc8v=)y0f3ffq~>>> z0*#Y7;2P%I)P8??3e>($MN*`?_I_|!CLB#iJ{r+?dw#eQg(9pXxJG310UxeBo&sT| zCEOPo4jw)D0oN=G=l@xkJ*7a$NyAn@>lguNM;@|@co(Yx>Z3K7dv)*$Y@ZxhbFxDmzF~9QMQdF@>qVMru!wM`-exgh-ofLi4 z9Tl6xRPn0)zH-{eNL0#lRFN=T1iYYl5pO99(5Tg5()eSWAf(KBXL1;T=52r`%s=%= z(%q2hcRc#<-R$4p8*fBQLJd3>JWM#p5MlY0sdS$jo(00ezjeT? zy1_;D+$94p1uu=^^SX4_Y4voQ9Yt3A2$-sAufe|bHiOAFH`WINrR!PTB@oERrq6*- zq1y7!f^@Y_0B7`{%CkuYI~IQe1mnb;&&b{Z{87+RD3*O9sXL!yXl;tIU@_ zgg^i4OvtL@$=~AH-2h2k9VjNuz$eS{e;s_1RBSg=n=fL1{T77Ov8y3i=fZEoi`t`Rekf?n3>Rnj_qHEW~3Orko^Uhtei*kAWaRHig z`_;G=o^z}e@c~6Ov-Uyy=ZZ>Pgxr#Gb)ZguHO=AunC}2verQKKcJ9j zKA0gxRstlk0>E9h{*Fy|IC1*j@Il7L9@P z=;(KTi*2H25#e0-il??2x1KYyen_v1TJeU`*S4W3q(Cx}O?tWT1{ zpZ)U#(5dFrur;B;Ly3sCgQd=hgeBnDPQnUB{2jpjr$3bsuQ3r>>VXbh8@}9&d#uIh z4A6fTFJqq}5)u*3XW>?Mxw00cb;V1`O0M&s;ulMNe}cc~%yw zs_gFr*J?K2iQl{)1TzX?kqDbm7kE|!<@6L&vhMT6ecJ#r-U4}ABcI0DhT9Lo*;XGLjSKbxTQ?Y2 zR92wqp%nphn(+F^aVpbgAiA+K7u>O3?`j2P7s{*`?N>mYel`W3pj)iyZgtxeW|yRcCubtHO`5k6O=P4Y^F4} zWW4XO8A1Mba7I1c%iB#vP2C%|qW3C8nob3M$S50s0=SjHRs7$@$qGGQ7FEnqxhCPgI5(^a?Cci&|C1PsezT9{R^ zZr6b-;!nHftO~nz6ZfZ1Q^zZt_}QoYnSdn)!G*~(f$;A9@aZ=_9qrOB;^#jS%X|&4 z`39S8UU2ITo4Y`dRKIM^9 zb^YAiI^abqxKH$a!1dR>_mzz>ymIvVWr?N{m|$vY0i5!;K;{b~E4?2=_W{?o;Rf*6 z53xqu%!w}Gj6?EQ=TaAT08%|-z5>`8HL|o`V^Kt4ier8pc)>S=s?}U|g<(5l@4c@9 zYR|-SlzQ(tRQufiQr=m;2GIiZ0AKQF)l7(80ier}XRzPi?EBbERhb=HSMCFU6#JP8 
zU8g8cfRz8v&eII2-`FZb$REJCL!-@OJ%EPgy7omt+5w-aUdOKGdoT_)MU1+^QSzNZ z%)u!TxPTL*?)?(=zudmT*pV@ScEqQ99)00DPCysofg1r|fkNP{sLtZeu7rARQFbdYZpeGCT!1j&#-Z zl3$VX9*<){uvhj;2MD`FT(FVugS58slk4sI3a-yo$+ah_ckgsya@Vv6+?^>@%U!mV zq7w$`-t5&1{9GFJK5wNDb;D;Je$oi;X?m7|o<#F1ASOl|Fj9X0_`J-`Zt+4kqf!GF zW=`zAK2#UsUT)4vInuSL%rF>BDw=95+b#044DuFw!)sKz^xg5shq-N%P<5ZW6=H)a7LD%2cNULseBC^$x}!_AWEAa1z3INWyF=Q4+cSPthjN&5i}C1 z6RL=r^f*39vEDjehlq~Y6L zK4n3gso!2|Hp-+O?X|LYMu7%(=xcdbA8QuGGL#`Xpng=Na#einbGeb-ZLCL=tI zW}SLuR$HL>b+QQmytY8en}RdzPu%CQQSkO6+Eo@j&@L2qcvfq#QPS(SG> zOj(g!(4kWA?HHoBb0&hg+Z@##{GQ;E#?@H(ZdX$O&VPr*_BYtN>WCly*>k?vQT z^4$NS=X6CGU+Pidz8AlH^!me*`utwQ5j&!mxZ#GRP60o0!`%m$lFa8~w-+kc+6_3P z6-EzJ8oxb!+2Sw&7pn?Ah`ckhX*Bj;`2^fTi%8GKZ2!d$fxXE{hO6M*7}?CmXTDdn z`AU=%5-9*(1@F|1H#nFilk3)k!`;W~dvPK=p?bceLsSjCXW}Tao}!E!WlnM1Xz?Wj zTXX1L`v%pppQNr7R+f73um$#U7JmOvQY>zq{Kg@4NnNAB^mj)9PdZ3FxaQ+b!HPs? z#sVwWC^Cj17=cMHei&Z*9U*7}bv{<*BC`ulux|$uu8?A+Hhf64jH?NxN+qC`#1;8# zjT-^V$eY2Mze%42(kRNZG%pZF?o9&R(eCMrO<1Kjt}&`U^&~2#^gqe_9j=q#HT;*@d!Ot6wqc{`>@$C|D2N<%ij<*TDT7e z{7iDrnm)@2c-ht&DG9sR2fqcq^PP_^<8@+k3#6Y1s()<1;tvc5w_x()`+n=AlC|*~ z?-$9}*p#p8DZaA_Ntm8Dbf2!-9oy7%ZZ{6P@h+KOecK}IFY$chnQlD6?ejIN<_iKUkPWif6iv*p%RpQdo7tckGWMDXeKs|RzZ zNal65Z@+!I8}Q@gtjked-(2TC2vhr95g+Q>ljqTI?gFZf3$`4E=ZtlA)Pmk({D8s` z*$Z>2?ih>*-$K+L>Xuvj!j3}jMCr@u0w_PYS=**xT|YPo7l;fE<#DLqCtJf#PIqDG zTc$1&p==D(=nG4A~+)?0o>WwNn#)&A_fn;bhf2H(i0=6zI z@4MqWLvlOA@Nrb`bYVpDlnBdEC$m5?&-cZo)S!}J#ow?(CwW9(M1%1~A4%eCwDHWM zk1dN+R`qx|g_&CMVXSIsF;f;}@jOeS45Ej#3=p0?^u1Y?L7GF>Dfb6o_KbM;YhLh7 zvroM#O4v4>j?hu|cOW{|#|{1#yl+lD^figgz>K>m{~V&z_$G=_O7oT3W_SweRI8GS zSs$(5l@@Q^9Dm&}Sn9%nW3O@;I-fyLV2TkhZX&g@KgL>)V_vwe7s)`OwwaCF`})W3 z?dO6KFSV|I@b8prdVW$fVc_7%$3s>_aX@*OC*oFIl1Gm4tQj8S(r!>VHSFGX#~Ds}WLYUD-|27%69oi=VaBEk{bjR+6|9Rb=99yCGEr zhE84RSR_Fp>auqn%I!>I|7hTa!rD|;yE1d|<`c*(I#D-;u7GvCT%_LW20(QXw4=@M zJJ_i-G;!lycrU$SHkKfSJV*@9JW!po@5G*vXdk16QE%T_l0cD;b z)FZ6p%K2b+nb@y@XrA?&0DJTn?=I-pmAa4^L=}t0=gk@P`aBPTWTOqL9evfNSG;?a 
zfi7xY=eb;YR{_ddxNYcLk1@!%<2HV1D3R7H8S0|J$HV99aGgKbSHB_=0< z&`19uy|Yzn--T9mM%1cDM2YK3ah}e{@q$wG}CqlbqB7yre)Eg1$JQm^(}vF*Ur= zRZ8~AE3(HTK|1Pa@%cAhXCbjj3Se0z)1BwlC~*fDfdtY;{A43Y!epL1C!87M?U2M> z@(gt6`xbODK%l=n_}!;Sl#)aI%k-Uw0*}hLbvk_9@tZ|l1iwvDXSS4ae;wgbEdP!d zWmO9NbD<8`yi5Un-4?>5IhwTXD(M)#(o;EH#+M8k7-Qz`RpdD3yGN3D-eIfJ?%#)@ z&@lcof2(B|Xz8MeV62A?BS*x}Fbbt}7CIz4#&l*39VuE*enAj)W{Uqj<#~iF+UVr@ z_lM&ehug71L0N^D545IlT&|hbgAcM+1eezP@Es2umL{q+ogY$SSAGOVhaQH-S;k)w z1G<{Fh&p7e%%P;V&S8&fy zPwq|Ait!G%YJ{@FhP_4HlGMy(kzo%IWD@Kjac<-P%!!s^b_(G9a?>T;-Aqf$Oe2#4 zZMJn7m=K(L=8ON*yVifx*c*mB(@?RJ*yR)`>^YR;y`)zaaOHI3VKmqSlvR3neVYQi zGcR23A(PmJK^AlNeNf|hDmcD8*eFkq$aK!~7faP8b2^eEgJnp~>OxmGl^*OfLNl)u zaDDipw0O#%?~Q~T1VV6Sr#jTxwyp~geu;=4)^&VB?6eBxe}QKSC4T91U%pvv!RP2} ztPGT&2U-JV_Q#En$Xsgj6$yl2>@cwXDT;cl)TSXH?=1+b?VlJn=w7z637p&)h!`yH z8dpP~&dK{^9MMw-*bP^NUgqznO(VYE7gD(*Bpk}A37gsgod$7MLb+t|=VPWxHH^%l zozzt=CL)FuE=$N5e2pkMNtPI;jWzb@pmWK|rMbd9z#z9h6-6TG#DvTeTbqGKUy&Yg zMS?JU63Z6?j4|9eBHfCOjuMlP64S(U&eSxq(Cw}?2@^j{E#0_zy7LC@b7Z9U5q!@K z8=;A2zW%xzkn)tK^TODGZ|_UAgKevJ@!GuW{UI zVM1sMP)Qm#CYeGsDY`3k(})oH)A;8Y{p<)b)tZLyGPQnM>9rYyglR9CDJ6$NN5R*i z&p4cL8(%t1arqv+9e}5LQ{kPwx zVyq6b00rGP;a3BvfJ$Z7 zpUiE*EFui#QDz`EDS%fI>I~cc`*@~Wf!HFh2fE3EswhFMmb@24Mw0`~#nrNWq7+_3mRrdfC=?+Tm>mcnum}H0cjsWx>vq^ED6qoTC|pK^!UeUvAZ3Pns#EUnClv;#oVKM{=eG z%6H5}4}n0*#{6gjUW{@06GF9c0B8{TBZNpaJ0d@*9e@be(kugAG@qp{O zK!wSEGzyQrtnmj$Gw=?Y{Yf|qQ&p;|?1(sG6?J^Xu{DEtN!6aubJR4JfycGBt zNeHHPL5G-sAObXOr{J;+<8Q+&W=fCd#&$mgH5qjbye0)aqms3N{03f&w0$!PcW^uE zAmYf^w*gV(fI=Yv?{MkC!Nc$L^G)f6+G$?`DOGfVjsYygmsI^AczOkPC@nt(M!B?R z@?Y$3=_{3jVOnXSSAPFz!KWjSFch9EUjdgz-RaG*u6whB8Mq{QX4=>}81uBwdmtmd zMKoIW8$CcdL~`iFWCL~F^zD)fK+ReDE)z+HpSc&1G7L(|h(V?!l;x|OW z=k#L!0C&Jb=_0~$q_GqPG|8R9+~_J$^_iIa?6Kc6k)Fyz3tAr4&3jG#0`m})W{~Vs zg)nD&j_g5?m6=Z~GO!s&f%o-R7e5TkvPW|PMQsB-Y!9T0Wog{HTCa~3gaJ&@1`tVP zL{^dP7^H*(d4+bXb{O!8G~}j+Lh864`hAWuuOPoY*aJK)_k=cq;ogU1nKmm1 zbzpcLF$!b{K5Tc+vZ)YC3JeELBes!v!oa} zlx05?6krF}?w&#tD!8KRfdFp2RC?uj^Xxdx6?+@lf&qg}vJR497O6`k-+B-dQ?H(G 
z8@wfG3t)XwiOIV*E8Ei)nO3VpEnK0nyYp3p<;4T@0cSJb8l6-vxjPbM^!3o0EQx^S z{e-xx1^}B%Z!;Kyggc4uuL8Nxa5}}cep*AgyK)7`lI52%gJ0(_BvGF@&XFm$JN=xR zOfa7&f$rz-07piLi`U{Ir*aJJrS>A9Yjk)PQ0b%WnZI3FKrX8Ws7S6eV%)wJh)930 z#tN@`%?SRiauE%~41hsaM_tjhtK9wGik)B}9kwp?G+tcKj!w*2fhgT_cUl$wgxr#Ys%WSl5uaZjjceMe!+u5u> zb(JS(0PAk3Y>v;ZF<%cVnoiq;()`mGiBkEvj2|9M{sicuX4dYd$mG|LyQmjzrN#i; zIi>`RV#CMI>woB-PfwG;En<^SthH7jP4VN49Ih4&2CTQ%o1P#pbIfl-b^up-6Y0rW z#;i7PG{Wo4V90**Sc+O(X2}Nf2;bV>eL|=PnS@~}cB_XSai-L%0~R-4{xuIaOMFia z?f630VZgfNq%dNoA*kX;DH71oK%r`~ULlzfO(f(c-yRLN;EK+Rl2-&o;sogtJpK^B zN4V;RnhMAc=AZ?utl0i3h*h8~j3s~>O91G)*O&Z+H5nu~3@i1$8$*N324CeIT(jX> zr7pgR=b(kmv?UcO8uhee@DIBX?DlSl1^JpaO8A-wiCOREB)+{BR=3{TSvzghvMJS0 ztZlMYRczcT#NJ7I#oXw0?N+q<6LdM8a&tu(MM6Te(qaxmC&))T52lZL6hbqffL(cR zF5!U?PFlZ0+B>+x+N6?tZoD`Z=v34aavnx^AYtWF9hDqjqi{~S1T6h*u|~HyU}Xm5 zAoYO8D}+xyC=O=stz?E{O@P^t$b53irc_G^&#cg?f*oXk$x)#**wOcVw;$>0G7$Bp zAAA#1h3;2KUCp&)U7H9oF^B{pDGKLt_2R9QBWE+Vc?6!}>`O*^KA7}XRrWp%Uri@` zxV(Hb1gf6(spl4$=LqPicOcvcTqdSTkMWKgY0^?ozZ@s@VJ4iDK^9*jZLX4@mSN;` z5-t=O9F%l{Vj!-`7H4j8du>Y}5|wAKuOB7kIjWn=^YQB|KCO#1F`w2?pP?b_Y52qy zQfu!#6a<3=&jPCkZj5P9bcW=Z5m9y#MSS~Q7uE;Fu$x;Std%~E!1Eh- zfhjFD7kV?l%L%bu$Y-^)3j>urkyBRAZOGX%4cvmgWS zfXj>{Lfuw>1cZTZAeTsWd2QQ(beRmMxkNM?jGTuY=#6hMeUL0!4nt;0^hu}~u`tUn z2Yfmbl8z84pdZ&FxLa8cwnd9{UjzA$Gq#OPKBRKg-VFd+^xBnPC@u-1Q9(J#53>=T z>Vh(0*r$hr1Cmc?=OL;r*MZr?zVxWPFG8*jAG$9_^*v34lngB$FX?54`aDe0x|bsV z;XEg@0Z(lMEf!S>)tN1REdZ6+k|D-f{@kQei)JT|jGAz~YKaN)(RkOpHB`Up@9g9w zu$WvD?S+uuY0$IeMJIyGT2(%Ig#tJoTR=ex+*!ESIxA$~MprM%u_W#YI-B zghWLijG;U8gat$+_ntO} zGJbk=3Us=SXT%*HfGxd3g1Js+hT>{N;UBvB(6OxLRQpvAq+k{V38ENh(YX#!-He?F zCcL0mIj6lUipQid9(5i|XO#X29gJ4Gyc>S@5*PWr!SC!wluV+WH0}B$5JekHB8W}V z)B_3Z9#Y&SsEFQp_(9xM>^YaEp%|1WPv&z#lP`ioZQcgyRFN zUJAG2zbYSXnI$foIA#tH`AEalGOnEMO~ z2iroCM{dHv+CeYPnc)lbdWG^cqu{EjdaSZ$oUy|>9kk??0@s;HmQUv#P8=wq|rWKnQ=nt-vYwUS|t&#}mJ+)YqZ5m!uF>ZT4 z=i2i4L@+nRm(Aot@U!pW-j^cYB7+Tqw1ifL zDymZwN3hF=5o9&v-#E*ZL(rB2mD#ZAp@J5RL#%n;1%7=N>SNwpwTfgHAEC$dS;q>D 
z(eEVpUq}iK0wr29Q3k0@>9waVDv@RYW-g(M*80tQ)MI=Ey!(fkmbO?xWMj+i0 z6EUL4{l1~H-gNhhJsq)0tjy;gL;`eAw*`xAqAawufqB*{(&LWU-j~|SV8~>jqY)mnx<;1ABL|VQ|&{+y;EAWmY#fz387;f?aiB$zvUoa2~mI;nEaxC2Xn)y zP7*M!pa9s2f3^6a5R2q7-lX_Y)^Mk!(vr&fJKRCpW9%0> zx%8c(_)(I}2aFO_orxdbJsp!R^BWF5z(%jLRJ{m^w22HR#)d3QwH-v6Mjz&!`eV;L zJoR5+iIX*X46~@9%TWy@EO3orwg$o2SDs=y(a_H74i^!K&2sjGl_+^ei-$bt$1>9X z>v!b&86QVllXOe=_2v$KB`kcIXN;g0M3kVR7zRVxt4mP7jd+!9uf$O_B9quMwwAsj& znaU{A?6ypYf(C$*A$P#f$-?t-|1w69b7VFzkIw zR7AW!|Ir3VCS3V-ZN#AO)oN*R--ANGqZK8%Y{}hbNSGcPTWh3EwQ_5j9b49&$^ zo*JlM&p`R+W^mq0bMts%KI_RBy3AWMZ7Gkfu!Av$y$1n7ScZ&!i|xx#YO7nYRwXa_ z?iUWB9n-M+9&Z_!Nn#0bDa4W9;svcN`pLUwPaZUeEn|hSZ@pFhiJl3j5+0t*_mjP7 z2HAbOkV44aAQBZMw%1y=cxd5l)H>fe-kHniP^r_T35ZO7IT+f3&@I zRFu)aH!cPsjUe5qgh+Raz|cd3bV*5f4v2J%f^>Ixmo$>n(%k|QL&tB=dGC4eIrpC5 zpYK|;TrS{=+0TA6sg~rW|L`AakRaEXV+mJQaZK78&tgJ(K1)tI7e8e5-Ol6sQ! zZ-I_EQRe(A)&M8ArVZ{})rMTx0p;f^I8+vP2EkUGrwL&PEtv1uaao?%9$6VBVwc7) z>ZV3&l{*r?k}>8H_;273lO!$|*7-s_;s_x@!ENy|*33b+ z!a%}ygz-Bh9$&80=WAd8#Na)B7i6pyJi zN`xzhp&wlMJqnXmJ-MUsB97aqfQV6vyPF?q6mL+Wx`?HDDDtI&; z*)gpFStY*NTi{qUiL-In%y>lQKEs9&%BmbVDzc@{DB5 zkk)&XgF~xJHWU}1gj3Wwn{)TS9w`oa{WK`QChg5%=r@MQaIL(j3+M8}ImN;MJ7`cU z0MA{D(mop`Dwx5of@-tehH&+H2YLqqbO{SWOgMxRHkvU$)EpTBVIcc zDgJw7p!I?R&p$8Ou8nmULeTwTmm|WfpKFzROYs$0Vr+I?KG|Uqdx;tJDdGoS>N|+Q zr|K$Rp_C`N=v%unlm{Z@CjAf5AC4=T3ekYqgT6Rbo--oeGqspm{D&z&)gj%T+nIaW zdL>vjUbH{xa-4c;>>;xH(3#-7!iW(3wcfehUdDb%`Q}_KFE!Q2@x}FpzFRD4C;U9M zF)pAV8{{O=C9X|&q~oN9cLhD@_WX7gP%iB4Bb>&R^8-%gbc#NU9JS|Z^zgY+sCs+q z+tqS@8h~bGJtkVoWRo#|lR~gDvRUSYX68=5L^~XR>-{+eyG`Uq^S$88-`Qb`hcRX(6sV8gv{|o!m-N;PIfIEt zwa1&6Yf<%|znlB8%H_6kbU!E~^Y-A@>A|J7_%f=9PKlm(0^|yaV!n2rkHFN*niWTj zuNi9V`$EBdg?zl@AtFPJxabe=*qO^_ ze@rQagRXm9o=%0ej#7j-)vw^l;mm)wJiFjLeu^E5QubUhRd(s5CVXp5h<>0tSBvnw z35o3WtP=cl8}cFPF4JyPIe4E&1U_B8-n|V>e;ky5_VLTpm2!jYX-bwqE%Ll$KU&h6 znqP$hqS1*9k- zf(~Kump*ln!C&kp{lj?yQ%Vcy#&eE5ixooZr?cDx@mV@{M{+Wzi(*t{fyZQ%IC9k@ zUf!D4bg$P!BH5m!o_~NmN59@^vh#bRMxhijRB5D|IQ=FxzT=d{+k;qvN>J|aE3^}+ 
zDn-^A9Ue6=!Q@}eG(6|~4#Q=&dAooTdA!)3v1XBk@YnhSZm)%DIdGfab)R)Fy{4mEVtqtGiXnC1NViUr9sZS81 zMH*niASWr!efyNqxQmYe%0D(I>VaiED?G43VV;Hm#Xt3UKt6Ukk^43MEBZ^Q1-|dI zXY{h70ok5PPpAV#+D2ecZ%;a&W`^FMT)z{Yo>|X(RWH9{ZKP2$i8Alp$pG*T2Xi5v63`Kh$3oK8H>z z{!Deqi3xtIhxdi|>vWw4f;aTv1!rFeNh)~S5WTB;jN!lh_+S1c_!Y4CN(?*upS1e_ zBDuc<;;UzwqyKWif1ex)_y6s|S2OGW=1zcrk)Hn;$dc41RPgow9hyuh!_5bH!s5F6 zXPL!$858lx{i$z(=3+n?SLT12Abmi{)jm9^WTyU4>aZ{R2qUxUTUDF?24Vln*atsh zN0^NvQ|&$b4^Sc1!%GS9Tki#h4amRW-~TxQ6~ZI!|J8-l9lT8>8-Pl$&lF+s!lHZ( z!v5Z8|3zc^pWiY8VdSQg?Mx0jf+Uq%bawu#ti`f!xq+`5a9jW^L1mIr2CRSUB~qkF zHM--0+#A7M8+0bBXh1&r#qu$Z3CIQTi}{M61kMp?TNxe#1Vv`0(-)|!Edfpob93#V zLpU+?$4-BoZ$D&^{POMxpi(3B2S%?oO691X?vN1$DC^;5zRRR`e8)3DUi}UB`rnPV z*V_T@+~^trf?rW&#z!wtwzPr#MdwfZp+%#PueqPe4lrM?0-CXzTLfnuBw%DeG<38# z200IR zuF-Y$HG4HiFZvQM#u@Mpe2ZWG1towv;Qss(VK77+$(z|_(E>ojh&HP#fT(JL;(5ut z0JNF!)#15_(laEeSdcVAfxnGYmBX6T0hj7>&>8*vOMWOSKVWz|uYx+d@JApvu!Wi( z0Y!E-5J3!pR6ARsdh^a+Zgx8|YT8V+)CtN3u@;ClO36^m9AYe_fQ$0FMUMgDi{(cM zNW%)?>Mo$Lw!!4My9we$Vy^l5&1?3J6CIMKy3S?SN0n9nT`Ee&gLo%5H zTAlL_(1HmRSVnkKJMZGpsWxu|{sN^%(r?f&_Wffor0>1mL1N<{gwzVa^K@SHEVTo& zb6kWr>RO;Y&;NFXCG`1La%NXqIe61H{2pKuK{ydXfm!yHoRE8>$@PuK!`5ppAV{+Y zsC22ZCeR`pS6?E8k20~0#I&!%s}F#wHbSk?WPW#ZqHsR81n{bPZW;_s13~R(*!6zh zflh7P)$Z##K-<2}xS%7)CwYM2?;|kd0Pa*`-&+7l&-V=j_JlD)iETfs_#1#^x?+#Y z2m~MBz!7d2Mfz>6dmk>)Y4h#mkAv7c#CZL)Q-wVFP5<=DnjzqIgx$Ej&n)QF7;$3= zNA?Q9G=JT$BZ*!{xNG|!A-9~$5JPcg(zs)*tl7y;;#Y_OB2i+Mv1R|2pPlyncL+C_ z2nwNDgxgCN*+hx=hwVu@`ZU*#0`2kwY~=zF3!eM%yqZm8 zu$eyxZ`8cIQaA{c0B7A`jzB>=|F&fg;xi7s>#SzR$Z3}lT33*b*l=S5`Wp}x?md@c zw{I^2&gVxLe~~li4PyxVj|UStB6A)@>sh`;#xD zO}9?TID$7q=e`X~pc-(6bF>ShfL)Y8XWDYhC1quZO#?A?ewD{neMGHj6*wfT+2h&#~q~5Mkx+?0;3zBjg zl+~}I0gb?k)$#gI7eqQ4ZIs|@rlJ2C(14sN%_0=Nh%Cz0Ij@Wi4$CQ~>4pSedm~?C zD+~~c6GBMVxiPJv_MXnbp!W%(jzKS(W4J8kY7fAjwj-5o#}aS! 
zBVH<&J%|j-lok024t&Q5i8CdgK=l z%}V_M)IG}>1`@C9w-6~w2YM$I9bT<7BbUHyCt2FJ7)ylwW}UN;nU4OVORTk(C{R}&m}uJwDH^9y$>%j%F*6LoTGM=i0m z1kq7P2sXBH>g(fA;WNc7k|{=*78_&-qe@kDB|+G)W0wHIO2oM z@tkk%JSy#zTu7|VZRdSvvzuA+jc=S7o6`_kMjAY9pME&ngLtJT>s^N3H%v1pf66jO zPI09`CvG&#Z2Z#be>FV)vRdFqD0d%`xcLD-Ydb+)jZ2iD(R_^clw^eUA?o3$hBqw3!TqNc*a*FL?ydjpzd9*1hZNU_63&A87{UDM;!$_5Yx{i*-PZ#6J zk6$0I3^udAZ2kQMaZ1m^M^yoocbOi!YO*gt6n;E*X`-6IU##Ee4NbSBBRGzVqjB`F zSZwiZ!pb|$w}Xv!C+k5-El}AKrFvgRv#s`>K#6qP6$JJ<5i+!W5Hf3Tgnaq(mQy(& zyN`o*k@LrqcZTTa%fP@kEZQX?GD|JG=dA_njiw%qG@=M+!8b%l?R);w+>qXSZrUFR zxfi;mu9#53%CM|%6`+QR2%W5KX$;Xi5J# z@Me!Aas%niJy-m%p$kySU?>BeK?*Xxw{ugNOx`7}Is${*I zaq!o>6ewLP7KOZ`5;BwZCwMRV7U0!A)@lc37%p2EGfqy6aVw+j(48pR*_TM;O0K|3YrNKVkmyqg_#2`At|0O8r}f zK$^(xk@|8BA8IxM@7(!$X8o9Z*J77SP~A)DPs;=MpcQHq^hKq4v3?SY7*ysMQqXmi z_c0v!V2Hx4`x=Zwjgb9|Z!h7y$FS$KyuqV4)bCI3R-3K31Ql^ah+{InXi!IoGcitX zR@s8+2+}5eVsvL|PA$yOsVWsUMm5%2)~0*JvPI)J-`gc}-OA=NT%D`eIvnlv_tX|C zBnhj~D)QABbYn}bQTToyh3efAVIxOWr=w}!yvE;`BjH1=8ZDVT>R|k8;pJCK+nL?* zi@(Atyul3ggd{syST)^gz8UbjnhjKSIKLzuzwM0ke7hEdg%csb$O196=%N6DSi)$q z(6_^Q%bJ@FXD7BhAKWw)9wX`fcJi-aP|2-_ivEs`F%G6j=+PWsZ@I4}FqV!Id4o}N zey3RS6CujOrzs3w3jB0lV+A4XWAYy6ss{D&F;>I%XbXO)$nETL-}I`G@^@ZxJU`}o zw&HpueqDdIAe>;)GdJAD@mciRT10R0W<-M5pR-aiVN%&TtqudFXsNLxSM47DS>d{G9kVyju6gqJbN$KUxHs-MF7@v;rl+O`NTOOZ29L z^sgS{t9Cs`4*&F2Np&!jW|RrSinRKK&FG32Ef}fGA4!ST0Q}qaAT*Qyv!?1GaoRPr zPmRJ-tB|AF`S8K;AMcU98UYUS!XjZ^HP~>0%48~%TBCLCLh2sdC7FmX7rY9lK{iFW zOUS3pcQg5DSp1fS4qfu>1$q!l(4VTb+du5}%MI^PjQsMK_S?~*qAu7$p@%^f9@}!G z)%GI<(Vbl!100i%qA|nNL1fBT3fxioB^J@r6S{c;3)$M4Qi4oMh;iO@u1i^mLryG7`4A z916S4PlGy0cz!U+8`=ez7Z_`*OYBgk(wt}TTuSl@7T1IVLPQKABQmq(xBcXYG|{|0 zf+((FjbUVtJ-aCHIo~#k87dr{^<8{Z;d zlqGM#rVlsG#(X?eEyUJh4ENoWr!@~OhHBGFngihh$**#E3-FRL$?pFkogrNteGL%m zTKp@y{S=vkSE^#HY`Uh=Yga6|RYtoE76T)b>MxzAQ50WD;NN$D%TpQr1|`y5#pvx| zRb&eUC0RT{e8Kq{pS(jVGgn#yUZ#4=gVN6EF_+xmTk!$-6w2h$e1#ng3@<2poDC)2 zk65SPGLRh8Cx;WkE2f?r4|sWyBRz@QenIpagEHcM9{r!GQ<71dVcb}i=Muurquf 
zh-H!uZ7E+i6&TB;*b=oSf0Q+Fg$yI0L(b?U{dqp8-vSk?^JYIoX6P6mr64B6&>o&i z^cHHnW%%l=l87YEYsBjxarcef<#)!ZWUj*RQfu_Q8d&`M<|*@dToxlINs_APu!v~( z+l>6rT)M8cJ1kR2WY8E6EUqyET90m$aWBd`%o#Tct0p^@r*XNr}Ky!AAFZ^xppRoW?UZwo+**0etD11qC6|^A5RL!&AvDa zN0Y6BzI(p2P344^smW>8b{is|5wGY^{EnLz%Z8H$Hh)XUVCACr_&k%^6=+An6YP3FXONv98XGi~-Q z-TrFZ#e9o>XuOMIR)CA$kM(jo*=c{Kg6r0WBvYbVWXrCjwmY8{<@HO^u0%`o@kyjv z;VIXiGGmGU9Tm7rvY@m7RA0=QKBl%xJW-S1Skca2FK=L-Hs3u3x{o6)fY~Gso9XpX52>>{JHpBeK={ z^TERLM}m9wd*NP|o2rK5NsXp5-^}vt_DX|I?J)aGPnzEO*5131cw$vg4h_p<3MGP#}yFYc$1ccgL$3^Vr6_&n!K(mC?Y2oluds?8z= z*z<)QTy|xPqp}WHIdjoR&B}Q~=e)(TjJNG_MGC8SLw4SY>lfZn1Z`vUVJs+YUFb@F zmgpFhEyk^??G1US1ig~i-ge6Ln9#@K3yU5&tPXQ|m#0&~el=r|-kMW%9ii1Dy6--5 z;yC{YwYVT{e`+PMG5^94mf@WUJ-l33pk#fcltCk2JY-7#JklPJBS)sq>!5mG?-i2)R_WMLme)obF%K07e7yNnkQh%?w zxcR<{yCnJECT%L1Ut#xJb$=oLsc{L@9m&q;s?&20emEMW(SML5w;MJ1a+U z2|tc82Bp6MEA*WSzSLbIZyeiHoQu$_G})vFhpkGCX!}Mo5rITp*vXWRxY#E9H3|h& zsp2Ztb5cuOyL~)QT3{N+m?>0FmFZE!oNb!1+fzCNuy%$cZOezFD7C`5<$9! zHT|uuba*KT&g9Ec0>~n9xnCED@9I1=&+(A-aSsXJOdJD=# z#@<|sU>js(`Xjm6NA1SN@Y9k6ch#Pt-#QWNWl!+eWB60! 
zh==VzJN)JevKF|i-SKl2Q96v@EJ1FHzx{e1nAaC4%r@Km#acjBydQOhCvi!=@M?IZ z7Kez?w}D^E)brL55^`4k$}DsbE>v$RJc}&0Fm)RfWOzyRGQuWt%_Ub#UxbU$Ooqo+ zb|~SUI|qIGy$hv0rS>@fq^L~FRzO=R#_Xby4G^{$W%-@CmnLbMp+)oXVtgz06=sZ5 zN=@o46)3n4gcB|ZlKx>seeo<*c!hXrG7ovOw{_n-Nb+3k%=s|ZxN+-rq3wWeIBCxw zIVDh9pCX7{lw(!HwS;wU#usTGXmDTg%2}y<#wShw`4~w>`G1k*oRPWdInoOvfkQ zTV{uSHrM;hT2@e`872B5A|J26_6cJ|Pe|7e-X2XkSGw63VkDgA-XUT{8N2Rc{`@qk0^O%bM0uy1@RY-eO@Z z!C)bI;{^fN*)$!-Iai2TLJgGWMBx+k%htt>W9sH>49k&mozit7#DT9uet>6@nNEhf zpC9A0!iTq;^xCS-va~uXVdQYL&^{akegCjY7zHh_Cx4WjM$6yIg`7H5UA*yqxl2YD z{QJlEf8Mbr_w2<-2|TsTm!oZ3=R=(KUq4rP^0KP$fs<6nky`%FYc#p``7Cs{%>IYbZ{WEx+-E>F}NYQsy1Nc67h`w_lK46;mN9Ef-J-Vit7LN zKYZlSeR)-LH=r-m{=?BY5AnpPuwp|Rp8u5k56AldsKyBvGtoLwJtqE-7iW9Cxl!{I zPo?q03vkb(PZ8D>5Hmqd{)6U=6Ho4&Gr>1py3WV{ zKmNJ_w=X7b!=+bc5eL=xe}8IT;RN+-(aQa&JHmN55b>6babQ0(ulYZIUrTxLeQO}` z|9;7TKJf3Pps~Kskt?{1{qslv`eddO!MQCXSfBpKmS*C4XrIqiCy;s^_@5p`F_*9N zG=IR0e>_9lXS~39T2k=XCum`npe}y$h>!Pw-V#A5xEi_y|MXK|9Qwx)=dXiPm+V;0 zK3C&uiC~v^JY>S`m|*`Rj`Lq{@twgUs<>+k50DL$1@-skI~bsXr--{8GXoS^iD`GI zd6t7$0DYSG+IX#RfhBbMYjXwL=Yk~akm7H3o={1{R88q5ncK4Of-ddt-H@&KxXyXw zwDld(zwzuJ(xwQmiuzm*=qLJN@#nkm$m-7)HywO%x<65yGL#bj>x<2KUf(N}Sfqcu z+li%peBFA{&BCqGva6P)y?FfHQg>=gaEosULJyU9Mcd-_8Fi&(S* zO4K2EscTC@^X+k5o0ahO%n0}WMXyNW+|u3I5I{lMs>-f6wnXmTPdX{@%4dLn)70hm zyzSn)^?Kou8`u<@I9$3LSD(o>Xn+$_;F6iZSLb~R&Nr3p z(9bX=L8v=n)wq*81e{RjJm=}%g^s%Ll2Tk|3zF|kY+*&0Jv^;Svq5Hk&r9tBJbo5j zljZ!WQAEfU6K#F2=Qa{9KcNVw+c1yxP=XufXe)#5Tk@PYZwVy<_nMI*X}T27ss%#W z9`JDaRnG(3QiJsT&ZVwNw+h_+&^+nLZ0o7Iw0X$Q_MTbn{kOE64<{Xjt>xt9d5tEaTZtP~QG01A0@6nyeEIilF0UKTAJVqG336w9j=KfP>a;KH{-(D3H}H)U<7Z zo5swFUS^?k*m*HaT!IE))bTp%maQgl<+!9TACNU-BGZO*{Ex~-IvoO;$`s|4I_aE(<0DAOTYt4 zPPm1m2R+RitssM1^8raxQk3^;R`;(dl(wS?+vJ&j4>HE946v*z<+U+&scmiERV(}G z{nw8Y->hF!_&C}~u*M~>ENdM;?>O>i$8OdO^kJLDtEoC}puRJ7f7N_7S$6P>udFS0 zM_}o4_cO52+xr4Z--DsF4`eNx}lXiPSY0kuHV?i`7pD;_JSd>fav1e;)(|#qTZ|NqdLv5N^26FIo(5^@ zO#rHUD}h=18I%ak&C@^4LGyX<2#B383h(>=P5sXJf#QSk&84GASDh?BKZpK$R-=#j 
z(|tS{^xzwxGxQfrVI#|vBi+qTx2n^yhNG#kDB8mE&L%N4XRVxja5L=#k3}!< zRA6B@G-Tsa#Xjbo^IErn?J58d_ss{9PD)bRKM<`+zapIt#_r#ZqY*Z$ko|}Wl1YNg zwYv$_bcF5cJmGajdV(?p*_uUwa5?SDP*vgdyJrh<_lqrJ|8#eE-bN^P`5B#=-Z{-s zI!0TU7ZltF`cAEF9FsObYBXuhXxvMq^8~U+r}C@OYKTi04A7v_`vHL0#QxZ#Zujue z`@HGd&JU?WydAy+FfQCN(k{Y!nR~e9;Kb{C=ZzXCF?oVHr#z59Mf8uboF~-oGrYGI zs$V+~(GjbQ@Y#yH+I?l$swjd@reAF@0wcyHt5es5kj7y*byxTsU3*H(+il6XzS=Y4 z^T;)Gfa||WfPc2SDss$=fheioNET)j%$zvkP8eOJa1hU_vpY& zUEX5Mv=LgxjiQIaJcIVHu%ZFeJ2q4Q`K5GB`^jIZYop4g5PeIfffvqN<`m-yVbyN1E6l3dk;tI=*=H95lf1*@*plrGJA399#nHre0a*Cm)QxJEQ<6p zy_B88*OiHYDQAb;*=2iv{nG7$##sxPv1};d`I03ra;}|KsqkW>iM}P^h4dTYD!qY| z)sc2NXx8tV#gS>b+qVh^-}Om|36TNZ73*OaSj5utpTHF{Ti*6F{9?{*LR`JZX=$H<91BEoAS0EDnBEY zoX;aGGO^g4K;}nV=3n-nS=w13dbcy?oND11JEZs`IyW%<X<*VIq*ZgP zFYr3RCRU{+rW)H6=k892DyRlc!Yo_@zGaL^Ii~R`7uju3>_DB96rf4FI+nIP0T9nZ zDBAvKvGE#Saz3w#C&M4o$Y^xihw!s^y}qJ2XPx=NFSs_;8YY#7(P%J-T{>_$9@>0t zeKJfAyFQ@wkSnpF;8Ywf03$eUon|6IMN(Vp{-hD6^sZuseIN zbiaA?diOEttNh=rz#=VP`C&L77BX_cmk(&EN?b(#=g`qXFK}% zX=9%aDpn1LD)fi5HyoU#o;PO-Y8Rz%YQ6{*d>`hg%t1di^Svo$6#F3@PWp zM_(OFAd`K041D6AE4)Uk&!E!q2-a0%S4dBh)VGYhJGR2=CrbKi;f-rutS1F}iZN`Z z`y+4(jOwhSWEP(huT73H>XE;!{F>ydT({kK>;B#TD}G7N9e1NN(+)~>)hXor{Z$@1n!pWzHi-O-N1=U31JNLL-bx~4AKE~xl zr=InPe-w1B=7Vxa(_aM7S3o23gBtZBJZRf~Pf8`8-IA%gz;s~D7M{oiykfkNa)WYD zEDxwrfBQ?Bp1i99s6(w`Anqm^I|wH6+QGJrSppV(+V4Y&HaK5)j%lOzpgTt(kf+PP zO#6H25}5W-2d9wC>@_>c^%}0Nw-oRC$^Re}nl52_kz?S*rRYl?ml}N;<>fuAO7crs`62lLwPg0)AP!}7nz5B|r zu%M{CrDVGFH;^Z0hY4T4|A$Th%}s4xOG&Z~r&2Zw%2VThehPf0w3ub#XxqzzFdF4! 
zhF6dViAL5)q8)s*o>#r0r*b?7`4h*=%(KytN^@=|gU!qh$LNj?ROeQs{Ap1wBT135 zht-gC_~sm@PYG75D$Q=#{TT`%*~E-$(rUw6aq9&w=_MW;6!mmnLe6(!Al}*p1F>ZT zOD@vofiNrmRc+iiFog%>qty%IZSZt=2+`D(UP9fs!i&cidRL}h^6fnA*4dPG#XgAY zJBiAV&}CH!Sr4ny1QKuQaSf97ws$Nqe{o8qpA(+zsahjY;Z?DVrNfFA4RmX|W5udw z0d;Q^!HMn1CObuGyILubjd&OEC@CjJN8QP~4x*pvSYF5VSarb+V>CvmRfBXExOemJ zqT6+^8P6w47&EsfL}0T5i${^U0?$DoDxDdUT(aLc4)=B>(molNpP5kEX%?cg%@i<#=rkt(fGZdD_o3v=IOF#Yl@r^A zt(L#*sl7S9)lM2&Bsjr)dka{MlV8GWdO3`jLYVo&wV`yhXcpD2Nv za=usCJ0dl4`@!7#tXu*8UbeqPds)FA6+lf@X0%N5vnEC5)1y!onZ7f?2~@|}7oC%A zSezxxvQa!G9t&5`gmN$ziRGlUo@Fz^jP%n)ZAhYb$ohxgYkv!_Hm@oL0t{VkIg1Jf zr|-3|lRd}8h4L-)!xMRE2XpCnlO~#KEBNR!do8YEh=TiZu=z?g?oZRi=mJU0UB9c+ zj6?Q_lF+{7TH_iU{qej}ldSy_*ny)N7T3Z+OYhgF(!*Qry?Vq`{wvZ$=kJ)q9!~Jhl?63;->i; zbi^pndRZlfT4!~2Wq;C5t>45(+tBb8t^E|1JL(#-MJ}_*L}uVsLPeFvd9cOQm=i zF1qUuWKgV)`_1wrL*gQ?o|5ON;vwfnd$rw8?!}~(_=LBJ%9J~X-zhl}*TxJadcO`y zD5D_`f6ws=RWcmcGV8wUwNS|+wd%YJ`eU@|T3D$OK58DnOk|1#HN$YO@v_!df0ReW z%y-WTr>#BSQJjB5f1dJL0lQE9o@F%>M2(6CW_pMtx%~eEf8j3y@RuKkG2Lvg?=Sj7 zCR0dDFKXqnQ>%G!BdW>5mWtCS5oA)fOq;|<+`}A=zX@mBf0_RNs2}rjYowOqJ392Y z$cD1*>C*!w+8UBtzsir*iB%IGl;L%?j>d{G{F%;C6By3z6BJqJepVe*+FgeTe>P=i zmKudsGSZ3rnz9w)Jxd9RYLNLM!x21zvZ`04lFU#);n81TDNjPQZTxWpdJVRf8&VV8 zO*BHoB%>Tx%O8I^M&}8(8sAM&>xfr<@em1$Z6Ukxxj#Km zm4#fzE+j>=PEWCN&yE-xrwL~;50);i;nR{8AH)W8!Fpx&j=vI17F=m&{R+%E_nAq! 
zic-3oX?=&ahhC$7Q{j}hz=Hd__RWXeKLh89wL>-DJ4+bi<|Df?TmFrbk`=Wn1@&Ey zA$T|_<5d#>01#2%;+k_kw2^n$4Zj^vZ(>G{vuHG>QO(`4d07SuX<|>^`jl70-?8=) zImTcb4f8zu^6VWhPlq<4vnAbbyKTFY?MTLtcz)VSzt0LY8Osigidf{@l< zj)T;;VM>O$tTB)Gl7W_U6b?Jm2(VonXvpvwD0!2pQ7Zb)s587!<)OWx-?Q&+!Xb1FrP8WJ2WMlQOt1+h?^q`oy69;r3qtQ zcI;R4&qp7Yiq1HDYY?fPX@3i18*n@GYYnzc(yPo5ja$&; zLlD7ITAXk^ktbYJ{>$Y$xn-Z-s@Y+m6h25(wfihcJY|;`3^kSi#P+6g`IrH=r=9nu zx@_`Xm$DCcg+gZFkpIfknxH2NE`CI0ezjH8 zQq(AoKjEzt_c7N7`?>r-uno4)_h1uWTb$KlubE&8B1xeKMU8YHgZt91gPSayTx*6r zkv(*4QK^(3A21Mq*W)vIdZVo(B4AFE-Iw|g%n)zl8noj`wJtc*b_x zw$>?`M~KiWb<2T%xWX`>5?}biL5q=~BCR&a zMtk3Z)m;-@Js&hp1i+c~Wxj$dZ&IJl2D9_cF_?(dDV;a_ZTt9IhF-r)g4FYu|_?-UvOyLa-*2U=%ZDuXeHe)kT z!}Kk)Y3gR(QSBi*K}Lt)f%Dg{;6v7zmXl1I8lXv)saZ8pep(HP4ALLH)%(WL4Zot8 z=c2S;%dpw=?(Z!30$?Z4P=Hfzy^E{-SuR+tz>NzrRsVs)~ksvuy$~*2dht9~? zSzb)uhG%{xnzR;1v9_hGieCy^C=$IEmrVEv1m_PRI3z*FC}9)F-_E%vOXYW&+Q=&W z;ugWCIMKi{XCbc^qc93Kx3zn--DKt{UzBow1&e8J)T?9WYfFl<(UXrlJslMCtJ3UBMe3nk)>|?r91SUxgzev?+?u~rc<^zo%wERTR*|wc(oQ-An!k1 z;;<@OXzlTmEer%{$&etBiZwb`z-}Umr6G|}4ekCFtn~VtUN;Q4#Avhx_+(Yk2jZL1 z3T;}lfGCf1ZmnMfh1>6nw^aO#k_fFzedffhQk$IV{#4~B1?&}$KOuD#dSjq*X?Mq) zniXI?c)3Z$aw=%Uy<_`NFMzen4>c2GkzytV3!^b~|BfseQ~+!#Cd~!hMpdH{eYks= znkG!=G<33@kWov*zX!Obt0WUT$2ttB0M>Eypy)xMH1ioI$rgMF*1Je=e699F~xT2|tD~@m8i5J=7poYP7!x>$h<`()V(i-ygd9F#? 
zfS|S(#Zra~_h2?0xtju3N}ImeUIxq^JhNDTb&PQhdd6)@3a;XE zoOrgBw8zk)v;F*5mlZFzEm#&*li9{&Y*lys1{I!2&|e)zJ1mT=u;}o1q9n>|oi;+_ zX=pw!mkPOu-|w1}q{IIJTCt+}-nY0q#?YF%%SD{B63$s-@yUy4To@Zry3X5k*gnl4 zS18_KTk1esRr9$&yuWSR1UQGCy_}tt-P?G|5w@dUjkZRjzcg&kcSEOC9U&{vJ@wGH zxLlIoC6lW0O7R-R+%6n?yV~~!&;JcoHR<{6w*O))Oyh-vUA4(?xWs3vEolW0W&7Fp zk9tmD8YMaaW`+yXb_K^m0Hp&GqwFv0Dgq$bluf(=gL(%4+3- zGUUAb)}EzB{%flHL2_-(8ljv+S@Kx zqInizs6$TI>WI<2`n)XOT_3hIk**nItRAHGRNuePOyqiI6C|b3E8&s7$W)gLs^GQM z{bCD5NGv_>EuRXQ7k!~*EQJy;1~6^iI*+ef5VacdJUarx%byC&VF8+~f4n`q8| zdGsmxW$~R$^6L%{&Ov!o)(MO58!F+YG6XA`gh6H66!&GPVW&mM z(JDOqSf-icR}G)q`cGjfh0+_k6er~q00&miV_P+AO|?pbhR0<7K-A>$_AcQ6;*dXL zaLn6!ye62&HCsp)wA@bFqT8GwR3`|Nn2 z@>>lp>oUrrVHeNd7W@gy zAlTqj1;EXco5(#bb zjaYE&@on^~(uDmy3vuwIa%i?I=FNL^pznNU_h2%gw3ps5XfMAb8h{(kS-jkGNvjwI z7D@bFhH4wgJoTb$Bk$@LUoW|!si900w*C!R6)&`Go^TYJm)NwM3ZeG^dPIGS)z}eM z7p@4e|3-CxD8Kw$sL@imy*-7)DU_JXyxaI1Igd;>?m2vpAi4_~zbJCXTQ*lzMx{ia zkPiNQYl^uUn7D>5N=I>|%sF|`gwCkCLcjk5a+jk;G+%M7k%s~gWA_yU@V#^}e6jo1 z|B0lmfL8ar8m=qjR)gJoKD>{T%tm4#{DV=HuyTj2YG+J`PC!96y7C9ZN(mp0#O^7% zgAJ@^BiWcp+>GCW()xw%B({a7n*%X`nD;4TwlfP1+jYA!Pf zKt{!Hsh9YZhG-G=BxTyFi?w}X=SW)Tj&5%BjouLy6^Gp{-u4OJev;a}?%C&{s@`Pf zy(O^3$KkQ!JIGfBOclSwlIbZ{CyzepI~NA?v%QqlntJb!fGdROrX5;6HWux9HP1IT zSbW@18mC)Ii(#EelO|^T>VP%yPn?|~=>bY0e0!JE>S`*0Q13l*@cPhO{4KEs{gXX1 zKXv5CJE6!KAY(<0mxWBB*Lhxh>1rxdWX9IRIZdqFAa6QLWaX(seq8(|r=sZ_!AHT? 
z(XNjo7EaeiQ@6Eq7smN8*Y|;`$dx`d$b{!}KU!ymLeqE_SWVH74Q)0NOK$tiM z%wdG?TY`K*5obo=u~AY-Ra`(%_ITJ?2)mu@XZfDvCo+)b9e`^V7?ctecUmHvsRMZ= zZrmqEPQ9)7t+S(=X)nx)oNB?isZ9u#XUXeiwHPPX811W9!f>bI==1YwHi~?T&CHlx z&X?#D4tK#)_Tjh~P#kwcn$Uzgc6X^Ts!aS~n-#_ODfn%J2pMy-AOYXm&m)>Nw`GoC zU7of}^8cnvgo%C<{!m^Vx~HIsyxM*K9G|(LpDjD^2a2T#k?{u7Erkd2h(aXqGE2*o^ps&ByvZZILLvfL|&* zrpXNJf2u~9hbiYmPPh9rwHv1yQP%bUF;MXORzUJuQ{^{SR9D`PvL!mSD^Y88e$L4D zXm-xz_gJ*pQtR#aVm~pZ7?%(%7gu1dmxz8JC4MI%4$8k2LqO7}N%4^1YupN1el%JG z`m{&bO#Zp0_j{tVgb^>(1hi}`uFp9XQgDfQWQSNQczWUD7BG(lInjH`3DI zb>kE2>-+t8)>&t*<8rx>nYriAeeJz}vA=BR;aa6_})7`O`hWblXP0C46G>-Ahg{%`(-WqwaYeth3d?B)eVs6~566%pHdi%2?knH{oYQ z9~=RBLcK&ypdrdxg^MeOsk{^^)HHdSrP)C8tzflX)sm)&+|KJWP2Htjc1}5++_}1B$3AeA4 zIl>OAjhK-(;#FSkBhz)>v3|}_LSTyAd@L;M1-#UfrDN}N8DRMq-AaMEly-6_@Y;eEm)~AhOnh`PU%y81jx|lZj`*zKRxup;Vf88L<+_~CvaUHDiz!6 zEdBWl7(FF9Qt%se6jej~=A(YlIjv>K!e1h!M_jnyFESY4@Tf|mF@CLtu^uIT2OYEx1_za^i57(^tPf z(vyXu6=zp%y!CvLTv_=M-U+m~ zjSk2IFZuk7?{D!6pEB{(FEgY84%~an_&a%hm+KP>`c{ovaZV#@p7IrofQYM%uaoYQ zE0_1SjF_ZZye>i|PmLO-PVK&j&z7SWk^SSH2|b+f@lYxkgi_hThE^|esMc6~Cv^A` z%4nM<9<9lETzgl4VY*3Bb?pw+N1<}qQp|GWVTL|1n4#nmpHXaCl<3hiQl<1@*%~=` zPqI-v9=+}0{nma@OUda5DFFvfx@SyW>z{@7^dRug1FiZ9E1wZw>U7tSbI*besD098 zA=1CxISlNs*(Jj-5||>Feq@h_q^`#im0tk7`6n(O7QQ&()43WIQ2e`+|NPDSSLzdb zI;k}NNT++GLk8$}7ZY0oe%ZDvKAP6uLnvVbgsI~~=3Adter)p3^t;+&>~B6(cb|T} znpw4IzoOVa^rJl3lpr(Ti-a-1-N51Wqm2foZ}8HRN?FbhhH(HA(~Y? zu#z3h0(J{j?|S6~s-RS=CkD(&ZckxCEHr931FlXD2Vj+zMlS*GM>}AWJq|bkY0c0f z;K!MRIOoCvrMTRNb=NtG@6d4n$ZvF%(UuOOTx~7w(%c7dtP7N6PTxWOp$75J?0K%e zed_rmQ?I>2^Q}qXINxCsCw{OJu+#2Q@lASBL_svM_EXNvUF|)|p;A!fu!BjXPwH4c zrGN6a0%WG@uTJX+ASZf!N|PG`gXf}^WVutg0qrPCV{{UaiZ37nVn#s3qw;zQq&;+! 
z@+=_m+9Jz3<<|>9;kwzuo69}r#})-VE6RnlERvm8Otej$f;H{Nipu~Irw^Kd(9VCb z+*`So!UO|O*&(yw+#sx{gT(MWeWuWpAFLS5Z5BHK7#roZovH0Fl+x8)1APrXrfXIL zD@lL^)i1Y97a>l z`Dv6OJKrcq1^}l(1I1q-{yFUh$lm%5J6j<3SW~tpwvZq)I$$gUR2P9x|klM1K0Qq%z>3L30S&?glMI(G}8_lpe-_ z@tFn+>bY_|_uu~@@YdR2dDhx#??7Gr>*0WeU_dQ3(iiZP*SVC+g@16A8->V}oEz&{ z(*IerPZyectZ!lOuLCO?y^W9`OOGNY;M^)!X3{DB6fJ5CsPh2PisP94uP06nY;86W zrik&UV4<1_U~08Q&if6&o}s_?GeQ7FuFs?+$;AIAtN+&ddBRs1nhEK(`fY)a45#+V zKC12RNXej{?<`<=xoAz42;Wulx%r1rO2yW`7EZHBRyMr)etTEZGkW8f8|3c-nL!3^ zb5?#2oZX4<6o3F|*E*+9dN9~Xx(BjiW&V+-ch~oB{bBQ94{>C5#);|I0Ab_wVZl9d zL{(@3f7bBozV8&!4cj&csJ8=Lws&R#zfW)zl=r!Z(CpB5zz3Nqu0DiFxwBME4ifr~ zy?QNyE{9XIfRS5Q`Scis48yM+Ox`rzzg)~8fjEK{ZL{1%(qF!81!k^++;ajnFGl-& zfSt<;QA=8P8!R3|v_`WW+u}@)C*?iwqE0!p4Y#yMM^|l2O-KOqjB_c6my_}YoWy8g zx0VV8T((U5Z{R%C?18GU8+yzOd2-jjK&v!Fkc|Q(RZGlw)nNxMa?U-K+u7zYt-aPK zIVwEd|3RDwQ9BIHwafwYx!T5Qyo5L?k;eSasLSuvs5wgNKp$al_I_!ZjKrE<&4H$M z?b%E0s1J=Ct$Jnp70s8gMDA|^I;{x<#ydm4B{hntmS&z%-D`>be0{8dXDQM5p8De% z8QtF&m*-+S0Hlr|yMp7irFxq_e!nl(CrMaXQbT%yd-F3}G(?m#*aUM9`bI(aV@?8C zo~4*3!g*c;ALjVh%362!jz0#GcfvJq^*#>(QHZs{!0q~dqgB8Jf}yNtAJ5Vbz>GR7Eab63o1KhZC8wM=TMo0u_*SZ zwe~z|Z{TUbh1LSd(cnJ)3dEJ(cuu9j0$No>ty^R>xM~#HfRJoVZ8Z6#^)6$~v-+)6&Z-3&_X)6|9eJ>c zPIu%~tg3HBx=4lBDlQU-uWCxR{JhG8pBn|goRp3?y(M%TBXTNNOg-*fLGIa<4()=w zDF17yno+)o4~GgDMl%%mp04{mG1c0PLa~#p1#r(sOj72pF`7F_0e0jeQh3w?s}eN9 zV9tQ(KFmQuy4Ng5h!F@3849_Sn7`@_fi6ZA@QcsmqLURk+M3k)wm%OhwG=rt+||nW zVH45giUnb{VaR$u!Sg<6#ZY@xc+KHVJG6v)=uh$QmdRPJT5MoRpMdr1-CCkq=mMZ; zy|4@x2a`!U=sWx&LIM|8vV;5GrwQECZ-soU-&m*IBl}GEX=wAyC4moIF4F!P-Iro0 z@GTxz&5JO-AOY<%Ji}{ESbKmjJPIu}bP59av?os4D~k6b{?x3@t3BViD6jUVGPi$5 z*jJVPNpj=(%e65;bA1vSxk{n_EVpXs1w`1sQFiBsJKJQi)IB=ci`b-i!#B@vfR)I( zafn=qT!A07Snoqb-ZotF5zxJ2!cFxsx{ktD*zh-ZN)onx3Ruba0&o==5LRwPqwlkP z$zKak2RwMNtc!V9;VuX3449&_#9PcIVdmHyeIIH`4%L8pJNL;Yrl%mvtV^I{Us99_ zxKLDbi5grD8RFX00Y`{WLzFL`gLmHxVuBKbaC4%*h0{VmLs!b~Ic5EE% z-|+p9ZiTt{d?U|{VHB+eJ@XC|h*R&xu`ztk?gYb0gk|(PfD%;0NGm3jGLGQ9D~ z*`iIZ4yf!=XfbAX%F^Wd 
z^Z>%#x78ryD15B8HA}hFaR{C}?JajtR0i1}u`#=|V)8i4x1r9$kD~ zO7ADULrdfl^oK=8Rq}izVS-ie%dyOG|I)n({<@%t49|w)d4uB!-nX!8jL0(8C({sm zu-Rc(U6>W3=h(#rmZ0EwO?<1C?L-sb8)peR?M2lN>PK9-f`)x_)Vl^o5DYsnuH!6) zsZu^J6S1&JRAmUW=yC#Vebcz_^)&Z^NtbHmYh~Ndn*s`S13uhP1`I8W2J27FH@+UK zX#@paK(H{Uh}TOVtcaLIJ9l9IA>nAC&g*F9EIhR1XZ>1Srd772(lXHZEn3Ol0_ioG z=h1Xc>)Y$eqHlmIgnM;PJl;MUBlV4lf!IxxSTCmqB;5@_xLw(n7L~CkZYnEzkZs%^ zs*pPa6BzW8{rb=m#O5I{C$)K$ZeY~Jj73a2O%J`v2!m%uEbG5*;?p~f;XKs!vSE9A zOKW@hX-6msakDd6LG&e&z%pqej`vDUML?i!obVoxl$M};)ec;PFI)JjULW#b zM_p6!54!_irz;>BqxC`hWWk!UeGiS>GUJNhB4uRurU9{h)&a%q4vkFm zU!Gj%mh*`f_m0O1mJ*9rCRJ@p?megg1xTnSw5Cl3j?Rm6(#Nk%wR#*zJE9Fpu~apc zGw+slBBCJPzLGW)SBK|{MXM^UBQ8{yv_*;10OKNB&sjfN}L^>{^js_6FieVu;80 z-dicJx6m`yg2Xu;-9L+S`ZKjukSk`8+UZnC6KZ$uSrxbMYNisZe4w}$?EukHY)R7O zO3r8X=?V?|c*X~yQQ`n)-)lx z`UVEvFC>61nKAxgbWU=DE@~{kG~;o1wFm|Z!SQ-<(|4+&P2hA%Y?1`0u^QA(Oiah$ z`*WRDI2qGB=W{}=dFNoQaur^LpSb)&ZKL*p8WRf*ah{f0lsyONY;b3)5q=^GGGdz+ z+dJ7N+6Tk!km5*B)$t&#d)AYGE5RV&n1VWVxMFO@tX;;;DkS(bq~Y1<0-2$?wzKso z)pIQ)+-%Z>P&M+Q_17GcN{LcNhvJlCATrP<5>*PQ(n_ zzbAZJOl8x-R@w|bh$W2)$Jy(4ZY4~(O51hi&p}2hcPiv*NV9@b46c^h+I+llE3_O+ z5yDLAb~$n#+Gl}bAk$10XiXFj^BDDf%D(rCk?&$mxojUDd?=0Ezyf%?F_?Ij#qGD9 zQSQW_MUe9~IUK~5^W`-39prF?!y*>hyf{huXXxbUj{HlXN*6gU`~s_ z-I$uo)TeFaTkM}fvCj`FWF9olqlKK-k%XPW)hQ%fnt}H96h3A>9W_=OE(IfVX;Z}{ zizh|r6oMD65o%uL8M!zq4~#p#Z3&ikjk`2Ko>s==dcj*>?WkY~!~ra{O`$JAflkk$ zvMLnis#K84Ou33!dwI+46`R{6Y@BXpBD(p(2Y)j~E&q83j&e>4J}5KHy%ipSt)45B zJK4YZDP`nQ_uh)Ri-un`lwVb4Itc)M7Z@T^D%Wftn~^u{ntff%@_1fMpnTdKtOuqT z0*BuUP?-Y+IKqQ>o8Y(i63*C(89Y_8pNHz{#5`VetX!xuHQifGi?W9*6j?Pzt3Cy> zcbq{ilzz{P*K+4yLsH0w{4X$r@yB9*9u;=z!tl#;P+m@3Df)SsVjAg6fKV!}l#Iic z{-OIKbqoKxCU=~{+~N1ow=!=$vgBb9P4Q?6?}Wy_^cCaN>`VpUO0gvACapg@JaNqO zv8B!AN5OgZ9)rua?%ibO!{IjlClYv#j7{S3n7&HALm)X#40YA_W>b#r7rgjtr-M%9 zV!zzc5Y)%(x$o{tYSSe+bIfHZk9hVo%4|+^}ohn4g_95asp2cZd_wN%ek!k}3-|L3>(0V#o~j}VVs2?~eT&)39_n1j{!Bc>Jg5H6 z+fA-%{9^l8&=(C40?jV&xbNRM(p-_6za1y@W|dsAnI(jNAKkG&7NqB_UuFn;@Zf>x 
z>e(I=rRnj~Ul9L;yy5_oY$f!L7ik}=og#Zpl7q;nx7X3b1@)4HSy%AQZ@oO6BAs|J zFNpbK2h>NC-{iISZW(-ftMHs+Jk-3K3HOHL&Feup9SLNZQ!~UAaUiDhIx!}c`{h6y z&Y4}s{ic?B=GurLNrEZb_sI&av>ARrB}vl&4ivL2`C7ZKHs0#A&2;fXnx9-8u-t!Nc*u zG#l{FY;@)|7nLz_;MRpKH6y#{KrtSQZD`&~@k8BG2`V~0+zTM`)x;HPYN;^Ta-BC5hx}a z>F)xtNA;d_0r#6)sBee}P)3Pwg{65CGNz4t1y4z%NVs(OS5tW!bO1yEYa_zHdl4SU zl2f%<8Y7jwRF-<%QMP}Zzt3PrLxB2I$hkZo=ND0X02YAM2r&<$5B47^+>X&E#!jSN z;EL%!=E~x$p&m;3gx$1fEHC+n$rFpumjrp_6EU^CnVz$_3H4FJ#U&guX?&}Fa2l*r zbNrhm>dMTtUq%(X-tEO*vd#?Lri2k8eHp`6c_f^WcbJxBg{VUy87vmQ`qQ32M-FB{SUD@PVGCA$x$zJ=ZtqAV;h056g~myU~t4uKZB4Bm!^k zYKPG&5>B?G);(edbPNoMU5O&!&Js(3Wu9yKfovC^I80)(AX4Rqw>>S%UI?>CSQB8v zD2j8PGfX(jAMUU0bEolVxFv4lx2|GOIY!{*%3jLYL&d*cw9gzl2v{PS8nh%%jpqgQ zXG3I+c*s1CiN?Fm>ZR~=smr7^Ui>v-y<0>sD#FuPoevP##G+r0yd#XP7tF~QmXg3olcB11 znzoG#u+}^K->mgmS5(K$FdthCBLL<>i*a)Tm@aljCK^x0F(zhu8HPEomDRG?1Eb;4 z;}8mY_Nk&~W=+$4ppVw&q}%foGEiI<-oOS~@4$I{Gh#BtWI{V#9$1V!mdyfRbeKNf zYY>k&W+A^uy9O7I6V&wg*;%ivCfeS7($IJDYd>XX1{bU=&Jh}Q1|=5|8EuS11n?=NcKreE0t=63qo6}g>coc_&Q zv@;}BiQWpR=bA|w8Q5yM#;rk!#KI!YucINZPROB!znG#F58Kd`jB*V~G*Ml@@6cj}2w69qrrRrEt#M z_Un31kd3a4fg_6x{QF|DT@={knD(z@L=Exdh|#qbk+O|AmxS4=YR?}>W~B0ajeq%m z>q67Qa|?rD5x%L*8)ALj=P-$rRTof8>YDuh8i~0*116*fq?dvV?w0PSIY<3ti-(a) z%0f1))^tS(*y0iVc=WwvsJZ1%tXJf$FhWXCAO4_M;ux4}z^LxK)?Y?-%xjf7GxCA! 
z3xY7=j(JuQ&3W2Wr@FCC$f<5(grYh4q{a^!@h-fX7$MT!A*vQOAT zEgbuDwgA;;wGwYB9wQ=p(>q*EP0-j@=0};N6H0=8E-ASTX(HR^{I5<$<07O}p~%VM zt8Hd>G}?N?mw2Yau!p#)DtguF5KmB0kS(~WY)0JU z9h>+lZHLJ-Z~rx^L&_=8aNRK2jA5nnw5Ti=TkgM^h*3tGs3u+&Pfj8%@mPPrl7sMb zTJ?ghFli^<%uq6H@#IB34dZTCVT#Y8@x<^7fIZdQpkpyMF{K7gOxIi0JTZ0&YH+>7Hf(I-MVjA6f9ql*3d;S8o|ZGB-9- zw{p=E7hCde5F15Uo5(j6LoSlOTP|+(^AT_DgK$K>=zMS~v4wFb$~9w?`o4~rBINg{ zMmxx6l1;AF4bP|U&BG-F;Wr?2IdhrxPeyF;_E2gi#2XDe5q38dRlCML&4h;|Cm;>Z zee;TK+z*UX21=CKR=b8_L0kjT_d7H^jp}F!1=cZZn!R1yyGiG=%=IL1;|-g|7nW*z z_&>=(B*jIxCfs9r&ArRz8zb@?3 ztUK?_)3nBO!!#Dp<1GjGzz)~N8Y{wfn6J?z1-?Zl&zOeh89Q~63Eh4FdFIYLz2uLx zR27iY^V-AMfx~GFXvFGBmlr^AlCEi4;&9H#c41EiHTzY0^Qy*fpF^D5K5Zg~WugY> zH7P%nu`l)5L-l2JK7}s@knaw-Hmi`%wpeVwjF?N;wtHjV$H^UUo$bBBP5)>bASW<2 zF_E!#C#rp?ZGR;Z?F92eyxR)eB7ezGx>Xi8Rx8%V?ODzk#@pW64^bXVJ5=54%wH_+ zl(-2q?SZ2t48V$^ZfG!b6kp6j$1TYZ!4|Tw>?YFK+-+IhH#mvD9!B`u)4sIdq3ahd z@^6F-B~_r(DJF2g=itX?wi?)JA2DL~=)Bo#p*6PYoO&OLIh7w6zD?{$uAnO19dS}Q zT0hToPC=8E&}2IHe;1#a-A+NbR%Q)@#3vlr{qwc1FReP)tfxpn5wTMy@tdtK8ME^@ z9!B2I_}42gN?_anUJt%9DXb|MX3zY15ized!H;-e%Cr;#rP6ju>E%Qb0#!Xqu^YZMcCN#$+aNJoxW0Hqc%mvuR;F{8zHTwLyl16!(E&{B zMN8Uo-wb!#lX4g=)R)&(t~mk*a#m%bi$?MH9V=($dW!lY~EfAe_T{3>nfue(>|!p);ZYcBfP@64qBenj`aE^G5Qo%$^TR<{z& zipEE)M32QTt>D}?coDmRHvWZKy8PmP+Jj+_sl2UJ*hJK@Zp8znt``P&I~loap*pUh z#@`Nayw@jImc}#7s}QCWM@v$6IZd#__WLVs**jHCftk12sffx~OuG2wV-)Opp1(!U zv_rrRF|*RJl-{l=zah*ka9*z*D90ts$XKvsh-8P5Adjz612S3i+@BhB{ z1m}@YzJTr*zRExE@_=|$__51?^7aFm|Mg!IaH6&zwjlrbA{M?Vpik-A6fpgH+m7HS z=s8Cf{m+;E@&nj!E@hAImg+xmd;U(IS!apqDci!~j>XQ9VJH0<#04tk;lK13;pkrw z>=ASr3F31+pmF40nM)ZRgtCx74JR;oa(R4@*_1LAM>{0jxl zf-f*PKXwKO8D>Rl{h6iR4&VXf`liGv%Ujw`mYYMJ&LvO9;-+OtETQ>C{NMK5EH6EV z`Xy1Pu1$a-^x-NRd<$ySTes4sCd)l_|NPx~>!;@b4Ef61RK?;m#-7z*j z5}D7i+=lJ;`@$c0BS#Jv*`(AVC^Z@)7qk-?#&jPpX`f`Ies($rO(%x!0|-X=Tw?s4 zRi=E2{o7No2aO2@SfSSb;PQJ@e*?Yk;yr+Ak3r65*Drk)0jSxp_dZ9;#f0=SDA*SO4vv#U5=|ZoCPa zh{>q0hd|X)?9lD2rHmeB0*D0d5UXYBDbbuIF>Mb8#DUm^8015yh3!$mpyy>fWCE9N 
z$p4v+Bl?pjFa~Ug=pP>I4#k<8+4$=MpgSsgV=?n(@yClq?11k=8g;Ak%Y}C6at~3) z>!Tj(upA6=JcE6-%hU(>fDy3Z`JhNTLhv2(;o9$jh++PxR$Ocq#pXeEaBY9Gox@4{ zf1I^w1Kvf39IsuYnS^Y$W&s$XVuuR;etQgVWu}ijlnjey8j!XLZvO}nYpNmRxy77Fxrs{EEsi~Aq9!+=)93RmPSL{(5=7cTa~N<$q0-R{6sz))lo73G!iDRu%@ zc{O+EasXA4t-{|Y#$h(Hy$W2sSwKD-|7@#$iV%lxUILbU?eB7IQdD+iHZdtQAUcF( zvWHbEQu(}gEr#G6DPJEk0gISv3dK zMGWGtv;o<}v_s(JP}Bi9Z;jvra*CnxS6hhwNX^&%aFGW*eaDK61?9p7qgHK=xiqd0KQ`1h-e8pGs&qXtYD_aODz>_<#z z3!ud%Ch7rr@a3)yL7yK2%xh> zN4ljaxqA`Qax02`UgfV!9dmNKcJ0mjcM{PTFVY0RY-;Y~+%uh!+tmfW_pnnNAiavz zIKJTu1bIcWMBg>k%79w|+sUl3j=TUbLwpMAC1>Q@}jyluBtI z2I2gwjK2FvklwHzfI|hX{4>Zv_yIBeDd{dy)#Y!w47<{{0D^QCF;fskdr6V?Rg5c| ztEYEAtRV&B{+$`#kz+A3Z2I&oAlOU!)IuDa*;nTzEXv^p^-{I$SDqtwG25RNKNY4cGR+I_FEk$lP96(GifZ{+(Z*v z!fB|XzLxeGMDX2N&>v;I=&djZ5&vfF8(Tm(SW`4<%__Viw0pile?}mwPt={ z|A0XkKIbU@KwyqG3m#en%K-fL7Zcju7uJATw~ziu7WiUFx5aLNYuZ2NT7)bnfp4QP zKHriVa|GD27O~ZLbZ}!Y<13-NxNJOex7;ZRugWTlhs@wo80DuW7)w_=I1^!#;u?La zz+9_!N105LA}PSgE=Gko*4_fEJj{mscEu;7x11|d<%=hj*QUbslX+xcXt6j0mXbni zZGQdtC(p61{M1*fM6aS}#P1h^=WMTmyA|89OYqXWgDFC2h=K5MOfzwE|G%h0*3YN{ zOsLtiSUbJxJ6NcOZwLh|;m}}II3g&9V(ueQpv9wDgS!8*)~3dbM~5e5&f6I&nmd?d zKKmWlcqa-~i6ow=j*ruhyRGtIE$8LfQdoRk2ynP6n|rWKK6MIF*|-ZL5~_t=o*dk8 z^fbgtsDMne;^&Jewg@g-K^&iVXPG+RmKfC$lf|7~S>P_QzVX#)SRIBF!(dayLzav= zy<8gmVZ2+6bZog8rG?X;(yjx_Fk7un1RP4KV!6RMh|kaD zz#6fnj}JHXJ>=Vr>||(UtE-z&ruCP&A*(8l&;P;u281NU|BNIU>aGtD-UdVyH5_Juzy!%&zVwSFFJHyK+yIMNQEb(QCXta?(n1ZFQoecMo88+e zc#(v~(!@hweA2t1p_>?zs3lQq+rYN9?kkY}yj06(WiAtL|D8!+ibuFqw>{a0 zNj;0_!Z)c^xGr-GT$k+T<$5!(w#B^iq&|k0A%0%~5%-Z4!@m6L&uBr?>M$zqIqXa8 zD+Pp^41IW1E||DtGQPo02ohq^sn8^_t|MRlCsMEnmSHWw*JiZoK(7cfB_(k^vH5;A z!+M7P!wkz0=Pxs?1Z6DUDqNhTQDS;O3Q?YOuk%~-$@zM(`|%6_Gb}DEE-_jHO#9k% zK6R;tFmyI!0>Q+XQdF>UpgQYho`xjGyVkh%HY{W^D?bDr807VrPxEt?`25KT%O3b( z$&($FptfcYl!UKds0^6ATSI5CNSzLEw`=7!eD-dYAETy3$i3H%qBE2mC2u#por>%| ze#UNv_L$|}Dbo{xTTSiKKBFyxXU<@GN(c)o*AxW0xqnO`sgMhW#lxnmk@>3ez^$e= zq{JXYHNI#GbLwHAS2NojE6JjGmi576YWYB%VsB2o+hP(AEl;4^ARp_^Xa5_L;Jf)A 
zxu6uUI+EeEqd8&OOHE9+@3ib?>~@^t)qE$;VIMEx{%*-#Vgzw4Ql!s%ktH?OR^76v zPegHP$0_IbDUg&7^?ZC+nLKNFY9rH5W}c-7iJnfxz`(>9f~49879XwMF@#AKN=Mvo z5_iP|qL`0R!>$k}pAGWz@CQTR=DU-TDdR8idG$c7P05p%J4{iQ>d$V#|2tFw>$3&^ znz2J;B>gc%A2xi0s+;(C@~H}5ZD@&26ZG|`8IcMsR~TJzQIUo*&wRwaE!qz$5$v{| z2^)-=-nV+ON8OpMr%hpoVGv^62%-{=B3K^q!oI1HWbk4VsSlcxOmx_2NTMo`N5V*e z%qSFoiIx+ICNEqKXrkeW?aG-Qf7NEdMyN_<{i@X6JPIG~$74@RxLQ~|Hm)M$RC|LO<%edbSP{!E61~@V@2!pnr zlmeF7IAlgvh>UZa?hT|m%A@27I50&cWEA>1)9qkWdh&z;y*mfb9zyKXqzQ}W8 zMRW=$d`n!q^RGf^AwM(nREZ9y0r|-3ijYds5B}`)H%Rc$G@GA50(HM`1E2CP1zGe* zL7c&Br8SPR1%=yz`JCccYy-Lp8ZXohh}+22ysQ8GBnVwJi{RlKibk*EZkK{O4Bk+V zhi`mFWOeamO*sOtjyiG5j>qM)(2zuZcE4xmxLJz9RyNLCUdWMl2Jn?yyK%9}(j9%l9iPb^7u{ zMfx3zCQ;1d!x;X8+X~Mx#lq>F_pfz$Er#lTuyJ4iWSJ>oa~<)--zTU>UAu3I@TPv> z)9M!|^$L#*?Ild#ID)B@N|ul~id()ackuVK9C_2y3ND2~}{2s}Z5LlCR)yF(-E%D?L`gqw~vo9NQ7SlPQb39JS zl?C27Oep$*mKXP_$%BZ*FaH7o`kKKd_&4#+3Q6RVxSL$wyuBrQ6%3on77{##0n#ao zM3GtEia(~!AQpgkN*qy3ijzFMu;k^2n?s*IPCk$fpp$D;`xy{uCjAW%u*U4`tzL2K zA)T|mNJpdjw=jlm*6!~22j`Yy;kr}rOeTKJoZ(7aRBnPGL=|m41To@P zYJT-Aifb>EKCIAQX!3f|bt~vlG{tWkQoiti`9lfXT>`0@*IcVh>&?`s&62w`K9>!p3IMMowi08?oq%I66R4_Z0*(|Uu}Vd&1SK(3(=SXS%y?1 zqhBSP&LwZJD?S>f9Y!t@Puxo51dLve)!@g+SSMQHkB#w263nJOW3bzWZ@!q0{;w^6 znO|D|=-=qUI=u3|_&R2zWEJN2;l6P^f8mI>O{e9_XteFbJbsVt%bX_5h-RUe?Qv0J z@nidadiB3de1L^w1YyF z(AOMi9hk<7-rLAJ+;6qj$T3I|l779az8TV~awW@*E~{MNbV7xW>G|13vPjrP4+1KZ z<|HokAI4H{zZgqdaw#RJo4U1fUX3=Z4x2P@jmBo9c(t0epf9@Q*+P~QprCv`X=l%^ zq%=_N^I9G7y+R}=NoTXUHxm(iNT42)z7vZt;9lnGEihMg>1K4JyPYT`%;qKjB?~XT zJ4|ppAGAllcFWe;9hC28n3jiciG5xqOyX@{*WbmdD$EShPD)Q^7jK=ZuL z``JoAdecfy-kc(&GjQH7Sxw+m>H@Y@iw@EGIv$=F@`3qzAJl5p|JLC5#l}bK|gv* zKQi=}X7JxW8evyJ4jk6vFU#_KoBQ+~K&FWCZarUG5>)>G`M2#2*mT>pXllfNz6O3X z1wjViRjGfKi~im3Hh2U!ZD5t8^!bnd=ymA8ofty?k~#j;Muv_#ZK5x0v4qdU+2n11aRj zhfX?!U%%|f$*#o*2nVZZgarMcdha?8(Bu<`(Ya98Kfde-t{nlzXUacm4)1_(2H?qq zRcpyVk4+H;n1CPl^WZ-UAyrAB+k#}5I|cnuhyp$ZBy_#ZCh=z-BPQ51L*PM-;-7Dw zAaH&4-$W+=`PR7v-8xMOS-L;pI*`(k~2-8xhJsiA*-SsxOR;_FhU 
z|MA|K5d@o_v5Z%0{o~6lkVMyyIYjx7*KvakZ2JGT%Y2f1n-_T&*tOx$PH<3ve|(NI z6cg?GSx-rQL&hsuWDj4RIg57w^63w*Nw0)v0HfgF-<-Z=beT(;kk>@wr*}fXC%!;T zFD9+<*JuCU$U~vpgq}e)slT`R*YCg3ev#+a^CAEF>%dEdXc+GrJJfIdvKwd7#LjxQ zVk_bPz0JS&rwhv>joo%2__y8Ty2_;-5Rv%f5dQgytH&#$l>EZ5-*&H70f_SJaYcSR z7WVVR^!~BMl)vp>0N6bWB<*j<^8U^jdE@0Qs(-%g#}5{`7HPyRBG|tj%l|*szh1BZ dlc(DC?B3^k+qlQ(f@i=V2@zT0oJTsZ{|CiOpXim6Q$ip_x|U*M zN-|<%lu8b^=9X{FAP~)Z$_^J(wZz09v&W$ z1QQY=lhL603EAEK3VC4`f_z~D5f{lp?C2!n=beDbxw*aG+qpvi7Fua^p{{i|ao55X zKOc2Y38AEiM?&mGlAu0^g{-G!XnMdxG+ExVeoDb=_~4D*Cn<#|ZnymyL#MN@kjIWJ zq4=P-E|IDh1tI_!CyNQ^R}PnnMvD;i$bm>IT1fT}Z`g8XRx|c_y%Aq}VS+_c68iNrVH8jNP*0uK0xe2=Qz`oTJ-OYBDCiHV-uv zg4g*j&O2`X6Hd&MU=&%B3SJ?TRaaGj3wHuiQdTY%k`9zs(3>zkr8GyvTCrp-jYXdvg$7QoSX>5M61f8ayX(ES{i# z(}7ilk7Ht4!Ai06P`1WyVm>lF;?A1wF_m@|zfp;)N4C_<%A!`8RlZhN+`_9Yt1zq2RCdA^NXl}l&B9eA8;UrXI+;ZC%?^heEfKJ@8m zt%y9Z-185(sC_V`7Lzby+PI<~9E!k@&ran%vt-cMn4ex>x+-|>Q zYJbTiMT(!`*V`Vq^vO=cPOMgD8dCs;EkvVDXWo0C+L|wk}~JEn3j2u_TesvYcfbAxlmgY-cxp#2l|2NQ};-U#f7^pxwAA1RMgE>iM% zgL&5K-0H$=pVzuLR@n(IUUsv5w;mwt_V#N?z2e3EB=xQ{i9Tr!dC)n{QlCp-ZGG<;Chb!a2)@$wlu)>474e9WoJ$I5H_-E%Uy9l=@GRC^|Q# z{SWg5HeS`ZJN)yDd~q8N~{C3SJik z4{KVoY)EfB-Vi0$l+>fs{j9Ru%*EkNzDI{B9vbr!WJ z>ilXg`Q2ZF^2wARs#~bnXv`JN7B=T(7Ko1V6d&lTzIY;XRJLlu!o@;gET~;m$uUVc znKU^wiN;65hr+k!bUPe37CvG<;+;odK$xXb$eqcSrTAO8MA(MX6wA=A&v064JnFTk z_4%aq2*Y^(z^fk3NuF=D-REE5$DqvQ{5G9c>wG$M{DruuZ}?5kgdcCm^i1Qo>!6?z ziNp@ZP+~df-r{(TV)mESFOiDKb&hn9w74|~$6rn6OdU^fj@M7V9B;1vSe`xQJkfs2 zb=q+{Ncx@3m~@iNKfB7Le94hsCXXjCbU@RBeoc0*hP8)vO4p{oqW-dhtKP@;iT%{t z>4;vB;84?8V0ZgicALrUufDHcj?;2OOfy?0+>zY<4edy4OAD%NPinfoer3vkY~E~k zZ>IK%@nQ6-;XZm3G3nKv-krYbD+IxvC;myaAG#@B{CNOD8;Kkv1%>m$;|G^SZ}7a> z&%Hx@q?NnW@_k+@uQ#yYlr5H>ExcQxUHJ7>RU2VP?ydUwp^yvd&aRKqOv-7>EJNq( ze(M87vM)?u%n|srFzS$h@Ah<=Q2j~pc?AhF^PoHo* za`ti-3MD6!C3&++G3GI>O}Py2=+#}medp2V$O8_-{AGV|0x6+=ThwcO^fplA>_zw3f&hdYsAmavq-?KthQ zMhe2%6*}LEy33rReN8JR_dfT1?vj~{8QF^Q%2ltg`dbZwFHZ~J@bm3M(K`ot zuFm093}aitJJ-j1^>aFn6xU@N?aQ6xk)glb(=~<2ZkbOmz8OgRo(#J6zwpWQ)k>N< 
zio4qCwtYS4v6ix`?-hC5%+qp(bQXDuP#lyjEa420c49(h3<`Z=@AzRs*KS5GkwmOq4h^~FFA<(7@`Q(Fx%~( z3izXn_Gh87%O={t!DofFm5id~j4?#SOA1ns@BWlD;E-~dBJU>{wM0tziQjMSaXO`M zb1UH^;f01QK4W^Cahk6=pG`?kb(V?o1Mmi!SiY=(`B6xwzW2*5w=SbUqdl7`J1^JP zeBN-~1kWbLG{!>P_@(WvnSJNs```Rq?mCrZUj@?xbFwQwMtprAT2&aB9NN$joR^o7 zP*W2bIY>ugKp~vouYXGp!>V>A5=t3pc!HIr)W$w)r+ZGdD_EI3TF?Epoci`` zts396Sss7>1xI5=70bhTykxbZk=)8o9i8eOSDf>H@bwzc1F1iCu zv&7AEZ0Xd#1(2prL)#;v;+r)LW_&dASiu~nEVVDXpS4R~X6hICXlBc(!>nV5A- zS&dtTE1v)ENO@5>XvOnW(|uE1RnBp3!-_@BLMRnih{DsTOuk<5OLo!M;;q|`g58x~ zQjOSBk7K-(=B=;w`tD1!{TemqyM}uo&U9wc$U|Bvo~_@CI7%BP@-*(-EeAidccUZ{5%T{inV{q zw?;b*fzS^UHzIrAkWETVaP3fQOV9P6<8!3q_03DTm>nCVnktwwW{iBrsJNMrT0UNS zyxKe{xB7Kyj+&iPoWO;Emy(Y`A%;ESMa-9vK9ooD5nB4PqVmc*GCEr7658q_;aX%W zcb_@lPrt0GuBWW#f|2uuYf#qTr`G^x@GFE|v<{6X%Y>*Q$u;X@xF~hWE^Vm~aIP*3*9VFLe z_(8VJN28vl_4?(iT5|zaQH&2y)9bb9tnA>(RDoG#LA9@T&+7-yOhvt|+CTnSp<6IN z`nAB~Iarx~wI@-IEtdNSST347nRnUK(UYCt*|zCe>5qjRJ<~21yLywCj!NU`*KG$B2Nb%S z&^!%}7FM3_(U%Se-+j7>Iac?H;8fK0^YyuQwoj@qzZGvqS@y$M*^3R}$0DeBiy?wr zCgepbA-N;6^izTerBD40dqhA(_?(0tB`OY~G$t`$7d=sL(uc&eay;e7nu=vr<#UT} zZFQ~k3(;#;^Vx^CxD5CLEF(rs zU_fIWEJV*AEilV(u_9dO&Li;h8DjT4F3A8%#~(Lz^e>+D3H0GJ zvl9$5vuW;BW0Vb*(N086RZXt(pFg5U_+i;s*G=2|`?vh`PQw*TBLUx-w))Nolj+0Ejv-%YK{ zLukLBcJ5?OeP3ECrC+8Yp<$(~qVLRO$Z1q8mOq;7`FgTY{mrQmooC6xTrysr%lFiH z;QUml&can~b!9hfb|u=jOef1vm%V0fV%91s{0d`tP$)`QoGn5yBnN@kKG)u?e1!wQ zvd6EzM4d}&JK~Z|PEcRnyJ__Z<&>}gqss~FgMsj51#9d2pN-?j?w`-MdygszW3)Xd zWynfW&GZx-g4iVVnw{dR=(EnWDfUj@K7^~GvB{frA7^u9voJLNxzyHW_p`k&S}$9` zq+c;SExfUdq{esW()@1f;tVOT)Ym?lLPziJOXX3EJ%0=Bv~{3Ql3tr&17(W)q`X1Nn_M}uw_ zcI*TNAifd@8DYu``8U!xHze}UtuhMMo7NSM@!pY{M97GLDN$yI8zo8(6Abqb#%;S; zikR1*m)Ku8e{xP6K(;`%z(4eU`~}rVV`(vTZS>A=8V4NrfT5)FV40wT_@rcaVKjd; zB!th)WyYFE6NwW&6CD$Sj*0eR4mJzl9Dh3`JG3lJbTbWJg|K}zh`37<$;?Qak5Njn z`xN5OAbH$8Zge1x;w|%G8L2>M<8>101Qsv9yEOuWgaj>|nQI)w@13sbxi1_=7kbGC zohsZirJ{Gak7}ax?CZMao-iJXhdz8MFlxjV{6=mkW;=XagVclcj7Ng!m#%}}U~SXE z{DITS4yPQHGZe2 
zk<4xVAoZ2-$7|HW5i?(!bv;W;Dus%pM=Lif4~S2{mJV>&m{;5G9@o|Gs9ePb>F+eJ zKWwm#n=9C{C9V}XH+;2;eOrDzKAShEe;!t&5Jgv@szvg6(&56p zx@5OTca+8%uY)e_7F-@iXJ6)ztf@afZujA{+&>MM$> zD(lIJX-Rd6|JJwu=n*EFW}Z6gyHZ%oDs5 zg#6R?*DFQyINKiIcTg&RH0yUZ3BOS}o7v^wW+TT^+`-Vr7{!#q+(DuLDL|zlJ^=i% zkvA9kYw~;2^9s}P$21a*&Q_DT#lpXwIV+wZRY*9f)L`x@^)O9e@Xi^znzSwIXMeN4 z(mor+Pr}!rpo;w|C)NAl@oS8w!fH}t-p{^`CGU#4S};5-%0x2`o`3W{5|``I8m`MG z9MRsZL~`nL-q~Dj81d-%inMFJlRY!vz-!09Rib?t?Ek4vUW~b2gB(E+F*{DNGF`~G z`6##Nym!oVc3nY1k<5K>-^j*eEH9{~$il^om!E(CWTqx=Pxt7H@H9d7%^Th8vYaZf zSJpSV{tvt09~crbiw$>eT8PU3WC#oTJuh+&nGQ6?&SJn+6WYYtWYQ)f^JA65G)ZK4 zNrdgwVhjq6nMC){+umulz4P zlP547i4Z^c@`^)sScon*L=NfYOM*g;m+`NosFsK!8rh@1V%iN>i7-4~*7!5hp7=+5 za}Kv?Y*}MOHBSglLEP}tOjE{OULNuoyhet=1Y1Jj!7CW>O9Fl&5V)9k5G3#y2mFd> z!2bId<~9TFKd(i=cMwrkF&P=~SJlM9%*@8|m93Ms4h}Ck)TpJJrjw@p3qBKDYgQvu zTVpd;H)}iSE)W4XKJe1o%*lw-&H9avBcGcf)t@c+z-#EoY*dtgHgU2Nq|%gEq7<`r zFr$3N`jnNON(hybl2X9I)SOR6T=IT*@J^8Gm6MYl9~+yit1GMP6INRX3pNg3US2kK zPBuRqnU%4tu@%uN$9`hd%yGl{PKU_@y{u>{(H(Nod3%y|Hn7?dkU~Y@BDv^ z#NT25^C=i-Ayfgj|2#7xRFSr&K?pmzMb}oXTmSzmAtQ1R0hlNjrgc3uJEE|;~>YxyF*56V&R@XEG{wJc`Gwejz83fUAdEfp z#w8A3+7J2zzI^!q!Iv@EqSrV)F58JI0`4lTdi6Q@c`_d*9hSQuX?-;hpF=C>y1!y% zf00<+gzcFc+w>xx8ifjrLDt`e8VRP|G2NFZTeN!hP7Z6SuJ8O9PpPMjXcbs19moK?&`=Dg3ktF5PSiWZt#pW4m} zsF!(P9%ENpt_`GqI+?IYk5kT;+_-HEL^5lC_n`R;@`k`A1{1}HCd0M>l>!yo8$*hK zr|9Sm_v2{CkMg$Yd@xOr$$F|f?pqLA?^_gH8uc$~DtQWIbv`$jJKK?7rxO;#MOsfL zs;m-H_?%^BV;Qis1x-35;%sK>J9sEIQEJcbu8$O1FcO4>YK4SWiQX&SCL(71z5b}y z9V)DfMFTKEDZGx7d`|0>Rj+@?U{gzWp|Lem5@CtFd+?BMr6=yA%g$u?Vn^u7bdlEA zr={eY2F2P{F@wT)x~qffY*kic@nia)^7XEJC4s>QOPzAzB+s1e${ki@SzuQtzgj3V z>eW{s@68!tknx#*8Q$q-Yhiw3F%Y}bo6xJOC`fDIeG&&9FYUDVxb!`V944l{@hsZh zI2MCxEY4e_aflB{x?JbH^DYFZ@QQIF199mUY6lIm%3OA|&ESNh@EBFZ)^TO5$twS_%gQ#V-hkfeo-%!{qcSHes$ z;C)jju;|dqC9uYU+0%8r@yo2$4~EljUW8GeYCmL^1){NbjwT+x2SKLyZej#b%Y{HY1)A~b{l|zW;$JK z|D{hZ?lG;>H5P*ngD1mCv-g#3nt;3MaE^@6)kjV<*(83~6789f^osHEEIMC$$peEi zh0aA-4VsHi2pE(^UY6>!OjMYCBz|JP?$@f8!lc0}ilrCNtVLrx+qmjf$ug`&u+w?X 
zZwzY~ZBXYRu>_-pv>7xG#ybXrF~2yNz?P0dRifWSB7$Q6=zitvD1s}D%y+NtG7@Z$ zi-c*_v2CIa$(O?OUhPYoDOOD7tJ1#S#Vy~~t+f-y=cy271Pe+thF+1C+jbU@LD>zN zJ#l>~JD9vvC3SAuYOF*ihDN4RVI;K9*9|TJ`*=__4Qn6C%%H+lhD%d%_%APVLBH9{a4#sGf%04~rL0$Zp_SQaH+e4HJP?pcLuYd)v?@bYF5rpa=j5 z-|^;ti+OlhwQGgi&~3Q;q6&`mL0CkoPxAiu6ey#ZM-&Wmg#@Zy8VuSWzP{3mxIf!A zeA%=Bc}q1LudSkMj}LetvJ`B62fF10jE3Wwf8pu71O%;Y!TX7V#`U9yOQQ|d4f+yc z)YEwAAyQsI_*gjH%Eew@*IuwD$oaxe$H4hwUVF~p!Q4{VeY=BEe~oeX;p1Y>oN0Ua z^}*3O8|?DIn6TI_`MD?P5E0zpYrAF(c{>-_RID%=`E`+-{T!)Z_|=h4YkUh5bffcN z$Q?P=*4{!o|5{&@o9gwz_jdj0Kj0DN_Z9gq>2C_;chGrqwmWl@dY0~W_!XGFYFaJNe5{PTN$ErB|Bt{Jl33kLSp=WsU`@Db4BI*`iGG)yk& zA>9^$U^Z5wr&4QYbS7Ly#_xhmfW+szo3d&(UY0pec7{g49QD+4SUOuW{FvjpuIuIT zhDzZ}7Oh&lOw+zZ~Cv&SqSKHzP- zw-TJ_fqJkykjey*Ic~Db%1Y1wH1gtHkyu#Z76W>vl!td1YVUc@nFc-xt8p=^evVZu zQ0Y#3Vv(f|({VLvRVs6^*s-z@OflMlm+^C|(vmuXRWBwl-A5as?`PSEfx*TdA7oB8 zf13g9;*RuumZR9sVV z;Me_2KbE^cNIi$oT;xO$0X(y7evvt zE^t`ssXzY)ict<6tma7+DX&8pKwT#a)SL27@{a)K3!LAz!F;APA4n+(4CkJ86FV{r zJ(~DxF=pcPcP70RhRGfmj1!K#6+YXIA2>+vB|2LJXl=GVUcRZ&0-)#jOoRa4%p1p* zo?Hq0Fwxcm)x43*;4AN~(PD?i?1)6kCwcrIQ2W@37$HNujj#%b;FtQE|A3go#v zIHkj%9Fp6eKf0%Qbgs)qpKkb#12S+%+T#CuxPSEMI)+wmIS^Aw$;`Wx%vHL< zW#?&V_nvjAm${wcuzV9hgCQ3~LqmAS%Mfh8V8gxHro)pl135rZO#44QixKv{)hrE0 zU*(&AwyWmUq#h z-GJ%8D=~xt)@jePMbD`8oWgw>o7Z7E1n;q$bl~y6q=*2@ydqXkut@W8u3T@^*=%8( zkKKt_S#@jpL+<19=P#(4_3G8)t^x1K_4iFY>Qsdw(}@fIB^KRm!Lq1{aj7>Gsz40z8z{ZMM8-GjljU8 zexKPK$19B@c(CyAgl;cd+FFp-t_3NP$rJ;5wHAxc+p#fLH?U745dr`W$!L3B|rwz5VoO-^I@RTdiSULwpzk3g6dTw za=6;hG*j=4Hnv)>_m8>iAoC0_wy@B+E8mmu5D2tx?b!R%)pi^wb^0PSM0Fa#pL@>l z`QNeKzRzBr6LY&0OuU;?n0fc+fO?ZG`t&~|0t>VLbe$_tu1l~l=}BJm0Y>PY(qAbd zO*xDrvLRN(tM}X|WpKlAT=@QUc2xdRdN&Gh+l2nr+FvM22mCh}Uw!W{(U4lC!#1!@ z@81r50Lb#@j7}r(q2&!gDQosxxql!;4^Zrwzwh?n@xmeaEe{Y~W&T!$)(xC$i~TnYC}C%Y7n{espcuPCc!4~m;!#T(&FPyEaX)? zQlh7m=5;6os`w&HlaH51MDz8? 
zWu!p$a-!BgyMb7z`i=4ysq7n22P>R5R5pflLtmr|=^>&MQNkf%!~!sp1JnQ^6S>Lb zB*wt^M*T+^arQ6NK*R?QWB5}TMW(uNJJq3URUGqvV}_HJmN9~!F7CT^YfrEI;gC#w zVi`9V+~)m}aum~rUYm(!0%@TBQ$urxXxVTd?o0p?189{DfvfGW!_D5FqGaGf4Eum` zsql&0mKCVXM%_Axj@g`7S3f2rU55EYlqgnjcU}sWDE{L`zVOdqUfb=kX_kp(v}W`f z9Xvk}%c#xV&OE<7-C=S+T#g1$=fWyD=S7kVARdLI2LPvY!3=(lEtcuC--ZO+OY%o1 z74L%~=nf-(;v_O(YV3xbm6Zi1=wpX5J=cPjy`(uGYjoCG_cb#ADhxEwjt}^|+eFI( zm+RTX#X8*1Ehh7@p=91c#=#xwG~EW$YyHW2qdc*ffML;Ul;}>*I&BPFdd~V>S%-(W zI>DDvgtd00vl$4HN$WOwJWI^#`&(_Ix}ds$tXL#@Z$0sIOYx%d~H z76aRo$$ZYQt4?R=jVJsY$f7r~YAYUc+c0;3q)$lZwnfDwD{?}on>UV>KWMsGO?Ein zH&S0T@Hz;Zw(lhKDUE=Lp!0E>_0Zrmy*&Oj#^CDqh@Datc>Y+A4l|3-4a<~(W+n3~ zGHB69Vo&tR*R89V6Y@*V6FD$ZGOjs|?$psAthlcj($jxNKDEYXMjK4dY}Vahd5VRw zeKEA5^)*H))PsQ6(3FL7u=v$oIIazBa13WQHliTn<`X)emu+S)FZ_@cXzK_i{QbIA z>+5I9+D>y8i>@fqVrz6s*k}shYvr{$juk`QeY=7yoW5VwE=E8j!73sk(qmPg07j`z z`1v`zooFANF}hutCXAb?&)v-#5$d!LiyM~!0`_$x*M2O}h#qPGv24Vtf#D$~ei!vf zY#9i*XrLXfOz*m)shug{0>Ge1zsI44mnHSLNA?g?BAvbi7KO%{V2?ZQNVuPXzy~A* z0k?faf7nhnSVWkz6n>ZO{L$)~LwjDN+%SLH-RU~#5(;M{$dcSoioTizW-XO@Wxv*8 zDSoL)^5Ub5aVe}v@G#*-q?A4oGmbcas|%cw9n0<|ZDgTJw8K_hk^j!;MKc(R+EotM z9mcX@Y&1jNB|5Trr#JC@hg1~IW`l>wZemS|4K3<8uO1E&e21C#KARzN17%I@0<7{Z zMk70RRl?6r&EttqR|Mop@MxbzgwbgzR|^msyx~P1U?}*X?SA~DLfoja*gnkZbi7|7 zCAShshh;v8S{P7rLLQ+rprzd((YRNWcP~%TgGfRr-Mf zmBKdl$zBfTS_J*)>IEM|%6F0Os+6-f(tn?>v={uM{K3-iMy2c6eL6o;$S!^($E1?sZ)?fTzl%>?qx-2+e@_2~TEP!ZPYx|cB`G1$793T+JLuR>|y36)|=nKq2hy8g` zUhm6FE(XWdz8G#>eMYtXsDVAtYMiqNj(1L1o-qr5>`I;lkraI4)iB1IgjRszroX?a zI{+2+>Oq^k7f?-fP!AMn4{^Cpm|Y5dUvy>xQ7Bi5pp81lmwUcJh9~B&@y>oLmH^!CG)SJMT0IG}H05C`|4p%~r!rO5u09$}cne7+GYOhm8 z39ls3KF4Zc|tr785$yl-M|}cWSnhF&~xO#!O*Ov36I+ za|~L10HEW$uO?Y6M+)ECSp;Y8j+bW}mcuioU+p#w3a$w_Z>qTidHY+!8|Wv?>DqFQ z4lbW-w<=S>h`#j9>D5&^UZ2}r{{9k&PV!V5ZsG+=z~rZ=mQ-tl=^7oApXDEtJxz4_ zD(JKxl`&iIyw%g{59cjZ09gsI4n)B7i6j>sx#T)AY%uR9(Q0rhemoBRKBzI81Fq{3 zEOA*NhIX`^?}}??W6owh6@f+}r0(~D9ebN=OQZVvMT~&EgJb>`j|IGY)65gwwHL%T ze-}!M1f@cW55v%S4#3pI^t)>*?HU_0mMu)-Yf9(Mk!Ywc9&D$&0sJZ#XyQXa7hWex 
zhLc#5Fl)OZWR&f|T9F059m)Ha5z2)}3B^5>O)Nrxqm*fL|sFxK}iu zFNO{sw#n{}6nxa4y(M@YKo94*9*BfFdPu~Qbz@iju#E$e7x{DGnGpa|*q|^`2_P#+ z4hIuCvd!npi~^xPo=T&ez3TKDL0_0B#mTcb<4TcjXaOdg=R87=t6`rr!z^a}r=`-v z4PpN*ZV_?pkdGY{T}PLx{H~*nFp7_ZF)89<5m0Lt#{hwg<5v(#dYJ3G^y7hlLzCUY zx7|kbJc&>OJ_*B!eu59%;C7TleSxp?<&`{1(P5M4Sr52T=kA4*t+B#It_}0hYNHIJ znhg0*-VMHYK8!lmMOS!ubu%i##y`~H8wuRJY=F%Fa;!WLh*bbY;6;+i&s{=&H_=;Q z4gavavqFqygFhs0bKV#ARysd7oJ--p*f#5{6WPt~?q&IV2d20o9~UF##uiXoQ+V)j z@n(TEn;u#}^_T;+q2OilC*bpZ_nF)iLd4IwXAfIxkUD0_^ ztSw~vnMFFjf)g6=kLx7lXGR`dceG0Qrs6w=xH)#88(nfLjv0 z5Z*mQcyid<=Faek^k5>Dc^wZ)9nQGUp~SKj)kOz&VS%x@aN>;uD8Dqjy!02Gr?IE zvp~lkPgHG}+XIrPKc#P^D7@7c zv(B*@Bk8fi426Nq;ZX~`o(HJR+Lie-qb!X?i5PCcrkYv94)udU`^+=HFkbIm2<4-k z_KV`KXNNZkrc77F?|~Vx&f; zr~tXb#;?3c?bS4WNbN!R^D}2Mfdu^q7i*SCdPFSg5PG!v7%Ap9u=bsX9_b$W-d&|b zQCu6J>iFQj{PxA`(V~JAqY{c=1a`$sBv=BR$b;|n_FqvR8vZoV=%SVk!xESck-FIz zg^(j6|DZN3ZQnMrC#NPNT`-xx`mtj>knDBJxvJ|mEu~6W^LHp0NQj$cfdh8B3YLoT2q7q&^XvRyaQL# zpIWNy2ouc*y8EUa<;5O66$N#$vMyvYxT3SujlYj$n6fLBGtIcxGi~i}u;zD!EUraR z&J=62klKM9`xU7oNJX*C%rN&#^4O#W*M+n3wMA2%w}dO1B}5j5I;nPiFzZ~tk#_uwFi6(5eIe zm1}Pi z#$r?s)k^38D-mdEL!b><-+!BS#67mg#SWYJtMeG0<)+n*gAiIwc)~>*8GZcxIoptI ze8p=`P$5G{u~Tx89`ZoW7f4DAbF-dph0sfH-GTC!Ij0}!kUoz4xdLX)0yKb12TG&u zDB?e63@R8qV8x)F^N^wc$IVcn!D3UsQGjp%kKKX`wObBKDirS*@q8dKKrq<_grMY?9U&d$0>>pBd z4stfeP(rqNAdrG@O8Hc^Gel&@%42*@HpA*2JGs@4G^;fzK}LS{}{zjPYdvvHI;xtoB#QDo`hQNL>yHY8ezq6u)O@jkMJ4ZX1A(NzRe^H$J7%5gJ}d1q`i0p$ zV5(FR{a>3kJn0}u^97^ju-Zqw@iQ}U^#nvihPN%QH;s&x*N-7Jt+;fZNM{gWztoH3Tw-WirmrQW}q2l3|H>Xmm)m|yhJy| z(%e^xwaN_rcRiQRTj4Of0Hw`OivUl?O32oLULnOU{RbsPAA9;A@RFH^B8|- zvY!cbxHGqb3&y1MQmIUd4r<;M0+;^%m-)=tP&`H|(2=0wSK55}MWg^~UGTL)B`MU> zZbeArvetG7NCx5~Mr{IwjG~syO(rs3)4?=7C2~&pL(?Q)$Ils!Y;w+kQ^VF=0HZ^# z%?Prvrwx1qXn1XP6G8|EGH};~^%gkbBd2ZI3&ofrPhO1{C4mkJ2_%u)Q$TL21e&+4 z?*KoG>jsV@)JNJC7>8yj?Qd?!D&7DG*$5yj4~~_kxlI%w>5J1SMapLJQ!Ym_d4*-H%pbnOuPtt$hc&6x4H7JZAXhfw*1 z2-0{ms#9S*Csb8rgwT!#DRi7~^_RuJatlL`0r@)_M1=7>v?VA9}`hkshUkZX;j&=74( 
zBhAjrf-NCn7DV_kCopNDcoaXDHsJkN3tM1;F{YMAciaaOafsKowllMFVfRO)&}tQ! z)kQWQnm1+U9FeymTtQo%Gw|4;RqqOc^TWR$lAZHDlrafi*&EMViX8@yrGB0@KH3 z=e@CvCTt}8LZ1ct@cg(V+ybbS4ptxd5yD5Fy8kZ$d#gXxR|;9D;4}?EY;I$DaCQwm zn%@#LU(}f%ylXdciDS|jz3?gvv?5{ks$Jl4jRgPKQG4*#G*9dxh*P~DJNCcv21QVz z6wWLZ+3f|tn=H^&%fS>rQ6NO#r>2D---Fbwz zR;2O=ZJMjQJ;h`%tey5|_23?O+gGlg)kGE`Daw)e^~DA-h6?P%-&f=mMamwB^t%<| zNHGI8-C9bheX0xxc=qqpb$inQxoOo$3yq~7QLFM^zfA_W3KeYEhF*I0#rido4|*Gn zNk*k44eT@Hu5$=b&08X3HuE5=Pz0RspHohv0bq%=;b;w*7s6xH*G)ef!@d5S(%3!q zcT>KOpj(a_coc94+9-BmAb3Io%$3Jv4uKO7pidq-3WD$JmysBLpJ}9sP%iWO&^x7h z|1)a7gPcLQe8&DX;V&~$204V{NKJa`-)0NxH}JRGf*^@XMuO?%>RRkmxJP3nnN|UL zvudM>E*`GOuYlJa8R>r9Puf{d#{6%Sns5l7ppYgl0Y!*voUhV{IRs_vt$5J0D3u4(jsY+Hs$oA-;6A!PKieNH zeYEPu;Y+b_akW3G_M6fUGWm((|*{JEUvjsIogGHD2Cp zCWQ~eQNFTBnB=jbk*hYYZo$&04?s>7m`c6eb6(V-8_jV|r`fA+d#=R*)V4fJ(82aI ziy?Rrta4~(T;YCXes&=;X;RW_{q2?`n%n(o?_*%1^o4MSY)6}c{mbj}a{pmyn6W+E z#4q`hIaaCJ%RT9tRs4%YcG1TgB}F|H#B-i|f_1=}Sh?D3NwEC&xm(Y5W`!IN+69*8 zb7?uz?A59V+pxbn-7y2jwcY?kA)=LLAW$;9K0kog-WfLKthZi( zMW}o=?|V8A#DaI9vl6KS;iFSbYTahbqkEEJ1&S*I_sPE=*8Cf=+$hPRkQ$ z@5emo`nYR&zpw{`dMkW)5xI%!H4$mD)zT0Z=(_mkpc4^$1KQfaVe&&7pnWcA*n?(b z>bsg-cc4anAiQAb+1GtIF=D$5L(tfj%w0NaF(mVwcZksnTO*UI2 z1=)^QWw#uD(rE&9MS2aRR{Ci)e{w+SM)-{D9XP-5a#S9JxGxTtDxkIveso`cAxP6M zt6M-GWMxPZd)ab(Qo7D^%=7JoY{+WowJ$g))HS*!k%)XF@b_4t)POunLGCo3Nkd^y z9bE#0&?{d@^SVGKSB2Y`{Uk-mTN~=`9Xg9yv-NiD_ejP|B?SdAQt%7%`2Gh)dJQ- zn8&x{$Q-Hn)r3@>GH2}^`xT7n&v0y9uePNYWDrNUrCkf|pFvKejn5DoV7tj>AEKYZ?H$}gpn&k*=kFEL zV8AL}{wI~#N@(X0SUdqC z&{sDS$?Ni%@-+0%t+rmkhaCog;~s5RWx3737q)3B-|Zj05JowT`djchu-JQM-=vPO zMd7vJikAJ8Yf(hVJgzv@9MgiQ(f4B(02CVq4ZHcjHauxM@V?tM()!;AltA(!p@dD` zmoUm0@E*88CR6`DkOq=X6xQUgR}Na4Ou_qTue0%gA0Wp7xQc2`{P&colE8bKIl=0G zAN;?#1o#{6S;{SoQ+7(b?QsrX_ro0BdM6nj5Y7HamZ58R()~62X=q@insY4Xn!TY- zFa>G_!z>ncHZy$PDZF1nJI8vw0n<1dprvBfwsX5L&(l^oAPj&H&XbM&<9k3MYutf& z_iq>uT@xp;VaYap*2K#NpH?*$V(aE75}>)PynO(lJr+jF6t<6mxtgKAE| zyq^Gcn-|@(!Fq~I{ZeTg0gYh99}7`zJh&Ck&mZP*ailzeQn)){%0hi5caSfywA|g4 
zf;d$lYIA`Y3i*RRs8psv2#LnYpeKQt>`zlhU7_9H61nL7aHj>Z-Y+>ir2`K;pF-}B zY7af?LjjPK$9nG8NyYhg$Iv2-o&tH43mSe8p^a9cFYVb@nNd5`E*>t?49tfyYi)B2tFl)m@%wVrL%;&a(%0P1U0 zv{+(-a00bwHv8k4ea zB;G+&L{RdWLE;bxnus-e&#%6z1!JSbj+W>Zj&Y93MNGs)IemTYAwTe9!_b6%G3ar}PA^Y`=T-ElM5)m+!-JkR(0 z^*+lhUYel4&wY9D#(UOnKIoJ1{3IA;+q|EWyQXSWFBbKBv^DSJTX4Gn|MvOxOZ$Fz zdYa$LirdP3{~n9-pa}o~Dq$G!g&sRc6b7!P_|w~)eEr&9YjWIBdn+uf{;R+_jh#Ru zV;R&|mp&3;ieC)}kl9F9UFq(eeb$0KLvKLw(O)G%HppAm5MKbnWK`gE273xh?uA|z z%dgx*g0buvwC)U?IZweRV8fvN1*oxTCc&v4Bw2qdW#=br28-d>Hw%bK9Jg1UBs-=k<2A_%?a;ohQ`MkPX=QZPDZpWw#ZO+nRcURToYI)w&zz?JNS= z-ukiZae_~I!=0Y)JpM-A3-!KpuTHcSSVf^QU!MZ_z2W8k%!x2l$>l}1fUWK5`Ug&N zXA1!GI}ZJbsM_+>GsJxk`)60O{Pq%l36m^{+7qOKNg0DjlMY=&Vm~xANru%j@z%gDoi5mmR};HPXtuLcUb1=C)zLM zt&7cyH^^oaglyK<>syz*?QveftEK;gi9rIyV!Z?*9v&X1GnrSa6eikszk!D1e&7;Z zD9Z97&J`C*K&Rfx?T_;nsbq>!#B48~uq`hsiIwU)Y?^Ho=EfEz+3`oozLR1wl1|}# z-H8l&@h10S#KV5LQ`-nV49g+)pgIiJ1zY3n>3wTV+w3LN?NxYH8X5gd59&MMb`De7_(bC~ZSzy~Gw+P%G zd9YRJoTQpgG>Jd7PqM_C&FHs3oBDssDIQ`@xr@WzZsuo74b3sUV*Og3war=9&+;d_ z7Ahzek<<^tuJhoje7$V@m7#ZR>L}2T%mfa01=(TUA~#1Ns!QWjY2(8}Qqn+tSix$&a?83TpPOfJB|Kr3{j=-Ad31GrUHWh^`eM`gM8Z4m> zGyi@~XOPGx{`Y4006AM{rhy(6xysmE$U+iE&|0F}TX}d>6Mo5FQ@i{H=apHeUcSGN zTHjFUdRxhJrO<5`{<;4k#}ruj`L97W+ne09kI&6u!v7TY_M(#p!3DLE&3Nde?kx?9 zwrlQK*TEb%Zb9zC7kjC41db_gG<}awbgQka-TZJbClSlxEu+z9Uxk&xMNj^h@>a@w zhTt|JLd#-UxK3i(D`co`8e6@Bj>cxuLmx~B-}d^n&2?O=gk{Pn5$(;0MGtGH@8%uT z6I>hmkf@CYk7qp5#<4DSt~9Rt`9*cX`#TuayGnc1wbTShwzjM#a9Fg!e&0TJKi)6l zMx%HxbA(ygW+TJ}jnI?y4E%;_dTg)PA+?I&o4dS)E=u=(kQ3cPBPsNycbzRSByG0k zCp%}h`F|`6KIw`M)S&fb9GYBGLA8MEn#_bkhrQ^ZwDXMkg<9`nxS(^4f6#=jVm!S% zH{O#Us||vr!fC;$^K(QBdw+T}`vlQ0cA|{ebil@aX2~UsBRE6j-{K4@$3}QqF>thb z)~;ciEVFTStrEa--OHUdAGBa0n+9jc)t)>`_;dV4GddboIL;xH61QR6Gq8M-0kll5 zZ>p<(HgW3A`KMS{y}bwL;cRjYJ4|vGZV9x~Hs+HuEAo)4E@*Olw-rsmq-?iB+YOcm zc%4Z9QQ~?&O6kGAM%pTvOjBDZF7x=!+kbToRPbPR)o+7X3GgX0SV9#q_LoKud}~=; z3ZtQv$PHU%@@WF7@w%whNcq6(gEA`pvg`SR9A7R>LynhP zM2_AcVD;GhXx%*mI|AkP~As!xVwE?;Zn8D3{s_m%-6?g{EOtp_K(X+SUXe-FwDgX 
zGB7yt$8-+;Ch2Sp?@vzF;zYhT}xx7 z9Qj%MOnL$%P+im1+1A^^3O4m8A?}mr!^kd8LMq;23RRM#$ML)K#$oD5!Qjn4?;Ote z`grN#@>VzE?Ins=p;(WWY|LZlmYxr{piU%REgiCfQzg*jE{jRJPX*?Ypz2+6j0AOI zQg;avTYDezGMXEh!3Z}2760r0YLZ1jZq8`YY&3!=w0Ko;6cu&-hG~AZ*MQ>bYFFUk!HgQ{Mwk zmmKk~-_A1>PtYqTb# zvW5C+^voEpD@pJ5)HIDO$&mJGdN#ns&T&j|$UA;_q_lQ8PMR>h!;tXigM=%RXk+=EdoaCuKMOF&ZIj+jrzI3@hYr zK0sYs#2=~m64A5fW8mqdj3bD5?Zgc?^BTo0U#c4H2>qo;l*lH$r}s-poK`~&kYk`b)z#s&i-f~*Y!7a*Xx!2Rr*j8GYj;E7IgG8hUFt1z1QQ?(1)y91{( z9fvN`hMd4rlDU+5rFOC}>@#_+AK_z|@2C69VEEX0rR&S?%RZ;wDuG@*@Y~A+T46V# zO14ek1b+z<1>(-F4i9e1nZfWAqAa8gH+NnYTI{0hEuYQ=fY$&6!Ow)p4no@d%*=dN z%xj5-y13;pM>P3-saoE=Tf2IXTM48x_mP=7Wn>oMgB=IW7nSja)4VsvFJK7U$37F; zycZela0{$g+poY-@>?-W35>A6U9^yIWTzdDU4%WSLXLs=GbsJIgYDwcV}`T;e(eJ7 zDrkHwrtsp9Z@e-lQh?oZ7Yfxbnb_Y0G2<(LShwm?dt+t#WPkOLz;->g32q3uO)}TX ze6L)arR@(P^!Eu@Zw{$t$)=m->VCIR`XCXNrsCkIgQMGE7`bTa)9VyhDMEJk1poW} zbK$#V8pgrGt5iUpB_Sl(MAB6yM+&EPmkl|M-&a|hd|0+m`?ui2R)aU6o+B zINv86$*l2P#k4<$t8s5bz@hw4YK4q01;Uu^Pe35lf)L6Djp@Ok6)Ix2$6A^!f>rhc zgY*>ORvWdNo4C}6Go-1Sqla^8bf20ZO{Sj4SXD@PauzBw410(8#cts{WFF{+!t4TX zrioUbce`I9IBjJ?@-_47%I8pQyCuaIM5>=3t_-`%`hSkxQj66Nyz{SF@0ml;o(MpZ zB>1@FI$SK}(Iq@nELt)ar>}hR=X7hI90EF{L0_y#g=K)vB;)$R{XyaS;6>kAakG4e z?kX-;VV_s$6VF=nPoV2${=7y`2=#cP*`;$L4-+WH;XG-U$toY)FRWCV7TtS-(J%=e z7Y#q&Zv&Y}dS<;*_-E%!tmKb|0Y5E^#H%g0;HH{0gN%73{;Tn@z2Om&O(+@Zp`Uvz zZM(I@QrscpK(l?^*-Bv2jKVJrWv1MXNN6=$>*{l)Z1f>#dPmqa+%L&e%J#QqQ83j~ z-15xF(C2iw*D)h%KxjzY;^P+QGBE_{p?#DQi;otUzDv_BVjnbed($&xjS;UcPA&ZS zXeNpG?S zDk1QvG`-u&V|ltM-)2X2{q;5&b4Zc3BDP;u|L?uoaA z^rHnTW&C`3DU4Bz3M0HD)i4?xhl|oYWKz8R=o1txRh{rdzrc=Nejb1tjM$)m4n?U~ zZeRVt$3rXQ;60dfDR<8N!s<+mott>B|9FTHE=7-=5&l_k$Q=}18@W=O`vSueu~ph)tCDHF&`f1((vxQ=InTHaD<0j93VM|{e0X5+#e6}A}H;hmtXkt z0~t{X(PMM0Z%hftT}~pkr`6}Qhe)q?#?C*(D4&Bn) zEtEUJS&NNwguGtt&7k7;a7pCDFtd}u#PV_)?{ zebx5AY;R24zmBgJ?L$xDyHn#%*1PB5uJeL)^}?YCa6kM*O#&zB+3^AGx7uvv`-;rV zUQ$S6TS+@8cX3Y1#s#0Y9>$|_$C>RIQ2%6ID3?EHLv1Uu_#tpC?GmGn9 z(EXgm8;wFoXmm1D?;eO|P%ptdcWMPypa|%1YNfZPxncAht94?3g7=~1GUHMMi_N12 
zy~!L}2Ll)wcI-rU0bt+s@C9%-s`AYZrKQOmbaj{xV7V0tamQ9=2Y!Rbpb|LpTG-_) zq(EeN>^p#wY`+Or%bEaIy^hrt7j@dp$VLUUqll0Wn|hbJ`SU@P>9B17 zxRDyS6bY|;E1g;aA%rT#50)@u$93MITnJbwV%hoQ!@OsdH`U^5`&)jn9>o#ATnB5^ zJ3!Yr^+;$C@r2jsfIkQ0Ltqb&DCpoin_Z6G1@Cjm&#SGPXx_`LOv_#qS>2-AneL0- zfihnKw@hVp<9h{Q;8AEH6KsjO`(6KaT4S|aVq^Hyy9hMpt~0WS)Xj*|byfg;VwgYw z^rld;1Q&JTQs24?_0KM5q#>GuFOOur35K1EX)xlN&^kY#$mRd@tH)JFVKJlqtAANo zPYXY7(%q{Y>xD~k->)CEl%8ZhuOUv|MzMAM@vf)#kP%%~^Li?C)1lDgN!`h$l+&I+ zak>F6bqv9TBenC9f7M%Rur9l0^+&|hjc8w{1e#8G_*;x|dk#-uC^x}IJB^jsMq{H{ zK5qA3E-YDYcA-sr(T*Xo>9fx7NB_*Xj5(^I=Qes?lr8ZX(|Q-2v}`7kYo} zX{AgI$+cokVi++=@&ay3-j(THd+L)wq zz0CxqXac2*!KB!UIrjXhSUSAj*30s-XWm-rCDT;hq$j-zu)AvL7?CfLrYJtqf=UVMCynCGc&hANb+(-PifA8$K?j#E_kHY+j zb;l83g7&Ue8F%mXP2P8%M-7jTZ@t&ye5##LV*KM0W~^uS>aD^$o!l5q+B$93c?`v= zQo)h1I;B}~VX&lGHH}0TjqGr*2W%P9e>+Ipo8FG-Hk^Bz=fsj@o>M7L4}mYi^XqBP zH%=ksu$9>kPZ@+N0W6~m0F3(5=7q;*WAa>#Pb}G=bn{5pN;N7N#MtOBq)!R7@wh93KA+0y z0A1r9$$8J^A=5e#hG?(O0^)87LY3R23WB?Kr%*E_oe<0Q_oo{}#h-p5p=m@}l{U&X zJL|9+^fT8XIz4g~D0m`$;hfiplBM|@e-$7yp zlwcWokA*vza&AVk3mnu2QhLuAE8h;KTW<=Xug^3u#Xx8N5O$K(?H)V`qj;vt#)nHcfa)4K&g`szOdwX$eh8lnCobg^Y~;3oT7d{W{3jwC9PEhi4~<_maq(jW?&B z*?dB@`Z2l7+-?9;wzf0ag_l$b-!#-dZf0Ns^vbz36BX;5!itI`V)N6)$< zS~+41J`4z`%YqU&FjWrAHjt$Fx%@lU&P|Zs*#!=12*hQ+{?t+12k@$MqQm-14Wc~G zH@l3(SNxf%UT;UH+xB0DtLF;EJn9Xztn_l|!WAp%$>m>}^BjUx`YTRvreRuBo&U3K z`X=#W7py&LxSDGu{m!H)-|X*esGxN)fM1w8`Nb>_qR-x58tsLyj#SFsCw9g2Cnhfw z8Fa81_6>stx7$qIJDuD1o{B+%v}sWn{~?E%p~yWIucIowuC?>+SW&Ho%u7?K`1z>; z;Ju{j)1%VLpzJjPNty8_9j#KUdsLZbXT>6sf$Saw~0gq=LE!!s- z(|zS)V!#HBDt#bONY1#7s9}}x8U50q?7NO+ghnA|h|gSzXmGJu&C2p(0yr<`J6azU zcUk*NUCOlbtcd^>+%^X0RcWvgYA0RZGmf)e4SNr3CRi>qlkU!?Bc7M65E2Xg9vE8* zDa4_BpgPw-O9#V7rEi_@)p23a@KEq$Di1IlU+B5HUQWQV1+H`W{8W}s=7Lc&*OilET zNRg!Pw|pW?tqgS})ePbt8R&|ym}&kl+719DEGRJb^*t(F_?uh@;+ku3nEn+o`$t6i z@Vt~nA^gv=`tv%21{kChU>8<3LWG@*o`4f%@oPa*+<@5q@hCmM>|-Ylx23$W_fwne z^a)YA-G?r?D$DzsQrU5PB^2`tDiy^fmV@I(nJHx z=>HcIQCZ=opHIL@##^8zT)RT9!QJ#kukeWJ5}&`_zouUL9`I^jDY@_1!*t!qB{GH4 
zX=m|A70{u~lc$&lB?&Dv(*}xO4x-C*S9I6H4y_RKcq`brs$7q z^?HKTt5QT=-}6taq_dWf!*P+r!hv|#ZR8o3*{nqB?;MoC9+*%!GsBwOaDA(`Z@goZ z)y|C?QHEy{ru14P>ndDb*psF-yw?iQ56D`N7P@~WY#8?x9dLeCYh}GQ^r=^xP#s-o zLsizvCL&`DWVt-z&DTR605S&y3_Lj^?*2a*m}N}qUX0aeMaJ4Wmp{J$t8#Z$hPg}h z^NO;^l~!8lG5VXY9t_)q+Uq zGZXy{n@xiTi|l(f4Tp;Avd2Qody%km%vUnon)XA9R0nHlx8`HP5ev}~D9ju)4%r1G z`Sgdg6}B<4Qvlr!9(W|W{+o`7+D{GC*05=wtV+MI)XAG9&*Ah0-%@1Vlp3V~+i~2c z1~?5bzTH$Ck8ySidLC<&KDf581TMe(1hH0Z1r#4TC}wS0fT~D=$a6>74)mPzU}2ex zU}5K&(jTBEU4c?14mMjgcu zlh#62NZ-|p^PLv-JVJw)HVx55kj(Soo=Av5Nk`B<=7DDX3OlA^D_|af2AcLM$o#er zg1)hxov^t83qJzS!3Sjp=Mf{scx{`Nfb))vho@KdY>aA=yKv(wOz83A_na?3A2u8F ze)kYMjFV7J+CG5t@si4fAjRUku@u#O@0FWiM8ndbfgcZ|cApA42}gN+R4L=%R!G$X zt9^k=#}yLbr|L@K6g>q;hjxfrz9qGN;MD zGilA^R*0fm^wu@{%WDGo?~^1Urwac|&*d!xzQw4i85p53Oz?d*t;7rao5P+TZ^pB* zcBxhPi!`jG5IfNkE@LX)ad-03S|Jki@{ob|FbugPISpEUe(T_bcyqV&fxQWc^IbdDxV4>Vsx9f=&w;K1BzH!_7BoSocjM~avsY>uF7!0<5R72aJ>8Oe$l{(RD2{`x! zu-%Z*7ZP=nII}3EQSS+M|7VF@j+-+OpZ*p3Zqc6J1dRBsxkJw&ra-x!n_@_~=muci zck$Wnf@Zbutf?#s9JD(qZ^D_jvAvyqCTJJNAF$P_v1D`X;>yiNb2SLA0+lU>#LFf2 zEefiJUxUBj1cN0|Rv&2;!XuggoTK%3d#JdSq1dT!4>SW(46;x6ch`16Gh1#o1N!e9 zxS-n0LYJ>hIH06gVD;8%=r%z&Vc$M8(k2P4nqN8gzYhitDq>@LTQ-sjttgcFhdCAF zk?~qj@=EcS$hw^V>9jQYfV`@c7+g316QOa8K2nCGOeXri;wToh<`^{e6Js*)U%{ z^W0yYMiEN4uRiKS2iuwTs>fZhek@A&zpG2(M-CCPQdN>}9a zrs2t=NxXIUCricd-(hBP_vysl2Bk+xR0|jX)Dj3XG*S||{{=5}EdgK9@ZGKi-PaEv za$SwbLf93r@GwzyETidB_Ex+OB^UK=a+k~xz4e2bD_p(VV2LGAWZYax+K#&eP|{$7;+EKKW6`j25B^!f7ZoPrM>nckj_dY>5Ee8!#_zob_ITzImz{c8W$ zFgkbd`VmR=Lc&AMYFhPsYL2_U$mOJ3_>GSnn2_6DX7610e&+@I+YEl^*rf%IehKeL ziRj!n!brfr%E9WFUljg{9MZ%%9QFLecPB-){;f_&wJsiO&ruIm#hX(onhY5S)rs8@ z4Y~!XwgUyN>+@VI2KB0^WJ}Gi;SgM-k3h^uJ(`EpYu73v6T30w;bp;mrRd4++Aw*J zsltC(mOS{!xbX*QZJ=?@{`F)*$sTS6Lt5?~#gh zh|>2$QL4*zut12&>c!|?np@|QAgRlEx9a4feQ~gi4_OScL&56F&;0V0b>oSQ<_b&p zgo6|2!fhT{mG*;8i8{hN4qku0_<-WEn4v5ZhK5g=ExNvo{;S$Yh@24f8 z62jpzFhsu6OQQv&s#P&+C0W)#Pr#B45oD3XB(l=)u;bqWRqlTX{t7!mE{;-MW0n9R 
zN47TQdz--Nif(7Dgr9l?Y=0)S;YDWw-I^{ul?+o0vJdIpTWxWWqU(m?q+<37fg(`_ zp^`W7t8c+p9t~y0Vti*>QjDZ%pg8T@fA!lFXvM04>}PI*bW1X_l@hSv*d|&Y`wscs zv^=nGhV{YDcwJ-w(v!2fEw-II3vx3jV2KyOooj;x-U+&U#@y^^hYYkAdVw9Si7=m? z26hq&7$MQ`3$YLa3IVP5xfC+>&O=`JPlLW`SgLWsUso|p?QM4#1``kS=zcIbfDjIE zRc4wk>VR3j@VoLF?;GIS0)_yDl`><(fCI6_ibA2yvB!>2W5LC!1hZ{vp{B)U~CUuh-o7IC1mRz5s}mVKp) zs|^~WgduRO8$CAg&tuYF$1KK6FL(~rh~xoMoi+Xoc4Ia?5*~gtOa!gN4XvnXG?88o zL+L)qVf<&yAFlKmy89vNFlFbPv&H>q^Y08!{Rgwa8=Hprhm9%QpfvGl>Dls=@MB_p z$c&G;^q0kN-~I|#D(_E*F?6TpHrQCvRETT-h>=4=;M4XljluHK$R5i<2x4bJB%)J} zwt=hTf1$a)3nB%!UMP6}FNiZk#y&gCNJW;@SV!Jx04hx`JzHMZk(Of4LwtK$+@7Ml-zPeOSNnfdB*F*IVkFbm!ruHo^%J`GbK>iFieu(_nR?rmf zx43>Va-JmCl9zH7K_v-AQq`~~sos)9h9Q2e%jp48EDd@CenCZmt5o`j*}QInUe)A? z0g6wwv9*Le+0mX^e&~Ufr|l1uMC{lAkvlIj6c&NR;M5oKalzB<#SqE*et*g3Fr&s@ zBoj@(y>R%uF3jqV!##W&zIb$h+y{_C-jYA+A?afwg*kBhKFDY*6LV_<*lPM0lDup#CzpK--JTwDQ`Nlw1`EK%5Ka7J_H zdX=2hcW-sz%PuOC2!oTNNy5W&OxxT|$ba~_%~%;=yUO3v!s0|T2`VdLiZq-Pq_RJn zjLQn1xwWx^6Q_of%Ra`JE%%&f-rM?MAGJu_qn=Umu&Ng>^tu>pZDiQ!uv=0`f!%CJ`w&l4WWt*pb zt|R($V}s{V{kb}F0>(0dU=A@ wx?1Y(zVZKey1=OSxTNeKaidHw9qnAretIU7%X8)kvH|^sycXwxScXxMpcMTp~gKKcN1b2cA!QJIf-gCb1oOSP? 
zJ8Sh+?XIe)s;hT**WNo)QCS?ABQgDv*6c?D_z2S%mdRPp)7^ae{Vj(U7 z?c;zbCUgWInh;tH4cUil(x?cyW6A^Xr&qoX^K9oc9~E6)U6Ag&?jYbtwpeUzY)~dt zM4VK9hej5hr{@#g_67j%!5APaSo~pd7@vo08LIf@_4(}N39c`?(eMGJ`L_Jl!=AR4 za8Cjtp@xC|Fbpe3e*X?|kdv?B^$wuH5W<+1^RXk!7i~gZ0#nrCm<~mIxUG`YfiS)L zqO~o9tQ8)>3!N&B3LQ`nU4TgWK9tl6S0a<9%37gJG_Cosc3Y8!kYPD@1~k+iRTe zR=7@eOJFzTg(EZ2-$c3G(Eq%h!5Z0KJUTwM@Y}1v`h|bXLD|5jvm^Acy1 zeNm#ejXE=QP^s}dLIN~dp>tHNb9{jyLnDvE)F*C%2^>uOsCy&_5)Il6E3;?=ei-cm zQLZK18E6qp>;*V+G8p*+N{tTNm~||4`_p#PD<NK*+NfFk_@z7n~TJn<|AI3#6|~|@J-%p(R9$u;KwQ~ zbYsf~M&i9s(k%|lTk)}RZ?-@>V2;^IUEnx+-+I-;ORyDEVa=cE(5>bKT;sbC)}J6hfh^<6IyDW%sxMivwgC%b ztEBeiyGlaV1x^0ePaFdK4Es>~Z2M?t1g!fC;{|UrINnTgBP~mHoacGiMU)>i4=pen z`N;?qWA+8F0G^HbEb+`MA2T%x3$pAEx~w{8-VDIRh_BmM$oxU*P*e`+F>uOnM58qQ zWv>!r6%ucM@?3SH-#q586{dT@953N{!HEj1{?3JN1ye)e=h{-iCrlkQ=E6cm<}?mPUzx{jVLT^brn z4Tncg?H`fgDw`0LlMs~@g$}5^8+l~DnKwQ03*bC`lZ#$L2>3=K+ zekc;ZGf|Ry*%Od21)-KuQ34ShFy{iiW{{==-DZ%zejq#GAO%Tm(V`0^Z;@v}ZT6DE z2ysRr)eEmBkWiqE3ezQEn*cIJ+!7FXk>3j%Dk7!8*#vba=u$>FrUbB0>X zi;3%BA|K)gjkxNPG~`S;yo|}~wCla=Kug%ipkwG`7&nyge#adX$45>H0<83a@&44E zEC+Q5kyfcSR9<*sgnF;`mhU<9J%JB=H<~}5KuBI65IqC_Hw0A z1{Hj?D0U%*Qr>}h42c=WctmOBV&rs$z7$0goK*I%Y++)9q-im0v39X~@%s-5!AQZh z!9Wo*5z>CCuu3FjB>hp72AJiDV-a~0oTN`9izC1h0bETyEZl0mU_4eldc0NKa9jaa zw2Xnwm`rxo66RE>&+m?bq#x@2+9|cO8PhpF2<*{Zsa$S&O|C~*c&87{b4W-Sx3Rp$r3Du2V z59SN)N_s(m;)IP73F^-xk1{46=88j$%gcGr8OkBedB`c{3g-m3d9=l}3b(pBH#zYA zejH^Ou$>|t^$qCAed0pRk_a2lq|OAxO}l=z)MMAv-5}Xm?*x0~o%i~%_%QltKUm#A zKJ4GWzh`(bei(nKy-+}OfWw6sg(JXh{d}&M0Gbg@pz=^WkJ^GIbt5${pebM};4i>4 z7TwY?QalG1L|)~gii{?4UHFK#l)+NB*eS2m#)Dd#M=Di8muVaf1E@(Q_3I6x$T%l#Ud0kcn!LDjkTZA_>Hx$_nC9?I|0r2rVO2`UEluwWx2F zZ&Y>{7nBPva#mmHsmQVlUe)azGq5vISMzDLG%~MHtz@pOuOM>cbHj6kU0#2tF2>H; z&iR&7m*W(wS8@~p3l-)CY6R>^Og5lQub}a^v_AeIo8gKlX_&(yi zCNoRFepJH|&oSB24-4MeRsplNjQad4kW219?Dp&?_e=7l^=sj{vWZ*q8O+cHdangbgpvc#f=q|}h--uC!*uT(;U}pyqFUx>p>)u}^iub`?ruA5 zn{xZt7Zt7dCo&EXYM0%yKN({622LT6DxYDvFvYXg}47A!r17kz`gK@)u 
z1_-0F3s!#~{Vwq6xsQWkr!YKINReJkyr&x_DQEd3(I9d8fSHz(k@BjVIrltQ{w2B* zLwi;`xcSx&VMc!5Mi&Q!#q@`aVdnPr@%l0Q3xFw++(L0d`#UUi#3(QSKf z(`>`w`RtxEW;{^@=G!RmxH@3GW?ZQW^qGIYeBN8{?Ks1v!Aik=UcqPtPwDM-nR=@u zh#5O)Zey^TQiL*Iyf7PAz?7`z>{g$+eH<-b2kcq>??w4#)di7bgM*)er9 zCEPRGdm8r#g{bpZd?~l#nsDcQJNE%O%+H_|k(b6_5;Jf;Q_J9Tc9bk_=fFDOW?b=;)ASN&anC)X_(JZUybSh}Y` zY`<+m%LzS2@%6!hed~CHYt^|6+%%QfP2#uhKyQ6?%3j9MWc!V;)3>v~V@Ie|&fGrT zPW?zMG@802w1Xa4ufO7+>A`h(IhNW;@2qZID}NVqBYXXL$KSQ@dSaO8y!pd*^{B;8 zW3AQg*ZqE~_G3%C{n6TKXOU~^OU=-Fv)|3@g7@K_7VMV~E2q{QXSj1j$6on&TbBvj ziqmz==ds}nsAv369@ho~z9!f8XFC_OTeI%QO2+zMDfl#fvTl&BZ0?-*!IZ#zJ=LBR zzh#yhX1_nF%ayN-HMM#2FmgUV7;pQFCa2n$t4XxI-ze;^N8nw6D^aAJX>-ogLc60VT!QRC`zON3= z7U1)jXP|oPd!f@#(mT{@*7a*f?`lAoDN$KehQhr3QBVMw_zDwnj0`v;QKquds=Z>z zN08#*V$)+unmr(GQ)9*rph>_{MeTR^!W)PnG+BtqB%R@CgT?sHUOa(>CCT6eW@e~T z+GtkhlvB=Sj$8m=!VUpW7Eb_}E|0{&`v(rGz;;I=w-GhP6260zLzRS}vtJ%1ZTXY={YCUer6u-eTLuTln07fPN#DIc^E^kM+Kq(Y z`SOB`iyD&SzDGtkRR(8AcXWi8mZqn-w8Y0xQxWSE3*=4ey%Iq&sy+!ulLQ;we9Tnr zWm<61xhFeu9;h4%SK>(2^|X=!9dER%a8!0GTUZ!DYtIp1qG!AQPH=jtO zj?7G$h~6#?9v9}EpFFlzwVk=?Own)Pb;|(r$oZ*a2g^_Q#tGC@YQ3&8Z@Q1Zx9fTCY)q=Rn4KD&Mcrv{AQDCN z5VIY;3OY*~WN>z#JN%yQN~DkP5bqeS;r-+3^`JR^1r03J%ZhQ1pYF!@S?5xE`{v~I zwo0f{epa{%>r?ku#x0lmdjDq#ywY=NM%K+aQQ?dAK*a~Xd$~j{2@Mv|fBmg@sa2z^ zsTqqQ_^wkj?I37QQf`ZZ0^T;Trmxchg*Q4%>_zab56-y87{dXfwf0_57>hXMVCO>!m@QEWGCE)s4U`6Q-v*`$hOKawlC zI88liAvq;&DQ!)Vm=;JdR+CWq?HhCCnp#UEk1M_l{WZdM3%)3>9g7naJM-)p5EBL~ zxZa?7K#NgpQbS=SX61HOw^?9E@kHY|<%r-+*wxjE)gk?6>vF)u@4{=}cO3lut*HCK z?;`u!Bi$!lBb2uI$MNW|1mtKW}-_IZJCkFOw#1wcxFUpg|+X2K{G_S%S{0))U;CDSM4q*t4i|Y?6LwU78Zra=kjhS@u_}y z5N@BkGZFH&?oS@tquMsR`nApAJ>8i1;-mM{7qi*to%*I}#eVuk;fDTg&czMG*H1-MQbecawM-&*x z7g7A4(y_$Rw0@5nt8px#zXrrEaUAzZD8r`*^6lEcg1_aSOm@3rM4pPxmbbNSpXppO z^89vxJbu-HlceRnB1Kq}YpScz5egL3?RH6RqAtACB0jqb`2^iUVOP58xde0unj09+ z?DUQ}%=EV<>K5@DPb$QIjqM!4Z}C5QG<#cpxPvXN^>@rB*4BNydAqA-ulfL>{tP(h zgbS!-4?=|cSSxXg$_L090km2|XLJwVpf(0B0? 
z14|G!MWD*#(lu9btQQK}i=_jT3&gEgbnAH6)HL!}CoVMpX}rL@{a!o8(PGwYe|p{4 zdZPT48mf2FeekKnK6SJF#2&Ae_ujzb5bd@8b!nq?Q|~^eMLvP5Tt%1o{8v(5uRcg0 z#%#R%VzOyc0$BF;d{b$=?0@q75xSWKB_+V_9KTNlA>mWX2M~GcD^A8I_CWG&k#o>J zx$^gHvKA?<3gV`SG_j{b#96)rt{9}SDB6DBA4zp-ON2}O1lZ=mtKpvpqqlc17U6wD zO#0xIvOQu%DJYY_;dbJlCd!Sj$7sda%HqrBPJ~TxB;dQopbKZ3P8u2;SDJH}5bsFt zn(Wx@TyBT8WqWjb!gsFwT#RV-U~tk(Vkm!nWLzU}P?*z~1?AAZiWjOksL|rn|V zXin+qDF~@3=}L)cN(_q5>)9rI#fX13%U$q2G1X=3Vt6b?Hj8bHb(Ra8q?lx7_^S0s zOMUtCGS@N=&zj@&Uey-*vDd%}e8W(;-f)+Ijq=_4DaSF8=%d03iVn&Gsub!8JoOAO znY`!}x!#?o4t^el6{qLX6hcdZnaV;Fl{)11oHUn3Hk~>Y3sg{n`W9rlGrW z?{B@LKHDd)yJ@UUEOlbClo=U`ab!9xl%2|E0z9s7{+%^p)$Bbe-VJp^`4_^;zE`3$ zW12tPig4z%&KhA|CR|Sr_dDji2EW6e+MX1xZ*_1v@Ep}>y@dy6^~#BS?pG&z&-bAy zRiQDD-@p5+WbA%?(R<@SUS5IF^X%Nv&TFwWw5Q74&4-JJ=lo{9CG||_szP85yZOaN z=ee%9$;ZO>r6lmv2n@0T?q`voBZuZfax*kBq4QgU_kguv6SP7aR8{^%^h0_re8K=m z2~^_@Cbx`t6S|-Aj)EA5yN5=1emdS=px@g((+5#*6DY-KNc|=uG}OS*Sm8aJ}Jlc)Y|K(I%0K zr}Fjnj&m?hC@`-l$v>BwnUnUB-Slw7dlprSxKh3zfW1k z*vbtQa|R&5v%cXH^bVkd29SYOQ^T%QS4*=>AltzMs245xi)eLNXFzfK*kY|qdShLk zZ92Uo0t**$TUc>SAYU8QOf{s;bTDfpAceh7V}~0CZ9q02V^gAx$*@ z-Tz3TK>5)B!vnbgDhjEHNJ&Acim{WashzWhy~`<3h5`aLZ>g%`q9G^CZESDLXlP<@ zWXkAa>+shE!0W*cVQo!a3`sm}ZS0)6J^0A}(cp&gf4hNXB>$+mSo4u-$SIPD*gKh$ zurYpNWFq57AR!^)buuyIRu&ciw>jjBkIcfw#eo|Lba!`WbZ2F>cQOYub8&G2nOJ}< zEDR7024_z@7efyQJ7@BLf&34SsHwBDlcj@;rM(@=UtB{Ydsi1eGP1vp{`dE(aF zFH4ZKsgsDkEyU1;|3CTtxAA`q|8K*8Tx$NuB^&2|d;BlKzYTeTe+T|wiTGER|LKLK znIC}{_`g%ek5D}$oecmW>`RFXsd_-2GPxgqP*??tNOr|gBrgED35Puhi$D^;C@_vnjJsg)KJL)y z2?_0zad>})j!wtXzxC~yb02-1s575F<(lRPw;XMPbJpD#!GY2SWKifNQ0R3bf*dkc zGjQ+;0QiIeDnX^aP{DT;g72`=^UJj0lD|m?z(@uZj#>XDFrO&|m6|?M$t6N`0b;3( ze+j$>L~cbYoAnP~6kYAVU?K8(;fyb0f3Yw@de9I;VL%EMRT0W$8TA*7rlRx1U+^Eo z5ILgZPt3nqimIN-{{#{Wkz@B2)BX)Hzw8npLP($xA##QgDV4uikU-h~9q761;=*Qk zXC!5|v?6G6*G{FjjF@2ShXh`|hqr92`n?D>#7{dm6tR1c5*7=XhV1#PNJ1@N@LJZ8 z*_uU}#GpA);6`?%%^8-%ZcWhGct_=E$uzvS7Dz@$Hq+s5-_a^7AoXJbW-U&YQaBd= 
z+VZ5)hgEUmBzfHb0|-=8WP>*M`tn51#5A)&t)5d`T|HPLlTK67ERcL0pbOW^P|_ectkD%wRmEgsVX3p4r?XuuJF4hXlEBA3I$hxKnpN^HB63D237n$d z(kwm<)9+GEc{K6>ygtSsjjZ~KwLCMiqLfQ@UAOn>b39)(Sx|I-46&aA8I31qdp&vE z50lsrW9fA2m5!fH$Mv2T?cJ-vJ7-0CY%2CdR9IUK4f9B+DlQ&!=hicYOx4+@h>2cZ zT`}9PeCe{DD^tqgbR@$D>cs>E08-M^ceZ+i;Sdn|?k{#$iDp;YoT-&nR2&axNUsm) z5qE}SgZsB<*t4>-9FCWmQ&Lh4eilo?AtT#jxGlTwj-U+;4jN8mFo*HjKE)!3`76+W zTFp#`Bn|~Co*WcOr2RU;Y^>`fg*u)(A4}7*8jvaAPn7KU^Rn{mULNL7DkZgR7vJ*e z{SCcgnR<^)mH-#R5e{X3dkq>8^)S-YYE1Cwc?glmO{uR#M+HAC4!MaC2ifoBnE>A!uesh0UlF@!fp-@HQNkc;U(IWF_?a z+65B}ODOCaa$eZlwhF(a*wTgJjaC)=zT2jnTPX&+M|l*TzzQUy2M=tow`A3W_4hpd z$M4$L7tQJGZpO9mPo3EO?kaJZ+?7){UQ<`TW?>ehUM>L16blC0&Yh6?U-|`~JIWAx zCi&t4SbKii90Wz-A%ch5HxhU+dCG={q`!A|a{WqDl9CEfqRRI7_6#p~N85AK(!PQ9 z#AGQWGo%}7Z^UD83y7x#Tn|&Q_l_28k48W%$4m7hh<8En5$k-P+!z|2!Bc}Vc&v3c z%Ph9hh>#8EjBG2jEXs?|0tCW%SUx*5G+OXaKwl*6$y-sFtmTgnDHAmDxhIU0woYUf zK=BoMX_6n01u6~4de@NoYS5q;1u-d$ReR6P^khd>2166#rhSY_J`%S`QhrM(f7+^K zl~$E|D#>ow!R@yob_E#g;!A4!l~D9Q?eClIsc@9O1b;y88%?HWwqE$G)9Ilkkzs0T zYJ2l|ds4YbSzA>l>gw851N`-l1&d@jo5?WfHTf1D%iPq|(tqzBJe?8$h<8lXrGk+byh9}+bfms08o4#BQ52I3XveYIWTH*z~I_WSww2?;|bL=tkSFHj{F5L$gI&VY6N!;pEhaZjUh2(8y5HwS#Q@9=9;OIVx;t_wQXXXqma;{5`4B z>JtMa)X}V@ZJ4Z1IeKR&B?OXOzZVkq3Za-3-_3{l5_0Pd;z-+s58eKlzkEvIPBQUr zjZ!r|(ARR)k9P8RC9nGavq&kAKx8a2G0{uU<>m2)TPxL56-_BpXU|sA={qeuyP5zN z30eu#$tQe#opw&IYYR*q9BZMpsH27I{<(6M*;;*pfq?;ox7Qb3CW8R}W?s)NFnF=1 z>-O2Ug^VK!vceG{TQg`ddIgWQO*GN}u?jcx@bndYMrC{yW%8vW!dcUgxh7?P`@Ebd zBb6v}eHpmj-JT7kwG?#E^)D<`k;?P;l>s|-x-VcKdOgU%{+@vq5YPMSN27REpEPk_ zM6Xr1RA&fnx87b7DsQKZg^6jfH%3L1)zJ@<;h)s1gx}v6Z)?v(WzLaQ@LU zAP^eX=xTp*WO8yovAjwKlm4nzBphY_9m6kxEaZ^bkoa+OSI+Hsg&YPWki(YXzsf?v zkyPmK(R8Ohpt2(A>sckOtn2%oF}t3+86ThcAYxJ0*B8)~u#?-i8u4wiC`L}c zZOu2`Qz`N>hHJibZ%EhI-`~IVk&TV*F_Dhd4e9B3%*6MwkPy!0Hz{#n);74; z1X2+f9!ALN#hv~`#MR}9v#=1IwtTHs$+S?%u~ul_%GP|h!dJJeb90W*8|!ZO{ZHxZ z7&mddG2;2TLX!wf?|oiR-~5PT-kudbbRjm;#;%t&@plyG$M7Csp6wlOhn9?gf-5QVT++gCJNjU+ViZ(64uN-& zBUMA