From 98fde783791f231773fec22126d595153f1a5796 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 13 May 2026 14:22:20 -0500 Subject: [PATCH 1/2] Add dirtyfrag module for CVE-2026-43284 and CVE-2026-43500 Detects Dirty Frag kernel page-cache write vulnerabilities (xfrm-ESP and RxRPC) and optionally applies mitigation via modprobe.d module blacklisting. --- cfbs.json | 41 +++ security/dirtyfrag/README.md | 138 ++++++++ security/dirtyfrag/dirtyfrag.cf | 402 ++++++++++++++++++++++++ security/dirtyfrag/inventory-status.png | Bin 0 -> 50761 bytes security/dirtyfrag/patched-kernels.json | 66 ++++ 5 files changed, 647 insertions(+) create mode 100644 security/dirtyfrag/README.md create mode 100644 security/dirtyfrag/dirtyfrag.cf create mode 100644 security/dirtyfrag/inventory-status.png create mode 100644 security/dirtyfrag/patched-kernels.json diff --git a/cfbs.json b/cfbs.json index 549f89d..7d7c609 100644 --- a/cfbs.json +++ b/cfbs.json @@ -142,6 +142,47 @@ "bundles delete_home_dotshosts:main" ] }, + "dirtyfrag": { + "description": "Detect and optionally mitigate CVE-2026-43284 (DirtyFrag) and CVE-2026-43500 in the Linux kernel.", + "tags": ["security", "inventory", "detection", "mitigation"], + "subdirectory": "security/dirtyfrag", + "steps": [ + "copy dirtyfrag.cf services/cfbs/modules/dirtyfrag/dirtyfrag.cf", + "copy patched-kernels.json services/cfbs/modules/dirtyfrag/patched-kernels.json", + "policy_files services/cfbs/modules/dirtyfrag/dirtyfrag.cf", + "bundles dirtyfrag:main", + "input ./input.json def.json" + ], + "input": [ + { + "type": "string", + "variable": "mitigate_esp", + "namespace": "dirtyfrag", + "bundle": "main", + "label": "Mitigate CVE-2026-43284 (ESP/IPComp)", + "question": "Blacklist esp4, esp6, ipcomp4, ipcomp6 kernel modules? (breaks IPsec) [true/false]", + "default": "false" + }, + { + "type": "string", + "variable": "mitigate_rxrpc", + "namespace": "dirtyfrag", + "bundle": "main", + "label": "Mitigate CVE-2026-43500 (RxRPC)", + "question": "Blacklist rxrpc kernel module? (breaks AFS/RxRPC) [true/false]", + "default": "false" + }, + { + "type": "string", + "variable": "mitigate_userns", + "namespace": "dirtyfrag", + "bundle": "main", + "label": "Mitigate CVE-2026-43284 via user namespaces", + "question": "Set user.max_user_namespaces=0? (blocks ESP exploit without disabling IPsec, may break rootless containers) [true/false]", + "default": "false" + } + ] + }, "demo": { "description": "Enables convenient and insecure settings for demoing CFEngine.", "subdirectory": "management/demo", diff --git a/security/dirtyfrag/README.md b/security/dirtyfrag/README.md new file mode 100644 index 0000000..8d4b3d6 --- /dev/null +++ b/security/dirtyfrag/README.md @@ -0,0 +1,138 @@ +Dirty Frag is a pair of kernel page-cache write vulnerabilities affecting Linux kernel modules that use nonlinear sk_buff (skb) fragments. An unprivileged local attacker with access to a network namespace can trigger out-of-bounds memory writes, potentially leading to privilege escalation. + +- **CVE-2026-43284** (xfrm-ESP/IPComp): Affects `esp4.ko`, `esp6.ko`, `ipcomp.ko`, and `ipcomp6.ko` modules when unprivileged user namespaces are enabled. Patched in stable kernel trees as of May 2026. +- **CVE-2026-43500** (RxRPC): Affects `rxrpc.ko` module. Patches available for some distros as of May 2026; mitigation via module blacklisting where unpatched. + +## Vulnerability conditions + +- **CVE-2026-43284**: Requires `esp4`, `esp6`, `ipcomp`, or `ipcomp6` kernel modules present AND `/proc/sys/kernel/unprivileged_userns_clone` set to `1` +- **CVE-2026-43500**: Requires `rxrpc` kernel module present (no additional prerequisites) + +## Inventory + +After adding this module you can view Dirty Frag vulnerability status in Mission Portal Inventory Report: + +[![Inventory showing Dirty Frag status](https://raw.githubusercontent.com/cfengine/modules/master/security/dirtyfrag/inventory-status.png)](https://raw.githubusercontent.com/cfengine/modules/master/security/dirtyfrag/inventory-status.png) + +- **Dirty Frag CVE-2026-43284 (xfrm-ESP) status**: + - `VULNERABLE (esp4, esp6 loaded)` -- vulnerable modules currently in memory (names vary by host) + - `VULNERABLE (modules on disk, none loaded)` -- modules present but not loaded; latent risk + - `PATCHED (kernel fix applied)` -- running kernel version includes the fix (auto-detected or admin-declared) + - `MITIGATED (blacklist in place)` -- modprobe blacklist or userns restriction active + - `NOT AFFECTED` -- vulnerable modules not present on this host +- **Dirty Frag CVE-2026-43500 (RxRPC) status**: + - `VULNERABLE (rxrpc loaded)` -- module currently in memory + - `VULNERABLE (module on disk, not loaded)` -- module present but not loaded; latent risk + - `PATCHED (kernel fix applied)` -- running kernel version includes the fix (auto-detected or admin-declared) + - `MITIGATED (blacklist in place)` -- modprobe blacklist active + - `NOT AFFECTED` -- rxrpc module not present on this host + +## Mitigation + +Each CVE has an independent toggle and separate conf file: + +**CVE-2026-43284** (ESP/IPComp) -- `/etc/modprobe.d/dirtyfrag-esp.conf`: + +``` +# Dirty Frag CVE-2026-43284 mitigation: block xfrm-ESP and IPComp +install esp4 /bin/false +install esp6 /bin/false +install ipcomp4 /bin/false +install ipcomp6 /bin/false +``` + +**CVE-2026-43500** (RxRPC) -- `/etc/modprobe.d/dirtyfrag-rxrpc.conf`: + +``` +# Dirty Frag CVE-2026-43500 mitigation: block RxRPC +install rxrpc /bin/false +``` + +This prevents the vulnerable modules from loading. When mitigation is first applied, already-loaded modules are unloaded via `rmmod`. + +**CVE-2026-43284 alternative** (user namespaces) -- `/etc/sysctl.d/dirtyfrag-userns.conf`: + +``` +# Dirty Frag CVE-2026-43284 mitigation: disable unprivileged user namespaces +# Blocks ESP/IPComp exploit without disabling IPsec. +# WARNING: May affect rootless containers and sandboxed applications. +user.max_user_namespaces = 0 +``` + +This blocks the ESP/IPComp exploit path without blacklisting the modules, preserving IPsec functionality. Use this instead of `mitigate_esp` on hosts that require IPsec. Note: this does **not** mitigate CVE-2026-43500 (RxRPC) and may break rootless containers (Podman, Docker rootless), Flatpak, and browser sandboxes. Applied via `sysctl --system` on first write. + +All mitigations are **disabled by default** -- the module only reports status unless the corresponding CMDB variable is set to `"true"`. + +## Usage + +Add the policy to your inputs: + +``` +inputs "security/dirtyfrag/dirtyfrag.cf" +``` + +To enable mitigation, set one or both variables in your site's `def.json` (Augments): + +```json +{ + "variables": { + "dirtyfrag:main.mitigate_esp": { "value": "true" }, + "dirtyfrag:main.mitigate_rxrpc": { "value": "true" }, + "dirtyfrag:main.mitigate_userns": { "value": "true" }, + "dirtyfrag:main.esp_patched": { "value": "true" }, + "dirtyfrag:main.rxrpc_patched": { "value": "true" } + } +} +``` + +| Variable | What it does | Trade-off | +|----------|-------------|-----------| +| `mitigate_esp` | Blacklists esp4, esp6, ipcomp4, ipcomp6 | Breaks IPsec | +| `mitigate_rxrpc` | Blacklists rxrpc | Breaks AFS/RxRPC | +| `mitigate_userns` | Sets `user.max_user_namespaces=0` | May break rootless containers/sandboxes | +| `esp_patched` | Declare CVE-2026-43284 as patched | Admin must verify kernel is actually patched | +| `rxrpc_patched` | Declare CVE-2026-43500 as patched | Admin must verify kernel is actually patched | + +Typical combinations: +- **Most hosts**: `mitigate_esp` + `mitigate_rxrpc` (full protection) +- **IPsec hosts**: `mitigate_userns` + `mitigate_rxrpc` (preserves IPsec) +- **Container hosts needing IPsec**: `mitigate_rxrpc` only (partial, accept ESP risk until patched kernel) + +Default behavior (variables unset) is status-only reporting. + +## Detection details + +The module checks for vulnerable modules in three ways: + +1. **On-disk `.ko` files** under `/lib/modules/$(kernel_version)/` +2. **Compressed variants** (`.ko.zst`, `.ko.xz`) on distros that compress modules +3. **Currently loaded modules** via `/sys/module/` entries + +For CVE-2026-43284, the module also checks whether unprivileged user namespaces are enabled (`/proc/sys/kernel/unprivileged_userns_clone`), since the exploit requires namespace access. + +## Kernel patch detection + +The module automatically detects whether the running kernel includes fixes for the Dirty Frag CVEs by comparing the kernel version (`uname -r`) against known-patched versions from distro security advisories. This data is maintained in `patched-kernels.json`, shipped alongside the policy. + +Currently tracked distros: + +| Distro | CVE-2026-43284 | CVE-2026-43500 | +|--------|---------------|---------------| +| RHEL/CentOS/Alma/Rocky 8 | 4.18.0-553.123.2 | 4.18.0-553.123.2 | +| RHEL/CentOS/Alma/Rocky 9 | 5.14.0-611.54.1 | 5.14.0-611.54.3 | +| RHEL/CentOS/Alma/Rocky 10 | 6.12.0-124.55.2 | 6.12.0-124.55.3 | +| Debian 11 (Bullseye) | 5.10.251-4 | 5.10.251-4 | +| Debian 12 (Bookworm) | 6.1.170-3 | 6.1.170-3 | +| Debian 13 (Trixie) | 6.12.86-1 | 6.12.86-1 | +| SLES 15 SP7 | 6.4.0-150700.53.45.1 | 6.4.0-150700.53.45.1 | + +When a patched kernel is detected, the status reports `PATCHED (kernel fix applied)` instead of `VULNERABLE`. The module uses `sort -V` (version sort from coreutils) to compare kernel versions. + +For distros not in the data file, or hosts running custom/backported kernels, set the admin override variables `esp_patched` and/or `rxrpc_patched` to `"true"` via augments. + +To update the patched kernel data, edit `patched-kernels.json` and redeploy. The data file is intentionally separate from the policy so it can be updated independently. + +## Adding exceptions + +To exclude specific hosts from mitigation, use conditional augments to override them to a value other than `"true"`. + diff --git a/security/dirtyfrag/dirtyfrag.cf b/security/dirtyfrag/dirtyfrag.cf new file mode 100644 index 0000000..4795ca9 --- /dev/null +++ b/security/dirtyfrag/dirtyfrag.cf @@ -0,0 +1,402 @@ +body file control +{ + namespace => "dirtyfrag"; +} + +bundle agent kernel_patch_check +# @brief Checks whether the running kernel includes fixes for Dirty Frag CVEs +# by comparing the kernel package version against known-patched versions +# from distro security advisories. +# +# Sets classes: +# dirtyfrag:_esp_kernel_patched +# dirtyfrag:_rxrpc_kernel_patched +# dirtyfrag:_patch_data_matched +{ + vars: + "_data_file" + string => "$(this.promise_dirname)/patched-kernels.json"; + + "_data" + data => readjson("${_data_file}"), + if => fileexists("${_data_file}"); + + "_entries_idx" + slist => getindices("_data[entries]"), + if => isvariable("_data[entries]"); + + "_os_id" + string => "$(default:sys.os_release[ID])", + if => isvariable("default:sys.os_release[ID]"); + + "_os_ver" + string => "$(default:sys.os_release[VERSION_ID])", + if => isvariable("default:sys.os_release[VERSION_ID]"); + + # Find matching entry: the entry whose id_match and version_match + # both match this host's os-release ID and VERSION_ID. + "_matched_idx" + string => "${_entries_idx}", + if => and( + regcmp("${_data[entries][${_entries_idx}][id_match]}", "${_os_id}"), + regcmp("${_data[entries][${_entries_idx}][version_match]}", "${_os_ver}") + ); + + "_esp_patched_ver" + string => "${_data[entries][${_matched_idx}][cve_2026_43284]}", + if => isvariable("_data[entries][${_matched_idx}][cve_2026_43284]"); + + "_rxrpc_patched_ver" + string => "${_data[entries][${_matched_idx}][cve_2026_43500]}", + if => isvariable("_data[entries][${_matched_idx}][cve_2026_43500]"); + + classes: + "_patch_data_matched" + expression => isvariable("_matched_idx"); + + # Use sort -V to check: if the patched version sorts <= running version, + # then the running kernel is patched. We test by checking that the + # patched version comes first (or equal) in version-sorted order. + # printf '%s\n' "$patched" "$running" | sort -V | head -1 + # If result == patched, then running >= patched. + "_esp_kernel_patched" + expression => returnszero( + "/usr/bin/test \"$(const.dollar)(/usr/bin/printf '%s\n' '${_esp_patched_ver}' '$(default:sys.release)' | /usr/bin/sort -V | /usr/bin/head -1)\" = '${_esp_patched_ver}'", + "useshell" + ), + if => isvariable("_esp_patched_ver"); + + "_rxrpc_kernel_patched" + expression => returnszero( + "/usr/bin/test \"$(const.dollar)(/usr/bin/printf '%s\n' '${_rxrpc_patched_ver}' '$(default:sys.release)' | /usr/bin/sort -V | /usr/bin/head -1)\" = '${_rxrpc_patched_ver}'", + "useshell" + ), + if => isvariable("_rxrpc_patched_ver"); + + reports: + inform_mode._patch_data_matched:: + "Dirty Frag: matched distro ${_os_id} ${_os_ver} (entry ${_matched_idx})"; + + inform_mode._esp_kernel_patched:: + "Dirty Frag CVE-2026-43284: kernel $(default:sys.release) >= ${_esp_patched_ver} (PATCHED)"; + + inform_mode._rxrpc_kernel_patched:: + "Dirty Frag CVE-2026-43500: kernel $(default:sys.release) >= ${_rxrpc_patched_ver} (PATCHED)"; +} + +bundle agent main +# @brief Detects Dirty Frag (CVE-2026-43284, CVE-2026-43500) vulnerability +# and applies CMDB-toggleable mitigations via module blacklisting. +# +# Usage: +# inputs "security/dirtyfrag/dirtyfrag.cf" +# +# CMDB variables (set via def.json augments): +# { +# "variables": { +# "dirtyfrag:main.mitigate_esp": { "value": "true" }, +# "dirtyfrag:main.mitigate_rxrpc": { "value": "true" }, +# "dirtyfrag:main.mitigate_userns": { "value": "true" }, +# "dirtyfrag:main.esp_patched": { "value": "true" }, +# "dirtyfrag:main.rxrpc_patched": { "value": "true" } +# } +# } +# +# Mitigation toggles (each independently controls a mitigation strategy): +# mitigate_esp -> blacklists esp4, esp6, ipcomp4, ipcomp6 +# mitigate_rxrpc -> blacklists rxrpc +# mitigate_userns -> sets user.max_user_namespaces=0 via sysctl +# (blocks CVE-2026-43284 without disabling IPsec, +# but may affect rootless containers/sandboxes; +# does NOT mitigate CVE-2026-43500) +# +# Admin patch overrides (suppress false positives on patched kernels): +# esp_patched -> declare CVE-2026-43284 as patched on this host +# rxrpc_patched -> declare CVE-2026-43500 as patched on this host +# +# Kernel patch detection is automatic for known distro versions +# (see patched-kernels.json). The admin overrides are for distros +# not yet in the data file, or custom/backported kernels. +# +# When disabled (default), the module only reports vulnerability status. +{ + methods: + # Run kernel patch check before evaluating status + "kernel_patch_check" usebundle => "dirtyfrag:kernel_patch_check"; + + vars: + # --- Constants --- + "_esp_conf_path" string => "/etc/modprobe.d/dirtyfrag-esp.conf"; + "_rxrpc_conf_path" string => "/etc/modprobe.d/dirtyfrag-rxrpc.conf"; + + "_esp_conf_content" + string => concat( + "# Dirty Frag CVE-2026-43284 mitigation: block xfrm-ESP and IPComp$(const.n)", + "install esp4 /bin/false$(const.n)", + "install esp6 /bin/false$(const.n)", + "install ipcomp4 /bin/false$(const.n)", + "install ipcomp6 /bin/false$(const.n)" + ); + + "_rxrpc_conf_content" + string => concat( + "# Dirty Frag CVE-2026-43500 mitigation: block RxRPC$(const.n)", + "install rxrpc /bin/false$(const.n)" + ); + + "_userns_conf_path" string => "/etc/sysctl.d/dirtyfrag-userns.conf"; + + "_userns_conf_content" + string => concat( + "# Dirty Frag CVE-2026-43284 mitigation: disable unprivileged user namespaces$(const.n)", + "# Blocks ESP/IPComp exploit without disabling IPsec.$(const.n)", + "# WARNING: May affect rootless containers and sandboxed applications.$(const.n)", + "user.max_user_namespaces = 0$(const.n)" + ); + + # --- Read kernel version --- + "_kver" string => "$(default:sys.release)"; + + # --- Module paths --- + "_esp4_path" string => "/lib/modules/$(_kver)/kernel/net/ipv4/esp4.ko"; + "_esp6_path" string => "/lib/modules/$(_kver)/kernel/net/ipv6/esp6.ko"; + "_ipcomp4_path" string => "/lib/modules/$(_kver)/kernel/net/ipv4/ipcomp.ko"; + + "_ipcomp6_path" + string => "/lib/modules/$(_kver)/kernel/net/ipv6/ipcomp6.ko"; + + "_rxrpc_path" string => "/lib/modules/$(_kver)/kernel/net/rxrpc/rxrpc.ko"; + "_ns_proc" string => "/proc/sys/kernel/unprivileged_userns_clone"; + + # --- Read the unprivileged user namespace setting --- + "_ns_val" + string => readfile("${_ns_proc}"), + if => fileexists("${_ns_proc}"); + + # --- Loaded-module detail for inventory --- + "_esp_loaded_csv" + string => format( + "%s%s%s%s", + ifelse("_esp4_loaded", "esp4, ", ""), + ifelse("_esp6_loaded", "esp6, ", ""), + ifelse("_ipcomp4_loaded", "ipcomp, ", ""), + ifelse("_ipcomp6_loaded", "ipcomp6, ", "") + ); + + # Trim trailing ", " + "_esp_loaded_names" + string => regex_replace("${_esp_loaded_csv}", ",\s*$", "", ""); + + # --- Status strings --- + "_esp_status" + string => ifelse( + "dirtyfrag_esp_needs_mitigation._esp_any_loaded", + "VULNERABLE (${_esp_loaded_names} loaded)", + "dirtyfrag_esp_needs_mitigation", + "VULNERABLE (modules on disk, none loaded)", + "dirtyfrag:kernel_patch_check._esp_kernel_patched|_esp_admin_patched", + "PATCHED (kernel fix applied)", + "dirtyfrag_esp_present._esp_mitigated", + "MITIGATED (blacklist in place)", + "NOT AFFECTED" + ); + + "_rxrpc_status" + string => ifelse( + "dirtyfrag_rxrpc_needs_mitigation._rxrpc_loaded", + "VULNERABLE (rxrpc loaded)", + "dirtyfrag_rxrpc_needs_mitigation", + "VULNERABLE (module on disk, not loaded)", + "dirtyfrag:kernel_patch_check._rxrpc_kernel_patched|_rxrpc_admin_patched", + "PATCHED (kernel fix applied)", + "dirtyfrag_rxrpc_present._rxrpc_mitigated", + "MITIGATED (blacklist in place)", + "NOT AFFECTED" + ); + + # --- Inventory output for Mission Portal --- + "inventory_dirtyfrag_esp" + string => "CVE-2026-43284 (xfrm-ESP): $(_esp_status)", + meta => { + "inventory", + "attribute_name=Dirty Frag CVE-2026-43284 (xfrm-ESP) status", + }, + comment => "CVE-2026-43284 xfrm-ESP mitigation status"; + + "inventory_dirtyfrag_rxrpc" + string => "CVE-2026-43500 (RxRPC): $(_rxrpc_status)", + meta => { + "inventory", + "attribute_name=Dirty Frag CVE-2026-43500 (RxRPC) status", + }, + comment => "CVE-2026-43500 RxRPC mitigation status"; + + classes: + # --- CMDB toggles --- + "_mitigate_esp" expression => strcmp("true", "$(mitigate_esp)"); + "_mitigate_rxrpc" expression => strcmp("true", "$(mitigate_rxrpc)"); + "_mitigate_userns" expression => strcmp("true", "$(mitigate_userns)"); + + # --- Admin override: manually declare host as patched --- + "_esp_admin_patched" expression => strcmp("true", "$(esp_patched)"); + "_rxrpc_admin_patched" expression => strcmp("true", "$(rxrpc_patched)"); + + # --- Unprivileged user namespace enabled? --- + "_ns_proc_file_exists" expression => fileexists("${_ns_proc}"); + "_ns_val_is_1" expression => strcmp("${_ns_val}", "1"); + "_userns_enabled" and => { "_ns_proc_file_exists", "_ns_val_is_1" }; + + # --- xfrm-ESP/IPComp modules present? --- + "_esp4_on_disk" expression => fileexists("${_esp4_path}"); + "_esp6_on_disk" expression => fileexists("${_esp6_path}"); + "_ipcomp4_on_disk" expression => fileexists("${_ipcomp4_path}"); + "_ipcomp6_on_disk" expression => fileexists("${_ipcomp6_path}"); + + # Compressed variants (.ko.zst, .ko.xz) + "_esp4_on_disk_z" expression => fileexists("${_esp4_path}.zst"); + "_esp6_on_disk_z" expression => fileexists("${_esp6_path}.zst"); + "_ipcomp4_on_disk_z" expression => fileexists("${_ipcomp4_path}.zst"); + "_ipcomp6_on_disk_z" expression => fileexists("${_ipcomp6_path}.zst"); + "_esp4_on_disk_xz" expression => fileexists("${_esp4_path}.xz"); + "_esp6_on_disk_xz" expression => fileexists("${_esp6_path}.xz"); + "_ipcomp4_on_disk_xz" expression => fileexists("${_ipcomp4_path}.xz"); + "_ipcomp6_on_disk_xz" expression => fileexists("${_ipcomp6_path}.xz"); + + # Currently loaded + "_esp4_loaded" expression => isdir("/sys/module/esp4"); + "_esp6_loaded" expression => isdir("/sys/module/esp6"); + "_ipcomp4_loaded" expression => isdir("/sys/module/ipcomp"); + "_ipcomp6_loaded" expression => isdir("/sys/module/ipcomp6"); + + "_esp_any_loaded" + or => { + "_esp4_loaded", "_esp6_loaded", "_ipcomp4_loaded", "_ipcomp6_loaded" + }; + + "dirtyfrag_esp_present" + or => { + "_esp4_on_disk", + "_esp6_on_disk", + "_ipcomp4_on_disk", + "_ipcomp6_on_disk", + "_esp4_on_disk_z", + "_esp6_on_disk_z", + "_ipcomp4_on_disk_z", + "_ipcomp6_on_disk_z", + "_esp4_on_disk_xz", + "_esp6_on_disk_xz", + "_ipcomp4_on_disk_xz", + "_ipcomp6_on_disk_xz", + "_esp4_loaded", + "_esp6_loaded", + "_ipcomp4_loaded", + "_ipcomp6_loaded", + }; + + # --- RxRPC module present? --- + "_rxrpc_on_disk" expression => fileexists("${_rxrpc_path}"); + "_rxrpc_on_disk_z" expression => fileexists("${_rxrpc_path}.zst"); + "_rxrpc_on_disk_xz" expression => fileexists("${_rxrpc_path}.xz"); + "_rxrpc_loaded" expression => isdir("/sys/module/rxrpc"); + + "dirtyfrag_rxrpc_present" + or => { + "_rxrpc_on_disk", + "_rxrpc_on_disk_z", + "_rxrpc_on_disk_xz", + "_rxrpc_loaded", + }; + + # --- Mitigation conf files in place? --- + "_esp_conf_exists" expression => fileexists("${_esp_conf_path}"); + "_rxrpc_conf_exists" expression => fileexists("${_rxrpc_conf_path}"); + "_userns_conf_exists" expression => fileexists("${_userns_conf_path}"); + + # ESP is mitigated by modprobe blacklist, disabled userns, patched kernel, + # or admin override + "_esp_mitigated" + or => { + "_esp_conf_exists", + "_userns_conf_exists", + "!_userns_enabled", + "dirtyfrag:kernel_patch_check._esp_kernel_patched", + "_esp_admin_patched", + }; + + # RxRPC is mitigated by the modprobe blacklist, patched kernel, + # or admin override + "_rxrpc_mitigated" + or => { + "_rxrpc_conf_exists", + "dirtyfrag:kernel_patch_check._rxrpc_kernel_patched", + "_rxrpc_admin_patched", + }; + + # --- Per-CVE vulnerability checks --- + "dirtyfrag_esp_needs_mitigation" + and => { "dirtyfrag_esp_present", "!_esp_mitigated" }; + + "dirtyfrag_rxrpc_needs_mitigation" + and => { "dirtyfrag_rxrpc_present", "!_rxrpc_mitigated" }; + + files: + # --- CVE-2026-43284: ESP/IPComp mitigation --- + _mitigate_esp:: + "${_esp_conf_path}" + create => "true", + content => "${_esp_conf_content}", + classes => default:results("bundle", "dirtyfrag_esp_conf"); + + # --- CVE-2026-43500: RxRPC mitigation --- + _mitigate_rxrpc:: + "${_rxrpc_conf_path}" + create => "true", + content => "${_rxrpc_conf_content}", + classes => default:results("bundle", "dirtyfrag_rxrpc_conf"); + + # --- CVE-2026-43284 alternative: disable unprivileged user namespaces --- + _mitigate_userns:: + "${_userns_conf_path}" + create => "true", + content => "${_userns_conf_content}", + classes => default:results("bundle", "dirtyfrag_userns_conf"); + + commands: + # --- Unload ESP/IPComp modules after conf written --- + _mitigate_esp.dirtyfrag_esp_conf_repaired:: + "/sbin/rmmod" + arglist => { "esp4", "esp6", "ipcomp", "ipcomp6" }, + comment => "Unload ESP/IPComp modules already in memory"; + + # --- Unload RxRPC module after conf written --- + _mitigate_rxrpc.dirtyfrag_rxrpc_conf_repaired:: + "/sbin/rmmod" + arglist => { "rxrpc" }, + comment => "Unload RxRPC module already in memory"; + + # --- Apply sysctl after writing userns conf --- + _mitigate_userns.dirtyfrag_userns_conf_repaired:: + "/sbin/sysctl" + arglist => { "--system" }, + comment => "Apply user.max_user_namespaces=0 without reboot"; + + reports: + inform_mode:: + + "Dirty Frag CVE-2026-43284 (xfrm-ESP/IPComp): $(_esp_status)" + if => "dirtyfrag_esp_present"; + + "Dirty Frag CVE-2026-43500 (RxRPC): $(_rxrpc_status)" + if => "dirtyfrag_rxrpc_present"; +} + +body file control +{ + namespace => "default"; +} + +bundle agent __main__ +{ + methods: + "dirtyfrag:main"; +} diff --git a/security/dirtyfrag/inventory-status.png b/security/dirtyfrag/inventory-status.png new file mode 100644 index 0000000000000000000000000000000000000000..4adcd0b7c3421558ea1dfd480ddd9cdf079912a8 GIT binary patch literal 50761 zcmdRVWpEu!u%2yMk}b5w%*@Qp%*@PSF-sP+WHB={Gcz+CF&r@-G3&%PRe5>$CHa>h z$yV*`RM%9`bl2?e*VFxlE69n%!(hRD`t%82QbI)O(#I#tLV>T}2nqX0ErgIZHve8l z77mn`)qR_rRkUgmXw*s@lC|!R>^=NODUpJ(jk}M&*`Y_4=8tsDUJbX?=jYQ_iApep zK|h4P{YMifB4wRU@GsG~xYSXT(EmK>8zB;F+WEgFBKc$qxc^DfUzHMzCiTMqQ}sW+ z@N^m1e@loInVDsuPzVVLz2BbVdV2*HWdE(@hkkHT5$W>sa%x6~xbzA|kxFCY*Px&v z(96BGjjgR@Hc#7$8DV#s`Aqii{=P{%jYwzVR#=VTX_7=`;pIQ(ZIg#z|JB*8?(6H@ z=?BL1@_MyE#>?r7S{jMPH_iVqOWfAE*&nNGYB~Up#Lmt0d({&&Fes35{o5tiH4@o8 z9#Jbc-VguPHG_WP|ErA&V+jA@;{R?xi51i8za?QJvSi%52%4o*E;uoxMf|AkpO>P%H*1F z4|0&BDz%(d!xx9+9mh#3KAltTyPFh;Y8V}j*@aWefiSk@^*hJLZv_{W-R7r5Vpbe& z@nu((0mMk~_JHjkvNBvLMYn6)FH!uUG$F9Y%+8p$M#nE2WQ3P=yO<2mskP>!U)6_0 zxC_tU-fhVe$3j(4dE&s8xIAMDrLPWXe4lgSmh)H2|R-1rK8esOD%)eR4em-@zg@4vYzWt_l;SY}ndTjvj$$z!?X z@M0<2%)IS{0Y}V2dtox4e0vPc_W`=m?rDVJrgQ>0P=|}0$vvm|r-%!H2JUsSuGvGB zTrX}&=_5<8J-cbKCz2q`{3G%g{tmKr&`09KWh4XWAyzl)bT-qQ6UHc|nqgJiHTUd} zc;i9&YgSfRMIg0@FOU3>?(?iWs?Jr4!FMM-k{LBWX~}RS)k5Dd zagCK))LM@yerGu;-l*aCXEyN7eb~(cl_!svpk{O+>tfUUHnXgMR2wl?-_dg#wXBuauH5U%inmn0pd9 zYTjDA%n7s37KyaU5YL&C`U{3XiP?9LaYK+fYz6JY4taDT9;wL{Dz4seaCQLyl+eM8 zT^_|;ld|5&O;q^hyI#k0aG;Y|msP{9dXJQ5eI$1GqetAHLXd~93~g;C*}Tt)#Qgk% zpJim0gMc!row_IoIi^;R{H~@4v=zZarYXrzDN&zqQe&-8!k^xN&%j(TB!C6BpHRhk z500C_#Sy$KyM6$mRx0rd$LB-Z9zP^y-dPx5aTUQfj?w!T48OBW$dl*l#8jDzXT;0l zhQ^eek#)(hcJtjd@QgFHA3P+}^5B9qrVJh-PN>7K0@Eyo_K+q&@QN%w8v?O}KMy2}P*HBC44rQS!EnwM?mk zGx}WE-Tm;}I@z7!tA92QKru38b%oL8QO_4QJBP@nV%GtP+rXt# z>ks?M46~HGmbFM36I~$GI4^PcLPVyUoLsSKjBawAwRn4fqY%_KIo<|qxwX-|OUw&m zQ1|BH4NQ+-1~m&1L&=Q?54{`Hq^_rwKax3k8=~U)Jj@lX8N_g^4a3;L`I@nRnh9V!BXHmWeb#w+Lcg5b)l_`cV zYCpi83v?7bEZVOJC#S`O4(IXEXs|@8)Fq#6^*kyezI>l8EZUOipJ#DWxtP~7CCES^ z*mW#k`tm|vc@7BKD!C|KxQA{pxd*n~Q)4KA$+ozYnE|}b^Az4Q^tpBkqC9j@5cgcD z#HgRJDkB=M{A^zSmmsBfv*;_DFeJYXIn3q+O|er%OYv2e-!OZt ztGJVoSYo_>+S8L%!cy>Gw{+wq#gI9Uvyf)2SdUMPrb4;R0d=lSE^gUI!+Fn*b00&` zfsq)kM?dvC#FQtloo2dwm_L*{^;WVv-?L{gc3i~{UmJl$K~Kv_5w}>4lJN=Sbfj#_ z*ZNW~bbFmQyP#TxMjdZxCiFbtjByT2J%`<1!D1Kg@o8$ zk)1pn4??c6nwzIY3<7*0yA?7KcQ4EP8g-v>V1XZXU`R3c(`l(&rp7D2KbdU48-RwG zAqcJ;fsSZeT4g6ze@Cq?9Xa5zle=Cat#JFc(Q~`CH-nCu#X_2UCWgSAMOqXweqFdJ zT%3XrJZDRM-vphZW(Ru%mD%tVU7ox*B~~R2yRpnb<=joFWO`Dj*^ZwbnoBzEk?NL~ zGv;ax%M1Gkk5i^Cb7<{jaWbslQtjtnxR&I=<9*A|7$7hA2-C?57yZ6|E^A~lJ-Lt?7Lwt7i! z08!K`so+i}bH8V0pQx8wi9x=iEsSh?g{6fVTM7N%<@-k(; zB(GygRGW6$!87I4BqhSrBf*12*)^>4U%TGp)i+Eo+<#{(;t>s^U zHPi(;ii6ZDo4WIAMY7tu_k4TEtJBbzrzJ}3=<1Nt$*Rq19p$Ps#9X8wr-Qvx<7~<< z2Pf(3MU{10yz>%DZ)axm)jClBkZ;HRDrl8OJk8@?{5%2Q7e)93ciYG~MUf6x)2*aqOPI-xH=%bn3MV6$I9$(uwbQsDy*)ca)5J zWgL5_V3$nx(vfT-Q!!k`47IB8RP9Z#fwSNajTK zsug=>-rLslO8(54sJPFuR~4bdDW4%`O1G*#RMQbcRenpAW zm(`K&Fh-J}Zhz{Y8;1pby~NGMnNL*WjrHqL6wrB(p&&d>={rc0U6ZpK!Uo1;ERL+3 zFQttbj!--}QLE@?=;#+oD68GSlU527`9Q{{rVh8yWM#j?-0|?YCAz9o?Vg_tu6ajW za6X&k1@rToy8Fb8*<%0UEr7Pvp;D~8)Agl96dHOsUunaMlgTrt z(TE(_vJDoW*bMU{c;XBdk2Su8=cU69WhxDep2J1vnpedi1gud${qm-@wma+N`7Y@K zdU*t9wt^Y0zGE_b!KD1^qk34U9ek95bn;sIg!SPZILT|)(ALAv7I#n3eXBcj@V!ZL zcQI}(qga_$|1*x()xe4${#2&!*rpF5|1zAH$jV#+yzoO0!408e7kke%whU)%KY$Z` zsOeCmv)We%q;!}_(C|j2M*p~SF7NM?n_dEE(r#`AaD8xwk`s%vzWz(*dl6^ zS!5g(5d(!EpYgLD%+6*um;j3HGSeV(4Hf{})!1TkSsRBvB{YAk_Xjwbj5C`TYL>9V zU)!4P+KJ%D*6;zQYuq1=^}bCUY_)I|(xYFbBtZ+p)P@Obf$bIGh@u!sCo>IGn=CBm z`-dZ5F??4&l>DWB-Meay2o?`92O1D5`C)Xi@AJ6H*uKARazx@;bMp4KcvH16yBlM! zAUu-^g-lF6FD73nHs%6K{wCjoDZJ3L&k&XzB*(0gj$b(^*0ztC)nFc@y zKgXtHfoPVxOy->aE3Aa|*d2>z-%4y{oP`VmR<)DSLklPa+uU2IRYZ3dGjh2alJIv%9Xl>bIUm*}z=#4I5 z)uCkUq^6JAF-8n5b6~Wq`e*1r4TRpp(d`OGyb*IA7yK5WleLTrREB@adir6m!ydg} zH?L)!GY%*81q7@3l%+EailaE9a$WXL;OgxsXM`AzW0WgDzG-?vP0NjP zg+&h4gm|hds@=B_l-FrUQh>UGKEX8f_Nv6|^t$Ah50}#!*N{6`Ka(yQlSTjxJmD;u z*G(ShsHMeKrSd!k@_UkUpii9=iiBsVZH2tk#a)>^# z9H0HGjMfJ`**blCrEUmP%`lO&tTTWfLMcxt2|Zu`*dY>f#xmEX@K^z zK6-0X5yZqwbbj0ve6owZq*l@H;Tj{{#v2yoQ+B#o7Mq^V1RzXPdYHNP z4?A^-OFnqFG*V_yn-OHQ$&gOh-7g-9;I(o-=nk5pX@;YfkSegI$#L!u)id6t zv*5I5)P6le^!uuDy?69(!wHT@?Bh}j)iczq89N6l3Vc&HcP;p6-L5TX|4{?!Q(7J~ zSF;;i>Gcwh{Q1S;ZOd=}{WZ4J%Oyvc8NFdaJ5+ispb+?750`u1&5hvzT6WM{$W|#U zOY(i0x(#&#mI#T;*xR;r_e0F{VO`eZqV9Z)G4w!>Hwru9dVDub}pVbNh})t;r4HWV`qHkr}x)_*>9ITjm68i^&u zDK=uBF_o4PyQx(fU}uiSjy1T+%^Af)Cvam}RGH8l zgg`%2!QOfE{psB8@kvihXy*BGbgLMb^@8OXpMS585OTGlD8d&(%Z$W}3w{QVC$et3 z^@ekxv`^a|xSDQ9O8dRbDT80Q>emz~d5AY7fjyGEtU)c``$%4AMiU%R<@3q}^pQ=b zvyh5$CxZ)+m+xiu5oAii9O8_Pv%%K?q77dv;P-Yvv&vQrSxxsWnN-d3Y!z)XR#Yn) zC{I=5ITI+}ZNY5Hrs*puK75W@`^{(EXFywEtN7J(IzV>Mt3aq!M=XNd-v^edb;FnvZM75YX-n1#=bL%-a-shAav~o zMzFtXaqscyTgqxkb>;XZ9ZQ5##|GNDq202aSEzS>kk?RC2-HmyTa>*`-0ZN&Xxjdv zkB#^EBps?+${(`Pgu!G=6e+Gg^f654>8w8_n`yyj&57-`KcsUc(~w5Z(dh&yJ3qpc zJU5gTTf_AmRY>IVy91wAPMxFGhEe1#tJFeaGjhmTC;;xkS>i+`9lR z|9#nvAXGAnX(lt6MvEVhC+y>cHf&Y>sl-9gBgaf4qilnQGk%G`b;v29H2Z7;8dl0lWvcBG+Gjc7OOfD%ma~D^6}yu8et1t z>_u)KI4)RS!aTrJi!oKvE{#<0fMOh2W>9?3fmp9O9fI@8#;f(YlxcY9dHPkCm6CHv zHB$>G39qc{q0wfFQRt4t(>vg;<4n-5unD=G_=oGJ<=@Q1#XD9Ut?^%kYb%u%159gv z=d#aNWf85lchBix4-G|cW_Fx|6taO;80O7KC;S_nxDPS0f)0XoG$jtcz{)20gCvUi zYTf$8K4f%LXt6^S=U{TFJnovxy6hm=UpnH(=`o4|o5cbnMM39aqc zE&F&_+h9DESemKPerrBh-C62|;c$)emeN@x((k@RuV6?O38xg{F&~LtXzRJ9;p$d9 z9%SR;MDuOuGjKXX;b_?#Pch(^yIBf^cXD9>0-~uy94}skg_0n>(CiL;*Fw%U0l`Sg z0!cbSTh#-tL!lUYd4w_FS(^8x=Z&%`nIF~~c;+$;kw>zA&ykiW@Y7c>clYKcq_lYg z>Da6FO^-H!m3qwyhU@AKqrA)6sZVm23EIZCb~}B~$~r#U0XMF@_Yz(5JKitQU_xRgD|B689(X{;j4T!VIC%YNThqAaE1KQ2*Jj#|j|s z1fO0Y3)o)Kmi^cqpT7Vn$!DmaK z6Ninoz6?*LL8edoJp=(lpM}4Dd=6Ni%hqo4)DGo_*hg-%ze zU=#FX`1j*5pUDKnxC>l()(D-&&gX`nSL~NEQrcek*lsEr^_YDcW`#5)C zv*w^_?VpM$O7(cgxL1q1alI@|=JY?R&@0Bt6uy#<$|O0M)HUGn7Dsj~WuWx{5YJC@ z>3k+W{pYq~x(a)&g4ckoU5JJfeGRl3dgYwemtU^;g%*6cKgJ8fHjPpJ`2Obh<%Asg z#B$V}{HK&g&3J9BbBybU38GCTU-@?C167+C>n9PaWyhB#{aC$I}PV}lhlw_6`s zWwllv?al=8G*EIM%?CY%Yx%oBzgSeYX)002Ym1l&%@kY^mx6(+jtF{_iBx5?gI?fv z7;yD*a9C9hD0Z*&;b&wAf>E@nGTXaK2#Wv5Q^;4Oa)DqdAU;MwT9L<-!)#p9kO)GG z$H*=0ItF(g?9^0pLz}Q#LHG+`{QGCW%6yj*mnYTp5sllbC~fc$-FoOKYxdAiZBOO- zn-BASh&^oKLG+G--DHjmNthowiJ1L!^N0rnkxP@<6G*`9w(Yq;dkn|I=`pKT)`A3 zc3ks!31P2-mwyh!B!*m6cOn^_$|f4~OeKw-tAjFc^9MRJ48g|kL+|4LsirfL+9t8v z@!oi=4BGc$p)>LGMgaF0xU7*kybH|Tn%ZBZ;u8+YX-e$x;$fBo*6-X?2}AJgp|PtlkA5De2q+qf0!oRbQb zT^3>))e3_$|e$hVPrW*uBGM~h|LqCR6u&~bdO#p`TQ-dAI1_Hv;P(y5 zwh_}u;?{k^lF3>6gsw|)WQJ%oSvJ`SuKQU%MsR$hoP8ST!I6)4A|~$LFHovB0UY@- z;8~3`z(iGJ-?I~T;mlyRK35K*%alnd!v8);My_2XH<`1JFcWm6NOHbpxy=q=R_X8w2ehqt>_#lyUfaO7cXd~Day1t0#?qYy{Jt&F?|d)?K_m9IQa2de{UvkpENOG_FfS=MsT}FM*1o_kaVH$zdZT+K zK^R^rI3ABDoUUMQ$j$t&T_)FbmDV<{d|sC{WAnE%UAFFU3;1T#Qw8cNLAIx5;J$~~ zp$dNQrK3x!@k_sWgH2=3Y7W*eglv_I7*og(#P=2uT^t9Xy ziWtJcYr@nJ3(ibQbv7g29Dpsaa~q@CTH8Tx4q#TJ&7#HqY*A_N` z6>0O+8mM(xzi(reEr}2L@n$_iAfB`1kLppZ5)@orP?`L#+YMpR)1D0QO?d&==!AK= zZ=(q++L7M8|5AA4_`L5WYo@krBjrVoQG0~}Y?RsZtB*JZle;?euuxtYOLPN-MqR+s zbI%ZaYH9+^M%PF>yTx?a>J2QyrDWJ+QiO#{Q?{BHd}wqNi1beh9Z~LC`96QA*Bg@U zQ48}5mC4LyXy-nd<99-6uVT-#|KW3qT}cr~X=?Ho(NF_I+xpTKfzBuXR+)l*McQx2}>~T=xeea_57BePbqHR zGPKZ1dLj0d|JoYKHDu1<>tyVTwsx!e9OefX_v<`HSI9??nTB?1Rzyz3f0*gJB#Y-A z6u}e9`;D7F{bI{F+_GfwSOs&eZLTu4&m*J!lc!m`nLa%#CTnHkZ)MI3`C6?&d4#glSvZyQZ9?n(d(KG<}T7VWRl0;D^9B{ zV?k_|Fy{$WTbM$QgKpoa&ovkVZMjjV)NRZ`CS(m=1rlI{bg?Xq-) zLSvjTy2`LRBFO&4g3--Zj~8oTBG>f`UBT@p%jv_+w3zjU0~<7?J`a_~5|^pA3LuDu z#HSM`6N11)iWGWYVSN?|u3pd{REoZZg!T~Uo5LAEL!s1Awcex3XkxsHgcD65=2Es4 z%Ql}l%44|I=#fE5Y+ZR~Kz6{gXE7rlsLotp>Z0+Qsj$f$$D)Z8W^e2DiH35miT7aT zeQ@F-tJJiFa4Tass*K=EAPN;n*yw@%XO&OBA0k`duE8TY6SpO`Pt8y%m(dgniO061 zR*1z9ir@l zXy4J!?7@<_0CDpH&BXkdrzqQvkgP-G^7jsZF8+$)Kn`f@u_pCWS}yS#1Cb`hqvmVk zlB;=L7@yIZBXr71-jkVz)iH%EL#5;om0>Ur7>cA6FjBiF6ZRgbTAtS%d_T^?FS1XF z%Nzv+Ug*(|X0TY{+rA*FjPVABpS3tuiKc)aHIF?yZK*@O7v?Lao;oZ7@axO1(L=x| zeT}w2%S=kE)Z7WZOc+e`dYc(Wyk-j-GTh%p1Oz_|VRxuXJ^<}hRX-lHjQA;tk2=;Q6{JzGZ{W%0(q2m^io z0Evj`qzB}Qw4nZ^hy=%hpUL>gVr6T)(hJYJW(URmbrfsA>x*OUk7*>$^4t%w!@eXq z=?1nLBSfInhe2j@xbXIN|IA2jZR5<)7LjTF>gaKa(wWT_&)bElEhbYWn5U@11_Qbt zx)_y2u3}wa`t$i>~1mR&$P{& zN_nE!4~sHbt{c&&9h^2;$Nskak5;vmnjw2=#(>6$FI{9P{a6BB2Rr4$JWaG>P5p+* zLf7}GACj5!m*>OtS)}(ixynp&jJOeLqzjEn5 zEo5CMDr0_wfe{V<`qShS!vL8J%pITLSIS^Q4iw#HsGL8D1-66iArc&}eyE3+cltdM zYJ_5#QbzLGqlCFoP9>d*^!hx>MeeBhe%b?f8QFK1N#v)1wDmm$^UqpNG?T>KsDL9H zk=6O{S=#gJKf)K(v(6>{42PWRVkb0Q!f>(A%~vSeIkP`7SuasDHDL;GE(+?T&&B5X zwJmfOLu=CLgYIk@%;e+>mp)t6Hp@X>`I=wMZ@QOE2&`f~Kixf2S~4zJF+6o0EoHQH zKKP79du`>kndSeCW?gD$CwIFjYP7@UYRUg`$qkSz}%FjMD>cB8#1SQ6v5&>I-G zD8Wr{{_$01Td*{NPUp83jIIQMCh0e(HnTLdZi8H6h)EWUIfu4Gu=MZ>)k`)3ien{3iV>SuRK0}$Z3UMT*YJY_!ICX6q-bpXbmn6PT z+Xd@TYx=28dN#Ff?qSIN27O+^dR}HYG1{Hc-Jr8>{pmvdvwHHZ*$yM$eyKQX2lx59 z3v{E}K7}UBM>{%g_UW(b^v}}U9Xei>B}QrsWhoR|M_6#DuMz4~x_h=0OCw%5n{}~0 z&O!9XO);D;1jeB^B6P;E7<${gFVwi2^_(NApl805Ha};G+pW|Bp)IGQ6dxOokD$V# zm)cUlZg;YAqj?QY!=gDS<0~$;qG>^{$8wcXGdrabo;1MVL8OZstC^Pb*W0;QTKi7g zZ>^8$vEHa0pDe~yYA{ug;LP+oE`uJbrF|#NadaL20Pu3Z%$iz`2b8IoE_qQ;N$ci& zPbs-`P-N@!^u;8^GEm25QVpfY=|UR_<_#~6b(%0Li-Y~^s|4Qb>);sR?KwJJkR|hV zap#PV^uoC=r(4lo*`yE)I%gOfPYBd{?hSSb&^u>7#tlC;a-q8c*T9|zhPD{Be(WVjofFR*d@X04P3PhpQyyA-{ zUZIkUHqTLd_fAI7Ad=f7Jpzvt#l`7d(Sm4RzfYRHyrWpOq<@ZFwOIIK_NjM-v@VR% z?k@XwurW*5yZMqF0XuH56tL(zgqn5umVY*Tm(sFITM2?-WUUpJr@~EY=xeiZ8DQB){hkvjLmI(}j!EF9r*b zhOkPxe;D+9*5z!+no8_ibTV7c^E`j-@yi?82_bmzMVJ;QHSnsa=sJ;^J}F(bzwRB1 ztGTYQYQja$zSF;k?6>-|Xqxf>rY@6hz;l@I1$Q;0$d|fT>tTXuc+K04hqV46QE}0o zi-byzYm%D~s87x(l-n%q>?<{f%jsp68oF_ZO|bC;)4d7I9U6_#xF^``dBaC?%M$v6 zBue^LZ%-|x)QcGx)>W8XhRDhx=K`zdB|<%`Z;K`0*wO`T99!cb0CXX4nKNFtF!d;v zGkf7xV`UHwCGI8Ji#-e(o5mqdg#z>lYBSRY^UuIVxiQBm3Nj5UZYyp(rZp&2Kk<~zTLYoGsA3QcfmHA>jB1U`(q52%zB>rsh zVH@~fS?o=lWsH)=0D*d|F>m!oaj`{iy8FZr?5%!9S9iVdb9t82Fu~h1hlb0^HD#7^ zAR{)ZKarc|OCp&OdWt*$W4#FU)$+V_y@he%?=kXjqj00XTJ-R3=d4WTaHGq@@wJ?I zy3UY=Dke!fw2 zx-p;siJ8;6m`SC#LmvK-CMo*k6fOg%0zS~XngF2+PXcs0@B&n>!JiBRj)#A}R`&K4MMc=5qH@$;LSv$v3e zW{u?F!9@4P@~DQn$@1koELe7E24@hGS~N!A@Hy#;Lf)sc>TKp0G-EC%_RPWX^PyBm zYh>=ns-vJB%(8~|IfMNlFK!fqVg>%mnwO5P+O&I@UbCs1BlRXZS**{rjI^yjd9eYQo!`jF5C9Su>+rx&=JUlR3pb`D8BI|K+J|#TZTRVlX_U)0EE7;Gq!n_3r##t^gpnGxK9IsG zJ_4(SB?1Q@Hm`M}Pmz+We+eYLG{hI3$qC+jEXDLWlhv`35=V;u;Tf;9tGvmPcI}fY z6d5s+XAe&Mx|UX=Rr06_sy{v5u1yBQY@_to19 zIkM#<9UB@NPSAfyZ&aJKi)Yf@vY0Q-;kZxT8Qu52({SL3AcfkXSaU`dbzv(^9!rUW z?gP(Tvl8chHVcv&VbTBQVPBsrNP)%r#jk*H6^bu%!Bz^ZWG{7%)qvza)GH?20r&PR z`hh#7qF)vKK^`d~AYe$`BHy2AtIcwy$qx;a_gH>>p)mTZvk?#5H5e93-e@4SFvWZ) zf?XYCbI(cSh(|Q8Dp}>B$Q-JSrsHqoisV~8V_~tsxa;9mVg}1lUR{h~LN}1iZUVz& zPT--vi4tp_@%5ae=4ghOoAYs6;CM*Y*{+?+DnV4RIO{RL!3l}yh0ee&0uxTZG1DI# zqHg?L@>UZWV~zvaOaMfFhuUqHxdKo({&0nFFt0K{tGuRhx9=q@z-}6*F;fZUArYKu z3L4k+A@NG#Vsw0vBcpYX>G{l}W(T**nWpB)99S1knD{vMWbD>*UaWr$Pw72VRg`0y zB&(Fh8eObxzGfzutTm9S8VX>!#i)UBE*wuxp%Om2HBQ+BSoXSm5)%Fc!jr_xTJ@Mw zJN`Sp5M?5LUFZ!KsXX={jvTq&q1}TR+|}{VTSld8KgvAMTiIiMM~g%6=1!-Qqn-BF zVMk!Bgw6-@{b>a=$VSzi2Wq3JFa6@~R=+Q?0IU4&LM&_2&*|nM5_B|}+rGG&opcg< zILmgv`dTv%^2V>ChTGL?(|lv=h?;wO3!m|;xWrni>zb^a@wfoMk@SAYDHr2#ormvDl5z z9>D|LI{8J7(ttmOyzxJ@8S!?Axw+MgmJAWm-qExsHg<{H@vAFBC=p%NrF5xO;qLc05LVYe+QTICtHD zjoo}JmQ;-j&oDQbv&0j(^Ul>noACRUqVA1?Z}-vf5t;68izyP#vhA7s@&597roq7X zxv!J6F8;F~{q=V_F|OE~C~el?P}^?-QBU@a14S2buI0PV+mGC_9qtB?Ez8Mok0;wY zz+PD|&+7F4+WciOxisiI;fD`YHooRy?@6o!)m$*7aD;(r`-D2VgWllX#qf{t(7&Vv zBk~E2a1q(lf+z0(0}Ixzxb70{)35Yz8g6*z|G%VFtfE9F*{GQY^BI|he-mg4yD7=Z zOGd$L%u-;JVSR$Zo|DxEb0z#C^8`=gZm2SKqPqBY>VMd&IV8h>X{t|KX?&@K6B^(D zMa?Br{NFQW|25bDEA-v}vZxDcIai9iym1!AH|qVCCr7xiPf$Os(rJRiQeYki*hg7Z z|Jet7{1TABGjyYLEOu0>Q9qa8pf=Ob0zcnANNc>o9mWzq5)@DigY?JJce=vw@86!% z)Be6i*M7YM617__*O4zrj8{D_Rd;7Hu0fp!AF&-LbpxR__f8lAU#=gRFE}Z-HoGP^ zPM|GUy~w9R@r=i_k2+aS)`MR<4HoKw&M$`K(XaR>qvPvu*L>x~=x@^*1>7@pZoLSe z=iaYN;~-h@!0o*rxh{YNd&io!2tAc1H7C!d@plcb=4dG%cCvnKxg7F zL>i3|fK6Quz~*Lk*TdRo6P4@lO7l7^ zvOszAV)Ehcy`9XsMJny@k^Kh_)jQ%P`tsLG2gxiVBu9Rh{%L8{Lt=WQ9ooJ(3Hb89 zCU$y29gvGSzl_qI;!6(o!vNjUY|AZSs0hiU>vV~3)fxchA-`7K3F}UOVpV<>rl7|^ zzQzyFNNOgg6`ej*a`%Qq^+d7++)obeM-j23Xk4SWSj?SJ8sOl_s^dW0d#WJ8c&zI!goKp0IdddXC}qn z)%yn#F&Ns5<{R*wmiKj+gEu=ko-X5FlqT!RnvZ+TI!fKELb%p$RP^rt0hMf3r#Zf3 zW0`W3mw4!RRX!A(1~?PdK2uE1gDVBjREH7S9;lvQ&C1ANH)q|C-< zCS_v;`*(k)rkT>VWLsLwa6=5+fD^K(PZe6%@d>A%g&er(NFlMCvX0DJCurVZ#8;N+z_#=M%VXTt;0rUH* z|7x?`XyF&c%nfrR_{-{AHKdT>Y`!ai1Ac&C2SowxUH?XZ?)G^M0%=RnYFM76U{BH1p1DsGfq|-fBrWBdO(H0cD7zvm2OO(UaL6vHit1;Ab%;IXZx4% z>)}uNn3^yE4ivmUx1L^&8(?Saj&YGnl&;a6 zescr39hO|itogX0Z(W`ewMQ`T!k6Uw7ifI`v=#pKwu0gnYuZ%Dq49eD{4Y$6#h+)8 zn-5;o?&ZrS`78WwotJ5@RQ@`UX>(3x^-2Cg)G{Z07nE|MViZ{h$oE3|=_%u81)0-8xGXiNaT5=$ zl@VM#9mMp-aZDKHj=NR@=eJ&BQSUjo^;e`&crG*h6_l&3UfGZd`?aJI? zw#45##KO7#X%M`KvkR(YnqJud6GTERu?m%e6aR=s?Rqfzfd$Qa^rwrRg!i{jaw-(` zvh>>|o^KgTx6L2X$a3u`Kl$g#Tju6xoC{)OZ^7 z)}7WXKU2!LBU5^qlKAQ-`>sc#uKPU)zk=ZX6KFCpfM8uG>No9(uUQhoS5L8T)=>5z z8^o~#O=;t_o%x3Yx%5jpYH6qcTKVP#{?`(*>d>6p`fv+Ctq3hfccGfGYB^>xZAPnZed%PcN$8ybR<0gH(-2K=EU!hOxOn0uRrM@0KqTcXGuk?$1|)?)X5ZS~ zjPLLX*~xYEb4=}1f=>YlIT5Lap7uA6`ky1TVUsL&gUqTX6DK#oK?chBFmCVO$g1gs zh%`RPu8tPjlrbmNaP2sP9-b*3DmAr;D;ZN#P<&wbfUfjCQHahi9q8z6k*_}Xw-E`% z#47Sw5KKqJeIqm`|M&l+WT=Y-4P66FjrGyVOO7cN`I`j&5hUGZLZvROE-{nWTN760 z(r`&6K7M}88DvKMgFqIq8bga%L$1xMfYzgpv~9bTk3QX*xzPv9sC%rRwTcdHq6j=U ziV7JDSrC6Ikw@!>&}iZViVm$nzs8niXr63Hy1tpQ>+hh|YzT|%IN)aTPxas2^lj)s4p?-V|gLDcq zK7ZN@|9V@Ym^wO!Mwn{qpppNF{(Diz5Ed5qL+5n=zRpvfD;0#ldc>JETiNz-GDp|9 z#4%5~^aBtDApD2a;UD7%x5fW8`RR|!k2^&pD;Hrm^pZ$OPZgo(XN&UIrGbWN(Dy=Ik zMcD6sg^8uFnE&)2F5v$d`RO+z>VoL+;wo%>cZwHDnJ=oM6cMkUir}bEVoh^*VbpMw zc&W&Ai~Obdt&WE9q&Rb2U?(x!=b#Q1Wq!m95X z5wCbFmNs-3Mh!QMmua^oi6_fD33H3aV$$tg3;&OhaCWjNYF?uYU5sOI|WJU*lXZo-b`L zOx%AJ7t?H&T*!wUO1QN^cv*Uh>hps{Z03vkBtLyu@#=Tcz|KV&SDY#WKdS1OIPuhf zftVinK_m&ec(S;yFfywwdL4~cxkoM@FK8nSEgFdNHxh*qN#eqonnK^oPb_<#SzzYD zcWH-2@%-|2@j^xP%AcRH?-ts46W;HiqP+_6CrBZBV=t0rezO*oDvs--5 z>qX@&j~x1j;*(g@!c*wk4Hx^Pg%Al3#f)kmqL5uXG3Dwvl{Qj}$h+IcgoW3{mz19? zKAjZ3J>7(D`+eeVHucSbGDK`{TUHb*(pPL&t&sAw*wCho&@VAg1V#xVVgf~b>(au! z=LwNfgDb>~KIgn7>s zB2EaQ41XX_-~Os1+u}svfJ(x^Yqq$Os1zSJ_7KLI-e2VIfx^VHm6#Qz+CByIm*Vd( z6BVt?h$^%0WtY&yexWIDZX8rBfM?Oh?+~E z|FCkal3CZ~wq*IY5eeTovE?j1h8?8iFBjQ(Ph~YqB=Yq9Z6;0*pzYv;bf0mB&9|b` zj(5epe!=2-$LKiZAe|W3=plfN56}P=5W)&9_jZ zqCF02t40#c$~xes9m}oz5h#=q+;|X!W+?}%nWZoBsax4oyO@OF`=9uvlwoG2hfW@E zCgIaNHZDI&*P#b!KkhWM4}ao|0utXnVeIhzbX)U=Pyr~TIl44}*5hw*>6;+_{adzf zxWM4?0kj)*kgn4&v*liF^3E9%OTdByw4QmF1N$!1f5bsLOgPV)KO%X3<1P~?9maR) z5k~+1mXC4(!OO#^Xg&A>>yH1ym!0vvdVHHqC<*y9h&i*4(thwkx=g#w z#y_I6KSm}Jd3xbClcprMQMc)rS##+t$)Q^X;g6rNaNaTeh8&>dgtN>G{KS`(V`B10 zcjz|o5Hkawvv~Fq+7At2@am^L{QQM|YfsZ{=t2CZTw%}i#Q&pRP!de44rEFzQ{w*E z#g_XidzTbpTv|Ssnx5q`v8jM-lgVtjAC;kuA~Be~6MEoQ%nP&P&G7y89Kk6sF!9_J z94)-*ek2i)^Wx|V`m}06Dd)176t09@v*~PqoO0|i_6QwpTq!kRJ-_v8g<}yfth~B1 z?r7HIq!JScN?B@TTn(3+<5SHUy|hFnpFV`5&@{u^IFAnelRSyJ5Wt}?=J*b5PSIQs z>PXPHccO?+=Ja%w?=EuWfuMZH*0`l@N03pZRcq=M`pB_kk8(Yds9Va13RdYmdqs2z z@4rc~ur@=cj3FXgpl)W0Y1%DnIJIetk2IL$Ctv0oH&KM&WBr67)GS{eYa352U0T!e zw`(cKO%>do)eJ-Hu1s7tjXECQm^n6}>5L0Jy|a@(^=e^h<4wt?^Emo3eXl|6lR!qd zZcLFP<#DRkpUKBRlJ?mkMKJsK{fY4D$k2*~a^2yP_{^UkefFa}U;)coSpPG-Ie+q# zoXA7w=69UO#>Rn`7OEQnb0Tj!BR7r)N!onO;MHY zVF{l;6G|bht+bI8Ku+aI%me23n8fK~!`VKq5}7waO7sd-%u)@M3K9}x`SS2A$NrRK zSEnkjY9Qj`iANJ1t?Zwkzj`Kc?bt=a%1;1R)7zzT3DNWi|!65EB{sEuU{1)ZgllWgwz@}+)YG&DH{(VsQ z=*C<>YhG=b#Dr5RVaBrEt@+o`GBd_NDu{`ROKS_o;{dkb5_q+2LdRCMu}i$gj{R@5 z*r6yDBqk&fpO8RYN5%!qVN3Vf&x)V9yNdm+`^WwmQ{^1@I!xxl!=({5rbVuZxY1CsyvhbeemC zH!9ALh{Xy(gx{>QQIlW-f=OJW=_XbIYgFs#ZOU z+IwPBv<@}<|IQyOVXSktT_GQBnndvNCA6zr6$`tnlxaDGUC%O>I;$-DHzEIT>G?eJ z5TWPrKO0L)zn(NU|BD_*9(rD@usubzK**DbkB#8@xwG8(YC@fQZfF1!qtev$G)$NA z%5Qx57>CTl5(}9Gvx-$ItNo09Td(jcMo!$v+pOPnADMF%YO0+0EReq>zH(^M?*!R* z^p)tWhv5>sSJFXrxAKm+%(Sadl;bn5u; zw}#nWnqg;K7RQ?7Sby&&N2d41%h?Mv=N5F?@Th>H!m>kxrj{lW#Y;{H2Jtx|wKGc4 zb1IKdVbwmI6%Au!^rcE-W0L16vyRW7w!;6stx#(XPZXr-CD-0d8Q-okc7?qtT&@Qr z_q-rgt%HJ(7uVCXL9#BkbZbq!DMtv35y{tb(bH*qFTedhwR|-vGizj5TphE{E9Oof z<@qOco+6BkOGi=7%^M5n`qUY;gF6{w+Db5}G>G|~Ou4;$9mgY8F8xE~DhvM}f^QE$ z5K^oJ{W>^PQW?tOZTGp7+`7CueU+)Z-xKHPM9+4v)G&@BaN|Xm{t=H*er4b0Ke?-0 zlo3NJGqRNf_R2&O)nwS!D9^Mm_E<}$*w-k}uOq6^)kOml7R?u-fwhHZ#(}P`hmEm> z(9jr?6tR2`2U82ZjK`lO>R4N7LU;^c@^LmuM80RmlAE0TW=sn|Z~9f!3(nKQ%tds0RF8^^YsXVD`A+V`%+;7Z!Oy>f^3H{w+~+E?zrEkvXC-VAPJj`Cp; zGgm+3O*VCjd-{NBYn~Bo;y~Z-WoTVAo>QAIv-UyeMF%BsPG4iH|69VW9O&ZfLVX80 zw=ccpRUE{>c*xY1LEM*F(x$Bk?cCLPbo3gN_k@sU9}5M~UL{iAw*sT<8xeK?0n-;h zA+DSkzw|AQOVVd{Y<5HLYInFT+mRw=g*)>1WDXq)Sp%}ZlKq4G#ge9rGYrZ z@HXSw{yzO>DxO{9Jk=OGX96Q@%DA+6D6M|Its*E>k)bD#MOmsTqxAysT?N2n?O=thk@if)E$MV5*IgqOtkv-9O)-q_t3!J)kr%C!*%Afp2f*-vg zTINh~X&}Q}Hlj#jPb^(q(|+b@UgqU-WkT`x4R4i(I2AL_D0H>#a4Ia}!|M-uI&ob*w|pKI^%V z8qhWkMc#5qd?V;l2vR2}bk8oJO_i#cTbHG16IUcZS(YVVNg__z!^ry^*`-}6evz5zh_ znPUO>kW^_+hoad`6etpjiHIU1B8qPzuQ;)24F|(yI9Dl$tzkJPuk1^i(ESXVaEce# zR?u(JbDRgyWO{Y|bo)G)JPM~)M#zbY_(oXRSHeO+asS|Aemfb5mZuLsg_OL$`dyVQgqp@ic*Y+Ogb;`p3%Yy;j zP}tF?omYXvn-mOvYD}I^U&qgE899qXAp#`QY$q_3u@PzG=JS_uA~SbtKqSTz5fMd1 zL?mBc-(=O?gFF)!RI8dCt^$(y!~ZZrQV-fRu|?anKFu8z+}ahWVy7k}f4+g*c3zm; zcwttw4)tcwtP7wNQewmDSKp&A8$^$af%}$Hnj1ph<>Jr$Y0*#anYV^ z+&%?g{UFv4=tPe*PE6dqhSi3c1y?ZlacL*iBj9~8QrZ@!M;9hRKP;w=I{zNKymJdM0bMsml^?zN#!KE#+ ze6o)rqxO&`w0i;TqI~7gpy7v+H=EAk14~)ZuPo|eF{o>*zHlX9&djAnuK=`rEN0&% z?>s}^SD_YeVJ#z#DswlaB<$b2fz^t<9UxNt$PwV;2dB~qV z<%wJm*CJn8GpHjjMZGX}tV^vv`TTA}zV*Crgp_w|Gh>uRTDZ;+;>E%sU&Du?n(u^uqQtgPW_tNU^z>io_wq-V zxnb0d*{kL-qq!c}m*h0Bn2|io^TTys689Gmp!M|g#Fp>Mtm(aIY!Jl7EEBuhRP<{~ ziHHjvyb_n`+K(sOeS+Ty2}YhJ@vCTx3`>ece__DhNM45uDr^o{BT70Zf3rjJDZ|4v zl36xogUHWK00=_n(>!ja;Jd_K9$PQ=h;~n>^a9%p~SLI z6}ps4-jy#gx2I3%^xQmT;auGq&dbjN43g8NmbNsnWJY1Bz_4;KXZFNXuBJVu3rnD} zBNr~+;`RGzl&MQLGEFt1-1gKn;)=CL7NfH-MzvP{s9TWR| z;Hd>r7(3-Dre1xKVxH3D5ZRjgnTz*-SFzK>U-PbnUo`x0NRnINmF3Y}=m{nE1E^g!~Q*r)kl-$9Q&) zQ|JA~ZA_Uzg4XftxiqZ|xw`_H$w9`bBqzm15v#hIFOj0Dr;AqF&?c-4SchSY?)a9oMp~vXU4IW` z@}nobQ&dH3&sO$-v17pDRm>=tZ05Cb2<3d+BguIsB@izceA=~`Wi2`|dUY2}W1g`4 zx5bQV{{_vn%jjbEnl=5#uuY>qyMC>XVSFsnN%6=92zes0@kyv@sb}LT{NyM94B5%t z*Rn!fak{Yuene=;Zl03ZNKL_t(a zhkxJ~+I2SI`rhNb)+o!67KJm8+oV7FwQdc5P5D>dWgwSM_oK87P$Uo?lZa~gSc!%< z`r7HH>tAmNm87V9%;`Lw4G9fdzqTu-HGt@R$SJF&9Lkr#&EJMG@T?7EcMZZvD~{-x z1QO(cGKtvO1muM@QA=qQb@y)UI@*YDZ?3a)`gEH0SLfL3hFCk*rhgY5l%;&AI?@#7 z+iR?zy@nC(zM+3%5iNmiD+JjlXGuy)$kI3D&$<6t;M~_W-6mAM{9-c=if>L&kZ9xB zWDIKul|&6tbM48Rskf;)W+K&3#-l7Zg44s@GJFFs_dHT&Cz9?nt!5RbrQIV%g$ z7q-Ju1`o5=D0ehV;p48x=7&!R6CPMLoyFs(nQux#*M| zq~(TdY-yr89jqkGe<%+A=_wKo3u=y;!{jO{Q!sHi*}nfRYGv9{%P5}cM0@JjE5ef1 zf$Y4~iy39pmyu*enz4LkTbyNpJep@G*73`#(ey61mESvL8rQj!$jQ+Sa2%cTuZ9nc zZm*-KW#(Ec`S9=wVcITuyJU4&)tnkK)UQ0nWlAi%>|@)+a2oY(O=TAujP}ES(*zzo z3`QHykZ4n_dvBV0X@J)dh6e7V>!l|=lY^Z~v&;W1SY1SX z9C1RR5fe$2u*0*(K$>((e&5OFsFJV?3ux(o09ofn?3?7H5}Q6Za`A6;Z?I~`U8MD9 zvVUolWFOPl3(Y#d%wKkZ=S_R#?fnHyO^_Pd_hhL-Q&EAdpe<;e}V@sLrp#ij@ zX^|Mb`u@)H)7@C#P>&j;W+nTl0QHLS?u0K39z5lX(vzgTY}dTnbeJiDtM~EJxG6h! zPo<%O1Za#`{9URqO?_wznPpMF-se9Suuc6lVmClD{MjHYclpRt-DTzqT9d z6r=y%?R2|Vo}PUw;h_N~2i9OshhzNtQ~^%p=%Xf=FL!+>wQb0n3+3o{?h=>oJ|*b! zQ|?~b!;}O5tZOxwGb`$0nUYV~?%_D?PRR$5XqZuX*j%R8RPpFDkI$dB!vD0bkP!)m zTMuPsS1;6odNu5buiAqR>rODaZhbDU^yjgDeKzl%MROAg(1t#v6{xAju&Z0{db*ol za{l@5_m0UWQY+=l?6EBICy zZkhazz%~`p__G1yGp*FfoIEINu!dU?-l3@PltJ$NX!7b2e-BA&XOy6$t%ihnlmbLt z44-2pSQIg&Q0gtRLKG`3Lp+G#i^Q4Mok|gL@D;0Kb(sVUBe?T9ngk5fCn`lEA3rC8i7t7cVibgi#i3Nj zvu}O?2hx(2NQEXLkpj%L@M%yKhuaT%p>9EgYQ||RyK!${vEKg)*WSjX(AK4>kpj68 zD6?Iul%S!JvPzpOA=PE5143jcG65tQ+8Sa?C?Vkr$gtQEPsmp#%CE1PIrdF@vOCV)+~c<_^XxyLTkWq<}Jx&tXbrmPXj8?P5@)sGUBtOEG-T5)uKB$k0$D zgQQnimjTM;g@*qV;<$eK0ZCFTN|z`E5g&Q;P4F#n0;L=$rro7Tl2YjH2Na}C{Gy^v zB!-mrc0hLQBf+7W8!?e*`{pxrb|5$2#iL{6jH4_TA(T0`x2~=>5|k*iy`DWuuMg9w z-5hSaj^xnl);Q(1_30=1#>&PVnN*W*i{~+>M2g%g=Zf}=x^y^vf;+#Ip;F%4Ndb@* zw#8N&!L#S#D66UL=7|sH={tdSH5)XEVt3DK^ggb#pj6?U|PfmgW$E)h*YCQX$RC2FEgaf0JeswcPy!8I}YFe zg{o11uyFJoR-JxEn8cW3rHu(!fT1Gu%6u{sO)az}sxn9eZA~Cni2^0>fdXXV*z_VBPU98pZ9(%h-D+oDLoVti2FUjC=!)N^Qva`)&QPztM{` z7lz{XV>Q@Mev&OY$=v*nb18aNyE3P4WOCq=$Kq{i}doDK1#m{sa8rTLIUgR!>M zMEbrS^EM5qa*9qaU&e$FH#@U&{~s)BQ2V=tw{ml}M0)uyXRgN5tVV82y%G#+H>auj zadz%K$(xpT_y>GKujWviXa3-$S}}So8cE}n(4x{pcG#udBEPqs$_>}^TxDmTR@2{j zyP-bX{M~j)A?_(FyANdEhf1v2H-%=_DepKxa>`{(_T^ip&z6l3i2ADJmpT>sCH*q6 zp4uhuFz4!K2BcI}Qpg66GB!}g1COK!I1gFNmPhrNP`W1L=hRI9skaB^jXvVmK9GQG z3AAy~M?ED5*cZ`5dFB-_lfX8u;tF0re?y|04GuP$+C(13*BA*#rUuzMr83*bELhwc zXIVVgmyBWBWe0kU_r*1>OUQ6+-wjsqfZeaKR zXAG=&j6IKKcu#AT?2rP;3^3N0AP@P%7bWQ@Qc&{cQz%NQ5hjK?O>tz85CS1Ur%WGK zj<`mhIkOpDvN>5zLJ0=72C=Sp>10PvBE`}*vqF?$P-i&X2D+jqf6n^BGdZBwn27_t zFideQB2FLRz$Yc~ALiicFh}LLQug@YVnSJ;G}$51GN)7-_cXohUCx?M7n?JE@hjbvX=aI*7Mg%kDL@&* zt2gneIl17Lw&JFRyJs=fw!9(ugA&F2x4ac5bSh)}T^wVPr$3>x*pZL&Wkn4g9d#rk z>j%UY?+R8IS&5D;p8lQ*tLD;fT@*=DU5eH1&5C8+liO4zaB+)2a&-@8_?1ly4OcKS z`ZprtJ+Hq?ad0o0?qjMu;N_x&^5i?-D4=+DT_Q)6ynFo~xrQg6B~yis1Vi`I6qTOl zO>j6$MHDAyPvw_wH+T`Hj-|6BdY=UtDp2ObcFnU*m4erA6HqJePMO@d7E>@;^baC2 z{!i-p9P_ZW#8N6S9lVegUCfews&ekQE1pntFr&+Aw_Q_dRjc0=n) zU3?es;7aF-RMP-Z^7-UUS`9vj`H+?D98@~R=7{3R!WCRHY|rT>ok@-i=8Cs-0uL%I zWajR+9P}=@zod+aBof0E{iI6Xx;uNc(ACMDmnv##X{jM0eQU8qOA}3rB6+?e@iN16 z@==rT&RgGUn&DZm1)lX%{!e<(#?Gx7a>$>6$#v){f#g0rlui9gqlN^jhAvi4&N!Q9 zK9W1rifo%%u_xix+3a=;8=@5?|iE=lAt@*m%T>%DoDw zEgYy$l1q#&C|md;{?~$eU8w{PY5;;Sf4t^)ybjgf43J4Blr62p!K<&i5Nbnx)8vjU z{}{}v=K{O>mRRJ~SV%B8(?urLp!x9Xw9V`!0w|+7x#tOJUEff7rKuFftFOFDaKK0lK+enHNEB*?ur!jStm^-p5rkh_ z#-!aLXqFj4XHPXGa$Aa;NV)Gbom*?_W!<@?{Fo^L5Ru%y^%{jvdF)K3@LJ_k*ij}9 z^XGHBCES`^5wrMr>>1UCKi;O_^LJ5vJk79nlR0NMko_C{aQPlHT0a56yjo>Eq)Ryx z@SLF~iYFV*B9Yj*BqW-eWH{lU2U6S0)GxJ=**o_0z^`vgd|3r=_wD6Gv=trdmp~mg z>Q3Ik$w4X_P@+v?M;Q>u-Q`1Qw>*O8t2Qvdj%l`&P@2XzI2!}vE5}ys;l55qRx~n4 zs;-asnFUqPm#mQxH#gGVy>xMcVL?6CIs^P}8MQhVL^-@*#(Gs8qWwIsunB z_(u$tE2UVyia27EKto$ITUqf}DBGnY6*kRb+k`pP**%HIX`4?Hd39(r0Y&q`sJo#jW0-yjv)bU^!23qtfwaB>sG>O=P5QG z>rd5YDPaU+?y`B;6ErHcrbcGxQKp5Ch9D$5Ib3SyCX;Ae;aRa9UTRQYw=KIGtYhiI z^K@QTGsQ8E=kBt3YplWjPACe5d{_Y~@>7*%=a0Z0qs9zwSi;t}f}Ds!$LclK|Su3-)=T?%ITQr8n~H{{5^DKgSEL z@(gKilRlo*OH!r0E}Kv6W5eC%O!7*e7*u{a%eq4!z_t#R?PO4pfGvU)r&trWfz$cr zTnEN4+=fgJr8C?pLEYMgTD2~md5&DYC=NDKWWpM2$!TuidW*bb%4vv9 zNF)*vaYV-n$aP{5BnEl-6RPB+e007{`^RS}6;!om_jCQCW>A^3WE z5p8-MMyvZ$c8&H-j(7qflq4j`5lIOosJMnAA%O%TP$tU%lD{O;(ngy&VzM}TdF$>U zg1SczK5FVex#>GW)QxQ{c;v;<&ZX1eow@-QCK@1BM?+nbqJ|}?Ta~0*wF=qfqe{WX z=TBSVf6P`;)hV$Lxe=6vn!OD+>J~WKYoWMui|b$8(K4mqD-}wl`O(wg0};s`)p^C7 z$VYkN&n)|~IxpcOh4q#E@y7!~lupSfJ90wA5fe+=#*}}OJZ+#Kf|@A}YngEIz&)mI zj-{THI-l-6C-8#?6}s7BO*F^X-{yh2EtQ@1(T$BIB2j{&v3ByuoV3)@Mi6}W1*h~3 zFtsa;r-eTCn-}H$ipTuAJdvi}2B?4eNZ^?ew7kmF!ZBIWm#E`HrMoxTwCoz8)vd8o zMsn%Q3tpKxFrm7B4wC{39_%~A>^sH`98-q!-pk$!l~ zflKjNRP~}_A(dzTYY@aeI>oA0FOVq{2zhi7|Gl^QY*v$nOZ<`z0a-cv4fJC7q{%dv zy`)zSOX8nh;cQrCex2P6=M<$Y58BCyNm_I$Ye2|_?fiBy8s`CiDM!dukg6e-3gRQe z2@MTL@%05yKV}ms@h>96t}>zh7`A@(Wb_zk!meH7Bmhz@TzzoMbD8xgxgm3C!?a$9 zXz^QLnum9%OF08VF8i|}P=VKkCb+A`b8%7|+6B0>;^eP1GgAGvAT(eCRfjyF`4)d> zRw_!bN$uF#eid!ne`8SVl4!g-!^+iH&}%xIVdaxo9!;G+FjdV4NRHt;k~TB$V(L4Z z#@f#~bNU$oQoSOS_b!6=`@{4fcnag%l_+hTz|&*?tUi%Iy?LYYHJ1STIF|8DJu#_* z0+~z-NwI`~`AV3f;N_!td{y!nQfUZ@q&HJHu2cJ9usTpBh@j$qrA0h#*mnVzlH=23n#qYtaCBie)5wa zL*6nsALCs4j`cm-FfrJJ4sEMYwx~W)cMq~?^Cyb5|AqR72^r-|o^nWndW*q~+SY}s z-MSMyr~@^vWB6nHdbWhv)3<%u^ivFf6Is#rtek(3rbG79vFaUaHK~fHh2X>Oa~wGT z2DQq%)UVh9CmDbS-fbIGeBEjm&3c5wx;1_^vT<0HpeAf929NSK zD(T65mv&Hm;=r&z3_UKR!NjK61mECfFn|QD!lkKP+%RuBrE8FF`2ZZfGRxa|KAK38 zgj?cX))_15TUHJk$k?DFwCK@_y2bU0d3u^vEAOFGaXhV^l-ys`n>s6#sNKFXHQcPx z`ErYmOO6v)q9H;xEE(P zG|O<`txX$>Ve6F z`SVF4h1~41kY?7=+3XaNIpEvYlQ|Ronf_Kmp@zd~nzAz)0ErPzNA{%L`9;ic(}AGY zHE_`hal0pe&QRAnkT1sbqrw0f%8+Nnu^)YOBv ztx`joDG0u}mvzw@C6mmm48HY>sf0U|VdGc?t?1`Gc&ngJiXT^CB>FV!*On43Hqob@ zl)=8GkOc*@cuNTOU8m8)RDzmuOM3hGGiFXd{33hMvbf;c(XE_LB*i9^QM7b1bmUiA z`RgHyceCf~xosQ`$zf(iGY@}4wd(mOUqMiF%d0LKQGPzo;NFMPZ_As;@kB1J|bQDI*R4bvd*#Y^5q3$RH3eV(>!o^5JCqaIBu z(tbDn+G;SOn>Qw5x7o7wC5q&Sq?17wWxVu%&3{SH=beWugC;d$f6qBI>GXlYtxBL3 ze4Z7{ZlPOk3eAd0kw~*IALOm)Ex!ih*Lf_bOsdhdb1mG>6}&#Xi=`*zxQ=K_S#^lM zvyOIMHuB8bkNK68xP9hQa#m6UN>p^AZil*9_Si|UuG)<3lx5o$^8yxFbciHp1>$NZC;LFUV1vq;$i-fKitmH2^w_tHX`(5 zF7t}2@8tL`t-9a4E@z7S6b5Bfru~j<*LO(XpWCU>^+k1#vpy4o8(5SUcO& zQb$VMi$^Rz@(uHvmFQeb18w0!ub{L1cK9Yc9jejB*NvCIKW6dl*QlA9Q@fZ3vXrQ( ze;KJhrL1B&x&H<46Ev`Mb74Z8Vx)#nR7JzSB)<$$XUpN2?B5woqLvQDy__&qPpe&u zFqB|h(}&6G57>I<4ci|jw^8+aHWbkW&7!6GrLQ`h55Hp1?qDcnfJXx#y4EvCM^d1* z>3;}8%pbcL{|889n&?|OQmNZ73?JGWAG6e9C!=`pB^=UP#H1C!Gv;6nnpUN0)YCje z2oSa6K9r3-$?P#fe3liV#_&bV8{vTtsqt--kr>rw#)7*Hm_D1@K49(Ln0oquZ3;O% zlI|X1M^GFJ9>;ji#(* zdLJj$i3f?4>^}zvAVDfky(+<=>L>zsnlWMKE@qGNM{Zn{8hw6a#>m>auZAl_IPQO$ zkMblwZl8|t_Vi0?CHr#W>>wN?1%|qx2wXOoHL=>*x>aW6wt)<;ZIg$Pm*LTW3X`5s zXKCl=EYWqOe!JorNXhbHzx*P#XuwMUXvU6P%jQXw*x^utZgt9FeE&w;Ju+T%2Jfv85T|?0P3TXUDIVH8F_r~?;EMCvX zJ;#zuwQCe+&i14KkG;E&j#_yeIR0I!0Y&N* zD-?>9Qo#zv-QC??io5&8-QC??FYfN{McM*&+nx81+IB0n_riOD-+a#D9GYZjv&qOa znPkGTucfIKZ>kF&3UliAY0UH^%UCr12<`q##poXEc2HxJW5?!fIi8ypvsSS7@Ie+H4aLYhC&gP1XIbwC6xX?u7hB51Ob=U)Ay3z zVx!8eYn0Fh3?Pj=y}P)vY2*$ju5ZeWfZbdQx1?o*qI&N`P?D*7bxMxD%<;{~@Tye+ z0FBoP#&kIWfI^|d#3DN-I!|HBup*=;_M%jDtgXu+e-BF4Ef6&sYy@}KPr-A2+-(d? z4ySU(oTSz{XsL^pq=eCEcJ6sW&ptU5tPheSRgvE8TyM&-Nn4mYWEa9R7Zv)>VS=Z7 z6w02El&AHw__Lm0Yg6txfKq*}MC6t_H~ zS9e8xsEh*u03ZNKL_t(bUVkFm_x3MEy~OYS7CmZfT=HsJId3#eK8BLYHV+j?%wlpC zQ}{c2BL%6QJFtGqXR5VYLG$(&>|a-(XPZ{C@o{Uq$GesPd(`CZGKXD;GZ?ve4TE=w zkuGNuIxiZ)usW8J7ol^yA%MN76LPPpa+Rd0g zhp=_8MZ=O=xD=<*$FGZiEq_isAC`=H(IaKs1=clYh)(pN1J*VoXw>6+LN8y05z zl@)ZZK8pRzY#B9YFT*=5Bgn{t-0lsSzqlLC|KScQEQ(U0fMC+D6TENIfJ{mdK7TVP zskXaYF8yTwA0^e^&7jWot^8eT9dp+lVau!&d=6G&W|yBT!xk{KiwEY4==Ldj^vkD= z75=1HL5X$Y0vMiJg6EabsIwNN)54*Qt`s>nc&frZ*}2h_;S)EpWZcQfwzzqBD%q(? zWt4O~{ZFZ~7sT2BFys0>wf7)bRL)E&kv55P^m8ag;xB(l(EIoAv9;A3L6-g_g6DgWGw`ShohNuu z@t1s};^&h2QTiujzL9J}>P{^I13W(U~v&w-fw=jh;OjdBv7)GdfdLUcC5?q@whoQM9+b$e`w9 z*!Da`e*@`167l3R=llxNOm}X2DQU7Ul70yaENc&BT20v6vj@YEeT*~f`Ts0gK7Y-9 zW0WX8w`SwCecHBdTc>T??mlhXwr$(CZQHgr{oZ@OJF~v~duC1jNwRCL+0fcyvPX?+4$gfRPuW|AY}&KxU4$Hf8u6AmG97p2+&`pxv+I zGxSaqjH5bdKlytIg)z~&=F1q#crdlYkp!E8>tMyRJLOqf;+wkBz?p_iM_`@kSTE6G zwC&HE5m{v^uQPhMITTHnm#}Wwk?Skt=-sP(d~IK~$jGx2@ZKgRh?HN>R-Cp~>w=Wyi=`j^fA3o?;dH#7SR{(l+r zzlC!)Qm{^c{=4{JnFoz{f9!u35`8Wm=m!74t2Pi`;DlCk?B~^fME!TzKWcW@H8w`R zcB`AX)}4~ziG3G7UvH0pkQJs(u+B~6-6uY@$GNKfqr;bEU1ahAC?2kYfphc z4b8|1{4RNv-g@2VUJ^exk!K(xReq7P%Khp6EO||82tRJJ*8wW1E@y_sthsoI#m zIOxG>St#O57_%~Pu;vXWAa=ZH8^DIxM6WP)!5RH*Et_e?SYBP8bRO||(Q_gUd|D}# z=+rSSHCY>yuVld1Pu;U8eC&5BKY%f_CaYCwwK)9{4&Q<*^}I@Q*_b zyHwSSLGKQ46aMT(oC-~Sq5d&N6nncRc=0#~h;L^hHYtj8;KWhN5!kNtt|KMR4A;*p zC378nG`{Fk`8E7WmuoXcU$26>afdQASA_&Z;bby%H2lkBRoF9=g?x(lJPf)eMWw?Ibj;dmx@ z#MKPe@kSv1v}S@PG3Siq5IqhUqyVk-(C8Y(aIQ*-N~0NXO@lW7+!4+IPB-`zG>r_$ z=k`wsPz)$k3Tm(90g&l~2G8wk8{q6rUGZk+mIImq*CPFcYMy{rRL^}c8}YMJA+y^x z)_@Q6`}nQ{O>5E1B5;?fs%}uZQd6-CE3H~bYoYjAFc)~FR_%LBb|c0!Tujk9)a=2> zl;XTBU#ZzWh|ZoMW}F zC3dzJ6q%D|Zzet9JSX8XS-_>v9v1P*>yLItiR9R_9a z@b}b|f$w00K-^W7uK`ux5P&V$S5npCLbghzSKr}dPOo59{>tv1;2Dt}+!C>y1CnSw zCZX`B7_QIo^CcsaTSTie%tKk^s2pFXR0&Tg7$fEH%!e`86JPVSb6fx~9Kh z<$dSKn2nFn|5#*XJjBs{jCq_na|Nt1q{Nh5!@ameDy3iWYgN&EevgT|ZKqdcHHREc zHezuv0jv18nEfFyJlyx4RlKN)o*{TV_ofVtRGIY_UIW6>lWqd(4*#i== zMf5?Q5=WQtHV)wj8%F~-H4Fdil;_E5$=+;M;>6`l8d&{OeU%uABHutbc0(0=8X^ht z$&5XntE5M(;|tq$pS)gN5%_2FRDn^(mm*rTvXt&nr6$ryl>)lyR$ZF`rdu{^vGlT+ z!!+8+PcS(&*>6Cec4dZ@!IYbKO4GH!^gK9^r(9*kD7)3{ZRXhh>0E>tCvI=YN`pnu z)ut|u_GrxR7yC+Qnu?{186ru$9c_Oju;aN_T}w!Vofh--s$eA7+q3HlAr-cWp61t< zMOQrNBO)fxWbvsrfn`k!uX>geSmrAW6jzW&a}F()9>#U0QW zLb!%-*;@5M`qRC7b_N*Q3{?tivcxraCJP%bJmacKIJ*CM=xz7FHgH;teKu*CnwbPV zM|x6ea)qd8N3?Kta~1XC|Dt4&x9O8jGmhpC9%E7)E%h^OrW_p+yoCU&qAIYCAM7CC zh<3{iGq6T#6*1BZ`|=-)7Y1C5nburwi%Rt5+>JNqv^Y~EIj1Qrm>+>}jpe|63~tD; zK*tks^|nQYQid+pmgS(Cpb-QG3E*1!6D|_Zb`cNQY|eagsvEW)4|Spbjq2!}ZEzF| z(jdokJhnRsz44re>^>wrPQvaEjtB1D638B`UfW^ZR`Nmi(&A2Rp=0hVG?qw#`3MR} ztl|T}#I-@6Y_wcy##TTstN;v&{3K2BqVesIp?!%a9+~y-8o%aS)~GSJz!iXsDqUl7 z_Tx0z)xRVNOm0wy=*hJ{{WgwJAa2leuI0|g-GGN|DL&^cpx)8wvlI?ouWUP3gY?<% zs$2L=kp)QxH8TjK_~_I08pF{pKiSx^4?ORU!u*c)R8Rv|utBeji>ozTDxahN_z$j= zwP~`mI z!Fxjx=ZU=Jx?p=VdwwcC z>s1>=Y}g#4F(Oo~CKIl0C`Dvb%}O@tX%j4t)C%wU*-CfRC#pm7N>@Vy%39`}uaVuW zrP;JMAuB0hV{`gK*uMlbAuC)VT<=4dI1+PuaJ&;6QKijb-#h#;9%Z&7m-k%;CPy_R zQ&P;EJOXUoO~La;%gzNQ-vS16FC**Mk6+8=&LJyZ)n@uCa=k*2W;f`E8d3rIT0||( z<^Dn|B%=FW3I55P_bSOyVoN=yrPVbvd#buG&el7JZxBvfhc-(PDfl>yUlG<_RIu_;e4->zWZjH9Eh zecufyN!wzE<_%(8P|G@{5|mw?E>zmD-tZD!+Jewrxkodj;rt>{^ViG9_R<_BDi^AiydDRbl^rIY3Onn+NYAv+iBsf zeU-iEudvz0pJR`L4+ai^Uz^q!gmR9ZGV@t^mFs5slXA4lB1bCs$PqYP4`69Tic=bJQoctS=; zxofSq;$)Ie3NkL?lly5Ceed4w5xV}y*E4~pP>5(fW;k>bvCyzTAji5;NH8Nt*u#?2 z;LNz5K*(QPH(B;r76T~yYoog;xrpmV&(SiQ{(*V>SEkQt9yfsw9!6 zn;r)bz(O02N8d6>Ck1WIKBu6j{Xm3{+$;wDPZ|huLPHCoLL3H-!z?)3D<8M0G1l23 z?}Ic3hp(|q3=3obY|VK5Jp8sWrq#EwOhAE<8FzgTGgQ5_%1|`V-SR2+ImqsG%z>Iz z)WPGDXbT=JP|C2ltLTRkOrJ!3WT2QGAyAD-5G{mhay>TbFp z1|O_9_+}4oO;&XW?Y}ZF=Tyi9nwpq8f(7Gq{1fVHGKRGjG;0^LKlql&T#>F-Rw24tVs zaq~k^x516~+YELbaBd=ExUd z-x@{J6t z29s_`fvrxx%dq(ejJ9YJZs&R94fdrC$gmAsgn=&fc2l}rl6I$ze2wl+Cd?;RiK@5T zyF00%=nV*qv$^$RP?hlKJv-wXczrw zAF08++5(xI^X>A6g6r?W6s8)5$ApM+K@o8T;Dd^4<7kE*2dA&Om) z9sByEBZs!yz%O9~01>!2TYRP-&*P?Z;g3?e$zzEMj07TDdAiz4na=By(*rZ9<9h zSRxojgu5UYvqXcchS*_%ANO>L4!ePjWVPi3M9(T*GNRrMm?+iB=5PY|CewW;o;jVV zk8UvhCEP>0<*B4=Wf3ZlInoT^>sttdLZ4nTx>$p9HKu~a^Ty>X%4h(wtwDvmlx`yKeLsh*%&*iL^|gGygbKG>9K{L#eB^?{D)mrB<5NSLZno`8TG~FX ztF5)};w&dVCsWu!b`64$(s^5E|I%dXZl%Zeh;)i1&D0kJW(_b;C1w6wiNP zHS3F^JUZIgn~~n0ut3z+VG%g9P@zJdpslA1#aw3A*1B7# zczidPD-=n*OvSd@ZwG&*XQi9KtE$weTXikcqR&N*&RY&Co$uwS&eCYFHhpuK)w(Z{ zhlnj^8f+cQ3~%;lju2x#Gqc5FF`99JPjssfciX5lqMTpi#(32|XsZewTNzYMD8#qS z`_HGiUk+N4aW|`q+L zeQy<@+*^Z}tgBWQHAZ1R*$MOXZHIT4Aw+L3-`qHqOMR?JSQ$8%i`1u$uw0P`0(TSX zDA|)Wc6T#yl|vg)sur}0S&ghR8uIpwnYDYAGKS!On;=p_3=JTE}n9&HP zFW_nXtcRgm%Y0i+hor62R9)lXf_u99*;--5txq9Cy^AMYw)g z*bc7M;z*HxOI=K`LC(287^+J^RZZ&*>2;?N74oVNWG_y6lSU@|%%)$YIc+jlqbi2* z2>Ku(-iGECNLxP!Gr|&~biv6O*yN{}JuTl0KgZmwbrqLbRLhZ6QD}wn<4G@6-Lp`A z5q`OAnY=cwmtcv@OCN_$BRwV$pgv8gPkXi>NnY)h*wOX(B!jjct1oV1U+?w%f=IhiQIld8&VF_C`jausA`oTF&`1tOxIpHSNe z_rQxz8GzuXi^tMrrTU;OG2-jHqIy7TupDn&{PDAj|DBGj{;~Jlqw_gShW&n~F%{Ug zaqB|MIsN_(ofKjX4!2cM1cSw?h@S`K8CFOC11H<%UJ$a|nJUFTFkfe~WIYdDOQLvp zvQ{Eu``mxzg74Z*+0AwQrKONYO?; zKzp%rW~+UAU{J;-vnPMGH~N~vX%taA)udRW-H&Mmp|5uFSk;Y{O4}FK)hW6b>dKaQ z!!PYI)9fq@^cs`47@fAqx z4JDPRu5EHfpP9Kr&?n(NT3o>TN%mJ-&Bz)ftm(U#buR9tUfIE0Y7?@cvSQ1nIL*^Y zJ#2-j^n149 z72(!SqZ2k~?gjjb8)XClg&J8TlM4VVjouUE|5b}A%(eHSp)ypFHat+LEaL%(~vV8gCAiXA02&cGdLxKc^lC#^DFgUwo@A3rOK9TApGqCeKf(`PQoLUgc}Q~H!LgF1*KeI!HlN&>aWPCDba`lD_y_JG=^ z+`^(D5=WT zInZ=@t4aB~CWpj+(ioimoEVJ zS5V`9G`wsHv*%dRs|m1fC_-25;W)RGbV>|uw#)Yy;dS1(t0ys=xihfzrT+1|VnVeJ zhJ=FinF1f zSZmO_M<;Fv9_`Uykzln?Qb0Ool9Aw$y;a7dMN`>*4^2)Tt30Vq3e||9zqHe&GD+&$ z;4eg?Zw1k3SE5+moBy7qTA!i>bo1~vgXXg*HiE4$H}o<$PMLcmJg3ZBQIIk)87)p7 zR$#Bg7l%{_pkc;#?@Pi`nes_DViZd=ve(%VBT}Bj))5oz;hSi)(d#cVC_j#bE?;$@ zaD2-VJZ9`Xo>B&=+!~I?%egJ#PKZ~3Jft!vvSVMk&{e}dl5Q@Xj;F|W2vgsAa86#`-yX@uehIZb z&fu<0ofpT>sZwVdHs51hO`1kXE$y{5afeOTfKXZMX7&iT(BV|0_Xj{7F`X&JUx>@H zHyG}x6@@5ik?S7&Dfuc(dT0a{V!F!`olT`6Jtu$A)SN5AS4o}kqBKs2HHbBA9^TEG zZ&AQP(@Ikqag;@C49;rpn^~he#t~lC>A^K*bOv00LWykF5Wf69xrxX`}J zx2e3Ukl2nx)-c&gy=LSLj@Gkf(3vTKc`KTie%(X0w^Ks0T+S46>bkgC56M^!iz`=E zICIDtdB}XeSsFJbAi`rPx_RvjK2}j>GNXKMOiG|a#}*w?#n)p{4k4UX<&V^>wZ2$o zj^Icd8~MK07{B_mMmsCcl^KHM6^?tR{N{vYXgMkrwuMq$iDBMh+-!coozvLSE9$oD zOGv#u-M}MNOW@0mFofnEo4B8D(Vo;ai4y27E|+1y&W;k{-Ym(K16^tmK{#zU zhi@^V;tRfi7nniuYV8lx&>2f-<_Y=7!{Z3OhkLeyj`cP_H4B420SO7K$N=Nk+b_KwKnN&z6q67zd~gYm<5A-((G zh_!T_8$7H#5v%xGbIP`a>0m%tv{gM`jbQHGDGTby$=@v_F(EOc>8A4@2sYx-Cf~Bn zF809U21)*J>jj{8KAM^P~?53iq|IBFtdfujG|KSMl_y2^L z^Q@4_9Uzl3k1(M5da?5`L~X;86kTpaG>sL8K$AD@aVYA<9T~BPQLO@W4BB8qSI;&- zHntm@0hocmz!gf7j>wV4h#6ZzYm6o2HjWNe)1Ie}Q4l4uzus~uC_9eOEOE+9G=T}z zAS2sTi#K{titV!I#6WHmR;z)sTDmq_@E7e^Oz3l2S9kK75_#?nN7G@e%d<||Oz+0T z4UweeN{9jP4W_P7RcS^CMr|G~Z0Bf@H|{l1)}AYG2~mcbIBu$^mGMnst()y+(bhwLBP)q z2+@U=$_y{Fk~nIv!{1vKGmgrZ*k6K_zP#q^IysSev3D7Qq``2ZW1UjKwjC_z&O;e6 zD@{CF$f`>M;_2F0ZS|qAY|qIIyF#nKOuvBQA5fafOy}Xm?7;c`LLJsfki`KCaT&V|1`4K;uB9)zIx{IRO>=j=01AY7Vg{>i zFwtJ{St|vW7}6}>$k|O`$M9?V%NzAf?PJ|df6A2C=Cs?4u2Dr~V9+ENN220rJZ0(E z33)a6EiA@37TjK+w)l**OQ=~>${ZTp_`o`6u)}xUg{-z_1~Y%WvA^QTm}Xfb1G~uo zN&VfJqJwy!O$Q5CArhY1OCOFjl&JdYK=K&T^;dTvqGP`0M^}7bUq8P@?wS=B9~e%Z z`Kn?qhGSpY{ga-u6}X7E`I$_$<>Xm>bWealAU>g?>9(K$xiCdVT%JI^MQGo%1!ozl zRB;Kljzjdx_Y=`7Gcr!y-$wc06&Z=mq8Rl1R|Y&5cDB~L#yCZleP@^PB?eUh7;~;U zppCv^C)zFp>jn?z4XOF5ZFQbjoRD7E6gl7|bVA`QR58{3=9-)5^tDc9B?hM{o!e+kz&Q-oM-lcPLJ2swKvV9oK z2NI9%uf|DSvfNSSMKu>jR#u`xg)G$QYizffRUA#6;3EES_5=S}kh)Zr><-(0Rx-}CUE$by z@Xir50TQ_4zD>5m)Np$alP@zo3X$6^iTO;!4*M8 zRd8fIpGqPPdvD4B=73<9$Nb>S>~@pKr(-=|1w+nePO z!$3AXujY7Dx}xCOU8b{MuA>9J)dr{*NMsZKHz+62PQUI)MZ@QYGB!B4MH0mU*K~Q_ zOyyP$duWcTfSB3q3WXh6Vxo0^$u)Ms5(j}oB89Ak&GH4RupA=c*iP>>mBsK!~5K%bSxNplm{IB=2J=zPQU&;(TKg@h)uG2BfKw zQ7?d3gEOIMUN4gqW&swOy(v=fRSEB-m97 zo+p9Lg*+O%LB&kvJv2Q%kY9u8%-z$XJ5vx15>3pAkp>~9%R{CT-r3mxR6w>JK z^yBaQ6|cTzW14qWx3%P+5M;&aW`e8ZWyk(2J5lM3r-94kCf&FMy#5QNRL24WgRRb8 zK^KlX!%3g-HyTO#m07Z8dyl?hFdqVJC$;$;?pwd(-5BB`&*huDQ;WWZ)R8Q)XGZf1tc)6_Dhdf0;|XgYe~JJJdr;VOcJTpR+sV-J9J7bp5S-LnC*NGU^^vR*ND z_jP5`qJictX3TkS?;OF)Hms4BR&^SEue!i_uvbTtz!l2emwJ?rjVePK$VPfvxo>g0 zQ@5m&cBejjywRRk``nMkL?-b3G9mh-B= z6w>Ja;q~pih_*aNlEK{79TFX2la?!S$9UW7zU`9y$8k|#fd*H1kRwKU3Lng`5E}{Y$ zS==(?0fUWDLX&cNu+eT|d-qy(wG6QH+0uBsB+NmU&oJxJP)S8}flL;oh{S*f42$Xk zcQm$Ez@uBfB8Kp4tYA&xXSDG2_yW@pG&H)#l?H^wqheAkri}wXUL6N$5J^%U91Vc1 zpi;<}$B-|!LB}|EUIScd1)JM^8Wm3VAH10vhKmBHl}@Ttd$;G7$1o!3GEPsE6=u zEN})A2@=tgD#29SV^`SJi2)5*=;k947o(A!WwbQn>loZ)ddlEnNd^u1LX=X4IV^xv=lvIz1p!vXa= zXv5K2`ij*Tb>y<`8x#6qsU`PHYaYm};~Dwsb}fY#5bB{O?1g)nN!CUzfBnxSoDC~5 z7D43gl@MZ#int`sh9sW#>cBdjM(%#x+@;=tQxu3{u0k9KT2{eq0W#`o0sT}yC1zC{ z#}<_5@R^iig| zfmy!(#@BpwXAZ>u=gd4$8fG5Wq}hfmgRfQp5OK?T)qF_zk;HZUg($Z=LRer?iezS! z!CFGB`zk){@Dbor7+8{D#L6O|C3Y;jt5?72qj!LET8A^5yltya09c?)eEO>w;>5rG z7YfD`xbFaGdeSAeozOMi=joau6PNrUS5ay`wjs0|O(QZP`QWjz{FL=V#2zLw`jWNg zmu$xie%=4}DC-Z&OXM1nsv*i1zf zwS~%s!Q+_Z#e0VDnbeqWQ8(jQ0~^wPj{ZX;9Cq18q*`OUWQH4`UKX%Hob`L0$~KT* zwd#B$6d_J4gXgdi#`cQoAN`w-*a)3z{9uKj|NZ|(~4}MiXyxf!+mPm%wZpKvCKgnY$ia|fI zykh6;&$1Z;#Y8m2QHP{pgcVqgB^He)GGAFMj}i&**2KVBkEM(TIWg^wZjIJQ%$Ud+ z(#AOW7k_%}grWnAJ?Yh7cc6S{4AiFC&+rPU(MBGnff08j@bfgF8{4BF60IjoB)qj+ zpfLQtxw^mEb+awcG91n{0*NoH723VE>L^1ybMJ!X6iTG*xs;`hKSR(Jw|N4@l_@GR z#bpP{{gyd{=dLp$hrJeUnP+bFhiRq))#qJ?3^@jvg4DIGafFv)-d9~J89~ClykEc) zR5?)c^>2hOpAGg5vSb)(5R z-6@C9R|q<$80zG3vw+AdYnvHG?7uLQyO?sd6}RTh8_1MqTlsvg;(Z(3>9cEr-5D6} z?S_(Hwi*<~E5w})7k8sVWO=o>ImcFD4bT`WnP60u!(G!@XW!Soer*o;U)jETv6;6^ z8p`($uP}?@;wBhQ#zOetfMv9!2zCCJbFW&=Q=%A6BV+_UgLb)E?}_mcJ3vH`)P+aG z#PmFF5%UIp#9f{uO$?$~el}oMN)mdaRlDryIp1UFVMiHeZ^Qr1|MC*xCyxBM5WF+q zs>XEDg1YZyzsfL^=rB7hV+sKi$rlj(yKJ5rDK|F&(wBv55BD({X^12RUQ)LsYU_FZ zD!Z?TIF`r!0T&Y5@?N25aNTj+F%Hnl}m$t2#3?(K{XxIZw^2Z7$g=hf`V=& zC3&teoH!HwsPmPIjUIn-6y6~CQNTz0_LEUZ@{+87q1Zf#|~OJ3b$Y(%;CI0qve)YW^~eF z3VX4zAzluJEGO(tFtY1%^+@7cCjSAw^=H z{v09h6<|fjvx8m!V#4x93>N_|)w>Ho9L@&Fk&I8w6Ry+0v!>m2!|Jc_1B)`w<>F~b z9TXKP<#NP}tU%&Zzkq7f$7R*y^A|4+xWV(__3kC@+W{Hctk0~uWYL{-Qerd5V^Y3F9coL5cd)8kC!Z!Zjbbnz;WZ6jFpQ~+|H>#l zmH8A9<7c=hOXnjMJD(i9)SwHqcN7Y3l^{NAG3+ZeCCNOD?b?1K&hJ|E&{fHva=}rS zb9A9*=xm#qRRMsEVC0l1aDKa9Rw$h(Zt(_qvVMEC0@pqgN9tl>L$$-pzk`8tf7ZSE ztXQzp$rf*&|NZj97LKw-pmdwdG*Wo@R3WXXi6$Lb#7w5qlcbnkU2FGq=JMVlr!g46 zB<_~ex8cVP*S4fSW*jzZ(_0)oHGYCOXo~to#f%Z#nZ{7ASsvO+ao5|6CexU!FL#;Z zX|Yv$-+caLX*n{U(tOypg7n^gKrA6J%EPf+KKX>HY`8%pg*=aqn}D{q!SsL8Ip{7ySJ#>azG&Cm2CYn z2}WWEeCG}{9&1N7BbBy+in}}nIQ}Aj>c-;ReyXzVt&_N^UZj9^>xZn*d0W0Zbm*F zzs0Y;UKihfs!HWbx_s}vUv^9;e>Rvhrx+X+p3anUO(|n&XKnOt5F)TWmJ8zp|7;3J zkW{MN4djB%iwD?$4y=w8B%F>YaPcOlDfJb7l5jN9=Xy(^RsiADxIQshr=l20M@p8+ zlPhfK$eT<{I}M^-alZupjcfx1igj53WTXTT*7saE=>_5++3!|sJhPJA{N+Odb(ns% z-#g?uq0JhpWI;LC;iPAmZsF>#2N&M#MJ%yTvOu?7&ebhC1PSqys2|t@3@+9b_$^oA zL%?jNKndRM>eGtZ%TrGI$n9mwNnsFp@FoMwDVr+St>o3Q#H&9ZSC7>^Ekgan<)%H{ z312Z`DqOYWY`OW7NL#jmRI(=>Y<`563y4HdC>o}?f-9YUgmwxD|*ISIOrU#5^JPpcvE!eR;=_*A8g$#A9+?q!NH$Owg=BGlx0w(UuZn zm_Ue2*oI!?Hf;}kbq6%>(1J7_o?iHyu#u3k4XwuQ8mh_46S=jjjMIujBlaLZ@SE|M zuSzrB0|l9)NWr9OwCFm*!=t57yOBe!Vr=_7))U&a{(;{k^cr@EoQPsFL#7Q|91;7fk`dRZ1LzAo0+2i`cVmeCZBsld!ogyH!Wo7cSI~eIuX! zXH97tO812`nMD?~-Lk$duBYNEAS zFsqA2pf!+HQRNBA!87~e?SSr~#G)}<%grAS%#cW>Gm&yz%@c8B7}))mjQ~7+f>YdS ztNE4Cdwo3Zd;~l0dhF@#oR#X#@M&>n!kr)~#mvSf#eQ|(Kt-)q->e-Q?@k*TDJky| z6O3_EX2@`U^(>Wc$g;g*E`P6g|1d;@N*%SDpLp+du3k=qfrC_hnA=sS(^-_USMA{N zjO+NN9y@g%u{6&q!OH%10MhA6p{jLnWj=c#f$heuOs;}a+Ib8gXgo1zx!r^eeFuA& zhF*H(Eo{+WojvzPqQ&fH=giD{-h}$Dl(c$@D!%5a28Ck1)O7RL$PuTYl<=)=aeJ$? zFg}%Ok4CJihe2mtz;OKQYvBR?a4ohpnV#Tn~ zCXMD>)F!Hxq%|sZAvOXwO!YG@&)7yOx6vO|Izo0Y4}!Rn?-t}TY_m`X18!F2y_jPx ziZTlO(c=w;Sq;7Tg}T=5GcJDZ@pf^n6Cd)9;#F~e_x|y%iA6o$<4@@B`-7t%VdFhk zh4A_@#lW!JGD6uI)`IIEMds7Z(wd`tf<2o=F%;HfTX``M0Sbk~8@wZx!Xd|#hkQKu zJkqUpE!W4eh3xC~AL1&{s*4m;qht#Q+3VNn@#*qc?BVLM2~Xsx=GWFSj+;Qp@Pdqx z(G-K|&bfiy%Nj&C?N!zgvZN{d8(%UvBtJP*X{9`CX^HsI2X%TWO-|jY!6ho*m zIeEFdxVmO@TlFr>$+hzB64^@~ro*9dF-rDo#XPvg{Ta2c84sVo001EMVnY0i{p)6n zQ-mD1nbAX=O$);4Bqp!ZsRbXB zaqbkPBVPb*muT~IB5T*SDoMjYjmL)0g`@=*!?Qm@G`{>ZHrhttRU{JL?0h;l#Yva@ zqNC1wcriy!qLMR+v}jmGReEZ}z1nNSJuP7DWrrc?Ireue0|GYJvOA@0w4G$frMa1n zd&?o+XGOKB=HRXmOqWUJpVJPfjyxvWh5{&RGSw*TkL!roUpop4c4(2CoYLN^EK7OzMM|wwN#8M_;gp?{lqB?>$cf() zENO7=U_8VKIoZoDv@DL2fE&0N)lrA26<-nt?IvA?xy4zNP3lX|WjM)9jzuO{ZYsml z8CZv%{rjmQkE>VXtQ7XGg2C24reFmq+*#cYJzUCgL3#-Whg z8A7FASPzz;d>fdvOO`*AjxZC*ak30q=m4`mqI0X&2epjl3S(Aob!%6}Vm1=8h^JSx zsx^q1xk_i3 z<60o|^Od8s{VR0t@KE>9#4VZ8{NRP`r{xhCMr@nLs6poW2FMs#kos;{o^lDOd7yh; z_IVj9#1AijgTICtYpAVO~Ulp`v?Nxf%e?QOR9*>4;Ah)vejQq{*)L1vPK2Le! zaMSO2zdG$O-^e|60(jkj@s-kt)*q(UvrBWt&pQ@m79in(8vSh1^Obec zDbX-K5f=Ho`K@wvdP`2)0RR?cCT; Date: Mon, 18 May 2026 13:41:49 -0500 Subject: [PATCH 2/2] Fixups after review Addresses Roberto and Craigs reviews and a cross-distro hardening pass (centos7/rocky8/9, alma10, debian12/13, ubuntu24). - ipcomp4 -> ipcomp - namespace references in kernel_patch_check; widen class scope - version_match patterns - sourced kernel version from package metadata on Debian/Ubuntu - Dropped /usr/bin/ paths and useshell pipelines where CFEngine primitives suffice (string_split, sort -V -C, packagesmatching) - Collapsed module-file presence checks into one findfiles per CVE - Collapse kernel_patch_check into bundle main; drop _kver alias - Use packagesmatching() instead of a dpkg-query subprocess - New status: MITIGATED (userns disabled) when user.max_user_namespaces=0 - Composite classes (dirtyfrag_vulnerable, dirtyfrag_esp_mitigated, dirtyfrag_rxrpc_mitigated) tagged meta=>{"report"} and namespace- scoped, so cf-hub collects them for reports without cluttering the default Inventory column set - CMDB toggle variables default-disabled with explicit opt-in --- cfbs.json | 2 +- security/dirtyfrag/README.md | 60 ++- security/dirtyfrag/dirtyfrag.cf | 516 +++++++++++++----------- security/dirtyfrag/inventory-status.png | Bin 50761 -> 127073 bytes security/dirtyfrag/patched-kernels.json | 49 ++- 5 files changed, 368 insertions(+), 259 deletions(-) diff --git a/cfbs.json b/cfbs.json index 7d7c609..c225a1d 100644 --- a/cfbs.json +++ b/cfbs.json @@ -160,7 +160,7 @@ "namespace": "dirtyfrag", "bundle": "main", "label": "Mitigate CVE-2026-43284 (ESP/IPComp)", - "question": "Blacklist esp4, esp6, ipcomp4, ipcomp6 kernel modules? (breaks IPsec) [true/false]", + "question": "Blacklist esp4, esp6, ipcomp, ipcomp6 kernel modules? (breaks IPsec) [true/false]", "default": "false" }, { diff --git a/security/dirtyfrag/README.md b/security/dirtyfrag/README.md index 8d4b3d6..5c529a7 100644 --- a/security/dirtyfrag/README.md +++ b/security/dirtyfrag/README.md @@ -18,7 +18,8 @@ After adding this module you can view Dirty Frag vulnerability status in Mission - `VULNERABLE (esp4, esp6 loaded)` -- vulnerable modules currently in memory (names vary by host) - `VULNERABLE (modules on disk, none loaded)` -- modules present but not loaded; latent risk - `PATCHED (kernel fix applied)` -- running kernel version includes the fix (auto-detected or admin-declared) - - `MITIGATED (blacklist in place)` -- modprobe blacklist or userns restriction active + - `MITIGATED (blacklist in place)` -- modprobe blacklist active for esp4/esp6/ipcomp/ipcomp6 + - `MITIGATED (userns disabled)` -- `user.max_user_namespaces=0` sysctl active, blocking the exploit path without unloading IPsec - `NOT AFFECTED` -- vulnerable modules not present on this host - **Dirty Frag CVE-2026-43500 (RxRPC) status**: - `VULNERABLE (rxrpc loaded)` -- module currently in memory @@ -37,7 +38,7 @@ Each CVE has an independent toggle and separate conf file: # Dirty Frag CVE-2026-43284 mitigation: block xfrm-ESP and IPComp install esp4 /bin/false install esp6 /bin/false -install ipcomp4 /bin/false +install ipcomp /bin/false install ipcomp6 /bin/false ``` @@ -61,7 +62,7 @@ user.max_user_namespaces = 0 This blocks the ESP/IPComp exploit path without blacklisting the modules, preserving IPsec functionality. Use this instead of `mitigate_esp` on hosts that require IPsec. Note: this does **not** mitigate CVE-2026-43500 (RxRPC) and may break rootless containers (Podman, Docker rootless), Flatpak, and browser sandboxes. Applied via `sysctl --system` on first write. -All mitigations are **disabled by default** -- the module only reports status unless the corresponding CMDB variable is set to `"true"`. +All mitigations are **disabled by default** -- the module only reports status unless the corresponding CMDB variable (`dirtyfrag:main.mitigate_esp`, `dirtyfrag:main.mitigate_rxrpc`, or `dirtyfrag:main.mitigate_userns`) is set to `"true"`. See the table below for the full set of toggles. ## Usage @@ -87,7 +88,7 @@ To enable mitigation, set one or both variables in your site's `def.json` (Augme | Variable | What it does | Trade-off | |----------|-------------|-----------| -| `mitigate_esp` | Blacklists esp4, esp6, ipcomp4, ipcomp6 | Breaks IPsec | +| `mitigate_esp` | Blacklists esp4, esp6, ipcomp, ipcomp6 | Breaks IPsec | | `mitigate_rxrpc` | Blacklists rxrpc | Breaks AFS/RxRPC | | `mitigate_userns` | Sets `user.max_user_namespaces=0` | May break rootless containers/sandboxes | | `esp_patched` | Declare CVE-2026-43284 as patched | Admin must verify kernel is actually patched | @@ -136,3 +137,54 @@ To update the patched kernel data, edit `patched-kernels.json` and redeploy. The To exclude specific hosts from mitigation, use conditional augments to override them to a value other than `"true"`. +## Mission Portal — operator reference + +The module is structured to give Mission Portal operators four things: inventory columns for at-a-glance state, a filterable mitigation-method enum, queryable classes for targeting, and CVE-linked promise stakeholders for audit traceability. + +### Inventory columns + +| Attribute name | Values | Filterable as | +|---|---|---| +| `Dirty Frag CVE-2026-43284 (xfrm-ESP) status` | `VULNERABLE (...)`, `PATCHED (kernel fix applied)`, `MITIGATED (blacklist in place)`, `MITIGATED (userns disabled)`, `NOT AFFECTED` | starts-with regex (`^VULNERABLE`, `^PATCHED`, `^MITIGATED`) | +| `Dirty Frag CVE-2026-43500 (RxRPC) status` | same shape, no userns option | same | +| `Dirty Frag CVE-2026-43284 mitigation method` | `kernel-patch`, `modprobe`, `userns`, `admin-override`, `none`, `not-applicable` | exact match | +| `Dirty Frag CVE-2026-43500 mitigation method` | `kernel-patch`, `modprobe`, `admin-override`, `none`, `not-applicable` | exact match | + +The detailed status strings are for humans; the method enums are for dashboards and filters. + +### Queryable classes (collected as `report`, not in default inventory columns) + +| Class | Meaning | Use case | +|---|---|---| +| `dirtyfrag_vulnerable` | Any tracked CVE is unmitigated on this host | Targeting: "patch these now" | +| `dirtyfrag_esp_mitigated` | ESP mitigation path is active (any of blacklist / userns / patched) | Audit: confirm coverage | +| `dirtyfrag_rxrpc_mitigated` | RxRPC mitigation path is active | Same | +| `dirtyfrag_esp_needs_mitigation` | ESP exposure exists and no mitigation in place | Targeting fragments | +| `dirtyfrag_rxrpc_needs_mitigation` | Same for RxRPC | Same | +| `dirtyfrag_esp_present`, `dirtyfrag_rxrpc_present` | Module is loadable or loaded | Scoping | + +Tagged with `meta => { "report" }` so cf-hub collects them for queries but they don't add columns to the default inventory view. + +### Recommended alerts + +Configure in Mission Portal → **Alerts**. The module ships no alerts itself; operators wire conditions appropriate to their fleet's risk tolerance: + +- **Inventory condition** — alert when `Dirty Frag CVE-2026-43284 (xfrm-ESP) status` matches regex `^VULNERABLE`. Catches new unmitigated hosts as they join the fleet or as kernels regress. +- **Inventory condition** — alert when `Dirty Frag CVE-2026-43284 mitigation method` equals `userns` on more than N hosts. The userns path is fragile (breaks rootless containers); knowing how many hosts depend on it informs upgrade prioritization. +- **Policy condition** — alert on any **promises not kept** for handles `dirtyfrag_esp_modprobe_blacklist`, `dirtyfrag_rxrpc_modprobe_blacklist`, `dirtyfrag_esp_modprobe_unload`, `dirtyfrag_rxrpc_modprobe_unload`, `dirtyfrag_userns_sysctl_conf`, `dirtyfrag_userns_sysctl_reapply`. These are the file/command promises that enforce mitigation; a failure means the conf wasn't written or the module wasn't unloaded. + +### Promise handles (for report filtering) + +| Handle | What | When it fails | +|---|---|---| +| `dirtyfrag_esp_modprobe_blacklist` | Writes `/etc/modprobe.d/dirtyfrag-esp.conf` | Filesystem error, conflicting writes | +| `dirtyfrag_rxrpc_modprobe_blacklist` | Writes `/etc/modprobe.d/dirtyfrag-rxrpc.conf` | Same | +| `dirtyfrag_userns_sysctl_conf` | Writes `/etc/sysctl.d/dirtyfrag-userns.conf` | Same | +| `dirtyfrag_esp_modprobe_unload` | `modprobe -r` on currently-loaded ESP/IPComp modules | Module busy (existing IPsec tunnel) | +| `dirtyfrag_rxrpc_modprobe_unload` | `modprobe -r rxrpc` | Module busy | +| `dirtyfrag_userns_sysctl_reapply` | `sysctl --system` to load the userns conf | sysctl conf rejected | + +### Compliance traceability + +Every file and command promise carries a **promisee arrow** linking to its CVE: `"${path}" -> { "CVE-2026-43284" }` and `"${path}" -> { "CVE-2026-43500" }`. In Mission Portal's promise detail view, this surfaces as the stakeholder / linked identifier. Searching the audit history for `CVE-2026-43284` returns every policy artifact addressing it. + diff --git a/security/dirtyfrag/dirtyfrag.cf b/security/dirtyfrag/dirtyfrag.cf index 4795ca9..80bbdf1 100644 --- a/security/dirtyfrag/dirtyfrag.cf +++ b/security/dirtyfrag/dirtyfrag.cf @@ -3,17 +3,24 @@ body file control namespace => "dirtyfrag"; } -bundle agent kernel_patch_check -# @brief Checks whether the running kernel includes fixes for Dirty Frag CVEs -# by comparing the kernel package version against known-patched versions -# from distro security advisories. +bundle agent main +# @brief Detects Dirty Frag (CVE-2026-43284, CVE-2026-43500) vulnerability +# and applies CMDB-toggleable mitigations. CMDB variables, mitigation +# trade-offs and inventory states are documented in README.md. # -# Sets classes: -# dirtyfrag:_esp_kernel_patched -# dirtyfrag:_rxrpc_kernel_patched -# dirtyfrag:_patch_data_matched +# @inventory Dirty Frag CVE-2026-43284 (xfrm-ESP) status - Vulnerability/mitigation state for the xfrm-ESP/IPComp CVE. +# @inventory Dirty Frag CVE-2026-43500 (RxRPC) status - Vulnerability/mitigation state for the RxRPC CVE. +# @inventory Dirty Frag CVE-2026-43284 mitigation method - Which mitigation strategy is currently active for ESP (kernel-patch, modprobe, userns, admin-override, none, not-applicable). +# @inventory Dirty Frag CVE-2026-43500 mitigation method - Which mitigation strategy is currently active for RxRPC (kernel-patch, modprobe, admin-override, none, not-applicable). +# @class dirtyfrag_vulnerable - true if any tracked CVE is unmitigated on this host (queryable; not in default inventory column set). +# @class dirtyfrag_esp_mitigated - true if any ESP mitigation path is active on this host. +# @class dirtyfrag_rxrpc_mitigated - true if any RxRPC mitigation path is active on this host. { vars: + # --- Patched-kernel data lookup --------------------------------- + # Minimum patched kernel package versions per distro live in + # patched-kernels.json next to this policy. The data file is + # walked here; comparison happens in the classes:: block below. "_data_file" string => "$(this.promise_dirname)/patched-kernels.json"; @@ -21,9 +28,10 @@ bundle agent kernel_patch_check data => readjson("${_data_file}"), if => fileexists("${_data_file}"); + # Indexing goes inside ${...}; see lessons-learned/data-indexing.md. "_entries_idx" slist => getindices("_data[entries]"), - if => isvariable("_data[entries]"); + if => isvariable("_data"); "_os_id" string => "$(default:sys.os_release[ID])", @@ -44,97 +52,44 @@ bundle agent kernel_patch_check "_esp_patched_ver" string => "${_data[entries][${_matched_idx}][cve_2026_43284]}", - if => isvariable("_data[entries][${_matched_idx}][cve_2026_43284]"); + if => isvariable("_matched_idx"); "_rxrpc_patched_ver" string => "${_data[entries][${_matched_idx}][cve_2026_43500]}", - if => isvariable("_data[entries][${_matched_idx}][cve_2026_43500]"); - - classes: - "_patch_data_matched" - expression => isvariable("_matched_idx"); - - # Use sort -V to check: if the patched version sorts <= running version, - # then the running kernel is patched. We test by checking that the - # patched version comes first (or equal) in version-sorted order. - # printf '%s\n' "$patched" "$running" | sort -V | head -1 - # If result == patched, then running >= patched. - "_esp_kernel_patched" - expression => returnszero( - "/usr/bin/test \"$(const.dollar)(/usr/bin/printf '%s\n' '${_esp_patched_ver}' '$(default:sys.release)' | /usr/bin/sort -V | /usr/bin/head -1)\" = '${_esp_patched_ver}'", - "useshell" - ), - if => isvariable("_esp_patched_ver"); - - "_rxrpc_kernel_patched" - expression => returnszero( - "/usr/bin/test \"$(const.dollar)(/usr/bin/printf '%s\n' '${_rxrpc_patched_ver}' '$(default:sys.release)' | /usr/bin/sort -V | /usr/bin/head -1)\" = '${_rxrpc_patched_ver}'", - "useshell" + if => isvariable("_matched_idx"); + + # --- Installed kernel package version -------------------------- + # RHEL family: sys.release is the package NEVR -- compare directly. + # Debian/Ubuntu: sys.release is an ABI version; the package version + # lives in package metadata. packagesmatching() reads the + # package_inventory cache populated by the standard masterfiles + # apt_get inventory. See lessons-learned/packagesmatching.md. + # Other: fall back to sys.release as best-effort. + "_kernel_pkgs" + data => packagesmatching( + "linux-image-$(default:sys.release)", ".*", ".*", "apt_get" ), - if => isvariable("_rxrpc_patched_ver"); + if => regcmp("debian|ubuntu", "$(default:sys.os_release[ID])"); - reports: - inform_mode._patch_data_matched:: - "Dirty Frag: matched distro ${_os_id} ${_os_ver} (entry ${_matched_idx})"; - - inform_mode._esp_kernel_patched:: - "Dirty Frag CVE-2026-43284: kernel $(default:sys.release) >= ${_esp_patched_ver} (PATCHED)"; - - inform_mode._rxrpc_kernel_patched:: - "Dirty Frag CVE-2026-43500: kernel $(default:sys.release) >= ${_rxrpc_patched_ver} (PATCHED)"; -} + "_kernel_pkg_ver" + string => "$(_kernel_pkgs[0][version])", + if => isvariable("_kernel_pkgs[0][version]"); -bundle agent main -# @brief Detects Dirty Frag (CVE-2026-43284, CVE-2026-43500) vulnerability -# and applies CMDB-toggleable mitigations via module blacklisting. -# -# Usage: -# inputs "security/dirtyfrag/dirtyfrag.cf" -# -# CMDB variables (set via def.json augments): -# { -# "variables": { -# "dirtyfrag:main.mitigate_esp": { "value": "true" }, -# "dirtyfrag:main.mitigate_rxrpc": { "value": "true" }, -# "dirtyfrag:main.mitigate_userns": { "value": "true" }, -# "dirtyfrag:main.esp_patched": { "value": "true" }, -# "dirtyfrag:main.rxrpc_patched": { "value": "true" } -# } -# } -# -# Mitigation toggles (each independently controls a mitigation strategy): -# mitigate_esp -> blacklists esp4, esp6, ipcomp4, ipcomp6 -# mitigate_rxrpc -> blacklists rxrpc -# mitigate_userns -> sets user.max_user_namespaces=0 via sysctl -# (blocks CVE-2026-43284 without disabling IPsec, -# but may affect rootless containers/sandboxes; -# does NOT mitigate CVE-2026-43500) -# -# Admin patch overrides (suppress false positives on patched kernels): -# esp_patched -> declare CVE-2026-43284 as patched on this host -# rxrpc_patched -> declare CVE-2026-43500 as patched on this host -# -# Kernel patch detection is automatic for known distro versions -# (see patched-kernels.json). The admin overrides are for distros -# not yet in the data file, or custom/backported kernels. -# -# When disabled (default), the module only reports vulnerability status. -{ - methods: - # Run kernel patch check before evaluating status - "kernel_patch_check" usebundle => "dirtyfrag:kernel_patch_check"; + "_kernel_pkg_ver" + string => "$(default:sys.release)", + if => not(regcmp("debian|ubuntu", "$(default:sys.os_release[ID])")); - vars: - # --- Constants --- - "_esp_conf_path" string => "/etc/modprobe.d/dirtyfrag-esp.conf"; - "_rxrpc_conf_path" string => "/etc/modprobe.d/dirtyfrag-rxrpc.conf"; + # --- Mitigation-conf paths and contents ----------------------- + "_esp_conf_path" string => "/etc/modprobe.d/dirtyfrag-esp.conf"; + "_rxrpc_conf_path" string => "/etc/modprobe.d/dirtyfrag-rxrpc.conf"; + "_userns_conf_path" string => "/etc/sysctl.d/dirtyfrag-userns.conf"; "_esp_conf_content" string => concat( "# Dirty Frag CVE-2026-43284 mitigation: block xfrm-ESP and IPComp$(const.n)", "install esp4 /bin/false$(const.n)", "install esp6 /bin/false$(const.n)", - "install ipcomp4 /bin/false$(const.n)", + "install ipcomp /bin/false$(const.n)", "install ipcomp6 /bin/false$(const.n)" ); @@ -144,8 +99,6 @@ bundle agent main "install rxrpc /bin/false$(const.n)" ); - "_userns_conf_path" string => "/etc/sysctl.d/dirtyfrag-userns.conf"; - "_userns_conf_content" string => concat( "# Dirty Frag CVE-2026-43284 mitigation: disable unprivileged user namespaces$(const.n)", @@ -154,50 +107,57 @@ bundle agent main "user.max_user_namespaces = 0$(const.n)" ); - # --- Read kernel version --- - "_kver" string => "$(default:sys.release)"; - - # --- Module paths --- - "_esp4_path" string => "/lib/modules/$(_kver)/kernel/net/ipv4/esp4.ko"; - "_esp6_path" string => "/lib/modules/$(_kver)/kernel/net/ipv6/esp6.ko"; - "_ipcomp4_path" string => "/lib/modules/$(_kver)/kernel/net/ipv4/ipcomp.ko"; - - "_ipcomp6_path" - string => "/lib/modules/$(_kver)/kernel/net/ipv6/ipcomp6.ko"; - - "_rxrpc_path" string => "/lib/modules/$(_kver)/kernel/net/rxrpc/rxrpc.ko"; - "_ns_proc" string => "/proc/sys/kernel/unprivileged_userns_clone"; - - # --- Read the unprivileged user namespace setting --- - "_ns_val" - string => readfile("${_ns_proc}"), - if => fileexists("${_ns_proc}"); - - # --- Loaded-module detail for inventory --- - "_esp_loaded_csv" - string => format( - "%s%s%s%s", - ifelse("_esp4_loaded", "esp4, ", ""), - ifelse("_esp6_loaded", "esp6, ", ""), - ifelse("_ipcomp4_loaded", "ipcomp, ", ""), - ifelse("_ipcomp6_loaded", "ipcomp6, ", "") + # --- Module files on disk ------------------------------------- + # Single findfiles glob covers .ko, .ko.xz, .ko.zst and any future + # compression scheme. Empty list means the modules aren't shipped + # for this kernel build. + "_esp_module_files" + slist => findfiles( + "/lib/modules/$(default:sys.release)/kernel/net/ipv4/esp4.ko*", + "/lib/modules/$(default:sys.release)/kernel/net/ipv6/esp6.ko*", + "/lib/modules/$(default:sys.release)/kernel/net/ipv4/ipcomp.ko*", + "/lib/modules/$(default:sys.release)/kernel/net/ipv6/ipcomp6.ko*" + ); + + "_rxrpc_module_files" + slist => findfiles( + "/lib/modules/$(default:sys.release)/kernel/net/rxrpc/rxrpc.ko*" ); - # Trim trailing ", " + # --- Unprivileged user namespace setting ---------------------- + # sysctlvalue works across RHEL/SLES/Debian regardless of the + # /proc/sys/kernel/unprivileged_userns_clone vs user.max_user_namespaces + # path differences. + "_max_userns" string => sysctlvalue("user.max_user_namespaces"); + + # --- Loaded-module names for the VULNERABLE status string ----- + # Each slot is the module name when loaded, "" otherwise. + # filter(".+", ...) drops the empties; join glues with ", ". + "_esp_loaded_list" + slist => { + ifelse("_esp4_loaded", "esp4", ""), + ifelse("_esp6_loaded", "esp6", ""), + ifelse("_ipcomp_loaded", "ipcomp", ""), + ifelse("_ipcomp6_loaded", "ipcomp6", ""), + }; + "_esp_loaded_names" - string => regex_replace("${_esp_loaded_csv}", ",\s*$", "", ""); + string => join(", ", + filter(".+", "_esp_loaded_list", "false", "false", "10")); - # --- Status strings --- + # --- Status strings ------------------------------------------- "_esp_status" string => ifelse( "dirtyfrag_esp_needs_mitigation._esp_any_loaded", - "VULNERABLE (${_esp_loaded_names} loaded)", + "VULNERABLE ($(_esp_loaded_names) loaded)", "dirtyfrag_esp_needs_mitigation", "VULNERABLE (modules on disk, none loaded)", - "dirtyfrag:kernel_patch_check._esp_kernel_patched|_esp_admin_patched", + "_esp_kernel_patched|_esp_admin_patched", "PATCHED (kernel fix applied)", "dirtyfrag_esp_present._esp_mitigated", "MITIGATED (blacklist in place)", + "dirtyfrag_esp_present._userns_conf_exists", + "MITIGATED (userns disabled)", "NOT AFFECTED" ); @@ -207,16 +167,41 @@ bundle agent main "VULNERABLE (rxrpc loaded)", "dirtyfrag_rxrpc_needs_mitigation", "VULNERABLE (module on disk, not loaded)", - "dirtyfrag:kernel_patch_check._rxrpc_kernel_patched|_rxrpc_admin_patched", + "_rxrpc_kernel_patched|_rxrpc_admin_patched", "PATCHED (kernel fix applied)", "dirtyfrag_rxrpc_present._rxrpc_mitigated", "MITIGATED (blacklist in place)", "NOT AFFECTED" ); - # --- Inventory output for Mission Portal --- + # --- Per-CVE mitigation method (one-word enum) ----------------- + # Single keyword per CVE so MP can filter "show me all hosts where + # mitigation method is `userns`" -- much cleaner than regex-matching + # the long _esp_status string. ifelse takes first-match order. + "_esp_mitigation_method" + string => ifelse( + "dirtyfrag_esp_needs_mitigation", "none", + "_esp_kernel_patched", "kernel-patch", + "_esp_admin_patched", "admin-override", + "_esp_conf_exists", "modprobe", + "_userns_conf_exists", "userns", + "not-applicable" + ); + + "_rxrpc_mitigation_method" + string => ifelse( + "dirtyfrag_rxrpc_needs_mitigation", "none", + "_rxrpc_kernel_patched", "kernel-patch", + "_rxrpc_admin_patched", "admin-override", + "_rxrpc_conf_exists", "modprobe", + "not-applicable" + ); + + # --- Inventory output for Mission Portal ---------------------- + # The CVE id and module family live in attribute_name (the column + # header); the value is just the state so it's easy to filter on. "inventory_dirtyfrag_esp" - string => "CVE-2026-43284 (xfrm-ESP): $(_esp_status)", + string => "$(_esp_status)", meta => { "inventory", "attribute_name=Dirty Frag CVE-2026-43284 (xfrm-ESP) status", @@ -224,179 +209,230 @@ bundle agent main comment => "CVE-2026-43284 xfrm-ESP mitigation status"; "inventory_dirtyfrag_rxrpc" - string => "CVE-2026-43500 (RxRPC): $(_rxrpc_status)", + string => "$(_rxrpc_status)", meta => { "inventory", "attribute_name=Dirty Frag CVE-2026-43500 (RxRPC) status", }, comment => "CVE-2026-43500 RxRPC mitigation status"; + "inventory_dirtyfrag_esp_method" + string => "$(_esp_mitigation_method)", + meta => { + "inventory", + "attribute_name=Dirty Frag CVE-2026-43284 mitigation method", + }, + comment => "Active mitigation strategy for CVE-2026-43284 (filterable enum)"; + + "inventory_dirtyfrag_rxrpc_method" + string => "$(_rxrpc_mitigation_method)", + meta => { + "inventory", + "attribute_name=Dirty Frag CVE-2026-43500 mitigation method", + }, + comment => "Active mitigation strategy for CVE-2026-43500 (filterable enum)"; + classes: - # --- CMDB toggles --- - "_mitigate_esp" expression => strcmp("true", "$(mitigate_esp)"); - "_mitigate_rxrpc" expression => strcmp("true", "$(mitigate_rxrpc)"); + # --- CMDB toggles --------------------------------------------- + "_mitigate_esp" expression => strcmp("true", "$(mitigate_esp)"); + "_mitigate_rxrpc" expression => strcmp("true", "$(mitigate_rxrpc)"); "_mitigate_userns" expression => strcmp("true", "$(mitigate_userns)"); - # --- Admin override: manually declare host as patched --- - "_esp_admin_patched" expression => strcmp("true", "$(esp_patched)"); + # --- Admin override: manually declare host as patched --------- + "_esp_admin_patched" expression => strcmp("true", "$(esp_patched)"); "_rxrpc_admin_patched" expression => strcmp("true", "$(rxrpc_patched)"); - # --- Unprivileged user namespace enabled? --- - "_ns_proc_file_exists" expression => fileexists("${_ns_proc}"); - "_ns_val_is_1" expression => strcmp("${_ns_val}", "1"); - "_userns_enabled" and => { "_ns_proc_file_exists", "_ns_val_is_1" }; - - # --- xfrm-ESP/IPComp modules present? --- - "_esp4_on_disk" expression => fileexists("${_esp4_path}"); - "_esp6_on_disk" expression => fileexists("${_esp6_path}"); - "_ipcomp4_on_disk" expression => fileexists("${_ipcomp4_path}"); - "_ipcomp6_on_disk" expression => fileexists("${_ipcomp6_path}"); - - # Compressed variants (.ko.zst, .ko.xz) - "_esp4_on_disk_z" expression => fileexists("${_esp4_path}.zst"); - "_esp6_on_disk_z" expression => fileexists("${_esp6_path}.zst"); - "_ipcomp4_on_disk_z" expression => fileexists("${_ipcomp4_path}.zst"); - "_ipcomp6_on_disk_z" expression => fileexists("${_ipcomp6_path}.zst"); - "_esp4_on_disk_xz" expression => fileexists("${_esp4_path}.xz"); - "_esp6_on_disk_xz" expression => fileexists("${_esp6_path}.xz"); - "_ipcomp4_on_disk_xz" expression => fileexists("${_ipcomp4_path}.xz"); - "_ipcomp6_on_disk_xz" expression => fileexists("${_ipcomp6_path}.xz"); - - # Currently loaded - "_esp4_loaded" expression => isdir("/sys/module/esp4"); - "_esp6_loaded" expression => isdir("/sys/module/esp6"); - "_ipcomp4_loaded" expression => isdir("/sys/module/ipcomp"); + # --- Kernel-patch comparison ---------------------------------- + # sort -V -C exits 0 iff stdin is already version-sorted, so the + # pipeline below answers "is installed >= patched?" in one fork. + # This keeps useshell despite the noshell preference elsewhere: + # CFEngine has no semantic-version comparison primitive, sort -V + # needs stdin (no single-arg form), and the noshell alternatives + # (tempfile + commands:, or a bundled wrapper script) are heavier + # for no real safety gain on a static, internally-built string. + # See lessons-learned/version-compare-shell-exception.md. + "_patch_data_matched" + expression => isvariable("_matched_idx"); + + "_esp_kernel_patched" + expression => returnszero( + "printf '%s\\n%s\\n' '$(_esp_patched_ver)' '$(_kernel_pkg_ver)' | sort -V -C", + "useshell" + ), + if => and( + isvariable("_esp_patched_ver"), + isvariable("_kernel_pkg_ver") + ); + + "_rxrpc_kernel_patched" + expression => returnszero( + "printf '%s\\n%s\\n' '$(_rxrpc_patched_ver)' '$(_kernel_pkg_ver)' | sort -V -C", + "useshell" + ), + if => and( + isvariable("_rxrpc_patched_ver"), + isvariable("_kernel_pkg_ver") + ); + + # --- Unprivileged user namespace enabled? --------------------- + "_userns_disabled" expression => strcmp("0", "${_max_userns}"); + "_userns_enabled" not => "_userns_disabled"; + + # --- xfrm-ESP/IPComp modules ---------------------------------- + # On-disk presence collapses to: did findfiles return anything? + # some(".+", slist) is true when the list has any non-empty element. + "_esp_files_present" expression => some(".+", "_esp_module_files"); + + "_esp4_loaded" expression => isdir("/sys/module/esp4"); + "_esp6_loaded" expression => isdir("/sys/module/esp6"); + "_ipcomp_loaded" expression => isdir("/sys/module/ipcomp"); "_ipcomp6_loaded" expression => isdir("/sys/module/ipcomp6"); "_esp_any_loaded" or => { - "_esp4_loaded", "_esp6_loaded", "_ipcomp4_loaded", "_ipcomp6_loaded" + "_esp4_loaded", "_esp6_loaded", "_ipcomp_loaded", "_ipcomp6_loaded" }; "dirtyfrag_esp_present" - or => { - "_esp4_on_disk", - "_esp6_on_disk", - "_ipcomp4_on_disk", - "_ipcomp6_on_disk", - "_esp4_on_disk_z", - "_esp6_on_disk_z", - "_ipcomp4_on_disk_z", - "_ipcomp6_on_disk_z", - "_esp4_on_disk_xz", - "_esp6_on_disk_xz", - "_ipcomp4_on_disk_xz", - "_ipcomp6_on_disk_xz", - "_esp4_loaded", - "_esp6_loaded", - "_ipcomp4_loaded", - "_ipcomp6_loaded", - }; + or => { "_esp_files_present", "_esp_any_loaded" }; - # --- RxRPC module present? --- - "_rxrpc_on_disk" expression => fileexists("${_rxrpc_path}"); - "_rxrpc_on_disk_z" expression => fileexists("${_rxrpc_path}.zst"); - "_rxrpc_on_disk_xz" expression => fileexists("${_rxrpc_path}.xz"); - "_rxrpc_loaded" expression => isdir("/sys/module/rxrpc"); + # --- RxRPC module --------------------------------------------- + "_rxrpc_files_present" expression => some(".+", "_rxrpc_module_files"); + "_rxrpc_loaded" expression => isdir("/sys/module/rxrpc"); "dirtyfrag_rxrpc_present" - or => { - "_rxrpc_on_disk", - "_rxrpc_on_disk_z", - "_rxrpc_on_disk_xz", - "_rxrpc_loaded", - }; + or => { "_rxrpc_files_present", "_rxrpc_loaded" }; - # --- Mitigation conf files in place? --- - "_esp_conf_exists" expression => fileexists("${_esp_conf_path}"); - "_rxrpc_conf_exists" expression => fileexists("${_rxrpc_conf_path}"); + # --- Mitigation conf files in place? -------------------------- + "_esp_conf_exists" expression => fileexists("${_esp_conf_path}"); + "_rxrpc_conf_exists" expression => fileexists("${_rxrpc_conf_path}"); "_userns_conf_exists" expression => fileexists("${_userns_conf_path}"); - # ESP is mitigated by modprobe blacklist, disabled userns, patched kernel, - # or admin override + # ESP is mitigated by modprobe blacklist, patched kernel, or + # admin override. Userns mitigation is handled in the + # vulnerability condition (see dirtyfrag_esp_needs_mitigation). "_esp_mitigated" or => { "_esp_conf_exists", - "_userns_conf_exists", - "!_userns_enabled", - "dirtyfrag:kernel_patch_check._esp_kernel_patched", + "_esp_kernel_patched", "_esp_admin_patched", }; # RxRPC is mitigated by the modprobe blacklist, patched kernel, - # or admin override + # or admin override. "_rxrpc_mitigated" or => { "_rxrpc_conf_exists", - "dirtyfrag:kernel_patch_check._rxrpc_kernel_patched", + "_rxrpc_kernel_patched", "_rxrpc_admin_patched", }; - # --- Per-CVE vulnerability checks --- + # --- Per-CVE vulnerability checks ----------------------------- + # ESP is vulnerable if modules are present, not mitigated, + # AND userns mitigation conf is not in place. Userns conf is + # not in _esp_mitigated (which tracks blacklist/mitigation + # confs); it's tracked here so disabling userns blocks the + # exploit vector directly. "dirtyfrag_esp_needs_mitigation" - and => { "dirtyfrag_esp_present", "!_esp_mitigated" }; + and => { "dirtyfrag_esp_present", "!_esp_mitigated", "!_userns_conf_exists" }, + meta => { "report" }, + scope => "namespace"; "dirtyfrag_rxrpc_needs_mitigation" - and => { "dirtyfrag_rxrpc_present", "!_rxrpc_mitigated" }; + and => { "dirtyfrag_rxrpc_present", "!_rxrpc_mitigated" }, + meta => { "report" }, + scope => "namespace"; + + # --- Composite roll-ups for targeting and querying ------------ + # Tagged `report` (not `inventory`) so cf-hub collects them but they + # don't clutter the default Mission Portal inventory columns. Use + # for class filters in reports, alerts, and CMDB-style targeting. + "dirtyfrag_vulnerable" + or => { "dirtyfrag_esp_needs_mitigation", "dirtyfrag_rxrpc_needs_mitigation" }, + meta => { "report" }, + scope => "namespace"; + + "dirtyfrag_esp_mitigated" + or => { "_esp_mitigated", "_userns_conf_exists" }, + meta => { "report" }, + scope => "namespace"; + + "dirtyfrag_rxrpc_mitigated" + or => { "_rxrpc_mitigated" }, + meta => { "report" }, + scope => "namespace"; files: - # --- CVE-2026-43284: ESP/IPComp mitigation --- + # CVE refs go in the promisee slot (-> { ... }); Mission Portal + # surfaces this as the "stakeholder / linked identifier" on the + # promise detail page so operators can search "CVE-2026-43284" + # and find every policy artifact addressing it. + # handle gives each promise a stable, queryable name in reports. + _mitigate_esp:: - "${_esp_conf_path}" - create => "true", + "${_esp_conf_path}" -> { "CVE-2026-43284" } + handle => "dirtyfrag_esp_modprobe_blacklist", + create => "true", content => "${_esp_conf_content}", - classes => default:results("bundle", "dirtyfrag_esp_conf"); + comment => "Blacklist xfrm-ESP/IPComp modules to mitigate Dirty Frag CVE-2026-43284"; - # --- CVE-2026-43500: RxRPC mitigation --- _mitigate_rxrpc:: - "${_rxrpc_conf_path}" - create => "true", + "${_rxrpc_conf_path}" -> { "CVE-2026-43500" } + handle => "dirtyfrag_rxrpc_modprobe_blacklist", + create => "true", content => "${_rxrpc_conf_content}", - classes => default:results("bundle", "dirtyfrag_rxrpc_conf"); + comment => "Blacklist RxRPC module to mitigate Dirty Frag CVE-2026-43500"; - # --- CVE-2026-43284 alternative: disable unprivileged user namespaces --- _mitigate_userns:: - "${_userns_conf_path}" - create => "true", + "${_userns_conf_path}" -> { "CVE-2026-43284" } + handle => "dirtyfrag_userns_sysctl_conf", + create => "true", content => "${_userns_conf_content}", - classes => default:results("bundle", "dirtyfrag_userns_conf"); + comment => "Disable unprivileged user namespaces to block CVE-2026-43284 ESP exploit path"; commands: - # --- Unload ESP/IPComp modules after conf written --- - _mitigate_esp.dirtyfrag_esp_conf_repaired:: - "/sbin/rmmod" - arglist => { "esp4", "esp6", "ipcomp", "ipcomp6" }, - comment => "Unload ESP/IPComp modules already in memory"; - - # --- Unload RxRPC module after conf written --- - _mitigate_rxrpc.dirtyfrag_rxrpc_conf_repaired:: - "/sbin/rmmod" - arglist => { "rxrpc" }, - comment => "Unload RxRPC module already in memory"; - - # --- Apply sysctl after writing userns conf --- - _mitigate_userns.dirtyfrag_userns_conf_repaired:: - "/sbin/sysctl" + # Key off "module is loaded + mitigation desired", not "conf was + # just written". The previous _conf_repaired guard missed the + # case where the conf file exists from a prior run and the module + # got loaded since -- the agent would never re-run the unload. + # modprobe -r (vs rmmod) tolerates "some of the named modules + # aren't loaded", which simplifies the per-module gating to a + # single class. + + _mitigate_esp._esp_any_loaded:: + "/sbin/modprobe" -> { "CVE-2026-43284" } + handle => "dirtyfrag_esp_modprobe_unload", + arglist => { "-r", "esp4", "esp6", "ipcomp", "ipcomp6" }, + comment => "Unload ESP/IPComp modules while ESP mitigation is active"; + + _mitigate_rxrpc._rxrpc_loaded:: + "/sbin/modprobe" -> { "CVE-2026-43500" } + handle => "dirtyfrag_rxrpc_modprobe_unload", + arglist => { "-r", "rxrpc" }, + comment => "Unload RxRPC module while RxRPC mitigation is active"; + + # sysctl --system is idempotent; re-running it when the conf says + # 0 but the live value isn't 0 picks up cases where the conf was + # written but never applied (e.g. between writing and the next + # boot). + _mitigate_userns._userns_enabled:: + "/sbin/sysctl" -> { "CVE-2026-43284" } + handle => "dirtyfrag_userns_sysctl_reapply", arglist => { "--system" }, - comment => "Apply user.max_user_namespaces=0 without reboot"; + comment => "Re-apply user.max_user_namespaces=0 while userns is enabled"; reports: - inform_mode:: + inform_mode._patch_data_matched:: + "Dirty Frag: matched distro $(_os_id) $(_os_ver) (entry $(_matched_idx)); kernel package version=$(_kernel_pkg_ver)"; - "Dirty Frag CVE-2026-43284 (xfrm-ESP/IPComp): $(_esp_status)" - if => "dirtyfrag_esp_present"; + inform_mode._esp_kernel_patched:: + "Dirty Frag CVE-2026-43284: kernel $(_kernel_pkg_ver) >= $(_esp_patched_ver) (PATCHED)"; - "Dirty Frag CVE-2026-43500 (RxRPC): $(_rxrpc_status)" - if => "dirtyfrag_rxrpc_present"; -} + inform_mode._rxrpc_kernel_patched:: + "Dirty Frag CVE-2026-43500: kernel $(_kernel_pkg_ver) >= $(_rxrpc_patched_ver) (PATCHED)"; -body file control -{ - namespace => "default"; -} + inform_mode:: -bundle agent __main__ -{ - methods: - "dirtyfrag:main"; + "Dirty Frag CVE-2026-43284 (xfrm-ESP/IPComp): $(_esp_status)"; + "Dirty Frag CVE-2026-43500 (RxRPC): $(_rxrpc_status)"; } diff --git a/security/dirtyfrag/inventory-status.png b/security/dirtyfrag/inventory-status.png index 4adcd0b7c3421558ea1dfd480ddd9cdf079912a8..9bb816508403eef72e851d72bf14bdf871073c8b 100644 GIT binary patch literal 127073 zcmd43WmHyO`!9MUDkI!zyGuMhcotj zKA&d{2V>l|)|&I0SN!6MP*RY5gGhh~fk56!ONpsKAaDy12#gZ^Yw!w5E3qy3gWxEo z?E--+=czq|+iLb*}a(SQ5yPs2^jzjGu1x1asbwIl?`x8O=e7;wlrIkAoFQb~IL z>qmP@qB=VTqobp9YidU0RKju4(S?-IjqC8FrKMTe*@FTDVHz77Z=~^_B|ALNUpF^5 zKN$8tlQJ+v@6asx)Zq8oJMe%Hys5oxc*vo~se<57Z%xP^1N2pbaCm%td?^Km(2$T2 z38G_yQCmfM`H-|Ud_)|E{y5|Rx;z_k;A0=%MWq0@X@)CoHtTnEKL3n7zU6Wuqo=&{!@V$l+x2;;!nR|6b z897*F^w75W&4uLE8{}2JP7d7U)Ejivg6tpVj-=c?^FxJCmtuYVzdutRu(%p}Bs$ZO z;^Llje zBY)VIEwHMypNkUx4@FXOjd14qe=ed7L*XSth|56NsrTU|Xh z6x&V=BENr~k_w_@>x=z!tbvF1_4Nr?6m$KYgBU$#Q<3&x**+p8BcmUOwX z!^nm0wq!C9rWG;6oj`EJf3DwRju(j%`hCrbq`KXdm3Yk*y!gTOk17_1POh94T&ud% z+QiwYk);;embk*$4D*i={qKHo%O9&39eTUq3}&KZUeTyeph!r(NK^Z9GjQ&7Gs~mL z)552?IQlt9vk;5H5;8M5@~~ge{Fp3oCKgbTm;b%jkaD_zsf*Rr zB=Puddh-E7_G`&IzSZfRDf6vtzPmj0?(S}XCQSeEu(+kxOZ(+-aNhUErP@oFFMfY^ zwwlV5S_y~0{!Owrf2lM(ua##{M1qHa3W!U{6ihTm8+|g!e*(`j`|i)z}|*`L}e8Uxk^a*ygsB55$_@TUS`rl`mpMAel|_GFJSm~sf}&dS_(^B0o^?4o-8v?4>2zKf1a#kfoChJz z6Y~q2eFSv$D!qo7O4-)Q9@+P%iq{MI(!>;BcR8NhWZS2T6G}u|IZl@Q65J3xblS`_ z{=|E>flT0b%o^RjF6Wo1ljsW@s3hinO|nD%Ovzx-6hiMY(M5)m-RLy*(d+b#6JIx3 z)3RXkJFYOe>ExPu5wXaXvJW)*<(#^wu@Ai<5A9F5aHlP(DG=7zyO6Wn z;Ldm0387nE*|Kj}zB3s*+f*;0RKKv413zTBFcPHK!C*0JKneB2E=5qV)iKN)4`aSNz$H9ji1TxWC<42 z((b8Cf1MBGU_aW>+pLs$6N~ZWBe;lT;fUsH+8+$`yrz*H89O}@_b^YOzf9BhvnS7NkYn4~m5)^2W zrMmy5Mtc1pw~5+rZ&dQgl1jbwh3M1@G1SZE6F+u(iHeCCU6YrA7whXhs84jNq~9eb zP6r25923OlXDdyoSM@g+!cAAMB+FH0?&TB{wSAITDs)&wA6F~L7Q$vamf<{Tp#+Pp zmfwg9T>vuar5=A=5E}}ao&8yw>W}d`96p6Jou2o^=(Hmi;&1t_F7Jps$gv9|goF>U93ja`xD2Lw1gUAc--!&+X)7GAw>KuB90Z;i&b8$SwR@Q3_>}I$WJKu@L?nXsx zOXd;XW!&^$0q>FD?f#pj8oiuI?oTR5p-26LBQe&Gm>+V4N}Oks%m$--pzD_BK<%g2 zsk~`$$|<6pP9hwyui41LTZ*J;E@mI7!15MR}aciAZIG)IBcNgE;xmui3=KhPMoAiqO(+79T3%P!5Wq#3J@-`9SPpu``}3vo<9UUk=dXJ<&Dn|Q+Z$4s3`7dFC;hCWuFn_D2GFQ1S02rAAt-wD34E?p zCyUE@PqS)iv7O?#{J@;`?D($AdhO#XqZ7Ow0wRk}6P%;(e`x>dngP%J$|S8VIE+-gl|?VS>4h z7tF3g59m!+Ga1%X=Oxh0vbK_NnCU~q&MtdAyJlkkb*vd9<@pA7n1ht=jux6H8zPqd zrQU&TJ2laTi!M!o`AP&mCW||c&wR1a6NJvL-wnBpyllx|n4cFMSCr`Jz61TaOafu5 zYwOjS1s#S1y!DKG!ZY@Zlw{I7?Uk672#>GjbFJOxzktWl^aDLB`SX?Uo@hs*)4Gc_ zK@$o*Rh}KCjO=s%)toW05IG18Lavi|z2I<=TNIPU>30TXmB$s!QccvYr#jdXf(Q8) z3QV%W;6K=FA8gJl8mQuA@2sXxS3l71iR5`^#Lfn4p`V{zU1P3=v^TaXpF{7f{Cz-k;Ebz-T_<72~=(Zan#c z@XdV#6fjRd!3|7|fvLeX8?=osRrx(3Q;ZUiwzjrL+bwgjQ?8H2h3uuGEu_$MkM=g%NRgHYYsX{ZLR2bR|23%T;{W(w4drAQ~=cLu5d$tNt$G7^7OVzU)jS zn4T-Q0u3ME*ReYUKMgv3q9_$%Lxu-0cB3yfXAvpk0Hh`3#j5hdbwgVb$Wg2KmIG$j+6skL#=hZn9> zc`RNT8+8Bt^XH|#y587G7d|2aqazq*<#HO{e)oR8wir_J>HZjY{`UUY@2VHuOnN~x z4$I^}YVZjjRTJ8mAOA_tb{?>N>H&Po(hc|0gT&o>2_(0Wr)Q2lJT#mUv!xywLL*%ko*w#1pm(_GAu58bzpL5w#^LTHFDa^ys@`TTSJDUfg80g z^r1f=+nt9dO)Yi|k3zFr-Org`hQ1nabkc7-tDxQ9E>7ike}}`QAIInM8-1$!m0&lu zF<76kW>!a$WHh<2O4xnWiqwmw2OGy~b73H>{iiP6PWxnnCB;AchOn1-?{~C$!%r>V z>ECjf>dRIx)FK7lxrL~&iGZ0R5;jaB&qc|ma-mVzKEl*&>lH+k%eIoy>GVtQq#J?KJj?RsJ%~@f!mdh^_8I+MB zwVn%phjadK2{lIpl`NUsq@|L-&NrW-Vo; z$T3f4Wlq`3Vfi*xz7N4YL+{BbDX{?*qBPxr2*ON6Q!_upVY#y}{gMwI`wK$i6OyHy?AR6aGPLw~BM^!7eQrTj)zzG< zD`j=Wp}X3|vzuFI8{@zLt>rx@iH@!|+2)x%Q|#!)+>oK2Sp*Neq$oHNprJIpNlp9b zu=Mf>Hl6(adt8CL=+Lq<)^yJ5s5YdTcdV@VB_kh2CN-AO77GOa$jhJYuCBr?p^fDU z>9kmegC=DaOpX68N`pJU^BVsAdfDpD{6bxz{9UW$D(cLzV$SyuZS}F4!xUKQ1-jJ! zt_Pc=vbQm8MMNy7h8}N)+|WIaLq*m8qF3o~bhky#u-Hx^b2!|gY6=$8Odf!KVvBY% zV`k(x$R}9I?H3oWFWrfQ|Akwc?wA%>RoItqAB8dzE#$hyt-&9UXE*ejj~ax4;$U)F zk8gdH-GzXJ#O{h{9g{d(h9}^M0^qBd?csfw&ckE7A*{b$O*URee>>Fs2M2qXVW}N= z?76*M?ZVzxbVRw{O- zeNb&7u%4+LBx(WmGn3y1AX9?5JkV^06394SY(~!X24cJ91etMI?1}7A9S3jX60go6 zzd4xMJj77emOPyG#e={9WhIT* zB@g)=Utsp31PA##K|Ty%^su-pp&}D-y*fpZwp=Kt_27p9yhnIEp9_2*4pRBC3zH;4 zmBo8r%06u;U%c|%wj>W({Z6AG9nME9$kv>bm7w&MGOPD z4?G@wt``e;WIt-s^fDPxD38Y8x56r9BM1XL20G(dpLV2SEGXfKKjD!KiQuHN8L=c+ zF9!4Fp^jB0boF{FWC_wuQk&VS@$$|i`gXkV@PTn?5WhgRfk+Z$1;CCquA4R>@$9VF9|WFjrA@ie&x5LIdvaWDrg zzE>}a+i%p>)PxHO-d>y-rK0L(!N3!dl=Pe18mooBAmV`01wdS}-TjxuLial(k4)xM@uS?^phVtkUn_weUurr2stUX zm~n>$=neKf^c*G-&>v7ks(Uc6^OjAn>TGQ05nwb*S-%N zK&6gU#zAiB>~n`L@1wC_$-nsBme)NoSxq;ma*V_1zHR>_6{vF@c&!J}#k*ICxhmr5 zI(J-O7K*i0`CP%QB6a(KZxL%3YC=13^|rTH0`Gk}$=xfDV1O2bc(^fhFa1%QDaLR)O3O95hs#B8 z`F(VZgpen7-uY*6TK15dJ6R`4W+iUpS;_)t$aLj?hye{-WxaA?>G4l0M9QW{Ndpuhf&<%bH8S#0zgSI`JogcoPNWKk1JAba$haV!pik4 z3b$sw^ZWxc5f2enZ!Z9P0}TvG^u99<*p9P~j*YcoDrBPsg8o3O&WnD&@gN8cO2>Xr zIXu3{Y;y83<0C>flS`L28>a3x4mXNRL9(ICXU^b*ryzj4uPSykpz4ukXhw&1&KH zf&(>PcaH|yKLEWDx9=4j9^P(&ma?u|wH7gWJ{K#9;q5*ngd*!hy(qqUVc!Gtv%tgUR?I=!May!|-^C~K$jDoxzPha2N?aq&* zQY(Dy-We@plYG+0!$%kc)go9@g8cZBPa)2r%MXYk=)O++Lksp1;($? z4@UtrU$zV~-43#={30)Ky4|+~W7-MrIUWVPp+D}40J(0^y8(V)%0AZ9_S zn6ZO6M3 zgd4O|(D#mWKBZPL5EC)R_&h(rw>oOjk=ziG)7zOCrPd!6->`%RNI^6$^DKcNwaBqpk;IFO*k_R!Gs(}A~qw$GwSczu?%bZnY0@TY9=?)XWp0>;}t7-Z+X35BSc8EN$!M% zJMP;QBostbT^;^K0rj~R%{dDxAz!WrI|4OEpo=_wL7mF?{8z$gX_ zzK>Pc^f{yrKbc`AxRPNYx7MU@bOS7M>1zHbk~wf3UGBU#WFk%?a5Eqnb&tJN6ta?T!s=n`ilq3yLUK(E zWyQpLSC79-G1(5q!a}1S^arghA38giJM6mjGN~B!z7b!!iz^Q=yg^4bfk37^mNqBU zs%hpLwBmb@K@T%(Z1Ahg4HNPsCc~(7UmHIeUW4?1YXR2c$9DluFz-eX0PsXBQ+msC z2Lm=XM{xggX>~6FQoKeG)MaYA3Kr_(kdL6#?wd*XthV!sQo@~R0!KYK3P^wm`Vd!> zMKlQAZGeft04oKUy^lpW^q)`SXg2^^1KPfATVeV0x4AkbNqY(PTy$oF*=)WqDY8D* zd+&F8lf)sB&XD3*tW6~8?v9zE>17V(g2N7F1p#dFv*?k~sp=3}F;0ftV~q~t>8n<# z9(gf7KZrpoi_-`2W2cS30+6qPW}tkEN~bl$YlllIkmPiQ!{*+k2Uz+P-buCp5Y7-A+p*)h*k%2{7uUuTk1_#5d<vd}!IumfWR8XkSd`@2R zN;@feE(LG5I$v@TaF&LEd`(t*V0f|1j@W)hEN*Yl^gPCIX&nZQf^*!OJewMH(7-vv zqCFw;adh30P4k#}eKn|3PZHuB*O6Z^k&KQzoGh02Cv*_8t}8{Ty#*?l0pfie82Eu;gLFcL3*$#BK^~ zN}}AKt_l_W&I^Hn<|qJ+sf5jk;u*;?$}P<;hgLkUu5ONw*VaG+kU#xBwDjW)Dmbja z!HME1)fBbgRtS9Y%5i<_Ra!wH=qA^WbztNPXM~%0{Yv#4=y+c?2ZN$d&!?FQT4_K8 zrwUr|R3hrG&-Z+%u`~?u`_A`kxDOXDE;H1iqStxn!JmSb7N6^HNM2Qzhn%F5EGgt2 zDJueiQ)attC~=sy<3LYqyWB|vtu28syr4+P-SshrKg&j3a5&oi12!P};&KCUoQaMg zYRM)3`x5b{F0W|W@$3Ei^IU_X2Ha%H!rxr%W#=%d%yhhuZ zTb5c~R48wGL*7)FyO3WM#UPXqMm0V;F=?jLGe<}dgolT(n(MT%E+IYGpP&rJcTq8J zM$vES_AZFuTM5?JH`IA7`GCG-Y*!mvjNub{Q4*07%zmZ9lxlY|UJ-EzhRDtoxP)=Z z@FD#sFF1YJvOz<)Uq%#Fub~^8O!)KTiwaN;gvO;sl%`rZR-6srJS=?qJ9ml@!J@&U zG6#~9*ybh{blXK=yYKMwa1OJpypBs9d^A|rp=LM8 z;|>M>3QDPG>pWT0xyoT7U?Rl%>#)e^4G($8s?5eG?rz>h24?c{W_eWx-KMk*?M9mu zW$whrp^djfei-yKvl}{dY4kP+Tt~?+K1WB919L4vSCR`r+^Nd#z}O>71=~=qKfajS z(a|qG30mtLT*iuK94P>HlcpL5`(+mf0*#6!y6~})6k3X*l9jc5%k1ng~g{Qqv&S* zT9mSa?7si>V)=VqUymvu)_iI`zu(ljfOrRKbL2#x4sr~Gedzu+dF8h+~3(mqx1pQ*og}ABe8`yBBHMFSoZlV zDX!m<1kD|CdceR2TwY^B;ZGsfJ#q{TA!EQdddAQzZZc;oL$d7DuU;{ zOu3hu1W$ZI@7>k*5!~@Tr@c~ChSl!Jq8G-*eZT4w1qh}p0tMh=3jn{B$y<*A@*lx8 zNqS*C<=L7EsC*xiWWI(PY6JR^Y)27+@lPE%!PR*>NjR|OkF0YXDoe5o3c}z#H`+~N z`Fg#A8RH*?DZf-s6Qs2%P}$zV$Kg;ajoXKh3y0R`w?r~f4NeGAy+1iX1@(d&$!>It zq)3PkqfBl}@wr_uI6C<0oEq5LU2T68QOml!$7Tw~65vF$l6P`aoY$1ekH@x9vNw{=rQds^@$P| zkTxu=tY3L#K9@zHcNPvE6p-;Jtx>EE*HP zVZQd`Se-^YAJ2OFpU4J|J{kcI>H7ewGzqCA1={_yWVSai5*OU+|D-m&*fuY2^>Y#e zxg$O;Erd=z!x*$BdW4DP%^rg3ok%tnB6JIaX>K&j%Mij`#01NBjx7O5v{G z_9=W^^^t;%F)Mwr*XSS=V@mB2AxEbE|Ac}hQqam0pz?Sz;MTn~H zcNM$uf}wsKaH6~W`?(%*@8Cl)3?92`MPY_7#kmw88LAje9}X?BD7@C@0I#>btMTEBV(2oqo1I~T*+5k7dZ zgf_BmBV4035)MH0^SQkx%wNf1$_C>l=y<0pj)Ib8OMcdWd6n`J8vt>78(;p}Y-Fm{ z0iz6TpMurtt{w{X1NP=Vf&E8jSq4B*vC-#4@1wRhAazx|&| zzYgXCC`7^MPLeFZ2pvRu7oI;9!k$G?G*|<`5wYvacTKOFL+9oxsA6WzBD0*1S*6eo zAEK3-;XDI@AhD}%Zf}z@a_ZYyKbAxtU0nTgMKSfRB)yw&~mpvD%I z2WnXd9s&+xqau3xHa@LItiAGl-cZ*zkS4L3|I!2C!S96zL^ihWMHOpS#cY78em<~- z+dM$gmPt-b3<9EoPpqDMSW}3gQ|qf1kX&0SMu^Sg&aseIf|P3Z!NIv#t;4}WxNPTx z4&M$SLm;K5Yex#^QFhR!96JYfa7dYO_D^uJ4F!%`Sw%E@XM5{C>QT zb9@+kZC|E5Srb!O5c;|x>t=@=00ISt*M4jHU7wFv*`}?niv;ScB(b@C@{5~%p;mjZ5itRV? zSy@5QmI(9`!5@V_11j4X)Kbvjg>F?)nz3F0mFCy2e!gZ0N=>-lK3NVq_aWL3#*>O~ z`Oso?U4^YmzV6O;Ch2vs-SEQu=q`T*TnI=?&g_+-PNNgjYY%KM2ZceYEL=DUkZEp> zl+oott6iXPyP@F<6C~g!n1VsO6CDf(qThK17o%BSTvP#|_u`9>YFBa$mc5msgMpmA zdmEOSS5;-5xO&??apIgn`dxrO8FV&vc1D!xx2@=wRPNkREzwYiqE%}J7Hb+kuPjEu ze9MZJN7n`8X?F~CHHOE(IHjZ>!gV+)V#2M;_C7t6!T^i`kCP!)7o#;d&)D}>0Kgw> zJ^X`3o|SL_H3y}q+OOXBOd*KYnp_(Jf$Q2rA+b=|#5WQBw1q}D5-LUAXkR`J$F1J^ zd5i$lfEZi2;R^17LmF*ggm#h$4Vdra1+u!;wlBWI#6abnuI{)krujD5xN0>AVe~V{ zKW4SQ>~#K-lLzcyRb3~~EUu)r2*o<)R~DZOtVu(4fsbgh42;OAsN8hpt1rzbL$ zPCKtvpdQe1e z#hu!!BALz&4`X$#SpU^jg-eqQ*Fwh>9v;0tQEKhIQ?S<_F7xyffc@EQBq(1h`KfyV zFS?FA@I6>k3ZI1vwf0-AgX z92GRLBY1N;e3XQmp+G-W5hQj%fQVX)6fUlaVK?kQP&>bL3Z-DZgI%^u zIonu~rIl4)dJAE>XS>nVzhx;Pd|o#rgpoRK$_*4;?p;pgJ4q|}N*QmaoT8CLMLQ`1 z>Im}1C9AV#4gY9wPRP%ja{xQ!`{yVCIz!~4zkOqI`DJ5tFKWyiV5>HM#Nsf8@E7(_}jK~L7O^g-ZpkKYd? zil`m6K=?ZW0ndE-7{};lN@b<(OLqcz<~SMnE?*3R_NJh#nQ36^*>RreGo>iUt79%Q zjW7ln->Zt5qwc7bnyqyp*7`!YsXUnX5_lK7lZoJJJ)RME_jmJs7q;0XOLst<){5>N zaG${{&Q>k}Oand(u3=zcKAdZovq!kvUp{X29Yk|Mx|iKuctcgHLD*Pl-aAG28f z6dWSHev|jcnFtj-bLbb4S`gD|9jop)(zY{uw;MY$n8j7hoH+Vx&&@4nZv{M9I+6#H zrgK$CT`=Rf-n!jtsE@jD%@bj9j7iF_ydImF_?(^1^q?bsH~?g)!jh73P1c{*K!0(3 zH({q;z0#3kfv-|V{%0i}$Oqwo=qW5B0zKa(+jnN7{I*CojLZ4tLZUyAzv6+0{LrsZ zZ==YJ6sZyQ3wPNB%qs{GnZrw<9EHS-dP9-u5Tc_1v34w;=Jb8e+|ET>U=hH`DJvw^ zNLxC8Pp;3an4q4bmRD63^P{0F*yl}LxCEdVSl!ix7Tdh=>KkaH zV_uH^{X0^SGWg{#Y|@-*OLA?!h|oDm9eVr#k`JnWTvmHrewIIb$bvGBsCwE07zRUQ zGeZRyQt~w3FdyS7<4Z!T66j|1@E}lT8w_`7N%0JXMCkZI+jd_0-WL9H#6nt3RqZyf zpmXlqy2Oi28|U<{fnuSkL$H690qLVlim3 z#P!Osa&m4zlnDw1IUbDows}-2M5*7JsJOZ|@+=X~wnXXq!fi5-!VF%rcHI>Y_Nj(~ z?yoy7@^T#D^&&My!s`btnS$T&Me;neV@tbY07(UOfn|e%Y3b`=-u>9+8AnOaMM}o@ zI;(3W^-)=EkNh1i>?pP^XG!?OraG9u4YkHV#(vvV{asSIOoS(Cf&SkuF+fw(Ir*I) zHea>X0?z77M#j*vp}N_QZ;hb2Y53aF79x;@D3F{8eR}y}LK*$qZ3rKT!Q|RqoSmWU z+Wyqp_Ix}bBtjI`HSGzNL3;pr4@p3td!Qm9NZ%x$@hEz4cLDM2r2qj%R7e}Gu|a>% zGf*GNv^?KwKUnf*lNDwO*Rh?*>U8O7r8+f)8+1(kNxsdv!8{yuBlIu=x@qoO8*Fz6 z-B1ko6)MQ)0*c)Oh0t(K%oG=(9RqQs0E)!}9CJXAlX1_Bva z0MKsTc)YYbO~V1t401GQov7;MMB5b$Fq7m7kd7-(7S&0AdOq%)r!x1?ci+*uK+a{TIA$ zmTweWB0&vYlc2%()$hCz>37>bzzxW#i27xQmk4#|0A~l_JwK{OMq5}xe+BWO?Ke<0PK@sL`dB=B zD!VUKV(=p%Wv^lDPqV@uS`}$Ro(Zd`X`p&znlO+TI+8CW( z^ssPY0O87g&c|$^jtB_T6~DmeCT=K+1Jg4raNK-o8L>06qr_({r3F?Z02IFdYrhyG z{0LfhNg)R9I{YVt>jN?}y>HG)1!30%lTL+9Rdn(y#UbF)cIT>ywi$JhDt?7PWg}u@ z62E)ekl&wWo?1*6*g&9UuES&pduu?B?sI8HLXwfSH8Niu!#dtuZdXLW@2no{2ygHw7_c?e|63D%;p%p2Xl)(sOh#?#pT!6Z$@)BRIQ@-i zci95#_2oh24)c1g**#1edw+xN8pV{&B8J@Jf~jk8Jf{+b7ayaFgK^dW3Oi} z9?^QCOK6kmTnkkeId0zY{K?@=Zciq=I@0@z`Z+5B^+ET2Zz{U4)7~KCOV`7=k4rC< zfo8_p#RcF^DA4MVG&o|NQ&nzZCYM3k`;V1ou(;T$cX11p#?Lqe1#+?vC5m5OwOVgt1pXJ?_q}f|Oh| z8t`!Wb{WMq)Xpk4&@z}zd-Sfw7wg?zLWlLRMk>D_3ux!mDuD87p`@Ii%YF_CG|Qj9 zsdo>slYV{N?y8R3It% zoFZwa*Nz_9eofX^6y%Sc-ndcb{oV)abk)Vijn1hL$cPZKnkW0zsww71;<358`K!nW zKbqh@;Wu91e#&2!Z9>l(Pbd$_d}_*B7P&RgLx)OxFZscc4^^Q23JKBE^E(w@VbVv zLLrIVQQ zjW|k~LNJ#)_ur4|gd(XP5%-U?P$%bWzJzx8J*JZ+hTX5l0W;kAH~IEkWi?=%;dLkc z^|%aXc5R$0Ibh%bF0E;sw_?EQfrdWbU4}FOuj3&ngz{Ct z`(vOV%?BB!KQrQ#FW>5;qmzx)@S~Swmy3%_nM<4z^cIeK^~DN1_$mL7UB|f(6J5RL zKoUxxcC{SG79%$OZ!G|~6nNzS@fe`~Dv(kuBlhStj#ak;i9sx}rDJFUfUIl{?(s-e zfl=%Y?s-57<1%CVAZV!~QRw*|=x>+~fsgk3xrn|6x)&i|4)jv%&qNYiY=N34c2K>1 z^zmb-H4?ZUuxyZ#O}o{X*E<8%4S31Z_Z&1WZ@Trc&oostab`Z?UTG05(&7)_tWlJ>`c z7^%_-k}4m!!iZ9ubg4}2(_6K1C21HjGz!Y`}cQJpE4=7cZlX`mBRaH2kMmzkbE z<3C!~i>y_lKF;g=zghRD z)?0D_e4`}G2Y`IpXK!-nOZ#4{AYek-7y3lz5lu$4nevKk;QAQIO|SWC&p(vwG+}V_bPhK8*n;`Xv!}cKdSeIQ!;AAvm|+?_x-SOOkGVRk~rj ziXu>{JBd}?cFr$gv4V4FM7wiPhy&;j+wL;LEddxvfhOac5tr{#zMJ*0?BfixqF3O* z45ANWjrNoFbjtH#V2_e$j(*?LiG6kG7SaHxT69H0FWuv0V}Q996?aFqT|WCx6!YdT z`O6ovM>xgA$`tmsCkLxZx$NvT9P7XYj66KaDZ7;b z1mplg5A1+XKY#u%ftsU^36l5;RRJ1w?9)Y`zFRN_OosHwyYiUD3||`N%mAyVflfQq z=ajGwbrp&aarwyp5mnDtahF%WlM-tLzAfmA0jKFy!6*&Xtfm9^5=1bu{23kk_+H%yC46 zyR*{iknKS)3oQ1|^UO$HcIhh`l;59&!W8NM==#JcB}%9-tCR>w9`bg^O*@ReY`bQ4 zoW){_efEi*A1(SfS?+}^R=#i=&f)$3;VKT4vDO`IU@`_SFE2FWo*p63tIq&XmwAy_ z_(%FYsPKgt#rKLE114g>LCIbi?65@XD3tnW)$r9aH)0U;FB_-ATR zOmL0Nxqmx!sVb#x7IsC$IT}O2fTyV6vzPS5$*c@#hPn=IH zP08U>QQQBp(G%(42!Mu~^zca(s5XB$)w4IMG32D@G}f0+{(?hSzPZ?A2jsQVH;Z>0U0W6@ z=-Phfp33Uf^cz4#Zi$Ts#kW^;yryr*-vaY}FJRl18pGcl%5FMnQ_`mMA7r(!LA4cB zaU{{e*>hIl4-~GU1@1xaK)$ld-1Rr^jQ-rvZ=7TF!5S*~133J;Q}BaIst;%q#Dx4_ z_o-0&?e(vpY#s3p_?f5MNBp1$M2N?UxQM0E(~_AgzGAkZq|Yx&pvNCz-_Roh8;9og z{w?o3uVd02^O?6+hYvZFBWvhu`8lb7u1(lQ4%k}wxad%z%>fh|2HOJ!t;OW$+c_jZ&h zPkxNU)2Tkn<^GnA1?MQ@3NlFa0@WM)W9sZTk z?G5y`h#yaUyK;8Yc8o@O*!d1e954G8kcLtCcr^?4tS^LN_Q{nB*z5a1SgwuVUR_sLV%sjd`}}zYDJdw{w~y|D;#p)XGFIog`3cjn=!Sc3 z^j7P12Iu8nc34Qrwv~oo=)T)Ru4VjZtrqKMe%YRu*lB|vlP>E1oE56+?5}0FCF>?S z53ryAUFp-CozioEFKO@mO}pVqjP)YM=?0}0*I|3%$f2UYoh|Dsz_ zL22n05J6J9K`9la8!17$MUV!Sl2lq!y1S7QB&18aJEgns+TU}|%=w*r|G0DK%$d2& zd}cmu_kMWx`+1)AUhB19uh-H@-fW=p&1fscH@TKQRG_{^DU2myy%9gKGtv+il;tPl zLhe6WRfSPl`rGX+2&DM5def7n&z&#E4*QZ=I1RRrCqug#NTv#Qt|=|9`&%8)j^}ru zK6YZpN&na26!N=`UjJ&o9NACWTj~6){JbLV{6<*UGQS6*TK<^tQeZ}7T{qR*BJf%>;TiV-y>-E)2_}d0%o3ewF`Q*-1f6IrIy8(HPO|UP8`0G_mY3+C5tRN z2i{}vUghe$bqO_yxna2NVSw(N8s=RH$$Mb3rbE_f1^DKs)2T(wJ^(T-l;Xl^Kq1@7D zcX85lWF_TQzA?x}v8wa;GFbCI0Kr z?^Z{e|N3K9T$})OwEyYng^Z;o{eOMazM?cqbKop?&&iI@Y|eqX=hP-5TmYP+eZ3{2?2BPUNq;Z?77 zVGzpFMg#<&CV#4Ew=m3CSwH{X+VZB$n?Fmljw6;ko2_>^*7GS&k51J+T3Yd;d>wA_ zqi;$du0K+VNJu5e%G?fKSwhkCBqk+=ped#l%QG|Bsa}ZWl*9K-abg#Q2Bhr5Im7t@ zKVhZyOf)^M&GcjuQw$ZbGR0@ZSN1F;7&Y;uqQ(#iMMWyRs{w~ws145uR`wV+6qM9R ztCsc=Nh0o1^e6~MKK{nhb~FeqKrgwMDC~Lrr&xulLZtu(W@&pM3PMb`LDIJUHEb2M zz0!Z7?t})G-9@>jZ^V%Z7kOrnHk7dsbJX*1`3Seq6cD&W zFQ@anb9SWNB%BO$UDfaV_iW4VgD-)BZEN=GI5@=K9O*JYj1N2d{;Im`GV}A3RJu{l zjvop#s4$3{|F!jfsb(0-F>{}c$gfk~dTuTi5y4~;nxh&&RDq2UL(@L0zst#~96ZBv z`SWp-j9Ee^Hr4HnSR2c?w-Cq>Rq5{b#=_!rO?ht9(8Juk_v6L%EyusPt+X4QiR|ol z8I)^oF*B=d=xk5>{p!7b+|}Jcd9GeC{VCGOaj`QRwbGq3D?;7)`_#?!&A?yB$)YKS zBFXPs-Z7p=*V#0&JwPi?GE}S%qwR=%d{C zM7D#CA@-_^9>1tNaGX2-jdg*4_u3ctjEqNnZxM|NuGqV~h8P`!QEIvL=@(e-BxGdC zV$P`L8-hl30YpgiFzd-$`rey}(ZxSLO^&zIMy_r=t6H+Bf+bDXCUI3MP{ES&^+h1I zEks_tdKJ;Z2$B<@z|wH7NwsC|Ke%`9oH1U9LYrxCd{OGk&6#U>*MGIaqDAjD4haEf z?_AxICJ9ac85M57r>23yeW~EMFXpO@jpdr+&W^q>w$7scSEH#19`o^OBu1>U&Unzp z9*;3yd}>i7P#r$5s)u<)EU^% zo3^6yRnTF%q^QUd=aJeG4K=kQ-S){J^rrsmVmK%f$iTw}%1;vkDSWg?=tx*0nR_o< zi^T^HZo5zXV18an^m=>RGtIF!R%0v>s;0Zt-XKsb)k=hSK*um1b~k*eFY)>J1Ohk+ z$nLtfoi+XL(8VC;P&}0N{(AIsaPLC02n{_DC!{CX$EW;rmTqPFlTJ;oq0{^Xcv)er zXYfaKO0k9d8v`S@4t2AXuxQHEwq8OW$H?@NHhEo~YD*@6r4USs?lUXo=ZU#4s}IObGKTWG)1cgSgcWb&h$S_?|D{x-^LXbAfI$_lzqy$NMDNEC}){3C{Tc#K>Qr}t!xOzHoig_9!Fi#sEf zG4PYZ>d!GR=j6|84dnU*YwAy_zlVm4fu%J0JF5wqL^{h&Mszq(+Q{9zUz+L$pO(j{ zlxPd*8zepY_Dzw-q<#T_XsC{^1MBqv#U3&69?C9kLmYVZ*ej5uOk;DG4hSl&nr5b4$HOR^6RnZ zHN5|RV(aKoSbm?lwJ$aDE7mL+=Yoe+m;Pc&@^N^AP%TM+ay=S$_2-5tS-<1*i5MZP zZ?&VMG!LGjDVwnV0`02Z(xmQ*wr~(=Y~Sqch~knF(X+{sG(z02IUwEbo;HFDbyD}n z3ZL<-JRM8jjIyORxeGRN;5(zu-PM1OwMBlSx>m5Y&9wCx9M)_x8Z8;5h~7Zx-gcoC z7*f~DctxJmetkf))ETMtClKqf#pck02KFP5D|x%c#ygXB9=DFI$y-*xxfcU)18p1C zQ!CrkP0HX2P-)yl)-1h^c2By(ZhIW}%r<4~RN0!-U))SI7#Q+loN&HeW_kB|MdGu| zU)6zzk;XUSJI@zfoNUkedJ;xI>b#D61MU-5PN%-LSpm?~ORf8vD?Pq?*B*z2#3z^N zc;Vs?cv!3sYqX8QejPGoo1t|nCLeiNGt)nKio8-bsCm&;}l z59D{x`ceb=T-^jICj~z84?gd#Nc%S)END8BEGmV$f!W|{GVAU^C3jVK`_k1Rf~e)6 z`}3lULKa)**V2iS*Y9F`(#v`V%l0b4!^4oicVRsJlF#0fEKx`(w8;m((f-0R{e#*I zrlX4&+JkCQ%y%>z?4qS@excT1!QONcS690wLl}8<+Dry0XnmbfTG>_{Vdt;{Tvyy9 z7Yd)1o#`t3Et^_r50o}+D{p8d4_l41u!YD@9Q{gGv3twS(**W7HxOiMy^+%<2mT@m zuN9Bzw6eXW`ozM=hqz1WnuCR@3xGDrtbMQ{m#k#9V)xi{>x%!W#7N6)Ii!O0EATri z=;t&4RXDr3yER&7oG7FTxax6{#rDh#!asY=h_#uX!uI6%c9z=0M27S|EtG|{dzL9l z%fGV&HEImPrDNT^!@ejJ&d$y$?~qTEeJG@Q);^d!T49H4V7Sm%u&?iSMxLv>sa)Yc zLj9ZmVdI}-t_sWjFcTES`bd5TAyc7_0!!}W#ESP;50~Ugc{Nx(kGSL!jl1DQPYk*+ zxboB~R^&Dte@0i@!o6Lk!V1lJM_OuXTzSgG=;2(&{QDgO5fQq6LUoVoLf=iQ>E`8? z$QUVICAC)`+y48Fh0kW}7xmBG_G*4)3+KNj#FzdU6jIZ?5Aa`Ooux>AHmGu1AYd*f zNw!Bvm5^*(===Uu$erYdy|Q>!L~mdKmUG&nNGro0O49R2E(^j4##j{09D<9QIX1{_ zfBiG`Fdg|#x!oi>Hxy|?ygKJCRE^(!pQ?e_+kQk(|2><@>iSw^*F*G!1N>gRn77xqatRNTJ9!{SAO*km6elg zZDl#P9Xo#nEW=qyl5~W$a;G9(z;EpiR)V({cRcW_IfdGKrH)yx(y5o-|D72$C80mD zRQNEIGsm2tnOVqpdvCFaE}Lz^FgSn3!xw7mw2 zmMe+zD+)Ty)3y1{TSO-GpwA@e)w?A#p?n0DtXknj$T{|f!jGpSPE|is-e()^86Xf~ zbh`K_LD?l?k0kSVzYV{KDJ?uFEwP6Im)Pimjk<-YFJNCB`wdkf8t1}AVZGSw*-q0mwb;9cBao8RG9r^sRWRYer;wH#K6FxDX*?3c_mvS zeSSDnL*ajd;{&B{dTXPbvpo_c8E|#$%yVV}T8-wx`m~(13`wHa7)uiBs_0vqioDle z@a)hCU3{)Zy9`WU(GE+>e7ENYyc*!mHwk1CAS4Z?0fjj^Vb^lzMwqoFQhl))hnncw zeg>xP=AtvRMhPKjX3$MUm*xpk00E14El>5g_`GUrwbzg{#(*7CjZ;|@U+)bim%oez zwg-)OV!mg$ju#c7flmGYAblt@8!dK@BLZ!~!xo<)wW_Zy#&RS+CcV0E{xvo9r5iFu z&OAUkoiHFk#MHVcsjSeU%Uy7GD*CHO*l%}F6)i_K+beNu{F$DfyXl1m??3(BJxu?A z04ZHEiz+_BWSt3PB~8)mOh^kwFD{ZAdwK|iNr%L`*CUNy-vHL2S73C3;h#?sIKae% zL``js{Y}@?T917!=o~cWPaMCoh$F(>P<@_H+C$7|$-$~qeHUT6G))9$*bwP(WaWbU zAx}oHW=L`Bnc;Qvg45|b_vFL{($6U?4+R0T?=~=1>6^~yKiU$#gE&cjDSXjim6(^- zH2fdZog(BHKq{v()hHBLAA0v~Px<^676pGWq;zwJ?=g^H4zxeg4joYi!M10U1VO~Y zV0^$cbmER<6cr&u6zW(2!IwHmJvYlvAl9q#0kc*GCB;Og!k1uAt^!nhPGv5$e$2pV ztCN4pUq>uQzW{sV$Fr$*r2OjNq^m#dqf0Fu!8kXYrDVnb+?Omen{qSjh=c-8zipY$ z|I2BFnVpWjJT^gxp#H|0PnJp@zYy3B9G|-H8Au$2rw=_oJK95f@*v#{$}A=@BAKFE zAoW4st^cg98n-bmUT(zmIpBIy34cC*GY6&Wec_s_mxDDo8lme`Yb*?-8>L#=KI8}bWj=_b&N>Fbqb zmC0$@ITns6k_$TDK=c)CQ7H+0b&QuCOM;!P2z=P8c&xk#yFHr$(j2YrMwkDr+gR|G zMQFS_MPj$9Bd!&szQwTXAchJbmselEl!zcvvU%38^!7bDrRd$}iqF{J=mJ^aX&Orc zsL;w*>t#rk_#o~(uGqAc;n_VK?W(K$UIw~{cLP}sw(UeUVn}EhA7NP>Pd4v=Wr(yo zNA)or)*Des`ASC~up-g_X>1p~$a`iKEKw0y@mPpk`qt+DA>A^xJgj%^hqarBKi8kw z|Djv_V-#R~*l=ar*BklutG|xxb?YJ7hxF?7=OGDqdy7lK?Zn&rw*`ZabJ)|A-A-*1dQPP63|*nEe3-E#hf^ z({0np-0M5AkN!@IQ8P+_-*+l_u#mW zDAo%+5U;e3ez9ja?74Tay7C1w)L$)QFLk+8u_+m)aI$sFQ>0x^-=*JRAkB&>x12@; zOr}5gni!B~WY&o0e2HbH#SH?=eR8kW82Q!y4_si}diOX41#Da>&JIkm5y*{`wP(q0 zW&|4|`}3bYpNrm}N(BeUc6j4dy+6I2vXAlOzV48RC?JrUTbOcD}>P2To0_qcRY=QLbeq2RH;m34~OdkJG`Mwj|(R!3NeWULb z|EyGOSV2)pBJ;reDPT%cAqijl@rIsrA-o_pYaV*YlmiLU&JOmfpsCQ6)=x~t&f=Oq zm+1g5=zM$=5?Bg!8a}^C92{C!)~z(-eI%>n587y&%EJ-V45i8HW1LV*)SHN!z3KVXfRpsq>z&b-V&m`~ulbLu0ZRmjTt*!ecLPtnN>}RG&GQU;YD1|E zXP4QL=3|Pww-GyBt8}1Y_j?KYeG@F1$vtN;$Amj?K#H)Jg7DID#ZJ}e7qfl$zOj5m z?@A}vo7695H17Y=Qk97e=}jz z{gs-KJJgp5Zfiuw#<5fa=TXqej6D7p`Y8QNcJ^JZ$`cCs_zvSquuz=8M@fW03tUMg z)qkb;bANKDK12sBdrnR_NF{i-&gV)h=aU=jbf5P(<@4T55_#T3t_GL}y7t6Tm{hIn z>_+G#mYTW7_9XL-{WqUc61RKLI@TflBAA7*VidA6c`sQz}ReK~S z>IKT@+3||#A^!-P^0S$~Z_2aKi2>sM?&c{|nc2*CoC7sYO3(pZl%Dwg)_%N|ubh5# za!GYJkL5lWSuQ@d5X^b@;3OOq(OCt59j3P>>mhr}U%p*Qu-zGKq1<%H;eSBrNi zJ-ENZrqc#y6AFDiRA5?!d$LGE%C+UckjeT$uU?4HaZd>OD_EAvOk6@kv-O%^Z-J-0 z?mzLIW2t!es9QQ&%uF)0so5lHc4>owIbjsRqv!IYSJxeL<9JFuSo+j%UI{0$F5q`j zL8L;rfJ8R~*_>u$I!8}>${kDUR z)|A6Nfi!^x$>mM2dEZ@F{JzZRuE-9`X-@a*RH`tjLQxPW_7^xBTE^lkL(dTb(_XOr zzq*EQ305*kx|COZu<(`a9A0SlV<09WGnlzru(cUfS;x)F`(Y*Wke=S~Jmj-~$my*( zp=y=H;nW~@{Z$E2sZy?l*r;1bybL|?khin5Yme#{vpPWGR91$M(6X{(!F^@hxl%9f zk-HqMQ1ny;nPAt{2(13CqhQsp31O|1dNBKkGl+Z~Ju<$dN%R4lWFUSMROJShBe+9Z zBX^)|R3Rbs1WX*6`sOj08V*$b%D!rVaL@{wqN+=02=O?2_r!s>%$6F1ejE`5vlPY8 zu}~pDOB-3v*LB+IqvB%*s7K2Vk+k>kU-56uGV$PPrx zi*KLy49uj>&`O^0D!=5t9#B3UT+xVpkAmWEsUeL0cfCSvN@{Cv<@y%XbYFYa#haNS zgSq+h=nC`vz9h0&i1BZRKtNAqq-X~XP+|R{s_(0l$poO71lJv&O;NX-nOD;(j?8KP zAtApqdyA22C=yqwd(C-E#61K;n=SMQkSRXw5vGInRPjuL2CI$Md$N7kcV$r;lwC$j@%W*z5kMy7;J$g;7`k`u}1| z%8ax^$pe>eFD~iJ$B!bwsYE^I@zg(j*MfpT#$VX6iH8c&_r^6)5Kx~ZJI_1ri@koC zt5jeJ=XdDY{ZVEsY6q}KE3SYYw3c@M4qD8|r9F`-y-5vW^qHN&vHIHFalheOjSS## z(+gJ$%ZY4a%@?Qf4IcZfNG!Teq}C>1%Z)_9Jm=s;uz95I+iRC}?b(AdCh*1DXy*Nl z`u-!NKTSRC>VTFY ztc9dWBk%`j(&A_SZd81mMtz}I_cne7F_fR5HJCS5g)Z`es%d3>W}w{)SV;zxi_WI~ z7rbT(Hh-_7y@`a&n020zz=3Wc&M?URvP+}P^U!f|jktu}h1aHCbmJy>$VJh0f2#c| z(DxWB(7YY2^K(9`7iB10mF_R!1f1%t_!1m20B!ESB>PGicmt05ts!fjTVKnL=P~=; zpB2oJQrKH?Yn7OkdL380BL`l%x!sJ{jzvn<2M!aGlc`w~$J6cN#;32LiHouR0hQCM z+Kg~*+vFFOzOexVcNvP8J1&#c`7K%+M#A1tv~S*KvB8UaBl2s4~-KKxhgnoh_=l_wS zd?Wp(sPR>v9mws`pyL;yxv!QI{+#J;r*Q~~kWdiuOzvCRD@vNX6f*$(u4|6}s;iDj z8mNjLD7L;z`RgAX*j7jOT$OZSqTI^28eP44WA<)L-1i4u%;dr~S;vV#olfrv)nK;x z{hP@lQxml;r-53TuW=9JfTdKz{MNZl1{2BUPD9!?jPMc1!ClRTW#efzxXy zjba4Ibqt65T@Vjs4!o{NQ6`yeu){!RabUs_%WLH|b&lWskU%B2Q-me-GU)-JuuHiN zF8-PAiBn=r+&@-ZhH4$ysw%Aln$L%u+WT-Ib4pEjrHc6;`$M*~bx*ba@o_ZSZ|cIC z9E{V0y}uTSz7riH#u#jOS7-g!%_Z3M>N<8*bzFlbl$7o#o+SE3syc$j-MwzDgW#F$$O08ikn=e+N~fmqJSII%yY z2_l=KGHmT_ZEm|^s!&+NWn=$zmecL*fCOmbt)K=>J6vs8d%a?&b&7le=rDG>L#z=c zY`$4pp{qbo*Qz=G6)c0QLfQ0^=_rl9z~~nBtp~SWm5>^?Hv*z$@qPYdgaf*gyXmUy zsC%{I+RC-cda$s$hRyqpNy0B*zL-uGQ0=X#zT$s>RLct!i?D!$&t)}6;Whs&6*8Dv zAcl-Cs~@z>b^d9NQ*6;JXZ;@K)o6n7`gHrR;r4mo6P0(2O!9XS#AHkv=LoNmt=IaX zQiBXai80xBWm-HafsY8bY=ysLcZ-YdpxnQO*m1`P^M;%Uo+2$PKT=auRj}{F>)!v| zh34k|<=CA#$_n`%{{m0NBK<#FF|o0YsR>LVv_G7hDeR9<%yw~cX;17HTi<$+nVHEX zjALdVMgZ2bO+jOw+#wxBBO46BdJ6`-qM?FpQ?9@-a+jRW=dAchQ{W>V)MEFMXJ)Ux z47doEW)j4F_7LITavIjT_Pk{cBy01~zJO!9Kdjd+r5*`F%bf$4EYa;BFNQrcB; z_Ovef4I!8n&2q@LWz*PBXDCD#n8X#ws=J%`g zE&Ef+Ob(~n4f@EJR&nE#$neNK^T9+G-T0BO|7pBeOz&N#@r`5lzQMoG)M!y+z7x~1 zir{{u`fJmZKIv$x^z(@rt;m~GwU*lH$L4A!KG4dQ)4lhpQXXx+8s9sy04pr~_C=y^ za%~-Vmn?z&+Debv&2t+5ohMIJjL0HR$)yRNALbCSyS=~$wD!x`K0c<}W8R?85x(zV zl1#S@aKuGiLz^)oi6-4%&-H^k*r56Ta~Fo>j*v+UO*Os~iKLB!ZDdZhiUfdCX&3k) zs`D=XMymRsEIi!q;DkT&0QmSR!_jd^I)W9gfA@761NVGNIfQkD0VHsee=aDrrfxsI1FZL|E`g>2s!-n71v^)=*5Y z{XB$6FAPcRFTghnKNnCVdr)$e)68rEKaZ)XnT2iwbQj^m`xmxDD2ZlEj#)IQH$b>(IlWAWsTvQd57Gqyy{e zZsRlV=z9YSpCTC}T1truaW2!@r8F(`&TM2r8Y#@D{?2X~n@;uA>mNfs%Ci$l21E+<_sv*s?Cm+ZuJXZ9Eh!^6S)Ttt zv8!xac)Yo*3qM_kpfiG!H<)zT+sEg7O6Fd4{}bsbhEMCNOf)-xI00x&mSt)Y7m2H2 zbTO>3`g=KzKAYDq zHXMFO#xU4#5}RFfFQz5^&T|shW#`HR6I`%3`Bmxj;us(1z-tu2)l;(7){ilh(hwZ zGcryA<^vjZ+wdTlXZv!9Kh?*9@e2Mk>mw?Goe~EYoZQ?WAwf-iJS86B@Be$^L$VTW z9W1l7hl^XTZden?&)ZE+A}?r}Zw5G&yk+;wHd9Lv(|bH}tyEx$y`__?CjUlU5cg6V z;(~DoQtPFf+m=ozY{#=&ZN7=+w)ZL^DVD)TIqp13LgKrmy?5tRS#zS+855LZ(`H$& z0v+PHZ^e8Lrz9S^Z%~_=T>>ub<)3`mawt2?=bQFzojr(LA)crVC<7<1)341OOv9Ts zftJfsrq_PLh(@klpa?CtCYQ=Xk{&c;F@6I9g^)to4>~z*58s>4EDAZMSlSI_H*J#i zRUGCAH?HvwX=x8Owmu?_P=RIvd#nJEjDC4PMo*)f_%leD{4V`n7CgL&AHdKd<~5_l zC}nWjV*!lYQ;rziQ10DC+#@P!nWkXsOOxb9!eYQWOy{qi(&B9?ViPAX&=R1Ct>TMr zE7P}|LQbTAwd?lmbggp6iPp#@k+0P0#<P2Vwlo9dDm>zq>)bf<2w(__m5w?%xONo~wV@oZROf|3DIiEAB!Ad}YH&JfB(cO4D>83v0UG^*>s#bPHPOO13WUiZAB=5FepN!@l;a6I5$2T@`&)zR#8Kwj#X* z7SW{0;Ti?9WV6$s+cZiHJ|C!5z3Y5AMdwp_T`zmuTe`hvni9s#4=bDx>E3k z0FR5Kj1rjW!OxnnB_N(TZ4&u|m4sPP;hQ;J;ClOl0v`Ey(`=tbUJQwZ>rPF)nU40O zmBwfLgj(;xu%IAjwD{fITjG|m=NC6UmsY$>OBiloSa}1iBBdg=Sa2x|h_xsbez!Vv zwxyUfu-jTqpu4*`dS$;H1U_MGtzP6Sgwt6tIy;o@H2gCGo?yVdD* zmf^ga8|Pt?Z{lX|Z18SH*+^~hO%#53j*M7HY%=|wGm`UNxqV`A%+oUT;OY9r(DD^M zuA=dugI32}%huKL9E{1iZw7`0ZH783A|fk^j)2fpIl%M-)z|Cq{@Otil-g z+{*f}wfr6}4F{oXh_Dooy*O8aDltOg=erx)b$FlN(dB;|+}prQ|16-|*o4XZWTP-w zNvk?+cy;>Gf;D;Ak;{9BHt67i7yCW1>POi(3H=<`hPddLX7Bo8st-`;)D}*)9{iylN__un!&Sifj0W65 zKSHwA2sZ_@9@lM%6CYjMZk&*lp~9Nl+4ho_w?3)9S#kO`B0h-pa4K#32)c-^C+sK) z1PECSKyeu(>`4bKeSKr&0O0!nfFOcsyck|D6h zu?R+jK-q6(FO%}>hT-!g<=X17=wF3%4m-D&Syj4Tziz1(3ZWQhz*M|!JTC6I&V9w- z3tW-qUeZ8n+Ds%x4-w!?cg!QJSoVTC^036DvhhsS9?1~_E*}NrL2fZF$n-x|=#iF} z_h*aCJfx#HoR7HeL`50`djq>kEAjiSQBtpU59{e=A4q6-D@R*fPe03&Gk>b^NK722O>F#h(n^wTc(yj-KEgx@A)zfq*-u$c0IB!$v zK>Xw_4cH3bf=2c@8v2T@9K908?d$w~{1?KWFdqWV<>(%*lziLloaaqMM`UpuOwE9? zF{$_W0d7Rp3l?1Z7bHxiIb&V=s}(fRdWw*N;u(!n#}7%Zf@{fcG_QcMK5`pTWHuoJ z+2BjzvB+|Zb5!K62ehx;L)~Es=a4!4+$g!|3YMhv%2*jmFuuRr6IqXyoS6sN?dpL2 zEhMK+%>>Yao5JV8txzd(S!huOuH;~m++(nQ+m*miC@v-U3zS9*4c6R|W;Z=-G|+{A zR)b?cH?jk{x6~b6kT9Mlr11kh4!D_&lYL&>l&$qq`5os+?k&zQ;Msz|&a1d`SgfhJ z&#o`T`*@+bjKohV-Jhox>D&Nzn1u5om4QJRfv>M7>}%M-+%`Cwr6gS`DpYMI0anXg zrKkW30y^Ldf8@6~Nx1XC4YWR#nwDUu6mmGw%;yb^)?fGCm5`LoowTJt`|i!97@M-v zSEE|0SgGimem?-!cOT>^km;n#y0&b~K=t?pR_|bYN-^Ei1<7azXq4SGHd6>4pf-d4 zl0%IKXoCflG520sBMA`#W5FYU^%#sbi6U<^Bp+^pz83}z*yG~u-))uhh3ttVLzXh} zpRXeVxVlQ;^+bHOx9|p ze!}zr98L>?V9_C)GupA}(y1avkIMV(3OaP)ojc>L6-1}ChYJ!xniM>jI9OzJ&5rO2 zEX9+;Qq?}rJW;!phin~v<(1d#wi~wl3Pam0ETzdRe++D`h83LgBqXk@%H}uA{xt8N z+B4t5NI(ud#`srADOw&}DogtJ*+@wK?#e;o;Kt$VdWaOJxpX0X9t?n<1W$B@3#!*_ zdjc9tNb!v$N{3WTOibS}yq=$(`wLXLjVridXY%yh&2@3F-)?e^;Y7F$YJK;meAhhh z%$`k+#1wasrMjv;&}|Y@rIEt2s5^&h0C*g%^@j zlr{5v7l79bB{gbWN&2Fu=)=?=+_MiZfXx7r=LvUr&O1x90B5rn%GvYz@rF6#pr8vF zKBSu(;oh$T)@cuy2TdY!4+N#78KagjT1Dqi1NCd&i308|QPjIyI~V~|Y5~xy#m+cX zAFeLRq<&D|A>CqV7T36)hd;<{aaJGCveVFtBFPnu4eV5+Qq9%I=n>4iw_Gbcx2T^T zq;hb!`uce`{ycu8)pFq(URC9Ea$5+-H{a$woMWXqGkI(5R_l6=3n)){z47HYmzU7@ zf;KHNz<%bKCu`rJdIr-vFdDrpw?vVK%jfT3KjO*KlcAlP;W)#_{U4k}y6~WNJZX3| zu^+Bo@qRmPd=>sJ*k)sRYYMnRd5!Azww%6B6ggwVR4FecEwb7rM%>;gMekDMM^Jx; zyC^)f@`*tZP=0t)ZMkY*zPcT#9!-A(;b^53o80`+6aBxbj=F?k(%DDYSCK6|nPqt; z*DQaJO=B4;Pzp)p!Z46ky9Wh2qoEh%Qi&WmhRnF%j2jHxE(q4?BqT_D?4tY`_S1QX z%}2JjiNYe7cOE>z_t`TMH&I9BDGNt}4ItdY1rkQ9uVV_v6W23Sw<~fcd8wZGwe9a$ z^87CPbwYO$3SP>RIQ`h>kX-W=CWIm{20J^bZb(N7Izr8*#jCIJ3>N0~f7p06)D0IW zgVHH__9FU!Z~<1YM++6$sA)h-7EhOQt$sb8xOLF`KQwnCD`=O4P8jfLQnqT)&~y`1 zeevfYT3`m*kc>^O8 zPz*GRK0#w=Pf}>)VKX1G^{uY{F8v)iIee~Hi~u`5@Qb8_$|DFMO_h%SOg6yXJ4+BE zK`4~Hcm}BAWBEtlkxof4VFQ_CCTOv?NAp(Jf-(By;cL(~sGd@$q#A+)zho_jN3a`D zbwA*-G2g#4=BKYO<&N-q?vg^s3Ct}ifKPUZf`Y=Cog2hF%_}`9Ad5nWf*!%Ojg3G? z%ZrxWC*0i6{(}X!X?5UsXP)(x1p%(fV==W$~ zFcfHqYGV?FPUGh1=k0*=ck9-j?*4$p?Yb056sbf6VoPfT33uWz`{0mn?k{Lzw?(W?xmnqcaf17 z(J;|R&V-~{dfb?J+zTN-A{#|U($QW%KI=A15NkoRbkBajaHTUcw-QO|Io(_OWtD`= zxD=^rT>13zxxo(L+R(ht(k_mdzJl+(gN`P)xuT&`un6ozX)$^EI@U+tjpG{Gv9)tl3Y_SO zXX0;ae5$u}-46qMpkdmc#1`7>LXCU*A^*ezohCJ9j=#22h)Fz6^_mvKtjw!dO&}Cd z%$L4h#bd$H+k=y>bA2E8l0!n^HY#doxCdjBpUv+s)oD;Iy-Z9m_XwBwUv@t-*Piy4 z>I@9OvnEUltqMF<^9rQ2iBTq;aOyX7h@9>6kz$`SEK)W|UJJt#zkX$y6vR|x~ZqB!c=umDK{N?2B7ef(AKU6QH6Eg^Dju%5{QhP z2ric6&hbb{=%8mx@ZY6G-+t=Tealp!!-bc<705j)YOrwO?>42Y$-H@8mQz%m%Z&7x zx1#mA5DrbMeL$W-hWuXawyO`F?LY^lY|KoEJWs{ao;_yx-Svn97nlTulG1yfB4X}9nNDa@PY_p6SJ$ThJs=np!>VE-ke~pN~zKHY}`O=Qt=-9w(s&8_!2tg@`KEP-Q;jk=asa^h%W`jeN57 z-dk$#GuI*W*++2cA|sVP{A*I}Phau3xl+scAUGbjZDU;Z;rc)7JD})?o8Vp+9sC}R z;9G>-Pe^8TRFyDs!T4q2pgl!+;%Mf}w{IibzZcdb?-Z~Z{c0l9fU=jabhs?$UwG}8 zVbohsJ3qFsZoc-o6TsB8V@(j}y`PFKL0%i6TGD#sG!?wXEI(9^iWtp&Y@NxRoIEFn z)_pAx$^P$Ryp?o!>XfeV#FG=wA)8HVt?J`%^d>P$iqX_G1B>eZrLh11NAuR;6fDHl zoaT55yZhJxnZ-4C=zCF@`@Xp!#J)0ng9cHCe#mcRkB~7?d^euqjmd2brfy-x3s;~t zn~pf+B;KlP1kT2+=QW1z9qnHb*ML+d!m3@%swZhts9Oj63RjSZWQU0WCJ03Ob&9K)0i}D79GM&qD+^fe1Wf5zsckc>j}^_mc+E zf}lzCdwDf8mtZ$BvOl@6xlmz6V#pVOpgWmYIhl$VWSc_|g$a-u3GE6WswbaIPr z42X;_ji7JesOv|B_&moWy?&Z#aCzQ8TO0Vs{yB1(XQjvXkx-xd#^HGy?x==I8cey+ za`35W4^{N`d%n}S!etV&{d?w^>u^J5VWfX>==yeJ?ubo$6gMXf6=xq`+O^MTgJynOEB*%02nMAY9o8V z9Tec_&uZ}8+CNwqz2kY^cA{;+ve<7WRJ-seq}wwmH5jH$ewh&Y;ApMWTCMyO=5g>X zbwvD_ncZ~@I@>!I8#s2GrFsfPyY^^$lN2pImkY^JtM35lb`t?`|y#h+?f zp5a2erP*MYIc)ljYUaFZ%l>+u!RDud&rrk4rA4=Y>&MHQtj-D>t&~#V)*+HWI|so} z`&n0$RZjjR@~jIU`m}`0#(5KIr@Hqi%B-;I0*R>WvhR}d{JdH8=FsiXy)}dq(TLYj zx?b|msGfWQCOOOPT~=C7KV{+N;!=p7sde+#6&~lbTfYfpl;q)l?sr}9CqrHB8XYi~ zjn^CkuLROtmM;G2MLWUEWMt;OMA4+#=Zp>ZLAp z($UNrS66%el85g1+qQnQk;Mg>CwMo|A9S<82LT=T80W)m9Ng%1glGq`5<=egZu4Nf zr@#MP<4ezrByau1Y5#d2j{YJS-GhUJ9nbqsyZfQec*HNSwAIS8)X|vGWpk=p$O`q1 z-n{xaNwQOW5M=qi%hpl}L&lz#u%Mx9%I_KCmDZw9dNupP9hDoi1NrJsdY;cToVZTy zjnbT_K54{S4Ah>9-km#0&#ZOBlcRhsW3JXATOU78k%i#hu3xH{5i}0X$$$N@zBy{k z+DWgfRZk{ka4b8rX7W$*?O?KDHD!i+ccS0GSgGDxc%CT4zc#=4^vk@@4UIZ$!8W;g zqsf?OdD^9zl8VHW4P>ASH*Q(aui6wqm|Bmr=~g5z1!m$B5VXu2ZLE!FbK}MPWo=KS zn7K2vbeRp;5XnSYH9D(!!r%wsV)y_!go@zdAz1_Xz3ykF`p9|g*RKkMm(?L)`}63f zEL+)9QFlP+a{Br<+#K1E=4J}9{YYX6HdH;|Qz>Wb^=BV+-aELBc=n9Cs)piChxeSh zOZSDdJ^T7d{e^%F>GsXff8zgWP5HLju_cPQ{uysr{yIH$%S(@RC`C3`Z*;vR^x0*& zW9=hb(IQ;+O4>Zl?VAs;oom^2SN#3xtp(L`lu^@oxs#>J1J)gRZ0x~Zd!5Tng$w~! zobZ%q7#v1bxyC1h%b>Z=)bXnmw>G&%)s2V9hwfK{oN;H3kLBdLwC#@T6eEH;QS{}d zro4QpvF!Tp#K{;`h>vm(TRt|^^UZt2V$b2K6e@j$Mml|5ljaD(blE^SQq$6n)@jG5_ja@!Ipg!NFA3eP43nS2WZ`Yt%GcPU zS|8o2kq3hrMJ87%st2p%QJZ5WrhlvLk8c2eX>dAkhF>{Y_WJ(GlxKU$6sq&l1>N6V zl^-^RA;iQFr%+jS>wkqUk)ffZ)B9Pe<%~yX8lFd)>olB)LOYes)%D+l#7f1w5QpLJ0G60yw*9gI~=!qx6<=0^^7}9XD~6D zHuD|KCPa)2VE!H#5DyDE{5`Q-ZyWr5KZ?_%OaF+{b_G%eKK_aqM{~`v#n_K;&_GMT zpm#bIQD&-^L@2wlF*F314SS^Sxqo0_Dp((=uDRP!(&gAMHL@XBiV(>D1IbAlH zwYY5}Hm}9~ljxE~>tvpzf&;EZ@H#&YpBQ_t%fP@G83v zEF z&P4dH*1}p=2UAgohe?L^m`1D@N;VLMx((@e&1@UbI<~^RdpY0hf0#V_8O~y13>Y-> zj#n%EFt@z*^KC_OhGw`6G&6;FGaAOO&JP}kaBt`!t8C*nS+nV~`r(;}-Z-K%O?8JL z;3#%q@qj{^nBxbTVm~`Pj$+!{u8w)h39TFnu^KvI}LnsANp0*va3@v?q7cYAv zgmUiiW~()UkIUx8hFXJd?>2Q@W%Vw@>|-DoXTW*}5I+9uH0VTrY>>G@{a}rIsq&1- z8)rUgNBnt3+wWF(vtpuxe;yi|#CU|b-Q!c0PJ0|dnQYB5MLQVk?z-W>24b2MLt{!7 znUh4!tj9%MjwpL&N`^Wn^$ zAQ1IEw`0r8V_qFfPPhIx-hai;7@)Rwwl}h#|F%2qODbg|m)$BTL3$BR_&Y)2nRO(h z&LYDkoVE+Y6r?=cO%orUE%rvog|!4C^wsko{LN8$09$mMoas@V?w|KDBL!yi#VNOU z`3lT%hVpd3(^4i5Sqyx+5^pWto@KxJ`IE!2^z`Iyrhf75xP(fYYyf16tOr@6m}eT> z=iG<*zc#e4^tdDPdn`dn!)5<8L_Yk(Ba6GZ2+dw{ z-z9|^$@mOkQCGg$+ir6CL-wn>F$tjke2T5mhSF8bN}D-j_>0AzA?_ZIb)nl8M4`XueIiH&SyTs z$jqwO^?e*VLYZ<^Oh`j)+L+P@p=efVwN!S?cTYEH+^m|Kn!w5Pu12l%58X)vB*{<2 zf{t&=-H-$I;o0W2BNF`8aE9NPfra#xK_er}jmzTV9Gn8*LNnVkutadSOUk=9NuEUg z(6CoMz5SKlSb-CVx^qC{PGTV>7`@N7*>$NEC4Ii+##s;G2&dCIZ_Rm7{S+OaI#21y zOYeLVQJUtcg!YDpSipRX0Fs%hMq7-Z6`DG(Sl|_Bv6ef#h41y+=GUXXDnpbw%z~n# zcgzXfUi5ho962{uMzf{LK|#&=9efRqhQ->;h%R7Lc@GSDwFXCq>Hr3Y0eSHjW8^e=}m_3)x2stip6%}zr|0RIV|@Td6tT;5N_*%`1V3Q>B>F#T_v z&x25nBP~EkSJFRVyvQxzf=y6J;Gf-g(Yf;tzhwEta<{9Y{qGAbO!+nuLykPa0p@q} zyTfX=xHq_BySAEWUqbaRf`JGZcUiSl4)f{L{3HI1-j98`!QVkh4cB9?ET04-mPhDu z1uq*hC$J~&HyZ~UVyR>_`YKvKiE#Bc4K#c`*=a=F<~B3Y-nZ4K1N$n4JT6K2NNp$y z!tD|Lv~RT&xR`=IBs6m~ z=TCwL^?LNWp}1SEv-|7Qvj3teMjN%9NwVrBHi>za##v?cgLeAdf4*lL1&;iG<$Dt< zqVj&lLAT@QoQ^SVp5~BSZpVI5QJKHlWkQQ_Xudkdw_fh*>DP^CHJb^8DdYEKfd6G% z)9h37s_xMLuBRjfC!7R-7gmz|H&uMsaad`7Ha6%MuyW`uKeVLl4p8CFywxIdUSfXu zC225d!EOoPZu0=?C)tmC^4`XB$p&T8z2R=P)u@4~Dsf+3p=%EGcuo|J)7bW&MEHwc zm8E=*ptQ*GkgW+{uBMOnV35uHB^ILYDo7IEvoRz$v`5Vf>&*@`Skn#MM5Uda2W!n)=(@Tg@0tUyf13NW3DR9}Bauvl-ta>&me(V6QI7i+jXLLx zzs3xDzh;aISNEtZS#p+IPWp#=^jxn0&Y+UfEO3rP#cDxsp{vQXC_MGjxN6xwU9*9k zSTgt71kpgd*s4OoKs&M4nbVN&JnJD+e}BJTn^qV(MTTbu*WTXVTTxM)$x#SLu`~@U zHy@7l#}6^6?Zd&w{#xk!gsAdSl2xN>iRoY{{p9qAni)?C4VU(x^?s+Pj&$@PGjt_I ztSh>yP*?+YecloBpf%K5tB5=rCT5EXhQY8v`@jPIPo7xtZEk-4_y_XW;A(L%JHnJ( z(qy#6@NeG(U?d4;Tj+qK>yqE*0qkAV1uKG8^}W21%|2YA3~!XCX)H)1dNgBJj>+(kiQY_!oA*{vzYb?I>To;Omo zjrCXHpcGDS`JB7pTv!9a0AE;kti%ojZDaU(NC2CisWRLyO7K>G2z82>T!ljDt=d&Z zmfM*g$>+W>iXUi5U%o{5#zgL@dzg$C$=G8ruP+r3ncai>KbNnlc53%dCQg;n>5?&b zwo}=>r<9-;36d54S0nLy;-`f3V#kML%3E4Qpw5GWs1*iTNLP*n#gklBdd)~#u+3Ha ztD4HvR(KEY#_uJrHeobcxw>GKj^*x!6PS@{L@!>vJ;%6CcDR-ouFE2=QivN$pmBhp zjFyp6+c;JgY<~5sfqpn-qt`N}uNtL+xj9*?dQ~CQi;n$L);oLDjat2EOt}tANa&ko ze6RJGNnq3f#gAXmy}9npM4;p~d3>*}<=;^5PBDpN=L|}SBPS46&C?w)IVj`PD=I`B zhm5SOiN+z7W|K+nBB7^|bzp=Rpk}Y^A@Il0JouDZr_1(eC3=|F%5mrXZ5nJ_oTOvV z_jkK@N%?@IO+`&Tw=>v-z3gA;;|L8SWHPJVIXDZ@f0sKYg0_nC&9Aq zvxP#|`{-q<4cU}$Gz#!-!!yD8io%^BC78wcHJ?XB)%YQa` zUxS566q^TEV$?O|+-aU{udEx%JM}8PuLqCUhx<#6As(b1^nQQb_kKp3=bs=MQc7NZ z8_9K-9X(UMctuVgY8PX_x6+VlyEB0M8HDhRZaoR@WuDMDiVkx08G^tE2}-xuK@-=X zt&d{Y)fKZ{;QhT~ ziW;6%BI3IH%}rykw~SDRLbrQ0-TtY6A}8|Nk?%wz7Pw&^E&J6U5!n6xNJk*Zbrc5^ zR~YaC;R92K&|B7%syfCNZ~q>gT*|SKEcqGguPtXowj%!A&{SXx+d=lx!uhlh@r$}G=d-ko$5@0B7Ezhy9JEvjnXijp><0XlTG+g zmJ{W4!2T0hj=8c2a3(jjaFYQU0@$+NK*S|iMO`1si_Yq?r=>-O9^li$yf&Mg8-x?m zC?uoDlvU0FhRHsH?{u`DJK_v(h}Et~?Cnq@t*}j#Y<8T(dFM8reD8EqUwy; zQoK(3RfKdGaFyK?3h$0?c^IetmfmGxjD$lKF|(BIOyw)4$1puFlv0}p7uZ{-H_<6- zcVE|5bK#HWqZThSWI$4wYUXd}jQHopp3WeznTP4;HCw@_!dCaJ(j`qwfY~ z&r;VOk;(e(!zBsX;#xApUQIE3TmIMQhv|6u_;SE#I=X%P@4!^-tRaIz!&tq?g$wqJ z!qDTnyU=zbrk(9GzEt2VHZ`}h7*^1A8PvHU^byU7 zSm~31yH`f9Mler=!CQOrK%yy0D58}=>ejy8=pyYeUkxm~?oj?W7obcEz9b**-S_#&Fl3yj;C!+nTJ7FbCu&{qv_c4Fb+D%cDoEC$2dxCIX2jW@g{R(kSMh{DO@nI2c*}Rw(pW z)c}mK$gnfnpsDKS`DX|(G2(ltdwy2Gb2rmCg1naFpUVpWc(J|`&%~`w+K6WT(OWb3 z+}r(6OOG|*|6ES$MqpCA`60vHiTDATF>6BiN!?4n8}Iy+aFu9Njo5W@bbRY)b=*Dq z8m2&e9_P=`M5P9)0<>wGRmgOON>hkfRitRcU!~35a4<8c>YT})o}Opg)s}V-9lp9x z+SGe|vYq1wiUg*9riA-fKMzG>JS(1f?i)0jJDKJx2bGBpDx`}zW8E1@8(cW5x^Fk` z?Ssevwnvu-jaca2A5xyiD z>Kp0MK(pu`CsYc@^4r`JmMtjk`3xaY`L`J`iC430;f~Cy63=2gOJi43!UYS8k5Vd; zT4x>I)qtS4vP<3SzMtPjbP~m)GC1CT>$Ag7und(4jLskJiL?}+iMT)Lma4rAa3f$7 z{J%(2{y46QB&&*zRT`JYkeOdt$W-B5 z>c6aHHYiCJDHZ=%v)#zGLmPWgE2yQ#n50dzTl-0>oI6nrL!iS6xvGplMLPFoW%Fms zfOOwNrk<2@QzDPKFSVLPdrzO7{ZcsyAIuUK5)bc_Tu9t#?&QeP*!Y^3#szptrm;7a z_T9tEcQxF@1%>VRU(fJzfmO-ZXxsuh&jCnTkKOGhqV*LPrr;|l2aQ8(t=zcY%`1|W zWUz0&QJYP9?3-plf*$0f(8~u>J_O|CwI)N+^~IhsH-aghKrxT9;9=tQ*>>#ifj#2 zf2W|wsJYlM8l}^AZEa24AUwWD8r^JWyQTJ9t8F&9>FVF@?R?doQe*H{;yx|aB3!TGO}QjABKd&2Ya4JACQ zKsFyplZZ$qiU=NR8vjf+Q8;-sr_1I}NwvrBA#(Hev0$p={*!G>6Qv9!Z)pL&>j{aH ztF-%;x5+rIt{*I*DAgyu(O%A}{JWn!`df*gisXgPee{52;pwlHF=FAFzRT?t`JKH5 z-6n4eZ?m&z#bX2&-@$GqXcp2Uyef@DlrpJ#Y1yJY1t)(UemirLBzEBFP;NiH#E?)MCg<k9P-Wg^nLEG3@d+-=;EbtMx0byE4hD^eTBG)^KVgk{zu)_^z5oHgK zk&q?d=^B^dv?CC|nTh+Yn8FM*SkA{PB6%#`jtE-clje<_>4I1y_&c8w6Zpv0;X*vXpd zT?_tUVa6kW7y#!n=#eypJ&8)G1y4Qc&aiC@B-N!!r=Uy5Rw9c1V;r1rP!+B9<#9D{ zJv>-8e-1}y26$O1^hc@jbIDU(XI1(10G*xllrN9L;})ay6di;drmL;6Z;rc!!up-b z^%DkYSa!J`@PSNJ9Ksc6+h2D~!N3q`6|(Y+$^kt~S>l?70`FwU-*{TRVvIm={N z|8Rnn6((ilEExD|g*7z=n%(}`1kJq_5kYu$G3ysCgCuNI!1gv(>#G!GdG0_tEJJs8 zEL~lZM_a<%Q_-^F0;-e*rntQcZ+qQ!ji!?X++4V{VJ@m~q(TgNL=$W)5y++YA3j8o z`42a@BlX_ajaGD;&6J_6$X?ZPH^0>ZoahugW7JY}0SFeqX@TmA|_Ns1v z2AHz0V5xJN74I(^@2|yDNk;XyX}g``;WXzsbs9tPAk4q=#YIR>O)dM!=FgFly`T)f zpUPug<2O7+!ecJr35-K#a+(kXdRY(GPIf}CKFct-#C4>kqvKt^^FV{yykX7m>t9+U z)pgXWoC5SQ9El%fr3j|R-X8o*tcY4RD1_SeaIrUq|8S2CgqAF3LpvpQMqPXY9&m=e zW2Z#9=lz(3Bq%J63l2bRx}VC~mujh+RQ0r z4Os|%DxfUoHqy~GL5z8WN*tShI6BKaDW%~ar;mGJn}^u5Ik{_9dz>G7PFzd=WRswL z__U+7NLb#uuY?u>W`Q3EHce;(;xgK`V8VU&$J!zxdYYQTFPYql$7oL(c732hj!BCn+9){IeH|1CwJD_W9xJU%+8Mlp8;VA+Ud)?nd=OMi%>} zGF>CAOd@$~=#;{79i7!7{Sw{8i;DF7DaSjSo@i(vt3+K!avbX6_O)Iq(!WYqhcagq zOEgqR3)qVG_SZ0l%#VQwPxGv|yk1q68K)zEv9vsJxj^g?L{F3Aw%G9{*A_nbDKcs;YwT%4`5^H@Y-n)`4yAEKUqf?D1$ zniQIBL)LU%8=h^xhdO&A-A2rJu51sDHJ`;iO6T>s`ZDRh!)c`v@}g&`=`*Q%r*6m_ zmf+^4K6QQ(w_w>Vf$^_gSk%htcO`Bneg{S)3Q(QQvp29GK|qCHZXj?r{b7@bv#DPXqlE}$ivx1H)$U?%tBng(Q0DBqik%WYFdC=G9Ww|+tpzSoS z+c9*V3E329Lw`XiP!u**VP++;++KT!_|fVlmzW_BBD2%yN08xuiDxzHBT5@e)8+1G zqP=-rNV|JA8Ku|z&4YLxPQ=pc-n&dMp8-cb;ipxtgH}|^mn`6 zzN`-QkwJgLh7mL{o~UkI{8%10&}CWmTs-ui8VP|C$DXhLI!;8|-#We?KF5d3PcOfD zNhPbdepx^7em1H`M6E+)VD7`u%jFoApLmnWI=UOZaB!y-jiZBx5 z(N1<^76>`DlAG{0l*DfiUHh@hruB%4sSx~dS*$kSA5DcsFHoC?OVYGNc?kAy2htEb z%%X5IDGI=0e~$MXV~z~zBJ+K_EGRt$_ZsD<@Y zzIwgk_dc_u2RI$i;~YHAH2`ZDcxGh=+@;N{$lt&O0(2m{lvu+8!yVbzHbD#JPuxn^ z-EyyBP;O0j3R&&5yAM_C*53*4JIz0Eu3L#yaRhya#A$kZBDwuQ8jQ!R!wky9^`RW! zG`1dgICkUJC-*M8DAtSk`QnVG3c}B;O6`zmYEi}QV_=p%%e%e@werbf==YEIG>&Kc z6lGL2Wh?T^bZ2#3Qn7z5P?|~`U)cWD!a=TAd zrag+0pvv_}`~t=c>pSwU2_>5t4?xA$oB?Lr5(YDaySw-EW~;yX`ZD2kgh>wHFCBV_ z?%oS~Ow|Lo4Zolu1U>*DjRLjuzGbiac^!4`#n+q0Rwx=tFomkhJf*Zv_K<+**xmIPy_Lko*?kV0v-w@y?he(C4x(ck-kyiY$h^&Q?5_2hpX-?cZpVJVLwr z3rjp|3*}YsvRm%yK5apvnM2<(n^7}3>-J7yP`C$Z#C5@OJFqDo&o?RHS&=D|I!+0Q zx{vb&R9V+4oOMB)~M_6R1}Kd#i?T~kKqX{vxMh!9t&Q&W(JfR6TGAbO4TI_(RjIr z!xJPYTRBct(k6iIx+L`%-yh#}llMF%y;g2-v)?OkyMB(@R{OlEydAFIpdJY};Lf5t@OQ~&=2PG= ze#A8Nd_2D*VV-k!?MveMe{;M3L-6`9me&o_z&OKybH4u9&r^Td0;=;rer`-2xAkB2 zu>bX6?~}fLCT3XmKVJI&FOmQ6UphXS+HbpIvD)=a&f(Ypd`o+pts^5!4zifYm8i88 zYy{Xh1RAxjG#B5H^fVv8ps@D$xnUhgL40Gs@Myn3ZVx$y>n0G*xYo&NPgEm%LD}3E)h$@gDZKNQtipW-4IDETd-a8*bX4rJeG*n- zuHP28|K4MC@Ecfghcq5v++YA4;vd5bQjM2`MJjiu=UD-5S%B$t>iCFE!hir!Z1M0e z_R8TVhssZD$c2T4s-0ckgYrN-&DBSO$T!H(=1`#16feIoEX%p#b`KTR2EkKQ%c%rt zH6nlNZlY_2TqteGp_^@u^A+xmw~Xym`RWg(f-~OxkXJnY0_h=6mjs~cw;TalkJoq# zu}^95<}MNL1K<=B$Mzh$E9Ly@5p~Hx!tu5Qj;Bb_cR0pXA;t{=8B<)xF}X|GUc3;n zzVgDr>5OO@8+%uNntiz~pabx%|FaqIulM$EL-v-bbV3DUi~`DFl2Sm&1Z~>C>u*TB zH4HEni@*?E*nNExcw#f7{KtMeVyeO%_;1e;l+f(Qn3x@FEKfoC;R8l8Fi90ygz3TF z$Obko5C;rqogattjDu91((-iL+z8tjO zzy?Yz9w|Se5|;e~{!%M7`8qLtv;ghO*lS8l@qQj^ji}og2#W!*;Cy^nPFtB&w8vKRX)N-pGuAcFeY z-VzPyxZ?r)d-Zr&+n?<(H?*}e%5E*v_%(R`7|qntln%%y^FB(4M!r%pB%sQpRr_QR zn7oEZ`zn>fVlyf3gFTDwVc$w=msgdfLP$!9)GHHC47pa^Jb{|G%78mh^6QhjLXqPW zX1#);mj}RXqf=p#eXePdyQHzgU^6T58Sr-S*?$ukef&YyM90QNCjnGg+d8iYMXq;A zzgp`{kQ?8S$D-IqMMu9+`q)lB>fnn*FNcJR%EF*ok*0R{v-vR{gcONhUBNZZ)2IVF z$D2?ZeGt9qgYp*n@5Q_wzuS50h?JzJ0FmNWCzbD{@3`{IA4y4HMrKp;69Ng##=#Ai zXKkQ8@($^B#AT@oYLfOGXV7}S+M!VD&@~p!j0Oq(%}fRjW?9OapJ7v5*(}ghp63CT zM^i{F?ddCxRfhAm9(9+zl4t+2PVe1a!%b^Dspm7? zwr?E`+XYZ!U2s?ks>t(O=&NXf;WnHbPq{PeO=G}r-w~`&VEbc$oS$D~4T5iV40JOT za;HVwgR8#E{ml!9;V{TTaStbR{3#G{te<9u>uLVJkPyw~22KSH>;+%KYlv68>@MlR z1d`6%>7ZJJ_98UDsDL=RqJ~%E?GNjy5r5@UINL6pqR@3|nLMGtt3{e?-bxjp&q679 z=|O%jgA0zZEVfMk5And;$Ku<9!=YKFlZamv_ht|Zg#$m%K`u0=e1~#85MGyAyMx3p znYv?}&pS+zVx9Wlk5MIYWs~H{@iCej6i!+|wNxk9hCTd)X+%|;;cq!X4x*BZI65JJ z65{_T=bIio?EDxFqpP5$9zRf&+cf3=&wB*i#CAkn!^kLdAZ_%1b4yu{T*j}EV0udm z3YS`Oarn8#u%(}$pVEXaUZMq+X8$ws+GI9t5>0_pX;;^3W|wPC@s`cBFcZ6pmxwpj zWwseQXvjc5A-BIhbD*3xVv#booS!pfG4`ggLsiars5-`i4LdGlVdlZPAQ!!Kh6LSfp{+R)_*<-YzN=d zF-N@L$IZ-}s&tbvCGZQj=6xSp()?6Ca~efL(JTk?;p+kta@A68x6iV53{r?(%ny{6 z&e4c7PG>3-7K^Fe?N*uJ%3=$z_1XQFOa3TicO{d+PowS+-_DrOMM#i#K<0}|h zXW0>-qEN$Cm=0DE*xOjQOUN%1MSR|x3qH6{LV=A%Nz)mcl2fGB{tN&zhW?B`Tr8|? zkV(n4E0=iflk&b0`#2mX=VZbq6Pcpdt1RYFm`p7;n_}OHE*_ylW@|!Wciwd`O?0+j zb2>w=Dz0SUs#>5Cnon#N0v>%BQEh*GKefp8Eqq|r2Egd_i)MBY{br{I!lM%)xBJPL zCyD9E6*38$5^?Jc)1Y0N62v zPR22Sm_x!XVTqQ578g=o!&a!Z^3BGo)!=Js*UT{pKEl#?Q246iPu%XqM~{@SDbDIL z-ep#Hz}Dla7#2_QLy#yc_$^&Mv`qSr?b92^o40Br_ep~fEPaY$>F}R-Umwg?DJ;-9}e;d*kbpA)I%lsBS@50h_1_Elt1p93%?}fylKga~x0{fUW!4;)vY&h~!({ zjV^51ZT45$iD&loT9*ZepM1zHHE(qfBtBT2AFo-re~8`o?Vzc`B(Ax0q!^%c=$%(K z+tsJ)+=8bkBQiK23jCimDi(@x<|m8R^)o-*_xQeTWefh9?gRoc0tP`V$HOTgS`k}8 z&pov}WW7x+fFd`O@b#+@wQTi$nH|#}CVu5r#Wa3xD0!hx8{o=n;!~069PaP!G}qi;uib8&nZiK2n_9MYH z3GjX(uyPShDR$HPx_X+EEi=^v@9lYV2F;pg=~1C3+PzBQ*X!j6mI_60pRnh}_X1Qu zzGeTR{DY5&KOkh+m!=^j%+rr3;4aa-sb7GjthZaj8|Jy&lk5zXFJDH3VLa9u(@Uws zSA`(-d5lFMaaKezR@5z3j`tb)D2vKB>}jvjs1!qdnUzsaxJ(oyuh`iXeh<a9cL^ZE{#5`)cgO z8X9ytKMf>^_6h>QFWsbqP=PK=U42LBd-~Lk*!|_T0BQ|tEHr)6vGxDv0%WgT70vbL zoz)tQ$_j9^7cZE9B5&;#FffYP*Xz|m|6HYvl<|r$ElAh6flN13l^vx;B$_ofz+`b@ zb9m*C3tzHE*sHaTCV|$rwx8fvTBLuW!Js)jsu6HU8|P`)=&(SE z@*f@&9!ngs{fxrYVTt=sld4#MT9Dns4%RU>N={$t87zR**Zzm;&aggKD>{N92Z9ob zGF`SeZ{IE|%Ui5JeDDBKuR&Hr3t|pfal``6qUboE3t;kF|6pffG`Rk>ta4NL{Y{?g zhUi=OyMG7du#AI&kYrfI-a-tGq;yY)*@OhvI; zP{Zk@pWVryr%@%fJ;jB1`~mo6v0YT?iLbl;S}o%XFniw(6vjL9%skCwvYD}N3BvE1 zxwFj+yl2=|!^%zBl<4#SbNPx;Hs5jX&Z62%72uOxR_DAa;Fqd+Akuy<@cmQ;lR>@G z)>doXUwG)Z2GjW3PiTA!9LJq2?M-rV2-H|}gVH>?5NjgndOdh>_M_2w5Dw+Qxzy_0 z6+`g0K)q?3eZ}gR%xK;9$Pb6UE!_@vh}{q_s?~UPsEM6uB1d0L{ z9N4XWeVO6s~IVZI42!c=v!vLAwdfw7g6Juf#1Divr=0r>6#GqOBTX`xnKV%b6XwK<)l@z zq}Wd}a1xKNbCiOq36G`7BN$axoxk>^F#m&6jT1_=>?;sgS*>h;d&?Gb4r^W5DuRz6 zA^qeLBGUO|)m*k3+UE*XrDX5;iT0%h7pR`Pn*t6FM^I{TK^wJShbh8fa%>fWGFv?S_t6Bips;5DWDCBT07wwJ$DC6$VEGSOWiR zNF$Jps`UZdtggQP8>r{NW+Kkzd87p(4`SJqr+K2tb7e7IEBfIBCtH>xIOi{w?C?g) z>Ka;KHz>wAh_5#^Z@|IUYOX1Oj2`o@b-VFHrEAK>FN|o;;lc|>pvBcM?lofO(qBiA zcM-&$x*lAf(L#p>OsA=z(N_;xt(rlT15pnhdm)DS?7zL0xKar*2A*lwdV6|uHKLs8 zZJiTUI}x<;)p^5L)9Mszu(&v?qoC?Ucyc?@p%FXWuqUOClVbQT0(Erbo=}Ny#h@Yqy%a`A zVBVgYUz)W@p9ja06@r8cw2~R(OV*H+ZTPRiHwOZS`gjlf3sjWBIse`DWkrSK8Zud& zA$gRH({#Ez;=6ovRh5OoOJNUGF_=#L(aBR1v-r5J*WnP-OuGO9g5`=)gOoTp2YDl~892U3gE{^Gqj zmq&)72adWRXWl2n^3eRb$u1xw+@Gbcd97L#mZQRKHPjeFiO%PE zcq&l`Ap51603-@Y)Bli9`fi{%S}%{`bo|m^fQqB(_~8CwMfR&A_g;EXa(lLp1IHUf zU$0kOA^#`V=Ym~45Y{*zDcLlhk9RVTRLrD1pT*jms$+hh8mFiE$#Z8VpD#mbP-n^w zuPM8HuEbIf`^whY)o;Rn8^2$cm48{#e3n|j-SBsN z`_FQz?Ay)l?QM&~g^B6uX?on>k<_wIGp0=?% z(e4=~?{$aKT|r=T)9n7EN4Hs1ZV|BUe1)DtZRC}L=+nv)qrcU{*|6eyEYE^vzs>)( zSl-RR4}6p7aGSU!(1dv)ZwvqP?L7Y@FqDBV8IY#U|8 zmaTp}=~jU<@M~a4-!Q%=6JBNf>@D;%Qspyb3#_O3&z><_CT;TS|RF{~(QA+pq9$f=~O0 z!X_i8-N#ZE4+1}(-0VIPxCwfM&lOgd8=ah=-#ZXSFkW**-HMST3Nm-d8aQ1 z>9(?gTbka<)IiV+i5`CWb6_SgE3ES;KS-x7C!|u4J$^4?6+2JcADtAX{m8VUBF&UH z&7*R6x7r9gA>jv8@qs<}lg{b%-=hKO>fVU{_58>rU*3;1&e<<4H{X6gn$`S?_S{^o zKt+Hg{$M7CrIe&UoK8aUfw!vAnYG&9j^swCgjKA#SWH*Qc(ZqlB`~0snkdN4y0n&c z!|nSMD}#YK(UMA1ij|3j3AhF6W@|cN1Nw{JQWz4uaV?delaZ12B#a@Lf@EIDse)`& zlv0{+8wE_)arJx4ERViQZ>jzJS@)2`qC)=n>zN&QDiIN{2O2xfsiPmgAL6u0Ot5DD zx#=V8?{N{lL`OzO&e351R-_osXxlWzIZn;*Iy7W6kQOj$h0MxyAj}(wAEE=Sp45_Z z1h*I=GANf;WVaY^Y%07{(sKr0Ilo8gKVR`ExA?w-BnkzO{13I{C=U67rMQp{*ybxg z%RPIzHH`jF)DmlFjc`sn&v4_{xE)SHd7f? zmM0a(Jc!mO>49bAuKasBwHBQ`SA*Hw=v9_t|B$iLb!nKI1M#Pgj$77xosW#T83PG9 zezc&OW=^{1U!UyhA_1vXcP`ed#LoQTYj~cbIL)=I?MR_nAAa-*ZOCu~e;`AD^|$fn zL}lnEtVGh}@YmT*dIQw96>>jP)^komApi+mnnHU6;Y1BGSo-n1KYAYW?U+wX$BO+W zvtRDU)2wk}9$TWXxdChu(mPFnRRFsI?wwvRq#e58!NS7oA)0-*!#`?1=6P`kBTsWo zg2CGiqB~@vf-KX2%njpGfDuP;5};AbhYq{`hl9!zbx*mB9$ zPsArmxZY?yZWNWa*-AHfc?XHW)Ks;KH63J;svMmG&o1A9o(inqQZzRyJSV$OJBSXLl5$q(-v);tNPMl9APnvZY)dzd}gCjLy2CrEV>0#Pf@eOB%js8l|I?mdZF5Y;t zDKWKcP-!W}ty^!VYOQ}N&}<F#Rha>1XzQc@;2ZrBo+D9EI1Lgi zxY2ruXOq)$7&LO8<7D$#UC-OiIM(T2rB8G6T=`BGp&?D3I>$;T)P%CrgtScMeQQkX#w~0V!AgS+V|wJ9HL0VSRtxPHsUw!{W?UYbdR{ zKe$BMRf5EbFH^PRQ53UDEeaoB&4;7so#!0|+@TBuC{IbN`98RRU+03M`$}#BH`+PsM2+P3op0kc zC%;E*->_wc8IFdht(ZvT6jdMs75xw6CC61ph^1DK)0{CldQmQy*<7L=VQi}`% z2_``i@JL9gdqIq6($d)PmZYSAVOh}&&PA3Tw=1WGt(34rMu)u3REZeXZpqcTHR0}c zoD%MV$hAk6@5F1GMn+U&e|raGAWbR_s!u3`;`i>!4OHqv0fdw z^jAe@O<}TQaRV7pzJb>6misHp+Gf4nA7?zAoaFtS8wWEO0yh}IJd_GZF`$`mDQKF{ zDfIm{V)N((g*cR2>HXFt3p2B~zB>1;>TW*JhxGB2IPp?&b4MrZuV*g3;Ry$-&(5)~ z%t&zkz|{AjubzB&^?e^vbA(p^S~CbcUF1V_%wt?)vDfdXylt3*h}IR`zs$Dw{xR?C z+8|1iYwv=j=qU{Uht$7QY6=sH)k9W-;`{v*#nr9GxLJF;TXW}ULUM-QG`ELhk^1m_42nqk9Jzuc04{V3-}Emu|MEsIcC`<=oD2!$Y1f1^RU-7+oo#LJP2&$I9Y_kCCi#)q{V%iOv<5*rA-A=v zI`SuYieGw|)4lWmQhTeup43D%1l}jY*Rag|q}y>?PY2Ff>Mnt+xEEX1)f(D{hFDaz zfB8;YOE#Dze>FOTtK1A{%3|F~9Qlg#3D+VjjSkJ#WDcXsvE8|7tNFShsp=8^UdkGE}4ocanNnr{JNGz=alB4H}2jLC1mlx*@Gg@S?MxRoiLUMra#dVgaTfdo~N%bG4pskQ#$FxdqIo5e8|6Q%suP^<9yv;&RpEz_%ZpY~t1hq2Hm;xqlxJupp;a34Ld&{AOC;uD3ZPj)$tJUH?seJR^9QZ~ zqVoY0FJUdM$HmL^8PKOd?ffaBYykm`xL~~WJ4_BwYwEYVs>huYli45)68=K?v#(js zC$GMsuux(&4yPf~RuUz8=N_%5;LEbuY%>?>_4s5NShrp*5HO%*p5jX>`io183y z#J#-fKb@MLhFSWM$tvCQ$hbdFf+azhAvW$>55jjq?5C@v)78JQf_RKNagF7Oo81#8 z9f%hHCdq?$F%b;Q0C3Piu1U*q8q@jt`R0^cWDlR$V7Va=xIA$=%soSjVorzXu+S&E z1_MdvHXW;7bB`E}PO}3Z*GCg?$BxT#1{C}5HpCl zE(JwJsbC)p0Nd9Qh5#D%BF5t7T&?D4dT{CrsoDyy8=hp z5h9DeU7F2_B833@`8w?-O|`<(vWAh7XxhHsOWf7Ic1S zB4gpbc^CO!vC$g${z|8?xXYwo^S9Kd2+i)HrtjA^JU_V(cG~xYVa9c05gn}UeEh6@ zReS}#2WB{g(d>xDnAi`4BY1c*udhkKgq3`2lDoM**lN3h4cso<`@X0zq>csk)?5Vn z4n@77j1Xc!s>EUevD53<Jp&KI`IU#lja&DiO`OYnO7YC&d&*LqVD`Eac%qVIir z*C(*Jeu(|@XM}Qo9UHc{=-b`v8WJxr5hy;vy-ZKfHH*oS4%cUJsUnEMrPF&|vD0R5 zARzzdz|t=IthnVdA)z1y+m98SS47Lsxqx@5WIRj&@9VrK9`rA6uoB@eM|(F{9TSp@ z9@CkKW@(Z#GDh;>X&nRvfSAv{0djTcYich%PTv7mGNOcw__HjcO1Vc5+^EDVW`vX16!weutFYid!E7e)B?JY(AtEbqxJV3etcTRC#4 z%*)GTWT@jjOaU@b8<_I%fMeZ&Dls;87XVO*ZIX(+cD2XZet@b&z%NQWaceF;-To=7 zq2H6y&H+3S{J>+)qu07p^9m&Du=M%4@$~pNzAk18wRr64Enqw(PS6~m{opV$^8n2_ z%)8G$qi9%a)8%jkFK@Kt8~pQ#)IZcZquxVZB$ZlMpi{4SVsn69VtU2K=OX%a!uHv3 zMW9G7pbuw<%AbS`Ig9zDo5vJu?WsB+lSpLP)5F2p3AC`)nQ_JJ!b_JU0byBc#bic= zvg~|O`-7T_HTVm0mzgFRID%b}$2aK20FWn|WHW4D@8(>#dv23{n4^&$SAh{sV(4OP zE(H|}F){#+(HcHHSV8xe1w?1Qc|PY>X1UPxwb|5od*TOdwvrK6S(^HggR)O2bAPY= zY%5^vnBAbnQuSxp{^GzV&}m_myE)tzEldU?C_X9U{^K(j5j}(j_9@ zAl)E}(jbj=cSv_gN=r9Oy1V;~wZHS8`rh;NJJ)r7ZZ|B}ob#E_GsZpc(CK+z#yK*= z8Z|Ky)z_Z&q>~+?wSK;bM~MHn=q-0%FdvF7-O^tjLFx%ifyUMjPf%*0yiHTUVL%+F zf1GAbEjk-c8Qf~ZW#4ocee(tz?bHdoGa-VZN9d<$@cv0)OTkE1Eep#MgTZQ7%eidI z)8dSv)UPItm!{c9*xj)-d~}oP*_ho+U3fxpfvlFB-=G~C$_`T`oYujn3rT=ZzCTfw zirbE`F*|JlP`eDHrg3z9{&4I?eb!vktIQgiglm0n`&jleNC_ zu5FonQkSx|PXS*MFBx(8At$6#twja7!APVO@^mK`r4q$b#!-m)+yWt3mdRo`%3(>` zK8C|%Mo0heWEHOFtEP`#YYo#Ibc3uXg$RR)E_@%~z;x{ZoK^3Y>8S~3V+TgTfx>4{ zS_2mqsCeQBY~Sv$3U3Hx|8(Ax6%VJzhVMp8>kGTW&h$tEG>R{D1#tlr7peah9f*XQ z_BW^5r&|v>ruo5nCE@Si2jF~uTx@QeE=Ay5TAF4qOAq?+Ty-|DzBz+|`~g9J_d6}q zJrO`3k;@c(pLaBv`2Ie(4e_fyg2yWZDa7!@Fb)ZR*_81%Uy=!;ar{U2M$ie^f7D%X zyZ*K!k=zdy7IUu>NH(C()>;Q{655wS^0WRd*U7A>+7fXc@jADL`;bw}?8caa!LLq6 z3ymz3+rAxdIj--Zm#0O)|6^yzzP~;k4L)p{YtYz^mz%e)jacBbXknnDM$5kFk#=Xc zTt@+ZLC9mwCp*WxJS7%u`|7;`=>e^<*6Wq(>>=JC4LIFsm^k0#IFN2~|ZAk^C zAU*f>M!9eHbS(D<>(-rXgVC36idH+&eGNP%Q!?nZdGFwd4<~?Lufkv4b};a z^$9Vlmzo9AY>UrT#43RyVUFdDtNgDGbz|B-tfApU-mT47=W*D!$t4y8&lPhn%+#L#vBB#JV!&^GYm$C)$~GVR}Xk5tE>}NLcgu%C+C?wLY76Vr4x8OMFpFyq-Eemr?kTB zU^b9_$8RyPjm&_ZA$Ghc)3O+kNuQF8EP;uI4Jq=GB;a__4gtB4o~O3g*;e7cmpSg( zu;&v=Fwre3m8o7$8`^q5B+J9|*xmT|r~G%dZeC?^tZ`m)Q9qcSPpSLUhI9)}L4{T@ zU84uH&MwuTcMUR5;q>A-WC(f3=o8FfW~?tsf(*tQtvq{yq9=i?^YN-jZJ|#2Y5?Sh zoBn+zhEskx`O&AffLjA8TaG6Kn$mh9ZA-iU3J;ePEO98oA=V+yqPJp)rP8ttvf@fC zru=t8>!tqLi%L!0Vrct&dW84hF~z&4OTpwz= z9-PfIQCZ>Uio+R*Cs0+tX&jzR4PiBy68Efk=Z9@(ABaUx>ioK>y9Ky6Hhrv2&aZ}% zttL!^N8bMaPpPRnrD=bcZ?RgJw<+8XrRC)G9Icj)H|-L~3YH!*-hFJ-%qz4z zu6Ye~MM9Ufinp;m+31{EGFpYhP&Iy|DO-VNu#XGxW?TR(pYVVFw=_j$J6?1b!xFeR3GPNokSsHvm+!wEt;?4`>rPT609 zxafdKXWa`k!C`AHAvfykN(=zVAiji|?<{K;8;LViDT-8GHE$vCNU!c6U;!$xh?HqHZ$%EOoH={#T?ote-QA3L z)9uuKJt2HEHA%y;(t7J5O_!u<)yEKMEO+i<)5Ipcc2-(rxEwJW$oApRursA``w&(K zVy<*}A9K~YV(Qt~pD;6v6HLqn^QlvIw6WN>BWPHkqm#cT$5>aRxQ`TPH6w*$?~y{W z&VPhrIhTk)Q{1cPTqJMMxo|v1qyFRa5@B%5kEQeV!BaOZ5Qfbjg>Zu6sa{h~XQNl< z94S}(UnO2h^;(;#&c9Q6N%oKa8v)s~P^2x;fBKa6X953CK*lWg|NNt!fY@GjZ*Fd5 zBd;39>i_3AJx&PacXgT)vcy|u5EYfPqrN1psjXdbc<_nn-m7QAJr8$eLUrE4u!Gd6 z@YU^y0zN^o^*M{hf?^fHn0396BB16!-ND_BK60q3;IY4=e*ibB}cyG+L zp&}-t@G4V7chg(uI#BQ@1arETLiwDj;>Q5XCoO>^rNaEk?_Jr~GSni!jP{S0% z*ZN#oNJPg(2NXwJm99%KV-Emmf;1lEjeD$HYruuJTQJ!?-Gf7DlB1$-bPpYU z7GmIIxn1v&>!dgYm8X)F7g8MH)i_;X^wzx3+G*>(A_vsW___DY!8sdr8aX3|p8yyF zD$W`w)A|CP1x$j-L;ucrJ@!T1DU&H7H4ayBHn!%EMW z$?1GOp$ZL&?Lr|hS7&MotmY|U%2zHja&)6SCz~yw#s+NF6Tn946dY(imzHZ&n&WoK(-tgf@OmGHe|UwhNH?aB(K*~r=#NL zk}d94iBTs5os{#Y9D&_LQq2)2NO5E#Eh^l{95?LSlpQr+E3u;5;Y3Qwa1H0Uo2wcJju99l|m_HQ5xm6tPmDWy_U&oSuWSZBBe@r zL1_>~ft# z@7q)HmQ`u-4s@X~ZM`)*SUzhwLskIcrirdpAuq5WI!7VdkfW+LnfGsV2e98FzdFbt zr-oLU^3IT8u8?e9+`TFRQ0EMfg(k0$xl6VyCi;f3**m5ww0uK;hFoD)C>9=Gsyge- z1pb?}i-&=r<1<0(yMRPOO~ZmMi~LZqiUb|i9AfFHr#RK=q(i-3vm`x)3|yp)HzLHN zpHqaPSmnc~?PJ zT-h`=YJ!LMQ3m}WeLCpOB%_!$naW3+^GSmTt>2tm&-(FznqN-NfFVD%Q%R0b*y)fs zuXur@stu~n3gnC+g!%QuG@BM-aeXf*%K}csBJ)yV zEn(r~XMxuLMbBwt+A1yV(sFQb-i;q9T0PE8-sBLL^sl*Ucr6>2I&#luWPw3N5e)Jq z*EQN;fXznXdMMWcA{^x1gj|NKgqZ|((?J{LKUevI95U?FC&3nODbzHfwdsy5mdG$D z*~4a145(qiPMwsbRn>CE1aR#?kCm`|GTffOP8_Z+oC3_uaU?=Oqeq8)Uf@O?4)gOC zGWW+VX&Raoyu7c^Hu8>lDqASQSAwu)JcH^{ z0j7frzescHAH*F-dBu|9n)oklLa^|&vSRe@s55Mqx!<_f;xTNT(vIyZDZsA*`IvZ# zP1_CaegX(Ij|5~!-jlldcW08;~m8@_Iwnt=q#=<7T%3wH^5nr$MC*Y6}3opzp z0>9>knG`Ak;(E78akgkWdbK0?A}1>*f&o?e;_^%8@OpHBnOYdoI9e<1A3Y@#^9d?k zyLnYozg8Q|@2mn_})}D)L3FRsqo+_CGs}yK=0?$%vBP{_$9q-(0u~G1O+T z)xb@@r0V~D=5{REg7u>$f|&EbbM0uFDb?BtCoun4c9v~>bl*2ecMYoNyy7{z$F)Gg z5`obnzXL*lEV&)&aAFy{xPl`Q2H8-*+>YkXM<=KXj`k+(`BSAreZeF+vlBL9{A9JE5VXdc5N=k6~#m`?zpU^7->; zd}ga`K&#?qYBKjk9v8I`R7MYuxWc3bhM)>nT(kYkK&-x+FU}5>h(mMD zo|WQA{1>{(o5p09kF_`bTr?3MRvOzUE6=_&JzC6M<1m{Nad>m1#dqG|qE!RM#&|2Y zwH)|v$V97mwyFi2W)2sN#64!G- zWl`3&+TFcpd)3CsPnGamTpV{em7a}>J<-ov>r{&S*HHDe0(JfrC!?DH5aN(VP^VJW zm3DLao2&IwWBo12$ubZJ=V7w^4{i-aAJs|+0-CyXwOp7@Nf8WdH!bq*FQ1wavRs%Z%Ow1oc&*n3PrH4RShM}I0n+>%>K?e>4TC%|vFTT}I%rr-=Xv#@cd z$C=1O{d+Kl77M2a${=e()vH(hI$B!!)tv7yoNWJ`R;z^<0pTODpdfCQt2NFUlqY(O zjPGmG1wD9eR{lzgpH(25f?eGUbwfT|V+?n*(Ij?S-z&Z<%eLMva-j2MX_j;Ar$?K7Ht7^z zA9wa-TeJI?>04Kbq5KcmoPfy5XK3M)OO8l|7SLU?4C*~%c_LsC^SVwLat+3AH@cFff^dm?OIALyC8O`Sc z9_za*m(X^W$>ph9`szaxGWfCmt$~M2!?ghQFo74!!uSCXjB{fdh&2Xvp28;aIETY} zr$eesK1#OU+;;U`R`pD3S*1i5ex3N{hn~;jQ27#;J3iuc*=L1lGlR8nLePDLLNof) zYQ+YA&2qijaj`m2tIL}on^8^B#2tJtwZPF5$=9W_m%hw=?*a7UYkv$HIOQ_LeBuJw zmKffXzdkLgC@~bA`5cJyT(i_?U@8A^e=-@5Jt^AXUZ{FuEx?e z1h-|rO7T~Sl#(k}yXmw~+zl9{shB*@2AE;=s#4gd13=>aH?k<{~`{5;34 zwccIDn2M##sOPH8v#XQd=O?TahxjiroSoJCGh~`($PJ>HwI0CDTO9S-LnrP3l19f4 zGeN%UGTCwuPaR1Y;L0Z2wxL4md{{%`hgFUhQDER8mrwv;6Z5*;-dUhU4FcLPK$_{` z`3VzUW|P(1c^8iL2U?);cBplL1^XCDB-h&$fCe$+Jx7(D)eIy(*X+27AQ#GH5(V__ z#$Bf40QJ9jw!ZS9f{zBeXQV^MqFSACsMGyV%>|55itFr^xz@NI#gDVq(+4q`^*`v* ztZDVky7v!&X-wwkBX7XK1miIz4+>hbdgq?jSj-;j1IO*{J2LV7276UEjZLYe1TaAg z@Ju~Ia(`>;C7s63(W<#vxQYgK(q4^0JyR^yd7sjIrV5LTwKjZJQHTT_JwVSg2Xwf$ z8Vo@Em36oqHfu%d&whA5c$yXBByg5u$zFIWEO%}g%f`;!n5H4HSt&rtOe>dHet#43 z6-XkNYW1OzcM3N70DuRUSevC!ABoWQb;Z{+PdnR?d5ZdKg5Gc5`Uapup&ZqG_ycNI zr>hdeUHlTdx|7qW;`_n&wG5obEm%*H0khd`9%C zv%Hpxg{hgzK>YLPCe@-99A_CrVbv9I^>DagpzfL6R%KDqG1YC@8$ng;Y(bDeeHxO- zgYofToLGFh%cNYp8z;TzUGinFYPp69pP+(5iPDd#KDYYMXReq)i=fUM_$ZtDk$;lZ z;Q_>zmcDz|JLMb%!VhG+h-Cbx@SYMMKBp-&R2F~eqo2X3^Qn4-KN!HhGN}aC^e4_v zKb#&+Lz3MK^r?{mZ|_vS34RF2@?auAT@D*QJn6&*ehD78F*guQQ%wpULR{w!Az2hD zFHfld!45GNt(%)kcb*ld*#*V8W?L>UT#lztL45qH5r|qE1Zy}mg>5Xx9EP3njsWCE z0St}|)lL#fDqY42n6r0FfMbgin7IsmUXLKU1i0ioZf7JJ=?5ryTqU>wrL7FQ;=vO7 zRcXtJtZ2%mqx;&xk15%7B^ksoQIJ5=S7b(tQ*j~m_U*^@NT1iT*gcvR!f|SfD#hkJ z`NXFKm2EE|gG9z=zuaU9G>C>E>VPS`T#DL>it~f3n=Ae4tw8z(-{7oHm=t)!d<8P8 zSBvI}s6bWxT%+(INMDAeHFjVO>JO5*KKJb#*-8vxD$o+@GI?nXX3Ee8qYzo?A|2tn z)sJQdOBgV?ie*7WF`SD?DpouX1fvGQHamKo;ZFep;Yv+*Z$EkuAGiU17bdn$!#D&2 za*RKJzQ_Ps2lATWtuo5Hhk-EzLo{I6`)2w03|Aq2oONJo3ju%8B}Q_EKue5OKMH?n zyz?(EK*E}X6Ae44+nf$v@t^fepR;CTGjpQ=?2mWCEv~6<(8b^vs@U?f9PJRM0c5*=%K%#tMe~Gli z5o$$WL6&lWY%Gn91Q!F!VY&RvB0J0u%6{oicGuYpbS6X_p#|xa9TTOkOC5Ze zU(RSfbU7jF@T5W1mE+Mz4^aV6(QaMZt?UNbrE~$JX6|t67U;zue}Z;$Z@ceNEWt<` zjQ69Wqkg&#m~RBkLi`xu4(a-(chv%znQREhN%@_ys9K%)9rG2@{!V_)QPZ<2E^5wj zC8XLvIG76<<2fQ~1=P?WL%>!UbsHvo1gvY4hANzK<2-v5tYP1}xr@ODzdu#F9Ts-x zKxQ0)3E*fA;5{)`yoCp$>R`E?VDP>G^31S+QQh1#{0;8I+u}Mps4+a6VHfxJ4*M9UNiSOqy*2nDq(N_kF^e^npr|gu=Z%VcO!Z3^Fv^lm(wlybnYX-eWiRnaS zNXtFhe94^~y<<^(TEjJu;gImsd4Egr5g{vawS6elYi@7|@(VSQIbg%euBK4bwoUTv z*=zht)E=VBLY)caXBc(1BYPS0h~&0i1ZHlLe)sR;jayNCnxWk{Sc$*Z9sS3?ZT-)_ zodo;#1?=0b{eu&xW_g8$MRIFqD6d7NG9cguka2B2qhHXKgSolqDGWZUIZ)+4*uq$M-HQnhNbUJafsnH#PiIf6DG~LnSHDFz_Kx`bw;h zSsLG~{th`7?ejfcsV{cx9oT|nazgbyjg-PJ1rv}e4m4t`)8CY~`zuGVZ3lx`4NzT? z$Uu57=S$j+D)h#^6>GGktyk^ZUx6dv2y=1cq0HtojaykNQ$FNpm#5}Vr;vcySKCVs z8$EEH9y^~^@J&$lek2FZ)H~i`wqPC~A(msC$z_jmL{ zF|}qM&5&{R_UIf$plv^_&bYA6~y*B-l(@-u@nup^A2<6F1$Hpuhf06;Yy&cr}= zU%NvSVGOFAhvu_L;aqW=Or)BD)H@H4Ut(2-7ky4IyOsqs1>EyY@#19?V5jgm))e{J z2HCIwyRz*ykVBw4(}$A-Bqi-up^2in$ zRqEZi{q_xLj~75npp-Y&3VpHR+Bo(n_$6k`@kY*+H##}c2aXl%x0e`4SluLD z8t&1}LZvBLbVQrx#u_neVbnhWQjFZRzLtaDkHe-=(k3qodw>bmeoG4PSsq z2)qhH;2eb&jQcy@Q_dO7fbKP|H5m`>8`}DG6;c8cJ(({BfOjmnwGW8@De!dalo`u_ z*$8A$aBxR*-O-6hA0OlN>iClmL8P4dK#`OMi8C*f;4CP}OoQK0M$@8>naAN@irEFXxR4@py?3Rva0p|ErP z!7LvdurwGfwOU#T>P6c#JmA&oKzYx*>wuGSz4n2?)5W?CV3z``_$An7;IZZ6e*ake zWHHw4Z2=mD9w;5%`rb(v6Rkz7b6SE<$QK7(GZ3lJirJRq(Or#a4;8XO#jQ}Fh9O$P z5cbD$y3ov;-}UZ%bCw@;tam`Y0J*rpw?&ep$F_c`j<-j=^8C+>XvrCcvB7kD}wjK>mbJY@EjS#|#E4BJBJE4ok zIs>x~goy*`L%PM=ZfmdOClPX;bzm9#365H%kT=| zyVFPIdW0wymhvoojr(H~NZQ44fW@zK$I%kIx>I}LV#9u=0~Yh>(7zzHm^3!11Z>A& zpqVVxZE1B7pc6ESY^^9WZBA*Eu{0Wq%v?51ml|XhY({d&0h|>LFN_-Ag$ZT-*;^)I z*uoPas7@FuV(ze!s_Ke*UxczzjSdc4z8OcoA1o|7_izi0{^YW}{6*Fk!$m+x*ZpO+ zxUD>s=E@hBP89ia)I0F?7@p(N$VF*^=;$DOVel^dr|_>g!PpM+IOEa(hwktiRPd+` zd+pZz?w5_A_rf1753PzjMhsdZi&BWYmcMjfzw5FiKOXwyar3!E4iRhI9bPS z@tfm#Fu5uWY(HliqeAX<7wmhLPi^=f9cjaE3?CkJed6&a@^8IArnKCHKqgzPqZ8Do0&8dJV6-%LnQ znveUOJeCGq%ymzC(In@DCJDynPo(C|h8sh~jd=k9?d`>PJOJ zYwz>Sv^n<2$6Mp1X%4SCdwRb8d@Hq-E)tY*?N2cR&*^Z${Pq>r=^SyaHcWcC!)e22 zVag9Q8p1v7oe>}V|4jymfll@dk^a_)Z=?vytd4M+K(8eh+aDetb>mFk&{s(jjsU_` z{)Xiyg-y4wBOW4Kh}_okZt*d~J>7q$gy0Tf9Ms<#Iq;cN;nZQFa_X{q0tbmH!qyvG zKb_S)$&q>)X0AX&wAxClt1 zl+`^*oe=B|&rBB4t8%sv_A+z}U#WH0Q95WJ)-1rh-uftdkq5pEt%H?=OV!%k90eaMS1#*}Z0cf^#*d1a&MyR*p&<#3 z=M-^kd*}Jp3s9?M#n$IarY0NxQJ{6717#iXQd!sPr7f@jsnXLqMaPR=z7i;0^Mlz1 zTaNOdRZo2!8Or!BO_BLJ*Q56a0S^QyDF@UOQ0GJw`00x?jJTh??C()kkEyVHa>#`h zI?T!X{CPX)fkJ>hoTJd$AbpP|!wpbY+q(K)vblbqz~eAdXR)Hh!3fMtFM#8(RKscfE>;TOYfEsinZXYv3T%;a*Y6yjM(ejDL_#hFtlQ5)${oO7s zPL+v7YvaX$y6WSJfBG+Kn!2MZ01Oqf6uv>f52~}9te8Tm3>uYUb7<};ciISm`SAJ6 zYbbI9?R9H{gSBEES6;Ft4-YnjFy}h3SAIh`131&XDeqp(#KhP+sk1$?;?OSp$8!k| zYBJwZ@WRl3kB$hxV$lM7JBvg0qhQ}~*aOho7T5#KcOa{ac$&o=e zy+NBn;fhXz5Al(?6|radcZ)$D@4zr2Xt+Fb!-UVvi^@%UWqJ86Xbm?n(Su15<=eM` z-3V@qpJ~H8tTu$-Eq5g*K5%;@OzH5D{<0jf#n)qf+b~f*+!T;5@9Ft8tLJXDBqk|| zUVF=bt~H=~{YX`6__;6cV6@BWzK|os+RBPto;cS!^EfC69)s2_blovV2`q|oi7to{ z*X!GW?r^g${eW8G$@Jf6^g?`GX8nJj-AZT6)FcK&;Pgsoxukbu;T~q-%SC3fx!xgt zA+R!&f>KkqneG;6e24p&4$tGpIyd1l8fLR}D%&*$sXsGrZ6lZ? zn@!tl90?td#jXEti?N%@x}IQZDkxxs#YL(LQ%kPB)U|8zIz~Sj#;9M4O%-cLK6N-f zPwP1CjCQ%e3AB8A{f_4`RjJWX*xiN4!BevnRXU7XTAC}9zr@lmRSTV12szH4jg4Xa zDRO*0$rn)sRL5{OCUWu=;QKfwe|a#Vw%(7i$`UEKBd5eiE4SWtSk@Eha7L6Y0f5wW z-8CKZ*SXIJ!1$>l^elskMIL?fLPKnbslC)M^btOO3#+|MSGUy8o_iydn`{g_tPafz zjga2EaZd8S)~(Z%#(Kyv(*Y~-c4W3&ukYjIeS^AhxHCHx_U@3SPQGnmIGpNoUmm^0 zFHVoKdCQkra->{YM88M1^^fepj|-Mr5jD-?EVJr3zB;LerRL1?uX4_DG11YGx!AcE z>H88mhQSeT2abozt7G%yggcKJ)n2r08Mv3n2W+UgAD)L>P1(b?Vj@<*Bc2wNfQ{L^ z(sjSEmHDW4Sbm7cuA-=!&7>%CDbYO zyzmbvudZ$Vn7#9uHVW4ugVH~alMraGkR1lx0rVh}TScb9tCHNoP7rqCPtxZFvEv^i zX~;pDKL>(RAaS5$mNTKC1J=-ZbI&;TW|8&C%c=vCmQVco%d4xjyxWgT@Zhv|ArI|GeI17awLNu)uR`=1d8?jrP=q>s#4u7I`!{kc^do2Ij+>|(NtA& zg9piVg!5%rEPKcX*y7m#y^-?m;3-U1c(gNc!gIOGlIR-itK<3A(^^X`)wXgmf?>2!NQxGdr_%qfYaZ zE#@eBk+Kh_x}wn1sTRBOfZiy{<;N@$ua)n{^ew}SJ+;m8_8)M3^$pviyuM{e4h5F% zoIwbL1k)<_6Ww_-oT*i7xH;)JqcdqZ|27oH1#^pqo{NDPQFw$*mg|BCQidZ&Psqqf z#|j+_og$7&ZNW`y^Y~OY^TT_RV?KS4B?4x>60PG8LLxTeJ)v4Ki~vhd90$pHz2dzFIrTz4!kqNu0h_bR* z<)%(J<{uOxzxlQ-GmA23(zoAy2Aan^LL7@*k*R^vCClPL3}#>fF+aRB)R9{Totokq5G!pSxV!)fJ-|F|^0o`8jn2U!8BWq7xf`BtG&`B!n2z`6Y7LX^) zrpEXS=jpqqEGnVk$mg7>!LC`V1@{5Tlzh>|#yNi-c%Uj#G1^*M!eED?xQhx9Z0EJ! zQfx-0?{WNI4u`Yh%==HMBd#qA=wi_m5j*@n@&-7%PYVA{?C>YGE*xT6J zcnA9YGK*N`=6dp1_4DnUug+ugCYGfj4?Bw8C{z42k};`Ey(Ai-wh*Z%(;b!9w`}LY zv&CkW-=ClFU8Y(k(Zh!b)t?UZ;AuMFn&vv+k>uSKA_s?<E6q zDVcX~Eit^CgUWD!W6Z-!4@;P*-PE8HnwG&()ZgLcbUf^g>9WN=C3Y*FJ>3$^gTH*h z_q(qnjS+m{o={SLL$)`@Dq9NWFLfvs+s+y6gVNwF@N=EcQ7y5FV}4fRM15kv^#v@; z8YjELY;YC{ZlMMIc;N@ZRJ-)Nu`4WmS?bkyAqM4b-TwP3?MHS$m_L}AwJVeh>6R6@ zjAi+ZzgK{Lab+xx9x#3_Fo7P-SN#D~1c>zT0*@zx-BU7vRLgh#_>SJn%w32JEG#e!y?OL4u^ z-${IynaW=@sxjeOnP|i4kUoSUM$?DeUxRrUx#|5F5b4Wu?R0RK{E_OmwLIfG8$P%W zi|}2AO`OpquMqkiJ_yKA$Qy`e)O>}yJd#7MBSIq_q(rU!*_P0LcC*m)_iyU1F3Fu( zjvuh`+zIR*yz@Hhg&qSK1T38$k-}E~!cJGdYGFa>dk0WDwPu+hf*I@l)f4ZlN5on)MQnjEnTTyH3MN1~ZqszCV;l{*jy3lt38d zR4ZFao2(0dEkzkbdV_lS9ei{lR zw*>Er+*<4*%21L!kF0e$i0~O$1jlvI9g@H>snu-N`$jM}*51khE)L@air^7{HgUDH zeSY)gq-5IW?nhF;vvrE|g;W*tF7_{Mgvz~XMswT^0?yOIZ(Q0;I!Oq)2NhNfZ)Iv` z(Bhk!jaIZ!wfES4!U??pTic?oIcpCY4TaoYRMXqCgvcp_vGicHO@YDM#jWEYTU+kV-WOI$#9J)C&83I(@bF zhYtjMaD9l@OuPGE3QP zNKjVFn`q6p%`WEVDKY6ut_%$m0K;946IUSXsPMYqWiXqKaPlrt3J`}QLHzFku5NF7 zmH#clEUd3%Ra#_H>UL?Mvd>jp4fL8Y1P9Gz)3t@}(CY>nt@G`~BQpsEQ0djrb(Bt2 zI6v1qU%rId=I5thcjYQ09s!!M*j1QEt0hJiNbGHW=BA>@@G?Jkj5VpRA;Ug*2EgD?7FW-KEh>I!Zf_RNWei?1JyPk`8TmFmQd7X~jn&++#`6Jn!&rJ~4_iTz*&aic(Q%c!a_s4P z(F#uMKYL?k_3V7oi;$ws?Uj2_l=K}thlVP($qyKWV_$ipLI(Gn;pcWfJ^sirI(pZXY01J><*rk-_NUE$;s`Z?-<8b0?%f^! z0ZpXL3)VAI=B3d7l$Mz7s>IkMkL88P zN^CrA(d5Z=9dEFp*s1Knom9n(W2*cygi$rc2+k>S`Q~KX?>}$RN^XWP_| z8Q3-_$DgY+UT0&wVQXU(qA_qFGcYtH_M-ERj7(%v+M}SKTE@o7mN&A}=XA79-+Z<5 zeK4?NL>tq>KVb3IS#sS$zgJm^@6M+@LR{l>0XA19F<1{LKUju=i>02m$&uzB>0~HF zHd|a+CV9XWLlAu!7lJsc|2VCt5|zd&-hjwb=D@XcAWekYyv$53Y!>xClw8U(r}W(1 z+yrY!SH7B+20|htEFXS9J0#_9hx4PqkKwWyT3c$BCqYiT0zGgwTq&8#SB1~FqrNAj z#zKo?RJV9uFvxU8=XP*u1<$`{11T~@Jv~^>jHhoVJ%D>zVqTs0Sn44Kh=yb&*0^_+ zCkWl6^Ya5+sqLUs!?}F)PpsIb|8@SHp-`0H>14dih!w=CJxB zEzK(YR-t%8AlSfv(9c%sRgDYG#{lo(KNZ*=2{>50!LZ1SK5nLJ`o5uTz6zNie+BY4 zx1hmdi0TQte55rmG#1rFUvOyevjm7*OmakSEhn&;N@HU<(33L&^hW?3$`v zFYoRTRE-q*^> zVEvyO!P{h)OF%iyqM}I5iT@rJw*K~<1NKVso?EEDE1$fvnkRU8#ma>YSnCbuh6jot$^NG(FZI9jivA04*1!MgR2Hp9&pWF=(Jm*uH(6L% z4(4?=D)*uTs<&jb!fKtAuJyim)o&?N*X`B~tjzLoVmBzL{jfecFyE;KF3p8bcG)*w zk6VjJ5(=eB%M0v(X>z$PaLL5GH#c^nJR+}kQ1@1$;Ua|;%-PoNYB0?A1!oJSi43I4 z!ZbsfF*qSenYqCR5-M}*-)8HZ^Gm{$TM*&dVQBwL^&+jcU z67kzbJfdPu%qS2MRwpdYyL6VbVrV`BiUtM=e+#s{Ow6oLz@NzJVL;m@)UH6W@wx6L zotTpHMI#;ESl!4D5G^>2bi1{^A|fJ~r{Ej{#_Rm%g%^MW+UEKM7CD2eHKx~r$(R9H z;i~E#H+)kgM4YaZ5!tt!?srsM6JRw<@W9lAE;PkB{toS~4v zew~{~kLqwfPXig83e$75?)Z4iI>yGY09SlH_TgPHkwd9PWs$lKUp+kTXT4YLAl!d2HCt79}}01E;-*q^Fpc946co;+_{%&3&qcGZ0=!D_Qnu}HsAUIu5jJS{aa zz?I>2|Kwg7e(q2)Qi&;ZEnZ8@{2R=p-7aM~-FA7$ipF5J(AW+3xr3U8nsDF%N?d4g z#RQxj(S)8?l?ZR|Eu@zsxk&HdqZcTEW#{H%4NIY*dN6L+u6f1BGwAE5L)jCNT%}Qa z>3^jc*&aa}EC6`rH|7lpLf+q>9Y1cboLlpPt^fe^_Og^E=X@l=5-GLdqiYFqhTr0G zIV4H4EM|brV%}f1^lX60CCYW~&d0q%=GM?Zjh&f*HhdG+$&*DD#oELsaf^uX|V$?pu zwCdN_n1Y|ZhOIG)FCxr*($#Zj2XjJRyW&2*36P4&5r4{HsHM@I_e9uCR1B5-XJJow zgE4VNaOX>oPs4tU-xBm&^k5#r47~!le7Bq>K2Tz?OgYiSaOl$fB^i`9I;ICKjSwJ( zKm#kW=q&jb@y_tUqeow=+vFzo8I!=83#!Iupf!yx)%qGMcF=TYk)A2h6BIVV+tSwk zjFJ)!rdQvBEStu%?sVcvNfd>y0B;srnU}h{*rbR_CA)XMQKgqUN9mW$&u8m zdrOk3QaS0y&Z78RQ(lFlT1!V5Th~YReAj-H%~KMv z&P)OOzHy^2aVv2L>CXa*l}O|ng*P(aV00N@x7WD0eEZ`oeiw!J&JxN_GnF>AWkjTGqH_xBiZs}kqt}ZV~6rFKdjoCig!#zchZn(ToMXmNs0DdYZ z?Ixx$V#<%{M;Bu2&&G z4R;ncus1^;dSmq_Y$)^-hv}AI)b`hg9(tt{D|WPvfV8D%xZA*Y;;D-(>BpsUGC`)F z+44a%>)ZT^a{S;a1=ZI-t!RHx9A~el^b|^kqY)_p#BFAWSY^8|bPB8b<7%KjHJg1%D=Z}7W8^D^hrV9^*jxkpW(i9Uqak*M!$3P;UPVYkV$vUU+ zI&HnoA4kI+oaNbE`(My1(@KHS%QgTOv15;WrJxBhoUCD~v%gU6PzK}@{xA~84c`YA zDpF$ypsMbWoP9jMYcOmK@)!7PSqRlvO?AeTGGOVj6U*bnTlvU+7`c&3Z=8Z3kTTfx z#G3Lr!LF_={#1bCKeh#+MmdsV`v=Q5`dnKT4zz`&`I-{zO9{SvutCF05#Oy`R8DJQ z66;Yo5<-ID`FRqd=PuBqX9|?3m)57ylY`@eQm||=uvb^g(MTw%vX(SK*)R!ux_X`k>ckbVxOWG2XCY|a?siw-( zNWp^IU~#Q{+d=)Z7|Bk61q_=g2kKGpN4ToG5eydVanXZhA2;?_=ko9C9VMXXfHc`; z$!a);foJ>S(7$i8((Xb1M4QpbDI*$2oTT92dy^S~Pgs}pJ4RA1zx*tclp*(uzTxGP z2tgFQdjdy$PMpZYu&J%f`zU4(xp#;JUE8U3^PaoKv2#34QJZJzwQ{xQZ;UyH=GePYi4!xgZDQd9XL8O77LJ1(o-b1rYy4f#HKJ$(JAt^Xq?d zs{NR|O{QE*>9HxLFG8aZmxR^e~C zss+oVs>Lo5yGQ;+)<3#pms-Sz6?6Jnsm&|eF5ebe?P#{iWE(OWMY+<2l=?Scc8 zL+$D#w*ynMOLhPz!9_@p!t6A+MGS*`eY{;&m1AQnYt(LTwX&lGlAbcnlA^Q*({hjecmq4a>3cv20P^&x>?%ID3;Zj(%jc(e zbkH6U*hJd*78IJSF;CYx2ECS74nLD}fz@g_R>lD-L^^^A(yL=vcQI^pc6PeWd>_*! z#)mhAJSKEJpU-k)MuB3&k@%y}rpBea-JoMnoF|NcprOCaiI@5BJ;Ll($Rf+c7k(F= z-W?HM_lqCAWBq# zG)XLv7Y=^QBdrI7c8E0liI7nP*15~M4|YVmGVWI)cvN~NG+$1 z?r%inXde}dG(Y&F6IV0e6%yF!Xht17^6e{O{to{!9SVCytN)g|*a-)y+2mN=(Kh+- z3aj&Mh(ulCssgx}B5@Cd^m>C8Ki0=xqw1pvZ+_^#)FI-u31LjqQpkTB4Wkx?SLJS} z=RdN{@9osC$#|SsuJo1WF`qkJ{rYdby=7F@?bj{}VpEDBC7`6z-J#L~Qqm2=0%@0Y znRF=KsDvUV-6h@K&7!+I&RqYq_jvbv&i=5+`Eb^khsU9dU*7ke*Sz8$ddya$e2z|g z;xc2UpI*l9P38I}pZ>GJV&JMJlN>C3v*T4%6r((-k=-FQAH0=FuCG#V>?&Ky{f>ls z$V`)u$;D85Cz`1{o7O(m(^LBc+|SD0=mp0V>H#_rh8h6EEkMdZfMIT7fws*p480X1 zQd6OY3ZJsHu;}^yj0N31XhzSTs2y&j5Zc9?J{fY@oTH<5F!MJ}49@;J+7`~iisP|% zSSI*KZ59gM<1@Nfbhy({om)*7`9KXkqf}hx%8M?p`ywZVJx)GSgJDu-J|G$X-F@Gq z=d0Z#h#6iQ(B|t&jTYIw*#3D9lfMALB2-#khn==KA|I>ks#viNmEk={Gh~cTd>c}wKt<28yXB03@%7YE`E;F+V!K|6zo^Kl34}z0ciOA# z_e?vCrF;Gz-x^S|MF-ko`6$j*nx=C~l;?hXq{bMb9BCg{`5B$=P~jVrrP${W0w^z@ z>^3l{h|V{p* zIu}=%bLu1hBdqd6N~6*GALA7sA^UL^q+(@auC5l7;nyB&1ZTEK3&+>g5Vyyc;|v|J zyxJhgINT6>Jy2%t+!-hT9I-Hd>~@T|%8?7V(bTnc})E?dOM85WezmkI#isG5?$pU92hlaW1)p?FuVl&(dXd(9dRs65tcF<2Cy-|f*BQT1 zUl34{*S!gj2BujQPyo)nqSoLTKoDh69=0lta+n96HhY&o-p z?x9QEHjO?a=8r;M)xGOOWXs+yRJc*K@2KfRF-N1r>!uq|@kCd~ev^xb$7tlI1)8|) zKp%!;x$>053sGb zee%g&z}V(N(zx2`VU@{j(f|Fv!yC2W>Q&k?FX*H)H7jFwqq5PUC*%gIT`)l5q#BvC zGuxb-|8BGQeoj_7RMy~5hxb|99qsiA_r9mPm0tW+)K=whPWJd&hAu08&C&(BK(GM9jV-I*2Fpe zI1u%#- zTQ`+5v&gsht^otGvArL=6VRv-3sz*Q*>wu8Jk6TAy<*+yIMv%y9`gIL)fT;u@= zONSsvV0S=*I5QZBUwL>`Ck=riHEArO(Qz?5d&_d8rFe$Tz83I*+px#Qj~*j& z$$$wa>oK9XhH!$blZM@zw|e?8k9Oz+2U$HLtjmuQuL>`M9uJIRh{-MGpc_wB@VS7x zNwe}X2E4U&wuukI8I?cFMcHD!p;pcWxD{7Grbod2e1dtL*0fGaNMXhuZ>+@reM~lJ*Oj4iUn>8Q9gI zJ?8RRs-^Qhzb* zNk*szy=b^y~Q0yp=T%Ro>=NL?AQcSdPR}W@ON0`c-MZ06;FXlu}XjZt>z$=7) zlW-sCsRg?MUngCom{G``kZs_LOnSd))W(+RQ<$AQ@6A2o9aMK_op^7OvC;b2p+%&a zeu&lY+%2t??H`x{FdsO6mX??v{v#x(VMYBZi02~Yik;Pf-iRL|Q~JTwccU;;jzL@z zJw50nYSOJYCB|T~@+}g5XOCL2!6k(N?rd-Ze+bg&f>}E+7>8FK@>KDC(z4ypj!0#y z67|ZBZUFCPW)h%c?KG2N^MNIgmVtc07m+J#rT|Wcie!jD?ip-`G82vK0`K;?4-R6` zc4rRc#TtIM_x4x$8ei^omvn^}sQqXD)VKWfMwjqR$0@tF;}hwIP=B83Nau;^VHe2; zlC4>QxkZuzapQm0cI$o9A114Dj}XRG)Sv|UoOUGjF(LkU^twN%`|u?$fwvjbT3=#* zkZ!frs1R!vV9i} zkUbMsy=MX(Nf)ZK574)x=`>JBCnlaZc2^f?aMG^UR3(t`{ucVKIhAuc z?RT^$@*K!|;iuPtED_skWdSyzVA*yz=d*Fg(GM&l%PMbgZ#1k*A4vLLh5iXthJWqz z@zo=jW7y4}e#FE4rexPFjR64FFNxfb=rS1SXsW;oFLHBv6F-v}4fud2FzVbKGrLK8 zOW>KUa5+s3^Qj;>x5`5lGQgZLr=$E9?x{Zj`>l6lfm0fRzavIX14#ONh7VmWaY8~E zeF&E;{&r=#`9&H1Z>a|hViJeV{?44WtfMKC#TqwSU)i)mt!Mvc^3MC6`4@SJrrQ|c z>ix2TtRtq{92bcQR@;yc>zp83{Xxtc9t8*_V;}Uje|l#kX>{(t8OjX*E?)ksp%I*3 zHR!USDgZP$5ab!ksgd`9lAhu*W+nl|5?&n(c(N3sAPzgP{vYm7{a}g^ z!$EUuXl#`ddIW~aOCplq$5iZWY#dGnPuX0z^;fKD6bbe72KeLK?i<{DOZy z!-`#d4DLVpX`a(yP+S5|9gM3v8jlS^Y21b&j;jvXwdpz;w_yO>pQ(>oE?;D|HTuP* z&$V@@MXS=YeCHJ11XWq*JD0|qHh+&MB_SjnstR;CyrB7`!IWd~c>cC)xiytj@Q|c) z)|8wCBqG{RLNkB;Dr2FZJ#~UaCMg(Zv_=(!haz00AE~JgK=Q<)6#W8;T(p`f{V*V> z^p=V;qR6oJG1KLlY|4|Fn|jn8GJ z=6c(KlC9a?vTow^;+9$Rt!*cEKE70g&EWRvWk2zW6`21R@2fb?Tdfq3brU`~`+!55 z`D#?B^tQU{tr1bc|KQE2fqEJCL8T&99YJ2maDD=Yf?+$R0ZeTSfKh6jV(db^lFBOv z)4#bYc(Z<+fQnXqkyeru_XzEEd{UHVQ$q^!tva8DUS zo=oTtOi&>6>)LyuE5L#Xn$CMgR+_)JOKGZvs_?;UnNBf#ZLTXSpeQSjaaU@t?aSC& z1DbhxSKPIJjL{yf9}LInB~QmDS!rmRN_Qc5$JFD#fwnNy>9LsXUNp1L@|R5!uk6Gz zg-Kz7n<2j6-*!Z{>y&8IUD1Meh*W@{l`Q^F`nS-E@Mb`%{~3hy%r|Dajh7UJ=nCXr@y84_q3=wC3OZtp zcJSg9Y60{fKNIf<{}%HpSh_^d7AcvalSzAHgR_HoE)t-vi$$1T1J=kseOG$N+b zLhnC#j^{WZtlYzBD;j@2a=(GONAvC!N?(_pq`reTM@QfWv2E4tv1P;3pCd|<^O~Kk zV&{t!u4AP3-EEo|rXCK~)+{h8V9I=cTO=qj078S@#OO&kOo8+#cFz(R_#x z1gxBd;h1dbReI)aQ;k@L+j%)9k~ z?!*peeA?xEYA(n4{xRdgTbfx&Js;L&dR}@lP{Io9kKu%rEtshI!zdgqhEzl!VnxTr za$1ZEHwLbS&35*rz8SJog9lPcW#l3mfT1X zDgsZR&`4|7FgheX2D;UNBD!aAFwK6K6$34oSz5A46!DS-rj~yKJ*s(f|J7py6%heh ze5z|#zKWDrzPY|7`Zzi-b#?=P8}t>0S@yR(C8P!L zMA;$+)RY1ER{V=A-b6(Jk0W4RJj72~LQ@l3G?=+4r6`F$h#N$We=!I+2#?kk$j`HG z@3|3iA2YEBVkD&SR9rbdk&Uz_~U21<4ayx>>Qy#tUn|fn1C2 z%r&om9^9g>>q9 zdEP9z_1 z|LPsw{0}B|e=&zOb-)bg8d&)J+EKwH9KwIBKbMY;j}Lr#pB+;<^Y%+%vA=pX>K%Gx zsi%+ym=A=k;fEpZCBRC@g=MTkem=>l2Yaqd0UbBD$B#bEc774e;| z2T-(RG10)d_a2cuX04w*&_+@TyNT%?K=tV5{f^FpXf!^1=FwxRQbp-;; zsQNs4+h=xL(x!9RN><ufq@%SiN1NLxe-Q>q>t2sS|YWDJhdnGQH6hUw1{xRx}%jHCj+4S{35}Wdp$Thw6 zfVtNrr=q;t=YIsA=+{IpMUxyn z@cNt`%zONn(JaQ#Apd_aoDq|5aoFtj9uYGz1O5>CRJkW1OQ?bA!cH$y+~2lvOh_+G zgRUY!A*+!`1(wXl`r(@Zh4gAgn`GYaJk)>^=(};y!mA7wyk84J?Cjlu5A0qQb$j+D zkFGxeo9F*T3)lNY4_TOH1e1M8>h{O<(Crx*P{XrpHcq+)Q+%nAB+13#Ec21fXCLkS z0-~(JfN9y;Rtpqoc<6k_KRQ=1E6kE+7f+p~1DUuC{K*^vdnXGaPiEAQ= z6%wSqsh4yg2Nwq>4qRIKjgm|+40D6;3x&*bbyrQ+Mr%)7hB1n z3l7}GyQqN>+~xkBC(o89xE8a)N9v^%&hihO+W2rGr*q#|I#(V7KE(u;$?IplUYV!Sx5v7{Xi1-n*od6>>o2&e6#|~C#`EQ#b%umc9!>xY_o#?VHv+p z4_17EXU@34k=*owS%+Ie%j{xp8*ci{sP$uLKUG1hZJJ2mhhU}mnvCbR*7dn^jKnfD z{7phjAf(ejws@!Xt(lyi;u!@@8hgE(X`xf!s@X(OhKy#1Kddy|#8YPGcx`0k4_gk9 zax_{LSE5r=M2=C?w3v!XOo+YP+ltGBBQc;H?U8*f+CK%@3$5Lie*zU3zjX?I0v2ycv!hQ zIQ_6%o`v8u<2!776<@U2R%$gO!>Z~55PzrN!aDbC@ zjB=f8#)B{bjGC`9i>iOiXN-a~zy+hJG-Vpp`Hy70VfYpq4N_<8FX zU9O;$Rl~=I)g>1w#lHe zQ)5lXlHKG=wI+g@R9J68zDQWm6Y=tJ(}qDE`Dm|5U9CRl$00l#n-!RZ$@Qlt;l?{Z zciVM6Zz;7u>@u=_Ho$3bSriwu#AUm#1~u=mS2KZomPzco1^;h7+_}`e7Jm|Mu*0tX z^qz?$g<5-6hmCFR-lKuPg)fdis-@_j@u=+1b=J-vtJ+zhe#=8^Aq2v7qv^j--Wv}( zSL;)#=?5<~fBRy=B?8*(=U`wvoM-f-krW5aTvvnTK z8~IUNQDMfFPB0g>(iJ%jsiZwM=!4-}T}QLFB}>$iK2INvRQ4WbE~Zku;OzB4#H zA`0w6@Ics(t|kZpsmn5r&q4hUeO$+NQF*YO{H?@#`~e?rozq+L3{5)>o%gp}aE!6i z;&=Ml8c3{^>GC_fG#RVQpvr9Ue@0q0!b|!zX6n1XLz$CB9r%DpoaX4|6ReN%Hq|`c zp8W&P0^klC{S7tV63N5G6jfqzruSV_!x=oL0hS{z9`S$q9m+BLy_!Z^afUch@>({c z@#Fcn#Fc8<*!#wNXS)nvS-x= z0^x{b7;w&jGPFHTM6^~rJ7KhVt|4FuHUMeT1au>}OU`99lT8KUPF=Zw?=|ZLPCs)?X~>HtQt|IlpxT8Nj1^6 zh<}3(x8(%ZFGr8za;^=^^bMeN>sC6(rQ7(&WP=_GhqPOb^kbFsCv7xbnO!Lr3UX2# zy-6ys-6?nj13}#e8nT9(n)hJ(_(r#`%5`9;q^#h(XIL=Cp33THx&JJOrIuYrqF#7v zE;Fq4Vzu2h?-O(g*UQ8j>a20-0*K9OXA3irkA>9>>^uRRMx%?=)K#cLQ+!bT(MR*V zs(z^koRh!y0gC>DV_;kmKGTOPcRT;Pa|*urNHD*}06KFYP(En95Bi5iJ7PqzAqva5 z?|#x%>$&ivWH$%o%+fY;j!_d=91Cl-!R?~|MC@QgFneV+1a%Z}{T9*M#zu6d(&9oI zQn1|2sXdw}p^TIZ(H=X&;^^e`^U8I4M&n11A8((cf|(9Ke*U-M=_W=Ma_ZbHu;|I= zc|6&57{B=h8{3nL%h$W3Y)3CS7_whjLw~I7 z;;Lt|z2hLC$VN5xq#;j22~Q4IYG8hB-g6+05h^gu z<+=9|RTEz_nsw*WRW@aBxfd(~yj%~-J7WuVFvW!`6&369f5_NoTtZSVyHR@=x7B0> zoW&LIB1y1E3dFLMln^DfZy1>ociY`DW!H1VYpktJq$-mLNxBu3&+|tkO>NipjB{3D zBHcPe>Q&Bx*_g7%5aE%CJ0Xe#rK)lFuI!upcfXOptFIjziozkCoXico1O8*WRTsWn ze{b$A*fk6;ObE4v{hK)Lav>vmUiH96v$DzR_!8mgA|fHUIn$Dl=xT}L`(@uXir*uC z+2ri1m+ahgg`@M`X^!kt;T=j!Fi$78M=Ho3Ja(G~Oq!6Gc+rW>{;2!X{$ox|RBdg% zpa&+C9McQQ5#qn2uRbKT~Q=0b>ow+LHH zm{8oDWZ9Za1jP41o|$>TetZS_>~IdehgzFCeVC7|A1ow{RU3%^A|LLw83M~pixt<$8Y%LG(a+d4NyDs#HK z*|Ep~9@OPt%^M|35IaUis$E_!{k6RP;SJQ;Em!fI+B zg0aQt%1VmV7lgc}2GSRmj<$NCznPMot94Wwn~=n;_wL-00kV^wyc;;ZSVhsm)k0e#P*O^@5PV6tenv+fs&r{<&zqMOONYFkS5?R8mOG#(Au*}u zZn7>0Qm0GLGD_Oe>}%hKmxZV=x%EEDB2bYN+*X4T3koajE@xkz$i8l0Zg@}@(MB>T zCMp-pGO)Vo&ktV|z8>V<3H2p336nB6CsF&uw~)PwrOp~du!(7QNhjMga={7)=n|)_ zSmqNyF-@fL*t;Sx|Kf9qdfwb8xcjaCCqEN)=-w>3<&>8zSXBD@HhU=rtwd%JFzLj7@!2N0XrMp&`nVDHf zYhiC+w|^ZJUbUU~m>1L&^6Y9hIEhC1x!Z|;cJ=dZzT|4qx_g|{+wSPX@c%exYHC?& z4s{7yGyf3yQO+KITyEeSd}CIQKCu7#$XrR!*MmF$zkFyv^pCJo|F=)*(-kY?yZ`MY z`_Q2%;J>~H{S)n1!7<1r{$D=?G70Pd?VG5nZ>4lP{Aaju(TtH_n1=k7gW0J-z6S@XPB41_pZgSC+Kz_ytta>?ro}Jf;qPM`$7` zVVrgZKNb)oBqc)i-5GvblDhnVJD~sHuTvfw=j-M>yYWZfQe< z+~n)lXgs+#K9nG(m}e`{2khR;OXa=BgK=FRI4qUhtnHl56bFU|&L(g9+CJLK?NPbPs`N0i0q23fnF19OAWty3a zHU(=ItlgZCIin#3%=m6w)W+JeoYimv*!~Is{ri{Jql|k&(s*xWz!Hx_putb1ZFGN`anE!@d-*k-&!{7b7tZeBqOXoVL>cKBW_IZ0e-!5cQc?2!QR zUSxfpZq9j*=Z^57SwmaJKd-WtCynkrAovHV5+ens5D-_1cA-+Rc+|J(dUn}EA3Dw=ZwLK}gEt}BUQyb6rFR^YqY<&dO9>tx?JIf=)%xeD$Wa8J2rE|)k! zK^T0$n%Y2JT^+)&a*cLbAA|~g<&=DjvKN1@pKEgX%yCWl{SXn=+WNX3GJrA;!`)`Q z7WI>umv@j~Na*g~tZ9XDxyxDLN$XcpmK<>dGRA12AzW;#Wc~X)m4L|K?cbB)Zh&cB~7<~WM`h`ms!FYdt zGV+eBmaSqSl7JWvTT@$edfL!7k?zud+b_h+$HI%%cqp;%6*Cob&Dp?y;8H>&wAJSh z0$}wc`x+VjtCh5%R$mzLqb@qg@s&{tu+1#wRg`(LD00p}Z$Bk0pnP7s#yrAF_e;BB zZ9$7;)amR#Qa#~DP3K_j7fX@H2Glf_I#GUuF`m6BQJOT0N7U3G)x7!}TPxm2NAn;^ z!+v!vUUb~!mvo7Kd)68 za*Sv}lSdw&CqY(PoZFoI(ePIx1?NsIPqwxDW?Gip(x?eLJT)b0^3N`lr2DEB83YS# zt`s)3wuWZLaJ`-RNz4*AV7jv@p8R0{ykNaQ z$#TdRm9ycd2JjU_e7E$J8Lu#@pMzV2k zEwpcPS&NDnD~*7O`(N{A?a@LTD}BO;oo7dac3b>$MH{?|*ME9RX_}Mdh>Lf;kR;ad zcv96Q`*?SX?}_f#)@(rR6qmcXEqtX#B1`C;dp$%=b9!<4FLf$#cOAAWeo zW-R=&G>rQPcA@C{pmj&b(RFOtYiwqr7b^AZLJyPF-AEr+d}X1y6#RzD^(wHEO7(s zC*QdjB|5J}z{?nWQPJuLqIeMJV&4h2yI5jA`}GqAxY>Roi(w&uFjam3&O%i+>kXaBC^UadyM4BSr|S$5QRY8% zJi%>!!~!Qrltk`?!S6WBj2r9t!!`%cIbo{fn};PN(cje@!;RLYc8HZTcQO#96@^RdOrPvy|R;flxPmN(6Guk*K0;atx z{!YnK&}o@9hhxnZ!sev0qf0l}Dfaids;6d+1@PX*RMw%dOQz%0^Xf?oemARohqj4^ zW8TO7LIRwK+84XC%$j-L;B^<;UYqEGjY}c4YZlDo`SOxV=!%!a##w|qkmpgSPFA`k z>zm3M3vpVbu!1!1AsLFmu@vh%E=8BE$uIJ@=+yxyk}*e0!@3nMdMs=)TDKw=)7nh? zg_fRrH3R=mdr=866*0YN&pqRIX3iMri$esQS^xW2ckHoa6;|-gesy%&E#Ha6jD*LgCjlBrPE^RzLD#jmo*0Z|p; z?nh`U%Gh`kB;;~-Wbx71t^bI0pUC0<`PUC(cb2^FR*(JCET2`}nDUZ=1y5mvPuay_ z`-gs5XaDg6w&zlBtMKV3rOHtT;YzPW7+uF9B)NdlnypuDk%)74y1K5)aP~3Ggp-VS zwKX8Bc46fIuB0yy2^`E$mje#9N(TZcSzd%Sc5Kzy*B8*twQRhYVA~~YqY(27scf>r zRQe$y#Td@b{E2MnbZE1x)gt7SJ4@~Bet9;*v#W(-UE;y*Pxv?In|gzyZsCVaPp1nx zPdUqHF_z{Q<_7LZPsCPhz3ljRr8TO#`HB<1{?+Q3(t9L({zj_!s)g>nx?y9e_1)oU z20sW~`51$Y%tKr%bDGIWhj|x1R!_meSQk8G0CaM1d4!UknSyJ*OS1hO32e>-?l+S` zn{k6PgX?bb{4T-&;j}5-gU)KH*M$8Be$v(NHpwqb%F+zsX690IMU2JGf7pfXCZ04o zNbHyFx>QVWL&@8HZw}n)5DV<#5>viYr|j?l5Dp4ESM{&o;Bq~~87+Jx0k|b5l&sTj zU1A(e7GT0A$ygjdJWTRDJRpGUWpK;iJbzJ9^Bztol@vRpr&BK*3!a^q1CUIApVc1G z?t7v9B5tLpu&|{|O_V7l!}2yW3ogEJv2}FUn?n|m*tDmNkD)tj2*gskx)2U+B#ImH{5-m?plq2R5Q+v~vvF7s)yBs9`F zKFVe*gY` zaA)9HD8|gxst%Hrn;`A4W=d{USWH%tRG|DS-B=oZCTejX5?kJ_j{l<-DJogqyu4cN z6Y~4mLG8gBu3Q1Hr7k&?Fww-xR@%H7Z8e^HLCY{1Hf}3(;TMX_Hr`q4xi@G#UhDfq z?CrrB9s1gDDNY0}GUd*L0oau1dRq{=6N%7_qBd_1xiv%&M&+=>B7)xBK3?02o^x?A zFggAcG+u>*D8N+np)&ix1PhQ5nD+L&K+r`fhq!iY6bqQ`76zJDR^;Tv)?87M^NmLO z{vVA~?#5?t06sz0)S@`D-`#QXI(B)=w=r=D9^noECw+i;sU69I7w#waT4noWWF{WV z)=hpDn`iyS*p_@&sDlJI?mw5f0FUvy;McSZ$c?y7lPHjRwxLnCqco|3Vphx&=Mh2m zoQda}nk2_N3$p=#B7UD)xR`iaExxW>(6bsTidy{e>=mXv zbLk!H4mRU6H(%O_=38wYWJ5*=_y>5PS>MG9BTz|C!I zkke>RVk4#)<@K}AV4ZTqKeBG;cDI>)Bzc<{&EiL0pCTEfu@z!?qEa$_xOEq#3G>i` zXyu#z)Jh&DWHc{16c7;DSq#4$eqMryeLpKre2iXMOr2K!+f?$)^|)Niu19d^lR>#3 z{zNZ4_nz6?p+n4|6)%$=bhaW!T+!OXOmY(;OMFrh3wf-&So_$#a)TP1U%K`A?t2?y zC@W%+QT7}EOjXKDRZtm>?)s_5{o+m9mjPKKY}BFQV0YUZtarm=D(#k>MrKoEV{A4> zH3R<~5m=(3!LyA79hHY(HYm4Q|9ogA&^bUDWPHx5L!V1fR&$$uaMR4X44$pW4*cF- zj{g`*fTd`~$cxb>rM!6pHuIN6Ms5u6~o-R<%(bVA*3KiOo`1d_}D1TNMYs z(;Bvde=6N6k%zTNR9B9^50~x!H5L9b`~8J`jh&*MAHs@1luUU|vE2z_x@gz6$3rma zWKX!ZzPCSh-eHcOdwD?Ens6H%TPC9S!}C(rnb?1#ohGq5r49Fn<_-wk5YFGpAfG%( z6+f(zg_Nb5$x2hTUE0r%x;&p;s}!F@uf^J9rB{1(_oAC;lr;lh(wL+m(sb-p=dpqwgU`d_a_E0`yy(- z6Qf&-sm7PTly|cs)ZkMvhj7Vu$r3svGKfOSFj`MFQwB`Bs|Zr(#wNVBz5-s~S0-){ z{~)ZVLY88e+8$~kg&@H!tzx4aq+BT`lRwqk4N6*%gq&Rrez|7dx0 z$73{daE8WVchD?)iv{srXuubI1rkp>Caom9^Sg4Oj=xQAX^F;6&gm1h$~}cJLV!}< zRYem>B67{mO^6fGYItTdzVCriGrB)^T;wVAGGY6nPLX`3W})A9m^?z=&o>>Yc$nUJ z6*5j6<1{g!u!z}Q$Pey_z5AF`b%xI9=*e_Y9Cg@$=sa?hwQ$d+%jlNA``uYc><3{2 z(Q^&=4|{*feF_M;7gxN&5s81(xf2Z?m)i-nDo-Zm=id{1XVI`$+U7F7XuEcEWoV4u zQka_h-x|fH*=Z*h21pOOnQws5Cb-Dz6g)(8|Ni~%IgyjDv1myt;`y)fu~*cQW}Z7m zbx=YlRB!o)+hn_IB!wqcqJZ+4O?@y~(1Lt6BEF$;dJ3&?o)iKxP^2dcyGQ|0kbK!? zdwoN)(BV`RZUE#c-2xcw#jlM|N5}($8usC2?Vtsi7=C*okY~4cq~*F#{t}?9Fcb7N z>rowjH?)ngd0L0w@IGyWo(`j6c{l{c(AisJ#DbokEF6lt?4RuGtjZ}%ioBfj__e7> zgXw%Bj2`pkxoyt;wncZ))1w+>3VOH}&s-t`ciQ+Bd<=vw=B8OhUn`HAhRYSdZ;b!24@qQHT?9v%m9Q0jv&yltte*3 zzT}0iy7A~_YU+<-b%AI^*A;-OjQdMS=?~r5GvBIb=nH)m*Y7D( zqX`pszK5N3qskDvTyEQePt;#_m9t*ZIj)H|!@DIrzW_7#)V~DkCCTy|L% zbS|E5deXq*FD&`ek$jj6!8sUfIYe; zcjRI}AZPqW=Z4Q`rSfNPX6@R~WBb#$s#e6;udfFs$b2)-xNI0qB)%*AV#vcLAI9a7 zgD1E0DjQP#qNS#s5UqRH(AXg?{lE1y=oFK#W7s#107kIu0nUeI?$=;Qws*W-{F{mx z5ns81jPtk=g04>?Dnepsjuky|dczZ!Z@uWrY5JmTkmB^WdVXokpQoTUeBI54G7&a& zUtxs70EQy1){nBE{uo1~u(b zR7P<{Q7V<{s^^(8H^;6|&b7@*h1ue?c~6!SBY(Ndt6T3IZ}#ZmY-r!Lw5$`KytS*i z!~HON8|#k*`8=!NFRK^=D@_sX_xBa5lg|)S92Tv@ptE?b&S?gP$U+mPw}&nk)~DgW zF2v&3FP_HT$8|p8eh*W_zEz*19?C)5dcXp!EQh}-GDXasrg?X2LbuOt+ZWbDbE=wc zbt~UVCgnfD9+!(fkY@V65%&#H5sdx}n0Nk3RZZ@&E6&ePHJ@=ux9wMs-y$dL!l=p$ z{!x32AU}yeH;ylznVa*Ss*`?iBxXA0=Ix__;aF5ePq8xQMEPCy@EMf3J?VN};8u$W zk^soqsKCc=zAgN_;RoTs2SP;b%=zR3OFva2P8#3RG|JOi$MyqR@b(Qiw=&0*#9kuH zTrf~u@jB$eaCwVB%oEhvbDGLX1AK*qia;?*)C36EXWOSr+T2{3@!h#&PrZXqKG{~M zo1F!II4@I~=c-$)Ms!WqSHTkI`G7qXhK_%&>#kT?TayguF!2t0ow7WgGe~{cLfxOS zOGHtQ`x^Ge3Qr1uXfpC%w>*VX5g_RbXVUhcsg^B}Jq4b;vn%^?dn5T}0)F+R&20J_N zV`F18Gc#+>SH-}|pP=Ke z-j5$1*5tBl<|iAt^o~)*#ljFhFJXo|lH#@)`MTY3SiA%T_vm^!AgVICL+akKP)P}Y z5A2zqN;J%|B;(n@O~Ijn*|Uf^ug zR;@R3r%&*goOVRgLUc)rX*pG?{VpDiBVaZAif0|i?g*BZo}~R)u+&_=O0v=ovltav z%i8f;ib=6Hj?^-_h2R zSfVlix9dA=Q{CJw-4TL!n>^tTRcB}S!W^TrvRHJANU!fe+vT+?aEv@q z5oUEk?sU7NJ3c#^n?y`QCbLw?82$qUYMaqZJMjWbn$+vQtS=P1=teXB*nx;qEnRV5 zv8@j(sprr2zwuf=fgEA^<2*W2c4r&~a*sB^%`unyv!Bql4ZR-m$1N~d=j(J7sL#iQUyxMtvh7?RZR+b!{<7~gIkoJ@r=Y+H5(_|g(FSu&x{MNGWkp)0FH zBCh6dEL=$*D#1CH#k2jS_;6sXgZyJ~0M{=CKX6hJnY4|%0BpH6*TTiQ$eWelK!m7! zUZi&ei_r?Rnmf_@AEvPZcXDiyp?f!W%2Y#Y^0Ys|&9~TpO2I@~Gt_HU}SnA0lqLEVIz@d-cbt{Nj*ko!lz-I*X zfgEwPzdrC`kcI3H8QF`<#)Ou54iOBf24_b1$iQfC_E)X9NH|kC zi>#g9&1cWpFiM<{Z%2r+NH55H?;64+q=FBQ^bX0ej9mA9dBA*4tcb-w)(^4PmU0Z&d@*2@cOb$3K_Q2NekssGBJeP*!dph!?S+=T+V{9>C z(lcOLi1A(Khr9d(zUW@Mb} z2T!R;-aayGyhi+zZ%n=_>*8?fn^E_|*yyfubsdzAk5-D}ziqR;{fe0Df|A0%aRlxQ zaG&G>YbQhf7SCJaV9w^Zv_zP!ncvtdnNtAM`M^)LU~Y}J-p=*Bl1s%^1jAD$YWaxX0+VuQ z{vB#N-%vRF2xZ@pbmPL?$0I8HXm{3h@5bjHsktgf09ANprz))3o)(-d(0uvw#eR1| z4~5&)+Z*~-!*9$b@vF)8tHQt3D~sTKy(0pC86pst?QMxXT)@L#gn?A!&}z35ni+6N zuyA<|+^-n`)QS>LPP(`2BL$B-dTtId7(3o@b0p6_kOgqEQV*i^Pc~R3G!vbxAEw|#wGQC zQTNtSRj%!~Fp7$SpduwDN+}`Tp&(rnf^>IDcPOF~f^>s)gLJb*x{+?AyJOLO*Lvd{ z?{B>4{PT@*zA?@oWA6mMv{;?*5*~Rw z|1o~j)9`t)IJs7U|E?`8Cpa`JA>iFP;%j3=3$8%2Y|mjBR9b9nWj3%+!P*Q8563kS zc;4NFAl(!`VCHNDf5snL9@LO62A%a|iD%wN&9z`f(trA;Y~U>WHj<22e{OM7@q*$c z7tz?8WPuYGA5WvmC>zpQk#*5TO(DB!9+h=AT(k@#$z&KGLUkITRa+fq>nu|L>GaK- zYaY%DP>wvC3#f1E7$OXc9)Snb5JViQ(xHB`dLz`6^-~EDdXDMj61&F#+11-w=<;Cg zO-#uV#H#q&&NM2Gm74?@guM+@SD;!t+=!Yh^YOVJ7}#bEf%kVJtBNh>u=buXtqx^f z2ga$=&Jg3N=So9~0RBv!Wvp`{#nPND5tJ-{l&)9&oe}OhbSD@=&{AXPwYWu`jd%No zhCV%XaM)j)Bp-9{bGvcs|09yZf0t2xers_)D!?*c4Yh&s^Nl0+v?E6b^3HMLK)}4* zz}8a*+&@b(iB&W(zPYU}*s3nyFJqVujE!GysA>_+tu4KMF1MJXi|WvSA-Huzf6p4M zZSPl!O^FZcGK)L{f-mEUPXQC-MsO-<`S`B zoeGG@M)BIQGUv0nYyBCL4Zw#x*839K#PeN5-vtmZHSnCJU{T#4B4rJnEJUqz#FBGF~b-J_$;l zxetkm!chKv2WP1%r5C>QG0a>+qX#us*nFip8&{4x_ zVzW0iNwejr<~Ez#qh%i@2B#Tgb5GQ3K0~)PR8#qE@g_2`FO4}sOtpA2*5R(7&3wR% zD<9HHOvnp z0WW@bP1aV&z@UvwwgD6D;RD^2sO}_&GsQENIeg*Ro8%)H+SALuSZ$4rdRuUK3#FEA z{dtSm8Sf=13P-`D1w~_=rcXyh?QM&EMI{?ATbO(u(&xdC;OJ4LZ(9T<#2k|vg75&3aJE2yF=8AM$euEw9 z!p|(ev&jlS8aR(hJQ0~z-a@p)vypgWuQSrxrZ1Kl2-u6wdZP-v`Bc-99QqZMlmz1c z8j#Tc>K@C(Aif_AjVP4aF_mqOv^+=Bv!0oyc|o5)XWbUd^z@`ZSKK1KOI->m`{lt} zdNe)iGw~t1XvjS)+j0CV-X9^bJuA#eGR_XZaLNGlH9%geu_7Yf`46YPdH<)a@k7Jy z0)#@TjW9}91(rdXCo0#$_2(?%M4G$5`tqjf;87fCD`uCL$mTAB7Wu(Cl{wA-&+(T; zLcU~yHjOw4^`fy*We+G@(vt!}uNV4XK%6BYkr>rM+AbFS5ImMIu^@Cu=-+qNgZQgd zsZGK5ur@A-SzpOP2MCTB4W3kf?*Id<97vAS{@g- z;28%OoXHYXIf1dhY7DG+?U@iZ)P|s`cCKErENmRLVk!n5I>(Uc6D08sr$aig$}Wkl&l7$?RTMBZ>S*v zhc9wo-ne-N8Q89+AXPGS@2C{>_dl~mQ z18&#Xym2H@<4cPwzRB%I3ns%=_kqWH`q%lfy{UUWq}PJ+3Y#mE%wYE@358D`i5ElA znC|c8S5(+6{tvrFQ84pDT~o!pwK>qr&_aE3W=@l=jUIIW+iN}dco+n~#h@x_k9a1t zbl4SO@WkNEOk@?PII%>AZ{nKf8_k(d%0ngM$HD>TCM>^xrGXs>dP%*%->pYRAKj3b z1^I-Q$EJ9K`Y0NzPs@pvP7#S8LaBS%I@0wl&Z$IV_jc>LYkYE+2kHnx_$9)O;kuqo z$Co(KXO=OshLoIVi5cL{dqWTgQzsQ-scja+`c(8!O8s_$Wn%GnN(;SifCvz z8XaU*-L(=?p!N?HWl+e!eEs?wXsV1}CU#RT&7XWz1CcKK&>qDuKWc#_N#huHYsduu zK8C1bHWtGd^?#TM>0>WTd0mM&Y`%KdQpm62-Hqb4xT4{Lm1NQJ8CB1s@@HUWg?8_j z4_?BJo5}%hXV=k}wwoK+igW{X2)Ggfi_d?oIsBT@GHQ9jIrAl~E|Za5S{U;9p&tE! znBT<@@Q+9310P0$2&b$3K&2)z(0zEuHF;EFXLy)c(N$Pnr{b8M?yTQS z+v9xho|008n*ta90iqp$3)zyU>SLZe>Fh%uiq)4TZp~ltoo`4le`-_s^)>Se+wgC$ zQ|tK3r+d7hjA=b8rigzw#jQzyiXp_;lg0fFpAvH^yH|rGq%)Zm6;yQ@7}0J67c9y;be5Cy_$UV zklvg??ArDqeqvvpv|f6Tdgp$${}o7=yV@1&W>lmqCj zkf1YcIOnF|3z#HKzVL1U zJb1LYmJMFsK>*HwTfkAv!8@1>NZCrU+$aFaD7w%W*;JLB1n4G0$=y{wNG3voGQ9dz zyY10OAwj9bx^Dv&^&I=lECKP=*ut^3#Gwi9U!tj*K)}+h7rVu!Ug&00manxvWDu6) zrc_^XX*EC?svXrdkZ&u5Zyphgzu!>kWYR`P9+=L z1A7TtL*HUfgvMhz6*vNdLIXc-*rQxRY#!YQyyj_pgBL)lYQ? zrhl8p{9Ov_5+swiF|6%rw$-m`X_O!pv0B#;R4j5LSE4)dRy`Q&OV`s{>?E)VAq$5x z6z_#r%e=|nl?Ltnv^{FVJ+<=89*`W4)*^qRHoGtyxv$nZM%I9L2T9->948Ct#%&1L zy}^FOw)I)9d3L@tIQ**T-KvixJ>n;JCIrB&gYK_+xb$uzkL>0;Yqr)u{0cu`!3P_} zRMl{aW<5U&AMk&E4?%aTCFl1U%^|(vAG1Q48@togJxL%Mq59Wuhk8MlWP#e#yGC7O zd1xqX73%BgFjuwn7ffS&Po8*2R?Mz%C)GNGIviA>C6%KycN2nZ(+!v1SrQqNC_wOPm3)Yb>TVKtm0{EEMT?zZ{||rUl&$ z@N|r0LaDCEyR-^XJzl<&z5bDLh`-{H;;lPDw5#zpTRsu`rfA-%YWF2l4$up@R}K6z zTyLWMAM+~TSoCpbCww}f77wK^e;(@@`N>0czQOij>~6yKYx22b9=XY#yzGvnd(WZI z0Lr45msSM(oGg?(JV$(Ne3q1;U8{0c=+Beux)aEAi;KI%e_@`f(tT+Pk)81Wbqwer zs@&KaAEt9)3W?YCFb*Eb7&kDWNs(?2O(ZwOL5hIef|9vO0dq3!~za$zKSXSa|Gy7|K9hbuX*`Tp6uqs;LYGD z!`ACz@7H~$+s$A9C=`~LKXuGEH=nBd;v+c`&3I@uR`Rt@wD`<%`F}kb^bSMsOu4qF zA);{?kj+*0l}6xoiN_J_au`FtG|g1sU3@2NG*1&|m71>AIcWTcv#R#8>#=(>HaO`vmvzlhe^*g7Xd@ou&|YYk@kTYkB5; z;19!-UC&&RgLb+&K2ngO1i0S!&mtaWQDAD9-@N<;J+^tS#mGFrD9Of?%LhQr=s*7r$*A!6$lATcQfv`-$eG>O88Y5yK%V*9^lHt2sbii3w5>RI$< z+BrC2lLhAKKmR#Kgpv#0*h@9e?ZVN;Nknh=^e!kU$j7*1NB^}^7>4#TRvtaPFV5{( z_~Z$bf*X9O>Q@Y{?Tb2`KcxXR|8wr?|E3wL+|QVV%#FNER6U6TEu*8Oyj(KW3=?`g zCz6UZ(QUl6F(7g7RCNxdThVxLUBuF}2x&7rB#-JFG7yUFrex{;AY{zv`9LbPJ3W*zEM- z&bc$Lb^!GVI9;e-Bkr(ftxFd;bHl~qe|YsuzboWEkdmRyOuk!e5Gut5k}E1o!w&jX_@8F(V2kzGsDjdfjJ8>F01|6hJsEwmsRR z=VxLs(%7f_%LNJy<{p%S9!9DRa&v(8GeS-^=y%23x)cophbEhnBi!Snq9W9=>|Jo_ z`QG^f#S{b)J=palsm3nSTe?z{f23_?^(9tqf8^R<+c_+lIQdyvh?+J5aDNVWylc*A zK>72&i8IMb%+r=`f_~DYV?DjSL+-jtV7uW&)-f__0b%@z<6i>Y_UIwsr_wO@c8(FG zkfbiYm+R!8b53}`GGsCFs*Bs=C{wY}7+LnI0>~-c=fh3yeIfFc{!vDV$VN_T>z&=Y zz%-xh@D?qq?2_Rp9vwM4skw3&Hom>Yxi9{lOfc>)gqyTndFp(BKLk3WXd`OBkud~H zfKgXCG{#F_=ydCFFz4fNprt`xn#Ck8iDwwWDKbvZJN!88c8`-1R zSH;DAKK#Pz!M)DJj&2+HDdu$B#m#ew)Kg*kso=c36fi|dV?ADZdJke&8D-Of91D0f zgpVIt@uK(pU*$6{*Jq=}hU`7ex9{AYvp3Fk-gS-UG+@A?>Y0Hj*-(~Dc*Ckr8f za)ttcHRIY7M0Ogay}#`NJyz@4#shD7tp2w%M9nsfOLfo}$pz{%Id3!bk4r{Ayk^C^LJ2T}j@UICLwl@6x-ch`G?f@nP& z7fWrgWDcjYupzPqp|t?rj*s|p=6??jX%kHJW(#R4Ra-GVO9Tsa2v~kVuekxjAFH); z^uOzc((~=n-{j`fi`&=F{Ss0D+8V!zw$qO2#O9>Zby)xbyVa z+IA4|Twc*cV5M1Pz_mNY!R(IB!q{CrdJW0yp>JLOR~w_rv@ozpjrxZs7u#O$_k6YD zGl4x9UM2?I*7VHG^b$z6<|x9Bw_+bMI63VIcWn{!mvBIj&Dw(}ZWFxm1jadeWvn<> z-Xj6i4quhNiH*%MH0ZF-ErxiN!s%&4TkSxWDw?Px7iee-Wk=?_q=$gQ>8v(twFP(e zS^~8g6*FDhJeOQ9ek_42!Q#IAzR0l6IAp4>0}YFePxySR&JgSkCTg6iH4FLDj|f-N zhhKqSx6vui#z2zM{`ZUd?(j+8j^+P3E`*u}fi>RcPnf4t9ll>U-y*8M(UX~|V`kPN zbScWo*~k}F`k$jhzyCFNW`?FANZHKg+p+ye0bu&(F0kNea6?;!9tq`$LafZ2)m%!~E!&C&_|GAK^*g>vQd9wr2o__$BdbC1U?j3DKY2s*WlRBICbexobcJI4PAGz9b7g3 z@@ZHzGP3*yc)RMfdRb1?Iz&}N?2?@}2bHwOFO7mPRZVZ7)qa5=g+}nYjB}Os%z$N$ zl}pGAD~2j0p|ssTVvTQe$n{|mnLxu@IyH5W`CQvM%lb$S>nqXI@}G=xRhY?QGgnnt z1iyZI;LqoNBM?G#??)?zi_FCM>Xlz{_|UW<0%#Thv%8x(+6mz7X=&aFiFEwN)<-Z}V2%2S?r^ zi?KAdIO*|2`6_*;02V{-21DtV?$3jJ0|*ww*JOVSy5kXj&%^wQ=y27@d@uWxRVL^x z(9zx5&bvz+>}*XsK0VuuX0!596&e01*T2o{5$NqYq#e_)5_4HHFcg|US<%tW=lLL| zaoO-nmH=cit;jcxRJf4NQFZB+pOQ~P78BDSCMFnfQlhn3tXc5Qk9v?JI(%qqzB`h` z<*;_*V>;$l7jGZf+sU}vYj6)d>Lr^TJIDOHDc=+X zRN1T=|6XX=7hmG86AjJwS672itsn>O2VAqV-T4*UNqw{;qvF}TX+@qwb`bQa#RG4R`w_a5Gj1bQ18II z=!WMuy-W3~m#?*mgN5zeJr)8&xdItBnB;ie0$2S#~R1qs;)O9f=n46+V=Aev{ujg_VLd zqC7hKD1L)$cP~`g%PludR|~5`PA4=Vw1Lo8V`aP}8YhEc`!HUBWULI#7mI+niUHTF z{;5JP1bcQ~!q!QbtNFD3_wuc?LMwtutoJMJ^suXYp9Y4n%6B&tvb;%gq0F=KOYW`h zF~trJ8f-wx;k{|Z`43zDOd(&Iinq{DmMIn!m`qrHhC@zR&fzsk5GyuJUW$*+^m?< z4KV&pHok8LV1KWBW@#_94#XJ<*|2sY+f>y;qA z&M4-OV_a0n@OldamN^hBu>QD>v zncBqR%-rdxkJtBfrhhtod}aDWh3aVHIEPM!QJ6zACt)A%w_5quQgfHPi^j3bZ4r=NueF%SyjbU1ZtGCCGT9nYH@hdEJGeH1itCfv zP%UztzK<5ek(W6Czzbf{sHd*swWz2<%{!e(g9S;DWw9AUp`3WuRiA*9@q$^mQ%aTH zENuCdys_tj+I8E_Ucb^cN619vKrQd29-IlJ>+I}AOev9Lx{8K{e=JWV!?b?sn$#E% zyK=v$?avI&_*MPx+*;hBbc@Y*DylzqcUaq%E!qz?FyK*A$&pfJ>W=zwVxLp&F{p0J zVcr4=D^4DwC#pCADn(|;p?7&}$uzffhAXWhya8_82Zd_9Fj_sFEwOJux8LJ2sPyH9gViH&xo@U-t%R7A`@z9sFU-9CZDX%()sH(~U=nAmSb+1pjH+{C z;rokq>xa+G^DKGxcKVIXJ0jD&tPs0LZ7hbDg(0o2G!E5di|{PNaG_kzCfT@*J*@wn zh;M^VYUzsB4wYoTxji+(>N!F?=iA7fD$fWQt`pU42}txpct$1r9SV18SaB_vLXS}w z-_!Bs?0E0*#MB3QN;V`vxRol=$G#ej$r~v#z^-+r;CrunQ^PZ()@}cY>w?!U1pC7) z*ik={GHjI8k+qd(C}c-A)+Ky!um0=tD-?BStk++D{K#MEa_+D>;rdcZ@=nZ!YS4`X z4`0t!{WVWG%wYmA-e1{LS2r%$P9)3d#~i}3ct z9zmT_khN0kY`KV(6luaKat?H zg^=GvW>Rde{DNG)>ijeJTh@+Bzmopa;-|1j%+0U(qoKB`!}uGs$aP9^?gVR0e^gxFhItyHxwxu_U|{V~jGJnI)=CJ}*@wJXJtC1oMK0ZETHI5{(u)B7{y>YJhRvz=SQJC;6Ud+=T zs=+lMt5W9Rk<;Me0ZHKcXYJF0ujWzosC>o!f2c} z`cc5^(+MfGI=5SC@q1{cmiW^Oh)Ci?-mZC*J8h;0_21Mq?Us4Jg1^ox-gWIIQfxoG z!gP>%p;8zZ^IYFAO`$*jN$Z;MZ!N&FSxC%@e!(Wm(Y?kvK%dF$3fPXqM|?CzK%W0EC_oc15iNn2nPiJHg3 zwYM>eRyNT@Ko;#L7FIpHG1*ECqJN$YRcvs6b-#mOdY8-PH}MV3_{OE4dWghgJ`D;d z9;ht1cHKQ$I5y#vk0?cz{X28Ivj@B3@TB!+t=$9fFqsAyHdGWJSh6;^_kCP-C`*-$ z420}L`N?kfSGj=}8Fe0eq`i&f8`W4vuq;7M;XB@q&dH4&=Dsl-NW`auC7VzuR+2}o zWn+OSb`s-u=T3@2YyzEDZTR|VF6zBUa90>>AbRm6W%T323M({j!T zF|La{{Y(0#MUD0gc*J9ePw04w#VYyYT&S46F%4|V)ddjI~Dr4?dNPX0+uQubWaW_O1s9m}T22hUf zMv{FpT4ze*L8vyH;i+WW2t(f!Jry~P$>>t?vuv@fd6%=z9Y zJ}R?zO}=ZNCAFd(b7Oh^Z6ue&3}GOGNU;%onKU-FvEJVA z4G9^u;l1mG0=i!fdxl{n!Xo9apWpE=ZKt4q{yZkXR`kLC4oh+Rw}CD^-I2@aj>Q&JGf*C zIuOM&ddXs{gG{-e;HuJ`KW$mKU{a{xW7XlSfS+Y))Y0i2Gm3=9eBeCLbih`z2Z!M3 zehTJiXpOww8&pe<^KPk4Oh6P5k8;n(Q|0dU^^uMG-M4C-4#szsBJgUQ*9u5qd=jg@ zFXZ~CuaJ6hwS>yEZlVT>{i`l%v6_^GBtCmfFL&vMX0gkpLvzqd5cCUdB=Y#fx+Hua zfpy+gKME2P>iFUdO9m1aBJfTQHXDm@V^x0Y({D|=L-g@kiNjB$J$A>*WKT8i@9A}T zp3}1oe4ouW5SGfNS6g`5Q)q63)l8aB?IS4X-jtV-z_gE%|2RLfDyw`)hW`2DbXyofSsFQ}$;E5R)!nI8@$^4NO|_4+=~2d@84sl%afq!U z{RU&K_sTdR4C=*Gh``*Vb`0i_l{uKn3l1iSW@dS1rEvWGUW16V-d@%9TZa|0oq0S{ zU?dO$z+^uJpdXYvZuLdTCVu3yUVYMV11Z*986Fm`AS$0{Dh$T6g$#0`0O^`^2?iNJ z8q6_HH6tsl_QdkVK;}~GK3B&8Zs6=V!mRXUi&SG=E>)4la$+~xeC2_-CJs9Kx&B&c zrL9Swzky`rW6{H0CxLBgMk492o*yeKpP`@H>kO$YLnqwqj-Xys?v^uB$QblW|Me?K zzr!$#?S0mFY5F|M@h{k$sHb#v!z1d~k08#Ap=)03SO{jj0agaBTIs>|g@N5RSQ>vG z{o>UX>rreIV;7SJtCAT`OL&E)rBI1 z()qKt3VQMONLpXXp8LEo#3C&BUZXO4iZ3pT!F+>#$U$b}Oh^oR7i((jx&5d#(t$!TjUtX9b` zb+8zi4A0CD9LeiMO~*PwAg8~cT4`rK9fB*Fj^0~tB>G&*tobk=15O<7rbE`$d`)JL zeYDlVKaD@2=tS+2mKw*Qf*|PD`+$KtvkAi2%G5FMz-py}VK$kMVxo`DM-otbj~&HN2N*Wm*|nc?7V*)&N*u`(2`qLRUSbGse;w0{LOyk_GoCD)+pEPKR?OH+|;~m^rR%cW(2W zwut!~-rc^u*9yA{BBz)S)`+hIDZ=GEP~DTyjeFKP#*Bl_Rq`s#;fZf3im&pqa&XN3 zZkt>mbtJgN{=iyTAnEjulVzzQM4*5wJ#V_gKXbW)Kp`WYh&Wzt7KA&i#J=Uuk#9=mIp4(e`F;QppHCHKSc&bQ6$S*9rAw6%i z#H>FIQd1O0%ZR`5^}HY13*Z*=gnAE5@C$QPU-2d0dtws)JYr_5^eJq(ubKl0!TEx` z`p`6jj`q8NtlxCY5%xevx4K}ul%X#}UQA2{UQVb2Z5$8hcJI9D7hr_**U1hNdVmvtx>{rzIAs4x7ZTWA z?7sC2Dmtg#eJQBh5AO4`;cfnBDPVV*u&Y7f50&(r#0QfY?Gkt#zkZKPo= zwmUpu>-nf4<&{tn)0* zn1=|1Aei*Me{vAZ{mZQ5#0Tz@^=182ND-GwK-7sAqGv&ia?RNA?iKU#x)+1-8;~~V z=H@EO!6gh&1o+?0ygb4t`-nEM<>FT8U3kS@;$c!%yhZZH@2Dt(bf_-DHm)sVP`+0A z(B;)0Z9W71DU0Zwjc~o?~9|7FXFr_S3q9;P_EbD4^SAIxk&C;Fdg;WU- zBK@W>zPVe7H;t4S)4DpJqWNlteyNlF>g${IG5%2EmP(O+-wB^qg1Xx|UNc~-IP)b3en2D$w~$WfvWK(e5}db?qak*S)-3)4RH zLS9swulf!Uzg~9z=(-T1`UBwsrI^Nsdd-(u5c|{fkJz6bdWY{u>s#dHNza-`p{u%f z?FJKo(QJW+tTF@*@_xmiMQ)gi@)#>U%u_53;0DsE*GmGoBl7@9>>@5JFXtw_&^|ID zm$JTb#LG%2_}UkWDG2?^X>b)pm{wGm^_?&=OSw%qmV0hQTN>(ShC`Xru)h%b^O<>5 zw#gxDj#`wRz{m^I6Z#PAy`GRJUi46mi;qdKW(&m6qOw@nib+-3t-gYdK4Ab%;n#2g zvaBi~-o@#1s9tXT-v(2mF2-SDF@vX8`}_Ul4Qs zydrkY#|o{qMyw$udHV9t~L8ypo2|DI-^C zrhMrv$nfw)-o4`-+%RW?Xb}J$A!R0>$C0gL%Viq5Fc|B|EqaSQL{BF;nxBuS4?si+ zz%d`G!5F`t29FkV6I5X%3))|(ne;f>tm!HCY31Z%u6RQo6Go#M1$X~Fd+s?*8h{pJl9+&M-O{gf2ZPwnaciyraKCNl>!tY0*7f}9$PUThs9(L!x#0*?g(g( zRs-rm^^mh9Wu}GjVe8Z7%IGhwMUS1F7~Qg#Di=$>akwEU=EZ@uBGFsi zda6=qdS~;L&))ys&cowH;m_7M?YCa8n*0^}kJ^ry&?`JB71s#e%98cCd;ZzF z=F5!WSwAEv6OI(zNlMZptsEPEBrsdxP&tp-Zo73z#+)uQ96F!$GPEh{#i#Bmi_ z&&|HNsx>{E*+NA}Ure#AcuIXXS!QE1+}QVog^-0{XK2e$$&GKZP$frw{pHrz7hMO*~kQeZp7Bwp~HVW8`B zsl%|w*a$xL6XqC_FQjj>jg@XM^?daFZm4wUrM@C2dD8vmjNyiX5wEMx%)y%&F5?Iv zVJ4k=mAX$Ne^Ws&D_F<5E!QoE|jAI*20x36v?06(_*%X{eDbjU0UUWBKq_V<=9YIx zSyN<8HWPGkXlb{dJ>&JV}elcy@QSR@oL`wsz8K}w+kAh)y(tVr4H}nQ19;G zu@G16t}f|lZrfW3#hlmriWFb45_KojH9F7SQ@Qono|zn1uJup)cJqB^Fezx`JxkK8xoYj;yJ@NC z9MV@vp)@t)p5Rl)?Wd9vR;hr2gHIS}-(}p~5@%=Xu*8l}3Cub_ae)fk+frjJ+hm$( zn7aydac!9KWdHr|_V$l3WNZDm2dBi*JUxMh-hh!=clnp)dRIZBDz7(rU=Qd}$WwlZCbait=K`r<&onT$9{NsDA$qGUS+DoVFD6 zUfcDIf5}9YUH5%k^0l-o%zZtf0WDDg!*;im5-#tjbr+dx%BJ2zcX&K3#1$%ZM(}q2 ze0Q}TI9kJQ`!vV}LLt+U1rUw%^vTm5B=$?KX)mehP8t)1FuRqx8!lMO5{c^U61qgZj%8!B4`*eg@sCtX!NZqo=I z7@&qshi%sj`S?Gyjh+%cmK$6E_|V6&^>#_%06UaoRDMY3F!>TVJRk~QYxh#KTaGpW zRj0!239YIsGsL&-AM_W$@4lAzB^oA8S^zk$p2W_PB&8OWd)Tc}ksd2WIbNYMxx}FU z7USDwCDIEAqL2YFJ2|jX>S$~~9}XBW>d_2l5oOP-0jK)nM*F7=?PEV35!5d!PLf&lN(S{cE!n>cd;`8KJ~Gk&2tQ3!iA?3x>e&B z#0M`Q3MWaV+3XYX26M4Ae{Y)zU|C}5pG=Fd`W<>t@QetyJ85a@<;}hbwzYCSh2)#y zQ>S~LUSZ*?>uwddFuR~cPx2-RPb200+-()sy z{gvdt23fEnRZ@B>Cv03LRvJYqzZG1tJHnoKca3XyYW%$2OJ`j(W^b5`oo$!4u(Zj6 z;i_5Z(E;olKs_WIB(ZX3cDLBHfG6!*!(-e*9#`xWbVH}|PE}uLX(&x~;nO{V&4sn{ z3Np_28lM=x)QxPVzpeG(MwDporf!}(0m%akqB&WB%47q1QfqB-GCw1gQ1;!@T?E9n zzI7fhVCExsITb%(n_il)K^*!mMWrdu&8QhcZ1W`theg9Wd>Q}d~qNE%u&t07K!pV~`QB#qx};RgiFD%qTr%2~KL znDvnP4{f(3v!S-&{CJYm8+a(JnXSX9KU>3!nCGxXZ%dU;Rv8-nVXFy)6Z0;qVY`(+ zCb#$4_P0*b5kq?QA*K7vJf9(W!**#k>FCSlJscdpfB;OBKj|1EA|jY%6Hou}t(y(! z`uW?MJ>uB9`cf-irUKTb>1yaH7AYks=j*i()%Pw@Me#_r5KG09QM7<7FUq*GZTFk` zQ4XIHif62@gghkr-wjXSk6VAII<&{>d}KQDg9=Qy4b}qBvsTT6{QQ)*w04}Qd9yE0 z8?*f5IPLGFfhJ~uW1(~TzI(~6W-ho`%GbOjFWVSN)IJS@va+~mjs}E0)IM>3Lf>${R>PRYFB!bB>3#&UCHNa zP3%htHLgmt5ZERcdq`Wp2lpG#{_vd?_J0Q=0z%>2YUnXn@W&mUdw*))J%|%L!-QUW z5%woA;kb&1qFe-wK5{csrvXM(r}=;unyAirrq44e8O11WJNs>3Yikl;X*=cH%l`g; zy_pH$k~LN@_&tE;c|a-oaPZL&T3{t_JZl}meGbZL{BBO_gRh$K! z^AO#%eHu_vr4W?A0Wya2jZA>f&IGOjy7MngyV_B>|mcyzwoYo?uE6`WYX`A(X zl(CQQb$b2E!%IPvW9P5-!)xS;0-i}ug@VtzDex{yr%zR&O`KV@u%e?c(k8LOp7`-Y zHYzrjl6#gBplb*veZb4=aw=2YQn(oqiI9|gm_J?fB|7UCIP>&%T?`+e&<6l*M`NH6 z0B5dUaTB5u=^@&Pkc1WiW=~R#gFm)S#nvHDj~wSzm*Ls1MSkb4w56zuw9vgE;`fG& znL%aGmOKl|R$0Bgk)(x?%ik>sd#>^jNkVI1+}{bB2`AOh9C-KbeL5SBpZvF|B*q4i;LR@Dgv5!j9M|BtU<6Up(k!^d<`jj$FIlPOjclz zoM%uBk46OPznt!_8ugU48K$712vc+13?=uz4=k10WP#pvL8xe1+DbdkEMmMTAjol( z?=dImCy4XXvrMp=RQzZoKScC4T)h3vZ+@GqyXstvm*=oWNY z%1Jb?)D_8re|*{e+_h~G#h7eKSmd4u*_HWUdh9yiE1WNW3|?wHPcHiBS&sIci222N zmaf>@m^OtRhl-O~5jrL9JjGV)Yll|fWMd!_1DnitVZBZfTk-xAHj3s8VxZ#(ino5P zacqs2S`dP9?g0JnEuKQPuOT4auTce# zzhikKGfy{{fP4RtO;j%hV1pM!MmC7Z}w5Tj$Zw3pCCs|f3Wh0^+k)(+t z>^msBZvW3jW&w98g*--6Z#@ z8)#OI9%cCS&rAH5yo($@b)#M}$N!JdZ=$|!nT`mf!`9F5;|Nr0eeR~{_Mt_d_b?)8oWr&E!vREvW>kl{hXN6wt zvy#M&E*tt@3T~aFZ@bTDTv!?!3eJ2yW@2OWRetUaBx^uCXQV1yc5ku?`lLC^aZ&7| zrc$L^x6E<~+cz)}rOtVW-zr&_8-eC_^00G9Vd;4P_|Dzc3&9JwO8dYE&yIonN0G@O z!a*n&r=?2EO+N9}bk#sfImQln&=hmudL-T;eXjyo7d6*V0mAw2u;H&~yW25v`%r)ErjMCgDLn0RBjfJ#0Fy zdjZPBEcvWBr3+9}?Ksbij+Db>8-r{mGiAxebm2qcnKOvbTwD8xs1Tc!pX%{;icA~l zLdO`;NU=)p6m?Kh=opxM*m^23b&8R>0(VbWsy`yD9bIo$E?C{bpi|M)1J!KT<1cED+D3s&$OKKCFxNp#w zLXoOU<^dJ?g++*|Y({w4swbp3Bj}(Q0143!=t{BZAFUW>_|A_Z;13FtQv2413+zK5 zRJ`8{??4DHR({4wbVzX^VS5n=BG_bxlJ5W+1(++d+j<)r51f zqVN;GmO`gl_KHLDZM6E0m)V)m4_fz0h7ma)S=_oQY^1aLMCx1od29%MVxD|!dW6kh zS!8$gh4bAQPFj=)h3DlN*E{P?cE!TZx0+e~nYAG)FAXR&>=#}mlwWAozAZQa;sgpI zfybq&BWk9~#`fcBm~YxQo1CC~jrY}6}l zw_bhRi-GH!qrObKIDc2Z=|l^1)aP7zw6ue3B}#g7FJFF#J%1P4(lkY%&k~!0Z^Nq& zNy64ahhhJyR2kGgf4CF`v(7Oivh)j3zaglN`nu$~9Y~TUyWtvppR+4i$Aj@%@ zMoMpc23+=cJA1*4_T~4#M7`+h4n#A9-EhN$uorI&<&t++M|}58qeX+xAHr?!_9Z5} zTxzB-pjdlK6~W#P>SJ8^GI046t;Ovcn$ZZSZx2XFNVeV@LkycDwU$S_r|%dHj#=EA zRX9t8sCOC;D_8gi_I40r4(y$H-c-yUFpvJ>Hn$ib4ts3Yf-al!>^~j{20l?5zvNWz zGHN^lJMpn^Y*hQGt@1KIUpHC#73#! z9ecjPeRn|mg5g=Iz})3Gp@fWZsZmK<*x-ksh4(J+6o+?>PuPc|?w8}101ek|MI{LC z%Z@#0=$nm6ZG^`^t?vbW7*t0qa1<@cn>%E$_p>%nqz6E*fhv`a|al}=5!&G;X0{hI?4nG-WJmz_lYQt4F75@1x}sNbD$ zNp|x$a!MSUKlvOH+&r7A|5LLU4{dEXqBEy||9-#9{Pl^?9pkh+3_|~oM zp%asdA9$$1U{E2QF_{q~Es5)wHpRKi%-X)+SJ-hqeBM;?;L$FwmvYbxlX%zF)FkeL ztI!K3SvQQ;xY-4RhQqqO|L#9ft0D|9==_5j++EH{+?vfE*J5nB59J5$vQrLa}5m-g)2A%4NU~hG8(0cA} z9<%XcTQ-6i6BO7hct-tYwSXdHLZ>+LQ^i(;JvSlaA|4!+(6%R*YGUv_2SZ0r#Lg1& zy8fT;&N8UVu-*3yL;>jr5m1m&q+3$DyF+40Hz}3JxgC94a6EtES_95(m3J{KKe}vz)Ynzb0>~Uz z9soz6&?`;K9}Cvqt?sy zGJCtbo}&lot)0(2LKix9x5~6d8nRz6u*h8QJPBvI&>;`aMeiqVLfAus6jDE zC%XJiLOdw>n;7ofq^`v2u1%qHdr?~4Ee*682=2)GyX`fgY2L5sK4N&A!$D+pXV|)w zI8D>!)bLzJ!8mqlvX@sJpYz*K^No+CG9X_W%|Jv%OYqDv#HR`+=}xFRh+}i)avRVM z=PKg@Mf+5tnRTE=!o2s`Q+{i%uvj_(8Y#W$d`d_x zq4DPlb~QGBuW&4o7KTpD3keI0QgMDVxxvTp1oFDAsfvc$(;^s*G=z9`_-)+b^v-nY zT+-jTJ|gbiqIh=wzXFd@8!#+!+)(NIVOz!T7@!y=T0%aqoU8r}LMw%mDM$3ti;9HH ze*gJbb2X)~v8dUNec%B8jopz1m=Va)cmO^E$p4?Jyo)jfCG&c>6WDoZ-xWwsow)#O z1O=yXz3WDpYg_e~A0Y7u#uF0FI_AFtvI+>H@m~QjOtk#Z+d#n!zH}y5=FiisOQZP* z{-CI@O7t25)bwTSoFgawmMyh7MC9Zi)oOo}*rFQ{d8U@v`vLzE5kdgoWtK4V_ z$vXDFa%(-)iQw(qe*BL$qfvi_&7->qTT2R#LV-r6`^qIKutfgQMfo-Na=h*0+-@6a?NV3sGIe>bA0b+3N&FJ z8Unq?Rbv6JVKV0xSx40~Mh%#VjrOgeU_zEiK&Vh&yCEHwwX3!ya+e$IU6TMgTnJFA ze%m}j0DM|CXO+=jXOgL^+6;JXpqD=Ik0Ze<89N0U-yF59@1B-E?3VUjKr4$El%>#U zrUZs-ii7o~X*e8c+le|_q?H7Qiz@<0Z=Fs%$>h$pGtqFh8x~bl)@i0gAfoVi14_mW zpyfY$;&cV*9OXST=;Py8X4CT>xZR=Qsjt_1rv`IHppv)@r~=Z`sKiyfYoHVk_KRX; zJ{o<$C3Za`2zFR(Hb0w9QRDlS_IOgVc{>g?RsCgkrn}+cg zR(SCOSFh#fJ{`ew?J~l=OkjB8jlGdQ$jFs`Pf9S-c(`@4u{sdQiHLVj29?9S=)M%Q zK2?k9QtG~#R)U9_ds*izFuVH}Py}S~UNk_+3Cb9zuKW?^a#_j@0j|7HZX8`y{*acIrcvg`O;9x3-p)zU7e6|2&5sO% zcW@oVU?@cYl|HfWTcgc5x8}g~?!81(vrzZV-@<2a1_$%C(g_%xQ zZi~wyYU+ke>$f3l(&{$R0E;kdygZor_jm|l`1po8G9DLHlk>4N=leh)M~ID!XM~2* zdig$}3w%*#1!Ae?3nHm++ZXVlWG)(#ob)-%$_|7{>NQ5hp-pTpoX}@;7O5-y4SooS zegFzHH2Q0sVcB($O2*;^YWAD>GU0$XRiTZdhWb|TSOK+N4Kq9FkVf;VXLYO5&*%AC z*G4$mqne8Oo{W{nvVQ+2*EB$4-=5&|2nYP{1~Z{|Kze?Bdu0x4t46?pg1;RBjdiH( zUA2wGNY4^L^gw-W(*2OI#(qt&EqZRYmZVB|J%g5`NAI(6s^Aq7uRc5YbS$$g7Ep65 z_Cg*@93cB@J5w!gxkwwBrXq@zN`!g}{9@qUO9ip>60*6m1K;;a_Kg@B&lf?uhwU*f zfQhzqhgYW%t2Mga_=3_15QqzvE!2)UH**4hDs#K88mP~KKzy+Bs}cklO#$&uweP1S zZNM2ZSulkFrONBXZuC-lO6Ww=WKbNm!#edW*C3@R~i62J`#?DPMDoWNB5e~=S3 zkm5W=m?R$SlY!+Rci5!!Otx)2@5%ocI`MDd67mPHkG34j{rtp=T{k{Hq9>s8x0|af zucjhVu(?Ud*4Q6kkuBZgv)i}hq91_$19kZnvo$-Qkqwy%^_r}*QJDD&q^bJNgAy+HFN161 z-j+S6=X`BKM0$QL43-qYvr+)ztLcPEfYRjcvbKAb_htKoH)!xS0tzIdNjw9fh7E=w zrvOzo&<;{q!x90TB!ig;oyjR$s7GWyasbZ6 zZAse|qn+?HqLB&&0wzC8?W`jWS;2%TPYq5&jnSk2TUd2iS-#(cyJ4lEfC zZ26`092%T%Pq{P--rMTbJoT$=Kth?|QIpR39{^0;ydClQ&KaGdJe1$wPV?oZ+s_k@ zPYNZ!jMl$PJ}2mI{i`28Rd~*Z!u(}j!h!5aUmz>+17(LhE%2g2vEd5yG92VaI_2)Y zz-g_qm+Pdb1#r!4)RzM(ZuHv``9jaW7_JU}f=sFuG^gk*O&-_=vlqCj44@2xT3^A` zu&=K#z=ZIM5I7xe^xA*Ieyo4&ZxN!7<#8)kjavn3$dQT*aZf%sqw(_a+9`4@kB`X^ zLKa(ekdp(Ano(o{1k;w8G`Y7PzlnPB+uO&F`h!y2=qLiHB|~nVR&lN8%}7<@2#H<{ z11Rg-+2BBbLe_G!as`4G{{eKMMFwHG$@Fj1>+7vC!&Q)I%VEnK0kq@xL;);!U=C!k zfcPL9P=yNVFbd$`rUT_EFzns1g=oMA16U_I?u51Mvz$|HICT}3)p+(sHjEl*VMK{g zO*eQTH@+1nCt5g_)iq@RUo3>phykV0<2G5#tF+l2#0TTbznzTh@_s@}EwJk-eGH(% zE(EHU4*CnBM>lt)B?PSS44FLLEfyOdKqFxi5&3{L>+xD|l%8`y`?93Rty8hJdcv2j zQ_w5-3CJjPWK1BD@;YVCk6_z_gzYt2T>AlzpM1W_M+m6d0$&c$8*^97(^S}L{Q1jbiuEGl z2c&N&WZ%T45fqckdv&0>150J>?NdM>4_`MJR2XgRg@N6U1?1UR zk#&GY%DO%r@9xF~oZRW@>Exc9zkYgViPIcB@Wyh#7PimUuEjxtI-Hcq5`W^l-KE9K3!<(OopT+*h`fsssm z>d#1Vmq_n>*IGEpb&YEP71PB3YZem2gE{Dr83e#S z3ed+u=Q?!=_t*$~Z;jz0>jN+Z^PLEB2`5B>lD^;>h;?jGpN-x{yi1j$LM@IH+4{Nx z=cJksRK^+A;oxog)mXV$^YNL<{3x=Ul2~3ntvlPxUGHr!Jj-7F&P2*@SMOB)jdKGH z@?Vmi&@7mjn(puk&xf>}N%5!odXc;#A~G3EB~vY$3LWcRN7~pK?0?E)^c0C72hW#& z#V`gxgvowi5tV2Xg&3Xy4&ow;_7NIG`sfew@LuC{!k&HEiTQg>92UBV$7Hh8?}Zdr z9dww--!fmw4C#RH)HsPwcPuJwbw1vCproXPYRNN>=O-e{g*8HcFyVl?oz3w)H-f^# zA_d+bk(X{7JT18{`_Kh|iX>aL0(-jZt0+g+QZ*K70Qz2HMdwtimos$VQ^jQdFEVx5 z{tp2CL_|a=^n7d>P?b-Nk}%|~b`Fs@v}xbmDt>1gK-)y(0Wb|dmu_Kj&6jRd&-7iW zu>)+Dc3XG`YRu*QWnJ;e)0ThTZ0TV!GAn*o*xuP``P+`En6pnQCL_$%q&OBBZIf;0 zLr@Y3$8g78f6sz$y^sk`=I8!$-@N#tD?LmxE-2<(w82>uI zASd5n65e!3T_rU&j?)oz>KtWiZ5JOPO~N8b_OBpzz%wgt(4HE0k|k~Wc13MbM#h)) z;f}b~>fL!X!jFjP=+@toZpo=WK3w!k+}@xO7&$#3)|@u?E1?Lu2g)7!j0gkT;5}}y z*HIEaCzaMK!LlTp+g}!l2x$xwDx$t$iG_CqE*4+Bj~V5jgIsB?8K^IGvvgs;WU@Dm+n2zVY6O5c zO7oK-+OwSxxqGHFa}`fc&(4b7M)qB(XWA&z28~lNMA018X3`z1s~A2r6OoE0`Gthw z!N3Gu*q!K-j+tgS8tIxH*Q=PezoQ6|RH$9cKPtW@)3@wf(%KuwyXTrsVZ2L+k|Gni zjbsIPA`QU(l+4)VFnRw@g$4t1c?M=ngL%r=*Vmgv#%~}3RFO-kQx8j^ER(I>qiQ=0 zpUBmiH+Xc=LM8`+sN|_CTSG9DfBGAR;N9WMP*G8}KKP;Uhdl8MrC4u)Mp58e%{2yD zZ@fE~x0*_0dJ}=Fzw;y88DlUtiRGP&vi2joocbkMn_f(F+Bx{;3SyXtl~c6!K+wV{ zQ!JP9Th(V)KI#_F!aiCdsdL_?^Xsnc-fIM4Q|hSUNBGb8HA9zIL5|B)LY1; z9#|$yE>y91OMcLqV!CqOYG6Y_A;fB_t-F~FnI6b7*Y)ww=5(EntO)yEl!cfheGzbx z|DJ0ZNPBAH!i{k5yyyqR@;TV(AOtjrq>AaqdDs2@a770X(5Nq5khmx!ph3}!?}qxc5wyS zx$e(o{oM}({!`V!lTSPZ`3|2Ro(ArYrPUt*YjGqj6-TiK|Epe7UFr?C_!}aVtyu(6 z?ydf^_JLlfCe(i>@VHLF5qh{hmi*#?oLmO{tks+Pae^mmV`Rh9Y#LUmH>`Dsf5m%u z&T~016Z@L-XMBA0#{5RO0@LQ$0P&}`XL|REJ*_*;ai|*%+9F-&box-}Q-N@{g+Cbq z@``2IA?Ghp?d>0De<-{s;waRaZXF)h4$n!{!EcC$el53}!gc3yftL_{c737pS>xFr z7x^zCD{z@~NeM_qUe4!!&o|zi9gI+_mwZP7E$Dq5oOUCv3@m~#wy^tR?43?I>lV_O z1_%EBGAP~<=H#&U=hn|!*RXKlNSy|eCvQeZmA1(xvt42ndgv^6zb>}{>PA`f2 zgpOHTx^Qxk6{?Bdp533gmbi^rd3(dgdGaTD-ELowk5k&KJgvqd3elf$jAeuJ6zX0x zsYScEP5frO>$x!9VpMS=ls#3$Nr*E5e$DTU2ET*P2VtLf(`0n37+&{uH>Vv;AQf@N zVmYrvAQ-w5!XK5v)s537EdLoxzzpg;RH>4!CcDEVVDM`xFeZ52=&(Qe0@z=D_d}-N zX79l`cX0E|Zl^-0yWuz7qFhYT(Y!~=WO35IS#rATfkhB778q`K${qJLBKz_ptRh>J z(s<~X9rhJ4l&$8He;9ebr4Z*ANE-YOOO`EZbg5ykw!I?6*7aT4SosLLF8*Q5Iaj-! zEGextH-PG3Q+1NpySb>)HNv@21kq092vM+1Dex0ofLmu-pZM!n@MJZDenex+ z(U(uhJ25mGS{md`M+Nd%@bdLtz_~TB?T3G*l6%K*_;5G5L|1eDHqnGSZ9w9q?YOqZ zGgntv9@lflHJzs;lwiK_ejCl*(P024|4G_+S)H4A!onSI50KQP|3ovl-JD8$CkC{{ zSnk1J3;&l1&Vk}R6NpRA>UM9S`z#gryZIkTtfrorz(>F9lQ!22aJy2p= z8QuO)n7|q&`<+)`y&rIk-BU07K%Sna&;(1DcSC^yDLKl_v7vnKFE;$A`65qeN}cw@ zUl1fCfu3RNu|W#M!|<6?aW6$$E@lpF!2ya;80!a=DbGoQzJE1apT7Ay8qi^MId1(D z{~EEi(uGSInB+YDDx2MQ26Ze(6bPebCja($p+}M5>Cm?-1OAlmIwtknZ_jw1)#(E< z@*yb)j#A?hJmkGr1u~fb;oYUj5#pFTa!#bF?qAZ(k6EA{Pp%XnfJ5!xQJJE5IdFl; z+tZf8-0P@fLK#Sgv6DWOw}RXkrUM0h(sUI9q}+1u<(v*TX#ZG)q`r%YV$Z~G zIpfD6VZAh7hVs&U8YP1*%1UhBPpXa&NHR-hDR~3#rKqmxg|`&P4@sFY+1XV&aqZys zIjo=?>xK|qLkiGYN)OBr&C|yMV~TNV>l_5C3isel!f1`%8~l@H?*ro+`E0VS{BDLY zN}LxIzM<};fyY}hi4Q!M@8>6iLRr(Bvn6cw+RvY)&~VMBe4;D2Gxa2?Lr-;}Lo7Gh z_Es|PUy<*YsNN_cvsM6Rl+mdbNx3jTdskspa!MU~R?0=V&r8xUCk7q$_W<~J`w>pl zE0Y1N>WdwZ!lW5;CMM)Axx_Y`f%_WCgHP4CzB}sQ)EO#ie z`HRuJLC(g82B>!-lS3n5*OX0qgC2&@Z1NS*c%8q9(sgY^AmJrx%VEq~tZz{=o8HAb$87oyb>2;D zhB=s;&BVFf&wFdPPp-*o?O!ra+R7w}SIVN8%;V$%&g<-oBwj}>j~$2BoR5|-k$FRm z89pJeiKx7-ig~9q{lc*K7k1@SINTX&R_kqVjRiWtZt;?0_p|9eund{al#8B2imUR1 z+ioV(!8Bc)3&Jpp8xAo3fLhc%Fx1H#ESHw9nJ2)fZ5eGRB##+NUuqYSP<(+-Na(xaqcrYm! zVL}y|z}@#y8m&xLcB?rQ78WH`;&>fc!;d4@6z3*kQ|}E3LLo+Lb3@V1jT&Tf@M@_k8vyy z3*mYn%-chVx;ax&Xi_cDb9xFRf?vh%m^*)=oEWmmYn7=vb3~!V<&ooM-HGm1p(5c@ zWfS!?>V7Ui;PAyhIyi{P!jeB~yBNSC_nKf$p0sM#21oU#j7;pE0qHZ0R?FI{($E-L zOPl3Q_JX`tlxx(TiLdQ_TH)%ob~q4`fR(O0(Zbq##?R2#1RXV(y77F-tBE_fQwLggH7tkV4V!52y&r5 z)HY4G!UJn;p+WXzem@<6$eb_vOI1upPM3tJ3KyzFMBoCY)xZa&lQt=Tr5xNFishru zK4(ZKDlSreiZvmd-FO!XP*=e>%z^`MpD+W2V?PYh4)E^IRG50`le!L_(aJ%7gmu12 ztTa!PatHdx%vn*h}4T9m}xgQgS`u{f~((UMEe4^OEN2PGI?+7YI%C zTZV@p!GW&cLL3w5HKo3_4pv^ESuAwGLq3UWCPOi9kUxuEwL(}bdqQ^fFJ*eeV zGHZ-W8RB&Oi(dd6K@-AVK2v_%w@) z=I}eov3#?G`Oi*Ii|w{7s-1(yl0Bd)MMWT2qT?-Ll+lT{1EvnMZB7lKP;^OmRfb57 zPOHp?x%u-V3Sw2eQA0Wm3SGJFD09g`Xv~Vr*3-q!|5%&RB0cI=0HUfpf7&5T6?0H$g-(?vb zIP?X_gi*%y0s@N!q|O%AM?RHZm7VbEcphqngK;>3=>ttgQaC==sET-@Dz$jb;c~NO{NPa-0ph7-3+B!T94*xkocXieHO=b&2<+H zb_EKzRXZmStt1y&H}$F~EF14Trf{5(bxu!nfE8*j6id;p_#+Zw3X6N&0SxiaC`zG| zOth1i6Sx_xtB%=v3-BP=V4B}B?^_Q`+lzm^b)IGV;1Cg$;cVFSMaA*S2S+pOa8=P% z_sZqqFf7OY*OZiaXxm(^t%4UNhgqjmii-2#x8<68tgPSjnHh8-CDzbjX0=kr=p+~U z`kFi~?94i->`#fAKFl$DcpN<4YxUYrP1(v3v86i!$$A3+@|6XoySZ-|_{ji%Y?*`d z_=1ELg7v6#v{Eyz1%xk?Qf9uT?rA7Aso z-}$unIQ+x+fVXLa??yk@Y12=*{L8=I)Jz7aD!k-;Z1LN5bkcSvEkk7I7IF z5g?&9`j?v-;*S=8;|V^>Rn{Q?pKe0gpZWM-?(28+f4;Bf&)olf9SW~)OaIG$-NO%X Xehv(9UsVz!b;;Z literal 50761 zcmdRVWpEu!u%2yMk}b5w%*@Qp%*@PSF-sP+WHB={Gcz+CF&r@-G3&%PRe5>$CHa>h z$yV*`RM%9`bl2?e*VFxlE69n%!(hRD`t%82QbI)O(#I#tLV>T}2nqX0ErgIZHve8l z77mn`)qR_rRkUgmXw*s@lC|!R>^=NODUpJ(jk}M&*`Y_4=8tsDUJbX?=jYQ_iApep zK|h4P{YMifB4wRU@GsG~xYSXT(EmK>8zB;F+WEgFBKc$qxc^DfUzHMzCiTMqQ}sW+ z@N^m1e@loInVDsuPzVVLz2BbVdV2*HWdE(@hkkHT5$W>sa%x6~xbzA|kxFCY*Px&v z(96BGjjgR@Hc#7$8DV#s`Aqii{=P{%jYwzVR#=VTX_7=`;pIQ(ZIg#z|JB*8?(6H@ z=?BL1@_MyE#>?r7S{jMPH_iVqOWfAE*&nNGYB~Up#Lmt0d({&&Fes35{o5tiH4@o8 z9#Jbc-VguPHG_WP|ErA&V+jA@;{R?xi51i8za?QJvSi%52%4o*E;uoxMf|AkpO>P%H*1F z4|0&BDz%(d!xx9+9mh#3KAltTyPFh;Y8V}j*@aWefiSk@^*hJLZv_{W-R7r5Vpbe& z@nu((0mMk~_JHjkvNBvLMYn6)FH!uUG$F9Y%+8p$M#nE2WQ3P=yO<2mskP>!U)6_0 zxC_tU-fhVe$3j(4dE&s8xIAMDrLPWXe4lgSmh)H2|R-1rK8esOD%)eR4em-@zg@4vYzWt_l;SY}ndTjvj$$z!?X z@M0<2%)IS{0Y}V2dtox4e0vPc_W`=m?rDVJrgQ>0P=|}0$vvm|r-%!H2JUsSuGvGB zTrX}&=_5<8J-cbKCz2q`{3G%g{tmKr&`09KWh4XWAyzl)bT-qQ6UHc|nqgJiHTUd} zc;i9&YgSfRMIg0@FOU3>?(?iWs?Jr4!FMM-k{LBWX~}RS)k5Dd zagCK))LM@yerGu;-l*aCXEyN7eb~(cl_!svpk{O+>tfUUHnXgMR2wl?-_dg#wXBuauH5U%inmn0pd9 zYTjDA%n7s37KyaU5YL&C`U{3XiP?9LaYK+fYz6JY4taDT9;wL{Dz4seaCQLyl+eM8 zT^_|;ld|5&O;q^hyI#k0aG;Y|msP{9dXJQ5eI$1GqetAHLXd~93~g;C*}Tt)#Qgk% zpJim0gMc!row_IoIi^;R{H~@4v=zZarYXrzDN&zqQe&-8!k^xN&%j(TB!C6BpHRhk z500C_#Sy$KyM6$mRx0rd$LB-Z9zP^y-dPx5aTUQfj?w!T48OBW$dl*l#8jDzXT;0l zhQ^eek#)(hcJtjd@QgFHA3P+}^5B9qrVJh-PN>7K0@Eyo_K+q&@QN%w8v?O}KMy2}P*HBC44rQS!EnwM?mk zGx}WE-Tm;}I@z7!tA92QKru38b%oL8QO_4QJBP@nV%GtP+rXt# z>ks?M46~HGmbFM36I~$GI4^PcLPVyUoLsSKjBawAwRn4fqY%_KIo<|qxwX-|OUw&m zQ1|BH4NQ+-1~m&1L&=Q?54{`Hq^_rwKax3k8=~U)Jj@lX8N_g^4a3;L`I@nRnh9V!BXHmWeb#w+Lcg5b)l_`cV zYCpi83v?7bEZVOJC#S`O4(IXEXs|@8)Fq#6^*kyezI>l8EZUOipJ#DWxtP~7CCES^ z*mW#k`tm|vc@7BKD!C|KxQA{pxd*n~Q)4KA$+ozYnE|}b^Az4Q^tpBkqC9j@5cgcD z#HgRJDkB=M{A^zSmmsBfv*;_DFeJYXIn3q+O|er%OYv2e-!OZt ztGJVoSYo_>+S8L%!cy>Gw{+wq#gI9Uvyf)2SdUMPrb4;R0d=lSE^gUI!+Fn*b00&` zfsq)kM?dvC#FQtloo2dwm_L*{^;WVv-?L{gc3i~{UmJl$K~Kv_5w}>4lJN=Sbfj#_ z*ZNW~bbFmQyP#TxMjdZxCiFbtjByT2J%`<1!D1Kg@o8$ zk)1pn4??c6nwzIY3<7*0yA?7KcQ4EP8g-v>V1XZXU`R3c(`l(&rp7D2KbdU48-RwG zAqcJ;fsSZeT4g6ze@Cq?9Xa5zle=Cat#JFc(Q~`CH-nCu#X_2UCWgSAMOqXweqFdJ zT%3XrJZDRM-vphZW(Ru%mD%tVU7ox*B~~R2yRpnb<=joFWO`Dj*^ZwbnoBzEk?NL~ zGv;ax%M1Gkk5i^Cb7<{jaWbslQtjtnxR&I=<9*A|7$7hA2-C?57yZ6|E^A~lJ-Lt?7Lwt7i! z08!K`so+i}bH8V0pQx8wi9x=iEsSh?g{6fVTM7N%<@-k(; zB(GygRGW6$!87I4BqhSrBf*12*)^>4U%TGp)i+Eo+<#{(;t>s^U zHPi(;ii6ZDo4WIAMY7tu_k4TEtJBbzrzJ}3=<1Nt$*Rq19p$Ps#9X8wr-Qvx<7~<< z2Pf(3MU{10yz>%DZ)axm)jClBkZ;HRDrl8OJk8@?{5%2Q7e)93ciYG~MUf6x)2*aqOPI-xH=%bn3MV6$I9$(uwbQsDy*)ca)5J zWgL5_V3$nx(vfT-Q!!k`47IB8RP9Z#fwSNajTK zsug=>-rLslO8(54sJPFuR~4bdDW4%`O1G*#RMQbcRenpAW zm(`K&Fh-J}Zhz{Y8;1pby~NGMnNL*WjrHqL6wrB(p&&d>={rc0U6ZpK!Uo1;ERL+3 zFQttbj!--}QLE@?=;#+oD68GSlU527`9Q{{rVh8yWM#j?-0|?YCAz9o?Vg_tu6ajW za6X&k1@rToy8Fb8*<%0UEr7Pvp;D~8)Agl96dHOsUunaMlgTrt z(TE(_vJDoW*bMU{c;XBdk2Su8=cU69WhxDep2J1vnpedi1gud${qm-@wma+N`7Y@K zdU*t9wt^Y0zGE_b!KD1^qk34U9ek95bn;sIg!SPZILT|)(ALAv7I#n3eXBcj@V!ZL zcQI}(qga_$|1*x()xe4${#2&!*rpF5|1zAH$jV#+yzoO0!408e7kke%whU)%KY$Z` zsOeCmv)We%q;!}_(C|j2M*p~SF7NM?n_dEE(r#`AaD8xwk`s%vzWz(*dl6^ zS!5g(5d(!EpYgLD%+6*um;j3HGSeV(4Hf{})!1TkSsRBvB{YAk_Xjwbj5C`TYL>9V zU)!4P+KJ%D*6;zQYuq1=^}bCUY_)I|(xYFbBtZ+p)P@Obf$bIGh@u!sCo>IGn=CBm z`-dZ5F??4&l>DWB-Meay2o?`92O1D5`C)Xi@AJ6H*uKARazx@;bMp4KcvH16yBlM! zAUu-^g-lF6FD73nHs%6K{wCjoDZJ3L&k&XzB*(0gj$b(^*0ztC)nFc@y zKgXtHfoPVxOy->aE3Aa|*d2>z-%4y{oP`VmR<)DSLklPa+uU2IRYZ3dGjh2alJIv%9Xl>bIUm*}z=#4I5 z)uCkUq^6JAF-8n5b6~Wq`e*1r4TRpp(d`OGyb*IA7yK5WleLTrREB@adir6m!ydg} zH?L)!GY%*81q7@3l%+EailaE9a$WXL;OgxsXM`AzW0WgDzG-?vP0NjP zg+&h4gm|hds@=B_l-FrUQh>UGKEX8f_Nv6|^t$Ah50}#!*N{6`Ka(yQlSTjxJmD;u z*G(ShsHMeKrSd!k@_UkUpii9=iiBsVZH2tk#a)>^# z9H0HGjMfJ`**blCrEUmP%`lO&tTTWfLMcxt2|Zu`*dY>f#xmEX@K^z zK6-0X5yZqwbbj0ve6owZq*l@H;Tj{{#v2yoQ+B#o7Mq^V1RzXPdYHNP z4?A^-OFnqFG*V_yn-OHQ$&gOh-7g-9;I(o-=nk5pX@;YfkSegI$#L!u)id6t zv*5I5)P6le^!uuDy?69(!wHT@?Bh}j)iczq89N6l3Vc&HcP;p6-L5TX|4{?!Q(7J~ zSF;;i>Gcwh{Q1S;ZOd=}{WZ4J%Oyvc8NFdaJ5+ispb+?750`u1&5hvzT6WM{$W|#U zOY(i0x(#&#mI#T;*xR;r_e0F{VO`eZqV9Z)G4w!>Hwru9dVDub}pVbNh})t;r4HWV`qHkr}x)_*>9ITjm68i^&u zDK=uBF_o4PyQx(fU}uiSjy1T+%^Af)Cvam}RGH8l zgg`%2!QOfE{psB8@kvihXy*BGbgLMb^@8OXpMS585OTGlD8d&(%Z$W}3w{QVC$et3 z^@ekxv`^a|xSDQ9O8dRbDT80Q>emz~d5AY7fjyGEtU)c``$%4AMiU%R<@3q}^pQ=b zvyh5$CxZ)+m+xiu5oAii9O8_Pv%%K?q77dv;P-Yvv&vQrSxxsWnN-d3Y!z)XR#Yn) zC{I=5ITI+}ZNY5Hrs*puK75W@`^{(EXFywEtN7J(IzV>Mt3aq!M=XNd-v^edb;FnvZM75YX-n1#=bL%-a-shAav~o zMzFtXaqscyTgqxkb>;XZ9ZQ5##|GNDq202aSEzS>kk?RC2-HmyTa>*`-0ZN&Xxjdv zkB#^EBps?+${(`Pgu!G=6e+Gg^f654>8w8_n`yyj&57-`KcsUc(~w5Z(dh&yJ3qpc zJU5gTTf_AmRY>IVy91wAPMxFGhEe1#tJFeaGjhmTC;;xkS>i+`9lR z|9#nvAXGAnX(lt6MvEVhC+y>cHf&Y>sl-9gBgaf4qilnQGk%G`b;v29H2Z7;8dl0lWvcBG+Gjc7OOfD%ma~D^6}yu8et1t z>_u)KI4)RS!aTrJi!oKvE{#<0fMOh2W>9?3fmp9O9fI@8#;f(YlxcY9dHPkCm6CHv zHB$>G39qc{q0wfFQRt4t(>vg;<4n-5unD=G_=oGJ<=@Q1#XD9Ut?^%kYb%u%159gv z=d#aNWf85lchBix4-G|cW_Fx|6taO;80O7KC;S_nxDPS0f)0XoG$jtcz{)20gCvUi zYTf$8K4f%LXt6^S=U{TFJnovxy6hm=UpnH(=`o4|o5cbnMM39aqc zE&F&_+h9DESemKPerrBh-C62|;c$)emeN@x((k@RuV6?O38xg{F&~LtXzRJ9;p$d9 z9%SR;MDuOuGjKXX;b_?#Pch(^yIBf^cXD9>0-~uy94}skg_0n>(CiL;*Fw%U0l`Sg z0!cbSTh#-tL!lUYd4w_FS(^8x=Z&%`nIF~~c;+$;kw>zA&ykiW@Y7c>clYKcq_lYg z>Da6FO^-H!m3qwyhU@AKqrA)6sZVm23EIZCb~}B~$~r#U0XMF@_Yz(5JKitQU_xRgD|B689(X{;j4T!VIC%YNThqAaE1KQ2*Jj#|j|s z1fO0Y3)o)Kmi^cqpT7Vn$!DmaK z6Ninoz6?*LL8edoJp=(lpM}4Dd=6Ni%hqo4)DGo_*hg-%ze zU=#FX`1j*5pUDKnxC>l()(D-&&gX`nSL~NEQrcek*lsEr^_YDcW`#5)C zv*w^_?VpM$O7(cgxL1q1alI@|=JY?R&@0Bt6uy#<$|O0M)HUGn7Dsj~WuWx{5YJC@ z>3k+W{pYq~x(a)&g4ckoU5JJfeGRl3dgYwemtU^;g%*6cKgJ8fHjPpJ`2Obh<%Asg z#B$V}{HK&g&3J9BbBybU38GCTU-@?C167+C>n9PaWyhB#{aC$I}PV}lhlw_6`s zWwllv?al=8G*EIM%?CY%Yx%oBzgSeYX)002Ym1l&%@kY^mx6(+jtF{_iBx5?gI?fv z7;yD*a9C9hD0Z*&;b&wAf>E@nGTXaK2#Wv5Q^;4Oa)DqdAU;MwT9L<-!)#p9kO)GG z$H*=0ItF(g?9^0pLz}Q#LHG+`{QGCW%6yj*mnYTp5sllbC~fc$-FoOKYxdAiZBOO- zn-BASh&^oKLG+G--DHjmNthowiJ1L!^N0rnkxP@<6G*`9w(Yq;dkn|I=`pKT)`A3 zc3ks!31P2-mwyh!B!*m6cOn^_$|f4~OeKw-tAjFc^9MRJ48g|kL+|4LsirfL+9t8v z@!oi=4BGc$p)>LGMgaF0xU7*kybH|Tn%ZBZ;u8+YX-e$x;$fBo*6-X?2}AJgp|PtlkA5De2q+qf0!oRbQb zT^3>))e3_$|e$hVPrW*uBGM~h|LqCR6u&~bdO#p`TQ-dAI1_Hv;P(y5 zwh_}u;?{k^lF3>6gsw|)WQJ%oSvJ`SuKQU%MsR$hoP8ST!I6)4A|~$LFHovB0UY@- z;8~3`z(iGJ-?I~T;mlyRK35K*%alnd!v8);My_2XH<`1JFcWm6NOHbpxy=q=R_X8w2ehqt>_#lyUfaO7cXd~Day1t0#?qYy{Jt&F?|d)?K_m9IQa2de{UvkpENOG_FfS=MsT}FM*1o_kaVH$zdZT+K zK^R^rI3ABDoUUMQ$j$t&T_)FbmDV<{d|sC{WAnE%UAFFU3;1T#Qw8cNLAIx5;J$~~ zp$dNQrK3x!@k_sWgH2=3Y7W*eglv_I7*og(#P=2uT^t9Xy ziWtJcYr@nJ3(ibQbv7g29Dpsaa~q@CTH8Tx4q#TJ&7#HqY*A_N` z6>0O+8mM(xzi(reEr}2L@n$_iAfB`1kLppZ5)@orP?`L#+YMpR)1D0QO?d&==!AK= zZ=(q++L7M8|5AA4_`L5WYo@krBjrVoQG0~}Y?RsZtB*JZle;?euuxtYOLPN-MqR+s zbI%ZaYH9+^M%PF>yTx?a>J2QyrDWJ+QiO#{Q?{BHd}wqNi1beh9Z~LC`96QA*Bg@U zQ48}5mC4LyXy-nd<99-6uVT-#|KW3qT}cr~X=?Ho(NF_I+xpTKfzBuXR+)l*McQx2}>~T=xeea_57BePbqHR zGPKZ1dLj0d|JoYKHDu1<>tyVTwsx!e9OefX_v<`HSI9??nTB?1Rzyz3f0*gJB#Y-A z6u}e9`;D7F{bI{F+_GfwSOs&eZLTu4&m*J!lc!m`nLa%#CTnHkZ)MI3`C6?&d4#glSvZyQZ9?n(d(KG<}T7VWRl0;D^9B{ zV?k_|Fy{$WTbM$QgKpoa&ovkVZMjjV)NRZ`CS(m=1rlI{bg?Xq-) zLSvjTy2`LRBFO&4g3--Zj~8oTBG>f`UBT@p%jv_+w3zjU0~<7?J`a_~5|^pA3LuDu z#HSM`6N11)iWGWYVSN?|u3pd{REoZZg!T~Uo5LAEL!s1Awcex3XkxsHgcD65=2Es4 z%Ql}l%44|I=#fE5Y+ZR~Kz6{gXE7rlsLotp>Z0+Qsj$f$$D)Z8W^e2DiH35miT7aT zeQ@F-tJJiFa4Tass*K=EAPN;n*yw@%XO&OBA0k`duE8TY6SpO`Pt8y%m(dgniO061 zR*1z9ir@l zXy4J!?7@<_0CDpH&BXkdrzqQvkgP-G^7jsZF8+$)Kn`f@u_pCWS}yS#1Cb`hqvmVk zlB;=L7@yIZBXr71-jkVz)iH%EL#5;om0>Ur7>cA6FjBiF6ZRgbTAtS%d_T^?FS1XF z%Nzv+Ug*(|X0TY{+rA*FjPVABpS3tuiKc)aHIF?yZK*@O7v?Lao;oZ7@axO1(L=x| zeT}w2%S=kE)Z7WZOc+e`dYc(Wyk-j-GTh%p1Oz_|VRxuXJ^<}hRX-lHjQA;tk2=;Q6{JzGZ{W%0(q2m^io z0Evj`qzB}Qw4nZ^hy=%hpUL>gVr6T)(hJYJW(URmbrfsA>x*OUk7*>$^4t%w!@eXq z=?1nLBSfInhe2j@xbXIN|IA2jZR5<)7LjTF>gaKa(wWT_&)bElEhbYWn5U@11_Qbt zx)_y2u3}wa`t$i>~1mR&$P{& zN_nE!4~sHbt{c&&9h^2;$Nskak5;vmnjw2=#(>6$FI{9P{a6BB2Rr4$JWaG>P5p+* zLf7}GACj5!m*>OtS)}(ixynp&jJOeLqzjEn5 zEo5CMDr0_wfe{V<`qShS!vL8J%pITLSIS^Q4iw#HsGL8D1-66iArc&}eyE3+cltdM zYJ_5#QbzLGqlCFoP9>d*^!hx>MeeBhe%b?f8QFK1N#v)1wDmm$^UqpNG?T>KsDL9H zk=6O{S=#gJKf)K(v(6>{42PWRVkb0Q!f>(A%~vSeIkP`7SuasDHDL;GE(+?T&&B5X zwJmfOLu=CLgYIk@%;e+>mp)t6Hp@X>`I=wMZ@QOE2&`f~Kixf2S~4zJF+6o0EoHQH zKKP79du`>kndSeCW?gD$CwIFjYP7@UYRUg`$qkSz}%FjMD>cB8#1SQ6v5&>I-G zD8Wr{{_$01Td*{NPUp83jIIQMCh0e(HnTLdZi8H6h)EWUIfu4Gu=MZ>)k`)3ien{3iV>SuRK0}$Z3UMT*YJY_!ICX6q-bpXbmn6PT z+Xd@TYx=28dN#Ff?qSIN27O+^dR}HYG1{Hc-Jr8>{pmvdvwHHZ*$yM$eyKQX2lx59 z3v{E}K7}UBM>{%g_UW(b^v}}U9Xei>B}QrsWhoR|M_6#DuMz4~x_h=0OCw%5n{}~0 z&O!9XO);D;1jeB^B6P;E7<${gFVwi2^_(NApl805Ha};G+pW|Bp)IGQ6dxOokD$V# zm)cUlZg;YAqj?QY!=gDS<0~$;qG>^{$8wcXGdrabo;1MVL8OZstC^Pb*W0;QTKi7g zZ>^8$vEHa0pDe~yYA{ug;LP+oE`uJbrF|#NadaL20Pu3Z%$iz`2b8IoE_qQ;N$ci& zPbs-`P-N@!^u;8^GEm25QVpfY=|UR_<_#~6b(%0Li-Y~^s|4Qb>);sR?KwJJkR|hV zap#PV^uoC=r(4lo*`yE)I%gOfPYBd{?hSSb&^u>7#tlC;a-q8c*T9|zhPD{Be(WVjofFR*d@X04P3PhpQyyA-{ zUZIkUHqTLd_fAI7Ad=f7Jpzvt#l`7d(Sm4RzfYRHyrWpOq<@ZFwOIIK_NjM-v@VR% z?k@XwurW*5yZMqF0XuH56tL(zgqn5umVY*Tm(sFITM2?-WUUpJr@~EY=xeiZ8DQB){hkvjLmI(}j!EF9r*b zhOkPxe;D+9*5z!+no8_ibTV7c^E`j-@yi?82_bmzMVJ;QHSnsa=sJ;^J}F(bzwRB1 ztGTYQYQja$zSF;k?6>-|Xqxf>rY@6hz;l@I1$Q;0$d|fT>tTXuc+K04hqV46QE}0o zi-byzYm%D~s87x(l-n%q>?<{f%jsp68oF_ZO|bC;)4d7I9U6_#xF^``dBaC?%M$v6 zBue^LZ%-|x)QcGx)>W8XhRDhx=K`zdB|<%`Z;K`0*wO`T99!cb0CXX4nKNFtF!d;v zGkf7xV`UHwCGI8Ji#-e(o5mqdg#z>lYBSRY^UuIVxiQBm3Nj5UZYyp(rZp&2Kk<~zTLYoGsA3QcfmHA>jB1U`(q52%zB>rsh zVH@~fS?o=lWsH)=0D*d|F>m!oaj`{iy8FZr?5%!9S9iVdb9t82Fu~h1hlb0^HD#7^ zAR{)ZKarc|OCp&OdWt*$W4#FU)$+V_y@he%?=kXjqj00XTJ-R3=d4WTaHGq@@wJ?I zy3UY=Dke!fw2 zx-p;siJ8;6m`SC#LmvK-CMo*k6fOg%0zS~XngF2+PXcs0@B&n>!JiBRj)#A}R`&K4MMc=5qH@$;LSv$v3e zW{u?F!9@4P@~DQn$@1koELe7E24@hGS~N!A@Hy#;Lf)sc>TKp0G-EC%_RPWX^PyBm zYh>=ns-vJB%(8~|IfMNlFK!fqVg>%mnwO5P+O&I@UbCs1BlRXZS**{rjI^yjd9eYQo!`jF5C9Su>+rx&=JUlR3pb`D8BI|K+J|#TZTRVlX_U)0EE7;Gq!n_3r##t^gpnGxK9IsG zJ_4(SB?1Q@Hm`M}Pmz+We+eYLG{hI3$qC+jEXDLWlhv`35=V;u;Tf;9tGvmPcI}fY z6d5s+XAe&Mx|UX=Rr06_sy{v5u1yBQY@_to19 zIkM#<9UB@NPSAfyZ&aJKi)Yf@vY0Q-;kZxT8Qu52({SL3AcfkXSaU`dbzv(^9!rUW z?gP(Tvl8chHVcv&VbTBQVPBsrNP)%r#jk*H6^bu%!Bz^ZWG{7%)qvza)GH?20r&PR z`hh#7qF)vKK^`d~AYe$`BHy2AtIcwy$qx;a_gH>>p)mTZvk?#5H5e93-e@4SFvWZ) zf?XYCbI(cSh(|Q8Dp}>B$Q-JSrsHqoisV~8V_~tsxa;9mVg}1lUR{h~LN}1iZUVz& zPT--vi4tp_@%5ae=4ghOoAYs6;CM*Y*{+?+DnV4RIO{RL!3l}yh0ee&0uxTZG1DI# zqHg?L@>UZWV~zvaOaMfFhuUqHxdKo({&0nFFt0K{tGuRhx9=q@z-}6*F;fZUArYKu z3L4k+A@NG#Vsw0vBcpYX>G{l}W(T**nWpB)99S1knD{vMWbD>*UaWr$Pw72VRg`0y zB&(Fh8eObxzGfzutTm9S8VX>!#i)UBE*wuxp%Om2HBQ+BSoXSm5)%Fc!jr_xTJ@Mw zJN`Sp5M?5LUFZ!KsXX={jvTq&q1}TR+|}{VTSld8KgvAMTiIiMM~g%6=1!-Qqn-BF zVMk!Bgw6-@{b>a=$VSzi2Wq3JFa6@~R=+Q?0IU4&LM&_2&*|nM5_B|}+rGG&opcg< zILmgv`dTv%^2V>ChTGL?(|lv=h?;wO3!m|;xWrni>zb^a@wfoMk@SAYDHr2#ormvDl5z z9>D|LI{8J7(ttmOyzxJ@8S!?Axw+MgmJAWm-qExsHg<{H@vAFBC=p%NrF5xO;qLc05LVYe+QTICtHD zjoo}JmQ;-j&oDQbv&0j(^Ul>noACRUqVA1?Z}-vf5t;68izyP#vhA7s@&597roq7X zxv!J6F8;F~{q=V_F|OE~C~el?P}^?-QBU@a14S2buI0PV+mGC_9qtB?Ez8Mok0;wY zz+PD|&+7F4+WciOxisiI;fD`YHooRy?@6o!)m$*7aD;(r`-D2VgWllX#qf{t(7&Vv zBk~E2a1q(lf+z0(0}Ixzxb70{)35Yz8g6*z|G%VFtfE9F*{GQY^BI|he-mg4yD7=Z zOGd$L%u-;JVSR$Zo|DxEb0z#C^8`=gZm2SKqPqBY>VMd&IV8h>X{t|KX?&@K6B^(D zMa?Br{NFQW|25bDEA-v}vZxDcIai9iym1!AH|qVCCr7xiPf$Os(rJRiQeYki*hg7Z z|Jet7{1TABGjyYLEOu0>Q9qa8pf=Ob0zcnANNc>o9mWzq5)@DigY?JJce=vw@86!% z)Be6i*M7YM617__*O4zrj8{D_Rd;7Hu0fp!AF&-LbpxR__f8lAU#=gRFE}Z-HoGP^ zPM|GUy~w9R@r=i_k2+aS)`MR<4HoKw&M$`K(XaR>qvPvu*L>x~=x@^*1>7@pZoLSe z=iaYN;~-h@!0o*rxh{YNd&io!2tAc1H7C!d@plcb=4dG%cCvnKxg7F zL>i3|fK6Quz~*Lk*TdRo6P4@lO7l7^ zvOszAV)Ehcy`9XsMJny@k^Kh_)jQ%P`tsLG2gxiVBu9Rh{%L8{Lt=WQ9ooJ(3Hb89 zCU$y29gvGSzl_qI;!6(o!vNjUY|AZSs0hiU>vV~3)fxchA-`7K3F}UOVpV<>rl7|^ zzQzyFNNOgg6`ej*a`%Qq^+d7++)obeM-j23Xk4SWSj?SJ8sOl_s^dW0d#WJ8c&zI!goKp0IdddXC}qn z)%yn#F&Ns5<{R*wmiKj+gEu=ko-X5FlqT!RnvZ+TI!fKELb%p$RP^rt0hMf3r#Zf3 zW0`W3mw4!RRX!A(1~?PdK2uE1gDVBjREH7S9;lvQ&C1ANH)q|C-< zCS_v;`*(k)rkT>VWLsLwa6=5+fD^K(PZe6%@d>A%g&er(NFlMCvX0DJCurVZ#8;N+z_#=M%VXTt;0rUH* z|7x?`XyF&c%nfrR_{-{AHKdT>Y`!ai1Ac&C2SowxUH?XZ?)G^M0%=RnYFM76U{BH1p1DsGfq|-fBrWBdO(H0cD7zvm2OO(UaL6vHit1;Ab%;IXZx4% z>)}uNn3^yE4ivmUx1L^&8(?Saj&YGnl&;a6 zescr39hO|itogX0Z(W`ewMQ`T!k6Uw7ifI`v=#pKwu0gnYuZ%Dq49eD{4Y$6#h+)8 zn-5;o?&ZrS`78WwotJ5@RQ@`UX>(3x^-2Cg)G{Z07nE|MViZ{h$oE3|=_%u81)0-8xGXiNaT5=$ zl@VM#9mMp-aZDKHj=NR@=eJ&BQSUjo^;e`&crG*h6_l&3UfGZd`?aJI? zw#45##KO7#X%M`KvkR(YnqJud6GTERu?m%e6aR=s?Rqfzfd$Qa^rwrRg!i{jaw-(` zvh>>|o^KgTx6L2X$a3u`Kl$g#Tju6xoC{)OZ^7 z)}7WXKU2!LBU5^qlKAQ-`>sc#uKPU)zk=ZX6KFCpfM8uG>No9(uUQhoS5L8T)=>5z z8^o~#O=;t_o%x3Yx%5jpYH6qcTKVP#{?`(*>d>6p`fv+Ctq3hfccGfGYB^>xZAPnZed%PcN$8ybR<0gH(-2K=EU!hOxOn0uRrM@0KqTcXGuk?$1|)?)X5ZS~ zjPLLX*~xYEb4=}1f=>YlIT5Lap7uA6`ky1TVUsL&gUqTX6DK#oK?chBFmCVO$g1gs zh%`RPu8tPjlrbmNaP2sP9-b*3DmAr;D;ZN#P<&wbfUfjCQHahi9q8z6k*_}Xw-E`% z#47Sw5KKqJeIqm`|M&l+WT=Y-4P66FjrGyVOO7cN`I`j&5hUGZLZvROE-{nWTN760 z(r`&6K7M}88DvKMgFqIq8bga%L$1xMfYzgpv~9bTk3QX*xzPv9sC%rRwTcdHq6j=U ziV7JDSrC6Ikw@!>&}iZViVm$nzs8niXr63Hy1tpQ>+hh|YzT|%IN)aTPxas2^lj)s4p?-V|gLDcq zK7ZN@|9V@Ym^wO!Mwn{qpppNF{(Diz5Ed5qL+5n=zRpvfD;0#ldc>JETiNz-GDp|9 z#4%5~^aBtDApD2a;UD7%x5fW8`RR|!k2^&pD;Hrm^pZ$OPZgo(XN&UIrGbWN(Dy=Ik zMcD6sg^8uFnE&)2F5v$d`RO+z>VoL+;wo%>cZwHDnJ=oM6cMkUir}bEVoh^*VbpMw zc&W&Ai~Obdt&WE9q&Rb2U?(x!=b#Q1Wq!m95X z5wCbFmNs-3Mh!QMmua^oi6_fD33H3aV$$tg3;&OhaCWjNYF?uYU5sOI|WJU*lXZo-b`L zOx%AJ7t?H&T*!wUO1QN^cv*Uh>hps{Z03vkBtLyu@#=Tcz|KV&SDY#WKdS1OIPuhf zftVinK_m&ec(S;yFfywwdL4~cxkoM@FK8nSEgFdNHxh*qN#eqonnK^oPb_<#SzzYD zcWH-2@%-|2@j^xP%AcRH?-ts46W;HiqP+_6CrBZBV=t0rezO*oDvs--5 z>qX@&j~x1j;*(g@!c*wk4Hx^Pg%Al3#f)kmqL5uXG3Dwvl{Qj}$h+IcgoW3{mz19? zKAjZ3J>7(D`+eeVHucSbGDK`{TUHb*(pPL&t&sAw*wCho&@VAg1V#xVVgf~b>(au! z=LwNfgDb>~KIgn7>s zB2EaQ41XX_-~Os1+u}svfJ(x^Yqq$Os1zSJ_7KLI-e2VIfx^VHm6#Qz+CByIm*Vd( z6BVt?h$^%0WtY&yexWIDZX8rBfM?Oh?+~E z|FCkal3CZ~wq*IY5eeTovE?j1h8?8iFBjQ(Ph~YqB=Yq9Z6;0*pzYv;bf0mB&9|b` zj(5epe!=2-$LKiZAe|W3=plfN56}P=5W)&9_jZ zqCF02t40#c$~xes9m}oz5h#=q+;|X!W+?}%nWZoBsax4oyO@OF`=9uvlwoG2hfW@E zCgIaNHZDI&*P#b!KkhWM4}ao|0utXnVeIhzbX)U=Pyr~TIl44}*5hw*>6;+_{adzf zxWM4?0kj)*kgn4&v*liF^3E9%OTdByw4QmF1N$!1f5bsLOgPV)KO%X3<1P~?9maR) z5k~+1mXC4(!OO#^Xg&A>>yH1ym!0vvdVHHqC<*y9h&i*4(thwkx=g#w z#y_I6KSm}Jd3xbClcprMQMc)rS##+t$)Q^X;g6rNaNaTeh8&>dgtN>G{KS`(V`B10 zcjz|o5Hkawvv~Fq+7At2@am^L{QQM|YfsZ{=t2CZTw%}i#Q&pRP!de44rEFzQ{w*E z#g_XidzTbpTv|Ssnx5q`v8jM-lgVtjAC;kuA~Be~6MEoQ%nP&P&G7y89Kk6sF!9_J z94)-*ek2i)^Wx|V`m}06Dd)176t09@v*~PqoO0|i_6QwpTq!kRJ-_v8g<}yfth~B1 z?r7HIq!JScN?B@TTn(3+<5SHUy|hFnpFV`5&@{u^IFAnelRSyJ5Wt}?=J*b5PSIQs z>PXPHccO?+=Ja%w?=EuWfuMZH*0`l@N03pZRcq=M`pB_kk8(Yds9Va13RdYmdqs2z z@4rc~ur@=cj3FXgpl)W0Y1%DnIJIetk2IL$Ctv0oH&KM&WBr67)GS{eYa352U0T!e zw`(cKO%>do)eJ-Hu1s7tjXECQm^n6}>5L0Jy|a@(^=e^h<4wt?^Emo3eXl|6lR!qd zZcLFP<#DRkpUKBRlJ?mkMKJsK{fY4D$k2*~a^2yP_{^UkefFa}U;)coSpPG-Ie+q# zoXA7w=69UO#>Rn`7OEQnb0Tj!BR7r)N!onO;MHY zVF{l;6G|bht+bI8Ku+aI%me23n8fK~!`VKq5}7waO7sd-%u)@M3K9}x`SS2A$NrRK zSEnkjY9Qj`iANJ1t?Zwkzj`Kc?bt=a%1;1R)7zzT3DNWi|!65EB{sEuU{1)ZgllWgwz@}+)YG&DH{(VsQ z=*C<>YhG=b#Dr5RVaBrEt@+o`GBd_NDu{`ROKS_o;{dkb5_q+2LdRCMu}i$gj{R@5 z*r6yDBqk&fpO8RYN5%!qVN3Vf&x)V9yNdm+`^WwmQ{^1@I!xxl!=({5rbVuZxY1CsyvhbeemC zH!9ALh{Xy(gx{>QQIlW-f=OJW=_XbIYgFs#ZOU z+IwPBv<@}<|IQyOVXSktT_GQBnndvNCA6zr6$`tnlxaDGUC%O>I;$-DHzEIT>G?eJ z5TWPrKO0L)zn(NU|BD_*9(rD@usubzK**DbkB#8@xwG8(YC@fQZfF1!qtev$G)$NA z%5Qx57>CTl5(}9Gvx-$ItNo09Td(jcMo!$v+pOPnADMF%YO0+0EReq>zH(^M?*!R* z^p)tWhv5>sSJFXrxAKm+%(Sadl;bn5u; zw}#nWnqg;K7RQ?7Sby&&N2d41%h?Mv=N5F?@Th>H!m>kxrj{lW#Y;{H2Jtx|wKGc4 zb1IKdVbwmI6%Au!^rcE-W0L16vyRW7w!;6stx#(XPZXr-CD-0d8Q-okc7?qtT&@Qr z_q-rgt%HJ(7uVCXL9#BkbZbq!DMtv35y{tb(bH*qFTedhwR|-vGizj5TphE{E9Oof z<@qOco+6BkOGi=7%^M5n`qUY;gF6{w+Db5}G>G|~Ou4;$9mgY8F8xE~DhvM}f^QE$ z5K^oJ{W>^PQW?tOZTGp7+`7CueU+)Z-xKHPM9+4v)G&@BaN|Xm{t=H*er4b0Ke?-0 zlo3NJGqRNf_R2&O)nwS!D9^Mm_E<}$*w-k}uOq6^)kOml7R?u-fwhHZ#(}P`hmEm> z(9jr?6tR2`2U82ZjK`lO>R4N7LU;^c@^LmuM80RmlAE0TW=sn|Z~9f!3(nKQ%tds0RF8^^YsXVD`A+V`%+;7Z!Oy>f^3H{w+~+E?zrEkvXC-VAPJj`Cp; zGgm+3O*VCjd-{NBYn~Bo;y~Z-WoTVAo>QAIv-UyeMF%BsPG4iH|69VW9O&ZfLVX80 zw=ccpRUE{>c*xY1LEM*F(x$Bk?cCLPbo3gN_k@sU9}5M~UL{iAw*sT<8xeK?0n-;h zA+DSkzw|AQOVVd{Y<5HLYInFT+mRw=g*)>1WDXq)Sp%}ZlKq4G#ge9rGYrZ z@HXSw{yzO>DxO{9Jk=OGX96Q@%DA+6D6M|Its*E>k)bD#MOmsTqxAysT?N2n?O=thk@if)E$MV5*IgqOtkv-9O)-q_t3!J)kr%C!*%Afp2f*-vg zTINh~X&}Q}Hlj#jPb^(q(|+b@UgqU-WkT`x4R4i(I2AL_D0H>#a4Ia}!|M-uI&ob*w|pKI^%V z8qhWkMc#5qd?V;l2vR2}bk8oJO_i#cTbHG16IUcZS(YVVNg__z!^ry^*`-}6evz5zh_ znPUO>kW^_+hoad`6etpjiHIU1B8qPzuQ;)24F|(yI9Dl$tzkJPuk1^i(ESXVaEce# zR?u(JbDRgyWO{Y|bo)G)JPM~)M#zbY_(oXRSHeO+asS|Aemfb5mZuLsg_OL$`dyVQgqp@ic*Y+Ogb;`p3%Yy;j zP}tF?omYXvn-mOvYD}I^U&qgE899qXAp#`QY$q_3u@PzG=JS_uA~SbtKqSTz5fMd1 zL?mBc-(=O?gFF)!RI8dCt^$(y!~ZZrQV-fRu|?anKFu8z+}ahWVy7k}f4+g*c3zm; zcwttw4)tcwtP7wNQewmDSKp&A8$^$af%}$Hnj1ph<>Jr$Y0*#anYV^ z+&%?g{UFv4=tPe*PE6dqhSi3c1y?ZlacL*iBj9~8QrZ@!M;9hRKP;w=I{zNKymJdM0bMsml^?zN#!KE#+ ze6o)rqxO&`w0i;TqI~7gpy7v+H=EAk14~)ZuPo|eF{o>*zHlX9&djAnuK=`rEN0&% z?>s}^SD_YeVJ#z#DswlaB<$b2fz^t<9UxNt$PwV;2dB~qV z<%wJm*CJn8GpHjjMZGX}tV^vv`TTA}zV*Crgp_w|Gh>uRTDZ;+;>E%sU&Du?n(u^uqQtgPW_tNU^z>io_wq-V zxnb0d*{kL-qq!c}m*h0Bn2|io^TTys689Gmp!M|g#Fp>Mtm(aIY!Jl7EEBuhRP<{~ ziHHjvyb_n`+K(sOeS+Ty2}YhJ@vCTx3`>ece__DhNM45uDr^o{BT70Zf3rjJDZ|4v zl36xogUHWK00=_n(>!ja;Jd_K9$PQ=h;~n>^a9%p~SLI z6}ps4-jy#gx2I3%^xQmT;auGq&dbjN43g8NmbNsnWJY1Bz_4;KXZFNXuBJVu3rnD} zBNr~+;`RGzl&MQLGEFt1-1gKn;)=CL7NfH-MzvP{s9TWR| z;Hd>r7(3-Dre1xKVxH3D5ZRjgnTz*-SFzK>U-PbnUo`x0NRnINmF3Y}=m{nE1E^g!~Q*r)kl-$9Q&) zQ|JA~ZA_Uzg4XftxiqZ|xw`_H$w9`bBqzm15v#hIFOj0Dr;AqF&?c-4SchSY?)a9oMp~vXU4IW` z@}nobQ&dH3&sO$-v17pDRm>=tZ05Cb2<3d+BguIsB@izceA=~`Wi2`|dUY2}W1g`4 zx5bQV{{_vn%jjbEnl=5#uuY>qyMC>XVSFsnN%6=92zes0@kyv@sb}LT{NyM94B5%t z*Rn!fak{Yuene=;Zl03ZNKL_t(a zhkxJ~+I2SI`rhNb)+o!67KJm8+oV7FwQdc5P5D>dWgwSM_oK87P$Uo?lZa~gSc!%< z`r7HH>tAmNm87V9%;`Lw4G9fdzqTu-HGt@R$SJF&9Lkr#&EJMG@T?7EcMZZvD~{-x z1QO(cGKtvO1muM@QA=qQb@y)UI@*YDZ?3a)`gEH0SLfL3hFCk*rhgY5l%;&AI?@#7 z+iR?zy@nC(zM+3%5iNmiD+JjlXGuy)$kI3D&$<6t;M~_W-6mAM{9-c=if>L&kZ9xB zWDIKul|&6tbM48Rskf;)W+K&3#-l7Zg44s@GJFFs_dHT&Cz9?nt!5RbrQIV%g$ z7q-Ju1`o5=D0ehV;p48x=7&!R6CPMLoyFs(nQux#*M| zq~(TdY-yr89jqkGe<%+A=_wKo3u=y;!{jO{Q!sHi*}nfRYGv9{%P5}cM0@JjE5ef1 zf$Y4~iy39pmyu*enz4LkTbyNpJep@G*73`#(ey61mESvL8rQj!$jQ+Sa2%cTuZ9nc zZm*-KW#(Ec`S9=wVcITuyJU4&)tnkK)UQ0nWlAi%>|@)+a2oY(O=TAujP}ES(*zzo z3`QHykZ4n_dvBV0X@J)dh6e7V>!l|=lY^Z~v&;W1SY1SX z9C1RR5fe$2u*0*(K$>((e&5OFsFJV?3ux(o09ofn?3?7H5}Q6Za`A6;Z?I~`U8MD9 zvVUolWFOPl3(Y#d%wKkZ=S_R#?fnHyO^_Pd_hhL-Q&EAdpe<;e}V@sLrp#ij@ zX^|Mb`u@)H)7@C#P>&j;W+nTl0QHLS?u0K39z5lX(vzgTY}dTnbeJiDtM~EJxG6h! zPo<%O1Za#`{9URqO?_wznPpMF-se9Suuc6lVmClD{MjHYclpRt-DTzqT9d z6r=y%?R2|Vo}PUw;h_N~2i9OshhzNtQ~^%p=%Xf=FL!+>wQb0n3+3o{?h=>oJ|*b! zQ|?~b!;}O5tZOxwGb`$0nUYV~?%_D?PRR$5XqZuX*j%R8RPpFDkI$dB!vD0bkP!)m zTMuPsS1;6odNu5buiAqR>rODaZhbDU^yjgDeKzl%MROAg(1t#v6{xAju&Z0{db*ol za{l@5_m0UWQY+=l?6EBICy zZkhazz%~`p__G1yGp*FfoIEINu!dU?-l3@PltJ$NX!7b2e-BA&XOy6$t%ihnlmbLt z44-2pSQIg&Q0gtRLKG`3Lp+G#i^Q4Mok|gL@D;0Kb(sVUBe?T9ngk5fCn`lEA3rC8i7t7cVibgi#i3Nj zvu}O?2hx(2NQEXLkpj%L@M%yKhuaT%p>9EgYQ||RyK!${vEKg)*WSjX(AK4>kpj68 zD6?Iul%S!JvPzpOA=PE5143jcG65tQ+8Sa?C?Vkr$gtQEPsmp#%CE1PIrdF@vOCV)+~c<_^XxyLTkWq<}Jx&tXbrmPXj8?P5@)sGUBtOEG-T5)uKB$k0$D zgQQnimjTM;g@*qV;<$eK0ZCFTN|z`E5g&Q;P4F#n0;L=$rro7Tl2YjH2Na}C{Gy^v zB!-mrc0hLQBf+7W8!?e*`{pxrb|5$2#iL{6jH4_TA(T0`x2~=>5|k*iy`DWuuMg9w z-5hSaj^xnl);Q(1_30=1#>&PVnN*W*i{~+>M2g%g=Zf}=x^y^vf;+#Ip;F%4Ndb@* zw#8N&!L#S#D66UL=7|sH={tdSH5)XEVt3DK^ggb#pj6?U|PfmgW$E)h*YCQX$RC2FEgaf0JeswcPy!8I}YFe zg{o11uyFJoR-JxEn8cW3rHu(!fT1Gu%6u{sO)az}sxn9eZA~Cni2^0>fdXXV*z_VBPU98pZ9(%h-D+oDLoVti2FUjC=!)N^Qva`)&QPztM{` z7lz{XV>Q@Mev&OY$=v*nb18aNyE3P4WOCq=$Kq{i}doDK1#m{sa8rTLIUgR!>M zMEbrS^EM5qa*9qaU&e$FH#@U&{~s)BQ2V=tw{ml}M0)uyXRgN5tVV82y%G#+H>auj zadz%K$(xpT_y>GKujWviXa3-$S}}So8cE}n(4x{pcG#udBEPqs$_>}^TxDmTR@2{j zyP-bX{M~j)A?_(FyANdEhf1v2H-%=_DepKxa>`{(_T^ip&z6l3i2ADJmpT>sCH*q6 zp4uhuFz4!K2BcI}Qpg66GB!}g1COK!I1gFNmPhrNP`W1L=hRI9skaB^jXvVmK9GQG z3AAy~M?ED5*cZ`5dFB-_lfX8u;tF0re?y|04GuP$+C(13*BA*#rUuzMr83*bELhwc zXIVVgmyBWBWe0kU_r*1>OUQ6+-wjsqfZeaKR zXAG=&j6IKKcu#AT?2rP;3^3N0AP@P%7bWQ@Qc&{cQz%NQ5hjK?O>tz85CS1Ur%WGK zj<`mhIkOpDvN>5zLJ0=72C=Sp>10PvBE`}*vqF?$P-i&X2D+jqf6n^BGdZBwn27_t zFideQB2FLRz$Yc~ALiicFh}LLQug@YVnSJ;G}$51GN)7-_cXohUCx?M7n?JE@hjbvX=aI*7Mg%kDL@&* zt2gneIl17Lw&JFRyJs=fw!9(ugA&F2x4ac5bSh)}T^wVPr$3>x*pZL&Wkn4g9d#rk z>j%UY?+R8IS&5D;p8lQ*tLD;fT@*=DU5eH1&5C8+liO4zaB+)2a&-@8_?1ly4OcKS z`ZprtJ+Hq?ad0o0?qjMu;N_x&^5i?-D4=+DT_Q)6ynFo~xrQg6B~yis1Vi`I6qTOl zO>j6$MHDAyPvw_wH+T`Hj-|6BdY=UtDp2ObcFnU*m4erA6HqJePMO@d7E>@;^baC2 z{!i-p9P_ZW#8N6S9lVegUCfews&ekQE1pntFr&+Aw_Q_dRjc0=n) zU3?es;7aF-RMP-Z^7-UUS`9vj`H+?D98@~R=7{3R!WCRHY|rT>ok@-i=8Cs-0uL%I zWajR+9P}=@zod+aBof0E{iI6Xx;uNc(ACMDmnv##X{jM0eQU8qOA}3rB6+?e@iN16 z@==rT&RgGUn&DZm1)lX%{!e<(#?Gx7a>$>6$#v){f#g0rlui9gqlN^jhAvi4&N!Q9 zK9W1rifo%%u_xix+3a=;8=@5?|iE=lAt@*m%T>%DoDw zEgYy$l1q#&C|md;{?~$eU8w{PY5;;Sf4t^)ybjgf43J4Blr62p!K<&i5Nbnx)8vjU z{}{}v=K{O>mRRJ~SV%B8(?urLp!x9Xw9V`!0w|+7x#tOJUEff7rKuFftFOFDaKK0lK+enHNEB*?ur!jStm^-p5rkh_ z#-!aLXqFj4XHPXGa$Aa;NV)Gbom*?_W!<@?{Fo^L5Ru%y^%{jvdF)K3@LJ_k*ij}9 z^XGHBCES`^5wrMr>>1UCKi;O_^LJ5vJk79nlR0NMko_C{aQPlHT0a56yjo>Eq)Ryx z@SLF~iYFV*B9Yj*BqW-eWH{lU2U6S0)GxJ=**o_0z^`vgd|3r=_wD6Gv=trdmp~mg z>Q3Ik$w4X_P@+v?M;Q>u-Q`1Qw>*O8t2Qvdj%l`&P@2XzI2!}vE5}ys;l55qRx~n4 zs;-asnFUqPm#mQxH#gGVy>xMcVL?6CIs^P}8MQhVL^-@*#(Gs8qWwIsunB z_(u$tE2UVyia27EKto$ITUqf}DBGnY6*kRb+k`pP**%HIX`4?Hd39(r0Y&q`sJo#jW0-yjv)bU^!23qtfwaB>sG>O=P5QG z>rd5YDPaU+?y`B;6ErHcrbcGxQKp5Ch9D$5Ib3SyCX;Ae;aRa9UTRQYw=KIGtYhiI z^K@QTGsQ8E=kBt3YplWjPACe5d{_Y~@>7*%=a0Z0qs9zwSi;t}f}Ds!$LclK|Su3-)=T?%ITQr8n~H{{5^DKgSEL z@(gKilRlo*OH!r0E}Kv6W5eC%O!7*e7*u{a%eq4!z_t#R?PO4pfGvU)r&trWfz$cr zTnEN4+=fgJr8C?pLEYMgTD2~md5&DYC=NDKWWpM2$!TuidW*bb%4vv9 zNF)*vaYV-n$aP{5BnEl-6RPB+e007{`^RS}6;!om_jCQCW>A^3WE z5p8-MMyvZ$c8&H-j(7qflq4j`5lIOosJMnAA%O%TP$tU%lD{O;(ngy&VzM}TdF$>U zg1SczK5FVex#>GW)QxQ{c;v;<&ZX1eow@-QCK@1BM?+nbqJ|}?Ta~0*wF=qfqe{WX z=TBSVf6P`;)hV$Lxe=6vn!OD+>J~WKYoWMui|b$8(K4mqD-}wl`O(wg0};s`)p^C7 z$VYkN&n)|~IxpcOh4q#E@y7!~lupSfJ90wA5fe+=#*}}OJZ+#Kf|@A}YngEIz&)mI zj-{THI-l-6C-8#?6}s7BO*F^X-{yh2EtQ@1(T$BIB2j{&v3ByuoV3)@Mi6}W1*h~3 zFtsa;r-eTCn-}H$ipTuAJdvi}2B?4eNZ^?ew7kmF!ZBIWm#E`HrMoxTwCoz8)vd8o zMsn%Q3tpKxFrm7B4wC{39_%~A>^sH`98-q!-pk$!l~ zflKjNRP~}_A(dzTYY@aeI>oA0FOVq{2zhi7|Gl^QY*v$nOZ<`z0a-cv4fJC7q{%dv zy`)zSOX8nh;cQrCex2P6=M<$Y58BCyNm_I$Ye2|_?fiBy8s`CiDM!dukg6e-3gRQe z2@MTL@%05yKV}ms@h>96t}>zh7`A@(Wb_zk!meH7Bmhz@TzzoMbD8xgxgm3C!?a$9 zXz^QLnum9%OF08VF8i|}P=VKkCb+A`b8%7|+6B0>;^eP1GgAGvAT(eCRfjyF`4)d> zRw_!bN$uF#eid!ne`8SVl4!g-!^+iH&}%xIVdaxo9!;G+FjdV4NRHt;k~TB$V(L4Z z#@f#~bNU$oQoSOS_b!6=`@{4fcnag%l_+hTz|&*?tUi%Iy?LYYHJ1STIF|8DJu#_* z0+~z-NwI`~`AV3f;N_!td{y!nQfUZ@q&HJHu2cJ9usTpBh@j$qrA0h#*mnVzlH=23n#qYtaCBie)5wa zL*6nsALCs4j`cm-FfrJJ4sEMYwx~W)cMq~?^Cyb5|AqR72^r-|o^nWndW*q~+SY}s z-MSMyr~@^vWB6nHdbWhv)3<%u^ivFf6Is#rtek(3rbG79vFaUaHK~fHh2X>Oa~wGT z2DQq%)UVh9CmDbS-fbIGeBEjm&3c5wx;1_^vT<0HpeAf929NSK zD(T65mv&Hm;=r&z3_UKR!NjK61mECfFn|QD!lkKP+%RuBrE8FF`2ZZfGRxa|KAK38 zgj?cX))_15TUHJk$k?DFwCK@_y2bU0d3u^vEAOFGaXhV^l-ys`n>s6#sNKFXHQcPx z`ErYmOO6v)q9H;xEE(P zG|O<`txX$>Ve6F z`SVF4h1~41kY?7=+3XaNIpEvYlQ|Ronf_Kmp@zd~nzAz)0ErPzNA{%L`9;ic(}AGY zHE_`hal0pe&QRAnkT1sbqrw0f%8+Nnu^)YOBv ztx`joDG0u}mvzw@C6mmm48HY>sf0U|VdGc?t?1`Gc&ngJiXT^CB>FV!*On43Hqob@ zl)=8GkOc*@cuNTOU8m8)RDzmuOM3hGGiFXd{33hMvbf;c(XE_LB*i9^QM7b1bmUiA z`RgHyceCf~xosQ`$zf(iGY@}4wd(mOUqMiF%d0LKQGPzo;NFMPZ_As;@kB1J|bQDI*R4bvd*#Y^5q3$RH3eV(>!o^5JCqaIBu z(tbDn+G;SOn>Qw5x7o7wC5q&Sq?17wWxVu%&3{SH=beWugC;d$f6qBI>GXlYtxBL3 ze4Z7{ZlPOk3eAd0kw~*IALOm)Ex!ih*Lf_bOsdhdb1mG>6}&#Xi=`*zxQ=K_S#^lM zvyOIMHuB8bkNK68xP9hQa#m6UN>p^AZil*9_Si|UuG)<3lx5o$^8yxFbciHp1>$NZC;LFUV1vq;$i-fKitmH2^w_tHX`(5 zF7t}2@8tL`t-9a4E@z7S6b5Bfru~j<*LO(XpWCU>^+k1#vpy4o8(5SUcO& zQb$VMi$^Rz@(uHvmFQeb18w0!ub{L1cK9Yc9jejB*NvCIKW6dl*QlA9Q@fZ3vXrQ( ze;KJhrL1B&x&H<46Ev`Mb74Z8Vx)#nR7JzSB)<$$XUpN2?B5woqLvQDy__&qPpe&u zFqB|h(}&6G57>I<4ci|jw^8+aHWbkW&7!6GrLQ`h55Hp1?qDcnfJXx#y4EvCM^d1* z>3;}8%pbcL{|889n&?|OQmNZ73?JGWAG6e9C!=`pB^=UP#H1C!Gv;6nnpUN0)YCje z2oSa6K9r3-$?P#fe3liV#_&bV8{vTtsqt--kr>rw#)7*Hm_D1@K49(Ln0oquZ3;O% zlI|X1M^GFJ9>;ji#(* zdLJj$i3f?4>^}zvAVDfky(+<=>L>zsnlWMKE@qGNM{Zn{8hw6a#>m>auZAl_IPQO$ zkMblwZl8|t_Vi0?CHr#W>>wN?1%|qx2wXOoHL=>*x>aW6wt)<;ZIg$Pm*LTW3X`5s zXKCl=EYWqOe!JorNXhbHzx*P#XuwMUXvU6P%jQXw*x^utZgt9FeE&w;Ju+T%2Jfv85T|?0P3TXUDIVH8F_r~?;EMCvX zJ;#zuwQCe+&i14KkG;E&j#_yeIR0I!0Y&N* zD-?>9Qo#zv-QC??io5&8-QC??FYfN{McM*&+nx81+IB0n_riOD-+a#D9GYZjv&qOa znPkGTucfIKZ>kF&3UliAY0UH^%UCr12<`q##poXEc2HxJW5?!fIi8ypvsSS7@Ie+H4aLYhC&gP1XIbwC6xX?u7hB51Ob=U)Ay3z zVx!8eYn0Fh3?Pj=y}P)vY2*$ju5ZeWfZbdQx1?o*qI&N`P?D*7bxMxD%<;{~@Tye+ z0FBoP#&kIWfI^|d#3DN-I!|HBup*=;_M%jDtgXu+e-BF4Ef6&sYy@}KPr-A2+-(d? z4ySU(oTSz{XsL^pq=eCEcJ6sW&ptU5tPheSRgvE8TyM&-Nn4mYWEa9R7Zv)>VS=Z7 z6w02El&AHw__Lm0Yg6txfKq*}MC6t_H~ zS9e8xsEh*u03ZNKL_t(bUVkFm_x3MEy~OYS7CmZfT=HsJId3#eK8BLYHV+j?%wlpC zQ}{c2BL%6QJFtGqXR5VYLG$(&>|a-(XPZ{C@o{Uq$GesPd(`CZGKXD;GZ?ve4TE=w zkuGNuIxiZ)usW8J7ol^yA%MN76LPPpa+Rd0g zhp=_8MZ=O=xD=<*$FGZiEq_isAC`=H(IaKs1=clYh)(pN1J*VoXw>6+LN8y05z zl@)ZZK8pRzY#B9YFT*=5Bgn{t-0lsSzqlLC|KScQEQ(U0fMC+D6TENIfJ{mdK7TVP zskXaYF8yTwA0^e^&7jWot^8eT9dp+lVau!&d=6G&W|yBT!xk{KiwEY4==Ldj^vkD= z75=1HL5X$Y0vMiJg6EabsIwNN)54*Qt`s>nc&frZ*}2h_;S)EpWZcQfwzzqBD%q(? zWt4O~{ZFZ~7sT2BFys0>wf7)bRL)E&kv55P^m8ag;xB(l(EIoAv9;A3L6-g_g6DgWGw`ShohNuu z@t1s};^&h2QTiujzL9J}>P{^I13W(U~v&w-fw=jh;OjdBv7)GdfdLUcC5?q@whoQM9+b$e`w9 z*!Da`e*@`167l3R=llxNOm}X2DQU7Ul70yaENc&BT20v6vj@YEeT*~f`Ts0gK7Y-9 zW0WX8w`SwCecHBdTc>T??mlhXwr$(CZQHgr{oZ@OJF~v~duC1jNwRCL+0fcyvPX?+4$gfRPuW|AY}&KxU4$Hf8u6AmG97p2+&`pxv+I zGxSaqjH5bdKlytIg)z~&=F1q#crdlYkp!E8>tMyRJLOqf;+wkBz?p_iM_`@kSTE6G zwC&HE5m{v^uQPhMITTHnm#}Wwk?Skt=-sP(d~IK~$jGx2@ZKgRh?HN>R-Cp~>w=Wyi=`j^fA3o?;dH#7SR{(l+r zzlC!)Qm{^c{=4{JnFoz{f9!u35`8Wm=m!74t2Pi`;DlCk?B~^fME!TzKWcW@H8w`R zcB`AX)}4~ziG3G7UvH0pkQJs(u+B~6-6uY@$GNKfqr;bEU1ahAC?2kYfphc z4b8|1{4RNv-g@2VUJ^exk!K(xReq7P%Khp6EO||82tRJJ*8wW1E@y_sthsoI#m zIOxG>St#O57_%~Pu;vXWAa=ZH8^DIxM6WP)!5RH*Et_e?SYBP8bRO||(Q_gUd|D}# z=+rSSHCY>yuVld1Pu;U8eC&5BKY%f_CaYCwwK)9{4&Q<*^}I@Q*_b zyHwSSLGKQ46aMT(oC-~Sq5d&N6nncRc=0#~h;L^hHYtj8;KWhN5!kNtt|KMR4A;*p zC378nG`{Fk`8E7WmuoXcU$26>afdQASA_&Z;bby%H2lkBRoF9=g?x(lJPf)eMWw?Ibj;dmx@ z#MKPe@kSv1v}S@PG3Siq5IqhUqyVk-(C8Y(aIQ*-N~0NXO@lW7+!4+IPB-`zG>r_$ z=k`wsPz)$k3Tm(90g&l~2G8wk8{q6rUGZk+mIImq*CPFcYMy{rRL^}c8}YMJA+y^x z)_@Q6`}nQ{O>5E1B5;?fs%}uZQd6-CE3H~bYoYjAFc)~FR_%LBb|c0!Tujk9)a=2> zl;XTBU#ZzWh|ZoMW}F zC3dzJ6q%D|Zzet9JSX8XS-_>v9v1P*>yLItiR9R_9a z@b}b|f$w00K-^W7uK`ux5P&V$S5npCLbghzSKr}dPOo59{>tv1;2Dt}+!C>y1CnSw zCZX`B7_QIo^CcsaTSTie%tKk^s2pFXR0&Tg7$fEH%!e`86JPVSb6fx~9Kh z<$dSKn2nFn|5#*XJjBs{jCq_na|Nt1q{Nh5!@ameDy3iWYgN&EevgT|ZKqdcHHREc zHezuv0jv18nEfFyJlyx4RlKN)o*{TV_ofVtRGIY_UIW6>lWqd(4*#i== zMf5?Q5=WQtHV)wj8%F~-H4Fdil;_E5$=+;M;>6`l8d&{OeU%uABHutbc0(0=8X^ht z$&5XntE5M(;|tq$pS)gN5%_2FRDn^(mm*rTvXt&nr6$ryl>)lyR$ZF`rdu{^vGlT+ z!!+8+PcS(&*>6Cec4dZ@!IYbKO4GH!^gK9^r(9*kD7)3{ZRXhh>0E>tCvI=YN`pnu z)ut|u_GrxR7yC+Qnu?{186ru$9c_Oju;aN_T}w!Vofh--s$eA7+q3HlAr-cWp61t< zMOQrNBO)fxWbvsrfn`k!uX>geSmrAW6jzW&a}F()9>#U0QW zLb!%-*;@5M`qRC7b_N*Q3{?tivcxraCJP%bJmacKIJ*CM=xz7FHgH;teKu*CnwbPV zM|x6ea)qd8N3?Kta~1XC|Dt4&x9O8jGmhpC9%E7)E%h^OrW_p+yoCU&qAIYCAM7CC zh<3{iGq6T#6*1BZ`|=-)7Y1C5nburwi%Rt5+>JNqv^Y~EIj1Qrm>+>}jpe|63~tD; zK*tks^|nQYQid+pmgS(Cpb-QG3E*1!6D|_Zb`cNQY|eagsvEW)4|Spbjq2!}ZEzF| z(jdokJhnRsz44re>^>wrPQvaEjtB1D638B`UfW^ZR`Nmi(&A2Rp=0hVG?qw#`3MR} ztl|T}#I-@6Y_wcy##TTstN;v&{3K2BqVesIp?!%a9+~y-8o%aS)~GSJz!iXsDqUl7 z_Tx0z)xRVNOm0wy=*hJ{{WgwJAa2leuI0|g-GGN|DL&^cpx)8wvlI?ouWUP3gY?<% zs$2L=kp)QxH8TjK_~_I08pF{pKiSx^4?ORU!u*c)R8Rv|utBeji>ozTDxahN_z$j= zwP~`mI z!Fxjx=ZU=Jx?p=VdwwcC z>s1>=Y}g#4F(Oo~CKIl0C`Dvb%}O@tX%j4t)C%wU*-CfRC#pm7N>@Vy%39`}uaVuW zrP;JMAuB0hV{`gK*uMlbAuC)VT<=4dI1+PuaJ&;6QKijb-#h#;9%Z&7m-k%;CPy_R zQ&P;EJOXUoO~La;%gzNQ-vS16FC**Mk6+8=&LJyZ)n@uCa=k*2W;f`E8d3rIT0||( z<^Dn|B%=FW3I55P_bSOyVoN=yrPVbvd#buG&el7JZxBvfhc-(PDfl>yUlG<_RIu_;e4->zWZjH9Eh zecufyN!wzE<_%(8P|G@{5|mw?E>zmD-tZD!+Jewrxkodj;rt>{^ViG9_R<_BDi^AiydDRbl^rIY3Onn+NYAv+iBsf zeU-iEudvz0pJR`L4+ai^Uz^q!gmR9ZGV@t^mFs5slXA4lB1bCs$PqYP4`69Tic=bJQoctS=; zxofSq;$)Ie3NkL?lly5Ceed4w5xV}y*E4~pP>5(fW;k>bvCyzTAji5;NH8Nt*u#?2 z;LNz5K*(QPH(B;r76T~yYoog;xrpmV&(SiQ{(*V>SEkQt9yfsw9!6 zn;r)bz(O02N8d6>Ck1WIKBu6j{Xm3{+$;wDPZ|huLPHCoLL3H-!z?)3D<8M0G1l23 z?}Ic3hp(|q3=3obY|VK5Jp8sWrq#EwOhAE<8FzgTGgQ5_%1|`V-SR2+ImqsG%z>Iz z)WPGDXbT=JP|C2ltLTRkOrJ!3WT2QGAyAD-5G{mhay>TbFp z1|O_9_+}4oO;&XW?Y}ZF=Tyi9nwpq8f(7Gq{1fVHGKRGjG;0^LKlql&T#>F-Rw24tVs zaq~k^x516~+YELbaBd=ExUd z-x@{J6t z29s_`fvrxx%dq(ejJ9YJZs&R94fdrC$gmAsgn=&fc2l}rl6I$ze2wl+Cd?;RiK@5T zyF00%=nV*qv$^$RP?hlKJv-wXczrw zAF08++5(xI^X>A6g6r?W6s8)5$ApM+K@o8T;Dd^4<7kE*2dA&Om) z9sByEBZs!yz%O9~01>!2TYRP-&*P?Z;g3?e$zzEMj07TDdAiz4na=By(*rZ9<9h zSRxojgu5UYvqXcchS*_%ANO>L4!ePjWVPi3M9(T*GNRrMm?+iB=5PY|CewW;o;jVV zk8UvhCEP>0<*B4=Wf3ZlInoT^>sttdLZ4nTx>$p9HKu~a^Ty>X%4h(wtwDvmlx`yKeLsh*%&*iL^|gGygbKG>9K{L#eB^?{D)mrB<5NSLZno`8TG~FX ztF5)};w&dVCsWu!b`64$(s^5E|I%dXZl%Zeh;)i1&D0kJW(_b;C1w6wiNP zHS3F^JUZIgn~~n0ut3z+VG%g9P@zJdpslA1#aw3A*1B7# zczidPD-=n*OvSd@ZwG&*XQi9KtE$weTXikcqR&N*&RY&Co$uwS&eCYFHhpuK)w(Z{ zhlnj^8f+cQ3~%;lju2x#Gqc5FF`99JPjssfciX5lqMTpi#(32|XsZewTNzYMD8#qS z`_HGiUk+N4aW|`q+L zeQy<@+*^Z}tgBWQHAZ1R*$MOXZHIT4Aw+L3-`qHqOMR?JSQ$8%i`1u$uw0P`0(TSX zDA|)Wc6T#yl|vg)sur}0S&ghR8uIpwnYDYAGKS!On;=p_3=JTE}n9&HP zFW_nXtcRgm%Y0i+hor62R9)lXf_u99*;--5txq9Cy^AMYw)g z*bc7M;z*HxOI=K`LC(287^+J^RZZ&*>2;?N74oVNWG_y6lSU@|%%)$YIc+jlqbi2* z2>Ku(-iGECNLxP!Gr|&~biv6O*yN{}JuTl0KgZmwbrqLbRLhZ6QD}wn<4G@6-Lp`A z5q`OAnY=cwmtcv@OCN_$BRwV$pgv8gPkXi>NnY)h*wOX(B!jjct1oV1U+?w%f=IhiQIld8&VF_C`jausA`oTF&`1tOxIpHSNe z_rQxz8GzuXi^tMrrTU;OG2-jHqIy7TupDn&{PDAj|DBGj{;~Jlqw_gShW&n~F%{Ug zaqB|MIsN_(ofKjX4!2cM1cSw?h@S`K8CFOC11H<%UJ$a|nJUFTFkfe~WIYdDOQLvp zvQ{Eu``mxzg74Z*+0AwQrKONYO?; zKzp%rW~+UAU{J;-vnPMGH~N~vX%taA)udRW-H&Mmp|5uFSk;Y{O4}FK)hW6b>dKaQ z!!PYI)9fq@^cs`47@fAqx z4JDPRu5EHfpP9Kr&?n(NT3o>TN%mJ-&Bz)ftm(U#buR9tUfIE0Y7?@cvSQ1nIL*^Y zJ#2-j^n149 z72(!SqZ2k~?gjjb8)XClg&J8TlM4VVjouUE|5b}A%(eHSp)ypFHat+LEaL%(~vV8gCAiXA02&cGdLxKc^lC#^DFgUwo@A3rOK9TApGqCeKf(`PQoLUgc}Q~H!LgF1*KeI!HlN&>aWPCDba`lD_y_JG=^ z+`^(D5=WT zInZ=@t4aB~CWpj+(ioimoEVJ zS5V`9G`wsHv*%dRs|m1fC_-25;W)RGbV>|uw#)Yy;dS1(t0ys=xihfzrT+1|VnVeJ zhJ=FinF1f zSZmO_M<;Fv9_`Uykzln?Qb0Ool9Aw$y;a7dMN`>*4^2)Tt30Vq3e||9zqHe&GD+&$ z;4eg?Zw1k3SE5+moBy7qTA!i>bo1~vgXXg*HiE4$H}o<$PMLcmJg3ZBQIIk)87)p7 zR$#Bg7l%{_pkc;#?@Pi`nes_DViZd=ve(%VBT}Bj))5oz;hSi)(d#cVC_j#bE?;$@ zaD2-VJZ9`Xo>B&=+!~I?%egJ#PKZ~3Jft!vvSVMk&{e}dl5Q@Xj;F|W2vgsAa86#`-yX@uehIZb z&fu<0ofpT>sZwVdHs51hO`1kXE$y{5afeOTfKXZMX7&iT(BV|0_Xj{7F`X&JUx>@H zHyG}x6@@5ik?S7&Dfuc(dT0a{V!F!`olT`6Jtu$A)SN5AS4o}kqBKs2HHbBA9^TEG zZ&AQP(@Ikqag;@C49;rpn^~he#t~lC>A^K*bOv00LWykF5Wf69xrxX`}J zx2e3Ukl2nx)-c&gy=LSLj@Gkf(3vTKc`KTie%(X0w^Ks0T+S46>bkgC56M^!iz`=E zICIDtdB}XeSsFJbAi`rPx_RvjK2}j>GNXKMOiG|a#}*w?#n)p{4k4UX<&V^>wZ2$o zj^Icd8~MK07{B_mMmsCcl^KHM6^?tR{N{vYXgMkrwuMq$iDBMh+-!coozvLSE9$oD zOGv#u-M}MNOW@0mFofnEo4B8D(Vo;ai4y27E|+1y&W;k{-Ym(K16^tmK{#zU zhi@^V;tRfi7nniuYV8lx&>2f-<_Y=7!{Z3OhkLeyj`cP_H4B420SO7K$N=Nk+b_KwKnN&z6q67zd~gYm<5A-((G zh_!T_8$7H#5v%xGbIP`a>0m%tv{gM`jbQHGDGTby$=@v_F(EOc>8A4@2sYx-Cf~Bn zF809U21)*J>jj{8KAM^P~?53iq|IBFtdfujG|KSMl_y2^L z^Q@4_9Uzl3k1(M5da?5`L~X;86kTpaG>sL8K$AD@aVYA<9T~BPQLO@W4BB8qSI;&- zHntm@0hocmz!gf7j>wV4h#6ZzYm6o2HjWNe)1Ie}Q4l4uzus~uC_9eOEOE+9G=T}z zAS2sTi#K{titV!I#6WHmR;z)sTDmq_@E7e^Oz3l2S9kK75_#?nN7G@e%d<||Oz+0T z4UweeN{9jP4W_P7RcS^CMr|G~Z0Bf@H|{l1)}AYG2~mcbIBu$^mGMnst()y+(bhwLBP)q z2+@U=$_y{Fk~nIv!{1vKGmgrZ*k6K_zP#q^IysSev3D7Qq``2ZW1UjKwjC_z&O;e6 zD@{CF$f`>M;_2F0ZS|qAY|qIIyF#nKOuvBQA5fafOy}Xm?7;c`LLJsfki`KCaT&V|1`4K;uB9)zIx{IRO>=j=01AY7Vg{>i zFwtJ{St|vW7}6}>$k|O`$M9?V%NzAf?PJ|df6A2C=Cs?4u2Dr~V9+ENN220rJZ0(E z33)a6EiA@37TjK+w)l**OQ=~>${ZTp_`o`6u)}xUg{-z_1~Y%WvA^QTm}Xfb1G~uo zN&VfJqJwy!O$Q5CArhY1OCOFjl&JdYK=K&T^;dTvqGP`0M^}7bUq8P@?wS=B9~e%Z z`Kn?qhGSpY{ga-u6}X7E`I$_$<>Xm>bWealAU>g?>9(K$xiCdVT%JI^MQGo%1!ozl zRB;Kljzjdx_Y=`7Gcr!y-$wc06&Z=mq8Rl1R|Y&5cDB~L#yCZleP@^PB?eUh7;~;U zppCv^C)zFp>jn?z4XOF5ZFQbjoRD7E6gl7|bVA`QR58{3=9-)5^tDc9B?hM{o!e+kz&Q-oM-lcPLJ2swKvV9oK z2NI9%uf|DSvfNSSMKu>jR#u`xg)G$QYizffRUA#6;3EES_5=S}kh)Zr><-(0Rx-}CUE$by z@Xir50TQ_4zD>5m)Np$alP@zo3X$6^iTO;!4*M8 zRd8fIpGqPPdvD4B=73<9$Nb>S>~@pKr(-=|1w+nePO z!$3AXujY7Dx}xCOU8b{MuA>9J)dr{*NMsZKHz+62PQUI)MZ@QYGB!B4MH0mU*K~Q_ zOyyP$duWcTfSB3q3WXh6Vxo0^$u)Ms5(j}oB89Ak&GH4RupA=c*iP>>mBsK!~5K%bSxNplm{IB=2J=zPQU&;(TKg@h)uG2BfKw zQ7?d3gEOIMUN4gqW&swOy(v=fRSEB-m97 zo+p9Lg*+O%LB&kvJv2Q%kY9u8%-z$XJ5vx15>3pAkp>~9%R{CT-r3mxR6w>JK z^yBaQ6|cTzW14qWx3%P+5M;&aW`e8ZWyk(2J5lM3r-94kCf&FMy#5QNRL24WgRRb8 zK^KlX!%3g-HyTO#m07Z8dyl?hFdqVJC$;$;?pwd(-5BB`&*huDQ;WWZ)R8Q)XGZf1tc)6_Dhdf0;|XgYe~JJJdr;VOcJTpR+sV-J9J7bp5S-LnC*NGU^^vR*ND z_jP5`qJictX3TkS?;OF)Hms4BR&^SEue!i_uvbTtz!l2emwJ?rjVePK$VPfvxo>g0 zQ@5m&cBejjywRRk``nMkL?-b3G9mh-B= z6w>Ja;q~pih_*aNlEK{79TFX2la?!S$9UW7zU`9y$8k|#fd*H1kRwKU3Lng`5E}{Y$ zS==(?0fUWDLX&cNu+eT|d-qy(wG6QH+0uBsB+NmU&oJxJP)S8}flL;oh{S*f42$Xk zcQm$Ez@uBfB8Kp4tYA&xXSDG2_yW@pG&H)#l?H^wqheAkri}wXUL6N$5J^%U91Vc1 zpi;<}$B-|!LB}|EUIScd1)JM^8Wm3VAH10vhKmBHl}@Ttd$;G7$1o!3GEPsE6=u zEN})A2@=tgD#29SV^`SJi2)5*=;k947o(A!WwbQn>loZ)ddlEnNd^u1LX=X4IV^xv=lvIz1p!vXa= zXv5K2`ij*Tb>y<`8x#6qsU`PHYaYm};~Dwsb}fY#5bB{O?1g)nN!CUzfBnxSoDC~5 z7D43gl@MZ#int`sh9sW#>cBdjM(%#x+@;=tQxu3{u0k9KT2{eq0W#`o0sT}yC1zC{ z#}<_5@R^iig| zfmy!(#@BpwXAZ>u=gd4$8fG5Wq}hfmgRfQp5OK?T)qF_zk;HZUg($Z=LRer?iezS! z!CFGB`zk){@Dbor7+8{D#L6O|C3Y;jt5?72qj!LET8A^5yltya09c?)eEO>w;>5rG z7YfD`xbFaGdeSAeozOMi=joau6PNrUS5ay`wjs0|O(QZP`QWjz{FL=V#2zLw`jWNg zmu$xie%=4}DC-Z&OXM1nsv*i1zf zwS~%s!Q+_Z#e0VDnbeqWQ8(jQ0~^wPj{ZX;9Cq18q*`OUWQH4`UKX%Hob`L0$~KT* zwd#B$6d_J4gXgdi#`cQoAN`w-*a)3z{9uKj|NZ|(~4}MiXyxf!+mPm%wZpKvCKgnY$ia|fI zykh6;&$1Z;#Y8m2QHP{pgcVqgB^He)GGAFMj}i&**2KVBkEM(TIWg^wZjIJQ%$Ud+ z(#AOW7k_%}grWnAJ?Yh7cc6S{4AiFC&+rPU(MBGnff08j@bfgF8{4BF60IjoB)qj+ zpfLQtxw^mEb+awcG91n{0*NoH723VE>L^1ybMJ!X6iTG*xs;`hKSR(Jw|N4@l_@GR z#bpP{{gyd{=dLp$hrJeUnP+bFhiRq))#qJ?3^@jvg4DIGafFv)-d9~J89~ClykEc) zR5?)c^>2hOpAGg5vSb)(5R z-6@C9R|q<$80zG3vw+AdYnvHG?7uLQyO?sd6}RTh8_1MqTlsvg;(Z(3>9cEr-5D6} z?S_(Hwi*<~E5w})7k8sVWO=o>ImcFD4bT`WnP60u!(G!@XW!Soer*o;U)jETv6;6^ z8p`($uP}?@;wBhQ#zOetfMv9!2zCCJbFW&=Q=%A6BV+_UgLb)E?}_mcJ3vH`)P+aG z#PmFF5%UIp#9f{uO$?$~el}oMN)mdaRlDryIp1UFVMiHeZ^Qr1|MC*xCyxBM5WF+q zs>XEDg1YZyzsfL^=rB7hV+sKi$rlj(yKJ5rDK|F&(wBv55BD({X^12RUQ)LsYU_FZ zD!Z?TIF`r!0T&Y5@?N25aNTj+F%Hnl}m$t2#3?(K{XxIZw^2Z7$g=hf`V=& zC3&teoH!HwsPmPIjUIn-6y6~CQNTz0_LEUZ@{+87q1Zf#|~OJ3b$Y(%;CI0qve)YW^~eF z3VX4zAzluJEGO(tFtY1%^+@7cCjSAw^=H z{v09h6<|fjvx8m!V#4x93>N_|)w>Ho9L@&Fk&I8w6Ry+0v!>m2!|Jc_1B)`w<>F~b z9TXKP<#NP}tU%&Zzkq7f$7R*y^A|4+xWV(__3kC@+W{Hctk0~uWYL{-Qerd5V^Y3F9coL5cd)8kC!Z!Zjbbnz;WZ6jFpQ~+|H>#l zmH8A9<7c=hOXnjMJD(i9)SwHqcN7Y3l^{NAG3+ZeCCNOD?b?1K&hJ|E&{fHva=}rS zb9A9*=xm#qRRMsEVC0l1aDKa9Rw$h(Zt(_qvVMEC0@pqgN9tl>L$$-pzk`8tf7ZSE ztXQzp$rf*&|NZj97LKw-pmdwdG*Wo@R3WXXi6$Lb#7w5qlcbnkU2FGq=JMVlr!g46 zB<_~ex8cVP*S4fSW*jzZ(_0)oHGYCOXo~to#f%Z#nZ{7ASsvO+ao5|6CexU!FL#;Z zX|Yv$-+caLX*n{U(tOypg7n^gKrA6J%EPf+KKX>HY`8%pg*=aqn}D{q!SsL8Ip{7ySJ#>azG&Cm2CYn z2}WWEeCG}{9&1N7BbBy+in}}nIQ}Aj>c-;ReyXzVt&_N^UZj9^>xZn*d0W0Zbm*F zzs0Y;UKihfs!HWbx_s}vUv^9;e>Rvhrx+X+p3anUO(|n&XKnOt5F)TWmJ8zp|7;3J zkW{MN4djB%iwD?$4y=w8B%F>YaPcOlDfJb7l5jN9=Xy(^RsiADxIQshr=l20M@p8+ zlPhfK$eT<{I}M^-alZupjcfx1igj53WTXTT*7saE=>_5++3!|sJhPJA{N+Odb(ns% z-#g?uq0JhpWI;LC;iPAmZsF>#2N&M#MJ%yTvOu?7&ebhC1PSqys2|t@3@+9b_$^oA zL%?jNKndRM>eGtZ%TrGI$n9mwNnsFp@FoMwDVr+St>o3Q#H&9ZSC7>^Ekgan<)%H{ z312Z`DqOYWY`OW7NL#jmRI(=>Y<`563y4HdC>o}?f-9YUgmwxD|*ISIOrU#5^JPpcvE!eR;=_*A8g$#A9+?q!NH$Owg=BGlx0w(UuZn zm_Ue2*oI!?Hf;}kbq6%>(1J7_o?iHyu#u3k4XwuQ8mh_46S=jjjMIujBlaLZ@SE|M zuSzrB0|l9)NWr9OwCFm*!=t57yOBe!Vr=_7))U&a{(;{k^cr@EoQPsFL#7Q|91;7fk`dRZ1LzAo0+2i`cVmeCZBsld!ogyH!Wo7cSI~eIuX! zXH97tO812`nMD?~-Lk$duBYNEAS zFsqA2pf!+HQRNBA!87~e?SSr~#G)}<%grAS%#cW>Gm&yz%@c8B7}))mjQ~7+f>YdS ztNE4Cdwo3Zd;~l0dhF@#oR#X#@M&>n!kr)~#mvSf#eQ|(Kt-)q->e-Q?@k*TDJky| z6O3_EX2@`U^(>Wc$g;g*E`P6g|1d;@N*%SDpLp+du3k=qfrC_hnA=sS(^-_USMA{N zjO+NN9y@g%u{6&q!OH%10MhA6p{jLnWj=c#f$heuOs;}a+Ib8gXgo1zx!r^eeFuA& zhF*H(Eo{+WojvzPqQ&fH=giD{-h}$Dl(c$@D!%5a28Ck1)O7RL$PuTYl<=)=aeJ$? zFg}%Ok4CJihe2mtz;OKQYvBR?a4ohpnV#Tn~ zCXMD>)F!Hxq%|sZAvOXwO!YG@&)7yOx6vO|Izo0Y4}!Rn?-t}TY_m`X18!F2y_jPx ziZTlO(c=w;Sq;7Tg}T=5GcJDZ@pf^n6Cd)9;#F~e_x|y%iA6o$<4@@B`-7t%VdFhk zh4A_@#lW!JGD6uI)`IIEMds7Z(wd`tf<2o=F%;HfTX``M0Sbk~8@wZx!Xd|#hkQKu zJkqUpE!W4eh3xC~AL1&{s*4m;qht#Q+3VNn@#*qc?BVLM2~Xsx=GWFSj+;Qp@Pdqx z(G-K|&bfiy%Nj&C?N!zgvZN{d8(%UvBtJP*X{9`CX^HsI2X%TWO-|jY!6ho*m zIeEFdxVmO@TlFr>$+hzB64^@~ro*9dF-rDo#XPvg{Ta2c84sVo001EMVnY0i{p)6n zQ-mD1nbAX=O$);4Bqp!ZsRbXB zaqbkPBVPb*muT~IB5T*SDoMjYjmL)0g`@=*!?Qm@G`{>ZHrhttRU{JL?0h;l#Yva@ zqNC1wcriy!qLMR+v}jmGReEZ}z1nNSJuP7DWrrc?Ireue0|GYJvOA@0w4G$frMa1n zd&?o+XGOKB=HRXmOqWUJpVJPfjyxvWh5{&RGSw*TkL!roUpop4c4(2CoYLN^EK7OzMM|wwN#8M_;gp?{lqB?>$cf() zENO7=U_8VKIoZoDv@DL2fE&0N)lrA26<-nt?IvA?xy4zNP3lX|WjM)9jzuO{ZYsml z8CZv%{rjmQkE>VXtQ7XGg2C24reFmq+*#cYJzUCgL3#-Whg z8A7FASPzz;d>fdvOO`*AjxZC*ak30q=m4`mqI0X&2epjl3S(Aob!%6}Vm1=8h^JSx zsx^q1xk_i3 z<60o|^Od8s{VR0t@KE>9#4VZ8{NRP`r{xhCMr@nLs6poW2FMs#kos;{o^lDOd7yh; z_IVj9#1AijgTICtYpAVO~Ulp`v?Nxf%e?QOR9*>4;Ah)vejQq{*)L1vPK2Le! zaMSO2zdG$O-^e|60(jkj@s-kt)*q(UvrBWt&pQ@m79in(8vSh1^Obec zDbX-K5f=Ho`K@wvdP`2)0RR?cCT;