From 82545225ca713aa1482c3b69b98ae9943f6c878a Mon Sep 17 00:00:00 2001 From: Jef Roosens Date: Tue, 31 Dec 2024 14:47:50 +0100 Subject: [PATCH] ch06 finally done --- 06_domain_domination.md | 354 +++++++++++++++++++++++++++++++++++++ img/ch06/kerberos_auth.png | Bin 0 -> 31078 bytes 2 files changed, 354 insertions(+) create mode 100644 06_domain_domination.md create mode 100644 img/ch06/kerberos_auth.png diff --git a/06_domain_domination.md b/06_domain_domination.md new file mode 100644 index 0000000..5ed2e52 --- /dev/null +++ b/06_domain_domination.md 
@@ -0,0 +1,354 @@ +# Domain domination + +## Kerberos + +* main modern authentication mechanism in an Active Directory domain +* protocol based on tickets +* allows client and server to communicate over insecure network + * requires both to trust the KDC third party +* main actors in transaction + * **KDC**: Kerberos Distribution Center + * **Authentication Server (AS)**: verifies uses and issues Ticket + Granting Tickets (TGTs) + * **Ticket Granting Server (TGS)**: issues service tickets based on TGT + * **client** requesting access + * **service / target** the client want to access +* Windows can fall back to NTLMv2 if Kerberos is not available + +### Authentication + +![Kerberos authentication](./img/ch06/kerberos_auth.png) + +* operation + 1. request to AS on KDS + * request includes timestamp encrypted using client password hash + * AS looks up client password hash and decrypts timestamp + * client gets ticket-granting ticket (TGT) including session key, + encrypted using client password hash + * session key encrypted with KDC secret + 2. client stores TGT for future use + 3. 
request to TGS on KDS for service access + * client sends TGT and request for service + * TGS decrypts and verifies TGT, and checks that user is authorised to + access service + * if yes, client receives + * service ticket (ST) encrypted with service's secret + * client-service (CS) session key: client and service use this for + secure communication during session +* 3 long-term keys + * client long-term secret key: based on password hash of client + * KDC long-term secret (domain key): based on password hash of **krbtgt** + account + * used to encrypt TGT + * used to sign the Privileged Attribute Certificate (PAC) inside TGT + * target long-term secret key + * based on password hash of target service + * used to encrypt service ticket +* short-term keys + * session key + * used to encrypt auth token sent to TGS + * used to ecrypt CS session key + * CS session key + * used to encrypt auth token sent to target +* if KDC long-term secret is leaked, full freedom over domain is acquired + * Kerberos uses highest encryption available +* AS request-response + 1. client uses password hash to encrypt initial request + * contains + * identify + * optional timestamp + * requested ticket lifetime + * ... + * hash can be NT hash but default is more secure hashes (PBKDF2 + AES) + 2. send request to AS + 3. AS attempts to decrypt message + 4. 
on success, reply with TGT and session key +* TGT consists of + * username + * start time and end time (validity of ticket) + * PAC (privilege attribute certificate): details user's privileges and + access rights, dual signed + * with target secret + * with KDC secret + * client/TGS session key + * encrypted using KDC secret +* TGS request + * authenticator (encrypted using client/TGS session key) + * client identify + * timestamp + * optional nonce + * service ticket request: reference Service Principle Name (SPN) client + wants to connect with + * TGT +* TGS response + * if TGS receives TGS request with valid TGT + * TGS checks client is authorized to use service + * if so, create service ticket (ST) and send it back + * KDC does not validate privileges + * ST has two parts + * client portion encrypted using client/TGS session key + * server portion encrypted using target secret + * includes PAC of user +* PAC validation + * KDC signature (server signature) + * generated by KDC using its private key + * ensures PAC was indeed issues by KDC + * service using KDC public key to verify signature + * service signature + * signature crated by service using session key shared between TGS and + service + * ensure PAC is valid within context of service + * service uses target secret to verify signature + * target service decrypts and validates server portion of ST and reads PAC + * PAC not always fully verified for performance reasons + +### Attacks + +#### Kerberoasting + +* comes down to cracking target service hash +* operation + 1. query AD for accounts with SPN + 2. request service tickets from KDC using identified SPNs + * a malconfigured Kerberos can be negotiated to use weaker encryption + 3. extract service tickets + 4. 
brute-force them offline to recover credential +* no communication required with target service +* no elevated credentials needed +* explicitely targets service account passwords + * these are chosen by humans -> probably easier to crack +* should focus on interesting services: elevated privileges +* mitigation + * frequent password rotation + * use safe passwords + * use managed service accounts (MSAs) or group maanged service accounts + (gMSAs) + * automatically manages password rotation and other security features + for service accounts + * monitoring and detection + * properly configure Kerberos to use strong encryption + +#### Silver ticket + +* forged service tickets + * no need to compromise krbtgt account + * relies on acquiring NTLM hash of service account + * relies on Kerberos not fully verifying PACs +* custom PAC + * escalated permissions + * encrypted using NTLM hash of service + * PAC not valid but often not checked for performance reasons +* mitigation + * stract PAC validationn: performance impact + * disable NTLM hash usage + * regular password rotation + * use safe passwords + * use MSAs or gMSAs + +#### Pass-the-ticket + +* extract ticket from memory of compromised system +* use this ticket to request service tickets + * if admin ticket, go straight for domain controller + * use `psexec` on services to pivot +* mitigation + * use Credential Guard (encrypted storage in memory) + * monitoring and detection + * least privilege: limit impact of compromised credentials or tickets + +#### Newer defenses + +* protected users + * sensitive users can be marked as "protected" + * keys are no longer stored in Local Security Authority Subsystem Service + (LSASS) + * strict limit on caching + * weaker encryption schemes not allowed +* credential guard + * CPU-hardware assisted memory isolation + +## NTLM attacks + +* 2 main strategies + * sniff challenge-response and bruteforce client password / NT hash + * relay SMB connection (relay attack) +* attackers 
want victims to connect with their machines + * manipulate NBT-NS (NetBios Name Server) or LLMNR (Link-Local Multicast + Name Resolution) protocols + * both allow hosts on subnet to resolve hostnames using multicast address + * attacker poisons the response to trick them + ([responder](https://github.com/lgandx/Responder) is a good tool for + this) + +### Spoofing attack + +* LLMNR or NTB-NS broadcast + * used if DNS resolution fails + * broadcast is unauthenticated UDP broadcast + * any host can answer claiming to be target + * attacker can listen for broadcasts for spoofing + * similar issues on Linux with mDNS +* web proxy auto-discovery (WPAD) + * most browsers support automatic proxy detection (WPAD protocol) + * protocol tries to resolve [http://wpad.internaldomainname/wpad.dat] + * attacker can pose as web proxy + * attacker can now see all web traffic and execute JavaScript + * mitigation + * ensure DNS entry is present + * disable link-local resolution + * disable autodetect proxy + * monitor network + +### Offline bruteforce + +* obtain NTLMv2 hash + * spoofing attack + * infected Word doc + * ... 
+* use hashcat to bruteforce hash + +### SMB relay attack + +* trick client into connecting with attacker +* relay authentication messages to KDC +* mitigation + * disable link-local resolution (as usual) + * SMB signing + * isolate clients using VLANs + * monitoring + +## Active directory recon + +* tools to automatically query and analyse AD information once host is + compromised + * look for excessive permissions (useful for lateral movement) + * BloodHound generates diagrams of active sessions and relationships in AD + * can find shortest path to domain admins from kerberoastable users + +## Windows privilege escalation + +* principle of least privilege (POLP) + * users should get exactly the permissions needed for their task, no more + * best practices + * make this default for all accounts + * use flexible ACL platform to security elevate and downgrade + credentials + * audit privileges regularly + * monitoring +* common flaws + * applications with known exploits + * DLL search order hijacking + * place malicious DLL in directory searched early when loading DLLs + * proxy original DLL requests to hide exploit + * loaded DLL gets same permissions as application using it + * unquoted paths with spaces + * `C:\Program Files\program.exe` + * if `C:\` writeable, trick Windows into executing `C:\Program` + * `wmic` tool lists services including vulnerable ones + * writeable windows service executables + * overwrite binaries with SYSTEM privileges + * privilege escalation + * persistence + * stealth + * mimic original behavior to avoid suspicion + * unattended install files + * used to perform automated installs + * can contain plaintext passwords, info about file locations... 
+ * sometimes not cleaned up -> can be read by attacker + * group policy preferences (GPP) + * allows admins to create domain policies with embedded credentials + * insecure storage mechanism + * GPPs stored in XML file in SYSVOL (readable by all domain users) + * passwords encrypted using *known* 32-byte AES key +* [The C2 Matrix](https://howto.thec2matrix.com/) lists all known commercial + and open command-control tools "for testing" + +### User account control + +* separation of admin and non-admin functionality + * allow users to run common tasks as non-admin or admin without switching + user + * local admins run most stuff as non-admin + * user is asked for credentials if admin is needed + * access token is generated for users containing access level of user + * mean to improve security + * levels + * Vista: on or off + * later + 1. high: ask user for all changes + 2. medium: only notify when programs want to make changes; programs + can't interfere with prompt + 3. low: same as medium, but screen isn't dimmed and programs can + interfere with prompt + 4. never notify: never ask + * can be bypassed + * DLL search order hijacking + * Metasploit contains UAC bypass techniques + +## Domain dominance + +* gain privileged position within a domain +* typically done via + * credential harvesting + * privilege escalation + * lateral movement + * exploiting vulnerabilities +* implications + * widespread access + * persistence + * data exfiltration + * destructive actions: randsomware, data wiping... 
+ +### Retrieving AD database + +* credentials stored in `ntds.dit` file + * encrypted with PEK key stored in registry (`syskey`) +* if admin access possible: use Volume Shadow Copy to create read-only copy of + file +* badly secured backups could also be exploited +* tools can extract key from registry + +### Kerberos golden ticket + +* golden ticket = TGT created by attacker + * needs target and KDC secret + * TGT, so secrets are identical (target service is the KDC itself) + * requires access to NTLM hash or AES key of krbtgt account + * tools allow extraction from memory or `ntds.dit` file + * typically for domain admin account with very long validity +* first interaction is TGS request using forged TGT + * Kerberos is stateless, so doesn't know no authentication was done +* mitigations + * try to detect tickets with long validity + * change krbtgt password *twice* + * KDC keeps track of last two passwords and allows either (bruh) + +### Skeleton key injection + +* only works for RC4 encryption +* tool patches memory of LSASS process on domain controller and injects single + password that works for ny account + * manipulates how encrypted timestamp is validated + * allows encryption to work with either user's NT hash or skeleton key NT + hash + * not persistent due to injection in memory + * simple if admin rights are acquired on domain controller + +### Domain replication attacks + +* dcsync + * impersonating domain controller + * requires domain replication privileges + * all domain accounts should be considered compromised +* dcshadow + * more intrusive + * register compromised host in domain as DC + * craft useful change in schema (e.g. changing passwords) + * trigger replication + * rogue DC can be demoted after as change has propogated + * stealthy: logging is usually done by DC starting the replication (bruh) + +### Creating a domain admin account + +* possible with any user that can create users with arbitrary groups +* noisy, will most likely be seen 
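Review bot: in the Authentication section the AS reply has the encryption the wrong way round: `client gets ticket-granting ticket (TGT) including session key, encrypted using client password hash` followed by `session key encrypted with KDC secret` contradicts the "3 long-term keys" list a few lines later, which itself says the KDC long-term secret is `used to encrypt TGT`. The TGT is encrypted with the krbtgt key, and it is the copy of the client/TGS session key returned beside it that is encrypted with the client's key; that is what lets the client read the session key without ever being able to open the TGT. Same section, "PAC validation": `generated by KDC using its private key` and `service using KDC public key to verify signature` describe an asymmetric signature, but both PAC checksums are keyed symmetric checksums. The server signature is computed by the KDC with the target service's long-term key (the key the service later uses to check it, as the `service uses target secret to verify signature` bullet already says), and the KDC signature is computed with the krbtgt key over the server signature, so a service cannot verify it locally and has to ask a domain controller. The bullet saying the service signature is `crated by service using session key shared between TGS and service` is therefore wrong on who creates it and on which key. Rewriting those bullets also makes the section consistent with the silver-ticket notes, which correctly depend on the service key alone being enough to forge a PAC the service accepts. Smaller corrections in the same file: KDC is the Key Distribution Center, not "Kerberos Distribution Center"; "KDS" (twice) should be KDC; "Service Principle Name" should be Service Principal Name; "client identify" should be client identity; under "SMB relay attack", `relay authentication messages to KDC` should say the NTLM messages are relayed to another server that accepts NTLM (the KDC plays no part in NTLM); "NTB-NS" should be NBT-NS, and it expands to NetBIOS Name Service rather than "NetBios Name Server"; under "Retrieving AD database", the PEK is stored inside `ntds.dit` and is itself encrypted with the boot key (syskey) from the SYSTEM hive, not "stored in registry"; the `Kerberos uses highest encryption available` sub-bullet does not follow from its parent "if KDC long-term secret is leaked" and should be moved or dropped; and there are typos to fix: "verifies uses", "ecrypt", "explicitely", "maanged", "stract PAC validationn", "issues by KDC", "randsomware", "propogated", "ny account".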
diff --git a/img/ch06/kerberos_auth.png b/img/ch06/kerberos_auth.png new file mode 100644 index 0000000000000000000000000000000000000000..559aff11ae4a6d2d4f890d05c870813f4bf960a5 GIT binary patch literal 31078 zcmbrm_al~l*gt-n2_Ye?5}}NYija(mmQ-d`HYFn~dyhz>VI(WNC?YF+wn>pal9|0n z_`clF^L+k+@Abodt1jntj`#aGUhBAm)zwsXP_t7L1hM0cs?ueGAeAKu5?3lx{Ef$H z&wcnGnZ4o}4Jsh;cFTCBZ7`4$Tw^>_X-^|<5x%DC=jEs#%Zj?WN`cyedo$takhv`0rW5?e0h$wI| z@Q^hN*B&2UnHyH(&V6rv?AS3)O-&NwMRIa+Q4#Hq9VCRXurT4BlOwuq+cr~E(<4WY zczSN&XtfOuuQD?i?6%`9#dMlVO76`(2ne8vP^G1z`FqGOGBPqh|ELuu4oF8AR$HsY z9YJ*^LqmXu=A1|rE`2B21DpNPjf0<~_MLFHU7GB!yT4n`eVKu1`uQ{8^fSw~Yu9$| zdMvm3@3CT%LCnK_a@Hm$CI$w!<88TnWSmk`Q>z?y?~WR7OsHvmbG^*Y$*KOZ%gpb( z=Ti1Zj~-tY*g zOH;bKy4Kd#(H10xg);7c9}OPMoC{8BcJQ;LRfmSI?sl*ByOUjPOicL(Riv`AvLYfP za&mIfbM+56+?FOaFJ00tvNd#eUdB^6d+uC+re2|SYI=H2BO4oAp>?-!!ra{4@YmRF zgifB>1t+J12M;dj>2VNT5)w{5r7q8(KmYsdO@g%JEl0;=f`Wp_R}gVdU|?t9;+Hk zN`Gbs8nUuBmn4R!rs&uGH#Rob^Gi!hISDR4zQDV?a8mV&8!SdTeSLl2FDQtE0s=4J zy!qAA5)c#^7?{83kcY=Q$6HPyU;2d*~VgaP3rG5JJY5!Ha0U-m) zOS-x-ss|W@mB`4*O7)n0i2V=&poC)+!B4hafYxUalj%RKX#kN3cV<>lq^-ijMnuGn{%IQr#i zDJhW?>X$AhrKJVl{fwmvc^4DY&!0cZ39iQ@xVfvVt4ZTmr~6OczMbXo@1LD*b@}q6m>9P6Q)6Qx z_wIf8^5p;n6+SKJ#j|J6%p2pMMn>Y}u^gKN4-E|tdaNy8P*yf=PC3(^y*@v>i=RI| zEsf90$kcQYYY6WwDk}Qf(sJR#g_}{02F@Q3@=KI$c$oRcruuVje{hSZUIH~eIpE8e z^Nx;=SGyHOBec)Fn~Zu}ETy~Wg0iIUxsd7H0jr&)VyfW@3_i;N7B|z$l_S>+nAZ9iyP2;Lo2wSaLJ7v%jrAA17Zdw78<)YpJ1-q>ej)g+3$Uza7gn z^X1F8xjUj%*wI#I&NW>teSdeV=bh#53D=}ATb&7qcx>M+!>h6~1;_@D?UadwWE^P>C3%CQaQZ0zsfi_eee=HyIIcE8_hw6)Wu#&lElnzWb7l=vJz zQEw=Um@ioQv3)osBt%YFSXhK|eD}reM44x1VHp}8K2m1OwC$lh7i&|qnoHEBgxR^> zW1{_}`X596{K#xhMbqn>Quc7!E3BjMD?AK2@GDU2(HyNmRhC~n4W$pO))o%9w@G%0 z#c1Bofo31)1tqidLp7b$wIWLHW`0ZSzSqSw&f2-Oooyf4zQ2lHw$x>=zNRL*q@?5P z*RMZ*JT~0x<+X_tYHw@HDd*{4dwa^oQ;WuN#*xiE(im+|GXWks(EInX9@X zjOCDg=mFkidt~DjJ+i)^adTU%4xj;iAtA0`zg|*Of(7N^^61ec3F|JZ^drJI%1?-h zTvSx_J$zAKz7kuHgh0hqQ&Y>#%yjN;S68^hMpgUfKCX*RJ5@XW8O;O#2#W_2Xo*P{ z3gw>b9kLf)U8N 
zEW5T4)jt8QI(B>2vuCT5GOtHVSaoFU6}mR&IiOITi~8*$d7kXQ)o$>jUZ&HMno+3s zIPu?K$p7ZZ&Vu zM3L*lt+c3zTTn67@M@=Y_ucN4%T>Gyrlq?^u3cV=cQ0`jJbdg`QC{9T=XMn-1;zYEe%mH8YfgKzY1Q9Rm#=^o&cxId z@CNH+t<>abQ%j37mnc6cXV04_Pnc+Eo-qdS@3d)tI;b4{e0-;kxW$i}-jpkuKY15j z(|$ZLq!tvs|LEVrRS89dhe~KH01$(}e^+;M4si(yx%XEGL`O%5hKBNAjBjffTXEc~ zt+dX|(@EzgSwybWHcocDJ9qZ%r;ZL+ymfVT72s`Z?$P(kAo_i(2QGscTsccaM;93p zk@@CL!&-soO@Wu}6=qC-)goG&!@qqK6gjw2A(`GxjEVpQZ(zmCml=t^pP5&Zl9Hx+E4C5gst1V52ON^_9v+2Oos`B2 zcJ}r(G&F7%CQrD8h083ybMM%(qjZOY=!0LmY#IVB@+v+L+P(YNuU|DZY|TG^GVR-ULt8uj_3N-h7qqp1H9XvRKO{s$Q#1X1 zjIU|h|P-oK^V*ON=T3rTv&~1dW(@)0w~VxEB|-gWwd4Tf!3)^3b77(PsLhdWNhs0 z`SXAC>mfUt$I(Ctqh~ZuhvuL|q50@Zp2S*JsB7!vemY zA>{4t=kjmzf;L#`UzvslJGc$;sVNR_5jACcVDAx?qVj+qNwT6bp+NP`P^k z-#>R=-qg%1=^$t_GBT*Q4Gj%To-!(7oH632XO)#Hh{TKx)e9HCe)@E){jDkRzHQZy z`FRIs=BI6KI?)v=DX3eAq@~$=)1~N~*CmWegEO-C%P3z9Nr;jWm+(_unVN`?y+4p( z|7tsVt6bR0F0X&zZA%v(((c)_r&}d#6s^nR=FL&ri<+9uG3V>otfRMhAaU^U;mPrF z4Rv+a)~j@TPki|NSr1!HPcJqqs^RO`9Rw8(&Hdou?ez3--n>~_T%@C-^49xvt=Nv2 zmv;~a<=wk?EiEm0!m_;0GY$K^@DccP%dcOt&z?>8l*KM)-M@bh%+AH77&|N~N?W9r zkDq@H;COjCBQukP`1V}t$M^4-badL9nhb8Xp@Azjt*b!HZc=-44x3^keg4BMwpYie~HNn8Z zkdv2(ax*y^CM_eQ{pPyWty^RL{XXqCO-(62>z27LJmNivJ;B7x42Y0Rr=_9sBq?eC zzJ2?88treB#rY4V-I}(I%ML^6z$fXmt+pv28;2yqIwRRsJ86k*Dg=bg`z}T8v zT9HqlWZkGJmn(T19^N-ONk>?qbB&MdzjqQQD!+e^P%FgBnCgDNd*@CPO=?n=mwo1j zhK7d^A6_0#fAeN)c=+z`+U;$5RcA-yRcS)E){ajQK(J_p(>#s1VYNRfNc`l7h6a8S zktvjLoulrChDnexta9K6Kf&MK#LK2orIcGT+BxFjgSAsx|MZXEOnmY78O<3)h$j}y4q(z z6kI;$pu8xh*c4|!{B5GAjALw<)+|bvTEfW(sq!)qQBb)+o1Z*=3UPyNvN&u+&P1G- z?<5D2<21aZWBzV%F_uo3K4*UL%Mha|_efzon(2xeGulxoL;1zUE+!@i2yZ2B;j8%> zZhOz2JGXuN_KfrF?CiAHl)!80QCsNppbtHC{7zc-x3$V|Tc*YsKp*s?O53&JnXf<6 zFG5qij6M$2CpO!9Ra$ZIk2_6smxy zC@3iI*x7+|v6SmJ8=9ER_tyk9HL0UzOvcyesy-~yym5nGMWnQ>%uC@rDFN9JhxHE% zYN)H*-|c(v{(W@N&E*;6dxNUy&MlR{C*k1e#6!l#3keG+ob)Jho-x8Fb#>{VI&~^= z#p?EL#$CGrcH9AyZ{M&F3}!f3*_Nh)ol6j`btkz{m5p!T9v>Q7oFBas&3*8oDt82H z$4%7djrBFu<@P-D=5j4obMBD_OGX+iQ?v>!ct 
z_UYrtb`OKZi>NC9*4JyQt2Z{*Y@%NzB}IgXSBmBV-=GQuU)eFz?J0WsW#0Z6`n-LrS^w|N1OCY&UiJ_je~mv7%rg2q7MNFKmahDry#a543A@{1SPrl6DV ztMfNWeYgY#W6>I)JR!fK#>UrN{qZ9Z&f2dVUcvY8@1pWIZU~b)ew^0YSPPpEIs>$g z*x1<5A3s8@71Dic0$gH0^aW(>%!La9{nrWN$dSCo#l`vg`J{{9Yjrm*Zl629v7fJ6 z=FGyT+pG8#f&KgIqn_zrzIxqjV(~qV!uQ7-ynNFPSMoyUW?vQE8|PmXsqAzj-^J=} zjXu7k;p~-UhTCn%N7Y-^D?e3pODj-DbpRtJ-8R6drxX{rH#XWd#zS+bpa=kSssZE1Oz zu5|eDYqle1z#TPL4__}WGOVF28u*SjEuvpU{1|=v@$=^+rF*t-55}7+k4MZ6H)?BY zUaRoz{_(>ea&Wp@9JXhP{V*NW+KKsFV380h0oiAACAq>(hM&fc2pZE2HUBPfUyWTJ z&+4)(%d}G@Jz?`Z?+}x~6#4H`sjESE+bv%{EQt&fQvfM*=BRcT5EQJM7Fw)t{&92` z+=-P}Uq|Plu<#C|t;F#!x*n7s!1BPmezY{`B-5>s75bTYfr_Djp^{WRpgbM@HqiIO z`1>2w$=Yh2lA52GriK(~nFXHWf%K1$kN^F9zfibFRnf_BAd?nQ|EbH7CmccgJ>iM! z8GGVPxQA7hnmh#i-!5oV5X&~|xvis9I-^(&QNnul)zyqFEE0Do^*K93irrUc>)P6i z%F5PJtQ;P%27UAX#gArmy~uWdkCnJkN_skd8AF=)A(jB?5LeH8`yV}ju7CY{7-ivU zMs(nao!JUUyf)k+Wj%k+iRJ?wJ83Ub&s|qnN5A)kg^kT_CMN$Lx*^}zmOa-%of`nq zb@cS;zXyk~nll8~dTp-%`taf2c|JMkX~M=n`U?uWSd`2zg_2`eBvwJsE)_N`6*C^`6fdAp157!TAxaB#T}Ae?Q5J+px21zk4ae{fyTDZqG$ zfY;wUP3Sx%Q78%E7bksb`CwBhb8}||+w;quDioo~{f?$)Nef%@%ntFG^Y7~=PigPJ zW|ZLa!NhJV&$^ymwQzddV%e&O2)WVih#NH#TAu<6nR!&Mw-_u|jZ$2?bP1qnr2TPJ zlzEZnOjofz2tOJDsT>-DQ)8ZCO(5`@hPE~tu{hZ+LzgDO)6Fi-wV)V!gf4LZ@S^&5 zDk@t$yO$Xm(MQbbx>9`UxFeP!?Clo0&Je5wz!8`ocRwaZcZ%(v((ivOb8d}10ss_XU^!3P@+wgxHm=gAP?$=|Yv+O7_K}6Vzm&+081SnTAE+~aLoD)PJ=~X} zX=u2=Cs1_X@vkutA3hxAeK>K@bIbVqfi6H0(8^a({QIqFjud-sdfvV*L{$EKvSRP7 z?zOeDY-{T4Pv5w)CHPfrZmhMu(oRiDnJ&1u9mJcLpP!8QGdQT7eYI|W_J7qU2xKQ+ z=RbV=HVK3U(Go9bz1pK#FYzZ_s%vU${!gchhXe+OebRk-8bpPenYl*$(z$b=L08aI z%)c?Quyyn)>NweAfK4OLxhYi-ri)04?6xC86N&WY0>)kM;6-~Wu^({yNc{XM@R?b+MzzGY!STWEEju|Q0N58D&S#o*!XV0jyGOi^Y*7D_0fe{SwhoA=RQ zV5_35U%7HcC96IsCr8SD=t)!*eJ&?VW3UawAeD!Euf4maDYCL{hJ5rTD+BCVt;u@O zj@&#rB>MXLI2Bke<>lob*L_*P3h5PuN*@FQ4Jw>iH>&ik4hsu|*H`*=FAG}Zj6{-3 z$o=~;J+m`mSfQ>sch;Febin=0ZIM&)hA0F81HvdKmYekC@#Dv*WDJjhipt8yolRXl zS|WOnUsb!#JNoz??&n8$v9mu554Q#LBfMci6MYboXm%eyDk@s!H1X`o6Ac)>Dk>^d 
z@SvB)4Z2;Irva`PP8dr4UlxFVM#AmOl^ZuM@;wgl_Yc%jyK-e$%z3k-{5h_~^|(~^ zgU|yY0(IvB41lpL*q82ZZfdHms!|Xv(~(in{JGKD3wzDd+<0xXyacETOOc#3sd4Q^ zO?P+M8oM=2p4+!?A7I>mZZ!26DR#K;Iws&8m$a+sHjyqrs}Ulm5yG1E^>SX|)0hYlU;h~Wg`Cm|u3 zp2PF%dq2^bAeWk&3bMw{!-F4gmR*DZ(my!J%)p?NYeeC$Vs);P0sV54qBp)PIOR^Icjs;bSM@S9A9|cl9EeNA~%3FusL&^v$C^+ zGw%LpdE*4&Y8$MA^`QttH{v@VodX8jqen)14l^z;uQiH3xH!oF~OX_QD`!VlJio;#{UIIcZ2%ska|tJfa}Ns%>A({Q(8Ydmdzl->r7a$#udZ&}S4pC$*ZEXXo0I@) zd&nte2VV{(6}S3!TTT`Ffszu^5p`d`UbuL13X2=dROap^)SrL=4J|Drk4$VnP}#*r zC+8x7QGgBDljwfTf?CdQZZ-X|FZmgRnfC0tz#Z{6FOP(P7`ls*5eupVaTZ)R$W?Y6 z01D{L{Kv=q5CUkZsUeyX1YCD$W6*2kf0U&bV zf2_$H6`rz0VtM&VZf+x}oP;+DDr{%!08%1R{b18eG-_LW`x^7_S1b(z*;rYZS62_; zDDQ%g+uF*a_9`ngv#S0JPOPiDdpA@B-~n7dcwooc%dD)fqB{d{$FPFXMm;^Teyggg z0Jw05AoFYRX=?;1R}B zDzT9IlJfKCR~P>Fn;$xq2}))pg*8*%(6G&hdeIra+~`&D{rgFX>ECrU9RjYmc1T+! z>?!>Lou|4HN+kHKjfF+x*M}|dp&3BO9v`=_Pa6b5 z5ForOE9C{AK70Il*QQ+Gx_BwMPi5TRb$=AhCd;EE3~9OF@Z9@F7M>is5`Enn$rGdm zqN7(i4%4(oeytexq9zs~<;U&o5R08?un*gi8*rWu2 z)|yZ@R9k-j24ofXIypL4_3vBW^nRW({Rs6r4u;vki}i35Ab~(Yniv`~v#?-gU`TxP zrq}!ufDL4>{G6QSfroO7Q@!-b90n_NbabNQ+`PQNL^1t?uCA`Q>)*eB2R8;9wpDr% z2Jl1>*N!S(%>M2*Ha6xOlC!+N)Cx&Q6z6yB7|ht>^?zqWx4UxmcD%FHK7G0#L9boR z%oKaXE7-9H9`2Pjnza3e)@_5h%tXgK-8?f?PLR$Wk7r2#dl3Xq6I%?aF3;<#sh3gz za&Fv$2?k|meB8U5D(TrRRPT%ogWze34=pVygN`+UJD~ac`1s)W%68X5m)W;(YIM}) z-|`G9yNa?hQWMp)=3k#ttet`ZsbjHyPgYhIHa9*BNe;Dh=lra7r27u;?%uK3!@lmL zm^A;>0`&*m5BgP31KBH3m4=tGa$cSn&xVSPY}>K1#6nu=_Zx>mzur41rGEC7^j?0g z9l7CR51tkzzGzdAz0(Bw9~l?wF)d9^psp5djr#W5_dO2xpFUl{&V}T-RVo7C2L=NV zp!y<~b6mQ67y2uRD&ehspJm6$HiyJ5p=@LXn78@{Ip6Hc+?E*5da56f4sJjkd#lWt z+%CTJ3`|U2dFJ%jq){jc5XJzoj!BJ+k*AiT%F4>1H816%fG3>vxcb)QBm9!xLOPXA zk5AK}N-aSmc3A#RQh2Htz_@~X8Bz4zk zW=A3I$MZ#s&yz1ch9~9b>bfXbf#wbF0)qs(znec$LP!W;O=)TAZejDHKmMpDGBR$b zPg9=iCMCcbU+Wc4qPM}Ze9U*j*XvqY?`SC7ku<;{vf~aDB&F&>xO@?`8BH2_W^ekhR~K*-_iaXI*aq>hHQlDb6K~7tyI!ZMn>NR z65`{>k7%F)Np;CA`L8EclV88a!S}MUNg3CNqCGcL@&WGj6x%};#zUr8>#Aa4X7<1_ zjf`HreLE|^{xh2XWdeE%Foemkt%T3Si_4i<>T^S12L=a^iHra4>qB4kfAhxX)TtU& 
zFNlnypUX;1K@`(3#4avQ=w%&5_Crwc6?Q!MYGq>R%a;N$X|U$*-Ma@#4vtV_A{U?* zByHzd!W$~~$&)9s7q7m8$=Nc&|Xwpt9oYKnD zA?am@(*OrFE;d%?o+7JV-DrAl^|ZCB+)GtK9_fwj6Z3Y_ittl$1k}Ef@$pdJcqx0c zhOj-TBiN|8XzWJ7P!B|JaW!YpQhynkn7F2^EA`3I^1PF7{ZZUVq$u%rs8|3fKYsqK zRf{{}@-{Q`Ce{TIo5Sl^xNCr99IULg)-pvT@NjT7F8$RM=)CB32>DdqaZ^xGKr{-A z48Ay?L-SSOpwlQ%$d!_i_~2<=9Ug;VkKmK%+JvN`VLx!b$MQ4@fizTicQ+mhb_Wlv zYcjHa`dsWAz)&dE?H;GU!%YFW0V@LFhWG`|n~v!F^JhynyK?z5iW7{}iScpBqi)5> zvA#lA-cni2vC~kMw*r936~1_3hZb@Ds$UqqBqSrZP!UH;9ZYrXV(^<&=lf;pqpB&`nSk%1mnh`2&_4|GY@G1ylix@F)0r4kv2> zr?LCN3p-ZoSdnOimdlfuuK+5orbg!@j|^q9V+0KG;lV*HTbs6=q>KzId$CIgpZxr( zfhB-tTcUC*^)ete4hYPXGctz^7P5h)K1hk2|K&CUn*nA_Ih7Vx)XkfjDJciK1zhle zaT@BgYn%uEK1Q=an?N({PMRqObl_Dch$C z^%LubjED8SGzsrbN@mMFUA{}O)A`RwZ#{!QA9syJdTVHC+zSq-*tShZN{VF5o3uwW z|McnXvLrJj<6DdGFR=e0Z=gBc-ABW!$tAa+4ieQO(}8;Mm%mCclI6Z{`{Jv_E#^>! z0Ew9X8=t37-=zmz!@Pr&i&s8mgIxZgy%45r64bVkukz8He`L=zTV>$xckfd`75+t9 zR%DAclRK!qO8%{i-GX^NrKn`RQD((wr)mCJU1Q@zWi_69Xrb-LF6j zSgnW%<6-XD@c_3CjTT17oR2QRgTU%Svx>)~8iome|)_tg@5XP*L-WvK6 z(MToxO?*?xv%cO ztdTnx)iSOtM40LgofQ^kG~)?%GT-^)E~=4M_SM0O30d=RoUjW)uOOmf9N@MYMa=m? 
z9z$Ec4Jd>#S~@(szg?ng7IrUMdp)Z$B2tz{7&%;4Z!iCwP?~30XVGQJX$#h#|&|*18C}ofPmPagCHe3j2R(R~Rljnlv zw$!)fc}ph_9QJ)xyo}!O-Ziq+uWg7v;v6eVG%Ydi(~1tx7Txt&sF;V zs?I$zl2s>o5GgtsDp?KVW~ex7teCsFmqu8~urzgSBfE7>fN|QswlmZ_)~3Q;FeBTt ze|Vs|HN3mnupl>{F>=Ltw($tbn*q7uV@C_lhRk*9smT`H-P#44J+6dNMX75G#v zNhdsg=Zzn4&$7l}egB1Nto7r$Hyg)S83?ZZ_31AUT-EzEJ7W4a>j_tyUXsY8$gKB@ zd{>kL_z!*xW_sG%Llvx2a*Tzoc*^q3nUA@~4bU&PTuk`RvwwhTKcct;!`igJr6AO` zweOBLL&D}STA1K+M&Y=>TLh#+)JQTwK2*6r+(_YavTT1)^iung-Er3~lI=Igq&sM1 zq)gY`_wJNxpQ0>k*Ha4!X4ZVLqTDiVuf5xJpvOQw#%^)?k?`w0RC$7EcNuiS=Bbx4{C%0$#(JeKhIvBa#<{(o8_zE3YklVu;mLQ*mSVy{ z%}ef(2kehSn|3b&WTSN3^p?k+^l-iC^5yGS$jA`xXRLRT8+D0aFs(lNG|76qEcJi> zy3Xxi1Fcao)Cs~+fw3o&JGzo;p%AM(J0qj*J|@#a9;}#PhJvycyGPK{;?}Ki(PBKH|7mW{&KL@*C@br3Z+Ah7E_!zm9)xa&#@JFR zHK~uL@e7lSE=(r=B*bWY>M_T!&YkyJ1$a{Q(9@^v`4@2eFz~|6vQc=e_gkEdpRX@O z!Nl}*bUB!F+kW(xxfOb>IYA?llq`fsgA`du$5ny=2hmUQ$7qo1NH(?4vS!9>D{IRs zCgyl~uK8s@zWw#)vgeXh-x)6yczv*Vm@D>;YE;YAG&Ql0V0o6Jeh@IO9q0rhgvK}- zNsKb|^%;z3foDP_L>dAp8s>OE)t0eRR)*MrdPT)1>YqvhTf+&sJ^+(8R#tnAqyV>Q z=;^1ta#7r%Z|_krbI_y>!@&S$4_!%%j)?&{-ob~cKctRtKq|;DAkxli#JnD)`+%Ov z$jaIZB@N{-D_h*0Ac$$(^+Mw7=aHkmpZnV?(uSO(C%ue{Gp7Cd`wtZeiX4@Ax1&Uw zd@?lL8gOcdMO{5qH3WOFb#Ioo00ZLGy7MqU;CaLDP>nr`)!&5tUU6-a&WwdUZMeAz6I$I*B6f^V#k7Cp&mWc;*H8zSj1eoN?LH z6UamPk*dxV`h)?Q#(Gjo2|F>3*@`WNT^_;#H1Yx&eo7yCg1~ZnpyT#H8_HHb%t)|y zu}kCXfJq29ib+a(t*;)l!UMVi?dSCAz$Z_BQpFyn*1LII!N8OPzr4OgWA7ZbE+J`8 zRB{)3cO`807R)0*v@d?*-3`Z?ny7tgbm=EgbnpeLO?C_r@h5d>$eHt z`PmDs%^uF-|G(ox_!C|k8ZR+2bY3YXEe)h`3lBFnO=IDS=BA6XKp%$avbBBD->{dr zfwFmRoY2xh8%nznOArVn$vBLtpZn}(lZKOl9s>>l$t9WtA*xOU9x)e$8VA`gHBW$# zufDxKMlq?Y+@rI-oz0rGDZxk#((v=RxLo;Igr4wO*PsD^{R)`+GF_l#4%C+B~< z0(qeO-Mw=s>0IO2uZYc!T+65YISal83I^*3pNezy4>l2RhwfZkYcl)i<9!xk-#r&f zv`{znV6H-aF#8e>HFSH{Vm$XF*B6ZH}lDfx7PO++8&jWlk=(zVMd~T z1u_y?QbtP3pUKHEt9wOoRe5-ldzMu6ktEe9k53dnAT8~RH-G&~Msp6pZ)Rbkjt=@J zW&mMT`WwIZ+4(~l)CFvNV;GT0QUdc=Whp+Y2Yxr7PNp8|K6~-v4J04I0|f;)-Qva% zg$}~zfv^F_2uN;XZvG}aJ9V9flAIg|BnTi$sCF&izmxm`l19Qz6le#;k#!MCFp#>a 
z=g(p1-9q&KcDs1V)M4~3+MxcvKCTGWCgCpgT-La_IEYHHEHE)be>fPhz7Pzp%8I;eXGcv(=LATJVMb3OH4LJd zH|~Y84-*`ZuT4BZTPaC>d}0Cy3p`g4ske|Bp-WX;x`n8Y1tSoF&v!;xOIG$IVl(Jc z@EWWC;ezJSj0Rryd>@J7?`J!@sRFIqKu!(;ds~`DLaHN4njp5=?jkk)XGFVim+hOs=GK85uOG}r$dPU>9xT*x{giu#k z_cs0!s`h(e0Aw>cIT@`zl(#uBmmt7e{rvnOlTbI76cv$^lUFtZW#eI>+aZ8;%f<%H zbsa5u^d-#cu+Y#_&vj|5^aC)nFcbIRgq9I76Sx{`zK@&RDaiVGfun9ojo{Ujkw=7B zYLKP|WZ>luz+NS6|F#Nag!Ek0VG=?|M+cHo6XXDM=5>;>3rh!+&;YUAOfezT-`|e| zpSryQ-t^&vDw0BNadplR1pxuvMt>ke!z(O2fs+FfBfNn~(HRbQ_Id3*vxQa#VTvM1 zD15EtiJ_F3m>8xeVKgu@GM1e<35*{e&ft6o6%s${v}eY#sL@I6Cy5{H7#iy^!w(z! z+`Ql3r0$>V|NIc?Be9+T?$-So8anAP5?)c^h5GT<^fN)=5$5x70ie3ik6gNTEv}?w z6`@5eS`7APYTSZiitq1c; zc&zbZgb2j)_U+IX_y|$($9C`L$IN1X|Na99YHNqslQtsD$~-VGfMM9aPJM8uEwc+r zPq0l#uR1JWWW2XiQ^SZR-O3DOVV$(xAE63maX{ugnUnZP2}M~@Zsj*Ylh!Oe_+r*t(xYbF?$u**v({{76(5yf%1+auk0<$e=%)$mU zpRh2Nu6x2oL}v{QtVipE3Dh?XDW%yI9kb?H1O%FQ*sUgJX6)?j;Ywx8zGbBH zpDdGv(*R0!{Y1~S9Z;1sMi#c|#fSCqJbD%z`zuQ~&*UTH`4(4KcdTYyXAV6(Gcy{n zBmUf)Pg!1fJQ$#2 zp#ulzX9iSC&Y@mmRB3CL5yBNbcyMc|$z;;K^j*v`%-?o%Y49h@r>^HxCf{kqTJgaLBcr099Si@-- z6XKsLSDb0_z8Zi3z9syHt$;8Bsm8`US|3`olUA${d;Op91<*q%Sk!HCJie#Kzz075 zw7RNl2D*q_0agIrzLQ-Y9n@~G%H+x+bs|zUz9z~dqZdwL|Bi%E*>G)b`f$9mtUQT1 z@bjs7|MV2or;nVEzdL3!U9i51Ia!0_@pjPe4jw@g5{0{OU_dY5;*yyepO1W7ncH0; zys?&7hTlMX;iNW{g-&KC>jhlVGFKX@Pv_=Mp{EIAY!?8@n5 zUI>y>Qc?omBkqQJ1R1`ysmVJEbrjpA++(c(S`_B#;N_=5sZMaR5W{0z8+`isF~X>b z4fOSoM!hi*s;;kR*|P_B{?LV3iEivUbYT=j9oBQYx@=!4Yjj4cMfPLwG+l)7)l!y6 zL3rDocKB5-uoa8*S^|9lcG+ekg(nWu-DcnLQcyqu9ka$dD5{X&JPf0uobRAFzIyo* zb~#7Q?VP3dD^J3)f6)3+1ht@r;3JdrQObuQZNgYWj}i_jDW_vBkwJP=9jr+J4bX)6dP$ zMz^W+6z1@ONle%6rVVZAmUXPFIR58yh#Frf&J? 
z-@o5MFU4Z2uhu~lWwo>mN^zwR88|o;cx;}rc#_E0=4MoPm8h+Jj6%gOQ6UyPWYJJL z)(2*diN=Zut zfPRaW#5X6<-zq>L71a~cI{YaVs&g_|DGBc?6(lF78&T<>sve+o&|k-AuOT*sLCrgJYA5i;UEWU<(-eqM-1>=ClA?@LOMU-l&l%!M?I zpfdP%%-K|NPAlKk?_aN>=S_Gq(;DgsIf)2rzwUZ#O2fI}-?F3RwdN}=Lj{j+AG;Pe zE|Gs%{CNy%vnRYh3m!TIFB2rDIjj*98Qd=<7GU2t4es8(d)rYmZK!@ZAtd|v@4tgC zxE04zXa>~49zaeCC(p{t>fn{iYGrXDGT0?&pfS#=`{K-;UBb-O=TUv#y0*o#n?@e3 z#f3>SOD;P0b~z-(pOgTMXWm-BleEwfu=wx(RQ&i}s}~d-OV65RJwPcs3#??E#-k%6 zS@O(kp-mY1l>3ow_!vlUW$W>B>pPhzUvjJ-!()MdFHFSo1shuvi?pJlz+qbx_J9Rw z8%c9t@!tmzcEm1`d7VN=8o#=g;;x8-gC^=7PsbSi^GXZt{kr3Bi$W2q`WUx4fv@uz zLQ>JNlpwsF@-w3ZxKN(TvieTkY=(lE3foEk0fYd+#Q#G7$8T-fyiil&VwD6}lHCHN zGt2To#YEvU(BGGKJ?F9xm9Xt;e*KoLf`Ua9g^KmXPOfr(K;DAP7J;Fg))yCL)p=yhA5_}9)kQ|WOy=`NYaLlsRdx&X4$=rO{ zyH#|Iu9TBQCFqFNX|t2F7T<*h5+i>ujS%aXz85SF(RX+a$FmGriJt_>y{f9J3UlD> zSC4k&%FfgySJ7gK!*Ci5?0x2$vIg8BhH6jS4!R*=@hJm?WY*yZF^KE?&AEM@BfE(XcQlnF~|MI0vKE=zx?3B4L$!M(_eg`70TU&eDLN4$7 z+dKNV&bT|9O;6?h(;>);55M_K<+-+5W|Z;S*5)0@=z_DY4|PT+?+ovPi`LjT!W)$f zkP~cwc5bfmxzw)uQ-1L^I_O0u6;;R%sVXS=NHC#Y@u83DsbG3$03jnFZU}L8?!oYu z-WC*~0NP)<@)$4@@wdB{I85H{_P4&iq!u~}beR4$5smL8ZUt1LFBE#c&XWP(Ag=!+>kxnn#b)n)NsU+yez|QJW;Na)_I3 z-`-55QXgMC&c|nl1p*u@A;Chq?*SpiGY~euM<8+aw6#EHqn^2)#)b25+yec_DI2b^ zU(xcK@1W=WM(2_x}wx zMEC1$kIJqPAS%85Lf)zMcHTgErltkwPJv7Z+%U7oczCIl>o({;m~RpN(+E_Az(iEk z65>z*w@}Td%Wk3D!4iRsE9JhNQ&QpzUIgxq)PlrA-vS0_By~HRnnW>Vfop`ZW1D8+ z;DA}QVjMCoObu%urQE^cD6I>=fZz|DXq4DIh;Hb0O_~_q#22x=gKGuGf{I+~zQR~; z)Z9u#7#JE#Igb5I{6#%NSB31uRKt!(_j~FGWhn@aV^OT18b{-kGD_Ar)&x43cAj(^ zW*cyNXqBO}>3M?f@mx+)HYLIJP4E@3Z1f#E#QU+zohG|h&}Va?1@GcVuD(f=WY5+FE!ZyH#{Ar_`~_0t%a<>dI}LyCT3#wV zsPXCJufLx;Ht#!h9A7UAxyN!X{ziI*a%aPf3o7tfL`iykF_jkmu2W#lW+AU4fc5C| zLmQ7np$%D!!fC~! 
z6|T*&H3YK5`mbsDp}3tfcU`4pwVsJyui14=Pr%4NfvF{|@%<@;!22l+H(J;BHU7OS z==PBz#__KHX-^v4`>(}jg{+p@;_nEi9uK3QPFQ*%PrL1Asy=z^jgi0W$+wuSg2l_L zR0=;_+jFUX$+dCr-SV}YH5a#EchMK(v_9ZGc#U?E2SX9YYD%j3jtV1p--p(9L$aAR z*^{#L%<4DHyLFQ)w(X`-q0G2m=U6OqWaEP1g%Ra44W<0?qrdvBM1E^4g}ZefKJUkx z+?S}g=TAY#_}co%82$OyvtM-`d>y>RA6`pYe!4o(X=fj9vaC5>z~nO$d#3qB;oS`S zvgf&{7Wf;kf?sOw#4+=DpX_-W&gU!08e`%pi8MZ;+4m)eK!3 zC;1Eh)6(%d*?Cf{YknKUoB9m8E1Mnf=W^0sm(us~Zzri{59f-#?fXKRJWHobnfz(N zSg7WEiwTRm!pn}=yQHNJETh=6JUU-wTgH`WrfS7-XP;BhO|ka=^x~MhMEkEC@(*^s za+60zY#75?e_xnha~X=^ms;ww|5j$TGAOjvRbW1%spl}?!MggcVvgzE8wV1?xn6dn z$Wht3AX(2ZTVn9ZiFc?|e%oK{Cgg467mp_e1TTEqdEYfnf9D3*;Wor)!<*X&k~%uA35#PbBP9wjFdakOLYbG)ff=6`z$)@4U|XkVQRoIk&^P{{9+ zKHMj-@@8?;e2I?mW{f%S1b+g%vc022En3v4!L9l!7x=so%YDzgQ6z>NvV3-DUq7if z6DznM)FUoguOvw@D5}Dw#jGq1&F0+M>gnle%wMd03<2>DMxF%V?8mPZwxI!*RK`Lb zp)Z)b&M0(U7(-!3;sD?7g<8_<={Dpf-O^YTu)#ujvjd_bqBqyOxv>OD#-O-(!lj>oK0el@udA)a zSHRT(a2#Mnx*Ke?dG0!h(a_wAVp90$!Ggj~`1 z{#9=(atr{Z!O6b+Y4LMNs_W{GgAqXAjVdze`gO?qP{iHh`X@Zx12Pp5nW!{<>5WIw z+W7n#U+gjgq(?Y`QPN5Kaq@*4hsUny8gjrriOgLTh=Yoh*TS-xD#k25;d*sWEyT%1J8d#o!;4tm!klHAOc0(Qp8!2YSG zc5P%BZTk1nZz<`;#U?sefck}2oit|cL_4D)N+$^7{uJb^>nMG?RpLHOgL}JuH+{T6aK50+= z8K{z3!4<4!U9N5N3L#!PI&1rCIt4W;gZT|{OGziJJ72k)NX#HpLQi96YHCN&JmbgH zjS-bSF5YVtpfZ5j2~1GfaE33(>rKLEatzy-2;ftJ1VpvvH(9%H^BOzA1wvs%kOUL_ zAF5dQdZn4V{bLX>pu4rTv#ST8DkhdW)^zw5pDTK2XzLr`4k;tDk`|d`0STxZ0PBc` zXrS5tYt*)8Bt;B=l_%4NCAN|Rm1&`&`Tw@L05YMoGQZTnp2|wAPz3M|ybpjcc4PpY zQDUd5gPd#DO#l9!M46nOhl)!y(%E2{ zx@J_{YzalG;T|TNg;<{U2_?BK(__+u=A$uI$5b8bT)8!f!FLJ2Z>gv}0n!wc;gumbY1h?~xk3`z@#-sD?Byopqc*o_$R}C!q%k;jW zkxw?M^bb<^SxMu!nu->9D~S)viBF{0_GTM#t7Dj&(cLgntsd%;C-2Pu?*r@2v{txR z;X3=D^hJ&=1ho&ckx1TEUY)w5&g8!zk?!Kp{_kzzsW82X`v|P`=oD&C;KCgxdiDi* z`Lkm%mw5!x-ul3=pt8)nt^2J!`M=LR;$Ee-4;Q8LH@mVkF-aSOx^DAW{rhjc0@#0i z!`&@ov~^n*f|5wA|6h;vzmNS#o=i*_m1V@j5=gdGbm}Rv#+8;gyK46PRS^$9P`r6eE+WQ(Ss=*q;H=e2lNH8;^#E%$EPu5;UtkZHkAJN zX73EYQhR2;l6dVCv*Q1~)?dy&et15KY)U_!Es2}h8j{rd*-p#P4j 
[binary patch body for img/ch06/kerberos_auth.png omitted: base85-encoded PNG data, not readable as text]
