From 38116e89fdb8a36db94a8d1453912bd71ea53013 Mon Sep 17 00:00:00 2001 From: gchaps <33642766+gchaps@users.noreply.github.com> Date: Mon, 10 May 2021 13:01:56 -0700 Subject: [PATCH 01/11] [DOCS] Adds link between security docs (#99669) --- docs/user/security/authentication/index.asciidoc | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc index 805ae924a599e..54142a6fe39e3 100644 --- a/docs/user/security/authentication/index.asciidoc +++ b/docs/user/security/authentication/index.asciidoc @@ -7,6 +7,7 @@ {kib} supports the following authentication mechanisms: +- <<multiple-authentication-providers>> - <<basic-authentication>> - <<token-authentication>> - <<pki-authentication>> @@ -16,7 +17,12 @@ - <<anonymous-authentication>> - <<http-authentication>> -Enable multiple authentication mechanisms at the same time specifying a prioritized list of the authentication _providers_ (typically of various types) in the configuration. Providers are consulted in ascending order. Make sure each configured provider has a unique name (e.g. `basic1` or `saml1` in the configuration example) and `order` setting. In the event that two or more providers have the same name or `order`, {kib} will fail to start. +For an introduction to {kib}'s security features, including the login process, refer to <<tutorial-secure-access-to-kibana>>. + +[[multiple-authentication-providers]] +==== Multiple authentication providers + +Enable multiple authentication mechanisms at the same time by specifying a prioritized list of the authentication _providers_ (typically of various types) in the configuration. Providers are consulted in ascending order. Make sure each configured provider has a unique name (e.g. `basic1` or `saml1` in the configuration example) and `order` setting. In the event that two or more providers have the same name or `order`, {kib} will fail to start. When two or more providers are configured, you can choose the provider you want to use on the Login Selector UI. The order the providers appear is determined by the `order` setting. The appearance of the specific provider entry can be customized with the `description`, `hint`, and `icon` settings. @@ -24,7 +30,7 @@ TIP: To provide login instructions to users, use the `xpack.security.loginHelp` If you don't want a specific provider to show up at the Login Selector UI (e.g. to only support third-party initiated login) you can hide it with `showInSelector` setting set to `false`. However, in this case, the provider is presented in the provider chain and may be consulted during authentication based on its `order`. To disable the provider, use the `enabled` setting. -TIP: The Login Selector UI can also be disabled or enabled with `xpack.security.authc.selector.enabled` setting. +TIP: The Login Selector UI can also be disabled or enabled with `xpack.security.authc.selector.enabled` setting. Here is how your `kibana.yml` and Login Selector UI can look like if you deal with multiple authentication providers: @@ -292,9 +298,9 @@ xpack.security.authc.providers: order: 1 ----------------------------------------------- -IMPORTANT: {kib} uses SPNEGO, which wraps the Kerberos protocol for use with HTTP, extending it to web applications. +IMPORTANT: {kib} uses SPNEGO, which wraps the Kerberos protocol for use with HTTP, extending it to web applications. At the end of the Kerberos handshake, {kib} forwards the service ticket to {es}, then {es} unpacks the service ticket and responds with an access and refresh token, which are used for subsequent authentication. -On every {es} node that {kib} connects to, the keytab file should always contain the HTTP service principal for the {kib} host. +On every {es} node that {kib} connects to, the keytab file should always contain the HTTP service principal for the {kib} host. The HTTP service principal name must have the `HTTP/kibana.domain.local@KIBANA.DOMAIN.LOCAL` format. @@ -386,7 +392,7 @@ xpack.security.authc.providers: [[anonymous-access-and-embedding]] ===== Anonymous access and embedding -One of the most popular use cases for anonymous access is when you embed {kib} into other applications and don't want to force your users to log in to view it. +One of the most popular use cases for anonymous access is when you embed {kib} into other applications and don't want to force your users to log in to view it. If you configured {kib} to use anonymous access as the sole authentication mechanism, you don't need to do anything special while embedding {kib}. If you have multiple authentication providers enabled, and you want to automatically log in anonymous users when embedding dashboards and visualizations: From 7262ac53c2ade6cce273a4ca56ab0fbfc128c3b2 Mon Sep 17 00:00:00 2001 From: Brian Seeders <brian.seeders@elastic.co> Date: Mon, 10 May 2021 16:38:32 -0400 Subject: [PATCH 02/11] [CI] Don't do CI stats reporting/failures for feature branch PRs (#99668) --- Jenkinsfile | 2 +- vars/githubPr.groovy | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 4c8f126b4883b..db5ae306e6e2e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -6,7 +6,7 @@ kibanaLibrary.load() kibanaPipeline(timeoutMinutes: 210, checkPrChanges: true, setCommitStatus: true) { slackNotifications.onFailure(disabled: !params.NOTIFY_ON_FAILURE) { githubPr.withDefaultPrComments { - ciStats.trackBuild(requireSuccess: githubPr.isPr()) { + ciStats.trackBuild(requireSuccess: githubPr.isTrackedBranchPr()) { catchError { retryable.enable() kibanaPipeline.allCiTasks() diff --git a/vars/githubPr.groovy b/vars/githubPr.groovy index a2a3a81f253a0..594d54f2c5b5e 100644 --- a/vars/githubPr.groovy +++ b/vars/githubPr.groovy @@ -64,6 +64,10 @@ def isPr() { return !!(env.ghprbPullId && env.ghprbPullLink && env.ghprbPullLink =~ /\/elastic\/kibana\//) } +def isTrackedBranchPr() { + return isPr() && (env.ghprbTargetBranch == 'master' || env.ghprbTargetBranch == '6.8' || env.ghprbTargetBranch =~ /[7-8]\.[x0-9]+/) +} + def getLatestBuildComment() { return getComments() .reverse() @@ -234,8 +238,10 @@ def getNextCommentMessage(previousCommentInfo = [:], isFinal = false) { messages << getTestFailuresMessage() - if (isFinal) { - messages << ciStats.getMetricsReport() + catchErrors { + if (isFinal && isTrackedBranchPr()) { + messages << ciStats.getMetricsReport() + } } if (info.builds && info.builds.size() > 0) { From 59f42ec148df30c60617e3c56794e2b938037e40 Mon Sep 17 00:00:00 2001 From: "Christiane (Tina) Heiligers" <christiane.heiligers@elastic.co> Date: Mon, 10 May 2021 14:12:24 -0700 Subject: [PATCH 03/11] [Saved object migrations] Collect all documents that fail to transform before stopping the migration (#96986) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../migrations/core/document_migrator.test.ts | 14 +- .../migrations/core/document_migrator.ts | 13 +- .../saved_objects/migrations/core/index.ts | 6 + .../migrations/core/migrate_raw_docs.test.ts | 162 +++++++++- .../migrations/core/migrate_raw_docs.ts | 121 +++++++- ...nsform_saved_object_document_error.test.ts | 60 ++++ .../transform_saved_object_document_error.ts | 32 ++ .../migrations/kibana/kibana_migrator.ts | 9 +- .../migrationsv2/actions/index.test.ts | 12 - .../migrationsv2/actions/index.ts | 30 +- .../integration_tests/actions.test.ts | 47 ++- ....0_migrated_with_corrupt_outdated_docs.zip | Bin 0 -> 444632 bytes .../integration_tests/cleanup.test.ts | 2 +- .../corrupt_outdated_docs.test.ts | 154 ++++++++++ .../migrations_state_action_machine.ts | 7 - .../saved_objects/migrationsv2/model.test.ts | 283 ++++++++++++++++-- .../saved_objects/migrationsv2/model.ts | 214 ++++++++++--- .../server/saved_objects/migrationsv2/next.ts | 16 +- .../saved_objects/migrationsv2/types.ts | 39 ++- 19 files changed, 1048 insertions(+), 173 deletions(-) create mode 100644 src/core/server/saved_objects/migrations/core/transform_saved_object_document_error.test.ts create mode 100644 src/core/server/saved_objects/migrations/core/transform_saved_object_document_error.ts create mode 100644 src/core/server/saved_objects/migrationsv2/integration_tests/archives/8.0.0_migrated_with_corrupt_outdated_docs.zip create mode 100644 src/core/server/saved_objects/migrationsv2/integration_tests/corrupt_outdated_docs.test.ts diff --git a/src/core/server/saved_objects/migrations/core/document_migrator.test.ts b/src/core/server/saved_objects/migrations/core/document_migrator.test.ts index 1cf408ea96a56..45286f158edb1 100644 --- a/src/core/server/saved_objects/migrations/core/document_migrator.test.ts +++ b/src/core/server/saved_objects/migrations/core/document_migrator.test.ts @@ -11,6 +11,7 @@ import { set } from '@elastic/safer-lodash-set'; import _ from 'lodash'; import { SavedObjectUnsanitizedDoc } from '../../serialization'; import { DocumentMigrator } from './document_migrator'; +import { TransformSavedObjectDocumentError } from './transform_saved_object_document_error'; import { loggingSystemMock } from '../../../logging/logging_system.mock'; import { SavedObjectsType } from '../../types'; import { SavedObjectTypeRegistry } from '../../saved_objects_type_registry'; @@ -724,6 +725,12 @@ describe('DocumentMigrator', () => { it('logs the original error and throws a transform error if a document transform fails', () => { const log = mockLogger; + const failedDoc = { + id: 'smelly', + type: 'dog', + attributes: {}, + migrationVersion: {}, + }; const migrator = new DocumentMigrator({ ...testOpts(), typeRegistry: createRegistry({ @@ -737,12 +744,6 @@ describe('DocumentMigrator', () => { log, }); migrator.prepareMigrations(); - const failedDoc = { - id: 'smelly', - type: 'dog', - attributes: {}, - migrationVersion: {}, - }; try { migrator.migrate(_.cloneDeep(failedDoc)); expect('Did not throw').toEqual('But it should have!'); @@ -751,6 +752,7 @@ describe('DocumentMigrator', () => { "Failed to transform document smelly. Transform: dog:1.2.3 Doc: {\\"id\\":\\"smelly\\",\\"type\\":\\"dog\\",\\"attributes\\":{},\\"migrationVersion\\":{}}" `); + expect(error).toBeInstanceOf(TransformSavedObjectDocumentError); expect(loggingSystemMock.collect(mockLoggerFactory).error[0][0]).toMatchInlineSnapshot( `[Error: Dang diggity!]` ); diff --git a/src/core/server/saved_objects/migrations/core/document_migrator.ts b/src/core/server/saved_objects/migrations/core/document_migrator.ts index 1dd4a8fbf6388..4f58397866cfb 100644 --- a/src/core/server/saved_objects/migrations/core/document_migrator.ts +++ b/src/core/server/saved_objects/migrations/core/document_migrator.ts @@ -62,6 +62,7 @@ import { SavedObjectsType, } from '../../types'; import { MigrationLogger } from './migration_logger'; +import { TransformSavedObjectDocumentError } from '.'; import { ISavedObjectTypeRegistry } from '../../saved_objects_type_registry'; import { SavedObjectMigrationFn, SavedObjectMigrationMap } from '../types'; import { DEFAULT_NAMESPACE_STRING } from '../../service/lib/utils'; @@ -679,9 +680,15 @@ function wrapWithTry( const failedTransform = `${type.name}:${version}`; const failedDoc = JSON.stringify(doc); log.error(error); - - throw new Error( - `Failed to transform document ${doc?.id}. Transform: ${failedTransform}\nDoc: ${failedDoc}` + // To make debugging failed migrations easier, we add items needed to convert the + // saved object id to the full raw id (the id only contains the uuid part) and the full error itself + throw new TransformSavedObjectDocumentError( + doc.id, + doc.type, + doc.namespace, + failedTransform, + failedDoc, + error ); } }; diff --git a/src/core/server/saved_objects/migrations/core/index.ts b/src/core/server/saved_objects/migrations/core/index.ts index 1e51983a0ffbd..ca54d6876ad75 100644 --- a/src/core/server/saved_objects/migrations/core/index.ts +++ b/src/core/server/saved_objects/migrations/core/index.ts @@ -15,3 +15,9 @@ export type { MigrationResult, MigrationStatus } from './migration_coordinator'; export { createMigrationEsClient } from './migration_es_client'; export type { MigrationEsClient } from './migration_es_client'; export { excludeUnusedTypesQuery } from './elastic_index'; +export { TransformSavedObjectDocumentError } from './transform_saved_object_document_error'; +export type { + DocumentsTransformFailed, + DocumentsTransformSuccess, + TransformErrorObjects, +} from './migrate_raw_docs'; diff --git a/src/core/server/saved_objects/migrations/core/migrate_raw_docs.test.ts b/src/core/server/saved_objects/migrations/core/migrate_raw_docs.test.ts index 45e73f7dfae30..1d43e2f54a726 100644 --- a/src/core/server/saved_objects/migrations/core/migrate_raw_docs.test.ts +++ b/src/core/server/saved_objects/migrations/core/migrate_raw_docs.test.ts @@ -7,10 +7,17 @@ */ import { set } from '@elastic/safer-lodash-set'; +import * as Either from 'fp-ts/lib/Either'; import _ from 'lodash'; import { SavedObjectTypeRegistry } from '../../saved_objects_type_registry'; import { SavedObjectsSerializer } from '../../serialization'; -import { migrateRawDocs } from './migrate_raw_docs'; +import { + DocumentsTransformFailed, + DocumentsTransformSuccess, + migrateRawDocs, + migrateRawDocsSafely, +} from './migrate_raw_docs'; +import { TransformSavedObjectDocumentError } from './transform_saved_object_document_error'; describe('migrateRawDocs', () => { test('converts raw docs to saved objects', async () => { @@ -120,3 +127,156 @@ describe('migrateRawDocs', () => { ).rejects.toThrowErrorMatchingInlineSnapshot(`"error during transform"`); }); }); + +describe('migrateRawDocsSafely', () => { + beforeEach(() => { + jest.clearAllMocks(); + }); + + test('converts raw docs to saved objects', async () => { + const transform = jest.fn<any, any>((doc: any) => [ + set(_.cloneDeep(doc), 'attributes.name', 'HOI!'), + ]); + const task = migrateRawDocsSafely( + new SavedObjectsSerializer(new SavedObjectTypeRegistry()), + transform, + [ + { _id: 'a:b', _source: { type: 'a', a: { name: 'AAA' } } }, + { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } }, + ] + ); + const result = (await task()) as Either.Right<DocumentsTransformSuccess>; + expect(result._tag).toEqual('Right'); + expect(result.right.processedDocs).toEqual([ + { + _id: 'a:b', + _source: { type: 'a', a: { name: 'HOI!' }, migrationVersion: {}, references: [] }, + }, + { + _id: 'c:d', + _source: { type: 'c', c: { name: 'HOI!' }, migrationVersion: {}, references: [] }, + }, + ]); + + const obj1 = { + id: 'b', + type: 'a', + attributes: { name: 'AAA' }, + migrationVersion: {}, + references: [], + }; + const obj2 = { + id: 'd', + type: 'c', + attributes: { name: 'DDD' }, + migrationVersion: {}, + references: [], + }; + expect(transform).toHaveBeenCalledTimes(2); + expect(transform).toHaveBeenNthCalledWith(1, obj1); + expect(transform).toHaveBeenNthCalledWith(2, obj2); + }); + + test('returns a `left` tag when encountering a corrupt saved object document', async () => { + const transform = jest.fn<any, any>((doc: any) => [ + set(_.cloneDeep(doc), 'attributes.name', 'TADA'), + ]); + const task = migrateRawDocsSafely( + new SavedObjectsSerializer(new SavedObjectTypeRegistry()), + transform, + [ + { _id: 'foo:b', _source: { type: 'a', a: { name: 'AAA' } } }, + { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } }, + ] + ); + const result = (await task()) as Either.Left<DocumentsTransformFailed>; + expect(transform).toHaveBeenCalledTimes(1); + expect(result._tag).toEqual('Left'); + expect(Object.keys(result.left)).toEqual(['type', 'corruptDocumentIds', 'transformErrors']); + expect(result.left.corruptDocumentIds.length).toEqual(1); + expect(result.left.transformErrors.length).toEqual(0); + }); + + test('handles when one document is transformed into multiple documents', async () => { + const transform = jest.fn<any, any>((doc: any) => [ + set(_.cloneDeep(doc), 'attributes.name', 'HOI!'), + { id: 'bar', type: 'foo', attributes: { name: 'baz' } }, + ]); + const task = migrateRawDocsSafely( + new SavedObjectsSerializer(new SavedObjectTypeRegistry()), + transform, + [{ _id: 'a:b', _source: { type: 'a', a: { name: 'AAA' } } }] + ); + const result = (await task()) as Either.Right<DocumentsTransformSuccess>; + expect(result._tag).toEqual('Right'); + expect(result.right.processedDocs).toEqual([ + { + _id: 'a:b', + _source: { type: 'a', a: { name: 'HOI!' }, migrationVersion: {}, references: [] }, + }, + { + _id: 'foo:bar', + _source: { type: 'foo', foo: { name: 'baz' }, references: [] }, + }, + ]); + + const obj = { + id: 'b', + type: 'a', + attributes: { name: 'AAA' }, + migrationVersion: {}, + references: [], + }; + expect(transform).toHaveBeenCalledTimes(1); + expect(transform).toHaveBeenCalledWith(obj); + }); + + test('instance of Either.left containing transform errors when the transform function throws a TransformSavedObjectDocument error', async () => { + const transform = jest.fn<any, any>((doc: any) => { + throw new TransformSavedObjectDocumentError( + `${doc.id}`, + `${doc.type}`, + `${doc.namespace}`, + `${doc.type}1.2.3`, + JSON.stringify(doc), + new Error('error during transform') + ); + }); + const task = migrateRawDocsSafely( + new SavedObjectsSerializer(new SavedObjectTypeRegistry()), + transform, + [{ _id: 'a:b', _source: { type: 'a', a: { name: 'AAA' } } }] // this is the raw doc + ); + const result = (await task()) as Either.Left<DocumentsTransformFailed>; + expect(transform).toHaveBeenCalledTimes(1); + expect(result._tag).toEqual('Left'); + expect(result.left.corruptDocumentIds.length).toEqual(0); + expect(result.left.transformErrors.length).toEqual(1); + expect(result.left.transformErrors[0].err.message).toMatchInlineSnapshot(` + "Failed to transform document b. Transform: a1.2.3 + Doc: {\\"type\\":\\"a\\",\\"id\\":\\"b\\",\\"attributes\\":{\\"name\\":\\"AAA\\"},\\"references\\":[],\\"migrationVersion\\":{}}" + `); + }); + + test("instance of Either.left containing errors when the transform function throws an error that isn't a TransformSavedObjectDocument error", async () => { + const transform = jest.fn<any, any>((doc: any) => { + throw new Error('error during transform'); + }); + const task = migrateRawDocsSafely( + new SavedObjectsSerializer(new SavedObjectTypeRegistry()), + transform, + [{ _id: 'a:b', _source: { type: 'a', a: { name: 'AAA' } } }] // this is the raw doc + ); + const result = (await task()) as Either.Left<DocumentsTransformFailed>; + expect(transform).toHaveBeenCalledTimes(1); + expect(result._tag).toEqual('Left'); + expect(result.left.corruptDocumentIds.length).toEqual(0); + expect(result.left.transformErrors.length).toEqual(1); + expect(result.left.transformErrors[0]).toMatchInlineSnapshot(` + Object { + "err": [Error: error during transform], + "rawId": "a:b", + } + `); + }); +}); diff --git a/src/core/server/saved_objects/migrations/core/migrate_raw_docs.ts b/src/core/server/saved_objects/migrations/core/migrate_raw_docs.ts index 102ec81646a92..461ae1df6bc3d 100644 --- a/src/core/server/saved_objects/migrations/core/migrate_raw_docs.ts +++ b/src/core/server/saved_objects/migrations/core/migrate_raw_docs.ts @@ -9,13 +9,32 @@ /* * This file provides logic for migrating raw documents. */ - +import * as TaskEither from 'fp-ts/lib/TaskEither'; +import * as Either from 'fp-ts/lib/Either'; import { + SavedObjectSanitizedDoc, SavedObjectsRawDoc, SavedObjectsSerializer, SavedObjectUnsanitizedDoc, } from '../../serialization'; import { MigrateAndConvertFn } from './document_migrator'; +import { TransformSavedObjectDocumentError } from '.'; + +export interface DocumentsTransformFailed { + readonly type: string; + readonly corruptDocumentIds: string[]; + readonly transformErrors: TransformErrorObjects[]; +} +export interface DocumentsTransformSuccess { + readonly processedDocs: SavedObjectsRawDoc[]; +} +export interface TransformErrorObjects { + readonly rawId: string; + readonly err: TransformSavedObjectDocumentError | Error; +} +type MigrateFn = ( + doc: SavedObjectUnsanitizedDoc<unknown> +) => Promise<Array<SavedObjectUnsanitizedDoc<unknown>>>; /** * Error thrown when saved object migrations encounter a corrupt saved object. @@ -37,7 +56,6 @@ export class CorruptSavedObjectError extends Error { /** * Applies the specified migration function to every saved object document in the list * of raw docs. Any raw docs that are not valid saved objects will simply be passed through. - * * @param {TransformFn} migrateDoc * @param {SavedObjectsRawDoc[]} rawDocs * @returns {SavedObjectsRawDoc[]} @@ -52,15 +70,9 @@ export async function migrateRawDocs( for (const raw of rawDocs) { const options = { namespaceTreatment: 'lax' as const }; if (serializer.isRawSavedObject(raw, options)) { - const savedObject = serializer.rawToSavedObject(raw, options); - savedObject.migrationVersion = savedObject.migrationVersion || {}; + const savedObject = convertToRawAddMigrationVersion(raw, options, serializer); processedDocs.push( - ...(await migrateDocWithoutBlocking(savedObject)).map((attrs) => - serializer.savedObjectToRaw({ - references: [], - ...attrs, - }) - ) + ...(await migrateMapToRawDoc(migrateDocWithoutBlocking, savedObject, serializer)) ); } else { throw new CorruptSavedObjectError(raw._id); @@ -69,6 +81,58 @@ export async function migrateRawDocs( return processedDocs; } +/** + * Applies the specified migration function to every saved object document provided + * and converts the saved object to a raw document. + * Captures the ids and errors from any documents that are not valid saved objects or + * for which the transformation function failed. + * @returns {TaskEither.TaskEither<DocumentsTransformFailed, DocumentsTransformSuccess>} + */ +export function migrateRawDocsSafely( + serializer: SavedObjectsSerializer, + migrateDoc: MigrateAndConvertFn, + rawDocs: SavedObjectsRawDoc[] +): TaskEither.TaskEither<DocumentsTransformFailed, DocumentsTransformSuccess> { + return async () => { + const migrateDocNonBlocking = transformNonBlocking(migrateDoc); + const processedDocs: SavedObjectsRawDoc[] = []; + const transformErrors: TransformErrorObjects[] = []; + const corruptSavedObjectIds: string[] = []; + const options = { namespaceTreatment: 'lax' as const }; + for (const raw of rawDocs) { + if (serializer.isRawSavedObject(raw, options)) { + try { + const savedObject = convertToRawAddMigrationVersion(raw, options, serializer); + processedDocs.push( + ...(await migrateMapToRawDoc(migrateDocNonBlocking, savedObject, serializer)) + ); + } catch (err) { + if (err instanceof TransformSavedObjectDocumentError) { + // the doc id we get from the error is only the uuid part + // we use the original raw document _id instead + transformErrors.push({ + rawId: raw._id, + err, + }); + } else { + transformErrors.push({ rawId: raw._id, err }); // cases we haven't accounted for yet + } + } + } else { + corruptSavedObjectIds.push(raw._id); + } + } + if (corruptSavedObjectIds.length > 0 || transformErrors.length > 0) { + return Either.left({ + type: 'documents_transform_failed', + corruptDocumentIds: [...corruptSavedObjectIds], + transformErrors, + }); + } + return Either.right({ processedDocs }); + }; +} + /** * Migration transform functions are potentially CPU heavy e.g. doing decryption/encryption * or (de)/serializing large JSON payloads. @@ -92,3 +156,40 @@ function transformNonBlocking( }); }); } + +/** + * Applies the specified migration function to every saved object document provided + * and converts the saved object to a raw document + * @param {MigrateFn} transformNonBlocking + * @param {SavedObjectsRawDoc[]} rawDoc + * @returns {Promise<SavedObjectsRawDoc[]>} + */ +async function migrateMapToRawDoc( + migrateMethod: MigrateFn, + savedObject: SavedObjectSanitizedDoc<unknown>, + serializer: SavedObjectsSerializer +): Promise<SavedObjectsRawDoc[]> { + return [...(await migrateMethod(savedObject))].map((attrs) => + serializer.savedObjectToRaw({ + references: [], + ...attrs, + }) + ); +} + +/** + * Sanitizes the raw saved object document + * @param {SavedObjectRawDoc} rawDoc + * @param options + * @param {SavedObjectsSerializer} serializer + * @returns {SavedObjectSanitizedDoc<unknown>} + */ +function convertToRawAddMigrationVersion( + rawDoc: SavedObjectsRawDoc, + options: { namespaceTreatment: 'lax' }, + serializer: SavedObjectsSerializer +): SavedObjectSanitizedDoc<unknown> { + const savedObject = serializer.rawToSavedObject(rawDoc, options); + savedObject.migrationVersion = savedObject.migrationVersion || {}; + return savedObject; +} diff --git a/src/core/server/saved_objects/migrations/core/transform_saved_object_document_error.test.ts b/src/core/server/saved_objects/migrations/core/transform_saved_object_document_error.test.ts new file mode 100644 index 0000000000000..80c670edd39ba --- /dev/null +++ b/src/core/server/saved_objects/migrations/core/transform_saved_object_document_error.test.ts @@ -0,0 +1,60 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ +import { TransformSavedObjectDocumentError } from './transform_saved_object_document_error'; + +describe('TransformSavedObjectDocumentError', () => { + it('is a special error', () => { + const originalError = new Error('Dang diggity!'); + const err = new TransformSavedObjectDocumentError( + 'id', + 'type', + 'namespace', + 'failedTransform', + 'failedDoc', + originalError + ); + expect(err).toBeInstanceOf(TransformSavedObjectDocumentError); + expect(err.id).toEqual('id'); + expect(err.namespace).toEqual('namespace'); + expect(err.stack).not.toBeNull(); + }); + it('constructs an special error message', () => { + const originalError = new Error('Dang diggity!'); + const err = new TransformSavedObjectDocumentError( + 'id', + 'type', + 'namespace', + 'failedTransform', + 'failedDoc', + originalError + ); + expect(err.message).toMatchInlineSnapshot( + ` + "Failed to transform document id. Transform: failedTransform + Doc: failedDoc" + ` + ); + }); + it('handles undefined namespace', () => { + const originalError = new Error('Dang diggity!'); + const err = new TransformSavedObjectDocumentError( + 'id', + 'type', + undefined, + 'failedTransform', + 'failedDoc', + originalError + ); + expect(err.message).toMatchInlineSnapshot( + ` + "Failed to transform document id. Transform: failedTransform + Doc: failedDoc" + ` + ); + }); +}); diff --git a/src/core/server/saved_objects/migrations/core/transform_saved_object_document_error.ts b/src/core/server/saved_objects/migrations/core/transform_saved_object_document_error.ts new file mode 100644 index 0000000000000..6a6f87ea1eeb2 --- /dev/null +++ b/src/core/server/saved_objects/migrations/core/transform_saved_object_document_error.ts @@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Error thrown when saved object migrations encounter a transformation error. + * Transformation errors happen when a transform function throws an error for an unsanitized saved object + * The id (doc.id) reported in this error class is just the uuid part and doesn't tell users what the full elasticsearch id is. + * in order to convert the id to the serialized version further upstream using serializer.generateRawId, we need to provide the following items: + * - namespace: doc.namespace, + * - type: doc.type, + * - id: doc.id, + * The new error class helps with v2 migrations. + * For backward compatibility with v1 migrations, the error message is the same as what was previously thrown as a plain error + */ + +export class TransformSavedObjectDocumentError extends Error { + constructor( + public readonly id: string, + public readonly type: string, + public readonly namespace: string | undefined, + public readonly failedTransform: string, // created by document_migrator wrapWithTry as `${type.name}:${version}`; + public readonly failedDoc: string, + public readonly originalError: Error + ) { + super(`Failed to transform document ${id}. Transform: ${failedTransform}\nDoc: ${failedDoc}`); + } +} diff --git a/src/core/server/saved_objects/migrations/kibana/kibana_migrator.ts b/src/core/server/saved_objects/migrations/kibana/kibana_migrator.ts index e09284b49c86e..f74fe7e7a6e1c 100644 --- a/src/core/server/saved_objects/migrations/kibana/kibana_migrator.ts +++ b/src/core/server/saved_objects/migrations/kibana/kibana_migrator.ts @@ -35,7 +35,7 @@ import { SavedObjectsMigrationConfigType } from '../../saved_objects_config'; import { ISavedObjectTypeRegistry } from '../../saved_objects_type_registry'; import { SavedObjectsType } from '../../types'; import { runResilientMigrator } from '../../migrationsv2'; -import { migrateRawDocs } from '../core/migrate_raw_docs'; +import { migrateRawDocsSafely } from '../core/migrate_raw_docs'; export interface KibanaMigratorOptions { client: ElasticsearchClient; @@ -135,7 +135,6 @@ export class KibanaMigrator { if (!rerun) { this.status$.next({ status: 'running' }); } - this.migrationResult = this.runMigrationsInternal().then((result) => { // Similar to above, don't publish status updates when rerunning in CI. if (!rerun) { @@ -185,7 +184,11 @@ export class KibanaMigrator { logger: this.log, preMigrationScript: indexMap[index].script, transformRawDocs: (rawDocs: SavedObjectsRawDoc[]) => - migrateRawDocs(this.serializer, this.documentMigrator.migrateAndConvert, rawDocs), + migrateRawDocsSafely( + this.serializer, + this.documentMigrator.migrateAndConvert, + rawDocs + ), migrationVersionPerType: this.documentMigrator.migrationVersion, indexPrefix: index, migrationsConfig: this.soMigrationsConfig, diff --git a/src/core/server/saved_objects/migrationsv2/actions/index.test.ts b/src/core/server/saved_objects/migrationsv2/actions/index.test.ts index ba6aafbb2f651..df74a4e1282e4 100644 --- a/src/core/server/saved_objects/migrationsv2/actions/index.test.ts +++ b/src/core/server/saved_objects/migrationsv2/actions/index.test.ts @@ -129,18 +129,6 @@ describe('actions', () => { }); }); - describe('transformDocs', () => { - it('calls catchRetryableEsClientErrors when the promise rejects', async () => { - const task = Actions.transformDocs(client, () => Promise.resolve([]), [], 'my_index', false); - try { - await task(); - } catch (e) { - /** ignore */ - } - expect(catchRetryableEsClientErrors).toHaveBeenCalledWith(retryableError); - }); - }); - describe('reindex', () => { it('calls catchRetryableEsClientErrors when the promise rejects', async () => { const task = Actions.reindex( diff --git a/src/core/server/saved_objects/migrationsv2/actions/index.ts b/src/core/server/saved_objects/migrationsv2/actions/index.ts index 79261aecf675c..d0623de51e4c3 100644 --- a/src/core/server/saved_objects/migrationsv2/actions/index.ts +++ b/src/core/server/saved_objects/migrationsv2/actions/index.ts @@ -22,6 +22,10 @@ import { catchRetryableEsClientErrors, RetryableEsClientError, } from './catch_retryable_es_client_errors'; +import { + DocumentsTransformFailed, + DocumentsTransformSuccess, +} from '../../migrations/core/migrate_raw_docs'; export type { RetryableEsClientError }; /** @@ -46,6 +50,7 @@ export interface ActionErrorTypeMap { incompatible_mapping_exception: IncompatibleMappingException; alias_not_found_exception: AliasNotFound; remove_index_not_a_concrete_index: RemoveIndexNotAConcreteIndex; + documents_transform_failed: DocumentsTransformFailed; } /** @@ -523,28 +528,13 @@ export const closePit = ( }; /* - * Transform outdated docs and write them to the index. + * Transform outdated docs * */ export const transformDocs = ( - client: ElasticsearchClient, transformRawDocs: TransformRawDocs, - outdatedDocuments: SavedObjectsRawDoc[], - index: string, - // used for testing purposes only - refresh: estypes.Refresh -): TaskEither.TaskEither< - RetryableEsClientError | IndexNotFound | TargetIndexHadWriteBlock, - 'bulk_index_succeeded' -> => - pipe( - TaskEither.tryCatch( - () => transformRawDocs(outdatedDocuments), - (e) => { - throw e; - } - ), - TaskEither.chain((docs) => bulkOverwriteTransformedDocuments(client, index, docs, refresh)) - ); + outdatedDocuments: SavedObjectsRawDoc[] +): TaskEither.TaskEither<DocumentsTransformFailed, DocumentsTransformSuccess> => + transformRawDocs(outdatedDocuments); /** @internal */ export interface ReindexResponse { @@ -747,8 +737,6 @@ export const waitForPickupUpdatedMappingsTask = flow( } ) ); - -/** @internal */ export interface AliasNotFound { type: 'alias_not_found_exception'; } diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/actions.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/actions.test.ts index 832d322037465..d0158a4c68f24 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/actions.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/actions.test.ts @@ -41,6 +41,8 @@ import { import * as Either from 'fp-ts/lib/Either'; import * as Option from 'fp-ts/lib/Option'; import { ResponseError } from '@elastic/elasticsearch/lib/errors'; +import { DocumentsTransformFailed, DocumentsTransformSuccess } from '../../migrations/core'; +import { TaskEither } from 'fp-ts/lib/TaskEither'; const { startES } = kbnTestServer.createTestServers({ adjustTimeout: (t: number) => jest.setTimeout(t), @@ -1014,41 +1016,30 @@ describe('migration actions', () => { }); describe('transformDocs', () => { - it('applies "transformRawDocs" and writes result into an index', async () => { - const index = 'transform_docs_index'; + it('applies "transformRawDocs" and returns the transformed documents', async () => { const originalDocs = [ { _id: 'foo:1', _source: { type: 'dashboard', value: 1 } }, { _id: 'foo:2', _source: { type: 'dashboard', value: 2 } }, ]; - const createIndexTask = createIndex(client, index, { - dynamic: true, - properties: {}, - }); - await createIndexTask(); - - async function tranformRawDocs(docs: SavedObjectsRawDoc[]): Promise<SavedObjectsRawDoc[]> { - for (const doc of docs) { - doc._source.value += 1; - } - return docs; + function innerTransformRawDocs( + docs: SavedObjectsRawDoc[] + ): TaskEither<DocumentsTransformFailed, DocumentsTransformSuccess> { + return async () => { + const processedDocs: SavedObjectsRawDoc[] = []; + for (const doc of docs) { + doc._source.value += 1; + processedDocs.push(doc); + } + return Either.right({ processedDocs }); + }; } + const transformTask = transformDocs(innerTransformRawDocs, originalDocs); - const transformTask = transformDocs(client, tranformRawDocs, originalDocs, index, 'wait_for'); - - const result = (await transformTask()) as Either.Right<'bulk_index_succeeded'>; - - expect(result.right).toBe('bulk_index_succeeded'); - - const { body } = await client.search<{ value: number }>({ - index, - }); - const hits = body.hits.hits; - - const foo1 = hits.find((h) => h._id === 'foo:1'); - expect(foo1?._source?.value).toBe(2); - - const foo2 = hits.find((h) => h._id === 'foo:2'); + const resultsWithProcessDocs = ((await transformTask()) as Either.Right<DocumentsTransformSuccess>) + .right.processedDocs; + expect(resultsWithProcessDocs.length).toEqual(2); + const foo2 = resultsWithProcessDocs.find((h) => h._id === 'foo:2'); expect(foo2?._source?.value).toBe(3); }); }); diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/archives/8.0.0_migrated_with_corrupt_outdated_docs.zip b/src/core/server/saved_objects/migrationsv2/integration_tests/archives/8.0.0_migrated_with_corrupt_outdated_docs.zip new file mode 100644 index 0000000000000000000000000000000000000000..726df7782cda3f4afdae7b214eaa482ece1fd725 GIT binary patch literal 444632 zcmd43W3Xl2k}kYi+cv7UZQHhO+qP}nwr$t8ZQJ%&@9Ep8`=0xri0*&iipUk~$C_iN zW<FzNJUL}0fI%Pu{`&lODv|%kkN@)p3V;n@sOP9hqofD{08G-9q#OH3oLr#*06`uB z0RTXd|NK$*pO>3B{@<5F|L5g84vu<`M*p!&Tz!&mz~8U(*J|JZf33oS>OO<{=LRvr z003zJvWkO|iItJHqk|5;`9IY9Yr((dU({;o$tIYR%S_MCNLP`c=<V$-qF#NE4BAf< zzmKZ&p`wwH)}<fY+tJ<A1pp=v2FD$RK-LYX5t4H|9cPBknLAkMRD`<!mIau*#ewl1 zM4xrM0?3%ewn+^mzg-N_B<OkTjhx_504G@g4W1geYKnMkOMvG$*bCkt7}ZHx3u|on zD?M(~u%jNv*bt?Ba69Y(^VNlZL6iWPF|5oGi|wazA(43~_*tCUfe{~YYMhxVS!;?W z0nvM(aQ)4}VM*a|N)alG$<cA020DOWQIV;%zMYt-zP-IUpO`tMWb$Z#CP`akDR^qy zo`igaJqFBbUpj-rAm`jX<tL{nc>p95)g~}`ef+*u*7!J_siZfc6chBZ!9zFDKLYk2 zu10Vuk<Xj+@=E#Rc+@}cM*0_5>(H}N8yFk?!_5e_NxFZ@-?*9jN+CTnJ;mI7Co@MQ zRwq4W?~lt9)6^#bK+fX3rd3(9%NVy;-j?s`bAJJYMQE#wLjZ%E@R5dy@%D9Uk{$yn z+N1bz4(dWBxB_>@OO|#Tpek}B8_I(!+VUvQ017FHd($g^@hEP=6+)QDC(tO`Qm0FS z%D$?|y1^;FZXk!&HXtZ|%>YJ?(&SnO4~El-{5Km#tV`tQ0NxBW{@7^sM=<`yMk_sQ zGh-tMM=Dxs2giR{`lB>S_b>SyOQ+N|<5lCw{$vw)zjC@}Wlwv8L`1m!z4$+Z04FIn zMMm|bey<O5e_TEyoZ<c+*0H$cs0fuP8DJHR#PF!7P<fC*Fx=<k!;9D84(bQ#OskIx z(tp!d>W{Xjy1pOD|0g1d|Dvsq(|-lzkBSI?ujc<aAaf~J(AXch@Q0|xw?Ev;UPqzf zbHR!}RUhW$$#XL?NiTi#%Lp0J$h*PBQ+yfuKrvu){qJWOQFsrh`3||{4jmM5`z7~e zoiuR;Byh2fg}^6`0gxvG)&?=a72N)^u(S-ClOn<i@UJ5AA310B$3p8lKuE|x`KI?r z{vQkJET|pK{t*c2Ki2&ve-jAmi~mSDJ=Fhr!uQfrlBfSQ-R72EW6{Bo8R+mGdVw@0 zUx%=}!$u*$`XCWD)WVFy+>OfI$X<mwqsd-DiM~L~+_b5;IAz1~_a;6#i3J$E!FkY# z2hB~3tt^LAfSnOFXZWZ2r$f1VRB7r+*#fHi`zg031VJhrN*QYi8CX!1I5h0M&E)LK zE!3sW?0%rhVree%PR~Rl73Q@P(zW<5&rJO89sJ!p(Lb@W5TC}iMXN!>MwJ93h-Sjy zHWYa`13(W)JxU`kWj8K4DMsczPBSJ&IXgZnBX($S4+9$p2W#u(q{o^|_X-M({Ly~= z4e{Ud<}a@rGrr|=g8cC+*xx+KbY_1N$KfAtmHK<PHYwRyA`2mJZ=Ns8&nT9D79i$T z0m5`y#x%EpMO9t8jjURfHLrl<B%fYsYI$&UTunU5@K2Cgg+VkTFbeY;0L8ta&8s5q zgN^153kv8P#NPDfB3MdBqCpnBp!qj+xa^A8+>EANOip$`dtXo5Y<aA|NmSNz>Wjno z5qAqHI86%L1Hkvnt}1$+h|7&8wSS@++q@iCU+b!uITaaDF@mC?C)lBn+BQP1!B!i= z-ZI44EB4KmByunLNW5H(H4dj4#Vas_1)?NXLq5shrcH_*Ib7RWtuj+|gfy(ax`!F_ zu8z`y(~f4FxrIZIcpp<kwypQ)$*#ngtSM(X*=Uq{S1x2_KLKb}rASILHgOl{<~<zH zGS=qj;gl%mo<m|HUz<o17t;|2THmM}U$ZFS7W*2)1glP9l4!Fq&d){sRuuXGqBYcP z!Q+mGz^xUS$7AOOWTqEGlkTZfjdb@FV?>BP+cBq#7Xm(`69Q_@s<C0cKo|W15~v?R zKNQNy=<zB{vrXyh1tVp%NGldBjOiO(D)jTX!f2r@%4goLyT~!#%z{;Ol5qJnn7Q(| zEGmNR?$rA97sjI$<N}8WI$Y=w<EV6h0WO*G*bD(;(B9dPNPb{^2<N#AUsAJBUO{aK z|BPb%YjMb4iri{F<desqhrOk&x~t8A$JYBa7VHd4yD73$E=W$49v%nWadz#_zMoJa z1khrT^IFe#Sj!;aX%=gRI#=rRTaUWs_W?-zZ{Rn-+-%M&XykifFJG;81}VC(xN5%M z9gd$N+DbdE%@^;9pom6D)bn|`>`LEH2Rj<X^jucut`<&TpL;qP6@!MSz1*!n;WSLP z%0@FYxmaFC1P5Kd9!Qi>dQ_T_-@$&hKFRr5zJIKa@LaLtY;clMH$Ii(h^IV%pK=rt z2lZSVrDm{bNt(}*gQ|m{PVjBYD(XgtfnbtrOBS9mg}XwF?NOoHu}{%l0qJr27fipt ze~b=)nVR;l`?Wv9yU{1HnVK#n%M*~3mKQM~xk4kAE=eN@1vMrsYB2&}2A+x`!Qfee zEE?0NeNcz>d|Y%c5?N$Xn;l(#fh*8jIvv+<*`mbJ{hWi%E3pgI*an7KuMin<9s*+$ z03AeXN{P38XR0;~o-|d&FmfyYO%82AeGq#ZSX-mrI2Q2E!+*q3=MsOfA*qO*YOLqh zxbrantb&8Ft^cZWoPX^9gaz5P>r1R=aP1sAm)Z1N<ZiZk8oSGSTY`fsD32SspSwaF zC|t0#`307?dV00rOOS+c{L(;E!%|+$+9L($zQ4uivR1!Z19RSZhng>qh?l{k;vAAN z=aYB?V&u-fl-7@VP>VFOp;59mf^u9L`A9ctnVX`TVr5<A_F7NtLTKuZUyd-^Xp>oM zs-|`!+Tj8l!bBy0TJUulOZoWvxv53*3+(?c?|LvrdXabl0JcPbSBNbBS&05keQ$Di zQcT=jdxjQpfxt(c!`<A(CE65+rVZ?cmYkv5jPji$CE64X!6hQX6%`ARpTnhj<2=@w zW;<rP?%1;N+IFgGd*-sxX{zb+dCxf~VYn0&tM;o8=EdXhgrqe=Lx(gk02lTLZ0Q$A zX^4*QntJdozEZdRSOLOysF1o1X)cYe2Ob>#kq6o2=UTev`cdT#rZGpnBSU6iZ1rg* z^H|cA%M9)3=(~m&xdST-u8CmmRRQv$g4X&y)4a0?0PuZA^TP+@IE6>vjU=_HfEycV zHl#NTAslw;_qy7|_b|dRd3wd1fj8R$L+vlgad9<X(fc}jNIi>Vh-Q}NSw!CxQg&Cq z#HNMJ*G}Zf3tCcN+*mjO;K9=yiz-}bT=tpcnzR!-2DZ<!gRdMs!G~B{*1@BgH_`xv z-#q6KZ!K>CGl0B6#R{hYd1jJvT#?F=ZWBG+1*z|ptZA%!7p>@MHLX8?R`$x)f+9xR zHrjT7)(7-b3AVYlxly^gy;AdU;@SoRL$hO?Lp#qpv{6-pLgdzxzyk7pRnwF8QlVZP z00{Gn0@Op;qK6~g08ayj+c)#B1ne?{6TkWDf*?i)lJ;ui&d>_=;++b;U4uFV$cd(c z4i11qH`VzHXl7zp_JRMw+HOJiUOYc0Y#`yS;ilTQro|nkqhpkVV-(a~G~^=*1AxMf zAGPh1NX8Vvv5ALLc|UT60AGw=^-BSmsBOVkE|)yUZg1CspEP%9S-`MDqd<`_py>=i z_WULQL(pwQsj&TPTWo!|ej%{bCSc>_&jHzXfa+S;&R=%70K;C}bMRJW$uh%RLlq8K zk)~*1fnx(T1($9YgEZF$Z?5sjA<(ys=F7q||M2N~9)$*w#g7flKwa_baLVs&!6$ac zPzK)U5fjYRGGHPlw*bh01j}>i98^hE>mKYfQ;^XefHMqBB!9!#*x6+Wt2ZbI*<^tV zG7hi}-k@8IA;@%g*4sk>u|DEPWQ~7J5>&y?JD6^&ObzN<-1|vGVX${tQiOs!ut5#F zQRp70(re8Llz$^+PbtaD)Ym$IgyN6Di;r0mYpy0K1yS#fvEbRly{w|mMm21ksYgMt zky73`;YiJ>KHHxfa+XvyQVUs_?0~zf>eIv<x+D1;eH{5^RdMHrfItBaPyvTXIQBd; zTz<@AV~$;*pP#YH*fg$4hL2Pr>w$DY0l03cqcey4erz~$&5_5ml|@#QYi}17BVFk7 zzSS;<&pht_=VMG_V5`O0Y{!HJA<yxY*93t#^K)w|RoA(MJY9b&@7o34PW6cIb$xM2 z{gZz=@?J0neHlX<O?<a>o{zTnx{p11ojZ`;Re6Xeq(#R7D-?)~wsFWTG)hnB4uiQ5 z2n8C+30*K7rP=$|zVodZ0S-O+^qq!Il|QEV=72Gd#e9C{>*<6dmYj@t;f80r`C@V4 z&NF1q1o2@T-52$ZEX&<zc8q_$UWV>k$cD=DoJpeA=JtKH6D8?yR4Ocx5`Fv|&msKi z=7AZcUnV_dlpIQ=49UWg0Yh-9Ta(nPJ6YJT8XDw<atqK#nrspt(52e@fB-BkxV>&C zIIVn|ghYV8^k^xki2%6j5IX?wc5WD69^qMiwlYu$HRH#X=bW>E=6*MU>KY&1IX!uP zt>8Oc47CCG?KgLBW~TyKQI3pyv>LT22X*hSMvU0b6>bq*>jKtL9j(xOuK2O=Cc~<Q z0SpJIaZ}W&wzLbd_6Xtr?EHFHvcu!!5}68hBD{AmDggX;xVI#BJ2<{7V5kqDpf{0R zbt(Xn-zm1o9YP%JH}Ly9ebki0-#viuEj~aUPnVzN_c*oHPyktgq^;+E-yW&opGIF$ zM|dr?B!E}IU*Y%b68B8D+efIU)BWCfUdxu$cG|4B?32?{X4}`g{oaqbYf%=_cFn|B zuw1<`ae0aCx<%ANt`2EIThn^5xuix<)<kTcQz$|)laAoWGNL?Nuln3>k6t7CHDI$6 zp||q}>=Xo~?;aZW*qi2qs!{&u`bF8%2$s&@M@Pb+y{g}e!Y`^KFO$JOhhdssJK}X+ zfp|kv(%jbtmBLT6A78EJvx|EtA17PQv+s?-_kxfD8*p0V`OQAL#XKwB(=!tAH*BkB z5T@kQobyUpQnRCb60(T}D5}`4;=_GwNJlaeWJr%)drO(Fb+-U9c7eemlJ-@u*9eJ2 z#>*MxN1uAwa!?3oroqYNlLokB2ia1nZG`@Q_A}&kAn1o~Ec}VGXIk_|yPRiUO;wAI zo7Jx_a19HC5Rfj)NKG#+*<Lasp|EU=P)~_#n%Z825c={KL*1w6cA?hzn(y7AkX3gQ zN<i7(X@t3$iwUcx`IVVG&Dtj9Q-pvc!L#VuA@`9v8`J)U3L&QPIzO%g<{-r?olqQ9 zoRX<IvzO7Aure@w<w`Nbq|Q5oKTe)M$a7CQyu-%T*|C#|%b20xb%Z*Owk!{h%Vx6q z(p+b4I6wL=qT^TQ>~Wam+vMq+b7!rR2-#LM=vq(i26f^2R41B2BFR@}tF_qrKuP_x zAHkeib=WQ$)k<&t6Kc1S(6<{Hnq?;rsNKM{-O(~OBh3c(k3NJ<J4BuR8Jg+VmmD^k z#s~1!CNj6ge}ENAfmGC0-^u*yGW7J5=n`cUS}G0T=_$Kt!!ZAfPYKy6#gWkl>224< zK%9<+J9C$(dW<TCwql-t&Rfc;%q2csX7|0b-GA(z6Og9LPz8kySwz+P&KX9Q@yenQ z#QP#rH<Co7-FI<ocVHUcQnt~5I*_!Wn6_)20P5Ih(g`OKjx&g>zrmT9|HdVP!L@MP zo)v&FX7H{nZy?)k!-Cd^tjbsRIpycn3#}&AHt#Rx?<6W_t2Cc1u&cU6nQl1L6RVBB zKj9UnGdayD*13`Bd#SNG_%z1s8J%w*HE{zamVP~hPL=v?^@Wbt1HCwUqj>q&FKk<7 zBVc($Pii%pRDhenD(1vj>JkB|Gc6_MYFz|#xw2U;EmlPlE*CgQlg?Yc81O_9t&u_< z<31w+7=?3INtREw!39?k?Ya+-+)ONib+k*nOhx1!zIP96KEPf>V{|_TKt|(JVWZ>o zwCymCS2`==@-l^(8p*(b*v}<9^K<v@?9lD<x14DpUcI0|b_l2lPd-*R`f}8C`+Uvs z!P+-^X8!8f50>Uoh^;$mTYpFMqmVNHoUxX%j1{{*CZYM~-y)7ANr$CIeS%FQCvr9; z6*wp`L}FViF5?{oHIrWUgT=4aA!%4q^)e*gWGN>4!K=3fQr6tUmKhA%J(On+@TUWc z>@FE5srDrIIC9E$#D(-^nFHLE4>-UK9jNZZkz{5NCIH){{lRzyRWE0|v5Qb2Nm&ie zFqF$3=KFxz7Z$LUMX6{t6UPVjE)I>vz$g&`aEOjGF$&XpyDVezINDy4=I%IKo|`H8 ziVHXk=Pgw0)$CR6pt9&u;|g(6f(e|y7FVO`{A66)sO@<hLz|uOv(D9FH;>QpVjrnz zI-e>J8BP05S}eh4rFPW&WHLH+wX{lvHb|ebQSq#kIX;yn`RUTjuNM~tc`GH?sfSo6 zP3uYuB9X}UN)%!c0K>)Qw!taUYJlt$F9?s?dc{v0Aju}v#~cnbR$@NTzr=zq<zjJ_ zLM~(+VVZKDpB6$8rN#H9Lic<hiIIo;)XXEmq;Q9b;_n;j0Ub0NccpJwhThTmqz2<8 z%jyK%dYwB`MAv*<#h79|%QvTd&vtOqwWJdD>l;4`CImxha_)UAh9rN5fg9?(2op<l zYu77i#p&Xb5Qae|TCXn~DP6k13R_l&uktdbX4R&LjT?$rb<ziIO(F*K6^>(eb|v1+ z2I0Q|N=*GaHQ<(?>Ii=>$R8%!H$M?D5j=+Kz&kQ}h*SBrV6P5mWxZEQA(Exi)L(~H z<|l#Kr~n%-JQ>0|2auc6)y75*f&ZYkejXDhX_Z<0>O=1KQnh4!?V`<#6*uBe;%D|d zzkV!$^}}nMAeLW{^Z!kgIjbdLQ9lOI#7jvhUS41M0$!}WoiE>L0%FUTu$;&XnX5b> zaI!4;BBqD%iJKkkk)91Y@Dgp3tElYz;YA6H08a#dnR!zh{4u~7yaRYoKaUvu>s{NU zc?>@M%T15OdmVWBHTSvhA?jdj%=}u5%B0HA@<OTO4V2Zl5*Ay9JcF3nKBXI+37@$H z8Q?9w5$kg^8+TD;Wnadzex^PN`BekSHa!rSKK#}GL6+ub;u=7{VXn4rk<KBMUmIxK zy^)Ty&kgB77*k9Vq!b(;PQRa+z&$U(*$+Y!@gPEM5cMWkB<C%P>PfG<hN~c}n!WW7 zAcWf!*8H^!^K%);6=02WD+7&Jh>=~;IsgS%crLt8{eCOGuvsr}mV<0c2y>)J`IU-O z?U&T544%voxJT$%t-lVF7*a&V^KuEc@lVTCDH4f;lcfa8+|YO4aPyQ{RK#GKdLAEd z&HU1?kx;fTPs3QZGC%r6*@3hftunS)O4itTt_ib6u598*0hL~J<>C?(z;3o`L7iAr z#Vh;61fiwPyR_eU>Yjjn(qg-+Y38fk&W52sYMGDei}<CTmDqNN1kzCEu_fi^Zug0K zDTcYZlBEt5;`A~nje=UA4hZox%`8HyzoMr=W61Lpa07T}fOBc?QE4*h{Io!Xg91ZK zi(jTYjy56(Y7V5i(ic!td>K?N4Xqvw$OO2QE{c!uf|5x_$1Q${2j<rsZ4U?`y#J`T z9-a;paZI%@$@sHfCCp}W?o{DqFjA|0__7bL8-5P>^&%U)8lS4mpl4eta<vOGJF&+( z>x?h+(VkT*{rho~0bU{$G9r=MlH_^Z9eIHkB_b#xHi}uh9~(vx;|w1!g-Eo1nvsoL z;qfe+<{B$jR++bU)N4i_U{5rF8`w4lzf9B7dYMgNSuTB;&k@$<_BUjfTbPXWV1P%g zSOAR{6QERwW1{MS2ESY|hZ{9X!xa^jC5kGJT7-|`D>P%n`ySV^=#(PSyJ<-W#y4jK z2!f18J_?2OLm<7>zPX4!uN9JMa|;*vO<1qhR@3RM$^3D=vcQT}I$y?FAPn$$GHdc3 zc`xm9-mpjxMP#;DbTkuf5qOO7Z(?v_ix42TYZ8V%4_R0JeM$^n?D8JbqRKZwi)W!W znL9cZ^0yZG_X+jEm+e@(*!9@gdDYERRTfywi{uN~pFcOZv>f$h(rU;ho^~LSboVQo zbP8Y4nVl}Vc(q=P0>S+06&SFguINThjJRZUF$Nj>xUSY+uDp$H>Uip-b35-h-ZIt2 zPc}@n%&$Of+?%pi4=D`K-@v*Cvh&#-Ld^ngKixGm%d<6Ycn{dqSSa>N%^8X_jki>$ zyXr5Scq?cM2(rwspn7mN_2Qt5k+*Z2IC-3P2XAc_g|3{}!JZQ|EZ1M>XQYBSVqn=+ zN3#-c5Duuc=U`#Y${=~X-?21;<H?|-JS#A0F#V$~X6fXQQ#V#bJ*khMO!P(_tQhtI zjRb&RvM4md)S8^KgI1Oq=S=mI06P_fPLXe<CIx^q!%U!G<PT_JHTBWnb-O22-^an_ zKceElE;3-+JP_db(%*Mh3U@k}!B<}I#jd(22ydmy`^5FR_BTQ8)4-rxh=h0!EaQ?9 zIk(7T(|FV&OxzBgN!l+OB6+1oU$W*7%iuMCavYbL4Ls0Ac%T!N89I`b&becN^Dy91 zK2R?1&OH-h7wIW)^tG>dO-dvLn_2LO)Tgb%rs_6Z9*`(b`P>6)gdV@xU&^{EdkW<R zm%h4=2{sZ<;bNlR5?F51%4U@Agf81IC)%yM7#k%WpE|m-swK2C0f1=ZSZs}U%GRJ0 z?y&B#;klZ|D34G`hE^c(N-BEkOn+IL1i6^!dCc<2W!G6WKI$Scr(ddNPCL6&CaN8P z`s<(~Cv!_y)mwEC@V7$Sc<WdpcGD&+ksExCroj$0M!cjez|qNfz!J)pm7Uv^W#eof zAQ`VtyUexE^W(<TqMKaZ0gtli2_s7#u#PXzmX2f3NeoB~z@NQr{7UFRQ5#F<n{n9; zlh*EfVr8j;)C<hU5PjRhx9VXEaPp35SP@~*WfEqHIv7-6`|i5&H4(XmYHU5MK#27| zEFb>3<6CqPRCB@9UOqjMN$M`UcAy4BOf(~rqCokC{XnBz*8!2FQYOEefI9Y(!?1HN zzmm>a>Ol*<xJn+iRk*pad~mNPj89=w+T~2)YlDgMBugf{b=PXO=hWcX&~-62IyITs zV#mf?XB9QhNA^c5xfiCf7$eOY0zg9!JM>yzGTz8Xi9G&>mgiBlEH`DQw`jF~#c%=B zkxU@EY$X}MdiE~1RNRi~dvTY^B?xn!>}$C){07Qh@i^qT^XHTbb0lddH&HM)ZVg~+ zgdj>XAyp2}64lBPN~iZ&4je8AbisovMkDAR_2Z`}Al+xMio(u}op^!kmr?Qd)w1L) z&W_&=Uker)mz9m9re3J6e>bDSVS1^yiAB5MJmoqBz*fI_&3WY;pr*O+J%Z-8G0IZ! z^+(TPmCRj;JHbgh57QlkJ8O1K8dm;jS60GNVDI$Ksnwj5!6rn{dYl}*U}**rpia@O z^mO*veq!wwzJz1ubZ%DPN%!FDdg+A|-0kVSf=~avc&(m4>{u<8I{)%SszhWih$$nF zH&Zi0KHoAta=dK}nt?+lD<RLymzUY5q<j9|nxU}a0}lrqm&r<G{t!-qGeStPhu4!g zrc6u6j$%t|S@-)1q46~wyIL%BQgOEL%2(t{_WJaq8^Q95E{80|_yL1)J|%6#vmc}4 z1~l!~2?%L`c`v;pW$Ez;p&nm6*~w4P2|O#@z2{rByJpEXaUGex(S*ZtYEA0=5n5V~ zNG#K!lG3*O;Dk=l?%H-JeZ*S5<GVD>0-3Ugsf_(5s$qHSfN@=#g7>587RsWjG9J0c zqdCEBFo=>S87w@ltz(eFBB=wN9MlSJZre@P$v7iIc47vK(LzgKi3&e$Y+<<*b2sj@ zF!?g1-_s-+4N#`@yG++?B%Y%(o^L@~6&vxCb<QF4B;3<?yJ<9D4T`0<js^C`XS<j_ z(UniN`Ta!*ekww*th6fb`_*G?p1sW=p6l%)9f`7Vs`%@W*)Kradk5n%loUN#hN z9s?Gmx?;|T)%29x6)sbSD<WWQD#n84r)UU@5322Kr+FhKV`Ur)qi?}+F5Z}Jdw~tP zjda`Kyz>@aX`Pi#k2W6sD3e=Ry=GS-*X|8YVX%(Wi*pA_QSM0O{8%pmojR4&I2;f= zJx+>uOV-HgZvHXCQSeIixJeO-39}l#);*$WUaX*>$0NlCieM~XakEH=w9V`4v~((i zbt>a?rf#Y~%EM(=oKx2*ibqj7$iPaCn)7phcg3{`j~;4~<EuBO)6($J$#P?M$c$~2 zk>I{fMarB+H-ovRLHH}sN&Kyp%I{JnxlO$p2<O#J#mP}UfxuCGre6ew0Yl#96@byQ zW6IdgYQMZ%3d_u$Ru4Ap#kg1NnU|#JlZr_|TQ0LmZLnohEG`|A8`I*5(t1jrp>XRB z(~9Jz#Ex;=2pywof`15YYpz#00}pibfCwoNhTBf&jSnp0*{_<z(ewsWrvQ`M;3K)x zkc2}_0<R76T>4d^S-%NF#1Fr1!R-NYIL$gS<RkKJzMl%u1nZX>UPDxxa1MGF<l^il z6I~N(r`xxOg?5*Ru`^ksjwn?u*2uKC!Fj^mu120w4Bc7M8;MzgsN%0L2WxxK+x&`# zkCpBb5snm^ig^j~^p4G>XdxapT2$d42sFJFRIXU1A8brwoC|h24>eL#zU8ncp8YHq zA<LajiR~6G0%}83cafVdr|ZUv>-xm7{Pxc?CHQZLA*awoUn1~J9Y$&Dvx=oqIobP< z6%H!fKY5U9p<uUTQ@c*_dfa!lBSy6RaZ9zGIN0Rc>(j9N1dzB8uqM!;%SCP+ihNIO z90trj<nCS(#uL;_3ObU_MQzlc*sF!NV?(uISs27VKLA9}o#ERHx-5vax$I2Bb#1Pu z;ogAR-zKLyUYQD8kLXo(BvWTqnVpgKYd5Td!Vo8<B)y8i;u2)-kG+2G^e4RH6Gusq z6()vQo_HJr-mZLM3oHn|u0!GgZUzmOfN=?#WgXKI%FiQB=Ac@bKZW}fLxRNFxl%#8 z@fYk1${><<-7j4Q`rIWWY}GPbJQwBGH7%EJE_)8@uV)|gTSS)hDv}EkU%&Qe3>a(_ zmLw$_n;H_`o|JcPSrZr-sn(d@Wk67V(iOMtmM-KUv<~}w3q?8(fVJIghCNt1jGqdd zeTNAa8cbkwl>(<->SFXv5(&3MMn-ugyT}*AWce^<nk$cKH?7KjO7j3KsHzFIlv&E| zd!$2LEB;{ZvY5avE9{cy#%e<96z4fdQcmon4pf-2b1x~8uIJ8s-7N_^8U*yt){Qtj z>|Acx2aGnv%_cFORoc^5(&V5*e#prCNKC@l#@WLumZ^H8mnHKM$Mc*5dk}vaSx-hg zAaZ!-(f6I|l}@c~08;R-aoC<diDsBe;MbV+2ydm4sZ=^@BtT}v50YM)lUAW$JdT`c z5qOnoO5Jwr_InvK6~DkPDD!j_G1>#ID1t;b^e&T3EmA*G2=zo}!0z_;sos9GvwmeH zl>9RHD#&zEH^*NKbt$)_3<9|=4<hBFh|rSEYi*RK;`9m`3dBt7{-IC(Nxf@o?{+v) z^vac8?AkueH}MpWsy3mS$>uManm^cf!e8R%xiuAcu<nYKQhQ-ool8QP`|<kHa<}mK zq}5MI%<VU&H{Jd-`M%k4ua9y&!FM?8C*^~0Dq3k^kxQS_mlvi6ay!pq)3kpm+EV_A zq`0>Ml(2dT6+fDb{Fkjg%@O`@)vO?1sL>;}V4OEX<*$)-cm$<&UR2WIfhaI?#7!fv zp&@#_Y0b(^LB9g4cy3z%*1cyE+q_L=S33crC}`@(M1)^o(v_`CoB1o#0hh0ccsPy~ zAxwf-Y+GhO4edq=wP_eu_`}r4Ym-cuNdx4ux-j*0j8C}Z<PFd8?3I`%CPExL!wcgM zg3UHt>x^Aw<8*GbCcD;-i7bTK&wo`gO)L0LX7+au=bpJe%7C_6fyR)%=q`=C;Pco9 zl@yf``W)!T5h<taE=ToTw0xT0)-82UVa8l*g^7Lwko2VigS6Nd?I}K<iX7Xd5ev^* z1;ce4TiE>M)LyXdAdx>Zhp%or2|Z+4kc7S3VYgmM1Q%6oI2uLgFc0-7r|?7|Y9*y9 z=?E*FCS%0MyU}!1DyVw!*oW&1`#ewrEV-u0V#q-67ImT8kZn~twk|eQo<Fj67w?tQ zRh;BZeq+3LveCCuybuG}Bkr~XYd>$cAomN-6NW#MbOv*>VnEl9aGd?Bm#*j{#%}?0 zZ%k9{LV(%qtn(bqStyy4VzZrT5vhs7+WFBiG*{pcmI9?+!`tsU^JDTZHD`#)dMp<e zP9R*eHsZR+dZj6j=P@hYrWEfd`xyVJr&$a$k^~CYi8C~c<|<z7k}9v7XH5VL=$f-y zAes;>^AeNT+_VnT+agtgUL_u#Q{!|{!P<6j_8ELL$+%^_H)SOC98HGxV+D6=j!lYO zPx+)Rw}Yk<rx8xY2u9H;HjtFIf*ni}l75{l)~kmumxi<g1Zk0B2%$~)H2K&IX-7Nu z?0FG^3s<9q3i|rzox3t&#+c|=t_|kuI-W4O?3q(=)S`|DsD4bWdf%{S!<#q#Ca%8r zVC_%MP*qIx>L!-@Tl(#zMdQ+3Y69wMPswLx+cNnX!Czd(m8oofM7BPH1$n0fD#5&! zG;s;_#S7Q>efOX+I#QyK5)SStG~(d=3PK&R*RE!|>}J!N$j{3rV@$?L(Zj|pA>0v& z3+pkeLF~%lob}RfRgGemAnt-GBV2~1qwH!m+p5uKludY>zk5O!bNd8n%#e;B<!Xk= zLtF(3H;lk*0+M)_Zx&Z&5CAPrHa{`|U*p{L&eWxs1~M{&RhX|dPCMitp_nz0A!~sB zKPp4<3^BGp#wqUy^oh-Bh;!DL<_A9+!C~17?~u+qUEH1$-;y%+WnyoX##y4Ul4RV% zRKYTFC@l;hr$x_SvE*ibNB2fEf<HsX6LZ9%A_kR(!HTN#_fSqutDQso5=+d|Z+S|q zbxb-uiA$C(a2g?M=K7zYwJ1?`<*h4YwbVWC@tP*52X&H9lX9L>t4>;W^K0HS6Dx{~ z3H9$i(2B69MeMg)j@-Dc-?U?@FF05p!96|`<Li`C$GU7gq7;R%!=l=mx)mCs(zbV8 z%FHX8gPW*5#K=ahdPqX_g6v(19SV@XV$Bc5?0Fx5WksFC)X<}DEoUMIJpQ;{W{(D$ z<!ox0x2a`S%(iY5+seo(+>b;D>5}?Q(cL2UxsQM5AgacvoVg8ze2Y<2?!pj-a0X)$ zr4HS6GJ3PD7=8rQ?Zlj3aU6*tiuzHW*vhiWQ<+2DQv%xK!zOpA2S1o&-{$Fm_%8l^ zac>?meH<^r9-n@MeKGQef_-muzbG;IGz)_ELz*XP#0F=fo2%?&t{5Eeu_Fi7_2LD@ zZS@H^Z(x$OXN4!tH+rVI`Mui@DP$OX4#412`2Ohr_&0Y$kxaRvnu6naF(`K3%X0iF zVAwq=Hm26Cw{$tmgbWY#v~GgbBZ|%TPLFo1)AeNdr{!rV{RPbN^Q5O!F8aB$DTQD* zCVG=}&e<9csgJp<+_HiJ1w2PsgxZPq@m29KkCWG18X1O`<v6S{JsF#!l)>+StAZmd zk?*Svxkg(P?~MB^r2tM12+Nt(c!Qs)a^^gnPA|6xUt+&QU>HAYhtM&3qOZ|FgoF&r z8Yuh<;X*#JrGsYS=C$}8a7cPN<dR$Y&&n1=G+7Th$&F;V0E&Xn9@vzufs=-uP^B7v zUJm-PpntDrLmzGlAhote4uj@i=3jDr)wCy+$53(#f>^#ja&ihe%1J9T-woStey?90 z=!_z$sJ7enm|^<F5(K*W%;PKCWZ_wx%zi~70`iNvxAOx0A&m@u;+Zn8!N1s4_|OU` z>e-sm#;-p;`+madkNC(7<XT$&<n-+Xc+iRB#|60Y;RFU~?a|0a?ZFH-{pR8SYC?R@ zsWSU62RYn^H~l5>1uQ_A8-Q`Cl4b4F>J!})_>3cM1o%z;or<jdgX>c!0S?@E_FJ$d zZtSY=HR<On&%Bwp$urN58Nhd=WDkYUQP1w-M_d2*)HDsnS&s?Wr}Hh(O#qOuY0KT~ zlho}qGF*6%4MfC8IF$U-e9vPHC<q|WHYx@<K>lLD%nYq}P7Kdh{&yu<`FGWGNa+`w z@E-;1f9`?$eAd`H%|Gh=7qLU?55ufvoGbS)-k$a!LHK`}iT{VT_ZKPg-w_l4N3^{Z zD_lBQQe%C=BLF%A0yG70x)2-vdVil<eh?RBeYJdTHFIroZ-f{Fac{mbA3pQ!ln53$ z#r#rM2A-JFnMj=e=^%(Y%ycuXjN3!sED*HDnT8n#{b`yd2}<!P-HKY;2o?qez;jCS zNs7@4DWSzF<xCy*#LThuWCiuiKG209DNHjAjQb#Fq|{;)R69(J4D_^g^t250OtiIz z#t}4&64DYuvO|@;<*W&EzcAU4`iNeI%E+wK%Gk(;tY3xN!ie14UdhTdrK|h!Zu<bM ztEr*E7>Rpyef`J7`<ee6ZSOCx^V*B<@Y^5S9u)ZBux03t|H+p5H$3MiMIT8d7vvrs z<hWDB-bB24j7Hj@jw;9?PQC>@>g<#}ioH9Bt=<wgjV_Pg07@pdN)w1D3%kvR?Fjv- z&6Y@+d#S?+TB;lQc6RJ@JhI=jQc{(zL@VJJ9xhhOU}riWqnpp&&s*=E&)nBuJwZJj z3CC)Ln6<beq(_?8()w1y;)U>}7-U&2`g_)tx6!|HCVCR*!jSpT4HwyIN)iF3Gj#Q> zav!B~S$F2K*MgnU6?1RGLSjCspb)g<`k4*W1rytbgHP9L5pjfLOoMg2zhi#;3@D$Q zvvm|MXJKzDP6ErqxTd84R2=zYX?U?kp%4v4hjE<Npd|$+;)X@8zA<C1S1~uVI0T8) z!wQn(BmmO(i*<7i_rMC*BRvw4Q#@Z;(8nXcP(wLiQX>+m*qpE#C$DntzfQ8(>})K@ z+?(dNTZkF;6d;5aVv5x4d7JXsfK|9uqzh7^OApIZQvs@%8Jl3jV0*(rQOlpTZQiYo zEY8yNlx$wY7@=D00nuTg7to1>rs6K3d7*POKC-0>*XMxeRM-VuCha&$#nO@bP!B8f zKSUItB3_yrog6Gaj2H?1#llOAoCXQi+zaVCM8U63Hqt>VXQPtbDw-@qk3`s!WhMkc zIQ(O}aHATWo>NwQt&ot8`QjTKV>0kq@6tIf3~gYGqCzkljJYYKC=oZfCi0X8z|eqR zSpmzUY_(M_IbHqyLieJ)=viTpsn6?;xY$phj9y0O1R@?6y6?%j7YceL`b{%&9p)Y% zDRwJo8_BnnFfH_gZNDHBn#dPqkgGoDm@p1wI>fm003Q@=Xg!c9V$B%}pU7W-3TCAX zVR;8Ih?Z*-SUeCxRFte1-M%3VWp%ZUEwC^4UJr8)&JGhm#@;y|CkJdpI=DCxe=qm! zy+$5J$&fYHKa!-?tvam^5NlMPS~p8s(T9Dmig1kijLf7LnnZP!ce=Jwp&pQnj2?b* z5}0ELP$Gc7ZJltk4qtc3WpTznhh>8Ew^q3j19&RR)dHfP#~nE7>uX+@9(7Qd*d(7p z8R%>I8KFmV>OJl2N6^?6s7Qv5RwIXZm!;O8&ccnlTw0lft9gW*MNzdU+EYta@$&Qh zs05(Hkj+;SFzD?$%})9zXhLyEMMXnLPtuj|akLLDdkaw#vI^IA7E`W}OwYW@gZ4+m ze(LjE6Sv7%$>Pe<x}6P-*t$#z5E6xFqjmIm&{ahN713|p{;IJXZK%|yvg4*`35(>M z3Z2%@`zt&ZB|C(#r|!6eOv=vXo*Q?cqe-0et0EkXs!n^7vg;%FfdPd*be5;pN|mEu zQlbsRroi6YzhkLOJVQ)&bu^OAa2_qyIJC=pGMy-NpB_^zmuFGfMb>XplyHh1(kkk# z0?G_}BGG|CN#ciL#hhAX7Eb57(~u0LJKo$rWA`nMM=iZ-ExfyIO-wFGwyINvljELn ziuZV~*m|=td&j%CgSp?X#P_S;?-{yTJAH^alH701X>CZTaip-_W~yOJ;4R@|_-Gdp zVnB{6=Ha1(*f%)$^IhS{#-5i4)4*&g#rg*32oDp%2yTKoG5KqwQdeph^_tYjD2K=F zWekw4$gPVsvJNe90@+<**ZLFq>2K&EgP*{E@qttiamU#Kvc6HXj4D_XfHzB6B8@lI zMhN7|KDbG9mRyEyu^>BNzWod7@ama6BjisRZTMUEv-v;E=)Yw@TUjC*VfR?H_yaRV zcD2&ZLI`Iywp}#=A1^hPEhTl?C>6A2y2x}GTy9=wb1d!kB98p-Pu0r>#uql!k(8Wa z{m@M%FzCx|B_)P^9>Qgvj8z32u5#LQpkW$vx*7Gcf8MzN(8<~UJ}fT=YE%1__5+)g z2-{P3$0*uP9x({dozmu8a&0Uvsz!&sN!9K)hPe__?AUy+Sso1v2-?vB8r%xB+}|#Y z|6rov$6)Vlg5R%04Lp9Gx^nR5K*S095)(2N6U_D7&0>ZaoDU*9?|QSlazw3SR4t4= z;o~DuPQ?#uh>29<AW&Zn+lyrBU@$D-QgfyoS$#Gh$6Ni_cuH<3wKAO!LpD0ncTY=j zl3K<eeI*;LdKjBoO0xJyX-3fBA>)RG+Dtv66rz<?5I2q@5#YQ~@B!-C@aqpcr1Xf| zqJdWRc{L&AKJs{7o3YvF9IJATOGM3Ksa^OKfO1TEii1BF2v~teX`}XCrLzVO57)F$ zERC_H9Nm^1)`6ZNJG|2N?T2b+7dQMbYI>ty8u`jN4M%<VPtAWcwp=>11rV3SY3LLg z61I~(YbiV4J))0i5NU%%E&)(Oin|X`R{1FEj!2rpoL&{L1rrCES6s81uXz^ighf8A z#0DYy8;`-Uj!NEV#ypPW6V-8|oo~VlhH_IwgOKs@p2S(y?%uNC#wwCB(CO*>Le?Tj zq5_DX_3wiTYAe4Gl7NY=NQXghyx10ki6??!cLKC_{pJNk?Lr%lF6C7vRofGTM<k8L z6T$^iO-~;WU<zDiFNK)FmnFcLlLC%usthG1!ymI8B3io36RFK0J~&0ejqjw%gRKZ- zS=NI&JJrNvU*0Q~Mn@L(<`@SEJ}AY#p$6*>F{U)1u`$R4D*Z~_FU@MG#r_$Kp^Ha^ z>IN^k1B}08DqF$$Gb~c{w`$IjgjvhdLXo{_Lg<>)MPo#M;u^Rh3d(I4`;D#l>`V6i zVIM4$che<hox93aT~^A}qLOwErwC`uDbd&SJCB=%)Hhr~{*HQ6h{v1f0{6?Rz|}=u z_g)JWT*mh0SY_Ks#WW#Y3U;NAQlb@B7Utx)F8+I2+tu|F3*6ImYEM|DE4}+p%V$DY z$fintr={z1v@Hc4*V3=+_wM%n_JJ><1#7DZsVs8N&)KMCFz2c0-N6_$5f}os>1%_s zo{4kd2H=U~0fOfIpYtr&SQTXr>h95KHC%PALp~o5CA)W17T1x};T7N3?{3el8fe{F zC#0!uh)u`yPg5&5O)sxi&CA`Hop1H*m60p_HR_50!+W3pzkiU?Ns5aPOvTXTe#FsE z%pUZd?&wnTPqesWkP5N5a1o#}X{^FOEX^}FS558fgg!@b#tVTbP^J&mz5GHCMg+G; zk6pp#Rl-0PjobUcU7~RKiM>5!6*{s%>ZLNx>|ObwrG2KhcW~Mvi6~Rwge2m=B||rz zNlCS7l#L;BvtVR6(Pt;XV!Tn9oIt0wN%ZchJ-8n}or%mN#eyXMnjp1g1CiuRbnVfS z`Eif)U;AxH+Y))=Te+G=Pyhf6h`-w!(*Coi8I&jK{w4o1DAT0m^{1wx`_yb=Gs3f= z2hh!2`i8D8S+qExgIh<^rAj_gk@xL8KRa`^)@*8xK*E;Oa)bP^1ZJXTkQ0O!29MW8 zZl(+bA;8I)h4A+m`~Xi4$I-ha?sl;fvjhIRv%0EwxxW9%uGzltbo1JHIY6X=0X@Mr zj_4$G2Q7}3C-Yr0DATAOifUzcnq(3Aq16?@!TT#-8b;#SFexm246<pAKTRo5lXOlL z_`N2aj9dzlNNZlh=SN(Vjft**Fmtgl(y5UWeV~%;Q4)W$^6Ztsvmc#zWZBkXbNm}x z1VyVnMl!SLq0oIYY6_MD?Zgc|ZMvGDAIz}pC)LtX$(>$+v4bbbgxny1v|KpTtx4Xm zdOOkIU)5$msAwJ2W{g605#(k#dC=?gGp72VK0K_3OANY(Rj<i?5~VG+ilFzk=;moH zx%3~g7|N{Dzg9XJ%FlUli*~4SuWAG`g2|)^1)c|H8|Q*cLSSzJ{9ot-02wrUX(^3f zAh-7&nvIuL71e@nkZ1{<`*Ihd@Gxj8wMhhCvK?A7@hH)>hvG^wGs1*O7!;*U<OfGC z#FY~9kf<dQib~^zF~%@;d$*XQR0E<ERYq&{rA}0iM>xGFc<!hauJ(&xbaCxslH@2U zM>IGq{dK)iLx!YRtd#rpi0Y|8etd<tfG#fzsObsiwWO60LKG!P0(o?_kjpMQaQs+c zQNWfUqlGxINfEk6hNq45Pa#2pBVrg^aQs#mDpF+CNX)fmu<}x*dnwLFpg2?#LSz<A z?2V;QWKAwk1nSqfa6{g}mKu+hkF$&C11DlG$@*Q7B&||BpWOrjw)rbrFPBy$sjJor z8l2F+5^Ih-JwVxSPtVEHbnV-(E<W_et0shsfW#tKGW?3e`9AEYSuW9qYj+h93J9@8 zz3Mc5EFRNfIv5dj%g+hGpQKRgp~~SMuZ;M$zx<L=OsB?qDaz`9ml6uFB<ArBw2?A~ zKZKqQ*Q#jKj4Q%T*E3@uSS*$T_$hKRgo3kys8g$$dKI#dRrR$d_va(dDAQH6WuT+T zf*s|wWyd-cAlq=Y8@`9#;Ur(tba;98#ov?d(<@U>cDC0&bp<_4V1#gx97(O;T!~ow zs7*f_LTfa#blr>|2oxis#dO=T-ELGHSc&m8<(Q92j<V9a-xRUGyuN#IzmQY(r7NzO zad7T`bVkyTAk|zX!Ezz;Xl){_dAUsuf|gYGw=0qOsP&jR@lMK^Y1^eUOSDNh#Ai?D zZ1TJ!Ld85jtG+2aMOAj(Jj$6Hdwe84p*>lBzbAkKZ-dcjU9`^4K2P*<n^llFO(FC* zx@%^9iZZw?by&EVjY!_AIBm5c6+bsVxuAku!P%UCTs1^yb!nNUB<uK?q`VL8Pnwht zeNV`=9&JAj`8CMoeYJY6zjPox^n{0_X;QesYeC75wWRanrWxjDpr}@frl{=c1@E-E zTBeBr8j#aw*nxo)?zB<ZWuu6eqvDhKtJpF~&lcgzi2)xQ#_bC#;%kw{@-yY~H*gZY z_iyr&UqDKY^DQjlGX1(#XcF6*#z+GRU}0uXzZGrRZDVevqOZ&lTA2SWgP*`TZdd95 zgzu&6vZfh5?6*v+evOcHs5eTu<6^YlkcCAgqYDYi@bM^p%u3&2&rC|52%oJXX#-g? z74_Cd3{#ra2sSrPIl7YzY8QEHwNz^S!-0uqjL&b$<FI!SsK=PNF?tUuf9Xq{wvi39 zvOH={WAl^hx7iTM4B?Q_J1@jrn8qULlVo$TzOs|jYkzwB*|FB+v=LkC+SklcDM7nO zpKQXOz|@^<11cycL8stYqAXOvd1pU8pC+{=L=b=7y}Wv+g8&a(|NWfUNkTokpIN~+ zt)V#PzG4o@Y^5MH1kJz!J?Xjn?0$i0qMLYA`{PLHiJlz|-O#yn0}MLgUgPkv<5dtE zd-o$MNfRo|2M)0T!|ur|70Z)X$&1l^&wn9=^`DMRk-DEb)Sqt5-%nCn|K}v7?4Op* zU-B;i@z;#>|8SDh_&+BpeN*G&BFK7D2UzIT`gm0F{5dG<DCKG>nP`Z5LPzL`dU6MQ zaG9pZhcdv(<rFj1az+eIhv9aQ`vX;BCL5zBU+jCO{h`!P)J`z!j?vDEP>D=xl~hxQ zGSWhQolujGk_?ZE^UX~trf8_drH!P<$*87wfXoBNF;6hk?fe;$QwWbxZ!ps_FjCPm zQq@#bG1cfBMzD@fiAsv<{Z95INn29?^kjJd7d;soZfx@Z)|2_mt&fRQE<S$_6D@yx zn6UmQ@ctXW{u!l|#QF<(i&)Qmc!}2;4F+(}+9~)&KEbG(3JN0Q=O(?_ZCq@2`ya15 zpJ7Qg^!I-_B+v!XWsP%F5j#*1v(8cphY%9K?|=zJI)F^lkM5yuzz`)fk9%HM!w9us zCR~ST*G%8Pb4|Z{d^PUU_p~#X(#!ff878172rB7%HSz;{mXE>d(5O0f*>BVAw`?dt zz4HP;Q8RaG73KtRV!`L*_g5#QbT0uBQS<5I^<GZYaU%HF`$2|@?gmO9pdF%DvE~mO zB#CM2c#yCZ3KwYN@c9Fwl8Ek<su=@ZWcK!Riz~4$-T4G&y1GBW#j?qG*D_aA)KLd) zAu0=E)c^SPYF23Y&`>=CQgJJmSJhR^*2#r#4i_?Dm6tysM5Aa?<g9VlT9C0W1;rSI zTQHW1IHCi;C+KHi{KF&HlZVyGj8#|yaVo|g*^|)?gl|Z+8NHKR@*X>?5i*qYqP&23 zJ3&Z^MZq7lKo*Uvq14_>pGV#llsOC$8CKU5bmkX-*?zD)th$mQ<daxquRMLCYjoc1 z$G*0Gg2SMruAwM}yKpN2?TO=JY!g#q#g>weOm_pIq_Z6*R1mR{^6vW(Z^K@1N1kNZ zEKxHU)+k+q#i;4g(g~*~tT9m<(qjh;n^-(H8ECrJ#jfgad7z&G9m!-5DzEfW^o{h9 zWAILLnYp}eAxB)&5388DNvZ0rrrBs1`>?Rmx~@q<u;RP6zv4M{U<zb|fq*q0zVgu# z6u`&$5>&1$!Ix=3weLatFE!d^V~`=7Xz56f+1de3K`|Dk!fY895(<xq#9BDKa1|I5 zJB`@R@4@=E2!6d2zW%OY5gx8690yhjOH1BqF<%Z5D!^I(`FXhvG|dpwoxO5zyj_h` zo$0~-=~eGq?dJEsaaHYMr+9xwbBm%y`nJl&(V&ar?(xPy^wD175g)Lh#IuQQEAuk_ z$@cJm`aAM@CfaJE(#hjeLy4wG(UaExvhzMe^zsM?$3aKziqoOq<!h71<~~Q>WX&dX zxf3LED|0^k^LTKzZt1SfKtm=JO@<ozblwOwB0$)HFHszBcWuy=O<GUSfRwE*G{c|Y z&Mz-nP^b(fEz-2+p+n=v*bHeNFmGXL^eM#o#yZ7>j*Bp21<fMp90^6?6cAYiGSUiL zxfOjd3nPIv4V7KbTo$Drv`%FuRl3B%MCMmT_MAx#C4-04(E{iLCg@6crv?QY&+?0K zPc+T#USbD_AvnjwI=ZVR^#{#L_9i?sL^6U`(<P=&<-nm})eQP)$L&dJ)9Ug?_i9+i zudyGX!ALHCB;cJpl=C2biH9~L93P!RF&2*@9JJqFfk~;&JFEZ<YT*6G53R3iJsZ>d zZ)qg4Zscv^*ct}si*$#t*9S;x9vh^o<IZP(*XEARi*Asa2rh@(Qj(lTfX3<0pVOoR zLdIfPh`K|gm|ERSNlTHlV@N*h_6-t|(j)hZn<I2%T;<k(4mCPx78rc0PeA7m!EeeL zx5-%Z&o^%oZP!*Q%og83{{<0Ne`=X*!B6df4-w}72@(IMFY>>D2-^RDLPTnM2F70y zVf+UoP#XRL5iCjnONhwQccA=l5b@X9%uh~)R_YHt9Q}E9%K!7;3_ACJLd3s2n<;zA zBAH-rOMOV*x~m5&Tr5yG4Vlj!a*X2Qh5=fJ^L0yCUHyN|-BWaA@%t|LBo*7XoeDa( zZQHifv2AwHNjkRGv2EM7olO7E;GCKHpINik+|0$k->dejT~EF1eLi2?`mEZdO@wwl zctvhiP%-pyFm0r!I7L`Bq)s%RrX{fB*ecSdY(?=32%YXyR!Br%sh+JXNP5DVFE<DC zhS9F+d+*=J&t22ko2A#4U0XlfVM=ZkHARxy*W`_~Q$#@hI+_iibF3P!I_j$`oJ1G- zl_5oMm%0dT%u3^Ws<81Cj9T{@bX^nV9Y-9rNq4CPzmjg#Z*;J4P6#5#peSSNMuB$c zyJeIXs(~I9a-fILL%(gHwzkMkIi{2Ku<6aQ6n<H$NAQp^pRzHohXGKLU(8%3_1Sh} zPR#PO;_~P#<IE*fR5AwFD`)FPidjr9%~^Lrj0|yy=BZS9!zPyHq3KE7c><-rh)9N6 z6A2EAurf4(M|?*qL&*43mR8BN#NRRzwiCF4kNdN@r-9aq%h+^wW0K~Myf_w;>M|Ms zhF5+7@t?44m2QQVFq5_9xIyp_Z;$GkEV#l9%0$R19RSJn=t9Yo=<lIndVHT1ngO5P z)r>v)_nf>QRzXJ=RTincg7(K2M{uU@e?Sb0UwEHSf`R$y4`gs(%45T*;ay?fGDezT z!?`fhy*8-%9-ibd(DGQPcRqBvP05}Yykve4Q?VAtQ)Ki)H(G3&CZ4Dgtei(yMg(Kd z1q=dp!LOKQS!D0vKK25dV1D3)XaW+w*1#G}Uf%ZtuCt>0)9PT@;|ut{2<1}z={_2H z`yvMCA~5wHXKe5<KE4^Xlu%ZBA(fmWa_fd$TT++6%rrjwsmO&X0PJ-7A9XOZ+qQuG zqL}>4ubv(kXfrAlb^<ftQ|jO=1bw)3YgqH{f;+>`gVQC}sA8UboVa5+LJ=^e_un7M zkb34?-Wy+|pPYU9KxWRd+g_9|RwrLWO=Nsj@NgQn-N5`qLTEapA-Ppby6QYdRD~SH z=-4Br2Bfh-l!W{$^~@SblzBNdYS04B(=JCtL&)5k#N0oV3TTmGbe|x>FAJ~S-y14& zjZ|FWeM2)^;9({a$Q}j8)~NYCXuX2p=e*2dMzARgedL%$#MH@)al5b~WG}?*kR1E) z^1p64AP9tI*#>V72bBc3@rC@ADYv~akPQ`~Z4N3?fnq~1pZOuL`O0lA@zuERo~BQr zRq{yql6G6(zIDsB4m#w=Q>RrPOpyr}3mMG}Hh+6b6uMU2Zvy|ecAU;sMFeHC<a|%| zCCE__@!M*-=4lYVPOH9qYk%X!7yc^gcn`;&b1{ny&ZO#^mdUDF8r(d~T-5h_eY#>f z%q4o;7*#_;(r&NGwTFvyxVR_ce~)_~jgMRM5YW68k$;~o*0)IYuc6$K(kJgNa?^Sy zTjQ{78Tv6%S@j%wZ;iWADC0&UXs1!_@9S<a`1vQrcj8hbcY5TRXVufqzmwr~Eb{|? zQQ@<S#sU9R!dYkaS>W^7A+Un!f)@)_#rO0@58<Z*$4(Ba``;30z3F@cs6U-HN!>cW zZF%Q&?ctcV5=SL9JdbP4t*s_s!OhbRF$j3l^5pqeJYVQ-TvPRR<bJ+J`z2kuVr&MJ z3<4$#p^YCoyjPXdfAjg%$ddj3QqKA!W?GH#s;RcKm48)W(f%y}Jf)r**1w$NscCR* z*#EwMrl#hrCg7IelCvW4!&hpXDp6s=iB#}@&4Q{&GM2X}SMNa2T6y-14y{{=-`H%W zHPaGPh~Hmy$y9#F;;6Yc|56L5U%bB0(Rz0|EvR`qVi;gFu;Qy1b&=~nob#QJKK`t9 z<B3j#(6^7zoA&W>)zVw74lF0K_PY>J#^6bEsbzf=-u52SetD0ji^E*lin_2Zjd{}c zE!*3ZzWC}lT9vW(y(m}6-oBcQV9@g~wkR#8l*>xM`7+C%*mZqy8$n~HCH`zY8Zy9m zxCk9mR2$eCq+`-JpJo-{*a-eMw!9cobief6x7B?-;<&v^riwXL9gZXm=jqbIP-;2u zW7;dDfe33xRi9HclsSGRrp!5d8UZ<m2k)N*7lZch;=#IeB|m^y7g2GgYs5zd9eNcy z(~Tgf25;I)zzvd0YY~!z3lymL6a3ON@djl_bt9%vL<3n7Hi}N<$b^zq?P=)+LLMF- zGK7bSOYLJ&J93H6VH;7tKw>sR?AA&3SyO0AeyW;pbnO}$<$Lw>C?!)1;|qP!3YQZX zv9xMVxPZ<eK|+R8d(`6F?<Y<??Da|RI9_P#uYZ6rj;6$Au^epmNO5iFYd$gND{%mf zd~POtw3TL20|jg$?l#2;f4HgFS9hw6MA>lklInzrAfOD6Y+r7fnLwkO)uYIB9ul^| z-?D_(uBO1esyS+E@PBYppy~X|%tO%5!tbW!=cVc`oui`6)Ie<W;9Hc)2TN~Hm^?Zs z$yd&|)$ftQ>&r`l@W5CtgOA!0zE#@Xk1t<BTEyKgz58{*$4clT`=-ymm3wY|MeyC7 zl}Gml_um80e?+T^IZm|yY2f)MTK(^93jYtF)&H9{g@2fpWDFqc7j`0-;KaztV2Z)S zZdOL+4pAj?Z%(RaTB$}_W_psrz<x%Of#RM)Lgw+|-XtKEns#bp+JuE|Km5kUNVqc0 zd~L|whs%(v7lPq|{vl@NKKc<gI*E0KmVRPyQdYEwJ6if)n#Dy$si^_uI31Isq`vqt z1=GS2w5it&;Q@Y<QwTRo2Gs@56Jat2UN$CXVj>m+AtqyWKbHP6X<j+sl^HLBamq9$ z95TVnQOZxrI!edfT3)(N$4|-LI8xu<PntG8*~U@Q$1$Ly0<Ql*h!%F9;ryGx=>HIS z{)1>Kv=mP${$r`M{#_XVm*o$82UD~EGoS_aUr!tUZ-Ca?-JOc^KC6l_-+w8WwfD}M zm5B}hdiA3Hi0ZTJ{*PqV3j#rf@5B8++}?j;E|!YI)c^FU|I?5Dx2OL9Ip%60{r@!P z;^Jnq{wL<1{hNdcpBl3x>t&BpBOwsq?<9TvSwL@@SjbK>Zu$7LF@V~+@sXm+NVU9^ z@UjD<p@9_!z)dy)3JTel@WK5LAM1a<O!|y6EcvYes6WyFBIf=#9`1idrT!;8T&NF> zC)#q;cUyzx9axe_gZ7HK#FOL@HZ=G(Hc-E3C@djncutbA5+U{=l%9So7Qvj#luW9j zWp#~S&Hyc`QLbf~-0p3zi%o8=%YIbGM!4^fROWXZ*{_7>wddz&7+bHSsm|ly?>bYR zcYj+twN9H*N-ol)L!$ziup?gdQk6BqKD0SaJ`}P~6<&S2e;(bdbxYC&xOqNatSr*W zG=~95R@JIT^wYH&%64D$F24W5Vb49oc%^1f`h|3`UP_GSlKa!04q7=-b#i@17v3IR zQyDPIzwCi&b#f-gBfcNhnz|Ut%=R*J71DzG^Se9?m2mtCJ50ciq^>@iG8|c7Z)$HC ztxmB+D{r<>XMZ2ZQ#j~<7PaU(R_QZZP4%G1W2EE+1SZJb${5*Fu7xAK=yP2S{$>om zFY~P0uJUB$SoYkgIJ36)Zn;QPuW~q9Jw%VD``ccFPZuIIdYTfvq7BM+f+a@>@~Emo zT=~KWCxm?X8|9?~dR?8#U^cA3p6MjDuO2st`bNrcl<eKqe`SeL#^}ddJVBz!@z|Y8 z(o`IsU-||aB*ld#^tByzNEn?+IsO)ed&eB)F_sw8J6V@IzGDwVIf3#>QQBI(RH7qD zE>6k^BQrTvXOxQaI7C+GHjd-y)SJ7O9C1-^LZ$eKX<RYFYoQ^sce(hxs74PCf$QTN zMebguazDu+4k1h!m=G7bdTqb&bZ;T^8a}}Vbg7XNjB(}9VCP?`3t{?H2Nnk(eZ^6Z z)TAxy5NjTzQ?=~GT>aAN_;ywHNZ=jy2g~A4&FC$p?V|8*HV{*Jl>{4drWWBB7pg2f zm+Bp@Dp!|7f|h2ZGjmvJyyXyE{F1?y<;I*dH17?!z88hIfk~fHHrzh%dH5GSoMGfO z83;7}-GPPYJG-Di=tIe9-Cw|6pT_mDkKi**A$?a6!w86o(!Be$w?$&=pt?$S7pPw< zY7gN2K+!VYHJ`%4^sjBr*N}Sitt60u_oVqP83o4e96J{S>Ke#4<eEZrdQG+d3ltSo z38)`X{ZAt5>-?JjAUyVv^LPo|JD~fzo^taYo@i4+9LQrq^vpQ2Jo&e>;f3lenorEN zDFU!n)@b4nH1(46e|MS?JN&>clzT^|P0XLW<>_$)nU3J4^~IE(gxM}N1DSR-97A{E z*E&Fv+zl=x?EBy|o1JzIFAp*45~jIyBJD;~Cujej1n?l=N$t)h4Y4&hb}ek}7_!E1 z3^?Phw8%int)p(@+Kt)8rQMTHy5QA?*$hR9eGs(u*%U+(&DX*KE>xJEw*t0Za2OMn zejvkena#$xg?73v2N%`kGHdUAMmkE~RrCr{(@Qfh!&N#V=2Y&u0yl*wr~>Ji8*j~4 z-k5&*{CLA|@8IHQLrX#oE`zBjXEJ>x5B97j!$;ggFnnY8w*I&7EYw7X{Cmobi_U0U zQ4wZLf6#$4c{DhKF$WqjyCmH~ioPViR#e*{qMFLbQCk=%2%F3@Gu?;dzMY_RyC--c znsy*K_9cfe6*LA2lx)pCAaL3o%tprOK2hn=KO{`5u@XCwy6mZDB#OIqB!9U!eN#q$ z^3I-SMdOUupSTq~0ZAc*_S72>oD2ZfJ&eFc`6e9U<^xQu2l&d&zj@yhAhDAy@I$=z z9f=0q&*WJ_`P>lznP*94gl4H8Hz1at^h*NWSZO58`;H=L+s#2$;7u`8_E25B2I>Yu zc#O8bdTb0mAjvqK-ocV&QXJ(zW9H!}XFuHy8r?*~58R^d9Ry)*-lJ6vS3$jL1zEwN zvVSWQqtY`s?sm3j<A2ODi?#sG+c@#y{ST`O5}SOYPtrdERR(C;ijpev(wNh_u2~jW zUgwc&i|RFC{lHkB#9>;ip-dPBL$U|dR#9L>`nLvSAV3!rAVyoje2CWA?2vc+O#)B? zM1U5xDVlMyiImx3S{M5y(MDpZoN+IESjS-THugYrlWx6tNyiZenk~uF2!%4w#5$yk z#BDtIGUNfntGJQGLEAH-KFTX&Svy|JIY&A;qPl)R-Ol<7t~XwX%k$Pa4tV5wBCQI= zFXlpxC+7RmDAAEp>5zvrQOUM@a_|8|(Mx1L+aR%*lxeIKR3IN{TJmCu7Shf3MWaSW zc0oh0Y83J6W5(#7uCQ}CKS+`vZ{$IQ0k&83Z|o&UE3z`f${m)Fd(M`v>p-&$=014T zJN)5mi1|k!8G-7|5w0r<lWM_20*R|c(%%k&W!TNoyOuVK#>7xK(T<S^a98@Z(A#@E z>V`*x;$^`t&@DGW!_vnQl1mn(R6}Ki;!VRhj9fRHj2~vq8HgKtFkCI2y)H6O;(W6C zGi^An_`5hehIN6-pf#97B6n?~JbebzeVwyHt4u~rx^470OKc1w#4MncFYd-^+{0`o zR){yOa!0Nz#_l1^MKSh(`Yq^3@>T@aJgT*~&x##-ah+t6=&p?y;nFU6PA+t38swSr z<z5Q;`JXrK!OA16`5{hiqQZByK!(6wk};BqU3E|S6=|nBzCWINba~!Au^0Q7a-k|B zDO5CuMIw8hwMaS|AH9;Tpj#z$^!O4aK9r_qbf?!)KA;){@2uHj063$_nRF;b-4!>( zpQ(GVc~LJ#oXf<#>%DA5Necbso_}_6rG-fczm}rNIis0z7DqL0Nvy2lMo+E4r+kQ{ z;K-a5r8nS_;MPx#?fd)*A$J4j`H;47BdTD0Z2U#dM)>)Z07h06ri2q9Ppn`R3EY}s z9sl&*{c*9a2tB?={G;pVV_{g~cV(kt<i^MFTmBlbQ?%9%to}&=|0)*r<5~~xLbuph zN0fqBdZoiP!nobc43Q8ck1Qt4FbC)Y;1#Ocr3q^}um-HWFRH=i2k9LNScvJ%9I{)l z^8xvd%`cx_RaW*0;#9wO977zo2a=r-mR?>W)Zg=s{DaqsJC=pdlCy&3tw`q3I{D7f z?MXwTkbLs9OwTbwXT5FUpd-;SobbAkz}S$^o)moOvhI)_LnvwFnhzGMvjUk9?w3qQ zc%6#^VG4}$w}k*6kQ?v6r4ogC(@!uW{5_7+Q?cX`f&u5ce6sLn7oDwN382B$d59=} zJnQVl;lhD4b~C^bI+@p?-5^IF$z!VS1G&IgVF^-f>E2LhC@U*Sc=%8yKS>e=SYB4# zTNyoQhE~WqBS-A{3O%PbelVN@{3~dm0IYXFh8v1M><SX?S9?AT59--tU)nA*r8HCj z74a2l2}j---HwngLr_a-3LlQ)FxNKtcc2LVASDn>>Es}wS19co$@MDeA-}|n5rWiH zZJ=f>9NCCS9h*NG=#dx`xIWs5&&d<yc@YyLT>mX(e0`p_R3FK2UUwsjR(xMzF6r+B zFY%1sx6<Mm5}y=fF-P(#_2KluKH_LE4({d7sDI<;bBq_^qCf#=oPM(bUFe?`b{Hxu z36{jo86D{7KAtDz?tRVrVU_I+lA5Q#dJQ80Kh%@~_nU8|I^li{L2!yN=0yppGWbHG z74FpyQsPBSE>kUwNu{*v!fN6f?;|lU|AMYo#C<?bZym=NK!uWl@>OOF_kq2mWX@4d z7&A5FO}t|kFFaKc4<?19gk3x%iZ=ySe3`(Aw}d@P3Y^-Z3^RG_qoPPm={4T>;W`M+ zCh`c(S9}?z2O5q@0EqJ@eAFC__zsTX1PFpEgCBeRp~~ME^A1>eIiqS1E(X$aR>SN7 zR|yBK=M6tbdhZSS!Ny})q`qGPt+@V)(51m|SKucgUuuS3Q)!4lQ=j0(L3#9hb1~k^ zz7WJdzMf$`(3XP`!u$Ng_8dV{<(MIL%q>Tt{z1uG?3FzwTLVSc*bvWo)smWfgs%B{ zh>T(RC>o+z$62vO5nf{ou@@xS1!PUcCe43XUtnas@3;U^0rA)ftE%YyX0+$mh%^<b z2o|x$MU55SXd~<;8i}7ug>eReZ#4V?2l3kcZDTOvT?9m^L|62teS#QqNkso#j*emr zvEdftPk|c15&Y4vRI-xb)@R@;=|uw>#bAW=x&za1NUisz-nC;QxyqrJuTfaIPys5D zBZH(sC!xsV%@?Est{;h$w9}yv)$jSmc>BpY8BG@a8KjYvI!UKcQlXhg0OP+{MXE6l zVQ@ZM@d)f=80FP!llOCq74`!yN_qEARooY98}$v#r>O<T<F>6C`4@?Hm!;l%?1SeG z5CH6sEhpMp0Cj+<9@?^6uPH7hwBDc~RJF}&4IXN_YZ*io&4!;7!fQrsnp!nIGAwv3 z?3PgnnJXcqy-igyr|{{MA{6bdqGF$EV!x^msf5&)VfcfYkG;nq8C5YK8bSd#C*z6d z0s3ilCHYpcO+O4h2<2{_KT&n~(ugA?CRk_+`LP&EsczvsqEU>b{L1j*rmKj@zf9~4 zNyugE^zI@u8mGdc{n54G_>!huAb0`#qsv#)fp8x*=<%dYkzIxv+~l;aIXx!gyh%vy z0HFhRGX=_3hOkl_4I~j`%F!6u0hSK19lV4p^By3s)NCvZJAj^w#V|Um3}*}Wf~iLn zEOr>ByuV}z>JOZ+eYhkJwJmXjf(~fnVs!I({MrdR>P@v^duc0T5)N5SvPlVzwWy=w zyAemZbqfcnMn6Zjb}y^Tju0)rS;~d}GKy?v$;Qn`DbX*nTh~S?;q;vwqXP%os~H#Y zxZDAs+x7$=_vGe`uvbLKeq=eZ3e1!u`9u~H$cprz=dJA6!suz8L_Kjr){1j^m&i{d zh@DW3dPU*OLjBknnL58hWIcClRfLIXm9go-$II9}p^T#HvrdW^qrGmD$*fCI;s1Dx zmGHt%{jAnr!NY;l=Z<X`RJ>G7jj<}Xi8`qvHu*r$N`UbGaf$5CKo8bPAV#nJ;nDYy zr6jy5vxcNZ>eAW2L#w)N#87|)v?EoEt;bnihaV!7UF(tE!GMM7ugDiG9P)-z<auG1 zNndzr;#d5A@HB8?urE8(kgB`4R(e?B@cpBQ26A4e2qO8~F;24VhSUPbKtkHdyq{1W z`o+ayuYT+~*vu5JZfvi;gBh)rkcCON0Z~v~V&Raa_*Y>lqsuexW|7(Bo{d8NmE|OC z0u-B_>}@;xz-Kp_%(nKCRR?CI;H^|EFft&&9pcwn4-T8q$i>f8k=e^xOO~l<Mn7kg zOHFPcqJ59WIJ1V*T}ahm(xXj|!SZ7^fpSpy+B<O%O%fdo$wY`kiP+FbcrWadeC&X{ zIN5Ft<@hO39+pKMNzW(-9#S_izg}4;(D4C!AQk|?lMx<D=Gnpr_5Dks(%pu#a9W1y z^+`8J_|mI^m`?!W?(*J5fT<@Ji?nDBi)4{;Xc<*>z3AjT3?!5z`X^ma4=Z^^oJHkR z8xQfTP%UD6y3;{cF;!;4uyK(52S`S}QJc(bYT&k*{_>&=vFPHxCJHbjlb3nJ#aWsz z47w#tTGzCPpR&JtHgn)aHw@d$6EFvdePK(IwCot3lnNBst2tyKb9oUB9L^dl&3O9( zr{m?q;Q0EqXUCa@5oyRTfhrTOx{Ai$YX@G;`XMvaD8e&}I@mp9$n`ZJB8=gSgT;vg zPfYtKMXJq(NXjGUcv7uL>&h{R*nQNW?H5O&5bu>lK0g*bM$7&O;{DNZfI{cKO4`Q{ z5-K*Lmqu1CsYgra;Mbn-Px+R);PC=InCNnReGs3ltB(z=m>YsVCez8o3)K5~%_(D> z;TYqG2)G8~asFgx|FJu`%eYrV8g0-a17p|pl7KdXo{scgXK7fYwAJZfbL#y4w@A#d zPijaa)xK_|Y@TfIZnHImO1)i_Q7X-t2Fv?41YOd%YGEpxzoDT`o?tWKqLq8<iN$g) z`suUJ22V9gepx?0F#pzNALfKF3*3Y2n^HZrQ8WN8tJR#3%8!~lB}-s&=F2`FK-A8E zO|lU8O%gUl?C?b}Td^Ry=1w*W?6f8V>(pQ40lR0D3v<1t(X><$R1-K0QDp{6f3X>} z5#iU)5+0C-s_6V1(rP6P2Q|lBWS21q!4?W<LSs9KK2=1+i!^)?(b?j|pCJQUL-U(x zJmIHLGUQ^C2K4E@%<bfdXlW0J#uxSrqima6DTh@6YjwXX_XN65h)IIIL!g`Iq>*{P zTlYH%>*!gujjq9}D<7HY_7G6*BKF^_@~>>``$!6Tu9%tDwzEAnSve#|w{(Vi6iVPD z{Ath-igpy6)9G2(j({jeX$C@IKlk>&vI0&^f0+Cro+qd>5)6<5Z-f}Exb{)Zcy%h+ z3<^n$qa$?6;uzb<S{OzYVZ*3I2g9u-47d*u(G@2SmAE^Ekl;6uo1#Q2UV?!2#9)~g z#|S=8dlPg1L5223)9jX=6c>HN8fXjNipFGJ4Hdikw8#=OV;uOa3Nzr`?UX_f>a@DO z*2#i2;S$*5%eB?A1)BDgkOkKc=rT^K>V&}h7|lTsF)n`LOMrCR)L?u_mW^qIHfC^S zR2v`0^Cc)9oB@){3>+;)ECxitKhvZ$06PMP%HpOI{AGME^CX@Mq}<d6m*m*_jVMf4 zaw$ONcy<!|*+)X2NuVqkA0rbh%uch2=?3{Heu+u)@vg{0RO0^xWvS}BenOeoHr|7I zNQ_3VQ4OE5&qqDiGnYIyFb{A`aC4zqXD=oDCf#8OtNe@4=@F6UnT^U27rl%Z!%5nn zJvece1;gTu2OH6}A<R=5V7se6al76so>S()a)rCN`K`0jNwrrj?EVSnEK)7JV;|-s zQTlR<u}(H6|C(XN<@`>+;*EajFPUlqNOqY)Jb1A(MM^=l_QdirYSq5XA-zr3r?CwU zG5GU)#tgtfG<K3MK2P#b=5e3)8yWndU;_UzuH>Ys=nf{4b=5Aht02CiQvPw_8b*GC zheXm>aObsQstfy$w72G(Un^q~vs&x1AxB~JEGxT`4<QS4Rs@~pUXIHcG>m6COm))a z7_uRs#LkS=B|ex#dyV-S2%6;7F8n%`;KYVhTmvxIFxHu%u91@MK%tZ`(4AA8+icb4 zbceagy;*HJ{-er4ek^oGptWNk->L+{XD5kI&T5~FbkIWns&2AWw%mgYPYB^o9w|eL zQ*s;_FtRbis5YoO;CeGiJ9SU|IABKhioC-p9yfcpO?<wEZ#a*wbd{L1ryMY+Vm+|h zm)1t6Uq_hK5OKI-6eg+}-55^s4pSp|lph~^@N?%YAmPP8Rv5SNH!q?r4Rbt*X$~PM zB#a3<u4^NI?&)mYyd#;>37lRG0;iAKK0$t-BVA!>TP?ot1^o(EFl1W^2ESDCIwSPB zN>Q(p2lY;Lcmp#3VWN8<$={Y+3Sy+1(9u(k#15{XmvP`toz}$Q2yauMf$7sT^nIeY zJZ87c5gap>5{EdBM9wnM9v%U&lslQ1!*wm|yTU_G6G%$i`H^OUoMOZt{%y$(DYf@` zLR1MHfm+f>J|-w3`!J7aV6ni?9MdfgFoS;1dAESTt8j9vhu=dO5sU{UmWy!YElHtI zSI$XSt1|WR-GC!P76vEEQEn#!L7e_<BU#!TBH;O{_?R8=J<cIP@8?lud~(XV0U1I$ z{rlh}y=sG%F~+zr)(-3`H^n=O5V!KmYv9c1ik~nzuDGQbdwksm7j$;I6c3kt>o)VJ zab+Bed*8*ry5(H2Kcnuh{2Z^4#ty29w!FF+9lF(8&ND~@Hep^Za)Y~ph?rM*7igjT zZ&S=Qo+DyZ31X7O94aoHDPY#*8GX>^uqzzn+bG!Jws@D6hO=ifK0GH6OP(B$eAOFY z&uU&&T9ZbDLLB$(zuEE_yNwi3KHD2+teJ^L<l99;On4JR-Hu}UqSUqt%u9@;lv$3! zKRhd&FvjMLrU0kSo#PM(vMX58j}w&*^!3L@7FZ6tr!G$r2V{p{;~WuTkGdjGXMgcH zOs$__Y->Y)s5<UAoupi@#;pTIx>kyfD;&dyw_D9VaFkXDq3RPo*MRchNT<<^{9Tge z)|K`$;y`9(<ETwh;W;2Jakcmwv?b~4VuH#PlV;)XSw?H7|0A9CmTO$TF`?K|uK>t5 z^FE6Fj+h&UsypI=(40PS6XYnkCrh~Sj$N131E@8{UJKuJFD#mxdnhM&a$^4*$&rI= z^ZEgjw2}QUNd4N8h-2-z1Ofao?l3&2Liem=K-KAb@DYHe`8&IaLbH>S{v+{wS@#WA z-!<i|@n=j3KuuBvH5;!Wi_$65sUdJORJx=5s7BOc(>{Q<H9y|I#WpO)e;s~0MlmFQ zb=6f{u#3P##K{ZZ4BF3_Fe4bG&!~+KiLxV55ScGYLwkTFKG+JqPzWP6tz%1bZ5aiT zC<LM}QKDxq{@|UH*-WsjI8wHY{eiP)8K4(+2LJL|e{Y|h53Y=4ebSl@s)1>AF3Ys< zIK2NTw>lAo1qpeYhNyf4QOX@~BY=>d=?;dMVFIE9b^&?Bry?z84VJ=k&|(W<C|UVS zBKAdr7pbPqZVGZw_LO~-sQ-z~9}~q8dh=ehq;Lm6*yq1o6@b33C>)hG#Y*$xCH|t* zSoyOkz@S3iN?4)Voz7=sQ!j7%z>;F?2q^@kWzPrLYpfG=f6fWXwVobCvg@}a?j?fd zGbXF1M!T7$kvfY|A;>i~^z*GV<L?&wPTz+M;BSF?0hI8Z(>%pd-k#7makMfIZG_J` z|0VA#t1Ly+Ne#PJBV2;ZF;Wi*xl@v8IEGrxqWc}txdb<YD>{#3gp`ZHl5xcEx9@M+ zY2pu|J_{1zz_6dM7V`nDiFQxR1y3CHMrEIq(WO=X{7~-JBBh-6yU-$zy>b3%gu)4V zrc@Qp{!q$8*yh50HBw_UE(a#T96OP5t)wJndbfLEl_?AQ-3`H93U6+#xCAbv_B4A4 z(bGwWzLnOFMu0e$qXRXDFle@cTWq<3mbJkO3ou5B_&Ga|?r`<g0nYQ%SwEsh{URC2 zeecKC4fB36)@IKlE@_TcvZUwn`i0$<28Yn-hCS~M5oo~H7N4`F2*+laklH~?Q{9T9 zx0vi?f-Xcls=U6+Xq1lX1eRDQ0%LJbY>BC?QRrYRWPxLqN}fVh`1NXy{n!d1GQr)H zB0F}`7uiX~-P18D^wPhTa85j3km6~;pU;$#3G|6<=GO^f>v3z)OGO^?8=qr3s<`9d z$F;7#_MwxNd@w&?RE}l*^bkpDF0|C<WRHM=^fdbp8*yJuua1Td8}-812W%yt&9yJ+ zO3W>e;1Ww1+0CPn1@Q`97$E)pTkuJ5Hi1YHidXgyLxYDJAP+-ghBxZ-9iGALzYa>r z_P$*rl<%tyHs_8@hLuEQ2CKK%*^{LK$l_+1BF~|S6}gJoULD8XGM$Sr>K9`6<L!af z5$AIjbWLJNc|fwB2r11vx3rnmB_4H*XAj#{&qmcI=`<F_c$^HG<mQD-vZpxO23dE9 z7qip!f}V)&QMUi#5WE2KghWJY6)XTMLQ63}Wl)=(&3={C|AyIA3g-&H&4i7W%K2o7 zJy|#12VLO2j8_=|+nxYKvvrib$`2ibfY<6FSnOhaCZ-<!`ce6cWUD?EOcyA*!fG+F zKGbhZ7}g4dKY)WSK;lK^k@6d1#$yEY7G|7l+=z))0m0#@oO-(xMqwlNVW|k5w7e9I z+0A8<lO*>e3dXtwMa%S9h1U+!#2;XqJra6u)=dWmZ??0HB=|u3BPI<LzV4&IXUG%N zR^*mE+)tV%ZW?52a{3%09>sXSf%52|A-u(m_Ch(r$qm)KXQC&~FpdKsc1|q$T)-?4 zgP&zH!r6p-R_0?#mEdbhNDnK)co#<0KPCx$F%gYb@JJMUik{CqMm_vBKI^?Y_(W%} z8Bg#X4LHj7Oy@|iEz=5@AwESAIijA@1l!$&RKYU+JpuK!t@Thj<R9>BUz2;K`zyOJ z_lz0)oY)F~F8(kuox3>U9J65Xi*OvILCu46Kj8*H>!&GYtyuyu+}guj9yZGavW3x> z?@fLn>o@L7%B_c7Emh!0>Mm|uBaeecmMh=^iA)zr$r}-73|jjP&@>9;L}FOF5(m;l zm{*}xb5PKSHnv;mYjH@l%hh6_Vg{Lv;I$48*o6-jEI6i6_DChmY@?iI3_a%#KBF59 zJhNmNuuv4nZVpxtwaQtv#JwfhDv;w&Ge26~uID7|a-OL~p=Ce}g;0&&q2xZ>72Hx@ z1ibN?9%od|jju6L-ZZo=%;F>*>?<Rg3zs2TSc!nOq%^FFSgc-rTSN7u!DuBwyvBL0 zj|xlpVPaF}@u{D=iMYSV&rtc1g9z~T`pRmgyA_8_&*V*j?xUCpBNqN14b<xG918If z`~yrZ9OhhBA_5C`4sFFCGB$iMYxY5R^I!&m5_*3e5uD_ff-Nf;$(cwoCA*?!VSJJ? z`r6^rdST)&&}Du$e782M-@mf8)-LgTwS8IVb0WTIG$yOg=3|yL8R|ZuYl1Piph%1& zb&Fo^Yv|cwu$>Q{QY2gzQU9ebjxqu2AialqNRaz$-b&vPIVB7KTKn3ze~AySi-{8A z{@eM5teyFLIbXEFpACVrsK6gaCh8lPn6L5=xQAG2=bVCM83fQ7SUfT4a<i0JrovGd z^$ajbt2*iv9&AFfSo)?p`%Q%U0_P*_s^f~`M9}O7+*V3}J`Ih`8={orh5umbyQB;b zcFJQ-xF_#oc2y9PtzX*;WI{c4qRf&{X{PZL#nJa}a|6BEj<rKkGHa-Uyo$tu-0g0u zg0N?idOvfYR-<51enVwD-Fs(!nFn2!LTRP9_D6dhk~-REy9A-|)IAZ%f@p!?dFGs; z_mrN06UHXg?)M8SE0Rq^YC+t)H|@?uKm*i$Zd-0=RYJ}Ri7~*17V7JHShe)y*TLk$ zE#>{52wTme0k$(h%!RSnHF#U}*m}TbxIpt#%-<P}lpHmyFED$+ILyj9tA=0qH4?sP z+g>Y+!lcPapF3aHw6_)ic3e>EhG1zF8DP2N2>UgadSLBLIAQM_as~6ZOU#^TI?OCC zOcnh=YC=0@Nug(JsnkSeLCKrWXe?ZDsPOh;GJ8^K9`-XspPRLXwFSWl*PVuur(xpj z2A7(j_+7?u4c7Ubm=VFE=b2poWj?-MA{-dc2U{Mco?(!#BOb@od}K{VB6jJM>0QNA zyZ}Y>+n=EM!Hx7&7wH36vjFC^Y(`KaG9=ThK8}t%fD#3MJRik(@(Q}YK3eK1f4zsa z+Vt*Em9OGSDI99D*$oHey#sazS;zPXVd8_9HkpP}V(Wm#tN7-2d?H?!lH3@QplQY# z^bgJvZ2cgskzcR?9f{N3cxRJ4-g*Z~4!5Z8nD?vFy^=%JhpRCJQO=M9^9~hNvdcHF zGTfb+v&mVyKMgtVoW)88&X7c%2{u9$rz^%52y(W3UEceI#>U;#C43uG-GR-RIZU*u zAL5t5P?HV1uM~gbMhT9?W7!4$Eqf@Ds82b+JzyVT^BXmn89(3ReC(q9CNX|9946*I z51e;K(@28(i`F0{?hfh$?^fj3<Sd!~;3u!ulLiTwe649rT{cW6B|^D&*hO(JHG_-$ z8(_1wnomNrYngL;Hc0~hcr<9qlI25gK8`NpN)DQavxd=<QxeHvcet`9aUm{shP^Zw z=H^$B+9l^`{+1J1q<97U8?K94W`u77g~39;_;6|BiQ-AKSWOit?UHtn^9j5JArM%T zsV+K*FpanN!~5~@WTXoG&B)t3P^PIWn8Oya*N6!@3N8dSOOSX{ANt0qZ}{lQv2a~~ zy~(5>)4^A=`Wl8^efeT-ru1KzzGz&Vv@__eO~qaK@1w8tMAYBjzxnPBk6IbB%|k8O zkS2pN8ow!hQaJwP`rEPNyB)$(xj6lSEWUmJ<IN<oj_VzS^=i0r`b;icTzMnLv+dAV zr@4O&Yi2`!0wYDeQ3>svm_7<2-ZXcX_+x`a2cT~XeQtnyxfH+yU}0bGx3|&ihqU2L zfT8ef^QMt?j+VyMS@*88JazKbT4%P*fg$GPDI9+ByI^caQ=|Z11U9?>lFk#iJZX|9 zc||Kt_cmQt+A+{;G<NE>s2l4ak&8U83Pjcp0o9WZyY>IH742l*P|0(E)?U{BM5)o3 z|Km$Iv1j>RG_X*Pw_*XcZxNw`iGiNTVawB=zJ^(&X-cR0*K<Ju`~eJZL?-q1Daq&I zNrO#}guFnMM8SlfoNljL<*JnGgAlBnOezazSt<mzVof+s#;Afvn4|Pv>fcC9iosMH zO(;w4to86NHTk9o<?px5qsdAyL_u8FiBYbsTbXtH&jU~DxQk<p(OHJpdVKU`or0>z z41ZU%uoB(`<mxyp88tFTlFk^)paPDX`_I<ndift^R1i5Npp-ZjT~C!N4@PRu{iaD+ z%iuZbgm}^cQ`2mh)nMr{qL(RKBCNXLsf{=D@YfOqfEB8DhkpsvaLC(`OS_(DH%sZ= zn|aEz$`Ajok?ijev}K`oeh9USod)ojKfdOSam9PIXzI$<G$lHmqlGgh3S<cdhp11E z5PS_4Tx$e^lyY_b&fb5j9weKJ<#H6ODURgGR~u6A0^AtuH2J7srPe&+{(KK4hA~rT zMZAh6Wwhmk@90x6G`@pkaWSI@z9LG>@MQP1tt15XIiS7(a59YLnN;M@HT(@9=64=1 z$XCAq9guVE?Di4xklFzJwBO0>;T<~A8X`C5M}WWgHs%Lyn0uZwDairpsa}Z~<PHDf z7;C64=RAO$=6gDRkFypHjP{Q|^bu@Ey>~Kac0n_muEl)Z?%5cpU_}A*rwB6&bD-2k zNKgUkk7@g5nrYs!(f%+)y*!=a>Hg-NRA5#cqJ#9onZdfkm9}4j(6VBz_`n92>ry7- z;G$098Az7Z$~$~h)9UrKeYN9UVB*!ItyK@Ld_I@Qyd%+%w;MCqV`qrxSi~6yOKb(0 zW`ekv-ZJ_<iT6Ap(@o>!U(#hl>g9nOq&^|JAmIf$WD+2pWX?bijF;kS90O{Zi)5c9 zc^4(naib!>tf3%%E{rdW5$GW}Ns*mNi=%^w7qqvHF<erg!9%r(pV4LNG%sUSBy~5) z^2D8C6J)ja+(3A^ZR_MHEZL5>w%rL;fv$|6x_5MHoLRapVvWY8juE!~^(&a}D)}>5 zz!g^$_%=~n=a1kBgv`ZmanQn8TTxw|Jt<u&y*OpOc5Yd3A7ARZ(qWNs%8&oXnH#Jc z3M<_gb$xigaB(7zU((;Q4Xds49L3ND?KZB@nq46WWKH@`e8;~P`?(eaDwB?3`tkn$ z8BAHOsNsn<<u;;={r*v${^#@-OzO7$8kZ3la^LLSM$}U80n{Yf(WQ~*8a7|YzZX#| zwd!Wgvg0OxjXVQ_CL9Ztp|1_2J88lZ6j_|21V>a4M?kdm+0F1bl=yfpR^~}yvLI__ zYq$fXi~(X7+;LlSR5{kRUE|rdOngEF%s>W|nF+O;pB3pj&OMFcFGgT4I2nU0zhF$2 zBgwDdFpIr0>R5oQaSi;gkL*tG=Pu2seO4HnyXb+LERYg3T522yL&Nx8UYRyY5l#`z zIm#2z(W_+=u@B6~(H9pX4>@66VYv}=gSg$TOi;M8rGs@G65YRhX8RLqsfG_gj$t@Y zzhd~^D^nEg7Eqnc1$A?S>K}(+!E}75%BoneA*};>3o=OZ!yn;qFdU-;%-zZ!AY?CS zQXL6_ijRJk-1QBHiC64cm-K>!n$F{YDt>gSI?{KUDRDKZZ)ySYqA;)NPlCp#ksp7X zL6*+;h`DUzc(PofoY+sa$faI_YFq~=oO?dNOE(Y42{P{ocjQ3$A>RlINp@3Yjca{S z3l5!1^wK_OBrVf`3hc=Qe|?M&)I1PxQC)-{!1q1=6j;%6415w(pjyjXvgtr_KZOqy z7FedgQWj1+i7{k+-`kDgCcGaI*Q*7khxo@B8ZvgJf&PMIcN#@p@q;k?W)@JjA4cy$ zU<_mr(-lDwoIsxpao~^$FV0q`ER474gP`>5Ikxt)@*$f@vFO3LqT>-Sl^{)O0Zrrl z%_efBqGJfRm<Z4S@jW#*>c+ubzrP{cHDaZ-dGxz^P$5)OG2FJ~9auG-09yf&1>b7v zi(sxBw4o$*%*=(Ot=H+-Y!t+EP$c6_t<JE=7#=E1{|aI6h@@mJkMdjLp;U4podPpX z+JSWe!FkLSJ85l-N_%{DV1e=O?Fcqya_7B=oS0#p@1Kx((93$x*A+c><XOk!s10^t zb`YgP@1DnVI+bwahv+4m@(%Gju`avz<ar7l!y8?_#q?WeXz>6C%h?Vte4kwuFhCf! z80B#Ic78qwFN~TNNlDdPz8HP1Pz~!jp2)zZlRpCwMf1Lbz>f5dk??$>iP<AFr(PvO z+<=JOyzr24g4t0i!?h2l|Ays^s_*2IR@l52*BM%PpqUaRWP4Q7;y}71&_OkdEG}Xd zdP`(%+)0J^h|{aGa^o3=x8<s^$F5&X>UB*DB)b`LM1Dth7VGOgCpIgL0`_OOWgkqt z{`fO?Pg^1-MSj2sUZg4;pL_r{ItH+gNZ11;wPZFvxaGan1PpLIB0)R-ASYNfI(y-e z3e)VrHL+b6g0I;73s^FuZ31hVx!uPBp_4?-6py^&c{9r`<a`~7o!I-F66lX{XMI3a z>RhLb1Husq;6kWy(7S$sIQ%7&T}J`G<{-zXj3(G-5s}NK_0Ed4f|}q>kgLpm;u`<R zX4a^civE|8^N2{+jzw1eV<h{d%Eb@jJzE1!5V2)43-*wD*}(6ATy9Ize7X*!4S}P` zj^8L<tM)og*w!pCdN1m0mRm8+eiq!~wVpfHIRMSq>EJVNy*7-8TPABABn1?SX`dZ8 z0JcLj$ivPXPhE^Og=sT61vMgFjz^#)&RuX5H1n@onfrk@j?WxUpCunip%RPR(7Gdn zPJ|^5G$ufZp*X1f#$X6q+7vIv;2j-{KpAp*ca^bHoWu7E8~I<>-yzRK)#~COb0Lw> zS&TrHgYbeVrDv1kg}Ph{N0G3P;tea9=&S;EmA5*Wew*7^zt4VDotR#s&OExy1J2b_ z>&$)EM#dH_tl>)t<U&l!JX)8CTXkhFeCRRrg5C9m$0ps(G64DIFo0Zwkhs>~=JM#1 ze3vxFrwo=RSs`4dnSvdE6Oi6g*gKFSYyX$&)KizQtXcLgGDeveIUR)FoOWfmUgIh> z`HRMG6F!Xe$V8rF+(2zw=2yx_(S%MPkl)%wH*Xu^^bvChvh>OHH8h|+QRbQ#!Im%2 zd16C=qQ!u%Xypl2&kk?3VWlSxj5f?p`C^%)S21ww5)W=}2X2YoP5!3bYXnsO+67TJ zvx;hH;M*O-U^F@-;3>egXu9raZ!I{b%J*m~e>=OzTU0(ePs<j#JN!X(f-(<6t3yE1 zDK$<;)J{duLGY<n#x$Y;!YP3Qz!v15lbppQA&EzPnvLKmN*6H7;I}2=99nc5*!8OL z3QMN-E3mDc<LpJ-RWMz^`T>Me!!-d@6UAZ-BKORbhMUc8i|c1lnw3cjt+xr$*TQs# z>I#Iy`;INhMYC@k+~!<cFXHD*ByOk7McZ$m2|um;ye2wui9?pQj+f6vx=b*$O|^5K zXzsr)EeoOL_->#j)9u4eTkEq|>&+$2gVmgLQHz%h;~b4^8g8xD&91f{o=LmX(pp|x zc^9lz7pZkCC4?uSS~1*e)mFuFO!(sihvY--&Dy1pEii-Z`Gun-m5i9`JnHC`jaZj6 zQ<$xt_4v(FQ_&Lz<qYC0<y8?6TvHMRL=ps8n0ZYf<lF<O|8}a>F=05BhX?OSNq&Jt z8P9p)Y_v!_8fD|>N;oKlONo3W1TsDrW7=*#lIL+TiV>t+Brmqb(P1iYyN;lI;u{)B z1uE8Chr917)N&va5%oXd4wqmI66ICDe#9fw=)Ud{1-7Ns{^{u|_Y8Mu(XU-F1FO=c ztef`_MZ9hh5Hc1*;g#zGrYuS!*3@?vwH7p$R<CF^4z6!$rXo7F0TuP@?9{H~mbh!? zyZhS<D%(0L;YGCcTV%>tu?OgaJ=2$0ZIB$E)5X@7H6&=Q*?;E5*>y5*H&2<agr_^u z(&@A>_0$t3od5d?98Pw5T8v8y!l0{lh>QPsa^f|JRJZ6o+t32~L5C+%M;s^<qb6g@ z#Z1WVJF#MhfG3e7+MpQcg$jSor3pLoIyvSF{QdRHT3;n#8~h5Uy+6(<zx0*Iy-mv` z;#I;2<(*c=lJ=XX_PLT;vkO+o)rT`42Az@jjA}!ME^VKn#5D#96^-+yqdrMCxGiu2 z3-h-hert(3Odp~t)X$&Cj(y}zbCZE*43lndcxOvCB0mFvEVFS<){*=q{?nR`m~PUh zM@w7RRN!69z?7udtQP6W?_`!Zf8{v-gmGo;Z9{RCallvXvZS={YmiyW+`q|l%}=;4 zoe5{hcbT~Af#mQ*{$!XPg*#3*_&((K;Ecc|?k$~>+t!V|WkKk>wwBa{TDDFM4PX_> zngY6p)dD{stNiKu^&a}t)QDGNEOTgY);Xu&*;yz??ce~<P<2}FP=!THmsRf0b=f}N z;=c5>#HhEbc(k3*c3oPts(4|qxu$Yhb+w_~*5nn64D*ccaC5a<Z+uP}KeM5=Iisl2 z+Nf=5S-#a#*4*0ur?6wOyW@}5dDPV3fLgMRnT@}jYL&J%jy&Tn4sdC9)d_kP+I{P( zBUgJYZXUH$*Vk8w;@TIzl9BC0TFQqt6<C>c?U~lNe}%7>h8WBO5uW<=2#X4}S8!>R zbznF1Q!BK+*{>~O)jU+I%2CF6L%+<YDcd`JG<@~cHeuZkn<ZtgVdG1Riz=&4WNM9{ z%lQT?`YsOxW7Xo)s@%-ly>Yd9GTGlb7`D|_$jbP>-kgh!6>`Xs6Z)^Xg`U!FHy9pV z?XMoB^W*M{)#$jJmsTpYqkc+*p-31>T3?h^Rom$<p4#7)hIS?KRg-$GET30xDt48z zZ`4V<FFKT3(_dSz)NM4lUs}{93;0t#r8m`4$Y!1xQSRZLXS&<Z)^!VhjK5a<WPXVS zEvy)jYm%J!M;ij(L@@lvKWe%~dK^^)0U|rmFIcQ4LWrjxKfqOgIxAHz2}tN6zjHRx ze3c-keOHVxM66dmApb)Kso<db-O9}ZY`m@8iv9>*TXFFXt)nL$QgR)r&|z3$``f(a z^2ufYtfsCVH^~h8f!w!omnu%>|IkCwI6LvOI9MkzSQ~hE3aK$I@CiU%-um98>WF># z!ckGk!qtW2i^D31=e#Ao^M9y%T3gcn(Q@0^ROvsLHF?+lGLHN{HED4oa+4}qLcf&; zTs-;fd(+)j?AP|^=k}@p<M<qa{Bdn6=S;sn!=3T6;&z$m`TJKuO~}QAM`y{`DDTkl zv;Pl~>&(Y#Ko!UBH_RiyZ~*XI3YvM~j^xV##xA{TYc1p%4@TxIIZ`ayZ*kz;q01ed zsJa?a_x-+v;hE{h|G!t~K>oFTM58*CdH(ggME;A8mjSbl0W+hmmHU4?ME<%a)$l*p ze<jN7sAOhmrdwO@Bx|LeCFSZ)fPkMRbxvz?{w`zNUU^%-n_Ko27lDK}<o(ZK_9>GI z#WhC=|3mNSKh*I1(m!1AU%lSuU%ejn|I#)yaQi>n_5TxVxJlhx6-@&-R|*88EF~O0 zDkvqqRuY#Q)tD<&P!<L*MLned4Lke*QatGwFn&a2T@#KPteJXkF-Y0S<J@G~T5MXI zcT8D*a5(6vBh3{ThSIVa9+^D}&G;5fel*5<_tVkD!N$h*yKndV`_*R`{pDikUh+^G zC=6y~GEHaTo@6YTg%fxj#Mcjx9P=%NO`rRLj7E!A3@zBIPpV3^Jr<fUiV+{ma7s-< zI_e(}g8pZF>{hXn^Hbs%t?`^gh6~xCgp<p4U6N8DIblkPxQdl?=n8ng<=+<k&)i=A zHRJ?Ej1zxAN5C3?D<NBBR{#BgN7zj-)y<?cS5YRvM(>I(siuoqlCVfAy$kK4rd<hu z#zN(V$#3vw|55zfc)-ekL^tm!59K}@GM&htgMfC^*E5X34+fRyiRxMg<7F?)I7GK* z%B1c3E8ZSO-mJy@u$_yS=h_0JuHhX*D#4<;tfQ@mJGL>7;0qt|8Uy%wTPyO>2g;le z21<J(qO{=g2H&}30Yjuws{0$_)*?^1QK9D?ArYMV%vRxOfM-{Wr#EDCK#{9!wM_cq z%O)@O`Pcalwbqm}+l*|XUL<Sf{vY04H_-sUy{k8xGxf-{g2fYaSEjX-mxThNwxxEa zI9Hcub-r6<X2D6JQ0YGuOR!{lI6<V-%V$o(pw{7DqzsqqI6Z5j55h4`t#Lg#JCP&& z#WalIIKM*^vk6UL9ku&IrZ{{@YB}MOXaK}?7!eRngtZR3A<3=PAtcxu0~e~WmMAm( zA@YS3u0U2YSi{@HV;XL2zPv?be;f%^F?{ULO@&U@%PHf7y5xu=SWu}RFWhh}6a1?F zkAwig?Fb9u55&3`JV(qw$rBMQ#)r78XQd-8r0O_hbL`?`w4~}*J35#oQBnAOm4Ymn zphLn&&`?xRLI4D8K|E0LSy6t_*d(n?z<Y7+Pk`56UmCVx7#VKy5CXkK@b(Zfrbb*5 zP|>zW3PBtY92cM?gDNq+06}7o^aH^W(>m5F&(Mnbwr;Og)5+%o57laeJ&29W2b@9d z+({j?JByevfk-!R&MRPu`ZC^<#mN^$nIpf8zIceJ%_I*dYTDd6Mw7n!UT6YrOwuv{ zlFW%uvWbcZ940cYkPOoT*K+p@78n#V5!)(H*pIIlgKcR1>Z+3#=}6EK;GRYrq<YSY zfNVq$N+YQEzcBZeVO1~P+jN&SsDMFtNk}6gz3J}m776L@?ru<N6p#)<I;Eu>>6Ci+ z20h2)Ie7Fu?}z`s954McGizqnTK8IO=Khtt!DQi|;SaRYGeh5d`fS~c?v9Y5yqK%Z zvpS#lWB!=nxXcZNhUO%&_<(F_mF)RG`Ug7Zb_ja-yGDmB`(`Dlqnj=B$f5+u%cO6d zHn}rs1{D%a*4z%>k*#)a-W4~fJ+d&t)8zAnFsG`k(Ard=@2_{LE9$i|QFn1xlg~Es z-2$dq*XVJ~Q41e)F_}8C9u}L~c4rX7Pk3@hhbD)#kgcEM+*yAy8E?FwcP!q~T@V)w zk<IcYD{;hUv7_asl}X!MwZ$=`+m9LE>6>ksh*+QyI1_z2<BQN(Q4M{cb<7{&z-tkb z^Yql0z0<(y^QW^=*GC+z7KJ-6cctAQbS`*|xef#QCL}nKt8HBl##{zJ!reb}VYTZz z$eJcF-Y=e>>lJ_vkg-{+X8ICjP+PTFUf)LOq#TGCqZsfgsY-r$-*8(EQJ$r4@9?cw z&ej%;I!6?adevILXpj5iBPAtMS0mA){L|H(h)TT0J(U5^8t(|R#}#E0E1d(Bp53)N zCI*HDAx_Yr^4X8vFI{DAXr{Rp3Tfp|<4meA`jT|IF7;spU2Rz>b+(&EY_NNfCY(64 z^EVU<w<<<9jq=`dI266B-TD&CeRgtKSaDvIf)urEY@U3qo%T{P(GtM5tSBCuljpSl z%-_WBmi%J%(d+Gxo=ZiC;o!m}C|tK#W?t+<9&yY+d`ih~t9a0GIu{T!i#c_wXWutD zQ;-9^93pvyScpB@{;rO^<RzO_eeRIcr|2-J0?JeKsTHP?c4@?meR!5HQ+77mf|{SQ z^V}J!PbX>PAbM2QUvJSoy`Z?fCD36~m4n#9-#G6R^|muMsV2&uwt8}`vMx(!B&;NZ z{@w26D<aX=^>CqHr1M&pgDr2=Enx!JySuzuw)4>=&mI*zoGh$%t&MPp#NT=pRhdcm za=oSSB>~Cmpig~RZRz_lyIf^jWyGQbI8R^Tw}BOO-bU=;X?SfRB(Q|sUqTJvvAV~g zOfLnEw;n_IGIv=2rH{R2=pZp}=i7wv!+v&;mN<0j;PWj4dilubx&n1|JaS2$i@JD` zBf`>=dyH&Ilo6rh1x5(UO{d^RSuv$R7GQKA=r3W)F@2DVN(V4O?>{(ezMg64i%^#I z88v;Af8KO5)NSjuoV0?oqwSOn;H9fOfKORR=Oe9q)~F7C#7qyh#{h12lwg`F;&jV; zC?h_ydsjdoDR&sXH4oQn4iR#Ck|ca~8r8|6;dqzm7|7yP;Pv^4vNoq@(X2@M^6Ei7 z(D4F)pqJlQ|M>bB_7A?;-rC4kkH*wO$K(nYzyP0pgW3<U;7^nRdaA8*`>jMgus>`d zaoyjkbBut_UGJ(h&|7U#`=PTdN}|ng7$YfFB}^kBb}m6dIx1fI?@&Vl6$S;nwmeD| z2CmO@V2{Ux7|??U*ZK+uv&*wU_W~*%uZo9)lITthH{dSH*$x`1VqDAZmFxvlelI1n zv|SgnUE+8EztX$3U1GysXuydpz(G>>WD?VlF7a`f6o}T}tw0Z;7~Y5Q9fAQ#nXL>* z9do0UCVxmN0hAEb{wFC%o?lCea3v*34n``mIplrm-N^Jg2LL;mK;1(|9Ev(r5qoze zYWHG1PNMP*DgYg7fiyW5#Rq6<cr4i-U*l9?eP{3|irzRBTmBTOi4f7Ko_LNtI=hH@ z%06HCns0w6B8UTN^X%g*q?_0W8R)*fxxaw|>DQ^Hrt|+Veh`9*p`3|<L03PNg`rPW zf>Ix{zcn6UPLavM<ksaWx*I4hGsz%hBONfc8)%Iox^KNFBVCoG>d8On38|{4hKq7d zWuSlhX&U0Ybp;)riFKycxEqfSh|By>1^M5P4&7fA#LdHju8|QfAUu$pK)cvmxW-*w zSRY*W3|}^xw7}UM;Ypk@K@Op=47^wKEBI_m024@6TE?*XkPrCFFxSZ5905+y!_u+P z9zB+2^t|GeNHg{MD1=Y^osgizBe>49b)$X&56?Fte|CC)*$PbOBi#Wi#UeJz4vZuD z$p<8~G}!EOz=9})P5K-&pxR4-mKvJm7+j<m5?-EXH0T9@7nUg!A#Ha#Z8s%vw~8E1 zi^M9AohB@u7!9TDzL!2T7{U_o>t#5v{Hq{lNY+P9sM7H}5ka5!_)<7AezS<6PkUVN z;|-to_$@<Ms!IzA8>p@<LIVl4!n^A5hY1j2Kunu6NGt!kds3JpHtFrTpiPTkNdI!q z6C=+9trhb)O$h<ZKp8Qb7TmbQ6M=!U$rK`97Gk#8ke`_LPG8&^L_wfd_{(g@??ePK zW!|^R61&-!gP1a}MZAG2^S4AC7}38vsx?=(91x_+(-?(L)&{}HIN}BcGU3$MCVb+` z^nv8w)%auk<W=It$##KTk7o7AKF@_aEE}*~BJPdQ13a}9z2->Kv~1VW=uAq){`a;V zw2^)7cojF2ivYjT@|9fVXZ!d|lrp-s{}(A`f{}x}sk=awG6VbnnNo(Rx!j)XyTb!A z0R=L8r8h1skVEh5vi{5h{K~QpO#A;|^&fPMT0sBtY5?dzd<ODOiK?%@DD)fbwGi{r z!r?zGtI1ISMeL3414K=Dt&=}n*I&1+{z!MI9F54Uu1xAOIP{*ThXE1h0~}Y57EQ#+ z=a98gXS#XE%z5nGm?sfpc`hVadCu?&&fu~xFtVR8<hWR%DK63Ux!bdWmUYhruKNxC zLq+geOL5PH1xpb0AWP&8pSFR%lJOdoJ^|Vtpm=}$P`+VO5Dn3vSQHEhszB`rU<JaW z*ZqL_ZT{#4_z&c7{TP|+8tLfS&|aZX5VK8W#ZS6{{-K+PKXzlNU@t}|rB5v-Bm}Ud zf37cL?MN*sb=~_HU=Ho4y@Slp_miaj#oje+Y_)9lt_K0xr5gsp1ojOF1{&m4CAXFc z5)3Q}*qDEBkgK7nS!ir*uT~5+Tm-QFu<#&T|2O_8k`+Az65=J|_bMxRD|jupad9t< zDMhJ4Bw6qJV-pntVezp9s93DS8cE915SU~>{&&_yyFQ3fNq8gPNmPu|K#)dHRY<t4 zkrb{NCH*R+uMgtQC>xN0y6CR{`y%0Z2l9L@#}5Me{=_`5cgT5&xqS2mVMqi8^>bi+ zd~ycwQMd^bXJfZ6=eFWxV=w5EkYYc^6%&Z{7+utaW3EUetEXZlW+vvMrDtIVYmU54 zRFD=j3>^Q1B+NTLT1Hy7Tqa^U+Pa4rhL*fi#>&Q0#_HAuEPW3CJ0DIQi1QtYlhHnB zXUCJL<IOH|!MGb$yKioSXZv6osSC(eo4d;pQKU6O?C2T?Bzl9RDJox>`@)#*gx0^3 zQJZwe{Rp+y^VqauPv~r;Dh;|cu|r+$X=mkgW}d|uzKGYJZw<EGFRj$Qc?(>E#WZB@ z$L!yoe!;fgLERnvO!Z<pPDy3s!m;ix3cYf1)xJ2z(MKbe=bhQ}qOXn<##jRAH%*jh z2b^d1dSjM+QRNpDdr-9kT)M+6%E}$5w@|sozC_45m<v-?x@JyBYu)Cri+0?Dq+c!5 z#)~xzl6>ERcT|@ed3$4{LG|%$TxCAZUWAG@D$5E7H~N8;*?Dl9iG`N}#}Ug}S?+@R zMQ!%RcugWyG=yRc*W}vcH!{ORMLE)&qDe8M^#WEQsUG`<YjtZAGs>?M?&Kx(TWZQ} zBUL!xHOVP38#t06v^mjyt9JY;X&`T8B2zZ{<4*B&@+l4McZ~DJA(XkFipZr)S}oQ_ zmzX8PxpS~m-&}H!YzRc|9+~PMev)fFwrH!^7d(izAx&65k4<sBj1{=c2-$pj*@eVC zktV#SaGUAS^?Z|87`EQ!a+92_qf4BsAc$6&x`X<{YK4^Upan-^iMZ{7^pl+;7*E1< zZ#-~tu1{Pvye`qJV;@p_us&e1xrA`L9$_v*%0XnZaWT?TUyf{joa>m27*buVi|Cq^ z)hy_x_M;W)5|un3mQRRHj@3xXJv%+xx+dOgY-Yyk0{_!6{b*50eo-Cie$l4v+x^w1 zQ2%oO-&+-Dpi%s(RRIlSYVh$qA82FV0vrGD4r8rnt7mR&WMNKis;6b6XG2Z@=$nlJ z4GwC*Vq>Zi0~l;D0x9N2r30-|E26Wpu?&`$^QjEGg~h2Ps4sS2(lZiQ5iwVg)sZo? z5t6CpZ-uAmuP)EZ;K{}rt`Y#kqwiR(sj72jl2tsUX9TJ}XB}%rF%vT_8#7lC6AO98 zQ*SF_Az^)UioV@R2syz-BH{WP=GUz!*#aN(xrj2cGzBj&PEOt4FW?{n`W~k)BYo$w zL7SasUT<p;T%i}h#`3$XbZvcs(e}0V1$h)u`<0a$N4Q>@=*NtE($bW3qM|@1KE|fb z7f29;wvba(kRr&G12q8!wo?#J=r-27kr<*3dwX+?GA_&zSlIedP{+?tE1^#0atuhF z*cBcsEF804T)Y5zZ5Xol)A$yc@4WW$4~LHSm*upz)-ty-wJ^9o-Jbt;>_7ueJeZFq z11_c_us#0$fxeAMqhn%u<<dZddfjl`l9JRKfWIy<@FgU;hBHEBo>t`kh0D93pecv^ zWsV)gce{NAoE+52D;FT89&o3@z_|YV<fs{GY=NtCH9rsF+`Mm?pOkb|oI+A$Y7cOd zNG;mw)zC`%g?h8@@v|;F?+dHd@AcHlEh3>cv_C7`xJKyL@aV@4qx$8k0`ZgH^FMbB zw0J+9#y=B+bHD`=eb?Kd4P1;AU}OBvQ8eiFY4ml?u2w-2I1s4)FxdA&rq)_ad_tu3 zMtp39@@%4VL_2U%UeS!526@lNi|hrzcBQ7Jl+-t5P3wS)3WL<9A%ZF4Z2%KtWOdPO z0HYITRJaGO8j&;`6gmo`q6Ejl38t8a{ce9j;>5?Cq;UX6;rY+vJpWg5mag-ke-S5M zy79+KYw51;S8~V3H{N@SS3c$%@_{CLnJuY*3e4XbApgg8H~;Cn565(x57A-zB#Vjg zi_%89r(;piNso(XDiJ|ZVyB5bz*2^nEh!UoW+)|jBcq|L-<=>w=x(6d>%pQ4E(zE{ zhnuu*%19_z)5NS1UKm~GUfxT6z<nNL5BzK?0tA5_3*JIGDMS7(zS;3P-%K*D>dTAM z+*HZBPmiC7Qg@LdK<=9`H7(u+Eau$JN5*(jOO8cK@}Wb>8U1Ldxms^rAI}NLw*TSB zVqb40G=vK%jr?bvv8yy6sDna3y;f83M)i0OgA-tt;WO$smyQ!ZPmv`@UVf*Rf`gC# z6Kr-oW;o$+I}&0XoM&FZUA1jlnuI2YTzi)Qvz{*jxNVw8P~MSYv4Hih+p8a0vvt9m zA@f&sGw*dPy=iPDiy_G`Z)$-Pe|~~9o-eyShnd?Mtk0;2D1rnK>x!bK>dYduj)?&j z4`-pqp~s+NuuNwTa!pn{=IH88PzG})L|5Y<;@#O_2|_hT?fLksq5Bd3WODU=r1>=D z+14c5mm|9vG4;?D$(%MCu#TT%FO-wH44Ux!Cg$V{z*^)a;h!W++h%T*6<!j{S~ooj zr8%}-|BPSKku!pCHkd6l7OJj}j$%ewzWH%ouA%TUv_buy%6PCV+=gNi#785h;=@V^ z^Dk?hWusFAjGp8RGs@lC8;jBx4(Hpj_`$RmFodp<f9iJ!@SMe*KzHr|&siHVwD@&{ zcWp&9=$SRd>~!?Z^;nrS=xA)sbgy)S3aI9w_JgXwi0C#S<iYfQky|24_E36HN5GF} z@@WG^r!cQ@w`5wn9;7re5*6?vpTGmv#~q_jH^LOl_|{5MrCJ_o55qpiN#o-2`U0j# zWEhV}TCQ`yrqYJ<q9@*j(7q1(%dQ~WiAB=A_b3FLeaozem;(LgLtGNpu_Onm)AeWS z+)OC6+@j8R<__<UtkDfujD3FgL<jwFb^V_I4nUEP?M&!`AVB2SUEY$sWW3;|gc7?L zKvAg0sT4W`sxfI+;+r?arJIjl>o;TfDk2+UYC4@}&qovsIg54kqQ6t;;TWH@p*F3x z96bpv1{3n@E`c&ELIOJ>a9MvZh1s`PNR8Oxq-qJ>XXU_EpE4WD=8Dzl;(a%4V&^GY z0JTo^ix8|hv&H*%wEXa89Eop~$@0tw8D5uvimfWZm4;+0EGQ_b=z5=EBpwTkXWP{; z!1K;A#+fYg3k~V;9sKp|h)rY|@SWPYC+U<PR!#))pRg9f*zpjp6qN)b6LO5cP~~xj zsOjqkxY5;eO)RIMW6V4lD}6K@gM}3=Ps7SJWxK@Qb52aq8AADBQxV$MxcHvj4u#QF z81H<PCwp3dL6@DLxg0JHB)e8pjAZ-%I`B)I3?3LXWZ>+1h;^s2sm~G_G`MGKBGiip zh>uRzyCu1EoH_=2Rq8Lkv%M?8qZXY<PPPuTyVJnq_WQ2H;E&vhF7RxD+7IXJdskvS z^Dnih(p_~J@Qdeu)>mneh)GOPaRv~yN#*FER|SwDmt{x>rkznqp2PAn_If1hf-#Y2 zBN?Nc;K|Cs1&BkRv;t0K01n(?;s9||bO5hOnm9QYpiwg~4YDAS5t!VJOyB)PBu)%y zbOJPfrg9u32e6b$dLtZW#zRFf1Kc~_Ugvoi74A(YB}c$xoq=Q7f-9ji`wzlUu%c$6 zuRZQj0r0w(6L}iX4S4m5seP?xRlZ(ry3V&;y9y9y>5;pq%?4c4+Yn%2kABld+vpjX z0dc&I2IC)C<sTryReC@wDIp~hSjy`Hy5;P@y5*N-boe%wbXIgcJhkLunlK1-ZMPFL z3S_IhX21Hv3qk~3G&gvEeS;^%`KHb7@JuwHp3+j&;*j;iwM2;B*Gzw&7Y_p}0O*mA zLfN>R3-dEtG049?6N2Qqr*8XJ4EiyKp)Pwui@J8OE)R<}_vq6{?n!40ElI}<K|>20 z9%o%O=p-1T@slk9#{)HUE#*VUEdvo}$6Zm!z#wmEE}~@;f<%q~Q$$8f&0Nyi{_(&- z7iI}y%7cn=q;$KX%d-Btj)Gbdn!$8|_3UI<&2h$1L`zrAP}K3<P}6aZvmj(jP}dxg zu35ydCl74i@0cews{vroGAP!2Xa1G6PM|GK*Z~?cPuo>O9$RBkMd8EuwIh(N9Svdn z^xv@*^B-911_S%O0{jJh+<>LjzG5jfnD4Mu&sQu(1H@8yM)0Of2|-wy#QeFIHOqJU z3=&5k|AWJS$5J41uCdh5#Q9Y$HK6wmOLgX(=l?L#=x6CuNB<d10VnzuOWiQh;h0{D zVIIu)xwQfm2xRg_XpKCwqkWUm^wrks_p1C6{Cz&_ZX|sYTj?4)ft;)`QQ$&UnSWf| z2TRuyOUE9ig0q0F$ePoW(`~!tynME_{(<9E*>+id90`hJ(~N=4P-8**fmhS;Nobpt z^Vv-E+vZfsQ2CHPK3K+pCa`n-U`wmpvK2-u#?37}79y?w!h37CQs2KQ?JpOb;4pyY zMHSaZ-YN+L=W9%z5j`lxVVJn*?Y-0Q6uiE+&5I^EFHJ8ogmxRiv47u2+Pj>>GbB^N zSBUJrQyNp`{oPFbcrADgEwtg1Owp7MJ(<dteHsb+S<^H>E2L)<QmpU}&~_Jf;hVuS zBKBI9v{=ce%vnmEAK7qQOPM0&<8agAX)pOAgrSRiEUU+jAIZGQY5{9)5j$xrecDl~ zsRRwJA`at5uGLCsxA(%a+gF7!g;Hta(D7xcety0WC(P*!_RpRZnS0D8mW;1q-cHJT zY27KmSCe$0cOdA}v}>RCW_NjWy|8Xp)U`r5l~D_Mg?fiX25c@T7b?S?xLW-{Y2;Fx zf=w$!a@o1^z{OM1Y*6L(o7JZH4I$bhc;6P-*U|d5_@kdMZ;h(hi@w`Kbx&RyZm50@ z6B9%^Q&{wg(Q}HLlO>K1yl}XyO`T>@<0IEOPi8n0m+K|+pEwGH*Euv5WbOhDFb42@ zu)mL^^uOUKIv|eHefCr6o-Ef(`9un{?x^<kebD>R9g{8ytpH5&+nA5Av7@j``e#0q zU@NA@m1ai;bMu@aM!oXmi^0~_$`%$u(7Q*!Rcll8*r4WAT|#`>#h~tVYAeNQtE)kr zJq1@ifquDbv#0SSzC_mXgDNgPj!ap8E2fT^iLj}j0Bho8CFk*4mH8)f!9!VtO_QFw zd$?YYU%l<niXpsXjk+LcRJTMbC_qO-%+-VAqTSSt7a;d^4|$6JHG$j!E2VBxw<6n~ zAL{~hdu<phu|&y;u1Hqp)7)W{_xEFpAn-N~n4s7K$HP)R@n6W#6ce>l0B`BTu=2;s z8-|sbYq~FDuu0G@%y+)HKZ+M}YHTeZgnfMYIS9N)z9Fss@xzb;Mu!#;e-F&W$sR>@ z8`=O`)VptAkDfT6Hh*wh4`X~*_dNN{UiM1a-tg+}1^dvzULkOytR5vqLD$DDv*Uin zO$NAWHpREh=k&pQJCU~&#QZU1*UG=RW<G~|>9*6($Q!JWSt%B#J;bSvlDypMiM*e^ z2js98(lyIgMQbATKq2yYN8mxv3+IY(*rrb4H<RM4nJt0G9HQ;l59jP30ya;~9?9BK z#wIgkoGjl@Ru}m=53#$K>}+M%slm>T+Y|p>cBWF|<>eOHq&YPV?!)rR7Ad^$2hysP zPfOm{ir#DGF8N3kIYXn=gI+0ugA`Gy=|A_zWS;d)%v`12@~w5XQ&LIpzaGlIb9lEG zAj1bdnE&&kyax9_i{sb6I{TT3)H^Y8G6~8X5sFt)eAZv#0;S}VM}82CrY`yn4%YlU zkj&!N!mZe_sEC;G=)u0B!4c-Zfsf$E*s@I0m<*Uu5K=<-h>6qu_zm*{{mbal;$SE! z5Fi9vFc1-}8NQ~yL<2DfW#(nj8Eq)ABG3cl3NQzD_il?Y+S$m61~5dTdSux}?uqV+ zNCyV+V$)gDSu$?ZZ8L1sZ!^Myo$w(wA>BusLqbQ2K$1opKw>~DJ-Ecfy|^@B9ARYo z$OvYv4X*tN<{69x42@sZI5-U542(9gQ~{%(hAtn64kHCa@5dmI$O%~t4mCuN>y1#I z#mEEx;7J%GaRpV~LvHR|T%{;t7J5chB{0-PEb|AGBs~LS22V9LV^P5o5Q&$Uv6h#! zl&jwPwBY2D0Kd9v3+3h0Vz88*C9gU19sxyb!&>6r-o1-CUPK5KOCq;Sh>TrO!m^m> zc-yd5_d9O~vP9&v0=|^MO-};0--p@yG$y(~-D&aADiKI<G@p9csqS?Ds_uMjg!j+o z3A{)B6cvvVq@>}Dd34gnAwKdE70pn>$)gwhX&a@Z5;aNy8as4YOorU+<Ft;K5*JUC zb&bz0UzRH<$4!t~Y{{X>cb>j$?GP!EZYeC;H<|!4Xi5_FaAR)?;v;1z(R+YBZ-nI3 z<RLt6K&{pEfaYECMf17`A?3$=2b~T~slAaX>mK~0NAs^|V|2;V(!O9xE8Y^ol2L_6 zCd-c+=pcKU1jC$F^Iopci-bAbsM}CJhH|BVja_Xm*YuTE2f|t1%<4wf#bx(h{+B)> zAGw0{XGaZ(r-#{Jj_2cz&?deQuF9Htsqol>kITSD@7RO(t<|c8j=Eq9VLeCwCh|+0 zhV)BeyQl?)ym$+a^E1gBE{$`Tzba#Lv^P{gF#MVN&-?OIw{V62zQJwmu+(@3>5UkT zs6@p%5d8ax<Wm@KCMN)=Eb=X4Soeqa(T1kR(FQOWx^W(fkXudKbRGlmdAfK34=5=q zF=U(d$jl&GR7aT@<Q?zy6+jH;qPot`x*MG#WOuv85xx_|Ik}5Omk@rdAiN*GpdZ2y z8jd~sR(d~SK|g{YbU$+`-6n?fC6w1KeC;%RQ#VD3TyZf#LTWH_4n0;u|0XvY&lotM zitQ@M381H9->Ad??o@-oCc79BsVQ*vqJZu9P1#@a6uK5VKg&~GE#&G~Q-&U<p&Ah% ztA0m4N-08lAtDtN{p9^%&eVYBEQDoSOVbNXpN_n}tGBDGvAw4qjzqE1?^c#ia(HrT zd~$d^ULHh~kUj`cdw?Tg>hCQ>{vhLF+mt&N@N`)HrxU{bhvwdZQ|&^zMVmEoTed#c zoeYu~F=q$@3M!OaKM2^u(FojOfP=O|uJBBwHiVi&K#`DeK{!H?K!1XB_X+z7DH)0j zbg(cJtHVU&6lcA`xt;6ePDtYGXC`)fFUv+yLLRaE!ny#CAPGy1F>oOBQ40(#Mp8}A zMF=0Dq(MSGOar4JiXdVlf?WVdq;rSR1mka@(}WaA%d*>{Tq4T{WD6!cU>g>98TAx5 zDao_7Ieg4x8w00Sqskd{rOfiPAF8w{ZOPc<j*5R2j7b45RXwvx!Z$0SCjLpdvqIHr zh~OPgFDfl*Xz46-jedC`X+NUVy?X}_HE5@azR>4C(O&p`cp{xeLbpSUHy+zQ+GRPr z%X#W(<*+<|`%fJOoieY-*%*EQSw}%TaIK>^?7(m8=z!io>L@rsSxqtS7KJuccCdRK zWUe4?cW+M*)G!^aNFo?L&ZFR<XaZPMy~h1jYS`mrO?*jSBgQa?QReFQEls!npddhS zPzN9wn}^D6Fkg%gKfNF9Pc20>8G+IAf>FtXxlI&9giFR@YDyPu4hVjB=?>O`;?{vh z015{w-WQ*HOq2X@e1|3`USI){Mj7zy%>Sc`+8X_I9h0RWTMPm)4|gi2M!f*lPo5&@ z31_>>s`LbA2?CxVJ|#mBhbyzQqWO#!a`(hN53{7Wsimo_3F5(HZt(o*l?FcwK^HKx z$x#R9R;<r=LpD!(_@~*HCyw<EVmC(%4_<w~H9(?1GMypcV3j0Wv%ds*dbhBS{rJq_ z1#NvU6MrCUmK5^=<@BDXbH1w98|8OBrnMzK8yFjSQ)+{aYE3n{g^v#`iwtBCVTbIx z`r0O1HZ+a5@bB(UBB_oX2A8VS<U5KFuX~0SsG&a}VxSt?QA@-<+Ik}{|5__iJM|bI zkE=1IVlPy4eKzxra574TUy*k$3W{I+WWfQe2nj9BEtz3!eo~?o3ol#73w%elB4qg6 zQdIFvcx!F^Nu~QOw<IUlyAW~Z1RpwTp)poc2}_e?F4>Ile!eX}Pq2V}8knKTgR>Cb zRM8<KMV+zq1nwye&x_fmJ1s}h<>ReGynLAT%m+T{6+Ss8?C4r}U-FbkM6i~GYnsyS zi|L_xW~V*R@QK^Qg`eH`&CJX#ecA(;raLeogvLs2WA3WOvHu8OzlaO5t?kYO&Jk2} zb0%SU&*uj=4gJ9sW7$ouNezB}%k>cTttEs-e7E!!yNz}#TQ2z7+MulFl6B<apy(@5 zIY=!x3QhVU!rOD%Y{5`TxUx<N-4gEIrN;fx9Hh~Qubrq9q<8K^t1x}BAh?B5bGD81 zS4~#1_Y)KVYO?<S?k_AYuD_%8Go}7#e*v{XPe(^rAbQB9Gy6Pez*%Qqqq9>awo0>L z9vRot9dyH>Vbq*v1N8?@60kE^5&}+K{(qmmt<iOr^k<Xbh>A>2x+@)(fFGe8rE*n& zYXrKvoWHrbU2<`WZqW)le-=$1=qqPklAB=Hb6rZlPDl;|t*Dd3!$L5iAut5iu735p z5*_WIH3f!0GA?|;G%u+Akm?<d?Ufwj!EDQ&x{n2osi5GeNkpM)_~<<@r$b+uX$D`$ zEIZ!gqD1)Qcy?|#PN&0`>89jMch67aegx-`K`46b?xyaLI%}%q<&4u?PN@zr;_Hqh z?Df?rFrhd;7t*&IN$P@9E{kKmLQ>BAGlL`N8oj8oD4uOL*TpL*)}|9=z+wUNRq=}C zs(2;peE)1ic#6raEa)?g8dC_fa|<5~9JFgIPJvvJZndyAV&?F>iam-GB0o~AbX-zn zH)Jvb#}c+4KILe>&e@j>w*qz^k#%SJomC3z0~!=@pF}^iZB(l=gj@dn>EzxUwslJF zJD%Mbm_2;zystZHvz#)MBB*gUo(i<xMm8ERl|vCMVG_>9A`vv~>U`TLk?p~f%c^F^ zlnAc^(00?-CUMq^Clv@UEBEqvP4c24s@OTKa+%YyTd0DIW3ZHBVm<g%f_L?uH+UQS zD_N-Kp*@GM8pN6LC$-hkeXRO?wzbC<@<GKbSFnndT3d^^`^Xv>opu*V@FqM(f%f?j zXe^x2Xm%ol!==5|7qNg3@EDxz^O?$9BXM$ijxYQ5*zGC4%yz3ZrGNJPC|#=oy>WO6 zw^92zd+NluA>^DwGg%PQBvj-o>Eb;_&dC_ZhXPExyl+3Zje1bi!hh1(@#!d?>dUk3 z`DMbts=AMqbD=6wQ$TlFem~%0rZIo^)4J7_(_Z-&+Qw=CH3Ssa{tZ!syfq>uEF`HX zm?x1Z;M^6)=kgM-AwzNO74RdJ4J{2_4Xq90)hpMZaZHOpXD0nY?Z<5U*&KjE-2RXF z&-`oR=x4hAM~r?Y2rx8=yHS|ikWhyFMz>&KB#2rO78&Ru=vku7P_rF~jB&$<xB13C zJs*PO9h(IxBW3s?D+R+vB?k%x<3>#diFUgZv4U=Fi)l*g_t1VPB`7{ESA3wo1eEa3 zf2uhCktw^XIDUl*HzXyZ!^KT7cyZh8m&T?ZiAoEH)e#YhL1LRWFLghpR4x{w1;>(h zjL=I8`aH8KF&eAQZ_ar%lz}7Z0w#%YpMc{8d_N7gw>49PXKhn|SDLfRck$>f^#rwd zFSXmEM|!sK!Ae<SuVU<pxn<}eKnnBxOUF(;yQ@6=my1pN)Acp~et)t(#h2!ZFD+<O zaZ=Hy3uH}NZw;>@3%`Ct{(-ZcbB;mD-!k<?MvIOf^_Am%PL}>lYNL-Fm4+@9UQDD+ z3|D`gIOcBCAij{Grl{dz?Q*Oftf(59kAhxw!5nXyeaIRLQQGz>&#xxz#2str^(|%n zK~vdo<5m%;NR>BR_MhEurEXrnl|yMr!9i|TY!7uksZhbLmd91^FjQDBTquvOO3E>t z9_>#X)Pa3Q=7qrna}PIT!d3XWU)lotrhCHSme|Xzicb`YdKgUQK|TPB7|M#u0V`p5 znQ}HP0DQerRVdGw7rrv+*0W=)=FdVcm+4$ukE!RJNyF7uIo?5m#Y5l4TgwOsn%}U9 zutS7UoN1l(F4I>JPjaR5ylV<5t21gFLT%%A#B44|>qb58?yBqD{Wy4!r&$U5)6A4` zaOp9mk3`F2SeUSc^ZQT?Gm}@Xxpgy=CZyb0C!EIz)<>v+8UxVj@@m4t7z6@P17IHZ z_l*JQzRLAgts9P1ww#$MhTfe^&d=;)!LNhh%5?g6F{8C6Ce?tcVaS+m{CQ1rcB1%) z2ZpGXqbys6?bTFu?*4>lOz4cwu*7~+^-qJO>UX-m(qR1iixP^_&~>QsNcOV1?5X=o zsL@t@4-0FTFP%;=FYjKkjZAP$_vAq{bHy<PRwqnl=2yKc5u)!>3&;nv<XU&Ie`D6V zk@ME&WOurS`I4y^D<q_U%k}(hUDa}Lzu|;XGWAq{fzNoROHYpLwv#bO<<hR5gMQXl zQrV@)yuG#OnYhaX?y!+hHZ`AF1qzaNZE9aZ?-k^m;Kh(*2Wd;_eSp+4GV76RH^v)= zi|)`@{$La^OHZ<DbNn*7R5*b=29ZQ>K-Mh*gE*Rj_G0qZjK=yJ*XOvxIOP&cz%cR! zFJ7>3OW0G$a@7usoCI;oGqPv_C4_+fG*(s;QK~!o;g)2#u-jHK;Xg)8ljrIk&K(BW zjsZgQS6^i;k|@e^hCd2yO=|QBKdhOL%R(RDhL+e{PVL>zP}xCfV@uC3Ds1HVK&k9L zouI7FEJm!6;Qlb6%YQ=B_euBzXv6d*?u@leA$#lcSY#S9o;~Gs(}MSg_oDmdq6cyK zrJsa|(0f$u5Lvk*#X9-Dk{IVRP9z}G%QN3Y9rv-~S5%r9^M8l|+e*fdy6(G9v{Yh$ zq&N=1;<TCEyBnX?9OtQL^TtrPIQp|^%gJUVp4@cNLe=~}$M{j^6sm)1#)6R7hz4SE zsb91(A-nht-NpKgN}lTW+qe7$*vzT|pDW>v@i1g5wil3cD#%9!3*YYNe<x+5q%i<y zhJar-xFwhvOwCfvh}?Z|AJ?U;jj)0=At>ufbGy|>@noX8)fSYh0>J>M^{oXG-OVX+ z)-O+++3j(x95dB)m$T_2*<`7Vd52X^KMZk|TTzE_JkmnjVmX`jo4|PxGV1X8eb-ct z1o&y6#OIooxf-My0of7G8YKm(EkpX3a*bcap+;0xXCvPQ&cL+G!7&<kqU~Z$8f=SU zooSwhw4NW7I#DO(nkk(<wVf^Qq;7Uu_in>Gd`ejW$Q23{Ao-xRHpWSQ?9BFR_n=7# zl2b92yTbyeczn4nDez=P^C`mK+F3rimdH#{z4tciWZBBLpnl2u0bL||x}}GP)5zZE z<9<$5iibwjZ0sX0l2ZGH_wgHEW4@pgw@;%M=R_74*sCnaMU+27HiA(on++*HQ!_e< z4$QV2S-q9rw2R?OSFT*?H~W<7kX*Y5(+76mA2UTvxyyOjPF^jww<$C5C7e7~t<fg- zL$fMKH$P(`H}00VQ|H=jr1l8OpAdvZ)~W9Jt2dz4`;oR_*5}blJoNtbaL;OC?LDlf z0<OV?tShQB7E9Xrn>){(x-0g_Rq5Oc_d+XKOuB2w7!NV-L{wBsM-k^hxN2tCGQQox zjuSfY&z7lwW4Wd+7UK2rLkfG{qbXs1sZGYIyn`_t-G1e~MJ^B3cvvlz`L-vKv$MpH zS`*KDft-AH-NWir2ko!NAKo>2Q!sq5TmBp>UQnJC$KLq0PE}sp?CT)@;!kIUwk!xs zqyuv4*$0W9OJy!uoo$!WkUEHKP1ca%Tu`}ht>Ii!0km2}#+yr;qsdjT=?S$5xSkp9 z?ISa3RQ1Z=IsOhzf$ZnxLL;gm5QEqN+wTYQfAP-W;-(u+=}+=({}?xQL|(^Deh}A@ z$GTE(8`uxn!Ue~X=D!C{f0_Na!0BhR|HZ&ba_Juer_{+kk?#X1Q2HsI0y{4P=)9KU z{)_VhRn)JY*9`zLJK93*w%(n#ddWuP6Gj*<ZStp_aGF_f*AF@>+U`??=vloo0E@j< z!8U&T@n>$Q5i>8eczs%DE$lLMelaFSbd3Uk;D6KU86|@0!6VQ8>8o`Ezaa4HKkWZ9 zX+;eeY?b+<e{%5M@`<x+{nnBFc`SxFwXZcjbGA>5)`MiZdC!Cdzje<5bB;n>1h)X1 zqn9j{TUBE_yV0Q+2(%1=JfwFDM`+bFsvXT@dbycS2TyUPT}mHM+ii9d9;w<fy$~uK z+`>Qcnk1TzG+BT+38P~Bkj^KeKq9L_l`M*9EFWt<?v{zaOf0eB!O?b_js1#Qw8U0K zl2leW1S#}Mg{*2|K6_$k3l@Jc1-y8_+|)T_yteKukMNwh=j{20`JPsS+9}?tt6Cv5 z)XYwb!UeX(0aFs-XYIOzZaks2I7))Ml1Frcj0L@5!c<!w1^nYr<mt<8*T@3|Tvt5r z#ptkAj}hz6Nwua?z9g%3R_$x^e}Ku17UhLT3B#|`#e_F0I=&{PbYJCFy}tE(_WV<X z#eMB6ZA4Nm0ztP;F1KO)#PWwuw)_WDtV)O}Qz)1B>D)bzQ@7XU%1*iwEap%Z&yuDW zTo)u8c9?ZvVxX^OLo<nJ%<j9NKj@FsE+#-v7tk;yHXk$oB%+hwAh0p_`kC*_tP}O_ zCbG3la?KiE*kN+mL^O{0ZXIIOS(*64)(qF`eXfsk#J3-BUif@;Md=JNTO@=y0c#Oo z!-u=$J8LSWMxAd6H-tVW8*MW@{}#OCmgqFSetQejj)(s$C0V=}U*KJy7yA#**)psI zM8!m`4xS7>&Bdr53e7vkYQvltT7(Q*Xv~AIMy2iJmoQxWz^V9vgu9lhJgeZg2m>Q5 zcbhQQai-@Yt9j5xbO&+Uu<61m80VTpvV4uNuyKA;`davqCDqG<sAL@nnmY?{pUS?_ z$EQ0^d+%*>-B-bnO|7Jk_E^}`gY>|Hd=ob4EIiz9T(V2f<<~2E>!Wx{XhI{aC#|W9 z3Y{5Q*lX`pp*<wCckM9ea~$Jw4l}0xRyKJ?^UHn2Dqb%yN_|RFnDA6O=@K4~`Sf?! zD9Z|o7c`I*)T@{`qd0Uao}+p-IlN-E$BNTgEsshH%IO-dJd%`isKwhjbez$1T<cG8 z4pHaugP|4o5#43DzmD2Ry{a}SHz?=D#a*Zy>K6NYxa`n6)wjCdW)BLhWQiiT6RAmY zjF(BbyNkC*DWDt+mhs)^+hd<Aazns5f{A-CQCsKgb8?8D^13gc)#_7bDO+Ef99GIm z4x^1Za!$&rV3!Rh#NIKl>gW|cz|^5<e6%MzBpuVpna7Si;66?GZtx*ax~Iyy4FSs= zW!QQ*DxNIpM1DQ)wcYJ*I4yZhLoS8exx%7VewbL5!Q?q+Q!h>}tH>HkQ*pfOlEoer zr2FwQFSuK<MD}K61b^9|jaT>2-E+s;&08lCFBL}TXO_>vBvJIx62X7QbkBRvh$OPC z;rPTYIcUE9d3VDrA)Ok`VB)qnhEMuvp`0GT9R;RaLM55Lb{T)MX)sD?RJ{HEyK*(i z`~hse2Oj|QMu`9E4#giep6~Ba++Yd+;(PuqSAPqKfyu8QOV-yl9^h?rhBIFX7&0C@ zZ{DUmNO^9zL{#{U=pUYoc_Hz$K*5}a4>j+Xp)mwO`*v#j?A%{9(0i|yK!*`^8#0?s zvEdmb9UR>Z*c^ZzS|pKY74NBWrKORef?tn;fglc+mgWr930O0(ARmgJ=YWZ(KL2WW z3%e~N0T(P{LK;*{vS#46K(CRmKpz}<RS?GJo+v;WS^GYr&pWs;cd!+?)0n6pUfj!X zT;FqjeymDm=wS?(>N(kgY^#~w2Ckw6S1S!8MmSgD-N%;!4BEvA*<3OCG+u!X=6bv! zvfXusLl)8J`LZ7a$;uZc1-(R<g$B*$1&f^#<OqO4ZOL943-v?ub`0xB(8r0|^0-4+ z$&^X?WO<K1GcaNcU`Rv{!*kM?)qpGVil2XH`$VY^$^lKP7Y^Csy$G;6xZ*?7r1(?{ zYBvB3F#&=K#smCSoX3a7IXXZXv^cmt<maaGihiV5Em~=GjMWJAe*UIND{d=KhENxq z(fh?7GC!Z!Cn2aKW2`3YN-ri-Ld7!BAzlFJ<%PTka4}WKhu!t<O&3#remvK;lCj`R z#svJpH_r*+LEMm^T^>F`9Tac@aqm-?%#zQ=n}%WW4x+c~MbN1vr6Jw(a;JJe4l8z# z?xX9&t5>a+$6m3u-vJBI(F8B8-L(NGEp-3WO^P3m=D(+#{>ak&+f544u?%9F(bQko z*3z5TospN74pWd(ke7m9L&KEC#I${eatjm8`og5O2myRx&L0|@E&hW)ar}wHPIjyR zYW@zne>__>g3-wda&~-mRX(vm{0CTG^y&{M*}ylF0<An|R7iJ_l8_*fJdpSfF5Pp^ zzuk!tDWNZhpnnXB3P}q|2+93KxqV{+7I-rP`s>XIJTz}rq{+MhCF*^o2EkkD9~;G< z+6kUez>sOW`&s8?#k9sQEH7g|2rOM7(O<fUIHOh8^cqGPp1GW95Dy(<bWsl1n-@GG zDODjUHPU!-6CWKFNujnSsjFpfXfAGUs3l_|h;S18qVe7i@Fi*dhx}H@Y-n<S;`|)| zb9B09{7}FtlIEDl0J<OMGeo7vTOMi>05(|k`&~S6AxM75pe&rG`|vhX)ZOp48gxxL z`TnwA6EHW`jPzeX80ebvb-Cb%Ys%g7;)WQ!m?`m7B<s?Rmv0n_Uj-0knO0mXQ!vAL z$Wh7*pz$RnuMCjLu-rDQ@OGOKhl5kEfxl0I1?2=l<9PmAxOh&OBad{4M%v(+!P*AN z#6F-AwzF%a=BSostJcB7Cx%4jO>mS=rQf^m`7Ant4gtz|yE3<di#P8y<UX%|njpk+ zIjW!DgF%woq;8IU$U?uQ$>EdCw~BfATt`cN3ik7QN1T{(u3|_;gb7Yj6b<{Ez`Lj( z0nKtPlmKY77anMjXm304!T330Jr>mL@3bY$x6#3*M8P_Sm+HcO(t8Ul@Zgy(!6w~F zAC7J|RTMKyKPu+Z2CCJCW|BA>ryP;&`!bd>7PJMa6b6EsL1C^>4o)+l?73j~0-aLm z;y<6cEg3b{8VWchSJ}r$y6xohVYrz}%G>Pq7iOxLJ2P|Ycf603uZ|<_n#vRO&CxYQ zB!ct0Uv7f=I3>(aF#tco?(y!YH2>o#CD9!xHNcn=tv71BLM)ueJR7!7<tef7Cf~Et zp!LkeaAybtJ~JKtjuJ#A0}_6W0=El){AUQ#&#V=9Ui9ju>lNzc>PBXKu_!Ot?7}qX z17MA=;b)f0W8e!EmH1B}9Ac5KOB1SYtMST(;Q~H#hmWrtt;IDkviRw=UYd}8VA&h< zZH?yvR}7!id%I*EplqlwCU5=RE`okb&1E}8>&<XcX=avGFtTEtqy<M)-y>KNSzVbh z0hZJktgTP%E&I)TX|rwnn+A<cs?*QjZk}*NPUD+0q&R!hG`HyG@fXe0;>tcYSmj(s zhgGTL%{Tq92rF&8PR+O62$P3s3^5%2QRZM=e8OMFkvW`h^neMb0N&H5l{JraC5Y6> zj#%{Nd!D(Nlr&jAG+VuW`C2&q{jCzV7ZRvhLVGa+`p+m?-Wf!V3d9;<TD-ASf!b&9 z-~RA0*}|<j!?<{k|5-rzA>ZsBE`k_Gk%&+OT^r@Wy=1#;mw}!t<hgW3Yft%vdr!)E zR(B&6{QI%l5n&dYC(I4Z<aU<a&0`$xjH1tSSn_yXLfZ|WT^=*yQO{_H8&_~~VYU}e ziFzVsW=mx3kqwi`FMj5NIxBo#7T8lF2F@-E&iwF^lTZB<3of5dtFdavBUhIYv5fXW zvCjif3ZMuudT};1N}DfYs8**+mB)5b)Gpzh;X3Lc^BZi$9(!{rQ{qDL7Qp5dk}5`` zyJKS?UiR5Tj>?ub3&XEUov@PatVlI!z29c93-Ni+cWlK)LYyLpEH3!ExmWqK-t=?L z*VHkW-<b<gz--F=NYV`$EZ6_<0rR(uDL)H2|GCh3!^ITPJ-e?LQ%D5O1$m$8<GPiy z#^Gs!b)Xw)YwJd7@<nKBLK?#$Fd)#CmQs|JQ83cOGcdxJLR3&P@VADKf<kRgH;>Ky zbLJo9ZWUraumj563~c`;(fY0G@-tz7q3W`$8x}_dth%s#b3~qCVYDqoT|`YpJw%N} zABb9sx`~>JR4!B9XD?mDtYHLSnaYE%?!jOaQFjmteyzu7Hmr|h{vcr~{}#n_pmhJO z9HS4cEB*V0tv?+7&&x4DDRHmMF`S@s3^CN#a?D-$Kg%)s&xab2sJ#ZX(U?u!ji01# zJmWBKN!zHZ96E#bxGFV69YcH>{7y(vtrqN5I!GBPqz<t0{O02k(EBfjzusKFhBh~p zZLd)G9}@pNw4o31%@1Y)qtMjR)Ymka(Vfwr(Vx+pd41X2uzh)XT}R_tT2IIOL8ixd z=ruv|r2YSq>3SD`Cet^i{KZHDBv&X<t}tCU2oo}DV67cquk;cYB97w$Bn6xg{l$ap zs{t*^50rAgza$2NCrG#*l;4PX7=C-h489Tf+<;E5w&+)gdw>t9!f;_R8R_raxW$Es z2a?yvHM7twHF7K7^LR{ILM2s1#Y{_F@7G38T%XngB>m{^Y)yovkdjS`Pi@mRe2+T2 z+~lQ*++7~reQezz;en{UqO^invW&A%47>naET<UPni%irW``ZU6s^0IlVNN?*+WY$ zBB3YVNlx7}17YmhiNAuEVCBJt8T)VvdmBFi4=)Zk9v3%J2^W{Xto3%zI+j7HXWl}& zESXvt87eZ--VE^d&JgC?uA!tT?YCzclP&1AlV?$~G^8UlVaGFI3JN%1-;jWhjGLui zovG{B)<1GS{O%*GABY%lU;+4R9ZMmm^^G|2`~raOznE7OU88?}sQm5N{^hnP==JqK zy;X+E><rStL#0nPsBYemTD>MrD3)cL|DG@b6e`7!Pf7pxnS<`oUC;biLib;o`G6iw zCR<Q0E)Jua=6I)V(ASw;mV~_czA_D(xs<n%ias#NdjbsdeqXhizp2&@6E_PJ6>a80 zYn#v{d~=}0%c1lHfEJq-8kh3K2$9R!`}sCD-!qlWsj1?3@SM;0Ha-+(z*@NY66|AO z)_WNym<Lv%AT@VcTrfU%I{u{An|g|Jzr9a<sL{_4V<4xb@7W^)Sew<x!{)Y5g^K!N z!jA(3(Z^d4_s{Gl(mAHelleNSRF};^H^6{vPi8;q-^W~R(C-m1HCTyJR}ZAy^S7kO ze@o2tq9}`$?I7M09k&Ff!>bft&OOIqQ5Ax`^Dgh2e~fRt(PvX5sO|mYR&(3&EJH9z z%)S1VoT+!)B^>dTr^=5gSWJZgIfiRz+eWIRqbhy-8Ok&<1wP8;_>?bW<VzM}qp7jr zMnt`d`+PX@1gvqZZfD!0UCKR=>g*xU@_~a<ESRjPc$z#mJa5kGNf(3$e=$bSXXc@Y z7-S*hqUkg8VAN6yXBS3q6dO#&kD<+OuY-Yh{Xluc>}Zvd#O&na<N)@sT7+~uM5Xti zck~bPI1olr`ujDc-!PUy|NYfiDsFP4%DB+`T4<MgxEAw4Ny=+0WvD9|OIhi=5JaZq zIk}XmYfD+fsCauT)x`V5DOTq(6+L8R!O965?h~6B4SLO5Urxpr&CF6k#u<&6hfHIV zW?=XpnVIEp=9ch&c%U(^2Fj?3B`+c;BIg6G;{G~+ESKym04)yVD!#R+_Y`_0kPb5r z37M5wf|5qKi+YBciIIVho`If@fu5xV4Ksj6EYKGw9>g^%;=)jk2B3Tl06yHzh7enh z&eo(L=fR<9rxnCz0E<_PL1YFq)>Nmt?MKrCWm6_2O=qX69GwVZCr%@aBgWDdO&qif zI9O`rna<6r)XQ1Q!hE-gvq%!NvbdC+WzALv1ALDKTUlLA2YNyYydwRHCeHkO?s*W} z4pbkRTLf-sGUWeUp8ED&{RRN~BAi=tf(Q5g3!FJ7CM$H(3b_jHw5PU43tkyeZ;5$C zlz8}>`ueStWgH7i9$fOus!`Z&qCXPk0#mW);>CtR)A51Zxl7?_FX2`O;H)|Na^{qB zRFU%0JF~+i#K4u&*$Zi53s!}!9EulhIrWl2oD;A6y!vd<e)Vj)e_vns0S+^;v>lkI zE~fsrmZ-&?<#=Nr?WD`2z0q}no0pfYkrF^5KHcL|;#@1Q5jSj+*|3(u@&>1>g|zR% zWQdBIiD97KYxTh~7U`)5o3OfClep2(Y0WTGqz6WAL^g~>(1k?tmzWLn9AHEfys-K! z4ic8r%nrO4aR}C6A-kb_qVO(HPB`3h(edaiEVN>=lH0Om0)$)S9iP^U0=lR~-%u}D zuj<RaG`4!tYXkiz3vMQjsIzo5?<01>`0;TV4=iRk*eET@2fY-kL-Kg+*)&$hOy$}X zPczDv6q8cAt`P6!Ep$RLO07m8IiihN0jVg`Sz9SXnD*VzMcE(ZXc6XX<e&R8sLbJc zHFrRI2HQO_vcx&2umIpmLqa!Tc)tqM4}5PI3>%GsPymL4m1085s!tXvCaWD6ynQ^q z^)9rAM{hO?yhaLdx^BL0%F&}fy#|fjX(!y#;qc3fqcbU0K}V=7$XZ<cc+($<>;A?R zC&4eMU@os@C8NtPt;1sf)Yz1ljhFYDNkt4uWp@MJ(sl13=2)O3|Ks;Jrnnn=|DMwc z#3p;gAlFwfL4&;Q4L2<Tx-Sl(e*Ep~<<AGX<|?B9##ICw?gj$ezcIz-072Wr8c9y> zQuGSR@^ZFbPAoQYjPBC%`4wRt3`5WUA_+F8?oxIeKQzh#PHs#T7<7QveW5StHVhbn zGP4lAB-o3w9#JjJ(M#`f3?5=<W4<I~DtG&A-$VPf+r&41$3$OWUBuX1UE4_5#o1VZ zS6f}gS<0AKLf=}uB+|Wb_MxAxwG_pu5|Bs^!x^bN2uUmmsf#K|9H~2(Ulz<vM1(q^ zSJKnOo-Qtc2HGkBvTMjA<E*qR3i!agre$)-QkAy^JOg))7?@#9I@2xoQrB0vmM{`2 zP<Iw4={xht7%Csi7^+#2wMe7Hn0NPy0z+Q+GNh&M7K1;qd4|}F7)XUAVTB^{i1w(x z!>ZiYHVHxs9GSyULq=wj3dyZuVAuXJ6GVXPnV$N>+)^_g@wVwlEyxu1ovI3!kdv{x z3Qql*Y>dduaMuZ@#*|a1K!nLkmAwrKiE+{`^6Kot=OG`Frl1%3Bv7ZbN}_4#<2QQE z9vYV%eNm5R7J6dFHLMzmm@>2{cBBpY?$FnN%c-}bd)t``Jw-`LK@QK@(!}-sR!<_z zm__nkNj#VwwdsNigZX7N|8a#=JY<5BF75IA=>5s@$3hA;%W@hWJH#qfK?UY7W+%25 z4Dv=w`xKw=XsqvhJ3W(2z^O~IUy-}jTVK2!?0cD7<@``(XG|wvx2;J-RQ-}`)kMnm z%VeaYX2#iNYW%FhZ6@aPFH<srsQ5%hSv(EU4db)<K1t1*)@$mv`{~CDo{gb>+fj27 z)<@Ern$2ASbC#F7fn9Xmsr#w*P64~_6z=zKr^d&|T&~-jSm{{_8y8w@fGEA_*p{$c zaEO<(bAil+-JLz1w7oJH=ch;4p`oT)$EW)5VEm6N{x|Bj8}#EVb=$uxxzi6y{x|Bj z8~guW&5i#}%|XMw`PkHx1GFaPz{dAu5cqGy{GGb(o6dvAHUYLDu3Lj}&fj$YpPAe4 z8s9+Nrt;gwZ7V$2v~5e*v~5~eAt@i{&IU3TWC_C>5$HT!FVDWxnLRHVTloG8J!qqE zSs%sQ16SuCY1{s7g?^xI1MU0`WcPntmVcyeJ5QQw+H1Ox=qZ!r8PVOzS!#WU`tIGo z)3*8KV#Y?ji^Ye&tuK%1drGRJ>vM9Fb@`39ZQDt@9P7IS{i9d;8*ST-a(*LGyLMk7 z+5XkD$j<G|5d#<WA8FhEeV}h6{z2OY8uTXr@>klneL`5C$V+<=bzNMJnfkj|-%(|O zmVhBzt?EY3wqKtaHN&5rZJ^0{{WIY2`GK=7rV9Fl9=O9SZ&kDuxcVk|p^LkqO9&EL zLuI$+<~3RMKO>C4akkw!)$cglKt~bOe$dcAqaM)Nhc`cnuLW)u=q20VauxqF${&O< z3|Hxc8^*h`2tOf&d10r+G&iF;r|AYJ5BEXkE6W{$hH^suef@ZqFjed@9D*nnJgk{T zf|)fO!-ZwCFyI@MIE>V!@Ps5a(CgKvER*)ga3$3U4O#epoan?2MZnB5{+zlJwqcyn zY{IM_o?K6KqT($e`7CZ~Eb7ob$hqhxEYh6p_oOi~3vC8DEwRA75jH3}1h#lZ2xoVv z`El@x!*>ewqeuAN#rh$!bHif&2{J*f?7%(w<M%g^Y2;`rtjH@YBPC=6cxEXFkkv7x zH~I=PC4t+1gO*+&FpD30{~O4>q4)2-kJQbBT!T!|AZQiK5@|q?De_Ms^XG&705U<t zf!Ytp*-l#RDW()A0VCnZT)O)n1PIWljb`s{$5wq+nOz4&K2$hYs~T)>swY)3b|ovR zAxHEvn+@*f((PpDqWeEZBBr?ILEz};*HRo7vDPZat85SdZv7PuFAj}rolTE@{a&(- zvEW#;pt#}vka=nJqtV9w^3k+1@DY9paDfOtO~w|2DD7ad|Hs^00QH$H{ld7rJA~lw z1b26r;BLV^xVyVsaF+xR?iL&ZBse5Ua3}ZA=A7M}By9FQ@BO~IR81AB+I@QH>FMe2 zU&|8=1mdSh9y1k!+WkF<aUG6`B87uM&4G?W;6kd+;7d#_)UhBTuRw5of~4!t8(zPl zpqO+N=49hA@J|^i9)zY<0xgyZ7KVVBM5htZ9N30xb5>_UVnOXP>XWBzw7+WATG@1N zTE2DSdg^109ZNh_J%Nv_?>+Yv)U2Jh3&iW=hZx#Q{ziRBM^H=Xr(s}O+b`J}X+w-j zKtWWLFT982mLQI?Lm+_2$e8@(kDyK!m<-a_0>bhnaQB}v#-d4y%IX;uikUVH@Cyr~ zm&-wsMA{+MP0_ufp?PUnr{guK<dxfurUve0qY_yFGe2cxO0xfES<pT-owYOEp!F$- zAkJOei~7cbxR#}LiR>+x44qH-<FlrV+e%whRN2pcTcX+_ukNyWtuOFCxpU6gzbZL6 z+naxPIc(Nvut4RNLAOPCX!%}aFU7GH6LU-TjYy?u%F^3fmv&Mdf^qjZOLVe{5qBXT zO^2D(d!;;2X$!K3Thcs_g++@lP6ED+q`Pd4(%G@O+Zi?5ZEnRoZ9c&&(Mb~*Xy5G3 z4)%tRM95e^Id|TTIX7^f>9qU&xnxQ6S(8SMYe1xEpePiBnhH*)j^PwAi!jNTIawUb z&HNRU8bQh_hXR~{(-W_zrcza8?W_jZo(XlblaR>1qTaQA7GaqJ6X$ew5i3>|e5{yD z1sbbZh&<M~5m#<rr<_BsWbTW0&$F-JwFCa~M*n0}K5`xYWmEq4PRrW-r^finrhN4K z-{0z!l1Ej?w_E){#>z{Q^--JhcVvFDDVhFlQ$EmsSU+6x|A|d${(sM=l>ZN#a&@tk z=g(Ha{^)uTf3*VEqq42}ex}aDL6^AQ8a`@M{*FUG*pv?^|FHfETYhO%GMB+{KgHwm z2VG_c9fA=A6^wI$Xa0pvsjA_=?TWTT7F<w>aamNP3?8tlp7vKOVAqP{Ta@pfL?giL zhd<vZz%M`9l#l+M|F-bH*_5zlzY)0yLiX(pjgPhh{ym|8Q~cAWd?5N*`?~+MDFLm3 z8FD~UZr^?bMrX!ncD@JN9ya%G^<3>yv+|#B?)z52f49FM%u2UiUj^S(ks|?-ratV- zd-I^sl~>5Va7Z0kOLI*ae{*0znU#-j^*gijVPg;L2WkAvtP}z$h;lw7_F;fXBm&~E zKfxovp#o@Y_3zOZD*$EiuzsNRM=<>#kG43xf@^(ftN3lS#f^Yps{EJ^#eP>_GKA9L z02F#gKOthxXcx%}KRqcQHWeQs)nPEPZXEQ~R}8AJSTgNE#3PQtREO}j^&nj)NkK52 zK44Nge(&V*32fux_~|J97kiqqO2@Edc)^Ls?BFeSSd^1D1UESxa_H_MVNi>STria5 z`6fu+<kK5n1Yb0No5TeYbcp(D?>qP8fo<=-H$`CpEYkrj#vgt4-?QysgI4~IYySkV zojknye{#@DH3Ksvo4!dnJ77+ilrgwsZz_^3BVbOK<Nshzmvhh%`FBizxV%<$N1-PG zS$*h>`IA-u8>av10)6X=`N-Y)oeOmLcGzsBv$LlY2sk5x-w&Ch1I@;#^vi_@LiXgw zbgMG#$ya%x$uETPK0R3P9O=MtN6CJ2fy{{FA3U5iwTzS`oNRT?IKu2y6y3PgbWN?e zl;<4)59vQ$tE6NCEc6r&G(zPB%Z$}e*(NDF+BnD*8R@B*x(R?%-_+zZlyCmhxLL=a z&eblq>ShV<o-v-0dWv!E=L18GM9r+MG4NV~!qo?ucS2sT+WXne_q8?;a(%?UCP)Ad z=nRhdU#f#|X_Ai!_Nbav#Cv75vpQzx+`M|Kz{%rShPSHHTv3_P%*7U_WSMegsUGB0 zsWKb$^!P>hB=;nCk|H_9En$)(dq^nR2O1OLpYmWaXkudKeZqPmN~rQmYXt?NAl}zJ zmm`xfrATxq-EPDD@N%W8>7w1mVNGnc<33<a5IQIXTcdoaxu+K^Qb5{m{o||Wyk9HS z=x<MFKD;BmzXs#bx8R$bDeN{+O=fXYRTUPM>H@|n1R91(*NI3yAqO(Mxy^}m?8OHL z8jElgwdh7OC2;7Qj_g*m=5pBBE?VKS0w&xOGZk3VtD`5J47WRf?=VLj0g51MmJ|$9 zv^X0jHjfc-9yuo;UVF92L^$0^tTlmJsYGC>8)P^z`({ik0Rq=h$2sv(jqk)AOM1Ap zPs(%}J#a1uC0-+3l>V)DrE{#f>$`JP-Zq2W{d5eYb1NNR21Im)$fI(Tc6@vg|78L8 zE_l|_o$9P)%j!f7*j19`wETjECnkc5KGCqE##xiQlst*tQTX6Mp17TTQV~OS^Wtx3 zZg|y+cahLd%m-|dYn2N@;W~vSnBXXzM?|II#2|;BhzqO7<$%6IkpYt=K{YVv6c-&N z>XBU(*THPqI($QmnZ2@?mk!tMQ9sfqpUj+Wtu8-)J{SRB>22Y*|KaAgLMZ7DHp-Kv zXb@(jnW8SDl!Np&Ya0?;o4-CVA*)wFZ6FDte+WW*JQUt74p;EknxfJHr!0RMUN?lf z2&x`(J1(fpXLO8f1RKX!b{X4XDcfI{s0B6VWLe8vyUbc?R^#L7pw=5Zl5;hU3xvcM zbzE$<1H;VWx3Qg;!8~lSxGul&r&+0MOy(4%+8WoeCBr-0mSQlMCN|i&BW;)NUQ32n zj$kcZfefqqOL?f4fw@&S$y%NW*9r`RhwXl>X!yj`KOAeu78_d7>q>`HT!b>y@T#uX zdO9#Q4DD&Ys4*u}-e9PfYw2X?9CkyR!TOct(^zQmIXQ*l#E@A7OD#4&%n@u&lA0lD z%;KrkDNC7G1R54jUv_HIw2Mbn8@nQ^nYt_bBAFFsH*g(a&}Cx8qpq?Kiki5QO2wXm zn>=Ztanu=;si>|Kt!qe%*#6vg9bhoRt_jUMI1=ja<|M&vAwY(joi*@DCeIF!?{GB# z!<g>dk367Ib)R4(a)f3$vm32Za{W=#t5I=@aHATFFN!*DoT`L*t}E}b*nr@z7~ixX zrH-!%T#~;$Pqpt$5;L76TG#1aVQto~dKvnL8}Q%leBC({ALq><n?K)yJ8R}K;yH#2 zX}+X;7yh2q-ELs<Lbu!DUB0(mE9unbcA`j`QPzSYQw?PD@L+ITlIR}l>ziHUv!l<S zg|k1;?J@;v%OuU5+&u?0HpX57tM^3&-jS*6=4{S??qRx!+|r*ux+%kE2n5PL`Wh+% z<P-<O=Yl+!{j>fYO&hY$%Kp3X^PS~}(>@^g8ORQy{+(Q4GWNO?ZIQ$6-8|;|Pm%X7 zgdTOzs$B@?U!=#}zfRxRX{29i`VyWgt=-6=e}N9GsG)kZ$-dSf#vPn<K@W1;%c5-c zls&guIVy3#^RRH7h*gC?`HGAPFvk|gQbYnmc4qM-eUs`1RTVuaqx^UvWXIbUbrsiG zg^0Y=L*i@k*EOv%PJw|~YdmLny`0L*b=b!|Y1%F=cMFVV9Jm6$<I6p7M!#4k5BqmD zqE@ONvR|t^cuv00i{hD8X3s=+;afc2J{?Ak-n;pu*Uh(}&yNo1|Mao@A%yjaTk=;3 z>&KAUPa!OQrf1eN&ep<89CjAWa#pgMrnC-H|C*>J1#o!&HiY$KMEj=@)+1m4-r4;} z(d?I$7#;?I5Y{GO{e+YLJ&_+mSdYZ9wE-b4WdXEyji5jg#5)=Rc}k;By3c9N&*KVf z6+c@To9uQoygb}v+i!CyN^QDt)!3EPqc%pqLs6G_E2@Xo)-x+44<#}GT$$twg@>Z% zCB44dp~XkvljF=okL?Vb!sEJT%4ArI7!rx$E&K7YnWiltNX1cFT&<n7=e;D>WQ)k_ z>g0rRI0b0&SOXv>z)=C!!0kS*GJ@zrQ5e3{B89jPX#8;SU*cmZTWu{}#&4H!GKnYO z<ml^k3kzftm_gy^$ijqzVC7LIJ*hfx4yWfZPJKdQWt=k)bJlCjduW~gX5^5Xp04c^ z!=40kj}L*iRn@VMhNiu0iKhH3X`6l+MIc`s3oVOI=HLXLUQiX4<n81ydc<Wxe%$<e z&y$(ZMBtFI1NZicVw{MPkhe3PyE`PAPp>2zGpE_WWwWWwm2ou<tqC|i7W9o|9IS;U zCk`8)B2{14_MM!5$iQvrbeDh&nA@@%M!YAWUlt(mzM5GbO`Y)1C0GRZ^mmD?(lKi9 zdEYJ)G{&;|I`i&?@|5mXxw>wOmJ_iJ=b?#>$mx1JEIg#r8?one+T+*+sm))HEtf>x z`?AKY+;op`XPrME?5OXF*?3;{44}^S9ae@V`VIu8iqU>rDPeCRn3DzzN6~9Ojyadl z;=ZW!P`_yqjRQ0glS&mnzmh4-W-1q$1qU<0kt<?){m#b)8T-~HI(>P?k(s-L%k@<K zqgf8ACg#yh41^~6xoNpq;d|-#C_WO(>=imIz2K8DaUhlh_k1|uaB)~ns1Tv3ZT@KL zNoUPwwvt1Amu>4}_umDfe!P=E1)&}h=zj&FetRo_3v536{qOIk`Qw-WTM+7jjQS33 z>7zlY-;wz#2=!+&!vpPy^$VZ#Cj{^RcVM&T6X_#CsOlFDBQ}5d`rkP8aL{&>a?{QL z&*qoF=I=Q4LlElW<bQ!C{W3Q9%ODhLB+aqM@UfO3Eo@!Hox^S3q*Hhs=#RjrADTNx zGG<YrMv!_?Q4={f$MzL^WAd}V#!;;e0UDz|{>J<igL?GO{C7m?w`n<l@$+wS&EFIH zH^o0=P!IfkcoTjlYX2F7`a4|n;iRXBCn+BdK>hQbeUEECZ0@lD*$)9I0yi>rY+mC* z->b2xPO>asf-Pi;ULp-7J!KoDbcDY-t)Bu=k8bt50MvsdKCB<O_E!Mvfgxjiy85jE z(f=i``5P*KI`!Xh%}40{&Z+loFnSc%+=?|-j9pbq!b>^a!?If2UDqdwRnDOM$*KPi z*PPilM?T!MOhZLcz>3w;i#3=3gcFN5@IQq$g?eftlK<vJezFOF!>b=`!bf=Z*M0pF zc>KvGlvi|Bkz=(qRgh<rx6#zJvavRhXZ_dAI7Psz|E*2<FpU^+=zsqFWD`E}_3z)F zhjF@(5c#GF9*C$!g#d8_0vi1gzpx4ap2#=73djKe)_>!X>AjvR@Y1L*XkwubD5!NZ z#!8rH@{pag)Y&hTkSPV<K@_WJV6|!;R_-s{P`IekFu*DC^Y;+xa(2>6VoBpSLYv6q zGhp&v#xU|T3wK7Bn5~KR2*5UTRq7SK^R^${Z2R!?@M7ib%Au+@DR)r~-iW@nwY5@! z*zP*xsKS$mj}R$-r0Ptfb|`*q5*v#0Fp~VM19%IASlw$ZGfMnjs?@TnM9H~s^x<}R zHhSbV+pu~d!5UVR6IufkY``E2Y$yh!4F0uJ7{*3Xb@EfH5sR#`-F84l@*{MCFYw^? zovEdBk^D8F@q8B;<cZ&tHzPy%1Lkc89Anql67ex~Ai~8_`x*O+5c_pRV#WC(r6l-C z(A-ySm9u0szgm-F5JCkToeJuE9^&0EKh(p}jth$TDl#5Ts56dT+n^;Eb)*6=Ga?@g z2D%>Q1K%kpV-G7g<%p6{-}|IBG{Jd!X&Ad_y1hesq7j`GV9)!<L4%Oe)-FAo3>rs+ z@~`L5oIRy;dJDqO!e61HK&3JDK%|9<1bj~GDKRh$&?>H!f9BFunTAi0u0TML>qH%G zL$$BX;xJvu6W~yYF#9aIv~a5=HnTm_6YunRZ!An~XeqBx=#6q}Vj!{(do9T8z58>! z6Tf2ti2=f+*HztZysoQRj`rtuv6>EP!Peq;lMYEQmDC!xW*ZQ>!WRz?C=<M|To3rn zhu%HOd;2DLnXmM|WNs(5DudqU{qr}6x^B!3C!*^)b2*%s&~B+2Yf727{4-4)9>Imq z?kb~Nqa%H}w8%$MW;t#77n7;ct(F)&!znGpCK^mz*~N#P@`jP0Lk6oU4!A96s-9in z1f6$%cDcWkczrIo(&SV9l(zq{Wc3Dl-1M_Q4um8dJl+r`Vy1S}>ZirmBbK!95j|hS zrWvj{9)}z1Szly`?Y||%wE%Q83-@Q=^1!K8F_c`wPmEFV9y-BPQBu=<XD%ene=@#t z)X2M8ql|c=#K^hLq33QjIk-oat-^}QM|psFMn@e1G`J+?3E9H-;YAwr*T8IzDQG<M z!`<g%!78NbTjyp)Q6ew2JT_zd@2i7IdWQmIn~QGJWFksT_H@>8+H8(Gd^{I8oP789 zB3F1ubZ26sUynGr&vg4?VoFVI=f1$N2u?2jI%{p|=Hubz#jB8+yiaZUS@~VjTfR@v zwNt*{ejFWoKaM~cfhSe51Kp-q3{pj2$(^R*L|styn#6HyF==hM>>XsZ7!L+jL#(Bj z>#=DGX)V#}X@|J+X5W{cf{!0q2+qmRi<VLFCEe0-r#<;3cd<|4d|_rLHlupQ>bFya z8!kF+3_iEe9$RuykC{bTX$PNW7c-}n95i=-aMIPtFI{=LicZg0rPI_Bxz_<b8EejZ zQi^O+*wnUegA|5s2ZPCbdC$VHrOprCYMAJ|*^#c`!vs%c2jeG$MF<&36YY!K*$q<} zs!bT&=^WCl1g=G7#`J~1lNjRKpCTqJs~yjFA37)D$Qq|N^4Z&dKM(;AWE66!jBzeX z(M|yY-`#vS0|76E!8yTKU*d=F97LMGx(wWcZg9{9Yg{FWx+^4M;d2N$6@3g78o@G% zm7XWLoz0`XI*b)&TzwChu|SvWoX{>5g7?xEW3lh!I_<II>Zaq?bL@<ORJ4$8tT=pY zg4IBH10@PD_X@f4r=WPV<hf<*`Q3N3HX&i5FtU+s6!n~$c4r~X-ik(n1o&e#Y=PwB zAmAWE_u2fKPaq1VQ=YyT)u3?4?NxJPbH`kEamXYk9Pa#9bo=Wxm!G_yM^yE{yq({^ zH$DJM<Il$i@XJq-`=j6g{>8C<{8{_<;yjQ^CXPdU)Z6(Tna91I2ikT&8&khD>mTuU z{y&4<_1#V=AMti<V>PbvzVmh-%!=@vPZW<r?!V*E58lqh$v><gY|LM><(J+Ls2`Q! zolM;nC};%8aekit@ktzr^wf{u4q*Cj;j^HtCM@tk*Xx&QYFDHh*I*EZe?ji@+b|X1 zX1IM5=pTo<{^agF`gi`@`S|AUJQ((WYveo-3PZ@Pe-v{6J)wV7{L|feAo`d`@t^L_ z@x%08>_4aPn)k1CgnoD050mWtHO`wK^?3gI=4e^|%H;F|?C&2=-|Yi#ie1@U==9y} zY!6(aJRoQ?4^nvWc+gBaW4`4V|N6jw@^~KI>USQ`BaHjY<FNyX{|45_!a0BrYWNl8 z{u?UaLGCI5sef3%kbJs-47tzM!Fl`zxyya&7aFMsbON8C9-t2j^Y)*-Cz44;V#}vi zo=6m-hc`hn#8kE=2$P_^8bs13gD-9+3<H!>DDwdZci)qyc>oKia1ay{8kvJD+tMme z0F$VLpnJeNDPS#;fW}A-<*?Oo3YlSOvs|HtJR_eL4Ppb}?_C?Y`duW@5AZu8pRy9% zAMm?tZ7y5oAKiwPfxFulKoGw}f*)jxGrlu?>Az(m<DXdz4|4Q~od07M)`oF|5_)qB zHw6kjl+$UzfP(D^?6P6B?V+W7#Gt_M&Pz^8hSg_=;WwK_w~d$fAxqp4WUblvnUIbn zif4L)7Zolaucg59YJ*%TfTK6(*sD0mM38nfplOG6f|OETfKIpgBRAT&@sxA&Zr(A4 zFi`35VW@V1><Okx4ycMhLbH5^CF<gq#TxSuAW-HT2ZI{TgRLzA>q4G~g|DuD$cEvE z*PE|Mt0nyIZa#?OlbhJgN7ER7FN*(4V|b84)kh@pAEhzO)&0Mi#=ua=!p6#G^1n=D zuu?$&j_D7=t3nxD`Cl^~5dHjCN&R=S`%jn-kX!Kx(6CgjSPnoZ^MT$3-I3Mwl=6>+ z<w%{GiRwwkYDsCyak@S0DRH{;Yq~LM+nZ~npotVzV<Y2+Of2icUmWxW%Y#f7`%FAI z^vFBGX-{cRBj!)S&rrhSnCGczM%G59g*!OIB~K)o9F!Cq>d?0V1!P6Fg_{W&rnbNh zoyPE|aHG!zaKfZe9AI7H|0wU0h8r27p@~RcSc5-{n+kiPOhp|-HD;6$92DhdE8(SJ z5%%1~LRPZoxtD^qL8y+kmn2nkyrr$UhpkUp8Ep5zYJ|2HRljc^@xb(|uddr50EHX= ztK5;_Ncx{)CYJxzJk?@`G}}MssRGfX#^`~-F!bW)P_&+&(FDtx+gs?A23~nn0GVG# zL+~3!m~qnkN1BAO3)g98Nu$!2QTWRkp$-hn$&Q4|jfu;Q(G84`Q0ucK49b*;(2r8f zN=rq`(a;V?k4uNr501#tK2-hcO|ov#Qc8|cj}6L2KUB3LGb0Q{p3;pYAkZM5)1J!O zT@1)DM@V9hjgExVOVUb=j7Z6Z(#z6Dj1QZ#Yzz+2&<)a;2JEoFQ`?=4OEE$rOtPL0 zune9Kj*ieHZh&YYPW{nZ&8(5B+PbOc`(m93-2&PoYVZZn_w*^sFH%W<!|^|!xo@c? zk34guYBE;1B4{hA4eQwfuffdHkMnEoeTA%MqxR<uW6M}l0t%3(p}<OwUhLVa&#bVv ze5O!99YjH2<8L}ucHabPQxQyb|CFm15D?%)z;8>j0Yc_SOqI(}$F&~8uG23Vnh-n7 zTzAuEv-0v}Yt-TX{imA#Z5+~q+yoERs+qGO)htCCk&gYVSn3PU&YReaw>N7a_U61j zDK{9e8~w)$ww+Y!M*OU&(LUoH$8^9WQQFx%!$b=Kv3Lqhpk?&A0|DWan(+k@db0~u zb9(M4s%gBXO)2uUhh^vVN<GIsXth04<HTT-y-y(Nc{&}n(Q2((`r4@7xEO=!O9aIR z8_CFohz1b%^5^3w8o9aEB<zX^)#hu`*lh{bm6Ub?@hF8jWdV_yTJvzFxiBt@G#6Qc zJSwlQOWy=3lLEIb?aG?y-8w>dFEH?G^p6cKD<gb!-G)l;=9tl=M^?$N3MJ-)$jjV! z*Zh1ZK$tAH5;SYS%=r?qtnK13$rwY20t0<aBdWx|+gv=Qa<wCN`K+*?KSa2uzkO%M zofJBl_aRj#HOT<UvzN%zH!0R+bax*!yKCAYFJf)iiiI&tLL`3h(m+`tRgoo2g8FDr z-JOwF2jeN*qBr*Zv5IFX@{K?LX%#eT&Qm6j-~%1<Al_MXittdKBt?j<{dGd`uRhiI z`zXZBn+F1Y!+>deRI%P+L($o996=NDll%-cPbUr|n1Q?Cfug!m%i#%uD<<@l55?Mn zlM9%W7GYLpY7;cIha{jmkfVo6in-fkVjL>usj|Y03?w*?qFAUFWE1R@3!2}-><(LC zW2*<efQO(U?JBgqq;;sT=cRgwWfu7CbdU|`<h3Aa{1>{X-O4ZQxbUiJlA4O?sL}*^ z(+4_24Dxf6NXyeVkU?lCkijOeIS*&bKIk?M6T)K?2C*kvfTnKDC*daxR%IsbXF_yg zyohjm33WMlkhJ+l+Kc~G50tBC5SP#^%Jm3R8&H+XH>lsG(`B9W65*y{vEq^>*!0-f zvpTJ!yF6=?fu|yCpYh_x`ORX}LaX>QH?EVz+)d;;%_1}1Z3Z6Ns*9AH`$Mle4(@ow z{oEO^IZn`e-7UcXrE{K!dUk1al<vI697mHiA4^l{EQcnL^x2PQPUO0&{?_?my<tE& zV7z7NZT-lO6E$)PdCMFSTi`?sjG12tk<W$gAVv;H#@V`auG+J=KG-1qU>8IS>_B|J zK#hmk7u-{n;l|ZgP#wYQvy3ZOqs_L6&~!i_WsrSdOTG8kBG+t{m;eRhCE7Wct?rbf zI|cPa0Cjy2$*<cojk)8vP1XM1D3K^2-3zKjQH741jC1u~rqPpIC;twD5G%GycIgYv z7oM*udP92g;H}JdDC%N6U#}|9-{3nUxM;rq9EDwBp!S|?O$Q4l+(N_Wz1mX`cLMC! zNU+>uRqDM5el#PkdM5db3Ti$yU}0qLRmHnLh4|^W*km)jvDyp9a(Mau?~cT4tczKD z)oIrp6#Q>$;c5hJut-T@JaphN%tzPXXRCBKw&%~_kEPvv+I@J!6=UesO$iN2WTu<i z&TE*X>*O4sxQx%VK_Nw@q792@rlL^^FKBm&I7390%82ta7j!>Je;biMqU^pKQgb!e zAkc%}0%oP7^KKx-Bg^Y%h%f#2cAK!k^egCJF2uuYW{G*&bo<}x)(89dn{Iu?h8R`< zmu@{<Y>_pS@_9{JAE-k0tjA=Z^R*!k_#_JpNeMCQEsS|XP5-;nqsj$sF?g8*@m=62 zz>wBjt6-1?k}9usb^<~3*aP@Q{7?fW(aOV4<)H&pm$6-1kK~j|6-6aYOt)TsXua4P zZN-khuXo)U+|@+ZFcar`p;qcVN)?Hl_2lER$5*j8PmlL~&$6rT*>Af$?DWy{vtcIO zUM$hI>(k7}NUbu!MKc#v4w^x0tkky=wPa~mq|J79On5X0C@!oDb0!l?8Znhz1^6EK z3R7jXDt43Cos?)vNRpmN?DxTD-&0N;ud0c)lWO7>E-h%hujh8@a;6HJQ?((2I@aU| zV)KVk=Y8q0UL})tlh%IBxq1NGShpAuiXj!Ry5RggmHafUSp$U#iOt+s%rtf#c66~a zII_T<bl8hjDU*3$&$>d3jUGfMWS7oe?u`}ysqsdCigNc6?Lx!rXQGHcw<$VKBVnsF zp9$=#Y}E>%sLrz%g$VEQh(>!>(Ld>DeL-EzRoAC`J_2LUldqTvCa{Qpv47Idq2aVg zS{IN(0fx*bXOzxZt?ks@E9nw^3NeHug2=`5x=1B*HP9gvoJ7cOn_UHws#yZ(<xrNh z&<AjbmFkFsaJ=#=owC$dmszTfYV`4T%S>ND&iDF42ePLcKD3uyZlBKQX}2<L6R`v% zGP*!q6?xZd;|%TK#JZ=kE-2e@lJSCh!o(4BhE(~gBl^4n0-}-E$b34o)^o)%f&@z3 zC=#U%+%ZlBbQ67Vce2OiYFA*pZ)cf*Ytxu%lhn(kt_u7GI0+s_?~C`dfS3HXj6hW( zm%;|-4Mz%QqTy;#oG>3f{j7})&yN(LJhOAwfpnsQsw<@1XeUaxG>GR0X_x{oNB|lk zd<k8@0Gn?4BoimWp}xHvvM(7jx=qgL`nfg&Sp`b-{IPQk!KOsk&2<ZQ76}@;E23j) zoO#v@(XV&b;p+J8;X29c=yLDoQ4E1P&;_)hdm|h9b_h@Ng%bQ`pPgh;Od-7PD_@6g z%xpk`^r&~lu6EMziHn#s5WxcWVL!b&3seiq4K4;3x_5T=teVQCv_86Bj6{`(!eEuH zR8NpHEXcR)O6r2BE8;Wbf+FiMiI}tYEZ5noF0ONaQ$f#yeKXq>9gW)TPaBa*(-6g^ z(|&o?I(d#E)z*;cTfAcvT2o?oTLDy!5ew|3klz<L7FT#CaZBES0(a0+?nUuT^0Tz9 z;mI(z=G)=-xmg@0sB7eD`ROkjWLIUdU0;vRRf=ATxL<Y=(NQ{i8zY@GrIQ)I@BnE~ zUl<x<06ZQFHSo{XpY3#FYOZ!9A!}|-aKlveKa+0Fw8g@*?iOoskLYH;nx|7A-O^W; zvrCCmm2)zaiak(;%w3KOh`$)m!LRoqVwr>1RO65q8!p3Nj1|*9qyl_+2tkuJa4U4u zJ+#}g-n~RSy||wc!~5`NlZk^SEB8I0%Ss)-G7Q2Rbhj}dgp~{@NPr8_Gq~vLNf)5$ z#4i=)U&U-CdgTV21qtIV1Y|6Cl?8Dn&6=7VOXby=ngq!*M~s*bi~UQp$!5Ap8$L}Z ze$);TQ9telItJ=~ig93EqO6UtY@Sp_jd#5O0dz8(m?!1BI|bf-8xU<=BmG5@sC&s! zptrf?MVtpd%PTi0r^Jg-(`C3WSLb{--p8N6J`RBX1i1djhW!C>eI!u%7rh6Y84%L= z^XDhP)zQg?QQBEkLeWaj-dN7nRzXzULgHUZcn|LPBVodC;jP~Su8(~E`|$Ta0$kZv zyqn(vYDoD3pzBXbcz;jip8>9s%9hf2Drh=+0pcu+1-+X2z6z+yCR{fG%Rvc>k|m_A zpB78s?JlRbv?Py(H!*iiPUK-wU|>>)FUq6%slHG$OfQ5cdyO=iGHn)1CRr*{BI5!6 z6~{R!%*EOHy=LSQS-kYv=bHnL4^6n+0gw(g5G*^k&+N<TFO9q^84orXBf(;$o|F$- zWSqaV?%TI#;w4v-WS+Id=BbeH6;Glg7tWy&539xQJ_QO&6NS4hBn1WoV`w$TQZ`<O z(I?e5vV$w;_G+#E%%3)7qT#D(^E${5OoH3W1w=buW4;n7)KsMyDg?AKE>}DF1$&WT zPV5kk9MyF5t##jLlUv~E5BoeuVm(OXLgsaapKJ$SLs5V<JtOBY0u#n+zU!KOON<(G z`QDjk6+4KETFlx{jiKA6c`sbqh=a0pDa>`CPW9@`*PUHTF8V24awM=+sSiV;B(f83 zJ4UR+IcVsjIWVLM)}(XbR?@TAd&=5k9^zB)wHhkutt?SKsi=RbWKo@Cv9Xk1L{5dC zhxhkzN)5z=N@+`_TziG<LReW^=|qywMp~HqGWm_J<_PsoTNX~*JdbPcQUBIDJoWZx zXI)BlrRjHjO)Hq5-sEcSt0NoDk#cw*hwI{M-Fs`FGBPlu(N%fct{v|K%TNz#xWCK{ zG;Ne-i_ts3gb9;faarHQxV#EpCvQLB;!snOX&$p`R8*S&`0`Vt;n1#_LwJM!$xc_2 zlM`lDcamrJ-Qr6#ZxMmKb*V~W=xZrk{gP)6x3O+u<F8D1n>>{+>OF2o!6*nv+t{ve zA^p8Q6yMzXGkQDiEzU177i}f@&I>&sW4gMTBUv^@?TX;FulFj~x|b=tvVL*2CvQ=! zD7o^rZ{s2xqs__f)9TghUKcT9!b~|W5c<0&p2MO__P5VC>au8hhlaGHrpt_+`+!MB zjkF}Ld1CGj-LM2uYDMd-lWW0+z)QT<P*en$Q-#4V6p7>1kpf8~kr_jQGd4Suq!L3x z20AA7b23NpL-`}$a~d*!s;>2rW|5wxd8^&m{YBZ-)D$`qn-$#=`OQc^6tQOgxj$(P zF$$Qld~Mm<c?(GU*yh{|*F5H<*Q``d$=5el$KEcN+$**I>i#g4*s-uJ`+F4{YgHPR z_*!uGFL%l#$-36p@4nVlJ9m0BF}!3N579q2eV!|z(jzrRS!+)dC589W(!BazFHIoT zG69<PBAWYaJJV-)i|A&aW1rXaDeL%#$w!wMTI@19!j!wZNDpI*tEpo0CU)Mv;)z=# z<1tCwQa+lXj~bEa=@0%2^0*582?cyafBXvt{H+r7`$5J2gaSVL{qNPF<Kw#a8w&V9 zrcRez=us5#cVr$%0Uu~TtX~BE|7p(S|3wr~`acS9^}+8RYvz*D=zRBmDdxjlr-3k$ z`6vqbI}ZJT0zRDlBN6DI*z!vhP)c$b-g79A+u!~+T=9+?24tDLmiwoiM-X&QY;039 zaE_oLupn~MKvDIiz|@q&znZyRmL+*Y{t@o|_Ud8*N~->R&;h^vgaSVLcm5lb`-TEW z14=6&dEUQ?+ykM@BJQ0>QNZ65`ZvWtQNRbHkM&FWPZSVPc+20b@h1vca@=40{JWs{ z!{%<*6k;Dm0sr~tzAwD}yZ!x;_t-fY1suB2yzt~z;EET9h7QE5qd>s?Afyhn`Qsy` zzd5j<P{2pG`W*`Ru(5~r!zKO8g?9jmKj=qn@-G09`0y(f@HbSxLjg4alK-%Np!I-% z|6>SilAR6$7ywu$XhA?t_{&GgU9CScQBUc?-9g{L6zWM0$o<5`pT?ByHzO}Vh|$K9 zA|c(M>vtkAEjcI`1jSq=xH%=iA;pw?ohm1!eH<@BUqu7nrOyL0V-#Lk0w~JugG#)B zY$^bu!U95f1cFZD2Pfw@!!T}?fFRmV6sXu<gj0C~DMRoHrPHH0w@N`f4mJ@p%nw2c zk0K|>kC-bb&DsAJtU&?|ryg#Xe|xhN%tpX0s_Bn`VN`l%5pt+t-wE3TZ)=tz!;k)3 z-u?v-Y6AHBu>N<vHGkl3Yc1LXZzr8^kC2#Y;MU+z6+a$xAcZl;h|qI^Qw=m?Qn_Io zDbfXuvcOWMi~%r1NOU8UfC)T@)xLC~NczFRv>qPBQVwV%53+!6NY;=}Oc5nO?@r|v zOe)=A3p285#r7$Ap*c|PI1qHSazBf-;Jgx|w^+n9B*2MPAm*h$FtUDtg6IrLR*4-H z7PPE94P78)%msv*jcAMl`MW$Tq_kx)BPHm7r-tCU8ea(k-8w-qfZkuL5qw`F`oLUz zDPIq0fYAQ3^!fLK`!D$FL1rK0?LUF905bdU?yDUjTGCg&c<rHsF!!A>$V(cb#-Z-U zC2o{gBHU4wSKy@g;3aN4bSvEQp?PZ~x7=hx%wAA@m}ET`W`!@T`jSDNQM4um#|6hj zc;2eh*HCcyS9EpJtc(bQmDl~NO{)smb2~3{1$!z>O<8k02uyigty%u@i3rq!+(r_{ zH$HO{55s^5Iz}d!rYHSUX#o}L9JGn(;^?M=&w3+{CngvX0a%KpjNP#Gs05|+F#V7W z&AZ`IIf+esdw7IUL<CzWC;dP0ZcsF>eMFUSnIzv-yEB022oN@d`~R&#GyREo>jIem zu>My9{l*Fc_}(?d9yZ<;v@PM*=nuK}dPpLml$V81$O_LZAz{WO9-)AK^~RsYSn!!N zW=>kG#_6PD4pr)_KlBEmyKK<VVZczoKT9J2JPnFGs%bYXw$G9l1Z%<z=7bf{S^}zp zbVR2qr5FixBm{4$X;(;=Xf*!KBL2-gjnm_yoc3*RIP`kaIsz(sBFIEth)J*posUq; z4EScA1j_RAxPlHjfrfO`B!j5((PV!JvjtGM%rf)d51OJ>3Yz~>EcSQ8{3jOscZ%Yl z3A6dXh1n-1_5YQ=>)0t8nkmoI9{R3-A}vA}Dppn{Qpp$uv|Y#l=WW*ohIhB$f5-F( zTcD)D>GVN^EdL6N{SDLq#A3hI@jvp^{x0SJ&cc9Y>su=`9TTEXI5fR5c7B!1$nfqW z77kYWnXX$tG#{2*F;F5#QI<>;z5LWQ_;)?82H6xaE%K1lT-g@Ll6-%O$R_^J5LsAR zXE^bZ*-->a+SBv8fnz3$NP1~|v|l2!AOA#T;RZ?^<wEHv;Mt(rhN+L(#vEZ7N1YxJ z*%`e*npT)eGmcQynF4>u_y^T3Z{>3*1O)^X3{dJnHT(Dt<G+JsAF(+`)jh57#L%-B zqTjcj^k-(0MZND4Nmm7%alXL&u+YBN^8$}rK?W5$8H5Qhxuv1*czNI0C9_9{wp?DQ zEKEE^)grGD1*G5>wFE?kNI?Ke8TnSMSU3^rF5Cyq8;^92xxRHFljHDUc?DmA)-CR= zCDrZl!sG#;UGK07^Sl_P+is{$Qbfdg6;`7~C%wIg=XZQ`U-bcF1CaZ?xy=5R%WnOU z(GjT8rFm(6*Dy%ubp>`e&E}q*`4bd*hS;@iS9=^UF-9F!qt>7$LCURX($7UHmLYZJ zo(i<uU#?wgBv-y|ec~E3sc_kRPuN*RDbq<F49^<pY(D+8QQRDdmr{DY`Ct;W(gvzh zo)bdXluKx{xI-!-syi79_4b%olpTy-DeVdg=8i{dH@b5FZYz7o#z=SMYa-Bv5_vQM zGtF~)dd=~a=89DLrw1_Z9DR*-rD&nUJlgn7BN!(hrZmK)!X!jbsGMJ(;qkOw6skqj zr$i;dE^2hCV9Gp&%+}FzgVycSDR=R{U6X@WCG3?P-O;Sk<Dg)nyW%WputY>%kD(W( zq@)7P6g&%bDl8hGcA1jZ$Gzu2jyeb)syk$<*{P4U(SN5AfIM%%P6+b0OE(+7{VqG3 zkVw-#n*!(R6^GK)7E7Ix%x5=T_op%+d$}49qcIVyK8leu^X*UqX5tzby`}2wj2(Xx z`_?}=`4qLu-ddciB5^-AujUyGZ#hDl5EZ3_7ZB_v$33l9zY1fRyI0_0H^`fy-fcUA zV`+uDhRtI?1sWVvVeFHx6Rgm+9f@u_OH<($^N!oBmN?DYxWUs9PR_i-{{G3`Y2Jny zMNGMk<JZ;+v|{09$jXWKrgcpskw{YBs?@v2MHXnM;M&wiupG~a1)odMV>p%BGntw% z_`S|acJkXqm?9D4tVsRx!A~@>U%Qnk6j>+kRlBfo(rd#IQ<6A71YZq-VI8akk}Fz0 zD9?z@>@1iqq$FR&@VA??DNXkG8}j!BNxC=&qFALVX(gGOv$P?w;i=;DLRJpF8qyBj z5EInA{a=kQvb|;SJ_zxY@){$(4JQ3!R;6~CdC~6R3uSX62LIf9v@1x!b+sHnR1UQf zA0A^ZR&X7CKat*>{tP1agUDuo)cc?kbghKc4C5*DnJN=oFiftq;F1tJPgz~g_WIL> zKttV2l&JWDN~$cqgRi{avhN0c5+YD=#<1?_O5muhxq;Tnk-Ygz^8}2CW~I`Mw<Xa@ z<30F9^6iP6<YeHRt4Wq}=vi|SsAlbXt2C10YDSIWOWB08<2Z_**+Et#?F{L$my&Ta zLXB>3m2A0@GFNqAl|{2@%AO2;Y!&oJdloMb8+rn)yu7Q;U&g@ha%ME>!B6^J7uEZ- zs?w)tsV#MEe#<TI-sV@5)Yl@Z3{2Nc(x(ljYg*HDN>7jH3|;o9GrfXSMdVm^Qjf}; zQNcspNWZrfd`?$t&r68h_h}n<UIMx?a+gq|u-`)#7h5K>-Wi94BJVs3MVufKZ=3Ln z?v&)Rm?_i?{H{YPe#+|<qTpG7y58c2Timo3L{cb`FiFxoJhQlaJYRhAL0aoz>w(Y{ zy%7~}aqfuH*q|qN+q`+i3)~b0!iNGz(X)B_>?lqB@+v-bNp;1a6TNw}6c)uTI%EZV z6clauG+`leXd2`f0%x^0%gR>Jj_Ukf2#*g6srIt72ho#R!}m_X+4*es-K3n3F+>R` zyX4uu><dyer_}Y&pe4bhJ)$RYMtH`WUfk+0ax4HvWC-R}0Qu(|Y}z5d#bg)@9(m(T zU>packNHt5C#E)dQYZmI!NT3uK)*|%Pp|E>j?5sxUm=>1sSZ1xL0BO(Va_SbD@4WX zu;8NI5nXe|<o78Yl(F?vSM(74e$2^>ESt>)K&@CH6!n_S<s4Xv$vn5x?I$|;qaA+v z;SF#{HjINwPsWt4wIz)utK41FIIk_@IbEtuT0gCt9*43q1-?YK0*#m_Jw~ofZuhCo zOlaR<HMi({lRn+@{5sw4%{lwYAw9+Zt5ek$&^B~c^6rxZ?e63Q@1Q;H_n*%zcV};A z(d-WkEWhlV8<tg6PhlhDn0eV5&ckH~GmrIuv|YrskA3RF)Lq4Jw^DL{d~l_Pt0lJk zqIIFoPn>7svUHC>XDfM=m8Sdbl5DHd^`j~-w@DPoAvtsZHjsj!<(W(f8jZmLXruO< zYPIkKJ3b~N5PL9(WUwe$W^?tM079uo;p%3N1E<(^3%Zz8SSBy)Bd0F>^+s6asHd`< zoh8v%Zp4^Sa$<-sPmlTe`nx5R^B@Q0Ah2wZ`koaZtTj3lSF^QB@BzA;lv1eUZ24|~ zS@QDseq%_FBQB=x_jNO}(gx4-lVvV_Y_6KFA5{e-Tw?;4wcUrI2{-PRC|!gXc9LL4 z`CeI0<!^ne*puQGs59sxJycrm5p@x4D?ew|S$1PiM`0`+#Ojs0Z8-O<nBFy6OqMzX z^MZKQ;%s7151XEWbQ*>=F88xcAsbjuG#q^K6Eb?e)-_+g83=wyqZ*sgP_ML5EAaXh z=MpHs)VL#P$AW^;zhC`eNL9Kmfmy9KhFEf`u=q(GL(*t#-_yfFO4D6MWHzy~9W7ZA zggG|%T$wlZTtTV_mOOnS=|#lP-D7GZA%UPP!P8NK-z`e{wQ5k2T(co>RyR6DF0XQ@ z!g0w#)X?H%aB)99Yu#`py3Zf?=c%L{hn3nk36$vKqRlI@tYdL<C!cA1<%#bQESZ(O z_S`+^{gUtX${<SmX2)faN{0CE0*%N@_h4@J(lP$_iihRb!>`{B`gkx`cJ)$}-~oX& z3F804T=^@@;SuY66x-Vhb?&O|r3-I==sF4bBofY!0vm;$1^H`K$jKmGWHV!7V#CRe zA=YzJj@9|j?Rq1Yie9}6VO&Yy%H?RqlI4P9ITe-XukJhN1J2j08kC2qNHn3HmV4&6 zjL~GCx9q=kIb1O9H+`=3^eAs?+vV`)tex<%{ctn)1NnP3Zf;aHC5wqSPkC4~vm{8J z`)V1%*30n6J*hbP+77u0?@z<OB)-qwdD3CcS_A2!D`#5h_<Z_x&}%8&@muH`JL4%r zYsF8A8SbW>UPMV53LKER8UEphqMk0@oSp=MrgxpvH0ar<edIHjPY$ImxHF{-2`^+# zrz6~5MW-6dOSeTFScT>Yl$ci{aHK~1^jsuZ%M@ifhDykDUp8zcxF}B5?T(bQ@9dwQ zUBC3`B+z|3Cl>tm@IYv>Q=Mu{g-}UJ!-k1x6@TaG>~j9tt`N&JX!S|_?p|}k^<}<v z4;A&x>zACF(`$8ZZqRBD`s@?W)}_bIEALr8yqd{L=9+a<^j{erLBo-;EGg#&kqtF| z(I$x0r9Q?;079nT)5j%-u)45JpC5lYVxGYl3`%Mv_pxq|b`K5o2@)3;CS?1^E(Zc` zEkVZUGY54yXm8c@8}Bblo?W-dpSSKk51+rK3B`CidtSPr-eqmdfb(@2!qo7dBt?dO zinS~Sldtg>ma1?R4fQzE%mUD?ro2KeOnh22PZOj(sF7$jOM%r8DYEdaJSk1@{1BVn zC%%NRT4>6&ufO5xeDFqbB|%i-WDXS_!{M58pjOGivT1n#g5jQ{SP}E0G7U5CXlW{? zzDCc4c7Z9AU1G{>({@|YCqYiMnJCF(r3J50J|RnV5S!A??gC~e7H_sMa&nH`IxoGG zY!0ehOei%qRGMNEoUHB9_g^hHvl4WoONP?O4((Ubwn3_P+{S4^-pf#VSx9c!{HZy= z+aOV7%1jV{PEix1wh5V+O!t~&-eM@Mw<Lf9zQ1r2CLZJS>td1%dkKqL>(Z;J^M+w% zmEcd^4r0{q$t7lZR9sJ$bLixsCk^{%<*7u7n`_ev%&u+3pLp{cqmjRl-@VMOi71UK zDTm5aN!D({3%RCHA<wpl^=1Z5wCmFY-e`nzL*PP2t~3zj#`pGcyP)yXGy9S`JAHMe z>&7Xy_4c4BZeZY^@gs#0ty|(OdK{4!Nx-y{w#%7vMJ1%<LVS2an-G$<RKUFQ>^@td zQ)5D+V|uLxS(j64j9};fhSRwo<!g^jgBJd3R5l1wUSAY%Daxp+kMoU+jq@Lu#Y1c) zlQm}Q8qjJw=L3VGs_K1XKbe`pe1cD8vUnNDWYN*p1ta(ci{NFoqi3(5-t?!w`F@yt z_6p?lZkv%-QFBhJ2BeoeF3kq7mbp*{N7m<#TIPrL0(}G9R85S1Aq8}w?h*7c<TNIA zOjSP#y+<bQVDOq!6W3D`%<-(2{Cd@X==oN#c5ixZ0cVi-1KLoYhm(0sa&PNiXWS)N z9LcUmO%zfU!Rp#I9WYKcxiHBx8kJbR41ajpqOanJKJs8PBO>w&<FR;Lrg~hIVF)KB zkR7Z(HL|2L-eUV`b|aDG-MxGj{lsV3v!L5mqHMU+V8KpaUE-beXJ%fn9fg1k3Cv7O z!LOxzBP^moR`hq`Yov)wEkCfW;K)m1i|+=oRhB@n*GF}=P|~JO10p9~OHV$)O6A`` zJGX>VNHN(Vxg{!D+t@ub77<1uA+Git@ZlF09(jWR%KHV500sQ|IS?4|{Rp8fiC}9d zq5vC^9+V7%LJS|dlacW&Scn7g{%iE<16cJK(n%K4oGEk+$*waOYAu^7+ZU#GSS-A7 z&9M%9KIBrzbS~zg`z_`Un}Q~Yvcb{J_ynR-5V~;t9;TVgd8h2RfmSot_s`!#t4eIX zbF82bp?Qf%U}{<RetCY!aWdhRcR|VEru{R`4GamUB~msP7O7Fy!JXK*dqr_-D%HbT z!kg;@l3(Mac?sUMq3H)zxH|bn);ZkFId>gGL^$N3ZqLUK=7_^wK()c0cTQ=B#;jOm za2s|x_!6%|`2)KyIR}uB(UC?lU<LG>7nQF2LGyHrbirNlao1+{xGe|JdqQl}Mgv3K zteTgaMrV9+g6RHIKab2i(@#Q3iPAp&5n~vBOb4P$Ba?>v<P^==Lv2@MoKJlQ;pJG@ zknD}eXE)1wOdB%V3z->fa^$-a)pqwhe=HT^xlDnBYzF_lz;>1Lt`QIE_4F@}1dQai zTOPJggwO-zMd4?_G;|$AJ*?_JKF4+siNuGI-AW)9!CW;LU^C?LZ^2p``#6PxmyB=6 zVQ{siogFHdQ8Cw(;noyN`aIlrC_W>uwsM%b2y3bHBRZ_CO1M@DlgsRDDEuf`>9GvJ zAL)#-Ix<X4JZF0CmYJ$0uxC|^TCew1ygV^}Gvcz*qI3IHM%P)^{>i3hiv`4pSVpZ$ z2Sax5XE;vmR{hQr90vB%k-)EWt?V?H8SSrTB?6FdtWyrTTZU2+)88pfMR;!}u#V1; zeI)kZqxJ)AfR#CkC}}+15<eAuZ&8fwg#I2T-KF-54X`zlHw&XB?z1*qz9-31?`*bk z&e8WiAinTTV<>BgO&R+N+)y79=%;0y8P#exduF)g3gL~(7p>dF*CChHb#f`@dZ41! z=rG_?<5j*+dsJ+og-h)p_JS|)9qZf4ij+1`B5Oe-R!v72>RzcA#xWP{tGqkT&E)d! z;jc-D^mOMjcU0%wYM4?+M~WF<CG!q_ROsE2^V!^}h}@+~RG6*mn0yBnkEa0fbO;51 zj>yKv2&xUS%xADU7xG=%gpWwVK?q7XpWou?%Xf?`@+|pqpEEtoaQC}zDf&4p#JxZh zftNLeQ`6HyEoPqpJMfKIrIpj2Mq^mIutVb3Xw`KQ+*-bCus!VHC;YI+W0w4uo}n6i zbGdp%MXA_WnW3=DJ;&RcYS&M%Z9_H6e#@`>?w%;WNO3Objf}5@!+hN}&`_1BjC22Z zNbjafi&X?K#nFuki-jKT0rmMrm<$@&&9%p}<SHLZ_2eP!OcbbDe&T^iJq1muZ@1Yr zln>sJ9iUy>eCP`G(PTvyl~)+r8MEf`D=*D(UIa+L`<1+O5`EZf%v=I}e2O|d+(l7s zWU(EMgmtfhmQk=Bcy(@tFOxW@X`Sir1yeRh12+bD1XtA~Pm7^r5x@!wyij&Wp!+Ax zDDXa=(5?{D*$LQ~5vhw&O$u9yUPW1$o2k6B1tnQkJ@t43oh|AL)uuKgpjR8B)ZC;q z(sMgBl#Ck$mzEB3<tZL2Q!eb*WN%>2?<OV^Z2GPuDGh-zP#zv`2?i5^uxxll903k( zN6%MR6D_`BL)MViOvydFv(_1M5tUUl3!jDmoEUN1Ex*Ivdd&US#`Pdl;Iqf^=!fg? z4bO*gJD2%985JZD5EtHmVR$}-+rOpPJ`!#p)zCHrBrs)h)um_NNw~1f#P=2QrK;A) z$dKP8?-iO$!kbGOMzT=R`Wi2%zUVtR=t-3kw*mp~OpYTGe@+D>&?6RDidHZ|7)Eiq z;V&r=!#k}?0+uKk$hN}eK>pIj*_1hn#%REHYm8@`Ydh=Z*d7NvDBrebdN4V&fk4C& z{ooa}TP+b>VYoSr4t+iCl1uf)Mcd8roE!=tFQ*th{{dTO3p*!qnMjGPs;5wFSRNCF zX$}}exGUTN8lT5WFCu~brKYvFH*)Ta{*xnQ4Jx#mCmMrA;YruPA~h$RJ`O5`KB<Ok zyv?$3bfRifRx)CtsjqNVnZl>a3hW@qGA==}=Nw7MO~)ds@}5yqxjD%Xp{-g8MY1y0 z?Z4IKU;{-sC9eX9)iu#Iz6F}7LpwoUCM|wKnT!}IWuc&IB3L7zg6QIMR72NJ-jiRJ zzEH;O4K6Nv%Kc=!U<7U|Zyb@zo{n5D6sG$V{bK(naktqxK3}zm&i+AE@ReCgbnyCe zsCodV!R-S3RB9dxrg8+V{>kpH@^yL0KmhUP)R43!z8tlnWa0|)iK0My0yrggsGy`c zW-ppYa<V;#L?)J8nSmryouYtXakFob_7}N8`U{4fSi458h_c=p95X%bN>Q9f^A5)m z#k-u_yy5IrIRO)`kqlVum?t9Au*}kR?Rp<5K<mlv-xGKbw~L9IX-MPKL#;W^<iH@p zWsjAf_yjaJc(_sfS@g=+JdqfIE`>O*EfyhH0%q|(al_dJYUTM-$cSO%gD|3mp3I0% zxa2%<5!Vi+s$JmZ35!@YCob|#lN??9UN1lS74ZHE3s^=%cUxe<*9<;aoX$6fzFA5P zI>G`jo${Kj$90pSXfj_n^bj}^ND<EfKVm45t{-i5p%b@--@oX0lNGGoh+AqluUXq{ zX_A#iWT4<@x}hkH)YRu{>K37-FYR^o@{_{J%~pp#6TK8Ks)XrfN{;AziISPYnK~F! zIz$>iQ~(t$g0-l1%v}V|stjBg`dMpXG}RwZHj}VBDZ*}$F`iZrk`?5GOH{>PDN^8` zJlb{w8EhTek^Sxn0adZH{8K!bv$xK9di_f(CyJ<|yKt{A6r>=u0(2K>BkUX;9FS1A z2{U$ro`$2Xh|nhTqI~5|4jC0-|NJ2Y&7NFqKaKij7mr;%w3!N53GyWw##IsPVhb5? zYNYgLjF?Cxaz<9?`;rf*8-b|Um+~G<5z0_$Q&LpKN499;#Ao}{0fmm%QE;PNH#0Ad zHcq~nZl5_?D=I6f!nkWqs>Y5Nxzh5f9U12&5ddE;noIVBb=nL-;(zwv<zr{-m`Lt^ z0V+>84|d9o@tGBL#|G~Ug7V16vV{Um+(L3_g6PER)OXz0^}9pi3e-qbLz%dZ$8BWV zHw-FJS!vX277-fhFIOC=VS4KAlV#NCmaCz6s?(WG=2SsXc`V1&HMSQzB2A>5@ls@w zxmnrWOZ!s1RM};bZ-YEK3UM)uUidr-gvZ_K!-%g`mBs{o(psySai!KbsFuuwy)bzX z$9>QuV&tiJOV)_9ht0zA$GqBFP7zCf#gSN4{{e2GEqt1kxhI(rfxQf~D19s-hkC36 zJaurID0m%cp4zw-VDzH!fPeI{1htwQTTChVCxOWs;sn1LmR$co%)Mn)oXfT~4Bd1$ z?iSqL-QC@jK!C;_f`s7i5*iPh;2Hu12m~iM1PksV4Fq=!_L05sId|W)@4iRI`{QF! zqv;=XJ+-Q8^{Q2K%{hVb@aDto^Nxj!!0A%+d9;I|)YY{*X|u>+Q1zQKBpi1}uG`m( z@Zr4!zF5O@KFq%GZ46{)Nw=$EUAp%AmNULj>4vQ(h|*nqqmAuS&!r0hBFqH})8*|9 z@{-rr^$;ZwBl$A^#(<2eXYafh97;eD^)FS=_S5;tlvpY6e9qqSu-1ccd!SQs$5kg+ zwmh58CK;dJ<{<yDUu$W2*N67>-BkG@(o}aLU2wi?5ksrHoE{%_!Q-zdZLAeI)3XY! z0xx*7Qi~Ban{>)AJ<F+pH;FSHFCXbR`05ele1!9^B0@=Ld@yHKHnu*MN>{)bQ{(!z z;P0`sy5eICBn)#58GjUZ&U2Q0-e{PuH*4K9TImIg&yot%C+6z3@5v}WFlNYJ7%q%V ztA?XdA~o8rF1C!E+i&6-8y@V<O`46%JW<K^_hPpG-X1D#Oyp|vt>W=(q<$-E_4u<1 zI4x1VmF_{kq96hJ%%xy`p3w{0`eerMi_BW@F;3H4^5s>kO=9}j3U8+wKj_~X2OGs0 z($gl*Yu{o&4Sj1*NjnNm1DqN^F}+s5Kj%vDtuy!iG0DVoh6vox|I~%@!^IY1HznND z%V+3?lw)ZD;@A*60wH}-&yJih?uR&7gA^U)v_(6-N}O(}iJaskWbCoo<A}kh9v7)6 zLhorPT!Pv*9Z?Y?Mk_d;U6Ju|FU!USNJ*XnwCYQ%e%7{=^<3lUH6q^jLoV#`<0x3( zT!`nZ_8hQ^AkOq-qvibk;CMs*;(p{eCCC511lQrU=lGBBY9FL4ey^MT^`&g~7kA+Q z(p~LG$N#>o{r`<d_M_LN#6~0!8ri+1TMrW1hyxE2*~t38B(ndFyV~Hj^<3lMt_*)i zul*w;{Z9z^e{yB`4+!|b0O|cV{L}g&^m+g}{Qc)o2zXa{bslLCdox`ZO>+faehqbn z7w*>oML8z*FsFY3k^6l#|CEOIFFyT`(9d7mW`EJi@9XqeCsz$*8YmCNS*;K4PYC$` zyOZBxjl6%O9Q)PXzp5v)v2A6;K)*rXn@&e))3*tDx>Y8BMCb$d0Uv?E5$*GXI<Yal zCnr^Z5bb<*`d^}*-)Q`!g)^di%8-Mj<*$mU=#RXMnvQxNMawhyu%KeFLmvxm5*2RL ze;&T%=jG+3ub1JhsiTvWsL!Y3=A>_9s;6S)6|R{bkeYdpD<{&##9xDC>*j|#hD0gL zOAExK1@gMn;_-fdU>cXoN(!Rr|AS^{s2QhR{#z#AcBT)76XRo0Ts69OHePyudI?T$ zL4LwOY-#le+zhJ<`$*J7#j`Ryi|Vi|AKNlQYA{lWiMfVG0MG1|Ploq^a1nEv&k=ow zQ~_#`k8Z5aNs?}B@SRGW<_IJ+@$m%8xXFV|8Lr`vZ3p<1q*UVUgEw$%$L-A>1H<ez z2~a+OWDz!|tnT`O3jv@yw6ZtG#Cms>?%y1ng(a)mztyq;1_X9*PN9<J1n`U8SLOrT zcYazJH^+)NtGPA)81TKkZ!M}RiA^CiIc<5a!6@FkRG$2it*STktMvl-PSVhc=F6RO zx%HF@UTvVukDOJHrID)u-#M4>JPQT%fy7wuC&w=riOg(RlQvpY9_@AdzB0p2{#3S^ zx%{O<r9s?snZCx!>|OH0>2kHI3TN{MM7hcY??v;wK6(imQ#WUso~H?u>>`XMa$#am z%?GbP^M#1V92uk>m7oo>M0)AJivA!#uzdJD=Tn@+*)&&Mk=kAJu>svAo1N~w{Yw*O zhRNf$u+I9G*y(5JD?}dKDU$=KStI%>FY3P}R~;=KnGBq_jZkcH>N1|+6G(FA{nR^L z*?Yt9nse_-&K%`my*X={@O=7=p8p`VG53r?rF7I$S8}jryy<@T=iI~x{Xq2qztr{V z&n1-k?M9MUY2`k)M%ykQf{y)i=owZvhF#LdKe&x>em=b2zuKwvN|1xwNFbM{POz3{ zaJVt}Ewy~I(G=JSpHp$QHCf!`Y`Ze88cZ8;qIt9A>Hj9JZnS>3wA|veANB3a-g#-` zzLgoF=I}k<i~##@i|wA0-B{!SAAh(&TV5aDhV3yt_7!b%U>B8ax3|goAsTo!!M~C- zBR5N6s#5o}w03i&)ob77%}z32c1f(01n-V!m2r>qX!{~M`u#mG?~P-q^`L2T4gGi1 zcAGVgrS^dPeZ-CU#qRt;FKGS<`<?3#My}BA-(^sB+>hRaLn-sN<iQ|tg#I11chk4v zfU7IJXyvlDb;-aB{B@u{Aeo8Frf~iK=aS*G2W7m>ip9qdVi2foC~jzLvA8D_x`Fkn z8&;d^>6^^=4?3v7#2e7H#zdM@en)rw?%e*-b^ZxC{}+DezmW6))Onsg6rKLvFF*Y8 zC*=HJe*PcbXTU!rGx{|Q^w=xgzr=<Avu^$Y7yfHpzuNx-c>C9I;b_MG@novCxS=Pv z$%}F7w+~sA*sl|RW``;!dW26*Y;Y9`Uyp$NT;D9AXDIra_IHubAFIYr$bSIi{4!_2 zt?gy`gDD#yn%qB1$o#W${<%Vc`|sZxzpNbm(EgP{|L;s;Wn7$pRV85hZ%e)^(YF*7 z{L;F&^>q$rDNu(Mwog_4UG#Mvm8;;tMPFxo;h+95Ql>xQ=l{}9e?znX8!TELLY2JC z50mk~ilP4Vj{er;-|_Q*K?e03Hto;&`LHI6f`NO{x7=4CwXf-FSgL<mF272?rQqU) ze+i)f*Prf>0Q!G}Mr+;5+WO9{>Z!E8!V$Fz{VVxb#aq_D0QCLc6g7XOdHzS<vp)go z|MF4)0HFU1%l$Wi{@4ETx9vegdq5CcJ~ZBcdH?+0iz&Cg#orDDzqZS-_P=Zwj(_Dq zP#eSb|4SmBpp;+`uVRatL9L0KA$MHjAf`3G4bPzL=YFw9x^^c19(G=S#-dsFb|%3Z zIZi=I`qZHTejz#up^mAk@ZU6o(6yjW*p0vIlKmduo<7+9seHrT#|N8>p&=mf{rh$| z=dgBm`i)1&@4@K5+CLcni+-odXDRHZy0YHsX+xt}h&YN5i+EHi5wnuCmKOH=p`;vJ zu7Tbq<$9aZ+#7<{Yb=UWv=~Y1OooQHdZ(*0=P)wQi`EQ5UYD0|TCMk}YN><1c+P+l z4j`|z!eEQ@6MG$X;0i%bESCk%3jK-fVpI-0sx{;9x9;l(ucR1=F2ei=Tafi0E4?ur zQVuXcZJW9~%8nuHYZaJ}FiW*#GJZ24ArEWI3y*kG2hnMw>EG!b)lJV54vou8SA6^` zOh!;BE3W0}YYq4Fa2<NGLNYNaEs(0}rE8)*ozv@>3b7Ez!Z<bKx`;Q)0mxs4Ka=fc z1gagp$GKzpeDDZA`3V6JQY`$w9kU2Y(lY7FUIEf+o*CqiDR%sJ9el)h`ug#3-L_pM zm)xPO9=!~z2wPWWz<9*V=LUGmsSSy7A(&||TvK}Ak(8+v4>_2NUASjp)_iNWNiy5r zEh+0{4A7tA&KtrjGb9>o$4wfwF)aSXPDd6H+n%-si`DM85Zp}p7P9R6xB)pY*N)p- z*A$R)iz(nSkXRd4fdH2<9j>EFO^j9{lR#ECP7<qHX-yh^ant7hyL{$<FB1DcCU?09 zU#j`g{<B45>GgjtlHclEHgq$yGt=$Ow$m~)lXZ48(vu9oW$1JwAZ;hLjy@5}E#q66 z{W)`78-oD+EC}Wr(?QVvRWt$(3ehE>a{GgS{pC&&vnD?Ltsdt;cw)=HgY5q=fAX*L z^3}#5g(Ae7nEcKrXXilJT9<;##E7RNTK&VS1TG`YN{#>B_yL9QM96Ri_MvamN`5{6 z_7oGQOplFOK^|uP4U&PRKd^<y?+R4HwkO&&EqyDv=mmUx#B8Ot(<Da4cWnYY(vqe& zC@uD;;_O5sk_F8ai12+tpkX6JO2tCROo2?%wIFZDT`^_q94Aw+)xOeF=eCWIIU5=Y zk9frq<0l=!E%$66U$0#<^Wv=;4JS%!;BU(9Oj&vLUx)rkzxDmWy7DV{br}z9q2fPU z4|Z-G4wk>CZwwzC#;^7dPUE-ru=QW-f$*2qw9amtX-d|UwO^~^&r9Oi5nKS)fC&Nn zL<!&Bl>sX7H_8R8dAPWE+&ya5h<?-|sqh;342w;F8LmmQN$((YiR$>KcrlB~ZGyUu zCz03Cj>{tO7{cVadn1r2NCGk7mO*+68OX+a`Xck__Yl3qFVg5Aedh^wT$0m+33C4< zGuS`)PRsw(cm8IE|5{}KV_ReyCiQo8bX0Q8UB`ug&rmsue;3HkS%J*ON2X<E4u#@@ zRNR8`xuk*+Q>>r68X{QmJeRWLCEgo(0pMUpDBA0!EBL|PJ2U)S(bYhp_fs#5KkT3N zhZ$DlXa;pZ+?j2mARtKp+g}TIZl*k@YA-CToUMeo9-!uyo|eCDf8&R#{?-0ry7>oX zgNPAukveksqn#ESoEAo`KYZ(bc>V2Hw8?jIsu|T7?G-_RUwX&e2I(eVA{U}3yi|>< zS|w|UIY0z1{cLVc@zbyH&?=X!<V~I0r{6vZ{JeKcd31<(uMU=Z9wwy}CSw~W{Ul7* zOYQ*@A!8{gttThz(JiIcE#ufN{j6Kok4{R4PR5*0T8B>7tx!s(P{zJc+OSa8$5Kkc zQpVa++Q3rQ6E39zmvM$mo4{oQ@TH{jWz6uUwee+LQ>2trWb9I;pQgxq>q*J$$yn)0 z>+8wBn3PhVlyRDrHlCFA=aZ7<ld(X0ivk$Om$r@AunkVL4WC9<Agz-Zty6?}$T4~- z5P8T8dMIL@%5k15P@c+5p7tT2cT=JFVx#wPq4y!jbu-2F636uj#q}Ynb<?T!;;Z%W zsr8``ce4%mk`4EW4fg@qx@p*YaoKu!*!oZ_yICrGNh*6pD*M2W-3*SsgpNG|j(wQB z-5k5U6uUhVyM2gc-PB~gIAlHCWPK>v-OSm&kFtA&v-?2Ly6K<w5<KhSf7XYw*v-D! zOTO46zSsv8>!ua!#S`n{73)K5>1J)|C2i>uZRvyfbu;?)68ZHA`t@PmbaUSHQr`4P zhGvXgI#aV1hS!b}_I4Qxp}F9&<;&Oh6ZYgA^2IuHvlaK$&Jy;m8H&Zaps?l9*LJ6M zCmHgnIy18s71d6r^-dUysJc92E3m2^PV1>P6c}<AW-D2*T}<mcHk2500ad;wsO>W7 zjxpqBb*8T@Os$<T=p8f^W_2N`%-63SH0UWe<gak%uPmOboj2&)HWaUL!KlpRuk9s- zs<Vw{8p8NLY)p3<8nQY#bx!xr8;Ux(kXIJGs2!Q^`D7@#<1AiTa#p)M-S^W_a>oVe z_!gtKQ=mIyo{Q9(*0C_Yc3hyhcV39p1<x^Gy>>vLr+A((%bC})_)G1aK;Oo^Se6T# zV;*~LPeXUwJdcqxt7Fl-+Np-#>3I<&7gEOpr`j(KJq_~$3(lgBC403?4SnbH5(_Sn z-M8empFO)@&2x)7Gwv4V)PD8s9hnyvbs^f#H?AG>?5UdPZ*~^kEncc!@a)^47jJgK z+RYQM?K|(zo#*v+=G-l6t(`gVU7i>9b)noX@UI;`?`fMCympq{ExD~-Iq$ohmkd$R z@rZybMVQ-0m_3QG@KS)vDVSR-nCU54c=STmdd(es&7SpI_%T3b7|hKX%ybwm+=`(p z#pd?KW`@NUKGskLYjbOBGXrZ2&kd-?hPm^GnaPGl03lSG(A<pBOq<ZcH4UnqW^R{e z_B74H+W;zWU~Xk#rf*>JVj8MGZSFK}W;|`-F94MlFt-3#qX6epq#b)V96Qq-d#2H? zNgJ$08*Ct+mW-a(M4ncHo;FzLmYnC-l;>8G=bH$aa4O6VY|M2o%uVE1aHdxq#IM$c zUTq?2!09wL@HN)?G&a#k;A|rsWFzZhBbxvYI1R@JF2_0#$0lkOoTX}mq-tHHY7^`X zXK>yibY2&5-o)I8bL?+W?5|7gZz58_sUP%IDAu_tHc@in%()wna@U1(H$f(FdXo(T zlXZTRO^jtY`|<|)^1Ar)CQt%SE3ttmvCb>8iPi>ZZQCGiTNiEHgap7D12%{P)&&DL zvF_lUcN>&<>ypw8DsJIgO5r-T;o48ab-m=Z<m7cM<+b(Xbv=5t)OvIrd$gbR==#xX z$<XVV(`)O{>$(+bsTAqh7ik+7>H1h{DOl-PTWK3u>3XhfX{_rwuWOsE>jn^LNfYRp z5ol`@=(?tADW~e#rD{J-)%DiblGoR<(%074*L^Xir9P$OG^K4krR&eHCCjg40V<6K zOzBD67jM|-rP&uvqZ*Lb>x<SuhP=>Yd|^QJLSOL3W2`eh&NBnbGkwXk83c?;DvW7t zj43XR8RYm$rub>%_$i_I86@>dI`wIM^(j8}8T2ocY+t6yzD$XInE|j*(y&kCvQP1_ z&!E1WWO+AD@@`7x-3-`ilEG=3&}mA*X$Es|l4Eb0VsA=fZw8TklA3%PhkS~gd<G?F zk~wGkQO=Zb&J4(SlHPclz<7$^cm`u>l6`5Kd}&I2X$B}hNh>~$CqBh1K7-ae$=W(i z+BzlLIs@^aWb~gV@}Cm)pTWAF<h-4xyq%Ja%=)^%Pc2p$c|1nZ``Jeb>i|bAU-7t~ zqNl)zFJYfsthn!ZmZI;wk66M1idY`wad&QavJa2uKC@U+$?;@v?^hoY&4Wi`1vbaS zxji3z1V;CT#Y#4h7jyegd?ZE>KrL^Hj=M~{V|}<e_vu>-(~l=idWU?3IS&Y0@*f`$ zn)Foo@W0>ZZz-NRo;T^+@ezN2fYFjCc-%{|sxCH`<pUEu*;wu}@?mw^>s;<#@DX)6 zAa5ync|5Y*)9fR7urJ<Ha&f%8+;{CGd2j&qdy944DbXGIlZ$en)~_((cwC~l@23#u z0iIvJ=J9|;PsvZdH~YMP#iPe_5`CLL#oipC`Q>pQ_q27V|Ku^<XZ0(3e>~OJJM&Y- z^nlc_z~%T$ThGUz0xSEXekBLTOKp7@*NBooB5$fGj|u{Y6RuGtw@QBA0`G1Y-uO(o z-;8!CNqYVfa`P*E;IR&0uzHA!-afSd7vaP2VbWiO5C0=tTupjImiAgV({T48NP3<0 z<hMYn@P7tMtfL#;F_C2nf(R^7s~~^_a*r@p6t!BK?tL%<!)SjHK**)*$$etSFaBBR zn(#;X`5&vMf2D7X#WO`c9!||157bD1x<~sbIgx*;dHf63zF&hH(az4y&B}bNGyD+j z75&dKR50<7xc}mx4GNwe*1eI60Wo#qy1afGR&L-e@COQ7s1yPN(igWF9Q92V1rC_^ zk%Et%caxNSoYe3j9V$+2WTri~%iDCFv=Dthq93`HbbKGtR^72^L#)3`yC=j5^@~4M zK8pCUj~Jad7pKn$g6CTD>4rypU;$}A`C4}DD=WAr2+fKQJXs2*M)lN0%`C&UY*xhF z&Be#RPzqW~4l(037=I=ZoP7iD&c1}lO~Q9WZiZWM32EKY+%p!tV=gCJ*1GE^FS{p_ zZZ3yYE|Z2AC)bj?7Xb{$vdc;N-7Ra`H>Z~q6T|p5$2`2e_gpiTZ&?a1vESqN(I|fP z;8py#INWlXKbh1$+%lPRxi;B#+2W@F%#9mfOS;Kdi5l^{Ku_RFxD27f<Na6~LN=O` zU)z=M!2vtN#(-{;{Z<)IWm@d1@<&FKUzw3Bm!DtlALdy9L4Wc;$Vi$0EhF_8i4iBQ zA&o96eD-)MKwC&}V-hHu#Nw+tZ%XPoLNr!)A;%)Wg-r(y@7Liv4Bwfm8^rd`?$-NN znf9PdJOx#|Xe4KzfeiP3@e9|RxfK?Zp900R2n_qUYOTEUW;(>p3!0z9cdKtM&(3wP zncl}YI^Mu1?-S^(1Om}`@a72XRGmI}82#u(U_spIGSi#xput0hpZi-w5zu~+CJy^= z3nMYw*<p~81;;@pKDuT?mwTG39rMd$z{fS5@^M5O*zT<jv0L7^<}cV_b{|p$>gL1v z@MX*JX?F<8o?X$IJnfG(l*rE-J10)(e__X$c}V4&&ab6?7E=Y#uh5@~O`C51u$Hxz zR_^sGi`*3zV~p5i49X4YQbu+`r@&SY;&qT4!!L;-Lsc@Dwnkk%T&p3?#KHNn8K<)0 zAvJKR%&MXz>Z&k>J{qk3wbP$2GY;<ua~O5DsMBk~H18$b$)bzaO&8`@GyYraSpPH8 zC~r~TwEN(eeld0Y2blqj|HqjDu3wn}LlutSc;>x-)!k=kjXYx7L%~%Gu6`t+7b5<^ zF|oj=_P{Zr;%0V?M$Pxtq_G82OQHzf9#54l%z9KhIdXeb0>mH4A9M8^lYg$x1CxLG zZHCr~H>T`TUIdLP%oH7G(;wyQXns1x9siB6-g9v-wPR?=C>39caHcv4+ZE+$X)yv! zS!+|Z129Q~|A|1W^C6aiXi3TFE42iPc%Ud*J&;LE0Wn&`9ti03P=iz)&*c6<<Nqt? zg0u`M*?TxII-&n3PT$_#l>2`>GyX*ahJR2ui2T=?F(WsZ=(mGnld{0yj*JVvOMS-v zkAofFS;(<26uCZMSj~PE+u-m_y!1u-s)l^12qYR=r<>#?h58KxxrhJIn`h}s3g}s7 zo%b%GaWuhP_v$RzcrmI{GD=D)v}W|Ra*3t5>iMeZ(abe;4c&>2xSDIK0A;3Vx*EE~ z!X&jMRa9l>GP?T0#JVJn303d_QwH4!%f!kg^;%WT0p=#UkMP8nB+X-0L}sS&!fO1) zd>yqIRTO6CqQbhA#9AGVK~+#0Q)*$YUShe9dbuh_8FPJM!(`$o9nEc3pdFL+gc6A= z9!gsAgj%L5njQ1I!uq<zh6#;%Rmc`oPT>cS#HtDPPpVj3%&mnVPZQfFG=B~uJYov9 ztVU1F<57zkLVm<tU|AQJSi_^yJA{<Mlx$h6mRQE4UOa@J!TiCpVK}jgM{{Ec@RTXm zvW6|Os8%g)2=ys*g=KwZVtuW~^bmNCDa-PMW8%A7^@btLIp$`|kGqMjwVLNch{8;f z@M^Ne0yni+Lny+`CGfiJ#1C#7BSWAjrgV7iv&0HF^{OF^CgzXuhQ-8YH_iPapf^(j zyhbds<XA0t2+f=MJ-ogp@#C?^@(|>T=?(mYU*h{?^|m3bE9Q3i$D73VV@-MeykfnX zpolRTiHfWPF-FBVz7~bCC=z8_2mJW*alTKzW3Ne6EgZ<=D~|Zu7{<afmGB&J)yoI? znu^C#GF5aPNYpE~_*$*U;xd(a9SFaa&+#>HjAdu4x;s#Oskq{6CmahgR6=vWVK48g zYfKwUGE`A@c*I_@Ue{tU7GtQ)>Ok<We5&r#^uwW1)xm-MUBy{lo4{BENnw0ljlek6 zsr*Y_Q^Q!=yo!+nsZ+&XU90EVt9fNn2co_5rMl+xvD|r8UkA#)ircz&%&}k*CCCmo zdHH9L##dvBA}WeI#N-v<Jz6xzqD7P$ckpw{zj}Nc8Osn+wb>!dsW|ay;}{G7q(roX zYg|6$(Nr~-`bp*S4vBHajz_EWSo|kt!5zY-@&%9P{jr=+sxNmamMX42+9}3DeUz|v zaKy{|P8)N_l6_P(cOHpXY@W85jK%sWbM6qdmd~7iS{}>tQFYlNZ>_jEZIc*_{Ha8_ zgXdp9dfL=Bmi|-4bcfWx;^4G3U@YOMvg8iYZTZS+^WE5+pQ?d7l(!Z4R9Xn&E*vT3 zFgd0$1>!Jyp)f@xIXOBx1$;SqJ~>77ZaKDY1+s2=v2H~Gog59F0xq3A51k@vp&U!0 z0!g8~NTDLwQjWn=fzVQ3z)}$tF2?~^pn%Iuz!eek<*4x$aPZ~1@fA^0<d{<w9;L_& zrznE-<mmMj2=wIn^%OBC<=7_`$S38+Cl!Hwa@Zt!+?iCw>f`8N#sTc(sPD$XPUDz+ z<A~(rC^_RG<8h3oaiI7(TI)E(e;n(U8v)3T9LkL(%Z>h-8$ipATEGpq;KuyUjflsM zlFSX#<;M8R4dmrU`@jux=f*mzK|rfPj;%pbtwA5E0kGDfR@8tUYA|<d5J_uLvT8s^ zH5dyuK+zhs<{F4^4c4_Q0>l+L(iKV36}`_D!03uv;tIBL#oTm7ByvSbcLhCm#h7sg z3c8|wbcMWh#kx2`z&b)sI6~4qLLWT>a2}z)KLWcPVICYIQXZkaIRcp;VXPbhC6CbB zk060ZqurBGYrc;`;ngt0K^Y@rG>30&E%Mb-gab52__6lmY@d3nUlR_Q8<E929I>_0 zSBItb;~L?r+7GZb6;-FC4eA(?s5)%1wOUojr48^H5f0hUu{Ez(XQvIh8Bq*5T(Pwi zREHS!qZ;9`+V@m8rdB5z45}DCVs%)rY|*cdF&JPmBB-#Rs{AxnooO&+Z$w_<a8}vI zUmZbc8DCk$Ujucp|5DjhU!68RXlO+0;ILQO`l9;P^ni#F(T@F6W%F5e?(~q45#^4< zZDl(~b+AA`cmbQ#{<C9ae08G0puz$%sl#{27WL|AfdPgE{4D#gj-S3%X9x^gFOX$9 zoH(|zSBE$B6E5Hy*$+83y{k@b7&KTQF>=^(Y;~%RZx|3*AY8CtaBSYI&S@C(T%cHR zxOQwOuMYL>$6UY>weQ<)%&AWH9Mo8NB<ira+hSZD>p8%&K+tSIv-@eOI?Hp&d4asy z;bON<ygKr{pJD;e*M4-jskJ)&e9&Zp)Ysu)x7EKo;e0@1f#}+PWw-gZ`px-Jzyjs9 z!#$H;h{D7pC~|})Q-n2fgq2W)4U&Q-oq{#Kf)$^F4SKI7Tdy@)ua#J@4S>OthQS(_ z!HS2$2DR9drP!LJ*h-|>25fD~U~NrkZ6#oBgSlbJv0+WIVI{F)gGgveO=yinXvIxv zgOX;+oM!zf%}O}U24rAKZ(vPeV8w4>gE4K%K5b1tZ6!W!0~D~tCavMl;(Dz<7x!f@ zgncgN-CTsz+^fC0VDh=>oVjr0x%j2IQ1Q9g*11UkxrAHcAfRwmsBoC9aNK9%5L)4w z0^tY?;aA^<gYkr;lZC@|h2y^phw=)?eh`jy7fv{73PNj&ifsy0ZHgOe3Sn)Esc4FD zXnM8N6inI_oz)a>)D*wa6e`*j+uRiC+mvwa9R%@?iu4Xs^p5NE4q^0;De;c5@qV@G z9ZcjMo$ej}*gJm4J5<m+_M>;?OYek>t01hasD!I9&8xW4s}RnsnD<u^E?2J(u7WAA zqTgJFn_k7QT!l(r#kOBX240Q!Onuw%xCn|ogi#F2`VwR9d=qO?JdC0kp!LO1*d7=A z)OYxrV#vamEMezJtc~$7EVm!e7guw8K&+|cFeP_T*Ox?dXG^Tr<}faIfY+CBbbC&$ zdGjzkcgWqBVsz(9texmE#H1h17l(7Zr=>CdFv(<4)%OwS&U#DB<HHz}0ajmv_uEq~ zpJom-O@<tN$=~mswX_KyMo_@xTWSQ4pf1~ATADr{rY#Q|`I5Tq?6tJMJbbl0AnHqW zu)WmMd~uk&Jml+3d9ZWa(vEc)EYT0S#-`l<?AMrZm?$x*cuh>X^WCpS^DtUsfbkmt z&GuKnPosw!5<@oEWN&s({MtAV!`u3au5nGbhy0q}AEveqKE5U~-P!SLbvcZ08xXuE zT-jdmYd$#4X&ZWZO|i0b?bl9u7#h%zb&Vsr-FMUY<}f*6Q1kkc<j&?zi|Ju(zyRkp zLHqX1&8L;atbiexYx4G;i<>sd!^pdS%4@v9?a`a2_QUkMLDOr}z@3Ae*1*Gry8+2- zqWkTYo96pN)4PTHOVfKISP&Sy8UaXwj3k331C{~FK)R5+z+Ip&2n`Yqm<B`x$v?ej zJU&>tOG(Zhy6=AG?+g$8!`;NMI1_($rRzUWF8n#p{5`qw7jfplom{9uJ|yn_JlRKz zKv2yi70e&Drfm*g4da^gx&tDr<t8G64!i%5T?i<X|N4hG`q#np<qrk<fCtzLdHjEL zLNR~1UHkpI<u6X2MXjJ``bI=&;?st{x-m>KG+-9<x3f#}=8)N?@ZhCc^4EM!?0Iz_ zXi-Z`F-yjrHqH%1>&u(|?JJuBEk8?%UPZc(X1d?>5jWqiKU$CT{X!`@?ra`weQT{= zpJlV+G`*N%vH9YWs0-V1`xIOIUSi=%>Ca5oL`lQk_a?X%bQWLUha!?;2O;$b5x&Lv zf$%AaLJOS<^9PU~0r-|q3$_2AXb8v<M6E?qikt!(L`)6h3Bu7rEJc5Uupt$HGm7yV zpdVxy^hk@m6hjYGj`$*oK}z>6;uv-*+7rN8&`&9cx1cdxTM!?B1n3lGE#>}}b&TQ% zf(K9pkQ2lqW%E`P3aSImBl-siOG&<kKrv1sK0yB<L@CX;L|n+k=;(;O2(-c4Qg?X# zWW<PZU`GTaC>a+%F<1@A07wpc)L{ul<-&W7I*a%<_^1O3N)5#t1`;BC2%77lfnstI zJwYFaq#-y2r*^PF$*akpAXXx#0fvIkf`HW|vj~ph1_aTd_zngrV>Q7nco)zBY(`Xs zQdUzQB4i^Hb>KY*Eh4;xVpS6z0x%IYf+VpYYIc`{u&@D0fXHC24x&R~NN{Ke^(rwo zq8y+`3LhJz8$mIsK#B|-90oj+0>hB#fPKMyROI~togh6bJS7C&V8>PT=Y);O*}xGX zQ4rZG(sL9cP&SwY*wmrCO7Wbs5pfZz3gO|r)bU~!=Q&y<h8UOv0V`N+74tcf7o-Iu zf%raXro(0xc!+ZeXhB>Ca0aD!;H@$rqI*?&7x9AA?nUk~ZxFtMze53R_x$&Gm!P!! zpZBPKKvqyO!~lI5yAtU&;uB>qaxUZQ320B}Y3E>&KA-~K08|NhB42$BWq>L`tvUyT zABF0JctO0t3a|lDCHRSYwGWgK`l4eybP7;`VU1!yK1^1L_=L538XDh862cE~K$`|s z(mx@sW`L@9&Ij`Y9WbZKD_Nfia<NvQL&-aQf?j}k0M;1OIF)!$G`UEt1E9B^j-5Y) z&OoF{(`c1~v(RcpD6lgkC>~4-6rgYvnnkXThFWy?2CD-|Q3OyO0kc}wX3%r!hYst| zFTgCI0Fk4}EPC|-RJWrzL>-ugC4e`K>4-S%R!soKgvNHJ1-(NwLTNyCWS`Zkwt`l4 z5{9q?7QhWCj=Zy;)fiCH&W4b8KqIUMpd;F>1{WijO?4~uy2CSAIAjmJ0Ng;?0B>M! zAU06$BD^MgjrN*#){HB#8lhUMIush&5z^t;dD9Wn+0yCPA=B|HSUy-jv?quhga(WS z#UjKap+V3<q5wij8Ym5rhVDtmM!<%{hQfxyM!|;2M$QIg!`l^`1y!>`i8?ugjlrTA zp5R@U*{9X+51L;Z!B(N`K{*IRpk|0CaF<~gSZxIT*hvwxgxHMcNx4fh`=VMAdeC7K z+zR%^ItT31&+=B^q+eK6i&Zm1H9IAOS`mHG&T-i8&u++f@n&tRIiaSVC#EOu$17*` z2GUmzc``jJsp=Ja@2m}$S`@w**0XO<zFT=~R?w@SDd4c2Z&fiZUg>+jy;S1Teg_0& z*4B`VS^lX0Myv3OMBI9}@d%GW!?0=4>@2f>XWC`9(e4D1(T3=;;7csc_o0z3{(iSN zKmZm56d6V#oSBrFmYe7;#wxlgw?E}D<FeTD;(BDs_kyzJ{_yDQCZ}n;|NYTP`UY!% zIGuyt&W~*Z)+*Dkx0cMGC#>QI(|9>tbPf_CCySk$&&fqRw-<{X1S|GISeC~rWnYU& zU)u>foM$(kpKNeGX|z2`y6LO4+G*Gm_1t$`Y_&OPyM=Uh(b5#;TfFM&?O~*2pf4%R z753e~36D+ZFlD|erI7H+zJPCi*yJ>6^SRyF6J3`+1~SOMVHyhbeHJJgQ#6$Jp6Q0~ z_6m0QU09c5S#orKK(_=<d|Hws=f`m$-bFj*_Z8F5l>|9n+{2rX-8UD#Z&q=Ifa#s8 zK|~NvP!(1cs0zawp$cMx-a^-i*~sDL{T%ObaFw8gHRLgX6X=ZOjB0`@cK<mI^uT0> zVM5vh_EJAIT-EQW2r&wJ3=xF92by3kqPK8(ksdaz?sXake+0WgmeE^;y(|tHR@FP% zJ9mO-AT9{Y*ey6-kVC>%_Ri*zm%sy%GiaH-h0#m#P-C^V(>KT{^aAk!eHr9ObxC#D zxq90P30erb03ARikQTvyOqX1T<Es`OeZdK!H^>qcesq^ihbXI`I~9X80dFuQ$o;^V zY=;A@x*eNAqevftZ_p$N{74$bF9C<)tE`>rL7X5{P#e0R@FnV@_v%R}c?VH2CwK+W zhU15KX?-}g>d^5q<UM2sp$)^2{Ziy`Z`HTsWzYfA3few$8<wBoCC4Ff^}18ML%b6! zxH+gf<T}VVm=fs%^b+_Iashq`cnQV=OQKQ$_96RN6sQ5jV#qhhUI<=PUc_E>Uie-# zm)wU>4(Ses4!sVM4xb+)A6g#T9ugmZUwyhdw<^5K*x}x(8B!8d5>gUe5^57<6Jm-a z2??OM0bDX4eqBxP7!7&@Y6k|8-+(Wj4u@7BcN~PQAhm-6ux?l``46vG6FMkE+W~>7 zcj!0#m+pr|tDK#bL6S&;z+A{3(hc6F&Ed`CGr_}yRm#qlkapl`An6St_de|scq4uZ zL4Fh>Yb&dinfHVXnH?E1515Chjhl}z_b6%&`zN*)H9ED5Y)U8-q8Wl2QXWJbJ)b9x zS&jhNBI+3XLDfh`FN7<UE4UOvn;>6APBzL1yPlejYFl<PxD?F{#SBv$n2#u@9%YCf zPemfj7i^0<PLYoxXB35r{f^2|wl35bJWiHRD~A@9)*mQ|ZA|SW>k;__aU9Y`lFul| z8Kr@pL;X|6BeXh%7}X4oo7fy#PBQ8a`!f|-dR7WOk{E#-+Z?IeHi{ctm#SA*E$B5W zH;y@Ow`Ei!b^%qfbX+(wgd5A8u-g&YH);!;muf?HIQTVM4T3pC7<so$)H*gR)wGO| zRAs~ya1F9KcehAXDs~0cv=m$L6Vw_4bJA|ls55L*Do+{5h*>}lnmKJZLlimoD{KyI z4eV>`XVlr$=Q6vYLI^da=2&5*VVq%%VMJk)-O^FA*ofH6*b>+Q*!$QN*umK2*oxF$ zROVD&)HGDDq~&Dfq{C#$f`!m=kZ{m(061ug;6#K(<V3_oq(t;Ylte%xY9b~M1P9BN zj0UoX)NL1)jBP`$Aq|(w4iy3>f)X)Yan^9V*`q43XQ-TIpG7tzy5g;gb%UZrvD2xm zq{JfnL%qPRlxv9HXi<#Vn$#vTVqsoLM`UXp-QrO<Gbf5s@39Z4mSz2dy+B7KYoy(b zQKQ%^)XP#W;e}|*Xh~X%fbr5FHK%=L8Rvb%$|WD+H#1wen@_K1GH!i~FW)C$AMl>M ziA<JM#~10j7b8TY{1(oD=IxZ%cTTArwt;iYJ*#&2{_FJ$BiR>=pV!rQ?rCGkmj_21 zf$D^T5@z@4W`Sa6fe8eGl6+@F7n@(tHp2>xw?`w>?!EYAgXyFvBD$$um9AW1l2idQ zgMo@SMcNpJ6EGDio*+wPWh@<TB`d1bFg?^HoWeEODRpYN9!Q5?DU~`yh6VB^@*Qd! zpfCnjF3o~9fRyy8kOXEgQyXT9ScX~X1GASd$0*|{+=dNPPeo25=&&k%p{@^_B+;=@ zQm3j9o5a?kRdS-@51&NWF;X&siAZmwmx&f~z&^=rgUiSZ&tX1N+X!W}bPh`5)Mp`< zXl0Uxh%iU0vxrH^1XKw~jS<3!q+_adON9~6hdx29^qD$7h>viBN$ERvd;}lvgpd** zm3kN-%7mrT2Ws_DKJtlYN}e!l>Dov>;DnlzJC%AcAHjs1QY;mFL>*uPpoB)v9?FL` z;itq(%^qBbKf$7uMdcJx2bv&Ja-en!twWqpP+FjV7g|R#VW5NwGmxD}v!kSARBEOY zmT?QNqntogs)BjS&WGOIYZQ^gJY__X21t`A>9CY?VF0QtspD{b<N>q^X{9^ZB2|;D z2r4tW4qYKsi5iwq9WEOagb!rKpTJSlhGEL0hNK`c<LICkK2dUo=}^;4t3=>qZ4noG zDA~a@q(m^7iFCk)YD$dMR<eV^9;g$pN>5=UQlG$EJcX>VDj5;9EwaKL7>CR!q%Cma z35-MP6Ur7v;Wf-z`V+<$W??fdSK0?@i@UG{Mj_>cyd_*Hrld*L8gz;|p{n$rs`Wwg zY69}GDgxe9`-hxr7X&JsQu~Ky|B5ZQAeM;C_eFPTZg;WwyoH=F`u-j&qR3~swGwb# z7zWi4tez@8q!R5ZRxP!qQ@;p|RZ1Y_8KE0}|2h?^Y!!Nw*n{3C0d;!BGjJ_4oCQ`P zQw5$wcYD!)Ml}=Rh&YE^D-0)r?Z{REn>gTLn1f6esEHYF4KtE)MsGra6T(PkoROLc z;2SU_S!ZAqFPsDRj_PCNBBC2szcKa8P)Cd=TDS(RS=Je?i5xBs^OfBP&Vk(m`+-zg zVT*Wfoc#^3YngqBHy2zRrYK7R@g|0UgE2}`0KM7Z(J)0R3KVZKI5jL%CKuBi7d`;9 zk;+B&W`NtlN~Cf@bC}0~{vj&P5HYM{zkW38(Fiffv3b8c^@6Mkz?&KV0`^$O1mq30 zg!ETXyM(oXuUs~cefo!}-v_mz9DDYQQXPcvB6|zM#bJW7%K&dmcn<8P^fHz=E8Gbt zPAw|y8SIB$D{6_=A4%0L;~BaOx<asI>|ciYQ$b|T!*?N9T$X|Tov=_Uh!kcx89*4_ zO$aX3&kakEeicau5+-qDgVVwiWHf@v5QTA%UHb=Mx>PpO8j;zE!gy{paJv3Em@ajR z^hmHD=vcl#o$5`5ANUxhzX_%(BLTYNfq#IFO1Gh2iNVoe@1@(Yt{C7(FiM#=v?~g@ zBFsg$4S0nJ-+{SE1)yIE!--%gRFc6r_{Y5clvM2zH(<BBid%O0OW2BR0Lm2sT$AMJ zajdi|sUevmz))l?=`DSQZ18zuAZCf=NdCP<%e@f8{UeH)-MaAey*KS1WcQKihnvDz zn~&~FgpM{tuil4WV+pSw2(P^<&=&l0|25j!>l2fo`F(=$rs-z1q)pXn+<k>YUYw{8 zZO7e?>m9f1&AaRy?(G|P^-@!QS_|9t_J!N9?EAJ$a<{t$xK00+OS~y{V5kAJEkUS( zt8Hpn8b{sfTPtLCf7{d`13TMCQWbFx#~~B49HIjnHD7npMTbUePIdv!{TwwzyQs~B zRW&=i;N}76nuT3VBYNp{0>AH9D}0hMA(R=Hn?zG9tTz^krc5{A+wTVg?`iLE4Dv=V zXBh8KR@g4TNJ{jsV4bx~-n2_(23`$q+=t!X$$~T|+HY%QC>wqN3lfg{DAQ3TKiz+1 zJbrJAbALzL9w@Ctp_Eus`om)I-Xdv3|Ah5Eyjpr^B{wbbF6sUn?dszF&DlWDifKxF z8zHEjImWN?K7D3{QWEF>r)bMq-~GvZol}>?hxfaqfm^2cEcbqPci%Iv(ns&wbH@U& zyzb9}?{}<@-fO-XpJBVdRpBcBpc1)k5%ZN)P1)y~yYOWu&wa8B32r5uD&Gel#KCeo z#xMG)b5UcKy!kLE6d_N#{@G9ja~GO8fo|+bTtPBrvgb5Mon>+eo7mXdnn5nY!IBUf zpDdJ3Cq|8r2~;_}oz0<gKm1T;LAWo`Xeo%~)!3u4jYy>Hp3&IaL{&1k>=L@x_=XMO zZ=A(Q&5Ev>n?`%z(joOmTW;a>vgECmqauA!i<X_DVzZJ)Do5!oCJZZ@$J5(Zn=B)$ zDGcaNh`{9~QAW0_j0v{JrOTAHwBZiUUGMgv#+jRw<5TPuypG;##BLK-66#I&QfJbB zjU2*r)crI`|Cw7R@u0Uk>kM+{B8^r)HjJoSak;erJERj+VZI&{Wu`|tmP2;J!#k<6 z0(Sf?r*Lbf%Z+y;*(i~4DG~pB6&>>hRcfPTS)TwMAb~E`i_NZGR~a=|Ic6V_<em;2 zZqBq^I4j)Qr%IeooP11#Yay<bbw=BC#<f-Rt*}ucd6DF?l7xQulx|^4F71m`mgpiu z<r6=-kWF1&nU$o%t7!ZY7dmS<9iB6#RyJw#V(P7A209G`2I+}xy1scjd6seuUR(mB z#O>MW!XD>BR>NedP|&1|Q4*qJGFT|Lu5+vK><i773y!k)kn)^66}by-w3m@`<AS>R zQb5wGm~!TcfqX*&U8j6fT$<FeA?kpYaA9r^oz*VQfcax(j%L-&S=priT-fYcMBRI= z!k4#Hoiu@oc!j$7jC1*P(KzeM(WP>@vKTsKY)V$PN^3H@6D0GACS%baVYzhJr}V8* zs%XGxyL-x_{d-;8lQ+^1_hN>-MB_XMQfN0K^UH$c6m7B7$E|fm&EqWl@>xw-PLrK= zP|70zYhv~(lsavjvGQ#7=F_M1k(?7<m5yClwvdqm;|qTFPjBo#+*Zw5^AD8^IF<L< zhO(=R+6&LCrm|0Frwz~7xeF9xd|-A;b+Sv|Rf@HGJdfr3)ou1oLz`J0(yRQO=eX>? zx_0lgR2`N9hO-6}G#?`b>fY5g?G@JVA+TFl)umod^b$x_=n?N}YuDM*Pq3t__@>lS z<q%v!IyJ@p@UL7fHe+4i-F%kL8pw9AyX)j%;a3D*7iAisZiz8TD~3?ypwdr;=DqG+ z?V8w<yo*4}&_U6IPq_Oi7VyDciZV|M8o@{Q%Ty#dQ7W{rU6XPzno0O+0^O&wxr_8j z<JXe7wVk+Q2#OiJP4P`**MjWiOH_&6YM63U11xp4vzcP_t?IV<wTGF$_WS31sS}n; zB=MI!SVHFH@HwN*30)uiQ^erVMP*aQw9+b^IWhIVLU(gx@{C6-NBNGE!#X<fIIodI zf`FI-m5d;%S4Mj^nW^j(O*!mZ`bdxo9Q6tArL~Ceq<0WPkU@ZN+C?>G|JDnqH~9*R z`UuUs)C93dZB=R?v4^HwA9Noh-ys`*8!UH0kWVRFqJ)a`^E*pYdu7*)@U|7&#au<Q z+a?v+ra_4_{ko^h>*@8#PguNaa|TI#%bCX0Fe6;MF&WD|o)dnP3cq63dLBM_C4e`( zAWwG?G`NW$^fD?cC*+4r)By9UI<-5B2N%4QZ7)P+#2Jr8*XuQ4*o3gU3czwM3o=d` ztio^9kFZS(d0$@IqVi2A4XKI*@0Cu!t|$Q;GrTMvH8}!XTn9U`3&v3Kq(4^(*5&me zgrZ<2wxC~H(2)g{dx<YoKt*P1E+E|veO21QVA#WsnxIUJkgQs{o{g%FKj@|lqC=JT zR_K?LrZv^`Hez7P|1lRq2W8E#XD*wJ!GC8v^+Nw!QxOaMOWiXIQhhE8Wz-`f{ZoCt zZ*z1&R>K1x{Wks6C3d<WEIjY>zl$V3ujsFdG1*ZByrXGm`Q%84QWJBWnLk+3R9M17 zvaOG+PVn@UIS0c<`I^q|gVc4H!Y-Q@ABJ9{jy5+d%&|-<DXn~MR)zqFAay*(QeIw^ ztaLCq#zg29QWtX}Xhes<J-j@rM9F_gX+amMMZBD$B+4_laDut^8P(SFnAze|*P8OG zv@%rdbbWd?+ElxDgMp(z_D_?I^fwI}7VVKglGt<EX0`2^OU%Y4xVXvB)=!Y(k=X4a zqF9eAiRsqWT!7pZgJp_~SV-yhKby;DcD+vy-9vdaVloDGQp@G)8Jc<>@x2V5?nd`@ zLSpJMzJ|LK$I}ps<mk<e?U}185yruZ!}NFgI|+Pm__dq1crr6W_+iJCZ}WnpEDGC7 zl82wgBUw}GKPZ50uj=Zc5+H6y+OO$}<;2W<pve#=7%E;{)yvMQ?;o_2X4UoQab*Fk z_cYFBvSr1P>mE6<SbwRqT&&ZHe;vd5fzz800&~zkdd6a+){`k5v6%5)?_^z%$9#nD zzG$slFFXBYAiOCGJzZ5VvdFwquO-!Cz`LmpHlV|8;LMo3&T(wOQmovgU-pDWyx(N2 zXr7)xvS=+2otm_0El#g8ImYFf*qiBlKS!AmEkOa?^;pHaqF1p8QbtTqkPeqWRx~MY z-6!#;A!si!Pt;R`B@95yX2}RB3)lQ_)Xo)qhDu+P>xUNf?v@IX5S-+j+q21o`zGL4 zd^Drx-cysdDjV{=Q+cJtggc2gHNo~$dU4S)W;N`O@Cd%<tx4;(L@y1b+P*WyB4Ern z7pbFGU4yz&vJlGlgqB`nGA5mAapSOf%Jw+eYPNm8g0t!EhQ_pO9pP6|8|AH$>s5vs z^&2$ikcElbZ7!;xOZSkJJ^_mlu$2-c5}3YSBN9{7=!8yzN*jR*iJV*-{5Q;Z?RvEc z*5e^QAuawf1DdXgEQB4bmUp^w{xKB?h{87%WdagCQze(@%ZaTAz(<!7c51#Pq;Gob z6e}vJeA6mFy~pP@aILj}1Y@m8*>2W}dm6)9!E;rEADg<?sFVGqejrpo(qIK_S)=2p z7jw4#5w9Y2J5%RIKc-2ATknkKff;Q|v1qp3vHvN*+?h7BHFJ+>kym+da<q!8BJ(+O z4-bFVuCBX2XNq~6PPPu~0RQ@1!?*Z~DQhY7G8AP_<+Ou|i`u>e`1PjzV$83YdO+*4 z3QRrAg^fAKANRG+UNhOvlxG=dNhLN}rH0Y+eAS_2jYlnF|2i7>leIliwPbZhxiSfD zl2!Y#K<`p>T+{N5QC@Q5z;vAbwCsn);f<<69oJHzL>v?LG-_a+BxT1NN&}W-JoYn} zi_w)6Q;Jjtb}Jc<Q&;c2_U-$hiL7tR4@)LlFJ}nqbyTlX!YQ0OP1yn?ufHD=-NngM z%62NUURr{%&P*lB3$KJZf6{BU>)qcdfB9Nj(89v=@rI`>()@JC@ZQhrk}`1Zp0JXu zIDRY)^U1m`dqFXyN`+`X4tX_U9ouvv?PFobit?>!7JH9;lAKlyTXZ|6$meJxUZiEB zR=grH3u85luSdRBZEG*8F9|J7)HuqAs)-s(T~A=nCtz;gc`#h)eZ`x8_-`We5sM#h z4JPmewv$9sUhTVj#4SuTh{V6zf3&?No=iBWT-QE7uHc}lc)@09xjAOm7KM3!<?(v7 z_{5K%e069Fp-0Ei^YPeRTbq`L`6H(e(aG=rB|cpT`SnktHFk^fmSx4^;&$2w25_Lq zhHu$7B1Xfvw{~`zI+}ObnV=N(9%;kkP&>Y;x5=g%0CT%337O^>#26q~`=B+Zy}3tx z_+$^HR|8sfW5+qlCo-OSO{+BTHiYY9-{f<D!&S#tiC7EE%xjc6>GCI$cbS;Ji;9SX z@bN5a1MxpTJR9r$YU<H9UJQJdpf!;%)tt6Vfy%LW3n2*dclqz<j#CF@vgoYnrH)dO z5Hb|7#537q##79cyiv&~fH7akv_EP2$fV1Ku<-e(%nXxXg?_NM7sxY{%aCSC3V<rC zNgHR%ZIA2aBQcdH=R=icW0G>Yid~zz;~58`<{IX*q$Ea$6WJ5ly~+E9Qgw`bdA#bZ z;<jPh0DN*K*blj6U&%~^pQYR}CUn}TMbg&K^AO}+bl7?;bcf|K9Ue@hrNhH8_L?`g znAj>mLs7KTLr1h2*210Kn|&2Nf%jEu@3~fAHb37b6JktwVMt}Muq~dt2<aq356y&p z!vs^EJbB=BvPf+#!`rgD@ZEyo{`iQux8={*WGoVi;+5|BAmmj1^stQr1d`a62V+rB zJodAd5K)j(MORlF=VRK-BVf!1mkLcl@evskBZ}Eb3Q`by4t{jIl2isHXgpRbX;Pz| zqR-5$wd)d5%+kf&Q?pTOX;S<=!%k9}LcK$+EGnox-lSSE{UY<j^7wF(C6k-ox{pHA zs5?pb@)*3RkTG}S<}BW`b~L5%QYG~D7?Ui?Q>Bdl6xTQfu5;bu&#R2?wdJ|@O9J=T zu$u$frmt_Eh6g;k-ANpKvwH>2uKGYPMFLHQjQtt2m*WUWD)HT?oBDIE1=dCic*0H! z*}J^M+nz5I(q><9z(=k%(Kg>+bO}os3YB2ljLcB-Y}&XtskWzgSq)0<*Y@i)R{D)R zYe<7~Tr+YJt&|MYe;|L^<Ym;j7>CV485dT8&-g6%0I$kgGR(ok<=eaui97l8jHXu$ zBgQYEx;`%X)^!$D@mzhs|JjFfo|(t`jYiS&i|=a7p7RFMEzWyFom(Y%K1vfcE@Vo5 z+qg+?2IUeun>mFUHMBo(o|kQ0dPlt|;exj>V$ij;`r-L|Vd+M}_sok6OYr^azKrH~ z{O)fqGn?K!bSzzD6YW<$4)YDGdagNyz0YWXa&gTccD<0(b-N?Buf0uuQu^tYZzWl$ zxBwg(>q6@r4v&hL+!Qti<6d~*7nZK?omk(F{CQ5;&Xc^;JS}o_o`r9YaW1;g^6U%q z%X^K?v55&j;vEHEWRz?=Zdj#s{ePUDRZtvJ8>asl5-dP~1b2dk;10pvWpIMS3<JR( zl91re;O@@g4intn83uyO;5InRzc;%VyR}tYees^|KBv!jx~p31eEmM{Bj^}VZ|H9T ziR0QV$5&6B{oXcNh`9-<loJ}rw~XAyTXQ=oIS~@p_C$Emw4LFG2Nu)glG29<_VxF4 zdaw3$y0`XrI&h!C#0k*lRyNUXKAWTOc<i9Vmd>T7Se=URwVjIHt(=NG-#8VI+Bg;8 zy>zmb7j&{!enkDD=*hX{=*>C2>!n%cyH~e-DGd2H*ha>`u@Vk?dz=xq46m&{xyqtx zi$C~-+H>x@yQN%vm{Rn7@}~FQ6zwXC6GWAW>R->O5Q(X{V`iCbciDJWoqU8TU$fnO z_T_UV6pNz!t@hVx&Bea`L?NZ$x6+a;s|`8QXk>Z>GLXDZUBX<oCj8^rc-z&8(pnRC z3Ova`sb7C4>GDuxJwh7C-B7x3bvQ;gQ(+PMw;Xki+Y+IM13*`xs-Jg}nH=|wa7-A{ zanovp^RnX|XuA=Ldp<lt=+95yw0eHlb&OD2Gqu-zM6s<op6Ol#T3PQ6*-0KnkDQ(! z`BR?EDUJd_VJA=D0k5mnM829Zzq}|q{juM#|CNx5@`PF9wJ#;xOB^<@Z(D5mdfmpa z8(4c^`efydgb@$cc-P%Satq`K3vEe;3bnHzim>+@wrnZ5W(QbF!3At!McF#sSw@{k zVs?36JC4#qYpv3_F_5f*GTBlTq`mm#U`Jw|K)vo-4uPiK^LG?_T#zBLLArOW^0F2p z+k4u&;I)=eNhjnH$XCD-I`GOihg9=Z!jzg$qFgC_<~wh4uI(tDZAGd|?m3$qELDmu zi9k6ew@|ZiGO=FMxK1~gucCM=-1gWxTg9FZtbeXhx}pr9XEbP;EA52v(wji@DD0zK zf(~`I?5zlezk-sn1{a68wxy6M1j<gd1@N>6UWVj#IdhbmVgY%<9~I2P>#`EaSM&T( zh+=5oH^nBF5IHSLh7?U^d=_Dq9PO~UkDAG)aq0?8+1?tn6CCf%Mb%0mwe%%6gtqNc zUAN${qUHQ=Lpr?4&N3<mMs#R*VVcb2%*kh8bym(l<(vg+GUF-ydXnvgG(r?_Bu^ox z^b_$s(7{4qYG>AXWe)tV+1%el$MSFK20O5=w6K{IG$mCEc4Hxq`GbWg9>6cX$*&*6 zAnGNu*8t2y2teoYt@ID121^0%8?6zYNf;x8HmN#GK~Pu-{8<uG6*Y>#3a|H7FegmK zQA?1l_q8*}nX8mQR9V<}Wltd;Zx*Rlz7%kWrZqs+_vEO}-fd|I;k)RrGe6AQ4}I+# z)B2Rg6}!$%r?c=S(V1oXc`baMIWOevf|k4$Zm*Vg=_%wRkgqpN{?b4bkc8i4qOu5K zU@6usu-2L*tXxp0Nyw0HNU$G5OE9yiZ90^Oz*E+lTXpiQqkl1nV>){h%nHb#LZo{B zz6$a3#NR*3u@6JfiL%XI=Y*()=6epA4Hdq|$HL4jR%FYGeVt3K08vq3^vqO<ppTu9 z2j+YmQWz@iDQlw-|HW*>oa`KBxfR~C;Hbg3CDf}mR`zL&YfJk`op0-9HR`TM`wXKC zMokUv(K;e<@KU8AV#qvGRVi+xy*SJK`oO<_r6{t++pG1uS4&TVK;r(>UvAROajZi2 z%mC7muW59&-}@|xo7jH6sm$nq*$oK$o1P|evP6mR39Z2JU5tF=FF1yaY&q>lGM#t( ztcG+u0D9I2GVj0N%D4;gCsX)WB~d&kQvXu)*p!&{m5%vS|K74%=e3*2;ICT_GYP4? zs_e*1nV4V>ytjv}zj7m`CrZF<ySgCa3;EzTNjJ2=*ukFP)8=TK&h79;+9EMB-DO_G zliqcvm7RSn(k4D2>Ipo@_BtuLq`d|N;A=W0Vw7-7{GK6Wm25!^eV0Z_`<#!2&o!>` zyS#!`vVjZV+4eIY=DY<>wVLNZya@i#y_YRBJ0*~OL=s+9J24p%ymS*j@y0@Cx8aU< z1}unmnetcCWxi%&XVh!Ak#{|$idas0ER2qLv^Q3kyEm3HyeF0>t0$Jz>tG<a<X|93 z?Lhw8-JO1)Pdv_39Vvf>?zE|C<+QoR>9qNWPMF2Ty)J@Vn6xUHN@Zm%I@69V%7poI zREGg=)FT(MnSq*&-qs}T$XOBw$UE-OrNela?D97=Lrt%RBT<o&ZoqGf&x~E>e)@Vq z5iFmYz+hzh&RQQ_#xnsy+a_a&?@({_8&yxV7T+a({mY%rSH_RH1I3DkvK#H1W;#8= zx|F`YJg2=!VB>eHg<!PH<7-r;hS(-E(i$9D<3E&Dhj8w(nS<Dgt1X117hsCd7H|ak zp>P@L?bpOk+)*-Z$-}g)xLdKa$gqLAVQEV>ZhXNiu4r<rUfLqTssV;RHs^YrXxGwl zx>xl0Ui1>u*0b+olg_0#4=ZTTv_SX;M0B}|<pdhrj?&s%{P?r(=^>=9s?sXSbh*~9 z+Zy5J(le<T`1P$M;m*v%xtgHb;?`QPnKT00{c{z3<0%8_G_iM+yjs$(cd4{3<93u_ zWN+>vW6kbXr-+a(e{@vx=Ug=-;>r1>)7`sB{fHHL%4z2p(R+HbJ=lu_7L4QsoLY5W zBjs6a)-amrLC;|e)y#LCcxmCuC@0$O);s~-K5cUDaFYIgWt)B>zi<6$<mUZB85aHI zbEg(*LLnBJOuf}~8@<)Z{s#+tJnjeXj_wCLCX|L<(mjb*v~$i;A>i}yUU#oP^P*L& z>Z?gwcO?KNGM&L3kMdo0HM_pOJ88IRtN7EsG5z{bJBbso$7$1T9<xY(p2lAu>H60) ze=abJNMp_mv75g`($zW5%WpTkN+hdhA<BXY%uL!QqnIDdXlMw}cJ<=)<pwcz0Cx6Z zUV2N_z6@Q<b&Xs}oX{yg8Z|XCUiz63dr@5o;l89sj(g8{VfAmt!Ea}T;t>6b7><tS zt*-_ixRcYrD#{l}lM;}s(&XS<Vv-tSyod%!NxscYlYQ^Wb@O{W&P*N?Q-$WMNN}!X z_$T_huQ-@043=#Xxspns=r4q6c(P7TiJeKng)tLCy!4x2^}JYR{xFsZ<{1A@K*gd4 z{`kr(s@kIC+t?^#F$>b*b&alAD!ru+kBcL8rXx6frsXj(y;uGq6hW>uxoM*5EEycC zE~jB2KZw~&kgrNFu2mYw96$S8o%|GO#3h)K|98TPmmZ=ZEgX)mHje=|Wq6t<dW)Iy z9P<u_yJ_}J?0UH7lw|aCY(FrrEou}*0UHu{gIt$U1d@)Q=<})1@KQZv&>#T?F%uq& z7!TC^3Dn+?kpz;kx4nTEyqGj9-{cu1DwQ;HG%edT2_y}qXIa%%i^&;&M?8OwrzHF6 zOCB=5$15$(HRN`-nx&(4RK-~NrEG9HSXIyy2rNF$?gL5|({SE0TCM>LtOH5$F^-gH zR>GVmjhSg?G*mF^8B$j>oF&_z*Miec_<C-A2$qkPG-wQYDQChDOuI2Io(ZE1ug`un zW9HCozWAUfn4<uBm#R!${c-c1y3q^nS<eZPFm!e;zn55pvV5lT?=;O#-eA)B)VwRF zhyQrB^;<W--JUMxt!`}6H*ii&4BhjVn9gr_DdX;1s<vgRgiDgvuhbN=nzd91bVe~L zs0n|O6#Rk2#1J;)zZ`_RC$oVh-V>c^NlE5d8imuLr^OKp<$4p*e)<CWN|TefX)mlQ znByAumLV>ZCgG*jB2fNQsH7xd;K4n0O0rq{WIS$m?R{@xWhrKki=|JK+G%z$1V>X+ za-Ny*;zzDz^dN;(oXCI12hUG_txHgSqPa+vlpG&;d77CknZ;v*5&7m<{HcMuh`gLd zq`ESG>W2Xj+riCG*OHwvj-|wj0i;z;4%KX9?tIb0u*`l0lx010h4|E0Fq(hH>~sry zdd+$1bzja+>z@-CvN|cz(~2JAx!O)EwiX^D-Ynl^n%=Vx<JiI67z+R0o95NUh!tCP zF06LaXo1Pu>(w>P6I(nR$3$vO5SnoBWqx@7v^pbA?;iRtwB0(q2lE%hQfpODLATy| zXQ&8g6;xhXkeOgy)iM+yTt$CjrBGNYGRPCnH0#I|m+C>R;5QeNuc0G7)q_WCcVih_ zr=moE82Vm8!dOOgnJyMW%n?_~|4u=zTYt(>Ez!tbMCmgunxWBiJihgqWbnZ{WOL9% z`mC#f&C3cakvyh5j$6d*tha^s##%7;-oI8pmQ7Ew`i`xjT1@HVm)}JZ51%v(WkcTw zU(s6ayh(JXh7{0SRYBm4B3lJn@;6P8qO(I<ou^RwiaOQ&)M$bdu(KBss?X-84#?d1 z{ZWM0@UFzno0ivyQ>`61qItY*S&~(oUq>n^Qeo|wId{-34<Z?#wnx_1g%)|HBE4gY zb4I79u1@O+AM}^tL?Z3`?=wwWBju03%jctzv{S(lqP^ONu#1Fx>DyaJT7+MeJRURi z6y0(7MSP(2Z6u2JL4r{&Ku;<^z>%3N%$Vq7!GpAH1`AuB4)*Zw<^b3B2=Pa<th0z$ zhSEVc!kPFPU0hLWW*_I#t0LrRL^ks32d?#XEJ?wHDcd;Gg#}Rq2Q^<UaaowSg2gvd zt`7CL_k|BUAInafentzJIFtyO9H$7ZID`wVR0Il$amkTq*)c_pk3ZeaeQ;WK%N95S z(@;d$e(T@3s@-5pJ>M`L^(6LTt{GB$uV3#UQjV4+t&0+)1)b=}@(O8KvfF>Enad*9 zhd)RsLOTY+BDVE0$@Fx)2oo>={b&4h`)?b-E?o^71<7JYLx?@dB35(`U^%`=Uqg~) zwkXVBWv|AaNoNz5u88BQiU83TDNv8^>BMefM{fv5olC3!70o1ENZ%nhWOCL_JxOO> z)mL4?_0L@<@b9Xt7nnR~5|{*&i%%Ab3Uk651=j3F)jat(n0{G0(SlP1oH}U5oel+u zt+Mowb~i*kYHA0J^^G<i@Q9o561M_ioz7COJo**psp`M`+VYiNgswySxboY6zhGdv z;4#CzDKogW&gSc|+h3s{4S<Pzq3)v@T6P!@2A|~m^6vwdn}%9;#7xtlqERY(sCam3 z$dQdNBNkG*NT=KefgX(+nEDQK|1`}7(6}7e{WQe|NLeVBq2Y)tc`N$_OaZA6SlmI0 zT)^6_N5}rnpJiCK%V)v_dnabp>e+C#4_gAmv_~SDH{lOu<__t=g9ii$zm(ghDu*U# zk*7b&`_g2?{3ZYJtKkY}P0mJ>dbHzD&#J|XB}`nBeEw;Z^s&r*OsSrTRkwtCmf$&Y zEIcq=dxS!(qM!4*t95NW=QaQ4wAZrn+LX6|VWWn9-46A9tD`ue;d8?ye0<F}(ZrR> zKFZlzoB~feoG1l1fFGlFY0L!7VEZj<IOQFgP6S}7l*!=p^T-szDXjYWR+V-8nU!ZY z!{pVIFU8&JX^C7SXA_%SdSr>Bbfw<p1-Om!s<$tI-|9EM4=~3fie{O!FQb)l5!J4B zAAi>A&=_2nDPDfPOV?<QXVtj$Q2R8+YXc?yYx90DHSNh}GW`|)2&`p$uK4O?R;FdU zq2%$j;#u8`Wt|Ib9UN)sZcJrd)=Hg5l<L#biT6^mG!J)Zo-3HYbsOz19lO9th+zqu z(0Z*vB$-;SIVs+{{k|{z#eX9+)`>hsg`}_)*L|N{e$|!1ul?l~FuzPUi~AJixoc|d zLiNa&diN+dnO-P*kd-TFbrBeEcarl@YLZc=Qe-QvTBB00LaSC4A?k)QhzGrxe@SWL zGlSHCQauD%3IpcY5$4)S``z`yjvqSArbY)}G2x}RIvqiqVSMcf5vTK>_C^%W0{>r- z?xP#PrPoMo4ygydX#Xf=)0ZiDtl5CPd`zKJjXvP1nQmh~uN-NuDcvkpF+8%T_|S4< z6zF2I)8??!G5e(Z#MGLlsKzj_SpME{e2!#%&ar59%ro}XWn<@(im%G<+q6)Pib|P; z?%uS6{qZ4B=U&USTUL!2(s!=6l?gJipGx$=JXn!h#s3lH+_@<ksmR;FAK|FosDYq- z@UdifHU>3X%tp-%o80wX&z_XwTa#RUIWWuBUq9+Wkl>lHc$6$7K6*e`+aD#5dxuC^ z5g-Mu0=cQYxH*Omr9MEDR&_w{V`MPj7%+Xd!^j7K9LXF#EIcNyWAy<vAYJ%{`Gud{ z9vvT68U0i;6GaZC^(wt8Z>*rKTa^%>o5$H1fEMgFfOSVh0hB%`QxPtuG<wu}uph)r zCT4$K1$S;7c1Zdw6|6-0`Qt1*%V(C)TW<RcGt~eRQ$P31MX9{tBPdlzwVwr2U$!WH ztZ*#wZshp9csx&`_YA5t#0zjdTH0y_>{d=7&Yh2&veeo}MheqJd3<aI=efqYpjMZO zcLqnu#(HsC*Fl&$&wOG}Oejr~<mcYR2)7Wofu@*6_FDL;0l%?h%eJVe`FYQFI}*Je z&l{a}w{ao>`qW_*;l#dSV68NgnIZ~GnD^F0nju8Wu`96Au?JzQEb}uFcE%jG0U2e@ zxGCpjB0>GT;>?`6Js9Udw^v7D{Py!-a?PaE@W4fl87qk9;K%HCz81a~3+(=K%35#l z`v^2{(sJhZKDS8Z6<iqY@WZC>NI{3v!<Xr*(G{Yl#wyl&X%m2XMz>J#{f<{0oc>Ao zvGcKW4NBW56CrHzeS0!R4scn?3!A$)*?vew8Tzwdx*_J>#N0NS45aFV63@QO@XtVv z+pdO|Skuz&oD1zpw)X$cR@?X21j2ArI4%3GPcSK%T+{2n&mr}p^QJ2kU@89o9|#?H zfK#Khnul7nF9k0b&~gZ>9UPybnt960`mo~q!!F1!sP|Pkx*OUjK#@YmXZMzcBE75x zKV967Zt@_(5q-{`#dMotG7gmK5sVWUzs0CD{x;JP>fy!q#P;OUKThGV<NE3n_>rA^ zh<m8aps`d=Cps~RE-3N?U%>&STMHKshl|$-v@CikH9riaIL0vq&(9CaYirLA&MJ3| z15B?T3Q=kP2o(QVmMvNmSxP{L=4b9j`=5)yyt9z-`Nm_u8hEG!6WR>LKY#y!hoow9 zBBGZU+CRj6M$k_sZZU5$8Q6FMUS($*TX~u20hDB)LjQwLtpi~p=p!P1Z}`nQVdh`t zV;1l4w`)4N0s(ICbXhc|Y)h@(-gA_j=RtLf11BU$PiEMsBo>awaV7s8ve0A&R8VSv z$Td$t)XxvBYD~qtE&DOiAdkNGj#q%E@>xCW1HWs=;&$o(5yIFhW~RHNrTEQ?)f@S^ zPwlFHE}s_e`p!Y8RssI3M>JJ;0Q5Eg`oNQz{iaI|I^`7^A&i6{S|RHl3|+{g8U#!T zgAj`$<GHP}Zl1d0i?vX3VGNG@@vBZHpt)iRWt+-xRGz_CPe7ywf<yD`b*XyhKJ;Z5 zKk%QT9o7Af+DvKokCUX-b@e6mgnbDGFqQU6CBYDjR=!_VIq3u!%amAgPh)BEVc_h{ zweBqKVc=!RIg30Bdew;r98xNww12X>`_}rronjU{SyObORUPf%d1nVuUb%#lT+-en z#o()e@@PclC(W+{1?rv$&z;)=TShwMU#$7^+BH-?>yl(FH+sS$iv($bpL%Ek7yw82 zC>^Y$kXb^{z&K+O@qj6MqDt)nm{orW;Fo}DkiX1Zj90UshCDwJc`SnuWk0@LJr9`Y zWh*Aj_(PfBNfT+X@TJXN_DlDKD~ST{6Wtu6Wz)kzkC}hznxfarU@G4n>zzyzJ1Xrs zH`A~>Jbx`Z_W&I{AoG{TZwA=U^C@^N9{>yLW>S$JyiD`y%eFpwrjh>o{8d-aOS3r~ ze9%+9)1PU20X&6Zgy*j*EGjG}nRD=WEMJ@4KJal=m}K6ZZ6P7u4Ax+Mp^3@9)0Pdl zMvkNSWu`ZlZ}_n66E%gm{-XFKbm|FR4fgBG)2)_9>Qep~QUqGhxiZ|lT#oHedv6qp z>Rgd8xcoagqNeQ0latO;m{u`NZa7(50#W@c`%s|W{>>U}jp%BT(G4#jTWuNH=PGlw zhb2B3sIG{}fWqdMnXb4GZ7RPT>RVf-_|;ztX7RS4o+AcP?5mCU^^fzxrc{z6;q9L& z^+jryaB5Ag+xJI{QB5lwy2KUBhRrCCkJ;j112+H0F4EN&kt(|-?^gkDN|VY=9KcPp zE@eB9{OEn;9|(n*FV-u<)kMWo{YLJRNeonBl^tarWlknHW(aT*B2&!rHs*~OmI`rd zIc4kZ^1h2|W5(Uh>+4h_o*UPDm!k2ED7}!i^?U)l2{<)^y1lP9wHt)%sGT#}CrbwJ z0P(jVY|{q$=ItvZc_~_b`npqIb$igS$hXDLsJU!4*;W#^47ovP+I3L6?I8jB$HQS9 z&?wT^mNK71jpAAbQ7%V2tYGMGBh2Qfwa$F>_zsmD_dR$)RoIgCl20A#g9!(s$dxKQ zllYYQbacXAxBs^)4u9opMs3kXW)!8NND7m%$o|RTF7c#9iJ9HDBiU2adk1UnDcknR zTb30akamTJM`J-pf&Wgeae1pAiUN+ZUQO#p;(AaXiSYNVxc2T6?F6c&@3}BOD&Jpv z@H4I?UtjC5B)4%s&mW&%Z{cew9Gh{bne$m8hCV{LivhVSVcx6;+x4U?v+af{6}2e2 z!)PIOEf<PZ*WJz>^lH?4P!G<a$akYBqi`4ISnDnJGLN!Mb<v#19W*U6<$C8shY7^D zZ^)m)au1}Uj`c|Q_(Mi9cE6XtFQfJ;jRRc$+SGn&{F?k@PLgP%=Y4mTvEtz^9`4<7 za8pxka37rfi7`>0)7Elgz%po%J>C%Kn0J4^*cAS7=nCJv+C|Vc$Q>llRO9sXrJM0@ zEJc9A_c@$RH#-=8z~>Y`9*UnIjN)9{Oe1`qwtG`JmQ0C#_1}S6tcFLowuuY@*ySJe z&cPLn_164iGt#h7f3@jMVV|QqQSK&W+zk@+8awnPjEzEHXpvEnUGUI(H=z$ey6VyN z^tn*eF2j0>0_kyau)An@)Lw<^!c<~vOFwaT55H&q=KiC<Z{{Q(rHUiK`wuu%pE?ih z;PkD%8eKX@1uQ&PiRzm4OU<j#Ph2Pv!C4yIqUOPqzV7G3tovXC*xq^JxR1|aB%F-I zm8;3(dw;SQr`I0EbT?&iukMUt2}=1`f05J*m4E<T>eR>1$~L4gpGg7^E5mmpO;Tz~ z*Ghx#l#V?Xj=!G_=HSyz<|O7MrdV;!`zKTN>$B^ISJhnCCTbQ@HyTbT*y$A~)<lqQ zup8zlPSvTiTj}twfpnkCHR>}csKL-JkhtlE*}85|(i5=IJ`e3T*1V=W>y+}MR3sj} zcofnAjL|A7ATRF=d)m*}uG;><3leFO7c7`k7Q7pG9%=?+d#T1c4{ZTez4V_o0r<^J z=~=-*PcKlcvm(RNL4KlEOY!qvkai2AxVfmtUWBdQJ@zOw#GLTSRb<V&AdAajR6>qu zuSi>SiWw+wRhk+%rgO(UJ>x$_$l@@jE^%(U1p#0sXqf;4XZgb+T4D@CM#U+b5{YlN zAmg*|-Pf##8lMj*P7KikN-pYP2nFcqpPN2F;+E9x)bq1yAgSAx|JAtEgG#;ptSRkC zf5S&PK`TFA%trvXRrqsY6*I-x$JUCh_31Uiq-4h?`RUFvsjO6b`RP--ILS{Ah2%wv zTB_>Z+Z)gQs{*EXr^6sxOC?(ntWYu5T`!XtPM<MKSw|trkb4L9jeTS|kCubx`GHRu zkJgb^;9;grDl=XwjR%x=6tV(*D;D#q7CMylptD>)quEFFw(ChpDJ7e6D?xRLyC;?V zxv_N_=51F!BneZ9wW;|#`<9MmpW;Nvb3v*;<xC>hdZ-^r`SgZn`?=0BCh^m(@=Xb~ zAJl9V=7M@N3VAbap007K-+N391G(3>xVa&3eaLnj9442<#TbVlud3kvj#L5Grz3|c za3<f>J39y8UIHnl^j*%$!Xa!vi>ru5EHw^bV=*E%zy5N5&V$ocA6YXu->tT)CT?%C zkXI$Qh;l~T!S2}gD;YtAViv%U$;x>@PpZNlej<Lkh0lo^qU-_P#$uJ@%d#zzZB%DN zN1&NTgH<4dE;kSVvSSl$>T;-^1y$<zSF&HS$nLl>l)}V~e8tHV3R%Gk7Qpu6-W)Aw zt!+JA>F{Zl8~)4wlj@bYtiIe<fN+X$DPp!6aLhD2DQL)4uL?xWrIvZ^Y_E-W3x|)L z3yqWU1uS%%;W5o-ZVC;$jpa25?%=M>cuse!priJWjaxiQY)S!iP+86j^Oxo?rz#5# ziwv`HMYV2}xB3&Pjy=;(Dotvf>TiuR-6&?=w8a}A(H?MQvB{i(J<NBzUb6t0J~u1< zR{4gYlj`z;ANQJd7a@X4DU(fsv(q-6<vBSBdfGH6EXVuN&2}cIB&$#*ozKa?>(?#T zzGGSK=;dGTqDg&<EPpS)o5js&|EwW@mNbJ<wJpHSEP;+vQxXhl4mJmOGzRJ7R0N5V zQi43oeH5c_L8`|Ko2`qe;N$2jT(car986P!A_mn~fqQcYgWk9@mImlvOn{$eWnTqZ zFdr@$)$#BF*)6K#oqCYEr8^(c{$%qsu22*YXJ`~&%P`zVqM)nO?5t_?nI?AzhaeSJ ze#DBa4;0bve|gK><1N1)(}O8QNUW;Y<T^RkR^UaJ3O<4V+qw2d?IQAC^}jK}XnSWx zUe69R9BQ7aEHQ?<H+x^~Pol3<jrj_kyKN!|__tG8^Ws!_DdZ^nr}&32xZFx|4P_d= zO15!bRFc&6{he-lMf<Pj77V*xijpw)-@PY)?|ZvuIPQUVjP1YlIC7toVwYc3WCOJ^ zb+ed->c9*dYOouy9ZsvaekT&%svLL}tR~<a&>b)_saB_(-{j9aottNctFepKFKbx1 zSh&;<S|^Qsu2%$RJiT{?TlJPN{HN^2<g45wMrDv_#pON2`T6#aAdic{=J(wnS@E&) zv8YeSwQ@rg`W|ABzW4ngectAe9-C3Oc!~>&RlJRyYW!-BC)I14LGkd-2JmddY<6Pc zOY}EU{=(MF$xhROHrlBgb}FO1s-X0S)uqV*xquy&G1ClKP-s=NnG0bY0a?eV6ypxd z;kRZ)Wjf`$wMwJEQ!x+S8<XI}bMX~WJ=5w6Go&Sw$0az!l8ODOL%^HD&?c+=iI=M= zZZ2Ij7$*`Z5;R}j4!!DN^hm`${x?<a*}qQ4c+BTcwU&v@B>PDGkyuB+S(8?CRQ0pq z&E{r2KO+-MVhOlq?4ovWN5~i{Jrlb7ezn<u=hn{})!ZmDe{Q9obkC~XoD1tyj!g0P zp4wwAf*L_x{R}IwLfqmxRQH4m${vXC9IsY+FpM-KnH9t32A^!%c(r{*AB$OaxYnA* z7q``XhdmpPKdd@-;#Cr&i`QCscpZFAT<hdgs;ZT`UL;Q>8O%&BJ2BiFE&d8=DKtpZ zkZXtQgI-R7G33bzSB@0zTgldJSYN`erBm++2PwZ^c)xSnBJPPx!#AKTI@?HjT~S0> z?VwcW`66e%LpsEVFp*Lr##3NzEk`;$fe*X#*A0dAADqzFYK&hFB*<I1UVQV&g<bV5 z?Yz6ip}AWAt;d1!KuMQMsYEUmbbaL9)q?w{6fYz6jFKsLIc4DJ#mn}^-_9KG`Y)Mk z{8RL5IC5MIuqS2Pb@V=%85iJK&~hS9e}`#>ybYlJ?h_?{L$cmE#NO%5ORpydtPg$7 zG5ggBC&TY+Rm1zq)yUUYO281dEBrqdn%@IB4ko_<aJGp^i4E1Ou4Sb<^!0HzKWA4> zsDp9bx1`O;)O8y;Cv`=CK@Tx*-I*ppGWPXxXr7>$QhfZmAky-(wPnHAPGFwbB#j{z z4YV^t$uWoTy6QGUi`*H4mQrF$MROLt_7Tn7pbrgbu|l@jpE3yuja9z7a!E{7kiIM( zL|si+8TvAqlr7tUc+Bk7y6PyUMdb)0#gtw7VxBD)U#3U(m`lwx^cP4A@#CLGFpQC^ zS_(x`gWM9F_-Klo%hX@<Krlc)xuuW4`TRm%O&EeomxYj-2H8$o$yV<<XUNw_pU=Ps z<`)>?IQsHu_L*G0fb-kVNqfoO=vlPEKRrM8qV!40J29mNG)m8jsxe-zXW#KINW2mg z2YrH~324(UsVCYVG2sBe!Fc}Z20oMZ(6PEm+(HayW~s5<Qx_z?BynJlAZ>|mD_)VD z^q?-_e<aoF4fD`A!+@mMrJZjYdfo=%7k-fYo=x=Ph0^*fb_@(x2Cgr`pL&db;a$Cc zA*AK$M)d6U)WvLwA#KlC4HL(_=gUV$GtN{63rKyOy7q|w3w1T3q_qoR8N5-FN0`b= zTjA#fKL45#Ou#B28Rkz*1EEjII-q73Pig8rCVS)cj-^>X``^pKa|ikzbixmU$~@o7 z4Z^*G>7U^F)2no`k3^Hv^Yk|`dWJ`GiD>Q~e*d^SSnBI*D*8qxQU(*-*cF&kUd?$L zeM{2pz<qAI>=KD=KC(3?{aE_en>P|tX*XM58au_y(m}<%n@D<-E+_duU-Mu2bkWvC zv`Zly)U#!!zBL;6k?l}Zl7HH^Vsfd))Zn#SN<;7Ezs7|@o8heXl*To`G}A0&rI}T* z70=fQWy*SI|LL1mfavmmJGjk5|Cl64&<TmazVLt?!>LQwPWY}6tI;Xdet|BatnrRh zOm0F}W7hzhR<dw<JBL5pL=N+w%LC&}3%5<%HG>qbR@(>}QxYF24noim0G_vm39m&d z1e$c*w@l`h>!LL2SW>iGG<>AuD^x&kyA$U-F{&GfOtzz?9h)mtpQ8fFqhHS{Ek2v^ z*!T(~?aJF#?#%WUhG5F*dcXP8rtgj>{0PyN+qi9pYi70zuIw+;Nwhh@i+dXL?%Spu zly3f5(6|;CHl<4t&;8}*Zo=gi`{fYM%12tN;gPR><=kdAT@KgJKun9v#CqW3P_^NW zgUcN{PBEAB#mtZv$tXu75IKj7{(V<#_r7T<#Vf^YC(aS4bt_=_spPRpEqG`jJtfJp zs&TYs(t^0B+@$LE(4DNPf6T(qC^|}nH1k`s8zcO_Ye_icxX?H3k*!TBWDso|?VM$% ztQywWEsG$tYCz6!T;}%pxO52kHLqFF1}CwY0A+fU4Z?wG4KR3)k6M4HD4Neg@92Jw z<>0M1@&O_8O7=}e7>{yEa_fyE{7&4o{lR(%lxy63;=V;i{E&JYW!Fv^Bs8AVXus1} zK$#}W=hI3_Np;EF;s`upZq=%sZxL@p4V;Z;QoZsQxJh7-x6XI8)VK0S)Enoo5pFxA z`gqGARZRIg;ACy6f~1W3l8b)+{QkjXf&ktJ-f39*ip8joz4~I~^Aip}S+O7=alpgi zyRz)HVn_-0s$0F8m{>?3+1fG4IQJ_hR8Iv19~SoE#ld-G;~@rLJnL70?cfyED6tA( zzTSWl1OLvW#dtM3aZyY*_PG?1ax;*Nr$)F8yZh_rh_kZySFBEQ>+$JPN#E^`5CbGG zrs@7pr&T6{!lJ?p9TXlt4(afJtSVI6K3jL}f&=nMh`U$!Y=W?El%03}URl(J4+lJ^ z#i#Qqn9}X#InVrBrG{Avou-<28-Y<xm`sM@DB_k>wWZel--<l6L?X$8ufPMA>6zER zA$UyMM)uA;f2Y!;`rrq!L5ootGX>zjRiKk_Wq7>mb7CWJZ#$?rt~^}Z=;$q`f0wh_ zADdGUYvAj4I&4i<>QQn$UwH6$X}Y{nhAnyTT_ZS1E2BKegIEl7f4WsvA~%%y!IZYE zr&#tdNDQ0-cC}&C_w<QGrt*Kj?NBf)BdDk~wFww_jB(jq?`*X=mZjvib(EN&$?UZ^ z24_VgEdWyvvOgS-ehfdNp#Eu8x(36O-*pb>DO7~U_S~EYw)IVug6xy4TSM<~qDg<k z^KPXDixR~PP`5swDO`Ppf`#+@_P`Zyt>gBE)<y2gGUbWP<Xg_N>7xuW&)dTdu4pFM z=&cuLZobKJjV?R-C0r~Q>etma#k%8A0%P!lT}ed8yr?eVjuLmGA*WQ`go>KMaDU$} z;oGxH*lKmA6k&{AGX9$nrZ(m1vS$STIacrTlnSZDVXEVkk>cUKFUMJ{vm=e@r^4rZ zo-+q`pqT*G7bVv%heIOWn6#}cUZmuvq3Hn^7HD5uG`#Lc!zXj0HAnCIwh<cEj9<*E z`rUyTe@Ku8J5Av~BR@U$sDJWX<i@>y1y}rV_TiLotIx3d_wp5?F{peBYW=&13-bpB zQ;%Cr$oxl1ka38>3T-x#sxK0^y3YUg`z-u^QiTJSP<7q6G~MLSA%q%R;Sb%)N}sf% zMJpKe^v!9#JLRforI7p)9eO27gS}l6o7Iaxl{5VAKQ8mdW9#v<zvsR~^XNseG_%Wq zJofnclWDyB^&j^}FXink)jT;=^DM)SG@*vEu8362Z9Y<mqS$y=yH6Ribq%z=Ey5); z2zialf){S2R!fQWK(fd%wxc-DWv#rA;edQXex^meJ)z8s$spd3N<MMLJ28~Ye|Y}k z(qlsDCA?`BV6PM~S7bFW+~fQ&<^3sToS|6Etz+~eNpvY*XbOAb^6NO%8qGp>ElTq1 z2<f3yp()oqg^ozt(I%R`o>qlU6^2Rv$U1m@K4BxB+gxyu0msxpbgZmT!t15H{P0z3 zg=@yWPCA{z`;UWl;|fHXvMlxln18k8FZ|@fjz!`uR^y0UgIrC~Bj?IAESqJK32!c~ z6iF2f^O{L*UjrhCTBY)86}{+Nb!pA&%{xc^>G2{XSla2q^<sAI4)oc&(-;fRN^d{Z zPwW<wI-$NW7b*g3KPwc8@|;z?S2C~@j8jFo(>7!dq@OCyPhN^s7EYd7OeIZdp(dC~ zubaZ850B!QDB>NmwTYyzz?W`~69dYz9MEc-ki=munT{@B%-T+oQn<b<$wczT6)}?3 zC()1lk<#eiDo<^H&=kUpdt`~v6%2i?${@;}P-nw{)Jomdk@?5NWX%2h{itUgz(S$R zNXomE&Tddxf!~dZW;%g>lTDMSR)Kqr#%m$#V)#FonL?cTRwfK87o-X~VFoEmzfS20 z*r?(q)0KbizMqoFDg$oW6ELpEvv|ekPbAQrWzG+@8!VAp0SNyzD+zwsD*V*Qn_4Mr z^r=LHc=HvhghZZ`Kh4kSq>ClGd|O3QQOP`sUC?{<$hSTX-~1!K9Y@QNR=?eH_!wQf z+Ujo)a#gAUihY~@RHmVeJ5BE3<#^RWiDLI(IsJD&J;o$b8^X2yd5c?xZG?o^ens@# z!~iGb^f~d7-nFwz(IL!z<h$6Ra6dnLxp&vYL3a47qnaIsEE^dzCAa)~G=A2(;^ypA zM))K*-k5Kz=f!$NhK<Lpi}A+lT!5PNasI^S7*n5VrL)(@0|5uD2Qr;%tyex(zjT=@ z0$Qq_FE%-q!tT$?Quj&>zdIUWWmaXzQ#)!d4RHG#n2)Xi1$2yw=_(d=*nQ2=$l$x$ z<13%8aw6Q=88KP;7JZiq&*YP^`eh&o^MR0nihXK<&{ARKBQSPGvrH-Cp>LGw3M?kT zeQhXzXF>CE%tm;n{ANY0l81$O_|sM1vScmsWk=oHbnnTZ!q|(XPJbW&Vjh#`pf*Gt zkYdJ<PEKt(kF7`TXrU7Aa{a2NJP4PZt^GD$ipEv}AEPE;rt2}(j)fTDK}0YozsaTw zPF*jVl)7|CtUurACFnjpR<RZxf1p<0y5oGjGQS>bwUw_q%*tDNS<_u;k`UyYHS3oM zzqKGs-f;E6@@V}r{equ1gU&SnLeS20Yd4TrA*c|G&4CAwC^2Q~7d!i6H}<Q0Cy!!U zC_PctqmB67b}f%iobtXr(Y_dI&NE^gJ6YS(oY-qnzCYD5+_Wagq^9R&b>16@;AR_d z8zH+~q3(Sr8qWT?v0x=y7tuPpA7HilGZs_JXPko*hAM?r?5(h`-#Z?9F7el6E6rt@ z`kP#m;heR2B(J!4HqO$(ZG-@)&4(awS8!MM>wbF#*7%X~(=zvH@h^qQ_{au+Mf>>~ zgPMk#P)ah<=^33>oz-K@>(cxv1(36esgU>H=&*w6=YphI4(+MRnO0rxcp?hYD_>sE zQO)klcyfwmF?4Bk5#^E$pN%kNU?vo&qrmEe9du5W18H>AZs&ppvyS&RrEKvsM};D6 z0*r|pm%nY4i(aCzFPpp;kW1}UD=9>-MSGNdrFvV6vqNsEhTTPTHE~X_)8#wXHh>7+ zz81RNfp4<dNfxL^0m^#h&D%)%M>g&7yQB58WA1dSH@$WHGC;T<UV2agMg`zye6%68 z!MBO^dhk4SIcmH`EZu1%yHBGTYKQh4XH3oR%e}u|df>?Newgh8x@Nt>FC!5Uy>t>5 zqRmmB+rt7Kxwh19FYc&mWUW}Gh1j9-;<ThKmsCUhnq@`dM8mKalzgK?=Ax~}UxVn3 z0;928F!piWwII`3=1qGFN2TxL)0VF4pk_loS6bcfg!A`Zw!BMSq=!Hk`{%#UDH1nM zmGfnEtEyR_EUv3viNZr~0P?kB8DVav0<N<Y6h1>fMwd-ao}RA9Jn4!pb4MECRA$Wu zZle*U070!SWyB$So$%9vkLz`Lvl@TnqL1@xM4)C1z@)%~66XFO<TsU_tRu+$R8!iJ zv(lyO)+&Y+x7rM;05wtyUWmC~vv+F=^{%>caC;wi#la7Kj~MF)mz+}<Bj&gnaa}S# z3@Z&Gc5P=wRdm%zCJOcNT9BEzj;^;R1>A>OS=GZr8{GQmFvsC>17(3{N|IV(pXVbK z9Au@?Sgssaz#N*Wqd=hD#m6p>XRo_U$pW4Yl8}ifSFYLou6Y$i+!8$GsY#k3Tr$EW z=p?x378cW_F-w3d;a6XjV#(E<EwT+l*BMoBPEm|w!DB4;P#dH%`vRyK*E-5S`@!?I zfLaY7^=VsUBA}mn;55OtjUYdQs3=DE4R5lUB5BeahR>z(dh;<5p)G3`V}<#B<$ZDm zFli_7KcV*B3T9*qLJ7_&$SS{<zN%0HZ3#QQ0{E4Jj^T_XzntdCRaw}ggyu+_0<o4u z9)Y67FX_16_iqmBN`Gv<e-4}1`5vZj{0MW*I}4|$lVwRHF3}U(M`%HWOFqO&>J)s< zXR(zB>JG5OCEI^0%4y~bm9fkDDS$K`vbo}Z7w+Y+jnG@!{q%m7;8j{)mkKGUr>7E( zo7LVUJfkfbP+-T=gyhQWFu!Fg*!6f7QzMq4b)4^<VV}uAxO5}m{&VORfiEN|vyuL+ zjmd}6mXlS%Fp@@}<8sCzBdpF_2hhmzJY<-#vq1^J)?V()*8)N>8n7MBN9opS+e<VS zy4eIfp$cVgI~u3#0uTe3P7yU?Z4gF2+ivTT<5S#3((*IRob28YFG0X<aIgSpC-*tf zbIS`YQX`1UcBR4eSy+URqph9U{;0O%M3ZTpdz>QAIv^V-9}P@hZ`<Vf6)s~zx}H|b zudd-xI2BJEx>6@|p#vh6o%|stQ6Z=99>iS7&6e%ti+P9%n$hW$sNhoP`%M8f{fWo^ z$^pnMArSc(JiGmq-he<gW|S@s?O}Lxt4aP5r?=rWM45C5ti2LLDAgVuX8l)((K#i^ z`A`z2&RlWJ0Gwu1I``;2LBwo3GPtfLFdj7Un4yY()<a3NsH6zb-;pL2P0^Ps4-SoL z`>#q_H4D9S)I~S9Newj~{Bm-~$705FCmV}SEt%m!XxGwyeW%L8Gq6H$8ITr*^Ji>F zt;})uL$v?Q1`MiI0j&=97iSS9nQrDjxTk+==1Ysay7j6*1roY^@>~9>L~@A#`8>6} zt$|_p0F@S;72!JDU9s*H(K?3*YVR7FDak<vUYF=IAi`2+xC3UsTSSKmx7<|XfKpCw za}kK`agLUx7$FE7fTp<Gt5tX|s<pI9_7<f!Bvid$gBZSso{PHHv+-Xz-M_ab(cxk^ z0?wm1ngn|TLE;C~PV3E~JKO1|V%BOA0H@mRM6iL#F~95YHH_{U*?tFWPlRWZ$L2#% zpwMmkGHLBt1#OGU$8TbPefP(tZrgr8YMh7R)WhlBvv_PTb`7WbD?8dn7rYK9MI1Bg z=Z)y@>$^8pSDT#oR-!ogeX%#IG`T^>;Pttlitdrly^W;t{hAfH)6Z53OW&c;cn06_ zlvIP)hOa$<Gk5C~(=Ohh`}<}o@%%;3rl*Z<XWEDE20ac89UH{sGv*Hv?WQ!3OIyIC zGUG#|_6UdV2XXNV3hL@F4=T55Lu9WL-<|jR#>?@>k>MPkF82A@KggUaY$wej;8#=s zl=jUAtHTUs{~m4PN%Yq9>$uk?&yC2tT&^_UZLP&lx@mHlAW6yrvlTMUWBPvcstp-r z4d(kRsN-~hoVUy-Y%K;~+Y{MWQCUJY>kv?xxBX3vIA7gb@O+L?ulNT!Wh}ifE^ZV> z)LC9x<k67#yf{PiA@<iz;2M=c&S)EQ6>NFzffNY0pv@Tq#K9L(Eyl8i+mh=dercHZ zMYIAC<WDTC;v(#@&^~VQ&n(=Q+0DxHlxx0hq+GbI)@RkbyJO6_DR(U8?feF%-2FYi zhB8On0nad!ovuX{4l{oWle#ny<m%5LjO{H=s?2iWwaXqWwx_xoNbqbuCvmtFHzd^g zWs|UAJym1&4PGs(+-ILMX}yNxjS`k^h6I>B-bmJEZt7_?T5E3T&#BoXXszkfOia9C z9uW?~YVBjnyL@Tm+e~<-#y7W1sBDWCp?H;U<blJA`}E&-SqXIWr9zVM*=eNNMd^NZ zVq|N&aWi-|BXErd_haKmU3eqsd6{@2FU<ISZzuZWsW(HZ%DBmHops*1$||!NMXl85 zu{KZ&^|(l5<?z^XrG_a5L3on4@nGv!Q=ye`&&3i~{!V$|Pd*J<CVmremZiFlQU?2| zlDiOR`C(7AizNT!g3F+bVFbi|_aax$%W<9w=^DDr?<dWEr&DGz9@SwN=kZyF#4YUM z!;K5@_8!MjoFc?G^~%Y=l+v;Isk{w(vm0d9;&@K+t}s5vc~V5BsL)LX*{9hmjr{ZI z7oV=WP(U{0Ftw=<)sTwlH`QD6dPN@nW-in>X5G8KC-7h%7YeZ1wS%!7Itmpm)^9~# zm7~ZB^6%XD$5~RAT1d*SYG)i`7oevn-0}S6942fP%bK-)6@2bwynny%_uXVreE(MI zF**U)zdiWlU*)xh#tgo~nIg^L@jKlIz#r1VQJJa>$rV~=b}E7H7Ug7%ZRvvMPJ8u5 zF0M-KrI!tZYq*5V?6gTTpOy5zYKAc>reC;W3xRj1`HDT&Pj@e-Rl+`k`euJcVTO8& z#(IxBmzN#%zd4p;TBvU`Y9DmC3gjy~HuR}l?exF#S)ZxZIZtGmU&;vn<=Dx6Xnjxh zzi2G~^*Xk$%Be&>(^!!Ie>9f=dL9425t?iNCz9xY8JhnGwyb<aCuMQ?;voFZz^0|8 z{kOGmcK-?ImY1@vMAz~vJPVQR`4Ev^$NA1B4`lTM^u}B^hB)LDn*cAzK;%a<dKx$) zfsz}cLw!;05TnZ(f@|efJcmKO-3y&H+!=I<(Pa+7?RF@h6QL&VD{wnB|Khh@z#?D9 zBOSa-Up$9PP24*%ggwVKJWgN@B9S9O=kavD%P}B%RV@&t%NSAt&y=$F)0iHe8tp=# zoP3Wt+p;14?(5<_wKnwNzp$!obL=Aaj{X<_n_>2UajljeX*nFvkkTCF|Bs>cGp^Oz z()EAxJO3}Z*3Ac-AMbUp#Bt{<N{{w^OTE3%uxCYo(u^tt_P<!ZmUtbMU7T<BL*mQd zFRy56U$S6?VZP@?lK$11k1)ptb)`EIO;@&9%K(gfF9XIZj#6HDz+gKM-B>N9g)J?m zN9|0$V>{{G7ZrqItbOch@P=ac_{<ttCpmbV6iGwI7wGxK+*kpfVN%1}U(~Y+nRlTF zclp~9qNw{szlvLD3BA0q0QV;f)XtOm!!tH?BL!qCbooGG`T&}(%Zk#k|F)#hZ`Anj z!RE0L{0P6o8c%U^+uvyKoXd?yjXuAAOWq&vS@|TX!8R9%Roh+fYLhY+yF3~rm)sb| z-7lwC4~_jtR4!Mu1pVOfd$PNvabM74$EXkLUd3=G4)*uHY#QC<-xS*6a#_~L`fw^k z<D0pfW0FyJL)6uFV#np`ILy7V8nq0%q4+mw<Nk0B%y8d9+?nsslp#-YlN?1=4I!}U z2Uj8yFT=-N*R$t@!EBgG!+mytYBQ4u7pzQ%8zth#el#Y2P%fsH1%dfIO8YGDxIwv| zmI9$?R~@5{jsd5CeFRTlI<mu8{Xo}L9rY=WlgD$Dcksu9N|pYEh$XkFHn6CP0xEvv z&5BVI>Mxe-s?K=Qbh{GC-<^m2esGhA+X<HNKe94Hbl+}@;l@T-3|TZN9F{jf^U&%_ z=9uAnox)zCrg@Esej1(^+vCLJgFTNHxeRI@AIAGz;+tr6Gk4VORGJRiZ}E-h96Ii3 zhwb=uo(fz}QRH0@9CWSjwtS7|zcCG3|AA%i4?}ewkGDII2l%0m98i{{cq?KS{Ub^~ z0HY#Q#c^i&>XVrR`Mosys`^nIC1EY{p*_o>sd1-u|8_9*_$I$w?V)Nnex{RuY~Bhq z+4ba}aKs#Qcj|?T?Ar1;=s0TK_doRAH*QFW4zt>+ppwM`(x2bJSPN&TUCfTfJypky z7qT;M#~K<@&z^5J;<#r4e)oaFPRCS$nWqmAnd5he6*mU{d%3pWyQC#YU}ouK#s1WO ze<@XEd+qk)K6+_Kg$m@cqptq^y3h$6E`(J3`(%*VkTKzI4xfr5>RT;H&|&&4(vau2 z*VP+d*x=^6E~hg+#3I#HR$9V>hylv$R*+`DH4pthgwMJJKl!I;rZ@YeG-|M`F?LPK zX;nE@)^DmrtuXpayh_xfr5=u5ce*Ys&u2qz_9|Z4_%$9q=2nC2Ie2qjy@efI<aRyR ziYfg|_FFu*!*?B*73mthHg8y(8$Mp2m!XXm?;E)vRD(0{Fdl^DAaCgm)qrX9hS$1# zdJV;d<MNeVhPIA}wxZR9$KR}^7m|$Hd^HUF&Cb80uK&0gkks=Dx{P>%Wmyaz3%OO> z!DKG`hHx$yWTbNG?0`XupsY8gNrB7JuLiGS)g}`RKlbZP!Xta*mb$~9s{&8N=Jc<Y z18uX>WkLgz%%<;?)%{hguPDIhaG@pQQE)d*ElV&PsDCHYw&TTKVUheVjd3JB+`#Al z^Hou)vJ`<S;zw!0Jogn3H-N#FkuhleaJ+Qi&`(k$oOWOMef4J%lXqg)-L`C$Ryl9c zUQ~ZC1~0te{3J5+&&xgEwekm5cfQ?)hVI;nh>z<LCb%LzvA%J{(b!Yc!1B0iF0mmV zzWw<wjF<GuJ6LDnIP4d|-)k+m08GJDpZNpYBY4V@`$YrdpY-j|J2aWP3kWS5$Xfd_ z;d4(?yX)!H9HBu2Cj0fL;iZ5WYexGGj+Ynsa#jEBFJ_m{K`^Jng1IC3R##l?Z*-i$ zR<mBteXtB8#tD1v#YH0<hPcA?$CXp1h=6kj-NN~{9+6cxTac*P-Y;U`d6#H@ci0fi zKUM|G7)5_}uMVq@-j}}Pq`@|%Q;Y8csouZwh(1eKk_+}MoRrgdLZH}|Zi?#)YpvF3 zeT)C_cE}kRz)2d&R~vGtJx}GV|2!R;J(*81hn!&D`T5oza~v4f6PhaZcNMUvK3@fp zX@q0G|4P@K1qu6+QOkD+oA}c|0mV+0_j+HrVhg<zir-dc5p|bHe!V6OT-ARHT}0!K zXEz%hYYq?i9{@Q(#=jA2rdKTyj46vx8173{%{-k!g(!Rftq3Kex3_4{s5(hzlW=y< zsH$dh{7-;^;waCv^uZrvpjZ|y!9%U>C)QuCsP(_$c<t#e<8m=8z2OrDNQg#1+ewH+ z@r)SGfKQn>APNxy{>4U1SJDTc2mfMa(ZYY>J+*cIE{RgGd0D&h&OT-xVWpDE&XKZI z?hPJKW74qLG#eZ{qsbzEX=$PPC;IYWuX_!6Q}fkaC^4_-6Qp}s_)bmu$SW-O!ZF&A zKsD3no~8snudCspFV@lK70Y}u!Ke5R5wxXuE5jGgJE84vQ8`A5Jgh*IqQS*11k4wb zE)(EB(Dm#7$|UxF1eQZkd6VfKy`WO==NAs~h06o*CaaKkM)0Gr_YeU;Rx$k6e27-P zC9ac%DNNX?NaspyW>A<M_H0*#n*y*upuj5Di!Be}M}HZ=wu-H8OiznJk^b`<77D%^ z@eGlK;l4n#4=N>DY5=&Fm3c}+_)&*<jUOxN<{pof==-l{K3E&^z)egSKa9W*_B)I9 z9TtH02<Q)7;+5ow!*Fv%6yBEM({M=K2k>UN7i^Yf_>9Fpi^6cB#IJdwMAvLwmFOFi z^^I>ZkAGqao@PwAG8nA&_@3~>HB9zQ4#6g=)LR#X>sW6;e(gGTip;<E7%2Ms8<`aO z0(>_yDFtvn)8&5xo>6KU*@j0V2Yv<RNdHF9_g)k_xaJovXhlghucfoCwPWsrmQr}6 zv*pCaix#5mU_8GLEZsN*1XzL#;v5K>$%gd!G8iBBwwfr8)5&uHE-zf{Jy!^95OJ%K zX2pl$P~h@HX+JAy+g$j)uW4ClTSq-g?1l4N=Ps>pZ=HL5>#=PeR~G8)uPn4GQ~MdL z7D6D47JIxHt|_bu3=YE9!kO${#vTzM<%*A#m;h5Q&_6Wglh>r0Y@@--Iw0e*@<_PU zJ63=Pf<Cyba3qV0><!r)6*Z%^M4absMrpt3qtdDt{EBT~rRy+SF4Hd`EuZdvi9x9t zWDOD?D#Txi!%TSz94@xQ4E&{E7J>v1`DEd+fbXSX@X&y?r%-r1stkxpfA)D7NW$Tj zQhx!~R?6P1B*+Bl4U4Z!AQdgem+Z*|;2|X>4f5%Ce;t%yun-dNWN<u0;aVjIkA-Dv zvk(5kdWj)9bW{L7EiPnZ8BNK5u+^%0QB0ZxXLhu;FYZ{{+2jrB-<>Q;!8(EDdArn0 zv#uzIb6DwYJKc~?XJ1obu|&VGFYPE@fxiwv_EYsYFJ_YXT%W+J{oqcY4^CmF?6+Fo zK85w8xo`@f3-Fm-p+E6Wz>>De%A8W@?*UjL7pSHjG#tmcm%&U=2yUyAVUZ{1`7I!R zTOqIVKuYm5@C42f<qD7m1@5XTpN;P~m9)MT;G@uJp*;pGD>dN-Cd~55eufVpInF2a z7NjG~;TfL-U$6qlXmY*@g)2ND%Rbn};=yx6LaiUS=D;0Z8MaEcc%@hQ6N~KgdM;z- zRYU8V(JsjTB^r^x@v!H^aGDeqHc6h_864JUAkINtTM};8(Ing|9SU#7%Hale#hP@J zk!r}=*?VNz6p@$UMeK%bYMG?GEkUO!cyRK3BWW;H9LPQhu<HcxP!Xm@l5}FaA(?#C z3q!<1b>nr<`i$9RzRsXV*5O>GIQSrg*FE)Y7fTvOW{-%sUWNx`5c}Eq*;ln+_aw5Z zoj$l(QiR(XJA<}@)!7F8#haxT?*$(G7^IqS)U&D(>|=($W=7D$jZzUO<-5#VXPWmg zT=yg4N=BcJlW+wZ)-Dk)V+QVbOiJPeuuHsfJM-2g?P&@g4A5%WB;6;xA!ykRGF=yU zSJxQH-<k3*6Cah}DW*yN1bC+~h<`bxC7Ee3k|oN6!!5kni6S1O3ySbWfWI6(8#f2S zH+T<E1gvH}E4!dvhkzensI&%t@G)tQ1O-Kk=a~pycazjQ3E#0{jPgQnPnjfE!o6h$ zFsgcGi=9HdZc!vI-M~<>t8lS25RQ&8pX!H8)Y{c%Q_{f)+|P6zK^c}tJ0@9aRBg|O zVS~pDF~10VSsQeC7=GH#W`kkwWe>F2r2g8JI39cyM);fHeyL-&oyCLcdJT8HtWS)g z2-_E^f=fID@yKY{qD+Es3pT(Ph4`RSG2Qn#e-MsP!mz450TY$MFi&k)o$!c6)_x^Q z_Y=38_JlNNm!xc!LVH5R7QUQ4p`GFzg4og*h6Ky-w`DxCDr#L;%J|!+7vm4A?pq1M zVV*F4CREEPOBlugZ+;v{B#nmbGjZIc`RQaDvYCJRmD^bahr%7rNl6pu;uiz*!ztVs z61#q3lXQ-nJSPOF7VnBXO*4zce|hOrjaCy4<0eTkahmY!>@v})961)Zp1^UVziny8 z(Kma0bbK3SFso{Xmf0Zbsc#GXL#?LdTWC(+ED6H8D&|gFxD&0b%Zrn$<%va;P>9FM zKoiS=6|GoeHCc8;+QMb{phv-@3_g&G;W%|5{EBm@CT6ub7XH}A@)V4Ywy(z1jfS+% zih@uZbVv3-p)kBxTsO%{H5m3bfVc7LS43p|Tc@7hi{`;ee%g76-RW&K%qhVX?sN$6 z6>Iiu0uHSgmiq_fhIkYXS3CjN`^V$Gt!EEt(d-?5_$)G-#<*bN+6i!)QOd^oqeep^ zbb88g_{(5saHVQ4iL!zq+#`8~NBe8(4PNCX7MU5OftVS*Z-kj`NS^1zryC8sr45Bv zFH!lGkvyP59*WPh8<!NGWH@C(9d~vJGb_dI5^j0fW##NEi7vOBkLzw+rRxmnACB`^ zh?j#WJ)(4t1gnZ1y3PocK*kkE!x?ycN>~PeSw}N!-fX{MNVus{{E>!)uXh@mVL=A3 zMonDz@bCJk@#*{d-6?{jJcuNSZ)p_b!RkpSzT9LmfQNUEKm#GWP=d6g2$cguqjcQj ziyo)SaP&TsZvf7?GCYcNqiChjGC;HbA>!RCzA+_msH4NvIJzg{qFEcOg$PVR+jr#% zoWSYkak%M)!*D$Ivx{-u2EsM5&Y`#{|851Kv9<w6ZXi5?-+WuDW7qbB8MS;cn;oYi zea5f=PTnavDVF<-@#w`u-+`LZs}k<S`$*!87+t#>ZKMIxcML9y24STX#`RY-6s6;3 zEG~`n!^Fcv(tQ))*2!z<*i9&Pvf1TuwBns)+YQO|9R>J@+G6Wi0ZtFfxPA9xs|j^! z@^EoH?D5!8Hg2?LD@;pY(gcoJNIuW^Q3-Srq@e-~k%Me=klA7HRU_b3Xq<#!HB3}} zdr;U7LHjOS09TZ)oaC6Oop*a7C3{<(WJA`u9DoL^R7UkSb_|P%?3F5SM1;Bma}utM zr1@eopI5IIt=H@y>cn0m99l3M9>m47TWS<`)`}ZLsAUr1^A*7US!-4Md=qXAhH+n) zF7m)@o?6%w9LP)&_IrGAPq=om*@RDQd?Us24>I^lJ0{`#&88prz=s}1c(yP5SXMrf z%Byak*xPEtd;8GS0`<7WKlE5QO_GxbLLa#dr+^H*!>fg7`sQZTi&DV9UEyL4g(hjI z$301!SN9*5muaf~(s;Izgp*fzDy(I8`+5qrT{u?B^M<Fn23g?YVr-g1XP+dLPJoi| zIJmK7g=#+=OQfB7q&U5JP(-CsjA~#Q%gA0a>^swgJGH7+HUmF1@SSSIZIenvLp-W| z?Ucr}^RGw{6^AQYT5+oFWqov8FdoD?fy*d8fHZ{y8$JE;b0Ge8wC?QmRKvRgnN)~y zzb!gz@vsuhd>2wi`0?N)?0%a)H4OCN-N{swQ+hOR`NfY*q^aw?bB~RD=%L5cgF7`F zo%M4IXz@r_7Qt)L0(hrvt>*k9h^q&}kCLq0H<rY?)%jovK)H7yd=_Q!qnbnuv^SJ_ z&(fUN{d)S2pdSX~d@1ujq}fl#M0per$Y}VrXf2w|1w(PpzF090qH;4j88-Y{@oqBP zWbdh9c(YTzUf~Ky%T5JlTp*J5(w!~#wXhm589Dz3sPUSOwy||UGk$LadrxDoD698! zQI;(Z(#-R{DCrAZ2gWt~4ixCCK=78qUPZ<~x6es6S*T881~+h$4QxsS4e`xVULt)C zq&-L?iABIQSGIT+dsURWG*`BGqiXLG6Go<^u1guBI?tW~G;!EKQe=>~Xl5id>q#}I z0@uV+zmsUYQrMfosZj@e>k8n>vK6Xx($R@@>dYjcGam&+nC>Zt_d>&h&j-lP_-9FN z!fv{G7;5ws1dH3*tSNZ<bT5rF&LZaOAs>BOjh1=u30baVW?v=#X#;L~p-rI)^=M<J zVFb>(iOOnW&H(Y<BHX%CXsHnW0r=ck1{ai+!MTzRabq;QvLs<x8$7uE0?U->#`i1^ z)77&Q>8A6R>ZvJhKGm6AUzN>%#9QtaU4zU0~!^L_BK<gUNfo>g<4CKJU(eF5%V z&Msq7<L_tkw>DjE*V4u;J$p-oUvqAnCf;`_jzs9w0#+G}x|;vK5oqQmn}&B85ceP9 zLF4lKLv(3>06KB7*Q4(3EKX?7xkrdgdv`5k<GiH|?TOPvGHX%2ZIXO|S%P+6(wVO1 z$D|?E@Pm&AwzGJn=De{$OYQBCS1OY(3BjiY1@PB_Cyg+glF9w2v&F?UZO~xI{uD>M z(l0zVNnB9Q=S{ehL9g<p=I9KzA2A+&E=0|9xcD_g=~&Kfik}O&sLrmrx}gk;!y_RX z&cmhuP_i$YKMyY#t4Nc0g{cd}wL#Zl^oQY%;#$?YY6z@3I)TSF3LmtHS1jTK+B-NP zxBkZrMPq16FwIy0!^^dd9pKYqxxYWxLY3pWJu##A`Xmm;t(({#eg!AwH6FfVK0|5K z>}S5k<+xcb+%-{rLPV1x0cR$+$5Tx^O5x~L0SJ^NBK6?S>7Fx_cWcfhCSEoS*L?zZ zgs=6YcolHzp43k~e}qydLvJze&klhi6cNYB3{Noyo!&$p`KfSUa;=s+afp^tz39&R zVSdGQR9VB=RhIY02H$yJ@Puk%OGR(^Mk|B&U<EXYg_YUS@<fiEvKIwmuD}jsa1@(7 z+jZ)H6L4qX8i%~>WY(HSyJgY-N3n1H{}nUnZ0j7zdcX!B9w}K#BiXr{3Fk9ussu{} zSwM$oiX>i3W8Y+>E;J7l@qmoKf+8fF%@i_aiWJ%+(&QID5FsiqE;bfQ+<jjl#c?fY z>HPv}M}4CvE)dH+Xj6I%9WJs&TY!(bPovMR^#o8mg@+Ni^tlKLPbuoo-qFI{QkOq{ zx1{g6j#(AfT~crXNh<Gc$tEY=<dDJhAFsa|A3b%m6!qqupO`W*=V?!ny$^YEB29C4 z%iQ|K#i_5^$6Cl~+axJ5i;Jbv+~T^!hnv-t@XAKI+ik0{EmVx?vkBvT;;jK(s@-PS zecVKG{^ZXuRMd`Q52vj}ah*0&>#2_d<MihTc`Oujjkn`7q?(LmLpozG@#cjeIa*F+ z7O1!aoJj3zoVIA1roJoCp-PeUCq7{o3cbEsDynLk2|m6a@*49Ei8N;22pl2fQxR=s zgY57YG~u$w{Zat+<^Xsn(Ci!Hr_*4kr+-1)C))pne7@7*duCUrwyA{p`2H0VFOlFm z^mtH@qFZ1;CKE!sCt5ST>bWQ(q<UGRYUWP>zZ66X7~K<{&4E$lr)b|9RS**|5a5%7 z5WB;}-Vb<R4f%e;M-A4Xgfvdl;AI?{bE0K%in<<uAW7EM4xch4D4oyH_fz>?IYpf< z+(3SN94;;{($`&D7!%53!X1V3!=exp@Zg}~IAe{as%BQ>QbS9oAskOT&w7*>SST1S zPK^~jqk^6dm4(KJN^hz}*qBh0w@YwR(PVFDvG-F6cBx76Cqc`6A;RZ)N6#0R=-*r7 zNJ3G@l!(4P9{-n&TLE8tV*X<V_FGVh`@}0nWr{fWgx1cbqfVX}UvtF56WcnMwx0N= zUNK|15I34mQPw0g(`Hl+m{FAxhL2p>dTh3Q;vtKdEm|6gd;K+K#wHP3ya20x1IfZS zLqWJ!?1We4BK_8}Aq$SJs1f^n;X#=NZxWRUWn4h`gVBzLD&4$MMgtmGg*OPRP~6P( z)#Ljk<2XAc45!GW^vh3?PZVb{cn_DxJUJ##5^xC$MKVl~3&bU?(Kc~I$Nwq`D?LmM zL9I-m^I@7Q!$*bfb23e2gf@9$u*ld<FE^A^{|+kUa_A5*f2k=k@D3x?`t<lnXjd8B z<0Gl3XFe*_rK>|w5D7_}BWM}fusPB%gjQji!+8qqi1Z2_OMsyYExwuXX@sF*-3oiv z^OoQWN0Zk6I*NNQXsIs+E!*UQ6{xI}UK!$Lt488X%nbG_WnSqT1s+x%c*ldLx6&xA zr?nf0FM~z;w_gU23mxlmVWmtmeYpxRqT~6nDh6Lb>8x(@m58vus1}{oM$_6U>2Q-; zqQBP|IuR0LJ&X!9v$L3PY*BZ>Ch<5Jfj_PLY<Rw+FWw+Z;Ed6`5YCak&=C@Y=g7i@ z5NL&yVXZd|3*}lh^?7eJCZ-hOm(X1emFeq`mo3~Fg!Z6@pS|!`0x&wX1PWwBb9z<4 ziqg2065*lxt8wOltXWnFOj!{g@6QgGl(Pe&Pxw2B>(v%^OoSb-!hJ=9_{+ZCr*p^j zkjnLQ(oIPmCD%d>$pK-Y*RwH70;xHcw-aH1uLS$24%><n+(c}Sp`^<Wh><K}x0JEl z!~@O4?-d4e)Dk*vkSld=<Y?*|=wHN5LrvY(m~7bO?*mhn0x<fmpx0yK>$!jnH&$YW zrYhVY__=Z*oaqU}hG1PY>MWybNSwn*ZQ+haBij~^bV;-h5A(Gu<OU2!A)EOniszJ( zHPC1odszf7E6iI0qv7eo8u&F(2G2IF(9G3My7g(JUrRsRq}kuZq1EpzPUB;=`di?6 zoFlFNB&n#(%qV=F14KgM4Z<CY=)SSnT?-);Zc)=)h9nI0JRgS(w|itf*sf;ZFNh{z zqwC39I@nM8yx#lt@K7i$77P?~Z|fnCYfL}eq^CpSr_}V00;z|lN&8`&nqZ4XeB@2i z1B9DpQ(kiNz0G7~r4==AvystmUZlZkDA2d5tHffTn6sq6O^H=5C{?0#2n*xlYXbM* zZW|TGkt<QUp+)%1fOsAOM87YayFjf0eWG!imrxU1p=OR863vwG@e+<45>6}9VIlaw zQ016V4)+@!t<};;4$+J=D{!33U_aX-#EUd@w8{a5#Sso5;308!7`Mt`GrqHUQM;O% zG)&JBCUhnm<ZnxD@L7n13HTCe1UrXk8#2~3ApB4Gtr*rReY(c>PGu5aVx<tS64#C8 zKeN*#c40g%@C?q(WjHh2hqCFz;W>2cpH|>yYrB@YrBQcYQbKUK(F<jaV50HDrHu?5 z>nM0&;jbo>lSt@{hGwq~5BKdSey^Zxlsi!D;U7~qaVTo27S5~nKHHxl1=M4D=M5z) zdnM{UvCiiYL1|%4Giqt{6UM<E{ns{Un#{};Uqskc32!^oV4ZIu>-2&t`e06=7QCs! z@I*m}P&`meRh2*qdW*l8$mLZZO&5=CqS=GeP0(e}t$k7d4uq2f4Bbuc-N&ZjRv8!( zLWxgg!>7048aJ$cEJP6Gb4<Q$Y-k@-Gq?Ab@G|?@PCm!c_$1ThC&h*xR$nc%!_us; zyzmdHoTTRdf>~&PF&{qjW1d=2D+hD;>5$&KrB(*<GyIZ7?h}Cpr;o=GF<^0N7nrjs z=z=+mf;Bh|tEF22wxGN7eC>KR#T(7;)}T-MX!frFyVnbK;iloJ>r<#lrbv&C%rqsP zkRQJ_8h3}YBgClnQ!)7-xLXEl;R?;#m)6stdHrf;M_n{KU<Ltk_XU_*NZ96mffm>y zG5B*R8O_|#o4vt}O_=9duVy!eqORnVzW2go0S@O@Dz4bu7QoE}+r<)w{f|;y)C3Ez zWEWJheF9t%lC{h)4N+%P44V5ZwC(v$f&nMafQU$-j>&{s%(ZKAZ#_KekqQ3WEuACG zii>wQav@P4-6%ZKTP$hg>*z&EGjB4KQ#_Gnd_68xTHp*n$p*_rp?2<Jd~`Y^tF+9U z$pZmEl%$P9G7g_tr(suNhcITS=IrZ5M(bc)!nZRH6=!o$@qNO26P~J!qnMDn!?-hq z4x@Z=G45;@nord13(E=Khg%|Lu&DnEExV{cbQA~B>Xf-y9#%dOo)0hrX*!B)walXa z;$|5a+Z)27{+j(r5QU#txUbf8ZwReGouh<ma3CxyZKq4=_C16B;zg0L8sv+6rk^iv zVPQ&qsFmZwixoM)%$>3%U*`A|FQF0%R&}lPA;E!s{@pZDca}wiFvmZDJUKYuKM9tg zgtFK98k6QukAF$F$)s@4eu@i)n!?5O7Mj8>a09;Er&KQ9(>V1}7{E2bGW_!TDcL3~ z+u#cLJ6!yCU`Y#31>HFEj5r@UoC<};b_uRiWHo!#hG=qP>4ESs`uHDvaqFWz@;k6( z<D4u-o{XyX{1Ow;OS~=CzQkyvC7UcMp;<5qHDT7ir>ZCZJ1>YrOW_Oqr2;+)Zi}sA zS9qlZLEw9%aG{=1vxK^&gMlue#K^i}-6V>ZrDv5K=#`MmIdXn}GH}R_f(OIVu}SVE ztfmady$tVu<p>+iq9^?1+&4H49|iba*n#qXYlP2*Ik8$bdu3nUd;;ed3VT9}Gcg~R z!ha78=$Z#>V;!nJs|ZTU{A%{y<0EG(J?BA<VHd51H$3@iz;Vq?3jK9L^wufeh@N?; zQjHsDie}a{8ZznS<k1U<3}atK&>bL1Zz#U9@^Av(0vgtp!h3zRY(+7@p<zX0q$%t@ zU@DlxEd%0q`n(Q47f96)EZHDDn;^LMC#gzG$atVtxFR9m;q6lLAFCZBEVCh5;Lz~t z=5|j{OXxBs50t^qb#ZP9eXOpov78<X{;LSyT=gWph?!Jq5$+TwUM!y5pW|ez!UlQ| z2pG||PV=Ps%H6Rp7c2VO3meNF@*jm?YT)_VY1H$b6ddXu=TW~ws0B#|w1~NjJljY7 zu@0|O22bGV&Mi8Ly&P#YlE=m(@Onsu$E0Go6^HiW5c8d+z}e9{p>>=1ipceJ46TE+ zqbIVxtTCCsRgIu!<XT}*d$?Z-M{zyfF~YDKG80<yZF=z#$JX@BWh0-}vVR*QUM9l` z|CPd7)4@J84a+6I+*9ur;-(^8+K2TUjec|$7|K96!ZR9l)Eo7F9*t6+%j%?OYVcMV z>r_S<PD66da%DgB4+)BOf>158Lq!x1EpP~q>eOhx2bW^+Y4~gTc-9&0cY&R+%dexL zPV3S(1&_^O_Y2LqIL&3d;%FVp@L8liX*MPIp8&U%dfAUcP15;dde2pvH{0;)Z(Nbb z3(&YYg}uuf4dWT3nUC%{5xjaYyt<kU-oS!|U0^5yY-q-%6$KykfE6iK!@GRkE{Uaa zco%qRcq!DiNovM#nXmSW<5g(6cIsJH<fm}a?L3a0zeJ0fY)Cp+k92MC5@oe8--5%{ ztJqdi7}pzKxNkgMUc6HHPrZ1m$?sqhdQ*g^_AuWbF05kvnQ-}0;squSxq<c^&h&Ic zW^Isz3D<;ZM5j;W+&*@`kV8_=7vM7?a~sEl$mmGl;MJprp9#N<d6Xs(Cq40sXvMA0 zUj!k*q*uh?0ztS|gr`K2y(SP;oIxA)DfA<&h1rIIhOIpj7pd4zXdZ<&Gf#;+Zl667 z=S@0uKf$`na1`{ZdNM<Hx6qri_p%2Tll;h7ds$!v$<|9f^w$v-Z~s(;HQusl|4Tgo z8vvW<t?6vJ)uVrStH&B(B>&<e&<jYdqzG_HCU;6Gwd6SlS28OA=V3|JgUV<^7sd*L z-zQw9urqzI*_TJ*9v8hgDaFQSABVs$^i|^g)KbUvfWQt3a0tx$0|Yi95a6cCgaAju zw)tReph(_@(=EN-lj7JH+Q@yAR+IT?fDQ2z5;ci)9k_=^0pEPwe{g6ZEO(6y3J0dH z^YJNslD`}BdY5_8&ppc{&@JRZDvEWxl!YW|h)fss)j1KhQ_5IE1cUPYOr#&$Bwail zEka{*pbOs5x|14R!Sl6T1bq&kV_MurA$_w$h$-SD0g|YVhLcvJ`9;^;Pb-DX)3m~a ztNQcf6$`!(nW#re;bhPE;$bfy5hWa(4<r?C^zb;f?_vcO<D{+)wvZOigk>Ep6lLpU z?W>I@8>dnB<w#K2C-wxFU60bp;QRU9!#zqKXCs%6^il6%mp&41io%p&9Op(EI$s;$ z8qWafD+$*4gRmUs;x@G!Iz11ck21x;?>nJzP|qfV{m`M^impjD?CMpduY0H>COlCt zyip-PQ%OM8u3m#^DWwR)Os9Wg!ATVIG`DI>zi`A$@e|MVpy!sFLi3gy?=)SwwGZ4{ zbF}A@UeHoBh|tN5`4=BtkNWT1UM@fdC+Gp_ED3tQ#MPvDm6RBtyZCdxi@j*nC8}nA zP%MWMFhz{zpsJ;HT~O68y-Q~d7rqraC`ss%Z61JE&8%|qs)jmmeSg(lobY~8LLlGt zcn;({CGOH6Hz!67Cj#XdkwaLcQ06{R&;hGOjaJeuKinf%3jbhUg_9ijv5_zx9UN6P zVT)YD<=O)Ut7{zVZZ9c7EdcL;3;w-U7T}WiPJn@d>K2E<?!SNzvwTJRtv6~G6xY>= z$1sR`W#92WxR)s&)2CaeFD|YTWYZ77^sa%o*);I_O7zRUzAjAcTZLm{^#S2e3j9q` z+0Rj7tfX6iQ(~(1q{sW32af__V^wlcH||hq<9z+wD)~77pZo-o6VC|;e`W}#iE^FM zG&TU){$5W;hT}qK5WEDjD$k1nv9u754~^2_Ym;4UX{9{Qa~6XmLoT#558u_vCGBvI zTmVx;Olt7LDFGEc1s4;>Y&tFFuuv|8%ZtijWZ#vleQ6LbDG9=1bz<mtxi|i-;Q5;` zu-Zp2c5-ASd|Slu(<CaLVc!>Wv7uYg_Bk=2p??JThZNy0=A9S7FL*v?WC%3}TrcTn z4{QrnPr`4S&ijRE@48meZ(2u<Wu9(=8So0xdhwmw0}-OxYM1i-tHlMwZ<=cs<>H5D zDC&Xorje{H^NUb7)Nao&<QRskXii=F02_&e=+<eT6t|LEO2ci%IXVprml{-vXA@n< zHH&k$QK8ihq8P?s{TxIgX=QL}MZQrB{>e0tYtT6i@<_iGt4)ICv&n{GUiLu|Dp5C# zO-l5NP#9i|Rk2Tnp{OSQ;bcgCHWRDs{A{QTw)!gI8cg2>x(uf5p%jSp;vsG@p*WdH zh|B6UVd+Wd<}!cWZ0Z{o&-5$nlu)a`*zAE;tx%KX-?sV_@U%im&3eabO1h5BPc9c~ zo5}|cKZ)QLH9zPJW$5+fd>Zd{9(c+l<4>&dYu2hE2l_N$7n4tOkW2ff${8*ANBoH6 z?pblWsU)V^#r;Ws`_GhM`~VNX&2DGL6z0T4e>!J2Z6ryRbbunjIMeD`p$J!cxTUp^ z-N%D0$%)0BuksgstOjjG+-ll2R(w<DqW<Kd2zR0J(x7co%^7j{Gd}*;k_?leUA3}P zqS+UQaf{`H+*{x6VZJkhczP{9r&6dHEfMZ_qA}5!Z6LVtInG0SL})J)<5O|VfYVA= zMa_jyXtM%OGyWp~6LArZs_FzQ4(R4(>{+%m%9{Pk0Ke4E;Kh)GbM=rBc=zT5M}dt$ zK;h$U>WU?VXrQ*dg+Um7oMWSMXq(DOXTJto;9WGuz6#Me>PD5T<M2!CRcmyMglloP z#CapW_kA$WL+}LZ=!pY#c*iHhFE#C|^PlO7q}d$DS1aTEbh7yF4vB^N<>~$J^0<fs zx-3Txg9kmX+4`+77rxJXC8XhX^KUb<xY0h+Mq$raiy~ZA%BCq4gH9`aOwnDTc=l9^ zhdqYgql_zT%TUzjx8O+h=1ygM(rHQ#>cd>}8m>1vv`H#<*V|5fPASH}jAo0mz7NYU zw+q;1_-w{4_3m;zx_IRXf;+bcIVmBnu!~~2+N$sm7Z1gyadh!RlZZiOaZ6BUKPRMx z<+#<(7unIpb+`a)aAnEhly<aOsDtfQkvMF`d6NqfbAn+PA8kaAk5;C^y5k>MZ8Z^j z!TzPuk8VW+eq{@^`|AtZ^!EQ57VFopuYYNzRhinckTanNPx6B-7DkQZ2k4!zj;t2e z4Dp^f1on*qNQnd4p+)Qy(fj;F-~CZ|L8)s-o7dbrCk-aJzQVtc!-*|Jfh<Q%PMk1- zN9hf7oQT_H(zY<%B!#3tGRzonLm#=Rx81~JCw|<i;IXJ7@)EeX#Dv4e8VH1B++Hmd zwTfe9cqLpV4G+M&M2l*DA>y3+SQ-a=gEo9D^%LhZcuA7kJ}GKE)d@c-M^J>$oDzZ; zl`zD5RSWBu!S^V}c645?WoC7Xu}WZ~tXVrcVb`G%KGL5lEkuh7j`hClhpRlM5FDhN zYYWH0dx;Ig5}RD?hdl1g-bPHjYSr`~iBf4C?5JHSEL3ttyF%l+T9iq!$}beBr_Kd= zO&8!MB--GHa9p}82=90bh;t|WZN7`rOUEhD(bviIt;qZ{?H#obsOA-&?B59zQ!^;K zXgoL|r=tja8(z$Hlx}{~xm)b#7x!27SR9SbCeCs2$Klq944+3kYE0B8dPnV9!bDW` zR?{>k{6wVNCEG;~$7yHaneKwSTIKOyR7Hb`2i%N8BJ)vT98^@T6qdG#_fMo*j!TJg zjnYvvEVwno0k@J`c0wgQ*pPr10)(lroJ5eWHD}O&!C7oL{q+8gc6L@g(uJkJ;&HL` zwXvE!!XnIEE<PIO_Uu<7F8ByrnFtp}Pfi%geQEK|^YEgw>RdNAVPv27DdBKvW{|U4 z2vgsKy8N>US3Hl;{#0`YWyAwCPI-lEDxB$uSw#u1bS4x)QP=<<3h4CL6|gT6RGl%6 zQDf_noS9G^?+Kr<?K*ot$jt;FtkRu-s1m93c#)GI4Z-q@XOHe?-J*1B`4hSbvT8pw zFq*v4>B*n|cpG#MjYDma!=J2UINMj^0%@D+o92xKd)+Hs*TTFtB(Ye;C*39~JWx`Y zbcb^yS_!H24Qunk{2{npfADeS42^_rTLt%IYGOCWou)w<&AHyi&8&t+5k8_du`R0o z{B+&Aaci15vv^udN_2>~B6ENxZywadYT2|A2{XOf%azpcJ`Ro&wlm%2XSXS?q<UgB z5O0YFv?ZmbZWp=Io3C{7X4!@jutj-SxT_MaiU4?H4LGa=p)nT5{aW^@3|1@w=ljdx zx8fC=aaXZ;^qKIpBx|YPiZ$!{05pYtJfKLBSrk{@<QO0I--<t_Q*xvJvJ060R!o3t z!gOBtq7OvI#f@sRITSVcLdMC|wjg1cr-sSGKv97boEsTCIXCF++VL>Gq07V=SmMBX z)LR2f8b{!XmZ5S(b8MIZxppmc?KnN#r`C^8kVrar72un8?~|s`87_EA{Ga)^rU^M! zQ`c2SlLzAGo1}WSScG^mftzPnn+-YY>|@*DKUHBZb^cMFyCm4`%;04CP3Sb6C@w5t z&PrS@JY7y0x^x`P0Nwo5cu-A`Ix3OOYt5r4vOPg%kcX)E)hT+^5@n}~kE$DcAI^iX zt2C!E(FN?2{?o0W+sDHfjVrX&)8*n~f*57!3^jlqyBMxP7d~9l9#1t%M~DxVajn-3 z(d29mZjq`u3->=h=KCrDT2Y;V=a?GK9)nMi>np{JdvgZVcLAns^h~5o$yIvQICex1 z$Jr;qIF`8`Wtl_Kb;~fO(UG!f;W+kRupC<=EN3PYPGpiz>>ELrpsys(=H9DS&r}Cp z=DrfaIg`lxaYl%^OK8q0qH*A|GXo@h41LdDwirz$g1fW#`SlL3M__x|Y!c8(TM(7K z%zvmX){$Tpw#Y&sT%R7O@JvP(#EOjy564x?J(cnsLej7^`vo@xgHVmXc;Q{9Z~)?6 z)(vaub9Z@NpK+I$BP-X)aF4f0CIck3Nz$YJ7ka)8{4a>8voI2CS?$q3yqyt5w8n*q zHh6r)45P`sg{jsi@(UDlYxfZ6JdeYCj6UVlzJWPh=qbUwQsH<EnryaCXBlV(cMvd~ z%#QbQ+xR)g9`)c>&NglVL8hRcNhcZh<3VmCOLCe1yd*DQOSl2091NC-*p0`Tw8H~; zhi1W767&5^n^o+04?#qx^Ro-?E(o5rB+W63%&RVS@@vVZPVV8K7J=&TDnzwAdpORN zj4Nl*cl+9-JV)T#BOJ<3z2W6Cz$wA57~qs(D@w(ID5W}4NE+6I5m+vjN9-W?y+-(V z(NT&*QqW<9zf9ja!oNTqFTt<)<jo4RLeSx<5@!i;Z(#@|e;94>8p04#%`P5)D{+19 zD2xe5#Dr%HWe?>i;lV-ZdgD-_<S@+*8oa=~lQ^6*)UUk2BF~V*_dFwcuBj}vuBr4+ zC=sqrz_pb}d(J6_UNA`bNzgMVDLVWkNAZE#B>^zCpztq>4;RPhE`G113qGlhC#q(S zjmbh;5BOw3H`C{9&h+^J@5X3IS_eWWlX6s_s<<~%qgr#zyhj!ibkba!gH9Hey3on` zvQdW<bkbA`FMuhaA8{=jcjtJ^;N^mq0<PSv#IT9x<LV-KU9J=)%0MMwU&EXKz)KXv zt#E~Jy@TVt&r9}EhYz07T=e9!Vi#k49PpHCVz1j)xB|Bi(Qlm;u;8#b2T#`fB>zn= zc+&3E?RFPDY4^i`xC@?)B=BTpH+a(E<KW5h0pSA$N_+)s>c_xPD`U{6{SS|Kp9hb2 zgD2l`@MJ!GsoaQ8S|TCNt%ez*q$j^a?_ofII2xWK#lSC|OZ263IqIQ=VNVT!<#l2H zFO?0d@k=2y6>z*9zIb19;S1CqQT+38?mMN<DA(c7#iaV$)$GUBjmhlsYDmaL*;(Z| z$W(ZwGM^)JWhsM8f=M;4vqr<&$5QafLA>XagHA3WTaWTPVWwV;!6<aHHc4lxnF)Q9 z$!xN|iVPE0<4+{BJhnsLP^!xtO7O++niZ>t;tF;na-<I6>UaWPK_~L^Dk9C0JCymW zk1K_IY<5HMW-=2muc`w<t3fFwgVfMIhZB&pKNfO>fe!W{&Nn6-+7xa#G?QC2zfXu0 z0CQfEo;tGk!@@%be9#zxeF4hu*aCX6HxH_{maS0Dp|PmB$wm`GR@0|cB#iVJbToo4 zjfTQ7yU;$|9WjM9<&exJ#4L-h*D|eT;sGI6O0l7t*XD-}B?)$(sN0`6-ajYH6CM83 zi>!3ZHX3RQ>6LvJ;n(kBBogLhS`Sz0C}${qvub3z$xe3-%(Cb?&3K0OV*fO-q7HJ) z4NijL;g@dci2LiAp?LmdY?jych_7tMgH~@Ibn7HE+rD-HK}R)?#qGkLW<LJ)w<0dV zD6n>HjJ$o~b|=4~6cDAsXm~vY<CS7~IWiE$U>MGh)-F!-#Ml31;<?ybdlJ7iU?hs( zAoSyb?Sb%Z0G<924Hz8dI;walN#mMEZnzU-aX*^(6dK>541^a$t5xUhq3mf%>4q$( zsX@4kh4qC;j)<%2-n|l5@=nT#D}y6E8--tnikCK1_zho3e>`%raQR_)y?8$EhCVRi z=2oZ2uVy}LmPQU&ZjnMmg2kEKK)dla3aE>3R&>#&SkZ<;({;mEdGNJzH_TV%hwUzW zVHw*!dLDnGDBDOvpy1_V`M_xUClwS;FEls?a^(oLA*{j>|K1XOXLm&xuQrmD0cyOJ z4$R4*z;7_dOgsp6bZtS;=VdPB80ry4pQ_}U6iE{&lCLK3Of;iyVht?{<LL)RVYO^L z)J3|V<;_v8T9T9r_gyc79y?>1e|d2pC^6^Yc|xi#J**z``FbVF=Eh{EM5%&Bkuqp2 zUnx8>PBX^Z<TX@V4Kw;EH%okh+p&Q#Uk$^C(mLV!MmWAVkF_`2>FuQ<{3G!&9#S*M z4TdWs891}NgGj!~YytWX3i^PqCU^N%wXC54T3wHUbCb<ThPw>w&}G=^aWN6{1Bp=O zsnwn0YQL8GqEWZMXbh{k5j75ARhhyUjhay|;h{1PKYm`iUd?{d=zX2Z&rHZO<u24+ z{PCh_BPkclJUrgTt@*T(p?C0<$2-YF8z_5qP&qYNQuWrtVQ55V61@wJ?<BbOxGs;M z@M<%;TlzTfC){0mj&NHaIBaPge|w|wexpXF7jbKD>!YQryOQe2yFbgHN1(OLcDV}( zn^m-0SnB@+yCyjlr9z|b#$9I>bqH6_6i19B8K7Fdb#?(KK&JCFx<)IL#*y5|Tn97d zXF@pVVB(*Q4g%FWgcq9JbWWa=+hb<E&;-NNPiq<cdyagEM^37YL!C<RbcLEdy9P%( z%<*Ol+R~KB1#QvNr#wdMiId<j0he-jcv>@6T5Vp{SvriJtHN{W9S}%xMT9#LYIc2} zX!6PsAN&7Kx$6-6WHoaDITgxKlmUOF+^taUt-Yk@iCiJWH^njm1la?o2S+r`Ne%Jb z+}I!llAedlacdhnik5l2k2{KgQe^@LG^77?&3>{kX*V_V(bT9hVY<@l=L-4rlk*DM z4Z>S7^J#ZUUlb*E95vkWo9*XQ?xac{MDXFNnVn8B{F*X2L(8)|(-5xYnB?tzsPc<b zh!??|El;t3s;>OMiVj@HXi2xL$@#-27s(XY*NBfqTm{bJv!!koZYH;BxTGJ$r7ctN z{;zQdcZYM2?yqr|MoFtGkc8vZ01l+w6*%Z3Pu9WNy=&0PlX1IqD2n<&4+_CQ;;u4q z8T@@fOEmG}`FXTvWqi=4D7~`{Llmf2DK@@U*m5C^?5E>cZ4{m{G^^Uj4S*N%qL+Bu z2or#tBZGNT%rge;JS+e&g*do5G~1NiAF76S9FX^lR~DM*4a4c+orFG&ne1B#<zb(i zZMZ;cItn*iU_CA-90WmU;uTBqh%5QuE8ZZSlYp0pjprhNL=Yy&s)bnzaq^)2k{7N$ zFNf^Gt)*h<V^z(b+U&(;{)}-K>JfPK{5byc9^z2JRqkk3lmzn`wAS3M90(vL)dgt3 z8S>@QG?z>#UmiZigQCCAOkGb$X7pfDnZgx(vg{~dEgb0+2PTzCelig*h;1bHly2R4 z1F<j8Mq{%z#0Gk!#?n)JNN<KydXqGoa#C3^o?GQ>C_BVm<6HFPGwA;tBl}6{{g)_S zVbTcCyg~9IF{0q?o=iwWiE<Bty5_W*xcP)IWCo!JIS2}mTR&dR@gtfiJ5U$wJWNdL zToq7`FfRHkzUV2)^jv8z`?(0l^hxm5e&q`BYq2N4Hn++<7E_4D%7|z9K*iU!!&A&B z(l2OL42|)n{)VT9GhcF+g|%}Kw=A?EPm$8iA;D@M+{VSOId2xiU&i}|v9p9b751s6 z+^Ga-28B9GNT;a4XOaA}Z<L5%x32-7@Q=o|zAlMc`VPhOI)hV#BXc1{ec>U;>*6jJ zwLZJPYi6vPCpHa2WgsPt<l6CC<|zda2XY2MGpc{{)aH)`Rl>Q!@^j<!(pkbiqHskU zyUNFB2AKw*m$s|st5K;}hR=*wqvD@0CQZP8)7Ze)o(wzPo_c*%P7RzYY?7+e4PEvl z39S1CG!3j-=h8B#tUDu@1*<Ar`mg;+1+ZXVik~!F{Po%{%7c-g9Giu$eKh9<KObHq zSk5YvCst7jE?-CxD+KU~UdpjD1*)py7q98Y8Crx3x^l5TWZ)IW+tII0Hd#(XlEWNc z(M4C#0LfI-ZhH<|xSe(~6oAf>7i>Ax=s;PtzgPU`Kvd%#CN~<-%d&-2$0j5w={VyU z&8JC*(_lEL-S@MnFTh_V`^(4%=x=4w!u{-wJS4P4YBVVOsKWY?XJNf9g^0}^A=Jl6 zi-ak(PvRKU84Ul}B<y7^Xkpp*UUt8mB2`bOtbz`#@dlm!9NJ2jb0xtEJ7?1@PFWmt zAhwTb+|T(u6bP|0r_t$U<e6~34sMuBc($97c1h>6EkX+nT_n2L8v(Y{kHaNY1%-P9 z?8+eA9Gpy4z+&U(AP15D93&8_(X_7jk8`OxGs6EPJMGx8>oy<jCaA3l!Q3!Wa}t() zkI1KDt6%P7=*%&R&|zFDbA}FOnP+x;x@}eB%}j+nLB}Mt!n9`wx^XO*orCVjK|of| zcsYH`a^`iHqM*R`gTQ|gr;M2#*CTJ+W$Ii+!EZC!80a!<zw~t%qu3G4h2&e&Z*M43 z9;&hJ|7O6rj+h&K?<yj)Njhf)xnIFzPAw)Q7hQ^G0%k@>BVD2MgyKpysjP}!6KY0N z#@;HC!$ve&%5zOEln<yFl8d0XSZ0HrOrh3W6>(Xk6f#Tw6ziGTn+x!DP_dO{+MPo% zU+LeYbjbTS*uND=z#ALDvGFa+=tkQp4_D=3aW%ERSHj3_2Li?uM$@JQE;;4%2oZ~o zKS1LN(=PVFHNnyN)%9#kAL#&y{Nr3Geo2gn;;jW$IpMcLb;i|5w~&!53n%xMKQC8a zVxiqqani-e`IW7w<b17)JjJ+Lqfk5n8@QRs<KwDT2NGu&%j{9P(KMbe53?m8{Q)31 zXIFE8oJj@Vdl>wEfKCjmsY)<!1UKVCOi$4tBo{dI=Q<u6IbD`cqT&)k*LK>ugor^n z{y*07+7dZrdn6vscFm*`h2k+}4mDaf*;OS<XSLbDClhzaLr(-89PjS%@~mPWUPf~& z9~rhXn<O1FQFJv>LH^Z39T&h|Ip-u@OoxbwT&2kPC$7;_FNrvJ6ga1Mf3Euo|9HB* z4({vivM&f|{cDiViZ&(hPLF9!HMn7wPJH}i`o)kR=ZqTx-lFuzxg&!f>=35()$Au? zcvx1A=>ro+>h==lrBFl<x^)BY6ZZ7clmDsLrFH&-wy}f%XVmz}!TRM#4vq=cgM||Z z%d>|FAwiimv@&(rU>-z1IqOfD6xLl{?PsN8)S5Yhk}D?<shM6iY6u~amySwQ&1|&f z3!{|1!rUYlf)N)C$-#(c4QZTFb@k9OY)KK@$Gneb;q;gr6Q+U$KdP%#<9jD+j+K=< z89wB5RiFEY6@dHjg}q@VRO1V=(Kb(y={$#hx6&0Q{-=kc#L~t>cu6W0Cke1i>P>|; zzGp$WK*D)e)JU@9dzOH6C0eI8Jmd5i`t;Q@yJYx?$?OhKWVa%%XK-muh3)=}n{iOA zODgLirG%t=6n*_Y%IQ=f0q#*MctYIO$`T)-Ig8$r_4Pz{PCp0~mPuYOWJVRhdx;fV z>P|&$b|^89Qg5>RgHU4|mpTyk%5aB&JiAW7k3obmTseX-sP_^ZN*wfA9}7}God07+ zYjv-p1|Q_Pa4-9-g^s?WdML*pC>?G)(CodRz<aN1-Yn_qiNixUfAf@!M{tGB2wTGC z<!rx?i`E(890z<x_$t`s?}v-)TDC!Augjd=@MDsNcsfCamV++X@-TZ!Adq4b%0$!t zPUF;>V^Ju*Rk1=dugYlYV*<p6QLP6(Y!Op5Q5vDZrQun5>f_vCEu|WubC|l$%c1^D z@!n5@&fz%iUH+_>JuR^x1<sl{gJT6Yn#)#Q30JEWeQXSFfF~qQY-|j+!dB@~;ix7p z)8@rZukc<NZY$~op@OaOS*#ilmBE|p3MbuU95Inckj<i*QDb_ove^?_<1&}l_-TE^ zcXci>xZShfF`K&KqT~Er=WO@zV4{_ELNHr#?ZZ7s<va)B3|q@yQFQ=SiHr@?e#y#9 zNa3~VIVwOd3FpS?a7<C0*WS4%)*iJ_OX2&cmp>e>l&k`I?Drqz^R8xPnBl2O&E)88 z8n;)mzpFK75=G^J5?;y6cYg#o6DXdf4XruYcO%*JMqeMt3XFG4LkCw`Fda8S#qC6w z@10`>93s@s)KZ)Jaa-|nbOp-MW!z`N4mF^e{YHg*q+pa6ji$d4Ux>Vbo%8kV^-(|m z$;E@rPe$w3eildfUWVe54xTBPozf5Yy@H#HL&}u60Y8-1s%C0n)bh^bSr}ANVds3& zogZksa7`*aIGp{5{<c$ia<-P7s&Sz?$KM}CqN_^J$L-Pm3t+#wR<la`ipL#~tJW*L zXo&kVP~TV>X$iA4%GlW<Xu%<v*?$QLnkjrPh+q16VVd`FW<OZOgBgd2;c+<U&5}5; zn6SJr%#;Vhw?T?y@REMu57^LYjb;mFY0hdmR4#;(z5pa;UexE&GL=o}>)l@q#}zb= zplX3%o(Qr$8g47uAT-yD8VU~$_fS0TVkg2aQUNquYgOz1x`bi89{`^(Bb_0^b!8Gf zE&+V#83tcSKKMCY3rA+_;ota>FBDMqg#w=Us-aBUtIY5<(3`K-%zyUPvQtI)!ZRAa z@vm&AAk?>72$)xld_&eJ6rwX86=&dIP2s&l7_~SK0*>{5WxZ<swU{Vh`;{x{d-k^- z_pA6{)O<~VHxzFR+Kr}lSr}M(2m82?Ptu<>j)xFh^`IvXw-=&vs$4D1_J}<aPNt!x zidPfRZC@5cnNr44t#nNX8@0$S?4yh{@P*eF$kVI3Q7saYrw#5|y#OG{4Vf2IUb=v+ zcRTq)Z$4isOz~c5Wiy3skKL%WprvOv<?0rE6OrKgzzhmhycep2XQOVQ;>MT_gAVN* zx0*hy6@NS*kCpc<S0L;u6{il!G4(d`ih0H@az2Pnfk$*tYbY)`l<E~pA=noffX0<O zA@$(Hai>WLz-xyG*oZQ;pY}?qphJ3)^ON)-x2i0wJOsCR%1}$gr6mP$ZG3I9joS7# zRBWXpOs{ZxRJWBZ=~2-~hU3Dk@UD*wi#>HF9&I7S$4-u{Lj_p?X9jKP7avVLDr-bF zZoYtuv3HjyYz?Cc(HhpRvAz5`J-9-GAutQ|;3&;H@hF%)eLPHvQ-Pqup85}#YR5@m z`0-B#FuB(XEpui+@$De|-R~7%KV7qj6f18i@RVQZZ8RJs!&g_#fXy`wm7WzdmgulQ zn7~O(-`pS^Unq7Zg8Ppzq=$If-<1XaR9S+3>W$iuZt6m8_f23qA-r{@xI5A<gP($y zE@IZ|v7q_taPu#DL-i+DtnZdug%dW2%_qCOVM1|wwX06$QBYA8RIPV=N6k+skgIN? z6_7{#f?dqvO;_^C*jrmIj5!;>a;<9Z5|ef^``a=3tb|zRUP`fXJ(RQ}Jh#A8?*|r~ zL5smelec78m#;J2ArR*0Y69%YLM5a3qd=oDV?Ivi@p%0en%&3HO?#lf(Q5kCHvraE zxQUQIGZ-4LWxag59rLH*fmjDs^)t-rRC2>BYzu{BeiSUlJ)t`^NNw}ZL-NHph@Y~p zD3o(m9$_=Luuo~LOqvse1!V;=zSmmKsi+XgTn!)MggLD&5nAsrw$Z$cq5%C%(GsW& zC)wvhqm}F<>o_yZV2EtPT@|C*(PF|%{~X2b7ufe~sBLD}gnLQfGk7vu0B^=th{xV3 zeiEQ+X6%L{c1<<(*L<p7eqNLoMyV|OA1H!)-#`f9DwAbX*q4I#vt50CP04!I*_ZOZ z&fwv&3+Fr)#G@3xi`s9G(&vu4w^TxZgbJHo(`&8jd^0O*99Ipm;*@!28?3LI2473V z*tS9N_6P~eLv_Nm0pcLW>%t1&YuPm#+v`E$>SaFwTTBIXI0Phkxi~uUey-pJ?|RJ+ z+Tm9!z=`ms_hwm(YM-2dwrevmwzypYd_aT0OYIvZ=0XASewuSlZ<<vC9?Z?EJtQ~% zBsZ-wt#Np!LdLH}C$1V$wX~HY%)c;i-0G|r1WS;9Vc!Y|@n3c``5PvpWP6)20%dGY zHppa9d%ev#W8rod$`Nbk(T>DXf>#8%g%yeS3lmWkJJwX%EsGZ3!h$AMf4)eva2}WX zS972z)x^2|lzGBI17h6&iQ*2Su|lyuRuGCL;bxItD8bdzWTGh*8&|t!cCL~t(atBg z+)D0asU8r55=;Mq3Ny&#Qeg%W3Aeh@wtomzMf-1({tp7owopOK>jWIR44A>30plCx z3AIW~cx5ZY-ayeS?`#L}+Ol7iICIxl22SDt)pQxo^hmg0C2p05qlQjS6L94iZWWsi zp1zA69@*RANl2$lp!sLzb;4{kWNg#;D=n3sJgF<=ql97I?os;<)xsqG!<X@G?(`Vv zn@I{|n(5C&Ug0YczJ&p1N()8=UPkS5MMGsgFkkwC7+OOuGxfF9i=q}T26T-Fev)Lz zAu|>3Q26kM!XfU;ukn*BpRiMVL^N6rDgm)3-GujLrW~AqIB<kpJ8I~_z+^6$kka-n z^CW)?zqg9b4tCQDX1fBD%1k)BM7(|(m5tuHIEf-GmE9x-xWSw18#o{hqA`h1@^dwY z(X*f^0hczf!nU)<AONRCIVc29D=S{esYDdRK0CUSLsZTw9*STKS9(IPhj@nQ!=YxM z7=&BZ+GeLI>3l6^@#GHGK0C@bhY#QmeajWJ4bOQv0;4)-N8u>cEPv-ogpW|NUfQyQ zDT-U?=|V4tT)NP5sgt7WH;3Q|kGICOR;j$+Yc4Z%D893sBM))3%PJv5lmlv3a#~c` z%X;|V6zIFC0yh%{ZF{Qzr~m!;D*f`mSH*-!tAt;xWV4X`@AqpeQ#Vy||ND+ge>~On z3(7@Nji=L}s^ootP>tUAYt`g^*Y!v5``NfG){>z>ZugJXIk&s82Ho!ZTJCn27kU3( zNp82mD@w#+O|=YnE0oW~O$h011r3aI=&9`NH(@j%MtAwy=jQ$Fgl!KB=RNIj(16+{ zk;SXeU0WR>ciUGLhPBlR)p<{bo-X&gL|-*ErZ{TcSw%i~qtmoo5y|JiPU1edutOJD z7sJcaXzp$cw<OTwP|@Nj=N88&5+|$!$YF>S)T(x+)M%StZ*RD$j$H1Q>`n!p@Zbns z?AEQlbH<0TUm;H_?{z<puhKtwsMTQI;g3UkF&c}B^_f&t^1nOY_>t7Dm;F`T;eIdC zL4{;(<4nMPFMCm9<7feK42n}iH12WZw6WLqhJA_~+no_!6YB<{cKHv=FiN7?nAQ3d z$)kfEMK(cDILQ><^y{8hu<nfU>$trYMumw7vH(iL{n1n?fG_nGTIwVd3j2ogHM*vI zRH{+P{;GJN54aX@tqV%qsl6I{YzBO%cF+&~i>efQ4=QU}hkw!SPLEqcmDa&2$xtpi z=n=T8s0JqH(&UK&n7*`$OFw5{pbOR19X(hL^HgHptWb@O-bOP!B<Sx*QH=vLb99Aw z@Ni;rq+AvUJ1Z8vNrBy*(4DaCf7HMZr7XwV*&xV+$U@A9^Wl6djh7?sOfDln2TZXa zP&2jV2{RMaDHlvlImNhhRKOK^7EbAdGN@nCHEX}X0S$sAmPJ=ZQ(uhiuCrVgJ~$VQ z=-wv|<3`@HX#125)tYl-F^!h9qgKt)sdzG%WnZA=Z9MjDgq=VT;+5=*2;)&0j*Sb; z$MlTFch|#VMVcM%)$N|2<KY2$JnWnr?h4TnlAUfcjN{Z0#d4*GeDJAH?aBkIiPf&= z*}}GSOhkvj1Sq6SoGc0<^=bZZcy^;@UYd04Q@%%LW8N@)6zxR&#Za36Wk(;FrY87A z*rMPBG(u9V3AglHtEI1~)Y7ko;9-xKJp+ugEgO!27nEUaxCSp)4i-uo+?hm^T)&ze z*J`6-S_y0m5-ngDyHMrO_rjvy@MN$Itg;oFdF*&`-2mt(%UXK<1TDLmDf?Nd9XJQ8 z9Zmgr&??_h#Hl~mPJ%bXqw#C&RXjIxT?6#>@u{-i<#*vH=}6ewF9YQT?P_+N9ku3? znNJK^Yk|Q{vpdG;O|zTAT_qGM`aaEWRJyg|IPDJ;<DH>mlf$7GU88~SKpmIkU|W8c z?fr-17g}ar4Ikg_MXT5>Z^TVZCOwHd$@WxrRb;2YaVA#Ed0(dWmsaS`C}<&+%pyGc zb({^CmaG)$B~_?|$Bj2oG3WH<%aJYg{&Z*VC>>70ss4Vf15Xu;7jk8JN{*g0#UI9t z)UxYJ8|~EFlFl)h=X>kP=R85(_`92;!C7ASOC2qQwkI#~1o40?6twU_)N-p;v#o*X zUyJ>D`q#~oIl@<i*!|qwh4=bI;_0T{y0~l!Uzw4-qI|E9W^IQqKmS>s%Q!mhB;5q< zUHFvemad#lU}7@+uV#2R;8jgyG9HAyN%KlEdQXMcP(0<kKpGx&%Vb!m5PMmH@%X4$ zdiXF9i}@cR&SED1z*&Ppl1JnDD_bacEi1`!A}z0qsd((-Mk9Ulp;-{a?UY1E6*HDr zqmfabCn)=%3{R`m%>_Z1B1iG8a}ADNE#Rfd9}&#{dU^`Vrd|Fra1t8|t*89TgfM*4 zoz^$c&wQ6juwY<9OFz?~ryGmNB3lh>qyhN+QLsI<_N!rvGzt9v6>4UdshgMf4#7e^ z!H)`bmI)NL`YFWqlw~{>fdQze!lyHTP&w2S`6)!N>8B7c=5h16acQ^$yBZ3htaWWX zgVu#+tSO|#t*BjtZ@Zze2a*pfk68jEpv!QmMOWoDG90q5;efI`%oCyEM6|D7Qw|Z9 zPldNUaSqj&hHd<f(cE@0KjA37bT{#HrJU_RNIe>!Y^wlslj!mLtMN!pm*r5_+86K7 zs)ai|Xf|hDr2a`J`M;Wmh69?-XqCUF)(II~+}{DW#1d#U6u_d?fsjQ{10p5XGXI!_ z?G(hg&$lR503VmF6sAvx#WMpaBgu$3QqCC>=t_`J`jlUWG4dE{3G#TzoA45rL8ioA ztKw3zkE0ob3)X9yvR2|5l(lYC)2|(#urpDL#J*8zZ<pZKuote=!~-aXurf?+le>sc z25%|>|7{*Fw}L8LDtXs?Kq+n%UY;)Mhjif;OA0!L+R5z9Aa^ZKZ4u9j!!o7I4tXfY zD@gu*!n5oOFPstXi)$&GmsT(}ObJFCg};s$T_L3#%6KYmAjIq;H8}|d6I#=7XN)6m zB%8pMdbxU`!o<<AM;{OCDpm@ou7cMSA-E+X=G!prP=|r)_u*%)n$~7@;S-I9eMfZ! z2G{qb6V<_S^)<P4q7Gr<h2kMmViXmphbVA7Clp;wt`y9Ptx&C7WH@<kP|YZF6PEdT z4SW^yaUv+CBF~A9Bu$VU3hzfKdG#(WGqXrswYCS@cZ~}x;j-efPy5$FT@`h<sf&ew z-Y8VBV+$&|0l|O6susxC4TagHx!yWKUpoK#JLyLvGr6Qfhe^%Y#T2(ZL(%z5PNNuo zPA4=z>bx+hOVzJ{+`C4tckz{ZDV|nZcxq2gEU9Lm-l3y3e^%J0c1ORTjdZ<r8od%F zDZD<0?Io)3PGRdH@jusaD#!~Bn%QnD2N%_QBH$L)qf#sbD-LMzARMmh*^3X=^R@M~ z>`h5={VJX=md&S&<xL5ysh1gQi!(aNKPEFm%_?)FW*e~}6mq6f*XOf;@)qRjHmr)c zCIc%H8;;`AkSN}J*;cYAcA|91S&?+YB~(8}X-qeq7U@f4PRFJULvxat6+47`%f<H! ziA;f8;Enak$H|4~YJjdpktNC>v(K6>9%b>cPxh7BXh~ilQ0`QE7T}^d`BOY&9sP&x zi^f6Afb|-lo5LW_4jvFC|ClGN>(1=<I91((B}Dj|8N`{fKFe3%=o|Fpj`A?u9?XTd z+g-qAnt!iQZ0r>{7V@r8`H0bEWXbljGS<67uV~@B|D`z1n!obmG+znAZ-Vq!UYzD4 zQQjqri$%CjWb6Z8l*Y1*4+Pxj7{DoF4~XX!u?ylkNi0I0JBi%x>{Qz2c)PymGS=ch zOuE)+G6^xlyE%+X2bTxO3Ux-7iX}_JGKo!>VWB)Zmv&~7qikFII2Dmci#X*N4?3xb zgEZ|oaty)VB!&Lq)5o)!*F9A7DcZk8`9IK{BOun&py<zE#4Fx3Djdv7E0L!ek2si` z7#fZf&93*MQBwuq`tun~e`0WwBH@85@f4-mX>gJoJgIyo;?l@o#_1)LpnZzsot<<V z>?GCnp=jegv<F@YHi&!KM6<z3o1Y3C=YNi8Ds(gwIVb{3cR6pcgD#bWs4*7KSn_&| z9SW1~55ZY5i^D$a{M-;iYi+Y1)_SU>@0dQfRtpdZ9*v=D!i${iML5D!Ce`~3+DiU+ ziQ{Tbzr0$D2`N<=sL6K&p#pkAWvbp!sDN745QW+T#$JsO@M~rI``{|cI|&UKJF~<~ z5J8-(9~bcI$H$f?s%Ac?$s-Dak0>cK*@TLHZjguQQ~65BM@AcGRGnBbhOP4B^6;+m zgA9%0=K{L?-^d)?y;`AAeS5L_5DG0(5`H8Q(KMWkeaf#AC?XLP$3PQL4_ku<z^TH! zEap_pBzSK1z*V_Q$!~dP3ik`m_|hF2dc)D4ko1-Z4Imr8!bAF35~1NyslX`>!($%G z;eneyT|xcRJsf4&t;BKn2z~u-WzFJb6Xk!Y1tC1FOS>6-DoJp+vczYKU}&{-c(qJt z76A$d6v#Fn?4z3?f-peBV|2q5)|f%bfKIl_nHAwU_}(A{3JdfPYYHsfFbvaa3KX!f ziy`Kfo0CmR>$wt&<O{+P1$m$$Dvn_ZZ!lg+1_I7mJGDR9U1sSCN-XmVzgEWxbhs<r zP3P(n?cb}^;N*68^y2DiMwkkRSeKR)lBXxv1P`dGq!l((@J-Kb?_HGx999c&6^U+~ zAHV1<qS8ort43d+^rVWL(k8=Y<YmvR4sMc!I-xiX8jS8e1OBNVBE2E#sR_WL20aPE z{-{2pIqfq*yo^bg)Ih#I-<SHy!h5tXO`DhKlW>pH$H@?QITvpGnZW~*TDDnEI*xNn zA(zxtPWORG#|ZLn4k1rd67~^GhV_WN^%;)q#JQ@J$9tbm@RmGu;{8%C@b;j9>-DOl zYR)sp6CB;obqvMd?h7@e>PQNE84wOZSwqXBD~0l)mi~7IsgW6E;bl)zgF}MCoynYq zw>#2;ryWXdg=}+&qIYEt8SOE$>6S$=qwE34x<`aFaT>j%x2u*`k+74y!`zcZw_|=E z<x(|tGm6lPJlBZ`b<22$ik5mP#tjET8w|aK9l#i;&PBOMDJvoiqR~ljl6I}(v^_iN zJWAc3T%0lMR>RojlCxa868a~EBCS%BlVaW8>Wym7TcxOA(n(X@_}(6>$lE>=FPw4# z2;phJ_=jW>iWPNr{OZA}+k}5{tXGwuNCc5QtOnCLjdMwOWw(R4<u$RIwJ3IM1GPq( z!>7UM=vkWaTyH%^P{S>f%a6)o5xVoXM1>YNlDsreqfvIt)8z7vRQuw=Xg{RjfztN4 z(eywmnf5gNBRHn<$WVM|dN3hvQQ%bcaW)QEJI5f>s(GOo-2z#B24Hi;H2BstkiDR= z(|UOa+wcMz&9Sm-s&9QuzXEvHzY-cm&8L>Ypdu<MI!sOe6v5BIu&}6xKY~@ZVkDs~ z@6|y+nKRXGV=;qv@Nr^ZJG8KfObt@d3)oP^TP-Z9b)#5TSy#KK99B_Y;KEwFJ+Qr~ znm9M9Bz|v8*dWY;`e9Mr;Wgf4fY_8))-_Md3;2)GTzftjsMMLBUI!`s-YV5-Q@iIw zdBH}uSd6CbDCB%%0xREY;#1(9;o?mb4nXn=`Ey>K76)5%Yql2qx^h%D(^pgX@T=5V zrpuy>W!;JeU00Y*3`slH5bkp9-8NyHRqHqv=Z|ZD9;dDxfzsJ*4j(jmw&1j)$VFy* zf0P*ptSD+%O=TMABG6dhBDtQ#*&*gz5y3ZF%LbP>Iu5}XZpi|)*0v=Y&2&wzpQ*hh z$x+&r{1g&y8VAd&$wX~uv&JUO^n-Ce%SeFSFI~*5KW<TOoMTd2m-%vEPH@k2G~N0I zbzsG6;L5p0`ntQvSh{oN+@#REm(Vd<x4iLy_@hV5{^(I&^F%UX%b`wvo=n(t!NS7S z1q;1H<_Q;`s3yP2!U-*ty({NJWyv7n`NK3L?Sa4g%i#67x#IqVC&R>fBK&2tUr(jP z3ixVVtVf#f(I<4J`M!62IWOp+y2E#Yojfqjclfbxns4+3uhw3c+9bk}htK5I{MixR z)%@p-ws50HoF0IkUfGwg<{!CH*3-F4{_mCXO8&mK5N=jO{rDO<MJ|E<N7><b(8iLB z{zozYXxub@l!w~s6xH)j|Cf6HRd@$fwk%lWjhp5TaritG9#25i4?gKSCNC(5_k6q@ zz8b6{npyvnIJC(n`g`yDR-ubu2`l9Z(pe0i^|=MhCKt%?Qlee88w+)7azQ{fdpF?$ zU@HnyG<)9j2F~zOnAKb|5*8HToJ(-@*|wgmf|=nm>1+)i>R$jK`)tTg>leD-t6QaF zEb8n=?{;=AYo&N`5R~vt_BSo~T7NW<7IH4*orN936Qi}vN)@WmTgOAeXM94b3}<SS zp$=`MGH+5dA1uO&`naKU;?c*AYgO~9I^C2-;B|8dv53k`@D~iWW_Z+DrNAt20?#Xe z&+1pG>2W^vUQ9U@vu2;Bm|Ex>FFQsig_CQ^ROEyH1x@6t&N-Gxt3Rt>ubG=p6Avi4 ze?)-9&f{tq*&<lLOQkrkjP2qXmW4XumEIt%ERk5in_88(J@O^@U-Db{_ucGOG4f*= zC5*f_Dx5}v4*8%!hk#ev<nPVv@4wP}g=Q|yiqHZZf(jmDdF)__ez7nxEuw}eSF<hL zX`)%TXANZ#i6tfB4W2F&Ay`x+{9e+SYG_juyzu__%!YHde#9F4n#t@kt-yZGfL{u$ z1NV9WWs7)$AfMF%_naxSqy52*2G4tvdgkRrtKevKlG6>V*v~cI-=pyAAe{ql7vhiX z3%HfT&y`?4-uHu%6>4T@dDLz^7A{AbdBY$rIk8@OEELjQMvoS3VLK!|ZzyTxo622L z|6pW&+-kbIPd6K|)r|usgRYx7k2n5|Iv*Vgw%@?>sWi(Er;EoFa3}NlQ^n#la^%3? z$%bn^@L1cOansU?SCKu}c~Z4v69|Qvs%)bKaL4*?9ES*gNyEHp0d~3!?;ZlG6`6p$ z57DgXdpMWK9|cya))lIk_XWMI(K2VR%Mvd-mKrshClMLL#DNOo4>aUY1X|#g5QEnX zld5&kgoK@1n8fcrAq;iGBM*~K3BdIMm%(y<AW23-W@o6&NO-+)g=&4-Ut;}8$PY$E znL`;~FWjP8Hw+SQ8_YGT9F^h20vj$`*;lpx)Dkr}Tms#dU)`a9y|7lbe!oa}M*NAo zbe=6dP_JfZg?rHMAHksk3R&DQp#U(Cjao}NSRvdtf!*Sz=4(XF-=dIRah4dar)Y<2 z`Bt;Xh|9HGxAun~Qd7ryb=!N5G7OCyd;O5eEs;<xMyv<e&--b?e1BY;6NJwjwii1t zUrQ_%wd|Xd@KCMT%EUFITg<-_;LhMM)!gBOr}{LZOT|%CB5}PIU8UL=hNQ7F$lfX` z=z}jxgU}HS!#$N`1H!k5B{+(@9lfIw2|`f|oWrlf&F2r`aSegK)S3`IdS^D=;R%S# zO5i$lloxtjfOH7dvO5CsKxKmWvRQ5tI$A{GRp~Mh1Pdk3X+DfVUwpTp2BOYy*TAHL zGO~ppsJ=Ryy;EV^s(Gi6x5I3Iv0}=wKPU*LlbMT+3N!0Go0Bj`9tgiD82nt46kqXa zsa)av2ddY{?WUczn(@1kr+T@e)*e)^m;E(pKsn=Ab_t*BD%!QwndNaKyEWuix_-Wa z;(5aBGsGS;C>N<Af-HJJ?79keKux(uVbLr-v)m+~=ImJVoUBWWRTVZ$J<#SIN|Eor z-E9QF_CigNQU~a(R4>cP{CaeXx3d^^m-s4`+VZlmF9{9u99Sxwkhff+d#cfNc?sD( zjmgaDIycq&f$A0XI!=Po6#>oue294N0wwLXA2~YGOy=@&YOQL2GhBBf$ERUcjF%3u z>LUk)?eb9DQ@4o6wZf_h=X6n2$UKfOg;f!EDLhb(R<T<n_Wkq<Htb^EUOhW-s!cGr zZT5{uTK&S?r-&R!t($1u#+-U6X7L=r@{r&yX2nJ^<4{%+tGu0-138e6nLS2;B5LPV z#QqO#=Oo{4UG2O!#@u#ZLzpmuNri4ZudhToDv8gCuwNu56FS*RbivY@-*Kh6FxP7$ zr@HuF6FI>3wg4}QJku#<M|rE{XyGo_)spKvmTSrNCl*{F_%37qKXJ&5cb&1#a~Y-H zF0ly`u#+#zIXV;d3d_pEixRtAhR5Z}Zob%LB50E)jc4pz#DlV-<dH-{`2(A&#Vzau zRN#rkarS$bLxS5^^QyX578N61-!>=ZJvlq)&`<EW&5_fJg%i%UUEFOIEB19;@v%Uc zSGQPfbW$bCu8~C5S}0MW!!>rUrFq34inzx!#(p7RKPr#yZ<5X-o|con)0c9k|61PZ zrN*%a@*dEIPS*uAhu2Mf0@j4MAy1J&Cv~S!htHr)fBuM&g&S3&ue>e?%QE%}oZwC~ zZJ;+_PvF+TK<J}};n!#t8=z83y_4B0<zTx3YTq?Z6K5q^|5Er&&L{^M`jmv+rsT^} zSmuj?F43Q}?aBRnF~qA3pjO+<06r;TIhj8(pQmT6wURtSZa-2;^|Wy?%{01H=rith zqqS6E;wFU`nBXPCsFcX{eu_hGD6w8=u(3j?y0p{^f@bFi1^>dkcchXHh453zpo;EP zGzA?ur#zT<+-&<yf6uD!xnd%OR65BVF@G5<2B)Vdzbv|u)38!Tck4HDj_qH{IWB;X zl5L$X9~f&UVAiqTkMNqbHD*`3@Mii$%68Msalrcz$ny|-N<(xGkB!CQk}5aZ*lo*m z6&`l#$~j{NJwHBG{>bIhvwvxD=_)i)N|enMh)r$nkETHxO%)2|5>#nfN!RQ9MRUEr z+l$?)aeFZ_R`8)x$xF(*P@~rhQ4->iuL|+t^<M)nXi%gwpC=04Rc+hV)VTf$E0?p` zGqWmRaFZalLmMDpt&SYNElN!;v#MRq)aZ?NdQqugO`YqF+P7EdXxphS+IFL3Ue(*p ztn%6a6T>aA^~($FnDB-v^ta{1O~P;?RhjzL<jk&xMo^d-)6?hrDX}WyIF*cmTh*zV zUL`pM+#WS3Q8ja|E#FjnP-azcCkNY(avEn;%}kA9Z}?IEz~x30S{G9w>9z5*pZGd@ zN?ut_*U1Sdb6<iw5EGuNi@iB*>jxtMKjPf|+7I8CC)oF_F=ZcHl7i20{-uW0Np1tP zb_T3$BTl=)uw1g?>)w6E^DHg3ONLXWT>cbJfnu~$wk%FjU?FvnGM<QBYYyg(`)=}3 z-V`j=YKT7m$)Ex_u6BiHydBh1S9{68Ak5Tx8<dYck*EB^v|gl`wks}!>jj7Mrl@Cv z^UEQwaeZ9vdM(vf=Q)_ewcMYFQ<wXzh24^7?Ga%}p+T8bG_%jt0&uQhMr)!lUnY1t z%827?lkrp&6<Rqo!WZJg;2Pn_KCF+VoW)rh3xk`QQ#dPUSJ2w&u<&6I4N~2{5h&yA zk0aj3(LEp(ijvHza~o%T=?en^CY!scTa$aOaNFToj++S7ReUoB1KC+o_D_$O_nFn_ z{%vf6?9fzp6#gv%50uD6;o|A7SGbEIkDt2TX6?pI!}O$EnXxf0Ht_(Qa7bVAfifuc zceS)(jd8S-bvO&HlAWHFg0F^hrv)(uS4P|@+fL7D*d3{XvnLnn>z;~PxM2)8nk?gi z@nXq%_!0e+N>Ti@NcmBUOb-g{hKp`}_*F+2rdJ*9?LS30ZHAhBOa)=WWbcB>-hV3K z2b0#mV{NI#?J{_5at`Wf>IH+Rh;VZ+AI|b#_}Lq#i22rqqo#Ku9nVdxm~oLPy(hM( z4nR2?rn)G{@6){hnN^nFB*L-9Gba(sk@>l>8|HX^P#4Vcpe*@&!W@|#%(1M{g*i3^ zaI>23Hs!3YppJ#mr~3Z^brh(n0m@J(YZ20s`9F}3P?1+nzcN(1_ZXNaN}BlvtF&CO z<M+Zm*zuHF%SI?srz#0;@+bm3PSs5p?V#3wD5ReCZRdE$Hhh!G_)1<q&ABQDf0mV) z@lICx$QSxSR#TH_5$f@qH}EHpdJLI868-`VP7M=_!TF-hT}{dOdM#bo;(DsV8@$3> z3|fKv@*Tb|OZ|aB&2XzBWt0qusopZED3;;+iVoE|b()_3b%KvolqT%#(Xk%wA82_U zS;+H*$c#?bX>Oa4>nm0ZfA)w+40pAhY>+ys?;=N{k{WV+SK|>}cXpZ}g#-0eW2)ix zV4|xgMovx9BDH&abe<G+O4$m0)5(OD3ixo1mGcrdr<7eh6ittT3o<aJS35h!)~#1l zApwr2%!#~#JzA?}^>Y#_=Ti}Ni`%ml6;RswE)d8&o9KwTN#6KfTv#D?WjSl3jNPhk zKI9gqA83O@aKWGrYUXk!YG<0@az$nzdSH4}MQCo2i9X2<%E8%{GuihlJGvaVn%L(; z)VXjJc)VrOdwvw@1w6;%f<csH5p|wC0XHedLQh>^8K(pbHlP6RDq5kMGs|^*bf18h z{-+&&xgJVop_(vA%B~P5YIx4&Y<gM3F<&hPS$6Yr?kd_KjGsY;ksV)^G$?=vcnhl3 z-&1jEw*(J)3gGX9)~e}&sKtXp@c9xHY%51Yejm#AV+!Hta2*^zpazaFkYQ$FyP9nt zsoNhJco&}z(lV79<r4`$^a$0QkV*aFjSz#+&|3^jTCzBdhg{z5%)(XdRUaV}Hw<#~ z94|l{sDd*qQb(PT&$SWu97EY-*M$|~khtn>r-}l(tngiWYT_^|pL~f>70iWNrYQlx z6{Oib!B0$<k%VI3cnU?dqzQgdf(3XlD}_T1E%R?)^E-yO&GQB(7Yt-xjomJIy;`nQ zJnQ9)rp7GlGES&rd|+%}Ej?is;R(W%gK#2I?tnKa`EQYWCgSM!;}yi0IGgO(%%tJG z=t-O67Jz?|3W0OzLd%RfMqIZH@-+j{O3_WUVBzN2O5y4X@zk>klpczH++B6Rs<o)y z!)T@Qck9lE31_%A>&>zCT4q*%3S@m28JXwLeio^w>b9x2LUjJfT<sA0tP<y(P0x;U z!9MYfNbhu0k4P5P3Pl6Zxz3j}Q&$UZgDKir7Os-crVF+TL*rug1-TJg9Ji8|KWaa= zfb7J<DD~0ZVMT0}zq@o%qho(jtMk<TchnUlGfkHB=?0vSGK^OmU}SJ0oTO0Q%{n+m zso}Y%FP$OYJB(-^jp?S5K~dV`fnU^Fcwn^fXn*+orZiMShv4la{<)gJyw7vGakiiN znyCd`A2b0{Pb=v>!`XToe_=|H`v@d;?w4GL`4@GCYF#lg;Uo(y$VY%X(Gq#WFH}1; zf1k*;Kxhspsgt4j<v6$}XyEQD_JQC%If#!l5;l3l_?cicgVEIA()_hFhdWgBhF<K+ zN*;PSd6JgdJV5z9(q%Zb<hd7QN~b1P>(Z4TIJvF>{yD}5r=EJ$s@b_S8y%xmjKJab z6`^B=;!KXLcOLH@xfR~=yB6S|{M0ZKrG<2A0@gIX!1jvK)JZy8hz9IdR$J%-)yQb& ziGm0(O0s`yoEAuFVM~|2=dJ3iW~P@!?O*$HgKxiCX}dhUkTwhM#>v(Q2K&cSJtY^` zar#|-;~z5y3Cx~8Ku^^>Z);Y)BmU<MGWTNX>}a(0IMWV&F?{@=JsM0bZl?ITFyj~| z2H|0)OxhoW-u(*T^!Ns$-l18%9Y(@Pjq9WBP_3GmPi2Gqap=g~hw|e)gye-<_DtXq z>P4$WV{lKOD~}tUa-q0pVb0K7t=j(HIZ3fi3E+`sRKO(lZfjoLRGSUfFzzaqhIww^ zxf`jn(vf$$xqW7XQ*q`2$*P;AEqFBb$R%C*sZ?zJCsSN^+X438^8pU~9MY>+%@hud zrlySU>U#E_+OA~-y~Wnc`Bc6(>iRq#d`erw;6_*wOXpk~J9=&pqSeL1x(zss-)_z} z8OFq0LyeiHD<f|F>Zynuzaq=-P9=9&hWN1qKTBRpqHy|dQNrO|7gMUNM8v7jB0LB3 zr-{6r8rcgMMNgk-Qigv!VK$CwoP&k}tCFr@`rN}<AcrB%L%S!Jes-<^qgWB4JQ>1} zQkl$DI#L$xKkENz3E%gCmhgwT7}5uVu!>0|T@0y0g5i>QH5#TC4>Avz6jsP)Sj2{T ziTT%xtWKc1J1>gDT#+3n!BNs=N)|0Pj&c*$rb=#8tl4rmTjK=6QyBYQpyE4J0g|AK zRC>3h|KBa({cb@L^bpBbQG`=GtjKdf_EnCwHP_?am2Uwr9wR`{4)8d4!hfh5ov)1I zyV{4FH7JTx+2Q$eJDtRtFx{Ml5%>enY2hCDCV@-m1qSAeiIW+YPIF}Q5)O8vZ*xQ_ z-x_No%D{}X+QZ|!c8<+XC{FeQF-Kq2JD+02C%K5rsDPiaqb^Jd|CFoSvlv~JRL0sQ z^&;p~fBqStg&W3NGfM!Go&1fU5HECw2EfHq7hT{st%^+xQ@L>$6uKtVXElC<m}rNq zA>Br2hcxRgk_x$+<FptELE)BKo5D+u*O<veDtJ&gw;*`3_Pbs6#%#kaB<<#|P{A?E zTamUX1#N?i|EEtsrdYpxOmR$jr%;$(EKeyRpMGR%Wr`KKysRlDFt(K4hEtKlOO7=w z>R*$k+TtlQeY=kw{83cAIa5Lo{w5tA{F4ghV@pHdM2fTBysYUZ`Q}w6=-_WI9mD>v zuyV8@qdbBzuH@}v8wJ&9S#G9oqfbT!Dpi1!cf6YXM8wZiV6POCX2`sA@C>=1__7}) zQ4$x*$&{U$&8TPrK><nGg#sp4Kv0o=;Q;&+OE4LAYx0+vE;V~$VnqQAEnDwoo2(<e zdgn?#fpWGuc$<{3UZAh{`Bu}A5~ONgtit1xBs>LZANC^q@b6*QJ~Tym1L}l?A70Vk zA#O#_>IEp5j3vBTX)2qM;0JVPzCaB;uxf>BQ}^3mK{b1NpDM@vQt>ix<Qsp9Q7yve z+8Im;1&4V-E>AK|)SU}@xvtE9WdnR36!RS+?&-n<?(tXSTCRZ)H5qQ}MMa)06x`O2 z<?x20z%Bm#GQ9vz@rOKP;Euws5W}_cG*p+b8i_B0DyeJ;cEuQo>X1&_^$}j%V3V{_ zHNT^}{y{3#X6=y=Mq;&0R|SsMs(Dy3>*}c)4@>^Zo*ry#Litjo68TQrjb`d!MQ~vA zMZ)TwCyKf|s&=z=&^tONmf$W_s>p_+@%~g;*nWRNK%5c|m$<mix{59Au*A?*Hv2E1 zlM5r*eihb+6j<o?C4xg0LJSrYXv$&q9JY3xCuf&l;;Duov@-C-R%nhVra2!GZYL$I zB<|R{sO$>_NBG@xeFP|vK;y|1J4Ad#NTiZe6JQ5jmEwu56TYnUz0Tyqs(i-RS0Oi0 zx<Va5CHv9^wOrA+qI&!))E+mRrh(>+)3{0{D6%`tl{y=FVvWKrBE7{c2Jm<ORp?aV z10wblcJIPEUxj$7y<|grORw%Ow)R(?*fIhYinFK=29<k-o8%m}I+XH9l?hO0oJ{Y8 z(0sc%M%k)^od#!&pJ(6Xjn`3$8eu|csMC;MHzv;0a1vpT-q`O1pl8zRJcaqDko(yO z)p>gU0C>*hc2BsE@XatB<>#Y8KW+yz_!3v^#`RKvH+R)-4)t0*E*#-O!>tJ)WDT@R z{qb`F*eG2!4|k%S=X^oIgT`m54?O1^2%Y$?uf27;xhwPt0kux?R6On##@bq{Af_yg zL`Ly`@4G_xQOaM+*e}8dzB1|C0?0HJz_8R>ac*xY6#;%R++r0I8kV4-q5@BoI1<@t z^O685il;Q%&!bbYy>B!v>FCRr!LJdt*Zix64Shszh)S#ca7OGL+{YVFa|^UR(I;UU zJ1aHkaw`5*o<keA;_O~7QN~9ZeC4dk#WcH3&gY^@!JF2zXVg|vB=g-YrAw|9J~~ni zABo1NSJ;;oe;MgQjr4%~(RaGPi0V|B!fR-P1?#w5{H4A@*mYPpc>>-Zpy#oWUIo>S zwjp@?;*2cdMS`w_e376>9r3NA18M}d5Ub00K07X7LJdDRH=5bqQWXpj%g`^*Yvwr< zc;p|BLMyX-F3&4;+n60c9^P5t76G+jHS6aOjVD~Ot1CCJQ}(dXXaiBQ|5nno(C_af zfC`9ilD6jR>=pP4k`%Tzz$4K(uMRn}cBOFXNU^?_7qR##;8w|dFFFwZ77C-NsB1LR zTN9MGcOwzB&?s;o3I3rI(7i>J2xU7{4yE}WbFS|NJ3MZVK(6aDTvSrS8Q1r!E40*! zww``G>1RK*S2?LhoJI8tr?ss?G4X|mk~TO!Cq<=@hE}+u;$C&VX3RJu-z)hS1+K1h z1x0_J;*m((t0w2`hN#KwJZ`CHSu+l857+k!jSch0g!$s0DY=nXe$ChWru_D_xyLP~ zD1i)XW9_Q-R%^mZpC09IMQOb_cfM=b3IDS5F=;CEyiBng?S^HFi%YHT(K}ljpupYL z8&zYM*qFA!ujk;c4mEjNf5wY8$!hY^qmoW4HF%_}H*y_-?xRz{jR>x0U;0>AJf|^f zmM9Oa$xF*&qw1Hg2!sx-5RZ0IRVM`eJz02Lgm8+z;_sqpgiBVahHzxmK71%O3+Sp4 zoUi_E$La`NOk3r}yz%-mLq#ptqwMPzcAl4401uaRG*ifnc%62xlKlEeuI6hkd$AFZ zJS3!s$5YweA%Z>zqkLVVqH*SiXsE~bn`ag2>&~8U;Rc7BQ-6(U*=NF36hrtx7iYC9 z!Ej`Hkcfkh3phV}ZeixxbG^$q2)i#-liLQsy=PAL-hCDve?m5H8N(SGJ*j~be2StX zydeiTPilva8$@`#-H%eM5<jcO87wj-4>@0WK^Np)d_nn)i^KwRhtO^vfH|LXj*B@T zet~!FMP->yA`G!|nDZH)Zp>L*;bP9Gd*MM@mYB%im%Cx-Yz}sQuEK?#H~C<kkzl9D z(e%{`jynH7<o`vm6VE4$ZGs%rv;Plvon;PQmasDeV$>0o&5$Z>7j-_TG><xe6{-<O zD2bFafaPK5E{>ge7Hf2}E9DqG>s!N-=Lv;n@L=^yA$S^YhJ;X4_|Gz7&c@;`-oGCK zKQF#hxKL>(!1%ERE~|Qd-FnTux0V*}-hdJ~i@Jh(7GEO0<mE7Pyf{o4vu+)G^n<GX zk3*u)g(tz0K7Z8tJ9#vrn<c8_=GhSt?qg7=O@?C%7~TP|_MJNKh%{VZu}U*5`gY|! z5w83c^Yx&l5zTs&#Nos=90MOw>96XI!ZjD=614`Sad61+&?ZSU{9DCts48V&R-xyx z=2h&Wa98f`Mt-TjV+l*-j(#$}LNm9Y=e884%Cb(iz^f=9RWT4$6oJP<4Ngq`D%jx3 zfZeNIHJ{pm!%|V&70$_*@5wPeROjlcEWo(T>~ynKhN3#&%OZ{0hK(LdoFav|)AKHm zGG~q|<&f2tk%oLENBE=`jAP^6<-aJpLQM}Tj;54Dd1lo&L&d3`lr1$g$c`n7B(I~M zcl%!%D~?O^cEqmRzd^NLKAe@wJxYuEz?Ho|XcQhBs-->0aU+fLrv7TStM(c{8hV_* ztmxLvAZ_IOQjyTy>Vk{pCCO^O?V5N%5ixM<C8Re=55;ngRE5Y{@nrJw-Z?)vmh2+( zq#7E#&EXuG=c4FF_WV-Vre?^HR;`CJ><!+lUU=FcK8VC4?rEYj*{b#Z@UHfdo2fEn z`uN+ri>Xg-5Z}5a$7pl9^5(Xv=9t5h>6F#W$BD~_#5&06c1R%hOuCO3)oSMO;o_D) zc<A1VXu~I++lj=W6kEFkaQA6?SEJ`E7Qr0d1%<8atMugNp?)|mLILcpaC3x*v|G?_ zFpT@90370Xz1?<yf0)-^0Jkkz8@HM|522D8;$7!K<Dw%_-suzD<}Ev+4Sp45w<ONZ z47aIdv&FgcX?vQ02g;)Te-#Sa_6h&fA^uI!FaJ%5iD3r+7QM+-va^~|CFx&8a)^b$ ziSRqG8*Oo7O3KRqi{TNX`dFOQp3bDJ1#*jjVdxfr#mFrl?nk%ybWyI5{4+#0Qt%!t z2seqs5RuhLUQ;3mSrsR72f0y1|9G@C2F8g@GoBQ*rK4R)=TNEA^SKbuIt`SzocKQ| zN;d|&DM}xX^jMX~;Ue#-b%^NKGlz)L;Y7wS4k#l$-A?v>%sW%&^#ENzTYo|mE$(P* z3i{SETPP>ePKk7|pFKedfPzAPg2EB8#U2=|6v?uj$Rte<RSDELe$Oo2s1m0$_=3rf z)#M!ERlb%82YQjo{yh?{w_Qv<$OS)r5?W)9d6x)pp;q?!cqSAv*mBNyHdr-`yxoL9 znX#>bUid~Dtv~;bv><eo(r7pJaLE0*aGdZ!_NfONWFJ)(Jl`TPBb~PQvtH4{rcf99 z^|oK%!%J^hhY0<8+3#QCG;uGXo<WeZBJkZ=$uL^kp*oS%WC`K@o(;@_V3(o<@eiWh zh__1OUGSH<&aF3X9n7zShjS3vCJ%-78!dB_^hh%rIMyXfsHa<;>jXa$|CBX8meA`W z$9yYGYc4<VDzr~C$trK&v8GajDeFlU26+x{kMRb5?C#2a#1k{gYeG8jHG4wThU)`; zm)PVMJJ!EF93Q?uAWB#HU~@!5CwdHg=L_Q}6<|we{~17^nnx0OjdHjFt>*WA%|1?J zs)JYEzRXmn)3MH#Iec{}r#3yJTh(r$aW?1mWG-+E2ak3`L$Fk-ktX*7rQ+(<E{<aE zXMVgdgP_R5kaCEhC@eOou(UwG7{gO}UQ%XiL07?*SlN2V&Q(LryWdm02~Ja^oZyts z-r=@C8xoXZccgue%li1Hijt?<N5zSheVcet{Pzf+oMKJH^RlU@ye<Q|@W579e<-_> z6m~~)Z7@1q(o$Lp#nJ~QnowcJbn-JQF!e;9=9H(l;h!=_iSmGz%rx-IQ(m&`Q|7mo z2V*j5AE)u}JuBzy$-~uZF6~dR;uWbJySWc{%?@t7T@$Naj8gyy_`Tu>Rf`p&qz@j{ zbi2=RR391C;M5YaCf1?atccxF!lQrPwZq1srmlu*s+><Yb?n>RfqpT>_%twb5+8ke z$G#um)k`6l!n8m1sPIUFGOB`XTRB_mSK`6QeqQ)tf9O8K8`2Myz(%Evc*|wU0;tNY z?d>#i^0JqL;qO|m|DH@PftI3f|6NOw|6Y~Oge%~vrWn-v0-%e$dc%E1LAE2zwxXlm zfIE#sq?cx;qTI9p+%H3uwwl1`R2P%zsn|KW8e2A0)b&-J_sSDa>Io6<@c0L$tS&0i z#loE_Jv#(+?%uzYJ}{!R#^V-rxXBZSrCKeTBSYZfffL~Ip(~c~{Ki!JE1moJuMgBx zc|K9j$)_p~PYK=!6!P@BQ)4!Gc$jIl4A0jV5MkMI@?Fe{RCHK<H>n6ecu&yGlT~~T zEXSv8jCZIGS{!>(2A%6aaNZZ@>!YTwt9X{`qTXNI)1+y}37V9`oQg;0&jn+78_@R? z?7uYnN>3TV`J4ZWQ2C86(C}Z8bBGw1+1}U{XljhFa7ma>YPOG?D5!gL<$I|()a^od zaVWOoutdf}b>AIyqViB$>Y5;rCtVvI(8CbzGZf`tKInu~aJpOZzR<Ngy4Vl|6*=jt zYFGH0Y!!-LFN>ZWx06kWMN>x|K|x&2acnK~wnv%cr=n0!E{MG>I+6_f^n<D!!Cn^K zU|HD)cTCQ6lO~r%d6DLfbN8rR0J~jHKXZ6A{m7BIl+4tRLe4>dWk}vZ&!uECV|-)U zIkv2;dz<F;nojjN|8WcnkIy39rq9eKmwc!2iK97Enp=x!4;Fu&06n_<CR5@=6T6Cf zw)XALlN0Q|R2(R$VrtCPe<}I2OSsI`vttH7$v*c-+=jlmvNPs`Sv{9v$?MWkxF#rE zHzM4lKEu%whJQ9xXV$1_W@AgPKm#xB^_}kkw)ok+gpb{fLub#gOy$R}&w!q36EK3e zUTW7;&rH%X8{J-<)6_h5wi-rpsYF%joy=0an-#~ybhQs^o`G<QXEb>u8`MOugU<@p znD2|Gzo{lKL`}`?klq=kJQoR-hdGV1yN3@i;nY|N>-_m1KI_%g+ojS0I_N##+ZT3A z@75%p(+}hLTGasYheZeAYXT=`eysM&<2bp5n+ms^udgu-dnP4NTcHZb)H!g5$L-g0 zL99KVY5J`QmMP(ebOUeWlZV}0IERPmKC0t`Tv4)0O?})aazHcRM&WM}Ev-a)pvSzS zuXh9*WvPo|%E4Izgu~^s1a!k~xVTx^b*Prw$qOY4yC#Y`C+BIuxZsE$^Nq?Wre9p# zm7AOY@}5cJClh-#@mVp4vkRTWBV94Jd<&oF8*Aa3&|uJtI_PV+Ea20C)K%W;%&Dwq zvmulEF2HNS34O+D$zyDOs#^|@YJ+8{0*4z^>kyU?5no!urwxVF+&s!hdFxYiAD1Ph z3)22gcsS6rO5zPR4u1lEZQdSFyQK~xn)&X0c<YS9$cL&oM{SrfW(hA~*dv4HxbSM$ zZ!|lg2=botAY6<dcBG_Qn3)w%4t3Qsym%5Xg`9cxn0y_gFG~-oL(~>#^U5JIRKmS! zUFkKyHuqK2tSpf-&bA4D&X*v1@i4BZ@CBY)L$wR>#Q$A(=n|+^oztSxjK7(e9r}EH z0X3RucPh*nK$@z>F&fgw`oUo}HELos{eji9=+LQZuILa-^mJ1RPpjEcyIxKI+Dw&j zf5~!A4@~aWDE!(C*|s<|74!Cn!n&C`Ji5lpUersuIvBYi+`U}%)Fne*P-eG;%kH8J zBTsq`EJPGs@1YL%&1fEEY)C^z6{@<jW;U5OA7I;*&{*iPTsDH++XHn~|CMpLG%Q1J zZA~mY@#tKr<%~a;*2_-BbMidD4&l7H;@^t+%>Q}5c;wWB?KJTpN8sWq%lEp2w@dPQ z4DgZKA8v^hP~l`X{XxHIYTcjt)W0QXt@Wr)q@}K#4Y|@p!bOx~82UpU#F7o-EmL#l zk~@U=M`~t(%6=$9TWjdM0GF5x%KD?dRsh@76{>mFq-gr0sa&U}AtUyiflA43N=hY) zZj3VcD#WGTNh5i$%5CahINi5I4{Tl^3Lj9XDEn>it_D@FC-bp|EBcEj^&bfJ4{Pby z2aCA@)tUIb+frgqtgDy#*f8~IIfQuAnK#w@TX-;fnG%UvKN>wrF}aph!kid8F~G?P zZ>kq{x2x>Ynov)n)5Sp;G*wJo(HGBkD^?1R4H9p1au`h74K-Yn6Hr_5P)6J7j`P>W z?P|7Sx#YraG2>opV;;b-d+w6-rLW#C_=i=(F(|E8dZ_k<>H1*L3fBcuL&M8eBXdP5 z8inO1{=w~3_;vA0;jV@7e7}H}9x;v-B@sP|S3ojPE2`Dfe?AnRuNjX+v{IP9SnOC% zO$r;$^mY#!Kab=)mkHxCaWiWk&PCl04^@C4$XgY-P0M;sZ0$V0YSkLwHc1cz%jexU z>ib1=kNs}n{HuE}<p1qmK6B5gU1v_e<k`zky>$C``<Ksr>!ia^{jlhh6z)E|fB7-n zPtq2(7JZ!m#?#;JUEb2S{`>h??)jUxsKq_DZ13{9{Wkt>^YsT_{>rzO?LGDSdtbOL zfB9!GTV09AHou=4wd>rgyT036^hy3wy%+AsQ~t|O($=-bctbPaT)3<IdUVh3Bjk5; zzp?4hb;pf8YeD`GbZq~p^26iqlpgf`+jp<;pMm>)=lIw9_9~AmpZUK{Bnp40K4VRP z=-n=@tU7Vwu^p{T7cO2jwXLHQKdPEmR@Do4RW((ix6qKRS~Wlwu31^tId=iascMAR z7cN@b)^Sqn33!UtSu3nOVnur!ZZ8nNEvgz&)zP-JW5w{Lc)(1WMt#z$Po|GBjV3Ei zWSo?hoK`C|E?ZPBNYvLoZJE_Vd*{;Dj-_q$>V#_+Ej!_a0aduav{U$S<tn^hduvDQ ziJf@4i10(-#mg79bsRPi_l{pUr*%<llQYMh*Jh-$^=3Nb)bp&l*0#*tdLxr+HL_M} zj**^+7x_eB^9BFy!tKc>$7pf^k8_1PTbC|vJF$H!UOl-{P?w!5teJa4>%tQkE;=^G zeh+lC&2Q^yTQs)~|2}=@fU0Hf^IGvPTUrB5B-cNaO-~bM&RyKmHvUrfr>aat5?|MV zs-?#=ww;-)68-nGZ=-FC=Cv=zH}*e3yC!3>Fx0qQ{+^lrQpq3K#HK3z2CNqR!ut$$ zm}dzmXr-MGY0pbd&@#5+=BIQBA55?6Y@55RW8u;jQx>1F>?I*lHS;VcC&WlALuIXZ zrbUj?6|fwM#bk{$s>X?9T%_@5!8=YQtWF#!a;WZbv1&GXR7uOl>b{5niPhmu>1=sZ zYBW9^BKHL9C?%edI@F=|BBr1tmqY4U*wcdz(~Z&<d2=XTRVF2gxE<?8>7sKF^}rM~ zF9@ic;>`nf&EE3Gc$--xCCi5&1k-s7lmEYgbTs=?mcvmxBCzIgx_!!7gwYKNpk^v% zT6PeF@0BiiPR$gDph1lE1n8PVJpsBkyrFY8naN1pjVq4G9GJt6K5K1G+DJPOdm$(* z6SMe^Y;=s!C$1B{-H062qd)OsFsWvArf2rCbPp&_9+~-Lvg3hZ9EDSoStGrb!i#ss zt?YFg$@kky9j*>*#%a0E<LoO<>H_FCi<B<rwr*QBG|hXDlRBU3m;9rY?&>v(Y?5F1 zUc!2Eg?H`rKh=VK!5TcAp6BnXn`?2@K3}s2XK&`QLT;O1A6R^Zm2K+5YD*g%3;$3) zZ*wFLTSIaWD(7b6vSpK5N^}3Y(1v8BPu$83E>EOvj`~riJmcWSd4Xo%st|-#0`?yz zr~dv@o`Caixme;?7J4|*`}Y_es-$^ARl-Z{&oxSCf3z{xa9b!Lu{i9kyn2bvVb@H( zMqbnsVtV0Y{xz(;Ermw-d09Im(!5>B;FAIhfJHNJc)PeXPn2`g)&bVV3bhN&^Tc>J z?5y)u$nA!`Cb7b?n+(^)pze$5RG)$an;el1VSXl4U+i3GjdqloB!<~Z49;Y-^cN;g z5MVmXMHPY~ZoA~q<pLbVO3&xuWY)?a#d?7);ViYKMHkqV-Gq;pdQG5%TGp20=}fht z*ivYzNDr!aj+Hu!jj=Acf0z`<r%h%o%4j{T2X8XpW#A9gNisM;m8ptS^<w;~tnFOJ z91gm;6Y6&6tufNPrcO@?`Au(gjxU)pa}5S{>s=<$%$n@U6DIM`SxPsN7W@8Rvg;Rr zqw)M83NkGAaqjA&0XRP3QL_*D6RA{8;lKsHdc2dHrF>xwvSBD_czmFCPL{ma?BpO+ zDZJe>PftpZ3{e<QHMe`%mDFo%H_<TkCq9xa7#ZoiCQFIOskC*J4|?`o&T%ms4ZGD( zwVx?BF7;K2S9sP<ip1{;kq@+ZwJSnWLxLgQ{5sU#b*VgDLuHo!qb-J2Q9oSb_mQ;0 zq`hOTD8bj}yKURHt+Q?0wr$(CZQHi(eYS1ebN=t0o5?$w`(<v@m0q26rz)vmJ^i6p ztw&4Jj2)~TizTIK#u!gk+^Ja%ei4UWSiuQK*@Oqp0x~IU4e8`ctcIYBBN4QmV{~-1 z{?$XJ)2^_d#hUH#nE8=#XT|ZTK0SOh<UkD1URZ)#vwD(D@8!_7`p*U<*BVuDoYBu- z+%$VNMC^jQuG*>xIY=Fd*d@O2e%oG1y+iLz)8-Op2ZMMI@gimyM}9X_F$h*Ba$o*E z)zo3oF8Y2LD^5zPPqjOMnS0+6ZNY;rqg~vCZ5JsV?oDbUvO)mIxfg{Uj{uM4)ALRv z<6V3iL%YC5J*OGVb3@>yfFPu%UO<_0ysx|bW#r)(POS=a2?Zi;!qyZM#TX-3X*&9k zjG5N_DM|{4%JJ9yP?Eum6c$E-=~m0r@|bU%{1)R#)rQUca5{R4zuzD9);O=gJ3|b$ zh(1v{o>?n}$D=CmVU?CJl*Ui-cyPWKh&Zo@3APF3g&LmjC*yrIk+z#9B705wWV(bs zZ;=N+vH^|UfGZGvWaC>%fHI2VClZ_E>9~1398fkE^jE|ercA%3``5>iio6$u^O{s# zA=rJU`O@luGR)Ji7RqO2IddUq#9qY7+0(~AmmIqgJ$oJw-=J*tkm-}f3c1|$iAP6D z57>yWxe85ok`dL&`t3<?yUmY%;ihI&5n>bOR@{QEqmNsw2(?N3m>RlPe`L0dJt92u zrQURno#T^2luNnKl0vvLX+2N99%$6ybZI?zlcHi?jp=${Cb?KCWpRm}<#HZ-?x>TP z!B|QB$-6r_q~hnE`%TP4<NJH3S%q9Z^{d*1w?Z=6Y<lQUb%wCAhF_$lb(4yTJ}JbZ zHR4W2lD}>dPM2+D*N(AvMoH71lkwqYi9Nm8TB6Q_BhI~KpVS#RmdS0ih=C)b2b7e1 zSY1CvB3{KV=qmY0hrdM?8_%uZ0MNW@ZLHP&K7SY4(Y7U)2PTZ&bi1ZF#5`zVo+9ad zFWETBJid72xyk(M8BK~)bWxV3mS(rf^1@(5c)k?~62_3j71A8c=n;t*&o_yA2DAcU znzD+`g2#lcQ`z-)VfvDEiVjexNIDRh7J$+^b0adHIL>LGjrIYLC(EN~8j6DtG9R}^ zvRhguxzgs0?@V4HwR!){Nf7=?ePz{o_XeFb(~V=zY2NJC=B*Myj~I74E>~b%(DCR+ zx~QsKz*!Ci)-M~gVP__JyF-csaUP|BSDcPF)(ZWInYj;h72`;;6_1}>Jv-k<)cIS` zAFCTxAp1JRH~FpbNIDt|_wca0p_oD9lHnU)tSc-0EOFe}c9k#v1pbs={*x73_!0Jo z@e-656Ct1=;zsuI>Y&EkSDP<gs$DF++FkwDZ~Sz&)dQ)nC-{Kr8?n-KtI)6DIxe=) z1o3IyUT(f3u8l3LMlhi^pOffoTJHy4rr#D?0Y))37B5a>+T`|jSIiVie12*6Qk(H_ zlR<Dk1VKCGXVwoxIf_Yx;0tO)@oyTPeTzEVdHYc?G`y>4FIm~CDA>?2MNepCcNKHI zb`J4l?W`CP4kg_3U19sr-K5x$9uPULs#~i!fA0)NBD+{;uT0RH-XYOyXh>7JK=LV8 zvTc$DLQm4sUWj6jO?)}0YOaX5LBklf$ms>6f|h4Bwe`tqunb>?)_StLhnhtpSL~x= z0&2%N@Cv7b(sg8J0p5H^xy7{NBJ`D-<8|>XH3{kqwGeZvPt%c5f>7eTcn2t?o$IAy zqH*{K#fwOMT5gBNB0K{0^2BSdwpoa6147Oxxop6dh5%`n$Oiv6>K3R>3qn$RG3-vN zWU6wA4#CM}IR+=CgGzjHu$D^_`y9!D;A5GXQQ@vPPo$9~`oj*EBA0Z<I~S&TyFsT3 z@e*AGwcb{9nSiN4%$*X(jKB5A6oFeeoBNSB;6bmHb`{$MHQFS1^J)zJ%f8{QnxWTi z@p4M@y=i*hNve=v_+Pm!*o|r4lsth2En>CfWJ}fdj*+5rV*6%WH|y&=<iA|0uB&ZS zf?iXDBIGT(^$bdH;!;+hgQ<s`s?J!Kd660pr^C<r+?YYK0s*rWf7wY$8rg-z)g+LJ zZG5Szn!XbRNNjn60xzN$59Izh=weR*GFPV3>HhT;B+TM~hbN(r8n6>d62oxcT|*sM zJtNpR10)MMT<9&O@KZRuN8wZ8vopACh(dFt)8S})Oe6XR*TR7;g8~$f(pXnQ2_ha| z*G#k6U~B7s8{}SV{LU)eD<QSCG+qG3oZ|Gi@d!F<q+N>~0k%Z|K8<8x%iH&h1@S}r zv+vR&{ySCaAA-$lSOt%lY9fKM@lUp-t)<opp*tIdVx<m2G4LP<Ei(q7HNUZ%C^Lo^ z#QClQoV-o!E42&t94ftu8fbUN-dT1{v~J7<BVdq^&9~UdCWV@09Sd=m9GVn6wf!3m zAufzRvgvb*E^Ok|=mIaPtXQl3I&5#F-&mdW<eBkl2ZBNhPP<1=8UoEq!Vl^akwDk~ zP<c(kNA)D{7Mc9vwr|iT!=)R{S^#RVa};sFQdxr2Se^c)I!wJci*rm(V}KhNl~Rr| z&K&0jiglLvQ&iO#s-r?|gB}s%CWyc}A4ghrXlm2sS79N5Q3Efh!Mmzj4um>}RM==O z4q!_2OxdZfi_4N>za$D{Eq=uOY6+*u$fI}Xzf{y{x^L1mE)i?*7G}PE9z1OK_2Fep zn3`hs2;j^CF$E0L!bDHU4$1D{BFyji&OQb)ZGwnvDs6GKeUKAMO8&+tdh`q>a^jAh zKD|wlH|CucH?CBXi@K{1X4*QMTASY4ZjlRIVw&gh#c&z-9Ys@ES{_Kk!4~^fVh8f= zAP3LUzBzXS>;x{)U{<ZwVNB7V!zf2i?xA^$)i%o_@w~lrHXl`KY<+@*Pit@U5<j@u zsPmfa7E1p8`$Na&){ag_!K!_PcN)?l8DWoU<$CAqIGnaoyjD{UUBZH0o{HuftSufK zyshuIL$cWD#r^&v%No3jpl89x>&Rr`vZ0pK023!T6=S*-P=b=FP+7WwLKMoe0JZaY zjD^tLn%_TTdguE@e)H5KEGo{uKhdaVOjj+1l3{4rR-})TVv12o<`95WdcIL$i8Jel ze4{C^sD9ov4Gzue@l41DwI@GPvv{Pc#WyR&ol5JjN3vD<{m%g>b3R={@8I4_wM9=V z1uS_Dr~sZPTU7P>^joRPR5NH$AJbdG9SKM62%Pxj6js?ztvtYzC<{xAAIjTw!B8!r z4dtC<!bD>M>5Vk;ib+wC)Q>@tDXFA8!LgX;l#*T!JjmJsaT6nCL<FfDUnX8~l8xj# zcv-~jU9#k*nvc>jt;10)zHfR;9U+&F+=N+XaKO+6^doF)2+cPA)C>Z1qF8Ya)W=-{ znAMl+i1_Q64nF2t<gFB%YP3o5?k0YZDo(;&dexnKSjJX{=F(B1%`=?!tg#)=UNFcy zH|$}L4ERPl=}DF@#_7ro4{lOKppe3vI=^})ee;_LeWS?2Rkb~1t%B%o7-uM|py0l@ zb7A^qFTP@uQyG}k;yKD$rsb$3TI@ktWa_F&QRV#sCT1d(gTzzOnNqkIJFB<=*+U<I z4ARG-IGj4(&2ZYdQ3mGK0a44?-)xa>XHT5boown;b7?r%&?qyC0-yLISu?dIOu`<f zbDR=W%|Ox?vG40vhN5JSGGbUK7!=8yet{@EJZj#dHFAsTP4~l(@K2e?mTz*(=&P;j zgDw2?c+}>qyd2ZDywz-4I#X=uiij&+>ceaSx}0?(xl|!YE6tO%lL=|(hr(<_d9P8X zRKblU-yAjZf`x6tgxQtJ>!Y|A)mlM1g$esR`=jvfXGu&GB(8YLcJdnHS&}gjo^G)* zeOLPe3*EgkVr&y{I|er)pLXpVYZ+I$$xUj7A=?7B1km^v=NqScJgv7egvh53pobR+ z3;Xz=Vcql7*@2RR?D#(VV8NdihB?EPpq)Nyd&hXsF|tOGcfaCf2bxo}kx;e48z%2! zFHF-oH24=(yzqW%fsD0UPcVDt2CU=eh`NAD!(JpB`}=IQz>{|zx+!Bt8C^Z3yuyj8 zc`>^OQAra!c#hL0g69lUOZ`<Y(Frx-^MLd5;OHL*fn)g`(fy116BLgwft*Juj&kG; zf&{G`SviWk)5{WWC>{A(J!q@F(>ny8xy>{1UO*r8vUX%O9Ed&lBp1`jNpi&_jM&B3 zeuvOPTW?J%rJUsQ?*Jm+t1y)k$aAv@U=C~+Ap1)4guS)}R4*Kx)9Zc*9HO35dl^>> zUDxuwzs)Z65?@-Y>KJE4OgtK^+pMOUM8}e4)`=%DWACPT`-f9R5FMSA)b_FVuYYNC zfJpc0j4*SIzVP8-KjuMdtq66juFbe^`(;d&<`r#6>9bY_<_FjunJ1AyD;jm29SS3h zNM!)u+K39+LZ}mTu%hqGAVkn>s}S(%xz>5{B8_sZG6Xl=GOj8d_<qtec)KOTuTF5s zJ(Hy^$i{s1n&E0+(f8DbBhD!4Y*3{EMIl5|Mj`eyZ$$hW=GQlvgi(g^F`fuJjFBG_ zCrm?^cwZ~*M}Bj`2knp@HbDoc{`vTk0@)2_NprqJw`aYb@b5E)BHlc)%0}r_Q@y3Q z2h2D)p#*71=MxT^u}=1<JzTp#&(?EK)mS39^7O@5Td|=Bfg2<red1Q*6@#0^0wpNg zkMDje?d*Og1uAlg)Jl^{*|;e1NDIFwu)?V#zEW;e4f0NW>g5xNq*vDef`Q^j%q}aJ zWKzd3uhMCWltVJKeb=YC@o<E1^JLq<`WECWmji2eaUL0QZtI|9!+u5pq?hx`rg{1E z54X<##k89{z~z*cDB9P?FHc0Ptfx?nuhY}7eBsd~$`PRF`d5z}2$8goHdEWmiOoKd zf3yZ^?0jNV(ri&J*pp;N#~T1D_;FDpk+6B_5Q&ZtI>g{#`6+$TeONixY}5oN44+Oi zv_%=(vs7A!Fpw&bo=o?JiPJw4c=+O@QQ;ABL<Cv?%&Rg4@Xb^e73Y{G)uf=PtlpcM zu=>P<)zo?iYJPGdd3u?@?G;!GIIX@sJ!A3|)#UI(k`^}T2C(=#W8RpW=p(nJBRcI5 zWoK41PV&7LaLEFN0@NvnPWPA(KH%H8Wx~B*Et4aS6I=4UYlG9EN!O3rEOV}RoZxLG znR8P-SwE89jop|7=~SUS_a~n0nQU%VmHeV$X2@#1R{R-aEhhfD*D{rAc|<mL{J?s; z8cJZ9qT<F&c?=-wVzOsoiJ((uiwnnrOrtwcPNSobTrYbwX2_J9F>sHraf1dY8Pm+5 z2eBv84kl$j%_>b`ajvw8sz%ZQHOU617{-wX97aeLa(KZ9Au@q`3n3*>)?yxr%TqY% z0i+3kFqKM$Jp4|9bd*kkP$qXkK9qp7)MeM_)bSJ^5PlkQ#i+GT0bmLYp3A|^Sr(Qx zD1?>bItM=_r3!np4J}A<Mm$<{iIEmGZ3|(T78(80s0^3}a+|~X-P{s)(-xp-Nbp{t zs*h$wQqS_e#-Z%o&09+QP(7fqUEBo73Y&)KY5g<d`!QFyD=no(aV@-sgKVukSy5_w ziO>JV30sz8i%FGamvKME2@AG;u))+#g!z}$Ny6GGGFGNkk%;#!Zba;UXD*lkbNFoU zcC3sdAJlymQI9xKu#wy&5$Q~dym!eq`N(AA5|c4=?6Zdtb2&24@jc`RMzf3-8enye z2DS_ORaN0mGvbn5YnzNO{6;n8W~zf>)GZbbsODL2S-BR64aH5?&{%1&00q0%V5>Cg z_gI>&$}DT_gikfDwu~$MJ;Nb0Kp@^ovEl1Z*oo{18`5m>b+b^wL33zvEu}p~$Vxrm z#7@dBpNg`xu&47QT9F`sQX^PP=x1Lg)TWNcyOg}g{0_H%D|T|nn}l5P{Fb~2M8sY# z5aQLIHv=a~!HxBUtk1g%Y?n&DUKb!bWGG^L$AMDH%Ru7UIHxR6A}IA;qdXTpNVnSt z0}5YB_9ea8Q)u3NyLcyM;_*<BWa)@pM_-oTyx)zsxR0I(BPUvZPX>85-Inbrt|7az z3@s4&l^cB*we<NzwU@de(v#lYHs!Gm>||IadQjp7_PZged+y)oOmw>UhB~^2{Z|l) zS|chFj^2R7JoMnLAH4a24*^|A-%MM0&?9MIAYuz?FpT*q)SCe8&@d;b(B+r7<`aM0 z<(FPTtS&n=35v7J$~S0w1Eqqmk+S%C@po<gIiyuZ^#1nb=hM+{kzN8hv)QtdZDml~ zvybF;XG>N)4Alptcw{W5)q32RYq0u*sA=1D48+77^}d9QjfTP*f;c}_Ih{cIr2n5o z9wX`&8Si-HnLS1B<91f_d1RB^Yb!kamM>?YlkdMPY=*L3U!vG{%NKGJYF2#CLI8Wj zfsoU~ybL*F!=+|J#6jJBc@^dhbBez1nAQ=&U)n;cGU0M-)F$??o939T?VQA=0ZVM? zr$0nFzMHVXR1PX(LKJ$qUS%_{-ZNBpxa4b~N1eWMv>*dee|H{zIuS+>k_mYcRPR0# z89msDfD?4?@x>yf2*x#FFj%cZTz=gy!uxo2Ds=bOLs+f>1v1)x^==`Nr1Dc>|0HH; z$$Y++yQV#qQjz`oKBi-mVv1i04XP-e3mjhR@qna}^+mb6e`n}8RuExGsssyX=9aGT z2MM5n6n2pMp@)l3-qIgDR;6oSuU;qXRbJGc{ZkG6@^rJ3Ybm5d9iq-%2?6mtPS?Mn zX+B0K+66qgW@3hezICDVMjg<V3G`~-1vQv*-k&@J4;;`xhNXJ;P{mu53*_G|Nc3c6 zm2mp&myX1Gts#^gR2B|Z#ydTc>%Lt{1qH8`gUqU-OL1rDFtqyN_0`AWnAEwf#hTqZ ze~j{+_vV+KdylH=zz6dmG&ET*`zas(mB~s7Q>M(%<d%LU8l23x5C>?V+tv-%VF~|X zIPv7k67GcN1Pma4P*#SK|6QQuF4UrRA^{xBDc&73G8t$a)ggqhhb{+<a#;g#MPFdR zdtD*yv#1H)yP<Xr;)k2Um7b>y2EmarjBof-G5SkFRG@M`lvO8opTx-?PH+$v@1)uL z4GW?iwYSm%dB3`&(i9P<yTrD4@VmU~c;AHOct2<LQT6X;oZU#QjM*9`q}ql@odeGb z`7U|hSouquVdnAxZ+SgY@oH|p=C(|J{O+mfo6tylk@V12(JI{ahJ+e$=9HOYmsCBJ zOoQ~)G;{DR^>=j9PjXZJV=MPBKSy8FD*)ywl^<G|BfP|<Nl{FvU$nM`!mIj~9XX#p zB9_f%--H(l#0RVedBi;;aa$Go&T~8G!P5I&b-|;Xun!j>mI<r~+;4gH{zDXRTHd-+ zczq2($Wo+mo2UqPUwPvgaYp*4Jo4Af*>Az~A0hDK0YeLAiP1<cl<P{cKBLQYpVY88 zXX?7EC}Wm!*?Qe(+of!8MMJ&?H*>P#lf!r6j@@xhO6IATLFBq?m6xWSc{Eq~ipIw$ z7BAvvxt;88wYTcBd;o1>LVG7gh=9+TJ6pQOQ;UrAPHq_T9bZnmnX%_f7Dvip`EsOf z4pJK5I!t2UeUCEa+OS}h)wPl3JFH53$!45&TZW6)&<%Hkm76w$@C><|*J|e`a3uka zHyhJE1Qeigrn@|$!3$dgx`+We6u@nO99z@Mt9_0S7%lv%jxMa0?3l`d4Ls}Rza%Sy zcUu@A`Z)uk%G1-{6v=SZjT8`FUZ=Ojhn|Zzs3CR*N9b;7%$JpdCY+MKMSmefZIS(! zRJd`D(sd4(wUu5E?;oCVmf^q5|89vtd!;_haimk@D^b%n)SVcHT+s^6tU8y%gF%AX z_^Mdyw_bkdiqIrZQog76cE(&u_}6rLn$#Qr=?J&C?hk$J{1|3?v&*~uS2%B`4<o%x zA~4Tx{qFS_NL~sU1O)&900Q92rA!eep#_;32mk;Y5&(b?00+R>z}bM_!q(Wr$i#`> zK}3d0z}eD3$xhBtl$ljlM%2a0)Qq0tKQEZL)9W!>8tO^A7@63ba4_gG&>6ehs3=1M z0DHHj=>Mm=xI+T~f;<BP0Q^^nO?|n<bmvN$*_mmU278HlIH~DMnVMHwnu+O&>WSn1 z{r$ys8=ui3hZ&NOF*Sa)^i>e{1IlCA4F3Io6#D)^97!@LB-2CwP#6Wxq`?QuqKk9l z;|$J1`Topc5<Jp;%o%h+n4t$us^wS(o)9xd0LlQY(b#cQM<+%On1A5P8X_9=FAPtB zI}k}I`u%|^_$fwO<S#P_nioAuShd?(il~R@$D_$6ivVBPu=$n?Jl6`~j!nsr<jo<l zcmp3w^1t|mxllw1x$?3?__d2fplLGqLUDx7%#cAJJnk?d8WGHeOU9(#P$_W1N{I8F zNrK_dL*@-q5V*841<AAc&$y{6Y=8^mT$=RV$`=SBW~ReV<aGsk(*)X4Hu#sI5j2<4 zXZU%uBmVu9x=jkeTmlurcQ{V{<$0&_y%{O|;1jXD9byX+a^~We3NTI>kQ^zXGvDWj zFP!4l!|;ZO(2EO&7H~(wj`7J?3&!s6Ld^H%)884wa!FSU%>F$>l6pdl7wUCkOmv8c zLU0z4dLpU|pwGdZT=^&8?#~P3!#{?R3<$%gg!=&;3nBY_v6HaAdH<(F_$osEKpe+A z&+riFgl)5Tfhx81Ic8x3mOQM%QyK!b@BwdK(-1=<=u%|J(GIrY$|(N_m;5iZ|Mz?P z*+8oCLV#CJWOl`DJFnOyZ31&mpn?r$1l}-nj(o;<(CH^I9wAnM|HbCvKQ`~=Z0fcC zv8n!l#ioVh|A|e_e_Z~j{r_c?dhR5!B9>hrAmCTN9{|*zYzi};0Unr2KX@?}A#xi< zf{&PRXdX5I=!Ki)nc-XdERjFWe(>p#xf&|UVA|Ld*%Tv^U8BJAZB@v8R>MB6A-n&O z2~v)R&d5wO=~x?pE#{a7I=Jo)Ns!qja0>znMZX^qg&<iHVcF9hp)!=9Vt=p%Q-?5A z)RaYGmJ%ThFN90^7IeA5;wl&i3RXafk3tV>a*klJfC6gaeT$|%a2@~@Fm)+kUMvbt zokhcm|J@03VaO3{{4@Z|yay#JfB-r`RM~UdSuJ4EK%NUoQcUnHUKava6|!I`h0wVX zGI+KraFGq+L!BMkHLSB!(7aTdCG0_vwY_d=-w85UDghQIcobL<Dl@>lo+EBI*pO(- z!hCTun3R<{Ub5Q(4tBd5jzSM+GB2zcOfS2LLiqHNxhP@~H_`x(m@rHbxM3J>GK_2$ z$&3g$@*i^a|5l=8fKUNkl@H8ulfXNDgfm5?pmQ$*b0)<xoXxGUi@6tH0-T6K_$<1q z04fRFg4}Z0JVt~r$jRe-Qb9By0y1?$gfHN<Cuv{=9#w-raWcHj6Lc(b#lWc(O30bF z0-CZwD@*%a#xnwM9w|QX3c&NbqYlK(M${c=6W+KB!#}zFhqO8pDnhiA4Md9$;N)7s zgHQbO-XrIK2EqYdNzeqhbsCMFaNs>-LUIZ;Pzwby(+Ioo6dnqUm891%-RHe^M)$ul zO_~wj_#q4cz}xqKqqqM%)5ia$xBnkZUwN4+Cuyv`SP(i35;(IugARZoAc%BE5{1fx zC{z?ggoB{a5HG@vQ$P{vV}dA$a}}<SGDQ--nANA5K^eL^gLTEm_MXZPPIJ#`?#A6} zU20u^2V8BP{#~Ox&F=B{veWt4nr1l(IU<#4B*_iz_mEJ4%<w?6&=<7*w`e!Ae81z% z`I;$vTYl#l)oR$y;oL_d33dTK9`w5zX;?yHFy1NytX<?wK(Sf`;^@x8{BJ>oamF3M z2;#%Z5(n?wcjNAW?c?Yp@W)P$%27+Jo@bS;=H#bxr@%6<a_iQ6J+4MauB<6Phk;yG zdOsrSSl?DIt}j^*)U5njFM3$9HpZGg<IHn7@>8}8jz4o$4}EEW2y1@+m4az&_VSzG z*Iu~qsoY*FLiW>v@1DQ@)?xoixQRIJRFQKLiF4W1yMPQk+r=FXA#T^g>Bu?x$a&d1 zZruW*uAL99x;0+sOfkc>Z8vS)hfdhfg&68G=&o1SJ%!nM*yw(5a<?jUr<asLO2yFA zH3f>24vv!f>SbEcGa$2O+-@9zv1RP(-f)&lvN&ZoHTW|_XUCk?w~5o5ac#lcMa{m( zXV*|RMRXNC@*sugHm3p6Ma$*4*A;J&#`lPbvl<-g;)~guW^z8)B+b%F!_;!*NUPKQ zuD1Nf>6t1Xv|Btvzu2;YZD@q5Pn>JKgkqk=JYZ@QT*EQFO0|4)?7UfMpG8fyIgGJc zs=k@jWc|5#oq2HGPU*@i;rip?DiYy(;1hc=6zlcMp^58Eb73zGj<bg6^5VDG{3>>u zJvO_=Th^<Wt>fz`3NJ?5i{0|FR9+ZY^zno9`~W|oqBB4pJMT|z&4w;16AZ|0&=SBf zF*wt|+hUY`$%Eepptn{9XuFRr+9le~Du)>}v{jt6RU6u=616QW^T;snKrido$3Dly zJ<>zGq?38Q!@XAI(GbS6dw8LS2k3#fq8L|9idRR)Q-|gSmh8or<{=5q0~^WxN0KM% z&nVb<57*x@tgDC4HMUjHvbC!3!^pXquGgXVyBh~w^f8I9QC7W&QMc|tbY5D&M?SZi zZf`QT2b(*!?A>xb50LJMNl$}gA3bu<x4dr|aZhdcYQJ|?jE}@0zP6#h6QjL#GGEs2 zzMrBWdQLBX*L!_)#QDRt1cDg)hj{$jz?KJO@xhR6O@TLKU@j3sTSP&LMM0LPAfU4F zY}(k_TIkZMvKN(*vFfbnF4x6YD@j&INnNfou2vb@TU?xmV@F$dLe{b&Ah~daIfNZ% zLYj2a9e&&-@9N?+BlA9UrI@`iv>r&FzpwMDVg+j-WgR_eJ^R5MSmCml!6FxtFPCAU zm?1nEXsVWYsb*-d+bmZsdSCj=98wg#*Caa^6ek)HkD*aP)+3kIBZ>9mo9787hzSV= zh<3t=YeU4Oj0$#*MXM&lIk|tf*{Ca>XPt9dLfhC(on@Y~DlsNL(p_K|*3?FXRY#L; z!?!(+$*P#yZso6@Z;jS)<5F;PEW9jL&#yJ$eKSx!j8=c}&5plWsLy7tSEK%UeLD#B zjWzs4d)+bKJcYH_*d0FXjEVS0sA1<ltuj}v(r?&WE4H~U0@WF}_@lH0qjZr>47Deh zCnp1EP@0@4-e^!FD=M|3mSU!q(5h#C*ehHF95h2tDRxCI7P6J~*-V62O4V)0@AQxk z*(!asj>5d&OoN&+TXiuN$(nZRjbHKRR;+TK?!QlC$2Cso8ryiqrz~cfJS}a7y*844 zF|~EkU-qAR+={y{=RLxCPqK+_-1r$ct(=r$&FR^({Z7xnFU_3RVX*z4P*7@7w75-r z9FgVRkn)@n>g-d=;1csN6S@_&Jt^4Vy!dZL^mdF2EV})4P$QwclhCK*_4RXb+4)=q zqBeM#nV$A!CAcw@`iXe_3`~BVQ$LWa9(g4n?`o^XclPRwxC{)-fX1z&th1xwXs7(v zR_;lEAE55idam`le*}n_xze`Ysz06W86Nsb+5L1s>D(>`@zKfjyr+Eklw97@<oI4v zAAU}u_3E+R&oCXPO||-Ir~d7mJ{)Rf_Cw2RNAc=J?LkLr;X>PX{AVspQHiaAbFJ~< zt~pT<uZZjrLDPP;I-IDgP+{h%;Vh})YnWkXx>57gxavW@e40GbsG43KKS5<2mO2%h zHeNVod@<74IT<<DMP1ld!?K~}U~U#tU30Md61n;^`PG!-a!Os)MLnlmseD`Qy{mM- zq2h67e0+FXg}1AR`t7_@AXa7UrUu*Bc5yYN@|-`3qT=DJ`z_E@nX8iWV)0x9U!}#T z3fg348@37pzS1mHL7A@1Ojb<B(|!_E%*IozO5EWpyx8f~WF=#^f>vF-Mo~pwUfrdm zyQZp*uC4hhtoo{B<0J4NdljGQ&<`i8%Q5TP-+6hv&I*AdFQb8tm}frg#rAHC;gT3R zTU)BW`unXG8OBrgn2v=re{Aw5tYb|rmS^nSGd4O!J8O9>?z%N@59g&Ng&EygnbVLN zI9VA-0Vh%ZDdW16p<Y_kof$cvOzP2Qj%ceNqnA}aqBhfETORtI3)G$#Lc`0PbFE|0 z&Et*Dnc_`m$JV*=-Cl~e=ktr!iOYZf!mX;wZ5cH-JxU9u8nk?UR$)S6UvaJ;qplu7 z+P>{7KhATpk7KUfJiS7`#$(aIe`aKF%HM3qj)MNM$^ow6N15mWygh*4E%1Q=&FTdL z<^cdI>H`U*ocZh0q0FOK;eq_k*Fkq|mXBke#EZqkHAsPs#1D{7AMoYnW(0xWVqggC zDPqursANePheP>54uA(_YhR0doBfx1ALvSWB4>s=tKR~xe$QB~i`#<iv~r-dQpse0 zh{39msrjisj}PGa4S8qOMsI+Qw)YcqB??zy_wLR%z9YW-gT+Hb@E3s7Fg0Jdh*7%8 zp1F!$mijXu&8#l<)>l=oJ9W<=E6f!lR5NC*xiZ$Wh1~Mlw29Mc#k1}VqV{swtnyiJ z^}c7KR&zL3uRQBpeeD%cE4hx^y<Dp$c>7Vgtw%5JF?;(*y6u;p$G5`si@Yb79w(e5 z5UJ;74#%f3L1!!^^=Z3iU#seOP?C5WP1(X;4}!mlj6(VJh0Xk`;cymzqK7+hQ+-b7 zrrg6Y%`|1peoA?UXCO333C7FKYQR1>FT4zYWa?-2E+ictEhd<8+zt%sdM$FdiZq%z zklBOBtNF{&qbIHTww75&-3Dqc6N)Z#OULNqGiWv<&$;p@eTc_2t&erHQOHa#OXJk` zku}VPHtymApRvzty89Q8qo79X4dm(Utd*~6-D$z_opYPkjHXq4amtquWe1n4n~&w^ zT7C*#=#+2u^1XWP&EYKSr@$%~?%KOn?b+ficb5awIyU~U!+bqgZs^8$U%fF@2QZs8 z^9#qNl={xhA(DYlA!xUv48Da^4Tk2MGgTY+M~7B6FSmsB+Ftr;jY~5J$F^luy>DWt zaw4M2&cw&0+a<QlWl5dRu}$|+EOoI?Jgge`0NL1DD7OBgnc4T^t|(4~oajC^qI+Dw zKXofAmxErY!)GaW^*xjLUHxO)`f)L4u*cty;&qjGjHgemz<V&aZ&)3ut1Ptjxz{H2 z)6Lr&Le<M~Db@veR&U0UyQ9i|`nBl#Y_2a!R74quK*(V`v^u*!qXS(rgKT2AJO#lE z@!zFbpE0ouDbYeD;+oDJkfdzypqw}47+vE(q&v=nX)zzZ_DH)-J59zYuO*K=X0twh z*z7zmy^C_KG_3d3sQMfilV$<+?#mPOKvqQMt1JnX86*uLQzn7$$AZ4)@(eQL8J3P7 zDHEwF%~gomi;SElr0rUEf3J=l=LSlKc1%2Sq!uC4W?@ZJXKE$zYFBh?bF{RFcy#`B zYXBM)y(iG9C2VYO7XcG(-^eg`ak(^GCBLT<-_$j3S21tN&9K(ZI@0G3Npe^cUKR30 zi;W@0c}>w&L-S;&X@<MY8w>lP>GPvjd9Yf|h(uNCdF}kmtRr%b{@E^A{TvO&$J=zU zzk1kds0ANY#m8O4zlB8_eIAAF`O0#8gSES?I+WGH^1Ntl+ubx+6g!N%jcxnc_+0tE zH?SK$^g2ZDy}Jj`JMqN_{`=DXobkIc_7Ni&LH8Z;;!{&ZwtC=p{<&fPp1b^Hvw!C$ zogUjWiE)CVDGGDnHTQao_2vTmcv@D)3fpic^LXp{;7413<@nS`-|W}`*?x;W-qO-| z58G~tZqA(YQwY(GU)btaywY-)&#!>6#(3AVUO6}N*Cd%W1Jjw7teljJLJR{15qFt) zu9Ii;LpaqXsmw)YHF(Ve+44mCOfqMlX^qTmvG@ozNt;Z%kut|vovETYaVAZ+vo&!h z$8w2%!*usTUy-+ha=p|l#pb|SD=mB?RA%6l4Q%&!bd`$fO_SJ~J&c@2zbNB+>Wz{$ ztc(P|xu?%hQXx=B!BbqAeaS5)yJ_kg29g_ju|2-W4e|5H&{avm{Gn(*v#da8PKX#U z?B>&^U23A)C$Dt-m#OAx$Ue($N%IG#fn}p-O8Ap?U5zSCZw--WFW5mXQuZ=LqXwI> z0V%E(qKj8L+H&v(9`(^0r(K5lqZe|Qi;a7ZncKV>c#2h<iL9`aq_BaduztP3B1}lu zYWTbYF);$}GLY!SmE)uB&x0YcoS0Z`RJ8QgwYXR7C~B+<)7U7}*kXqQJX7IInP>`` zm`JH`&6M+jF6PFokhHFj^n7Q6nx~=Y+NiQm&5qkrMZIIF@h40gHZzfyDGHDCY{x0i zGUw9E=Q_KXq1+3n7+%%{mk@YKM#=UCeIAG1bta~V@5#;>vshl1#~_kJHA0`KvcXJw zWlPb6Z;sE$fc3=T#^uf2tQQu(UR8rXt@&!C-&DlyYDC@2KNq7h{P~q~O9V1Zt7Hwb zzZ)c>k4P)k$VoK8YBC|4*+}?YBzX05G;D}?7zyr^tE3Z?BirN}Hqwi&4iaj#I%Lr@ zo)}~eS&810jPJQZ53mXkRSC6#MM_&qr0k|rts{#+^D923M>d6*EB6%&(2Cc^l-o{9 zJEmQ(W+hn1M0(gHjUqr+>{n@?`Vy8J0hgO06*E7PZRDIn_y`34fPgglVC($2<^VGJ zBD>LC{OD(ZaP#2W`T#J1@ECwb`aseFm<-@(`VbgUp@6*gAgcXX>i}B%;8z3o3_u(J zVhl(efMyI(5dH}50BU<+qQGu@fZPKZd!VC%4*l5C;Jp3lZ-9OX06+o==>TMb5(F61 zU`qTD=}>|LECfIX{4j$8AmJbi`dr~)jQU{Vpv(g_4A{c~?(qOf0!ZRuNbx|50$AeU znEG(zAWi~k>EMk6-toZ21n5Trp!$U4;Gp`5>M*JPC41EMFerh?`4A{UNb*pV{ZItJ z$N50jASruR^-$GdD*CYM(3JwP>fn|Gp7P)q0>JA4Y=JWR%x_>UfwcLMEJ0}XsMf%n z0@UWfj`hG-AYJ`!`t0W5Uj4fBfG+{xdjK2|Z~?dd2KFF0pkw{7dmJ2qTmusJP|g8M z`PkWjW&@n|c-jEy1EhEKcfe==iU_0HqiO@M4ZzwXZvnLp;NIEY5x+rx!T199?9rV8 zzxMmw0dRxF^&8!RaD(;*n(cAE!G6Jg3_#x@bpzE6VBev21K$pS-+{kD@CNV=nB9Q_ zK@bLFAdLrF#>1`@fGr1W%41*f>y(3Y%Hum00I~#gn}fs@K(d6G&f{qI6WUYYfW6Nn zX$n}G1KSkfHir%EL!1HN?u(y+<m^*W_zRu^=@ek&z-||SKLs1*qvJr23D|Mqeemm@ zfqxqSzyu4}17$;y59o7X$_5bHQ^ABR<wJxDFv5f(G9ZZ#oHJmJ_G2=j%?3B^Sz~}7 z8URTLOE6$c>O)C~STNw4_H!~I&xUB&<NfoYGJs1S)J_LS?+;<XN9z}{XVeBt8?4)7 zQin(zB2tHu(x;>eqRxj&9fE2{QXQ<@r)tMi9bmPmtqx_i$E^;zG{CJ6gS7|Vf?yw* zxx-$EXzM3ihtb+oZHKiDtEq>b+=pvNz6snN+^)yH3Ggxi-vWOf0=^^Q2I&h5+edUq z!3)|QI=ln93MSvDTnCjKvULZ`4LRNOa0k>4PTT9-gRckI4OQDyafj6nW8af;hu#Tw z+w0qpyCZ*N{sMg&?5c;~33}ZJena35jN3<kL-~Qq8#ujVfBSP4M!zTZ2GtvCx2N?6 z*Bgevhkr->1@ar5w~r2jAPiw3i~wCh$fhWUC5~)CXj2^IoPc*g;4>@&HjZ!~kH{oS zHja`(=wuuanqOd!aX>6(98#SC+bH5Xjt47791rX$Oq_u1C|VQ`0GR;oC}L~Q;wXkU zjvOPPYfgg|*1h0<^sj0R{(~4G1p;URq&ZP$aNvS53us7w1qF(X5D`k~Fa?fCzBo!q zX^}ZfkZHa;3-XL$lLAhp7$gNEX@N0`03`)#Nr7{6z)8L|3%W^x2L<+w7^iroqXM3$ zKU$%;vOikEh&iNYWUt_qJfUW6q&y>)KuI}F4L_4|EY-ZEazw9a)x4#0$ZCE|Io3+P zOF3GNm`gbxYd)+w@!w#!B0G8Fzk!+Z%$5RL3vA7}Ero0(Vt?jko1uN8T#H<r!LLPd z&GG-n!Q}^?A$-8$ii*uEIK%kF#TFr#Bj*U0$)j_{bS_{zqvZ&lE`T~C>InV{^5x?> zW9kT~EwDP{Zu7G*&^lvp3;c@m73R&)ouMyB-4yaV!*7eh&kH?4@QBLID?L$rhUOOS z&fk{f_wds%P(NYy2-q$BdBXGI_sfqvL;gVa5!GYpM<9-79H6NV-B8E1(wC_YX=#94 z9q~*LdS*n&))$%{5?#m0(pRz$ooN8Y3k*9jNROj!Ky4jmTSwb8@Z!da>xWxMj2o6+ z$BY{Uq8X-JNA22QSjY9!m*WQW+HY{jc^N%yfPWeBUB?IC<Hrdm--~cZf*Vb`N5Kg! zJCNswjk3o;JG93MAa+2>jV*G3$qg{Nm*$3^8+G8oBi|Fw4o+$SDce)d4qb8p%MD__ z*Uk<(-M8k(Kh>w49r+K;;g1ggh(<pob*KD+q8|!z=cF4PX$MI=VCn{%vgfSrr*<Iy z!KxdqazND$T05}R4qDsS?8aN$_uTSl--~fa-ihuTh;fIu9h_+gwHw*IbKQ#EtjD?S z|8r0GMY|KTd5_nP?zZRS&d2Kye<1Ys#~TBGK<u9Ji-$K>Zco-5DQ{5cjpb(4>`ucQ zE^iF|PQ)AX7y8%V>(0a*RBvSM&cz#ecew4&#vA+>`#0Qgknd2>p1wEg^Nz<GpRXVO zp7;xcZ$R$8?hVs7)^Diq(Dw_dZ@BKx>I<xI<o3?%3-C99??CQN?hDh8(4RjLf-JZ` z9LoUNrBHw+0&RheOE~Qe5pIE8+mQd?>2M50BSS&y2uwzDG-C)%$xuYz1`^fb%yk4U zL$Rv~d!|4R1Tm&W4n#AiNQm(Gb_BHpQBh>K0|D*{j02I;M2F$5XmZ}+v^PXQBz_<X zgbaSNL<y2~X)+~ohzv==2^JzE17Ybw36Ka91!JxVGDc&t2vX(=8m6q_1ouRKBnc!5 zGNeR7MF}hka!g~m2@)p>v<$Jv3GYOqVv@9@1W;qb335<lL=EZG_>v>)#%Pqp<Kl3X zBqT-2$#Ezm;^X4LYLb*AtH#J`G8JQ34XH{ASPe1D2~S0_3kl#2ezrszW9IizmPFd( z2$m$Y#uRJfO$llXV#mgyE0V79He+@Ra<6gSMS+)u?;`+CakzxraRbL-9MZ9I$VCa+ zM5W>==OpGM8cwm<svj=k_{ZP5oDF?Fw)HgF7n2~L{~o^hZKnCi#r_tt|M_-v6Q!g0 zY_e_;m=b6hh~0a7Vrl90%#c<U>oY!fY5ef~NJuGJV^Y@8;AtwRq-kkcR;H7BeV~$h zEDY^*6cP4-VqIHN8uQfPJRBHS;>%#N;v_yEsTrB6feP&WGNCSdM|F@)*~o;XDa*TP zy<jtCH;v;G(ItzqROn<Zkgj$#169-gbu-lP>A2uHKR<u|U9XMRjnzo5FtM;W2gXjB zn!HFM;StoqZK1HO=E@mVB$J~2rFW}zU&v%Yl~C%Wa;hXUaRHXn$Sll`Zad(ne72aB zW^wE<?eu>bk8E5Lj!x((x%e5GnTh;cKAEDZrB(J|qO4LH@KBZg(;3xh&eA81SX7PR zl-LQl$qz(d2Uv%)Vw19q@>|~Jh-_k`EK)Gl|6X|plAjl!oW)Bog_TA<kvyGpbb``N zkdc_Z^;Esw&LSabYOATOm`P$G`>yxGPGh0%xf&Qe{d5$pEuk&w>bZp@5%2^$oqPF| zmZW4G=q$@ePN|d_pOS`~mKdK)DG{r5gGxS;MsiH)dcBrpOlmeKH8=S@nI!3$jdV6j zxjaSrhtNV+u#%*VT<Kx1>G?#w@$~pevgc%WN^&kIZD}r563H=f@t_!~LfHW}WxqsK zQCHT}Heik4x9sRCc)8kRaqEfXTq49S`@-HC<)YANepe{|<ktZJ3&#&^EN|f6%>E1W zzlA@1F?_bQkhZm=G-y+3fYj9gPHV4DM#fbG<l|FoAx0Hg+W<C&qoScjWxlBrsi|o- zP_xeK&B4sY6`O*T6W1Rw<4JQrHz}GPGY_`8Hn_SdAS@r#XVK2og)3D~uSyf-`JT<S z`ftQ+08>6NStv&>#z2}Fru?Di;C=hkfVx)|ON<oJ&(|vS<Tza@Z9|F{1;%!uwE;vb z5$BKaKVdMmLY?>z4DE~mU_hkSN#RsUP&L<YK&76XaHpO{h8+Gsv9MZO`yUoiCkzQw z=!+_uV3YNZpVoAeMT*{QP#7nn7|8{ITLVC9Yk_qWDmSV6D1Q{(j>#tfmPZPv_05X? z>KE`|Twc&2h!-R?d(!RdFrZ6-;?V_m1pRU|ap1$uf(Jbg?0GZ%ukfzViWi_?xQQ{5 z6bb!Ly)e>lR3>*HSJ*LPW{hJh#byDEZY*x3rbppf1|oN#xGKn;nyiYRM}ujF_&ilS zcB^RRy*g2@p0^+fEOP-|f_j%i?dW5gRjXp$Dxz=Ui)z?tQVrr?xDu!^5CxJ|<HSXT zNwGq#P8MBfh8PCxWb_HvKj*w;h?Bp}EbH8GY;i#|hx(5k|1JEnv&1WK(N}JD*?Vg4 z>;zka%Fw2(%h!8Yh3b$N<$GxDbPTn$N@A1>8vI9=OwB`Qetv5xfn~Y5ig5F)l2b@D z*W^)6G&r){_t9i^O>}eXw0T5&0YUkcUMpLs9%7ktMomV)>IY>6U4*Ht(M!4fk;!5? zS_wAt<S><+s(npkAM%t*P37V8%F4t~gAQm9P7{UF6gJic7@K8E+eGp|4G;nSpVPib zR%iG9Z`wirqX8E3|D^%PsK8QMLH~~iJU4=wkYRD^E9vli7>jIJ5RHy+DZ2cohC_(h zC?8kS)7QzrGgVS8@xQCc`fZD7uw?4hhAXIsb4rZ(+YkuI&-<(OT(nNwMfxr4bVM|= zRTj>h?0JU-1@-R{FmOP?zybaD@V8Tdf1$7g;4k;WjRbiPVvl(KE2z3XO6l(rrG(6j zX#dU;U+$Em1ro(yK&m+Aw|f!uZqTQ?;ET?DC-`=oN%3FF$tq>g(6Y(>9JBgT<Qo?K z;7ZzpXbQ|qUEG+nKm6qdAa^F*iyU*o6e>`<qs+#8O5AAq?Y7Mq5F->W)S9ND!o4v0 z#Yi;FL%KH0GS4h?{Yf<qs^G1;gAk;YMam<1!WbcLulvjs?RRq8X(JFSZGMKr6Y|fa zVi%%YC*`@-)YD6;Qllw|Ij&&xqJZiz(Bg}5Xtt$=3)M0qCa*lCE1~O+qgK=&q(fMq z39K&cQgg8il%@V$TN3h1_69!d)us3|T)Pt&(E3M1rl@uODD&3VLFOODww6QGDsoi0 zxt6_~%evR5S~iN8Tyg<_M}S&B!xQ4(e+Rs$&CpL8+{_w>VwnlLVrijG$ATI7Cny+6 zE9T~AVct%dKJ!UG^|CPdB}yvw{~Z!loolbLebe?aCL<2OiXMi-)Rmx8juH2ZNhHLY zWy2DXiJpE~s*lnaClvxTK@nLpw_V|I6<|L@P3gnL+GLEmpQu?bZ`Q{k&F=;>x2;_6 zPA|z&nezvgV(Ig}W6y774Q=p+S>yf?dCa6Nq8g~{!uZL%V6J_r2*GXs0BXhw)?^$q zCjg$NGw;w3W$(&2L{aye61c__yGEw{%bsUhXR&BY94(*nAenN2Czg}a<^or@nDHJB zxYFc&ROf=$XTa~s3rtY~lHBoKG#kaALoVUR<FevbHB2I{fw>)l?t;GTa9g5Kz~6Qp zV=I|@vl!O7v<{OWjYQ*9PTpOI{wpr`_=l%TUv$*kBsftLM-)Rtr}))}=1_E?amw=& z7?a5dhgezV0cyIT{!p56-Ya(u;2JCTS*Ry3^LZy-v7j<h&G2HB(tQLoYXVWvl*9<g z#Z-BcIv~+nC_9TbnjG|*E&IiD_Q4iR9vM_pci@aX>|D+4GOpH;f7s@GTHVJE5jZ&- zN$J5j;0L<U&n@=nQ}5}O?J}=x2ttLjPMOkIpnWLUNr=9}|J$Zk4&eFJQ4pixqW+XB z<sfFQJ?q5jbp=})Uu{3fs^eF8mX_9Rxx@=2#qgt;*C-gwA{H!D0cMX2Bih_}SniS! zqf!;0UER)FeaC3Nrgj*{-N@RWU|?_2C1~aqlOL0`-FdrSTRI08+wTyyvg+<3CG<KX z^k4=iosc>E*B{XmOTMCP0SH%j=(XF)2j%gE+xSk>OjikA&NCBGStal_M)ZYLlwo!J zjeO_WaR+&P{NMJcu{fw*vRkGp^9R>52eVL!)M3oah{C9ORltI^UT854DAefsYvp}6 z@#wwwVTc|kbWk)oE2E&wB(+K;Gc!h>6m&G-2)5oFi?8eC+xi?8{{*15U}$>!EsKN5 za*W||k^xST%3LrwSwsREC}!z`2o?9xLa}xnqXI)mBB2f<aCs#_X}3^mK$eUc@KU_> z5+N##JhK_Vaf(0FzciTG^JAE$5tmY{IA$Wb|1c1GFuQG9z&<_5HBBNn9rP2{^9W=0 zp!@4CNDv>KE+Q`Yf@jRj;cy!O1*fd+$)8YAh^F8WR759S!4XJ7Cv0ChrhzI_6S;X% z-g2X3<>2t7{=D`2c$Dp@_pA3TQhT`>Huw67J^wVLlRL#WKej7Qgw`}5EPacx5PirD zP@FKeI?)xA%+5y~hfQVXlVC+|lph#IZo&nAkUP_Jyp}mGCzJ4tMWolD*jvO7c47J; zkzpl+g2W@-bPFA9DB@gFSTgoXvO}48OZgO`9`GC?8K=9DR+NoZT<u<P^(x9qCCYgj z+t^+P-~TI8DNV0(@>0nrVR<Z#&#se?#i)v^S2lSCg%`k%o7S)NEDXJp)msT(Q5pAK z$x~AKm%S1x7oLCc!cPPDQ<CSf(6d_VTc_i%qtrGXII}%47)iCFOSKg7MG4~dd?TKf z^(p15y{TnkQiH2}IiHTeL`DPv827schS7%r#cFk<rLXn;H2q34@9@<x8m!8zA2j== zxpmEcc<V0N7hRs5)re!X52m;tXs$|SO=gu2hi=yoC>RC|0LEU>cZ;4{KTl_9D_6wA zSa)tGn_-SqW33a9I0yrZ{~XLx&CgZPRa)nlLFe!UL_H<|38?<wY#i%HTG4Z=4a%h@ zenCOnnF-GJiccrHCWLb2!mZ3apJfFfQbnCs75$%B)Li)r^6@mo_W8T~<^J?rqlBIL z0LU@~j7M0+Tc6DzGs!tDx*N7=uh9BsTMBwsl2?YKt0Ddp?uq3vyPhsg!G;Ci36A0( z#*=mj_u>WzrT>hJ55vM6&7eBnn0uDNx9)CW2ItAIhFva`u7y=+hAGd|v^1`4z1bzR z;)Lr&mFeW!B#&@|+q$WPU>HZsSk}nURGOI`eh4ZTNHVuN^bajxG|TRdP{VuMX=-?t z`mSxLI!DZaJnDL4(~ctVW+Jwo#)kfR(|F<!1TZSM$^@yEQJjl=Ix7WOfl7XhUh7JH zQ2z>%e=&fxikH<2*=2@M>w^_9uj|^!7^c<!pJ3*&>ep)3TLJArD1bj+w2d-TjTKag znroW}VH?uS2<|u_lS-vunKqYu<1K)#S~(Q0E2-;v;x=CH5LNJm(+&jk+FFKdGA*wX zQQlg?1l>k$&(U8jVE#-fLCxr#xX{Sg9XVHjWcpv;5nmQVUL36E0g_f2AHc)bF3mkK z48s2hXZILfN%W`-KelaiV%v5yv8|aHJGLjbt%-MRd*Wnb?bx>O{LiU+&wX#z{c@}N zQ+I#q>aJC**6Qc?Y$R&#AL~S!q*JQqu_F%da9ca{n16Wwx&dVh3PND-2f^ADB%M!M zi5H27i-J;I<HopdQe2<3f8`Pi@S`sBH;xM6euM|f-;Bi7Mh%*l``r61?+Vm%t=8T_ z8bqMBpW4+nNJ1rmf#`XC;Q-#@(HkK>9Y@_@01whj<&N<2n}U*W*FA`rqi;^AqU{rY zZXrJ7=ukQk1%kGM#MYh-NkXO!=tY;_X1jtxq=LWH@P4P1KkGCfl?|zTE~w8fH2VMj z66%*=MkUM9qEM5)mnZvviCO7eG;U3ya|xLMd=(MakP#G--k3+LOGoGWlGFi&udE?J zVr$X2l@<!mTT#!DV-5Dxos7_F$);FQ5W)6U$%0)4z=HlS$2E^HELq$Yu&Z}jK|zUn z!H+)spcJw+`+M-8KQ>!|e^Ual?l8I(z-^44ce*&$zilq%9~l0SM-3hc=fYtwZ{av7 zOY499OGS=D#k;Fd9YuUJ#ZlT4!V<X^h}A}w>TnU*x!%ub<&Bntbt{U|I3~FzN}_W# zd?m%??Wdg>P~Q`w)MQ5WFNj3SKp*oCvAyjPaz&W1UXg#_i>pSsUf-i~s?4Q_F9@O4 zw~EE`&^VaxzSGl7+J<VqmatQt%)!nvQqs=xT{>R&PZp~c64qDsS-$&6V{O3F!%WAg z?y|_)tF_@*_1jaHJLHYXpCi)wcZsY3**jF*Px2{|l9ve1uY^O=`A;JWy?<l8dilCY z=}S51SIS}j{JVNqfc%|`?I-<|Na@E^S<|6%>;Ihi|K0W0sbu^0B?1!J1wUj7=*v&z z$AmNp`1Q!2^>`$X2WEqtw!j=dOCnJ=|6|_f?a$aR#a^hF)SlXeo;*1bG;tBu%pQ9( zzgNoF;M|fRJ>0$)SRl`AfUV5e0oaFv^=taaJ*`Kdd03;0IXSrVAmnZ>Ovxsy?3E0u zFO|vrpFlgUK2`g^*`h!kN(lZ=v<BT6<~O!lOJHW<)xa#NiL5e5$tE7N(4QwH7<=NS zTCGXcC%g!A{1+CyXiU89B>e1JRzL-w*90CW9i+RvNmVr33eid=$rw{#IW666GA11Z zT#BFN1~EP!5S|R^jw*}h$eT%sXC|D9ini94oIv&>ykXu!U~x%6<rwrJp{!Z}_aqpJ z>g|+`?-o0Lj_%e?b1a=*pnY4Qtq}6q1+B7Fs@Tt?IDuZqh4ILdN<K+LurjHkJOJl! z&AmGDt}*q_@yqLz|4tnBaB6ij`zj-#%X&%0v^F>R@EMNtK|S~g7mCFMn$|M}mIomZ z!0zeY2tqgQr?i5Vp(#Asgu&nc^zVODfyNz%!OcYyCPx&mC-eMCPZHXp6vJ0fR<gI8 zpgc^TRZhMZL_T#C+GG+sbcqn<8Xg%fuG6X(9Oc@8v0jhy)KJ7#eN3U1Pg&gqHIX^( zvSo47Yy;MJet9{Ox25qrKC!tnBUL0W^(!G2ec;cSb<KS7xZ%{FJy5R6E$?}Q<@pr( zd6dseGUK_foZXdss9MFjZaUj=<Ep#*ihJFPwN}FnOk<T*L)8}WDs%N|OdW`TEvWJ8 z`q;~DE*vVxE9rycoIe<O#OmOpxWHGo&DS+ev?bPtfaCxoMyiQKtl=f}7N)*`KbYle z6kqm*+pI#}>=btUVRr1XKGs3P?Ua78i(}hHpWjZ&?W8d3qHyJUw7ENdHB8JC_hygv zC)5p!H9p=spL3^&Wah(eFAq-gvx{V&?wsoBp-Q@5#y3jg+A_R)E+#Ct;X8rl$6uT4 zMrn!gqVs1Q@-tc^&Inw?DMXR}WVb^;F2N&tqoY;9X{-i_Wpk~=8!hPT`POUpzg<$J zUN6i>yZ%P=W<~%OBLEi(Y<zQ;qs<>4yPfW<@qb;iEX334OE-DAH%6?_Zo>J(xgJ^2 zdDROqAN%kAh%bgdH=QJV0e6&Nq_Hox<-Si~yeQ>peIXl~6LmkP@-0C#-wx8{UMvxx zqj|0oCEug|?bM_0AcMdWB!lNBpfVN3&Z2^sP@(0Pp~vfkFF&9+e?kco6BJ>xkLhI> zEHONP5cXfCL(5=7$y_1U3Sk<MQqd(M{Ao3Xu6;n5x(ZF>?3c*{nb)$O{sz`7;CU+J z{T2U>N2Xx_4nI2XEv17lR)(hTsSGSnzRo`w=>BeMN~E!~Au(`O6sq2EqpL>uV_X04 zCvBorfvl%;$@gdt=pq_KDJ5Y9($8=j9r3LAqVEEkv1o!^4%x?MO~<<gYDzi3%k(t7 zWSW{qYMDEORn>`Ge5o?^Gw|(A=<WKufYA8^FjpvqMaT-o=xN?ecCVT`0|Wx-m7Z$< z7UqO*q+2}qG<c~=zGQPYjk_9(JuOo`54D_YA%1#ei}Kd6=O~9ppdh1uNW7nM-qh6% zT?OD6+y9yc;z0-tUI|)h5l)VMYvc31$+;dz-q|YMsoEQq0f6CuDoJ>X2sr2vvz!2o z=ez4H{^lpm6;su4B`rl$eIQcbAju8sM2&}W<$()0&os9u{UoJ&5|F*TO3V3B`Ys@O z+s{C6tpLcEfO%1);hIUvIx7t_FZC60fEi>-gW0+f;>b50LFz+lqZ+SQh>((tuuqa6 zmMd14g{2BgX|YsTSMEo6YRaWhCrPi!8e8j5Y9^&=oKDdFN`Tj8-?2C$Wt&$q0OJG} zy42e-sBqVn+HEPXu0=G=n>P4yuX1+SZTNEPc*r0r)4C#3C{#oqe<w+lmn=z>@%5pi zU|=tbCRA$7MNiCkQqd|g=+vqGP~SQ!>vC0Te>T3oR%|a$-l%8Uwde5luYiU8_keL? zx5TXn+J}GY8ukg9|M1ZKLH*SCr!y43;}gcM5o_FQ5f=%Z)Qz-wG><Hr5Rds8)`coD zmsDYsS?si0@J;-PzQp+#GcwwNU9AhC_LkH-RZb}d+B!uci-DH<8?B+%Ba0fKGXld? z&K27k6>|}mvbVyH>3cK1Ml-T1_1ABLC7s3M-pbMVZ(cBr70-GbkPjPBi|sO%+It#x zB$bsMnv1QP`YDx6(3NNLnmoIj)aeOgTantRzQrUdMR}FlDuzW4??#&zZ5`!Wn~kbM zzS;az#Vym+O5{N4&DcqFMOg-&`A8fa$$U<w?kp=irE9*F_`$yq5zdg$AE_CT1aJ@I zHcJ(pX9%29^jSsxQ%lQP_HtQ{DnH6_O*Yd?u;b@`UD;k7HOHkng`_oqpRlrRhNuCQ z9V&DkPBAx3|7EV8W&UoXUGh_VW8R@RMzD$Rc9QC%|6q;S&n+i5Lls`~%>iYjBDrZ+ z4scw=;Xdc#-VtzeZ@Xq4?;IkG`~lVNAf8yOpl+BhZ+K~FXjIKiX_$V~SUV$NxXqd3 zgg~}uE%d=oQy>Ht|CLhE`HGe2eMuqoq_Uao-qGo67^1NZ6!qxH*@u3m9K4tDpU>Ak zonfBS);vW#eHe~-=sf759YaN8*UfmlcHFu^zLgE>()nuW{5&9sWSQvmDd=rQN(beo zN0?+6c1;6IBgl_RO<jTuB~9scZN{jOGS84*TksC$k%Vq%C2|?qM&1b*T&Y4|VNLCF ze%SdA@;XI3C#<a0*3@q@QzrjxIz{Uvb+i=h*=+MjbH4J~%X%7Vri?ivjKTdLyRA)l zBxM2}K)!fgx#ISd>kt=Z=vl{XZG`*c%5lxuyu)+Zt)lfruKGl-*>;nTQ>SXm7T~%@ zaF@V$NbWePOFFg3F_{Z>sLU~0V>XFG0O6UC&SF;E)K63$Ix*!alC>SnEwYf6&%_n5 zX<m3TS#Gs++F06`w!xGpSV}E2k@Pj2#5<X!V?EwumN`2&-&$I#fT9I@k66-Ts;+6# zYyYU(Ao#ibwB$fpeJNP=ma6&M|7}7PzfTOzwFEk|CSxk};2!HNGkvL1qGlNB=MB`) zO`J2X_U3auMpLF0h;_T0342I!yD}l}#;v7~xEh(5*s&(`-Zcv0_5I8x)SB4|xklR9 zNhLUv9CgP|Ba2S4R!y0e%A>VEh;|40_6pgnX<8<MRYz;~FM##(F_qH9fZOv*SAhFZ zAE#iUXS;o9#Eh|5Nt2Y)(Tg*<xA(2bmr+WFlShiQZkq<bH3Xjl!?$}A#W@R^CALw| z_~Jccnex22CRQ1}ddj7<NOQidY~m?x-l6(q@IJ<XXk9iWjy=SUa~<Qu6|~C?HMqrk zzu)F>)LjS;fynDDe2pIFG{<Z&R_s+|z*EJI%Z=5kcGr9kp2bX`!S;rc_CFVsveHHe zfGK%0S8#RiRn5nFcdO*H>J`n!0Zq-r+btLD(KZ@qXY7K?$y|=b+`En3Nq5?#V7JjH z=TTDE_^p%aza3GQm)!L_LGfDv?I#zO3J(_I%dKMPD|)xOTDNq%4OhMPBfGH1V{mz_ zyo}Yn43B?0VEp%ETc6d1+Tw_>NlLu^dZY)PADeYqg`;|Be7ys%<YSG8P1g1bD#M&J zTiki{#)(gtLmHfDO4*o7t!VI3lHyFJ+0rXU7!?1AVELvxN`5z*;CPA<s9G=i99gnF zxF}k$q2a|LY7{l^Kpku9M;Y`t9&{;uDn|&?;U5xKw4tw_QOnIk*~h<uJZifZyLZ03 zu8>}uBm>ztrvXoidvDz$59|KqOffjh$%(zGSK`sd52e)e((}>_G;?LMWr@8U`BK?? zZ%oe;YwByR-jw|L%q1RW9$zXx)&#hFpHDaKX_*xjtJ!|r)>(dfDGlKoSp1L8$hwuu z)Cv|N`?4*wyZ_dqzd4U3{h~yOh~v@^Jr|hU$*Y?98}s$mlfOCR*-h&8>Gx%D6|W7B zElRD5yaD9^?h$C+hX}%+#}`8ygWw}WZ3-ke31CIa*;?9}@2>%Iv!ZUmUqVFpVS?m< zl{I?Z5c>UfXk|5GiR&Fn1gGH8qTTD>DpZ`P@<BK)ni+OB3i>L12%8aE1v0E)609vX za${=*6570NHI$+Kkn2Cd=b<pFw>N1)$;VF*4IrVfQPO=GG6{5eb<DEig5DS(EzkFq zmhCtD51)^KRV6zC_=ea>R*aZxKTPM*V^)|>rXj+;kQ2Msp!=cwANnG}pA)xicpUd{ zhiot$D44dbZf@s9@c+8H5n&q~$R?ymD{u7QiW0-+MyuU**!cl57a7DEzLO3S2Sre> zV6L;K^}IoRt38@z3d4Mg#D~Fy;?Bsf#eUg9Cd?M4UA{x=L-#kFn+o%Yf6-3}AlRo! z3oL&hm=4&egJS|1yXX#(0}l+-1YGc9DJ;&u@aV~q9Pb!5bj==KBGB}L0iuCi5@N2; z)1+wAB>{{IVj(CK;M4DG0uCHArPYD2hR}lidA<}hC5n@<2ShlB0)YDvEd_orK;nfW z0<3_|ets=KJ;tYeMfXt`d`9fXFMYm=CQBU25Ps={gs$tmF9Ph(UeO}$Szc?&D!LDf zsYz>|#rL({Tb_Klj!{nij~}-R;tlJs9JJ5ozQ=35ih)=_36K9m$V7<Jyc#cZAgoT3 z_`jY_L$o1x7X<I@PJ9`!5<bSLR)N|6HkWbT-32wxxFMw`_@2iRJ#j4$3n2V!J0JBg z!Y-swNTX(k6OTS0kRNcoFu(ZXo#}b2Fspc&C>RK+$yr$%w*|!JoXw6V^2en)GnKUd z+%;0A9mBnKrQ5NAMhzA(_`G;{OMkqL)pBg|92LbZSb3b!1)~;UD9l9hBeY*vD6j-* z3LwizEPcvMNh>^Z)6LYH;)=f&e26stY|_sUR9?eABRD3~I8v>w6J0JKR1J~HmtMce zJjTB->Xz$`5Ef^e#f`v-)v~c(fu?C$w&uxzZzQg4EUDow?#8c}@?L?<HbspXiFrIA zaSD{sm9AvhOMxAfxX`=h<;92#A6<XgYij`rPSq05gdO$MUyFC@bwL=x*9B{@bM3|g z{5%=Dkf%dD20G7wUHi8|34@Wk9rxKl)`qKmsRkILyw??oWXiB(CA(o$st<<s^p&rR zDsebDQXM{BWUN?B2B&8zse#&yO&<NO`<%{0`3ve`LA_vb0nmzZLwSFOtx|&WIr`sd z$fCf{pAi^4kSt(=5(k|coItChbf55?b}(?7kojX|UgW=h5n(}vrY|OY5DabW2S7s9 zrD+(I(4f*)5Ff^SIc--FLsv7Dh!-)|JVHgC*k(vU;enG4_NO|S8`CyI56r-6gb9A^ z?B$Q&cH|mwODA^S*g1vZ>kRnJbfUZg3%}IO$>LIBwBdIol6NA=r}?aJ3J5$h<9sk8 za(iJrJ&?J%aI$?S+8-%uUFjdOaAxqscxHx3P)3ae<#_j{bVwrWdP4)2aB(LF?Sq{c z>UR852kk{p<`Ds=Xt`FdITSRzTg#w>Fi#Wwyv<-9B^Noti<G=GH?vCh&!4`}SI>Qf z&-JFynWF|hAE%7h9*<p@8>oHT4}+xUJ7?*8`Tl_5-KcZ+U=IrNl+!ie!3xWog;dY- zqo<tukSO(u8nj1CzKC;iau{KXp%{wld?{J~!|J@f$vWr9drB#gEKd8xJ9|13a-ocn zSX(@ZiK@o`^!w&{!&9)rprH5wy7(88cnk-*7q{sqCIhphNGGp#QXVM<ah-Fj5x{+% z;yqD{H(!wsPx*IssiZdg3=z3QEiI0U$3^bxsn4Rj3Gi%auXbUt!c@NUS^K*dmu*xY z=K<E-bLz2oEFCKKYicsV=I^knk~FN{N{*o^g{U`?gbIVK=o5jSsxfESaf!~Pwws}N zF{<x;a<)a?DuuIrSWoyVBo8J3X0fYcB|e%ZI4Z9Nt!{kj4I8oS1F1;~3gOw~Bu8T@ zxfWd6{^fx^U%ZPKWTh3Ew~m}%O8o6+1bo(LFMaSl^YTALncb<9EAMD~iR5d!60eRD zds*q4wl~V2JKe`i4oALgcNNoEsfOm#e}rL8S<A<dBQ+<lms_pbFx5Oc{CUu;RHrYs zr7nFST(l=Jx8<&Bj|5ntUL=va`(n5c+5RX(bsr`<4Nr`DV~c@QIHBPu1}&_1RxEB- zv=g1?GgRRA%zF&Y|ABAX+S1B^Cwi?Ev_kb*3#8@r<FfxtV)YZdv34Xj8)VfZx2`ST znW`j!q4M@dUgJg8tuskbpL)qNj_^||as7ta;l=8;#Q$ED%TJNUuME?C%DMHO&EXJ< z;oK;HRS}=EA%;!nw5;tECav8$H6}+bhs_nQa*t>a?XcrvvfUVeGX_aGXooG{HD$(S zZKCUw=Poua@guFiOu$^5zF53Ji^ZZ=U>d6nIB@Zn*t{eB?{}jzn)E0IEALqI$G2?Q zh(_A*20zSINP<iyg2M-@!zvlZa&$%>ZHBIUm2>^GmGY0(tGq^kdz08@;Nby~JAt=B zp$qegw|2a`MzeZAs=BhZ8qq69E_aolXEjum!B<T9N($Rr6@Szb>+DQ^X^L(syXyUH zYlC^S{a3WXJlrEXiqAIGW5v&N{h;&Fn&2BUkDDJ3TC@&w2<0>Iaf}grGW$qbGr8<J zJo~Ii5^30l7KAKuBWLXyh~X}mzuT!Ov=b@1pl^MSpPR^ftT3Nem@b9bTZeM>8>8N; z|NNqBi8J<y{fbBkV9mho%Hesyt2@)&N-)_vhnl-s(DJ1HRs-j~wU3%T@zd8@>fSU> zR3O4*F~oyeYTiB32}`9di6y5+h3waED*$~q8cHv!;D{h`j_TZ9&8dIk*FJ|4XZSyQ zgVu}~d&34tkP*!nTRvR~U8n*rRr}ZNu2gz=7-mB#B`JJ4GH%(@*zw-5oSd1fvGca% z&5GlIhuFX<J_VA|P!{!$W%QJx<bi(m*mSEb;|vv0RKrasr5xL^EYd-Hy!@s*a<Eq~ zF<vpbBwZfxfcEyq%x#GKgp3|9#Hc1UM*0>VT~)GD{#`7kZA7LknL@Zl(cnvMPKM0T zN3uhP8UJ0j2!g5~C#qDO4U%E7Hywdn_O@3?&0vk;t~Mbmn5q;y2~(X)+d+<CA*Bpi zzCe|Gh9a8p8zOSjcWYTAqy#gD(qLtF@8(+_mJ^&zY|Ayc_B*B3*yRQu^%B<}`DGee zk8Sm-4n`4d+U++f?sp&~7E82T617NbFCmS`CzZa)pI@hca5Vkf2M$uY3gub^WdJsX z)u1l^Z#ozFg)3Nfk%nbDv)`=m)1KxhsCC+B?2v`0f4w{Z#(tPM`*Y1A|HXA1&2xa9 zdFui7(u$zu64mhBz|NtnyP(bH9b4pDZ3beJItLpL{>JdfnqiZ}AcZ4ePc8LQBbTF! zp!M6}*LUU15`!lFO!~j_t(6f*YNJo;9`RaYe1AHf|HOM}><4|bjO|b^`XN}6RoPU; zlvU!-s=kR(HUCzTW~XI|saZ<TACPDDVmoyWnPrUq!@sKXpfZb~S}VP(lhBP6(cSvT zhR=h`@?s~)Yh_)HR=SebGWT!N&<;}NMFXd0B$dV@V|HZ`-tiB!=r`_4nzHgTTJ1ZA z5mD-6Ld!K_oSH)M34}$B9nQM^pVP}WBmjU2*B`WH5D8%H*W<jo{R`H`qrlp>`le6+ zC8c!-tuPz69|uX%nU}9nlS=1J@}pY_z$dfCpr$*ef`OR}nrQij<KcwzzA^83f8DK2 z)(~Xb*l+iW;}H3aJ5-R%b9!#`VLn;6qx|Y#HOACFQ1~lo3&UbqFv~pSZWh=nxqV<P z^wc1H94S0t!!}-x*8*e=B1AsL*NTD89NBl-^X>>Tw!OY*4?Sm{+O{?zJ!QKLt9Wg+ zb*!Y9a6ES&KW5^7G&YY3QmjxHdWlwa(4K<y$S?=r>t!2RmZGuFl<VquRsL-)8`DlV z*L9Qa)&DJ-d4+S{=C(h3z{+PwPq2=S>C+5xZia$|{bSY4+ig(8Z}x9NLynil_`Z)+ zFA%Ga`{{F3&?%QM4fNn0KMFEKwakU}N|DiyefggCa<6%J;eYrv+I@t2XA^VF`}T)& zeX-ar%Cfqb`kiN@L~Ej`Vry|&i&0=n_h#$tNbX{9&Sffzrrxf{oSwvlFWmlZd1*%F zGe7@bMC2vF|Mu&B|LbM^>+4~>E|-W9A02mYm0=!(*!=NvQJ??C^F&B!D)BWEFQ2Y^ zbyQ&B{A`EV_7cn9FJ^vyi)4Mm+{f9D1^IS>><aO=w!rb%1(%o+`aN`gH}P1usSi_v zHiQ?Y-BrkiCa@d2g{RNT|L-&RazLwZ=k`UegR56WznZH6|N7x6ii}6w>ft^L<~owy zokN5@`b1H9b2~QMw;$?5Mcg42my%Pqt~9&yf0MaI)^Z{{(3}gV0=Vy1eIq<k+;gVv zx%0_!B#^>aCajo;w7Iq2bt(syBU4o=b(QWn#UuUDo(iVL3`4xj23aDt?UcprgLQ_i z5>PzIrbYcs@1S;J{vvXdlHrIVn{>X%`N&*u0QN4HHvx++(Jh<oF8yO400U;1`s3!c zTC8r>w{=MejP|iOh4VJi^#k_}gV7pto+W@W;42X$M9zN5V&9x5#pL_G==t{oS8`Ta zg!@eReP~FI5wPr{Kxn4E<S?>X1Pp~BRKxyGT=Y1pkYUumth`xJ068|vDL*d4V??c> z#28EHbX37Sgy)lB=o&E`b{(jpaAn_iMa0M)lK?m&V2WsE&Oiu^z*<4vbRu-v8|fXO zw%Yk#;dx@Tu^!@SMR}QxFTzUVm=Q{P5qsqa6_6dxGP=uRKgg5s{>nR2u{CpYf?UoK zo%<#gAd`8CM4!VXl+$h*>L3LrPaGtY54s6QYt2K`6^C1u%vgv3mLU`Zh{$OZRTGs~ zh%X3Ohuz=JmX-NxO${So5o@>GB)2ss$6+bRV>4W$+gzBO&5d_^-i8j(=%`wF#<{|t zNmMGelOK7KrroGF$H}uB$4#(xoult>NZD;MUY=R@7cs}E>Gy}J_Zfv=+G$_5sBX&z z_8WENoiM{lMNg~>f5)lOnOC%#{aI{InYp5S!mOC<uIQaALdlj^3am(_I^~CKt_|ua zjq+wq#4#y^_M8=GuwAR*oU>e;qHh|IT+8oiLiBRmCJT)kJTBfn?iTLE50FT(FYm2# zADr|s7qX;FWA7Nl8*)Utvw=Bckv^m!na+$UQ5-q-P~4(~TGT3&A;%;cw6n9^(V49B zpTvc(el}RzP^-3K{COd^G|sq`rm>W_Wk(x%0oAAn3p_0Y8ckUnY6DR>O}E{wwC$~M z|L}Gr@FtlO86#PX8c%mhX|-jb)lMi)Z~AZCLR?-vZG3QE8l!jhaCjxVdVR)w_Re~Z z?xJ5FlD|{#EJDFS>G@AU26f1ZDq;L>Av0KKd3MphHmNMIt6;Utb$UVAxlSF(6CMb4 z9N@7)FYdgC(0ra%dA`D*+rgXLxhd*im&BcrY)2i2tU~Aaz#vQ-_Ji9k(zrRHxp{=# zb;*_V*E7>&g!g5J-=<x4CMxudEb$N9$5WEO{MIg@^XG#iEKNRdu0(eRy-a-mUGSuu za^8()b=E>xgH~6z*{%kvkWsaTQLjZniQ78AYgC^vm+a{=ac^*cK>ap?G4w8azpm<l zN19GLP9xNk!I$nAyvD&jBpl>kDy9en?oeeQ*}<ELhGh6{ixJleyf}ej^Y82*uDMzI zHCnY=emUhd-Kxg;)zc~(JQ$1Cu7684re>W&>8xYRbuhInP5=^j4I1idRqbC=>Yd{1 zBQ96HSmcE(er@SK@rIX|J8P$gYsfOq0o=B($!<N!{3lSkVrAxOr-qKl4$Y_F-L)@) zm)`@o_A7bNAN*6j0g1v+wLu!u1?O>SSe77WwhY3UcdAea!q`O3kp!pWQCLi-!Dp$T zzWCMyxm?I^HZHW8uWy-M(;1->ic0H>uqqj~JlO~)>IaN>&mV`%N{4~5hd|TA=$*q> z*U3fv!)}DTDW0^sK+B+M_8Z{v6X`_XXW9iNnwBsSE0KxNwWgy|wa({#(*W;wqzLs3 z@_!hi{}5M;@5wSO24G+-k^e8`%Ku4R{WrPte<7|eK0I_Vr*MU1W+pGgLkVP$!NtkY zynj=)s4_*uK%HY$n)Ji1=z~?X=%4{%B&F<DI;F9EqE-YRYt@E~wl+nvM7FQ4o<2W} zmiOFiH`}jVrzg+P`K?zY*2_m9*bdA5XsODr%3u%%N2o_><1!Pnh|@BX;lM<v)9&(i z@5|#}cmN;gzN?89Rk4a_1KubatKwX^Y+ka*kweO|-$Y%sHLl{E{n&J^6^R1>ipSuG zM)8|IsCnLjiBr*J_+7vDwDH5FkD~u740YipCsf>{!AuI`bS5ZFo6VrKDZ=Owm$p7! zkP36VVdQVkU^bjq)jDy}X8VhcG%RnZTEVbUy>3v<P`hltbh1>poN7OxYB#Hyzo^Z9 zj7a!EU4EZweJ@4(aNvQQm5rR)igZefPv=PRo0Q;J4<UUo-nf1&Rd3AS?HI}YSY~i5 z)_zXu$s0E->=8u^*7#F=+AIzhd;*px_VAIBExSD%N^>7XElu3Cdeoo31>=w`T0jv* zfRz_4uzPSNN=P@oqtTRgy@%n<k5|AWWwk|;<1Nvuo!)8=qcLpUD$0Da+jSCGnM)<d z0zkh&6vxv_YE2@vx_c}b4U5QFd8k9c(m-Tvny7DvZ(s$Ft4~9+(^pLNCb5JH(4{2- z3U_R-`P4lO<Sy+!trK<s-18f@+F>H}9H+VIi2bn7-l%GsQ?cLTSwHLnHV0S``pzsp zXWB2q3S7kl=6(q5wYFRtuabP&`J5zg4zP5g^?U$OW<ssMW~Y1B`g@`#6kHDMJ)A|i zP=x)vXjF{S0-yRfgO*ndJ0d7gPiL_}3E0PI3&T66Kn|AmlaRj^rq!;KlGe#{%BZe6 zjaG<eWqdsQ2%gEgxKnPQtePMWiNHfd;W0zSLxe1x&QL7)TY2bpMCfRo_92bVSB(yh zI)IddVS`p1r)FCgqlZ`9Tyx=)`<&i#2~+JNSFLWgp$L)t5wR;O-)@|8r#7jJkLPsv zNvO{f{ZmFGN!J947mtuxZF_*KSBAkgT>GWk<}UW_$lVSs%l%g4YpV4i;tXodfN!`H zn9?y=SRwxam-m2q2Ab=`>dvLBE~s&(pZ4!K?fS?Y`f|kZox{%Cp~s^w`YZqQD+=7T z*WdB<gQHHXwy)w)FuUJh_5GhecRw1FA$<4V?=T_74{~**`QN5d?JADD+Nxb|Z>Luk z`0I4hhbmG2)FLAouD>J}-5qd=jaPN@6P>x7t7<PL)~;Osv*tRg`DUrVoIJKiH*tH< z^WLik9t%1LKQ1BjJhtU94`!tl+@u89)bPm7DCe*TN#gyVR&FFhKd^|8!k*#9)0~3q zR>DB<30QBS(KvFxB33}_?5J3wfP{ny0NE7@G5Ufu?g_aQ13hg)zz$%svM0QAo`~K! zDlMoS6-kU;&%rdnLb?0gmZwnmI5hesC|q1_tUQw<CuD8?5R<z!!PdKco@7)XCM5F5 zyWaW{f#FoMvHD3_>WblC`<d?Co3lIVW6;>%I_1ZsH1jG!)YUJ=RUF+$4t5#r;U1h+ zSH5rOzT5FiYW289RwCy|9vqd2a=j@6YTB1igQSudUCS)zGG7e6udNVloy`G%jy@ZE zAM0M2l^4;|PkwzkI}>5xLLp_$y7y^rgYV?RRzHyTp%MYBeC))oz-x+D4E@Ys3hSNG z>oJ4P2j7M;qi!lF_w*u$F684-NlBilxN6yKP5M)UoEKn}$MD+#yL}`0AxqQv7Fj$t z;x~P?jWA)jNEGrgFSsZUnn+RlJfXc-PJ4g)RhCfMYVf}U?dbxJX4_&V2wIVBYe*Xa zcdB2=g9C&SrFle4l?2nhg4H+gzy^-Nyc~j-v-!y8I_V5yBIk#T$ZJ|k8bMOEM;po0 zpK^jq4f@94#}ar=li=twe>1dO<>}bay;!8St@F-B<>EP}$(mC$AJAm-Q7bjc`JN_V znWlRNr(?0mzEUa1p~`xnCN)jd^7RRwWEsypT%|;Hf3JN|(8bNfK+j8B60x-1)>s4m zb-$^=ge}1tDH)L|mqsGyb9Px<aHgDUkd{`I?c{c*V)EIaAI3+w#J5G{$dR94o>J;< zAq&yU>GAO&8G4<wI+MX(ie2mW`n%v>ENqYGZuWMJ86gdOPSox8bUa{K>~V$PefhdF zfM_nfNznN=uT#!ozE>ApYDm&~KhaitH8Q6+TG~C`^=N9)x9*I&9e-v^<~KsHt*+f6 zBcnG&<XFqX#6xh!IQGqBf`5F5V0_|qKgaSiqd718PFK*>#CLl9H~ciDOP-W6YkV%N z?fH=PYO=RHZDxE{oAu<-t#fh?t>P<VHmA#cNiqjbs!Hy?-EE0bdvflwQf`ygj~Qh3 zWrnh>y4>4#?;mp`Cx^%jKHSRdu1;%>lnd^UDxLmzuVcvz(bFmc059noj)kY+|4Ku$ zjr^U%?~*eq^Jf?X1YBpbGn0*`-`~BL8n@Z`Q*zl8pm!S(40Su=6bonxC1;2&(ilv} zdstngnOuGF5A`yRmiUjb*AM-jCkZX`X@S#1mdWYUQ;10Uxm#Rc(qrd+(=W|JRtuez zmy3QaVI{L>CSo_&!AJGbA>ml(u`JK*ZJ@uCMJ$-V=F72j|9nHpG0;d<cQgO4b}^6f zI*=rG_bZ=;`J}l(QdN!JOKLp!biQw~^!`s$ca=O-TI%B(NBQ$?&e7Y^`6i$B>?L2& z+hGnrJInQ-F0ti9UCya>A8VtVDX*EUnW}E#E9pCk*Ei@BCPbKSeX{4ag6F$|t+HFc z*IQg^L?)$uLY>>}$uN9wL}OmY(<ws>+aBQ1j~(IZ0r^fTW}|3)<><0D#x+pSF-^c6 zVt<j}R<xln?$e`j&Yb1V35c3GD4L;@<&&VvQ@)it=DC3$@{f1)1S4!ZavVJa{`VG^ za^LIY((=*t&JvcINrP8+4X>m6gBbh+7Mj%bv2Tp!X;;}sd2FTcKermP_0t}VI_(BW zEYlVz%KkE+b=m5UgdfD%PjCPjNxR(JC#DamebNFnYn}L7-tP+!QX|r@1Uia5_HL2m zwH|t!UA8w<S+cZsw+s$ktPhrHtCV|nFXkJ*?X6bUooc4CXkYmBoDRP&viR4LyxTtX zkX9-5)LwqLKBPDz80ugT)e>0h9{kYL{9)9*UFjXEzKEZF`aS)Jc0{G)#;I`2qSiE* zb<q#$hw2xaTHU2`s{l_W+umlaiZkh01MRG?+L_<(Z=<z7nQhZt=DC*{?%N1IWR#2p z80xrfv}!J!)`U5J*8Jj5(Q^2$-(#xbWvDt8u3vTPR&{EiZTH*)Xw+OdEMUm)so>u1 z09L5%l~t5;FXnE#9S)UQ^6)Ght_wa)AL>8xq#JE^eQn{0exREXBf%D-(3C>9GbbFY zc7=iuxfPg*mvL$6iMG?H;E7dWV`cVP5hSdMVS`g2s><TP3BR;J4;xUO|EhpswY664 zmrx8)T!MxlPp^|TSVc^aptMynKo7#olf4K}sSoAN0zD2clC;Sy!U>qNizq7gSW}x1 zfQjcyV!97zHM)iFx%ELQW>ySN&Lv8M<_-8g%Hq7a4T)-tljg$0+PY8;^%S)y3#+{6 z4qR_uU)uCy7>e<dTwrv@(3tzPaar3e_t%NY<Cd}O%ztBdY;c9z6fif2|0XS4@6yz6 z5o`6wEYzv1TB(MWp0}XqykYZ8{GOkwm`pTx#66Ey{IK}V@4(9s{$&>sP9suk9ME5| zH6UthTfn-Eeu&3TN-*X?z`4D=v&99q<i;Gq+*HJ2J=d>IDHWY~oSf)ZmiUa=?ayqe zHLy`O6H~_KitlDi-zXok)fM>CH^#g2cV#8if4mQ`AqKMs1o`uM3!@T;{d_9c)gCWl z@VaFYS`%sUo0c2c#8!Ht!4&(Wx!eVMdKE*psnBu%+EQxjy6&=YWT{@cKo6||PYf~f z<YBGlplVBrmP*SEBmdN-@G2vZgrjef?zJq(u&K}kcz5wW;kHd<ai-Pjhj;o&7NoUb znP~o532J$k;{;oLo<&}^eID<yf!B9qfPo1AHic*S3uGqrU55WIBjP3g$G;?=W*E-i z(J2cfa4gr{xdK8{v&jBH)_+yBgq_vM^2NWsv|+sAM`_T0$KtbI6{uNjWD#Z#f#J#> zh8^{<?>1VSKJ8`w<Cg8UNvHe0k@7u!+y|S)jd|RSvud3+o!_6JWj0Spj-K$pj>y}_ z^-(>2UIF9bZzC{9+!)OSY$7Wfn=S2bGjL5Sj9uo%kCqT3Gz+80epQAPFJ&*o4m&=b zpc%lTRYpm&Um87*z1g|Bt??8acRg_1!JNo`B-(lRhUk2|@q%>iPP{EcaO^pVIPK^N zZEySybYbGS7wD^0xj`fnNlaKog!{mz`**_GM<h8MUDSR^n}eJHB@0=1%U_vB?)_r$ z*(*f1i(DDVP({DaXOXh-Sg(v)Iz3{TLomX(9?_U=1wZR{R3-=*Qw);pA+v}pDAWP| z7EM@*&ef#)eL7Y9i~FF)%}eJpsddsadxg4U{@@sF;U+{eWX~XZsk7*tc0R#E$zp9+ zbD5@up~&A(ZaaXXhIPm9rGJ~<3*p@kh{>BR)a{lR9zS_4a0ExrzlZBScs)hXZr)9| zIV$k1`>%c2q_xlZskn_6pOm$a+s8+=PKMBCv*eiM-EX+gNvP!0=0zn7Dv|hD`Gp!_ zvalf{P)=pPWd+y-DVihh3D%un8R;4`&eGO}xhSMHKe4G_Ss-48A$Cbjbywl&(xmBo zv)sTR_=q%6ZksZ}t~{HdKyi%Rb_WMCFtWV8h9mgJYQHo+>qynz*~8Z(TwIP~yu5_# z+OJ!rcJ@2U825ss`@eM8j4Z!cKGkz?T?TlCeq|MYu7*_apnMGvR);+49F;>`C_w0p zgZFoS=qEuGd7$s1qPItklgjfSsGM+`n9)Yqou%F6iqksd<n2)9AsKMcvNn;ic4j2! zlV%tUc-5VDdFmeR-%j@^@W$h~lc<`S`!3SdkB_wSk9kNPO;m+|Ql|y9pz*hXx?OC? zD{BS&YXxD;A>zxhnwu0Fly)Q=v~gQ4d@VK6gJ}g%9wE%j>o6iGr#@W_fToFq!ImwR z&L+;4xB%PEJ-1~pT02}Gz?9z>*Bj%*9*XZa)0b5%v4`Duz;T*iRra@4<xI13`G)n! zMTe=0OMxx7fa}t?-Q`UYv<<4EhmX0vTSxTZjoB+95{Wsx@G<ngX__{^HoAxrLkqhZ zj(z_ogspLuI4;y_bC|bGXqJYCZ3hRDb?TB4a;iyss)<Q|coC}j33Cs4p-a-NUCdKl zypAzu&T4g=X2iNOm6ho{)5gI8GbmGkbkpb@VlxN|vxNZ>c?zOr;sI$%pgK`Qhk!4Y z@rbMUNZi%<*%Ic=WhRvi61)c|{E3&P)l8OcoWHs^N&X^Y)XRCp7Cm-%I^*fZLNAYx z+*OX{yOhN1U%PY6mKGIdrhvyRVR}M0Nldq-@SD2xNTl_RBWJ&o@mb-~R_WWMoOcvy z?ow%g*{BV#6?&=FR{w_SBv)nBQ9gT8%wdPqx91}Dhm{^}jcFQPH9nrAfm-Rs4ZsMC zOzB3<kBt4C^gW`t-^MzwB9EKDBUY#BpWbdPAd>N?<HyrqJw9$wKm5uB0(`ecN+eYc z=`so^nFGy)nd9iuuuOJKq?m;f4d5n@o2!qV8jq`An9IuM8Vu6A<oWyK<*<hszr|;Q z<d2v<Z0||>o?>j>U3Jgc0-Zc;E1hEzW07%(vjBwGPE&y+B=ueHz*U^e@$WW!YfaQG znna_dptTj2X-@7-xnTVtMfw}po)q+3*757G)Gw_rWNiKg0deb(gEuw0kmdv%AJ)he zWvE^J&Y)0w$f|f0#tiQ39r`D!*vks9kat8FYGRN41Od9PNFyypV}0>$|D|r{9h1)- zvDiCUKVA--i?06TUou25kV6gqomeEF3^1))$UB?VU*CPs*Z5ObSS>Ef$d!162zXGu zR?clZ{C<CJ6<T(N(`=Id=x{v_{m3Kzn}_Te{$`91co=ZnO*(pP9n{MXFE@JH-M(k< z=I;V6U0*O6vE@r&lOj9XlWbi(KPSV&IYsb%+`e9KR^41gE<M3_IT~qiQ=u`5<H)zY zGLUz1nO;1F!W)MUm4`Nv4%l_DrX)atFbJ?-=P`uIquLZbS6S!AH9QA+*@CIxEe<ax z9!Fv@^Vg^^52<kUyah68Ya4GIc4!v5k{9@?VV}K39^?VHD$GdMblPPlVQc_6-?T@0 zU4o?DvmCP}4$Iiqx{&gj@}P>a`U*%vUt7rU3osmd{3m8XF*4viKRZfFV-@xJ|9IH` z(Azn7Q)_k*73%>0VQHsrKZ^0?XV_$%VeyydUs`wk$7Pw?zFvCyhlQOe9F_6>+)A|R z*awGzVhx0Zm<>cJfD|e~RRlu>2GO%Z9`-@#Kromf^Y+24KnV0fKL)}Q1yX__X+cO( zeb8+XJRlUoK-y~vaS*a^Aj>u6CmEO<L{I?-9E72$_AIg+tWY2vR0tXx!hk4mB$$vG z%PiqNcwzxdB*cek02$0284MCwJsHYSNRSB{9#VK<p$Q%yigX|p8F&;KJXHu*0>XTs zYyt{<9~~<}47j-%4IXTXiQpK-DjBRI7-l~eE50JQdOs&C@g&$kgozBYoeXt9WVHYc zE0{tRNnVsb1M)D~%S2cQY~O@j2MQ;Ix&Vn0`k(+pBiPb}PX}BpSkr_{HSn7%@=_oH z5T_dQOpIv-?6glB2yX|Y->0RD+7fhO0=oha2--A3T|xZ+P^Cc-oN91!0XPxls2C+L zxN@*Mh?5s`I@lE?*apT7f!zj`)o1AhZ2-O8=l)Ltf@<xvcY@u3{wFBSB9R0}fY3dW z@&e02_?{?6f$1P@Pvot@RuHjj$P)<C2Aouk;TcLegayR#4AT=r3Zi|6_Ll%7mqZKU zr6NN<73H`1525t%A3sSt0sfz#WFf}=--ME=f(>*HIqaIKz71^qEXi#Fq+6)(KRl@r ztV2}$80Np+BqLS0?n2c2F#lOnm_B7zG(fl*5b+$Lv;PtZi`8#}2O(jK_YX`0(w;;6 z3<|SiJcg+ONzYM-|AQxiv*L{Od-9^81c&UP@nWHb`~#XYz^GZ#Y5FZPAk<9>h~O7Y zVThn*2HBh#CqwrNu;L<gSqTsO;GHOPplAo_oxbJ3ln>%N(d0l|vf>{0`|=Xv^oi?0 zMVrDihPi?acu}V#5DSQyL!&`vZBS|br9dLBKKV8z<_HFmd>cY-ID!sz)eeCU<nn;K zlTdXSp$YMS5lc>p8wh7R+-<~{fdV_sZG`_!r5)imQj$Q}9db`Rk|23cEbcz@YhJs5 zgpHghLSDEvNY@kPU(Y#6>UVIu31$~kU0>BTK^KZ+U-m!63i+z9^O~d!HT!=9l!QZO zb`YO2dV=eA2%m9!LVi4x_y;mwQ`&{)gRK9(p|EX`$1~(-XfMd|zZfMr8K@$1Vo4dK zlIZ&cVRq5*F*vqFHg++_A?dO)q)bXgi>T@Zu3a)hi|BJS+*L{v7ty%L_?!d|3^LsP zUmFPmx1xDti13L#w_-hGs4vA}f8n8vrs?3^#SGPW{t`ckQeef1tI{Dz?9f3xNOr3_ z{)Lq)>Y+n;koZW%lPbpJ1RE~m#fpb160>0?2o5hYwc#ZQ!bpIkE}}|_`L6m+UV>7M z|Bq<#tPLkjtW>5AQBu(j9inA15hu8kWb*7kl1WKwVb+Zka!Rr>0qLMfFeToq7(yfR zzd0ovl&t8(!WSFxq~b6ebiJ6g0`?}X)M5mUsI<ZZ8)&^Kt-?jwph{IPy^tTXdQB)b zGR-!Sl@f$=G)?&SV)|-AYvC=$#5S~RVSr*G8<w?*$70B1GX7AMVoKSlxFQ%gBx0G^ zV<`S8<-&zyB>w2>!n<RLj!2DTj346ZbJ%X!h7!wj$ZnXM;;nPUZn&EgPih?Afh0vT z$86rgc}3R8eBMDuMcT()-XU8>9<s4p#i+lb{UmGt$w@Ii1$D=SuW|kb`Nz1gvEWE% zaD%Kwl&l10A#-dnWzi?5uNmN0k@%*HlXx8cI(UQ}!;`G8lMszV)vP~bLRL*$GKl}F z<!mH}fqZ7Zlkl!1P#K7azuHYNGhh#+yiCO>3Ge!S*+eEu5&QT}gLJGJ;m(5HhdWF+ z>q#=;5J$v;s*Fg8qZGhA9hPdICD`bpS2Hyok!lf|k)nD$J20H+VbhxxQ9CqlJi=h) z;c(NzdUPEKntqIWDn@*T{_pjic2sF`mL|o(xfMJ+#<Zx|!IBkEM#PB`7a;tKq#Xt~ zes-|ZaGB{sJ^qTK9S+T)OT8c?X?85ONth10R!pi%=?ak@GdF5>JX7EPintwm3!Z*( zs;NS~OEpB*P@3sPJ@$&c9d-+Wx{0O^R|`y4|B~4m@Ii;E1-xpI+bkP6wSr^EpcQXF z*kUdK%w1u&<7t6ikG>duG=~L-tdO6x0-)5*Wa?qg@c=|Whm=id>(y6m&yfH)0ui~R z%qF;O*Z}yS1I*^yz^WClbAAA1XVm6^gSiK=b4BP}cqvAxkHjn<IJ$y)PXCDH6W85m zWL5`UULibZdPGq-zp6*oL3~92IV^0NU(d3leNOmD{1)^v<Zs&R94JAwgBQ04r99~F z#6R8V?kr?L%F~DJOqml!xJSc_XuVg~hVKxk4@zspc8GO#BHX}f9c*tCnjR!}lF5k| z*qLqv^XNBp=Gh>A>JxHiF^Kfp6K-R<jCk7v_oNj>yNZF`F}$wz<mnRFg2dhF_k<() z6|uA93AKfJ74|gp21@ia7DTv;cp4q{<Rl3}?K8jO6(k{zL>++LlejK?X7%M2hEVCF z_N2%QrQM_V{FWCUKeTXz<clRtKpGN1%yHw~hD920y|e0xA`G4%sWL#jr+!`W%<0Q7 z44EG_Ghpe-oELGl*LVZbg~l=veS^`3l^-%Qe6(|S1Kmbs9LX|(yQgr??n`eJrwvMd zX7}amfiRA$8_?cE=t8I)Sq5=E>-iG*kkk$HfZU&@eKC9Rw}Tyr&u;9W0lu(3nA>4j zBTpco8^34&cQAi6kx<f+c#!-%-Buv!VEkU}KMjz|A3-EGzkg=;==$y%`kkV7fMrMN z+43F1AG<f)c+?TZbEE%k|Bm91+Z(YxntcQNEb)&1i5CzoGMv9NbA$V=@Q(dS5D?Nk zyuI_|UFZ|sv0r4j=9%`L;}iPp*MA5tk?Z_tmUkX-I9W0XN~d5ln@|)nTD(x^LYZSs zm{4+4Nmh9Cflw24yMYu|%1L;{fg~VBH9U%`#0mxgDji7c849^0dks%Jkco!I9LlgG z-G)i>&(V{DgLfQ=xTb!G3!n%*mW0B{jUp>ToJ&2HcBA!1qoBxuBNvZi{nzhF=8e%E zxg|+Tk#wveiT)A!8JZDEV-^W6$%rm9gb5iXHe_N3$CiR8jYKPr1|J$KOO+I9K@lcP zJs+7U$)6||Lm`c69$7C*!xoo-u@}Wikv&FEgN7L;H)LUkz?PaJtw?Ky#u23(8Z$<H z8|iDtttN_vAtlMCCZ2-f8reQ1XeL}An1G2GB{gJb2CpW~Nc|@Yp(sg5nvqrujUh^N z=!dwN2KwR<K~cDlLN(<QX7dnCQQV5G9R)Y0eq@cLP<`x*@;Mm*qcd`Ih{TMgK7K`o zhztcIB64sDU0jZcnjq4A$hjzyS1gB08NED;V@P+G$T_b~)PPE3h`Q+C+|_`*7GpW` zYzTRm#yPr8X@mR{<0<k@lH(@OQ&y0I1XCrle28P0?<Uw&u8YD5(=oDjNI+bvi&hwo zX-K9h^;y!FrU%V9>S_pem-Z(5SqYL;R)RAod;yLiwoIaU0gqECOL!{KN|vLD&31$n zli=r)BbfhJ+6eFm3X%>gF++58G($84!>?$CUkV5dhzxSUP{Y*N1WAG|Z)57z!$}%Z z;pF6A)dd)wruM|PVAzW8s{ab`!omnToKEIjdOo9=lvQSa)78%2tLqwMl$k25jlM4s zt`cV|D=8wbmx)`dhctV%aGKk$-!nvqd|UT+AdNro5bEWv$shpQzYg1`o(u=fGX&rM z4Ea<H%o1BC%erYgoAvLuho}C_@0O$b=7J4-P^Yga_V93|x5hsIjbp7$Uv0yg_;VvT zCI;oKf>_!IbuBKS!$zg**eNWl*~ZwP{VsofS$MRUxY^^=!=KoZiEBCL(R943noiM? za6jMYHb4kFNkLD%=4N|3Bsh32uj<#Ymc%uZ(q7lat;$E(^D8@rPeyfp=3%IhH{WJs z!R8X|FGl_K+)obaa4Y-qqxuheM?wYZ&kVbqjGSaPW)1;zT6e|MmA^UF^j9}*6}o)* znUt9G>X@VZCI2>|%W2}7U-lfS8!*|~X=&odW#uO2l>SB8sbZ9KlRik~N4?+SZ^z^& zNouTU;^mYkbI6or6(;eLvyx`HwZu>N|L((QsVz!ZWYW(&<7e`TVK%5Y3Sx{0EsW8j z+M3-S4<%OUR<czPA1&piej`p#O(y097+6V9w=p&=1Adrkxp<2MegIky+1H3k?~`aP zEcX@R=O3>UlM;E^T@3)r(k_4y8ty_r7qD3*@YCzkKyWuMW5k%in*d{^&o{H{ZQPKr z9=!LbVNfp%%$FbA^Hp^J|8@yAfbIG5>vl@?>FfQ6sCla&&-I;>#hWx3NxV$Y10_lP z#NMs>b0C#$-yQ|B9Lc)hKD;WUoHG{^{5WON|9n_|3uMCib%ifbb4$x2^<5cwY%gnt zC$QJg&ID=e!iV`=W0zz9g1~w!+}Pi;397p}Zt;I+3xi&QTk_UNDLWlzj)rf3gRhs( zME@_&-Z4m%sOuIi+qP}nc6FD!y34k0+qP}nwr#tfvN`pB_nWzQB4&Qvn-S+<MrN$s z`|R8&&&stxnL7o~Mpybqo@c;Hu^Zv@u@yTI04p2Gy+zA;2Z8G;5hoYBibUl#f-CdM z$dH3p3*w#87dIyup+oq~%Dj<J1daILj&s?;JeqmN^y?`(lOHEfO*6MPl7Ou5ES(Vz z*(udc0Xny&P{IX{QNicKZ}<HK+3}*~7n_sr?ry6YbP+4kCVm;8lkzTA0OIP-n*H~G zrPIsTf2Y%Fj*&&jg3mCL#d5MI!A6cfKpjYTyWcX-#`jk$d_&roK^t&?9hJuFm?YOz z%Oty?+D?-Yp5$OU#7KJhxub;^x>Mk)>fEmkELje-;`VR>)w=fZ)?NQyE)lu-HZMn` z#WJE+qQYfy&5{7~1OGBd7S2B+>_Z3lqiFMg6rXg7p5`8;pSn2;mkF2t#a77|?{k&& zu4vX@RFp2O;MM3z!i&g@Wy*veFm3S_QBbS0a{tB$A9GtGHqy#2j)Aa`wp(OG5(=q( zk&f1P7P8aQ(z4UCGt<(t(gFk<;fDWI5vQi2|E?m;KUJjaKUIXT=zj+LSBWq#hvn=n zu8hq3+Z$!G^;&)Se7lmo;E)q84ZEe)d#aB+X$R>-S(usLhDxcWdF|7*42{fsv5qFD z_U5v~yQ|>};MFO~Y0=kep{9aPTkV;$i>=dG>LmyI7pp0*7;CmO{(4OdeO~gvkZ4qM zo$B_R^gi+;6&;`IBKm^*)_kk>A}9Qny&3w_($m`Pb-l*tT)<07#8cxu!k^N=5l=^y ztlw>30Edr_-ySDECo8whN)A<~gvp)b^Y9bv5U(fMA3BP-qvTcp752ToJ*yd2GqVjT ztC;znHgg-*chD!7<|d!yGWrz#{%^1Db;j&}^YcE*RRD!=>;jR7=EM8duf&$9BA|6a zfkPb+WS}n~%>>W@IG}$+y{DYMlENj(d8>gVA|M)|gTev?%mc1}US;CR6yYQO5P&{3 znAcvz&uS?nMq7izxv-aBfH(?B_vJ_Y)8Q>^kpZ8o0OAz|1Jwq4LM3j*g;r0qm*NB) z&M8cc;fWI{uEdt0n+pu(1R3#$NiClzx$hHEUr=0_2psDDs7GVqhM5co<tj)RmXwGm zgW&^z;S!2u^)<<tc+&3GtA=x9^#xU~CNGO6L}B{|vhAQ2&)5Nd_S0-sLD0Nroui{A za#gJnKMaF$qX*sYKtKJ(eZvPnI|4<-M<nKA4N}7dZ9WM?aB`#qwIquhCSM0E+>oeF z2svw(2NQ7y1~P7>K5V%AhrZDB3qc769H*?-V#m*v3$tSd$eoO)E`d6C!-C-{475F} z;@VfN1vtAC`QbS17Pv)dkOO<W2`SJ;dAERGh|w?fE+{+R)XS}bJx&szt=kCdLCyBo z3Y%zNE}C)Q;<pYevG+O5DPmwCfE!-PAorV%TkjC;Z5nlNiextCL+|`vfF>~9QWA8A zDJ;rB=#rkDxeI1c2MM(y#1D8%hQyjO6qkl%m~ZZFeJ*xOW?zj2>l`tZRkAPFmb?zc zuTO@dPPFni?hIhMN<m>|h%_qoYaRqt_+PU>hb@AXvV&Q^6OogBSF)w#K`h1H3pNvv zniMZ5xZ!5ff^(2L3e0=J0~)*4k-R)q*t*vN{~%ALFp))8;55}sfTjx1oTN~6mXwLD z4wH3^+{hsfdOqsM?*j+<0#6nHN@<DjEugy?wiePXkL>gXMeI>P$$VQa%4DW?&HW`^ zsuSoh0hqY%cy#->GW1;AhD>cY9JCtbg^F;YJ_HK>3ot7Clv&wN-Zv?G>#+DQH$1AQ z*!gE~@O!$U2a}b)OmO?RB9^EaIUC7)6REQv4?l3hR=5T)-ACKsy!rE(Md78L;Dknr zHhp63P9)O7C8X*`C9_7&zDM5X!vQwBMFpw1`2=)5$}^@gEAar+CHr2}E|6xtBc&1= z(md-J)?9PHUw=k{VU(+@#bMF&VGY;>&KreL>#u?|Ir~5=3Ck7%Y4FS4DZioF6WF@h zZxGY|LOau|T%b4kX31teqIme>YvyTR%hhJkFJx@$9NhOccJntZxqIOD?)6Qn^!v4G zc0D5O_Oc3zUtK^yBun*u(d8|#L=yxnLBDan`4)5?0;H~|)N|2T9}#5xh@q9Qalk@q z${I_jN(j?|6?p6(*T{EWeKmKUA-K9lixq`z8-EwiV1q?FC75{usA!=x>ypnYtAHt2 zKt4x>Z2MJ91yw80ju?5YhL(E1P%?9>W_>W>uK0eN&)M+LI);?h*n?s&Jwi01?#?R{ zqvzw0=6PZYuu#XtF=IX9Xtt3tOQpdvApXG>OZy!M@%79uuwh8=_UJ#q+s|~<9y6-@ z?P+UM7AxYCi4MVe?W>_74gs&+2Us@_Xpi}KH|N--=YxNP^asni9f|;r37$T`>D11D zmZ=k*FT0xU(oI2>05Pwfqtgq@bBAs*KV9vn*rH*tn040)YsGe0`G!QnNSy<(ldmM# z6OF{nyv3OGdPJoVnFnqg?-zD69K`j<kwp9ZSBQ#DA}*i@u3NCo#QGk*r#fOIZZ27L zS2BFCln>6+qlkqE8Q6Op<trlfG3i$fIh*!Oz#EGjufBGT-{fzZV`>PtmrC9392ofG z@W#^x+;Njj#t@2uz~QaI*jG)nNkNDx7S-WK`SgT6&8Qf@zeaZQYSAIdS-y4yXfW7} zErH9`A_vT(dE%IDc3%RfZSvNg>gB?PGq+9ShQl1E55LTneu2Ceh*P9Z&+Zk>l6jX5 zuaK(9^6VI=^V$1n1G6MZp3PP$SZBLHD?FV_xnCO9J04IIP7I>A6RQ3eXxX+;aNzi< zpuf8vIal2}6IBy|d3(_7{2z0Dm{ZuP5FtK{>xa8S{7~76(bl5>P3cKtB43noUfLCB zJAKhyW=|S^u0nZ;$!<t<Y=A&OPOK6O>bX`$0-jKU-O8v~4r~1ZwFxpS@yr#vt+K2g z0?-m(V3w+6mnl{HwA=loeCQrEkdgft)H;L%#`Nus{`(>N3)YS_eT%V(1*j^;1ZnA= zIzzSJ4ryg)iZp?rl^GcDzsBSw1%vEHGUOX@^(+&|9n}S~9IDpXE~|$ni(3+IL&%Gl zM)qd^#hsmntS=zB#GQSu*|r94J}5!UQGpxZ2I#r-F*#(zD=QxvBTMR@8|WH)V^TDg zPIk8UCC-^w)!+l<eABi?8YVLIjuqP0gekc=q>P%A!6ic~nnL;Fh>wR;^rHP{FOgxR zTaeQ=2tw8@>((l^e~n|N6{vH02Zh2Ad(7oavzEPAw|!ot;W<FMvdNkX7^7vrbZwJR zBPh5LUm=O)-J|X;HX7fHK9_>sJEh^+e{qI4QZf5G7>CiBAM9lkqC`*^=!WG@ihSWE zV@Ofy%qaz70A8U^Vyar$wko7u-EpUVs9OsETHIB;_}$lE&~IDkiqJ)8&gR$aSF83| z)bhnz{N+y<N!F`iqk6@r+o5c@qz#hokfm?9-;Gc3CHa$1UD>PK+Am|}=71MO7h@en zn_@m|F4|P|hF|GjQ;VaAfF8IxJ^`cVW!8LNDEV4>D)1|Arl~%o=CP^ZUsC^hue-X7 zrm>SH@#d_gRZ|(JrcaPXlVQd3ih}hfW0QLuj<p6vr9foBV?{<;;FLy2mG!5;M%H4Y zjk1X`WTP@&{S`Y5!A4(WHXF=UT4}BJ3gXo(RAox?z}7<Ba)X#HW?mz~TJCLFh?%qz zBKyb*DIc5AWS_U_5i<CQ9v5F>{9hkDu$aIJF87^Mq>BzmdLBJkuDgR9w1kN=sSrw< zqfAXO+_uNeNSP=`2}RlLWlXzhIzP<pv9iDh9r4VBf!)^?8k%dmMEmopy*6kWnnTAt zxrl8Azm)1yOStCVVpH~$Z8uluwzT^)UX?BLVow!!-1@pO{}lPa=IOp0nSe=S9AV<{ z!e4*5JJ$m&23i7A6hSk(LCRUfJDX(m97Lh7>Ec(}Y64rTjyOuPcBgQPrkcHe8X7kj zhT5eyD8ix%t8U%e*M@Kz)9inWSyvN*Ka&xA%9pX<sCk5EpybwkgFIk&fmUf_jd%B6 zDh~it@J*~kwdBmvunQ?loYDmD{jszeZ7Dcts-UxU)0H+l%?0kAT9P~JQX$M+zoCiX zlbyUa)d|$ImAH;x9il@B1yHNoeSSIqCU!CE*U?kzxK3f~cGzKe^HEH^wo?RqDs98& zM<P|6hL;g*95TOhbrECy?I6k(s!nl&u<h$8m#6||U9*_KyfI3qG{k=kjSXLOA`m4a z;ZnHCe-QVDi~iiNWte*R;|_EQxkv<y+2qwsU9ZmAh}a-m>>>7a6@knfXeP)8ndT8u z7K>2oMz`;+vMzY-f7vZ_sY+v*p<~m-h_QwRG;X3rF&|H6&z--Y<rcZ=Jmx0f5w{DL z(sB%B4^W!nWl}%L$S4%Q(hx)Nmml@1U(LgWeDyKrfeIn*(JTrmBDf=0Nu1Hpt|5oS z$n8~$8>sF}5A0W8G^<?I^A4r3*;kEX)ay)!^PF^o%gf6SW|7QcLu*z#UVVoM*QLd) z`uDpuA@B~|2HnCd%<I?AAI*^*d$c45d(V65$FzKBKK*c#oe2DzspXgDn&o_N2J?}S zin*IM5*p&;!o-=j7>GcbQa-!Nc*O_txs#>DnjJ4`-hD)Pi2(D|4?|A2T7_vw_~q<< zuk%-B&fL6+^VbM2Q`fjip93zOh5X|Rz^{F-BIOrRHj+PkhEJf<6s1{~jCo+C&hyf< z@c=3#uodbOVDb{EtbC08K~A|6-(QLL31^AsHMenYfbK@D;)Qf@)5-=4J(b*bvoHai zCdo6lE)b*8M3w&01(vFsC`SwgF;p$`X(n7FR3(!u;lwOjd-ocVd2$vL3C6^tlEt4U zkQgWZhkU`86J1<JHl49B`ykbHKY3;<<3HP02`=A7@zW^A=DP6H&=|o~rq5m;2_YFq z!O)$9yL(g31kvu&i@d5n{$x836HJl<223@1K6eMY|D9rKqbkiR57HDqDMsbYN-k=Y zX<Je#Ox(ya>_3aR&M@j$%s>pdxZmAwW<E%6B%+$}Yo+rFhw+#pG$|8W68z%mo^=zx zc#Vz`fp<wxC}v|pgmdFIC@Jq3v#fE0tRcnX72czoRu{80WG=6oerk$wZ8&GY3uPN3 zFsh<X+N0e9mvcTG!evD+7@)LFJaX5Ok}igcOTCe8VF%}qapG_TBAQnxG<&8+G$xj; zClS9zty%Y#;yPH9tU(KAul|^~5Uk8q<DsLsb^SV~kdox}mMKGmX?h=5In^y(r3bLD zbK<oc5eR!E_-W)J0Xl|03GI#8*H<Q&vYpfN7l@~<M_lqqv&5}qymLuAGN|u%sq;44 zJRMs@;_vW7F<MBUPvcI}80--R{BSU7HnraK5Aed?b!it(DVE~rlTOJ*kGvHL%NSs` zT6psAr(~XCu}}M<;@;1d9Gx@Ay`B{vugWwpEJO+3=uhu}i{2APPWM%-A>YZ&dH!90 zu|jB_(-!?yGG6-@iDya~{;aoL-XXb|8Pd6~Go_dvJVy_K6;XDiE%HKw83l7M!0DGq zQOO$51C#iicRmV1WW1}p{p<jw%nTRf1DOPXJ0mE&baW#piU1MA4WZ<xSuFjW%bg9# zIPIz)cX+pXSeCeI`-XEr7=5sWk+4Z|_zv-`%L;!uuS0GEO8PV7NizuBp8re^!<YxG zltI-=mux2T6`!LG)uncvn{4x_ofh%?LZfYE(D1>oe%4|TmVPZ-pai;$f+L?W3Z>?n zbZ!PIXr+Q3$8iY#bDgnp_IgW+_$@TA+;}f{2j|c{LeE)fl@~jpNi(kn2UMFRPc@q& zFw&9|K18N-?I?9yw)!Srz}QuEKgy>Mj!b4RLu8ziPqRvV@{8rVa3D3UW!9t?)mR&R zJ<dgq#Mnsfnm;M*@A_yb=}>B#2CI0z3o!j_2k)>4)w9}=fiwNo_Vu#v=I!G)=Opun zjR^f(u%}}s^A}0jj4kTqb;qR1G$uU?Ufk<tk3aXL!J8amAUEf@Cq~YEEHz@|XpQRe zh7Th~a_)n?N2R!T!cjMBQL0PXY>Nr>aRKQq-~sPGOZpAM%yTmgM=Tg@D6FhgA*QXH zRkU_mbg0{?qgH{`FPZH3EcrRBxt7-7&0U!`>whrn6Qzl~MShKJr-{k_^JHw}N<v29 zm6eICG_=5G3T7nb;z8|!g++}Gh6$0t(Md_6GP(UqvnZ7H32ew~2Ei0c(MqGb*o!3N zJ%iHvf2kWZ6Ddd%G!58MbAvhZBG082#ETEi0G8>a?B37?UTE9_lNt~nEmL}0>7(Yh zA#TN{{+XqDjtir?&A`+Odc|pK@0Vi9g%wuI7o`yi7N?H-Rw2<}fgN07Y!jsO=n10K zk>AmW`OyCBb{n1Ohx*~`CWT?itY6asnxcUCh*4Z&MS_G>W)4z^LMBopxpFcK5n~Ey z+w*6&FokU3Y!Q-K<x^^~Na=4udCtxNt8a_9v0g9Yn_Ryy4c}F0FlP`yT%c#X+G_=V zU@}DxDdSSKOIVQi^S-RFT?J6CFEBO)&<y3?<B{A4ASbfDc}<$!BRnI*4rK`m5TGdm zp?j5^PFmM)^g9GmNaDr&0C!v|so_|7*Bac;KZq^u1637!VG^$Mgd9;p><G0avHDam zXwV%bdl+m)sPL|V?WMn0#16R-`)EgRQ;I($?xs0~?@bE8C=+Y(RINoPE`Mu7jc-It zXo(kiD3hhha@;i=s4b<k<96|cYeVMGtexJAPTuhHET;KSIia!PM9F7|%X<e+H4hr6 z=o%mx7<APgY19hf(J6>GN!x=Hj?C<fK|L*@y{E_Uw?^<s_NTFAmJL^D4NZHJ6OSbz zJ@ZGsgYQrG*a;(S8<1@uAQ1Qj$u0KsCR*rHbu&Tgyr3)oi=oumr^UZXlD(O<c0I=E z)aBG3Es<gg4h-__Uk<IE8rXRp-pL}DgFvC6yp`Oz8Bus?33++`YP~}nQ@-)=AqgkS zw+|JT4DAyLoM7x{4}prN@K=mIGfalaCemVi!@(KwZ(Wny3@7#m**{U=m!`fwgso#v z&}V@71;{Zl%c?ic>Rt#woDJqH3JRVTahYBH&Gw|1zQLaE!B`JjF3%z5ZPPw{rKE-~ z!)BR}Pbkg%<@-bz|8xl@KPML77-61H6Q$Oi5dOR9%(5)svVz)-tbi1DCCw?0N3Cb} zFRP|WKXq0ZF^_}2({baen55}C{R2ba1H;DIo59)J^QkttV@-|YtWZd|BdksP5KflI zGMY_Yu)ajvyd?T8Y4^NGbfIFaLe6SL_AiMPG37IDoOsIw!zqUG<#r_w8$@nY_aQ|0 zBd)hjTa<akyHW)y%rU%5<3mQ1Ne<&d8Z5iwNa@GOu>kCNs9;0FAK65y;%o78`S=L| z*5nwH2CR({=H?v}yk<kZ>=E^6zdC`aI-=mZU9=@=H?qBe>PW~9$J?{^7uI21*5Qn{ z$O@(5rJD3gH<bXxQD2**_8ljuoyTP_7rEy*)2)l=2UD*{Q%T1e@-rG%X{kH1MO?Hz zPScj`4JrO-a(6G*$2Wn+gQz(NsHJ<C*?S$CC!t$3&GJ8od37}Nj+n{6|3-M9(N8bS ze&waG$k_Y~-frYo;aTbyy;U@IS2R8a7@q^Qi(D2Iua9xM+Wp*}N*<%N=PW|=--z8% zIK<8xLe3hl&lU<E&fXsv+1;-Jj{r60Hba=T;_H<Y_tP1u<yE!u`TQ|QFY)&7{phck zs<*#<pYqUe8CPeF+{HS_qQWe}mYRtd6;Pju36FxEvprMuJzC{Hm(5?d+A0{>avV|; z;#h_$ScczBSj7fRmA-OpSZ)hM{F_32b3z~My#?dB4k$}RX&tG3TX+EyNqu425bq7} z$C0e7^&ytZF16R<0icfK&6muRtBPw>oa6e=@%*?FhPV=Z?2*WEv$J}oc>~-7xedWu zAn^1Lr5tOe)XbHy)?CD6w*5u}n_L5$NqR%x12Vu#;w*-OWXjY`@#<!kiEQy~Khr%N zo;7^Sc+n~6Hz#Mo9J_>py2OY3Pp}QtCtcHri+?SPrcCN9AhVX>nM7yx;=QMGzoR$I z=#7gv!v-^3e5N&7q?)|5%y6){uray7q|qM#?kltyLWKX&+vMDCwJE6U>8kS~Pcx+} zXGVBp;@GyZ+&8?`x4tCdEJin5w>NO=tb0p^u9yv6GXDs$`7o%vJpc?Vf<(m#a0=)s zvP%WSQEBg3ldAzZyzBZRGz!z?zKvN7BE$S`@=KYpXDHngh}9@WlhYq63Zu!@=!ON7 zt05;ofhS0Z56|EdN~$OXmneEr)QipN7HBD245)+s|ESAC)+J{fBvqSC?KRkU{zYAG zD4+U!*8G#8<ta)}oxYDBtg??$PG)=-JFLrJhH3_2N#Yz*#kX)~m#31KsaQ{e)0fb= ztH{-tp+%R-UaQa)mLX@BHF;=c8-~5h?#^AP8qVo&lradAdW5Yb*&2h{?^#{PupP!| z;_+u>WE;=N4cDJ+K_hZ;i0?*%PZOe-#Tu6raVk7%Keq{nJ0)iY;9K+XY_jDIHeMhq z+YrJ~cotbc5G*jVEifj?DUvQMB*^KwuzPi_J^cE!Ale~UgU8WzZq#lGIh1fyp7M87 zyTSEO19jJA@g=)#C97;b=f#2PG2d9_jJdoA`_UHjmSxDg<&$B<n&M=1U@CqYXF|l( zA>`CDA!h|ZEY6St+JZODp}R3d{$B^S%krx6c<721=c1;e8AG}Of!ju>jgCW)oI_7X zVhY?-hs9p|WWW3jN%>rUPE8Pi6}E#b!WS#T*Wg(21%qdW{RRvD7vE<7OXiSn+R*MZ zhHNEW@??t?e52HsDRbAdelYp}cr1d5>L2z^Z0z-HQw8p>=a#pQN#q5SN-27`Uu{Dn z$YhPJkD-?8#y@W*&xtq#dXsYcfx~2dor$;@stopUmL=f{S&@nIf#fCO<S6&#s0I2I z_kRppHf?Q#_V*?<afj3|Yvan6M{Bz1{3|qXA*#O^D{@8EI-}GOlGTKSZVdwrgG1D( z;9Jr=R?0s*REJzE9&FUG4Jr)_stjAIf^AArs7uXy49zS#%$6~#mXixA@h2)@o0lQ@ zE8(60HW4(up~<;jXHnvk8FV%GyW?-U@8euZt1WK?|F!8b%)&Iua_Mist9YzuM&oWz z^q&~Etz|=a3Oz`iwrlTW7Qri^yO@!!>Y1&q@ocir7W+vB7^%i1GKSq3$D@};yWz~^ zNI?JD^uA-ySQu`9m_@D>OO`);CO9GY9osYl?{xHQ<{Cd&1E)jsik(`j@|ht9^cV-W z?Npe974*rJ@w5i6J<;@DLndh!7ovbI0fqha<Wc6Uf^dBZ>y8zPvLy-QhN0SO<PY2C z)R5ISOg`q5g9H&5SL#1crueC4ZC9@$Z{7IFF(b*w62@<8@m|GqkE&dl;7@nmV~+_g zQFGB}{Zia|x@C)zot4(3mDUjl=biNM@jC-NX^RzA!6jA{TZV&tbA-=2L$)mbAIi1r zZvBq;U_iFi#-hr`J{rtbSmOm_{YB3}^u|DR$I^6`(TTtYgJY)FDd@(tBGqtWnI6Gv zQf3P+z?kzeWNX&WnH3*UPf|)(pVbslpJt@FC9BzG+p!UIc{OM^rDiu3b(w8d>tU_; zys>okOcURzJT=#=x_O6Y{mO3bF2LCp#CyW!QqAeIihp&Zy_wm)nfbX%L>gYQ>uqfT z*5Z`YHRS3M0lA5(bQR&TNugoA;OQ~i98$E23OU9h9dGr%iTLDZ_H;jfd4l?c8gNNj z-9l(LEs)po=?n6nE&o$cAkc2w(Qn(m4y2v$QNa1G`S}PXwXgR&w=vx$iuq`hAhZiX zrd#i)=}x+^M?CI*U7`j$I8t0(!LD!Iw(lUe->`o!GEL`#Bm~*#x}8GUSyO<=#gE6u zi+>}FAVvi}CRQ)Z+zpQqbIi*pfv{4;vw3=S6W#cUFpdU!WE7&cjDQ<o1~GK)k_f>g z!^x#!;gp$uj`ibsKw~R6<{<ZaisiY?ETjl3$U|poM_2AZ*X;bWSZ#IhHVEi37{D1B z^1{cwcB<?+X{{q%0!>p8ssB7^JD36Xd~+8F7;@<tJz0;Pz5P^zX^(i>Jo-p;#;M4) zv?2Dn{^K3yuQPsVW4>>Lu$LnJVwCbC%1<2(N3<~`ahtQXyOVrx^L<Q+ctp4}W>a_2 zLYIp&=86*UIRR2)OIvcotzZnSV0@9qqv&w{u^v`(J(zJ^sBu*&N$Qd7%8xUo2{>_l z%v65lEMYguRH)5TIOIuswx<!?Z8VBmP~$AgY(rD*ud<#d#o(dToz`}m7NI>!4VVVq z%*5a3=9S6pDCBl&yMnW#&h}r)(s{J^cA9<Ft-SApIC&qMe(vE}VRYPv$W;8xos)jS zcMU(JY+EhFqCAU>`7rHF;3PInuRRNBC3*@ZVi3}83O7%HA9Lv|MD!mU^FM0#KXL$n zy#Q;N0y6*^Me9p_On-8pzwobdB!1A!d~S!*)J(l)m`w0zoB`7bfvRqUCEz2+B@+dg zYm;1CRG-Jo=_Hvl(rcXP7i9oPX9#*@pgm)trEDYHavIaj^Gnd|=C^+(I5CISlHb(Y zPHN@jkrYliN?eO}snWP^pIdiYr(QYB(u^o>!|1ZtDstB1pJX>@8j`xF3J&DN?AY$t z^1-wFJOjKHwp=6xRCg$Ax#-yO`z$?*a4mtZQQ#^fv^(KkE}uo>dimpi7U6D8L}>wz z)sBv>rHT{a(iE7<B5^J;%=7E`#^?Pv=Q&!F4BL}79dKDDtVVfTZgn>6=S!=l7@^0W zLO8AIQCdult!M7G7&zL?JU6|o9C-z@%ws2QwB|QWk~$_Fw}yB(3-C7^a#~N|91-8o z2n2?`R;8ZxXk4_RhLnFDb(61oMT~n*13hy~Zar&sTr)b=Slj9xC>ACBC6jJ`PH|W1 zd@RM=V;-M1P{|(Qiyq-?8wur#L8j!Rz<W+Ty_hS?+?SSWwlL>guIE?Ke&#Y2FN%#L z<5L%2E3=JJgya+OaL>n6e3(5zzq+OQ;Zo>__kfH#Z)}lmWWR#)-N$$gkMkMqxXJkQ zlk@UXT0Li4UY{9CGk5X+hJ$W-e%|yRyg#>`smS5OY;|RzdgiOVaC0p`X)nsY`0?VD z3bw?{J|8-CWj^r`INg8Mjlg8M?PqlF_C9|#CQAC!g-!Z0CKBiQ>u!YOW;A`5u5?8H z$Kw&}BB^oFq8#0btc_{x;__dOgJli+NSE51hZf<Ulh%>bVN(jrTm{EY#S^M{JhP!_ z8Wr6+1>HKWTpp}41r(+iGQ%{I!UU#*1u{ZAQ6x*ARDBoMK!$Z;omnCDP6w2{gj+*Y z*BXmW$B*(ERGvGbxIh|Fr(0(Dp2Uw4o5!EW8-njyUfSu7$@vb;>gP!F>$KtRyaXzW zs#x=c!y1}#Z`|J!6y=(pe8q3Boey*Prv)DUBVVbAGdcE6VoI?m*Y~%?Mpbr+TdMI4 zIhe)*jNzV7?=P1%PiCH14*Ib(Tk7-Tee{UZrxsrWEBcK!-Yz<y?m8h_-O<zCT5_d{ z%Ut1ky4oAp3d7&OF)lz2qIgzuf7s`JS~nn_AU3(!jlOCC^SL-C(CFZZU6fXpg1k*& z+`a#zq0j8XzQ`2lf8@=PrxP<C27JshN4a0I@znh8@ap$u5{z25;AuwQh_td=LHmu9 z=k+4|!R1Zp<10wg3KnBaR*Y=H?hcE7oB2ZtTc#rOZa%|@S@$M<*%547wDF;o8IfsF z-T+%pfQ-Z~n6n4<W&L9OzD$SK1!dK}jj>%P-~#&khAQ3|ocAUI0{cRieg^8pKb-3l zCJTKdjVKnI1MSmgLW8>|3Q_<k<qgdp@w+AJ2zYVB`Jw9iZTgVS6zN(+*4?AjqN(^A z>54=8IsC^qSy&75@4a&^>gAW@wC8_JkiX)Xb3ieDVc0%NwXIPZI0Hg<?I8Q?Gt^)C zO@XU?#Kr}C8KH>IiR71q-ezxn$i}Sf4KoCl3?)y&z-J!`fmz4}5q$laPGc^)u!8$< zd=7^{bFqd$NLdMBLI%K6Ut(HY<<<ERqOXalvq4Jwux-^KiS3Z-&WMPM!3M4N_hee} zsy|3^s{Jl>0fPE_RycV#R|q6~1K*@b#e;oT{kuQh&CWMTBu~igfT?d%Fl$uco`CD` zxbJ3ZAD{2I&v_*LGw0a%bfRX7Q;V?5Zz)f=QDp8<!g=kgQcfiBylS7p&O9o-A3iv* zlxxA9ui(CxOgk?g`3EvUDSiv?=S#z<WH~RgyoB=H0|Lm_S}79xH|gXj?F7AKk}3BO zYrCKvL1Yu&^nehWfxLGs=qcChwD)_|n!2w_&9Xv7-p8<+bI!`~na~ZO{D9XbR>K== zE@%$cq%-#{sI=ZA@=r#rA_iMuZn7}IaT(@7xA|MjIExu`5)h-3j4}?P>!*&i+!VmY z0T<EhuII%grEgHHPWMGfZ3&VbN^Vew4_0eXXSe#|6Ii3np1<-}{fe;7f>|wm>QnOg z-;?CN%$NqcI=kAvVEr<O^aX<DA4uj4;!7y!2SVhFGz5_4iB;7fIx%X;mT>(Wl!rh6 zfVLx2dH2Y_TD40DNVjtvy!}<ezvT?oF}VAaK7*ynt?btKF;Gj;n7h^Ap^9F1KAj7K z`O3&YR=J;~98vx62XimJ2q+7A_=iP_jcoXYK{0)-yra^T`w6#Y-=k9ZKP+4*#xo)U ztx(3{iJLow__-xl^lk{94PmNw?459%0hbR_#G=7G$@QSTs2Ayv2SQ;ga>%YoouQiV z7`R4xkT*1+ZQ+mCKX0$l-~K)WKD#|%aUSPLa3V2Gr$l#b<de`7-=dpil$p?&{Z#?E z3n@3>KQ60*nf#%;B#BVhL_3irZ>V$MqZ}bf1EI))g#qgKH7cwLu_%AVrUgN!um|Z# zQbxZeletq;6-UFw@dr~ULeU4yzmfI6l60+!&%*$N3i_ONEdi%W(rid0-;$PV6pfv7 zngF7@PT5ULf{&QSdU>@n3V{#O(#23}Gv8oS*AO4qv0b0<Ir3RXW%-mCP<{pW1WG#g z3ha0095F;p`YjRS&1wvFu&`Y$Mcwt3_*CErHK+#!;KPF9cXU62k)=><;LBs`y#Qig zZwUw*7T+sH@Yp7ht}dEGPq^A@=)N(j+#F@aQx>7cX=Ah=R4&h7zA0<HyX-(YoqjC= zNc{W2HBpaZ1`M_FP<q;|wUuVU8_~XGJ`8G!Fd*JxwZgBy8>)Vh;XpQ-D6f_vXB7JX z;9eE%W&HtHa6CO~`GY~dduIIM9k7|zrH*h<zI8T+tsACD$KbPZuDh>Ne$(l|ihg1y z4}3_}$_L?Ex!0V;%b37|o!GdpU|@}*jslzkSgQPb?gWERiTa$)z6=3mt8F^D9%8Id zp8}(}8**?~;GmyLVrSAs=_G@HnTZThQ4v$2!abzV>_Yl%4Y+>;V1pTy_sar=Q$aBa zI|&}xs!gzX171DJ>GK7pGHHt3wt>970$(8UXP@a&eRzQA{AAWQvxpwMQ#pvy2C<e8 z1aXBQfWY^<fd?U0Si7%*X&J(u0;_aA-B|0|K;Q(+h@OW0_uf$U-H1x7(Jv+mK`D%6 z9o>U`p#>A!`0v;+Ga`+xq2seBoU{=klz6$Vu7qN@sg|}_(GRbFU1)NH8*UXf!e}v- zS0p+UAx(~_T&My-6S9tY+?0C>6p26ou~KPm%L$5fH#uRPlfi){3`;%oL;92Ih(#Wj z>Dm=$&iw&0-WO?)LydJpIgfpAs*~<ZeZ!&C$kU}`fOwr!YF|Q)oxz;<$N>wYBR?3X zVEV3$7jUDcqEWq=VF#gAe}rq|rs{+`wfFdCFJ;JN2iwXbU)f;?zlua-0A=h~A0`s4 z!&z(S!%Dh_TzOukZ@3NC0ukmUh~+n>LDoLfFDx#@Z(z<{dPoCTJ?M`gWX|uw|Eou( zfAt7DIf;`sv8Hd_-+0)7^yW#ep<5I)cXMhH5e7ITyUdAGrk4US@2ZMGw<2kh%AU#f zTds&v79z?_<P(my_OV=Zh97H@5zKv)&sIvukc}Pga-CrrcO3F$IP76U(4RHOSGz>5 z_C7&{5kRqeA86({0O6@Y#=>L^dP2Bz(UJ}BflkuZHPhRzr{6X8g(SC+;|Tw=3r7wC zI^Mf?X5V#i(VJJG)RnAcn?XJ=Xa~-g&hl7LKwOXzpJorTNlFG$^5mDmFaCBW*+(rm zX{nA#P`reT!`%Cct@+6=+ILoF|5=s1tJyBnQ%2kBRkq#QL*L3GZP@xj;!2Rmf<!Wl zh5*-&2mZ%vNMh1vcMGQa_L#)>K%q<62)Wg&kd3Pqd{baSE~|SRBA9n@caA<uuVrdB zPsCc~6!9M=P{E|=Zl8Nl-k$Ug(_d?)ZX6!;u_)(9aKULRcn?Z{lLql%JI$L1wgp=b zu$^SkWgueHvthQoF0iv#`{G6dmTsBI)QsMcP2&QBd!dR%GtIjIvLv~b9i%F?hLOlX zHDj8Ct|=rN6xM(SVrHE|Z31Y308CU4Aee*4{MeCa@#pv7{Djy!5>5sWV1qmHVNJ}_ zO$~jNZs<Ez8G|<g)53V12FgBUU>UWUv%`uOf1^4A`~JgWkBMCPSZu)zFn}joWdQB& zD5y+>86@#{<htRi+PNVGd+?UOYGqS0(+w~avX5^xs0sx)g6*aogN8jmL=9#`7vVrH zOVQX?)9gUB*&PWu4E*6S`GM|Xgt2oKX=MCjgG5-~cZBh>7%7&ksO5MX#Ly@3`;-<} zmC$rKnGeh<qY=Jbke0&{hThIz>`<>G4JLxKsqy`F|L(ba^Ro<AbL?2ORbbJTNW`Tv z*FNfk3O77L4*2Tpg)UguSoQ<*(;Hb+s|t8R$oQmXK%OC;t_`D~*Raf5h{r%_p3GB# z9M@gpqW$2n)H!Lh^#M!?+6;NGd)-U5>LXf<){oNB%nR6&I$v%tUOdm=dhSmMcr22Z z<&Ht@4jEINE<wt{K=*0MOlE0=lQ|#Qhn=IAzlbYkZJN{B2&eCo(g?4iP4HsV(T#c= znab80`I!bJjfuTMTl|bIiitC8vDFXsxu!$SioF%HD!sb&<`j#?-AV8W={QO#2W|z6 z@G`1u`~O*EJK!=@#btc|12J)9p?56MBM33uV+PLNBt3l4g84I=PEX6fXCFMTuZ}mV zL)VB@;}_JXKaoB6D~YnMwGk;>r?UQ>15yp~k9wz&?UilQkQQ@iGFAP*Y%orDdwNoZ z{-F)AWM**NGxM;iIto`-8Oz5b%uN;gX7^awiI7ox3yfYE);6OdtC!hG3oRzxD{mDW zd>#0oUFakilTufry8W48MW`S^W!}v$a`9vM^NkSLii|$=ie{qvP;sAA2-<SD#a;$Q zU6ueS2L>%yUw5ru+v@qFbgLOQHxjNjee$a6&!2$Fv|NgVH<mK|Cm*=2C7Oo#gzzpq z#37HtJ(A^C!Eix;ItMwd9rp4pn;zHPZfgHDJaSU2P=vMCc|#4ATcOFgW>wTupCQJC z9pN27*5=9eBWDRY=1m@_L3d`&G`6XOD>~Mkz`+Dkc2jeSC*L%7Ob%NUvMfSowgVNK z&^EGrfm{n>+D9+<F3gZ;Y7rt`{Oz)8!V}n`XqnmuWAuvOc(?$~XqL4Up^05%5Bm&f zdKt!By?O_$;iR?<-o0sW8!Udo-ls=e^D*d)DIjwuMe6KOwVY^$zK%Lx|JWaZ3_y2& zV;Hpx-E=l1_KaiLL$CH1{48>2oEa!lUTj`NdGTx*ZRP=ay$wRB#1aEVxhfQUVUV*r znT0O*8=vMQ^me5@BH)QWwaLIAh9urH4AO#w^p->2fbWTN-$dosd<kB~ZGBp%MVipC za=8Zk=+-fGNdxy;lEIUuEV%JPc_)33D*~>qK_|XsOW}0~>4#0-41`#$5$e0h2)?Y5 zc4OnPN1A9Y=^*XGmAOjV8NDG(5EO=N(-?Jg${rokG9`S5sM|bx^74;OOX`<y#c{eK zb&=Zg=h6Co7wLfPlIm}=0LuOF`(8}i^Z|X>G{;{IrfC3@+1`!nh<;qSy27xtKs2_a ze0wcDiY3WhvQ7{ti}t|lJCN^~<9?Ap);4|B?offvAThSa1!L%?98VBILW@EcFPSVa zS5zd#K(BN|qK=3g1^$)%<Yazsm!!-f6%j_S93Rw(>XLK8?i2@YNC_I_H8+rq``Zwa z?E`*=c>_&c&X8xiGt9k&3hdfD_i#Z5bEAYxwb1#)3qd>!na7(=vH;Nbk+3mW??sbx z=JBhzd-Ti^F1({`cP1-nf8x+{?Qf%f*Z7(#2Tls3owIR4UPs$U_?78si~E<f2ir%` zEc+}dbuv}vNVF&_%Hs6aNiH(G5~VC>B2gR{wwy!;Oj@<9{48D2;;SVl+kz^9?UodW zU2{LN1=dI<Vk_Tb*4d>v*Or$il^Qt`H?lBmX<A@NYQ5aqxjh_#|986;eiVkYIR+nt z5NzVq^qnhPmH1g_Kb$;lBFwqmY+Zqj-wv3{v|20LwRjs%oY1VVu>r~R99!dl*Qn8q zeIr~MSlrC7J{5Z~3zbIfR-f(g<*PsK!H*(KCrAFcva_48a(xF}jk~&C5z}&x0FniR zNsq?E>QVA@n091h=Pgc1D-LsKX+YRGjX1->S!ur1@v$2`KNCiWxb2UUU)n?vtf^}F z>d}ey!+!HR>pcfgZOFy)1K5)1pN?tGfaNPQ=P9LvbtjP-hl@F8{_2h*D12>=YlNBH zc3ha1atqS~l(vd<pto8ASMQvF=o9EI)bZJ4)G2HCIaAr}@yBPHM)`7QR!$MhB9@jm z++P<cP49VPj^}BEUI5-kgQ&qNRz!eYY%9E?WDm+B!7_x@lK9mgsU#$8kTqoI95H6o zhAgVwNYh^|ca*Jk;>XlV2~Oyu4g-AiOSsLTg1KAlss3{5(<jNg5e-pCm&Sg6Mo4yV zl@3L|a0Pz-_8P5-zf?op18%46%7C^~ME5q$y*Yfz6$U9jcS6w>b&?s}q|`@@pptc{ zExyvbRLv-Bk+PAu*Hl2bag8tA!&la(YzfrX+UO$}$m~{J?*TF4)<KvTMX^D&vY58) z$85`|zG5HSgJJ&YLJh9Fr|((XrElA?Y+z*AX-LcX1*njqg=%(?*K7kk%8WSNL%rrv zgqt3L-c*0DD;zczzl&QzOP{9Vk;X%@(9vr(bl2zDqx_*>J12Sn!OW~AZrUFe@HevR z=Xip?_D-c2hSo4<7wJIy7^Z*({hFnUxswE$nxUGx7Og37Wdo*(zvkDdHB1#V_Itm4 z;1bwj-%s=!?MU_}9VdmUAELDbu-T}BTsE2Qk_SzC|3+etp$TvfJ&>yQCsRbWDWCVe zFk|fKTsf>GIW#1?hHx4jdlhZZ!Ax4_jcWXOrys+9?p*g;Y8GzGAE~2g0XFzi?g{^0 zgHjrBC=PB{MPWVH4=UQ?-+NI!aywx-<Y*Auj=<wOi66c{a$rnWKXV&~wpIQtOK=0F zTYv@Q1Th3uk2w(r_+p^E(mM>a7h1a|5YicszP&`hu5s^tc4EKZgFkjS55K#Kzn|e> zdu&GWdx$%trln*i<>2lV@1&(45l%1n7N}=;24-e>$4Hsknbrn)nTX~(8f=8(T}se^ zX1@VGAjMt@FYge-U7V&n*o`)@>n(vjHjwKrAb<_uCwd``_wVJ8o+fRLgQlcU8~&2> z*5+X4B@K<X?`2D?s$v>P4X5R0qiew?b&a5=re~X>A{r}=q)!d4Ce@_!;&qwwsyvmW z!gFJdu0r#|W&v|rQdPtab7ED{jq{x5yWi+FRoiB?S{hypYRx_D@){G3>~b0%Uutw# zMdlTXJ{R%L1fNx+J{O7_M{~=WJxRgkOzCg)+JC>)(5%Q`HH3N8qI=LqHK@OqA+5A> z%Y`-QXVriKS2bIYWnJA?IV)G!>sp`J-d`?+-yJ>{&sG5Ms;#0XkNX||za6OGTRu(i z)+6|TIu^dRbiS`De4ZD2-l>{=lsZbBcNVWw78%x>MVkSU>-e|V0;OBuJXdb(U02rx zC0iR`SEg3HY0i)fR~kMpv;c;sX4cQGxJF*&rtd}o|2lujy4kujwz<pP6&=7s=G`ae z?fZVD4@L|ONRgZ=27FGZZ@D1%41y~bdbtyV@jxm7VxgCxyfM=Ea3_^E$`+vDN(GZ` zF03%}`+8>7gruHBykX+^rZE|!Si(&HAaZIQtotft*J~KEoBFYhr8#=?CaT6^j8{zG zcGaLY*)9*<rfTE{#@?6BZE2tD+#k<cB%MxVMYF*Y7s}P7mjqa_Phjr~)-P`~WS*Q; zLSfs8P=!BXI}Cy5WOGVln|kwn0t<sZrdf(}jy1Ecq^26$znj0=0axVzUXj+rsCg{5 zs4}ohl+%h>B`OmnXS);^<|x|}x~EU1+V{NM4Z*uM<la*C9$abP?yeH)M~hB!N^Ev| zQ^$?Ocvx9Jv2RVVU`?3K1zDZdnAH@F(KJmo1^ZqQuw&F%roHF9W|q9{wVypBu3~82 zKc~;vdKO^KmKsc#94eMF>N4u%MY@QC+z$j#x3qIx%*wWhMBT$X+&w}rE(Dg}om8*W zgmxzX3ciCG$?lw&K%V~*T**N#^XXUmepURGop^jM!HQ&I3XQ{!lwu2gv9fim?(0(z zc&iDHM;dSU=Dc*8pS{b=bMYBC8V)Yd!B%KDY0d5U?a6NBHI4Hcj71Ke>UE;baYe!U z%IWYA!(oZ|c&=iyU3+q9c$l~)YHJzW1qExN19zi}#oK*GY-RRkfZ|{yOWxS6S;M(| zY`%(ulrufF;xAF;QLLW*pOM1@vE*%y<xR*+O=62hYqcSnWiQa>F+R0Vu4TW5OKpR- z0^C)tmIedWOQ)|(Y355S`b$sHr+U68Rg8C8Lg#y<r!%qz0=R|2`{LW+Vw;mR0%|s| zRnzu@z6Z<HzdCVit+2)co|9s@Q|G>GY`V=Ck$?B(8&tcd{x(ehWf^zGp@LO6Ac(iT zTG!XJu|dW#)8kq0|7;$bq{Pr~7ccAAFP$gZSlBlxEz%Ae%Bo849o~P%nurvc*dwH; zJXFtyYp6Uma}%=Wc8M{9pBTRlS7l_S-E*Ur6|4Y0sl1!kn3`#k8Er{_nJaJ0WV0wR zTVBSqsGK`@QoKNaS~l3KS`lo__FVZVF!6Tbfp7vJLRIf=F@fD0P0BSc9liHbwJRpD zi>7d7S-L03Km7M_g1aT|el?_lHrl}e<)pMs{suQgC0l+`BE$EJV;+~I!exU_m}4Qr zYHPvL8)KCP#Hvl!^7*f_+IS<qhh7JFA4BKd^kpl4O@FmRL>ApP!$0GchB1auJj~$@ z_NYA^uJx_^MvJZCtmpU)p_AjsBLu1aX!HGU9uu3FAdhd_=S7~Y6QieulGT~!X2OET zn23W{?0X33J!r8`f@jxpK&NDm>q)sQFCot=#@+T2Pip3&7vcUc&YtbW;$FXP2qh-I zbC10o?_nzY6tiR6!LQ&0ImVHCoRKa_JXr>AwIZ%&L!Pgv!+VI^sqz<Y_Czc8{Rzz% zi~Uyzg8S?41J1PD=bZf>^^--Tri3qHN@B-)^;0mb%xP`s@=SnZ?Y!BxTS-&jw4L#^ zLicpnKxP#MuSbu)w{4%>yVi+?+{xqdbO^e?Uu*7&r{6Wcupy!Fv0-1olYbe3e<7*= z^%Fz$mX>J?*tJB5R01_^`xVR9u+dLz?A1=&F`Cr9)il1rPCM>IarKX5Ox5UY9p%`) zW6Ws*cjaJUlaHYN>+P(#V<PJ0a@j3S<K)PCAi90Z+%BTHqv)i)3+vk1rD-EfszojP zU98$;X8NjtWwYb3ZKTtw#%(X#W2;MhPkU{}ppOi33?=4+CT5kFz~IfD&gGtqZ_>ac zX#_WJB!!Ux@z^!9?jh5Df;Ija+ozwkA;AOyKjYvy<6o7{i|JO~c%QH8rv1m=+vDn$ zYJt`$EJbBkm2Ie^Z_C22aOL$xyMxlTY8iQ&ivh3xmpY4RY7ym!sziE=bx_Ni?OwyL z>pR!$hq-MBv~6yXYc&Bgf#_Mt&BwaXJGUg^wa+Ah#||%q=*KqCl@+EL%&dndn7c;? z(hFau+LyLwio(rW!LM(i|EW`c@S{^6?q>RA^5f1{^E23h@PG{U9Q7E@tPRZ!j2sy4 z#N}Cp9nJNWZ4~t-SlJciC7c|LO&FQ}bApj8qYkr~J%hEgm8uFf5a_?AB;EfECs$Y? zV6aDEARsWbpKCVsWRo(SE2n3sr<m*QrsyPUTxR@>PmNcP9|ZzCkMEjM=gKZ)+gW{E zxvRgkjKzWk1v3?;ng$n|?CrHrM;;fP0>S_S?lxOpl1c@J28Pl|MwW+PbcGoH7P1vG zxPwjgJ$yf*`CmXi{(uTAUb+0yUI)tk8N&bDpv(<)n04fw42-OexR`X97!3a#q4y8E z|BU}HglGRZ!uTA#<W%MKfBz54-rnBAAJyl`po27-`=}}(dd3Q<d#vGs#SvT}^ibB1 z5D*9|Atvm&AZ+Yke(dq?TwJ-#ui$c?KMZb|{{_~6V#U?T7B>n71XM@ye;lj-Ate9* z6DvT95n8r5LeO=W^ww5s$N%fVG=oJiw3dqa<2z4Zdnp22)DgnaVbU|{w!=-CCe4!e z8b^8ksy0WGc)nR{modCHpJcX?=QJYn$h$P6ERAFEK#%B6JJ$=FL1-eFVSB8cl;iqF z3Kl>L<xhg;PYNbNf+j)=*H41iPYOapf<i(HlTU(^PYR(=f}u}}uunp;PYR4ef{a26 z9Z!NCPYSL?g04ggKTm=`PYTLHg33Y)TTg;pPYP*If@x2Rct=8bR{#W)j|5Wy6`qe3 zUH~SOk0w(9H=d6-UI0Rqk3v%bQ=X4gUI1a9k6~VbaGp<aUI2`fkBn0Qot}@KUI6|t zAN^ke{CYnAdI2a;J}OVa4_h3!y#UfZAJe@6@hzY5%>W2O9|^($Dp(&Y*Z@pIA5Fpl zZdf00*Z_n=ABDmIrdS`R*Z{&<AH&!H;aH#G*Z>$q9~r{{I$0k(*#KNkA6?A=epw%X z*#MM7AC<!Zwpkyy*#Od6AJf?Y@kyWX=>P~}9|_?ADtiCF<YD&Fv`27VQEm3vrg!PK zhk3a|?pu8$TrscrygYqnTO(;(!!25)aa+SQTBCShkO=n-JpDUbLlkeZ1x7GmP;~Yz zHb+4D21z{wY;N%h4m|jXrNSjlkRXhhAWVMPpH#udSiweI!6sl5hGY`PXc9(j5+-oN zhIHM-tC0h(ks~j1y@7IrgL3^pejA5!eTi~Ii*f^vaw89uy^)iHlau|Glf##jeVLO( zo09{blOrE=z5aBA{dE2Lbi?~}eerZd^K=9CbR&0_z2TLE<CXp8mBZ(ied(1$>y-oT zl_PJKy}_1)!<PNUmcz%EeaV(X%a#MpmLpG>z0sG0)0h3#m%~?=ec6{o+m{2~mm^<z zy?%IueR%zOc*A>meQ|h0b9e)Fcq6x&y<wSyW10PBnZsw9eQB9PYncOWnIo^7y+N9T zLz?|Xn!`t$eMy=_OPT{snj?>!y-}NkQ=9!&o5O(3zO2omt<8b1&5=*O-T=PA0lxkM zzTpGDz68FZl~;(JLk+$uR=$arSA>~cKE@l8og)v=9KstE#(S8WJDi$(2%9?$n|lPo zL&=ZSoEwJgTV?OznOE?h!#^MC&#%6Suc13P8r~x#AK8jvzvIWy#e~u2`p`v)(Pi?` zCG^l0_Rxiq(WT?i#ebvA&!LMlqs!J%H}6wb?^AdGU#y)|bR|H5remXHCmq|itxh`X z*tT<H+vyk`+t!V3r(@gBjizV!oY{Gqeb}>a^;qZBLw!~C*Z-l@<fGHpC()EA(YCA7 z6syuU&(l=T({{7b6tdAaHqcZy&~`f0lseP4-qF<F(e@ye{Xr<Niz+LNDsPi3E0Qa3 z8ZWCFFYlr&E1)ZHs3@zbDDSW?E3qzbIV-C<D+l72<>QyvXO@*`mbYt{6>FC_ua#A= zm3Q-%74nrgc9d0ily?HkN&)4qpt4#}c@K=`9~i5;Fw3$qt2QaiA}On;Vauvvt1c?b z0xGM963dDbs}6I^5_7ATBg>j2D<HOIKDJeTs%3eqRl9~|v4&OivSszMRX3MqA(vHS zi)CetRj0dUsk>F{ljXnkKo82vAC%L&xRbKD(>A4(BBfKe?tJdYRHgHn=`*|TLKnVT z#EvqL$K0(I*p8x!j)KaLlJk!Itd8RKjzZMOM4@Hsj!JKkTHdLPZ$9(mZ{V`8;H<dd zJU2*V`?Maof)PAtYHlyePzK$&gWWHtO@nA>#84I5c!S+XrcDuTtHMwr*?59I@K3nn zJ!Pyz7;SUQ0Hmx7NgYMkL6^54V`wj~OGzD9)xnpyIc4ZJtBXk;W7EN&u>Q-?d03a7 zI^nECJYn<7(1TSMq%n%1gGO&XRMqyoE=gltP6v<P=CG<uy)H^)j7|ru(t4??W2r7v zW5Qa8sM6-K3dmU(wmgcjgJEMmRn^{Hm%2QztwUgAb6M5xRu{KC#;1dGZoOI6`B;~` zJOR)lIk)+!>Ormx<Qj!p|3+XvVA~d3m&i3PwT??*vv1p_SQp7PMzxNaWxZhAF;$nr zHDSI^m}PTs3uLSdZ5hR0N7u2Qux+od``t3Gv5v1}b8g#hR~Oqd#<h;UZoO{Xd0Cg! zGU2{Xyl(Sm+e1_r>^_RJj>d02a?zGkm+U^S-^zWV=slsdj>m7~u+Hy3J-rUyX?eZo z{RH$iOuJ~%tFLsQs#!<wv}(O**{nysB!62Ks_%545o(^faCz$oHq~C(bUL73<O?=9 zT<E+_6R$r%4eq+Ow|jp>J?j%_3%^Mq9vAn<MLpjY=#svPARZ(4#*9Ck6X+PZNhh8# zxL+k6*#`*3U&9OJQ{N5d4kiQGl&@$7ic9YnbB7lIe9G5&0)-ZLlet5U0Ir!UUV+l% zyN%qDdw|f)HFVb>oV$Mg!Ds+0^A%-RQQF<S{_q5Vm-!m2t3dN^Tz{w%z*&36*;TS~ zx28XG4iK!pM()bzz8l^e%mT1GTrqYPx85yp4X*?E9j=MG3O(+ow}v_a+}BrvU8T== zTU#S<0O9LvNS{BbcYQ*G;UE^0D{`Nr_`5lw;SmrI$u)*gf%4s$&`>FeBkzjcr)1{t zuh7UbNFeVT(I=nzZU{J-24XX~qW3ATy;}kfuYmXrt_ge!9qy)pL#-gL?JItt((AiT z;K(ybX!{!W{SV3AfZt#|h*kKC`rUM!x;L3xG?&ZFb1j>6bo=-#LBJQB)IZa}>yJN- z_ir@)oUbpF*WEpRbt{A7>#ta-PlZ>+xI3Q@h%!8pDKKl8AM62{;EPCq%)vMz%U-ub zGKC*4g~?0&-u-Zy6>~sK+8@r_wYmZ}udFe-b6@k9d7<6Hd8fsxz=QtnsGGD=L^i+a zhbpli{|RQ-x7yOX?C|aG4U0$6h-cs{<>B9Zp~hE_iQ6E)4^bHAjn}<y!0p^;@4dXm zi}W&%K;m)bs}AbLVfKgjo$l3tP2<1M?A<|Z%6E)v>$Ux-jb9<?rU(505bl4%piC0P zp!h!!l>h$(gZ~?${%<h&U%2~UF!-Oi`#*x<FahCg`g;&K0+-``3D|#QzW?+HA(n!v z_BVlnEn|WIKk&J=F_XEe>;K~O|3My<(hcv4slF_v-&)a8`K+^adI7(bBPcSjXX6o0 zSrx<p1Eum;EZ{qhn2bnFL;zV(5W$~_H@5MJx1c??vy+IRw;FbyGo<OV{jfL?Z`qfN zy_*NRD{%YSpP0C#qqAdP?|I8*`#$$Md*S_QufGAF{-~MRN|~~h!C>vL&{w+TW%RKJ z(ZX`GkJ|bjSKPl+p*=>D=-l|qY478{y!l$qF~U}jBhT&E6|9f9>tm@ei;(M$N}F21 z^WAHwlK%&AzGKdN26)zT?9uOUK=O<CJjW!3vYIm*g}DuAjwayiJ(Sq!;B_*TLx0Rj z*zNHVL!WbxQZt$DT+vYSeu)K})`Uf9oW~QR>`@bm<+JfjXF-$k)B4t-%gy>}Q@c&A zwlqW7i{&jmccj$dT36Uax|SI}@1GsFQ=rEswxf21+P#6fsiFFq;9|mu%sX(B)?&NC zVvhU5;<4lIJzUzq(R7P8{LLr->)F7j+F{k}sn27}MF^($@pJkDgZ^0fA!+m2#DdT_ z?<*}2taOKZxYnUrxMig*V+G|2Sl^zvW<i6()F$-2)ZjpP>cV|<)aC2>{+9&X$M(5{ z*Ru(T1$=>adjoE*pVRgD8UW3M-wC!IhIS{uteN@R4u>aCNOZmKYA#56h_5HcdK_M0 zu9iC6^KL3TJEf|<pN64V^wp8K58H(d{)t&;6dQBB-0tk?*{-*=;FK+Ny<S#4-dFA` zW_(}qg`<;iswH_w;)&yd{+Ev1`Mp-VKDYQ?%;5mvw{7B&Lf}N_1@Pd?^9aa;XxrEP zb)Idi91mh*ud!B}{=EO{h#TMjeC+<J{=M-WZSc9Wc+#D5`>}LzX7=L-;Qi)vE0j#N z>=L+@43fD%9lg4*CiyxO`g%@0bsNtg*v7W!?>D&E(sj{)h#H?M<kryFck>?-rpt}e z!+NXW(|Dh_YpGetq-tV5wbnxVYG!gU*zg0q-A&tH!WyX$oklC2+Ufu;Pm`=JbM$V0 z%r#Yr?O)YeR>*Lz#YRRgLG}$|J6R}RURj3Yj5rO@!DzS=&-h~D0||4_;q`1}w2&hY z)CA{DDYFy`S#z37HC=A8<mq@DG;HRpqz1U?+vPh_Tiuu(@`QZ|M?#yObaT}w#wNI( z4ZJj_s?yhyrGUOv?~hB678<VAJclVyHJa_8dgM{<Ds~o4Gqt<GBtA`s(;#;A%3T82 zCbyQHEocKn^@umhde_6Gr)iVpfrSO^DLb9{Wz(sp<5nB@4pHTjDwu`EBd(_A(j!hw z+D=7zf+t-@UXq%5P6wm6cdTfVUEM3x_S%q^!-;j}Yb}(trJe3Wy9v$gDYsq&y#~uM zTKQ3C;PeypWzMDiQS$&EyE$@|)*LGd@Zo*AMSu*6n*amEz-B{itA}Ag#;sn2kKy<R zqrtE(KWY#G<SW6xso%W^B}avEp=!=*4_C&g-8T0{5<Zh>MC{*Eu{M<qW`(>b{^VER zGD**Th0Lcj=<ilK2|s|^HAf-tki!?IP@dM=*lIDAls*q?k&LFkIiR0kUh^}5>%tP) zuF|7{8C1Qc&y|m;WzcTu>b{R@8FF-}TF5(Uch@h&vEs%lGVAh2Ldy7P1`GF_pIi_v zpp)A(V*#5;V{*{h0N|`3^w>*E3p;5{F6Qo@d;`)mbA@bov~|1iZX}0sF~292m3@-Z zEknoemqmLlq-zyWne0(Q0WY>?)3hHw_CU@?-s^jZh&sFOGyIBg=fX00jF>}#?gcWg zio1gHyl1<DUK-t5?+kN)XpogTsTMAwP$sOp-y~M1JjFDPs>4w|eCet#t@WCq{N@YT z1(lmx+!(9{tGhep-?H+!gRt!P_N{P6ej*qYPwMSxE9~4%$=U`bCG&c!V%3zsGehe+ zHuB*xUfWw6u=SYGZj^+*Mz1OTYG|@~E%4G)#E;8$Pu|6ooH_E@NDGmA0Z*Qf1<-ZJ zP;?wI>Wyelm1zxI{Y+)rx{6ev)RrzAPHUqEw83l%Myyz9WV4E-BQ3a@OJ+(~Xs9{6 zq6@D*YWkcY;Pg4^jGQ7H$T<(pi0QuhBw2D$J!V|(oDw#B8EIKtlQru*x{wi3%k9s{ zmYCg7-9!R}hKWe+e;<nxKHi#yyxr#0XJ7A!yES{b!Gk+z_LxbAKm8sgNJipMJgIPU zV)ruYSog<ANf5E{j!HcP6q=R5L<;!4^!t1mb&ZCep^yl-nvF#bMN0#qz7PypuAcnm zUrc!IYcZ|31t0Q)XdaFiy@rTMd=tJ=)(=!OFh3#baQHjDX$mmjJjkDfeR3#Q`cgjd z{3|8;0%H{$3owjsl0>;L{RZlYhT0;(awc(bt`SCC(MhUMAFp7^EhNDZriDv{{kW=x z_G}0MK|-J9_*23Vs@+m!fKW&&BMSl^9E5#vbG<fgAaxbN1q(bw;R$`ypicPxd~`*& zA8^VwdrpOO@)S?rB=VJC$lpzsK&Tn5xHktU>?@MXN_wsU{;J!Bp6Q<!#25$6OX%gN z?DU3LrER-~hEzy@lBJmR>P@}e27PrCtGZ9z{PzolLFIMHg(G+1pb8QaoY_c9;>S1+ z1FFlr{`x`91jB?cuwmxEDKfo1!xCh-Nm+hW5+}V$&ZNH@fNrOFmpOLPINWIo@RUT= zQUz{)I?p!{Y|SAv$BV8)(jn$d2<{ysb)G`g@P$0u5I4_S(|Y~CtL%sBJvgCX_{5Zx zgI#^$OR3_XE#d2M&fx{Oeu}O94q3cD?wlx+71-8?QkL`s%m4XOBrrqY;XujvKFN}n zzP{N(qs-y?(zv0-<R|4#{{GuIPCGko@z9sDiAi@6`bSr%+txg#{MvEfu6FL$VVuhf z_UKU_Tz4;fdg>i(N8@+pZo%=i$itwoBpJ)xcm|4_g0#4uq1k%U4!sySA5xEG9sOH$ zJl00zQ!90&X9?~Pv50xM+_?ug^ulEMgBQh`<sj7=O$hFSfX?`~qcFid6#zHdDUAnm zkHHP0<E_#3SNhH3U1*Mc8neO1R)^2r>9MrY?;N0IBtN>mtKwbJ+B8q7^YW>kg=$<U zCEeD<!oO0aPSxy<wYjaoAe0$BvZySct2Z`3L0I}MgMqQgMxIZsID4$aglOCJp0Y~2 ztG%aJe~fl%PY~gDUZ?iM2*N4xGXzLgLbcU^4Bv4!9ylZaDJ-q4JenU){!Zg4B>{@4 zI<|qlKb3gi(PHyz%wl>-34zT<dmTpRht@iwL|iv~OW$5w+FIsyFtXvelh8arl}}>` z(y8=)p*AjC3q^}#+V`BXGv2xAW$PT9Cs=rLb+}=Q_bl_QDCWdJm6kgZluYs_lt%4a z{H!ybH6?0UJz(_nhzKtQRGI}`@_o}N?@ues!t^8c4;A?mmymamd)PmvC63I!wEh#1 z1`&VD>)26Js{B0n@vmRD%F@@udt`q4P)`vR?u?%sgWTFxaWYNm<^{*uwRK0&oQtw) zxapNo`kIvN;#vbC7jN5XUXbF(A^!(Scxkf|S27q>?$AD!Gc1Wb#Z&YH%iLmfxa_}v ze<<=JW(g2tU-3JGN^i{%<yGa{(CemOmf!hhbr=5WPjg*k*fJSx62Zdf9oq<w)JQ(d zr^HAD;NBS&<$_PrZu*K$o3vt2AGB)aW}G5#0+(F#<uQ*C9zNvoz6Q<n-OznZI-Q)r zeJeV$uP8h<EPiL0uXuC{@9y@6Kf5>Husl<h7NyBH$pGZ$K5^lgTz8AP5VOLm@i{M< zn0>lJrV&!gm<5hmPm&UZG#wx&G6iCK){vQR9?Vo_Ol}@);GuN-o*4ML%YhA&Hcc4P zqu%65jjZilqVeAn7vDk{8(gyxa|J|e;gMDIK4n;T{`fKK&RZ*3mtTDogxhvct4sva zBRSI(KZhk8CxZ!;t5<XD{cf6~@5jqYMn-l|`s?M$FlV1JD;?s_Lo6Q-qCfRjg^$H{ ztp#5<?eF3f>vD~kNAf{89^jhTmdi_q`=ChCg8VrY^y|R_&tk4dg9zsD=i;GVV6DkE z@sSupJh$vFiT&I{Y@~l^A<y43jV9LZ0NN*MhtNNrR`q+O%m{<`=@KM_xWP94?U^d_ zcAlk>R7v12gB==0sPbf8@U7%_A57?zN~9okpR^HOKqa^q-EErc?=2MJTaU!0!Urn$ zTSTQ4)(m(I67XZoH<$r8dA8s+thsE~L(@oM%@A4)Ik{IDg1_A?@#v9O#MucquE>+< z`Y-*+D_c!Sz;KlF{C~qfZhq<B508@Y!4Kt>l=k>s(lMcxz>x_ZHv+0rMj<Q<*o_o* za>GOlouHdaigfG{#pq-*TkT#G&Pf8szhzTXrJ8W~U9+SFIBG-5!wOnx9&nIGFEDd6 zzM`I0p|>>!25*jKonh1j$-}JnxJKMl&wEzur~i`ao)-y^u$BF?Rt$ul>b@aqv-EnG zj(e--=^bDA_{BQKIy$jbjB}nLQ04q=->9*=c*5`#soQnpRW7<;N;e(`Sx7n*hx2ss zebV2ovkP810l-#?7qL;BuaPzf0Y&<bHGTrHzs%aRTn=91((7FdYf4tv0s?WV+*yb2 zYNa-9V0xP;>M_(*v&KSYHnGd|5NW3K{_*tmi^`(C<ny)Rs(fmMQe6$5LUJ>-v!|YZ zY(yulyY<3fu@dnZl0)eNva+Ab#LX{0tJC0kE4@mx$G=BEui<<<zY}v$*#R<htE%vf z)?!cTR2uF=P{dFrnS$mBB{UJJy1P33nBE-&bTnU2{s#T?62`hF+I;K&D;!3wsVYg5 zBDaXF8B2#TLx^5Qf?Za(`}<Sv0L$}2+5pSv0brGJ{LIv$UT(jfIY|JkP>`oyOQwuW z_T~Ol&o#adJ@ynH{*+wvB!c96!!BtwL$M|~F5g75PEAzo`tfW~IDKn{B@n3DPHOuC zo9rjhi-G^mcS{^faY?RLAqC?3)Ne)}B3n&1l`Fw3pfiXSWPblBcQ=CTp9My>uIQlg zGV2%kmVI~A`h<wuni-&9ZDEDXFecz>B(CcK!ce#&fC6M~7ZB(|>BqzeG&cDoNf#>H zL>moB@VA@5R+g_B3wvY_ZcoWuw2K)Iv)SA_3Fp)I0)vz-s}j`GZ^<|fEw72D+4)fx z{2bj```uoCTk)(7Jdz9!%*)EzgSazL?Xa`m8q@BT5|jN~+0M-wai=(RW>)gemYy*S z&9H=$PAhW-wAGfXaYs-}uEQZ8NOA)oqJBhMbVpw$Rhs#xDUfer`f|*33Lx7UCCYGj z$XUtJnaY<a_EY|pek`DBiqZY*i*jNeq6DXp2p^%|p=1eA0pV!<V20+yJdbpyd`t;S z)nKhjoJcYm2t?Bd7LshOp=}AiADg`sb8kYMV><N0U7wZBEzVp65+Xk0OT9zI2-_<n z@^Y^b`c06YSk=90Z)6s&E7(sv03_K$-T~J3*p~6oDnAzvEwJ{xIW}Zpur(*7O7Y~2 z=mnaFi~Eii#`Jh1!pot(g>Y=)f=FH5{oCTF4Do!oD7u<8ln<^*)5T0?%N@1EN+&26 ztKI3#34EeBMMWW@QrSNI(%z;P3|-s%ihaxjR<JPuzl_AVQpX>jgN-M%^RTZpCTsCu zCsO+sRCg&!1c7QLI1|BOieN8DHc=|Ps?9Y?wx0FD3OQ)<+V&)!eM^2_eU}dwb&jQ> zm1g^WtgMXnWbuAybb-FHf0>CcR?K2A9@x8V1v2}dlx|B`EkBBt>WK#wXQrx?4S5#> z;R&FqY>}Qt{Q=P)WWMdj!Ny&>yL?0PnjzA2<t%IT{puA|)O06M%omfN_LPiDs>udw zo>(qMIhFP~FKqCWcQ~20jq8Q!BZ{gI(SojmG1Q;>TJ$bcRLD=Hs{_`jxSmElf93nv ze9c^$FCN7WzuJX2NY@7*Joz}K?~;-X8SLV#M>fq`4FlB2Hm2AO&+lfTzLNmdr(8^S z3b-Z{5p|nZXO2b#_cYQ8Sf{iN!p;X}C<u&l-Y2N<8ZdR$Gj(WDTPX}95aVOnL>6=t zAUUdck^WdEV@yGta$L!w23onf)1`M4C>_V2hD7e}>+|N!Ok%G-eqzVYm-<FPXgFO@ z9wvY6hDSfd2GHoz&Xz)D*ayuWeu(n1sZKC9ytwdzmDsq7wlzY#pC2$c`aUqonu@>u zj-Sm#;Jia3S(u#pxLM0Zqgq{}hHN8Ow~B1+ng_?}dZ%DWr_y4usX#vpM&FdC3#o+{ z$Rk)G&_rP6lU)ma;%j%~y6{J@Mh(8Ev@2fd=L8GSuI*^kl@*rSEzip0+%|g~syvvb zCiQ@6nhgE0lhg`tHKZY;KxbSX6=X>Xck)^0gvqb5XiM|cCPd6qWbJr9fM;o{9Ib;B zcsWfAwG`QmdyKIe^MKLpoeRc{J%V6Xr|Dcu1AN?^$y^2Dxw`k6WHZ;S3Tp%@rhFrC zL%p_P@<+;VUu^ID{XRqV;4g;Hh*+~5Vm+e8$1-pH<eZ6ltduK?BVF(iE|!?9vNe_? z7=InuId(=fU9%AqasG5sj5YZVwzu;H<^1&Qd=>9<axG1bSFpquk*d2-PLlEf?APbK z{d3!8J57M5eG+u6Gk26}0ek989A<tBnpfAo6dT&2VZmL;!j+jCbq9zWe(PG|?T3>0 z-g9lS=7!j47pIxrO>Vif1|3(BB86!OXkWHq>h$bmL-j~C-h@<KgBO8tU<`WK{5<gm zVESaxvMHy)GS!5|lF{W5rhhaY#BMMa2Z(hUoj3BFqCkc`)``Cmi5sm-OYb~|V!WUu z<0uA5HiO3xaYww^(td2!4;THxO0BCPs)*{p*%T0%Gc8_kp^;q`aDWN!XbTnQM0W5@ zS6OAgh|E-!{1@3VjL2k#Cukqf5m?W0g0*9Ebe}y6;%V=U>k4)+2w^e_%TLBAy${ct z9d)kN6YtpcT)#%OI3B$DJ{=ii``N^pI%{Lr^2Ui%wHuf9St-aNS_rnnjfgWkmIqPq z3eaR7$P<PhE$-U?NMIEWj6Ej4OBPOL@giY=k!|zpiFTb>J_vGjR^feziQMx41Ow@M ze#0&P^W1(zF>E|9rvxOt3jG_xV@L^xLoA@4^ELjQl}qO=?;!7SoV|o&yCq{8$rLCf zOH8PdSSY~hwW5t^<il3ZNP45DYtBjOh+-f`kxUY}IPZ>bmFBe;FYJeMuZ{8Sc;)BA zQy&Qlb<ie5XP^|9Fm{rf`L#0(6>=Y+kgWq^RmuBI$2A)!4PrVK-IET<-Jss7>0Y)q z-f{q-E0v>+AZ`X(AP-sPX2ykk?}fQ1%xY-0%6@$J@<LY-7<hpNLVuo;i_r_uNjjjd zwuX0q{{V-bp?mpDxX}luM+t?uzXUEXPB*(ljN;5~qhU>b3Ts{|@o__J+$;Jng$)0l z1I5Y_&VcG_tZthUJ$hq)V$i!a9EpmBwe8FE1j33|@7iu>`v7c^q6$)AGBt^K+m{t| zW$#*Ph)~e!GwPHU{`%3>PY{Bq{Wr?*w;*ZRyq|s|@1^69?Ic^aCX*DA{Kupn+aFgk z1B9q31>Q#J*VqqZb^BDVH&eF`1u7X-)#YrH*%=@Yn#LKH?F|=AFckV*@l0BnMkZC= z)+F>pd(>|ubK`jQt|9107~l{4E1qA6XthZEE!PETCuEl<S=*)$*Bty3dG|7|b(Je4 zbKMOSce~!d>l7>L_B>TJ=^VW`>TGW7%&_JKY8%beB`a36CX?j^(SCsAMct?#!!=3N zx=fM?$&=ZhXYQFzFT#N-t_gdxuu|SU1T}N15{#v^YZzHLAR`Cl*nYdub%OPlI7vq= z?d5ur0&n#9N99pUgLwY=SX<84JkdSx58;{<osqkl-_G*B#+RrBJ-e_Y*|=P7>481$ zRy}d}3uYy#y@F&v5DyLajJb*3-L5F@FK7BUxjSd>_eIv5KIEHHBGaULiM$X7sog3# z?wwW$hmUvkFjYg8-e@A{iahSrW$t^|wu97aw8J8FUVL238r6wC%!O!X+!{;LMyY?w z$#==U+G;e=1g*cHc^Cf?Rn|^PN%V$oa?p0dD%!LoTdGO2;i=XM9pNq;uD{!cwR6|L zJl+kf3ksLdT(bC$<Z;S($3Xb+1#X?ZDfRY_IG%+<-oLH5Kvk&d9mSropVsNT%o4b$ zjTCBPwM-Wp7t}Cir<D0LIlFX4#;dpWUkL^if~*18HRb_(VF5D2ljk9th7Vvk!mQtM zZyUUJdH%X>EQLPc{NsTW49Jv+b2>ZN+2m`x$?5R6O`iVfEFDdD1=u!(UOcodAKjMl z6P6pK{uT&)IZ8FHQu022e~DE&{;r=VZ=sdioHt6<C}5cW6UXAkq9fh*#RP^NF%e8Q z{`N(p74vSN=sdnAK$Kv=pXtC|g-X3*Kdze*>Aj6ktcoY|-v|p*MKj|$$>4z{$hgiF z!9vKp6-T-m`TD0wZtU5t72n}4YGYS@Wl{zm8&%}XK2AQrZP~b%&jaZDks`MSrVUph zpynX1DU=s-iOjf9`8tQ2lZ|L8=e@m-9)~zy*1%uBZCfzjo4eT4#?xtW;;|Zl+Wa20 z(<DeLa77H@dCy-`WH>*(hrR(yH=x59Ip>n~I{S~nHZ>^OyApr(SGX6Xd3m%={uIV( zaP#UN>Vns5Qs3FS+-o6l)fWxWC*$WBA(jXMb9oM5c09ED)MwrRo~wClDnjolhjE*^ zIL2I{&QIvsD-rg^GX!AaXCBV%P4Pp)IsnJ!2uv{0Y>sr|zJQX(;+Tw<g+q+VXr|5< zZ4GfC!g8GHs`&*S7}M;SSdRU?EKzg2XGFV=dy|vxxOfQD&B0Ah^|?27Qr!KH&G(L= z?VwDU=RNpAolN$9m7amXcLaxjTkf&F0Bxomib6f~i<J}gG09A$lT;1Ei`)(kBq6ft zE2I72A6t0#R}=7ZXWiqI=vPq`nyGuoPNUva81`ebJFP7H$~})aJF&XcQ~Vl=OKobI z2;}n@smT+_9X%|ghDY+RD3e{)ZQ@Eygb3HLeNoRt>F4q`?Z;GeSe#=>(5Z48r2Tgc zX5?41204s%D5{@hz_!gMk^bUVq92E*96c)Cr^7rmIY=0yYDvtoN3{Z?AhLjE?u>dM zY?O51R6gpWWZ#5DayMzFEuZR%Nbdzclo~B{9&fJDKcAH?6UsxKS4QB`C-4WWUkQ(e z^T1TMM^$D7_Cvt9chxq;Z)9iZ^Ow4(L=?xnK+BF((O}`ZP;zDSlHI_k;Uw573^~=I zzWDxIu1_e`?KI3Bq&G>j9AVs*12~FHlB|9o@wa@F;OFmpxp<}F)Q~drxMQ9$i8UHY zHYMgT9nf3zYs#_n_&36+m>wYuIwRyWp(P;VqhQC4K;tC5YsjHRndg{iMqnSy5jnii zL8e?=(7pj7jXoB)0y}y_@@wHlp9VYM;^b_;0p_wZ`^=7ml>WQozc7qJ!2?%X785dZ zNLtIhjhMJ)U0Ea6#$3viRXvWb5SmnD4)E;XiGb5f73%)j5zc{l!l5>BH*Imyq!DBh z%gqfy=vL0`C7f8In~|QaHPttqL6;^bOyvPzf#AI<?T(Z8GN<fFAs*M2>tH0L-lre4 z5beO;dY)C>r~`k;=4iz2SITOY{Z|E;Xo+&PHywRD{=>ad&=uLk<7+aEe`Mll8Sn6u zFxmaS{QVfGLA`|$X_@H4zG7>D46D%CHvzlV4Yzx5!&eU7&)I&ebez%Cfg+gK-yN=9 z(8P-iU_Z@Gx4KRbbse1uDYVKPRm6EPDYB#UF0X@DMqA2$3?YqbuZ?I}w^;7{9cPzE z-F?_zp)J)$AX4d9Qi!;DCpULs@`-sg?(+%*dFddbl>Mov<ch6%<2og91>x#@-?U@J zE`s?h`zI;GuAGR<uQQtF$|zq)7_G;{`R@Qqt;bkrtc&_KD|h-~UVOW@W$IF<E~-=+ z!m?D95QyTwezm-AuKXfPG0rV!fuf?^1yIfHKKWnY7H|O>z)T!2!-n3$Gd#q^`>(XJ zq7qFQRD(I2*x=@-I0J=|frnM~4)B<ch|0J5h|ob%dJzuB*Koe9RID7OBKme0j?X=_ z$%-D8k)G|jl?sC$GmUOMjhps59RvJdQ_s)D(32&yk=UyZc4z9R%HY^z_~0iT`>!s? zQC$-&9!VP<KRCa*P;pMyWXMJcnjm84t8yfYN&2RBH5M65^{-G$C;cXqyI(vGkg&qq zgRX*%QjON_n92_IuQV=kd@&3UtM*{H>4tFxm<sYUm)hh@V0-lkRMl0lkxCkbWmhEm zb}5!{)ea7O_JhtTx$w-ravlK~u>_#bpv+jq`g3r@a5MRtG{E;4UzT^+u~0C1)g#Lg zd(}a|cfNEiB1eHR0wCNlryO(OE{R%G6n}k^zcCJZjQdE?0D_nzk{M^;=ogCpWn;rM z7PZ=?5w)CLnj}}hi|+b1B36GMWt#*+t|3tp$?w?K@c!wYV<Ea@P3D(NEM$UVog5Va zR(gT>9e#(=ok&}~5trNqnUnLKDchj*GbVpuxtSxsIW7w8^lITqjVNriJc;;GM+Q-7 zp-7psD}u&-iK^~Y;f|u#pZI<(Oz#l(`LsvWtzX$Dp(ICs7B|l*;f1B`@)>qU0;sm# zA69xir}RlwtkpQ(NrMGaD*{R#Nj^hno98j%{s@yu{oDI5bpek*Pc3%Wb_`2d1~Xb> z<$TWi4hP|P7V?6RN%EpW_Ecluz3gGhbKr};$ZgtS+@IEc{-pmh>j+s;M1K0LKeHGx zHwt$K7w2ww03*i?3X6!7yMCFaoMM5amJ45SaG(K5_oT1TI?tK3l{JdNW}IGfk}^tr z?1VDItWzU<lr<LeX1pA`bm@sM+prPcV1Q-hWzaF~-Vb!F8s|Oo<hf=J&GvK*r_k?g z#1JS^-CypBE4*PMIFXa4cCKi<x`Ce;xr*DExIZKVs!o}|lYn~HIQTMYe?G%sTqxFn zcN0bn*5C?s{()A4m?7i9*e@tY)AziDKl0Qu=-kozx!peBoc^w2&i}^FfWU)iayyLO z+N6u%b3#@SA+$KA9||OEn%xWxBS?G~lcLIJAE}by*?yB((ExiiAoIdwTwEfNh;e@N zVMaW*yX}yrlZp0%rbT=sW|k}90G-7|RaIG!&kq&en_x8x_<@W@CGGU3WEU$J6D3Y5 zgc|ocXSME1(g+<pw;$$j-^sN1uuseTmI`<1GxsIRHHr#46KLaF#)UvE7eu8nCI<-# zvkLd9!~nR2X+RHr{Ku<T$mfFO%K(JJw1j^skf9E4Hw{et2?4V(Wc!<Nx7zpIr|*PH zr8-cAG|4T{=V`@RNVv$Af_Z)ta6LjY&%u@TfxX_S$}r3t@&cDZ{5(>dH-DNkH!jD9 zAWXXA{TP0LXl;L~A<ffUJ>uWQEW~EIQ>ur~bTyGPD}US&^nk<0pt5D;*<Zn{>S4;3 zr^rwz7biWGNW{P3;Ue}kwyp3d+M@OkB<wmmgKCBNqy{||atC0$2VVY=T_TeS9bON? z5~Y}anbfJs!M~)}DDUI42*P2Xa;?$Y<g)QR^*byX3SeyKzuuX>{u$8=KEd!4vw(36 z!|SutJZ^rZH_siM+`(6W16qnq|1nD_HV<k|bJ~^e8*DfbaNRmCNjEoZB+<7xB0V3B zhd(R}P{WwApt5V)zs8jHd~)>crqLQopwh><(xeOK@CcE-!Dn}Li%-&swC*PH#uh0# zdEv@RHy+eS&-?>qp|4|Er25lA*4RbxIE*yfwZI*bO_y9Q^ejsne*wLt8oRw>xj0?a zBsPC?CX<$_O9bBwf$dG2YF$9@YOE472R3S7XyMS_&+q``3mH8e^F+|FC+cnz5V7is zjpAY{uw=QH%$+r&RNu1Z7LI~kPvQxMyda&A3o?7~Ywvrc_0&p+cWakl1oy9IE|Ev< zP`9BVS&khZB=_Qw)T`+WS?*QS(RPeIS6tLxoX;>OwsXpI74Km+O~hS>Idg0?cn=F{ zHqVOM!{uu|5x7GfnPPOl#Ml{gzk^#ra&ce|sO1k4;A`FHJ&=y`<|<pQJ@^?<EqU%M z1klo!@`tl-;`kxnlPGu6`hc`Hiqp#)D106a&w*i^*XJw0^w1K8&sT3i{4u}Im_;(t zkEp+9Kyh#tHHQ1C<gwDv&jd`pSG!yMoh!R(B-Snxj3~><A|zcDABFDl&2xi^Ot8lw zVjdMMk@)9E{s{>;T_htkl2owQT&_gnC7D5In*^cwFJ)D<k_#=66tO+fQ?>)c-7mYU z_IJ*Ze{UeEl0XE88zwnpsl4lUfZscLc7?-(rs)GIkxMhxOUco5up?q@)|fZkaZbX> zm%gj{-;cd4-AOrHCc~5t4EsJCX(S8rVx{j6?oH}S*N5tFmn9VUA$G9(l^O=)6vi%a zow<Ru6MtSWP9!%<f6LJolJTi;aY86)o?$zX#ExE^EOS~7&#rH4tf?`xo#sv9-=Q+g z0aeG+UN6j(O=``hZL)SPn&sml9|Fe67`nM|V;U};6pPexDcZ!LECpu3aHU4kj2gf_ zbo_s%VD_|5$y@XOedi6V(aUPZnkGTv&h%eUe3mt_Y_c^;gdS)WCmv$CL*bpSPD?p> zpwJ>J;?Ouek7H*zM;$v*k7<1c7_#|~=5w+y!gf#J`fMfrim+pw|6300W!}qYc-lkh zLGeJfzW~*qdbyp9jB6<I9giRtdeQ)s41J%(B?Q`q+@f9SCWVsF;Dpf&vMLaJ5kA&k za?aGzM(GEVhj7@Rnyg_1N3u)ui~QrZq?iYqhlh|=?O6gkl4&6WvlH8@Vp7L-Ff4oc zM`K0R&be4XW_w>mcZ~osals9;hto&t{b`ucK=z~W?;r&9+c>cFd=i0BCl%?@Y8K^Y z2@?b#)dy7~W>0?W!Cu6xA5BBlx0m)@$TfkL`6OMW5&~0bm|=6=dg^#;o1BC#ZHwUH zBtPFF*%yqEz;q5qvuSKRW0Huop0~S=V#X*YspYb1f7FRCFC!zBdJ`JY*y9Mc`cpo~ zNjWe{*6M{c^0jv={lw^m7XGD5jEnVZcjJ>z(KnzcZjMSJ4d1D-YNekpF5Q_xyu|_W z>yRH2&yfp1wlfs?IhB=dP04<SiQ7RpvD<Uf17Yh|Jnoc-H<q(*Ap41kN)kmuXaVnD zvo)yhQZPr8l&e`CS`$O=tAbcXXQN?ACg@_>TGhRbC0}eFds=vZeh9sQXj5S*jJDh6 zg5s<~>%DI4e(nJG@DyUxhe153W$I`xBl`Uqx(Cxx0Q)(+r0D9Y(GDiEDh2|=Czp<A zE5xCc+=vUr3_DBN0g?8c*h?Pebm0ml%1}+b$bpL%&?enPLm-5Qd!G8HGw?7p#|}RK z4L{N_Juvg5u%CWNEjK~hhJU3Tz)F%|+nfS!8$F*1KjD0G@pyAq=e`bsX84dbOaoGG z6SEP86k${MUMPd6NR@WD&wLoBH5oM`Rqi~50&PaYbq`-p6x3Oe`>_QjjrTp&{DSc9 z;eau$qJkZ!LMk^X%%@}dO)S?9HXspVlow{!cBawruh%|p@JF8H7l#><ZPlxzZmPHu z*Y%&eLpjEe8F<K(`{Y{9i*Sn@YG!c9P~4p{T;Jshr)a7K`ukH<$!dzp<VIePN#q|B zy*aO2w+{<R=teQ4AwT0a><>O&*;FC6VKbQI(-#rVyZ01(JBx6}0Zk3!T*DfO=d_au ziCMydN~a_BmeIMfE#HU55QtgM>^L$dH8(2hgO6!>rk()au<Hp)$GLe(sPWG0srN%n zFrg4?7ZWquw-7AqN(Ua^J?a~OG=Oc0`zF@LRcWSXM1}7Iqg;K}-hz1uH$|!1kT7!? zR@9nq_&vnsYTV^~v7c~1aUz#}nZf{N<%<DCf0u$dHsUFT*sjlJn=5yIkI4Q^S5h%H z)U8Qq#>kY(jrJqP7550LZ4_1=v(p{Qvzse6q~x2jr+iJA>~X{D-k_9vEV)0vnW*Uv zSkY$20MvwbACh`u25xFBaE+|C+$3~~F86ekW;?#5PY?>3i_GR>IbYxyn=(h94*v|z z_$bk-A7ONS(M;6wCpX-9n3sBIe<RAd@q-N^-UVFq`_g!%z=u5Ml{SFeK^3+$&F80| zllfdi3<r04lD(P`5PH4XAvP40-y1Ic8c9tswh+@hC#xLey!tWK4<w71&~?bB8q$*4 ze!1&%+`HV~UuNyIRG?}dA02Y`PnRb)zQvIIX=G3qV?McR{mc7MmGper<b|PXiHnWT zP2xr4SI-Di=`;4ehgx&I4`HLExRJCMs_opYj2&Vx><5n<86$((llM(**LrxSNrybP ziv0$Xl-^V6j-8195z+hhw6Vqj5!~ahm34buQxb6ss<#|`jIEMQ_Oiz4B$zL;Ap_C# zs1F}&0ol)mY+D7?(B?16KWGft+BI_recu?7hePDM9>RwO06z>$aXlzrMq1}kjqJns z>P2i4ti*JJ$%yz2@eVO_Fw}rjk|9X$Wg)2$S48Epq|~=Ym-+uLI97UOQ0|=c-Ym?J zi4fX6MSV7PG2ysNYK74BW#;;bNvbi@yqLxdV}aVdx4#HhqwoP@;>3b#^F)eVQxS9; z_uoZ2?5~=_b|B5bs(E9U2EMnpNnUrrbo8-DU{8c_wa2DX@PustRt%W2KY+<Qg7{`y ziU%i_f3*2QHx|ndF0y{(M~xVj0V~GC<tSRsK~X(@-3)FWxB-L9&&(ESw(8V48WFWr z|NcD6{H~H6)AGbiHL^YIRO;04LgT;V{_WPO-!f%ABEU6vD<n5K<6ERFK?7}exWw8_ zu%rZwS2z>JCvQxV?9A~7qO6fIsnNlBC7~TPbU-3CCH|uX!o`|%V7>YoKfi1x_fXmQ zlGp`~OSiaOxQJVRdlbIpmT8EIKqo?-*^?i+G(1u77@;s)&bXRQuu;E+D&^#laL=4I zHHO2OigU-?Q*zWJQyMv2*+>EL#?DX;zkj~}x}=%1oy!W1P8eB?#ZSX0cFa5W-woy9 zod;!0`{t{NX`gtZ&Wq)03g*vjGMGMb;5$BB;lKY{my!F0+>`w87pJ^g?M|K8CeT@x zboY57Ha2djH$UX+4r}23IE*0Hsync5$tj#A;Ma1V;NX3GeB#bE!Y?8AYJ<~nqOV)v zcv#$!W@q8Ga4>`?6G=2V%DBfY@EcY<yo@gK^lG#n>^JYwy{dVzt}udqfF>_*S{V)b zU(oQ#P%a{N;kwZN+RCPmTtUqub;*&eRTzQ~#AHr8P`XtQlmZ@dw&UY4xM_LfTs}}{ zs3>mFMG3`M?xS{|q<WnY$ZO&>By|SIxbwsZ8XQ6)Vj)Ny{jbhdt<bsnjAdQh3<9P2 z8KRq{1|cbF_HEHx-w^*wNaIT%W0F9>UzGY<a{&^u_D0;^unnN2b<`v^SOE(B(ig$q z?0@kh*7mg7_7n@vp_Xi{y2B?-+;959ZtECgwAE)cSp(+kCk@9~K=MLT(xu#T=olS> zvMR@1k-x^6IA0^a6@>c=-Y7y(cB^+ZLqoq@V}+-Ge!>}nyw$nMe#aQTm)G%UT4$mk zF*Cwu(M!dakPoV>N{6r9niw+T<8cv)Ao*%2^?u?l>&wpuE+#g7s<n|Car~-HP3~s{ zMX8a#)6AJEi3~JuAv*9Al=;a8#C}fQsQc4hL})8s<J?SPyL20U>a3HsHK2}#N}0bu z^X<<}(eF4!G;n&#=qu_&>SXIIO#HJ<s|uN?udE#H4FIU9>IEm2(*Vf8<mh}W$Vz8c zbAOhT6ZAfk<u8fGr+~NRA5}9H%|AJKZt)E)>nbf??x%3j|ISR9n}ClwZ87c$op`LN za6#|H(H)hu8Sw1TYyj1{G!};+7A2^`O(^W&=OBhmEAn$s)XgE@)wGa<Z#8HG9&M5M z?366z%u>S=Z>!p9qC$vGl8_qx1%ZN?Eym%ac413_bcxa-)7UX*AI*I@+?j+KqwZ_F zIWeSFmL26hQ+dUPRUlW4A+c190XBBlswfET0Wm|DBbLeWQ5q?((W9Y4G{HV3r)BR> z9DVmNfm=J4=!`10<U<iEfJJ@8k1@wT=zWh(4CqtihK(qon)wzqFr4|)I8!gkPB~^= zvw>8Xe`~I3vb-c`(GJlG{Y2!g7LRm~g4c|iKbMNeBk%ruk3prGw2(Nly0n0Gb4#sX zpgs>m03pC!{+AcI4-Ta7Z9@TPiy4=Y%%F57n}|&FcvL~%4l`~jfIQrbS1x!q2+CeD zW~eK{r!NCqDM{#B%R=>nPH!m+4Y}^YPg|Qifp;JA;Je@t-F2jW&K4$^2`5eZh8vi$ ztf`1}ct^AD8>L@8b7ZFi9l7P-0Ny)Osmtl`QtWl6uAJ;y^V~H{UtbFS|FksYm+Fi$ zA;PsoS#_CBKRDZ&QMM9BN&X=e9dFUzOvYAPRF98Rm9a*jYymM+_Bk^LxIxZ2PGZ6} zcOed`uro-j-+S~&&zlHhH-D8&pw&Zqy^5Rw<wH}!RX>O4Jh@l-oV6`oKBoXeHFZ*{ z?+sXj3LG4}q?Ft==CA&^-spb^u!W20;W-ltsS#=kg;kZ~*sROKBpCsCR6T8tvCS<7 zixU;PD9WaqZK*pK#M<^v@*}vkZy@bJ=;UR8?iZ;8S5u}XWa62%vcIl#k?#g-AnEjW zV&xb=d0em4Ij;cy=4=*qRw~bvmIibXrNTmOiaOX;N};7f?0bHSQf<T>JEF>K_z%Vm zpLeJ;97?UZ05`FRc|R0Ml;K+f+%lL|Hlc@eM%=MeVIFuA-Rg8|=FvLwjEnf+`qH#s z<zV5zH_BL}cxPa};R>1C?vLi_rlhB_#0LuUGy1lyOvxXs;0XfD=n5OXoN6+A1xD3= zhT9r+%NTlnSBQr`s?}i6qU3vd$Z*BFP?1Ep|FT}YoGB4*fRB%~a|k6AE|Q6I;f6{X ztkh4{Y2dM)|8;-9!js`S++Kn+Eutq)>f2;VFW8eR+un|s^Ux^@Z2POmfNV+#d2unq z(-LpfY$b4Z-0~aBB7C;4kNBD5c^v+|T~zzj%>|XYv^t;9e32`>!jeK&thhm4cZ`Db zwPxq|3RmA83nx@fisKTcc|JJ`?jnw_6e)j9LCFZp@rk(^H*=H3*%U|o!|AG7+wY5o zhi+`lVH$U=v90SsPU9hQ%P_2989m0ln7bQUyQvrLaoerH7^pQ8v!=L%ZHMTQM6XOv z&tf!OjlYQq5dU*+CcVy_{f8ozx7~le-=^(Te<&!!5nLX96B`)8e+;GV-!Q<jR{Dp5 z!ekTh#Q3mz;#RD{BK{d_9i26r32!RqMs;5r-555{Na`;on>MEJqs7Ii1XZ-4quGr0 zC)wT}J3D3op0lzIRe8T>R66%UlVN|g!&<ev9N@eop#`%U_1FjhuqrDwBw#PpBU$1P z*_+aAmxt}KvmWIJM#+Uf@F)FbZZ6Bz_8w&%j&uQ57ED2B1{+Qjs4Nz^LASxx#Gakq zzkPsx3-vL5+eE3Aq_S?CP`#=KKKy~K8G6%#BkAUu<m4vIb+q1}#j>EJ)AiemMjtPn z*Cr0gN$=$fCk453p0@7-$l|Rb4pnH{DbQ$(u-~Rw=Q-2e4^p^-_PF*M)p!z_WXGB1 zk9u|)fJs8eMeI!VG)DtN;!%ZDHYXl2P)#gG_ZA8ZDSjG%$-cVnzoEN|$2cK(1E(^` zrNLtRyHC=K(e;z-L{nXT@iP2U>+0YtqgKm<dyaW0X<v;R9`mO?N>FgUs#z=HFu5RI zKUa!+(mwA+65*cXrBf7Vn3+MZybslz3(`-zYn1Atz^)BM`b%vj$FnimV1?YOzCFzk zA~{vuzC7Oa8cd11@%mkf9c`$<io8f~^)KS#C5kP2BQ(<`Wt)+sxtAh0pT9KPlRrUY zp5Z)%Z0>l1+(}@i-C-zblAsowW@94ms1;A7OZ{USN^wa)Ed^1)28}{0B==_mOW^c# z=EE-b!MD(HF&;oYs=U^=uJDRA+iq)ZSMXJuT&R7Z2F_TMfn%kuAS+w`d3o!|9BeV` z12dzqRsVUhnc7bzfFZ(8<!Xisqtn^n{=540rZHch(64nx+(^kd$5Dklo;Gb3{=(Pv zYOAJRWO)Pi5(Me@hviMLo732h8Cg)2hw<{g|Bw!}hx*r(^?17qM*2w1{A%JaMZ@zP zAIcSe1m`yfzw37)m4sG`yyqHPPfd3iqQ)l0y?cD3XC$hjhAt)N3{eL<aQQ}Y^spIc z<t#L9QnSl>s<Tx}k>DA=q$zx}f3GuP!anRfpgh<LT1<p|UOtOi!u4Ez*1DkakPV3G zki!I+JjWY|nHA@OzL|!R+YM;lBBFQ148op8Qe;y$8J}c%OYJk$bOf5yAEDbjv_TMe znAhmEG~Z>NzV$}-%0&6!LVSU1ro((&kv?~#&YJ^lj9HvUta}xa?_`~T{<TE?c}l;G zZrT!Gj9J~+@9zS24|>OnptwvvHhwa)WFvI)?@*kosJsy6_h499P>=*eKVJ`KAM9(O zQIfc@V4L7Av>R9n&GzL%=@(R6I3qUL8#8x@*HF&6cp5UvGsvXL@it3Wj`aC?>n1lS z0b7*h>we^YvMs0%#kyvtQKITG((W7~8w-8189?&x1hK|ZHIqoNpy0-gy}WX_rRO;W zj&*4oztSNGf@S3qP<AZqL`L=jDh3_+Y01uu0V(ugSM~ptL~R)gFT9{6*ObRa*4#=; z^VjsI7o^%zUB3w)I)z{<S3f3;+;y~)Fz$e9;1$Y4<Qzw^bc^^_o?^TI))@0&($?mJ zO7lgQc1P-oV_5O`>~QEe4!gWo2Un(Cj=ZPG;GFBIDgo<8N3?xHRV=tfIW{H#XWdlR zgk^dV)pocx%cn4vZa85?ODPRM@Fr0qNgCk%SzA!aQd2!DUF1h65$2Ly)toZdQAaZD zYKSsZc<!H|8!`N9B25|q6vnq0x!&f?pe^HS|MiFQ{B49>^u?6%#YMdz?e5<b8&fT0 z_|B*E(Ki9@EA=FD6Keoqurr2Kd+KQ81ogeTpjP<Cm*@qug>I_^MkpE4F5E%Vf2V6) z|FgFys@@br*>7h<Ot^zL>3g2D)09A|h?&4et3EaNmkP6DG#PIs><W6zolyJhS=V`m z&jWvYpabZ%p#b+4MxpD&*b#zAZ8<hjQ7g(pU8O&|f#}j8QD&X2yHHBP4>H-vkAln- z8lyfXg$Bj^jvn%2TDlJ%{0Rd{hsxC07i6#&pVo1gFx8`4Kk64aNq#k=mCEl`kn~Us ziHKjARTQvu%ko9~Q<L&FM#dm`H&D~t`<u9Lb5oi1H^KHgaarGUb#z5&Eu|=aio0`= zJPG21^eSl$?MUxSc#XyxB#$SYJ6zkkMoyV3^UjFbheq;>0G?6^km9AQRW|1M!U=_I zzz^K!C<Ou}t=VEOX#sTi;SGx4#qBZ7@RN4Z&3Scqklk_8m)?oqIBiA7<m^Bf*%PO% z+$-_b^$Wm;mgL%wpIJYnfIofam2EC_c-7_t-(NxG)^@(*`CUA1fxNl`JZom?mTKh; z<0ak`7&;)vwvM6Lu1s2^#4g>~uL!~eM&6p0&p7q9Wf{@)UR2JQ*<7Rab@|88+x(a( zoIsXN{A2E`N+w8Vn$UCRkGtJ^c7H+yR;u=e@0saTSu=X1+T3Tu0e|&L_Hx!Kp0lA0 z$@aqz6IW3j<!3cRX+Sp4A@{R1wCR)5C5m2%Zi17+tpv#Rl<q2vrl*nwGESKKw`-A1 z<}L!Ii%z+k*opKj$dn~rs^3vz+vKiV?rs<y0ig~HnBw;xbKY85KJ*!h{*OQMQk)3b zO=8~_Go2_&GJnBXiN)FPMLf^ejScq4zRK)$1QNo594yWGJVV}~@L4qmlF=$;5{iH2 z5Xlu~yfq>pbUdp8kap+{k){hI=dY}M42aK`b**DNJoN+DUx{s*REGqL$s5Ws{{etN zf4}3}r^<=HmeRzr$J1fs2z|??ah((M8ZWD&{{x$K{gq?H!*!9SL$RlOS37$zroR7P z%m~81aW)LmU+V+SusULVAsj}6L-|b6EMZEnXja$pWiuOn`~_sKq4%kpb>~E<YSwMX zyI+}BVyxt;UNNgmOTVDe`Beg)>#62lgfFk9o56z2_U)p#i;51r(&YhZX~4gj_bIHh z*>lH@f_KN@hGkkqidA+?%j-6(*2iRkAoKK|JU@M$1nG>5N?6=gv@jsjartW~2@Hg_ z6sGU^F*&i4z5xR?F27@08ilBuUL(@?yds$w4{Mi9kP@!IGKuAVT(7jUc*XS!Bh&8g zPlrn}wf$b>*22`w1W>J4)z8*S8LZvnokiYok<0SjTO8Tq+pcY+ke_FgMd3~t-Cnqf z91>!B>a98^QoJq?ETx5THl`bXHyrl`w8@(KWl5GVmv|PoZkIQ-U!pg|^g5|<5Pbk_ z>bZ(0Cr?O(b=yWEBAspg8rRyqMm8tt?DTtz9!c~4!mJbt1~E=)1y~ybSi38YaZ5n8 z<X$hCR0g<qFsH;7)8{A*XQ%H_lC#qo(R#H|<cjm?-Gw67ZX2$&%E@>5uwFa6m!`0* zGST>mlnrf-i=r4OKU=y7sg{{RgBvu0jHqB()W};+&r_IOZ)R|FJkhw>i_y?clQEo= z_!wO(x12~y<R`W7POn%;@bKv>P3y^YZ!!4w;~Cn(`WV~Od@t_rX&+Z;HcRUA#~0lP z>rcf`?9WhtmvcXxihU@_OyzauCG>$Ni~v5+q^6Po%TmHOga-jcAoNsOQ<4uf@t-ba zGY~UMS4TRzd9#(o`7~!RFJzHV6KN5L5(eMRrtMO1-PIT{m6PccTDPJ<zKD)KQzGU4 zM;Pfwt-DB4{Gm24_k9dU=ktIQ%juSNZkw*^p9fR~c(lD5(~urI0Y|4QvXeX0pa=6O zG9TjxmCq!zPi_f*liw#Ffm#K>B5}VcY~zlx_{bc3oL{4F$(;ykG<!hM&)v=Q57&Yd z(MMH<KE;ta{P*kFIDS#Mh8w@I$AkW&kcDUrqiST9?Z*Nn$em-^7i2Dy5?8Y*Q-eZ> zn-nb0k^OrDt_Q)?`bN=u7x8S7>79+SrO771amFvFMCq%Z5;`}ss>K5LYnL2=6M2@` ziJ1sjgb09j`h!(X`B)88N~M^%btBA9mjve!R!vI=6R<AQu_ncY&k2CK@RCF5I~hZ@ z&0rgLH^%6oq6_5Ip~>MytBJ`65laqI#a{s<mz7H4j@H=>yDf_9=CYDYSI|qm{pmRS zHYHtb@_#*+1+rJ^ERdbb1hRKGVjvswQ&_)bGhH4mq3?sc{a8VFq2X|<T;LR9=1Em< z<W;%X2hx8vp9H&1M^5Sal#NQyn2~S~gyR>9D5}QYMIT2~O?MaZQ{B=R0{zlaB;H-r z3ahk%$vm&M*TEUrEBy1PzzmS$cH?<XGXUTWBCje$H{BPR^i}YOe+X7Fz2}R0-L#R< z!__PNS)g^rGTgyogs(+}DyLpH!$u1Jju(}oB0ZsaX$%~L5j<ayq$zCs+A-^;k6hpi zb7*a0z`p~p^%d_}hLK+J8mj%snlyZFH4!B@jQa`2JIL=tF+=}gYHu+X=NrU-T!S*0 z9yylw@g>P@xR;K0xPx(iKbtm1Uix8Kj12CigJ#6QAZ+69u2jrFhS;?}DRO=776-d} zrAL5;Uq6qY<8r3pu@z2=1Wx8xec5m{_h=FSr(!mvktLlp26pklc7ARxGc!dJkIJNb zh)mZ72GMqyM=Q#z<<v2$n4T^khkH8aQ@whLPfm?LH?%H*dwN_?teaawkC8A@xI;<D zql$ik!W@KSBu7GQH{Km!S;djm-M?q#%^0To+RieZiozXHt?5HAzoec?G!7LDmkyAs zz|Zm*rs217jGBQzvq@3~cL5z-lt-H{TwALpoIQ;GT<S10qoNPM&NYQ5U}72lj^R(@ z^Yr5=-9ERHYb|i|69K(bVZMjn67<utB|(}{5V@;H(%2VEH+?V3>Bh695;vCCy4aD= z>?D5L9>hI&8LP52l-9xASnpR%TAJC>vNsH+TytB)##4LXtP&>Y`dVEJ`&of%++R7J z>9~IHVmhv707f5F9!LLPi-EflbWn#+Nq+}pdrm1<*McqW_<`9iEewu|=$4{1(k~&W zRTKw(P{;PQi>KY8q)#0ImQ(z`h&Hg40@%Zx<gVLFFu6-LHZF?Nwmi14Vb1=)R>K)? z*z0+$k`x(~75u#5b;6&u3;E#qT(a$LB^Uw~a_sM~bX;)~83fy?n#K9#sdM1QdohEu z7r^(g;lDcuccx1RI7OT1w|(XLFKoxs-o-dxBCHt4)tvM)qdmCW2z`NN?`R2T5{;A_ zUm+;sNH^iOW15wm^a5cuIT}c$eHWp7NVX=&7S6qgu$mluGHl30q@4VNn*-xvXvl^< zi`37v!v9v319S5qVd95L;J};d@9^c`6*-2Cz<uMNn0dd4r5%`qU5<YMc;0G2MZ|$g zun}n5Gq^f>N^|TZ$l++#P7!MfA<q%&TbIKx6_BZ}$%yy0S2LMHQ(f`-ZIdJ=Tc1N; z!%Br{sY#N5rlqk1@0e^^j;&5vjxuip%D{E=a?}Kl$ra?-F9@UI)?$QpKj5)U84kuy zk9TK_FysnxtkrSr(UN)+_d{VA41x6@U*Ig4ALiEEB+Iur6*=NO{y{yXCYvUm&3(W{ ztRA+-DZvrt9^rJjdvE)*DHzLGT}#b8ou^Jw20bwd3()vC3*7yJV@Mwq!1UcAXLet_ zGMZC<f|RA<zEV&XJB(wzn~^vsoD1M*OtWfU9_XXo_-me{^ufr|VFFIDZheuj(l;`S z3q~u>q1kdBs78D*e|Dx?M=kTOEbuR}#1zUdm|p5Bky*Yk1ZR_eM<AXlUZ$A2Q?8_c z3ouay7NRpR21szCmpM$xQW^F?crd4Xa9$<0Qf677bdodZ`Q9e*E7#IngaKH5O7+hL zJ5?z({NMARhF2Tq_GE`?IlI)0LRE056SKn}B<_$EvYp`T<!WED<<{z0#jL-S(Ge;y zYfqND0Tj%0qOW?i7u#~8I+m>Vf&q6wQ%cYD$GJuV3rDw-cjqyR06CWjC5LmlOQ5g2 z1VuZE4;wF49nHB+j5(ak6<&2wbBW4-Lt=*gga>?%7;P@Oewl@0BHeBaAn~#$(FFKi z*FAXw*eHHQx{zC9^lUl-KF2D1N<u!;EDLBxG|9BE`-M1GpfQcT;MDZcEay%}<(Ab$ zvIzSL{gwz>p5<~{OZQX`qO<Zl6#ZK-pI|hLBmM_V{;}YnmCuz+C<Dn*E$1tYYT@$y z7?M5=JI8uOr2B(sa}N@(AVB`)>r1!%(bb1;(HqS*r9EXm0aQ$5RSS?<(zW*5K6Hz$ ze^Nv?_K4PWBL{h>OSl$R$oe#eIyGu@X&*<450Je!%sQG${6OsiE-Z@`KPeHe4AWcW zJWBhmid*T|0wH+j_#eLLAaYHZz83P(8v<3_5L6u+skcHZy~~F#h)MJ7>*d6z>Tn|7 zobyAnB|_UJrv|8YxIa9GdS`zi;Y_bebT6}=Iyo0<C@vxOLt<L$fEzrKK%1B8WwV;H zZbw?A|GkQd{->kp|AZo;Pone=*`G-QVTsaLB_17RfWLhe>K@%Azy#>u*uR-Ji+V2o z{-zwWyhC0sYmbz|eaYPE9r7kw+sniBJ=HOEJLHb2(d5eGGf1&2q9i^l&IpPM6ZZ@B zU&CgisYGrq9_TF+#G4QH$w=y9hhj$3%ps5pwS4gHt6eo((>TmVV-Rt0MV3E8zY#Ym zBYkp^W$RQ$Fe?LgvV<chYqYWnW<5Co)h!rTi566_AsZ9!#Nw&RuRVP@WmE$)Nm*SB zY;?&@rL5)*lIe+aDjcpYD=F*6wSnnN-56v>a=Pr)v3$RfztK&%N^f!xmGX;Q0Iy4~ zssb3>4iuHewd4z<9+QoSN(GpV$V5#VD=g9J*2$s{7~#U<Jm<#xuBz1>tE4wgDNxT} zHPC<q4Ss}XQ$7Ma(x1H2zl6}9Fn85RKjmG2I62?^!^!TEQ@KxO$%(pZ8an=X`plH! zqFbOHm9cRB-U;HfR-|cfV;`>Ru1576gJ)Is>HW4B&|Wz_R?)d4f8NXrhiJNHW{zkI z%q*R`jgKbm`4c;hl!jbWhG{zHM2Be_Hq*UmPKmjhr)BY3BQ!8<XOvT)(L_cQdLtjB z*TUWJ&R@elGT3#dC_bM@FYvKRds&&E7KMVezJXQgG_Eg+(#7rq_0GW)4LD#G=i5D^ zXQU`ib7Qso7LRL~TeXI{qfWJXKP_|<&({<Vr_+eLi0&V32LDXpupnD@{%2RF>^%La ztAM}A#|?48QCPM9=_=3Gk$=MF)RBM8B~m-wA?rVutBLQYdbyX#5P&CZ1Bjd7?kCf) z@(0oXxPt1uF*7T<e{h(h5}b3a`qeM4Q~g`Ks`ewv51kf3Ixyc&PY9gn`8PIpsN(nf znoT45^ss((gu6(6e_CKQjloSn$$cDu0inYJzo(n|Q<+wVAFzrec}hAQqaS)i?q3Tu z*x!C%E<NE3d@IV@x)8SQaJ}d8t??j9_t5-Nv@oC06KkE|{iHcGTsQ`<vO&?Wo`FQg zvQSPKy(3Tsn8dK&YhduG1xDr5$`0B5eIll%uZ^(a%<mH<uv_2{&B&tdb|0Dv#{j+E z!WQ#S%4%6RV-D8#Yd&tCi_R}#(&j%0`_vCN>?eoi>W3#D4l*q<tXbVoN^&IOh|6S6 zC8|DsA^Mi9`G0xnLlmv`0=NLZkfJkrfoz=GAvks-qV4lagI$3li9FEZ$kQGsOBd2P zG?#Le<(o(5Wine^QRQZ~CMVLGX4KzXvy_z2gO*XYs_O$u34@R?gI^TRcTC53;i^te z!$_d9@Dwl}8vU}Mi>t0D|I^HteBXl5b#b%tT_HxhTp2|^K%ev<r?E4y>&L=Q&0sJN z^oya@l9OkrVJVOBU;==w4;Vu8CQzo@?y>hecl|V8Ifou_IZD#1$VP7M377{n(@*bp zJnyw$e=hAWeIoycn3E8Lfkrt|3J}H1g<eHpKZ}388|4Fmp1R%{4Kb(UgOlYD2*R*V z^9i{<c8LFI7YajyMg&J^4_DKyCS*Tc-abZ2-&%BZoP-*SQFn6%XPUhWZeAqoHO++8 zsCp=3Khuvs?UT4k3ka)S-)q-Kd0=BXR@Gg@-RuuOjn~>5vHyG?``hoe^6PwTHl*(s zj-o1UlAoitu3gltGUr)sd_xo4J3axQ_nyL4-0OMtp3{8vN5u)yd<QtXP7c!7^Q+12 z{;+YopD~WOcf6k8$y6jaqKr(U5wEj%bcdYX{%arG?G>Y;MoBOksssqYshBc?)y85T z?fX}<Ing(ZY%;yKp<7N#b;95B*px8#42bFJbz`Kt-oXA4lY?SSq~A*z4`HcdSb29# z@dnv=`%2-cl1R>+AO(m5!p4JGg-nBUJ7jCU1nxMiCknG}!lsy+oKc>wMVHHt%BXdQ zV|;arqb>d<gpM^*MMJbv*_<fEaZ{(}s>hi>jm|7j?q3FBL*ijm&C!m=En~CrEGwJ) z1vvD@7va53-%8=_2NG6O;&)N{yy?Zvbr|nlhPk1lOB1E1z?w0(R)n>@0(z~B70P8L z2eYNhE)3VgA86_io9n@qVeQKuNX*ddT#dA+Mp+#!r6xGj32L9YhMjW2C1xt~k0#6V zsp(JAmjY{=!CAj&REVx=T1O^HVbfm-L#TnL(#i55Cyjwa#Fzu=RM%E?q3P}r+}`B4 zu&ym+8~e-}#TaYB%N{m(s-M+hG_>8JXBDGL%S_3Hvy7k4_fts<(&Zy#V5P$56(U{4 zSg|gIPZ@}np24#P651W&zU-f+apC>)E;dI0_T-FSGQ5f0e0t1Gc=enTVAb4Al#c$+ z*LRij>lPecI3F>YbxbW=D6i&~(BDN@aaSzncdlbqI;`7mn(X1G|B*-Nk7X=-=5y0g z_Z{26TQ>f)IHu_{OLIZGdqYl;?xb?+ic}MtNB<d3(Tn9yE;ydI=Q%KooP-o=wqiA| zt4{%L)eO9VAAJg7(*UjM$(e12Uq8hkV`;N9YBq9DY~bIJ=+i=l@VUUi@Jd$@9xE}C z*IexeYdMB4l~!>NYl>c#hehRJ$q%Ft!qt8tSY)ma*4`v~wtp3O|4IC`9jt22{PFw; zk4XoFP%TS*IoqF}#JX0|6<lbkL({C_2Hg$#%s?JPPp#+G@PPIITLIU4PY-9bX`@rX z^#meqatgS%@!|%aiF7)6;YPSFQ=Eg_!$}=HCKA0$BJC4+I-O^`t;VzEUYO7v#m>7N zmI@GY<zK+lA!125e{WCG)|&}qL&}VskRS5wBwm)Sq@j8ozPomar%{o>L>mr%WMZ|D z$tN;1EJIWrl*w9pmV+lr{tkW;#vJsMxm;5bzEPlmA>t^kv2k=MnVxN=0VaC0X_`9; zM$S9dS}1_g4Z~??vdlnKucxv_cG()jF935Bll)TaP^9@3pG^tJN#B_z`&dP9Bb`fO z$~lGHK5wvZ%7fi#+L^WyMbheK7{N?gfX%{Y*nRAsB-+zhWLBUe&?d|^QKO~3j>$>V zBtT|HYPv*cxGMVg7kMdE4*N%ysXZuSE`uXix*<@H9|wnboj;e+(7UJ}7^z8SqiNcV zX?tim7Q}tVIW?1!j70^o;^iZ#&CwgR<u10-EMPkJ?W(m^dOvPh?+O9xjx=VISunNG zh{UialltNBB?AuhxoPw~^{W*618fH7$E7jd92$@=@rK^@W-BydPD^J|135mzl+n8* zEClAHwK&x<VcU7dv0;ZY&gZg7yh=+lZ78chz?Bzd>n^@f%=azQmEN4672aXRsz14q z)2LKfnJzieUO|s7u<6~A4%x1yG2ObOU#9k=Vs^WoGF_-C&6uGfj_j@#UNI6kvJb8% zLLO{d;?o%6%+~6P$MwWCse(>XFH}>+AL0hN`7>CoGe6Nw2EIAJSHX!jy@Q@riPUus z*_bEuUVDkbdq+3umJmXgE4d{hIc*lg;kB)Bx~bjgQE9DQLid%fVj>LV3O@thU4a4A zjBF*_t79h0JvPE75G?9aQ^BGDpd;ZzEE-agn=SiFtLeivOdF1x3au_2$n+n%B7-<O zF<V}HxiH8k2uh!v@{6mG-O<gDBJkWzUn%56Lzw`ir<%9X3@6Y;w)UdaPUc>zLdc`^ zKyjO_pBbg+$u=MZma3*(zteDVYQeL}7pr?$7jWvG>Ufr+MGNT^zeZPtooux%nF@a) zjwhIUAbNDJ5|O3ARdTOY+X5CR@z+p~00;0yF{`jQDx%NDdRu$qx=ji~RXP?X=$)X% z_TWUe6lPCy+LmG`ISuYi+)7tPLVbz}oD?D`Qmcy8($i|H=#|CDBXp_um~e=dUhiE; z;BeI8e60U8hqbG9K!v3=n}_y@aKTaw#XQ<bHPAZ|O*K@1C1#>6voK7cnH%~sfp)Ka zH0%e1jDumjnYxENCy7ZWv^40;G=-6^11@s2LW5L;r#&?nE_c@F6NP@d8Qj)I7aSXn znoX0Ey!Uvvzhg?orqVNGdg3;$qu`URY2#x?;*L_x+J07MVq+Y~>i`zMUx-d%+|b`I zwCSjV4mml+AJ+E`XQgAG5(q4p43Na`Qk;k{V9Jpph!bf)r8{ahO&O$^7fGz!fgp;) zE*I@Ckm*I<?bt5MOg<2?>2TUP83UIVQ*?@9(>k7Ty!3%9%R|%ugbgH`O{+7Y&b#4+ zV))1=&O2POzA9nn@PI2@$==4cA_(-R_*avS9`|XII5$T35vQJ&|3n|gE8xu-`D0$p z)Mtx;>>g@{AzCT;U_m!h4XpaRfDSqfs^K~{G!ZPJyJ|Kl){+tYkRWZ6uvl%F{y9KA ziUfyMfC<d#v8-wcI%A)NRyp#e{XsfV65$Rki|{2u%#8RxfJ66vpp}Ne(0<RdMrl89 zE<qww%odH}hXJ;^&B;W|_6u=tXNzh-K2go(U7VF|M8mzLs>%DqG-GH{4P|^XpZ?j^ zC*OX*a1jSfdmDi3X8=quj&yQ|8`RVVlfC4ea7?#b8_~k{sG5iQGo2I~`Ky|85w|^| zHTcTW^$_FuVkBFqy3@U&KW0E+FvOk|?&Bqrd-_u~!qy}AFAsluW!6)>r@x}JZW?=J zqp8#>bt-XUk{s2Cp#_6ij~Gsgn73+ztXSsd-0y4XExstLM%}L*OC!?H^Lq+qexC2- zmVKUIi&YNo6DV5-N64*;{kuB)pC%tmFUvFmqa|twxnW66v#u)1<(7RC2=>mpK&^%S zlCxD~=0#Ska39#)C{`QaRHvq9fvar4UZ)rZm2{Th!wQY}q+a0CiW$bqfoxe9#eSf? zZz;@Ai?KQaeX1%&w}m^Fr7#bi70&~gpRD)B4Rc#K$S&Kvu1nE4zS>|z7A@E&+po?O zdRg9R0Yb5`RS?RKmH`&ZF})Z#Fm#qB9M~3??RSzHvIQxFt>f9|7Re->f)UP?ImK2f z){%NvhKVEjB-07S8oQi7a6(@XA46x_xvXr)h2dS?EgG*EWE-L6{JTHE(mF$;cgnSJ z0zK54#H<YF!`)RydsmasRLdaS@>KI6d5nAdBsF<q*qaGeIo(g*DqT%(prL;Lj18dE z0k@zD2sOrF>DOQr6fSQLJOsE6i)nqh4tt=GJv{7*v0NJzUnT!80bjz+y;jcumBJwU zj_!dnY#==J^gtOlFjHpu8W;6YRx#cKU*cI;C3j1?Vol7a1wjWdb$4X((z7l;<8|ON z2DE0hZt0V#upcJ+sg?A#@MGNTwfxm5vzm&>N#wFv-y)`K{JD&TQ>)lSm|bv1m0|6i zarCks7UTN|*hH9J(8+CD$)7!uI@#j<Rpou@o!3{=Sj?e!LMQg3SU#MlnD1fFjE69) zkV&`d8;$|HY-F%eB-1Pj&NZ7+d{)AckuT9L+nwcMZO^qCWt)Ckh?R!y)dGdv(m@a1 zB9T|GVL&?DZYooq8s$NMu5xO_!)AghQAgLdePwD)OXmAv8_pqU?l}#%+bFAVyBn|# zrsbrM;OTBMZYCL6EiIRNsb$q!R0&4u@?8b$`B&UE3J#)Ct!cyU9OX%{ky2j5zfH~$ z$@Zr+VtRTU=c2sp(!27lOYd^$|DJpFK6=?*C($c*4I|HZz?Z8E*Dt*F|JD>YN8ev~ ztB2Zrzv#TBg}Zaja0lEQtC;oiZQ|-Fbgn1{rewvVOYY5a`tRRUHgh<qXxsR;sdOLp zXwe-Grysu8J?KH%itKhjw+rK>;X9l->4lk2y2;(6x#K0WxQrIw)<kv)s_~i#+lgDG z)m3X`>%DIBs$06tO&9u{?e_T-W+TUM-dvR7_!nPc&=2ln9RD=8;2kN_hlqsqzCFwx z<=1lb&by-YqoO!>$$Z#^qe$<oS4Z5ZA4TjB@^JScqo2o*6XFRS4rKdJ_(CzV`xT;J z)iU(HkQd2opX&Lq?ebbZbUbgC+vnWF;>&YAo(e5FvXxMY&gX@wW~X-x?Ki4j^Z7_1 z=0U~2>nxtCd^vp~G>AN3Ma~XV$uk5gcJr<iVG)g?FI24}`$BXiAE?n99|+KmJ`d-5 z09ETXyvUh6E%J>b3Qry;y%Ts}4m%0FPq^qYA|~*L&1v1){9PYd$Yg*Oa%yq=$#=vr zVaji!1rU_=-boYa6Ez#;<Sir0_48twy}POZMcmC6AO#qlAo`;wZMeNYnrs?#3V-rm zdbJ=5*Gj|%zE?ov&T_e5^kQ6LqiYmZOU7_xPN6r_D3wA5>Q_?e)WC8t{gLF+t_bnp zF1X4=bXMd%&s{D$sH~bi6%HHor_w!uEXIY3)c41QPNy+GI>~0TS}mnbW}*2u(l<1} zLW0@a#)%3Uj>Lz;@&Dm+VW^v=+>{MVB{NUqJ_3-8*VCP8o0+r|cxTccBe|FQWos;P zPa`;KkKvzWla{R-Hf>KMqrsWwyr+?H;(s`DT1H#5nDi4|Bw?88<pj2blJJ04!vDhJ zM7=#M&WCFR#^OxirM0ZOEq9VYR|}~8(OCyiJ)Jnr!7F4rCR;QmjHLvgVO>TriQKn* zq<twkPds?sW1adY&*IrBa)cWW&&-p#9@&c_X6ug9Q$&$_o6ti<MDb19705(+7!mX- zPi;UAdr88y%y(FEk#PQg;pn!qWybx2(^A%Rsg`D`2I&-IVcg^;fw1C!{){xn5e?15 zLij^4P-^WKSiq$h@8iyT$~~-)I`2;&UzRkU1Wul9WVnCa9gyv@u~@5~W=(4XXL>ET zK^ea10iPpldBE35&T*mVXB{SeQZLR5WN4qc$VWd}z_yT&d?o4&gIxw3XqUqM#?+;h z&Vs}uye4L2J=+DRlJ@(7>NPgfccyi+tYXDDhp>rw>n};NMx?3KLE_0(Bkgn%Pa9?s z)FFjrt(7yaYc7PlqNN`Z0^E%ObXiz-#^a>g19<Q_x<l@kjU95#&;cm!afxzjhg@Z7 zU*w6`hA`fr>J|TK^CHWyCfmG@?s$j1K~AkN7BZEwV`4V;<CKuWk`i$<wO+E}$<j;o z1Ve`UZ7%O96ysKMzgay70l{}=^eRciz)uUDnfwdkemm@g+v#TEacogw=qs>NmMACj z$7s`~qoOa#IL2k3uFCL#*-k_7N%Q$&mN=<Oq?}4>B;*mC`hmUMDH=}$dcQY>!GK)3 z2sKqCWsAsk%c-hJOxK)du8l@E@Lv_#swAr-N~)iS(I-`rj?9_=mY5$H@rpT-MpdL* zPX4_zW+wY#X#b&js_`HSC|SLj$K}+qWi-RJ#Z40x98Q@3Nj0@qIyeFu%8eQhB;(q) z0!(~Tq_@e8XQMwAuBy`0VEB&^x2&HLCSR7&CdXMvYHfG{7PMy`-|>-Xj#G2GOVMu} zxSuH$gPa-?HYV2M#101;myeVeki#5v`HoNXpQ6Ja5|v)nJ%jZ}S6RE;se#WJ@vEck zLXU?<c$taM4IS1x*X>sIPBqu!Vn|Oq>m>%GO7D)Wk&Qt`gvEY)!$)K!&9khYc2tSY zLWW;+`u_If#*$JrQyn3v>0yxv9o+hVH)i0Y0dC*ZzTbk6n}z+{l2E2Kg3783p|7{E zbQRZS07wk<>6aHQVqy-xPR_MK=uNxsE3KAO%iv}e#ON;`r&y4U<9!rhl+!!Q!uoF3 zS1~&mVBGtE75;x}*UlOl*RCcLjB<O<2nH=4AL_5N(l-sKBJajfm<iVZ>rwfkdH#$r zjovY87FiP^<#GDu&?Y&xZ-CH9=&8XH;e9WCfdqu{JRK@JIyAVC7B4DkiSX~IkCvg0 zZDukw`bjuG8SJcO+*-pVXxANcy<$FQDJIMz!h^F1pv8EjN*bsHibW=5{*j2>zESj^ zv7<<cCsS*wC^lj2afuSe#6PUg*j%zfNxSV{Jyc3IVR;)X;TnzQ0l^7nwL;EiNm&Pv zqpyK0n7Xx&dOW4MWWOUW`a`gqK2cx8>Vz~$SLIs=U9^$M1U$o-<&s=tfOE^KcLus^ z-F&o#JM5x+$BEP@52Bo#^@*9-<g6mjy^;P0hAklaxNnH-5EG#7_sXzAxgV2I0^uH9 zi3L=x#0dp(b_xBXBGUWII%Mq-jhTs!-b@W0!}!jPyCR9p==JUf!~9?#fiK6xuV;@= z!iO-s5DDfj!<muuTD^o1F)Mi!i*Cw^5#DTMbh<>o!#V6Bo4q}awbZmjNv<ZPVK*z7 zyaTHXS{t4G7|g!7zpPtHpOvC#)cTb4KaUB1B(nsJ7ksP<FYI6BMPH@|uSu_)Q14_~ z=|;ONCrisT{TQBrpY9`U$8s82vq*w|v6E)|HA^#mlGVRwTUOL;y1PtC?GIpJI+|`; zRKYJE1pAYRO%dF$b~t4tO*0V6CPKq&8@U_J411Aj0l7nFwH>WqmCkm^ow7cypPH<g z>Va!duTV^<h~3Btc}WVJyS=&nYKP2}3SSLRf)VQE<OE+>g1lo*y72%JD}tfJs2GO# z9RB_>H~qVSCzR0n!Bt#ge|mx6NAHqEVUvqK5tiZAt#bN~mbhj8DBJL6C-?9|#dzEW zKS3G-OCduy?uX5IIMwE+F>YhkIXnI1Y=>AH)e|Qa#dYJ+F<x@NC*(9)h1+iZgaKuZ zJ`h<=_mM^vx|)86W_Y1AMhbmkA@`2}P-3=trG9?Y@0Us${eBxtM{Iq>QfdksRa__< z&_|ZjFWgSR`G98-?Scy(4|`Yot%>k=VsxLcgsup$;)0d@&{4SIOtw(an~<bCgwQ*T zWqc>l3a1>yy+5BX71$`@Vp$PBpBv!C3ck+zUG0KVamb0sd~~=}374eX1JUe`lW%6I ziBXYWp&YDiY4#gXOWz)NSC*HEo7#<u3VJT=;1jWqTcXiOkMc1gBJ7*S3A2CQW~I46 zpM#{XY0oZ%9mgRUuMA;Dm)~f(0)t`wBR{9)XQ~uYp}(r_f|aJt$Is3d@nkHcQ_}}O zVqJfBwsJ_7Y4&JGdp^I^G#gDFkjK7k>nxN2SW}AF(!@RIm$Eat8&1dU$)b`z1<kS* ztjq|@p!jPAt6;^1m`|Sj8&#w`S?xvhgaM32TrcsgjC5b3k?CdiQT1%CcFRtZYKCN# zt=lSvr!enT;NHZ#ab}`hk%B@0EI(Jv6(+mV^!vg031GdRw4!X4ep<Ydo8HKOQqpUc zUZ(o#dcee=7DxHL@al*dE5+lX9kTv6BWBpg*W#}n3O}QC5DUTCNcel`gRmS_5;kvH zO_v0n(c2bAaXTwBaqK`ek!O@!H0ebRSS5;1t(O{)R<?5$Q~8T7lm@$KpEA&9xTq)Z z2up{-_`kX+nrTwd$$fWDM&8f@Gv9vNC+mQJGiYPgIsEO@vw22+Bn~6iun<V5pAvWK zGX5F0Pkn-_$mQIq+GeZKdSOl!M~^GDcx!v_!D|LAbxkNmM@Bk1y_G+iRhXl@T#h;n zM=x4X#dXW{O;=^M2soPNdE42E-2fx@xX@mV;eN2`P=7R627Jv3J`d$blIMT&#j9lc zNr>Z~lu6skjA)!6A#{6PoZqgf<}u?Y!g^js{!vQC2T|nD{Y~Xfp8hB^z^U*LbCVmv zKe)KEAFU8es8+O*`$$!sCYIFWq~d5rZQO$@57v1L4Bx|G;)<0{?#mkffmtl>x?ac# zP#$w-m+ebnmmhQKT)LLu;<S}0R@UIN9PrnQF5)gwY14I10j4)rs`l_o4?n@<zM_<l z_2v*^|6|};&m#Ti%*-N<8~Wp=f8e%ina=BMapoL_Nb1Um;niojV2QXXBrbHZ^@;2H zwfVV`)rz`h?WL<#-74sb0GtGCbCC>QToMjz;qLHdXEAygtA(Ew=^)Rwu@8_nVcBY- zG$lE4*G!Hnt*B&*F6J==8BTOmL}Rk8?>L&^Kd6Lfy^-Q1`c>XWx>_2Dxzk_ewb4mZ zl`z3ei<aim=*qSH#=XKTar!toMLVUiHFpvHY<Yg5EGTPImjI}+EGW{(rOW8Ckp%xK z#~-BhYHtbRz|qI#QCG>#Nu3n~D>|u3_!~9Y{*ibv6IDFCK%!dHGS?(9^hxtF4qnJo z54*WYdkt()xtyb$@!h2BO)hGqs$(SbAR~qUYj(!dV+12%C%PiMG*&>I%hd^Du_I?m z3c@htLu&X6OP7V{yrs7YeQBVFy|Ic}xA5XrA;WSZf72*Bq@$bE&#agtFi6{9@DYHt z*An-4L`iJm`2G&(0r;#|D8T+3))4_g?*GEy{Mpw_h4T$D%C&D;(iZ)U6!2Ggctw=H z5Rg3!IJI&264|MLw^jXcFInh)%|#w}VakH3jU@nc-CVmb_%h069QpeFg6O?YpkKQO zk$nPrmUHjJCk<r3fUeX$1$N1gP(uNa*Di(2SSjrcsb4t%3@Jy^obFQJc|b7Aj8+NN zI`dtDHes!SK*UI4D_tyyeGefoyE8H!%~_T`5}n<`V9ez)O)=M4*x_n^a5JtZ<9PK_ z=uDIRS#J(MX(f9q0Z(Sy1+cRB5H}VaHqxn2dX>gNx+W<(bWKt+hQrBrUaol-*ITOd zk<aSg!Ny8mm@6-uD>qDT#+ZM$*f5q9HZ#;ub`Q9G4hEW1i3;4cOJJVTS~<^=>eR{= ztcoyr=!_uf*^^PEgYo?JE{F6RmtRg!4q;1{%5aRyJUIZ+DAduIdUgbhwjUMduhaEL zYgSo?^x1?7Zo2)DlL_#(kIx1C@jY}qlMPNI<LR0G+NnRo<OWriQCq<{0&A{Uwsv`> zF9M;1QdW$Cg3tXSR!`7=Om=#t9Vp&l=}n0~(0WDKpRF&tzLX`vSqmcoAxe%$ZdFD) zQPrm`A1m%)ZVP8yVs7C6RW%p}*HPo#A7+FBhOjOB5sp>n%XC?1UTZLx(d4K`Cgj|^ z*eIOvn9H&1_lGl*gg%r(q6I)edbBHt<5;p_W(u&fMZeFJ`t-<*o92n-2dd0ujxv~o zc+4`c41)20h|vcuR-CELm~Z7chj>~)Oe|!SB2L+)Yq92>ov4+uXMOivR<c`vll>x^ z3Ogz82Z|jE;XrZ6GQEiv$6h4T-sNbKK{!xc+X~agPOJ{G)Dc#7DwXo|QUPaKgf7*_ zI>ecbk!(LyC3$XKHTJl?imo*&`sX23{tops0d0>ehq<14jZyf-{ZYN?g?L{F>i`Q6 zhwXJbV1)-pnXm_(A!A=o(&neb2GX4JJFCgTsGE7SC#&%t1$Q9bN0o!IVepV-zYR}1 z6f<P-zmK!A`Kp0;DoVl7++^@QK<$(W18NbYxiJ$L&WLl=L~;3Jve_+%O$Vw0WHx3E zaV!XTQsx>?^N>>_DqT}5_6BTRx{i+yp!a!7vQi!Hg*Z)>`(SN5+HF#>mH+byny)5V zp3j#JO4>5}xWA;J8gAR~41TM#cr$8!IF<L;;8;~A8#hY5i|SwjDFACnj%A{oaYJ3V z0frb8rjL#s%c|<E97<DlQC3Zgao9-(0b4Wd3hqc9yv*PsYVVv<(yPd&<@6cD8`GP9 zZXl1>N^iP)bwvEB@EFFQf`^tB+Wp+H0j3?eb7o(;-A{#W-0Ya*bmw7#V_E;5hIHVw zuF^g#JO0kpZ?S;b=XOw0LQQWS4}+qf7&j9IL%eWzU@0d$Rmz>xkn67CCv;yat7&eh z;%p<qY6?gLnl%&~#Y~fO709?BtN6=KWafNdDa(T}t-pC#0nC-<y*NO8$4Zpv>P=S} zR%T7Y8_9%Ie+->p^S3klFpjVrC&<&iTinKt)D*QMBd+V7YoMG;53&|kuFFD9rfEjD ztNIOrCM>GiVl*XmB>FC@ao{@ET-sO4Dp5RKlgbD?jKu2^)&;YtEIfmFagC9}3!G}K z4Bp|aywTtTVW!{uEn%H=8-Ea4&D2a|W5w7y9t*2p?5z+k@T0ztY#mRrMd>FfD{u40 zOl?0Sy1Ai#@>h!6{ceHmW)xD-dS=$aGkc$Gym>0pNaHF|))>w$<(-6XYkM?mHuW1x z4=nV>^`?6ZvBq;&rH>!qEbN0h;B3}TEe2=x4rf)K<I^!4qXRB+<#AX^wMde<8B^gQ zn7PJY)g}c8xDSuxb76h!PqSgcj$yYZG>~6Y!W^ujH3NQ2TX%QV$<e#KiFYS+RyG^i z&+NX<VDAq{lNm?KSTTWSOMb)P#I3}#d5^)!BcJ{65xIT$5#fofI`$dEQO9Braz|QM zCHyO&{^9I^Fl4oQ^{pEWI%IYKz<OCWcc?KVnd(nDQIw6VQ(;p%L+zTfIubaABfqFZ zrmo1M)s#-)hml=1G<rr8mS;1KWKj(r&*#xXk3-SIH?(*x&lWbT?7kE&T~;Lfzhkx8 z#QChkgEeMsR2VAKwxw8Fty@X$ov0=*E%GXca9lKDjy_4chSFk@<Nh*`I6N(lG>xT` z+=O0Qq;qpdL@n%t@;)5{AK%Cc$Mx{DmHAdiLY5c~pwkXXtSVcErd=x=!*o@@v)Ola zJ?C#}Eq!cw73JK!NLv><=%U0U(x!kI;@mjHIX9#A1Kl|qmdsp9U{Z7LYq|JJI{Kn0 zy*gi{m8CGFKbs(YFa@{SDotCk)`?AV1MB#w8`yNdHy@_6*HF!slb)B2+x<>D65S#B zyvzIyr8+5Q*imj;unJs#>rbobX0KD*xoQpn%DSv-<<sh4B_(y%JBVa(YBi~og_q9H zpwglslP_@}`RH3EPR*OU`>o<uPU4>oGf40c&p`T0WSE@jlHIRFvb^i+I@OAJlZ<#B zxwc+5My{o=>we^UyXxz6Rt4s*s+$+3(QuHd$IEG-z-$Wgt(#mpzpqeJo1+!X``=Np ziX49y>CR^<2=5-lf89?yUkbH(vu!5+5^>s09I#ZgM023q4tXP~UqbpIf<UHM&qfIj zD><VkYNg)5G_O6}m^eSjWQrl9M%KUkuMtAUde+U1bRf8f1LrM=;se2ph^vNVGJ>lj zo!s#8{DWg~XIHh`Pv-jGb=tNsY}{=IGCgqTOrXgNqErtv)F&GkjwL@XWP|p`SpNI5 zeN?;n@i)fqBO6s3Zmk#g2w?5~^g$1S$2go%TQiLXsv_Ow?=^6)UoiqRf=fae=lzFA z?$a3ijj>8{1lpAn#^>xfTS?#G@73AdVdF+dI*7VhHNF|^qq{O`M42*0y}G$|(mU)B zRs4-?Tj<rojhrD9k`K>He^p`GXf_Ze;WD{ZNlzb5_cr;$ruSH4@^nei!*VSYo*Cok z8$S-4&m_oZibMJbr>@Wz7}6I70*|a>inVb;G(*;OD7H8r6?Bieutc=6-H#i^W3F5e zfZblCYuGk1q<SBgN)hK}26G%ey5*Is+e5KeIV{)4F`4*9qtV!tkKyEX2~~3`Ro*1y zhsx>Q<xIRc)+=V)U7ZjdM9%=Lt<zd={80Mi9Z5Ls;>aj+3$6rFF$yN~*Glv{7t$;4 zNpl<8+Ea8rSAMGF!>;EF6YDw0RXd+6M?D2*k%C{En9k8{d`UQe8~^LVw@;tTW8vH5 zh;%NGg>R4N=}MldF-*2EBrwlpC69?Nli)_B)0LdGl4nI&rjkhe6rQ&6$HNyII~?{e z>rq7NCE)=F|F^QY1-?itSZ-tz25O0KowBz_2!9`;9}{sIOX4vTzi{x3l}hO+21X#` zGE8vy6FoZ}{^CWRmWl=Z4g4f<;8NxdPM`$K-LAdaDR;{c#u~gLrmCzJ2H=Huk^ntX zz_@x9og!2+M=IfRaLegD>MPcm4il7cy*SszL?7$909^?vE`hCWwg?6sRCw2W@cyta zm!_^Q5?LI<NW+r~k93SHlLo|<c<Bgf20b6(<IUa%GTy_fL`jbKFpN1|%88a&yXZzo zM9}JYqS(Ww268bUvr_+&j&4plSw|Y>bD@u8ipze#@Xua?Wn|GYrnn4?x||~!)bB42 zv<b3(V+at^OEMyh3Gj`zWnTEY<g-u~AI)(DkPMCD#`u`a;irEJtWLm;SXl7uShj3L z{c^g|*Q=PCk^W6JV+%l0b1W<Ad_^{^;W_}WR-Pk9xg%7<dK|%lu9#L>(KfM)47n<5 z=_02|*n@@DFi(&QO5TTV#OrfeI)L$bjPcEX^Eu`zQ%Fs=R_3XO?2oZ1L8duaT(^HH z#Ff>>D)yvIAKPRUf3E(WY7F(W)DTulL6188My7_En!3bW|9`H;!eh<b(^w@IPgi;1 zhk$Hv@id#J{-NOMw9r?!jPA(S;=HBUQL7KrcM2B1U8Pc?0-NaQR!`;IZz_7#VkxQ^ zOaAJ`%C|q3W92sfQ!bjuHofnA$I!<L&a5>OfD6U|IJ2&;4c!+DY~f*n@LPD)*0Hu2 zHw1pGEygR}Y+DS=`Yxb$9V14vy1Il&8O5m9u-+K-)Vv1r93QrqsjQ!GciD!h)$|;7 z?Gwa^8|lHji#BEJyfFl|*23I1Lr*^B?$a0Jj{?PtZ}c-*t3L#5xtLc;#k}-O@U=7b z-c;*%^=FbJ#D7ro`~$n2SIgGS>V##dQUW|1L%;N{%1^vYXn)boJzB3M^NF;hF!Uuu z1&3e@_|khLcY3X2Z7pG|@rbmM+mxo)G}H;Yn?C53=}Ur#mi3RpTB@N9;9jfc9m|ra z`7(_|tUFo@*a>~NAZKeKvDUs61Fvc-Ble=ZqpQiv;+`s78~s)mjBOUGaN-{$vOb|% zN(XsE!=ZEl?>SnZ-dYefJ<6X=++Q2%A$BlX%1*o*nE*Iz6^2U<GoD*G=<vT68b)QW z2VvMURz=D-r*lm9b1Q(cC+h2AEHEypr|%6iM<AQCo$V&QSEZQ_y;$|yFkUP3f*;YC ztJ0FmqGI7o!|DI2YQ0mbR)klvycKJI$j^Og(iQQLY`yLlGA`c*5k}uJK5pO;x(l58 zmi`!a-JsY5hN8<i%kT8k_#_nP+PsSXPR^glYMQK(hMNoY4-P8}d1x=gSUwPoPHu=> zO&D-p<v@exf;MFHtW+&k=~FUe>8eb#S!W#G-MnHwq)2DEdbehn?^s6s`BvgFmzv}1 z%%0|O%>@@>%+uc52!=5?tSG24&zaDRYU?$ksm;Q392d+4aahk*dB8-tQnzA%VJe1G zd7)1oNwk1-Bef`WvJ>Arc}Z7>5Tvp4RfhR-|KBu&wpR-qJDj#pSWptJ;g3GzxgSII zwHOStHy^{;o(yI~Zq6|8aGHv>Ic2L@P05Tu8H?mhVm3qn5-*l~5ou|#LrHyHqnbq} zUfI5N0KIGsW$6~BK?c~?`5o8dHhDE!>JOXn^GkzQqvNfDoz6DAW;JHbp9j)Ku2MKP zo9r%I*iJp=Wi>El>(FQ?O#?q3w%Zi?nh#v(5GHGND_TTSEpN4#o>VSkt&Z7JmaKVP z&ZcR>(-ghd)gh;DA1%1OsFjGMpL9u237Do;sDC(#zScIAmie<;T4wvyiS(}UD(;j1 zsws$3`faG4ehyIcRoS2$V^#DbxPjk>I=N%#Db`~H=odn1E+gw8G2?dQU!+(@1!-9G zi@fA1xA28aV!DXOW&2IHYW-NcFDr=%S2~i2KUsKdYUmVy2|ZA?LAJj=Cf_XZQ}@Un zq>GQ)`kzX`*LahAsF;6nI?JK5o9-_U0#qnr&^i!&n0o=!%yC6*<nF_q89Gj?py#>5 z^v}K^JXXd{?MVw?DWPx4tGNDiv$;~&k5%ml>Vh?PQ)X?goyKoC`RHV+*XtMy&W*2x zOE?KrmxMdH)`9#tL)h9nPEu0aRa{#uBo6%1EaDyvH}{gTj%U78lFOPJShQNUJ0~DV z6ZJd2(WlC=wyK81DzmQ0MO@r_+L=ovOMGA`?GagG&XbjGi(TCg%LubHMxu<z&L7OQ zbA5QTP?41BS%bWpWj>MZ+PEgiooyCIHN#4|_pFI@ILxo)XK}hD<cR1_s&kyD@W5)) zNU0fd;v~btkxx!9iW~Mxb^bn*x~#iv3*!*gUs#!H)HZ{mEzPmuj|iRIyYp51#pzzf z{`xGw-7CEm$i+yJ4%aW9%b)MTqFCYN&QkKOOFBZ34^Q?Aj7(!GQ}pec7!4OWL|XFd zIejVd<5UNHt_Y*I1e57Oo_-(5g+<)sX0T~+!DRmLeZwLx0GX`=#UH~I5OE3|DBdI| zyBk#d+he2jIKK$CtV2$h3~Dx0#tBnAWB?UrV?R3|=Q%067BgWGZp7)d$FyQwTH#lE z7ML^kJ<YxCYkp#1BdTl_`!+*KMuUCBAadeBG07As%&1zPO=R{>72bPXNlzZ^G&@3t zEiIB1?vA-V#ec08i;+9!UTwp|zkiGFAWaM6Ha6{KnwA5_tGIxrBu^}3tmFA7k>d@< zo_<m2Xj;A~tc4T!Z&zj7qwnH=>fl$L!1#*R>-cwv!qIc&VmC!;M6jrn`?`(avV<8{ z6AUX-Z;r5~n!H*@2UfC87*85|K`w_50BJncc%O6}Q$y5O^4|?$*Iymu3vZY9xI&+V zj%r?nN+fI8z#ehSgGOdLc<5j@54MHl@S<X$;$uqMZQ)Ja^(WF@m-yr)ZH!sk$b#SI zLAFoi&z_X)F*UR0C`Hm{Azy;*pS%OA)`BqY2MOr?8bn5aau2G36RRUvUJrcpi? zW#w`kjBGu%dHq$mmRzXcFVM@6y<bkAb~Sz47t84*_GuY{Rn<R>SFkCQD(~bv(oRhr zr}@z>%wA;5s7)OJ>-_1V08Q5h;OKJho*8uCIZ;*z=Z@lTCAHGvtE<?q{G-AjRSTz< zD;&mOa~bQ(_<DW^d3i>&kxEYhh@6rf;yhCYhuf*~cj7C1;3%Hf4+8M*5l4)L;e4eb z1|~pcCSc?|C7qf8yR1_W2fLFYsM=E8EgKDnYF%)jPloRmvl8wB(iZ_-|EY1ms)TdE z<z%U2H5@p*Z#A5ih7%Hdx|*(+FvzvE(@0<h-PBKDS(D#!Ve9-ye{;}LYGpmK6mEKC zQd`$)6|2{JZufA!Z^897iw-Zie&33ND`)H&z4z>^ZhL+w{P*?2m9ySHtSo6|@763j z0#8>QS)V&)P5Ij^4xW8u!J)&wE->qzz884sz42#%*!Pq+e0pQy^KiYl4(&YqmWN*4 z+3TVzoU(q#mFxnUzX6~4xYyT!*UnIuwDr2^*Z-$e=07}o@0Q%x==oOoH+HUx_5G5q z&pmtN8Mo}}+?@R`>~1{2bA4+q9G!gIioHjD=as$wnscvueS;(HcWk-7zG3HY-i_SX z_|4zZX8;ba?=wb6e)X*~w+`NT=Zq~2ZtS_<zOVZZPv-6({X6C@gs0a#*ZX?s`lDyW zQRDmeio=)x)n0UPOLiXo<}bhe!@?Kg-apr8=HS4yzt-y(_qiJf7p#3SaQ~mkh2mw( z1K~}|?Rih-Js$p9{xbZR@J)GN#bWtRIpbfoi4s;-oWAIk&bH-?mM)pr-q{5Y6-}!u z8o2u_nktfwc4MMq^+1`sVO2%fyoK%aS1fL?;@()aWO;k%8EuQ<6r-z}TQ#+t_03+$ zedR_KQv34G?%~TTnvhe2rz@5OxvwG>dP3J45>`VZIaLS0KZOx@Go@n>tghv4oy*(j z*K)kc4TC4kXK^2{S`BY>v~{+f-UXKqam$ykT+-fo?EKlBcpFECaNhacJ&7iZ)qrHJ zwC`<OzP$bPj^%KAVi^}*zG4cO>0|Xj!Or#t?VasQ=C#9{GiD8}SkW=R4gO$j8+^-Y zoYQjKHdE8MS@V{5wojZ!ZmLKj(E(p!c@-h^iMo0xaj`z!{@1xn4VGhLC7hBq?#UW# zJqbpm`^Ry$ddiW+d{tg?+M>B_OWK;Ox%&Ke%}zJy$&}S#ni}Ie=QU_4yG=_QHdYnt z&kKP5z9dD3+LvSv+_WW&mYi~!sNjD`t)xnhZrzQ${ZjOjZQCiN)1#lk+-)rO+&lc? zo;0um?jZjxesCK$ud>o_W-&yrgZHxpX*=O6K2(e}*I4WfVJE?-XZ4#m3txHv8wt8z zsO)NO65`qmHwnms-t6SUZD0k*qI&8LF=nLO@R@s#2Jk9j-OWq8g<jcMxx&|Uy(`n* zyF#kK-(n|U@@6~cILTQXU3KeV2BE$;k?9b8luV}u@Nn`Mk5kMOb-af?ztZSDB5aCV ziGzgF!@dDWb%ricH{Izn;GlxPM4(TDqq|x{&Q(0*rxRcgn+kvCod7nNu0lY`bYcEG z15v|#BM`Ur3108oG;0^EYfpHj30^iaP&J>e`EZ<_Q*b9iyN6@jwryjRjcxp6+qP{x z*=%fXY}>YNJ15_FbE?kex#)|onwqJ4t7fLF-~K&MZZvOt;>9Uiteg+qCfm?9Y8~$W zOewe=RoK=*dHc|%vyeiO6B)AZN&G)_sR@=LuoF!NMM+MvJyXwSq&>N*ap753$J=ak z7+eoyorJ7|MRx)JU$@z{No6VXrVa}gg*7LO(7JwXgtrH4Xh-LoZ9dd-JevdxJdmv> z;}-!%KTL1JjLWGBl?nU?MUmuu735GBN^oS$lZ8FqY?=-eJ*DK|%>XV?w;mtKvpiA9 zwJC9!_Ov4A&glu`K;}aRC72Y0VJq%*y{J_J*D-O&ln;b@IW`FhtM8jH8rq4`vxa$| z$R+~e{D7aAUX6m8F4uO9hgse5yY*L%rEkIEgAsE&vtLBkD1Y^qYPy(_t41*lDvc19 za=|v`E*>)z{qUB2(dw73BNAQr!9jRgS%AtUd4#4ot&l>FNy+sCP~o7!P7cJc*&ZPG zAx}QdvVtJ5jH6u%t5txeL$OcGyevci>xYUvG78^lM%Tto7WOK_@?4%Z^(m^FD0He# zA^h}g$U(fi6oA)wJ>o8hfD-#0?6)a)3f^TBcj=lq^@nlLLs-on$8$)PCFy(e;c9GA zby5T^SXOK_-C-8}A|9f~Kewb8dD>cWu7pUV(E)Iww<z)PyRG6~ReiS2jb9-QtW$qh zT^$fpY{PLPl0t)J7uU78doFs_J;)!F9%ZhedS%apfLog!w2CfEiAP+c)GNLAyvtc= z`@;@vHur*nQ(6E&OVo-f2_G@Ty|_;KF^cb;>CMyU4xy98fP(tX-8^Q6KtgHD=ah%B z_x|W?Yeo8eO?gg(oN#H<*zGqWw_vLPL5n#2Wb_A{gWTGg%#Tq~LN}i23tF4~a!YFL zMB~MO55%g><9xY~NR|N^=3DsC_TNZeG{RHRe}SlCGeEt@Z&^#vj*BG=)70Sp{rn-6 z+66DryawSeWqNymwt@MUAzKTB%i|e`=IU;e1d?X+M^k&m|E-{*OV^MK#_<rp=-kmT zr0kUFUor+{?f!K$E_`i2xU98?G{}#{Sg6A%`;iO~a{}ALVyURWRu_>DPc5V0ms?`V z1n^44(hSC6XitRu$lSAOKZCdxMO{Kcjvj6Z)~@vL*IzB0oB0tA^H3pmkJZyC#VsqE zjQOn4_bibd+8aWj1NljTQS?zG5BfF}HpL#wMI^5h1`ER=ikl~+GC`}MA-$znI`MXv zyGk9z|6PpkckBer${9x|U5jUIplGFkYF>q($@;|=h{t))H+=3234N2XiezPgjO^f` z9vGORe`yM|FG*}%1==~%4@0W%Cy(fgh6xJTV^sgDp^J#U9hx1{&|&g=V&d|on8!{Q zplN_^C{A{9&)-HH+E3LX`wTc|VyVh)IX-vi-{RE$4$n8Q7^`2SW24+gvy}nTZ)=Oq zbH`)dl3?*xKFJ%{A@>PV24d(K-JA&`x0LLtcqF2vU3050HL(ftnu4xpj<*XP)w!rH zQXZfKw1gFSy}$v|Y0A&xmbzKX1VOFRmKRD0chkn!Fo+ERrx4kASKKm_k(#q{H+@VA zTYc{@%A!ZZw&)pzxSUFmqlD?MYflFJQj)R)B-s(bY^g9GU{fu$xA4zOWY0GD$h+i? zC6fDM$W0(i?>*TQI5B}a^+WEvgP$6*WELOu$H7UsK6+2!O5N@QEl;~4i9);`JRGsX zh!m70XUNk_wY>fzlWml5mhfnv@(-`Qump0PJtN(?1Fq=MTJl}16+%PKjOV{Cxw!Yk zwX}O@UV*Q`yVrsx_QH04nd(kN@lP~<Aa&?t&&z6#wg;|)0Ga-|-bzS_We}}Kz7Kh4 z#;Vih_9_p^!E(fvfVPq#)efbxWiELVv&rMmPH}NOI24^CW4TW@?yRX%31f`Ljrc+2 zZjpcgD97q5_b4fP3uV_TN5vQjaO-j`;I3CaahMjlE4`Y3JKAD2HT7+B#^e<KP_`dK zGy_8NIr7o}L|Z)D@`%CU9sGhRH@SS7bD!%NH=BQk)nw*hF$VET?uKGDh-2+~TAc{& z>5$kWelp-iOpI-<d<=h8B#;a5b1qZo>(UFozWA2D{ife)6T-t^9A`#q4TUX5pZ`lB z%K5jPpZDVUh-S9XB@WWciVyGekDX171f3eQm2mRV3loHf_&_$06?R#+<}9}Anlk!> zs0G$3$a@XKu0ZlGF%92!5n_VB{{7h^habZ#0YzS$Mbb&}jTF^kKi*+QAW2RSW5Ki- z++rK8MlX*Mom-Z3&PpEPz=3W3mj{_?2?NHd#h%KSQo4{R3_h{v$t1ht*QWOw;y|z+ zl#Zh7K9qK1-l8F8bjy;n8Z;LniCnOuVqww->S%trS7KHqNx{nn{3k_U7#7M;PJ4L9 zjoRuXkc-M<sN<oLFD7?uyNt`%j~y_<0TG-SBH+GxNk^1DnWxB+b<9L&Z03Jn`N4iL zY3aC<v%aC0JlLwU=$s`eWg$pe8eyD!cmgcZnI~_cr)?*<9;tK_Ba^chb^31jryN}} z?n#nufWf0WSLXNn0!v0{Unvs#Y*dRCF8cYaFks)&`Y5vAR<oN1ox_gf?STCv67D_^ zO_=&H7A4gtT`%viQ6B|7#kt9+MV0^njn8sx$?+I-2K-;8qHc;Q%x_IVd(z#PF)Pp| zvTjL)Zl9V`)`kxYR(vt<@9Wg0k~H#46~JSDLgwFs2G*k0{IikYCaX;5VjXfwH)zW; zBE`O$TVMo4)~@^SA)SPnFwD$+cB-tOjfxXT%<&*}mOqlqIL}i$K?qsK_(=}C2`PEy z`V7W*=G4;~8TKb;IS4Tpgd{R;Lw0NwXO?m&lZx4p+K*S6%v<P<S&KOuTi4Fap@}qX z|H9%!sjW-rvyz{Tv@Nl0zbJk^w}<hBoO8?RKL$>>!@7?o2Ch2?7o!&kA1Q(+eZ1o~ zr4$%L=uh=@)mOIp%8UGgP4WaBMJ4y%hdFUlmX7We-2;4Km$e9PFw;!hdltYQn6=be zFV1xbX|KiN!B&8?VzlBRQ^XZv+*+)#O$(u`A3LPklPBeD-fvuP!`o?3O?KlJX~D2H zCRJ*S8rONbmJGo#1+bPTmerO4*!NqkVj{z$#NJd{t^k9t?-!m{Mnh-svEev^QgdkN z$@^ovtQWzqu-59IZl^d6^4ETW7Hab%mh2C5yYj#m!d|d_*21BQ{no!yp2E_RPcR|( zn0+^d`G8D-@ip%2!ORI}lMy}959aC~m;e5gZMRw^k?&tMRD7H>I49>6qJtSuc0}wi zo33R<JA<fxnq7QMo0*zndzu$FE0MRzaUBy2TpXrYC&6*W4-v~EJ5dFdpGf(S;aX!d zaA*f&we*tmfbZfnupr_G+Qz!`$e9JcYexkb%-P+;WrIVW1SXtZn%Fy;#Ub}?=Pjt& zMq19QH(Bj!eo0fdR<{9LcI3D`*kVTilw4?TGwZXi{Z}X2>AHBYzn81s7is;m$ENYZ z))C4ZFk1UgG2sj}BvDkNK0|Cg4QPP22~GV94Jzs5`7OR<w9W`~gSH9ZNcTHD4-@RI z!#%@)bBulkb3YJbT2s72Ci&Yl0VXicFLfvPGZiT_ln^WCvqWE@@M`4Y%2W5_dShDI z&_w-QifN1SLsjJJ7&O5_P(JD*?=P*j%u{>}!tMUXaJz@vWEJA!eKIfT9)O?b3&Z&) zal*zA6&)z`3DvZ}txh_<>T{ERgK7p8q)BWewq3k_W;ZPNF8pks5E=q+VSI?gZe^|C z9!I)V?7Vq?xKPQwQ29twquv40=nXqN>Eu-@PHn71e(WKnTYheI?AON9b4!OZT%(ge z!FAHde^%J;G&|LYCsY1m-E-qS14dlsVx|c50v3kVv>(rbD~A4??}$Q)NwHA%$?XlS zZ!NPdeRb|E|1i|<J%K(84rAFd=Ff}x7UEvXn|!Nywc?=fFJ1eeCz8+YAoyHUk_!pi zGAA598R79z`hkNqx53JGO+wzqGh$0PR>&zHC}^oi*JRXgnW-P8;1rSs$1IEW$1T&3 zTTQRCY8OONEJ)~F3=YwUtUq010|Z(O8LOz;C7PxN@4|af;C4of>;pttOn5E4*#Naa z=BhP((TOoi^2D+aw-QFmy%;SqO-1nW#i~fA=jk<7oR=!cHKy9p^`KRm&X#;5hi#dJ zgO(inqDf(=Y6&L8s#M@oHztzdbVN?Bfl7MQB2Av-A01em1z=yojz7B|-Tn;?D6|4^ za!h*zY!el@WZi{5f9{WRT5}4pGwI%e4_in&lsSI-&ND2hBj%t&#Z731u=|R1+_cI& zw*U%dgHbU1y}e2zp!lpWM;v{om=S)&B}J6i)k5AS@1S*Y!UGS8sH(CQ)GG#<hU4d` z*<z<{&&8#(fA1`?!BFm}&I)p!HqI#EPglNW@a*YBQG#!Vgp2%{z|r}pqN55b;x9G! zI)T>reghf%J~T<M7B?1RdC5hNQ6KXCk9g-)xjsE(GfKE~;1n78im5vPX$$MHe-9)v z4*o?hpc=Q}+4PW+6_U!yu~kNcn0snGib!v&o8SwSry-#FnG()vRzQ=cS7wV_dAyTX z3h<SJrw1N}TVJnqj3({nh>z-~$=jO|&dPgG5Cxr)uh~PxIE5}-J#>Qe`p@N$kpbh! zjdAo1lII2L_B0)#Ny}*gIz6-3YD#58l}OeXM1wB_At4#hyyuqPN&gzixe^2vx`-=O zUm9OX4)~NKRJ*kMjxGWbR&6VlF0oU98M;#iJ@7D^M<x3k_7T+v=CccHLe#@1`(=%P zH$Lz90is|1osX$1OMHd;EbG6x60C(B!;oW|kjt+Ml<eQ!K8hAj&y-ITCoYWpL<!|4 zv7nuHfCoKEQ^--hBV<Cp!aI#vTrBxlr@)t3<o0?TxPtT#Z7~el(1)n}nyt6|geO?O z`dFeudyeAEz(bY)kWAb~B?qpxlx-rF>MMmrC6zlk%)!q8sas|Pa&OLOu+5MPNXy(B z+Dam_CEs#ZH7*u1V|A}fe{m5&1<?ie>L<f{wSUu_9|_{&LoYC$Z_hM@FG~pQ)kEx> zs>+?{cE_`U=K1GXD`0Jb{M{CDzawX7O3>(F)frjWK~n;Gv7L@ip98>dwDi&p{H?~9 z&{bHcXQy>zaZ9nv=cvTxvYNhu_tKcI$>a5l$=^}xoqV@B8i-bkgQG4^u<a`Hm_I`< z8`Flpwr*x+z$8h7DB<ehZfR|zLt}|-1%jK{GTp8<m<1EhOmReRYI=ItBE}t?#bk5< z-Ck8U=ol`9t7t5Q6eOqLOfj4|_-YuD2nIM#pvZ)mXCWMa-1-N_b<T*;3zh5NEmp}s zk-N}W_>}q1sSK;^86ypk*dqUSt#ITD{bvI2XE>n<XB?A5m|Vr5R3ySOVL}MX%v*4C z;uUv(CH8QXrY}S#v~6Yqvl@NUY{Z3hajozPnXnhr^OkCa{SdosHbSMg)9Q+>q?U_s z9~{$;cGA{AAIGyVw><%3S)}KX(99o|SsNZg9L%bnlNR(~3~`G`@OV02Jg~Zrr5P)S z5bAifGwp%yO(9!pHrEcj7mc2ia+#Rw(VVUBbLP<XV?hY+t^C0%iNIc24SK{GY*cXi zL9JGe%!v8YT#w0fl*fDyxLa7yP`{*~(z@{M)!GHpOx`eGQn5hS8Ba?8Nny~o_8qTs zdxwjX^kN;B=Qj6cP=E5JN%>K={E{S~IxrHgEJd;&<ET(Q-M@>{_8;=4y1C&cfg{%0 zQBb3zl*8!{<N$Cw22v&$B|8E$KKLpTQptpXkBG@lFvL&tQb#FtqQ|a|<_WL*i=yyF zF|L+4(^;qUwKk@qN!K~fuDT0<H~xSQU#(krl6jNqTlHGu#Srkm`&1ghFm8mRYbjz{ zUp0r&WVK=cDz__{;NoF%r^7%+UG!_`fv{^TfI-A&csr>`swE6I4IGHosn=yzb)spW zSOFx9dZxiN%`X(#-zEJm>bvOk_wi*h>QU6@zW8>C-^W58b(bPG>pZ{Bj?OF{d^>e* z^-zscu5BYcOy1kRn0fiN^8M^v#SNoRwuXLAY}zdoit1p0{@BLkDoWCp`_G2R0+383 zL1^F2lE7%p)Hc-QuMrR_JHq&+H@_oirONl^<uiGXsABU=(5qN_1gYrqNj*59HR&>? za%rTD24<>>vZ4h;O?ag7g4x}l`=<B98vR)fs6N16j2Tv*K$SIykLWMV3)NPgjWd;s zY3fki)LTG=yR<gruLaU*7hd`qmdw$0d&MfQ1Fs*Wtgx%@En?eKSth1MZepa(eRqpZ zv4UyjXZ-WgQRaq)PktXY8zwEz0p*90^V=38NTb8WA7WPTR>!}LX}c|kb&9*FS2g{W zhA;N`7C1VI@so5O8C6486DXOh&`}~Q=-#Hoy3t|LIG5t&AI_uiYDnd+$;8_<N})|W zarajod~K#_LQ+>|EzQFK$G?g|tS4~}y0_#eMrfdm#FoB60~!uWF*yG>qey;IpQ8xe z0(xZ`w(Qx*Y}Dfk4^)vT-c3yL(faj~a&j0^NFkUy_ffw_e$b#Db6T6{gKWqiPv4!l zLHHzydb@ERNSUJXOsdKiFMv*y{{tcWP%%b_1un50Gy3?u_+XumC~LB}OBiv|xgxE@ z^hHcCg%@i^F?lF(G%tw0iu5nbvTg$8a*XP+?z!)%)KEOf)Qfi4>jUL1UfHZ@Z*)MV zd%uLcFRI6uSUviifT<djd1E+_IeaxzPq@P5y<#o8f<qw?Go3Z1-ioF{XHkqC|Co-t zZY`j<Pezc8HqB4G^V3kXTc&A?kYJ2k)$$A_1AP~=!=|Lcr{Eg)QS8`q?`RKZiTv#j zc(dN;G`J;2$zAX%-1PDJ8_E2(XCAljpK~5y@N9dFI?MTT#MANgr(JNT6m63L`&;AU zi7q1MR=v{yPr&T{LJsLkgf525pnLe^v*bkomllzhp?zBNU(yaM3&BdJorV3HNUrjm zatU%BYLz<A55m(A!r=x<RYKcf^`?1?-EtY`uPYNAQWz9eGB#&bPZaH}B9tqu)h8GY zYFNcIDYW)>|4W68`i~6H3XNnxt(7t_&J9=z-p~lkvV#F{jsbGtk`K)@`+t_(M=<f5 zE(cMDlyrf^&qsC0zB3W!`?R?G*1>Vl)v>Fx?dKvu)tKjvX&TAA6k_7-wG>Ms+Wk<8 z*t@+9Ut}p=EaO#J+qrN=7TQhQvU6AK4W_g&H)RLvx@zqRQKx55@D4|!*z)gpEZ!_? z(ib&*a9HeRAo)0*nW(SL(ENF*9JozR%Ts1D14>i!^j~bh0QCNiiHxxR@pNC^q=gU! zNORjzM1{9}B!$p&=k;9jC3g%Z*$pY7IcFv$vcS^WOt|h2<wkT*?Vij6@P-g%`1ZgO z^@6CVWrZ9$1)1rm=|vHb;~JOtyv(tp2deu-+(~a66S4YG)G6KwWv7rw6v#BIu-U#E z;=^u&NeT`y#W!NqwpMXaU)=f*Nzms6if=L?ad|0M!W-#Qx%;84(zUp8+1Y5(>k(Cn zdK_Em5&|rWm2r%B=UPP?El()dZM#wHylHOijgs2p=YPq~8tHWlA$4tS&NUW10bXut zu3aywdW8BpU#WSn4k(*@k0P=*QJlF8-KZZ21a>>(d*3rPSawGAkm@CRxfYOHSAmoC z{Pw1UcSYmt7~&&^uQz<Rc76&_H|rk@*92_BpgpyH$6rZly2AT?&v-s_gz(E&AK%kU zz#Ms@HqE>PYY=e#_&<)Ti<aK_mw-IEUDESxn2XDMF-O1ACH?E395=4v?&%s?ET1)q z4H7Q&mE~J-P`h29ERT)yG-Z|?(u`Q(YGo5oQbBhm9INK(<eiqNE((lNw<<U+dxgQg z{rt2SuxmZhwqg2KcY$hhThxLN9y#r*VBbVZ@$_6$lr?06ks1`EvIlbAwsB=)^$5{3 z_6m_D%$*vM{7bq#`L@wX^vFih2~s~N&JsA-SgC*AEvIA&FzQab9`AQ2Tw9`6q6h?- zGc+$0da4m65Rn^>ECdm&YwXEWJK(;lOfyn`$H=x6d&<b_NfLrL*~ip-r%sOSf>KJA zov+RTTmT=xfbhjD+>=#9*rx~noz+3lx2r<(voN=C2pcLeyy|I&Sn@}=sFTaT?i{Is zb~0zpQTfXrptbZ90ePDn;{u*?H}0N@<TvTRJkk@}isN-@S^5u&?o6(%vE3c4k(O_W zOZ?SKhVw2Td29K~vAiVtQZkR!PH()Cbx-5xKVd>*GzO%}`h9L>ukNMOz?jG@75v}@ z_wygeetJa$M(8fJ{Nsz+fQ#Le)ekH0SZy?RLY<>Kyg|mH$Dz7>>n3G&SehnX`kO?j zK?Ou+=ML%ogquHb!5mC_7eEzwaU_hvU8m~&s8m%ay8V&O>ucg&rGHva;MC=3pOh_J zXld7CP3+`PmQT^-K1&0|IuO=Q%I2!qE>XrKMRiuCyS5B}Ebya|-bVbGtm@O`q(^<6 z2Kma1-4Q88b=A%uk|xCN;`7;t>MNkZD!1R2`R%{uou*ZdO64C}#aXK=zMwT83sXeN z?J6I{l4RA5n3Sg8)>8$wHlqY7fosekm@_<1My<xZ2jF1nv}hmFFQ$Ui7*d!z4iqB% z)R>-xyMeW}gxW_jT{k$c&W;DG0nYi`k{dYq3nQ-bd^s=Rd=wK~fRiwr35Gyr#yc@D zO1oZm0?O|uqo!MC-Dz3QAY~?=mYl1}!mdy4j?nd!UBcwTadOY7-)f)Q8$%io2lRXw zV{%7hD(aNY7V(BMSn=lxZAvX5Un1l-H+{vppc4FKP+6~7Zy}UW)3ga4^21>dXX%Ud zxV=KRg^!XWxU%d%n!SDkAlx<ApvD7C2HMxDnw69;X9q&7P!o-4XJlJM5A)^trHL|D zPGsm?D}y<Ju!~U~Nfjl;h1)#RguU^mC83hLenpM=IFH;~?5<Ll>4xs@xR6A?ZrE8H zrD$&+n$)Gc$kpbH>)~QeY4rP`*}6h*WMY3d=qI%CuCXiJ<P8c|HBq@0*;ckc{P~N< zo?xU&^M%^RC`Uek`#Mt%nWEH2tc0s09@Q@SsQngGieAc|r9i@0iRy2qgaMfJ9r5|K zdGMQT7vVo?m^FI@rOFe$c$YKiVmG9O>rv}{Q&OJo#Q-@01x&f`{9JIY_;J?FF5S~q zt+ES3;Vc-99GxtB8qQ{VwB%2^?YXjOMOoM6UU(X4rZ%6lgM}r}PC0hisE$f0F<0rS z!at;9jl5)(Rj#(hEpy~sqs|JmG*`!{D(@&Yc?h&Szk?#{Ge@=q7{4nko$O@(Achq@ zK=?stcO)pEBmd3Ab0&Ht=8ioanx8J#m>VW;P5Q`B?NZoJQI5oyUZc<7mb+U;DS#(e z^n{>GHc4RL7)v+gjr~CK6SF+MR;=&Q$6kI8+7F{~xkxi{XI5mi)f7Yz<!Zia)BE#` z&`x+%qjj8u>U7bg>5^{$sJtu3Qiq`JupVF+0bV47d?P}nwTU+GN-_1f5l1;FHmlK7 zfAEf@ElT;N8`YDWl4?l0IzaN=5n_8P6q`4&w^<Sz>&=-xpyXN4k|I7u8i1i(n)W7s zqs=`U8msF_jEX6T4s%h_c`%0T@WcFbNrcCs>!oV`3CE{tf8)amoP#jAH^KJoZ0kTl zAhu#*c~6N7y0zj})!JAf*v*2N&y+te|3!Ag$=Lwgr#4a8@vbSyI_GB!yK-iA?-pDS zH|kdDW*fBM5mTqb+;7czbg5Q-bcH@fjr2qY1w7wWp7m0s^-r66GLD^6_)Ro@_m)2! zL{nP`?txgvIS;uG8-7z3vaCLb#a?J>nbj9}Now_;9ba){XgIEKkV=Y6)b#15N1-X~ zDUya*+%>zi0(UQ>T+IAUnM$_2SS<)i#`8>11cu3~1Vt<Elfn%{qX2<48jNJ`k{M{F zR)L_z-p|YT+J))NU{$FvVtdzQ#tf8WHyLSg&yCw6WEgv^oU}JBc7^zKGd@*G$15&) zbxwK&u}t!M>!=+Nji%0wDRa!c$U)p1kB}@qGTlX#A?N$YHQxV3_GDB7*qeSUwi?L= zq8_k?Up8zcuM$KltnnPu7i-Dhs-A02&}YEqQ(o}3EtHeJPSj!o<*UX$C&?FR-EM&8 z8Rb>HyEfF=M|t+8imwyRkiwb*0oVHp`o+=X=oYNRA+6EgYO&*M1!ru#Y65?{96kGg zw+oziS$1ytMw~XBXqBtW)l?LcFb0W#H-*nto@ExiRJpMGH$AIG5vt7RffM!}wp)3Y zHGBakw^1SD1;RUUDdg=JQ1QtqkI~9bX-O2{(3cqC+=l4iUr@$!G|)7V3zMjSt0z%6 zambzSkDZDuMcAt%e|91voryf2@!V=xrys{v6oPK*0x17V{N9n@-4QDMJ!sO%pr>AS z>rIXi!nB8DLht4V{VEY!aIVtM&>ctsGCuVxgY)okY?pE}9!OPkZ+WM*efr>K0pmwa z`PG%c0E%^&c#yw5P_R+&`+z%_*QJst4yo!qeiZA@XCZFc;jEzow{dMK3w9NjcZYc` za;Kc~&Zz5|6IJx+OR~uPZ>ZiE7v+>fwx-w6Fs^+l9^d!d2<YN2!K>dk{5%D16QV^- zI;+mu5jNkgWupqGa^Zl(FJ33_aFAE32BXj&xBTye#x)1G&&t&%46|}9hYbOnxe-%Z zc$6l*ByVe3<ZX{jW^LzJX<{MtXUWRFu`5NDy8DVarz)=&vp1U!U2h*2qNtKwH7LpT z)~#ZXJloZSutk!3(&%jb{6cUAEoni{T$2q;4*Ey|Sz9@H?@fArZf2V4EYsYHBkx>I zxi1!W9(uLDHgtJ6M9EoNy$mGpUd*FhOn_URz-353bMvviqFBuf7dJ(YjYrU&5AUn* z1S~~8Gh}$2<na8ES_H5bMYA+|N$nD`n?+~h7^Oz%(=s|Duk7Ff{{sf28t}%5j?#8X zg^BytUERa4y0i(>#!cED>XeNQ&mWCaXoCV&9m&O?J<2SfS?Brf&{Arp_zL!{Q^!$% z^SuS%3_!6}3pYcTnKi#2<W6m(GQ^Dkqy+PWHP+=`_1rvfpPX!>b*eWj3NSysWxY<Q zWUr`pcS89oTFJ!$170DS-N|V4BzTQULrXSXsWH$+^2oKJsbSZobm_3$ar!^q9C}7L zbt5lmAUZd>k8hmzCoak{C;nz*mJG6Ovi7XbB;$q)28Q;GQL>B-y4nknzT3X~ze=KQ zfsd}0_5S9_$o#6t=(LgHkBv=BUub@oWy6u86&hujJ)n=~QEG#M;?#h3(xxS~@?)Rv z4C4lkciL~Jq)9mr*6ru6X)mwbxo}i32~cZ~+p@YoPZEl%DL-`vla-@3+qlc8)~ZWZ z7)9O#6#a{0;L;LS*XKa)bb!{R>?P;~f`2DCHKvqdnwPMJ92J?<&@39zQ`LqR#+Fjb zjHl$ylZqa%c6o{duiU|L_Z)^x4<f^T#0Fjw;zr3lVKO1wBJ~O+Vre^Drl4$ZNi6&* zHLqVqHyuasaLs-fKcP6D?mxq^d<NG%MzQ>}V<D~q$*^eUmP%6QV(;L?sTsW8It_5$ zVFxDOWtAxZ94}^6f_{}~{jFE4Y=%2)FvzRv+}}oFUwn|g&(s~Z=bpKsxbzfGZ8WE; zmxZ@zv?&%+5j96D2BAGFXX%kg>UY)=`aRSZ*cx$nbKXLHMD^H*N+vm2t)Sc2>@wWs zbJnT=Z`oKLKl)<?neoWwbc8+P@z)l|2NR$zgE*wy;WHzZhLOO7GR`ArDC&{m9l|b2 zSJ4I>07r^cB}02q&N?muJ}O;BsuBO_C_lE;0MGncno+A5dhLd^P>*A5q(*fqN~#rv zcbOC?sOhhFP%Y9P9oi>grusbfz45n2CF)45Ndm;$q1v#MCQ+1)mR~iim)247z92_O zu-nkY+qtF_Nw1K#e2;w3O+c_?qkb3!^nM)m2v_XLmr1`Fypp+g<Z(P-)Ux;OEApf* zzD7p#<V@yJ+<+>qxB4KktSQ?w>IX(RO}U+ZOOP<7=3Sq;LtNPg%C8>r!Zj)Po5MSc zw&wW4Wg0bm9FATO@)I4Ou6r|fL11i{!BdZCVD`Aa1v7Wz*r2CT%zBFK%D+J%nFCul z-*d;AG54r7o5>zPL~KV`KFRIMbpcV5&6;Qy|ILja+*`&KhevQF({RMLY6ZXM@t{~o zhG`hiOxl>bL8>gso;`9Z5oyp+`NbW=>>9N~U{@h53Z6OCN-{!F*^R9EH>Xcpsz_xB zDDcf=5~f-9Q<&P(v=ZM-Hb+?RPh}|+>k)*PtOd%>o3HsqHbqqN1__6Lt!jc|&JsVd zy6gB0sNn;YMPsV}Dnu)KY|V1C3qH2A-(P|y{ctFK)T3F2OnBNAgMTD|6#{wVxVteF zoIkZO(Cl|t5~a*C+OGwhn$;`1Mk_fPYkKVvr`x*}?Y?IQZgaMNmq>?b7u08^7p{tf z9ep6Gf$~f}4A@@5enW<oqB>`XlQBA(y;;m9Gcbr7`sWp4m|1AmvNDkD`&k%T48uc- zYz9uL_<8YU4z<N?C~*>^UQ|F>U)RK2IW^|&j_*Na?J>lCI<iL0uys%5zf&GQzy~Wd z3l_F}^&=Zq&kjtWeR4)tWD_i})x)UHea%?W$;`Px75Uu?#hBj4e9p3P)o+fHlZ%!I z!rxojQZ;8&i?GcwSYjXhkJJl>Dh5lLi<LSP-VIoThcTWiiKN?2KI)`*?MxD`MZN-P z5L`_)hiYXF^h7}^FFw?6BuO_mpcVUV432Gc#;&2qqmoCe!=sc>kYyF!ERPHaWs7Uq zb?(9;4OFWj-C7@7ROYC3m*`aF139OHm#NFl%$DDJ@;G47%Yv0v4*<m&nF02RKFeWH z<5O}qL#Yn-AHoMv@>E8RTG?|RYAVKm*^(aX&}T0`DeDPGiMcQbCIz07#9}s~^zK0u z5aE{UU>BZbmR2<{^;zW21&A%RQwpIQ?BjskeWNH<_6{Fg%-S@Y@^|2yHCIXbO|lhG z=z8I{O;-w<2Rh;Opy?-6F$3~vkJk?mwhs4{z-H9s;E~n17Mqb_Su9*7bwJlwm^uEr zaqSg9eUYgbK7}((a`2wdm_a3UEAYOW3&c6*U+1Yrn(E|$s*GSw9Jje_rZ5+k9jj8q z`4AvsPXY5)?4DKsVSgu*0H#xGxF9sQow|G$k`DmNK4%qjtrMf}+J?kLIPC4=cAGn) z#*nrltKg;FBkbd;Z*9-@zyVper|i(cNz$XN?!PY?bE;b$%KFCzsje<$bG(k6?Q}JY zncL0wA|9L3fp*UJ%J|%s!{@#Yis!!VM~X3v8ZMfA{)2Mr0P8v+@f#cKBJas?m!0~h z=FaP-ki3g#J3%Hu1x4bO|6}r2&UJ~*CETJWzu~-b;2Jlv26DTn!L9?{plTtcJ)azc zpGzx79yY)r5`B#2_P5C9TXZ2LH5h0(B|bXQX{X9{yGk`Lukxw5CQKeU8eJEcHYDt# z%FKC<5`0t^y`bz;Amlo_Sodv`fB2y|8NLt1yDq`KBBl1ib*ezVXFHwi3vg?bH~4f3 z&;(xY?AErd6=oKEax!CQ&Cq%4zSpSqZYAO*TXPXBkXMG#7;sV*q|~}8Mw@1nOe!qI z9kfdu4jkvs4|WO^qj6M*FW*N^c!!|fqU#c0oC{wLJPP07szBi)+}(5gwyHz%%A4rH zKEUB<KsOk>CfQT31DSTxdXsbN7&L(9?2!<=$}yvPXop}TYt*X{O@0+~kReRmW!cB; z7^0V1R7x2Pzt_3_2zQRB;}6S#AK?>t1;f2|3v0*l{0QfT{oBfj`7Mh`E*gJ{lAoTF zs3yt)9R=#`b)6dRgHTb?N#b1aHTRw~E@V~n#@-(9q&FROj(7*ye;`%-Ix+v^6KG1@ zUneNKbj_+v%!T6P)$!vHsfyqtzP&#i9Mxvf%&T)6H$iWOnM7YXBVcRrq)zDKma;{1 zEiJgNAz4mQQNK-FP&t~FPjj(%Z*wrL6k+ujBjRK&SJ;`XFj-SudEl9AYWs6)Ip(9g zgDYDoPguLd<AT)uN$H>Kg{wy5`tPdB2r?)J%>AwN;dQF*7F53!M*Nktb@SGI%E>ro zw49JlF{v(P{n9clIUI&x>NGmxo9MtDX#^mV|K@5<Tikd=k|Z4dyvD3JMIQ;9-Gf0* zPfnFQvQ;@@AYHDLm+U83knQn%{Bgh6m`*-w*mz3bJm$<yWJP4@*Xlj_q7`?i?2U7X z;C(MFETog>%MoqG$citR&;l>c=d0^(&A;#s?mAibVkc{aP1yd{+@;c6-@hW%J<#aE zyVvHNf0^=a)y!cGM)?IhLk-Q9%X<E<Fzs2Nya^+k4Y8dcl*CW=PnNvAx&?Wcm6R1? zfC;)h@Vtg38gJ_}Y*(3S#w;_|Rjw@(F!bs%UX--*i+2alhVAW?4jaZZ<Es#el~*PV zp=ZA8GMgM44l9!C))gd$|Ik*(Ap5AF_5qn)yxpXO6qYDnt)UyXzFoWm&ryHYwFpX> zd6ImvoZtV<l#txu-^x~wXvFFJ1*L4O$p(3d2ZGs+?+I}(*6avoC)UG0=MUAg;fE=C zJ2cUv%uM8N&7I^7CxsNaP4(h5_um!2u}e0*EGN28fVe0{kotQ0v81qWTY*C<&v|Rl znxYf-DQHESE<c7$ThiUf+b-5a3+!$zauwU5e(52$6X&h#e6!MjYr<wN;~lBVL>&2T z5$WyzUX9c|MWJsPj^hN9UvnpW!t=w4EUU+i=5=Ssnx}khNUDHe!lf)CUcXETfXA~L z#}Hr7^W1MgVO|_fG8g&OuZ0!dI*aMf7|mQBB(auSA7JS<x7%3Ec)2E8iV0U)@+1)v z(cgY-@VE;ed$=P~m3OX8lKOCc2u@4m-tk*IlJZYqtr;Rkb4az+`X(>gog>wtY5>F* ztep}HugG=<bdMnti%V?~spn*6ek$%r&yAv*Q7*}3+i+lh`Qn%)vNohdYbFPmCo7xd zq-msP<RG|C8Zzc}_-~ipV6ND!$Q;<7W{h7&)kv%jc9Vy27SPeYwrY6>r<m0jFtd#J zTZhL%e~8Y1G6U<97Cr{m)QZkRI1~>Q=V^j>cQq|K3sm)qIy4NYxv`!L)5G7SrO_9n z-%{w;43+O1cdg{Znt7u?19|4tmx3*=IChH~LBH7how{y1O1l{73SN{BGtIY_Q9?;y z7s};}`KOg`*$0<2hBR;sKU$+%ck;C*p65_l_Zv3xVc(3z89zaRA$Erx-$C&C^RBwL zNL{n}cVcA2S+$;LDXAIM5CNr98#akE*yB1<yoyUR+RuT=d1sliw*EoFSQ+2@^@pgX z=LDU(7k}@qXD-VRMFaU1B(jfuC-N&!UUNx%WjnA1tr`q=P?vN}6h<aYra^1E8`}TY zU_0f)LjcrV(_1Q1CSeEsZqe=TRO7h+yU^TK5Mwg5*4!0Uk-T#UW0K&ePVWuq><|yU zYX*mq$joCT;4(q)s6Dx!Hk<INaU}J1?ftgQyRa`G*iI`(W4#)&4qQOyTbB!HWOK#` zdSEL8v^i>9!_bI&yeT!}Ch?mDEKcppRgqubVtSXAS6)$5_|yndc*mYh<dm24y|e<C z6N6UbH5+ogYy-!gf8_5jS#u0zc4^jBDH*byd|OJTZcC8a_;6_~w`MZiI=KMII4)h- zO@@Y4nf_*u%5V?j;S!55bd8mj+~i@@YoF>s?$kDMzx0T*Qn~q7F?>9GZ=XroRIZA; z)hnyfhaLAE6;HP(O|!<Y?p*2e>Z6s{#i&*nlE1#=1;s)@)~|uOVl8l=^fj=UyvDQ@ zSJz8OwPm3Cpy|MM;<1GzO{t)uuBon-PAocqaXA|<Ox|Y155FL-z-=>4<R{0rDpxy8 zC}h|wiyp>uGhI>0&aIrYz$$;kJT9k3{?(1M>5Cqk&&}kfsUz)Askqd}XcDfhYvzz) zql}BfMSTs<d~!ZjBg@${VplwF13Fu`;ugrQ%h5?-lC6(E)RX0Yb%#BCa$BxB>?$Hk z=E8G;y=^~lPi);27Ihb;krrT#gV&SY$8ECN77c9OIBP1s2S&*bMGzlDl_Z!2bKK;S z=V;p;4I{1i+giaV(L1HaciB$-65q?Q>w+h}HkL#1^RebcV&hU4z`#+6q+L{+^5Ub7 z*-JXCLvERQif3ApdjazoUb}Kd{n*&gG1%k64nn^}lpud<wCo=bavnel0nbm`$bQ|L zDs7PaMVev%bT^z5A_1rX&PIQBrGTM#1fB}Dn`*Z(+<(s(k-QG~Qp0${x#+FVCFh>d zJq367ZCUTs-*PzLSbV(}2jW)1UYE|GKg=zS;|b$|vbutX9xw>TZomd)fUGask-%K& zR;;h$o)JAw7UY+(S&1X!S}4Ctr$oelDOjDDhquMVg*MIgbA$z1i`XLhX@1wZefzOc zuWK{W-I>M~Enqy|T^K2%oPqBS!(fOpW_rsQJiLw~dHV=Ru5m+`j4*pEm8dj+Jj<AN zv&0?C!@v6#)#kTM$)O#wY+lpQcanHXNz=#jYXuseVG7D7Vhwm2GGg+USkY*0kltqX zpAGY6ZO!}(9x`yg&%ogjwbVC2<A|)DyNi2{O8UGoK!;W{y4bK!-;~#0Oj<oOjOE|j z&JPj-xM&OOVW|a&`RwY{w}hId4YIrD)f+JLDc1Hr10{N@*h*A-sB~pY3ggM)Xi7oV zSNOn5w_o_$n+K_0W;&2f%cHOU?t-Wzsx9uKc@lZU9qs7aOmn!a2|@4bPYZ0Jq$hl+ zJ4R!$G0<=(bl(q4NqY5Cd9iaOgiy^#Gm+1gsF}T6R(sdmEy}B)BLh!yb0-l|WqUN^ z`zSHHwB0YVIHY*;$_!;c-(Lk{(eKR#t~-&96uFx^d^s0gNiYj(_^laT!=R#P->^`y z0Fxo~5|Q9CA6IPaW~JKVVyZ8CbTT@J*|ZCcY5vVEoF!hZG?P6ArJg=-QOU3Y9bX-3 zl1SUiSt+uW_#01uq@6soWsQ&q7KkozUFT%!I`cQ#KSE3C)~I1vFE+NAJ-={$e0H^7 zS$J1fLLvR;lyy$_vsmAE_TP**n1=7yOyonR13HP#xUpgUXe2<fSzy2~cPpkc#@tVL z>1&A93kgSKH4z0x@?US3kG|Mh?~UHy*1m-SQqa{0Z#Y#qr~X_N4IMqWz=C+A`hUkq ze8%Mk8aWZRJvrWHyo?2(PyOwm2kJ%-1$Z<0wQav<?(z^sHY``9+%CM*TI`{+OAW42 zQ0@Qyg#CD)J}ji@w(G;c@h0tVR*?1G+az*tC9K)~visE03NnwpKR0R~b;{-TRxo^r zJe`MbI_`(6+`mTNvP1Ui5nQTldf`-a?_^tbq2;7S%jr94=rA?ot}!$~oS0~w_yFSs zXTSEIB)7!He5^e(67^HjJb=H0HKTf^akxL_e6=eZj`MbCQEwLw3Q4gFiwl*ty;Gj+ zSdsP6UBQSP9dY+UWq>q7)`N_)5+{_D=cEI`e9?ilLRWVf5!FqQr8`6EcYOgsQN8OC zT)J%z@wP9<%`XNt1h@fZ3f!=LYUig!_b*Tb72ehj(>fW%=%i7x0wwEABl31G>+2;g zGS15$<*4bip)*K}^Os!cK9Cl~U3Bh2=d8p-<{?=7dYseUG5#K1n#A`Vl8S8SH1tOo z5&r)Y8~cb;9WU};W~HW0hBZ#<;VK{Uq2x>)_CNI#XpFTrLR#fmcg1P4h#vo>kB9ny z(}&nZn6x}|v1z=ravj|#ML*gtln(^R8>1pb%WS1n4Ajz`WLJ){lCxtTQruR`LM2s? z^J|AxOB;%-FiH0@3`@^(tIY!K|L71<U1y6pSUzkPtp$@LmW#SfNuC4!Iqc2AQgkF* zp%DPVuY6v4X&1uG(m0G7r|bRFV-<T?=qFL*fsBCsA_kLnT=u58XQN9pB=f$}n&y5( zNxthO`*$GE^t8V<&mbKa7$g^@KnjY)r9dQaK`bdQ(k;3}jMRV7S??xkytc&y8As@M zxF7?m-um3TcSbuG-U{d_;FuVa@dvnwp4;6u?+-EmVXbzTc(NWwI1#8~Np@dgL+<(* zDATtSS@e$XnOD=&>kiqYDhy7^ae8<>1b?x?)=~O2tmysCRiUd){h$lz3rMR_;4w{6 zb9eionjNr-ES)i>e+-0_6PGJwYlAJg`Q^Co+@4PV(9Xgn@{4H=L4fCH3x>;WF`2^w z96a7@^{X-{4;#F&)UOPOPTkQ&@W{I&qB*{^$|V(N_$h3yRlH(lDxEhx6u_i4<U%r> zba_xM(U4ea49(0)KGvhnsF6AiN=7RwdF6;bw|@f=Mx|(SqUiUA^NSpsN?M2JGUNO; z(G8t@0GeO`G<Du5><mH<|Awp7R!2f1uPh9$-cFRi*W<gOnI%k*c*_&w(_S69nbT3c z1fih9NM-GtG@jj1WDEWNd_&c!DTol^WH@w$_U<ALk4p&U=^hF%qWWS%_>D|BuA4yw zRqzf>H>^fqAE_BWI!49=yCQ+zMF%JEZx{U4)1ns8q8f40htLHWV5p!66A69Pb^+;y z&C2P3s1$<7<MaV;*T(sz0ZHwOy|!2#YSQJeunULS34*^Fx@YxQBblZy7TTN<SCtat z8~))-^idKU<oD*@71zmOHxGq&KcVMN+V(G9rtdl@AX-~$=9`dOAZPC=uKG2_x)6<D zZdcC>qG>W}tQBAF?{>t!?J>%!jBVEIjSIDKLtE}oE%X^kHRz(Vgm%I%Y3OMfN|&c* z0xeXlM%W$z5)i|S)J6_#>4q1BW+U4Ajh<6f7cxfGnsHVc8%2Z{Y&6gvm$bJ<b~zo? zNZ$8Ut2w$6&uh(6io+BEWjD|6n%|{MzGz7rCNhHveSN-6N}|ubXG}`5LVMf;(e<K4 zilLKhDqooO-%k=ds04CD{b#uoxuv>iN37J(C&#X(ibe?XCisY8kC~f8MS%LsK)zcr z13<JZWc3G5QIjwv^(2H56?1Fix;a@rKRpbuAcaR@GGTD&3NEts(4V$rZFbGMf{W<@ zi#seiB^0kJ&3zj|E!wCN_Q4$Yz?&3ZS39sG@-#!~&|Du*S*d70Ym6@;OYG_xIL^}F z9tA3^8>&@GPRm12!8zn_vqe?KrzY--U&e43je57p%tS-h;GCxCoV#)zNz|BdKuza@ ziz&Jl=3nWAzfC~|N7p2qNLPAn!>c9^a$twVHRKHqO?a1o19;u+Vs+vr`gWnvF=KEI zY3?fmTNnnuHg?~<YN9GIC-$df8+IN0Gdo$c9P7)tvcys8<bRu+9;nnytaK%9(ov2Q z=|DnI=U3ZKn%JrC>@dW}-7ot~s`2Lpmhf_X#NL1Dv=;9UeM2fpgMy&}0Rce)?YopH z2}B5vUj59@fq{V7fbf8f4V(=aEo_Y~j7*#u9YkeWgq$r6l<njV#aP+pWW`*ZOwAaX z{&RteJEI=6g(HKNv5l$<G!Q7@UyA;JhKoBa5HQ%|&+Y#El!oqHQifgS%<RlGO9PDf zybN`vi&VYjERDS^K;j4x*jZxdv<6ph8Qb>C+wxugopn4`5WfOuLsBzr{OIV&N>5+! zMh_4$Qs(&$_7rP&paL@~l?~j$#tA^P2M~~c%XVxbryDM{+p0iMWWu*%ZB+S?ep(HZ zALkO(C~T8-8f*y<W~d7SVC35cw?Gd#QOE&Z%mi};0j@GL1SB-BU4&WEgBmKrRmten zHyjx0H&q*H4G%%iBA)>*u7MBiVF9p-o2pyk>e%0AMUEmSCXn#UD*gb>J|ID;yx4=s zjQIXAzk;ho_c}zaPyqdJZ6AMX`@u#SgbxJ-ghurLsja0kgORDze{1XeQ`i5D|5MvZ zO&x1oQG)G^&4KEq##8Y<HR?qJ^s(6iK)dV3%Sj4H{@=eLr7<l9GfvH0@c%5Yk6f2+ z{-Uu{#>b-K(St<9K?Wl+_WU>;fT0zHgeB1No{90@9<FwkR5o+o^wEQz5yfAoFQPl! zZ`Wc~q*u*9rzbwX2wA%`R$o`{RjJ!f^^5+T0ssV@W2|DL>Xc|&$UCcbhtKLoH;b2X zUzeTVai1pdrUr<AmU&Mqy=x3otA3pfuIIis_vEtvE-8sPBT|;VX0#+<<oQ#vb^+|t zRP<#xH93j&IVt1kJV$lb^p6lk;o>*o7uW$YV6V%IVrQEjieAE?@z*_Rl#FgK7BizH zg<J3XzIt*gNk?fl)08pHR)ARU%*LjlC*Kgcu(m_wC|gG-a3tdiH^VsrI)(Ud3<Q<$ z*QUVF44#7Z<_VlyH>=<-D!<<)&Maf1ubp{jpDszAc}QlLFUd&yruO^V;EtZN6;b<? zfFzXjf)+bOS-H4a)?%g(t7_91Kw61dc*in}v-fi{y*}!#e~EG8Z&k(uSZM*p8LW9s z@XhkClPPkoI=MrYlW`AO!Lk!@*-5QTLkzjV+RDHATCer_m^S^|&>X*Ut-q1`+@K;( ztjzHmfp?chquc8pxEXl6H5ui+b9Ua4b;0ni#s<WJCH#iHdqhFB<8EjZG1Kn%3e}-( zk!Wa%8}C(aga6XDK139jlZy?DC1zNAlBGyxV<|RT8;~X7tD+dSi^-F*oJrLR-oF;6 z#1MVRaSj;@H;s6OVa|Ud^i~eKBQq%}(pwNW{5}7*Z%Y`j#uj`dP8?kTT!o+f?Nn1W zBR;Ui6D$ZFq%2JFxw<bJB1lZNBua@NAhz-OB-rU!^xK~HTrq=mM_M_j%%<CL)!Gs* zO<pF^pEQo&JzonNpB9e>Eg3QvGZw!)<EipYe*Ho#!Y|^!&hgejxsLeVcXESb1ABaO zcqqips1@rHyiPpyJ*4@_NNu;USWOC0>4^oz<YakdQ3OV%55~l-^jX%54etn&Js4_K zY?|fdWz$1;Xly7V7dMhoW=xVMcce7hl08B|{%33sqZ61aWwhu|9_2ik@oJ=n)fs{i zk1)C$)MC7B_Ou{K5o=^wGCid#KOY|J)JdktuaM}UP~cvODnJJ#Hd~s~an#vcT}(hq zhpMS6#mw41^Uv%m`d;3n$lR}Dj;aitTHsei0^C?tQ-6{_ViwxUrK%K?mH>YQhf;Tb z0A)lY&B=@+BG9^pi!jg&ayftR!8Wl<zssH9F~#?KZswuKaB4efhxRqldWc=e#Wsz~ zEz40H6zhZ{`$ds%O|n$5ai@H#EkO6yxr%UsYKS@?hgfzkQ*YQktFcuwNvAM@d!S$A zQNKN#yq;ld&1ixjAMbNpz8bPx5ky_m8KCtCf~1e6E%3(FYz^6h;;-Hflb#SAvU@rs zY^tT`O<9Sk4jZ|5Z1tp1zz*#dRtb;+hK}f!yC1jns}ag|s@UyZie|rm(!O$}!&Arb zLcupa-z5jRJXXkiijrsnp~GSsFTxwjxJL#+(-5&4@Qs;d&4DS7p-GXKHJqNT{dPVG zWaaIk<QI+&z4c{6esOB($eFY$6Wh*|Kx85~lShE|+1gp#h;sH%OXv@8Mn~MJ0mbn; zymOaio492hfqaWCsjW|6pZ@^N6!R#JoD25U>4QMOd<)19L`1^~{6Tg@pU<tvbUTx5 z)}42fvt30o8W=}UQ1nYCOX(haP&Di<(fGlJebAM^0<BTtG?ZVi1(MDQgd@u1>*~Y- zE`yA++?ILb)=U6&(E2gz(E26Bn`@G@%AE-Z0mqHd4fbpN_dYI%j}4r)ncd03;P(~l z3E>LvI@`-8-S|Sr2UpKd8}10aU8j7;fwqpLL8hZqnWU$U{-2SsRQrlwzh%AxMg=Gs zn{iJL|A(`$3aTUM!o=M*xVr`o?r?E;ch}(VT-+f*fCT4W+}%QO3-0djF3bP#!`43R zR_)f*JWNm5obKtV>F?NgesLjAzFoZwd*KVU19`sXnEGAr3H*qNZBAk|!GpCH-<Q5{ zz`$f9&SlTUuNQYke8X^)d02Y+w~=xPCm5wvWhwQ?Jl}<g#7dFq$2;DaUFWeAWk<if z@b-Ux8NHe6<7k|AN^AFd-dBzCw+{Wi@gr$Jp`RPX(0DUg%ELo2m^XuR7f?xweJ-11 z$BSYbJ+kUYVwKe~_Z^9V^^7w!e|4#;aLz|3fBda8o7giYQ<Wxhr3$|(&5dYYBzQ6F zDwAt@FaN{qiW?X+JLSfRpv8$Y?yNBuI?vKVw=7(z54<t-L?~Rwp=&&9SpzjA)p*QE z+Elpz$5qJeYZFrMr@zBM;I6Saz%t?WBU#f>ISRWg`ZPpYj4m>E_QIBEarWMGNPUq4 z?S9|ytV`+Xu-qddrqNS#hABDVxlNN~TXe~5MARA>xG>dbIy0?^YWP>#_PaHTx?wjc z$5y=%ItvxdzYBP)ur)7@G^^%Z%}s3$nea80aSsE3GT2?WMiUF3Hx}mFVLe=*n#uai z1YGX5heI)m-!PSh)mVxFsJnM39R=<WN<Wr1^&ARxYV<3p{|0U1uBt{0B!^GL{J9NQ zKNZI^65VDO62@z<p#~=YUTfq^6He%PM@rc46~@Y!3~fnYg^V`YlAXQ7;48I+KTVNz zie-h6dxe07C4lWj2COO_)5s-x&(G-mKIrl<L&Qv#2Dgh|)V<u>S3BLE^4q<c7TlTA zF0FoRc1fuHE^oool9JO9v24`ykA~N}-);&v^LzB+Jh{#FbPkJIf>9NTHOqO`F|YC4 zF^$)ABHaddAk6;`MXdByC#yd(Sso$;1ke97%(F8${>p0Q^gn^#{|Ss}jm!13V<>ro z=M5J=JXEJrf0fpS0`n}yV8nXEyitE=+0{DQacJTzZ!e`zZm;E_Z;IuM`Xl~ZY>OR< zA!X)@x@XV2$a$jW9DbIV`m&*905mCXJ(3`AqExmM2iTfE9}m~%@3WCP8_k~|&>gA; z1lxYIO6Ib9ey)}K-u_E%67}f(h8(h!L38Ne)pUOD?`oc))l%%qn@O8gwe|tCy(oi5 zf>0z|R<3?4x?c@!g>J%+mix$HNm+c~rky&bPk<-pyt|j*<Pj48%Av}7OY|nN89tkI zLUr&~zmQ=1OR_Ry{F&;?Sp9>gXQQ~hsMc;5frlYTt{|JxtjfC#zFVh+1OEX-5-WH| zX5ZrH<uA2E!TM|$Nd)s*P4VYz8+`lQSe}9i3BIpOx?37pjWrqgGL3%Uu!IZ_uk~#B z9gC(Y<|RHvUAfeqM2I|(!oR%D>V5EJSox{($xI2S%f;d9mB?x{E<WLXc>k8DqON7X zQD;xU_G#Q!nLiH(t@ZhKF<)~*HPVzIu{^VLdR0d$h(aK=nPT63lf{1<%=~k<eRl)T zoYgAO?G63EK9B!s0r$Z%c3e^r5Rgv)KS=ezT7bp>O$#V~gVoVod3Z}qY@9Dqz`%iS z7pQ5+&}Y_gIE6xnb&yiU)W?Jo6NNlVkxoX#Zf_U(2VULa`($7vznFY@5}C~R_(w(e zu=SI3&_Dj`!r6E8TGP8Np89>A@uTIXG2f865!|qfOt!36x6QG1&fm{=dVii;i{3i^ zW#s$|YTM%#jEPtC=s_q$(tvgkb_+hH+Y3PwmHLJC3t0p1HkdJ3*aTu0!Vct&in19D zK`jbB1=9fG*n?39%LSheaTfvy5`ZIwiVq$Tb^L`kg;It*3(XHv89XoQ_lsl-ksWRs z!Z9R46!{m;6!IaGJM=SzP)MMt@h^cX=tER@xHgEe;P)N~lW*)WUyx9s;h<=H5PERF zpv1v22VVvAu_Jy#j)SI!#tx3|u`xkmM`DLAflv==?LiT}n;nN{4$<u)HsPs(_<^nf zT>{Mn$<*@+HZq`@f;D^8ObBYe=s+>U;6Z{R^-ZvA2x_2DL%4hNOz1Wd9N;}6^g|qb z@OmJ1;49#HAc!F8OxSABzagAL{S5ij6SxVn33Up04-pki)#JMPWfRRCQU+4H2lWz0 z5W<-p;~V5pm{3TO9x?<-s9<$bj7{iAsNbT@7?6@sS3S1mZ~%ycU>kBY1n9mH$xRd& zJOI2}hypn(04gN}g&g)9yal9oumL&x5c~u*e(<O$PZG2NEGtxIuzio=CWQ-G3*ssi zDMWLKK#$NSzYDZCOb7I5Ik^z!9_vlyOE_<2e`sL{vXIOkrcLh4FWyjsuz8S^A^4(@ zm)MWcuTbx>NFhP9Y(}qeUC<&uBO$iIwxQ|p*d|y%(7r(LnBev_^fdG`hH65AQA&_Y z;I&{Y@N_h5>`WSa?SkiEz|d9*S|no#3S?st6$CmGHPR-Ey~m+*(DrEaUn&rFkZYbz zP<!-38zJqH=V2?Tbm(fTOh|g-dilc|q3luTQ7cGv{A$ikgnE3#?qG-@=HV;wbwp~q zOx}9oLbHNVp*UfQP<UV*xE295swU<=kzw%=oX|u_JSYy#Klm15Y8Xtgduc-y;fUaQ zNF5k|z%Fvt9GQIY-49`bsfWpdZTjLMya-i8V^ZI{AIt)k1IdH!K=T9j2g{;bjit%G z3AjfqtP)ZmtqE!jZ47CQ(1B^us)og6rDs0O5#l?9K5`S<7^VZ&B5lo?$xF|D7zxC8 zs1;aG1PAm*qnbY^6DIAwXrX5iD~S7u`$+q6p2TC&r(b^XE~>J7v9qz`*HD=VoAjEz zn?Ra~nRJ=Z^@#T<g}{bJgyzEBKqEuP!o)(!!^A?y!pcL%LdU|(Lm<P)Lde6#!U>>e zpk}~lAZH+Ez-Az2z<I)*GV35M^3@R6xYwZ6+?Xu%vW6JKwIh1MGLxO+Eo#=-oACCq z1{=b(quxWDQY@0xw3|HioQHM7_`%&1pW-fJ*OZ#D^^k@L!TF)y!=5rNveh`7Z1ieW zJI=|sL7dVp($!3wko5?Mc0&3g-=m!heS<#OT;3$iCZY%`59Bof5N7Kw^Y4vlm+6$( zRT<$1gn{NzzzbzdZHkjdoiDd%3qd`isbVEz2jj*yF8{V^wC3eAS&VC^t>*0X1zx!A z7b?A$_d5J0*8^VAi3QykX(%}upWPK44E)8-)ULDY57-Pk+@Iv$=j<1pSN-o_|Bh-` zZ*&Aay#E<g&hM_#ZH%*9DA%tJ42z5><h5O{@QKZ+)I%rWcX$LQ7mi6M5(qeTJcUQ6 zGSez&@jJFXJMlQIHu%K;nRiU6a*|mSO7QU|dAPq4a-E(O+0-ymaRJ!qc-!guN?U1p zDmmpHI|aSnyeMyV`@eq#_)A6I1+DJIWo6V`O=f|G4{I*5WIPVeJ73UAg?(Rl%b&fw zKIk7AHc}ULpNGMgpWc*u?Q5sqoHyf1%PTRbjav1)4m`5#XUH_cwr#q*dB;0wwY-_? zjYCLT5;-BPJM5Jb$M$=YI04V&)nfZ*4tUTzDo6@)K_k=ip6C?41+4`lvqzIGJi_E7 zR2!-q#R%2_e-*+2y@S}>$0gtrX%n{>9Lft*4R1u&LF>(OX}1}<3DU2ET!&ai=-~0D zy5!&V=p_nkhINKq$Lc`!#=b1sJnPX9X@+w~Uq|WS^M-dZzs%b->}?NufVe<dN9@4& zw!UQD?Cfn1dw?WESSMS>S%vY3cr>{b+YIP^2|<S>gBHf~$7<nwgmFQ>blu$Pr3=jo zNrWRq6h`u=e`LSh+NA2S4x5B&hRKH&Ch$jkB)&Y_<m@>JRff%n6Gr!Ecoe^s+8ph{ z4`YLDjyx_N#1CeJZ-z34>_YSxdW3V)cM-Tu-{jc@_h^SX!!*MiLw6DQvpn)&vTU~Z zHiun6Y`~sFbm97=KPtJ<xmaI1ZYFH{^*)5OhmpZ~L3%-Npa(*%Lcb!kFg>bXhHXam zB!;{Mzl8dQ`h}3eKfs|wqQjs=p~Im=h`^r1pQ8sty;6JAdw=m3^rrU4@rLq7@n-fW z_WtG#<4x(!^=NxZeMx+2aQS_+d~<lyx@R)9H25H-G^8{vAAS;Q60RE}4>Aui5cQS+ z(ecv%61>^m!xm}`)eRj8{Yv|2csaVM-9r{4@|o-L4)e<Jh<xd{`Os?|A_5(R_D=W; z`6zJ-b?Lmh(Hj&T1oeUP4*5#;NOak}dC{YpA1cz@9UKJv0s9-3f}9$G1p%&?!kwIp zT*Em$XpS)R1NxoF;LejioE}~kR~%m)y?{f~2Z)3*M-CD_l=vd55ncvkil7Q#z%Pjk z^u^$&uoIh&U=Ou{P$eo5mQ)8?VW3hFig88SK>foj;FClKdSX;kEQ>Zo*&zNyDu9-x z15RLcQuvDAh95%zLoE=HWJ53qCSU|mw28V$ut$7B`HE!rrQZdC6NrgHMWH|rCw3cl zi2fDAjJ)3lNP!_i!Awpo{zF0`@(09MI5XycYM?8|4n>J5bFdCVErJ<ZzX31{BLhR7 zqC`v~>eF=(V@BHV5B!T!Pi`eq5ndBg6QP4ti_%AGhTCrk<i;4K&=Oq~(-G5=aEMw& zsf9Iz@8>~~0mftGkk5-(gz2EyLYmQqL-%VT&;cbd{3!0lh$9zKYvH%a`&kjJ5%7U; z81Uo?qAlV-!!JX>p>4r$p>9FDqV!?+p>ETM3xvami-fcFBLX3S03bWi1xODh2Y$w- z0@X1>F#cgsVEo1?rNAP`qA(*jqu3_jrkEz55d9eehya8FA^}l=kZ<tGkgkZ7_>}0| z9Q{5(WDI-?4vISRDp3oGUC~_$gQynBD~N5@ej#8KMl;2^=xS68k}K*qX1^j(AETOL zUDQ9+8~qCM(_oJb9K=v2&l496dqlXx+Q#j-1~y|{kiUmKqF%vo6ZL;uSnOZu`q?~? z=>kP@M9YlUjd4`TJ(yV!WaKh*Jj9gw9*omjG$*?4D&F)(UK5|ISS5;M9EbUJ)MSWN zHJ`Bf#XXv7M%KcjXuu@t#^YHknoZ|_xgV;rx@=sJu6>KrfR86F6Pb)xAoH{faeJBM z40>1h;$ypqZl*v27S)1=Oks^V^QY=5aANyzFNjR`XlE{O<+ZxNNX{hfn}e^Nd~}Rj z3PZtd2sm6S`cL2stMc3&usVrR90XI&QFNWeC^{WngcvQhodiRTn8Hd;0@x!z5}OV! zLM^AIh6ZR-5Qr5s7ZE1eNr2#nG1OQ9n&d|kAn0<$qWz?7aS(brWRX=8p_m;?IYm)h z(y^Ew<gm_NO!zFKnmxdg+#_U`R1F?rNYNNEi>77`V4-LX<w8&s0lZP%h0YSG@dDN; z?t*8rQxJ=Ulb*#nBDf%?MFC+Hs3BZ9)9iph6pEo-q$zww|B?no2_bE%i&T@w$aO`t zA#5p&hLZ-w3E^##iprBp#In(BA&Xj*_QkT%ZQ+WtlJLZ{QEkzRq>`8^#zPyBra1tk z6icFYp%$pN+(o!aTH<<0wqJ{Ak{l=;LmLRD@c{PZl@SfN({KPH3dgVpv}s=eTGA=` zl7w4i1JSfFK!E%#+#O<?6yQfe621##i(mAXL`>lrwF`BGP*j*?K;a|q7PSj^^o1H7 z5JgTB>5i2`RwN4ON>UQ#haE<qb_Iwfy;8u6B1P_^4#TVA6xje=lawT4LU527VASY~ zyaAX=loT|gNMSf=49L@bfbyg|3QN(EaCba4q#{XxY*GqEZb%w51F9N-k-=V=jQ&f& zzZG5U)u6V{v_RG;&*z}d9Kp`_C>_@3+Y6&jXIq1976Uz+%&DW|i`v=ta`&4;UwcQ5 zfWA5o<AOuB3BKG-DZ2NUoMAecmlw*9H%Xi|l((DidZ}UgOd-{Mc(vgmSEJ|S>$UXG zf>-Q2%hrCKESZmPrJ9cyy5dPJh1S2@H}5aWZYfNYYDZygH#%~HjJ+cU-DBThK3arx znHG($KRmt{qw5Q+t97@06yM9u7sFDE1>u&<=~{!*ON%mc?I=Ksj19!YqjJ>TcQ_Hc z=`f`fwxfE~v?obT6*9|eS}Ao+4r0@_sEDJU)U*OgDyIsJwF1LKM$`;1Nxo^^zbmld zQ<;gC+FWsLhyE2I4yFqK1Z+=*?r!5qL5^g*@ErYliZL)y7@5k(*+jw$2g_nFCzBf# zmI>%yI8uZh076~hWrgXmJp2HsB;;9MK#lxZ%1aAGy4bcI>Pw}h;~OeNe9;k>9~S!G zY+C^-p8txrE%s>bTP?7h4*=c8$=;*nJ{b~qig*s0fNn#Ia?kjpWtJ4{2f%M3^4@y@ zrb!*OpA`QYNpwRZ^`bBsT&@?4TQ;YiOwFWm@^$V&Qk5Y+7R;kLgCw^$S3CkzhMh|S z*(!nxr8TrpREix$HS51>&RA(^>8q$ZNO0GMsYwc`!=8a=rCQbQi$Q!zBfI3F<goNM z`b^PQ`h-F#zT}u<*mQ|jn291vUYYVx<T4o60+5v=t`lE6KM`X%xO{d=Jwji3PqE4e zP2;jj_205Aw*zl_Lx9E@nu?=91rDbdqsd@d5lQK`d+3M`1a6He$f#H2XJ0vo6ca8} z!iZ+5TKH~Vnw$rH>aiA&W{JVyhcd+ssen2Ty(Ig8k<76ZyGrhK_5~t7XeAb6LrQ%* z9K^IqhU{Su;Y%@eCQ{P9ZhtY7l0URKU_3DwHspVNAcXjP6+8-uU%nx%L}8XDQUdZN z1%)F_{CUJ4Zu%FhvDLd3ft^2MyD75YLsXu<3U<1IK+ez&LYNNAiAv@0m845g!@fDx zXrpFIv$X_z4;iy*p=gOr>M4n6-bCsG2c_Vp&~LRgraP^Y$(0DWY;<lNF%Xx&1>HG_ zC;XUuYZ6};BOcFHL)*I~?cNYqBe5&uY1N2IlNQ|jYL~(_*f8xnL6@^KFe>>BT({W& zW}GDzg1|=^*>OlNsFZrRK=&iY%MqZBrcj^yI8dvR5@IgPTf=Kx{tc0LcylODbmm)u zLTWUoA{~&+_>M2C&pQESz>UC2{--?$>Kqx!?sw($ycr>*)GvnoPm}+9Nf4f)LKm~4 zco>s*T2Muo!!Q%>MunR=_))U_Bu%iqxa|mQK?|2{&X}-BHRe1W|D%^nUWCUZ+FWCM z)|h`6Q;ROAhL|s654T?B9{+3zZbh<s{J;)b=Ixq5!RGjzDJZCn=UpDfq_a)9EaI76 zEphm`xnkM9Lh>T7(V|j_qWb{16D|s4<C=E<E~f?+f!aX@pP+G>ObP2Y?m3{^lhtFm zBW+wM;9An2(aF-hj&mhhc1hNi*iya@-zTZ=-#3LT9J+t){%Cv=u|u$FLVfAGP$R+{ zXn)59box3|6~8SNBU9@u-LF_kux1c{Te6Z@k82o>k@d_(sgH{JdS5)W%IMY|$P}58 zV5T^{uF1jywy*~=_^8%xQ46T$9_6m(RM0MIrc_dK{-w{Z@D{1#Ye-rpU)o7lB-eKf zu&^H#bG5e+IDmNKt>dN2;mzBf9~w}=;QLy)M)~p;F(y4lu}Ln^ENdul#DhciJjM80 z#Z|_L9uIh${Hg)bbQ)yCu&SpFIgN^QzZwasSIG36TJa^{+ND6E$iTdogoT@=d}azW zvWMMv((pcGEvV;6_Mn1cl9)Gv{WZYg!li7Q-;C4nB)*j?0#qMyP?HyngF`Y-gEa|= zAZemWr^6N_Ah@U8<V~{3jf1o7;1z@P;FwPRn~kz-VMaH~l{Mx_$3n~56b3UX2>3qi zz$_kORE{*?Rz}X0WxJ;Bl7>>Hp>~LTM4ly;45gL|6CIwY0B7M&Zcm(r!lmi!PXIL} zE`5HeSf<HK6+y|nd6Uk%B7Ky(7pbR3;AYIsJ5kr-LZi4<?%q|JHo&80YhDk))S!@3 ziSNU3J2k=3eEFJ2qyt$0u>0HRrSkK!(1PM5#m7HmwU-Md|1fmp2lm{bmCikF3${~2 z<xu8V5h4&P>6ha`azK2_rv{M8r3pm<+sB$j7!}&;`qFbSuSi7Oj3OH|sDG{j1jy7e ztSD>$Slj&rmGFm3mc<zpG9nc7QY5Pu!C2l>sK*w|T}zOB((YW3In~%x@H+M@j<+63 zI`Nn9e>*td_w*N+5C-p1In4!tG?f|t$j*IP&~BEw&0l4*Wel25oQ=0EuWvls&=UuM zy3?$b!U$PWpRlBYhFO@^mmT)fRGNbcM<%)6+rryY(htk`236fJW<N_qeQ5gc5Ymu| z4Kro%%hY^$#DZeV87rg?PSSi~Iu5_ZUPQ6JZWw}<ZE*6nXQA;8>mQ-iu1LO8yf38B z(KTo`>wi{$?I`?kD(k;XvsMkH-g_4yHF5`bJdSM_&N8%>JVTAJCFhy%J^jltW+qVj z0PQA);Tg&^c5ymtZ9k7lXq*>~)f-+TYB(8#AMw(RBdnsWMblauuRqqb%Qx`YUhG+Y zr(;PEH<XiK+g~qw-h(nE>wZ1uyA?f3$OPuh6<HM_!d4Kf4S<>oG>+94K?JZB$5T-n zOmcd|NG04JtOK)uhrWW9imZH97eRD?E85ftKxDSLPSmcxNry+u`R)?*R@_NAi3|~y z()5r_*vDSX07S)tqB)omo%n*_ImzdWG!gni)iFD`zZF($)?CWTiZk>M-1$&i$N<60 zBI)5sep)_r%~w7qWM=yqgC)lCw4V)bMZt4gSo$aQdX0up2A(Pfnk!|K%ToLfWZVW( z<xeRyniDbKRwP&!zdnn46}zXyOMyE8%|59%$VKzaKMFJ<)2gm1Xz(Qoz$zffF6w== za{JiQdqp&zh~&Q5!XKKhZH(zqpWf4_>9X$8Up47JtK>?gFOXm>Ce#NQb9Ogj?cS;w zk3hsJk-Q8h9<kZI@YDpBwce$YZO7QK6;4T^ui_-z)<`<Ts@$zXY35qW47PX4;rpD$ z5wC^klygU*AX(p$0_<7UjKcX8D6QiTTq*)a)lywCS#3=%5EY%HUaXlGH@%@{SrPbF zww_RRU?lk1Mq)%~j^=6^m_4&UTQ&j-_ARm@O8R*QfCQt-^?=eTT~<`5K}5x1J*II7 z=NR3)f?!Q!B%M3$SQ9>#d*f7rPf35$gVQS#$3NF3BfO5dCL2HicBRgwQ>7AYlx(vT zEI)|Asn1r11TV?;*uj+_OX1X~Kx@g%s;#JWJ1BS76W7#HHag0D1&`y@=vBj1RLBMi zsEpZB!B)h~Xr2IK$$qi=iNIF;Ob?zzn?8hRuxd<&X`}Pl7%WH4gw|p$TJEH`+LPd4 z&*#wUqTYZmlR*FNWQeAdt1_(_I9o%f*2b9d`PyUp6HAITIf}uQfD>!Ao@10^a2<fJ zSe1_a0fGUiazy3YDYFc_MVtWaZ};k~n(vae9A=MG(*{^RK`XCnpJfp&jGM!zG55%S zj>1oC@KuZtS3nF@?Ky_GtPo}(`AdYPgPRoRCl7U=+qS3j@P+U=E?sY~{8`yX<tzPe z6{GAfXj-z0QFYgjU)GJ}V9ZdnZAg<Q&cNCOr%G#0b3>>V<iNi0O1G-`lI;RskZ);x zqhD<c=V(?X`LWXAzQ6C5+`i^Bu(r;O?_}HtEZhtI`!74S{~ui2whb@5t2;o%bM{n7 zz-}d*Y)vzo%p+?&G0&eRA=2Wekf3wvpFMiZ%MYT}HMeFLV;h!L-dz0i9HOre0VQK= z9vohiAhuPq(}Q!eW5frt?6JaW&wbTW)`u_exqfl&jDmPxc%)7DpJkp%_iOiXZoYY_ z^7C+|l5vuaB#uAPC$RW1C+N0bnd`6An#12@m9BH1>jr@@9fXy=?}g|D$HyWL`WySc z-(zgqk_-s)DwyUa@U4Ph{mzRoC_40bFpbu3TD60`_AP5Od{_WmMlyLWY}LhmOth-r zmTgGYvGU;yH_m-0FGgFMHhqcOil&1^iCcrEhtWGs_t!i6guor8$|u*0t5fesvi;8f z48Ii=y!CdD@a7kTtup}`Z@O^Ai`BqBf$r*(hZE1f7Z1{#_r}mC0ND>^cdQ55Yb@af z_wdOX_N^Pw+{<)AB;&WYzGf}9t(7f~2kvub|CegKE(sZ=jV!Y8i@K|^g(`-dJHj3% zuKYpe)v--FqjgL=VIFL{#=1w@KdPq|YjUSW)vO`}hpb8^^B8p1ub6bs&SrEX+SY;0 zp-*%05B3N2uWb|ffrZyu8}3BIlS@fYXYWIAXw5i*y)O~QYLpN1Y=f`s^Cs_w7l<FQ z@-5xDO_v)#SY8vku;1VJB7zoCw(_qOAB{zZUoR%DAqk0eL<<#2r~YZe+@8`v4GhEt z>q<!V6u42E+!$fjbjKpNywO7S;l~8yNMI)2>A?sRGeZgUm_mxAESB@@zRoVw2acE) zfAhFa{Dy1uM_J0r<g<{_ZfT&^wI~TXW|=-cRL&V@h+$52PnS51k`5!(!BMm*ScKVS zMG(*X5F1&ceE|9<RBAI7iuCa|3E|Z(8~#1DKa}w2rWlLo)vtf|f;Q6t%myw+7)RpC zu%>29vEPM~Q)hI7hk@v%w+8w!Z%d4!OikOpa3Z=clcdaxcf{zzq|~81?vgHAWe8mj za(8d(u-z4Xp+OGj6v=zufLA8Wl%*KKFJcV5Bn5#SC`oeREA9*%S_zAyuyRcV^utZp zFpxx8copRdE#)iR5_Yq32oxH0DvJQwra4-z#f&L&qL`M(0vCNwnpLeZ{*IDx;%sb% zQ`yts@U?%P(wtAk!)tjV5woOkDQ0cN7hN%=Ru$4+^hL}PQW1nlo_IK6wNZ*)R=n-# zWmH=nxx|K-Bsr`w3mb}DRy1f<c_J1Exa>sn)%qPVBUUmnFKbHDa&Y%nv@kw&lrfvr zXN#6q`W>M$ljGCe^yRmB_?DU?Qykk7Q%?(kD@sVsj_Q4m;PUY`xySzGKF9NZ)m8dE z&+uzU_;mjjNJ^%tG>e>{ZpcM0`Vh4l*f{pcYR~)ZX6(OlJ~tc-eUylmzUV<o^?nxB z=te1(I+m;y$JSYwQmp#nLVta{zsnqHI{Ix`_M_S<j`-1s2F0Q)By#n`wN3Ik_VTJJ zj>`0_o{43X>LU%E1)@1W9om(Lo186(11ZUGBh4H)$}c_uSxs!a41u)zS4@`64Tyxc z$(3cld2nJmg4}*7@{n*3TkfXWf<e*<c7fz8@tQ+66@W6?eBwd5{-4JxzbZ*v6QwPL z=2bWxQR%1V(-0)7%+SZ90o=bu^#%Sr5Inh(N?h1wU-fLoghm3USrBqoTEKASDd5!Z zOIGq9hAAs)??SSW`1crVzHpS$e-=h)MWQQ`*9?Og=Y%p%d%IX!O|_EUc&cfRv_2Wo z2&p<Lg?x!)qq?7I(y8SPgUcCMMD@Q#bA*bQc6D-aO*sYJ_$#9u9cbN}6dkScXb|=k za!$SYla^XjA#$*N^8JQ4S1ZF;JTV<sB(iuiv1)m&V;Xa*M`v=zlz7efWTJ<kRDO*c z4>$Ozl(3{gIl9%I;b69#AT>xaWi^Q+HPB$-#n6!BC}%ZsnfaCPCYB^|GFmUEFwA&H zzy7<~jkChKAEj--jY+W`rR;Fe<#0r&pQ5E(sbVy^r1dFF98&0%4!#s3C{7%fcoQ}F zOlXlHAQt{yHtWB9figN*Wa805^fUK4eU2h&E-U!raS;|RpzjJ&b_(GJ1XSXrLRJ*j zMs+Geig<cLI^j+BV-hb#(Nn!d-iPi3;+3yHhtW%vTvzD`iguF{H^h>Mb9;ifj`(=b zlX#?7?ZHue?--_j9Fjkbtx54(bE0wsd-_s3eOllSw&0v7S8b{hcmpZ=;J*PcP2VJ2 z_GmD>{G$<?ohkbsBBC#M3MIXR(a_Or%(tw)>M!L71kEJLNWbn?0e_HCQqJ>iV=5i! z^oN8o_uWt@e#@k%bQ0RatiA^Vm6e#)1oEY{HpZzIn)i~U0;7khc)fR{Nhvv6C=(TO zMk%YCwp0s=F3SjPDebzVfXkN|GG}%Jh4-gcs;oplvz;)ccTTOq=OzP5?Qa8x@wByv z(v?Mrwk3kTTePH(#)gv4Z9Rp&iPrzB9Ch7;`;}I*uV-Yy(KDFyueYuH+wN!wrDQCY zr6QVUU-t*4;?h|YYqS5D&%?(4s6?Y2=nVb~Lt^q(HCAT~+Z^+TDSa>_htUkIfn7W9 zRk!E_)^QMl#uHeH`m2W@qa))*dZH%PPdbWGTRK>`cst2_@6Vce@)186e}(CaH|qWK zFD_>DDOKW1L;Byd!_ghqlIs?DD#=x3mhqN8IKiq*jM!?8)IoHAs%@DQ;3GqT_iKTS zV4xIAtk>xF)l#|OdtEFrNK>{SAEt~SLqCt5-iZ1~(-z{syi{KU1!eDm1hvB%E!Iy| z$<XR!cMa|2q_R=0>*m^Ux;tGnT*o|}ohE>TGbNVaI97B(er$iQweEIY6Z6046oCIr z9NoJST}qKEW%)c`@~m4MfaAR6d7UXG5-yq=Sv|u-H;m@YrZ?ra(p${|Hrai@3D9Or zo08XUE_<P_>o#}7-0H)qY~-3oS6w@$u->gleGxQ}+Idj3t6u1RUD-wXw4<tNN=P$d z!@FmF+*Z%&VO+=Q=y$`J-`TI5Yy9fasQc;=|7Y9bt@71jq5AaH1V7MILfiG;g;|6s ziE1LUVbgl1b8*SO(p&C{j<UGVB6)f$vh<5K4#V1a?~xzT%$ECJd2ZAiMd7wLX`Dxt zG&2dMf@Q;M>o2w6{dom=SF`hptSKj0-0%<P<M0ofxXce$6KcMfw$*)a2Hku|zli=0 z`~9&slsOs1B5AkxBG@R4Chy1}TI?A(sy4oIJ<EqLd5q<p+%_j#M2ccre!ik(cWj!G zEx@lm_XMtw!imI~1ghC5+5VF4{ezU2G^K_G#M+~SSwi4u2(*!0lHd#1iRg&X!zn70 zaFW30Ajnp`S5Z=$)vUu|8S-bRUHOd-i!PuRSWuZF>LBYWX+5HITX-qSi==r==f9rY z<HO{}s6g-hHFz4=?X{*lMU+@MI)*fSQ6@F#Yh(%@HoetXtzpt^hNVBM{hOugmoAW5 zq&Ez1-x5RdGvw}75-gbuXCrX4C`K7PTJ*La<QXz3;L$6Gsh7l)|BU1O)hV?=KN}Ks z{nZlrQ)pFeV%SNJg!I?Y@1H{M)asTZ#k?8xR}xExeB!+lUUDROGQ7Kwzdr|YOL?&e z1B)I;??FF^o|p+F%PT>VLCE67Ogjda&i*DAL7^F>jWr`9z}ZhyXLh?(QSvKNou!J3 z%QcV-EUPD%vjqhB8y9tb46BP&<Ck~GNoB9=W@rTo%iFJ~77N+;&9o0*-@d;{wZY;a zAq)CE*A+9r0kP#1Ww(y9Zls?7t_!|Re93zk3@;8M8{yEp-6F^#i;2s{myGlxOU8T` zwdnsF6F2&aymKT6{!k}hO-s>`aO+y_VGDBpjyPVCvapK08e3(h<m|2+@)t_9e775_ zTlC9F-yNz?F^aCR|7k5GL|M1)gtfFSJUZWOz0@duecG8IxB~t?bpOIoS7--3<=m0F z|0_rN@=TTd7FaR#eiOZCV^Q-{t66u#g({DePi%K=naXV*A-R4gXYbT_*iFg9l+RUP zcVc`)@Sym(BT-(eY92eo-e%J6<ldx}>g6+o-c)eGDtyRL+jy7MV9+f<pnjDcHN)?v za_CJk?4TAZx%9jG?i?BY^|BDIkD)o&jkF_%k5#4j`mI6+?_|8Ouin*%h$QRHm0fXE znk5qR&NVF(@rONiYnIvd=*>_VLNdNG4H1+2aOa2u&4Vf>L?>eQXp2FfTn04MA7IMp z{pJ@-MxSsjJbF^uJPk8OpSl$CAHO!QQ*MT0qthoDIMW4<v*cJwWt%8$Sk14xOH$+~ zs01(wHgtWdb!j^ikXSQkkb=gk$Y=~$m1)SdLQ$eV1(B({p`If#WyVi!`|O&~oMLEL zQS)iYO7vsVC#pO?8dD8N%SlpJ-U8}SM)oQshkbTOEu~Yc8D(QW`@hii;RMA~i>OWG z8IQzK2dSsvli_?bvck&Jq?D_o=9rx_7}(=V92;S{8RECxPiCUOir1srPnJicTF`<b zk+zIX-fNMW!TK{ap58Ar%JFB&P)<_holyF`<kJHuySqNZ?nY+$rBxeIOZYhml`1El zK$;XxEk~P4Ae{%YP{7L|kT$B=RmA&j&zPZa8ey;NOp&N%;*9IiL<D_HBarsgz+!?Q zL7^g3n`VL^MWMo1rX<t8W;Xhi9FW!{j}dasWl72>8QmG4o+YEioE-FIPs*o@I5hNU zsFkMRYZekK8(*A%UQ#o0L8}t*HAQ^jBU`4cGTfdNi{SIlYv`8;<C~%C^#1W`EZv;X zrQo2<{PT^5E?LZcNXmz}^}4UI%9d)5L%T8>#69dj{mt4ZYb9$%(dOIlt%`(te!Wjd z<UB2*FmBD!&nS+4%dt_EQj}7WC8s%$pYA_Vwn0sxWx2b(rIGqkaMcW4IEsV&t7_YQ z@hkp6HvJBVE6efBP&U|)rsstn<HSO4FdqTOr-9KktR3~dY0FWoLD#gdXLrJ;{vQF6 z*D2x2_Tlx~UVCD+a)q)(ne^fDV|e&HV&$6st%F@Q&)N9x-x+*1gO<y4#u?48V6&eW z-!_(n#5+?ME&m!+x_hk6c{n$9J>BoGB)*GGcpoClR@l_}0p?qPSMh_qd6-}8x5gry z#vRw1{nxLTdgVG32yR`;=Krp$Hohlk?rDs!WHe{`H|ts8e;&@%)j=pi;JHAf!MX&? z@9lUX&}_MKX_=DhpP+;qLQ`(n8|u!bN-MJ5fZ6AN)2jCHRh@UIKeVCGNS?b<Do`qp zpXb0v)xMd8h6x^g^B=>(h@&KEy1q0d7cLzVDhuS@<lVEGwy86;#&IpP&uS+EOy?aP zH`m{fGe6aM+$vUo4})fdYPa6KP#JT%)7R^pg)!s$-XQatc*R^oej2i_V~zpKIIr9Y zTAp@?z?Ii^E*JIFl0~XSgK@+00PC0a>rUKxMuod{A6l@Z*2-&`b|dKzVL)Kg>-T8i zH@zw&VP6SG=~IQaWI;h6?<R@+h0|*EAfao&-3Ok1L$FsRl7FDqi|%-{?;gxrMjMMg z2`9)*qxh(%<g22&@4@ZF(Trwi<TC1;&~5V*)Q#W%Lk4m4bbXF_wQIp^tKtEhkkHfE zVb;IFbh3>A|A&=Zujh-~)VAl9yKdhzBoJ8|W*X*qc2DusaO4R5OhW_Dm*d=!N%W4X zOR#R0F1WOkt}$<Ru2?@kgbKa{T_OK<die5^>dsA<j_m?zov4#{z%lU!^MR^U+ZPx# z{&ldV>qnExGE`0o4<Zj@&a#tl-O(_sh&8k|^oBs-R^ZleA5-W)IBI5j@082kk^0x# z2W3GUtf>yQ6VKYSoF?bx@3xbJLS*RY-yR<~cV<XR@fFx~ENbbURo9QN!Drel7e-Al zN9UzZ0juJx;z}LDd{?{uMNhI1spr<{6H4Pso!PFHqm8W2eqE^VS6wFi42Cyio;M_` zO?HlR%l7RLPwNMP-LKk@)xfxDyQ`vu7y0gec%B)Z((>Qszj@WzWZB9+BbM#$tIt|m zcNP+iUkD%W&Q1hQ|6G>;DV?axzjK`DJvp9Nx=&n)Q{+qW`gje$!FH<Zc-q>JO6=5R z(lh$leLpAA=(OBR7NV`px;34S;)C9o9E;W=s;jzhTVBa@{=ocxbl-en1xjbAo_wu8 zvtHS><7e{7I}|MEue2L6ZQfbvRP0a;^@8~f9Lc&DTH{!|R@>Zb^YQ{~{q~Ij{9eFn zz;?iPK-{yZr#DVenqwr?VMBU3N+;FHRP7>uW#X$`53Ui0d{dh_jt5SRKJ{$d-to}D z&95;07Te)~J}JaOSu5;c^kt*b`BpQw*cQ#vBpklk6?eB+dnZf75k)gNZ<);&g(Z(x zG0FI~URWlYVS<UX-br3`qit;Q*^OpgN3gytd8kX_Mt-8gnO2&Ojx^SK-Yfl!{zhRx z`9nH^{sUc_v0&5r?{MnG&ntA=1Y<WVL()++jUQb<%b59U^5k?xs>T+53sTyc^K>Vv zTG&$GQaDcz(slNYp--Ae#ws>c-Ex9ZE4s;9KNc3BnP^s?7RH{@EgcN4p7U`MjD4*P zHCPGt*|ITG2IoD}Y|5lD$Jw}RSi|-~Fjt@Ru#=Ol$>L~oDzlI~!I)=DNPp*UGRjv8 zoSEi4IRkd{Y6rg?o1b*bTc~^x>R*7vHTJUZRQn$+f&Y<q_}M9AWb7FR_B@A4$9STV zl~JgP)%=YQssAIN^TZ8pUMowtSsSay)6!~w&%Xl9QSkW}eOSRs`|mV$L?kgjszW^R zX%zGYD+A+#yR5T9JU*spj-!i9=cq<dDrA^`ucpi#mwya4__krKvhaZdYsVU%acSoD z1wrqjHi51!57i-eGIGz_d0HPDln*aPz0WkIb0T0}BUN#o&$dF8iVtvjIPxe;MG%8p zJjEUdtJVGZsh_2FR~p+|zSqa{2~V|<M7*62*R`ENv1@u>kZ;5T5^pE_qW|fD>+{a- z+L+QjN<L8_%d6h}U`66m#&z3qQ04xgvO&+pvp&$6V2wq^AJHh4sHsjuKkYL^53c3T za=)1&-(<guAA85U#~sc$Hxk}dog=<Pw>)29XL&%5vkp%6C*xHQvd1f6=W0{<$eS(y z(53KQ#9^)VdANDFd!{qv#qPy<tCd>EK|x}{E^mLt9~eovhGLDUg=bWDo=xW)Ml_s) zv_4~jJl4}cW#v0FkJx55j4WT8dTzdomB+IwbSDK-e6-HrI8HVPAbmKzTJPq6av(Du zS50cm?id`b?zC%wRg8M~ds}N0x26Ba$AIPouF1p78%xe}+MEL)Lw%8tD}Q!h-;b;) zb$hW0O>@<6r>AM>8$0`U9<3~2fbKcl2*H0mYYpe1?HWjlz6I=w`_1{%Rclgd|E-SM zST(C}{|@{<be`RApI5azWm)ZhdphhDnEFaf<1F`{{mNY$kZ{r1yijV8k7dr@+dsW@ z-Mr`QC)?;SYj1zsMEm0K(7FDw{Nd5lPiHKA`+{*rLD>|!FU(@|I|kh4Ns`O&>2b<W za$3>IWn$a2OlVKCz)#A~hY>)&T%Ub#ubv474~Hgb?aRthWdyD=Bu#i_w;L!U!0Syt zQK}N~s<jhJS!gS|b2Kw9ky>2}EZtP<jeTdM?9zDKzWn?9QhX~S2!4cVy=FxdTcAGt zU!_cQUR@A~OEY`JwrkQqAD2v9=^-m+%jM}cy-WLfeZ`~t(r9a;dcy(hn6fHY3H{@1 zmO01ZebPch`An5UdtJ@Ecxi-E&b=dEPDFjg4eSAO)tq6jL2jRC#2eyEs!jHn9GW^U zYC^4%O5Lvgw(JwaQtqS0BJ=9J&QL#C^mqQplO(=lZdP~y&J(!A&-hCnmo4l3{D2ff zxs@WaY4o+gw&b>CMe}TK+xdR)=&OL8mw;^0yy+c>h@jYvTbku{7q;rY>XGV^wZ~+Y zKszfhTeXZ)B3(d!cn8~~NxH)#gOB7(aoGH+!OdiL5V19%kw=H`uLQd@;hGnnJnLrU zPG=z>t(~O=Yk|Q0SM?p`c+R~>Ya3&pGTWLN6KgOj+r7W7x{dy0$K}(~@tkDi-dx6l zi28>@Skv*Guha=$WqyT2!{6od)YRtG=H_l??tD86D+-3I#+}@qT=h7Y-+i)wCL{B~ zpG>>@sZFYmg}$@rwO&)GGoRtKKi3RPUz~1OE?EGN8Q<7kjjW8cJ}VAuH&)r@g0+qo zlbUuMKDWdN|HywR2Luyf<wdR9$~w#Aj99-<+G1Ch3)LB!szieg;Q;IR3BfrPwU1}k z5qWKGFY`*lLg4@_o%!Zf>sIGsR3>#M_4a`KvAnaLmx{F=x7a4mDdzgZ5T~Ovl=tP) zUldCS(jz+Jl^g<uv#R@e*(q7%ehAmA;#7a7lWuN1ho#xI9Kz>g{4N&~;KI^u;j!It zEku6rdcu`h;0)cM|6L)7qagadTLQ;%neo6~L*H56Yb-!G##Ue6t7d5&7BQmp*Eol8 zF>P_dq>;n5R%&UXM=J|svFH)e9*1bFS`l>@F+O0V1P(rJDeldZhdYUmH-RySu!ZUK zWXK5ZDC{lg$RUJbC?p9wv%%1}QV;XCyr%+>mB1~HZ~?07%Egq9NKj{22yoJiXOT!N zuTh*7x?JA}o*ppCj)TfRMr9iVKb~_-%9r#xMLB<YI^+)I6P7Npe_6Lw|CogwfR2-? zB6@P#ZRaD~pZF>8U3c-iZBWY2UvIP_13%N)-?Q|NBvF8LGQX2O$TUyYdL#z*4^O`{ z&}&;sJ~x9@$<6j`n!m^%;0AD8oq4>v+L<ZjB(&gau`bhF*}da<(R`>T>JEH*rkUw^ za9f-YKS5m3BvWbN@UnVOeNujBpOYI??)Z4^ZGqqEVtWr10K2)poO*!nWR1{~$#g~P z0#B}#noaD)JjFac$47MA)=tfus$7~~gO1;4yF0t9yPYip(`3_z2`1}tzgzDbjdgne z*^Jyl9UR2hAd?RWLVd-}RhPid9_3fe(=pv%j<&Zho;(+9ufLN%d6>Uw4)FNdym29V z_Z>CA%ZKM}={C_Q-wp%<ykEQ;NW6K6?NgEIH#A;0TpH{*8hEvyw=tYtH{qY^)R>1X z&{jWq{mkD8_`3ZU*oPRQ8=>o?IhxMaT(#N;vIaF)&Nq1+%+u-RA3k@jG&s$`!DY>I zmD^gC>pfXLse=@k<lw?PW{y70z0{ZF*va94e_etn8RB54wf}|x1QjrhlOz)XpNy=M zc^Zrf^ZJt7Y9bcdM{V}blC~z}mlDRFx%f^D^&$cM$YIn7O0TOt^mgN?O%kh7Az;aP zOIQxSEyY~P^uqR_#5ZC1`sx{ej-KkXB|i23<?3}J{E%cgPe<mL(f$nu%z;GoeIiXC z8}!o}%+^};Fdf#kG95y`m{mB+N+m-53#Lc6oJkNS<o%4~#Uw_Vvg&Ho%PzMd`Q<yX z#h2Ce-WldNw)vq0;Q0p=>L{ZBAPAeUTXE~!3uclDBUMDT!In-KgQr@Nem$zEB{};i zSSW)18e#Xz8a4Ec>ov}y;4rd(EC-9-`FF`)3z&AdMM<Nho-i7mCE^;$jea2!+{q?( z_uStzh;d6QKlUMjd50!>y@FYlFTU!>7~&qVz0!%`#YP+675;b+5Z`MGuUo(vT$d|a z4q?CZ?AwP2$}3ajIf~i%vSPkJN&dB@>`bA*WelAb?(bQ_cra4d5cwhMg%NTX0F(cK z5vxSqvX=VeI~3%B87N==&}jW?I;`f#r(l&s=brA=Ki1|Rb$ggD`e5|?az=Os8NIg; zT=Fh{crquVE*s6hgOs2T%hz3|@U*>3=4!0)4KbW&7782fz9E$vkGsGKy%Ck>>g?wl zUOR*$G}9BXE`K#>VBc<+%2{zyblh8~Df^_xJycdaK4_7~OfVhczCpc^$}?n2DWV`A zVaYI*{|<P5t0qBp57bd25f`BCcaFqpttEGmXh*7JvvcYf#$>XS?y=(em(AB7wU33J zEhB0JQJd8jKA4GlS4+#znZN;-Ks0kyYr<RwP+QUd%RG|wiUZCtQy0|dh)%GEew`Tc z3{gbrte}J25tBTir}$|OQ)b~Zm){~^Q%AA+C6wO^#;pm{o=>4{pB%HqyMWm>Tn8$; z;wO0=^#$Ay8PPqc+5*mgB}&BNRSNd+nci{GrYZRS03)X4QRZ#dm*@loDuquwT&A+_ zAW=WSg2P>RJS3dwDn$kc;EvEX#4zY4X+VmBP_BT`FB&g2+rNiuns_b6y`orsp4O(W zcl_S@Ea1?6WOmBU{ON$?l<}b5$ZfX%dzm{NmFd$QFOckXHPYXSWi|p�pyPH0|Vh zfQw(oNnbpW6AQe3>sdhF(0G`#^jb3P0uMa&l9cA_aJe>a9gjAdP5wId)xPK?(IiLe zuN@fxzeuBXTJep7s=8N}<XZJW9*4gB@tuih8(uyef9q2sjZ4@6P+6_HI|M3llD{<= z$u)O)@k-=R_&*<*J62!k8b6?uEX@^M-_OAdz`+fS0V>~?+NLgBx|EdW2JT1~ybk%h z>`z6{R0*uK_dSf>-2yfz(4*{E4X@muGfRzEUQf0Se|Px!7)wmTwGz!FEQY@i6T6DM zc(gB^b?rTCSPA3$X$Ec3cUbS_$tYAOdJrtwCQI7esiiho`h)LTdDjD9BeKr$f{g0= zO%o(e*X?AgThZ@tqKS+2v{Qq2CG$UA12%T7E}ZhFZ0|dFLUlRsdB2t5ci#DrmePK# z@|PDn8y)z^lD(}capb-E9}S;zqwhXz&L6FU%(XiqOQm%ccz*KsEKM!3w<Lp#9ldPF zisjkBPudlp1@WfM2C0UHyiN_Pnj6+KWwzp-FY(3^{y7A{29N8Caqqwvm4T(nvI6T) z=|>~AirTGbRao~tUw7>);qf<4`HPuU80z-x?v?pJNk#?x{fG7lvOt5*&b%AH&+|kA z<%4*TD=0dr*uQ2wxHsuq?!=OSZ}~({fqP`&@q5(MOy}_pFP9DLbZ^es7(V;&JVKMZ z1F>}HWXz$UhQ(qds$)feZoiMyx9?mTXnNq*`77~a{nln~=gGI(kJQnNP?LbOFS*xn zUdKzGb6;xg(i){Ar3MV5_6p|%HnxInJlUtG+2%SL?u{#xVo-1Ox(}OL_4A@@m#ph2 z3)>Z*&fTg1@KL=BBhOVjO`BKQD$XpKJ1Kr&t~h90ZzdlT>ag0T*R0p&`}h~8XqxUL zx0BNuc~8jyIN8!qu!7gTZvK6ia@*Wu+$$dWI;aV)n$~fS<kx|XM)T2;75~6Z{K3lG zdYi{dX@KD;m&GD{TB6>UwF8H>)fZ*yfSzhj%r?z9`)-@_nNPa($Y^}49JaGF?@v?N z)2u$vB)_o0^~%9R)X>N>Hfm%;$I{0^Fb@?KGoDWWL}laYy<4Zpf){a@x&9$WvHqRR z9NC?6qtVp!ZI1wLWl75<*$K|s8|{0~o@3_4>dF1Jy*n;5NTpePE%NtFoVBpd<?Q}0 z2sFX{voc{fBHm9$rqQ>v>n33G2x&DgM-#O2F3I-w@g(jH>`c94Ebvri-uwRJy3rth z^g)=@eQoN5b3@m2iT~_v{lPCNt6yts7Ua0m?BWULhMuojzc&xM4RI?a%&&VBVwn&< zseg}dtLHa9Qw!LwYSn2rley6toL!9-a{6d{J5kD=j1{?HtI%KkRU_t~?k25So$bN# zo%<&D)h%zM1DT0gOUI$C&GdTf_4aS($$G%+_2xn?qMAheIc!)7njF&B+#IoHyxkwf z{CQdpri<YsRbSqcb-Rg*$bz<hzzbH2W6{9xS4xVh?2$-?Lc~8j8qgNpXpV|N4@%QH z#D0->%*#{pSM~K6+h{`XYh@S>84T`R=_K`a?_s6!cuTDc+Oi#-qSj!Wnz48<EH)2H z1z+IMrD<putEAislk2Xgq)ZO>DK{;iZ^~wAejR73$iFp+f?w^?d*^h%N7Abt;!8=g zpHD}*8rBF+{SK7%#YE1P+U3+*iaMe+9WIun`hyUthk29sU>ZZg`~>`VVAYqy@#C%N zbSzDt>zWgD!Vre%1H-{zJh(O~Y2R^#a9xAPqJZSbEcJb7wvk+%&YnoPeh?_DD4TvL z=~o9K7_=0O_B)hc5_4B5ix8v=LV@o0poBD>t<hL}(56FS2LeMo=u)HGM)9l5>zxbW zitI9`a)F2VcDH*%S<DD@3bf%<8DFGD#9^rrP?&#B7_G<K3Ua@xm+$bBo7Ki-KhDjb ztf*adrMLX$v70GXffvbqeh-+<)K_Ec%5Ra9w<IgE?5EIDLGFsqe({*~$yehsbt@4z z8o*MLB;PK(`5&ykV|<_6@;)4+u^KeCZQDj;+fEwWw%ypa8ndx&r?HbK?LOyo_Spyj zv-j_LF>PMmv)0`6ow;V#y5~x~(~WJ^u#-~}f_1!Vo*5pQ<n=O}GnOs%OijI{J?fl> zU@OD(tnyp%rf__~n<*%Ly3B3Kl+_KNOzu`Vr&+LMz%8@e1DU-XoNvjxX;;t1cGILQ z>M!ee#7JvsUAf}@&cMafteTFAoQe8A3q@cm@I-6zQ`~i0<eANQlh!%Xp0I=w6`QW| zES{ISqqD-@swWSDK7qcyx<==n=W`{(P{K`3s<SC~#r8!91Bpgjeb4L7>+F+qR@M*3 zef=b_j<+*sVeRAKIkIwvNBf(+BaHeo9x{)})fy}FbxXLV*ZU30%9au)I^w(9an;qw zr95sa&&J%%P)H6qOlB^NqjCgy_Hpj<eY@pWEgFxvF|kRiw{KM<ep!~j;7n`vF7tZ? zmL44ek0g|XjBR!#S)ER=x5w$!Ph;luv{ueF`@P+P`f&y4>7GuGL1QG&PugSd%QvSj zIM(u|!3taAyVCVWj6<fe4E719=F9U=EwBT((u=J_?Xg~d1BvIKI@c3Ft8Q1VMMrk@ zERUtqjf|+RtF6Bdzw%99$tSM3zcSu#-(QPo$lN?}O__|Jb?wt_%iqYmX$&^K6TBU} z%*(9vz>Q8|%d(QYTwV^9?$@_#JQ!|!-5DMwurSP6MNd^}q@k=XJ2hf?=v{{t$9+^( zPwAXI9K_A)otRGXs3ot3Io-Q0(|29GzFhFoucXlnlVr(SU7aoWYBHV*JrQ4I-<}`0 zsJ+kVad7StJswnGTYqO1Ixv@<qp*&jvJep2=FSStNT)UbELCcLD?Km_Y9Mkx=;mqv zJWVb$_O=+Su3BoJF@Z2{zeMv=6<%Jy$nE%~@m-lNjz;5))$`#E&Ksv+36pv=G$oH& zPZ3Pq{P;`F^Uxy!2MP9fSS{3ff^p_kfu$e`zNEF4j0d|ems93yzf_r3GX>l23I7LW z><(;CzOanq$?6Q}s3#}|4Vf1e&lnc;bK2|Jz{~;>#mtfEP#KCd1&_dwpeTl-xaU-J zp)FU;y}&KxwAl=Ret5(EdfUZNS=k`KVU5UX!mAA{yCVoZ&81FXE7T&-hwRUuik*4* z+gmA^&id3tA7o`Ho%eOc{W1l)TH5kem~Ymd6EyoO6d=x!n7VPqcUI%6`evvqSCncI zTSJwUT+Kbql8(tw?LOu6SP8vcysaono&^SxtA|G9c{)=w#oN_#2&BYn32{{<Ol?=> zgE`|cMY<Igukw*m!5yh;7U|yPTip=umhW&gr9aMC<WnTveWX~EKk-EjcNOM3$U{sE z@gNsx8&c>xnp2RSCO#)2KBxLzdEKu^RfHFp_O0T5f2#>peUI|zhSG_hDO=ayzg9?` z-R^K(bKkfeqXeyGJ~p4uC=X#R>zaMtiIh4^0UF{+intPezmr{zG9uUZgE1dC4t$AP ze#9|F<DFsLKtUn@ESH;1>jrg-U6RTnv@U@9VN6L>Ns)w4UvP@gDJG3Vz5q!q#flKO zg|tVD0QuM%!Ze<aP~l@VWwghN3nA1_45ey-id_48!HgTYko^h%7#;=WqRfqwLl4;$ zObw4~AoL{i6!`wo&FJTXB&)b$7X@^=*q4!{P>B1_gg`R^&G;@KYSOX=>eszX+?Yz5 zE{pgGYJhi&ftoEE6^EUiOA3I+CBX(KJb@A{(I>y>+p(q{UC@{KQWPm#=h~5?>TnPh zb_Ru3<i++nQ^={d$8V7<&%x(6W#&DS$DJ|~WeoUT`dzNpK{qr!PZGI$zl6bP2O@iN zlqgv0`Q4UZNwP;(oYIer(Cp|vGdrJ}(m}Nr5w=Cu%DkSk5O^uxPV6N0TP9a~-t1Eu zH>9%_m|7WG87=CGm1LA>lovXkPVD)yCw$6ew!JR{I-aOkY8yT-oU1>2uJdY|kHjTo zdfe*gXy@iYz2&KplQv!(gJI@a$GZJNZLQx?JQbs}ewzcDvV3LCMSH&})b7q0+g2mO zBk9%JtP@iyy<1+t$5cM~WOLplAT`=bS>3?Ejh9LNvasKHCMM-^)#XgbKx43e>&e|y zsZm;0VGlN!>i%dG?TXcj#X_t(plxhc7qQmw<wSLJ1ILv<aV);zaqKOA+HiZqjW#_% zY1VSIccx{fMuH#9ZlK)Sa#!9TwV)8&lip73nGyr*lfVdesKnATX{(~mOzD&uGE49@ z(H6(@<T-O+^zc0gw_J?ap1e%6z5Tm=-o9|wIJo)ob?MS&lkty(x*dtqGqsg^h{@p2 z*i9$Htrw@tj-Vq(wJC<_>%j%Q&C}Yg+O5ipFHLxoc13mjTaz~kl|2+kYm91(WtLf3 zJq6N5R)&V_#^yc)2i}2l^LbW+CNj_59D0X(1FfiP+#_#wuQKJLF#9b712{N18YIkw z;`YO}568+*4#Tb}Z<eBU%$dsC%~fyTUQ0_XACKCWTy9Jc4J0ooPQIB})2SsQonD?? zHdrmr&+}XgJg8uenJVqgbxfHKrxt>fW4XB>9k9JL*%540TI@MxEL*PLa^z{nKe<;< z<WCT3jf~n3&$zr*1h=2Ket$k*^uJtSG+Iygm`<hn(qI~DUrX@)8!_>bp_b@OiEVqe zJ<VyiF?beMV@nrNaW12HqsFvUzox6#>C3Epf#FyYnDN;zwu}6$hj7hY>P2MvUFX`{ zWAex}NoV<Yh*RcA8K|eM*$UT=4t<Y-Ij)S2cFtbXGsDnG-B?}uW%AW5xXVi>3DF^k zp+?R^rg4ME=~;<J#^skEn@Nq`#VGm2@^Qn?=2)o@t|5i1@$IN9jjJY?o@13Eox}yU zQm0F>hf6Pa;h5|sPK&8CmZ+`kudkepc`Jct95mQY(0m#;k9)0fXWZ^C2giew<sjcd zzK=paJU%?$33NJ-PYq(Ha$W1*E(d^0)i{#lIGyh+qaE5B@mXCRM`7c<D3OVX5Ey@p zP<<*7vXoe{&Wlxm@@gENom;0b)>-s*lxiq+i}-S;twJNCzHc_GS^j#8!C;fGYF;}R zhm&RLv|%{;)(*~e%*Au}2KdhtT1xkCA*H|p0Pf%c0C@iN03TC3ZAnLcLn}j8Mr~SZ z18e>NHmv0o)iV5($Sgzc_Nr=SW#+}*Dhi!`<*B{Q@aZo9*_6O6TT-++tk3FFag=<O zp9hzm+6iGOzK??`UoJm{W?rj_Izo38@&#}SFldo%4i1oyYywUKM)bX3N#?!J3{F13 zlA|w+x%Q`!0!1Z+(2erDF}JI=HkR|#4whq%3a;pJ>MXWJmnsI1tHU7a3@taCo0*W; zr9)}2i=4O|SqPNc^(DHpjAsI`rW%er`7=m2nJ0UNktS?j0@Y4H|3GhUPKZi%B4qM% zf)M`Wu1=im^Scm!mirhuxH3m`W-wvnc{$ji>$yR246DSlPa0kM$g%u`O^T}dI{cy) z{=rb)%^#>?aQ8UNA<6hmefC+y4K5ZGP4yPJ?CLbA_s=y(X{0C<T9M8s_4D(eW8_V% z-Hl%l^qSora%EX-cDP&oTRFz;)zen33ZK4QO^M$PN!!~S9&5~7KPI)_^e0AX-=y6+ zIz8KCc^Q^Z-@GlT99NVxf1*fY=NOAzKinE~onJp;d@kRMe0v$msF$dElu#c#`&|3r z_n2=F^ZfPgD0O}Di1V!SF^R_7G0oEh=Bwu0iZi?BgfN8pgxDt?J1ibTct|u{Prr|{ z2QE7~6AbM2-_5QiA~NSmhtc!*G<zkduF<5@;t}K4ga^U&u37U-PnZM`xy1)a#}JW% zJ)X$8tPo}7z10DFmMHU0_11(Xqfbfp_{6#R4*~T&KiKe|Op6OHHzg#?cn`fLYMZH+ z4V^V&zlgfH8}w#|sK$D%j8`qRF{GtnW~HY8(CA;_pCeaIOs}O}#;&$(bsuaf8&x#g z&AW<ZU~4`Zt>v(a5=L|xK-&%Z9Cju1qt$iUcxC6{@F`1rACaQn?crcmD*-1lW9?$A zn>;B9?#HwkB#q%SvUM|lv(1H7N5+mQ4<Qnr;ATt;aX*5AFg#PVSbZ1RSE6h^of8w- zfch^@!MdEjqqHC3jKETf!6MOv7prbtzlQR6lKl9nLhNsCNdNJvnF^QISVI+>RrFia zE^C;}fF9*H%)M$Auq|-3`cvCroZLnW>=Cs%_>NtbkV(<RF}_@A?5s!u7`q~B?EU7F zA8n6!YVr&KREs6V56jtMNMJ=g?I1c!4ENsLCqC$hkeT838H6%PB&hk2RCoSm-{M7y zai{U|>R8BJKA`D>gmRMFlWi}Z4*)G+z+i)SKNz?JekMEYUcsYA^^F+rX#?fgi3fC& z*O4bIac{D$NHF&GAiDnCRm<6l*QSd$lv#?xg~fCrxOS%N4+6|N`9mkWM{VWPo!J~3 zb(dQl;E?a8HALpTl4d=P`87#|))WMi0sM8}2FksA)ft1gHulU@2!Iz+SLf`(2%xD7 zkUqUna0G!ICLMwlzQc!YoNneRG?5z$A#YJ*Iw#2CuT|(hXx9VqV)#I{s)De-m!$YY zU4SvdJ0II^KoH_mM(KMJZQD@~L?+_8Ch34%(au@MJ6da#&pr!yMS5PW+p-1P?rFEP zqrtp*B5I%|^EFqQKY~O=@9Qw|K1;&!eC@WqpV_eRu&1>!x!wo#NZ|Ba<7IpVs!J<G zaQlGK!|V{$xY5CTKtT)rRj&NrYHJ=3bO(q8wVBy8R+BHYc5xlS1)*DOZTY(Llp^?4 z_|<12%>NlE21eZd^@E-@?kjOiXfCZ;BOr|Mx*S}cr=edfs>LPJ>1{d0BFu^iWN2rW zw-sT4uwE=&yg0Im?Xb3&%<+ViQH~!b)S^JJS%no_*vN<o=0Hddsoz|!fw}<vEndz{ zum@aG1TaoJ%@OMr18gm~d1LNVVtBT6TCs)WwmUP_4w?h{;uGEahUx(;Ekl2;&5E@E z)E3uxt#XNMg_7n*yBTp$v#lOduWB?=1B+{Rx%Gt9+9TS`oeB*)+D2Q67iv3$4y!6C zBFLxgXsN@{NN8)MoP+4EseIbgRCkqVW=@)SntAe)#fp5E#GB?{^O2)UQ)3gr+?$JP z>p>(Nd}3)o>WuDwX`LveSd>PN=d`&sP(`ElSfeP(m49*9x>Y*WofrkCP;9-eQtY#? zQ{vlMmX~%`%-0_LZXh@|R@zXcNKRe|4fq-#-F(O``T5dAuB_YFsbtINJhTM)qY_<H zf#yT9gFQ*NJ8`92?!r0E%=k`Ei((Kd=lv)|(}tp}l*prF4JvhnOEp^7$bCq!9{wgF z<~aVEhSA%UqUlN~+h<BD5Tr(9q0!K>J^)@4I&JB(tMq~Gi{|_IOh0u9xj=Qa(~i=X zk`LOBH97IEOGRAxhA^@6vR2iyegII>S-#Tx>yCyzO2-188qr<qipLUpn!u{+$MXTh zMN4&1(@Iqn@&R?np-vj6ZZJ$RnM)q3@Sqtu6H^bx^>i)NfWdmtmM{LD#d)i<-FbDo z2w`e)8#W_dcNp`$=h)$$p%>@yXMCw>uW&3|@K0}xo=91zZ`14fo1f+)4A&^VgtDkK z??=`?V`v||UT6Iyi~pPmY~R$&r~f`}Is0As{&W^MGtj2{dmg9#na7>}>qNd^qn8i= zHhOs@HVZQ`Ss_*J<bCdPa;!@1U{_bySL(&5@PO?U@vDe(FDjZ+(I062Ju?HJ08m6} zd3~7T_jGkO{OQr(fB_{lV*pW_deGitx&R}FXmqxQP#XdOemC#<`h9niZ{E1j@AHm@ z5&jBBG1L3|-hPi!+~3C@|CB$BK0Z~pe#a;%ccUk+#`DL7wcJ^!tpJVNt2awy`Ss_i zD*?c+#pilYzQYd=N%s)NH6eF9AL?sp;9te?ijj-UeVekAA4@Vrr{cl56-ki!_>|O3 za=|)e-|1X^@4X?YaCm)bARq%+TAisLfJKV}Xwa9f_u5^q_QtH&+R(j@l(S?EZ@o56 zt~U1;4veu?xz}93m_G0pI<_s6@z^mUhGc8(oiK%H)na=*U9JzT*EE=>Ey1nT;%LH+ z3`IP;?!5R~Dd)~7Foy0((<48ySG|EYJBlMe$Y|TO@>f!vF(0gX(EAX4V|~~tc>|_K zWRMzX6OdF)hoQ|59D>&INd{At{kHUe4gOQt2hjc|Ncy&g%hr7wrcdn!o$TjN<!kbd z%RlB*+l?ykP&!)$%g9E|l*khmsFBOmblI(yuOd%pR>b?LmTzaa>wUHDhdDkdkto*} zV(KjlEjLi?`hw<ja%m>79U>Q$Dmf2Vd>*lKY_UjKRqM_uS*&+wvexgMyn30{DxGXQ zaCQshZkp0KWvaaKgtM?78hG8bs@!}EdI5!hdd=-5Uf6e?SiZ(lJKYSZPxR`TJuYW{ z7J_fccC)pt-q$v}k2vc~j6zM_51=k9T|V;hIh#@|h4j$eNc+z88Bij;dI4!S{1r?X z;m(mU1fPaLAsRoljeJlB^eGj$65=uz_u~FV&;@D4PB?Mj;K7Ptt>)RAG77#gl8<P_ zPY|7WI5?Lx0tLU6LGYpG84Z8fujW}mauDKyT7JPw^|geu(|ZpGSDX&*DhE9gu3#F4 z-M~{}x(-yT5aZ<@Tl_pnzs1o+Pj8@zyQ0KMgNZ@bQX)#uQKxKu;zMe|USr>FZ(WF7 z$?+L!J;u_Ut>e>uljJI1N#y>(t-Inhx9OpK@S4!Wv!<WNa-)oFyNt}~T5f;;VzBrC zJ>$#0hvK&SHI?Egg;}>dMalWpZ2ZsH<s~J>CG2F?x!s6PdfMdGD^|5mIOblqHK|4+ z+qIO7$~62Cjd5k^j86H)%VfmJu}_h;#bgZ{lJuX&1&Q9jHRH2G9??@UB*attfI;q% zT@+0oj7wxO$WMjQE~g+Yh=>RHC=NaJi64QehIk1?h$dPUxtVehht3~Ls74~^>mh@8 z`CKJBMt=B|3I=@M@(rHmcW7Fs%8yFoz)~eJChEM7xG>An1&XsmhsU3QFq6CZ>H8i~ zf|zY_%Y+X7_AvE@7)Jc2VLHnWnD$Ee-$)@MtF{P%X@hsi)zADnHdzz5Ik1cu8Y&kW z^woP5<`(t8CpxRXN{<YoShPY8I1MMFalima=;-M(h~f&xr4ab+1Ou`SEX-!<<cZPI zarA{sI&>R|EOklnQ<&BWA|wy>BK(+>^nTObQuX=3O#5l+gGH^p-JHQ@cuE;9El*Y( zs?nl~<pH3gk!-CPa4KZ&!guD6JZ$W-qFo@s-<TH&r5A5B=Nrm0KnG|rN2Hk2s0PIY zHjVK{Q$P1D9kRBT5$)?mmsorX(Dl`^9x@VO%&#H?hxV6V0Q`hgH(0Qz1cLCRKore7 znDL^)<b^-F)c09(kQR`F2fqjun3kQQUuZHES@PD>|7#Iv_~2EvzeD&HS|L0}A8U{; zSPZgk_;&C$K~1C$b_}G3@Qzh@mTxyYqsReXxJ(Wv{vof-Byt2lYuejzF5X+*5H#Mp zcfQV0N5m#yIFHYT&o{S*7=NV%cxW85N2~a@fMDpXLfUB7W?nyuTTn@QuMjOEKBFbq znBhzISC|N%oE1{>K;_F)$V*^JPZ64p9jZKRg~1WXoBCeEXLE7AoyK@~@Hh}aeV<q1 zbtJk=d0$cx7*9c1o<_75A#a0fSh?3R@(Emwc-5o5YCAm6*3Pe~gJIEw<c!j&<Sp3q zcjrO175$esPP2==VODuzYQ<GT>N9#MtoL_()DzoTYdG^{MMY+kV-iXB`zkbXY~SY^ zYk!b}c8?>XJDJ%uv|p<BgQ54jxxL_;(`1~lp9Iy!8j%r~mw}wtcO$!1!{lX;$#da- zf|%w0IC1`FknwVF+JHU0G{hT4qyXKgGeX1$VOJK&rT|I$4SyN*#Rs!*Q-tq1ldvHN zm6nAJs<~q*fY`dK0<1w+d1pcaM0$jckI*yq3U;4@bJsQ~i<$lIQ`hY$whoqkHaD2s zv*eZSz&<v2mlFM}$R5itdoyfzd(cBw5|Lxg+QaO)_O)aamv#k^t5+);fqWSjYxDup zs4`Kmj`N#FvG%m)%Whoic1?}*x9nR=yUDOLY_em3)7*epzA~zl)5SCpEMF=>diS)q z0=s2?z<%A0-RbIG0b={^@{K~bNMYEekSl6GqbzPu3k&*6Y+NE8$Io%cuIdDq2UxnB zzY540MxV80k|%70h<Cp-*OAyCf_Nu00z|s%7BI8KPaP|dfh3zAI%vN85vUCWYx>Hi zQxg@K6)I;7KyCmy_~X6SrfG&-ahK4U_lV>7(X?+C<5tUng0$kv3=y&WU2zO7-`P?g zRuUv4C@RlO70H8!XR)-+pL0Gxtx1;OS~>0wOXjJSGkqKhS}*40X+Pf&n@#DQCG>%4 z?Dhmm<t5(tM$!VuwFNZX^nn~4x9b^6#lCmLACO@^7eGY0tMmqW69c#~fe^C=Mnq21 zBcvA5CWHfJlVSr0;0{5CnTDfo7T$6`yXSCzwmiS*fIEge*2QXnknG90=zObv34JPe zW-eTCzQp}Kp~X*#HT#)zN%9?DDgXZjv3{Ft`yYlL|AJUY{{pf8E4=FeMC;A>;sqA? z_6BDn>Ddhc3Pp3k2>b^uRTVQSH~hW@L+HOUk=IO*+REv-mH!6-^=st^e_wf$cD(w@ z&sF~mAx9_xFa<D_Y%*l9s!G#+lgbXdaJMWlrG`Ttq%Rl(FRO`7vpF&}r_Lr&w~rI3 z6RpZBD7d63A-AEVASni+Hzc&}mDp4`WuKrlM6?cvR{ny%cSsetgV_5#ZI;*+9TRv! z;;OV1v|tC+{E%dS13^vY=y=~lxE}`4H8s$9$MBm$0}i1*;ekHVZPmSrm|v!lAwdCv zdwzjXi^NZ_LBH#h{luW6W`Z^}AOHYh@4d1=-zWQL4C-L|8@~PzCJa!Nvi>B5w)U`~ zNpUei?5IY9C=S7gET5)X*<MYsbm;={KDSM4(yWc69<|cBJi}H|q#e%|$VWV0p|?6{ zLP6;ag}mLSco-0t3$K0)92Zvf>*z^~X}YYV5fje$r;|~RtBxy;XDUvHH%~OT7YfLH zWfOWG958HUWFa^Gi(?YjJA>1(b+6~fm*Z4Ad()lC;0BC}<|<{+VaQ|aj{OVVNR<SG z_7PK2@OYAK(^^z{#E8H%B}D%jXNCreN;&IzMB<ZZV$R?eC3^HGE^+=f`*!S`N183n z<x51Ar-19PGzP3i*!)V6hD|c8wx%-#F(exL@q}734&nLW7`<{`+k|;jgE;+sy(}W( z#7g+Lo#c`7ScsJ}EsTqGW=3P9MUYtikj7~WZ!(`9N#^CWD$3hiR8+OKRR9V<%!lQJ zIy#+QETj72NIFyy&GVD5RCXPIWN(zS-$6cAM!tdj(s6l#M~HTiXqF>Vh2tP9$efnZ zB12WES#DjIIxF0BqzGy0qExyIUuwyLW!@ulY%|csavdalqfpssg0I<AQn3mWdSAEt zZNIU5cM3}<Wz<P>vTCo3u5W<(XfK=8DG*{a1)QCmlzmAVAnBFt1?ar!-r9k~nQs~J zkpP!EBLtTO5QpcOW<VFi0cICE{6fn6oLXO_voN*5kXdSAWy4W{Sx<X}o@&JI$Y{03 za>NNELU@c`eR-^47TN0kRJA~}R(;NCx_DOIa*;_Au)+LO0aa__>PiJLL{16+qV6OB z7B3f-wPrFP3Mj=!9nfrUtit<2&Pb{PuNI#Qzn$wvWrFo)Ax|C)N>%For7R#te_1Zd z4QFO^WiE06#%Om+o67e=^C&1@K#b9F3{J1gt-5y}CWem>!tJb~MI@KL%>t=Srqpg1 zq+5s63%Tf9w?M?K`gd#|p)=^M?wns0(4yEN84QL`z{4GOmO1!EgW^c~SvLtjBKE&{ zJ7jSX#`HK3`vIc#cH8h)!1$7$k>mx_)d;=R*;-ED3?)lR)o9WedCaVFn??zJjJ0v4 zuZDvBA(F$I<)Axr`hjQXX|y8lE;jipglX4UMzV|^!{`ck311g?=#>KixBS`Fr9(E8 zYBWn2La*M2yxbmC|Ew&$eGnPlT~+8_NL~?yP<~$%5Lvz~*Zum%oFzKA3a=P!MyQPr zc@}=iM?$usw<HD}A_U~#02CFMm6D!?9((4_8#R_!!<gkqUwu@rD0DsMTs^P{OJmvy zP8pX!Pw{%!(><BW3WK!h>08OJn2RKW(+<7{J@g7UR&CtyJ$<`p2)y*jIUSk1&o}P4 zAc2_jVZm@c1mh?yr19aEZ_iWD!*<mUdkOMl!GnnX{9dr3aMwf{9fnW_DBD=k<T3GI zmFkG20;-TlXn3m5GGESQ4CN<Yjr+a+(Fyn&rwAOWm{i~6d*!?QdETX8@%_IBr+>~& zzvBDf3;%x;<3+=_d5~#&0h5P_haq;&fayp)nJi#=`2m73(2@`coq6>yp_04AB4@LH z7jAzJjz5&!xeNgY0H6f@E8+H^k0t&dZvO+5l!u~JFs2al*-=UH!%z(e2VJXh^gWU& zA%nop`E%74TxPGrDBaYIld@6jVOCD5>kw=+dar~uKWxhmZnG-_C}g+)3jP}Bfo=>Y zp?^Bi8jz94>{A{>z2}<S&Ev7_`E04O^-Fr0^P1E<fX#v5@+Fmj(846|p*={6o5zmr z@0rGVyFA6o%hGzwz2QR-m4sgPW~yYqLr$u_;0Pg&Ke-46wQcB&W8D%5amNN{sHVEp z&EE1EEZ~F^LKf`~v-u!7%=+CRdQY|NQV&Nh*ag-tB1=IWAyKHTVE{jD&n3NB3;9Yc zQ355%&f-Qji|PHk_61nUG{rhg`;FrYmKjk+%6wFsGV&ShV~5t(@c_&tfoJU%B>NN~ z2v6>Z^VHfeamMZ^mP;{J&vM_fq1!W$)zY}A19iV+Jg#7{y%sP9|6sFs4soAvGo8yF zeoZ8GVEp>IFe(Nx&(rO}{u(5KVjVY3Y`~cJYtkchAm#$4CfGD_|5wLKVJpnAK`Oz| zPVAj|g~=<uGKcXi!Z(_|`-i&MLC-y$WGD-{O_Rj_oWeV2Wc=JqnnvL_RLiQgVJ@S_ zz=jM`lp}hymLrXpM!=081J#%~`1Y$EeSuKU8?cX~^{AP<e2lOV((CAIP~Y#KJ4ST4 zj#`1W8LW3qm~~J-v1b|)L{U9=+tf9e*JjxiJNTBEBkUO#)Cp^Vz16RiO9v=&W}q4p z6Rji0P?8|Y9xhjP`VFJV_|hV9`avm--_3iiRvzG&q!p-^;$;)#)7}&vR|Hu>V4Rl4 zESb68xP##4nP(?nq)yTXSA!@_SMcSqKudZf08ff*)4c#5TT6f+P+u3t)}_0@94Wa! zNKZ4#_N+8nSD>3T_kULRPqh@6l46-tYYIrZC4C6RUzoAbbuBdYMNLkPc-r#;$>s{B zfC&C7b@SG{qOz=_z)a^@d7e$XX^UYT$Lgy<RSPY+gzM-E^_b*vI9)3<!SD?566z&D z;=IIJCe7e&5Ug0F*E$UPj3fyvGs6f`h@Xx{mKF43PShiGg4ONXLRoqpf3<-ag)}(T zF|<KCc3Gt|kdG`B<(DtveK^L3mKltX;B|M7<M@VS-TTH30=}`)Rf(!B<DhlaW@qMN z__CXTLW(Tx5V6YYRM|fW#lxCy3yG|%WZ80};jR`G5aNlD*<Su0$4+8wC)Cah=U;!v zEb=n~2yw_!$G-=$HK6}{1hBFGjqmI~M1X&4Xd*^yYs97`X<=%`tH!E<?9kED(w0cv za_et?DVTECKh_=@8Ln;CDcOcWGl4_{2b!1>X##*EKq7!(s6~QPRaHr@0{UoF<{g8C zUQ@-Zssadw)-?l|QdY*>I}C)!O9+&m3grt8ZJ`3_)XCt701SQ+9TF0Q&^n)z4Eqk- z0T~vJD>hL7fZC~=>~2KfjiK-^|9A9h^XruMKcLTF#yE+O%Sy+Rk59#jReMM9DM_(v z-S2(ff<N?iA#5Jvi3|7g)slNZ(c=05W5j89EvTO*aDx7B{XbvkKwL=lUtj+p!})LP z|8Fnze_KDr_q|IpDd{nZdfE^c9bO=CM&eHI>P}2<4xHbu|7TVuexk;2dAB{{UvkEO zM*n|z#{XvjzjxRF2WKP)(x9Ea0E7MtAbbQIdqM(RMN3ad&roYmPe%vr10SuYXEXq& znj8%P1;v1<1AeHdXRrgp5gQj12MQsJ35x(YT;&Uan}h<0i;sD70xkIs^F+REijuO1 zmtr9rpvJFxVR3O`F(rl10u~G+1eCtI%C`Ed%I*g(eJy>C_petDZ9WVU0{A<V{e0yy z4;&Xp@613-?<QmT(?=5T)Gzj?|Lrn?rR<1!4==KmfV#dqN-=H)B`Ikz9#T(og`g=E zw^=}w4JyBpT3$*DZJhs^W~<$ybJHF0O7jFw(W}2n8gbtgEVTVOoAI~@rpNv9Y}jBQ za@xc<E??6x;;oVxnHdoSd|K!hJnkLOGwY3+BFV8@Y<D~{U!Rw)g^c)3IjqX{XRXMc zrB90J_P*&Wg4y^$&TgJrR$KFb!Z3#%BfxM4F|Gmfb_1^>Rq55#z)ilhF}=6^W=8J4 zJClUpPcaY-s!P&!U1r-sPdr$+Sd$gb3@A0Lcw?rw>hzd|ASUwhlADyoX2e#Y-!Pjh zQVl6bz?TTXaclxcDk$}{wq}*jfYK(}kc7S>7N}E;V9(sl1XRBPYQXjeb`12P%usy} zW*?zKj--&06y&gC+*Ar#Mgqa!_+i*68TYbRm!K8H7+m=#JFS_^f=F&3t1W*5t-l0` z)bUb7Me11Kb<5K=RsOyN*elLIu;tGdNC|N$?GG>jfM?9Vge~>|-@KFRCd;4E=3?R( zY^fd34qX?`RvalqVldZp>&KP?CMKYK3a}iYWvZps5Y&eWo6D0ve!GQ7gIZoHtbn8P zI9L!E!FJN6RneX+42Nl$loMCg;>UU1paTogtg&|pF<i7m4#xA%)9xI9d)t3|vww<Y zyu@8zcBIVmK@4Z89BNi&qk+t8>qk0RYV@!TxUKYGe>xrU3i5(=MkEkznU9w48xTxJ znXwh~MvW5C^eK@|?rcmFL;*+uAiqb~4i^iFamn4PAxFxKNT@d=Vgvl_ai`Vt*z4MP zJyx2fd)|<?Mnr5NH#I}2I&_hGra$YQOCTaGHRL3){&MpIYEe{~iZ|bz4e%0J>$9uW zJCUr)wC4LQ2B)_H(Ozmxd~|BsH==pH!R&6AZ+#wVAt|y)m5qU+n3okYA>GWVb@EWC z%YiM?sA>*2EF)S;Dt^4Ak|GxjWfkNs4&&%5I|OV;0D$+cq`#CQ-5W?o;1H9>FgyA) zUZue}UT#S)W$|G;Wk_n7g&=bX*Vle&X?z)XZy>nI2>>kbHVMFq=uldO{-(m=-J(_% zYKTD;LU4@O7!bsn^B&l46v_qIL3M{_Ol4}3^>21uq$-5-JOt7gh~N7PbAb$ydi*90 z$hpzNsulb=B@MwA6@86^f)Euf<QIZZC?c6}bbv`0gaJqs<!l$Vsi%v;m%s)GMEkRb zF7;p?H<x+<gRb={PX#6)0S+9+nwOvab{pJXg&P1b8*l(H?utA=ktJQO6GxavR6_cB zqn`TRjdye#-=YtN52sAKGsE3nP@pk{IDGP#TuMGH-7{3B;sRPe?yAvGL2DRNe>{y3 zW8!6{c@7jNQjycwf{Ap(kYd-1gKQ$>0L^g!PRzb^Ud5v`g<cssKC_W#YQ4H`HB%5J zaCoaTp(4$N0d1j2P9~yWCuW!?Ii@(wbpO#hCa=9`ESSKqvFjA<rYO>t{-8Q9!?fIJ zv@yhE>e!_4`&TIDlvIxzS-<n59$($X#*g7bm66nQ8|v*a*#1l_;jCaXg(7};8CMfy z8x2yD`Ap|!4P`T0)k8Cqy9pTX%f#$Q&I{J`hmMtzTF%?mZny1DBA0p8ZSzjbC-r&9 z=e1zeOAwjeU;1FA(5j?@pv_JC&W>oFcvdZgKw%w1F-gqyr}dr8&n3BCaz5~5qcC8| zeZo_S8ieUmD!~D`MC5}xn3RJdE;NR<pCQ`vj_6B>8jLWQsp~|_;~V~hT|XuA5P`Z5 z#B%Nm<3kG@oa@-1nJ+VFJc+?3vck?rQ=14!<F3WLAU(L3BWS~cy*ad@tH$IK4Ou|| zoNm889@SlWji=X?rgLq7+{9QeqDe;=OpP;qzHBPi5WX3<!Uc$;X=`bOPV#NAPWt&X zwZ`tu^L5=jjVQ!eV}UUW-2g=ZqqryROg{RzEN(ayPVu70g~F*^-Z&y1-m@CTvTmhW zyHP2NF<SA?bY=Rgn5uL9@-HSLKP+o#p*#pxmUB#^VBBClxWMOSq<HU?X1~BZj@YQw zYSE2QxJz4-mmbn7((h+SfBzOtniFH2`5mmmAze7@M=F?oZR%3E)0V3wD!WSJr_Ja& z`NG6!;Q=z2!{|A+O6JsgFcB@w<*8K(bCZJi|EZn!duu;b<|v)jRWBS;2u?89Gh3=I zDb*JbLQ`r)qvUu<6c$quQ2c1>d5fevwZr8Jn*aeaXq!{5EMCx)bS@$b5KwdWP>-Pz zl|_GNlXI9ltvY<kn-PFcV;_mBzaeY?Sf|xv=Hzxo;?CGGuN8=)$y2nf#PjTSp<lM7 zu=~BIN%p0uL$lLndlhtE=5cS}x+GcYZJiH`n?1Ce4B)B`XY}|Sc;q8!7k{Q)9Bj_i ziQ-pBAr0{lb0p1Z<g2r4^c@bWbzi^qezjFp(?G5iOBa#|EtE{<&7T#rJv8mkCF&!K zBbGaKP-t5>nvBi8(Ihq$IN2tC=~@$+nx*mV3v^EPi02F$XOg9Lbq!Z8*QQD6OooVk z4$2KYVEq&Y1Jk!{8@M>#sRr%Fvr;WFqX9v4?ge%VWe}VOrAvTE{T1hgKMCBoSH>O> zDkS?+kJW&Wi7;T?N|e~ZNAbGA%&(7I6%xjO)Dc`vD20?`uopaK#~^-Jk1W!VpvU59 zR7($A0D<yiz<!rrj5=^UXYwB1074g1sHcgvSM0%}AtQOhW_iRuNiH9d8DUu%d3j6- z!ge;QpwDKuhs-L^zXKDNp^p~TxY>l0KHi{;<0Ce-ZTQ)zZ)~D{>?2zsWHv2mfgc1t zd`s58*yAdyols22>;xu5aD-c+X5m06Ee}OUdQyr+m<zAnShZT<XtS)b-`8ZUU#*|B z{PBRHv4}3M;~g+@LH#8vMZN!pN>NIphZla;GOvGb?opMK6dQyq;RC*FtS^MGFZe|Z z<zfg}oW)8;`R&PKTxVbFJu2q`4g8zGiKGRe-1P?kZ8WCS-B=n61I?l<L|U9%zaQG% zG6$f)9?NY$v44Exenlqco$2A_#h&4nXEC308i8aFdYEC0ls3<2(@g+HCwp~Q5l+Tz z=dYox4bLaLdk3FRalV^wKXrpzDjdzJ<oX7eVhhM3)FTEql|hMv(^D^Z)70{^5{ZLN zT)j|$%j?7Acty3{PFDlkWYAH07y$9}P6$wop$va~5qUI?$(O^1E^K;1hA76HFD$<s z(53N-L3Dg{8^@V`qUc#SxaaZ{?^hxau@QTCJC+^$fmHG3tB55?@)*(&Y2IXbHNJFd zfux`W{?bfm2oZl$K20Kn!9XF_2$`i|*htmTojuF1k}KV*<!G~fr5Ktt4lY=d`<`tR z$i}%FDz=gtFQhE@qm>xU#15~^vgHZ~84^UqAE>75NKj6^HhEM{hEd{zXU0IcSq+_6 z>Pe82sq4`6n`r<`w7`umhGIlw_UVc=>C{d5jy#Z*?qB&#mST6Db{`+MgThv*C{tPf zfyI8p>tgrV7R&dFB=cSVe4p<fUK{-n{OV_aJI6UnOi7KC|5XNV{-jrbF9pl~xfG=M zZe+rmJ>1*XWd}w&1S<bdtqvxe+AUNA*l)1mGxbq+Y4p^QQ9~X;oP)n;9tpj%3Tq<y z8Ho7JAZo_xca_7>Vym5aOT6=aTXTPDYws;gbA#VXhySI*`X}o6Uv=)kX=D1y0h5TP z`)H;JnLir%pnM25CWhi<w9o+!rK@$Qk=)xj*iAVHQ|wbYq`OjKIp$<8-Q{#6WPMa= ziNninz1d#eqkGi)LNb%b9A%3o68Gb4bGR&7rh7JW*eH7p2gVgzYeyy0VJA!id*@>C zDfo8MHn?Caqjdu<ABfDl>jmGAcmED5wCoShF~8kk#`^GX8UO$zt3vr-fBfyAKTE*s zY-j3VNNr)QZ~m*&;w?(h`6++667|o1x0!MfCH$^W?p^+(-+lRSb=|M_!`{E~yA=8E ze|a;P7Vn=&t3tzXSb-P(YM!9z4#qauVEoRZe*RWOcCVfX-Xm+~du07<YyKNW?SE)F zj45@>Y}2ASP66cPb9vU=08`@HD$D}nCCd`|`}c}rNtY#tbn*)7fj>dXel{W&euez# z^a>89qJr=SvNiR!+<|1mkyYX%8oFWK&GWTm|FqCX*NNwXw@cWZ#XI^OQrnC_xc&C! zan@E_xia&7y%Ag4YG?~&)<!%)(zrb8wJM1tyC#BTibF>i$W^%{Sa<rnrxk3+;-g)L zv^!5zm0IHNXVWs@;9_ba*%(9rz<9FZ1KB)eoitsWLv&IsQ8{`)?OZ@-i!kV%BrtV$ zd41eSZV|0FvqktO;o?MYd00H$1G@R(=elr%TuwBZV-o-wQIr&J(_8M&7COm=M22L0 zVa~Op4{wG&5Jd5&vxD#&@{ezKvO_=g3sk<6NWn8+0)H9kii1z}5q&xh57^~z%~XaE z@Fx}4#4{KbgkYQY`qHz^Y8X5;HX=%t8=<6tnV?%t-17P0*pc@1$vPlWCCZnek5=l| zk8`88EtPpPM<Pp}NhaHk8YPRYPU<RC@y8X-OKm`+hO}O00b3#T{%Aw%tpW5^0JA>% zcOu?dOa0Y&EVeLC)a=_Yc@u#%V0a}}ces?vH9MOFW1kMAM*2rqt^eWZKckR1*W%OJ zyVJ0|pF;efTW*&B^~^jWw%vT07cIz<WI#UPM6}<O3~LE*f}en(Ig)z?js=~)Ubd>+ zf!_E5;@cy{6j^jR;Rarv0jVmz0pvZ;0Y++Pj(|iqx|H#GetYfGrUt2^uUpKS%h|wc zdj`#B`I1xe{kB%9EnK18?FS@62>yrH)4SSO&UaF@$BUpl7fl7NJ?_ZrWsGDjv(<;I z2lgRR_;Z67MqE}+N<POQa4%G{5+B-tLhbHI_!gVmcjItF7=Te6d2NCTB&S~L^|*Uf zg-O6XgXPlC*(tT%Cr>9aA%izQOtoQn&mTd0D6a%A(uPg$iru8fV0afM#Q8d6FdL%g z4b&zm^dA9?laCm<g{0G65_?Y{#kdplV1f%E=iTmAv3*NCMVA^_WmKawH^Du54BTBB zyu@A<7(su5drFommsUN3fgo8zmgIBp)BBWoYcm{q1PN!31V(|#IT1ChuT(c$w!=7f zKo)ff4qX~%qjh{IRQJgg{np;K@@bWDba9n)J76gtvPOZs68K3z-OqXho7OQF9vSwX zfi9pM0)g|$CY4ZYDce)4z)Z<M4#ugY1}7Ic*Ml(M1#|i_U1mw;gjaqupxfr9^0TU@ zSuE8W3w3hmhmDk;XT;;uzN#_%arABft;3H(<X)~nHlNPD_@6TF_E7)fW<O(-@He?# zu=f_3#9wl=KXgX_=4SsPOeIWxH=ou)1OL%xJw<#d-Uurv*bw%OoSLavGp--Uk>iUz zyxI@6HDVe9Mi+&v4)h)3FBD%cnRUH*;ab@$wTQPOzr|xYVNUVr;-<1V>NvrVZhDB_ zyRYvLJ$1BOch~Qh<JyV%p=|?33OqtHygQo9>0=s$7+dSj<I_{tY9-6MQYJAq@q!tL zD~-fz(-#kHxxF~cNBmp#$Sa~6)_aj>lp=9NPQci@+b}%#8WvzohLRk2JNFttpmhOg z4wDlOg7m3ndy(oi110%SNY<DS{-&8x4UpDd`3;jZX)Qx;NLkn5s&Mr1-H@ZMs$f6r z+`nQM6NRNcn4lOw#E%dGI2%$km@{*vj15>#4!5q%0j3Wn<$H*YH?@7(P+X)rPdX2O z#={?6Lu=r)aA<iSWyD<Pw2Wp3p<ZF6f@R=v?id(&_!8BwT~;FLqJ;8I%n-~7muy#^ z;Cv(b5y3^aHvw`01zq|h?5uziqXT&g6_>k;0Tf#+{<kZ$)KC*lYRz<Eo)3tL<xfRu zMVVLLQ~uLSsQ2g%-de^80^QpC$2XxdYHQ9?{%#cR+9)i%p2@3JY|;=z?=!nQY6hA$ z0tQOc=VL~evtfGxVd=uAg+j^R^ao&Q@rS<DCTnx;JqQ87VQ|u1a3sR13(d1`NGJ2W zJSeKYEqr;}{?4+wTL|au^*e&@pDjJ$UUjPG_b3PUjwt>te9)%*d2#%I;ctI0I@W#_ z9d9MzT#&BhD1z67pa}0Hm8Xtt3`m%g4Ytn&sj#`+E>+v0xP8Gre5aD&HIdX6k-5+Y zv15Bq+!?OM#v5B-4!%pB4#4_XO)lJYp}OTzFyVczs<BzEKRLUcoj$#q>$&9AERCRr zDWr_=m(*TU);)w*+-fGs_;{y3(JBv$d2DrAt8hKmANAyL(y|6>DQl*z^0m#o6jneM zaEuVTdJ&!Ubf_vB#xus{8@VjKx7JB3rg((b!Yj7ROQ9vOjzDL40&q{@8#gN+%Fg50 z*ITwDL0b9j&+A4nbU(Bu-l)3Qi^+(ZfAP0_lIEtP;a7ag7U5AfD-N@V#=p%u3wY;m zx9yBSW}nV{=WoZKG2{=dK|?j)LSo4c(MK1mneH!Uwa_CfMceJ(40dFiKdqmTT>4U> zkPg$<uw|lHkr1kx3y*{&e7tU8da*2fgLIJoUS!xyO@|YpV7d=^k<XJQZHc12Act=| ze9mJ{jO55ZVzgymCcWeYsV6aOCT?GvCl0V?=SV^!QZhRGf|>$=1ApBnHA+CLdX1w^ z>Rigw?yNG^y3*za`j0sE(@}<wuw0<t9mU{X{(L*%%;4|s{Qq|0?c{H;?_+vuW?HK9 zR!UOh_kY2Bp&+8+z@aH<F>E@3)CJFau<N}Bpl><>5NBn*HG=ImGi~wD_}ByS&%TIn zzB8OOsMgp;f^xP-p4f3Y=sf;eP)K@AjML1_+arJ+kklqQ#yQ5lnc8JZD)H&vpLKOV zS{va5&8aG;D#xazg}#5H%-UH;%9g-HRanRB2UP?^ZJupx(hoT$s}Y;5-eqoLWT2yG zpr>PGU|`fcieR0bkeihLc@)+N+4viXJo;{qt^u}2tag0r)^8<LqIP_mN^VkGR_yTZ z4hAM74(7(u(Knl)_aMMX57?b5p?`;6ci-*)5qYp;^4;cHf2k|*o*&*PUH%QdYQBH& z@KgSP@5erK$!zn&YjW)AAtK_sqfV@diJ%BU<m9mn@r#P$%4Hw4%x+=%1+<$x4L}wj zO8W+0dV+Jk`2cwWw(!`tFgPKGAO$0r?NFWQIj^U=FkGFS!)?mz|HQAK|AAj$9Cwd~ zY_mEvxYu46JKmm0mQ<(}VD=RU9hM(CRBo5>ica<-uh}UjdC$dB=qw%=N5&>Q>(@97 zk=Eg;%MuNnnJ`Lm^-5$A6b;aG@K8eO+2=?>7mUy}mO%4?$;6F*NHA_hTE-w;AN?54 znL!JVn~z~xXJ-bgP$<cdiWh)@aQ#MP3R7d~rE_okX-LrJ2U#Ch0k0@b3b#2oPvj$A zyyXb`8Jm6qi<STR5UntjVYQh71T~q5J5~w0=O}X6^;byWK2E@M<S&T)4Dg3-j;bnT zbw@5iw1UBUGfMo#lF88wSNxyW`pE<&t=5Fe5iHA6wu&Ovm?m%dljge}&I+Nhw)m0L zNdt>(o$dU-Kb!UU`d4&_&vN>C%8+xbo22Y<6>n^G-hT>!ZI12bbhMX7A5Xz@J{>~a zgQDtJJd^M)S?>o`u-l=mA>lo}=;Mcy$4M>vwh#9$mQ3ty&e{{svuW@q>c>9M&mZn@ z1)}613Pi#`p2P96snR-#in7R=%jk-mnNV3$NxO&{)BGyX;NMHZxPNt*e>`344^OA~ zAD^ym@1W~o_?r@h|EvW0y~2b5_^Cv3U<82n{UQ*{``HuIpHuQn6%`$|y~D3P{Z#i; z{_qp<P&AiCQbvwcGrs`DU(!>G#zzkAg%Q$=&w<1xMwV0e&q0|dY8Lx^i*Sp81Rt^F zE$EMdpiYTP;82n+RJ@^R7>$pDKnWobwt$YKc#KQVPb5aBDdrx|vy!s9c$Klwb?3ex zXLZs(#OO!sJ+LkH<(B#`i+#~-Ynpdlo-_{*S&gCIJ6A5YDL#w<14g_^2Ye!01UPUL z;1M)7Oox=;FR6<=)F3OR3nZ+k4kHKoIyWG&vR^?s8iUt>D@vEk7x6>(HUWt5p=o@> z+gHF)I2(|@dvRoa0478>YB4%HsO%k$k_1Yhf|{<&m$Y_tdQf;$l7XsVSR*oM>;diX zrZQVUCUK!j;IBpF*ONZ=i2=TrJ~Nw4>C*!}6TC2!HdQV};cQqJyX!-LnDCwgO8zQ~ zGMpkviwq^cw)5?P33o2$Qz8LIV18F4EO;WGZuT^;KTv@;m_ReEzkm-=ttM3=z&9Js zAQTN}eGoi8SsQp{#OrEV<hB8;96~Zo-CjKKQ+#K#A#Y!?-7piqgRW!pr}7X`x6=<W z0kPkS3HSl{q953V&E!C3yFh&X4wM525W<1PE8xt~h?)dU5hU@mOEEE?zWhLdCfMEX zyOQINtp3mygdR`fZJv!N>mBVU)2x73mA<0~FWIn~VJO$<8bXSo_f>wgC7wz2+Q<<X z8?7{{`115)BwyVf7-?>zt&#wK4AltT==I=%qP>A4^m*(3@eGy8<3abtQErtFo|1{* z@#glW1LyllVK`txhC-IaxmK(-1<y3C9kxpIhluhkIMY&3`_)Ji8LFo?S9^^_h3(ek z%(H_p@v-}c6=yg#TxcFPYc;l}3pJcH^F;&JSg3+n2QNPq@3sp}$|d$tr`Dx>(Xn$Y zuqP{|xI^?vA*-3!Ea>_N3>YgcQxYc?T3SX+&$-`B?3<o)AE^5_@lax*INt$H?%FGH z-c^}j>+5st!7GvTG$lG~hdlk{gK|Dz!@+3Peu9M9O?#jP&&*vWjmvQHTzhn#Vhat= zFi&onbn=_i#YuG&O6&J=N4811JcS^b0;}>?BXX>RCkuGysNMCJL;Ww0Ndvo~2J2-o zzzoE0XqH>o*=u!|Rsv5yU_E{yZ-2X-&9sX1ce_j&-!J|wr>?DfcThm~LE(lnilYFE zWB-*TZQAwR7eOZOyVXMuC0}VvM;2d4#kJ$1c?YZU1qXK!dw%{Q4x6R<AQdG$?Y)7z zn}E!|%-gGbsgA<=Q$2R9U|+;EiFM;OX%bf4C|iA_K+IBR28qM4Sb&st(C3FaOgD!L z|729p(*>j=h{G7n=3@-Xomt6)%J^01*0v5?(NIg7P6oWm5ye#X&vfozwv-%|?e-%l z5^H4JXvZx1((W`>)rTS~h;8d02dq^_dd5X^s<DTZfvn~ek|eE}M@!A6zAeup>?;Bj z;td%}q~(#f^)pT}^;a!XR1Z$g6>L#G_WOET8rizf1(;^~nMypD9zDL9B)!z$cWZ8L zhplnE2%%fz?4VkwtGYQ^j>mfVl5xM}JSl9cNuz2w(gg>GdE&M7^^NZ_FeR0f&9f7` z!1PJDSAZEJ;Z>7(Kyjjm+e&<~ut5AC`#v0aZk6W1pnlPg^>z~?KZp%`^IFs|fB;wW z7?SNdmbY#eAfilp(=3HLMk;t(*y5wGNYPvkZ8~}Nf*omW?T$)!jGUO7rLdX|1Hj$5 zp)972Ir@ATGJlabQyh^zgdNnTW$oh8%kBC$TjnGGYRGRRB>sJdA^so3GwuJFW8D6b zW2pY;=l?#-nEk)9%uh8%bi>3&?>VR8UHJd38aqP=Ln{YUYbz=XLtT4Adn)?BrySFF z-RA$Aa(?zX$JI36zl|7v@1{e1`<$v#*4Y9TN^g%8M!qc}A7%$vpOF6%#dvQY%X~~s zic*^D^`exHfv6dmsh+fhl!*<8RK55-Ce!F}e^UWnG1=r0TQ(*E)A~q5i#w0Bp74FH z4Fe5V2Wx#5BNGi96L%#e3t7ErKyiK^Ap;AFiL;dtd7e~sm4%gzxvi(EoLvdrpb2R5 zWT)3FcQ)MvC@^vpPwNoK@6hN^Fo8=SPviV<ACGro`Lj0qEf>@N-7r7##ZUP|F8;TM zS^DssVG=kPuH@w@wj?AN6!@{I2w=oHIY)tOUy#~s=pF1GU&y(p-4N~VF5{3S=&!D} z7!*92fKUqdjlO&qObiT)XERQ5V=DxY?;k*Ae|`1%4Rt4b2D||MuB(n>{m)%>n*Vv9 z4tBa$_7>KE!%v~b{}Dg^25o*S>W)LaBz-rg%DZs<c}0KMNUd-F+oialO8x#7wEZ$_ zdb;Mjt96Y60PaCUbUow1@b+O%?!5gvh$$GN&wB>@-P``TxDnp@0ES<08UTR%uP=^@ zf!g8SD!%~Oe_NlNe0;KUdR*4{|Hs-}hQ--sY1>F}cL)|-g1ftWaCZuKclV%$y99R+ z?(XjH32wppNIyL@&-B|p)6-x7sDp!FweMAX$-S?0t^K}8_&&o|&esy%mWN<LNij(i z9|MRMA3i?veR$-q`(r^Z(*NNHqxq+oYHnj};`T=*`n|B<pTF6S|Me2=^uGPAvlhgr z-VKuY_g;ekK`qTd|HrrJF}l3-PbPn{g4X-C|NZ%!FZ+x3@mI~wVk;wCD^@Qpc_&Rx zF(FlR>~CL$XV}#sbzj}W9N+@oz}pjQ(IKIy0u?gSHEwE^aso1ta^qh=b<04fkAhGi zfw2#NFjJJIQ$|yR2?BswNJ$R|+qoeMvyMZge!$q1^@F_&R2FKu><C@K2S+XUv+HZm zrN&n{kr|c`8F3Zfe^FRZ&;Uv7gh||tBu8=%?_+@;uK=%SL8319f)=VX&Vj&D))j`M zp7i?dQpFJP<jgZ0e+B}78}E7g2HfD?c$x2?|K|kZe>I-{e+riWgz*gicfrz|+32@m z`5{38!jSG0WQ|}Kh!itNID<Y&%D2?jVb|}ZO3pZCe-V|?bRFcXQ2yi_zn^9p`vigK z{YeD=<)`^W2K%3$=AV?oX4siSesh@bqZMSVIdK1Gq1_Dw!Vm9@G<$De`<KlA*VBXl zX`y?69NYl5ejjrDKDN;td-vhLnF8@{@h#)%Ng0Fp1Cx6s2$@>Y5>b6w(1(7qRQKb4 zn+MV6a54{b{RnWw%3v5ell}s8^Hhwlknks${UyPd?hjw#;lJAT?(4T`Ujchj9i^0N z(rx^d@W<T5#1J>`1M<e!`tnBZ<LC0U$<x%quS9<*HEL#t8~p)h2D`rGKXPf!)PQPI z{78T@8@U)}$})|}0BnuiCv?xC%%Mzmg;-!}hB_EL#GT-&Vp3b*nsT(@smNWQu>uFC zBcg>G!MkJ~01AtGy_EDv!uTVO|K1K&vRnwG?^gcTB7^I{IWi#qH8KEyM}}wP-;rU) zhw_RnwOQfvBXqxVcV2RmBIv%CzZ6%FIkg`&bGpF3^!63xC+X3g5T>f2srO?T;p?1$ zld{|Z92$>hDk@~e7=}4gUlySLm81feN`4C|7WJen7PT#`1K%9EAW?DdwE&xm5Cppb zgpNP}Ln1@WU0{8(z>?6of?hf2?}9=ZwD(*73iF@(e16+)L@<#D>|Opqc`qmb`4saX z5!L?hP4@T)8?{2E-DZ^mxg(#9F)#O701}l%cq>nU82}vt7>Q>TZi>c%Ct*Nd@&ob- z9?E$G!PcMPHR7S519$`*!P@gB(&8mVqAT*x&bSFg2}CzC`PWX6=sRO5>V}hNtFBjD zk53-&Rt-JaHMGYDLHx2q__Ki(hcWyFZ_nJVzAxqFzvhR@th9c((~6v*(9^(F1yin7 ziHJ@$C3w(^#J!Syiy_7Nl#`W@)OxqdCzx7dQ5>sq5XORxIEMXA{DwuGmSGytpo_+U zLf1mm;N(I8)_gk!QxsQ3lXgJ?4KLV4Qvyoj3tn~=M+04$*tFRRrqiX{s_D8<mhe6& zC6W8F?0lfJ0oUzuwG7;LS79qUv|y2Bj)WC7iq_Cde-8<qW3I?<5{flX9;nc;W6{!# z_mV1gXpoIUw{Ndnh9;H>dZwKWoPl6%Am#F+wdmYT<Dk=IHc(_SIhp)LPf^?%Z#LX5 zG0eNwgm#Ic546<*vWy8w!&u(wyX#LR^#{10cbyGjnVZ7pwx!}LlvE;QfE4jVOgWAD znz|=|_OoQ7Ls8VEI5eA#!8`}u=aph=E|N-8ZSmWUABIwX@v*ciL0025=3hM14k1r_ zP`L4Cx^hQZ$&(8-FycGRSfc8wNYqyrtBz`0c;gfIx3P`M{SoYfdpa45ItM#-yLjZ6 z&yoH-_|E=)=jD@&<!HX=aiaI#$Mk=!81xv~{^LAb^*xRM{`^fUH~9lkw+{4PT7XqW zQF9@B$J0v;(%$iO*gx>}kTGQ=Ze|03VvFnPNYw>+U&ZE@Sd&cz|CS<)?4aUt@aR6z znZX%e+wJ0K)3_L_M*qkvn8K?R7Y*vl)2OFuA)k8ZU#~aoZZD76j_&iC9+-XYcS<uU zLruAQr{CwxW@zyQy#1P?vFBxCjf6tiI)@Rhw?Hjf<J?6|1TL~^jRMxaV=-uU_$H9Y zs_cn$(@R5a0`f)*!Y*fs40BI{QnFayhl+tc5UQS06v;|zHQj2Gh1>LQyNk>X3#~Fo z!mI~$7;7^}^<T~g1(9kq3657=K$@v1eW9;%BfpqS#>vXf2OaKD*eD?7&LU0`V99XS ztWiS!Mw&WCpqOrPr@%lMeV`bi(0oYR_w3FtX-lo`x;x8Y0r5RXB+?$NKn}Ynm}Id1 zW({u8yinJLfKRD3i!gJI{=ZjbMXZ$IlmBwub^bTUUDN+ok!k;>BBPP9b4QEy@?lb5 z11X(A673*GE6pxI6sofp1k(G3IpPZ5Cf6Pn><hBm(}!A2fWQ_CKtSB*QXkeFnG_id zK`aXWj;K@$-7yM+zRKK=xmN**$Z5k6#$FIXBx_*vdw!V63bH-opICn4#mXwMOOgw) z-UiB0`@?pGmbU$+!?GAG<d;@C{hvnx{PuufwfQk>?;e2kE-n1uV=vp^i@pEA8~#$* z{{5boz4+|kwL<ZK$H~0Chai;jZMS;6h9s~r1&K&VkeIo;Lm_6gGC|Opn64Oe(ZD2- zli%EOV&mc>Q8Kr>!C*>y@e}kzNiO{nMcASVD`6!O=;0DTXF(0^8H7N=h0p^SGD9*2 zYN2{L;*qgn+!Q_$sDJGyLA2CH%?$%UqM37B^u>+l%WuIeWGDorbPERO<iLLbMcpw4 zt!wsgMo$dy6D}gEodScCGeFnBA1Nma>H_T^4H)sOi<3;@D0L~172-b1P=U%PzUiA7 z?i+%Z+z#sj&Hkjy>BZyZ%_41Uc4v4sEqZZTP0F@|oL3N_n7>=LMg*;zN}}=uxi8oP zf?w)mXftX_iV&UBcWj(g1)(rXsOh{0P*EQEBZ3|rsB*Utf1T_QamfDhZ|iG;G`hWi z-4&ev&92}Hsf*cuk|6V!+Jlb9!<?#FK@KG$Ym^X)ajA!NL!gSZ4up7Y2q|$BX+{|o zg9i%3Nnko5J{ukduoF1)l#2t~kU#|~1g9M^itBfiTp-XFoJ*I82(F<C=Ijj@bf5=y zg*HdZO;RlTVn*J*ha_Z%2~bYn6S8*T0(1U?JETyYQ-(FC;G1*nt^m|F6_Op{_@fK~ zUj#<V{;5d*?F!l04~i$aARt@sCH?<TSNM-^<A2}^?VfNcTJz3los-ko5?oqUsc|f6 zIO9*-(`Hsky>1MUF$m6IYoe^-8Rv}Lop?yJNT@upx%WfZ?5W7sLLfVMG-uYNAIx%L zBt6i2pkQLzU=G;)KghVvVF^ijDb0XMg5WZY={(^{k|1353G-K;#5w759X?xD_`X=4 zdegaa&F^JOm=q$O44JPW(z2)PWoJ->RNp|pJ;4A^MHY*)9u`{5vfOq>O_c1Vq%Dm| zfW4#9RgXWaw9Yvn3YvV^9~;nIUv9ZSzg`}5A1*$74xZ>tj?;HMKkIpW{PKMAwDq!C zjtZsw{ubw(5@}jjvZve@JN7MqS^G+#sX*2e2o>+Sd+g>kbdR@L)DPF6!G<$Af!ME9 zQb3q6yAxi3pD1xq#01r_HZ!Tl>A;pMH!+|DBz(q7@>!m3c5?w7FIwR>-pm#-%{~-l z%ko<sQ;bqHAnE(O6xZ=DFQ2DQ4iwebu~*i#zFu?ER_!BNgqy|j<$E3rT>~F_9|G7~ z^?^wdhj7Cs5SCGd<-S3FjmVRe35|$u?$@08yJ&}*+-x3aN6p|h+Xn-7pMTo6El{rp z(v=OiO|-3T7)KA^xzr`<`JAgb%Fz<OsDBy7kDf-7#aB<CaR~OZilA%DVHIA9pHjRr z&yqRV^;9w#Vx(P%A5HQeb|Qv84lu7k_DiKo=@p;3fjg$M_Oy3l%i`vNCTncJP)eyv zr^T#qpyFCGT!Gp^q*9g918JRu?ZAvyXS)<lDFBRVEC7JXW}!t5GEUS$x<25s#`{1( zYVh-%_RirW;Wz^QHek}LB+c?A<u1xnze;`ga5ms;RZuAJq#OUqRi>d@@^MVplRo=f z^rekm2ZXMR5Z)MBdXUMLaA;mI4wy4JP-+VHMVU>KAH&-zDfuKPrc`N}bXU1vHRFeW zn$q;hiqa|LnU%Ps<9AMM>=WpwCKt9QS0^VIkrmZD*E?q<r<-}Y<_b)Y2Ws2sT+43k zz<at5>?&sZO0Ma<DC{o=!|{maSRqdO={DjNEe-YHmcbaO*twpy+q88yPY|l``IeqU z(T2kzaw%fnJV&1kS3i{~tV}1$dVPoom&g9afg^7k1_2jK5V#I?Y^red;=c3}D;LJ< z2H}FFI?K7fb?$#jCo$G@LNrv>vma{Cd?J{lg=72S-eIU5XwOw1w4Kts?X+ZVP&J$X zh)0k;d4B!9Rp?dUsE!_+ZCX0_T>whcvuIY)G`@Dv#`7M`+jmG^GmZu+>!}1yhj2mo zt~pqVf)0kzMFz%0xG)vv#;AtXMvxNHi1muN51oU{bn2IngAVeUNE-CQQJ-Lh{1sXe zT(|C{tNKv??8ALRPV%q_BNoNtb>Lx&NUjl(uluN%Zk_UZgxp(>X4#H=*SZ>J(<(S{ zQ{JE&%;rv5Y{LxLN#o+2hUovR2jHUtQh6mk?E0pJSDs|2!_2_IF*Vy@Ze{1>=A~c% zhC9>O_ZZGvhNiV>yHRazc%3)Z=#xEP{ypEtejaIYGC2M?5Pdv#Z97-0tv~+Qn=`LX z+g{4f73SRMyYs?v=%juos2lW^&;9#9!CGr(NM5&sgyMc~rexQNUkLp+otWL=Z314X zStJ9ue8WCnPQYDAz6@c5oWx~#QM_2kYkLLo4Uz`)51h0~TWk{z53bj55W7E^4?NhW zX7l%DJi8yPSh$(^z6to+PTpS#SlPMzmRHcuET9scg*&<4G&*x17%ii40yKG|)pYnd zioP)i?{z3f3=fJ(eKtV*;A9mLi(n<BA0&%Rj-O60pg#-U%*O^^jl%W@-~3e;ntYZZ z_8K~w2T7F*-iPlbXxwy&KhSNii#$6+Zcs@)1^P&y0c9%m{cnbPAbL8|5$_oEk&cG| z)Uua=Er*f-RA8>Y(yjpM9HtFYBQ04@ObXUAji1v5U`FzaGp|~Rk?=DBZdk**WVnJa zAz@<*+Gm|7sgu6by9IrtWHn_T{J3sR?3|sUOif?PQbAue+McV#VrvPsI&<u!--#h2 zy$r6tb%48!{z(2Ft;@lcvO>8mEkVp;?|igh(=g!;%RI*xeo{Za-Dpe*aMwt<SGae# z&tFB4qH357PSYL2<j9L$r6Gm4jaRP4cy!}sMVY9Rq)rDq$IIPQD18Kf0<*pkF~Cdp z^B!Vy(+SCglRH~tIK=?4Zds;MVL5iDUMS&%+9@ni$%v)XD<%E6_y?g54__nE+gEq% zQVDi@H&1dE^cocnc|M_;FOi3Z5>n<5Uh{0d<`zDM^-_Z*+(-%!Kb3jB8M5f<$t1E) z$NL<^A6QqqhlR+2X?kC%L2BpOHFc*NJQ^QEM&UvjXy^;-o%W%EX=r@2qf8Gw(JqEd zMs|caChC27vXJ``P@KJ{*9&*tPru@#X$sB)S8(L{`G7=$nf8{NpS6L*_#C?~{#)JO zT*h%+k;SCRW;OTGL-0RKhmLF_l3(|`Q9syQ*Y)<2<mL?iymA9K$llEL;I&B}E#S(O zBRH}?wu-8EEsiMCV$`4kL<*f4)iMMd4x4{Ts1EL+D!}q4<N%;NF{bv6FJW->cKjqb z;iMwl8J^o-+A#dl^-WNNAfv3Vm$Tn0520#QsYFIMeGCwP++)ndE6I))<lIhln~{Rd zQrP9i*=Ss=>4Cold`RVZa3^A>Dn;8lw`5crLf<KQRx`LZ{OXg@+kyK0lT=x#+S>0X zMue~HE#Sm&pSpOHST59oeh+d;{NkuhF}#Q%NNU-fU)iu9f%IqA2NLHYG{5IO1>Y03 zYR~OQr3-dY&kxbA21rIo>#*y~LE^U`GUfUSF1Xv*a2=ZQq^i3ytl%4;UUcP2Pmtop z>W45v9Z!pR++x71!``@}1gn>ElIdFPAGnj2DT#ojE~Su7pohnbHW)fz=;h`?n;@d` zmp*kl?;3(u!akLQo?$TX>ww#U6s}&V1v4%4LW!fPLn89e!CYhu*EV)Lv&ztS?_l&S z?S$+y+>h!fsdBu5Cn0~U+8SMEqG|^XZ|b2@L?xr~fuPaO?I{lR;}cmX>*DZ_VH=PH zyXXuq7ZYs;HxV)88KU22O|V=THsq7L{So3{>3=CfiuVyW8vYic;`m2IeI>!MCU1+! zYy^gIATEV!J^yFgfJa6XnBup_U*Enx4Tm02ELdLdN|uHo$pChn@2y_>ifI{4azeUX zk<A7TREz08cNu%*yNsOZyErV+qtt@}YF+(Z8Mjks?5&V-I)QO2V#laD)neW9;NO;L zv4kEWu$$MEoH&l@ijn+S1)HJ9Ld&-&mJ#r`qcQybHo4cZunBQCIe2(Ds<(T#B`BHJ zmX4f}ZdpcbrL0Zt`t=@6(tU5&09C=*&cC#NEp=&;uTReeTex|v7g*Lh9;b0#0`T3^ z4K{-!A=;=zV04jE&=$UfUKGS;mx6vrnUUq_cS4M&$b+zEOV68qhU1{3*iIppdN5(Q zMDvr<2S^HL1w`V-Gpd2#A9gDfIywu%FstF73?2zU7R4NAjitzPLhP$7$#p&YcExm$ zyg@jysS-nHuP&CC%83_$L4fMjk(EVwooFm9ZHWB-17V`h_5BL^yX<&Vh$Pk%1;F5! zmJFA+FHka>^z^9uE!A@Or4uP!34Qs47CBaaP9H*Np5kYf@75?v4SSVGDDT1jG}yo1 z=%grb38pyZ7bC&Rsdhl24L_w{oSTmnrfMh5c(SEty`rP33J~;xD-OesnWzi$L6`!O zUFCXV*Tkz`dr$xqjj*6<H8$SGt1=07PTsW2F8h}Kp`Je5<(=ZRcUbEiFVVbQiQxy4 zp7}xyUMYAqn<3)2e5rBYt_E-M607!#^~Mj27jN)xJvhZP*&NV=-LPj|^|@iLN2}xX zUO&hbg8k5~ZuML3;s@v83$IPLseaWi-I>P-{7nA%*uq7J_Y=+y+`F`N$wPDg?vX>q z`}DiYi}zExr%A6iWv(!@%^ES)p|?}^9?J0^AFW<5#LIr(vNxy>rM>E!UnAOLqMr^T zR%gDlyK8sBq5!_#g`Uv-v^PjMmc<l)5U{E+VxKT2a&rRxRrIkfmGy$(i0u{T@iP;g zJR@^<o~ApN<7je?l9WG-4P9!L#Hp0e8dYtglC~k#i&aFWs8QZf&860M0#n|oX~AQd zVou^4cElsh0F;3W9~l?kLM_~{UpMsUKYo}I5}ZWTi#(>45d1i`Iy*ax79*~p4fKxN z{MpmwJ~0qn)$&B*c;@87CPj&tqbwyV&Q~>m)$dh_=~tB(&=$@7OQBftj!xx9u{j9q zL2K|CdQNj}m8wt=jL?9bpa85Uly5af34vk0Hv`sj=qui0_oknU4@6OUXkmT%MgeA` z0t;W}MA+SxmIrXw%y{Ji9i4!<9EwtKLqPN=!)^kLJ;Cm{2r*JusV;d-3HiQ-0Wli; zbVuuOeKK>ZZQi7_%>J$u?I@1YQ`ln32!*&EqbDb+%jmg;N?x9nMY&#`&*1(2(NJU5 zu8RLmYwY0uBO8wUSSxl}{@EA8_Fprc!7@p72~@c&X59`?9}Z_52JKp+$KhL+NM#NN z#S9oT8Js-v{a*AePcTAmxfM2pcV&yK0*(eOC}^MY%H?~mNG=FtBRrAgk5}(gk|s<P zOO~@grOJvSnT2-Jr!isLvl^_JV>Q225q)$+?Zm_!9&-z`nI3iXQ$L{_K?{^I6EsOY z`p9t1e__W~^d-E~G{r4&FZ`7k<s-6)9$k&jhZy;17k;m2`K?1jiu`Cl;Mp(9CMK?^ zh&QUSiYwqnF;bXnQz@Pa4`c(nm71#Lb?MwRrp-@;U@%!;{M_!>?zoMOv&zJpjXUOo zgNX3K&RzZ|^!85%o4DzY*yQ5?iCuC_6W(povxKY7k1bdGZcWj$++C(!bgb`pGj&ux zn)eoJP!3vJt$-arNdO{(t!ng*SWBK<6X#x}d7b(7<ktD8m44+DI|D;nD*JHdnT`V` zi<q{9(}eI55cq68rG;NI+QY~n<z|<`edbqjHyg<6g+<&T@-9B2YzAE)KfZ9pRGQ;# zR0dY+9$BGpdDIB{l_hg=eYaQ7t^if5@{rRgYwejfWJ;SvcT`&O4gXGxwkoBp6P9K# zmG%u!5_0GZ0X4b=?>^Fzx6}JY%XMZ7RAZ(`gU4<@AK1*ZiK<voT$$c5X?`R~@YdF< z)pMI1vqUGgtbUmeSelsg<6{zNYz^CS`6?K$a3b(yn!AuT&*(=RVrk&=YL3L%hBn)e zv&Rp|_w43|w|$K@HE|eP>|YU(;PsYfXHhhmS7t5kXZa&nWo?}uH2b$m&ROTy9e)|x zFxbCLNnctuG^=>m5BXy_H3&WzMmOUceC*XUu;F&-S-S!MX;;GV3))A~$QnroW-U8L z)wt_$3pU_1r0m;d2g0xoa^>-$A-af%*bP+>pC`l^rvEkVl9RW~$omD9c`LbA)IbtW z(y^^6=fG+UIFuv8__QzvMj?u8{t%Uqs9D6@c!kmjRo&&4Xmb=)xc&NB%7{$!xoj(^ zs?vdjy8Z4dU`BDDo}?~L0%;!AXC<jH*0YzN3>Jn8Eo*$)fRu&xRWJfL{yY9g828=@ zp*;$XJvX1W!H+%jE{)P5eS<#OGH1NuIw&oRLzT6#`o!>$HIFW@_3@rNwk-S<js$(5 zH5c79KCRf<@L2icfx8yS$fd_Fx6o|)qWC7T#yTjvQ+XRXf9`=R!(Z0?lYFRYClZ6g z6E9k9y4c}<s|6%u#Le<^hMJHMCT6MMTjCWhI`uc*oX-UgyQ1nt{AYfr8YzUKr%-u9 zMpx{g-td=_{j|E?GNk-|Qj>LwU=T-j45-G0meC5v%%0t7RRDl7TB`@*pAQ;}`X%3J z<S5#2dDgTW2753CO!$S)zoE;T!mflKGh8*eCBTl=CxuxA>~xeQE6gUM{t&+=o3n2Z z@+i?3YPU&HD5|MPEp5S2$FNhm&lG*RS!R}ad8qoCt<HWJJ_%6LOqlqXeVAjxaJVd7 ze1C0FS+w&+DUO_-011@YpC;+1<SO<Bb*+dv{}yz~WkS>rNzGc4&j~v`er+zi0j&k% z<s`UcMoWRHB9Dg|$B|&W!)n<vw-^0U*!khe%7F{(S9~FfHQ$HiTe%ApWz`p)j}Iow znNf<6?MMhC?-wD@09r*EvZF@F1_|@h&hQ>z(P5tVs}qHMdV_bdZ1C}Q7~39pz6_cx zserY39L|?mud>;$bh@s3377Fbwl}dadR(uUpS`zrsl5%P&H?fh83T)xvg8U`@e9n> zLa{7ZbkThb3PB%p%G$v;JOEr!1h2C9&dj&n`ROI07w%ZP>oPI<1q(90cGqR8mQ3`J zNP7A{tDo*86|7#SSg-9dnWDl}n`8I~wH@g1>y-VRg(U#5EN~;AyL|^f?qSn#FD**; zC4>^Ho~+bZzAaRwvrU{Vd+axUHf6Kj_-?RyHf}wciu<#7;YL^b1+y#sEO}@4ZT^JE z`{0Cz%ubk-<`q>cHBq$XUaK~5q8qiD6RHEEZldeQub>aA1pdu1GZk)Pou=DK%xS7_ zLQX}<sSA}sbs~iH@5gvIL@$~dpjCp?$HLxPZXHbG@mS7^_87yeaU#<Fpz{nbO1%ai zW#zbTw6%URWp}0PwPzEujuq$vFtT%Zl8jfM#Ry>N6}vwqF(Ti+jY93yt1TVl09<2Z zcqOa9%oBekLt<_^lG}u(c;f=nqFi*E8X^ncNZw;%H^r`QjNv8mNf?C4_Hj@5Z993f zabnPxZIZM+I?I=BRV2LJA+zI^qIPNsKNlYK+x8%LdOBTdHOe`C@{rThlm9hjr>8Pm z(B9C_kB12H)Y20PU67wCT`YE{`w&frlR1JutNhh#NSNa(ifFdTxh8=ovcL$V<|c?P z$ww1YItJJ9n2{)H=w-0BdG5;>*pCKOw?s+OUp4{>LT1*@CJW94NRuCNYqsIKYPEmV z9gP*(^ms5z01f@04{vg)ZpoxdzoRnqFBl!9I*hgD4UTE4FxIt};w~>vvoEZCg#C)x zFw!)<J#dk;SjGj#)uytZeD=##ujgh`gi(=9b-+e*PPer*x@6t9pFW^y&ECjQ`~3AF zio8E`&EieS1o_p6V?=jH8{u`*PvsZP@fXGqp@eaca4`zmQ^%)N>R=|Mi$lJAJ)N~{ zmm9T}3zcyS#nYXJpOk|uLxVNc3q7;cIy=b>;UnMR>wSo%K4+<OE|!EJBTeV=y%Cin zjl~%iDHfEg$tRQxNN@<l3ktH>v&@scXP0Ynl(}&72(e7Fq%SiT09h`XP9bsH>5M?g z2k0k+8!F7lgur6#qtqM=bySmhMl7*-m#$^_S6)c9q8viWmSB{`UCo1=z&ElS8^8o2 z<sp;l=hr0=x>Q{f{+Z;ZOv;m$21jw5H@ZdH_59v^EF{Fc+j2c#vsaC>&MX_V*K`Ql zT;Xe6inH(uDk#3B(yA4{AU1;I#h-m2BFz}hNp$AGfE>bM(2DRhkKr_}xiK`TgYhB4 zK_vr2c`Ji+bd-TIQC$vr6LJ7sW4YF&*|dtPo=3Qp?11B9N@|&Bg0Zr#ALW=9$A}+3 z;<gZjHjU!jahx=gXB(lgc@x{+S$Pb<kWlPv7(rfya?fv}k77mamtc6jKD)3sNG1!w zz(Q8UuEKFOzicu!XJ%l1Fph3IeH1X38mq0um*t?=%%!_5%S<3(RuFv(W~t8f1*J1j zXEbt9%x08ypUWix80H8z>#Fq>=x>s}X=%+PS9%HOKZ7?trzrL(q|<FU-S+jR&9^qn z29-rL{klBt;txJxC)9D8@){2xlHPBu2T_G?$y_0#MhQc>z6_LmmdhH}Mw7=wN1H}n zjk;NnwsK*^lsD(3*Bs>SYCf8nKm@U|noYfXe-F@);!q4LVwx4DWs8~^eugg}KN_BB z`IL!NhWqptMu)(wLnw(4k7iuv%CLx!DtuQe6OY4Y2v5SyGjev8#7!hwR4Zy@D|<_b zQSyE0t3<UtdmcORR9KJN5#GD*lA$olOG<5d)J8%EaI<VE`(3_CpDme)>)Db=o7ef! z2LQ7T>s>1MxwV;z)ii1(a{@AE5a7s>rehN`IqGhtl&_}3E9)P-TC_;~^}CP(rnGrd z)ID)WL{sJ4v=S3UpWIEs#QP4i;<GO8`jW=+U88j%^k>tgu|x2vV+jbKe9|->8t9(z zxeNd!?o(EW&=`VNvLu#6s&WTTr+pX>VD+|j&E|%ix~{7-C~@x4MO&-qah8Ggi;G_r z&9!?<dv!(Nqy1VX?kDnt-0As&PgHh#*E(ytt0aIvqPuwNURyyqMQh;sPJN4AskOP4 zz$%?)S%sl4c{N&k-&l=3Lqw~=8V#nQ`(q7?URMztP|C)^U1vOE$BsIpY5wqf_0)&C zxh32WjX6Cm)4cmzedZCXmsVRM8(4j}x<MKTqg(CxQTLBJ%y@HZEmPQshT|Z<#dsbH zF&ie{iv26gC_n6;3@aJ8NR@R>T=jtqBI5YaQt}IL^ecwpRrvsx&&0uQBoP`dShWfG zt4>BGZo*p$(S&OWGK52sFq?8_AuQXhf_AdQin{31<X2k`>mRA<7PpJ!@%0*%5u*x& zvhc{BwY%D@zf*n<UTwA1c?vV*)g&lQ(_Mrb#3YK;G{{8mKlg<Vwq7TGzuikmM=cF( z5%DvfQ9cxKC39@v|L17pKA%X0M(2?pE1rWspDKCCO2BEZSgVDrL-t~RDYa{}_L;t( zrJ9zfIEAYliEd;y(28?*tzjbHdw?#WY@&L$*0aYE;h|JACwW3keGKVEqD6lU_B6m; z@vsRqrO7PZSg>9;$Y}QPTNVeRpog=#m!^V*47&d8G4hfaif=ZGFx3y8oppB#8PI2C zCl6_*Z;>$Ey3BAfw6eER$!+Fdc(sH`lb-F^YS;VV)$y^JU9=d*XC={A$Ddm$wc&!{ zwIePnJOtpK8d%s}Lxpk${Dk}z9l9zWm6Jbt!-53+)oZ53AdR85*?EdW$!B}FJ|FHT zN;4neA=0X|WqFrrsCYa^EFh3EDT(_3jMatczY$<vGB+Q@)&PVL9@P~jyTvByJ~DcE z8cK>QOz2&K-jcieRuiJsjU~H97L@Et^A~${OLNzzyb4gTAU^pO&E3vHaSo&`b!-jI zz#q(X!?7i0VV7&TO29WF;yCGB<p-9m5nJFaHkW=A90B@`I<|%HizcxpH8ym%SN%%l zWoCXdMfJ2bhWdpy6AFMm^mcK53om=!k|tz*b116&6(Y7d8Xenu7anA{<ofNdCa5a? zHBXpsj*o`2jD}{tUB=}s7DuUokj|1bkIoI!WqY>bHcLzABz&%AGOgpBYUUR|Vavtv z<S*XY<_q)jU%a7Iuhf%r6Z{xB2R6RnyLX*E*9d?*2IFT&qjPB#=;KXN&e`?l?qD-> zTk$=mURE0S+Z|dy!84<dZ@V$Ce`&<}FGNh{{(9hF*Jthi&HAj--$fOE>$DgO(V)sR zprq<x7&Lw}F2C_Fg;TtrIn+<v1L+`9^us~a2lc@t$$3LXdlbU^?1K9*Q#ZonhXGQ| z?c$C;up$|Uyg`5@C{Aj$9+a)X9}b|Lgck7v$jWvE5@gD)T~Nh2{H3?e3hsiQ#kbJ{ zz^fc`7<K`0;@#gvP87hgC+u1y{;X~P)@Resm(l)pc9iWu+0lO>%KjO={b$%w@1ZF> zfkYTeBG^7{0eHheKhOk#op!e$sD3=arm1Nwehf|DiR-uAEW@F`KjQr-wfQ&n1`pNn z$oq~Rp}+V1|KHW-{|3D|ng79k{{!evMN!ra?F+Jxtu7Ol&@zSrS<y#iRU}EcBn5C{ zH{>8<=v(!k7I#S_7xqyb)Cjeb?(E0eJpC9^hqye<QsVkogGf-`Bf$y<<lJKY?#NG+ z&KriL8Y#a30Mm|C+YLOQ!;=l?zLJ&18i5f;obTI=Ri7wujLgW3*p0l?JtsT#9vv^n zCr_fMTWEPXnKB3s-DM5^oXc~AQ6p3GS4lX7P0IBlXL((+45dgBH4x%Kydy5ErCNll zk6nfiffI`ctNK|B4@ITu(79;VK>DxM;A__i76Y#;Ln(CofclRQ${3Mc&?IwyOr!vv zSYu=1qv+Tpu`oWBA%$ev<-vR{2J;M_dgxrAX8~Mo?<GTStysw{4k%8?Fyh3o$h)Y{ zxmOs(>iWP@q9HsNsQr2y%N^ExNMFtlP?L3WpT%%UjR?y5R*6@_Va)#QTvFzW;5}=7 zmAbge@$mX?+jZnzDk?OatFq+aqS*^f0vKBmfMuWBbWjnI`SWQWC63o_$Hf@T2+~}> zxvp|9a}Z0WGnbC&!861cwk@<xT@=MoPugvyuB(XR^eGQ=3rTy%*RnB#!c=IbONh|x zb4wU@7{U?wh5JaHFLMT|{25qG5J*;#i}!PF)rv1wYaNq`OU_g|-mRUk2|qN*vI?C` zX3$~3u@{R=?@9-5ZGEz@66qy~dd`!iiCSWLwt-WNVci}qt-ig_M8#6$Bln2IC|gn< zx>t*IX>qmg-*x`NvIO+5(_891pSiBM?EEj%>bDEZ?DY}+>%jAG7yJWw{-0d%p9P*5 zL*akV>ecrHi_9rF_>*`2UT8}=e+Se%)`a-pG5UW8p5GVxSK#@7TIfFqJbMpy_2Xry z_H^|PT@b>i7=tTDcBO$`MZWi@%tWqVMLM8K-^_HOL-lFHp=pmqNYBnNea1$>UfPXR zg4?~m!ok7D-VPb<c52?E2qim6C^TeW2Pxu8x%~PSuk8{-G_^TgH1U$GM6_9kr3P{@ z@_8n2PZ^+p)cw^|e=Ce$nwENEY|<z<uA;;}T#~bds$Ax4Im50-*jH>r9YIPknAZ4$ zZ?&Hiqr&4%F5bsb)#QAlVCJm(fUR~CxKcpl9^PDn7q}9B5<Z+`M{|HTSIP57U(mC* z*~_14_}`r(5b-C`itje3c!$jYpD_~u3)}B#Vru=~JLRay{GS~nf2R@SFC8pj{um6P z_?s9j`0vEn%ZLHX!Iu7xzMtQ)%_lMe&;vJNX5~aZLWldmj;MYM1&fV-GXo(V2rIni zT(ZiE3ob_892;W2O2-%*0%L(Os*S1-!O;jJHxO)$b73HfoF=szVw*t$7{jCm@h*$C zbbX}}1=^9XO1P%PnV6wg8si>AFxTSA_5@mycpHeR=195$t&KsJB-s2jp7;7P?)SdV z?VSWXkF}waGb^R8^+nvzwC(iO&)xUU#6RDUCEUl4t<CMkzu(S8t|Pn=pV!y6lkt3W zKQl9i&iID+rcA&7+>=9^|Bb1$8cc_ukPzswy*Ac%pEnoZH`X?naKAIxbKmAA2A=hG zY$yIXPbzF;CPyF1wio$L;MWLsvYYhV$(GgOl>=SuEi!_@Al~nhYiWl#y4QHAe+#ge zyC>q!{>vbx<G;B&!Tn8-)wlhXpu~B;L}sRe-$A%h9Lc$&nayEgj?{ILf(`0rL@Qk; ztQ`JOTtbRP{stz*+yH7VMdfez{rXeA43$JRSkD(<c-CRi`EO%jVbvi_K>#Nx^MDpf zX1G#wx*^$A<VH+x<td2%Z|{_RaT~kx2GTfrajvEU|FEwZ9CUGZo5!d6Zm8G-1=)F4 z1>vW6`YyyH&0jF=wwdTpQRjC~@3a<g!Ndmv8Rz^r<n%vo;P?kQ{nXRb3wJ;D?0WpG z4T(9Qj<sac`4wx@KF0tDc~Bpsxm{+NY>xj9<xJlfV(C)S(4g_8q}uv*7c9z*q^w!% zNrNY&)ht?*)&zimaHE#yk>ZLF)zrS-am=_w3okNdtU&KU+vZo}(URtqvzV8%_=-4y zSX%0#_vWGZ#;>P?w!zxljv6aIXZ@DqpR*qJmGwkGYVc~8;J1?$Lw?MsrQJ;r$J^d2 zgfieY6>m`t{5ZU}o$Se-acRczq14N;)k1i3VqTUE#Vi!CIUy@+W^`Z1rV*kNWGe8q z#Q03V7N-{WgS`%y#!3@KHcg>$b&LI}HhFTYG{7_<b`GWZqi$Wo$U`2V(hRVFj!!c| z$|;AujdT*Lj+u%}K|}s0l<CNW*B#d-niX^9P=ew^phpb|8FW_AH<q3j+|@gPbGsK6 zDHKDrDN}QMzj29nhJ4~-qzAej;go-(<8Tjxz6%3=n}*z*4W63RaG;0B&#V`ZQtdRk ziHVt87XQV-nh%xq6iQGFrniRfA6*bxjGnx5Gg6<7_fh#h7?jfF0nBRHYG$oj=7K4U z1J73J_Mqt*l>!RRErHION?jEYxG#wFhfUn&jgQE`QgFdeyz#|pOfxN;Yio*n4Pi8& zlK_!M3)8#m+ZSBVN!6`<M-A#UHltrgkBxI<$G^q*kY5ThIx+y~O>a}dQ+bEAnKo?c z#D`VSZ3f$&qCZT3^&W((O2h$1Z}o7~ah}ddUm}hF?C%Yq0Rt-tGLM6l(3<r~N=izV zp=zeU4bGTyM5wk|PaiJmjh#rJA0<*xiJ1NVNxV~_l8Kd{J(-5!EHEvF`VBtm^Wnkh z<0Fmta_I?#ZE!-$WF}Oo$Wm1(^A`zU0?ZQ7qKcnzslR@Pn%;WxBu*v*Q`a)GKKo|+ zH%)IeF>4mj=zMLOEjkaEN95^pgTvdQN!#9uVH{BF9?ddrgF<}3tSQraAi1#Npy@Pe z1JAGxe!mt+?;u{M2lin@`0}bFPj@AGvd}!(p0d>#F9P#)ULJ8O??Az2m<PQABecbG zIM-}{M);Ji%Bm%oXayPZwn0=YeFax@b!BB$GfnNb-t{+PME^2ZHq|SIWU_s!n(YzO z_S0L9(DF51q?SRgrV0%=$USq(Kz%V7k@v9A!$1ov<Vfn&ZQanV52rDTm`z2_u)|OT zE5QK8eEqr^An|cdwGZ|f?i1%_wfjEvuyz)7F8nbO$8)R?XrgX*013!(ih3Z{)`cMg z{w(;btv(NAxJD`o*n{YIaD~P$l#qh(OD?~vps^L4qAHbGe0we(xlrC8j_$0Tvp;`9 zJ?qNTph7RQ-uIrI6t<GVUNw1TIL=?3mwVKt&`+SlBz+7DSRzJ--BAS3<%)fR^8W=F z_N*>l^t1Qagy=`m48O|jXXW;6Ijz)?I?%o6vQN@P7j^o_^xxi~6_E$651bPshqZ@| zw^MJt7$t46K<Jsmdj{ydQ>J@}UP>;gT5mKihojSRY(sSJP0%u)<zW2<-IkEB-Sc!_ z<Co?O@W9Rk)~_r<%Ldqio3H$rCKUl2D;paf8xu==5}OxYX6JU3hu>;y5R5DrzcpDe z)tV13CAogEyG3Hlh&FbBqSC(Z?|p#-O;jJ5z)<kqVl*p&@&T%PY?EnwA~Tp3z!BK9 zW?s<8oKOmh(3HK8RkNlC8*$!(af4o!R-nK2_eC}!PAb|?_K0P#a%kGy;Xd|Nbhu{J zjFzDG4dZl^vDiZyp5(3HpnkZg8h99`={h%|dqsD&WyUWrDrzb!b9BmKpKhw9m|k0( zS;NLZvN|^VX>k_Tp##FULEEk)qC4xVIle!d+K%x`M<#{S{=>(hOMn`FS%ex)Od>cJ zTVfs@tb}W5lw=-`o9GrPwoF1ahq6`hmALH!Z|NK5eX||1;$pmX$faMnG8J>WG@uGV ztjIqm@{PcdSTWKNq1K8~(UqB5(G@4|BOo%a<+y^F6)!sI=T8qU;_>MPyX$lD(&xr# zF}vo2t7iBI97YBAjs%9<`q%Su^-*v!PB`Z+H9F!uImw?&iQmV4{FmEe`Fc-o9$^62 zFneYQBVz-MQc&|U^(!Eaz-6J>^{@32wJ?ny>S7-pc;u4L^li?;RHd(j7k^$mRM75~ zAqBPH+MYWhjo8+?Kc}b1cs_>jKh`~H<laGtzdG@;(qCEoQuAkjrXc=a8(<El4Oy5l zBO}ATO)kSt839pvY6l}jHR`^={@MYLE#~J{opni_mw7>{7FgvMiJX}SathgrEGTqC zNJZhg^>olMdAx5(J|C0ZMojRCgdve}GimZPF5=)uUXkn!q~NZhW=zhE<(LkuSE2Em zsTYB|kRoJI-C+tJn)*CZ3kTW}qxg#xx{fovZT2&Jq)y-n!WQ_&`%iBi?7<fZEgeC> zD4iYu4V1^oBNaxa#J9*Ro;#YGoSdA3&1OiKr`d6}GCVVCvzk*+rLf3V&UV$oZgOJ1 zb!N8J)8~`MD#YHz0yEAHiA;f7SX61v&YID7a{Esus+oawiov>vc)qwzW}6g!?`X=N z94Ms9k43<t0-&hk{8flCXLC(TMm{fef&;k<tbtWkWf7~4^_cPK<0l%zu9x(>!pc<v zKt}MMKhx){dNw#qXod~xn;$)vK3oT4wbb4k*`-%^V)18GdG;%Jd`xg`31(kFw5J?m zsR#*>&kNuwy>#Qut7aAgvhvA}cLH%<u57&G0vgn_s1M=#5D^3jCpxNQ2@IXKOwBss zq&;rY7ne>6Xumb%r8Qr0v8qiKtXQ>mmvLqg1XIcN3s&7A+j8p?JuCQE*9NKQ&sFN( z+HNRm4R1%47St<LB$Tp>Q|VB#ecdr^OrbepR!pYKggK87L#L*eD%49ls3qfN)f-Dd zlHaepE;KpAmn{_C7k-GQCNXCg6dN&U-7bOoj$3V_*CAr{GRWEP<=)}um*b0^4k2K$ zM!xnrefYTGAposuoUk+r_c6yx1>c1lM&x9LRNk>VmkvEzoh&p)L#52nWPvF0i?QQp zrF7c{g+z*l8N)DGEKNOU?x~hbPcC_hV`Fkpjv7-w&m2W}cl$;`1=De?nQ`Op1iOw@ zAwJ;e_w#gSCkulmwiLr@(O1#e+#Uy_#)ILpUHzDZJF=2$%0p8r^uh$nXnnm@JT|RI zt`okmQ!$Pls{Wf|#FSu9<Pw{tui&qkwP*{{Io^@+P;=Zt%)@HC{-PKOV;kU6Gh04p zB4g<i*nD7OkMTvI?><Agd~J8X^@?_}2qF%bVcUb!Z_|R_Qp;F%fY7R4N`h|p@ST3g zg?rv^3cnJr2@;IYR+^=2p=r~=w>80tXX0%(v9oTX|G0-4J-cBE!ah0|Ol=ml)y@Iu z<l}b60J(oA6fT6zM?6Pz7p(59CDaokg$}<r-9qo+Z2VWU4CTy&ZFm7(a9_yy3Y;_P zTpp-0c}mkVsEOXKPRKg8?ps`SlGxXedeq8rr)or(<mw-8zew$2b&sf&7IDE03MX_5 zeMM_D11NuZ7rcyV=}Jk9g@p)&d=Lk}(9)P5NJ~;vv)>MQh-+!)#l`t2y`H@`)Tm3( zrsXcBZL<Oc17Ez+i~=jf3tVA-jOtL3_KutvFt0>!4KnW=A9u+RNy=z&!B(J15omt! zN@H+G#Y|Mx!ihM=;E?#}$2m0r8W0P|*pC7p!?>+B16(4-F3m(a>UD~+S=!ku0-3p5 zaE|qXIQT$NPzB@(biq>Rozv=mrc9YoUz)?T#)S_C>+nCDI+{A_>k`mAFLVZ{jZ5-x z;mR)RtdsLmwosw;h%&YYoNW5mXV!Mi^6etsc2r{Pij=fLYV)h&_MBRA<-3d!b|Tq; z;{lf_yXF}LwmiDEtI1^D*oA$ZVA`Bx`J#X_)fz;p(aE>XLP?0isTo1Z7hH;!Ufk$D z@KewuV8dfTJ75#z0b+nJqRch3EB73wBYW?q<0En4=p;P5$yjAp&?E85p#Bs87Jq2e z8_Awf9_pG;OsC+i_Jl+xCW5%p?QOS!r=$1y%Hzk3fCw>p(b=QmwmN`xRKB5o(dD9t z+=wGs7ult5L7f3tsA^jad;ny3COxu~k@oi@L3>Ca5ifqd06pZHd5(nD^wa_tPi6F; zLhm_)i&l_G1BB!A<9a{O9PFg24iX9F7dmv**X)6}@i@d0tlfkR*wnR?!4y9NG6iF4 zjHA@mAYDF~<RcfxWEkFGXbY!yVyR{B{*0Dp4(?u5-+lMo4!1g*cU`01s0r!E&%+~S z?sek}pCNb{^kyP2rNFNxNlX(k9R{u=Id{LuG3%Bbd{qKW<m5yNwcy^NRX=}pxoXG` z7*^(72fb6-g4<dIn<!IoZkKKJEcp0-9T6_x&$H-;3fyDF2ch+}!WHiHdRM5qd$@Et z@tJ{!n6yQOZx*q1K{RQjC-c(MVBd>0@jNH;nTgUQ)0P@`M_?U3Zy)GYDlaj9M~K>h zq<AwmgY<GGdcHxuf85%!ES7rM92>U<P`~leRv8Jt+5-*=3*X!U`x=04s?u;*#+bIu zOyyCJ8ilb0%#ST_IF?02goy!N{dG=sTxh{jnVZnb30S9Gxbq?j30BX83Jpli8&K(w zjMJ6XDmv9gb*3gX3kzIRSeE8i$2K`1i_6+`^D9U;W@hG=7T1M_HuikPjp-j&Ac}aK zd$hIZ5EELZE{#jR(IXu8?@?Z8%O>71O)N>qi5%A|Mo7=EXpzc*&y?lT2G=JFopD|e z6<%=6du7&J0qAJ^Sm+%~#;BMbcqn`^*d8D<>hYzHA@W_*$xgB5Ck`aY0g6?);}Uh- zM_W|IJVFY0iX)F7=5xWnDt+wb{K~HIbrT}JQOAiF<5tlCH28D<xruQzT<REwIp+im zpVVP(JYz-r_oNZW+PZYkQabO{XXz61$i=-o1WR_Am}o?#(-iCqdnecG5Fs_vq$Tjt zI?M50a91n7ig;OveT%ULO)_n3t1WG=<_~hTM(E606v47!DahoE#48L#pd7E};evV9 z>j<Z^9D0Fw#9>HQh^R50L8mC{gdaL%oThnW6Kr>dJt|Ws0f#;jGDK+nIfSnrX36UP z%Od7QI(v<8u+y@@dlYptxLp*6du$|>aj!(TmKYf4f=bLpKA=zFIeM|nNIHBrywt|M zT9~~bLrdf_)%LT`<tp#Rb&R652ZV+-bVg9EUQ67x0n0PJfqYc9pIWQ*O$O_&&j8vK zb+?0kR8mFm*@2m(8Yyb&xmD!N?G1vnvvZ#+S<8xrb>s8uYv{&E>}UsmCyD)v`ASVJ zMM;WAX*3L;y?cVw!pw1HU-~F^ErJ)}5}<BU^SIn1n+ZX~?{N=Rm`&)BkLlsT!Jxy+ zRQhV)7VB!CANS#^#G>Q5B#xdC`5}I8BoTwnElBc>F;3B>M8f+UE%wcmCT`#;#mIu| zht^Y*N$yj};rEfaE3=P8#5GJcXQ(CGF^<P4;2fb7W)K_dkXregDaccg)sh01b8wLL zl1o|YU=?4uGV15qtah(c-KhBWWRBmcnBvhJqmG*Jnzp{N2%AT3(JTI75JQ)S`pVb1 z+|{V%Y=*x4^iJeGJzFdlv=`=0ixv+*YgJoN#nBo&#~ksF%uucAnez;a((?A#$4;kG zjAqK`a`ogiDts6C!LpJZmFIojf|>^8Ov{xTn^s^wHW>wGU2B+IjW0#V#pQNer;9;) zKrJ}CG&YpupOvc_-Y6T^ETQgJNZ>6dtvkSJWx)?t9{bX16gQLu;5#`OB`7clq({{o z5l5gG;6}L=(31)Xu?GPL%S6vk;RfvrGvDjb^(1DpgSp{daMm!~Z>%K{fpUq2k)Tk= z_Fo#|+;6~A+94_z4cPalB_o$#!hVLrE_=oGMF^~!8#^0xiRBF<DOTDV7=DsDAoQ30 zfh9+@O#^_QvF*x>f-?lp!7u{IRq`brEu0ZU$3Nb1SzuR?zqDH1JVo41-dpm~#aKM& zKB6hIb?|o{w$sojk}UBj%TJo#+Cm>;>vUjE%x{TPWsBt61UeuQfgZQ!?HXi5yb)22 zLVox8(A@FE&70La!jBz!f9=$w_^@*2ip*)P(@Pb<v*8p$x{c|Zu4f5o{`pBiH2ybm zilk=c-RBJoy2M>C`;q~ikI60IBlJny7QB17mk$txk1!d|d9=GXz1{>IiS3Q#-|0f0 zKa?vozoL;z7b^$zAgD`@@xy&ieH*Rj2OX8y@03qqmwCk<@`bp=>O$DcCiVB;59lH& z^Us~oTim;Ks9-#C=F|pFAJ4mQuGr|fho&a-pw2~ZuP20Cu+oSh#dIMal9Ra9?kMj} zt|TJt23L;Xzj4yWf_HBHk~l`EOol|KN+$nNW!Q1PbPuDBnlso}PepO{v=k=q<CFvk zzw%pjk9%+LZc)1=_5Ll#i<LthhsCreynAlOWUvY6{+cYF9H{~h@JneRLjWZF+$&yI z!ANr^^b5uas+h)?<LZG(bR8{BbDb<d-Vc0UkTvWo;X2G=>(pU7?f8S%1yZ4GHqn-e zJC3Q#hBM+!kvDeyYmHicc0uXBc+Otj7(BfR+tI|uuQfvkE>8#nl_%N&A0PTeNz>^k zaY^N>pmx;u^o6L(Rkq))04BTD*9HaTg4!+DGbhpbTI9dZm%A5S@!%Fdy*+E~1@w(u z>N=R*G~f4th-*)d0~}iXg?Nq!XQk0q@jwkibTy}zwLfe+065@ueYn9wa9Xxm$EG9~ z-^jf}aC`y=3IN!Cp?V{0%w&uMcPwyAPhHu;7U%v%O4-IJCKC0IFVD$iw66aAf}*le zK~noMHPvmf&sa2+6#AKfrns<TmnJAz+4Gf7>(#x!j`dZ#4g1RuS}k(6({?NA>$mD^ zjNGQHu}dTTNix&7x?}shirM^x0g6&OAKtn52_Kkm(s}fOWMmE+h+c4*fg}y*ur(#G z$Vna&>^t_mk3o^Av$t2hc@F_e8ZU<5scT+oAWCt5&U8kQY;h=)EHtnOVU-n0Y8$3% zs|yFRqO6yT9F>R=-^?^dXIcMTn1)kIr7nBNDfpB-p9u_uLS88yls)h}O|G2Kf`v4( z679vlt|sn^W=;{eODbRhP1#I0rEP(o^<B&{%%Q-xV-&EcQt)Zfd&KK7o1am3m#ZmO z)}U{&XuP)5B3tZ?He^uk(VP|Qv3c;ozE77o+u9Cvzz8+xgZYq&n=y+m*@R3Nr3Av# zxKs!w007Gbu#%A4ijb<&Alt_7qw4BvIyfcZDl44VP|`s0F)FCl=*wb68q2zm^zId( zj*`00Rf9@r9bjjmx=hzAW)Sl(eOE08N0Urxo|<28iW&)5bKg{@;tEZvjEA%yw)sIK zH>F(<T@7&m|1tMYVVZT>wr<$AZJQakZ9BuZZQIJQBQk8;w#^JP<3!e~wO6e=Pwlho zKl@@`eD~ke=j>z5(OVmDlh_nTX-JCF56Zk}{fX9~Co0AGCQ`RcrZ2+yhWQh{A$JIj z(Id_zf6gp=r!?sa^`#X7n~%+K|CfbThyK9OIcuH0hRkwRdzI&pGD;+@E8B#c_(JDd z-ds7yho%>cb`)xD?9<b=mU!KO@MflAyGdPEPnh3SUUP{o;IPqTrlT~6+xsCmGSI+D zu6-KLK+9M+z5rGsqeb8YGw^sM^r&FVcx>ut3XEA=fEHC=cap#ReU80(>WWw7NfgmB zE}|Fw)JiG~O9U&w0?(s!ToUG7JU?P_#%(aX+!jw=ylq1iXTC{%8gtpefX6SJHYBq& zW=UcQ3#)Va*X~4;oTctZDvY&15nJ7e;5dWnRp!ym_ng7T<%q2-c5y%pyjVOU4X9gh zU{pp&B8D+i;gc#@r8#~hF~_O~ySZkPzm%mRl3-`pGr}>b26%o@zOXf@W-B#gRzv1B z>`NJ~O2)sC)=Qzg{<7w^wfLsKH9hY7??!ujZ)RgJ-D~h}jeHT|eu~>v%N!Ur56M-4 z^Cs!&GIfGm(<+9lMeLfFFI<vHmO`P6g&~xL*Hr=h(gKg_r7aLalK*ay!P!#e%uEZ` z7;8>j%L}Q-?YO|0D#SuY+k|fLhDsAF*s6Ep6uccF60MOKf<+vSn=h}!u!MBm!b4ax zZ&35ZtwUYO>!In*>tWtK`-BG4(lY;cjl)Gaot`May{>SYSgD*-6H|#jdb!?cMbe3H zp&qvdgwJDrGuy5Fax!38O}4Xbhq14_YJ4`q`}|P=d4krxCfiC4FXKcgZo%~|V<*Ku z5$?%6G{7V2AbZJxOzZG~C1j@x<d*8yR%hBF@54yI*MAsW&U(PsYJWRdSJ!Cia*0vl z8hmnEus3vAzdSpyt0qR@yF%+fNULYRWL3^MUS86di-?knfcyj3ZLyQy*PSzca(e1K z{OtWY*hL1Tt}hFjw(MY4d7L<VI=-v;^;b7-TnhT(m=zR!aWo{V%>_%}LbT;A_}pvG z%j&AnhS^D!wW(G`kh5W5Ffw|W#wwuG0W_nN>78q#BOPX+F0-}$f{98;@dN}>24dr= z^kRlG?_&d>#PmV*>87Q9wt2iDBOlZ`R7V7Jv1O1QuX}J87&?}c=alI(?No~$N1tr8 zCy$LQ0me;>wzf6gQZUP;mKbEFMpb#56JexlgtS!S;dg9nghX0pqdm~5R<xfgmrQ)` z1{Tx4-z}z>4Smzr8aNt{cURVBFEM>MZ?&B%MC1!f6I{+hPZY&7<@MWdw9@xpquw|* z6(}Z12Y#~QXNY$8te#LzJOJTk)fXo~+o>J_+04>E?PrvEzZkys8M2XF^|X9%C$Qmb zdpuNAk{mQbM|661<5i<WdWLn=Ky~$z#+>CaVJj;yZiQ!qP3wz~2<8P1mh2H&*^J`_ zkA#1;|E{(J#-oO5TRB{FqTLWeioAD)qLStR!*Km@FRyU6SiZEmYI47B!|WXABnmE8 zxbP!h-MEDtp|paTq&b?T*#h<2_?F3I{+@3=3KnRb2O68u^awJFzSZ&J38tjX@2n5O zzif|GRG-eEmO|FtY|6D7=KVyeAbg9YxF3j{k@A}jN|fTbUrX$v6Z1#PDjGYPm9az7 z#6_2bxi_7)Fx)C-U9O;Q!n-X~B6lrNH8O!-cJ^Xq(L=JQi`~lo$v`*%R~FiVz?k*Z z(uU(5;0W-*zM4RkrZwt2If(%0D!g9rAPw9FLzIMQcx|jPGKymBL9bGr=4{H=tI2}( zR?NB5OW!WE!{Pga560yad(_saDo-|LBwTDQ6s=j*fhWWqmwn-6BMm*~N1i=f+F zqoKIyTe+L_CJ<>*Zn%2cgjbFnx1VF06XzW%TwSaR*)v%?>Ga7P0l5B00f}$yDB;SQ ze^rYCVa`>#v&`u=OnApui^#Er=`SO#0%4A8NKl|U*6i#}-t8%=Ww;nv*!wRv>Pd&~ zbAGINc6T>CKR@3eFqeLgM_!G62I(@2ZM9Us;l-GHkhs$kW1l(YYysPO@$Ql#Eu1K^ z4lizpkWjL#kYbyqkub`($IHmee9>BFG{Qto>=pbKTr@FwqOZM`6yFqPTUR@oiP`2d zqHnisO)K+OsqbgeAkUmfxm%0;()_%NMq5jjgO>c{7E!D2_po<`-nh`38Idt{7f;h_ zez#>SCKArzlk|!xtx>ckOoRGo1sKoN6rXYJ#(OQtRfXG;!D+KOr^yr(8#b*C3$6uB zK3xrs-Zpuj=x?L(3j1Ak5%r~b0tDJT^u!Lw72U$ZWHDwwYb#!hBJopAu*7xF{n?u` z*_&0}=~$Zc>*yUe?G@+Y@)MuVS_9Ntv;hGloN1fo(zW3yff4zHRNg=pbKnkTa<%AK zc8x@-saq?gmR5ou`FHS7*B|Jc-OKJj&viC?T<b=Z7d@{kx6X}+4hnVRJ~L=N+jDS8 znDH)OWuIWD3vX9Gn{zu3KK~)s;*T0Di7E{Q_2ow}`1<|(a3{C_gga?}ft~*R{t52% zH@n#XNm#)gyKNi>I0`c(k)vPQ7pR7^JFTCcQKOenoiKo#x{gMnhK7}%v^#8=k+eH+ zpqqeodVDYwoJv7CD?NAE`1=t2?r~p`I_%`n=*ee?9@zkB%@d6i%(`Rrb5b-?vsxAP zw86~uFh6Is<fCNcqv8S!GwLaNT1i<GnQ=<msU0ATz;Ub-%nbVg7L-(yBeWZ=3{1>4 z49qla0Dn?u&kloNT?b97Bsx>z*}?Rv+Zg~Rc)C$~Ng4Zb=}8GnmvQ<r8JgMgNjZr_ z2M1WVaCkU7XJ>=IQB;6Y!mQ$;{}Cwkr|M~SDgl#!*+by)f7wF-{SOelgbAR(foORD z7#vCEWl@6+bpr}0N%=5|rij2*jzdkq(<$?UOVR^kY69-sLGiP4)}H(gzXY5YKu3@) zf0^|K)x6`U$`8;MmGAXw$p#}}PcGs={KC!@6DhMF3Ld&g=igR;f6YI-6UrX#1F1(T zm%zY6fcedTd?=s-l^aw(@gJ3=!Ld|#{m07v@hs`>=q9g!y{qD1uE2la5%}LwO#kT! z{1^5m83ms2C|{01W_sCo!mEOMhedY;^-L|rAUj>+@1!6VVTY|(Jo_GRk15{m34Nj> zpuP!vKWioOzgtD+QK)0kG$O%x3=ts(D_zh?6Ao~AQf>5LZ+YEKPCRYlT!?zQ;zz6r zSW>B2NEWT(glAfaLI~KLirRj+w7uU8Ex`ug`mMdrn+{H;+W2cI4WVwaIF9L-vM4KK zAusJW5ui~>A<_Ov-$WU0{;`GRNCVRlib&R78ZralA(RL*7AiP07&vBxQ@2qc@;8eI zZgQu0pec@FGPT(iF?jldreW_oTeMEa?4dN(EUZQI3{sRqk#^)<M#}zvaTc1va6vuZ zyp?O}@RJQLGC1uQ3gl)B%#dltbtnit{Y8KB@7f|2`Z&)}cTXl(Zy@wO<1H|jm=*NG z`&ql#_g5q4;65~CD?F1Al&*@Z8~DFIB~%_cJtrZi^iuKzV{eWsmD##9QzbCBAB?Z| z=2X&??SgYc{h%}Zi|b9kh#}jUOQhNmpj!b~p6+8qmN&2M%BUSE5YHgl!*ewk9VN|^ zjUhJF;d*Vv&aOAM5u}t{LgX*NSRLO6=^x5$U>yY48qHm3EZf$TZeKIwH{!=ddzkf5 z9vys-GoQ^AOq{0i|I4rUry2cj0+HmuUMbPP^h*7Alj+}crT&E><!{U3K~iFF7OrAa z23CS*lGerFQzDE1yGhHNdH<GDMs`xFks+MD7W^zB#2)zXcDVjXrZ4Dqk0?MR^WN-M z&&XKb7)!LAiprg@p@4v_se_?}sZWlLfP$%psjP*Eg_nz|qM_~=8$YN?a$?k;NY+Ht z!cf9o!NN<!)ZW}s)>Nfj*IYr?%K=fIV-e@T%Cvb0A@6PlGySEQk#T_BE@#j9N^87B zNl=BGk-QP&0GS$^2bc$#x^uyBvu|#pK=R|umUUny7H3t*J3z5jzffS9Cqy7w!d#Fx z(bv%wo4!jm&We^t`}xRNQGT1>h7|plf-3XY<vY;>a3F7z;|x}sj(OsV>Gj(qwEA;` z#uN-uflc&CkKm&~9T=|tJ2Q5hLN~vx0RXTmB80X3<9`G^B0L&-(EXFK2sr7@?@#c~ zU)#zY|8pz*-#xqkv#kvKf8<uCp_ze&#ndo}jdqS|Rv%b;@Y9eYdyE1emf&vZ%M!PM z(mb({m1NlbUa&EM)VcAVq)bP?yc74l1E8jc{&#F{FI*1g_CJ*U&x&jj=^^0vRd)Qp z)IR@xMgDvH{EHR&-)JB2k;A`7Bq7=A!!MA+?t>kmry3s>p@*WIr2Ihhj|Q+X8z}7b zkB=5eIz=liEuC3gb~x{v{&>)|`DjRP@Wr-n>yp0mRj{zPP|&c5u%V1wnjDp*r<0(W z3Zt*4p_7<o1z(-KK*It08JHcP{tFFxhHi=;XJXrhSuSB`UUou)7Kn3rOmLcix<`_} zQN6jArLj~I|GT(D6R~)cI$tXVYaK~)GfiVD2Qwdh!2-~rKHAadb{eJ+^QQrr=Is?5 zGd{lF|7u>*eH#OTd7n32<{5*^sELv*hK2^_5QY#dk*_!g6mdv!{JRov{=1iXKN~7q z$!Iy6kwvMA(OoJ!acS9T@HQ3`?2surf@~}432V7@5fKq&XebA!FZjEk&nzv)7|r;E zgpAyw2;|V^iRd?LV9Z_sFlju5wWD6Z=uvu%ydB;A|HeH3vusMFOK&ZHeZzo#J^O#( zJ#7D#J^LR~kN=|IXrsm@fdBzSrfDa|UVJ8^rX__u%aaqUH-r&dZqUK(5ug3Ao&?WT zeWc#H2!TF;PN6p-F`ZMur%q`?LRPaM!S@BmuViwDuEzTh+z(owV$N%e3_Gj7{Z@H# ze(5szt+tk((2ItDuLTCY>A{0=>4mn35P}J?19(FSMiACtH|-4|!H5fBF(v>69TC7A zlMf)m=|jYMGkr&t7dH?=QIWPMO;VOL$7C|0EUa`GtH>*tbuM<)IZ;$AFRKozb}rOn zH9421ZG2G3_WhJgx5n%C`G?N=Q^6uhqI`?53dVl@{#ph9xAw=swae~*CWXc2rmHDl z{4G^$@6Vp||E8of$6*xm$fGwTHbcivj*hJK^!2Xv0Dxu5uPLe|Bla0G1k4S6`U8x) z_{&FG{c)B1MKCgOEjs<PK~{&=C*ZHI!><3h4*&l<Qo#QYU57QXG?*HOu~W`TOHhSQ zmDvz<vPS>Sb=VZT`Jc-UQ#RTOj0ym-%=TB_CbzFMh2!6B<^SR+H=zmXq%_?6+w3a2 z!}GwqH^v&1J^>x_IwjiLe>JKX3>is04B>VV!dN2N7-&^|bnaVy5481TC*|bVS$U2I zRzi2ZvWA6LLl2tVou{Mgz9Z?eQ)r%K@H)5kNmAE%V4V9hoHJ`So16LRv+L#P^ElVj zbNd(S0i3KGO81<F9u5XP7}<N_$5j~iO-=F15VFH<_={TS+rT!Lud@Z|z2W(VNSB}4 za9dnKrIO(Ou1dsr%dAy472KbNgC@tFN2jU%{&oZB_|UoNx1vdL7(nfb%ud}27=ANP zkc8QZSNb!@4=u!7e%*u^w^#SCNsNPy{q2L7uIw!3MZ`aXl4oR17Fh9aJc<1gc&{R# ztd5tYq{No;lO=?Su9beW9dhJ*s^OCVn7&jJ#EC5|oZb5FI`G;$fSWqZjwqT{Z5^?W zzG@n|+3YSD!Chc{p)6?dQ{r-)@x!3vQ4u0I5u$TcO#H}6%S@YBve@-ubKp{%?4I}{ z0~uVcqwRVE=YW_uEPlplKj>i4gu&<1h#3rvZwMUd;o7}%gyWasW$(77v)u=)cP_MZ z+1-|@-kFM5A@#c!ur{7k3X&2@sw)bGzr<y13LG`ztc2Ri9RK$XT=Na82xA>NM^<P# ztIe}bk&CzkC~7_X7vS%7;cz}NTNQje8rP396u-opr&ne1bK(wQ&~I6;;4WSA8HP@` z4;gVp^ob4>NQ~w1@d#FnMrD4#eN&0KfTI$XH1@W7p)otOk`ZU|440A4BwG1F-&j<? z%~MU{TP7pz;K>oYn?&E3tn?wh9W#x8<U=Nh&$}iC?a`nejTe4F=lLy{vmbu=DHNld zWK~~UQdUAnYI?-Dxbh-vqvJiGuVBxewCFe~SuKtFSWRVlL9^2N0XCZLEui=)WvS^g zMpjJisV`@X_qbs2Ln?(%tIJUTaHo7xsNZrarjpzB!~NKH#jQ6ulg`1~#r9VemDX^R zd-L^8^c!$*O;BHacsBa=n)hf?s*cZK4t00iQ+Y*A>!aoJ$9&hhZOgCX5AfeFM}c~u zL$u9XE^oN5Th32BPg|~^z}sFoTA^JZGySpOUbBb0-a4;8cS89*-owdrUw_R{e|y`I z%i(+Pi=_V;m-BtROVx9KXk6ZYUe?2TIn3;SeVA?D@;Tmo+WKtXet*O`e)z<O&~Yw| zkn64A!v6ZByN!FtCbpZZHNFd~?8U-l*e2xomce{D_HR66BLf_+g+i0Wh&TlD?7WBy zS-jhLnOpk4n?ZUt+Iebli{N4}cW4}eTghWrqZbQ1L6$@pcuIR1DpgpE*$6rvjH0Y0 zi&zO3{y#E^>juQ;N{PyrqMJnHm51XN#Nro9#m`ttG)|ufa2*ZHW+AE<C(0Ej9Z34n zeC7R%LX7H$h7FbK7EVl;Md}s?YFUKq7RuGJoM;XsrlZd{kySScr`dRHT8BCfwAXXo zfX?P_oGqW*Sk~Hu%5=V$b0aP^_>#q-p+6X+I;X<bvPZO0hpb_WY*rPxoRu~-U*ot& zQ||+A;7+i{!eUK{!kPt!Gzjci?I;<>@{v~cwG4)<b0oqxq|E;g!Kgl>s1`+4Ylx{3 ze~2+-j;6)xP=(cv1gjD0vE02`+wVVDZMB`9Je|RYArtgMTN;$-DxlC(NrJ;Qq4V$= z#8=fGtIlI5G33YbV}s4p0scM@P%afgZCOvr+v9?oXN|V~R+6?{uJ%YS=xu6Au54G; zmPrE_wcE1Wpc!F}HQ)kkm<d)V!*8{Zz`ZYYp+ML)N#yCP1!L&y1h%F^+^#~bMj{wR z7W%T7guSx;5v#EKJEdV3;SO9hxpur^@)BQ3bYI<6g;ol~?ifc5UP=`<L508GK^*oM zA!}J&W!povg7^{!i6@F;Hq>af5LKj=(7c#VFMrSRoR_8eYIUjSFb4uI){9O?5!~XO zN;pC8gCmF`xL5}R@16*iVJKWRdBh5$&<485MiJ4~JVL6e-h>?c6imGm@aYV{i^cpb zWz@OwzV;`2hndHocJEkO!Nmd~ZB)TURDP6bEn#Rxy_!&Z%JHut?LHurR58dYP-W!G ziYw@|D;P;R{T}prOHB{AOm3DlC{OxubRTLK4pUg!V6YOwp0XXgqv22^h12R8+R`~} zr>SU$E=ooeRs|GORFUY2y+D0=Z0Trg*8z{*3AlE5IOLVS#)8IMkaw+4qb6G9E?hb| zLYdoVAPnpPz#6{2+gBaL>z27pGKS)CFct*m_xWqNu@Hy^=4xTV_QibVDJxFxNlpvl z^oc0;djw=!>isk{Y(<kUb|v-r(W;RsqrqR&vKf03Alkcm>xC^$i{SVv<bquoeFrTN ziGwSn1p--ha;DO5&O;1#&p<}VO5{g;A6MCdx}Pz%GA19olrGo7=H%Xwb0i~^)Kp`m z<7KozjeuBLB{rY;7YTEI99fo`RgBp7Q@<CERihTR@8M0#Ug|xrg@|r-3!lfnh471G zs)%VsXlc_fC!0nCCHc6FrnJv5^HSgzu+Lx5b>6Fb;C7~L3H!=^W@X=iuwnjAz`90h zJRwijw$O!;F%4}6JWyS+s%C%N+!umUy$68VFIu06BQL65wfA?&Qo8HGfhiX1B8H#@ z)n5ThM%IP?hEv#$33FJhXVwM71cROb?SdB)Peruw>;5O9RF<xnA?=TPNe0+olzL#8 ziE|e(HUTiHaT3f)F!sSVe$uy;N$zI^?dT?rV7KbH2Qc;~yZ{%^EQcRR2YzkUx@4z{ zsI|FBh01UjA_*ia0G>Gq5^Va@3GccnM^bTcruw115Jf#Xfg~K@EAw&S4?Q^`r&OCF z9Hjf%iYXNsylGv&T4dy#<R<GmpoXAJ@Mwv5SPZekHhEU8EV)6LT_<#yDEgs!nr$() z?fFx7kpn3Pbt<$zlhEes!Wn!L4eXK8akg53<Yi3~$~thl{iYl!jz(xZF7+yLc=Fx{ zOy4gCH-{a*uNA)30MCR?SpjGoa9+$>RT8p!P}dStynoya0TW*ihF6f0ErFMjl?1}s zhrZ$&*8%F^awEw1Zb~$)aET+$d*D=do&;_MgE5NSiSu|X8`cCQ(}6wKB~6QpBfUY4 z55^71ii3`5Bf&^r2vLT9{un1|Lc!9<ABk0Zlu;BLGHF7JcsxJ-ovGMc8#ZJs#|?5K zKq^*Pee;@?6;*biuHulwzjiP&iWxv<;Ki<NzpodpY2bxawwurnV_^>80&)zec!{*o zC0)+h(5XM0?j52`*dUuEM?d08*$#GwAi0Y$eY7l<bP0-l4o2LrK{fQs^5U!yj`+zS zesQiyrxkX{9+#?1W2+$5CSV9I&Uy*zg1w|2?P{~Ex#7?A#vkC0)UK2eGFTtV#X&mB zE2s`;JJgq|9;75*2G#_jm=FJWo<!qs@yg22iq^$#E%ZiaN2?u4;6XTe@DnjVn7A|; z^~;GJ%+og0OVn}!41Ih{TZ*oY7RNPpxF|1&ZmwNTrkXtNORhR~XqfdBjMR>kyi+8) zM!KuL*zZihCzu|pc@phcPn~6K#>?y`M<pa1sbDl{MVvG$5#$|W94!bamFl>P#Q+l- zvba7In=QG>hN(?E-wcv0Nat%}##?{^=x+nk#@QxR8yCaRzrN%r6x^KRwBE7nJX1)0 z$ZWS0RS8aB8Cl(XCyxGsR|}mNN0+>^{hi9p6GUwbYJ`y!Ua~2Eq=Y3jnm_;D>`MwC za&DGzEXfsQ=B7Aq(6S4#>2W}i{wZPF9cao0aRF7?3Vy9kbA@5#Au*qrxC#OT3G_op zTe*Qr9{OUL-LoPOa~8%QSXE@!3x@XIhrdL=WxK?r?n9XWOh}xXaQeVY3U%f)&u=Q& z@FlU-4=+^J|2u+atKV-Z+<-lkAK6M?=uR_>8GeuPY|@93cB<><Z0ls`dC=n_dg4~? zS^d6q%cNP?a4qo04FfSVs;{*A=lM6tOm{tp3c%QjiJ^mFH_Ep-p-kfj>Mdzh&*fJJ z8G9UQ0wXzx`b+y%J85V_Ji|^fRzOOm<_Bqy{?T-^4Aw-j<rchzuwDu@pzU;-d~qHm z9-J)wig9}R7X&Q%74#kI<8_}DIs^{qB_xDE3$Vbg>Pj$Df-dsZG{~!1Jxp?o5Y)3j z9i$D1A(kbJRq)W<ZgFL9@aN~BlWSFEwrTCUUBZaOTi7N02+~>?EAn)jUt>6KPl(#S z$reu}3#QEX-GB#472}gKgNTqF2V1<q;E*-|PQ{xPNF8yWpxna=k(Vs<w}E!H6mxXK z3$p7}%zDDx*Lp*^2OTv4i;qGa^p}XIO{A*wen<;4y7UVXz>6D39(a1LW%Mu@Nyfca z`=8ZLg83$}lvGdyik$=Bi?>?rwE!B&ShG5%XI=aEI776Jz7Ql*RGP`Z;w&LJ*{LTv zl}&|ka8!clMOM%1Z_0A1EW*smPJL>E*q1Cs-apO3y^2AWT?GgcJV{(AoCrMDXMaoN zrnE(J-?%n*>CEzv$&P<vYL_-G&C$L;wbGsv)SY9dPY4ysFs|*FNQ(zybL=rOb1A|w zW(vBD)R)AV!8yd%SBRb_ab`mVbGqyRLNm69Trsd$=H?tI7Y(=wH7r{TG%QRIP}IQ2 zkeMn(**ql6@F!%F@zHcmrOOD}BoR1`l#lVB9|*vZvK^{NF1%!tmF2tyaUos0=;KDO za2*r<c<%S#eQZvmR0R8!h?S2zO0GpdFc=#W2Xz-?;@G99%siWHxpuxYF?7-PaPLg- z&L5O<O;>1};fT_5y*pH54h1eLr*b=rWBwq9k9Q||9s}+f^cn*A4UMHUq)@nCiXk*) zJ=BLkC+;&8x}ZjqotIOv(Cih0Z&h+sqNvS^XqAWIz2Y=0wV=XmdXL?yj>;ffdvC;P z<AiZJB>Jlx*tde#aMScarZrVG#qJ!MwPG#gMOW7oztp>wiQ926H#ck=6|L%Gc$+dv zo02?{dXX^OLn7?=hhU;ATgCOlpkB8soD6G;@Tpriyf(@-PWIgDBZ~~K(M}+|i!`p$ z&=d0qpj<$W8CXe7)7uI1`My{G{Plw{(nR%r$bB$hemoaseyYH6;$>nnh%MlF4+WYj z=8u*E**u(tnZ{Isa&__|{R8R>5JfWBUoq+zap6*z-2@_f^@nj(p?)g<h-!34ZYWBX zs6AG_v%>_zDZRsI8O!Wf*NCbxL3oFtMPd+{p=veZlFyh1!30G7fFo&*h|=$hBZ)yO z0P#(C#bB$zl{jI$>p{teytB|{2T)s_<_)iDG4=Jg^>av`&hE*r#g*kPZo2jc0y={o zw~CJToaXeMFe4kj*(E7*M>&IU!IB4(!j959puu;9u#}ZS(gFscVbOA&NA32MR{mB$ z7=n#YP^N}I?ooSa;;4Yk&<15*u|@=-^n`h-cUhErCm%fWl9)CkW?ni*ik(r+#|vZ% zkhmx-f@y5zU=Qj|l4|KFh$<+x05lTf*(Vd>ff|HTdWAHAZ8CJ^C$6>f`Hz3rJNTH0 zxJNp76}45*88$9ySX#EBEv#Z^R6Y)5agjSt?+L%+Po5f}W<pH5vm~c0RJNi-DrX33 zkm{P;RiIpi2T1M0(+4^Y#r2qu5T&Dp%EsrAudoPpp~M}a2w@GH^gN3uWf82T50cMV zRkNg~vT9LTR#YCX34?Gw(&kRwXPq`WLWXe2>Of+soJk6Zo=N@$!EL_ZcqL*ODyaqx z#|!U(7R~0;R<B2&@saq^T-FlC=q@LAb_GaG>p$;KRmogpQiFh^0{8(-4|OUL5I~*B zbeQZmiIwlCwdfbFh3{|{#8e+s??Mr0(ZY5-+Tv&%2-FW4;gwpCD=&Msmo3FA`}U(y z0v9(XCZ#x93ipF&ocopCcB}rSFWNKQH`3P9u7Mu02Dh0eb3)>s4uh0ngjJ|bk`4-W zly(0xBoRAN)XPDETAYsbl&h7om7ul44qtb0+Mqsu<Cp-~`}kBEbsOhe3UfI-{OFD- zG9uV^4;r5u5ZwnhZ2%Ci7$|$B92iOh-)xe^Te8-?+6#b(ISuAmQ5F6r4Ic%O{5q?K z+PRI57OkSFc+H@B?F?PrDjY-Sc_blmfPEiSAFC1_G6?eVdsIPLfCBVEX;eX`peSt| zHAb{R*ffQqplGIqEWgRUW&)_{j2~eMdfvpDzmSk@tPosdkGX~j`=y%^vk3;&sfRAf ztU%XTv{QWPKvd%39zmvDYY4LhqsgLvQVszP+8s>pU2x76F&?LMts@tYsBT&Y)xA`x z(sH#<v&)0N@m*Ww)OP)2K~7E=p4jkFZ<qh?MIK-gUvWuctL0FhMA9`i2D3ZfQm8r5 zehS*;U5gR^kcyv)fs*3KGc$bYSxFO;I_m`JkaPsnsaC9M2Ni(CB3yIa0Z~gpWHRpJ z*XKR*-6i3YwpOk-`7qf?w8z2H&>WdalPJmhc{E4yE51f?V&KBOdojuhHb@3Kcf29Q zSu-eCo+H*E+$G<sE=OCa-1YVC^v%1k-+LeWvB8(*o<Jat=00tJx==a4&vQZW3L@^V z;%-pYN{8>L!bH$*)Vp2w;+PL}{|aPD6;{V}iJV0d0IU90PE1D=w}9+|Zwv%ogM{NB zA<sYJNdiWDrj4mv#L*Aqt_vH=V($;B7)}hpuh<eje9yAw&ecM)=7n3#AqYSABPse6 zlnfL$l>)mW44}pjgq@u{w1t7a9f3KKfEpN@Qd9}k%RQ?Vq;Y;=0{n`AaoS*D$rC9= zyxL%3?b8qqREqfN_UuB*Ho(JuPrVpEzf*rAy*mWBTpA`$<W)P*q*lHGMn7bY{XeoG zD>{McB=BfOS&fG!NH%Xou4ahPc3uUCDKT#7`#`yo>VDt?AxMiF8;G&6YY>%%o|+LY zF^GaG`%N;ync@`ZTZV+y0@MM7z@R`Bt`Y+kdB-o<?aoD2BV<p@iiF<gr%%Hd8HG82 zhr#28Zk<IA{DD`T8y(SwCek1VBZ*E})_Z<V^vz4wRFnqpkYDKqV%K2^p+zWrzfRo+ z{|djf4m}Gxw!?ok07f<l6C~d~|0T5sv|KdK&-b}_Z!fS?hz=-5#v|M_4eof0IS-rz zivWzH0ON^4F&H_0nx1|T?w_XjB6Y&w{`#2P<^SH8TkU`9m^%%N`Old9^lQxB;D53w zO~Ib5fQQ9@)JyszQbuW$UdBoJpJ|q@FO+54vemtWzj^_ytLgp@tqB;l7{B<3vj34A zMHC<fGrt6rKjG8=zG%YszhtL>p)s<KbHV`v0))(7o2AuV3z+E15-39zD02Aq38NrM z^_`GfBsZL73kX#pqRUIh-MlV$P0XeLHvOg{oe|yZ&}O&Pd1zt7t+QVDQfl(#+TWJy zy1ZZE?6W0q(gVy3;Roq+695Xd?79O6T!0Wt5JUjO7{-r;bd-WGLDy<BLR=%QaZ8<- z_eV}Dkff?8D7WBRgpc*blI1RB|1a0VpE^JT$1j`xW%1}w9sWZ+`WJQhH^rmnPy$9# z&pbL)a$9tQ%*6OQ|KPwne?XwTpKYZS#L5E@lGvZ%KoskslD6D`;5bQ>cE^hs=>PC+ z{|I7HlRudLdP_O{V@v%}75};!4f=m*OJ!huDMw!l{^?&=@J&BCN&l(rKzoX~I`9Ah zJT!l$rT&C9|A%t)FO=L%O-nl*wPfCA&xN}=X-iRCsg#3wW9o=X%mei%R7{POi|24K z<KY!Rva0lyjb9xboBJ#7qq05x1gd?+{78n#x*`yeK>-N5j8b*AWkm#Z6pE`08TgdI z-AiOUq@bCrj&F?f%<~D8Bq%QeY7!r9#~asKo>#8Ztvp8E5^U@jV}pY~TiBT5B}|xG zoeUM_L3@l;&b`rbs-bzFI-aXO*X^!u(J=a#qCL(Z;zy<5MG4c9Q42Yhwl<8KqC|k| zOT%sv84;yOjRc8Ei#|esU=q?+;w?-^3$kS<?FCSo%vChhI|)lhI1(X*I4{`ArmpW- zJ-ocM@z-|c*Oj#vIcsRW-NsB+qvl`bY$aE`R-bme=s)Ol+&1O2E?42|Hv9CCJQQMY z^ER1#-3=V1RIyvFcNra5Z(gTGblvI9dp>TpTyMU?Z`|iRb<w*tFd)l?H8_G7X~B^y zok~B}R+hFBH{<cRtY5lrxG%r|LU!H0`wgG<z7xvpbuGs0v0WDYhX1@W%=c>)obTau z`rG{tajy40i)N>Qctkx_(Xr?fyeJqku~>uP`;0ynC&dqDN<w#<6a*DU*~tiV+Ws<Q z4!Xzysv!>~LnOT+4^ojdiM`IW;^Vp;4a#hYr-^V2pJbyfC~G<D^0=7D`Br7gxL6rj z>55W<`NXlZJvS!KZ8J9YlhLBd(2t}3vMsBC$7Q~pWS59xx?dWj0NjzfTbVMZK?4vm z0=FyHd#YYY`y^4o8rFzVuu7xxEpd3U!y+Q9ot8P$B+L;l#LRbmQKn;VT-geZb(yZR zdFiJ?1jpGhuu)a@aeYsv+R1xkX|AdR1a^k(<rJaWrG{Ir++~<$2awVhc<#h!w?S4S zPYT?{DxBzQj`b_5HX}<>G((^wgOA6fumzeI@)~w&JXG$XGO0>*Yefn6C*D*>aLNV7 zBg(4MN}+M3G<fj?T4f~G>EyaNG#c5e%o^Ch?>{Hq>(#Icl|-2jSPH|6&8AFXpI?nN zQY1rA{HKa1CTKCVhsNE=c&I0X%^XIB7_q+TvdM;0rc8>Pvyv4Vl_w$1ny|EWXabW3 zmP&0O<FY~uaB?If9t2fO#xB|MNDiDiV$F1H%RZpg3^(e<TK<fFJSgFLvG(A)R)d48 z$53Ks1SN+ZI~@bJk`@x#n_bip5J@eO(q~mtp9HJSqpkG7{rW6NUC;-mtjxo$)W@vM z%irkzkx*efI+5h0C)QrWthvJFRjz8eYGRa}Ki%UT?9X{k+kZ&AqbMv8gI@`!Hld~S z<noBYA+60yWg#10?sbuiEI!TY;84$jtKBr;TXgDT5NK&dQvh{w6!sSO;~?mVQ>G}^ zXO>@wdLpw1?6M4Ddir>HOWQ$f2FBq7MiZhTnXH0O6>abWV<>QfYQLgp{1IIF*MnuW zsnj!o5iv>qQQH3FKL6N0p6b@yv06O$-rfI0g7eK0wC(8PWUX+P)og}UY&Dm<mQT6< zbGwQTKKa5o17+36J)P8KV;ZeBw{hR6Wa^`G^rLd<L*Icf$&rs{^n*A0EkEk546{Tc z{_QgkEoO#Lp^xjuwf^f?2Js3v(ULW!7+0p&*=8+e)XT_fSL`QV)c)Z3@6hjKONJzd z{R&uWP}M$^0y-?C!~oU%Z2@&(d~fR5+}6l)%SNT<Y^I-8U4#`eDRMly1zZ7{iRsVz zJoOY;h=)n_S_?gPkwtOKgG9>ZlO55fC|C_+yc&J}Gs<}!8iMZ}WxZCnq=F-D9oE&D z)H32?R7^|dhZGJj=l6KRCnR5_Ie{Nn%t7un4k2-8cVc=H2$l4gq_-Hrp(f-8IUVtF z_1f(hkM@dG9{Y(Xd65iHSHwS<>}$Mk7nwlcu8N>I`m{wsAHzF8=E=uUb&4aRMqd1V zZsFAX&CgtQ;1$zNjq;Xlk_U_hX9H%#D4U1~VskG|_|-1*og?$94XJRs;ZQ?g9NeUK zjs|txT;rcKdU+fi-k>98`G9o}o$^Om*sZoWC6bXGHg<`Qf>@?8hDGUxhTLWF;P*Y| zoMKU@u61LoizC)yInLu!j2ZJit*CDcdm+BEDnmG#7hF4vKO-lMCdLoA4>)g)-aV5y zhP@KCtvc5*AG)U^X3V`0t(!xuL-S|EPc-c+{cD231kFh#I`D%jwjh4dXd5TbjL76C z*x3fktCk0Uv#c_>uP*|&$Z1q&-i!n1InSLbhMlwI=9kv8T<c{N8TG_ip=>Ly0v*Pf zvxjN{Z4h38hPyRUXE=R<+<8Xb;nLZ8z_VjC^W)8AU*Q9(F0s>LTneKvcv3tdKk5^d zc?C6)jqmv(U5e6xnTFYt%ex$rH10geB%%lJED{Ws9p`$UqD)7*Y-q;q*Nqk+;unZu zyaj(Z<luk}wyZ010k9m<+UAQ)5a>2bKhIC(_5dNRpv2u<r{8x4a?7PvS04h0-~#sS zJ>c7?Ek2FN8~kluq6Kd!5#rcj?=ocQ0v`es2pnEIEL~X10q+QX=|>T$1s$i=TndF! z1E`Ny#@B70F5@%7#>~iXblDFKMf%{A82t)vs5e!tli0x>^Tka)%2ohC?^NH@3R+iD zKyIx}4B24((^9so0;?&xh=4#O;+%&1XIMfw*L=Po_RoA1neQmc|LrA#^#sKsiw;%A zha{#f#i?h>zcBa;ZJz{K9Ni`$v<S@0tt_-NuTbUh0=wvQV|EXMx*xFTLC#_rwqV(U z2i%3SOy6t2GP3Ur_l^!R{0OuS%KKYvU^E8!Q)q4^#Qzh|+(9_+h!<(G=TPes3Q$T@ zo1qXM7=h6#F!lnZ3;v7+!@QI>_!p*K7DM39bk94?&<r{s;1V+cX}@ARy)SS;u)=P) zq;?K8KN`d*lD#LwQ-j+Xcs>5f2twr&t8r>aa#{E48<^WBBHd(9*+`ry^`HmB?n6MR zhh#q+93Hk+E=WxbEl}0kigaM=J091*caKudMUZ|kDZC)<Cn^$$4n;u@K_gC+XM~+L z`;8njdA8v;k+ia-RaXg$Pu*jE8UMtrI&c=4(cv~O(U5NcbfdjFaU~*Y@ukwjeQX>+ z=Axhp%z3GApe6+1Cyre$&hvF3GM61k5B4I1o(08%)}z~L)>X)IZz;btl`V5x2P|e5 z(~EP@f=p=-J#Yw9D+ntnnO-c)O)F8NFQf%RU4wYi=8iF5u_}iQnI7O2d8D)tSXzVK znDGD|g!B~BTE;4fG|Y2zA+NSanu6bT&kK_7Z=~BDiJdpXofxER-Y|=!4plWpC3CcN ziEdLn^q?oI@m}XK<1=S61u?*!e(L!oIDKg8O~5!as<c-MQ_eajWo`hdpWd*IAZcU) z`G=|eb80yV3y{dhuuK<Z4zuRD>Ab=~bw1BHGE&Y>d;Z%1xCiF-;Wmm~kbHpN?iB02 z9r$gH@|gbo%Hy{5oYqX*3ur-+{?w$yZ~oYzw8~=nsiM~k>f!xyv(4Py(3_0bMh{H) zA*3e6l^N_V;@z;DyV@QwuLi^u*Z`kUJQI+m=|Rhz*SHY7AV?=3C|Io@Q~q%tG*ZZk ziP9*EnKRi-8<HL7$`wB|tZrv6A>Z0YsN~d78<ytED|^x>1`JMbO;c6Y_pPUO^VZI! zB54|gwaUkU#P5L6k40NZQu{s;ZRFpyVwaIp4@KS1kx{iGHfT3sQg;otfofvyfQExH zxp$Mv)3xVKpMW`smldO~Yix?D13zp<O9ST$9spe)gJgm^C<hm*_077cRW%Cg&LIr0 z{G!n{KQS1{Gh0U)6`F<>z+E#PC*f09$4Dwc+2$oqL(QW(Lh?-c-Y2qFoD3%k#r%Ok z-+KALwW0l7CU-tHTeM@nRVVbuLs(@sFv(EAnE+BQ=7KdL?jUrUl4#DpOROg|Jd(hW zod=3Re|v(nYX*er;W`*Thj4k<vTAN_*=0C$SbWiXZ?x(5fpYt3jBdm$NwkH2-qdyQ zKE~xw;R?aO^g$hCD|B~TG!VKN*AJNULvLZY$g><G@T!dajpO(9{o4%0a$yL8RZm$b z)HA%Hbqh|1r#^P}Ee3Ba@G-b6)N@VX8#^hr3N%A(Pb4Yi)_6~IK$8V4;LW<<4Tk#` zY7cqbCtW}Z;Evo5WWY7>&L_58+f4qzJRJMEr%nGmQ%y-D<4Q|M_0+YcZJDLDh0g2@ z!WXBVJ+ARmiqrJ2+4Faw>J<UFLFZA9!G%8P`>JWT9cD{YFPcR~%}!M&zm`EW;9Uh$ zAU2@mN1(^+15Atb;T7vwzS+)<GUGJBIdIQs1`(g`&wyi0EK!R0Q^CC(otuoD8eGud z!^P|Ap8#;3zjH&DKaTw@!KZ7?39xn7a1H{;y?D<ka}VeC*qHFz1QB-Y_5}Mi&f#om zwSPwDo303V?g6<J;R$uxRU3Og>g2t(p(@FFZ?F@|N`uLviu#~C)5Cpe7@fT6`CoTS ze$#^RuU<1vZ5ZXc%JzrS`aMWu3zb;;HV&&|8>>QCdOfU0T<Y6fC8+p$pcPC2`$9Fq z@Vg?h{tfN}jKv(kwjz#Qv6+fg=3ONWy{kfv_Dz&)IjzJ(fCmw+`et?ev9qg4_4fx( zLuCT|+~Aw?+!b}krYqHYXp>%b#I{xSZ(!9`SG@C>xCbN2!#m}A<6QepnhFQ57f6S! zQdiv0%n?^>EZtvz%@rn#ch$dnz`1?LgkMwQ?am8?hsuja$<LP+WgfrKtI)6~H8})L z8Z_&rolQq$+|3_v?zC!4i95StsxDS?)21iKaS`|jewon{koph@(SaIxs3tNaG#vMv zr@b1N2TY0QgBg^qs~V>i;eO1;VWCE+FuhDgc^&;pRPV|os-DKPF2x>#+Fcl20SU4& z4J{~l@TVb~@uQ>m@gmphXMoy_#3VSMX}Y*SYY#B?7@WDQ9h9rl`jSPj#}GPG!koH_ z;<-+aftR(g3Y2ElHSN2L6g1t3=;_}l+jtb-FSl)sLI+}OXu3ZO+tE`ni|_}f486aB z6%B()c`D_!YMOvZ!gHI@xgc5}_Prt-1C~~}8R7WXe^CeAONye+7<X?&4xgsj5lg$J z`E0Y`wP|O7r8c<BadUuE9*e&{k!fzKFUcj^Pid~vm^-_Kd$LPe`L&H{`gDb5Euj0! zI;}dn6zj+4KL&>bhx%G{6-BtFMMQ}`VTj|gtUXuj$G+V~Zq8p-qSUrkd{CZ$KsV=b zKYsq#Q0UJ9<&sD{>lYXR03X_4Imx^Jf1Ttf)pe|p#Sn5jnU5Q?S7Pq)k${exNjX&g z07Qx2e<b<RAY#q3ap_E9d+5JSY;r>FiIq`Byz;9wo*{ozK`k$ba-&exD<^u07K@M^ z6pExmRq+Nylw1ctxZ09)aOEXO<U=ASJ@3qZF*S8HbvXjNI?&2|OeWPHIG^WE5|p4s zcML3`19Dew(rdxrxu$>HNj;Zi-}I=527_>Jm*}+DQJr;abyLPxHNmY2j1cCCOC_~Z zf<E<TSM`1*SBH0W?01exS;<lRu`fh5B&1IJJ+S^qqKXX~#v_{+qEt}_O?X=+%5svj zyY|$6p*ja$Y=nrt%oq+c)lw~2jH4hSeOOU|Jed+(Ac7;-65nYSkOXDSsF<hN_{)Bu zLglbN6~Q4YEHtSI-C2M(ic_l}xBhUN_JoMvc`%P8B)XCx^b6~7(yW2L5dt=tJ~zO~ z06{ohe+k#rKG4!)qHTYBLWD>sCL1y!<cc!gp{n4;H~v~^BB5GpF^YWvJz(@;c|gNu z0w*y~Ipw-M>Ht-wA~t=x-q-q!PrN)hL%q08b5IW09^iH$LDCT{$?8aF;l9hE?jvDG zwQqP;Um%|4#@k-BpDw%R{Ea!Uo&t3wW^BcCWlqI$)8dBqnIr}>>)q3Dzhx?~6+~HO zerT0P;q@ojRHd3hc;W)&ETesLsIod(9Vvdx)_g%sJUitloLWd&+$<RpjRrRA7Va8e zHLmsv^x_GyW=qNTS#CPJK|FJ%O%bZvrrh_EUDuh|4c}~q)T?p5<@0%c!y4N@dDIH@ zg&PJP8JN?KDD=f{g(-1F3T-vopeV5eN+s?d=8QM`H2jGcZ~&E3GFUM+BbBJ{DK(K= z*Mxs=I2EN@oN~f~3JXECWK=lyE<ClY)%(RhnOT3I@amoUf~PitWu&fpArtuiDn~sx zza24e8UlvPu%k7l&v(W1@{bVZd1kc4Nv|m&ZkPa`_V`8&=aHG~>94vzY%p$KCpsy> zT(P)DbB7S=g>uM~BoTU)D@WaSsfTZ{xx;8Stidj@HpB>i-@wT<jLXuHzE9*dS%x?T zb3>?h#a1oFT>LgKy0)f+qg1M+k}vlt80XkC0m3t%JXqdqthdgM+DLF##%Q#2$)XY| zO&uFOicA43Aka@9R1iR;#?*tpsy!b*iq4~xI29rmR)a47n=b53!e1E`^r$E-UzNf{ zrH_WgI~%=no$|)v2iScg=>#K%z7hD5JJp?vLG^s5)?nB^5p36723Uk4;9bqn2mytH zx6)u;bJ}e8;+m(}NS5iJ8aE#rn$TJ_tm{At(9aUc`W4jHGFiCrN-am_eI|BS1x2GZ zdy#G9{ifS(@Cf~2Xm$d;C@~9*Vn)A0gpHIOr7X2Phx?|gMTBj%s>;;_RI^_hc9l*& zG(#kV9!@d9h<+NJL}P%!SYvLS!vmRq-efT(_XM1Z_6IR}z;3LIa|DUbS;R?@o`H8R z4FANWK^6_0I}#oSRuGD&P$51m9I{nV>lb{M9_0fOUuH5Qy0#>;)xQJthkxwXk6sc4 zJWsM|S%WM&Z<K@6zA<Mo?}cetK25UB_f53q@42wPBGKf3zot7iVVd45;RQbjE9Yy! zn?aam4pVnZ)y>bhIofZtQJ%j%*LiE1g;jWB1g`1C6P~Ez5X=F%mloU1`lY4J5t~L0 z3-L14a4j_&J!cnOU>DY!#XrKg_pyDn!4W<_A$_UVBv}nvGXK6Z^9gon{%{IMJ8e)= zzkLvW2$R<HbH#{;rkx|mfAnl@TK59~n_{O0ZGGyD%u?BAbJlZm1FRFNSvzpm)Rebu zRPM^%umzdh_<#k3MNVDn`V(BjHenDM@V9!UE*_-R<{$SO`<h~myx*h2v(H$pIF?2H zxoMr*aOO}^k0-3RDJ>qel{(LR7`B6794V5pN3XaT+}y7HkrQ18c%YVHaPWSIKZnS? z`Q|H)($1t#kSHOXgjS5^kW?{@cmc?#ObDCf@XjWryC$%x<MleV%rquwgTrs=Npb-c zyK(nGL^Ge-_(PqKZjnG%2k0-kDVblBD#6RC6cmp-VlJqyoK38PKP=-wHrJ2nra{k( z|E4CO!r-b38NxQ@Vt=8^ZsddoBmZRqf%n681S)LPWfM^-j#WOVX=2B%TDT-*oUjSw z3|`T)S>QQmePt|RO;sZ;Co(k21ogVPyT7M?++WLzI;FJjw#=y{iFBv=vJ(Lf#$H%_ zspq+U_Fed>1-c?hMz9jPFT_8S@OcHi8N43sL3w;aj6LAQu?Xp=z5~U_+1t@FR4m+F z4Chn=t+GaRbfS!zM`A4rfu0W#9#d|CWSYas`SxQ&<oJCI==Z`u?XHSeFWY}zo^bxZ zCr_CDPn9P!u^Im;erJFAVvGNKcbWD-$rG~lZyjb|ff_s}f90db{wq(z>2DWX{)Ifz z=<TYXB!czC%zWM9>}uxP(0-Z?mkArRl^GU+5O!G`M5;lUA?hMDtE7D4QBY#W>3Izb zT|hx(cx}ju>WQwfYvtzQH9Zj&v{7<!^>+2#@4h{HrFCT9y?ytsLDsF1v0Y!(Q>UDh z)j?RMxQJGTuZnO{JvS#s+N_w2Spq=c+wt?h%)ocea&Y_V&3S>E4+eY%{rk-%pO_1m znmcj!`NjN%=Y(UF&_waZt^OE0Ps`Bubl2+Elxx~>u-fzWEsqhO)wT_s3G|7^z0>UQ z`mT5Hcr-<K%;s23f!QU)GJEdiRg@3jZ^~Ei=hVu{+4Y90=nu-DoGm=kuh-H|O>Arn zq|C6ilfRalLIz=@%RtN43bBvKGZTM7VcXzjTUkwfoY=TnX@J5|V(X}ah~ht|B*Ri! z%CZ&N0e!}hkG28tYU#CE-RGM`(?Vlqi0yCeDQjWXaC;bwn24CrQ&?Kx^uifAd6!pP zYgm%0`0|%CE+&orq@@n&P9#<umG;!4ir$uLCOcQ`-);Nic!5%8eb0sa0YNnvuAOI) zHlJiMMY6=t!H95SZ%4}OjdZ=5Lj~~6J=k5eb|W)amZ4l<Wn-|XL}6>qgKbLxU8;$$ z13rpjCYT_hCkko@z9)HdbdVV<BUYCDwr6kgMwzRXLq%_$>9bT>=g2J$S8s04<sRG4 z#?Z%ef3^`?F}+t<*$?4^knMaV<mk%<^_tT3vpB<2OA9N5xe<1<F+HRhJKPN*pwT&+ z_H==QB6BgsHZ=f(l4#I5kkCxf)AD0Cjvg#fLq~zrLm-nI!*p@q0Vd$Y{WN&AN!hx% zs0nf4n|}NRis&@ZFF3|YAA&JL3LmnRR`#%K@dX^9Jxip9a{diDs|NTurLgBXjw61A z<~={;1_78LnqNpcySvOJ_jtU{7UmtS>AlGoKK{=e0tC8*#p~z;=K~JE$ZX?Fxp4;C zNtP6s=e&&j1K@jxJ@&t)Re}tV)v8m59TSWp5#WWc1U)tl!R`byA;kJY1{2@`K}P_f z6GFK?EcQGDl4%%#Ag5wJDv(73`UbsH=^yl^kfI`_8L5~iK!<4BF}V4%Bc&g-575)A zehvSi!rIgU70{^(VCcVxm4#S#z!k7R4~l==kixx<3~vF2`LqhGAvb0SGOc3BmBo+K z_Ty?LsB0m707C5ayJ6?QfVMFy?=t9!MyB(H5XQH|PB?Yy4>&55b=IkOx4-2d6Z7X> zghT<rKe_QDu=Q)-C;;VG)j-xve0XBWMF+QsW#!RsS}!|%0Iv%X?L;KND`eajN7$!X z$A&P@9Hm5^4@ZcV7sG)PRu+WAmm4f2c+U!_sujm4pUom<8SjxoI%9twCDgx974l~k zgbViiffK|i52sLwG%!vQW_BPSr#3K}XHW4A*(i!xo4fnD^&@q*UiejqIYs&_Yn9~& zSPNS#;Y+~F(9~MvWt*7%4Jk9a1P$At3jPihco@JD8<54FOcjqOm5icUmLM2GMLAK# z7!b=Dxh4;E08RABgu{<&UrJ2=lSP;_=MwZc4wWpq{Qtw*Ielju1Zh0BF|ln-Y@3s0 zV%xTp3BK62ZQGvMw)IWy&F<Ci-t0Mh@vDB{(|<r$b#*;YXBq!e%cb0YVYg70yqp%o zKE9FiVwtmaQi0k>`cRRCu8@sZXol=i$WVS+iY2~-5fO?9DdS+HZ=XNpUL_8K`KLFI zz_;=qB$SZDW8xpV#%P*+=U5xLVpd1CuCU-`$taWHn==%F`i~InmbFix-5X{y<RM{< z9^oaa;-A2jM>%V6N?qAxIV`Jm#(7qLiAk4`l(RL}aTh2||NNLRR*fLhRD|n+pGp1T z7{!L&VFFd$==Qe4f*WxSmP2?EH$oqTJr+?=hpq6Ift-Y5Oj@Uz0n0KWoDl5M;UsL- z_UF3+=!nD;LiMY7Gq(<ue>G$L{#kT+u`}EjHc#jKeHoxY&j$F1`_zJciJ^qe4)l@J zFzgY*9o~rHO9X!^x5aSnilK)qE72Yw;1Dh^%qFQ?tKfh6HSW1XO?0Ly5TU4)9qmrU z7Ac!!hjT?s-zZ7gmI}schmV!S1kZ1X;d47O=LJUrh;9*(TjNkX`;dkeId7G8o#B;N zHboZMTTxv9GKl@xZ&$!>e8=(NR!zI<3VY*8amI!gE?)LPGSI|Y^!;?PAy+B|8(=nE zjvNgLXMTY95mlDE8#cj*o&#fnEW;KDH{wG1hlsjRhGKlH*zK645(%O>DUP1QIB;fc z@ff$<vIyE<d}XU5BLWl$8BG#m#AwaNd|0qAUxf$T2kY7r!>=9LkRJddb#2k(uk2q{ zD9<YHU6lw0EUEx;_1t+r&m{1VFnAu$l%%H%_G^qp=?hVN2cPwWP0+CK$n+3a^@E;w z`eoN~2PpXPs!HDNrA2?fmWHI?7ahM!N0+xu!MC57ujBrp?^EI}@7AGb$iJUC+8@eu zT3JYQTJimcQsw$p1vgRe0M@F}iTFizQ-~lmLVyrDYZX~c5P@ak)<*F5Dc{He<y6R{ zh$B&sNOvQ{MwUa@_=UwO&?D(NYfzXk)=1pjGx3nuSja~NZnK`aB|ab##EBEN7i}+Z z#6JLBVG$IrSSab&-eRDjg6C}BhP2_U(BN2LdwFqr$0JQ>JaS$5`i;0lj6Rg+crb#S zd9A~+b@2vqBZ~0AK+4Fg7*FuIe^q=k;g%#qAQ<b92`kp(?qLmTU(;N(cWY<eijwYf z8t%H>HY}%APF4C~ogOC4L1OhON>d*WOi5uz0;oo+W{%5L+%^4YX$98`Zth;kFd8iq zcM)GvFRr91ORJe8O2iwcn$RpU?>i~#uswtO!qZhT+=wBrx*M%HD}Zs;6gghT6EKn) ze*fo-gA348WaKI!EF}#JDF*7i6kpyaZaTh4bl4c;R;jF<WlO*)-;c+EU|5tA+0jL5 zgTNwXhQush#0f5OMmbq#G<O^;#0;cR01Il{AG>X2nAop4B`x6f3!Ht37{524avcLR z*FB1;Z0?8s9v8+8r|Xnp*p4hnNN~AF7ON-qvLOUs)b{|;b6ogac@j-AO<frHm$s#} z_XQ{>s6Xl?=mB=`T4`B*JxR9o=o`iy#OeY;qkVi-=|==}&Omw0N~hq+!UOQt6owk_ zeE&?<tWp1c{{_h3PAq_K9|DXA$j&x;^^{o*p5-xxE}KP^&5U?EJN1t0o9tUhm2t9W zjh#8z_%x7Y5RdBbiPC_)ETYn%h6N&dPm011Jr({CkEYL~eQi?}&&_qY*OVA4<$2Xv zXL#LQ!tu?yThK21N@Ptzlu&EpQ$uIFjOzCS^=^x`N74hOG%~^YfPjtK>n|oc3Zp9# zDl<ZvQdBp=T>vmMi%28&spcUgqO#KRS#lfkiAAyNbeW`|68K!Q(k_b##HzS_zW6{Z z58`|NruA!X8>193T*sgB6<MXE4MASkARR6F7bjo>m{WqYHHb<kWh#&bX(sM%E-!8e z#Tjqx-+zp+!nU6nHu)Xy?h>6UJZ0c%gar3WoKo##MmRZqRB})Ko1xy%n81tBhaHrP zKAEMgpxYJRrj<5fo~)RTr$#qXSS(ioBft|5<z6B&FSeyo3kt^eDHP4tDpNQMsk^vb zK2&&pQNbjf);qskJ_JH8^oZb?Udmr=;8CE@pLKdkCIslq5=q&3^owZi7~8B66$bor z_>FVXmTl??N?NF(7*i8o3*%M=ffaWs8H$}{)kiWgD&X9uq`Lc>#?Ps%n<U51(!SDQ zA7XF_l6~$^<gnHt8V%pJg;??gzx@z%j>f*%pu_^}xOAw;jDth6yrW=@Qw8L0lN{)) zKvv`r=1w7B_|};MJIqDO*+>Q&s5h(Vy7;%nEa_p8x;+Xwd(G=PsJE1P@8|Uh##DFO zyb(`uZYyUuhhN_vBcGnY7(%$Hml6D<s{|x`BuZR+cCpnSgnlpX-tYqK$rlv<P2#Xm zBQ&cS2sBjmLl{(u3QCCvn9Z>1(Sm<*+lKp<k70>@T$vHUnnYe1N!s@lp~u7FmRjp6 zTSHL0e;bFk%BYv(jC}&fa>a*qqKFmiQ2aQk^^7!)i12sLu?2q{%lSkf(DQwj8|UDn z{y7xpN(7kCdhe6yjt?P}1;O|C8E6|l4;P~}nuGUB$O#RM@&)tRF$|LduI_A{BTn$( zyQc1r!1PA_TcUl0vrIN1jCX%!3JcV^c^mo4>b{j2Sc~h*^3IR(8O*@m_@e(SLcbfb z64f>!KwZI^02|Il4E^<x|I32T`WhQq#aQDq@_>tvXpLoOboRFgAG#uoX~?r3ht(g& zOv7F6vvOYxz$3)2@6an7RCi10R6|C}$YUd!1NN;yvoee)Rg|4DTy&Oc%FGnZ4n~>q zb(Zu8O8r%MFOi(iYQi)<`;ec3I!7t1^T0l#LvUf(A81YvwjKQb;zsBdiiHE8eJti$ zoa`!lD+`HCOK)B)0xXtZb|1w6f`fM~@OZCuUkKQD6yQ>TcaaIDaACRu2y8|qAY61- zASdqtxj_Y%)?(HlNqG3KM8bgb&w`|+1#1At1jg`b&3Z9o`T&ghnP)gy&_rPmo+{x( z9r0IMBwpVkma}rGTLC}q42v?T+}A&1y)4Bc>UEcP3OjN`bmd{)p~R{u&?xZm0nRu+ zbWmU;`Hl$2CoPa{CfNW;fX0lvz!xNn1@{FzgOp59<89R8>-R2AYiE>iq2owLq`o;Z zgV{Q95}}Qm7NHHvrFQ^Ds`*3xUgmb|EP3~};2m61373P#fw>}QI?vA;qzCzLDi*6{ zV2IFq0jM)d+y+1>)&?nsOL`0zLLnG6)PoBUCXk`KkfYE%TsS<2IDq8GDCdjxuZmjj zls1gkC0P-(gSG%p*OnYk%JA^no706|D4%ZVEdP9QzC-nbpvT}n)n`s0J##x_HOb0I zr3@fnL&>2mZ*xsdS_Jr;Y2t1)h*{s?%GAS}qca=zx}tP4&vz!*Xd%`^5c(@U@l<|N z-h>FVDK+HM7$Q0yW>}EKi1aUq<anoPrtal|65qn5u~7%fl8aM4P{Tl`tDWLbC>^_M zHvA6(<UWiTX|sn9c632BtF*B48p0tLhnE$l^r>*ToWySKzwbPRAgdf#5zoPkl7TnB zIlrA-jY!e--!Sgri9P}n<0&fJM!y<Y!ZBAH+~20ypNK<7>nmG$LqN6_9K<4&a-P4= zad`w$gBCd3z-!-OOpnko&ROhU%2y-4rKoLcOnYm4Io(t7v1*Lq(6Fdk(cCM*TO32w zAW%3X%<Tdo8OJas1YM81HVAPm#g3^+W|$V?uLUT~(gOA1k$Oi|RNuYlby4EtcLnjp z9a3vbl21x1CJJg{4UPYh*BXC>e7`gRcYMcd%8G_|qC~A-(6fmsdgwkJ0!W=25QBB; zAt3AL8$LP+w1-A^+w?BBX|t_$qMQ*_j7zf}Bc#eET*buk%{xMYc<MM&VX-Uti0W_y zp@m>g$%32+_}&Bmbj$h}K?C1z$$C*H!_4XvR|QP`F)(eD*b;06C5$q8dfEzL30-~5 zxNcC@6&ArFm=whv(2yIIfByRWP`yX8H`myZLiWhTs+meN)Qlgx&m@UiK2$GQF=~L1 zUPkzfAvE7hPE6+~)KVcFLXeUxT5{Q%5WD;0;@p^JzS!dK*&Npg^t!ug7tPwHg9$A^ z5j!^b%iJmEt>e$8*`ZPX7$mk*@bi9Rc;6KnEt43?pxH|!Et`TI&hM;xRJv+Ge>2$J z;~51Jr~T*%c>mVTF=XmQvz8Xa$xiQ4qLbuEG_rysvm;gwL!#cKR4)qCZrLm&+9B*= zsqP|VGruYj)!p^RzMg>t)@M^M7@D7p+Nt;l<ppIafotqr;u%4b+ZArtQfDt74;HIb zs0=>#J$SWp?P&fQgBT!Us;m8`+9G1e9aX6emmH@CM2Dq(ACtoIx>RzQ_e-#55OIR3 zzt*Wt24|do*{#c#TNDn!l9EH;r9xx3i5C?c?6WNKAb7_G-ws_y00n?Ti>Mm+IjLlU z_zeX(js*r9@JZ#ZVT6&b3K^*dZ|CogaaQl&11-26*{%}j1SA4%bwKy!*jl8=6lcWy z)dLnyurMKpObHIyt=NX;xsXQhczKR*hHpq}LtZeh7Jgy4^XqlPm7e!M2NIie9Aa63 zuaX6(b|jB4mz)_u8~$QQxc|HP-e`OedVpK1|29w8<{2XTCcH~7NgU}~Dk|RaV6H%_ zl%V5N)Q=4HM~lz)87jk$WOlCaK&W(M2TZS#bZL2c{`W@8R1unJfWQ?o1#+aC)XQ;! zA|4o2=)p!D9%(5mCn?D#lYWFF!YVQ24K~y7LYnDO<(_eFf;;owC#XHV<lO`ko_<ji z{x&(~H24t-Fwr#LIWbP_eQ$4PR@?F8dk%lctK7LV6ry+u^3WF06>wUs*)~Zpcr4`v zhTjJfh=Y#7|N2@y@{N6Dqd|c*F=L9uk1;R)`%e<2tKE?ie^tRKwTIG>l@qpve@~>5 zHf7YAq^`93?_yoFSu=s1Q9%)t;lQh+UHH*ccDoX#9H|DL4yy{3%OO+HM<|AXeji;v zKTg;9D1C8>k){m|`3lr!(td9WmypR3S3-Ar0w>l@oMlxS9M^VikbA{_3XhUy=SWlz z9A8kxr{(Td<%W;vs%CMZ6C}nB^-WX`ZfTuwF?4Tq_<4zXSqOKrBJ?K)$>v66vH&2X z!SzWI#u^-cDK#M8OuN1xk@F2^s+oQi9Q7R8GWzj|l3+X7+JN7`sNxL;1<}QY#6&r` zns@P&{&J4eyL^cj2-QOIaLNe&BWY<AgMD6e3gs{aKpQJRVxd$T(ZaguEK-CW$F-8Z z(^1-iMi%;}1~0`!?1!M~Xnod_{&Ma}MVy{-)4hM=3|d8siPZZv#qR(M6vxLx1}7(% z1&4ApRd}`%qAE@piXFI?-v3LSIJA!mGZ)Q9C(ws-QqP<b-1dhi%Z*)y>&mReVV(9H zaJjuEXMhJH$%G5(vYRNaAWCu&MbZu$N6qeMs`Hdi-pZdjPa!nji_6Ewt}G$cS-qlW zGecSJ<Gz;j0U_=<YxxWs`kMCjKj=R=i#8IY5l5%~vi6SQE~Q!NS!CFouO;_o2IQLU zuX|q-qX^;{L_v6Y3$(|KRYlO3-ir%hnx^o=D`l%PP(%)sPs9DxW>iU=trio5OV{am zI=hy|GH^P3r`{lf`G-x5a7}hZEI>&~0|w-%m#VK?5i@=LutZBtk9-)SEEb9(-uK&& z6Ch4G2tfCqERYbQoC41J3+!E_*Qa2V)NoAk?P6<&fdiLu!gqF|_x*>MBLjb+Sa%!N zFxONmmS9cWOSdfL8e(@rT#EAhh4x2+C<Q8l+FQXYM4+R*7KAJ0muNEb*P1>i1S$vi z!I#m>>58Zso*T$0lI{xykFPH}y0ori<Vpikb-%V$JFK7U=)Yf&xZ8Re(k6SxQ;)sU zD#ty@7Z6``iU}{r!W<w@WhtH#6n#ypR$=6BkKS$Z!4SUx^1Db%IhNCwHReFSyDhj2 z|57kh0Pn!B;>Fn~3JN5jwZc2O&k2U$+xn$!^!OvJ<cG1`JA9huMip4h5P|O9xWad5 zY%(4(8Xlt8R9Jg*?xFnU3jPOiU^(*;K#24~`Bt($8G0LOunU_u@gWj^vf^US>?dam zcVzgp2Ff<{uF3wEp$o>MkDt1kwmP#H8EP#n<<C0Kx~-peGpxyhz7fDuz+9@y(tSV5 zyJDUG-Z8!iCDg#ui^vqYz}Zo@4l^!Eh7XIX?#g^em6>wxY}K*=`T}&*V%E;6CDa{X zfOdadI@b}3N9^o_?=0MvVc+uOYYBh0PFw^XN0ybWJ@aDF|3HYe3-eDKrlt@<2BBI? zOG{-I#b*sX(U%aFj8xHHF6-Mx>Y@d-as-gS{_i#`H~!!ernYoT$mWsHMojZla=Ni} z)DZ1{hHu~^$VdrH#3noNmOU!7bQB%YwHA#e)e1dcHstqigI+?x5%Xees#Hy2s&Bjp zg6o9_>9wJqrzrl?mDRqnZt<)+P%c%ZdI_L()ma4@k|WKrJ@7$$amO8>PNecKMUN0f z$;zGm0{E5vawhJ23=L|Exs;x3)8TzAIW?%FN;oGnX?>B17(MyO;S<QFbPq1i7DlRQ zRn+bh{wLL!M&!BBLa^l4m{44+DL6cYEjK0sfic$&ScH*7lcQ?KO#v`5CS!0Km9@z@ z*f;-@a@Ivqq$0CSXQWg8=<+RsJtom7hh<~VxKT*poO16ZKJWG@Avp(?WU`7f7a)iM z>MR8_l~fS=(5gM`BB%-22&f5EWzZ5mQpdA{pY^rGZ4qD_d8x;LUq18wNr-*Hgk}DS zfY9(02P^o-2vi)*rk517MzT`vDBBxFW+tzDKmCRVjT7sOJ_by4<rncI=`Pnoh~XEd z^&CPCY5$00s2hIi?l3bhUlhCuMtt@H1K*IUhY$neR;~g^Ge^n(!?@f(1`%eC0>!hU zEOlmi?posvr|ki@Bb{lsqb&MJmkcMKEt-?<?4+Mf_@a_L+uL<aJ&Xe5Y*tVXh?FXH z%u*@31x|<(g?7=xZOmEgfpEl%l^0M-nf~N4SyEsXMm?v&iPD;0@Dyr+JiZB@iq;JR zInsNw<Uh^REF4N?vXDbbSuj{M2?%2)AXDTlNS8G4ELF|_qDIg3jpB#+(~c-BxR$M> zdPE2-IQ_Hb=;%@H(#4EE=<E_VHa<62)Ug_h(-ey%uUI5OlY_TM5jMlcY;@>Cx7R>a zu1B)xf+RH|#GE-uE<MPt8CF&}BTak8QJfjD3=1(MiIlPzRZA47$gcEIJ)yN*ZjZQg zsWD2QR_js_`*lJq)k<n}U85szk!fMCJDXCaIBe>wpMa@}wd_z*%)ay+rGTEehq8p! z_`m>!F^M8(_y8QpZ?@}!(Gzy4F<E}BQAn+oa;!0VdW{b+-Awk9{EUBgfG8Y94AjaX zD?ea%foGc2L8m!UX{zN`bBgp^)@#rvMg}5qCxmxe^Z>By6^>%1I>qw3zlDMRx{aHP z*mlV2zNy|%bKq!`^U89Ph9vC^WLNOOX7q+=jj=FV$A8s}9?J5H^(5x8SjVfoV!aG7 z#tW8MpL95M3qWtBBQw!jk5W1@kRtVG<|#yg-%_5+&5{h=YSPdqM$0OWZHURKBPq{& zNy--=!eK<zdt?lp#j`c({m$T}T|Lv`jGxf4d0w)WaN9I98U61|V%B`C;g<c+hC2>J zKLg>m$LCEA+ac1GNw#GA@KqW7)6uxcjb|Pfv3rglGmeQ_Wx7Bgv4|o}%?J|)6*lcP zilhZ#6G5pmEqX$AwfU?_lS0LmP|8%y62;FmjwNu;J;b6XE;M^CZ0eVUaIG$AH00#6 z1QmGlA9QGM`)6QTIU=G4SStncE5(ofm9Ybve}9!T<0b$4SuF}YS8<T57#+RYTZ-32 zRoR~H$7~$tl5dg1y=}s(s12SPk!bp1WoZ>fw8ZLPT?#iGrlLl@9abR%WUhc4F78me zTnX7%f$eZoqwYz+L{cH7L@U`fDQYP%?&$_Tg85_W;R(8z#>}~2VEg9A%vrlc=~WuL zWQ4n7N6q2s%`=Dyw$q7(x&Kowsm^C4P-GB?UQDryWU`ZD;0C;?MgJ2mz<RYNWe<wT z1?X5rplUByr@_$W%8lQNVdRf}*Jy5N>hi8_XX9L30Sl)kofWv=3vn(2=*@RH#o03` zS3XcyCkwK?x!wTk#p#o7JK*rOivX{uF4}lz6(VQp`R%!*i+%NuSTLNGSa~S!u&QYE zCxKF71-MnzMF6foDy9<oBJ~v#`>$*zG8c0+2DmLPQQh-E`rhchM<J_q>g}_|hIovq zd}Z%4xrq^SSjOU(E#$EWDbX_HQB#7QcywseOQF<m%$eI;Uo^}xGx0s<xYbMJkiXw| zc{E?#<H_keOwu_a@OPNNbQmy35^BU=!0R1${MoH;*)A`isMa0$UUIOsHYuC6a)F}P z7ZH?tOL2lVT|D!P>CY7VI=+3*;8WyJXNr_9Xo_DdN|wDW8k;asFL-Ie`46|krt;-- zP7=eOriHQmc1oINn%2I_o@U=#2v)z>98HGk)HJI)XjMBIs5F3nYWww{H)`S^#-Ke! zB3XV$)@n)gp;gbG<SFk(5rnxn1iwN|;Le5ce_^KB24bNK^vE3MgCLbVolXV)*uuNl zvJ*NV#zu@8wQ}H72tELY&PT$2Gn1BPLER05*Leo{MMoxmOsEnvA&i^;Y!Duse-QpH z)AX39=O!eKyhf<{^tC}a1ciw?T50Kr+%3GVqg9<jkPg0a74y3cskf`rnuZ@|C^>I% z#7N0dbQ3UyHiJq01~cPW10Rn_UXWIof4biYa~Iy0kkRl^ioE^^WySp#>>>7q#$V(O zQ21KWBPIH{(kqa3gO~pb_A5}S{<0OEtN3m$)Og)^sW)SMoQg0eH7~VlQxoQ%(`1AT zi9DibKYy(&Vz?u&_n|65lIKO3AU#CZvMKv3qd#=AD}O~&p3AZ;3#y_&cw^M0(trH5 zBPhysb&H!fM>r~&`}SL*b>fpzJ=Bo=M)tEhW;PL$JDH$he%c?C4Qd`!><=eQi|2RO zfwjB=>1XO}*TVFq=&=Bav$WLu%h;WWrraNeswIuK{R$<==Lsb?W+VewrA<^gJbTEq zUm$D=)&0zhAUERAmBR6{EVr3?qLSZ@OThA>Xo~*&1OC+w^2(=Q{^OJ7gqSHxk*$Be z?VFRRPqpn^`IfEryA^e=qG#H>oG4IzO3c};W6$_*cjw|{k$rUcrrBk}zzC^j42PDW zp%T-h(++aGLOW1!rMi#k?DuZ2X@wZ<zhk=~AE3KdV6LIJ4Wt<bQaRPWFmv&)Y+vnb z0M*qtG(s?bJ!lud48Q3DktZ|DXoEVh1V`UpOxr}du*{Z$csVc06VY5{mdKy}S>lsH z2{l3-@O~~CM}*r8`~*Y=Y>#eZM6!`)&w0%g@ZK5J4sX15z>_gj<l!Q1*oV9-_vM;a zU6^G*<7|*^A#0{#e5>(xX8SXe-&!gSHxUJB?T;;5Wj#(QxZxB&N&&E5m!gE<!%}^* z+uUK)Oc|2QS;rBg?Nr(E`Pp+wO4Fy--;jmJ%ZU1<yfw6ONDNW#&-oN&O}>d8uQ4R$ zhD;BOfS{{6?uc0XbD*IFOG|nF0gAcfTuZv7?vaRjhhRh;nUa&jlqyknH?ug|M&-Ih z3}+ppD+Wfa%>*@kVF|5$P3A2gt0isHVo@a@=FBH-<WW2+r5^UUjQytU0TA;%!bOIC zF(e2=)K6W+?=$JeV&IJF2|5oeF@1fVvmiZj<X#{`gD-;Q?g5!}1)|b!?#&!`J^Lg* zNwMSv(1-kL&Us>Bk2oaGY7Ue;E<BR1c?iW_Z=Q;Up&wJ*^eN)hp$N9)WqZiVoW?mJ zMZeryftz)g3Mg0!eK*axk#tgH??0(zg{n?jyS1Cnw({j~>}<U%dF5*}XcjulGSB$u zEWPY(Q|Pa@Wq9s}=XcGn%pBGLhe7F~_9B$+yYqo5I+5m0Qp-1J(oy^uyNF4bGfNHr zVy(yar>xS;jnXlVhGkbf*!}FGh^UqRkc4tc(*LyOfTINk`^qcaFP9$>+%?odm)mTq ze0IWJ1If*Oh-#F*8S+oU=am-KHJhEaR4))l?X3AD;*_75Z1nP+I`W+F8FmoLO|D2% zPwED=6F^MN_L2g8?dR(xG7H*?Jx<ZD`7|x=-QLACT5YPS5DsodH*hyNKDp#R0s=N+ z=)Xj~ke|(u&6ORnJ}RYsYm+}-$igqAO5c)%o#(HG(YNcpl9mF05cI<@?1V(&r&Yh2 z_SV3uju-5Ug1>Y3fvF-OVEu^Y`a2zVW6RUa3@p6C=!`q4tgRyx`Q!fR?)@Sj<yq#g z2U{s|$mvC1|5@DgGj(<Tji?|QNQ{<QICaLdMrtGzNeh*WEyTbh%!6R6a6v-p>Y5$% zihPFUq14-#p^#jyc6$PPJE`UY<EL#&mJZ#{760rRHoAVp$(JIA&2;MhQ8RjOZimjA zS;RbIKLC)WzeAnew36nkPc=2KSE*9Eq9kLxz&zO0-H@Q2xEhksPba{9+y5xhH0mN~ z@`KtjYqmDc7PkX^;zGjuxhCdF#BxN2859|~IFLsn%bqt-;il`JKH=(msnfo?dDMXs z=QnzI+SB3SGKRKkbexN=32uZ61%Nv+x>G|bMNRE3Xi}hEdl_=&y|*R%%op8xO+WM$ z%33bB4`VI1mpm1?C6Daq+b-<!HI73Y<PRhw<(#3%IacX3k16PMn|b!NdYa;*b)RWE z-THZwCO*6{&4NCOI<s{0Ij#ptLZtAhX-C&!Ko?DO(in7cewEtF5|9vF^ccAv=bt&w z#i2Fn?)Miok!SXT(=;mEBb9*%h(_rR7b3Cz)8>sM#RhEh?l?uxCXzTurjZT0R1E;$ zLNFEH!S_T5;Ha*N+&1flSt4b;QT=Bvfjrqi?B^|k6sPUspiOCU%_Qw~r|`YB1wOEF zZZ@Ehyggu$ye%RmFVjL6ZJ3J!xz%|Nd%u<19O$TZ+Av}7E@!8+)$XY&twfH7MKh<~ z=SxP$^M_J{Zye#zr~`ycu<_wW5|-M()cdxs0i=2A6q$+9lQGir))qbjp>%C!<&JDU zpGh=p$!{%Ff~e1XLh!_F&F)GVAeroy>`PhD^jxOq9N+F{1R9A9C+Z5;!V?K{<`DsN zc=>AA+I+0ZTDb?_aHqD!GW|Ubl!-QzizZrH-huM9znqhoY|Ec)l%XEmy-Qi2VNO*E zk=|;cUm>!1Db~`gY7|?N36jl|PS$M2{DKvrc!*Gr#w0`%jlwmd?@IF373C)i(OD5) zTftZ=P1TM1(&?UdAy3Eae7+<w?PEY$_xfBaU@nsr&(D9I-GBb{gQQ;L4T;bMFG9=R z^A?N4V6w%wBzF{|R1gj0%u!nzd)$eJ+>h-8x%pCr$qLWSS=`)A;I3C<0~KzU8McPV zOGT^2kLrZ~m%)K~tH+pokrDd?#pRV-=wxYv&-2Q$zS7DaGe*Vz7a{aT)qq;(@Tj~= zcT|jI^OWL@g_L;@QynMd%SDYh{jJTed)_+NZc4$EL#~S;bPoghz?hgRTruN*8(jcC zgEvd#3(>&7omhZ>^q=3?6^lJrFQ!$m18Pur^_2+6-$q$e+BFF3hg`Dw@qbMMc;bl{ zl~6B6>`*U4ro%B6%w@dcG+A|ONoaNa854bIb#j*(L_IcY5Ddpwr^lO1q#!Y7+Vt<D zTr<r1YRLXNizTOVpsE>ZmFFm@q!FI}HhK-cq-AkEWa*u=xpzhk5|{;fX81_TyjKw@ z&25O^tzJ~AxqM7=cNHk+rlRzIo4$s7cegHb&z119W}DaEz<FLdGwmwcU=>)yd~Q9y z$A0!cxjzj5yVMgH4Y(3!B0AL(<d-H)+kxuVsq2CD@)R<M8kWnuUe4o0qlWLR0;z&q zMgPbzkqq1>wzuIvnGgdlOr3xdqPz8+?L^9&3DN_deK43p#U5yX$Ipg&2j;m$%=&|Q zp)vX%WGXRV4d$gGHRRGA=8+I0_<50P#6opb?DpW@!}WVf3IN)<vBw}+!+iq!stodA zqCy~;f~DxCz!E{?bUp%X&ZF~MIfJP8H_`7W0(ykASYaq92h=PG(*y7Br-LF+X}1DZ z=(KYy3-Z@Nm69#2*bc<TI>b>mvFIzueK=8e%JiRpv*n;Din2sHIN~PV+Q>!?8#b1Q z0{>MR^A6O>C`(6BO$szU8FT5<Z_JJe>u-f}bpOH!9|k-g!!m=61kTCj>x*T<bib&g zL_%Zyh^3$T%VcT)pq9|n4#<>wJ*Iu^fE-hldv}#el6kaB?bF!JJ+8xV&Yrv=l0Oz1 zZAsfF!Pq-7>2gY{jkv`^Xyl+3RRRs)Q`TR(u5lNV!xaI84#LJlTtKZ$yzViTzzpsI zUKq{7$A}9M2SWDgF^h45Rlqz4qodn~3+klq9h}^Dx35zhds`JwX~fjjC=vLPB0CR7 z_Mp4~BDqyj%K)mV)a`~Phx(jTS=dSt=PL4fe%7r~q)Mq!pFhD|mvUe+IwkH6e(#-6 zL`=+Gnc7B=jisWgkdE}C3>Qt$@<zli%-WzDzI#N7=m-Y^sQN$QP1ovzU2LajFSLg> zn9?Zn$(^<U4Z;m@4H86fd@xO%>9v@@?SM3^wvmb?B;3SmugGF{!1zuMC4D9eBfcc} zl@&Zhp}m}ls%v4=m|!2j%=NpU()$A{50ANFOFcx@Ef<H|xqMp!+-U%WL)mTuSW_)~ zP6tP_!~E@-&~4^lZi~YDD)fN~TdiL{@?VKpg8OALEQJ!<__1UebzI%XpEJ+=QTxmR zfXOs^10_dry0|ST2U=`(Wk;;Z1pPd7&>iR&;11ZKD8F-!dCs-8kiaD_Q)IG7>>>yI zZ)$o^h3PB3MLfh?iVg`TdtSi?_!pOg>{2fORd4;^Y+VBbfxOPFFh_#;8I4ZrbZ9!> z06BirpyW=FaYhXXBnu7ZIV}3l`JYI@Q*mOJp?BTzL*=+|6DWx}U5!0;q9AOv4A#jj z5cvFZItEo|caHsp54;QRYG~t7rrPrHQGTM{aTeqU5~p46zR@=^4s0L&fCc;;GtLC= z4W?@cwT?$q%!xGyC-iu_Wn*eVm?3nFej13a9Y@%Xarhjo0<S1|HUw9XJV2NoR;0!? zx+T$D?Bj>KtG_S8x%Bo5wNInOp8ti|-kytfT$b=Kfv#o0xvSP~xdM;-KBEv@VC3Y3 zFK1xKjdtGk8)(^^A5wjc$M)b2;_M0}(m7e|MJ!*9;6D%bZDVI81XJ&0juq{~Ok8x+ z7zC~2Z!T;Khx)@!v3LpnTE^l76ft=CX0fJLY&49$JsN$WnT-H^>>lkg*i2&_LKO1X zKPq!vM4KCfy3ynt8<<sJ?BMgA5##RgS0%$MgDFQU=?DJ-?7;=<1w9T$XiMJUBB>Of zj#ehCZN~3mm^6f)(EORoftXN_VBsEzq@)eb1txGH9WUUGM+&VG_y>A3QXViQFKkvR z9@sLktxelve@U6m!HB?@)3UaJ=6~$YQ?fnbbxk=)aOyl4yT<SmCYq|jw`svq{J|jF zgpNUaLtU<8wF%MfU9MuuN>zZuQ56hMYC7snrOuQQ(ls8-&a($;CLQH6$@(4*s%PZ~ zBm%lES%>iHk}m*cQ2r|fghbbZVi_teuW~VXPpNPgzhzWBIo&*uHf<Y^M!I&6l^szh zh7np_RbG2VEhytH!ZYAU3GWQG)O*?uCfPG7b4S3Y{W@d{C&;cY(v;iRbzLTXhJM|f zK#!x)9pEXLe%?G$k-mPA<&aPS7>Ta5@u){?wXw}3dbPr<hOCXyY<n|^-)(#I@t<Mq zKSLgVJ-4L&MrQI|uKkAg0q2(Mp?|xx;xWZC1bpOZHSF=s@66V8RGA$tIiCz~{kqxA zsP~AvURa=uV3@Nc0^E=O&K8Y?-aF}60NvyGw&s;u=Uzlb0M3JEEelHrktpPSBChDF z0C*~^4GMyB3!wHm;(G?OB$V!-4WqkIC4Ym{rrkIT_4cqMLXM#E*~?POWu{ZVIUtyx z7I~OEg+XFJ$qGKKxTKSTxL0JM0d`2Qc_YT2jATIWJ&d=9cf{Yk)BOqRff+n-hL~u7 zLY1cm%^5Zp@YNr4Blu8vkXgv`aEJ9n@%&`Q{Y~s_78DR06#O3YybZDwP<9VpI6m{1 zSUztIK!$g}rpL^DwMA0_ch6k;5svlGL^((x4v!j6Eq0oCmV`*DUa+1F$A!c@F|FxK znw$e7e#3U`Z>N)WP{k&0VRni|U1ifwQs4$_h1&FuMas35B$3E2@vkkV)EX(X!QRz< zIxGKw8q|miJR${+?yv%1eb=WpouFaCZ730|mSXR)n~cU26zgdd09Hy=D#-b$F_?cF zFei=+n?@P!v`1VO6B9<2Qxoft%ZMW~h)&mt@+~H<B#gwE&Q*L~2(018LagB*RlyjR zLTwJ6G?s%P%nh@eneS|7HJt3WbqUMYpWAO({$E_7+A6?s{VC=bK!iCW;Py-~jVl*C z$Oo-ppHP8f+J8-n%RjLnB`(9L_-uAfYCs<HDwdr<w$LZJW7ERv`&n+@fw_v0E$b`p zSxfU5p<Y%`q(w$U;Au{?I^bIKE$RCsm&f02Y_92(>MBog0qOOjrem2kGtYDrB0FA` z687mjg`98Zy1u6Q&w@%hs+-T6ke!K=?I0TX_TDvLC;GwyssdKg%p=KD;e`(11U9IS z^?v(c4&A;P%xdz}iF8@S0c)fOJz~Q>U}QClI*Q@FNDj;<L4L@sv(Dq)t#gnJ47Sw2 z3B9tL=t_hr^aYw4&oDAwIP6PiSkn!)BG<h;H=n5y0kcy_lo3%=WQc?#xe}di@!SN* z37$W#7n}e0XB_cUoyaztv15ot><MJmQ+e6R`ol77+i1Xx@LZLjzvv=1s3TgN4JnWz zc#Gh0fIcb5Demw$jZ}Lue^E(M@H;{jqvWH2h2$e8wIropzw^D(p(YBihavEkfG^iJ za{k8CDEr1+&q5KTKAP$bc8gYc<<*74qCVe^H~tO~o}oJAcn(HZ!DCxHj2V%c#{)lE z$kD+~jOFO)+DD<Np}>z?3b`qyZg@(=H#oQgM)FEWO4<8siuwVT&P=xHjcyz(v9WPY zE^`sZ(H9HXFOZgPGf+-_A&q<OTA9+>dwE?VR!<UsfeI=LU!xpOI9+wk(aaE-b};o` z$+PD@d<6*@^&+tU!GkVL&q+3S2s)>W7wH7QI8vYpXTY?p2U-isl_!*hX#%9J^Mzd2 z7Vr|s;4YF|yOo6{!a8~zpFl2rBmFyV1j9J29$Em6b=H$G>8d~8jN85yHFp4yPG0T5 zquTUIPr1#E>GD?D&g<emraF5?_*3l0b-dmKa$eI^OHwuYOjx%`w>q-L{etN1S*Zkh zG1i6tCdI9-gzjo~^nGR?2|0nkgutMTqA^(AJ*0rWW6HU8nqpI8@y2LN=sR>H?b8;t z@HNM6wen?)s;0lX+&8!X{{4<G%V$)P(U0j>I{EjT?r+G%9#Z&4RllT1Q%Yr?|1u~x z$p2xS*4h@n6KcJ?S!BD(%{cz3P`+itE{n661N>o^6dMZM5$n%BysGo#s;qJ2eX;!q z71&^4tm3~F_yu`c4uf`asy}l>2T!T}VBUH@W4DyMwf?dOJ2o9A_U?qWn3?A$+zn%e zg@K!_bJ_eHUt&V{OO_@Px@ov-?uWC#`4LOJbj<fS3tg+0zftq&(0Ps1>zm;(1HfcQ z)Dx<_DKA}Olsfd^WsvG7S+f#_v)EVI%ZX1?<fu~Q6b4y>%$RBTj60ATj^M@%=PUgn zC+#Jt)#jPY#WpTDm@J}#){#c5X?OtU9*)E+Lh<iE=sU;NFtV~CKtm@>IXRi<=#4k0 zA+W+gCd6P{E|OjS5D!ci{VQulP(1{n+PZbXGDsk59~NkrOxLSXA=J>*^4;|bc3GLl zxDl)O_J-2hU15CK2dE3>2b!YkJkz5H8!l<4a)w0d-W6NY-iJzXfc~6*O$qTz{&er; z^RnduZ*?YcYu3`|mJQuc+g86*&R)M$)n5Ota=XV3@J;=84@aU@W#Yz)R>$|YkgY!Y zNg+!vN(#g3s0+>=`+A!F;)qWs$FW-WNS7Agoqh+--GT1NyV7&7)zq~z$(hZ1r^g9m zhWmCg!?m!BUTLV;VRo~hGq`H%IK!?UjES;uh=MlboaJQU!@^R+s!w!cj%45*KlPQt zqo=vN%-;S-+P7U~qX%Yubp*xuFfv;CNU(WpDI;f*-U7FacAlsyo`0j8-oRhW%_#?1 zlhUlg#<W;T>)bGBx<lk>HVQmz`+Y#7ll`GGz;oA9ly72i<acmx;bJ;ahV8;qN6aH- z@sJGWt8}h-+z8uU2{1lcvRdG~>Za?xm2X{}*Q%x^754*&m|$2jv;v3Ucy^`CV?;@t zuJ@-K9UgEaeH9^)G2H71))Oc^qgN83)-`vwv_tV!cZ=%21BsjIH16&X5;x7i8w>u| zg0GBaN!AnZXG=_TCMw!#y~3x3kCOG)xSYjL!3l`ag_T$D%eT&j3lbGH;}tKD<E!!u z(c_cI)f{h$UYF?hnCJD@SdS5P4Za5)eI0ikA1t5c)Bs<Q&r9@~7d;1PhkBjnws5NE z^{%R=V_V&ZFNpZ@RzhagUc#ukwp4&=;K^AmA!8$z>*4QevQ`U%cFl`1`BRz+ejhu< z2;c0OU&t5K4@%}qL2vXrlJ<(q5nDD7O$x`5da)q?q6k5YV0d--qArau2i@!~n$X+z zx6GfwlP<0vr(^uPhh__cRNSsOYiWa;bTi+Q-EG!3jx<MRN!1W_tg&#$9wk9*Y4<DP zUSwmqyEaAi)FHZ>q<GZ)P*{VB+rEq1(wc<v)^BEN5&(NN=@5LO#9*t4{W&HgoG|sM zNz8=c6bL@NG*Obgyz#4_pnNLoYk9T*(t0LFwmL|``56z0!1(uXZxD<lg#}M31Yj_J z+&l>r?^p!2z(v=ovq0A6UI~&skvdncNvay}KFK+1yRA~6Gd+R@Ba`o!ehR_CM@fR# zTv9+e{-pb)f$`6YHA8KO?@7JZlRv#)n(Od(WvY1E_xoM+xQ}E82WCfiz8<+zs&O?; zpfN>P2E;_9Kq|SP4BX3LD)*?jR|XzJ((i;HE*8<wo--0LleiZ;LeOD&AG9KypvFsr zPIHWnign5G1|O92oc(K2=;$i)2Yrm5*X;)iR|FmWv+D)%2E0OQI3hJaJOAnaDK$kf zTk0{d$wmaI^rd9jcA#WPSR-|W+VTtr(xa9xw6&2bc}y^ZIh%tB;3s*sG6x;j`tb;C zudx}`5DWo%)mqXKee42mOtsu0qf8BQe;L-mVT*$_f+{D9Nuq5!?3x!oH77%N$Ixl+ z3?x_G?8_`yw*SjRc03Y}Jum`SC%o6{>4f%8mPJ1Ik1Rxo<RQ7;p`cy(8ho`t78@p5 zR|&R^vI7EaoMV%J7>Cixc!@T@%G>aQWZUc#Q%(<EJS4YCY68n&8>kYoziZcM<0$S3 zsNLXcA;_3X#>lb)&_@4YC?DZZL|kUs>%tEhAAVo}v|%it(0=*SD_O53#Ah|7I8IFr zg*TGA-`l$a<!3dwlbO{xG2U7q#E^lff%^eM?%Fc>>W|r8`MH)$PSll?7#xSc^)+HT zD#%WatCb2(9EiNqRENL%Z)+}pbJ9KvkGl4dO*;*ad>{#85vPV@;SXQUQ2Im<HmCE6 z&dLqp#VinD>eLFaWb=3l<Q1M6e=o7qRFi=YuOP8ej*sC8o89<)caN(7?kKtU;cp+s zejG`*oX5U@XCzRPK1GE$H)l|6-2CGDIrb5MbzT67Jd}LJ#sl!#EF^6fX$*Q`kXX43 zb0;(ez8r26M8r9(sb1da!KOQ%{KGF&$1C(K!Z#Z)TQCn9RE*@_F-ll%$172Cw*Ue{ zi8lg0`-Z=CJ(iiJK_6J#(>4CC!^S<gaMLQiL38tIHLI;vtDZkQ$8uoye=?cL(Px+X z(G>zOjqYA9r9SWj(qVXI2anlyG5zjBe(?~yb$r%Gsp8G_OI|$&<7`gXGlA$a)d!v? z9;9JGiHQn{@1_KJ^*(-M41WHhfIuuWuKZG%DdXPWEnhrwrTe=hb3+C8w7M8yS0C%U zTBZCqiH(PUUjJ4>vTB@dPk3-epR`KYlycwl&j2ighKU}nM=9Si2erzBgNx)ztrF`d zQWnl0d;cw{?)2}Dfua&ZfXrCxS<Vxk>&zQ_$H|8mTM@Q9CW5BTdrzFb0e?aJpMG)6 zraF&*QdIuD<QG_z6XL#-Cle4<z?e+?(_1~Op(qU+!Tw_bqaIs4Y3f?}9Rv>7A=YL| z<m!2(MmWm-*Eza}LiICAq8cLI>miS*a<`9_E8P$OOq(T5_wH_Q^R1sP=T+YGNa-a& z{i~{An47?!pME)pS!UR<gmU;ZL*NR^z@&?3VvTFLv5&E?9Q84My3W8G9g9c9{an@Z zg8n27osuFHlk+*FsD7qJZ7o<8uLMZc#;k#ToYn@PPrErr@;08LxLy5FN++iFR7}9y zE+9;EiffIDamfDi;(4zse*`LE9dut30xMVe_xn#2XIV9|duy1qLK1`a&;ZP&@WG0* zDTM8cFCuVHxlPmZsonJD>-2s}dPqo4Ej|O_Bq|)C$l3YcUPf(MxR&@ns6OZynOwY3 zonab85UQ;8gfI+*EmYlVoFM7578c689C-g<T$rA!z+H3~EEJu}z+Kp_fL(od6dh^N zdozu8x_XBnf6EmZq>>3*dv;!6J|B7)>nmG6|Ci^m!5X!-FdPWT7SaD_rrGuX6l%e- zwZRyD_<Q~0Be2o>h~sY*><c9qRbM-@dJMBVQUeOTqCg^!GHd4B$`SVD#?<M}NGax+ zL|t9cqG}mjK&_^hBv>sav(#i&gknKQ>qoL=l|1oFc7cfcDi>SaYN70qr;*70&9%iE z4UjywIrWzIv_18P3$=}9#fd*Y<Qcz1K#=mwl7@^@f-4#Py?M$1q=w1CeG=aP^XP*= z@(VW<G)lMD_(@W-=y`>UWRUKlYl6ZBZ9*E2t$vLfifjy*2wVS?s)6wa`mJ>|$bMeM z+B9^zk6s9C_n3TH-RHS>0Fp%j-QZfqGRpWzmH~+oRe`hKJ2xDz)2(?Fa7YW1zkXn| zb^CzZu%GknBe!sQDaO|-O1WXTs;s$bpzDtWVGtC4TH=rK+7k%=+l*1OgIy(ak3D;C z;yr7^ZCBsht;Nv-ECw#Ra+Uil5$A%T=&PNt*(|1B;I^eT#A$jG20P6(_2^O2#3UCX zN;8~z03nCh(8SeZi+d()>n*5o#0+7g=O;E(X;Qq2&al!KoXu(L8GWh({5V%BC55B8 zmcldzq+h7Hd7?_z*wy9YXxbEA7vCt=YEqxstzrij$vIfoXVr~yxa_`*Q;9V#*;K>N zu8F?Uo;G3{zRZ+_f(c6T-|{8TP}n&N5rAK}?)_;=$HNL96#X>jCFBYUSrGo%X$u;w zlmVrEL_rCDF!F=B%#i+e<{2vWYD0}ERiF|>VY6VwqRa?KWGFnyJ~FGGzcYRXm<6DM zoI-&RTG&?3I`$PfJH1aiBKqh+6U_wc|Mm=21Xl3*qbUrV=BQK}GA)xKc(a~~;W6*@ z<rl!p#P;Vyj10A&lx76b7}SW2zfIsM9BZl>C9`4Gf}gvtX2*wEgP8W|j2zcOwh7fB zbt8&cK7Z)^8g~%+$5;PE5^?G*vtqtJTYAVRX9dMO%$5XoF({w^ZzLnd!L*TM>9ZV3 zol{M9_n{-AVO_{E8cIUZO&8?;%STlG$q|ex(HraHCdy61_@oZ5F`Fho5xp3LYN`=d z@95yrtPa;qUFMWDtPP3PX7)iDF@7gZT>NN=%bzV##_``fxC2jx6YWfKBGegM&y`{k zBtUlPmL2PO=C06#0$CBZo{I`;_@JvGipa4BIdNkE8BkDU^?C3ocK59T%?D#6;nH0- z`KKd0Sto};c=5C{9pSf4FR=jf8oY#6ta7@nA!wbM6{{YMWyT4*ULDJ&%JdNxhM&$X zJwVtJya*cb&PPFw5Bp<&QPT%$#Aw9ik1-;Z)K473Tv^JQ?nxty(T0U-q`HMEq`Juo zq_(XwJA>&FySR;^ZLW-vEn*{s(Td?7?(ng{1kw?WGO2dvPhK)<2d0p+wctpA0pwXQ z+$ba@LXRf@s@}%d_L?i)t?hRIFN3NlC3{Il7jN+Ol`gHWJT>nhd7@ggrTStuE=u{L zHN-PEBI?!#*3({%w#VoRjTM*N7tDaCN^*t(Z1e~B*Kz$`!DICgN5LDxi`;**e#^Oi zy(jNkxq1Z{zhX5wuY7MzL}ZhA8n;g^60p$1hApK*V<YfViEUUxReP38GAKPY$ym`J z%g9T)nw_=qz)IpmW|OAwUH;)mh_F=NDmE7UiGouw?inwdcmU7YEQAEgJ;FdvXxjLq z(P?IJt1MzQAkK+Qj5+2&Sp#qkqBl<8jNBf|?<}_!Npi<GT1QkgD`6_Lx6esav^Mje z^HUb7_D?ZA%Eal9n{;ZD_!fU@9ZU%dc0bYrel|nBZQ+&^Zc0VQDqE=6X|~lTgLS8q z$U~XlMr6oA|JWo5gS{kp5f?U?v%S|gNxm+xmsMFlE_6>=JPQ>u199usaM{33gK<G4 zbk*a76Yw(F0t@}|X8SR_HF-0{$Adlin~nlpq<OA0a$ciqUXme?RA>=R!L9qk`p>fT zvgBcjWGvy}KTI-QhIklVR)wt^d`aJns)<QkaiLz{u!#)}zInZ<vSGVFB5r5+3pBi@ zPo(h-0cEXjB&vI=L(M3yDmPw{N^hvH<<R+7irSvFl$SnUjLI((f`!PRt<~<QOhi7f zY9cBJdoE$<+wSW!`pc@lVyBh5wN7M}y<_cDyLIKQG0*37J*57QdE^>ezX^?KX$RHt zDy*$8&ha=nIBeH9H_<G&8eFwE9wpb^T`n&#BmBy})n~4^dp`N=yJN361ev*93_K1e z3!#w-2)!?1QXINDOReGUVjFA)YW1uOM6J`WSt{@4WFLRiMD}SmA5fSV=ZKG~W$y?- z2E7+BsRx+*CUx%Tz*sCj1jMQ?2#ThFdChI-CTZd&9o0!j?t6@nrOXo|<A4`ujLWb? zM0A;~?rDr|c1q-^jU}o{8Dq|)@M*r-A`^SM87jINM(b*b-Wp&5l{Ec%JcW`4|D7q) zBipnWY-&eM%Xr7^byhG#Y9~um-41Oephty{hoY?`S_5a<X1q)bcVO3YT$mMo4=#G5 z=nvTuJgl&1J)qejZor!bK=@As8L>P$mYN|utaLIveb6?)ZS(|Sk#dXf1f;!ROzN)_ zn~oC=faCsL8Eb!CWZDd6b!Hc(^ek=bUlzM7Mf#lv%g{FGvJd?jBJn+JAifxdE&8#9 z%s`D|xSsGjUGNSVCo}KDSrjyeU-m*DS6~k$M6-GdE6DF)`S+rnA~ZqUBl+^mb{5q> zGAepPYVt~ZLyk{+YI;I@04ctNkYhVn#bO|zx|g)%=lT`ilxV@%QuOmkJ$7wqXW?-P zgfmYA<T(zGs412dXx^+wKkp>MixN$5bA<vuw&94@$X+D^PNFy?q4JnAW^gn6-RHUx zGC>g&I`4Gb;yZaX{@8qE=#?@by9JCkTXR6k!RJ|ibl8DH5e-7LmsKmdar<YYDP{Yi z&yqi5dx&zPn<ca(wpLv$L1X=uRfiWBH@^K3*3KbVlpsp5&$ey-XWO=I+tz=!ZQHhO z+qP}Y?@h<_%%WpDW^s2F6&0CLStsw!x`)fkd8`lCYHobx0xtZ$3PVUU-!OpvRDfc3 z!FKj4#8K7hOlOW=Ac-B2Py*h9i$EGL1wT|G`te&7-40d`o)eD2wGRZ+e$%hr2wHKp zuho1Kg{}`k)e!JZADrH%P9V_*h_dm9;=##JqQRH3b2P<@`yjqmVQbx%D~SmWSSF6g z7X~|>PcXX3EP{`J{WU6!VbH7+Ds8imz*>{w%;c07;=(mX@c7Zx{2Nl6S)?6^cMxa_ z2?d<o?;W7B(#ExRs6AT(-~Y2e;Nn#P4M)O>3MAdMiY(p<A|RuqmLJy%xw0}9g)N`j z1_gcnBA|7$Pra~%Z=$$xaxWBuUPe92Eg$0r=n+m?2t4Tvij1XWb|UNwv_Vj4rux!< zqWzid>Yzl+4rr{yabU8of5@47tKQ=tqwmqQ=8a0f(QkjK8lj{3(;h?;T^e84c8J4Y zxV#yqhDUz9WzcEF=?8C3m4O7XGP!iHju<*-!Uae3w-Qx7ei1i5>7MU0evN6?Rd@^< zDJD*bqB?kOta0V+=OQ#RSN*iH@lo&n|DaXli6K2}8~^}B$^QwhI{$aHI;81gkF%Wp z)8SQedczhfno4TrJlP<YVB-xLCC1CJ7nnxuSFYeyLIa;MxyZ!JZukf8WaPfVpC2iX z5V9E*QVQ{a$T~p#k3J;H(g4_414ugsPFb~mT7!RG-rsLilISAxNp;_<3egOO-w&_b zzqg;b-#(28(e4`K!|h=yOK2`tlB5ge+Ke5V(-nDq)2MEEY#Om_SH6$swJF`6mY}Ng zml0jh3&WX8^~S1tnG+;SS0Bd8n}gjZ{rZ#Jw}p2`6*yJQ^b=4Rkt-uj?#gCvc5`ca z3nW23{i5-@2xpVBdWL|NMj*~2_+;Nv+S*;Ft4Ec=kw<{}E$)td9eTHHWT#q~aw48| z)8-q+nq>L0)G|5j3|<C^r$K-8GtPt)T{MytNyL#F$lSiQqmq3ttr*mlT=xMLYIQ!E z)5=_DJ_9kFR=-8Jbag(u%2YO!SBJy2n7_4^w_7riOW+F(-}0&(+l6csqgNH%m1ZUo zq1>vwWMsz;I3#y(3kJ^^vz6|j^t_t9D;d5O;aV>Xzo!56_?nNx(xKnpa%3ubvZh?k z*NzP}XqviE8d?unh_|(2*euUU(ST*Rai>=r#a}UNOVVYAEIV`JMV76rQ({V+8Fm^v zREt5sj<l3Zu&ky0Zno<vHMU2gtt{(kIxn_ZHH)k6^3y$;L(-(%OqyFNYtlg+z^eOr zkN^3D7)4rGA6C+8H#zJz$fLOusZ=7)U2L`AM0jjZjX5)dq{*^kTUr8TE#=@qSxuU{ zw^M~yTDCs5gBvHsUlUBR${!`<I_SWg#Ed5%>LN2O>>A`2I8|`)0r!_>zIX>jQFPbV zU-$-$mnpi6Dr@mvdQgD{try&wRoD?9gb}>p&L~du!-2~90b%TTU0F3cHL?hd>_Mrm zST!zJAkNf3$bc}mZ#!Edu><SAKqvYa2~7)mOzCdzB=8GcSPNGiE#ew}Z3@jTr&ZHI zC3&fB{7OT{q&T|qR9UrYscEJnYmvFPrbURo^#lx}^i#vV>m>;#st5^ed^c<o)`Rwy zq;=HutmnD!2zVWEoEcj&iWct0Nx+lvZ(I>q`UD8FGN`hzUB3#bBeC?1X&PLghAc<^ z3Li+!kuwdlGBH^8FNoHkF<b=eW(2stlVB^Bq)UBSKj%eM8^D!;o~ph9ppgJOR)vbn zjLFFiNvrN0zv?0D2gpaNQZoH*f0n`HaSAO1GoL$Y)|TuUKUr4H&6@Ld1;LDc<;S3< z!#xOG=)EoDI|X?1e9m=a`UYs*2X36BRtnPI0<I5=O}G7|Y);%|UQh}ME9Jo0e{D(z zN6U0K^bvCamP3LWPvvv^CH`q6N|wdxP*d@gU34Zd<W5lE%?0A&(Ww?}?L}<^7T<B% z&yp7UBqnphQcQc$W6#&~HWHbM1dcrEVe#@_TLyxJz$(fK1j#-82EG9z9Kp3e4SH+% zpEgcFpIsi)$1XN4O~KPo(mv8oFm4AjLM)h5(RUsvL#)gRAWjzUldxbJfAa;SMp;Vy z_9*xYz2?An>E)6q_l!2@pzw8k&Vxr-w_*w%WSCT?TyT{)_f~huA732(TT3H78f6Y- zcFIYaoLR#^=QCqKy_&n(0^}JIHucFK3DRys%S-TCJa3Wdab^A;8Ku01zHrE=k~Fge zrku+N|ABKhLVZB$cECh=%mmwyU{Kl&M+9u8vC3|Aj+)-^SXOab|COcNgHQFfEqV8& zB#}B!#xbb?$$bo~=m!OpqaI^ONl|jKo-OlaO^n3oXG@C&eO9JLo-a`jeSnb7D8mpd zlPNWah_d*Q6R4oT4LygQW^U&LP?Y66(b-(eoG@8zzamWgqK9Ax)!%_n1fQXe!;$`k zLLv_sXTd%)P1AAG|KZh6rT~#W#}{PpZx9IKlwTP$h8M_hf$uMx@(=eJ+oXiwZ`W}) zET7uht4VA5<Xt;U+Xc4<+%sKUOKaH*%Nre<Bnsu*b6BPS+o*SSm=5(Z*cVR8!qWl% zL}Lbh<{M3u=X>$EUIr)j#87P)lswW+MW|^-C~ANk?nOTRWJz5B-psS4!^o_RX?4j) zLXn_FaZ1w^#|fb*z^4n@_<*d92CtjB;fgK{YK%|QNNKJBJP-HC9cL$SCQ($--sXx) z0zcMDD5-)_8*&ujf@pmaMvYsHwm#d{(NSE`rBPnDIl-esds?+P;kciR=3^LbxgJ1l zHJ+oc2yJ?1FR&asI@%zOjH4Zz0}t+W#)&0n(PHGF5=vfWW)Xfzq^(Fi)?2820pJ0M zR*q&&u07#&miN%yhif;SVN6-c1FHr)MhBn<Y>z=(5eTcC*g9|zH7zVbgS7-xj8kBd zEVu<;YJ-;*YEUWKUwO?e1bw87g=!mkD7v;t+*Nn9v8I4+UTc1ry2RvWBFRZZ7x}|r zr>=l(F(H(ca+C!j=9VZ0v8^L2Zs3)E>w|5OB5r=doIp`6n)TeLW4{n^B3Kc2+b?|B zf;fJ3O>bw?`Ew~Aqw4FmuB#1MnM<l<<u?Jif@s#{Z9T7akF&|ivy!NM=t+-wIbNn5 z*%~+%oXpvtOdYc9IdtbjwGN+qsbjrjs7ch;<n$O26OC)7m7%IeLviog6mkJ{s)x7h ze&5`JA5jW#>dSeXgi?q}kXlrKMP1R61M-L%Ey0<Q>Rd!%Au=qXmqANZfvJ&nB9J^% z6NSb!aZb?9H(1ej8U5UDaR987iye!7>4berd^>>4_%cbnboCb+tsU=(#r=qNuFe)E zR<ws~cCN{A<PQVJcBV3Ny?7l$`4h1ybMjcCvP^Yc&}g(dC2E0%5t$F$2Gjjt1WTrS zT@c25s;JpYzhzO`CdmheH4SCIZnUt0nSuZt=0A-Wq3y?8!_zX6>ZYcIHdB9R=|h5T zGe7@4pst;PA$U)0`bkzXvi1SC<Dz3?&xJHQ&?I)_07bK>&i7LiXhRv09PGJs7Ld7> zGY4T-$ms%$VUD@>DS#L4-3e%b7vnEw{;I8IPdt@aD8wz7wU%jIqqPAMgz7s?2Os;W z3fLA7c)`#<&`;C92F^vw+cF4dyT{g?zbktKyPy~9q76wxID}a@v{Zxc(5C&BwHOB~ zQGE1GZmG7lRLAV_K0lCJ=Ni=^y?S^;eOma$mX%OY*{!E3HZ9l{Zbd(F@lsrBQ8FoU z1Bo`dWJa}=I9XWllG0;4SeO9J5~g17Wa35R>=`Y(-|k}mfLf5Z?dxHOO=r$tJVhgB zPy{YUWCsY=v@2=a0v%tmgE3%TocN|(V?$Bb*q+l+X;=2_5%!!P+*<QSPH%0<r*)nQ ze$=EZySnSxl)W6O^kI4hLE>`KR8Uv44;U2zRmIY#52mL*F@$xQ%8@$juwaqN4o5S` z2B0b;qqwZ^th)dw^b#m*nQ8*)j4<U2lopb#Rhnau)Z#L~UWN8bNBjlx!VSW?@(8{j z^lH~(;3*w3T4l)H9mV*P&FRM$!|1}(i<Ay_=)ff={gm}ry-<CarHA6AlKHb#Ssik^ zne(TvRiQ(}AR=L>F}bxp*&|A(gyI|&`q1He<#D#t(o^I8XSuk<C|hcibAywUxcq5{ zMr3w4wWI}uasHfGrJv{*0atEbd2>7`Z}5+)W?L4vNI`h0=5f=DA=Td}Ps6A1P9FGm z-g%<(n~t;yc{*+UZ@%C5?rnG5-C`5x3Fn<UXP3Tp?@rRDj>7;+|20vIxQ0V`5Rzb? zD=9v-*(2jTUc0ZfJ|3&MuPev<aM7z*wvH%dSl|7!0wWhn$9Ak)3(x&F>8uO+LgFn2 zUoa)b5xUXY>@){Bv^WID!p#6)Y%m-QXM-?^I|#sBga_zt6G6RTdU`30Dzp$w;iU+F zPlhE5SGLH%PDB3f2m10jmZ|i5P}E6+kwrJ8io1*!d)gNE?aWOBL9|Nx$$y$gmbzz_ zT6dW3<1Oq1EzA=!Q`3O8rt&AJw$;);Ynb7+ZScBAxKUE_C;Y>37LIQ4+UdyPpC$q! zJt$22Wu^FAgB(+Cwo`h#Q~WP!0@*Y}UNq+IV6R$3Y#Us6t*<+mIqf@L?qo0L1hC=O zf!sC)`RZJDtu8xfS?`E9_vEaF;5QuB@Z8t%KGM5C5xsVM*TC_b;eQ5rpW1-s*n#9Y z1?4z8V%a}(Tw%BmF}|ve&NRqlIDvcJLUNp3d-txq<~i;XobF<0^3}B8;MMk6)XrvW zZrHT{`Z~aN9b<WKvOL8E7)kEwkUr%se6tnb0-NmlCiVAH3E?Ap3j*aP%t<VKW1fEo zz<5i5^%4mU+6vgOO5V^mYBjfg+T0Any(*-BV%$UE$yLuT9>12E<orO*?rY=}F6S7r z=;p6zY2991K2=Qb{BZ0HI(3T$?igM38uZk<=GR)q%jq0k>YZ?T*W8{t?$)D{3aUw5 zS0vQ1kY02o{5+F}(ou4B<R7h(_1cH`x<>Y1GWL1~_x?)$?pJ<`)!ySnr(!KsW$xVT z;oiPxKF0jkryhPFFTB?Y9RwYq!Vx32a;5p34;|dE>M>xq|AiTv0j+03;9}bIgUO6u zj0zuh9kiuQ$>agJTTu$?w>^zEMkPmI9n`(y*JZV!W7-oKk9jI0&SaQ^qBR8_tkMVL zmX3^cvQ-b#92TiIEK^z1=SWRuMt6R=!%uDy8Y`eFJBd-79;q}1>rzQde-uj|iL>;E zsrHXt>6^n!1B9P8##F;c3!fexeq`XrXWHANIg(e#&^L7PIO&2{a}eb`%idQGHDRLB zAjcobA<aMzCSF&_8`h?MFp61w5T!IAPR1Zkz7uuS7|p$&QCDzvn#Z(9)Wk%uj>=DF z0N&|YD+yOyR+?Y%`CxyENv~%ejN`OMBIjd)q0*)Z7Wgye2dz?*z0dJ-o|Q<Rcy3?n zcp8{&Bs6mX#}Qd=fyT7Q8SFNJ{K#+yfX>;M2R!AM8H$rAw>(Ne*`9U`)0l-teK<b^ zcocVlhdn%qJ3J_QPY--E1^G+=`^yznePrM8otb?DKYI+voeImHih1|i@RsFkxR+*2 z7dpw229NZ&<kQ#<tpnUz_5G(G!#r#hO$+RncIT~e{jD+j-ppyVmf}W?ek3{u#LGyV z0*=FMv~!$uf65T1E(n@khmm3YeXuRO8^&jSWh~$R>w7WTC2038%>pVhJL_Z&!<-bo zDZyWr5g4xw_#JE_eHqN#cCATNzl0hOr$rFsaO%5CaI$Wjx88xtNPJy;YoFtB&IK+t z%|Tt;Aco5!^ZYSrT$erLP$0#TPzuxd57VBA-6e)!G_<}E0IO*qVA=j%0)?dstX6xO zYKWx?*j6b{;*8eex=OR@zob5^(5UC=REKdPg#aF+M`B~y9dE-?rZrR5%??8}pA64r zs9j<~Zp-VCS==ZDzF7u>X-fl93|n1pCmtX06BBUG*)>yjuZfZZ+f`Iohrd{eY7}Gf zYNz*C$;Mk_I@-+|jWr?7l%JGM@w`W7!9Hg_k>v^8{8Wg!DHu2DYTb$zqBJskNq9fA zLZAzGMM;h+U```@=5$!nm3}T3w#{}rnNn|i+b36u>ZnMik-5v1ANgPc=0zI1SEJ>u zv{9`_+Lf8vtF=YSsEdjz)~Jl4tz)7aZ>tG|<p_3YokJJ{-2SL;3Y}@!hsL5?wAn>( zao3>aO(M;$JQbTo0J7o3(rkajfZ*4V?K8||<LGqyThuWXIvz$kz)a88baZICX7WQ@ z&R&!i_ioV+p;@F=+Zqc@X9%W!9iOY*>g4ADs|oULAmnr>9Zu=_M*B$fbxJF1i>mwd zkhZ7o=|K!7TM|_NzB=!|)}$Mp_YYNJrK-wVGR?Z6lod_J@6CheN0*9ujm(cGyYT%O zuHc8%YKvJh-4Iu?+i>hK-Ei$tZ@69ft2lYrz=uVTsP(W}<IIuN5bEtNt+rk(BJ>64 z<xFTBT4ti<c2~#WC2;1CS{Zx068z;cPVcLwOU~Mw$ye30-;w)yzYgcA@Eq^R6M?7L zCR40^DYgM`s;_oZcIFO|-{=ne3mfVJ_UAitUcXkJpo|w${ok>YC8Iyx9heKeFvN^M zQT2$fNPdxjq069O3@jQLHw@sJ1YG(a=iT>z5oN^?j%MR<X$b5F57K}i@V;V534F!Q z0}Btl@nzFByP((KLMHVL;<5REfO@+Cj`$Qd;v&Cg^XO%vyMJBA&^(`E)v2Qi>;~*K z%-2-+81i}0JdlMg8EQ6)JO@{3Sul_(QXj-qq^5H2oD3<aG!eZ>&^3V4v+`;|pGYCl z8sdIjpnVoZepeu9GNWuq=txr=zz+=LEc3Oq;1x;VSR0Fd4l)|H1vs`NHta93u4vh3 zM1>z{5)dAuT=IFdr`ed`4%Z8GM|j_^PXnoikd1W3c+OEWu4nzKP$V~<(#iURIT1Pu z3bBra)akL0RNffik5(yQ8z;VN2Yy+cy6Y8i)V{j6ySuv|b53XOtN)ti&hloi5w^^N zz<?QM`sTxiUk4T`Pzh*5Ul}g@0tjuQ<g*KlkE0{0SXPRcpN0B}7Z*tsQ^;7T&{H5O z5}}03)hinmkoA}Msf*AmDAm}Ry57FbobpwK4N0tQa?N(7dpz#kc6%^2mIwy&L3bdX zmbP_Evefkos9S)!;#E1-93PWXyeKWl3cRj5rF(vp{4>OXz`k>;t2rs++~$o#>!k+Q zP7bUx1&fhBXbVuq9sOMduJoS{XJWo$4FbmY|HiID$Jv9vxT-K_C&%1Lg85B1fIxrR zn^V2zMFgMXmjsw`X0_aR7{HJoqxTOI3-C?(cZdjIPB|FhU$ydl3lj@4;~j|u)&@Z` zQ>sdlmq<k&oKi}VR7qUK^L$;5azTJOOcm=vQPGE4CZRs0L*l~|y^Bm@4=!k$l|aP_ zgc+EOPo5pNLz8AH9iO5L#vr-q1rSq=Ov+aRYczC$omT2FZ3;t-JlH0+|LDUWGKg0@ z?&EGXiudWR_&2vtxZ;=hO#JtY$(>;)nK;Tg-`C&VY_VQo(5Sz0&u$;>@O9DqFPMn; zzkS2OF31&j9o(juMnnz{2dBTL<kWz$YhtCZITKEc+5YF8pwlz(*@+2OUwXJ8!9hmk zL*<KTI?4|?!d%9ibO<D4MDsQd2PF$2fr}ZVm&GH(vV_)xd_|%M7DW*9faYK5IttBl zpPb$w#q?<zJ+XP?%YGqJ=N3_Ux_y9BgBFoFPD3P<;f&Q^D#2;ypu=&GvS@P1?i24w zlZ-;iv$Io8^7GhGEO!{mbxINPkm9OjtToA|NUSr$jab!N``!F{vJZb^6Dp{psC<4& z_>gXFg5hWT->jZFv&698QPgitaVyXTa>%;|jJM!5wm>x;GtyUt-Cw+*)3t%OX<Yq~ z__{^oO@g5liO<b&&81hkg3Iz-Ii$Z}*bM+X(JGu4W3tq%TK+EjL9-*CRjY0QR-%`n z>EKtmKhYnqtoW@PXup9iZ^$igm5c|iGqA>sS1`amp}`vWlYjIASIOsyuB?u83QK~~ zvP-$Is3=~!2l`2lEDluF4lGVQ6|Ox{(qd8?G!=RV)Uuch{Q(U&f{KiHD4FIHku)aT z#r>Tv1>*R|O7#(TW=y%c`bJ)5A+p`b*LH)OI_PPBl`LCf+fK{ToSuop>MfD_Z_isf zo0h)WDIZG_VeCo&q(~M>lC~eVEw0I3p<Gl#8A---0s$Hz`uo*|9sG+4zoxKj@5?al zC@~GmvT)t{O6E!wY;XZ&Lz?*@b^N&?bt`7ADywF`4#nSFFGZqzzI{km5dx1R{^-&m znEW)Bge<xE1GkNkI&v$B!*628(`!}z^6pl4$W*DXP?RcTR%nx98NVu2B*8Gg5O>0? zbwCFWmRNzZM4(R3sQ4|^gw~miaM3b7i2~B4TGs**^X`M8B^yap597dOLN{=*Rz=Gh z{bprXuKCb8tYnQ&S`~h-0>2k*qzyioJRU~MN2gTdvWI*a71~L86Gr3;Wqhuss$z7! zi*J~s<t-o!mLt8O<ur}T_v^i|#>qN0zQlFoH@XS?QY4c$<i<hV1~wzAq9NBI94A&1 zC~BmJ92Of6zeZzEXI$a7RTQQLXhcAPMETk7lXPjYtx&?6l?dg_-?4w`12RePWe!IA zt=gf{6NR88He+!QA+(--lp4<+UNw7U$@YMmgwed;T_R9)fq$*xXxVu)z5MjS29t@g z+feBfgYf(EBp8Z=RldwUaj4SNAcqt6gcP{nLDTM!P{T$NPxB4C#(CKg7S>DO0D7s} zMDU#O>*)HQ*zOgC-(8r6tu&4E899nMX!t6H8~#R2zF4$XcOt8$Q(pGbOmx|wu=~>r z<19%WX){xdro~n@VNH57kAP91j;d<i3GB-1+o;DQmDhJqpygmjQv96>4u4bU3K<iR zq&T5Aj79o}+jrrbCm$!}6>w&&iFYGbT+2hMdeV=UEW92GlDu{?i0ptavtMsZtRyk^ z48IE@ir_@yM;0DjB>;lX4SSx5(0!CYLZ=rwqBtnwpqEDE&@73<S$&Gd2|H7Bk_GEJ zhIH2=B=t#4G6TKBD2kkH!u~O#cC5=22_dy2=+F{(R(r|NAr~&@Z{`1s^)SP{6(p%6 zdPXvl#w!~8R`;WWnCF`%G4pVA31-4b{`%1-Xsg(<qC=r$)q1V@YOG!9GUKvS1uPRt zB4E3qKD@tcg`hkuw5C3~Dmh<;o)eO{GgipjD?9KFj&k324~;OB7KFWpuei<vK~dS3 z6LH*!N}q(~!!fN0!kX*?_l$q<0hG@>P!P!|+64fnI1gDTUxl-@VH8Mr`PPA#HXk^S z`5i-7U&|nXdv@6GWVm>b935Ubi(8;_&DPN|nOU&xco5{({4<gxxAL&;>5<R1_X2to z+#2=XZJ;Z){W1jS`9c_D1-9|pu!$QH=1LX2=4_L}`|=2v`O?<e=&&i}wXK%YDCXFC z#X#dko%#y1@G`oe@mKhD_B!r!{fzQ<NlkSEhVWG>EIprgfTp+MOQf)OFW`4AccaVo z!n$KtWu#aA_$%OjxBIoOaM<H3T_#j@V?Lj>$Lja?38sC5>-pJ>{lZ?CD@8`GV}hFF zB2miwwOl=~(9~9fH0!$k;Zj<xwU?=<uHNbk6~>U8bu)5Pt~XNw0(b})W?X#XK~GY1 z-aIv&mMJG9JM!=8bUR_*(>vR*?j8>?D;mvn4xnyj!CfaD2(<c#4fx?1pmGUBbIK%B z&6f-4Ys?~;e=Aq6XNKs$2x_VM#GIRq!VF$-$sW{9<mrjyrsFy;UuEB#f@hmo!bq;0 z9pUX|W}1@PV4|DKMWp}5Qlzp6DLS#L;z{+FsczQ6^jTRBugEk?kF>(uD&J8fr;Fya z<}-&xKyF*}-Ow%X0{U}gWRFa+I#!EE^C^Xk!s41h{!+sB2U<LwueY&&lGQO#s3_VF zmpedG6_t`9ibA+#jN#<JqydB>yJeSpeZ3Jda3J3x+TDWVjs5Ky#RkBiG&PQ9#+w#` z*A$USjw{4ye!B6$ZMS1iP5Ru7Ro+z7cM4(2@lduPY@Rl_t3BDOEO?UVP?m6ZHo=Vz z3$)a1UXyP1V<rGQpB<%GyEY6rm$aVOg~&ah9jUfi?_Y+qv)jAA_ai5-Kj8n>mnQ#p zZKeYV06+)?0Kf=<17K|6Y(QsWYiwa;;zTFFp+WB~F3zT4C1)UMX-;E9BkLhyMo0f2 z7nr!y=`lF`|1-KU{io4I{h1G5$%i4-&affCw@wg5PSsGOKv%<3!NJrAFEJm}%cow~ zP{9#QD>zuAD?J=Sy`zk|mV}87wIphJPI_}Ks+zsGiGm}Ug{_%_CmFg7mewlI%zOlv zg^iB1H*A!Fv^Q_4mw;t<ayS#8C_d5>Ll17v%3c7P2bzc2pl-e=9Mz||U7ik|=^V>3 zFnAj&QR*Qw4F;B7K$ePDVv1&ug_((wo`I3Rv5A?P?G!nJjXEk6EM1_>UsqBCic4Oc zj*ApjV*-RiB_VSFEP-+cq*8oxQba92AvY@j53-Pogel;VUlNq`rc-{)sbF#vzeSom zSs}M_w+H>4Rrw#=^m2|r!?y1t?ct=J?eBlewPkDi3Ge#>Yiej=z?sQ<_5FZiK;@JH z|La5|w8#pzf&&1&q5n@R)b{^fg?d_DD+*f;^JjL-*jsC}Q`f6|=cWalymPapvn6?w z%tb)9aYfQUFU=INSzfg9uyK;)CF(v(Ej&Y6N=sPaAeg|vfIBaYJcwUgFONv>7!<Nt z5GYvcaiI*5q=32zo!}&^ot^10{W+pVQM6&iY3A4W_cixXZ$|p~HQM?^SZn}_S6Ndr zlcu?Fsq&uzul>YPuXjAy?&j|~Jm2Rna_ue;04h;7Q*mrkMa7dv{e1rhc^&PF4C+WF zQgd-IQo86|Gi_bXr*FJd8_dlmWN26Q>=g>kH30P#Se{4nG-AwG$fs!))oDGG!L}TS zae=^uuE4F+88Au4-5z=M=Y?!|jqT&qckgE7MO^FiJN(>b)aXo_3*Tkj`pRYFCbyXS zkr4A${MM<yPqEn3T2X90N8MJv{4EU!S~_8GAZrW@Nv0dCX|xmYmO-Mx?9$e<7+sGE z-|tcOx>gfVlm^FNbB&Sc4p;5+!^Y9e5WByqgXO<F6URo%z6%R{-jZsYZMFr}kr}qj zxGnIY7$@NOXRq>CCeAnOhtF~<!)84}J%N-u^~;uH3GU=olNAkfmXp|yz_mvEQC*aj z2ZDq!cJQgIb!BcF>T!SOGs-U8s?9;`=f}QX&fdR}u4Ypo!Tr3DeA04fsSJ@5Pbu$M z9!MlJ?Y+b&Q~5IO$}Sre$&9eusu8V@iGvmMo6t3@Q|@20#}(I^rHnZnICN6Nq=Xv- zBWW+a_C{rh+G8@+=Oe`k-`Rt76^Ejc8yrQwU|Rh2%@4q8pf4^gsL!zoFdv|+7w@JI zEK40k)ki<Lm!j5h+KRMRV6dTS7RBSo+VoHSxY|X9@q*)ND_iP_nv^x>$2%Z8wuU0< z9fd5*ux?=8@EORswY_a5Y#PQs2}m)nBI2r@HJ{B0Y&o~GRirnJ<(J$*)JI{v;6-=m zdI%D#7gYqT!WT~cK0{>5GSuyIKcSSvLg|1jk|&Jqschh0+qaqcgI@gVfxHNBT7f<Z zX)&nm{Sergf0CQ4)A7LMSIzpJzZ@`%V|<Yqjl~XGgc`Yw*pbUN8}}TW0kqLcR5TJ- zy|{d!)Lp?677_GHbh$xUfX})uxYnfaeMY%cBK12o0^)aFH=^-=7W)M85|l_@&hIqc zGSu(QWKKV?r-aTpfIR?ToR1Ri2T`Af(X2%tXQxjySNsX}e0~PJb@^5cFx?<+iQUjn z>DVhrn{)Nr#4AVJRCv&=mKs{BS~3e{V+nemL(w!VhVee#lfPmKn#P0YOCU8`ZXwo} z-Fsd5_R98DE`1gxO8xc56!zwgU{yF97e?GcTQf}=NEW^41kMO}Ad(YFd-@i45qqXC zyM~N@n0qHGyZTnge_?fx*1e)cwGtQ4_6uiq9dr8OR+ME@lU=TvY|^P2IN}w2TN(Zi zgqQqYH?#fGoVXTLNqGXqtNS&$Uci=jpZ2mpH=%-HINdMrowD&L<c8GB>V(6rX91LA zJ~Qe=-#21@g1YOdH1^IBW|^MHS$6;uTDd7CL5+<2LgTk)Be?`1Hzz6q)D1L;I?xL_ zx+VA#Q`?XMdX#!|r6UI%X1pU2km{ckBY2l{{K*JdgQE8Z&w09T^^@Z-f(*y*lM{TB z>x%_;!i0;za!1vNNND<F1~`)lOjg&3U=g1olg*Kl6(-`;UcYtY%*n#YlRi_#s5Cej z{&w_sC(nw5C6v5<3TWdS-Gzi)ePYy#*C_FReCZdml<8(hEpj2l!I@$~12Ax7l#*1b zS5g{!qH7XEyCR89f!CsA?Bcdn2T9Diwwt#HFp*BQE7s#bW*TK-)|NVA>LWbJv-k?6 zg!}c708Nr$uQdC%060{)Mf=Y-C~PEjFYM?}!jdr)Wisl73@;<g^ELK#^Yu?c+88uc z=O$%!lCvZGepNy4)WNVq?m)?q!8V*m*!P5fO^fc(stY`0?KVt3kJMngc~kPWCl`a2 zAUI*|n4DxlBT`-LU4;tn>Z8Vsq&>;rdg)W@%!pGABSw=SL^oJ8PH(^<jRAw4WH1oA zj|~YQ7zFu4HM36DX|UT2r*swW7h+NNuHMDNO~JEk^6~hvedHI^bu2MdStIQ|yr@;M zTC3yqf~Mx%ys7CMxP3b$-nZymf}xSi22v^VihsjaJ2Ur+vEhI21!YuP39Gpt)H9i* zUDboYK8`vkGctZNL3g7A$1MQj^GMJ&fEL(r>2jv}VYT~gk(-jc*(_J_9OnzoMgYcq zFVhsclz3TWtGZ)`?$i4b8eO>jP>wpl9;EJ^ZH*T(#o%_}R8|`|th4VnRE_n|rDyah z7}lO7I;Nz^6I*FJ{X}ZX9F^87%+w|gJ}Zvb)rk@-HWg_E@vi3dJKuqAb|rH1Bjq#N z#qetnHn$+>`>jIkH&v}ejk)fqt)axyYYT#?8h6>Z^&2)Ky==cJ-w-$!bv%&a0KG|w zOj6>qvU1c|20|z>sE2}rs*!67a~En;t(*HKLI*mreg_eJ2&7R`vc^juXJW^QAAxxh zykQ}g2720BSf@XX`?{}weD(=FOE5EX;@U>VRZMUG3Z@jralrD#&vbltntBH;!$2bG zjN3d0JiVY{w$sy4ckKQ1n%N%t3;bUh!8+*L8|EME8T^a?ci6N4{|9?U{|S3(@$r#= zdea8k7&Q9%)CmK)sOqT|YN=WNFH{4kR8Y=J&mA>3AA#RL9SBl~oo<Sresk=T4S?1> z(>TMdKSjSJMI$w<Q&CSF&P)&Ub3sc!Nj5$yDX=u7nxUhSlr@o={6jOd2V@yIiFJmV z;Sj)#l1g%dc88ULiJ69hnWmwMrI|+GIE;;UhHBOjSa#H;OrbMH0S`;?xR>x%u!Pb& zwUm`)*!oqlHH6f?^_8SdOTM}n_qGS1riLB@jFqTI&);7uV|N4ezxn$d{z-`+Ht#w| zc>n+iZ2u>0#`>TBKGm{h{r?CTcW3}WkmrB12!a9t0I>WQ++9m#<t07ctF~rhS-gR? z{dFkZNW-<lh#-8iGdnFPM!|Ymfk-Qcq_j^EC}_vP;GEjTLMpU4xCJmpSBNg3HmI2N zYQf+!H$DCuLlDUOJ?Hn=1CP;7bb*G+Y{p~OYla8!*O6PDzO$5O1GO4|F+rB3@LI`e z-rdX6k|a3?M?wt1Pvs=%!Qa$J-r<SL_tW9(QLhJB9(3t(0z1Bz_;z#U(rS-d9elL^ z+#c-5cOlHAo%fbyB|OHar8UYTrcS}3{yJ#s@~NZGMPn6=)r1efi_KnQufA`6J=V;3 zpLpLU{^rKLiY6h3v_o)vd@Vwqdjru%2Tcp*JR-<a`YnUGsDs#Menp%+$7^}|s;(iP zzN;#~3aH8QO-jQ>L#>D@;#*-ZDqCC&q@_*K1QtAL7#X*|1`J0FQKsbX3ig?$nWY(3 zer5YQKwU_TaiMz%ya`wHj*F)rstxFtD4_QuJj9BBHgvIrh{|-dBc=GEZz*%XU)fls zshg$V+@gu5n=j5Z4P7%`oOTmnHVFNBD7D#Dc+tHC>+UWe!CVvP($dbq%7%I#_uBGW zcBo^ay1r(`xr#{>UZdLPUYL>-Z6YIKUYrwZy(kQ&by;BME$8MXkRW$ez*fnN8Lu1r z%d99xIAMOpx!_r7KntRiB>FIW-r2EPKxYJDj~})W=gn=XM2+7`T|2IpT-S*GZdSaH z73d9jh#3s{9qz4j$QB0pN6p$^AMef}Za8-s506*2%WhvsOf9&B_}rO!{h8T;qr#t0 z4n~ahE;Vf0U(GA}4Y$zWj>unFtH8>k>JZnyUVt4Aj0&&^(YgxdEpgAxU=LnM-&>Bc z2T)rc?8}Ef58;hRKagn8%^&~nsug(gm353agZvAHDHV$u;NyEq1^8JCiOOp4K^7$l z&U>fk>0Q){9rs*Z#az?D7`cAL=#+gLMvOCN>FVv)KojBDhAH4qY%h@|^abfoK>yy8 zJBtYZ*$Hw>K>PA3LtLyUpO0T0*FDpA5nt*W_nhD19HKT%B$uoUDC~#vE`6^ox@B|( zlYMXQ7LXSMr(T>A_3|vk+Rir8xjKwG??auQY;zkl55BQ*DK53&AyEL@@5%;y7uTXU zxjl<;@0DRNJn<Eyks}ny*Z)1+$gg)8;}@mvhr8co&$zPRiZFCn?t13a4+o&2G`5gk zD2uMiW4)aJhJH}TLa>pUn>0U#RhZe<rpz3wiJ{=n(xrcFV<vYf!j&g8_q@|kVK|k1 zuPU^oJ%)PF#)u`oRAUeGnVLMBtPLY2(Kb~zjWL7m0O<C;a8Wnm%6hhVPc5dM`XLwb z_NjRW75o#QB{lk+5X#V6y>iX9fpU!vTe1~)v7^mvDPVxxhOi6;-~-}*VmYq7>WE<= zu%&`K$4iM{ve5fI$OzqScud1q6VTiEP~LE#94Tu=fD7mSBG#T+f*(Q^A5vmUJ^=E+ zCPGR{GbpU=^uX+{{}SJsfGfkoz1jWdrrRTTA!jsGI-ofou?URIOS#5Yhx6u~LD+W! zt=BxF0e!sB7jEu6k-+*sNAw9L$?zYU(v!eFaRa9mc=O7fNoNvnuSH7u<t{pc#~rk# zjymwgjyka=fatUX<4ewPz>Jv>jSdnH2Wo~)Rc<ElGHYA_Rh<;HVb?TC_chLCT>caE zXe<^jP9(fw%~@|%fEQ@Jv_+sZ4t-SS`BvOFS`*oW3L6mkvOEU`uGaPhVBRn&j}~i# zgYC>_u$HqX?k}dA`ujcEax|52Z#zpiu;{ZY`Z54LbTrOv5yuBB;sn2BU;G#KBL~X= z1}?kJP<{g403Lp`+)c5mlPM@yuTbOP&zqDXf9dZemP|*-YfF7TDfS4l5IhT_GG6le zYe>1puU)nKqK9a~UI2B00e?_m?(U2ZNZrzR=I*iZCY*evk2v_q9<uO}J!WFVxlc!h za~@+sVvjg(aqVYfy=F1FNj8$DhYsD|<e)`5jPgz9mv`f+b>V|9mxjgkFALE|$&ZGa zbLECwGSKcM_!R`Vy_pdnIQEtPoO<nv1=gVoO#*fvcOiF9I=sna;p}8b-DGQRBy!iR zVQa$O$uk@YIy{i{inPk}f^L1qy0=5F=|-el4ZVPMX(P8>-aAgW&BY!Zllf;hDg6-T zxN-V8qqZ2Hk@VUA>)QNqVi;XpvYwKCe(EJoY#!N=4XAJCb+`LZ7Lryg3?ER<<O?0{ zk{_d)Aj{&~%r;Uu{<PR`R-9NL1J@K3-I{W574he9OBDWje1sQeVuTlcV#KDtqJu9# zu%OCUU`7>=IPbBVBA1W=ekd&56c8^6?6&gNG>{eju?t?_;NH)QGf8t*Ggm^Cv#x35 zTm;}Rm%}<d&<_eN)lI6JM9*LNy<Za07#@E+Qd=*KF`A%X@itu2A6#quJXm`LDEB|d zFRXQf%CF{6(28lAc@`XXzRoI5)n*AL$H3I3CtB<5C3+AV@xfSLom*;;hUco{bP}RU zQb_kN_LR{FzG*4R9nER*p+F7fNzFx4;P*WF&d^h51F@YO1vEU_+3`mga$jGpV+OfO zJy?#<=}EBx+Ptwz=Z_S6Q0>krO{}h?rXn<oYdF^t)DgZ`ceZ1=yLeL3Aqnr<Jm=<z zKSJ-YB;;F*D)7hjSWSc|_=SEYez%|}GPv`?5Y?ufNS7G~4)~9IJneNZd*ANOmw@m# z-jr+g%ksP;R(m>6%}+8D_#}Rz+HltldsM7Ra$MR1_i^Duo{%C2bRo1J*fK?NID<nr zQDG&5v8RuMgVC;Hr&zi^DC|v6{=ecj-rNztYRZSpYd*5DTZ&0`GflT+D@U~kTu7hT zOows@w*&kJ_!DyZ(l`&FWw@)k1B7|qQg67*)PIT<=*0qmBrPQ5UUyh*E5nZcT+2*g zXd_0A%AF~h+rmQnvuxQYBZDMx6@$o7W16|}YlIU&_{;vX40Nk&QJ~878r<V&q4Ac? zg#Xi#o<}kH;8CiUPR=H>Upau<H)3wxGTv`+whxx`4ZfL~E7uyb$0g2NeF#Up3C5@# z4u}9e_-8Z4f}(G(Tgh(uy?HN*DiA=IHSxhwUeB^k{8W*B0h{>JV(9zYUNrK_X+CLM zem6#e3SjTk#kROJGga3^>A%9cPLDG6fiP3U{u12qIL}tRKKx}#?9)<$jZ|bgcc;7p z7Nr;mOoMq^<fM%nAZF#l2VdXF=JZ`L&2zM`hyJ4n|Lz%9a5KBwOWKf5=UMzEmN^qR zGz_aW+7s!t$e(ZDpUs+M1odt|?`7QuC`kypkz+U>c_zvKXYBSy+Ie`6%6&j-OKCRZ zzJN1#4C+1t?wVt-Q3EeG7P>nQw0H_<z|o<@q11Sz$y&w-q-C+r*W2_<`fFPlC5mzc zz21+#$Y6wgke(f_iBHJ~dGdhV-(m*fTZz1TbbP}pI$AcXcz7Js3u889i`Osud0%~# zPY4TA$RS`E!;1iC2RL<21gp<`uH@9;-}6m0v$0QPq|eu!GW*Ix>XoE0KS!M+`Aou< zg`LlVl{mq!j9jB`nrsH|eZAF?VsKCaMAaYGt<c{VE?2x;v1~=b;gYo}iOd!+aLZ2| zq<7m7-^G9`1j%ok(TB+uSzp~v=^J;N0q6y`&{Pw$qY;Bv1p=#fZ9&ijHO(G3nCU5L zZk+;^P4SJ&CZ@UAl1M;ZZ?SfX)6bM4paZ)(t@K_$e}NhHd8E#UPsL((P@gsNUMWxe z7kSu(ay7K_L~<TR<-?l0T=|2#{Lw|8_GulYO!4DNjtqx?-Ul^bG82L@4PawD310|Y zDJ#liua{({87N+gsQtrIHMliy*iOL1JOt;OSoniF^ETG?0DmfS_xaAu!NN@cQ?ul+ zUJKw4W{b?)FBy|;vo**r9(%k)>Iq`#6Z44KAOt%&Gjlm<#xR|q9|!!?ch&h>V{uPC z=BN6R!6w!f1c4sdR5SS*xK@pJAF>8{<`DcB#UhFMg=#v?ga31yRvyp%3bA)&MvJhV z8fO;xm3iqSKk!3PhvUO0OY`amM6Y0?S9ESUgSHO3US;|BQnCenQg!U?kSpEQs@Vv* zm1Qq(|68H-4VyPNGU;G3YnE5!+&Jx)(~0}o&CY=bLGTF;rc|x1#E@6a(|~`T@2orF zQMHYD9$h4!Wa8vo;wlTICe}vb`Pr!Mqfadh2pP3R(LyCNFZ9$#jrj-Xj2&ob={~5O z688#fHf&8ti#X-}9-p6shEP#A(@HQF+k3(+>w?*v^D18-%-IJ#mf!>9qkevyJ2Xbj zFi3xe*d@}xRY6_A9fJD=5k#dc6jw^#lxL+JM0!x;I=EdvYXDp5N_G{B+o%pNJ9RH+ zuFEH4!nIQDVnzn9oD2Tx?Dq0YlK#obMK|PA<Xo0#lpmA6iUp6mofmN0<Wz*!2lXBk z0^gQMcK?1S7z=;@1uVgg;Nfq;(I$dzFF&=j4Jf5|VjC<7-K)_ed~0w24&cB$q^$Te zH58BF`|{K!yoA_9v6R@vLNRf2t&~_rUs>u-a?EL)Vw<9NEou$Q>Zcqf*s{d4TUM50 zu0L6Tf`=Pca}=dFUIv|P5N$pzVq<hiv?akRa!ki+8M0qkB%rYP*@F`~+(CXMn3kvF zyz!WVpRC_(%<iK?DlQKtUot&qs3b<R9BC9~0g@<>Fo~fc_Wdm&eTC!z1<29P$yr5< z`73PAN?cuwP`R@K*dO!~<#zhuiQsV++9<tt`m(LAiC~Xp>)U~|h2Z{Cx*igg^E1Ks z$Yu`n9DfX+NYltsp~^q*VFFEC{CtHWs%vwz7(&2c0XM!#y#8R(^#_&$g}bxt0A3Tb zX>k!ET&E~j@EzpA9Z2UlNV??yq5K%2U-}@p)$ZN|&xd3t1DnFxCHZVd1uLclyV_wL zZZJMcbf_Gc&oLSG*n|7+P1ZJURh3j5co8L!@7WoXnt-lZ^MMv~F^zR;Cu<I99cTKV z%6nAi#YR|n#O5{KfZ~M5qYK<z9fqI!iv-jhy4?wSQ9RsT31Cl?U$a34I%P2h`NneG zo-s_BU&#f}_64`6!rRwJzCykFbk?^e9&L8nXP>8q8BY0jHv8jQMd=Ttb1Z35_}L-V z7@SyjTGM*{H}mXYWYxAJ(YZGosW$g)2sMYyy|Pl6lA~5lQTvTul2+@|efUcj5Sw}> z$JRIq%xrY?P^^$|m}`4|@n^mL^dQctFz~shysmb<?b4@8(o$pF%@eI$;N2Wa$%W>9 zyqZ%|a}1(w(XL*oaiPJLNBr%FxyYdyYw-5z0byx4uH0V{Z&|19Z>>X)`)WP}tmw8e zHbc(&jbaKLBN5d|O;`YKA={`4y8elr+7vu?h@lwfpxT4nInjac7{d2quFY<IXfG_x zCZu!vv@uPnrtJzGOu8|KNFoXt5k!iiHW(tpVIveM@sJQkFZ_s@fLH>?8(|IdvH0)x z|5$J?Fc@hkVB3Vf3%^<$`69}B7)@;TjpL(liJ#mX(-OREpP7dFE(E@GFzVdzK;A|O z*A<I~@dYG6|4LiaI<IZCuHSzUFx7{m7uCz%9sb$!{^3FX;yMDBu%ANYpj_Up>hRu? zcgNJiw}r5SUI7lK2dwK1e?xw#JFM}W0$=xsns*e3nU!wONg9Ao0Qnng=MLrT49I$T zj=^sm!56=C)Nge|`uRY>zGM@N2ZqMLMysLJq3Lm(vMEr5CCFm{&Hj@<#C3MS<R@QJ z-z_r*Z-B3samx$fkzP2>wwpf>rPYTdetNWE{De*U{3g{;F9MeK9RD7C5a3JYtBo>3 z48=eIqQO9K?uN|%PCk@106$2|FJ_i#Yq5T~{)#73Ni44~)P8>@Up*F3sT1QZyiE*i z-k&==qX;a6RKnZ3fC?2&a^Km}nIte_03bN7O5v0<xn6S))}X23S)^c`OV}`LIqZGb zpE}qn1)&F{0d%H3&^y=(35yT80pTdhkEkp#Y(RmS!WXE)0%ppyY1+)9IsRrwV(5wA zh>CLyUJ2OQhTa_SulQ_5D$8K;BH`Xnfy0wH?&7}tR||+2IM8@V!dL`Xcn|!Z_Sr6^ zi(Hgo9&BFW<rm>L(A#l_Ib*tb3mNgbc^l*zMu=|9?BW}lfM06$eiCRivACc>C)a!- zC%B)^r2Im=taCr%zj9^_5b&2a*#{UOwAOxbF6C#R9KTsT7J#IE1!D9b;Rn;%z`KF( z93ByUmcRcCzu2(lo~!-LKh={?dF0f=3X{SU2uTNqnk5cVfL5@gJpl>h`!z*&Vcj-C zbM<)cOjGUn$~0de+P3VEi0N1FTc;;TC!4~OIuLF;cb_&y_*4|U;z&_$#aEoZj+Yz~ zZrZ1FX**63Z<(N+p<Ld89^L?uAPc;y#tUK}Ra#N_gtF4Wm%ElZUVY?69e?x*Lw+Z~ zy&c@+{yaZ9N2Ws#(0&zq?h4kqq_gNj<)eCir9f6Q3Jcvb9vYjxac<;Bm;}{UAJny% zzkReY6EaUx_Z`gRzgxNZvUEWBGQjPDNAUeq>*W}ezCZ$q`L#qm2x%bnO2vXXL7gS9 zpd}#nr>!XelU`~C$XJ%ZqXqJAxp7BWXY%{Ybwm-O(E&B!^66epLbnRaTB4mX{bf~t zpLNJXzSkg`6-p0=>K|F5*M(xmIN#6p>aN0eua{Hg`F)bCFpE?B4Z64LFUgIzM6t%K z5TirsTNvSc@YKUXAXdLQh6cbXyQu~G0bRo_+sYj*(fi#D+x8E&JwVL|h-L?Q_WE;o z%kS9l8+zTo$Hs5p|K)MFAZ4LiCV6N^pBqDQ%uOb+Q7j$MWR(VD!Nvr+aASy6lr8%f z2_aX4+~Wfv`5qx&kSzbLnd@3_+kM64=&yS+_ze<27ID^<W1c*#1JV@W+)6DV)j;rW z8-sm%;5fMHn69wpSPp2VHl)ZC?|wD+520flMn(#Cq+kwJ2Zc=*AwL|zXoC}JKz^FQ zG<oL8X&gZjufoG}l?!5?m@*3?<-3gk`2j#d#vT}yrV?Z4<RE)l#)h`KWm<E&*pQvf zG+^+7zA+|PwnZlVd*xshgF<rF#OopE-aw~+Fd!j94gd`k6bZnQeZcDz`}<b)1A!NX zzXoW^9Jrfih(3U&wd9}*Q!PdD&de3WfE{*93Ecy0!(4hzQGjU(TELkP&94()#4X1Q zgh|$Y0!sdUCOxvIggtn{vTl#hDQ2uxC@wHiBRJzXqM!^QN#8z+lLg8i%U}erh0Ya% z=;qSGgm7hBBZbbL{_JEAb_5p)0-4i342>o=m81w4o|}aQRnQ?os_2m-RoD_CRrH9Z z;Teq(3EB||or*#~+>hvZ_7KB!e{yH`dMXxBWlImC(_>?`&?Z_oVsZ^zbjIILI;6U0 zW}s1}#rn8Y*0;=I48e!hn9GpQfDxNu5%Y_U;wC?FdKGY`tK&qv*?(`u7#nJMIV;G4 zbEbdbnmT;O^E>mY`)sFx&)BgXYL`Vf)wY$@wd1zhc66-uWZk`T%sc$qDV;0v{$UBy z8%<kt5My#Kafs!3OP;bdO<N{UGgien`7jc$B+;M=3@886qt9K9eh-qi|IB#g$c@xQ zOzz@AZ(@HVo^{XMMB1*@;x67H)8!;=b}Kl(QuIQ{Fa!8PZTbu2#nHA))YOdfnjKDW zA$Weu^G6wv@cc_Ou^cud>*T)%jOu+a(TN>0h7uU*3Ot0xmsT)yj~I`nxa(DKz-n_4 z-4jhb&^;+bv_QZM?B3RcoWxwn%!Eb>=2<z2Bar~i3BOs`t~3r9Tob@XskOFEsDCJ3 z0c18e1&-Cf_q|`(jwB#lblt5EYCq+e9;Mk#q9(-5Cxjg{V%Z>wPevQ&--BC!9A?Yu z%MEkcNL6%IXQ~6Ga^r^URce{%!t|tLB)q(5h;M-ZW$PtEV#<;e33(KFVka7W2LX5F z4W*a~B{%m_@*+X|^(i}+1sty4m2jf?5OK(m3WdhekU*@XD;7!viSR(#&a;Em6MQ^Z z-)}fx^y#ID;5kQ6-kg{mjDM>RnZzxPaR3TEVZXcd&1;8aR=%8*OQ#)>6Ut&5x|tNh zj}LONoA(wgY%}dC#E;nt;Q<vZrPacN*HIO+McJ?79d@Bkj-Zk$KF|~{KCmpo940*g z6twzZoSjpQC}ER^$F^<T<{8_zZQHhO<BV<Fwr!lTb~f2;{<}>!>8h^2=-cnB6yC>2 zx@A=pVh<PT-s{|yzQ(67F?_d<<e*gp>HdQ@;uY97;#H;!{eJT|zFv6_-?gP2y3O1_ z6%l?fekl|oUm)Lx*__lDu=GL^xc#aSH*@2`vWzPxZl<Atyi|}zS~hQ#`D8mj)Bu== zIZh&t7=LBZ-iQGC8jU_QSBoX)s<d6tOFf@0(OoOj_bw-AL&gWRGo(VTOOq>Rb8Ci3 zdL4FR&F{Mk&@^RX-DVZQL+<D5^a{2QzBVKPqR@NuW_TtdQa*_p%XhRi`a0iEc$Vji zeBrl4X@{`K$4tDa2_oV{+E>NKW6xKIGBX8I;dxP}a<|=x-g8iZ-;HZyGV_AFx#h-| z1$B^Q^G2S)t}oI*_vUQj7*a#NRaFA<6XIoh$G%vGyLWfaM1xR4ax4pP!h#@axL+XL zvSafl0n%*JQ)8yL8`!tA7tQLQW#5O93$%7*-49~rJ{Yq0<&@3EP$Z=N#&wk&FyMY< za}n)O(o$#>4i~>i^i%U5VvUUB5V}XKLdCyF+D9A~iwArsZ%vE4vpweB#vK>;Vj($r z0-A^tul++8abx~~!QDG%zi<0|kcbVj*2NJsF{&AVU!Q8~UCoM#Z&jTym=f3QnIG4z z@TTs~OnZvI@p)4u;2u&thXZ_n(#WEAM;NytX~cwO#x)fBdLo+{))xX(^huU!N5E&D zM1y#aIOc@F75gR{cjw);DUIrCtHMA}NfT-Bspzmx3VPs9WrW{$ZbOmIg=I*J;x`5{ zOjQ|(zX@?;(7g4>ETSM<QzKAkh#}C<!@eFSqDtMl9ep_+T8?U<AI#G%_%;e%u>RQV zP((f?9}i;hOOY=ta$9)pGFUDxQr^~>69u)u@=p)BYY~UGTsM69o&y<0&V);F(YX_= zlx``XQ^xz0$pv#-#jN&!f5aGy>x9B~N&D=Yc<U(`EOaE*E91w{v?TOGm`Vn72ZPZg zN5XV_BjeNfuk8$h!yQC!9B1ci{Xs+CiJ6JC*CnGYD{+g69kqprJH(2Kb9T!UfOeo( z@>M1ya7~8_hwP@b>rMhA5o^YvSO1kBiMmtm0_(s}%t8{v1q%2@wXI$E?Msv!<ie&p zkEWg6pEd(&QzfxWJWmQEs=%!Rx<5;-i5^`a-rilE=_3kh&&4{KJ#;6}iYOAP%Lfct zi~WoU=by+pj|fR2N3C$1pu7@L74<QfM+3zbGC^rq7WSn^0^v)^r%h7au^N9++;t1< zqvA~2o=Z2q48c?EkyqWO9G11_2Z)}%v76-IDua1;GtE&B+$w>+cL9REC+GrSZ<dNJ zj;m`?q3DEAQDVx3sty%W#~G$Bo!la^PUaz&O!pE?W??H^IOQ#^B=d;4Bi5{9e41lB zj1|Bjb0CHpaYVm&@h39Ic!m&V=A+E3mxPB>i?B#j7DAPT+Y)!lQx>*@wc(iN5p9&V zip&KdE9};oW9RY)SJr$u^@<U}@~em!rBf9%vIMb+8pn_5Viw;+CZviH#4H4e6K{mE zbg_%t8x=%GHH+L%H2jjNq00>pHe}1#ko!;Zmh56tTF41L_Y^HNh5SE5ARaA4g@bqK zz|aV;1fISqf2-v-2dCi1Z~FoWeOEq^Q?KBWA-mGWrXT3zjr&91f3(5=_&-9_gqq~v z@rZ-`Y)3(U2l4(h?jd>)q<SzfX+2MvSXj!=3~U~7f+a6XfTu#VQzzQ3v<>H2s0HLh z`9cA-FxzWr>f!(?TOq3TR{+=g7gRaPRdgO+cWnY2hO4WSs=NKQ#IV^LhMBS~V-l8B zIdVbs>8f-?{3~Z&^(7B2P&u9|$yd6uzy{k{$h(oMy`2-=a?5K&Ar0i?$QnS^3GZB_ zi7)&*aAEOp<$)EG{KYa&I{49o32~-uT$m$|j4(kCIzN-ZOfA7D^xiLEGK6l8T)$1; zm=9RO(H5{5A%i}j-ROomh4H0jBHc^FWQun?jnT}zI3a?o7Yl~CF)SA>i&5rvc_GhJ zkaRgm$oOEnh^oRiNV2lCjK9LRSu{4EYRz4VmbWXK1@j-5Ov&7}MiHvmibBR8H;EYW z0`A%oU95ACs!+Y(stcUMEuB-ajg6h|7O?IkID&^mJ}mCW{8PMa5$lOM1Kxs2dM*rl zh8^x62OAC3F5ZIh$tDS^ZhDpLysssCbCr%W3F1s}3`}cC=R#iKl-UQ0G2dnx!Q(m~ zXvXX_CEr*;^a=7cfhi3JWEsrh*O)NU1_o8)Tq$x!a7$Wd)V}bH2x)?og20is`@Lps zkTi{#QJXYPC$_QSIxhk8<P9+9njb*zKb!!gh<lj%mi6;&$G`mrem3NSd-zCXj{R)N z3D9hT0NYFy1xWp>shz_@vI?>1+Q;cPML3H>OF|2iVC2fWtF(CRQ9)x@?|8<h=%fn~ z4agbm$AlqQ@IjG6e2Mf-%?%M#OHc?I6)8f-rK)(4>1HbSoi|7likXs$?`R~PKbYcy zm%I=Ny`pv)6LzzS70R~(pDSJ$TDMQWRRl@6%?tBsxXqx-u1j(G4MjM@CSsrw6S0*9 z)f%P!Tu}PdD*6T7nAb6ewI(}r=m0NFV<Eqbla@SD0Fm%To|*pFo#k^_h~GAYsQGx1 zXt>emf-%z5Aj3jfumZGHL6;G_us<``r!52gG8RaG*3%Z7R0c^4m;UlM>HsNTz&Xc( zzIbpZWRvs5{uP1P9F#AERNe`=Y|ID@#z<m8UPg&u#L%mNbPp~?&|)kuG(S=vF|)z~ zvfC50(&Z90m&fPVZmg#ydYdVvX6=deP;b1m%g~L{<wYrdHq(TgO2U+4ztBj4jLvvh z)rtWs<R4dzY^Yx1FW{H52(2HaDT$KFC~3-UQyrY%Bt@AXl@R#RCPDFmU@8!Q7GawY z%g+gAgK!gYd?FqqZuHd!&3GEj8@-JNujB<>-}d5?^z6XC)*y`Ak2~u7laYiBa*Y-? zHetaQt%YOQnRnWEJtKArlB#68N)zZ+IftN(;ssnlL&wexWK7rLhII&T@M6~iEW@qw zck(D5+Bqy?JP8qhZ-2QXZAS*I_{Cl3J5#3Q#hL)>pho~@=*yoX`~z0@F^;Py_$g>6 zFrV8Q<IlF!Kanbsj_L}$bg`h9A>;2U6x792C)QT!+;%8HQjC`f5~_u)2gfXhtw-AO zWOPyE3Fubwj4`+QKw-V|N#|sKryvhuF3A*DJVwdR8F7q(h#R80VE=QmOCnqoz;Nf} zd4N`>Q{I)>MFl+9N3#q<!hU-SQzeLA1jqK$HxX}~viak3@acu@pAu{QKkSVH(`l~c z2a@#tE_gJ&6-5N$AK`vMv6jrnjaiVp5V5|}Nm9nHU>?Z&?O@p2pE%{D6jg+ZeYK!* zY@uf&>xYLCvD4DTNoSSPc*CNm+1BV8D0xgN5&^y$WQpWAMaaT8L&!5XJxh?jLH$e- z$i_JPWk@nJkNDx)W<Hej&ZquIp{HN=tup+vFygl29x;9wH4=3KWb9K9L_;hlmO-NP zXcJ4J_>IbzgC8^3O4wBC;x-(O^v(N~G|qwPm&^iJMfh@Fk61HJKkr>&d}Cn#j^0I! zND{E*zcfq(mLv&SUbc*-x-l|iZBnZ0<yRvDWYk=6$OK*R45&N4F=5aq3#J!+hJD|g zKu3&ZD2YMx3Y#Xs4i@jk4YcRmECT402fsZ|OAs_Dg2Xxy)D~1@$$oVCy4EQq2$LlL zFn&n71Pb|>z@QV6VC^4hCO$!N0nl&sb)Ett?@t?(^j=Vl#vTxh#+JY)jl4f1eiT2{ z@dckY1VV3Q31@>+#uWIl3DGmNj#lk0WQaLpfGGuU0Jf_PE$eMMR-h2%R6MtYDL(zr zf@rlRbe9a6*7Sr-Yka|D`d+jN{m-6>wX?2p;d%IlW=Y-Q(Rp$tRK9#M<*#qng$JjP z;yIC_war>x8Dr+|$O-dz?ZTpirwEv^c`||40a@9yZ-dfcZPdzz^<iTGFYpAwTUmr> z-jb*ILD3p!dt0jUjF&(D(HefRfS94WYWr69Ypdl9&YBo=3gw^}h@4+on(nA!C&I%8 zU&ZfD(#o7F!N^>){%DwrHKa_%JgH;x55h=uj$OwEOXEF&3J0jV!iteS=@KYD0c%1F z=#LSF^k{{yIF}(xu-~FBWP@EF$e1TSWS#6&orGGU9&fu1+e9PS#4}pJ#t_B>4XbLX zW#4dAG#?OSbu@lZfPaYnTM(V~zSaM+ub6f6Fch0Dzgi#W0N?_>j|#6gGT+Z8yoP93 z$|VxcnhddaEGR&fB%r4FrYl-|tKK!HlXIEkO6vhE@uIZy3ZW8xvM1&FQyI&3U2z@s z;46zic*{9lBIo}}qz{6TAS%5dcRxCfPg(XgN9D?rZ4?rP;RnNHJi-@DK&XKy?4|E` z;T${LStTg)qPPmWb`oqv{OZq!B-(IwrOOL7t%eBa(`qE_;GqYA6rspAbV?EwxXy&B z-i9Np8xh+KEXH=PnJ(#u$}GkH>ml|G7PqtVZ@icd@7i)~G3<QAp(7k0HE2iN^H5AL zFdQFI4OXvMw<n?^&8}m4lAZe3#2}7<{B3Fcpp6C2NaFzu$^^iI@qjQ9G~?o*Sqp7K z3(bMA;rEpl5C<6L^gU6RqX6VzD-jk|O==~aLxkH*Iwp~z46}in7g5V|Y6Y$Xkd^{% z5q0wo`5@>;rp%DVBY&24@k7p=QC#q|%-D%kq)hxtdxW(%=?<wQ+GL-`^_?w=5ah$< z95a2ppz4K_6f9W=Hg*^$lbTI2F-8^W253(GpGl9!{G;onp;ek%Q{h;(`d#I5yRDTS z+!+uKsR&Y7rLsy6TO{3P0k*172#Z_1TqehfyJW~?;sX$G#eD(hr;IAXBZ~cd_=u2^ zJ!(t22R-5Fpv96{*Bz<wRAr|QCn7vVIT`8Y8Bs~NpXm|fok2bCiu@`y+`*0W4`t#5 zV$}%Ke3`;~ftc*?na28tr3ir0=>v~M=E@pvur6)3C7J5Osmmipya6K#2{P1!!ze=Y z(_s=4LKZwHyCp@@pdzAaP!KRR#>kl(;>AMOVB9#6=*{TdFdfF4Q~Lw=g+ZWKo_lgf zZV6JaIa&%-_<X9ij2uGwL9mh&0tV+6!OIZFX9XgU&<TW*dVqYHpP(wXq=7SH?is}= z@O#ZALMSPJe*B9+dqekPzPdi)^W8lX4IHCkk`AXBIPs9wgFZ+@1ja>3=53KAnyiG8 zt_4WuW8b-iT(RH(ZYFF?xn$q?o@~jWIOXOD#+wg)_werWs>M;Xe9$Q&@Gf{&kWYAJ zh!(#DdM?xJq)|YMuXw^GR6kKPYd|fV&P$ABg1L$a$GJWDNSBNUVan*{%pb-0WO_sB z*}ZR%N@#jeB{V&7i1b90C92jC2Iv__swoVkz|ZuZHT=?TF7kq5Hy?Y5v&{!k2``Bw z<53?~iN6Fz#;`~j{D-?mp~V(OPsIM`*^LWKds1q^oe{WX8fibKiG^Zg6F@1^2nJ%n z+Uyr*Y<M*e)cZ>ksYgo~sW&}676pLrMd=aHo||~{YKmW57D<cxNV&E!FjX-bVJH=r zC=mLgZ6Qt+iXbuMT^XLP<`t2?r7B?-N^1q;i;MmO+3b|3%Kg&5lY_m*DB;1XKypl; zZ~KHTU-<Va%9Wp|6<LB)kyK=tTKYLpR~l`NF-rYPo`z_Ah&l%ocmH+~G2og*uvf=1 zkSig3kDY+CKTgmwFpD70&-|T`$fCzhaKZbQ8s-B~Tw*gC>+4Y4(SB~zS-y^i^|ZH! zwkfUCihgp=LHFm}$9jv_qs2pTFok}tZKMCKy$&MN(at?y`Q#MXQ%LV9Avg|xoIi?h z|NMA86no)BCSS2%I{)`AUoZ-poWQu`;966~7w4rjqu1YPL&AN!UdiIySjdzo&vs=| z((Q*m>sq`s+K8(nEq9lY<lIrCes6s<;G1jXQLwk3iVBrWt2u@Y+RcMqv8q0BR<vQt z<yFxVC?FxW>gMVCLQeYc9!Id%N0I3BHii_l<61BV&Hq`2?uS)-v-)6npjjn#u$l7* zx#l`_L2tZyTU}7^(drGZTX~akm5n-mf1~BiZMxY9dCJ}<t6Im=Msud7z2%LwH`HqJ z;jJ@wd!`vR`~_;0R&O?hbZ0KRAYSROJ8Mk)8L4oO8b@sT3zQk+lkR?xaJL$U$lXt6 z3`qEMrc4*{Yo!dl|KGk1ApZS%Tk4*!JkhGV`v{d}KHa7-FYm01W+}95n=He5x*Am) z&9%Y2T2-12)Mb8?`I^e#sPwn~+C6YY_EeOjIU$n(c27J`4`;^F1PaW_A{KKrxACV3 zi}=H=_6-uqrll-TptDdE!JL%2BN8lcM=VbRPa+R@Si7pAg*ell)h$qewufzw`tB3S ziw(!cZs;Hm;X7(;-L$H>>|>xK&%vyOFLFU_OZrOt;+xaS)N+&AEcBT>y;15ty)lfs z(GT71MB~`$!x!6x4Jc(fb+<p$hkpd)5WRYxu}IR;=Je!@cZq|njrin>t~-wtI+o06 z?;qcR_1E2aAUieYWA9+rc@gz%t^U+Ozv=yhLdG?nrMKwuqK{M=H0?JR>x4j0M)1X> zRApPEsRc=D{mx6LEWp1>DNCaDx{#&MPnlxBKz9ubk|R&7Q%DEj%)P19pDWbb&Vul- z0A=Bh#wNh44OFZtaGw&gwPxZEU0kBT0Y!Sac9%z;>1LQrY>@6}3P$H`DsaKN-}|!v zne~!%%@WZsU)(jo!*sVwX!qjNP*Nuim_PS<!Rp4$MGg8>()F(d@Y~GXcBcDp;j{)) ziSUed3&K8V#3(fFK$l|`BH#HFE%4fk2UCIm<rAsh)!A<DfOu0DlkEvF_W0-)@eOZ= zonUtm5k|{g3?|F787$@9wqR`qGEydfs5jTBvp3C1$e1%-<44ZkTJM6+raQ{iyd`y4 ztZ`YSa|7KJGL`nRVf3k^nL6?B%W}+L*BLE{ZOqwH?xt$oUuLDLMI6H$Q>gyN$`xIy zO?+>jg;r9hQt36r4?Uxe9k}aM6Qdr2TX$)B%P8>3O8{=SZhm=7YtWBS<=?LEQ-Yjb z37pQ8jhaH)PtbM7-RH0^+(#R|FVP+ws~fmCwwIaL7W17SnI4<^X0Nvv=X<-;O|W9t z+jv{<MqyGGIjUwme<75~I{`o`wSNz`Zc?g71dk_iSEtGv<KSrphw5bGtuGT-rvV9p zzVFxX4KQD94Of04zClG)uPz=ph~*M)BYoQ}M{W%EKX_eIV07jo#P_#uQ+@YfM2jv8 zpc1*)C4}A+^5c!DlnTz23ZHPr6t<xNyc<WIDF#89XzR*_{A|%bSzK--^)A%0w9cj~ ze!i8PaWyGQfwIiNT-%s)?YPrmevY{7lMR1aPo+|)%TJ8fYzf!#)^d#=L$N`JPaNcs zKsFZvdm=gAfO}J?=B$EvzmNQQw{Evct6YCvt2Zcv8vVG7TC#uOM6a2AS{W^kI~I}i znnrI)m#XCoG*Hyb0r7>GPPI+9p}&v0kvOnMNd{Y@@4P;ea&}V3W$#+{3>wx;xDD3u z2<XlTZxRSNTUvf7M@@GTN69dh1$O_fK3elNDCJJ47e8t_pVpMOc*!VQxn~WGqzYKd z`e98y8*ln=wYs=&HoF=n>D1X6_0*f;wsT-1#wuRovB|-53~X*~Uim`PemJ?>I$3YF z{0&sw=ssK5FqVrM#pUXqwP1e+UMQYKnbOL3H6z1*G%2Hjf60C%Ki>Z=ZAw25RaW|6 zJL9w^s{4=}(y=B!W|MmrHl%y`mlBR0ceCWFrQq=8sYMCHG<s@lzhy)n*6qJ*)j7wQ znec>Fd*zpAp!Y;KNF+irLKzfP-Z&!!SI~maL)1~vESn&+g0R5hCP}eldM9R37EGjk z#&NcVSunPG=AuVOy^$JScv??H)o`b<6GELKDm<U5ne(SRtMjw2!FI`&8hPAR0oK92 zxUi;$$oH&#n0a6johE0c+1<g(aQI(J(nu3~Ng3Tmwaylc!$h^PoaJ-Rc0{a1Ra$A9 z9FMc?;@LX1@SD(^qBV+K@Quqqkx5??>qYt4*C%}R?Yk$DT_0`dLot(_)vgw}wU++H zL@7(H=N<AMdqp*!N?!^0qqF_%u$AiYDO>zbyX!HFB&Eku8uQ!Sbld2ESB;ewq%Gb* zK55gM-~s-2xY^JBtmxkSpQ&lJJaB8Nf<~pz<f65aG8g7}+%~>q-ajYjlZR54mM62a z%|p+4Ni{kwMz$Xl8cG|5VRYq}8ZGv}+D2JnddNfDX{clTa4qwGHe5f&K|h^M4@0Y= zIc=7o+i{;y&JKP`S!Olah<MC~w$q8qa<ffeVpsf*<3r|R+n>XOX)|_t%S-h?Tc8OV zP8+6l=~}xyjTY-`u`{X1f=FZZ<ps_vaJ8keHbI;4xLT`?=C55T!~;qvboialqFs2+ z;?tjuAF}w|>>DYWy$!z7M&82H=_QS3*R4D}4!gfy`x_@PkcY=v{}qw8N5wMWT+`m? z_tLi{ReIf>Zf^@Q@9%@s*qVPRUA5y*qVRfr7Ar$0tRJIT*e`!=?6fk|nO!UolQWVw zOLJn&AhY4D3h%@35Ne5E<(Xf!ws|UToVT~$m@locPiJi7%1)b?i?vc|vsKx>_M5&^ zSzE5Sz30OdjLd2*BUtIO`FtD>Czi<t^WFdXK7Wet3!8cjveWL2>XsK|we;c5;f-Mn zpiNDJH+61@%#~g+xSVnW=kuDco*qAD2sGDts}ZtDp&3*TZ3gwHlZXeqb)E3Ot!SI0 z;{1X766(j-PMQQSi04mRmBQ~c=g$M2@x9SE3h<zx%gSh<x2UGG@1{z02Fgh@^*P_M zDAc2!r)T*`4dqU~c8?VLrZzC2GiB4Jf(Unsx__5Xgp(^DJSZx{(M3lS@{PA2#?g=5 zo^j`5E5Y4mDH;0iqQtahmzh}LJ8Aq0sC?b(b?uB7-+7hj+}Ur{YEqf}%FzqU?>BJ? zihUe+5)MM>TVJW}{vXz+R$uNJ$lFSR-s~vQULIxAPH`_Y?x>yexOtI-Gjc^D;i~a) zB>1}&@3%2;OX>9ox_ci_SrDznxpkS3khp6KYoL4MrpEgrb`#lie%j4!Kgm?$7{tfh zZG|_$sF4hM<rE%o{9W6CYULE6QXOC6wb->4m5<YV&6eK#q2%Z9wM5Ar=S=la9#x(- z<<@qJ+=T-0&-VejCPb!D&b)hdTNJ|VhOX?L3=`fmHJ2V56f?1|V7yFW9=muK!nkpv zNBD#=^;EpEN+d}TW3ZoKx1x0@vkJ<vaV5n>PqLhTC55CvEJb94{}Zanxs;xk@T8lT zNV3`Qfk_d<cJA`nem&l1oSTz&PNi~CFvaclbJ#)Q&HRLAmVTs42<JmL_NLrpSFdVw zFnsa#wBFPj{$NiPMPY{{FZ}k^Lo|Uo=hZ?ccq>HJzIQ7eIQ$U~5_LIV3)Jnv?#!iP z{wD5LY7O1?PL=n$mu!8gEL0a`oeFIevAW11H3UT^GDmmUxOIPwW3Mp-#EmUBXW)2g zKt|o(Rdvw;gWheef^tK8S7Aumw*3s=N|DM0^I54r5r^lT`PW`f4Z=}Bo#JZ1j#SqZ z!CGzEq{vN8MQ2FsyR8<7BCU^pswr)JWlznB8|#DJc*JgScNwscD3VGjoMDbFvLOTf zI^Rd+mA^bRb9(O5Z+|;qsL{r6hD~=Y^?TlIUBk-jtH|izqGhmJ%7@~1+WLZ!C-Q6D zI^T7qwM{o~m5HAk7$$CE{5*aDh#>W|lwt|Ozn-DvM;N1o-dd_n9sS(1)=*>n`HH>t zIsZO$lT-lF4KVy!5?Z~g%QwJF7>-JGOkA^dFM*$pTD=G&40{>yN4QPZ%~-wQ*FRqO zWoKsyb4dYt`NX4kfMS1r^&!DEE{}q6LgV%R9j+IE=|$r`(}d}vz+_zN|8g=(x=aSo z1K&ufS^EjCOl$#^)^>V@{KpvldWM)~s@W}_*y{VaUXS~xHH^~&u-|EDZzXoJ8W+o9 zr>9H!&pIR5r;_pkS~uUwc6AW3%N;XE(LOiyr_X)*GbP}9R-A9BG#fXX9sCV))JM28 ztlUJcn|_W4&y(@x+%i$GEh!J#E#ACKCPh!=A3K;ZYcyJY+Cuqt3-_zJN}kr=Cke5N zI?~Y-7II1j{0@&*NH?EZd?^HgX%HQ>QL!}2p<<-vBY#tG{o6pDw^dIf=-jzxcIek~ zZ}x5#0(<(5+tWC-p|=Sf!mgHUV#bXu&aDi+8K3r$;Ue$$H)LUg;c`en-IH-zV_1MP zuyc8Ox0SZ0znq19$?nZuZk%}GND8;`%s11Bq=nx(N*j%m(x7MSfM0-?-nhkH{<+Yf zdi|QG-gCP!iH(AB0eB!^M0=~R{ppqW+A=(JB6lp%INtGO*9#0Xe6~3wuaJ9la?~gx z=OG42BFZahjx0hC@hJNRLA8{-u1ydKI+kY^rBDho6m@1nz5)9k^*9&#y>QEa4ct{a zE%Zg7ximr|)i7O~fTJOlt;R4AKQiz63GE}86+9*B6{a2MUp?xSM|oq<x|LCL8zfcs zE2t%3qevU>P|QjeK#Zy6bgVcesf%^(LcS-IQZ#&0%EYrD7O${AK|L?!c#SF(vkSkM z_Iqo;lY_?JmHxqX=s;>K_*#-e%wf`4-B!?TewCE5DJXbC?We5m{l<5lm5TprsrZiV zWFvdC?iJN;-3Hsn%wEt%u_4W%G*TYdX0Wt2y%JBEKXmg?5xRsc$`4x5l}#s#Y>Yp3 zDHPCt6bDxSRMfp5>W4SHVzUg9lA7O>=Xc|;YT;ea68Wl0#)0`v(5G)-I&VI97+?%s zu_a?@Xqne;U;i~$VV;8EPf#;~2ocE7d{79L^Ah^;fUO3GO$T~67V3n!@}0X5)iuEQ zz--}~i)#5{Mofz7vPX(kf(&}d5O^IAl_N+RM8)A&PO`TyA=|?!X2oM8!QZwVQ`-i| zd{B8QpE<=iKz03+j*(j___1;0l}ih$3&qk+I1bek<oH&j9Q~0ze*F>Q{8pnF{c%*G z^28sYS1Kt~gTMQtKY#l28>pEvNz~~U1P!oN6U_fm=6S#uPBrkz9Aly>L-<BYFj2q3 zkPkg(UeF31PPZZ-g*?cI-~Wyhmw5<a(z~tvoy)7Zoel0P{gxh60Y<o4^np;*U){_Y zs(Gnk>El+x+M}g{z2hSKxfx6m{@xBF8~Bkn{#y&O-m|h=A-wX=g_m#`&{93u@9LXM z_2^u0cvh=mkh`gze(Fnv`#7rdlqUU`ULn97yt!v6>ID<!`|kwccBTBQ7*t4ak^E~_ z@VOgzvkPXpPs!pK>V!kRmNHlt0aZ{pF$!1-{u3(L#}fG*wf5OVi}v1xCFkz2ToY83 zSf2SYJ5=biI`wD#kGfQyHN((>n1%-vrTHz*VJuC;gEK;(Z+@Q9JuxjeCVaQuI<9E+ zB<)J@TFe?<J>FI>P-mE3TK)^v-KX^*&%P_5FRaOBN|^9(g!f^(Y*X{pa|IJ`om;CA zyH|PorxLMy(y5UmcW(+Mho~flS=1!$j`;ftnt}%y#p20IAli;{s=ee<zXg?$04bN+ z`r4c}h}!d)WHKr_i(sZc)Cna`v&$4>ArHwHxcDNqkE8Hz<9Pn?n1v{olB}h+?ktcG z&beT2w+pgsi$1Lm6$(k7#oBy@<VD@utPn6tKzETKbl4Sxy2rpX8V@VmNA^kOs)Y3~ zdb)-J&R3Pg3jN#7C^@X(IcG<aj+7HPV<@^@WZ^J0?JMcP5i&jgoN=nl>B{!pal^~i z({jU0wd3-G*|d{i7sB}&h@)b?o%Yyhc=_%=loY$ZH>*d?n?PMhE^?-$p91IWm7v7k zfUenfV(+1EK3i!xC&u}YnDx*^3{0%+D4xTx+sF$Cu-0m(7e&5xhV{kc(*WSm7`t~U z9^-;Ov`?N!ZS>gXE(^A|9zi9X@InHp%kBzEjJD*?JK++9&QaEOVIJLa!Kxh(h^q$U z#x(7@C|qIqpHe)5A-@)V_+0MlD^3=n!_Y4a254$D(t~VTIN73tm9-7PH`BUsTccrd zwc{!+`Jt-3{*VUQkoc2U>lX_x(}VQTLhGG)X`@9**#f*XRKfNgOB<IxYQXX?$X2fb z59Y;r#%%Ncl6hYM+e+=X*?KL3*I>8FhJ<Fm@rHLwfgBRK>XB_<IWqf*@_;5RA+f|C zZhDHrq>(7cJP}DQ%ly!M>$tiCK@KnT^t62F#BMgt4)w;u;z<p`4-vD|xx9hmU!RX} zc-IZn$zTnR@eYhOQ!S)N!Ol5Nw`Zr>kbQVvIu=NHHf>W=XgJH#d6aA6z}U3I#(SJ} zj6Imzq&dykq)F%T+9iioci^A)tuBa%0JVm|R*k`r4rcu+2fOAZXwkP5qJzmW`h<GK zus52}6Q0GOCDW_l;@!!n)#~9^wSM5nVHa@NFf=(HRY7QsZI+5JYf~5YddQ<#m!{MN zS?bzY;d8dv9xnQm6arg>p7w~EJ8-}|5DSHIikbJ(;}mYhAPul)eOeMLg$tO|s+iG& zsANZ9ytD}&R;7RFkbIwXMPamOe9Gy|h$Lyp_9oO8XU~bJ9Px;)eDJyJg?tM9$?=5- zjQfDBY`%v=gj>L@9MIjkJd_>g`S_*-junOlunTvLDq6?6fk?~!89-<jK|}twTevBg z^Xc~=JLAs3JL7R>i^s<d007wD|DT<4r~gyW#|P3IdwBhuyKzCXlWU}bbUhIsx5sGG z@g^vKP1avK-X2vPD%Ox%RG6>MShDAj15i^_a%ai0TmT7*W{qP?(J?ird9MKFv2{U{ zH>YGkY71e>(cZ&P&Uy;Xy43*yWu6~@`u6h86!R_5qb_r2#)o6WTDNgN@eXp{22X8k zXRTX)nUgOKF7Rj7lg@qU_`B%xa4pZj`6=}0>Ckp}w*uFfrV}INd*joA+~sb{u9Vmg zwS*1i905p}bH65UjV?W&rfT*S*?-O@vDeqPu_almQ3I9B+(r}XttDWpwX)fAnf(j7 zk$Iati&6mMEf0}XN{?RLJt$IeLorr%c#l2OPr>TA*FIknH|jqd&(2-FS$GMi?)0AE z@7xDSlJrWv{>@)q?tWDBn?_tre=`@XJ`R{jOQp9<9bzZk32`j{!NJa>U0zC&aT!`9 z2Oj^hC@RTSbK8FL!_FgJ?m0?R{*)=$R&?Ib&i(Yf#L(03d5)x2@O>=Z-#b?;DajNq z#bma3c4PXHaWYGOVDpi*r<n<T?@ncZFwZXDtBQ^&WT;>jwIsk>sr?R|^q1@X>%9wi zrFwdp<a{YN;^lc5NjOcNMJ#s`{*tC&jYdDql;dFc+1S@ea`HRzcyqdHHWTL7?bc3n znk9es+$PVaMq&i8ob6q7UT1J@Oa$fXHJLmcp-UCKjnlo3dF+toWqqtd{o&?QN>F9n zs!W-7yL^%66!yz>i*=dFnp6S2Z9v~Wq{<i0TUtzgBJ*76SixB2?2pw1Z-z2GRdM@^ zrAf?_)?#conyK`Dc&{{94eb)xJ7H9jNO?W|S+Ou>A=;U<lJ_gfr`$jM0T~C6#EkGx zMQGeFAFB|R@8+OOgn1j;S}Rc<`7}f%qseLI!jp=37S~#4csk6TR>MWUlOT&5$L~Dc zdB}TSs?PM*uELV@BE$83q*MowMwFn|o>inxBc*mjh(1Yzb15~IIlr{E#8Xw&YIi-( z`INoj<)~Lpoa=a&8|k_k-SsYQJez{#Ex<>j{<6w149W3`7|ZcRiF^MVrYF`Lt{%~p z#gD`1>^I^tDO7~DK8>9a;e0*17CtK9FrtQ!r?LDi1-M=z8oM~r*V#^^{qXWraSWew z{+aIU*wM<rLkVMav8GNXWNm>`AF%M#9d<)1bPS(}dvZEmo7HR3v+Z5>#`@TO0$l2s z{-fe9?yF(Y>xWZ(r{e?vW%=r!j*^SYhb2AQ*S$Z&;O2Pu38FuFN3-I9+hrsdV)hq; z+^Z9bxA9IB53!P9E3Hl_Z6qs8Uni7)dGDes)MUC5A(`40(;cjIkaf+h+LQqAi!FH5 z>$Fd~x(117n_a-52^47Fa!H!E{xOxrbETNd0PMR1rZ`F;g3HrOmAs>{3M|oTqx0b0 zQeFcAM@o&{lS@kwH_`LsfcM%*+pdY+b7L{$#vNtpIo8;YY6qsL<clIIsb6#_P(Tc~ zt{vDXC#oQRS+IX$#+}KRca6PxCbpn%q5Hamz{Hm58dJQWoCp_#aQ{<oTkfg_qAm|{ zJrvcN6ith_t}J|%4R`Hv$SM!;%Ga=&6<|{&yT#NuD$vXrw9b^m0Q?>X9@1qyaRjXM z@cg?OAE`6i<(j-f8}dqTh)50a1N?q0$-i5qD|Ni@Te{j2Ha-e+lZKK>)fZghH3T_; zRRGZoZT9YNbx4IZ-d)j94!IN5;45?tt@;AfuwEJXgZBQeGM7~M5=DO&v8n`Zj6iTH zvIKE0uC5Q79M}qk-3#*fZ?_>>cBy&cQK?{w@OzO$@$h@lLP?dbUeW~;-IQ4psul@| z^C}Rn2B~ldVzfaF#H3<_CYGw2XZ$QLg)#A<rs4k5plIHdbrPBvWazBu5^3IQR4MqU z2DZ97DoYb3L9$NBENN6WXg{ivM7;}89@xed_l>ADFN@=a8Fiw!(BXY)z#OpZtkk)P zzQiRl#9J&)DJ}mTq03@beaMS4C4U@}D{D<jGoUE_0Q8Q4>0pGYLrgr^g^8qvuln4j z#u;;(w|r|ivI;J6^~}_AW&_ewy|#H&S)uaoR<L5jIv$YC4N#YjVW&&|F)S%ju}9{u zHUNAi7#)Zt5Fz@IO5OguSk>}FoNfdxd9<g%qFW&sII*u}Ucus(fNx_K>63$Kh@$cd zK~&}g3Lf1*ymvB3cu$EC`25r$0iSqlfQ0~w2ck501B`u@{r$e-X728o4$XPo2)BA4 zw1#CIGrMF=umGKj>gEV*%R@q0{yI`!iYRMt;VGdG@sORl6isOAP|#g<2pG9__<NXm zJJQ-&tJzu6XW6|u94f_Ia^cknGVsVzkz1bG?#eh-KZLq`X}(g`7a#;`2+v-H<!f`q z>U$x~{vrkGU&ym}_V^CheX%36asP%FIC#B$3D!NPKbkUMELd+BEqBV6yX30g$O6R* zPp&;!ZzorxiIFaEIlSVIT=sPEk=7Xj*AVJC;y05$amG-YpSa8b8x^aFfsOzNejDio z!>$M+dgkE8O?mD2M0jXQs~wL>6#?o@_j-1l>4PNs9p(NP#XyxYQ01yr`I!~|p49!% zAWLQs`FK-*Lg24K$34xwF0R~py7iP4z*$gT<dqa|t*9=5Wkh@^lu_OY4e$&8Se_)Y zi%E?Oq&XPP-(0}@D+5e&$R&aA;SycM!7biWq=$ES0KaaK4<bkncYGw?L%^>PX<Vl+ zFDvzhl}~~&Z}zt``%!(uuHjURP6f5gug;tbern$(upynL!=ZX(k=XOehWV$1(F;&= z2XwHxK8?Q5#Cn&s`pHB#fG*jJS+*#w$Li$D(7NK(TPzKBMl<`zt#uAridCp7l;N@t zWC`~(JCfB!gxADVx$-nEPR&Uz(fx9s#*vWx=<CG^YZ7_0U%A6qg9AT!>kCCme1fl2 zlr;s`T!icCz-$%QfXivoopi1{N|;l*yj1L}dmn9O)_1EYKfqZ`e&S27@RyUnjQ*@2 zdfPk7_zC5f?&dE4b6Tvg(L>@64RSAoIsSBjR=(rn_2=!%3di*8WIIela!n;M^|srI z?q%XWOd~twt*}Gl7F6H;a|>bBfwSEPkoS$JyNEh8dHR)dmK)+vLv%$|h%nR+7KQNQ zs}9SdKuhs?$90f_jVaz$<GBwbuORz^pfbGknZ3qw-in+T`FKKl(26@uTcTqF^gtZA zxKSW`VmjJSKLkK4NT~@B78z!6!PQE<;-pK1%E(#Bdp@0*?}3TR@}eN<M32fsUl@1- zsyz2;JAm`+k8v`+(n^ZPiq&~yxH!5}t!}{LC-$(q6Wkw=+UUbBM;%x$5cah%qg+fq za1r5x#qQpPDR2sloIkbnnR!95TFnH^=^VWn>$AB0lL^|h3euCjK&hazy_^t{3g8w8 zw<I980v{nxQDi|=-j6N1jBGuKZkq_CS^p-_C$i2{L2EKWKTVjgYnf;8BtaLe<FOf0 z-$|!4t~R{B;okEtcabMb7cV5JtHHzDb8%JV$N)3%5FTppm4LdS)ALq~B<uc?7Up5( z0GZe2*5GBJR%}dR&E4KeyDMaQuF>Q`>NNZaJds?$3!y8>5o`)l0?wQ@QNw%0A}t^h z>E`q9<zHfzHK%-SXt%6%VtlQQ^Xb>IFQbh=YmJ$DbRk6+Y)z0VQ#Rkclh+x~s+t6X zX@%P^?>Iv3(+u0u_UVA(H?12QJod;KkvoAMX#4VN`V;j!aPFEiu7?*V?;9*#X|H3S zN}dZZL^Qtyi<VVmRNc&*Iz)?>HDgqJ$=9;;Q48Ana^o)ea<jTE8fJ$jcavzn18+#E zHVJ<Lg?W8^&&k!gG5nUo9i>9%JjMs0*%2}XpnF8$)QZI6bk%K;X4Ue(4)TuP{`d!5 zAQtr4XF?`xm~lgjlsN0^a$F1etI@<v4SuK&BDDZFL`{OU+*o7~1HP!1un=CnjEtZ; z0R3x+23S=?3cWzuN1ivNloT%LmwgSO^g2-PSO#(j=OylMw3?h(>o>)yOtOz^<`F!o zU&0rMD87j+6OREl1ukeyJaI&|W&jrXSA3dO_^|4Bl)Vf9;q{q5_`mm=B})!Q@Tk)H z^G(%}*T<&PeN*^E@888|rks|vvnJdn3$Fm#%}19FI7H`lmJQjNvg>t?jSjY2QN+iJ zfctsOrGoq&u7C-siw=*a!u<MNLEZ`F8%odidN`#jMffAx0bIor3HR~O0SgZ1{z+UY zQ21Rk6OjaT<(4($R%d??q}C}qW+qtkg7%2noqP|r7vMkIP<WcgwqOs`flAvpBP~0` zw!VaLXZNX%5x;`;4sGV05vmzAk^i0yani%tGjY}^A#L)aM^p`+<ngA}Tk?5M^w&cl z(xJ)N@Q)cGNgAT+jOq^;@5_j2-bz61iKAkR29Vq_W3HAnc@B8Lra7Rw4Qg>Bo=AzT z4y=?kXv2rPBavHC8A#eFKl)&5Sb_pAb>wYP@|p$PM;blmD7to=<pooVelf=b+Vr_m zG#pS=pto*91Ys`{ks}Hl1@}Y?-0?Tq;xCHedEGf1SG+=5-Q?ztZn<n;{0jq(5UBg> zSswctyv#0Ap#VjztlE!fi7FMFgeY}`zqUw-VxJ*IvFAumwRfJ(DS!MOQfHe)^p(vK zj74XERJjinRvLOb{Lw+o%sDh0qj!AmeK9JRlCuKG02zpy3DO@a9jH&3M4-M#198G; z0&&6!8R#M14)U1p9QdW#-CN6F1G)qJ)w-^ozzTrB)(1ZSEo(|Wbbf1WMz~8SLhDKQ z@E3Jb%9;0*R|kGqf|b{s%cOVi=`O~@GhJJD-Lf;XV|g59oYgq)(Y~{mKOwT!YDV2l z^{;nyk}n#?m5#MDRjQpq(PEu9?5GDH4RY&^3FePdyp{13YENjA3!b>r9&e+9(x^Yd zAq>Pt!P>n1@Hq!TvRQNf;Vwb4&?q&emPj#YeNPW+uyUlnHIrf`q$KFqY;a;p_Lsti z;Vi&#`VzINF|VX4kvvmYoon(K%V!0Oly3!ej#{~X)Lj!a{cKT9Rq$g%w9BVFP#{?y z3Mm6}n<aF;k^&SYk8VI=UYH3Cc6yxR`2bjHP)fD1rlCyZeOb|Pa%&<A*SP#J-M}J> zZVw7?^^NgS_KwPYmco}}26wOEKcxAN2YC-F)Lgr8sM%G)kkb#e(~N;6V7KrifcczV zJ>zUWH#;}GQvoL5*3>_3YEpze`6UQ=3yKhNmXyJxO(=gN^QEX2A=r;f5L(QXAo>G( z@+gH^7TR0LS8~q6ji>slg_*(a5T<cHv&>KYFHZ6W*uhadIA4hkVmdhW-%j?V22b>b z3e8;nXi{$Q&t5CO(EeEx8$!OAC#ANj%QO#(pf4k#n_Wgk1?RSLh{<VtORr(^Ixuqb zJIp7^Xt(X5og&CM=f8OHdGdeVe~)=YysG80ueYnVlAblVi+QfV{5yZ);_MXL#$0AX z+`o17#0N)$_ZDDU=xm=)&3|v-TdlCgu|1amvKgQwS!j;PeYC&$_gw3fgV0FObpzd) zQSROw+Fx7hj?FUs0Z)4-+*+&cl;wJKu4^Uw(ou60UUER`{MMnC{-@$B<t)a41{+X; zwZBsCs5PQ8LY1{3<JUhudZ;8xFZV>T(EdVAzvam#mn{AO8x&5l1cYrKlT}NXqMl@E z>!GDHuyutIFr`@#f$uZHf=97+Q3Q(o<l^BZ?|egeTKR|%7$%ifgBPgCn~GVkE&zQP z<N2ztIY3Pp1BzkC$?H5<2z*Pd8ETq~p;sV5cjY4+vgYm^&@-KBCq;43vbh#niue&C z{5_&`0i=Z$&LfcR(2{E03J&ueIrcq(5w;`SfpgAIK#}0aJtEAO$r)qz;(HD_lJ6N- za`%1W_J)wOF-Q5P;!N2LC??IGlx+^ubE{M!aAyIXP>+v{LcG9|COz2phUz+Rqslmo z5cBk0l&a30Wz=}#EIsENm8PP<w7%7GnK4d|1Kzne%|$&2`PzRK|I(&YgmSb0K8T+N z%}Rwz2kE(QaN;#^J@CaFEhOK;jBtt--44uc9A;Mega7hJe09{ogud?4{BI=Uj>A&f z6wrd)+G>Sf2J{unZw{^rSCYCN{hNYwKef0TZn?KtfaYY^a4n91mG2R;XRYa!Z)^33 z&Q!yyRK@THmtL6D_{n}*Gp1%)P-+3WK1*Hf`4CT1ctO$bcz>Q#{T{DTfO6RL7Oo9Z z_YYQ0h`>$io&-<in$!i2_hMLy4CcNmp(X1)vKFam4(MKmkj>YVO^TVoN5&Jra#h71 zJcbnq=qm+QfUs90JcEPi=KK0xM)~{+y4dT+rg25kfsDVR61NV#p4jE3t4g(jJ!0^* zstJ>m^Y`flT_HvlmHDu1Ldqr_h$ROi3E@;tycR-GoL58!WDE2{Lzd`}%(XfsQ<1nt z2BmAvkj%?;NT!v%>;|P9&B5zK?sBI;9IjJH+Obb%$W=zT)K_pzxn$YQOb=7RXiI_2 z3qytF?(KHmDQLeVw(9rYpu9POY94WAMeFjHnllY=1TrB4-b~_}@gZb+k5;fVLOdv+ z@4U&!cUEu)bO)Q^kKN?;SUR)idhu3p%7w?}h)0rw#}R*y(H5heLneV=gW_fW9oVal zr2)NR^<$6|L<u_!<iZ~P*{jffCdl32_fuMRs+dwQ@k|1ymYEe(jHt;~XF@%fb$;Tv z91x#~4IK%|PE4?(gQ=rA(`Z|>lgE>)^M+d<yDv}I`y(_&+=7a7UI^;Iegf`LYZk<@ zdV=v@ww5F;#`A>JtVMn&FVj*eR2QIGeO9R}%Il3=0PhjFb9laF`4{*BqhDO8Ui39G zWPm<9QWH4k8IXrN1-vhJf6tzsGCskz7Fk7fqg&9LhyEE2k?~+Rd^fP^gS&omtN~lt zP+U}&H(;3I`a8x9>smYkmhwD*xeF|zWJjc$CAcxz-6Gj*YFLq34?%&#lR{#^S425- zS|?<<ZqgAy7c#BH-j->nb`7US9aRqlQKN1%B1ONu6_H+W@Lou9>ash9f+RYZ!yqeM zvJTs-9%IILH_!~a-+|cyJ~-zn4z6N=(v4fIaIE*-wQF!5=T@4BK6VN_U^xi*#z|Il zEvaXl6a9Q02JQiB40#{-F(YQ*)(2nOeMODl8m4UZnbs^-kc@XQb-43jAKD2W7u}}) znyu&TY#AN5%yKdY+Ji~o;Pfr@@~nM!bEB1iGLL>jj|+Vk-|!kIKWF%uj+3nH2(Vq} zCc*1CID6y~jwY$W0{Qxpi?7tD88LOB>U6xjS}1mJ+kx{Rql`zEl&_Q*)Gt#@%|cH9 zPv*#dSaBCi2>4`evChtnm4%#5_EY%Afn#eqZ{QDp-;diNs^b$I<vuBTFV(Qm(GGV> z4}iy&rbT}0*0UDnHSsPP`=_>K$keV(;y3w`Ek0JFQrcBf6?AG7kL+Q=A=dMJth^3P z_NoiD)@nN32x)^)r;(~n;}*%|kLg%rT|b=l8IA|4YmLs$(BY$Sm;zh7;T2^6U+w5& zu)%ygA&l-T?zWQ5z?Sl<R+YJ_mI&z*Cvezj^|Rw9Bi9`Ml{gcJgQ-pXr@LvnW81cg zO`8PF^LdtxWUWyda9jH6zeYo*5pUhNVQW<NB&{u&`1IZz`hz2%!eZ|T#Yw&v?_F%- z;?NKU=zU$IR?kX3;pMe@=46AQiwg7H22>ki0H0b|xSH>MO!y~GSq5QjwvfsUc~ArM z>EK7h2E+^Km-fJH&MoR7GTXo_f6@a|nC0iRy5Recz%POF;r)*Q+!1p8;??{g3FE!< z`Ct;ki>3A`dm74Zo}x(c!OP(HaO^!j1Z38t1eBNjbHp2T^4mO$OHl%WRlfKDNFiF{ z1So@2)=;lBvL??T)~_oSf4i>@e|iTElzi~QW-p=Jw?k_5GqRdO=>Z(WdyRTn?}0h3 z*d0Yq1B&Y0LKu)Yt3rUm3aP<2DeL^BY5-!73!MTN{zlxeF!W}VcOWr*0etJNBzHlz z7~b$~ZtV%*dXmda0pRF?EnX6!1Ni_S0o4`kKC=@zg0B6*HQ=9Z+e_(@?fAhDUP3WA zG3!PO?pk0(R|M0WBe?RVdz5aBy162#!j%6LbQFcC8iC{rsY94}ad8J{I$A{cL6<Ji zWT3{Nd7L$eV_RmOuBe1koyt{Y_1d^1O(J7urL)XJ@eGcYDt+|j-p`l#hw`<C6M@z* z9jpbgs8E<vH!DzBl1~$0)GnMe7mefsSRX`MI{wc+-Zzb0iGI#*FktFI)OCN~Lf?eI zVf=Njj34o<iX9-^9Q{L}5WFt{iEwBi@R^rjhUlOiq&b=cD8DNh9;pr;kx=qa^#!2( zi~kdBT^HCDX>@cRn8Z;l=T9V5q-2h4=k%>h>f1zRWEAhsgn+}$^8L7_-WOm+mK0T- zcSZ#(EH-q%7g!-u(lrJh75LQQ5%Qu81Qhwclt<tLKsU(DD)6|N;5ZD(>@qKyKAK@! zFF+FVo&y790(a{j<X>CRB=lmtLA^(zktoPC#$o^qQ5Q_)FfyZafVC)((d*1;4MeDB zBx{o)ys?>`Y)UJdF$am;HuQ_!)s>!qubV(ZktbYMn-NYXns8*YQ2b~RhFo)m!1b!c zJ1ptJ$T~nrAaokaa_oSph20Q1+z-Oo!n{A^S9l6tLp2D`gz2<ieGS-Cy}*k}+FfMN z$l3PT`_2h*TOg^?vMq&vZrJuu;aKV45aqagqXHq{E<2D-AWNP89n3`B{rBw1qI`{| zQ<_U#TO0<0QciRD*3X{M(3zH9`we%+iAZh+PCDbS<}b6LLcT@vMjWDJ3EI3U_T$U? z0qUuN%%zYuNKEwu!ae9hyGhC=c6LxkG_UCPQ0=^6J>KoChT@!A>T5bf{k#gUz^Q7; z@E>6H4Ym7zz`~{yhNief)2T^7=faKxxXj(}q&1sY8>UFyQbeg7`?g&vKHyhPX>|nZ z1TyjlnrqDYT#UgMAW@MdHNaA#2~Vs~$W@gC1t%kw`W|&PO-pKuS{j<THL)N;sK+rb z{SJ_>!#U7lP@W7(^Z&)%I|YjpL~EMcwvDsTwr$(CZQHhO+qP}nw(Y&=+}rce-P1i2 z-O&#dQCWz{h?SN3P*Lm4_5X?Y<njA6xm$xCnURhpvo6sj2Cy@fOGg3)Y@<O!&e}A8 zJ^m&2iLnMC-#F^Xhlc(H)nQQq58Y4^%AnU*4w2Y9Y^-_e#s5HpQ+Y`%x8b=*R)G5l z^Y5R@;Wxm^rQ;K```4=a3uHnLii3zEszfyTz);N~LyiEDJWqN7NKFO3<^%(~QpB$z zQJo@^W(KQ~ARSZ*qDrQrhpzJ{MImuZegIF?)3KYF{$#zEPGvA#Pl!jFNLyqrsi>-= z+N8^i%0%LLKsfx&xV^m*Dpy5dl7lqGb(QM)6(Y)@@GxP3P2;N%i1x!qz7asg3c>Va z$^E3Uf*9+)+uHq;|MTA43iQWSLvb?F0iBE__yt?5ofG4QTY7@X!oEGfl_u%T4Ge0b zdY04!jAPGW=rU)2c(UF@#56|tlbQ~CpYNsl3!{wG3H<Ctv|pl=EpFEa@y%&9u6`Hh zUPk#~_>>0VCAYfk{!c~$v9=R0VkqO$7cqy}@T>`S{uaS%1QPolf@9ssj-CE*4vfsR zcmQFgVlHm!>6<cp1*aTZ+4HAlgyq1`$j1nIbMvxtVqtSAr^F*(4BUE?{6cEYLkMK& zOn;$xdY~T3fGF4?3YZH^+~GT&yB<A$$saqN8dydAGT#a85{JCrprDp76Jqz3yX`9G zugJQP-^}`uSxCz_l-7_lC#|B{8+6ETrydcJ^S8)v{n*knI;ER;7!$kU&q$tzlPmJc zWF2~(=(8<5l$JGsTkJ6zww%beGbnvP^lUrs;4=fgcfp*qAaswu1a<Abd~p|d!k_dc zaOQYp1N9{sa5K+V2>TG#=~cVd<%!A~fJz*2(wWIdNLjwLHDbNuN@m}`Go%qictGpx z{mGq0HGit0LJtJp6lT97g+mj=8$nL=tnqS0fLH?ku!I_btM|S9917a{d=S~Jg&_ST z!WA+w8ycgMldLJNGq+t9qA(Rns5R*d-31&arKQ=}Of{zWWkOnNS-W%A4f3P&kV^;@ zu%!e5c-AcG0(9u6{Zx1Ypq?HPhoDaS@4Y}u`yAbY&wvz3zqpvYHm^PG-u$va;kY3@ zLCOlqxfdDrhQn@A@y_lEu5$UR`0MaNEHUSPLx4>Rk8v{TTD<Zm<ioSWN!Y~PY9tH- z_41{??#QKx2dul$r)J!>zU7<|^^^G+8wboCJy3`Lcxp++?2Ok>9A==#@1ot7ZXE0( zMukbE_pxs{?00KvfplI0ZA$6I7L?EeJ7cEdjqU(%PaGOpqSsyX6)DvHX8bFa^V~{9 zp6bxPVHm-ASuha6iWogR!TgL7Ob(Zs8?%lSl`@{_1?fyD!}s&1tz(^^^p4JCX0#ZZ z_CuZ-`lnBKQ|NJ$N=y5dcF8OKc}MVyZk7;KlP~Ki(GRVMnlaLjT!os~1F6DG<~qoU zmcxuzBW|<7rUEh08|EjtGu9jdOxhEQ8_DxmSN@m0E!l_XxH@IB&AO=}HZSfQB|DDX z?aOj$aawO0qY<ZCbB~OyejUZqKE8TQ8;6XFN)PpCU@T~CsiPy~f_ysk+F|Nb+>Lkn zpQbs%WfAmV`POkkZiJGADogT1=DyNIt`NoXvlPYgt_H=iV2(t;y45!PNv}WZ;pS;v zimcxgT^uKX55N@#z^2DoNGChYbb6x8@J)-_RLLI`Ox?bhzHq^sde&`=0W1}QEnXh1 zDUlz0Tm?Agh`ZSNJcwU4RSE$!RRR7UU#)PHz1_N1#8XQTFKQ{aATQ=9+N<#6IyJ<k zq76ugscAqd0M_m##+dqA<eteQzr`q<Jtjjt_)^S6CPy36t!xF|gH2$}PX_y@$md$z zA!}=p7HB0)ZivxK*&*AEfkb2BE9HYYi+7~z=v#HZ-pFn#uLYwX-qc(5I9bBiV=Atk zIfhE(^(OPge@NOT<EhO3oqTduy~S$0piz~E^SfwqmS;am7+NLQSzzzP{={^r%!hmB zSzTIcb&Vv%WxzPyzZ*=6b!uRPx!R3#WKw`q0f!9i4k0aA#mVM4Cba{1YM8GVxHink z5w-8twzqE)2H`3q7tSSnuQM(itN(nn3)Br<iQn$@b1SJ*@XXBLpL=}1CNz^G%k?uM zKSFk+j;z7F-2nFlk@Ue_&P?d2ob5@BlK+Uq4)V|C5R#A&+Qeh{RutD4Lwv|;u?}Gb zEc?@+2#{nBc;D7IAm|0OLR}a9_#=WkeB>Olqj}m-9(^y&ON)9R;YkQ8{#eVUktE5W zQRTT~5SUEk79{7ZcXl|{+!H(EP}~}s>3t1yoSLX3M-+3Jzql0;%c;rl-p<O#hcFeS zz67KUwoJJDf3Mj$SdvqNnPrWt-X+y7e*)@GW=*T!8#9=HsasFPwlKZF$4TAK@}$W$ z{$=m}UML|ThwVV-{~W;+uH|;6|K54~h5Q^f%dO{ru}qzsul*$#*QPzI2`%YROfmjs z47jc}TKkdhe+gu_;-w^w)kLq!l$YP9O<z$W?3SJEGL8-omiY{_+cym>kNs9X1{9Ah zi8UHg=m0?@Is85k<#z$35)B9sS`Wmyfl?&jo^>2N;$d>yl6&}zO%Axp%@^eC)l^IL z2{st`k6Q=LfMR<8Oaq|t!*pbuZtR=ua4!tJ7tG1f25KcpcPc9@N#B2V--siBv8%H@ z0!uISS~>`E)BKV3(0`CK_KNC0$lzvZ2utjnT}J@LUnQa^V_6_-?3>I1$(<uYyo2Ii z@M9@WLV?EY1>N`JW<cdyAU2{6%dQ=?EpF2H6K>C($)p05kOlN4_oYOj^ANrkIClnV zrqklPve8@BYx4xE59QC6xk9BYgQT8k6zyoQc&wUvdN|hQDE`elj;Rz}%qYd(TvJnJ z^mQqGk6EbK-fYPg3R%iht$pwgB#LX~r#<`gLjeiapz^1FpNXCmR5~g1?p4N*G+18M zU=4!*V2NR1h9e-qXG1Kj-=5gNu}3N9nEW+WH8shNTe&|0N7YHoNaO2~{Il5Req$3+ z=Yf+?;oN^JQg2{_JE5}R%s|dt3)v)j2`;~AXNs)+dyoV(_`4@z9hrk6@$;{1IZoG# z1d~Dc-jP4MrNH8&x7}P~kTB5GEYR6PF9ge}#!ZF#a_u9Rz(~6;&9-_9qipf+KVRN- zr|yix`xKncqe*LPM-y7!a%-&s8t>w_IotHnkB=wLrew|QV#9i?N!O%s?YM(ee=F&A z*9ga331i>e8Jb6tW{N_h+p#XYs^6S$n=Un+<2m$~BIdr(j`T$$@3GE<?C_`j8-5iR zybHYkcB+=H*Cxsn@ayJZ1&tF{THOY{{?zZHwRlz|1rFbFEr*C_yK_z_9LrPv>z&T< zeS@weMBY=HcV4@9ZkwK?Tg>O>)c4SzgGsiXZ~Xgiz{A#$caz9G5NZ=ObANtNmNmUd zU>61;8YHSe)OZaIX)qsSAqow}SywP}5c7J(*5xIXmgjoh+jD%aLT58&AjrjgM&-s8 zO%5GQY>FFpNlnLQ=BHZ7O&I}?Qq-eqDtM+?T4oz{YfZ;)i!;S0Z1Xr=>st;L?#JdQ z{ftxCDrv1*<~!>&f>LlUW7PKU#;IIsajaGGtxl7ip44_V#AyvpFls73!whXJ4f~ZT z)aV*6I!3|HD|^E$DU#Kcz52LcCC-D#E7YoLt~$ki%o2AT#mAi!6Sw4ntYp|WN-bMO zS6#xv(H3_q&BrXx$FWQOoJ+8-<(fD0t~-{2pVs~0*3|IpDm(_*U+LC^hAq^+b=O-~ zq17*Y$S*0n>#8=b@I1!5cTL`tj4#=<9DDAfcfz8Rw>Xr#E-*j+_4~0g)V1s`H+BOw zrgyV5DZOl}J?A)Im5zg(Gt|F!H(P^xw9q}18asxRuZ{hIR)gSHlcH9qa)5-Ogynh5 zS_q9ORf<q78&EAAP%iZ7_U!_~H7c=`Dpwk(j@DGp*3_=oP$&s<`ehAu%^h?qnr$^b zc7}rcD`NXKW{Bx(C>dHy9L;1b-DcZU1<|6Y*4!OttN&bNxANU@Rt&f554SGSI#_93 zY`J&3Ez3i*&LICOQFAXNb51wjz|4-I=2V+{xHNl;Phnr&wTyJv)7*9hxgKKOuGrkx z>=-!M*pn%5ame9(O5Are4`cUgbUhCoXrm{`ITPncN@~zjhkF+qZL><U=;$;&M<i&g zzK=2Y%sKb0+<qABK2~@3x895Fu4H<3+T15b|IAhYtZaVO<G-(N@9(;$`d)JXXuqZ; zd`b$!r?l`WVR;rgZO=-u@~Ct?qZfCwq{dep=aWuo_$s4q>a^UHH$=;(T6>pRtu`JX zy+6!F9#{8L#&&D<+`u1W|El#oH$P}|QjFC^%;i#Q{3;-NHX3Z}QnK`D*FWQ<cD{g& z?eLv#^IdxSul@9O1o}tggS7adtTCe${l!QLus+$NkhJSY+A@N+aRhN~L~srs5YA_j zHB+`X>!xigXKJeEYT`sF$+v4`*iymOQO4HM#ot*%*g=E5jZs+$Pu?F-wpOH6m9Ev| zZFE?aPu`5F+2U@EXi*71Rc^*rY`$o#c!sWIp|06*@mjtqUVa+7xEo)#E>)@JsP_2A zT+UQcvgK^_aP@?ZUJl~4*f?OW?66oNwP2|(UtiH~>}*ZR(ZrTnZh>8@`H;B&Xl~Bz z(dfJ$*w{v2o_BWMkG$NVsn&ds?s(p<+H`W?ZlSzz(N&hMEr-`t-F?~qP~NT7^%eXs z!M<$WR_gssfpj_yx~oRsu*s~u5Jg_urPp87MsC?=)PL=UefkNx3xu_XXRh)n(*K^t zV&Pt?yGDoYWMy5bj@~E5+Voj&v+z9pD8*vs-fp{2AK9K2IeU!1i;QpC6;|oSQU47c zE8!Js=|)@cE)2i1fckAOzowP0+_BR5T`iHeWwrhkUA*Cz?_kC9VcmGqaa#U4`v{zu z#usY!M%m_GqKZEuxahF=@;VOos%(>DjJ$P&fjK-&`=jAk!{_O5vKDFu_RkutTzhNX zX7OrS3;WfyfW^yZjOBy5{|!zv$2D;FJUP=J9NRsbv8reS;`A>2W3YmdAu~j3Ildey zeImYGWNZm>Yzc;;eb&xbVQDb<aQ>EpE@*Fo0Obq;YN(-0KGh*(4*)s}04)k24HLa` zeNHhJ&CzT4LpnI*ErQ7_n4?F4us|RtZw`Wg9|9!U<G7*Gb}7eCi)=bX8}AYmu2Z0P z-4tT8w*Te4&KsyDcJKwW|0UY*dXcgfC2B2z+2T`&X{bNw>2ngMKgm*Wf{9N4um+3e zuU@MCnz2aTq(~plqP|;s3osqLSsF0xrE3y4Q1zT&%B2D&`gH2!$z*f}E&jY$yUKf( zy)#{Q=j^|J+~69uz|{;O8r6W+3;rsQdCE9u$%u0mh<ue#6Veth-Cy#W`vt@}BH=!! z@q{p~ZH+T|y+jww_Gpk<!Z@b!h%*I<Y>^Be%RCO?+opwkTMdImD?|03Y*1-nhK~EC ziN>DurYOl)%es$P&HA=D1W}?4wF5D;;3e7%uOG*RM^F@%o?9UX4`$b$&oA2r-mJE} z)^k1gedf3m02uyr)vUL5$G4<k0ZHR=7PywJd3&}Zr_(r%rS7rVfYkGTXqSAEpmH`? zp%Kx3Xt4klo3qmsWUEEl-W<1u`c*v`UKi$8r9nqtD_6WXRq0dfTQ+z=Jc>~!>tUVG z8d)I->0tBaf=*CjGH~<eAoJ`%1&qM;Og3*6srx?@vX)6Dm`~4g(|9$Qn^&`fSVv-k z919A9MaEbQ3b^LwaeCyotxILw3y9Y#CQj9+Q{Or5VI|lTdkC=)GD?@%Ah4W>3mk|` zoQNpdd)cFVi+RZXh}mOeV^?2C)p-KO#?A8KgebXS#X^AwOx}lJ(GY!GWU$E?fHatZ zYOPwC&<}I&>>RZ*Gsa;xa)PG|pvOqp9d4a8g)Z7e8_wp**bM7#kr%!z?Bi;FvX>4R z<%M4{-YT!tC_GosMQ%;$hqf!0W^_ZlW#iTSp{oRY%yw?DB6nC1`^^|no>^>-il%Rw zEFoYYb)_>~39_u@ImYFKS*Xk+-S{^$EAyXGjV5BoA0h^Xg<Z5;XKIw}D-z!?P=bV@ zOjM{GDNz2!0fyyteGW@$+Kd4VK&~WJDw7Vcl#%!7)sMhGgAkoQL+cwmap_VmS+kG# zx+70{(M&62ro5ez-GkgAz}5;6J%8TYiFHV@ohW;Y2gfH-uxwF&0<yf*!(m4ZZ<%7j z-c<2niRn%fJ+^%W_lmLXdf~Qc{XW_4dJ*k@A@+W%7^|&Sc(=k9>8`5rI(^esc!Z(! zhgwS&bfc2-6mSb$Vov|io3y?pvkZ>@81@-k-uyhxvdoCAkbWL#?#JGEVd)BDIvS4n z(rjBMO)tONMgc~H<FB_3SVB~*1)ePDyMr>>oP~CY%ykjvo$vISSn70gSxt!qMd)`{ zyojt}XivO_MEDiju|*)_7=z#lTRO&;bN(s^lm!ww7$LoegrP_ysdSrHnr%#EwqP+^ zPuq5E<&l1f61pd%Nm@kFf6Nl!Pl1N)=3|+IZvf{OZA3p@jqJ8wym?vqrAK)r??2AA zVF*)xye^N34Xc&CJPej`NvUj!vP=tzT>DN)#xP?!iFqDC)U2gz<=$zZ+cR2Oo%WA` zvfA9+y%|Twe)EKzv3ORFBGjk`Ue51(fN1rIupiMQ<(PuNc@sJ|azyNlz(uC4j6e3p zn2pG{9CfWexTkR!1|MIUCJGUSc0*m<VfC^xS}1c55Q;vPUceBpTE<;EjX4WgIpZi~ zBNlZa#$7NJQTzs_Qj3H>iCB7;+pqL}E|sxrTCSCHRLeGd<XQ;lTDa$0M1Lr87W{iY z2CVSjqLMA*T9^WhXAYTOwU}Nto5rpt^Ab>fCILOdf@>dvaF~V|W5!$^<hj6h$xWr< zpdw=Ntdcn$nEZs&p^@TIT9=2w9;jN<3vo`<2TTM{6VxY4+ef5(CUa{1Ts-fAJUr8R zYAhe+E^+$F<kXE49pyJFX&ax@`#RMEXiRvmnLDi`%bcmbbJR#;9tRGotqVJnWvLy6 z5mwIQ*W&;oA+X~$4a4N4bMSE3!1IrV^>i5U{VoWpKS1UM`yE%YikFWamET2V^4_6$ z5mxpMX)ax{cYZ|P?yX0wFhc)zU((dmmBKO&ZRcf|7{|QU#2(vn1$ox(WUe%O_|dK= zN{*cTUG0S9MK@J=*jaiDXgNynGVDHz=f#g&I1BYiaQ)LbPNBCJp0^V2w-fGn2IA^C z=gD{`q$fn`q<fYfAlO}LFNgU^9Nin^#(tRR$z^K{Qwwp=N?9@TXc64QmQ-yZxwDCU zpDZb(X@8Mknmg|@6(l#^HQb10n(L*tYW{ty_0;UY_Vu1PxhxPSmBm@zF{PoTbZQ<G z`}XJPUw+3o=3Q3npNtL8_q6a2qVPRDd<%6>>?jmrAPMDsFEBf&B2vQpss!oz@llp9 zsZ);*&2%thvED_i!|bU-`SE}6emIEGcWes=0Kkv&zf)1+@c&s+p|)wesDi^Y$`ZY~ z@B|dBLsnRV3d$_K1Z}+-?l8`w-1G-&I}IfBl%q6$bqKCSu?(Qx&~uHXf6^x7g)Q!- zE>--{T}(_Y@r6zrd-Dw#;gGzqX>u?n+mN&W)d=`+3`+Le>8E$^?ON|-ys7Vm^=^k8 zN_-Rvl4z0_Klwy@QXVuw>_3^v8@j7(|5l%#m)ED)URi(js2vBk(y&TN3IR#6Y0F0k zu<YSAFxIwlqin2G<REA*e2-t6x{*}Ynr?wM7qztU!;XT2sjMIeOlz4rCrQ9-c>uBt z2SXuKUBOA(9wuKWdku=dK;wM5F>bRIA^ubpb``l|X7bR6Fx})7Q1!6ry1m$!BPgV& zf(W;8G8yQO7$tRV`S`f=pAhcR;y$v}qY=PIuC@tS$A5}VZy%s>EPKU1oq#&%LI;wE z38d{=3CTx)ds;)3V0WctqW_8@0sB#+umoa@D}w0INZ{@f4*dbOk{7a9gn(zc20M=z zVxZ+3(rF}%HR86x8phRtg-YZihqi=H=&HB|g$L}Zg|s9aq@1)RkjDqP1K2YNR=>0N zYERQVZWO}@GjB+ua!o%0v#ruY8l~?Wj^6^_t4EE(0=g!aASXztB}=F}3?02x=-~?5 z0`uuIkeQDgv_qo%1(1(dEwWPHB#$F0IS6!l?1{xn)Y<}tk^asrm-1xFXUkgzb9VoG zdC0+6ALH;AetF@cJd0o!e!yx_^}B8^ig4;f1>7e)OJ=6dU=+2F!H~1D0st$_tol6T zFJ_5vrt!DOL`-Y%SplEljr*+;HZU<{6N8Mohhs|rTmWnoCzZ=pKW%Xp`frskIPpj# z%@(L<jE@Uu776=?_V{5_!FfW~vP>D0PbazX5CKNQGqg*Kcl<Dr{-vEtY|`Hg<_Pd_ z7Q-V~JC{sHF`q?n!lIeL@Ldx6_~#@kB1Y$LgK5mdeu#gnxnPN@SY22bqn|I9CAwj6 z8txjITzZr_0}9BBt0P_NSWp$Vf-^&Kpi2&Ft0Y(Ecy(I2b^$PPQYiuF-3*nm!`mrU zU*$EY!E-xD=2B=A^GKtcSZ!-FJ^S5<fxw1=;Xm5<r!UVhSKG`>%Rr+Zv%nZkX4~nP zPD^5DAK(}XPuwIY&}W+5XEKKCI)!jr?x#HE^8cid81-{RqmXC3PO5Ih$82Q1le<l7 z(>@oE#4Q~oGSHtU*vBR5El$Ipf8QYY*KP{+5kYYxSZd%EiZBj!k>~a8i7AR2vHKV) zB0m*LyDC@yd;@k3tu22$oDFsgX{YYOQM>QJBAE|G@OUu=|FR0S_1Dcka44qVTefsX zX*{Z7!e9DMWW=r?3+>{5W+Aw0I3Tr=cT*ijh&9f{D#_`J--YMw&4qImRxh&p0Th{; zC<+EyTUqREAz52n-mWz?J8r(z*j%+uZ<{Tcl#)9y-7p`UY?Q)Gu_Q*tvSI_=hQlPM zgZ*CU-rN;m(w%X@_|f7XSGOOR(JC+HMHujX@uH2_VtPtbHTFDJ@y}ub;1?ISXfR*Z zu3!ycs;bU++>~j&gkksip0&-=k3fCb8N$?GJo8Fmq7Z!1H3PEl`*lVq9_=0Ggy3cB zEr^}8A4;k@f-Kyz(6H6jhjxrT@yYJBvgI5nEhe>#NfE_$titD0UTUQ-%1r)v4kZLH zNy81qDZ!~raA3A)2Gs*9w7LkM<v#qlnr3lz+RB@dlNk1ArBS{Ra4^gFSllAVPOKC- ztJKPOh*kMDFjG{;{s??tW2&0xw(L{BD0Lelu!Z7dN`lw5M^AIYl&9pNT0XUXJ!w29 zz%HT~U4eDf63NP$Ee-ElOdE6y498iX{Py6@ht#gIa`kJwc6?bio;YKZIIUh1u0}IG zAx?C}d9xhjD+l9!%#30}l8m~<WZ46aP;#As^fH@TtcO5u#sHtSk!04X0?>Oni|(;g z++AYtkap@LO|hLp-FknN%qL5Ad_x}2vC-C&6;-=YK>9RwB>^rKVhKDK$6H`1b0m@* z8x5zeN#H{Tm=7nTo>NKrLDc3ic2)6FGQd7$qgGmEKN`z|98f$VG*ENZbh`6vpV|}7 zD#{MSt_Le92@3&xUet9hPo$L|CKK+OV3Ca}wWV|HN^~Pxba!tcWm?11JxEa+kG*QX zq^Dri^ANJ~EK*!MllYXVHR$5UY;V7z|F_P*LcJp)(Er=czE1z=oP9n2f9mX;p^?GR zIEtNeMqFAfaBjeYpq(}Tzvk@gKR5pz`kzIbQ2#u40RW`_6>0wG&HsI30l)z;(s$CQ zHMcP`H#Byn<!4u?a}pC{mA91Dm#{FSwx*VG7dNG)`;QLBZnUlr=1#^mR<?$g%1V#` zzzF|*egC8Vciz7L?J~c0UwHHVizoE2G5#;c)1|kku{1LO&tRJW0{ut(?}9b<<`B`G zD`sS6q*~~s#pR}}DqN-LCS|G}q^Blm^aFrgBy`WJvE`IA?XG>SJ}j^@f))N3+hcz3 zx8C>vs)F@DT#pGP`5fM`0RWu;O%u=m@?cqXrJN0oZH(FIbm?e}T#Wv6-2W2;<m*gG zC(YsZ(b{J91Y`9~YWLJv<&_g|og-8TLLK!CfCj4VHHoHoo$<eO0fJ=5@)8D|+ip}c z0-6(rd&EtA=7tGLqU7)foW)k4;16WQTz3f$W_ZK5GgI9S#ai(o0&KTgCpe=iH(Tku zznzS`UXRmTAH3~L_t-!#TY;)r8Qm|HRy6=JESp~}FoSIF;k%xxq+YC^tCX?7jTSGr zq(f5TmHar=QSo|SH3Si(<6~13;<GC!#|C$~0Edda^Jxgk`UX@dDX1`->ft&7sR!0P zxs&Ft@7X%BGoozZ*)(17xg>T-q+s@;G<@GB5yJ|+@)+QU23%4C-U$ZwX)uX~P*UOL za^4HpGdh{0C6xTVv)3iOU-RrKrR2p>Bi8-aKLGxk);zA^)5jHrcA1Bep@~hN;PyaX zj~JuZPi)&PsmUL5vw*9&XGB&#K6dqRURyU0FY$Yd)L%jz_O5q{fM2XaA670nTe@&O zIoL#GdB+B5JS)i2u;F#}7*-r;nX!=rNAeoRNyI!AqPWaS7|ba+%-LAXxikF?Y#UTD z#G#9cqnH$XQK<GM&ROo<=!_1{CN;%Tn~MFo6$dfZhcc@Ur<d+(z_Ob|jZJqRH2bjH zBiNl;tlpruJ<+kwcg@;flgVE>mG6SPd$HChvbv+Wtx$BCe3s~HcKourdSm1mn<Qy2 z&?nvVYkW;9Q7s?^o;G248;IO4ice3i1*f)%2Ashg+5(fU!Q8uuaNn7BSDgdrw~(i< zk#+j<E=or4J!Pk%1^M`qBR|?q-nnK!fb=c0RonzEUqV}tjQ4Z1!-l_vIX}T}KmXqN zj|eBKp*vT}sVcpo>`2r%hsg&k{bT6gHAbXs#PDO+gq+``D|a1+pMaya$b?|S`i6D2 z!TYtBR73CDp&NH<m#^qGL)#IWDM@2nNm$b2>stx$Tk+Q}THIegk1N6R0f8(l@)<jd zn(srlT~d2bnbBxpEZ3{XHeo4})3GQn^-w+*f+W~TV`QZDD5Vy%#7R_#LW!Mt0{pqL z(8MET@`rS$_W~8dStX1{RNVFmf3IP?e1iftdc^`YCbDCa;`)C-ur)YkN^q)_q!vkx z&J)6s5<6uKER`G@%D|}=A*+=nEM+Dv6=<7>$JzHIH*YbO2jDf~_&X@P_SRoh&-ans zkPkZ`g+%#=k^_9c19vMykg5Ywr26xvDaaOuy4&<+cxyFyJ@VZ5($7=V7sG_nUn<e} zEYklrPWf{(4Z2#8+$>CORjY3$lHrRp-AG@(@gMZXB8A?HXSK1~pZp9B*Z+P0`Fj{B zj>{{J<wj=ywqF!3nqYz_t$`z(B1?h|PvZK;;Jz1rv|pM)nj@3*ZvAlJ6!B#jac?Fu z+DHyOTMWaS%Wy9+F%?N3IjV5nSUz%Cj!Rn#*OkEWrExKYUCwA*Li10Me^-VvN9xjz z)q1bHY5#SRghwp%ozB{xP`f9|hAVmJ-u|PH^n9>%k(5U|_npcca*={f16g*Hd=5$A zI!uj|e11lvS+W5p_|IU`#F^9>0TU*XIA$U_W}`W#<c5^6NeMY;BO`0#*enkDR2J1t z7WKFmgAuuuddWi7%mY;cgJltiWdn(23ytM?Lbcfx3$v+fiwSb7No>_@&Q=_EC%tDm zx9EJj;l<2(7e#0riK&s|%uzFY<LW8Z^AUxIqjb#H40XGZ@6FiCmbmIo6{+iZYAL~k z)KAw;KbL{$&RDd2;_g&tH@mGlnXbKM&w0z&%;sY_=Y#0YRBjig@5{|sF*j&LJka7! zzzjYL0xtzdd#T>TPQdynbjk=6>L;``Jetc-Q=D6w-O>KQxG0n<KD8DWt%4L<Ivkqw zPeYj7KSlZSg7MNw6JO0HChaOVEh`R<t#>Q>d#(Gi$Kga;l-VA&E+?tdwB_`eOAg%? z#M(0voki)M{7i4fRwms7x6UD_hN8!9q=W8+_*Y31Ub6J>IwN!bTD65tnR8Cw73ADA zQJG6p-sM@J65SCPiJ1N=Mkh#^qB%MW7AbKUM}@(LsWK&uX$nKtfcPa0(Znc4@{x9? z!-kcjDW>#BY3+6rhFvBNvkVHB>EyH&Sd-#$D;j3k<jir2N3&-4iV-eVQ=OJ13T(-L zx=Y&C#Ye@(g_n}0EJ-ugRN6MQiY_VXos%6k6hyV;*xO1h&erQ&&&HG7#}hjajfGv7 zlI-icJRQwm6UscN<hn1)WZ_Vay#<za0b4rs9)`n9tdu7<HEMVjN;?|nJ=G1DFA@(i z6Z4#ur8gB>ot+NuvdIob6J4zpm*C1ru@xe><ry8V7B@c?$MqJ+KNgRH%i6rvB={A0 z-fbQi@fYo)m8qkv<fN<V@HLko#~csg&V{nonI0b7Tehpzva4k9t7)+-PTZP;JgSTz zUeim^%#O4xRQQ$3Gb<Uft1jJIl06EX9~#$7*v*c%D>SpK<hwPDxmA}QtubD;Hc#Ij z<?t6LJXM-HWvVpGnX=2S-deIg3cMa2J{OB0?XwrM`e>-53KNY^&{RJ8#<gn>at7=) z%~=V|Whk)46(Ki4V7(>!whDv&Ng;>ku%%7W6;mS%S0guDBECL{I|Czu!_lLXShAQI zN+l%=3ne!XB)-OrI~OH^%+jNm88Ye_%F)xs)6?74(?61#uQj$jZTatSBPWX2)D<%+ z3pXh@l^S2GO;_7X4tE<VhpVkw7v{>(Eh!utovlqDpPH{W*4$?n+&AXj$DKmLS_XUi z*FaOHVGLyj8_hWCB%^Wz>U4I-%v*-eTfxs=_pn`tt9P$f2eGz@{}K|OU-Q?2^F5lu zA)7(ho<a?X@%ujW18Hh6VQ*`N2f?KVBe^l`E+}j-`MhE!<h4AGHZ<S9MbLBUxyy;U zas2o>WVwDdorLHfR^1A4xX(RUXSte6z<t!CqRs-gUF<$!9QvBPPu;*4L{9CqTQJ<$ zu1te{{Ujz=!9LGDL&9e=t~@Z^XG#v>PC29{`Lkc%6Ch5>u(X2k?<yHM93$TNe7<k5 zPk?)1%{XvRKJ**vXHOo?bF0Qi8F`VMT0q>I!YdGVX6xzGbFtd--5}em)tPy#4W}*w zrq3<#A7!}iiF3@%J8;|!H$b3HLZ7$6Kc}R@Aa<O>S>k8bKH5ys*;2QTbFEWnQgg*P zKFA&ky-863;03c>px-0B&y#c7S4e`i@g@f*=@|}Eg~BDSPbN0y>pI3fbu(RCavMtu z7P`6~Mb%N8@+;2H>;BWmq8<~CcMhJq?@65joO1EZYW0^T5k$KcN;efvzNHSU+R3*t zs>abO@w_!04!X;npOu+DD&3c-%Z{<tlNlPTPeUERz3Q(s`B;y)7B1gCCw-C4TkRVq zyelz1I-fI|&RdDjFTE?cZ<^Z=2HuOim)E72u~lkr@+miFba^p3)=cbB*s=<PrB&v% zSPZb!>(tXRk{Pz0Rqy?inXx+aUJcd3tMdul%L`t{k%t#4n?3UndnYM{tIZWx)jp<| zfj5#3;wZiOe$g>=a$+F{bQn(gWYEFNWHAE%$hhSBa}dJ<bZ_x$ImvH7%ryUT;KxR; zao0+co|Wc$zeQZNZaT2xvZrgaN2{JZ=_EG(c4W0yn@X+MuE_YOH}&h=SkPGVblf8i zR@NW-O0w|ebUltAedouzrMJLSr>D*>b?3kTb-%GhXv=WZj>wL)*p1it(cE}MKNos) zlNW_8V-#~1<g@PN?{*CJ*p<F8?J4H5k0h}uB{57b+21_Hw_0QoUw{8h^7a*TKj~GF z=}N+4PRyWB-MAZ7+RRmO?aAo4eO@yC@mhg+zl7-M(R4rZOuoIUIT*-UfASuA+bB82 zUIjy~Ze^#XugZR%WpYl##uT@D(?6KOC!OJnOR^^@-_I}d?iJ&>$M`;b4gQE0m&zPp zeG#!FHDqLah^nGxnuytg^~Bvi#&U0-CS83ojp&VI)R|%rIlw_)m7B1pJ^i3)_pE3? zB)h7=Gm7RCWUTE@KJ83u1sCSWc89+9QYYP=o3`zZxE17|Z~ih|eMI*FX(&v1X<xhV z1q&4^BJ=|q0E?KYuRkWkjQlpA=4<0PU9mm7+RbvrfGN<5k@kJd{b*H%*&-7}Tb&zX zT^j^;TdV<E^#8Mni0dRF;<$o2Yrk6A46akl{a|{=Ewf}?nRd6Z@I}B3;|U5Dnui<g zq6vCP(@!6(w;#M#ziJo@T0WpEizxcKb5sJp%8XlGJTQ-jhiTrCq$U81`q7n#pU8}B zYt7?+O$-KtHX<kssLvX(l3rryUCDD1HLUkWael>8G#XHGUsiK}<S~IByd*0t_2ktr zg`h7Z6>I~7$#etH%Js9JTyd-GQ_(up)o!MMWc!Xf)q%RM#kTM2@lio32}2xmft0lb z3u0#wn)9@IwTacItYAxOmx<p>!e)mq^R2=uu2~!T5#`x;`w>Jf6DycI7y7A+<bIbj z$+dKi$GL-Q*J(Wz)6zu4tL)F(k9&6rOS4KXF6F-s2?+ma4E1Q7xp4|`UCi{Bm3qjj zQh?&!rfT}?@x@X)8twUIWmgU{gF|!nXyZI5pkPi|E+<BTP+*Ln5ExX%FonraSY9d6 z5FoG+7gv>sP~qd%IkPLfXVklT{Dwog(j><w*j6`Nc|p12AI=AaLJC2vPh1A=aX}PV zTXe6?)RWLsjl@7sUQ$6vOyw+JtX7|h*pfh~1YVz9xfafEg*qTpRPS!@GjKv^?Gh)} z!T|&_MOGUetM}=6gR$QYFBZ9Wg5KC2V%hB8Ws_++s&R*d#gz&+o8Rw9;06aUYYM(f zn0P`5i%th>F)J?#F;n4JkmslMH!lp0;IPp(%Sj_3B_&QqQY;i{!9PgK1=3wi-~+Q| zGrMOZanMWM15I1s2~a3^(COQa!&i1${@`u{xUW2Ets8Kn*^d%kQ#z9+sFqnO3;PvW zhI8=p2}Yqw$3S$vV$;r}1%YKj7UW9LG_ap_;f(}qSL_g*um^E3wc${e(2Gb=18s=4 z=0FwXUK*k|fTfn{#>&V&jH=5u1S(n$^6>uAjN4sK7H>{*tVT5U=_q@?*7dadVjlGQ zh=`k`q*H7kEOzwL)h6GyPK^64BEB#mHd`#v96{}^3#S|{tQPQX{OV03sFvL@VY^y= zSQh$#^v@R)R_-iuwl`iTWs*8SBc-_ssI?SmQ9g;KFEO@{m~uRq7t(<;of#y*&M-wS z$ylXO7uLwu`KI?0l^W9Bd$tXZGg!mW^)p+!4!i|ioQG5NyaJykc~LXUoCZ{03XtBq zfy*Qop}BY3f}_oER83>2o^l=!Sseo8(jt(uypL*IP;K9`QdVFEGlA)=Br?xwMQ8Vn z2k`#Wp=Nnq)KkZuENBm|b_@U3{7NTk>*u(QE&3WDv8*FbTlU)i<6(@A1R=&gr;Mnz zea9W8H%;xd{I%0(SI{pBdd#P@UMDluRccKr(T_}O;!|SfZqA6<7G9pl_WZFkXdi$? zBWS$X#r~cOQY+$%&jq@;LMpz<g45m!3*6E6t!8rFxXmNX#+WA#OGEFfB@xb%^jqHY z?Q_SN^^?op2Q`2d_tv+tT;^PjV>9$?obZyC{B_Iw*z}k^@w%7P^L`Qju+k=uo@Tm( zq21N0<P{5&FW*644o6nw7>jss>cVBRo82$0j=?515+B{!knI{ZAcK|+yo`-Nf<enJ z``KS$mefa)uI!A4telHrH>9=Qi(q&^dC1C@SFnFx0A;1;#!9*k6LV2*NQ2FtU4Lz! z-Lvs}m(S}1CYs|Z3p_1hE~=mD>s&|tb}$F;KkQ`9gl&i8zF98H-?~+r@bLs$DbX~( zSsXH#O^K{*7(i%2_loC^m#o~Zu|V=m2$v89U<sC}5Q-6(gXn_dE6jm-z`!IR^#5(7 zFifgL8X*v%mnI7dGT<XKVN7JJvZr5c>pNYMZ{;ZWM+rcHM>votN6zeFeyzVBN6d{n zN#y65qgOGq@@k;tDS3r>_c4(Q-Sam^Y|0B*7MO@rH=C|9j3F>>CPw2E#>fk>(Ij}L zr}58bf{iPgFGf}uPed^PBb@;uj=ay2KCKe2PZsWUJkN0Q6v@oD@nKgvc;Xa1U?i8E z(m3%d+>=_v6P(PAT3<SMMIMJ6RhNvy@{&a7VuC?p_oc&|_Pn}a0<>tnK&+siDGRM0 zHxFIsh$PkuE~dCHrZ_03h#5+#r46#CMc73EQ-?Np+@S96h+xYyoeAsS2q?sYE#!hB z#G=hE8%2VKd*zUWa4SFdC%2l(Z+Y&STwPz8Q1Y2s@)4C7yNUruWqb+%iEj1H3eF;^ z-J3?Q{Eo+bnk`ml<i*R}-<0WTxZ{ve7$X0~AYEd#A_|Jx$)y&Xi~ZqpUnAa*TQkdB z&$#Jd)ki_Vj_B})4;PjC9eYPwgt-9fUnM{RRP20;C^=zPeC)&gix(sg3bhA$#Pi_$ zzvZVFcxxqNc>{I~CI+YR{yMm1&&=G)^$0lOON6>EJ@g9pLc@f~8?%%N9+J~|e{qq# zoA2dy{?hOBYtq?71mM1M4eqdv2SeJpf9(bQ2?B5eJUPcw`&+#;42B-MSHzTsG9V6^ zl>{q;1x9MTmtY?Yj8-ke?XN*-livZn{L4K<&34|a=V$^QIn>zfeUo^VUxXk>4Y0hB zH(r%T4#AWTCLNMDPIozA(sxwnl9(RHuoH{SGa!DDi?1HwWX)U&Ipe^)9h0Ig1csDf zENqq!K`mw87(N#gu17VLs({EW1};~R*4#%T&SmugRKtv+WUeNUB<P^~jO90gw!KFs z4X6i;T}J|w_R<t;MChcKI+4M*IIez<5+)<FIG&$>l&8(E+4)fCavYV9vU%MGpQ8>w z4v}3wD_A|B{nE^4MTz$HXv4W1cM&;qt;-@e!CguBjh?mXmQDa%1l@-c2N&|Sq;%zw zFBKN!Erbcs>tB-}mfVYRk3R208Q>-iP#XqYO9oR*_7LF#Eg|<TKbYz)@e=?HR_r}% zO4fxU>Qi6e_rkPV_UBpGp)Bms4xXP|kd-NZwtO?>7D9L$s7&4Io=IiN$*7PigBZ5K zPxwOu3tLiy40=;c2x)x|;|2xapD~`sgB!F3?gs#Uz~nx11zOdOp6(hVRr+qiJ>=EO z-rFtO383sF;htMIh^4`sg_pTA_yoIGior~{U!cEb0LGd}fkmv|1zQ~5?n2Dg52Eo> zwFd*z0}>FGEHO&<-d$U!laXo~eBo!sNvSJDnOPIoYHS>WJzPX4U`!l<Jsg&u9EP17 zgVht*M|TgX#%aBwv5Bgr{87SWE*`9tdzLf(KA6$uK#dZ0Nr3<a_4xhUl**l`_#^HK z;#CL6&OdHPd&NIG6#72RQO!7{$>HZd&}`F>QXtK)|66+Kih&l*3J8#QKw=<;Ho^{= z&jbwvvTE!iZc)=x){?l6kTi&J5paM|Kdij(fxe9arM`ty<T^sGlN|AHKARkfosbn< z0UZva#UoM9<_R=m1gKE`)C&-0JOm=7xg>=CqQG2JT(!Br+Ty_2I9FXFdcLA|R};K$ z$P1G5n+pX8Nty8jCb0c=Q(eLkRNxo)rqsDf^^fEX^cPvGO=aur0g2XH3;A|f;JV{} zTX&2fbZlCPdVGU}cA1tW3P-TJ&v?BPntB=DXYji6(YSc#rYLo9nQRNh_jgw3T6+iz zDpkcA{U2v~#Hp0Cv+D0!bEgrZwR?~bOeK|a2%l#YmJyI43|YnzL6N%UPNdlp4EzzX zTX1|N-8%iT6k!pGwSWe(cR7A04yb&hfzX5D%nCzfu@8cf7@qzjN6ybP$1KZuC#B`+ zss?jJ)5=gAx?E*xK!rrv%JEQ(hy8vT7Up+-i-+|3xQn6fj=gb23+K(#r@gtJs_}3G zy;Fma6E2m8ued<>Gcj${Ox&3rhPcF05>i?z89eEv8N&JUismW3ZX7MB(*}l9!V|3w zc61F!bf(<N6)zjL$9AbbB0xY)?>>>!`;Z$yEFw(*?-J;1Rw9}9dx6}=!+u;2FFLD8 z%$y(?EY?KSKhXR}f5I9Z=P?#=f@XqB7uNC^2lLLKp9qzOO52fUC*1Y53`in*daG|Q z!?{%7xK_xIvJMldSeW}MdX1(A(ECqezchJcK51{5GG|Mul0w7vL6la5z+3G91R);P z1elkzsfb`2L=|El5)g$=svN9g91c(ogV-wBK?<HfdWBiZ#x4k~8u!x0lk!fBN=v}u zT(z?GtIPDp^vTCWRS*v}nJ#PhwMSaN(%QkvA)0grLD-|O88@D2MNu>Q<7ln0ySQ1| zlxm~XR}LPfUZ}zL>5QtT&bmj+w$Y?z8cLFZmwn8RzJ{N5<FPsP)&MhdAv(IfOvUHL zAiOqg*~>dfLEbGTL3_Qne@^R7a=QUhXQPTo#+?<OoSCs}x;?T}1N}I${5;Y5aDZuq z!GX+1E$$OqY)|&LDiSgW_XC1>*z~@JEOLz!u({lv8GwPcIbl7vKlc}2)z!sOXhHu_ z<o~>}b7+H2Ua&8r|583|YVGs@)U?h&gFco)@?&*UtBswuJjmgy@Ni7^WTJCL?jJ9b z_HVk`k(Nh;x60umxV5t1?eOX1%XAF|%2eT6^TfeJv>@bJP|)2hMt1Qu<bdyxSAe(E zRDdS=xQDl{+#E@InVI45gMJnWp+TFx`8!a;yC-gU?eX9F+O6Uc`p<e0`3zDY)cDZu z_a@j~hgiGxDFNj+EJ_Yk_J_Zb)Q-x!X&*uHLgD1!2K?1FOaA6^#KTiZ-*VRA!w#|u zDDTdJj%X4t{BTzqN8L$Br3jqJV}4dbjq!*ol4#Yx^ZH4g>yknV>^CVaoBZ7i!oYm^ zs{Q-4{pX}f1AS|`9KAntc+UjSqmr@-;AzeSMoU%@($(#2;XGf(<=dyB|IjSYGdst_ zWKTR1whUg85XS?W4<G0_c`mk*uFOHY`w2JSmMl(%{387siGqN*^*yeEg@%F1&vU^L zdu#8>ib!AfxFF}F@1l^zcAs8$eA1AE65UyarpW{wy{BF8_)m}rjo5k(T(I7EU8aLR z>v6tK#{l<Xa%61MJ}pDpUL;Hf^S|p{Bn-ugFqrb4Fc@lM7D2VvlJBA0rmLfBXI+HW zBhol(<w~QcHz&>G+q@?6RDH}<UI>KiK3r)p9*&Fa+~!I@#SW6w<{Sd(yjboi1uT5` zUbh0DH<5=m#a<bazG;DO8sxn=rM!IQcH|4ovpj$96TH5h!CG7WgIwT6UdnPp9VLXS z=oOQ($eg8I|Jpq|v7jRTns-4?cR?_C0eTPR($37a_~^+Yoz&z!%fkls7I(8(RZL~| zUTkM@N~Um6r*Oz1{b6ImeXkh$u>GTNGL6^Y=WcRbUv&?GYOeVr3o>P@6pGyX5$syY zwN^pmT6yNMqQ_c843`|_U@S#NR_W8&p3wQ<noX~B-e36t7LK9<@}V#M1Eb0RIQaiM z9CiD*zsvYPA*0qmF!~?ue*{Nw{tFzn*vrb*jML3XJ;+d1NJ`h3`hTKPTQHp;w=f6j zL^t5>ge?>>h`B&HDSIjpbN6;R8TcTRaX(8201FB7KnsIUp#1j~Am(BvKDGkJd=d^n z5Xrm%Rzjv&)QabHPy~Bo{jw5oDvxz?xyxi40nktWfOLcw2Oy<6(BYz_FQc+Aq_Qsj z3~4#RWL|!=9aDl+eo$CjKIUoRM>3_IG88O?DS}i!Z(Fcuy1-w+=yBRStB`ZATEYJg z*M1`zhp_*fIwg?*1Gv`u{|(pvH<)=ZAr~hlO)*2`DpMmNEkP||tgo-Hh-UpWD)=y6 z;xW3~mzvhwdkj<&*A^hj#OMtk6h_WZFCrj_9YYR~D5)iA0ZHs59Rf4N1_B1;PkHFM zX?}@*6_r^65)4e190@1SAVWRI2;7j>6k8VQL|92;G~^W~7#JWJ4j+odsh~M388@al zEIQ5f8Pxpy)zn#m1w!qkKE|NfSUw#!XFd~e5)XfspzPkhBVA$S01i}Srz;)h8w9%& zn8dH&0x?1aeW+My0h!RLBLibWcmU1>Flr`9e(({--ac^`;EmjAnsuwbRT&&uIc**n z*b6+9a5=}QwQp1v6^_LmIfV5mt^hb*Pz7Ky4o%rfYK$j>P4LMM0Wg^^{zPo(!#W=a zoSBplpsQYDCGdZ>VE>^Iotj~3l7j~TfUNevvtaiBBfkDW*%vUJ<?f|<oPOJkv!1|O zy<`0kvD-FujnrokX<V_nWLX9zN)i@7)H@x7nKi~F4be$;1?4vxHvpvOQ?u#}T+?aM z80{~>3=T<RWSn1vH#{*&+1hp$d8Q*k6#Ju1yYD*27~%Fxh>0zHA#QTqK74bZdgs2n zvo`mfj?Y}daYEwPcXUkOe$}>-O2t{bL7d*Z0U6#T_6`m8GDUrFTKd{>yoM^1TS<sE z3y~|2GoqejHf()$4Oltz%cwX9msd12ZE2}!sy0^GJ1YuuD~pieLAY(na2>sTO8Mt` zrfv$tAYgKCf49N2D$nz}L&Y;h=4PknCKb*oqZ*;1LM1S3Wb05cjtwUyJ;4yBWQd@W z3~}ec2X8`hp}--*Z9zg2SC+wRzVidQY9n{J?DLTBUl0orw%YpnBmv=lXCuE}51hlh z?FHhu+c}8#;=_0Jnbtyd+vILWdg2i9Q;5w`fc%R7$45yqIUWSh=_b!7?yvH>zCPQT zJzF^n;lbbfNyLXwZl`^^Rpu#aj_=MeJycDqx27~u*LvA_VQ2$kU&qc+0)f0O=R7}N zsI8uB{wx^KK^ZxODmj>(tNQ~$wO@@p)l%@U4WP!qiElIm%ZtAV`!MmEcm9AAG<3Qg zZeKnSt~X5{VR~UD==_?&z=W--Ve1r$pu5K;gKeYVboSbr)T}bh@Lz|IOaeK=Lzj{# zu##?v<z44aJ6%b$iI2<@J;aH-snhr~$FZl6rO@w>!azAHdGpXz!vQ>ndTmm4I)rH~ zkSEguI?-~9q)ki^pIE_z(gXKs`%fDCUX&w^23VXX=A$1Rb^9__UPLV2keRoL_bic2 z-G3%k<afOb_CJLWH-#4ABTjI|xwym+r5X^#y@ACCZ;I}-#TR#q+<h5r>C^>DGzZ4L zI}<}g6GrjHb9|WGeQMKK|ExrXQ^$sX;-SOy65{=~xP6G<fB8V(<_SF}4Lw8^-Kvk@ zIVRlSikIZ3PT|Y!OBb1yC{WQBJ$(~2|4WVUCzc=D7RmIcbNEt3vnH0LOEz{Tue`c! z+@&|&<CjYR{<Z$ecG_8YntpehlwJJXk>tI*J+J-geRBQnecGliQgvf!=TiwBXCWO2 z8*T_BZzwcxXjEX=rCFsoUXfzYp~fFimOYv@g*t{7hU!ttU#6@YhT1B_AXk)9A~TVS z0BuarEnHe5uZETAl4oBi$}*FmsZyqCs(4dLUa4tlsl0<*7Av(dD6}w1w8$q->}6Nn z%rxK52;WU*ckn$KYMDw0XGF(Q_u`VgoN7Q)f8$#T<Fqs|U5R3~?9ZLXpIS*+U$JB9 z;q){j^E`;ZN*8TJe>u4mb!akVUm10{8+8=P8B2e2nVCvthyHYY2X}0iJ=Vw_AI_b| zb*FJX@N8$CJ*B~!Ig~vzFMX(@J=*6T!*-{)Jt*!<Pkltw89&9JUd5Yj?MaF4&Ea)m z@I8qBN@smUmqEQVg=%sHU1^27YlRk>L6Q1u(>oyrg}z03m_@UgMc44v2<ug4d+^yG znuRj;(P^`jpVpPLOkG;hExXq(7xgL3dCT@V0e&7h{_~Uk=Xz9lMK<D2Hd3SpRoY93 z>G8B6I83B(^(+YM|0?ZDpsDJ<_(PJSl&K;~lFVZWnTMpz4aiL9@sTD}hLXsXA!UkC z5k+OJl&MKFCQ7AJNP}7VpX+%q_j%8|_xoGxuGRY1x6W_x-`;2MefAmNMeSFq*Vn{5 z@)=3r>Pyzh-NW7XHO|y5yF|%MKKa_Er)|&KoY~J}sc-DQ+SU>7`$x0OG0DA1RmP=B zIC=Qw+KT+$9xjceGGDbW{*D!%=qR3eyyw(?=f)1k5<j)TFzef|#O}QmE33cRZY0!h ze*K$piJS0XRe}HSzwhha9^YEQCb~^$k^h<J`)xMrOwj3Qc5RB4-|0}X>1;rzRb$S^ zb0s$m1MhfY>tx4IdyN=;c;9XKKs(p{dh^IWr|Az_nR;=%1In-?^-Yie*q=OQUwXB{ z^+nvUlG)Y?^Nx?B4GyWIW(wvaiTrK5;yW$)zfY@-e>vM5D;ocz(!6p^C*+-D$e@47 zKymorHbG6jJ-U?!;*$=K-{<N)(9LqsZyMQSKiwIhc~D?;pt;;+Y{TP2x+ib(bsdf! zxSIWUR5$bcMZQ3X<UjYEe%QoYrR&@=wx856nJ&oF3^bA+FU#v#k;f)_k#_IX(x_)8 zdQbnPCTkTWZB~+b@wcOVbuQb_Yr_wn%W_^PnJe<;Ue>vBd1rw|OzV<f=_B^%6mQie z9gw_WCK+!jxp&_!V`IVQ*000GBkxVG7W!Sk?w6P0_uRP5E}yxzx$oQ8en#KtHKm2w zrMVYM?-l#*yfLimQqgVU;ZbnNuQ|%MRnP5uYNv5k^DFK*Z_>WI-Slwt>~0hD3#@J~ z3B5<hae?z%@R&e_PyD5Qy`1}`KUqi@`?RDSYKf^bkZsS|%rVfT`FXIWFuf*MYwc$) zH}ltJrm{t*N+qxVwmX0RaIN<8KE>gI79YKQi`Q>?722-^=GFhzjs4Y;UHCaUyRuDc z^w_JW9)}+FTLF0;e^qb&qI+g5x>c{DSz*-sSCgRd!%X3c55gmDrYQw?A}+Zm9m%vG ze0Cwr$R$|P<+qPZzsC))$_j`6r^&hN3z8=5ld}%BE`5>Tl4|KP-Dmpws7r0PrTp-% zVjm^TGOX7nPwPtoPM7|$e@m${l^MC{YgA<>Gy0%3>&cCWf;T3j%mz|#Z&PwxSJt|1 z`0%$ksb&d0Y!M#fON8Bc&I)!E>DkD|ILlpfzsFl_<9$uV$?eJQ(xMxa-Z!*<-nhE# zMnbr2Vyi=A=j(7ckxVzsqyg=af!p<d^{%zf{h`~Anw{!uaeUimr_^MlRM8rcTg-T? zWKF-D+kjhsWXbVMZdzMQE_F9Yy1C2zF1h38cBreZ^84SBjh(Ocl-fZrgsZxZBjsD? z>EZkn!;^2mMfIBpzApP4Q$@4PuQ_a6N&nX+1AYDzJ(0|B2NZt%dA@AA;@4OI1m~h_ zf3@2#OusDt{y2Z5sPCnKd*7M_ISMm57;9xpDoS1sPt+XWEW>r!_CueHjK#K=bI-6G zpGrHszxq{lReaZ-7<*xNSABb7P6@ST`Zeh<gTgOqclw4k_|^*ee&*ueJ~I5?=Pm!= zoC5WimWJO1?j1V1!&9q1JxnL^u+H;wo$X6kv#Qv-)%kxHvGt7l(O50h_4w1@!rn2Z z;*{yn7ox7V@gHn!zEsk`v(UWmrny^~rtBMg*^RFZg99%ex0lu0o@{hW^x&_z9~lCC zLM-ih;})l4x&pTt6gG1d`dv=!-_9iZW)Jly55etp@gv`ZsOioXEAQ>NSFQj2ZGxUE zYjFXUf8O!SbRnX2gXKE$Q<eQzrnl`v5B|s-?^a4Y6)3fS;_0z|y-z-t&0Gc76)jCB zy?iefmE`AF=8v|pDY}lQIK1U6;iS4zIPhD)Hd?EcK@_|GY3zF8^Qk6J3LIIyFJ;uE zwVP+G7Bb-!+RJ&vIOT?+dF~z;(OkN~8vz2*E58ny?dec^FnDTJhb~v_SmTGRuu7vN zgC5UD1D2Y<GPfUCHMCjyp{;PmbXmy9(*uLD;vL1ky2cK_Y70vEql%j^1)T|OkGc6( z(bXlQcb7hG{Lj?V6-({teiao&-0vAqdh_7>C$2x+>F)N9UA(_%agBce<e$knn(6aD zzfS8O9u3SoHs+kyzt4I2O!Lvd!hh~RX6RN8b=Xq<^K3+=r9HzmpY7D4HLup&J+-{> zGhbVJ{Z8Rj?aA%&%PnIg14S-H*Rk!J<eaLQ=nu>(IJS>>Iw$9o^UF_4o?#pt+6-jQ zTe|pvJrVlB(nEIoTxitfo-NEB!QV_?iwt9P{^osnXnDwdU3c2rF8wNx>I+pJOcS3% zuT~ZJJUX=1e5{jk?+R?*a^F^^u6w;zzM+5ffA!VpHzr+NQr&&7Zfw=K)n!AAYu9u4 zx?5y%n%_`pzpl_wxibIzAER&MqNW8ug#=Dyaouv=VN-txt6wd*wd+RmK)zC}#2@d5 zDZ##Kc1gRc=ZVw$0+ZUNe|D5JD(PENwc5%%?RmEPrb%@>O{4mm{>&2V`x0&mKvK|f z*sXA{r|IwRex@4};8!C1B#m8@Dl=@oPX!0B8>-75-mLIVbkT__-%I1+RDsujY|hEA z_6%jyxTcK>%z3)_rrZHcT2Tu2Xc~v|#4&Y0F|+Lt&c*IO^Z<Lm_18*SZi%eoJG5mC z1%9?ZU36mIiaW}Kzz>7Jf1A0o4tp|LVYkIdJne~#$p&h4@pbZEMN*h3?7L<A8GA2$ zI6BdgUt2fr)*{4kZFRz9#^A5<B@?A36WznZA44aumVS*2ykWgmUG{o)PsttW=j(6C z{S9n2-?wtHc~kpW#uDL?FIHWJy^~f}+Y)({>V{KI!UD{E`$tVa|IPfGx#C%P)Kgz` zfs*3Q-eZE!RcR#_E$znJ>hx`vxeZ9@x=E!BcK;OZN?%X4etUFThP7w)bJpr-jJnZv z(#0O>C(qfo-AF#XrP#;hrpRuMl!WJ4x9s-g^t#)|k6P(&lH~PbT>W;eBSFLL%t@B| zJuG$hAF!!g%YUtsK6z|I>U+)S-x#g)tj$zyp1j&}f!Rs_<kP%u=O%_Yy68fTTkc&< z4cV~NcGIBwbtQ|;_sl*_>PuuME8DZ5h*P)NRJH#7O>^n$=9gjzMQIq!s6)S1J_wfH z&RDiMgS}Qh(EW48;FFf=C&}VWBR*Qe6O$)y)3Dp^sb^GlzL=hQV0d_B*$X58zCA*% z0(T?pTG?LfZl-bic=l`Z&acm^f>#Ax+kQFc>h%)KuE%yN?47TBRAur;nCmosEk~(t z<_E{O7pxVkRXX4jnCn%)$M(Bf*4tL)l9rT7quz=a#?60kzVAMGE|x?3)T<6=+m2IQ zy+iCy1p#!+g08d5?i===T%5djugP8$nY}BoIEm>l3VUkjy6dT~sEu5ad2m=-fJ51i z^0#V#c8%SC(RzKrJ@rY7v~n=dz12^f`Z9|qQ`9}$zdb&sruem+$s|bW3CHr4d!i0{ zfGa71d)jLQ_T3L?k6q_^Vq)oas!>fF{)c-Rm;z#7eP7n&o|-TeqVE|ZWxj52<8V>w z>J1?g=T-TyFfDnR7Q*sMb?JTwH)CyU-P79z)ORg=sTHE%%Y0NfeVxk5H$9_w^EW<9 zj|{u^X=#~-!J&P0dMD}1P1MD{tk`z4nMQJW^VtHsArpqmm_ppa1HQ;r>idlac>T7Y zyJ1IvE3>^}wVykSnTG9WiS|S(mPf~VE35`RLr!_h1;`zv?hNb;ec*On+4SKyk7pxt zs&s?Dj(WXl^d7QVTpmm%>Tv(;27hsksK%*_j<IaFSQ85ATLX3od&!DZu^Lcqx*fDs zGe|esT~;Gv5#z@6)6x2iHnC9AZ@ax{qj0)o$iN8uWB>4u72iD4&Z@Cz_nqy?PVM_q zy^b|6LLlMon#H@b8v0fk<<lzM>vTRM<#p_v-1~BM{x5z-<?e4q!dusK=7rxoH&(&I z20hPgKjgA{YVB!DnxStm$972tFz$TK^tj+mkBsII7pE!Bn({SG9MNl>B;3D6uqWSS zYW={mMo}}TcFFI!%;7{Q#TwRuBUR$rwJa@0I^V<#pKUsYW$qS8Rr=Wd+;uwIVQ8h` z<}h)r2+akxQ(m>b>RHNDoI$BkHEoS!a)OIH{>X_R^JP&=sM#wy#<QW1YpCb4zXNUc zb-P5?2yxc)p=+<JT{9T-(%AHK=&)45NsTArKLu>c<qRw~J-b+)EbpNgw3hZ-`DK9` zK{<1lEnS5hVmrQB+pk`|=5YiA&Bkhs{puitbB>vNRO=if>qL#Ducb)|JYkA8;fgoW zeIjtsZd0%3C{GVpR@-+UqpsEZ!8;`XM3|V=<Om!zju+2sNXwH*%Ug9LFLdkij&Myk zjirB9X^T63%DL@rnw%7!{XR^=oIWr&8k6O+=D?J;r_{ShM(!2c{OGziyx$<u$oq%u zz21%!>D|2?&;MHFIi8%-eaDmXAYJ*ir&~HNb*l7lv0K-41HjKQoW4O7wf>Ow2V<=@ zM-unx9e=OweU#>})t8kw>D<HJe;!h)9TASY$PitqH{JEk$?yI4Yq5C|Z<;Ti(%R5R z=NFaATRQb8fwr+}&-z}&H2IE;u2&aLn){2z2w^^RwbFTs4yQa^V&GmZ?JKWxm$RNl z|MZgN*j%0wK98S`FCBtkxSSI0zsADe^Q+CsgPniSzGB$=gp#)GmhZb1_xfaE^_TOS zuD`e5R*-k&>WmsL@to-2w%B+(LCyFb6XS|h59#_JRBhJo_hv3r*?nH(p<Y(9p;$A= zPdcWlHQeC3?w)p@b_M-fYpNYLL&qbuRy`MM5eq%?=d#$lDf82^Ux!v;CnZj>C$h%Y zA6v@NYRBE$%9ZxQ^O(#L?^DNu6^|6g${D<*U7?F*T=e7q^3rq#<y0}JY*+O?`qny< zvRewzaY-5}3aUIA!kBFuHIN*n-prLF&YD~)eeQ_bqn_J2w>BPa@*B(D)2H`qWqQ}& zch4)Fg6Q`h3S4{squ1n;pH!w6UoU%T=o!6Hd#vYf`711G=z3`Nipk~IIN00<R~+?| z&=Pnm(Xc|+4tq7?%F;_|PV&?NcSJvWPI9IVU6x8TjJ>Py`lbG}m9iI%-|aJ`4anQ^ zD8WZO{>=%a0^yH`&Zn)HH%u}$dKAgDdl0+GGw<+uFDz|Pe$bADb61|ER~*<%6V14x z2%H~S$|KK}A(5UZ%NMHr=+wqWZ`Cc_aYZ`kgL9><m#QUF(;H!|mxhal*k-eo{Jav> zrf%<RWU*!W24-$MiCjDWV4JuG`z-N|p%EM6R8$)!cqCZTBh>1)t}o<&H1R=Jd1xzV zhb|9olV-!+M92LMEC$?5p3?t*l=qoQAh97<g8F)=a%LV?Uh<AhXVsr&8u+YfHb0%b zEWu5`rlB|OqeRH&C+)GWkz!|7FfC^v9C=jjNELBmch&MOazR2g8V9tE*u|P@&#%Q6 zXj6rk2B|$8c_5^6daaPc4@P}DSzq07)hjQXy##5V?4hnq5y>`O<hX(E_IY2n_w9Bp zqmOz{etBk4b48Nd>+A=c&fdc7RQAF&bPw;dL}oQ+M$nf?Tb6&u{9<HQRTNleba@s1 zwQw^D(-L(SgAA*9&V8G{O})A=#(e*PvCPlK3K($%+XxnJ6@9ns0)-D*Te@6b6tebN z>uWvl5;KWOT)ItncNKei`rS(X$hb0z;R9;Bm?uig=<Z)RelItuEc^%$Ytdib(g4;2 zRX?_swlC#QU&@rHA1tsuJv?{2VvAOM--_fMD*?>%*WFv+uG*sR#XGe6Oa2m;n4SRU zu>sNMcEd;3F-wvYX&UaZaiu@xG&MKxxWlGas5ZH!zUy2>_^LDEp)SYTw|WS7`(6on ze3Ok?<1?GrqBL4{OZUa$%27;gf@kSlC03U+oKBz`lF;{G!&%P2CYqZ3<-rxOhDrN0 z)R`Nq?5mb~R9+=?us_jB!?AoN(~&sEcy_Hksw-<lrPl8-RgV26d1d^()OwNWbfLr- zxiYEiXeDyxJh{K{o%vQ9XZ7~Jf$qVg4fdNw=t2szen>M^E`IOwE`RA#%jyRQ-8MF) z@i^Svqei>$3jO9CJOTWtM5Na0^>Pa*aom}Doy>ed+fB7ky*cdNvz{S|-6L^A%a`}Z zZYx?XE4OO5N_G7jS-Id?8u@wyzZjpd@wfa8`@L3C`S&im&YUzvwO(5Mko;bCt!w(p z1qq|sr*bc@X!p=N9h|IGBPjXy_s!70k}}2MEer`?b;X`uwV{s+v-m5PUS=r$uE0Sj zNBQU8rYTm2K-$}8wD+$m_n3GN31n29ve?3zc4V`6zeb|n(F`HW^o<(c`pxtcb@GNk zulcU39ySp-doS}g%<xLEsCI?9sMN0eZm)MRJkI<|m3MhZzGep7%N*w#P3JmlzW$Zc z;Tq4ZtsRC3=r=7sxrpOwlgv{qjd$!rL6YHbD=wVQddR9Rd*Gy=yKs!C+LupkPtWJM zi^tUR{&ot-aAj!T9`mi~tXzyWSgCg+IsMUxo7E*Y;}+Rl`nN{^^*nFeTDEoIG_Qe| zME#L-L2p0!mCAiPYIUu~;1TZ&wZgQNmC~`QaZeUS9cI9C1wW^0Jk0+^VL8@9%5x-4 z?S$B7tGfd}8DAfjwofpNIEY0retqT6-9)ct%N(}!Ef)yLQa)+ysb$Gqkt@C3bg)5U zklQ;ZQSPl3bs6KG0minCEssrnC3{ZUeNNk~66aZad>2*`T(mV)xgVCc<Ng)umeb51 zZP@om*L8T+(j}~Cf2z9Spx5~%v3GH@%bA{XWE!c`7j?6gTF@I6ENZ@(s?5wlvx%RR zo=!`(?eLmk?@!2PV3p&Z5At)L;gyO`+^|Y*=V_G|8{-z6-7PkLwA+)^tF|`taJBb+ z$gXtRsm!ycqSldTM8C)Td@^Ujmn0c3-XlLh98+?xcyjjoC$`!pE8p54se3z}u>bfL zjoe>}<pF!!)!uyc){XkT^~T+yKFJ4nZfl2{_Gg@(4DSq2OnFp6<;<t~CuFmytxVTl z_pLXTX~i6cO1yTw(>ZgdV`_St@Uv{b_Mt_knSZ#MHG;gwf4_eraYOg!g?fDlRh^ri z9QEo34&MAp!aYV?4wWp+C|xTY!jV!an7O0=_x>eD=R4PY@2<OaSwmv8xbD+4+hW@k z@23b_MA}hn^KIM9ZYZ$v)3)ApY~0IjI&0Qt>1%CKu!(3gXn1MR;1{ea(<7}BbuMwq z+n`P@<tID|!U88!bog$qbn0okyD{U*@<Z;*^;KTOOQba;*KVXS=H>3o^mr2eAWm)@ zhlmOfhttPZi|;MsNx;}%NQ>D2Ft;+8F{nvdw}vxce0(ZJxG`gqfzWNLZJ*cuP7<fv zxcu(%?GNpF{JcgJADEq8yEiPj@fFjy#j14Nm2q`<b$XmsS#C$tJbRj}m+RhSJ!03z zcF=##vK}uE)f_MB<d69w89WSfk#DfB85+4~*p8p|I;%}>DL3RQzr?0@Lui>qYsQ6w zoYo};3``GX`EGi$9*B+MNwSlQjkAtX<zqUlafP36OV}C4_8401qhl_jjK$BicG!eZ zg+IvFUYDl1o}Fr|>6>?H?sY7@Uxvl<;y5CFq78XR_Hq=pW_%2w*Y-0^;chjpEMt4g zeb3`n=>8Z^g{}8OkKJt>km~Z3qpP@Sd`gO@)b6v}{>FR!OOFipvv3qEv1AME`Z&P* z)O|&N*&%<%AKL`A`;$82FIgYv3}4Ie!Kb^PHe1MFr-5dB*&v@}yJOU4c|q0JyVN#{ zk5XUgqPfY<VsX`UQNT*N)FeTRo>NsBg8WwWzp6ia{(cnrCYQM?s9i0ji6s&9E-^%Y zs!XX`_U!|@&u3D9P+R!?Zlcl^%3h^5ZK(0*C(rRphHU9&IV-j&1bapWa_c5~WtV^1 z=Da7a=8P6IZTa#Dk?IW@1w8$=8J|U`cs}|2uULHN+!3+6XT4?Xt6pjR4x?Lq`knmh z-`1mzlgmH$Tp3W&ml`Wkxb<i~x0$$S?G09;;|9`=E+U4}n`3yrgA@(u5`WfIa*5`s zh=~N+ew61K3#V35s^cn8WC?68*IHDtOIGalGXSSy$?P2!KgDh{+8x)u?yr@jOXIEe zG%c>7*BE#jBEO&hPE-43Ai$FU%jo%)E7zw~e-DWtZDRfrXusm+t5&*u+jrV9)EGaw z&@HfN$Is07?V=J=wE~ZG`d7Nz3%A{DPokfoYT;6N@nF<?`N{9gKSmq3a&ak)1g@&& z_EYXv5!*gImdrgU{osg_-q|YQS}yl*A!h0~Rwc^O+SPnH8vcX+-O@@P0eU_v-nO58 ztt<4frN^5YytGc=o-p5&&3bYD&(YYfW~TOmk%97*oyAKUBeey))N+Q-SNdB;(u`ac z|32+)I%Tq?DO%;u;AQOCC$m>Mr!Tx&leTGOiPMLl{P}^yi3ta=9Z$}7yY^J?E$$c4 zS#?zM(dx)9ZmOgKG5gMj&UIUc{B&0N$Zw)I_uCO};n#Dcynoe=4Kcx`{Y6E0m#pyW z2w7j&?;YK?GO$czby*jWx^eUi1I=D{Tam2u0UM6?YAh)zA8HpARTzwC@AfSyzfvtI zT7IKZvFLDGa`jYud_wH@W9*LfyuUS6U$d`^^xfkvS~DW4G&zu_sM<btE0ZU~{{E-8 z8-r!`ajKSXDqh;-t+;sVJk!L6h#zW+n|aK=qI-*Cj#_Hae!rG;p=+<f%TW{K{^P7B zzbnJTFG<G83HCW&<$XNT&t5YX<2=rO&OO|B-Bl&A=DuYw*&o<!KDs19zFB~7U8>v( zrd>YbXU3BaC6|cP9gAcb{2`YpL*uz!*YY_-S?dXr$*7y(68i$oR!3Ipu_#Tck4+`6 zw_1E*PXKo89$)0r4|kR6YV?)0IyXk%d+pTVmnQhCID3CUqUrH{5`TmX?R6EZl#=df zng7X2{Jd-M)zGI{|6d9Lsk(L7Y6qPj=ea!un=?OzGsg8LzSGv1#pb@6PTBq^P%<=7 z_|=rbHqPjPv1nt#80W)F4~IEhU;OGA=Ivm#b+A5}{$t9(vu3}X#RK6#-e&LjSLoiQ zk+;8GNZ<*!B?_;kSZnZb{N)bLXvjkX!V?BEy!&3`(^K(s54JH|j}R~-E@2FVX6 zb0cLiI+7AoVbqKHmBma{9&$3|1g+FDQ*~nG{i7SqpeD0u@v7+N>fg8YUx{sX;LOgI zNTbob*~P#>y;?$_JKP~^b)1NnVRgt($x>D9c6ruy4Pg%3mEzntwx+xJk8#SbYdDc@ zs>a%t{=AjZ(<d=#A7g_BUHWPnm8?~1?}Zj|HpHC_dr|-N^y74e9Dxv?HSbh}ir5GB zug2?0T0zGYE*hnXO)H-(_KG|neQM^Af?m!R{lH)?)s`Th;AMH^@gLZN&C*ra1E?C> zLVixGj=OTNqm$yR3UX>cV#TL4=a2&Q2*9SqgG~SZ#e%Jb7YoST{D;{9!HWfLVGNp( zuvS6T6~*k;RFLoBo^#M5dd`6b|6+lUyS1l}qX*W~*4oz5UUcSQ%VKam=w$J{BSQZ? z5gILEa)4V8oJTSR9~YU?eC!Xp*}G$XEX4`qLSvISdi2~NCHeA2aNOuAI3JTmbUvog zO6ub~tM^tx7zeTXy4Zx&n6;J{OpQ~LQfu9<F^eu-m@$xmZQ_qin~gIT!YQpuq%=7( ziQcMM1Vn^BA~E%MQc-i!;6|?Vg};tLivh20&HOQ822`Mb%)FIhVoZyn*-VPbe?uL_ z!iQpj4W)!1%F+jGjfLz3MvN{ZBOD9(zn5U35#`yAG_D14B8mosVJD1;!CW~JLNp@5 zMiS0Q24CrO)iAy3`0)fV3>yGoh7CRh{>zN!v*KDx$l(s20jXEsTu^Grr<yPmc4lB; zH}I{24ctr(AK1;>-O0h;2P-Tl;)9)$n}lQGEQTXx7Z~2rDroA$tlX<$!=D5+!Q}S+ zCpI}xz>Vt$#&vI^TDlZyZVf*8xON~+!^RbNnR$!`(6O8HxDHYiX$oKjYdT_{OKFM6 zbpitW%n-4Q^1#-NS=JF7Fc{BG!~?4V|0Wg~KQIM}A%?F$QA~rFumImm7{i=GL<9Tc ziCDR?ypT7)9<!>M07NWXLM*SBFww9Q4g?}7OcTg*gQMFohJk@^&13kk1ku3a&V+#} zFuc_Bsv+MGgMt=dBo}&Oi6dl)29^*b3~ZaX;1qEO5@(s7aK=A{1oyRkMWTVl-SHIb zFHA8s?r_}mLxF&aJM);J1u+Qj67B?nDGUrzte?5gg0#Rd)rbdn#tV#q;S&a0V!ME_ zpMb~0gAl(4@wi6_0#jfZif&JvWSL0|{7{!@U=ZDWz>`DBf}7r*?5Fx5`s@cED{OA8 z*$p4p-NVivabSZuW;fD%PFm!<L_=GOJK;s9z%fLHg~(2cbV&?mkvcKQD}W|2r<e)! zxBx^U&||>B>fz;v@_+~60YqH<IYl(ExQnH@h^v#|49(vQ7MvhZ2%2m?yF?lIg$wWt z_yh?HCK?(F^0Ok7n;^J!Ph35*!OX`T0Uvj6IRRXQLSlmKXU1`7cM_mtenPb+8XL0T z%t>xAFa-lb1812o5yodc_$1kJ4lcAM$V~WwDFk{bz70;bUS|M7etyamiX<8s#JAZ= zLSgbj0(X9s>PsZaL~s<*xHAD6oN1@b1SGKLH|6i7nQ%H!H1JG7#tlqCVkkFF<afR% zJ+N*x@xV}S!VOFzH$f4Z$LESJX{Qj4AsQG&di=l?A~Ga#W8Io!($Ru7mS|v*O=oRK zL12jDJR|!e(&M_u5sfQ;1V1hXhM{p?M#BY2mz&k`^T)*#L3Uu=lvW1}13x4DEr(6% ztH7c&;SCDKv#;0zKf^2>CZLc>7!dq}kuWB-DuCQ?W=#AGdJ88GoS3vkL-N9g+zM!c z4e7Y|kgk}4gRp^?mcFmJzk`nV5n)XO+^S)MT<pXlL7p*JctIFa96}_N%alp8s}<a! z_D%txGyxD=ri`NloLL<S%itFSWWAL%t9%4#$WW&*B4bqy5wE|AmWskKtS^YM<}!PX z+>#QvCV?Pb54Qfv1@^oHJ~aX)#H?NlQuSsbz3s7J5%1*TF6?S=?PKpFEWQ=bGX+5) z?@e>B!X5%b90#8aOc38oC<Vb8nXuxc;Lu}4#ETNZAtN8Sj1(N}ZSC&k>TwWf?NbX= z4}o@W{E)y8v;`MeF!BUYi254zpm=l<TNlrnfI&fkQ6Rvg@#_JgY6EmbS7-2@2}l6j zRMcAI1rU}L!2%X$WFXlb`q$DRW?qOO1H}CDG^8@%UJ^y3^?RW8&axNxZGgsrV{k!k zuGUzTh?e3GA`W(-I|@SnzJ=`#0ViD;Pg4M(%JYEL($T4k1NKJ>Je{TIFbRsVgN(!) z_x~4QcSIUD0F5t<(?0nHfNMe6hC7(?6|@>l<8Nw7ftOIRZr~+Uz`D@FtbYMA#OG|` z{{|R;3*>;CyDA&43<nA2lik9=(Cm6{vcU$rNyq_OQd?nu#-4)?n9zEYoKc$WtinZg zi1_wMsczCfejfyTB&7iUeO^m(X@ZYaU>gG7v$p;)X&;Zu`!B#aA4dQj@0Z>+3fP|S z<FeQO1MsYmQvil$wSv`NqjkW<%%Fn<_wke)Xn`H@K8}0s7tuU}WN7?DA9Ng29>@Wg zLHy?bDFbevA&72Uj5Wdpfeb0&gU>U*BGfW~4G+Y?m*PVfy#y1yYaVdrt^Wdyh;_)< zx9M_kb_Kv-(L%)f)NQoDu;^yzVT&ZXK{AZgcAa1aihIpd{#`L@83?RXaC-<iSU!un zktFLjpp--#VO(ajC<5T-&d%ekz|U`iCM4X~Q}3b%#?QBzoZ^JDJOUZ^9y+ZFnui#N zd6pL{`@dxH^uYC*5Xhk6d+?JMz~3`ZhQ9w#2CNgVfTSQp3vhy?hk5fcz!r|6uz)Yi za>~*3AR*!~8+KI}&aROEg&G{oHwUUiYZrL9VXs0BE#eNntWLR}fPg!&FXavcP>%UC z?mqz|aylr;-`=;;<`V$roL5ZM+()Z1A<@ird;~#0_#r#<D=_g6f@BA0owpjb44|&S zZOI`3e)I9c3QfSe5BT7--mVTc@Z4FCpK%Ce2w*=VLVCvW)c;>H;Ab2K86fXV7hubY z0S5RCcDUdM=s_(5RM_DRKw+vw!1~ybR~x}pUj{4>H^95+Xq6`<ySZf!0vV`^Dt`Ka z8DKZB%sC1Q0F*fg?*up*5KVt*IdO^Sv;9Lb1FIQ`4dCz!tqjm|0vGQoEGMAp?<&1j zF9>))2r@(lh;Ks+44eM=YJ-CJK{7nnk{<R2_+YLRdEdEq)G`o)E&|{pweJG{0CaxP z_2~F7z=&!*D8peU4I`kFE4JWMhArZZU!w(<wv-^{bQF>uB!xVuxD_Np+B_-vJO6Jf za9mK30&;zZ)eVC9zP$vD3)(kmr8tQ1>y!0-(j8d%Li$)2I$WY1H?oaE+(H`i_`Me% zm+S(pgKbPAkMBo`4fSkhet3p*vj~c}Nw2#MNdsqhqf;7M!Q+7u1X+U+Ei(rYWYs~C zg<IL`EqdVDT_Fm%5Yr5k%|iAhaV2`t;u3bF5QLVq7H#i)0q!Lb)ZvMZ<^yV6{QREV zqarH<&cneId9eKy_|A=0FOdwp)in3I@7eEVWT$3mD|1NO*;PeOMFrP$)?Ikp3EDRW zZcO-t@7z=(M4G$5Kw$$I0=)Ag+O-h4k^-O?zC_sg37KlMfVif<IDSWgEHr6W;X5~K zeaN6^cWx-~dX$J)_|8oxVywB$I+HUcE;K=qC9MyigAOJJ^cpa#uyDNeD^m5y?%d#M zrXUC8yeqv&lSpse2!XyUtSTepykep-8xuBeDDY0~&+v^KmVTt*_?-*fBtmdn!ub7< z_nQFg`@jd^xH*m<6pv2WxIrL*MErq!q&IHZ2T*H`7eH9z-^LAD8A#7A_{Pmc#4^m; zxFKt6oWnzoM(;kHQ~@Z5+D`B~fPWCF);L5$LtSEK)lU|iw6<_;lke!TiE0oE*w6tF zpf2GLo*f<&V>=!3+_6t(hmnDnlfIv)iN3L|o4C_#cF-diQgB*&5Fx>{!^R;ZEy*Cw zjbR4l0C6UT0GWzE?@j~RL1$ieIE@aFC_9ja#_3ATDm*(R{6ePdY<8f)>uwLY1>xCY z6fxFZW`E@_c)SgQbPdpvCY>EDej`<nTy~JaX9o&$Ks4tbp0XvK9fF2Y%0aZPPl0zk za3Y8>ZNNX^*}-uHDL6hn;<CfCYYQ?DfqGYp-6g%P{}MeY9-WXK5D4(HXJjww?BG6% zT5G%jbGP-$%7B|)#LUC9!<sRqGR(;iWD#+pL=8CnbtOBQC&13oySMOlOCU-_u)mBy z9M-+?M1ycU1A8^`N7=<;Wmw5LI!yuY>~e_$EJU!Y$d5B1c3_|#W_UspoJ0ppNQSuG zWdv0Jka@4lMGH<)tRSX3ata;x4Ar<67+IZ3hitgctEs8rl_r_=gx}RBO2QOE$-+yt z)5O@;60+{Q{M^-z<h-0E^;~zG9u)T3IeWNnC%K%6(~`KPg(u-p2$ANd3bK_PZstIM zN4KyYvjIuC7kuy~+D;lGTFIz33rLiN$wK3FC1w?#ggF-@gPu*o6nI^DiFOPz)?8+t z$e9wyECjjli*O$4B>Vv_<ov^R_#{k04v1#2CcS1q5G;;^4}P|eb_r6NVKyc#(J1gv zY-4y5?nexc&q5UX96077Q1VMO6MCc?6F~9*AS7Y3Mf*Pinx8anA)SQ3|91iAF44%! zKzeq;lW;P~Sg@5jnTd^$mov*GvbO%G_49s9Yq0Z6Vu^+UonthJgsg;HqLIZWtt~t| z2!R_2Xt0U00|jj2g%f;<mO_lJZ|HBLC+%|3Kwm=N!_?H(!`((-diKz$A-Rx((-J!5 z4#*|^!L!2zLZrDdjO^ieoJk=-lgQH;1(57(7ZYa(OGYAE$*2a49Mbr(MHU*TD>19^ z?68y>8T4#+pulSo2p9xX!9U<jG-t$EbD8xdXG$Ei5M%;R3=8S(@DeQ~`RqVJ4v6Nn zlVABsFVTLnAf*{*V?uVIz&r8zUwC%t1m~JyvzCl|iHYLlGcG$&IQR^KhA&UQO?ru@ z4z5<A1jVBhvI7MHptGT;_K%d3&JI2QT>xRJe+@jcXGC$ci<o(Mc8CBkM<63%&JvA+ z*3c^m;MX9s+ra!Pp0`B%i4t+n63t}ci3YK~E%w1#utP}#S9%RPO~DmI{L+vt!?+0! z>APVv`V#4-;c;;19u33)mWBw_HQ5rKPa5_o*gr=F3$|Nu_f{!r3$a`<?f)4pP%vlb ztw;~9LkCO9{Zcb^2L)`1X__)kn;~#4X5%X26=??-I_x<sQUp}Huz$ZdMG{w<7bPy_ zS-6!jS$#=oMtH4rX$v}BqFRSS#D=(@n<?S74x<1OHrDr$xUQe+4ntQxZ+ks|PXkSD z=N+>vVdyE71zyfrxYlt&h%`4NlPx&@)jC_d1500mR<tsxci=1GMs$F<l`zs;hnQ7( zt-~aWjMdp%hXSuBi7W`ObvzMc&1Du#&XhQ2A;?>n3TmWloi?<P<ZB%YazHfiU*33$ zbgeTkhLmQ~wGIW|R}*amz-yfzairk*Y6Dm6L@nH(gh0oxDtsYb>*z?J2F0TjY8?au zOujdWCSB`%{_g_JZAX)p0T(ZcnTOXpF_K70m{aSJMZ`J04{$V^cWX9-Ev%VqNAPy^ z7)r!Bwa)&9CmMuX*hP2t2T5FGX>^*-sdY>#<BIM)aSSvzW?poGx4{dyqQoV%!6~Tg z2h?4@*rOh7H<O@wlPpSD2|{USNm<>zo%G72Ypej!k%!e-WRf7hwE}3Kt+6Pu4Eb?x zvF~q)W$3O8Jn#S7h7OicW8u2~2s~QfHRz8TICdPyMO<UKDxkxjQ)5vuG33#GR*6Q8 zU@Gt6A;#s<K#BXW#-hMA<XZAh?R)~@fe?94V%#`Al(>*<;c7byt_9&5N;->>b}fOu zsBvdqi!3ZIL=qPuaMw!RhYpsgq@<7-9e~Q@OUf1diLkvic1fsUovn>L^lUUGrFZYr z^!0I=ZJ#NVo3}VE7v5ZPLx?oD@F9B$4VMQX!0{5!-Sl9EPys%8N!f%B5LZ%4;@f9r zp>etrvkEUMb-=q@uoy*#)!CAg0<Xhh@i*6k@RBkQG1gpW0~Wpk1gXbxcHEJ4DYw!R zsd}VKIkNiV%nIon@W*j14=8;XeCn`W-*L3y^Xpl0f|beAfU`1j8wXxgZUB$&AhR;Q ztV7&D!^&Ql+yYdee*!KXJt!WXP*hTAB|*&w<&TP2NEem-HmJ463oy5+q_7AlW*%Nt zzCtX+oT8F~){xg7cYM4II)QHoKKSh)Ia{P!;}9*yoo(@T2U#b>xjXbq$bOBIzjpwr z!ZHj-3g+&GKo(?9MgX=U-1DRGEC__`T+8pH4m?c{d~oDea7rCLvK{V5IR#{hY^sY* zx9}A_9QpJ?)W~*(;*tW}9{{q(Tjtx)i%!?(>HNtNEwYn0;qbrd!Z8(M`xjG0j2l3O z-o}9IJm7>D*%{b*_F69mwtE4xwn!Q6BT#Mif%|1DFb}J9MvLs^P5P$IfrSZx#E@_Z z>9hyRr-2VH2A$9UF9z<a4Fxfv@OD5kSsn}Kn+Rw|!HcoaD8(SE^T~#_e{+4@W8xK{ z9Ag5GgTRB#6JN9x03VpGKq<HYG~qOC^X`H3(=%&1xbtNkLJe$-bizT%i@K?=4gkk< z1DE>XR-f`mjcj8nj=u&n_iiDDc@K%f^6u?J(#~gh>i-u5=X?~zfP%oGFPa(wAhWMK zM;rvygVBpYcvOIb2SCUUH`DV+fd_m8?g#e(F|guA9qjS13Q$0XLatrq#dJ{+_0qwW z1vqkiH(F#6a`6{y5rkZp=wfF4#abm;;FCB`jap~8=iy9_K>Z;-x0_~QzV8E*04~Jy zK(s=D=&S2%YwvC^JNJ4o1tuUHY)U#^Gy!t`c5uZNE=0!3|5pgy{ay+}KrYxa6{{s` zj={8_CKiIV4y_Q*HgG0zLLe|l_+iJ9gJ2#MfDi7C6}&VkeFAu+yC2RGD5wvGpflNR z{XlyX`7dS@T4ZNi;z)=n1VOGKTP_t{2YO9~e8dDe@u3xCh5$tNhX~M)p?;(W2-pce zcq&L0MT<P20Gt>IV(_x77{iCRF_>0x2m<Z_2gFc|0Tp7ni~b0FZ~GagdT^bFL<~OH zixzpN_(be`Q&Q_stpi49;U+eE-zT)l&QQUPYq?Qi8#20snZb(!kaI4B@CPrqu-{Q5 z1Ft76a429yu09eJ?kuH&!BDvqYaROoE%prGh+G{)zV>;99(oyjl!-XhNy{uk9cA#L z4!Zh^e^LNJ!11~JNW~VoTN?P_^KEiFS|Ob6{!_q#!hYm*5H|zxJ<XNGTy!X*7K0G> z=W;<|>OpSUvPbB(F5qGBJT5G>Q42AT3&gSKW;FQqE+B$EsD|OOXVVVUV%QL#d7wZ5 zWCd+!bx%>yC|wM^5?%ou&_Rzp*CVmBk2@g{VxzCH^nRfJ{Nzikhh7Lm@}+<bO~^ij zk3Y|V6`v3-vHDL@Bmb+y=05R5VM0PeXviCg!~ylYK{*Jw!E+<D>cfS=Kea<a2*?qH z?|Khw0U?aQ2N$B#7_AWhsxTZAxYw-^n4>oK%z4s6Tr@!|1e^){gFgtE;F}cTDFrO7 znr9BPJ!pl1Gl4e;0w$uz<$r)~8;O=c<X*HwfE<P2?_9VY14YC<zHqT2aPW8v?7_i9 zk@bGGz@XuYq9nMJBYv?GsH_M&p74^O$_h0yXbGSx3389cl#=Pf*`UP+bmO~l2)wO= z@4XK6z)&mr;C$EFqD2P1AN;c;WL=E(W)+<8VesQPXqNs&+m94BbD)sdlk_D@6KHHO zPiuR7blBi$7a+cIJ!T4gL&#dazou%T!V`EIobNRb{{?yW{X7cDP=wV{?3f$`$TA?` zz$5H#N3_WBxPpJ1m#oootwu<F&4&iPi$P%9IZudUXS6~PMcCN~f+;Wo#Tc4LX2SOX z6N`Z}!aYyQ4XqGR1&Va0L)i6S*BvIkp>x0kJvKhDQdo6BeQq|Ey8M?w>C}1Qt;G{9 zFkt@Q(~V@C+qkK&yWnm=n-3ATirjuNthTm{fs3BCj<ch%oAB<#J7#zLnHJvd-$jH3 zzbu1Ah%|RkdL=nPoI^u^#<fo{VxW4H0XYl4+uwl>kmxEUS!mL%!gu@q4<loBcDJ7b zuM1zLY)6bWmstw0%s`Mi;thN`AU>CX5B}PX(h;QU%|g!Ga3{QHK;bGS<h<MxaiXM8 z9oQa4DF@ERgv&A%cxPSk0O`(SNWt-&-MGE}@P!YMLZA;~SN-G%tk2);zl|Ogk51U@ zM<Box<+c#gd;JE-QEQDCVD4T&Ss8G%i<o)%UjGzg8RqQulSRaZ5-e~ux67@Xjez!e z5T)VUa5e!*wZ?C``w=$7pdWE1dFuWj@YKuSG}Zw468PZ2so;m-V3in|@ci#+qZgt0 zL;zgBx}Q-2fGW=eb_@D1z_=<50q}$38a41%0|pd6L>jZ5_z%FdMHm9$f?eAfp8(+b zHa>O|E$|^UHf~UfSD*%k*Gk~w@JH`%pF#^v__5%*-7X5sLkA8s`83l^fpc#Fa==eW zi-e+;0sPPm?w%6a!-oI-`>HfQ%?pyG{{}zth|a(N{ro2ag-44rqreGH%nDF*!ATc8 zgBEz}+~yX(-HJeY<z$hMq?MlzM=JvssmDRqPF+22*w2B%yaO{FuDpB%T40#+_|6^z z<#oq?)sR*`H3zK>o@kU${@%e%I;3{yq6OYc2&o7(W}qvcPz3Xf1uU@Otmo#T1%}OY zd<P4G+v|RO#6>!+Tiie^1Ef4ItW!`Pa=FqoN|khAzAXm@IXsck<^KoZ*|1Il7%CQM zWBMZv0q|y!Pv9%cqXp=IiB9hzC>yRHj^}(uGP)@iqQkZn_d)98P`y&+rd7(e4ug3n zN9=0Hi_iiSxf*T<k%Fs1GU%}CQbR}Qp<kPXr<7%lXl3xnrxbI_B~xOd$;oFVNk8!t zEv`3G(jgbOd}k5g36#|aa~wXu%bL&v6Gc^Ao1B8TL!<`{om!<2WYC-^!}1oiGQbT# z+rvR%c$&D$AgGTr-|(%iXl3xh8=e9##J}^|BPu}vcl|uwceSI%h4VkFI|BZ9B<Xgy z0OtcQ3K4}ljn`;p@FJYnqM$rv_$(csbY}n@1wMFu4eR_bz=)^$0qKB~q^)i71}*R* zgw}=>X2`9tpkc*e+O`ra+|q>>*B?xC-1!6q@kOIhU4gX18o$s2`yo^qa&HX-dew`- zx=_;vZsGFZXmPg^T#JHFL%_>uqT3FVbgf6j{{<N5S`>gG6GuF|B0-wz#1XW>gpDo) zbBX%B;kpAWz;=@mG1Du?(BeX?eVl6{03P5mPx%45l}c>Hz#Vk7C|5(!5)?78q3ift z(oD;&Knv`P(5E2_?-rdbKM3kkMSEg}^O?}%LhTLQ!72nyTXpcesDSl$*Lq^$le^FY z|NBL91i*F;k1Sm|!D3&B7+7o{T3~3+huFmWQv(MNfUGosg-`E`7T61giJ3}vtK9)d zNXFQS6>joFiwmvu5G(8&Ja7#EYv=I#b0h#g@N7$if`y@Q`LlDVtX2_&;Ra{O;BneL z2rVwO#KQSBf^Zpi^;K`L82DY5W5mE2m1u#X)dpgwtC{ZidVsK{vYHt9_jk0wP{oZH zSiPzylyul?96<|=rRdWjT!25~O*8nKQfmwyF46ut*=>h^9ka2Dug8^v9N=s=k$c@i ziESwkRhYO|9Rk1R-l^<82AW2`;C?B5d1E(@PH9VVLU}#+QU(GSXQfhRZvu+X@6k51 zE=HLkp`y=z=1n6CMISV&|E#hPl>^Ze9C#v9o|zpjFp=_z%b|p17l+H>zCSbA{DB+b z(Q33Z5Y~2c4M4#OpoHCMn-R<oc%Yfb!)vh3imqQvBm<%q2V{#)i3gcT&j2Smv@$@2 zFok9{ZrW=BVBmO!KNiC65a{Qz*|yCB`?y<s`Z#)EEp4rB9qn=3dW#qCSwJHPOb&4C zfw7@qx8fp<4E^}G9hs2{%_#917bc5=lU|cZdN{^1dD7Ao1*b)%^q>WCAA=F65~s2R MH<WC_NEpoj0CjrFvH$=8 literal 0 HcmV?d00001 diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/cleanup.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/cleanup.test.ts index 48bb282da18f6..1e494d4b55861 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/cleanup.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/cleanup.test.ts @@ -100,7 +100,7 @@ describe('migration v2', () => { await root.setup(); await expect(root.start()).rejects.toThrow( - /Unable to migrate the corrupt saved object document with _id: 'index-pattern:test_index\*'/ + 'Unable to complete saved object migrations for the [.kibana] index: Migrations failed. Reason: Corrupt saved object documents: index-pattern:test_index*. To allow migrations to proceed, please delete these documents.' ); const logFileContent = await asyncReadFile(logFilePath, 'utf-8'); diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/corrupt_outdated_docs.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/corrupt_outdated_docs.test.ts new file mode 100644 index 0000000000000..e48f1e65c120f --- /dev/null +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/corrupt_outdated_docs.test.ts @@ -0,0 +1,154 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import Path from 'path'; +import Fs from 'fs'; +import Util from 'util'; +import * as kbnTestServer from '../../../../test_helpers/kbn_server'; +import { Root } from '../../../root'; + +const logFilePath = Path.join(__dirname, 'migration_test_corrupt_docs_kibana.log'); + +const asyncUnlink = Util.promisify(Fs.unlink); +async function removeLogFile() { + // ignore errors if it doesn't exist + await asyncUnlink(logFilePath).catch(() => void 0); +} + +describe('migration v2 with corrupt saved object documents', () => { + let esServer: kbnTestServer.TestElasticsearchUtils; + let root: Root; + + beforeAll(async () => { + await removeLogFile(); + }); + + afterAll(async () => { + if (root) { + await root.shutdown(); + } + if (esServer) { + await esServer.stop(); + } + + await new Promise((resolve) => setTimeout(resolve, 10000)); + }); + + it('collects corrupt saved object documents accross batches', async () => { + const { startES } = kbnTestServer.createTestServers({ + adjustTimeout: (t: number) => jest.setTimeout(t), + settings: { + es: { + license: 'basic', + // original uncorrupt SO: + // { + // type: 'foo', // 'bar', 'baz' + // foo: {}, // bar: {}, baz: {} + // migrationVersion: { + // foo: '7.13.0', + // }, + // }, + // original corrupt SO example: + // { + // id: 'bar:123' + // type: 'foo', + // foo: {}, + // migrationVersion: { + // foo: '7.13.0', + // }, + // }, + // contains migrated index with 8.0 aliases to skip migration, but run outdated doc search + dataArchive: Path.join( + __dirname, + 'archives', + '8.0.0_migrated_with_corrupt_outdated_docs.zip' + ), + }, + }, + }); + + root = createRoot(); + + esServer = await startES(); + const coreSetup = await root.setup(); + + coreSetup.savedObjects.registerType({ + name: 'foo', + hidden: false, + mappings: { properties: {} }, + namespaceType: 'agnostic', + migrations: { + '7.14.0': (doc) => doc, + }, + }); + coreSetup.savedObjects.registerType({ + name: 'bar', + hidden: false, + mappings: { properties: {} }, + namespaceType: 'agnostic', + migrations: { + '7.14.0': (doc) => doc, + }, + }); + coreSetup.savedObjects.registerType({ + name: 'baz', + hidden: false, + mappings: { properties: {} }, + namespaceType: 'agnostic', + migrations: { + '7.14.0': (doc) => doc, + }, + }); + try { + await root.start(); + } catch (err) { + const corruptFooSOs = /foo:/g; + const corruptBarSOs = /bar:/g; + const corruptBazSOs = /baz:/g; + expect( + [ + ...err.message.matchAll(corruptFooSOs), + ...err.message.matchAll(corruptBarSOs), + ...err.message.matchAll(corruptBazSOs), + ].length + ).toEqual(16); + } + }); +}); + +function createRoot() { + return kbnTestServer.createRootWithCorePlugins( + { + migrations: { + skip: false, + enableV2: true, + batchSize: 5, + }, + logging: { + appenders: { + file: { + type: 'file', + fileName: logFilePath, + layout: { + type: 'json', + }, + }, + }, + loggers: [ + { + name: 'root', + appenders: ['file'], + }, + ], + }, + }, + { + oss: true, + } + ); +} diff --git a/src/core/server/saved_objects/migrationsv2/migrations_state_action_machine.ts b/src/core/server/saved_objects/migrationsv2/migrations_state_action_machine.ts index 85cc86fe0a468..8443f837a7f1d 100644 --- a/src/core/server/saved_objects/migrationsv2/migrations_state_action_machine.ts +++ b/src/core/server/saved_objects/migrationsv2/migrations_state_action_machine.ts @@ -10,7 +10,6 @@ import { errors as EsErrors } from '@elastic/elasticsearch'; import * as Option from 'fp-ts/lib/Option'; import { Logger, LogMeta } from '../../logging'; import type { ElasticsearchClient } from '../../elasticsearch'; -import { CorruptSavedObjectError } from '../migrations/core/migrate_raw_docs'; import { Model, Next, stateActionMachine } from './state_action_machine'; import { cleanup } from './migrations_state_machine_cleanup'; import { State } from './types'; @@ -74,7 +73,6 @@ const logActionResponse = ( ) => { logger.debug(logMessagePrefix + `${state.controlState} RESPONSE`, res as LogMeta); }; - const dumpExecutionLog = (logger: Logger, logMessagePrefix: string, executionLog: ExecutionLog) => { logger.error(logMessagePrefix + 'migration failed, dumping execution log:'); executionLog.forEach((log) => { @@ -211,11 +209,6 @@ export async function migrationStateActionMachine({ logger.error(e); dumpExecutionLog(logger, logMessagePrefix, executionLog); - if (e instanceof CorruptSavedObjectError) { - throw new Error( - `${e.message} To allow migrations to proceed, please delete this document from the [${initialState.indexPrefix}_${initialState.kibanaVersion}_001] index.` - ); - } const newError = new Error( `Unable to complete saved object migrations for the [${initialState.indexPrefix}] index. ${e}` diff --git a/src/core/server/saved_objects/migrationsv2/model.test.ts b/src/core/server/saved_objects/migrationsv2/model.test.ts index 213e8b43c0ea0..bdaedba9c9ea3 100644 --- a/src/core/server/saved_objects/migrationsv2/model.test.ts +++ b/src/core/server/saved_objects/migrationsv2/model.test.ts @@ -36,12 +36,15 @@ import type { CloneTempToSource, SetTempWriteBlock, WaitForYellowSourceState, + TransformedDocumentsBulkIndex, + ReindexSourceToTempIndexBulk, } from './types'; import { SavedObjectsRawDoc } from '..'; import { AliasAction, RetryableEsClientError } from './actions'; import { createInitialState, model } from './model'; import { ResponseType } from './next'; import { SavedObjectsMigrationConfigType } from '../saved_objects_config'; +import { TransformErrorObjects, TransformSavedObjectDocumentError } from '../migrations/core'; describe('migrations v2 model', () => { const baseState: BaseState = { @@ -778,6 +781,8 @@ describe('migrations v2 model', () => { targetIndex: '.kibana_7.11.0_001', tempIndexMappings: { properties: {} }, lastHitSortValue: undefined, + corruptDocumentIds: [], + transformErrors: [], }; it('REINDEX_SOURCE_TO_TEMP_READ -> REINDEX_SOURCE_TO_TEMP_INDEX if the index has outdated documents to reindex', () => { @@ -802,6 +807,23 @@ describe('migrations v2 model', () => { expect(newState.controlState).toBe('REINDEX_SOURCE_TO_TEMP_CLOSE_PIT'); expect(newState.sourceIndexPitId).toBe('pit_id'); }); + + it('REINDEX_SOURCE_TO_TEMP_READ -> FATAL if no outdated documents to reindex and transform failures seen with previous outdated documents', () => { + const testState: ReindexSourceToTempRead = { + ...state, + corruptDocumentIds: ['a:b'], + transformErrors: [], + }; + const res: ResponseType<'REINDEX_SOURCE_TO_TEMP_READ'> = Either.right({ + outdatedDocuments: [], + lastHitSortValue: undefined, + }); + const newState = model(testState, res) as FatalState; + expect(newState.controlState).toBe('FATAL'); + expect(newState.reason).toMatchInlineSnapshot( + `"Migrations failed. Reason: Corrupt saved object documents: a:b. To allow migrations to proceed, please delete these documents."` + ); + }); }); describe('REINDEX_SOURCE_TO_TEMP_CLOSE_PIT', () => { @@ -833,38 +855,89 @@ describe('migrations v2 model', () => { sourceIndexPitId: 'pit_id', targetIndex: '.kibana_7.11.0_001', lastHitSortValue: undefined, + corruptDocumentIds: [], + transformErrors: [], }; + const processedDocs = [ + { + _id: 'a:b', + _source: { type: 'a', a: { name: 'HOI!' }, migrationVersion: {}, references: [] }, + }, + ] as SavedObjectsRawDoc[]; - it('REINDEX_SOURCE_TO_TEMP_INDEX -> REINDEX_SOURCE_TO_TEMP_READ if action succeeded', () => { - const res: ResponseType<'REINDEX_SOURCE_TO_TEMP_INDEX'> = Either.right( - 'bulk_index_succeeded' - ); + it('REINDEX_SOURCE_TO_TEMP_INDEX -> REINDEX_SOURCE_TO_TEMP_INDEX_BULK if action succeeded', () => { + const res: ResponseType<'REINDEX_SOURCE_TO_TEMP_INDEX'> = Either.right({ + processedDocs, + }); const newState = model(state, res); + expect(newState.controlState).toEqual('REINDEX_SOURCE_TO_TEMP_INDEX_BULK'); + }); + + it('REINDEX_SOURCE_TO_TEMP_INDEX -> REINDEX_SOURCE_TO_TEMP_READ if action succeeded but we have carried through previous failures', () => { + const res: ResponseType<'REINDEX_SOURCE_TO_TEMP_INDEX'> = Either.right({ + processedDocs, + }); + const testState = { + ...state, + corruptDocumentIds: ['a:b'], + transformErrors: [], + }; + const newState = model(testState, res) as ReindexSourceToTempIndex; expect(newState.controlState).toEqual('REINDEX_SOURCE_TO_TEMP_READ'); - expect(newState.retryCount).toEqual(0); - expect(newState.retryDelay).toEqual(0); + expect(newState.corruptDocumentIds.length).toEqual(1); + expect(newState.transformErrors.length).toEqual(0); }); - it('REINDEX_SOURCE_TO_TEMP_INDEX -> REINDEX_SOURCE_TO_TEMP_READ when response is left target_index_had_write_block', () => { + it('REINDEX_SOURCE_TO_TEMP_INDEX -> REINDEX_SOURCE_TO_TEMP_READ when response is left documents_transform_failed', () => { const res: ResponseType<'REINDEX_SOURCE_TO_TEMP_INDEX'> = Either.left({ - type: 'target_index_had_write_block', + type: 'documents_transform_failed', + corruptDocumentIds: ['a:b'], + transformErrors: [], }); const newState = model(state, res) as ReindexSourceToTempRead; expect(newState.controlState).toEqual('REINDEX_SOURCE_TO_TEMP_READ'); + expect(newState.corruptDocumentIds.length).toEqual(1); + expect(newState.transformErrors.length).toEqual(0); expect(newState.retryCount).toEqual(0); expect(newState.retryDelay).toEqual(0); }); - - it('REINDEX_SOURCE_TO_TEMP_INDEX -> REINDEX_SOURCE_TO_TEMP_READ when response is left index_not_found_exception for temp index', () => { - const res: ResponseType<'REINDEX_SOURCE_TO_TEMP_INDEX'> = Either.left({ - type: 'index_not_found_exception', - index: state.tempIndex, - }); - const newState = model(state, res) as ReindexSourceToTempRead; + }); + describe('REINDEX_SOURCE_TO_TEMP_INDEX_BULK', () => { + const transformedDocs = [ + { + _id: 'a:b', + _source: { type: 'a', a: { name: 'HOI!' }, migrationVersion: {}, references: [] }, + }, + ] as SavedObjectsRawDoc[]; + const reindexSourceToTempIndexBulkState: ReindexSourceToTempIndexBulk = { + ...baseState, + controlState: 'REINDEX_SOURCE_TO_TEMP_INDEX_BULK', + transformedDocs, + versionIndexReadyActions: Option.none, + sourceIndex: Option.some('.kibana') as Option.Some<string>, + sourceIndexPitId: 'pit_id', + targetIndex: '.kibana_7.11.0_001', + lastHitSortValue: undefined, + }; + test('REINDEX_SOURCE_TO_TEMP_INDEX_BULK -> REINDEX_SOURCE_TO_TEMP_READ if action succeeded', () => { + const res: ResponseType<'REINDEX_SOURCE_TO_TEMP_INDEX_BULK'> = Either.right( + 'bulk_index_succeeded' + ); + const newState = model(reindexSourceToTempIndexBulkState, res); expect(newState.controlState).toEqual('REINDEX_SOURCE_TO_TEMP_READ'); expect(newState.retryCount).toEqual(0); expect(newState.retryDelay).toEqual(0); }); + test('REINDEX_SOURCE_TO_TEMP_INDEX_BULK should throw a throwBadResponse error if action failed', () => { + const res: ResponseType<'REINDEX_SOURCE_TO_TEMP_INDEX_BULK'> = Either.left({ + type: 'retryable_es_client_error', + message: 'random documents bulk index error', + }); + const newState = model(reindexSourceToTempIndexBulkState, res); + expect(newState.controlState).toEqual('REINDEX_SOURCE_TO_TEMP_INDEX_BULK'); + expect(newState.retryCount).toEqual(1); + expect(newState.retryDelay).toEqual(2000); + }); }); describe('SET_TEMP_WRITE_BLOCK', () => { @@ -943,6 +1016,8 @@ describe('migrations v2 model', () => { targetIndex: '.kibana_7.11.0_001', lastHitSortValue: undefined, hasTransformedDocs: false, + corruptDocumentIds: [], + transformErrors: [], }; it('OUTDATED_DOCUMENTS_SEARCH_READ -> OUTDATED_DOCUMENTS_TRANSFORM if found documents to transform', () => { @@ -967,6 +1042,37 @@ describe('migrations v2 model', () => { expect(newState.controlState).toBe('OUTDATED_DOCUMENTS_SEARCH_CLOSE_PIT'); expect(newState.pitId).toBe('pit_id'); }); + + it('OUTDATED_DOCUMENTS_SEARCH_READ -> FATAL if no outdated documents to transform and we have failed document migrations', () => { + const corruptDocumentIdsCarriedOver = ['a:somethingelse']; + const originalTransformError = new Error('something went wrong'); + const transFormErr = new TransformSavedObjectDocumentError( + '123', + 'vis', + undefined, + 'randomvis: 7.12.0', + 'failedDoc', + originalTransformError + ); + const transformationErrors = [ + { rawId: 'bob:tail', err: transFormErr }, + ] as TransformErrorObjects[]; + const res: ResponseType<'OUTDATED_DOCUMENTS_SEARCH_READ'> = Either.right({ + outdatedDocuments: [], + lastHitSortValue: undefined, + }); + const transformErrorsState: OutdatedDocumentsSearchRead = { + ...state, + corruptDocumentIds: [...corruptDocumentIdsCarriedOver], + transformErrors: [...transformationErrors], + }; + const newState = model(transformErrorsState, res) as FatalState; + expect(newState.controlState).toBe('FATAL'); + expect(newState.reason.includes('Migrations failed. Reason:')).toBe(true); + expect(newState.reason.includes('Corrupt saved object documents: ')).toBe(true); + expect(newState.reason.includes('Transformation errors: ')).toBe(true); + expect(newState.reason.includes('randomvis: 7.12.0')).toBe(true); + }); }); describe('OUTDATED_DOCUMENTS_SEARCH_CLOSE_PIT', () => { @@ -1006,9 +1112,20 @@ describe('migrations v2 model', () => { }); describe('OUTDATED_DOCUMENTS_TRANSFORM', () => { - const outdatedDocuments = ([ - Symbol('raw saved object doc'), - ] as unknown) as SavedObjectsRawDoc[]; + const outdatedDocuments = [{ _id: '1', _source: { type: 'vis' } }]; + const corruptDocumentIds = ['a:somethingelse']; + const originalTransformError = new Error('Dang diggity!'); + const transFormErr = new TransformSavedObjectDocumentError( + 'id', + 'type', + 'namespace', + 'failedTransform', + 'failedDoc', + originalTransformError + ); + const transformationErrors = [ + { rawId: 'bob:tail', err: transFormErr }, + ] as TransformErrorObjects[]; const outdatedDocumentsTransformState: OutdatedDocumentsTransform = { ...baseState, controlState: 'OUTDATED_DOCUMENTS_TRANSFORM', @@ -1016,18 +1133,132 @@ describe('migrations v2 model', () => { sourceIndex: Option.some('.kibana') as Option.Some<string>, targetIndex: '.kibana_7.11.0_001', outdatedDocuments, + corruptDocumentIds: [], + transformErrors: [], pitId: 'pit_id', lastHitSortValue: [3, 4], hasTransformedDocs: false, }; - test('OUTDATED_DOCUMENTS_TRANSFORM -> OUTDATED_DOCUMENTS_SEARCH_READ if action succeeds', () => { - const res: ResponseType<'OUTDATED_DOCUMENTS_TRANSFORM'> = Either.right( - 'bulk_index_succeeded' - ); - const newState = model(outdatedDocumentsTransformState, res); - expect(newState.controlState).toEqual('OUTDATED_DOCUMENTS_SEARCH_READ'); - expect(newState.retryCount).toEqual(0); - expect(newState.retryDelay).toEqual(0); + describe('OUTDATED_DOCUMENTS_TRANSFORM if action succeeds', () => { + const processedDocs = [ + { + _id: 'a:b', + _source: { type: 'a', a: { name: 'HOI!' }, migrationVersion: {}, references: [] }, + }, + ] as SavedObjectsRawDoc[]; + test('OUTDATED_DOCUMENTS_TRANSFORM -> TRANSFORMED_DOCUMENTS_BULK_INDEX if action succeeds', () => { + const res: ResponseType<'OUTDATED_DOCUMENTS_TRANSFORM'> = Either.right({ processedDocs }); + const newState = model( + outdatedDocumentsTransformState, + res + ) as TransformedDocumentsBulkIndex; + expect(newState.controlState).toEqual('TRANSFORMED_DOCUMENTS_BULK_INDEX'); + expect(newState.transformedDocs).toEqual(processedDocs); + expect(newState.retryCount).toEqual(0); + expect(newState.retryDelay).toEqual(0); + }); + test('OUTDATED_DOCUMENTS_TRANSFORM -> OUTDATED_DOCUMENTS_SEARCH_READ if there are are existing documents that failed transformation', () => { + const outdatedDocumentsTransformStateWithFailedDocuments: OutdatedDocumentsTransform = { + ...outdatedDocumentsTransformState, + corruptDocumentIds: [...corruptDocumentIds], + transformErrors: [], + }; + const res: ResponseType<'OUTDATED_DOCUMENTS_TRANSFORM'> = Either.right({ processedDocs }); + const newState = model( + outdatedDocumentsTransformStateWithFailedDocuments, + res + ) as OutdatedDocumentsSearchRead; + expect(newState.controlState).toEqual('OUTDATED_DOCUMENTS_SEARCH_READ'); + expect(newState.corruptDocumentIds).toEqual(corruptDocumentIds); + expect(newState.retryCount).toEqual(0); + expect(newState.retryDelay).toEqual(0); + }); + test('OUTDATED_DOCUMENTS_TRANSFORM -> OUTDATED_DOCUMENTS_SEARCH_READ if there are are existing documents that failed transformation because of transform errors', () => { + const outdatedDocumentsTransformStateWithFailedDocuments: OutdatedDocumentsTransform = { + ...outdatedDocumentsTransformState, + corruptDocumentIds: [], + transformErrors: [...transformationErrors], + }; + const res: ResponseType<'OUTDATED_DOCUMENTS_TRANSFORM'> = Either.right({ processedDocs }); + const newState = model( + outdatedDocumentsTransformStateWithFailedDocuments, + res + ) as OutdatedDocumentsSearchRead; + expect(newState.controlState).toEqual('OUTDATED_DOCUMENTS_SEARCH_READ'); + expect(newState.corruptDocumentIds.length).toEqual(0); + expect(newState.transformErrors.length).toEqual(1); + expect(newState.retryCount).toEqual(0); + expect(newState.retryDelay).toEqual(0); + }); + }); + describe('OUTDATED_DOCUMENTS_TRANSFORM if action fails', () => { + test('OUTDATED_DOCUMENTS_TRANSFORM -> OUTDATED_DOCUMENTS_SEARCH_READ adding newly failed documents to state if documents failed the transform', () => { + const res: ResponseType<'OUTDATED_DOCUMENTS_TRANSFORM'> = Either.left({ + type: 'documents_transform_failed', + corruptDocumentIds, + transformErrors: [], + }); + const newState = model( + outdatedDocumentsTransformState, + res + ) as OutdatedDocumentsSearchRead; + expect(newState.controlState).toEqual('OUTDATED_DOCUMENTS_SEARCH_READ'); + expect(newState.corruptDocumentIds).toEqual(corruptDocumentIds); + }); + test('OUTDATED_DOCUMENTS_TRANSFORM -> OUTDATED_DOCUMENTS_SEARCH_READ combines newly failed documents with those already on state if documents failed the transform', () => { + const newFailedTransformDocumentIds = ['b:other', 'c:__']; + const outdatedDocumentsTransformStateWithFailedDocuments: OutdatedDocumentsTransform = { + ...outdatedDocumentsTransformState, + corruptDocumentIds: [...corruptDocumentIds], + transformErrors: [...transformationErrors], + }; + const res: ResponseType<'OUTDATED_DOCUMENTS_TRANSFORM'> = Either.left({ + type: 'documents_transform_failed', + corruptDocumentIds: newFailedTransformDocumentIds, + transformErrors: transformationErrors, + }); + const newState = model( + outdatedDocumentsTransformStateWithFailedDocuments, + res + ) as OutdatedDocumentsSearchRead; + expect(newState.controlState).toEqual('OUTDATED_DOCUMENTS_SEARCH_READ'); + expect(newState.corruptDocumentIds).toEqual([ + ...corruptDocumentIds, + ...newFailedTransformDocumentIds, + ]); + }); + }); + }); + describe('TRANSFORMED_DOCUMENTS_BULK_INDEX', () => { + const transformedDocs = [ + { + _id: 'a:b', + _source: { type: 'a', a: { name: 'HOI!' }, migrationVersion: {}, references: [] }, + }, + ] as SavedObjectsRawDoc[]; + const transformedDocumentsBulkIndexState: TransformedDocumentsBulkIndex = { + ...baseState, + controlState: 'TRANSFORMED_DOCUMENTS_BULK_INDEX', + transformedDocs, + versionIndexReadyActions: Option.none, + sourceIndex: Option.some('.kibana') as Option.Some<string>, + targetIndex: '.kibana_7.11.0_001', + pitId: 'pit_id', + lastHitSortValue: [3, 4], + hasTransformedDocs: false, + }; + test('TRANSFORMED_DOCUMENTS_BULK_INDEX should throw a throwBadResponse error if action failed', () => { + const res: ResponseType<'TRANSFORMED_DOCUMENTS_BULK_INDEX'> = Either.left({ + type: 'retryable_es_client_error', + message: 'random documents bulk index error', + }); + const newState = model( + transformedDocumentsBulkIndexState, + res + ) as TransformedDocumentsBulkIndex; + expect(newState.controlState).toEqual('TRANSFORMED_DOCUMENTS_BULK_INDEX'); + expect(newState.retryCount).toEqual(1); + expect(newState.retryDelay).toEqual(2000); }); }); diff --git a/src/core/server/saved_objects/migrationsv2/model.ts b/src/core/server/saved_objects/migrationsv2/model.ts index 318eff19d5e24..cf9d6aec6b5b0 100644 --- a/src/core/server/saved_objects/migrationsv2/model.ts +++ b/src/core/server/saved_objects/migrationsv2/model.ts @@ -16,7 +16,7 @@ import { IndexMapping } from '../mappings'; import { ResponseType } from './next'; import { SavedObjectsMigrationVersion } from '../types'; import { disableUnknownTypeMappingFields } from '../migrations/core/migration_context'; -import { excludeUnusedTypesQuery } from '../migrations/core'; +import { excludeUnusedTypesQuery, TransformErrorObjects } from '../migrations/core'; import { SavedObjectsMigrationConfigType } from '../saved_objects_config'; /** @@ -97,6 +97,31 @@ function getAliases(indices: FetchIndexResponse) { }, {} as Record<string, string>); } +/** + * Constructs migration failure message strings from corrupt document ids and document transformation errors + */ +function extractTransformFailuresReason( + corruptDocumentIds: string[], + transformErrors: TransformErrorObjects[] +): { corruptDocsReason: string; transformErrsReason: string } { + const corruptDocumentIdReason = + corruptDocumentIds.length > 0 + ? ` Corrupt saved object documents: ${corruptDocumentIds.join(',')}` + : ''; + // we have both the saved object Id and the stack trace in each `transformErrors` item. + const transformErrorsReason = + transformErrors.length > 0 + ? ' Transformation errors: ' + + transformErrors + .map((errObj) => `${errObj.rawId}: ${errObj.err.message}\n ${errObj.err.stack ?? ''}`) + .join('/n') + : ''; + return { + corruptDocsReason: corruptDocumentIdReason, + transformErrsReason: transformErrorsReason, + }; +} + const delayRetryState = <S extends State>( state: S, errorMessage: string, @@ -481,11 +506,15 @@ export const model = (currentState: State, resW: ResponseType<AllActionStates>): controlState: 'REINDEX_SOURCE_TO_TEMP_READ', sourceIndexPitId: res.right.pitId, lastHitSortValue: undefined, + // placeholders to collect document transform problems + corruptDocumentIds: [], + transformErrors: [], }; } else { throwBadResponse(stateP, res); } } else if (stateP.controlState === 'REINDEX_SOURCE_TO_TEMP_READ') { + // we carry through any failures we've seen with transforming documents on state const res = resW as ExcludeRetryableEsError<ResponseType<typeof stateP.controlState>>; if (Either.isRight(res)) { if (res.right.outdatedDocuments.length > 0) { @@ -495,11 +524,27 @@ export const model = (currentState: State, resW: ResponseType<AllActionStates>): outdatedDocuments: res.right.outdatedDocuments, lastHitSortValue: res.right.lastHitSortValue, }; + } else { + // we don't have any more outdated documents and need to either fail or move on to updating the target mappings. + if (stateP.corruptDocumentIds.length > 0 || stateP.transformErrors.length > 0) { + const { corruptDocsReason, transformErrsReason } = extractTransformFailuresReason( + stateP.corruptDocumentIds, + stateP.transformErrors + ); + return { + ...stateP, + controlState: 'FATAL', + reason: `Migrations failed. Reason:${corruptDocsReason}${transformErrsReason}. To allow migrations to proceed, please delete these documents.`, + }; + } else { + // we don't have any more outdated documents and we haven't encountered any document transformation issues. + // Close the PIT search and carry on with the happy path. + return { + ...stateP, + controlState: 'REINDEX_SOURCE_TO_TEMP_CLOSE_PIT', + }; + } } - return { - ...stateP, - controlState: 'REINDEX_SOURCE_TO_TEMP_CLOSE_PIT', - }; } else { throwBadResponse(stateP, res); } @@ -516,34 +561,55 @@ export const model = (currentState: State, resW: ResponseType<AllActionStates>): throwBadResponse(stateP, res); } } else if (stateP.controlState === 'REINDEX_SOURCE_TO_TEMP_INDEX') { + // We follow a similar control flow as for + // outdated document search -> outdated document transform -> transform documents bulk index + // collecting issues along the way rather than failing + // REINDEX_SOURCE_TO_TEMP_INDEX handles the document transforms const res = resW as ExcludeRetryableEsError<ResponseType<typeof stateP.controlState>>; if (Either.isRight(res)) { - return { - ...stateP, - controlState: 'REINDEX_SOURCE_TO_TEMP_READ', - }; + if (stateP.corruptDocumentIds.length === 0 && stateP.transformErrors.length === 0) { + return { + ...stateP, + controlState: 'REINDEX_SOURCE_TO_TEMP_INDEX_BULK', // handles the actual bulk indexing into temp index + transformedDocs: [...res.right.processedDocs], + }; + } else { + // we don't have any transform issues with the current batch of outdated docs but + // we have carried through previous transformation issues. + // The migration will ultimately fail but before we do that, continue to + // search through remaining docs for more issues and pass the previous failures along on state + return { + ...stateP, + controlState: 'REINDEX_SOURCE_TO_TEMP_READ', + }; + } } else { + // we have failures from the current batch of documents and add them to the lists const left = res.left; - if ( - isLeftTypeof(left, 'target_index_had_write_block') || - (isLeftTypeof(left, 'index_not_found_exception') && left.index === stateP.tempIndex) - ) { - // index_not_found_exception: - // another instance completed the MARK_VERSION_INDEX_READY and - // removed the temp index. - // target_index_had_write_block - // another instance completed the SET_TEMP_WRITE_BLOCK step adding a - // write block to the temp index. - // - // For simplicity we continue linearly through the next steps even if - // we know another instance already completed these. + if (isLeftTypeof(left, 'documents_transform_failed')) { return { ...stateP, controlState: 'REINDEX_SOURCE_TO_TEMP_READ', + corruptDocumentIds: [...stateP.corruptDocumentIds, ...left.corruptDocumentIds], + transformErrors: [...stateP.transformErrors, ...left.transformErrors], }; + } else { + // should never happen + throwBadResponse(stateP, res as never); } - // should never happen - throwBadResponse(stateP, res as never); + } + } else if (stateP.controlState === 'REINDEX_SOURCE_TO_TEMP_INDEX_BULK') { + const res = resW as ExcludeRetryableEsError<ResponseType<typeof stateP.controlState>>; + if (Either.isRight(res)) { + return { + ...stateP, + controlState: 'REINDEX_SOURCE_TO_TEMP_READ', + // we're still on the happy path with no transformation failures seen. + corruptDocumentIds: [], + transformErrors: [], + }; + } else { + throwBadResponse(stateP, res); } } else if (stateP.controlState === 'SET_TEMP_WRITE_BLOCK') { const res = resW as ExcludeRetryableEsError<ResponseType<typeof stateP.controlState>>; @@ -611,6 +677,8 @@ export const model = (currentState: State, resW: ResponseType<AllActionStates>): pitId: res.right.pitId, lastHitSortValue: undefined, hasTransformedDocs: false, + corruptDocumentIds: [], + transformErrors: [], }; } else { throwBadResponse(stateP, res); @@ -626,59 +694,111 @@ export const model = (currentState: State, resW: ResponseType<AllActionStates>): lastHitSortValue: res.right.lastHitSortValue, }; } else { + // we don't have any more outdated documents and need to either fail or move on to updating the target mappings. + if (stateP.corruptDocumentIds.length > 0 || stateP.transformErrors.length > 0) { + const { corruptDocsReason, transformErrsReason } = extractTransformFailuresReason( + stateP.corruptDocumentIds, + stateP.transformErrors + ); + return { + ...stateP, + controlState: 'FATAL', + reason: `Migrations failed. Reason:${corruptDocsReason}${transformErrsReason}. To allow migrations to proceed, please delete these documents.`, + }; + } else { + // If there are no more results we have transformed all outdated + // documents and we didn't encounter any corrupt documents or transformation errors + // and can proceed to the next step + return { + ...stateP, + controlState: 'OUTDATED_DOCUMENTS_SEARCH_CLOSE_PIT', + }; + } + } + } else { + throwBadResponse(stateP, res); + } + } else if (stateP.controlState === 'OUTDATED_DOCUMENTS_TRANSFORM') { + const res = resW as ExcludeRetryableEsError<ResponseType<typeof stateP.controlState>>; + if (Either.isRight(res)) { + // we haven't seen corrupt documents or any transformation errors thus far in the migration + // index the migrated docs + if (stateP.corruptDocumentIds.length === 0 && stateP.transformErrors.length === 0) { + return { + ...stateP, + controlState: 'TRANSFORMED_DOCUMENTS_BULK_INDEX', + transformedDocs: [...res.right.processedDocs], + hasTransformedDocs: true, + }; + } else { + // We have seen corrupt documents and/or transformation errors + // skip indexing and go straight to reading and transforming more docs return { ...stateP, - controlState: 'OUTDATED_DOCUMENTS_SEARCH_CLOSE_PIT', + controlState: 'OUTDATED_DOCUMENTS_SEARCH_READ', }; } } else { - throwBadResponse(stateP, res); + if (isLeftTypeof(res.left, 'documents_transform_failed')) { + // continue to build up any more transformation errors before failing the migration. + return { + ...stateP, + controlState: 'OUTDATED_DOCUMENTS_SEARCH_READ', + corruptDocumentIds: [...stateP.corruptDocumentIds, ...res.left.corruptDocumentIds], + transformErrors: [...stateP.transformErrors, ...res.left.transformErrors], + hasTransformedDocs: false, + }; + } else { + throwBadResponse(stateP, res as never); + } } - } else if (stateP.controlState === 'OUTDATED_DOCUMENTS_REFRESH') { + } else if (stateP.controlState === 'TRANSFORMED_DOCUMENTS_BULK_INDEX') { const res = resW as ExcludeRetryableEsError<ResponseType<typeof stateP.controlState>>; if (Either.isRight(res)) { return { ...stateP, - controlState: 'UPDATE_TARGET_MAPPINGS', + controlState: 'OUTDATED_DOCUMENTS_SEARCH_READ', + corruptDocumentIds: [], + transformErrors: [], + hasTransformedDocs: true, }; } else { throwBadResponse(stateP, res); } - } else if (stateP.controlState === 'OUTDATED_DOCUMENTS_SEARCH_CLOSE_PIT') { + } else if (stateP.controlState === 'UPDATE_TARGET_MAPPINGS') { const res = resW as ExcludeRetryableEsError<ResponseType<typeof stateP.controlState>>; if (Either.isRight(res)) { - const { pitId, hasTransformedDocs, ...state } = stateP; - if (hasTransformedDocs) { - return { - ...state, - controlState: 'OUTDATED_DOCUMENTS_REFRESH', - }; - } return { - ...state, - controlState: 'UPDATE_TARGET_MAPPINGS', + ...stateP, + controlState: 'UPDATE_TARGET_MAPPINGS_WAIT_FOR_TASK', + updateTargetMappingsTaskId: res.right.taskId, }; } else { - throwBadResponse(stateP, res); + throwBadResponse(stateP, res as never); } - } else if (stateP.controlState === 'OUTDATED_DOCUMENTS_TRANSFORM') { + } else if (stateP.controlState === 'OUTDATED_DOCUMENTS_REFRESH') { const res = resW as ExcludeRetryableEsError<ResponseType<typeof stateP.controlState>>; if (Either.isRight(res)) { return { ...stateP, - controlState: 'OUTDATED_DOCUMENTS_SEARCH_READ', - hasTransformedDocs: true, + controlState: 'UPDATE_TARGET_MAPPINGS', }; } else { - throwBadResponse(stateP, res as never); + throwBadResponse(stateP, res); } - } else if (stateP.controlState === 'UPDATE_TARGET_MAPPINGS') { + } else if (stateP.controlState === 'OUTDATED_DOCUMENTS_SEARCH_CLOSE_PIT') { const res = resW as ExcludeRetryableEsError<ResponseType<typeof stateP.controlState>>; if (Either.isRight(res)) { + const { pitId, hasTransformedDocs, ...state } = stateP; + if (hasTransformedDocs) { + return { + ...state, + controlState: 'OUTDATED_DOCUMENTS_REFRESH', + }; + } return { - ...stateP, - controlState: 'UPDATE_TARGET_MAPPINGS_WAIT_FOR_TASK', - updateTargetMappingsTaskId: res.right.taskId, + ...state, + controlState: 'UPDATE_TARGET_MAPPINGS', }; } else { throwBadResponse(stateP, res); diff --git a/src/core/server/saved_objects/migrationsv2/next.ts b/src/core/server/saved_objects/migrationsv2/next.ts index 536c07d6a071d..07ebf80271d48 100644 --- a/src/core/server/saved_objects/migrationsv2/next.ts +++ b/src/core/server/saved_objects/migrationsv2/next.ts @@ -32,6 +32,8 @@ import type { SetTempWriteBlock, WaitForYellowSourceState, TransformRawDocs, + TransformedDocumentsBulkIndex, + ReindexSourceToTempIndexBulk, OutdatedDocumentsSearchOpenPit, OutdatedDocumentsSearchRead, OutdatedDocumentsSearchClosePit, @@ -82,11 +84,12 @@ export const nextActionMap = (client: ElasticsearchClient, transformRawDocs: Tra REINDEX_SOURCE_TO_TEMP_CLOSE_PIT: (state: ReindexSourceToTempClosePit) => Actions.closePit(client, state.sourceIndexPitId), REINDEX_SOURCE_TO_TEMP_INDEX: (state: ReindexSourceToTempIndex) => - Actions.transformDocs( + Actions.transformDocs(transformRawDocs, state.outdatedDocuments), + REINDEX_SOURCE_TO_TEMP_INDEX_BULK: (state: ReindexSourceToTempIndexBulk) => + Actions.bulkOverwriteTransformedDocuments( client, - transformRawDocs, - state.outdatedDocuments, state.tempIndex, + state.transformedDocs, /** * Since we don't run a search against the target index, we disable "refresh" to speed up * the migration process. @@ -121,11 +124,12 @@ export const nextActionMap = (client: ElasticsearchClient, transformRawDocs: Tra OUTDATED_DOCUMENTS_REFRESH: (state: OutdatedDocumentsRefresh) => Actions.refreshIndex(client, state.targetIndex), OUTDATED_DOCUMENTS_TRANSFORM: (state: OutdatedDocumentsTransform) => - Actions.transformDocs( + Actions.transformDocs(transformRawDocs, state.outdatedDocuments), + TRANSFORMED_DOCUMENTS_BULK_INDEX: (state: TransformedDocumentsBulkIndex) => + Actions.bulkOverwriteTransformedDocuments( client, - transformRawDocs, - state.outdatedDocuments, state.targetIndex, + state.transformedDocs, /** * Since we don't run a search against the target index, we disable "refresh" to speed up * the migration process. diff --git a/src/core/server/saved_objects/migrationsv2/types.ts b/src/core/server/saved_objects/migrationsv2/types.ts index ac807e9d61776..f5800a3cd9570 100644 --- a/src/core/server/saved_objects/migrationsv2/types.ts +++ b/src/core/server/saved_objects/migrationsv2/types.ts @@ -6,12 +6,18 @@ * Side Public License, v 1. */ +import * as TaskEither from 'fp-ts/lib/TaskEither'; import * as Option from 'fp-ts/lib/Option'; import { estypes } from '@elastic/elasticsearch'; import { ControlState } from './state_action_machine'; import { AliasAction } from './actions'; import { IndexMapping } from '../mappings'; import { SavedObjectsRawDoc } from '..'; +import { TransformErrorObjects } from '../migrations/core'; +import { + DocumentsTransformFailed, + DocumentsTransformSuccess, +} from '../migrations/core/migrate_raw_docs'; export type MigrationLogLevel = 'error' | 'info'; @@ -175,6 +181,8 @@ export interface ReindexSourceToTempRead extends PostInitState { readonly controlState: 'REINDEX_SOURCE_TO_TEMP_READ'; readonly sourceIndexPitId: string; readonly lastHitSortValue: number[] | undefined; + readonly corruptDocumentIds: string[]; + readonly transformErrors: TransformErrorObjects[]; } export interface ReindexSourceToTempClosePit extends PostInitState { @@ -187,6 +195,15 @@ export interface ReindexSourceToTempIndex extends PostInitState { readonly outdatedDocuments: SavedObjectsRawDoc[]; readonly sourceIndexPitId: string; readonly lastHitSortValue: number[] | undefined; + readonly corruptDocumentIds: string[]; + readonly transformErrors: TransformErrorObjects[]; +} + +export interface ReindexSourceToTempIndexBulk extends PostInitState { + readonly controlState: 'REINDEX_SOURCE_TO_TEMP_INDEX_BULK'; + readonly transformedDocs: SavedObjectsRawDoc[]; + readonly sourceIndexPitId: string; + readonly lastHitSortValue: number[] | undefined; } export type SetTempWriteBlock = PostInitState & { @@ -233,6 +250,8 @@ export interface OutdatedDocumentsSearchRead extends PostInitState { readonly pitId: string; readonly lastHitSortValue: number[] | undefined; readonly hasTransformedDocs: boolean; + readonly corruptDocumentIds: string[]; + readonly transformErrors: TransformErrorObjects[]; } export interface OutdatedDocumentsSearchClosePit extends PostInitState { @@ -249,12 +268,24 @@ export interface OutdatedDocumentsRefresh extends PostInitState { } export interface OutdatedDocumentsTransform extends PostInitState { - /** Transform a batch of outdated documents to their latest version and write them to the target index */ + /** Transform a batch of outdated documents to their latest version*/ readonly controlState: 'OUTDATED_DOCUMENTS_TRANSFORM'; readonly pitId: string; readonly outdatedDocuments: SavedObjectsRawDoc[]; readonly lastHitSortValue: number[] | undefined; readonly hasTransformedDocs: boolean; + readonly corruptDocumentIds: string[]; + readonly transformErrors: TransformErrorObjects[]; +} +export interface TransformedDocumentsBulkIndex extends PostInitState { + /** + * Write the up-to-date transformed documents to the target index + */ + readonly controlState: 'TRANSFORMED_DOCUMENTS_BULK_INDEX'; + readonly transformedDocs: SavedObjectsRawDoc[]; + readonly lastHitSortValue: number[] | undefined; + readonly hasTransformedDocs: boolean; + readonly pitId: string; } export interface MarkVersionIndexReady extends PostInitState { @@ -351,6 +382,7 @@ export type State = | ReindexSourceToTempRead | ReindexSourceToTempClosePit | ReindexSourceToTempIndex + | ReindexSourceToTempIndexBulk | SetTempWriteBlock | CloneTempToSource | UpdateTargetMappingsState @@ -363,6 +395,7 @@ export type State = | OutdatedDocumentsRefresh | MarkVersionIndexReady | MarkVersionIndexReadyConflict + | TransformedDocumentsBulkIndex | LegacyCreateReindexTargetState | LegacySetWriteBlockState | LegacyReindexState @@ -376,4 +409,6 @@ export type AllControlStates = State['controlState']; */ export type AllActionStates = Exclude<AllControlStates, 'FATAL' | 'DONE'>; -export type TransformRawDocs = (rawDocs: SavedObjectsRawDoc[]) => Promise<SavedObjectsRawDoc[]>; +export type TransformRawDocs = ( + rawDocs: SavedObjectsRawDoc[] +) => TaskEither.TaskEither<DocumentsTransformFailed, DocumentsTransformSuccess>; From e0c57e08fd13adf297c78da745ac1976289292d1 Mon Sep 17 00:00:00 2001 From: Clint Andrew Hall <clint.hall@elastic.co> Date: Mon, 10 May 2021 16:27:35 -0500 Subject: [PATCH 04/11] [labs] Fix reset overreach; add method for testing project (#99672) --- src/plugins/presentation_util/common/labs.ts | 5 ++-- .../public/services/kibana/labs.ts | 23 ++++++++++++++----- .../presentation_util/public/services/labs.ts | 1 + .../public/services/storybook/labs.ts | 4 ++++ .../public/services/stub/labs.ts | 2 ++ .../canvas/public/services/expressions.ts | 3 +-- .../canvas/public/services/stubs/labs.ts | 1 + 7 files changed, 29 insertions(+), 10 deletions(-) diff --git a/src/plugins/presentation_util/common/labs.ts b/src/plugins/presentation_util/common/labs.ts index d551b733ecb8a..902c22681e55e 100644 --- a/src/plugins/presentation_util/common/labs.ts +++ b/src/plugins/presentation_util/common/labs.ts @@ -8,8 +8,9 @@ import { i18n } from '@kbn/i18n'; -export const USE_DATA_SERVICE = 'labs:canvas:useDataService'; -export const TIME_TO_PRESENT = 'labs:presentation:timeToPresent'; +export const LABS_PROJECT_PREFIX = 'labs:'; +export const USE_DATA_SERVICE = `${LABS_PROJECT_PREFIX}canvas:useDataService` as const; +export const TIME_TO_PRESENT = `${LABS_PROJECT_PREFIX}presentation:timeToPresent` as const; export const projectIDs = [TIME_TO_PRESENT, USE_DATA_SERVICE] as const; export const environmentNames = ['kibana', 'browser', 'session'] as const; diff --git a/src/plugins/presentation_util/public/services/kibana/labs.ts b/src/plugins/presentation_util/public/services/kibana/labs.ts index db78103469880..fe0767ff09d8f 100644 --- a/src/plugins/presentation_util/public/services/kibana/labs.ts +++ b/src/plugins/presentation_util/public/services/kibana/labs.ts @@ -7,7 +7,6 @@ */ import { - environmentNames, EnvironmentName, projectIDs, projects, @@ -15,6 +14,7 @@ import { Project, getProjectIDs, SolutionName, + LABS_PROJECT_PREFIX, } from '../../../common'; import { PresentationUtilPluginStartDeps } from '../../types'; import { KibanaPluginServiceFactory } from '../create'; @@ -31,6 +31,16 @@ export type LabsServiceFactory = KibanaPluginServiceFactory< PresentationUtilPluginStartDeps >; +const clearLabsFromStorage = (storage: Storage) => { + projectIDs.forEach((projectID) => storage.removeItem(projectID)); + + // This is a redundancy, to catch any labs that may have been removed above. + // We could consider gathering telemetry to see how often this happens, or this may be unnecessary. + Object.keys(storage) + .filter((key) => key.startsWith(LABS_PROJECT_PREFIX)) + .forEach((key) => storage.removeItem(key)); +}; + export const labsServiceFactory: LabsServiceFactory = ({ coreStart }) => { const { uiSettings } = coreStart; const localStorage = window.localStorage; @@ -75,17 +85,18 @@ export const labsServiceFactory: LabsServiceFactory = ({ coreStart }) => { }; const reset = () => { - localStorage.clear(); - sessionStorage.clear(); - environmentNames.forEach((env) => - projectIDs.forEach((id) => setProjectStatus(id, env, projects[id].isActive)) - ); + clearLabsFromStorage(localStorage); + clearLabsFromStorage(sessionStorage); + projectIDs.forEach((id) => setProjectStatus(id, 'kibana', projects[id].isActive)); }; + const isProjectEnabled = (id: ProjectID) => getProject(id).status.isEnabled; + return { getProjectIDs, getProjects, getProject, + isProjectEnabled, reset, setProjectStatus, }; diff --git a/src/plugins/presentation_util/public/services/labs.ts b/src/plugins/presentation_util/public/services/labs.ts index ef583bd4189a9..70c40eaafa2ef 100644 --- a/src/plugins/presentation_util/public/services/labs.ts +++ b/src/plugins/presentation_util/public/services/labs.ts @@ -20,6 +20,7 @@ import { } from '../../common'; export interface PresentationLabsService { + isProjectEnabled: (id: ProjectID) => boolean; getProjectIDs: () => typeof projectIDs; getProject: (id: ProjectID) => Project; getProjects: (solutions?: SolutionName[]) => Record<ProjectID, Project>; diff --git a/src/plugins/presentation_util/public/services/storybook/labs.ts b/src/plugins/presentation_util/public/services/storybook/labs.ts index 396db52460053..8bc526987d95f 100644 --- a/src/plugins/presentation_util/public/services/storybook/labs.ts +++ b/src/plugins/presentation_util/public/services/storybook/labs.ts @@ -46,13 +46,17 @@ export const labsServiceFactory: LabsServiceFactory = () => { }; const reset = () => { + // This is normally not ok, but it's our isolated Storybook instance. storage.clear(); }; + const isProjectEnabled = (id: ProjectID) => getProject(id).status.isEnabled; + return { getProjectIDs, getProjects, getProject, + isProjectEnabled, reset, setProjectStatus, }; diff --git a/src/plugins/presentation_util/public/services/stub/labs.ts b/src/plugins/presentation_util/public/services/stub/labs.ts index c511ed26ef32e..aee7ce20bd86a 100644 --- a/src/plugins/presentation_util/public/services/stub/labs.ts +++ b/src/plugins/presentation_util/public/services/stub/labs.ts @@ -64,11 +64,13 @@ export const labsServiceFactory: LabsServiceFactory = () => { const setProjectStatus = (id: ProjectID, env: EnvironmentName, value: boolean) => { statuses[id] = { ...statuses[id], [env]: value }; }; + const isProjectEnabled = (id: ProjectID) => getProject(id).status.isEnabled; return { getProjectIDs, getProject, getProjects, + isProjectEnabled, setProjectStatus, reset: () => { statuses = reset(); diff --git a/x-pack/plugins/canvas/public/services/expressions.ts b/x-pack/plugins/canvas/public/services/expressions.ts index fd733862c4b67..35493341e0e88 100644 --- a/x-pack/plugins/canvas/public/services/expressions.ts +++ b/x-pack/plugins/canvas/public/services/expressions.ts @@ -25,8 +25,7 @@ export const expressionsServiceFactory: CanvasServiceFactory<ExpressionsService> if (!cached) { cached = (async () => { const labService = startPlugins.presentationUtil.labsService; - const useDataSearchProject = labService.getProject('labs:canvas:useDataService'); - const hasDataSearch = useDataSearchProject.status.isEnabled; + const hasDataSearch = labService.isProjectEnabled('labs:canvas:useDataService'); const dataSearchFns = ['essql', 'esdocs', 'escount']; const serverFunctionList = await coreSetup.http.get(API_ROUTE_FUNCTIONS); diff --git a/x-pack/plugins/canvas/public/services/stubs/labs.ts b/x-pack/plugins/canvas/public/services/stubs/labs.ts index 7caa1d0139a70..db89c5c35d5fb 100644 --- a/x-pack/plugins/canvas/public/services/stubs/labs.ts +++ b/x-pack/plugins/canvas/public/services/stubs/labs.ts @@ -14,6 +14,7 @@ export const labsService: CanvasLabsService = { getProject: noop, getProjects: noop, getProjectIDs: () => projectIDs, + isProjectEnabled: () => false, isLabsEnabled: () => true, projectIDs, reset: noop, From 6d269c5062b9dbc9d692265db56a85fa2d5431e1 Mon Sep 17 00:00:00 2001 From: Brian Seeders <brian.seeders@elastic.co> Date: Mon, 10 May 2021 17:42:39 -0400 Subject: [PATCH 05/11] Revert "[SecuritySolution] Get endpoint metadata (#99452)" (#99719) This reverts commit 5893d67b4b34c5fdc9446d5e63cd908d777c8b3b. --- .../common/endpoint/types/index.ts | 5 - .../security_solution/hosts/common/index.ts | 9 - .../ml/criteria/host_to_criteria.ts | 3 - .../hosts/containers/hosts/details/index.tsx | 8 +- .../public/hosts/pages/details/index.tsx | 10 +- .../pages/endpoint_hosts/view/index.tsx | 2 +- .../components/host_overview/index.tsx | 13 +- .../server/endpoint/mocks.ts | 10 +- .../endpoint/routes/metadata/handlers.ts | 163 +++++------------- .../endpoint/routes/metadata/metadata.test.ts | 87 ++++------ .../routes/metadata/metadata_v1.test.ts | 78 ++++----- .../routes/metadata/query_builders.test.ts | 5 +- .../routes/metadata/query_builders.ts | 7 +- .../routes/metadata/query_builders_v1.test.ts | 3 +- .../metadata/support/query_strategies.ts | 20 ++- .../endpoint/routes/policy/handlers.test.ts | 24 +-- .../server/endpoint/routes/policy/handlers.ts | 2 +- .../endpoint/routes/policy/service.test.ts | 8 +- .../server/endpoint/routes/policy/service.ts | 30 ++-- .../server/endpoint/types.ts | 3 +- .../security_solution/server/plugin.ts | 5 +- .../factory/hosts/authentications/index.tsx | 1 + .../factory/hosts/details/__mocks__/index.ts | 28 --- .../factory/hosts/details/helpers.ts | 66 +------ .../factory/hosts/details/index.test.tsx | 28 +-- .../factory/hosts/details/index.ts | 40 +---- .../hosts/details/query.host_details.dsl.ts | 19 +- .../security_solution/factory/types.ts | 12 +- .../security_solution/index.ts | 12 +- 29 files changed, 185 insertions(+), 516 deletions(-) diff --git a/x-pack/plugins/security_solution/common/endpoint/types/index.ts b/x-pack/plugins/security_solution/common/endpoint/types/index.ts index b9e72bcd625ec..c58e67b5d4fd4 100644 --- a/x-pack/plugins/security_solution/common/endpoint/types/index.ts +++ b/x-pack/plugins/security_solution/common/endpoint/types/index.ts @@ -414,11 +414,6 @@ export type PolicyInfo = Immutable<{ id: string; }>; -export interface HostMetaDataInfo { - metadata: HostMetadata; - query_strategy_version: MetadataQueryStrategyVersions; -} - export type HostInfo = Immutable<{ metadata: HostMetadata; host_status: HostStatus; diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts index 3175876a8299c..a579d8f8d8ef3 100644 --- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts +++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts @@ -25,16 +25,10 @@ export interface EndpointFields { endpointPolicy?: Maybe<string>; sensorVersion?: Maybe<string>; policyStatus?: Maybe<HostPolicyResponseActionStatus>; - id?: Maybe<string>; -} - -interface AgentFields { - id?: Maybe<string>; } export interface HostItem { _id?: Maybe<string>; - agent?: Maybe<AgentFields>; cloud?: Maybe<CloudEcs>; endpoint?: Maybe<EndpointFields>; host?: Maybe<HostEcs>; @@ -76,9 +70,6 @@ export interface HostAggEsItem { cloud_machine_type?: HostBuckets; cloud_provider?: HostBuckets; cloud_region?: HostBuckets; - endpoint?: { - id: HostBuckets; - }; host_architecture?: HostBuckets; host_id?: HostBuckets; host_ip?: HostBuckets; diff --git a/x-pack/plugins/security_solution/public/common/components/ml/criteria/host_to_criteria.ts b/x-pack/plugins/security_solution/public/common/components/ml/criteria/host_to_criteria.ts index ff454da7b1fcd..19eae99757849 100644 --- a/x-pack/plugins/security_solution/public/common/components/ml/criteria/host_to_criteria.ts +++ b/x-pack/plugins/security_solution/public/common/components/ml/criteria/host_to_criteria.ts @@ -9,9 +9,6 @@ import { HostItem } from '../../../../../common/search_strategy/security_solutio import { CriteriaFields } from '../types'; export const hostToCriteria = (hostItem: HostItem): CriteriaFields[] => { - if (hostItem == null) { - return []; - } if (hostItem.host != null && hostItem.host.name != null) { const criteria: CriteriaFields[] = [ { diff --git a/x-pack/plugins/security_solution/public/hosts/containers/hosts/details/index.tsx b/x-pack/plugins/security_solution/public/hosts/containers/hosts/details/index.tsx index a0f4386be59a4..dd55bdb4c6948 100644 --- a/x-pack/plugins/security_solution/public/hosts/containers/hosts/details/index.tsx +++ b/x-pack/plugins/security_solution/public/hosts/containers/hosts/details/index.tsx @@ -145,14 +145,14 @@ export const useHostDetails = ({ } return prevRequest; }); - }, [endDate, hostName, indexNames, startDate]); - - useEffect(() => { - hostDetailsSearch(hostDetailsRequest); return () => { searchSubscription$.current.unsubscribe(); abortCtrl.current.abort(); }; + }, [endDate, hostName, indexNames, startDate]); + + useEffect(() => { + hostDetailsSearch(hostDetailsRequest); }, [hostDetailsRequest, hostDetailsSearch]); return [loading, hostDetailsResponse]; diff --git a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx index d88e4f048f917..1ff4abb78b210 100644 --- a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx +++ b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx @@ -50,9 +50,6 @@ import { timelineDefaults } from '../../../timelines/store/timeline/defaults'; import { useSourcererScope } from '../../../common/containers/sourcerer'; import { useDeepEqualSelector, useShallowEqualSelector } from '../../../common/hooks/use_selector'; import { useHostDetails } from '../../containers/hosts/details'; -import { manageQuery } from '../../../common/components/page/manage_query'; - -const HostOverviewManage = manageQuery(HostOverview); const HostDetailsComponent: React.FC<HostDetailsProps> = ({ detailName, hostDetailsPagePath }) => { const dispatch = useDispatch(); @@ -96,12 +93,11 @@ const HostDetailsComponent: React.FC<HostDetailsProps> = ({ detailName, hostDeta ); const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererScope(); - const [loading, { hostDetails: hostOverview, id, refetch }] = useHostDetails({ + const [loading, { hostDetails: hostOverview, id }] = useHostDetails({ endDate: to, startDate: from, hostName: detailName, indexNames: selectedPatterns, - skip: selectedPatterns.length === 0, }); const filterQuery = convertToBuildEsQuery({ config: esQuery.getEsQueryConfig(kibana.services.uiSettings), @@ -145,7 +141,7 @@ const HostDetailsComponent: React.FC<HostDetailsProps> = ({ detailName, hostDeta skip={isInitializing} > {({ isLoadingAnomaliesData, anomaliesData }) => ( - <HostOverviewManage + <HostOverview docValueFields={docValueFields} id={id} isInDetailsSidePanel={false} @@ -164,8 +160,6 @@ const HostDetailsComponent: React.FC<HostDetailsProps> = ({ detailName, hostDeta to: fromTo.to, }); }} - setQuery={setQuery} - refetch={refetch} /> )} </AnomalyTableProvider> diff --git a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/index.tsx b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/index.tsx index f654efdd89ce1..d28bf6b38fd31 100644 --- a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/index.tsx +++ b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/index.tsx @@ -321,7 +321,7 @@ export const EndpointList = () => { render: (hostStatus: HostInfo['host_status']) => { return ( <EuiBadge - color={hostStatus != null ? HOST_STATUS_TO_BADGE_COLOR[hostStatus] : 'warning'} + color={HOST_STATUS_TO_BADGE_COLOR[hostStatus] || 'warning'} data-test-subj="rowHostStatus" className="eui-textTruncate" > diff --git a/x-pack/plugins/security_solution/public/overview/components/host_overview/index.tsx b/x-pack/plugins/security_solution/public/overview/components/host_overview/index.tsx index fa644d1cbcdac..c5d51a9466235 100644 --- a/x-pack/plugins/security_solution/public/overview/components/host_overview/index.tsx +++ b/x-pack/plugins/security_solution/public/overview/components/host_overview/index.tsx @@ -86,15 +86,14 @@ export const HostOverview = React.memo<HostSummaryProps>( () => [ { title: i18n.HOST_ID, - description: - data && data.host - ? hostIdRenderer({ host: data.host, noLink: true }) - : getEmptyTagValue(), + description: data.host + ? hostIdRenderer({ host: data.host, noLink: true }) + : getEmptyTagValue(), }, { title: i18n.FIRST_SEEN, description: - data && data.host != null && data.host.name && data.host.name.length ? ( + data.host != null && data.host.name && data.host.name.length ? ( <FirstLastSeenHost docValueFields={docValueFields} hostName={data.host.name[0]} @@ -108,7 +107,7 @@ export const HostOverview = React.memo<HostSummaryProps>( { title: i18n.LAST_SEEN, description: - data && data.host != null && data.host.name && data.host.name.length ? ( + data.host != null && data.host.name && data.host.name.length ? ( <FirstLastSeenHost docValueFields={docValueFields} hostName={data.host.name[0]} @@ -222,7 +221,7 @@ export const HostOverview = React.memo<HostSummaryProps>( )} </OverviewWrapper> </InspectButtonContainer> - {data && data.endpoint != null ? ( + {data.endpoint != null ? ( <> <EuiHorizontalRule /> <OverviewWrapper direction={isInDetailsSidePanel ? 'column' : 'row'}> diff --git a/x-pack/plugins/security_solution/server/endpoint/mocks.ts b/x-pack/plugins/security_solution/server/endpoint/mocks.ts index 23ea6cc29c3d2..40d4b1a877b2b 100644 --- a/x-pack/plugins/security_solution/server/endpoint/mocks.ts +++ b/x-pack/plugins/security_solution/server/endpoint/mocks.ts @@ -5,8 +5,8 @@ * 2.0. */ -import { loggingSystemMock, savedObjectsServiceMock } from '../../../../../src/core/server/mocks'; -import { IScopedClusterClient, SavedObjectsClientContract } from '../../../../../src/core/server'; +import { ILegacyScopedClusterClient, SavedObjectsClientContract } from 'kibana/server'; +import { loggingSystemMock, savedObjectsServiceMock } from 'src/core/server/mocks'; import { listMock } from '../../../lists/server/mocks'; import { securityMock } from '../../../security/server/mocks'; import { alertsMock } from '../../../alerting/server/mocks'; @@ -131,11 +131,11 @@ export const createMockMetadataRequestContext = (): jest.Mocked<MetadataRequestC }; export function createRouteHandlerContext( - dataClient: jest.Mocked<IScopedClusterClient>, + dataClient: jest.Mocked<ILegacyScopedClusterClient>, savedObjectsClient: jest.Mocked<SavedObjectsClientContract> ) { - const context = (xpackMocks.createRequestHandlerContext() as unknown) as jest.Mocked<SecuritySolutionRequestHandlerContext>; - context.core.elasticsearch.client = dataClient; + const context = xpackMocks.createRequestHandlerContext(); + context.core.elasticsearch.legacy.client = dataClient; context.core.savedObjects.client = savedObjectsClient; return context; } diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/handlers.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/handlers.ts index 104383f398646..0d59ff2f4ed7b 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/handlers.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/handlers.ts @@ -6,18 +6,11 @@ */ import Boom from '@hapi/boom'; - +import type { Logger, RequestHandler } from 'kibana/server'; import { TypeOf } from '@kbn/config-schema'; -import { - IScopedClusterClient, - Logger, - RequestHandler, - SavedObjectsClientContract, -} from '../../../../../../../src/core/server'; import { HostInfo, HostMetadata, - HostMetaDataInfo, HostResultList, HostStatus, MetadataQueryStrategyVersions, @@ -34,11 +27,9 @@ import { findAgentIDsByStatus } from './support/agent_status'; import { EndpointAppContextService } from '../../endpoint_app_context_services'; export interface MetadataRequestContext { - esClient?: IScopedClusterClient; endpointAppContextService: EndpointAppContextService; logger: Logger; - requestHandlerContext?: SecuritySolutionRequestHandlerContext; - savedObjectsClient?: SavedObjectsClientContract; + requestHandlerContext: SecuritySolutionRequestHandlerContext; } const HOST_STATUS_MAPPING = new Map<AgentStatus, HostStatus>([ @@ -84,11 +75,9 @@ export const getMetadataListRequestHandler = function ( } const metadataRequestContext: MetadataRequestContext = { - esClient: context.core.elasticsearch.client, endpointAppContextService: endpointAppContext.service, logger, requestHandlerContext: context, - savedObjectsClient: context.core.savedObjects.client, }; const unenrolledAgentIds = await findAllUnenrolledAgentIds( @@ -121,10 +110,9 @@ export const getMetadataListRequestHandler = function ( } ); - const result = await context.core.elasticsearch.client.asCurrentUser.search<HostMetadata>( - queryParams + const hostListQueryResult = queryStrategy!.queryResponseToHostListResult( + await context.core.elasticsearch.legacy.client.callAsCurrentUser('search', queryParams) ); - const hostListQueryResult = queryStrategy!.queryResponseToHostListResult(result.body); return response.ok({ body: await mapToHostResultList(queryParams, hostListQueryResult, metadataRequestContext), }); @@ -148,11 +136,9 @@ export const getMetadataRequestHandler = function ( } const metadataRequestContext: MetadataRequestContext = { - esClient: context.core.elasticsearch.client, endpointAppContextService: endpointAppContext.service, logger, requestHandlerContext: context, - savedObjectsClient: context.core.savedObjects.client, }; try { @@ -178,86 +164,42 @@ export const getMetadataRequestHandler = function ( }; }; -export async function getHostMetaData( +export async function getHostData( metadataRequestContext: MetadataRequestContext, id: string, queryStrategyVersion?: MetadataQueryStrategyVersions -): Promise<HostMetaDataInfo | undefined> { - if ( - !metadataRequestContext.esClient && - !metadataRequestContext.requestHandlerContext?.core.elasticsearch.client - ) { - throw Boom.badRequest('esClient not found'); - } - - if ( - !metadataRequestContext.savedObjectsClient && - !metadataRequestContext.requestHandlerContext?.core.savedObjects - ) { - throw Boom.badRequest('savedObjectsClient not found'); - } - - const esClient = (metadataRequestContext?.esClient ?? - metadataRequestContext.requestHandlerContext?.core.elasticsearch - .client) as IScopedClusterClient; - - const esSavedObjectClient = - metadataRequestContext?.savedObjectsClient ?? - (metadataRequestContext.requestHandlerContext?.core.savedObjects - .client as SavedObjectsClientContract); - +): Promise<HostInfo | undefined> { const queryStrategy = await metadataRequestContext.endpointAppContextService ?.getMetadataService() - ?.queryStrategy(esSavedObjectClient, queryStrategyVersion); - const query = getESQueryHostMetadataByID(id, queryStrategy!); - - const response = await esClient.asCurrentUser.search<HostMetadata>(query); - - const hostResult = queryStrategy!.queryResponseToHostResult(response.body); + ?.queryStrategy( + metadataRequestContext.requestHandlerContext.core.savedObjects.client, + queryStrategyVersion + ); + const query = getESQueryHostMetadataByID(id, queryStrategy!); + const hostResult = queryStrategy!.queryResponseToHostResult( + await metadataRequestContext.requestHandlerContext.core.elasticsearch.legacy.client.callAsCurrentUser( + 'search', + query + ) + ); const hostMetadata = hostResult.result; if (!hostMetadata) { return undefined; } - return { metadata: hostMetadata, query_strategy_version: hostResult.queryStrategyVersion }; -} - -export async function getHostData( - metadataRequestContext: MetadataRequestContext, - id: string, - queryStrategyVersion?: MetadataQueryStrategyVersions -): Promise<HostInfo | undefined> { - if (!metadataRequestContext.savedObjectsClient) { - throw Boom.badRequest('savedObjectsClient not found'); - } - - if ( - !metadataRequestContext.esClient && - !metadataRequestContext.requestHandlerContext?.core.elasticsearch.client - ) { - throw Boom.badRequest('esClient not found'); - } - - const hostResult = await getHostMetaData(metadataRequestContext, id, queryStrategyVersion); - - if (!hostResult) { - return undefined; - } - - const agent = await findAgent(metadataRequestContext, hostResult.metadata); + const agent = await findAgent(metadataRequestContext, hostMetadata); if (agent && !agent.active) { throw Boom.badRequest('the requested endpoint is unenrolled'); } const metadata = await enrichHostMetadata( - hostResult.metadata, + hostMetadata, metadataRequestContext, - hostResult.query_strategy_version + hostResult.queryStrategyVersion ); - - return { ...metadata, query_strategy_version: hostResult.query_strategy_version }; + return { ...metadata, query_strategy_version: hostResult.queryStrategyVersion }; } async function findAgent( @@ -265,20 +207,12 @@ async function findAgent( hostMetadata: HostMetadata ): Promise<Agent | undefined> { try { - if ( - !metadataRequestContext.esClient && - !metadataRequestContext.requestHandlerContext?.core.elasticsearch.client - ) { - throw new Error('esClient not found'); - } - - const esClient = (metadataRequestContext?.esClient ?? - metadataRequestContext.requestHandlerContext?.core.elasticsearch - .client) as IScopedClusterClient; - return await metadataRequestContext.endpointAppContextService ?.getAgentService() - ?.getAgent(esClient.asCurrentUser, hostMetadata.elastic.agent.id); + ?.getAgent( + metadataRequestContext.requestHandlerContext.core.elasticsearch.client.asCurrentUser, + hostMetadata.elastic.agent.id + ); } catch (e) { if (e instanceof AgentNotFoundError) { metadataRequestContext.logger.warn( @@ -298,7 +232,7 @@ export async function mapToHostResultList( metadataRequestContext: MetadataRequestContext ): Promise<HostResultList> { const totalNumberOfHosts = hostListQueryResult.resultLength; - if ((hostListQueryResult.resultList?.length ?? 0) > 0) { + if (hostListQueryResult.resultList.length > 0) { return { request_page_size: queryParams.size, request_page_index: queryParams.from, @@ -333,35 +267,6 @@ export async function enrichHostMetadata( let hostStatus = HostStatus.UNHEALTHY; let elasticAgentId = hostMetadata?.elastic?.agent?.id; const log = metadataRequestContext.logger; - - try { - if ( - !metadataRequestContext.esClient && - !metadataRequestContext.requestHandlerContext?.core.elasticsearch.client - ) { - throw new Error('esClient not found'); - } - - if ( - !metadataRequestContext.savedObjectsClient && - !metadataRequestContext.requestHandlerContext?.core.savedObjects - ) { - throw new Error('esSavedObjectClient not found'); - } - } catch (e) { - log.error(e); - throw e; - } - - const esClient = (metadataRequestContext?.esClient ?? - metadataRequestContext.requestHandlerContext?.core.elasticsearch - .client) as IScopedClusterClient; - - const esSavedObjectClient = - metadataRequestContext?.savedObjectsClient ?? - (metadataRequestContext.requestHandlerContext?.core.savedObjects - .client as SavedObjectsClientContract); - try { /** * Get agent status by elastic agent id if available or use the endpoint-agent id. @@ -374,7 +279,10 @@ export async function enrichHostMetadata( const status = await metadataRequestContext.endpointAppContextService ?.getAgentService() - ?.getAgentStatusById(esClient.asCurrentUser, elasticAgentId); + ?.getAgentStatusById( + metadataRequestContext.requestHandlerContext.core.elasticsearch.client.asCurrentUser, + elasticAgentId + ); hostStatus = HOST_STATUS_MAPPING.get(status!) || HostStatus.UNHEALTHY; } catch (e) { if (e instanceof AgentNotFoundError) { @@ -389,10 +297,17 @@ export async function enrichHostMetadata( try { const agent = await metadataRequestContext.endpointAppContextService ?.getAgentService() - ?.getAgent(esClient.asCurrentUser, elasticAgentId); + ?.getAgent( + metadataRequestContext.requestHandlerContext.core.elasticsearch.client.asCurrentUser, + elasticAgentId + ); const agentPolicy = await metadataRequestContext.endpointAppContextService .getAgentPolicyService() - ?.get(esSavedObjectClient, agent?.policy_id!, true); + ?.get( + metadataRequestContext.requestHandlerContext.core.savedObjects.client, + agent?.policy_id!, + true + ); const endpointPolicy = ((agentPolicy?.package_policies || []) as PackagePolicy[]).find( (policy: PackagePolicy) => policy.package?.name === 'endpoint' ); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts index b916ec19da17f..f4698cbed6203 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts @@ -6,6 +6,8 @@ */ import { + ILegacyClusterClient, + ILegacyScopedClusterClient, KibanaResponseFactory, RequestHandler, RouteConfig, @@ -48,17 +50,12 @@ import { PackageService } from '../../../../../fleet/server/services'; import { metadataTransformPrefix } from '../../../../common/endpoint/constants'; import type { SecuritySolutionPluginRouter } from '../../../types'; import { PackagePolicyServiceInterface } from '../../../../../fleet/server'; -import { - ClusterClientMock, - ScopedClusterClientMock, - // eslint-disable-next-line @kbn/eslint/no-restricted-paths -} from '../../../../../../../src/core/server/elasticsearch/client/mocks'; describe('test endpoint route', () => { let routerMock: jest.Mocked<SecuritySolutionPluginRouter>; let mockResponse: jest.Mocked<KibanaResponseFactory>; - let mockClusterClient: ClusterClientMock; - let mockScopedClient: ScopedClusterClientMock; + let mockClusterClient: jest.Mocked<ILegacyClusterClient>; + let mockScopedClient: jest.Mocked<ILegacyScopedClusterClient>; let mockSavedObjectClient: jest.Mocked<SavedObjectsClientContract>; let mockPackageService: jest.Mocked<PackageService>; // eslint-disable-next-line @typescript-eslint/no-explicit-any @@ -79,8 +76,8 @@ describe('test endpoint route', () => { }; beforeEach(() => { - mockScopedClient = elasticsearchServiceMock.createScopedClusterClient(); - mockClusterClient = elasticsearchServiceMock.createClusterClient(); + mockScopedClient = elasticsearchServiceMock.createLegacyScopedClusterClient(); + mockClusterClient = elasticsearchServiceMock.createLegacyClusterClient() as jest.Mocked<ILegacyClusterClient>; mockSavedObjectClient = savedObjectsClientMock.create(); mockClusterClient.asScoped.mockReturnValue(mockScopedClient); routerMock = httpServiceMock.createRouter(); @@ -122,9 +119,7 @@ describe('test endpoint route', () => { it('test find the latest of all endpoints', async () => { const mockRequest = httpServerMock.createKibanaRequest({}); const response = createV1SearchResponse(new EndpointDocGenerator().generateHostMetadata()); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_ROUTE}`) )!; @@ -136,7 +131,7 @@ describe('test endpoint route', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -162,9 +157,7 @@ describe('test endpoint route', () => { mockAgentService.getAgent = jest.fn().mockReturnValue(({ active: true, } as unknown) as Agent); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.get.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_ROUTE}`) @@ -176,7 +169,7 @@ describe('test endpoint route', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -221,9 +214,7 @@ describe('test endpoint route', () => { it('test find the latest of all endpoints', async () => { const mockRequest = httpServerMock.createKibanaRequest({}); const response = createV2SearchResponse(new EndpointDocGenerator().generateHostMetadata()); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_ROUTE}`) )!; @@ -235,7 +226,7 @@ describe('test endpoint route', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -267,10 +258,8 @@ describe('test endpoint route', () => { mockAgentService.getAgentStatusById = jest.fn().mockReturnValue('error'); mockAgentService.listAgents = jest.fn().mockReturnValue(noUnenrolledAgent); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ - body: createV2SearchResponse(new EndpointDocGenerator().generateHostMetadata()), - }) + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => + Promise.resolve(createV2SearchResponse(new EndpointDocGenerator().generateHostMetadata())) ); [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_ROUTE}`) @@ -281,10 +270,10 @@ describe('test endpoint route', () => { mockRequest, mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect( - (mockScopedClient.asCurrentUser.search as jest.Mock).mock.calls[0][0]?.body?.query.bool - .must_not + mockScopedClient.callAsCurrentUser.mock.calls[0][1]?.body?.query.bool.must_not ).toContainEqual({ terms: { 'elastic.agent.id': [ @@ -326,10 +315,8 @@ describe('test endpoint route', () => { mockAgentService.getAgentStatusById = jest.fn().mockReturnValue('error'); mockAgentService.listAgents = jest.fn().mockReturnValue(noUnenrolledAgent); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ - body: createV2SearchResponse(new EndpointDocGenerator().generateHostMetadata()), - }) + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => + Promise.resolve(createV2SearchResponse(new EndpointDocGenerator().generateHostMetadata())) ); [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_ROUTE}`) @@ -341,10 +328,10 @@ describe('test endpoint route', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toBeCalled(); + expect(mockScopedClient.callAsCurrentUser).toBeCalled(); expect( // KQL filter to be passed through - (mockScopedClient.asCurrentUser.search as jest.Mock).mock.calls[0][0]?.body?.query.bool.must + mockScopedClient.callAsCurrentUser.mock.calls[0][1]?.body?.query.bool.must ).toContainEqual({ bool: { must_not: { @@ -362,7 +349,7 @@ describe('test endpoint route', () => { }, }); expect( - (mockScopedClient.asCurrentUser.search as jest.Mock).mock.calls[0][0]?.body?.query.bool.must + mockScopedClient.callAsCurrentUser.mock.calls[0][1]?.body?.query.bool.must ).toContainEqual({ bool: { must_not: [ @@ -406,8 +393,8 @@ describe('test endpoint route', () => { it('should return 404 on no results', async () => { const mockRequest = httpServerMock.createKibanaRequest({ params: { id: 'BADID' } }); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: createV2SearchResponse() }) + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => + Promise.resolve(createV2SearchResponse()) ); mockAgentService.getAgentStatusById = jest.fn().mockReturnValue('error'); @@ -424,7 +411,7 @@ describe('test endpoint route', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -444,9 +431,7 @@ describe('test endpoint route', () => { mockAgentService.getAgent = jest.fn().mockReturnValue(({ active: true, } as unknown) as Agent); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.get.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_ROUTE}`) @@ -458,7 +443,7 @@ describe('test endpoint route', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -485,9 +470,7 @@ describe('test endpoint route', () => { SavedObjectsErrorHelpers.createGenericNotFoundError(); }); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.get.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_ROUTE}`) @@ -499,7 +482,7 @@ describe('test endpoint route', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -520,9 +503,7 @@ describe('test endpoint route', () => { mockAgentService.getAgent = jest.fn().mockReturnValue(({ active: true, } as unknown) as Agent); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.get.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_ROUTE}`) @@ -534,7 +515,7 @@ describe('test endpoint route', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -550,9 +531,7 @@ describe('test endpoint route', () => { const mockRequest = httpServerMock.createKibanaRequest({ params: { id: response.hits.hits[0]._id }, }); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); mockAgentService.getAgent = jest.fn().mockReturnValue(({ active: false, } as unknown) as Agent); @@ -567,7 +546,7 @@ describe('test endpoint route', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(mockResponse.customError).toBeCalled(); }); }); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata_v1.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata_v1.test.ts index 0d56514e7d395..e3f859c26601e 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata_v1.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata_v1.test.ts @@ -6,17 +6,14 @@ */ import { + ILegacyClusterClient, + ILegacyScopedClusterClient, KibanaResponseFactory, RequestHandler, RouteConfig, SavedObjectsClientContract, - SavedObjectsErrorHelpers, -} from '../../../../../../../src/core/server'; -import { - ClusterClientMock, - ScopedClusterClientMock, - // eslint-disable-next-line @kbn/eslint/no-restricted-paths -} from '../../../../../../../src/core/server/elasticsearch/client/mocks'; +} from 'kibana/server'; +import { SavedObjectsErrorHelpers } from '../../../../../../../src/core/server/'; import { elasticsearchServiceMock, httpServerMock, @@ -52,8 +49,8 @@ import { PackagePolicyServiceInterface } from '../../../../../fleet/server'; describe('test endpoint route v1', () => { let routerMock: jest.Mocked<SecuritySolutionPluginRouter>; let mockResponse: jest.Mocked<KibanaResponseFactory>; - let mockClusterClient: ClusterClientMock; - let mockScopedClient: ScopedClusterClientMock; + let mockClusterClient: jest.Mocked<ILegacyClusterClient>; + let mockScopedClient: jest.Mocked<ILegacyScopedClusterClient>; let mockSavedObjectClient: jest.Mocked<SavedObjectsClientContract>; let mockPackageService: jest.Mocked<PackageService>; // eslint-disable-next-line @typescript-eslint/no-explicit-any @@ -74,8 +71,8 @@ describe('test endpoint route v1', () => { }; beforeEach(() => { - mockClusterClient = elasticsearchServiceMock.createClusterClient(); - mockScopedClient = elasticsearchServiceMock.createScopedClusterClient(); + mockClusterClient = elasticsearchServiceMock.createLegacyClusterClient() as jest.Mocked<ILegacyClusterClient>; + mockScopedClient = elasticsearchServiceMock.createLegacyScopedClusterClient(); mockSavedObjectClient = savedObjectsClientMock.create(); mockClusterClient.asScoped.mockReturnValue(mockScopedClient); routerMock = httpServiceMock.createRouter(); @@ -113,9 +110,7 @@ describe('test endpoint route v1', () => { it('test find the latest of all endpoints', async () => { const mockRequest = httpServerMock.createKibanaRequest({}); const response = createV1SearchResponse(new EndpointDocGenerator().generateHostMetadata()); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_V1_ROUTE}`) )!; @@ -127,7 +122,7 @@ describe('test endpoint route v1', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'] }); expect(mockResponse.ok).toBeCalled(); const endpointResultList = mockResponse.ok.mock.calls[0][0]?.body as HostResultList; @@ -156,10 +151,8 @@ describe('test endpoint route v1', () => { mockAgentService.getAgentStatusById = jest.fn().mockReturnValue('error'); mockAgentService.listAgents = jest.fn().mockReturnValue(noUnenrolledAgent); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ - body: createV1SearchResponse(new EndpointDocGenerator().generateHostMetadata()), - }) + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => + Promise.resolve(createV1SearchResponse(new EndpointDocGenerator().generateHostMetadata())) ); [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_V1_ROUTE}`) @@ -171,10 +164,9 @@ describe('test endpoint route v1', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect( - (mockScopedClient.asCurrentUser.search as jest.Mock).mock.calls[0][0]?.body?.query.bool - .must_not + mockScopedClient.callAsCurrentUser.mock.calls[0][1]?.body?.query.bool.must_not ).toContainEqual({ terms: { 'elastic.agent.id': [ @@ -213,10 +205,8 @@ describe('test endpoint route v1', () => { mockAgentService.getAgentStatusById = jest.fn().mockReturnValue('error'); mockAgentService.listAgents = jest.fn().mockReturnValue(noUnenrolledAgent); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ - body: createV1SearchResponse(new EndpointDocGenerator().generateHostMetadata()), - }) + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => + Promise.resolve(createV1SearchResponse(new EndpointDocGenerator().generateHostMetadata())) ); [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_V1_ROUTE}`) @@ -228,10 +218,10 @@ describe('test endpoint route v1', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toBeCalled(); + expect(mockScopedClient.callAsCurrentUser).toBeCalled(); // needs to have the KQL filter passed through expect( - (mockScopedClient.asCurrentUser.search as jest.Mock).mock.calls[0][0]?.body?.query.bool.must + mockScopedClient.callAsCurrentUser.mock.calls[0][1]?.body?.query.bool.must ).toContainEqual({ bool: { must_not: { @@ -250,7 +240,7 @@ describe('test endpoint route v1', () => { }); // and unenrolled should be filtered out. expect( - (mockScopedClient.asCurrentUser.search as jest.Mock).mock.calls[0][0]?.body?.query.bool.must + mockScopedClient.callAsCurrentUser.mock.calls[0][1]?.body?.query.bool.must ).toContainEqual({ bool: { must_not: [ @@ -291,8 +281,8 @@ describe('test endpoint route v1', () => { it('should return 404 on no results', async () => { const mockRequest = httpServerMock.createKibanaRequest({ params: { id: 'BADID' } }); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: createV1SearchResponse() }) + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => + Promise.resolve(createV1SearchResponse()) ); mockAgentService.getAgentStatusById = jest.fn().mockReturnValue('error'); @@ -309,7 +299,7 @@ describe('test endpoint route v1', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -329,9 +319,7 @@ describe('test endpoint route v1', () => { mockAgentService.getAgent = jest.fn().mockReturnValue(({ active: true, } as unknown) as Agent); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.get.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_V1_ROUTE}`) @@ -343,7 +331,7 @@ describe('test endpoint route v1', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -369,9 +357,7 @@ describe('test endpoint route v1', () => { SavedObjectsErrorHelpers.createGenericNotFoundError(); }); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.get.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_V1_ROUTE}`) @@ -383,7 +369,7 @@ describe('test endpoint route v1', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -404,9 +390,7 @@ describe('test endpoint route v1', () => { mockAgentService.getAgent = jest.fn().mockReturnValue(({ active: true, } as unknown) as Agent); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); [routeConfig, routeHandler] = routerMock.get.mock.calls.find(([{ path }]) => path.startsWith(`${METADATA_REQUEST_V1_ROUTE}`) @@ -418,7 +402,7 @@ describe('test endpoint route v1', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(routeConfig.options).toEqual({ authRequired: true, tags: ['access:securitySolution'], @@ -434,9 +418,7 @@ describe('test endpoint route v1', () => { const mockRequest = httpServerMock.createKibanaRequest({ params: { id: response.hits.hits[0]._id }, }); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); mockAgentService.getAgent = jest.fn().mockReturnValue(({ active: false, } as unknown) as Agent); @@ -451,7 +433,7 @@ describe('test endpoint route v1', () => { mockResponse ); - expect(mockScopedClient.asCurrentUser.search).toHaveBeenCalledTimes(1); + expect(mockScopedClient.callAsCurrentUser).toHaveBeenCalledTimes(1); expect(mockResponse.customError).toBeCalled(); }); }); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.test.ts index e790c1de1a5b8..5c09fd5ce05e4 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.test.ts @@ -12,7 +12,6 @@ import { createMockConfig } from '../../../lib/detection_engine/routes/__mocks__ import { metadataCurrentIndexPattern } from '../../../../common/endpoint/constants'; import { parseExperimentalConfigValue } from '../../../../common/experimental_features'; import { metadataQueryStrategyV2 } from './support/query_strategies'; -import { get } from 'lodash'; describe('query builder', () => { describe('MetadataListESQuery', () => { @@ -205,7 +204,7 @@ describe('query builder', () => { const mockID = 'AABBCCDD-0011-2233-AA44-DEADBEEF8899'; const query = getESQueryHostMetadataByID(mockID, metadataQueryStrategyV2()); - expect(get(query, 'body.query.bool.filter.0.bool.should')).toContainEqual({ + expect(query.body.query.bool.filter[0].bool.should).toContainEqual({ term: { 'agent.id': mockID }, }); }); @@ -214,7 +213,7 @@ describe('query builder', () => { const mockID = 'AABBCCDD-0011-2233-AA44-DEADBEEF8899'; const query = getESQueryHostMetadataByID(mockID, metadataQueryStrategyV2()); - expect(get(query, 'body.query.bool.filter.0.bool.should')).toContainEqual({ + expect(query.body.query.bool.filter[0].bool.should).toContainEqual({ term: { 'HostDetails.agent.id': mockID }, }); }); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.ts index 51e3495938606..a5259dd44cf2b 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.ts @@ -5,8 +5,7 @@ * 2.0. */ -import { SearchRequest, SortContainer } from '@elastic/elasticsearch/api/types'; -import { KibanaRequest } from '../../../../../../../src/core/server'; +import { KibanaRequest } from 'kibana/server'; import { esKuery } from '../../../../../../../src/plugins/data/server'; import { EndpointAppContext, MetadataQueryStrategy } from '../../types'; @@ -20,7 +19,7 @@ export interface QueryBuilderOptions { // using unmapped_type avoids errors when the given field doesn't exist, and sets to the 0-value for that type // effectively ignoring it // https://www.elastic.co/guide/en/elasticsearch/reference/current/sort-search-results.html#_ignoring_unmapped_fields -const MetadataSortMethod: SortContainer[] = [ +const MetadataSortMethod = [ { 'event.created': { order: 'desc', @@ -147,7 +146,7 @@ function buildQueryBody( export function getESQueryHostMetadataByID( agentID: string, metadataQueryStrategy: MetadataQueryStrategy -): SearchRequest { +) { return { body: { query: { diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders_v1.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders_v1.test.ts index c18c585cd3d34..9ce6130ff7dd3 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders_v1.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders_v1.test.ts @@ -12,7 +12,6 @@ import { createMockConfig } from '../../../lib/detection_engine/routes/__mocks__ import { metadataIndexPattern } from '../../../../common/endpoint/constants'; import { parseExperimentalConfigValue } from '../../../../common/experimental_features'; import { metadataQueryStrategyV1 } from './support/query_strategies'; -import { get } from 'lodash'; describe('query builder v1', () => { describe('MetadataListESQuery', () => { @@ -180,7 +179,7 @@ describe('query builder v1', () => { const mockID = 'AABBCCDD-0011-2233-AA44-DEADBEEF8899'; const query = getESQueryHostMetadataByID(mockID, metadataQueryStrategyV1()); - expect(get(query, 'body.query.bool.filter.0.bool.should')).toContainEqual({ + expect(query.body.query.bool.filter[0].bool.should).toContainEqual({ term: { 'agent.id': mockID }, }); }); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/support/query_strategies.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/support/query_strategies.ts index 506c02fc2f1ec..2f875ec2754a4 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/support/query_strategies.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/support/query_strategies.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { SearchResponse } from '@elastic/elasticsearch/api/types'; +import { SearchResponse } from 'elasticsearch'; import { metadataCurrentIndexPattern, metadataIndexPattern, @@ -13,6 +13,10 @@ import { import { HostMetadata, MetadataQueryStrategyVersions } from '../../../../../common/endpoint/types'; import { HostListQueryResult, HostQueryResult, MetadataQueryStrategy } from '../../../types'; +interface HitSource { + _source: HostMetadata; +} + export function metadataQueryStrategyV1(): MetadataQueryStrategy { return { index: metadataIndexPattern, @@ -38,13 +42,11 @@ export function metadataQueryStrategyV1(): MetadataQueryStrategy { ): HostListQueryResult => { const response = searchResponse as SearchResponse<HostMetadata>; return { - resultLength: - ((response?.aggregations?.total as unknown) as { value?: number; relation: string }) - ?.value || 0, + resultLength: response?.aggregations?.total?.value || 0, resultList: response.hits.hits - .map((hit) => hit.inner_hits?.most_recent.hits.hits) - .flatMap((data) => data) - .map((entry) => (entry?._source ?? {}) as HostMetadata), + .map((hit) => hit.inner_hits.most_recent.hits.hits) + .flatMap((data) => data as HitSource) + .map((entry) => entry._source), queryStrategyVersion: MetadataQueryStrategyVersions.VERSION_1, }; }, @@ -73,7 +75,7 @@ export function metadataQueryStrategyV2(): MetadataQueryStrategy { >; const list = response.hits.hits.length > 0 - ? response.hits.hits.map((entry) => stripHostDetails(entry?._source as HostMetadata)) + ? response.hits.hits.map((entry) => stripHostDetails(entry._source)) : []; return { @@ -93,7 +95,7 @@ export function metadataQueryStrategyV2(): MetadataQueryStrategy { resultLength: response.hits.hits.length, result: response.hits.hits.length > 0 - ? stripHostDetails(response.hits.hits[0]._source as HostMetadata) + ? stripHostDetails(response.hits.hits[0]._source) : undefined, queryStrategyVersion: MetadataQueryStrategyVersions.VERSION_2, }; diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/policy/handlers.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/policy/handlers.test.ts index c8b36a22b359a..ca9b8832bebd0 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/policy/handlers.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/policy/handlers.test.ts @@ -13,9 +13,10 @@ import { import { createMockAgentService } from '../../../../../fleet/server/mocks'; import { getHostPolicyResponseHandler, getAgentPolicySummaryHandler } from './handlers'; import { + ILegacyScopedClusterClient, KibanaResponseFactory, SavedObjectsClientContract, -} from '../../../../../../../src/core/server'; +} from 'kibana/server'; import { elasticsearchServiceMock, httpServerMock, @@ -29,19 +30,16 @@ import { parseExperimentalConfigValue } from '../../../../common/experimental_fe import { createMockConfig } from '../../../lib/detection_engine/routes/__mocks__'; import { Agent } from '../../../../../fleet/common/types/models'; import { AgentService } from '../../../../../fleet/server/services'; -import { get } from 'lodash'; -// eslint-disable-next-line @kbn/eslint/no-restricted-paths -import { ScopedClusterClientMock } from '../../../../../../../src/core/server/elasticsearch/client/mocks'; describe('test policy response handler', () => { let endpointAppContextService: EndpointAppContextService; - let mockScopedClient: ScopedClusterClientMock; + let mockScopedClient: jest.Mocked<ILegacyScopedClusterClient>; let mockSavedObjectClient: jest.Mocked<SavedObjectsClientContract>; let mockResponse: jest.Mocked<KibanaResponseFactory>; describe('test policy response handler', () => { beforeEach(() => { - mockScopedClient = elasticsearchServiceMock.createScopedClusterClient(); + mockScopedClient = elasticsearchServiceMock.createLegacyScopedClusterClient(); mockSavedObjectClient = savedObjectsClientMock.create(); mockResponse = httpServerMock.createResponseFactory(); endpointAppContextService = new EndpointAppContextService(); @@ -54,9 +52,7 @@ describe('test policy response handler', () => { const response = createSearchResponse(new EndpointDocGenerator().generatePolicyResponse()); const hostPolicyResponseHandler = getHostPolicyResponseHandler(); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: response }) - ); + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response)); const mockRequest = httpServerMock.createKibanaRequest({ params: { agentId: 'id' }, }); @@ -69,16 +65,14 @@ describe('test policy response handler', () => { expect(mockResponse.ok).toBeCalled(); const result = mockResponse.ok.mock.calls[0][0]?.body as GetHostPolicyResponse; - expect(result.policy_response.agent.id).toEqual( - get(response, 'hits.hits.0._source.agent.id') - ); + expect(result.policy_response.agent.id).toEqual(response.hits.hits[0]._source.agent.id); }); it('should return not found when there is no response policy for host', async () => { const hostPolicyResponseHandler = getHostPolicyResponseHandler(); - (mockScopedClient.asCurrentUser.search as jest.Mock).mockImplementationOnce(() => - Promise.resolve({ body: createSearchResponse() }) + mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => + Promise.resolve(createSearchResponse()) ); const mockRequest = httpServerMock.createKibanaRequest({ @@ -115,7 +109,7 @@ describe('test policy response handler', () => { }; beforeEach(() => { - mockScopedClient = elasticsearchServiceMock.createScopedClusterClient(); + mockScopedClient = elasticsearchServiceMock.createLegacyScopedClusterClient(); mockSavedObjectClient = savedObjectsClientMock.create(); mockResponse = httpServerMock.createResponseFactory(); endpointAppContextService = new EndpointAppContextService(); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/policy/handlers.ts b/x-pack/plugins/security_solution/server/endpoint/routes/policy/handlers.ts index 45b6201c47773..ec1fad80701b6 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/policy/handlers.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/policy/handlers.ts @@ -25,7 +25,7 @@ export const getHostPolicyResponseHandler = function (): RequestHandler< const doc = await getPolicyResponseByAgentId( policyIndexPattern, request.query.agentId, - context.core.elasticsearch.client + context.core.elasticsearch.legacy.client ); if (doc) { diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/policy/service.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/policy/service.test.ts index 8646a05900f80..8043eae20b30e 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/policy/service.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/policy/service.test.ts @@ -24,7 +24,7 @@ describe('test policy query', () => { it('queries for the correct host', async () => { const agentId = 'f757d3c0-e874-11ea-9ad9-015510b487f4'; const query = getESQueryPolicyResponseByAgentID(agentId, 'anyindex'); - expect(query.body?.query?.bool?.filter).toEqual({ term: { 'agent.id': agentId } }); + expect(query.body.query.bool.filter.term).toEqual({ 'agent.id': agentId }); }); it('filters out initial policy by ID', async () => { @@ -32,10 +32,8 @@ describe('test policy query', () => { 'f757d3c0-e874-11ea-9ad9-015510b487f4', 'anyindex' ); - expect(query.body?.query?.bool?.must_not).toEqual({ - term: { - 'Endpoint.policy.applied.id': '00000000-0000-0000-0000-000000000000', - }, + expect(query.body.query.bool.must_not.term).toEqual({ + 'Endpoint.policy.applied.id': '00000000-0000-0000-0000-000000000000', }); }); }); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/policy/service.ts b/x-pack/plugins/security_solution/server/endpoint/routes/policy/service.ts index 987bef15afe98..af5a885b78040 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/policy/service.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/policy/service.ts @@ -5,21 +5,18 @@ * 2.0. */ +import { SearchResponse } from 'elasticsearch'; import { ElasticsearchClient, - IScopedClusterClient, + ILegacyScopedClusterClient, SavedObjectsClientContract, -} from '../../../../../../../src/core/server'; +} from 'kibana/server'; import { GetHostPolicyResponse, HostPolicyResponse } from '../../../../common/endpoint/types'; import { INITIAL_POLICY_ID } from './index'; import { Agent } from '../../../../../fleet/common/types/models'; import { EndpointAppContext } from '../../types'; -import { ISearchRequestParams } from '../../../../../../../src/plugins/data/common'; -export const getESQueryPolicyResponseByAgentID = ( - agentID: string, - index: string -): ISearchRequestParams => { +export function getESQueryPolicyResponseByAgentID(agentID: string, index: string) { return { body: { query: { @@ -47,23 +44,26 @@ export const getESQueryPolicyResponseByAgentID = ( }, index, }; -}; +} export async function getPolicyResponseByAgentId( index: string, agentID: string, - dataClient: IScopedClusterClient + dataClient: ILegacyScopedClusterClient ): Promise<GetHostPolicyResponse | undefined> { const query = getESQueryPolicyResponseByAgentID(agentID, index); - const response = await dataClient.asCurrentUser.search<HostPolicyResponse>(query); + const response = (await dataClient.callAsCurrentUser( + 'search', + query + )) as SearchResponse<HostPolicyResponse>; - if (response.body.hits.hits.length > 0 && response.body.hits.hits[0]._source != null) { - return { - policy_response: response.body.hits.hits[0]._source, - }; + if (response.hits.hits.length === 0) { + return undefined; } - return undefined; + return { + policy_response: response.hits.hits[0]._source, + }; } const transformAgentVersionMap = (versionMap: Map<string, number>): { [key: string]: number } => { diff --git a/x-pack/plugins/security_solution/server/endpoint/types.ts b/x-pack/plugins/security_solution/server/endpoint/types.ts index b3c7e58afe991..8006bf20d4517 100644 --- a/x-pack/plugins/security_solution/server/endpoint/types.ts +++ b/x-pack/plugins/security_solution/server/endpoint/types.ts @@ -6,8 +6,7 @@ */ import { LoggerFactory } from 'kibana/server'; - -import { SearchResponse } from '@elastic/elasticsearch/api/types'; +import { SearchResponse } from 'elasticsearch'; import { ConfigType } from '../config'; import { EndpointAppContextService } from './endpoint_app_context_services'; import { JsonObject } from '../../../../../src/plugins/kibana_utils/common'; diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 158c2e94b2d7a..46467a21ca7ab 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -305,10 +305,7 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S compose(core, plugins, endpointContext); core.getStartServices().then(([_, depsStart]) => { - const securitySolutionSearchStrategy = securitySolutionSearchStrategyProvider( - depsStart.data, - endpointContext - ); + const securitySolutionSearchStrategy = securitySolutionSearchStrategyProvider(depsStart.data); const securitySolutionTimelineSearchStrategy = securitySolutionTimelineSearchStrategyProvider( depsStart.data ); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx index fa78a8d59803d..9e85eefe21e8a 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx @@ -58,6 +58,7 @@ export const authentications: SecuritySolutionFactory<HostsQueries.authenticatio dsl: [inspectStringifyObject(buildAuthenticationQuery(options))], }; const showMorePagesIndicator = totalCount > fakeTotalCount; + return { ...response, inspect, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/__mocks__/index.ts index 9dfff5e11715d..7561682e070fc 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/__mocks__/index.ts @@ -1370,20 +1370,6 @@ export const formattedSearchStrategyResponse = { terms: { field: 'cloud.region', size: 10, order: { timestamp: 'desc' } }, aggs: { timestamp: { max: { field: '@timestamp' } } }, }, - endpoint_id: { - filter: { - term: { - 'agent.type': 'endpoint', - }, - }, - aggs: { - value: { - terms: { - field: 'agent.id', - }, - }, - }, - }, }, query: { bool: { @@ -1427,20 +1413,6 @@ export const expectedDsl = { track_total_hits: false, body: { aggregations: { - endpoint_id: { - filter: { - term: { - 'agent.type': 'endpoint', - }, - }, - aggs: { - value: { - terms: { - field: 'agent.id', - }, - }, - }, - }, host_architecture: { terms: { field: 'host.architecture', diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts index 1b6e927f33638..a581370cb5720 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts @@ -7,23 +7,16 @@ import { set } from '@elastic/safer-lodash-set/fp'; import { get, has, head } from 'lodash/fp'; -import { - IScopedClusterClient, - SavedObjectsClientContract, -} from '../../../../../../../../../src/core/server'; import { hostFieldsMap } from '../../../../../../common/ecs/ecs_fields'; +import { toObjectArrayOfStrings } from '../../../../../../common/utils/to_array'; import { Direction } from '../../../../../../common/search_strategy/common'; import { AggregationRequest, - EndpointFields, HostAggEsItem, HostBuckets, HostItem, HostValue, } from '../../../../../../common/search_strategy/security_solution/hosts'; -import { toObjectArrayOfStrings } from '../../../../../../common/utils/to_array'; -import { getHostMetaData } from '../../../../../endpoint/routes/metadata/handlers'; -import { EndpointAppContext } from '../../../../../endpoint/types'; export const HOST_FIELDS = [ '_id', @@ -45,8 +38,6 @@ export const HOST_FIELDS = [ 'endpoint.endpointPolicy', 'endpoint.policyStatus', 'endpoint.sensorVersion', - 'agent.type', - 'endpoint.id', ]; export const buildFieldsTermAggregation = (esFields: readonly string[]): AggregationRequest => @@ -108,8 +99,8 @@ const getTermsAggregationTypeFromField = (field: string): AggregationRequest => }; }; -export const formatHostItem = (bucket: HostAggEsItem): HostItem => { - return HOST_FIELDS.reduce<HostItem>((flattenedFields, fieldName) => { +export const formatHostItem = (bucket: HostAggEsItem): HostItem => + HOST_FIELDS.reduce<HostItem>((flattenedFields, fieldName) => { const fieldValue = getHostFieldValue(fieldName, bucket); if (fieldValue != null) { if (fieldName === '_id') { @@ -123,13 +114,11 @@ export const formatHostItem = (bucket: HostAggEsItem): HostItem => { } return flattenedFields; }, {}); -}; const getHostFieldValue = (fieldName: string, bucket: HostAggEsItem): string | string[] | null => { const aggField = hostFieldsMap[fieldName] ? hostFieldsMap[fieldName].replace(/\./g, '_') : fieldName.replace(/\./g, '_'); - if ( [ 'host.ip', @@ -145,7 +134,10 @@ const getHostFieldValue = (fieldName: string, bucket: HostAggEsItem): string | s return data.buckets.map((obj) => obj.key); } else if (has(`${aggField}.buckets`, bucket)) { return getFirstItem(get(`${aggField}`, bucket)); - } else if (['host.name', 'host.os.name', 'host.os.version', 'endpoint.id'].includes(fieldName)) { + } else if (has(aggField, bucket)) { + const valueObj: HostValue = get(aggField, bucket); + return valueObj.value_as_string; + } else if (['host.name', 'host.os.name', 'host.os.version'].includes(fieldName)) { switch (fieldName) { case 'host.name': return get('key', bucket) || null; @@ -153,12 +145,7 @@ const getHostFieldValue = (fieldName: string, bucket: HostAggEsItem): string | s return get('os.hits.hits[0]._source.host.os.name', bucket) || null; case 'host.os.version': return get('os.hits.hits[0]._source.host.os.version', bucket) || null; - case 'endpoint.id': - return get('endpoint_id.value.buckets[0].key', bucket) || null; } - } else if (has(aggField, bucket)) { - const valueObj: HostValue = get(aggField, bucket); - return valueObj.value_as_string; } else if (aggField === '_id') { const hostName = get(`host_name`, bucket); return hostName ? getFirstItem(hostName) : null; @@ -173,42 +160,3 @@ const getFirstItem = (data: HostBuckets): string | null => { } return firstItem.key; }; - -export const getHostEndpoint = async ( - id: string | null, - deps: { - esClient: IScopedClusterClient; - savedObjectsClient: SavedObjectsClientContract; - endpointContext: EndpointAppContext; - } -): Promise<EndpointFields | null> => { - const { esClient, endpointContext, savedObjectsClient } = deps; - const logger = endpointContext.logFactory.get('metadata'); - try { - const agentService = endpointContext.service.getAgentService(); - if (agentService === undefined) { - throw new Error('agentService not available'); - } - const metadataRequestContext = { - esClient, - endpointAppContextService: endpointContext.service, - logger, - savedObjectsClient, - }; - const endpointData = - id != null && metadataRequestContext.endpointAppContextService.getAgentService() != null - ? await getHostMetaData(metadataRequestContext, id, undefined) - : null; - - return endpointData != null && endpointData.metadata - ? { - endpointPolicy: endpointData.metadata.Endpoint.policy.applied.name, - policyStatus: endpointData.metadata.Endpoint.policy.applied.status, - sensorVersion: endpointData.metadata.agent.version, - } - : null; - } catch (err) { - logger.warn(JSON.stringify(err, null, 2)); - return null; - } -}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.test.tsx b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.test.tsx index 4474b9f288570..244b826c7caeb 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.test.tsx +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.test.tsx @@ -12,32 +12,6 @@ import { mockSearchStrategyResponse, formattedSearchStrategyResponse, } from './__mocks__'; -import { - IScopedClusterClient, - SavedObjectsClientContract, -} from '../../../../../../../../../src/core/server'; -import { EndpointAppContext } from '../../../../../endpoint/types'; -import { EndpointAppContextService } from '../../../../../endpoint/endpoint_app_context_services'; - -const mockDeps = { - esClient: {} as IScopedClusterClient, - savedObjectsClient: {} as SavedObjectsClientContract, - endpointContext: { - logFactory: { - get: jest.fn().mockReturnValue({ - warn: jest.fn(), - }), - }, - config: jest.fn().mockResolvedValue({}), - experimentalFeatures: { - trustedAppsByPolicyEnabled: false, - metricsEntitiesEnabled: false, - eventFilteringEnabled: false, - hostIsolationEnabled: false, - }, - service: {} as EndpointAppContextService, - } as EndpointAppContext, -}; describe('hostDetails search strategy', () => { const buildHostDetailsQuery = jest.spyOn(buildQuery, 'buildHostDetailsQuery'); @@ -55,7 +29,7 @@ describe('hostDetails search strategy', () => { describe('parse', () => { test('should parse data correctly', async () => { - const result = await hostDetails.parse(mockOptions, mockSearchStrategyResponse, mockDeps); + const result = await hostDetails.parse(mockOptions, mockSearchStrategyResponse); expect(result).toMatchObject(formattedSearchStrategyResponse); }); }); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.ts index 562b7e4fbc167..5da64cc8f7a90 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/index.ts @@ -10,58 +10,28 @@ import { get } from 'lodash/fp'; import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common'; import { HostAggEsData, + HostAggEsItem, HostDetailsStrategyResponse, HostsQueries, HostDetailsRequestOptions, - EndpointFields, } from '../../../../../../common/search_strategy/security_solution/hosts'; import { inspectStringifyObject } from '../../../../../utils/build_query'; import { SecuritySolutionFactory } from '../../types'; import { buildHostDetailsQuery } from './query.host_details.dsl'; -import { formatHostItem, getHostEndpoint } from './helpers'; -import { EndpointAppContext } from '../../../../../endpoint/types'; -import { - IScopedClusterClient, - SavedObjectsClientContract, -} from '../../../../../../../../../src/core/server'; +import { formatHostItem } from './helpers'; export const hostDetails: SecuritySolutionFactory<HostsQueries.details> = { buildDsl: (options: HostDetailsRequestOptions) => buildHostDetailsQuery(options), parse: async ( options: HostDetailsRequestOptions, - response: IEsSearchResponse<HostAggEsData>, - deps?: { - esClient: IScopedClusterClient; - savedObjectsClient: SavedObjectsClientContract; - endpointContext: EndpointAppContext; - } + response: IEsSearchResponse<HostAggEsData> ): Promise<HostDetailsStrategyResponse> => { - const aggregations = get('aggregations', response.rawResponse); - + const aggregations: HostAggEsItem = get('aggregations', response.rawResponse) || {}; const inspect = { dsl: [inspectStringifyObject(buildHostDetailsQuery(options))], }; - - if (aggregations == null) { - return { ...response, inspect, hostDetails: {} }; - } - const formattedHostItem = formatHostItem(aggregations); - const ident = // endpoint-generated ID, NOT elastic-agent-id - formattedHostItem.endpoint && formattedHostItem.endpoint.id - ? Array.isArray(formattedHostItem.endpoint.id) - ? formattedHostItem.endpoint.id[0] - : formattedHostItem.endpoint.id - : null; - if (deps == null) { - return { ...response, inspect, hostDetails: { ...formattedHostItem } }; - } - const endpoint: EndpointFields | null = await getHostEndpoint(ident, deps); - return { - ...response, - inspect, - hostDetails: endpoint != null ? { ...formattedHostItem, endpoint } : formattedHostItem, - }; + return { ...response, inspect, hostDetails: formattedHostItem }; }, }; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/query.host_details.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/query.host_details.dsl.ts index 45afed2526aa3..fb8296d6593b0 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/query.host_details.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/query.host_details.dsl.ts @@ -16,10 +16,7 @@ export const buildHostDetailsQuery = ({ defaultIndex, timerange: { from, to }, }: HostDetailsRequestOptions): ISearchRequestParams => { - const esFields = reduceFields(HOST_FIELDS, { - ...hostFieldsMap, - ...cloudFieldsMap, - }); + const esFields = reduceFields(HOST_FIELDS, { ...hostFieldsMap, ...cloudFieldsMap }); const filter = [ { term: { 'host.name': hostName } }, @@ -42,20 +39,6 @@ export const buildHostDetailsQuery = ({ body: { aggregations: { ...buildFieldsTermAggregation(esFields.filter((field) => !['@timestamp'].includes(field))), - endpoint_id: { - filter: { - term: { - 'agent.type': 'endpoint', - }, - }, - aggs: { - value: { - terms: { - field: 'agent.id', - }, - }, - }, - }, }, query: { bool: { filter } }, size: 0, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/types.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/types.ts index 4bdf97b489805..3455b627144bf 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/types.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/types.ts @@ -5,10 +5,6 @@ * 2.0. */ -import { - IScopedClusterClient, - SavedObjectsClientContract, -} from '../../../../../../../src/core/server'; import { IEsSearchResponse, ISearchRequestParams, @@ -18,17 +14,11 @@ import { StrategyRequestType, StrategyResponseType, } from '../../../../common/search_strategy/security_solution'; -import { EndpointAppContext } from '../../../endpoint/types'; export interface SecuritySolutionFactory<T extends FactoryQueryTypes> { buildDsl: (options: StrategyRequestType<T>) => ISearchRequestParams; parse: ( options: StrategyRequestType<T>, - response: IEsSearchResponse, - deps?: { - esClient: IScopedClusterClient; - savedObjectsClient: SavedObjectsClientContract; - endpointContext: EndpointAppContext; - } + response: IEsSearchResponse ) => Promise<StrategyResponseType<T>>; } diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/index.ts index 0883a144615bc..2980f63df8a67 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/index.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/index.ts @@ -19,11 +19,9 @@ import { } from '../../../common/search_strategy/security_solution'; import { securitySolutionFactory } from './factory'; import { SecuritySolutionFactory } from './factory/types'; -import { EndpointAppContext } from '../../endpoint/types'; export const securitySolutionSearchStrategyProvider = <T extends FactoryQueryTypes>( - data: PluginStart, - endpointContext: EndpointAppContext + data: PluginStart ): ISearchStrategy<StrategyRequestType<T>, StrategyResponseType<T>> => { const es = data.search.getSearchStrategy(ENHANCED_ES_SEARCH_STRATEGY); @@ -44,13 +42,7 @@ export const securitySolutionSearchStrategyProvider = <T extends FactoryQueryTyp }, }; }), - mergeMap((esSearchRes) => - queryFactory.parse(request, esSearchRes, { - esClient: deps.esClient, - savedObjectsClient: deps.savedObjectsClient, - endpointContext, - }) - ) + mergeMap((esSearchRes) => queryFactory.parse(request, esSearchRes)) ); }, cancel: async (id, options, deps) => { From fcc2ac5799d48444bc8c30ef25c26f49b0b7e76d Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko <jo.naumenko@gmail.com> Date: Mon, 10 May 2021 15:24:42 -0700 Subject: [PATCH 06/11] Fixed alerting health check behavior when alerting cannot find its health task in Task Manager. (#99564) * Fixed alerting health check behavior when alerting cannot find its health task in Task Manager. * fixed test * added unit tests --- .../alerting/server/health/get_health.test.ts | 74 +++++++- .../alerting/server/health/get_health.ts | 15 +- .../alerting/server/health/get_state.test.ts | 166 ++++++++++++++++-- .../alerting/server/health/get_state.ts | 61 +++++-- x-pack/plugins/alerting/server/health/task.ts | 13 +- x-pack/plugins/alerting/server/plugin.ts | 9 +- 6 files changed, 290 insertions(+), 48 deletions(-) diff --git a/x-pack/plugins/alerting/server/health/get_health.test.ts b/x-pack/plugins/alerting/server/health/get_health.test.ts index 3c494dac6785b..c31a71138248b 100644 --- a/x-pack/plugins/alerting/server/health/get_health.test.ts +++ b/x-pack/plugins/alerting/server/health/get_health.test.ts @@ -5,9 +5,12 @@ * 2.0. */ -import { savedObjectsRepositoryMock } from '../../../../../src/core/server/mocks'; +import { + savedObjectsRepositoryMock, + savedObjectsServiceMock, +} from '../../../../../src/core/server/mocks'; import { AlertExecutionStatusErrorReasons, HealthStatus } from '../types'; -import { getHealth } from './get_health'; +import { getAlertingHealthStatus, getHealth } from './get_health'; const savedObjectsRepository = savedObjectsRepositoryMock.create(); @@ -221,3 +224,70 @@ describe('getHealth()', () => { }); }); }); + +describe('getAlertingHealthStatus()', () => { + test('return the proper framework state if some of alerts has a decryption error', async () => { + const savedObjects = savedObjectsServiceMock.createStartContract(); + const lastExecutionDateError = new Date().toISOString(); + savedObjectsRepository.find.mockResolvedValueOnce({ + total: 1, + per_page: 1, + page: 1, + saved_objects: [ + { + id: '1', + type: 'alert', + attributes: { + alertTypeId: 'myType', + schedule: { interval: '10s' }, + params: { + bar: true, + }, + createdAt: new Date().toISOString(), + actions: [ + { + group: 'default', + actionRef: 'action_0', + params: { + foo: true, + }, + }, + ], + executionStatus: { + status: 'error', + lastExecutionDate: lastExecutionDateError, + error: { + reason: AlertExecutionStatusErrorReasons.Decrypt, + message: 'Failed decrypt', + }, + }, + }, + score: 1, + references: [ + { + name: 'action_0', + type: 'action', + id: '1', + }, + ], + }, + ], + }); + savedObjectsRepository.find.mockResolvedValue({ + total: 0, + per_page: 10, + page: 1, + saved_objects: [], + }); + const result = await getAlertingHealthStatus( + { ...savedObjects, createInternalRepository: () => savedObjectsRepository }, + 1 + ); + expect(result).toStrictEqual({ + state: { + runs: 2, + health_status: HealthStatus.Warning, + }, + }); + }); +}); diff --git a/x-pack/plugins/alerting/server/health/get_health.ts b/x-pack/plugins/alerting/server/health/get_health.ts index f00e79a0d96ea..4a0266c9b729f 100644 --- a/x-pack/plugins/alerting/server/health/get_health.ts +++ b/x-pack/plugins/alerting/server/health/get_health.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ISavedObjectsRepository } from 'src/core/server'; +import { ISavedObjectsRepository, SavedObjectsServiceStart } from 'src/core/server'; import { AlertsHealth, HealthStatus, RawAlert, AlertExecutionStatusErrorReasons } from '../types'; export const getHealth = async ( @@ -97,3 +97,16 @@ export const getHealth = async ( return healthStatuses; }; + +export const getAlertingHealthStatus = async ( + savedObjects: SavedObjectsServiceStart, + stateRuns?: number +) => { + const alertingHealthStatus = await getHealth(savedObjects.createInternalRepository(['alert'])); + return { + state: { + runs: (stateRuns || 0) + 1, + health_status: alertingHealthStatus.decryptionHealth.status, + }, + }; +}; diff --git a/x-pack/plugins/alerting/server/health/get_state.test.ts b/x-pack/plugins/alerting/server/health/get_state.test.ts index 7b36bf34377f7..643d966d1fad0 100644 --- a/x-pack/plugins/alerting/server/health/get_state.test.ts +++ b/x-pack/plugins/alerting/server/health/get_state.test.ts @@ -14,6 +14,16 @@ import { } from './get_state'; import { ConcreteTaskInstance, TaskStatus } from '../../../task_manager/server'; import { HealthStatus } from '../types'; +import { loggingSystemMock, savedObjectsServiceMock } from 'src/core/server/mocks'; + +jest.mock('./get_health', () => ({ + getAlertingHealthStatus: jest.fn().mockReturnValue({ + state: { + runs: 0, + health_status: 'warn', + }, + }), +})); const tick = () => new Promise((resolve) => setImmediate(resolve)); @@ -38,6 +48,9 @@ const getHealthCheckTask = (overrides = {}): ConcreteTaskInstance => ({ ...overrides, }); +const logger = loggingSystemMock.create().get(); +const savedObjects = savedObjectsServiceMock.createStartContract(); + describe('getHealthServiceStatusWithRetryAndErrorHandling', () => { beforeEach(() => jest.useFakeTimers()); @@ -47,7 +60,21 @@ describe('getHealthServiceStatusWithRetryAndErrorHandling', () => { const pollInterval = 100; const halfInterval = Math.floor(pollInterval / 2); - getHealthStatusStream(mockTaskManager, pollInterval).subscribe(); + getHealthStatusStream( + mockTaskManager, + logger, + savedObjects, + Promise.resolve({ + healthCheck: { + interval: '5m', + }, + invalidateApiKeysTask: { + interval: '5m', + removalDelay: '1h', + }, + }), + pollInterval + ).subscribe(); // shouldn't fire before poll interval passes // should fire once each poll interval @@ -68,7 +95,22 @@ describe('getHealthServiceStatusWithRetryAndErrorHandling', () => { const pollInterval = 100; const halfInterval = Math.floor(pollInterval / 2); - getHealthStatusStream(mockTaskManager, pollInterval, retryDelay).subscribe(); + getHealthStatusStream( + mockTaskManager, + logger, + savedObjects, + Promise.resolve({ + healthCheck: { + interval: '5m', + }, + invalidateApiKeysTask: { + interval: '5m', + removalDelay: '1h', + }, + }), + pollInterval, + retryDelay + ).subscribe(); jest.advanceTimersByTime(halfInterval); expect(mockTaskManager.get).toHaveBeenCalledTimes(0); @@ -99,7 +141,18 @@ describe('getHealthServiceStatusWithRetryAndErrorHandling', () => { mockTaskManager.get.mockResolvedValue(getHealthCheckTask()); const status = await getHealthServiceStatusWithRetryAndErrorHandling( - mockTaskManager + mockTaskManager, + logger, + savedObjects, + Promise.resolve({ + healthCheck: { + interval: '5m', + }, + invalidateApiKeysTask: { + interval: '5m', + removalDelay: '1h', + }, + }) ).toPromise(); expect(status.level).toEqual(ServiceStatusLevels.available); @@ -118,7 +171,18 @@ describe('getHealthServiceStatusWithRetryAndErrorHandling', () => { ); const status = await getHealthServiceStatusWithRetryAndErrorHandling( - mockTaskManager + mockTaskManager, + logger, + savedObjects, + Promise.resolve({ + healthCheck: { + interval: '5m', + }, + invalidateApiKeysTask: { + interval: '5m', + removalDelay: '1h', + }, + }) ).toPromise(); expect(status.level).toEqual(ServiceStatusLevels.degraded); @@ -137,7 +201,18 @@ describe('getHealthServiceStatusWithRetryAndErrorHandling', () => { ); const status = await getHealthServiceStatusWithRetryAndErrorHandling( - mockTaskManager + mockTaskManager, + logger, + savedObjects, + Promise.resolve({ + healthCheck: { + interval: '5m', + }, + invalidateApiKeysTask: { + interval: '5m', + removalDelay: '1h', + }, + }) ).toPromise(); expect(status.level).toEqual(ServiceStatusLevels.unavailable); @@ -152,12 +227,25 @@ describe('getHealthServiceStatusWithRetryAndErrorHandling', () => { .mockRejectedValueOnce(new Error('Failure')) .mockResolvedValue(getHealthCheckTask()); - getHealthServiceStatusWithRetryAndErrorHandling(mockTaskManager, retryDelay).subscribe( - (status) => { - expect(status.level).toEqual(ServiceStatusLevels.available); - expect(status.summary).toEqual('Alerting framework is available'); - } - ); + getHealthServiceStatusWithRetryAndErrorHandling( + mockTaskManager, + logger, + savedObjects, + Promise.resolve({ + healthCheck: { + interval: '5m', + }, + invalidateApiKeysTask: { + interval: '5m', + removalDelay: '1h', + }, + }), + retryDelay + ).subscribe((status) => { + expect(status.level).toEqual(ServiceStatusLevels.available); + expect(logger.warn).toHaveBeenCalledTimes(1); + expect(status.summary).toEqual('Alerting framework is available'); + }); await tick(); jest.advanceTimersByTime(retryDelay * 2); @@ -169,13 +257,25 @@ describe('getHealthServiceStatusWithRetryAndErrorHandling', () => { const mockTaskManager = taskManagerMock.createStart(); mockTaskManager.get.mockRejectedValue(err); - getHealthServiceStatusWithRetryAndErrorHandling(mockTaskManager, retryDelay).subscribe( - (status) => { - expect(status.level).toEqual(ServiceStatusLevels.unavailable); - expect(status.summary).toEqual('Alerting framework is unavailable'); - expect(status.meta).toEqual({ error: err }); - } - ); + getHealthServiceStatusWithRetryAndErrorHandling( + mockTaskManager, + logger, + savedObjects, + Promise.resolve({ + healthCheck: { + interval: '5m', + }, + invalidateApiKeysTask: { + interval: '5m', + removalDelay: '1h', + }, + }), + retryDelay + ).subscribe((status) => { + expect(status.level).toEqual(ServiceStatusLevels.unavailable); + expect(status.summary).toEqual('Alerting framework is unavailable'); + expect(status.meta).toEqual({ error: err }); + }); for (let i = 0; i < MAX_RETRY_ATTEMPTS + 1; i++) { await tick(); @@ -183,4 +283,34 @@ describe('getHealthServiceStatusWithRetryAndErrorHandling', () => { } expect(mockTaskManager.get).toHaveBeenCalledTimes(MAX_RETRY_ATTEMPTS + 1); }); + + it('should schedule a new health check task if it does not exist without throwing an error', async () => { + const mockTaskManager = taskManagerMock.createStart(); + mockTaskManager.get.mockRejectedValue({ + output: { + statusCode: 404, + message: 'Not Found', + }, + }); + + const status = await getHealthServiceStatusWithRetryAndErrorHandling( + mockTaskManager, + logger, + savedObjects, + Promise.resolve({ + healthCheck: { + interval: '5m', + }, + invalidateApiKeysTask: { + interval: '5m', + removalDelay: '1h', + }, + }) + ).toPromise(); + + expect(mockTaskManager.ensureScheduled).toHaveBeenCalledTimes(1); + expect(status.level).toEqual(ServiceStatusLevels.degraded); + expect(status.summary).toEqual('Alerting framework is degraded'); + expect(status.meta).toBeUndefined(); + }); }); diff --git a/x-pack/plugins/alerting/server/health/get_state.ts b/x-pack/plugins/alerting/server/health/get_state.ts index 5bd80f2c6d29f..30099614ea42b 100644 --- a/x-pack/plugins/alerting/server/health/get_state.ts +++ b/x-pack/plugins/alerting/server/health/get_state.ts @@ -8,27 +8,38 @@ import { i18n } from '@kbn/i18n'; import { defer, of, interval, Observable, throwError, timer } from 'rxjs'; import { catchError, mergeMap, retryWhen, switchMap } from 'rxjs/operators'; -import { ServiceStatus, ServiceStatusLevels } from '../../../../../src/core/server'; +import { + Logger, + SavedObjectsServiceStart, + ServiceStatus, + ServiceStatusLevels, +} from '../../../../../src/core/server'; import { TaskManagerStartContract } from '../../../task_manager/server'; -import { HEALTH_TASK_ID } from './task'; +import { HEALTH_TASK_ID, scheduleAlertingHealthCheck } from './task'; import { HealthStatus } from '../types'; +import { getAlertingHealthStatus } from './get_health'; +import { AlertsConfig } from '../config'; export const MAX_RETRY_ATTEMPTS = 3; const HEALTH_STATUS_INTERVAL = 60000 * 5; // Five minutes const RETRY_DELAY = 5000; // Wait 5 seconds before retrying on errors -async function getLatestTaskState(taskManager: TaskManagerStartContract) { +async function getLatestTaskState( + taskManager: TaskManagerStartContract, + logger: Logger, + savedObjects: SavedObjectsServiceStart, + config: Promise<AlertsConfig> +) { try { - const result = await taskManager.get(HEALTH_TASK_ID); - return result; + return await taskManager.get(HEALTH_TASK_ID); } catch (err) { - const errMessage = err && err.message ? err.message : err.toString(); - if (!errMessage.includes('NotInitialized')) { - throw err; + // if task is not found + if (err?.output?.statusCode === 404) { + await scheduleAlertingHealthCheck(logger, config, taskManager); + return await getAlertingHealthStatus(savedObjects); } + throw err; } - - return null; } const LEVEL_SUMMARY = { @@ -53,13 +64,16 @@ const LEVEL_SUMMARY = { }; const getHealthServiceStatus = async ( - taskManager: TaskManagerStartContract + taskManager: TaskManagerStartContract, + logger: Logger, + savedObjects: SavedObjectsServiceStart, + config: Promise<AlertsConfig> ): Promise<ServiceStatus<unknown>> => { - const doc = await getLatestTaskState(taskManager); + const doc = await getLatestTaskState(taskManager, logger, savedObjects, config); const level = - doc?.state?.health_status === HealthStatus.OK + doc.state?.health_status === HealthStatus.OK ? ServiceStatusLevels.available - : doc?.state?.health_status === HealthStatus.Warning + : doc.state?.health_status === HealthStatus.Warning ? ServiceStatusLevels.degraded : ServiceStatusLevels.unavailable; return { @@ -70,9 +84,12 @@ const getHealthServiceStatus = async ( export const getHealthServiceStatusWithRetryAndErrorHandling = ( taskManager: TaskManagerStartContract, + logger: Logger, + savedObjects: SavedObjectsServiceStart, + config: Promise<AlertsConfig>, retryDelay?: number ): Observable<ServiceStatus<unknown>> => { - return defer(() => getHealthServiceStatus(taskManager)).pipe( + return defer(() => getHealthServiceStatus(taskManager, logger, savedObjects, config)).pipe( retryWhen((errors) => { return errors.pipe( mergeMap((error, i) => { @@ -85,6 +102,7 @@ export const getHealthServiceStatusWithRetryAndErrorHandling = ( ); }), catchError((error) => { + logger.warn(`Alerting framework is unavailable due to the error: ${error}`); return of({ level: ServiceStatusLevels.unavailable, summary: LEVEL_SUMMARY[ServiceStatusLevels.unavailable.toString()], @@ -96,9 +114,20 @@ export const getHealthServiceStatusWithRetryAndErrorHandling = ( export const getHealthStatusStream = ( taskManager: TaskManagerStartContract, + logger: Logger, + savedObjects: SavedObjectsServiceStart, + config: Promise<AlertsConfig>, healthStatusInterval?: number, retryDelay?: number ): Observable<ServiceStatus<unknown>> => interval(healthStatusInterval ?? HEALTH_STATUS_INTERVAL).pipe( - switchMap(() => getHealthServiceStatusWithRetryAndErrorHandling(taskManager, retryDelay)) + switchMap(() => + getHealthServiceStatusWithRetryAndErrorHandling( + taskManager, + logger, + savedObjects, + config, + retryDelay + ) + ) ); diff --git a/x-pack/plugins/alerting/server/health/task.ts b/x-pack/plugins/alerting/server/health/task.ts index a6f1237c43583..999e76fde696e 100644 --- a/x-pack/plugins/alerting/server/health/task.ts +++ b/x-pack/plugins/alerting/server/health/task.ts @@ -14,7 +14,7 @@ import { import { AlertsConfig } from '../config'; import { AlertingPluginsStart } from '../plugin'; import { HealthStatus } from '../types'; -import { getHealth } from './get_health'; +import { getAlertingHealthStatus } from './get_health'; export const HEALTH_TASK_TYPE = 'alerting_health_check'; @@ -71,15 +71,10 @@ export function healthCheckTaskRunner( return { async run() { try { - const alertingHealthStatus = await getHealth( - (await coreStartServices)[0].savedObjects.createInternalRepository(['alert']) + return await getAlertingHealthStatus( + (await coreStartServices)[0].savedObjects, + state.runs ); - return { - state: { - runs: (state.runs || 0) + 1, - health_status: alertingHealthStatus.decryptionHealth.status, - }, - }; } catch (errMsg) { logger.warn(`Error executing alerting health check task: ${errMsg}`); return { diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts index 1155cfa93337d..3d3b478c6480c 100644 --- a/x-pack/plugins/alerting/server/plugin.ts +++ b/x-pack/plugins/alerting/server/plugin.ts @@ -220,11 +220,16 @@ export class AlertingPlugin { this.config ); - core.getStartServices().then(async ([, startPlugins]) => { + core.getStartServices().then(async ([coreStart, startPlugins]) => { core.status.set( combineLatest([ core.status.derivedStatus$, - getHealthStatusStream(startPlugins.taskManager), + getHealthStatusStream( + startPlugins.taskManager, + this.logger, + coreStart.savedObjects, + this.config + ), ]).pipe( map(([derivedStatus, healthStatus]) => { if (healthStatus.level > derivedStatus.level) { From 0b5d323613c35b9159224b5b650c07ad99de1fed Mon Sep 17 00:00:00 2001 From: Scotty Bollinger <scotty.bollinger@elastic.co> Date: Mon, 10 May 2021 17:30:57 -0500 Subject: [PATCH 07/11] [Workplace Search] Fix bug with updating a role mapping (#99688) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `id` is not needed by the server as a body prop, as it’s inferred from the params. --- .../server/routes/workplace_search/role_mappings.ts | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/x-pack/plugins/enterprise_search/server/routes/workplace_search/role_mappings.ts b/x-pack/plugins/enterprise_search/server/routes/workplace_search/role_mappings.ts index 8c7792f56fd6c..5a6359c1cd836 100644 --- a/x-pack/plugins/enterprise_search/server/routes/workplace_search/role_mappings.ts +++ b/x-pack/plugins/enterprise_search/server/routes/workplace_search/role_mappings.ts @@ -66,10 +66,7 @@ export function registerOrgRoleMappingRoute({ { path: '/api/workplace_search/org/role_mappings/{id}', validate: { - body: schema.object({ - ...roleMappingBaseSchema, - id: schema.string(), - }), + body: schema.object(roleMappingBaseSchema), params: schema.object({ id: schema.string(), }), From b5380697ccb9c2463d6ad96d1fa8e01a313093e5 Mon Sep 17 00:00:00 2001 From: Zacqary Adam Xeper <Zacqary@users.noreply.github.com> Date: Mon, 10 May 2021 18:16:03 -0500 Subject: [PATCH 08/11] [Fleet] Add keep_enabled flag to preconfiguration to prevent disabling certain inputs (#99656) * [Fleet] Add keep_enabled flag to prevent disabling inputs * Remove console.log * Fix missing key definition --- x-pack/plugins/fleet/common/types/models/package_policy.ts | 2 ++ .../components/package_policy_input_panel.tsx | 1 + .../components/package_policy_input_stream.tsx | 1 + x-pack/plugins/fleet/server/services/package_policy.test.ts | 4 +++- x-pack/plugins/fleet/server/services/package_policy.ts | 2 ++ x-pack/plugins/fleet/server/services/preconfiguration.ts | 2 ++ x-pack/plugins/fleet/server/types/models/package_policy.ts | 2 ++ x-pack/plugins/fleet/server/types/models/preconfiguration.ts | 2 ++ 8 files changed, 15 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/fleet/common/types/models/package_policy.ts b/x-pack/plugins/fleet/common/types/models/package_policy.ts index f30cc0f87d05b..04362e6ff9402 100644 --- a/x-pack/plugins/fleet/common/types/models/package_policy.ts +++ b/x-pack/plugins/fleet/common/types/models/package_policy.ts @@ -21,6 +21,7 @@ export type PackagePolicyConfigRecord = Record<string, PackagePolicyConfigRecord export interface NewPackagePolicyInputStream { enabled: boolean; + keep_enabled?: boolean; data_stream: { dataset: string; type: string; @@ -37,6 +38,7 @@ export interface PackagePolicyInputStream extends NewPackagePolicyInputStream { export interface NewPackagePolicyInput { type: string; enabled: boolean; + keep_enabled?: boolean; vars?: PackagePolicyConfigRecord; config?: PackagePolicyConfigRecord; streams: NewPackagePolicyInputStream[]; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/package_policy_input_panel.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/package_policy_input_panel.tsx index 75d7a7549f721..bce48d3108aa7 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/package_policy_input_panel.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/package_policy_input_panel.tsx @@ -120,6 +120,7 @@ export const PackagePolicyInputPanel: React.FunctionComponent<{ </EuiFlexGroup> } checked={packagePolicyInput.enabled} + disabled={packagePolicyInput.keep_enabled} onChange={(e) => { const enabled = e.target.checked; updatePackagePolicyInput({ diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/package_policy_input_stream.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/package_policy_input_stream.tsx index 84f097813d484..5cc1fc4130256 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/package_policy_input_stream.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/package_policy_input_stream.tsx @@ -83,6 +83,7 @@ export const PackagePolicyInputStreamConfig: React.FunctionComponent<{ <EuiFlexItem grow={5}> <EuiSwitch label={packageInputStream.title} + disabled={packagePolicyInputStream.keep_enabled} checked={packagePolicyInputStream.enabled} onChange={(e) => { const enabled = e.target.checked; diff --git a/x-pack/plugins/fleet/server/services/package_policy.test.ts b/x-pack/plugins/fleet/server/services/package_policy.test.ts index 2516073793a8b..21241e6d5723f 100644 --- a/x-pack/plugins/fleet/server/services/package_policy.test.ts +++ b/x-pack/plugins/fleet/server/services/package_policy.test.ts @@ -390,6 +390,7 @@ describe('Package policy service', () => { { config: {}, enabled: true, + keep_enabled: true, type: 'endpoint', vars: { dog: { @@ -428,7 +429,7 @@ describe('Package policy service', () => { const inputsUpdate = [ { config: {}, - enabled: true, + enabled: false, type: 'endpoint', vars: { dog: { @@ -501,6 +502,7 @@ describe('Package policy service', () => { ); const [modifiedInput] = result.inputs; + expect(modifiedInput.enabled).toEqual(true); expect(modifiedInput.vars!.dog.value).toEqual('labrador'); expect(modifiedInput.vars!.cat.value).toEqual('siamese'); const [modifiedStream] = modifiedInput.streams; diff --git a/x-pack/plugins/fleet/server/services/package_policy.ts b/x-pack/plugins/fleet/server/services/package_policy.ts index 234fa4df51688..e4d34e551c95b 100644 --- a/x-pack/plugins/fleet/server/services/package_policy.ts +++ b/x-pack/plugins/fleet/server/services/package_policy.ts @@ -614,12 +614,14 @@ function enforceFrozenInputs(oldInputs: PackagePolicyInput[], newInputs: Package for (const input of resultInputs) { const oldInput = oldInputs.find((i) => i.type === input.type); + if (oldInput?.keep_enabled) input.enabled = oldInput.enabled; if (input.vars && oldInput?.vars) { input.vars = _enforceFrozenVars(oldInput.vars, input.vars); } if (input.streams && oldInput?.streams) { for (const stream of input.streams) { const oldStream = oldInput.streams.find((s) => s.id === stream.id); + if (oldStream?.keep_enabled) stream.enabled = oldStream.enabled; if (stream.vars && oldStream?.vars) { stream.vars = _enforceFrozenVars(oldStream.vars, stream.vars); } diff --git a/x-pack/plugins/fleet/server/services/preconfiguration.ts b/x-pack/plugins/fleet/server/services/preconfiguration.ts index 308abece9f4f5..a8be94ca61c0a 100644 --- a/x-pack/plugins/fleet/server/services/preconfiguration.ts +++ b/x-pack/plugins/fleet/server/services/preconfiguration.ts @@ -285,6 +285,8 @@ function overridePackageInputs( } if (typeof override.enabled !== 'undefined') originalInput.enabled = override.enabled; + if (typeof override.keep_enabled !== 'undefined') + originalInput.keep_enabled = override.keep_enabled; if (override.vars) { try { diff --git a/x-pack/plugins/fleet/server/types/models/package_policy.ts b/x-pack/plugins/fleet/server/types/models/package_policy.ts index 5a8fd70a9b84e..fa467a4185bd4 100644 --- a/x-pack/plugins/fleet/server/types/models/package_policy.ts +++ b/x-pack/plugins/fleet/server/types/models/package_policy.ts @@ -46,6 +46,7 @@ const PackagePolicyBaseSchema = { schema.object({ type: schema.string(), enabled: schema.boolean(), + keep_enabled: schema.maybe(schema.boolean()), vars: schema.maybe(ConfigRecordSchema), config: schema.maybe( schema.recordOf( @@ -60,6 +61,7 @@ const PackagePolicyBaseSchema = { schema.object({ id: schema.maybe(schema.string()), // BWC < 7.11 enabled: schema.boolean(), + keep_enabled: schema.maybe(schema.boolean()), data_stream: schema.object({ dataset: schema.string(), type: schema.string() }), vars: schema.maybe(ConfigRecordSchema), config: schema.maybe( diff --git a/x-pack/plugins/fleet/server/types/models/preconfiguration.ts b/x-pack/plugins/fleet/server/types/models/preconfiguration.ts index 5b871b80a6bbd..e988283c4aad9 100644 --- a/x-pack/plugins/fleet/server/types/models/preconfiguration.ts +++ b/x-pack/plugins/fleet/server/types/models/preconfiguration.ts @@ -67,6 +67,7 @@ export const PreconfiguredAgentPoliciesSchema = schema.arrayOf( schema.object({ type: schema.string(), enabled: schema.maybe(schema.boolean()), + keep_enabled: schema.maybe(schema.boolean()), vars: varsSchema, streams: schema.maybe( schema.arrayOf( @@ -76,6 +77,7 @@ export const PreconfiguredAgentPoliciesSchema = schema.arrayOf( dataset: schema.string(), }), enabled: schema.maybe(schema.boolean()), + keep_enabled: schema.maybe(schema.boolean()), vars: varsSchema, }) ) From b248472e82cd736a68170eca3d1d9e8115c2ee71 Mon Sep 17 00:00:00 2001 From: Nathan Reese <reese.nathan@gmail.com> Date: Mon, 10 May 2021 17:46:33 -0600 Subject: [PATCH 09/11] [Maps] show empty tooltips with actions on click (#99337) * [Maps] show tooltips with actions on click * clean up * call canShowTooltip in _getTooltipFeatures * move view into action * cleanup * i18n * add comment to clarify if statement * tslint * fix security tslint * fix jest tests * clean up Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../__stories__/MapTooltip.stories.tsx | 1 + .../common/descriptor_types/map_descriptor.ts | 12 ++ .../maps/public/actions/tooltip_actions.ts | 15 +- .../maps/public/classes/layers/layer.tsx | 5 - .../layers/vector_layer/vector_layer.tsx | 6 +- .../ems_file_source/ems_file_source.tsx | 2 +- .../es_geo_grid_source/es_geo_grid_source.tsx | 2 +- .../es_geo_line_source/es_geo_line_source.tsx | 2 +- .../es_pew_pew_source/es_pew_pew_source.js | 2 +- .../es_search_source/es_search_source.tsx | 2 +- .../geojson_file_source.ts | 2 +- .../kibana_regionmap_source.ts | 2 +- .../mvt_single_layer_vector_source.test.tsx | 6 +- .../mvt_single_layer_vector_source.tsx | 2 +- .../sources/table_source/table_source.ts | 2 +- .../sources/vector_source/vector_source.tsx | 4 +- .../features_tooltip/features_tooltip.tsx | 131 ++++----------- .../mb_map/features_tooltip/footer.test.tsx | 6 + .../mb_map/features_tooltip/index.ts | 9 ++ .../tooltip_control.test.js.snap | 30 +--- .../tooltip_popover.test.js.snap | 9 -- .../mb_map/tooltip_control/tooltip_control.js | 153 ++++++++++++++++-- .../tooltip_control/tooltip_control.test.js | 26 ++- .../mb_map/tooltip_control/tooltip_popover.js | 50 +----- .../map_tool_tip/map_tool_tip.test.tsx | 1 + .../translations/translations/ja-JP.json | 1 - .../translations/translations/zh-CN.json | 1 - 27 files changed, 247 insertions(+), 237 deletions(-) create mode 100644 x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/index.ts diff --git a/x-pack/plugins/apm/public/components/app/RumDashboard/VisitorBreakdownMap/__stories__/MapTooltip.stories.tsx b/x-pack/plugins/apm/public/components/app/RumDashboard/VisitorBreakdownMap/__stories__/MapTooltip.stories.tsx index b96fb42c3d1f4..1aad25fc89c0b 100644 --- a/x-pack/plugins/apm/public/components/app/RumDashboard/VisitorBreakdownMap/__stories__/MapTooltip.stories.tsx +++ b/x-pack/plugins/apm/public/components/app/RumDashboard/VisitorBreakdownMap/__stories__/MapTooltip.stories.tsx @@ -44,6 +44,7 @@ storiesOf('app/RumDashboard/VisitorsRegionMap', module) '__kbnjoin__count__3657625d-17b0-41ef-99ba-3a2b2938655c': 439145, '__kbnjoin__avg_of_transaction.duration.us__3657625d-17b0-41ef-99ba-3a2b2938655c': 2041665.6350131081, }, + actions: [], }, ]} /> diff --git a/x-pack/plugins/maps/common/descriptor_types/map_descriptor.ts b/x-pack/plugins/maps/common/descriptor_types/map_descriptor.ts index acb0d9329e065..0bb9c7cc6f02b 100644 --- a/x-pack/plugins/maps/common/descriptor_types/map_descriptor.ts +++ b/x-pack/plugins/maps/common/descriptor_types/map_descriptor.ts @@ -7,7 +7,9 @@ /* eslint-disable @typescript-eslint/consistent-type-definitions */ +import { ReactNode } from 'react'; import { GeoJsonProperties } from 'geojson'; +import { Geometry } from 'geojson'; import { Query } from '../../../../../src/plugins/data/common'; import { DRAW_TYPE, ES_GEO_FIELD_TYPE, ES_SPATIAL_RELATIONS } from '../constants'; @@ -41,10 +43,20 @@ export type Goto = { center?: MapCenterAndZoom; }; +export const GEOMETRY_FILTER_ACTION = 'GEOMETRY_FILTER_ACTION'; + +export type TooltipFeatureAction = { + label: string; + id: typeof GEOMETRY_FILTER_ACTION; + form: ReactNode; +}; + export type TooltipFeature = { id?: number | string; layerId: string; + geometry?: Geometry; mbProperties: GeoJsonProperties; + actions: TooltipFeatureAction[]; }; export type TooltipState = { diff --git a/x-pack/plugins/maps/public/actions/tooltip_actions.ts b/x-pack/plugins/maps/public/actions/tooltip_actions.ts index 365a906739991..c1b5f8190a73a 100644 --- a/x-pack/plugins/maps/public/actions/tooltip_actions.ts +++ b/x-pack/plugins/maps/public/actions/tooltip_actions.ts @@ -6,7 +6,6 @@ */ import _ from 'lodash'; -import uuid from 'uuid/v4'; import { Dispatch } from 'redux'; import { Feature } from 'geojson'; import { getOpenTooltips } from '../selectors/map_selectors'; @@ -36,11 +35,7 @@ export function openOnClickTooltip(tooltipState: TooltipState) { ); }); - openTooltips.push({ - ...tooltipState, - isLocked: true, - id: uuid(), - }); + openTooltips.push(tooltipState); dispatch({ type: SET_OPEN_TOOLTIPS, @@ -63,13 +58,7 @@ export function closeOnHoverTooltip() { export function openOnHoverTooltip(tooltipState: TooltipState) { return { type: SET_OPEN_TOOLTIPS, - openTooltips: [ - { - ...tooltipState, - isLocked: false, - id: uuid(), - }, - ], + openTooltips: [tooltipState], }; } diff --git a/x-pack/plugins/maps/public/classes/layers/layer.tsx b/x-pack/plugins/maps/public/classes/layers/layer.tsx index dee1a26efef42..4167ed4775219 100644 --- a/x-pack/plugins/maps/public/classes/layers/layer.tsx +++ b/x-pack/plugins/maps/public/classes/layers/layer.tsx @@ -77,7 +77,6 @@ export interface ILayer { getMbLayerIds(): string[]; ownsMbLayerId(mbLayerId: string): boolean; ownsMbSourceId(mbSourceId: string): boolean; - canShowTooltip(): boolean; syncLayerWithMB(mbMap: MbMap): void; getLayerTypeIconName(): string; isInitialDataLoadComplete(): boolean; @@ -452,10 +451,6 @@ export class AbstractLayer implements ILayer { throw new Error('Should implement AbstractLayer#ownsMbSourceId'); } - canShowTooltip() { - return false; - } - syncLayerWithMB(mbMap: MbMap) { throw new Error('Should implement AbstractLayer#syncLayerWithMB'); } diff --git a/x-pack/plugins/maps/public/classes/layers/vector_layer/vector_layer.tsx b/x-pack/plugins/maps/public/classes/layers/vector_layer/vector_layer.tsx index 104d0b56578d1..db781344eb6f8 100644 --- a/x-pack/plugins/maps/public/classes/layers/vector_layer/vector_layer.tsx +++ b/x-pack/plugins/maps/public/classes/layers/vector_layer/vector_layer.tsx @@ -88,6 +88,7 @@ export interface IVectorLayer extends ILayer { getFeatureById(id: string | number): Feature | null; getPropertiesForTooltip(properties: GeoJsonProperties): Promise<ITooltipProperty[]>; hasJoins(): boolean; + canShowTooltip(): boolean; } export class VectorLayer extends AbstractLayer implements IVectorLayer { @@ -1033,10 +1034,7 @@ export class VectorLayer extends AbstractLayer implements IVectorLayer { } canShowTooltip() { - return ( - this.isVisible() && - (this.getSource().canFormatFeatureProperties() || this.getJoins().length > 0) - ); + return this.getSource().hasTooltipProperties() || this.getJoins().length > 0; } getFeatureById(id: string | number) { diff --git a/x-pack/plugins/maps/public/classes/sources/ems_file_source/ems_file_source.tsx b/x-pack/plugins/maps/public/classes/sources/ems_file_source/ems_file_source.tsx index a61ae85c89ac6..209dc43f504d1 100644 --- a/x-pack/plugins/maps/public/classes/sources/ems_file_source/ems_file_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/ems_file_source/ems_file_source.tsx @@ -196,7 +196,7 @@ export class EMSFileSource extends AbstractVectorSource implements IEmsFileSourc return fields.map((f) => this.createField({ fieldName: f.name })); } - canFormatFeatureProperties() { + hasTooltipProperties() { return this._tooltipFields.length > 0; } diff --git a/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/es_geo_grid_source.tsx b/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/es_geo_grid_source.tsx index 7bca22df9b870..69ec0740948fc 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/es_geo_grid_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/es_geo_grid_source.tsx @@ -471,7 +471,7 @@ export class ESGeoGridSource extends AbstractESAggSource implements ITiledSingle } } - canFormatFeatureProperties(): boolean { + hasTooltipProperties(): boolean { return true; } diff --git a/x-pack/plugins/maps/public/classes/sources/es_geo_line_source/es_geo_line_source.tsx b/x-pack/plugins/maps/public/classes/sources/es_geo_line_source/es_geo_line_source.tsx index 9a1f23e055af1..460c1228e50a8 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_geo_line_source/es_geo_line_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_geo_line_source/es_geo_line_source.tsx @@ -359,7 +359,7 @@ export class ESGeoLineSource extends AbstractESAggSource { return true; } - canFormatFeatureProperties() { + hasTooltipProperties() { return true; } diff --git a/x-pack/plugins/maps/public/classes/sources/es_pew_pew_source/es_pew_pew_source.js b/x-pack/plugins/maps/public/classes/sources/es_pew_pew_source/es_pew_pew_source.js index 781cc7f8c36b0..7ed24b4805997 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_pew_pew_source/es_pew_pew_source.js +++ b/x-pack/plugins/maps/public/classes/sources/es_pew_pew_source/es_pew_pew_source.js @@ -226,7 +226,7 @@ export class ESPewPewSource extends AbstractESAggSource { return turfBboxToBounds(turfBbox(multiPoint(corners))); } - canFormatFeatureProperties() { + hasTooltipProperties() { return true; } } diff --git a/x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx b/x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx index 3de98fd545827..8a6e97bf2a1af 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx @@ -464,7 +464,7 @@ export class ESSearchSource extends AbstractESSource implements ITiledSingleLaye }; } - canFormatFeatureProperties(): boolean { + hasTooltipProperties(): boolean { return this._tooltipFields.length > 0; } diff --git a/x-pack/plugins/maps/public/classes/sources/geojson_file_source/geojson_file_source.ts b/x-pack/plugins/maps/public/classes/sources/geojson_file_source/geojson_file_source.ts index 363e19fdb1587..592c2f852f0e7 100644 --- a/x-pack/plugins/maps/public/classes/sources/geojson_file_source/geojson_file_source.ts +++ b/x-pack/plugins/maps/public/classes/sources/geojson_file_source/geojson_file_source.ts @@ -121,7 +121,7 @@ export class GeoJsonFileSource extends AbstractVectorSource { return (this._descriptor as GeojsonFileSourceDescriptor).name; } - canFormatFeatureProperties() { + hasTooltipProperties() { return true; } diff --git a/x-pack/plugins/maps/public/classes/sources/kibana_regionmap_source/kibana_regionmap_source.ts b/x-pack/plugins/maps/public/classes/sources/kibana_regionmap_source/kibana_regionmap_source.ts index 12e4b00c3c7b9..b0241876e5728 100644 --- a/x-pack/plugins/maps/public/classes/sources/kibana_regionmap_source/kibana_regionmap_source.ts +++ b/x-pack/plugins/maps/public/classes/sources/kibana_regionmap_source/kibana_regionmap_source.ts @@ -104,7 +104,7 @@ export class KibanaRegionmapSource extends AbstractVectorSource { return this._descriptor.name; } - canFormatFeatureProperties() { + hasTooltipProperties() { return true; } } diff --git a/x-pack/plugins/maps/public/classes/sources/mvt_single_layer_vector_source/mvt_single_layer_vector_source.test.tsx b/x-pack/plugins/maps/public/classes/sources/mvt_single_layer_vector_source/mvt_single_layer_vector_source.test.tsx index b65536c2307d8..b265c4883323e 100644 --- a/x-pack/plugins/maps/public/classes/sources/mvt_single_layer_vector_source/mvt_single_layer_vector_source.test.tsx +++ b/x-pack/plugins/maps/public/classes/sources/mvt_single_layer_vector_source/mvt_single_layer_vector_source.test.tsx @@ -30,10 +30,10 @@ describe('getUrlTemplateWithMeta', () => { }); }); -describe('canFormatFeatureProperties', () => { +describe('hasTooltipProperties', () => { it('false if no tooltips', async () => { const source = new MVTSingleLayerVectorSource(descriptor); - expect(source.canFormatFeatureProperties()).toEqual(false); + expect(source.hasTooltipProperties()).toEqual(false); }); it('true if tooltip', async () => { const descriptorWithTooltips = { @@ -42,7 +42,7 @@ describe('canFormatFeatureProperties', () => { tooltipProperties: ['foobar'], }; const source = new MVTSingleLayerVectorSource(descriptorWithTooltips); - expect(source.canFormatFeatureProperties()).toEqual(true); + expect(source.hasTooltipProperties()).toEqual(true); }); }); diff --git a/x-pack/plugins/maps/public/classes/sources/mvt_single_layer_vector_source/mvt_single_layer_vector_source.tsx b/x-pack/plugins/maps/public/classes/sources/mvt_single_layer_vector_source/mvt_single_layer_vector_source.tsx index 92b643643ba2a..692e1fd18efaf 100644 --- a/x-pack/plugins/maps/public/classes/sources/mvt_single_layer_vector_source/mvt_single_layer_vector_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/mvt_single_layer_vector_source/mvt_single_layer_vector_source.tsx @@ -169,7 +169,7 @@ export class MVTSingleLayerVectorSource return [VECTOR_SHAPE_TYPE.POINT, VECTOR_SHAPE_TYPE.LINE, VECTOR_SHAPE_TYPE.POLYGON]; } - canFormatFeatureProperties(): boolean { + hasTooltipProperties(): boolean { return !!this._tooltipFields.length; } diff --git a/x-pack/plugins/maps/public/classes/sources/table_source/table_source.ts b/x-pack/plugins/maps/public/classes/sources/table_source/table_source.ts index d4c7a7474c57c..372fb4983d7cc 100644 --- a/x-pack/plugins/maps/public/classes/sources/table_source/table_source.ts +++ b/x-pack/plugins/maps/public/classes/sources/table_source/table_source.ts @@ -143,7 +143,7 @@ export class TableSource extends AbstractVectorSource implements ITermJoinSource }); } - canFormatFeatureProperties(): boolean { + hasTooltipProperties(): boolean { return false; } diff --git a/x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx b/x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx index b28cd7365d69e..da5a236a20936 100644 --- a/x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx @@ -60,7 +60,7 @@ export interface IVectorSource extends ISource { getSyncMeta(): VectorSourceSyncMeta | null; getFieldNames(): string[]; createField({ fieldName }: { fieldName: string }): IField; - canFormatFeatureProperties(): boolean; + hasTooltipProperties(): boolean; getSupportedShapeTypes(): Promise<VECTOR_SHAPE_TYPE[]>; isBoundsAware(): boolean; getSourceTooltipContent(sourceDataRequest?: DataRequest): SourceTooltipConfig; @@ -115,7 +115,7 @@ export class AbstractVectorSource extends AbstractSource implements IVectorSourc throw new Error('Should implement VectorSource#getGeoJson'); } - canFormatFeatureProperties() { + hasTooltipProperties() { return false; } diff --git a/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/features_tooltip.tsx b/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/features_tooltip.tsx index 41a2b98ab4b28..f85b1c5de3619 100644 --- a/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/features_tooltip.tsx +++ b/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/features_tooltip.tsx @@ -8,26 +8,21 @@ import React, { Component, Fragment, ReactNode } from 'react'; import { EuiIcon, EuiLink } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { FormattedMessage } from '@kbn/i18n/react'; import { ActionExecutionContext, Action } from 'src/plugins/ui_actions/public'; import { GeoJsonProperties, Geometry } from 'geojson'; import { Filter } from 'src/plugins/data/public'; import { FeatureProperties } from './feature_properties'; -import { GEO_JSON_TYPE, ES_GEO_FIELD_TYPE, RawValue } from '../../../../common/constants'; -import { FeatureGeometryFilterForm } from './feature_geometry_filter_form'; +import { RawValue } from '../../../../common/constants'; import { Footer } from './footer'; import { Header } from './header'; -import { PreIndexedShape } from '../../../../common/elasticsearch_util'; -import { GeoFieldWithIndex } from '../../../components/geo_field_with_index'; -import { TooltipFeature } from '../../../../common/descriptor_types'; +import { GEOMETRY_FILTER_ACTION, TooltipFeature } from '../../../../common/descriptor_types'; import { ITooltipProperty } from '../../../classes/tooltips/tooltip_property'; import { ILayer } from '../../../classes/layers/layer'; -enum VIEWS { - PROPERTIES_VIEW = 'PROPERTIES_VIEW', - GEOMETRY_FILTER_VIEW = 'GEOMETRY_FILTER_VIEW', - FILTER_ACTIONS_VIEW = 'FILTER_ACTIONS_VIEW', -} +const PROPERTIES_VIEW = 'PROPERTIES_VIEW'; +const FILTER_ACTIONS_VIEW = 'FILTER_ACTIONS_VIEW'; + +type VIEWS = typeof PROPERTIES_VIEW | typeof FILTER_ACTIONS_VIEW | typeof GEOMETRY_FILTER_ACTION; interface Props { addFilters: ((filters: Filter[], actionId: string) => Promise<void>) | null; @@ -55,14 +50,6 @@ interface Props { }) => Geometry | null; getLayerName: (layerId: string) => Promise<string | null>; findLayerById: (layerId: string) => ILayer | undefined; - geoFields: GeoFieldWithIndex[]; - loadPreIndexedShape: ({ - layerId, - featureId, - }: { - layerId: string; - featureId?: string | number; - }) => Promise<PreIndexedShape | null>; } interface State { @@ -77,14 +64,14 @@ export class FeaturesTooltip extends Component<Props, State> { currentFeature: null, filterView: null, prevFeatures: [], - view: VIEWS.PROPERTIES_VIEW, + view: PROPERTIES_VIEW, }; static getDerivedStateFromProps(nextProps: Props, prevState: State) { if (nextProps.features !== prevState.prevFeatures) { return { currentFeature: nextProps.features ? nextProps.features[0] : null, - view: VIEWS.PROPERTIES_VIEW, + view: PROPERTIES_VIEW, prevFeatures: nextProps.features, }; } @@ -96,69 +83,37 @@ export class FeaturesTooltip extends Component<Props, State> { this.setState({ currentFeature: feature }); }; - _showGeometryFilterView = () => { - this.setState({ view: VIEWS.GEOMETRY_FILTER_VIEW }); - }; - _showPropertiesView = () => { - this.setState({ view: VIEWS.PROPERTIES_VIEW, filterView: null }); + this.setState({ view: PROPERTIES_VIEW, filterView: null }); }; _showFilterActionsView = (filterView: ReactNode) => { - this.setState({ view: VIEWS.FILTER_ACTIONS_VIEW, filterView }); + this.setState({ view: FILTER_ACTIONS_VIEW, filterView }); }; - _renderActions(geoFields: GeoFieldWithIndex[]) { - if (!this.props.isLocked || geoFields.length === 0) { - return null; - } - - return ( - <EuiLink className="mapFeatureTooltip_actionLinks" onClick={this._showGeometryFilterView}> - <FormattedMessage - id="xpack.maps.tooltip.showGeometryFilterViewLinkLabel" - defaultMessage="Filter by geometry" - /> - </EuiLink> - ); - } - - _filterGeoFields(featureGeometry: Geometry | null) { - if (!featureGeometry) { - return []; - } - - // line geometry can only create filters for geo_shape fields. + _renderActions() { if ( - featureGeometry.type === GEO_JSON_TYPE.LINE_STRING || - featureGeometry.type === GEO_JSON_TYPE.MULTI_LINE_STRING + !this.props.isLocked || + !this.state.currentFeature || + this.state.currentFeature.actions.length === 0 ) { - return this.props.geoFields.filter(({ geoFieldType }) => { - return geoFieldType === ES_GEO_FIELD_TYPE.GEO_SHAPE; - }); - } - - // TODO support geo distance filters for points - if ( - featureGeometry.type === GEO_JSON_TYPE.POINT || - featureGeometry.type === GEO_JSON_TYPE.MULTI_POINT - ) { - return []; - } - - return this.props.geoFields; - } - - _loadCurrentFeaturePreIndexedShape = async () => { - if (!this.state.currentFeature) { return null; } - return this.props.loadPreIndexedShape({ - layerId: this.state.currentFeature.layerId, - featureId: this.state.currentFeature.id, + return this.state.currentFeature.actions.map((action) => { + return ( + <EuiLink + className="mapFeatureTooltip_actionLinks" + onClick={() => { + this.setState({ view: action.id }); + }} + key={action.id} + > + {action.label} + </EuiLink> + ); }); - }; + } _renderBackButton(label: string) { return ( @@ -181,38 +136,20 @@ export class FeaturesTooltip extends Component<Props, State> { return null; } - const currentFeatureGeometry = this.props.loadFeatureGeometry({ - layerId: this.state.currentFeature.layerId, - featureId: this.state.currentFeature.id, + const action = this.state.currentFeature.actions.find(({ id }) => { + return id === this.state.view; }); - const geoFields = this._filterGeoFields(currentFeatureGeometry); - if ( - this.state.view === VIEWS.GEOMETRY_FILTER_VIEW && - currentFeatureGeometry && - this.props.addFilters - ) { + if (action) { return ( <Fragment> - {this._renderBackButton( - i18n.translate('xpack.maps.tooltip.showGeometryFilterViewLinkLabel', { - defaultMessage: 'Filter by geometry', - }) - )} - <FeatureGeometryFilterForm - onClose={this.props.closeTooltip} - geometry={currentFeatureGeometry} - geoFields={geoFields} - addFilters={this.props.addFilters} - getFilterActions={this.props.getFilterActions} - getActionContext={this.props.getActionContext} - loadPreIndexedShape={this._loadCurrentFeaturePreIndexedShape} - /> + {this._renderBackButton(action.label)} + {action.form} </Fragment> ); } - if (this.state.view === VIEWS.FILTER_ACTIONS_VIEW) { + if (this.state.view === FILTER_ACTIONS_VIEW) { return ( <Fragment> {this._renderBackButton( @@ -247,7 +184,7 @@ export class FeaturesTooltip extends Component<Props, State> { onSingleValueTrigger={this.props.onSingleValueTrigger} showFilterActions={this._showFilterActionsView} /> - {this._renderActions(geoFields)} + {this._renderActions()} <Footer features={this.props.features} isLocked={this.props.isLocked} diff --git a/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/footer.test.tsx b/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/footer.test.tsx index f8e60c7e6cf97..96ecba4fa0243 100644 --- a/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/footer.test.tsx +++ b/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/footer.test.tsx @@ -32,6 +32,7 @@ describe('Footer', () => { id: 'feature1', layerId: 'layer1', mbProperties: {}, + actions: [], }, ]; describe('mouseover (unlocked)', () => { @@ -54,11 +55,13 @@ describe('Footer', () => { id: 'feature1', layerId: 'layer1', mbProperties: {}, + actions: [], }, { id: 'feature2', layerId: 'layer1', mbProperties: {}, + actions: [], }, ]; describe('mouseover (unlocked)', () => { @@ -97,16 +100,19 @@ describe('Footer', () => { id: 'feature1', layerId: 'layer1', mbProperties: {}, + actions: [], }, { id: 'feature2', layerId: 'layer1', mbProperties: {}, + actions: [], }, { id: 'feature1', layerId: 'layer2', mbProperties: {}, + actions: [], }, ]; describe('mouseover (unlocked)', () => { diff --git a/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/index.ts b/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/index.ts new file mode 100644 index 0000000000000..a6909dd43d42d --- /dev/null +++ b/x-pack/plugins/maps/public/connected_components/mb_map/features_tooltip/index.ts @@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { FeatureGeometryFilterForm } from './feature_geometry_filter_form'; +export { FeaturesTooltip } from './features_tooltip'; diff --git a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/__snapshots__/tooltip_control.test.js.snap b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/__snapshots__/tooltip_control.test.js.snap index cffa441d04ff5..030de04987ede 100644 --- a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/__snapshots__/tooltip_control.test.js.snap +++ b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/__snapshots__/tooltip_control.test.js.snap @@ -15,23 +15,10 @@ exports[`TooltipControl render should render hover tooltip 1`] = ` }, ] } - geoFields={ - Array [ - Object {}, - ] - } + findLayerById={[Function]} index={0} isLocked={false} key="1" - layerList={ - Array [ - Object { - "canShowTooltip": [Function], - "getId": [Function], - "getMbLayerIds": [Function], - }, - ] - } location={ Array [ -120, @@ -62,23 +49,10 @@ exports[`TooltipControl render should render locked tooltip 1`] = ` }, ] } - geoFields={ - Array [ - Object {}, - ] - } + findLayerById={[Function]} index={0} isLocked={true} key="2" - layerList={ - Array [ - Object { - "canShowTooltip": [Function], - "getId": [Function], - "getMbLayerIds": [Function], - }, - ] - } location={ Array [ -120, diff --git a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/__snapshots__/tooltip_popover.test.js.snap b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/__snapshots__/tooltip_popover.test.js.snap index a0ed4496c8281..3887d44bb5e72 100644 --- a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/__snapshots__/tooltip_popover.test.js.snap +++ b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/__snapshots__/tooltip_popover.test.js.snap @@ -48,17 +48,9 @@ exports[`TooltipPopover render should render tooltip popover 1`] = ` }, ] } - findLayerById={[Function]} - geoFields={ - Array [ - Object {}, - ] - } getLayerName={[Function]} isLocked={false} - loadFeatureGeometry={[Function]} loadFeatureProperties={[Function]} - loadPreIndexedShape={[Function]} /> </EuiText> </EuiPopover> @@ -106,7 +98,6 @@ exports[`TooltipPopover render should render tooltip popover with custom tooltip } getLayerName={[Function]} isLocked={false} - loadFeatureGeometry={[Function]} loadFeatureProperties={[Function]} > Custom tooltip content diff --git a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_control.js b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_control.js index 85c4fb2bca794..2c8ac1554903a 100644 --- a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_control.js +++ b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_control.js @@ -7,8 +7,17 @@ import _ from 'lodash'; import React from 'react'; -import { FEATURE_ID_PROPERTY_NAME, LON_INDEX } from '../../../../common/constants'; +import { i18n } from '@kbn/i18n'; +import uuid from 'uuid/v4'; +import { + ES_GEO_FIELD_TYPE, + FEATURE_ID_PROPERTY_NAME, + GEO_JSON_TYPE, + LON_INDEX, +} from '../../../../common/constants'; +import { GEOMETRY_FILTER_ACTION } from '../../../../common/descriptor_types'; import { TooltipPopover } from './tooltip_popover'; +import { FeatureGeometryFilterForm } from '../features_tooltip'; import { EXCLUDE_TOO_MANY_FEATURES_BOX } from '../../../classes/util/mb_filter_expressions'; function justifyAnchorLocation(mbLngLat, targetFeature) { @@ -48,6 +57,28 @@ export class TooltipControl extends React.Component { } }; + _findLayerById = (layerId) => { + return this.props.layerList.find((layer) => { + return layer.getId() === layerId; + }); + }; + + // Must load original geometry instead of using geometry from mapbox feature. + // Mapbox feature geometry is from vector tile and is not the same as the original geometry. + _getFeatureGeometry = ({ layerId, featureId }) => { + const tooltipLayer = this._findLayerById(layerId); + if (!tooltipLayer || featureId === undefined) { + return null; + } + + const targetFeature = tooltipLayer.getFeatureById(featureId); + if (!targetFeature) { + return null; + } + + return targetFeature.geometry; + }; + _getLayerByMbLayerId(mbLayerId) { return this.props.layerList.find((layer) => { const mbLayerIds = layer.getMbLayerIds(); @@ -55,7 +86,76 @@ export class TooltipControl extends React.Component { }); } - _getTooltipFeatures(mbFeatures) { + _loadPreIndexedShape = async ({ layerId, featureId }) => { + const tooltipLayer = this._findLayerById(layerId); + if (!tooltipLayer || typeof featureId === 'undefined') { + return null; + } + + const targetFeature = tooltipLayer.getFeatureById(featureId); + if (!targetFeature) { + return null; + } + + return await tooltipLayer.getSource().getPreIndexedShape(targetFeature.properties); + }; + + _getFeatureActions({ layerId, featureId, tooltipId }) { + const actions = []; + + const geometry = this._getFeatureGeometry({ layerId, featureId }); + const geoFieldsForFeature = this._filterGeoFieldsByFeatureGeometry(geometry); + if (geoFieldsForFeature.length && this.props.addFilters) { + actions.push({ + label: i18n.translate('xpack.maps.tooltip.action.filterByGeometryLabel', { + defaultMessage: 'Filter by geometry', + }), + id: GEOMETRY_FILTER_ACTION, + form: ( + <FeatureGeometryFilterForm + onClose={() => { + this.props.closeOnClickTooltip(tooltipId); + }} + geometry={geometry} + geoFields={geoFieldsForFeature} + addFilters={this.props.addFilters} + getFilterActions={this.props.getFilterActions} + getActionContext={this.props.getActionContext} + loadPreIndexedShape={async () => { + return this._loadPreIndexedShape({ layerId, featureId }); + }} + /> + ), + }); + } + + return actions; + } + + _filterGeoFieldsByFeatureGeometry(geometry) { + if (!geometry) { + return []; + } + + // line geometry can only create filters for geo_shape fields. + if ( + geometry.type === GEO_JSON_TYPE.LINE_STRING || + geometry.type === GEO_JSON_TYPE.MULTI_LINE_STRING + ) { + return this.props.geoFields.filter(({ geoFieldType }) => { + return geoFieldType === ES_GEO_FIELD_TYPE.GEO_SHAPE; + }); + } + + // TODO support geo distance filters for points + if (geometry.type === GEO_JSON_TYPE.POINT || geometry.type === GEO_JSON_TYPE.MULTI_POINT) { + return []; + } + + return this.props.geoFields; + } + + _getTooltipFeatures(mbFeatures, isLocked, tooltipId) { const uniqueFeatures = []; //there may be duplicates in the results from mapbox //this is because mapbox returns the results per tile @@ -81,12 +181,18 @@ export class TooltipControl extends React.Component { // - As empty object literal // To avoid ambiguity, normalize properties to empty object literal. const mbProperties = mbFeature.properties ? mbFeature.properties : {}; - //This keeps track of first properties (assuming these will be identical for features in different tiles) - uniqueFeatures.push({ - id: featureId, - layerId: layerId, - mbProperties, - }); + const actions = isLocked ? this._getFeatureActions({ layerId, featureId, tooltipId }) : []; + + const hasActions = isLocked && actions.length; + if (hasActions || layer.canShowTooltip()) { + //This keeps track of first feature (assuming these will be identical for features in different tiles) + uniqueFeatures.push({ + id: featureId, + layerId: layerId, + mbProperties, + actions, + }); + } } } return uniqueFeatures; @@ -109,10 +215,17 @@ export class TooltipControl extends React.Component { const targetMbFeataure = mbFeatures[0]; const popupAnchorLocation = justifyAnchorLocation(e.lngLat, targetMbFeataure); - const features = this._getTooltipFeatures(mbFeatures); + const isLocked = true; + const tooltipId = uuid(); + const features = this._getTooltipFeatures(mbFeatures, isLocked, tooltipId); + if (features.length === 0) { + return; + } this.props.openOnClickTooltip({ features, location: popupAnchorLocation, + isLocked, + id: tooltipId, }); }; @@ -129,25 +242,36 @@ export class TooltipControl extends React.Component { } const targetMbFeature = mbFeatures[0]; - if (this.props.openTooltips[0]) { + if (this.props.openTooltips[0] && this.props.openTooltips[0].features.length) { const firstFeature = this.props.openTooltips[0].features[0]; if (targetMbFeature.properties[FEATURE_ID_PROPERTY_NAME] === firstFeature.id) { // ignore hover events when hover tooltip is all ready opened for feature return; } } - const popupAnchorLocation = justifyAnchorLocation(e.lngLat, targetMbFeature); - const features = this._getTooltipFeatures(mbFeatures); + + const isLocked = false; + const tooltipId = uuid(); + const features = this._getTooltipFeatures(mbFeatures, isLocked, tooltipId); + if (features.length === 0) { + return; + } this.props.openOnHoverTooltip({ features: features, location: popupAnchorLocation, + isLocked, + id: tooltipId, }); }, 100); _getMbLayerIdsForTooltips() { const mbLayerIds = this.props.layerList.reduce((mbLayerIds, layer) => { - return layer.canShowTooltip() ? mbLayerIds.concat(layer.getMbLayerIds()) : mbLayerIds; + // tooltips are only supported for vector layers, filter out all other layer types + const isVectorLayer = layer.canShowTooltip !== undefined; + return layer.isVisible() && isVectorLayer + ? mbLayerIds.concat(layer.getMbLayerIds()) + : mbLayerIds; }, []); //Ensure that all layers are actually on the map. @@ -198,13 +322,12 @@ export class TooltipControl extends React.Component { <TooltipPopover key={id} mbMap={this.props.mbMap} - layerList={this.props.layerList} + findLayerById={this._findLayerById} addFilters={this.props.addFilters} getFilterActions={this.props.getFilterActions} getActionContext={this.props.getActionContext} onSingleValueTrigger={this.props.onSingleValueTrigger} renderTooltipContent={this.props.renderTooltipContent} - geoFields={this.props.geoFields} features={features} location={location} closeTooltip={closeTooltip} diff --git a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_control.test.js b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_control.test.js index 5d7b078ed9674..e33d83e2837fe 100644 --- a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_control.test.js +++ b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_control.test.js @@ -28,9 +28,28 @@ const mockLayer = { getId: () => { return layerId; }, + isVisible: () => { + return true; + }, canShowTooltip: () => { return true; }, + getFeatureById: () => { + return { + geometry: { + coordinates: [ + [ + [-67.5, 40.9799], + [-90, 40.9799], + [-90, 21.94305], + [-67.5, 21.94305], + [-67.5, 40.9799], + ], + ], + type: 'Polygon', + }, + }; + }, }; const mockMbMapHandlers = {}; @@ -236,10 +255,9 @@ describe('TooltipControl', () => { mockMbMapHandlers.click(mockMapMouseEvent); sinon.assert.notCalled(closeOnClickTooltipStub); - sinon.assert.calledWith(openOnClickTooltipStub, { - features: [{ id: 1, layerId: 'tfi3f', mbProperties: { __kbn__feature_id__: 1 } }], - location: [100, 30], - }); + const tooltipState = openOnClickTooltipStub.getCalls()[0].args[0]; + expect(tooltipState.features.length).toBe(1); + expect(tooltipState.location).toEqual([100, 30]); }); }); }); diff --git a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_popover.js b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_popover.js index 3a600eead4079..58084a498d7fb 100644 --- a/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_popover.js +++ b/x-pack/plugins/maps/public/connected_components/mb_map/tooltip_control/tooltip_popover.js @@ -7,7 +7,7 @@ import React, { Component } from 'react'; import { LAT_INDEX, LON_INDEX } from '../../../../common/constants'; -import { FeaturesTooltip } from '../features_tooltip/features_tooltip'; +import { FeaturesTooltip } from '../features_tooltip'; import { EuiPopover, EuiText } from '@elastic/eui'; const noop = () => {}; @@ -55,24 +55,8 @@ export class TooltipPopover extends Component { }); }; - // Must load original geometry instead of using geometry from mapbox feature. - // Mapbox feature geometry is from vector tile and is not the same as the original geometry. - _loadFeatureGeometry = ({ layerId, featureId }) => { - const tooltipLayer = this._findLayerById(layerId); - if (!tooltipLayer || typeof featureId === 'undefined') { - return null; - } - - const targetFeature = tooltipLayer.getFeatureById(featureId); - if (!targetFeature) { - return null; - } - - return targetFeature.geometry; - }; - _loadFeatureProperties = async ({ layerId, featureId, mbProperties }) => { - const tooltipLayer = this._findLayerById(layerId); + const tooltipLayer = this.props.findLayerById(layerId); if (!tooltipLayer) { return []; } @@ -86,28 +70,8 @@ export class TooltipPopover extends Component { return await tooltipLayer.getPropertiesForTooltip(properties); }; - _loadPreIndexedShape = async ({ layerId, featureId }) => { - const tooltipLayer = this._findLayerById(layerId); - if (!tooltipLayer || typeof featureId === 'undefined') { - return null; - } - - const targetFeature = tooltipLayer.getFeatureById(featureId); - if (!targetFeature) { - return null; - } - - return await tooltipLayer.getSource().getPreIndexedShape(targetFeature.properties); - }; - - _findLayerById = (layerId) => { - return this.props.layerList.find((layer) => { - return layer.getId() === layerId; - }); - }; - _getLayerName = async (layerId) => { - const layer = this._findLayerById(layerId); + const layer = this.props.findLayerById(layerId); if (!layer) { return null; } @@ -125,7 +89,6 @@ export class TooltipPopover extends Component { features: this.props.features, isLocked: this.props.isLocked, loadFeatureProperties: this._loadFeatureProperties, - loadFeatureGeometry: this._loadFeatureGeometry, getLayerName: this._getLayerName, }; @@ -135,12 +98,7 @@ export class TooltipPopover extends Component { return ( <EuiText size="xs" style={{ maxWidth: '425px' }}> - <FeaturesTooltip - {...publicProps} - findLayerById={this._findLayerById} - geoFields={this.props.geoFields} - loadPreIndexedShape={this._loadPreIndexedShape} - /> + <FeaturesTooltip {...publicProps} findLayerById={this.props.findLayerById} /> </EuiText> ); }; diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/map_tool_tip/map_tool_tip.test.tsx b/x-pack/plugins/security_solution/public/network/components/embeddables/map_tool_tip/map_tool_tip.test.tsx index 968361aea6780..bc869dead4556 100644 --- a/x-pack/plugins/security_solution/public/network/components/embeddables/map_tool_tip/map_tool_tip.test.tsx +++ b/x-pack/plugins/security_solution/public/network/components/embeddables/map_tool_tip/map_tool_tip.test.tsx @@ -25,6 +25,7 @@ describe('MapToolTip', () => { id: 1, layerId: 'layerId', mbProperties: {}, + actions: [], }, ]; const getLayerName = jest.fn(); diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index 75f5c8c901807..a2eb51e929fd4 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -14088,7 +14088,6 @@ "xpack.maps.tooltip.loadingMsg": "読み込み中", "xpack.maps.tooltip.pageNumerText": "{total} 個中 {pageNumber} 個の機能", "xpack.maps.tooltip.showAddFilterActionsViewLabel": "フィルターアクション", - "xpack.maps.tooltip.showGeometryFilterViewLinkLabel": "ジオメトリでフィルタリング", "xpack.maps.tooltip.toolsControl.cancelDrawButtonLabel": "キャンセル", "xpack.maps.tooltip.unableToLoadContentTitle": "ツールヒントのコンテンツを読み込めません", "xpack.maps.tooltip.viewActionsTitle": "フィルターアクションを表示", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index 2b562f4cd4410..b07661eaf5e26 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -14269,7 +14269,6 @@ "xpack.maps.tooltip.loadingMsg": "正在加载", "xpack.maps.tooltip.pageNumerText": "第 {pageNumber} 页,共 {total} 页", "xpack.maps.tooltip.showAddFilterActionsViewLabel": "筛选操作", - "xpack.maps.tooltip.showGeometryFilterViewLinkLabel": "按几何筛选", "xpack.maps.tooltip.toolsControl.cancelDrawButtonLabel": "取消", "xpack.maps.tooltip.unableToLoadContentTitle": "无法加载工具提示内容", "xpack.maps.tooltip.viewActionsTitle": "查看筛选操作", From 45c6ca42d0644a942e5761c86877744a8146a7d1 Mon Sep 17 00:00:00 2001 From: Justin Ibarra <brokensound77@users.noreply.github.com> Date: Mon, 10 May 2021 15:48:57 -0800 Subject: [PATCH 10/11] [Detection Rules] Add 7.13 rules (#99725) --- .../application_added_to_google_workspace_domain.json | 4 ++-- .../attempt_to_deactivate_okta_network_zone.json | 4 ++-- .../attempt_to_delete_okta_network_zone.json | 4 ++-- .../collection_cloudtrail_logging_created.json | 2 +- .../collection_gcp_pub_sub_subscription_creation.json | 4 ++-- .../collection_gcp_pub_sub_topic_creation.json | 4 ++-- .../collection_microsoft_365_new_inbox_rule.json | 2 +- .../collection_update_event_hub_auth_rule.json | 4 ++-- .../command_and_control_cobalt_strike_beacon.json | 4 ++-- ...and_and_control_cobalt_strike_default_teamserver_cert.json | 4 ++-- ...and_and_control_download_rar_powershell_from_internet.json | 4 ++-- .../command_and_control_fin7_c2_behavior.json | 4 ++-- .../command_and_control_halfbaked_beacon.json | 4 ++-- .../command_and_control_remote_file_copy_mpcmdrun.json | 2 +- .../command_and_control_sunburst_c2_activity_detected.json | 2 +- .../credential_access_attempted_bypass_of_okta_mfa.json | 4 ++-- ...tial_access_attempts_to_brute_force_okta_user_account.json | 4 ++-- .../credential_access_aws_iam_assume_role_brute_force.json | 4 ++-- .../credential_access_domain_backup_dpapi_private_keys.json | 2 +- .../credential_access_iam_user_addition_to_group.json | 2 +- .../credential_access_key_vault_modified.json | 4 ++-- ...access_microsoft_365_brute_force_user_account_attempt.json | 4 ++-- ...cess_microsoft_365_potential_password_spraying_attack.json | 4 ++-- ...edential_access_okta_brute_force_or_password_spraying.json | 4 ++-- .../credential_access_root_console_failure_brute_force.json | 4 ++-- .../credential_access_secretsmanager_getsecretvalue.json | 4 ++-- .../credential_access_storage_account_key_regenerated.json | 4 ++-- ...nse_evasion_azure_application_credential_modification.json | 4 ++-- .../defense_evasion_azure_diagnostic_settings_deletion.json | 4 ++-- .../defense_evasion_azure_service_principal_addition.json | 4 ++-- .../defense_evasion_cloudtrail_logging_deleted.json | 2 +- .../defense_evasion_cloudtrail_logging_suspended.json | 2 +- .../defense_evasion_cloudwatch_alarm_deletion.json | 2 +- .../defense_evasion_config_service_rule_deletion.json | 2 +- .../defense_evasion_configuration_recorder_stopped.json | 2 +- .../defense_evasion_defender_disabled_via_registry.json | 4 ++-- .../defense_evasion_ec2_flow_log_deletion.json | 2 +- .../defense_evasion_ec2_network_acl_deletion.json | 2 +- .../prepackaged_rules/defense_evasion_event_hub_deletion.json | 4 ++-- .../defense_evasion_firewall_policy_deletion.json | 4 ++-- .../defense_evasion_gcp_firewall_rule_created.json | 4 ++-- .../defense_evasion_gcp_firewall_rule_deleted.json | 4 ++-- .../defense_evasion_gcp_firewall_rule_modified.json | 4 ++-- .../defense_evasion_gcp_logging_bucket_deletion.json | 4 ++-- .../defense_evasion_gcp_logging_sink_deletion.json | 4 ++-- .../defense_evasion_gcp_pub_sub_subscription_deletion.json | 4 ++-- .../defense_evasion_gcp_pub_sub_topic_deletion.json | 4 ++-- ...nse_evasion_gcp_storage_bucket_configuration_modified.json | 2 +- ...fense_evasion_gcp_storage_bucket_permissions_modified.json | 2 +- .../defense_evasion_guardduty_detector_deletion.json | 2 +- ...nse_evasion_microsoft_365_exchange_dlp_policy_removed.json | 4 ++-- ...microsoft_365_exchange_malware_filter_policy_deletion.json | 4 ++-- ...vasion_microsoft_365_exchange_malware_filter_rule_mod.json | 4 ++-- ...sion_microsoft_365_exchange_safe_attach_rule_disabled.json | 4 ++-- .../defense_evasion_network_watcher_deletion.json | 4 ++-- .../defense_evasion_s3_bucket_configuration_deletion.json | 2 +- .../defense_evasion_sdelete_like_filename_rename.json | 4 ++-- ...uspicious_okta_user_password_reset_or_unlock_attempts.json | 4 ++-- .../prepackaged_rules/defense_evasion_waf_acl_deletion.json | 2 +- .../defense_evasion_waf_rule_or_rule_group_deletion.json | 4 ++-- .../prepackaged_rules/discovery_adfind_command_activity.json | 4 ++-- .../discovery_blob_container_access_mod.json | 4 ++-- .../domain_added_to_google_workspace_trusted_domains.json | 4 ++-- .../prepackaged_rules/execution_command_virtual_machine.json | 4 ++-- .../execution_from_unusual_path_cmdline.json | 2 +- .../execution_shared_modules_local_sxs_dll.json | 4 ++-- .../exfiltration_ec2_snapshot_change_activity.json | 4 ++-- .../exfiltration_gcp_logging_sink_modification.json | 4 ++-- ...ration_microsoft_365_exchange_transport_rule_creation.json | 4 ++-- ...xfiltration_microsoft_365_exchange_transport_rule_mod.json | 4 ++-- .../google_workspace_admin_role_deletion.json | 4 ++-- .../google_workspace_mfa_enforcement_disabled.json | 4 ++-- .../prepackaged_rules/google_workspace_policy_modified.json | 4 ++-- .../impact_attempt_to_revoke_okta_api_token.json | 4 ++-- .../impact_azure_automation_runbook_deleted.json | 4 ++-- .../prepackaged_rules/impact_cloudtrail_logging_updated.json | 2 +- .../impact_cloudwatch_log_group_deletion.json | 2 +- .../impact_cloudwatch_log_stream_deletion.json | 2 +- .../prepackaged_rules/impact_ec2_disable_ebs_encryption.json | 2 +- .../rules/prepackaged_rules/impact_gcp_iam_role_deletion.json | 4 ++-- .../prepackaged_rules/impact_gcp_service_account_deleted.json | 4 ++-- .../impact_gcp_service_account_disabled.json | 4 ++-- .../prepackaged_rules/impact_gcp_storage_bucket_deleted.json | 2 +- .../impact_gcp_virtual_private_cloud_network_deleted.json | 4 ++-- .../impact_gcp_virtual_private_cloud_route_created.json | 2 +- .../impact_gcp_virtual_private_cloud_route_deleted.json | 4 ++-- .../rules/prepackaged_rules/impact_hosts_file_modified.json | 2 +- .../prepackaged_rules/impact_iam_deactivate_mfa_device.json | 2 +- .../rules/prepackaged_rules/impact_iam_group_deletion.json | 2 +- .../prepackaged_rules/impact_possible_okta_dos_attack.json | 4 ++-- .../rules/prepackaged_rules/impact_rds_cluster_deletion.json | 2 +- .../impact_rds_instance_cluster_stoppage.json | 2 +- .../prepackaged_rules/impact_resource_group_deletion.json | 4 ++-- ...nitial_access_azure_active_directory_high_risk_signin.json | 4 ++-- ...itial_access_azure_active_directory_powershell_signin.json | 4 ++-- ...consent_grant_attack_via_azure_registered_application.json | 4 ++-- .../prepackaged_rules/initial_access_console_login_root.json | 2 +- .../initial_access_external_guest_user_invite.json | 4 ++-- .../initial_access_gcp_iam_custom_role_creation.json | 4 ++-- ...ess_microsoft_365_exchange_anti_phish_policy_deletion.json | 4 ++-- ...ial_access_microsoft_365_exchange_anti_phish_rule_mod.json | 4 ++-- ...tial_access_microsoft_365_exchange_safelinks_disabled.json | 4 ++-- .../prepackaged_rules/initial_access_password_recovery.json | 2 +- ...tial_access_suspicious_activity_reported_by_okta_user.json | 4 ++-- .../initial_access_suspicious_ms_exchange_files.json | 2 +- .../initial_access_unsecure_elasticsearch_node.json | 4 ++-- .../initial_access_unusual_dns_service_children.json | 2 +- .../initial_access_unusual_dns_service_file_writes.json | 2 +- .../prepackaged_rules/initial_access_via_system_manager.json | 4 ++-- .../initial_access_zoom_meeting_with_no_passcode.json | 4 ++-- .../lateral_movement_dns_server_overflow.json | 4 ++-- .../lateral_movement_scheduled_task_target.json | 4 ++-- .../mfa_disabled_for_google_workspace_organization.json | 4 ++-- .../microsoft_365_exchange_dkim_signing_config_disabled.json | 4 ++-- .../microsoft_365_teams_custom_app_interaction_allowed.json | 4 ++-- .../prepackaged_rules/ml_cloudtrail_error_message_spike.json | 4 ++-- .../prepackaged_rules/ml_cloudtrail_rare_error_code.json | 2 +- .../prepackaged_rules/ml_cloudtrail_rare_method_by_city.json | 2 +- .../ml_cloudtrail_rare_method_by_country.json | 2 +- .../prepackaged_rules/ml_cloudtrail_rare_method_by_user.json | 2 +- .../ml_linux_anomalous_network_activity.json | 4 ++-- .../ml_linux_anomalous_process_all_hosts.json | 4 ++-- .../rules/prepackaged_rules/ml_linux_anomalous_user_name.json | 4 ++-- .../prepackaged_rules/ml_rare_process_by_host_linux.json | 4 ++-- .../prepackaged_rules/ml_rare_process_by_host_windows.json | 4 ++-- .../ml_windows_anomalous_network_activity.json | 4 ++-- .../ml_windows_anomalous_process_all_hosts.json | 4 ++-- .../prepackaged_rules/ml_windows_anomalous_user_name.json | 4 ++-- .../ml_windows_rare_user_type10_remote_login.json | 4 ++-- .../okta_attempt_to_deactivate_okta_application.json | 4 ++-- .../okta_attempt_to_deactivate_okta_policy.json | 4 ++-- .../okta_attempt_to_deactivate_okta_policy_rule.json | 4 ++-- .../okta_attempt_to_delete_okta_application.json | 4 ++-- .../prepackaged_rules/okta_attempt_to_delete_okta_policy.json | 4 ++-- .../okta_attempt_to_delete_okta_policy_rule.json | 4 ++-- .../okta_attempt_to_modify_okta_application.json | 4 ++-- .../okta_attempt_to_modify_okta_network_zone.json | 4 ++-- .../prepackaged_rules/okta_attempt_to_modify_okta_policy.json | 4 ++-- .../okta_attempt_to_modify_okta_policy_rule.json | 4 ++-- ...ttempt_to_modify_or_delete_application_sign_on_policy.json | 4 ++-- .../okta_threat_detected_by_okta_threatinsight.json | 4 ++-- ...tence_administrator_privileges_assigned_to_okta_group.json | 4 ++-- .../persistence_administrator_role_assigned_to_okta_user.json | 4 ++-- .../persistence_attempt_to_create_okta_api_token.json | 4 ++-- ...tence_attempt_to_deactivate_mfa_for_okta_user_account.json | 4 ++-- ...ce_attempt_to_reset_mfa_factors_for_okta_user_account.json | 4 ++-- .../persistence_azure_automation_account_created.json | 4 ++-- ...sistence_azure_automation_runbook_created_or_modified.json | 4 ++-- .../persistence_azure_automation_webhook_created.json | 2 +- .../persistence_azure_conditional_access_policy_modified.json | 4 ++-- .../persistence_azure_pim_user_added_global_admin.json | 4 ++-- ...ce_azure_privileged_identity_management_role_modified.json | 4 ++-- .../persistence_ec2_network_acl_creation.json | 2 +- ...stence_evasion_registry_startup_shell_folder_modified.json | 2 +- .../persistence_gcp_iam_service_account_key_deletion.json | 4 ++-- .../persistence_gcp_key_created_for_service_account.json | 4 ++-- .../persistence_gcp_service_account_created.json | 4 ++-- ...sistence_google_workspace_admin_role_assigned_to_user.json | 4 ++-- ...ccess_granted_via_domain_wide_delegation_of_authority.json | 4 ++-- ...ersistence_google_workspace_custom_admin_role_created.json | 4 ++-- .../persistence_google_workspace_role_modified.json | 4 ++-- .../prepackaged_rules/persistence_iam_group_creation.json | 2 +- .../persistence_local_scheduled_task_scripting.json | 4 ++-- .../persistence_loginwindow_plist_modification.json | 4 ++-- .../persistence_mfa_disabled_for_azure_user.json | 4 ++-- ...nce_microsoft_365_exchange_management_role_assignment.json | 4 ++-- ...rsistence_microsoft_365_teams_external_access_enabled.json | 4 ++-- .../persistence_microsoft_365_teams_guest_access_enabled.json | 4 ++-- .../prepackaged_rules/persistence_rds_cluster_creation.json | 2 +- ...persistence_user_added_as_owner_for_azure_application.json | 4 ++-- ...tence_user_added_as_owner_for_azure_service_principal.json | 4 ++-- ...privilege_escalation_printspooler_suspicious_spl_file.json | 2 +- .../privilege_escalation_root_login_without_mfa.json | 4 ++-- .../privilege_escalation_updateassumerolepolicy.json | 4 ++-- .../rules/prepackaged_rules/threat_intel_module_match.json | 2 +- 175 files changed, 304 insertions(+), 304 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json index ef9daff745bc5..b447e59e71435 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Application Added to Google Workspace Domain", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION", "references": [ "https://support.google.com/a/answer/6328701?hl=en#" @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json index d2d5b53c99c33..fbdf3d58f2b81 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Network Zone", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:zone.deactivate", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json index e566ae7ae598b..b0bd850c1d63c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Network Zone", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:zone.delete", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json index 0287565be0d7c..3e2479369ebb2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Created", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json index 6a077053039df..d50013c90b122 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Subscription Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success", "references": [ "https://cloud.google.com/pubsub/docs/overview" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json index c33fb44b3f6ad..5438b8fb2a8c9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Topic Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success", "references": [ "https://cloud.google.com/pubsub/docs/admin" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json index 778b7ecc30192..5fcfbd797e9d3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json @@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 New Inbox Rule Created", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json index 52bab1651157d..a9fd96efcb383 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Event Hub Authorization Rule Created or Updated", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature" @@ -64,5 +64,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json index e3505365af83e..eba26c7be6e94 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json @@ -12,7 +12,7 @@ "language": "lucene", "license": "Elastic License v2", "name": "Cobalt Strike Command and Control Beacon", - "note": "This activity has been observed in FIN7 campaigns.", + "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/", "references": [ "https://blog.morphisec.com/fin7-attacks-restaurant-industry", @@ -58,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json index 13203b0534135..6fffa5c4634a0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json @@ -10,7 +10,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Default Cobalt Strike Team Server Certificate", - "note": "While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.", + "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.", "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)", "references": [ "https://attack.mitre.org/software/S0154/", @@ -55,5 +55,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json index 1d54ab02f3476..7cfba90cf67c8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json @@ -12,7 +12,7 @@ "language": "lucene", "license": "Elastic License v2", "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "note": "This activity has been observed in FIN7 campaigns.", + "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)", "references": [ "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", @@ -46,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_fin7_c2_behavior.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_fin7_c2_behavior.json index 300d72fa855fa..305612da0f47e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_fin7_c2_behavior.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_fin7_c2_behavior.json @@ -12,7 +12,7 @@ "language": "lucene", "license": "Elastic License v2", "name": "Possible FIN7 DGA Command and Control Behavior", - "note": "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", + "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us", "references": [ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" @@ -57,5 +57,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_halfbaked_beacon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_halfbaked_beacon.json index ef46a882cc7b8..ed6fb726896ac 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_halfbaked_beacon.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_halfbaked_beacon.json @@ -12,7 +12,7 @@ "language": "lucene", "license": "Elastic License v2", "name": "Halfbaked Command and Control Beacon", - "note": "This activity has been observed in FIN7 campaigns.", + "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)", "references": [ "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", @@ -58,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json index bbda3c0a4f49b..f026df5fd19b9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", - "note": "### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.", "query": "process where event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": [ "https://twitter.com/mohammadaskar2/status/1301263551638761477", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json index 1aede9216de12..96d87cc39d82d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json @@ -10,7 +10,7 @@ "language": "eql", "license": "Elastic License v2", "name": "SUNBURST Command and Control Activity", - "note": "The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.", + "note": "## Triage and analysis\n\nThe SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.", "query": "network where event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\")) and\n not http.request.body.content : \"*solarwinds.com*\"\n", "references": [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json index d6b6b7d06404c..c3614e0e69e9a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json @@ -10,7 +10,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -46,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempts_to_brute_force_okta_user_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempts_to_brute_force_okta_user_account.json index 02de6e8f2b910..5556f3787fbdd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempts_to_brute_force_okta_user_account.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempts_to_brute_force_okta_user_account.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:user.account.lock", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -52,5 +52,5 @@ "value": 3 }, "type": "threshold", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json index d4fe403f5870a..3ea689aaa3570 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Brute Force of Assume Role Policy", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure", "references": [ "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", @@ -50,5 +50,5 @@ "value": 25 }, "type": "threshold", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json index 361b5f9e3e62e..c031fcbf464b1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", - "note": "### Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.", + "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.", "query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": [ "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json index 20674ebe4490e..0d94ac36944a9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM User Addition to Group", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success", "references": [ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html" diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_key_vault_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_key_vault_modified.json index 92675a3202547..27f76a13d657d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_key_vault_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_key_vault_modified.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Key Vault Modified", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", @@ -57,5 +57,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_brute_force_user_account_attempt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_brute_force_user_account_attempt.json index ba3e7fd590a52..8e9c142929a05 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_brute_force_user_account_attempt.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_brute_force_user_account_attempt.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure", "risk_score": 73, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", @@ -51,5 +51,5 @@ "value": 10 }, "type": "threshold", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_potential_password_spraying_attack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_potential_password_spraying_attack.json index ba80bd5e8e962..14314feebb712 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_potential_password_spraying_attack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_potential_password_spraying_attack.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Password Spraying of Microsoft 365 User Accounts", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure", "risk_score": 73, "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", @@ -51,5 +51,5 @@ "value": 25 }, "type": "threshold", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_okta_brute_force_or_password_spraying.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_okta_brute_force_or_password_spraying.json index 754d0f5ceb8c3..16c2816e30690 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_okta_brute_force_or_password_spraying.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_okta_brute_force_or_password_spraying.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -54,5 +54,5 @@ "value": 25 }, "type": "threshold", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_root_console_failure_brute_force.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_root_console_failure_brute_force.json index 9920684706eb2..fb296d82b992b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_root_console_failure_brute_force.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_root_console_failure_brute_force.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Brute Force of Root User Identity", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" @@ -54,5 +54,5 @@ "value": 10 }, "type": "threshold", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json index d7499f7e6b4b4..8eebcc5c45096 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json @@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Access Secret in Secrets Manager", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue", "references": [ "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", @@ -52,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_storage_account_key_regenerated.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_storage_account_key_regenerated.json index e2eeae45e1d3b..d6f5a05c86e1a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_storage_account_key_regenerated.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_storage_account_key_regenerated.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Storage Account Key Regenerated", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_application_credential_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_application_credential_modification.json index 9f51301f86490..d695695e2c23b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_application_credential_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_application_credential_modification.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Application Credential Modification", - "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)", "references": [ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" @@ -56,5 +56,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_diagnostic_settings_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_diagnostic_settings_deletion.json index e43135223dd12..31eec6ee4d1c2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_diagnostic_settings_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_diagnostic_settings_deletion.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Diagnostic Settings Deletion", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings" @@ -56,5 +56,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_service_principal_addition.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_service_principal_addition.json index 5c9effc2bc203..43557bfeb31ba 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_service_principal_addition.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_service_principal_addition.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Service Principal Addition", - "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)", "references": [ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", @@ -57,5 +57,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json index 3ae05408ac81c..8daf17dc8c386 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Deleted", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json index 75e3e4f542c7d..c140a1f9b9734 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Suspended", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json index d05b043923482..b5984d5d624c3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Alarm Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json index 77d8deff1c191..a512cd8c842ee 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json @@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Config Service Tampering", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)", "references": [ "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json index 7de02c3a3875d..abadb416deec8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Configuration Recorder Stopped", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json index b84da1825dfc4..8e1a1bf005f5d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", - "note": "Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized", + "note": "## Triage and analysis\n\nDetections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized", "query": "registry where event.type in (\"creation\", \"change\") and\n ((registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings:\"1\") or\n (registry.path:\"HKLM\\\\System\\\\ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n registry.data.strings in (\"3\", \"4\")))\n", "references": [ "https://thedfirreport.com/2020/12/13/defender-control/" @@ -58,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json index 9a3eace06d5fb..f88b8b3589d93 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Flow Log Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json index 79222e3ef4cfb..06fc3a3f094a5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_event_hub_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_event_hub_deletion.json index bffeeff6123bf..0ea25e05915c6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_event_hub_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_event_hub_deletion.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Event Hub Deletion", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about", @@ -58,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_firewall_policy_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_firewall_policy_deletion.json index 38a207eadc36c..f8961a832ac1e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_firewall_policy_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_firewall_policy_deletion.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Firewall Policy Deletion", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview" @@ -56,5 +56,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_created.json index c24c1dfde02f8..7fbe044738386 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_created.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Firewall Rule Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert", "references": [ "https://cloud.google.com/vpc/docs/firewalls" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_deleted.json index 4198753f104cb..4cc8fde077c3e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_deleted.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Firewall Rule Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete", "references": [ "https://cloud.google.com/vpc/docs/firewalls" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_modified.json index 811a386614b20..614da7f79a46b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_modified.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Firewall Rule Modification", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch", "references": [ "https://cloud.google.com/vpc/docs/firewalls" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_bucket_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_bucket_deletion.json index 0ba5d1cfcf403..805f21f875f02 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_bucket_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_bucket_deletion.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Bucket Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success", "references": [ "https://cloud.google.com/logging/docs/buckets", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_sink_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_sink_deletion.json index 7e90b357e9055..6fa62fe3a6313 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_sink_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_sink_deletion.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Sink Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success", "references": [ "https://cloud.google.com/logging/docs/export" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_subscription_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_subscription_deletion.json index f2e7c5a7ca706..4907e0f13e550 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_subscription_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_subscription_deletion.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Subscription Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success", "references": [ "https://cloud.google.com/pubsub/docs/overview" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_topic_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_topic_deletion.json index 7603c0da2c959..7632a73ddfa90 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_topic_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_topic_deletion.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Topic Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success", "references": [ "https://cloud.google.com/pubsub/docs/overview" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json index 6512c5ad473b4..abb6912f0828d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Storage Bucket Configuration Modification", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.update\" and event.outcome:success", "references": [ "https://cloud.google.com/storage/docs/key-terms#buckets" diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json index e79c14e76cba7..8eb238c9dc796 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Storage Bucket Permissions Modification", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.setIamPermissions\" and event.outcome:success", "references": [ "https://cloud.google.com/storage/docs/access-control/iam-permissions" diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json index a98f57a132ba4..8ededad39f415 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS GuardDuty Detector Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_dlp_policy_removed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_dlp_policy_removed.json index 0bb0d45e9c342..b39aee071a874 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_dlp_policy_removed.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_dlp_policy_removed.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DLP Policy Removed", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json index 6e68369e16739..c4de503b66540 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json index 66e35150ec06b..c0dcec7e1b0d7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json index 2c744077756ef..5273115ead302 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_watcher_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_watcher_deletion.json index f1c2575033fa3..27a590f49cb31 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_watcher_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_watcher_deletion.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Network Watcher Deletion", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview" @@ -56,5 +56,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json index 727bd4a579566..4eb3bb47beff5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS S3 Bucket Configuration Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.outcome:success", "references": [ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json index df9a50bb80bf0..116525ab3dfcd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", - "note": "Verify process details such as command line and hash to confirm this activity legitimacy.", + "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.", "query": "file where event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json index ae1419f1f561a..b1ab19a25d840 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -85,5 +85,5 @@ "value": 5 }, "type": "threshold", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json index ebe1cbf18d6a8..cc2d47812b48c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Access Control List Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json index 5c20a8a434095..ee21d03f8464b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Rule or Rule Group Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", @@ -58,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json index 86b1a156bcef2..97ba7da6c5f3b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", - "note": "`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment.", + "note": "## Triage and analysis\n\n`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment.", "query": "process where event.type in (\"start\", \"process_started\") and \n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\", \n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": [ "http://www.joeware.net/freetools/tools/adfind/", @@ -75,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_blob_container_access_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_blob_container_access_mod.json index 7e4e8bfe69a0c..16eabb82de0f7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_blob_container_access_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_blob_container_access_mod.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Blob Container Access Level Modification", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent" @@ -64,5 +64,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/domain_added_to_google_workspace_trusted_domains.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/domain_added_to_google_workspace_trusted_domains.json index 79a0629f3fdc1..96f246f9403bf 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/domain_added_to_google_workspace_trusted_domains.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/domain_added_to_google_workspace_trusted_domains.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Domain Added to Google Workspace Trusted Domains", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS", "references": [ "https://support.google.com/a/answer/6160020?hl=en" @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_virtual_machine.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_virtual_machine.json index 3790c3c35fb19..8254e9e1c75e0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_virtual_machine.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_virtual_machine.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Command Execution on Virtual Machine", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)", "references": [ "https://adsecurity.org/?p=4277", @@ -51,5 +51,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json index f05496fc641a1..d82313c758972 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", - "note": "This is related to the Process Execution from an Unusual Directory rule", + "note": "## Triage and analysis\n\nThis is related to the `Process Execution from an Unusual Directory rule`.", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\", \n \"cscript.exe\", \n \"rundll32.exe\", \n \"regsvr32.exe\", \n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\", \n \"powershell.exe\", \n \"pwsh.exe\", \n \"cmd.exe\") and\n \n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\", \n \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\Web\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and process.args : (\"uxtheme.dll,#64\", \"PRINTUI.DLL,PrintUIEntry\"))\n", "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json index bd938fd3f9979..4fd4c708eda99 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Execution via local SxS Shared Module", - "note": "The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", + "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", "query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", "references": [ "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" @@ -46,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_snapshot_change_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_snapshot_change_activity.json index 7295094419406..7c67a3f037538 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_snapshot_change_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_snapshot_change_activity.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Snapshot Activity", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", @@ -51,5 +51,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_gcp_logging_sink_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_gcp_logging_sink_modification.json index 959f5f48d3ba3..ddff312a362ee 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_gcp_logging_sink_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_gcp_logging_sink_modification.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Sink Modification", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success", "references": [ "https://cloud.google.com/logging/docs/export#how_sinks_work" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_creation.json index f248e61e9e0ce..ec9373352254b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_creation.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Creation", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_mod.json index b7493914c9bfc..2503f679464f1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_mod.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Modification", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", @@ -51,5 +51,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_admin_role_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_admin_role_deletion.json index 517d2b8526abb..ba84d38d7e4ee 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_admin_role_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_admin_role_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Deletion", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE", "references": [ "https://support.google.com/a/answer/2406043?hl=en" @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_mfa_enforcement_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_mfa_enforcement_disabled.json index 514d08172d04b..551133ed2a58d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_mfa_enforcement_disabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_mfa_enforcement_disabled.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace MFA Enforcement Disabled", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and gsuite.admin.new_value:false", "references": [ "https://support.google.com/a/answer/9176657?hl=en#" @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_policy_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_policy_modified.json index 194228e119205..5893782912b35 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_policy_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_policy_modified.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Password Policy Modified", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and gsuite.admin.setting.name:( \"Password Management - Enforce strong password\" or \"Password Management - Password reset frequency\" or \"Password Management - Enable password reuse\" or \"Password Management - Enforce password policy at next login\" or \"Password Management - Minimum password length\" or \"Password Management - Maximum password length\" )", "risk_score": 47, "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", @@ -30,5 +30,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_attempt_to_revoke_okta_api_token.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_attempt_to_revoke_okta_api_token.json index 771d4363182ee..aebda3bb268d1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_attempt_to_revoke_okta_api_token.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_attempt_to_revoke_okta_api_token.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:system.api_token.revoke", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_automation_runbook_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_automation_runbook_deleted.json index d0f482d80f657..fb468ff8f6d7d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_automation_runbook_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_automation_runbook_deleted.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Runbook Deleted", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and event.outcome:(Success or success)", "references": [ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", @@ -32,5 +32,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json index 33534d777272d..9d1c0d3758a9d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Updated", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json index 1fa046a285a4d..14f0419cb4073 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Group Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json index 800e576e22c10..6d37a106aa9ab 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Stream Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json index 944814f1b47d1..94b1839dfc5dd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Encryption Disabled", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success", "references": [ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_iam_role_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_iam_role_deletion.json index c42c1d23fb486..5ed1aa4386de4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_iam_role_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_iam_role_deletion.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Role Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success", "references": [ "https://cloud.google.com/iam/docs/understanding-roles" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_deleted.json index af3ba32403bfd..134278f30abb6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_deleted.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success", "references": [ "https://cloud.google.com/iam/docs/service-accounts" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_disabled.json index 5dd70497b7ded..a7750fc586729 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_disabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_disabled.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Disabled", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success", "references": [ "https://cloud.google.com/iam/docs/service-accounts" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json index e5875576c5190..c534dae963970 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Storage Bucket Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.delete\"", "references": [ "https://cloud.google.com/storage/docs/key-terms#buckets" diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_network_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_network_deleted.json index 0994537218ad7..caad64c558863 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_network_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_network_deleted.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Virtual Private Cloud Network Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success", "references": [ "https://cloud.google.com/vpc/docs/vpc" @@ -31,5 +31,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json index 4e21cb82c4cd6..7e2090de29c62 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Virtual Private Cloud Route Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")", "references": [ "https://cloud.google.com/vpc/docs/routes", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_deleted.json index 47b1a0af8cafe..a8b8b12b60960 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_deleted.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Virtual Private Cloud Route Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success", "references": [ "https://cloud.google.com/vpc/docs/routes", @@ -32,5 +32,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json index d202cc6e84ee9..56c943c85cb2a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", - "note": "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.", + "note": "## Config\n\nFor Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.", "query": "file where event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") \n", "references": [ "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html" diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json index 1f0d48e2ecbc4..7b77a414dd1e0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json @@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Deactivation of MFA Device", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json index ebe8df9c785ca..2c43b0560e660 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_possible_okta_dos_attack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_possible_okta_dos_attack.json index 98e77bb6cdb6c..649c859de8184 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_possible_okta_dos_attack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_possible_okta_dos_attack.json @@ -10,7 +10,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Possible Okta DoS Attack", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -51,5 +51,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_cluster_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_cluster_deletion.json index b8c81e467fabb..94837f665af75 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_cluster_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_cluster_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Cluster Deletion", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json index bd56daf3c6c9c..065c39f8f676b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance/Cluster Stoppage", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_resource_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_resource_group_deletion.json index e513e6573e756..221f1b1e46eb2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_resource_group_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_resource_group_deletion.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Resource Group Deletion", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal" @@ -71,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json index 6aef51de63ff0..b18ab4090b1f8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json @@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Active Directory High Risk Sign-in", - "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.risk_level_during_signin:high and event.outcome:(success or Success)", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_powershell_signin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_powershell_signin.json index 73aae9f6983d1..7e77d851eac00 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_powershell_signin.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_powershell_signin.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Active Directory PowerShell Sign-in", - "note": "The Azure Fleet Integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)", "references": [ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", @@ -57,5 +57,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_consent_grant_attack_via_azure_registered_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_consent_grant_attack_via_azure_registered_application.json index 10a0e1e20ad4c..f73c30f55eb3a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_consent_grant_attack_via_azure_registered_application.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_consent_grant_attack_via_azure_registered_application.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Possible Consent Grant Attack via Azure-Registered Application", - "note": "- The Azure Filebeat module must be enabled to use this rule.\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n", + "note": "## Triage and analysis\n\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n\n\n## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" or o365.audit.Operation:\"Consent to application.\" ) and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide" @@ -68,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json index c0884cf809e77..7d199f72a22bd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Root Login", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_external_guest_user_invite.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_external_guest_user_invite.json index 9b4ce4e288e71..fa04b1f724ef7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_external_guest_user_invite.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_external_guest_user_invite.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure External Guest User Invitation", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0" @@ -64,5 +64,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_gcp_iam_custom_role_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_gcp_iam_custom_role_creation.json index e29e7584626d4..a823f162d405a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_gcp_iam_custom_role_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_gcp_iam_custom_role_creation.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Custom Role Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success", "references": [ "https://cloud.google.com/iam/docs/understanding-custom-roles" @@ -63,5 +63,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json index 79d8d459a76fb..46c771e5b5ede 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_rule_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_rule_mod.json index f35d2cf28a78e..471a010338085 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_rule_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_rule_mod.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_safelinks_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_safelinks_disabled.json index f43aa8fd16790..d348d790f0c4e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_safelinks_disabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_safelinks_disabled.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json index 902abb51a6f99..fcbbcec5f06ac 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Password Recovery Requested", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success", "references": [ "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/" diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_activity_reported_by_okta_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_activity_reported_by_okta_user.json index 1bc04428c85ce..03fb7e44b200d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_activity_reported_by_okta_user.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_activity_reported_by_okta_user.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Activity Reported by Okta User", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -94,5 +94,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json index bd3e6129fa3ab..2473b4c3d2b51 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json @@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", - "note": "## Triage and analysis\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n", + "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n", "query": "file where event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unsecure_elasticsearch_node.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unsecure_elasticsearch_node.json index d545a92e87ad2..41ab4386c6817 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unsecure_elasticsearch_node.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unsecure_elasticsearch_node.json @@ -12,7 +12,7 @@ "language": "lucene", "license": "Elastic License v2", "name": "Inbound Connection to an Unsecure Elasticsearch Node", - "note": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.", + "note": "## Config\n\nThis rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.", "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization", "references": [ "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html", @@ -46,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json index 736090dd66003..3a58eb309f5b6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json @@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", - "note": "### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.", + "note": "## Triage and analysis\n\n### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.", "query": "process where event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json index 495f4885f2145..3ccd4aa440b42 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", - "note": "### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", + "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", "query": "file where process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\"\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_system_manager.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_system_manager.json index 8ea2de6edd9f1..73370f48253a6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_system_manager.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_system_manager.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Execution via System Manager", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success", "references": [ "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html" @@ -57,5 +57,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json index 1e8c499a9b2a8..9ceb2d7143713 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json @@ -9,7 +9,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Zoom Meeting with no Passcode", - "note": "This rule requires the Zoom Filebeat module.", + "note": "## Config\n\nThe Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*", "references": [ "https://blog.zoom.us/a-message-to-our-users/", @@ -46,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dns_server_overflow.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dns_server_overflow.json index e4df5e0774dcd..51bf90ff1eaf0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dns_server_overflow.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dns_server_overflow.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Abnormally Large DNS Response", - "note": "### Investigating Large DNS Responses\nDetection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:\n- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.\n- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.", + "note": "## Triage and analysis\n\n### Investigating Large DNS Responses\nDetection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:\n- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.\n- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.", "query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json index 5547c01a4afb2..b66b5a94fe27f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", - "note": "Decode the base64 encoded tasks actions registry value to investigate the task configured action.", + "note": "## Triage and analysis\n\nDecode the base64 encoded tasks actions registry value to investigate the task configured action.", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where process.name : \"svchost.exe\" and\n network.direction == \"incoming\" and source.port >= 49152 and destination.port >= 49152 and\n source.address != \"127.0.0.1\" and source.address != \"::1\"\n ]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "risk_score": 47, "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", @@ -57,5 +57,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/mfa_disabled_for_google_workspace_organization.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/mfa_disabled_for_google_workspace_organization.json index 678f85c562154..b393fa13db8c7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/mfa_disabled_for_google_workspace_organization.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/mfa_disabled_for_google_workspace_organization.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "MFA Disabled for Google Workspace Organization", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false", "risk_score": 47, "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", @@ -30,5 +30,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_exchange_dkim_signing_config_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_exchange_dkim_signing_config_disabled.json index 5c2d08825eb79..280d40537e448 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_exchange_dkim_signing_config_disabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_exchange_dkim_signing_config_disabled.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" @@ -32,5 +32,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_teams_custom_app_interaction_allowed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_teams_custom_app_interaction_allowed.json index 21baf5e4232d2..cb87e9f7cb257 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_teams_custom_app_interaction_allowed.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_teams_custom_app_interaction_allowed.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and event.category:web and event.action:TeamsTenantSettingChanged and o365.audit.Name:\"Allow sideloading and interaction of custom apps\" and o365.audit.NewValue:True and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" @@ -32,5 +32,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_error_message_spike.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_error_message_spike.json index 81344ecdc2dd2..67524e7966f8d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_error_message_spike.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_error_message_spike.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "high_distinct_count_error_message", "name": "Spike in AWS Error Messages", - "note": "### Investigating Spikes in CloudTrail Errors ###\nDetection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", + "note": "## Triage and analysis\n\n### Investigating Spikes in CloudTrail Errors\nDetection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -26,5 +26,5 @@ "ML" ], "type": "machine_learning", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json index 4cd3583fa681f..db12d5a557ac2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", - "note": "### Investigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", + "note": "## Triage and analysis\n\nInvestigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json index c516ae87e9be8..6c6f5b2a6019c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_city", "name": "Unusual City For an AWS Command", - "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "note": "## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json index 8263b06cb6b2e..689b8a1fc02e3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_country", "name": "Unusual Country For an AWS Command", - "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "note": "## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json index 3228031911147..50a1c7c817131 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_username", "name": "Unusual AWS Command for a User", - "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "note": "## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_network_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_network_activity.json index 03f422fe3ed93..fcfa402c11a6d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_network_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_network_activity.json @@ -9,7 +9,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "linux_anomalous_network_activity_ecs", "name": "Unusual Linux Network Activity", - "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -24,5 +24,5 @@ "ML" ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_process_all_hosts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_process_all_hosts.json index 2e586bc25e9ea..9243389de0d97 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_process_all_hosts.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_process_all_hosts.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs", "name": "Anomalous Process For a Linux Population", - "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -27,5 +27,5 @@ "ML" ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_user_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_user_name.json index a378e7cf0a1d7..e77247dc0e931 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_user_name.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_user_name.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "linux_anomalous_user_name_ecs", "name": "Unusual Linux Username", - "note": "### Investigating an Unusual Linux User ###\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", + "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -27,5 +27,5 @@ "ML" ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_linux.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_linux.json index ba16e7f1fe79e..11f6c2605f6ad 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_linux.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_linux.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_process_by_host_linux_ecs", "name": "Unusual Process For a Linux Host", - "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "note": "## Triage and analysis\n\n### Investigating an Unusual Linux Process\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -27,5 +27,5 @@ "ML" ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json index ed35a35d32920..72db8ff93d4d4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_process_by_host_windows_ecs", "name": "Unusual Process For a Windows Host", - "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -27,5 +27,5 @@ "ML" ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_network_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_network_activity.json index 03431adc0f555..5e3d5757b160d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_network_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_network_activity.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "windows_anomalous_network_activity_ecs", "name": "Unusual Windows Network Activity", - "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -27,5 +27,5 @@ "ML" ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_all_hosts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_all_hosts.json index b874b0effdbea..b73637c1a7cdf 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_all_hosts.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_all_hosts.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs", "name": "Anomalous Process For a Windows Population", - "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows Process\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -27,5 +27,5 @@ "ML" ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_user_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_user_name.json index c4a209dad0448..d3cbc34bd1a3d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_user_name.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_user_name.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "windows_anomalous_user_name_ecs", "name": "Unusual Windows Username", - "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -27,5 +27,5 @@ "ML" ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json index 2e29fbd15fd76..643a85d3af816 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json @@ -12,7 +12,7 @@ "license": "Elastic License v2", "machine_learning_job_id": "windows_rare_user_type10_remote_login", "name": "Unusual Windows Remote User", - "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", + "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -27,5 +27,5 @@ "ML" ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_application.json index 0040b559f46d3..bb4cdc6ded201 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_application.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_application.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Application", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate", "references": [ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy.json index f3ce089c61a54..54dd1f0741488 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy_rule.json index 71e3b4dee787e..495404ac9e108 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy_rule.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy_rule.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_application.json index 8f4d45db88edb..950964c81458a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_application.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_application.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Application", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:application.lifecycle.delete", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -32,5 +32,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy.json index 031acd36fab14..43b146b1377b7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy_rule.json index 5bbfa7460a970..3e32480d958ea 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy_rule.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy_rule.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy Rule", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:policy.rule.delete", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_application.json index cef2e3c157abe..47c0c836348d6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_application.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_application.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Application", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:application.lifecycle.update", "references": [ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_network_zone.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_network_zone.json index a96988fe61d95..05e48c9175daf 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_network_zone.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_network_zone.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Network Zone", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy.json index 4890d5c6f96c6..78451913b110a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -32,5 +32,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy_rule.json index 666a4713be90c..3d89183e4a921 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy_rule.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy_rule.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:policy.rule.update", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_or_delete_application_sign_on_policy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_or_delete_application_sign_on_policy.json index 58c6828b70c44..ce68423ffa4a4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_or_delete_application_sign_on_policy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_or_delete_application_sign_on_policy.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", @@ -33,5 +33,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_threat_detected_by_okta_threatinsight.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_threat_detected_by_okta_threatinsight.json index 3425a8f16e7bb..51be6cc2aba45 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_threat_detected_by_okta_threatinsight.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_threat_detected_by_okta_threatinsight.json @@ -10,7 +10,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Detected by Okta ThreatInsight", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:security.threat.detected", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -29,5 +29,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_privileges_assigned_to_okta_group.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_privileges_assigned_to_okta_group.json index 09be6c963d4b6..2284e08ba0caa 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_privileges_assigned_to_okta_group.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_privileges_assigned_to_okta_group.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Administrator Privileges Assigned to an Okta Group", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:group.privilege.grant", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_role_assigned_to_okta_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_role_assigned_to_okta_user.json index 11fcfe1aab36c..8aa425e4faac6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_role_assigned_to_okta_user.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_role_assigned_to_okta_user.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Administrator Role Assigned to an Okta User", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:user.account.privilege.grant", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_create_okta_api_token.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_create_okta_api_token.json index 1e2467e5c33c0..df234db46fed2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_create_okta_api_token.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_create_okta_api_token.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Create Okta API Token", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:system.api_token.create", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_deactivate_mfa_for_okta_user_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_deactivate_mfa_for_okta_user_account.json index 96e3acb487b55..df70b91b8c8a0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_deactivate_mfa_for_okta_user_account.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_deactivate_mfa_for_okta_user_account.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate MFA for an Okta User Account", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json index c5043862aa99e..a9bbbca91e2b7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Reset MFA Factors for an Okta User Account", - "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_account_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_account_created.json index b11804c881203..5ec70f2970d28 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_account_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_account_created.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Account Created", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)", "references": [ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", @@ -64,5 +64,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_runbook_created_or_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_runbook_created_or_modified.json index 64b9b0103feea..f7ef529895222 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_runbook_created_or_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_runbook_created_or_modified.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Runbook Created or Modified", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\" ) and event.outcome:(Success or success)", "references": [ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", @@ -32,5 +32,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json index f13f108cbd7a5..e77d1f91747e7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Webhook Created", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\" ) and event.outcome:(Success or success)", "references": [ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_conditional_access_policy_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_conditional_access_policy_modified.json index 7fbb8fffc6e50..00826c3d6162e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_conditional_access_policy_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_conditional_access_policy_modified.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Conditional Access Policy Modified", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview" @@ -46,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_pim_user_added_global_admin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_pim_user_added_global_admin.json index 4dc965e2dadbe..1d5332beed4f6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_pim_user_added_global_admin.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_pim_user_added_global_admin.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Global Administrator Role Addition to PIM User", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_privileged_identity_management_role_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_privileged_identity_management_role_modified.json index 7da98b3f179ab..0a75c0feaa516 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_privileged_identity_management_role_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_privileged_identity_management_role_modified.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Privilege Identity Management Role Modified", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles", @@ -62,5 +62,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json index f1ece4525079a..79ff9080c8f23 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Creation", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json index ec985807b3137..947c1c748af69 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", - "note": "Verify file creation events in the new Windows Startup folder location.", + "note": "## Triage and analysis\n\nVerify file creation events in the new Windows Startup folder location.", "query": "registry where\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_iam_service_account_key_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_iam_service_account_key_deletion.json index d067a66d6f525..34efe6e0b3d0e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_iam_service_account_key_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_iam_service_account_key_deletion.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Service Account Key Deletion", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success", "references": [ "https://cloud.google.com/iam/docs/service-accounts", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_key_created_for_service_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_key_created_for_service_account.json index 2214da96f7ec1..2c84a68b7603c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_key_created_for_service_account.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_key_created_for_service_account.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Key Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success", "references": [ "https://cloud.google.com/iam/docs/service-accounts", @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_service_account_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_service_account_created.json index 3d72eec6dfedb..54d4c01c66ea4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_service_account_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_service_account_created.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Creation", - "note": "The GCP Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success", "references": [ "https://cloud.google.com/iam/docs/service-accounts" @@ -48,5 +48,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_admin_role_assigned_to_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_admin_role_assigned_to_user.json index a7d1c67196d8f..681d9f4f7d4c8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_admin_role_assigned_to_user.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_admin_role_assigned_to_user.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Assigned to a User", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE", "references": [ "https://support.google.com/a/answer/172176?hl=en" @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json index d5a0236c186f1..819c047a2c64f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS", "references": [ "https://developers.google.com/admin-sdk/directory/v1/guides/delegation" @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_custom_admin_role_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_custom_admin_role_created.json index b9e768834d72e..2a68fc2604f8b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_custom_admin_role_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_custom_admin_role_created.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Admin Role Created", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE", "references": [ "https://support.google.com/a/answer/2406043?hl=en" @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_role_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_role_modified.json index 16448bd6d2f71..daf5b9b97a522 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_role_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_role_modified.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Role Modified", - "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", + "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html", "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)", "references": [ "https://support.google.com/a/answer/2406043?hl=en" @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json index 155be18fe8add..0930201f0422e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Creation", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json index 280a5d528777d..712e98d4ac941 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json @@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", - "note": "Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", + "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", "query": "sequence by host.id with maxspan = 30s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\")]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", @@ -45,5 +45,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json index 00b12ab60abd2..d6ffaa532a530 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Login Hook", - "note": "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", + "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", "query": "event.category:\"file\" and not event.type:\"deletion\" and file.name:\"com.apple.loginwindow.plist\" and process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))", "references": [ "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js" @@ -52,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_azure_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_azure_user.json index bb606d158c83b..e13975684a722 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_azure_user.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_azure_user.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Multi-Factor Authentication Disabled for an Azure User", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)", "risk_score": 47, "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", @@ -43,5 +43,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_management_role_assignment.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_management_role_assignment.json index a040cc3a3172d..a0e51fa3b8eed 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_management_role_assignment.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_management_role_assignment.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Management Group Role Assignment", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_external_access_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_external_access_enabled.json index 737ff8a85c0af..570ac0323dfd1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_external_access_enabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_external_access_enabled.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams External Access Enabled", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_guest_access_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_guest_access_enabled.json index 9af98a2598c04..492c3dcd5bc9d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_guest_access_enabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_guest_access_enabled.json @@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Guest Access Enabled", - "note": "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and event.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and o365.audit.Parameters.AllowGuestUser:True and event.outcome:success", "references": [ "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" @@ -49,5 +49,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json index d0d3200d00058..3a13c02a368ad 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Cluster Creation", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_application.json index a13c92f6d654b..ee2fdb5b75eac 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_application.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_application.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "User Added as Owner for Azure Application", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)", "risk_score": 21, "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86", @@ -43,5 +43,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_service_principal.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_service_principal.json index 560c674658e67..aacc17bb6be53 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_service_principal.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_service_principal.json @@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "User Added as Owner for Azure Service Principal", - "note": "The Azure Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals" @@ -46,5 +46,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json index 52a835b3d6fd9..652a9a9466f01 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler SPL File Created", - "note": "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.", + "note": "## Threat intel\n\nRefer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.", "query": "file where event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\")\n", "references": [ "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_login_without_mfa.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_login_without_mfa.json index 88f542f246863..5ab6b41582030 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_login_without_mfa.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_login_without_mfa.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Root Login Without MFA", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_updateassumerolepolicy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_updateassumerolepolicy.json index 5f499601ba6aa..8f01db818dfb9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_updateassumerolepolicy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_updateassumerolepolicy.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Assume Role Policy Update", - "note": "The AWS Filebeat module must be enabled to use this rule.", + "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success", "references": [ "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws" @@ -50,5 +50,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json index ab99f9c69c847..9a058b50683b6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json @@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Filebeat Module Indicator Match", - "note": "## Triage and Analysis\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation\n", + "note": "## Triage and Analysis\n\nIf an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n\n- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation\n", "query": "file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" From 4831826bae74f7927dc59ab2d9a4af265dc87ae0 Mon Sep 17 00:00:00 2001 From: Andrew Pease <7442091+peasead@users.noreply.github.com> Date: Mon, 10 May 2021 21:38:20 -0500 Subject: [PATCH 11/11] Update Timeline Template README.md (#95814) ## Summary `xpack.security_solution.signalsIndex` is listed to be added to `kibana.dev.yml`, however that generates: ``` FATAL Error: Unknown configuration key(s): "xpack.security_solution.signalsIndex". \ Check for spelling errors and ensure that expected plugins are installed. ``` I think this should be `xpack.securitySolution.signalsIndex` This is for the steps to create a timeline template. ### Checklist Delete any items that are not applicable to this PR. - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --- .../security_solution/server/lib/detection_engine/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/README.md index d383413088b9b..5806df1de0e3d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/README.md +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/README.md @@ -35,7 +35,7 @@ source ~/.zshrc Open your `kibana.dev.yml` file and add these lines: ```sh -xpack.security_solution.signalsIndex: .siem-signals-${your user id} +xpack.securitySolution.signalsIndex: .siem-signals-${your user id} ``` Restart Kibana and ensure that you are using `--no-base-path` as changing the base path is a feature but will