From c5696cc0b825a0dab04a85f722db86bb59b09043 Mon Sep 17 00:00:00 2001 
From: mk-amz <108624731+mk-amz@users.noreply.github.com> Date: Thu, 22 Aug 2024 16:34:23 -0500 Subject: [PATCH] Patch Management Solution Version 1 (#210) * Patch Management Solution Version 1 * Cleaning Code From Scans. * Fix Typings. * Flake8 Fixes and Formatting * Missed Flake8 Fixes. * Missed 2 Fixes. * Whitespace Removed * I sort CLI * Refactored to work with new methodology that scales. * Cleanup. * Fixed type. * Isort * Flake8 * Fix CFN Nag. * Fixed. * Rename and working with CFT * Fixed CFCT * Folder Fix * fix * Add missing role * README * Template Fixes * CKV * Update sra-easy-setup.yaml more windows * Update manifest.yaml more windows * Update app.py more windows * Update sra-patch_mgmt-configuration.yaml more windows * Update sra-patch_mgmt-org-main-ssm.yaml more windows * add validation * Update app.py * Update app.py * Update manifest.yaml * Update sra-easy-setup.yaml * Update manifest.yaml * Update sra-patch_mgmt-configuration.yaml * Update sra-patch_mgmt-org-main-ssm.yaml * Update sra-patch_mgmt-configuration.yaml * Update sra-patch_mgmt-org-main-ssm.yaml * Update README.md * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update manifest.yaml * added reboot option * added reboot option * added reboot option * added reboot option * added ec2 profile * Update sra-patch_mgmt-configuration-role.yaml * Update sra-patch_mgmt-configuration-role.yaml * Update sra-patch_mgmt-configuration-role.yaml * Update sra-patch_mgmt-configuration-role.yaml * Update sra-patch_mgmt-configuration-role.yaml * Update sra-patch_mgmt-configuration-role.yaml * Update sra-patch_mgmt-configuration-role.yaml * Update sra-patch_mgmt-configuration-role.yaml * Update README.md * Update README.md * Add files via upload * Update README.md * Update README.md * Update README.md * Update app.py * Update README.md * Add files via upload * Update README.md * Delete 
aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patchmgr.png * Update README.md * Add files via upload * Delete aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-deployment.png * Add files via upload * Flake 8 Fixes * Fix Syntax * Update sra-easy-setup.yaml * Update sra-easy-setup.yaml * Update sra-easy-setup.yaml * Update sra-patch_mgmt-configuration.yaml * Update sra-patch_mgmt-org-main-ssm.yaml * Update manifest.yaml * Poetry Fixes * Poetry * Fix * Update sra-easy-setup.yaml * Update sra-easy-setup.yaml * Update sra-easy-setup.yaml * Update sra-patch_mgmt-org-main-ssm.yaml * Update sra-patch_mgmt-org-main-ssm.yaml * Update sra-patch_mgmt-configuration.yaml * Update sra-patch_mgmt-configuration.yaml * Update sra-easy-setup.yaml * Update sra-easy-setup.yaml * Update sra-easy-setup.yaml * Update sra-easy-setup.yaml * Update sra-patch_mgmt-org-main-ssm.yaml * Update sra-patch_mgmt-org-main-ssm.yaml * Update sra-patch_mgmt-org-main-ssm.yaml * Update sra-patch_mgmt-configuration.yaml * Update sra-easy-setup.yaml * Update manifest.yaml * CFQ001 * Black formatting * Isort * Easy Setup * Fix hash and parameters * Max parameter fix * Logging * Fix * Initial commit of refactors * Event Bridge * Few Bug Fixes * Fixed Roles * Mypy * Type Fixed * Typing * Target Types * My Py fixes * Flake8 Fixes * More Flake 8 * Silly Mistake * Slight Refactor * Flake 8 * Refactor function to be shorter and more readable * Comment Spacing * Fix * RegisterTaskWithMaintenanceWindowResultTypeDef * Black Format * Isort * Support Other Events * Type Error * Fix Invoke * Flake8 Issue * One more line * Whitespace * Thank you * Documentation * Fix parameters call * Timezones * init * updated disable patch mgmt workflow * mypy fixes * cfct fix * Documentation Updates * Proper Tracking Code * Flake8 * final fix * Wording Fix * remove --------- Co-authored-by: ThisIsHowieDeWitt <161866452+ThisIsHowieDeWitt@users.noreply.github.com> Co-authored-by: ievgeniia 
ieromenko --- .../manifest.yaml | 359 +++-- .../easy_setup/templates/sra-easy-setup.yaml | 1173 ++++++++++----- .../patch_mgmt/patch_mgmt_org/README.md | 249 ++++ .../documentation/missing-patch-summary.png | Bin 0 -> 187047 bytes .../documentation/node-compliance.png | Bin 0 -> 119233 bytes .../documentation/patch-mgr-deployment.png | Bin 0 -> 114377 bytes .../documentation/patch-mgr-solution.png | Bin 0 -> 52019 bytes .../patch_mgmt_org/lambda/src/app.py | 942 ++++++++++++ .../patch_mgmt_org/lambda/src/common.py | 212 +++ .../patch_mgmt_org/lambda/src/patchmgmt.py | 140 ++ .../lambda/src/requirements.txt | 2 + .../patch_mgmt_org/layer/boto3/package.txt | 1 + .../sra-patch_mgmt-configuration-role.yaml | 296 ++++ .../sra-patch_mgmt-configuration.yaml | 1302 +++++++++++++++++ ...a-patch_mgmt-default-host-config-role.yaml | 68 + .../sra-patch_mgmt-org-global-events.yaml | 68 + .../sra-patch_mgmt-org-main-ssm.yaml | 1029 +++++++++++++ 17 files changed, 5339 insertions(+), 502 deletions(-) create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/README.md create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/missing-patch-summary.png create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/node-compliance.png create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-deployment.png create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-solution.png create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/common.py create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/patchmgmt.py create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/requirements.txt create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/layer/boto3/package.txt 
create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration-role.yaml create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration.yaml create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-default-host-config-role.yaml create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-global-events.yaml create mode 100644 aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-main-ssm.yaml diff --git a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml index 0c532cea..22148262 100644 --- a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml +++ b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml 
@@ -14,253 +14,382 @@ resources: parameters: # Deploy Solution Parameters (see other sections for solution-specific parameters) - parameter_key: pDeployAccountAlternateContactsSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployCloudTrailSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployConfigManagementSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployConfigConformancePackSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployDetectiveSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployEC2DefaultEBSEncryptionSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployFirewallManagerSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployGuardDutySolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployIAMAccessAnalyzerSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployIAMPasswordPolicySolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployInspectorSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployMacieSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeployS3BlockAccountPublicAccessSolution - parameter_value: 'No' + parameter_value: "No" - parameter_key: pDeploySecurityHubSolution - parameter_value: 'No' - + parameter_value: "No" + - parameter_key: pDeployPatchMgrSolution + parameter_value: "No" # Account Alternate Contacts Solution Parameters - parameter_key: pExcludeAlternateContactAccountTags - parameter_value: '' + parameter_value: "" - parameter_key: pBillingContactAction - parameter_value: 'add' + parameter_value: "add" - parameter_key: pBillingEmail - parameter_value: '' + parameter_value: "" - parameter_key: pBillingName - parameter_value: '' + parameter_value: "" - parameter_key: pBillingPhone - parameter_value: '' + parameter_value: 
"" - parameter_key: pBillingTitle - parameter_value: '' + parameter_value: "" - parameter_key: pOperationsContactAction - parameter_value: 'add' + parameter_value: "add" - parameter_key: pOperationsEmail - parameter_value: '' + parameter_value: "" - parameter_key: pOperationsName - parameter_value: '' + parameter_value: "" - parameter_key: pOperationsPhone - parameter_value: '' + parameter_value: "" - parameter_key: pOperationsTitle - parameter_value: '' + parameter_value: "" - parameter_key: pSecurityContactAction - parameter_value: 'add' + parameter_value: "add" - parameter_key: pSecurityEmail - parameter_value: '' + parameter_value: "" - parameter_key: pSecurityName - parameter_value: '' + parameter_value: "" - parameter_key: pSecurityPhone - parameter_value: '' + parameter_value: "" - parameter_key: pSecurityTitle - parameter_value: '' + parameter_value: "" # AWS CloudTrail Solution Parameters - parameter_key: pCloudTrailName - parameter_value: 'sra-org-trail' + parameter_value: "sra-org-trail" - parameter_key: pEnableDataEventsOnly - parameter_value: 'true' + parameter_value: "true" - parameter_key: pEnableLambdaDataEvents - parameter_value: 'true' + parameter_value: "true" - parameter_key: pEnableS3DataEvents - parameter_value: 'true' + parameter_value: "true" - parameter_key: pBucketNamePrefix - parameter_value: 'sra-org-trail-logs' + parameter_value: "sra-org-trail-logs" - parameter_key: pCloudTrailLogGroupKmsKey - parameter_value: '' + parameter_value: "" - parameter_key: pCloudTrailLogGroupRetention - parameter_value: '400' + parameter_value: "400" - parameter_key: pCreateCloudTrailLogGroup - parameter_value: 'true' + parameter_value: "true" - parameter_key: pOrganizationCloudTrailKeyAlias - parameter_value: 'sra-cloudtrail-org-key' + parameter_value: "sra-cloudtrail-org-key" # AWS Config Management Solution - parameter_key: pAllSupported - parameter_value: 'true' + parameter_value: "true" - parameter_key: pFrequency - parameter_value: '1hour' + 
parameter_value: "1hour" - parameter_key: pIncludeGlobalResourceTypes - parameter_value: 'true' + parameter_value: "true" - parameter_key: pKmsKeyArn - parameter_value: '' + parameter_value: "" - parameter_key: pResourceTypes - parameter_value: '' + parameter_value: "" # AWS Config Conformance Pack Solution - parameter_key: pConformancePackName - parameter_value: 'sra-operational-best-practices-for-encryption-and-keys' + parameter_value: "sra-operational-best-practices-for-encryption-and-keys" - parameter_key: pConformancePackTemplateName - parameter_value: 'Operational-Best-Practices-for-Encryption-and-Keys.yaml' + parameter_value: "Operational-Best-Practices-for-Encryption-and-Keys.yaml" - parameter_key: pDeliveryS3KeyPrefix - parameter_value: '' + parameter_value: "" - parameter_key: pConformancePackExcludedAccounts - parameter_value: '' - + parameter_value: "" + # Detective Solution - parameter_key: pDatasourcePackages - parameter_value: 'ASFF_SECURITYHUB_FINDING, EKS_AUDIT' + parameter_value: "ASFF_SECURITYHUB_FINDING, EKS_AUDIT" - parameter_key: pGuarddutyEnabledForMoreThan48Hours - parameter_value: 'false' + parameter_value: "false" # EC2 Default EBS Encryption Solution - parameter_key: pExcludeEC2DefaultEBSEncryptionTags - parameter_value: '' + parameter_value: "" # Firewall Manager Solution - parameter_key: pEnableRemediation - parameter_value: 'false' + parameter_value: "false" - parameter_key: pInternalNetCIDR - parameter_value: '192.168.1.0/24' + parameter_value: "192.168.1.0/24" - parameter_key: pCreateVpcForSG - parameter_value: 'true' + parameter_value: "true" - parameter_key: pVPCCidrBlock - parameter_value: '10.0.0.0/28' + parameter_value: "10.0.0.0/28" - parameter_key: pVpcId - parameter_value: '' + parameter_value: "" # GuardDuty Solution - parameter_key: pDisableGuardDuty - parameter_value: 'No' - - parameter_key: pGuardDutyCustomerGovernedRegionsOnly - parameter_value: 'false' - - parameter_key: pGuardDutyEnabledRegions - parameter_value: '' + 
parameter_value: "No" - parameter_key: pAutoEnableS3Logs - parameter_value: 'true' + parameter_value: "true" - parameter_key: pAutoEnableKubernetesAuditLogs - parameter_value: 'true' + parameter_value: "true" - parameter_key: pAutoEnableMalwareProtection - parameter_value: 'true' + parameter_value: "true" - parameter_key: pEnableRdsLoginEvents - parameter_value: 'true' - - parameter_key: pEnableRuntimeMonitoring - parameter_value: 'true' + parameter_value: "true" + - parameter_key: pEnableEksRuntimeMonitoring + parameter_value: "true" - parameter_key: pEnableEksAddonManagement - parameter_value: 'true' - - parameter_key: pEnableEcsFargateAgentManagement - parameter_value: 'true' - - parameter_key: pEnableEc2AgentManagement - parameter_value: 'true' + parameter_value: "true" - parameter_key: pEnableLambdaNetworkLogs - parameter_value: 'true' + parameter_value: "true" - parameter_key: pGuardDutyFindingPublishingFrequency - parameter_value: 'FIFTEEN_MINUTES' + parameter_value: "FIFTEEN_MINUTES" - parameter_key: pGuardDutyOrgDeliveryBucketPrefix - parameter_value: 'sra-guardduty-org-delivery' + parameter_value: "sra-guardduty-org-delivery" - parameter_key: pGuardDutyOrgDeliveryKeyAlias - parameter_value: 'sra-guardduty-org-delivery-key' + parameter_value: "sra-guardduty-org-delivery-key" # IAM Access Analyzer Solution - parameter_key: pAccessAnalyzerNamePrefix - parameter_value: 'sra-account-access-analyzer' + parameter_value: "sra-account-access-analyzer" - parameter_key: pOrganizationAccessAnalyzerName - parameter_value: 'sra-organization-access-analyzer' + parameter_value: "sra-organization-access-analyzer" - parameter_key: pAccessAnalyzerRegisterDelegatedAdminAccount - parameter_value: 'Yes' + parameter_value: "Yes" # IAM Password Policy Solution - parameter_key: pAllowUsersToChangePassword - parameter_value: 'true' + parameter_value: "true" - parameter_key: pHardExpiry - parameter_value: 'false' + parameter_value: "false" - parameter_key: pMaxPasswordAge - 
parameter_value: '90' + parameter_value: "90" - parameter_key: pMinimumPasswordLength - parameter_value: '14' + parameter_value: "14" - parameter_key: pPasswordReusePrevention - parameter_value: '24' + parameter_value: "24" - parameter_key: pRequireLowercaseCharacters - parameter_value: 'true' + parameter_value: "true" - parameter_key: pRequireNumbers - parameter_value: 'true' + parameter_value: "true" - parameter_key: pRequireSymbols - parameter_value: 'true' + parameter_value: "true" - parameter_key: pRequireUppercaseCharacters - parameter_value: 'true' + parameter_value: "true" # Inspector Solution - parameter_key: pScanComponents - parameter_value: 'EC2, ECR, LAMBDA, LAMBDA_CODE' + parameter_value: "EC2, ECR, LAMBDA, LAMBDA_CODE" - parameter_key: pEcrRescanDuration - parameter_value: 'LIFETIME' + parameter_value: "LIFETIME" # Macie Solution - parameter_key: pDisableMacie - parameter_value: 'No' + parameter_value: "No" - parameter_key: pMacieFindingPublishingFrequency - parameter_value: 'FIFTEEN_MINUTES' + parameter_value: "FIFTEEN_MINUTES" - parameter_key: pMacieOrgDeliveryBucketPrefix - parameter_value: 'sra-macie-org-delivery' + parameter_value: "sra-macie-org-delivery" - parameter_key: pMacieOrgDeliveryKeyAlias - parameter_value: 'sra-macie-org-delivery-key' + parameter_value: "sra-macie-org-delivery-key" # S3 Block Account Public Access Solution - parameter_key: pExcludeS3BlockAccountPublicAccessTags - parameter_value: '' + parameter_value: "" - parameter_key: pEnableBlockPublicAcls - parameter_value: 'true' + parameter_value: "true" - parameter_key: pEnableBlockPublicPolicy - parameter_value: 'true' + parameter_value: "true" - parameter_key: pEnableIgnorePublicAcls - parameter_value: 'true' + parameter_value: "true" - parameter_key: pEnableRestrictPublicBuckets - parameter_value: 'true' + parameter_value: "true" # Security Hub Solution - parameter_key: pDisableSecurityHub - parameter_value: 'No' + parameter_value: "No" - parameter_key: pEnableCISStandard - 
parameter_value: 'false' + parameter_value: "false" - parameter_key: pEnablePCIStandard - parameter_value: 'false' + parameter_value: "false" - parameter_key: pEnableSecurityBestPracticesStandard - parameter_value: 'true' + parameter_value: "true" - parameter_key: pEnableNISTStandard - parameter_value: 'false' + parameter_value: "false" - parameter_key: pNISTStandardVersion - parameter_value: '5.0.0' + parameter_value: "5.0.0" - parameter_key: pRegionLinkingMode - parameter_value: 'SPECIFIED_REGIONS' + parameter_value: "SPECIFIED_REGIONS" + + # Patch Manager Solution + - parameter_key: pPatchMgmtRoleName + parameter_value: "sra-patch-mgmt-configuration" + # Window 1 + - parameter_key: pPatchMgmtMaintWindow1Name + parameter_value: "Update_SSM" + - parameter_key: pPatchMgmtMaintWindow1Desc + parameter_value: "Maintenance Window update the SSM Agent on managed Instances" + - parameter_key: pPatchMgmtMaintWindow1Schedule + parameter_value: "cron(0 0 1 ? * WED *)" + - parameter_key: pPatchMgmtMaintWindow1Duration + parameter_value: "6" + - parameter_key: pPatchMgmtMaintWindow1Cutoff + parameter_value: "1" + - parameter_key: pPatchMgmtMaintWindow1TZ + parameter_value: "America/New_York" + - parameter_key: pPatchMgmtTask1Name + parameter_value: "Update_SSM" + - parameter_key: pPatchMgmtTask1Desc + parameter_value: "Task to update SSM Agent" + - parameter_key: pPatchMgmtTask1RunCmd + parameter_value: "AWS-UpdateSSMAgent" + - parameter_key: pPatchMgmtTask1Operation + parameter_value: "Scan" + - parameter_key: pPatchMgmtTask1RebootOption + parameter_value: "RebootIfNeeded" + - parameter_key: pPatchMgmtTarget1Name + parameter_value: "Update_SSM" + - parameter_key: pPatchMgmtTarget1Desc + parameter_value: "Targets to update SSM Agent on" + - parameter_key: pPatchMgmtTarget1Value1 + parameter_value: "Linux" + - parameter_key: pPatchMgmtTarget1Value2 + parameter_value: "Windows" + # Window 2 + - parameter_key: pPatchMgmtMaintWindow2Name + parameter_value: "Windows_Scan" + - 
parameter_key: pPatchMgmtMaintWindow2Desc + parameter_value: "Maintenance Window to scan Windows Instances" + - parameter_key: pPatchMgmtMaintWindow2Schedule + parameter_value: "cron(0 0 1 ? * THU *)" + - parameter_key: pPatchMgmtMaintWindow2Duration + parameter_value: "6" + - parameter_key: pPatchMgmtMaintWindow2Cutoff + parameter_value: "1" + - parameter_key: pPatchMgmtMaintWindow2TZ + parameter_value: "America/New_York" + - parameter_key: pPatchMgmtTask2Name + parameter_value: "Windows_Scan" + - parameter_key: pPatchMgmtTask2Desc + parameter_value: "Task to scan Windows Instances" + - parameter_key: pPatchMgmtTask2RunCmd + parameter_value: "AWS-RunPatchBaseline" + - parameter_key: pPatchMgmtTask2Operation + parameter_value: "Scan" + - parameter_key: pPatchMgmtTask2RebootOption + parameter_value: "RebootIfNeeded" + - parameter_key: pPatchMgmtTarget2Name + parameter_value: "Windows_Scan" + - parameter_key: pPatchMgmtTarget2Desc + parameter_value: "Targets to run the command to scan for Windows updates" + - parameter_key: pPatchMgmtTarget2Value1 + parameter_value: "Windows" + # Window 3 + - parameter_key: pPatchMgmtMaintWindow3Name + parameter_value: "Linux_Scan" + - parameter_key: pPatchMgmtMaintWindow3Desc + parameter_value: "Maintenance Window scan Linux Instances" + - parameter_key: pPatchMgmtMaintWindow3Schedule + parameter_value: "cron(0 0 1 ? 
* FRI *)" + - parameter_key: pPatchMgmtMaintWindow3Duration + parameter_value: "6" + - parameter_key: pPatchMgmtMaintWindow3utoff + parameter_value: "1" + - parameter_key: pPatchMgmtMaintWindow3TZ + parameter_value: "America/New_York" + - parameter_key: pPatchMgmtTask3Name + parameter_value: "Linux_Scan" + - parameter_key: pPatchMgmtTask3Desc + parameter_value: "Task to scan Linux Instances" + - parameter_key: pPatchMgmtTask3RunCmd + parameter_value: "AWS-RunPatchBaseline" + - parameter_key: pPatchMgmtTask3Operation + parameter_value: "Scan" + - parameter_key: pPatchMgmtTask3RebootOption + parameter_value: "RebootIfNeeded" + - parameter_key: pPatchMgmtTarget3Name + parameter_value: "Linux_Scan" + - parameter_key: pPatchMgmtTarget3Desc + parameter_value: "Targets to run the command to scan for Linux updates" + - parameter_key: pPatchMgmtTarget3Value1 + parameter_value: "Linux" + + # Patch Manager Solution + - parameter_key: pDisablePatchMgmt + parameter_value: 'false' + # Window 1 + - parameter_key: pPatchMgmtMaintWindow1Schedule + parameter_value: 'cron(0 0 1 ? * THU *)' + - parameter_key: pPatchMgmtMaintWindow1Duration + parameter_value: '6' + - parameter_key: pPatchMgmtMaintWindow1Cutoff + parameter_value: '1' + - parameter_key: pPatchMgmtTask1RunCmd + parameter_value: 'AWS-UpdateSSMAgent' + - parameter_key: pPatchMgmtTarget1Value1 + parameter_value: 'Linux' + - parameter_key: pPatchMgmtTarget1Value2 + parameter_value: 'Windows' + - parameter_key: pPatchMgmtMaintWindow2Schedule + parameter_value: 'cron(0 0 1 ? 
* WED *)' + - parameter_key: pPatchMgmtMaintWindow2Duration + parameter_value: '6' + - parameter_key: pPatchMgmtMaintWindow2Cutoff + parameter_value: '1' + - parameter_key: pPatchMgmtMaintWindowTZ + parameter_value: 'America/New_York' + - parameter_key: pPatchMgmtTaskRebootOption + parameter_value: 'RebootIfNeeded' + - parameter_key: pPatchMgmtTask2RunCmd + parameter_value: 'AWS-RunPatchBaseline' + - parameter_key: pPatchMgmtTarget2Value1 + parameter_value: 'Windows' + - parameter_key: pPatchMgmtTaskOperation + parameter_value: 'Scan' + - parameter_key: pPatchMgmtMaintWindow3Schedule + parameter_value: 'cron(0 0 1 ? * FRI *)' + - parameter_key: pPatchMgmtMaintWindow3Duration + parameter_value: '6' + - parameter_key: pPatchMgmtMaintWindow3Cutoff + parameter_value: '1' + - parameter_key: pPatchMgmtTask3RunCmd + parameter_value: 'AWS-RunPatchBaseline' + - parameter_key: pPatchMgmtTarget3Value1 + parameter_value: 'Linux' # Common Properties - parameter_key: pSRAAlarmEmail - parameter_value: '' + parameter_value: "" - parameter_key: pCreateAWSControlTowerExecutionRole - parameter_value: 'false' + parameter_value: "false" # General Lambda Function and EventBridge Properties - parameter_key: pComplianceFrequency - parameter_value: '7' + parameter_value: "7" - parameter_key: pCreateLambdaLogGroup - parameter_value: 'No' + parameter_value: "No" - parameter_key: pLambdaLogGroupKmsKey - parameter_value: '' + parameter_value: "" - parameter_key: pLambdaLogGroupRetention - parameter_value: '14' + parameter_value: "14" - parameter_key: pLambdaLogLevel - parameter_value: 'INFO' + parameter_value: "INFO" deploy_method: stack_set deployment_targets: accounts: diff --git a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml index dd8cb417..103be485 100644 --- a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml +++ b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml 
@@ -2,7 +2,7 @@ # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## -AWSTemplateFormatVersion: '2010-09-09' +AWSTemplateFormatVersion: "2010-09-09" Description: Creates the SRA CodeBuild Project that deploys the staging, common prerequisites, and other components of the SRA. - 'easy_setup' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse7p) @@ -59,6 +59,7 @@ Metadata: - pDeploySecurityHubSolution - pDeployShieldSolution - pDeployInspectorSolution + - pDeployPatchMgrSolution - Label: default: Account Alternate Contacts Solution (optional parameters are required if solution is deployed) Parameters: @@ -256,6 +257,35 @@ Metadata: Parameters: - pScanComponents - pEcrRescanDuration + + - Label: + default: Patch Manager Solution + Parameters: + - pDisablePatchMgmt + # All Windows + - pPatchMgmtTaskOperation + - pPatchMgmtTaskRebootOption + - pPatchMgmtMaintWindowTZ + # Window 1 + - pPatchMgmtMaintWindow1Schedule + - pPatchMgmtMaintWindow1Duration + - pPatchMgmtMaintWindow1Cutoff + - pPatchMgmtTask1RunCmd + - pPatchMgmtTarget1Value1 + - pPatchMgmtTarget1Value2 + # Window 2 + - pPatchMgmtMaintWindow2Schedule + - pPatchMgmtMaintWindow2Duration + - pPatchMgmtMaintWindow2Cutoff + - pPatchMgmtTask2RunCmd + - pPatchMgmtTarget2Value1 + # Window 3 + - pPatchMgmtMaintWindow3Schedule + - pPatchMgmtMaintWindow3Duration + - pPatchMgmtMaintWindow3Cutoff + - pPatchMgmtTask3RunCmd + - pPatchMgmtTarget3Value1 + - Label: default: Common Properties Parameters: 
@@ -605,6 +635,53 @@ Metadata: pShieldProactiveEngagementNotes: default: Shield Proactive Engagement Notes + pDeployPatchMgrSolution: + default: Deploy the Patch Manager Solution + pDisablePatchMgmt: + default: Disable Patch Management Solution + # All Windows + pPatchMgmtTaskOperation: + default: Patch Management Task Operation + pPatchMgmtTaskRebootOption: + default: Patch Management Task Reboot Option + # Window 1 + pPatchMgmtMaintWindow1Schedule: + default: Patch Management Maintenance Window 1 Schedule + pPatchMgmtMaintWindow1Duration: + default: Patch Management Maintenance Window 1 Duration + pPatchMgmtMaintWindow1Cutoff: + default: Patch Management Maintenance Window 1 Cutoff + pPatchMgmtMaintWindowTZ: + default: Patch Management Maintenance Window Timezone For All Windows + pPatchMgmtTask1RunCmd: + default: Patch Management Task 1 Run Command + pPatchMgmtTarget1Value1: + default: Patch Management Target 1 Value 1 + pPatchMgmtTarget1Value2: + default: Patch Management Target 1 Value 2 + # Window 2 + pPatchMgmtMaintWindow2Schedule: + default: Patch Management Maintenance Window 2 Schedule + pPatchMgmtMaintWindow2Duration: + default: Patch Management Maintenance Window 2 Duration + pPatchMgmtMaintWindow2Cutoff: + default: Patch Management Maintenance Window 2 Cutoff + pPatchMgmtTask2RunCmd: + default: Patch Management Task 2 Run Command + pPatchMgmtTarget2Value1: + default: Patch Management Target 2 Value 1 + # Window 3 + pPatchMgmtMaintWindow3Schedule: + default: Patch Management Maintenance Window 3 Schedule + pPatchMgmtMaintWindow3Duration: + default: Patch Management Maintenance Window 3 Duration + pPatchMgmtMaintWindow3Cutoff: + default: Patch Management Maintenance Window 3 Cutoff + pPatchMgmtTask3RunCmd: + default: Patch Management Task 3 Run Command + pPatchMgmtTarget3Value1: + default: Patch Management Target 3 Value 1 + pCommonPrerequisitesRegionsOnly: default: Common Prerequisites Regions Only pConfigEnabledRegions: 
@@ -642,8 +719,8 @@ Parameters: Description: SRA Code Library Repository branch name Type: String pControlTower: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Indicates whether AWS Control Tower is deployed and being used for this AWS environment. Type: String pGovernedRegions: @@ -722,8 +799,8 @@ Parameters: Description: ECR Rescan Duration Type: String pDeployInspectorSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the Inspector solution Type: String 
@@ -732,74 +809,74 @@ Parameters: Description: Access Analyzer Name Prefix. The Account ID will be appended to the name. Type: String pAccessAnalyzerRegisterDelegatedAdminAccount: - AllowedValues: ['Yes', 'No'] - Default: 'Yes' + AllowedValues: ["Yes", "No"] + Default: "Yes" Description: Register a delegated administrator account using the Common Register Delegated Administrator solution. Type: String pAllowUsersToChangePassword: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: You can permit all IAM users in your account to use the IAM console to change their own passwords. Type: String pAllSupported: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Indicates whether to record all supported resource types. If set to 'false', then the 'Resource Types' parameter must have a value. Type: String pAutoEnableS3Logs: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Auto enable S3 logs Type: String pAutoEnableKubernetesAuditLogs: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Auto enable Kubernetes Audit Logs Type: String pAutoEnableMalwareProtection: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Auto enable Malware Protection Type: String pEnableRdsLoginEvents: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Auto enable RDS Login Events Type: String pEnableRuntimeMonitoring: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Auto enable Runtime Monitoring Type: String pEnableEksAddonManagement: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + 
Default: "true" Description: Auto enable EKS Add-on Management Type: String pEnableEcsFargateAgentManagement: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Auto enable ECS Fargate Agent Management Type: String pEnableEc2AgentManagement: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Auto enable EC2 Agent Management Type: String pEnableLambdaNetworkLogs: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Auto enable Lambda Network Logs Type: String pBillingContactAction: - AllowedValues: ['add', 'delete', 'ignore'] + AllowedValues: ["add", "delete", "ignore"] Default: add Description: Indicates whether to add, delete, or ignore the Billing alternate contact. Type: String pBillingEmail: AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' ConstraintDescription: Email Validation as per RFC2822 standards. - Default: '' + Default: "" Description: (Optional) Email Address for Billing alternate contact. If 'Billing Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. @@ -807,7 +884,7 @@ Parameters: pBillingName: AllowedPattern: '^(?![&<>\\%|]).*$' ConstraintDescription: All characters allowed except '&<>\%|' - Default: '' + Default: "" Description: (Optional) Full Name for Billing alternate contact. If 'Billing Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. @@ -815,7 +892,7 @@ Parameters: pBillingPhone: AllowedPattern: '^$|^[\s0-9()+-]+$' ConstraintDescription: Must be numbers, special characters [()+-], and/or whitespace - Default: '' + Default: "" Description: (Optional) Phone Number for Billing alternate contact. If 'Billing Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. 
@@ -823,15 +900,14 @@ Parameters: pBillingTitle: AllowedPattern: '^(?![&<>\\%|]).*$' ConstraintDescription: All characters allowed except '&<>\%|' - Default: '' + Default: "" Description: (Optional) Title for Billing alternate contact. If 'Billing Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. Type: String pBucketNamePrefix: AllowedPattern: ^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ - ConstraintDescription: - S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: sra-org-trail-logs Description: S3 bucket prefix. The account and region will get added to the end. e.g. bucket-prefix-123456789012-us-east-1 Type: String @@ -842,14 +918,33 @@ Parameters: Type: String pCloudTrailLogGroupKmsKey: AllowedPattern: ^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$ - ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' - Default: '' + ConstraintDescription: "Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + Default: "" Description: (Optional) KMS Key ARN to use for encrypting the CloudTrail log group data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. Type: String pCloudTrailLogGroupRetention: - AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] + AllowedValues: + [ + 1, + 3, + 5, + 7, + 14, + 30, + 60, + 90, + 120, + 150, + 180, + 365, + 400, + 545, + 731, + 1827, + 3653, + ] Default: 400 Description: Specifies the number of days you want to retain log events Type: String 
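Review bot: The pCloudTrailLogGroupRetention AllowedValues list grows from one line to nineteen, with a trailing comma before the closing bracket, and this looks like formatter output rather than an intended change. Either keep the single-line flow sequence or convert it to a YAML block sequence (one "- 1" style entry per line), which diffs more cleanly when a retention value is added. In the same hunk, pCloudTrailLogGroupKmsKey is the only pattern left unquoted while its neighbours are quoted; single-quoting it would match the other backslash-bearing patterns.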
@@ -872,13 +967,13 @@ Parameters: pConformancePackExcludedAccounts: AllowedPattern: '^$|^(\d{12})$|^((\d{12},)*\d{12})$' ConstraintDescription: AWS Account IDs separated by commas. (e.g. 123456789012,234567890123) - Default: '' + Default: "" Description: (Optional) Comma delimited list of account IDs to exclude from the Organization conformance pack. Accounts that do not have AWS Config enabled must be excluded. Type: String pConformancePackName: - AllowedPattern: '^[a-zA-Z][-a-zA-Z0-9]*$' + AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$" ConstraintDescription: Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Max length is 128 characters. 
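Review bot: The pConformancePackName AllowedPattern being re-quoted here does not enforce its own ConstraintDescription: "^[a-zA-Z][-a-zA-Z0-9]*$" accepts a trailing hyphen and has no length bound, while the description says the name cannot end with a hyphen and is limited to 128 characters. Since the line is being touched anyway, consider ending the pattern on an alphanumeric character and adding MaxLength: 128, so an invalid name is rejected at parameter validation instead of during deployment.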
@@ -890,154 +985,153 @@ Parameters: Description: Conformance pack template file name within the aws_config_conformance_packs folder. e.g. my-conformance-pack.yaml Type: String pCreateCloudTrailLogGroup: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Indicates whether a CloudWatch Log Group should be created for the CloudTrail, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String pCreateLambdaLogGroup: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String pCreateVpcForSG: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Create a new VPC for the Firewall Manager Security Groups Type: String pDatasourcePackages: - AllowedValues: [ASFF_SECURITYHUB_FINDING, EKS_AUDIT, ''] + AllowedValues: [ASFF_SECURITYHUB_FINDING, EKS_AUDIT, ""] Default: ASFF_SECURITYHUB_FINDING, EKS_AUDIT Description: Optional datasources used to populate the behavior graph. Valid values are ASFF_SECURITYHUB_FINDING and EKS_AUDIT Type: CommaDelimitedList pDeliveryS3KeyPrefix: - AllowedPattern: '^$|^[a-zA-Z][-a-zA-Z0-9]*$' - ConstraintDescription: - Delivery S3 prefix can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). - Default: '' + AllowedPattern: "^$|^[a-zA-Z][-a-zA-Z0-9]*$" + ConstraintDescription: Delivery S3 prefix can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Default: "" Description: (Optional) The prefix for the Amazon S3 bucket. 
Type: String pDeployAccountAlternateContactsSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the Account Alternate Contacts solution Type: String pDeployCloudTrailSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the CloudTrail solution Type: String pDeployConfigConformancePackSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the AWS Config Conformance Pack solution Type: String pDeployConfigSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the AWS Config solution (This solution is incompatible with the AWS Control Tower environment) Type: String pDeployConfigManagementSolution: - AllowedValues: ['Yes', 'No', 'Already Deployed'] - Default: 'No' + AllowedValues: ["Yes", "No", "Already Deployed"] + Default: "No" Description: Deploy the AWS Config Management solution. Note, if solution was previously deployed, choose 'Already Deployed'. 
Type: String pDeployDetectiveSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the Detective solution Type: String pDeployEC2DefaultEBSEncryptionSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the EC2 Default EBS Encryption solution Type: String pDeployFirewallManagerSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the Firewall Manager solution Type: String pDeployGuardDutySolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the GuardDuty solution Type: String pDeployIAMAccessAnalyzerSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the IAM Access Analyzer solution Type: String pDeployIAMPasswordPolicySolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the IAM Password Policy solution Type: String pDeployMacieSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the Macie solution Type: String pDeployS3BlockAccountPublicAccessSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the S3 Block Account Public Access solution Type: String pDeploySecurityHubSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the Security Hub solution Type: String pDisableGuardDuty: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Disable the GuardDuty solution in all accounts and regions before deleting the stack. 
Type: String pDisableMacie: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Disable the Macie solution in all accounts and regions before deleting the stack. Type: String pDisableSecurityHub: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Disable the Security Hub solution in all accounts and regions before deleting the stack. Type: String pEnableBlockPublicAcls: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: S3 Enable Block Public ACLs Type: String pEnableBlockPublicPolicy: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: S3 Enable Block Public Policy Type: String pEnableCISStandard: - AllowedValues: ['true', 'false'] - Default: 'false' + AllowedValues: ["true", "false"] + Default: "false" Description: Indicates whether to enable the CIS AWS Foundations Benchmark Standard. Type: String pEnableDataEventsOnly: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Only Enable Cloud Trail Data Events Type: String pEnableIgnorePublicAcls: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: S3 Enable Ignore Public ACLs Type: String pEnableLambdaDataEvents: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Enable Cloud Trail Data Events for all Lambda functions Type: String pEnablePCIStandard: - AllowedValues: ['true', 'false'] - Default: 'false' + AllowedValues: ["true", "false"] + Default: "false" Description: Indicates whether to enable the Payment Card Industry Data Security Standard (PCI DSS). Type: String pEnableRemediation: 
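Review bot: The toggles in this hunk use two different string vocabularies for the same kind of on/off choice: pCreateCloudTrailLogGroup takes "true"/"false" while pCreateLambdaLogGroup, directly below it, takes "Yes"/"No", and pDeployConfigManagementSolution adds a third value, "Already Deployed". Every condition that consumes these parameters has to compare against the right literal, and a mismatch evaluates silently to the wrong branch. Keeping the values quoted is right (unquoted Yes/No are booleans to YAML 1.1 parsers), but it would help to document which convention applies to which parameter family, or to converge on one.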
@@ -1046,64 +1140,63 @@ Parameters: Description: Chose to enable auto-remediation on Security Groups that violate the rules in the template Type: String pEnableRestrictPublicBuckets: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: S3 Enable Restrict Public Buckets Type: String pEnableS3DataEvents: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Enable Cloud Trail S3 Data Events for all buckets Type: String pEnableSecurityBestPracticesStandard: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Indicates whether to enable the AWS Foundational Security Best Practices Standard. Type: String pExcludeAlternateContactAccountTags: - AllowedPattern: '^$|.*' - Default: '' + AllowedPattern: "^$|.*" + Default: "" Description: '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"}, ... ]. For example, [{"Key": "exclude-alternate-contacts", "Value": "true"}].' Type: String pExcludeEC2DefaultEBSEncryptionTags: - AllowedPattern: '^$|.*' - Default: '' + AllowedPattern: "^$|.*" + Default: "" Description: '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"}, ... ]. For example, [{"Key": "exclude-ec2-default-ebs-encryption", "Value": "true"}].' Type: String pExcludeS3BlockAccountPublicAccessTags: - AllowedPattern: '^$|.*' - Default: '' + AllowedPattern: "^$|.*" + Default: "" Description: '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"}, ... ]. For example, [{"Key": "exclude-s3-block-account-public-access", "Value": "true"}].' 
Type: String pGuardDutyCustomerGovernedRegionsOnly: - AllowedValues: ['true', 'false'] - Default: 'false' + AllowedValues: ["true", "false"] + Default: "false" Description: Indicates whether to enable GuardDuty in the customer's Goverened Regions only. Example - Control Tower regions, or Common Prerequisites regions. Type: String pGuardDutyEnabledRegions: - AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' + AllowedPattern: "^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$" ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) - Default: '' - Description: - (Optional) Enabled regions (AWS regions, separated by commas). + Default: "" + Description: (Optional) Enabled regions (AWS regions, separated by commas). Type: String - + pFrequency: AllowedValues: [1hour, 3hours, 6hours, 12hours, 24hours] Default: 1hour Description: The frequency with which AWS Config delivers configuration snapshots. Type: String pGuarddutyEnabledForMoreThan48Hours: - AllowedValues: ['true', 'false'] - Default: 'false' + AllowedValues: ["true", "false"] + Default: "false" Description: Has Guardduty been enabled in the Organization for more than 48 hours? Type: String pGuardDutyFindingPublishingFrequency: 
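Review bot: The AllowedPattern "^$|.*" on pExcludeAlternateContactAccountTags, pExcludeEC2DefaultEBSEncryptionTags and pExcludeS3BlockAccountPublicAccessTags matches every possible string, so it validates nothing even though the Description requires a JSON list of Key/Value objects. Either drop the pattern so it is not mistaken for a check, or tighten it to at least the bracketed-list shape so malformed input fails at parameter validation rather than in whatever parses the tags later. These tags decide which accounts are excluded from a control, so a value that fails to parse should not be able to pass unnoticed.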
@@ -1112,25 +1205,23 @@ Parameters: Description: Finding publishing frequency Type: String pGuardDutyOrgDeliveryBucketPrefix: - AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' - ConstraintDescription: - S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + AllowedPattern: "^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" + ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: sra-guardduty-org-delivery - Description: - GuardDuty Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-guardduty-delivery-123456789012-us-east-1 + Description: GuardDuty Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-guardduty-delivery-123456789012-us-east-1 Type: String pGuardDutyOrgDeliveryKeyAlias: Default: sra-guardduty-org-delivery-key Description: GuardDuty Delivery KMS Key Alias Type: String pHardExpiry: - AllowedValues: ['true', 'false'] - Default: 'false' - Description: 'You can prevent IAM users from choosing a new password after their current password has expired.' + AllowedValues: ["true", "false"] + Default: "false" + Description: "You can prevent IAM users from choosing a new password after their current password has expired." Type: String pIncludeGlobalResourceTypes: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Indicates whether AWS Config records all supported global resource types. Type: String pInternalNetCIDR: 
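Review bot: The pGuardDutyOrgDeliveryBucketPrefix pattern and its ConstraintDescription both accept uppercase letters, but S3 bucket names cannot contain uppercase characters. Unless the consuming code lowercases the prefix (not visible in this hunk), a value such as "SRA-Logs" passes validation here and fails only when the bucket is created. Restricting the character class to [0-9a-z-] and updating the description would surface the error up front. Also in this hunk, pGuardDutyOrgDeliveryKeyAlias has no AllowedPattern at all; if the alias is meant to be constrained, add one here.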
@@ -1144,21 +1235,40 @@ Parameters: pKmsKeyArn: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*)?:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: Key ARN example - arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - Default: '' + Default: "" Description: (Optional) KMS key ARN to use for encrypting the AWS Config configuration snapshots and history files when storing in the S3 bucket in the Log Archive account. If empty, snapshots and history files will be encrypted based on the Default Encryption setting of the S3 bucket. Type: String pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' - ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' - Default: '' + ConstraintDescription: "Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + Default: "" Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. Type: String pLambdaLogGroupRetention: - AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] + AllowedValues: + [ + 1, + 3, + 5, + 7, + 14, + 30, + 60, + 90, + 120, + 150, + 180, + 365, + 400, + 545, + 731, + 1827, + 3653, + ] Default: 14 Description: Specifies the number of days you want to retain log events Type: String 
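Review bot: The two KMS ARN patterns in this hunk disagree on the partition segment: pKmsKeyArn uses "(aws[a-zA-Z-]*)?", which makes the partition optional and so accepts "arn::kms:...", while pLambdaLogGroupKmsKey uses "(aws[a-zA-Z-]*){1}", which requires it. Neither line is changed by the patch, but since the surrounding Default and ConstraintDescription lines are being edited, this is a good place to align both on the required form and drop the redundant {1}.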
@@ -1173,16 +1283,14 @@ Parameters: Description: Finding publishing frequency Type: String pMacieOrgDeliveryBucketPrefix: - AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' - ConstraintDescription: - S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + AllowedPattern: "^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" + ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: sra-macie-org-delivery Description: Macie Delivery S3 bucket prefix. The account and region will get added to the end. e.g. macie-delivery-123456789012-us-east-1 Type: String pMacieOrgDeliveryKeyAlias: - AllowedPattern: '^[a-zA-Z0-9/_-]+$' - ConstraintDescription: - The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). + AllowedPattern: "^[a-zA-Z0-9/_-]+$" + ConstraintDescription: The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Default: sra-macie-org-delivery-key Description: Macie Delivery KMS Key Alias Type: String @@ -1201,8 +1309,8 @@ Parameters: MinValue: 6 Type: Number pEnableNISTStandard: - AllowedValues: ['true', 'false'] - Default: 'false' + AllowedValues: ["true", "false"] + Default: "false" Description: Indicates whether to enable the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5. Type: String pNISTStandardVersion: 
@@ -1211,14 +1319,14 @@ Parameters: Description: NIST Standard Version Type: String pOperationsContactAction: - AllowedValues: ['add', 'delete', 'ignore'] + AllowedValues: ["add", "delete", "ignore"] Default: add Description: Indicates whether to add, delete, or ignore the Operations alternate contact. Type: String pOperationsEmail: AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' ConstraintDescription: Email Validation as per RFC2822 standards. - Default: '' + Default: "" Description: (Optional) Email Address for Operations alternate contact. If 'Operations Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. @@ -1226,7 +1334,7 @@ Parameters: pOperationsName: AllowedPattern: '^(?![&<>\\%|]).*$' ConstraintDescription: All characters allowed except '&<>\%|' - Default: '' + Default: "" Description: (Optional) Full Name for Operations alternate contact. If 'Operations Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. @@ -1234,7 +1342,7 @@ Parameters: pOperationsPhone: AllowedPattern: '^$|^[\s0-9()+-]+$' ConstraintDescription: Must be numbers, special characters [()+-], and/or whitespace - Default: '' + Default: "" Description: (Optional) Phone Number for Operations alternate contact. If 'Operations Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. @@ -1242,7 +1350,7 @@ Parameters: pOperationsTitle: AllowedPattern: '^(?![&<>\\%|]).*$' ConstraintDescription: All characters allowed except '&<>\%|' - Default: '' + Default: "" Description: (Optional) Title for Operations alternate contact. If 'Operations Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. 
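Review bot: The pOperationsName and pOperationsTitle pattern '^(?![&<>\\%|]).*$' only rejects a forbidden character in the first position, because the negative lookahead is anchored at the start and is followed by an unrestricted ".*". A value like "Ops<script>" therefore passes, which contradicts the ConstraintDescription "All characters allowed except '&<>\%|'". A negated character class over the whole string, '^[^&<>\\%|]*$', enforces what the description states and still accepts the empty default. The same pattern is used for the Billing and Security Name and Title parameters elsewhere in this patch and needs the same fix.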
@@ -1270,31 +1378,30 @@ Parameters: aggregate findings from new Regions as Security Hub supports them and you opt into them. Type: String pRequireLowercaseCharacters: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z). Type: String pRequireNumbers: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: You can require that IAM user passwords contain at least one numeric character (0 to 9). Type: String pRequireSymbols: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: "You can require that IAM user passwords contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '" Type: String pRequireUppercaseCharacters: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). Type: String pResourceTypes: - AllowedPattern: - '^$|^([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$|^(([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+(,|, ))*[0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$' - Default: '' + AllowedPattern: "^$|^([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$|^(([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+(,|, ))*[0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$" + Default: "" Description: (Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is set to 'false', then this parameter becomes required. 
@@ -1303,19 +1410,19 @@ Parameters: Description: (Optional) Email address for receiving SRA alarms Type: String pCreateAWSControlTowerExecutionRole: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Indicates whether the AWS Control Tower Execution role should be created. Type: String pSecurityContactAction: - AllowedValues: ['add', 'delete', 'ignore'] + AllowedValues: ["add", "delete", "ignore"] Default: add Description: Indicates whether to add, delete, or ignore the Security alternate contact. Type: String pSecurityEmail: AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' ConstraintDescription: Email Validation as per RFC2822 standards. - Default: '' + Default: "" Description: (Optional) Email Address for Security alternate contact. If 'Security Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. @@ -1323,7 +1430,7 @@ Parameters: pSecurityName: AllowedPattern: '^(?![&<>\\%|]).*$' ConstraintDescription: All characters allowed except '&<>\%|' - Default: '' + Default: "" Description: (Optional) Full Name for Security alternate contact. If 'Security Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. @@ -1331,7 +1438,7 @@ Parameters: pSecurityPhone: AllowedPattern: '^$|^[\s0-9()+-]+$' ConstraintDescription: Must be numbers, special characters [()+-], and/or whitespace - Default: '' + Default: "" Description: (Optional) Phone Number for Security alternate contact. If 'Security Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. @@ -1339,7 +1446,7 @@ Parameters: pSecurityTitle: AllowedPattern: '^(?![&<>\\%|]).*$' ConstraintDescription: All characters allowed except '&<>\%|' - Default: '' + Default: "" Description: (Optional) Title for Security alternate contact. If 'Security Alternate Contact Action' parameter is set to 'add', then this parameter becomes required. 
@@ -1351,20 +1458,20 @@ Parameters: Description: VPC CIDR Block to use for the new VPC. Only used if Create VPC is true. Type: String pVpcId: - AllowedPattern: '^$|^vpc-[0-9a-f]{17}$' + AllowedPattern: "^$|^vpc-[0-9a-f]{17}$" ConstraintDescription: Must have a prefix of "vpc-". Followed by 17 characters (numbers, letters "a-f") - Default: '' + Default: "" Description: (Optional) Existing VPC ID for the Firewall Manager Security Groups. Required if Create VPC For Security Group is "false". Type: String pDeployShieldSolution: - AllowedValues: ['Yes', 'No'] - Default: 'No' + AllowedValues: ["Yes", "No"] + Default: "No" Description: Deploy the AWS Shield Advanced solution. Type: String pConfigureDRTTeamAccess: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Allow the DDOS response team access to the AWS account(s) Type: String pResourcesToProtect: @@ -1372,7 +1479,7 @@ Parameters: Enables AWS Shield Advanced for a specific AWS resource. The resource can be an Amazon CloudFront distribution, Elastic Load Balancing load balancer, Elastic IP Address, or an Amazon Route 53 hosted zone. Type: CommaDelimitedList - Default: 'arn:aws:cloudfront::111111111111:distribution/ABCDEFGHIJKLMN' + Default: "arn:aws:cloudfront::111111111111:distribution/ABCDEFGHIJKLMN" pShieldAccountsToProtect: AllowedPattern: '^(ALL|(\d{12})(,(\d{12}))*?)$' ConstraintDescription: 'Enter "ALL" or a comma-separated list of AWS account numbers without spaces, e.g., "123456789012,234567890123"' 
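Review bot: The pResourcesToProtect default re-quoted in the last hunk is a placeholder ARN ("arn:aws:cloudfront::111111111111:distribution/ABCDEFGHIJKLMN") that passes validation as if it were real input. If someone deploys with defaults and pDeployShieldSolution set to "Yes", the solution will try to protect a resource that does not exist in their organization. An empty default, combined with a rule or an early check that requires a value when Shield is enabled, would turn that into an explicit error. Separately, pConfigureDRTTeamAccess defaults to "true"; it is worth documenting that enabling Shield also grants the DDoS response team access unless this is changed.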
@@ -1380,243 +1487,479 @@ Parameters: Accounts to enable shield advanced. Choose ALL to enable for all accounts in your AWS Organization to choose the accounts enter a comma seperated list of the AWS Account numbers Type: CommaDelimitedList - Default: '111111111111' + Default: "111111111111" pShieldDRTRoleName: - AllowedValues: ['DRT-Access-Role'] - Default: 'DRT-Access-Role' - ConstraintDescription: 'Enter a valid IAM role name (1-64 characters), using only alphanumeric characters and allowed special characters: +=,.@_-' + AllowedValues: ["DRT-Access-Role"] + Default: "DRT-Access-Role" + ConstraintDescription: "Enter a valid IAM role name (1-64 characters), using only alphanumeric characters and allowed special characters: +=,.@_-" Description: Name of the IAM role to create and grant access to the DRT Type: String pShieldAutoRenew: - AllowedValues: ['ENABLED', 'DISABLED'] - Default: 'ENABLED' + AllowedValues: ["ENABLED", "DISABLED"] + Default: "ENABLED" Description: Determines if Shield Advanced subscription is Auto Renewed Type: String pShieldDRTLogBuckets: - AllowedPattern: '^((?!xn--)(?!.*-s3alias$)[a-z0-9][a-z0-9-]{1,61}[a-z0-9])$' - ConstraintDescription: - 'A comma-separated list of AWS S3 buckets without spaces to give the DRT Team access to e.g., "samplebucket1,samplebucket2"' + AllowedPattern: "^((?!xn--)(?!.*-s3alias$)[a-z0-9][a-z0-9-]{1,61}[a-z0-9])$" + ConstraintDescription: 'A comma-separated list of AWS S3 buckets without spaces to give the DRT Team access to e.g., "samplebucket1,samplebucket2"' Description: A list of up to 10 S3 bucket names per account to give the DDOS Response team access to flow logs Type: CommaDelimitedList - Default: 'samplebucket1' + Default: "samplebucket1" pShieldWarning: - AllowedValues: ['Accept', 'Reject'] - Default: 'Reject' - Description: - Disclaimer Shield Advanced requires a 1 year commitment and cost $3000 per month. 
For details see https://aws.amazon.com/shield/pricing/ + AllowedValues: ["Accept", "Reject"] + Default: "Reject" + Description: Disclaimer Shield Advanced requires a 1 year commitment and cost $3000 per month. For details see https://aws.amazon.com/shield/pricing/ Type: String pProtectionGroup0AccountId: AllowedPattern: '^$|^\d{12}$' ConstraintDescription: 12 digit AWS Account Number - Default: '' + Default: "" Description: The 12 digit account number where the protection group is to be created Type: String pProtectionGroup0Id: AllowedPattern: "^[a-zA-Z0-9]{0,64}$|^$" ConstraintDescription: A valid name using alphanumeric characters - Default: '' + Default: "" Description: The name of the protection group Type: String pProtectionGroup0Aggregation: - AllowedValues: ['SUM','MEAN','MAX',''] - Default: '' + AllowedValues: ["SUM", "MEAN", "MAX", ""] + Default: "" Description: Defines how Shield combines resource data for the group in order to detect, mitigate, and report events. Type: String pProtectionGroup0Pattern: - AllowedValues: [ALL,ARBITRARY,BY_RESOURCE_TYPE,''] - Default: '' + AllowedValues: [ALL, ARBITRARY, BY_RESOURCE_TYPE, ""] + Default: "" Description: The criteria to use to choose the protected resources for inclusion in the group. You can include all resources that have protections, provide a list of resource Amazon Resource Names (ARNs), or include all resources of a specified resource type. Type: String pProtectionGroup0ResourceType: - AllowedValues: [CLOUDFRONT_DISTRIBUTION,ROUTE_53_HOSTED_ZONE,ELASTIC_IP_ALLOCATION,CLASSIC_LOAD_BALANCER,APPLICATION_LOAD_BALANCER,GLOBAL_ACCELERATOR,''] - Default: '' + AllowedValues: + [ + CLOUDFRONT_DISTRIBUTION, + ROUTE_53_HOSTED_ZONE, + ELASTIC_IP_ALLOCATION, + CLASSIC_LOAD_BALANCER, + APPLICATION_LOAD_BALANCER, + GLOBAL_ACCELERATOR, + "", + ] + Default: "" Description: The resource type to include in the protection group. All protected resources of this type are included in the protection group. 
Newly protected resources of this type are automatically added to the group. You must set this when you set Pattern to BY_RESOURCE_TYPE and you must not set it for any other Pattern setting. Type: String pProtectionGroup0Members: AllowedPattern: "^arn:aws:.*$|^$" ConstraintDescription: List of ARNs of resources to include in the protection group. You must set this when you set Pattern to ARBITRARY and you must not set it for any other Pattern setting. - Default: '' + Default: "" Description: The Amazon Resource Names (ARNs) of the resources to include in the protection group. You must set this when you set Pattern to ARBITRARY and you must not set it for any other Pattern setting. Type: CommaDelimitedList pProtectionGroup1AccountId: AllowedPattern: '^$|^\d{12}$' ConstraintDescription: 12 digit AWS Account Number - Default: '' + Default: "" Description: The 12 digit account number where the protection group is to be created Type: String pProtectionGroup1Id: AllowedPattern: "^[a-zA-Z0-9]{0,64}$|^$" ConstraintDescription: A valid name using alphanumeric characters - Default: '' + Default: "" Description: The name of the protection group Type: String pProtectionGroup1Aggregation: - AllowedValues: ['SUM','MEAN','MAX',''] - Default: '' + AllowedValues: ["SUM", "MEAN", "MAX", ""] + Default: "" Description: Defines how Shield combines resource data for the group in order to detect, mitigate, and report events. Type: String pProtectionGroup1Pattern: - AllowedValues: [ALL,ARBITRARY,BY_RESOURCE_TYPE,''] - Default: '' + AllowedValues: [ALL, ARBITRARY, BY_RESOURCE_TYPE, ""] + Default: "" Description: The criteria to use to choose the protected resources for inclusion in the group. You can include all resources that have protections, provide a list of resource Amazon Resource Names (ARNs), or include all resources of a specified resource type. 
Type: String pProtectionGroup1ResourceType: - AllowedValues: [CLOUDFRONT_DISTRIBUTION,ROUTE_53_HOSTED_ZONE,ELASTIC_IP_ALLOCATION,CLASSIC_LOAD_BALANCER,APPLICATION_LOAD_BALANCER,GLOBAL_ACCELERATOR,''] - Default: '' + AllowedValues: + [ + CLOUDFRONT_DISTRIBUTION, + ROUTE_53_HOSTED_ZONE, + ELASTIC_IP_ALLOCATION, + CLASSIC_LOAD_BALANCER, + APPLICATION_LOAD_BALANCER, + GLOBAL_ACCELERATOR, + "", + ] + Default: "" Description: The resource type to include in the protection group. All protected resources of this type are included in the protection group. Newly protected resources of this type are automatically added to the group. You must set this when you set Pattern to BY_RESOURCE_TYPE and you must not set it for any other Pattern setting. Type: String pProtectionGroup1Members: AllowedPattern: "^arn:aws:.*$|^$" ConstraintDescription: Must be a valid arn or list of arns - Default: '' + Default: "" Description: The Amazon Resource Names (ARNs) of the resources to include in the protection group. You must set this when you set Pattern to ARBITRARY and you must not set it for any other Pattern setting. Type: CommaDelimitedList pProtectionGroup2AccountId: AllowedPattern: '^$|^\d{12}$' ConstraintDescription: 12 digit AWS Account Number - Default: '' + Default: "" Description: The 12 digit account number where the protection group is to be created Type: String pProtectionGroup2Id: AllowedPattern: "^[a-zA-Z0-9]{0,64}$|^$" ConstraintDescription: A valid name using alphanumeric characters - Default: '' + Default: "" Description: The name of the protection group Type: String pProtectionGroup2Aggregation: - AllowedValues: ['SUM','MEAN','MAX',''] - Default: '' + AllowedValues: ["SUM", "MEAN", "MAX", ""] + Default: "" Description: Defines how Shield combines resource data for the group in order to detect, mitigate, and report events. 
Type: String pProtectionGroup2Pattern: - AllowedValues: [ALL,ARBITRARY,BY_RESOURCE_TYPE,''] - Default: '' + AllowedValues: [ALL, ARBITRARY, BY_RESOURCE_TYPE, ""] + Default: "" Description: The criteria to use to choose the protected resources for inclusion in the group. You can include all resources that have protections, provide a list of resource Amazon Resource Names (ARNs), or include all resources of a specified resource type. Type: String pProtectionGroup2ResourceType: - AllowedValues: [CLOUDFRONT_DISTRIBUTION,ROUTE_53_HOSTED_ZONE,ELASTIC_IP_ALLOCATION,CLASSIC_LOAD_BALANCER,APPLICATION_LOAD_BALANCER,GLOBAL_ACCELERATOR,''] - Default: '' + AllowedValues: + [ + CLOUDFRONT_DISTRIBUTION, + ROUTE_53_HOSTED_ZONE, + ELASTIC_IP_ALLOCATION, + CLASSIC_LOAD_BALANCER, + APPLICATION_LOAD_BALANCER, + GLOBAL_ACCELERATOR, + "", + ] + Default: "" Description: The resource type to include in the protection group. All protected resources of this type are included in the protection group. Newly protected resources of this type are automatically added to the group. You must set this when you set Pattern to BY_RESOURCE_TYPE and you must not set it for any other Pattern setting. Type: String pProtectionGroup2Members: AllowedPattern: "^arn:aws:.*$|^$" ConstraintDescription: Must be a valid arn or list of arns - Default: '' + Default: "" Description: The Amazon Resource Names (ARNs) of the resources to include in the protection group. You must set this when you set Pattern to ARBITRARY and you must not set it for any other Pattern setting. 
Type: CommaDelimitedList pProtectionGroup3AccountId: AllowedPattern: '^$|^\d{12}$' ConstraintDescription: 12 digit AWS Account Number - Default: '' + Default: "" Description: The 12 digit account number where the protection group is to be created Type: String pProtectionGroup3Id: AllowedPattern: "^[a-zA-Z0-9]{0,64}$|^$" ConstraintDescription: A valid name using alphanumeric characters - Default: '' + Default: "" Description: The name of the protection group Type: String pProtectionGroup3Aggregation: - AllowedValues: ['SUM','MEAN','MAX',''] - Default: '' + AllowedValues: ["SUM", "MEAN", "MAX", ""] + Default: "" Description: Defines how Shield combines resource data for the group in order to detect, mitigate, and report events. Type: String pProtectionGroup3Pattern: - AllowedValues: [ALL,ARBITRARY,BY_RESOURCE_TYPE, ''] - Default: '' + AllowedValues: [ALL, ARBITRARY, BY_RESOURCE_TYPE, ""] + Default: "" Description: The criteria to use to choose the protected resources for inclusion in the group. You can include all resources that have protections, provide a list of resource Amazon Resource Names (ARNs), or include all resources of a specified resource type. Type: String pProtectionGroup3ResourceType: - AllowedValues: [CLOUDFRONT_DISTRIBUTION,ROUTE_53_HOSTED_ZONE,ELASTIC_IP_ALLOCATION,CLASSIC_LOAD_BALANCER,APPLICATION_LOAD_BALANCER,GLOBAL_ACCELERATOR,''] - Default: '' + AllowedValues: + [ + CLOUDFRONT_DISTRIBUTION, + ROUTE_53_HOSTED_ZONE, + ELASTIC_IP_ALLOCATION, + CLASSIC_LOAD_BALANCER, + APPLICATION_LOAD_BALANCER, + GLOBAL_ACCELERATOR, + "", + ] + Default: "" Description: The resource type to include in the protection group. All protected resources of this type are included in the protection group. Newly protected resources of this type are automatically added to the group. You must set this when you set Pattern to BY_RESOURCE_TYPE and you must not set it for any other Pattern setting. 
Type: String pProtectionGroup3Members: AllowedPattern: "^arn:aws:.*$|^$" ConstraintDescription: Must be a valid arn or list of arns - Default: '' + Default: "" Description: The Amazon Resource Names (ARNs) of the resources to include in the protection group. You must set this when you set Pattern to ARBITRARY and you must not set it for any other Pattern setting. Type: CommaDelimitedList pProtectionGroup4AccountId: AllowedPattern: '^$|^\d{12}$' ConstraintDescription: 12 digit AWS Account Number - Default: '' + Default: "" Description: The 12 digit account number where the protection group is to be created Type: String pProtectionGroup4Id: AllowedPattern: "^[a-zA-Z0-9]{0,64}$|^$" ConstraintDescription: A valid name using alphanumeric characters - Default: '' + Default: "" Description: The name of the protection group Type: String pProtectionGroup4Aggregation: - AllowedValues: ['SUM','MEAN','MAX',''] - Default: '' + AllowedValues: ["SUM", "MEAN", "MAX", ""] + Default: "" Description: Defines how Shield combines resource data for the group in order to detect, mitigate, and report events. Type: String pProtectionGroup4Pattern: - AllowedValues: [ALL,ARBITRARY,BY_RESOURCE_TYPE,''] - Default: '' + AllowedValues: [ALL, ARBITRARY, BY_RESOURCE_TYPE, ""] + Default: "" Description: The criteria to use to choose the protected resources for inclusion in the group. You can include all resources that have protections, provide a list of resource Amazon Resource Names (ARNs), or include all resources of a specified resource type. 
Type: String pProtectionGroup4ResourceType: - AllowedValues: [CLOUDFRONT_DISTRIBUTION,ROUTE_53_HOSTED_ZONE,ELASTIC_IP_ALLOCATION,CLASSIC_LOAD_BALANCER,APPLICATION_LOAD_BALANCER,GLOBAL_ACCELERATOR,''] - Default: '' + AllowedValues: + [ + CLOUDFRONT_DISTRIBUTION, + ROUTE_53_HOSTED_ZONE, + ELASTIC_IP_ALLOCATION, + CLASSIC_LOAD_BALANCER, + APPLICATION_LOAD_BALANCER, + GLOBAL_ACCELERATOR, + "", + ] + Default: "" Description: The resource type to include in the protection group. All protected resources of this type are included in the protection group. Newly protected resources of this type are automatically added to the group. You must set this when you set Pattern to BY_RESOURCE_TYPE and you must not set it for any other Pattern setting. Type: String pProtectionGroup4Members: AllowedPattern: "^arn:aws:.*$|^$" ConstraintDescription: Must be a valid arn or list of arns - Default: '' + Default: "" Description: The Amazon Resource Names (ARNs) of the resources to include in the protection group. You must set this when you set Pattern to ARBITRARY and you must not set it for any other Pattern setting. 
Type: CommaDelimitedList pShieldEnableProactiveEngagement: - AllowedValues: ['true', 'false'] - Default: 'false' + AllowedValues: ["true", "false"] + Default: "false" Description: Enable Shield Advanced Proactive Engagement Type: String pShieldProactiveEngagementEmail: AllowedPattern: '^$|^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$|^$' ConstraintDescription: Must be a valid email address - Default: '' + Default: "" Description: Shield Advanced Proactive Engagement Email Address Type: String pShieldProactiveEngagementPhoneNumber: - AllowedPattern: '^$|^[+][1-9][0-9]{1,14}$|^$' + AllowedPattern: "^$|^[+][1-9][0-9]{1,14}$|^$" ConstraintDescription: Must be a valid phone number - Default: '' - Description: 'Shield Advanced Proactive Engagement Phone Number (ex: +15555555555)' + Default: "" + Description: "Shield Advanced Proactive Engagement Phone Number (ex: +15555555555)" Type: String pShieldProactiveEngagementNotes: - AllowedPattern: '^$|^[a-zA-Z0-9_ ]+$|^$' + AllowedPattern: "^$|^[a-zA-Z0-9_ ]+$|^$" ConstraintDescription: Must be a valid string - Default: '' + Default: "" Description: Shield Advanced Proactive Engagement Notes Type: String + pDeployPatchMgrSolution: + AllowedValues: ["Yes", "No"] + Default: "No" + Description: Deploy the Patch Manager solution. + Type: String + pDisablePatchMgmt: + AllowedValues: ["true", "false"] + Default: "false" + Description: Update to 'true' to delete Maintenance Windows and Default Host Management Configuration in all accounts and regions. + Type: String + # All Windows + pPatchMgmtTaskOperation: + AllowedValues: ["Scan", "Install"] + ConstraintDescription: Maintenance Window Task Operation can be either Scan or Install. + Description: Patch Management Task can be configured to either scan for patches or install patches. 
+ Default: Scan + Type: String + pPatchMgmtTaskRebootOption: + AllowedValues: ["RebootIfNeeded", "NoReboot"] + ConstraintDescription: Maintenance Window Task Reboot Option can be either Reboot If Needed or No Reboot. + Description: Patch Management Task can be configured to either Reboot or Not Reboot. + Default: RebootIfNeeded + Type: String + # Window 1 + pPatchMgmtMaintWindow1Schedule: + AllowedPattern: '^(rate\(((1 (hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*($|#|\w+\s*=|(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?(?:,(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?)*)\s+(\?|\*|(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?(?:,(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?)*)\s+(\?|\*|(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\?|\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\s+(\?|\*|(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?)*|\?|\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\s)+(\?|\*|(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?(?:,(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?)*))\))$' + Description: Patch Management Maintenance Window 1 schedule + Default: "cron(0 0 1 ? * THU *)" + Type: String + pPatchMgmtMaintWindow1Duration: + ConstraintDescription: Must be a number between 1 and 24. 
+ Description: Patch Management Maintenance Window 1 Duration (hrs) + Default: 6 + Type: Number + MinValue: 1 + MaxValue: 24 + pPatchMgmtMaintWindow1Cutoff: + Description: Stop initiating tasks before maintenance window ends (hrs) + Default: 1 + Type: Number + MinValue: 0 + MaxValue: 23 + pPatchMgmtMaintWindowTZ: + Description: Patch Management Maintenance Window 1 Timezone + Default: America/New_York + AllowedValues: + - America/New_York + - America/Chicago + - America/Los_Angeles + - America/Denver + - America/Phoenix + - America/Edmonton + - America/Halifax + - America/Whitehorse + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - America/Edmonton + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - Europe/Amsterdam + - Europe/Belgrade + - Europe/Berlin + - Europe/Brussels + - Europe/Dublin + - Europe/Gibraltar + - Europe/Helsinki + - Europe/Kyiv + - Europe/Lisbon + - Europe/London + - Europe/Luxembourg + - Europe/Madrid + - Europe/Malta + - Europe/Monaco + - Europe/Moscow + - Europe/Oslo + - Europe/Paris + - Europe/Podgorica + - Europe/Prague + - Europe/Rome + - Europe/Sarajevo + - Europe/Skopje + - Europe/Stockholm + - Europe/Tirane + - Europe/Tromsø + - Europe/Vatican + - Europe/Vienna + - Europe/Warsaw 
+ - Europe/Zagreb + - Europe/Zurich + Type: String + pPatchMgmtTask1RunCmd: + AllowedValues: [AWS-UpdateSSMAgent] + Description: Patch Management Task 1 Run Command + Default: AWS-UpdateSSMAgent + Type: String + pPatchMgmtTarget1Value1: + AllowedValues: [Linux] + Description: Patch Management Tag Value of Target group 1 + Default: Linux + Type: String + pPatchMgmtTarget1Value2: + AllowedValues: [Windows] + Description: Patch Management Tag Value of Target group 1 + Default: Windows + Type: String + # Window 2 + pPatchMgmtMaintWindow2Schedule: + AllowedPattern: '^(rate\(((1 (hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*($|#|\w+\s*=|(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?(?:,(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?)*)\s+(\?|\*|(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?(?:,(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?)*)\s+(\?|\*|(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\?|\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\s+(\?|\*|(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?)*|\?|\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\s)+(\?|\*|(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?(?:,(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?)*))\))$' + Description: Patch Management Maintenance Window 2 schedule + Default: "cron(0 0 1 ? 
* WED *)" + Type: String + pPatchMgmtMaintWindow2Duration: + ConstraintDescription: Must be a number between 1 and 24. + Description: Patch Management Maintenance Window 2 Duration (hrs) + Default: 6 + Type: Number + MinValue: 1 + MaxValue: 24 + pPatchMgmtMaintWindow2Cutoff: + Description: Stop initiating tasks before maintenance window ends (hrs) + Default: 1 + Type: Number + MinValue: 0 + MaxValue: 23 + pPatchMgmtTask2RunCmd: + AllowedValues: [AWS-RunPatchBaseline] + Description: Patch Management Task 2 Run Command + Default: AWS-RunPatchBaseline + Type: String + pPatchMgmtTarget2Value1: + AllowedValues: [Windows] + Description: Patch Management Tag Value of Target group 2 + Default: Windows + Type: String + # Window 3 + pPatchMgmtMaintWindow3Schedule: + AllowedPattern: '^(rate\(((1 (hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*($|#|\w+\s*=|(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?(?:,(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?)*)\s+(\?|\*|(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?(?:,(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?)*)\s+(\?|\*|(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\?|\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\s+(\?|\*|(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?)*|\?|\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\s)+(\?|\*|(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?(?:,(?:|\d{4})(
?:(?:-|/|\,)(?:|\d{4}))?)*))\))$' + Description: Patch Management Maintenance Window 3 schedule + Default: "cron(0 0 1 ? * FRI *)" + Type: String + pPatchMgmtMaintWindow3Duration: + ConstraintDescription: Must be a number between 1 and 24. + Description: Patch Management Maintenance Window 3 Duration (hrs) + Default: 6 + Type: Number + MinValue: 1 + MaxValue: 24 + pPatchMgmtMaintWindow3Cutoff: + Description: Stop initiating tasks before maintenance window ends (hrs) + Default: 1 + Type: Number + MinValue: 0 + MaxValue: 23 + pPatchMgmtTask3RunCmd: + AllowedValues: [AWS-RunPatchBaseline] + Description: Patch Management Task 3 Run Command + Default: AWS-RunPatchBaseline + Type: String + pPatchMgmtTarget3Value1: + AllowedValues: [Linux] + Description: Patch Management Tag Value of Target group 3 + Default: Linux + Type: String + pCommonPrerequisitesRegionsOnly: - AllowedValues: ['true', 'false'] - Default: 'true' + AllowedValues: ["true", "false"] + Default: "true" Description: Only enable in the customer regions specified in Common Prerequisites solution Type: String pRecorderName: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' - ConstraintDescription: - Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. + ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: sra-ConfigRecorder Description: Config recorder name Type: String pDeliveryChannelName: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' - ConstraintDescription: - Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. + ConstraintDescription: Must be alphanumeric or special characters [., _, -]. 
In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: sra-config-s3-delivery Description: Config delivery channel name Type: String pConfigOrgDeliveryBucketPrefix: - AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' - ConstraintDescription: - S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + AllowedPattern: "^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" + ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: sra-config-org-delivery Description: Config Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-config-delivery-123456789012-us-east-1 Type: String @@ -1638,8 +1981,8 @@ Parameters: AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' ConstraintDescription: Email Validation as per RFC2822 standards. Description: Email for receiving all AWS configuration events - Default: '' - Type: 'String' + Default: "" + Type: "String" pConfigOrgSnsKeyAlias: Default: sra-config-org-sns-key Description: Config SNS KMS Key Alias 
@@ -1657,16 +2000,16 @@ Parameters: Default: sra-config-aggregator-org Type: String pRegisterDelegatedAdminAccount: - AllowedValues: ['Yes', 'No'] - Default: 'Yes' + AllowedValues: ["Yes", "No"] + Default: "Yes" Description: Register a delegated administrator account using the Common Register Delegated Administrator solution. Type: String pConfigEnabledRegions: - AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' + AllowedPattern: "^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$" ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) - Default: '' + Default: "" Description: (Optional) Enabled regions (AWS regions, separated by commas). If 'Common Prerequisites Regions Only' parameter is set to 'false', then this parameter becomes required. 
@@ -1675,153 +2018,162 @@ Parameters: Rules: BillingContactValidation: RuleCondition: !And - - !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes'] - - !Equals [!Ref pBillingContactAction, 'add'] + - !Equals [!Ref pDeployAccountAlternateContactsSolution, "Yes"] + - !Equals [!Ref pBillingContactAction, "add"] Assertions: - Assert: !And - - !Not [!Equals [!Ref pBillingName, '']] - - !Not [!Equals [!Ref pBillingTitle, '']] - - !Not [!Equals [!Ref pBillingEmail, '']] - - !Not [!Equals [!Ref pBillingPhone, '']] + - !Not [!Equals [!Ref pBillingName, ""]] + - !Not [!Equals [!Ref pBillingTitle, ""]] + - !Not [!Equals [!Ref pBillingEmail, ""]] + - !Not [!Equals [!Ref pBillingPhone, ""]] AssertDescription: "'Billing Full Name', 'Billing Title', 'Billing Email' and 'Billing Phone' parameters are required if the 'Billing Alternate Contact Action' parameter is set to 'add'." DeployConfigConformancePackSolutionValidation: - RuleCondition: !Equals [!Ref pDeployConfigConformancePackSolution, 'Yes'] + RuleCondition: !Equals [!Ref pDeployConfigConformancePackSolution, "Yes"] Assertions: - Assert: !Or - - !Equals [!Ref pDeployConfigManagementSolution, 'Yes'] - - !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed'] - - !Equals [!Ref pDeployConfigSolution, 'Yes'] + - !Equals [!Ref pDeployConfigManagementSolution, "Yes"] + - !Equals [!Ref pDeployConfigManagementSolution, "Already Deployed"] + - !Equals [!Ref pDeployConfigSolution, "Yes"] AssertDescription: "'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the AWS Config Conformance Pack Solution' parameter is set to 'Yes'." 
DeploySecurityHubSolutionValidation: - RuleCondition: !Equals [!Ref pDeploySecurityHubSolution, 'Yes'] + RuleCondition: !Equals [!Ref pDeploySecurityHubSolution, "Yes"] Assertions: - Assert: !Or - - !Equals [!Ref pDeployConfigManagementSolution, 'Yes'] - - !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed'] - - !Equals [!Ref pDeployConfigSolution, 'Yes'] + - !Equals [!Ref pDeployConfigManagementSolution, "Yes"] + - !Equals [!Ref pDeployConfigManagementSolution, "Already Deployed"] + - !Equals [!Ref pDeployConfigSolution, "Yes"] AssertDescription: "'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the Security Hub Solution' parameter is set to 'Yes'." OperationsContactValidation: RuleCondition: !And - - !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes'] - - !Equals [!Ref pOperationsContactAction, 'add'] + - !Equals [!Ref pDeployAccountAlternateContactsSolution, "Yes"] + - !Equals [!Ref pOperationsContactAction, "add"] Assertions: - Assert: !And - - !Not [!Equals [!Ref pOperationsName, '']] - - !Not [!Equals [!Ref pOperationsTitle, '']] - - !Not [!Equals [!Ref pOperationsEmail, '']] - - !Not [!Equals [!Ref pOperationsPhone, '']] + - !Not [!Equals [!Ref pOperationsName, ""]] + - !Not [!Equals [!Ref pOperationsTitle, ""]] + - !Not [!Equals [!Ref pOperationsEmail, ""]] + - !Not [!Equals [!Ref pOperationsPhone, ""]] AssertDescription: "'Operations Full Name', 'Operations Title', 'Operations Email' and 'Operations Phone' parameters are required if the 'Operations Alternate Contact Action' parameter is set to 'add'." 
SecurityContactValidation: RuleCondition: !And - - !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes'] - - !Equals [!Ref pSecurityContactAction, 'add'] + - !Equals [!Ref pDeployAccountAlternateContactsSolution, "Yes"] + - !Equals [!Ref pSecurityContactAction, "add"] Assertions: - Assert: !And - - !Not [!Equals [!Ref pSecurityName, '']] - - !Not [!Equals [!Ref pSecurityTitle, '']] - - !Not [!Equals [!Ref pSecurityEmail, '']] - - !Not [!Equals [!Ref pSecurityPhone, '']] + - !Not [!Equals [!Ref pSecurityName, ""]] + - !Not [!Equals [!Ref pSecurityTitle, ""]] + - !Not [!Equals [!Ref pSecurityEmail, ""]] + - !Not [!Equals [!Ref pSecurityPhone, ""]] AssertDescription: "'Security Full Name', 'Security Title', 'Security Email' and 'Security Phone' parameters are required if the 'Security Alternate Contact Action' parameter is set to 'add'." EnabledRegionValidation: - RuleCondition: !Equals [!Ref pCommonPrerequisitesRegionsOnly, 'false'] + RuleCondition: !Equals [!Ref pCommonPrerequisitesRegionsOnly, "false"] Assertions: - - Assert: !Not [!Equals [!Ref pConfigEnabledRegions, '']] + - Assert: !Not [!Equals [!Ref pConfigEnabledRegions, ""]] AssertDescription: "'Enabled Regions' parameter has to have a value if 'Common Prerequisites Regions Only' parameter is set to 'false'." ResourceTypesValidation: - RuleCondition: !Equals [!Ref pAllSupported, 'false'] + RuleCondition: !Equals [!Ref pAllSupported, "false"] Assertions: - AssertDescription: "'Resource Types' parameter is required if 'All Supported' parameter is set to 'false'." 
- Assert: !Not [!Equals [!Ref pResourceTypes, '']] + Assert: !Not [!Equals [!Ref pResourceTypes, ""]] CheckGuardDutyRuntimeEnabled: - RuleCondition: !Equals [!Ref pEnableRuntimeMonitoring, 'false'] + RuleCondition: !Equals [!Ref pEnableRuntimeMonitoring, "false"] Assertions: - - Assert: !Not [!Equals [!Ref pEnableEksAddonManagement, 'true']] + - Assert: !Not [!Equals [!Ref pEnableEksAddonManagement, "true"]] AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled" - - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']] + - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, "true"]] AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled" - - Assert: !Not [!Equals [!Ref pEnableEc2AgentManagement, 'true']] + - Assert: !Not [!Equals [!Ref pEnableEc2AgentManagement, "true"]] AssertDescription: "'Enable Ec2 Agent Management' requires Guardduty Runtime Monitoring to be enabled" Conditions: - cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']] + cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, ""]] cUseGraviton: !Or - - !Equals [!Ref 'AWS::Region', ap-northeast-1] - - !Equals [!Ref 'AWS::Region', ap-south-1] - - !Equals [!Ref 'AWS::Region', ap-southeast-1] - - !Equals [!Ref 'AWS::Region', ap-southeast-2] - - !Equals [!Ref 'AWS::Region', eu-central-1] - - !Equals [!Ref 'AWS::Region', eu-west-1] - - !Equals [!Ref 'AWS::Region', eu-west-2] - - !Equals [!Ref 'AWS::Region', us-east-1] - - !Equals [!Ref 'AWS::Region', us-east-2] - - !Equals [!Ref 'AWS::Region', us-west-2] - - cDeployInspectorSolution: !Equals [!Ref pDeployInspectorSolution, 'Yes'] - - cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'Yes'] - cDeployAccountAlternateContactsSolution: !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes'] - cDeployCloudTrailSolution: !Equals [!Ref pDeployCloudTrailSolution, 'Yes'] - cDeployConfigSolution: !Equals 
[!Ref pDeployConfigSolution, 'Yes'] - cDeployConfigManagementSolution: !Equals [!Ref pDeployConfigManagementSolution, 'Yes'] - cDeployConfigManagementSolutionAlreadyDeployed: !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed'] + - !Equals [!Ref "AWS::Region", ap-northeast-1] + - !Equals [!Ref "AWS::Region", ap-south-1] + - !Equals [!Ref "AWS::Region", ap-southeast-1] + - !Equals [!Ref "AWS::Region", ap-southeast-2] + - !Equals [!Ref "AWS::Region", eu-central-1] + - !Equals [!Ref "AWS::Region", eu-west-1] + - !Equals [!Ref "AWS::Region", eu-west-2] + - !Equals [!Ref "AWS::Region", us-east-1] + - !Equals [!Ref "AWS::Region", us-east-2] + - !Equals [!Ref "AWS::Region", us-west-2] + + cDeployInspectorSolution: !Equals [!Ref pDeployInspectorSolution, "Yes"] + + cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, "Yes"] + cDeployAccountAlternateContactsSolution: + !Equals [!Ref pDeployAccountAlternateContactsSolution, "Yes"] + cDeployCloudTrailSolution: !Equals [!Ref pDeployCloudTrailSolution, "Yes"] + cDeployConfigSolution: !Equals [!Ref pDeployConfigSolution, "Yes"] + cDeployConfigManagementSolution: + !Equals [!Ref pDeployConfigManagementSolution, "Yes"] + cDeployConfigManagementSolutionAlreadyDeployed: + !Equals [!Ref pDeployConfigManagementSolution, "Already Deployed"] cDeployConfigConformancePackSolution: !And - !Or - !Condition cDeployConfigManagementSolution - !Condition cDeployConfigManagementSolutionAlreadyDeployed - !Condition cDeployConfigSolution - - !Equals [!Ref pDeployConfigConformancePackSolution, 'Yes'] - cDeployDetectiveSolution: !Equals [!Ref pDeployDetectiveSolution, 'Yes'] - cDeployEC2DefaultEBSEncryptionSolution: !Equals [!Ref pDeployEC2DefaultEBSEncryptionSolution, 'Yes'] - cDeployFirewallManagerSolution: !Equals [!Ref pDeployFirewallManagerSolution, 'Yes'] - cDeployGuardDutySolution: !Equals [!Ref pDeployGuardDutySolution, 'Yes'] - cDeployIAMAccessAnalyzerSolution: !Equals [!Ref pDeployIAMAccessAnalyzerSolution, 'Yes'] - 
cDeployIAMPasswordPolicySolution: !Equals [!Ref pDeployIAMPasswordPolicySolution, 'Yes'] - cDeployMacieSolution: !Equals [!Ref pDeployMacieSolution, 'Yes'] - cDeployS3BlockAccountPublicAccessSolution: !Equals [!Ref pDeployS3BlockAccountPublicAccessSolution, 'Yes'] + - !Equals [!Ref pDeployConfigConformancePackSolution, "Yes"] + cDeployDetectiveSolution: !Equals [!Ref pDeployDetectiveSolution, "Yes"] + cDeployEC2DefaultEBSEncryptionSolution: + !Equals [!Ref pDeployEC2DefaultEBSEncryptionSolution, "Yes"] + cDeployFirewallManagerSolution: + !Equals [!Ref pDeployFirewallManagerSolution, "Yes"] + cDeployGuardDutySolution: !Equals [!Ref pDeployGuardDutySolution, "Yes"] + cDeployIAMAccessAnalyzerSolution: + !Equals [!Ref pDeployIAMAccessAnalyzerSolution, "Yes"] + cDeployIAMPasswordPolicySolution: + !Equals [!Ref pDeployIAMPasswordPolicySolution, "Yes"] + cDeployMacieSolution: !Equals [!Ref pDeployMacieSolution, "Yes"] + cDeployS3BlockAccountPublicAccessSolution: + !Equals [!Ref pDeployS3BlockAccountPublicAccessSolution, "Yes"] cDeploySecurityHubSolution: !And - !Or - !Condition cDeployConfigManagementSolution - !Condition cDeployConfigManagementSolutionAlreadyDeployed - - !Equals [!Ref pDeploySecurityHubSolution, 'Yes'] - cDeployShieldSolution: !Equals [!Ref pDeployShieldSolution, 'Yes'] - cDisableGuardDuty: !Equals [!Ref pDisableGuardDuty, 'Yes'] - cDisableMacie: !Equals [!Ref pDisableMacie, 'Yes'] - cDisableSecurityHub: !Equals [!Ref pDisableSecurityHub, 'Yes'] + - !Equals [!Ref pDeploySecurityHubSolution, "Yes"] + cDeployShieldSolution: !Equals [!Ref pDeployShieldSolution, "Yes"] + cDisableGuardDuty: !Equals [!Ref pDisableGuardDuty, "Yes"] + cDisableMacie: !Equals [!Ref pDisableMacie, "Yes"] + cDisableSecurityHub: !Equals [!Ref pDisableSecurityHub, "Yes"] + cDeployPatchMgrSolution: !Equals [!Ref pDeployPatchMgrSolution, "Yes"] Resources: rCodeBuildProject: Type: AWS::CodeBuild::Project Properties: - Name: !Sub '${pCodeBuildProjectName}' + Name: !Sub 
"${pCodeBuildProjectName}" Artifacts: Type: NO_ARTIFACTS - Description: 'Codebuild project to get SRA code from github' + Description: "Codebuild project to get SRA code from github" Environment: ComputeType: BUILD_GENERAL1_SMALL EnvironmentVariables: - Name: AWS_DEFAULT_REGION Value: !Ref AWS::Region - Name: AWS_ACCOUNT_ID - Value: !Ref 'AWS::AccountId' + Value: !Ref "AWS::AccountId" - Name: SRA_REPO_URL Value: !Ref pRepoURL - Name: SRA_REPO_BRANCH_NAME Value: !Ref pRepoBranch - Name: SRA_STAGING_S3_BUCKET_STACK_NAME Value: !Ref pSRAStagingS3BucketStackName - Image: 'aws/codebuild/standard:5.0' + Image: "aws/codebuild/standard:5.0" PrivilegedMode: true - Type: 'LINUX_CONTAINER' + Type: "LINUX_CONTAINER" ServiceRole: !GetAtt rCodeBuildRole.Arn TimeoutInMinutes: 120 Source: @@ -1895,20 +2247,20 @@ Resources: - id: W28 reason: The role name is defined to identify automation resources Properties: - RoleName: !Sub '${pCodeBuildRoleName}' + RoleName: !Sub "${pCodeBuildRoleName}" AssumeRolePolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - codebuild.amazonaws.com Action: - - 'sts:AssumeRole' + - "sts:AssumeRole" Policies: - - PolicyName: 'logs-access' + - PolicyName: "logs-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Action: @@ -1916,10 +2268,10 @@ Resources: - logs:CreateLogStream - logs:PutLogEvents Resource: - - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*' - - PolicyName: 'cloudformation-changeset-access' + - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*" + - PolicyName: "cloudformation-changeset-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Action: 
@@ -1927,19 +2279,19 @@ Resources: - cloudformation:DescribeChangeSet - cloudformation:ExecuteChangeSet Resource: - - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*' - - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:changeSet/*' - - PolicyName: 'cloudformation-describe-access' + - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" + - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:changeSet/*" + - PolicyName: "cloudformation-describe-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Action: - cloudformation:DescribeStacks - Resource: '*' - - PolicyName: 'IAM-Access-Policy' + Resource: "*" + - PolicyName: "IAM-Access-Policy" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Action: @@ -1952,10 +2304,10 @@ Resources: - iam:DeleteRole - iam:TagRole Resource: - - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sra*' - - PolicyName: 'lambda-access' + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sra*" + - PolicyName: "lambda-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Action: @@ -1967,12 +2319,12 @@ Resources: - lambda:TagResource - lambda:InvokeFunction Resource: - - !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:sra*' - - PolicyName: 's3-staging-bucket-access' + - !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:sra*" + - PolicyName: "s3-staging-bucket-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - - Effect: 'Allow' + - Effect: "Allow" Action: - s3:GetObject - s3:PutObject 
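Review bot: The `cloudformation-changeset-access` policy in the hunk at -1927 allows `cloudformation:ExecuteChangeSet` on `stack/*` and `changeSet/*`, so the CodeBuild role can apply change sets to any stack in the account and region, while the Lambda role later in this template limits its CloudFormation access to `stack/sra*`. Since these resource lines are being rewritten anyway, narrow them to the `sra*` prefix that the IAM, Lambda and SSM statements of this role already use, or document why account-wide scope is needed.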
@@ -1981,13 +2333,13 @@ Resources: - s3:GetBucketPolicy - s3:DeleteBucket Resource: - - !Sub 'arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}' - - !Sub 'arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/*' - - PolicyName: 's3-create-bucket-access' + - !Sub "arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}" + - !Sub "arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/*" + - PolicyName: "s3-create-bucket-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - - Effect: 'Allow' + - Effect: "Allow" Action: - s3:PutBucketPolicy - s3:PutBucketTagging @@ -2002,24 +2354,24 @@ Resources: - s3:SetBucketEncryption - s3:PutBucketEncryption Resource: - - 'arn:aws:s3:::*' - - PolicyName: 'ssm-access' + - "arn:aws:s3:::*" + - PolicyName: "ssm-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - - Effect: 'Allow' + - Effect: "Allow" Action: - ssm:GetParameter - ssm:GetParameters - ssm:PutParameter - ssm:AddTagsToResource Resource: - - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra*' + - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra*" rStartCodeBuildProjectCustomResource: DependsOn: rCodeBuildProject Type: Custom::LambdaCustomResource - Version: '1.0' + Version: "1.0" Properties: ServiceToken: !GetAtt rStartCodeBuildProjectLambdaFunction.Arn 
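Review bot: In the `s3-create-bucket-access` policy (hunk at -2002) the resource `"arn:aws:s3:::*"` hardcodes the `aws` partition, unlike the other ARNs visible in this role, which use `${AWS::Partition}`, so the statement will not match in other partitions. It also grants `s3:PutBucketPolicy` and `s3:PutBucketEncryption` on every bucket; suggest `!Sub "arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-*"` or the exact staging bucket ARN already used in `s3-staging-bucket-access`.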
@@ -2236,11 +2588,11 @@ Resources: - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${pCodeBuildProjectLambdaFunctionName}:log-stream:* - - PolicyName: 's3-staging-bucket-access' + - PolicyName: "s3-staging-bucket-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - - Effect: 'Allow' + - Effect: "Allow" Action: - s3:GetObject - s3:PutObject 
@@ -2257,38 +2609,38 @@ Resources: - s3:ListBucketVersions - s3:PutBucketVersioning Resource: - - !Sub 'arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}' - - !Sub 'arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/*' - - PolicyName: 'lambda-access' + - !Sub "arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}" + - !Sub "arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/*" + - PolicyName: "lambda-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Action: - lambda:DeleteFunction - lambda:InvokeFunction Resource: - - !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:sra*' - - PolicyName: 'cloudformation-stack-access' + - !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:sra*" + - PolicyName: "cloudformation-stack-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Action: - cloudformation:DeleteStack - cloudformation:DescribeStacks Resource: - - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/sra*' - - PolicyName: 'IAM-access' + - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/sra*" + - PolicyName: "IAM-access" PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Action: - iam:DeleteRole - iam:DeleteRolePolicy Resource: - - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sra*' + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sra*" rAccountAlternateContactsSolutionStack: Type: AWS::CloudFormation::Stack 
@@ -2377,7 +2729,12 @@ Resources: pConformancePackTemplateName: !Ref pConformancePackTemplateName pDeliveryS3KeyPrefix: !Ref pDeliveryS3KeyPrefix pExcludedAccounts: !Ref pConformancePackExcludedAccounts - pSourceStackName: !If [cDeployConfigManagementSolution, !Ref rConfigManagementSolutionStack, ''] + pSourceStackName: + !If [ + cDeployConfigManagementSolution, + !Ref rConfigManagementSolutionStack, + "", + ] rDetectiveSolutionStack: Type: AWS::CloudFormation::Stack @@ -2391,7 +2748,7 @@ Resources: pComplianceFrequency: !Ref pComplianceFrequency pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] pDatasourcePackages: !Join - - ',' + - "," - !Ref pDatasourcePackages pGuarddutyEnabledForMoreThan48Hours: !Ref pGuarddutyEnabledForMoreThan48Hours pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey @@ -2561,7 +2918,12 @@ Resources: pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel pRegionLinkingMode: !Ref pRegionLinkingMode - pSourceStackName: !If [cDeployConfigManagementSolution, !Ref rConfigManagementSolutionStack, ''] + pSourceStackName: + !If [ + cDeployConfigManagementSolution, + !Ref rConfigManagementSolutionStack, + "", + ] pSRAAlarmEmail: !Ref pSRAAlarmEmail pEnableNISTStandard: !Ref pEnableNISTStandard pNISTStandardVersion: !Ref pNISTStandardVersion @@ -2576,7 +2938,7 @@ Resources: TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-inspector-org/templates/sra-inspector-org-main-ssm.yaml Parameters: pScanComponents: !Join - - ',' + - "," - !Ref pScanComponents pEcrRescanDuration: !Ref pEcrRescanDuration pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey 
@@ -2634,15 +2996,15 @@ Resources: pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pConfigureDRTTeamAccess: !Ref pConfigureDRTTeamAccess pResourcesToProtect: !Join - - ',' + - "," - !Ref pResourcesToProtect pShieldAccountsToProtect: !Join - - ',' + - "," - !Ref pShieldAccountsToProtect pShieldDRTRoleName: !Ref pShieldDRTRoleName pShieldAutoRenew: !Ref pShieldAutoRenew pShieldDRTLogBuckets: !Join - - ',' + - "," - !Ref pShieldDRTLogBuckets pProtectionGroup0AccountId: !Ref pProtectionGroup0AccountId pProtectionGroup0Id: !Ref pProtectionGroup0Id @@ -2650,7 +3012,7 @@ Resources: pProtectionGroup0Pattern: !Ref pProtectionGroup0Pattern pProtectionGroup0ResourceType: !Ref pProtectionGroup0ResourceType pProtectionGroup0Members: !Join - - ',' + - "," - !Ref pProtectionGroup0Members pProtectionGroup1AccountId: !Ref pProtectionGroup1AccountId pProtectionGroup1Id: !Ref pProtectionGroup1Id @@ -2658,7 +3020,7 @@ Resources: pProtectionGroup1Pattern: !Ref pProtectionGroup1Pattern pProtectionGroup1ResourceType: !Ref pProtectionGroup1ResourceType pProtectionGroup1Members: !Join - - ',' + - "," - !Ref pProtectionGroup1Members pProtectionGroup2AccountId: !Ref pProtectionGroup2AccountId pProtectionGroup2Id: !Ref pProtectionGroup2Id @@ -2666,7 +3028,7 @@ Resources: pProtectionGroup2Pattern: !Ref pProtectionGroup2Pattern pProtectionGroup2ResourceType: !Ref pProtectionGroup2ResourceType pProtectionGroup2Members: !Join - - ',' + - "," - !Ref pProtectionGroup2Members pProtectionGroup3AccountId: !Ref pProtectionGroup3AccountId pProtectionGroup3Id: !Ref pProtectionGroup3Id @@ -2674,7 +3036,7 @@ Resources: pProtectionGroup3Pattern: !Ref pProtectionGroup3Pattern pProtectionGroup3ResourceType: !Ref pProtectionGroup3ResourceType pProtectionGroup3Members: !Join - - ',' + - "," - !Ref pProtectionGroup3Members pProtectionGroup4AccountId: !Ref pProtectionGroup4AccountId pProtectionGroup4Id: !Ref pProtectionGroup4Id 
@@ -2682,9 +3044,46 @@ Resources: pProtectionGroup4Pattern: !Ref pProtectionGroup4Pattern pProtectionGroup4ResourceType: !Ref pProtectionGroup4ResourceType pProtectionGroup4Members: !Join - - ',' + - "," - !Ref pProtectionGroup4Members pShieldEnableProactiveEngagement: !Ref pShieldEnableProactiveEngagement pShieldProactiveEngagementEmail: !Ref pShieldProactiveEngagementEmail pShieldProactiveEngagementPhoneNumber: !Ref pShieldProactiveEngagementPhoneNumber pShieldProactiveEngagementNotes: !Ref pShieldProactiveEngagementNotes + + rPatchMgrSolutionStack: + Type: AWS::CloudFormation::Stack + DependsOn: rCommonPrerequisitesMainSsm + Condition: cDeployPatchMgrSolution + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + Properties: + TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-patch-mgmt-org/templates/sra-patch_mgmt-org-main-ssm.yaml + Parameters: + pDisablePatchMgmt: !Ref pDisablePatchMgmt + # Window 1 + pPatchMgmtMaintWindow1Schedule: !Ref pPatchMgmtMaintWindow1Schedule + pPatchMgmtMaintWindow1Duration: !Ref pPatchMgmtMaintWindow1Duration + pPatchMgmtMaintWindow1Cutoff: !Ref pPatchMgmtMaintWindow1Cutoff + pPatchMgmtMaintWindow1TZ: !Ref pPatchMgmtMaintWindowTZ + pPatchMgmtTask1RunCmd: !Ref pPatchMgmtTask1RunCmd + pPatchMgmtTarget1Value1: !Ref pPatchMgmtTarget1Value1 + pPatchMgmtTarget1Value2: !Ref pPatchMgmtTarget1Value2 + # Window 2 + pPatchMgmtMaintWindow2Schedule: !Ref pPatchMgmtMaintWindow2Schedule + pPatchMgmtMaintWindow2Duration: !Ref pPatchMgmtMaintWindow2Duration + pPatchMgmtMaintWindow2Cutoff: !Ref pPatchMgmtMaintWindow2Cutoff + pPatchMgmtMaintWindow2TZ: !Ref pPatchMgmtMaintWindowTZ + pPatchMgmtTask2Operation: !Ref pPatchMgmtTaskOperation + pPatchMgmtTask2RebootOption: !Ref pPatchMgmtTaskRebootOption + pPatchMgmtTask2RunCmd: !Ref pPatchMgmtTask2RunCmd + pPatchMgmtTarget2Value1: !Ref pPatchMgmtTarget2Value1 + # Window 3 + pPatchMgmtTask3Operation: !Ref 
pPatchMgmtTaskOperation + pPatchMgmtMaintWindow3Schedule: !Ref pPatchMgmtMaintWindow3Schedule + pPatchMgmtMaintWindow3Duration: !Ref pPatchMgmtMaintWindow3Duration + pPatchMgmtMaintWindow3Cutoff: !Ref pPatchMgmtMaintWindow3Cutoff + pPatchMgmtMaintWindow3TZ: !Ref pPatchMgmtMaintWindowTZ + pPatchMgmtTask3RebootOption: !Ref pPatchMgmtTaskRebootOption + pPatchMgmtTask3RunCmd: !Ref pPatchMgmtTask3RunCmd + pPatchMgmtTarget3Value1: !Ref pPatchMgmtTarget3Value1 diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/README.md b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/README.md new file mode 100644 index 00000000..cac79d64 --- /dev/null +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/README.md 
@@ -0,0 +1,249 @@ +# Patch Manager + +Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0 + +## Table of Contents + +- [Table of Contents](#table-of-contents) +- [Introduction](#introduction) +- [Deployed Resource Details](#deployed-resource-details) +- [Implementation Instructions](#implementation-instructions) +- [References](#references) + +--- + +## Introduction + +The SRA Patch Manager Solution is a comprehensive AWS-based design to streamline the patch management process across multiple AWS accounts. The solution assumes a role in each member account to enable or disable the Patch Manager functionality, ensuring seamless management and control. It creates three distinct Maintenance Windows - one for updating the AWS Systems Manager (SSM) Agents on all Managed Instances, one for scanning and installing critical and important security patches and bug fixes on Windows-tagged instances, and another for the same on Linux-tagged instances. The solution also configures the Default Host Configuration feature, detecting the creation of new AWS accounts and automatically deploying the solution to those accounts. Additionally, the Patch Manager can be disabled across all accounts and regions through a parameter and CloudFormation update event, providing flexibility and control over the patch management process. + +**Key solution features:** +- Assumes a role in each member account to enable/disable the Patch Manager Solution. +- Creates 3 Maintenance Windows: + - One updates the SSM Agents on all Managed Instances. + - One scans for, or installs, missing **Security patches rated Critical or Important** and **Bugfixes** on Managed Instances tagged as Windows. + - One scans for, or installs, missing **Security patches rated Critical or Important** and **Bugfixes** on Managed Instances tagged as Linux. 
+- Configures the [Default Host Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-default-host-management-configuration.html) feature. +- Detects the creation of new AWS Accounts and deploys the solution into the account automatically. +- Ability to disable Patch Manager within all accounts and regions via a parameter and CloudFormation update event. + +--- + +## Prerequisites + +The Patch Manager solution requires: +- SSM Agent 3.0.502 or later to be installed on the managed node +- Internet connectivity from the managed node to the source patch repositories +- Supported OS +- A tag is applied to the Managed Instance. Key: InstanceOS Value: Linux or Windows + +--- + +## Deployed Resource Details + +![Architecture](./documentation/patch-mgr-deployment.png) + +## Solution Details + +![Solution](./documentation/patch-mgr-solution.png) + +### 1.0 Organization Management Account + +#### 1.1 AWS CloudFormation + +- All resources are deployed via AWS CloudFormation as a `StackSet` and `Stack Instance` within the management account or a CloudFormation `Stack` within a specific account. +- The [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) solution deploys all templates as a CloudFormation `StackSet`. +- For parameter details, review the [AWS CloudFormation templates](templates/). + + +#### 1.2 Lambda Execution IAM Role + +- The `Lambda IAM Role` is used by the Lambda function in the management account to enable the Patch Manager in the management account. + +#### 1.3 Patch Manager IAM Roles + +- The `Patch Management IAM Role` is assumed by the Lambda function in each of the member accounts to to configure Patch Manager. +- The `SSM Automation Role` is used by the Maintenance Window to execute the task. +- The `DefaultHostConfig Role` is used to enable the Default Host Configuration setting. 
+- The `Patch Mgr EC2 Profile` is used if there are issue with the Default Host Configuration setting. + +#### 1.4 AWS Lambda Function + +- The Lambda function includes logic to enable and configure Patch Manager + + +#### 1.5 AWS Lambda Layer + +- The python boto3 SDK lambda layer to enable capability for lambda to enable all elements of the Patch Manager Solution. +- This is downloaded during the deployment process and packaged into a layer that is used by the lambda function in this solution. + +#### 1.6 Lambda CloudWatch Log Group + +- All the `AWS Lambda Function` logs are sent to a CloudWatch Log Group `` to help with debugging and traceability of the actions performed. +- By default the `AWS Lambda Function` will create the CloudWatch Log Group and logs are encrypted with a CloudWatch Logs service managed encryption key. + +#### 1.7 Regional Event Rules + +- The `AWS Control Tower Lifecycle Event Rule` triggers the `AWS Lambda Function` when a new AWS Account is provisioned through AWS Control Tower. +- The `Organization Compliance Scheduled Event Rule` triggers the `AWS Lambda Function` to capture AWS Account status updates (e.g. suspended to active). + - A parameter is provided to set the schedule frequency. +- The `AWS Organizations Event Rule` triggers the `AWS Lambda Function` when updates are made to accounts within the organization. + - When AWS Accounts are added to the AWS Organization outside of the AWS Control Tower Account Factory. (e.g. account created via AWS Organizations console, account invited from another AWS Organization). + - When tags are added or updated on AWS Accounts. + +#### 1.8 Dead Letter Queue (DLQ) + +- SQS dead letter queue used for retaining any failed Lambda events. + +#### 1.9 Alarm Topic + +- SNS Topic used to notify subscribers when messages hit the DLQ. + +#### 1.10 AWS Patch Manager + +- Patch Manager is enabled for each existing active account and region during the initial setup. 
+ +#### 1.11 Global Event Rules + +- If the `Home Region` is different from the `Global Region (e.g. us-east-1)`, then global event rules are created within the `Global Region` to forward events to the `Home Region` default Event Bus. +- The `AWS Organizations Event Rule` forwards AWS Organization account update events. + +### 2.0 All Existing Active Accounts and Regions + +#### 2.1 AWS CloudFormation + +- All resources are deployed via AWS CloudFormation as a `StackSet` and `Stack Instance` within the management account or a CloudFormation `Stack` within a specific account. +- The [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) solution deploys all templates as a CloudFormation `StackSet`. +- For parameter details, review the [AWS CloudFormation templates](templates/). + +#### 2.2 IAM Roles + +- The `Patch Management IAM Role` is assumed by the Lambda function in each of the member accounts to to configure Patch Manager. +- The `SSM Automation Role` is used by the Maintenance Window to execute the task. +- The `DefaultHostConfig Role` is used to enable the Default Host Configuration setting. +- The `Patch Mgr EC2 Profile` is used if there are issue with the Default Host Configuration setting. + +### 3.0 Patch Manager Solution + +#### 3.1 Maintenance Windows + +##### Timezones + +- 74 popular [IANA](https://www.iana.org/time-zones) timezones from across the US and Europe are available to choose from. The default timezone is America/New_York (also known as Eastern or EST). 
+ + +##### Maintenance Windows Window + +Three Maintenance Windows are created: +- `sra_ssm_agent_update` updates SSM Agent on all Managed Instances +- `sra_windows_maintenance` scans for missing patches on all Managed Instances Tagged as Windows +- `sra_linux_maintenance` scans for missing patches on all Managed Instances Tagged as Linux + +##### Maintenance Windows Tasks + +Three tasks are created and registered with each of the Maintenance Windows: +- `sra_ssm_agent_update` Runs an SSM Agent update on all Managed Instances +- `sra_windows_maintenance` Runs a scan or install task on all Managed Instances Tagged as Windows +- `sra_linux_maintenance` Runs a scan or install task on all Managed Instances Tagged as Linux + +##### Maintenance Window Targets + +Three target groups are created and registered with each of the Maintenance Windows: +- `sra_ssm_agent_update` which includes all instances with the tag InstanceOS:Windows or InstanceOS:Linux +- `sra_windows_maintenance` which includes all instances with the tag InstanceOS:Windows +- `sra_linux_maintenance` which includes all instances with the tag InstanceOS:Linux + +#### 3.2 Command Documents + +These AWS Managed SSM Documents are used by the tasks: +- `AWS-UpdateSSMAgent` +- `AWS-RunPatchBaseline` + +NOTE: The document hashes are dynamically fetched, so any managed document changes will be used by the solution and up-to-date. + +## Implementation Instructions + +### Prerequisites + +1. [Download and Stage the SRA Solutions](../../../docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md). **Note:** This only needs to be done once for all the solutions. +2. Verify that the [SRA Prerequisites Solution](../../common/common_prerequisites/) has been deployed. 
+ +### Solution Deployment + +Choose a Deployment Method: + +- [AWS CloudFormation](#aws-cloudformation) +- [Customizations for AWS Control Tower](../../../docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md) + +#### AWS CloudFormation + +##### Example Install CLI Command + +``` +aws cloudformation deploy --template-file $PWD/aws-sra-examples/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-main-ssm.yaml --stack-name sra-patch-org-main-ssm --capabilities CAPABILITY_NAMED_IAM +``` + +Refer to the [AWS SRA Easy Setup](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/easy_setup#customizations-for-control-tower-implementation-instructions) Guide to pick the best installation type for you. + +Choose to deploy the Patch Manager solution from within the chosen deployment type. + +#### Verify Solution Deployment + +1. Log into the `management account` and navigate to the Systems Manager page. + 1. Select Maintenance Windows. + 2. Verify that there is now a maintnance window with registered tasks and targets. +2. Log into a member account and verify the maintenance windows also exist. + +#### Solution Update Instructions + +1. [Download and Stage the SRA Solutions](../../../docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md). **Note:** Get the latest code and run the staging script. +2. Update the existing CloudFormation Stack or CFCT configuration. **Note:** Make sure to update the `SRA Solution Version` parameter and any new added parameters. + +#### Solution Delete Instructions + +The delete workflows are: + +##### Keep Default Host Mgmt Config + +1. In the management account (home region), delete the AWS CloudFormation Stack (sra-patch-mgmt-main-ssm) + +##### Delete Default Host Mgmt Config + +1. Update "Disable Patch Management Solution" to 'true' to delete Maintenance Windows and Default Host Management Configuration in all accounts and regions. +2. 
In the management account (home region), delete the AWS CloudFormation Stack (sra-patch-mgmt-main-ssm) +3. Delete host management role: in the management account run cli command: + +``` +aws cloudformation delete-stack-instances --stack-set-name sra-patchmgmt-default-host-mgmt-role --no-retain-stacks --deployment-targets OrganizationalUnitIds= --regions +``` + +--- + +## Viewing Results + +### Viewing Node Compliance + +Navigate to `Systems Manager` then `Patch Manager`. From the Dashboard select the `Compliance Reporting` tab. This will show you all your managed instances, the Compliance Status, and the Non-Compliant Count of patches. + +![Node-Compliance](./documentation/node-compliance.png) + +### Viewing Missing Patches + +Selecting the link on Non-Compliant Count will show you the missing patches for that Managed Instance. Selecting `Patch Now` at the top right of the window will allow you to plan the installation of the patches. + +![Missing-Patch-Summary](./documentation/missing-patch-summary.png) + + +--- + +## Troubleshooting + +Q: Its been more than 24 hours and the Instances are still not appearing in Fleet Manager (and therefore not being scanned).\ +A: Attach the `patch-mgr-ec2-profile` to the EC2 instances. + +--- + +## References + +- [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html) +- [Amazon Machine Images (AMIs) with SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html) +- [Troubleshooting managed node availability using ssm-cli](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-cli.html) 
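Review bot: The README install command creates the stack as `sra-patch-org-main-ssm`, but both delete workflows tell the reader to delete `sra-patch-mgmt-main-ssm`; use one name throughout so the delete steps match what was deployed. The `delete-stack-instances` example also has nothing after `OrganizationalUnitIds=` and `--regions`, and section 1.6 names the CloudWatch Log Group as empty backticks; these look like placeholders lost in rendering, so write them in a form that survives Markdown. Minor: "to to configure", "if there are issue", "maintnance", and the top-level Prerequisites section is missing from the Table of Contents.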
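Review bot: In the `rPatchMgrSolutionStack` hunk (-2682) of the template, `pPatchMgmtTask2Operation` and `pPatchMgmtTask3Operation` both take `pPatchMgmtTaskOperation`, both reboot options take `pPatchMgmtTaskRebootOption`, and all three window TZ parameters take `pPatchMgmtMaintWindowTZ`, so the Windows and Linux windows cannot be set to scan versus install, or to different reboot behaviour, independently even though the nested template accepts per-window values. Either expose separate parameters or add a comment that the shared values are intentional. Also, the Window 3 block lists the operation before the schedule, unlike Window 2, and the `TemplateURL` mixes `sra-patch-mgmt-org` with `sra-patch_mgmt-org-main-ssm.yaml`, where the Inspector stack above uses one spelling for folder and file.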
diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/missing-patch-summary.png b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/missing-patch-summary.png new file mode 100644 index 0000000000000000000000000000000000000000..448d1bc02bd480fc2a2e86a4978b63cfeb971c2b GIT binary patch literal 187047
z@XwZAjuXw-s@$Z$=MZ0Mh_yghRaNztF$L!)B-}aw;ruH>VNI084R2oifBiAcKl{ce zgroS_<%dm?>a4*5_&Y$$?MD+ICMF#PRMnLR`RE%AqdfRxq}BE}W;SxIkS<&+fts8FhXu>WJB=U4#!L=3^Ywq${A55?FQ!>c znB|17J9RtJjS%5xC@;`h)nDr*BBTkxtB6z;%R5>}^ZS?SlGm5J`9m*~o5{kyYh!mM z8V_PFaw+s?rp)b?!y9^dQ8R+L%z{jl%P1%Ks2e8DD$sIuxI_qs*;jSotgB8BI%q|6 z^<*rALM?N>mT_t5^(HH%T~A`OiPT1>tg?1a@VXFc_0vjH!RzkCY5Vm(@=SD>LBCSy zm(V0(k#4Mnil|8T@K`e~xg@k3fj_J~{PMERZn1P^dtY(mqw;MV5(UznfOI9)IfeZF z-s+zVaf_61pBFU-DAJX z%FIOKnJ?Yg){sN;Qklg*z5`nFA<_~2aEXdb&)@hvYpgPr?Y%t z^H|Lf3|$@Lcj$h@>%wQ;x31m0k)wQakfi?sgc|z0b?D#oX2)1g-AjmPIoqfcHRso` zd&^lPPxMIsF?NQ}@v`sZRRyH%`%{22r5|0>3@OkK7cPaMWETQ5a@NP_g}jOVsk408 zn&bz+)bqQ-=9TnuLTz#2i>5jyg&77^Cb^)iH2bcn=c3@NZ;q{u_L159wLa&?uTOq| z6*wt57AU*%!RFm<@#-q`33KUInPK3el3eCt*~-rg zpJxjc<@%Nqe?_i9 zW9mW!UbI!#G`D$#Qx$eEMOavld>r1Mt>2k#ItPW(Gfb19?)BB(IPD@FluPWLJkf4Y zvAXb7`-}X?wqcqH;`IJNNmU~1^XD)52)$lErU16Y!UFPYImZ4z(Szy6knsGj)Rz#% z`8ka@U`fj7-MdsZGuj0)h{0LTd5y4|fYX69ld0z1peS>SKWn9NRb(tcRZWzoS&G)j zR_)jDv||?5BXCv8XDP~3v?^d&!Z9$9fhb5L`U18y#vGW$L`U$UQ&Pl;!ZpJJbnhD@ zRdsb&i+h3i{$qYX-wTmJ6`eZUnO=1?%sPu8eNioPi;j-tcotabeMyDkV8Srs_VbZ% zp;99^hqzyZeX@8=;g-ev>$djE4Y*A{>65AmN7EX+uh~PV1ay>Df&F+1hsd0J^9_25 zF<}o2^`;18LZt<0X#uwkwl@1RPR~qmoM&!W`W0z>x?QozRzJH1ucEJO1oYF>$AJ#Z zCDS*XkEb7*zMD}gCAYtKlW>L@`+J5+KYk*e?{?9ogUpRUx!nV&(GXY&uD&+a7|U{njjX`G&?GYQ5+Q>Q&PDJ$h@ zuHyoanjh*}Nw&;ZTCQKGJM6kztWz3h>^6KQs7c~cL5ibhLTup~e>~2_?RBG2Ov0z{ z>)=`e5tiN}D`hv=s&Di|8VR5X^5ub;=as86C5PD$`BZBos!Mg1d<8i;lgz)f%7*-q z?wjR1sC$rr5o>gwseFv8;pMF9ebxO%=o-I&1Z)QeVC$_?bom;mJxvDRxvi+#<9pa9lJY8mwU*Uag%$ME}M^vwO{5bE-KmTKLX9E*0Lhj z?nYDw#3tW#e)tIEp5BM4JKd}Fw=StJefTKk9$Q3KjPdNZPt`DR%l5~&*ZAFC6SkyY zE2Y^|twdu!t5$rPZ}`b@T%h9ixqARlPAohH`XuA^!d(llW|Gdi@IHJgs!@K7{iW1} zxal_!TCeq^a$$#_OW-;V`2nZbuMFQtx*xdVxSqM-H$C20>QxQKzC{3c&w5K?gZrsw zfk&(n5fKA!j7ByVDta)}ek%ouG&m1EkCPr;E1N>@L_tFQL9#N*lb?j z2Ccqnx>XoaU(qGQ9f`~)JY4lk5t;Qydsw$)7@)1fFcVecauSbbV?~{G{oqg$6#g)xyV}W zGh!x+x$X!(n86Nl>}?yEE;twJmLPRzeS4;wwi!m0?f2#$+N6f_u_A{&PivU}S*ymcwge&)t z6pvK(EXZDj8fhn({j=MV7sMpgjAZ++%t 
z3FM_rEdRd8JApgXH`6^W0EHeIzl!C1Yp5sALJOkf1B#q|&l^s&^;fzrKnfc?J;`~c z7}jw6*OQcj-i&Z6MqL$9{Qy(-5USP7SbE?V_*CZeHoGwy&!-f0K*dS&&NTVvb83SJ zd~(j50s3a1P8PZacGr%tQpyx6;rDOte=pKs7oR-iE9-K54cHXI9W^SQ0(9S7yJ*qO zX!f}HSgDn8qaQv38Cpi=8)S>xf-j@gxfFX%K}zr2JbJX7#}+EaG7f!MHkU-b8SM%o zMm1lov+*$LToD&ZidQl8k_t$O(N4=%q7KQQySTV`Sr0LOI90O_?jrijz2mj*y0y&3 zS5lfQ@lO!&u||^B_XD)2|7*iI9CvY-{(tv_da2_ka5Q zb?Yo>@k;UQ7Pzs;Vy06)ijqO3=lf4p6L@cBskA@tZhsy@hwNNfKj7RWjsb=a-b4rq z_}2oWiR}5HhhzKJmB@Qdm21L_Wda%$HHbxDLRfS1{QUyfk}3^%2Qz`UPLlcMUt)P5 z=O(k;%!?UsV=}m@JtC4@bbc8RdH2+^&^nk9yi*yBrZnIOIM=iW#s&V2xrXwOTc2Y+ zcEYFMD1~(W6go-UAVEP&ZDp`$HsA^=Enb4Qpq#iY)Dh_YZ04*QFBJfYx-smqWE8;5 z9mreP*3^9^O(?*1^re`tyHEJ|?L}ZCMLJ zRo~_@Q^_HQ1%AmgN@cNEds^Nf@NBx@c@F@mxZ^xhwziQU9R9Yo)o|&s@#k{!LdE`i z^;Nn$PA#azEna7hXXx+ylUC#&K3eO9V!n4$9_ruRp_v}9y}kVH4Cf6kmmr}>3qjwu z?{^4^6T&>nmyasmr-fz}ftS7oZMul&13m*9tY@s}Pklz)Nl>+AmTywsOYVv#uQ;0B zgtaFD%L_03_Mh86h|4$rW_hhRzkRK!Xx^YC88p4K7-dxkEKhgPn}l0M24?abVi&ya zBz@fzsd1pk_p0lj6Vpj1cetQyiJ13>G8Y3)+lk7C+rMn8;ahyd!pK0Ih92*^2K$si zaSC(IOtJn8DWVG&JP4aVy5FBSTgfGhWnm!(#R$7FbzYa5LUq=L7RUU)@E?AEQMlyl zqqs7USeonX%8Ow~%NYWiDH@Fa*UUEsA3^7=%@Es?e)zy+O*NJ4!;$p~3$?pj0vcYE zQ^Jh;`Qs!D@88qE;VC>S1`d_E*F(%$US2LKE_RBnu~qi{lML8{jEdEGwQuV8!)uYt zV==^0W_0`t_g1)9uhVZuVa~p2(YZMHAj`0e z_6}p+i1BwJIkA_4W&GuQo8Cs#vc-BDOS#23tBGGP6N-AUMvMLiZ5)rx7dMYj`1h@y zKE}GQmViR-;#+2H4V+ZR)Q~cDeD!vVhSH+k14Ic6{^`nBNR&^J=__5EVrQd5 zzg#(98Ap4Ck5=waORbtZ1a(?p9zLQp4c|s2-x=;Ghlr2e7@e=_&U;(zCQo7ZdNP^F z({B>lGyAr)II=W(I6yF#Tt`KvRclw75+8*s934< z57WN58A6A*epN*kBA_b7cH{`uT~IZgMj)mnl{r6=l= z&wTZUc8mAN8)o$#n33R_y)(#})8N@YW(zX11B<>*_mGX4bfKR8t7lR=?27BwVZ`6n zgMSS&w(W7gTU17;qJsJ>lgt7ZB~$hs7LA>!;PPzh0uXumQ<8#BA-TpJ z!=Bq>6BWXI>rSOHME09x8mWPqHkCU4Wdw%i_a!DKE=P@uAy)cZdx^=O#=723NS+yA z_Fu5GWzeIST$zrGW+G3srDlOe2ORPDcDF|#D?=SKAFes%Ek2`8rR8&uiHtkYR6$l0 zbu5G9i=j)ND=l!<2Q;?rm^XU-=a8)RiX2YX5cVE2Y?V*;&O!)%zJJhmp<*ZELxa2^ zgM>kv?u`_NfE&hW5ex=3oAl}MiZ5zQ)W7)&xQZ2-Vr%leAdUiHgdE{GUO??g|MP_S`=AQES@RitT6>Bw@1gdR&IvO@U 
zhw;#$rwmLqfiR-6Xc*R>eMxiWcXX`Jm_5#MFT2YXEqJHKys%rGmW=viZ7JZ=_8Yp! z7shs9G)DH4DG((X@*^QNPo~|_ccsaP&D-iq)U|1`R)E-%-t8TAjRYM#mL48Vt_K{$ zqPOom|NWJ%A%~hUM*Jzp{*_XG>ihy?j`q$7_o_al$kZ7XN_&2`#ew>Z@|W6i8p|KI=Pr}9;L#^&@}qMK`ypu!!svL42?hfP zfL&IrJiStlkL5Blbh|q3X&ahDoSRDx?Iw5cifLf?uQud0ynTR`+*)wV9z`v3*kBle zokJ}mBH3njPDhf(<}E3!O zHE?xc@Y$f>XqkbIh%IZ!>HtMcOr4W#iz%`(L9MB z&*#W8H#oUL^}e?mvUI?u={5?gseVEE7g~`&$?VOXp!{Y@hEgTJlH{e@8(Usy0VS;M zB2DtM!X_FR=6u0Do=1;{t%PBNLRGg_DGHN0nVXT7`I zyCPs+FZ@{X+YYM;wChAF@*ZDtSqFF)*riUOD*I9|L}8i2VWMJK^J20&mRtK3JrcHA zp!vhB;P})^%gu@lF?|g7FboE$)|o7WCL|bBv4j(az!i&mvPMhDX#lZX^y` zPk0YMrWN8Tk)6MD>TP$cVG$*#U69IGzSUqh#XZ7P=de)6{!zK!^L+T{y&Uxw-IQ%E;y<}QN`TD(*LB}t7tPoJpbUIpIsXDo(MGtpkv++m-<7lFQ z2%JNi10Wm7;9ATfB*=6E(+GYmra;*{k{eBLXOa2l}5xDk4G;ec3Hft87&7d7$JD)6J?v zq#NVRnhTGJQjoeqy-U2`aetk3cfZIC^Q~J8{LZr^J_islOVCs*NxP>}lP6C_)CP}H zZSSg?KM$i=#y2yK3T?RlbJ6v@PU!i`dSNE#BD3$X7Ev!b?eS$Lov>mC51^j6P0|R^U!zbXVky7=%B#F zHVf*R#O3u_ATHVsla!+3e}0MbW}#ksP4u^K-pT)jX|Bb0cX;uu^a1c<#pZ4cO$#=nj)1Pe#tUg zOr{v2zuD!fHH&E1{@i%6Zb*sZhd$vcVfdd<}v@AGb}1zQmpo{$aJG1C#q&t(wytd@YA1fmH}z3=d!PNrvCW zQsPDY6$;v34bW}to)Igz(SENJ)Bzh5{w)@_e=y6m1N$?;ADFSr;M~&OMlAxvHLYxL z{Uq6%3pmad@6^ieJc%9e6sdb&ifIq&gE*!m-CTD}_YttmGagMlgm3}auUW6{v4tX1 zSje`7;|d+6Dk5hRz0`S0^$3AJb|1*^=O=Wejbpk0BEovfHE5x)eL*H=ZS7Z(^NhQ< z_sRSA?G9bB?{vCCsLJvSNPlqiUAZqCQ~>jKI|eUNeF~vDBNVab(hiScS~|$cMO^;_ znm?&(s_sg%fJnNIX~@p$unK^_ORRiQTdcMkPihYiId4byz%i1SEj*%}4^UA%+r@Mw zzuIf5Gmep=#g&hM$v*SfFOA---yW6Vd^a!*?gQ?MNsuqYnsv(i)~vGvw6lD$^3KVA z5R<0l^K7y##i$dVfU{H74Fp_-7+a3qnyL}#*jGv7RLK6PP^|W(4jSXt&UDpJhMDOK)=cP$Uh}f(fta43ve9IxfYWTBNF2ziu5R8@BN!Z7 zT`jxZn>4NIbnGetHEZz~t;o(D-vxfH;eS#z`6+I~2e`lEjITw}3n>KPFI4s!rcCjIZC}eA6B6B3?!FAnh z%F3c9Nk{+FNc=CqBP^51N8ag4l8FgH<(r$kjX&r54>-hgzbm(I(*Qm8ML8K-%=@Q| zJ$ifpG1&a}=)x&zx)Th%11ESTx?z8N**{KP;gQ*G%n4m*`rCl>`#FNyi1-yw-mW0| z_rsx#EO9pCwRwN0_#cdLx*v#;;;VlTDPCoMJw&WEO<|Zy_zwu>%Dcodmgg4NU%(!J zn{4h>6AM!Z-zy0Gi@^GSH%pKMani9?{c-&tE%@7`{~wx`SpqGjf9Ws!mQX>`p%4@Q 
zCmsR9{UTJXo@l!<616&IhZCXFF2xeqybx#KD#ftKBqvAM?2<#)~w#GrUfW6#Mae z*(@%r4hrp*mfv^ni-9ZLi)n2~t^x6fyIb@>I{}%DgEbNan1!xlx6pt}xRs(R^PjhR zNI~q*v3%$MpgSL2Bd(fm(Qy3*koR{h$@|kv{`z_I&=3`W$Gc-S?wZc9tI?pEhJJ}I{! zlmd%-ea(>cB2@Tn!RJ|Dvxx$&4mD z24hyMVjI(Ts(`9(9>?1=i8d>(1<{*`NIt=e|~T(JgHF|yIA4K)GTj~yFlZc#jW^=`N_$?af8y(gJ9kwqh;ds|1K zyh|gE*AL5h6K?@wt)4$h;?lF4XX;qOW{UsvI<2HMO?hgl#HN~PqD>IflEb9Ex zejhwT3{EB7e{TK>V8Ulm*@x}xLZL`2*e6z_vz?z-^fO)JVGwpopkxr9^rX1!udDLq z>B{vl=<6$}vp|vV{bjD@jGn7dUC8GzTt=Oi0bMS-VqqonX%8Hl= zaa%;gq1dbyx-@VU)pzC>L&VffZl}GU@R$@31x|qMum`O-PhoCRA1a z1~`uF^b)TnT2Jhpc2VK_->$k!om%4+z(UqR8Dbs^pYL$)zDTFiF^cS8%ezdDXH5g+ zRU!-a(Qym!r)C*Ay-s&^XmBrR%eX?wu|gH8`t8Z#$HByxiPVrcDwi>>YZBWAzQi&~ zu!Lsy^C@q~UfrxUe@YP^P0v?)ajG|vC26gAT_aH}|L}B!CgLtvGJLotGP;6v8t&O& zG6J{F{Sf)>2e4*?(4$uilg1K^wO{OI6T_xnbCnU@z|i4P&!Y%H1FGb$9NC3b z8!w94cTlsn9JAIiWHHQd^-CWW;1}qpXDArh!@F~Q@Q3}^F0A<|?N;T7R;mYL4rXNd z#i5m&dzVT>PmDw6=rfQEw>FSPj}xs)3D1TZ?wf-bmYu=WS@tNHsss>t`O0rCbf5Hd zItNqu4F(>RhH=WGR7*lTOMtC``R(tAe$&%~mUTc`J#I6F%5>5~_6E`$#`a{`q*A@y zrG6rxA8`1A9i<5K z&>7@4$A!5Swn%W*Dmvamz`FO{09r^KRIK4x(!TlX8cpiDHa>A*BYQ7)k5s*d0s?Y2 zOd+ya!)=(iz$oJMncPXaF|o~K+BlMR5JfjKnXYCCKY?e6f!KzIPG;R7T*7?=6U&ot zTgNIFR;dG=@`ls(u}m*4OKl$mUIM9V*51_ks{8P(l+Q5V4)k%uD4HKX#6h13c|&N! 
z0Q&a2^FxvNMqlQ1=oP`0tjWxBV6Y?$Fnrs?0 zwP6&muA|lW7fAUCU=|PBByPpha}a&L)6yL$1!9(=JP~%99y-6I&X4b9I0QR| zpweu&NTE$081B$MMmBQw55hkD7ivo~lzzJ}rPs_rHTnJigkP!`)CQSz4WmsvN}NF2 z!7fRB$d&+LptgPUgSwqdLx(tKt0MNHzyNfF*{#Xbxz_+lJ_c*Oc%Rar-a7P9)owJ4 zEb}1kREWq*KaIS{7k}$X*Tmv*6p%gLP-NsoBcUi7TcH&HJz*1^;b{h3=% z?=Ph9gBj5iJ^2SdpnmEo2{m}5;`wY#TO(r?rulFrlJu18uI57_h z_k4@~ew@fMEB4K3Ru@8Ve06Mkf6A2A4{`wWi8K9t|1g|b&4ALhEm;OBJT!TsWuFJQ_?fhg*(ln=4Eu5vH}J8b6&IuPoK3SHoSX(*3mqSJ_==T_xfTd#0p@KttDhg zfpo$%;t4li-I zV@i$RraG=DQ1Fh)+zom-@_hviEbZV7CzLSm8-<|O`(Mvs<_J5nqfy|C=w@k)4N_%u zDdw3Z+H~RMhck0^rO7;Ik0@w)D&)R2m8P?`G1wxKA=(YUfZE08SG?Xz8tT?*@T^Z4 zhd{*rPoAc`Lgd1|HqWG+9Hy$l-+;c^FI*q%`(fssxZak&xy=MzO{0N3ow^Ay6d}d^ zGv;e%ujLYxJwIa=vp0uU#ikp`U^NbN6*^g5W=JWo0Em90OeFxn1Fh3#vuIvr&o*KL zjXKZ%x@gZo$|e@poa7$L1!&kS+Y^SuYoY`@de<)6?(k{9-cNmRshcX2)s)bep+{-T zB;`x|SK`dczjNenaleM_1BJ_LI&Uez#(hFCovfVLC0trQe-n6k^ZXS34}L2Z+urc%jN4$||Q ziwxak+?WLVs*_({IY2YFl8p%J)1lPx#d}vX?cuf-7pd(fLYt1kX-JgJuZl&fk;PG% z)lxPgw><#+mT4F`|0N_mX6j(3*E?F==f)s@TYY{x}RA#^9FOk@Yn}+&{ehX#bhNOhenhR_68Lj zOikNo(dok8GY1Ddmawejde?KF{)UtM9h7ie>8kpo4?R5Vg;f~HtW<{!c+mcU#%A39 zE27EqGRJA^*LI;r$pSh@kub2r@lx?9AnPQNf4<9^Wc*-B9-1+UkveSj*_?rnlsl;x zYt3Pqr&?{DGM+A#T|X>BVY`}JY7l~xI)%~`c42QWs&Rf;{f@;c zVwP%~y_pxWR&kU4#e}OFowQG*q@HWvoerFu=V{_?IF;0W{~R5f7Cu2CGXZ~(`Ym4% zd&HK3PJU6(;ket@iK{JM!KlY5=aXem7W+gw>g$mMu}YJt2Zw-}yHe0*4w{|lTdaMP zf$8L{abVCj6$ru04I22)k!k}~(cAA*cVrkoF38_F2)kiO+_8YcU8@{bG2O@h)eC%u zhkgq+4~!TYR7O7V$$PoHAzMo7o5^i3A_HSU!d87D9g&+EbB4XCr(FW+z~dK@gbG7z zskPgzQO;6*!PJU`7sv8Ozjc^n^>TcZKG(|jw;*>4^ky|RN^D7#wm*{%2)aNnv1FRn z8G~;Ncb5eXU0+t2R2NLwU9Ir!Z44CYO~#00R10IO24->rqZ{Q-^dIO6U4v}Q>rC$$ ztx2Q}Gunp8O~krWTLWri)2AmwrkFK%hcznKdQ5=DShoe3|uqb zoL-v)O^!O{icpe1Ff|D$4=i-FA3jK6_tIFOJu)%UOo?TBu4D>2{V9Xnz%R24)9BOM z2}1-58v&&D!)H@Wl#O;DJeM~DxAs4@n%cY>%&3d3)s%^+z zYE%X%SN)C|t8@9*PLV{N%5$>8FBX(F8fBLwyYYe5ex+}J)meJ#IBRzLW|ta!sfgU# zs-k{m?M%TD0^10;3?6&ZsrCgmx9z~6DpH>|@_txIO9#Q%N}VJd7~>A1IC-_&kK9LY 
z@?flW_!p}|T}})c)I0WOvAG_lfR(hJr}EeDy7*x>mF^n4QI0EFR}A~{P@^RCgjUxl~wX(^4Qe(>8L3O z!~WW`H(xV|nbe}5)4V8|_XyMlLyO*OF~mIh{i0gAS1etlUWocsZL&Js{d-)=f!=bP z5=Ad$A2P1%giAtSL#z9*k3af+gtMlsw&&1i&IUyR0>kks06qI5L)Er6j|rpw79RT4 z8%T%akUbwaX$$dG7G-k*7Wd1pm1!Y>F}wT;wwrWlmS5`+R*5eE?f&k;^sYd^W^h|i z2I@mTnRx8%U^3ECXvko_q3uc6#(w!7$yVRR;N;JPNfpGTCBTwFv*@q+g(uoy{nuss zS)U)U9G`CJq)$S?9XRTTwcrzqKFXVE`DM$2j8ol5_9B*H5j2cq{%Q)*=`50s9@ob- z-uP<$w5-w05F4ec+Wz70t`G8B-hF=Yp_s8(vJLmPYRtpN1r)o{m=BoxgXhd3$6$BB zhAfGT?BYSa*ADasJ^xE#=b874<}J1gDno9F8-w^~^3FLN2Jj-fTL0QUlky+cKm=*= z#TRYX&r>TZDcp9ISe>*o*M8zoVgiHN&acHM;s`OJWObLx>OJgcc3ZHE>7=N*fgp>K za#NmD)Q`Tys)O-5vB@)7jem~;V?NUpp#w3N24ZZ2_~Ao|%t!bLJ_Ncy64}0bLn)Ox z$niTdfa8B+>?M>Uo^nB+P1b5X2(}LIMJ7=LQ^H1zOsCJfDqiiG^RLyJErm-F60m=2&4l);>6rQo;1jAzUvpXX z?K89+FLPp=!S{Z7)NJC9ofh>fl`~G}vZm^>**+Z3K4kj?Djh+Cn~TcvlFQdj>8!zw zbD_2l*fD`5#^l{Jzlkj~U%x(9W;luUU7CmxevyG96&L!j4rOVP<}4v=5bQvna%jQJ zd#TW`(Faf#cJt#-dx^PR==r> zXt_*|Sae7-ikqAB_ba+NL7t6CKNd z?)GzT;Q5nUjJN|s==Hl_ER_>gCP(re*lMv2`VnrmJMU+eUpVFfO*bXx6WP?0(g7MI zM>p&_?8B~Vrtm^G3xW&O=^6Acaw?l@E3Nw-XwB-~duBFnrU;ej2~3D(9vDi)vxE}+ z>jZ&$Hp2|0PGBFN!`PUC=$Ep;6U=t0F7*TOj@>SLo%WCoLc4=kGnWDUQ-9ppR^Kug zYN9Oxpkl3*JupCHf+Ph4Qg4ZSWG$M@U!RhhDBwYFdHq;cNpV5tan;*}Gl!7>VB~;$naINj(gEKAD5r^P`OjqcUG>7Jk=#CzLivz+`ZiB~i1gZNDAy&e zD$mgZ<-3n{R@4Z&P) zj1vQz`2Z(hbz<`GtZFJy&~m~CXSmwzMLXEwJuDsbgeDL5DgRCU`W5X$6eYiS2 zQxiDkUqIAsW@A3(DChWci#;GDzJ4rmV3>QMF}zSZbC(fe626A~1B-M-%U6LsG#m=o zh>1v?Z_AjY>CXn$zrq$fBkcKea#gpd8!X2@eH9)mLkQJFq(%Eot_JnuJxO>d7Ub!h zX*x(15=aMBL;L0^Ne;9>KInMcZw0QcZd`bt2cUg%v zULbnbsOtM>4n9B!e60Sn7!qXCqR!ryQF%$k|9lN6b`dZ^$vHNxy#n%tk6GO`q^ z0A1bAT4PEjU7_wDFGc;NOJLQP^b)7m?ZF360*c6aG~%XP=4pSYFU#anta+Uet_)h> zz7Ad{>&V!F=rV~C84|z_O*`ZfuI$mS6iWU9<=|I?{(|SrTxz1!)X&(Hr?Ub@(9;KTC z{Vb`0rr#vdwR_W=?5KA+k^a^A`;I0!dVuO0M1*y%CLd#OCOAP~J>Bd#NYHUaN1YQUPH|?u%>$)@arnas zc7@T&e|f`$jn{L)iMXeOMR4-B(Cnl;07FB`Iz!H6J`1K00`VDYXB13?hA?W^a**`y z1GZ964kdW`fp6`HTQ)?;(rMg%+P)!#stCjwkkvxMvhYM1Fx3llSPLn5B4$t4V#*-4 
z(|EB5$22~F^3Es?Y|`c*Vo+No=>q#x3*a$`?a$K#GweSzU`zv1M<>o-FP zUmN_6W6)wLYAZWe1n$Ui0)sY<@5LG(I>mZV>(lA%_g5{J8s?7Z48^bTFe7F&`gsuI@HMEWt_cUJSE4ogFN6ON*`hV z4lD6WnVdi6YT6Zk>uWvcF|13u_T=Kzo9m2@2W!un80tsl#!p z19y^fv!5m40m^nr>QyMPY*oYgX1yn-vH8}IYp=;Algr`A;cFw{VvEdquQtb{4D!Ay zB=Dwyf?D0G7Ovo6ViRZR9OLR0a|nWhkPchqcW3GVi|iVy-9PA=9>jj`Cb}+1ApJd3IH7?HQ1eWDwwmA#BI z)V!ROMao6Nd&rfK;`!SY?-AGHBTi>L=hStyEGCRA9M`l zm&wuTJT#SACzEebt5|t;aIqGj75I+&kD?LbK06e16BlCHft@v|?-uLrfhy}Bm%cHTIwckzfzw97Q`bJk}n zUpK}uc2b~ecpFX%}?KuR;bP}A#J&}F750P_0Qi(A$y;0`~V}h3*Sa zTX1szo6=x^f~y}>i0I31LjHf!#IZy`%1=#R{@?dT&@K^!Wi+j33D4Ie7Ps@c#Qo{?J8y0?C4J zkN^FpGTub8hlaXGb|9aqEeddBLAtt$>tX#SXc&O^~eo|@dSE01Ozs*0QCI5Wn zOha_7TgHkEwK$Xb79CA;rA>Kner>m>H1^sYGbJul7nZr*f1had-xBIWh551dsu5ga z5Gjm_Y=>ix?PWM6D$1S&rFnX{YvK2n{ig*<43p4P!@n!_X&#DF!9pU3h;7M8iun(0 z@0BBwI@H3Q5C2u#`~Pi%`3Pd6QT(e61*+eI34b39K1~t(C>ML0d;E`2<2OfbG>>F< z&mvw#KOp_L9eT6oin*`-@$r^8bJYs(9ne_9V;^mfLx+H3qpFf0v9yCmP3phdwBqlN z_UFqyeA&h&0J9!2V3wvj=^%q<_r$9ouFf|5RobkpoSxybm$w=Ys9lRL9Njjtm0swKgp@Yod})%)laVbau;*U#8`K1ZA6(0L!Cp)UZV9Yn-^1}_^8U1=w+Qus7Ve=9e zF9Z6#)RX5APSCC~KP7i$Lwjx~lkP1tWUGBeW?DJ%zX;q5hELQ76dmdRKH2%+}GjEu3SGXgLsdR0VUPD4}V5@N=x6*r(lc)}Y*MtX?cvy+`dymwg)i*L}2Y4?74ifx-e0s~iBOwxwX*F6-=Uj0+2{_|J)e+S5I3U8BL z-yK4TXXdx8?<+M?|4hqa6XCD+ z!6>9RJocf`rR62;c3&SC*-!Jmm!Q1Ijm@XBv5$jxi}_!&Myzo)^e2?>~huxcaVvRr*g;CA^FlqOtqA%Qr`gZBd8sO)CEjG3O#uj_~ zkQ`2X zxka_tV&{U zRvv4*{U7$;`Y+0M?H(3HBqS6CX;exnX=xCYZt1Q;V(9KtL?o2%2C1QQ=#XaUp}U7} zhM4zaf1mw6`+45)z3=@8yuT6GXRdS3KGw0;I+n*Q?g*MYlXa3#^ZS4BEN3noxQ}%> ztIw$gjb}FgGD`pFQlwdQZbhv2{F)TCl*(H#z-F}yAz`zTQk!M99Vvw*3p);CrbB(M zzYL@U#kT7=52h14bxYK_p+#5b1~WUG$0V$Ya$Cc{02a(;tqy~ZVj#S(Uw4)aquF&o z70<=h;|dSjOpQd@e0|w$gTSPS)w$n)xY8A)D7Cy_78YpAYqt_!Ls68nL^0!Wij+n^Kqp-$Raf3*P0$XI|7#Irbu zI?r&}sg3BFZDP(>&52a$#7&~{v?ZDhr(ZbResQ?`C&m?e$|W9}7b63U`RRK*XZlt3 zJceq&(JE=I-%((;w&&O0zqHif|T}FTycU)(hSefKNRUkP5(vcaL zo$}Mvfi#U|_adF7jQW&JwB2iW$A^iE$o?tEYCOCN%SG+bLGcuhFTOmL6~)3-@0>a? 
zJC0X-El6w^s=AtNK9%GaYM(qGmiIgdh?~dNdXyh$^%k{xhZbFct^dawACaG;dGN;G zcvj&+eUsa;BH2W~#eF#0SQEJXk0S_XdG2_0k}rA;F3~)W*bU|cjNMIrC^_155O#|I zSH)rWJji>@@M`2)A)QN+CWp<)Bl22>Sgtb43Ed4cxY1~EIE6W9?=I%`-|MP=_`%Ke ztuRkOoQg*W>_ls|Fl>S5%GB2bwG%B>gCQxj(wT3~^##mnD_uvtK>dwv@C+4rJtf@a>!3n>i!YT$in#U$L?M+qAJ3zU3zp(ni62qy_|BZS zJ@_GWVt#RsXp`XCFy?ppMu22F2}kp_DAkrlS{FqpXh8Rcz?j{GNLayAhbN&f$B0A2!Y=R4NZD&XhOOCzf|Kf`!;3*#h-)o4H!3 z1zeaz%mPqop@YXMy`~NVYw6fcRzf#*UY7+DoC$OGD}R3S4(KipHvOWPW?nc&O5Kui z&x0)Uq*D7q4FceUzr9^6mfZDQR|JV-z0+qVQu*qGem>mneYU_In63E7?u@K1TKnao z%!KxT+*&Gy_?#0z2${DUb6Q_$4W}c%u}AHIa=w%N9LrY)NQyIXohh2*TIta>z}(nn z&myHuyCN?*EY)zMK*9K|xD);;B&Gk6?Ot>=Jys#wK{366PGCR(c?ISd;C^KomnWan ztL|K0<4m=gzSh#(POr+J%cQB_@C{W8l-p@N6c)j&^j~`OtgmibK90wE2!y`dg)Q~4 zD7)2+B{(bxB&C>mRVlQXNm4}Ewi-go%=`6uDaR&HtM0V<1dbL`~1-+ z4&Qc)rWn(&YLf!a|EX5kQuGSAtC6?tT`Q0e`?-GpP!SBboqah98mJiO3anSFAh9m3 z0*!xnq1qu3xtWHHUgk4JGqLb@RDs;jugfDyKMLfh81S2TpqM}7)$_MoBR-NjO^9Ah zpOUX-!I~>t4F^0X>avI!j$pGB9tv-DDw+d{@xCFv78H7tUkA>0Js~pGZ}5tlL!qW? z%362Rcll@DMR=Z5mwVflSEsBYHS67!6Zjn=n*;aAx(6d!i%E^Ie-&r8ZUljDcYOQp zi#Qz(tiIM$brDBx&28ivfK#&R5#CpWLTB!K<_?pRH_mI@+&$)B<>A0Z&pmpfxQyt}h7El%@F@d#-Cll2c85Zx-$_0+T0D9X<+r|i@Q z@W@rM8b05pOj=o_0gWCUk-P{Tt-okPh#nO0omJu6H|@8G4bwDmp41~h3joK56JFh( ziwW_+k9j04{A&bUgu%_kOB-vp19YXB7cF)i~t)X=i+)IFCN zoVDam0o2ZZl0i448;#g5wZd)7J7bS^Y00oNbAya`sV1WH8m(4fC+JS z|9qOVi!N-b?%E{iZ|kO%=0}P^LmX556;t+~SJ+e=e@4=V3DsP*od~G2M?H*6GUER| z>;HKo{qGP;@CEvC8c>S&?f>oW`@jB{Sqh*Gj9y2Z{C^jq&>UoA0eFb!2Rth9MDX9QmVY!{A`zH3Qd#C*|H0P^2Vf-00Lj1aD}O1XZ=^px z6-G^zCHBI-Uo1X(cj^2L?wCq*z=f-Oa2%B#@yCS<>2wjF!`8@J@N{a}O9dL> z`~z5OEctqYu%>US=8AvWsE9Xr7|iZY22kn6GHr^=|1GxZE<3N>Y5tFU=z9;i>;OK~ z9G%|u*d9~qm=%VXV)7k0D1I<)HHby|*J)x2KcjXbh^d-|Yd+ zQcVZ8#~rRO%7zMr?B>RqG^|A`+0cCJn^Cv-YrLaz(oT0?3(ccM_W-Yv7Eq=B=to%S z8Mk4bGa|NOq~VL#WL2S_pnIFdYwblXKKEsb7E1!JTcD+-M!e4;`i*aV@u}V*pKEKC z8Rt+4IdE0JDH6Zu&q!ZtI`xK>+vXRbIwO4{B;vhZ^oUwWtO;=yx-(fNIcQM(*??Mj z8Rhya^NQ%j!vTf=wORl3SAPb%#pSg=hYt8Twm^ZT2*nM=bL;zf#JmzlB_SvJ*`X42 
zNc425Rh(Am%zEUvy$MmW;L9W)>q_ukt-W|6uf>~ZOlrSc+iyJ#uXK29W7P)|`yL9_ z_a%X6giC#-p6$gi9zs%}JKG#)ef0&M5hM$zg5_xxd=8pC;916Y6dC>Qyv6?ZU^X_9 z>1lzQO0CpmXwj_WS`IwUK&ChPwVtz}`%&qP`-saBzsbjl7&Ru1zQ>Mx3#ihhjtJ^m zt^08C;A^^`D26CukrVuBjFQKqEujy9extvSi5CMV2_OfITO+yH@T?(amiet&y}dc8`FRw_2ZuVVRG3bw1RybFS@1b5o4GC0hw49} zm7;loyNU)mddOIMp+-v_&Su>`E1&hn z9d2ixO)s8al$o&THXHc-^twET5;}Kp8~NT^80^nC>L9&Qfzc(JVjO0@v}EZ*Zj0%k zCtN~)(XHkXv#b{NOxkY{;>X5Mnp7 zk#GI4dF=eSeCxi@N+*7*G}zAWOUaz-k7GmeT3-}AV=_I={O|;jpuN_CBuBFt=$}1b zaCcnquB+HsoqGQO?2B%bH)tXm_KW{?yJrE=)?@?*XG`S&8c8=24|&X)JIh0jpY=5& z(%bV~rYez}_T$OsoyapTY&0&CDyil(2pulDwmEDvay28|iax2Z$gkhvHc~bUeZk%C zfI)ch9__}`eL{L% z)1hdoUbtG#bO*mR-T20Rdac^s;?GM&s#P{Zf-E>yiAq zGra}AT%Ms`JAd)Ynsc6_1sHed%Z)ePvr`p0yX3YqGiSE4l$>5}4pDe{?YgM3b4gs! zw(J`e_lcr(5^D+tpOdB!7us|(Oz_nPEG6m#F7f0&iOh}=(?69K)wk2*R;Du(#VSx6 zJuN6GtO35|`|ITg9O-1*vLED}e@yS)vUYwaiP~>MPEVBB29#=*gQ{SGx7x<&jS8;~ zG6FidTBq5BZ~8GyoG&xK;I8(Xp)#O4m6op=q-;ldtsv_Yc9jek$=?H~pu5VQ0?CZtLsw?E;%MTi=Zivptqg1#z$t45>E zKvv3ZsSI?2o#nm8E3@lt3m2*VBQqJ9f$bPN|I6e%BpkrpY^b~k2KaetZBxy&%_``B zb$H$0sbiS+t5s5Ml_a@Tr(v`1=Yu-MdRP2T7r*5a`P-W&oJDRqx}TL!{II4Tb@BId z*F8P$`9L&w>lly1ljCo2`!5xZbb?AJc;O$)p`;|6qqUwp<UC_6qFQIWWhL@b{pxn4bt~+iU#xynCKR5LM&*Ao-7>lfS(0ci6 zM8#*0joQN~Q$WncBkj1IZ4df1xR~`oq*oY~3RR+4ywZUr290IY+e`uEPq^!N#0aDU z9NSNtvk{z=YjpJsCf!qmR6skbe=V23M9wMU(qhz(I*0h??)AGnf~(60QG!;;NBPPX zxlUUX1NvSG6{hxs7NuQ0#Rje{I?ZMkc=~{0W-K@PglxHKPmXq{3`EXSV~sG?iT7CB zcMe)JAeel7zHqcRvuif>i>@^Q{#qs5%MfLpAnH*=0F}L}ng4|uMkbB&xmoSAZTk5t zm;gF=6)T?vR(DyUm!}o~^P@T(Bx`k`cmIaWj-dEQlJz=_Recu3%Bo+g1ehMttfhJ? 
zfaKCxh5GHQe2(#;ms6bP@2&pq^1Gt#IIQ*cOtP;?a6+(kp=Ks8(Dm6$&1PI?x^(#} zJfGIi*Pzn9X8T0iwNQDYfeSjWJHHg6%?y3&ke@MyaOv4v`_+l!napF=uD4U8yYpTj zs*{YGx&0b%eO#QcFAmWkl<->5zX`^tuJ9gawkwXiN}!-`@fx+s+a1UH<-LpWR8db5 zttB3yfrGiMpqfA5AKAoFx#;Y!Tz`-?yDZ@5Fg{@8aic7yuHPLLx>|)&`;@s3({Z&& zuxZ!72iU+e2io?Ge{sR}dx*Y7Su5;*6#bM*i&aU{W})fX=IM$XI{<;_Yv(tZ_9bfN z4#vM~msE@dqz6fwnzLQQ4d7P=7^RIoZpB(%D-4Pp;#zF6OX9)Pmx)kUPmvDMg2BL> z%e=H+5i6Aa+^*dyv!e#rntosfAdW~cROKqv>6@XPwXQm)mx>jv!!{1Z zi?#wafPRTsVw1Jd+ui)mw2ly6#Z4CQ9d^mo{24&y4C)VhT|KW;QWK2>5)OA=K)jf7 z-60+bzr(;AhDsqF;gqrp@u;6}=Zz6^qV7@osPBbf%6X{83i20!3~HmIBD1WgdxC%k z?<-<NUSp^9#IC1PwQV)ISeq=g=$b#_P+Z$W?%OH-%$^QUf7ctMBJNetl`%cte zX|=$9f-lrIE!KSUvle7&z{0=0Ng#rv*Qwc${?!>O_`a}}Hw*`DXR{T$DZPAnx{Zhk{n?}TrFB1Ei%U)Ow%jfcetT$R*D(YrFOy>eGI;+#8p7=u6!fML_N%=K`k*N|-jf0LQA&+*m zQfL;}BYc((WUZ#v$xk+7En|U{~1A8WKcMA9Q9Q|hS{;D83a7L-qyhMlBuT)x$cC(3`#{g<3*|s3;*|Rl! zW+y;{78|~tPiHWHa49^4ZP>;8iUL6~3CN7Aua094^po7@iXBPFljWl5iz$S?x`E}> zQYVqG;?Re|RLN{mFXwY(=BK4Tf~n`Mwa%On_#m|c)K^ew+MC_u;xMf;P>Vnpij{TJ{}73jh$#e7EZa{Cyj7s_ci$Xu-NJ&xG{OBG_$ z<97in+m-jW-hZg)oV-|l=DxZ3qTFF{OK>~j`yssTyc&TslE^FMP+0DVUsEP!Wf z&VT#XgAaevfkme+7_z(CgYl<~V4;bR5E}-cnVI6);$BIHPyYB*G*#Y%0MAE1ZvPqr zvq!baN$q0jroOW`eyv(v^yqqxgxrwd)W_9#?MKN^w;yQ8n2GVQrPx}6nv8a>aYDmRCBtFim%h}Z)jT@_FDD_mN2r!8M! 
z3z_8NeMcR_m87lc{nISg2lXpFoYRF(dlJV%KM`jha ze75MO>Kyat!YV{kIJK{iXZ-x13}DEd)Io3gym1fNMNujI^%1~&k0?q(P$VaPD4(Fr(5)#?nwU116*A91(5x!q{tRi;+G0jl`Rp~UbKd)*Y3s7t z`g%d14Ybl_4pZQy@7XbF?9_=~UksC1YF(%Ci@yji0r0INr0dy092~P$;~FZ)MI=xV zH<}0Q1*%rXOU!&a`cuf#c53HCDcFw*x$`H;9o?aTT;W))0Na6(+oXZR(lsAY4YbI# zJ5p?Uj@o#FuVs(Ed%Dg_Lx7^1h)~b=>r=RU>}V2_?5T^4VAPqg!;WU1$J+M}Zdi)5 zFFv&mCr~4OF%Wc2U+-)FC(##GHPu$H*OKXf+(?frn0;j38c^;vU|HvOm^rWvQLZbe zXt*{wJ1z0Oe!*YjVjQ(p4E7zJ@r`!?mw>Noay}HsIt*a2t0e90`>l0?1|)*TBObr{ zdV`(sTOUScE|udQjGrl@T>vjy;wK&;^Q}{3Iy^mOZ>P@Y7V|{)y^mNM>xr7^JS3>q z`}&Af5B%;bncY16cnnnRd%4SdRt1XN@THF<9TBp&^#kBpxdhIsGcLcIxf*X>w4L(- zD@yI;fP3i5;-VYrxBdOc*CqhhCV=#EdD5PG=5Q7C9L(Zur4|L4eoU?LM>t1qAo?Ic z*`%2>Jr3K}Cprv1UMScm3E4RJu`EGUh$=`bd9nc{27(3YPyMB1q@NS1HaVhFEnf&L%i#eCb7Cu zA3YxH={KmNh0pN9o&fT1Wq`EqTjUaWevYIS#@g} z=i~$8eBjpu=5u;w{Ri)e@pRb?>eQ24syGMC-F6U0(?48#U@+g8Yf9DgcS)GH`706H zBPW`)!A(B3Mp@L(3qQ*m@${22+BI$~cr-=%IgmudSJ!KKY5jOuB(!zd-OP8FWB|y~ zaoNLidG%iE2IsZi?ij!-!!x87@Q~w3VD64YpVac~kBKtSu;*EM?4PH-7?74m>)rk0 zlas<0K(=<<@u{(y`=z=b&Ve`oC!Dfx{B{oNx~u0%7U}XG6Tlz_KUoTe@jg|C6=_{dg0L!= z*_*KPMZ{b)vP^?=*vJ-h|1UX#|1*IElSL)W478JWQNQ1aF7g+o@*%_iU2aH_3XQ?f8+m=%MOEt~DDkl^XiaWtcH+rx>hf8);FpSOog!K!!swJdo!vme9X~51FN+L4c8+kNh9~r%merK~j*=27S1_ z*o^G&2JG%7E#g2XjOxAezbhE=Ux*0JHPGw9X)G*%dH4G7rQ*g2q{74*3;xQ5;$ODl zptL(qbw!TZznk^{m3t+)<5XjP;QsqZ{SSx$PPI>UC6Ghm zKPq~0$Eg<4(f$u6!hw?CVpXuxr+?>l|6je1CE_2S%H!P%gN+u9{RhvB(#WAxJuHc$ zmwB4|^)9FPcjIwzfmlejl0~7%hwD4T&f_Kl|I^ z^Yg2@bLp(+eDC|O9sf`I#Q*r4e;zRJPF3AT_)PzHO}ESd`;X@gX@&?E&A}&}yM$!E zpbb89i%_%LIP6EtTQwjx>{0Zv0ie&43i*83ZSv|Ihp>{r+hijJ%%60Rpw{qx-aaaG ztuiEa0*}?+iuF;5En;vE`qSaZ9^|Lg7M8%NjQ`zL6_z`oQ!{g`S8JyXcnmO0hEqk1 z-Rd_u^_*GFx8*F2L>$&gH@`IgHCWe>^6&4EZ{wmPf#>wY zn{cHPwwt|TpA@oI9$ch%a?Q2C3r)#?RDK8w^sBkXd+A2`C(845`xyXN#LaDY`P{4> z>))c%1>6oIt>@O$sviHL&kw(c{+MQHH79P@({*oQw1M7F$o$s$(sS=UdGr|D*N9*igeS86 zRe7m?vdOUq&_9e&StN4h(|S~Ho+S>68c94T3A~$>8?RC^OJ)S$=#qSQxjF-HUCeg@ zI_Q#9+tj8SK&p_-_NsV{y;V-+*tJGG2IuEQ@bBuC-wp#?1AZP+66M*_tLw!&M=)gA 
znYj{5I0KV1a|C7ZrE8%jxRHw2W*T$kb(OI~cvDJBv@UA@a-1pR%`ROh(?@rM1b zxy6H@56wQ1-I1@kf8|ZSZDHqnD-Kv7Y6utaliLbNDsKs8pay#q>9VjVFBd+qdmeqN zU2r4ON8JwXQ=izbo#&bLkxU=)FFIM!RqzcgqdmuNDPVa8!DKaYZ4w~= zdNmAg5L0(d(w!@>Lu)WEcqCIu{EJrl2~cP%r*CzC>b5$ibqZ!{|%yK&?kB~}Uv zR?y3#^R6^K-V~=jWJZ6IkWlpW;~LA19;I=WIWOs3?Y=nlUAJG@@s|lNBC4(rj`!)M zV#T({3+PuEV1$iV((oK^1KP&1?4Q|hUByt`mJP+8t+PS}r+rD*;DPYTihV!1WDZqU z-3CT8*_cvN-NO}0o3D^v#%4j{A?R!rojmgfn{K(*DWC_cn6doRp~6W~Lp*>J-e2yy z@1wC;?>_obr4W#?{J_aqOscjfp~OFr#%8t}F8Tr>BvmkOao54?55Ti%cSKb%B7tIR zha{IwVxoV;i{1p1fK5Zqt2GQ@06Yf2Q{w{Z1w7ivV(_pZ*UP16u;X+#V;cCFU{ zreg#&Ll+XyW_7gY^D&VNVrwHjvsEp^1TO*%6I~~F>E)ANGs&elj0%8PgGg_$%P$`y zPZ7Lwk;0J19@BWzT;2P&*hGKgrpF6w%kLvmXL+Bi?LRusb1~@!x_Fq^G>K5>NPI!O z*Q?5wkJ3i^TqSr@oxn45n9O?0V_eEGAN9q&emy!6x$_X8sw^!G;DZ1s5L@@q;}u$; z>)NBUq>`@}bv&J>162H8pY9AkH_bm+7bScM)^>tCZd3?Ng&mp6_B?SM72nh4+c7V4 zStW?F&lDeQ9%+z{zWT)qEHcX?-@X%0=C3_|y8wA0>9h!-Qfz?RvbW0JXYd^Zpdj1G1m*wO;w}21AbQ zN?j=ER_Luo;*N-$rb;5rFAN`Gp34F+LO{OQ?!Z*n`DW!Bn9u|7bGWrDAFzT*!mUmVFV>u3oe%h&ele}nV z{SIgOcZig($Z4#tX*d$;p0nX{I(>RJ-5bLRt#sRR=hSYQe|U>G_NYmD-DAr1HmqPj z4j}G#zc_Y9pmtIocs=bR>7w4-+f$jgWoK z>m*#5sH>BON;NWBtFht2Pp3lj!7f$jZxVfi)kIc%f66mN=nrqKrgwx8$&z_r_!nKc zhE;Pj^q=w;oi}yBr3nZ%!0NOqZbYB36=8VWTTAz^p5qRIiUkt+NtQH+P}sdUiU}|4 z4ue)^A685r)?qhpV4lM+NsBch*=JugWSPAct#5j|)~j1Mdwhy@WB{R89xRm;{P|X} z&h)ama4r8<3-;uR$==O@pf2vil@a*dEY_XyYxcW(?{Dm*r#mt zzVDj*3?*$5&$`YDMASI4e4|8cS$BPPM{j%eIr$3bA9C+TSs9p8-1ByIE9TE5uDTx_ z&OsE=g}N?u+MjLJEj%Td5vrnu%p-b6H0;|UM0Wv@=+vBHoW@-YV|a+>GemKt+0 zvJD0|S%1jg%p*!x<~l-aD&uERyczFDb{#F? z5|f^{g0*WR>wE{|VAH-vPiO5{I%BptLA@Q=CfN=-8+wUAMFDi|NWYYpChse=cn@j6 z#T@%)eA@R3bNMS9XIv$gXn|&SIgjY5_>s@!yZqi@96H%IMeg$FKd8vSUF|EDY4nx9 z@$=_kydAo1%NpqO->@jZN;#4w%eDRVFJ zLnq~8nj-UVI9y{+H>2V;F97lM6TVEDJz#IihdRPHD(nt9pk|vrs^+_p zl8muG6)pxsR5YKYf(M1dUe44Hwimp!JUa|lX_AvZw$|S8H!*fUxk$@VYV~@OjAn~? 
zzLcT6s@}<|TehU{HCmB2R&c9-FXx6rjrhe!(mktHsh?)E9R~f`_ZV-gcPDesM-|f> z^eb$#F2h<`XKh_ir;%Yg@+sfN*zCUcsn(X(^mYRto~h6@wej&+;Z-^@+3_?%Xf3{K z3E^+?LxjObOZdDCz$@?3r&>tG%8{n2>Y8{Ps4*||m1DrDqgxDIt(hjg=gYx)uLUC1 zrhcF~V)Z`p$zpEQqe-hvt8Ko}gi&t?1Nnf$4c?TZo!y1sM3HBJYIOb5S%cS5Y4A|6 zs6knAZK6j)3CHJF&DAr-Nf$=R!oSV;$SEs4kV%2jequ`kPzd1Hqy-j!c}PH2Kf9kd zEdGQ0DWvY>xC}jWJ2k)2ZiY57{3`wH$(G0`LN;!Xlg}U7ad`*ZxueCUWZYgm?mhrw)O3s~@1G{B(Z98e;P6NGDG#MN#&oq9 zWzEHU*FJD%g(=mpcpq&Z5}h5bL-2xB%!Wsvt#b_p2bJGH5&=JC$Hs6^6LwTjZ}^CM z+6+q-v89jGS`#w7@tC3G)kJ7zyo_W+=EN{X;}3z_ufEp6>N-a}nv%7&H@@<>s!fwt ztZ#PIe zQfMu>X_X41d*-Tndw$WE*_3td1KW(@GF~qyGLKLWKhUte2-x4KG0$W8kn`)?di0E^ z-&d|4A`8P$Nx~zfD-Za&f7`l70QH?u)$MHA>zs1uQ2-4_sD>PQu{Vw1KveHhB3ok9 zJ$L$LC>M{Md!C|edsN7Eh}ZOkn+JW7&J)c#3c+PbRi5F6dO-8Fl_wcNby|1Mxw-+_ z{is6~UyDFx3U5yrHg5%I4Rl?75wPc`A`yETe`M3h@a{~c=xBQ{1;ZQLb!~o*&rS$C z@*Z}>8+0Q;&gPg`*0?xVaxBL3TEFObkxsK1FW>NS6SOVrV* z)YaC_+41w^C*R#v?QBE9QC$&l55*1x{KNuF_$#@$GD<%pKc0%bCFazeYOwbva^|>B1u`*QyDwpx)VibJQ7Ye4ckF@Jz~r(LfefP zGbVi0tc7=5TH!C@A{Ix;L2TyAL@-dtHmyb@>igkkQbP;QMcB5q!@3 zUQ#BMeKI0WqPC85h|aTQ?W)G#L8lJ>Jy@lmgBGdUPPMyiJrbmOHETo}9*Qo0CA{w$ z={x>pMg@Zc;Eph6@NUySz`|5D!p1uMRFaWQV{;U|ozSMNI|u709ZjljQ_^gGZ`P;(Q9Wv$c>OjS%L7 zna;i|8z`6<5aDS)%zWS<_e3^*Ry-x}nnp=QCrYLthZi+Fju+lzlo5*j^BsZPDOmJ- zQTVZagYQLC$<%!H2coQ^kCeeZpFhWi60@3a6LgFn(<(VYrwPoe{X854MA2|RaQAXF z2+;_$_^eEK-Mp33=C!pRF>2G5l67NroZu!PWmnhsLgtj!|EW(bI0^3Di#`;Im&OoB zo^wcN#ET1BYuqpu`ncN27Maw(A)4Sp%&1WvY%a-9!F~!AS|}E52a#j-M(~1Z=-tJJ zQZv{rgakl2aVQFehU={Gn0cmL&oaFvFet}M)`$DMj(d2rh_Shx8>0i)bqe}0N>Bs! 
z;#3VYT^ZZ-zCo4Z(4U3rr)BHIlA@INTOBd&;h==D)(aB-RB}enVHaMD@zybMM&8;q zu|^c6R}g6!TMPA_aPfln2ExMPLm0z%O$?d!gtFpIk6l`?G0!d4dfPIIZ*&9+N-3(d z%|<_J`~Fa2lhPV^bFy$KO!j0~-p!rX^{uj!#cr>Z!Z{}SS6TOJf= z-gZe<#}ub=-3S@?ZvL7s|JAv<5ZEb5G-r0btxxY=DqVk3kY=AztM|Lqb2RVzZPS=J4h?e?YK^$u=gGkwkM3s< z26z}Pk8Sui9##xT?!NbdeLhDn0r-R-`_qDWnq%+Z$vk6)d~?QLh|is>*9@mvITH zZ~Xe~0kaR~gI-z+Hp}SW4(EqLUGi*|6tR5|SRdIm6#`n~?RU{LvT=~-8eqMq>;6aI zU&>#VcrNx~6|F9%J|prp6hr5QJUQp@q4y z+tHXs1wKwHt+X|Y8#OMXa9Im}0-`R5y%9{#1L5flqEMc#+I z`7C84b$5$d(cMkwY}i-AGXOhu9%qpJlnq1X&8u5)lNo~jTY-rZv8DB7Xbqg~xonr$ zT+WBNa64MplX($uWXDc`a4?yD-AR65n4nOS)HQsmg#Fvvq z2ci(RKvB)lfs;gT{sKuXI_egO(yEsh%cgbddtl}Sp$#^ZDXq0e8I=+n@YZNeb3LXn z=*B1qcZZzq!MEVB+9^BvaDU-%IS2UGzBUa0ya_D;G_||e#M?>uMQ6av0wjU;OvENA^9hsC5i5f z*wvX~Gq){%-#-`GAk)x)HBPq_c`FpQwrD`6aYijfXnfG>z|I&@9zl@$m@%1!>FxEI zlkf!lTceJcj#KKLCYPJ~DKBZgbTL8#HZEG`I9vqsF_faL&u$^z>npkKEN&l8BRKSr zHrrH@*~+EjvN$Cc92Vu&hQIgtsr)2E_BMCdRfvgE8=7&Z@d(;eVs)&C2(q>rS4}pO ztxCC;@m2klWIIG`iT4rxI~}uoWv^b?!7QqrCwMAeJV(jt-^vuWJoTNQz=J5fQm{_q zzW9KWHdQB+<%@mcP3GSGQO&AKvXlFX`!oRzqnBA1jGS)*rxFD*zuQ3BpqqI^V_`^s zJ2adc_zM=J#(pjMOqOidM(TdXtFD9|j&F*0QeUW*i50b1mZ0ct6&)xm4mG=G6tf?v zd}iN&K^A~x)3Ef1>JY9MVluaB30>j0tra@dAQspQUW;=t4)1#J8Cc5ahHn^#Q-WpZ zP4Nj$L=mj6bX+kK9K3-E$5Z4Rd=h=N59t@!*xIUr3hINjJcv@syUd>wJ!GGHV)S4F zvS4i^xprixJ0IJ3yGu@QqlNh#GEE*Q;HgQ;YZHo{w>k2};1J}3N9 z4PLy7G=4=$m5Obe6tT$?e6ppIghv0U_9YeT(-@W{9w$%X zZj#tUx7IIa5189@xKWHPOY_Q1v>hF76_~D-!9VEowT;c4i(3dv9kFh(3fIu>O-QaQ zboX`Mggk$dX+2lgr_26yn2@pR@fF443@*tVnkGvjTsjI+dzPGhGRIu0p$Wm>M|&ajv5I?7dnZIWk7SaEK+2)V zw}|~t|2>V|F{pMkE06Qr=wI>KU$N0kBLme)jO||jc}xFjk%GfqDxy8!9RCtk;$e1t z^#S!|jbmeL`t6HH0nbY|CHcM=-o_MGuU1S9P`KhcO#zqEPe$&fSo!7qZh*DV1~&w8 zg->RK{PnqlMLLouRjcDPYp-f~L}y0N+jIFVk`nz3zOls1oxrSgA>RbJB_(dJ2NrYD z5N|6+#Nzin9;RA%<7W6_oxL+kFUDP%7Y#wKF-y^>E+xzh3ID=R$Xc2QOSGCNm2aN$ zRmpIsihopYa!y6mPK8+9`lIR@*yN)`S0qAo;Bz**YB4Q&%6_A%ON}hWo^j6NzQ{(_YeB)JA6Jn{6(CGEhf{TxcC)7|sDhFCU zb2(*q9p=)hhvF@%&q@=r&2Xo_@VR)-NxZlx(mR{%PAxo(}1Vct^j+0bppj=oTt@vGU}%Q5AXNwbvArP`&Mm 
z%a+d6j2awH*~hL#IH}-icgehG70N7Y4%})JqOA{ec$ihKJ{5n)M4s)5FskMbaHRlN z!4mTKaXI?%XfZpCZje3$Z~oLj#W?`%p2!QkysyAGM?+81wX~&+W`YJ@Na(iEj5|%h>dfUPzBUGwyxbGf=K^nt0#J zYIu2f&!@VkZ7=8kST6IUBz= z(g|Gv@v=(g%;q(o(?#SRi?27&Bd4>=M(rscNjTpi9V_bHe!i!lXL*l9!{x80a6qXi zj&v&^FY?-b_7jD}xNT_k0QRK&VPNU!4cNA`p?5Kvnw(56=u4Y>*IpxfAHAf1q5W9i zZ(H?ZE$U65@OkY5wd&W{>~?T5A*x048>}FPsZxtVSQJz392-KrNcFgL=5okwUx20Fr(SA4!=H?lO|CqKyoCbcSQ*>g9` z3Lv5%bcpw|Nv?foprN$iT*v|2pf~g;N`!?Knk-SZo5ZQPHfUrN9fNsq>`oBrP63^! zbt80g0xOV4ch>uC8bNF3=-}h#LU>a3GaR1|w5}_^JXdGeeU8-aXKu=^jiSFFZ=4h0 zW;x!N6`vP0ThqB*RBuCr3({+5zhr?$<-i*HA%azuK*T9{`o+>};kDKJk6bVCm`~E0 z_sG)Ig~`shmvXgrgt+R(`w59k1>9a)A&slg1I#{I|`rNPMz@| zZC^Pp#&#)0RX8VaB%(a`W>{JZ>&UUd{Z726x$aKB*cATRI9IoOnH;A#_JJLFX+nlV zFPb#JJ%-zd02_kB+qqGhX@PvJHLhVDf?nGYDCf zA|G5UffvVNSQ75mP-8Opw6g|%PdT%~2`!9`K3rGJl){H4zKec4(eTGpc8)ckl^QRd zg}_sEYxaZtWF9;jm2X97>pkh|3pX7)x-b2a85YtICtFltzEW&_b!t6UzC`SPQlN=|K zEL*{|Pvlr(Gio=V4vuzi5FtD#fU6FwmHjWtDQ2ew1DSwp#W;&WQ_srnj-9=9pA5T( zC;xmh6vD0Zfu^GIw1tk@dAC0Z##7zAudSTEUUY1Khhe|)dK*sai&`}5w0LjE z8r-nmKMe<}Z3PbZs*$mkF}EL%N1O=-H0)a#I8R#e1jwblo#^!)fM1vD7;rv*X+-Y? 
zuOCJxjJ@Uiu{Dbx=m`~Wez}d2bVnS)8inTs4{`SxO^;uzVKm@O4=?O=?R znAli5!D2K$U|{7YrcPanTA+Auj9nT|SQB{`plfMLG9BY(y>Nz-WVyh4V@6+I^rw`c z8*320L57m}RgwT!;A^rXoERR6qGP)MJVcKy_Ohq`^Zc6T7 z8CER3IL^$<0ZW^wXUbD5N!JM4c;1PYpwQ-k81uX>AX6>%woH;eK;tAg^lJ>Wo^jb` z+-ry%wRB8}=Ha7N>hrTNohW?X8R^fNhFl3wU*_OUU$il_?dM7?4(|qbeyg3Er8>a( z2j|qRtM+Wt^IIN!NUx^QiNK3L#{M7n-tsBVcU!|ukPrfa;0f+7!Cit&aQEQB-7N(7 z;DN^7T^c92ySp{+?mcgQd+&43)YMeXRLy)lRQ~~Vb-(?rXRUQzcMMs#a~-F20*1__{7Ax8<@k5zncALA8Q6 z1W}&+1EeY}n)-L0_dQd1DkI`L)g!G$#Y$H}j?1@08u>e!)}=AGtyzBwbW@r)PlWB% zWcRcoCH8U90~w?Po_|FBtbnMWw7ix7RIv9XTmXD%i3id}bi#)E{^a4&l3c zi@%OFT;#Tf9AYA^B>=N3(CPZ9HU@ioLo^sJW35!^2a6};>KBo!Tmjm(Dr3JtcoN9xx2f)=AmTm@7lWky;JkoWTo%(g^kovux)Pp-6`clFB^}Hrajd=W$Nu{ zy%C^q4Y(6VxH7iOduY@uwE-HTY%ENEOAR(`Okq;7-jzlX~gWy`8?i%=ieR&Q0 zhODUe(fX0&BURim4_7YmcAhw48vb za7ue55zk&Cp- zsb1H`re80yVR+Wp24vn9en&&bWBI_{b0C(`3$YCPth8lK9)t#G(gIPF`5@xMrd=rZkgv`6DC{W-?8bs9o9C*~Zzt#~NI zYXVd#8<1Y>dxf|&oJNJjV2wSiR>GPuD=PRY=iuk4p7$G}ia5a9yTmWFxB0boY&rgM z{3m>PgqS{V)jvD|>>CtjqLoql@Q*H5D*<%s6$j<#aNjsO&kF9SOpY2&zk&j2Gt}!( zd2PJzeVvb+54g?Gl>?q|N*TUBj|$7c;cDcjAZ4W4OoKgp<3s2?u4aY%%DtaNiwlCe#UlwNe`2%`)bR^QVl@ZMU$=r_(nEM9-bN_yo zv3<}OQuuDSz0n|)J@mNcnKa)@z^pU7^z;l(;4A2Z5l0$l*ome8AVMLBY&BTJWgV9` zOy=+|`>lG3g}VW#dlNmc$%9v+8I7?d{+wQUmeyWo&VQnKrqPN?N+S*TY%L#|VNnbL|8j7oYE%|NG@g8fQ ziXt5}FcuT~L-f0!Zv?6?7)h9Ro1b3 zoYx%(ljgATTu$4(U&l^Q3XAEQX=az#{;Vz?AGmI7^<|qiUTJb+VfvwEdN_N$_aeen zs^1L5YogTPQAb-nc~57AXxwNyQ!9(7)+J)N$HU#z!&c?+PHNgCPcKc2%i}u}N*LYN zAHnM`di&%erg$C$Uggpppowa#CVLpL##+UwIQQ2;E`kmMNUcDC+Jg+5;uP+b_b`9E&OGt;4CGtoFB2SFKZb5Gg%z@@!dV8=hgV3ty% zDAl_Uz>i6C3nPK&R%ioilp1{i>l#N#+!BZ7Ob3=&_@^NsYE$&311tW_lU}32O)^y- zcfpGyN++S*(!DQGgyiEy0&;#xO zc{WVK`uEZ4d|h&(X=O^hzPO$~mPXMUKgJeaUe|SZYA1}NQnU}QNU+$_Y&~R-YBTKO zg}}RO-9H0eW#BhKRuMW5{X`h9+SE6K&`F!9sH1(Xv1YDET{ctJOtH#@ji2lLXO!oq z&6fzUO*CF&Rr^kFQU7OTN*XKFp(rXki!Z9XPmbcG5kJ{xNa3t$$QL{#%^Q;cVir6d zW;HZxZ3?49#p;jYyjuno%!#iw(aCEyHF=tnTRe_aLc4H?bB+of++I4xHc9yee3CS> zBHL|Vr3L7>IV6NWn)kd+-OVlt_M7Px6_e^fCLu$1&LhTy7GLFoKYsjDp!gW=epNdv 
z#jvFUaJP}#vMY>avrbX50?IDSV2{=F4-LQ!sq>4_$`3&ZNkArB ziCrCdc7D!upklh{f3O7jAeIKQ`?!<7EIV7B_oIe+*qn|iia#>!hOxi#9>$Bg*&V$q zk0J;Oe{Plm?Z;G#a&NCVeN4af?Yb`7+L$QDb{Jj5&(!&mCUpDf_kfbLV2|ozO+g4Y zzxa>RWp^mz9t>@y*)hFzKdzxcVL4fun5v`c7$z!Vy_6J1mUMwIJklc7N7$(R7sYfEg`WLUkmwf>SDxGVzhGORd4I1&~pWK;?X|`_vlo z#WhK*$Hq(S%xG$9U@a>DWUhfK3ZFmB_hseh&9N1>A7m&2akfeG5Lhke*yIAE%^3mV z%Ixj!QMb;1-@j+ih4qfBjiHl-?t~NU&fL^SY+dI+9=w;La6Qr40r~zN0I$oUeV=GS z1a^M-gf5%LOCkfl$WWY8kQt+m>uOTh0tTp8?)cYZz-Wope9m~nMh(#wTW}WM&t5kZFjfvMFEND%MlVoK3>a;Wki5l5OT|=LJ}zW5hjdMKHA% zCZOe=3~r@^caAMD_K4~X)hv&`O6hBfX@?fGMGwc%K6*kyy9yJcq#d2)2<8uI+T>qTNt}^uMI{L{-ib|Br3zW40|n+V2apx!v9GAvYmmRbAW3)`p~7p1sTg21NW#{S{>$;H(d-A z?{*=$2CGm^0pBlSl3&?AG8mT+gN1%>PRHmhH$=hszU5zl)uaz(28PC19Kd!ko(%!$6yySy_;o#FvuJ@bR8W5-{0Jxivx548mF1u z9YVE(r>6OM3Mg0A;*;yPjlOzs-GE@Y(o=Ji82EY>os0B@M0Fwusb;!q=PzBbSp;O@ zW(mEZj<}Z$>HBI<5a})p7o#gBu&b7MQEo8JrtD@4Xv>GnNMm`coy<25b@MG(8pNH$ z7@~KcQJJ$Wk#~Lx#qw0e?kqxo@<(;Z{^s}eeW3|fB^g2*#yHsgWqpj>cVjYd2p!e4 zc)wEXAebZZ-N7)7J`V1ohS*9hrCciYo*3qrwVhuoIy{FOQhoMO;b{IANqs*l6`r;X zDK`rKh>Sozb-6x!ZGU%Mqb4>Q>&PatW}EJ)w`Su1wFk8(;Is_ECn6%s;aXsnUUL8} zUG#**w%<+0KXX6uY7se`=mTg$jpS7`zvizWqK^4i~d#+mqAIOk|jTD|$vbY3b))O+K$ zt{J`p0^TG(cNWLfY53=zHd>?4y1yzMF^hkwo!ao6AeE3y{~qV7sCydLtbw>Q_eSvg z(-AFlk%(Pvo2C|dbJ?x`N=87`QCHZC?r;Yau_Jz6c0oLpUlX>iN(WE^RecQ&x=4gg zi{?`;S1Zh<>1Xw3JUWO&b|GU52{TXpurYL7D(%%;;vn_lff?mVHAq9+_x|uTkUyZy z9R9k*rU6(oK#@J9v0h1XTU5PRC~X|t{%X2x45c2NjpIBqTCfM1r2r(sw{Y;Y9@X=s z+mRfG|6^a6rmVMhcU|L)Z~6Vwm!ozsiOuhxn^DxUzH6>CwT@pmHRrHR&RuA`&XIel|o*2?b-o60BZDmFn?2>hEs z&{pBv92hR(^YQtVJ5Em_zDIwjD$Vs#jH*&|IgAcfHM;~L6=5xTFl&5M;w!JM?Mq1S ziZjFaE!Qt!B(c%C5;dm>cd)W!Qs*!g-I7KVRaQwda#o3ghuwiLvCZP7VBjPWh!UJZ z&p4Ve0F0Q=PNn3Haa>PuiFj$He!`7XGj61oMtkgK{<~EnB#IuQG6diQ?92a+58Oh+ zg!pOdz%Sk>!Wf55vX|m$?&)Z1>QVR$S?6hQLbQdS_re!?uS<@u$Ix#Vn+`PeNAue> z{IH(`^|QWj8Yvmw%08JOr}$3wb~{e~-b5;%}!$ z3V2ZUOBsAFw-0O3ag4h!YQclAjOWKQA{_o`?OP>GB}owE=E|Ai32F7+0}IL@1YqoS zScsj6qQE>JAsSqB;=OG->pI|oR&-UZlAh}YM%lvHurJ 
z;GM5LlV~(SUpmmhAbRa=TLP36q5aun?~De!&v!Jl#=@&|Br>;Lb(w(yx8udVSXSA; zP=PEOj!aD?P(rQ;s%DdM8()Lg@7);2w#gnPnx1N^lxzBg-9iBw*l=g5Cey(HregIT z&a%a1vvVMEQC1M>)C5QAj%WI`c8E1X1t~MPh!Vd4d2%6PuaF)Y)iwD>I@zji_Bc0rx>m$bJEyZh5Wa6lq6yp_t)=#*sa%OL!UfgA? zWe}L1V;X7L`AwA=604mTq9K9vLCo6jZ#qHPW&_l0;pcF*Yu&h26k>jE~uc5?6R zsJ~5iWd*NwJ2$3;p-aOZ8-{?_24QOz5Kr(Qd|-3pU-1NjiAU&x)qmp&c%|Cb|3^GQ zM6imXlwhqi%F`i9_$yJwii~cQ+3OTr#mk?C|KbO7nkBdK5s*OGpZ|yZ;DbF}_DZYk zn7tl#e+vJozK|c^YpjtkrpQ}g>RQweEePQ9lE9(|ggPsshxT<~HKgMP-D&Um=rID; ziG1(l<-F#qHpPZQ04NaJ;?SxB{p7(R*ee#(SO&|zrrfX9lT}8F8yCH_K&Dl-LBKBY zac(WNe^Fs09DuDFN1-p8%B|N9d3<;fE=PRawp(vm24<5XZa@wJa$n>=hpWsv5+>%* z;j%(cT`%~?k=KO2T-83!efp~-AF1cr*`{W9?C+Vybc!*;hmDDZ@DLD1u=8GBI}^$s ziol`h>&B7ey2EdOT!Vi!8L9^OM5w^r{W>aCfrwj!rR|@$xQLO1{u2S*Nd9^Q|@P zvxt0&?}|A6D#DiOy=4zbW?V!)ngp5+Yk(x=>fTX=@6EnW*w)Y7$_PRHrFEBSl1klWDRmGSA?I*g zdQWWKB*Mgv z-cDhk?(A!t}$2x9q@|m~H zf9dr@p@kk2USg^rH4yTlj0=`9LJP*So-1`ywEMa)2&UbG)lTX)CI#cyIuyB2G0|*Mh9qlqKx5)Oou{ZeA0vf#0lc zNyLB+v5ax=hL*J2Fz=y4w;)35fF+>Hca(+}6T>4JCdF zk$-qwalw;mn=84u{h%VE}QnB1cSf0z}3HT0jZ;- z|A`Ao{4Xx>f3uqWzqr8v;sXEuxB;zFw!aY&Db)Xq3;aJM2L2Zp`2Q0Zpg|K^zrWo5 zqlT%ZRT)UW;XD+mLNz5xT#ODx5$p%40#O9+D?xYP_OZ8@ykHvDkG{OL?#8s;e(>Kp z*!u(KFuC*Xz3P6PwVXM>S|#A~-GpkHXi{6CxnYdG)z{bObH5X*(zA5(kbjrbTJX$4XSudCh7FgGUsZ)jxtRP*xPw0XPXY1{K}4in)YQ`Gm|R+OtI}B0 z4BhATfIPRv!!&SoQ(&6qXBabp`4&=G*;8x_Tp9tMgZs}|GYyMl1q z9Q}b`iw$!q9a#p1#kTaCh3AMbwth%<(LXNfWN>0vGLBwgwt*&s4Kb~9d+$B{q9^>+ z0bHtYWf)Pj4{8~dFQOZ9bKRzs>h3COh09s&5RrQE6c9}0^u~L?#xNe^)}v3|*ImS~ zV80};5AS@cf+~aa<$es*Ip)|sh*rc;z_wdAhj@L$$ocZ;$7OGZ{8I3Kk{%f<()oM0u^q7?b)`z{V5*qaQ4h3P+!u#mS&kh*3n<;a!QjtN+pU@4w z4@pBXdT(mw{#hOP`?kxJ8X2?IZQ`1f9PeeM-6TsTZ1x} z8a(kP3*>Q3F+nf)INlHM+2Xuul=Fpd30ptAEW;t=UBo3%S1`<`(X#rcg#l{*&ga0A z&0n}+muH^A_>zdlIt#;@3yKglG9IrJIQ;m7ZaYBLyfL2DRjAQsB{>6pP?ACbP<R4m%cH@Eu&DG3YKHyMK7Fa`A7zgpyA$r;sq(y2=EinLvYms8!lQqu0TKfcyQ zo~cn6bOJ;Of5kxMI*p`*Sp_lT2K||@{|>_zJy*;MXodyRoYH$ z<92rDnYP5q$^!^^ycgdyi+(E2hNvz~mP(N=w>TqBQ>wsisTthAfm^Kk+$zP%4l!nY@mU 
zitCDH@_x9oi?av+zrg`O?(nK#UH9=X_#zpuS zi&HOyM*tNFJ!f}-*DgP}dd>#7`Fr$CZmo7vX}Is<(#oy|ldZMm6Tz#y^_CA&?rTKH zhTzb>nSS?p_kPJu3d2Po?9ZPa;ey@cm1ulE-sD6XxAwrgpK+NDZg3CBrj)D1(2yN?>Hu5lb%c6Uu{ zbd=}yUXq#de2jXG>E{f0G zUQ$Oh94UE6k5_U$)ul5S2?7IJ@?^E^CuiswuVVSL0bEB0;Ka!_jdj}%;&?`|+AFew zw0Ole0saJp;3G_V497lRpG|Ts>UAM!i@EsX=>rh9#fE(RoJ4e5CY`$O-txXtJdn<; zs#hy%a80<7v8Mj=rO|OWyRoL=@}~|0bTTl9Aytvx`b%yO-9^)Qa>0$$(VR#?wYe%C?n{#yMHqc*&F6+l@eUY>t6y z&FFD})YE2gx|lVOQ8i}OVgAgu!s%UM-;{(B&&{h_e(&EfjFk-_Z=cZt{s4L_XK{`; zD%6Qf)o^O}eERr25!(x$_SEWYqA%E*P7_4af6jNqNr`WS7*ySG^xKKVgZg(yHb*Sv`^KB`46S=Wh0d74x7=kz=eOSk4xT z1Dm(m@rg7Gz5Ix2+@4XuNjRt|`lL#Z*2syw#(R9Zov&W%WHFbYa3J$is#7PvLRE6c zOl&V9)YhEK7yN6@e^_;!b37>r9D;CizD0G6Oa@pOLW^+xXaXPMyW>`_44Aaqs41f z?hC#eyR4t4yNJ!ug_1?fIVg}dHo4M#TPX5aUtH0@Lj;94x=Q~17JLt<2pySAC^!|q zdB760J)Ep(`-#=#vC(&eWkwj|W?=R$+OS|&Y+$w5DfcJhqt3nS?*KWJ(%ckI+StG_ zXlE3)=gD{&N6!EqaR5C-?3A0@uM~7eOeVqS5SZ1LoHv0iip?wwd(L)moy$|g#pi}9 z^tk)*v&(QY_7mndY4|N}2^@T}zEV^dWO0wYn@R{4h^LdW(3%%6Shx9jCQkFCbv|4t zuB&{NEwr^8k}AQqlanu2LoIflj+b664Vp>P_>z`7>r6k8VO?jcaxu3R|Fbp5Q*|`& z=2QAm=p&Q)i=XFoU6_qry+78RlKQ32n#+j)jn2*ZE#!gphtH}r=)@C#q5*QGu~5pS zgm>{AvEUP4TBfA%D)=6y&P2r|e^eXufHZO*PiOJ227S?v;F3t7;S+RKU4~{P+)U9K zGG@&|>$WpuR2UoXQyiy$-2T)ZJ-U3Z*867j9Od=v53l}tg%H3<85Mx`t}pIFJ!?h$ zWcuxx)Yf}BW8mi&qx9pDnCbyuB(%xpvCj$s%}y~w2k_7o!E11@_k<@+|7;bLM#AFI!H$4@VWH(7yEbN) z#YA-wKo?&A+@2Yrg3oP%&!F4#qtQ63m^a@4)!Wa0nM-pC4m^2jCkBkCr3uE#f*FIp zWi;gksT{x5Y*ZBr`dQ(bG!NKlOK;;oZILtcxAHV4{UqWyfH)#}J1YvcFSq(Xw&!DR zmOt~1gCtPEE&Y25?O9`BO}zw^O(3c{{&kcrRAKS_J>T1zY>c3{FngJlbqyx4g5 zy#D078TG@<^_a&gA4124%%)!hq>hO6NGIkrUgE?A5bJ{HLrsTMOWrsgKfK41cIxhD zmbPagteLT#neto?GqcL@fsLQ=pMKU4pSAd-gNp|h2Y7i42RVxHz0E&#;;z~aHaRgl zeMLs?7w%&1UsJ@Ns9hXhnzC&1j0#* z7P5_%+|OLQ6&l-{I$f%$izT%U^Y-nJS8uy3=M`|<1gv5@m#WNODdQoq-A&@-M@4rD*A?KjnpmEVz zYive`$ylnpZQNKA1z9y0#oy)}?5H;{##gIuOi}pW@K*@&bf$0J)EB905(lGIFyBU8 z4A*a-GxFUiR82g@-o6PRv){YkW-F|3-LPSCT~(60aDTLuJbS+)9c<}1dyM65EPqh) zl>YNQa{ftk0h8dhP=nk`uEuZSW^B*yp@+f6Y 
zl1?P|kra-6eY0UTChp$BwM3d)`FS!O%%zKOW@csu^*zEKTl$vN){AV#QAL8cr-CYt zLS4~mm-D48 zA@&Sq40q5%>O}UKi+=LC-^orj31s~G?LYa{netV7!s49ItFH{7Q{IjUrwghQE^v%2 zDeoleUP1oY+|sxQImH{DaY-kRdTCT6>vQHWV_+A$a4yYcb(G-D)ZfbKa?Kh(GAW|B zsokYHh8eMGa(OtdFWF)&X707U$IRn+5pqFU+PylH z{XPCeW6kccx*m_Gt8F;i@2C4qP>XE>gEmiRt1_mRU=554W{ShwVx4F7MF-}XjpQ=M z=TuaHE|_BH2%2hx-V&`&5#G$R#K-kPRf!O4lGOi@=1B^>4Dm^{G#dMmuj-RpyPvQJ zE9ZVE1oyVbAn#8}{8nbr<5I6n5WKl@k7rp{xCc8vnnHRg!WAEHh;lDSN7qKu9PW4u< z(TKYxmCIQj2(;Smb0TELCf@%&PyNQEgt8+;)Gyw1sIAp|Q^_XteJQi= z*9xSJ)%rU7rCi583r+C35c%1<#&l+lN{pL+b>#3xM+`6ljHl2*8oa;`=cN|`*c9MW zWw2d*Tt!=Pb_Lb#Mwxa)i6ovwB+f(x`gMZaR%c^ed|DcD_h;Go^_US14Bo2H%GfGRFn*70+)ZxOcOu@q( z*aL^DGeYhR5Sn?eE~@D*?z9A(#+zFVo7w>WA90S-vCpuyN>a_WY`f#Id3!!QMK)j? zYwObQkAVf-{Ul{&nrMuAGqHVI#{Dk#LL^OW)jSYs+q|2BjG!acmi;3PTHZJ^E(f{Y zxFZvWi`dpAc6WgpMeD)Fc#ua#s$AnlX?|e5u(pFC=-u&i*DT(F7IR}3qebj&Qp?&c zO72oBUh@|z?L7QM?={sSStJb_@APP%cTpRIe5AWo^KmN;E6E921Ur3Z0~@8LjvO@}=-l|QDGI8*(NdUm$@>@iAz zvGbepb2c&@I_qn?;GdX=>vdGzw#BNivbbZ@k^MkfW{- zFWwo@tkay2++-*%jl4|C3T8QyZ(*fC&J7^MS$Md0Ihf3g6L=qNplj8~;8(jpd12^0 zufisKaE2rilp{4ZXqKmAZ0jl8NNpg=j^>Xj!Zfq@Bpy{&0Ck0Z6KC|?TWi>1?kf z$YPjDO&V^-!Lg~BC9pZ>E7~z`*Kzg%V9X1El_YA4OUJhQkJ3TNpSbcykl8tp=d%c8 z?@Zn?Xg2BSiwSqgY!?`}d~CUB$lI=UYis+;(H+uz{K9a}G1i#B@OTuw|z!N`Q!EBTcUBFWK`BGTnSm#K4gJF(p)z4N1iP>?}*mpGL3c z_r}TFrD_3E^fY(jfL>FVkE4RaDt}Hy#fi;hD=|is7gB7RAA^oR&s*s6l|0n;E~G71 zG=BXQd_2`I{_LntQ|v$Qzoa0%+LptX*tC0;#y=QKT>ya$bLW{vTGQ{EV#l1V2Wo^` z(<3~pXR2XUPp#~}CQsii;&y7JZWUYBIJX+es(z0(SFL|xfNHs(*;2vecyeg9@4UJm zs2O8TpB<3&^3rJF5h+x1`e$`GX~t!7B7T6jUKwB9;`PG_BSQBjL)LI*fa+%@t zHJ!9kix0~dUpAIv&LIA53819&r;Ex|sfTTO>(nO2;k^N&XRP=9126R{a{G3ZwR zc*nK9J02W9;AS9aY4&7u0(cQ^)R3+>>qu6mfQd?0iZkvwpc7JUvqnrV4%CbHnq$#Z zP8geC0#~=Qc#eijg2fOY_fLt0Py(H#-4}ds@aY=4Mei5c=^$i4?a%@D z8WEO}yIjmXt;(DiD_h$^N2bv39Nacl68P>lqb$X#^LUzeJgKFI8!d*eQWVxScmww5d*la*;V%^#wDyd7v5zJZ8vVXdel1!G~U=q z1#;kXECt*9Z8xGgKorbR*A!zFdZO(Kyj~m-CEF|qSig@*_wTILX33=1Xbkx=+`@v8 zo5Z9@h@}gvO$PUHK1LS(RyO`L7d~n>;Cfu^6gWskci*U9HZ4XLDyKaiN(9$Ud~(wI 
zxZUBH$CediSo?X5MHo?$mauLD3z3;gPZPHNRO0#JCc7&*I<}^U@u#TMqfl!!)i)4B z$%BB&3yry(D5G9W>1vH>s9VP2LJmlp|Fh|`sA}I`wAbxcU({ymHsckOZ&HfHH(=y7 z?7=BRL^EGF^*I836n78qp8)PH=5gW{yv2gCBD_4@6%?+`=jUIq8PMK{hGES>GT2lR z9{(N%#Efs9PG`A0>lBb%9~=&%N}qICj2Pa(*x<#YZ%F$2((5b5{J0 z@PaPr>9kpK-PUoHz?}v)V#SMQ3fx6> zyC~t=YC|Ms$4xs@C#4Fr-AM^$n~`b3tp$-{7pB_Un!g+i)vK&L?}AXL7_6)F>T)TL zK9x(I06{u^Nzs>D8EwZ{ButLdqpS>#pt`3KS#_={0*+<+jxcv4w4TZU7N(SumOn+c zX!75gA5sTa7kWu|-G7Sw#2H9VCs%2r#NkG834Hog^dVYVuaPA;yS#*PQtPIvUN(m{ zB1vIq=5oIrL95xlkFe0l+W6Go-CW77(;#J`m^zu~^x5m_8wbAKF5hCKIKgD(P^#IVq_Ex>eb~Y@LLiR`<7>NAUYccsuibF0;B7i)P=IPg-AHP( zym`$KW`@X0nEX_sshsx<+tyN(Sg-K_)fpvEIw5mQ0(G+IvfzpdQDn8mj8lut*Tq=( z?^(?6H+<|_lsYGGDyuTMzr3}p_@~aZzxW$73RQX(exi*c(}D{g@2^z^IHjGNCI$DM zbxq>|aWSZU{_@sNN=fz&f}pqPOVX%9F^m|^qe2=B@!pFy)(&rXAE?^tNJK60onrsx zZp@95&iARpymt~l&C0MIP21{fVW=$SKgaZmUn{;P;&(|EO{QLD_bt^dLCy)orV-A& zPbVh51^xQf5YMK`;!K2PJKG!Cw!_!ssY-1-;O7=6q7)W#aj;!9McW$m(f!komGw`)Uy-#iiRkY0vM&9bw;fa-oSHM;Zr-3aMx$StYp69$RSq9 zbD&V&N*Yj}fqF9I{}ynpZ?cKsY0Rt2{kEle9y`0!p~QG;IH2v3CNd`T@?9}C^;@28 znihK`2=q)JhIvm|mlROVq?{ig_Llj3|K|tGXUYW7b=09QmdmP@#00(D*|@APJ$JrA zx{Yi4p}uotue(-(V#W(>p=6Bk^x5IV#L=gjf1dr5w;?1?t&g`w#slc&gGi0?cwxD^ zzYg<19+w?<8S2$-F~ zz9-a75T4S)@?UiP-uevDFRH^F@81`uYeU=;TZS6AIj^8T&6)9)IfoEs9fW6Ze-0gw z{6X=HsweIYmmG8++Y_xomg3I~v8azh!GhN9`JSd34rh!65S`gao7T)hNBNlTbwWjX zv-r6r5m5MqIMNN5i_eoZWWuK>Y(^4%+E4|C;(_dy~pcq_xcH#dLW@8g9wCySlLmOcw{p z^DtZ3YiJkJ{q8j7h?&uP@x@*$?Y3~mb-HR>egS`9#m%iC2UT@pwuI1WJBSLaKV6Lo zMpyqHX-zVYvd-Z*dI60)ccnizaCrVRT{4Ulx|lzrFK$z^-y0o0)}APZ2gX%Jn+DiG zNz7NSUa^$xpnH4#Vy&{`o#=4h!R0!t2@#uqGhX0|`k+5WNn5ZgKFVNemK2FIpFh!{ z>#>*6qomFkZ(<vQ$mbrf)M$44QasW))wkei z)i}6eY;A3Q!eN@M%n-k@iYt?FH)M&tOb)vs0hL*UO%qF}8w}u^s3%B(U(p@J+}a_r`qnqa z3LE9E+KMMtHPp_H#Sd??Yq6sbJw=*mQLTYd5{=B`>cho%Ye0o{z@HUIo|kEfv%j(T z=Zb_))-Ql&Y&sib#o|=5!u^Y`sIc!YJ~z$L=QrNxzCO=BjVRw^vsR(hcN4G|i&qHl z)-Q2NJN4=$!*N=<)5Yu0NaVyD))Y>;^&d2|yto~-*fO^L)b!A2UDq?SYVBg;csv`K zq|&$YW%2A8H(;mBB#7$tg#~Swn*1DRZxn7p$Gk3zp_@I_NS-(3h>;UX 
zS?8^nv6r9NgBaIba)Az`VvJNE73l1e()?FIyi}$ENMSJ~MXPRj7iZie>#Dq7HOlB-2gMx-7LFP1( zyiq`>WjKe|*-BoQn?cCQa(*vOC}MS^Qlx4_`2GFN$RYpQao->B=QDTvNM8F^N8N~6wFGzK_!p_oS=%9cr5a4 zC%i=ld^>jh=zm-1l$W@{rD^eod5vjl1X9v$F(J?7dHp+x)%E9dL6Nl6Wy_v`%BpLh zqLV2y8RYx%JrWTH$!jL)H;ZN+%n>4LSWjJ4AQ^*_xMpShsHbIb+&jg0oe;_x8ZGp0&38ENWrJ@=OWVvMCDATSXtA#2};j`;Z{NID4G znw^>o5KxF|PPEnMjNWOy$Vj*HGp5%jBrKCc7I>T3=qyG;x5IsIUtlAli+_w0M)1Y? zF@opHW2v4zHkQ?T_9WEi8#H%H7xT7LSNJWq6}j6?B+S&LD+Kn%8B#~>`>%5!?Dl{i zX(m~@npoXj7`j4+#`MO^@(y}7G+VnE7)>R`SvDGTi=3ZM0SVi{9Z20{)r=a%jpG_e zv0HfFS!3baG)-f!JU1DnTKWFJdYMRYv33FtXNZAcoemz>NfHCT9bHc6CcLlC?R%dqnmi&RH;wz<_67sXr(uIXJ**PK`424~VzE<-Lx;I_ zaSm0lI98b;4)g;HMb_F{TC^?}66C%xu&|mF1i9F-ktLzGAUF4+JN6haiq}Vh*7WrY zRtwoY(Tfb;(kMbpr949tTTOS!K%>^Jjvdk$;%uC4|2_;O#H3(O%78J-yE!kd~op%oQGQlnNyP-a87)A$=e zN|_6!IZljNCaDyzNAF`;14E2$>Qm@5@r9jlX2gxLk1@WDCieRt?U}*B$IJY^sO6&RQ7?@E27$*G?G9)9mgk|xS$zVL<7B(WDU={`spDhBdV{5nPU8C|_ ztu=?0vE+hR4EjwWDQq@{$5Cg53w&R+QPKKfMf`L3h6PFS-}0iv`(fbEHVtIgur)g? zS|~3@rPrV@arxH%_{BHWz-3k)@JlWxqOM&r#P^K1sUv+nK{MG>N8f=}e?ws*!67(L zkLBn@Oz18A1#994mna&Y-ZYjbB7?N8QOx+-Ew@f%mU=BUXbgO>5Nc&k!@k?YL2=s( zJ3yHbIKVfaf8cv0AP?odB3+jSpPPG230QmzF8Z~jMc{avKf0u&YYmmT$@Lvs^UHG3 zp^Lj6NPdJy=}U@V`9s=cq@ zwZWZph6p`*v0{QUuoUOU=@#5@%F&fgPtkYcz2BP0~AiY?-|1*j+2sw$!f> z$bWrC{&nuKeZ+Nw^{b`0Roe2kdPvEoberuFCn)^&8q8mLOMDm>)1jPrCa)O7d(bm@ zDc&q-lYSnMuGTR3yOLP&Oh-JT4gl{BZ#YnNsk9|L-a3DO{H#I?Dmdo0k6#&ar!^RE zx3u>b7dTfBhaTU&(Bp($^2>iig$0SiL~YF(&Q8PnSkP2$WuAu1ak`wpyM9F=nmF(L zrU}Zm_yiV~AN{G6l>K2d%h}#UXrohDI*k-RdXlS`CVb%Ssn-MO$o(4*!DC|Tx3OG! zW$Rch@<7Bd&A4AeY6#jIO2pj@vE)J@6jmMEay?elOTfD*(>3*gMo*vvUe}34-1S7Quv3-m8$M^i6HU3Y}zFm?}zO#G+6b|nB! 
z-iZf1|CbK`hqu77fcIwJgxvohbW9d#fEE5@p9Mdm12eETI8)&7cMRvTNl)MCKhNa<{FzrY|X`XWZ-(3BQ4&Isvs3Q_-;Bl|aRzY8LGvTvN_6hXF68<0*f zgL&NCZWMiQ-Do7vKTYO)6H1$y#0vg0On7YjYX|m=b;D@qk-+F4PibLQ_H+TY*6t*R z?a>!^H|UIPZHxC0`U4NI>-N!S|9$YfRAB6g*m>Vl2eIF`M6+8j3dMrsGnN*)$5v-m zV#epd<5A-B3F4VE@&*d-D@lB=JWXs!%gTb@FI|HnzO1jItGnzD| zEHyil{&j>oXn|!aW2vSElMV1O4yPDS9fws^6DoN->7K_nEuEzb?{@Z6m+7v5u~WQ} zQ{;$5yCi@#x3vkn-<(^KQHD=EfBFjegisOww~OwQ6~?YY{Meja)bdpjzpoe-(Rj>P zm#pQsADcJS)0r;|#Vt>aZdj~ceuZP7E&N2=dB>saE`F9WtaQT`PhNr@ExcxzU~w~1 zs&l#p=b|E30fL$+BAmTP8ICaU-{aw4dkJ|${MU8!L6l@T7Q%Bu@T0Ab1n+81kXEgk zdSlQ!?>T)MBn*Et2ejClqh`r5PJZ4eZ?<}HAon%kWu8O?QBlT2jW;?M2Cck8Iv=oM zWgP#}-g!TvGFNZMQgUgPbC0t|C7Vkw5xygUZ-WEjV2p@J&*ILDz^#giKn2ix+E^M5 z|3Xi-(2v7O`0|Kk8(uf4*|%_^O6pC#r*eDeW8B}U=PakJ1Z!sx3LIy_)h^4v2nT6y zu8Ma7LuO~hmgF&p600P?Y!?KbGS6EXGYLd|f?pBw8cjH>+8z)|N3tQg(Hlr+?z6{H zRrQX?;`#Sqh;}W{ECT!e*_*Z}FPgm*b$8>*Bh-+-H3c14g&N`7AIx)u-SfY@BGPZ& zMCgiaByDN7z8f;A=Nx_?Q>Gf$^DQ+${Nn!3gWGNu!{4uMhHM!0SrUcfg0q3x+d6n? z*?*)+gSV{dv_XMJh}dVRaycIe1-u>>+LZG+Kh(H^KS^nns)}3R+A1r%INp$9tFv$M zP&n|oy+m}ntxZnK!emg2<90ca%6$1c@_anKIXk^uCN6TYNwjN5jE=?ApypaZjS>6{ zz%~oH(og9iwZQ7RsB+ARYINqPHU9vxn@!rMqF84T%UjBkiSMtEcwE2P&}jrFhZcTa zL4CZex=5d{?HS*M>rFZ-y?mY(6^Obh*(5Ka&cQe>Nyftu79?Ruq~|&ciX(6cRf>;B zUC1dGfab||o<}a`KcfhFFIUY>1JSQSS%!qjftEcF6;N6UatAvv3N)fIhcRNmuw5Q_ zTwC0mgZqrWJ9p<2=H-FP)E;!o+($PZ6l95HoEv#hviN=U-)KZUX}lo&Zb8qPMO?)G z(JkIC-SgMDu@)#e@a(Qm*DbO#jQ2;6lJ&F{_XBlvrKUk7hqu6?INgXifljB%)|8$8 ziJO>)H=m*Hcfz?&ri9wJfmtpsYVpTfoQO;->Zv0-oR6a0-ya|11ycf$u_JZ| zZqd4H8b*I+b{#H&VwK-Vthys=SxjDr#aGQdmto6&%HVfJ!7PEDU)O5&3`sHvyQxicrwfsG?oO70be(}+LW1_XtLNJ_-nFjjYjptIE5W7#XJj&)U_!R0H8t5iN<99=Ks=ua@S zWlMMzuerlcoidvY=eOW1KNt}pAS95HK$;`7dd7YVJV21ce{uYCMTFbqkasA7EwCqoFlQI+B(`e?j+WPJEV3N>;#Sok zGJ&$#=#(5qIW@ZpRPm^-oh%usJH72j(yqPb$iZ2zRl`P^0_SNj%+Ty=W5$a9@x%|GWd5Gw!c-Sc~|ubUi9 z9|{}iAg&E8i|;Az=B2s%p=UaCPCGPH2KH&CFOiao6D^xptB37+H?}NdXvLUwJX<$2 zl9{BESx^new9c30Q<-r$1`i@G29e|)cNLUu zo#{e_u>;kSA#W;CLuYU9POX^KHV$|WIq>L~GJmDl_QrPE9+~`1?rVg^Pkk_{$s4h} 
zt^hr2`N`f&=p{Mi(<<2H5jO#8fBxq$a9bXFP*2J21Zw7)?e7BpuHsegA}XTU)eNus zvox@O$w34YRHL+UGypl7#$i)-vf7+{u3?Y3rrd-V^!c;k@d;{jz0}nmJnGDcE1Pq& zqpWi)9hD4WxU->isDNbNNJ^G!L2tnQ%G318aji$L(e>&@EUlKXn?f*^eRL0U z!JI~;RQ5OXjY5IRX9p1EU8PFn{_UaU_k~-U@hAkGqEfD}$JVYKxP68b_c_blA`bOv zyc!)(SN*ZA7OMRZmzqY1>}~ogtO+d^wk_{2%Nli!Y&Pz|Dy`BvA*v9`cDj|>hq>}d za2%tY2{=X>DXKR-JzKZ9_`4kj_0J#By}?-r$NO8j-K7#1Eqm8%hpp79Eq%VGvHP!q z`RYTvs+E57?=+g!<+x9whB?jr?)$L)7hZ>_@4&HidAnt1ksa6GLso++eCgakpb;oQ zVp$q;To~yv7!OH{qLBJfOY{Py3v<8a6cRC*(NIi0f+P1do^d>NY5BX{n)>=M4JO5d zQ+X494x>hFu}rKwSGgRTRFa=CZ%d!Y#hXg=8D%v$)*T75r4fae-4pnGpY!46_$4^l z{E^Is^M(4TC3iRFUFO)n+6%?&U)(`yWjgYp-t%a&^M#lKHB)K5Lb8^P@)fB54u)bx zUPQJdTkD(Ui9nj49k`X%BO_c5f#3a0bony9^X99i1ZD+|skvSgi(ou{$qC zUJ{lHQq3W}sYx%&9205jj)(QRr7Q`J4lVSKj9#&<4OJ zcN`U%1#G)SO8yZ~gLz<>sU*P;uvdJ2o+94QygV*cFV@#QABJOS$ZKqt13m%Ltr5Qc zN|Uvl8~)1ja>bLVFK|ftPX}P4T^-Z8hae=NGM~jC{A#7DLb3gJFMY_7@u%|ufqNnI zfy-E(f&%y8n7QnbhyK;Iy=aU;fmU=+wN>ZGnNh$AwJGE~JY%>f_$7dH^)_Q5gxIbEB{Awg_Hv5N$x&>|LG81ej!aLS_< z>aDo*d3UlDSFMivakc6D@J%ont$Wf*HLd#*8i*u)e)p?|8Efurgb34Vm^+rO#(L_D zbS$mZ!~U#99#`tD4tq*0HE%4f`j6uc@bPsU{@K1ybl5k0;}Q9xB(~`Yt!ez)W4=Y# zR3QUj4l*5w@8|KQx@x_%-Igrjyd(63d-R)|zo7xs^woP0J1nLv7vtF@>T8KdtHfMhj}*CIfq%1<@mkO zC)aKet41iM=yF_@kx3Ou(yH%*<>L)QWv#T(Q-V#N$vCChL~a|U{7_bV?y}$M0KLP% zO$SI-)aIE2;_ct}|Cg#T+z>y71InZWVh3tl23c2Cx$HD-4~1@y*Zu{5BC&7|h&fY0 z=H}XDob?>-DEO`F(P%7lCvOTNx3gM^C1S82 zGK|1K%J1(Lby8AbP?nQUjR#&x;1Pdil)4< zlopH8yzQAv{2rOoV5ynaa+o)X%_9xZ1yJ74bexp9n^}$LlioF)Go9JekuHnb>D9?w zP2B0<=d*W%2mFPP98H(rjnfZ~2%_))dh*A7-kCIW(5~~&I`&Jed;c1lkX=~qol6OTEPSjl9|Uv;c`?)D zl81Em$nh8`R9bddZ!VD;K5oS2`o(yJ1}&5=67iAwsK-dhAYIXu5s9pFov!c+H_?#T zT}ptOoC&!njxp(IkpDs!R4#1ab?E#7EQn_h@ri#U$ijfwGnMEUrFkz=q*VaSt>SZQ z|b)lHH%6a$y-e4mxdVgBmSlkz7%e|h-J!=Nmi$EMLA}v5=|%{ ziI(t3h<8img*RB=i^Fk+Yei8P_qSJwwagM_!RI}tGHLS;48zSSdBZSN%wo22Of;MH zb?}*SsYZ>q)!e|yzP`SGv-}6|G!p59A)Wha7p9$$0ED2No|WXYjc-Uk_S*IIxaQdS zu=Vf-TxG}11c#=ZJWs0QMAa`Nxa}D|7gu$`b0`-UaKt~zuS+o#KYsd>dX94pyxBE10t5>yfS^uz^R(8HNFpGHbuv?od*#9m$S|)G*F4Dp)%(h 
z8j}G_N2uEUzK6cAqaR=Ift5;8W!rZbRii`PjYO;NH9gn;j1O67lu%@>baI)GZ~rHO zfbhQ)2;D0qVo4ZCDrS%m5w32v-|a;Hu}h5jZ0(HhaVIthWJ@$+#@>izJ5>u8U=zne zB*KYQL~czX%iyNsryiHnr8hO~`_#({L=PHMxP#MRxX>6fL_RHl>?Mkk<2LBcSWtSP z*j%71C2qhgjGP8P%$V;%>9nEPyI9|Hh&^t2EtF<#Umt?ItE6Y?u8P*%NBvtO3e`&n zLkboZ@rc;e4;#e7cN`50YYcvs^htqx3PBGZ)xSzjO7x*!4jrCO!I;#%Btu zTv%%INVYJ&lo0l*HNPl1UW)Tp$*Wb58%II8Dj29soiy#du4Gui8cxr$Cr#t>NIRaJ zR}naGMBACF;tBpB+Tj@*1ZmoQdf#7&9!$4see3sEWO$9MVsKlpkyaDU zd?wbjVg^L}&goI6k`i3cBeINl1_LPvemNO|`3!w6T&na4Uo^WbS$RMgek_F^w2De8 zYkpr&%yPVFQfTGhfe#9El@jDl&?wWD7r5iqrorhR*n||ces}E;8P_~aHI*k)TJnqK zj0&K}qZG9^hFtf_v-;fMzA5W88Hme;UY{v}2hszOmB98&W_N=x6qU@J?`xkO%(Vn| zJyYRrBDGU!vy~?aFoVp@$TmS*AAY5sm-ohHBqVbLbHsc0uHI3O*WT5!nl1^qz?UA` zP>5Wgu6SdQzbSMZ89qpk#g3;JKbZIVKFq^2G1@MWzkKQtu1sEFNbGZ3s?Cx!VoHjub*Z(pbYu?Z zkJU;&(LFs80ZzZCuI+^WL>xd%e;^JtWhS5;siHWBeAz2nNB^wOu*)3@_S?qX%zU#8 zDJ7Ipmy<>T4W$EZw(5`WaJ2)K|&y$c?oufQ5Wlvos+kn zoM?pvGk0>|{5tG}hEq zWFBCrMUe+q*M1bMcU7x0X)0tfzLDD~@iaGf0>>^%FPD;fVA`xMjG36GWy5Hd0HP4tFMN!?OPO{2USS zLZ>4xm^-X=r^wxaclX|I&aoS6esX+>@f1yejWha%431qU&#hi=m8?9Pb~E@Cy>RCL zhGy8VSOX7;=wO5nHzX8Br(r8ik>PrTnIoyFaq9lakd!R_T|E6ohG@a~=ueJ8-8)^G zs4L(=)++SFbUD*dQ&)K@bwn%vTTQn(CY_@u+Nd>ivXwS5S-5JvB}A3lM&+*m%Nd}x+liQ>qn5*4q^R;~ zT>{WVCt9ssn8)C-N8Mhr8uEPTRycVePc-~iFnZ6n$h`CRWNhb*dIr3U&1lN(1m*+~ z-73h%qEY_tSKRE}ofuBIqyT?@psYW&>Te}qz1*`f%Q8u}U9uOihG2ixft|?i6;~-5 z52s!skNwQo<#rrPdFU+k&VcCOF%)ax7s>9o6vSV&Ge*pIYx<;n+umnWc99I?X?YQBXiLm%t9ubO4CEb~e?{8`j)2v^F zuQW@kFiPVn%XPi)7?ok;ZjGeg;*)YZA=2Wls(2mo;=s)Hfe8TzPZsYyom|2hkH_6l znOR`VGBg9QyZ1E)QC{`(IGahJdnXFZ#4$oNBF%Wwu4r(Xo|oNP(Qq-Ol`%ylzst01 z@{wslA)YG&Q$VYO;?}gif>uXzk$uK@q64P}M&C}dDx}R5dJcSrf>e z#(lXb>M|sR0U;Ypq{2BTo~>QEC9ia+mf?ksdV|OVNl7f(sco{ELHSy;*=b~F5UmXiW?v6$#(nB2a59RoIn-EAq^toHqt1$2k{Eyc#Rjqfw#mu5l(f;M2(;pL<)}=#t+qG_2^X zy~uQ@mx+m6%3^7mW^nDccKiEMXEj`~ORLMrb)R6iN{lYTiNr&S?_&gH+ui&jP$YcR zDQ-|J1`VR6X-R8puouqV`430U7Dhs*(&!D-q$K0)e#0giwwQmf}-u z9-HC|G^s)_Tv|ab+rL(_*7u7~vL|;F+~d1- 
zUn52mr7mOuNhFoClcR<~qwX3_MWzoCHkQMC^Hh^3TC{*)lK8`D0Upk+`K6N=8u^!g z6>l|th01*TtHRWgG{rQfR$J;bi3nmk@#jO5_Be;8-m3+7_*=rM9HzM+7{U9I!YNXcT3V_x1dC`N)REL^^jF69kpwJfT5B1Wn90ye)kR}wV`nE6>8HfB7z~xW z(dRP&@eY#{g=eE5wL#Oz98W(AG#Iq!y7s!E@|iB`03y*^HHW!26rPXh@PM%Pwy zY3~P59ktjredKumyAODaI|~WQ8n+?E$C%lWQpnKs2(&s8MwjvX%|h@xyEmtn@jyQq z%B^}kYI3~ri-%8#J6+eKE?XEMCHbJUUhr5KzQI1f`U1+i+#-Kuqzj+kstaS^63zQ{ zy4dg2y&QgH7tLGNuS5-?S>sV$0mP?D++xlp9C>}$IPUgVF4~R48xgU$3q|UTHwo6G zn=EK=Q#f)E!#qEj1yMOrALWOYdhRz zg(2#_<|9hJG@NJmGC8Z4X_SRY0TF ziw;eB)+BuYO*N>Orc4)CSqY+sZO-7KH=jF(+ap7LvU}yYXZ3%~S)6?QkDNtZP~0Dw z1s9Ss*{qy-q#YD}unq6o7ln!3rkvGH^Y21X=mT$!e`Hf+fm4B4OuTnly z*a)*qr-}g2QxUZ$o!Oc>M7^CRv)`8>m>&J=utkY@Mijj^K=uD+5SBtLUHiFsW5?ZoM+4lkwi3676t~NavKoeW6;cnC4*A@P#jx+3LQ|ex}wCinq36jj7P#)>@)A1FK;Loh?ZI$-VE208i5HsUMlI9JpTglG0Jl7$fL|;WBLm3H?PgP01nK&y zXy>XvSJ)Vs&3^>~g75Zx0&cskY&J_VfT5DQA!R5wiFrZU;ts!l%(JAxn9xe&$U}cArD~*SXy)C1TMU>t82!uM?laZ$A$=UDqnqLla z5KOp5lrrI)+`iE_{V@75S#3)Tz0Mfze5_ElG+X{B0EHCTK+`bVF6w|dFb1vUe5}`m=aIKVGo>MUP#_9%LIVUp}tUT%ARiDH#b>LVs5dn6kwrrK938 z%WeSc&cGlX3o!4A%KB4$QIHq*rb+A~&3*3_d1D@Y9_iB@GO-t4$4C4o#b!v4 z0g+)$J6Qh%osf>qXg723=A{)!j4j$RlWH09jY74Fc0k%#)1s03QN7T94 zk*|X*3xGl*@Z3&GV7MmFXIfnH-SzSD9!3Z^a&!YRr^qnv{c(@LTTiDPCccM3RF^i0 zEoW7Tm$3Yy+wND{3C{r@gm$Z6FbA-*QQJ!YF0eIWt@kdFwn&Yd{Gj<#b))l8bvpd8 z86g`muo(r!Bn7l}uPIMv_*^9IZ51pE9g?;OGKLfu-Gvxt)-=P9CNGfH29kYi8+fT? z)Zb%Q)Z`v{=xJ5lezCyn7naiUEs+AikOCfJkMXCADN@(WRI4q`&=B~IO~nQOuns$! 
zcBtNd*KJTM#{t?-WDrKN(mSvLHI%q$axtN|YjRBc~+c6z9@0q$;LoIv* zZ64if#)2L^ojT5MJlbtzQaCD$6lZd@oMt9 zF-Se3I-@hBp{FUGu*+n$EsA;>sSn$eDvEujb95Q_4SL1fqsJXu$0NaD2S#y<_ch7 zFBBK|5x?h6Ib7T;>S&S~dq`qa3azRvp|LmC>53v=vYL6O)clGxIP^1hffz2JCD!w( z%Um!rrJ<}97mAq%)>bx>8XFl_dWEbe=F2*C;Y&^J4+bq%j#1edjt69X1bmt_MLFb% zDrp5`RE<+hk@|s*>oVKW6mlwm!rmWDp!}T+e0_4}$+hM~AZiZD73i}(NsnQ!Yk6Uq zHc6HP;%5i(!k{gw3rm1pS90X#OUL9xH;X1wjuq()z2H&sq>-?>3hb3QrPGWYAlFMR z?xO&kLkm=wKsPZQNu$WPAbK~$jCmz`BL#NSIWz@a$22ZdWQI*AIU7Cam2lrlA=pVS zp#9YP&i$hS%2+ujiGibXk_#{^`COt?7By-PO2ViQc0sdi3D znt8R%_R&U=eEl%?+p|D*zY8<8S6R}(F)DHQ+O1MGQEtZ}CNio)&MJ#RN11-l4LTic zUmqpu>{sg&GwN?908=QhGzE*Kkxa>RJtuf@2p$zrP{y^C$-(RqQ3-jaq(1-^xd}5f z324Q%N-uD?;`I8G@oBMHpO3r`w8`KEd6U>%Yd#effJ&Shp=&tveEzqUTRg0+-g1}b zjp?uzpZz3f(mNo2^#MP;z$$r~7j^GXK7~?iFM-VnZ+RrJ=6eqXj{ zSmQVbYh0V065Ez(oH`<{@5YX+EzqhZ8O5Q~VIwna<|cLLU2_ndsg7s0x-eCwiAWdq zE&Z!>Ihpg}!;7Mkwfg0(x)wFYPyK;b-5EW}^2Ks{oDb)xqob?i2H5J&&c++Hl51p% z1(KzXjxm@e;kQu_9PrQ8$@=e_Q!zoAoY*vA>GK*wnL;bK+bDMrU0(A&H+>PytLq^@g6HFh@)Q8m%f17GAV|&MoEafqoGa= zk*Vyoc|?)jf${K-%&^j$zv9{WKFdp=BG!%;kQQ@j4wsX2*V)Uq-7nnvI6hV@`=Z7v5DMZq&^4Nw;$q zZMY^i`w)t@D=eta*jX+2f|}%TMEO(bKwW>~ENCHG80^|O?>jRFoF*3+^>APHd-W*F z>g{=X-AUSi3~e9l4LUVx@e7|$PD+up2^p?%TQdm79Rm=xN_Ts(Nca;q0m6gOk8 zdzXeEe5~B8wy{*=j}d0!2T&{ui5EB*m{S!>M3J9$v55rS21CEoP~&?j;E!06*9O%~ zZ2Ck+uxShvRFv+=E+^n@WN#>*^|ZDIk+%~)W^N^QVY?)C)21f!kUYXi5hNX7N+p`O z9!!=Nus7eIyn}d@*sQU^TeTi}7@xo%T=Z3#YVN$3 zIhk8c$Y)AfYjfJ!NSaE9Yw45q>fxu0X%?xdy6@)TV!;&IO&#LRCM6epLSYy#q(A*+|uOOJMkn{ zM&1T-@1Gp)lG?=LEn@@}4)f^(rZ4Hidu9=gMCvik{n0ZbS#JZ&v2yk|8GI%_LvMCn-u|ie_T?mf zHJc>z3FXO2#7y>;$(c!h^P#RjHt1%6TO!AaF+ISMxys; zds8`pBY6?8>!Sn0ZBL`(GU9nQzunL9aHs9%PKkbh20#ls-OR;uwlu)Tl~Wa5e41uHoWUN zS^hkM|E;a$TYwgke`|pG{Kem8J`5NE>Y{Z4ie>uz?>0dU01yhq&7uy$zYFC29H4x% zaTb5GxH|Y(?(@IAAZdREU6VslKsjquKaE%#IlB=ukY?Y01-W(9+QPc$$32k`LU`uW&-!EeCHB{VWN z10qv@^YLo_5e2f!+(!LFWBgx6@KJ->^VsAaGwXkaZ~poR;8+y(d)bvv|2{SJ%IL8P 
z4ldrmJuCnA!!Gtm*605fJcz{YlS|MabP#`d+ewZ5I@B}ii?u=)F|$J>do0@W+W0e_L0QD0)ob3;>dGZrRb6$Sezws=uUy#op4MQ=# zT=CJQkTHBehqrCjmp*^~d>p9Vb%Y7bFA8Ot^tHxlNu{;w-;nlcg!f?-(~6l{u7dB! zf&*DMelAAf^#eRh(}%g8-gDE1!=HpqyAAD>kEjBV-IfWQ~tjubXSmI3SF7YA(x=9uMq2TudiyM zs}eYIQ65>7w+x>nUk2F8%M?vpXG`oyrjB;a&nG`e#+8pC;!_uS0GvbYsZ~?b_&vn2 z8FjOPLZXz_D%bmKEp}^fkO^30j>0uFMRfuU9Pz4zFk0&H#M#_U0_SD=*OsUUiLw|uZH9@~QY@<-cVe1DEN*Rf_z zTYV_CKoe&iDFjrKRUG&tIKJ(8SzS4{%%Whg0x(Bo^;ucv{Hg>}X2WA~&g5RYxq$9; z1*>47!5D>d-oTJ?Jpwe6hf}}F`&UkOF-P_oy$)5RM|%w#_c?ZFn|%BnzH==CwGpT8 z+j;Y>$BQYiuCDg>T0F0mhlX^aODZ=+0^Y)etp~ZA!D2EoIm3D$QPd)$*)6A3OgpAW zQ6{H@og%UQ3-bR!R%{a;yeAs@q+0E*@Y&p(Y4Q1-VZsO>Lgzr98-@Me!oo|+j=Mlo zGx6Ka_FN0cU9COaOM48%TR>8EsSEq9Ec($W0wVSf=bJRqeR@mP=TO?4)yoROZWLHq z)%`c4Bab=5XlPwp>zhD>aFw3d@KZ%A(xxHO?Rck$d}`XZapNaAie;mx zDyNgs5(}SsHibF+m5P2)`NT$|z}fZQiw3vn-Zp{;M-=ppNC z*XPM4jiR+#s6}=$Ne7bhsN}SvXK-$75h_I0ySKeYMHfxcyITzD8jc%vS%-zg+NKkG zqiOd-)v;VD^?OB0U8c4$OtwWGTgc&L!h#40Pf1B&{RH>Xf+osWe&vHYn5avK{GSJ+ zH5nyuO8fE!40sJG*H};{@txrl!Iq`?cCjbEB)Fkt(US6*xO<7hTi7niI`1&haj;tI%4`gC5)RgAN z&+Rs;6TDXIw}vuMCypZ)6i?M+n)M@4MO?AHW%$~tES0eT;g;*{N@SZyI*E?S#B3~X zd@{d`34IYcS^pUgF8*2&!c!GkTRtMbk1)tYlj%TASu}!J;A6K;enI9#Kd39YLPmd zCgn^&?s?tGx|)g%##HW62OFDfukMGK51zg3dK47Z6D2ZKg~~Zm-UM6+4*3T(t@pVv zZ5y2r0ZaQ@^$=qLA3at|)QG?s&Wgj=FP=A;ZPl5p^!2=n2BnGyqbWOrO@@+Ub-7Fs z<`VcE@PLepz8x;$o=s@{b+8q3S74*U?)UlCD;PVuClFu(@1fFAnX^;7M~L^%{-w}6 zK4aVUJ=V8oFMsAcR+-90?2*d&2>&c1wfz~#F~s{*{HiiLR~`^!Z;p9PdMsiVnxzLY z=gCXgwZO!zHYl)p+;OQ5rOH3@FW0vx7GZ!|K>S%BWv{s zKki5`&5k9gsh*c=q)WzvHLH4a#;&R(B_?s0o2lEC#D0}v=dIRTTmT|T zRuA#V-e*ZjRtxq1%pV5@!|EthpLX3zuo$mz@{HcK2svA2QLiEJ1?2T8JQ;v@`l z&li7I-uLWQ;|XZTFhtGqOh>DBOT2DoBcQv}>oZG>mU%kcb!-o!3?Mu?9nw{mcb) zZ`yFf9@l9f$kQ7enhUiHwV#gks~DRbN-^l%N}`}NOxYcb#Ffm?iX0NwSj@^E2zwx+ zQT!-WqeI7Pfk(a!Ca~Yi1PYUnuhXdPtkX!SIZvm+?ebnfOzK$Df-eA|hjt`6Cv#HCJn6gyIkce-F0NgS}AoDbyX)HBO zK)Lbx&<Q4!=zdY7c^bHNAjcJfcLuO2{N*1y-va10R^=*>Fy1T>5(?McP+=M-hg zbbYl@>dNw3HZI56t26XAuh-0ev5+L?-e1KqmmKgB;vDSL`9OW0sZzDC#l?=|A`snD 
z-bmJZn#fn}sJ&!=`}N&{Z%(z$$&l5%)YL)pM#^UAdK2yU^8`iA8=H3vLaoy!#K-8s zI8f}<K4g!JU^^7NB{cJA-p&S3>-qUxaB8hNAgvi?wZ!>=D0<6AYOiJKy%{ktX;7 z(T_fMWmLFYdXgy~eYf!Fj)gLB&!r9l`L*w@szX*MK0nFgRVNJ^xIe6@oniPq_Jl3I zrhIV`bORq_#wI;By54D{^~oVjY3c)MqX%GM;pm=I^=-=EqB~yM9HeP#Hc0j{SU&I% z4cks1+*Rj0$2NNWBnH^ZO-2)Yy^P&aeG_YGszIG7Y$<)sZF?UFpP7tDB0czc!amIm zdc=a6>a%=Z<7Cxjl2aZ*=Hh6j+}f4ya`w*R11HCph2(F~JE~$djq5ifF&B22#Ky{scVL`ye%CcI@e>f%24L|q@QNC&1d{+8lP;qI9NitADabq z7gH2MUQq_9i*7S7#YGa&43^ZRk5C9+Z;uEmcgQG@pEl{ehE&-ZVC|EC?*UtCk1x1i zALwE80RHn!`zjVCkeMM#lyA{ZUlm?A6Gs!3?;dpBF@jpxmk+P=OBYN999~r{3pSo)v z13?Z&x;gsWeYg5#yPz(|2v0SqA)Sc{JWKlE*;B0coyDS^U zne=#_yHGb`&x3^xkCC?b%N0da3Ll%-7dxK9}_tJ;T*(I9Jujj;xH z8Bvt7l`>v9Ntijk>0cSzDCAXRAYH?5jpHJpZHq~p$SOfPdAga9Zt@gay`JsSly^B}O(A1z68BN8}+j^Shd3kh=u zonQ71VtafoWg2&F!60X9V|BT+Bg!M3TJ?;S^fA2;BU6}ON6dVGCKw-Uc5Se3Fx-K^ z4=7E=kx8n}S!P*3<}|M<7!lT$5Z&vvgbx=^XAW(Jv&QN#JjCYr$nq^6EBDZ*WX4?B zx3MFiW^u?m`nQLxBWX>LTev@wkN(awX#FUl2Q;1LD9o!nc4e)0W}lac4e_GYGYyD1 z1o+hyq$458b+9GnjVtWAT?Xp%hPB*>8qBLRdNdxjzq+Us zTf&cO7EvxR#q%^PEspn6R0&o1aP?W1aGC z2Cn(-%F71^GP(n<$;s7T4h@V+{dVo)!-r@C-5?zu9o_CTil1&Bw4thh=NA>F@5=@t zo_Ei<2Mjx_8NW-n1_8*w(QVxXfdTYUCtp&fQ3Li6!X6;wSeiqK_IBU_q+3x>nOe$N62fPWh>J zC)WNiP3b?hbG+rkNwg4?-(d8TP$;_TEIuThraUSEh9$9mE4C2cn0i0>1?#=x?kBJL z?vCokB;~!K=-EsLJ6Yjs9^M?!VWen`@2hUvFX!i?5`l(v)?{_rPWdl^(N7LmWFd+n za}2ZjGlOP#MlH#zn1M!atCF93n_aKw)EYCV?+GOQogGAa_&&~~iS5Hxk2}PFKh2s8 zCe{aK{V1~01xO{b0PFo^XJ{7A?xXr{*BZOht7+jkj*`$X7URF#0@qyu?oZL}V9~1P zKQYwrUadR3Yjb$S=g>jyPyle6?ZSrt+JfQV+#)01X@kZH=7IfEy|g7IiTgF8D!zYw zEdn(ym#&A@2fczd{5=iHi1)2ehUIgnHZRc5wvZ*fSu`yne8(b5PyQ@S%k8v_jB3#) zNJ|T8uC!n2ItsF`15~3Y03*l|c>6fohY~MPu@#Mxi zbCk7bjGNV5>aRY}DXMuUL-zfgE&S$%i@7~-4su>QxoA^llWo!`g)b#|o%={iavYA1 zIFN3zZzH4Iy%U)9tB)KFbF_ZBu>N=c5yhI%5Qt*!*Zy{-_UyAb4lv-vlnieCJM4eW zTlp>v4C{YC_P;?m_TQNR^b`KS7KHF#yWd{De9fCL^iRm9$KE!CtUkFv`6--&5mLSv zF@lj(yqxj39KpT&+4cK$&5=oGOeJ}aTrXPAE}DPwACATUqksJN#Gj1W8;Mu{!52K^ z2N<&or-c8(qrNu)zN$f?+@-(YHLv&n$(YU0x%dwrH8=n;W)GTvyY=^b<^fCK4SG%d 
z|G}f*5B|xR{n+v0AMD!NyvJ&eroM{(2al?pzdoTVZX$T%uUlaMF7eJe18<;h-1qxG zcvKu9SwFFHCkvsZ|o__3ZNIxs4T7K){t{<5vj1#Zm z=7Y5+Vha4}Arb5FO1xIkik`L01SsN@MQ0`1@JvI+fpx_N^#^RR;l5Bf42 z`8qySOc`7&xV7?AE^Pi>kx9|dgKY+bM|rKi0IIMJeD|Avf$JGTfEn8aTkY}#)o5<0 zWRS5jKTtMOt$ygK2`EhKy$1=~uCHt@encoUQTXO|+j5t(`)DDb!XI~?=e4#mO#GBT z`C90Dp*rWMlxHZYaXFn03)-w#lkU#UsVv~CusM5bD>^lD&p=!1AD=xb62s)%S9v_9F*2k0}G>X)V5;LE(_?qPE>|N+!AfUf+e=pI)#P z3c;WldE(#5F|KbM*vSp2?6UZ3CZ>~+RyKAa0L#NSWX`~MFwsU%*g8`kQoJMQTy9*0 zbqWeui!m4be0aDM+aA!TAO!6aU1BvRZVTN_lRi7%&6Z;EgU<$QWgm%!uGB^f>~03KYVA)26r#MV6jF`VPfp={Um9L6XN=T z1f*?asSlCSRgfJ|n%8M{Wu4Ys+atidb7PKHkODbp`c@N59iPRCi>%_R1 z(AZhuxuZVXlK^%SA3z~c(xvVZp5o*9;6Y-=p3L-ep8^A zL2D9FLT!nt&-+#5TSxNs(;$mg3!XiS#pcQU-D&rMR>JySU$wJ>Ga|1Z)%s#gN*`(e zNxVsrG9L_3%S*LF~`^sHU#bPu&;Lo`?ma0T>d8drOIFl!;xIMd2e>f_^OM+D{c z4xN&`9OzY1;bTw0WEEc2*+FnsR8+{hZ{B4#8tCc0uM2Q(KV>5;z*2AIzn1kTjLL#! z;gAKkwZ395qvanJ+=fg!@^j^wbmQ%jL)C~Uqz@k2|F|AEs*;d@N*d*zyYSgZpuK^42ggK=IW-(iac4@tn zXNxRy>sWAh9_Q%usONQfD&6e;vf-;EzdB$hwElQY@qRL0@rD+JOsevHtDl!M4&~h3 z@|ZtxWCSHpU&tLRT{D~?P@?AqX6`PZSXk?UdM>Wb>1lm@xT_i(SwwV3BaIIo7yYm3IyKV29|HaSAU&!bbz}Tx@C2pz8?JA>S!Ptl+{vzv}Uj zGBwYZ@&Jlb&7QC{B_tqaHKF=Kf`U5KyqHOD3LiYF08i{)yK(+KjH@YR73`4bGcZI; zr=X}3UbwAP%G#CyxTB=3aRJMPh!NJf!SzIEy4aIYLl%W?W?B>TDj&Vw{HP-m#M0cF zhb{PSLF_3;P_d@DuJreg6WbK8rh)gpWxv^e_F#rCJq}r)d3fRRIwDZHua8;k`T8m67RYe{Se32}jc)GiqKH+&fiOHbDlHJt;>H)$rIjCcU#KpY<3*5W; zG}e5v^@u2JS*yCOUepisifc%O&Uld^V|?i*hesq-FY2h!*&3%g8Hi8U z?BiaL@g}W}q&;DzV#3Mf@$ZIOVH8j|y<7a^xR`EodtS0liv3xryu%`xR`2&YTyLqI z=Z-9;e=y_SHp@lLLvSzj%4d<%;BBHn|IQn6!yV(E1@DhSts>7im*V-R6A5E);oz{D z4UNs_#?>Du;_^1n&MgGRHe;qH1%8pA?zC|yxf;0~(LZ?@yVb84LCuKSl_vC|)2hA3 z&*$EW>pM5Shu9zn*>g3wQ^vaHyD--7iKQDolvu}aSLyx`^wwSMi}_i+C8o>4jei*Z zemFvr^ur27dX@}^uN0{{hIa$BTR&JMxY7|Hu-BQlE3v=Jt@9~nq6*`4;!+)NqTI-EUXK~3u;B37#^doWpYv-A7{N(WC?|A4UUD|kOS{DZ7jc3 ztRH&n#p-NZWDQ^ByU(5)JTlrM&9-c^kL2h<3qNa)vv3?EL`$VRt0xH zQZ<4ww158`bBQ>GE^P!1Xe#LRBpIt+j^l8|{{2V|4clMUO5t4xcXIPS8yj{@4GR7K z&d}Alh6{1jFG-!j7`>i_ 
zy?Y&bUGoM@r)w3{(h`s3kuyC=>6P@_wI^R+CCWMsZvbQx9rODm+m`oy%Jhez6-v;J zvrO0U?^Pq8rU(@dqOM6O?lc)S=4h-yEp1A1*t5mh&9)rN8Z_s|jIC3v$v?x&2onw6 zL^+qX7*=P@U`1=Kz1C2v0`%e$6RW@)45ZV%#%Lzw^XE^T}f(4&@gXyK((7Uh$UkE$Q_I#?@udi9fs&PTSsUHk2R7$z^c$s6_Fzo z9qy!?qGmZHc2YyqJ1=e-Q!kJDq_J@{Bn{4~cWz(l87q>orPAB)XBK!OtuP5MUcC4L z?0dZ=mlin7z#@{nEHWx`F(@FBQ&~lack*}7MKbd7DpEAE0)I79=FEJ z4|F4dNw+$M#|7W~6P}zHcjWquO!r?c-E)5X3NBBnCinEiZ$;ehR$x^pqtu`=s4eTy zRNh(hh;4?oGH+aoV^_dn-s zyo*>B*%(F8ciPx|+0NE#-T_Mzy971=Q#eptj&9xQtS==ss!H1K9+J+6w|vbYD~`kH zT-A71z{+jl+L|OAH|@t(e$@kc0`*VxAax_#!?v{)KngIfCiAr z=SfNuOBY7gq72=;pM3)g4Nutg960#4WtAt$w3zVDPj#Cn_Q7pe3mUZ7(==t*C#)~y z0$EJ#oY4hI`^Vw-YE#z&-`GrD`!-A_w+`Qj zzDmkDr*Eg5r%e&=|2VT1A)W=t=6cb!!AG!x!gbHr%(PtsgtMcKe$cV0sIocRU=?dn z=!5JhFW+Ooh))P(pKku8Tjic`>w`;oJG%zm5#IK380w5gMjJG6xuR`- zxpd5|R+g{SE(NW1YTd}O5G|IA4WO8@=BEr>trCM}EvxPZ!&dK!kCeb{T(`<}WCR*!)crEI0MjgiBwc;3xVIxIq9bQh>ckI8_ z+_w?OE)Et)R`dANPUHE_54vDvZB(P#EvLHRv$X=PS3Iia0^>1X4zB|SyN>|vhelz8 z#HP#kp_xwcG#NrGzicezvy_|p-XB6+!6ije9d zl&Mr`y%pPRti(4=BlLQXS@)wT?=ZVdAodH)hP>-ymL=caTl&QHj9u%y?vf9)OzUT` zYO70GKD94NXm=udbN*Ckkh>qzI$>)Fqr6$NcSDPAZbQfu`ChY?L_*eqbsi4Es^0$; zdu0VAfVtHxI6$`;hl{nH-zIR0xYn_G1!6U_at~7q72U9Lu=RGQKGK!O;>+obWceE| ztity2`jI1HBdab%Uw)_%Je@a!I66(irRi9c_mA zF8S4}F%;u3n4?18HaI9)Lm+#{H!d&5=iB{ARdid@3K~5DIsyCgm^}5`eZX=2ZCQuge>d?tf}>m1mZ+~F*&v{Ziukq{~5QI_tt#f-uF z&J<_tBfQMZoa;&v03&km9Qj#hYP<8QQ}&2OdB+8VbaBmxufVtX6r3v-Nn1N>>`WA5 zrOPbYiUJf-!$3OI>Juwc(~C}{4*aoHfPR1K$6zfi6|CIX)cNs4vIV|)<_pe$K{yXP zhqpQgI+f{DYgx8EVYX2r()DPu#Vs);uHy~G8efXO{tdFwxS?Y)ylBpPwuY~ez0VVg|W^CxzN}>K4tq#$n5<-nJ zoS5yiggw-(XG2GXhWPlxZfUzElJTYe+F{xazlP+#8`)L=hT@waZ3l+wg za#?kelM%BzXAIx4t)W%uCQxEi9~fp)S8W~4uKj38+q{nO>FidXb;X^Sn^F8ld2#OP zb-nCm+VkN~T~Lrpw%_+>I~TPn&S`O~tKQH)u6jwHQhsjasgt-RQ2`Q+If^m9UNpDT zcB|5gk8hS{1JS{au!1KRF`A%AyP``*&6Zk+l7>njUepAeff9s~b^$-+etZ7I|*H@S0`Ty4wC64EcCdiGcOtShmVC3%EJ-!A7outY3& z933kX^Sl-H&N4r?dnVcDc+XXa6ujFsxvfBQa;796GipiM>GydP+y0nbPmGV#Iv!h* zgcvCjkDhR@lFbl3WZ9|efa`;Q)`^eAsjQeo!rdBwV6Znm24?lmMsyRzHz>9>50=6- 
zR-R`D&IwmXEgVOXgIh7@Uu*e13eI>8J>C|ivHY~0uh=&mK7-LRw`KDoUgVhnd{PV7 zIFF=b9GPxc0dMEH%PQ43slOuB6%;~@MyWO)d{Vijl{QPQm77r?U zv3JVBp&!nHJVrMU4o!V{^t1wB0tzKExo#{tC;A&44!+ZwIRn_liA&-{j^H=VNoFW( zVsNk08Jx?&C98(udk4=4((J=t=!E%J)NQw+5)ixVj;6!xY!hV;^g^cHX6MP?lPqzr0Z7 zP)_r;IIXR3 zRpPi|u~}O&Mq)|hix(zeHk_IMf^+W6Q8{GkCWMgzj02eFh=yH3g5^)M5?^i4?OB8L zWWujc`=Z}3UkRuD@Gd{Ozn{0%5+j)qXXfbt!{inFT{Nw-v?E?;VD)bede8!wujGBM z95>Cso7X&oaib>xezEm}RY(!#OVelL+Dt8|g`|)cbR)f&UejTr44hyr7y6U0?-|J% zoiW1lj-@i-iVF$(o;XCkbx-&7uiyBz?0?jpDsJRT_2z5{0#CWB(h3e@&?WD`vt2 z1@W{-SL#T*-ZzE6S#JLWt4>><(+Q_2vk*^olghp`KBw&c+Zlg-f|GoGuu+oKlA${7 zTEL66sNY~(cei}`C*Sw!!Bb6?@r(AHzg>g?ya)nTA=9zzS9S~k`<-uZ0ARSpmnRSZ z!8_Cn0QfRge)iWH^#A<#?neM$K537>{3}%9Ur=`VD1h?!Gz$9tHCp}u(kOr+GzT2I zYH{*!_qeCmX#j9OH}*#5AH>TD;I*knevm%&_d|G&`6q?L>)Y9X5HE?7K)i0~@&66h z_&-}R6c~nDWrw5xAYLaA9jh@of9dr<;j%RX!!Vk5mFFMC>ktsHf@ATwf9YBIuU|cF z3k(CT`@^qWWdAd~=OTf4{dd~_ciM*kYue7zEPp(GJWfTKR*3BP6>F|dkwWcLxjJ`! z@u*Z%QRPl$@|TL8%D6ogoqz2P|Hq09-vMrvQ`I^vhW&f?&gJGm^Oofn2;pzHfd5~A zEcXR(4alND6vq))3LO3NDcW_IPb+!_-~s5X!p)DKRS9)}#9UHY3!HI1)P>I4hBw)4 zOq#F)ChN)#E6qL8fEk0mR=0(*-Nw~KwbjwMHERA|d869zoaD~!iK)Gls=L(caWt7T zs+UInj7~W>RR`Z(5McQ?XS>hZ``hl9vz&tncAYr!ohC0>@Z-=9n?+BGhnjm5R2^pB zp=IN3SkK+<(VmX=zt~c*XYPMB>w?m{Vw|NshRKSGJFI)zr0}h2>4Py#rSUccjiTgJ zGM0ZB>WWOZOoDLR-;!jlJXu)RrUAL%4xe=gAanEx#`O`y6-rkCe(&jZ#)C8kNNS?2 zO~>LOvQf&M5uL1I&$g`pM1Nw1b$snH&aOWNG8^t$deG{rmBSXb4Kxr~?!fbUY%O+U zy)be^`FAW>_-u;}#`75^*D*`h3VPSC?!!J6@;ov&Q((lf&{#KyfT z)yq(wXZ4g_R7~ScEX!l-RpMjkcb{*U5;gUALRE)T6+AyY?#LJil&&Kk39=plT1gIh z^7-wOX8eguGc%&cKG4Ev;G$u!#s&CtfH-7T>kFX{i$q7W9L!#KFO7Xz*=$-~q+p-4 z%K;uNA2Phd;!643ul>cLbxv%bg^sfk`qetG1wh;YoT7+axww$1UOLvh@3@e{rd54Q zgmL`^hs(PoA;~FEU?2KPp~wBLl)N$&lX?rRyP^gFJ)S-9_{Av^v7L422YL z?px2Za;i{79cDV*bs>_M2v!{|k4Q7c8U*m#_FAgdlI61laJ`0Gt26EqJh=h58di8) zrG^PER#);n*u2WhbRcK1qGWv?-JeA957EsRRtL0}1?Tr$XX1>jkeJ7${SKV9NG-g z;+gP1z|PNsOT(?M?f2-B)1a+g#@ol4+KtkBV->sbAxh07EPnp#l*fFzs5^1>)KIy$ zhT6(zZtm^v~ZJ?{Zm5@k8wsomDtzK*2J 
z0J}+VX>CUb$#k1Sx)SZp3T_-^Iq%4^y5-HwG;2^XD~Bh`3XtV;Vy{MIq6aH!F;YZI zE#O0WVyT4>n`$t_^;KmK6&`C_vP;&TJsw~UX*0pjLu}dQH#AsrQbihH ziJN{&!p01;3fh$EAf@b%$=xV&Cx}>+iW4Lh0FO<_NiNcxvOwp{>-To{!o^u3_JWNUM4#)Szw(nU(uw z2B0>+RQpkPuj*1GDy@imh+ezye2*5N6fe%8s39M=(%b_}cS51>=e;Hg>kL)*hztkD zJ_y{Mvv4adR+A`!B`$N zZ`KRjeDQEHGgr?%#+dbu?lKN%It0V!TWqLL4OnUW1_ep>bei36)DdiZ#ETKO^7w)i zlIihy1WZW_~Z0a~Bj3fWh@*f&`HCE9vxdivyo z*m-!lqUVouQ;Qpg%#;i+Hv-adJLKaYTS@$0!KN)wM4B=p9C1_un;SdtI9N>ca3i32 zvuqCiW_B4orW)YxWWzUKqeB!UeUOsX7+)lmI50JKKIyNlv0sCtpSzQv%y|K7e`-uM zE9z^hZRI6v!wfZ=D2fku2fn;AhxK2OE1Bz5qs?FZS<*?9w>Ys_7d*Giw`-Z|3^gyZ zKe9-uQ1P3KcDp|n5KA9N#dr|WU)KfU3y}zAQ`_%L@>XKwb3JKv0wDTrH0K@Y2AB65 zERYA}qhCkONYsaIEY&KJ2)P~HP8^1b)C}|ej=yw)L7E_2ypJOhH->=rvu>j)2tdrH zW+R{@8uDSBuj%*dajT%SV94yBJ-zkvR@+1=;u>fdFUcBDRV-#{P*_(C)`|~BjYuoQ zI?LY0uyG%H;(#%<$c*U{XQG4@ctjU*8lz)Skj!uUlY6G3mh{y_JkJm zJUV&JY+{>>Z>MYZsdtf)SgSzgp+m}r=E?~zVLwxnZ(O&SxsThWiIWgGrM{dS$6Nq6 zw#nDtuoWAuyC4U>y}20-TR=`k%WY<^f$S17g&-^)u_*zps9-zXq}L3bUb4VzpGfcG1I}le z$MVo>BD5fz5rxDN&l|>8AxZYT9LbZ2XdcI8X!d&4&Bc+sd~dfsqw_(1r(SF(GmVk6 zUb~GvjVwdV3L&WKqr5rk8lE;}s6gepC}0(N{I+^?o!`U~%c5f8)cjzb?G`*7#0ZjF zY_nt3jW5a4$G3hAnIgm5FRV~E|7aQ;4$Q=W6@@CDGcwj!KWqldT2{2H4oW!jHb`&R zdg=A%hhF*gqH!Uw1Cd%e)YRnM7Lw=F7nrs7ZL|Dv;zLn62h;quqv_}i3F@M0+ z&DIfutdoaZ5{8D4L#ya2yY_u-RJMN?!??~An8O&ThucJgC+?PMdiX zNL1q!f)h~=awGeXr4pW6Msw$+NV+hcd74{v(4Q?)p3`6V5IQV>Iv2Q7B^kWN(xrUb zdtSdR`iTOv?tBe}-L_OKPOHAne)_tO=Rq}3WaHt=I?#jit?+uU6&}mqwz*`vK5G;P zzx+8VlG}_C@$b{P$;`iS`}IgCZ0vB0OX5xZF#N3Mg;8Uy`jG)7qHkO@TWi=Cb+@)fCHxYmPJEGsT0GA7gUhu!Yb* zL;no7EOVr-hq5g+q)9dD&;cEmH$%&-GItkIaFb8v%1+q@agCaHOWR%#a5Mu#q)1L* zYoP1PHgmD>4BXo~KbN0;*qx<;TW#kpgZ#68Gz76=w>jViHWQA39k;s1U&rK6fEo-- z!2feO-zm@C99jnM($gyqDp5A7#E3Wz2Y@=o+o`@j z!8HYbI_}5P&j-=HaC4K(GqrMO;#3>bgoC<%9~<|(%6DJ7Qb;5Cs%7{EK5HHQ-R|N9 zM@2j;YysyL)q>F2{ev=wEJ66})Ho^jyt+ib$U%+N$gm;nMItpl!y>zZo(C+Y%2`v1 zED||0W2cG763l+Aec+PL0D>~rv8g~6*-<%sW+r?wzzR#!j*BY~5Scb`m(j>&Rr)b8 zRy;jbnoa3=aT&uiH3sQAWzp7SJ&Wd&g1?Ebjyk8!w2Ue1fY7fsDpg%YZHB*D2Hy#Y 
zuSXnUDfY8yO^^v`gojz9?>$ymMC&PC{v#=)ZB24YU4dI41E?49W3+jas>6yZX-Rwg z`0b#cV3|3=E`gvTmm`wNXf>Yh9{(|CE7XSGn$*!!kLboLBaYIRULX#-SC(!hB~mqn zMXhD8rNF*LUSCBsDxOx&8d?*s+8zxXkB%ap5k*ux-Q^5MtfVM%4j06%@*tt^QIM*3=`51z+zX@2uEGK0B{G7Fx{%F^~4GS?t8r@>nf~at7N` z_%@LS`2;Q zd5Q1ROEtEZ$!4GK{$9TU<{ac3?pkI$Cbn#UX$^{eT0UF5`3ezrJzwrvVo?d!t7JB? zr51rHG+CSD;)$MQj`_r&VouDN62^a;iov_EStD2CIsIIkd}OHAfjeYMxGVS1AKUOv zmrYhRF5TWn6~o6w-80UQ^f2wU3}4liRad)qr={>ptH`!grQf+q{A*p=Yif|Wr~BA) zZltX16o@!^2MdcxJf594d6dOP{3D+S=g+V>&LB@26x+L*WZ zjE}J25=_~(J0I}5T_hfQtzy^OyfNrGw6r+J8o|&~ceYgb-z(Q9pE-zT=?y6yiYm78 zSqPz#I#BCt;1v8z{k?O>>JfFtPBmVu%>nD#7HIs^mn}Icl1E7dF>ipVaZe%plQfj% zW!~`p+Y5lKl^bwmy1=1mV%fqe)7`6KP&s&k^NG#g(-jH#>f=&QvEdM`eIE8xa#A^3 zi7T69A>$YC9gHW7o1-jG&{9IPwV7yo<7&4QZ0yh)Wu!fhnf^%)fBipK7{ht{ptmMM zXG=;MI!;jSe5P=|blu{hy*BBmZIlTZUEEOEVXwKfS*e7WwC6MW zioLz-Cywp0J!1wwNqJ4LU9)c~iWRnpe1FYPy!hgTa!>)`lrDAnTUq1bAj%?SKwtjx zJ?Zkka#xoU>$(paJG5lTYwRg$W*C7y zGU7LO;&@BP%XHO)7hs>-jxW3KCat&KB({Eib#k?I>4u1RoPO06kF5f1k?V+oBIEbQ zKV%A7(-SKBS%pX@OqajL(;Abo+scJ^IyYd;4xH?f?_U$OccOJOJfG#*^ zvuJi8mvQcT+L^0v9uy_Kq^Jr4rcfe=lG41w13JVy6p)^3LVU=!GV4H_Q3mbH&Pqe@ zX}4NRLW%U! z)cig!8NkBu;BHrO&P^M7PBxxGCvLuszp=*<)>G_3s_Ty3pdB9kgKR>_*7r8@=5czbiAVt&ymLLYvR{=Oza~FrXs58U)}u@4mw7Nufap zLifzI=wwxNBuWMcyyTTX(yOyZJ&1_U;7Wnn{y`dR$mCk%mp=4*pkko)z(cFLu#n3! 
z$kp%L3zRIwxgDxMC1L2uZ3S}XW>9X{xN4Betc75OqsjFxF39GzUOJMM*N}+D> z(;H>G=vUQ1cOgJMXRRvIiBT-Z%Sx8CxZs}qjdHpWvXLTu$8k-Ud3P6-jSqu#P{I{W z!4Hyx;HpXF(MB86&_-?0>t%-Wcw}_wIv`9EeQ7Ok%dzUG-6I}@sHhTQMoc9|h(D#N zn8zU}pND&uq9H!Q!~V|_yk^?(cSTG`H7G~j9^yX6HzM>g0O2)ig6@#{HE&6k;f7pl z`Lnw;rMsO>=#W0UO6B`FjY9LVpyR2v-QLEtRjEydWe+s@rOm#cP?$^Q6G3)f!QVFhKWO6AmpdyMY9d6)ff*WGBd<_q%ts~;+c%@ryO3+Zp@Rn(NatXXbO`E{_gaY_U>9je%yvq)1 zr}TGm#YLiaiTgyaE}HYbFg+5E4PwDh;<6OnAK*ox69zzg@0`#z=NGVrnRkgTC9r{A zS{SGe_<03`9f_~W$)AOG?~|f8S!WwAQ?=n%G(P>{ExUmBV{VZ*-m(rMCY&0AN|tRo zajm;lq5x}{%-J$OnzTKq|9YXb>m163&@$Z1Hf5jSz_LNFO~TEnubpq5(lxcl{N!j{^#9B|w<7?f6Hdu$ z9CzlP5{$v;l$Eaq|avrub~(=q6^6O^GApts>HQ3@}KE zHH;tRWvpzMI9YJso28mq+zV*<;hpdp7M*;+9Gveei7PRhei)TMB*0yWw$!1fD&Ek_ zGF0DvpS<7GaiB5G8}4i_Y}7^*y4LxF>Gv9nC{NAAGz`jjQcNTv1Q8RG=K53Ywk~aQ z_ZI$cXS3%68UC*JPIgR2{g45pDNhF~+Upuq+?JFl?ZKT3-t?I?fO(W?xneG4W?1LC zU$w$Xu$pguXh8&cJnGwqf=430fhuzwwdn6NS74seX9C~y(beoLU}Ob)G3T$rU zmyJeC=^PfUySBvsV$ab$5GKG1M9%JtN% zXroEKBPkA92DYAF8GRRg{IO+fN`=lhFUeNF9#3(GkX3LA2l1|L=sL~ZgEZ;Zdj3)qHqZ}^?aaPVu~&o+<1F*FIu(Ugy*7MsuhD!X|zh4^KbXo%`H zRQrQV>QlbJJeQr@#gxRkF)B(q^8OhRcemX$1FdJ)G~#XfwC2~EjJ_V)c&=5L1dh$y zSZRvRtO{jciQF#Cx^i^`_g)e-|FNM9h0u_WU#hzs7$#o_VKil!`}A@=7Hzd>#+1cO zN_$~t*`t1FIlHs}8DiY=314?XA;Ln4vf5zx;)PDY{PonP%VLTub9{^bAkZA51~g<4 zn{pQ5SkP)0M6o*`bffJ}+A%qj$)c55i=kGYc|(dSXP;`*nFci4NR?EYHIv6Z&7f^5k`g<)MEM{6B-qT0|2Ms+d#rcSKL9E?0G zT`1x)mBnDb=W-?Hkr$soEtV(lK!k2)TRQR#mDxE3mi`{w@+HJgU+l9~l9VUR;5GW% zz{&nt4}*s@PJsusfNt?y{lh7(FPj3s`E{o89jKX zZ|3nn7{R!ANh=dqV@mIJqtE*Ud>&O)>gQ_LZSddN)lpu}4k7kNGYKb>NCFPYBh!&; z$u46RvBGVt;%lh!szLaQo{tJPpp9}A1zbz{d1KN+Rrd3^XOGZsb-c@aO#i&tD>FOC_wkABxfmC3og6nzpNCR|H1k&XO-T0Bzj{2gk zTtZoE=2Cs`Zomz}u^!hTm#^aiYqAsfUEMxx+X<_|b9R#+Y$N6vRP|d@1en8YY3-l5 z(c7!AZ$&^a+a`9w=TS}a1-&x~i&av0 zMXzWg{KL2`H%%|^fP(r$oFbtX2RVph?OoN!Z;E@}nLPW}1~i=7;46PYK?tnA{!!75 zKzjkF(lAaHn%r1G;d~m6k~hdV8W+>3DK#3a^;o=U3Tu#@csIQMm6h{V_hyk7#8O;| 
zTij&39_y4Y#zJfPjLc*12e`6+f_Ls*G+GX7E~l635V(xXKTW@WG%MC3P)fF!DM@wzPJL~2mr+E0U$S!1BB_kkjzk8u*`uZ^O#xha0GepdAml0oMPO`CdTEIL31 z1kNmtv8a+=H_k}*7@lTbfe?Rln@E{{*$Kw@q`B0ZYFrs}r;lp5zjYrAjN3gf*XE^K z94<_1KqrD8c6C6DXkYSgQLc*oVU8G;@q5?UWY_IjlETB;(gfH3yxkh;430yv3FRs$ zyj0KGxNHJvJ(Xeu^SngLTteX)nWo4I_n(;hzWU#K8?O^zzHE(`(JFa-h+o23eo8K3 zp_J{%xUOeE0CS`@aGN!T4lZXK{Jh4E#i%Drn{AC3N|Zbz_6rhzkHOQ*_7N6+wJlO! z?%KI=2+(iUSouUM{u&Q@yP>x!Z}IGdJq8waz(rF>_#|(&m@W zajV2fHR}-ciqUSpjy~Bz8X)pn^9tg(oKw5li^GX`S$byWTY&E8#3dNJo#)0Cg~~1T zcGpmZL}yZ270|KGQxl0V&|`Md3O+L!-*>A?_xW}t?b3!<2PzU;>=6?XYF)rkFDogw zr|rvb`_eW+p&j-536PtFSTvdq!4f5*kvxJT@SnABxySO1S-nS|&5}%+>8040KK~hD zeT&=At}>b=UX}2UKizOIUDLr%#m73Z%rr;Y!npin6i@tnMM$Jnyo9oTp6Z%giBW#d zg1Cd!WJ+yElYy!6Ic0|{=ACAjyzL*TOl@02qx@~t(68gW!4)PC)rNIl=JFuQUerSs za65TftCT(u4PNzX8IZOca;nbIX_#qj_S}d<8rc5fX;T)~@ocD;9A~1RMP{UwO6_HI z3o-C49qdJiUMWj6MC{Xew5 zXIPWl);20ADj?!g5D_K1T#A57N9n~SC<=)5-lPTyy$1vYM4E#1E)q%zy_W=}N$G5^SdWTsrn+9K^MbBS_P;w%7UR z9{5mgVHtsQoYF;uoYmo7n|^iLu~H886W30h+o$qoDskoRN&8hFyUlwz#d~k=E}BTK zi3vKpVMomR@i`*^rDnaII?kTN{Nu}ozgZNZ0Wi*}1pnUs3jnh(>0_ZGhZF#DzpAa&B$5`T^^k-f%B8$4EMNb=#i*edw9as0zjzl0xSANNu-=lt;z z&0hx{@BvV(RAIl#_$wH%aKIA{c>=#8g4uQCiHI1we+t%L7Km?;08bc=B>opp>Hi(a zHH#yRmqKUYFL+_+cL2Y`XWR2D`l5nI(8TPQa(}VvpF-#b=!>SYiLCsbEAQOnB-z0a zcf;r~?g8z}`WU=hnf!^e^NFGs23pzdq5qvaNA^X4JRn0(mRd`E9dJAZny?j>@C(+R zetB;o8y%1o{Y>x{02=*cSK#zNlJ7IUs!klcN_s9j@AVF z8;rjY*)Q;;nb0Kw`UQU}9nFN-?}Pv9#D6gSo959>SWf(fB@95k05jq97y17+|G&6+ zhX)8lv2)K)Qttow>-^D7FnxLb7sBAh3WPyhY~|q(@pFH(=W&?qVCo%<;rP2^Nf9=` zVDh<=n6~g$rR&p8xC-5J#Hh5gOXc%hztBPeygT?Ec38j$D5EHv+pOv4Jhy&pzcuQxU+E)yS)%`zw5DQAhJC@h$z2k9hv(WA|Xd1jDQ@ z!C!dR`3?~L4vlBOKpI!V3#2NRK{NgrXuaN<1BoIAGn4<{rTK3L{w=}*h5%!lw{~9H zuaJ;kIf7^luwMA_!Rp`U%?1NtLcM&P#VwnXWc3 z3uR>Ce$k3A&>7_Ua5rTw-dR#8XYz)^w{MsHq_@DNtznuf%icOEvy{mz4Y>5>W<36np(;E7e4tJaGo{s_Q(Ab-e1`K{ zi3M6KMGRsT9{`S8<#fy}n|Pgi=l?( zk2Y$aEJ{rct#^iSvm$xjbVdImKcCCeeXvm;5cj`ga5Z;Ba7irP2VdILDWCxpkwZ(7 z9#~eoiMxZxEz|Dy3-l?ybIL#WrPC|%E$(I28QSrrPW~%@o7sPTjr{8mCe^@FI(N6H 
z@K+XoAs~wXH$FCimZQd~(zf!hQ9~;rOZt8ixf;I6A!>Jqlm$IF!jaCb0NTocwCr?w zs-HspTiDSKTWt-xrmB5gSLK-LW)3;s=iPFe_7G|FeHQ!>Mk*%6vx8~ zN=RTEC-2_k;5W%E&Q5}gEi5(MF^f)IP4k#9*LSEFvg_U#KP!=gcZT~qXk-FZp;P#6 z-p)EM->mnY*QNP!Vtq3XAe{6q9d7qPPc-9!hQgRg@LQ zR)<4!&$iMrvV|=7riyfz7gg&Heyqn0P_m$d4;cY2G)0|ue+P1P++BUqj&A)rJ4N^1 z^Zxwu0cZ_j3w>T|!v;?$^iV!j=bJv(-&*ES^7q-Vz_GY(Ec9@V3s-R#Gd1A@@-^FC z;j4HQo}h=b&7X{S<^9I=XdGIW0m4Q&nu_gpPphevfm-> z|M5Tl-*!;1 zbt2a_F%76R2M-EKT%yFqE;VoxMdc**Zw~~Sv9DtB{U}|^_SF@-9}cGeiR^swqxsUC zMS@QIzpI+DOS>1^&z0SDiuuquR;Qqnc*(B}T_vE&t2t1opBuHEar+Iz6bBw>kVF3- zOa>py=j$zP>Z*KodTL<)b&GyDclvu+Yz!x%)$0Y$8|a~5oajqNUDFJY;8R@f{z8Aj zZhd3YbOMi=w*QdvbSYOkT(u?q@Mfm@V<8UWZ1fm4yPv}H7T}1O;K1%x(ioqODmE_V zV46lsp^MzyiaQ;W_vO7x73mN2ZEB+>@t@M1ogr}bTzA;*6sdOyi;5XjtxsYE96e5bm?CW+qG~+uoiQ*B$Vp#bnf^+>4JDA7MJ+cx zvGZP~_OoT9b*^i6idVhkm2mMKT(zelXJ#E6r=4for}Bz%mYbn4)=7Xgo*&bI1FTvMGTJH$%X z)b&d%x0HCyqgTmh5a#JD3@3h;xypCaS>kYO)7>QDxMY*zA9@w!yx@y%2;T$eu}YxLT@%1>UM9m654zB5eOoF7ftdYf7a*Y0+Bp-yc zSXA1<{F1+STyv^ErKf*+wzzg%6wp6xQz21@grYqwhjiRtr73KFrja?^3-?zvZr7`} zO?SP!%XX)1O~^_&1*)${7cKNH2j{gk``pXzV2AbklM;Ys2fr{|om_A|)niTMIwiJd zCR-}Rv7MXikF#BD#TK|?eeBt3;`ieoulGadB2xG}IX%CvIr?V!@5miNbX$b&^{dNH z;?N=E_2_ZmXsYkl_AAFbK3ANqb?l9cz2W^4>M9#HkKS(hCZr46hcx1h09_(w#?dfV zh&TZM#?)j-pQhQTfS~CPyNs;&UP6sLf1fRp+ExZm)6;8uy=GxDcO3yRX41JYjk}wq zjo{UEr8@HZ1yY3&#ZrApy6IzBx;IhG2OTNB{i;0h<7%phn($P**FCRWgk3(QoyVM; zv9EZe=T?@YeI_Ab_A}{o-^2%Y=q%Iy;O0TR!muRu@F{*f6dQWXnaV7EmdvBLv`0XA z%rOScB&7RKjWF*r-JiPxB2S?qlVE(jp?7ESbw{$_JjH!fWQ`P5wA#FfMUus(qm8aO znpC@DGraJ0q~%qt{4pZgkNj}VIr8%8Llf-_MlQ25EqkicIJ?tt6opVzt0F!N$oh>Q zAr;1;Ij?F+9manNgw6+@U$M=_8Lot z)-aeXly70T7kXRiK<3szaK(NxkPYam6R~}5f+#c1Zo>UuJe3c_uCW|$l+F894WNV^ zK3tsW^9?)jd1f}Cmo%;<+NG-8QSdVCtC68gc&~oNM6!t8IZ^+<&pI%d$VT{Ub8nM+ zvONB9^R(XT7$iJ}H%MuqB9!p^Xw#CsU z)AzlGVZHb-vHjC?n)os+&ZnT&FwvD+Bxs7jIfGnW_tyy}n?DH}tVum2Z-f_b#P*}k zbd&%cDOG+g?E`o7zS1!mB<$9VT~syD&|haZ%i}%}l&R7afu{skarlBz?D!zurq{EH z$mV%pwkR)*o``(IQjfZ71%S`gC3|;XkR^PAYKP!vnI$jcpU|L{Sa~O6Zgxvvchj2a 
zc`^5>)C_71;J|nPoajCH>fPH}3vw@bbx0hh9jDf9dy@#g)Y5)w>hCW%w03h-1*=YR z`U-PaNH0~W7k)ZL!|JN3wS)1PGY8mR?DhwcYb(>A3&j_UYBq)(KT1(Qcf*{&sR6GU zOG#_!S{vJh9Od=gjcDoL%Dh;8HEY)jlLfP*rC_0vm&B&#pv4d!{F17)JwU=yOn@8Q zJP{DbWCZY3k-WFgsXKZ%y$ZMv)+g&`_|MH_auTQTo|!*+Zut9 zS^lJRk|>U{7OZjzy~0wKbBdYLjwE_No(TEvhJs$MN@>g}dv5d`ZbasEn68_!gX}GCAl5maA^C5aez|OnO&apvmsM^)d`r1LU-4vVOL&+*{kP&f==Mks zuQ8lFmXXxA)zmToL6rlvQ^R*AMWvt@=nxkEbs0|?+3uF*JdMAV=7CT3GWE=Vp?fOL zcw^TxvB)$eH$o|adpT(tY!9!1#?%u;(Bb1wqMXZ zwrEk=>xu{`*PGKdp*@|SYAK_iKLOi^D}B($%RVM)Aqpc-$&Rd$%KX!WC#yVv4=3hm zy{j#QWQ?UG!~=9=LyJl=Yh$HBaVq*&M)CFat2W>Iy7I;Z!fD4{q~0LLYK$7UJh}=e z7a?iuqb(lIT_vE+q-AkYi^KX!7;ar(sy`y0dcNOpv=pK1hJ9}2J33W4R;4Qh|K6Mr z@n`?7FX^oKy&Ut7n|CJsm6JreZ}q3L(k?SdTiUrCN?4^a^V~4%ho^`VZ1cnkewU=g zpViF?<%S+g&VXQf7K3sALbMcFem~u~dCpjYa#_%_pFGVDGbu@? zjewx$=M|#a*@`fD%#`;@%=RK~>$hzCtpV)DpUj_lx;1FpQR#kVjWKxWp;ECWsVQ4^ zS`L8!(xgpw5g>)TgH<1ep4JklGN~JqRd7RR_g*Y#p zcnve2V9d-^90lNlfwV~q%l?e+;C$2e!U%7#c3_L?*R@J*7-3Vapa%vdDzH6+opJIf z`7Vs($>*26+;&ep#ja6*N-Xr$q-zB{j=q5|WOG6DsLldRh_{)7S9} z#|f{;!H385At+{feht;K+Z_59pGJ#n*WaGY97X?T6t5Ssl*dGN*YV6>aKv8l(KV$W zQ+r|;mo+B(a=cH1fW7{lm>{IeJRFT<9*_$<89G@3C8|wV+1FQY%U05k+b(fEs|c!d zFa7El6h%AU=*r4a;Q}aeOTHP$KRSufZaFz@TX@22n_H?$=lM+iaGD9zom^=E9a@S6kA1p>sSPCLY^2vZ zCN^5i&VFixqy6O>1LkME%h{PeBs?k9M!W(72@3T!XYlKGNivR5ThODy^U#AfRHe2b zCn^^4*i&pX#_ii9l0>_ru>c`au+t=YNLeYsF^xC2@dNQ9_0;aSIj)f9n<*an8Jz`j z_>13-NvCqV0@(PBX6{L@@~vG|?~Hy=J6^up$K{x&5_12CC#`?5i+hV4*Jx*Qm#$%|!$slQUAc^MZv=F8Dg zFGp9D+naQ?EMVH3esd!^a7Yc+maIiH!q*`2*=Uv-=aj=lOj12pgkOFxyXX`wE|qfgD&J|RUJ zaJYW&oW1#1afU8*MniWGospg%LKz*e)eE}z{G4(?SIkYN*AX-Hb8TzfbB(Ymf(+$+ z&z@d~WxCA1)37~Z0$nVLki%!xgDRe=o8^4P`2k>)>%4g5aYNH3E)`L_V%DvA9~=Km zi~P}iw`28`S7Y04IL;p*2SM?VPV3oTz6L!^YuCN7+1^Da4DQ^YFYH&mGuwx8iI ze7M>R^w3x}MoD!=Nfzo)j9F7gDPqpEC}98SzMQkFPja{asJ2E~pFtkrNuT*OuXuI` zq0Jj3i1ySv_k=VOg8^4MNw2nV>E$Y=;eZh{>jw%p*Zjp+ zysr-AS0S|lTvys)2oN^QVbKs~Lu#mEGvRC+a~Ux*d9pc_^Zim=U#bYNw7nG{DJE76 zW|x%uEZ+4p&M^YNpU7n`0sv 
zpQVlXB)f*P0@gR$uQZpN<7}>qAXXb`j3@SOBxs?7HBz`@+WJ8!{cp{eEN;L@;krU= zgwKPegC6anL<%-m%g7*S3GK=5Re6&FZJ=FbP|D|?hUQpN3N(vfSmZ7%pf##0h$EXN zSfuIHckMmdK*1*FwE^iX(>Zg@Rb^{&i$$;(i(LDqqwa8&ZQAh;Pt>fUyA=P4$-Q&I zv{Q7A-0w(V{pU~1WcyuZb0@Te?=g-KzJs9dL#>QjcrT|;)mw?b)z0wgAvWy)d0HB7 z7C@WM(Dz6V&Ba;Qy@^7{^Y?!lG$#iHGi@Jeo<9V!rI}OraKh8MrDSwncgq7Ne?leO z#s(_&a)uTF4MLB-qbVHk`UtJ>ck#CAI-xbZH^oV3z?w?l49#fSYBlCcb4*QWExLM= z`+?umU61KTW~tu-QwLqiGEunqg&T|AMda#JP>)unk2X8q#&L|r2Kn+eFc$vNQVno9 zgi)qSB9u8UztCK#ub2_%QnZu}>zQwA&Xl!DDSVT^Tv4@c9o3%WO#ltR%uh%@AEfD>ip;`62Am=IT2ha45}~f zw zhq_jz3904e{8IVtjrB9-n|oER`9s^L-DJ?aDas#Hn|5)-M9VR8tG@KB{i%Hp96a8& zDS2xr4Trn){s4EK(+1DYbhD&->D4{?AeOGFZVA=+O8PX%_1dk0I8U`mqEDaP(O4me zno<^tJN}qBZPM#IP+W$zZ7cH}mqMIt`KYQ-pbIW}LPjd=2JZUaXaD&#_jk%wWIB_D zZQnf*Z!oGA#|s-l`TXVnVP2-v-)?%~wbJu^NaFTW=K%)4 zg8q%9bYG$NuLW!CgJ0 ztasF_CztoNSxUyvgvp_=@R=~DmV}*pJ*v95LAU$Ry-ZY~E4{y_mWQnnW-ihM4^dEN zroa8}3IOmK+Op+IDKe>63V^T8bWW_~YFja4CGgr@eJbR7D~`_t9hzyO52@d!G0L$VLd$`ee;^ z>_$h1qRy^m=|Nmufk}08U>t*8zjAlX7(bm@{ne32e7iHQcSdDOrmmm5dX9MCK?h}Y zx}tyYWk*oGyGpg4rYUr5b6Q@ZS}-KHKh>Tgk9p_(*De*U`t>qKyW#d;e5pr}1Q;*r zvy_H(AI53J^i}-4hiA(t=cx;^&-I{#Uv=Wb&7;KctljHTd1`%TdAgsh=zG~B7k;It zY)ND@1>%2t>9S}ZN7=kZp8NOfr$SI+C_gIszR%+F_{MnY1^G_&ce!^6qZkQ3%$v;s%R=wLWzg3jh7i>sbbr2}s`kW&E)4F?eR_8PBYrzKBXnnwhpBul1NPVsVE2ng z*#kE>SDhWlw~X%J!*Tikf zM1N~GW7hzQqVSV#R8fZ!{txCEXjK_bjB2*#Q*^y-4yxK=_B?F3_m1uE>fJX93{*?& z4G;@mBglWRnZGl$_@tHolwpUlGW)hTk{Ie#c`6pYFT>|?xN0eZO+`%xoa%6BSid33 zGtFtaV~iUjPELFWNrx%tuyOj}mmPN{$)AkIuE(A~&oKr$1I$U%HC2O?#Xr8jyjCl# zi*?aTs$($gd)y5x!a}cbfq6hzE05#BV4s|u19>c!dQjDKFBZI;V{{V2F#44hSuOtb za#oR$=MpI=ey17Zq^|sRZwa-BoXK0GRt}^pkW~O0xoL{GqC|$JwUc`3*-5I)o21Af+ zG9W>flzoav_ueSoIeutla2_AJfTu(7b?X@3V%>#=BYh#_ze zi%ItZJs!`kAew8bQ^x@1k|Z346kxwCC}hmcc|L@T@?xMOE8%|9BFN#0csQSVZLZO0 z5;tzdI$s1F%FgX&XZm)YziGes1$2R}^r;aq_^{01z-~Q-sEzGk8X4~I8uS+Tsq)=3 z35c3i@0Uyvo`6!k{O{v5i)8mHSDDWwjq3#vS+!S4^HjXHL`ip)xsP4{+;vANR?5h` zkxYSQ*1#H%sEUbuYm+Atm3F%w0U$OE$f2{{;t}d(8+|`!8CG33odVo-hOi$g 
z%$OSK#xYUFoF1X5@Hu$&^5Mj{>@&D!o94tk7T+@Hpi_8MKfkKz)HH7}&yBi#uB_1s zAE3+K@WzQEk>aQ)BdS$%a4Pop0D_=4?8{)syHI%Qk|@k#PGJeG4d*1@$ykC~K(_yY z14r8-g}!mN+5`H^y2SbYQpksQ2Plhat(3;+yDyD?mt<%~`?5>f#8lc>-T3W}p1&WF zv<`;odoiCZSR<;vA};lx3_-q$)0FV1e0-NA>AZIdJYMDIJFa1=Ph*7BErcDb2^`;1 zD8M_Uat>eg)rT&JOR|$}mqG)h$_8Et`B&{&(I3f~g zJJ1KHEhNthw`}_FKk+w|`A|Am(bd&Ek?yyssh-iz@Ub9uU#I`Pw#51yhwGDDAno~= z0C9(a<|pz&!h2JL@D=5j`9tEDzm<2 z?I~7kEVw#HUN~1X2CcH#g%$>ZvJ*%R?3?v&Ql|WqWM4PES}Ko^CIkGLug;&VZ5w#XA!{ah(|wzGcrRHcX})^y;1wvlZt;3>=@OT%oG(ofVl?2AAON)> zxSO2Ctto%o7-=`bmR3%eg?aF?-V}0PHM4b;yCy%=d4z%Ot^HUS*ItDLwnpUg6)Ieo zFyBA-n+bHknN%2h3YHDC;7%;m5=MNANDuS`?t-r8_5usR=NAd zD3Be%2S=pSR|mxKu3rGnZHO|Nc648x)UZOc99ET zq?UTHIlj>J2X!!CX9|49Fmx^RGs6t%YEAGTY5HnHa0dlHdnXIxExT}T93^})P>^44|hG`*RbizDX(F>kdFs8 zH4wk{1lir;n(+mtmmI(?bO^dglrSsQJ>C0yH_XNg99fmCOl{kkHUsT`TYC6Vq=_tf z2#3%fW~-u{jq_i}%a}UMR800H?1SfN(0rjFXV7cCQ zq4_|;r#N%(I~EmvU<@_pjpI(!B|VsG7}_RD9VhWOh(UCDxW5;Yojx&LBIynI-!b?` zOQa+f5|iD?Lj_ z*_wf8wWgDk8BE~MfgNoZhn@_`XMl1qX%tk_pY2_QRMevELbFKA7h&4|sdoT?j0g^~ zg48_jmBd7B#E;13Q%U9| z%gcZ2Bb6Skg({-2-d#IU_L-tnSaNel&kf$ghwh@fO|J}}?qih1*!X)~KOgzMuhPa&`6G$mk zZ$nRrllCU;j;8dElOXt+@KpZ1ek7BsF6$}m2|iCeRKOJjoK{3u{M zp%KGDg@8#i{u@&`WlDWc=ZL@Jz7nLQO8bHQked9NVv34Ql{RcuTJ*Ca# z8^JVzOP{(auF!COu#}5R8)XC;E&|H%XZaMhdQfiL*^x5ttmi%;lTHxBw5a#jjx^wQ zhPQioR6E4BBNz>zZ!cSgCb@~46dtpzLDT?BSi^j59%#gz3HRip9P-UVP1}2!w2&Pwz!ZeuZQ{g zi=_!VBa@$6q{oozi?5WcVlr%NNeiwcaZ%)EWQ&XpSnpkXP zY-i&qAEYqwyXrGF0~!1gEJFm1#1flybUYmRAHa4tq#bV+V{EYcJA{B>3{E zs~qsZw@}Uy>lUVGG3&CK>iNhh7OC0P!n$BLQ6d)w&dPMExaR6;Mi(4Qe};EKm+Sdg zz6Yv}kaJwV6~`cAJ^|Sac7D0&B2=g7@zU0fa>5**7Lwvcm?g~ecWnt-LjH$%Ny8$_wZnNT*^m;xlKNczbVooDP*sX-@+N$X(cn;{%jPaq;-r2ur z=o0}?@K1XTN}m8HD01XJ@WUpPtD^FiraVetd_3TK-w;1sW{%KSy9A3j1CPBiXnrbc z`%!$5<&23!im0SDVw>et1lRL?hUkK2j=Qx}`)v(vniz?BRafEMKT!~ql!mDI&xG3I z(W^GTh?KxJBIxd;0(+3X!QFbNmXm`g70J>vJIE@Lc>R&Mr@J)4zdNR_garHHlqSMo z37B`(Q~k_YDmX>=Oi9@%kMtA6vp)kK-<%;OzI1) zNwaX57rQrSB|x0_A}Fzc14RGpO`GX?S_AQ-4WDL^<7szCKTI~27OA@UK+#J0 
z#M_8tUNVIGm?pO~4@E?vt&5>;m$JW~dC|KLP#>|TF_}I6@kjpq<()Zj`cqN%8~O6i z!rMQD{rznrkrhAc1Ile|uKRhPLfa8Hw!qAqo!~!w?mPW}7dc8vz(GYX#x7ABbfO}o z0%dj+Z*?av5OlF$y6{C#jBcIXqvql};CCNh;SHC&;>=XKrK37qnpjS^#xkpyB<7W8 zMx*nD&-@Tzd^E~8x1KlJY6^J_{$36UwOD6wL6cA4zKtNW@|Mb&1L&0!PrNBMeYUsP zV-74RIL3C!P=1o0@wWBs>i127Tys#zH&YXa6JI++xpkh6=zh>ic)tx9$#QQ>_1aYq zw^TNd{LKI3H2S+m^0dQNeS*rDN0^~~YfQ?)tADgQ{`~&}B#)XWavOSn0Zo04>j-L3 zFYqgmsvb2FaPtZMnA7-QiFf3`FHe9ds>q-Dl}FV93%t6zdwzTh^zWPlesVq!3@r9s z%P%~-qXAfuz9Z=J3;s$4S`+?nxHe!&Eb?8!Vs?ize}+FUQWs@vUSQej`?JY)jrjzR zW}!))yLitPzb|rL{2rF@t)i@zAw?eGY5=4MIzut zAr&!cQ1DlMjVZb!0N?qPtzv8)J6V%8{Zy2$>cr>6_0vxNlHsdp_4%br|c{~xBI75QW#+WJP^P^2on)Sw%`y$6T zIqc^Aun!4o6rf-kH1MS)W%aLZ-9pfgBVm=aV{9273RP31vGxPRVC{K9J|w=1$;kNK zS@*)@|FFjYTPZ>Inxu7F*8&!}H0jOFfI1j?ABdED_g;4CH}pt6K2`OkS-fpG!Vz0Q^J=hp6Gz_Dj zKd)DP@5Y|ACS>TkCsY=#W!e0>?VdFvbFWKAJ4sa1)CsF5u%#ZnAxJwz_0STd6jqcVgpJj@Y* z_x9G%7oDuCv!J-G*zLA%u>}F*Mg+h$_Z*qD{&zueSzGqgJ$wnsE*Q9O@3~YnbIEd+K^#?7e!6~PaXEn)Z$EhlzSHIFuC5e>r3Hyx9NwGAXRcZNodZf}WLX99Z z4PrSQg5MV9EC&xKVZ-l3b6t^Z=PJfdrg^Q?!^}h79j5WNRk`S0V)J#?#O8+?&H%!M zxyTc41Zgbw*Bh-GQ_3}r1aq-3MKc@0S8(q`-QNh@3i?Z+|6W1<&mS`R>GzYzdB+O{ zSb^gQ7PwKlp2)6tyZ7)QzCX1UX*(6DMDL{^tpn20YEi=aMIDRY+tsn64BjlQ<+` zf*I$tPhlYNe&PMu3jmNY9K3kV(XfKRr~mU7<4;FIF%|QV3a|b2bDviL)hru^+&%WQ zKD%SIHb+847?0n0f8OWHVjln$XW9ii%>em+fi<|y?I%uRp`mHR@l5S=(gz%#znx~x zxIVSUFSPZ(qX!Tq-37nD^Hb)6m~%jnr%!H6Y+}rlbB|T7&C`yDf}GzC`k())6JE)_ z3@C`>Rpfl$it4R~eGad=k@9mdUwiinaPuFFiD&*+^ZzjMu8ADAk}rKR_*sSmi$Tnh z(9j=OVt*cx)1MT8>fZKB65}rnF$S<8_O-d-&lYf?1|2!-(vQ61@(W%1k6!>5#5g|t z2l)42qyFwPu*1oBdU@}!zx-E;^Y<Y@9EC_Diyc=B1` z=c0PAWNnWq1=`=&{@t!0n*Im(bMf@GG0T^&LYJ3*;rVOtN@NWJ&_Kp68NW6k-r!$TR`{L zcfs3UL7|{G5kxCMM>O=;?^!(aXJ!q(<1?0OsXqKIo+g2qyh}@LiZoHNUu(w0S43kI z!dLuyFV~+IYaBKM6o0g>m=boCd6^#UK2y-!;}%3atXRU|*q7cSz4-Y~VrAi*zoO+L=hM{w>U z4)(f>dp|#VIulWVebH;+Hz)>MOOJH9zw{utk2|AHj6I*W-dj{Z#$S)Ef**hlLv*)S3w-qt zQg?Kbh|`Q+w@R$HU%0GF1w{mo7uXw?n$eY8VvJW}`xR?n$b?v}9fWUcgp;2SIH8FqKvSwQ`;&32>gqLs`v*AjP8BMfI1Dm 
z8SiwFoYeLavS5uLJ<51%Mel)lYq6n!iXR*%o%MXeqanL}%JZklQv{zfMKr@2kh{6{ zCfDaW^LdI*YhO1)1 zm-u0qZ)2gFxqYlOiGiE=$|zhNk9vGD;vJ zlwv=Iq-J|f&J-6y$#juGf7wNIkvZRroW2on#MAyuk=%W5weO%4`BU8str9pLaPw#@ zh2O8{7)=|HsA`|KxRPSAnY;X0h(9rdw_TKD`6)$Yf!IvYc+uZfaO=yV#0g6In95IqlWK zWT-)vSP1&gBomgjc&oDzKfzP)+T-D!eVs{#uJ3)o=;dNEgOMTlt)jg(`S#Z7{BRtXY45Rt5F?lMg(O z{G#!!@_7a?s9rn3b5b3Mem z(VNqE1jf{%A9KH(s|*^S7)c}$A-P(s=eMTNobRIp-8zVf*7o1V<8z9uAK2&)PBv^U zojo{3FYZ3a728|89bBXVgvRxyiNQg4xWakelcR6+Wt=O7pM@s1R(L!y(N2=N1%?Q`TU}wpMa@lOQa7=OR}ZO)xy<2JH7b~HBJUqv*=7+EZ5Y+5Bzdt5wC#oilCZ=yzW+yJIZ{i z!~mdiTG5Hy;jOqjP`Ku>Goh18V-nupSgASC@l;gt6toZu>+B|SH{VIE{d>{MWn61)Q#0`Z z&%XUI80MtdW1KgBv|vB5O4Obg0O`%;#9V0#C8PZSgJK4dEy!MdsHv<}dzd|&WTCL& zfF<9VE`gmy3R0B5YOAOeJi)&G`weq1Z1{)W!u_@T5aJR_nNaEKS!Y@hRZTH@;Bj;A zB~xtb&TM41WsnrVog8GuK-m8_KbW1{>sOd^bJU6oz5;VS6|~LnMIer8yx2{eOO~~; zHhNZg4-52IV7hPki@7)DSUofxL$4X@!CCKdmiTIU#8zMH%_XIb94uBK&Ze;BOA^H0)=4aIL*2H}E zt^hjqFM)10E>=yqL5~x4p(}4n3bYWElnd)=`$hdfY)^TG?u=fFsMFtv_%!Poa-O^F z3WV-}<(jI12eEJ=MBb_Qy!Sq|WBn`=kF!FcXh2vlPpvgnZqq};cKm24 zzO`E^R=t?M#KCAKa6#+HcF{2>4i?>~n8g&WDH34=6Drz-Z|9OI0}jLwVVCWf9Ub|j z&*fV;4!`Jp+3Mo3YN$akhO1ck;>P%#$>;}hOS*6y=>6F_O=k9-JfZ$OAfoyA(gY7Z zSOfml9&uUa%6A{a{3%{=78Earh~#Q&7a^D$6bG5M8g%8d-^AOBw*{=?gMt#AHR>nN z_gmbFjtm&ngr>bNw)<;itc8SnV%yk2W5#C)p#wvRy+z|Wk|Eo_%cV=&;dPcoXF^>f zCbX5iO|xYUR^v305Ulk}5DouSO9H>IU#WANtKneGJ8Ca@%(mmw6&(nZNUG%Ndc)^D zKedW$~I!8ZGZzHzCpEaT2`L3zLRoj^x8WuC>`+eWFy$VOs^+93S5t#0FUvW4-`wuA>l}KkXmnPj6YLlQHvqNaWR36OQn zrmLH@t!ZNGzk&DzPZq})96^e1Vib(6tnr@u(f3ADpkm0-Ykx<$GD*LJz?gc#Mqfn> zUSX(QyGe1oxgF?KT4#}~kwh`xs{B}^N;5~#Q_uua$JV?&aH?|*Et&pxJG!@HSZ8WN z^#y0vX0bxV(U8e{F3*3TC_;nq8E50Mf#=C|?R&c-;B<8FKH);CRF6v6r!Dk!|6H)J zMzaI0oaPvrC5h2i7S!O4T&J^v&k8pJ%FI(p$mk-1R9@a_%72qXRJd$Vg?_bk>-X5_-Jy#!T& zy7GuD`gt0tb9hc8^_mWfvpVujNay6yZhK5`7~}`1Eq-<~K|=v`D!!31Ee~IZU|he$ z)bcWPs%J>3g3*eD-0cQ5lY6LpD!M)9^TuaYlvYkyTd+o5#G@ysR5imx>RHgoU-Gu^ z%rk&~V&O#~ZQhI!qA1c0d%BPN$yUcMa`Ru|AwQ1h#6Ls1cX)kaWyTzv)C_5J=S}3= 
z@Ce;dqTyYdcXf>2VgUjJdD@JbjpV2DL5;D7vw`LGo>(yrEsR)ubUKo=7*zk7phHQl z(XGR~yzQ6>3oh7rLT&M!)+o>${phAPk2?uhPjknZ3-Y9HyFzi?XBgqqmpK_VImq@^ z9I;Tm6YWl4%+fNd5zbx0h}^`qxD||AIY~xa^~SKQ0NYFV8${3aOnavu#f%!Vx=l3R zk|;(5lFiVJY_SY@^Y+F9#8G!lcG_aQNKHxD znVC)Wxg`(so1gG+m;=p9SWT;9j!U1DA#q7i;SN3Bvb6KFH6oebM>WV-s)eyS8>SZO|( z2?(r|#9vjj{kDl->Rf%1y%9N>DU+o-B)MEH98u!LJLP?^u+TWMH4K`8{# zj7bU|vo0*R0Y>7%(xi&th2Jw4Lm`~w#mlEyzf(l7 zzG&pRwF=Bs$ZnX!&7VHIZ9LCN$l!nY5-NWb{wKASQ;=_0VM{De4G zm$6@pxO8*aFXFG*OEX@p((@!V@f0!2@Od?G-@2*`SZ_3dxu~Z4!d_+Y>-AAp)GFWS zZ4L6ajFDBO@$TH<}+M|9*dCo4f0flBu5-$<1@$>-qW|L^|H6X9vFcK?MEQ2A$-r z_PO%q8IM~J1a+`iM_y|C0t(hLmVG=?xD07aS$-}lzFeP|*GQTok;L2ozSa=u+vb@| zG&?6JMrbVYNlf2%!z6{Gi5BE;3l!a(AyjznapRQ5gI|^z0w~%Z0AAQoadA=jnC|GU zYK{&D=(`J%w<&#Lzq3*0F4qi2&et|muKod4>;}daR_8we@}}+27eiRhCfCsOg`Kc# z{`Tf|js-?R!GCCJxP9U=mj_27;a;mt0b7{|srr#DJ}N1cyuy5jot~4&LvH?RW7DKIbVEjukbp z!dw#t`x!_RAD-=2ZJNFlwWd_7h8}!91MrL{OQsJLKL`hx&1G_n!+qR%>q#m!K}`z? zRmL)SWf%*d$_ZJ;YX%hxCflE2x~@znOGut(sLlu26biwLdw~gbT4GHWmRFwJck3(= zkJVaT1hsPkJ}CqGIcHvn91DxJG-mx0<*+{q3!6aaZyQ|Ef-ut`e66366}s!j{8_cL zeu@8)Gx05v{0>GKNB%R3LFRz>bGejgWO`O=Yqh+9J2->=s0LK-ADph`cz$saYVPu7 zRh5rV;2T7vng(NJ>pOni?kU^#MMvC^YaHaKQASVz!fvpg{A4f5$2xRw@!{ z_d1kHV)!TyO)5paAXhrGYTx|Jqjqyu%HeqF?f!I2M@XJ(wg-E;TBA&G2Dxq|iQeSF ztWU{tU${oC@rl=c>?E3cRkRCJAq@`inYDV2L}E#g%_~@%W$(^!l-gzF>>Mkk-n`zP zj=uMfS0aZ%08hE;6!AQNb=3#r=jX5ewvPI7Lrp+DbX*Hfg_X6g$Z799eyUQ2t~`n5 z^sHBm?*D4+N`RU?_IMN&2xq~An^=QTEf^~IApu1WIVFG*3=)nYqTxmhybuRNsSrV) z1d+3`h`@u&@xV459l(@B0|7Z50#cA8fE-Z{gKtwML-U?IGCP_5cD^t3Klj`0{(iet zhA=Q13B7}?vz(gR6XSXc1kG#xUGimP@7^a45XOYDidnNt^sn$v44fVJdd!?*C@^fT z19G3^;u@1#dU@=4oM^K2Zk93;zFTG$8maQn)f?u)=6{b}>1vvlDU$mGjH*T=woW$`58FsTbLGy{g%3(D1!gdcntPdpXK zY5Vz~I=-ZkIEm=yTCLp9n5gM<)izSWbR|mbpmB~*rA>`T*@Y5I0^@#7{43Ry4@ZMT z{$2fCp@3V7V;HHuvlzrSkSqLNluGnI(8r78Y8|uTIw^j5_6zf9kGlKRxQAgF7<9oZ+UE7)AN@sR^E619Yt+CP%5oZ{a_RW z!<__p=_2r-3JQg~bMP!uCtzMLbB|-foS)5hQO_i_A5ytUt(MRYo`fyNM%*DQ51#ES zW97G;{d%G`Bg!OtK26%+nL-=DhIm&-)j>tdj#{!%!@>Hw20?>&EBsn5Z7lq3M20}_ 
z@XA}3O#J9t!zh``r(Fsfo!5Vr!czfP^!trh4`O3umzTmLB7TZpU7UXJ-_+7_s|-_j zMoB+Ro1ML?i6{P4Tz_?4&21xS;AsoDex@@GEblsjjkH`jYD-5(TjbR3nr~EzyX0KZ zyS)D5;*msj!*K568-_JNe-r>1c>10<9R~&oBhIz&#AM<5T~v~5*Vk5oANpN_*dda? z2=O_QFU4S}6%T8&(6)lJ)tvNDD%@=H&*&bc)X`@Rt`;14{(v-d z_(pjRzEawQr1F`k3L$s>CQOY)Nf?j&D{r!gs%p3)TdC#pUajY!s-OL>+3? z(qfj+<53M56{wh4fz@pabEdESanQ>)FZTI2MRx(U~Y>eHEz zY6=&}+a}xnP7S`FGfAbcGH?ZaRw^Kmeyscs(}(ajUb>@UK+&m7U4{$ zJangKM8YO`rZ+mVED$Q&T&^U8M>diXI{UVL*ZnOfI>dk>!viLF?O2<)3g8j0f)7@6 q=LXD_0~s;V(J8cJ^+!&~u9)kRGc7`+p7=t*$JWa6beZL)oBshX$d*R{ literal 0 HcmV?d00001 
diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-deployment.png b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-deployment.png new file mode 100644 index 0000000000000000000000000000000000000000..1a240187f69edf0dc8a32c7bf508ee74ad752df8 GIT binary patch literal 114377
z3Z({2mdG7~CJ}1cR8x-Ypn-5$ppsz%yupRVMl$fPfG_+bp2j0!@wa(>c8O+`FlAx4 zUZw5N6)$#(?j+vP$iEnk>0}HjG$~8WPtJ-Yavvi1Ba)E6eiBC=oiTQRUBLMAbO0Nj ztP&KR7!CKv;EHv<6}BwI&o=t~)H25S9e>b=+BZjsMWgg~f4G$R9aA6HH@?aFUd(NT zX|l~!s5kZYNw}Rqnc2j3rZ*yO!xqb_&;ZQVIkBUsOFkRv)l}e(nM6apasb{zB$mL5!IU&z_gefU#!Gnioe(1EEFXbIwPPoVeEFL zz@D77-{AwBN11Wa%-7SbJ7R7Y2_1pFVX=qH9ffvRM=)@3Js=f&v4olD>G9F`l1C%n zzfU8pO~)b|6|Me;l<~2n3K_rNvF0d}$Rd~1l)KJ;aqA0El4Wm=oiXj1V^caJ_aXHl zP^^r=?9f3bsZk~{m-G=j_(`@k8 zS=0!nbfs2@p(10}o+;dsUj&}4S{CQ|Q(L3K%`w?f7B;46dk~wgiH`z6RSxp7^yQ^i z?+1G#^?ld_&ISfjliMAArB<^qU|bsN87HOvlfokQ_(k5oK7mGUv5VOS{=Ei$duRK< zVxz!-3Yij%yUph8@lTu0LT8PnL^<_Ev7fKyVVa|X86Owt+;64@6t7m}0dT7>m_HUB zN%4=Pd08`DQ(${k8dQZ*^z75@5sA%uR-Vat3)gDe#TQ8o25Q~ul%?VOxxis>rW;L1 zp`*%|amDpEC^BmFoA!a*j5r!KS=w$#uoW3t9rc(?;VzZi4 z;)vh(^&~!rhmJp9qwnL=*nPoK@E^CtA=-^;ANur3ahoc+;2_pv!wA<&r70)t zNE8(3X(-;NbyB$rDwt7j7-(4+tjc{lK3Hhmu{T%&a5XLnNN72`%cVgEgD^024v+@C z7j|4&kXlg1Ty56BgFTh9{Z*syY<@hkcOrwPWU>P`M9zdROF>-|9jnLAaD1$Wgr#Pw zIE(Gst58f9Bc&gsxR0&XYI7Kjp_FlOTj`1QF)k)SlsU1hnfy0Bu;AjN#B2bMht3k^ z!=g**qsWq!#1RxEI?-LDh}+G(#+vhoE^AF|9nYplb)c(}b;BcR9b+=R1Jbk^>Xw*F zEmo$cP=SS#alBEb(#79mlU2loqtixXrv{fk2FykIoA2=Zx7UNz;6xrBhGlrjB}ycR z>s(G#{Jfuu^5PR5&15Oa8tgOpJrc1**Tg4w?N?3c&W%QrO$|y*Sqj4; z*9SEZ2WkMGFZ{JG1zgjHC?A=Ih}Bav7>tH<67|6|2?@kH962T7@aYk2i%B&}cY7mG zydaVEC7YF%7f(1|pSe9-{Kg*F0bAix<7)tQ7sPzJa1K_s87fVGu#GSH3;GKSLB~gIX34|RFp>FhV;?Zkss~! 
zk4i&UBOiC-a5xh7-uaxrUG6b5NCSUue`}w411aeHq!od~aoz>XFu?lh8njCh(5d|C zub@hom{r# zY=0i}e{*HHx8(bXC&_=s${zH=)G0n1r6axL8pxIqv$0{M>^c}`=%kfNrRx0t<5{3Y zj-TH<+?m&6o-zHit)Lm2M3_ZlrfX@6VLhu5uWm%c(tgw9(If+^y=3VGy-N*q(O8P2 zG#WRRWYAE$TnT~jZk`Rze}g!n>wyJn0IkKS<)$Zzb_AnVEf4Mu!yMKJ0_W%3-8g<6 z&-+wYGg5sJ6%mo(oARe3HZ5?5)k#?etXF@wPwkCA3#C zk9M27oc%OQ&lUzyISb%gz#JX(LRjl&-$d}=f4nXZHQ#a;NwNaFT4qVa?_<4BNUV1O zglIV5pXbm{vBh+Dc5)98)EJGXo?l(X-7LIpDHdicbaov_8rOI}78X4kwnHnPiV{BT z>T5^1Dcv^D_{8-30+Jt$x!&XdMrQzNV15URnb)~9MhXAYmSc+yJmQoVGo=Zm--;du zuVv(JhU<`+h0s02YSLthF0Zs(3edl>qyGuucARs``F64=9TxLi13E(Cj<&k(DIxgM$(`L}2`baVgxCEAhyBH1x3nt$Ql ze?)Kn{J&;BoN%}3&*|~tLFP&YvPtB|<34b>d}m;W z4u*>i^0yb4lvcq*)?fW;h%A5fMM>u8fG1L-2fs7x|KJFd?+>Z~dFSF2$dUk|>!5(J zd)p{A>}A#zWaijh?a;i7hrDKEF~Fi4@CCQM7GJ&o_Y8c}-(`GpKd~}z5ul-er?40s ze7^#~*>M5kkdXr@IJo$b(T|{@nLjpB{{Acofq>#G*KcD8Af5hucM*KrEWqPaQ$vA0 z26|(eJo7dBkhytz3dQn7!lI(YU%p^LLqlJBHn+BR_x6H=!=U{Fwi~Q(ZTSI~qZ}ZN z=hJ7K?3EQIooeQP^nN7|lR^up$utcA{0P+p6Y^J^`a^E-^F8pD2c)33MQE~t9ryY` z;?mce@8IH6p8%Yyu8!4Z>ASu@%Q7ztZU_)Uvz_8xdqZ zdeZ|t1_ue1KD=@@FQZK&F4c&0*D;44!#o_IO4mxyl-6O#qOR1;j2v zr|=*>;QyaNHsN^tK+hK*d&N$<71dYpV)&4iruW&7WQ6%Yy>Y? 
zNYm;Mn`jRIx3AzJWEwaHsQo=X;v1)pYn~qyB=||ErjDaM*9biCK>){9LaOMbva7SR zfw8!VM=U`A(QOuLFrPgLbdnVz8Lbv>jCfd7(9ceW%ZJBb1=$3b9Od9yw{#mC+)=`H z%Kiu}hUg%TEo1^gJh4&%AI4*RGTZJaX6#v&@z4^fKZhXlj~=lxeFtPawmaKdM*X}R zhNOqOUriF_vVO*socLH#Z8AYDox!PMhAcB`7~(pq?D=?5q_|`fa#5!*eD(^v z@p}o$>(RGCa$=$0LgK!29uM5rLB3~9dRE|<;#iHNYLe}A@{HJqY8jYTnWh?7vh8mA zobU(|`A*o|EWGk_ADnvRON5Dq;_kc!{u3CbD~yL>6amcKhpSYIe+=RV^3xc9*;N8(zHmw@B zHnwst@r8gvH%gG?vAf9r2)8N(a$pInr<~LG+=-+6e+&B4;<-{rlF`bKV)c>G@gy7$ zF*ZE~bJYZ#wCyi{ank{4P=g;sUEgJqMsPf?d9{* z>~XX;VzNZrR{`QJj+ltN&)5@B2ss0g)?I_$EAvQNd+SibZ|8`_yw4)J(HMA9(U=%S zCVNLV^t{-9RtDtThZlfBhxRVMHOf$&H9JdYEnI*L+fnx zQ$e{+KF1fD4a{FtXLJy*%A@udNZFT?0l+_D@XT!GK&biU6?}Ude~+ zCwZ92y-YWRMyr*{sy}t<*m!(KGtG;RHs%^>+BDg^{Ny@B(xIa5jknR_zurSH55E=VAQN6WdcoKh#eiC4Qc#iW?YJdzlgYX{G^cP&ueRHgRaU=(L1fwE-L z5m%4Xy$n>yZ(L9YM!v4fP_a2oAx#7+-j8y*`Kg)@%}+7GGU81AeJAXJ-aN31><|Tm zI|g%36hPFRt*tG2e?j1Eh34=yRy<8iU06O(8xT7OCo7aHN=LObb$OH}(cJ{>MZZ3r zk?LGDcv!uUa`Yu;BGYN1chL@o=qgg8X-cG}CQirjF^}PI0s|*JIQ_UWc8_FB%xShf zXs?JA?-}}Ym&js96fN^JO1?HJ@$06pT)!XI8sTBmnyu5cGTNICRCqzy@Q>H6WGG>} z<){JmPHc-+bAFQh(L*bFV+PFA3TkfzvUvBG8d-VLS765f@Nl_svYK$bfWi$tgT$}2 zQNRB=&&2%dnW@2qpLdHrCE&-R6Z%JL00nL|4b*%Y`Z!<>4z6aL!uSA2Zu(p(mlX-b zB}!W0u$hsLkun~}De}JXE;3j6%;pMzZDVi;2E#yJ7k13W3|?(v{xr_VnHJ`PzHE|C zs2@V{*vJ9Fcuz>L-5R7TZDDTuMR~tqwUH?OMd@NB%FwEsA$R0P*K?XO zOUaeOBTq{!B@Ou2gbC;)$1^bd1IRf`=2@$LwsGxOxad57GePQ!1&aVds! zL^P7oxGZd;pXNJS1~T8QOE@Y=8Yi0{;dZjR~Bp3Q|IR9){Z9SzDHb4*8K})J#*s%$UtUo#app5MIy^q3VNJxmSi7!rpp|{#0b(bQE;)~bzLDy* z7MO1du8RFi&fe!KPw6&6n_AO5BZ^pmvNHBNOh$)9e(lI1C<5{Os0#qroQ!>Kj(;1y z_0*_v6?@VDA8$b|kI9^wPx3;$M#GbRe_N1uy9Nju6vznf!~Oj_z&}$e<_AkVPIP#< z0h|P*5J!PK7AJ3sxU@9u4Czt#+)HSDH58s)&PCO)A|conM_HH$a}|*baF&=VZ^Z9! 
zoZ(_&UX$>93)Spx0R*H9^Qm+I$qlIfl58c#p>==gx>Ba_m2nq>iLBkh2NaY?nx8$d zlBE9Li)esYBJ^SUo>;s0D_fslyZ9y@&?X*2?Q%6=m!H?Y-$I69%wd7028T^OXyFLF z0cTIMqMe3fwFTPwE}$Zl+d~2EJMj*cnnMKr*Q{Zv4e7m!Q*T5n$-T3*8(~?xW*<0` z+~*xHh*lRJFrbO;Xuvm`aZw^fUd*=4OlUjqw_qTq=|CoR5VTy-(5i!oW7KFjBkKKd z2(uWYEdMW0!yIL3m7A%1Vf-;))%oA|;Q3?*rWja~$Eho<^mMY^%p(4?$#@JOjb7^$ zfXpV8qb>K1jUnpyh5sIiA(^N%Rf=;*Bb&iZ0f5*O%x0Iy2B@gTnS890$}UjwP-l(f zvO8Pjds2UBy@@h)4`<~Wun$z%Lt()fypa>FuY&9M8=NdEu+qaq^Ms%wLDmM0JdPDA zFnwUXb@QacqiaP=0b;{2Hs)VNoh+@v?;r}+f!1}U_Ub@P+Cx$Eo4aPuS+jq>*V+Dk zF6JvZU}#xi%`dO~vj|@A-*J2@1k8pyz-$Oh`>vGoY4hVZdJV0UGA5D-db>Zzfh7Lq zHlA4;j2P?WbRLzIBzXbC6zhk1pQx%|98Z{Jmtn*X1T$l=jy%+=Pw%xIim`(^$)3-9 zt&^B+W|+VbO}&`}<>6`9ef~8^5N@z>(_;}$gg~J}PWX=++uZl*Pw+uSNMZJbXJ9fK zjM~z=)zEK(zs<7TT^Oao+&}c-S#Ucd5;#_dg5sBY1Prk4-V(T>=iA{lmXFA3q#Zxo zU<2k#@n{kPVI}3CMluW2mD*h6IR$4OPY6J4CnR*7kB`ql_*i*BIqzgqY;q|^-08d0cqN>VRcUST~<9} zo!C&Jbq@g4UP?`Q_@QybSKni5={#b+0Km|_Ux*3OY=P|MkzWv~NiQwmhi zD;2@&hM&Si!9=nq5}BaYKC0Dcvb<9}jB5&8zt_J2Lma;c*a+ax`6eBV){Hxb)>1ZwgmIQ0e}w3G~g2Ddn%j|MgyY@c2WQ{O7&6{MUQI zqw?2#!Fzg%n-Rg!vsiO{V^QU+ta{!6bf^G`n+=So!QtT}Ly2^KM<*wivuNzE+np^B zFb;02YV4}wo@jyjTz4_ggkXb+1VkeFgW?Dt;nUUP`F;J}3uBm-WTC&v7(ZBTrt2ox zndN0oIzy{j|1LAs7k;h-*BhSm16_-j(|^@S#gx7`ObqJGC)2FMp5WdD^f`Yelj=jNoch^XjC{I7*$Ax5(a8-=7wJ3T|b zpqN1wu9%|g%)fs#^jw15mIF6rkZO`*Lgicw)u_C0K&s8KILn`v6~g!I_?eLmd@+*>qgC_-;9y+4O+JbH3)C0arm=wl_;3 zqFw*T=D6WtJ@4s0_jQe;!r)(`;UuPdhllD+|K%rZ2zP(CKQJ z;i6iHCP@@X?cX;=J0VAd>gSF#DiS|Z2p^D$cZ(m8;s%66hjyGf1>9AWM}i6@-jx92 z_?-mX_mK_2J$$5*p)P;)_dcaoza<3ho~^aUG~F}8fVVF*8r;}6L4#P!j$wbb-N#r( z;SEt*ROvE5lEuRNX`A9Z@AgHxaI;vU?!#>e^9<7$4A5IEaN$?qZH{?BXVTO2$&2ax z0oUQdK?v~eC9}lr^^5$?>oO~QLz4|0X|O55MJUwNni8q#*@EZ=Ky0YAFG?MrOtY{jiyK{F>ss8|E(l^f^II#zMm6>Di9wle<)DV8*qFU;y}Ya2>v2Onnhdgtgd=OM zlYr#l%Mh$8|9jx~ZuUnAxL?31lVHKM#4R8opePUc*9#Vy6tkd0d-hS32S_`OyEQ1$ zxe2Vu!cw-GW}_YMKyrVa2yHWTk~~xzt$|dvgH>U`lRdSEupmF(A(QH~R372~JVW~a z%1t_=f;Wby0O{+8F8)m#)e5raC~7$4$zu|g-Vl~}XF_Q>_BtAnc8IC%tX9)5YbMTV 
zFG&$uY>M_&av4=?t(gkuedfMn3kA?kh_tb;0015YTD^@*#&=wG9u2hF(pPdfudhSe z$f*p0v(Dl1g#EKC7q0DQ5Pz6mfWcyzre2K=CU&2_(jt)pSW7b+NiTpG>taDw1#s)~S71sZM9`mo2&#kXBW~(}Qa*I$CV}Ja6 zt2um;TNlPl`>c%+o#8FAmoPDncbj)F{tWtq0z z!_U@{&^>Pc)1Q0n) zOi1_v0H+0ab3gSBg@DSVQ!9&$YT~h5d|Gwc!;5FI)@hA>ro`17_C>D0lFJu0lkPK} z9f;tHA@^77>{wZ+e}=rFx*dlWhKmLBVdmr%ECAQzqB?Bx_$zg$J!#IxrICpCH*Wv$l?l6{xkz?o5 zRV`u6B_@GUDc$b^AS0ls`VP>SmtTJx!T&g0rK^w7)6-LQ4i8095RHqAiOxnI5+5M7 z%!!JMLZgMnprx!2#^ZG0@AQ0;7BH62!oUd%vd18jO!hY$tXF2b@3_bP?zzVB0+Yvn z27&hn{AFELVcVZZ6Q%|-N}^NHl7N#7@?HvmQWT|1>KoDLkedS0Uc!xM^q#C{@B6qt z8(rK=val|%0oZew1}w>nvUW4azW28n2QS1o7 zovQeoek%(+w@`+}pOJooH=h&gh>qzz5u2{^BHTD8<4$M7B(leVwV&pNcu@*qOn2A= zi4~Sl_lH$8{DzC&J-8yng_ecoQv}6rE99MFj$tZPneb8JzDOdu>zHdc7eC4OH$pnL0{{kaV0amCi7nI$>U>_vBxN1@1I%kzcC0 zIlS7)Np>GW#E|mmVFsAxRDUacytr>w30|#1RO^Ys+M!v8?|dEm?ZuCnvtvINK4Xz) z{F0hYaqlmF!R*_YWn+PSpj265I5*SToC$-9|3lz|o;)IF^9?e-96Ca}JZ-@QLI3 zb92}SSjE|XU0`H>EE{-$0}s0OQQK+>e%SkrB3v5UgX0t}JRuEkYERITNR5#7V^pAo znO3H<*H_*o`MfIMF9aC?K2uCEgn}yKJ-u1m_O2W^`1T&sM+|DMuVX)oKQJsCxc$Jn zM89r;)?;ctQY*^>mAP z&OJeDRI*t!mP>y6Kdcl(RonFdbmsEhBh>pS`nTpr-VnfM`n+S`AAM{shy3a#n|<0W zM-QNU(KJC8W?A~nfSc2&E$VM-LX0wCdn3?TXct+IdjBUlAg|9uCtTlfu6`04zC67* zSuZN*aPNby6cpN*&l8D>TQ=r{$q5S^gzNDCqi_xX@a`LX#{EnUn!lnTD0zQh5QIXS zLQ(YhV->19fL&#zuR5HL0SHb*$OkXag ze@9G5v@qFCtV?9=+_^lzxus#o|Ni1vssXvUqfWJMVSfq1ZFW#ezRt{-AAFVmCU%80 z3|mp;1ur|3h^uhj6BNiQ_F7)r!bXmhCf;>?#}df}Y$!4O-8Zwpea>gh(CvI#BDxK5 zK{W4Hm^#cV4Z$uMK~sc<>aQ#FcHctknuMhgVUz59*y(6B+`BRG$EjqZe~i4Fdxi%2 z>XXRF#LB{jUtnQn8gR_l89wM2+u)IW!-1-^Uc(2LPly6p@D}<4>`w{_RUbQzO8Mph?#bq^{DlMKnIJu+u zSaPB_62@7gm#*3wPwp4@wG+~+vzcVQiD|66QcnXmJ*NFT+ZLYfg#Qn9;Qn44D5|*K z+Yo``z$naru&4GhN5+qdmY2QcaTgJh(0{6n)v9{hpJo2z zDC>31n}eQSXI8Cbt}i>2f!6OI=Z%~D!G_iVDo9z-5yDtzJ?k$cjP*W=&*LmR*nhn^ zrWgs20^8V|+)O0vzo6joxjzBKnf*5~=Czi|u_`ZNLL4Quq6916uNd9GD`;Ewrn1}@@Fs-$*gKg(;M7<^*}Z>BF|-?eEUR82qkMTD8Ued0Mj{o` zN3rE&2D!-+mSAh#vcDriPW#0NH@acKa6%iL(y62lJ^#(K?${O#gPzpC*By!$uI=?u 
z{`q1~;Mr}1*=(jbRBm^qzfku_C?+43$xIzGZ`uVtyY*5)#S$Bzr?J-!9(g2=PZZx1 z#P76*-%G==en8~qS0;ps?s2hCjPAIy89YIkhEn?c14W9jb5wOa{+8VSFaV$CNk zWlZjNH;1m=9rN?47P|Z6yb?w6XTZGC^kb_beY5;io>ofi{kI{_Ccx#_feD((Wanfb zr!h3T^kaCp>E8L6&lzonvvH~>O#_h$aDbuej_HOb=^RHO3qgE)s$9F+dljlZ104SX z0$zNynv7ylVTO#Ri_+2T_Dg@(Y7X}zoZXfwr#%a?6Dyyw_UN@@J?eZnr$h9a?DqMk z(=Gzgaz(_JTi-tX?9}kC#LGel{XsNn9pzQGnBm8P@ArzhpIw_+cf$wIR>h zZg*^fRY)cxn4^PD&3NlZE6osW8t6xX#23E@nZz>`r@w{?{`Wh_j~QIVJFSS1e$p?F z*z@b?iW8kj{cp#2oL=_}(n}HnTk)LE=bETs4476RjK=uSXvF)Qwu@cC;{=HG9hJZ! z(7Gt5D5N6N0jDsACksvl&h&4*oE4hwvnZA~ogTnyoa0`S8CNo5inh+e7!#j!qS-@c1ID_z1sOI z@cN9;Nk>v+*nn?Fu>1yIGLwH9NY}Y}SdU{el?zSY#*3oOSqI{gI9;xTj?;K5>@EoU zi7tL{$Cy(dz2ZlSJ>?u*xYasssHUxnB4f-_6wmahg1~yisldxeJR*KXymMdL zr6+>g^66AiC3UGq*LG@4rBznme?oguP z`p&M~$-^u!M(|3_52U9TUPlpiK2 z@2;0K()sCi)rj96(gl7R^;3XR&3yz`Bto3_i7tQ&SITen{#8gtOF=b-{=)uJupuLr zr;9flHOaMM`{`i{8V<96VNlKs%E&OXat3rGEvu8h);Fd7l6oe0>F71SJk1??(3pwm zuL%`qY638!#t0g`=~WdO$IOvQp~V%ZEcU?*j?<`Xku=4y%TvWz6G9u9b66yh=hI+% z`JD$tX*<~;F(u~ujVSGnXwudtSOZ>T`X+}RPFKLqA9=8Q7^>-Xde}Dy6Vf4AOqO~z z_+&CynnJsVlB#Izan+OVWie=bvJr(s7fsi8UHvI>lUFHTneGeb)eJ@eVe&;^KLkON zZ*C$0Opc0&$@$)$7cNrA?fLu7Z2%bg;14UH>{sm3ZWZNhaMJ$h^+dw(Q$&czCU>W1 z&k((ai9qx<6x*A42Q3NS4-=$)vOW_%6L_AVoZc&J{rXO(#|G{A(#Hf?x8bdY&;W(T z_|9`L_tKK|>K$6@Kl2fng0KrmK|LSoccY8{_Vq$Y2I*EzSC$?;$VNLfan?@afzX7sqXSYS#Xd?!$ z>7VA1<;bs5R$bP$Iw#l=LIw@^A4S_?VN!*rD`i-=?T3OM!qf(iSdmMb0oireoL$*< z6}Rgq+z;q1X<`%&s%nG>J#um~3EkliAzjqMVn_q7x4|bU`FQ1%4dP`w2ZJ8CnY(t` zbNAnj#HKy{OUUi4S7@wyTXQ6JZzw%rS>y0$lz&NyO#lEC-{p`_6e4`M)%S02#y~!^ zX5%vH@;MR@lVlw3|Jz36zCZF^Y59y^&H0)N;qz4K$USom5r3qP-MbP)2PO?&?7Rp$ zYN1?In;Qi<`XEvLgAL8kME>oQ#6cJnb5E7uRxVmiw3$AjE~@sFEFphtI!v~}Apuia zd#-eDwxvpM!iz*gZvKDxim&&E4P_|7rWvK{Lw+W3>h@ZN;31e@r|*1)=n)L%ZV~~G z+)A8a{_%jxP&uU41r(QL)3Z(%bCT>%rd1bA`LGo~n19~n6U0@T zE(3bp!EZctTsHzYq9^MKe4TLXEN0Kj?$@Va6ROa7t_VHR3R?jLM#xPqW;z-kJWn67 zcf{korEj|0`e=So9vRUjb^l+!qi z2F;`6<6iJ`v>a}=^R91>cYidZ*wF!l8v&g>dAl$-k0!?rg{AX=K8+a4H{X#08ee%> 
z5SZ|6;iuxA3kRn^s>0K~kXGIZ9;q|+scl-G+w79izikydIWHgW#Ou(`WkbedNRbD= z%@r4(qjbcfgSIi5PN}~T8MqWdX~~!66JXrV+|&G}He9fWyzE*-KTYJrJx)^x2I`*n z)^Kf@C=n5Mf7a3icxoXed~>3?N=JLG_hgO@F5V@SB820fl{frsivtwJd)Kp*nrv3g zdUI7FSmfj0?iFnq-T1N?-*qqy1n;!8GTb=g>_b!$6*f_lAOs|2F~|Y(N%6y~kXh%A zd4gKHpEuDZ<-C^Kt;$Z#rZ>dPEgo{^OLAuLRFl*X42t=xk|7r}6jM9+fe|VGr3o~H zp7HG4_gPCe>R^Kx$OrtAP%?Rm*Ku7joRgz7Ua3$PXIVc&(ryB^rLVXFx#>Fx`*0+^cqywikw$ z+0f4+o1R;bUK#`_mmaau_qZz$9y2sHYFhGOOgWir&>dyy%NT6olgv`|iR2~l2b0VU z6P_zIx~RO&69J?xLhcm4jCfH$MO~AS+yXPI_L7ng{(_yF>n}fV4A_%A&(ogq@w5Fd znL5}vc;Ju~WV*ZmYSoGD4xv^U(awwhni%LAL3fb|eI_KDlzYlu51G-wxD`Qhz}~mb zf^M8y4--;8dMpla*pUHrN=mD4;o`fS?zwN8Zs2Q{^CNv%k%dSO*~fLQe16eD3O4$J zkJ0WAys_52>?KU$I(52sZa0--?j88#{hJVw0{l?^5}2?2lNS}@?QZl}GObO&n=N>n zRLxDdk&enycocI>-I4i+i#TCbs))rOgPc-s%#AA$+F9bcLFx0LL} z+N4`huxUI{QR9^Se=xyU`tGGN>a&S%OS!z%ID_2yi<2B2l}x0|CzN@P!_uKW0vU58nauRfhs1ioI+2s347tYHgSQBR*gfC91Ya1W!$2o%U5 zY_1DR1akvp!YzsINiojzj0y2)kSn;d@~j`TWLN=uX|c!Z!~j{(x?Je;28kQH2Es>E zm#x`M?czt4e=nNeu3yl5!1!_nE3OaG2zAm;)}FX zMtX4kFyzigoi)?4CcGChYwDZbfPh()sRnxet1f)dt;0+~)#qvbKiP_z6dLjNkCLItaZ)IYbrz(Kb8qfb?_Xs?W*= z^ASoOZ2mMODwpbk}S_X}98?2GTd^%Jq}8sZRmuLEU%03ZMJu6nTc zBMg#0=Ye~RmCLT;!Cunr9AhI#ChwD|cVk+(v+KR;rw()%TpoY9&9LFf?C!=VWE$T| zdBzMQL)eW1(Squ&<&Uf>KM|R7GY7hR&&|JoUxFc)XbcX1?AB98osd)VH>G=^O3ihL zS>;YUOq)9d-Xx_`kumeTz`Jf>=292?wRfXR$yk%Y&CRJg>hNI=vGtc*GWm_9t0?f- zumM5TR4wme+J&PGd zy6$(rf2)#vBOjKZjlo#ZI(#V$ zR==elSeu9u2OdGQN%3r7_=wnnlyN>3W1ig4R+Xe1coCQgl#T~mfRTa1pGBh4DGj<( z$`olw@oYlJfOX2zW;Z3CB4zfkmkxzMq6fugK$f1#Dv(Pq^=f<99*p#-xg0uXHNA(k#Ij&&BLa z;t~`u;e64lD$Dej8K+vEv>`!FxjkTjPqLhrbDK6@#nSa?1>4Of8GF3cL|&L?td4x0 z*D?Z|7XEej@&^k{bj?X*C0f*s-fwS+7!**9scR*5|8)CNmGcw?lhuMHVf;4i4K2d& zh`jhAZ+pWxH;4jOpjLMmS~fr)>vk4`+vJKZRwnr;HeMEuCBDx*K|j&Mc4YXG!<}$P z?3lslXkFA~Qhmto)Vg4#o>xYg5~9Ekh(IlO!(piChA96Q)t!&R!JZN7w*N9T81`>n zOPXVViAqdCQCP-Nsz^QGBSwBv%l$T*u;j#g_-Ut}N(?~Bv>$?9(pcD3;_{Tek|c;R zH)c=V3_`=!BRcmv4u-hyj;9hzs$J5c9*G8$&&3>jL%}wFox)$v-2ynv$7xbBj_5b9#?!zi%& 
zD-77Ky)mPvD*~i{%jXJ1-#=9=yV3hbAyllLP!;~xdu5^ zK#ar*+85!C4@|24C0oczKH})Oa z{0Jy;!gGXza)I5=5HGcMF%AxRimxka3G}gZH!1Yu_m(k~VQLeSl;of_K!U>@<3#_8 zrUYW^j>6-^Oj8{}cuMYVl`iO*3Pb3j0C=^L_($BP3n=?LLpc_689ESCoSRYcliR?B z{VpI|?ExnbfZaXgmv`<>UoadF#vyoG9lMHj>3(%|BIa0@6}E^t9xWrlV!QCE8gxu zYqx(b-&tI~@PR43M^eW~*rO$={lxV2_)|viKEwh63VCLRZ9JA3M(uCxFrmv~XJhv$ zQmW74jXIdThd`WP0+Nlj>K{pxtLjA2_r!}y*s()r4y)y8zOE{rcIp73N4-oHVi0eH z+%dj4Tp->friOm;!~x9>Oi5qn*cHM_#OKPbnGh!@OLfs-2%L^r z!+=k3bqLikC;kKvJOdt(gEoghMV3C5Mk7 ziE{QQYv4T}H#B>C`-eGSf`x|T%||8UTL zSICMC1_JDZf}s>g1*^H^`^t-k)9Wi2DvmyhE*Ar4b!y6QYbvKuBOq+OhkY|JR`=zK+9 zlCb#>MoY8~EnMF8Dy!KwGIf~*V=pV2N5M_wB?0TazK&cn2n##Bbkua0;RK~L&1SM% zha3#GYWq~7I!OFLOaFRFvS6fP#<`mI5<=+8w=sP{R@zqhUlzbmAbKmFG%LSgTJgco z(3XgZLGiH}M`JjtNE#APgE+#dAasXOHMzcn>j>3_wO9?uy8Y3YysH!7#@4@sT@!nV zWCU9AhV|}1PBhu-AE1i%{6XKVsv)2-<7A|$2 zhZk^hIpAU(;jsdH3sM(QvF}vAV9&0buUa8 zL6b>MDl#B`S#esE@alhGvPnzto?!>Bt_fe*8vrX~*TWn3g~Dlw#O;mKAZzf-60V$x zH6_%?DxA*9m^ebb6q91+Zmv&X8l(N5$;R1Cy2nCj|Fnav!RUM@*Kps#97o#2GMC#( zHY1!?&qr`KtFUA)BjaLi*Ye(OLy@&q7m{g$OgaoULn^DcNpZ3&W?$nFAKYOy@V!$G$sVn7A<}VyYH}BOEhCb~ef30B6#XkcJ4b))NehcP3h9}4?*oE`S znm1We9O6#*E<;Tsu{`0e!FsX+^!#kJMvfdHaH*D?l@ z$GAb#FT1&a5$C*D|CVFx*T%Dl%~1}d@KTwr>1an(u%a!tCMToZZyxm~UmxrDxzC_R zXpxgqn3 z-xB5V#t>}%;@ksPuJznZ*ivz^w}w+~xu>K4e|WkIhN`-zD+o$RBb}G-?pC_HyStTc z>F(}ELb|(=?(RlFy5T$U_z=-dEwq~6a|%KKkXYk3b6B^4+bD_CfZXML^;l;Xyoh|Xgp zv-)_BNkc_jBmSUhAjvj1+P7yA7u`Rnj90o=CNH@mXS8uD%Mj?}{OE5hoLb|v@dEMy)oDXrt-5Wvt?RF|||eRM2eE!t^YlNWC`H|yEm-3`I;h~flYwoYUau#tYV zs~a%y7R{VY$IYSLB-$ZUy0N0#l5w{CyTR+yz;q(J(6Y{K>mGyGFe~g?dJk2Kg_sz_ zkoMsuwLr`~0x4g_6=66Qsl3MFhP?*Z$}WvyOJ++h6`riCF4Xi+ssg*cn6_}lQ?))|M_+q>BdahygLH@EEcoyHEYZS%KG5ab*O zg*(Pim0}1`%r3IfJ}-IQVNggAKV-HUvs4Y7h^y-dpnPebGO{Pc&wuqIhm^8QsU5^G zmx=CnSlkvnV%OP1!axU>Sx0mWScvv|ewhu{2l_tF0DoUSz^jL#UD$!*ON*p|J|Gnf zAq zH7mJMguuIma}XS>kmqgxRLRARQpo&PVNhaGz8*(8kDhrnA*`gtb{J}OLuQ8p-@&8_YDdA%s zv7-eAm4xNPW$MAz>3lC;f22>Ke&O-wcJ(s-N-ycg54P&^Mi{4j4aP}XsL 
zs!1Z*cQQ0q*OcrGGf%tG)5NtoyzNUoyzyH-MS~ps(P0_CVGCO|2uC`+2wimyj<}aVMpu&6DaAce&HtyJ({KV zX>Z4miBVuMI{c{mvSw`g;#S*PIP+zvkgP4BrpB@5?eDWNo%qdoiFtqi5-#L6szTCBhO4BNoIZxCw5{?of|vw`_hBJNo)Ogy~}wJd7f9qpgwB)Sp@UtZrZ9Os+t21 z%;LWYtfy24mbZO_R2410fT?+-Zr#FB1TNQR{n{t0NcCSIkf{$Fl_RO&4N!+ZIuE#~ zMUZ7UgTJcU6>J-S>`o5zj)2++EIL)}ONh3YKNGD3(Wqu$j~-Ct&S) z(R<|qeu!UEp}>Ru`bd*#Sgd*?dt}7f;yhHf?wqXjb^;N5W8?sTqZm5(ua`}0pwL={ zV4m$5mc5J)H)t{2abuI@6LPd;{pq6Lp%T?rZ1O2Vd0eNuFwF98q2i#bW|OSwo1QyBr0U$H5O&_*6nfw zHrtv{W4>{&x**`;Fuue0sCsv?H*9M$^%g(f(FXqrN9F-i^3`-O$_nM094%)7-;|n( zJa$PWhz!%8`alZvzyfJohm%*q-(}D8BB% z7bph>=`inRP*yT!^UW@4DdZ8i^XYGI61n z$43FuU7z2 ztPC%Olx#3@0;Q7pJ@x9hIW3{Xb|BlE2kw>8hiIjOuvmuo?1lq~21wCDFhP0eVbN$| z0|jP7@K6DVUb`IyP9a52pTlRW$8hZv$J?Q1?{QhQzrZ&a#dF5P*-F+K_v(6@* ztUvOD72nsj_u+?gy_27T0xw#m%F83RFdsX{`v=Ur5JEU&k}7ib%cn@+b>0Xtk56{k zv(I<+)4wM1^5Qa3AYA9Ons+!}-tPmn99T=xdrBWs>hMC5NIZM0_fwH}A)ZZu?W%;* z@NVpBEQyrd?AdQowWiOQ*zkl$roPeS_x-{cEqPMvVICuhQ6%4HXe;rz>|&AUG7BoW zd_%jf5qq(W5ZeWBsS;qEJo=^geI7p_WFYCiY=+YD&k2!)Fyk=# za2$(@iAC=g8RGqnf%#A${jCco)g#GDA}J`~J4Sp3xyO~_*0UscF14)jlOlrhXfiX;3F_dvU#dDIKJ_Hn4D~ku^ zqFo!)>u$ycb5g%lt=)D2{3Gz&%WtucywoUfcJd}fegsNL85|qeXIo?vHbm+2`tt3} zmBpLjvK#k2?T?=rL-X&5yTHzE>%U5PA4EtW3klv?$mcdX_L^TZPEg9@YHSrNR;E=R z>?6y?AjwC5;8{?EOpeF8>>R`IS~pBwQw784)8@re8Xl1 zZRl%fb)=^5(WGEwJ9eW0X{(aak8Z?+T2Aq2;Tn8I=3Gi#Z!n`d1Yh%fI+{TAnb|^8Wf}d|D|F0gT;Bs_tpusJg6%z^zuAK?=Q^Y6 zAjQc;Ck3(5a2Z8UhUjDEdzc`y%!bg#$N8e|E`2&33^(bKw_mH(tg6MyutEgJ>wC(|jqY@*wQ1?Gdp|J)X!Kj$a`xRUV5qn*omMHD{>_8K#>@ z%DPed(jG$Y4`4GI1P{Ng$_}r*MVI5|Vl*-*hCo)8xlP_#uUjy8KOvzeH1$XDp^#pT z=ZQL}`f^Z=IqU$>UO6F&*705C3|b-+I52<0uQFlWAHmK^@@yu3&H4f_Y&DZ2kb{Zg zHaxof(NUx4K2ya3ye0JwC*OS~Y8wLUJUB(EZR~mRs9!ei8iZ1!?P)i7$U->KGz(Y= zcVuXih8dj4elA}$?l3-FwxWE5#}#@ZL=dagJv;W?oHjG~98N5}7G%U=HAL)qGOnDE ziI_6^Zez?;(%fQO*iJ;|6%E5Jgk}`7`cjsm{WDkaoZOzo>{=1|xYD#K9UMtY-pB^< z6;*yYs%YQ7>c{sgolJ{^M*qoD<3)7$HCduFoGNR3*iCjbSQ_ed39561GKC~WePv&z zC(upy9pg=g@Hty*t!4h&&x(r9_`*aOg*glHbK_0+gtId6nqPQSMtHtY@v#T)9J)gT`NOGr8x3p4z6I>AI8S;R;ZV- 
zVTQ-0cOh96y)6V%VYd$d!bmO)8;Y;rn^FpC^2x4JF7fU~L#2kS~(E7=T0=oUu~Irz&_F3!PqRuTWllh%)ahkND(Qd)EJczI4b=0X#R zRBxpKz?nb?WwtL?W_;V%cUSgsxsv9w*J&v5qAhB!vFl5r(3CL1bn?HfSg!d-=84Rk z92ZohOzjnW**%O1Lv&t?!~RFF^vR)>dd~}nC<|MSdb#$<-W0!SD4wdh{5=)Tln6Pb zTr#Uw%4dp)5L27(B8K`Q@wwG|%tnf2aX7;n2fp>o*4J)`Sx&=rC7)87=ySCU@|9hAnSHEH|uSl!9dqPvt$V)I2Tl+ z@!Gp=0Oj13)32&0Ee=s4eG!4d@r=1_=l0RP))ceuc;2tBzNW`3wO+4_iO%3}$0~9d zZR88n#b~Vu7ORiW(@aF2VbV7)v;wdSr1YctrkivKg~K= z)PogyIhY6r(flF@DE$389Y5)KDTd59B6$569EZ2M5UNXmp)zAAjyhi$$zD#Q;ks^? zyNP6dA2G+^B_8`cAT#mQx7=_!Jaxn|1@Q7uXC~f%g!jJYSZ;Nz&$xjDtWbLZLF}|u zlVB0+ujjtun?$_ObH=4Ym#|t^*U`6=;uI*;HH=+uJ35_}iVJ+KpX?k0*B49M5nm1v z^{Oxo#iq$F%znc%isjQN4ooXn2x49MPH4eimf04lW?VEBXJUglrHs@&1$nwq#8;vyj?g#hnm)EOy zeW$oL_UE83-}iq#UxYE*4L`AEv#L0i{l-wmrw zZ0pai_5Yov`)GTa&n0PpH$8<&aNMv8F*8NKdBzBy;myCdwAi`$?5}0h{&{JxqVu47 zPp;M;QmpOyW|%0;iZ+G0B=8zEFJUSgM66SzLIl}KflEgn=L@&yj|w)!ET^dCV0QUS z0JK>II79?9#}pXkFq|w|Lj5wa;x?qTNKtlw2tGT1sMy`?8D!F5W{|fK^^83@z+{xC zvI=JK7?QAu@9yUbZ>qHzbVXG)`JG8+Ckrtcj4W_M`AU$I>@VDDyiXL(0(WBScJMQii3$vYz;3egTqvTl(ZSA$CKQTn&OnXgj@bF&tkx)vPsq) z_N%%wTES03mmSE_stBzw_xK-lYUT%9VdB)=KOM-vKigb4#PflKMH9vE26Q%uOn>g? zr^QN8nJ_RgF!IY78s^Oi|6Kk~$NE$YH8OV2zj*5KBiT-y06P}sl2U6> zOAwmd%Yi9`CR+1N#QWBOa9EW>OKe0?(m}7}u=foush2Z-#FY}z_cIci3Sy17lbM34 zN>&Ii#&{Z04nyoOHwi5uJdvwl&gpi1h~3=3U0HB%;80Nw_Krt`B1{3tu{93!CF}MscKfRp%e zCP#2-+1(RzxId7d#+DNt{pABeDOh}!K2$P1QS}ciquTZiD>xU4c|TshmRq3ae)0uE zo~epKIVp1#Zyw^ty{=MpQ3y->U_f>{f{mJg+@@N*a^AA)<96(CC%r~`rxB#k_u-U+ z1{+T_NYvouPc<*#8MmJ3lS13dFkKGxgwPJBX1?9%3V%m!0_ls?AfvAB|0bsLgSnYn zWg9Pux^WBIx6*nK!HWrPAlxtX>>^+2^h@`!DN@goyb#0<|CX zj?Q%-s?NXsmBvX_`rP=8-y__wJMkDP+g>hEZJHg@Z*+8(w&Nk!gpsqUiJRX+EQn$D z8yrUStK0HKn|TB=D5&O2pxStZ-tF2lj^>D+@HZ;HOrkJs*$k#%w{>56_1yp{ob9`- z7cpzvP(4M|a(g`hdU@Bl=YfU|c8`%R@Ts z4o8nA@*J}?>`|0@JUcDBD|iP58;oe90!bj%5 zaXL2in0&ZktNb5%jyP>`)X+;hBD4la!Gelyl`NxSeDHc_2~!QZ)@ICQh<;9O#)O0v?^SvP4hD_5&N9cdRtZ6TYx0f6q!kN+ z**Z3zCO52KQ=)V#FL3aVRNuqaXT&^+wJo;NiYHOq&SP;UHp7E`K5jU2-Aj0rQ?rE! 
zNBx?oaoo%YG&{O?SJHO41 z^(ytd^blVMJYTS8dR;jlmgTb|llC7c z_A1#n@efvkNQ;#PA>_a3eL6nkyAw#_APc0npmY+&nz$B_k2z|fNl3{vE5fA2Mo0Sq zvGHZMD1CPAKtoB>#T{Bc!CGkApgy<905_e})B4k7MHF+G ze85Kh;*ssDUyw2?h1$omGP%p@2FSFB!z{3 z*!|&lfRpiPM;WVF_FL<(?f#Zc(L!DGqab?LbVILmSD_1)g&!!2<<`>^vWTD!3f9(& zWuY;cK9ns{nfZZjSg zfABvzX#7L(=zKz?=V{KfA5nczee(Scs7ew3)vzbX8_MEu9EE&G?MYfU$C0M1N)C%k zI{eK#qz~OM<@dQlFap7JSO~?MEo%l@JczeuF>PP(*G*{4aSA)x2X(29Tg!k`PYHi4|B>zKrc^0M z^u6@G;d@%R7aa7!5jL*p;;YF^SnCE_~6GG z4-iI6SDkD9<(q~%2E0wo%@$^Aw|hNGnxCkHM=Lx-2kd87Y$j>3q7NS=ghnwZWVIMZ z81?yPsP**4i|fW8kGb4%ALukizSwgHc-BJNJiESIIgCpHv&cZ?4K^vy-`MEgy>V&D z7Z-c<{0n;ij5TSvk$W4+ZX?Gq`?>r2o>gpWPhxPz!^!*C(F%lf=+6>JQh43(B0yRVpN^h)ArW_XrpJGa zYj>^;@i@NklZdF0k5@`zL8!xj%!XVHb)vi&z7H4WW37>L2X$_O$-y3RFP zR=<8d5X#!#gg1z8u%*WPz4UyUl&p+2sE=e_*G966moIXb8FtH}ND0+tyIIqOhV|#5 z6cVRF!8IqR%WCv2QGk1N*#~{_yw9xUy`xYUMbYrkJNv)hR>_vS?Q3QX(x zC=o$m0a++_B!Z~DAtWSf!`ybzgyfQF!59hmhETN2916&NJ%c}yF3cl+NB-6(63QOT zf{`!fq11Uk!_+<3qj8Ph5%DrY83CgJn%5DO%I`+-@#V>buHpxioUFFD6Nvf>3M%e; zDU~b}-nU<43MxCnX&0CAQ+>^<=j7d~Q47CEpVT(;(c4^?B5>B!Y$Zp`J2J|xzFg0U z4_eVlYl;a3Icr~YuVG?ta&Sc1;(F{pQ;89KK!jUq2q{-+aEcE-x@|Ic`GSwvxYv}* z_(ML>I@4gUdxgLOhmLb4Tm+Xf1UDcWDOn~|$OGy`Bxnaw+Zdm9np>SxD!v{WNZG_z(fOAnel&Kcg&)E*NH8_-@^I~YMZB6+ zC5!lWRC2<=>ukYv@o$@Qn;m8!3Bb$>3)?@_)4QqSzX z`f$9qE?z(ty%vxKR+vL~14kPvq4LTXiGo2rA)Y z5K{qPstNq9(r)M~`+3|eL_`}k6b#uxM1GKjW%&reZu94ttQF4ki?squQ~+MT{ZpTI zWiAK&q{Iv5Fppicd z_?p+Cq62wN?`8_Y&2K2wkKjf_ah*W@?;xfeP-zZd^L&shK8_)g(0{l-7Ox_{1TZ;3 z^rT{ZqC|;mhgA{sE{&`yfK_P9myxB zrqWjftFhiT_E~>J^$AS<7R>8;TfPr4oBmVzv6X>1Z~LId%?r$?7B{YS1`;_VxI%%X zz|;Me09My)p>knip{gvJNM!SBPN)C4evS4w@53Lamh&O1BGpRJVy#7Bci_b^Iza7q zqxgy?88fjsUu%(A`3zLXegKSY?0&Oiom}rhF@O`I=Nd<)0uS(k0mm^wKRnM+UOuJ; z@Yn75vrx@oHc7nf_41U(u;Q|pp5-pCQm)zQakCPLOd>u|`2xKgDy!76;OKnZN;Ml@6O{6FnCW6 zKy&rVm2NNDx3{4-Fu}5!1sCI^8q2fQQKh+<{W2MSIr&s0tV~9Wf&P6HHCj%RnRk^^ zYfW>7qdnscGD%i**i23*%fXmT#-j3~#HO9Tkg9F&jcJE~VccJ!OrZ}5Mm20jaQ$8P zLlCbX2gU|OMD+f&#V=$KNcau7##gjQ> 
zLA#E})#tY7dy6f*gGrJDszyLsH}^x-BjEuj6O#h+z{^AX%U8feKwxX7#Rcf>NFhnZ zVKNRQZUPvuJ-}dwRT}i?0L=XT)mE-o4}s^WhpnDq6d+S?kHZIS@t&VqLS6z?Z?AdU+zV`sUeSYE?6r%OA*Tvhx8?$;(eAe=|$H=k3o07AemJat9 zKd%umGph#VtTvk9_iwfvh(6_VOHAqv8-kC?Y74inXZFKs4;<=%=j`_~4YU%2 zVS4Cb>*0&d*p3eVVkM$U$HQp~#d1wduJ3>N*V;UGO2x3*^?P1j+92@V|N0R73Ks3V z0_+)KLp--X47rhOfLR5?6rdDf{JscYDCaXJ1+pC zME*#0QAr%%<1(5!WE#y3GZL3802uTEMwO?x5}^Wv63r0ztBBO#B~a3~J>M3)(~LIe zAnE-Dg@%V00nqlD&8MN_DV1VwfCYgjFQF0l+z{ae;$O6Dg)VUd4gNcCxDdyss`stE z+&8zxa~$1qhT94gS`QMNxhp3tZV2AY9&ApB zaFazVZ0_9BY21Em&yUy=i51cM!73Gc^YdhYX|l*dU)oq(%w6%9_x1oVD=#5>Rs7_V z=~c!;vy|&T`HAxEFmRNgWlu&V%g;0$YW*_vvls#jD^mw1-UGQ>2pb8TP$J~Vm# zNEmv2qz*qFsEl8g2@GNQNMezM=sizW`I8F{!|xL~9c zOJbV5@(;aZBduqqExB9?nX!NTL80e%rJmuEZ#n(-IXEmV&MNF<<<% z3nms8r584{DS_9ZNffiQ`eYD_7GTw=nBx8nSn(Ap{Y)SZiId6Wm#Dj+*{)dwe2~Pe zM1DlVPt`Fe`$j7dQY%VKOiaW;A)93jlGewWuG+MmeHcmv3|e8Ia|cn*W{{%?t4+qt z6Jrb~A(8OKU2i!{USSbMNu`}0)aPusueoxUV5Ta?AwW zHl$q?g^jz3m#R%<6pLg9XvJ~3on^B{&?d0KW-kxI*>B#I)q!$i$m`)dCB3r2y|HQZ z!{2`>vIt;7^-gS&0s0dj_NH{Lyq|x1-My#dz6!csm+I~rJk7F9c6PK}!^*{TLHl+z z-BF}>v+)$k+dDXA5}lR;@*G>A51y)e{$ZlsmGSiPZ1$zqn^+)@6go$#Q6I7f9jlIM zZ`5FxOlPw;cuaS&3jeI{QVqjhMhAz}9!H1v5xzpk^#jA^*M|)<9YGDkHJ~Q_(^jj& z7D{licV?$_F~z!kxMpSYWH3>Wo=|6H3?T|t+`20w_V%b zeT0!jLmMV+h&K7%qW%T!<0y?!>TJ~ z^bsD1Kb6%gFOo1Fg(2&^s6#P{#*?`{WqXQOp75U}+H~=&+pbJOucNH% z!*P9nLc(wm-^-%|5n+8HPr^62*PI48hD(_8JzCk{1cN%DoLRx|+9kEv(N&VQKYtrY zcU?)XFfWd&+@IQlHv`r0Kj5F8Uql-4XL98at7o%3J_oWCsg=Rd>WKA}npOBo@`(Ad znfCl}KaT3Ncxq2&a5yw{Y<*HztGiEJGx7k1#;v+u2{|^^vZ&Xa2N)lpq7q-Ag7*eq z|39UGAS++rpwi*SbIDN7bdNXf#@|xqVK4jR$E|0#hissTqT0BtB8H~&c+0f7Itd<) zwDF6X4|pz2#OaqVlIaQ!*v>BWa=@@$o$byu__6k6nM_AJG2%GCFP6Ei4mlc1Vyi^E zSNGYOcLQ|tXAx=5of9Pw^4pCd{-vRQNq$felo;yZWuz!-vU$07Ym+ExoMDc53h}v6 zUI+a&e67SHE8`RnuY1FUNz^@=@1bcsYF5BvA$dV0_j%Bz)by_LK_YWXtLs%vm7prc zFF42=LOx+o4LY6nuu8ln$>8ZZ&@9nCUHm1LW|-W}dW`qMl9!{E?k%T}@C=KEX1r^T zfv#}5aD12`tP=Ye?Kla}cRBubl5YArp&_7BB^ou7`XMqqi#?A;<6-ZE-lmE?vJf(e 
zMypd$FfxXs7{oMj!M2!RCH~nu2R|+-B(D9y3^NE3f6&3d(fohZ0D_=sadX)U*4Z+( zm{WorQ8WIv4Ee9(f|gemUh8<-xHYVNWqb}>Q$y5GF=L<&v5$I7g?qTSclGVWXEdsX zS;EmnW#K>Nd+jl(hSk^7ub@+Ejw7JQ+K6w!sOQU@wPIa#0SDOdkC5M!>Ggc4ml4mf z=yko98GRq$(;WMomZ&kW4Ec^0!%a3IVdj$O13X0MlIG1lOnhoPpJp0 zAhLL#t7!$sU+~fVFii$DW?T7LJgDAeq@*8E$fV=IJcGz%5Qy%Wkk9h+2Kj)Ljxlq4 zup+vqLMjCVjdA$O#A3*UP zfup5qd%WN9pV~PFn2iWO+el6`m>6%UVSu>V-wxiSt21{%=Le#-X@&NpKq~piDDI~M z8#3v10e)}3I?FX0X2QgLIz8`O)wy9>BY*6ds8gbRzW8G?F}HYzlU7jIBM@Rd)Ld z$G zMpIv+0F93Vts33v)rIJmeOBdTnQXTvDcFcs6aq^!ib&7Ff{sCofZvCF43|`f`?%!b zJ0vMiax)Fns5`-Jj!8-1GxCMiXD59P2rlrg#ATO*&q7m}&*hdDb8#`if_l+({jWU$OLgb|pQt@;+CnRN#@@MtmP@fmV=74kZeO6-v$x`QAc) zY>)d702mW|o1lt_1fX*0eq2uUCCLmZo1?TLO>i^y1hOXw!Q)*28mBBrU+nrYfb6y@ zCyT{c=6;-h1G{qd_b)v&8m}MIo;$6P=v0GJ)bNtc?~6uCMKMDhB;HuKqq%rNyNkN? zD(UavJu`V7uF7>}z=bGTc)p)3&iwOTCWKYhQL=+{9*tqS6)g14ls;^jQcdA0ZFZrY%g%?Iu?!Fr(pU6>0Lu<~GWwh|nF4OvW86 z6IKd0UaQSs={w+<7{|=i)Q^wn!}s#6GPFFqg}1zTZ7jB!7nSVw`1nNsz31sxEGb03 zW-NLuvlF-8DaywJsM!-)pgs<;GH;QA8Zv|dlFAO(Jv^4tA0yq&jPo=}*;+$0Pj#10 z9W0$#;Q)j_4VYUJv^bVl(#^-IMLrS%4CY@I#0%j|-(&Np$jMIpSlJ}DK(X4OR@9N& z=aKZY?vz^Rd$|jr?_tO1&_wHk|A8ylo?$?z28cG)gM5T!5o_nP{Ut%&&|ybCgQO9- zSYrZ*C{x?R376Su>0s(}%xPJH6zj;Ig9jq{(55dh(U$hxjYAj09UM#`BCObT>$=au zf(+XtvP${SXQQqbIu$|Y5gwPrFgxC^3I-Jjy}{3my_!f1OgFc|Q;k28$LlbSYGUK2 zrR7JIvp^HtOoGk*ifbNzTk^ zac5&{?VxFF%IObkmD2(ArCua!QsQTPKY87!!Oy$(`fT#sT!LBInn?Qq=o2zjr(S27 zT%j3TPs(Pq%6(Uk1Qu#vZ?%*l@p99Xkzu@ql(MR+*H_AIEdo(3O}4AO&&I}f6n5q0 zPvqe&ujQ73ZZdq7z6MXpvIV;aCeHs0@jn3lhc^dpQL6F8l(NX6Ww~`3RuO@ue61ju z*=iCm3cwG9$sB(9@Kuae$NGUfTJcm`Y`@u6^xKEQVS=Mmoe=Jx0Q)hblT>-LPJh+6nhB zPooECLxeIU{`1v4CtVtYX}C?CdgK)j;zvUKwf$4|N5Q#Lv08OO3*d4b!|<{_7|W<$ z#*o`FIFTy?yUl(okKF5-C&r8@RAv-T-$#cV?w$Hcpt^=p=dRYot`jpU>bvGCZ#sju zwco!Kg9Qp8O>WP~%`Nj=$0ON(05^EN1_25wq)k1RA_|+8l&|1E!=sl-Jh=JW(5rw07FRz<6(?2JRU5*$G`6ZN$nk0 zoL$NfA3x?gov!YNgrp@pkj$*-IzQ%A!U26*K{|{ugk?W{C1sN7!LO-lF?<}?1p)k$ z|3WkV-zJ&{h=N=Rpj2jykC%T^R=!~f~ 
zKh%+zOtSz`Z!!Oog$!uMW>;ecYVwY!tGIbu&%3EM=QC5Zjm;9ZSd)T6ixY)Gjg@LlQpcs4sm2bbCiH_9&OB69ReI*Fg9Y6_IAd2ks#n7MQx? zc=RhaV|zLXWu{xn`+lgL24__8pZz-)5kUrzHwZg(^dSW7+gtloKPEDI{oU8kAm5@4 z@Ve^|5ROEl(il{1olwps;DEJ8KhR7S3BVPviHGy`f{6gBZ*g()Yrm1oXfj!T#5*2r zfLNnkp<76NM>jc(xr=OudXSt3aN!#D1J54~y7G4Ei_DCAXt4aVQqGK*VzK(bNsBoW z%ZakbLft(koBlrry1p@Iay6&QXEJy zDPY+wKrZcHrb_bj=$=1&Mqh*lCXBTwAOWFCqkM$q-;}KaSop&$W8lz=Eo5&i9V!f$ zOZfx6T9acjGh~bF6{Wp{0}?K7I8g2%=OR1yseUWXPxLp0XbL2mGGqgmLG#T{6=87r;Qru|Zb#ONyLP^M;glPnQZaIWzX&P&*7$ncN|oD1Cd_~F+{K1+aS`t z3kX@l5KWE;;GEx?cxVH9U8oDjVTYP>Z4!(}dF(xK~4yWH3CoQ%na28_Tgf?$TY; z=ZN~z9d3Sk4*sbF6bffF48;EBgfb%h^(3=7N!l))4cwlu(E8%mtKs2SfNNDcStx@) zQ$k(%9{iR4$sxkmS16qx0<7L_0OTdtY2yxB=13_DhxttDU3bXtdRZiuL;k=tvCgsB z&T|z^uMPlfQ3nl@W5r?2p=qU{4t2?&e{Bih7B6ogu*m@bQ}>gFO=v0*zhLyR>}w-* zr{BllkuQ4P0Ti>w3_SnE0*)<%7R^R`0ITJAzTHCLetEoz*;gu2ES5!8w3r`n3sEf8 z?+tN2>qR%x0Bi%l0w7|U(iUSnlC7hiz}|+v)4x@s9q=wS+jRkM=fD{ayg)EonAiQ* zmRhqRN=laJh!t(g6iC=3#9~PY4PKs~vIYvUSuHyNMAlF@1qeEX92{y9bRZBoiFjO8 zTM+Q~0su9_sAdHKz|qYf331J{9xDfhN`A*rBiZ(C`nuY@dk|gpL;L-fKCVB#!rLz2 zrXTQ0GqOFPP>Dkno3&eA*Q>l+=CP1nFNPzkA-!=lg#x&)RkV5+wpBSfrM*iAZPVwF0b8`ng; zH!WHyM7a6M}xa~^i%}poVp$(Blz8H$}8=VYLc^GS? 
zJ}maK{Bbd;Z|A$?+jga`3GC8l-IQhG|KgQ*Dkw|C8#|ud$2tTFAr#3L3tSR4{X>2^ zT=8r2a%-SDr_rCj5d0dCM@iMv{{5lf>mQZ~LSO3Qxa@~{OTGT*j{z&lH`L&f;iRs9 zf#zdhD6F-MhO_M3RNsCAw+uLBs!t(PPlKYDqn5sGv=KpsI-SFCw57y@xYX9v#UI>k z99#a+^7rHo%+tpGHYeiUzhe$OzX?lkuD;^+1`MFU-=4x6J_>hmzjDzpSU3{@y%shS z0P7ar92T*yQfI{O5q1bpT%05~A_0S~xV>+nDKxswu9=)zxkEfTd*UR9uE&D~Dze5* ztT{douPPW@I;9_b6(z?2yAkGRtJ+_s|GSR?wnqd!<}S%TwEQc9!4XBG5D#1_+L&Qw zP`&hNFCy{CGeJkf^7g^Q> z>k;ZUZ5;o0K<~d@7jjDKFm?~>5R}ttx!RZdSCtuUHvrlQ5SLqq!gKAlKYDt)>^Y)k zEoHVmK5^RihQh*o_x~@5;Rt(=$l?Y>Ve3MiBkJZP1wv-Jpn*pdsr$jpNXl(lL*n|& zTU$Su{=tbP3Uj5S{S|5WED})hUmp1l!coI`XGTuPYr4hjSrQenxPKco0Ha-j9!%>| zbi#s+2+MNNo^ugz;bJqXNlhgeLz` z)p5i5ygq3de6G3Id*H2s7dXy@oO}CwApcc-J#1Sz4~rwAB9~s*ZdvvgkI`Fbl)1$q z%W<~r;6{|2mOrd`i1ye``F@bx4g+Q_nwrvh(_%6@2A%tQVrFAo`~G{OumAfX!rKda z9t_}v@Z2x{;55B4U{?70@`Wo;)7%9o=s0oCLPdzO+-uSY8k5-p5uq67>ZKn(7f~+s zogsOiLK(jrvhcB%QT}bS)z=Tb%D@1?>IP)sspW!+OSH5QRdmFJ0*JkTP|(A_66C15 z4w^#DP*@FL#KrChugE>m8*b@Y9eoNXk6~rGaV;4y9sLH|RdloI3+zUP6TZmUe{XH~ zZxn7vHqn;f1CKwk!@tDwe|u>yzCIGUKTKTsK<*hHCCKngI4#5WXf<&;Lheshv_+1~ zuo$tza^nD}tJuvMs!1T_;@Kt+{>@wN4%kxDy&jA}4fM)C+U?>qFh%!6>7#ryZ+S15 zXBc+yW-?V@Fp6B5&OKsFI{D-eit(RbmKd9fVPE+DV}w5i(UV@%X?N|Hhr$X+-TrUh zf4&7QmJn`^On&d+9GPX~%v8hc1q)Gva3DzzqtYV?Q92KbrF(~hNCtK8)WtRxN3V@m z&?tx@vyEiNQ#tNtCjjKn?k^j9r&5s>z3Q-)DNuxeGJbGZH?D$v?q1f6R~z?lXttZx_}oZf6Lfh>;nZNh*6 zgyQaDfl;gy{rn&z`n+y^2Wxi>7aW|!wk*`Y`<84vBu3g1$#Ex|LiFpHqe9A+CW*v_ z`SUu0pmXWPt|IC5(!NRij(5Po8C+v}tXZ7YH0VP3$@~i#?jL;kGm|M~rj4MsHTfdL zywE`wM+p4JO@GK7p5_LYZ*jp>uLb{(+;s4jg#EsEGU}E@)e5Gq*GhxhHa6aa-3Rq= ze!PVY@`52=l-|<3ms1_sUixf5LII*LWf<2(Tq0iRZcIYk~Q{!EQALXcuHiB zW!+AafJn5ZwZYH`k^^#9-Fw%`H(2&#y1J*kfKu;-FT;|`gY=_h#j>m{8GRr~c=u6eqx znHbou_GHTzIB!AA=@Emh3!`2X!jXX_tRK=2`3J+Ec!}G}C-m@upiTd0hhY>UB*Gb$ z7$5?u{91SU2ZRNA1YLm(0QaNT-JOvqL)=yGI66Gx!$;@=jFjE)s16@~BYMPwTI2pEN8xuOs||<0R9cXP zRwp95E7F@pO7*p$fK&gzbt`4n?;TR#t&IpsZ=D;WM^gV++rhme5(-?=mQ-#c>#0reAm z?^Vxw)>=ladTaAG$Kq{i9rD}g*B{uH%BT|1<)tc}QLQ2egMUQ{MYv!|uEee4Bir%} 
diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-solution.png b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-solution.png new file mode 100644 index 0000000000000000000000000000000000000000..7bafef7dc2d040f65bfbbc999f1b88276785620f GIT binary patch literal 52019
z{Y}EMZvTnnyhVZC6#2vsL{z9zZ|%?x$1*XJ^rJ|*O#Mp3(6K*DAW%Mq*(z80 z7g!j*L7(hLMIW9upDVNcNus5u&V7G9_hLTJVz7lGh~(X9b5>>hzwMOwF{q}UiY>t5 znd_sxS#!$Onj9$Drt~kA+g|T9j+W~yICtG=3gxa|VCT3?H5=vsD1?}yrYPAx?PqxH zl;mlnpS)}^d3;p5(^)qA1Y~79Tp;CIqrFK{2CdAA6s~9oh7Sy9m2v3bqgnP6lJ&TJ z<1p=c=5jfyH(@WN)4hN2$)vqWbz)#e_JSB-H@$t8he?ZR#0rZQrV8s-Jb|AHZ|5w37A^*qit z3m^8kGBm^jY_fvZQuQU{$&mGr&vAKk_>Eg@cm8lZP0qoAsd|eGeb`rees)j$K-cTN z$&F55qn#pl$0JevuwTDGDEux2HdEQ`bGhEuz1~l4J=%(<4-cM>D`;!e3a~_hw|8|I zyZI(2Hf&2a26;hRyhZQ!A!jUv)UcG_Of4l`EajDaMJH;oGqk(bB?+X*Q(K zzH1u3v7x&-FNZC&I-L9`ouL#Ic6fo>)b^(#dtALGEv7SiQUI8LpxlUnih7gElZwd~ zC>(B&h8bQESo;od;OL@~Kqhq%sFs^432lJPFN1ET?RoAiqM+?#CP!wNF8VjcZj(5T zPCF!VyuS&XPsg{7(B@w(PWuW{0Y8qg?lLxh%aw}R#=6~|h=pOZ#247xtE!`aXRV@u zd3Lm1tQMkBDU$bZaz6jwz2^C_8CbnG88I**Y6jo^+LBhyttE0e{#uwMJYVFKKk`es zZ@Glg@rb`1k%3`dL&*UEi9*GMtpWlCi_I(vj;#BG4P7t|4ly%*Ty71+2lSVIje18H ztZ&XYihJnk>sU^ck2_t#d!*2RmmRRc|Im!}*}77>YpK0US?BF;G07%&(aYfV>9#I_ zT&^DrmiyaFS^XNN-S{-xqK;Me4Tk3wEViSHv$(ngkI=fae?IrM7u7~i7U7m==PWM> z&feYY{dz(M4?M}ncuz(|EX1C|*|>YEws2*ft?t-Q`GHDvlQJZ`8t+tmr$I;K@%5dL z$@e$pD-!)R?=HclrJ^`9`V2GQFwUsx$?O3Qo%wWFu;e4w)3?W_$Rz0 z0*=pv$-Y1}a5vWlQu%;RrE601;5QE6%MLX>_GDnV52jk>rsi=_7@dF&xg0x7{po@& z3*fg`P@*d^TQ+K`(j0kassifVUY2MnpMiq;J)d-!@h$erb~1_aZYc-vZ?vfgO=W{! 
z#-_UZKi!Fex>4=tnmQF4tLI_t@q|AY}{TJ6d1}byPakk(uVU zYwi^2nFXpmgK}bucDzyNt=oNz@#XqttIWk0kS zdKH2MWm8TL(ItDKcbP!6;=m)j-%peG-ndlg^AO4x7(6=63+VkgHc@MdQ|0~tA}BdN zXsVscMW1-BOw(FoR;YpXYLimB4-(QQm&nY;h3z3?n_0}OO~`OV81ib4utV;{eBj{I z05*s0OGzEE+9EPzwef2ZL?g1Gl}hC{Pf7=y_z^FNj@K)bFsPn=NOK{9N{5UN1JRiz#5cwqqo0ShAlkQ;ecswbu3?<@?moE?_Lu_wt1Av54gW&N5y90C9$0>s;@4XJ%V zjYpHebz>|qvp^v0>fpR-7QTA0Mgr-~4KDs*XuyX+{`$ihHV$3X8-L_a`xNw7z0+g4 zx4P}2n?dJMnxZnGWYw=BAb@`pj>}x&6dR*g}wzhVnm$j&1y6{&pclrp6fbifC| zIvh+8y5jZq<9kuJXN?UFWyi*%O8f|{fP#Wz(2rE}JI3L1V_fxoKE3Lk(j%i?pK*3R z>*To$0ybn$BtM?c{=xk#yPM)FKm3~t*`2Z2qRxwe+Mkdmd#zIeTF5_N``3>&o|JP{ z;7K}6N^n?hJ2vZBBfSe^{`}Qjk5zu&Q5SbKsICC)Cb|=p545FBQ0~GJp8@X`l-*$} zqu5$f&OM*bmDJGf>>*0sDO-_g|U zDF_Y@&R$qhHD9iyVKSZI4X8R@Y5ZXanpI8OedHVKai3ZZZ}7)!L;yg3H(4USVh{#i zaAL!(Fx54QI@iUfkcj+6sS6sOWTMH@VyV@=UdDOc2UPs}ItrvOVd=mG>U>Q+N1oCm2pe8<3>MpML5}dUP%*!}BD{>>+CE+9@&YzuPWxV)H z1VP9q7`V~{AV^U7h)$sOxt7eY$c~rO0jk9pSU{k#CGgR9^ArsGyAU1bAqijU8{n!A z@sS~8F+c_tuwoPPT&!?|Y;bRv7QV86sMv3VJ-`SuB^Iix8x}hQQSipMQ#5gE(Fw+t zY}7DV9t+yGaiS^rOb``n6;;UQ^fQsHk-UNMxTfc8t%h`}Y@#LDZUi4oQ*EFb9q-Tg zzD!4?3qXbX+JXvCmcsgu$4(0x*0lo*9UPXqK=DfPls?Q=DNh#g8#1RbN^2+Xc2M2U zco^SsY$R{P+%EQEl-#V&1T#;Ru1Sf?R1-Oqz*LnyZe8W>zLC6(bpM=9$rIyH*T_R# z_NI`E{A@9s))0rWm*%hfE@b@gB&G8(=h&uo3}fkt8loPg+UEE=Q|{dfm^qf;f7Iq9 zd@r3T;siq$byt7TRW+k4_HYRl?x<{0BdpyjT%z6fucQw)f4TjA{sHVD-&=*(*9FGL zk2h}p6hrFF2|Z-}zyt2Hq+4XxXyqSCZ8zf=fvI#=2daZipRRc{f?fU^E~0c*ZBw{p5~ZQ|=Cw(f5UAk zv4^ zd-9gZdhE)U8ahi~awM)HL=C*akwsIUVw5`&M~Xci0tJA(aZ7Q|<|-dScWv1C`c4Z3 z4;E{XyZvTD$+Vi;QRk|@A9BnQYwb6ETWZkg1W}kxsz(Z3t0kdO{m|o5p$r-$RNj&3 zUK~Y#xZd*Q%bIpmCO2Ja4m>&F=CxnMRQJ5RVvv`rMav6={{@DWRKPOLRIJ03fA!~w z#@d`EzAkM=lsER{D{}(!FX6H1)7Z;C8|Y%Jly?C_rPBu&@-j-}zIh)|2ICjLMf-U( zUFFvuY3TOilTJvNiI(-Zywu)ha_3!cB7sBcW-yZ}@`MT<=Ru|qdKOfxNlKL9n0e7A z#dPdYfXFRs%IF7_hs42|*+%HYdi9nT<;Z|T0msurl6U(G+Q+WvA*o7Z z`VSP}QLN4Ck%oFfg9!u-S?^gMQ#Sw~=|YIWrv+_mQzwo;WuE#r6;;W;S?w*gTEMBZ z%COlgwXt*3@2A%aVZ}uLEQPVWP6{{CSg4U%&iP^@f66S$^xKbk$|0>PeEtCb92~=+ 
zy_?Y@!8r+sOS9i0LVj97l~yT4v#R{A9Tg>zRf9ZWzsWnm*3Nl}(dfaDRKr`ZYg}HZbT2miUnG1KMYp(C$yW$3Vh>GWep}N*=HcrrUlv=sj3sa#6B!ckP}g zhUdy28HDtTZHVC9%{p3(Hc2~@lT!BRv1HUN&pT}3zdH4w+`o+7ZgQy2G|bV5z5jIX7586wSX&!#_gXRdardNzN! zM%;x;d1+CC_zi~d$nfImJ$9SIXGaU0SGb8gQ;)L;GiD@zMUxTFx=w6eJh8F5I;y9$ zazg{WtsIBWD_M5F!M2X0bCSEE5092Ep^`u42+2t(rpC$e7c1V-1Non$ddA$C-%qNs zv_pvez5KXcVTM;ps7*opMa)Mo78G~8DkF-XsxMJd%V-@(DelKnNJZQwYNqeaq%Yrb zPpY|E+Y%6kd(iG@c=ZDpYfQXIwt0HPJ3P9amkdG%8a4}O%wrQ5in~(HB7Z4#9x9He z`PByqgk%xQyZQJtO=ndnbuK3Rj|Q-; zBl$iLCH@Y`qBveCS{<1uZYkilo7jkVaR z{SgYi#RxGd<(TeYWTr#1i&xw=Pk8JFr<5F3X2$)IRRMcitf*>~>wPI9SE$y8hFXLH zu@-hC>Ofgi6ss>A8@^QlhZK0ulpSlwfBcieXjF~LACkGEI_`nwB9Xq8;yNwv%1KWh z-pKO}p_fzjX0)-4yYLzTc$>7WD9THDvr)|vSC?{^E%_^jEaX?`7aJA|Fl^qfyN=Nkq+W$@=}b%0qKWBM5J~nzi0YSvk2vIRN7!3_B|c z@s}%ZalFT(>YCDsxyW)W8vU@qGE|Pbgb8m*zN6?yrMW;0^1bxopf13ZN&nmwNU`*M zU7gBH*G<}y1pMQ2jr6(_4;}@-Qv4Z)qBg-EKBvr~f|qQ3&atYwcVj@kt@}emZc@J)ZJbwU;9bdhLPaBmVe_{|?O>?K!qd zcPznfB~hsqjh?W|uwF{_3Zo@go&!QTp2+4Gb@E-_fy8jrv@OR|5Gn>`0=hn|R~dpD zbp>dP6^(};|ENV(hY54l(>c^RS@$_*(^l!^-hdfvvNvuE1ZB9g^*HE1V`fWiD&C~s zY|^_GasNe|Se}z!sx46&dW2hw@(bN?Vnx>~)u@3&ul;PMGBz=XwBG?R@=W^FtmQZFWkhw9onT`_+iVuR2_n0s3w4zX4S z?2Fo81Pu|iG#wn!*Ym%spO|qhmGA)5hqj6q^@tOlLx=+NM`RS|y#jz)kj{|Vi-aAR z&ij#@97+#i?3=10;}>K6XsgdVSSqQVFw=7SS@SSofnj2fqnItSOT8*RiExu!ImaXs zP9T|+ZG9xFmH~qgA0-(${*hFB?)k1*&9CM=&vtZ4BW&Pc!m7<3KbRP-Y0(+@kI3X@ zB{ve?C^n*ifgwPjH`t>&TPXlU(GI}$2k z%i6k>)=4S;Iw&C43iLEwX_}gv4N^&zU;{4FWWM~Xru<>OiY$h%!cE541=%knSW4rZ zYmto9h@ZgGeNt`e&CzjO0q#<26p)1U+hM!nQ9mwebqXk&6)Vx%%Z9(hqTk;Th-0?% z9!6cxoh#l>M~SPY1vQk15gFQY1x|*!-(fkT?7Rwg=sH4Xlq+!Yl=Y07*&W3I4$aND65Dqx?Q!6Y?m8|%Ize`WU%7c&Gn$X_P}Z}RgE*UTn>y7Z}x zcR42`_bZt0N5;LtSd^cum?!{B1YmU8AKDbJ`20P*&(d{lAvIVC@OB#M$Q&gF(&Tf- zJJgHPRWVi-^d22Xv0Tn+n%p8OLr*&u$Qqj{eZB_WL9g7A9s(T=TAaB$;#pFDN&aaY zUtaF%?)$ec2IINg+@xHdjiJj>bo85$-@fu^3W4|pi*`6{MzTT}MD*7gf2VV^q=r>| z`v+!}x4pi2nil8trQ7xvMG#h zYugP3hu{)CKyVH2?(QxjxVyVsaCe8`?(R--cMa}tr^#A-Kkxnl=LmB13yKNP@i97O%>>qsR|Cu@*7iz&b5N{nJ^WfCerHgCORF 
zxNh1>)r{k)VIK45-HVeIgSwaCy#B}CtjWv{{rdepgKe~^CR?8y@5zuBkwDzf zFCh0qmWD7sns*HMchsUR@7^dU#pq~!)i`dto$mcpmSO+-niS*irTm1>q$(1%R0wrEB0QI5;W}3PH|?0EH-S|MA*%!x}D%Hi^#0lRQIEEs!XkHZ zAX#UpM^9^?b&f)?2L0yLF7^n|;^u+zjcARyofWg5CU2A$@8&Trsq+r(dAIzZ2sdSF zZG1G@OTPbTgmH`_)?0VcdB!5Wui=D5-0M_CLMd8U07LwO7EbvviU5n-ofQ)fB8Axk zi|cZbD4$49sFS>{idAN70z6+$Rbd&yOZ=k|!<<Ix1lciav+t2;xPxr7bkDR=zJ>T%-=%uE<2q*560WRv;M(gV=@`mB3?EpuS+L8gS3 zUYm)-VuCl4$2uA+OPy{1MP&QFEj>0Y8Bi!el}z}>i^z!j_0q?Bt2YEl_$#{JE*c&5 zVd&UD%k=kIR|Q}HWwsmNU#469ajH6QP7WZx763he@ggYxjLY^FwLlLu2S^98#1 zN>oUl9?PmdO4~(0wql*Bl0h^OWChd8kk}RQ`Qy-_>z}ZDXguisX)$F|$xV|7`J@g=-LU8+n<&d00xvLOX(V`KAPj&prHC=4-?gZK{%ApMEwd);TP z7RtUeM+PYipJ2j1$Q|;Cbq6f@=Qtil3r>0O?FJD#h~Y0lctr+7yFnxlnDT{XJTSOr z{rghiB(WDp7PSdcFSU}BNycCL0dA*FLD#M}dqUFiyL)@$x zyzNk9H)|p)X1hs2uMOg;nnN#?JG=OoSpY_jCU&2InYG2#<*e&eo|r8kkR`kZ>S%I6 zsoZ3x(dM#dw=7>Rn?HUkGD%2hq*y-i9gO>)9#}B$7k}>Pn0h{JJ&;8H~!61AmZeYRyB4vrW)H(%g{kWpfW#`^_T#qM7aIUWvR^ zJ}!J-?OR7T9D9sK$I*~L7-~ze!i=#z;=aU8Xh`hERN?3;hZL2;2}F2Qh` z)-zo`-qddEEEeldDJ6Mp<_V;vo%RLGZ@z3A3X!ro``!4qp=W`I2a$eta&$r|lGxT6 zmvV)~lihR^Cm?BW1LbKHJ+4{8gC>bFt|KIP`ka+=!kXn&8?>W zj9d|X>WE>vYmeH{ghLQ{B{P;0-%>(-eHYz=dUTkPjECyV2x*AhM{giPj6v-+rfcraZ)Z$q z`9SkI-?t1RR3@+iemghk!2-7*gUO!afCgLfhuVW%Li{fQq3?+Qi~-z0hy1HcF4g!b z7M}ns*OjjQF__jOG8o+c+Qm>T=|~WN1Wi6VP1=!`Ysp65=W153)QH0PwXP6!_aDy3 zdLPNHc0Ebe6U~w3IokE}e+}`Z!>6Cs8iHuB~9PW?AKhqRp(LhU+ zCgl$6j_E$e=~n5+-@Xh?pwV_=I_2E01li2^-d>lRPzwiGtZaW>$+t2ka`$kHtDBkZHWB2T*i2vf==em3#haH#scI`78c>C zj6eBvyC5gD#ButWfSf67shNRTJ=jkmqp5KH>ogwRXZq=RFV)I;gV$}YUK&BKL02`m zSpV^^w$+MV-kmOa6<&HR7;`=K{!*VFmx{Rs#%wEDwj@JS#|4j)l2XF7*Kj;dELS+Z zx@pGOE?J*lQ9r?`hL1eHxxS8!OueF(-jdRjcVGPJ^>a`>H$9Or(&st6$vKzGxTh=2 zF=N0?G|Ih>qljy0arl=jegCqp0E*Ln`)4wjzB!Af-Td;VFb*Kn9TkKjvPgB5`cSS9nQ5Le$HJ$Ohg!jO5F>r0V!m9(Qw+ExP4gDGX>JL{Py- zv9~Tdk}Du6rX=-Dt+@)rJMFf3g9)rF7Hi@;i?d6)y4)38yd8&~pc)+j-!9Ng!E{-5 zj6JuYH|G-LlhaK>={Tvc0AtC?%{3W{A%=HK0a9GzZmvZ=%n_C(9xTFX1aikUS#Bv?PS+Mpt8&?5AlVhu?xdHG 
zgNT_;A?0BX4F*Tsp=PusP5JGk2t!G|y?uyl`GiKgZQ9)(K}%4~B2K4Byo;AUQY2C5!WFw%t-8lgB-!b2KHaAxqTDvMM>GdB|ld(0vTqr>MV z>asrs?mV=*Q_x^NAD;ZZBD?auEBCK)ms+ui$MN%PuN+8#1hZoy<0;vt(iTLvR7sdl z99@fr&Bwoz1Mk6iVIvwn&dACA=lc|1<5g#Ib=DM`6;26HJ@`+7`)eTZpJkJxNeS6- zv$BF^H~q3OYzA(o7>W0nsm1N_nOQ>9r+)ACM)xdH0>1trvQeYr!@Xmw#fw}r!CbC% zbPva`uoU;Tlpi$|+=&FX&LW$cKeG6dG7@R+%0mbt7z=-Ch)?2~3YXyoL>+$XO(czR z_@h!+5$O7iXcNkzvr7Zrfj7Om#S6uLuNT+S00sNE4-59+I9-)FY(55Tp_SOA>t##h zG8WarZ8s!ODaL=_Y@u~1Aq0g-Qv(!k$BIiBhih<7An!F)7BH4@Cwn(!PXzzc&-BOCn6<{XK(pi6_S$<9@Bydx7v<^QX2i= zvv|j!UHm+1C>(fpxMVsj%Tx!U%!nn=y7@VILNG+AvO}tDpfWKE2PVF3@PS4Ek?(S1 zlvtV+60$~mx7&)$qp}KYxO3Hko*D)+vd&JV!NSeQWa-nW9<;PojXB-Pjx^+dPix!Z zwHJdBE6@|-?Z8~1UHAnFx(Hn$TbrHd%h7g65gph38vRN+0&)S@H$AteReanNlnEy* z(JrN&B06FTW*{_Y=#xH`sNaeYLNF)rMPwxI$rR%LRQfQ8YAF5QsNe!v80D+>6phwshC*mf$jkxQ@QND6il+!wFA`v4wtF=S$(vE1iVRKc{!1zluO`ZS#liE$ z=KdP1cvD6stzm8P_A?1$dfA=Ih`94PIyb2i#mt)nb_&+*2Oh*{L^y(6NvrUl@o0f% z`MG^FgVgS;ZV(+DLG*8pbz|Jn(^fflFNS29h3^u*S{q~`&E+XWH!EesF*TXRt57Bs z0;VnU*M~00!cpyNt$S@$*sf@n`nqLwmR2B4*E0U5Son0vK6iEMul;$o@ga%6xV-M3 zL>UJ$82GAWZ?<*811lW~xt@aP_8VF8Oov?7@To5iIBfT7FlCD=^xRECe27e2xXHg? 
z4S&d`9_i#v_&3LW+o#Ewx=zoGV&jOX-(UF%B9JX##qe(F-;`Q0oNJmP0R6T%*<)7* z7F;s^OBs0yEWvCJ`D@?Nj8YuECHL-gqlCi#3IE)2UEFKhoFv8ONowDwD|?HAk;m8e z@S3k$WJ2o|s|~y8+HEqOzitN*rx!W=e?L*$SOxkrV2XEw;qlG4KMShcS&95nYJz5^ z{en@DAIsJz3TwjN8g_{Q{l;mNY$s^n!5=HX$Bw)N-5$r>bdVFmM~+c9L{vlI2SbBu zmPdK#CU@a0IT=$^} zfjX;|Ck^(K8COQh?(st^*-Kw0(`wGZHHk+9L<+lukJN)?P$&_I(CShEe@xDdRMZ^- zNL`VfY@RkA<6+Oi2xoj<6zUva(0M#21;k$+J1w9LZ;As-o!UG5ciCp8ZZl_QouDg3 zhz!{c=PG2(T;iFx3;{Z;G5p9DJi#h1R$%!_FywdhKR)&Mx$zVNvE?y)L`y^UmbM|1 zHnYc41(t|IJGO@tLa3YRcN>8c&8`P3aWB250%k*ZD=AFyb!0kAT5b!jFH-sSCPWek z9Q=dlC!|m{E(zXx16D^(aBc~5e0wf7s@CnclvY;_`kadTj%G!pFK+e3lsccV_nUOHtIM72wuoaPP( zHOMb*OOQXM{wNdKTc#v;I*=B3esPUtSK6mqBdEhbhjbXp`9X3=Ypd9xxZuoW$xWkp zOR@`pHl3!YI6Qct@F7TwhBY}y5)0U){T6-v$eDG3gDSmr2N8BDY0WN^JD+S@w#!g56H6b5d|=NaLB0^iXnSe357 zkND0!WaG=uE)wCUs4ik7+!zpjU-;_Jtpp<~)qlIi)u||cV@L=Kstm?&I-Bb+GA}z9 zLkj4s=9Qh~N`HcBqL^@r48BL>MP{5qBc@*=C-Y0y6Pl9P?7~^m7O&R9f|!dT2y#cy zBFsMO(=JE?<)Jxy7>gvq5ZF_@KZ0eao%^Q#%tgXQDCoaRh8i!R@`EW^#qQmMr)zrL zSjd%HbjOECdmf3l>@Qy~{cSWdYqFA{#M3-PiuBabQNBvE$~>Neh_~M;5U-T6QAWmC zJ@{{}H-_Zkq`_NaeyqqK`d-V-bSU3Uchs~v!Y%*Gy}6wG7(+afHa8;uf#|(S%=_v8 zRt?tOI{Gyj$ZzDqls4(4FE4qRjHLz^;%Qz8-~%GYhZ2;6@D|k4<{6UY3g}225hV(n z0dT|aR`IQk8FerO4#;G+%2eQC#!3N%@-nX>jJo`>;wy7n6pO6(YeNGwA=?vmje)9auc^-jqK*>tYkF_Lf zUf-KY*<4vUVybXV^g{MryvHnTUmglhy0-p+&4Uivl`hBr4H60y2EM}R(kV@G52{z- z{&E(mDy08mpOL%ugZnF8=Y9D4Z*K82WUWqVc8O!Q4&GRc2KxM?+w1s`vX7aa=J!X4 z0SL{dl1JgqWi?PC%W4_v(NC+)x{uct8rwF;)4@K8ay#b{fXpCTLr>L-zLcvJiSFK0 z5EBgJ=t9m>vhypWa)1e&crLFyFUzmAc7a1;h%^#mpGY_;O+wiu&(Q0#K-rc1COji# zR3zE~DoN^B+pg`{@15R+8~+$jAlnsp6N@O%B%f6CQ$7&7Oedf0Z192u$`u>@Gd+wC zAP65!i^)y99b=)1NEZ1kHS(d3b38R945}q*7ZofA;t{@nYSLdDsuaoN1qxk@k`$8Y zD&pwir2X=uW2`V`cv4+Vy=J+^c^Hn5x)!EQ9Cc%!E*&qFI4d19E8FJ{-w?EliUhjc zz;?vei#Hu`4~xV>qR=u8raKDb0}eT6lmS)^Zx-_4>nWy9=NcPKktI(`R*M_usC0Je z86NTWc*iO(=nKW?e@}3zojb|(+-$QEmQ*b>uOf&3RLYe@6?M}3fym}M1(PxBbx5$S zj1FZ%7!i*6DwBD+n z+uIjCgZ9bIPn*p-n0_GWnU)=)(|#_QhYbovv>Cp8%#rIgI@tQvq-d~rf@)Lta$a-X 
ziM_-c4M@93=-d{Y(G7P(Vq0Tzm-_Z!TZ82L)u2BU(H7pD2n;i`xwc4tDOF>V%DkE% zn~D2ahUl5U-|_H?5ki&reGxYDzx$S5A5O6gi3YNRik_%favS)f#PhHkRM|J8GH+0 zSG%T>ADdY2`H1Ba56|$Q7Io_|Z<(?D_p)TzPYm`dZ=20Mwad8uTBC$v%p74y@(eL! zdQ<##WliC7dBjRiZ^{CNAM-*%$E)J*=)#v=I%JSbMLvMUqu_eqGw)}ECkEu112Tbb zOV}0N){N9}oDsFq?aEEJlRiT-Ll`*pO;&5*j$22bX&8Q#Z}iQkHzM6k?Qa{tqz0>2>58w* zGw|z0KMi=&hcZC_Ocl~EmJ&I3gbsyQ;U0O=h@5;lGLn0}-Ey!U__f@^=ck*Pb!K%A z;y&r*aP_CRf|J=>Tl=<2WT5x^KeGM|VxWI3WA~tD@>n>%T9*b5s7;%w$JAKYRJUJa zc%eUhAuzUAIV@!;LZHn_>(dA*>ZA+Bnw)%O9!B%$eI5}I0?2)kM`*BErXYR|$@hy| zs1!IZHHOgH{7H1lcD2!dKe6FabkYD#Ti#(uc%qAuXBsxA0;_#y!*bm3iH(ofIcFWd zl0mdEWh)}$%gCVp7W|zXFJIpE{k+5^QTKC`;;nAxZLL5OF27X9gI-ljp(u93@@uOL zk%Vfo7xZE3Q=~qgc$T;cVr*dSm=5Ysu zL9HX3#?hmFkH0Skyw?Y)`^j09h8Gk7j@R%w z9Ab-?A(MW8&a0ise!=z`Se=4V{{bt!{SEMLhq_1Lfc-L@Ys%@VZpr;^A&!t#)( z?tV)XGq0$Su2OhZxc0b}x~H;m(Q;qVIIVCK11Kt0GH{hE-IV|7`~qg>U;SxEYX>t< zN7+2m+mtK}GE#o^Ua690RaSJvq4y6Jt0q8F#i{@T8VD|u?;P%7n>F&Z<99hj&ZN+4= zow;b45=pc@_lZb#4X^Z>Pf4@h`2zJBK5J7M8g$QGFNEER0;Y_AyO{yv(K)blWAjcn z_O^{l<*X!V`jV&Chj5sEc`DO0cZB^e*HgeMza(f?$f5-yZ_%!JE1-4*Q@#oLJnnk{7!RO4U( zXNkSk%dp+ZPP>%&RhA6iq*Zs2SH0z#!{w!3A8)ouE4H8enQ?c|)Wcf**0J1h_pt7I zaC-VrNYKF4T6o8FeTP@{gUVWp*oddj_R1Gya8SSwgh_kk%VuUo7cEYjy*mc~i&l~WWTQHoh;G$2|iPYg{P6}`oC9e7np=SO`% zxs#|EOA-U1$JuTo5m9>n0RcnLeKYpMqr(XfZg;qOLo(bV0}+`qW-bpMkt2@?JTEcu zc--Pc7z!pMw_1#qI<$v#O+*(-X&G*px>&XjUbgkPce?-4587z8@4Be7l4kT$YDilT+_I!eQ9iAqPO zvU}X(08(+hK0y(=m*%>II7B>}f;@6;ZjU`G1B3m+%WR?nlFnA34)C_HM>9k z*?zwOVzRi~c;$xmvh_(aspi`sf5`g)I0&Lu+cRfV*$Q}%%e5o^ma3FfuV12rtZt{R zh)|xn(G4rST+I$S^G5EX9aK6(zd4zsmCIjKGtzGhQ0dbw2D-Zwb-YAqWjxZhwzrH| zh-9YG_&;DVUz^(2X0`~+6tLHsPNBs1i~9)E;PCKvN`X2A)LUOfc2Mv`z)n%ks7RC+ z|7>(wmVR(quXDm@vRH{K`03^CsxztN`6`{sCNdzMmLsL%B)c7WvwQaG&OkTKi*&B^ zCCD_`3eK|SfxY?dba^MK{@T^8Mhs0Xy8?WQVZ^T^6eRHJw8 zaK1#!s^gaPWYNjn^WG%@C!~(;8C=*z2h5$eePN?R>X4TC-pQ?6m2%$cbRpsOX-9wP z29FA&^^CU@aIf!os-(+q%9kzCK|8}4T~<64ON1TRzv3m#gjh5_XuK`_ zF?OgUc?&{Rw6(Q80Qlhv>-v`h-t1MCS1Sq%#@Ad8vDy{6NG$O22r_!7*yKzE4-Z1o 
zw`nFA6nJTdZC6;In)WD6Wjo-Nq(rmQTkgoG7ngp&`UUNB0vzDjz;)K7HTMI|d@lMg z8}J~n&lhKE!iEXQ?brLe04m%q^xn&D9|T|M;`V}+i{Pt&#Pu5g8R(Ro2)j5E*ufMM zqM%8RyrAoo0@yWpQ79ugpCCBcL7Shw=&yq_PL$h5*u)kI+r_4q=YAR6mKueOhg0yo z#loNKC6ey=a5!QIQxKC=P1C(Sww74ThJ;mp-e`wPX3Q|VgbmLv-*=tYw&HEmE_B?b zo;}ie^ynQt3O{*pd(f;R!ayhDy@<%pvCxaD^qufW?>}U6dkJgQpXEU7jON{zrA}jP zi%ha#oOSh97>;n~a;Ni?N@wO1ytu_gHZ;igRt&pJbWjbk81EEr?FuQYGkdWcpo&k5 zY;zZ~j3j2$=Z7j-Px8+cyL_C|2K$LMl~^GCSwJJ86lc0GVE*xDg?OgPgYs}PKR4<{ zWvS+jwg{&VgO=iQZ=C$C{b45UDx)Vju z%VpX6&}WwoeAgDWkFjRv(ZQ%R=qztfkyC{d5;)i7#)yMM7+aN|*>bA%QBeGxU8#3Cwo~cXme73U5(#@3#8-wR? zGQUKTfeOLwC9Xe|9n%w|&WCra&!72~GwP^<)Y9ka$e1ctkTiwZZ$77QCxR@k1IiIL zVxQ9Qh$j}VwaUxIj+O`ny}Hey|Ya5xpX!+pC5vi%o=oi(y3o-nhh|#bZ}b+ zZgpzSnP!WXlOe7TDV7nASJU^Xv}sB)Uk+F$0uk4YV~57B~B#M4U6TLpVzYqvvvHzP_MKhe_x zU=($hSHCa&AX?O`gyPVkU$OTatA$3CCjk>0QdYyUSMfEW$nl1v7iM*Q_34+xRp4BL z&k-}SY`m7Z3b8B!o>8OPXr)z{o~kV7R0+TOi1~Qs({!^l6tB?!pdSDn*8-gPD~tzzD2SqPK6~Lu z&?=o}iskk;4_`EOda*GnF-uVu%b%D7f`TN3R-NJX3|Q&D@U{=_AC*SgBf&7X@LcxP zD|@ciWYR+st4UyMH49cchLnduKID>0EBH*!esXwra^71Jde|68N2k$LspQobz?Oi# z7`n?3_QGP_QYfCQ{8VL|-L^u9H?kG>p^AIEYC5>CX3Ih8xuusDw3caqEZvU;de?aD zF>`0)M!nUHGr*d%#mY7!HV;V_t$ZVcu?l5QBfg15S3Za7-SuQe2f28&h>anx34TT2 zJ(%8)6KJ*Jq*{y9Mzur+kl?vqk?F3p%$5TxDv}YxpAJaZa=7zsVhh89GN0`CPr0z@ zo>4B&Q3)6{l*(m=IdPGwQLPkR-k|HPdvisSex@eHhN+Z8ONb&pki^gTn1%gxH%SjM z;=-vNcl$A_)ym(WJIds`oc0-W0un5VS7DR><}TYy=;wrMGA}{6v*;X53%FEfTd*)x zLtpMw!{pnZ^eoMgjORwAMvnj1>!!%I|CD^p>!Sk^?!(Kzs#&`6pfZm#XDtSVIvjdr zw7M#%dV{ebaBNX{IlkPdTWh5eXqM2AkXr_`Qk7|(mNvolUq7m^E|r6tNDu;7b4MXjr)K!xg4Bm^F3;bTXS2IXKJ_MPl3X+;AN( zl9^_mb3tWscPK&E!a-uOHMmy%Pu920S`>D;ziiTSsm`&n>&(MiK0e#7j^NJ2{u{F} zD#=O3w-f1^wspGAt26;^J+qH*sb-g&G!$DAec=-EWE8%1kdsb4<_T7YB{OD1Ue6A} z38Swu&+Z-}HBvWkS(H*Qh6HFOiZbeQfngtx7P|e~IZ^S=`>a`pwfn3rSM#6i>yD<| zP%PdY5YWhVH1r3s_-@Qp5^Zr`?*vXtTQ%06nB2>5?~WP!BWa|;FrK2LFc_FG^(%c^YcI_icm@qTx-b5ur*0$;j>LJXc0&rROd0=|{*$ zH>2C8?PAbs9qU||dWa17>3o%&7m`So2H9hPP<23{e0wldRaL%hN-Y>lVsF?7M+Ch@ 
z3V6?XZLsqWwu^X*_+c^1ZQp##zL97n#?6uBt$;yj%#E=(VUMR(*COi^Wb|}k8&9vc zROBR$PUU5QFdihJ%*SEY;K2FnPYtE$%lzLg2ram9GD zD?dI@LRWr&HTLf?J;cfY@7os>swsjRVn03F+V1(`L~^md-n*7&Ys#%DNmZ@|tgfed zYjco3mo-D7RJ2>*9uq`Jvq&_|f(5B6<4sV;?+dEz9>y5q_*`-A=%MtGf@UXY(2+A^M`1#Tc7i1F?;E8dYQjJsJ?2ivJWZF z5^*PgRamp_hI-YgkT2paTRbnSw2sKtUR}>e=p(gS8~UbtW2#g*YsMm$-|H-WlC-~v z0YXJ-l$pwG7OmOSiW#eqGwc7Y$K={b=W}(p!`X_qx?Jt+y(Ihl32e!K#rRNsF<#yO zb`@%60ttJUXIqHT>%=BBf2AQrV`Dd2XiTQc38nf4@#&Vfe}nydHaQI&B8aDR@KpyQ zWDI=H*Z2>o6%M{C6|1N))`&KUECZrdBS-^ysubqnoA=qH$@GIAnH*bXZHbAb7aGs# zgnf)>MqMUaW=s|`M*f#wsil)N;Dd{vFfVaYbu3F z)`|3vC0k?A9v<#_^xa2{o=BZtTWL7mOLhn&!`s%aK{mQa5G~@DVaSe){8h9*n%ni0 z@isRojK=&KSKHILk{0LCDQhm+XDcr)D|NBi#ynOX(+WGW>sAhO^~bJkp2Kj5T-I^3 zRp?Y&#QSg8R|_o2>X2)FiMv}`B68ORQ8T#Oi-~O->$=JTS`98Gk{3pG*&mrUTL0KM zg;L8kaWk3E_I=rnEtJ`HN?13XwOsOfC0+S|EbqJ?bZZ0ZjxvRB@xI!5!9n0{=c)y( z^1D-fyXY@_SSdeiszz_?jju4fJenWQ8Ie(|UEsDYZwoYKhTlg0K3U+G7X@>?s!0pOX8#K6bqd@Zqf8Q=f&B8y$ z`jt)n(ZgrUo>@GOrMV~A%ELUxuRZ;PS;7+Zm*t7;6>hum-;2uX%$Bfu$F+4eSsk!3 zs84b)m~cpGLDn{B8yA{;DECkCZ#N*Uv}A_Oa_-TB$7>rgW>UM0?B3EB8j#z4u{N_u&zUF%>f2W_V1pigTg_e9DfkCg)5Qd9+iP0nhM*#1E&ZpCjH*e|AQZu)UTDXfOO0 z+g~7eEgRIA?{_wj(uA%0(}-ut$4^t-soPgYy_Rk%%TRsHdmyiK5uAMTHsa9q=3FR0j1CLs_3Yb&l9mhq0(#1cZFviNQ9A_ zs{FEq1-c^FS@G^Zy1B#K`7STP@88*6Uh-sT*uabP9o#!kMbz62KekO55G$2vhIl@` z%;J4YW52mCVz4z@*2TY#@$p^uTohQWY1h5ySZsN-dhl4O+m~S@rF=UcY1vt3`mtR| zS!=##za>=x5&10H&KVVc4*OU7^lma(K${KUkIaxr!y<}`OS&2!g0qw%?trvnV0@^; zo!XA)j6OS{B1EKl_>RPq%KTZnS&+)I-5nH0>F<5~^Jce0md@tYRr-1I+vKIL@z#vh z&S_T5-79$wQzcKHGSyIz#ez~0Lyxsu1G%HqSc+Af*u{x(v%>(*;lmoo%>V=X#te|YS2P|&B` z7DPaB8PGLI;PFd69wxB$iiCgjKjdS1C=jK^eEYwSO2`>UZxKO5nGRovxwe$ov8K!z z)@;1gi$Z=(LO8#HsjNp8EOAFXlS*T|XqSqoWt*Vq-JufYa6yx;A&WgU-O|altcks> z%rW8PAGu%d5^dUz`WFzq{e3B%BrRs4om6XDu_HYqt=J|K58mt+bNoF~tu?epg%jcd z^!YoRz<2DDws@O>Ty&iAd|`o_S~5lGTxu%uxLiKF;V=3ThN@x7nqFWN5?N$}%^h); zVSHk)o6g`?I)VcX2(%lLbjSnEIs614U&UFi>%pZGo8{`>+2GSy%TV>mMw?rO*Sgx! 
zMv&WDq7Pa+GC#B-ERL6z)A6HLKZ4D1VABsvT(8#`1SKk!{s~Qvb{fa}UHRMmFm(JH zq4WBCOG6AA|5kX%=pPLN|LuNtnHQ2%AQh!%k< z22lPn9kQ-XO_j-WV_0Jpj|H~7kiAeNYt>~JdI| z^zq_OwyHN7u(&fMn9hbU!_f3^0&uHkLwYp1A6t&CX%4H1AVM21!-Mt6)Z4JJlSW+{ zDnjj@)F<(rr=bjjM{0-kiXyCoHf@z!%Wluy#1H88j);M~daBrtPVfNiAK>WTfJzi$91HjdJW znVXT^KpbM^iq>#6A7)ovEDYZWWYhg5Qzn%f|Mg)(^IHS_n%`!@Bu(AEc5}+m^W_i3 zwJv6X$6DJ)20|!#1^xy80qp(&Sc6|7m0xV1Cyv2K;1cSC2s8Aiox*kteCu zzFc{kb>h1COPhN0@)E^nE*+(CeCqsLY_LKraRJajAp@c22K(l;_AuS38Z*$Ceo%DWtJ1cRaM$axobl>u-CLxcoe_IbIZk;Z^U$eDlGzv)h;`xVRI?AB?9v*M9_$2y9s7&&28_Iq#;tKhzbPZ3C)-O7#R z{79}u62etBns#af-^j`S9lj`e=wC1@6G}s}2IXRZ5{nzG-L@dD#(S?kJ2txw3fRlk zYoa4?xX7K_c7m|RxAM4pD_fv7pq(4k^jN-byST87H3nQsnBCj}ouG->vt=fO9A#<( zR6{6ElHB_?b*rLm9}$d}F7B>kJrCO;!ehF6`$Ez4T&dTxY1$x$(mh;=zR)lf{EX#m z*ezy>R;yY7&tGn_*kyX%C3&@*&DnjjBm`Y<>TT#LVJlc!OH=xJ)MTuuQXwDGp3>w! zSNb+YakP+8;n~vEBKM;m*0yl=mCN{$1vccafz|Vp>Ju8rpy6m#1W5$0^c8wVRt}o! zbP!R02yWW;x=FmjevZem9@6tzz-p1CcpB$v|GYD9YmL32VBU&Zu1nC}?s&t}dUqE0 zYQ7NQNHAeF#Oft_nutwmRu{KpV(V*{*&esf>Wu$xk-u6uy%4|oCBE7qBq?D)p)jRr z!jb?!@b4gR9RA(%&D%~t9B~vKwy94Hhq{WE$`h&ZJ1lk;8=vVCHTz;X6ZRMzu*sjQ z3O|VpJY4N1ghE;os?=KZU2H50z@uSeitW>A7ku#YI)Jn?d5&`)!%@&{pfHnM7)Jei zUn8OPLzVQlWy6@GtomuL2{w_uWDq95FWvZf;nDhHN~uarN!V{W&T(vs^v%Oom}TuH zfm)bsNW?qd$f6^2Cl#EigwXq`B$RUx9OMSM}J^eMKK2%FIZAdxH5Z9p{sF6ls(o}=5B8dm#m#KZDokXyYXcis>|9|kjym=Iw zd@2$UmbH3_8w)-KKO#Y2`TplNDiAjmXD+P8HHOdO`&5hhKLz^<{!{<_>#DO-|4qzN zypMqNQ z(YIVYkisrp>kRdOS+XFc1X=HIP23}P3f}uaaDNa)QP6)Ln)3CWPvyT%u=iiA)j^B9 z(d?Dz6_d@-iP;3+MtOCZP!#K1hj9SVA5%-!5mfTNg#TTBF~1 zCh?*_eUY5XD=X=mU2iBX7OMkb&?p4)y`F7WNLb%r%4Z(RIk8-VE1S8VDIt-V9BPS+VfN?0;>uaDvnAmMmm#Q>Ub*-hnR#!SX~I{0u(lz zFV6>j>lios)^thu#cw3Q@9v0?@$pdL?}AT& z(@&h*AMsZMLaLac4?NE`0h|xDVeeusg z)bOPb<RgC{kWCyb2{1dr*dsBlcS_GE;eYoDpCtmFLy%!wWS*FqO$LsAWQwXC7 zXwVw+K5@M{oE%GKDFV>WwYohJH3Fy04Uz9GX{WQbd;n)W%*8YuN3K_2raa`cTVwRQ zfWzt3Sn2-nei!@lIQc2Gu`-B^(~&1*rz zR&X#>n1u0E9yHJdE7uo_Rs@U%qtQ6da0(M803064!`I-T*B|6f=Wr?jnv)f_`@?r{ 
z0Gf4bErZkLRv&B%w?}i6#QPP8qFrF!k+0GOH5>{vZEi!NUDTKZ{S)P)9~Sd9FUo&N z0o%oqxDr6xmWcNQpYUg^FU&U4O8K+%8yx(~>&?85l>R1aU8egbw8dJh+FXr%cL2+E zO@66PM+QKgHaEt4J#%oq7*QkKl+QQ17)-|_cf0|MXp(0HS#Ma1kqIG@j|Q?NOveJ+ zYJTMQHacaY@(q}jk(s3rlAez&*n+1fb`#qMexEEr*B;VxGP&{!j|x8@nsay)_b^LG z%!~hHREx)Wan2kC2!WX~BJ2$Hsk;O$#5=%mr7G3wb+6k76$Avt7Sg(mhmtVU1O4ek zXC}Z6j!V6$;z*$0U8*w+G^BM*D|q5+XG%MA+0Y`#4}Y_4&3M;fh*p7dGN65_aGxC< zTMqlttyfm8y%-v;lEEUCd0q>1s@VUM{(yp;*M<6z5rr4#RgriyaR7XD&1o@ReILmnn?2Pa%8 zou0SrJH6uh`mjIKV5L)J{Mku=q#pnX53R3fvfKaRUH7<4zc45nD9!pD8c}5b$<7pV z(mH)Yb^`@0Ce~Z!b!#V@f%%)i)d`-UTvYxn78^P6)ExaT(JQD}J1H0H3 zt1J`jx7wUc7MH|wq0JzvRkk{tQLinlHBO9y3Z**C`hSkP?R8I4C;+B42nH-3l5Ohl z?(Qu#JAjQk)8b^cl@tO%j;CAB+9{XI0gN<+Q%(0|jgd^TW)po?PNm(x^l;KQqMNgI zo%(J2`ZR}O^-0javAPjgcetkf+iy%XeYG;16oT$WD6jU$YKrym@9!sm$>rA4yzgIY zIZ#iBmRP5*LqTp3`7Y;nHdRkDh&e<5ARGCV9w{ax?IInR8;(In!u{|%^@c@ue!hAj;xbl z_9_sM7w>nneq44A3t)wgSPynV?l``PNFId6W1EgKy3G>26=ne*s|OnGL>ufuCyk{- ze85T~-r)rs^OcN!Il%jGedyg+X;~qF0|oq=9Oz0VU#%RVDc30aqfunFlZ}&8A*ajb zM52yo@~>>G`BbTBBfWKH5>szMdl($~AkfEoQ9&7dU=Y8DfxbEK4NCC&AtSFtA@co) z1;C<9#L=+O%JbW4EU%JBZ`wrT%)|{8?no~?AmiOR`O*@X;e=@i6u()SK;Zwt!^6*c zd?J=e$lD%>BsE-t0>(RHp>Me02g$Ocq+*F(}QKxvSc5Trpsx*N{gY>e;wopH|Z-f{oA}VKLWEo=`E2>RSOT5$>8p1O`y1BuR zSYI|$>_Z(^|XH+aOE{t;uOq z64*`R@rzz=gmMC7@e>}<%a^1w#RCLp!|~YyfYRo4GPCw(Q>TL--CjnMi}dLdtG7K77o z9aBW9Y_bcIQDYbbktrIU!()BRFH-%lkE98k#LLIOpkJ@ZPx>5TDL_-;27s3 z(*oAXoY>@GCtwQa*gT}^u>cWx}@cpF?Ukz7pTXkw7K?GgV9BbEpu z9)ZFLvO<_J633d%Fj9{iUaR!9bJi$>_N<8{%AXgZ0>*1g*^_b?0SezFvG9>Y0}!yg zxt}V%X6r`N(x3$_x#$)vHl>Qh<>h6+qB*Cd#mo3Sw?N5mipbUQ?T0M*y|wtHorAVE zY=XCWCcVwl*OMy|+_X0e$|=$JW-0#z8`|CRx+(r%iS>gx^Lbs>jOC(}gb$S*ZOE!8fCAk2JU}h|;P^OhBadTMG@KnF@i^DN?@KE_6N-l-x&}(p zLma2ehyJ&8ReG6T!cg$wetqoqAPH<4XvoPJ2#jqS6lj|u-*bw-|3})+o z&|T`^Qu%=)V)vSk{6@qc`%i!AuFCp2f&4_TG0dQ4N{r!hIDxdM%4kiu&3t?A4d$VU7`^sfnOhHlw*kM4~%emU;D4ewIid%Q# zN=c{iB7=gg9ajthHXm^ae-8%J+n~JP=r2@dMK$GH66n-f@TXn&eKs;u(*+-!7!(K* zNLN4uyxtR>ARcfqnc@pUM{tum&yJ205`ch`0&XiB5ce25AS2$#%^gx?>(yOK>`T7B 
z7g%Cm(5-B8&2l2X(OmtifJt28=f@oiUP`(PM+suQw^Yi`S38RU^C{ex2BSH$aNv0E z(Ov-$$Cc6MEsGY^ZM(NR{rP5AILg=-F|zH;iq84l0|Xo49mvG3x>u1ITdztgmXiVT zC1n>Pr_I>eu5RH7iTmi<uWj2@}sP z9%o=txHfq_ln`<^9Wr9UfycX_5qRpM(4hSo!W#x1KD9EGWax}ig+G&zZ!7 zvyEHiAnP%Aa+kaTkxW@W!s(oynjqse!JKZ{X3FlVIxrL=4G+0I+k!dDyO zgX?ewdKP5ReBdVWZou(xSWD{YI+kS8dOQDxK|ge2So_-*?Pa3ncKmd=ob^)C=bJ`E zN(%e+VL*DX-+SJ^6N#@eJd0$WMU&<1B2>(Z=IS#km3;cH&dXOMC#N#64i#-xPThxy zSQJV++gG3zfF<(VgGsoaFf;;8Gv>A{rcXbB1kmBPYgR>#s0!7#~F$c;_==DQy5+m1;o`Xz?BN$aJ1)%n8N+aePX0{b7wCA~#hzgtxobGl#Pej#BCZ(y>-Y~Cr_Vakj-H_rMy93n-V zND6(hIjv;LaKHeMF|ZT|&sY7v0)3|-+QyB%EgLoaeHpK0pe9N_d@~$lUR>W(Tv?+t z&j2x0ah1Qany|k>i9`+=>M7-(<7~IF@5h;ys77IxK-W^wqp=4^rn5?jLUp^fRt3_D z_ux~`7oE^&AZcqa1(+|U(ILUfKgQ(ekP8CPcYCx6G_cgeuNmP; z3ACqasml~>&F=qQxVY<9Ab)f{6NLRQ^pUI?s|6bL#f2v@Uvl0!0e0ivYQVKq;^&hz zMd<|bS|_BVY_GIu^r!Mm+VrRq#dqHYn`ID7Lh_kkvz3Q+#S>5yn8^*PI<3MId9z8> zQQJ=pvbw8Z>sTjzh1*FS)6`&%Zivt63%a@cg)kU30k?L&KKxdOcldwJX$TmgbHHIB z^kJaIeG@>-6c*2I?8hJx6$e!4Z zLyN_#XY390mtWVe2LoKCc-Ox=pgk+o47fPndO<$XcRM2-lQ)=!>AB5bSbw}S1RY2V z=!zA!Xw6M9TC53!x_N4^ya`&_=RRAqkI9T#jfQzznwQA=N_hF=y@u)=b5!yh`ygZb zY%zG4N4kk^b*Zh&Gxf=M@eTX=)(6~$_6h-zPW*<6+2q+60?Vk$b;F^!MoO$0^2}zh z!wy5}Tpj_g-Q(RNX5L@Z!;22RCu$p6`*vBqJ$lgKgPiluY`z@+DB({OVu1D5bdtLe z;#45fO;YoGe*R$k1LgeaRIqBHZ26}H?dp?RGlP~lyEkG#1uSYx%4ch!8MN!BndgF4 zpBEYxGpbdpJ0$U2qd2WkM3(6{)0Q*o)y6-Ww0sI8-T`b%^kxZr7c7h?Ym2UFyEncM zs^&(SWDkgWT%&nklM25aD4ajg11b@qN@qUAaoT=+%I7gF`*L9M^Fd|G>I?SFN7-Gf zU;7jA1s=GISL4vrwwqrm*vvP`Yh0|& zFISPYZb{u6Spdk{a!zLceITk=F{Z_61q$)m8jZi82YEu1eLqT(QXLk6dlAInd}@n| zWwb_PNaYJhTJTH|g_(l{|Zj2V?%S8WsR|ylVc8sU@#^jcN1> zKc;Y#&wBlE!(pS#vwpSqo;^MiB=XVnlBu=#f5smV4!p5u-!J}FHB_LOKO8*v+*0~B zZDo0z;YZVxO@`~L$MYFc=_+MJT9)6gHe!`&)JVfGQ|9Om0{UW~D14GYQZD|192Dno z+iD<{9dMLeh}ku){%Er+y{@0urPN?ZPc(I=KI^pE5v}U>No;xR`gths*PD+mv0Tmy z+RP4!z`2* zPW!g0rh`${TAMR3T*wC39!1aM=GHh4R)6W8hd`n7$D|Iokyv;}(ap~GTYy>Kc){QJ zY8a?5UD*ft+v``IQ}rhUgyS*GD__#WudY>lH=p~}dd(7$^1F*WzZ9x)c225(!xN4_m+payx)&paF9MJTa#2c?mH#^ecm7~XLWpSY 
zLGH#y_$|%b=^Dqa4t&>UOK2YJwUg3~+1CuYP?a8I>P=)N!dow}0irT?uv+02O>+en z1I9i>U<6Tqa=p!1#5rBCS&`mH#7fb6hf~29vmY{R%@&$`F~Lbs`#m>^{ok7~Q5Xar z%%4=u@ZlHiCPa1(IWy@h9uT^atuO8R1e3maGp=$mGdlOHbUh2CsKj(u%fL*;h?SzPk z_}F^D#bGVusVI+j^$qp6k2Z(SasiFbyJ@{V3el2Y?bvFXY#=|9p4qY<_T%q_kP5kX zUii;pfIEa+CbH?Do5c*9i@MxpPNaZkv2wF-@wDnHX?6pVd_O5zWn zP}2Ol_DMB=>;61LUo=lPe~bHZ)5O41KF|5oXxl`x$z{E4LV-(YYwn^6wem-8+r%&q zlR@$(@*n4Bhc6bjVS=(Kjm|$@0AWYGCdtV(U*b3SJ_$F1uqMY58mr#PnlUR zY0TrfI!sRyH+$yaikEZ)M918$&!`vPkcGJiYyg4Sl?Ds-_2iOfU`{N`?s0ay^HzK% zdZ}MC#`BzzprBZs&`VU3-b^O_M#)ZpH#|B#qAQQHc}!84pc-!LahcT>Jf!%tXx3L@ zy-_CA4{?&QMWYUnj&k(ePGxgfcV;hfy4xkz$N=CH>{4J8sE)1r z6(c?lBO1^d~-}lUxe2Goe)YF!U3IA&<%Ujo|?ZOzlA=l(HNcYhx z^n;594*}rtL{yb?0{M+)1Otrcouj5)IBmMA`%dwSee)k<)Qq{uR9hdJSQw_;jCK~v zT=~sM(GLK#%dre!aX7Q2jVPZkECKJdai5jZFj_{`b}gAS!uWfo^(4I=`%# zM1`y5A~~o1mK{1?t51k}0mItPT%!OiF0F+P%~#4hsDLX9;gk5bd3x)i)QP5E*Qd_{ zh2J+|)o1XzdN^zd_3$<38xXs}Jr(>I?P6TPmEWp9(|Kaqq=%t4axn$+ zpQ8#^Vuf>zmfVvlH*|+Q5<)=(Im?p;+_}kP3e79b=`4z$*Uc;U;as3D#xvS7>tLG* zco*Bup|0%k*3duwXrax0l>c5nolzRj-T{shplrV`X6^PaC5!qj`i@5xuJ<%Ti2yi| zE_j($o3oUu^uZR&vtmm(UI&YWu-b*owlbx~MRc`)(0^TC1>1l4BA=MS8^3!opraqb@2+8dDw_sV4a*H3geav205P2LL}E@*u0O?`N(auz%_(9900_fx*6a8XZ(Tu`KK1Hq2}bCQ{Z#7jv8UWO`3 zr_JvXKNQl}k2XI;5&7OZ-wXhrxr%4NDGkDd31Gfo$?IjW6p4q(Eid6rzI`NU*rvt#R6zHEGsY5!xe*lG|h#)y8IuGb!1 zdkwhLML;-lM`^%mSiW%U`$+OfRu$$v%CpBlDIOyrdQ&;*~M98Lqg zbLoQuRS0KVci7)M8F;$}=oH{Im|n0EGw4n1?4gG0iLwbBBOA}2RPuxVB#nO`EP?1v z_y&(k?#3!wxJ_^JmiV!VQg+!OO?A{6_Z`R~01qT1NMZq%nLC6_3rb(2`hBVMicC5y z53v@1&s|_mo8$$~9ME2%nCyez-w@i{v3hzmM#2-V^V^4^fHIk+H$R5N1vw7r5(#5K z0h$-veZ~o7xR2ueN`TvFgT34`m|#)L;-cfjYC+!;4gn#~pAb^*R69-~L&3PqF90B) z5}esyu5o_g1B#`8U&0vhb`3ruS$DbVY$*C4|GaS==AE9*F>%`!=vDu^UO&nxzN=+p z%wdNA>*oOQ2LBH^L*YcvtKsk4K!F>Ga3XJHg{y)G=8CpaL7kHF=kPi2szz+tD!uUZ zOupbY&MqjRdF9|h;k>oC9aR5-Rg28d*3Je=LvL9HAc*LhJks=^y<0?p3E<;+c(+H=tF+e*@P5B&>k;pfUY< z+kKU8*t?0q0_D6bkWoLs@ibQ!X6)0vN6y#-&s?*^{ILn*X3HyFHocd%nke95=D2s9 zw+9#QLNIQ0Zx`7XN?TIfBu>kRE-o%ldyCcRWmN?UpHdHX{E+bk!XpMk5Fr!@KvZ^5 
z`ILvsh&KRVU9DAu`o;K%M{jT2&0Va|+U9DOnn~C9Mle$+8+~&GjQRA|^=Xd8@{5xn*~8*k&|+ zbf}O#vv2xWRjyxjRB}LgqBIK&i{s`AF^^&kf1~C1o==X8qu5FHZ*pU8zvip1cWhL% z=Xfd}?4RIFmi4(_fgu`c?z>UaW}VW7PAK&A;=6)R{)!n2aG9FQ$dAmxaO2JWj430b&^*$@^N=gR`KD*p${cPoI#rZeNB{d9wN> zaTLiCYjb5UAUZvCSOV>c{E+i6wtM&*9yL;m`S=ywDvVX9&MVcNokDk>!xy-oOg!tg zYng!x1{tEZM);M!sPG%XH!B>OJb3P>yO)KoaWV(m-&8u0t%1tlN4hZzgo7>*89iDA zV+HlJ3k~-gBkkHluoBa1jAfexBT1B3n;2;6=~JLolFb|X5-Ex~W8YH!f$(*kYc}g9}opF> zjTHyyMyV)gl}dnVLS}|Zqul@jRNgVowm3wxKJPR1VsV;)IygDVDo z)@R~TQLb4QmRTAYXnku{F%hAckvE|IxC9%zP`+Q%@#Ko~#qrLA@*no6%tTfXwB~#0 zQMFp=6WRKf0j{f6!af3E2m`#_gsHSHSDL-CoW^c;{O_qi=H`-dY-kI1u-Fq1odp&P zG&9mR+jT*UHzTRdZMP;Dh}ul)J39L(*EhzV*StA*KAPF}9J$n+?zf^0#m)VO6yFQ6 zxyf~t-F};vG0jmlrRO-8?<))Nb9-h7X5R(Gn+Pq@ZN)z$Z(ttKZ%82#M2y;bHk2k1 zSMS@S4t+<@E($jopvLUKi|wy(sg+^CGNUquP1QwnM}P{;9o zYy%EGgaZ=MU91auAU{F{3i2lZx@$n^XzLs)iiDHe{-v+|qGK(t#6%uYMMm&FFRXm# z@a$)8GIIHHilgiAC!Z!@B+a#JX4JB9xDST$v?2aLi zr}vY6TX?9J7d6JC2lSp$v4)A})w*xT8+GqazT?)FFiva5JV+r;-!V*HE={$2)Et{C zY>Wporxl`Jq-fPhNW$)&Lz4+Up;%$NReGD@&>vj%Zz|QNR*R)ST}>n{0@l-u4DEUy zPC^%rDX2Z2k^(ixd9;@sHK2~`-bSAU1pJA$g~@U;;e{^v_7x9sW^^fIG~mK^fHW8K z6`%?A{NjZ$peJ{aeoK)pT&e?VSI&*WG#<#8N`|N3sGJIC!YFS>LOiQQu!hZ&UOy3n z2G~JYIuXo;)!Q)f4`;Y}^y!`@8*Sd@PPyl{1H}LAV}^u~LvpY^bOs!+4o_Ge_xjYs zJ{+iXrW|@dAFMi%Dn9B_kLGvK_^Pm)|GW%wC6VGaDM1X9x}srkMM#ebA>bzX&fx{! 
zQBDUXGmJ}rrakU5oCUqnJ54C%5#_I?s(h}k4t$l9;xuo8Vw(Nx;4=Nzr?TdriBm>#N0&xp zIIfRWHbr}td`M$>At1}II(sReZ-tpaGCk)zPxaVYWS~l7bf?8!wC%{rZT(}HL$FSEew-DBIRjPwrW*7VfECmTjbF}mbFiX@6@x0iuCz@h5`jzh|{lfrQlf;p}D(AcvScd6E6O79Pxlw=2~N7{BxX4$%tKbA7N* zzBD4$IGpMi!W>;@AYn6U`(2=t(m6w|1>Sgwbz|&8wFuL|&3K%L3tpI3O;t8ONfq!M z>44q5>g+$-GlJjWndP#b%>z^{Mu%?%EJqH;RT3A8JE+5n6~rVJGvtMKbLtofRc9FA z(g@QC87SgQwcgYzrjcH4OEo!NMr_SDidnrF%|HoH<`4hDp#M~$17+1r20OoE&n~lr z-Hv4H9TrTqbX&QN^8uq~Y7e#W6TBhkp`1NTofz()#XBTgh{`|J$7r4MVX-hT(m$Yi zoN&3enCurzazlAP#<(Z`lT(0UlYHuoZTU~hi=e9I7ZfBHm&aRACOH-WsRxG}6$0J` zXi%+Op<#uJO0J4l2u_*C?QD~Y(=}!{N;WS?(Wt}X^wGCi{G-*g5iGoSN%5uHvTIDb zd16u#vSy~;S8=h_8Ymzn&iZ?m7!CjB%9L(54lbjVAMDCir|gkryj(1UmH7r^oRF=J z3v#P486`&02RD%|U;9xT*~nnT`Wa2Up8Y@d3iekss0eqf$_3&3$5UYir4s2!O%A6d zaddj0nT>4ry@vQ+R>S(rF8a8vQtx62x_p;9;NB?@3X+Z~(&ee@br3Qjt!%Eh>qJ9@ z!zCrP4Z&j6N?+mf$NSygm6HR&p~$ z5Q38{(Bpvg%chpPjWCah)i zVb5q94!--#zH+vX7+?4tA6lZtibN;L4%)q@Yb@wDvpaYa-oMAgoTM!~+^e{1jcIFx zu#vp1E6?`&dUJ3F0ADKcJV*&qfz5#>?Mz@pIZ2kWDTrUh32h&)2V47#Z*mzSzQIXpSZ zl8!4DhD?8}jucWtX&&Gqs6@Q99afz2h&q;4ceiaOW72u$#g%|PUrw#4s5o8gECk9a z?96?TQhv~ADcd?phEMmI`WIKP|*NXhjsKQV)$&)DVyMA|~v#O>ulBS}9~uNT9ierN6( z=Z^ySsCc6@-O3yaD~9BH+kxr>&`|fQR_T8usM2spO|fOS>|r2?u@p(`6?8 zpNx(5NGW#H*h~|aco=ZEVvG_|%ewAEM@;7tFc~~n!D}`T2tG`3pdYvsJ}|Zl=MLg4 z^U2h!J|3GF0uGJV>6!RZrI(bjPlWK(uZ!&67Z~8^95I)Jl}rGO9edAWVsUl0kD$W& zK~|kQ@=IR)2bw5}5Uw6J7?0;eVj{lI-#jVduj+(UACM>mnOD8p-2X_7Qd2SmCm9_a z9AvExrH@Tjewdegvczje>6ENUQ_;`5B!3X*>E2(;jB7(8(W;7S_9TeWx0$;U zoztZ31BePKKEH?x$==+ZTo9t5a38q5pwR*PDBM1(%oPkknIfOf&guw=xgm#T_lzLq ziU>d?2q;tcTFEGEu3Q6uVw^$Dc27vowbtBU?ajm z_PQ^VfO?Zb`v(;OD3i1=nG9O!t7Re_XY9YEU>npF4*m8u1NOCc|!M!|&fvrnwL-w|du;6qs*j<$E=?+s)m3vCmQq z2F}7LJ1W7r%ci+I$SUSBL79TB(J#N!?H-mfV$#HW0CK+nTy6FUV0IWcqlffwMg;^^ z9t`&$A7Ci3*lAp<`R#|fhT4VrsY9$VK;ezVi5nUcaLNLjVeo&? 
zbz!nZ1V7U2ROzb*7nf)aJFx>sf=iPjOOwy(qhrS=G#85$ZYZIZ!fnC;ECvS@LN+Y_ z)gXF|px~gKcjbgpw=rZ$KO13X;BUn#jRxvTbzHL$M13B32i*X zo-Unc>7cYeIvBuN$j6ZNJ|A^sf3!@A`JtNb<$b0WprBiMI#uxgcGTC%4SD=a_qDS~ z{gvc;7__im_PIO#r2auY0uGb>-%^jP7V0r$8W5l@V7L$2hV4)1a--ZahgKi{ zf505N1IGX=`DGkF+XY7;-vO$M#$ z2HD1wQ^aDBn%mtaEds+|^&|FD|4iKt8!gQzJ~EdV?XGqUSovtSL14`4?n%HDZ@Qm< zpMDVhst*1&HQ(O5qr(p<%|R~2UzgHT;mI~zV4lT!v2gwA3OvjpltvN3Px3VK^Q&Fs zuX$brbf0B$fbNs9&m44!dB?E0D;qfU6sUmu{gWDxKs=tKCDbv;>Jx39KOCMReKBJq zYU(?yA{!7hPZ4wnj)RxxQ!2FUJ#+yrKEd8)LkKiGQz$^i?44d;R4d{;U$awH=D4D>Yb^^=&al|is`Xi}h7USrj zG@vyq;FTf2<)&P^L2vwCK18v?0PIMt#tMXOy^7$eB!6Ji@$iqS0fq&jOo58C|7S5H zC{(+;|Mant2cQt|kahovN z`MnAH*VA4gh)YN)J37{AKVoifzn?2fIK(nd>XED)mjz}Zj1tbe%+CH*Q23R+YwJ(n7!rD0 z^Lesa-mzNvsi?Yg=I|9Xe-!i-h=*RZ=P?{zHw^^uL`KlY+?(gV54DJ zOTe1}{*z__!5jx%#@pJRh}M9>&o=OYsTC$xFqNb1J98|T&99+x3{#mJ1I4WKd^xEO`f;s$L_tw z)(L{2IT&JF(pV#8aOgzc2m3HXu0e)luLd}N<2Mrsz|n-f$zcywFB~m{_41}`Udj=A zepk45eVuuJ8~P0AjlbB%agOBii|FKJ!nnT}Eoc7)qlHXT6N=>jJ*5S9W{GhrCX#gL zn{f=An|jjm_?tqsk5QDEX8lQt`XAu4uUs6)3fb0jvy=+mEt@=+g=Eq>8HoAp1Lka| zh5IHO-&(oW>&X@hm(171F~ZZKogyP4C4`6ceX@&rkUgCejXdyyvO-TS&9$d1O z;eg#76Vl^*8U&CP@WS>v7P85%%9ZVTu;^M_oJfO@N-B`m=cLmYxCVriRGP04t-REs zprKZh-36T;oU<88AI75|Tve3D8JuqAKg1t>3hTSs7fYX~msQMVGdhBqZ#LYhzOk_= z@_bM))}h+pKQyp_PLr&BqGRc~`@vftBlfr4#zY^-GdRo!qP4W2EupNWKf#tyWYH)w zL8~OP58a=#go4ib?+7hm0|~S&!}RfXsL$MQqtvUI0Z3QWtjz5CTMfG!71GFwSVAGk zROt-YXodRK8fR2EvSZj@F)0^23o+}S+Ie0tCNJZhLAFSabNLgF3(FA3286^GQ(m5( zy&3!HhH84{6WGi*i`}h_uy>l@#8HIU-x*l-^HVn3VziS+gSuJ#8rMy;gcj@b*zSaK z{mCY+D|Tv99fB!WhnKgnH!wJC_v_i+w;mU1Y%;`Dnt#y}*XZB}1XCDvi>rF4(3jzM z%qR4jJq2BlXw<@2M&%Wxa=(oLa5i)P#}P5o!sFHTZWybQ z&cAnRG&>%sPKk$5t#1ulTp4ODFg6i$7!CmK)`JR#fhQ|FKWwB42{DO1e-!TR*&*Vh z9@u`=(tiRlS%_(&8vcXIVxg-1Y{a8`XMRHneRF?hL$$DA&)36H_(kE>7Z8Y!*y#(B z!+S)V+wOL~zDC?^_EMZ~v8)5X5Xi;lb}rrcO1)YK1+VstBwdJb4_Zlq7+i^joIydS zR)vSB%O|%uCydDC)yfotZ>PDx(h9$TfaT=ewTfk<+i6SZzTF7VJ>8zWyYx4g1p+EU z*lU@-fxXZ`$K%zOzxtUr2y=h0BwEB_K~YU}etC|rL*a@{kjue#ZYt3M0MboChPzSZ 
zn#~sH(=|5BLuxg4kUxbSOTzyDM`qblu_4Fw37#Gx90sWX{$xeL*?GFEz*I4fg8bW^ z0JOdl>_WaBZTOg?aXnWuPM`o(ARMgB>7;Wi&`bwoMc}07(PexAojH45$^N|K++(lV z%oiY;Ih5__N}Q_#KxXd0C7Qf(5H%nrEezY^<)Kqg)BTo9PeeahroQ#ltgxblALT&| zVM4xQI=YT@6#_2v;FQ0y0aRm`bvE7dPil){KmN7ud_I7e9+fek$@0g6<7S3jCVO6| zwigLV(k^Q+)?byp6ql3?ajg6Am?ex4?17Sc5~2^K*vr>qHM|b#^u;(=*6yin)|GAq zAy()WC9kGkN&(ODwLV z8HB4W zRetNhBJ^ic0bXXoujl>8ZDjwqEB~WU{*Ug;PbMieUGV0Em!!z+$7%L)-xw~s=zo1DUa^@U!%^lC-Ay7cly-QR_{A#Q7h z{&_=urp+HIk?5jOts#(hdgQq?p4PbRCdj3c{%-B+%<(}zo^sfOA%h}?X0qpsYT?Y^jpa}Ny3XhQBtcZp)?OMmf!r$R5_-h!V5HgaY7MTqHnD|~^&!Ci8 zOUOmRMQguJfwv!;S9BDbwgu8Z4U1tMMC`-jpy9vZA<)m0J%Rx|EI*v-dvx+wB&kUW zLD~LIT6r|9|akA zWnF&;gKPxU83e?<|LTnQ6hLPXVSoJ{XM>~d$4L;eVdB|hQva~T5ReYQue{Ip`Gb(% zeeNxe2@H&d`MLdXPIrwk+htA8YchrfjJztcPaYZU6x zy`qf>scZg;y`WV@0Zkwj$;AIPC^$w;yATi%s87X3)W9>!%Npi}w2ISbAdOdz6Zi str: + """Get the Account ID. + + Returns: + str: Account ID + """ + client = boto3.client("sts") + return client.get_caller_identity()["Account"] + + +def get_document_hash(session: boto3.Session, region: str, document_name: str) -> str: + """ + Get the latest document hash for a given document name and region. + + Args: + session (boto3.session.Session): The AWS session object + region (str): The AWS region + document_name (str): The name of the SSM document + + Returns: + str: The latest document hash + """ + ssm_client = session.client("ssm", region_name=region, config=boto3_config) + response = ssm_client.describe_document(Name=document_name) + return response["Document"]["Hash"] + + +def create_maintenance_window_1(account_id: str, session: boto3.Session, region: str, params: dict) -> dict: + """Create windows patch maintenance window 1. 
+ + Args: + account_id (str): Account ID + session (boto3.Session): Boto3 Session + region (str): Region + params (dict): Parameters + + Returns: + dict: Maintenance Info Created + """ + LOGGER.info(f"Setting up Default Host Management and Creating a Maint Window for Window 1 in region {region}") + ssmclient = session.client("ssm", region_name=region, config=boto3_config) + ssmclient.update_service_setting( + SettingId="/ssm/managed-instance/default-ec2-instance-management-role", + SettingValue="service-role/AWSSystemsManagerDefaultEC2InstanceManagementRoleCustom", + ) + + maintenance_window_name = params["MAINTENANCE_WINDOW1_NAME"] + maintenance_window_description = params["MAINTENANCE_WINDOW1_DESCRIPTION"] + maintenance_window_schedule = params["MAINTENANCE_WINDOW1_SCHEDULE"] + maintenance_window_duration = int(params["MAINTENANCE_WINDOW1_DURATION"]) + maintenance_window_cutoff = int(params["MAINTENANCE_WINDOW1_CUTOFF"]) + maintenance_window_timezone = params["MAINTENANCE_WINDOW1_TIMEZONE"] + document_name = params["TASK1_RUN_COMMAND"] + document_hash = get_document_hash(session, region, document_name) + + maintenance_window = ssmclient.create_maintenance_window( + Name=maintenance_window_name, + Description=maintenance_window_description, + Schedule=maintenance_window_schedule, + Duration=maintenance_window_duration, + Cutoff=maintenance_window_cutoff, + ScheduleTimezone=maintenance_window_timezone, + AllowUnassociatedTargets=False, + Tags=[{"Key": "createdBy", "Value": "SRA_Patch_Management"}], + ) + return { + "region": region, + "window1Id": maintenance_window["WindowId"], + "account_id": account_id, + "document_hash": document_hash, + } + + +def create_maintenance_window_2(account_id: str, session: boto3.Session, region: str, params: dict) -> dict: + """Create windows patch scan maintenance window 2. 
+ + Args: + account_id (str): Account ID + session (boto3.Session): Boto3 Session + region (str): Region + params (dict): Parameters + + Returns: + dict: Maintenance Info Created + """ + LOGGER.info(f"Setting up Default Host Management and Creating a Maint Window for Window 2 in region {region}") + ssmclient = session.client("ssm", region_name=region, config=boto3_config) + ssmclient.update_service_setting( + SettingId="/ssm/managed-instance/default-ec2-instance-management-role", + SettingValue="service-role/AWSSystemsManagerDefaultEC2InstanceManagementRoleCustom", + ) + + maintenance_window_name = params["MAINTENANCE_WINDOW2_NAME"] + maintenance_window_description = params["MAINTENANCE_WINDOW2_DESCRIPTION"] + maintenance_window_schedule = params["MAINTENANCE_WINDOW2_SCHEDULE"] + maintenance_window_duration = int(params["MAINTENANCE_WINDOW2_DURATION"]) + maintenance_window_cutoff = int(params["MAINTENANCE_WINDOW2_CUTOFF"]) + maintenance_window_timezone = params["MAINTENANCE_WINDOW2_TIMEZONE"] + document_name = params["TASK2_RUN_COMMAND"] + document_hash = get_document_hash(session, region, document_name) + + maintenance_window = ssmclient.create_maintenance_window( + Name=maintenance_window_name, + Description=maintenance_window_description, + Schedule=maintenance_window_schedule, + Duration=maintenance_window_duration, + Cutoff=maintenance_window_cutoff, + ScheduleTimezone=maintenance_window_timezone, + AllowUnassociatedTargets=False, + Tags=[{"Key": "createdBy", "Value": "SRA_Patch_Management"}], + ) + return { + "region": region, + "window2Id": maintenance_window["WindowId"], + "account_id": account_id, + "document_hash": document_hash, + } + + +def create_maintenance_window_3(account_id: str, session: boto3.Session, region: str, params: dict) -> dict: + """Create Linux Patch Scan Window 3. 
+ + Args: + account_id (str): Account ID + session (boto3.Session): Boto3 Session + region (str): Region + params (dict): Parameters + + Returns: + dict: Maintenance Info Created + """ + LOGGER.info(f"Setting up Default Host Management and Creating a Maint Window for Window 3 in region {region}") + ssmclient = session.client("ssm", region_name=region, config=boto3_config) + ssmclient.update_service_setting( + SettingId="/ssm/managed-instance/default-ec2-instance-management-role", + SettingValue="service-role/AWSSystemsManagerDefaultEC2InstanceManagementRoleCustom", + ) + + maintenance_window_name = params["MAINTENANCE_WINDOW3_NAME"] + maintenance_window_description = params["MAINTENANCE_WINDOW3_DESCRIPTION"] + maintenance_window_schedule = params["MAINTENANCE_WINDOW3_SCHEDULE"] + maintenance_window_duration = int(params["MAINTENANCE_WINDOW3_DURATION"]) + maintenance_window_cutoff = int(params["MAINTENANCE_WINDOW3_CUTOFF"]) + maintenance_window_timezone = params["MAINTENANCE_WINDOW3_TIMEZONE"] + document_name = params["TASK3_RUN_COMMAND"] + document_hash = get_document_hash(session, region, document_name) + + maintenance_window = ssmclient.create_maintenance_window( + Name=maintenance_window_name, + Description=maintenance_window_description, + Schedule=maintenance_window_schedule, + Duration=maintenance_window_duration, + Cutoff=maintenance_window_cutoff, + ScheduleTimezone=maintenance_window_timezone, + AllowUnassociatedTargets=False, + Tags=[{"Key": "createdBy", "Value": "SRA_Patch_Management"}], + ) + return { + "region": region, + "window3Id": maintenance_window["WindowId"], + "account_id": account_id, + "document_hash": document_hash, + } + + +def create_maint_window(params: dict, account_id: str, regions: list) -> dict: + """Create all maintenance windows in all regions in an account. 
+ + Args: + params (dict): Parameters + account_id (str): Account ID + regions (list): Regions to do this in + + Returns: + dict: Maintenance Info Created + """ + session = common.assume_role( + params["ROLE_NAME_TO_ASSUME"], + "sra-patch-mgmt-lambda", + account_id, + ) + + window1_ids = [] + window2_ids = [] + window3_ids = [] + + for region in regions: + LOGGER.info(f"Creating Maintenance Windows in {account_id} account {region} region") + window1_ids.append(create_maintenance_window_1(account_id, session, region, params)) + window2_ids.append(create_maintenance_window_2(account_id, session, region, params)) + window3_ids.append(create_maintenance_window_3(account_id, session, region, params)) + + return {"window1_ids": window1_ids, "window2_ids": window2_ids, "window3_ids": window3_ids} + + +def define_mw_targets(params: dict, win1_id_resp: list, win2_id_resp: list, win3_id_resp: list, account_id: str) -> dict[str, list]: + """Define Maintenance Window Targets. + + Args: + params (dict): Cloudformation Params + win1_id_resp (list): Previous Window 1 IDs for the Targets + win2_id_resp (list): Previous Window 2 IDs for the Targets + win3_id_resp (list): Previous Window 3 IDs for the Targets + account_id (str): Account ID for the targets to live in + + Returns: + list[dict[str, Any]]: _description_ + """ + session = common.assume_role( + params["ROLE_NAME_TO_ASSUME"], + "sra-patch-mgmt-lambda", + account_id, + ) + window1_targets = [] + window2_targets = [] + window3_targets = [] + for response in win1_id_resp: + ssmclient = session.client("ssm", region_name=response["region"], config=boto3_config) + + # Window 1 + target_name = params["TARGET1_NAME"] + target_description = params["TARGET1_DESCRIPTION"] + target_key_value_1 = params["TARGET1_VALUE_1"] + target_key_value_2 = params["TARGET1_VALUE_2"] + LOGGER.info(f"Registering target in {response['region']} for '{target_name}' window (ID {response['window1Id']})") + maintenance_window_targets = 
ssmclient.register_target_with_maintenance_window( + Name=target_name, + Description=target_description, + WindowId=response["window1Id"], + ResourceType="INSTANCE", + Targets=[ + { + "Key": "tag:InstanceOS", + "Values": [ + target_key_value_1, + target_key_value_2, + ], + }, + ], + ) + window1_targets.append( + { + "region": response["region"], + "Window1TargetId": maintenance_window_targets["WindowTargetId"], + "window1Id": response["window1Id"], + "account_id": account_id, + } + ) + for response in win2_id_resp: + LOGGER.info(f"Maintenance Window Targets {response['region']}") + ssmclient = session.client("ssm", region_name=response["region"], config=boto3_config) + # Window 2 + target_name = params["TARGET2_NAME"] + target_description = params["TARGET2_DESCRIPTION"] + target_key_value_1 = params["TARGET2_VALUE_1"] + LOGGER.info(f"Registering target in {response['region']} for '{target_name}' window (ID {response['window2Id']})") + + maintenance_window_targets = ssmclient.register_target_with_maintenance_window( + Name=target_name, + Description=target_description, + WindowId=response["window2Id"], + ResourceType="INSTANCE", + Targets=[ + { + "Key": "tag:InstanceOS", + "Values": [target_key_value_1], + }, + ], + ) + window2_targets.append( + { + "region": response["region"], + "Window2TargetId": maintenance_window_targets["WindowTargetId"], + "window2Id": response["window2Id"], + "account_id": account_id, + } + ) + for response in win3_id_resp: + # Window 3 + target_name = params["TARGET3_NAME"] + target_description = params["TARGET3_DESCRIPTION"] + target_key_value_1 = params["TARGET3_VALUE_1"] + ssmclient = session.client("ssm", region_name=response["region"], config=boto3_config) + LOGGER.info(f"Registering target in {response['region']} for '{target_name}' window (ID {response['window3Id']})") + + maintenance_window_targets = ssmclient.register_target_with_maintenance_window( + Name=target_name, + Description=target_description, + 
WindowId=response["window3Id"], + ResourceType="INSTANCE", + Targets=[ + { + "Key": "tag:InstanceOS", + "Values": [target_key_value_1], + }, + ], + ) + window3_targets.append( + { + "region": response["region"], + "Window3TargetId": maintenance_window_targets["WindowTargetId"], + "window3Id": response["window3Id"], + "account_id": account_id, + } + ) + return {"window1_targets": window1_targets, "window2_targets": window2_targets, "window3_targets": window3_targets} + + +def manage_task_params( + task_operation: str | None, task_name: str, document_hash: str, task_reboot_option: str | None +) -> MaintenanceWindowTaskInvocationParametersTypeDef: + """Manage task parameters. + + Args: + task_operation (str | None): The task operation + task_name (str): The task name + document_hash (str): The document hash + task_reboot_option (str | None): The task reboot option + + Returns: + MaintenanceWindowTaskInvocationParametersTypeDef: The response from the register_task_with_maintenance_window API call + """ + if task_operation is None and task_reboot_option is None: + no_param_response: MaintenanceWindowTaskInvocationParametersTypeDef = { + "RunCommand": { + "Parameters": {}, + "DocumentVersion": "$DEFAULT", + "TimeoutSeconds": 3600, + "Comment": f"Run {task_operation} for {task_name}", + "DocumentHash": document_hash, + "DocumentHashType": "Sha256", + }, + } + return no_param_response + task_operation_final: str = "INVALID_TASK_OPERATION_PROVIDED" if task_operation is None else task_operation + task_reboot_option_final: str = "INVALID_TASK_REBOOT_OPTION_PROVIDED" if task_reboot_option is None else task_reboot_option + with_params_response: MaintenanceWindowTaskInvocationParametersTypeDef = { + "RunCommand": { + "Parameters": { + "Operation": [task_operation_final], + "RebootOption": [task_reboot_option_final], + }, + "DocumentVersion": "$DEFAULT", + "TimeoutSeconds": 3600, + "Comment": f"Run {task_operation} for {task_name}", + "DocumentHash": document_hash, + 
"DocumentHashType": "Sha256", + }, + } + return with_params_response + + +def register_task( + session: boto3.Session, + response: dict, + window_id: str, + account_id: str, + window_target_id: str, + task_details: dict, + document_hash: str, +) -> RegisterTaskWithMaintenanceWindowResultTypeDef: # noqa: DAR203, DAR103 + """Register task with maintenance window. + + Args: + session (boto3.Session): The Session + response (dict): The response from maintenance windows + window_id (str): The ID of the maintenance window + account_id (str): The Account ID + window_target_id (str): The ID of the maintenance window target + task_details (dict): The task details + document_hash (str): The hash of the SSM document + + Returns: + RegisterTaskWithMaintenanceWindowResultTypeDef: The response from the register_task_with_maintenance_window API call + """ + task_name = task_details["name"] + task_description = task_details["description"] + task_run_command = task_details["run_command"] + task_operation = task_details["operation"] + task_reboot_option = task_details["reboot_option"] + + ssmclient = session.client("ssm", region_name=response["region"], config=boto3_config) + task_params: MaintenanceWindowTaskInvocationParametersTypeDef = manage_task_params(task_operation, task_name, document_hash, task_reboot_option) + target_type: TargetTypeDef = { + "Key": "WindowTargetIds", + "Values": [window_target_id], + } + return ssmclient.register_task_with_maintenance_window( + Name=task_name, + Description=task_description, + WindowId=window_id, + Targets=[target_type], + TaskArn=task_run_command, + TaskType="RUN_COMMAND", + Priority=1, + ServiceRoleArn=f"arn:aws:iam::{account_id}:role/sra-patch-mgmt-automation", + CutoffBehavior="CONTINUE_TASK", + MaxConcurrency="100", + MaxErrors="1", + TaskInvocationParameters=task_params, + ) + + +def register_window_tasks( + session: boto3.Session, + window_id_response: dict, + window_target_response: dict, + account_id: str, + window_num: int, + 
task_details: Dict[str, str | None], +) -> List[Dict[str, str]]: + """Register tasks for a specific maintenance window. + + Args: + session (boto3.Session): The AWS session object. + window_id_response (dict): The Window IDs we made. + window_target_response (dict): The window Targets we made. + account_id (str): The Account #. + window_num (int): The window number (1, 2, or 3). + task_details (Dict[str, str | None]): The task details. + + Returns: + List[Dict[str, str]]: A list of window tasks created. + """ + window_tasks: List[Dict[str, str]] = [] + window_id_key = f"window{window_num}_ids" + window_target_key = f"window{window_num}_targets" + + for response in window_id_response[window_id_key]: + LOGGER.info(f"Maintenance Window Tasks in {response['region']}") + for response2 in window_target_response[window_target_key]: + if response2["region"] == response["region"]: + task_response = register_task( + session, + response, + response[f"window{window_num}Id"], + account_id, + response2[f"Window{window_num}TargetId"], + task_details, + response["document_hash"], + ) + window_tasks.append( + { + "region": response["region"], + f"window{window_num}Id": response[f"window{window_num}Id"], + "windowTaskId": task_response["WindowTaskId"], + "account_id": account_id, + } + ) + + return window_tasks + + +def def_mw_tasks( + params: dict, + window_id_response: dict, + window_target_response: dict, + account_id: str, +) -> dict: + """Define maintenance window tasks. 
+ + Args: + params (dict): Parameters CFN + window_id_response (dict): The Window IDs we made + window_target_response (dict): The window Targets we made + account_id (str): The Account # + + Returns: + dict: Window Tasks Created Information + """ + session = common.assume_role( + params["ROLE_NAME_TO_ASSUME"], + "sra-patch-mgmt-lambda", + account_id, + ) + + window1_tasks = register_window_tasks( + session, + window_id_response, + window_target_response, + account_id, + 1, + { + "name": params["TASK1_NAME"], + "description": params["TASK1_DESCRIPTION"], + "run_command": params["TASK1_RUN_COMMAND"], + "operation": None, + "reboot_option": None, + }, + ) + + window2_tasks = register_window_tasks( + session, + window_id_response, + window_target_response, + account_id, + 2, + { + "name": params["TASK2_NAME"], + "description": params["TASK2_DESCRIPTION"], + "run_command": params["TASK2_RUN_COMMAND"], + "operation": params["TASK2_OPERATION"], + "reboot_option": params["TASK2_REBOOTOPTION"], + }, + ) + + window3_tasks = register_window_tasks( + session, + window_id_response, + window_target_response, + account_id, + 3, + { + "name": params["TASK3_NAME"], + "description": params["TASK3_DESCRIPTION"], + "run_command": params["TASK3_RUN_COMMAND"], + "operation": params["TASK3_OPERATION"], + "reboot_option": params["TASK3_REBOOTOPTION"], + }, + ) + + return { + "window1_tasks": window1_tasks, + "window2_tasks": window2_tasks, + "window3_tasks": window3_tasks, + } + + +def parameter_pattern_validator(parameter_name: str, parameter_value: str, pattern: str) -> None: + """Validate CloudFormation Custom Resource Parameters. + + Args: + parameter_name: CloudFormation custom resource parameter name + parameter_value: CloudFormation custom resource parameter value + pattern: REGEX pattern to validate against. 
+ + Raises: + ValueError: Parameter does not follow the allowed pattern + """ + if not parameter_value: + raise ValueError(f"'{parameter_name}' parameter is missing.") + elif not re.match(pattern, parameter_value): + raise ValueError(f"'{parameter_name}' parameter with value of '{parameter_value}' does not follow the allowed pattern: {pattern}.") + + +def process_create_update_event(params: dict, regions: list) -> Dict: + """Process create update events. + + Args: + params (dict): Cloudformation Params + regions (list): Regions to perform our work in. + + Returns: + Dict: Dictionary of Window IDs, Targets, and Tasks + """ + account_ids = common.get_account_ids([], params["DELEGATED_ADMIN_ACCOUNT_ID"]) + all_window_ids = [] + all_window_targets = [] + all_window_tasks = [] + if (params.get("DISABLE_PATCHMGMT", "false")).lower() in "true" and params["action"] == "Update": + LOGGER.info("Deleting Maintenance Windows and Default Host Management Configuration...") + patchmgmt.disable_patchmgmt(params, boto3_config) + + else: + for account_id in account_ids: + window_ids_raw = create_maint_window(params, account_id, regions) + all_window_ids.append(window_ids_raw["window1_ids"]) + all_window_ids.append(window_ids_raw["window2_ids"]) + all_window_ids.append(window_ids_raw["window3_ids"]) + window_target_response = define_mw_targets( + params, window_ids_raw["window1_ids"], window_ids_raw["window2_ids"], window_ids_raw["window3_ids"], account_id + ) + all_window_targets.append(window_target_response) + all_window_tasks.append(def_mw_tasks(params, window_ids_raw, window_target_response, account_id)) + return {"window_ids": all_window_ids, "window_targets": all_window_targets, "window_tasks": all_window_tasks} + + +def process_account(account_id: str, params: dict, regions: list) -> Dict: + """Process create event on Organizations event trigger. 
+ + Args: + account_id (str): AWS account id + params (dict): Cloudformation Params + regions (list): Regions to perform our work in. + + Returns: + Dict: Dictionary of Window IDs, Targets, and Tasks + """ + all_window_ids = [] + all_window_targets = [] + all_window_tasks = [] + + window_ids_raw = create_maint_window(params, account_id, regions) + all_window_ids.append(window_ids_raw["window1_ids"]) + all_window_ids.append(window_ids_raw["window2_ids"]) + all_window_ids.append(window_ids_raw["window3_ids"]) + window_target_response = define_mw_targets( + params, window_ids_raw["window1_ids"], window_ids_raw["window2_ids"], window_ids_raw["window3_ids"], account_id + ) + all_window_targets.append(window_target_response) + all_window_tasks.append(def_mw_tasks(params, window_ids_raw, window_target_response, account_id)) + return {"window_ids": all_window_ids, "window_targets": all_window_targets, "window_tasks": all_window_tasks} + + +def check_and_update_maintenance_window(params: dict, regions: list, account_id: str) -> None: + """ + Check if a maintenance window with the same name already exists, and update it if necessary. + + Args: + params (dict): CloudFormation parameters + regions (list): List of AWS regions + account_id (str): AWS account ID + """ + session = common.assume_role( + params["ROLE_NAME_TO_ASSUME"], + "sra-patch-mgmt-lambda", + account_id, + ) + for region in regions: + ssmclient = session.client("ssm", region_name=region, config=boto3_config) + + # Check if Window 1 exists + window1_name = params["MAINTENANCE_WINDOW1_NAME"] + existing_window1 = ssmclient.describe_maintenance_windows(Filters=[{"Key": "Name", "Values": [window1_name]}]) + if existing_window1["WindowIdentities"]: + window1_id = existing_window1["WindowIdentities"][0]["WindowId"] + LOGGER.info(f"Maintenance window '{window1_name}' already exists in {account_id}/{region} with ID {window1_id}. 
Updating...") + update_maintenance_window(ssmclient, window1_id, params, "MAINTENANCE_WINDOW1") + else: + LOGGER.info(f"Maintenance window '{window1_name}' does not exist in {account_id}/{region}. Creating...") + process_account(account_id, params, [region]) + + # Check if Window 2 exists + window2_name = params["MAINTENANCE_WINDOW2_NAME"] + existing_window2 = ssmclient.describe_maintenance_windows(Filters=[{"Key": "Name", "Values": [window2_name]}]) + if existing_window2["WindowIdentities"]: + window2_id = existing_window2["WindowIdentities"][0]["WindowId"] + LOGGER.info(f"Maintenance window '{window2_name}' already exists in {account_id}/{region} with ID {window2_id}. Updating...") + update_maintenance_window(ssmclient, window2_id, params, "MAINTENANCE_WINDOW2") + else: + LOGGER.info(f"Maintenance window '{window2_name}' does not exist in {account_id}/{region}. Creating...") + process_account(account_id, params, [region]) + + # Check if Window 3 exists + window3_name = params["MAINTENANCE_WINDOW3_NAME"] + existing_window3 = ssmclient.describe_maintenance_windows(Filters=[{"Key": "Name", "Values": [window3_name]}]) + if existing_window3["WindowIdentities"]: + window3_id = existing_window3["WindowIdentities"][0]["WindowId"] + LOGGER.info(f"Maintenance window '{window3_name}' already exists in {account_id}/{region} with ID {window3_id}. Updating...") + update_maintenance_window(ssmclient, window3_id, params, "MAINTENANCE_WINDOW3") + else: + LOGGER.info(f"Maintenance window '{window3_name}' does not exist in {account_id}/{region}. Creating...") + process_account(account_id, params, [region]) + + +def update_maintenance_window(ssmclient: SSMClient, window_id: str, params: dict, window_prefix: str) -> None: + """ + Update an existing maintenance window with the provided parameters. 
+ + Args: + ssmclient (SSMClient): AWS Systems Manager client + window_id (str): ID of the maintenance window to update + params (dict): CloudFormation parameters + window_prefix (str): Prefix for the maintenance window parameters (e.g., "MAINTENANCE_WINDOW1") + """ + window_name: str = params[f"{window_prefix}_NAME"] + window_description: str = params[f"{window_prefix}_DESCRIPTION"] + window_schedule: str = params[f"{window_prefix}_SCHEDULE"] + window_duration = int(params[f"{window_prefix}_DURATION"]) + window_cutoff = int(params[f"{window_prefix}_CUTOFF"]) + window_timezone = params[f"{window_prefix}_TIMEZONE"] + + ssmclient.update_maintenance_window( + WindowId=window_id, + Name=window_name, + Description=window_description, + Schedule=window_schedule, + Duration=window_duration, + Cutoff=window_cutoff, + ScheduleTimezone=window_timezone, + AllowUnassociatedTargets=False, + ) + + +def get_validated_parameters(event: Dict[str, Any]) -> dict: # noqa: CCR001, CFQ001 + """Validate AWS CloudFormation parameters. 
+ + Args: + event (Dict[str, Any]): event data + + Returns: + dict: Validated Parameters + + """ + params = event["ResourceProperties"].copy() + actions = {"Create": "Add", "Update": "Update", "Delete": "Remove"} + params["action"] = actions[event["RequestType"]] + + # Validate parameters based on patterns + true_false_pattern = r"(?i)^true|false$" + text_pattern = r"^[a-zA-Z0-9-_\s]{3,128}$" + cron_pattern = r"^(rate\(((1 (hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*(\d+)\s+(\d+)\s+(\d+)\s+\?\s+\*\s+(MON|TUE|WED|THU|FRI|SAT|SUN)*\s*\*\))$" # noqa: E501, B950 + + parameter_pattern_validator("CONTROL_TOWER_REGIONS_ONLY", params.get("CONTROL_TOWER_REGIONS_ONLY", ""), pattern=true_false_pattern) + parameter_pattern_validator("DELEGATED_ADMIN_ACCOUNT_ID", params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""), pattern=r"^\d{12}$") + parameter_pattern_validator("ROLE_NAME_TO_ASSUME", params.get("ROLE_NAME_TO_ASSUME", ""), pattern=r"^[\w+=,.@-]{1,64}$") + parameter_pattern_validator("MANAGEMENT_ACCOUNT_ID", params.get("MANAGEMENT_ACCOUNT_ID", ""), pattern=r"^\d{12}$") + parameter_pattern_validator("MAINTENANCE_WINDOW1_NAME", params.get("MAINTENANCE_WINDOW1_NAME", ""), pattern=text_pattern) + parameter_pattern_validator("MAINTENANCE_WINDOW2_NAME", params.get("MAINTENANCE_WINDOW2_NAME", ""), pattern=text_pattern) + parameter_pattern_validator("MAINTENANCE_WINDOW3_NAME", params.get("MAINTENANCE_WINDOW3_NAME", ""), pattern=text_pattern) + parameter_pattern_validator("MAINTENANCE_WINDOW1_DESCRIPTION", params.get("MAINTENANCE_WINDOW1_DESCRIPTION", ""), pattern=text_pattern) + parameter_pattern_validator("MAINTENANCE_WINDOW2_DESCRIPTION", params.get("MAINTENANCE_WINDOW2_DESCRIPTION", ""), pattern=text_pattern) + parameter_pattern_validator("MAINTENANCE_WINDOW3_DESCRIPTION", params.get("MAINTENANCE_WINDOW3_DESCRIPTION", ""), pattern=text_pattern) + parameter_pattern_validator("MAINTENANCE_WINDOW1_SCHEDULE", params.get("MAINTENANCE_WINDOW1_SCHEDULE", ""), 
pattern=cron_pattern) + parameter_pattern_validator("MAINTENANCE_WINDOW2_SCHEDULE", params.get("MAINTENANCE_WINDOW2_SCHEDULE", ""), pattern=cron_pattern) + parameter_pattern_validator("MAINTENANCE_WINDOW3_SCHEDULE", params.get("MAINTENANCE_WINDOW3_SCHEDULE", ""), pattern=cron_pattern) + parameter_pattern_validator("MAINTENANCE_WINDOW1_DURATION", params.get("MAINTENANCE_WINDOW1_DURATION", ""), pattern=r"^(1[0-9]|2[0-4]|[1-9])$") + parameter_pattern_validator("MAINTENANCE_WINDOW2_DURATION", params.get("MAINTENANCE_WINDOW2_DURATION", ""), pattern=r"^(1[0-9]|2[0-4]|[1-9])$") + parameter_pattern_validator("MAINTENANCE_WINDOW3_DURATION", params.get("MAINTENANCE_WINDOW3_DURATION", ""), pattern=r"^(1[0-9]|2[0-4]|[1-9])$") + parameter_pattern_validator("MAINTENANCE_WINDOW1_CUTOFF", params.get("MAINTENANCE_WINDOW1_CUTOFF", ""), pattern=r"^([0-9]|1[0-9]|2[0-3])$") + parameter_pattern_validator("MAINTENANCE_WINDOW2_CUTOFF", params.get("MAINTENANCE_WINDOW2_CUTOFF", ""), pattern=r"^([0-9]|1[0-9]|2[0-3])$") + parameter_pattern_validator("MAINTENANCE_WINDOW3_CUTOFF", params.get("MAINTENANCE_WINDOW3_CUTOFF", ""), pattern=r"^([0-9]|1[0-9]|2[0-3])$") + parameter_pattern_validator("MAINTENANCE_WINDOW1_TIMEZONE", params.get("MAINTENANCE_WINDOW1_TIMEZONE", ""), pattern=r"^[a-zA-Z]+(/[a-zA-Z_]+)+$") + parameter_pattern_validator("MAINTENANCE_WINDOW2_TIMEZONE", params.get("MAINTENANCE_WINDOW2_TIMEZONE", ""), pattern=r"^[a-zA-Z]+(/[a-zA-Z_]+)+$") + parameter_pattern_validator("MAINTENANCE_WINDOW3_TIMEZONE", params.get("MAINTENANCE_WINDOW3_TIMEZONE", ""), pattern=r"^[a-zA-Z]+(/[a-zA-Z_]+)+$") + parameter_pattern_validator("TASK1_NAME", params.get("TASK1_NAME", ""), pattern=text_pattern) + parameter_pattern_validator("TASK2_NAME", params.get("TASK2_NAME", ""), pattern=text_pattern) + parameter_pattern_validator("TASK3_NAME", params.get("TASK3_NAME", ""), pattern=text_pattern) + parameter_pattern_validator("TASK1_DESCRIPTION", params.get("TASK1_DESCRIPTION", ""), pattern=text_pattern) + 
parameter_pattern_validator("TASK2_DESCRIPTION", params.get("TASK2_DESCRIPTION", ""), pattern=text_pattern) + parameter_pattern_validator("TASK3_DESCRIPTION", params.get("TASK3_DESCRIPTION", ""), pattern=text_pattern) + parameter_pattern_validator("TASK1_RUN_COMMAND", params.get("TASK1_RUN_COMMAND", ""), pattern=r"^AWS-UpdateSSMAgent$") + parameter_pattern_validator("TASK2_RUN_COMMAND", params.get("TASK2_RUN_COMMAND", ""), pattern=r"^AWS-RunPatchBaseline$") + parameter_pattern_validator("TASK3_RUN_COMMAND", params.get("TASK3_RUN_COMMAND", ""), pattern=r"^AWS-RunPatchBaseline$") + parameter_pattern_validator("TARGET1_NAME", params.get("TARGET1_NAME", ""), pattern=text_pattern) + parameter_pattern_validator("TARGET2_NAME", params.get("TARGET2_NAME", ""), pattern=text_pattern) + parameter_pattern_validator("TARGET3_NAME", params.get("TARGET3_NAME", ""), pattern=text_pattern) + parameter_pattern_validator("TARGET1_DESCRIPTION", params.get("TARGET1_DESCRIPTION", ""), pattern=text_pattern) + parameter_pattern_validator("TARGET2_DESCRIPTION", params.get("TARGET2_DESCRIPTION", ""), pattern=text_pattern) + parameter_pattern_validator("TARGET3_DESCRIPTION", params.get("TARGET3_DESCRIPTION", ""), pattern=text_pattern) + parameter_pattern_validator("TARGET1_VALUE_1", params.get("TARGET1_VALUE_1", ""), pattern=r"^Linux$") + parameter_pattern_validator("TARGET1_VALUE_2", params.get("TARGET1_VALUE_2", ""), pattern=r"^Windows$") + parameter_pattern_validator("TARGET2_VALUE_1", params.get("TARGET2_VALUE_1", ""), pattern=r"^Windows$") + parameter_pattern_validator("TARGET3_VALUE_1", params.get("TARGET3_VALUE_1", ""), pattern=r"^Linux$") + parameter_pattern_validator("DISABLE_PATCHMGMT", params.get("DISABLE_PATCHMGMT", ""), pattern=true_false_pattern) + + return params + + +@helper.create +@helper.update +def process_cloudformation_event(event: CloudFormationCustomResourceEvent, context: Context) -> str: + """Process Event from AWS CloudFormation. 
+ + Args: + event: event data + context: runtime information + + Returns: + AWS CloudFormation physical resource id + """ + request_type = event["RequestType"] + if request_type.isalnum(): + LOGGER.info(f"{request_type} Event") + LOGGER.debug(f"Lambda Context: {context}") + + params = get_validated_parameters({"RequestType": event["RequestType"], "ResourceProperties": event["ResourceProperties"]}) + regions = common.get_enabled_regions( + params.get("ENABLED_REGIONS", ""), + (params.get("CONTROL_TOWER_REGIONS_ONLY", "false")).lower() in "true", + ) + account_id = params["DELEGATED_ADMIN_ACCOUNT_ID"] + + # Check and update existing maintenance windows + if params["action"] == "Update": + account_ids = common.get_account_ids([], params["DELEGATED_ADMIN_ACCOUNT_ID"]) + + if (params.get("DISABLE_PATCHMGMT", "false")).lower() in "true" and params["action"] == "Update": + LOGGER.info("Deleting Maintenance Windows and Default Host Management Configuration...") + patchmgmt.disable_patchmgmt(params, boto3_config) + else: + for account in account_ids: + check_and_update_maintenance_window(params, regions, account) + + if params["action"] == "Add": + process_create_update_event(params, regions) + + return f"sra-patch_mgmt-{account_id}" + + +@helper.delete +def process_cloudformation_delete_event(event: CloudFormationCustomResourceEvent, context: Context) -> str: + """Process delete event from AWS CloudFormation. 
+ + Args: + event: event data + context: runtime information + + Returns: + AWS CloudFormation physical resource id + """ + request_type = event["RequestType"] + if request_type.isalnum(): + LOGGER.info(f"{request_type} Event") + LOGGER.debug(f"Lambda Context: {context}") + + params = get_validated_parameters({"RequestType": event["RequestType"], "ResourceProperties": event["ResourceProperties"]}) + account_id = params["DELEGATED_ADMIN_ACCOUNT_ID"] + + if params["action"] == "Remove": + patchmgmt.cleanup_patchmgmt(params, boto3_config) + + return f"sra-patch_mgmt-{account_id}" + + +def process_event(event: dict) -> None: + """Process Event. + + Args: + event: event data + """ + event_info = {"Event": event} + LOGGER.info(event_info) + params = get_validated_parameters({"RequestType": "Update", "ResourceProperties": os.environ}) + + regions = common.get_enabled_regions(params["ENABLED_REGIONS"], params["CONTROL_TOWER_REGIONS_ONLY"] == "true") + account_ids = common.get_account_ids([], params["DELEGATED_ADMIN_ACCOUNT_ID"]) + for account in account_ids: + check_and_update_maintenance_window(params, regions, account) + + +def process_event_organizations(event: dict) -> None: + """Process Event from AWS Organizations. 
+ + Args: + event: event data + """ + event_info = {"Event": event} + LOGGER.info(event_info) + params = get_validated_parameters({"RequestType": "Create", "ResourceProperties": os.environ}) + regions = common.get_enabled_regions(params["ENABLED_REGIONS"], params["CONTROL_TOWER_REGIONS_ONLY"] == "true") + + if event["detail"]["eventName"] == "AcceptHandshake" and event["detail"]["responseElements"]["handshake"]["state"] == "ACCEPTED": + for party in event["detail"]["responseElements"]["handshake"]["parties"]: + if party["type"] == "ACCOUNT": + aws_account_id = party["id"] + process_account(aws_account_id, params, regions) + break + elif event["detail"]["eventName"] == "CreateAccountResult": + aws_account_id = event["detail"]["serviceEventDetails"]["createAccountStatus"]["accountId"] + process_account(aws_account_id, params, regions) + else: + LOGGER.info("Organization event does not match expected values.") + + +def orchestrator(event: Dict[str, Any], context: Any) -> None: + """Orchestration. + + Args: + event: event data + context: runtime information + """ + if event.get("RequestType"): + LOGGER.info("...calling helper...") + helper(event, context) + elif event.get("source") == "aws.organizations": + process_event_organizations(event) + else: + LOGGER.info("...else...just calling process_event...") + process_event(event) + + +def lambda_handler(event: Dict[str, Any], context: Context) -> None: + """Lambda Handler. + + Args: + event: event data + context: runtime information + + Returns: + Response is Handled by CR Helper + + Raises: + ValueError: Unexpected error executing Lambda function + """ + LOGGER.info("....Lambda Handler Started....") + boto3_version = boto3.__version__ + LOGGER.info(f"boto3 version: {boto3_version}") + event_info = {"Event": event} + LOGGER.info(event_info) + try: + orchestrator(event, context) + except Exception: + LOGGER.exception(UNEXPECTED) + raise ValueError(f"Unexpected error executing Lambda function. 
Review CloudWatch logs ({context.log_group_name}) for details.") from None diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/common.py b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/common.py new file mode 100644 index 00000000..5dd51a22 --- /dev/null +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/common.py 
@@ -0,0 +1,212 @@ +"""This script includes common functions. + +Version: 1.0 + +Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +SPDX-License-Identifier: MIT-0 +""" + +from __future__ import annotations + +import logging +import os +from time import sleep +from typing import TYPE_CHECKING + +import boto3 +from botocore.config import Config +from botocore.exceptions import ClientError + +if TYPE_CHECKING: + from mypy_boto3_iam.client import IAMClient + from mypy_boto3_organizations import OrganizationsClient + from mypy_boto3_ssm.client import SSMClient + from mypy_boto3_sts.client import STSClient + +# Setup Default Logger +LOGGER = logging.getLogger("sra") +log_level = os.environ.get("LOG_LEVEL", logging.INFO) +LOGGER.setLevel(log_level) + +# Global variables +CLOUDFORMATION_PAGE_SIZE = 20 +CLOUDFORMATION_THROTTLE_PERIOD = 0.2 +ORG_PAGE_SIZE = 20 # Max page size for list_accounts +ORG_THROTTLE_PERIOD = 0.2 +boto3_config = Config(retries={"max_attempts": 10, "mode": "standard"}) +UNEXPECTED = "Unexpected!" + + +try: + MANAGEMENT_ACCOUNT_SESSION = boto3.Session() + SSM_CLIENT: SSMClient = MANAGEMENT_ACCOUNT_SESSION.client("ssm") +except Exception: + LOGGER.exception(UNEXPECTED) + raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None + + +def assume_role(role: str, role_session_name: str, account: str) -> boto3.Session: + """Assume a Role in an Account. + + Args: + role (str): Role + role_session_name (str): Name for Role Session + account (str): Account ID to assume role in + + Returns: + boto3.Session: Assumes the provided role in the given account and returns a session. 
+ """ + session = boto3.Session() + sts_client: STSClient = session.client("sts", config=boto3_config) + sts_arn = sts_client.get_caller_identity()["Arn"] + LOGGER.info(f"USER: {sts_arn}") + if not account: + account = sts_arn.split(":")[4] + partition = sts_arn.split(":")[1] + role_arn = f"arn:{partition}:iam::{account}:role/{role}" + + response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=role_session_name) + LOGGER.info(f"ASSUMED ROLE: {response['AssumedRoleUser']['Arn']}") + return boto3.Session( + aws_access_key_id=response["Credentials"]["AccessKeyId"], + aws_secret_access_key=response["Credentials"]["SecretAccessKey"], + aws_session_token=response["Credentials"]["SessionToken"], + ) + + +def get_all_organization_accounts(exclude_accounts: list) -> list: + """Get all the active AWS Organization accounts. + + Args: + exclude_accounts: list of account IDs to exclude + + Returns: + List of active account IDs + """ + if exclude_accounts is None: + exclude_accounts = ["00000000000"] + accounts = [] + management_account_session = boto3.Session() + org_client: OrganizationsClient = management_account_session.client("organizations", config=boto3_config) + paginator = org_client.get_paginator("list_accounts") + + for page in paginator.paginate(PaginationConfig={"PageSize": ORG_PAGE_SIZE}): + for acct in page["Accounts"]: + if acct["Status"] == "ACTIVE" and acct["Id"] not in exclude_accounts: # Store active accounts in a dict + account_record = {"AccountId": acct["Id"], "Email": acct["Email"]} + accounts.append(account_record) + sleep(ORG_THROTTLE_PERIOD) + + return accounts + + +def get_account_ids(accounts: list, exclude_accounts: list) -> list: + """Get Account IDs from account list dictionary. + + Args: + accounts: List of accounts. {'AccountId': '', 'Email': ''} + exclude_accounts: List of account IDs to exclude. 
+ + Returns: + Account ID list of strings + """ + account_ids: list[str] = [] + if not accounts: + accounts = get_all_organization_accounts(exclude_accounts) + + for account in accounts: + account_ids.append(account["AccountId"]) + return account_ids + + +def get_control_tower_regions() -> list: # noqa: CCR001 + """Query SSM Parameter Store to identify customer regions. + + Returns: + Customer regions chosen in Control Tower + """ + customer_regions = [] + ssm_response = SSM_CLIENT.get_parameter(Name="/sra/regions/customer-control-tower-regions") + customer_regions = ssm_response["Parameter"]["Value"].split(",") + return list(customer_regions) + + +def get_enabled_regions(customer_regions: str, control_tower_regions_only: bool = False) -> list: # noqa: CCR001 + """Query STS to identify enabled regions. + + Args: + customer_regions: customer provided comma delimited string of regions + control_tower_regions_only: Use the Control Tower governed regions. Defaults to False. + + Returns: + Enabled regions + """ + if customer_regions.strip(): + LOGGER.debug(f"CUSTOMER PROVIDED REGIONS: {str(customer_regions)}") + region_list = [value.strip() for value in customer_regions.split(",") if value != ""] + elif control_tower_regions_only: + region_list = get_control_tower_regions() + else: + default_available_regions = [ + "ap-northeast-1", + "ap-northeast-2", + "ap-northeast-3", + "ap-south-1", + "ap-southeast-1", + "ap-southeast-2", + "ca-central-1", + "eu-central-1", + "eu-north-1", + "eu-west-1", + "eu-west-2", + "eu-west-3", + "sa-east-1", + "us-east-1", + "us-east-2", + "us-west-1", + "us-west-2", + ] + LOGGER.info({"Default_Available_Regions": default_available_regions}) + region_list = default_available_regions + + enabled_regions = [] + disabled_regions = [] + invalid_regions = [] + region_session = boto3.Session() + for region in region_list: + try: + sts_client = region_session.client( + "sts", + endpoint_url=f"https://sts.{region}.amazonaws.com", + 
region_name=region, + config=boto3_config, + ) + sts_client.get_caller_identity() + enabled_regions.append(region) + except ClientError as error: + if error.response["Error"]["Code"] == "InvalidClientTokenId": + disabled_regions.append(region) + LOGGER.error(f"Error {error.response['Error']} occurred testing region {region}") + except Exception as error: + if "Could not connect to the endpoint URL" in str(error): + invalid_regions.append(region) + LOGGER.error(f"Region: '{region}' is not valid") + LOGGER.error(f"{error}") + LOGGER.info({"Disabled_Regions": disabled_regions}) + LOGGER.info({"Invalid_Regions": invalid_regions}) + return enabled_regions + + +def create_service_linked_role(service_linked_role_name: str, service_name: str, description: str = "") -> None: + """Create the service linked role, if it does not exist. + + Args: + service_linked_role_name: Service Linked Role Name + service_name: AWS Service Name + description: Description + """ + iam_client: IAMClient = boto3.client("iam", config=boto3_config) + try: + iam_client.get_role(RoleName=service_linked_role_name) + except iam_client.exceptions.NoSuchEntityException: + iam_client.create_service_linked_role(AWSServiceName=service_name, Description=description) diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/patchmgmt.py b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/patchmgmt.py new file mode 100644 index 00000000..0ed6895e --- /dev/null +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/patchmgmt.py 
@@ -0,0 +1,140 @@ +"""This script provides logic for removing Maintenance Windows with tag 'createdBy' with a value of 'SRA_Patch_Management. + +Version: 1.0 + +'patch_mgmt' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + +Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +SPDX-License-Identifier: MIT-0 +""" + +from __future__ import annotations + +import logging +import os +from typing import TYPE_CHECKING + +import boto3 +import common +from botocore.config import Config +from botocore.exceptions import ClientError + +if TYPE_CHECKING: + from mypy_boto3_ssm.client import SSMClient + +# Setup Default Logger +LOGGER = logging.getLogger("sra") +log_level: str = os.environ.get("LOG_LEVEL", "ERROR") +LOGGER.setLevel(log_level) +boto3_config = Config(retries={"max_attempts": 10, "mode": "standard"}) + +try: + MANAGEMENT_ACCOUNT_SESSION = boto3.Session() + SSM_CLIENT: SSMClient = MANAGEMENT_ACCOUNT_SESSION.client("ssm") +except Exception: + LOGGER.exception("UNEXPECTED") + raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None + + +def delete_window_with_sratag(ssmclient: SSMClient, response: dict) -> bool: + """Delete Maintenance Windows with tag 'createdBy' with a value of 'SRA_Patch_Management. 
+ + Args: + ssmclient (SSMClient): Boto3 Client + response (dict): Describe Maintenance Windows response + + Returns: + Boolean of success or failure + """ + for window in response["WindowIdentities"]: + response2 = ssmclient.list_tags_for_resource(ResourceType="MaintenanceWindow", ResourceId=window["WindowId"]) + # For tag in tag list then check if the tag is 'createdBy' and if it is then delete the window + for tag in response2["TagList"]: + if tag["Key"] == "createdBy" and tag["Value"] == "SRA_Patch_Management": + ssmclient.delete_maintenance_window(WindowId=window["WindowId"]) + LOGGER.info(f"Deleted Maintenance Window {window['Name']} with ID {window['WindowId']}") + break + return True + + +def delete_default_host_mgmt(ssmclient: SSMClient) -> None: + """Delete Default Host Management Configuration. + + Args: + ssmclient (SSMClient): boto3 client + """ + setting_id = "/ssm/managed-instance/default-ec2-instance-management-role" + try: + ssmclient.reset_service_setting(SettingId=setting_id) + except ClientError as e: + LOGGER.error(e) + + +def disable_patchmgmt(params: dict, boto3_config: Config) -> bool: + """Clean up patch management created resources. 
+ + Args: + params (dict): The parameters of our function + boto3_config (Config): Boto3 Configuration + + Returns: + Boolean of success or failure + """ + account_ids = common.get_account_ids([], params["DELEGATED_ADMIN_ACCOUNT_ID"]) + regions = common.get_enabled_regions( + params.get("ENABLED_REGIONS", ""), + (params.get("CONTROL_TOWER_REGIONS_ONLY", "false")).lower() in "true", + ) + for region in regions: + for account in account_ids: + session = common.assume_role( + params["ROLE_NAME_TO_ASSUME"], + "sra-disable-patch-mgmt", + account, + ) + LOGGER.info(f"Deleting Maintenance Windows in {account} in {region}") + ssmclient = session.client("ssm", region_name=region, config=boto3_config) + response = ssmclient.describe_maintenance_windows() + delete_window_with_sratag(ssmclient, response) + + while "NextToken" in response: + response = ssmclient.describe_maintenance_windows(NextToken=response["NextToken"]) + delete_window_with_sratag(ssmclient, response) + LOGGER.info(f"Deleting Default Host Management Configuration in {account} in {region}") + delete_default_host_mgmt(ssmclient) + + return True + + +def cleanup_patchmgmt(params: dict, boto3_config: Config) -> bool: + """Clean up patch management created resources. 
+ + Args: + params (dict): The parameters of our function + boto3_config (Config): Boto3 Configuration + + Returns: + Boolean of success or failure + """ + account_ids = common.get_account_ids([], params["DELEGATED_ADMIN_ACCOUNT_ID"]) + regions = common.get_enabled_regions( + params.get("ENABLED_REGIONS", ""), + (params.get("CONTROL_TOWER_REGIONS_ONLY", "false")).lower() in "true", + ) + for region in regions: + for account in account_ids: + session = common.assume_role( + params["ROLE_NAME_TO_ASSUME"], + "sra-patch-mgmt-cleanup", + account, + ) + LOGGER.info(f"Deleting Maintenance Windows in {account} in {region}") + ssmclient = session.client("ssm", region_name=region, config=boto3_config) + response = ssmclient.describe_maintenance_windows() + delete_window_with_sratag(ssmclient, response) + + while "NextToken" in response: + response = ssmclient.describe_maintenance_windows(NextToken=response["NextToken"]) + delete_window_with_sratag(ssmclient, response) + + return True diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/requirements.txt b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/requirements.txt new file mode 100644 index 00000000..4c9cd1b9 --- /dev/null +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/requirements.txt @@ -0,0 +1,2 @@ +#install latest +crhelper diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/layer/boto3/package.txt b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/layer/boto3/package.txt new file mode 100644 index 00000000..1db657b6 --- /dev/null +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/layer/boto3/package.txt @@ -0,0 +1 @@ +boto3 \ No newline at end of file diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration-role.yaml b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration-role.yaml new file mode 100644 index 00000000..eee74144 --- /dev/null 
+++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration-role.yaml 
@@ -0,0 +1,296 @@ +######################################################################## +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: MIT-0 +######################################################################## +AWSTemplateFormatVersion: 2010-09-09 +Description: + This template creates an IAM role to be distributed into all accounts to be assumed by the configuration Lambda Function in the Management Account - - 'patch_mgmt' solution in the repo, + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8r) + +Metadata: + SRA: + Version: 1.0 + Order: 2 + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Properties + Parameters: + - pSRASolutionName + + - Label: + default: Role Properties + Parameters: + - pPatchMgmtRoleName + - pPatchMgmtLambdaRoleName + - pManagementAccountId + + ParameterLabels: + pManagementAccountId: + default: Organization Management Account ID + pPatchMgmtLambdaRoleName: + default: Lambda Role Name + pPatchMgmtRoleName: + default: Patch Management Role Name + pSSMAutomationRoleName: + default: SSM Automation Role Name + pSRASolutionName: + default: SRA Solution Name + pDefaultHostConfigRoleName: + default: Default Host Config Role Name + +Parameters: + pManagementAccountId: + AllowedPattern: '^\d{12}$' + ConstraintDescription: Must be 12 digits + Description: Organization Management Account ID + Type: String + pPatchMgmtLambdaRoleName: + AllowedPattern: '^[\w+=,.@-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] + Default: sra-patch-mgmt-lambda + Description: Lambda Role Name + Type: String + pPatchMgmtRoleName: + AllowedPattern: '^[\w+=,.@-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. 
Also special characters supported [+, =, ., @, -] + Default: sra-patch-mgmt-configuration + Description: Patch Management IAM Role Name + Type: String + pSSMAutomationRoleName: + AllowedPattern: '^[\w+=,.@-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] + Default: sra-patch-mgmt-automation + Description: SSM Automation IAM Role Name + Type: String + pSRASolutionName: + AllowedValues: [sra-patch-mgmt-org] + Default: sra-patch-mgmt-org + Description: The SRA solution name. The default value is the folder name of the solution + Type: String + pPatchMgrEC2Profile: + Default: patch-mgr-ec2-profile + Description: An instance profile that can be used if facing issues with the Default Host Configuration setting. + Type: String + pPatchMgrEC2ProfileRole: + Default: patch-mgr-ec2-profile-role + Description: The Role that the patch-mgr-ec2-profile will use. + Type: String + +Resources: + rConfigurationRole: + Type: AWS::IAM::Role + Metadata: + checkov: + skip: + - id: "CKV_AWS_111" + comment: "Ensure IAM policies does not allow write access without constraints" + cfn_nag: + rules_to_suppress: + - id: W11 + reason: Actions require * in resource + - id: W28 + reason: Explicit role name provided + Properties: + RoleName: !Ref pPatchMgmtRoleName + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: sts:AssumeRole + Condition: + StringEquals: + aws:PrincipalArn: + - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:role/${pPatchMgmtLambdaRoleName} + Principal: + AWS: + - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:root + Path: "/" + Policies: + - PolicyName: sra-patch-mgmt-passrole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: AllowPassRoleSimple + Effect: Allow + Action: iam:PassRole + Resource: + - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSSystemsManagerDefaultEC2InstanceManagementRoleCustom + - !Sub 
arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sra-patch-mgmt-automation + - PolicyName: sra-patch-mgmt-ssm-general + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - sts:GetCallerIdentity + - ssm:UpdateServiceSetting + - ssm:CreateMaintenanceWindow + - ssm:DeleteMaintenanceWindow + - ssm:RegisterTargetWithMaintenanceWindow + - ssm:RegisterTaskWithMaintenanceWindow + - ssm:DeregisterTaskFromMaintenanceWindow + - ssm:UpdateMaintenanceWindow + - ssm:UpdateMaintenanceWindowTarget + - ssm:UpdateMaintenanceWindowTask + - ssm:AddTagsToResource + - ssm:DeregisterTargetFromMaintenanceWindow + - ssm:DescribeMaintenanceWindows + - ssm:ListTagsForResource + - ssm:DescribeMaintenanceWindowSchedule + - ssm:DescribeMaintenanceWindowTargets + - ssm:DescribeMaintenanceWindowTasks + - ssm:DescribeDocument + Resource: + - "*" + - PolicyName: sra-patch-mgmt-reset-default-host + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - ssm:ResetServiceSetting + Resource: + - !Sub arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:servicesetting/ssm/managed-instance/default-ec2-instance-management-role + - PolicyName: sra-patch-mgmt-policy-organizations + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: OrganizationsListAccounts + Effect: Allow + Action: + - organizations:ListAccounts + - organizations:DescribeOrganization + Resource: "*" + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rSSMAutomationRole: + Type: AWS::IAM::Role + Metadata: + cfn_nag: + rules_to_suppress: + - id: F3 + reason: Actions require * in permissions policy + - id: W11 + reason: Actions require * in resource + - id: W28 + reason: Explicit role name provided + Properties: + RoleName: !Ref pSSMAutomationRoleName + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: + - ssm.amazonaws.com + Path: "/" + Policies: + - PolicyName: 
sra-patch-mgmt-automation-passrole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: AllowPassRoleSimple + Effect: Allow + Action: iam:PassRole + Resource: + - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sra-patch-mgmt-automation + - PolicyName: sra-patch-mgmt-lambda-automation-policy + PolicyDocument: + Version: 2012-10-17 + Statement: + Effect: Allow + Action: lambda:InvokeFunction + Resource: + - arn:aws:lambda:*:*:function:Automation* + - PolicyName: sra-patch-mgmt-automation-ec2-policy + PolicyDocument: + Version: 2012-10-17 + Statement: + Effect: Allow + Action: + - ec2:CreateImage, + - ec2:CopyImage, + - ec2:DeregisterImage + - ec2:DescribeImages + - ec2:DeleteSnapshot + - ec2:StartInstances + - ec2:RunInstances + - ec2:StopInstances + - ec2:TerminateInstances + - ec2:DescribeInstanceStatus + - ec2:CreateTags + - ec2:DeleteTags + - ec2:DescribeTags + - cloudformation:CreateStack + - cloudformation:DescribeStackEvents + - cloudformation:DescribeStacks + - cloudformation:UpdateStack + - cloudformation:DeleteStack + Resource: "*" + - PolicyName: sra-patch-mgmt-ssm-automation-policy + PolicyDocument: + Version: 2012-10-17 + Statement: + Effect: Allow + Action: ssm:* + Resource: "*" + - PolicyName: sra-patch-mgmt-automation-sns-policy + PolicyDocument: + Version: 2012-10-17 + Statement: + Effect: Allow + Action: sns:Publish + Resource: + - arn:aws:sns:*:*:Automation* + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + rPatchMgrEC2ProfileRole: + Type: AWS::IAM::Role + Metadata: + cfn_nag: + rules_to_suppress: + - id: F3 + reason: Actions require * in permissions policy + - id: W11 + reason: Actions require * in resource + - id: W28 + reason: Explicit role name provided + Properties: + RoleName: !Ref pPatchMgrEC2ProfileRole + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: + - ec2.amazonaws.com + Path: "/" + ManagedPolicyArns: + - !Sub 
arn:${AWS::Partition}:iam::${AWS::Partition}:policy/AmazonSSMManagedInstanceCore + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rPatchMgrEC2Profile: + Type: AWS::IAM::InstanceProfile + Metadata: + cfn_nag: + rules_to_suppress: + - id: F3 + reason: Actions require * in permissions policy + - id: W11 + reason: Actions require * in resource + - id: W28 + reason: Explicit role name provided + Properties: + InstanceProfileName: !Ref pPatchMgrEC2Profile + Path: "/" + Roles: + - !Ref pPatchMgrEC2ProfileRole + DependsOn: rPatchMgrEC2ProfileRole diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration.yaml b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration.yaml new file mode 100644 index 00000000..27e09a52 --- /dev/null +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-configuration.yaml 
@@ -0,0 +1,1302 @@ +######################################################################## +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: MIT-0 +######################################################################## +AWSTemplateFormatVersion: 2010-09-09 +Description: + This template creates a custom resource Lambda to configure Patch Management within an AWS Organization - 'patch_mgmt' solution in + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8r) + +Metadata: + SRA: + Version: 1.0 + Order: 3 + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Properties + Parameters: + - pSRASolutionName + - pSRAStagingS3BucketName + - pSRAAlarmEmail + + - Label: + default: Lambda Function Properties + Parameters: + - pPatchMgmtLambdaRoleName + - pPatchMgmtLambdaFunctionName + - pOrganizationId + + - Label: + default: Custom Resource Properties + Parameters: + - pPatchMgmtRoleName + - pDelegatedAdminAccountId + - pControlTowerRegionsOnly + - pEnabledRegions + + - Label: + default: General Lambda Function Properties + Parameters: + - pCreateLambdaLogGroup + - pLambdaLogGroupRetention + - pLambdaLogGroupKmsKey + - pLambdaLogLevel + + - Label: + default: EventBridge Rule Properties + Parameters: + - pComplianceFrequency + - pControlTowerLifeCycleRuleName + - pEventRuleRoleName + + - Label: + default: Patch Management Solution Properties + Parameters: + - pDisablePatchMgmt + # Window 1 + - pPatchMgmtMaintWindow1Name + - pPatchMgmtMaintWindow1Desc + - pPatchMgmtMaintWindow1Schedule + - pPatchMgmtMaintWindow1Duration + - pPatchMgmtMaintWindow1Cutoff + - pPatchMgmtMaintWindow1TZ + - pPatchMgmtTask1Name + - pPatchMgmtTask1Desc + - pPatchMgmtTask1RunCmd + - pPatchMgmtTarget1Name + - pPatchMgmtTarget1Desc + - pPatchMgmtTarget1Value1 + - pPatchMgmtTarget1Value2 + # Window 2 + - pPatchMgmtMaintWindow2Name + - pPatchMgmtMaintWindow2Desc + - 
pPatchMgmtMaintWindow2Schedule + - pPatchMgmtMaintWindow2Duration + - pPatchMgmtMaintWindow2Cutoff + - pPatchMgmtMaintWindow2TZ + - pPatchMgmtTask2Name + - pPatchMgmtTask2Desc + - pPatchMgmtTask2Operation + - pPatchMgmtTask2RebootOption + - pPatchMgmtTask2RunCmd + - pPatchMgmtTarget2Name + - pPatchMgmtTarget2Desc + - pPatchMgmtTarget2Value1 + # Window 3 + - pPatchMgmtMaintWindow3Name + - pPatchMgmtMaintWindow3Desc + - pPatchMgmtMaintWindow3Schedule + - pPatchMgmtMaintWindow3Duration + - pPatchMgmtMaintWindow3Cutoff + - pPatchMgmtMaintWindow3TZ + - pPatchMgmtTask3Name + - pPatchMgmtTask3Desc + - pPatchMgmtTask3Operation + - pPatchMgmtTask3RebootOption + - pPatchMgmtTask3RunCmd + - pPatchMgmtTarget3Name + - pPatchMgmtTarget3Desc + - pPatchMgmtTarget3Value1 + + ParameterLabels: + pControlTowerRegionsOnly: + default: Control Tower Regions Only + pCreateLambdaLogGroup: + default: Create Lambda Log Group + pDelegatedAdminAccountId: + default: Delegated Admin Account ID + pEnabledRegions: + default: (Optional) Enabled Regions + pLambdaLogGroupKmsKey: + default: (Optional) Lambda Logs KMS Key + pLambdaLogGroupRetention: + default: Lambda Log Group Retention + pLambdaLogLevel: + default: Lambda Log Level + pOrganizationId: + default: Organization ID + pSRAAlarmEmail: + default: (Optional) SRA Alarm Email + pEventRuleRoleName: + default: Event Rule Role Name + pSRASolutionName: + default: SRA Solution Name + pSRAStagingS3BucketName: + default: SRA Staging S3 Bucket Name + pPatchMgmtLambdaFunctionName: + default: Lambda Function Name + pPatchMgmtLambdaRoleName: + default: Lambda Role Name + pPatchMgmtRoleName: + default: Patch Management Role Name + pDisablePatchMgmt: + default: Disable Patch Management Solution + pComplianceFrequency: + default: Frequency to Check for Organizational Compliance + pControlTowerLifeCycleRuleName: + default: Control Tower Lifecycle Rule Name + pPatchMgmtMaintWindow1Name: + default: Patch Management Maintenance Window 1 Name + 
pPatchMgmtMaintWindow1Desc: + default: Patch Management Maintenance Window 1 Description + pPatchMgmtMaintWindow1Schedule: + default: Patch Management Maintenance Window 1 Schedule + pPatchMgmtMaintWindow1Duration: + default: Patch Management Maintenance Window 1 Duration + pPatchMgmtMaintWindow1Cutoff: + default: Patch Management Maintenance Window 1 Cutoff + pPatchMgmtMaintWindow1TZ: + default: Patch Management Maintenance Window 1 Timezone + pPatchMgmtTask1Name: + default: Patch Management Task 1 Name + pPatchMgmtTask1Desc: + default: Patch Management Task 1 Description + pPatchMgmtTask1RunCmd: + default: Patch Management Task 1 Run Command + pPatchMgmtTarget1Name: + default: Patch Management Target 1 Name + pPatchMgmtTarget1Desc: + default: Patch Management Target 1 Description + pPatchMgmtTarget1Value1: + default: Patch Management Target 1 Tag 1 + pPatchMgmtTarget1Value2: + default: Patch Management Target 1 Tag 2 + # Window 2 - main title of parameter + pPatchMgmtMaintWindow2Name: + default: Patch Management Maintenance Window 2 Name + pPatchMgmtMaintWindow2Desc: + default: Patch Management Maintenance Window 2 Description + pPatchMgmtMaintWindow2Schedule: + default: Patch Management Maintenance Window 2 Schedule + pPatchMgmtMaintWindow2Duration: + default: Patch Management Maintenance Window 2 Duration + pPatchMgmtMaintWindow2Cutoff: + default: Patch Management Maintenance Window 2 Cutoff + pPatchMgmtMaintWindow2TZ: + default: Patch Management Maintenance Window 2 Timezone + pPatchMgmtTask2Name: + default: Patch Management Task 2 Name + pPatchMgmtTask2Desc: + default: Patch Management Task 2 Description + pPatchMgmtTask2Operation: + default: Patch Management Task 2 Operation + pPatchMgmtTask2RebootOption: + default: Patch Management Task 2 Reboot Option + pPatchMgmtTask2RunCmd: + default: Patch Management Task 2 Run Command + pPatchMgmtTarget2Name: + default: Patch Management Target 2 Name + pPatchMgmtTarget2Desc: + default: Patch Management Target 2 
Description + pPatchMgmtTarget2Value1: + default: Patch Management Target 2 Tag + # Window 3 - main title of parameter + pPatchMgmtMaintWindow3Name: + default: Patch Management Maintenance Window 3 Name + pPatchMgmtMaintWindow3Desc: + default: Patch Management Maintenance Window 3 Description + pPatchMgmtMaintWindow3Schedule: + default: Patch Management Maintenance Window 3 Schedule + pPatchMgmtMaintWindow3Duration: + default: Patch Management Maintenance Window 3 Duration + pPatchMgmtMaintWindow3Cutoff: + default: Patch Management Maintenance Window 3 Cutoff + pPatchMgmtMaintWindow3TZ: + default: Patch Management Maintenance Window 3 Timezone + pPatchMgmtTask3Name: + default: Patch Management Task 3 Name + pPatchMgmtTask3Desc: + default: Patch Management Task 3 Description + pPatchMgmtTask3Operation: + default: Patch Management Task 3 Operation + pPatchMgmtTask3RebootOption: + default: Patch Management Task 3 Reboot Option + pPatchMgmtTask3RunCmd: + default: Patch Management Task 3 Run Command + pPatchMgmtTarget3Name: + default: Patch Management Target 3 Name + pPatchMgmtTarget3Desc: + default: Patch Management Target 3 Description + pPatchMgmtTarget3Value1: + default: Patch Management Target 3 Tag + +Parameters: + pDisablePatchMgmt: + AllowedValues: ["true", "false"] + Default: "false" + Description: Update to 'true' to disable Patch Management in all accounts and regions before deleting the stack. + Type: String + pControlTowerRegionsOnly: + AllowedValues: [true, false] + Default: true + Description: Only enable in the Control Tower governed regions + Type: String + pCreateLambdaLogGroup: + AllowedValues: ["true", "false"] + Default: "false" + Description: + Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS + Key for encryption. 
+ Type: String + pDelegatedAdminAccountId: + AllowedPattern: '^\d{12}$' + ConstraintDescription: Must be 12 digits + Description: Delegated administrator account ID + Type: String + pEventRuleRoleName: + AllowedPattern: '^[\w+=,.@-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]. + Default: sra-patch-mgmt-global-events + Description: Event rule role name for putting events on the home region event bus + Type: String + pComplianceFrequency: + ConstraintDescription: Compliance Frequency must be a number between 1 and 30, inclusive. + Default: 7 + Description: Frequency (in days between 1 and 30, default is 7) to check organizational compliance + MinValue: 1 + MaxValue: 30 + Type: Number + pControlTowerLifeCycleRuleName: + AllowedPattern: '^[\w.-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric and underscore characters. Also special characters supported [., -] + Default: sra-patch-mgmt-org-trigger + Description: The name of the AWS Control Tower Life Cycle Rule. + Type: String + pEnabledRegions: + AllowedPattern: "^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$" + ConstraintDescription: + Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. + us-east-1,ap-southeast-2) + Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. + Type: String + pPatchMgmtLambdaFunctionName: + AllowedPattern: '^[\w-]{0,64}$' + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -] + Default: sra-patch-mgmt + Description: Lambda function name + Type: String + pPatchMgmtLambdaRoleName: + AllowedPattern: '^[\w+=,.@-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. 
Also special characters supported [+, =, ., @, -] + Default: sra-patch-mgmt-lambda + Description: Sample configuration Lambda role name + Type: String + pPatchMgmtRoleName: + AllowedPattern: '^[\w+=,.@-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] + Default: sra-patch-mgmt-configuration + Description: Patch Management Configuration role to assume in the delegated administrator account + Type: String + pLambdaLogGroupKmsKey: + AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' + ConstraintDescription: "Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + Description: + (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side + encryption keys. + Type: String + pLambdaLogGroupRetention: + AllowedValues: + [ + 1, + 3, + 5, + 7, + 14, + 30, + 60, + 90, + 120, + 150, + 180, + 365, + 400, + 545, + 731, + 1827, + 3653, + ] + Default: 14 + Description: Specifies the number of days you want to retain log events + Type: String + pLambdaLogLevel: + AllowedValues: [INFO, ERROR, DEBUG] + Default: INFO + Description: Lambda Function Logging Level + Type: String + pOrganizationId: + AllowedPattern: "^o-[a-z0-9]{10,32}$" + ConstraintDescription: The Organization ID must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters + Description: AWS Organizations ID + Type: String + pSRAAlarmEmail: + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. + Description: (Optional) Email address for receiving DLQ alarms + Type: String + pSRASolutionName: + AllowedValues: [sra-patch-mgmt-org] + Default: sra-patch-mgmt-org + Description: The SRA solution name. 
The default value is the folder name of the solution + Type: String + pSRAStagingS3BucketName: + AllowedPattern: '^(?=^.{3,63}$)(?!.*[.-]{2})(?!.*[--]{2})(?!^(?:(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(?!$)|$)){4}$)(^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$)' + ConstraintDescription: SRA Staging S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: + SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include + numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + # Window 1 - parameter sub-description and default value + pPatchMgmtMaintWindow1Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Name for first Maintenance Window + Default: sra_ssm_agent_update + Type: String + pPatchMgmtMaintWindow1Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Description: Description for first Maintenance Window + Default: Maintenance Window To Update The SSM Agent On Managed Instances + Type: String + pPatchMgmtMaintWindow1Schedule: + AllowedPattern: '^(rate\(((1 (hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*($|#|\w+\s*=|(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?(?:,(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?)*)\s+(\?|\*|(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?(?:,(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?)*)\s+(\?|\*|(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\?|\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\s+(\?|\*|(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?)*|\?|\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\s)+(\?|\*|(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?(?:,(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?)*))\))$' + Description: Scheduled start time of the first Maintenance Window + Default: "cron(0 0 1 ? * WED *)" + Type: String + pPatchMgmtMaintWindow1Duration: + ConstraintDescription: Must be a number between 1 and 24. 
+ Description: Duration (hours) of the Maintenance Window + Default: 6 + Type: Number + MinValue: 1 + MaxValue: 24 + pPatchMgmtMaintWindow1Cutoff: + Description: Stop initiating tasks (hours) before maintenance window ends + Default: 1 + Type: Number + MinValue: 0 + MaxValue: 23 + pPatchMgmtMaintWindow1TZ: + Description: Patch Management Maintenance Window 1 Timezone + Default: America/New_York + AllowedValues: + - America/New_York + - America/Chicago + - America/Los_Angeles + - America/Denver + - America/Phoenix + - America/Edmonton + - America/Halifax + - America/Whitehorse + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - America/Edmonton + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - Europe/Amsterdam + - Europe/Belgrade + - Europe/Berlin + - Europe/Brussels + - Europe/Dublin + - Europe/Gibraltar + - Europe/Helsinki + - Europe/Kyiv + - Europe/Lisbon + - Europe/London + - Europe/Luxembourg + - Europe/Madrid + - Europe/Malta + - Europe/Monaco + - Europe/Moscow + - Europe/Oslo + - Europe/Paris + - Europe/Podgorica + - Europe/Prague + - Europe/Rome + - Europe/Sarajevo + - Europe/Skopje + - Europe/Stockholm + - Europe/Tirane + - Europe/Tromsø + - Europe/Vatican + - Europe/Vienna + - Europe/Warsaw + - 
Europe/Zagreb + - Europe/Zurich + Type: String + pPatchMgmtTask1Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Task Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Name of the first Task to Update SSM Agent + Type: String + Default: Update_SSMAgent + pPatchMgmtTask1Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Task Description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Description of the Task to Update SSM Agent + Default: Task To Update SSMAgent On Managed Instances + Type: String + pPatchMgmtTask1RunCmd: + AllowedValues: [AWS-UpdateSSMAgent] + Description: Patch Management Task 1 Run Command + Default: AWS-UpdateSSMAgent + Type: String + pPatchMgmtTarget1Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Target Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Name of Target Group for first Maintenance Window + Default: Update_SSMAgent + Type: String + pPatchMgmtTarget1Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Target Desription can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Description: Description of Target Group for first Maintenance Window + Default: Targets To Update SSMAgent On Managed Instances + Type: String + pPatchMgmtTarget1Value1: + AllowedValues: [Linux] + Description: Patch Management Tag 1 Value of Target + Default: Linux + Type: String + pPatchMgmtTarget1Value2: + AllowedValues: [Windows] + Description: Patch Management Tag 2 Value of Target + Default: Windows + Type: String + # Window 2 - parameter sub-description and default value + pPatchMgmtMaintWindow2Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Name for second Maintenance Window + Default: sra_windows_maintenance + Type: String + pPatchMgmtMaintWindow2Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Description: Description for second Maintenance Window + Default: Maintenance Window to scan Windows Instances + Type: String + pPatchMgmtMaintWindow2Schedule: + AllowedPattern: '^(rate\(((1 (hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*($|#|\w+\s*=|(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?(?:,(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?)*)\s+(\?|\*|(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?(?:,(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?)*)\s+(\?|\*|(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\?|\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\s+(\?|\*|(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?)*|\?|\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\s)+(\?|\*|(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?(?:,(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?)*))\))$' + Description: Scheduled start time of the second Maintenance Window + Default: "cron(0 0 1 ? * THU *)" + Type: String + pPatchMgmtMaintWindow2Duration: + ConstraintDescription: Must be a number between 1 and 24. 
+ Description: Duration (hours) of the Maintenance Window + Default: 6 + Type: Number + MinValue: 1 + MaxValue: 24 + pPatchMgmtMaintWindow2Cutoff: + Description: Stop initiating tasks (hours) before maintenance window ends + Default: 1 + Type: Number + MinValue: 0 + MaxValue: 23 + pPatchMgmtMaintWindow2TZ: + Description: Patch Management Maintenance Window 2 Timezone + Default: America/New_York + AllowedValues: + - America/New_York + - America/Chicago + - America/Los_Angeles + - America/Denver + - America/Phoenix + - America/Edmonton + - America/Halifax + - America/Whitehorse + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - America/Edmonton + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - Europe/Amsterdam + - Europe/Belgrade + - Europe/Berlin + - Europe/Brussels + - Europe/Dublin + - Europe/Gibraltar + - Europe/Helsinki + - Europe/Kyiv + - Europe/Lisbon + - Europe/London + - Europe/Luxembourg + - Europe/Madrid + - Europe/Malta + - Europe/Monaco + - Europe/Moscow + - Europe/Oslo + - Europe/Paris + - Europe/Podgorica + - Europe/Prague + - Europe/Rome + - Europe/Sarajevo + - Europe/Skopje + - Europe/Stockholm + - Europe/Tirane + - Europe/Tromsø + - Europe/Vatican + - Europe/Vienna + - Europe/Warsaw + - 
Europe/Zagreb + - Europe/Zurich + Type: String + pPatchMgmtTask2Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Task Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Name of the first Task to Scan Windows + Type: String + Default: Windows_Scan + pPatchMgmtTask2Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Task Description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Description of the Task to Scan for Windows Patches + Default: Task To Scan For Patches On Managed Windows Instances + Type: String + pPatchMgmtTask2Operation: + AllowedValues: ["Scan", "Install"] + ConstraintDescription: Task Operation can be either Scan or Install. + Description: Patch Management Task 2 Operation (Scan Only, or Install Patches) + Default: Scan + Type: String + pPatchMgmtTask2RebootOption: + AllowedValues: ["RebootIfNeeded", "NoReboot"] + ConstraintDescription: Task Reboot Option can be either Reboot or No Reboot. + Description: Patch Management Task 2 Reboot Option (Reboot, or No Reboot) + Default: RebootIfNeeded + Type: String + pPatchMgmtTask2RunCmd: + AllowedValues: [AWS-RunPatchBaseline] + Description: Patch Management Task 2 Run Command + Default: AWS-RunPatchBaseline + Type: String + pPatchMgmtTarget2Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Target Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Description: Name of Target Group for second Maintenance Window + Default: Update_Windows + Type: String + pPatchMgmtTarget2Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Target Desription can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Patch Management Target 2 Description + Default: Targets To Scan For Windows Updates On Managed Instances + Type: String + pPatchMgmtTarget2Value1: + AllowedValues: [Windows] + Description: Patch Management Tag Value of Target + Default: Windows + Type: String + # Window 3 - parameter sub-description and default value + pPatchMgmtMaintWindow3Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Name for third Maintenance Window + Default: sra_linux_maintenance + Type: String + pPatchMgmtMaintWindow3Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Description: Description for third Maintenance Window + Default: Maintenance Window to scan Linux Instances + Type: String + pPatchMgmtMaintWindow3Schedule: + AllowedPattern: '^(rate\(((1 (hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*($|#|\w+\s*=|(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?(?:,(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?)*)\s+(\?|\*|(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?(?:,(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?)*)\s+(\?|\*|(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\?|\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\s+(\?|\*|(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?)*|\?|\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\s)+(\?|\*|(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?(?:,(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?)*))\))$' + Description: Scheduled start time of the third Maintenance Window + Default: "cron(0 0 1 ? * FRI *)" + Type: String + pPatchMgmtMaintWindow3Duration: + ConstraintDescription: Must be a number between 1 and 24. 
+ Description: Duration (hours) of the Maintenance Window + Default: 6 + Type: Number + MinValue: 1 + MaxValue: 24 + pPatchMgmtMaintWindow3Cutoff: + Description: Stop initiating tasks (hours) before maintenance window ends + Default: 1 + Type: Number + MinValue: 0 + MaxValue: 23 + pPatchMgmtMaintWindow3TZ: + Description: Patch Management Maintenance Window 3 Timezone + Default: America/New_York + AllowedValues: + - America/New_York + - America/Chicago + - America/Los_Angeles + - America/Denver + - America/Phoenix + - America/Edmonton + - America/Halifax + - America/Whitehorse + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - America/Edmonton + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - Europe/Amsterdam + - Europe/Belgrade + - Europe/Berlin + - Europe/Brussels + - Europe/Dublin + - Europe/Gibraltar + - Europe/Helsinki + - Europe/Kyiv + - Europe/Lisbon + - Europe/London + - Europe/Luxembourg + - Europe/Madrid + - Europe/Malta + - Europe/Monaco + - Europe/Moscow + - Europe/Oslo + - Europe/Paris + - Europe/Podgorica + - Europe/Prague + - Europe/Rome + - Europe/Sarajevo + - Europe/Skopje + - Europe/Stockholm + - Europe/Tirane + - Europe/Tromsø + - Europe/Vatican + - Europe/Vienna + - Europe/Warsaw + - 
Europe/Zagreb + - Europe/Zurich + Type: String + pPatchMgmtTask3Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Task Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Name of the third Task to Scan Linux + Type: String + Default: Linux_Scan + pPatchMgmtTask3Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Task Description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Patch Management Task 3 Description + Default: Task To Scan For Patches On Managed Linux Instances + Type: String + pPatchMgmtTask3Operation: + AllowedValues: ["Scan", "Install"] + ConstraintDescription: Task Operation can be either Scan or Install. + Description: Patch Management Task 3 Operation (Scan Only, or Install Patches) + Default: Scan + Type: String + pPatchMgmtTask3RebootOption: + AllowedValues: ["RebootIfNeeded", "NoReboot"] + ConstraintDescription: Task Reboot Option can be either Reboot or No Reboot. + Description: Patch Management Task 3 Reboot Option (Reboot, or No Reboot) + Default: RebootIfNeeded + Type: String + pPatchMgmtTask3RunCmd: + AllowedValues: [AWS-RunPatchBaseline] + Description: Patch Management Task 3 Run Command + Default: AWS-RunPatchBaseline + Type: String + pPatchMgmtTarget3Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Target Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Description: Name of Target Group for third Maintenance Window + Default: Update_Linux + Type: String + pPatchMgmtTarget3Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Target Desription can include numbers, lowercase letters, uppercase letters, and hyphens (-). 
It cannot start or end with a hyphen (-). + Description: Patch Management Target 3 Description + Default: Targets To Scan For Linux Updates On Managed Instances + Type: String + pPatchMgmtTarget3Value1: + AllowedValues: [Linux] + Description: Patch Management Tag Value of Target + Default: Linux + Type: String + +Conditions: + cComplianceFrequencySingleDay: !Equals [!Ref pComplianceFrequency, 1] + cCreateDLQAlarm: !Not [!Equals [!Ref pSRAAlarmEmail, ""]] + cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, "true"] + cUseGraviton: !Or + - !Equals [!Ref "AWS::Region", ap-northeast-1] + - !Equals [!Ref "AWS::Region", ap-south-1] + - !Equals [!Ref "AWS::Region", ap-southeast-1] + - !Equals [!Ref "AWS::Region", ap-southeast-2] + - !Equals [!Ref "AWS::Region", eu-central-1] + - !Equals [!Ref "AWS::Region", eu-west-1] + - !Equals [!Ref "AWS::Region", eu-west-2] + - !Equals [!Ref "AWS::Region", us-east-1] + - !Equals [!Ref "AWS::Region", us-east-2] + - !Equals [!Ref "AWS::Region", us-west-2] + cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, ""]] + cNotGlobalRegionUsEast1: !Not [!Equals [!Ref "AWS::Region", us-east-1]] + +Resources: + rPatchMgmtLambdaLogGroup: + Type: AWS::Logs::LogGroup + Condition: cCreateLambdaLogGroup + DeletionPolicy: Retain + UpdateReplacePolicy: Retain + Properties: + LogGroupName: !Sub /aws/lambda/${pPatchMgmtLambdaRoleName} + KmsKeyId: !If + - cUseKmsKey + - !Ref pLambdaLogGroupKmsKey + - !Ref AWS::NoValue + RetentionInDays: !Ref pLambdaLogGroupRetention + + rPatchMgmtLambdaRole: + Type: AWS::IAM::Role + Metadata: + cfn_nag: + rules_to_suppress: + - id: W11 + reason: Actions require wildcard in resource + - id: W28 + reason: The role name is defined + checkov: + skip: + - id: CKV_AWS_111 + comment: IAM write actions require wildcard in resource + Properties: + RoleName: !Ref pPatchMgmtLambdaRoleName + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: + - 
lambda.amazonaws.com + Path: "/" + Policies: + - PolicyName: sra-patch-mgmt-passrole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: AllowPassRoleSimple + Effect: Allow + Action: iam:PassRole + Resource: + - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSSystemsManagerDefaultEC2InstanceManagementRoleCustom + - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sra-patch-mgmt-automation + - PolicyName: sra-patch-mgmt-ssm-general + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - sts:GetCallerIdentity + - ssm:UpdateServiceSetting + - ssm:CreateMaintenanceWindow + - ssm:DeleteMaintenanceWindow + - ssm:RegisterTargetWithMaintenanceWindow + - ssm:RegisterTaskWithMaintenanceWindow + - ssm:UpdateMaintenanceWindow + - ssm:UpdateMaintenanceWindowTarget + - ssm:UpdateMaintenanceWindowTask + - ssm:DescribeMaintenanceWindows + - ssm:AddTagsToResource + - ssm:ListTagsForResource + - ssm:DescribeMaintenanceWindowSchedule + - ssm:DescribeMaintenanceWindowTargets + - ssm:DescribeMaintenanceWindowTasks + - ssm:DescribeDocument + Resource: + - "*" + - PolicyName: sra-patch-mgmt-policy-cloudformation + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: CloudFormation + Effect: Allow + Action: cloudformation:ListStackInstances + Resource: !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/AWSControlTowerBP-* + - PolicyName: "ssm-access" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - ssm:GetParameter + - ssm:GetParameters + Resource: + - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra*" + - PolicyName: "ssm-putaccess-patching" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - ssm:PutParameter + - ssm:LabelParameterVersion + - ssm:UnlabelParameterVersion + Resource: + - !Sub 
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra/patch_mgmt/windowInformation" + - PolicyName: sra-patch-mgmt-policy-iam + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: AssumeRole + Effect: Allow + Action: sts:AssumeRole + Condition: + StringEquals: + aws:PrincipalOrgId: !Ref pOrganizationId + Resource: + - !Sub arn:${AWS::Partition}:iam::*:role/${pPatchMgmtRoleName} + + - Sid: AllowReadIamActions + Effect: Allow + Action: iam:GetRole + Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/* + + - PolicyName: sra-patch-mgmt-policy-logs + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: CreateLogGroupAndEvents + Effect: Allow + Action: + - logs:CreateLogGroup + - logs:CreateLogStream + - logs:PutLogEvents + Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${pPatchMgmtLambdaFunctionName}:log-stream:* + + - PolicyName: sra-patch-mgmt-policy-organizations + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: OrganizationsReadAccess + Effect: Allow + Action: + - organizations:DescribeOrganization + - organizations:ListAWSServiceAccessForOrganization + - organizations:ListAccounts + - organizations:ListDelegatedAdministrators + Resource: "*" + - PolicyName: sra-patch-mgmt-policy-sqs + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: SQSSendMessage + Effect: Allow + Action: sqs:SendMessage + Resource: !GetAtt rpatchMgmtDLQ.Arn + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rPatchMgmtLambdaFunction: + Type: AWS::Lambda::Function + Metadata: + cfn_nag: + rules_to_suppress: + - id: W58 + reason: CloudWatch access provided by the attached IAM role + - id: W89 + reason: Lambda is not deployed within a VPC + - id: W92 + reason: Lambda does not need reserved concurrent executions. + checkov: + skip: + - id: CKV_AWS_115 + comment: Lambda does not need reserved concurrent executions. 
+ - id: CKV_AWS_117 + comment: Lambda does not need to communicate with VPC resources. + - id: CKV_AWS_173 + comment: Environment variables are not sensitive. + Properties: + FunctionName: !Ref pPatchMgmtLambdaFunctionName + Description: Patch Management SRA Setup Functions + Architectures: !If + - cUseGraviton + - [arm64] + - !Ref AWS::NoValue + Handler: app.lambda_handler + Role: !GetAtt rPatchMgmtLambdaRole.Arn + MemorySize: 512 + Runtime: python3.9 + Timeout: 900 + Code: + S3Bucket: !Ref pSRAStagingS3BucketName + S3Key: !Sub ${pSRASolutionName}/lambda_code/${pSRASolutionName}.zip + Layers: + - !Ref rPatchMgmtLambdaLayer + DeadLetterConfig: + TargetArn: !GetAtt rpatchMgmtDLQ.Arn + Environment: + Variables: + LOG_LEVEL: !Ref pLambdaLogLevel + CONTROL_TOWER_REGIONS_ONLY: !Ref pControlTowerRegionsOnly + DELEGATED_ADMIN_ACCOUNT_ID: !Ref pDelegatedAdminAccountId + ENABLED_REGIONS: !Ref pEnabledRegions + ROLE_NAME_TO_ASSUME: !Ref pPatchMgmtRoleName + MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId + # Window 1 + MAINTENANCE_WINDOW1_NAME: !Ref pPatchMgmtMaintWindow1Name + MAINTENANCE_WINDOW1_DESCRIPTION: !Ref pPatchMgmtMaintWindow1Desc + MAINTENANCE_WINDOW1_SCHEDULE: !Ref pPatchMgmtMaintWindow1Schedule + MAINTENANCE_WINDOW1_DURATION: !Ref pPatchMgmtMaintWindow1Duration + MAINTENANCE_WINDOW1_CUTOFF: !Ref pPatchMgmtMaintWindow1Cutoff + MAINTENANCE_WINDOW1_TIMEZONE: !Ref pPatchMgmtMaintWindow1TZ + TASK1_NAME: !Ref pPatchMgmtTask1Name + TASK1_DESCRIPTION: !Ref pPatchMgmtTask1Name + TASK1_RUN_COMMAND: !Ref pPatchMgmtTask1RunCmd + TARGET1_NAME: !Ref pPatchMgmtTarget1Name + TARGET1_DESCRIPTION: !Ref pPatchMgmtTarget1Desc + TARGET1_VALUE_1: !Ref pPatchMgmtTarget1Value1 + TARGET1_VALUE_2: !Ref pPatchMgmtTarget1Value2 + # Window 2 + MAINTENANCE_WINDOW2_NAME: !Ref pPatchMgmtMaintWindow2Name + MAINTENANCE_WINDOW2_DESCRIPTION: !Ref pPatchMgmtMaintWindow2Desc + MAINTENANCE_WINDOW2_SCHEDULE: !Ref pPatchMgmtMaintWindow2Schedule + MAINTENANCE_WINDOW2_DURATION: !Ref 
pPatchMgmtMaintWindow2Duration + MAINTENANCE_WINDOW2_CUTOFF: !Ref pPatchMgmtMaintWindow2Cutoff + MAINTENANCE_WINDOW2_TIMEZONE: !Ref pPatchMgmtMaintWindow2TZ + TASK2_NAME: !Ref pPatchMgmtTask2Name + TASK2_DESCRIPTION: !Ref pPatchMgmtTask2Desc + TASK2_OPERATION: !Ref pPatchMgmtTask2Operation + TASK2_REBOOTOPTION: !Ref pPatchMgmtTask2RebootOption + TASK2_RUN_COMMAND: !Ref pPatchMgmtTask2RunCmd + TARGET2_NAME: !Ref pPatchMgmtTarget2Name + TARGET2_DESCRIPTION: !Ref pPatchMgmtTarget2Desc + TARGET2_VALUE_1: !Ref pPatchMgmtTarget2Value1 + # Window 3 + MAINTENANCE_WINDOW3_NAME: !Ref pPatchMgmtMaintWindow3Name + MAINTENANCE_WINDOW3_DESCRIPTION: !Ref pPatchMgmtMaintWindow3Desc + MAINTENANCE_WINDOW3_SCHEDULE: !Ref pPatchMgmtMaintWindow3Schedule + MAINTENANCE_WINDOW3_DURATION: !Ref pPatchMgmtMaintWindow3Duration + MAINTENANCE_WINDOW3_CUTOFF: !Ref pPatchMgmtMaintWindow3Cutoff + MAINTENANCE_WINDOW3_TIMEZONE: !Ref pPatchMgmtMaintWindow3TZ + TASK3_NAME: !Ref pPatchMgmtTask3Name + TASK3_DESCRIPTION: !Ref pPatchMgmtTask3Desc + TASK3_OPERATION: !Ref pPatchMgmtTask3Operation + TASK3_REBOOTOPTION: !Ref pPatchMgmtTask3RebootOption + TASK3_RUN_COMMAND: !Ref pPatchMgmtTask3RunCmd + TARGET3_NAME: !Ref pPatchMgmtTarget3Name + TARGET3_DESCRIPTION: !Ref pPatchMgmtTarget3Desc + TARGET3_VALUE_1: !Ref pPatchMgmtTarget3Value1 + DISABLE_PATCHMGMT: !Ref pDisablePatchMgmt + + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rPatchMgmtLambdaLayer: + Type: AWS::Lambda::LayerVersion + Properties: + Content: + S3Bucket: !Ref pSRAStagingS3BucketName + S3Key: !Sub ${pSRASolutionName}/layer_code/${pSRASolutionName}-layer.zip + Description: Boto3 version 1.26.24 layer to enable newer API of sample + LayerName: !Sub ${pPatchMgmtLambdaFunctionName}-updated-boto3-layer + + rPatchmgmtLambdaCustomResource: + Type: Custom::LambdaCustomResource + Version: "1.0" + Properties: + ServiceToken: !GetAtt rPatchMgmtLambdaFunction.Arn + DISABLE_PATCHMGMT: !Ref pDisablePatchMgmt + CONTROL_TOWER_REGIONS_ONLY: 
!Ref pControlTowerRegionsOnly + DELEGATED_ADMIN_ACCOUNT_ID: !Ref pDelegatedAdminAccountId + ROLE_NAME_TO_ASSUME: !Ref pPatchMgmtRoleName + ENABLED_REGIONS: !Ref pEnabledRegions + MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId + # Window 1 + MAINTENANCE_WINDOW1_NAME: !Ref pPatchMgmtMaintWindow1Name + MAINTENANCE_WINDOW1_DESCRIPTION: !Ref pPatchMgmtMaintWindow1Desc + MAINTENANCE_WINDOW1_SCHEDULE: !Ref pPatchMgmtMaintWindow1Schedule + MAINTENANCE_WINDOW1_DURATION: !Ref pPatchMgmtMaintWindow1Duration + MAINTENANCE_WINDOW1_CUTOFF: !Ref pPatchMgmtMaintWindow1Cutoff + MAINTENANCE_WINDOW1_TIMEZONE: !Ref pPatchMgmtMaintWindow1TZ + TASK1_NAME: !Ref pPatchMgmtTask1Name + TASK1_DESCRIPTION: !Ref pPatchMgmtTask1Desc + TASK1_RUN_COMMAND: !Ref pPatchMgmtTask1RunCmd + TARGET1_NAME: !Ref pPatchMgmtTarget1Name + TARGET1_DESCRIPTION: !Ref pPatchMgmtTarget1Desc + TARGET1_VALUE_1: !Ref pPatchMgmtTarget1Value1 + TARGET1_VALUE_2: !Ref pPatchMgmtTarget1Value2 + # Window 2 + MAINTENANCE_WINDOW2_NAME: !Ref pPatchMgmtMaintWindow2Name + MAINTENANCE_WINDOW2_DESCRIPTION: !Ref pPatchMgmtMaintWindow2Desc + MAINTENANCE_WINDOW2_SCHEDULE: !Ref pPatchMgmtMaintWindow2Schedule + MAINTENANCE_WINDOW2_DURATION: !Ref pPatchMgmtMaintWindow2Duration + MAINTENANCE_WINDOW2_CUTOFF: !Ref pPatchMgmtMaintWindow2Cutoff + MAINTENANCE_WINDOW2_TIMEZONE: !Ref pPatchMgmtMaintWindow2TZ + TASK2_NAME: !Ref pPatchMgmtTask2Name + TASK2_DESCRIPTION: !Ref pPatchMgmtTask2Desc + TASK2_OPERATION: !Ref pPatchMgmtTask2Operation + TASK2_REBOOTOPTION: !Ref pPatchMgmtTask2RebootOption + TASK2_RUN_COMMAND: !Ref pPatchMgmtTask2RunCmd + TARGET2_NAME: !Ref pPatchMgmtTarget2Name + TARGET2_DESCRIPTION: !Ref pPatchMgmtTarget2Desc + TARGET2_VALUE_1: !Ref pPatchMgmtTarget2Value1 + # Window 3 + MAINTENANCE_WINDOW3_NAME: !Ref pPatchMgmtMaintWindow3Name + MAINTENANCE_WINDOW3_DESCRIPTION: !Ref pPatchMgmtMaintWindow3Desc + MAINTENANCE_WINDOW3_SCHEDULE: !Ref pPatchMgmtMaintWindow3Schedule + MAINTENANCE_WINDOW3_DURATION: !Ref 
pPatchMgmtMaintWindow3Duration + MAINTENANCE_WINDOW3_CUTOFF: !Ref pPatchMgmtMaintWindow3Cutoff + MAINTENANCE_WINDOW3_TIMEZONE: !Ref pPatchMgmtMaintWindow3TZ + TASK3_NAME: !Ref pPatchMgmtTask3Name + TASK3_DESCRIPTION: !Ref pPatchMgmtTask3Desc + TASK3_OPERATION: !Ref pPatchMgmtTask3Operation + TASK3_REBOOTOPTION: !Ref pPatchMgmtTask3RebootOption + TASK3_RUN_COMMAND: !Ref pPatchMgmtTask3RunCmd + TARGET3_NAME: !Ref pPatchMgmtTarget3Name + TARGET3_DESCRIPTION: !Ref pPatchMgmtTarget3Desc + TARGET3_VALUE_1: !Ref pPatchMgmtTarget3Value1 + + rpatchMgmtDLQ: + Type: AWS::SQS::Queue + Properties: + KmsMasterKeyId: alias/aws/sqs + QueueName: !Sub ${pSRASolutionName}-dlq + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + MessageRetentionPeriod: 345600 + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + + rpatchmgmtDLQPolicy: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - !Ref rpatchMgmtDLQ + PolicyDocument: + Statement: + - Action: SQS:SendMessage + Condition: + ArnEquals: + aws:SourceArn: + - !GetAtt rPatchMgmtLambdaFunction.Arn + Effect: Allow + Principal: + Service: events.amazonaws.com + Resource: + - !GetAtt rpatchMgmtDLQ.Arn + + rpatchMgmtDLQAlarmTopic: + Condition: cCreateDLQAlarm + Type: AWS::SNS::Topic + Properties: + DisplayName: !Sub ${pSRASolutionName}-dlq-alarm + KmsMasterKeyId: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/sns + TopicName: !Sub ${pSRASolutionName}-dlq-alarm + Subscription: + - Endpoint: !Ref pSRAAlarmEmail + Protocol: email + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rpatchMgmtDLQAlarm: + Condition: cCreateDLQAlarm + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: SRA DLQ alarm if the queue depth is 1 + Namespace: AWS/SQS + MetricName: ApproximateNumberOfMessagesVisible + Dimensions: + - Name: QueueName + Value: !GetAtt rpatchMgmtDLQ.QueueName + Statistic: Sum + Period: 300 + EvaluationPeriods: 1 + Threshold: 1 + ComparisonOperator: GreaterThanThreshold + 
AlarmActions: + - !Ref rpatchMgmtDLQAlarmTopic + InsufficientDataActions: + - !Ref rpatchMgmtDLQAlarmTopic + + rPermissionForScheduledComplianceRuleToInvokeLambda: + Type: AWS::Lambda::Permission + Properties: + FunctionName: !GetAtt rPatchMgmtLambdaFunction.Arn + Action: lambda:InvokeFunction + Principal: events.amazonaws.com + SourceArn: !GetAtt rScheduledComplianceRule.Arn + + rScheduledComplianceRule: + Type: AWS::Events::Rule + Properties: + Name: !Sub ${pControlTowerLifeCycleRuleName}-organization-compliance + Description: SRA Patch Manager Trigger for scheduled organization compliance + ScheduleExpression: !If + - cComplianceFrequencySingleDay + - !Sub rate(${pComplianceFrequency} day) + - !Sub rate(${pComplianceFrequency} days) + State: ENABLED + Targets: + - Arn: !GetAtt rPatchMgmtLambdaFunction.Arn + Id: !Ref pPatchMgmtLambdaFunctionName + + rCrossRegionEventRuleRole: + Type: AWS::IAM::Role + Condition: cNotGlobalRegionUsEast1 + Metadata: + cfn_nag: + rules_to_suppress: + - id: W28 + reason: Specific role name provided + Properties: + RoleName: !Ref pEventRuleRoleName + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: sts:AssumeRole + Principal: + Service: + - events.amazonaws.com + Policies: + - PolicyName: sra-account-org-patch-mgmt-policy-events + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: events:PutEvents + Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default + + rPermissionForOrganizationsRuleToInvokeLambda: + Type: AWS::Lambda::Permission + Properties: + FunctionName: !GetAtt rPatchMgmtLambdaFunction.Arn + Action: lambda:InvokeFunction + Principal: events.amazonaws.com + SourceArn: !GetAtt rOrganizationsRule.Arn + + rOrganizationsRule: + Type: AWS::Events::Rule + Properties: + Name: !Sub ${pSRASolutionName}-update + Description: SRA Patch Manager Trigger on Organizations events. 
+ EventPattern: + source: + - aws.organizations + detail-type: + - AWS API Call via CloudTrail + - AWS Service Event via CloudTrail + detail: + eventSource: + - organizations.amazonaws.com + eventName: + - AcceptHandshake + - CreateAccountResult + State: ENABLED + Targets: + - Arn: !GetAtt rPatchMgmtLambdaFunction.Arn + Id: !Ref pPatchMgmtLambdaFunctionName + +Outputs: + oPatchMgmtLambdaFunctionArn: + Description: SRA Sample Lambda Function ARN + Value: !GetAtt rPatchMgmtLambdaFunction.Arn + oPatchMgmtLambdaLogGroupArn: + Condition: cCreateLambdaLogGroup + Description: SRA Patch Mgmt Lambda Log Group ARN + Value: !GetAtt rPatchMgmtLambdaLogGroup.Arn + oPatchMgmtLambdaRoleArn: + Description: SRA Patch Mgmt Lambda Role ARN + Value: !GetAtt rPatchMgmtLambdaRole.Arn diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-default-host-config-role.yaml b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-default-host-config-role.yaml new file mode 100644 index 00000000..6e532fff --- /dev/null +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-default-host-config-role.yaml 
@@ -0,0 +1,68 @@ +######################################################################## +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: MIT-0 +######################################################################## +AWSTemplateFormatVersion: 2010-09-09 +Description: + This template creates a Default Host Configiguration IAM role to be distributed into all accounts for Configuring Default Host Management Configuration - - 'patch_mgmt' solution in the repo, + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8r) + +Metadata: + SRA: + Version: 1.0 + Order: 2 + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Properties + Parameters: + - pSRASolutionName + + - Label: + default: Role Properties + Parameters: + - pDefaultHostConfigRoleName + + ParameterLabels: + pSRASolutionName: + default: SRA Solution Name + pDefaultHostConfigRoleName: + default: Default Host Config Role Name + +Parameters: + pDefaultHostConfigRoleName: + AllowedPattern: '^[\w+=,.@-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] + Default: AWSSystemsManagerDefaultEC2InstanceManagementRoleCustom + Description: Default Host Config IAM Role Name + Type: String + pSRASolutionName: + AllowedValues: [sra-patch-mgmt-org] + Default: sra-patch-mgmt-org + Description: The SRA solution name. 
The default value is the folder name of the solution + Type: String + +Resources: + rDefaultHostConfigRoleName: + Type: AWS::IAM::Role + Metadata: + cfn_nag: + rules_to_suppress: + - id: W28 + reason: Explicit role name provided + Properties: + RoleName: !Ref pDefaultHostConfigRoleName + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: + - ssm.amazonaws.com + Path: "/service-role/" + ManagedPolicyArns: + - !Sub arn:${AWS::Partition}:iam::${AWS::Partition}:policy/AmazonSSMManagedEC2InstanceDefaultPolicy + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-global-events.yaml b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-global-events.yaml new file mode 100644 index 00000000..fcef2102 --- /dev/null +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-global-events.yaml 
@@ -0,0 +1,68 @@ +######################################################################## +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: MIT-0 +######################################################################## +AWSTemplateFormatVersion: 2010-09-09 +Description: + This template creates an event rule to send organization events to the home region. - 'patch_mgmt_org' solution in the repo, + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8r) +Metadata: + SRA: + Version: 1.0 + Order: 4 + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Properties + Parameters: + - pSRASolutionName + - pHomeRegion + - Label: + default: Event Rule Properties + Parameters: + - pEventRuleRoleName + ParameterLabels: + pSRASolutionName: + default: SRA Solution Name + +Parameters: + pEventRuleRoleName: + AllowedPattern: '^[\w+=,.@-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]. + Default: sra-patch-mgmt-global-events + Description: Event rule role name for putting events on the home region event bus + Type: String + pHomeRegion: + AllowedPattern: "^[a-z0-9-]{1,64}$" + ConstraintDescription: AWS Region Example - 'us-east-1' + Description: Name of the Control Tower home region + Type: String + pSRASolutionName: + AllowedValues: [sra-patch-mgmt-org] + Default: sra-patch-mgmt-org + Description: The SRA solution name. The default value is the folder name of the solution. + Type: String + +Resources: + rOrganizationsRule: + Type: AWS::Events::Rule + Properties: + Name: !Sub ${pSRASolutionName}-forward-org-events + Description: SRA Patch Manager Forward Organizations events to home region. 
+ EventPattern: + source: + - aws.organizations + detail-type: + - AWS API Call via CloudTrail + - AWS Service Event via CloudTrail + detail: + eventSource: + - organizations.amazonaws.com + eventName: + - AcceptHandshake + - CreateAccountResult + State: ENABLED + Targets: + - Arn: !Sub arn:${AWS::Partition}:events:${pHomeRegion}:${AWS::AccountId}:event-bus/default + Id: !Sub ${pSRASolutionName}-org-events-to-home-region + RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pEventRuleRoleName} diff --git a/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-main-ssm.yaml b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-main-ssm.yaml new file mode 100644 index 00000000..143faaca --- /dev/null +++ b/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-main-ssm.yaml 
@@ -0,0 +1,1029 @@ +######################################################################## +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: MIT-0 +######################################################################## +AWSTemplateFormatVersion: 2010-09-09 +Description: This template creates a SSM Patch management solution within an AWS Organization. (sra-1u3sd7f8r) + +Metadata: + SRA: + Version: 1.0 + Entry: Parameters for deploying the solution resolving SSM parameters + Order: 1 + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: IAM Properties + Parameters: + - pStackExecutionRole + - pStackSetAdminRole + - Label: + default: General Properties + Parameters: + - pSRASolutionName + - pSRASolutionVersion + - pSRAStagingS3BucketName + - pSRAAlarmEmail + - pAuditAccountId + - pRootOrganizationalUnitId + - pOrganizationId + - Label: + default: Custom Resource Properties + Parameters: + - pControlTowerRegionsOnly + - pEnabledRegions + - Label: + default: Patch Management Solution Properties + Parameters: + - pPatchMgmtRoleName + - pDisablePatchMgmt + - Label: + default: Patch Management Solution Properties - Maintenance Window 1 + Parameters: + # Window 1 + - pPatchMgmtMaintWindow1Name + - pPatchMgmtMaintWindow1Desc + - pPatchMgmtMaintWindow1Schedule + - pPatchMgmtMaintWindow1Duration + - pPatchMgmtMaintWindow1Cutoff + - pPatchMgmtMaintWindow1TZ + - pPatchMgmtTask1Name + - pPatchMgmtTask1Desc + - pPatchMgmtTask1RunCmd + - pPatchMgmtTarget1Name + - pPatchMgmtTarget1Desc + - pPatchMgmtTarget1Value1 + - pPatchMgmtTarget1Value2 + # Window 2 + - Label: + default: Patch Management Solution Properties - Maintenance Window 2 + Parameters: + - pPatchMgmtMaintWindow2Name + - pPatchMgmtMaintWindow2Desc + - pPatchMgmtMaintWindow2Schedule + - pPatchMgmtMaintWindow2Duration + - pPatchMgmtMaintWindow2Cutoff + - pPatchMgmtMaintWindow2TZ + - pPatchMgmtTask2Name + - pPatchMgmtTask2Desc + - 
pPatchMgmtTask2Operation + - pPatchMgmtTask2RebootOption + - pPatchMgmtTask2RunCmd + - pPatchMgmtTarget2Name + - pPatchMgmtTarget2Desc + - pPatchMgmtTarget2Value1 + # Window 3 + - Label: + default: Patch Management Solution Properties - Maintenance Window 3 + Parameters: + - pPatchMgmtMaintWindow3Name + - pPatchMgmtMaintWindow3Desc + - pPatchMgmtMaintWindow3Schedule + - pPatchMgmtMaintWindow3Duration + - pPatchMgmtMaintWindow3Cutoff + - pPatchMgmtMaintWindow3TZ + - pPatchMgmtTask3Name + - pPatchMgmtTask3Desc + - pPatchMgmtTask3Operation + - pPatchMgmtTask3RebootOption + - pPatchMgmtTask3RunCmd + - pPatchMgmtTarget3Name + - pPatchMgmtTarget3Desc + - pPatchMgmtTarget3Value1 + - Label: + default: General Lambda Function Properties + Parameters: + - pCreateLambdaLogGroup + - pLambdaLogGroupRetention + - pLambdaLogGroupKmsKey + - pLambdaLogLevel + - Label: + default: EventBridge Rule Properties + Parameters: + - pControlTowerLifeCycleRuleName + - pComplianceFrequency + + ParameterLabels: + pDisablePatchMgmt: + default: Disable Patch Management Solution + pStackExecutionRole: + default: Stack execution role + pStackSetAdminRole: + default: Stack Set Role + pAuditAccountId: + default: Audit Account ID + pComplianceFrequency: + default: Frequency to Check for Organizational Compliance + pControlTowerLifeCycleRuleName: + default: Control Tower Lifecycle Rule Name + pControlTowerRegionsOnly: + default: Control Tower Regions Only + pCreateLambdaLogGroup: + default: Create Lambda Log Group + pEnabledRegions: + default: (Optional) Enabled Regions + pLambdaLogGroupKmsKey: + default: (Optional) Lambda Logs KMS Key + pLambdaLogGroupRetention: + default: Lambda Log Group Retention + pLambdaLogLevel: + default: Lambda Log Level + pOrganizationId: + default: Organization ID + pRootOrganizationalUnitId: + default: Root Organizational Unit ID + pSRAAlarmEmail: + default: (Optional) SRA Alarm Email + pSRASolutionName: + default: SRA Solution Name + pSRASolutionVersion: + default: SRA 
Solution Version + pSRAStagingS3BucketName: + default: SRA Staging S3 Bucket Name + # Window 1 - main title of parameter + pPatchMgmtMaintWindow1Name: + default: Patch Management Maintenance Window 1 Name + pPatchMgmtMaintWindow1Desc: + default: Patch Management Maintenance Window 1 Description + pPatchMgmtMaintWindow1Schedule: + default: Patch Management Maintenance Window 1 Schedule + pPatchMgmtMaintWindow1Duration: + default: Patch Management Maintenance Window 1 Duration + pPatchMgmtMaintWindow1Cutoff: + default: Patch Management Maintenance Window 1 Cutoff + pPatchMgmtMaintWindow1TZ: + default: Patch Management Maintenance Window 1 Timezone + pPatchMgmtTask1Name: + default: Patch Management Task 1 Name + pPatchMgmtTask1Desc: + default: Patch Management Task 1 Description + pPatchMgmtTask1RunCmd: + default: Patch Management Task 1 Run Command + pPatchMgmtTarget1Name: + default: Patch Management Target 1 Name + pPatchMgmtTarget1Desc: + default: Patch Management Target 1 Description + pPatchMgmtTarget1Value1: + default: Patch Management Target 1 Value 1 + pPatchMgmtTarget1Value2: + default: Patch Management Target 1 Value 2 + # Window 2 - main title of parameter + pPatchMgmtMaintWindow2Name: + default: Patch Management Maintenance Window 2 Name + pPatchMgmtMaintWindow2Desc: + default: Patch Management Maintenance Window 2 Description + pPatchMgmtMaintWindow2Schedule: + default: Patch Management Maintenance Window 2 Schedule + pPatchMgmtMaintWindow2Duration: + default: Patch Management Maintenance Window 2 Duration + pPatchMgmtMaintWindow2Cutoff: + default: Patch Management Maintenance Window 2 Cutoff + pPatchMgmtMaintWindow2TZ: + default: Patch Management Maintenance Window 2 Timezone + pPatchMgmtTask2Name: + default: Patch Management Task 2 Name + pPatchMgmtTask2Desc: + default: Patch Management Task 2 Description + pPatchMgmtTask2Operation: + default: Patch Management Task 2 Operation + pPatchMgmtTask2RebootOption: + default: Patch Management Task 2 Reboot 
Option + pPatchMgmtTask2RunCmd: + default: Patch Management Task 2 Run Command + pPatchMgmtTarget2Name: + default: Patch Management Target 2 Name + pPatchMgmtTarget2Desc: + default: Patch Management Target 2 Description + pPatchMgmtTarget2Value1: + default: Patch Management Target 2 Value 1 + # Window 3 - main title of parameter + pPatchMgmtMaintWindow3Name: + default: Patch Management Maintenance Window 3 Name + pPatchMgmtMaintWindow3Desc: + default: Patch Management Maintenance Window 3 Description + pPatchMgmtMaintWindow3Schedule: + default: Patch Management Maintenance Window 3 Schedule + pPatchMgmtMaintWindow3Duration: + default: Patch Management Maintenance Window 3 Duration + pPatchMgmtMaintWindow3Cutoff: + default: Patch Management Maintenance Window 3 Cutoff + pPatchMgmtMaintWindow3TZ: + default: Patch Management Maintenance Window 3 Timezone + pPatchMgmtTask3Name: + default: Patch Management Task 3 Name + pPatchMgmtTask3Desc: + default: Patch Management Task 3 Description + pPatchMgmtTask3Operation: + default: Patch Management Task 3 Operation + pPatchMgmtTask3RebootOption: + default: Patch Management Task 3 Reboot Option + pPatchMgmtTask3RunCmd: + default: Patch Management Task 3 Run Command + pPatchMgmtTarget3Name: + default: Patch Management Target 3 Name + pPatchMgmtTarget3Desc: + default: Patch Management Target 3 Description + pPatchMgmtTarget3Value1: + default: Patch Management Target 3 Value 1 + pPatchMgmtRoleName: + default: Configuration role name + +Parameters: + pDisablePatchMgmt: + AllowedValues: ["true", "false"] + Default: "false" + Description: Update to 'true' to delete Maintenance Windows and Default Host Management Configuration in all accounts and regions. + Type: String + pStackExecutionRole: + AllowedValues: [sra-execution] + Default: sra-execution + Description: The execution role name that is used in the stack. 
+ Type: String + pStackSetAdminRole: + AllowedValues: [sra-stackset] + Default: sra-stackset + Description: The administration role name that is used in the stackset. + Type: String + pAuditAccountId: + AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' + ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. + Default: /sra/control-tower/audit-account-id + Description: SSM Parameter for AWS Account ID of the Control Tower account to delegate administration. + Type: AWS::SSM::Parameter::Value + pComplianceFrequency: + ConstraintDescription: Compliance Frequency must be a number between 1 and 30, inclusive. + Default: 7 + Description: Frequency (in days between 1 and 30, default is 7) to check organizational compliance by invoking the Lambda Function. + MinValue: 1 + MaxValue: 30 + Type: Number + pControlTowerLifeCycleRuleName: + AllowedPattern: '^[\w.-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric and underscore characters. Also special characters supported [., -] + Default: sra-patch-mgmt-org-trigger + Description: The name of the AWS Control Tower Life Cycle Rule. + Type: String + pControlTowerRegionsOnly: + AllowedValues: ["true", "false"] + Default: "true" + Description: Only enable in the Control Tower governed regions + Type: String + pCreateLambdaLogGroup: + AllowedValues: ["true", "false"] + Default: "false" + Description: + Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS + Key for encryption. + Type: String + pEnabledRegions: + AllowedPattern: "^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$" + ConstraintDescription: + Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. 
+ us-east-1,ap-southeast-2) + Default: "" + Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. + Type: String + pPatchMgmtRoleName: + AllowedValues: ["sra-patch-mgmt-configuration"] + Default: "sra-patch-mgmt-configuration" + Description: Patch Management Role Name + Type: String + pLambdaLogGroupKmsKey: + AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' + ConstraintDescription: "Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + Default: "" + Description: + (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side + encryption keys. + Type: String + pLambdaLogGroupRetention: + AllowedValues: + [ + 1, + 3, + 5, + 7, + 14, + 30, + 60, + 90, + 120, + 150, + 180, + 365, + 400, + 545, + 731, + 1827, + 3653, + ] + Default: 14 + Description: Specifies the number of days you want to retain log events + Type: String + pLambdaLogLevel: + AllowedValues: [INFO, ERROR, DEBUG] + Default: INFO + Description: Lambda Function Logging Level + Type: String + pOrganizationId: + AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' + ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. + Default: /sra/control-tower/organization-id + Description: SSM Parameter for AWS Organizations ID + Type: AWS::SSM::Parameter::Value + pRootOrganizationalUnitId: + AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' + ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. 
+ Default: /sra/control-tower/root-organizational-unit-id + Description: SSM Parameter for Root Organizational Unit ID + Type: AWS::SSM::Parameter::Value + pSRAAlarmEmail: + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. + Default: "" + Description: (Optional) Email address for receiving SRA alarms + Type: String + pSRASolutionName: + AllowedValues: [sra-patch-mgmt-org] + Default: sra-patch-mgmt-org + Description: The SRA solution name. The default value is the folder name of the solution + Type: String + pSRAStagingS3BucketName: + AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' + ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. + Default: /sra/staging-s3-bucket-name + Description: + SSM Parameter for SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket + name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: AWS::SSM::Parameter::Value + pSRASolutionVersion: + AllowedValues: [v1.0] + Default: v1.0 + Description: The SRA solution version. Used to trigger updates on the nested StackSets. + Type: String + # Window 1 - parameter sub-description and default value + pPatchMgmtMaintWindow1Name: + Description: Maintenance Window To Manage The SSM Agent + Default: sra_ssm_agent_update + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Type: String + pPatchMgmtMaintWindow1Desc: + Description: Description for first Maintenance Window + Default: Maintenance Window To Update The SSM Agent On Managed Instances + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + pPatchMgmtMaintWindow1Schedule: + Description: Scheduled start time of the first Maintenance Window + Default: "cron(0 0 1 ? * WED *)" + AllowedPattern: '^(rate\(((1 (hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*($|#|\w+\s*=|(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?(?:,(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?)*)\s+(\?|\*|(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?(?:,(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?)*)\s+(\?|\*|(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\?|\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\s+(\?|\*|(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?)*|\?|\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\s)+(\?|\*|(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?(?:,(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?)*))\))$' + Type: String + pPatchMgmtMaintWindow1Duration: + Description: Duration (hours) of the Maintenance Window + Default: 6 + MinValue: 1 + MaxValue: 24 + ConstraintDescription: Must be a 
number between 1 and 24. + Type: Number + pPatchMgmtMaintWindow1Cutoff: + Description: Stop initiating tasks (hours) before maintenance window ends + Default: 1 + MinValue: 0 + MaxValue: 23 + ConstraintDescription: Must be a number between 0 and 23. + Type: Number + pPatchMgmtMaintWindow1TZ: + Description: Patch Management Maintenance Window 1 Timezone + Default: America/New_York + AllowedValues: + - America/New_York + - America/Chicago + - America/Los_Angeles + - America/Denver + - America/Phoenix + - America/Edmonton + - America/Halifax + - America/Whitehorse + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - America/Edmonton + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - Europe/Amsterdam + - Europe/Belgrade + - Europe/Berlin + - Europe/Brussels + - Europe/Dublin + - Europe/Gibraltar + - Europe/Helsinki + - Europe/Kyiv + - Europe/Lisbon + - Europe/London + - Europe/Luxembourg + - Europe/Madrid + - Europe/Malta + - Europe/Monaco + - Europe/Moscow + - Europe/Oslo + - Europe/Paris + - Europe/Podgorica + - Europe/Prague + - Europe/Rome + - Europe/Sarajevo + - Europe/Skopje + - Europe/Stockholm + - Europe/Tirane + - Europe/Tromsø + - Europe/Vatican + - Europe/Vienna + - Europe/Warsaw + - Europe/Zagreb + - 
Europe/Zurich + Type: String + pPatchMgmtTask1Name: + Description: Name of the first Task to Update SSM Agent + Type: String + Default: sra_ssm_agent_update + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Task Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + pPatchMgmtTask1Desc: + Description: Description of the Task to Update SSM Agent + Default: Task To Update SSMAgent On Managed Instances + Type: String + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Task Description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + pPatchMgmtTask1RunCmd: + Description: Patch Management Task 1 Run Command + Default: AWS-UpdateSSMAgent + Type: String + AllowedValues: [AWS-UpdateSSMAgent] + pPatchMgmtTarget1Name: + Description: Name of Target Group for first Maintenance Window + Default: sra_ssm_agent_update + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Target Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + pPatchMgmtTarget1Desc: + Description: Description of Target Group for first Maintenance Window + Default: Targets To Update SSMAgent On Managed Instances + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window Target Description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Type: String + pPatchMgmtTarget1Value1: + Description: Patch Management Tag 1 Value of Target + Default: Linux + AllowedValues: [Linux] + Type: String + pPatchMgmtTarget1Value2: + Description: Patch Management Tag 2 Value of Target + Default: Windows + AllowedValues: [Windows] + Type: String + # Window 2 - parameter sub-description and default value + pPatchMgmtMaintWindow2Name: + Description: Maintenance Window To Manage Windows Instances + Default: sra_windows_maintenance + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + pPatchMgmtMaintWindow2Desc: + Description: Description for second Maintenance Window + Default: Maintenance Window to Maintain Windows Instances + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + ConstraintDescription: Maintenance Window description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + pPatchMgmtMaintWindow2Schedule: + Description: Scheduled start time of the second Maintenance Window + Default: "cron(0 0 1 ? 
* THU *)" + AllowedPattern: '^(rate\(((1 (hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*($|#|\w+\s*=|(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?(?:,(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?)*)\s+(\?|\*|(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?(?:,(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?)*)\s+(\?|\*|(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\?|\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\s+(\?|\*|(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?)*|\?|\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\s)+(\?|\*|(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?(?:,(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?)*))\))$' + Type: String + pPatchMgmtMaintWindow2Duration: + Description: Duration (hours) of the Maintenance Window + Default: 6 + MinValue: 1 + MaxValue: 24 + ConstraintDescription: Must be a number between 1 and 24. + Type: Number + pPatchMgmtMaintWindow2Cutoff: + Description: Stop initiating tasks (hours) before maintenance window ends + Default: 1 + MinValue: 0 + MaxValue: 23 + ConstraintDescription: Must be a number between 0 and 23. 
+ Type: Number + pPatchMgmtMaintWindow2TZ: + Description: Patch Management Maintenance Window 2 Timezone + Default: America/New_York + AllowedValues: + - America/New_York + - America/Chicago + - America/Los_Angeles + - America/Denver + - America/Phoenix + - America/Edmonton + - America/Halifax + - America/Whitehorse + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - America/Edmonton + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - Europe/Amsterdam + - Europe/Belgrade + - Europe/Berlin + - Europe/Brussels + - Europe/Dublin + - Europe/Gibraltar + - Europe/Helsinki + - Europe/Kyiv + - Europe/Lisbon + - Europe/London + - Europe/Luxembourg + - Europe/Madrid + - Europe/Malta + - Europe/Monaco + - Europe/Moscow + - Europe/Oslo + - Europe/Paris + - Europe/Podgorica + - Europe/Prague + - Europe/Rome + - Europe/Sarajevo + - Europe/Skopje + - Europe/Stockholm + - Europe/Tirane + - Europe/Tromsø + - Europe/Vatican + - Europe/Vienna + - Europe/Warsaw + - Europe/Zagreb + - Europe/Zurich + Type: String + pPatchMgmtTask2Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Name of the Task to Maintain Windows Instances + Type: String + Default: sra_windows_maintenance + ConstraintDescription: Maintenance 
Window Task Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + pPatchMgmtTask2Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Description of the Task to Maintain Windows Instances + Default: Task To Maintain Windows Instances + Type: String + ConstraintDescription: Maintenance Window Task Description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + pPatchMgmtTask2Operation: + Description: Patch Management Task 2 Operation (Scan Only, or Install Patches) + Default: Scan + AllowedValues: + - "Scan" + - "Install" + ConstraintDescription: Maintenance Window Task Operation can be either Scan or Install. + Type: String + pPatchMgmtTask2RebootOption: + Description: Patch Management Task 2 Reboot Option (Reboot, or No Reboot) + Default: RebootIfNeeded + AllowedValues: + - "NoReboot" + - "RebootIfNeeded" + ConstraintDescription: Maintenance Window Task Reboot Option can be either Reboot If Needed or No Reboot. + Type: String + pPatchMgmtTask2RunCmd: + AllowedValues: [AWS-RunPatchBaseline] + Description: Patch Management Task 2 Run Command + Default: AWS-RunPatchBaseline + Type: String + pPatchMgmtTarget2Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Name of Target Group for second Maintenance Window + Default: sra_windows_maintenance + ConstraintDescription: Maintenance Window Target Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + pPatchMgmtTarget2Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Patch Management Target Group 2 Description + Default: Targets To Maintain Windows Managed Instances + ConstraintDescription: Maintenance Window Target Desription can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Type: String + pPatchMgmtTarget2Value1: + AllowedValues: [Windows] + Description: Patch Management Tag Value of Target + Default: Windows + Type: String + # Window 3 - parameter sub-description and default value + pPatchMgmtMaintWindow3Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Maintenance Window To Manage Linux Instances + Default: sra_linux_maintenance + ConstraintDescription: Maintenance Window name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + pPatchMgmtMaintWindow3Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Description for third Maintenance Window + Default: Maintenance Window To Maintain Linux Instances + ConstraintDescription: Maintenance Window description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + pPatchMgmtMaintWindow3Schedule: + AllowedPattern: '^(rate\(((1 
(hour|minute|day))|(\d+(hours|minutes|days)))\))|(cron\(\s*($|#|\w+\s*=|(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?(?:,(?:[0-5]?\d)(?:(?:-|/|\,)(?:[0-5]?\d))?)*)\s+(\?|\*|(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?(?:,(?:[01]?\d|2[0-3])(?:(?:-|/|\,)(?:[01]?\d|2[0-3]))?)*)\s+(\?|\*|(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?(?:,(?:0?[1-9]|[12]\d|3[01])(?:(?:-|/|\,)(?:0?[1-9]|[12]\d|3[01]))?)*)\s+(\?|\*|(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?(?:,(?:[1-9]|1[012])(?:(?:-|/|\,)(?:[1-9]|1[012]))?(?:L|W)?)*|\?|\*|(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?(?:,(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(?:(?:-)(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))?)*)\s+(\?|\*|(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?(?:,(?:[0-6])(?:(?:-|/|\,|#)(?:[0-6]))?(?:L)?)*|\?|\*|(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?(?:,(?:MON|TUE|WED|THU|FRI|SAT|SUN)(?:(?:-)(?:MON|TUE|WED|THU|FRI|SAT|SUN))?)*)(|\s)+(\?|\*|(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?(?:,(?:|\d{4})(?:(?:-|/|\,)(?:|\d{4}))?)*))\))$' + Description: Scheduled start time of the third Maintenance Window + Default: "cron(0 0 1 ? * FRI *)" + Type: String + pPatchMgmtMaintWindow3Duration: + Description: Duration (hours) of the Maintenance Window + Default: 6 + MinValue: 1 + MaxValue: 24 + ConstraintDescription: Must be a number between 1 and 24. + Type: Number + pPatchMgmtMaintWindow3Cutoff: + Description: Stop initiating tasks (hours) before maintenance window ends + Default: 1 + MinValue: 0 + MaxValue: 23 + ConstraintDescription: Must be a number between 0 and 23. 
+ Type: Number + pPatchMgmtMaintWindow3TZ: + Description: Patch Management Maintenance Window 3 Timezone + Default: America/New_York + AllowedValues: + - America/New_York + - America/Chicago + - America/Los_Angeles + - America/Denver + - America/Phoenix + - America/Edmonton + - America/Halifax + - America/Whitehorse + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - America/Edmonton + - America/Yellowknife + - America/Nipigon + - America/Indiana/Indianapolis + - America/Indiana/Knox + - America/Indiana/Muncie + - America/Indiana/Portage + - America/Indiana/Vincennes + - America/Indiana/Winamac + - America/Indiana/Terre_Haute + - America/Monterey + - America/Louisville + - America/Montreal + - America/Nassau + - America/New_York + - America/Detroit + - America/Tijuana + - America/Toronto + - America/Vancouver + - Europe/Amsterdam + - Europe/Belgrade + - Europe/Berlin + - Europe/Brussels + - Europe/Dublin + - Europe/Gibraltar + - Europe/Helsinki + - Europe/Kyiv + - Europe/Lisbon + - Europe/London + - Europe/Luxembourg + - Europe/Madrid + - Europe/Malta + - Europe/Monaco + - Europe/Moscow + - Europe/Oslo + - Europe/Paris + - Europe/Podgorica + - Europe/Prague + - Europe/Rome + - Europe/Sarajevo + - Europe/Skopje + - Europe/Stockholm + - Europe/Tirane + - Europe/Tromsø + - Europe/Vatican + - Europe/Vienna + - Europe/Warsaw + - Europe/Zagreb + - Europe/Zurich + Type: String + pPatchMgmtTask3Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Name of the third Task to Maintain Linux + Type: String + ConstraintDescription: Maintenance Window Task Name can include numbers, 
lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Default: sra_linux_maintenance + pPatchMgmtTask3Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Patch Management Task 3 Description + Default: Task To Maintain Linux Managed Instances + ConstraintDescription: Maintenance Window Task Description can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + pPatchMgmtTask3Operation: + Description: Patch Management Task 3 Operation (Scan Only, or Install Patches) + Default: Scan + AllowedValues: ["Scan", "Install"] + ConstraintDescription: Maintenance Window Task Operation can be either Scan or Install. + Type: String + pPatchMgmtTask3RebootOption: + AllowedValues: ["RebootIfNeeded", "NoReboot"] + Description: Patch Management Task 3 Reboot Option (Reboot, or No Reboot) + Default: RebootIfNeeded + ConstraintDescription: Maintenance Window Task Reboot Option can be either Reboot If Needed or No Reboot. + Type: String + pPatchMgmtTask3RunCmd: + AllowedValues: [AWS-RunPatchBaseline] + Description: Patch Management Task 3 Run Command + Default: AWS-RunPatchBaseline + Type: String + pPatchMgmtTarget3Name: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Name of Target Group for third Maintenance Window + Default: sra_linux_maintenance + ConstraintDescription: Maintenance Window Target Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Type: String + pPatchMgmtTarget3Desc: + AllowedPattern: '^[a-zA-Z0-9-_\s]{3,128}$' + Description: Patch Management Target 3 Description + Default: Targets To Scan For Linux Updates On Managed Instances + ConstraintDescription: Maintenance Window Target Desription can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Type: String + pPatchMgmtTarget3Value1: + AllowedValues: [Linux] + Description: Patch Management Tag Value of Target + Default: Linux + Type: String + +Conditions: + cNotGlobalRegionUsEast1: !Not [!Equals [!Ref "AWS::Region", us-east-1]] + +Resources: + rpatchmgmtConfigurationIAMRoleStackSet: + Type: AWS::CloudFormation::StackSet + Properties: + StackSetName: sra-patchmgmt-configuration-role + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + CallAs: SELF + Capabilities: + - CAPABILITY_NAMED_IAM + Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring SSM across regions and accounts. + OperationPreferences: + FailureTolerancePercentage: 100 + MaxConcurrentPercentage: 100 + RegionConcurrencyType: PARALLEL + PermissionModel: SERVICE_MANAGED + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: + - !Ref pRootOrganizationalUnitId + Regions: + - !Ref AWS::Region + TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-patch_mgmt-configuration-role.yaml + Parameters: + - ParameterKey: pManagementAccountId + ParameterValue: !Ref AWS::AccountId + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rpatchmgmtDefaultHostMgmtRoleStackSet: + Type: AWS::CloudFormation::StackSet + DeletionPolicy: Retain + UpdateReplacePolicy: Delete + Properties: + StackSetName: sra-patchmgmt-default-host-mgmt-role + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + CallAs: SELF + Capabilities: + - CAPABILITY_NAMED_IAM + Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring Default Host Management Configuration across accounts. 
+ OperationPreferences: + FailureTolerancePercentage: 100 + MaxConcurrentPercentage: 100 + RegionConcurrencyType: PARALLEL + PermissionModel: SERVICE_MANAGED + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: + - !Ref pRootOrganizationalUnitId + Regions: + - !Ref AWS::Region + TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-patch_mgmt-default-host-config-role.yaml + Parameters: + - ParameterKey: pSRASolutionName + ParameterValue: !Ref pSRASolutionName + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rpatchmgmtDefaultHostMgmtRoleStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-patch_mgmt-default-host-config-role.yaml + Parameters: + pSRASolutionName: !Ref pSRASolutionName + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + DeletionPolicy: Retain + UpdateReplacePolicy: Delete + + rpatchmgmtConfigurationIAMRoleStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-patch_mgmt-configuration-role.yaml + Parameters: + pManagementAccountId: !Ref AWS::AccountId + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + + rpatchmgmtConfigurationStack: + Type: AWS::CloudFormation::Stack + DependsOn: + - rpatchmgmtConfigurationIAMRoleStackSet + - rpatchmgmtConfigurationIAMRoleStack + Properties: + TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-patch_mgmt-configuration.yaml + Parameters: + pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly + pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup + pEnabledRegions: !Ref pEnabledRegions + pPatchMgmtRoleName: !Ref 
pPatchMgmtRoleName + pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey + pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention + pLambdaLogLevel: !Ref pLambdaLogLevel + pOrganizationId: !Ref pOrganizationId + pSRAAlarmEmail: !Ref pSRAAlarmEmail + pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName + pDelegatedAdminAccountId: !Ref pAuditAccountId + pComplianceFrequency: !Ref pComplianceFrequency + pControlTowerLifeCycleRuleName: !Ref pControlTowerLifeCycleRuleName + # Window 1 + pPatchMgmtMaintWindow1Name: !Ref pPatchMgmtMaintWindow1Name + pPatchMgmtMaintWindow1Desc: !Ref pPatchMgmtMaintWindow1Desc + pPatchMgmtMaintWindow1Schedule: !Ref pPatchMgmtMaintWindow1Schedule + pPatchMgmtMaintWindow1Duration: !Ref pPatchMgmtMaintWindow1Duration + pPatchMgmtMaintWindow1Cutoff: !Ref pPatchMgmtMaintWindow1Cutoff + pPatchMgmtMaintWindow1TZ: !Ref pPatchMgmtMaintWindow1TZ + pPatchMgmtTask1Name: !Ref pPatchMgmtTask1Name + pPatchMgmtTask1Desc: !Ref pPatchMgmtTask1Desc + pPatchMgmtTask1RunCmd: !Ref pPatchMgmtTask1RunCmd + pPatchMgmtTarget1Name: !Ref pPatchMgmtTarget1Name + pPatchMgmtTarget1Desc: !Ref pPatchMgmtTarget1Desc + pPatchMgmtTarget1Value1: !Ref pPatchMgmtTarget1Value1 + pPatchMgmtTarget1Value2: !Ref pPatchMgmtTarget1Value2 + # Window 2 + pPatchMgmtMaintWindow2Name: !Ref pPatchMgmtMaintWindow2Name + pPatchMgmtMaintWindow2Desc: !Ref pPatchMgmtMaintWindow2Desc + pPatchMgmtMaintWindow2Schedule: !Ref pPatchMgmtMaintWindow2Schedule + pPatchMgmtMaintWindow2Duration: !Ref pPatchMgmtMaintWindow2Duration + pPatchMgmtMaintWindow2Cutoff: !Ref pPatchMgmtMaintWindow2Cutoff + pPatchMgmtMaintWindow2TZ: !Ref pPatchMgmtMaintWindow2TZ + pPatchMgmtTask2Name: !Ref pPatchMgmtTask2Name + pPatchMgmtTask2Desc: !Ref pPatchMgmtTask2Desc + pPatchMgmtTask2Operation: !Ref pPatchMgmtTask2Operation + pPatchMgmtTask2RebootOption: !Ref pPatchMgmtTask2RebootOption + pPatchMgmtTask2RunCmd: !Ref pPatchMgmtTask2RunCmd + pPatchMgmtTarget2Name: !Ref pPatchMgmtTarget2Name + pPatchMgmtTarget2Desc: !Ref 
pPatchMgmtTarget2Desc + pPatchMgmtTarget2Value1: !Ref pPatchMgmtTarget2Value1 + # Window 3 + pPatchMgmtMaintWindow3Name: !Ref pPatchMgmtMaintWindow3Name + pPatchMgmtMaintWindow3Desc: !Ref pPatchMgmtMaintWindow3Desc + pPatchMgmtMaintWindow3Schedule: !Ref pPatchMgmtMaintWindow3Schedule + pPatchMgmtMaintWindow3Duration: !Ref pPatchMgmtMaintWindow3Duration + pPatchMgmtMaintWindow3Cutoff: !Ref pPatchMgmtMaintWindow3Cutoff + pPatchMgmtMaintWindow3TZ: !Ref pPatchMgmtMaintWindow3TZ + pPatchMgmtTask3Name: !Ref pPatchMgmtTask3Name + pPatchMgmtTask3Desc: !Ref pPatchMgmtTask3Desc + pPatchMgmtTask3Operation: !Ref pPatchMgmtTask3Operation + pPatchMgmtTask3RebootOption: !Ref pPatchMgmtTask3RebootOption + pPatchMgmtTask3RunCmd: !Ref pPatchMgmtTask3RunCmd + pPatchMgmtTarget3Name: !Ref pPatchMgmtTarget3Name + pPatchMgmtTarget3Desc: !Ref pPatchMgmtTarget3Desc + pPatchMgmtTarget3Value1: !Ref pPatchMgmtTarget3Value1 + pDisablePatchMgmt: !Ref pDisablePatchMgmt + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + + rPatchMgmtGlobalEventsStackSet: + Type: AWS::CloudFormation::StackSet + Condition: cNotGlobalRegionUsEast1 + DependsOn: rpatchmgmtConfigurationStack + Properties: + StackSetName: sra-patch-mgmt-global-events + AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole} + CallAs: SELF + Capabilities: + - CAPABILITY_NAMED_IAM + Description: !Sub ${pSRASolutionVersion} - Deploys EventBridge Rules via ${pSRASolutionName} for capturing global events forwarding to the home region. 
+ ExecutionRoleName: !Ref pStackExecutionRole + ManagedExecution: + Active: true + OperationPreferences: + FailureTolerancePercentage: 0 + MaxConcurrentPercentage: 100 + RegionConcurrencyType: PARALLEL + PermissionModel: SELF_MANAGED + StackInstancesGroup: + - DeploymentTargets: + Accounts: + - !Ref AWS::AccountId + Regions: + - us-east-1 + TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-patch_mgmt-org-global-events.yaml + Parameters: + - ParameterKey: pHomeRegion + ParameterValue: !Ref AWS::Region + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName
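Review bot: The ConstraintDescription on the name and description parameters (pPatchMgmtTask1Name through pPatchMgmtTarget3Desc) does not describe what their AllowedPattern accepts. `'^[a-zA-Z0-9-_\s]{3,128}$'` also allows underscores and whitespace and does nothing to reject a leading or trailing hyphen, while the message says only letters, numbers and hyphens are valid and that the value cannot start or end with a hyphen. The defaults themselves (`sra_ssm_agent_update`, `Task To Update SSMAgent On Managed Instances`) depend on the underscore and the spaces. Either tighten the pattern or reword the message to match it, and fix the "Desription" typo in pPatchMgmtTarget2Desc and pPatchMgmtTarget3Desc at the same time.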
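Review bot: The rate() branch of the AllowedPattern on pPatchMgmtMaintWindow2Schedule and pPatchMgmtMaintWindow3Schedule is inconsistent about the space before the unit: `(1 (hour|minute|day))` has it but `(\d+(hours|minutes|days))` does not, so `rate(2 hours)` is rejected and only `rate(2hours)` is accepted. The top-level alternation is also written `^(rate...)|(cron...)$`, which ties `^` to the rate branch and `$` to the cron branch only; wrapping both branches in one group between the anchors makes the intent explicit. The expression is pasted in full for each window, so any fix has to be repeated in every copy, and neither parameter has a ConstraintDescription, so an operator whose schedule is rejected sees only the raw regex.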
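Review bot: The AllowedValues list for pPatchMgmtMaintWindow2TZ and pPatchMgmtMaintWindow3TZ contains repeated entries: America/New_York appears three times, and America/Edmonton plus the run from America/Yellowknife through America/Vancouver appears twice. Deduplicate the list and check each name against the IANA tz database before merging; America/Monterey and Europe/Tromsø in particular do not look like tz database names (the Mexican zone is spelled America/Monterrey), and a value the service does not recognise would pass template validation here and fail later.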
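Review bot: In rpatchmgmtConfigurationIAMRoleStackSet and rpatchmgmtDefaultHostMgmtRoleStackSet, `FailureTolerancePercentage: 100` means the StackSet operation never stops on failures, so accounts that did not receive the IAM role are not caught at deployment time; rPatchMgmtGlobalEventsStackSet uses 0, and the role StackSets deserve a deliberate value with a comment explaining it. rpatchmgmtDefaultHostMgmtRoleStackSet and rpatchmgmtDefaultHostMgmtRoleStack also pair `DeletionPolicy: Retain` with `UpdateReplacePolicy: Delete`, unlike the other stacks, which use Delete for both; if retaining the role on stack deletion is intended, say why in a comment, otherwise align the two policies. Naming is inconsistent as well: logical IDs mix `rpatchmgmt` and `rPatchMgmt`, and StackSet names mix `sra-patchmgmt-` and `sra-patch-mgmt-`.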