From ab149c81155a3138d9b3f2f2be548621e16efa2a Mon Sep 17 00:00:00 2001 From: Arjen Huitema Date: Wed, 29 May 2024 15:45:21 +0200 Subject: [PATCH] Update-policy-doc (#1653) --- docs/wiki/ALZ-Deprecated-Services.md | 9 ++++++++- docs/wiki/ALZ-Policies.md | 6 +++--- .../wiki/media/ALZ Policy Assignments v2.xlsx | Bin 38074 -> 50030 bytes 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/docs/wiki/ALZ-Deprecated-Services.md b/docs/wiki/ALZ-Deprecated-Services.md index 808a48235b..9bf5810b54 100644 --- a/docs/wiki/ALZ-Deprecated-Services.md +++ b/docs/wiki/ALZ-Deprecated-Services.md @@ -23,7 +23,7 @@ Policies being deprecated: | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | | Deploys NSG flow logs and traffic analytics
ID: `Deploy-Nsg-FlowLogs` | [`e920df7f-9a64-4066-9b58-52684c02a091`](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html) | Custom policy replaced by built-in requires less administration overhead | | Deploys NSG flow logs and traffic analytics to Log Analytics
ID: `Deploy-Nsg-FlowLogs-to-LA` | [`e920df7f-9a64-4066-9b58-52684c02a091`](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html) | Custom policy replaced by built-in requires less administration overhead | -|Deny the creation of public IP
ID: `Deny-PublicIP` | [`6c112d4e-5bc7-47ae-a041-ea2d9dccd749`](https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html) | Custom policy replaced by built-in requires less administration overhead | +| Deny the creation of public IP
ID: `Deny-PublicIP` | [`6c112d4e-5bc7-47ae-a041-ea2d9dccd749`](https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html) | Custom policy replaced by built-in requires less administration overhead | | Latest TLS version should be used in your API App
ID: `8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e` | [`f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b`](https://www.azadvertizer.net/azpolicyadvertizer/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b.html) | Deprecated policy in initiative removed as existing policy supersedes it | | SQL servers should use customer-managed keys to encrypt data at rest
ID: `0d134df8-db83-46fb-ad72-fe0c9428c8dd` | [`0a370ff3-6cab-4e85-8995-295fd854c5b8`](https://www.azadvertizer.net/azpolicyadvertizer/0a370ff3-6cab-4e85-8995-295fd854c5b8.html) | Deprecated policy in initiative replaced with new policy | | RDP access from the Internet should be blocked
ID: `Deny-RDP-From-Internet` | [`Deny-MgmtPorts-From-Internet`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html) | Deprecated policy as it is superseded by a more flexible policy | @@ -35,6 +35,13 @@ Policies being deprecated: | Deploy Microsoft Defender for Cloud configuration
ID: [`Deploy-MDFC-Config`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) | [`Deploy-MDFC-Config_20240319`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) | Custom initiative replaced by updated custom initiative due to breaking changes | | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
ID: [`Enforce-EncryptTransit`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) | [`Enforce-EncryptTransit_20240509`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) | Custom initiative replaced by updated custom initiative due to breaking changes | | Deploy SQL Database built-in SQL security configuration
ID: [`Deploy-SQL-Security`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security.html) | [`Deploy-SQL-Security_20240529`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security_20240529.html) | Custom initiative replaced by updated custom initiative due to breaking changes | +| Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW
ID: `Deploy-MDFC-DefenderSQL-AMA` | [`de01d381-bae9-4670-8870-786f89f49e26`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
ID: `Deploy-MDFC-SQL-DefenderSQL` | [`ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce`](https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW
ID: `Deploy-MDFC-SQL-DefenderSQL-DCR` | [`04754ef9-9ae3-4477-bf17-86ef50026304`](https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure SQL Virtual Machines to automatically install Azure Monitor Agent
ID: `Deploy-MDFC-SQL-AMA` | [`f91991d1-5383-4c95-8ee5-5ac423dd8bb1`](https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW
ID: `Deploy-MDFC-Arc-Sql-DefenderSQL-DCR` | [`63d03cbd-47fd-4ee1-8a1c-9ddf07303de0`](https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR
ID: `Deploy-MDFC-Arc-SQL-DCR-Association` | [`2227e1f1-23dd-4c3a-85a9-7024a401d8b2`](https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html) | Custom policy replaced by built-in requires less administration overhead | +| Deploy User Assigned Managed Identity for VM Insights
ID: `Deploy-UserAssignedManagedIdentity-VMInsights` | Deprecating as it's no longer required | User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. | >IMPORTANT: note that we have deprecated ALL ALZ custom Diagnostic Setting features as part of Azure Landing Zones, which includes the initiatives and all 53 policies. These are being deprecated in favor of using (and assigning) the built-in initiative [Enable allLogs category group resource logging for supported resources to Log Analytics](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html) diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md index 6d13e3b473..6899fc826f 100644 --- a/docs/wiki/ALZ-Policies.md +++ b/docs/wiki/ALZ-Policies.md 
@@ -121,7 +121,8 @@ This management group contains all the platform child management groups, like ma | **Enable ChangeTracking and Inventory for virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | -| **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Custom** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. 
This is a custom inititave that enables more flexibility than the initiative that comes built-in. | DeployIfNotExists, Disabled | +| **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | +| **Do not allow deletion of resource types**\* | **Do not allow deletion of resource types** | `Policy Definition`, **Built-in** | This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. Assigned to deny the deletion of the User Assignment Managed Identity that is used for AMA. | DenyAction | > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future. 
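Review bot: The description in the new `Do not allow deletion of resource types` row has two wording slips, "accidentals deletion" and "User Assignment Managed Identity"; suggest "accidental deletion" and "User Assigned Managed Identity", which is the spelling the `Deploy User Assigned Managed Identity for VM Insights` row in this same file uses. The row is also marked `\*`, so the footnote about the portal implementation applies to it; if the `DenyAction` protection of the AMA identity is likewise not yet present in Terraform and Bicep, it is worth saying so in the description, since readers may otherwise assume the identity is protected from deletion everywhere.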
@@ -256,8 +257,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | **Enable ChangeTracking and Inventory for virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | -| **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Custom** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. 
This is a custom inititave that enables more flexibility than the initiative that comes built-in. | DeployIfNotExists, Disabled | -| **Deploy User Assigned Managed Identity for VM Insights**\* | **Deploy User Assigned Managed Identity for VM Insights** | `Policy Definition`, **Custom** | This policy enables a User Assigned Managed Identity for Virtual Machines that run the AMA agent. | DeployIfNotExists, AuditIfNotExists, Disabled | +| **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future. 
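Review bot: The replacement Defender for SQL row switches the type from **Custom** to **Built-in** but keeps the second column as "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace", and ALZ-Deprecated-Services.md in this same patch uses nearly that wording ("... SQL VM ... with a user-defined LAW") as the name of the deprecated custom `Deploy-MDFC-DefenderSQL-AMA`; please confirm the column now shows the built-in initiative's display name. The same applies to the identical row in the hunk at line 121. This hunk also removes the `Deploy User Assigned Managed Identity for VM Insights` row without adding the `Do not allow deletion of resource types` row that the earlier table gains; if the `DenyAction` assignment is intentionally made at the other scope only, a short sentence stating that would help.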
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx index 48178c17845f49ab10afca7d3575f3a5f3ee61f1..ad5bfd895d8bcd28e3051f8450f02a355a50a0fd 100644 GIT binary patch delta 21652
zVjXD6a7t7k;AhE;{WA!1N<;d^rmPh~_a`HCH+gbO$eS`Zv^P!1Tu5kC4*_QCoXzJS1u!QnmwB6b$n~+3r zz1%S>Vg2>pSf#9OTRl7sYnkT#5o|>QvI$_6f9!zSpgefOQl=4KGdgVMrUzqeLfwnW z2(ksm(^GrMLrWYXgt-ins?ruyOy@<%Xm39OdFK?xtAf=vrlivd(ft5+Dm`-~&+i8j zeW@;5bM+l}qDViynOQ`WK#4*&YX`R*XM#Yb$Yv|R1;NfhCagJu{ z|5oXaUs%JoV8BgPdAIko?)W?LAt-7lz0R04_E{AyAzjNARzO2mSIoL!AOCEr&yql0 z# zneahJ1h%H0csGA7b-thnM(K z!Gm9BrsW~2bLbiRLV#h59n&|!40Fj(scFoz)-xDVBVy3m~~wec-c-iW+Dj+&dF^VC9n;gPq@a~>{O*ptc*Q~m6Qdaf1DMEeRyCbmZO-dR zh1|~M5xC{+%(m!33mBjaVR9;Qsn%aH3QZ(z8_A-;PH*joApv|mtP33v0|m!mN)nQ7gGot9QM0?rm9v1c<UInxS;spvVH)*b{dpduX3|t zuw!A{R-j5_Kw1(4SjMEJwnZ0ZEZ`S%bxI~(Z_w82PBuHZwM?cJhg8--4H&^hfLY5C^+OLJq630O*Yl5V4?;2&;DQn#j6d8>c-cZWcin9Uia<3 z$*Ny5E!^4{XmqkGEJQSu0z#Y41`W&PL51LCutATCXJH@+=@byX zOg6~J^iD`yFLlo|%vBa5y%{V&^m3q34jgaHWmMTwe(s?!TBBYWWMeiphA z#h|gcOf&LLS}XYX%v`L0uES+m^k0<{xxBaty$aUTqodpps59^Ep*2A!sgh5-@qgA5 z&Ua-+rj3kC;B7EuL%3DdHyG{2Hx%}{o6BK{qz+Z2$J-#VmE1-dgSGvecyU-1;nvG4 z>3SzB8v)4q+xdYj*5)1FIQ2N%GbA;Bu4>_Y|JW%z?^#^N4K1U{ATS|rXLM~~8wMe% z$97)z+)Pu$wEihmy*~_DsjGPO52b0vR4ev3hlEczJMN2>sn*l(@B>4Q{{B1~T4R4M zhz*P$A2Gq`2b>`ww|Gi<#hX^dYykR1zTD@5Z~Ul@_lS>hzVz{F!0(9_ zyOf1^pYG*2P5LJP*=DTWjeqQS@abC#xLLF z(~K6dP=_s+4V(hszhvCF+M|bhRGz&?@LTaIeEWr?-7k=q$w7fM^dd&Lx%A)?gK09e zUhy`^?JwD_S#3tXl{mca8dmvVPXXE%-DLG&p9MmPDyd-rJ)7l!;8es%Oo_YD71MZZ z(*)Ml{SU)vazb-LN+NY1><0IX=oc&3zbfiAw-Q~SdL8Ucy3@ITx3!)V7dz4$VoyZ2 z*oYV}XHoM3?tk465lf#q>3JeDiNaj6-28!z_&ZQbp$^D)84Z;ZEk|NmGF$SzEj}qy zyPw#XwPFN*u%p;)ET!!s=;D>qHsU!(Y&Z=No-hs|_9_vIGN*b@Uu|}8&frwVE!UNo zPsZ98pOzt0cw;Z#<@)J_S*hWyQjC17y2!&}Dkxqd)$5K5)X1@cW70>xL~w4eQC#+w zclkQ)7b?P016bLyjJ;R}QZVdfU}!eWYCSK+r2ht*dWmM(DKo3UA&l_oXuaPAGBWyZ z!*wzc8Iv(@!LUfYyCI0AHXT_X3M8K>FH(#)$Q|qIqgk(Nrf`>OmZolkXcXp}*Gq5k zJX<=pr3ef!e4K(F5Kfha^dz!{A|}W9%Uu|lBPYwhtGKOGJk>^>8&9?{-X&nfKuU9e zn258j#R%ol$2yp5v{$-|6f~69uuucBZtMH&%iZV2Grc=p+6>q6^t?>^?a>d2(A?@s zB;>e-pBQtD{RpmRsq`{t>JU5I~>;ZV>3rzoma?F1nERHd2T{8wq46>OU7E zF!`q-^sgWY@}Gh!3kX)bJb2U+@~fQ|;@gf7Icz5Z&sakcIz(Y}Z9x#bRAPu(3l`+Q 
zg9NN#4~gucgQOK>VEpH@h3=5C4(7k15CZ~qpn*p`A$Xm1km|n%wO$a7PAM?F4`i&A z6jIlT#qzJP__wM7`#(PdqW_DOO&v^Bog5s$v70zJnL&(N@W}pkCI9OG#mfKD{`f(t zyWWF010e=oqF||DNOqSzSU&XcKmY-E^MF5w|8uI`je|i7A_XZTf