From fc0ca4c9353b8d17fe19fdad7414da8296429681 Mon Sep 17 00:00:00 2001 
From: Marco Ochse Date: Fri, 22 Mar 2024 16:48:40 +0100 Subject: [PATCH] continue with documentation cleanup preview related folders fix typos / errors --- .../ISSUE_TEMPLATE/bug-report-for-t-pot.md | 43 +- .../feature-request-for-t-pot.md | 4 +- .../ISSUE_TEMPLATE/general-issue-for-t-pot.md | 45 +- CITATION.cff | 10 +- PREVIEW.md | 203 - README.md | 339 +- SECURITY.md | 21 +- _deprecated/bin/2fa.sh | 77 - _deprecated/bin/backup_es_folders.sh | 61 - _deprecated/bin/blackhole.sh | 109 - _deprecated/bin/change_ews_config.sh | 89 - _deprecated/bin/clean.sh | 372 -- _deprecated/bin/deploy.sh | 182 - .../bin/deprecated/export_kibana-objects.sh | 94 - _deprecated/bin/deprecated/hptest.sh | 122 - .../bin/deprecated/import_kibana-objects.sh | 126 - _deprecated/bin/dps.sh | 73 - _deprecated/bin/dump_es.sh | 45 - _deprecated/bin/hpfeeds_optin.sh | 134 - _deprecated/bin/hptest.sh | 68 - _deprecated/bin/myip.sh | 103 - _deprecated/bin/mytopips.sh | 27 - _deprecated/bin/restore_es.sh | 95 - _deprecated/bin/rules.sh | 107 - _deprecated/bin/tpdclean.sh | 29 - _deprecated/bin/tped.sh | 56 - _deprecated/bin/unlock_es.sh | 19 - _deprecated/bin/updateip.sh | 89 - _deprecated/cloud/.gitignore | 10 - _deprecated/cloud/ansible/README.md | 257 - .../cloud/ansible/doc/otc_1_project.gif | Bin 209197 -> 0 bytes _deprecated/cloud/ansible/doc/otc_2_user.gif | Bin 904313 -> 0 bytes _deprecated/cloud/ansible/doc/otc_3_login.gif | Bin 151617 -> 0 bytes .../cloud/ansible/doc/otc_4_import_key.gif | Bin 197465 -> 0 bytes .../ansible/doc/putty_agent_forwarding.png | Bin 23705 -> 0 bytes .../cloud/ansible/openstack/ansible.cfg | 6 - .../cloud/ansible/openstack/deploy_tpot.yaml | 30 - .../cloud/ansible/openstack/my_os_cloud.yaml | 2 - .../cloud/ansible/openstack/requirements.yaml | 2 - .../openstack/roles/check/tasks/main.yaml | 19 - .../roles/create_net/tasks/main.yaml | 33 - .../openstack/roles/create_vm/tasks/main.yaml | 24 - .../openstack/roles/create_vm/vars/main.yaml | 5 - 
.../roles/custom_ews/tasks/main.yaml | 13 - .../roles/custom_ews/templates/ews.cfg | 137 - .../roles/custom_hpfeeds/files/hpfeeds.cfg | 8 - .../roles/custom_hpfeeds/tasks/main.yaml | 12 - .../openstack/roles/install/tasks/main.yaml | 48 - .../openstack/roles/install/vars/main.yaml | 1 - .../openstack/roles/reboot/tasks/main.yaml | 16 - _deprecated/cloud/terraform/README.md | 129 - .../cloud/terraform/aws/.terraform.lock.hcl | 20 - _deprecated/cloud/terraform/aws/main.tf | 66 - _deprecated/cloud/terraform/aws/outputs.tf | 12 - _deprecated/cloud/terraform/aws/variables.tf | 93 - _deprecated/cloud/terraform/aws/versions.tf | 9 - .../terraform/aws_multi_region/_provider.tf | 9 - .../cloud/terraform/aws_multi_region/main.tf | 27 - .../modules/multi-region/main.tf | 69 - .../modules/multi-region/outputs.tf | 12 - .../modules/multi-region/variables.tf | 57 - .../modules/multi-region/versions.tf | 9 - .../terraform/aws_multi_region/outputs.tf | 7 - .../terraform/aws_multi_region/variables.tf | 19 - _deprecated/cloud/terraform/cloud-init.yaml | 26 - .../cloud/terraform/otc/.terraform.lock.hcl | 38 - _deprecated/cloud/terraform/otc/main.tf | 68 - _deprecated/cloud/terraform/otc/outputs.tf | 11 - _deprecated/cloud/terraform/otc/provider.tf | 3 - _deprecated/cloud/terraform/otc/variables.tf | 98 - _deprecated/cloud/terraform/otc/versions.tf | 13 - _deprecated/etc/compose/collector.yml | 260 - _deprecated/etc/compose/hive.yml | 141 - _deprecated/etc/compose/hive_sensor.yml | 548 -- _deprecated/etc/compose/industrial.yml | 431 -- _deprecated/etc/compose/log4j.yml | 250 - _deprecated/etc/compose/medical.yml | 244 - _deprecated/etc/compose/mini.yml | 271 - _deprecated/etc/compose/nextgen.yml | 575 --- _deprecated/etc/compose/sensor.yml | 535 -- _deprecated/etc/compose/standard.yml | 662 --- _deprecated/etc/compose/tarpit.yml | 287 -- _deprecated/etc/logrotate/logrotate.conf | 69 - _deprecated/etc/objects/elkbase.tgz | Bin 5489220 -> 0 bytes .../etc/objects/kibana_export.ndjson.zip 
| Bin 73540 -> 0 bytes _deprecated/host/etc/rc.local | 3 - _deprecated/host/etc/systemd/tpot.service | 42 - _deprecated/host/usr/share/dict/a.txt | 1466 ------ _deprecated/host/usr/share/dict/n.txt | 4401 ----------------- _deprecated/host/usr/share/dict/names | 3947 --------------- _deprecated/install.sh | 3 - _deprecated/installer/debian/install.sh | 77 - _deprecated/installer/debian/sudo-install.sh | 10 - _deprecated/installer/debian/uninstall.sh | 59 - _deprecated/installer/fedora/install.sh | 85 - _deprecated/installer/fedora/uninstall.sh | 78 - _deprecated/installer/suse/install.sh | 70 - _deprecated/installer/suse/uninstall.sh | 63 - _deprecated/installer/ubuntu/install.sh | 85 - _deprecated/installer/ubuntu/uninstall.sh | 66 - _deprecated/iso/installer/install.sh | 922 ---- _deprecated/iso/installer/iso.conf.dist | 12 - _deprecated/iso/installer/rc.local.install | 4 - _deprecated/iso/installer/tpot.conf.dist | 5 - _deprecated/iso/installer/wrapper.sh | 3 - _deprecated/iso/isolinux/txt.cfg | 7 - _deprecated/iso/preseed/tpot_amd64.seed | 148 - _deprecated/iso/preseed/tpot_arm64.seed | 107 - _deprecated/makeiso.sh | 310 -- _deprecated/packages.txt | 61 - _deprecated/update.sh | 392 -- compose/README | 9 - compose/customizer.py | 8 +- 113 files changed, 236 insertions(+), 20640 deletions(-) delete mode 100644 PREVIEW.md delete mode 100755 _deprecated/bin/2fa.sh delete mode 100755 _deprecated/bin/backup_es_folders.sh delete mode 100755 _deprecated/bin/blackhole.sh delete mode 100755 _deprecated/bin/change_ews_config.sh delete mode 100755 _deprecated/bin/clean.sh delete mode 100755 _deprecated/bin/deploy.sh delete mode 100755 _deprecated/bin/deprecated/export_kibana-objects.sh delete mode 100755 _deprecated/bin/deprecated/hptest.sh delete mode 100755 _deprecated/bin/deprecated/import_kibana-objects.sh delete mode 100755 _deprecated/bin/dps.sh delete mode 100755 _deprecated/bin/dump_es.sh delete mode 100755 _deprecated/bin/hpfeeds_optin.sh delete mode 100755 
_deprecated/bin/hptest.sh delete mode 100755 _deprecated/bin/myip.sh delete mode 100755 _deprecated/bin/mytopips.sh delete mode 100755 _deprecated/bin/restore_es.sh delete mode 100755 _deprecated/bin/rules.sh delete mode 100755 _deprecated/bin/tpdclean.sh delete mode 100755 _deprecated/bin/tped.sh delete mode 100755 _deprecated/bin/unlock_es.sh delete mode 100755 _deprecated/bin/updateip.sh delete mode 100644 _deprecated/cloud/.gitignore delete mode 100644 _deprecated/cloud/ansible/README.md delete mode 100644 _deprecated/cloud/ansible/doc/otc_1_project.gif delete mode 100644 _deprecated/cloud/ansible/doc/otc_2_user.gif delete mode 100644 _deprecated/cloud/ansible/doc/otc_3_login.gif delete mode 100644 _deprecated/cloud/ansible/doc/otc_4_import_key.gif delete mode 100644 _deprecated/cloud/ansible/doc/putty_agent_forwarding.png delete mode 100644 _deprecated/cloud/ansible/openstack/ansible.cfg delete mode 100644 _deprecated/cloud/ansible/openstack/deploy_tpot.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/my_os_cloud.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/requirements.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/roles/check/tasks/main.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/roles/create_net/tasks/main.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/roles/create_vm/tasks/main.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/roles/create_vm/vars/main.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/roles/custom_ews/templates/ews.cfg delete mode 100644 _deprecated/cloud/ansible/openstack/roles/custom_hpfeeds/files/hpfeeds.cfg delete mode 100644 _deprecated/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/roles/install/tasks/main.yaml delete mode 100644 _deprecated/cloud/ansible/openstack/roles/install/vars/main.yaml 
delete mode 100644 _deprecated/cloud/ansible/openstack/roles/reboot/tasks/main.yaml delete mode 100644 _deprecated/cloud/terraform/README.md delete mode 100644 _deprecated/cloud/terraform/aws/.terraform.lock.hcl delete mode 100644 _deprecated/cloud/terraform/aws/main.tf delete mode 100644 _deprecated/cloud/terraform/aws/outputs.tf delete mode 100644 _deprecated/cloud/terraform/aws/variables.tf delete mode 100644 _deprecated/cloud/terraform/aws/versions.tf delete mode 100644 _deprecated/cloud/terraform/aws_multi_region/_provider.tf delete mode 100644 _deprecated/cloud/terraform/aws_multi_region/main.tf delete mode 100644 _deprecated/cloud/terraform/aws_multi_region/modules/multi-region/main.tf delete mode 100644 _deprecated/cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf delete mode 100644 _deprecated/cloud/terraform/aws_multi_region/modules/multi-region/variables.tf delete mode 100644 _deprecated/cloud/terraform/aws_multi_region/modules/multi-region/versions.tf delete mode 100644 _deprecated/cloud/terraform/aws_multi_region/outputs.tf delete mode 100644 _deprecated/cloud/terraform/aws_multi_region/variables.tf delete mode 100644 _deprecated/cloud/terraform/cloud-init.yaml delete mode 100644 _deprecated/cloud/terraform/otc/.terraform.lock.hcl delete mode 100644 _deprecated/cloud/terraform/otc/main.tf delete mode 100644 _deprecated/cloud/terraform/otc/outputs.tf delete mode 100644 _deprecated/cloud/terraform/otc/provider.tf delete mode 100644 _deprecated/cloud/terraform/otc/variables.tf delete mode 100644 _deprecated/cloud/terraform/otc/versions.tf delete mode 100644 _deprecated/etc/compose/collector.yml delete mode 100644 _deprecated/etc/compose/hive.yml delete mode 100644 _deprecated/etc/compose/hive_sensor.yml delete mode 100644 _deprecated/etc/compose/industrial.yml delete mode 100644 _deprecated/etc/compose/log4j.yml delete mode 100644 _deprecated/etc/compose/medical.yml delete mode 100644 _deprecated/etc/compose/mini.yml delete mode 100644 
_deprecated/etc/compose/nextgen.yml delete mode 100644 _deprecated/etc/compose/sensor.yml delete mode 100644 _deprecated/etc/compose/standard.yml delete mode 100644 _deprecated/etc/compose/tarpit.yml delete mode 100644 _deprecated/etc/logrotate/logrotate.conf delete mode 100644 _deprecated/etc/objects/elkbase.tgz delete mode 100644 _deprecated/etc/objects/kibana_export.ndjson.zip delete mode 100755 _deprecated/host/etc/rc.local delete mode 100644 _deprecated/host/etc/systemd/tpot.service delete mode 100644 _deprecated/host/usr/share/dict/a.txt delete mode 100644 _deprecated/host/usr/share/dict/n.txt delete mode 100644 _deprecated/host/usr/share/dict/names delete mode 100755 _deprecated/install.sh delete mode 100755 _deprecated/installer/debian/install.sh delete mode 100755 _deprecated/installer/debian/sudo-install.sh delete mode 100755 _deprecated/installer/debian/uninstall.sh delete mode 100755 _deprecated/installer/fedora/install.sh delete mode 100755 _deprecated/installer/fedora/uninstall.sh delete mode 100755 _deprecated/installer/suse/install.sh delete mode 100755 _deprecated/installer/suse/uninstall.sh delete mode 100755 _deprecated/installer/ubuntu/install.sh delete mode 100755 _deprecated/installer/ubuntu/uninstall.sh delete mode 100755 _deprecated/iso/installer/install.sh delete mode 100644 _deprecated/iso/installer/iso.conf.dist delete mode 100755 _deprecated/iso/installer/rc.local.install delete mode 100644 _deprecated/iso/installer/tpot.conf.dist delete mode 100755 _deprecated/iso/installer/wrapper.sh delete mode 100755 _deprecated/iso/isolinux/txt.cfg delete mode 100755 _deprecated/iso/preseed/tpot_amd64.seed delete mode 100755 _deprecated/iso/preseed/tpot_arm64.seed delete mode 100755 _deprecated/makeiso.sh delete mode 100644 _deprecated/packages.txt delete mode 100755 _deprecated/update.sh delete mode 100644 compose/README 
diff --git a/.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md b/.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md
index 6eaabdc4..cdba5ea0 100644
--- a/.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md
+++ b/.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md
@@ -1,37 +1,44 @@ --- -name: Bug report for T-Pot -about: Bug report for T-Pot +name: Bug report for T-Pot 24.04.x +about: Bug report for T-Pot 24.04.x title: '' labels: '' assignees: '' --- -Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue. +# Successfully raise an issue +Before you post your issue make sure it has not been answered yet and provide **⚠️ BASIC SUPPORT INFORMATION** (as requested below) if you come to the conclusion it is a new issue. - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first -- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki) -- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md). -- **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice** +- 🧐 Check our [Wiki](https://github.com/dtag-dev-sec/tpotce/wiki) and the [discussions](https://github.com/telekom-security/tpotce/discussions) +- 📚 Consult the documentation of 💻 your Linux OS, 🐳 [Docker](https://docs.docker.com/), the 🦌 [Elastic stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md). +- **⚠️ Provide [BASIC SUPPORT INFORMATION](#-basic-support-information-commands-are-expected-to-run-as-root) or similar detailed information with regard to your issue or we will close the issue or convert it into a discussion without further interaction from the maintainers**.
-
-
-
+Questions such as **"Not seeing any attacks, containers are running fine"** or **"Cannot connect to the T-Pot WebUI, containers are running just fine"** are most likely caused by failures in routing and / or firewall setup and belong into the T-Pot [discussions](https://github.com/telekom-security/tpotce/discussions). - -## ⚠️ Basic support information (commands are expected to run as `root`) +# ⚠️ Basic support information (commands are expected to run as `root`) -- What version of the OS are you currently using `lsb_release -a` and `uname -a`? -- What T-Pot version are you currently using? -- What edition (Standard, Nextgen, etc.) of T-Pot are you running? +**We happily take the time to improve T-Pot and take care of things, but we need you to take the time to create an issue that provides us with all the information we need.** + +- What OS are you T-Pot running on? +- What is the version of the OS `lsb_release -a` and `uname -a`? +- What T-Pot version are you currently using (only **T-Pot 24.04.x** is currently supported)? - What architecture are you running on (i.e. hardware, cloud, VM, etc.)? -- Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`. +- Review the `~/tpotce/install_tpot.log`, attach the log and highlight the errors. - How long has your installation been running? + - If it is a fresh install consult the documentation first. + - Most likely it is a port conflict or a remote dependency was unavailable. + - Retry a fresh installation and only open the issue if the error keeps coming up and is not resolved using the documentation as described [here](#how-to-raise-an-issue). - Did you install upgrades, packages or use the update script? - Did you modify any scripts or configs? If yes, please attach the changes. -- Please provide a screenshot of `glances` and `htop`. +- Please provide a screenshot of `htop` and `docker stats`. - How much free disk space is available (`df -h`)? 
- What is the current container status (`dps.sh`)? -- What is the status of the T-Pot service (`systemctl status tpot`)? -- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen` +- On Linux: What is the status of the T-Pot service (`systemctl status tpot`)? +- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `grc netstat -tulpen` + - Stop T-Pot `systemctl stop tpot` + - Run `grc netstat -tulpen` + - Run T-Pot manually with `docker compose -f ~/tpotce/docker-compose.yml up` and check for errors + - Stop execution with `CTRL-C` and `docker compose -f ~/tpotce/docker-compose.yml down -v` - If a single container shows as `DOWN` you can run `docker logs ` for the latest log entries diff --git a/.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md b/.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md index ff1ba956..81063643 100644 --- a/.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md +++ b/.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md @@ -1,6 +1,6 @@ --- -name: Feature request for T-Pot -about: Suggest an idea for T-Pot +name: Feature request for T-Pot 24.04.x +about: Suggest an idea for T-Pot 24.04.x title: '' labels: '' assignees: '' diff --git a/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md b/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md index e86a858b..fe2abd7f 100644 --- a/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md +++ b/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md @@ -1,39 +1,44 @@ --- -name: General issue for T-Pot -about: General issue for T-Pot +name: General issue for T-Pot 24.04.x +about: General issue for T-Pot 24.04.x title: '' labels: '' assignees: '' --- -🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.
- -Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue. +# Successfully raise an issue +Before you post your issue make sure it has not been answered yet and provide **⚠️ BASIC SUPPORT INFORMATION** (as requested below) if you come to the conclusion it is a new issue. - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first -- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki) -- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md). -- **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice** +- 🧐 Check our [Wiki](https://github.com/dtag-dev-sec/tpotce/wiki) and the [discussions](https://github.com/telekom-security/tpotce/discussions) +- 📚 Consult the documentation of 💻 your Linux OS, 🐳 [Docker](https://docs.docker.com/), the 🦌 [Elastic stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md). +- **⚠️ Provide [BASIC SUPPORT INFORMATION](#-basic-support-information-commands-are-expected-to-run-as-root) or similar detailed information with regard to your issue or we will close the issue or convert it into a discussion without further interaction from the maintainers**.
-
-
-
+Questions such as **"Not seeing any attacks, containers are running fine"** or **"Cannot connect to the T-Pot WebUI, containers are running just fine"** are most likely caused by failures in routing and / or firewall setup and belong into the T-Pot [discussions](https://github.com/telekom-security/tpotce/discussions). - -## ⚠️ Basic support information (commands are expected to run as `root`) +# ⚠️ Basic support information (commands are expected to run as `root`) -- What version of the OS are you currently using `lsb_release -a` and `uname -a`? -- What T-Pot version are you currently using? -- What edition (Standard, Nextgen, etc.) of T-Pot are you running? +**We happily take the time to improve T-Pot and take care of things, but we need you to take the time to create an issue that provides us with all the information we need.** + +- What OS are you T-Pot running on? +- What is the version of the OS `lsb_release -a` and `uname -a`? +- What T-Pot version are you currently using (only **T-Pot 24.04.x** is currently supported)? - What architecture are you running on (i.e. hardware, cloud, VM, etc.)? -- Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`. +- Review the `~/tpotce/install_tpot.log`, attach the log and highlight the errors. - How long has your installation been running? + - If it is a fresh install consult the documentation first. + - Most likely it is a port conflict or a remote dependency was unavailable. + - Retry a fresh installation and only open the issue if the error keeps coming up and is not resolved using the documentation as described [here](#how-to-raise-an-issue). - Did you install upgrades, packages or use the update script? - Did you modify any scripts or configs? If yes, please attach the changes. -- Please provide a screenshot of `glances` and `htop`. +- Please provide a screenshot of `htop` and `docker stats`. - How much free disk space is available (`df -h`)? 
- What is the current container status (`dps.sh`)? -- What is the status of the T-Pot service (`systemctl status tpot`)? -- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen` +- On Linux: What is the status of the T-Pot service (`systemctl status tpot`)? +- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `grc netstat -tulpen` + - Stop T-Pot `systemctl stop tpot` + - Run `grc netstat -tulpen` + - Run T-Pot manually with `docker compose -f ~/tpotce/docker-compose.yml up` and check for errors + - Stop execution with `CTRL-C` and `docker compose -f ~/tpotce/docker-compose.yml down -v` - If a single container shows as `DOWN` you can run `docker logs ` for the latest log entries diff --git a/CITATION.cff b/CITATION.cff index b06dd254..8da04519 100644 --- a/CITATION.cff +++ b/CITATION.cff @@ -2,7 +2,7 @@ # Visit https://bit.ly/cffinit to generate yours today! cff-version: 1.2.0 -title: T-Pot DEV +title: T-Pot 24.04.0 message: >- If you use this software, please cite it using the metadata from this file. @@ -20,8 +20,8 @@ authors: identifiers: - type: url value: >- - https://github.com/telekom-security/tpotce/releases/tag/22.04.0 - description: T-Pot Release 22.04.0 + https://github.com/telekom-security/tpotce/releases/tag/24.04.0 + description: T-Pot Release 24.04.0 repository-code: 'https://github.com/telekom-security/tpotce' abstract: >- T-Pot is the all in one, optionally distributed, multiarch @@ -39,5 +39,5 @@ keywords: - elk license: GPL-3.0 commit: unreleased, under heavy development -version: 2x.yy.z -date-released: '202x-yy-zz' \ No newline at end of file +version: 24.04.0 +date-released: '2024-04-22' \ No newline at end of file diff --git a/PREVIEW.md b/PREVIEW.md deleted file mode 100644 index 84b24fd6..00000000 --- a/PREVIEW.md +++ /dev/null 
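Review bot: The `commit:` context line in the second CITATION.cff hunk still reads `unreleased, under heavy development`, while this change sets `version: 24.04.0` and a concrete `date-released`, so the citation metadata now contradicts itself. In CFF 1.2.0 the `commit` key is meant to hold the commit hash or revision of the cited version; either drop the key or set it to the release commit, e.g. `commit: <release-commit-sha>`. `date-released: '2024-04-22'` is also later than this patch's own date (22 Mar 2024); that is presumably the planned release day, but it is worth confirming before the tag is cut.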
@@ -1,203 +0,0 @@ -# T-Pot - Dev Preview - -T-Pot will be turning 10 years next year and this milestone will be celebrated when the time comes, which brings us today to the best time to reflect on how technology advanced, what this means for the project and how we can ensure T-Pot will meet the current and future requirements of the community. -

- -# TL;DR -1. [Download](#choose-your-distro) or use a running, supported distribution -2. Install the ISO with as minimal packages / services as possible (SSH required!) -3. Install curl: `$ sudo [apt, dnf, zypper] install curl` if not installed already -4. Run installer as non-root: -``` -/bin/bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/dev/install.sh)" -``` - * Follow instructions, read messages, check for possible port conflicts and reboot -5. [Start](#start-t-pot) T-Pot as non-root for the first time: -``` -cd tpotce/preview/ -docker compose up -``` - - -# Table of Contents -- [Disclaimer](#disclaimer) -- [Last Time Departed](#last-time-departed) -- [Present Time](#present-time) -- [Destination Time](#destination-time) -- [Technical Preview](#technical-preview) - - [Architecture](#architecture) -- [Installation](#installation) - - [Choose your distro](#choose-your-distro) - - [Get and Install T-Pot](#get-and-install-t-pot) - - [T-Pot Config File](#t-pot-config-file) - - [macOS & Windows](#macos--windows) -- [Start T-Pot](#start-t-pot) -- [Stop T-Pot](#stop-t-pot) -- [Uninstall T-Pot](#uninstall-t-pot) -- [Feedback](#uninstall-t-pot) - -

- -# Disclaimer -- This is a Technical Preview, a very very early stage in the development T-Pot. You have been warned - there will be dragons steering flying time machines possibly causing paradoxes. -- The T-Pot [disclaimer](https://github.com/telekom-security/tpotce/blob/master/README.md#disclaimer) and [documentation](https://github.com/telekom-security/tpotce/blob/master/README.md) apply. -

- -# Last Time Departed -Jumping back to 2014 T-Pot was born as the direct ancestor of our Raspberry Pi images we used to offer for download (which probably by now only insiders will remember 😅). Docker was just the new kid on the block with the shiny new container engine everyone desperately unknowingly waited for and thus taking the dev-world by storm. At that point we wanted to ensure that T-Pot was something tangible, tethered to a physical device (Hello NUC my old friend 👋) while using latest technologies ensuring an easy transition should we ever leave hardware based installations (or VMs for that matter). And Oh-My-Zsh as you all know that day came faster than anticipated! (Special thanks @vorband, @shaderecker and @tmariuss for all of their contributions!) -

- -# Present Time -Flash Forward to today, T-Pot offers support for Debian, both as an ISO based installation or a post installation method (install your own Debian Server), support for OTC, AWS and other clouds through Ansible and Terraform Support. All of this in many different flavors and even a distributed installation. At the same time we are still relying on the same base concept we originally started with which does not seem fit for the foreseeable future.
-In the last couple of years being independent of a certain platform was the one feature that stood out by far. The reason for this, until today, is the simple fact that T-Pot, although relying heavily on Docker, still relies on a fully controlled environment. This has its advantages but can not meet a demand where cloud based installations need different settings than we can provide (we can only run limited platform tests), companies follow different guidelines for allowed distributions or hosters simply offer Debian images slightly adjusted to their environments causing issues with the setting T-Pot relies on. Roll the dice or ask the Magic-8-Ball. -

- -# Destination Time -Back to the future of T-Pot. For a brief time we had the idea of T-Pot Light which should compensate for the missing platform support. A concept was whipped up to support all of T-Pot's dockered services on minimal installations of Debian, Fedora, OpenSuse and Ubuntu Server. And it worked! It worked so good that we have almost achieved feature parity for this Technical Preview and decided that this is the best candidate for the future of the development of T-Pot
-We are thrilled to share this now, so you can test, provide us with feedback, open issues and discussions and give us the chance to make the next T-Pot the best T-Pot we have ever released! -

- -## Technical Preview -For the purpose of the Technical Preview T-Pot will still use the 22.04 images and for a great part rely on the 22.04 release. This will lay the groundwork though for the next T-Pot release by just relying on the latest Docker package repositories (yes, the distros mostly do not offer Docker's bleeding edge features), some tiny modifications on the host (installer and uninstaller provided!) and move all of T-Pot's core in its own Docker image with a simple, user adjustable, configuration.
-

- -## Architecture -While the basic architecture still remains, the Technical Preview of T-Pot is mostly independent of the underlying OS with only some basic requirements: -1. Underlying OS is available as supported distribution: - * Only the bare minimum of services and packages are installed to avoid possible port conflicts with T-Pot's services - * Debian, Fedora, OpenSuse and Ubuntu Server are currently supported, others might follow if the requirements will be met -2. Latest Docker Engine from Docker's repositories is supported - * Only the latest Docker Engine packages offer all the features needed for T-Pot - * Docker Desktop does not offer host network capabilities and thus only a limited T-Pot experience (not available for the Technical Preview, but planned to even get started faster!) -3. Changes to the host - * Some changes to the host are necessary but will be kept as minimalistic as possible, just enough T-Pot will be able to run - * There are uninstallers available this time 😁 -

- -# System Requirements -The known T-Pot hardware (CPU, RAM, SSD) requirements and recommendations still apply. -

- -# Installation -[Download](#choose-your-distro) one of the supported Linux distro images, `git clone` the T-Pot repository and run the installer specific to your system. Running T-Pot on top of a running and supported Linux system is possible, but a clean installation is recommended to avoid port conflicts with running services. -

- -## Choose your distro -Choose a supported distro of your choice. It is recommended to use the minimum / netiso installers linked below and only install a minimalistic set of packages. SSH is mandatory or you will not be able to connect to the machine remotely. - -| Distribution Name | x64 | arm64 -|:-----------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------|:-------------- -| [Alma Linux](https://almalinux.org) | [download](https://mirrors.almalinux.org/isos/x86_64/9.3.html) | [download](https://mirrors.almalinux.org/isos/aarch64/9.3.html) -| [Debian](https://www.debian.org/index.en.html) | [download](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.5.0-amd64-netinst.iso) | [download](https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.5.0-arm64-netinst.iso) -| [Fedora](https://fedoraproject.org) | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/x86_64/iso/Fedora-Server-netinst-x86_64-39-1.5.iso) | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/aarch64/iso/Fedora-Server-netinst-aarch64-39-1.5.iso) -| [OpenSuse](https://www.opensuse.org) | [download](https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-NET-x86_64-Current.iso) | [download](https://download.opensuse.org/ports/aarch64/tumbleweed/iso/openSUSE-Tumbleweed-NET-aarch64-Current.iso) -| [Rocky Linux](https://rockylinux.org) | [download](https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.3-x86_64-minimal.iso) | [download](https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.3-aarch64-minimal.iso) -| [Ubuntu](https://ubuntu.com) | [download](https://releases.ubuntu.com/22.04.4/ubuntu-22.04.4-live-server-amd64.iso) | [download](https://cdimage.ubuntu.com/releases/22.04/release/ubuntu-22.04.4-live-server-arm64.iso) - -## Raspberry Pi 4 (8GB) 
Support -| Distribution Name | arm64 -|:-----------------------------------------------------------------|:----- -| [Raspberry Pi OS (**64Bit, Lite**)](https://www.raspberrypi.com) | [download](https://downloads.raspberrypi.com/raspios_lite_arm64/images/raspios_lite_arm64-2024-03-15/2024-03-15-raspios-bookworm-arm64-lite.img.xz) - -

- -## Get and install T-Pot -1. Clone the GitHub repository: `$ git clone https://github.com/telekom-security/tpotce` -2. Change into the **tpotce/preview/installer** folder: `$ cd tpotce/preview/installer` -3. Locate your distribution, i.e. `fedora`: `$ cd fedora` -4. Run the installer as non-root: `$ ./install.sh`: - * ⚠️ ***Depending on your Linux distribution of choice the installer will:*** - * Change the SSH port to `tcp/64295` - * Disable the DNS Stub Listener to avoid port conflicts with honeypots - * Set SELinux to Monitor Mode - * Set the firewall target for the public zone to ACCEPT - * Add Docker's repository and install Docker - * Install recommended packages - * Remove package known to cause issues - * Add the current user to the docker group (allow docker interaction without `sudo`) - * Add `dps` and `dpsw` aliases (`grc docker ps -a`, `watch -c "grc --colour=on docker ps -a`) - * Display open ports on the host (compare with T-Pot [required](https://github.com/telekom-security/tpotce#required-ports) ports) -5. Follow the installer instructions, you will have to enter your password at least once -6. Check the installer messages for errors and open ports that might cause port conflicts -7. Reboot: `$ sudo reboot` -

- -## T-Pot Config File -T-Pot offers a configuration file providing environment variables not only for the docker services (i.e. honeypots and tools) but also for the docker compose environment. The configuration file is hidden in the `preview` folder and is called `.env`. There is however an example file (`env.example`) which holds the default configuration.
Before the first start set the `WEB_USER` and `WEB_PW`. Once T-Pot was initialized it is recommended to remove the password and set `WEB_PW=`. Other settings are available also, these however should only be changed if you are comfortable with possible errors 🫠 as some of the features are not fully integrated and tested yet. -``` -# T-Pot config file. Do not remove. - -# Set Web username and password here, only required for first run -# Removing the password after first run is recommended -# You can always add or remove users as you see fit using htpasswd: -# htpasswd -b -c //nginx/conf/nginxpasswd -WEB_USER= -WEB_PW= - -# T-Pot Blackhole -# ENABLED: T-Pot will download a db of known mass scanners and nullroute them -# Be aware, this will put T-Pot off the map for stealth reasons and -# you will get less traffic. Routes will active until reboot and will -# be re-added with every T-Pot start until disabled. -# DISABLED: This is the default and no stealth efforts are in place. -TPOT_BLACKHOLE=DISABLED -``` - -## macOS & Windows -Sometimes it is just nice if you can spin up a T-Pot instance on macOS or Windows, i.e. for development, testing or just the fun of it. While Docker Desktop is rather limited not all honeypot types or T-Pot features are supported. Also remember, by default the macOS and Windows firewall are blocking access from remote, so testing is limited to the host. For production it is recommended to run T-Pot on Linux.
-To get things up and running just follow these steps: -1. Install Docker Desktop for [macOS](https://docs.docker.com/desktop/install/mac-install/) or [Windows](https://docs.docker.com/desktop/install/windows-install/) -2. Clone the GitHub repository: `$ git clone https://github.com/telekom-security/tpotce` -2. Change into the **tpotce/preview/compose** folder: `$ cd tpotce/preview/compose` -3. Copy **mac_win.yml** to the **tpotce/preview** folder by overwriting **docker-compose.yml**: `$ cp mac_win.yml ../docker-compose.yml` -4. Adjust the **.env** file by changing **TPOT_OSTYPE** to either **mac** or **win**: -``` -# OSType (linux, mac, win) -# Most docker features are available on linux -TPOT_OSTYPE=mac -``` -5. You have to ensure on your own there are no port conflicts keeping T-Pot from starting up. -You can follow the README on how to [Start T-Pot](#start-t-pot), however you may skip the **crontab**. - - -# Start T-Pot -1. Change into the **tpotce/preview/** folder: `$ cd tpotce/preview/` -2. Run: `$ docker compose up` (notice the missing dash, `docker-compose` no longer exists with the latest Docker installation) - * You can also run `$ docker compose -f //tpotce/preview/docker-compose.yml up` directly if you want to avoid to change into the `preview` folder or add an alias of your choice. -3. `docker compose` will now download all the necessary images to run the T-Pot Docker containers -4. On the first run T-Pot (`tpotinit`) will initialize and create the `data` folder in the path specified (by default it is located in `tpotce/preview/data/`): - * It takes about 2-3 minutes to bring all the containers up (should port conflicts arise `docker compose` will simply abort) - * Once all containers have started successfully for the first time you can access T-Pot as described [here](https://github.com/telekom-security/tpotce#remote-access-and-tools) or cancel with `CTRL-C` ... -5. ... 
and run T-Pot in the background: `$ docker compose up -d` - * Unless you run `docker compose down -v` T-Pot's Docker service will remain persistent and restart with a reboot - * You can however add a crontab entry with `crontab -e` which will also add some container and image management. -``` -@reboot docker compose -f //tpotce/preview/docker-compose.yml down -v; \ -docker container prune -f; \ -docker image prune -f; \ -docker compose -f //tpotce/preview/docker-compose.yml up -d -``` -6. By default Docker will always check if the local and remote docker images match, if not, Docker will either revert to a fitting locally cached image or download the image from remote. This ensures T-Pot images will always be up-to-date - -# Stop T-Pot -1. Change into the **tpotce/preview/** folder: `$ cd tpotce/preview/` -2. Run: `$ docker compose down -v` (notice the missing dash, `docker-compose` no longer exists with the latest docker installation) -3. Docker will now stop all running T-Pot containers and disable reboot persistence (unless you made a [crontab entry](#start-t-pot) - * You can also run `$ docker compose -f //tpotce/preview/docker-compose.yml down -v` directly if you want to avoid to change into the `preview` folder or add an alias of your choice. - -# Uninstall T-Pot -1. Change into the **tpotce/preview/uninstaller/** folder: `$ cd tpotce/preview/uninstaller/` -2. Locate your distribution, i.e. `fedora`: `$ cd fedora` -3. Run the installer as non-root: `$ ./uninstall.sh`: - * The uninstaller will reverse the installation steps -4. Follow the uninstaller instructions, you will have to enter your password at least once -5. Check the uninstaller messages for errors -6. Reboot: `$ sudo reboot` -

- -# Feedback -To ensure the next T-Pot release will be everything we and you - The T-Pot Community - have in mind please feel free to leave comments in the `Technical Preview` [discussion](https://github.com/telekom-security/tpotce/discussions/1325) pinned on our GitHub [Discussions](https://github.com/telekom-security/tpotce/discussions) section. Please bear in mind that this Technical Preview is made public in the earliest stage of the T-Pot development process at your convenience for ***your*** valuable input. -

-Thank you for testing 💖
-
-Special thanks to all the [contributors](https://github.com/telekom-security/tpotce/graphs/contributors) and [developers](https://github.com/telekom-security/tpotce#credits) making this project possible!
diff --git a/README.md b/README.md
index e2c37383..97e289b4 100644
--- a/README.md
+++ b/README.md
@@ -17,76 +17,74 @@ env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/alpha/ins * Follow instructions, read messages, check for possible port conflicts and reboot # Table of Contents -- [Disclaimer](#disclaimer) -- [Technical Concept](#technical-concept) - - [Technical Architecture](#technical-architecture) - - [Services](#services) - - [User Types](#user-types) -- [System Requirements](#system-requirements) - - [Running in a VM](#running-in-a-vm) - - [Running on Hardware](#running-on-hardware) - - [Running in a Cloud](#running-in-a-cloud) - - [Required Ports](#required-ports) -- [System Placement](#system-placement) -- [Installation](#installation) - - [ISO Based](#iso-based) - - [Download ISO Image](#download-iso-image) - - [Create your own ISO Image](#create-your-own-iso-image) - - [Post Install](#post-install) - - [Download Debian Netinstall Image](#download-debian-netinstall-image) - - [Post Install User Method](#post-install-user-method) - - [Post Install Auto Method](#post-install-auto-method) - - [T-Pot Installer](#t-pot-installer) - - [Installation Types](#installation-types) - - [Standalone](#standalone) - - [Distributed](#distributed) - - [Cloud Deployments](#cloud-deployments) - - [Ansible Deployment](#ansible-deployment) - - [Terraform Configuration](#terraform-configuration) -- [First Start](#first-start) - - [Standalone Start](#standalone-first-start) - - [Distributed Deployment](#distributed-deployment) - - [Community Data Submission](#community-data-submission) - - [Opt-In HPFEEDS Data Submission](#opt-in-hpfeeds-data-submission) -- [Remote Access and Tools](#remote-access-and-tools) - - [SSH and Cockpit](#ssh-and-cockpit) - - [T-Pot Landing Page](#t-pot-landing-page) - - [Kibana Dashboard](#kibana-dashboard) - - [Attack Map](#attack-map) - - [Cyberchef](#cyberchef) - - [Elasticvue](#elasticvue) - - [Spiderfoot](#spiderfoot) -- [Maintenance](#maintenance) - - [Updates](#updates) - - [Update from 20.06.x](#update-from-2006x) - - 
[Updates for 22.04.x](#updates-for-2204x) - - [Known Issues](#known-issues) - - [Grub Fails to Reconfigure](#grub-fails-to-reconfigure) - - [Docker Images Fail to Download](#docker-images-fail-to-download) - - [Network Interface Fails](#network-interface-fails) - - [Start T-Pot](#start-t-pot) - - [Stop T-Pot](#stop-t-pot) - - [T-Pot Data Folder](#t-pot-data-folder) - - [Log Persistence](#log-persistence) - - [Clean Up](#clean-up) - - [Show Containers](#show-containers) - - [Blackhole](#blackhole) - - [Add Users to Nginx (T-Pot WebUI)](#add-users-to-nginx-t-pot-webui) - - [Import and Export Kibana Objects](#import-and-export-kibana-objects) - - [Switch Editions](#switch-editions) - - [Redeploy Hive Sensor](#redeploy-hive-sensor) - - [Adjust tpot.yml](#adjust-tpotyml) - - [Enable Cockpit 2FA](#enable-cockpit-2fa) -- [Troubleshooting](#troubleshooting) - - [Logging](#logging) - - [Fail2Ban](#fail2ban) - - [RAM](#ram-and-storage) -- [Contact](#contact) - - [Issues](#issues) - - [Discussions](#discussions) -- [Licenses](#licenses) -- [Credits](#credits) -- [Testimonials](#testimonials) + +* [T-Pot - The All In One Multi Honeypot Platform](#t-pot---the-all-in-one-multi-honeypot-platform) +* [TL;DR](#tldr) +* [Table of Contents](#table-of-contents) +* [Disclaimer](#disclaimer) +* [Technical Concept](#technical-concept) + * [Technical Architecture](#technical-architecture) + * [Services](#services) + * [User Types](#user-types) +* [System Requirements](#system-requirements) + * [Running in a VM](#running-in-a-vm) + * [Running on Hardware](#running-on-hardware) + * [Running in a Cloud](#running-in-a-cloud) + * [Required Ports](#required-ports) +* [System Placement](#system-placement) +* [Installation](#installation) + * [Choose your distro](#choose-your-distro) + * [Raspberry Pi 4 (8GB) Support](#raspberry-pi-4-8gb-support) + * [Get and install T-Pot](#get-and-install-t-pot) + * [macOS & Windows](#macos--windows) + * [Installation Types](#installation-types) + * 
[**HIVE**](#hive) + * [**Distributed**](#distributed) + * [Uninstall T-Pot (Linux only!) (to do)](#uninstall-t-pot-linux-only-to-do) +* [First Start](#first-start) + * [Standalone First Start](#standalone-first-start) + * [Distributed Deployment (to do)](#distributed-deployment-to-do) + * [Community Data Submission](#community-data-submission) + * [Opt-In HPFEEDS Data Submission](#opt-in-hpfeeds-data-submission) +* [Remote Access and Tools](#remote-access-and-tools) + * [SSH](#ssh) + * [T-Pot Landing Page](#t-pot-landing-page-) + * [Kibana Dashboard](#kibana-dashboard) + * [Attack Map](#attack-map) + * [Cyberchef](#cyberchef) + * [Elasticvue](#elasticvue) + * [Spiderfoot](#spiderfoot) +* [Configuration](#configuration) + * [T-Pot Config File](#t-pot-config-file) + * [Customize T-Pot Honeypots and Services](#customize-t-pot-honeypots-and-services) + * [Redeploy Hive Sensor (to do)](#redeploy-hive-sensor-to-do) +* [Maintenance](#maintenance) + * [General Updates](#general-updates) + * [Update Script](#update-script) + * [Known Issues](#known-issues) + * [**Docker Images Fail to Download**](#docker-images-fail-to-download) + * [Start T-Pot](#start-t-pot) + * [Stop T-Pot](#stop-t-pot) + * [T-Pot Data Folder](#t-pot-data-folder) + * [Log Persistence](#log-persistence) + * [Factory Reset](#factory-reset) + * [Show Containers](#show-containers) + * [Blackhole](#blackhole) + * [Add Users to Nginx (T-Pot WebUI)](#add-users-to-nginx-t-pot-webui) + * [Import and Export Kibana Objects](#import-and-export-kibana-objects) + * [**Export**](#export) + * [**Import**](#import) +* [Troubleshooting](#troubleshooting) + * [Logs](#logs) + * [RAM and Storage](#ram-and-storage) +* [Contact](#contact) + * [Issues](#issues) + * [Discussions](#discussions) +* [Licenses](#licenses) +* [Credits](#credits) + * [The developers and development communities of](#the-developers-and-development-communities-of) +* [Testimonials](#testimonials) +

# Disclaimer @@ -278,10 +276,6 @@ It is recommended to get yourself familiar with how T-Pot and the honeypots work Once you are familiar with how things work you should choose a network you suspect intruders in or from (i.e. the internet). Otherwise T-Pot will most likely not capture any attacks (unless you want to prove a point)! For starters it is recommended to put T-Pot in an unfiltered zone, where all TCP and UDP traffic is forwarded to T-Pot's network interface. To avoid probing for T-Pot's management ports you should put T-Pot behind a firewall and forward all TCP / UDP traffic in the port range of 1-64000 to T-Pot while allowing access to ports > 64000 only from trusted IPs and / or only expose the [ports](#required-ports) relevant to your use-case. If you wish to catch malware traffic on unknown ports you should not limit the ports you forward since glutton and honeytrap dynamically bind any TCP port that is not occupied by other honeypot daemons and thus give you a better representation of the risks your setup is exposed to.

-# Installation -The T-Pot installation is offered in different variations. While the overall installation of T-Pot is straightforward it heavily depends on a working, non-proxied (unless you made modifications) up and running internet connection (also see [required outgoing ports](#required-ports)). If these conditions are not met the installation **will fail!** either during the execution of the Debian Installer, after the first reboot before the T-Pot Installer is starting up or while the T-Pot installer is trying to download all the necessary dependencies. -

- # Installation [Download](#choose-your-distro) one of the [supported Linux distro images](#choose-your-distro), follow the [TL;DR](#tldr) instructions or `git clone` the T-Pot repository and run the installer `~/tpotce/install.sh`. Running T-Pot on top of a running and supported Linux system is possible, but a clean installation is recommended to avoid port conflicts with running services. The T-Pot installer will require direct access to the internet as described [here](#required-ports).

@@ -298,6 +292,8 @@ Choose a supported distro of your choice. It is recommended to use the minimum / | [Rocky Linux](https://rockylinux.org) | [download](https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.3-x86_64-minimal.iso) | [download](https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.3-aarch64-minimal.iso) | | [Ubuntu](https://ubuntu.com) | [download](https://releases.ubuntu.com/22.04.4/ubuntu-22.04.4-live-server-amd64.iso) | [download](https://cdimage.ubuntu.com/releases/22.04/release/ubuntu-22.04.4-live-server-arm64.iso) | +
+ ## Raspberry Pi 4 (8GB) Support | Distribution Name | arm64 | |:-----------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------| @@ -327,6 +323,24 @@ Choose a supported distro of your choice. It is recommended to use the minimum / 6. Reboot: `$ sudo reboot`

+## macOS & Windows +Sometimes it is just nice if you can spin up a T-Pot instance on macOS or Windows, i.e. for development, testing or just the fun of it. As Docker Desktop is rather limited not all honeypot types or T-Pot features are supported. Also remember, by default the macOS and Windows firewall are blocking access from remote, so testing is limited to the host. For production it is recommended to run T-Pot on [Linux](#choose-your-distro).
+To get things up and running just follow these steps: +1. Install Docker Desktop for [macOS](https://docs.docker.com/desktop/install/mac-install/) or [Windows](https://docs.docker.com/desktop/install/windows-install/). +2. Clone the GitHub repository: `git clone https://github.com/telekom-security/tpotce -b alpha`. +3. Go to: `cd ~/tpotce` +4. Copy `cp compose/mac_win.yml ./docker-compose.yml`. +5. Create a `WEB_USER` by running `~/tpotce/genuser.sh` +6. Adjust the `.env` file by changing `TPOT_OSTYPE=linux` to either `mac` or `win`: + ``` + # OSType (linux, mac, win) + # Most docker features are available on linux + TPOT_OSTYPE=mac + ``` +7. You have to ensure on your own there are no port conflicts keeping T-Pot from starting up. +8. Start T-Pot: `docker compose up` or `docker compose up -d` if you want T-Pot to run in the background. +9. Stop T-Pot: `CTRL-C` (it if was running in the foreground) and / or `docker compose down -v` to stop T-Pot entirely. + ## Installation Types ### **HIVE** @@ -342,6 +356,11 @@ The distributed version of T-Pot requires at least two hosts To finalize the **SENSOR** installation continue to [Distributed Deployment](#distributed-deployment).

+## Uninstall T-Pot (Linux only!) (to do) +To uninstall T-Pot run `~/tpotce/uninstall.sh` and follow the uninstaller instructions, you will have to enter your password at least once.
+Once the uninstall is finished reboot the machine `sudo reboot` +

+ # First Start Once the T-Pot Installer successfully finishes, the system needs to be rebooted (`sudo reboot`). Once rebooted you can log into the system using the user you setup during the installation of the system. Logins are according to the [User Types](#user-types): @@ -363,16 +382,15 @@ There is not much to do except to login and check via `dps.sh` if all services a

## Distributed Deployment (to do) -With the distributed deployment firstly login to **HIVE** and the **HIVE_SENSOR** and check via `dps.sh` if all services and honeypots are starting up correctly. Once you have confirmed everything is working fine you need to deploy the **HIVE_SENSOR** to the **HIVE** in order to transmit honeypot logs to the Elastic Stack. +With the distributed deployment firstly login to **HIVE** and the **SENSOR** and check via `dps` if all services and honeypots are starting up correctly. Once you have confirmed everything is working fine you need to deploy the **SENSOR** to the **HIVE** in order to transmit honeypot logs to the Elastic Stack.

-For **deployment** simply keep the **HIVE** login data ready and follow these steps while the `deploy.sh` script will setup the **HIVE** and **HIVE_SENSOR** for securely shipping and receiving logs: +For **deployment** simply keep the **HIVE** login data ready and follow these steps while the `deploy.sh` script will setup the **HIVE** and **SENSOR** for securely shipping and receiving logs: ``` -sudo su - deploy.sh ``` -The script will ask for the **HIVE** login data, the **HIVE** IP address, will create SSH keys accordingly and deploy them securely over a SSH connection to the **HIVE**. On the **HIVE** machine a user with the **HIVE_SENSOR** hostname is created, belonging to a user group `tpotlogs` which may only open a SSH tunnel via port `64295` and transmit Logstash logs to port `127.0.0.1:64305`, with no permission to login on a shell. You may review the config in `/etc/ssh/sshd_config` and the corresponding `autossh` settings in `docker/elk/logstash/dist/entrypoint.sh`. Settings and keys are stored in `/data/elk/logstash` and loaded as part of `/opt/tpot/etc/tpot.yml`. +The script will ask for the **HIVE** login data, the **HIVE** IP address, will create SSH keys accordingly and deploy them securely over a SSH connection to the **HIVE**. On the **HIVE** machine a user with the **SENSOR** hostname is created, belonging to a user group `tpotlogs` which may only open a SSH tunnel via port `64295` and transmit Logstash logs to port `127.0.0.1:64305`, with no permission to login on a shell. You may review the config in `/etc/ssh/sshd_config` and the corresponding `autossh` settings in `docker/elk/logstash/dist/entrypoint.sh`. Settings and keys are stored in `/data/elk/logstash` and loaded as part of `/opt/tpot/etc/tpot.yml`.

## Community Data Submission @@ -469,6 +487,53 @@ On the T-Pot Landing Page just click on `Spiderfoot` and you will be forwarded t ![Spiderfoot](doc/spiderfoot.png)

+# Configuration + +## T-Pot Config File +T-Pot offers a configuration file providing variables not only for the docker services (i.e. honeypots and tools) but also for the docker compose environment. The configuration file is hidden in `~/tpoce/.env`. There is also an example file (`env.example`) which holds the default configuration.
+Before the first start run `~/tpotce/genuser.sh` or setup the `WEB_USER` manually as described [here](#add-users-to-nginx-t-pot-webui). + +## Customize T-Pot Honeypots and Services + +In `~/tpotce/compose` you will find everything you need to adjust the T-Pot Standard / HIVE installation: +``` +customizer.py +mac_win.yml +mini.yml +mobile.yml +raspberry_showcase.yml +sensor.yml +standard.yml +tpot_services.yml +``` +The `.yml` files are docker compose files, each representing a different set of honeypots and tools with `tpot_services.yml` being a template for `customizer.py` to create a customized docker compose file.

+To activate a compose file follow these steps: +1. Stop T-Pot with `systemctl stop tpot`. +2. Copy the docker compose file `cp ~/tpotce/compose/ ~/tpotce/docker-compose.yml`. +3. Start T-Pot with `systemctl start tpot`. + +To create your customized docker compose file: +1. Go to `cd ~/tpotce/compose`. +2. Run `python3 customizer.py`. +3. The script will guide you through the process of creating your own `docker-compose.yml`. As some honeypots and services occupy the same ports it will check if any port conflicts are present and notify regarding the conflicting services. You then can resolve them manually by adjusting `docker-compose-custom.yml` or re-run the script. +4. Stop T-Pot with `systemctl stop tpot`. +5. Check if everything works by running `docker-compose -f docker-compose-custom.yml up`. In case of errors follow the [Docker Compose Specification](https://docs.docker.com/compose/compose-file/) for mitigation. Most likely it is just a port conflict you can adjust by editing the docker compose file. +6. If everything works just fine press `CTRL-C` to stop the containers and run `docker-compose -f docker-compose-custom.yml down -v`. +7. Copy the customized docker compose file `cp ~/tpotce/compose/docker-compose-custom.yml ~/tpotce/docker-compose.yml`. +8. Start T-Pot with `systemctl start tpot`. +

+ +## Redeploy Hive Sensor (to do) +In case you need to re-deploy your Hive Sensor, i.e. the IP of your Hive has changed or you want to move the Hive Sensor to a new Hive, you simply follow these commands: +``` +sudo su - +systemctl stop tpot +rm /data/elk/logstash/* +deploy.sh +reboot +``` +

+ # Maintenance T-Pot is designed to be low maintenance. Since almost everything is provided through docker images there is basically nothing you have to do but let it run. We will upgrade the docker images regularly to reduce the risks of compromise; however you should read this section closely.

@@ -547,7 +612,7 @@ You can show all T-Pot relevant containers by running `dps` or `dpsw [interval]`

## Blackhole -Some users reported they wanted to have the option to run T-Pot in a stealth mode manner without permanent visits of publicly known scanners and thus reducing the possibility of being exposed. While this is of course always a cat and mouse game T-Pot offers a blackhole feature that is null routing all requests from [known mass scanners](https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt) while still catching the events through Suricata. +Blackhole will run T-Pot in kind of a stealth mode manner without permanent visits of publicly known scanners and thus reducing the possibility of being exposed. While this is of course always a cat and mouse game the blackhole feature is null routing all requests from [known mass scanners](https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt) while still catching the events through Suricata.
The feature is activated by setting `TPOT_BLACKHOLE=DISABLED` in `~/tpotce/.env`, then run `systemctl stop tpot` and `systemctl start tpot` or `sudo reboot`.
@@ -581,125 +646,49 @@ This will export a NDJSON file with all your objects. Always run a full export t When asked: "If any of the objects already exist, do you want to automatically overwrite them?" you answer with "Yes, overwrite all".

-## Switch Editions -You can switch between T-Pot editions (flavors) by running `tped.sh`. -

- -## Redeploy Hive Sensor -In case you need to re-deploy your Hive Sensor, i.e. the IP of your Hive has changed or you want to move the Hive Sensor to a new Hive, you simply follow these commands: -``` -sudo su - -systemctl stop tpot -rm /data/elk/logstash/* -deploy.sh -reboot -``` -

- -## Adjust tpot.yml -Maybe the available T-Pot editions do not apply to your use-case or you need a different set of honeypots. You can adjust `/opt/tpot/etc/tpot.yml` to your own preference. If you need examples of how this works, just follow the configuration of the existing editions (docker-compose files) in `/opt/tpot/etc/compose` and follow the [Docker Compose Specification](https://docs.docker.com/compose/compose-file/). -``` -sudo su - -systemctl stop tpot -vi /opt/tpot/etc/tpot.yml -docker-compose -f /opt/tpot/etc/tpot.yml up (to see if everything works, CTRL+C) -docker-compose -f /opt/tpot/etc/tpot.yml down -v -systemctl start tpot -``` -

- -## Enable Cockpit 2FA -You can enable two-factor-authentication for Cockpit by running `2fa.sh`. -

- # Troubleshooting Generally T-Pot is offered ***as is*** without any commitment regarding support. Issues and discussions can be opened, but be prepared to include basic necessary info, so the community is able to help.

-## Logging -* Check if your containers are running correctly: `dps.sh` - -* Check if your system resources are not exhausted: `htop`, `glances` - +## Logs +* Check if your containers are running correctly: `dps` +* Check if your system resources are not exhausted: `htop`, `docker stats` * Check if there is a port conflict: ``` systemctl stop tpot grc netstat -tulpen -vi /opt/tpot/etc/tpot.yml up -docker-compose -f /opt/tpot/etc/tpot.yml up +mi ~/tpotce/docker-compose.yml +docker-compose -f ~/tpotce/docker-compose.yml up CTRL+C -docker-compose -f /opt/tpot/etc/tpot.yml down -v +docker-compose -f ~/tpotce/docker-compose.yml down -v ``` - -* Check container logs: `docker logs -f ` - -* Check if you were locked out by [fail2ban](#fail2ban). -

- -## Fail2Ban -If you cannot login there are probably three possible reasons: -1. You need to review [User Types](#user-types) and understand the different users. -2. You are trying to SSH into T-Pot, but use `tcp/22` instead of `tcp/64295` or were using the incorrect user for Cockpit or Nginx (T-Pot WebUI). -3. You had too many wrong attempts from the above and got locked out by `fail2ban`. - -To resolve Fail2Ban lockouts run `fail2ban-client status`: - -``` -fail2ban-client status -Status -|- Number of jail: 3 -nginx-http-auth, pam-generic, sshd -``` - -`nginx-http-auth` refers to missed BasicAuth login attempts (Nginx / T-Pot WebUI) on `tcp/64295` - -`sshd` refers to missed OS SSH login attempts on `tcp/64295` - -`pam-generic` refers to missed OS Cockpit login attempts on `tcp/64294` - -Check all jails, i.e. `sshd`: - -``` -fail2ban-client status sshd -Status for the jail: sshd -|- Filter -| |- Currently failed: 0 -| |- Total failed: 0 -| `- File list: /var/log/auth.log -`- Actions - |- Currently banned: 0 - |- Total banned: 0 - `- Banned IP list: -``` - -If there are any banned IPs you can unban these with `fail2ban-client unban --all` or `fail2ban-client unban `. +* Check individual container logs: `docker logs -f ` +* Check `tpotinit` log: `cat ~/tpotce/data/tpotinit.log`

## RAM and Storage -The Elastic Stack is hungry for RAM, specifically `logstash` and `elasticsearch`. If the Elastic Stack is unavailable, does not receive any logs or simply keeps crashing it is most likely a RAM or Storage issue. +The Elastic Stack is hungry for RAM, specifically `logstash` and `elasticsearch`. If the Elastic Stack is unavailable, does not receive any logs or simply keeps crashing it is most likely a RAM or storage issue.
While T-Pot keeps trying to restart the services / containers run `docker logs -f ` (either `logstash` or `elasticsearch`) and check if there are any warnings or failures involving RAM. -Storage failures can be identified easier via `htop` or `glances`. +Storage failures can be identified easier via `htop`.

# Contact T-Pot is provided ***as is*** open source ***without*** any commitment regarding support ([see the disclaimer](#disclaimer)). -If you are a company or institution and wish a personal contact aside from [issues](#issues) and [discussions](#discussions) please get in contact with our [sales team](https://www.t-systems.com/de/en/security). - If you are a security researcher and want to responsibly report an issue please get in touch with our [CERT](https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/introducing-deutsche-telekom-cert-358316).

## Issues Please report issues (errors) on our [GitHub Issues](https://github.com/telekom-security/tpotce/issues), but [troubleshoot](#troubleshooting) first. Issues not providing information to address the error will be closed or converted into [discussions](#discussions). -Feel free to use the search function, it is possible a similar issue has been addressed already, with the solution just a search away. +Use the search function first, it is possible a similar issue has been addressed or discussed already, with the solution just a search away.

## Discussions General questions, ideas, show & tell, etc. can be addressed on our [GitHub Discussions](https://github.com/telekom-security/tpotce/discussions). -Feel free to use the search function, it is possible a similar discussion has been opened already, with an answer just a search away. +Use the search function, it is possible a similar discussion has been opened already, with an answer just a search away.

# Licenses @@ -709,25 +698,22 @@ The software that T-Pot is built on uses the following licenses.
Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE)
MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [elasticvue](https://github.com/cars10/elasticvue/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE), [maltrail](https://github.com/stamparm/maltrail/blob/master/LICENSE)
Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE) -
Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/cowrie/cowrie/blob/master/LICENSE.rst), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license) +
Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/cowrie/cowrie/blob/master/LICENSE.rst), [mailoney](https://github.com/awhitehatter/mailoney), [Elastic License](https://www.elastic.co/licensing/elastic-license), [Wordpot](https://github.com/gbrindisi/wordpot)
AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE) +
[Public Domain (CC)](https://creativecommons.org/publicdomain/zero/1.0/): [Harvard Dataverse](https://dataverse.harvard.edu/dataverse/harvard/?q=dicom)

# Credits -Without open source and the fruitful development community (we are proud to be a part of), T-Pot would not have been possible! Our thanks are extended but not limited to the following people and organizations: +Without open source and the development community we are proud to be a part of, T-Pot would not have been possible! Our thanks are extended but not limited to the following people and organizations: ### The developers and development communities of * [adbhoney](https://github.com/huuck/ADBHoney/graphs/contributors) -* [apt-fast](https://github.com/ilikenwf/apt-fast/graphs/contributors) -* [bento](https://github.com/migueravila/Bento/graphs/contributors) * [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/graphs/contributors) * [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot/graphs/contributors) -* [cockpit](https://github.com/cockpit-project/cockpit/graphs/contributors) * [conpot](https://github.com/mushorg/conpot/graphs/contributors) * [cowrie](https://github.com/cowrie/cowrie/graphs/contributors) * [ddospot](https://github.com/aelth/ddospot/graphs/contributors) -* [debian](http://www.debian.org/) * [dicompot](https://github.com/nsmfoo/dicompot/graphs/contributors) * [dionaea](https://github.com/DinoTools/dionaea/graphs/contributors) * [docker](https://github.com/docker/docker/graphs/contributors) 
@@ -751,22 +737,23 @@ Without open source and the fruitful development community (we are proud to be a * [medpot](https://github.com/schmalle/medpot/graphs/contributors) * [p0f](http://lcamtuf.coredump.cx/p0f3/) * [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot/graphs/contributors) -* [sentrypeer](https://github.com/SentryPeer/SentryPeer/graphs/contributors), +* [sentrypeer](https://github.com/SentryPeer/SentryPeer/graphs/contributors) * [spiderfoot](https://github.com/smicallef/spiderfoot) * [snare](https://github.com/mushorg/snare/graphs/contributors) * [tanner](https://github.com/mushorg/tanner/graphs/contributors) * [suricata](https://github.com/inliniac/suricata/graphs/contributors) +* [wordpot](https://github.com/gbrindisi/wordpot) **The following companies and organizations** -* [debian](https://www.debian.org/) * [docker](https://www.docker.com/) * [elastic.io](https://www.elastic.co/) * [honeynet project](https://www.honeynet.org/) -* [intel](http://www.intel.com) **... and of course ***you*** for joining the community!**

+Thank you for playing 💖 + # Testimonials One of the greatest feedback we have gotten so far is by one of the Conpot developers:
***"[...] I highly recommend T-Pot which is ... it's not exactly a swiss army knife .. it's more like a swiss army soldier, equipped with a swiss army knife. Inside a tank. A swiss tank. [...]"***
diff --git a/SECURITY.md b/SECURITY.md
index 3350e6cb..356ca46e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -3,18 +3,21 @@ ## Supported Versions | Version | Supported | -|---------| ------------------ | -| 23.12.x | :white_check_mark: | +|---------|--------------------| +| 24.04.x | :white_check_mark: | ## Reporting a Vulnerability -We take security of T-Pot very seriously. If one of T-Pot's components is affected, it is most likely that a upstream component we rely on is involved, such as a honeypot, docker image, tool or package. Together we will find the best possible way to remedy the situation. +We prioritize the security of T-Pot highly. Often, vulnerabilities in T-Pot components stem from upstream dependencies, including honeypots, Docker images, tools, or packages. We are committed to working together to resolve any issues effectively. -Before you submit a possible vulnerability, please ensure you have done the following: -1. You have checked the documentation, issues and discussions if the detected behavior is typical and does not revolve around other issues. I.e. Cowrie will be detected with outgoing conncection requests or T-Pot opening all possible TCP ports which Honeytrap enabled install flavors will do as a feature. -2. You have identified the vulnerable component and isolated your finding (honeypot, docker image, tool, package, etc.). -3. You have a detailed description including log files, possibly debug files, with all steps necessary for us to reproduce / trigger the behaviour or vulnerability. At best you already have a possible solution, hotfix, fix or patch to remedy the situation and want to submit a PR. -4. You have checked if the possible vulnerability is known upstream. If a fix / patch is already available, please provide the necessary info. +Please follow these steps before reporting a potential vulnerability: -We will get back to you as fast as possible. 
In case you think this is an emergency for the whole T-Pot community feel free to speed things up by **responsibly** informing our [CERT](https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/introducing-deutsche-telekom-cert-358316). +1. Verify that the behavior you've observed isn't already documented as a normal aspect or unrelated issue of T-Pot. For example, Cowrie may initiate outgoing connections, or T-Pot might open all possible TCP ports—a feature enabled by Honeytrap. +2. Clearly identify which component is vulnerable (e.g., a specific honeypot, Docker image, tool, package) and isolate the issue. +3. Provide a detailed description of the issue, including log and, if available, debug files. Include all steps necessary to reproduce the vulnerability. If you have a proposed solution, hotfix, or patch, please be prepared to submit a pull request (PR). +4. Check whether the vulnerability is already known upstream. If there is an existing fix or patch, include that information in your report. + +This approach ensures a thorough and efficient resolution process. + +We aim to respond as quickly as possible. If you believe the issue poses an immediate threat to the entire T-Pot community, you can expedite the process by responsibly alerting our [CERT](https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/introducing-deutsche-telekom-cert-358316). diff --git a/_deprecated/bin/2fa.sh b/_deprecated/bin/2fa.sh deleted file mode 100755 index bbd82c8f..00000000 --- a/_deprecated/bin/2fa.sh +++ /dev/null 
@@ -1,77 +0,0 @@
-#!/bin/bash
-
-# Make sure script is started as non-root.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" = "root" ]
- then
- echo "Need to run as non-root ..."
- echo ""
- exit
-fi
-
-# set vars, check deps
-myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
-if ! [ -s "$myPAM_COCKPIT_FILE" ];
- then
- echo "### Cockpit PAM module config does not exist. Something went wrong."
- echo ""
- exit 1
-fi
-myPAM_COCKPIT_GA="
-
-# google authenticator for two-factor
-auth required pam_google_authenticator.so
-"
-myAUTHENTICATOR=$(which google-authenticator)
-if [ "$myAUTHENTICATOR" == "" ];
- then
- echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
- echo ""
- sudo apt-get update
- sudo apt-get install -y libpam-google-authenticator
- exec "$1" "$2"
- exit 1
-fi
-
-
-# write PAM changes
-function fuWRITE_PAM_CHANGES {
- myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
- if ! [ "$myCHECK" == "0" ];
- then
- echo "### PAM config already enabled. Skipped."
- echo ""
- else
- echo "### Updating PAM config for Cockpit (if asked provide root password)."
- echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
- sudo systemctl restart cockpit
- fi
-}
-
-# create 2fa
-function fuGEN_TOKEN {
- echo "### Now generating token for Google Authenticator."
- echo ""
- google-authenticator -t -d -r 3 -R 30 -w 17
-}
-
-
-# main
-echo "### This script will enable Two Factor Authentication for Cockpit."
-echo ""
-echo "### Please download one of the many authenticator apps from the appstore of your choice."
-echo ""
-while true;
- do
- read -p "### Ready to start (y/n)? " myANSWER
- case $myANSWER in
- [Yy]* ) echo "### OK. Starting ..."; break;;
- [Nn]* ) echo "### Exiting."; exit;;
- esac
-done
-
-fuWRITE_PAM_CHANGES
-fuGEN_TOKEN
-
-echo "Done. Re-run this script by every user who needs Cockpit access."
-echo ""
diff --git a/_deprecated/bin/backup_es_folders.sh b/_deprecated/bin/backup_es_folders.sh
deleted file mode 100755
index 3d15261b..00000000
--- a/_deprecated/bin/backup_es_folders.sh
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/bash
-# Run as root only.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ];
- then
- echo "Need to run as root ..."
- exit
-fi
-
-if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
- then
- echo "Usage: backup_es_folders [all, base]"
- echo " all = backup all ES folder"
- echo " base = backup only Kibana index".
- echo
- exit
-fi
-
-# Backup all ES relevant folders
-# Make sure ES is available
-myES="http://127.0.0.1:64298/"
-myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
-if ! [ "$myESSTATUS" = "1" ]
- then
- echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
- exit
- else
- echo "### Elasticsearch is available, now continuing."
- echo
-fi
-
-# Set vars
-myCOUNT=1
-myDATE=$(date +%Y%m%d%H%M)
-myELKPATH="/data/elk/data"
-myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
-myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
-
-# Let's ensure normal operation on exit or if interrupted ...
-function fuCLEANUP {
- ### Start ELK
- systemctl start tpot
- echo "### Now starting T-Pot ..."
-}
-trap fuCLEANUP EXIT
-
-# Stop T-Pot to lift db lock
-echo "### Now stopping T-Pot"
-systemctl stop tpot
-sleep 2
-
-# Backup DB in 2 flavors
-echo "### Now backing up Elasticsearch folders ..."
-if [ "$1" == "all" ];
- then
- tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
-elif [ "$1" == "base" ];
- then
- tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
-fi
-
diff --git a/_deprecated/bin/blackhole.sh b/_deprecated/bin/blackhole.sh
deleted file mode 100755
index e2a51af0..00000000
--- a/_deprecated/bin/blackhole.sh
+++ /dev/null
@@ -1,109 +0,0 @@
-#!/bin/bash
-
-# Run as root only.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
- then
- echo "### Need to run as root ..."
- echo
- exit
-fi
-
-# Disclaimer
-if [ "$1" == "" ];
- then
- echo "### Warning!"
- echo "### This script will download and add blackhole routes for known mass scanners in an attempt to decrease the chance of detection."
- echo "### IPs are neither curated or verified, use at your own risk!"
- echo "###"
- echo "### As long as is not executed the routes will be re-added on T-Pot start through ."
- echo "### Check with or if blackhole is enabled."
- echo
- echo "Usage: blackhole.sh add (add blackhole routes)"
- echo " blackhole.sh del (delete blackhole routes)"
- echo
- exit
-fi
-
-# QnD paths, files
-mkdir -p /etc/blackhole
-cd /etc/blackhole
-myFILE="mass_scanner.txt"
-myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
-myBASELINE="500"
-# Alternatively, using less routes, but blocking complete /24 networks
-#myFILE="mass_scanner_cidr.txt"
-#myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
-
-# Calculate age of downloaded list, read IPs
-if [ -f "$myFILE" ];
- then
- myNOW=$(date +%s)
- myOLD=$(date +%s -r "$myFILE")
- myDAYS=$(( ($myNOW-$myOLD) / (60*60*24) ))
- echo "### Downloaded $myFILE list is $myDAYS days old."
- myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
-fi
-
-# Let's load ip list
-if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
- then
- echo "### Downloading $myFILE list."
- aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
- myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
-fi
-
-myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
-# Let's extract mass scanner IPs
-if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
- then
- echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
- echo "### Aborting."
- echo
- exit
-elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
- then
- echo "### Blackhole already enabled."
- echo "### Aborting."
- echo
- exit
-fi
-
-# Let's add blackhole routes for all mass scanner IPs
-if [ "$1" == "add" ];
- then
- echo
- echo -n "Now adding $myCOUNT IPs to blackhole."
- for i in $myBLACKHOLE_IPS;
- do
- ip route add blackhole "$i"
- echo -n "."
- done
- echo
- echo "Added $(ip r | grep "blackhole" -c) IPs to blackhole."
- echo
- echo "### Remember!"
- echo "### As long as is not executed the routes will be re-added on T-Pot start through ."
- echo "### Check with or if blackhole is enabled."
- echo
- exit
-fi
-
-# Let's delete blackhole routes for all mass scanner IPs
-if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
- then
- echo
- echo -n "Now deleting $myCOUNT IPs from blackhole."
- for i in $myBLACKHOLE_IPS;
- do
- ip route del blackhole "$i"
- echo -n "."
- done
- echo
- echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
- echo
- rm "$myFILE"
- else
- echo "### Blackhole already disabled."
- echo
-fi
diff --git a/_deprecated/bin/change_ews_config.sh b/_deprecated/bin/change_ews_config.sh
deleted file mode 100755
index 5b660656..00000000
--- a/_deprecated/bin/change_ews_config.sh
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/bin/bash
-
-echo """
-
-##############################
-# T-POT DTAG Data Submission #
-# Contact: #
-# cert@telekom.de #
-##############################
-"""
-
-# Got root?
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
- then
- echo "Need to run as root ..."
- sudo ./$0
- exit
-fi
-
-printf "[*] Enter your API UserID: "
-read apiUser
-printf "[*] Enter your API Token: "
-read apiToken
-printf "[*] If you have multiple T-Pots running, give them each a unique NUMBER, e.g. '2' for your second T-Pot installation. Enter unique number for THIS T-Pot: "
-read indexNumber
-if ! [[ "$indexNumber" =~ ^[0-9]+$ ]]
- then
- echo "Sorry integers only. You have to start over..."
- exit 1
-fi
-apiURL="https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage"
-printf "[*] Currently, your honeypot is configured to transmit data the default backend at 'https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage'. Do you want to change this API endpoint? Only do this if you run your own PEBA backend instance? (N/y): "
-read replyAPI
-if [[ $replyAPI =~ ^[Yy]$ ]]
-then
- printf "[*] Enter your API endpoint URL and make sure it contains the full path, e.g. 'https://myDomain.local:9922/ews-0.1/alert/postSimpleMessage': "
- read apiURL
-fi
-
-
-
-echo ""
-echo "[*] Recap! You defined: "
-echo "############################"
-echo "API User: " $apiUser
-echo "API Token: " $apiToken
-echo "API URL: " $apiURL
-echo "Unique numeric ID for your T-Pot Installation: " $indexNumber
-echo "Specific honeypot-IDs will look like : -"$apiUser"-"$indexNumber
-echo "############################"
-echo ""
-printf "[*] Is the above correct (y/N)? "
-read reply
-if [[ ! $reply =~ ^[Yy]$ ]]
-then
- echo "OK, then run this again..."
- exit 1
-fi
-echo ""
-echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
-echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
-wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist
-if [[ -f "ews.cfg.dist" ]]; then
- echo "[+] Successfully downloaded ews.cfg from github."
-else
- echo "[+] Could not download ews.cfg from github."
- exit 1
-fi
-echo "[+] Patching ews.cfg API Credentials."
-sed 's/community-01-user/'$apiUser'/' ews.cfg.dist > ews.cfg
-sed -i 's/foth{a5maiCee8fineu7/'$apiToken'/' ews.cfg
-echo "[+] Patching ews.cfg API Url."
-apiURL=${apiURL////\\/};
-sed -i 's/https:\/\/community.sicherheitstacho.eu\/ews-0.1\/alert\/postSimpleMessage/'$apiURL'/' ews.cfg
-echo "[+] Patching ews.cfg honeypot IDs."
-sed -i 's/community-01/'$apiUser'-'$indexNumber'/' ews.cfg
-
-rm ews.cfg.dist
-
-echo "[+] Changing tpot.yml to include new ews.cfg."
-
-cp ews.cfg /data/ews/conf/ews.cfg
-cp /opt/tpot/etc/tpot.yml /opt/tpot/etc/tpot.yml.bak
-sed -i '/- \/data\/ews\/conf\/ews.ip:\/opt\/ewsposter\/ews.ip/a\ \ \ - \/data\/ews\/conf\/ews.cfg:\/opt\/ewsposter\/ews.cfg' /opt/tpot/etc/tpot.yml
-
-echo "[+] Restarting T-Pot."
-systemctl restart tpot
-echo "[+] Done."
diff --git a/_deprecated/bin/clean.sh b/_deprecated/bin/clean.sh
deleted file mode 100755
index c9e6cb44..00000000
--- a/_deprecated/bin/clean.sh
+++ /dev/null
@@ -1,372 +0,0 @@ -#!/bin/bash -# T-Pot Container Data Cleaner & Log Rotator -# Set colors -myRED="" -myGREEN="" -myWHITE="" - -# Set pigz -myPIGZ=$(which pigz) - -# Set persistence -myPERSISTENCE=$1 - -# Let's create a function to check if folder is empty -fuEMPTY () { - local myFOLDER=$1 - -echo $(ls $myFOLDER | wc -l) -} - -# Let's create a function to rotate and compress logs -fuLOGROTATE () { - local mySTATUS="/opt/tpot/etc/logrotate/status" - local myCONF="/opt/tpot/etc/logrotate/logrotate.conf" - local myADBHONEYTGZ="/data/adbhoney/downloads.tgz" - local myADBHONEYDL="/data/adbhoney/downloads/" - local myCOWRIETTYLOGS="/data/cowrie/log/tty/" - local myCOWRIETTYTGZ="/data/cowrie/log/ttylogs.tgz" - local myCOWRIEDL="/data/cowrie/downloads/" - local myCOWRIEDLTGZ="/data/cowrie/downloads.tgz" - local myDIONAEABI="/data/dionaea/bistreams/" - local myDIONAEABITGZ="/data/dionaea/bistreams.tgz" - local myDIONAEABIN="/data/dionaea/binaries/" - local myDIONAEABINTGZ="/data/dionaea/binaries.tgz" - local myHONEYTRAPATTACKS="/data/honeytrap/attacks/" - local myHONEYTRAPATTACKSTGZ="/data/honeytrap/attacks.tgz" - local myHONEYTRAPDL="/data/honeytrap/downloads/" - local myHONEYTRAPDLTGZ="/data/honeytrap/downloads.tgz" - local myTANNERF="/data/tanner/files/" - local myTANNERFTGZ="/data/tanner/files.tgz" - -# Ensure correct permissions and ownerships for logrotate to run without issues -chmod 770 /data/ -R -chown tpot:tpot /data -R -chmod 644 /data/nginx/conf -R -chmod 644 /data/nginx/cert -R - -# Run logrotate with force (-f) first, so the status file can be written and race conditions (with tar) be avoided -logrotate -f -s $mySTATUS $myCONF - -# Compressing some folders first and rotate them later -if [ "$(fuEMPTY $myADBHONEYDL)" != "0" ]; then tar -I $myPIGZ -cvf $myADBHONEYTGZ $myADBHONEYDL; fi -if [ "$(fuEMPTY $myCOWRIETTYLOGS)" != "0" ]; then tar -I $myPIGZ -cvf $myCOWRIETTYTGZ $myCOWRIETTYLOGS; fi -if [ "$(fuEMPTY $myCOWRIEDL)" != "0" ]; then tar -I $myPIGZ -cvf 
$myCOWRIEDLTGZ $myCOWRIEDL; fi -if [ "$(fuEMPTY $myDIONAEABI)" != "0" ]; then tar -I $myPIGZ -cvf $myDIONAEABITGZ $myDIONAEABI; fi -if [ "$(fuEMPTY $myDIONAEABIN)" != "0" ]; then tar -I $myPIGZ -cvf $myDIONAEABINTGZ $myDIONAEABIN; fi -if [ "$(fuEMPTY $myHONEYTRAPATTACKS)" != "0" ]; then tar -I $myPIGZ -cvf $myHONEYTRAPATTACKSTGZ $myHONEYTRAPATTACKS; fi -if [ "$(fuEMPTY $myHONEYTRAPDL)" != "0" ]; then tar -I $myPIGZ -cvf $myHONEYTRAPDLTGZ $myHONEYTRAPDL; fi -if [ "$(fuEMPTY $myTANNERF)" != "0" ]; then tar -I $myPIGZ -cvf $myTANNERFTGZ $myTANNERF; fi - -# Ensure correct permissions and ownership for previously created archives -chmod 770 $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ -chown tpot:tpot $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ - -# Need to remove subfolders since too many files cause rm to exit with errors -rm -rf $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF - -# Recreate subfolders with correct permissions and ownership -mkdir -p $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF -chmod 770 $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF -chown tpot:tpot $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF - -# Run logrotate again to account for previously created archives - DO NOT FORCE HERE! 
-logrotate -s $mySTATUS $myCONF -} - -# Let's create a function to clean up and prepare honeytrap data -fuADBHONEY () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi - mkdir -p /data/adbhoney/log/ /data/adbhoney/downloads/ - chmod 770 /data/adbhoney/ -R - chown tpot:tpot /data/adbhoney/ -R -} - -# Let's create a function to clean up and prepare ciscoasa data -fuCISCOASA () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi - mkdir -p /data/ciscoasa/log - chmod 770 /data/ciscoasa -R - chown tpot:tpot /data/ciscoasa -R -} - -# Let's create a function to clean up and prepare citrixhoneypot data -fuCITRIXHONEYPOT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi - mkdir -p /data/citrixhoneypot/logs/ - chmod 770 /data/citrixhoneypot/ -R - chown tpot:tpot /data/citrixhoneypot/ -R -} - -# Let's create a function to clean up and prepare conpot data -fuCONPOT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi - mkdir -p /data/conpot/log - chmod 770 /data/conpot -R - chown tpot:tpot /data/conpot -R -} - -# Let's create a function to clean up and prepare cowrie data -fuCOWRIE () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/cowrie/*; fi - mkdir -p /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/ - chmod 770 /data/cowrie -R - chown tpot:tpot /data/cowrie -R -} - -# Let's create a function to clean up and prepare ddospot data -fuDDOSPOT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi - mkdir -p /data/ddospot/bl /data/ddospot/db /data/ddospot/log - chmod 770 /data/ddospot -R - chown tpot:tpot /data/ddospot -R -} - -# Let's create a function to clean up and prepare dicompot data -fuDICOMPOT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi - mkdir -p /data/dicompot/log - mkdir -p /data/dicompot/images - chmod 770 /data/dicompot -R - chown tpot:tpot /data/dicompot -R -} - -# Let's create a function 
to clean up and prepare dionaea data -fuDIONAEA () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi - mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp - chmod 770 /data/dionaea -R - chown tpot:tpot /data/dionaea -R -} - -# Let's create a function to clean up and prepare elasticpot data -fuELASTICPOT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elasticpot/*; fi - mkdir -p /data/elasticpot/log - chmod 770 /data/elasticpot -R - chown tpot:tpot /data/elasticpot -R -} - -# Let's create a function to clean up and prepare elk data -fuELK () { - # ELK data will be kept for <= 90 days, check /etc/crontab for curator modification - # ELK daemon log files will be removed - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elk/log/*; fi - mkdir -p /data/elk - chmod 770 /data/elk -R - chown tpot:tpot /data/elk -R -} - -# Let's create a function to clean up and prepare endlessh data -fuENDLESSH () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi - mkdir -p /data/endlessh/log - chmod 770 /data/endlessh -R - chown tpot:tpot /data/endlessh -R -} - -# Let's create a function to clean up and prepare fatt data -fuFATT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi - mkdir -p /data/fatt/log - chmod 770 -R /data/fatt - chown tpot:tpot -R /data/fatt -} - -# Let's create a function to clean up and prepare glastopf data -fuGLUTTON () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi - mkdir -p /data/glutton/log - chmod 770 /data/glutton -R - chown tpot:tpot /data/glutton -R -} - -# Let's create a function to clean up and prepare hellpot data -fuHELLPOT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi - mkdir -p /data/hellpot/log - chmod 770 /data/hellpot -R - chown tpot:tpot /data/hellpot -R -} - -# Let's create a function to 
clean up and prepare heralding data -fuHERALDING () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi - mkdir -p /data/heralding/log - chmod 770 /data/heralding -R - chown tpot:tpot /data/heralding -R -} - -# Let's create a function to clean up and prepare honeypots data -fuHONEYPOTS () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi - mkdir -p /data/honeypots/log - chmod 770 /data/honeypots -R - chown tpot:tpot /data/honeypots -R -} - -# Let's create a function to clean up and prepare honeysap data -fuHONEYSAP () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi - mkdir -p /data/honeysap/log - chmod 770 /data/honeysap -R - chown tpot:tpot /data/honeysap -R -} - -# Let's create a function to clean up and prepare honeytrap data -fuHONEYTRAP () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi - mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ - chmod 770 /data/honeytrap/ -R - chown tpot:tpot /data/honeytrap/ -R -} - -# Let's create a function to clean up and prepare ipphoney data -fuIPPHONEY () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi - mkdir -p /data/ipphoney/log - chmod 770 /data/ipphoney -R - chown tpot:tpot /data/ipphoney -R -} - -# Let's create a function to clean up and prepare log4pot data -fuLOG4POT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi - mkdir -p /data/log4pot/log - chmod 770 /data/log4pot -R - chown tpot:tpot /data/log4pot -R -} - -# Let's create a function to clean up and prepare mailoney data -fuMAILONEY () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi - mkdir -p /data/mailoney/log/ - chmod 770 /data/mailoney/ -R - chown tpot:tpot /data/mailoney/ -R -} - -# Let's create a function to clean up and prepare mailoney data -fuMEDPOT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/medpot/*; fi - mkdir -p /data/medpot/log/ - chmod 770 /data/medpot/ 
-R - chown tpot:tpot /data/medpot/ -R -} - -# Let's create a function to clean up nginx logs -fuNGINX () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/nginx/log/*; fi - touch /data/nginx/log/error.log - chmod 644 /data/nginx/conf -R - chmod 644 /data/nginx/cert -R -} - -# Let's create a function to clean up and prepare rdpy data -fuRDPY () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/rdpy/*; fi - mkdir -p /data/rdpy/log/ - chmod 770 /data/rdpy/ -R - chown tpot:tpot /data/rdpy/ -R -} - -# Let's create a function to clean up and prepare redishoneypot data -fuREDISHONEYPOT () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi - mkdir -p /data/redishoneypot/log - chmod 770 /data/redishoneypot -R - chown tpot:tpot /data/redishoneypot -R -} - -# Let's create a function to clean up and prepare sentrypeer data -fuSENTRYPEER () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi - mkdir -p /data/sentrypeer/log - chmod 770 /data/sentrypeer -R - chown tpot:tpot /data/sentrypeer -R -} - -# Let's create a function to prepare spiderfoot db -fuSPIDERFOOT () { - mkdir -p /data/spiderfoot - touch /data/spiderfoot/spiderfoot.db - chmod 770 -R /data/spiderfoot - chown tpot:tpot -R /data/spiderfoot -} - -# Let's create a function to clean up and prepare suricata data -fuSURICATA () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/suricata/*; fi - mkdir -p /data/suricata/log - chmod 770 -R /data/suricata - chown tpot:tpot -R /data/suricata -} - -# Let's create a function to clean up and prepare p0f data -fuP0F () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/p0f/*; fi - mkdir -p /data/p0f/log - chmod 770 -R /data/p0f - chown tpot:tpot -R /data/p0f -} - -# Let's create a function to clean up and prepare p0f data -fuTANNER () { - if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/tanner/*; fi - mkdir -p /data/tanner/log /data/tanner/files - chmod 770 -R /data/tanner - chown tpot:tpot -R /data/tanner -} - -# 
Avoid unwanted cleaning -if [ "$myPERSISTENCE" = "" ]; - then - echo $myRED"!!! WARNING !!! - This will delete ALL honeypot logs. "$myWHITE - while [ "$myQST" != "y" ] && [ "$myQST" != "n" ]; - do - read -p "Continue? (y/n) " myQST - done - if [ "$myQST" = "n" ]; - then - echo $myGREEN"Puuh! That was close! Aborting!"$myWHITE - exit - fi -fi - -# Check persistence, if enabled compress and rotate logs -if [ "$myPERSISTENCE" = "on" ]; - then - echo "Persistence enabled, now rotating and compressing logs." - fuLOGROTATE - else - echo "Cleaning up and preparing data folders." - fuADBHONEY - fuCISCOASA - fuCITRIXHONEYPOT - fuCONPOT - fuCOWRIE - fuDDOSPOT - fuDICOMPOT - fuDIONAEA - fuELASTICPOT - fuELK - fuENDLESSH - fuFATT - fuGLUTTON - fuHERALDING - fuHELLPOT - fuHONEYSAP - fuHONEYPOTS - fuHONEYTRAP - fuIPPHONEY - fuLOG4POT - fuMAILONEY - fuMEDPOT - fuNGINX - fuREDISHONEYPOT - fuRDPY - fuSENTRYPEER - fuSPIDERFOOT - fuSURICATA - fuP0F - fuTANNER - fi diff --git a/_deprecated/bin/deploy.sh b/_deprecated/bin/deploy.sh deleted file mode 100755 index e1d5af4b..00000000 --- a/_deprecated/bin/deploy.sh +++ /dev/null 
@@ -1,182 +0,0 @@ -#!/bin/bash - -# Do we have root? -function fuGOT_ROOT { -echo -echo -n "### Checking for root: " -if [ "$(whoami)" != "root" ]; - then - echo "[ NOT OK ]" - echo "### Please run as root." - echo "### Example: sudo $0" - exit - else - echo "[ OK ]" -fi -} - -function fuDEPLOY_SENSOR () { -echo -echo "###############################" -echo "# Deploying to T-Pot Hive ... #" -echo "###############################" -echo -sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF -echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME"; -mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh; -echo "$MY_SENSOR_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys; -chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys; -chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh; -chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh' -EOF - -echo -echo "###########################" -echo "# Done. Please reboot ... #" -echo "###########################" -echo - -exit 0 -} - -# Check Hive availability -function fuCHECK_HIVE () { -echo -echo "############################################" -echo "# Checking for T-Pot Hive availability ... #" -echo "############################################" -echo -sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no" -if [ $? -eq 0 ]; - then - echo - echo "#########################" - echo "# T-Pot Hive available! #" - echo "#########################" - echo - myHIVE_OK=$(curl -s http://127.0.0.1:64305) - if [ "$myHIVE_OK" == "ok" ]; - then - echo - echo "##############################" - echo "# T-Pot Hive tunnel test OK! #" - echo "##############################" - echo - kill -9 $(pidof ssh) - else - echo - echo "######################################################" - echo "# T-Pot Hive tunnel test FAILED! #" - echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. 
#" - echo "# Aborting. #" - echo "######################################################" - echo - kill -9 $(pidof ssh) - rm $MY_SENSOR_PUBLICKEYFILE - rm $MY_SENSOR_PRIVATEKEYFILE - rm $MY_LS_ENVCONFIGFILE - exit 1 - fi; - else - echo - echo "#################################################################" - echo "# Something went wrong, most likely T-Pot Hive was unreachable! #" - echo "# Aborting. #" - echo "#################################################################" - echo - rm $MY_SENSOR_PUBLICKEYFILE - rm $MY_SENSOR_PRIVATEKEYFILE - rm $MY_LS_ENVCONFIGFILE - exit 1 -fi; -} - -function fuGET_DEPLOY_DATA () { -echo -echo "### Please provide data from your T-Pot Hive installation." -echo "### This usually is the one running the 'T-Pot Hive' type." -echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN." -echo "### Do not worry, the password will not be persisted!" -echo - -read -p "Username: " MY_TPOT_USERNAME -read -s -p "Password: " SSHPASS -echo -export SSHPASS -read -p "IP / FQDN: " MY_HIVE_IP -MY_HIVE_USERNAME="$(hostname)" -MY_TPOT_TYPE="SENSOR" -MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment" - -MY_SENSOR_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub" -MY_SENSOR_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME" -if ! [ -s "$MY_SENSOR_PRIVATEKEYFILE" ] && ! [ -s "$MY_SENSOR_PUBLICKEYFILE" ]; - then - echo - echo "##############################" - echo "# Generating ssh keyfile ... #" - echo "##############################" - echo - mkdir -p /data/elk/logstash - ssh-keygen -f "$MY_SENSOR_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME" - MY_SENSOR_PUBLICKEY="$(cat "$MY_SENSOR_PUBLICKEYFILE")" - else - echo - echo "#############################################" - echo "# There is already a ssh keyfile. Aborting. 
#" - echo "#############################################" - echo - exit 1 -fi -echo -echo "###########################################################" -echo "# Writing config to /data/elk/logstash/ls_environment. #" -echo "# If you make changes to this file, you need to reboot or #" -echo "# run /opt/tpot/bin/updateip.sh. #" -echo "###########################################################" -echo -tee $MY_LS_ENVCONFIGFILE << EOF -MY_TPOT_TYPE=$MY_TPOT_TYPE -MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE -MY_HIVE_USERNAME=$MY_HIVE_USERNAME -MY_HIVE_IP=$MY_HIVE_IP -EOF -} - -# Deploy Pot to Hive -fuGOT_ROOT -echo -echo "#################################" -echo "# Ship T-Pot Logs to T-Pot Hive #" -echo "#################################" -echo -echo "If you already have a T-Pot Hive installation running and" -echo "this T-Pot installation is running the type \"Pot\" the" -echo "script will automagically setup this T-Pot to ship and" -echo "prepare the Hive to receive logs from this T-Pot." -echo -echo -echo "###################################" -echo "# Deploy T-Pot Logs to T-Pot Hive #" -echo "###################################" -echo -echo "[c] - Continue deplyoment" -echo "[q] - Abort and exit" -echo -while [ 1 != 2 ] - do - read -s -n 1 -p "Your choice: " mySELECT - echo $mySELECT - case "$mySELECT" in - [c,C]) - fuGET_DEPLOY_DATA - fuCHECK_HIVE - fuDEPLOY_SENSOR - break - ;; - [q,Q]) - echo "Aborted." - exit 0 - ;; - esac -done diff --git a/_deprecated/bin/deprecated/export_kibana-objects.sh b/_deprecated/bin/deprecated/export_kibana-objects.sh deleted file mode 100755 index e5280dd4..00000000 --- a/_deprecated/bin/deprecated/export_kibana-objects.sh +++ /dev/null 
@@ -1,94 +0,0 @@ -#!/bin/bash -# Export all Kibana objects through Kibana Saved Objects API -# Make sure ES is available -myES="http://127.0.0.1:64298/" -myKIBANA="http://127.0.0.1:64296/" -myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) -if ! [ "$myESSTATUS" = "1" ] - then - echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'." - exit - else - echo "### Elasticsearch is available, now continuing." - echo -fi - -# Set vars -myDATE=$(date +%Y%m%d%H%M) -myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w) -myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"') -myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"') -myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"') -mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=500' | jq '.saved_objects[].id' | tr -d '"') -myCONFIGS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=config&per_page=500' | jq '.saved_objects[].id' | tr -d '"') -myCOL1="" -myCOL0="" - -# Let's ensure normal operation on exit or if interrupted ... -function fuCLEANUP { - rm -rf patterns/ dashboards/ visualizations/ searches/ configs/ -} -trap fuCLEANUP EXIT - -# Export index patterns -mkdir -p patterns -echo $myCOL1"### Now exporting"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0 -curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes, references}' > patterns/$myINDEXID.json & -echo - -# Export dashboards -mkdir -p dashboards -echo $myCOL1"### Now exporting"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." 
$myCOL0 -for i in $myDASHBOARDS; - do - echo $myCOL1"###### "$i $myCOL0 - curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes, references}' > dashboards/$i.json & - done; -echo - -# Export visualizations -mkdir -p visualizations -echo $myCOL1"### Now exporting"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0 -for i in $myVISUALIZATIONS; - do - echo $myCOL1"###### "$i $myCOL0 - curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes, references}' > visualizations/$i.json & - done; -echo - -# Export searches -mkdir -p searches -echo $myCOL1"### Now exporting"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0 -for i in $mySEARCHES; - do - echo $myCOL1"###### "$i $myCOL0 - curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes, references}' > searches/$i.json & - done; -echo - -# Export configs -mkdir -p configs -echo $myCOL1"### Now exporting"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0 -for i in $myCONFIGS; - do - echo $myCOL1"###### "$i $myCOL0 - curl -s -XGET ''$myKIBANA'api/saved_objects/config/'$i'' | jq '. | {attributes, references}' > configs/$i.json & - done; -echo - -# Wait for background exports to finish -wait - -# Building tar archive -echo $myCOL1"### Now building archive"$myCOL0 "kibana-objects_"$myDATE".tgz" -tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches configs > /dev/null - -# Stats -echo -echo $myCOL1"### Statistics" -echo $myCOL1"###### Exported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myCOL0 -echo $myCOL1"###### Exported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0 -echo $myCOL1"###### Exported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0 -echo $myCOL1"###### Exported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0 -echo $myCOL1"###### Exported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." 
$myCOL0
-echo
diff --git a/_deprecated/bin/deprecated/hptest.sh b/_deprecated/bin/deprecated/hptest.sh
deleted file mode 100755
index 94806a71..00000000
--- a/_deprecated/bin/deprecated/hptest.sh
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/bin/bash
-
-myHOST="$1"
-myPACKAGES="dcmtk netcat nmap"
-myMEDPOTPACKET="
-MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
-EVN|A01|198808181123
-PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
-NK1|1|JONES^BARBARA^K|SPO|||||20011105
-NK1|1|JONES^MICHAEL^A|FTH
-PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
-AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
-AL1|2||^CAT DANDER||CODE257
-DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
-PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
-ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
-GT1|1122|1519|BILL^GATES^A
-IN1|001|A357|1234|BCMD|||||132987
-IN2|ID1551001|SSN12345678
-ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
-
-function fuGOTROOT {
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
- then
- echo "Need to run as root ..."
- exit
-fi
-}
-
-function fuCHECKDEPS {
-myINST=""
-for myDEPS in $myPACKAGES;
-do
- myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
- if [ "$myOK" != "ok" ]
- then
- myINST=$(echo $myINST $myDEPS)
- fi
-done
-if [ "$myINST" != "" ]
- then
- apt-get update -y
- for myDEPS in $myINST;
- do
- apt-get install $myDEPS -y
- done
-fi
-}
-
-function fuCHECKFORARGS {
-if [ "$myHOST" != "" ];
- then
- echo "All arguments met. Continuing."
- else - echo "Usage: hp_test.sh <[host or ip]>" - exit -fi -} - -function fuGETPORTS { -myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu) -myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done) -echo "Found these ports enabled:" -echo "$myPORTS" -exit -} - -function fuSCAN { -local myTIMEOUT="$1" -local mySCANPORT="$2" -local mySCANIP="$3" -local mySCANOPTS="$4" - -timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} & -} - -# Main -fuGOTROOT -fuCHECKDEPS -fuCHECKFORARGS - -echo "Starting scans ..." -echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 & -curl -XGET "http://$myHOST:9200/logstash-*/_search" & -curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" & -echo "I20100" | timeout --foreground 3 nc "$myHOST" 10001 & -findscu -P -k PatientName="*" $myHOST 11112 & -getscu -P -k PatientName="*" $myHOST 11112 & -telnet $myHOST 3299 & -fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV" -fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light" -fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV" -fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV" -fuSCAN "30" "22" "$myHOST" "--script=ssh-brute" -fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light" -fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV" -fuSCAN "180" "42" "$myHOST" "-sC -sS -sV" -fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU" -fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV" -fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light" -fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS" -fuSCAN "120" "143,993" 
"$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light" -fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS" -fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU" -fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU" -fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU" -fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU" -fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS" -fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS" -fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS" -fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS" -fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV" -fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV" -fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU" -fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU" -fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS" -fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS" -fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS" -wait -reset -echo "Done." diff --git a/_deprecated/bin/deprecated/import_kibana-objects.sh b/_deprecated/bin/deprecated/import_kibana-objects.sh deleted file mode 100755 index cf5a6aa0..00000000 --- a/_deprecated/bin/deprecated/import_kibana-objects.sh +++ /dev/null 
@@ -1,126 +0,0 @@ -#!/bin/bash -# Import Kibana objects -# Make sure ES is available -myES="http://127.0.0.1:64298/" -myKIBANA="http://127.0.0.1:64296/" -myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) -if ! [ "$myESSTATUS" = "1" ] - then - echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'." - exit - else - echo "### Elasticsearch is available, now continuing." - echo -fi - -# Set vars -myDUMP=$1 -myCOL1="" -myCOL0="" - -# Let's ensure normal operation on exit or if interrupted ... -function fuCLEANUP { - rm -rf patterns/ dashboards/ visualizations/ searches/ configs/ -} -trap fuCLEANUP EXIT - -# Check if parameter is given and file exists -if [ "$myDUMP" = "" ]; - then - echo $myCOL1"### Please provide a backup file name."$myCOL0 - echo $myCOL1"### import_kibana-objects.sh "$myCOL0 - echo - exit -fi -if ! [ -a $myDUMP ]; - then - echo $myCOL1"### File not found."$myCOL0 - exit -fi - -# Unpack tar -tar xvfz $myDUMP > /dev/null - -# Restore index patterns -myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev) -myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w) -echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0 -curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null -curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null -curl -s -XPOST ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @patterns/$myINDEXID.json > /dev/null & -echo - -# Restore dashboards -myDASHBOARDS=$(ls dashboards/*.json | cut -c 12- | rev | cut -c 6- | rev) -echo $myCOL1"### Now importing "$myCOL0$(echo $myDASHBOARDS | wc -w)$myCOL1 "dashboards." 
$myCOL0 -for i in $myDASHBOARDS; - do - curl -s -XDELETE ''$myKIBANA'api/saved_objects/dashboard/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null & - done; -wait -for i in $myDASHBOARDS; - do - echo $myCOL1"###### "$i $myCOL0 - curl -s -XPOST ''$myKIBANA'api/saved_objects/dashboard/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @dashboards/$i.json > /dev/null & - done; -wait -echo - -# Restore visualizations -myVISUALIZATIONS=$(ls visualizations/*.json | cut -c 16- | rev | cut -c 6- | rev) -echo $myCOL1"### Now importing "$myCOL0$(echo $myVISUALIZATIONS | wc -w)$myCOL1 "visualizations." $myCOL0 -for i in $myVISUALIZATIONS; - do - curl -s -XDELETE ''$myKIBANA'api/saved_objects/visualization/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null & - done; -wait -for i in $myVISUALIZATIONS; - do - echo $myCOL1"###### "$i $myCOL0 - curl -s -XPOST ''$myKIBANA'api/saved_objects/visualization/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @visualizations/$i.json > /dev/null & - done; -wait -echo - -# Restore searches -mySEARCHES=$(ls searches/*.json | cut -c 10- | rev | cut -c 6- | rev) -echo $myCOL1"### Now importing "$myCOL0$(echo $mySEARCHES | wc -w)$myCOL1 "searches." $myCOL0 -for i in $mySEARCHES; - do - curl -s -XDELETE ''$myKIBANA'api/saved_objects/search/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null & - done; -wait -for i in $mySEARCHES; - do - echo $myCOL1"###### "$i $myCOL0 - curl -s -XPOST ''$myKIBANA'api/saved_objects/search/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @searches/$i.json > /dev/null & - done; -echo -wait - -# Restore configs -myCONFIGS=$(ls configs/*.json | cut -c 9- | rev | cut -c 6- | rev) -echo $myCOL1"### Now importing "$myCOL0$(echo $myCONFIGS | wc -w)$myCOL1 "configs." 
$myCOL0 -for i in $myCONFIGS; - do - curl -s -XDELETE ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null & - done; -wait -for i in $myCONFIGS; - do - echo $myCOL1"###### "$i $myCOL0 - curl -s -XPOST ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @configs/$i.json > /dev/null & - done; -echo -wait - -# Stats -echo -echo $myCOL1"### Statistics" -echo $myCOL1"###### Imported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myCOL0 -echo $myCOL1"###### Imported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0 -echo $myCOL1"###### Imported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0 -echo $myCOL1"###### Imported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0 -echo $myCOL1"###### Imported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0 -echo - diff --git a/_deprecated/bin/dps.sh b/_deprecated/bin/dps.sh deleted file mode 100755 index b5969435..00000000 --- a/_deprecated/bin/dps.sh +++ /dev/null 
@@ -1,73 +0,0 @@
-#!/bin/bash
-
-# Run as root only.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
- then
- echo "Need to run as root ..."
- exit
-fi
-
-myPARAM="$1"
-if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
- then
- watch --color -n $myPARAM "$0"
- exit
-fi
-
-# Show current status of T-Pot containers
-myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
-myRED=""
-myGREEN=""
-myBLUE=""
-myWHITE=""
-myMAGENTA=""
-
-# Blackhole Status
-myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
-if [ "$myBLACKHOLE_STATUS" -gt "500" ];
- then
- myBLACKHOLE_STATUS="${myGREEN}ENABLED"
- else
- myBLACKHOLE_STATUS="${myRED}DISABLED"
-fi
-
-function fuGETTPOT_STATUS {
-# T-Pot Status
-myTPOT_STATUS=$(systemctl status tpot | grep "Active" | awk '{ print $2 }')
-if [ "$myTPOT_STATUS" == "active" ];
- then
- echo "${myGREEN}ACTIVE"
- else
- echo "${myRED}INACTIVE"
-fi
-}
-
-function fuGETSTATUS {
-grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
-}
-
-function fuGETSYS {
-printf "[ ========| System |======== ]\n"
-printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "DATE: " "$(date)"
-printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "UPTIME: " "$(grc --colour=on uptime)"
-printf "${myMAGENTA}%+11s %-20s\n" "T-POT: " "$(fuGETTPOT_STATUS)"
-printf "${myMAGENTA}%+11s %-20s\n" "BLACKHOLE: " "$myBLACKHOLE_STATUS${myWHITE}"
-echo
-}
-
- myDPS=$(fuGETSTATUS)
- myDPSNAMES=$(echo "$myDPS" | awk '{ print $1 }' | sort)
- fuGETSYS
- printf "%-21s %-28s %s\n" "NAME" "STATUS" "PORTS"
- if [ "$myDPS" != "" ];
- then
- echo "$myDPS"
- fi
- for i in $myCONTAINERS; do
- myAVAIL=$(echo "$myDPSNAMES" | grep -o "$i" | uniq | wc -l)
- if [ "$myAVAIL" = "0" ];
- then
- printf "%-28s %-28s\n" "$myRED$i" "DOWN$myWHITE"
- fi
- done
diff --git a/_deprecated/bin/dump_es.sh b/_deprecated/bin/dump_es.sh
deleted file mode 100755
index a6e17895..00000000
--- a/_deprecated/bin/dump_es.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#/bin/bash
-# Dump all ES data
-# Make sure ES is available
-myES="http://127.0.0.1:64298/"
-myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
-if ! [ "$myESSTATUS" = "1" ]
- then
- echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
- exit
- else
- echo "### Elasticsearch is available, now continuing."
- echo
-fi
-
-# Let's ensure normal operation on exit or if interrupted ...
-function fuCLEANUP {
- rm -rf tmp
-}
-trap fuCLEANUP EXIT
-
-# Set vars
-myDATE=$(date +%Y%m%d%H%M)
-myINDICES=$(curl -s -XGET ''$myES'_cat/indices/logstash-*' | awk '{ print $3 }' | sort | grep -v 1970)
-myINDICES+=" .kibana"
-myCOL1=""
-myCOL0=""
-
-# Dumping Kibana and Logstash data
-echo $myCOL1"### The following indices will be dumped: "$myCOL0
-echo $myINDICES
-echo
-
-mkdir tmp
-for i in $myINDICES;
- do
- echo $myCOL1"### Now dumping: "$i $myCOL0
- elasticdump --input=$myES$i --output="tmp/"$i --limit 7500
- echo $myCOL1"### Now compressing: tmp/$i" $myCOL0
- gzip -f "tmp/"$i
- done;
-
-# Build tar archive
-echo $myCOL1"### Now building tar archive: es_dump_"$myDATE".tgz" $myCOL0
-tar cvf es_dump_$myDATE.tar tmp/.
-echo $myCOL1"### Done."$myCOL0
diff --git a/_deprecated/bin/hpfeeds_optin.sh b/_deprecated/bin/hpfeeds_optin.sh
deleted file mode 100755
index b3821522..00000000
--- a/_deprecated/bin/hpfeeds_optin.sh
+++ /dev/null
@@ -1,134 +0,0 @@ -#!/bin/bash - -# Run as root only. -myWHOAMI=$(whoami) -if [ "$myWHOAMI" != "root" ] - then - echo "Need to run as root ..." - exit -fi - -myTPOTYMLFILE="/opt/tpot/etc/tpot.yml" - -function fuGENERIC () { -echo -echo "You chose generic, please provide all the details of the broker" -echo -myENABLE="true" -read -p "Host URL: " myHOST -read -p "Port: " myPORT -read -p "Channel: " myCHANNEL -echo "For generic providers set this to 'false'" -echo "If you received a CA certficate mount it into the ewsposter container by modifying $myTPOTYMLFILE" -read -p "TLS - 'false' or path to CA in container: " myCERT -read -p "Ident: " myIDENT -read -p "Secret: " mySECRET -read -p "Format ews (xml) or json: " myFORMAT -} - -function fuOPTOUT () { -echo -while [ 1 != 2 ] - do - read -s -n 1 -p "You chose to opt out (y/n)? " mySELECT - echo $mySELECT - case "$mySELECT" in - [y,Y]) - echo "Opt out." - break - ;; - [n,N]) - echo "Aborted." - exit - ;; - esac -done -myENABLE="false" -myHOST="host" -myPORT="port" -myCHANNEL="channels" -myCERT="false" -myIDENT="user" -mySECRET="secret" -myFORMAT="json" -} - -function fuWRITETOFILE () { -if [ -f '/data/ews/conf/hpfeeds.cfg' ]; then - echo "Creating backup of current config in /data/ews/conf/hpfeeds.cfg.old" - mv /data/ews/conf/hpfeeds.cfg /data/ews/conf/hpfeeds.cfg.old -fi -echo "Storing new config in /data/ews/conf/hpfeeds.cfg" -cat >> /data/ews/conf/hpfeeds.cfg <" - echo - exit -fi -} - -function fuGETPORTS { -myDOCKERCOMPOSEUDPPORTS=$(cat $myDOCKERCOMPOSEYML | grep "udp" | tr -d '"\|#\-' | cut -d ":" -f2 | cut -d "/" -f1 | sort -gu) -myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu) -myUDPPORTS=$(for i in $myDOCKERCOMPOSEUDPPORTS; do echo -n "U:$i,"; done) -myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo -n "T:$i,"; done) -} - -# Main -fuGETPORTS -fuGOTROOT -fuCHECKDEPS 
-fuCHECKFORARGS -echo -echo "Starting scan on all UDP / TCP ports defined in /opt/tpot/etc/tpot.yml ..." -nmap -sV -sC -v -p $myPORTS $1 & -nmap -sU -sV -sC -v -p $myUDPPORTS $1 & -echo -wait -echo "Done." -echo - diff --git a/_deprecated/bin/myip.sh b/_deprecated/bin/myip.sh deleted file mode 100755 index e464b421..00000000 --- a/_deprecated/bin/myip.sh +++ /dev/null 
@@ -1,103 +0,0 @@ -#!/bin/bash - -## Get my external IP - -timeout=2 # seconds to wait for a reply before trying next server -verbose=1 # prints which server was used to STDERR - -dnslist=( - "dig +short myip.opendns.com @resolver1.opendns.com" - "dig +short myip.opendns.com @resolver2.opendns.com" - "dig +short myip.opendns.com @resolver3.opendns.com" - "dig +short myip.opendns.com @resolver4.opendns.com" - "dig +short -4 -t a whoami.akamai.net @ns1-1.akamaitech.net" - "dig +short whoami.akamai.net @ns1-1.akamaitech.net" -) - -httplist=( - alma.ch/myip.cgi - api.infoip.io/ip - api.ipify.org - bot.whatismyipaddress.com - canhazip.com - checkip.amazonaws.com - eth0.me - icanhazip.com - ident.me - ipecho.net/plain - ipinfo.io/ip - ipof.in/txt - ip.tyk.nu - l2.io/ip - smart-ip.net/myip - wgetip.com - whatismyip.akamai.com -) - -# function to check for valid ip -function valid_ip() -{ - local ip=$1 - local stat=1 - - if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then - OIFS=$IFS - IFS='.' - ip=($ip) - IFS=$OIFS - [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \ - && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]] - stat=$? - fi - return $stat -} - -# function to shuffle the global array "array" -shuffle() { - local i tmp size max rand - size=${#array[*]} - max=$(( 32768 / size * size )) - for ((i=size-1; i>0; i--)); do - while (( (rand=$RANDOM) >= max )); do :; done - rand=$(( rand % (i+1) )) - tmp=${array[i]} array[i]=${array[rand]} array[rand]=$tmp - done -} -# if we have dig and a list of dns methods, try that first -if hash dig 2>/dev/null && [ ${#dnslist[*]} -gt 0 ]; then - eval array=( \"\${dnslist[@]}\" ) - shuffle - for cmd in "${array[@]}"; do - [ "$verbose" == 1 ] && echo Trying: $cmd 1>&2 - ip=$(timeout $timeout $cmd) - if [ -n "$ip" ]; then - if valid_ip $ip; then - echo $ip - exit - fi - fi - done -fi -# if we haven't succeeded with DNS, try HTTP -if [ ${#httplist[*]} == 0 ]; then - echo "No hosts in httplist array!" 
>&2 - exit 1 -fi -# use curl or wget, depending on which one we find -curl_or_wget=$(if hash curl 2>/dev/null; then echo "curl -s"; elif hash wget 2>/dev/null; then echo "wget -qO-"; fi); -if [ -z "$curl_or_wget" ]; then - echo "Neither curl nor wget found. Cannot use http method." >&2 - exit 1 -fi -eval array=( \"\${httplist[@]}\" ) -shuffle -for url in "${array[@]}"; do - [ "$verbose" == 1 ] && echo Trying: $curl_or_wget "$url" 1>&2 - ip=$(timeout $timeout $curl_or_wget "$url") - if [ -n "$ip" ]; then - if valid_ip $ip; then - echo $ip - exit - fi - fi -done diff --git a/_deprecated/bin/mytopips.sh b/_deprecated/bin/mytopips.sh deleted file mode 100755 index e343ff02..00000000 --- a/_deprecated/bin/mytopips.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash -# Make sure ES is available -myES="http://127.0.0.1:64298/" -myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) -if ! [ "$myESSTATUS" = "1" ] - then - echo "### Elasticsearch is not available, try starting via 'systemctl start elk'." - exit 1 - else - echo "### Elasticsearch is available, now continuing." - echo -fi - -function fuMYTOPIPS { -curl -s -XGET $myES"_search" -H 'Content-Type: application/json' -d' -{ - "aggs": { - "ips": { - "terms": { "field": "src_ip.keyword", "size": 100 } - } - }, - "size" : 0 -}' -} - -echo "### Aggregating top 100 source IPs in ES" -fuMYTOPIPS | jq '.aggregations.ips.buckets[].key' | tr -d '"' diff --git a/_deprecated/bin/restore_es.sh b/_deprecated/bin/restore_es.sh deleted file mode 100755 index ffc5f031..00000000 --- a/_deprecated/bin/restore_es.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#/bin/bash -# Restore folder based ES backup -# Make sure ES is available -myES="http://127.0.0.1:64298/" -myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow") -if ! [ "$myESSTATUS" = "1" ] - then - echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'." - exit - else - echo "### Elasticsearch is available, now continuing." -fi - -# Let's ensure normal operation on exit or if interrupted ... -function fuCLEANUP { - rm -rf tmp -} -trap fuCLEANUP EXIT - -# Set vars -myDUMP=$1 -myCOL1="" -myCOL0="" - -# Check if parameter is given and file exists -if [ "$myDUMP" = "" ]; - then - echo $myCOL1"### Please provide a backup file name."$myCOL0 - echo $myCOL1"### restore-elk.sh "$myCOL0 - echo - exit -fi -if ! [ -a $myDUMP ]; - then - echo $myCOL1"### File not found."$myCOL0 - exit -fi - -# Unpack tar archive -echo $myCOL1"### Now unpacking tar archive: "$myDUMP $myCOL0 -tar xvf $myDUMP - -# Build indices list -myINDICES="$(ls tmp/logstash*.gz | cut -c 5- | rev | cut -c 4- | rev)" -myINDICES+=" .kibana" -echo $myCOL1"### The following indices will be restored: "$myCOL0 -echo $myINDICES -echo - -# Force single seat template for everything -echo -n $myCOL1"### Forcing single seat template: "$myCOL0 -curl -s XPUT ''$myES'_template/.*' -H 'Content-Type: application/json' -d' -{ "index_patterns": ".*", - "order": 1, - "settings": - { - "number_of_shards": 1, - "number_of_replicas": 0 - } -}' -echo - -# Set logstash template -echo -n $myCOL1"### Setting up logstash template: "$myCOL0 -curl -s XPUT ''$myES'_template/logstash' -H 'Content-Type: application/json' -d' -{ - "index_patterns": "logstash-*", - "settings" : { - "index" : { - "number_of_shards": 1, - "number_of_replicas": 0, - "mapping" : { - "total_fields" : { - "limit" : "2000" - } - } - } - } -}' -echo - -# Restore indices -curl -s -X DELETE ''$myES'.kibana*' > /dev/null -for i in $myINDICES; - do - # Delete index if it already exists - curl 
-s -X DELETE $myES$i > /dev/null - echo $myCOL1"### Now uncompressing: tmp/$i.gz" $myCOL0 - gunzip -f tmp/$i.gz - # Restore index to ES - echo $myCOL1"### Now restoring: "$i $myCOL0 - elasticdump --input=tmp/$i --output=$myES$i --limit 7500 - rm tmp/$i - done; -echo $myCOL1"### Done."$myCOL0 diff --git a/_deprecated/bin/rules.sh b/_deprecated/bin/rules.sh deleted file mode 100755 index c4a964da..00000000 --- a/_deprecated/bin/rules.sh +++ /dev/null 
@@ -1,107 +0,0 @@
-#!/bin/bash
-
-### Vars, Ports for Standard services
-myHOSTPORTS="7634 64294 64295 64297 64304"
-myDOCKERCOMPOSEYML="$1"
-myRULESFUNCTION="$2"
-
-function fuCHECKFORARGS {
-### Check if args are present, if not throw error
-
-if [ "$myDOCKERCOMPOSEYML" != "" ] && ([ "$myRULESFUNCTION" == "set" ] || [ "$myRULESFUNCTION" == "unset" ]);
- then
- echo "All arguments met. Continuing."
- else
- echo "Usage: rules.sh <[set, unset]>"
- exit
-fi
-}
-
-function fuNFQCHECK {
-### Check if honeytrap or glutton is actively enabled in docker-compose.yml
-
-myNFQCHECK=$(grep -e '^\s*honeytrap:\|^\s*glutton:' $myDOCKERCOMPOSEYML | tr -d ': ' | uniq)
-if [ "$myNFQCHECK" == "" ];
- then
- echo "No NFQ related honeypot detected, no iptables-legacy rules needed. Exiting."
- exit
- else
- echo "Detected $myNFQCHECK as NFQ based honeypot, iptables-legacy rules needed. Continuing."
-fi
-}
-
-function fuGETPORTS {
-### Get ports from docker-compose.yml
-
-myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' )
-myDOCKERCOMPOSEPORTS+=" $myHOSTPORTS"
-myRULESPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo $i; done | sort -gu)
-echo "Setting up / removing these ports:"
-echo "$myRULESPORTS"
-}
-
-function fuSETRULES {
-### Setting up iptables-legacy rules for honeytrap
-if [ "$myNFQCHECK" == "honeytrap" ];
- then
- /usr/sbin/iptables-legacy -w -A INPUT -s 127.0.0.1 -j ACCEPT
- /usr/sbin/iptables-legacy -w -A INPUT -d 127.0.0.1 -j ACCEPT
-
- for myPORT in $myRULESPORTS; do
- /usr/sbin/iptables-legacy -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
- done
-
- /usr/sbin/iptables-legacy -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
-fi
-
-### Setting up iptables-legacy rules for glutton
-if [ "$myNFQCHECK" == "glutton" ];
- then
- /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT
- /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT
-
- for myPORT in $myRULESPORTS; do
- /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT
- done
- # No need for NFQ forwarding, such rules are set up by glutton
-fi
-}
-
-function fuUNSETRULES {
-### Removing iptables-legacy rules for honeytrap
-if [ "$myNFQCHECK" == "honeytrap" ];
- then
- /usr/sbin/iptables-legacy -w -D INPUT -s 127.0.0.1 -j ACCEPT
- /usr/sbin/iptables-legacy -w -D INPUT -d 127.0.0.1 -j ACCEPT
-
- for myPORT in $myRULESPORTS; do
- /usr/sbin/iptables-legacy -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
- done
-
- /usr/sbin/iptables-legacy -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
-fi
-
-### Removing iptables-legacy rules for glutton
-if [ "$myNFQCHECK" == "glutton" ];
- then
- /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT
- /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT
-
- for myPORT in $myRULESPORTS; do
- /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT
- done
- # No need for removing NFQ forwarding, such rules are removed by glutton
-fi
-}
-
-# Main
-fuCHECKFORARGS
-fuNFQCHECK
-fuGETPORTS
-
-if [ "$myRULESFUNCTION" == "set" ];
- then
- fuSETRULES
- else
- fuUNSETRULES
-fi
diff --git a/_deprecated/bin/tpdclean.sh b/_deprecated/bin/tpdclean.sh
deleted file mode 100755
index 7ae50398..00000000
--- a/_deprecated/bin/tpdclean.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-# T-Pot Compose and Container Cleaner
-# Set colors
-myRED=""
-myGREEN=""
-myWHITE=""
-
-# Only run with command switch
-if [ "$1" != "-y" ]; then
- echo $myRED"### WARNING"$myWHITE
- echo ""
- echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
- echo $myRED"###### Run first and then ."$myWHITE
- echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
- echo ""
- echo $myRED"### WARNING "$myWHITE
- echo
- exit
-fi
-
-# Remove old containers, images and volumes
-docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
-docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
-docker network rm $(docker network ls -q) >> /dev/null 2>&1
-docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
-docker rm -v $(docker ps -aq) >> /dev/null 2>&1
-docker rmi $(docker images | grep "" | awk '{print $3}') >> /dev/null 2>&1
-docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
-exit 0
diff --git a/_deprecated/bin/tped.sh b/_deprecated/bin/tped.sh
deleted file mode 100755
index 1eadbdff..00000000
--- a/_deprecated/bin/tped.sh
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/bash
-
-# Run as root only.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
- then
- echo "Need to run as root ..."
- exit
-fi
-
-# set backtitle, get filename
-myBACKTITLE="T-Pot Edition Selection Tool"
-myYMLS=$(cd /opt/tpot/etc/compose/ && ls -1 *.yml)
-myLINK="/opt/tpot/etc/tpot.yml"
-
-# Let's load docker images in parallel
-function fuPULLIMAGES {
-local myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml"
-for name in $(cat $myTPOTCOMPOSE | grep -v '#' | grep image | cut -d'"' -f2 | uniq)
- do
- docker pull $name &
- done
-wait
-echo
-}
-
-# setup menu
-for i in $myYMLS;
- do
- myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) "
-done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
-if [ "$myEDITION" == "" ];
- then
- echo "Have a nice day!"
- exit
-fi
-dialog --backtitle "$myBACKTITLE" --title "[ Activate now? ]" --yesno "\n$myEDITION" 7 50
-myOK=$?
-if [ "$myOK" == "0" ];
- then
- echo "OK - Activating and downloading latest images."
- systemctl stop tpot
- if [ "$(docker ps -aq)" != "" ];
- then
- docker stop $(docker ps -aq)
- docker rm $(docker ps -aq)
- fi
- rm -f $myLINK
- ln -s /opt/tpot/etc/compose/$myEDITION $myLINK
- fuPULLIMAGES
- systemctl start tpot
- echo "Done. Use \"dps.sh\" for monitoring"
- else
- echo "Have a nice day!"
-fi
diff --git a/_deprecated/bin/unlock_es.sh b/_deprecated/bin/unlock_es.sh
deleted file mode 100755
index 606d85eb..00000000
--- a/_deprecated/bin/unlock_es.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#/bin/bash
-# Unlock all ES indices for read / write mode
-# Useful in cases where ES locked all indices after disk quota has been reached
-# Make sure ES is available
-myES="http://127.0.0.1:64298/"
-myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
-if ! [ "$myESSTATUS" = "1" ]
- then
- echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
- exit
- else
- echo "### Elasticsearch is available, now continuing."
- echo
-fi
-
-echo "### Trying to unlock all ES indices for read / write operation: "
-curl -XPUT -H "Content-Type: application/json" ''$myES'_all/_settings' -d '{"index.blocks.read_only_allow_delete": null}'
-echo
-
diff --git a/_deprecated/bin/updateip.sh b/_deprecated/bin/updateip.sh
deleted file mode 100755
index c63a3e64..00000000
--- a/_deprecated/bin/updateip.sh
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/bin/bash
-# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
-# If the external IP cannot be detected, the internal IP will be inherited.
-source /etc/environment
-myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
-myUUID=$(lsblk -o MOUNTPOINT,UUID | grep -e "^/ " | awk '{ print $2 }')
-myLOCALIP=$(hostname -I | awk '{ print $1 }')
-myEXTIP=$(/opt/tpot/bin/myip.sh)
-if [ "$myEXTIP" = "" ];
- then
- myEXTIP=$myLOCALIP
- myEXTIP_LAT="49.865835022498125"
- myEXTIP_LONG="8.62606472775735"
- else
- myEXTIP_LOC=$(curl -s ipinfo.io/$myEXTIP/loc)
- myEXTIP_LAT=$(echo "$myEXTIP_LOC" | cut -f1 -d",")
- myEXTIP_LONG=$(echo "$myEXTIP_LOC" | cut -f2 -d",")
-fi
-
-# Load Blackhole routes if enabled
-myBLACKHOLE_FILE1="/etc/blackhole/mass_scanner.txt"
-myBLACKHOLE_FILE2="/etc/blackhole/mass_scanner_cidr.txt"
-if [ -f "$myBLACKHOLE_FILE1" ] || [ -f "$myBLACKHOLE_FILE2" ];
- then
- /opt/tpot/bin/blackhole.sh add
-fi
-
-myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
-if [ "$myBLACKHOLE_STATUS" -gt "500" ];
- then
- myBLACKHOLE_STATUS="| BLACKHOLE: [ ENABLED ]"
- else
- myBLACKHOLE_STATUS="| BLACKHOLE: [ DISABLED ]"
-fi
-
-mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
-
-# Export
-export myUUID
-export myLOCALIP
-export myEXTIP
-export myEXTIP_LAT
-export myEXTIP_LONG
-export myBLACKHOLE_STATUS
-export mySSHUSER
-
-# Build issue
-echo "" > /etc/issue
-toilet -f ivrit -F metal --filter border:metal "T-Pot 22.04" | sed 's/\\/\\\\/g' >> /etc/issue
-echo >> /etc/issue
-echo ",---- [ \n ] [ \d ] [ \t ]" >> /etc/issue
-echo "|" >> /etc/issue
-echo "| IP: $myLOCALIP ($myEXTIP)" >> /etc/issue
-echo "| SSH: ssh -l tsec -p 64295 $myLOCALIP" >> /etc/issue
-if [ "$myCHECKIFSENSOR" == "0" ];
- then
- echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
-fi
-echo "| ADMIN: https://$myLOCALIP:64294" >> /etc/issue
-echo "$myBLACKHOLE_STATUS" >> /etc/issue
-echo "|" >> /etc/issue
-echo "\`----" >> /etc/issue
-echo >> /etc/issue
-tee /data/ews/conf/ews.ip << EOF
-[MAIN]
-ip = $myEXTIP
-EOF
-tee /opt/tpot/etc/compose/elk_environment << EOF
-HONEY_UUID=$myUUID
-MY_EXTIP=$myEXTIP
-MY_EXTIP_LAT=$myEXTIP_LAT
-MY_EXTIP_LONG=$myEXTIP_LONG
-MY_INTIP=$myLOCALIP
-MY_HOSTNAME=$HOSTNAME
-EOF
-
-if [ -s "/data/elk/logstash/ls_environment" ];
- then
- source /data/elk/logstash/ls_environment
- tee -a /opt/tpot/etc/compose/elk_environment << EOF
-MY_TPOT_TYPE=$MY_TPOT_TYPE
-MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
-MY_HIVE_USERNAME=$MY_HIVE_USERNAME
-MY_HIVE_IP=$MY_HIVE_IP
-EOF
-fi
-
-chown tpot:tpot /data/ews/conf/ews.ip
-chmod 770 /data/ews/conf/ews.ip
diff --git a/_deprecated/cloud/.gitignore b/_deprecated/cloud/.gitignore
deleted file mode 100644
index f50f50f8..00000000
--- a/_deprecated/cloud/.gitignore
+++ /dev/null
@@ -1,10 +0,0 @@
-# Ansible
-*.retry
-
-# Terraform
-**/.terraform
-**/terraform.*
-
-# OpenStack clouds
-**/clouds.yaml
-**/secure.yaml
diff --git a/_deprecated/cloud/ansible/README.md b/_deprecated/cloud/ansible/README.md
deleted file mode 100644
index 5be6a912..00000000
--- a/_deprecated/cloud/ansible/README.md
+++ /dev/null
@@ -1,257 +0,0 @@ -# T-Pot Ansible - -Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/). -It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box. -Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections. - -The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them. - -This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en). 
- -# Table of contents -- [Preparation of Ansible Master](#ansible-master) - - [Ansible Installation](#ansible) - - [OpenStack Collection Installation](#collection) - - [Agent Forwarding](#agent-forwarding) -- [Preparations in Open Telekom Cloud Console](#preparation) - - [Create new project](#project) - - [Create API user](#api-user) - - [Import Key Pair](#key-pair) -- [Clone Git Repository](#clone-git) -- [Settings and recommended values](#settings) - - [clouds.yaml](#clouds-yaml) - - [Ansible remote user](#remote-user) - - [Number of instances to deploy](#number) - - [Instance settings](#instance-settings) - - [User password](#user-password) - - [Configure `tpot.conf.dist`](#tpot-conf) - - [Optional: Custom `ews.cfg`](#ews-cfg) - - [Optional: Custom HPFEEDS](#hpfeeds) -- [Deploying a T-Pot](#deploy) -- [Further documentation](#documentation) - - -# Preparation of Ansible Master -You can either run the Ansible Playbook locally on your Linux or macOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did. -I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too. -Ansible works over the SSH Port, so you don't have to add any special rules to your Security Group. - - -## Ansible Installation -:warning: Ansible 2.10 or newer is required! - -Example for Ubuntu 18.04: - -At first we update the system: -`sudo apt update` -`sudo apt dist-upgrade` - -Then we need to add the repository and install Ansible: -`sudo apt-add-repository --yes --update ppa:ansible/ansible` -`sudo apt install ansible` - -For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). - -If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip). 
-In short (if you already have Python3/pip3 installed): -``` -pip3 install ansible -``` - - -## OpenStack Collection Installation -For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy: -`ansible-galaxy collection install openstack.cloud` - - -## Agent Forwarding -If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines. -- On Linux or macOS: - - Create or edit `~/.ssh/config` - ``` - Host ANSIBLE_MASTER_IP - ForwardAgent yes - ``` -- On Windows using Putty: -![Putty Agent Forwarding](doc/putty_agent_forwarding.png) - - -# Preparations in Open Telekom Cloud Console -(You can skip this if you have already set up a project and an API account with key pair) -(Just make sure you know the naming for everything, as you need to configure the Ansible variables.) - -Before we can start deploying, we have to prepare the Open Telekom Cloud tenant. -For that, go to the [Web Console](https://auth.otc.t-systems.com/authui/login) and log in with an admin user. - - -## Create new project -I strongly advise you to create a separate project for the T-Pots in your tenant. -In my case I named it `tpot`. - -![Create new project](doc/otc_1_project.gif) - - -## Create API user -The next step is to create a new user account, which is restricted to the project. -This ensures that the API access is limited to that project. - -![Create API user](doc/otc_2_user.gif) - - -## Import Key Pair -:warning: Now log in with the newly created API user account and select your project. - -![Login as API user](doc/otc_3_login.gif) - -Import your SSH public key. - -![Import SSH Public Key](doc/otc_4_import_key.gif) - - - -# Clone Git Repository -Clone the `tpotce` repository to your Ansible Master: -`git clone https://github.com/telekom-security/tpotce.git` -All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder. 
- - -# Settings and recommended values -You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook: - - -## clouds.yaml -Located at [`openstack/clouds.yaml`](openstack/clouds.yaml). -Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name): -``` -clouds: - open-telekom-cloud: - profile: otc - auth: - project_name: eu-de_your_project - username: your_api_user - password: your_password - user_domain_name: OTC-EU-DE-000000000010000XXXXX -``` -You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary. -For more information have a look in the [openstack.cloud.server](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) Ansible module documentation. - -If you already have your own `clouds.yaml` file or have multiple clouds in there, you can specify which one to use in the `openstack/my_os_cloud.yaml` file: -``` -# Enter the name of your cloud to use from clouds.yaml -cloud: open-telekom-cloud -``` - - -## Ansible remote user -You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`). - - -## Number of instances to deploy -You can adjust the number of VMs/T-Pots that you want to create in [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml): -``` -loop: "{{ range(0, 1) }}" -``` -One instance is set as the default, increase to your liking. - - -## Instance settings -Located at [`openstack/roles/create_vm/vars/main.yaml`](openstack/roles/create_vm/vars/main.yaml). -Here you can customize your virtual machine specifications: - - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html). 
- - Change the OS image (For T-Pot we need Debian) - - (Optional) Change the volume size - - Specify your key pair (:warning: Mandatory) - - (Optional) Change the instance type (flavor) - `s3.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor. - A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html). - -``` -availability_zone: eu-de-03 -image: Standard_Debian_10_latest -volume_size: 128 -key_name: your-KeyPair -flavor: s3.medium.8 -``` - - -## User password -Located at [`openstack/roles/install/vars/main.yaml`](openstack/roles/install/vars/main.yaml). -Here you can set the password for your Debian user (**you should definitely change that**). -``` -user_password: LiNuXuSeRPaSs# -``` - - -## Configure `tpot.conf.dist` -The file is located in [`iso/installer/tpot.conf.dist`](/iso/installer/tpot.conf.dist). -Here you can choose: - - between the various T-Pot editions - - a username for the web interface - - a password for the web interface (**you should definitely change that**) - - -## Optional: Custom `ews.cfg` -Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook. -``` -# - custom_ews -``` - -You can use a custom config file for `ewsposter`. -e.g. when you have your own credentials for delivering data to our [Sicherheitstacho](https://sicherheitstacho.eu/start/main). -You can find the `ews.cfg` template file here: [`openstack/roles/custom_ews/templates/ews.cfg`](openstack/roles/custom_ews/templates/ews.cfg) and adapt it for your needs. - -For setting custom credentials, these settings would be relevant for you (the rest of the file can stay as is): -``` -[MAIN] -... -contact = your_email_address -... - -[EWS] -... -username = your_username -token = your_token -... -``` - - -## Optional: Custom HPFEEDS -Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook. 
-``` -# - custom_hpfeeds -``` - -You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/files/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/files/hpfeeds.cfg). -That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN: -``` -myENABLE=true -myHOST=hpfeeds.sissden.eu -myPORT=10000 -myCHANNEL=t-pot.events -myCERT=/opt/ewsposter/sissden.pem -myIDENT=your_user -mySECRET=your_secret -myFORMAT=json -``` - - -# Deploying a T-Pot :honey_pot::honeybee: -Now, after configuring everything, we can finally start deploying T-Pots! - -Go to the [`openstack`](openstack) folder and run the Ansible Playbook with: -`ansible-playbook deploy_tpot.yaml` -(Yes, it is as easy as that :smile:) - -If you are running on a machine which asks for a sudo password, you can use: -`ansible-playbook --ask-become-pass deploy_tpot.yaml` - -The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances. -After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots. - -Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access). - - -# Further documentation -- [Ansible Documentation](https://docs.ansible.com/ansible/latest/) -- [openstack.cloud.server – Create/Delete Compute Instances from OpenStack](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) -- [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/) 
diff --git a/_deprecated/cloud/ansible/doc/otc_1_project.gif b/_deprecated/cloud/ansible/doc/otc_1_project.gif deleted file mode 100644 index 3c97d35373bdfe8d5fd8012bd26abef01ceae8cd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209197 zcmX8bWmHoS1IO`EV|1s0bc29MNI1H?OX(B@K^h$0C7seakZzD}knZm8R^Yk+^X$!b zcJ^xfet!4t?w-lWNec*?R3d*wyn6v{f?Ue-^KNTrpP!#IGBTEruD9`h8;Vk|uTE}m zZt}}&^J{v#yL*Nwho`2ei(bAo4$OrXH2u9f-r3pNI=1TD#lg|m&|3Vx*cQ6y z2FM}8Q7gjD>8Fd8M}S9ssC#v~bAPd?u0xcQTf`2T|Gr>+tXE`?PspK6+JQ#Ku}(wyCo6!L#U|p0=Lp*1nsviS(}J(w_O6?&;RyrTUSr=IOnPvHi?}?U9j@ zfr0+z$)4${k%ifz?vd&Kk-3qn>EY?+{+Y$4<>l$o>8u#pBK4>#d>V zt?BKpm4m&7>!ann!@0kgE5pl2{d2q1%Ukm+JH0Dc_d{FDo7>Y{$IIJC^Sk@QTh~)N zS96E=E0_O{4|le94|fia4-XG_4|cDPw=YkQ9`^VDUTxoAZ6BRpZl2sfp5B~XT_4~4 zeYn24ez^JjcyoR8aQ*nGXW>{8>k5ByGyR;p#~i-L9ew6n0;Gb8nXo~x#3Gr}td;VmO^WouW(V@*9n4WqNO^Yi-)16KpHOOJy`+sjuw(>qVI zLsN$ja|hc?+lRYb$G68(_y@1$(7lQsX6aw6%qoWhzk^Db$VbcIn24Wy=AaWphpkaLrM-#bsX7;H- z@Ib2o0U&-LYybjKFVHa1yjM;y5F{WAC>dxNNHnaZ56JlcE`X9FYDR!o0R=zGRskUK z@LC{vAYh<&Aa$U8AZef_AV?tN|EC2c4U_|*22ufJ0epbGfsBE||L+|@Wfl2`v00ba=KmojExFYr&&>=vzrmO~#0-yjI2I>Vu z1(em6R?@K(v4kzyh#K08fD7 ze;C*2fn5T24ConLTcKRY)MAO&g%%mN&M{sCEl9RM!?YPmZD z;0A0O00hthtR;YAT~HQSFknal+CcxnpaJNBNd%<)w~+Y0+lwRH%R2x%U?G9Q1O^Ql zPXN&_b2u9MZ%!Zoow?Qm(*ev8pdPRZtnpRR*wx_d)y@>472pr32e$n`k`Jc< zPXH#cFgIt{z}f>xf!mfv05UKOzz6`Y0m6@S2Y_f`!~gDH0$Tw{2gV;j{q%SO95R6T zAuk{UGz!_u?9KoP0juFaWlnbpE}eXaY*lV=1nFDb<$Vn~9uGh^P$)|=bUc6Ji%Y!vVe||y(&?)6>izo7A<5`V{YHfN`^Kj(~T&GHA%5-aN zSBC1!=6)G>hf@v{7&5%Gp26*st1n+_aNHWoRA{JJX>n)c@r)98sySzNysTxL~&Oit@; zf3S!^wjU~^ZcZS!xPaQXj!qpFZbX)Vc;9knI-D?2Vew`-dp%^1>r|j-oqsX#4%=z* zv$LV!7~B~%l7Fa?`YZQiZl3VsH0^Sf=;ZB)<5JL_V%Qlo-8kP;A_P0WfBHvW@+qd- zb^;%<&4jI&3q;Mms)}|qM8bc6Gs9)pW-n7TEXACyo!-jy>yb6xACXgJ)@;6e;hHG# z9z1KDY>~|X!>AiBbf(11(Eg~mH=n!FbImRJceroNSr53@)@z0pmk6g=A_wtan3$wa z>Tc5{+97(Ip-3VUR9PKhw&Tj4E~`ITKE4vR36;PsyHt>en<1 z{tdkF?a$fd6lQg(AErt^uTRrC!I{Q%Z4(l;^*PxUv+k`*O|+Le^LX`z6{EEeZ(g-` 
zI@KIhtkwOX>q40jy7J@KAU*#BMdhfqK)PCBDUp4AjP@2<`nST_>!@Kfe9=}j`WD|S z{AX`sg>z{@9N4pRZcI}o{;h1yqP<92TDU`Zz^U9sTm9itrZDf(p3^W==8Mpp-|amA z^?D$Q!@Z&B$0OS^f>-4{;aGI7`w4f0NABFRZ|uxRy=~ueL=yx&j))Wtp`JCD)Q^_9 z76qW+)Zk8(Yqw*D?Q^o<%m^2M@Wu!%b``WLI^5_X`SR~Vap&XtrT(3qXI?v#XB8Yn z|Fj@q!wQ3Augm218-C>v4;w!#iaZq$yX{3eZ~K3+@=IEmK8$nfx}~=GTK`RRenOe} zz+pdtkqttX?TEks;+D2YMJegF|YaA#JW9`Ky8#;kqNa#BHWM%zTn+JQ#Tu^|F0DX%~?n{AkJN2KxA# zCzx%$^Ch?zjDCX0Wgh>eVT*k#l=7T6% z2IciHe;@?VCh!doDtlhWXJZyH%g7C>r(Gr#D;BWo3=U~GUnW*Y7O-2%4eKvnCMk9m zaJmf+e|)@5?!YYM3XvNzB)&=+P%LCV=}24f*h?LcEaWYc8@1KHN}C@ky~YNq)kS7BQP>v{;&dXd>G4I*%HwL{>(A@<&=iHi^i# zoX*f>QuB2IS5%3jmHbrN;&d))TZyvU&{WprbrBS+R5e6@BEdJfSXQZ2J$Y!l@cm86 zAv{d8$d;f~|AtX_M@G9rU#kLprug2!RJUJ#wmR(w&X)+LmyV0CtC%5Q^stI)=_hq80^11V!d$P4je?sqDJ%@>^HqN)V%4<| znjQ1Jt;xnJx4vmYqv`47o{g2FhGho`jCT?1aG4X9UW^F6NN&^yor8%#Ze%i0_)^y0nLmA_&`6u0ldyv6C?ECq!4bT-~C45CK!90bbjuqr&H zYPa(wiOg1wJ7} zp(Zz?4DSR8zF)>6l5y|Og-WmstFGc`%wr0VqkPEti%6PE+-&-yKyvDL&adEV*giRvq+OIyErz*|75H=)qPOBf(>Sl3`)M7iYA9wEvB;)M_OR_zV=@Q+?aQ}nIP9Vc-QLeOjUCZHr`Tt7$V`NYL7Z6=RGs=)YL5>S#Jnoqe5%G^~a{Z zmB_jqo23lM!7*N!>{XgDBc5s`OjPDQwOI~TQV{5;S#6B*GrZhfy4$WCV|}M(aK&i8 z@lY1}EL>TFCTdK&ql7E@*54!qZO^b^6?x*N36AZe>wYAMmb=;Sx>M5dOGHQ;Kjysg zG@|&`iJG4R{%pJQi&&5i$ucdj6#=a-qwnb^M%gCI3W96n)^~aQ_p4Q|7gmA_NN#aZ z6jEjzH!C;42Hn+uzmq;cuQ_9>Y(KgVG`2f)$3%aNBzOHAe{j80)jE=Lhkh-CNAR3h z!MfAYuB9Q!#7T;PV-Dw2rN^Eo3I(n;yRKX0J5S_Rg6eoAkAAACu%I_qK`9>nppRJ1oOJ*Nhri zgG9LYTkf9uh(E}*N3ooEkZ%`EpMSY4$EhOD>LO}7S{!Sm*1W^M*TVMU(yCGgi{T<2 zz`XqV+-P)_5}^J+q_JORqi4bpsi5FTF64LF2oIz&5y6OV!GX{7*e;cbnN{a zh-5Hq=WIl(*q~K&gAi#<>@eh%21F?k67MaloT}j~RU0E%oN%ZIbRJ9G7#$f6Df=7& zT;ji$0Dc9wW$!>Ff;v{a{V;o}L|~eSu!4|mz9JFDq6e(UmWIUefP&&>g5;YLnE3;P zLUi6Xd>sKLY7BZRFZi=G1gh8jyA&nr=p|AVhMFFH96${)d`Or@M%SZ8)rT40NYCeMyZR?RX{MP~&; zW>^wTW5K+tf&bRgzJq=`SH|A$Qm$|z#)E!(pvI3UsCzyrX;CAvk0X{+W7QaAP(#5W z+n~d7G%nTbaU!HPR4kkYG`bEHE=TkZWA_n4u<$?vuYR6*0oaTs$$~7;ALnY0K0p7G|7zXlZJ0?0FtIJoul}9>Vb((`-=P<{>7UjtEe9w;o&s4rpv3 
z6fwgXlY%P{|7F2ZOcg;8inuG_=9-PPFc(0vpD`zi&5)u`j|+j6A_s9Hhj}8$gOSD` z5SfhQ|E*_U$;N+KN6bz_h%nBvz0Y@fDE5OE+d{H%Z&9pbkxFC1@1douap3wiWcy;j zULs60XmJ}T=iwG4a}G=W-LX?>?l*>!jhs!AVsrx0pm?8U!=Dm}&q0(rpV3#Rn{q37EQU?%o)TpkjZF6M#xeG=ytTe2! z5Y5g11s0__UX*T)Ni+^tpMZxC#WSs=+>smY2oTi|296c^Io5l#_LuNCB21^|%!VNr zJX%A~4W?AFw>)CLLQAX8OE4C)(qY-f=Rc$&$erQ-9D4`_(#6MQ+3Ecl-?>Wk3k@Lf9gnI)aptecZ^{~pY=e+U5+8kXcGO`{id!d!@xVz`nPh~ zuVP1xgvK16@G@Vb%0|cfYr>WqX(~txf4vtB8<8$DmAmzC3fb2bY+7bA{MRiiGg^6%)#Va%0r>?q~S=3%&Y(jl)i zyIbOe{BVwfk}D{#jiLZ2DhYvOoGvQk%1%{{bdt4glHEs1oPDB9yGKN-m*WL1@yLCW ze$D{wagj) zwi!bXbq%GN{^U>Vb2H{fvz9)y5F*b{jkBLuW*wep9am=v00O@-*vFrvyMueX)2Ep98M5sqfFbh*h zs)L2{Z7h3FD`m@P^F6EEQZbKx@6`jm`f@@WlLFPydvc>FJ~Yv#sL`Nbevr6tu}H=O zs)k$xZ47m=^XPjo)H!k!ZBTH1M{o)hcV|}p^@hg*PJUckvqXgQ51OD!D zo}-3-te}ZKrdN#j%|2c9OhD8^Hjp)AtNfCVdeHAV5VH%HV_{i1RztgI5lg|JR_d)auJJ%-b% zY}i@S;b)0Rnr%h=_-z0E7TvaDV;?LPdyMiMJd1*>>yEII@FwIH>ES;Pih%qT311h> zTC#+5m3Ug;P=@QfPzWXWb2G!WY4H@8o#o9znMS@;X%M%?SiauWu2P2Jx6|!~sXdi! zu^?;){po$Re7QtUi^b^!jbgO|%FOoG&;03oRh zd%64T0`ax3L4H5S3mJb3J}!Ty&TOu%ux-lJwUSt7A?CvZ?duW<3&eSY-_JT4a z%g%f?2VZ0DNr*=^gcM6)+#+9x)?Wgr2RGvj-T17&bPo4*#F;qe+i6D$Y@zFO30w(6 zCrSJ=Q%n9-(3J{Sudm#rRu%KU8;C`aKJ+OYagoh{!)Ra)1*zy$f&Kigw& zU%s%Bx*<+G9=u6O|BIUO=o-7~NklOzSq)dXbTx~aq*FbJfRN?G3heNNf6c!|m4cAs zlIb;pG3j;_?~?+ZKLnGVDHKw%#1x86MfdUs|3W>dMzx0ufkw5mE&G=q7H#)`vM6SA~5$|qw z^Tyb*a({K9_en7=Aq11Xk$JaW(Rg|tDE(%XtXC#33HGBcG1{)OOo+jyYKZY?zBb*6 zu!b6eo^dN)V$%<`&lO(Hm^-tK&lVi3D$SX<6dPb8nn)f+_X?%e^~kpp7IB}YIn$!A z&o+Z%mr2cHC6Xe{KJh>J$))pF$XNtFTJrG_|g;ML8<6_!=TMW^YM=CUB7;CzMV2!(oi5-1CLo$4hpk!t;O8lX$|{yN0g zkTD^J`9sKAU@G4bPs(HFK+vmbq)s5*u_$jrV86{4d_u zQ#zmKsc62w_}p(LfA@VnYIyPeccmip{rT_RTG7F%gAWqDF#?u56dAlD+iGl#M0pQ| zNUQo2MztllG|w4;pM> z+Ph0o?5c(c)siLl^-EBL)j}ocP4ObsCFmH{!W7I+2{b|_nWWXiHS$e~Vo;^nEY%_m zwoOUC1xpoAn^Bt4n~{yWOY;`0McJ9tk+t1R3-qZ)?;vey)OMl^?^Y3cP1C)8y6+bS ztH;79%xUiSBXGvl;v&q==?rxGQ(1Z`|74pp)S1XBTB^sVZ<{lTJYYJ|t0%NA{iLH4 z9Jxx$#t6t%dJ9n?|jh 
zHB$EinS`cTRJ<3jG9R}0M2?!qJT5h4J{((#Z7uLrknv`t-V})+4624m6Xs%NT1#mi}F7LCruObKr2kL67SXHlXwf*L|EkY7S)rxY73CCauk1$^6O_yj$F%g%L&y+DHmgw!+>V&bX{}O!% zH}=`reF@X54WEJACEDsu4QUs5-IQl_Gbl+EX}1n({pudE`*im>*NEs^;g7}i3C&Bl zoL0Nafbz2`$&w1QXwnPZ*B)+8W}r8$&R3H@12=gyyigxZT${&GZjEKDHDy{~TV`Qz zW$;&jzInE$wBW?b-fL-oNV}m4ixvO(kiqgSabrBzsiTI%@+SIR<1iMxbG(=Ko@hf} zoR))2nVr$GrB2JzyZ$dt5zA-($u-3y4(`2nt4B$9tu9huJeSy3R@#%>&J*AGq^GOi z^||G^7G!x^8GHim>HI#b`vSxIw}!-|+bOd13q*3fhDt)(g_l$bYqK*!w`!~;o#hI- zQuv5GcbUl7vKIQy@&m!olpGeus%L1V4sn@41-AqDleM9l&nl@Wk$q(b=ZG5R*?gZE z@mJ+A!)+s~RG<5oyi?=Ezj;9)F*%({8C0Yt z`QnjkMHQF2z)s8mo6K7+$vNHQGuYpir1e|YTi>nzJ<(sJ<5anq*=XfE!ha^mDZ;OE z-$+`?ynSqsTgA;>o7;*xh?z`u*e`r-WUaykpU62~dip4At1g2wSwdWwt#{I*{F{8X zP`l={g@~QiD*4>o*}77(m7~IC!3kxsE9sujv2h;x!l3$XHBrj0iQVGDpz>vH>ZqL^ zQ^CRlSpJ#oNzLKY-?!&s~2}pIiIQ ziRkyg`D+MnEH9m2{`;;Ha|7VDuqLv0o;Xoqi&qs5JxrYHzBtS49ct25As31s`HPY`r@dd2t4dv2@hi+v2 zSXhWh;1ctk91(;%UD|>j#d`~lmlo#6m%dEopaMh0R!exiUzhP_d^D11RjsG%pqbzj zLxP1BI0+2d1>OgWD|07l1j4U0m|?W}JstAQ95OtQw&6hz1Ye=qNHw5d)Nx;=;i59! z)g~1Bj2GolNywFTO9{yo;+IPn22Vu^?-9Fz|6OOKmiW zT~b7`M|Ggv)jbfaRYG2s!2Uo~P`@Rh1qlKn99c&_g(f~lh>+_BwrIqPNW$L9O3Ijk zFu8(JsF4hd5mDBK;?9vO@sM?Sxc}KTvJ}IlpfFkLAQWS;xNwjzRKk>60u361BhVoe z3p+l-(W`AkNQIF!_9iY!zHs4_=e1-ANULi?LReDng!=rM(YUWWS()2>2D%;YLBftb zN+vy#H2u*FZKOwRzmVRa*K|iY!A_1)LsC1Qr=-y{#Nz~@;B8bNdX!P! 
zG5(nO7qRre>JdYSCW4K{3`xaMflnqI=1|!hl>jbBbd$i`XUc|Fw0d@42Ly;C>%yph{P7( zm-THN6rS&$UuqX_1pO9j?VTQCX_c-igGJ^?8XU`>BMrtbW5f#&`q9OAL8X(C2U85C zH4H&m%!puF|Mb8?Oh=hn1)=7~xX(25QFh&-83|GuZFFIMI``Nw#Mv;ZV%QO^C)5zB zJYR}qMB$HO3!Xt^d)W_6VWfrhV6g4*NGOPEx}V<=;)RSL%`!$qO|gfGq}Hhv?B67U zAvGw0`o2o|sT(Y6KHxszfffjs$Pexz3{IB}5pEPp9r=@7+pCiD=fglx>$S`{reY>_ z5M=_M5j?n_7ooQ7j}g193w02JETY@8e6cX}7guZo8WM{m#SKMY=J=Qt7YH#Wn9n8Q z{e+B$FpLz`V^rI_EQ=(SFd`A#n=XL4AE~T5f@T^j27ZiJW$rsIiO1PdMrIgY4(N-% zhB{)Z=TJ=QT)zF0E|C`@Oc~iyNf298lb-x}q@1GTyrbtuybAUqva_Z|5$T;6>9%65 zovL$Bn3=bbqapHwM6jF_h_GjvR~9Dz(D4cigJkzoeI8nFM0-$Bi=I;Ub?dP(ymM>B``g98s4Pl5YSybwQ zSNdrVi6L&cWt~{{Hjj-_lJa)D5R3N2R-1tETs>D%!-96va9k?#oX5E~?Sjs?>27zQ zxqC8M4=r>Y;no~xY4+k)yJl_F#BeiVL~7VT+27_Dj~d;=&=AshI{FcOkqqHqQ~Y{s z-oMEv)OZJ%$wR_D2YrIi$A~lt_u_snCWxL9eDgG!k=JN^ESNRCkbAihCyy25qnE;< z|Ml%+)89AQT5KKD>RCSXi4yw75evn2KMPkDih>q%;ulLe=70VjPVZfSYfV&16&B3s zMZC~U4NW z!D`rNzpQX&@ash2z{PNAW~m~;FuiQKbH;GEZXqX1V61Ja7i(p#j@$pqpd)B$lEHA& zXeGl`r8jChJANgiU}Z6rW5@?`d~Z0tW3a@r_|jo-G>Brbda`2r_M_3T!3O2W==aMz z-;8E`KJG>_?j^1sNEuFy8m;si2KoyhwS6oKS~ay@K79Ik-n)7gwR#-%^YY!=uakuv z3&V2q$jv9C^-RONHlrD$Pq#ZCx0P1UN7w#7ebQ@Le#BZGjrxQz`>F8e(_ayNMBh3H zr!lg&v8(kO3f214&f2nwQR&V)=B)8G%Eqv>ajnv)GjtO?K7-458(7jC6IvVjna0{? 
z4aP(UWXdb(j3)g-Milky6j>$-1%{YOyf=x>8bO*O3bf?fn+&rI0vNfJ6=XjaCJE}_ z?kK@IZCmSlyFgj!W{xR{a?(PXVGfQ6j-BW)#H3piV!9cQC`-(k9eN0al;P4K>EwrC z&+GvOPtf_ zxJGr(Py_TP* zHFAgAKGry*_9zSrLA$Kn7V3;j)eel$P86bgHPzyedk^{EhZEgMz~_OCkQ#`KyWqe~ z#B3a)Xl#`r>SvCEm}G>PlCp1h5B|0ehCiFj`(`mlTXg9mi*TdSrRZYb%V%nn7LOqX zWNa(TA{dSnF;fSO#s>PUnSZ!fbpy9HDC3GWs>M?wr$q%hsgYjPCaJLmhZkZp-kWO9 z>gD62l+0oaiQ1w&g|)W#+U9J(=psSFLIYJ}#)&`p$_B`+mLoxe$0NPl&UHmG^`31_JQ}P~;h+>A3bu#zP6Ianm_l zg56^`zz(6Y7EQ&d(y<|7*db@9wvkCjvA92g-83SzaT_E0fE%)15uiaG(?Eq%g?suC z{AJD8PEGbyDAq5c7)v8CU=cTHyD{{^0kR08_{0lt%nCTHR0N?Sig)-4xTF1n*xVGy z{aHoz-~z*E4?{Z+qh$$yfsJMhljqtc;!mvdl)wmsl@VJEVa4`*vPwGVzr9sD< zxOP*~A!MOZyv0%%UZ+a#R=yzrDN$6!1tiSSFZB0z$SSGoEPF_-91c{WHgdGYF0Y_dp1>Y!~)GCzkst1>VgYNJ2V2iio*mAIly?ha3ak zVudrZFB%Q!H-W=A7?&iB?EB|4lm!OdYfASURTl&@l@JzOq^Vt0>B`79gFqD-zZeR4 zRKsu8g-&EYkzXjY2WTOL){Y1I41T>DmxO8v(J?3tv6nQj{k#AA2b!Pv>xO*IzDZF< zuxh`7_9aF=mnLy-v+}7+zNkZs;dfklW55`^6)a&> z;ScR`x1d+_zzQcZI66z(u|=UiPi%6u*EE zsZp`6AyBV3#kaJ&UZC%$&~t1v_LdM_;OnHv`wN#Q_mpHO$5i*b=m)S{EJmeO!3YX^ zlr&~wSkTK21byrD3HI8Z0k{;Gng&&8+IR!Fgi$n^Ke!~Bo$ zP(#I^|A};EJ5YB8qLc7^-an`53B_kphg)B4_Bx+T+8?`*=Sf3trGH2!sM5(K{5$nC z592lwrS>KKVTU(J%YtKqm?@ShBTY`}z!*z5)x*qwDaA1I9^SYVkOLqaM& ziZvnMm7qaD0`3dM3yF&S${xrQ_AZya6WQ+3;+-?HK13Np7A7~Kl=Z=Mz0tmg|2#S( zIh^F>tpi+uLCBMh=6A;1DHEkeg1NqfNRo-*w~SPfT6*KZ`poAq-T`$zp&sOe7& zHxGz=GQ|~OTT+qwT0N4u7%Mx~?bMcfuR)#!r}FvW@=3wRY`3d6)kz+y@l#KJPUjg0UR7*%ux^C4l;-z6zqz#c5uxX6 zh+R#5`n*)o+-29aux>JRSwfvKWwuZ?3O`;#%|2vzW`S7Y4GL#0JvNFis;GC1^Hkmm zM!cUSFGoq^>{lij7HL*AVZ-2{b9Y^^)q*6gmSfLWn#RB~@lKSUZ4*PXz~TN!q0m^( zmq|I}w6F<*Z<=-EVI}MPU}6>H90+e*sD|{b#C%f>LaUCt5XRVI4eX3x^tB-b_7uqS z?`(qOM%~@@@mXFcQzQRz4VPXF%t`YmL^X_FrDqoJ_S1v9wDI7OPWFzR$T;a9HWVMH=L9mfR~O<$S~Wsf|1 zmKdd79ux^g4>0!U9!3i7yUtX|5|=)=A}O~b-!QPX8|F&bSx5!WV#vl!!^)*56v=hp zRyQtS6^}BS7QM3CFX7Td)e+7r=)fJ0k?jt)2`lF66`T@SFuh>!pI_~Xm#bhzeo1j# z-w}E{%Iep&RlYYw5&u!-V{lc`-;@YBnnlk$jvUnymJ_kbNW-_&Y6_!o@@b+3)rV`P zwU4BqUjlhPgzSgFcFf6|jX7^{VWBM`k+mhziy+Lmwa`XER zzlZhRJwDGV#TeFJ-~n 
zej=-0E~sg``2_>RjSg5h(Mi2~j3=pAa`GKJ(A2s7zO$uV2PRdhb65CNu^XR`%P?Y8 z|DkbdB>6YwLUDuA=kwZ|=HYpdZ$?bPsM((eyH}NV%S)o)_3N~DA0 zlIXxdp;r{@yOdP1)z#wuR5gic#>gRjB$jB*)2i5q!*tAoVlYI$FXsC-4J|F19D-|Z z0IrAea*`N^VI2~QeNS9Y0_nh|R)l*ny#d`yUdvBzvk2}bEk=<+T=$W)7lvv=1}<`@ z4mI5~&zg~57PTxH%6E@NN+|vRTz}ba^}1wKTS5`a2XSR|Fg*a?to@^ zVdh5!4~BYuX@l~&YL|rB`6QW{g+Df@k=Z8;locJ!aoe((=E~zi{E@EV#wd9S?Jj#4 z=4qOCT-QXCn5HbhVABPjRwY{krC?O`HeK1uMAJ5^7Sf?b!Q{1+E zCUnsltYFUi#XBwDEz^RXUKtTlh8m$ zjCkEnd}?x&1HTP(IXm&7X#B9=xVhHvT%$zFw}yv>$S|CP;Fn$BG|9b{dQAMjco?@| zIc^L`m0Gq`$koy2(r!{8m7_nlqZ1rAxsDOa*BeWhfng@)XR*22S>=zLjezQo64rRe zK!qMie;(dI7wq5?##tK#eid_Qxm6}|Dt!ov>2J6~oayf$gq zqvGPZkSUt!+2AA9mkD|)?1J1 zWpQI=ke5|*!;Vem)snaBD22IkpODDsC7}_BYRrRNJ4?UL`L}sIWU1M^tVJhj6iymr z-|$KKM#=|_D!t=)vR4w`YbsFIF!Fn0J6RV|#29pDci(Awf8lXPlAB_Qi1iMqwj+*n zjlUVV>)FY>)alj&1u<@VYrlVS-&~zJ~*@L?Hu6rpGhTxa8K2e~d^&{Oi8y)t$0quR?5__Kc^k-E@+tMx*>Q(wTu?W!QQSUsJrm)PEDOZ*dX^?zUhW6B z^5n-cz?jBQ4zSe?y>!o=*-9%ZK6)pYpI{)4ucZC zN>d_I1lws$BmIN8WI8mouf5e+Eybw58mX;Ie_!Z*+D@sJN~img2$Pdv4U=4_Nkv7B zpE~ckkn(%7KvJuV_1@^r)XW(CmVV7L-l4g6IIiUdPoq!-t`stgzgWT^m_L>qEDG$* z(99uihx)cj7dA>)buP`3lHtfM*ZCm6mw!RvB}^40@1iqK$2%u+{FiIHP0DCV`wIB+ zJ)@U+IxSCEtfn#LTj8G~})vR*iY*x%45f&15^b~d9^s*H3jEW)Ql&Ia) zMbBX*?FfHISy5k8C7O7!uU9*?KYt-^N<`IJH)fUV|suo z9EDm!v99Df+myQ0w;pP6O62zKhgsUoOiO_TH7MB-Thh>9QKoq8AJo!acDPmaj2$jDeo}#6?xX=?lw&lb$!>NtJViRQ@M~eWRk)^ObfHikv2))ad)owC zwFJ8)QYThM2lA*dA1%%H3Db~ctb+@6I~hI2_fYDlookiYI6Bz+ zx_2KtwL9|GIzXEw2H!@na6gXrg#~8H9PgXTgjm9;ycPdg{NsmpBI7}J5?|Kh!cx)|ma;C@*dL4~9~leVZObZ3%irTw?3PwEv;OkLEiIhPcs%@tcvL}L zRz<~D%~)2=$yVb(R{2;`vuazZY?q~7R;SKZWm$%8!bUR6n)1k2t``5I=X^!v9>dk2Au%qDzLb?fYF>C&A_8oaJ0Q@F{Vn zeDaeCX^yEr_>AbuA4`r2R*t#o<56|{Rl|c>-||`U@`Xc;#lrGMK8_{%@&;S@QaeX` zE&IyX_?6WY_ucZ<_r4#&Bt>qDFojH=uI zoa@3^Qtn0m6$G}Np*39VTl#Ar_%=s}r>A|4DyCD-y=aaseL+!C7qtYpdVUC&8rNC6 zGxwac{_xAbkjIm-f=U8qggA1dC=hq$w=V8Ic=6Y7e4;;!+q) zJ~0wE=w4rUe|evkEShhjaCVQCdv5nAf9{ABh&}DK6nYZ#jYNe+_TE8Nls{|LJHjk6 z#RYs3NK1P8yOj|yjv7#k2qSMsFbq;9)vHRI5!X1V>wF$Zy| 
zoQgoGBe+mlq+_fz2#o~6qp*_VQ_$`^G7QOHT!Nl}Kmy{qB70Fr|6u<+cF0ie`I8~S z*Rd}P&zjr4A(7YJgyyj3Rw*hSgz_6|FuxOdKQT5lB4c9}k-=+h>rNzus<&|xD8@<} zSj3*eLtf+K3H0JvWz1o_r?k#t+_3DJV`*I34kkZ020mZLmmo zape49RBI55Zdk1B0+boOr2qvT4g(W9GuTjYn@JG;iy--{jPKg6|B|W+Id=x{qyqn_(2Ib8V^{VIJ+y5jA8$JV76$aw(?Of^qG^D9MzqOhSe*;n&1qvJqdA;bShMV1oU%gv2#?f00;cC zRKviAXu>>?feKg%PbUdQW0x!pK|+JxTUP)$Npeb{#y=mJJCgDa3mi9NKr(~?B+Rmj z{;21os|G6n;&nxU2AF^X*vV><031w#P?sVJ+)q^coDX2YA1DRnEl#&^K?OXthJ*lU z+etSwm@G?lD$K_y2f|fU0TqPT7oT)o!SLXg3>rCC@3O%13HNc=g-`Yd9~6!i*!5yqYlt(gy(SUK&#c@+gK}1Jl^hYNX6=RzLdbHAN`LYrO zTnZFHV)Ua3bGdA!H>`Cs2vEm=4+yPkK<{;w1&4xVW44uQw%C#_)XK-#<=k0Q<3aQX zFT?melS2f|8gP*lPjDaxq(Le_fgjK|U$ek%gE0P%!EHY}knzHocLf(xG_z&79kd^Qc+nbpNnU_U4@5LUyySILvJ$Mc^WZtE3ri>Ku@`892>`UPoHr>b zmZEFG47j&`uiI|#10ADAu;;_EXO0F8g$m;14@+4JcthY+J3rh2v#%I2d{#VsHG}*A z1L{1u6IVE6Oacj%8cfSHaY(y+dl!r&1Bj!*8~kwQgzz3K0Vr&Zx^l<+JR|wsUKT(9(A%g<4wO{@3&8~PfWoUgvpr6N z1V(y~_QUu3whw^}Isy)88~#YUnd3og1i^7H5NrL!yKp;J2#2T-;?{*&R!X%m_c^Tp zIfS3(X8S5Rk*6L+7NWB_d~e8UJEI+Gs2-Psd!LA6djf~m@NSfXCfj!%;dcaAwq7{1 zHWMH-T=}{&fzFh|{Tz8Z(`hU~UJaxG$>@nisK%hUv*bsGY9Ku{fB;q;f-&s>Z~`{? zd;9&d6T<{FG22N4FF1P#5qQJhKoYDtBy@sOyv0>~$Z8iyHS3ShBe5mmg;Gxdju$+d zC5Y)OI4yv+=hM5BK9COpg36CQOLTlWu)e}%0tb}B!2h;2NuiKn*OF-mky|oizys^A z$N~k$I7|UhWI!IQJ{2&1?kfT<-GL7D_zZHj$b&UB{0_Hg{h4K2CA*P%P zLOM~X8Idbqr44JKNl@ekkE;|c)7^>jD2Bf@Gz@mjpw3`E9DQ(b61Rc>6F*HfE0{7t z1R9G=ok)ZV0m(zyjC1MMwR;zDUcGxW4t(gB9$ zNoZ)PB&@gyYk(VX#)WxR-;v|U`CZX5WbNCzclU00ak|HlC)MD?j9DolTQr6##2CC6 z)Y$Y;5jVv7CeJH4WzzjqI@+XA=QQVlkn1dsP%sXaE~0DBvufB9Es3;@6XgVc#zA(+3e| zmbgTgOCamUgw8bJkV7Y<41tWCqVPf${hq{1oF<*SgEmEwX>x@aqzMiLl@tsuE@E_J zK?YK2@Q=bjNIFuK1(A3pi#gzE(ajJlh(x;Ua4givL=|1MFZdkgi;d{K;bjl&Fgfop zi}GSh!z7yXZIKO}({Z&7s*u3B8$xSM2~Du1LpacC(7=yBX27H+`6io$34iRY(J|x> zBre29FrbM!EL{0or74oeJ3Y#yC9+aJs0!4QmqxuVQ%8?~k&Z^m0! 
zTyyz(S21bZ#mI?^Flxk)X!YIqS$DZhOU<~AOhvB|k=(F{bri&KXOGvUEJZaBvyqzs4MSay!8E6^}$6If{ zqG9@E!XLl;5#cBr?%v-n|2*r4x!sGk_QXDYIB}-qx4wfIAr$o3Wlyx*(WfPB?6NP8 zT=EupwxtqCgdcwRr}Ld1`Q(-Vy70WBS4}fAPJXrybgL$ zidmE&5$)n9w-v?=(6h|Xv{=UF(eG;Qu-^>RSiZZ^K@2$5p$<_o4m$qud^a;A%=VbQ z8qS3rJg7$h>^MB2c)}K+xQEXwL76^2GIoFeqzfb#hY;@>Mj^^g5Zkyo~JR+hCJI}$>{bdQ6LQ= zn+R85R9H+OVMvn*3qv*bQpq85QCv9)iwbE8z(fr4GE9SI4v^WSSik`kj3n2%{{;F8`KKu=SI`27hw44}l=< z6f676gQSg1nvks$Wjog%tgWfx0>cwOJJ-c+)f1|nMOzh92gG`HEl6l&T%{n;CRl?G zVp^zUj5~@e&;puBY%E$k#$0ubi#@oaCy~5SUCn;cBc@%UUZZl^s>ZRZ=zbVo+7;XoVXU&ZL;^+>sg!ykfRY%MXk;oyfN;D4Mw1Oh zXdXsxI0-Z?_@dwBVQ@)1+6rHykR|QM7+PT5a`-hpgCw9SD*RuAE;C6vEMk<^%=fOfva2?x5wGWM5D(j??X$04LVyjsIATF zQAdYQpx89BcMymHO?yKR-1VeMgHGl4NebE4!|JLHYzbGWx%TU;E{<05j`dm4Lo%p_ zjnL0>^$x&22A;h~THPZz6b!8H_Yq_pYg_nEvMccSZUf#1Q6k*uaipHS|GFV)d^!=N z<-=orxoz`YI>EWd^baP^=}KMwZRcx4&Ro%u*H+mQ#=d1I!<~_v4|OH0+msGuIBQdQ zv=MK3f~u9xr=tb`GTX_N^{s{d@M$`T-$$^yjT9RL#YSA)C$M_PAJO+|r#;rZ3I@=R zM)ZjIsXn4!Pr^YS^2H=|sbw!{M|W9z(_1(%+aAl^g+QR0FSrc$S*Qngxoo*gP?Rh% z!sa>db3(LUBc|oR+ijtHADqDmS^8Uj@=^OhPUF_4W$0mbz$M{V%lZt>@aF%t&@FU= z_Ei?7cb%7r8k>D0qPPeyQWK zB>bp~0K?C?+`tgN#pjf-40d7%>dHZaZx4jbuMjKdcA)p*EG;JR0XYo9NH6`Sto?ce zPL5_JbS|?0dN1Fg;ki0*$70G8<^ZuuD80bxzDfZtnt;}Z%80<~4A9TKnydO2&;^AM zUx*N_j^MgB0cqk2{+7=+en1`SV-n=b&P>Dodf>`>10AHU2aU`!Agu)q4J))xBDzj7 z{tvGZD#t|cr|N375OD3dX}8XY)(-1i#LxA}P}`(zuy}C$gsj>Cs`dCp2lU_oEf6uN zYzo6L>8!xaY9$d0aWy>4;KoR?Sd9Z}3jGxB0bRifD^UhLkB{1pY*3MWyry(AvH6yb zC{&;e4UV~rZOQlyJC09qQ0*vQkCJ}i=7_HsYp_<3U?m!i2N*Drnqo45N)9Z|v8t}h zB#M3i3b5Ur2K=g!QaDY^LQ$+Dg*AfammK6$@(|yYG4Cp^=3;P*co25D&5hO93BD+oIh28dw{`%M}KXN+d;z%;7|(*fR2feiqG z;X2MBWvxGuW<&OH8Y%%Db+Qj2LF{DfW1uh^BrVxKve>B33kz-t8|<4-NhPJR-p0ia zA?cI00~mIY4)>x039v$1VARsG8;{@*p=2a6>ETXGXR=`WeorTn&ldX;@^B6-JHbr< zmS7F{WanIDnHb{mn!*x^@GsFq!ax!Z7|tPIktEH=FH|urYX=^m#izb!}-C z4l@|+>z)9+&}<(&su1c%4QnduTtqcF>UauF-{L_FBq$bYDj4Fx{LVlYVDnPo3@Bcz z6v71tsc8>XvmbS-{|ZP7)oiG)jW^qgf}}9w-ea*O%e4L}el~Mau=5^9$}M4UEoyIW 
z0*st6ig45uotDn_lnRWn%lzEZ1AWu0x^Ed*vtCxCaQ}xQe;pnA8v4N0yGS4Eg8115R3?+qVpUD$A~Jy!bWsJMy>(>qrf_I z02lXhdh9Ae>%iC6>qOU+(ZCF{PP7*$&f5m8L+a(6KordGORi{hJV|P_zAX;H^TX7V z&{8j;&@jLpOG%b9$-b)(-VZAi31@(ZHk%VZ!9dTDsLs|C7E!OPtUyT7Gr6KO?Vtcj z@TfYUD@V}Tg;~F~S$kDnO_f~B^;1JN9kex7Wffh=^<3XoQsY%#L5^PQbzZRs(C&v+ z?-gJ3)m8sBSp8LC`>a?C7GNF49;oG3trcP6HC!JSRu5KU6L!8Tc2|+AVZoJHG4@yq z)?@bwWJ6YDHIrmB7Fp?mUE9@NPu5~l(q&(EQe#$CDVAo*4p~=rWN)@)r)(?w@@mTE=FX0tYnoR({wbZfshh%`3P zxHW3U7HZEHZRN{r*S2Td)@{3%Tdx*tXvW+&xmaKHDzJ;Z{^l+ z3wL(*;cyW*arc&SwN_mPf^MUBX&)DI7uRzA$Z<3Gnsx_sIhR${^=Qr3c0jjpKi70a zH*8Z^c{Z1I-?5D**Jochid>g=!>42M_I5iLb$6FvVi%0qXmA78cX`)#i??-q7kO({ zd6ySd=XPURwt1cRc~_TuRVjC`*LbH_d!r_2qnC8M*Z#Oye0lYF%U5$}7k$Aeaz{6O z*Y|F-7k=S~eCKzQtk-_$$82QxeDhaz)z^O;w|)cIVF?&;MHhV4wsH*^dk2_-3H5;m zxPK#4ki`Zxr_@V{mD-82qfz zh-%{?noniQfg8g3!{mu=S9i94WC)l8FdM-Egc*}Xfj5ykH{C=C!mF3lS&ENSnm20& z>X^#JfEXO01KOcOQdG~bnLxqfc{sp;j5#-|kd)?z5gGdU1}Qypi5NNpNrewN>8K(m z!!kO{kMn5C;%K3h;R7h3yqwtt58{~8G}`)4kc%}Yw?n0k1^N^eu4H=TK;fnTq9&C2 z5SnkAD>`YGpq~4AsEZmF*$K)Xxfw%tl|>Gjt1pd-B0(ZrOs3~JS3?5$=LQ;}8g?^8 z=D^Udbf5|44qm_^*@;BL5%~;Ro3Zmu9w3_kV8S$hBB1x-TbQGN?&&@xny!V6raNXp z3F(xEmRL!+e_3K|mYHn65|%!KLyV#(jBFA(8x26iRS1mYQs9T~00bV+EMlT8Mx*jT z`wtZ0_Z~DFQacSK;1cD)=+rW`2VwZCMnPtPp|C;gC>y40qC_iT>Iy+Hr)o6_s~e6% z8@2%-5_OD=b`TI0Cv-3%6}M1D?`VGQe1fdc8>w4v4%HmcuD_d_xxD0YHJm3nD^C32_>Xw?n%l z{@@H?Vm$_L!Tnhra#OIW>YY(}iD5W~A%mrg3+!BrUMgB}60^-1=H-HWn zpfdnOLj+6!k&(?NASPzw5cj|YWP3*9Aq2`G0z{>?vm`1O!3kHGU3>jSl6w>LCN}RJOuhf)MDDm>s(0Jqf=_}pip_(TFY`qhO3*VEzXCg1`};|qv@l1Uu)vMMEn{yA%6u!7K$+_RrdcK#*}4tdK65kyCK$fd!5q|Meb%wr8p4|mb$w7; z2GhGi$P;IBRs-pEUZImcCs<$>2c9?xC6=qrAnGBEyTRJYL6foFb47++_)^kMIhRzU zVjQ6>$o&VPXY=hm5YoL9LO){8lD*mcUARC30^vzWA@o6mG_*gLMWWw-!WEXoO&kaP zRiwZHf*%(uokGm$H6)2OZ|4??@Yihx3|;;z@=*s7MHdRWs97U6B3r*NAzbKN(WM1O zeJ0klTUgQ935Y!ZVxCC>ovz#3b!I!l4SJTQUy4`0rUNb{a6%h3IAtUSB4Z#?TpMn{As0VYEC6K% zpwyrx8cPmIQIZvfqs=?q$YYa80M1Ege+)io*)26-5eFdBc{YkBPB@WMSFjgPyyc^B)0d(1IeJUqZBTlfM^Y=05ypYjgC6S1Dov7Xdy);!Dtsgis6(vN>KEO 
zn1}Yzn}}M%a2S*jaMTG}uI9MU4M90|=3!1|8Vga6B;e8tasZJjsAWXrm{6Dk@@PTa z`r*+3Bpd)@0!JSD6QOIEBw~tq`_*aZo$=BEL!g`yBjlrZt;I<`+cE)-3T1ks=~B7T z;ejG|@QT=MgS8}BicRc6M8LWdJYFg>$aaIjUs>-Zp0aWMgs*DE9fH5ptdC<(%-hwG7cC*;7v*Y z-=q`M21a4$pxf0;Xex_X5NUzm>$i)EdU>BvET^Ug)xmqYpvmG|hb}dM4|Jm2#{|I^HUkDPa}MNO zFb2T`L|kMJwfk5D?NT@AjYV$Qh@Q!GASceGE(bec8Q};~pY~Z$DBs%+1r27tq+p{G zuh^SVgs4Dd6j2~%vlk5eBEu|dQDiw}(DckU4$=YcG*_%lC}^=UX&|mBvEpC<<1SK) z9{P!IVMGTC39&*f2+Ve9SRd*j(K|l6&L4ENLK6+vgbE(efIx&y`F4n{)$p!tjFVkF zinql~&S`GwNJrb;1~(dV5;N(#o+WqS2|&^*9|T*~^NMf;A!>3ge*ocAE}5oT>ar`N z%1y}A8K%&6p*+jv-JZX@4xddhlm)T2Fash|fJX`2I29@x2 zbDZR)hiF7Onk}@^lx(!qmY6vMGqk3hfQmvFoze)F(Q}{YTwB!KrUo&NvW7a0VI|l_ z#!K=-Z*`J|8Ll}eU<6cl{Jfmn&{)x3W|J#ZD^xoKDokpQtbh8U%E7GZ{Ni&0smc}ZkH|=S>(5cePxS}a`0h`}W8PouUa$aFTDL-$)Q=g8L z9hOArCllmSa{|?)bnBO&s`tcOkWs2+Eo(P7deL996MG^xt6SgNyay4qpO_Ja2429! zyyg{CNrkIl|GG(Idhs&km`He3Xg%c-0kDj1>`!gzpsT(ut8=9*SGDO?ii#(6f$OVd zKMUH6MwNSN9iT;HRRafwcD1a9tet8KTQw%EwY04*TCD;E2)>Y#w(ad-2P)ZzQdX;@ zy-X=(u`U%hj(k$NXz)#?D|x$_uOQnFr?l8@ZR*cRe1yw0CmfG zig&#kf{;d`^PI)<9@tLROv89i$epR$#`kF^JRqr!~T0@J$br7waH z+Qb3ta2C^$4@Uv4$yr<&x&F0_N|%A*=Mqe46 zZdX%=Q5Wu4xuVr@^FUl-(Sj_+Fb?d5hdbU;26w3kCM|f0*V)RH#Y!mCa9O^)QyAM6 zE22=?fA>0YQq6eX>3 zlX;n|5Zetugwoq>r1*)JMtU59E;2pTsJop)W6|;9c*0%XqCPDl)d`bH zGZ@L})(}Qc<>?Qfcp(ZqE;KyU3#mCbF(@kwxr2UzIEYEU`BC~W=hr}(=01cnJC6k+JXJJre!srK=~y)sY0RxcYrYq*BR()wG&RJnGKdvuAez?(oEOC~K$?)I^3U&NnZ(86@u^IXFWghP5g+fm;B!hvn}JXqDvfdflw zK%eZr7r!B?GzUkA40=~P#@7ZT2L~%74t?_feq)n>@8@@luy}@rFrzSY1>-@8vm~C< zdOlY;(;{?s_iKvBF*!E~Bv=a4a(HRie19-5V%Kp==2|b|aFA7g*o9!Iq)Ib%e1Fgb z;!+Akusq8UD5h}=u8;zRKqffELT(@^aga!aB24XaG7sempaukNXi!W@BckFG$p8kCaAk7fgwnz_ zoJTgqrZ-&kg9?#3atDhvp?Q!24?{rzc)OMetI~GB5O(JUY@T<62$oxixEc6jbcAS$ zK2Qm~$BUa#CEG^^p~H%a@-0l5YoK7zQgNZ~^56ZDELk zfpcPp2&WQ+SJ4S%FlPjlD3*w8e-lEefP~BV2E}uZreFo2kZ^HWO}=Gg+T?tw1yQfD zCsEjob$|xh2!(-%EhC`_^VmPrkO*byd^)Ixde8>o*l8X^d_2(utSAz$pdvaUgg=*D zZJ>`HlpI`lfYShu6#{EkXbyFQi`*Cqk(hXnvjf!tetQQy^SCkQ$akEFCj0S-xIhR) 
z0t&pdjR(naB~yd*RZy_lCtunBCmzsLc|&Z$vj=kEjTsjQ{Ma>eSdN-9dGzy?3)5*< z2y3f@DsG7mSCDyX0BE78cKt(zV-N!y2?hSBB0ta&d;m-6NI6=-IVki7Z<#JnfR%O# zAtQ!|dFTVQ^I$~BJ+9^|ZP$${DTW$?m0ciDYY+{w=?JW;D(bRW z_DG7bk}iVjJ(sd0mf)KGAUW<6Mg!TH2?#59Bt`F34!B8+bygv!sEADAN^|gJ55@k<%ktv$vpHK8XPY{p4wuL&?TboHs6qp+~mVH@g zp0T-Dnx>H}f_T5N1@Mq~x5JvhHj)$bn00t9dLV&@$SVaHoOD@usxvzON0a82oREN< zY;dFZrUlM8f>eTzNFyS7AyE|Clj^9HLu90dbuCjiNh26KgXxLWr(W%qkXtEO!I&D# z7hjg}Z(RYL4@fbB2`hHVC$T6PkkX=W8H;wwg>jTB+T$q!X`(t;EeATMaR83pGMqLl zhV!XCGFq9ogqfLXrq-u!4PvO%#64Yump_qA>vjn2(9lV785 z-zX@$Icf^Zr&`kgsdWmY=~$ekAtz}$2?+u#_##5H+BGOs3Jc1Db$13>@PsOPa=>U= z97-1LR*Z@nA%uvS%ea>pnU*{{s~DF$q^f3*MQBDwqoTA@^W%x-&wY_OBv4d4{EN z0(qR-XP!^Iuwo)8DLa%AfuX`R1Lq1UI;!-NcT`A)SR|(Y6kkj>gAJ=m$b~nL z1aOBmMiFNJJw65u-!^B~gIwCSwP%}#r$7yPmjaP7li+3!JSJ+NRtPyYeT;M(v$kAh zduU-BsYlkG*Y;=3fC#0raBNDp_7iI5W4CTlXWn)_y-;E0K(_4C3}d)lf5bXf^+ILq zI9cnrVYInRT0O1?VYC)t0Oz@&pkMZp3mm2~qC2*j+Y7ePklbme&(k=48@Gr9XKb^I z^?DVo`)w>kxtGXay!c183khmVyOVoR=Y+Z)<2cv=WN4%h(F?bF;k=c*5Zdd#IF@ZJ z24=mpx7>!iB-R<2t3!x&xt1%t*Gr%(7GZH~3XL%)hOhqqkzwwG8#R;EwWtG})T zHvSd=zh6rUWJJ9Kq`cyLY@_>sjaWyT*14LHzmY4t6o$cRTXAP4FJzj#3@bJ8)Lei2 zW6+wZ4{HQF_)NmpUfZL)=vx)CprPp-xY$&}HB7@+akwblS|hAQv2enqM3qD4F1kd- zrgf$t>{y&6!a@whQ=FCROT|}QR#J?`Tb#lw%*9^}QwjM|Q~PjL3&v+0wO)+IYs^Jj z%*JmFxNZ!`a~xxuDK}C4tX50Md)&t8rp9~>$aS2w|kxa?|1<936$JM6Cn9RvSW@C6f$(=09p1jGUJj$1B%540{sT|2R7+GY@m8>lP z%Xz%Yv#iQyY|El-V4sa(s&e9OFy%zzBVz)Z`WyUd&%UBMj9 zm`Tmm?5x*}&DpG#&U{are9YTC#o8>++-$|=%*V=%&ch7NG}OpgCC2Bx&Y4Wk^USdI zY|r;x%K3c8#C%TgJX!4w&il;ITpZ2?{kI2=&~}K=3mwE#3s6*>Zw>9xpheLY{lw~w z(Fv{58_m((9MNTb(H@=A3Qf}bys#&2(0=U1Ds9eoOkALh%PxJzBTds;Jkc$E(=V-= zJN?mSEYmja)7vG~LoI^@ZPYw%(nof)B>&6O0CmxUD9SP*K@tpb$!$}78-4R*La=R1MSyk zP1k{q(`ilET@2JvZPld z-Pql&-iZCx(|z6Tz1)B;-{u|P_3hf)jo-)(&hUNT_(Uc*9GWmZlROOnOfYQV^j5HX7&jk?Vix<-t$4erE-vwW!5!!8C^wnop3eH0lk(h6>CHjG~6R$?8F zYA;??`vz4tt>62d-=`hYn%y752X=8CA#8^!`0{OI1}IfP15V+B@?=<3$Gf&lgyDw0 z|7&huvW4!Vw{!bdUUuQTQ#xqLGWo>J>`iWgLgs5)!$yKGDDa8;;T-pc70lqg(zY8K 
z0EeU3wJ}Z(wE+)n$_|+ZfR6#;Pi{(r9=F`~P45=H?-u4_UMI$A1|f220Tgd{UJypH zy9i2136xX)&=PaDAXCr)u2I3aCgU?JZyNNDNG)~>}{mVIy z%8)c4)FR-Zx8y3L0&(F18^9At5{4+S0TFQI+h(F*fpjLI0w91T3owOXQ5()-iyDvt z=@5D)5fNcg5ov%2s1*X*-VSM?0mwdbB;WxkA}cHK7~y`AO0kyhG~)l=w;f#OsrVYd zIxZ|=5K>|$f{-rRUI8lr0<`(C>Qxp$+jA`76XXE!zab_sFz_dF3OJwwe1$~nDtfW; z6?+n^I_d1P6{gTh?}wCI_b$YK7f&C~6%Bti*s%fi=N_scm&i^cc|aoFeqNY95LMs- z!(p(>bQX{<7y<8s#QyMYI|t5Q94v4U1~WDvPYro60w}Qm?Hb2IO|L)jZZ>xSvtE@K z5;x(s-roKk)2PkpPtov0s%YC;6&N$;o7QJK)lciJ~0G+ za03c|99m)=XkHPZp6<_1n~k3h-Xbs|(Ht0X95EOV7+@6lQ9fx7smUD9lh*<)j8{Ew z3yI#L&|#-ifbC*{@rN(*NAe?x02?t80qKq+6$T2%Liask0rY6(28#oM@g$C60=++a znP42pFBqR92HOM}^*AnH@HA6j!Td#xEFaF0v{0)t`fN%bnU^C!5(GM@miqc=hr)yeKm802v{8jh zJ{6H3CArfC$VO?MDkK^+A{)dOoFLlKBf!u~@$kjcJ6^XL+mpBhK;!4iogra#Nn!EZw?I>CU8H6q%;1QF_T1wy+X(!;TbG%^7X(>^gF0vT{B z2ZRb(aDcSt>T^gR5IC4mKM8IcBelG!9D@Wh;+tSt{U_xzYlaqSsmpSI#l!h6NWcu=)kVaZo4-C}Nr%%)LjO1If zTgH23MX{>1Z@(P{JgmU?9=ve>!v#N_@4pw{3J^0eRpYI)U=6<+;P(V)$CV(25KcHH zhe&v*%A12HHEg7$~6|NTH3ps4}0 zO!kuP#RhyI^d6_AV;DJ{i7s8xUr_3@GsoNk4Fqz{|4<+T?D#H$lKDgNJkSRp6~Q(> z_=FE3^BNd=C={q$hz-U6U<(r*FBN}q9Wp#8yafVJ9a8L{k0xj$XnYQS4BTKjv}XyW zfzXUDW1I*HH?K6dQH_a%W0&6OM)As6+n1~Fmm}wPyWcpGj{S%id&;|Rv5{6g{zLvL1a$60ZBzE@*(9* z&k0X=t}~u3b!kjr%1xNoR4tH;Ts_qVvl6<>aZ6yqP4KzRlor*f z8Re)bk$JvK$gQD>NCth5I#sHwG^sf|>5N#Xv#NI0tKhRoJ8e4CmCBT?XC>-b(W=&S z&NEXwO(ZH&ScDg}zz@L40=VD>1RiMctA7RTxmdbRtn#Chm&=^yvJ*GL2G+5UMdkP! 
z8x%Ug;iPTAnJRZ6PRMrFvp-p@Smn5n(X!RFr$wzz-I`N$pp__fsKFT;$(tjIkq%2$ z)j~hJTi(L|m3(4sWQelCy+!ucxSxGvVFwxvO#x2yIRSW z_NuS_Xvs(hqki$BkwuJddI6iq!^$C9635fuM3Kl^^oy!eF zF-uXL4Tku{Kk0^L4;f=oVs6B*w1g;fEQ=D(WfLGqs%RBT)KW@Sg-&q73ju{WP=NGg zPhKulBbhRt*cgp*=rEQ2i_rU0R<}sv`&Bq*V2GjKZ9QhY=7FdL6fbKy7_ zqJ=1qfYCs-nu%>N@u>4!3P7sbL$wxe9n^5w6x4dFnAHTIn2qffO51-kfVLp?0EbfO zVFQGKR<@1fYG~t?Z7F51a&;nKh>j;t+{3GkaWji#pJEeX;CHjp4Dd;q!6Qg$vMsOx z@Fgt#E{c$b8)RIuiZL36ZwwS7KrbDFn(WVGh+|C)x)BM^fZWA;`-aJIN@40foz9K2oQ< z3|42z@}>rDjK9*`(uhN=SzV{Gi=iA{-@}CM-I6+g|4wN?)V*{61tXos&;UF+zbK+eH=cB?4XG*$N}b8&_o>nqL0T) z@S)(U;yw|mpKDM&I>j%6etYtHqs6PSy+mdRj-wYJNVK-Iuzw>pOM|^N5H_E4m)bzU z=99SOLxho_zCtKJ3#$qFlY#|2Kx6}ihLbV7+dU#+x$X0#M0mX(n1rYkf(ir?^C$y3 zP`@$o0|cx<;A;YOKtB~QKOnQYNFuPw>ZmISCooI8G{dhJSc}ehg3DvVDC`R&c@4$xbTw+`9Kx! zxy6xNMI@MnE!i-IKr+{(tCIV@>BB&e;KlU&FaY7OC&U6UFa&b=0ZuHDVw1r)*uk{x zMiaaOzWTRud7KOU#+q}3WctyW4>O5{lmaCA$#M(=)rb*=i$#z$%3|XOn1hIRDY&Y%42$G7jO+_(tBuMM z%MK*N*XTBDfr2QUhET(llhlHJ@PZ6#N*QzsZ0y5l3^fQd!dHk#d9=yHX!^SMw6zIHK4UjyD#c{LzUb+U;Y`Yl^Q8opMIFF}_p%E} z;JxpA9c$z`7qZSCbwD7h(0u8GVFM=AkElZvI;{av845A0&HDJp zhvPf%Sh(c#ACfZyCjih5L^;(1yOjvfZxOR^Tn!xmIs@7IF_#=AWH2v1h>(UeQ5qBi zr$m_uSx5SyvGHqzh|9_s+7r!rf>t{_PHG&7Yv zMqdpE*wRut@KZzmIYv{xE*Z(Znp5<{G*Mm6V_bn9Ku|UvoM6&a!s7*);8s(>EH`@z zb~M7@GeySV__?RaM1J4K`^1iP@`TS#ecYoyAJ63bHu$*Q7O8t9aAl z8L)ofM?L}q$)t;YRZpdrE8@tTu7fP7ZA|-`*r~eLi9=Q^$Skb=T7y#6yUe9qT*6pG zTjN67xTRaQtwaSYG()P}aoUcw9nm%ow7qSnS->;For`2uslHVaU6L%rU9Wg^+{pE$ z#=%?HlHAKZqq)W0%@r)f<=oHhT+apF(H-2XXj;uB-PB!Nzg6AVMOM*u-Pk=`*p=Pd z4NNGHQpgSR_85V=mlQs6<*Y} zUedi=%*$Kk?I#+`swP{{oUpj_F-`&h%wBT|E2mY{^o`y1^*?wUJ@;K&)}>$V-Cj&t zFt7-wa1nw_SkMoF@Z9r(G!{7VNp<^Zz+@#JcI`@mx0?kdo z!${BULKS}94JP8qHR6^TM$`;c$UZ?czhGTc)jCvY6an;;~i#6ax$0yBhw_Sp$zP-OteMPa>$kIrPRr=+P-r%UKv}+)|On?ax@0n(E(tbV)R92uu9}xMoc&rGD2wN#?58*E!Aj%Sf%TNM?=6# zyT1;0xm+byM2u8WCE?JEnQ8zCjh5R}25E&(sFCLAf;Q=jX5@h8-;|cbg?8zG z{^*#tubHN4uX5;LZr+>!Ch5TC>7Lf;p9X5;y-8JarXa(G7t=@Wm|aCq;kfYV#}jIa 
z-m|F=X`8m{`t@G?Vt@kBka%DK1*qpUG6oI<3=l|w3NYF!7=Q$DYuCW91`w!nsbW3O z-*|T9tiI}d*6Xgt>b^c&RVD`pAb`t!gsy%Ku#+>ep|GBNM5cnY*=VXR;kU+~Y{)j> zrGp!vF`wW_h6zv-oZxJKg8;aOhs&;}rIrb?4vWj)8XVgWnE+uxp1*5U$99%emFxk=_<#erBqUh?EQo;16z%G!Z`uI? z>2{4rDDR&k2C*iF3Gi=fxPc3pp#Gk2&w&8#j*_*EeYD1x7f2M`DXvHlBVK!8Z70s;UR2*4jyxq%0O1_#)PDTwhe@eCWE z@yw8Kct~(p=x$;70tFC;(r$-ESO8T>1Gr`#1~`D#(TUw=odj5eDR=+~1MNR3Y;(x* z0f&+p3UdOFfKSl!JVOcGb=b|Uo0 zj;RC;UjVmufhwr(ZdiZ? zse&FEfCX@X1RwxS0BxB_08Us0Dn}a**zMcOi5%Z@G9YYMKY$C!A%jr>S77p4-w++Y z?>wk(=0*$%-+~)x^$I`sT95X0xPcOwvMm9-1^M%p*4>s?bVMKVa=+qpM|Tm&;PuIp zFTem400})`00-}K{r-R<0q+->fKLDPEU|H62!>#g6}3inRfmB*U~=xr2OFn#8OQZ0 zkZbrJ0B+Cknn3_rhk=17_+pQCGgo#m-;fM=^nS?qY&ZEN$nj+0cw)eIDA#sv>Gn~G zvv3D=ot8YJ|6cbJH}Rcc^j7lupJ((F#{*+nZdIWZ-dh@NqUj zbz(8~E5i0EzyPBslg*fQmq&U;adWndZ<&7x5LoyEukML()=3_75a<9ir}I#8_)bUw z2-kE^kBJWei6oyDvCsBB&m}ux0&utaXX5bV4tk+)e8h5#Bjdhm9QtPc=H82NF509WUiuy+7X!21r6j1_NhAW&=3ZtJ&p z&JTEfwO)j3H~5L~ZwD}KPJf7#$NYV`0keye&@cMg&-O*&@}Ed&x}^qj7xYAz{Gb2+ z$q#?<|8Ht&swT{qipl19?P&gSSUbwbF^GWE#$J}%c8J%0Gi$oN+hZeu(4 z4fMxv7D026JSkN8fr`Rq)+%DGm~dgkUK%5U3@LIX$&w~dqD-lB<;ZmHUc$V0F566c zG7+iCsS{Dgm_BR%WGQqg(V|9=B2B7vDbu1CJGzY8bSl-VRnK*UkF+{}i-jOOF@mMQ<+@;3~WOOnCMgHK&2|r#C@y9{p6amA2ff(UOCpF9v z2|t6>poSkCcG%evhum{V4E~4`;w^jZ5XD`Tn9?5*!Rc1R8t|PaAC5cnXcc?KHP)k$ zLvCdgdVmGi6G!J6*(8xqLYb6nIt}6%aB*B49KKLnT-! zMnrdo6vZ|`9t};0oAV{jw+N!tS`l_x_o|@7o z5k?rsT|$ww0&@D8nPEO5Y|2Fh9+=?4fE5*?N<`7H@vI-@1WEx-Lm;ApaMFzN>>OGY zltK^^tN_A^)Pi7X8qYF!A&P4LfDBt1R8$uWmhOsKuK^Q0-oOPT?46TmrI+MuxFsC1 z!ML_c6df&G@)EhA5vwJ&xNxA$vdzZO3p3*YabP|{9BWB(E!fiSw}gV#)!Y{q_O0#9kddwbhkTe6`l$J={*i|FtR^>yH(0 zT{hNZC*=yqAlWxmm~x0JMm!dr!9};Fs31ojZCtn}qBp+jXctI8!)b>XM^m#gnod#Y zfP_wB_=kZ*qDKrV>Me%7{7kU`C*2s1h8u0rM@bZaD}BnAob(YHQbI z$DX^uXk+Qds3K)~L?O`4h2i8B8e#Jc)ui}@aE*jG$#c}Uu*Gk62vQDx)(R%ztX}6Z zBhkKHJ4T4(XA=z{$q9R1;HuOJhweztzU2J(@BTXe``@-OKNWw?c3G1R{|e|M|DlB? 
z7ixo?KB5uvNy$XSYl_+^R2l<1Mt>OGph+~y!4FF2NJtW(2SI4U|Mjen7%4yRp%3*p2EaKm7DJxB+f2pEvqMTAZ9j8sHm0@c{VD*`2paNHu-vg1bcuyKOL z8I5POf`9^U)gdD%eFceGTJc)C3}G|oLOhS4Qc92PT@f%8 z1~Iav8`0uTDukksHw-HzfACg8$TyTRZPHgw4CW!ZDY4th|8a{1)Qf*=X37l(!Yvn) zL2*WOFLglg1aq1W5|(9%IhIXeKMYsghx;gbvnB4lJ7)5w%6r zBOe*lfOZ9qg5-~`m|oCA>VqvADHauFRWH49QP_+Vl{o}P7gq3} zIQY(ZdL#)%)3s3+WMD$Y+{1sEN6%;S0t!IzKp@GufEX?UK<2|3Ca&-wFz|B|jG{%q zNTjrKey$8NI;9e!DIJXM!+ZgCV>b<2updV9b}>CDLvnf0JCGp_&(Ui?z%_+6Y=Tp5 zQ^*%K@PrTf=M;e`#2_q0ro4dw5FpT8pqSdYh%BM0{{ubeg8u1NyUsNw+FNKP8v0PQ zS|?@qzyvBjb2>0MAvjl%lt1y7gNn{ptk$GZ6Qt*#92jB~Yv4~Xy08R(#*aguU_*qG zG1k~70b9-W9T6hxO%1k*wPCD8gn+b1!qUt_d75ltH4y^9GWM~ApqtWOh5|)IH5OX{ z#t@M3g*<&JO!`{x+6sHvb9~VfksDJga+Z!svEU3Z@Ixucz=r!wi>;yk?EP*RiZ>w1 zB69VgGtEasGq_9|fO;o{WM7r~J|3WTK28ljdVzyUS)AHD$w=x{61>;)j zCZxayJgBe{a(hBm;gMMc39q$G=o2~ycT#Co4hD2sbKHP%LAOrQS7^1>IS1>j;1IS8 zM=OUCDuDu3kb<2Ra;^m|#VillOkByK!G+qURR_r63-t`bA-J`O1@H#N8ZkixD1~a? zMDC}Wz?cb?+K?MmKm(JNu#t%zJGpA&4C)alRP0DB7#Qjtr3kh)24QB;qT~_mT0sQ- zpkiy^(*^HrAuJiy0qQ08#^KU24GQ98E^P^voNWYvd|l*RRjCq)m^Z!YeI>fiqzm8U zlJ6u1Dn*w9x1`f;7VgpwGMl;7I%sSk{{!J0FlMMf|P3~yp88iGEU-0~6y;K0i`?C*BQ_RC!HW%N-8g)Hr4p;9LhFXmo#qac z873QF52zu+Y2|VZ3YUcEQwnPM#CI@?B~Wxt*sxsemyEA{ z0~(>+G0~MDf92orVcr+prb%wb|67zDp}9GxxxRy-hI!>Y=c(BFrV+H3oYlcyL?<=q zoU3<|0t%-P=E38sNs0sv*935w(G}A4hBvD*(2H*!*TJs8OrUjp2-@Cgjm^{I3{UJ? 
zgZgaL6%Z2T!BYDbpe)@IB{0J+2@O3|716Oz7~#@K&ELBn#&rNf19jj&$eY)F9VR4# zCrm?($jJzP;Bc5ASCJqrm0$}kQG>Z4El5Kgq@WC%Ad6Vs4c;5btxkeii3k$m5bhuv zh!#ct7n}u@1C~P$Vp$0e#6akS16G7XDbX`!!9xH;4pt!(;?grIAQ(m-RuqyfKp#($s|EscbH;f}AVlJ3wHh!NubmCWA6 z0U(ru8Z^`I&D)&3iyOj6<5?oFz+oH?VnV$O^(}~^_*7*);tz(+DY{`HX5!Yp&Lh+l z6^0<$A%Z0UjlOu-Dk=;n;-ZjnVlVn1T*MH%0phmp;v(r{FEdWn?xF< z?)hRxik1(c9Om2${~*xBB=}jBHRAdZ1u#V97zHA}1>zF*kA@Xd8d;CO zqY$B&k>vW6p^~6v4Y?%a5v6GLl2`<#F4fgV;^RybNk&4Y#Sp`2<9qT`h{`*L{RST}xTYom`e7T&kouD3mm$ zU|r$m719G_>Cm?p74cCN^sPfklsqUr4W3= z06Nc45~Vp1rdOUIV}=AW*vJEdB_-mLER5u7UL9i&;9v3uZR+J<9;IL^=5JOR2EI%v zP~oH8L~rsU|3N~gCKek)!C{Ae$U~wGsHg%k6ap8D*`a~g!;y?yf?1~|UuWRP&L{2wM`{(R@E}bY!BonpcwSXLg_Yd| zpBLPxc&S#pjAwl+Av0V|h8&0Vlum@2=aiL!Njj!-F6UE1M;lU0$+3_^yi!`NRq;eZ zIh+a1B$+L!fOxXmrV=`wd*;or_<$J+3XZ;Kl@B^srBWohLk&8Hze;aUn`BSm@`F9vp;fC*0li;VCl?2!5IYqgDf=LK^8P+?5t; z6hL5yrm33Z(ftitXxPFI_JB3=RGA7QA>bdK?TvYA-tS-*HEN2ahNSi67B<+&(_BkM z!AP?30V+U4u)fnAlnJUHQJKBi*KpLO21lO)f`nuixJv5uoLTp=s;f@a-e78sNDs15 zh&ezUnl`1b;_5wuoijZ}Q5IPy#ZZ7_O+DYA5{Ta8-zlz!^c9Y+9MY#~uO7$et^Hl&Sibc>c3>YZG| z4ch9Xb^#~ADlydPg+8Dk1+0hyY%(%!CUuC($)KTWriN^0>(%Ok$w87eA}*mP=Coe4 z0*CBXD~H0FE#yGlG3*{l0maG0!J!kCRZt`d*JcU<=CLjIoGU<$?ZbW#m5q+bYL+6T z86?U=$5xa=v1c{v0KV1}>^6oHSdHM-?j+Cj+gi5XDd2%YEKtbceY{cp=;PL?8m07Yv8mWFC|DEA_>Xl>z=X{h`x?bBB7HexUJ*c49LRQ06fYR)K=UTlGmZ%19pIE+q5 z(P%!sEdKSI#SJeSq~_UjWDTqaO%arFt$=_9uZ0{!-MSyL2^+&!7vCO1z-2AzhOQns z3>_$fzLMwYO#_*_p2JRQ$2Qp`7TxtyZuV*~Mq=&C;a3U|c4;V?_x>aA8Rw#1+ezrq(bgVX>h;MC?1dtehEF&6bw51Yb9 zcyRcFu;r3)CLxc`P;tCn2~G|nN8nivY6OW1O%t0TFv-Fco~Rht@EF_A{~6b=aptBw zK5=X)xBVgA@a1aUzHn*W(;&&iDMzZ6=oLq0 zDKm*Hr*b0satJ$eFz;#>Uxfsr=pR^;Ec=FVZOG>Y!M|(?&0$tGAeC0Fjjo#Vh7q$c z8*?`o^EZQYIJfdafdX$eDfhcFozQe%ZR8=!0}hp^0Fz9 zvo{B{Kzs5)kFq0|La@-AlA&dktuqXH%DuGB6r6!Md6GRBFg$^Y{}|i>z3`znZ?iZX zG&xh`NFQ`Ln>0z6bcZQRPt*akZlow4o-$8Lx+F?pwSl-u9jQ=rznl~@t1?K3v`DA) z2DT|t7c~y8bW-Pt20fU;HRL4nqdB91u$h=L-<)G*A0C*<7}RsR2pbOe!{7xDPYU%v zGcr@F^f0TnQlD~LuXQKhscBgtF>d64`6Y@NAQ^38fG90`isy#N^cbG?P-iY&gK|GK 
zGA1LoTeEdzm+=2+a@zT4ark8qyCPnUqb~3An?iP6e>P~#b!a=bVhgJ$I#AG=7Cfd! z1EI2EBQi>pc4?3HY}58p+xA3?GTQ)-ET}N6DIQ1;V{Wq~|7<@taTm#9Be!)(HY_i< z>+CkdrZ#GsBx^sn2F7tAqV;v(_FHpzWJmXRA5cwFH*^qSHHkNN8@G3-x9o&>d#lcI z!}m)%ck#8Gb@GKtzGV`2?OW(1b{i$|Fg6O^!T`>q9+hQeuJ>We_I$^;d^>n?BXxum z?0aL@0RuxxzF^heRTKP;VFG4j!W0XKcu0MnZl3rk{7U+SxLHaKZ?+{AcU4{TYb2^L ziBp4I8m1WEw3#{zEV*zycOi(Q9V;(5g+q5iBl&nMcZ6HGG_^E?zx3oJ)G6gFjrIxY zvSw{bYu{n5g#@-uBN@yJ?+Qd|jG&%cCC+-r!HkTG|DmwJU@t*uo;m;4(jzEUAwZl1 zCrb~!v<2U{o1+4UkP!S7*}%Cf{Bj#b}uh^;mQ!?}8wAL@-b*A@)c zAQ^2mBrtbMsjW)ErY->@JnB#5Y-YERl!rUgL6{KN1#QeD@d$!{< z{l+YFZufImI+II0YM_AC-RLGw0xsW4szpP*m>4uvK*WYX-hiV-6V4EXz}f&L0&f+E zNQ=k_fvJ|m_x6I@iy}Y)8E3(tBTaVHKlp@4P$02eGT?KQ8gKhOx{ESTh9>Lr2tvur zCYVvGdj{?AVl2)6{L!NueLWJIO@#}RDAw-T0C7!yN?jj^> z4Mox$#Va8&O$=KKlsS`TO`A7y=G3`!C&_j`VY2&4?;+5k9&>S{ze*j`1W{QaQbevyn^I~f6d3+wkSU44T|4eCIG;Entf$|+B{^A;0LyE#;ft?E1&{0h>r_-tY z#qx8yLs#3kaaRqyJ9ls2zkvrAKAd-P;>T~7GQ%e^a_7%~gEcOFdeZ99v1ix5efw^u zx|g_yIL7b{AUVvdX1%jqkw^nK1mcj*oGlh`#96=#$b%nb6)Mr-5OO@oq=G>(pzom8 zWO8f{9r99Wy-tXrZ7c~ri>)wKNXg(27ZloL1YI<`XCNgGd5s@T-UF>R?qKxII}>B9 z(Z(BbjB35>a_rH^AG7O+x*@+K(kUaS15(K)nY8W5Bz4j!JocvSsS^!CIERJI6E(2?Bku@NS0}$o}%CN~xKSC1IO*!qfCmuZwRn#Rx)il#mM@?1L9G8L;Cn?*g zNY+_pEd_`;*<(p2T~*rXC|;9V$g*HQod#Hlgq1L%Q@;W>+1Q?Fj@dp}WwlkHs?Ap0 zAg^_G+i$_;>Q_^{CHKj2(M{LMb4dcP50>B!C0<;3v84rE)%8k`7HN_#-|oEqSKxtd zDwp7c5w6K#9#Ku$;e+W5YDlT1#JAuoAI=!yhBfY3)rCC{Ia`K>G#6x%QLgr6s4Aw? 
z;*?=tm)w|X-ZbEv|8d6AWRgwJ+2+r5=lk=SD-1E-0jEa;H!l)y{`aVH6 zF2Ai-(Ul5Zqt|h|RH@WW7te-mMYN$Ifw9wW$D|M8fv3DTxZ|c35}6AM9xwBnv(&nT>3Ijh7kuxzI~r{q)k8V)~qjfq;hC3f)oyJoW)(3=6(* zu9Fr@hXP2o|Lzg>Q%kc{ViI%c=}6tkf`Y(DsZF4ve3hG71u>Wv%Sml&R*8oX6334c zi4Z>I(+PzjG9vQy2T>~k!39K-0{g6>1)~6h2T1T31^8ieEck&n7$t$)$>||;=s*km z(?c0d!U2dmQSG!wpD?hd8-K~5xXw48mnCnDT>OX=UZI>m+yfJ8I7I<#HATy)K@NXo zP8q9b1zNx{7Diy>IOM1tR0t#%0xXLb%n^t-%x;iDkU{>Y2n;hSa*%k8gV-j>z$+py zb2j-C_|%d~O`4(zV&DleOaQxXkU$q7{6Y-0xT{+stA!wtK^k^Ai1IWd2Kq3;8pLsh zGOXY&|C312Biv`Zf$V`q#C+l;&6h=FUa=|Ycpv7h1I-au1sQoFn)s|#A^4ObOytqS zFFW9h5p+^nz(~UbswoUt20{Z-K!Kk~S*gNkAOdhf<^RTjftA1mMYQQ#BeACs6{KjH zRZ}Lc4wBG$u>=$#{M1<-a)nXYp%Oa)gbu>D35-TTkdvAT8!%aiKZc>9p^#{-cwj5P zXrgOJ2n4mnQA1sBL8NqWA~1zF1~iC*qfPi`^dJ!)?~P@GfRk21FIX&VX7i{wA%+p+ z5{p6sGp0~{!H%j3l1J`i7P6QE3`Nj8DX{YmMgWBgT!2Dc=)p`wxWpI;+8!ukZxb#0 z{{p0ts<@Tqm9Nu`W(S$2%$lULAo4N@y-WgE(P`6^5`e-J_&^5{#3r00xX+$UfX)m= z0|Ya0LKfshpMDb2MPsl5w1Tm}6bJ(cukhzEL6VVvxV5iH6Ko9Ems=y`;C58vXd#w? zg;@YjroxSd6rdqE%|R9yJ0Q{au22I@oOB5oz{G0wAf_&GV7qfY#T8!a1@jydT2rh8 z4{^DJGEk7G_W=VZj!T~E?x?R+lS)>1B{s7aZzoShM-Xa2fnb0@0xW1EYE?-e(+L>B zCIBlj3iH`y6d?+MyFw}+p#dP=??ZA-A#28A2i63lMIWlI1_gU!$N`qcG@_;s|H=`o zg_2mYP*H1C6U0@G0x<))t&l7_QK&^|b{avzpDdy=P*4u>Q5FK{VSP7RV!UX3r5t1l zRa~sS+IC!ct5SP10fUl`0u*FH?r$41td^!i8ZYH!A!e%5)#^0PZ9I`lw+2#Bcds$MaCP!pYWgCQuiHCa%qzLo6PQdjgDKBlfgPCQ|sy77Sq$VVirBZqrtk_Jit zfdWD1u`7-kAycU14)?1WaGMk z&Hje6og^y4oglTsCH^o7SPDghIlx*t(52a%z|x5LyJOX=!cNUTrL7mu|Gf_m(bumE ztfO-y-zZE}7E3sS6M~BGY2l5H;vb9``(hIfLqCzEjKj=wrVh8hw>>I;=Hm(L^*mJIQy z$>?(fJmiz1RQMT2`7R#5+ZCK5<Pi9+WTXwIny>iO2xUaJajir`_jRl$b9=Bxa<1I_;JR-+xW&%vHHm}|MV7UOHej!754AT ztNrAwH`?W*zU8P8J0gX({g(LVdWdCS_aT$L%kzW?mZ!cQg75vm7=Qew#h&@YhII2z zuY7dzUiumHeDLY3If3iF`rx8|_jk|1=KubafY(>_!N0BVr+;9{$BEptVGBOvT|#He zJNwm7e*D)A*s*uMi%p>-q($=fZ)EhZ08!?z?5pv1ClnY>{wRUZjL!hU&zaT_0jF>L z6mSED?Zw#Ujr8mOY)myoBlWf|`_@Kt@G9_rr(hIluc8n9rHG-}&=u5h@}4ZM(#)W8gSL6(l-5@G>1?CybBgpmRXvW}~7+`xUb#ts9A zcjkz>`mo;AXbG9H2`O*^XKx1H=K&w6(jMw?%peT@FnZ!I5h@{!qDv8SDUl$nImBp1 
zLXiq34iLen5c!A%5Ce?*K@Z-J*wCkq>S%D>jLph|&Bm}DcnbZX4uM=u5o6{F{mT7- zk8mi;#R%|(My=4`3=Wcw3uwv_PAUN3j0c+Q8BI^8PJ{>qNe`w?6uz)@c8Za@Mib?r zp)Lw|A`qmq%X{i*!YZnyq>D~AvGW*F7!%MKE$R6}|4J`L+q}&9*hRG5%u_32x+jeTK zpb;gntD=8P~KQX;7 zF}boJxGs_pjc^^y>oUgc;9il9@CksTr4~^zuMW^A!%vxZawjGbe%u7Suq)@D;H5GS z460J3Sin5K@U#3!G>8orqW~KY%?O0@cEroxKJv_*>nlr%S^&-rfszg2D=vAc4e7%e z@Z??)u>;N0_i~a3^U-ClsVC!62tFaF6u~nj|H`=_0Ul+lA}1vpJt^;a>b(9g9lk04 zfXWS!vKJ~r(Plu9VyhA4AmlVbI6>nKf8Z2eQwxX77ni9fH&axu&kxqZu&PsD$Vn}0 z$)bKJyLxd54v8U8!67BGunuj~te~XmQYA0U70@E6%CUIvfWcBRy|79eT1q*;%QeI+ z7Y}Xa>*3bXd@4i6vncrlfm}rG$6ZU5D03GObAEWv`uZMPd};T{FGZ}us{b@ zW%@5c74=Z9Pe&Q`EDiNhZxT>>0vK41B68vunjvhwp>3#X_*iEv{DzhCW=Pvlnm`5$ z2~ScXHBwnMR2KAAoe=hd#0#9rhENG5rch77(;FyZ4~%ZV05z0T+y01} zSG8RalxA&qR$Vn`F(p>fr$HZ!Yl3!Y(~fA8U=dIWX}LrW4C&lfU=8eX1cJ&OZsiYF zuwK537%IR}9^*5Pm52uFK|%!Fq~R|4BMiV(UM2xRLeN2gs6VmRy0-Q~5CRj>N*Zk` z2~5DHyo3tKfs`D>Y*9c8Y;_+5C77>&n8%RM1-V3wjmTR>nyJUjE49o>)PHX*@yGSz{ zioj*5K@TKDcO2v3pul-142L+t7^W%)&PrpE&X77w!W?qlK-UC#*MDnxZ1~5Sha6y1( ziwaaJOM2`CQ0s@4|5zY>66dZYGkQk@Rx87-7*LjqmXg>NgdoZIB!&!StiH_!M#%&8 z!(&MYi0~&1jo}Q$c+R3N66h9Y!*^z7xP@m8$RXCF&H;}F6k~#V82KkdEH6uZ5fNy*STV&kVB*_a`7GpK~QrUlx4Y?X}Ok>S&(UXnca1lO_?zc z`Q3Ebne|GRmD!q^*>bfRhO@bwjhO=}hL|8GpS|8!oY*q+;2lGEXlpXr_b`JV~8pgjne5n7; zYVacjElEx9bS5zwpy9Nh7y6#lb)=v9piSDK|BrojBH4)WFZ0K^tl;9V0D7QH3wN;> zNijs-Fj5F{rlI9&$771h$dLsJ6&isub*vJRIxx^?YXJ1(pa=495f^>>qTWa^w+0kp zx)Ae_7TT;5`>;%}AWF^XviR7YNjaq>2WQ#(mKFM~56U5rt**IoZlrmv-jg*YYeI^% zC57i4W0E^HVR(@1cjWIxTcC(NVH@!ZHrc=%C40{t($9zi4ens0G|JC#3Zr1amlQ<3 zJYlo#|EOarNKQm#rCyUi5Kb@t`W@$l97$VsopBo%QcRpPnJo~c-CC|Iw`P4Ct{XbI zNqVhQ?=c-Txjov8F8dPY4F~}ab6t9UEpxYu^QU!33@I#MDZV2#l4&V|po$|N# zMM}gdBHy?Uwt(^oBu_G|;;y?zCTJw(YHRSf_z=wrq+1ucfOp014GBR7_*;L-?a%h~ zqjmI{iMzN1y20BTpP2%}9elVK8HLqy?6S)xis}m^D>h*THF-J}Rujf1MH32VB_e6` zHoLu3^Sd4!z20jJ(ICdUfIpK~Vm13{)#S5lJPV;E6Y6B++9);G)x-k#RPzAzZC{dvV2_p*0!I!<_B7yv)b^%-5X4D?Avv zCAyjbr!fsOhNlJ76iX*GM&)uE497o^6j};#j4CwHNmM_{f#M9VnA{{ZQt^)DTQ;f; 
zwoFt^4c0%*88YV0oQoGr&q8Y~PX2I>#0E~{1g;Q(bIW6S!7&^x-2BaBnAP)G!p*$a z)x6DbJ=b|#*Iymh?M4h?15Xvl!>+>Zv>aV!ef)ae*KNJaalP4j{n?{k+TWDHmpzipm;nAJpAD%#)8Q|f4;0Ye$*PY^3I^y?T z;W57B9iHPu{@_!ZSB{^fVR=ha={ zCEn+S-sDSO=5s#HV?N!FzT$a4=?#A9ogU_;9_q)}aVLK1$-LRIe&d@y>Z#uAyMF4y zzCgd#b7I9*n+L=bj$gz(CxRG0zAbSl?fuA0bLN9g*C;AL%8OzQ^5(vLh<>EOee1bC z>3Uh|7!?YVOjn0v+Z+s3o)t{1&ETqvS{o*YFB_WP6|*f-~^G;tICOp z{`~3V!b#(vYWxDF(g@^G#*-*hs$9vkrOTHvW6GSlvYpMFIBDwK$+M@=pFo2O9ZD4F zId%7t=3L6ODLto0p(>RcmFm>0SFu{v%C&2{tVy$N#WuF=*QaOG|AIBkR&86fUf-^b z>vnG4qImP_-OIPH-=TDS5^G_IWimixh)jif$Hm}uQ^cfk!Ox2!S1Il-5@Bu=iwRUF zXCxOvgXzneH)9snM4hc75ja5W;HtC+2_5}4($a~8o(_K&gdj1Zk`ie%BmrR(C=m;j zyG#0;l7RDQCAvH!-4rRK=)d5@%d{%Ky!rF!)8`E=x4l@n?A^n+dl#Mj`18Y(&40gt zeg7cgXAXS;{>PMh2qviDg6XkGlQ9GtKCh8fPd(M2rS#{2^Ngu23*iiy7@!Sp>j!V2wA`|GbvY7%epP#5B*jh#@}~ ztm&t?pEDHM5LhAHNlWU5r4foSR{;F)Z$+2)&Y#wq7pW!7ouoeiqV zl}>Xc3CN#-1{z2f5UDcW6b)o|B8Xl{VG9Xom=I(jprNSZNg{GN#R94rljIZ>KvUvG zd;IVoBU(^7L8u#KQ3n!_aCMzwp)K+V4w9{VO?6%x?i;}c5K{(|}PR)^FxP@d?N-DN=hfEgOOu~a4mz2{* z6qqQ|Zbtg}5tc@RxTXk|ZER-*AsO!B2XZ`Ia?&lH|ETM4EK9T&k|E{rA#jg56jsSd zpo|1afMfV8aW4GAfU>t@g30pBFxRQ=%>21YGle%3Xmidv$L#aZ3%VQ=W})l|2_|v~ z3NSII0zFhWRs@*RCSo`pv{Y7St@U3#W83xD*@j)S*kJEW_Sjx8we{L;1LmMigCud7 zN21gV3c~qDgYgXSwXG8{SUtR$-&})B_~D4xbhg=LqmA?8kf$wqkj+xYYWX-62h{Z z9l-QpVoD^a_YM5>;t3D^^xNL<`}Npoul<44|94-#^e&0`Zn`1!JFyx1-s=7O>w(Yy z`z>$Z`|k8xFTc+B+wVU7{Krq<-z_-a;2uW@G;|ITsAvf<1n0IgO~V>0k;W@VvkXf7 zX@dJ0-O3cGI>XSyXZ!1)2=kOb{mrk0^-CfCOo+k}y0CS$gPRoMK*Q15P*83N;L!YZ z3Y#oYUD#;ekfOGaU<7CuT|uG`bAm)s8EP32WFS9&h`gpKQHoFmVig~llq`BAL*wWL zrldfUTp?mm)G!wsvDhLvY$1vi@?tQkHX$#5FN815V_#a>K+CaEg@E+qcmg@OzX_6% z*lHgl^~gx`;4y;BN!NcGB@?D8MHDS4|3VMO;RYzo01`vkfe?UUgijm(Nmde}h`W}wMwEJ2f**nlNYdAvb9Aqu@{#4FkLOH9Da4W__lD#_@PVX{UCvpA(J zx=^uF7@=W-7$!+%u%W7vq)3js73z#B7D#+>BecBCEhUmpHVA?>Y!GEK8WlIzWb+6g zyd%~c$5OI~3q*1Dlx(XAe9H}|Fu+v8*Ck!A#-C-|8RK9y%3Y}NODhOy4vj^6+tuA^B%yMLNT>7j}UZ)$Axl;GKY(yw_ zx0~Go`s6h}I0Na9M$L0+h=&v%Wq1+WN|3tLjqhD!RI$2L$}%Jw_*z0IL*WBWT;aK2 
zL|*~1u*=VSbOru>1!UD=|FIP1s=#Kr&__W#;j!)^4g~Iz6nc6uOhHPt{8FP3Fc@5v zGB~VKU{WFe@J9XaV5h8M$e=PD-9&Qt#(!KPj(5Bt>GBx6Z#B$8UWqRr$rWh`i0$4+|txMqrjRD9J7(&&uQq zsk)}7=8Py&%YE36Yo?O19aV)FQD$h3ef;CRp0J2}EwrJ7tY}6uy3u)jbj;KOX@4&A zc9o86k8PZ3O-s7d{QGoX{!jtasEjWV(m-jD;9Zu4Zff3CNi0~P0S;*CC3X;?rw>g? zPzO}hzGfe=gY7+n|0cAC7v#y4Hqs$IU<5g~X5~Z0K?Z_NlcX3y1`uYD8;*g**<_SN z9S|E&VlF2e1KCFxR`3uI=m?X5)ktJqKmkEdk9%6mj{(>CecV$9SQ@JTet?8qL{N3uh%dmg<7v=2gMa;gD7pcRz=Kp59^Xa>X0#ow*y^RFXhz-_>~Lr zraJM&1W2K6_{3#Op$2F+d0+ro-1jeA2YR#jhOA?CF+mOxum(5qd=o$bGXMercmNy_ z1VQKui828?w<@rKaS?C?CJ=;okN`;V2ndi0X|Mn=U;+SWi@X?9tk{OCQ+n6fJ&(p^ z|A|0{c35qtkO-2rEh2J_ycUPs2tAKBDw*YUd6fv5j@igP zWLbMz>1qkE0roZlv;qRwQI9l<6reH*IVl2pkSH$l0TggX11Xe58B=tLj}F;T|7{SJ zX<1#XxR{eRd}xU-T^U+miHG0ln0R8Ajft5s!)S=|9>#D0WKfG)@R?Q6l4Gy{Yk-CP zNE;9U18(2|J>ZvsFalP+^oMEDnK%ds6Z#N<+w=hv00LH61qg5(;+Pq9=L(GnmbiEXba$8Pw-Ke`FQ!Ej zo>!fA)ejp_A-eqniX6Wqd&?(E;^*Y;y=Pv&E(QW`Cs z8awK!Ksk_mCs9CPmr1~6eJQpC7h+6Qm_8;7TXHs7P?K`*WTSQHMub66d;pNBqzjNJ zt4&Y_d&&d0`a}fA1K3bNrw4%^HC&@$OH~yGR0TEeBt#}hZnG+>{|*|N)wKu_5U$bY zYTh-fpNfqa>8eeZ&Mq1^@G*{IFNPaIpV$@1o$;wk5%QR4BiacZrjy0Ai z*{xR!6Cco)D-Z!exDu=>YpUt4=(@5t`>r>Uv+N45gM?X*HJmijtoN!~57is^ic~*f zO$_F$=YmPZ${P1zQW&x0@FS$CwItDUa~* zyq~E!-?FZ2nYqe>x!mhk>iWIltEANxyjPe2hX81dh`y{DMpGn@(15;IShHji9ExCe zXs|rQz`QxY0t8@<4>Oz^^r^-vzUWcF27I%7o50;mzAXEE=X(gm;FA&XzwHaT5x@Ws zKy)TS8hFqN6#Tyl0RafGeFso#DxgCV6qSfDk=k3S{|ua&cNN2$8@@CwoqB7-d<(&d zQVy$f3YjpFiL#fLIE(RXETo_Sl>h-E@CieyFZGK6ltPgsDr9!BN-ylaH_W*Zy2UsQ znaSzJUra4J(XzDEvO>t6Z@`iZQNrMf1wn8C8_d6}5)BYQ0cD_)5@CF}Sa#63c@G$8 zaKO6+9I9eWLfd=DTudQ~JjM^&CVUdEvEeX^dj?MusKGD>64156a7`LO5m)%UbqKg@ zM-rQyhz4w*Fx<$C{GY7c%CGFm&=SjzOv|tw#srrmG3R96?38j>7!RlUtJH49(|! 
zz=jNRuaTAwrB!LGIr~;fo z8YVzIfcAfy00J(JZd6?gXvZr-;M6nC(>=|U@&FFn;0(o(*2>@v+OQ7tfDhQ~z+=7B zDLU75t;LW;3y`Q4NoJ}sQPeLQES9l*|E5MP-GL}C>lkoZHIFbHGj{_ZJ6MJHvN2~Y zT+n>zSj;-@4%#pbu+R#i9onJ|3&o%f;egZfVb^#4)2dycVy!?CC!$TpdH^%q_A)Rq z;m@oT3PE5fRnm4K0)#^HO_VnZgP= z-O2zCaBa@5P0Wu>Y2oeDuAJMO1P>ZRZ7)hbu4{r3H5_694^yzx6VrUQQmRQU1N?Ge z86^W_VBcPVuadoaG;+z^R^51=&friC+x_6%-QD0_-WGYetWDvrec}E2k4R=g9iGwS z5u{7>61#z$@Ugn|g3+~{{(R}6Nz2t0;;%*LNn9}9>aL_UZ(P2)*;7|)@-si2b3+phQsr}|X z9_NHk(^^HU#3zCLP(GCj=DU2(W8UY(@D1S5;82d{YOdvn9!Q;z<@_T6VpQ_u9b-D1a>Z* zL;YQaU`_!Xipvh5J>+Ex?dz@vUH?(VppMv_sBCT14yuNp%gW&Anw}A|UgpkVW^tnH zxX$kFUY}^y8NYte!>(>%P2%d46aa=*r2Y!-dxg4W3pDm-oP<96aAAtB4_Z47H~0uk z_poxHQW0h^x*+g&{w_$qWtPw`Ju2`Kcti#du$@(Smyux=iWWb?hfktQS?-4=;A{|s$&arkS=$)LrJ68 zNh7NsUR1mNVxtU!s^ln&P;n`TDTEO>ise#Ie^D$zT<#@Q4u64lNkjk;qEdt! zWvhv~F)-AbvnK9|sU5+__-WT}6A@c2G@ZJrXNxR83;p@)_9Gn~G`13X6p|^TMjxNp zw7F7=2ghb3{pE}45&vbU7@f|5i3AMO6F^%=mb3=RBeWTHKHhv75fH8?w1n27$ZrrF zfs>?|;^n4~lTle+NtqaSO`{&Mq=-dHOvfZR4y)HWzVKv+xBhTxh11} zomls8;K79tCr&vwz1Na6BHdW<$_zNL2_viF#7W8}SfV6*PVo^MzF_+7iJEO`_P9ob z6zyWfkF-J}!>Dt(!_TJiSf3mr)LzOoJ9?QUhl8##Vl~{7<0=qaeRPT}n%Q-{3;%e(n zwH|{Ma!4X6(ewx5h)r}bV3!kQq<72uv>DP?o>~Bq!c)IsDu>F zO>gz}*TF0$avWD@;S^T$NXj%o<;(~PSzx`CXO~3{MRX)ZtL@Aed9V~ySY20(c3g5J z^>)`DS^tQth#9g0L1Wr3` z_+g0q^#)=IUoZoR6wDKtVskJ_bz^f#Rdqy?6n2#Qd`n? 
zxz?X2!R~CznZXUWYqs0&QSClwIAkO)sQ4)a6_S|4fir^G;EfmhFrfkzdXR=-o5zUY zEfoqs=aCIeP@v#EDp16qO+at~o-tPNK#@#X$U7OoTSx`+5G=n#gTb}(JPDnua6!UX zHvf6uoGLhQe61zKa0LYoWZ=&8x#^B%r=ywG%kACPrjmK+qn|D9E`xv_b3b?%X9&Dg znW"C#b*369q(BFr~{A&|(+j|J}-%2~pL6%1M01Tm0Di2gPHZDC)3{DBPNTixgU zcYx19GVnki6&8-&&cBLkA8giwSd+)J?JCLs}wAqniN zRWy`94HO(gA0|iy0QZHs5rCoy$5eXp?2LBSq zERT((ejMyz1zW>MKnAi@9^B1Qw38~xlmlSlN#X3~5Cav04-Vlgqxp7n!bR9|9J2t0 z31skvHN;DfW4OSnOb`JIxNapB7@sUqX z&=V`9lWrBD=Tb5tAM?Z^6?DrVGCieCkA^gvAbpGrdC&$xM9o%$$;Tpf!vC`>PyusH zgxwJ0@Wy^9!IJ$5TmVgC3%_lXp>&%kf%;Mkzont5Niaq#%jhOy;9v0Nh!E~+$Yh`O&+xi}ORdXjn$X*gY^{+&DQ-(KOLm3J2 z#io*TkEbAAQHE$R8i+yzV&K^$sOmE+c7p_P4FU`hBo2Q9K^4Z3z+WQ-43PjKl>4w= z_(%eep?2b)Z5%8c9*f9sT$FYiDxnuTiq)}}Rk!BKZD8aV9aTm0F?8(5OnBy6pGFb{ za-gKpmWIg~_!M_E0Hv}N60-Ba@oyR1M-@}ak1BMwrD~vMK1>lqfB!sfw|vp+R$Bo< zY;6^S46&eC?Ymz5-m16kH61kl```aQA}(hn=L;bS7S2YHfkuzP0OP56uto0DT6J5cK=hO6^ zGibqU@CNo+u@moO420_+0s~k+eGo8mj8h+;l3Wj1xc9wX?d5!V1UIxMSkhJD#_Cj-Okd`#Z{yd9DXF6OS+XQzj9cfBa@Bh)rahQaF>leA`w$OuS zb)W9r7*S*=7fZ_{=H_>5#(etH(PXr0DjkeQPg+&f=rz((*=Jv+#oN<$MNLyd&64WegMJ11I>*ea`Vf1BTih zb)`b%;U0_1qU1jhH_DkFafAy-6QCljt-kW~UzLsGH~*L5GwAC<-q>4Q!zzPy=Hn?! 
zP@NxX&-J1Qq@G!S6z$Ej4`bjIthmAlk(0o5(SodhyJ5G3?-y5_s4-85W zPbmhvSJ_+L2B-{=!LN_KQiVj&O=ovCOW4|7lnDJCM!?LyRH9Z%TYWTC59Yb{Af?we zMIvZ{*-#p#R(BYP!)m|LalBrC!Oa5u@)vxr$qU$=N;~qIUv0A(TBAg6`l^Q>_z*G1 zO=pix@EZ^PxKC!9gl?u~*v_`YKR)q=cKl0k>nY6^rV%@3Y55DYmVPtY64F5AniQHy z?t>LTSgG0a5^%_~t&1;ubBA3MJ7N;QoVf|f5dVsiXewBmfqlWN##yc}=&U#Lg4b~c zb6TwTd4b6y1=(Ub%3&P834|L{tRg6%JD8`>aj^{p!TO<&9PqI)x}0e;DV<>iirORA z(ibh$10T37iy{$0C>c|$zI{8iz;Fc~>y?C43O%`qqG%JiN*b|91!8fQa)^&F3`4L$ zFZXMe{i~Ibus>;VmbJ5j(o+MOup{JgmOapvH;fKjh(0xp!wfkJjoQQ1Far}&I(_gC zI`qC~f&^2j12`1K68b~AP{cbyzJ`cII9!?ZQ@@S#yD6*z`^m1q5UybPo}qaK4RMup zxCl95nnyGPcyYy3F$-y^ERo2=Or%51(f>s5ki{nYJxz>)E#y9x;Kh_eg*U8&TMENm zkc&hhA!po&Mre;oltnWvM3aevRwTwcNxMEAxiH`)EZ8V5jKfR#MgTzrY6yhn(L-BI zB+W=bvhgZyDF$70z{?}R-57)xFd~Nvzs4X14+sOmVX6ukiX6fzOembSh%-0Pq#R16 zMTo8{(i{|guHxaDkf8$^446s4pF5D6kz^)1SRBo%6%dRAPkJd0SS=;0tS>+UpCX11 zh=mbAuB!>2GH|Z;%Olq_3@YSDL9#xLpdzFsETu$Bk08qDdWAf>3m))C4-pGwXo8N= z0h_=Cn4k--gb7WEiSXzTvcyUrJO4Wk$&VdCgtcq}N2EZK&-f=E#Vx^h*&z%t8PJK}4T&2|7<)zkO7W zyl_NKaFb{RO%Le-DQvt^^vc3i%uaI(Iw+zTkc&?HEV`^s;2MOvU<<`8g|E~h@!Fi!9vkpvINq677bfTCc5 z&bk2(IHaSp&@aeIV5CW6;DELm0qd#2Z8AjGsGACGLX}vG(}TjZa>{R04I&@}MFEnZ3pqN+!-CMXMVt`>^Q28z zD$XX%F-544_jm$5xc^j`aF;TOQ?Ph2yLbw>yaI2-9#|UGfBcVkA_`p93!?Z6nbey= z-3tnw2^~O)*NPwAOox10jU78&N-d`*hVX5&s38`q6iQ8tTCW)3H!-J7;#X#+^5`J zio;X|Ftr5L+y96wI9XZ1g4L{A>m*xtYBQ;zLfpg!K7d9bfCOEIRsJ{#vD^oWaCIieNq3Ruu!nWUzMW*@?J1TeS-nic-T7&yz6P zA1F*o-HKd&BD~}pL(mcP#Nj4>oKckFBti>>khK-5 z;@mtLAcm1!H4!xqpcbgR?aMy=kl{ey5eNz78$s19$i*V~;CDTb<{Zag1!EpisM3t9 zquD-T2xAM8WI&}4Oub_{JqXD-z&^XzMPb1H9MaD0ImqbVfBlnH>tZQu(=;hZ3Vy(3 zs{aImRI(#lDTBabRq5rQmE|oax5h2EaI}%$3774|V$Q9NXO1>rvbc*=Km@#IM$tL# zJ?1pIQI~_bl;hdCyXBctKaiOoDtexx)Ml|N=1%2TX``BS9u=x_XUw3MLQ#@>*ynvd zH-6sduL+xc)z|)vj97Eaob8yqeAH^Q=Rk5ghfXqLj_5&yXo?<}fEH-S_y#H2*KJm3 z?yW-WI#ysHu8Za)Za!&=R$P_lVvBC+Te;rO=$6Ld=xn|(HK{gu{^mm?2Q+j)nAV_| z4(eg{w+td`V@_$L29{|K8)bOvVu)&}mg=dVN6+xOR37RlJgSCPxTS_Squ%MSF8^w= z9&2*8AhU+Irq(kg$zFoSJdl<@n&j%ffXl$sANzB{;bW;i@Pw($lOKyR!RYJoz=`Sb 
z*Hi;+mvcASI6tyR>$HY8t&VJ=o@~lK6Z~ZB&cN!Aerd0ExvrjT!k|DP3yD9*Q$F~u z+xzPnY0o*WiTDuBPMCowVBZm`({@|NH4+~MamZ(!Qxv)3a!eVp4M@>Uh$>PL)INuU zZi+c=?OFs6-gIJ0%>{9Y#@{xg+J0!uzHG2AYwt#;?hbE4%V^E61qx#6&elBe)d-gx zo#2u=0F8r)gbLzy&R5kF>9S2qZQ8I{%n;H}+8YSsB-g9>%e$;g1pnO7JpZGP63%z& z2rYmQ!GZ{mnA8M!#Fxlg@z8LHAkW{V3r84k53z8R9&hqCE1hQL6hCWVZt-7nhe6S7 zWq60IR&VhBW`vg4qnr@N4n<99P3s8MLKRm`;YF{oTnk;+I4I&1a8h?<171zN5t&vt z;O!c0TYjU9(+Sqj>(eb1RT=PBc4_h?caa>_;ZE9tmUH1VbX5BGRjIAi^kL!?pJ*6Y zpqGX$uKA$BIWfC_G6c&%Lwf`Zn6cD=h8nUoQf?KTrZH{PSD#=5YH$-qup$Y;`@kavHy$W!VoqJg}c2@ z%4DNIh2cjc?lTwEF*RNH1aPnGNBxu!%Cpl)(+%u!JJlefG*maY|3zN#~1b zxKr(@D1gPx{XXBpm77Ia0O(YwU}V`vPzqR*IX5UCa5x4E0*A^ohHKdB6zBGC9~Mim z1+!5GO@Hf72Y4n!88jwi(|*HQRcz0#qT1_2FEykyHto7|!e^b-{do0aiID<%MoT~u zlWF527x@@2)_<}I;Lh6tp>Ba)W677zG!X6K_e=(QZRj{HAZ z>mrS+$V@0c4m3!VqJZTPH?pZ91^|9LV==6_ppv!@ftj_bS+`iY*~G;t9^pF&U44r{2$dqAoQ*n%09 z8m(8Po9Z{8&V|a^F$tDm%&EM1&<4)uPtlX~vhRCdk%x8AcYSvUnhshVUvIisGT#t= z3l4qQ?|EFlzwh-6+{9vBf2kC*9Q+{(6p;E1fP58@{1rG?2CL@>_J`6}m9X#Gf8Trd zp8aiSeTAof-nxG5=M^01-ksv}<3KvwuiIwIB&NSHU+1xyG=w-c3C&fRhf9sH7l&`) z`qP+EpN(wo-+u0&d;jPEJO6h6AD4Rr2vXTx@F>-H_&xN_%K zRLhnw-n@GE^4*GdtyHCY{75`liq=DtGKJLa3v|+!qT|doc5L}_+rNP^bMEZ(D+AiqSs#mWj&H6R$*m_+HK2#XtCvWMkPy73fit5z8))IWTJD%9k@oN?Y@2 z=-2>5Z*KiM_UGBRbBC=R=@r|FH_72OEAa2`>i^d}|IYqBe7fI}Yfm2kKK`!m^YiaN zm40bQ&0)xGm_*_gWBw_)oqY>B_+VYsnI>I*0Nw>5h8bF@A%_p{S5zlb+!hOQ6UEX4 zU>&O1*M=*)cwdDSTH_5fGp0r3bkSWX@Z7>Ex45 zLV4tKHc~_7lu;s?C6--s`K6X%hAF0(Qj*z>Sv7VU4R5EBH>R0eo(X51bJ}?)o@L6Z zq?$RRX^x(O)|n@vgBH4{poc2T8PJ-nKvn=vs8L1rkQHGDW{!!`YEWPiaKgA zq?T$bs;Qo;Dyz7(`YNok%DT*~tJZoeuK&5}x+|}}`uZ!d!3sMpvBesDETuYA?vryfDKEH~cWf5lgJCbf$vhMh;H2amvIUd;BrT zA>%7D$t9bND|8Nr+6W63WMKvn8jbAg$u--2GtN2dyfe?zqO&8Zle7Q`5Mr1Hi9U(U>K zsN7xk=ZTlPcBPPLQg;)e27YwRQUJ61-h6}}wI!fWYT%`|#9V{kAz!GK8;<0Z95oV1dWh|Noc@z=mX#x%y2>xVnPE?2tz0~A;Q#6F_uE!$su@c$RG$i2nmc?0u%eQ;R@Gh zHBDfVaYjIa0&j;pgrU%kS3{vG5=g7>0Ramol%eHVkbx~eEfZ4gp!CpiF&36Eafraw z0cDXu_l4mM66E6<()Y4L03!}>!(a;FNJtrMkYi1Z0}5d91~5i4gYiQoFml&|^35=R 
z?W^D)T=%vW=#Yh)oSZG(w?rUT5N!~&g2pyMf=G_aU@KcC9(U&i29j+9lO!R`5K%`K zL?L54*q<7Rrh}2(ubbZdCO9?KM37wZdZQC15#snuDfEz=W^`EVs;C1mQZSob=z$*o zHv=|spbQ>>nJFhHz5h%&bBMJ3h!>;~1bh}W4(l^p9f!s{gH|(zXMmsMbays}K$Dt9 z^Jo?>@&>p?t`W~f=Q#n`wtluiiU-{s3FR<`BZzd85e=y*VUP(Q08yfEprx%$_qTUS zuMRa(DJ=t6v>YBTg)Ow`QhPAdskXGC5+$G-44OtY=1v7oFse~ynz1B06opHeB0JN` zi#u@OqSe%?R&TmU9t1RjH}z`wa@V)pt#Xc8b!$AQD$86tbbY`ONyg_MDk z@1#QyG`d41;Qzw0Xgt+yrzZ>5s&5NnE5sbOa1qDuubpD08WU463cFHv1|Ee&Cr%KG zr83tC+Qj4wG?7E2hO!Gr)9p%Ei@=}$5^gX9Eu~_n$7GJqxcjs(1vPqA=rZtvLo{Uz ztxHq<65$UX=ZyD_(S-*t?GkFcw>w>~i`D4^bB3!)nk}+z5i7m1kygKjfS(EpL5O<(SO>8c-J9bq zXNl3%wEt$rn$Qk73n0gVXtKK`$24(6RK&t;{5&xt=1@_Us3E^I5aJbE8{IgH*wB97 ztX#wAU7tRBrY}`6Q_0%t^(M8Vy-4EX?p%qRI#C*DB?b(}`&dz{S<(>Z=$bPeX{K`F zfuFRedi8oK|9Ns~jn?O18#_EB)Gn$JO~Q@Sy5tTU8;f@B$ff?QGE~0cHw$y z@gDKCy~tV)QBB>VF(loZ&MK)LpFSPm(@lFI3$>?jQr;ew+?Qdwgl(nzq)lA=U^~ zIxKZ)cqFm_?lC*D#rtkI-A4DnXlSO*BmT=wG(m_RSLAAm>2Tx(4Wv+rTjU5gWDk#c z$be&E((BTJr4xw7S+ zXfA8s%(=7Y&!9t#9!cgW6PdRyLM6lb;hMeZM(Pc-@t zNG7S|l0r_i2#_04Baj8LSU?RTRL0VVK{sq*K|#_ilBEvPU}>cRVOEKd1sh1y1t?6S-@>nul-Y8MNDZMyj#vYNj7>8x@FXsrO>@<6FUl+in+2Q09MnobJfxN+vGZl|$=*8`CBjQgr~uJ)j+ zrNSbjss`hK2+C5maoxp0*(@Lszc+?9M#*?DNmI z9U84PT8dlr4HnRYNI{&YtV0`?LYy$d?T8C1s00}pAb45NTdA6MW(Y5*QyLR(S#^Z8 z;kXWI4fNY^$1V5Vm01gKx0D{+G(yq@|G2`J0Bem8F41Fg_{)T$#cr-s+o9)g}# z>p>!dYiSUFdOrZ)_C=lIXj)gFcp$uoZ zLK4#OhB(Zj4)d3p9s2NxKn&uu|5z{(JGe|gLQJ9(m&iopu;7UR%uf@iNX05zku|!x zq87Kv#V$f7Z3NMv7sp7(GMe!v@*~Neyu-#ey77&0jH4XqNXI(b@s4=RqaOFj$3FV; zkAMuMAO}gvLK^arh)kp+7r918I`WZ_jHDzdNy$oD@{*X$WF!Bmh=VlajGzpqC`U=k zQkwFVs7$3QSINp&HUx>TjHN7Rc|%Ij@|L*FH7$Amu=&G@)6mZW`n%(9C8Alz9P9*h86j zyT@UE0Rmby)0>_XSz+RN|IL2-^PepNLm)CR5CsUt9AD6l8SIe|Y!m>V39*Mc2tt8- zasfZzyvG>~f`B;mP@{w30xN`Z4Si~q0-+$t9$MIpZ2+`0os7Ot!QkTlqraJYhP>rfor%KhTTJ@?}&8k+n%GIuV^{ZeF zt60ZsRdpa_4ir6TL*$_WY$9Y0uvo?$DiHu&P&5@{7)U70z>R}~Lk|o1WJAYsja#s_ z6a4hdGKj*<%+W4!^NN^cx0cpgO_m-wy=-PN`_subQ<}-NRAfiXS(`pqrUwzNWkseq z$%;g$u#GJOXewLU|JIhLGs*2Vg-Xnq`gUh~1*br=u+}f&LYW6hh$9M8fo2+4AZH*0 
zLp2JZFNDDm&A=-+H>%cqv|<2!D1&jq8%85emqAcr7e(;%LWzVbYv%&fxz6>f$qhhq ztDEn9W8t*@ruGKYa1(tI@guf%N<7lYRDfrtGWHEKJk%iS>!7BP{(c0g7{0ABal7H1 zX86M#?x{>YOyaNp_QbSV07AY?iY*ib4}*Ax8(I;@iXQd@*$5{=mU|Ef1fYo0m4_Q( z4BhKySEYRQ>lbJYPV&lhu3caZF&F}sURaqIQ>w!`9O8;8UnCF^s0b`EvZn$ANj&l$ z@cEi)K5Tt#|GwVQ&WsiuAjC2FV-dCh>P!bGAT{Ji08mH>fTSGtNo3F?)~$wZ3*r(p zdeOWEaptTXQ_Z|1w1S;qWgp^Y6mL-;Z!O|TWx-J}RQDE_HV7 zrX{Nb01RkUekRD@RI9LZOS?h>pi08TN$7Qp+dz1l7)MPiAg(HI5|KbgqZPex-m>)3 zxAo~b5uFh&yz{P^wlczpDiE7`VghL7@AP@NV1FNM5|Yx5#_0;g@{n= zh8eow|0U2h(r{6T7nz`&F6han!198amAW_=EEfc_jV^S-77~bq0-{`G=nm7m11-75 zFLMbpFnbrT=tZrTTF-~-)~T{C225bLK7lMPwF6jLgrOO#d_nCy>=K`x=&dzn&T0VN z=IHafrc432>L8Nh)_V)$?bQiTAmIpnI3zL8fp?guE#w6-J^^#xhIhM}NbkO98&rRb z^*$xW$0@@4?goPl?hr0RM(>Abc6#JE%rwYNKlQbK*7^+Rvgs4v*qA_c`W68} z{|ljw&8TxCgR^*q27f}r9Knv#J0#S&B12KitXKTY{dERw~(AS2H zK?o_AR7My~iBJd^=MeIMg5@9zhIMsH z0cm&-RuE}5WqBUp0V6eh2;qwfK?|^WWcT2E4R;5b#|cnyTuVR>E)^0Nz;h^Yd&E^; zA=OZc6$+YHi`1tS6D1Ilum?29V+TQtnP-lhmrh&ghU`cbpWt*_hY=uvT_K%ilo?uxy25rcn^c8 zZyPpD0%vP`hywx<1;f<@pVxUFxC!>8Q@AK|$1qb=#tFcP5UQ|Z1yOqd{}Kang_HO2 zjnmgxBPJ0XV2uP}3I$;erRE20h=q!$4o*N0J;r1dVG9QF3<|LZzc>&X;FOTyaP9b& z5Yc_!mkF%ERC6e3%G7Mi!~jys5Vg={2gM2z@d+2P2`(d+hZYMz0(UDQ0MIlwq9t|( zc{k*SH?AWsuCp+k2q)gcH3HISc*kd#n23$}ez{|40z?d{sEW75{@GuWVSPoWcixa?>h}Vj^=uMm^lYhuua8Qm)cu+A=1fIuSO<)8=Pz|6~j8P~N z#t06|P?S=T3*X0^NstA)a1hT>1PL*e-53!VU=S`a5J8ZP2a$Wm|5;G$_e^AUp6HpL z>baim*`DtCp70r;^66A~>3w*}5a3{bPzQBzsGa&LRW@M(2qr4k#t_rMU*e{JWVdN( zl094^EBB>{f1@0r=sdBr1EFXj>fq5u%h(D40kwhB(Y3E*pc++fF`&L zg7s`*S*5Zu2*!q`5b|Bf_LfX2qyc(=_7!&IA~P1l9SCVQ1(7fqnpn5;Z5yBiAG(+p zgP?Q9kPu}z?Gj)Gk%`~qZWj@o-Zi2T$ZsUrXftX|Njjrz|AkIrr2(9W5JzC8l=>|7 zDHQX7ht8&O5Rs{%6%oLo6D#@IPsjRTB*3Y zD3^*7Kboti>Z*zgtF5Yrg8GpwIG@OxtjfBq%-XEZ`mE3ztdawAJull;L{JO00 z8m|Bwumal{o;t7wd$0(bunN1d4BM~{`>+rju@XD66kD+td$H|!qc8=mlXs}C%CR6@ zdB@76Bg?JA+OZ#tvK||2Yw8?!l!vr8MbL_4!WtF%lDtVtWRHfyz4JF_NRvspW| zWJ|MRYYa~NVO?vsB-XZTo3=OwwO<>zZfm!A3xRois#B|iARDgUy0>?0w{YvWU~8&X 
zwXIv#aQmiIhR3+;3Atp|nOY^el{;cdRk)eEik1si<5Z&8=ea)Xl}**Ta|^CdWx9>q zXiTNL<9bz~%PvLbx`|7>t&6#*JG!gumA31iv|FORt6tg1wvubRpu4qM6}+>HyTZ%5 zyDPFKdsLkpyRxgT)3;N`8@-!bX}Zh1rTe+c|NFesJH5<1yu@2+-KlEJ|^5xa0#ly({wyuuADrGopyFdV}&Ji{@} z!Zv)vqT|6hyu&=qGdkSEKn$^AB}UsY4wirvYz3MS#T4BoPir6v27wKA zymUPomv0PyO2(yRJjh8Q3d+Z{U-gAm|CJ84Ngyx>9R2%nOW=W3iN=S_b6I>3*3b*B zDMmGU4;)Yf1u&8ws0*z*5GVk6^9r8_kOqD=5M6lyP^nxKfR)391>)CZ)!2D$*~f(Z z%SV9+6vv0mfKU&0g4~p(D|vnLM9egG3Oib~ZOey*DF;l=bnr7o>~lPIY|2 z+&p67%o5m@4oi^9Dr^%j=m$Oti~Dqwyg3Cfr+gA+5P!e{)A%yTYLZ&u3R<{??ks5S z#En7fnoPi)03 zc~4LUMHzX+^$azj1w@yX0&&Vmd6XL%pBfMeZqN|6{9;!O%7Kv33PA>Cc+d`=);!V1 zpWqZ76_3792~r1=efWJqr*b+bM%_mNa=n{vY;&)6Y)uW0B|UM??9?t=oQExHLe^aA zAk^w-4l4T5Nd0%rq=Oo36pFosuXNS~Vb$lv5LA#8HwJ@YBm`aQTm|=h=cNl!tk$rt z6LmcgXn+jrpnj3Z&xzMeuvZRqAeZ5pYKc$`i^bU?$IQFAgts8s%K+1bjR%^L2qJ^n zN4(j$%`V$uSik+zn9$VV|D}vkr+6&UT;L@Hu<#f+2QMA)#S@{FXNZhMy%2@a&#mB; zK&MwlkP8HXod!VwNO=#>@CR1Bs3&EHZ~%hpHwQjv*0J5-HgVHMn+;o;cn~fM@DR|( z&0RHi)79mi=^d8~H^<{(lr_fOa1hfkeQ`{2a_7ff*S(grVBK2D+#9`4D{%yb;02p^ z8G*~afQ-CK8Wc$SqUOTssOn&Fov&!hom6<(3M~mlx z{!5{X)`4E=h7KB)|9$9+zUYkJ=qEPUjvncfUesV)f<>+rH2kxmdSM_u>7G7Ir5Y3% z{OP1#>iCoBrk?7mzUr*r>aPCku+9;v9_zGT>+)*rxbEqFp6k3$zq1ai-61BzKJ3I^ z?8biV$e!%V-jKcC?D=~(p-4m@^D$Nt?N4;=PZT@YJ{5e2?bePV&VEID-mhRa!B`b@ zhjBiVxbE!U?(Y8X@E-5rBkz*PQ62`q(Dr@fUcE6TSWk<{<6C&wE%h~3u8@uL-+|0aG9*?=%Tehpr zxi0^yBTK&i|883pZ@mH!vjnfcvYDPa5Aoa!aQbfYLcj6un`!)h^5fgPHDB}+r=-Jo zs7Y^CH|vZ0uJNJEXeIxgNWZxpU%c_#wJq84AxH8Gf4wxH^3n&4Auqp3u3IS&^GlDl zDeLx?KDZ+Hiy{`bg-Z8uA92~qwN|^RcVG5`Klg>&w!*sb8rJuQDz#nz_)M$0HJ{ab z5BQc2t~(#(anG%kzf4IFeuK}FfQ+?p|L3*kk=`u0E^F|OzxO)}_Nzbn9I5yOSG1vT zvf}!}h%dCXfBLW*`MqEJYxSwp-1>e?_D2rAg`1>9zK)oW`YNCJ17BI1j_=^>w_2O} zdmH=F|1Y;t+PB8v{LP>5lozz&fBwKf^`@Wh7%y7{zI5k*Q%38uNId$D5B^RXqVXTA zL=F(l5)4#E@ZQ0D2@oDkhOpp5h6M#ObLfy@vWXZoTFfYLVTg+zD<<^F&?HHY6CqM0 zsW2hLlOiK(l-Tg)$7LmFD#NKV<<5aAL-K^lvS`Or=ddbxt+wR;${p zdRvP9=+r4%qdSG}t;-g%)SHc~hA8_uE99_)$r85N^KVzCo(0#tsF-nU(~vigCEb>9 z|7FlOwXUvgI-=ONRO!aGTio^A*m6~)UYEC%FZ)-0cV*jE 
zZC!%d*U8JLtquOV;Pv47_QZT%x_RtRpR>lkJ-YnNFbl9Y?|lWjr;n}M;%1dqeZK@Cr1u&DzNRB}hZnDp<)4W&#{I4Xq;>O>D4?DEPSo6}4| zuiA5Lrb?<4Z_6xUTQfR1vRaG?7H?2$cR80+a z712s(l=IF`F#^!Q$41k2O;J5<6H`+S+iR*Ax9m076w6DNH&T)D)j?0~dDg&PpY;~k zW4+vuIv}B3k;V$AoeilZ6O`%PKQAq@RC)I!71iH>o!7)*`|bD7VaYs`JTQIC7T`sZ ziw92&;eFCQC*4Ijw+m%-7}*TNUAWOc)72P5d~-8~!dt(U*e4gid@wu&Qsvi1e_@{Z zVp}7_SKV`qwX)@sb$xKVWn27_S-A3}GShf})y-&+aSqivTSqgKRZ363|Mt*56J|7A zdtu7v=Wn~MROb<`EgRZ^(-v9mfMG?O>7LaVSnV=HE=_J;cNLTEVQ)M--&*s2+UYw9 zPxNE%><$}m!PkDf@m809JlePy|1fS?5ucoKb_?#f^08sQRp`0*<-1o1Ev6iD%UkCh zZ^H?mP-@vb#8vKD{hYmGxZM&pYmg(R?dH@7oSnOUhwPg%qHTYhdDu0l%Xz>L&(irP z-HcUMh}F~(dvtAIw)Wbkr&F}371tE|eD8gl=HuTdQhC&i{gr$bTNIy5_M0CXEHT}W zSMr)ycIKp+WR+`qU2|0S$_K3?H86dhYg~O;roGS^uX$5bQ`_p+{}<66kXsf4n_t|f zwV+*1X-JzN|1xGlBVBD{tqRV4aORu34X=Crc~S8|hcOKXs$I-67@PdIr@t{LaV}Ka zqa>%bvoXww#Y4}6QZ_Uaa*%}$V&Vp46hqGZi*`5sV8bZ3Hv z+v;LrMkPW6&O<;&ga>gtbK2Y(D@(PM42n_DXcT2JE7Q` z;fr$udUdvb%t*5VXy3sz9w_ zYb7F2f7;PO?o3cfl@k#S2f)FlHJ7AQ;9x&W|ED7?B+5uO((^ggi`6vi-{=b2 zyWMqThDDO&j)X{w*)M@f^e0oPR!Wk-OPo!mn@_u0QAz$UnB$pa7z2B`eq!*E4_zYp zkdsf)Vo_WF(cfp?NKA6Y)k@bi7fICz)F;*xY*h*>7ipzY?|SL8Z6)1ljX7M7I?$6U z^R0OYC0$%HvAx`V?pO$xr^~4oyJ1_ZDd9O@K^bO$GXk=k#((Yed{r6l+(NBb+3K>YhVXk*zp@?S?M}#WG7qM%Vu`7 zJMCui;9A<#UbT6seQj)CI(W|JcDKF#ZE&+#HPJQag|irLbf;V0>)v#6pPX%Y$2-)} zmUq4Ft>*QyTi^TUcfTw8%!QzVlGeU=|G^F3<>wq+;S0ZWzWe=fh)2BH#HtO$Eq-w# zYxW|fE;SlBN%3M!T;wAsIj03za+IfB<JjC%*H^<>C=XuXd zzT!3dTS{krCxQcXFb`u7LC@u{`FpS-H>1> zd)XI_=X+!#>f1JZ+ufdMJu_YI*WNLi=YDr-#~tr`kF|~jjoX*KUGRhN+PnFFcvRPt z@QWAxWEuZ>vx|^<t`R|!qtBF(cD8TI$!+X<~oc5?fUVj-|D~je*3>HHTB28+t$m8`|XeLERkDh ze3gIyk!@Z73qW9#JOL~~Ukf<{Ou$`3r0FU*ySqOKY%@($Kni5Ema0GuJhUN0pbYH5 zNCTSEBDSh&i3lvgS>r7aOhLG#92IQAlc6aWj6vxNi?7MC$dbVrlsOaJK`28(9Q?r* zYqcLt!A}Yz5!9U_1VY>6K_+A}_({SRw3x|*LLx-KaiSAQlLfPRKN4)hq$?jpqlKPO zGAblIFtk8j;I;bmLWWD8|18wPEHtPx{5l9)I{;)ro4>X@v>(8LJKG%(m_w@b!A0YM zs4xUJ3_eK%E=Q|?T`L6?u!TZAIC_dQJy-}mlt4e!I{I6~u0xzeJO~3S(Cjb3xyK+hL320XrM%daEDJ=k`M5Ncj$!{xJfnIzD5vTzd2#48mhK_6jXQ%-? 
za0Xc5fJT(XdW#9t8nhMwgd)6$P>6~YIEV>2$*35Eg@}e{*u|8f$!tqU7SpxxJG&OB z202`aKZu8Cs0My?iFH^AXXJoyoPi)ng?o@nHgLwAw3(041Z=FxVY5O*%LF=E#wmP* zj!el$K!vwdN?5xmLz7EeXhvRmh9IbgX?%hjhzE$^hAAWgH9&z05l8>f%fvgwLW_cN zIEWX337AX;CJ;1Sz)CBU$h3or4hVu~kbxk8 z2xo{!mx4jIY|FZn4gV-hhcFm|5}<+scm^ssh)6gHxpc>a00SjZ0djcFxZFqP3=4J` zfP)|eR^ZOxM7KwBlSLEEVR!)`=m2Lpg%VH!i1@~XfI8>QNBCsUoFug9ii_~Hy4%=^ z;amu6T!?D8%HxBHhrCbMM9If=gkr$L{anA6qm(r9y~6QNCydI`T!!B zk0v`xe_T%!_=aID$9p(X+Wf>u`+y)7(v>1Kby$c#;K(HHg$d|Vx#UgkBnbrF3?Y-! zJ(|*GTS6HjHvfm>#=Jy@7=Y4*-~*1FkWv^+o`Hv`90q;72d{+At;9~UL{stuI>TGC zI{?a4aLp-@6pPqWZ=lW@paBsaGC}}SLY=?spd=`h%aNo3THs7c2nA40kX4+>QdPwi zXwEJy(?EdCOy#ysRZT*RfG#ad40wh-G=(9M1YEt+usG1qWQQ;{)mW9)ZJMp9`YA+n zhM!bL8l4^3lufS0g_HzI6QI^(Rkq|3LP1*t5(rmnO-PJ1QQd5Wo!r)RyQo=3G*3lH z7kE~L_{Kz~O&Wy+c?b)s%r$jQQZS6+k`_Zy$579EwENdvxa9B+h2ns zH+8lmz*~0f5vTN9#v`)86;Hu+wuzZSf^gVOnijR)!PGfi&AUU%9Xzz6zQ>I~ve7@! z@}tVFJfQpB!KKB_jX;4B-Nu`yp_tITVinYdJWW)N*KNEDoZZX2Am6gxwnHCq@fx@F zF#qJ)MBN3u>Jq8p#YA_D-O{~3y<1-Q^BI2PCGb4n%X1IsWnRmo-rG&a>-D})X#mvw z1hE?+?Tx%l>E7oZCG^GKxLsfEQ!n1LLzi=3??p^kqu=_?tX9Qe>${!uC0;s$h#D*^ zfaPC9>{bJ=KE%3+1nytuZQ$zjo!@FoGeX4wt-9L1;HeWQZlqWZ-eB&9;Mv2NnuxxR zgQgD#;N}%!&oehNW#JJ9q7=s9AX&|VVPF`JVfdS2bnLol%i$I#QXu9#v#Bq0D&QgB zyBp+Ti_D5KOkyI=CMa%U!fK^S8eqnmV!R7sEv7jk?qVfwUobv8cFKs}gD=Hn;{PUQ zE;T;J0~zDFBil9}x@TcrEWTVZhGV2tIz67bl*))c-eWEf4soo8y#|pF<_& zm}6E&US!~kMMr))b7EZwWWGpNIdj=$(p!y6CSwotWS&Fd!X;T84&|3)K~mPn6;@@2 zYnoPeQiScb$U-erlK-W)r^`|{;qPP*{{Tyf@R&#etRUafK-W~REmb%xnz{^qr1C1jT8 zrSurI462H=XK>D4Z|3KD&XafEH)5W!f!^8Qu|p&V=ziYYgH|_+dgz^fFaL=q=vfWs z?mRVyjyF@>=ztz%kG3`Nt7waUu$}ujZz1WwZIqe_>7~?Vl@?M$D(ILlRJNs1kalTX zYc+4JX@)H(ozAvMxk;a%xQ-%{>@BwrD{5~WF1rZoyt9u7hHAR2k#=QjS(T-sWTvpf zYQzoRHKuAv_UfN@XtMt52vsCA&W00)tAD2Iop!^whHKNL+_M%ouuV9+-f4Y73KPyb z(D^fxZm_xD>$*-3FZNsZGi;G2o`g`l>Nu1?BSvIgGD9obCswo^^yhYyu}0epFH6LF z*59*pXZ72_pySWXmPVe*Y|*ULEDM?{oG6jY2_){>q=e-p!fCtqHvc5J1%U;UM1ao6 z)IeY()?OsY9%us#@IcFw<3c0IE|_jEsBY`-0^`01AppuNAa0nb16v?hh>!xa3GR$$ 
zwCy%o4}M`H0|i2)6LCO@HlT+1=1KpH=TJKU83oNj3vMC!@4mIt*@1%-x<~*8&>m<9 zI>7@9@IqfYy6Z@C28KHgE^r?mx_9G;@#wgDeM$6-J4z z1SWuh(WVnDz<}L>0+@INd2j z@$}|{;$(H>IN>)xh=YYFf$rSNB#3|snM6Ouf-o3| z7jJVD#ZiR}i#s3!gb>GVIEc;^U|7&!B9B7O+ch&)07v71^iBphP=n~~TA1j^0a(a9 z7=ke`*TeOe4)<_Q^VqT-G(s4}7>EQtXoWkd26MmxkQFo{AO|Ptgl&j|Q%C|_;Dai_ zgDUWZs}$hG%=Gil11b2~iQoW7Fvo;o?u4C4Nnl@R*|mk#aj(IHF?Yh~Segb0!ay6k{FY=VWr0sl)+J4-kMszmpLsBc7w^Y=a7 zM|%e*5Ai{>g;n76`P79RfQWC%gK@Y37hqK%4}lKA__lolM>kmlFn03Z9ctGAn4rjM z)KNM)hx$ec0_bxd#BU}8_2@(baAWY zE7+YLxN!HgDd8nFHvr1^#so4bJtcE`24H|%!0`e|au*28?7WAVoE=(Ng8c^dH6TiM z7mEnc)t2q_cO6TC5BMlh$bZ-F&)1Birv~P>VgKU$H%)FgNLvDkfCZ|I2RtBx5-9!M zVFYfVf^8UsX21j{Kmj0#c*tM(@dkv6XUHMg>Vy!0RG@}fI3FVz^`yt>L0eRYgv$aY z15SW?LMwtzh=FhrhVl=EAGm-%Ja*sx;9YP?!hBv!I&39^((P9O)SN8{eJ zx8~5m10H-%6{zaz*_nL>0!iyFLRCmZum4FEh|8?gh|2^n`g!y+=FFNmbMEZXEO&CJ-AxgIFqZm8hv8cH$rm3K(f%a+A){KXH;mGr12j!dYDnv zHe&e2qGbb^a_oPEaH14O+zMGOvZ~0^;UfeYE2JA_R1{1*q*)+N#YjbhF2|QnTGv{l z#smieXmq5NUld$Gi@yvArvI&EOrdN_g=Y*b5IgA{Dn^sSl+%nkURJo{J?H%?amPuI zHIjj=cGTo$yV0ahlMWljY_>r|n+DXWU~}*pT;FOP*=3u3Hri>&$f~*rZYrFtt$vgf zIJ;z}>vT%f1cu&y=NEOdV=pZVm{~~c_qk(lrj7@PBkp&*GNmOGbSM*jYdUdAao=!{ zTQrN>p^H9xXOde*lOqv9VA~cMc>X%g~(8O;#p{zp9Yq$Jc1L^u_y^W^{7t45k#fkp4Z|Z&!c3X^=q%Rywu#>@XRfkN-aW zVd1XkvuxvjR#@p!BLB+-{r8XawBjeg0eS>*1)|OyHdeH#p$A^zdmscOD8UJWMo0Ha zMe`;C4#iQhgC6`K2(xFEmr+L@SYXNs?;r>chOmV$d|?N%N4tq^!hktC;K!cEJ1~8L zXaxKr5GQ7tNO{B!*{VzP;uFLrG7%)}l9XC1k%7hasEJk_;B`>AH(P)SYZHnD48thK zF^;ZZ^NWbd><1GW7Lh!k5Z+3zC`TZE<%V_)!QRGo3SBX7j(#NIn%HF#QnZeYhCC!9 zqk{k(PNxGa)MJObm&i#{vXTRkp{zC`paEgBZDP^iumA)r&unjB6QkU&DB!R}twkOS zbBFu>h%QE6^8ZGQBv1Q9g9%`@1aHwHTv>R@uRm45lEy5X+g`>Io{Vra_S(oMmNpSl zC{7mB%uFdud8t>#QkG}3VGhBr6hV#6POu&7w^roW% z39?SkW1iZZpPDM?FyQqrcuffa7db+QPAubp<>W;wSObD7))O=Ds3#x$mkc@pi%Gkv zWtu*k7XM8kWgQ|3c@l6@*FCgz3mf99fbmj%YA1OwQDlGIWjJV>(rWrNX+$W%JE8u< z6T}b(7alT|GH`PhM?&K$RD+CwQKU8Rpq6DEdQqAph-rdRrdN06ql^%5l>&jKOIE7U zsHqQ_$^SS-29OHCdl0~AMAZcxR=75Zmeie_N*N(p2FbUILSJ0{+w!s_mMmz|hZhNi 
z%oYZ>^ntV)7agi=o`V2~)Z3YeU<>*&WzdA#!wSf&S{DLMjq~Q6WGe3o64l3Y7&^ z1faVth3L;wVqscfs!(DaWBf=Y$ z!~fSFe2?sALLsoYa2Z0h+Y(oT2(7TN7Hwe;W|kN(ia7&s1wqK!0K*IOqH7xK%MFTL zqM64WBUqOQ76+0OxA^kxa`~jUXCu&0M=wnpS{8}OAVLTG<+b&2N*{#^Zy`` zpLKxNyy*fiROli<2-=c4O#oO(H0uJdc_EINs-0M|rA}9u)qK)mCZ65CIH;Nz(suK| zahB?Y6CBtp{&A2)O08hKx^Dr{oa$9i6KPA2G*Xp1 zc0y2#&A!lps&R(LwL9G_AqNXxAe9k>mU;_jH<}?V0S+!hEovI4b@#vvr2jD}Plx%osA>1TJ2m#X_HrvrigxXdrFp(;n+<7ef3> zA&y=uC%lmQW+{LIZ>V&bNiF^3j0zJN7ZJ`%L2&}VUVg6K{aPN(!q0qqcna@`0eO)@B7ndO2B`B1(LVvz9`L&-x4!a^ua zUKK&rT`+)0X+g8}33>ch>-5xIbqn1&nkc2$Ax_!#s8L(YAg`Sd$JB#rb&>E;OC=K4 z@R(E4xDiQl)8r`LX62P9n4(6}Q+QmK`52%VMi4;ZR7Et;Xn>LztxP?olRFue9_*PG zg@86{5eO)S{uIMe_zyUe7OZ((%wSzM8VaX$Q!AE5VujH=nf z&|X6wqhG<%H3=1c<>D{04KL7#WwDgi%wtA`6QI*j3lw)LEg-|uxHm1}_5yMf8 zOAfM(zr<6&n9wG8V?I(;T;beY?LtH9k3@Q3fe;ZA*$yq;lotv^F`x=d)?_{;1FUi zCVr4s$gRXCy@(nm6HGCtW!i^673F1aCP&;4XMU!3g#Q$1jwU@m(PYNMNf_Fp*(F$# zrfa?yPyVHB&ZY-p(rex(Y~BuT?xr&urcUONX(S+T@@6#Brg0wU_t;{{At!S-C)!M1 zzYOPYex?1WW>_w#b7rS@N+ViICvMu5V|nLi655A}r)y5-K22Rr)WVi_r+tD`NC;Q<=6gz6iZUks#HfmrWq;Br zV$zq`m4=D-XuAbxp{;27kdR{GsEpE}kuIiHCjY5rBB+G=D3n&xi*_f!fM}FnX(a(D zlhP%kp%RvU=^=3_n2xCnxl?;Jhpg;~)sZQif=~lOWt+w+QqJg>4km%hDV|ag0|M!F zlBk#FDWE22Y}KiqT4|sj>T@PqS`w;TcByirCp=!yV=^jXD%PXwD5b8Yp&}}$A`^SD zXr{j9ozkKKZfd8V>eU5ks5a`TqN=M-2a>L;S$Y!Npy^GrN^8ohP)@3@mZg}!DzH`~ zt@i4y(&?KD>7Wv8Q~qkOHY+Jp}O;V>iYU}HHrnj~tfrhKJ zvL;iorz{RDsgkR%ZRnahE4=O%MY5|5y8mmp(kqAUWUlThU&gDy+AF>m-i8M3w+TAb@LFIvlHiZ-idC`h(2z(i3K8~JuzMyX5D#wIPP&NnPs>NT# z9PRO7v^-rMJ}e`N;gNmL#dhXtr2kK8j?2NaX}9>W_st~{Cu8*U|Z=p%o2 zDS@Etb?&JPB^OCHByVIPoIHhP!C>#;8+;uAVhp4k`5ZfGWjhk&IT5GDcJ8Bq!4cd7 zqNo)x`~;^hpjpXOUny>ScHM$#j`u*@NoFQIq;EPBOqN8!)eKbROw(UUuGZ?MAcch; z++jhy-7speKN89OO_W2T1PHu<5Y!6nQ0-qt z_b3SWW?}qAlo}ktg_#2o!2j1TxXgq3K}7w>hp0zY@vnKtqg*O3Oq>l(n1{xEo7T9K zZ^XdwT7@ANgfC!URRN!etXLAv*=iJuH~3z8ofQrsK@v2AlaNLt5W_$e0u+uL0nA&o zB-Em!Z04>-57tyu7(^1}#Sz#92hae-81X)7z~G|BBNK`GT?8ZSK_f3DT>+gD+;QR& z!4Ei}5Fo*x46^zm%OB6BifkmPh6U0{Ay@!{B^cd8&Y4CSfi;we5)#T(poqB9l^wHW 
z5g1Kitnmigu^>od*i9$DnncIO?6i)>7mq~^C`Td22}Sq@Z%M%v{xP_S5dmJx(=1bl#G=n_F$?F5 zEhJ2u9D86H{l2n8lScQ|(jkw<8l*rHtA$W>^F2I+9~jkb98pD70YvqLMhHb8b6hev zFp`C{avTRjoUa79Op{VA^Q>MQF4L*?v7E%55||ph6@?5ag%i|RC*(jjM8UY#0VYZT z;B}oJaEJQ{Sq=oVr_tCCq@PLWG`|WchhF8?VcGm?L>WNDC%1wDzu_d#*qjtW9J=qS zELrt&u@jU56_5h(x!}E4@su7d?71R+34)F7M8eJVDe_DbhD%XkNqf-qJqUps`rdlz zl$Y@JUNXTJ82Ew z2*VIGG+YC($wALYW}jqFw505q-~sl~l7$^_&QzSWkBCZcD?tkLcO15(ZAiwq`O5^% z@o-;>BcPo6Nx;oiT!>H1RLis_9t}uT)i0i6YfmHTAlK+{pg5IFG*)PNB9F`D;u041|; z=s^_I!68H+GI9l&B?(f?vGd|EfhNGBa}tQwUL%!E-E~KPi{01Cg=SRdWV(C}CoKc{ zkoT-je4=M>?n+~aFk4KKu(lKSw5M2Os;aV3dfku>;rutsx6D7+=x%51g>Tt(8nr;A z#{{;ys$(yt>*d0l+(0|{l0*Z%0w{?0AaBNz#&dPY9Pl2U`+TTPtM*`kRkrvK}N zx)(}T@Eomt^$OR$VNZlly#yuRggl1Y&gs@xa}H0wh)L4+M#Kj^ zuw2D$;>_plY%!T}hKdh>)eHZl%>1o_1y$_o%Ia_{eL%8k5c8jlV`2QcQ~Ca8ZcKu>C9KU)emmlx3Z!++n*yj*-zP(F0&1H=G<0|^#1co1Pi zg$o%rbodZrM2QnAR%FP`9>xS4?{)Op45LSpA2*gv)={G}l^RF3bSctOfpj8Yp+eaa z)JvT^dG_@A6KGJOLx~nOdbFs?dd)s2O+|_3u6HPfS-E8nX;!UUxpwvX_5Z8Vl_j+f zc&SbkQ?P5A63HU*rul3lxr`ekX|yLtCsXqRl( z3_JB?0-8CrZ{?<0<90rjB~|H0so49BveK>QJ})o#{vCYyfzvIM)Cs(CdZQpI$(rz< z{Jl3o32;#WbXB&V!d`CE2}aVyqjAbn ztEVoya0Ii$uv*QfITF-~LE>5|jHH81Y!Jq-k15j_&qqb_!GKqO%Z;n1jE z@F*Z6Jqo;%&a%{dNx#(QSt=ww?_6)H*I!Z{flDeXNj;g?6J`_@s;aBP5E4~N?2!~ZGh7)7jx|%v0~|~) z{Q?}$2I)xKabUeij1yV$tW201{R}XVZV_hET~iAnjch6)w*L%)VKHZuPrjAq*fMNo zmf|$gdvG&0?mEzRoIa0yS;DiYbe#Wt4=ekSo;)!_FOD!{D3K=tzzXQQbD90iev2N>SL=1tq#q%+!f2J~+{4Fq(e6 zZ?zI=aju;Za29iCADUIrK|ME0UVg8sgp03XlA-}J%A6Ke#giT#_D-O1itOVT8 zKnOr&P4eOZ#W4vf7q+917TA!HEbPdU)=|O65;KClF#p32P}HEnA31*fQ1l>_s44~i z!&Aqfl7VB3eDUVEbU1$Y;DanmTp+`|D#80Nyk+0Sw)Kln{SrMAggm_93fMJ5AekCl z>@sAka;Z;u>1tUa%pt+8X~;~~1Ce+*$Qa70hDK##KpY5g8=?^4UXT(Y1W5G}?QxA> z)56q<=A%ERF|S7b8%O?X76?qRYFD3#-bk#`!YyDzb&-l7`YeGpN0dt~1n5fv_8^G( zm?C5yESZ5>4_*`ho`hFePS&PA=$@Lu7O$h)|reTric4+t|lHK4NJ^ z@&lq8@z5v)#G!O*>C%EKibMyJqbh*ICI2W;ho;+r5Mlzws9Un6lC3~MAW3a!M8>!` z91h}Ka?u|!g@-97FfSfWhy*|jhpaao!9#GGRZovL#(9FMf2Y!0JX@lG77C27BDsr1 
zw=-2MRW&)5tK?$GvKX&~LRcWhL%M`FigI8vBc>wg+EzEF(&Y-v};hYk*j>?&niex!zwmQ;+Yi%s`4{gbgO<7LxwxMfKCbe zCx_+G07~mAumQYbSb8MG^VEq#cuHb6>8z{-f}~0k*-d4I*hae?&_7SqPoKXWJmp8%%Jv-G@O+$dMkKuT~+iA~G%I211yj zh2u;h^s3`ZPW`7iafk$VE$UjlQd3Y99&j32p~l-?)lQb;!bo;uIenZ4fe{g0ynZzY&5Ij)H)WXO+aF zF^zxX3(%D*8d&v9!z`FhVHDr1NZ5F|NG?_y9~geUFUgM{Nk;SIl(_3@><_0 zau{EE%m15CHIMw}IZr3VchT%R2O;GzUwYGnhfjAued#+t-?*ahW5c%{_?wbcIH1H`iCEW+1cLr*B>AI*=Nk>wcma3 zTYoxW{{Hy0?{`0uAN|KihVDr(eeS0p{>HCw^yy!J_QxOpvA=%)`LFo6gYYpvX!PjI z{tA%!g3ACC@b?f)0UOZvqUMA8PXhDq{Sp8wc<=r&#sN1l@(OPPKhXcEPXjrS1kMC{!hkYF79g32!AW! zj!+5tu9B9}37HTAm+c9s5JsY7_(G5L5ReMDP|G|J2*2>yvV;rAFh-z;4A0Q@JP-#h zkoV$24Mz|S~2?5l>Mu#E=wMu?>Aoa)wY4 zsgD&&QS@ff7CW($P*E3C(G+*l7cFA?{0HY4Fg|Ya6FtxvX;BrE@fdsY7oSl=1n~le zu5#Rv=>MdU87DC~$|D;s(Fy^u8!wRS1Zk_;V-8C+k|9+iG)xi=jiDNI5hPzS2VoK*XOJ$YaTDRuC1r9Z z{ZS=1k{WxG49$=Tfifs1ClWbLw1yG%$c`w-FbmgCb9B-jtx*J}QYO)^DW9-Uw9x&~ z4)n5;3S-hLpRvUB1T4eS`Ob0)2@n_Uq7)^vF4S@h$t(QiGAs+rE@`kH$8sv6t}Y1i z9RH7U8}qUTWzHk{vK{A-F!j>$E^0AL(E6fdD0wCa*YPop5Hl{bFbC5yHIoF<(K9*l zDZvaI$4(H{G4Tu{5v!8Z5L53Q#7=^+5-CP8aL+aIu`TaVDR1)xmjc0V(jrmvAgv^~ zvZ6S#Wh-t7-Qw#;QnSobqYbEm8roq1$Z7){(>Z&iN#F&>uBIgp;0J_22tdTNbk1OS z!Ue>0JmaG0kU|~oV9|cUI{l>0m<9akvrfv>M1F$~p5rO{%wKp@HSv=ZtppbQ1_@vx zD7Ik=B8NA)foh6^>we>g7@*GtVjE_`31czzGLXek3UuHpo(=}B#N=C;z#155C;zO$ zBS3|}PShGmPE3ZTQ2YQ<4uIucLYfK(3C3VAioxARr3gTyP>ALps57f-NHm=>BHrsL zlt3h~3@UBNWDuoCgQYr>%_WdPBu(ZslmQNUR4wR89de+Z_}~b>1zzSYO=ykQ%80`} zq6&TmMG>lwxQ&Xq^BR%>s~kxIGJ;2oQ{7yY>0W|tYDVpH&oTZ{YL220Ldvyp;;e#Y zHpvPDg!D>Ld#L6drNO_dtiD-bcMC}wlg&d~KONa;!WPzMKfslf=5mo_p3Wa94 zBoC@!UhaVhr~wh^0Yg9Y^SUA%q)I53APN+!9!vq&j;xt%21JE%Od`M@_#g&w><4T?QprJm zzM(mM7AaLUQLU;Zx8k}=h$}7u2g<<($N`L)C_z^WCeB1o;Xzo{Mpn%WB?Lnrob|d! 
z6(K>Q%QmCQ2h(rDg0bXKCGQeeUppG8O6O=$`J=P;e_OAe;U;mx-9)O^aj%*%Q zA!0v5zn)=-D$SO3v^w`HTaS<)<1#nhk}|XICg%{#x+lVhAqVv7Z8@eoN&yGJz!{1_ zJmIKXdRfC{*d6cDv4I$>*P7X`i(QK>|&M(0(9 z;Eli-lfV<(2iC2+S0pdfEwcB|se%S;jyzmil-vpsvl8UJcvfI_biroewPf&*e8 z8Zd!wN0bznzyzv6t(dbV^7aUFHw>PaS4@gsU!r{J=u-#rrnJ%=yK*VPu`J$(C=9nH zlz<9s*2s>57(6j_My4FLHg9)mW^d&O!oUcKtIm$Vp~}RW^p_{57Z?%%cy#LrnqUEj zMA@jK9WYZkK~pHkv#|z%7|wu#u?0a#p(9*0P58Ekt&|%@lzX{1Gxp*RfB+eOfdguw zT?35po+*3jq65gNI)?yE9QY1|z*0cjheh&*Jqm)TxUZ}fLqE1uz*Uk*HFCc+#Wt-g zmPKt_qY7vkaH)a~IyjgFq7<}(duie^_7gxw7#k&XTmN6zXbU7&`G6<*AOetR+`g%X zxA_Oss2b)aR9)g5o&b)SVU87db3gTrF9(>0bW!~TZ)GtfRKY1Zv|2HjB-cV}b0H|K z!E=fBUul8}>dA`q_c%MknEPUWCn{n5rHYz?4Gd|!a)4;HmRUzRp>wH=g_wQ;+N0T& z1F&iU&Vd>PU^nyci33^edTp4wVy&E@o={-N5;+j)W}-ayVnyN^f*_GriA|9SQGEyr z{7WQqp%hGjXW;k+(iv9?kqQVZrxQ9(LB40?N0uoLoM>8{A9IZ2b zxw;8U)-yZ~+*AhR0nIbC}Yu6jSlCLWUrSAON&)JC}kG%_n( zBHW<1dM&UP{KV21CjNyT?t-$Hhio&ImH&Y|!0c#=RcZZf?Y!V*N(3Bl6jtSEH>7?L zI71{UbKLwWcPowyS;4}Wqnk#$YLc{Cww5&Kp!hi4$zg_sAf$^lQekByuU>Rx5Aeb} z4=W?_Vhp79^yU*N-|)hJ;rF#!s10WYp&E2Z=h(dGkI#Q!1!m?TU9im(dWZecWx1V`k0T;M2 zDKU`v3Dbd{d-RzaXGqa{AU!_SYx)h`Magco{2+@FWq zdwqnn^EVtg%4@dV4a?sSQPA-k<_4~FU>#!Gz1mr$oGTqDY%)E`mrp>)8*2_wFG=bUOrlE`zV3uHT*PkJx~l4EOudlyJBL7;^keA@cNj; zp5=0VubhcDEG~Z9JA`!B>PdW_azH>>D!T6;F>(ku&0+)d~`@VO{A zX|UFUULC^6dg|J5WsBpHaQ}ud?7JSyK`O9=zE%Y}+zJ0|33TiulO*0@?Nj3w{9f<{ zOi)*c9+3pyVb3(pwrM4a&z&^fHR~AIP8W!t@IBFIXmWM>N5Y1Gu zr%ciy(E#F}K!MrF5In<+-~}#PAT%2QYG42@8YE^pb!{M=E(Y((J0K8?l~(2kh8mbq zAgz$B_$b&CGGrlL*Z%^58;CQf&Ye7a`uqtrsL-K4lO;GB52-SxM14Bw$))MN4>+a7 zy!S;xhK&NZsT=??oSb2JVgNNUWI+US z@EA&`QH&LwnS?FI3U6bVJVGGkQ7I6a)Xkhb6P?FQ>C(`lJ>%?vva=t1!4!7MnZ+bW zPLdxj6sV3M;VwmXg5xIf?7=R$?wWgzwFnnlaRh3*lhg1ALb$UoK%l#7!);NqLgi=< z$r&-Z@{Bu!6JtZu?Ar@9I$E?*)ADqJB_%akMvZ)B9V~AV6DI8x*%!f0g_B}9f#Zcp zkt`H|M&p?0!2d*Kkwgf0Phy;;#| zf&7{URrf%^fuSQ}1xt9|Zi+{29s$$gvUQHQm8^;T~s?UePhez<||V#uKKO9CnGqE4x>kn-`PTQaIh5;J-#xkx^ihb3!7P!E*(mD4(U~+I zdH-D_mN8EzaQ6V4mBaeOUK9&2$h#u06Jn8{{$S~@Q5=teTt|}L 
z7_JS1M!T?dzLJ`qG+{>es8#QVPMjb=kS!7zc#j>~n?>g`aui^D{hPHcntQ;uXHRu+ zrw#_bjBRooF^uujbD(VKNe;U@&9V*?2JCqYIST*-@v<=su$(DU@`FTzYGt$w7=}i^ z>k9025{OjTZ-t*xR|qHtI>8Z17)49#_oRwRfCk{}3e7S$7}dBG20vy&${^0^R{ zOnRwu&0iRGCJc_rPFndzCCLDwm?#@@@cq|Bzkls%ZzFiUF*~zi!LI=w@`u-Z)%m4*#9?_PIQt0 zt)PR1q^OZ6ddG$f`ykY=V^XY`K?#m%)n2+nhBfB0Vq5D|L7ub(X(^!$Yl4nPY7{oG z!Awk%LtjvXSFwtv^F4uFXEIQ@JFi}8t2+?|fx5>eh)`k|XEp2PyqO+O$N~W$$VvsQ z_zElS4zCkHz%EL(sbc^}3gO!8w`fYgT#|LMEW_Uc*#kV&d}6J_dgmuxfkq}Bhp@u9 z?5dpR)?}Fvu76!dtR8ZKIZY+9_DM%IGZop>{xVo!Vr^zXFw(j-l4W#&5J=;VoR*Nz*5BY67dmtUrap3;$t3RJ1tBKr-g_ z6H)9ohP$IKW9=s&4ra7Wo=L|@H9?F+uC}t_MQO5-@eAqJjTX8{-Z8H7f%DvaAY30cd!xV>h!wXaQ}XY&o)+`hK6>X>7GlS$^YLj_0+EpUzS&CCk>ckub&R~ zup|8BdBeKdd*|-6tKH6CUAx;IRckc^z1nZDJOAQn_q=;%a3|Nh-)~3jzYD(E+m3mR z!J6r~4}S6Lbhp?a4|!h)p7E3ivLGvud56b&DMhKeq$3ad(BoP&+08uWH_ma>Grs6l z620qR59P_bu=8|R{pwM_F555O^R0)y?|&a?&jWw>#3xs+Pp$dm_rCbdZ$9on@BHX9 zpEbglzV(T(^XqFL_)+eo+-KchK0ct6%JV)cx+;?tZ`P+v&fpu47AsB&(MuKj4d8K!PQ|D!5mwQLCIv?nH^p;k0hkuWcX5L_aY-n5h*)o5CS#1~a)s!5TDXO4D2A8lZ!ZXm9fx{>h>4%*Yu~nsoLGJN z28i;thNGB>h8Sa@=!&DqPHd=(=cZ|gIRA^ZSc~{qcB^EGH28|Y=x5`1ix~HW%Lk0d z2xXw*eZz>0rRZuN5p6Q~jEa~gUWSa>2^Cl+ghtloIoH)3$ukN%m}xQ)4T+^qd-+RKIa8N&Pcd`>tU!-+ z374eUekr+TtQTCo$6iO6dU$6Vl6e%CKrL#?kBPtsMnDWg)e(xtAt(_8y&(|J@CR@p z1dBL6$wCA_aRfr}4GFLWJ|UOdWQUQG2sSg2&-jhVbqQPPAGhNK@EA1Ils;7<1V6w8 zE`S((#hEgBXQQeZIx(Fh;L1WDkMZBs|Lkeq(gD0uKP$ny$##2!=|N3lam=a}Vn< zTWHfYKk*C;AYxh)DO$>&Uc>*MZr}l>NnfLy3j;F?$P#Y}$ZERif<>r|z}lvqcX)d^ zfz@Ym%L#AAI%%gytShN_qIjY^I-<^~e8mNl)+%L6+N}x5t?!Zmb6{TTkTfjwA9X|p zNjeadKp;pp4oQ#;C!rE|Fa*akkv3roQ81y)FawdWaN1M~iwccZ@TEUBrq6(#Taacr zaVw^Ib$ZpTouLja)m=r3oSKk}>9wKb;|QXPBAv=cI{7mqy9%*-lN!*Udb%)3YDYtm z3t%CuPZJg#B%k$Zm9IpWn-K#dAvq+gB@Qa6F5y%<0k5C6AU3B%IkKU^;052hFfZ_* zG}#2Vum(B72FWw3ctHQ3mN~88Xsib~dG%*_yV!#fhl+%>iy(PrTX;YcsGO(>fNp3x z)Hbfo>VQ;&qRA?)H#x2t$hN|$i|HtBkW_WydM*(GvF%YwA7G?LTLl8KpEFUjQ%at! 
zlq&*J0|W64rg{mO>$xW@5J&JvIY0?WYDzppriIWqF1v)?7k=>suFez`-Bfyx&;%h1 zm!+TvX#)s_LXYT4P?^!Hx3#*e04_SQRH}&^&U+6gfTuIbN`Nq#e$iRA8;Qz@XL$Lq zLUN~@fSjBmv>Xxvlv`dEOH-vvs!D4y9ClZ>^;`9TuOj9_jkz#9HN0-4M2Fx&9&wPZ zcAS>lh}vqvb146|Ea`~R+P%yAh{`&EXsUB2=4jZ8ta_M&%5b(xh=aJNw<=e+$a<{< zsEHL!!Wis^iB^>`2!4u7h2_Gydhkwh@)-4H1;h|o`AVyrBzL$_3hn9_SE~vzd!68r zN?D4XE!z{JyCA8sp+C{9YlkI+nK*q?q4KBc)%*3^?nZEbn0?w5k!ik@hxxFa)C_;6+|NAry+YF!(1C&b&MDWFu zgTMJJrREzXO^`Soa-HO0$o-k7@pH)@`jD8MUJSqh{6fI;#(M|=a@Kmv&?bD*IV{BT>+M2*kVz|?0wlqa!@?l7;qM(n` zWY5gU#;BCYQ)Wt8%^j=E+S_^<%7Rks8Pw|(ni+8FtIQ(oi`YDpj|g4ydP8~3hji;U zI;+9){3sghqJ7uEpqXzVti6r5i138KFBBAxfId`G7vyYxBig{9$$u3~jTgtaftzje ztc|o>!o19cye!eX+|k;ow&>iGpyrtbdBTb7c;aWDhS#@H!GY#{KiDg7U+aEwc9(1u zVsl$)Gb=-PM}&Tikij+6MxqGnV}a9pz^#12sVuFaw#+WW%Fn9Lmnp&ie9>=ch<7H; z`po~;Z@89aTgzMx!NHn%j;EXxU5bQvliDU(jZsMjV_GqYZQ7i9d+UQu;Q_ZrVGKvt zeu#}tt+t)fl5B~YJvN0Vjnu;&%m>JhIcdW6yvXARZ)=hS5Qma42SW+}^N9l>i`t-hVqH2IkL*J_$Q!l0qu zrpfD7#6z|w%q$$q3WGw^`GrWD0FDx!z8MjJH+(?GNo$030feI)l-22VnR`>tF z{%pZyn8N#vx1pWgMd+Fn&4(>nc-rQS?kwJ{IJ?PLw=EsdnC;Qmip%SC%&~?k!z|Xi zWD-1cw|q%0;wua_O5fyCYy_>W77K_soVm0&)n7G;UXN^Onro1t%$n(z{U;X2-ulAy?}T4)pwTQ0}GAn2!6@k6#KIa z7;0aHfi3syC3>I*VYZPO*=$`V$9$ezR)S_E2`1@A)vECxM9~Ef5nO1dqk{Z9|15ya ziZ?q^q>0134X%&RNotn9Vw7H1)Zr5j*^DN7*e5;31MAon&eVn8%A<M~$n))Qjz#jbV?GK{ za^;=95-M_>?O55wK7_8jgkH5`TGfQux8avV@4`3sa@bK+=nv=McMak2UnXIq+P0HSC8lui28ekPdu?KlA zCk2uT@D5se^$8%&1$?qpjiFFJ1QA#inIUEhG2by&A_v}LU$jzIc{%@4Wr|`n)bF(7 zTMDmJ?Mjc6#4q0bRzH;v#56QC9YN|o4re(|P;yb+QIZufXXluDy~K{6x)mILn-|fpKI~r(YqHjL-YU|L{Ta$0mKfm*e-7!9 zW3}U8OyrP52?ht)liTGK2dirh35S!)6k2~q*LE1g{GDH|FH zUBMtNMNZz+OWefvncy>eK?#7oT6Z7_XfGiEaqr%?ESJc95}5x`p{Io7J~Rk`CSklU z4isL*m{H?KjvYOI1esCU$OO$wG7Di0Wk`(|zL?2KFjKt&HErI+$wx{ig$xoJgjisq z6flN{i4h1wi&8n@yo}38>YzXcdB`NK1SgWZ1=}t@YKB#i9x5NOB>l?d;x=#uo6gDf zkZP*~JQLoT_!EoLub{Sg$`(iOscVCv-uu<_kz9dz4l4M`79mT@l{Kb3nOR^x$|iAs z1|3@TXUnBcpGKWp^=j51N9IL*aw4;kAEhtZ}ED08&O_+kWrM zt@LOWh7v@AGz@~zKg8lg5P>-Y_(>3#nD`?Pa0Yk^9D%&pESrq>5`(kNwt-|c5l1Ak 
z#AGs~2_@P}Q)j1Mba^qxJQPC4#AGh;>7F4V({C*XkfKTop)TSe3I^|Sij^6WtWG*u zxGJg(Wb_#18dx?GgTF@D%O;Qk%t-@5GPdbX$nn@x=$eF-NXpA=9FP)38|S36PCMyD zaYfcX5RbJ2+f%R;1P3~^zH-iZt2P?xbH%F*i!-jaVTiy2!kQlJ3Y??n5G1Ce)9GL_ShQw{HVa!mhCn~_S)?82=6!%h?T|)xHDNh zNm7PJWuJvMT4|@Hwpwei{S3v;^5l)96uEV_q}7PnQa=bhoNGidU&Zx}Dl5`JA zF63xcpbZ6Xv*#o#9060s648HrVDU`kT)A>6av5An#Jo2j289H zhKBR#m=3JDOY$t(s`!iwzWfVwRxB3YA;ZEEH;8r%wYA6$XYgHXil>>B z4Zt+R3KDx}QNFKn=P)*5PXHwMtM+YUY;z0YEI!bRhKb=`Ei~LftYE!mxCH`>iXZiK z(UEdoBz`rbT@Z!XoR$qyM9cFb!Vdp*k0=0!3uYjU7=Uz-xFm!fNd%t=u?QUlDQ|n^ z)4~`iKteEOfflK_#>a^EsQu8vVD&j;8V7M6b7|gNw39iQFfwl$5htvHq$z81 znoq70BPN;-X)tLSPpYy`yAcg8Mbyc#gbReaq|=2&=owzhGC$au-Yk{5$qCxhMqucI z{M2R>VIY%4mMFs?Tk)*3N$ZuPxkxLWIZhiPpk>QMXFAonPLLFDnw99LI4PLQWI0lv zHA;M6PF}~X-s4K&t|sNrZ>f@O{aNM3S#7X%&Y0` zWI9x$I`muJx@S(6x>Tl`l13+OYE-2<)qd8Js#nEoRzqXekx=3`x8Z3}QL0t4mi4MC zL8?B@x>mO06s@T&YFy=-PO)}tu6M;NK}`zOo@SD($zZ1iONp(#7M3NL`DwMb=BsEiz3HJQwxljr?lS44Jf>kYKuZemMB>mvbFI)Z*@(-Mr^^svX$8@1O;NZw zy=#&p)v?WDr^A+qp8!sg*By3ooR7Wizl+1lTx zD7e(hZE|Ndv?`((GtWKk7=yc_8g_TQ*C{-C*BhNQ4sN;iJz3jL6mMT;vw!zJ@X12E zw**J{KH+R-dpBIKXLfkRbr@bSm0WcIsyzEHItEc54}&?QgGLF?)_qFWn>* zDA33=eC&~E;LZ&pa(ZRkoSCeA^;Tu~dUMdec(P{{?vGa%%brY3##bKfl6QQGLa`PV z+~ahnD0+-Gk<8hc_EM?--rf^7uZ-wjAb{xH0Df_a9`Z8MU&_Fxh_Q=a6gUJpBYNnI zWfE=QJgp;7B|MFO9+-<2^3Pw^n=Q|H{rVHR(_j2OA(@(IpdcE^;6SQV@DXQRBm&J? 
z!bkrkArQRZ;~VPmjWb}P=!?W4P2nZI34j2P7gXaS<-dm?5CV|01&tU1iDN!=3p?ZL zFM-28>gy?+gT4uDG0pO}2b4Na0;*B0w}isLsr#ra#6siI!n0$#BPxNzP(6Y80h2&M*>enm@CF)4J@zYs&Qk~(Ob8id zJ&<@bh-!iVNC9$iLlUS44(P#wpn$okaYG0f@oVX@N#~h97vH34o1A+`3G(HvURE&nvvIY5>k+xZqjEQPiai%*T?e z!t3itm8&buK*WXEn=+IKMfAV`#h|P{ z=M&1J%)-?8zK0ycA25LnLBw3}v1TX*6u^LG_`gWpyn&#`jQD|$D8o4XN*W0THq1(l zDMxY4h!ki__Om)GMf}%($R3%DntIy%fqX%sMNBsCs~rg~+{ad66+} zpgyrc;OiPIA|ep*1O{9P_W6l&NIlD>Khx@(#pDEH$V>#JxRv&Oqmz7jFL3S5YhlD7$ZI0}}tVGBDGFB7l&)&Mv{-#a|T>cMje5GrdR`lLAxj%PgYH{_Eb-6%}Jg7C$BQRxs16{ zg}hd5jTUK}WF#dsAU!3zz3D)Okt?AiNw@rD67}#;@e+oaD5GMirfL;PUD8%&o5IyB zMR5f>a7_tsrAPQA*MQ|TSCu6(siAztFSulvQlBS)ny#(7lg@=M2+pqJyqnu7F zys3^m+n}3M%ShT|fGC;G+H3o-xIHMCr6tT5sM0t%uuVYyx?3p|&AQrC5j-iIam{kiDCHTU10oxwV2JksBY>gr_x|Pvu&^?NB03C(4}@JIKAy=z#sBicpeB z)ZL|k%-PN=Tn`(%k;OKn3oDCtBn3){GlT;oV2)o}95fA%jHt@tg;i(CgKgSVdDYO( z(!k1?kdPQ$=OCEjS%r&8B$Um~zg5nt zE$y(P7f_sgI7ucNg&SNbd8kZNRX}(h$J9~^;rlQAcrFP9`@}cQP`1W ztkowr6H0~1?-(&|Ku0Ww0&*Z17rkNyLxTPVRi?dMatl>dB?$vFS=;CZsl~U}$OcxB zv~>lE306!ilGQRDls5>+OUd6~71M;+L2v)42Feq!7)sKNV&VX@xHG7aQZXYF=^tP@ zOph6u3`*N)RFu#`qpT@q#Bdl|n3x18jLl7j7s8%msmts=y3-hv!My;>&W8IyHok|VI*w1v%fC%$d%5c&CE#GD2QubKnR1nW97SkaF4uP2D$_=L#vQ{~^ zyOMgOS$3a~Aplp1l`ygfz@d;&*;Ex?q5w&;WdIW|Q?;dO!zZy~Ee&Jsjws%cO&*6L2+&T*fq?FV7DR&> zAZjhBN&(Jfp9}#*n?g*g1i+z%#;Gt08;pwBjaV`16dMo3UMNgR9W+QClj(}OX%p~> zFN0M@)POZQ)9lh91X2soT)5y_9s~n{%CxmE92DxZC{}1@AbX9oKv)IhEedWpKlCWn z7kxm61&CW%l$?!2HD1?@XOqb@R5_~q@c(`pWXOHf2uZnfIV-~c}`i9Uz|67t|Ih$x7O;A}I| z#M{jkx2?%DPwRaL%Ov5|69!x+8eMjAvwC16$E{i_+Xx48n>7ujIlawjX-SE4#-iS* z4s&ipzM>8ZNWhsJr-WN*09~NHOMnh6fbudow|`P_JD=+KOsx2BanWoIF(VWzrz;89 zbA98fEjJ1!*H0^IkvjiBbgBZP8i~$G-*X54a|aGi$Bam@crrr2x0eESDib_Fw+uh1 zZ|#H&ogVf3oYOnC^h5J)={x7>n;|;Vi%K|;6$}YH$n()S1xTkRb=U(xTyzmZ#S zK_&LhbohixRL%dCd1Mgqne6Rzzj!i3>8wsRB>f$FVS=ETTU4fuSTTw@K(+fwvO`fp zDH3S-T8pROGj4X#C+dY&`-}f9RELm{XgV@O+GHNThxB9D8SWbR`HL_BZ83C%9%CfK zit3>Mt*CAhK(^3>UJ-IIc0;<+h#ZQ-U}in?db>SVOfZ52;z~_`rsf?42fYX*AQB?u 
zkp~GGA|4NEC1%-?qQeP;(N~_t<`Rt|g3GF}8E!d)S%A1Fa3C3Y zmo71B0EQARQ3FF2^fK^XASkW2J^X}60iJPQBAF93V1OP$smM&ED3I1bj}tFONtx26 zKn1ACj4FeXAcAW$e*z6EbSTlHL762(nqa9?qfVbfjVg62)v8vnV$Djm9#dsr5q#~M zRDxKg&Blg6I&rB$rc*PFj5`u2S-E!Q?wlxv6~tj_1ftn11|FDMfG-ss3u;RoDj*`- z`O@)ZfeRg5-t2X)0RfMmzTDd5XeQ5^E#qCwW{C3UE`Sejdlb86mt1)U(rLL;Af|#H z1cCql4Z5v_H?OrKM_$$}@w?8SLysO zxx-}Q)U5ZWk{B?@ACkUjFGR`H2h89h6HZplvDabZ#W#>Gyn!Q-L=?#ZOM5Aa(Hn#C z&^8Vlt~9gTJ@hps(>MZ=qfSJR11*OZj6O2g zoL4y-m0~lYL{UsAh4}S>KnWG(o-AOL@l!2SLYdw@D1t)@V606!NQJ=}Qqll5rIwk4 zXqa}KE?+o6gc&m3u>c&SeFy;@WgLK8B=Y1})0JW{;RrUgeIN#d*$~<2SVHpnouvPh zQd+5{mtvafr9y^x)ddG2A?Jwq5Wpfr+1NBul{~Vl>KPwMky0LfLI8}a=18$oCTIMF zb&v&o5Viu!M0nmu7%%h5k)0Kk3Ka@WHN2F%2v1Il3T91 z=MH5TkUg&Zqr2~->l7~uT;PdN!yM(n1eOdYN;$h6NmpC?4)9K=;CiT^j_HV3uuLHQ zbQUq9FbWh)L1EjRz6skKZ;S6rtd_?klU%aNTlL6dHUwwKFv44|1Of#GAGxu9Be`s4 z!^`+vbB8ZYK(Ea}$1HKA5KBdKFK5a8v%);S164YlAX8V=CugN}SCMMkwb%b&gB`Zm zlyV)iSe&w(c05~SE#opKXKYl(ZPUGs+Go<8x88eqn^xMDlIt|zgA-m9S1%@o^?2ZQ zHMZlALvE>#h~M2Vi(9zpqmxe5qc^i%y6UTwu1s^Uk1PyNu?c?E zNP7sB1naviE-qM=x0`v&yc1vi$)MwHyzdl z=t8d*kc2XvAzcpkw-@3thdN|j2zKTjG=0JWPNK^A;=+NSFk%_c7?nJ(fQ#EDK|`9r z%|MFa0vckGQy#oo0aIwduVgWdBvj!J%V@?kY7Kd4Tq7G_=&r0}fkSC*%u@jMkX9V= z9+Mcz0VbiuQOOD%atQ?ywkSp{CU0_HR3lnA)y79ca)F0iVI(VQNzF0xlA7FP*IvfO zr%fdg_LvFP*b@~a&}4hZF%A{if33^^!p_- ziz%J`T<(y{lwKoI$ek2%0&0{Pr6Z$r0bY4%h`L$RC#vQ!K@I=lL0jU&AgH;_{C$y( z>a5*4+qt`S8Z(~8jL|3EX;0S8g?_}DN-BUBmvrpHU-uc;ZSFb3VDfS~x`d}!e8SR9i7@HYSF<3$(h>u&FyN@uuR}=3+8&oLrbcz%n6U7lr$+zZOK1KT{Na`gOM&< zYEw;~uwB;?XG)w=h*rros8R9eB30VIn3saZKydpMh;et_iQk0UZA>(~;W6>!NRuy*uYbgISduUnvia5f8mW2pPENQd0 zR0ozewMqLHDCwCrD}A7wSTzc3Ef%z}Vs5ldH61X5_Dx>wb4xFpz`%+-k;(!CG!pP_ zFN)?{oZU7kfF!PPkDEoYGH|b*4J~&AI9j8rHoQYyl7{Gv61S6mrYthwO zywJ~fH^~2shZe0;P(XgcJX^satnBdL65VPGkrn^gI8Ol}aQG!!q`HKAB;Xp_P+%bs z+r)(ul#y#N3n3D=O^M&cRV)yrHE4Q;95!(VD|ZBE4=FKMzm%9>{usMnT&Rx=ol-qx zO%Mb78Fd?2G$d7kXT+$bJf0ziFNlF1{#pZ2N+A@j-3z!WxkbSe!C*d<_D3)^w4oV# z9SBm15DcNTbq>%96H$O0xf&H3q}b02m*adul`lz>)uk&hBQ;FI24XA$4l@OSK2z3D 
z8~_Q4ZE8~?6dFgCzFgrFm0=a2DOmYVedqih>c4#YgR}c{kCX5O&`&dATD6-(Ru|f` zJ0jViRDtRb(MbqG0D_lDg{NmFfqnJe_KE*>n>zz_nh68X9Z?Eu$JD0rhC<$W`2KFv|ZZh{wq2iMVaQo%W^;lB? zR<0$Aus0;Gf;KX38EAXEn&VO*+t5LYy7i*!Ra%Kb1X^{9MyI3(+5Ca7IS~gSATtIs zaRW+V*3oHSXgb}B zZyy`hvQqm`B`V=2Pxwo}Psszt|ts6XzSfFNC_3#P7qT6b0E+7 zff^uwk79ix65fcw5|849Tkxi?-w1E*4e$Q1?R)C{nh~wvU+;U9^>>87J?@)XVK zKLwZuT$%=`)p#uz5 zNs@qy0y<4DxJsG)pw%hdyA8p>xq=%Q!bqr{33io;{1=bd7>i}!)$w2dQO+2WA?>M{ z3YlSxp%w~R74X4f9L8aXp^X2*+}~2ni`~o^N@*6@sZ~bNmN22wO@*n zVk}CdbBI+l!j<2E6^+#2G@ez{iHz=9qh8@38WP#ly-`+xfE>c%%s_?Br2(-~<16&x zHr|ev$m5P3Ak@$!H_D>#+@d}4W7pImGd7g}P(tLr+sQr58Jqz-+y&(+Ryc+lAWGy~ z5hU{Pj|}o+MpD&!k=Xx7c0p(CqjTIrAsx+n6pSYrpUb=h(jY)OKFoQ&WPX(cI~A10 z{9+qs7dXDw$2i9pT3sE5VNl{muT@+zo|Ir+2bvH-Q(hPWT7ecwrGQNvQE<>b{D3(* zL=VmcQn*0`(4`L^$ImnYUfqK=cw<{a$12v=?%{~encyhY)EL zAV?(x14P;?!EOpgBODe`aDm|2!*8gA5u}SW$r2y*<+DZMg`5H$ zjN0T70unW+bs!>Rz33v2<3PewRSna0#*8e$VF?b!0w7vTY>&wOL}QK^DF7y>aVC24 z#uey7e&s-rLGszhmKcK4X=o)51p&@V z2vi%U9l`&A5(Lr3$85#Huc&58DBv})8Jbuq#=Xoc+9k$hfLR(2l>PuM{ZobV<~>xy z9`xmXq+11^56*-j29~BZE@OsPq*HBVFKXPYWkD(+s9!<_kS3cS=z#(*!9bl@BzRa+Tu%qY%ui5h==taxe&ab>g+@xnFR+~4MH59hTf<#UlvM_QVS=ns zK^|1-X80U6RVp}eOXs~?Y)p#=T^nFj8yn6~r(mO0kV4xT1+zFsG?d*0tRyXE&spTr z2}bHSd?@1b+T4_CTvVa=eh(|@F?YW^hNOPC`ob4QwUrZ zL|Xq72%LPaK@mhDDlma!O5u47fl&BC=xr=&sluZ=CM2eyq-cdGcqtbUVadr#%wU)U zRtq;No0}ONX3W8eF_=hwpGg$m+9ivZre?IICAt!Q#%zHJK%que&t-%6)OQtTM~!i}k;HYtxf2-2sLW6YM8E{td4;$Z)B zwCiqSp6PL!3w{j%%5Dio-HfUrBh@ZXF_&y!@D&qC382VM!xED~u%~{Kl`UeG*?GBI-^@ zNDyuS8xP?b@C_QPR1^f@)sC&G9+5(D={QdZOBB4+ZQ2N~c4V)xhAroSFv^_H#7=Pa zT1{0r>RAF`XEN{$;}pcMusaoNBZ_dSmT+~rt~zMKk$9p7_ZKV}>Q4fNV;LDp$!*o$ zFb=z))gTTFFDL5QXC8X0k!6*pv@2j#fX_|ECQ9ftQgIclR0B<~5Z7<_;DY}bk5jEc zo?lwqPMAX)j6=YfTdr+ErkU};yb1yot(#EETDa~{Ojm3&YC)#4;YE}Md*fDRqugv$ z#dOoJJyw3q7o6Y?B{##++$3fitUSB{F^-dneC8uG1AmQ*`g$jp0;AnNGRMiUKVC69 zCIU%)@i9dToH&T~e2`Fdf!X<;9yRfvRa>>v7qrP^r9uCAstBrJKsyh@ zF3@Rd8iK00jDX$Aags`R=9|K1GY>!P$GLH!0tLLL3or`^HeAV*wdo@`@Sc=gQI14_ z?HRu)fLw5OhHclkKA6i%s!$s6xpKNnE_eVp!QM#MXo{ 
zTQ-?lS!2N7Z5v1c=_yO`=YB3PSjdH>snM>&JMun#1L2Rd3w<&ZYMW*C|}= z1puHWY!k@>LX)hh+qo^U9RN*Kn4;Z7UKcS3H(&rPNS|r6wt>^!5km(sKy3&S?)o14 z-OWqGG<4cfF8$xAk}lGLWJp55@OgD>(a9edSZi+QoD5WAxAOlLE=E^UTeMvhLlVbv zXFwiDiO?0t7OVz(@&VG~-k@%^V1pKr$T1KW;BMDtQLGPF(J_W0q#x@vX(nxMC%3tl zG_o+&(r&PU60P}Aw=(1bh9SVRICV&?s3A_ZYri(^jxY&pwN)TZ#B|PnX()0^jy2OV zcX#(nb&hCE#TtQOU=g?&!EJXQLrnW({^`$Lb~uLzHid&$7nzKTyHSXaOh7xHl}s9k zxI_C&4JAXkbZGJh$L8TsZYt`ZmKN-Zhtc91ISu`j2q(Fc%O>4Cfgdmpam0;D+$Zc9 zSJ9*-PHMS8sh$q{^-I(yX1U!G?uTYl`7uD&miKksl&k+XLmdJ`U6UUSGa}4daMsQRSPkNkQlCqbX6Rr81Hr{ z#K+7D=GQ&LwopN#Wa!9c_Q0TR0$RgBZG)lPE5cYB!6Kx${z;tz+~WWRUvGk zKukgOH346)$hIW{g$)F)9$%nL-<&~MMo0ECU9bNS!~34Q4mYcNQaSI(S2#>{JdH?m z9m&AT>IXzV4O@T671)D1xWEUl1sfdvMD)o@d)PgiV9gvsF0g!l(RC3tYq1X|aMB47 zlsbu6#KZK05_q9-zZuQ7(~`%z?de+(i@aG`@q}(X{%qveyZaYeFjUw(F+)N!cx((P zdn#u(EOY=8z=|k1!JiPpn+pg@00kS!^0pr?>TnbZYG`qDL+$`Vu7X0##@EZ5n7w*p zRO2~c!Dau7ee{SpT5NqcqGIK@kJWp=U8sll4h1>j_!ecP*5hFqG&1OOa~4}&>ak1e zva~QZExAJnb5{K=*AM5TldIES=9^U{^FIIdq&t5`#VVAN=`GD^d`-r(&O@`ZGS<3{ zVl^nTG3En*QVmZR5C1#iU-vIhZuQ7IbVK=@KRW1PP%JHDGqehNRq?;&35g;2GtcL{ z7X1sbyk|c|5eGn^6Q~Uu!3PHsKF|j5UPFfutu!RnYJjB)LGpVAE4 zlxkJ0SFvWTI^d^IuUx@~6+4z}S+i%+rd7L^ZCkf*;l`Camo8X%s0JELxHsX#kXX%`A3vWzU~MhZa2=^i0e@wWe0Rnsw`? 
zGEX;_O`3LX+qZGg?Ut8sZ{OWW&Ps4m=zusTb0=56Jh#-Iu|t^77+rej>ddic*S`HR z^wZqIhZi3{S#jy((Wh50d0l&gdVR;|tL<;CO84Y-$y*g4X~s2&=78m>bVf>L zz=cyk8B9L z2Qf63{Ochf8B)?d3Wh1C!G{0FA#xc@(&+LYLzI+=O9FdjfJ-?7w1`cIhHy|R=ti7P zvqG)wO3+0aZPd}DGJ90gNhz&#fS8fJiwWCj5q$Mr^-1$D2K=o@*u+@Gg7?+91wQBqaiG0X{d>vuF2$~4*q0w8%RJ| zHrR%?v9^pkBG4lXdn($3$6!A&*CT7Xy{C(2T|Mj#2;gu8*Lt@RB#*F zt=6MBAn}Nh0AkwXhyeej;Dj-e3Mq^Xdpd~3SuB_kL?XtLX?YMV8(M{oE4Or`6$OX2 zry(kbWj32I*&NboT9$ouW0DfB8{rEb&Rg%%zOpLe zy#ePGsMzK%-0(&{23hgmx|z!~u1=cqUx_Gz1EN*}4rA(c^BiM>N=8Afusmj524-cO z=3*2sE^66bR?dbQ6-r#U2IxY3gtOhS9YRK1djmP85?%lGx=J&c@nRDu*z`h4**npr z_bC+z@#`04R&n$i8|gk3OQ&YKy)Y_ zfKt&VS+r~u<7mb<>?1;T=!Pmk(rqiNEJ#s?B-k7)#Cq0Wb?{k+eRr!nCDz$iXR z>Md~?ykO%dS(hPkiz0L(VFBWjwfl*vjDKV!{O$+GQm&GfsbQpf`nN~=rBasN3uG;M zf=W2{(UkvQDIdAq*t=b3Du6mk`opIS*Jrc!trPI$35rNi{~D6shJA- zb219rO zNRC#NrKfCZKm$6>cxIHQ<7AOTU4%)A?$ksfl_TNm7*C!K6-5G#&>~;@(Rrp+j7-fQ zMU$E+pGNg>2%suGlL?!d7P6*YEn`D*Dj#?dm8=>9=_nnjK(DTqt*Vr19ItvtfI8KV z{B-}MPw~3G^63w%MvZG@`U+Ep!LqD{&CN~2$~eO=Ha&O@Y=jsaS@fv%oq;5tVDH*d zx*qbJDSc)itJ+ivpj5A#(&uB_r%di;m5&MY>t8YZMajRt7gF_zE_Dt3o^UFyQOnRc}O+-l8LzsOG85Qxah@nT}wMl zk>pa5cf>S4JzCG=sI?^d>oXyX3+qn5Io0)4>Zaf7Wl9V1f3}8AU?I2b4BOhjj~=$E zjO}Y>FFV;+W_D`f=oXtfA|yCU$t{F21Q4behu`2vmxNXvV@WS0p5T_PK=S{M!o1;% zRm=h=0@XAbSOa@#pz&fGeZh4^n%|OcV3egQ>`|O zFog?5;2}6jHwT;{1R*S|#SGX85ny4QhdhG>EN3y32(j@XA=aS_>-W_?x$rJexRwHQU7uR&ZKqVi!`v29FrkxWF-Imez>$?WfzJ$L!#CIfgmOIN zBWQ|lLs*VAJV(JC-u{8%QM2+6OkpQ}dX|}#Fsz4I0|~fbaTTnl=eGZ&gX%`c`su~I zb=BuLsevUpq1;Pp!j6{p)xG6bH9KDi3v#<_H@i+{)$~QM8weKnOlvz#%o5#WU3HD!MPe$JMHAg5!~I43by) z^+!u)pUvOjTWtSI~t4h?L)@707t&7Lm7Y)iZ}C>|bg z2OTAkmTby?@TIoQ_pU3~{0X&Q56hwo?36IRsEG%ma6$gZ(pLWh26<)OphO+aM&pu1 z>XzXKaqt1?&;H1e*R)Ou`)>&o5ZaP32!U|o43MAJ5Wm_m*rMvXK~sp=^Fl1?{l+Vq)$BLl?BthN8n@3}_d6Od~Rlm%M~6 zli?i-j~CViM`GxT0FXd$zucfp0wWjuj>{^Ki@r%0xKcE_aWAyN76%d`(BUH;lPH$b z;=UCG=gqXh3OZ@b=0u0MVGPIx6Ch%30s!xZb94^PNl0f7N~kJkQdH;<9ptk%AM-w) zq9}P1Q9MpIQLn!6Ge8rhy;OqSP_is=CG<+72-IaxMzSM}2phQJa8 
zenxpB!iV_8Z|HMz#;{0lk`V=TN$+UVc2D4#G)fQuutfaxKg%xD_U;}@CofH?5`J`P zCR9D6?jFuYvrwg0w#X1nXFc6ThgRrystC~9BvGwR5Oroo3vE~5zz%BFUA#0K zkf0pwgoTu36Gj3LM$lWLrHf2*0VW4aA7KMEpJ6)<8O$!aKk7B*OGsJytCq z6I25ZY#me7pcZfIF&X(bAZeB{+hQgYlT?l3K3GB?uJs6J#Lf(MAKNrm8}~O0;4;-z z5!^sl<)vtVhUKo|2-3_2f?z)gZ%hdPU|fE|a;k?+nZR}w_igcTxR_BiyEe&0s&@Hp zpxEwjSt)Q2!e-UtQ-qfh6U8lLD992Q1()D3njmIgm2DfM3Tgoka^^|sj(XdV4*Y;k zoL~yt<;ONp#*W1yzQG){CRc*(Hto|7%)tdZ;Q*Y)RipAaoRR-#kEzy?ckS_ja2L|j zN`KiaQ$GfHhfknnRsw_c(pVw_$^>gV00zc|1N@*|?f?jk!vl^lT~!oesX!TCpazJ* z1sb9G$k!tP!68h55ui1CV}SCYrFl@`2mr+%<_;5>B?s)SMo~abldO??wl+x(fa|xa zw8Cvmq7ZpZh$p6>UQ>x9NFW#g2f+r+y@;t_$x>!i0(>2!7?6NlPoVXP2MWbr4WfW{Ofg+S4S!=#t!7P; zqY&Y!bZQ|Kd7b4Ume0@p1Yuv3T;8CCow-pS(M%h;Qy#f&IRpV)Vhir=fTvJMQ#6KF zhSu1@0ws4hOY+ZNau0C-fOQx{hBAQ@HmUHuph2_c9wN2RXqY+c*?+HA4Zr!Bp-mbI zhIh)dA))~uOd$O>f}%Y_2Am;1F_vx+d7LZbN*|hIkhVn#IP3a2aSgRdK%o;(n!Vmp zzZ!0)A-dFB!WlfT1*)MzdS;7(Ko2gu1y1-aE20ECBKw#`1`*aJaXOr^)~ceKV&ZRX zL&luDM3J)H4r+PP zB@n;`oUWsXng%fc8t_QlIIN)sf*=$0x&rPXukR?M1t<{=0kAb#vs2=-QV_Qt<&jtV zoKs5&i$Ym3vtF{3w>Rd8;jX2T+q>cml2k(Z3b_%u*CXic4&-`S;vfb7fK8r31STO` z??L&-0sGR&sM*K12OBh)xqH@ovda0%?6)OalA{?UXvDj@ts2UXt-}aZzY&quoVFxL zSUP)|IL%iX1g-p_5(WN|L7t%qxZw!wp)0KqX?P95Um}l2`n|a$rIU0t2#YD|1waz& zEKI>)MS8%=X&UR*EJOipA>^^PEY>s}5djo3`?|wDe4;Sy##sZg7e}j0!(EqRMkt|> zU7RresJ@N=2%%UFU7zVex$7O6p~YAhU0-%hHkQe;(#>{aF&IS4wJRnRc+44+#n%gn z=?bmj5y+i8xI@)(b{x)=J8kWJHGFrmi#%xQyWC!)MykbE@~$L@#f1{}JyVqrkboR) zSSU*Hd2mc-JQ;c=V(20_jT(K0wYvaz$Dq&VxHt3~aKw4`XsD*Np+}RQOC!(0xv~tn zDQdyhHHH*veJc|CcZpZN3wuGHAPQ7w7c}6^JhTC%l?2TMQHyQ?lE(Asxp|c61XuCh z1c8Kg!BZMap6Yf#vx$Ah~))G7>kcM(zyJbDK45bLV>AyyvHYt)n(qWbUT*>yXKjr zQk9n1NzCdj<4VAUX`~iGx6KQ1p@RTLS{Fcf9N|bJo{;wBjf559e+FR#Az0jobOcF; z6kbS$wM*cjSc↱`c!oo$BfQ*{yJ5?8uYK?zV`hb4ge-g5Img5>EvDY{sfieBf5 ziXJEt@V8?zf4k2)+)>h@7ze;*AwDMTQe)9Xz|Esqjv-fPEPZ+fC2@0MIcmzU(j5r@ z$?}Ck@-?5hi^0Sz)=QFn<3>!G_bJ~=j`<+;qZ@(|Ed3sM`jCHGsB@wHD1bBmp77sd zjrN|V_IUV--&1aq$bJ6!aeNt1)1@Dx5Cx`ZM#Ij8xiqZVvuM-*s$I*r ztC;b@=>^Riwd>cgV^i(s)oZ-XIXm)|&AYen-@r|N-c7u?@ysdA 
zJdDPLpt^^V9Nvpj_=PhCI%R39fV;c*@0X1SA5Xr#dC`39fnU$Qz5Dm~bTd^w{Jj19 z`18w8Pd2^;@c<@Z6e|Y(Fpfk}5QN79>ZIX?5PsML(SZaB6vbx;xM0mK@O9|nhczKJ zSAF`GXyS>yjR@k3EVk$(U1dGA7m762Xd_j3%_kR$PW71Mj83^Ia76Wl1)j&~y)^fw{6*I_}6Q zqbEc0;tQdqzSU?lrKYMXdrkt%XMkdYw(6|3y7elmwdSg;QL!Q!52Guk14b7H;SoR= ztsq&FFbX81~Dv#YLkg{bJc=%UA8US7g_*SPS; z+tWtF9h&aF_y%j|P=ooWn>hi1^Ai=@rc&WU9H1~oGi-P;BOK)a7&HYzM}U9?1aTx0 z0}vGBPy`V|+|sYSyRrr-$tb7n@0jkkobSspyVMji9Hr@F%sA%^Y@lsP@EK9L*u+7k zi=|=&htowopbL;I#+FDJF$pEjYM1DL(iT&!?`lcGudnP+3Cu-GumvE z8KjrNVo^Xkeo~?-QL4lkN5_6h^vn<0Ie|+bHj%?b)KZttBjSv+NzF7nQFG4EW7Ai; z%K)~mx!b>wpk! z)0ZeGrsP?$Mm7_hQO4nbPn4q)6*1rMxHB(~=wdZZQxn|qa*Qa|Oc(Ir86O& zaOx7}a{wMVXp!^n}Gd^6GAXS(-ZkjVCh&0qdWO#Pouq%Zs@qvZB^b8bPP+gU}6gd3z9^4QF7&`mYCj{bAU&yUQP^;W5 zm~~rOD(7QA=S`njfF8KKry0j<$(wEWyf4IyV%N(P$cE<*WcUehAqhL&8W)@NR4Hg zIt{%}CX#Z}l&-XPQ4-LNV)+tZ(86a^63{&3L>N!J6m}c*S_O3Vi5x9RgRIaASs%*` zwB-Vx;js-Zta&0@Fg0?^mytyOEEx_MGRP_j;nhy0mJkee&aE+#3A*ySG8v$s7-k__ zrn*kgc=8^*hO9_lnuV|>JuDK9ndut4bBOIer%BNQT{56Sp`vL}G1?0f(-rn4xQZ^$0+H>r?AMSRlew6rxR7nnJbaT$y9j*~us^i{^!+bc}- zrdigw^ta4`g97j@X zyyh2Zbh}s_lQrk&LYX-Bqu@wx2H^kzSDS({2QLY@2*nkkfC5SA!3aoLfHG|Nki#T( zl}AXbAW(5QgABoS$R_h%=0H^>MC2aNr~(mUmyH8N!X_Bti1i`g@$03xTzaQ`(<7ZC z=-|(2$Iq}NzhV(Zh67dct*Z|5#Fya$M%kY6tV?9R~dYT4)NMRPB)?a6VKl;;c?3W4t zM}Zt6G4WJ*;==|7Q4KahI5;s1IgkxeP%z|Hd3cmTSn25~Ig5h(8v6+Jk^Ar4$O6iZsU(qQC@Vz(E;f2r@+kx6l!S z_YjjH59pIR1c5)|qXbBxFm;Rre}S(m>qOf6Vd^R!(bD^=Z*if8kjIe zNu+4eXn8>qPGezA;)E**d5WFkbRjW5Ji!>(q*nvr1xh181DSmq(1+s)5fP#XASel? 
zP!rE55moSC?$e7$c@IO=V*8VnIoM1t2|JEh6Hx>awb(Ya7$RB83z4Zd2FZ0R={3g?BbOixEqI1vH+EFCc)0&7uFNzszt-uyq1ySPjj-%Lleex5fFry{02Mpp99Xel>F0#`McL0#T*o#r8i`^1!59X2SunDTgp6*x< zYS&P@fK-P%kp}TP7>Y7)6J$ZLm~7Dn%r+F}6A~PUnNP8tdD4d1vuSn8MKOd!LIDBL zaT8X+6LT;x<**rBB@0ub2TB$!gus}kVs73!6yIfltno)M8Z40(}`ty;xtIn0gq61;rPs#OMmM7I=Qa09VkhRhk{vG(g@H7F)oqHZcaYT2Vbn z4k0j2bAtwObpckVP#*?Y`6ZM_B@fY6qpYA+Xhl|&qAAlP3u~}2_VrmDRaB_>DVQQG zyh=aRR9sWUcxXmkF1RfplmR(MP!}6+rCE|ix<|HprV^0_H-TrYqc+9$bC@Drw$=&; z<2r>mDLF_fD)+@MO9`vRaWP9j1ao%hdMRB7p>0ToTILIE1yMwM zDOLLruUe%s8;O)Mk|IT)KoN0Nq@>tM6pkBko~uRJPT~)iY+xT2yf7<>}f#n!jk)OWhs{_ zM4F+Wac6K~4GUscR~5MpKx-agRz5g8w8oZ|&;_~60Ed7+v&CC-mU_B(udU??*FXu+ zt5$X+XO-$Y(d(^#;0A{%h=C9fv&D}Rkx*%630mN(E(QjDCe3=u4ApAc&H>l+U%l z$@@gqm1oWSz>vVd1=C;+b}_}}Y|rumSn#?A%v_(~wSln>b2YsGPm~GYv8O#jQl&~` zY-AQzx)|8XvPxM4IN?u2)s9tw2Mg0M#aM?~XR?lq0ZU*DO{T43Py~SJf)tVsXO)Uh zpa4#A1ZNPp!$oHyLU)tpOjQtohgPj9VJynT5govx*T7m+^@`4RAwgRPbg37|tH%cW zWmr5{z@-2L7QOy85#1|V4e+3|6TZMOEF;X8P>jW$=tzg$i;tkkl*0*8tZHZ)$iorE z+(xr%{Jz~ZCT_tA4`s=}AQ6)ATF!A+s3vUe5OcF;wD<{Oq4o!KReeF@tyUshblDs{ z{J;P3|;_eES7^V46$_fVyZYo)0}Gmvz5G7*0!ib6k{|q^BG9H zDHeb0v&gkDzrYTAU<3h!0MkbYWN?x9Pz1e9S4wyY2=D@h;0*vN5kyc9IRFd$a|;?! 
z2u4!~YXElA@-*fku9r{`C3pbBMncx$xV;AvU;vQj@Bv4Vj>8(pvt!2msxoC5C83fV zJv_!3GkoC6EvlS44PXWtE7Q^JG-=ywy;X?{G6uc?TUmzASLIa{@CKTIEU$!RIGSgV z5z3@(g=oQlLpS<&oBJ#7jdR>iU0 zvsA5f7jR{BeSIoCDk1r-Cb|RT`6HgBe8@>tV-OVHOkb~s3F?!3RJRFNPyiI8V&M8Q zh2WDoAwaCa2L32pA2VS6r^K#Ht{-Qz73*Z+>Y2(Hrle=H@R4L^P_Uu~3Xm{VsiTaG z+`xvsd#IgXv;YSO4Yz^Dw!RPtji{wpD z;sBifS+@qT2>(XT+Ifa8;RRN<(%C7BD&3L_+CVN?^BXK;WD z+6tGXBS%!D7T!4_Rc3bqVo7p6E)tlF|VQDaDgO}Q<@V#&K80ai*VGCm9E454svSwwY`29c5q`atHrQZDrpb%gT zson|)?!X3T?JZQBu+#V8ZKG=IshjfKV{>lG@@bq>Vjpg3VFP}Ow}PaY;Ij=z@bf~E z1r4He&%(k6Tn>ax^uUG@wcGRm`o+Y|^}P4E26pWVr)6z)q}EftQ5zOb5D9Dq&55w3 z0rL6^MokABTnj&C(w>+0s7c@+^5!Zb`k~IEsLwdxrG_n28(lFr)6}hh zlDGv`z0Ib;1+HjWU+^gCgJ%y;VXeSg4~)wZYu8Q&34sv`bYCpptG(w6^+V7F!0ljE z_h#6@{IZ}{^UT#LGc~KP+~5}$C&rnYfdI@$=3Iabds#RIF*ypiNjIA74$tdm4-f+c z4kTF6;6a256)r?b579IL5hYHfNb%l1UCJ~jxQMaYykr|iejFK+S%Q)%PpVwm(dA2+ zFX40~dEpw8KrwZ~G}96P9H=cHz`2Ci1kl9+9WHLU=%C{po_GXp8wYb4m`*OGH0=nY z%PcSB!W5u-@eQ~;Pa&Cg>4?rtR9z@7CHLu6TMAvzGG0+~7r_`u?drR#kbra`UJddW2 zl~Sqy0&@ZbW^qb)tmI&m*KFfHoC$n!7~D*nQAZ{*vYADX{4&^M3qp>;L%~+I;UYgv z^y;XKz04_tF2ThAKrfC0%b`QA>~do3o)XhZB)eApqe;T5jFWN3om4`q9vr39aYr6| z^zp~dY`n2MrK zOvh59aZNVcbn{I(<0MR)j@s!f1O&coOiw=VMDsCGnlkdjH~%#BP#(R*PEJM}b@Wk4 zBlUBnHj@bsn?dSfa+%{?^t7YfE;=HHEbI{|EuE-Q)d!*^b@f#_#mjL|L~FJ6R$L3B z?jCVA=#?;#${Uha?uZ4?QWUd<^{_#gb@o|k6)R6xk)pNsT5Pigmex;!LxwQ<6cc06 zZ`g=}OPCn{Fv8S9GhhRp2_|@HD4po(wOMWRy;e=4a`pFLfCDZTnKTDRPEnNfRd`{B zA2k+Fkpz}_Vv2nv_EPua{q`@#GO@1!CZAY<8~Wg|#+;5?x$+QD1toI;KECnNzYWf5 z!_L1d*7?kSx7+z=po0d~VC;@9nA(Rw6MAW;gXXhosH2{kTk=vq&jG3MA`KFAS{ZQ5 zPb=67Wy8L%bD(V+RvXrmlwJF6xZ^I2pr;`&xaYcAl6r5xZyi=hxdRs*?g8BP%s5v* z$i;0GaixkRaC7N)j_{PMu*PMYY4ZyXYH&_j=QbIMCMJ<;%H_0|gvGQJ?w3vs!2 z6nsVhw_Uh_Sn{;s(|h+_GhuU_bXLxf*8O(mlaCc)rGIz+dB_M>y<2I4CF&aGvj=@+ zVYSo#d+>*&x}M?l{<|dT(^tQt-KP!zefSM)%unF3a*36C#fX1@eeYI|e*o@J8H`I^ zNY00}VjXaO3tS)b0{B1(rY<=2YE=X+IJ#vdtbh<>U^_Q24?Y9xr#pQeX^CvO*iW5Qap`;R$i5!_FnEh8*lurv&m8)cBD_!|YSjJM8v!rD$ZFx&m*6WmA!DTOf`O8$& z2$;hpW-*OibRG1a6FufMDSAlja!!s#B$ERikQE 
ztY&o=TIDJ$OPbZ+Bt&YP=X2M*ad)m!ct!N0;o2jgnANt3Imm~u4^6YWN$iI%r-N#JiXsV^gw{81U9ku z!%Z!&c@rdbi?CNs>|#y&*tfowD;VJ{YgC%8VUN71G$UTg^rjY2A7nb3-t;#mekHVq~&2T*6r-83-OM6(rdc_#pr zt(av2qb0)}+QMVc9=QuH34_5_l-P+B}-Z^heqv3j#x;|cS)$a;w~k~e+hH)mo0UTn^=du&`I>U|cm zK6WyY#mrd~ANJ3(Alr`5Ko<@XnbO9M<MH;fQkEt8rISE8FfgCPEDL2PR0Bno~ z+k`QM+71MuaI#&!;{3eYCXq0Uk+VSrGYnSDtFeQ1n_FZE&(HITC^xQS6H~1h(Q8uLKij{?x0-d%{-#7uCpN>>s;STTo_Ecv}R1 z0a7nPOPMZ1Q_(v0lEc2hS`FKq}=S#l_ruFc5a#(jK zEk1x-zI)uV6J7(GxW+g#Zg@twxVa_KKY$xEo_2&zI?Za-17C7PFFPkzCCz?&~x$f-z7HCOF;Lj*@ zQu^8}tgYL(T8KI^)34@|0+u2h3t=<=pfn~36)fxjy`_-A-{Y>SxRBr@15B_2-0`ct z(lZH*myA2PSx`L%^EXNei=uNp7koh&jKO?TzI36Fl3Nmb`GCO^C8anL%A2iDxP%on zs~BkjvlpscSp)qoDs#gS#g#W6;1N^a9+zUnAj~yGrGdvR6t1!@WD$+X( zx7)?606u;*M=r=jXM>k@+eCG=v*S~dx+nu-Ljo!AyAIhnWGlU1%rwHfgW0f&8pFm+ zkb^hVGgxaqU;HtKG&LZ@g57h&nP`f8^ewq#JAM?g`-!=pXu~^14ZILVmeale%ec*3 zw{gM*Q4mEclmlm6G${Z)(&IQ%J2XzCxlDADL>mOxIJE$?t)c;(-w;1~1h8d^nYNExmIi(NSxM4g?uneYOi%TzaHgXb6 zs)RMK+N*Ku%ktvHzqHG4vB=aLv1R(N0HDUhb3^sg%c?}Wy(%RTjHT)80)mW8^lGfG z>`c%6Owc5&IFZb=+@`tYrj=@}%1S(JYb7Bx%wz`mYN zP2dbp;nba`Q*;NDwvE?JnUSP`P@&JgDYy|PXJvfVhIQU zA^8La$N>KUEC2ui0I&pJ0*3$q04^>rGBPq*MLu42jA3JGXLyKdX=!q8baHcYa(0k+ zdWLt1ka~%jdXuVpyx)9#dwq$1eWba9gM)~OiHM4ph?l2`nY4;{bc%bBijazmlbDWn zT#l%^kFv{urkj|jqnoFzwy3G8sgrrBx5lZx)T*<&tE8i= ztE{WT*Q}$Qth~&vlZ>#hud&nYva+(X$Y?9|M~)Y{zD!>rZIw$|0l*4Nk8==RsjxYy+8+tth4-{{=a z#N6D}+}+&V-s9Zi=-lGk-0Sq+;m_Ui``+W_-@~5aBQfFtZ{h%S;|6%+3wq-ajpNlk<`Q#FQE!bED==q<45GI{7Sj_5U!=+C+6?(pe6l<7g2=}E2W<>u+; z+3D@=>M4clMVabLo$6bu>gnU^_WA2nq3f{M>*VO`^6TsQ`0QJz>}#d$cFOFH$n8>+ z?PRO%Y_je0^6mNi?rN^?dbjU%v+w57@O!uLez@?EvGH`N@r1nbv*Pk@k@AVW@{Pgr z;>z=r#PgfU^Qg4*>*(~P&GhWt^zQTY^X>Ji%k`|%_0P}s=hgM~_4W4o_4)Pn`TF*> z*7mi{_PE#f$Kv<8+4sZT_|xb4%j5a;=K1#Z`S$tx-0S-K?)v)m`{M8W|000R803!(;NU)&6g9sBUT*$DY!-o(fN}NcsqQ#3CGiuz(v7^V2AVZ2ANwTEL zlPFWFT*+&s#X<(2#NxU=WaphJruZ4;J0f8Amgv)7LoEpYzs zts+gkw(Z-vbBB(#uUjTav{=J}l&PF--N=(GU(S5*Z^O?uMIT5?lECTLrDLbg8R7QB z2D@|r|DMUzbCj{>(GnP3-|$Gg)Hk0`zrOwZQHzm#{~8#ta`6PX3^)PCvy63_NRt{c 
z0D`j~d+-Ff-)jP95}$;%P-jhq(tPq?ERje9&nfVAV-05vN*K#0CKl&gf0Lx>U`nq& zSBr4hvGX8)Jof10j|c*Zk~I75!k#|RIMWYhChoHjJLM>YAc6Yb(~Xq~uEyklPhRHV zlCZgB9(?yec~3FR6e&qJ{(uNgZ0o&gW@?mua*sX50JD!X7h1-ScqQpl41zbhcbzgM z3aRL#j5g{hLPTarW|By*VhS%$?m~-rR0`-?mi=^isXp3hqGvbCgleZevxV53rmHCb z2~B$T498AC_CS;1ndy~7OP!~IBWpH$CdkcuE47F0qs%tz?6b>3qYp1fE~8{T!eZJb zFjLC2i?mi!E0C5^5<94A?40~{%uA-S{pQvlxiR;=4=AKt-YK^ET zosvy9&X8&7G6yF*P%Q^@ThKHIg9q)!7-y`pT9H<(WI5C1sn0wEgD8-3n*zhl$ce57 zGMY%j=jFfLoTu8Y2>0epJhgu8rJV4n+HaRmLKCnulZk86F8;)(@Nn`pZKQ@x`^Fuv z`$)I()?9b(byd>xc}g*7ra7o27uK?Aj^0W$t7ImxCMDY8rpZmJ{Khk8e=c|b4BKn< zTo!8BzdATHs<=8s;PXw?O+g0JeUOXKJ@18Z^&kdmE_Y z+$sy7;*rCGy+LT6UHbRnhcEs}vA8Wwo``DSYQE-69Ao+vTVrx0u{x}ag4wL6{`KPV z!cB{+F%K_h#iwzhPk_aU7q<#ni)GA)76&`uDIn;ulN4%M0od!WO#lg?t$x&nU+@7~1fLILu*Klo3H~_|SVg45ASKhe*UC8u5ro zOrjE($iyZ(@rh83q7VIfsz{6$i_Ch z!;Nr!V;tv5$2!_kj(5zX9{0${KKk*GfDEJ{2T906;?anN+r{9379eCPPpwe_4g$RU8kIK|hER`8g zjVe+Rv4H>x;Hp^7s#dqk)vkK=ss+$!O2C%iG@GHUQ&L zt8j-)+~OMdxbbXlGn$53=3>GhsQra=6Z>43_Q0@+g)R}Y>w`bg!3v}FD`hPMVR_`!a$OI_xQK@JexlZ7LcB25^^fng|?(ITjjUZb3D#5f? 
z-a&s;OOO8!_{(4>uvpnCjxrlFHG~U6%h)fl=I*XE5iY69n$|q^F<(W+`4z;L9 zO=@JuH^$SgF;Qc~Rzoo159+umVGSFIR&UqGbO6FfZCzx}ZW#cVRWCzKoNUD_fxw&^gcX&8#`ESvl}a4U4LN< zr~dkUiQtDO;6cBqt*d#VE$z1JmfGY_dWd_Id4Llvhx4YBe=3d>N~;0MoN zF3ypE{H77&?Bh@c%XNx`@y4d_+2%+84Ww>M9auof%P%>uRyy0|TYKm5kH1Mv3a0lGH?gnCj*<6S&l_zJ&A~>LzBQ+Cpprme-vqIT`I}8VKP1A$AkQt|uFeLIT_hxT+vL=5* z7}H=V78ivjMmg-F4UiyvN2r9DmxQ<%gqbr9D~C$aa05P<0jf0u8^Bn4NC76Ghu%d3 z8lYw7Cjwgb1%jvo%+LfCAOaWvFb-n?h_G}89^hQEpocu*S0iu(DX?W;Pz2650*c54 zB|rjFmUInR38k0ezJ&s>IaL=mwg?zjXAXdCRmODfP%%h zji;o7r}TF^Xmr@n3R1wt?cO?H$@`HHA0d~;<8Lp24bXnl3(jjf~u44?rfFj|ce z3K;MNT|Au^o*V{ev6EtzKxv`I?rXiCPI zY)%=NtYHIwAOej4fC|?Ym@CPO-IotNNe8#M29<~k7Z3*qumUEaWqwx!6~G1wKmsPf z0)h~g>L~?J$CcvQG*hqu{i$nX84A7F1Q?J4oPd@!wF5IynXiPF;24Ss0E&XybxU?+ ze8~k#um}4YeL;YrI9Lzmrl5`4qAvQPtP}!}8JS|G1v4OHmT80QpbuBZfApXPXLoJ& zIHdO1N~TFn^B^6VW0DFNA*?}!2xgJpp@a$vhfAoOs#%6xh&{B@oUG@CCBmCyn56!K zCz0`yp#*uUf_PA3IZPUy&zYmA6ny89pIB)Kcqj|yc>?2SVLkbiSs((QMU=02lyo4L z$>&O+*fco*X^OEC4I7YbjsO9jNTA?#30|Ox^q_qU+KV@5h!R>;MS7uW$(4Y54j~|n ze7O$v2cmuXmmeT~zQ7E1N`67bfH0b?x~i)(I-_lej#7ZD>v)+`1*D((f|r1-HFpLn zDohK+GLayXAaW}KS9+7doX;tdR9c%(c&)h^8Sn58BlB-g8Z}a4a8Y=M|5%&@=?qL5 zN=70rq_-|IBRB)OFaI{Kj`ysXM>2}Gq{B*wKOkLoItprli9b1>hX@3K(1-(=swI$# zLl9&ca0iU&h~qG^JK21txB{;QWOPMZ&vgz6pk$vIiV$i88{nwIx3UBH0)ij{{AsXa zc}rLSK#NTSvLT>r6Ptk-dk3o;q9cF@SI~$IE3+(ckGs0GO#7mb>8sI(f<`KLPY`%Z z$8>(6gE~s2PK8YaIVP*udJkD1J~(e0S2>Wdt?!C>4A~7|_#Dy_BxU=Y_j-hi28Luf z9MQRY{`had@g@&Pwy?<_nYNH)!ZTCz93q*LDi<4xT8%A-4}ZFSzAy)vT8Y>AxN%3h z-x#_4z;p=)x@P9NoZ3sX3R2-#jYhS)P20MzyO9gbPU^ya8On7JR`NTwD`Czy&;J8T`Q@9Ks?z!lX37 z96VqKOu{O>!YtgvF50UnEMO_@!ZcjNHhja!Wx_E$Z61unKK#Q#9K;iqwF+3oMtsCb zoWx3e#6sM}PW;4B9K}*R#Z+9yR(!=+oW)wa#a!IQUi`&i9L8ci#$;T^X3S!-mc}(W znra-5-`K`*9LI9Z#&f*JZ*0ePoX2$R#(b>De%!}^{KtVT$b>w|hFr*qe8>#{jK@rw z$cntjk;cf6+{l#d$dx?Fl8niBtjU+$$(;PjmJG_GJZ_=v$)jA#rhLk%tjesM%8T5} zuq9-Y!E-B;*r(I)-UFn!G;J<}imJ<#jS(kq?E zF}>3~O~yBk(m+kqA#KwjEyz86)JWaML7me@z0^z{$Vna5Qa!~_J=9Kp)uTMsTD{dj 
zjMY`$)HS`(Ts_ugt-@bT)K(4FXzkKv-PUex!Dp@3YaQ1{{nmDU*Vu$&dcD_t-PeBo z*MJ?^g6-F~6xMWo*rANqioMv(lt1S2*pMCBl0Dg!UD=j>*_f>hrJ&iD9Up~_*oH0F zY0cQAUE0Q^G+W^g2`$>7J=&~n+OQqlyp*`9JxfB()~!9)D=pi+-P^Q8+ghR8vXt9i z?b@teZK9ctzP;R}4cuALd#fGVx2@aKP2I%}OC(wV39#KKK+oI%xk`XAs@Jv#x43}J zecsvZ+zLSptceuR9o^G?+_*j8#6aKOSl!pHN{&zfRl5maz~6G0%0r-J;5M;RFn9PV z-srvHWUSr^am?LiOe9_7Hh83Q_rYP%!QI{6-C@wd-JQYRT?Tg;+}+*XeQZ1N2uol*_2~Me8jhADBEc zKT^G2a-Ur?J_r2ZIU2c{N|w^i5TvRvDhC5udKGp4@)g7$&AXH8x_abbm z%7VdMC8JFrmi{?}2LZMFICMljvTey(lvuB*-%7$pWYz;gnATMH%l(=QvPqV(0|coh zCQ7z(2S-{Br#*oPqKjk?PU8qpXr3;X?L5(c+h6b5+<~PA7{cu<;8)nu0Kdb-&moL} zzyg)c+T;H~2f!}~;0*~N49C)LgCH(0eNQF<0R;y7pU2Mpx+~mY&bh5{*e`cOxVaku5A|(of|d|+DSPHc z7evJ7_Dl|hYbzew4?0Q?BJUnjv`r_P8<46Et%3{&LMJ8X9i2S&F2A5CkE}S! zTPVl>oN(P&1=G|CJ1l^J2yCd+JLQ}`MVa&*jioEhdFdB~VMcv)$eDAtd*sN1rpg|c z+rDv(IVY*y+LC*Q5s1hmx;WSb^~*>|(XYhY~ zAfn{hB44AC;piWdJDd&@(cEk!K-n&F!7!=0NXUG#Kox^+HQrW5lCRkVdsw(_Xm9! zcUrEeqqsQUyBQLhmz>X57%$)*dED(Uw|cM+aAilA!Zmzk$8Uv4XnZyDs;=#`J3Qk= z&QNb=z{^G{%gO|T+3A?C1OR9%c7l+&PFI4^B#CxHu+;68b=yqycEX6PJi(c(Tmb9l z?m@U1o@=>r=;%WZ2ceFbZac|*X`fh&B3xUMK9UQSyK8ZDe`6~oz{huZZny*$2TAe_ zryEJi{6q&Ss{39A5t_PjCN^4j$03FT8FXfeaC0jZ{CBQ&#KJQU``d}rw-ZJg;*o+n z0t}3VpB33A33b!G-lv!x< zQm2V3oWrRnXo@Pzs?Mrv+Ml^2jc28KMJ>w(RHg1kT-AAWMWMZMmO!bXP`QB_xm3-1 z>7g)Y!HtGxGuJ3*tsmw8ifLjW2srPj2IgPz_C3U1fi*Y#*T1ZI1)7WQJVCOGCP*IF=r-1Be2L|;YIeNPH30(!hx#pCdt|^&nBrDZDywFmW|J*nU0I@X4#$(X@_Boa@c#Oj-iO; z?s*v1;eg36S|<@hQSLv=${T?%KPu`TnExb%G|m^C81x(c%wMurUNMn9^f)JMaQT}% zO7^sAy*I-BW7Z`G6@_QuXa7C@tdw!nElV%t$(-!_04{mB;{>Y0eeWhgwySJ zkX1=B^{WHcf{({F7X|yf)4Z~}_x%VJ#d~x0bJdqWSaCRi=Gq*qQ=B(FAKzWKNtRR} zXR_up0ljcgsII#aAzW_9`6)gge^hO<&&OHS4$h221b?d^>Jt*&ZIrVEz3%4J^%bs1 z_!&JPPvN&5UdHr+K5w^6zQDySTVK7XFiRiccU&O6n*e}Z!TOd<^X2?9R2Qvdo>wbQ3}^QutZXrU&k52l8c5A(*+q5W%DwOgSmm z|3TXj$@@u|NUiec2RArMq??Fq%aE9uh7nrUa(~x(jf~QpByy#jD2=JTws65$EEq~Y z+F-@V@1!KJ633z}F4qwz#@}%_p2T1Z8GS4>^YIEH#CZ-CV?5#05#LM1xWM9L0!fXD 
z5uU|GU}vM1;f?X}pCu&3l;RT#jLB%-C1p&N5;FFUDR`eH6@r!i&)5-K>9A<)@3?jujv8d1yjlOJ?eDPk@>iSG;(i!<7%i{48wg+-v`(dytCmW$PRnB8 zC=nPKBVjTGL5tyFz$I>%sT&AFk6$UuF{xI3C$lVt)QU&eX@F#r2*FbO5yPQD1dIP9 z1rRlu&o3&e@I0{8A4^b=D{#iolQ<=NP*ABrH3EbS{DcA6FV!*40;>}WtxS5P1bRG( zLD6!%)#Uu5n-7gD)weqe_~YR!Xb2m zZ9_ihlyq2SiBQ4yn+DYgK+_s_2rZ{@H8l4Y+BhR|ZM-m|BY)(TAV1ZBN3$3f>=^Wl z7Dniv7O8ja-BlVh!Y+XuY?7a8Bv^{#&2hmn;1joeoNANNLU~%-o znc4+noEboiYxJV|Fa(64mcBo@rhy*Xg=}PWa?D_LkWAKu$i8h!>oj{1588RM$`}E& zH3k<%7hg2ijXru)o3D6BBE8%7*dZfn&ZCI6bl@#JjOY{(|9j)_TLUb%f;xe#U)VC!$gKeJazf=#8@U^48$ zz9&S5SizC3HSwK@G@{HiznZvoKd|P>l3MxEI}ax|)&rdq?S7cz3I^twvK0KJ3RZ6F zDOrz>!8h0tyi0xESrco-^e}*-W9Z`vbQZ3dGSGunO)Nx9`_Xf|Vd?X#od;U{ECWR_ zU_pYnp|vc*k*jOP^OT8#+w?G*_SN3@cAZ4%F?8^j(bmRMd-K&NA4|qp-soGc-O1$JHj=yLxu# zEIFc^LxpS(@YcQ^f*qz|y>@Z>zWQWuFv_`(P2B?rUUa)M=~IEu=k~r{p1s)pS82T0 zQMS_i;$2zE#RT{Fx^K+5&!e+P9~{oUe5Y{0XC?~s$BE1LifRqK2}1sd0e7D#`Gnrv zV&C_3U*ET*oNlVl&f7J@u_rhIn-_jC7UG9|-c>XK2%YXqdwzfyK4hc-Ok_M1P4`}^ z0Q`9Of};RjBqPF`0J3o`?7jdJydWA+&j)r7qKF`-m0*pwAe@sRc4p59i6BNlJy73bZLl2*Is(H@X%UKo=2W=@$~|7f})6<`MaBC?cUFBAMAQULYbJ+0WcBBJ0#Ay)GheB_j7G zqKG%301y=?6;(MCQQhwcPo$#mPGAHH7;NN^wUR1!4!@juHnYbUkgg>5yFR4Tz&2XTM zM3Bnx=h^f*?>B%K4)u}<&yqz5z0Q3EUOqTt(U53|0j2JCRP0=RpT_`Skd##fEPP7Af`^Vejh;2A^olUXCaFe z9(1Rkh$JZ7SVjL>dnRqix^&msSQorZcl$`s{#Y;ic%M~GBp^e0IM3B-d{89>2e*d2 zy+>b0rcY%UrdMY2ZH$c(&<{T`Ny@awe7sIFbZm+CLrJOT66Tm=s|=>Y}{_jA1+@bLxHsV~~siUIwq zZee}WFmnRt*iQf%fMY&LIUV@2_l+ZW_!1|Lh?4fBB!J`!j3_sNB$jpnjB1UhhObXv zUi$O3JwQIO?14y)J6_E}e5Fd?B=oMFQocl7e$6KcdtJfsT2Cox&O7-s$=)5U6^M4t zGr0nbjF2>lbTCAa>c^0)Fk2AOsv$wuKXIy}2$`jrzRyozAw4EDV(3&369DI)DQz$8 zPv8c|;>H&CBZ$G^*NaY#0Rx0Y$xkV}>8T*5uhw8t%XIm9NUnI3i=Jbm=3_JhU;w*G zh%(fR;zAVVEktT5=26%rUD4Hj|$5&o>ub}G6ZI4O}Ii9)j!bO3M1+_nyb zsbXm-3kJ9+jV2x~|9K!$YzeD`AKEr|0owcr`XoR=1t&_;iZlokIdI4lK)?%zf9$s` zG^_A45S0V8u3q`o%CDnN=^;p20b?P}Es&lAg!^2H^k>R19EJ%8zpH%^qbM;FKVozc zS@{W>h0Gdq1yFYTazjRcjscaXgs@+`0lW}_tR~=EGC_6AV0I>;4ikPGtwGe3k}Syn zHXVUTNpk|R;Z&7#rlLyF9CNcy49x~}Fx&pNZ3FuFQ@fjFx}eX-J1yas 
zs364pLx0uO6b1Q}L=6rdSRVivvk!uHH3KLQL{V7HUXT{W7u!no@3>uJ(1n920Yd}{ z5Lm-gA=9$pUBggVb3Rpp)Gm)F1Eu}~M#P~y;H=sgzd$uzw!#92DiIJX`1AYERh>Ht z$k>4K4nN9eo!lfaR|L2e-SRfAAY>5vE{OFo+QCM6>?SZ~GVc@@QP312FxNX-Mf})u z(SXm+Dj-U;l2g(orgK}XfI8pP2D-T_J&5ivRlnk>87za1_d2;{+D+C_xGIxPlvo{{ zX-z>B&6)f4yn)qARzE_@ibV{am%7gj!O(1&EI6(j0>}nn*{`xhYv${gn#ov&gKAv- z47b5nz&<#lPjQ1bm?Q3?Qh-;iDbvX$HF!)`rx{U}ap}lpkyC&_7iVf>zeS2(!Rkb+#Zy zC4iZCL*_qqVH5&i$<(PkL5=XK)HYgBkptVa%2+iFC3p=OC^yGURQ568%6@;x-wZz< z=wizj3*C0$Bea_OVzuIWF-lKNg zgN0@WMpc4{Ey9k@<8%)0-&ZAQ8#L;`p&@I^L>RD-=pl>NaOQ#;%PF#Yuj=TmqGut} znd;1E?d%VL=dbUcwXdix_+fWy?yR>d?8z`aEyU{>CXofeGc5FV_=$zm(s39Nvzgk- zO@w4_dsLKUOBtyonc{!=%{$k}wWzKLW$$qX?05J(RRzE}_(g&?FuIKTZ&m=Fw1D`O zv|7RP9*_sGmV0`bO;BoJ8gQy;MFE@(8^ozRe9cNQ=7Cj|%xsi;=Xc=TbjF1E7G+#V zPHZZ%1e1^?rT}~`w*=$h>;>d#ro@STSUa=a5926IX~n8>eCa~mp8{*dQ=apy9r^x@ zh@d+r0iT6mnta~@dpi4)bJ`acsL)*O$@4A`4Ya}5}TXNo|wJ{8KBzXYsP#4#G2!89@j2Tz!BXb&_n0#tnt^*pDw`ih#~2;r<-)Y9HC=$3bIFvCo!M z>-dG2G#70k$g`hG-RyRj4amYY7HEsmPqD8Yv!E1mBu^@X_ZuUx=fowl=!g;5G7EqR zP`LxCEr?0|LXbVH&G`DDcr7(TWYs@DCP!~8Om6M?KqDgFHLs{i1a>hlh97PahO$2X z6sgn__{f3LcBrg#pc{7NeyZ1~d(Y!PP^$D%i?30tT1l3aJM+Au#QUB&Z zRxL|TF^RBzYHHPwQ902>ii%J(fkWT&qH}{Mc4)Zb2&1ZAOXr}9B#uiat>ohj{>B3X zzBJTe{<=5ub?8>JiRyC(Q)i>gjVVTUe5FeNApHgR`;nAVlcUnyy|KDvOYrdUgS;vI zczD(i@DS%NH@Vi58?$1uoGOdbt}%z|$DaN( zmnm28Emxn*$H1URw-9}Q3PBIsA7<6Lz&#~g}N%GH5zSBu&?yg7UVa0AGRc>ug^c>iI=QGb) zN6*T0+m?^qzJ6p7rvc4f>unW}Z#HuZ}ZUj6c31Nv`0W?n~HGMvl9)HGw>!eja4^~+m8Wl(5eFep^gr&FTdAXqFWtK%!;{!mm3 zr3&-wuY-{|><(wg*CfNSU&Z5TEN)0gP5YI8TbI^C?F)S1cA zt2z1Xpp1sZP#hochZ2*oN8s6p!p>mJjuev1EpCwey-_mV!KbSly$D%Mu4}e0WvwC9K?GNV$(%PIoG42n?Q(z%lJy)+W3SUQ| zph8G|o z#%z1>#(8%f~=vF!j&pphvB_b`wpfLJ@E;ew&%MjVX&qnS7a-{WaV7&&|x z%}o$LPMXeGF%C>C!SD#=j}v9DR^E&K2Opc4S<+2CSGnRFX88AAky`e%>aaS=re{54h8 z2wO>op{0rd*pI#nu@b;Qbd5iRDb1P!77-Bu41G1&BIt|$F2iu6zEWH;!JXm2nX!BL zk4(Z~1@q8U?j7!22AlJ?MRNbE`b(dxo$p~CIe)Or0uZLkDO?B2v=0y{=z6Jy70tJ) zv?Ax5Pzli$3_#E$61xSU8u^MDhfGy_fTt-GBp|CJ6yq@TlZ<4jU?V%mAfm$v^FIRJ 
zap&7>qi}+@1&D}=GMMKTb42b^jbLn=75oI)NKD;utAuk@ zVFp`D4HSR+{gkNP)$~TTZ^CxiqPaJ?;giAYL%L;m+X#-mYAD;z(a9&JsSI3PA$-R0^N4qC*x!L&@sC|u!HR0(6&En?wSjEcYLs=K^m1} zTPEB=Y{WP=85H~=ppD9P<^;h&zd}P!5a)qw#QLMBHUUUPssgFn;!8mmia8E!Nkd+Q z5i}H7!k?>*SJJo9tHi(%#v|S54d*dG?#gkPW?aZY^?ZL_;h(aCd&^9yIr#g9X;4U;VQLe!DCCxz^X z-8^^gxLx2;V8a?>-PvrRApWlkN~x17WyO zlzyCcIu|h=(wE*ENx9h@U>I2mM&2@uAbriTyn6rc%3x!M(YwEuk>%Q#9jHMjzC2jp z;XZThIVzx`d_27pkOrJ z0Vy!?>PO>?a2Q6xQ0CIs`5YO`0VkF8tI*Us5;>^GrO>tA*2r{8rku1MvQ}TOqBq`7 z*u1%@l!yWRJ|43?6EILn!Gm(+CBoS40M$=ntWe9?QJE&YsB6xgh}FuKx6u@v^)XHS`t=CV=hd+IuqYm&)Q;TinOL_Tg8@2fYu;DbJ&p zdgtZO%XT^v8iV(kZpt6V{wSFS5Vw{+P@jvYBvuAc${M|xY+r&XDt16^Q~L-m7(#_< zc9Hm-`$_q(fuV|-yBPY-y>veI!K&j%U#6M|Sc~iS-Qrj76M)}_s4nzGip zPuSSpX6(@%an7|&x@0@1zG|EDepj>e`C!fkr#%)#Yn=|}WBG+vc`VA@Iuq@~Qb0m` zBB|Uuo7~A##Qbg!yuqGy^@%7Frv0Os&^lkl$6BUb`A4;`b)m|KwL*8o1pN7zF6i7C z?L)<>E;Hp~=Lc&|AnlnUTHEpG@f^$DCt?w*_^VQCXQ`u zn;&e=eL&g^`-Haj!^2XA(65m7?FMkuY+w}WK_Mvw5Rg*OLdr^x=kmCZ>mMKN-QaXr z{%GynkXR4BTnWEkm;H1xEZN}|Br^m7g0Ql7?0uICVTR7>ON+c5!@_i*|5p1xIe$xY z%>0?yL=k~ZO*4Vb_E@fpAb^o$>Pz0iLi8=}0UwZaI*{%z53S>P`A+Vao{Ifkx4~gu zS%Bxw4E+*E))6l|*J54OeWhc^sh+yC{rnXR>zDA8uuv6Dx~gy3FC&4goiCk&@AoZp z9TzTL+?z+6rP@n@qrhGDwgSECrat^OcYdB-wCbk;=FR1x$L0lM+owV0&YR>eoD87ff>i2VHf~N)GyHgAO$8|#2 z8($M7d$;Y!eO=f41%(f(od5FUT-V1#7ym~R8u0n33-|%#2Ql6HfFJ_J%mpRbK1Cn` zqay-m%LPBo0^`dC$Pq!P<&KEvLYU@4+7Ll`;6l0(K?mnTM-!EK6Ty7y&_%hhU(;c< zf_d7BfTF{&lSBxMxe$#+1`6OT#^5ja!U2ikraXZ>!&wNJc_;)s4?9G1Zh@50Kmcod zAUlsRLuwx)VjkO_Ft>^!?{O|`Jva>!I0h^+YBVu+vf;I0FO~VCiCZ7*Ss*75FLH`;|p3p9L|K4lcRyg7RQ_Rq@qpA2 z^dR+_R1x!FDyu+_+@u(rOquOqIIrO4Tj38*GF7#M7Ge{Xj}%oKGWFmLg-ucoI(_wM zGEFYM_4}XnAk&(`WZFgt3Q1%-gC-R#1-d~2yx-&q6fjjx57C zH4}rC1qLP>^~60-MM9%sWi;{spt!%;=X0%u_L^>Q4Oi``q76cvUs@IX61 zt7kGp(AQ&W?vx58%&@m{6Zb*#&(_^AC*40N{PY$z5#WDF=~TW4bHN{5A`;NOAq5f$ z;oIqGlT%1Rmi*K+SNJ1oY||6;Kv7~q85(R}QlJ{5bbJ&>8J>KkCwFL;cDz!c+$(~3$n!i_V2pM-UO%aSwB ztooL^SengMkm>U+>Ec^1)qd8?iPnvIE~_dXH4zgGKOHszQQ&J0kpH zJJ`lbf2B;pq4u8$!`%s)VI1S>^#>vz9~OmGe|VXOJ)*(A68)C;agEYN5ug20bOgc2 
zqbP!U+bE@y+B3$8L~~^zaC1T5?0!~YntuPihTUCUa6wisXUPLgj=U~mmS~!L1sTDT zxvUxh<0OL|Dj1gg%M-fKHy853F9heR+f)e8J9XM{x0|j7Xc>e^)o^Ip@StLw2u*b* zX1l5#S)vPG>$gb*v2`qsIP-&kLCQK;!9xVXl>oxF_sFG8xT91wRjstsrGge`#A6Z4 zrXN~25xU1FuxHmVrldjuA-t0&Wo}yK7&JLRaap2*B2L8KIfU3)i)1Y*AEvV zbo6(tIk$s0cWTvlY_@7z)erH652lw7KGjdowgqzZPsz4V*##?KL;V%2pBrs&Pr`H; zrH+_Rc6ey(QK4%HCQEPVbWPQg>w~-73ttgyE=tL|z77a-oE9vvDLIJ}J^j#NnTDMZ zLnBgJcz~+8I79>K1>AwmY?pbVOC{D91B8n*S4~>niXTxJ;IIhejHR%yBsVGXR7%SM zwa{%o-IOI+#*4z0zebw_PVtPx+YTkhhG|gofU1@cmjyTU+c;1}e&p1=_JQ>^7+tom zULZD|a$|y0iBEl#RHFmG%aN~brxZ6Ms8`AWi1wQeJ5dVC-IQ_Zf_Qeh#&$*~#9raOu1ySUHvbXPqu$(_uWQ;P+QSoxjdPQAP@uFTr4JW|7Nh=xm4RwWXh zZJc`niUwusdy!ifQGQm{F)b-+RyEhp0_1z0KTc}O}s^Se{;SHKldI%cct3HLf%_l4(oZ*(Pt5*`MAmMUq2L+3lzH zXM;eq=Uij3jn?yGxg$V+LpTUkbHVT4C{+e^8;M+J3#F||phI9J7%Mb%nsL9u%^)?KBoM-AFt zO^RmiD_0qu&F`bzst~t2>eo6r=lZGJ+H#i$xLc{=hx%&Q#;)5kAXlR=H<$ivb3$7q z{p->%&z6Wbo;pvCHsEVppJ)3Rw~sP+N3mzqlt*V%TkEBJ*Xe6lgnPGsZA*@457JfV zl3Op_TQ|5@U!7gEBX_)bdq3e@gjRbGKTnUP*RveY@LJQ5K2I0P)37hkV8YP|^;<9V z+h~H$JG-6!YZFt=CxF+bo** zwC~HDu=gz7`+S7W0@U&XeKn}K_q{dm5>`igAn&!QcVGhVw5K?R=j<<(&(4AN8g_`3{+ z&-2^L6KTr}tcwd@pG(iPOK|E>kSu)3%Qd>aO##k1cNB!tjn6Y2Py>eiSX> zEeXGiW!Hrxa5u)|))V;YSKB6Zbp~`j=K~)?_$%vtpUb;mWBA_m`5$bJ-iP>aADuo< zfiD@ZK$1W2fi6H2s(WE~U@`Cm?FaA``2N^+wbix%*abxL1%BF9K=;3&pMzh4Z)3on z&)SVF7I#ZzJK?y=Loz!d4KeM1p@6K`F|<--aq zd<1?DyL$9Z-|R|!P1Q1rQUu zyuL`pVu>7azeJo*8BAr=XEq0-3E4dWoJ@q0apbJOXj+&|B$6ofdlN^POvlpj><{N# z63pat`28Ut$R z%JKCD0zu&sGG%^o|4i0(lZ?#;+u?@oI%f;K!h#``iTDk|_}K)Fz zfh2H$*g4B~`)zO4_=s1pAO>quQ6q-SKdv~0?|wEjM3|6nhB4gS62cta%y=M55|MsA zNRih+!$(wFF*{0KJFdiUAa-}svXV$VLO}s6Y^NV(9-CL1U|q4An_z#R9n2k4!wwU* zEJ!QLa3__rWvdI7Ql9=c!*VOcfg-CiBZ@7mLO|AbR-EZCkv7L`lIkUqMwUU7C?kXb zp*k;!OS>?ytSGC>V{Xn}$hh*gZGsal4E=|YJniVooUSDA@5*x(1hr+uFxrQD@wNOY z+|UcnSUFAbfutn`@ybT^@3j+ZYt}8QR2jw=dt_g+EE|$mEoOKhSDjX(rmJjrqSQCt z56H0AYYjk4F&~J)AxpG38q`)@AP7=715xBOcG!Nlv(JW{4Y1GoE>xy&2QW@*6#nGA 
zSl)|ae_Pxc3O8I_aTwBB+D=l1TscSq8b-G?n27mUt!U=Y4X!7%9FUk@ilG1PL8Nr{Zn3>U8Y&kmu{+aV#H}_R+`tjd?s8cr+wbAatN(i zg|tdG5Yk+ms2n~r$-SgMX0vwL1xn~apkc{(fS<6IfqPkpeW`6r0Uo1sGlJ%maq5tI zz;r!8c*(Op*p{zzHzP^0c$3~1HjLe-t@>s$Wf;?Ow_;K4Ju`>D=x(v7O{o2_m5;db zuoFg~E$%JX`Doe-6C-D{QHMF9)LP zCiHS}^^^B*2kBK&cr|vKbEHjuMC$1iE>jG{1>Z%>d+K`^6vH7(`#K8}DvWkx=cRbJ zi^cB7GR#wh>oz)wJ&`KLazV``x&IX{!yKDoGA*x30b`s6tNsVmKWZN^ zw9!~DAsudwlzHc9+??+=Vd3tOU3V}#lrs{GeV&}%9!7S@KOyTpXo;`hu>XGgm*oKK{whm_JrQHod_zI8~X&!KZ&7xCU(G&*r9 zGruR6h~g(JsN+cG(8xi51*Kh+1t)#$lMs`-hqNrs%EF+i7G z+hl(Bofubhgv;f3QUi?%t-a=iO>$kzz$2?r!6SFlNw!MiDZ5 zI+ST6vV+wLabpnB6vVYkraibqJAu^I?65}505rASJ;DS(051o?h!8%IiKlT4@~|c* zsm6#|zj0XO%S~349TXvZ4}ekQHlFt^NX*V1E^|8&{mUshOdTkk4pE>H%(eLkmq&+t zsH5eP&I@s=p2 zKQe3&fSEZRntW1-jG!XqVlx9-Ec6PC3Is|(;T3MFu{nsODj0Q0b5uK(ZKQ)Xlt38o zz?#Dz1Lxw0CH>doM?D&RDWc10X2EgBt;V|Vet}HWxCkg)j*S?b(6}V&2zXs=$!oNC z_?DWh8|T8NXi;`fST8-4>H(vwXFu47Gr=?|TgEf8po6)+{(P5jLT`_~=Emw>QlE7F zV)St@YLJI0X6w<2L<}vtlnMERC}6FrCIrv?f~$eMi=uODz7{n(tH(CO|urrYmx*ca8dagP4v2Ka73_+R`1u316?liD0e(xm$TUJqTYVez>+Xyal zLsGe~LG)n$@K9jWd(-d_PSrE3AmD`48)x!60yS@U@UuJ!_3Ke%O1WV9x$lt%Ks%Z< ztEg?83J6IMxF2?po3?Kk^bnc`5G(S#>om1gmxm59?`&6)ut-~pM7w`3_ke5&wZQ_A zi6BsW6VUe4n=&-uvIZY=XD^i17myPRS23{p-7C@CD`m0>(cRYscCQSvuxoa2z4A|V z-Qenz4QzDCDs%@7HV^RDAg44CDi{5;Q&5>8TdmeFX9!TS)hPIJ>jbp}$+ovrl`ohx z&vM8E8n#2o(SLjp?<#0^e&<4t(htGMT%)3FP)0+1M1v{hK7d3+rqeBtu^FVr+ykR4cy!vKY(=t# zZGcoYys9FmA`#F?aiS_0?R*+j`hoyu26m}}GR+3g6$C>Z91!R=h5)&1E{!`PMizbJkBPnJ>RG*6FeIdTL==!2d&E&ks9(Q%H_)iI z(D=$Nsm!9tP3$Nsn8$}17bTF!18As`YUl%rn0zOC(kG|3Wf1CU*y-zFE(HW}FBa0# zo@kV@{KpUc?8Zam2t-i^oT{c_6GfrxA*7Rs)bL4UM94QVQ74h#CA(9lyoR#t-uF+|Tyrq$As(ufi zt>Gj!TU{taB`u;au%cC}Ao#c3RH7GFEia$L`ynftIICH(Dp@u(JJc&BBs?90sOe%% z8nL$0R9@ROXhhv>#Ib6Ms%oY+Xr|n2<}GOEt7?@xYgHyGm9uJBt7^A2Xm{Le_ps^= zU}!fv>rCA1%rxlCIqNPY>25UWZn5fFtLp7E=)s-b>z%XeUpo(if&J?vKKyS!qK-I^ zo>PRrf%&J2Xy+F8mqm1Na1D)d>pOCfFZ1}-loQ;uH9P2N6RHTf*HO|C)$# z|Cor*TG6#*adBlyA#O?Gp-GW{HN=#Prhh@iir%!kPZO~uqqy-uAYxWtW=>}Be?i2G 
zzaU~^Y4azDSo{eh0&PDv#FD0=l8*VmCSrbODbVp>6S1e-w?>mW~|V zkIpZSwU_@@5_0f-6tLz$IO1G?-Cq+C*gQYlFhBW;B+h@zi1TZQ3;h)f z69bF;Cx2zcsD!1_mZin9rKP2nz48ALiEBH@YaauDp~SWSff7H7#ND-x>zDr!iU08t zch~3she(Y4*GD`&*}Hi9mq^@L{V$IA|CABu+YVQT|BE9|H6PtS{$&x_;y+EqM$nfwG1ue_T6 zQizWKP>A)r|2l~0Xa98&&u{-ah<{f8B8VlUe-Xs9gZ~!+aqr>j_#Xsu<8f;8UkC9Y z1o8Rh{;z}hdhsuUc>iAn@vjE@|FZr6(MQZF5NW<5{a-#}TT_3jHU%QC$=K<<{q28! z#Lr?EmjxYAOA7iF8ms%w(*NZnvgyjAk!n_G3$FIdHeT%g^$|OlnhcLJa*+~kGz{)e z7fZR>OFBFR&sMq!frvS?3tXCDW)SkeJ{-4?S9@bQK=kFqyJe4q_((ZCrtxEB=1r#M zlEDd12*jW<&UfqlQA>ER{E+~JNu~{Ec&5D(pDK}Fc+NtRSt-^jyG1zPQg@+Wy!0(#*l@lOhiYOR~YuJ^P{~lRg_H( z%XJ%b64LIO#^YTAnYRAd-=d5m8>{YLt zK}sqz{hikFTS|wMD7O-ak^zdj;ngE)C96?5)j-DEc}Ci@s= zhep^W?MYmOU7W&AaAoDZl^Ic1M^*S_C386mT=P*R&Wfo{wpi{|pA5N;Wb-^)M(;$~ z9t#~R_qmPB{U}=2;HQsxzodFUYWB^ma zvfc?~Ly7<6BhuYyhs;fa{zm)s5g8&4HG=IKz;S9kn8x!EU5EP!Uamp}{y%+0Dy{4P z_=p;Ue|^L|&V>K*5zS@t|KlTGN7+T@;~fnXaV^e7yN&PR-wzM*KK$25#JTzO5evS) zH-Gww@o_Q#7jt(N)pi&54LTvXON&Esx8m;Z?(XjH4n+#3Sc?>jySuv-cbDQ$anGcE z-gmxPb2Nu@k`?a1-8&~??d*O1;wUI6Wn?6H&;I#{Tq7fjzE@xW|L7wcjC^+DzR5+2 zfcS{A(=od4xwzvHA8~a0v#)zbQnMIoCbsGqIx@l<3>zv&Qq`1|-%07+6x8xDGd9qn zg{%W&3QjAZlX*k)>27J2#XipcoCqrt?g$o09i1!Wy)99WFIE3W2XOMg`M-TcM^_|f zT+qAht#|?Z9uUuis7`ER1hG7@pypEuW^G~we`Y8whlU7s<^oDfqXzu#R3E}&>4MxS zDV*7DBu@0!f{$@lEO z<`-J;8sr;FwXEb;SHLR}A5q}II$^t>qBytdTQQua4p6`I&bVrD+>Sg6NuNhuf_Ec-@%>1gM5A6Uv}d`8*M8 z$TBc%bLF@B`jp0jv1bRF(KiBExpqTivjq8-Zoz!;W<};?ai6c*gq3UVZW*tRY1cBfSZC9{)+KXVl-U0~swZ03a_ zn2^58LB`!d1?J56HTn{{hscD6gyRWY=bX>L(L(ePbaujeugQJ5XVB6YtyupP=k*tN zaC#d#(?_GGoN)2D#nQ}iJ5m~=Xfl!}WR^g8E^Y$@GBNBSvniLDAFDfml9uM<48jvX z=|z$yKMl(m)>h`N?5aLNCC^?)Fh(-k>uLAlFT+#PzylZ6RzhHzoI|j^Yvk-7U?=1A zw4$W{(EZXcnn*Jp{Cpfz%Ec3Je6f=lU24C7U+~C+_S?0Wgag5Cs9g6e7F@d$R(z_# z%nFt*F`qJwXs0aA#x2!-^SjTSr9P&U`)|84A>&(LSltRE3YrHQ{kJt|M3G6XIBCO( z>?Jc^c3Z$_e+;Qtqkg+;E-?JCDKz2TZ3|q$V6$q8HYtrxQ^H1P*cvbpp63~cz(}Sjy<7;vz}&KJ@S2hQ=pxClFx)h-hc-ehd&_U*&ZXCFEd)q zSsqG1BCQIKm1gl$Mtj6y_mG!HD-#92{N+8iWCx#Y_ETCTaY~W02%4h2!$Mf!-8ruK 
zFPAFcZAp_BS`@gGpiBM86%wej&kFK<=e~fb`UMV$z-tx7*JCGllq?How-cbQUWP$s zTmU`T!z_LTw|=X}7~USfm)S09LKtpVkOAq+_;~p4_BCtC1$E&>Gk0>Sg9cXn3eLP} z9#o#<0dI}gAt|eWFLRXQ8BuM&z~Y%5u6_$+Z!e`P=^Rp5kNVx&D-%aFxf=zM3pr+y z7f}kA@i*x=bB9>+(COgNFfW-y7KAS$p$K1v9w;3%;CSY@yxUc27A3>Z8%0x9e2fP} z1(yf}4!wd8!hYV%xj~taLc@p)(a3t3B}VXgh4d;8(}zx+9`(0WiAZ3c&Z!QBy!u z;V)ssQ7Xcq{xm;lbSUp`Xh-enwIZOicG3nqjIgD)@lZ&PISADlNLmeFAMExHGGY16 z!1uwHb_&&H3+jUpUbGnUkdMgDL;4xm5n1QaCyFp9gkT zNp1@5gb%ph58jT%Gx3`s%EMt}aJr=^TOy24Vns=~;-OFZa@c!r-;X4A?6h!nBd8x) zzQj+N9WQ>O5{8PKf@XwEaRo#|v%tnRBVswjKu={7!27WPfM(r*VXzlem@}~U4y1}sUxdQs~4yZ5DU)Q;E3Y3%&~Yh@ihjF zA3*Qkl=H~YUygqq2(mJq~$P6#ZEDhu9Z{_9{{>Y?2^Gr!ER*omv z`gxWnM|{Zqx`0IH%`QOs?P1`1M;!;o!8bDL&{Jve_nrwE-yD#S!YV(}0nGERr1J`@ zLqQ{9$O{ntlv^NzF0D4Pc{VYNJ>tW+Afj$~^=8CpI8743r?zS&G87Rba zw#XgPur|BWlSj*N93s3-b1`Tq2tCEa9{7Bnwz`=8um?!Ehcdao^K>61JDVx5q@^fR1uSiyso06E??A*dEA$e0p5H2n7NBKVralL2lt0iB7)^HYRMg(_A-?HXr%Wo z2nP`9RvqcUjrN9^G(i=8S)#3<9<4*G4-@Pj5FK5AndM8TpBken-1L<=F(rIdukt4P zOLN3k>6g!Y5$U?A52J8e-I1cfsk+wj#rSose!0-qrLEw`VD4Wsq@yw+E%pLl2;)mX zhSK48jczq&r$%GFHI#fS@py7Rlt)z{nfh}?B z4xu-HcH}H>D8?Xe`ASS@-4H@n-s#%_dsINsRQTQ-0hKbzv$Ux=I^Ci>`V>%KBJS!O z(L`?%6YZy7LZT)`5D-XUTwkB!qZ6C-ToTsiAIk?xfNCi(&gF!-=>)QT&l*N>o=!5Y zM$QOE)vcb!o~3%FUl5QrIjve%sk(WQpK98I-5k|Y+ol1QZ6}nL`$A75UVVOaQP}iG zlGNW_t$(Oe)XY$h%Y}7Zk_@_9^<~h{T(*lMT5W;*I_gA89K7P1-9d@grrNY^*{hxB z&z%p@t-16@c_%JS4~P%3F>#+{9`)=WW6NIDJGJ&=F7>)${kxBL0oQy+x3S%*FWu;b zJ(z1US8d($oISXiJ^1ZCXJw_>$a*MaJrEy}LcbSZv*!c92C4l&AMvFZao%Q|tM5M_ zkz2oyr5(aD{Ev?)%HJ=p|Gz$Bd%yhu(?^UeZSoo@iyDY28_*x~H+UKNfH-K#FlfFO zZ9zDw=RauOK4_mgV0${~fIQ^FKjb7oWjOAde*Rj|A&OJcO2z%#q~wkuPf_*<&MVFC#p9Ejjjs`TU~=KR6x2!FM<|7zz~D$V@W9rvs2bhLNv*P#E{FtTDJ|5yXz z*o6LAf94ou2gjVh%Q*7*;>*}C{qeQ6@eOMK5zAD03nX^R^ue{rLrQ&kN2(i>?BT?gonxA2F}np~-nM zpjTPdU{>&T(eib~-e4*6OpYx4y-1y`GUJlf>rxcNM`V;!pM4)2FB_J%{JCQpUtl@= zb-7r5S>I(j9c5`6c{y`^si?v}BO*5Eb;X`>1v14^l)Tayzw%vSDCY(qiUk0x3XnH2c>}ksy_VD*RNb-G!LW)*}Q)xc^W5rWh6%VxL!as-KMNV 
z>$wG=y@lAh1xMVn^g8xqx2PKq4L1j{BCPej0Aie>>M8pf@0EVoKrMrO+Xx5qCW1uy zY`A#f>2s>=(#uYXcKDHz+?97k0MOjoJMLSk85Em{BAf5)Dn5`Qix3mv8KZz1dG>#k zBqZ%dh@jk|Z-G89%%7nU1J+V~Q*^WUpsV)`CjjV=duF!l{Eo8iDE`aU(M2Qxq%HRg z89+cHD$X|)oY=^Aixe*BA5pGJM^ogE1@)adImK^eWHprDON6_x9|nS{qymL^OwcA+ z2nVK+Ig?rEjnU|8h3>?58v=z-f_ITgx4iu3LeSR+jhja{y2b*#eg$?37z1pC_X-7u zR>t?ivOr)?3aHx_>X@B?1jzpFlk<7CMm6GUWnenX#+kE!ZxbvFvFW=OSZ`rJX}qCN z*%#+_s7_NC+?N;0#FxpA@ae=n2tX8Fh0jT|$k2Zf_Nvv7x=(Z>QIs7~m}^NGun=mq zzf&zC=Q*R6D5Caui<10A+EG3MMjfjvE;Jboc^L!56IWEh$^aeb^+bNzc7bem&hwCz z^V_ZL9Y+wKE#1XAVd>+kz?gJEBtsIZR%X`8kC(R3b_--OK9X5?nC0 z68|B$4z<2OkP;;HQQD1gdVqer`Y5F0@a zwyqZaT8-!JKEy{nF^WonzOk_#1(s z%#7Y%qDMy2QDs)M0M?nnx=mEjtCQp9wD z67y1`jd;Pb-1_%?1MGX5Qrpi@f*bRU=LcLVMclS(17}$CPGpO=ulLfsXJ2c72ppU@ zLA`VC?zn2*VW`bfg@)lQZ8eJ!KlZf{)uXF-{tlgzj>H0mbaNtxW}{{qWA^=+3dxXo zB@d1=u0#qC5q(t@4pYNirIc8oPdtk7;enoj2H!6yoc}x9l{Cfw%SZfF7s^XmJy+XW zSbcpV$I|!i`d7Lw{%n_M(HZFM>N)qJe9hd5jK9?{wLGJfDui0@(H1XQLO1Y@t?=T;srb)F{2R-P{m|lo z#AL0mI-udb?L6W!Zy0@nqP)%nn&w#4qn%6dtqM(9T1$Yz_AyVA<9swvRufDz4r@AF z(2F!n^;wG&3!EQk-wls3C?OuRofK3#tn2Y*XPC3h|D@q#Q<&lT1c_z!Ox;Tri2x6j zS#8Xk+f}yRJ=sDHU;S4mV8r`u5_y zpy&1Kv1GQ1!#mK>uIq^kURY<0k+G^aYrNWnnL&!Z@V;2rf+O_W&w#|T9_B^Ge_p{! 
zGxX?8fz4WA_ZD}d|LCqwisGaUMzGI1LNkOk`J0d#4&+L=EfkRhi;kWi$HjvuxivO;X98B20(JgLAwjM=(M3Pm~?FG zisU~Zk-k4(m`WR+Uc1`kl{^=W9uAL|!)y(SHGr3k7Qlv8i58>y2?`?ZImQbOWM4Cw z*u_Ttjdx)wSw@QWNZm(fsS>NVYr2(K+>ASV5w-th1iR-^5B<3&*6y#5D9vhbLH|ik zedm1*W)Uhey{TZiDSpj^q%f>%VpzEQwAEue;L7EEt2F_Ek;3YBO`BE zo0O4HftYADAcz>9_%D`qgpdK3?%s<$T7TzlD8Xp`dou9}#!@ zo6Gv{H?!)aXc&q7w*!U)vJ)RA&waHY&;Hqb+dk+npRs;`C~0WY29(07)N`ZUwuM?K zri^B0b8<7SX>k7Lva(xj_tlH|_H2~wj@5GB*o(y|ZB^oZ)$@JB@@7A6r`S`^UYm)XvjS!$GN zuhVI@J!w>bpUXBwDbxBTyHHm+Umkc<)R>HmTIBhz!qlKl_sDj!^-Uq~ua8*LpnjCN zje`bc5GM7VY2Rqb545m1Ba$m&4rB*2yT&Q9qGf3JuiVyT?AcqzLn9?Pjv$u%!&~6g z3O$T-{G{rox5PNoSsK)AtfM^@Ww0YVZojRqbf}=Wde(#Zh|Ia`Nsd26+YWO$^V`oH zG$Nk$5APZp5qqF)vM`s!hTWRJX)t)5;2K;;YURx;3_AeB^c@|V8e{-slj>83rRlxU zO2dfwqQSWHl^X5OdrqQ41rr3oQdi1;Uvlo6|_04yqNp;)s-0Orw77g%NeOl)U@~pAV0U zaT!`$ixEc4%`;j%;*_%fvQK8q-8Kr7AN@+T>zpY%oNk>QH-sFG%D)dCT-h7<9^Oiv zx;2D&BgsQ%d7oov0G87862#yT%CeVQ&?zlz2} zhQi?f?P#FgO*S|dLk1D2eVN$vB^1om;PjSMf4R6cjM*-ddA~>Vc7^=Dbi{Ik$Ch)> zQG3R3Z*Rrt90{#~n;>9zS4ktG_Q##b+BwdVC8V?d5EvNnYIkp=w{gvhSBf^c?bMf% zx#QU2cJ%5L%y-h2%X$uOs0eTlC*Wt;S8wioCUTCJTGQ1+eUFEm8*OMo=tQvSJtQ#k zCn1V(mmJ4uM8?rIx#(q=&gk)o+v+eXNb5IS(PP0W5%jffjVN=JPal@HTMnFnZ0TB3 zLWMn2cGv0wDp$!=)|)%Ud%a4>HJ(1dz}xT-_{Vw&ysog09i*biDsl-eU2TD$^#}VW zApy&X;GA!ykHhr1vb?irig)z~1{aLbd}==*gqiz^rf{6^#Yzpm%AYa!{UEWdQNPqh zyq%E}>%~YBcfRL${bnwD5bgGM@TT(b4kv5%TUNO6o-5k86yJ1aq?o+0FD{hO<8Go* z4|8FP?zv)45+HX2E8$Eu^ z%StL--9>-I?j(+CYW*$e^wtkjyFHm~o4XJQ98n5+$lVf;mCuEd+1h-Q#SNrF4npy~ z7TWm5HfjcU%+}4HBgjM(4$$xRk%pO2`*Qb_V9~ByBD$MnD@*{rbEGYqo(9-f4B!xM zzvdGt0Fm9v_0&E8Ty^E?aucr2fqCu|Vln2DOA=W+5xBIgI?50R^FebdckkA9aDEbw z8Wx657GWZRQg-g1SnVE(%~!q@hF8OYu-{$RnOAH*H)8njUqmZUKIVl9Vf7ROclnW% zW0rQB7!Sk19BVy$*F8UFy7{(36@$C5TgZ3#dNI~Q#hrzz4~393!#L-XnLt9Q53HEG zz2$s8nC$OZ;`%#IQdslbd2%AC=Y-(fI}BLFXihOM$wMDOz1%M(qK6_!1ik$Jg1y?p zr)HwmLmzMJfVX`qfrC zHkk{oW5*M}CjI$TI^jh+5n1MoJ&#H9um`d`b{l7lq{wJBV zeyNN#nQZlMnWvIsCo;K&qYix|7h+u=6tV^SqshyXd4wE=ak3@v@M6kkL&8T(Ai1o& 
zIAzHrc&oD2$Z}RbvQ=|3HT-h*{z;V#zv^Y>n*8PH9%UNY<(kXo+T@2jmSDDlqb>Ts z04;Le$YZ<0$*hMB+_<%+AmQ5G-WImVE-^_n7x{s3`H{G>{`|4g`hl@E`SD#yEbCa? zp*$Lt!Zd|~1Izey{n(uR_>B0to%1-Z`uI?|!dRxlvbn;_n8NB>`s&ELC6DY&YSA?pumEncytXIY`!wOq@)FJIb~UdATl<|bcHmEK;Iz{tvw`HHW7+(3(N zkb*J{r7|pJm6^vBT*MT7mNH_BGE#*ya>o=5;}7KdDb(93G#C{O6ctP&mBcYbOa^(J zybvmMh=3WchFdR$TTdScBE!gex{>UrQ6c6~LEcmTfTBuDG($|ON-i)%CZS4cph~5n zN*$n@YNtw*qDn`^<8TAjw+oa(|3NJbLRtc1V}##BB}v5$6BdwOXUxzUsDU{h)Hnjv zxINT(veZBYv)m18{Nri@>uU58lcZ`*h|3ss-IDUkuX&CLz8^x>3!z>t&gA~_$xt3uRqtR!2n)#AAJiEg&eWq#KM}yZ? zj4SwgU{s+QHJx5Hol#`8;k8UrR2^X!`AD=pBGioYlyo`x`gWQ*s_WsR0WWnKabcZ~ z1yh!Z5ymu&FNDzOIg5U`%_CSm!YuR93Lv<{FA5QSNZwG$2J^4-+F(ia0h5kqM24yN z)xp95ZH)0Hxnhvq&VX2swowQaSM*H0T?m}?BBuc;N}}$I1CTZyiUvJ&-z{7$N6U}0 zC8T1J?s5`OdpTKP3Y$eY+o0A^1oUZdi4{giab1T;Sm(=G%B5I1$)9Dp_6(sZRU?xy zoGp;y@(P;v6b8wvoWv@ex5npopq$%k0s~i>g-%JwYJh=SyZM~m9y+)ks?j*?Lt=0N zk)9MT=>2dA_0%Gs&-~@LDyY3s)!=ZQU>$zS)8(=%aNk~r(CnA~9>Xo8D~ zTKK#HK;vNcC3RB1ux>5dMAyS8QJ6b-Ptz%L7H`Tx`_KKziUr>7owi&uuVa zaKp#qV4~(Y8{{NnYdwNuWUzz*KMAY`&5rfdY!mq^SlRl)4X_X9m^%UsW1?Fn0PqHK)RW5%MKty4=M*hr9Oqusr#H1 zCcy;kuQ0`7u~JfGGf|8mtq#VpHvF(uXM?=}?r`{BTRX3VWQ@cetcYYh+8m<&In*u^ zp#9YpSJ=4I^Qb@ig*csie1=o)9~$Z+L+Tq!N|(ehJs32=sZPvVMom~WKers zn^*_Y+v?$cPqqgX0w5eE9hmtx1FLLXkY(+&7YroXhbCDi`Dh@7Y9SRJ5>**j_IZwK zI5<;d{t?qgyAnO5GdQ;~1kfD(D|)-KlOT7*F#T-?D)Gd-Q47)dW4tFw?Q-LOKD4JJ z+-cAjOCVIc5Bd*^G1|i6z@hCJ(QLK{sAeI|T{AdVE>zrbS?pn1^wqr3(HdU=7-Iu4 z+n~oUY5(RCDon03T75FkeauL6?8FoX{`#3ilS=<8!eK~rhSJisQ^C==ZF?aHS&-%6 z0p-Y@%H}(jov!lHNmhRLzI0MS$g17eH_jt+Yt~RrluXG@dj1yXW-RoXIp>8FZB_ks zBww^?S29>InqphB?1;*1$JiMt64Kh;f51*MBw%FJmaIk(1qv&}9oL+CJu~_Cz7=jMBWZG76 zEuDTzT($`;#_Jo8z@7C6l2gdw50{qKY$3%K!>)c&gTflleH3)2xOJgvLjRV!X%+}HMEzk@=#DXHrt{N8Az*!Jz{I9^ z8OhmMW57uw(3sjvz#hGO?z64)c}u+hMjc1O5qniu$ua~+PnyXB2m>@uaC?1sDLiSc7j#D` zQcDF7NK|xnsk}J~3>{Rq%5gl0GYg;KzNg>V^Q;171~>o>LL3*R2|Mp4mo2zCEmx3s zaW}n)qeIaE?yCD?+mUWyC!DFI{A*q>nXWS>H?wX$hcJ5dmDmOVYV&?g!A@U__MPaG zYRW^znN?NRawO4-wwN1A{-c>ti?%I_iG^e02Yxja{w%9_1aEW}bamE6AKROdpPSan 
zXrg`ZckmSVoKwO=h}fr5_-CpQgoWL*_5gTVPH>4EJQbF5#rq!**|P#xda&AY(fMJK zb$coAqTj2zNc!SjK7MR+dehKjKfDgDxGbi2Ock0z;L;F|ee_9jDNVB*Kv7Q-&~N0r zVJ?`K-O!aP^_zh4sfB&ISG~}(3PFg_8vvg?zF*njd3pC?F7d^&nt^+s*PM#hH`@Y%_nRo`pV?NtxXG|sAP53^y~j|cSeP~xejZJ|KAf#n0OK$Np= zd{i0WkjwGV{GOrwiWRT@t+bGe`(c&3y1>a<)s(P2#76`h-MWZc2gQ1TjZwXelVj9t374-5 zex zO4%Q)HXTZWv1>eCuD4z+wK%zRSZ#Jb7%k9SOkEfCy4{Cla5IbkG=xK1ux)1f-4|W~ zrgMyIpf?-(l1pVchQ+c!7RY6HKDK;)FqI?q75k{7{;;c9&CUGmsbRA`l~St^vi$07 zB!TvNqhgiIaU@l%P5>o?`)YS6h0RHEn8&?smW46Fk;vk5x!dVr4{a` zs`TbqtR`r$Q{d(HYG<;_2`u>bGIx7jw7Dr13`W4+@{4`PO%jSgTuc&%f_X?1jv>oU z8u4EDfg}>=yvaC{(6`tmiX;Y?>=SvaHCYU8sW(|{Z5EuN4~y?&R^0x)w3!C;RV{gf zz|#YHq6i`n#TN;DABrRyx)zGB3cQaL$ttoulqnjzK9s3Cwk?!t2ELD!=_WBeV5)Bx zoR2?0a}PEberIbOvHWg1%0r#yvEoBbKeYRa`bWUiBXv#)A}>vDMCvChU(U{w!}v{( zW17qaMeL&76kT81!f&>%v_)CIPqf9kzMrh)&Tq}-yfdL)N4#TOpKQzGRO#p{8diMi zD_f3R>8m=PN-0WWeyYGIyIeZsmKKTDfH3H-Ym!T9dXFvhYb7~Ps+Mir&a&5hpBbCC zV=`>2IXp#9xhyVOqEUJIx8n)fs<$LL&qDtY;Y&V<$6}_ld~|BRrrUvHF2r>iMmW23 z8AY7Xm1E3Dm&+t*+|l*_IEZK0{&9#XR+q`kBHZO`s{*_U0x@!1NHq!ZjS5&D%{FtC z7~YnJFlLnc@@Ev1uY95`ArH$R=+RkO-LpO;pLX_H1-@7IITg8a^5NfEdZ(>i>6a3O zI4rAGh_Fxn{lBc2+C-`NKd3PiFt}qn5ph(T$s(LaUY<_-P#aWu3Jr2`Y=s~Ra&Jcv zOjyis;ql##43e}lbe>6iRB&dH@;)dVmd5!H1GQZ)h;u2*O=tg#p?v@MJ3Ma3T%yA zq+LC$k}8hwso9_9@7C!B;As;;n-~6AJ3{azgx`W<8!r3E-wjHBmcTTJg@kB{`r}Lm z<3&^Fvn-MO)1s(QDRt(ArIC2oZl8%Jt<$~A(SBT3GN`zB5iDsZZtQj%C4Z%!of zN!G;_!$p&8m(hjtDr0j)e~wG?0X?K?Rx2^b7zlVHb+w(vIwC{|WQ24>eaImx>X#nG zsqRHWTf-n*(GK=#aDjG){yoc31B6lsV!ziG#ZPz-sxrt)Fgq0^VyF&*zBB>hLQ_yl z?14;sjNwDQ&5&`0d+EiQ{3Jt3na2Qql1~7P zt-aToDNe(4)!=XPN$7ROW2|InG1}^uXWfGUR>htO!BR2kH2@4koCs8WbT3iRG*Af> z6ULuVw5Yly!ol-8WBa8C-dY7n?41MaRozXQu>4WC+c*Q90R`AAfk8~HLp0C^eBd34 zOu@JcrJJJ`=Sh)b8y10Ysw1cWOwz=LIg(PRULa-AGK&3EOP1*2; zV@(|kDo4GLw*dwqQFK#iqv5j53}JN}~( zkqM3;>7pn1m8F{N2&#@B*S}0&mNI|FEQz2X>P1Jt9K}U7sV!%>A?O6ar`cXx_#IlD z=XXbaTd_w(B4S|mdQ$sQiCsMNTXAy%QPlly=DUC>2!T1Kmxd-7r5*VYl#SlwjIOL^ zc)5R8y^OE{C5m8`L(dxz@L*!j)cvh;7-tU%;sz5DUwuhi!EVBtU=9nNublGDo03jNW{>pf 
z5`74>f~45k*cg$!r+n(em-uoCxF*kD$4F=Flt?ME>dzDGiGLC%l*P8UE2X@w#eRU- z4uHozO8%V0WPo)ck+MhASw?pRhc8=uD#7lfXaf}u0d zzpW?Qkkou@sEl;WAke7Mm~CBX>}<%fjXlxqdzyDTzpV;uJz+=t&qwqawKD?g_4YW< zmVaeDvr%hXX)=WDNUd>AZ=nWp_meYGg){SSUpww&>)qtW+hy($ zgSm(KI)8qNZQrHfdK?j}yh^Df+++0e8U1tRnm*aS&)L;7=92A}b=`ize*ZWb)|s1y zMRX_%Mjv3FaE?`@Kaz)gm`NeNU6c(tR)%1O6_vN;P7oh)h-5mGb$Q_2 zKC!0b%rS^>ZHMXpe|^O3%KMJ%j*CDr-xi4Zp$Dt;GE&HYnY<7p#o+z<9K^p%&ipv? zzdmBsBY51c^E!A^kt>=z%6j~iJ=Em)Z@f+K$-h2gkie-K^Yij-=iOf)@z-obI3v=u ziCoyn@7mEtiH3hlik@2Bs$TZk{__#@m|u^Sg!r`Fq~J038FZB=5Q>$vg7G*(v8lNx zHUe+60b;NJe8eE3mmOyCc?usy{4pOc{Fte9Wj@)SGa2dw!jcBUUlQXCbQ9$MIM&EPtRz8d%t7iT zK^`=Y+xnqA_x{n{_(CBnA%2DFB^HXxFmoga9hDU0ua8KIDVePqjjWmuRzM3+09OFW zjVH0v05pLbBt70GC4v3<*GI%ATlupM)tf=eL`Kf}lU&f0=!uk!><5MDPf9~F zDoe-@Dn?}I+oYyzRFOYvK9kX=lI`8*QfvMs{7y#S_>;bqjN!Kdb>MG`!M{Et(>@tP zsVO5lqucB&yR|uEL3@{Oyq2}TWrdpK8`$gMRE?!JPunpiee};eR3|( zJgz`;?qhKZYcuZDJRXRT2)o1WXvW)^#|QBdv48Upk_-IjBjQZ_kB=xMm?QX>CyYuV zg1vhNlP^M*FUmwACQ2;INg*zoFRp05CXjDY43fN){HaVK<(V(_J5K^rl8r%(onH*e zCxW}$jJ3G$I3QoHlR|#bR2nssBe++AU5rQjZxj!2B88+ZNFXjuskKj9u#dYwRN!V; zc924ivq0^;DW~nOsWymxSd4eeT-6f9+ApT$xyM!_QXbLX2KYr7d&CISZxM zFwMJsj-{|Y^*)8<0)^TzWmG&<&qAxfeIz>YzT%v@*&s+okX#qDkNq7bXR?J%r5Kxf zn4)AKCpwk&29@JJ)$ON!pK_3#t%Y)OpYcMNMrWS|>>lq@p(7JD#78{)L-m~vNG$Hnp#;p-&;TUt^Kq)w*wIk^cmBK&ZU` z0(IbiQD6)?&v{W0#78`bmZ7r>#x4%&wEB4Uo33#;gtIt|ijB#9meV+f*lf9>IBvrFHrG15v$$-!`15%& z%nHrtLHq>RlEj4%hwqK-A43x&X+9%^X}@xo?2C-i#?4Nj_B{3!C#j}?wJb^HC2rt0 zxta@Es0U0e$#t0La0YK;?}j`W;NE3!Cm0^34whunk=BlNzq|T@df7v#FT7f8v)+t+ z7+pd^(u;z-H44bVLqN||{rz*IBv0^o(_rgeH&&Z}->x^1{9DRC!#v}77%F!NfdFal z!dHxV>njnu(!%5Qc}aLgwSD*A0!dW$x%vHF%zfpM3E>C=-|39O+|oC?>Z_G;=!k?A zB~F#?JA25?^n_YNkIU@_BD7{zs$R8bS%V-N9Z7^Rv?$=W3PCfiRiq(tuoxpQK5_jJ z5y@74&1btX1xUA!iE*@SyiIXl*b*$r!zVxcBWRRvCn<4-Fq#HK3 zhp9Z1ilLp1A%wNO|Ejoq#tu=DVGy;Xuks|xvV7>Arr(vpE`VWV#(MbfWJJ|;q|*MA zX8C|3&9A}oh|bf#8T*b=h6%yqVMqJ^{qjjp>(MKQ)HjCdbE~QI@?PwUncqcIWDYY- zjB}n=kZg)M%`<=Eit*5&^NtmB--pmtV!xE;zRzV?c%om-c39+%Y=wtm(-_>dPE99^ 
zMDU%AhcZ&OpAfS+oBheS8CYmq&bV8i{xOFZDKj3L1PVjH2Wsh9;Yg-qR}s9Ph?8#g zy;V%k#|ZFwiy2y;w7le7D%fE&^4wGPXX{jaSF|wE)EA;NLo`hhiQ6BHYr?pPJ#B<4 z*}pN513%+U1KvE)+D=2xYmwKIlLQLrCu5kdn5@jSbJsGVE_}xy3?`zCt(KDLmpIFt)gj;vZ(dWW=Ri?>YIi9Y6DpMFA7{w&C1dS`bbi-sHxxCf@1w4DElsVeOe zF1ouYcbzEWMJAL^0W8uN6j{nePjnr7>m6fu`8%r`wO(2R)w2@YkGMnm zIE&>2ku`W;6o5kgLFo3%M98Wfz1P|I?~jOO<9uBFC!az)BNFPW8c+Ce4+@ z^NMDuhPH~8t+1B9j+KF#oKC5Bd9aodiM$K@M=7+FZ~GM^xRzB`KAB26<0S<1CH$e~ zmzY51N2RcJR#(cI-pi~QvNZ-4BQ|$WnO$@dOD6IL`Yz`qI;#Nac>pO`;{t0w6Pm&-^(Z4sR19 z_tZF6B-E;Nbyg=60O}Z?1&bRcp8epAQV#b>z7$HYPAKh$G6s&*0$8wLTGXnDbi&pH zt#FSYn^wV02dKJr72a+Xc4O?Nn**GR-n3oD9i%5DBuz-)*T^t?P+{AYi7NhBVQL*_ zK25EJpVC5McdN;)!wgq|_hM4!le=U}g({oYbN`{bR6lNZbe zr=uH}cN>kXm6vzg{mYkouZ$+&CL>oQu6I>j{&h|GeqR2IP5y0MzSngD7hX3aZh=}{ zL2%sH(_Dc_%^~-P-qa5v%-mlLKZZPWhDmXszIugxtq(VP*wf&SIDn7zdid(-jpx@K z9n>6pa3B4nd0XJYEsr~Pwj_qyCU&SfHm%w7S9APHR*+g#5!cQY`#Ce9`m$#GI5^T6?s#nc;ifc3%Q;O+<3oS`}l@ECFr$&`s!Pf!AqOx zTWZIfTld#TOz8D3zi%m?^)34KH1OLu?&PWbx;6f}bp_~Gz3Cf`T~W2x!$UMP>*ZS>k8r{4teo6e17SU@=wU)A1QkwsB8C0Xd4sb8^dXW z1h|Zc-H(H8CWiQXqsoTvUtH7p2fCW3o?j+{uBOQarXg#x**ZqJUS{d<0xZ5>s2uTGQg-;v(7HalYQ-?qu$mgNe5GYf7@z3zy0X1)ewDhb+MyyBRF1NZeh z=iCBiq&g4#1P<-44&?%mGVYG50*}2q_o=N(60WzV*RbW zU7Y@{Lyqortyn$(t+&0t9tI(a9&;aDmgRVEoF-djt|0CHtAlUUAoZFRxPQYinugTNke=Uygzl6ecL;hb14D-Wf_3_L zkdP1JzlvBb*zfi2YZv(7U(XPd9`Xo2a91mz*C$9@Wv?q2L8O1j18K1fECzlH>RK^+ zd*l1pkkHk?8$p0e@ZaW`*ZwxQ`0)1if7>E>{rl-cj_xpMnf9^Xgfa|=GHmr4x{A5d zJ^s6vK{%Rx-&VCpIuV^%oyHE2$McrtFBEAi5wpD#;CJ}hOe&6`$Kr-tl|tt02c<&s z7FCOpR2;EEe;ze*xeV<8k5FXmtxdZv^!v#7^qvcxzN$`z9tcU6?Js@a+8<90BaE0rb~z}qs^ToY9=mcf1ad!sE% ziYc4l`uJeFNUJM5!0-Ozz1wxN0BL{*YFg+Av=?um*B9_Av+(v7{ZuyyLteQD2G1RZ zK%rVqB2~w=r20L4P2WW=@RfW@43+O4dNZsH!*oBEioA*hXkb~KRW&$wpU}fI_K?Uu zzvXd%%`$WHf|BOstHUCyCl^zMEz!YZ= zdcho~8ey0nW1E(*>(MvNpZV#QlWd><7LLg#&(}7FCC~AAIy)%@M44l;K@OFF-{>3{ ziDy}=GgN@>v{OjKf1B?cES9x74hdVyGuO}KSHYF7cE3=XXXic{E z{2aBKaTT)*d?OK!`U+JFTI(Lm4)-P2^#hel(e82bsxDaqT1J*(?u(m2KveB@-yM#6 
z3Vr7jiDm!C^~E&{B~0z#pJ*#_r#$o-niYIc*pfAJ1|zh0BR^O+o5ZSs6?OJfaKg3B zOxwoMHOO)9PtmiSGe+nOiJRZ=G=GvSnc(_OoXFp9#H-4tmuh>qhdP zf5s#hbBjQ!Zf=9=-KSOzgxR+s$+b)Nyrv!w5`VaQ`HHSse4BTU0v;DvNo#gTw zjt7+LxlH0Dc>aSTS7v|*oMh&|Z^LgFjG{W+zB@2)JnZlctlQdB_zpT72i@zQFGYA| z`9^=4G<-h$8aK3><`ES=6$-P-f3#ht)TML2?6etxX@|u7;@JrP?DZ`otm@7GX7geb z3|{U-e&le{hROJF`H&`bvWFIo;=Tnky3PrOi47K+O?<>n??yg{3njYQf_uNyv60m$ z*^cy`p|ubT#Zft^6S$3Jf-6?u&&;sxD13XTL@uk z%msxZxtpT-M5mD|eu>c-`*iG_mthugVbLv}dy~W6!6G;vW5K?ImvGx&&5}of3B3lB z!7cfr5k20cJ`cUjvT9!-EFs`#=Yti-H=Y5PAXj#Z*7I~}iMIsnB+^{vOs|G=4Az(i zItrqUMrj4dB)?m%U*utA-8IIbAh+^e((yhSjmjBM_Lp6-vUtlNGudU5dH*i$Z65@R zoN@UxoagC`A&-dQmfp{>&rnJ6OLb!=b*!F(ITuf%<8j8Fh%Xu^?MU8%Rq^}!P2p^@ zjzYvCOGdN(KBvUBf=8vARSi4Q^{9=k`$kgMZT&%izeqI`>&NW<W5pfoW`vvF5HOpv;sxADx<1d=kIJA_)8Q*M%8jr8%*)WZK9*Us~13x6^U@rk)`2l zloXy6DplB~6+)oMz|j)Ty?xCdd`%^T+hT49+pd1_cg+UYk}^YsP2Fw$#djT0Y>SBm z1_RbwbsO`zz5%I5&)>Bikg==6-`g8J`u>9=tsGANL6NERHD4R-EtutW#@^iPvc^xX zcnEZ-l1?!TDk5xDV*fAZ?jkOZ?q3slW8Juu5G=U6Yl6E=g1fuBySrO(cL)$HxJ%>i z?yi9_{l5Qu@62abvz*%2t`=3N&Ut>{Cvxr|DAJ|cQqOB;Y4Tfh(|yQ4P^8R}>&K3N zpvb6*RbX0c9Yc*ng4cgRk+zQcf3*LBB6}fQv4vV%XSQkW>-QIKjrh7(v1uJU43{21 zqjc{dT>ph4x3e~$AW-D}&sq-%6#0CT_WSMr(hrJY>kTozyAQHg3#kcu(EQ#5w7m)< zAus^SK%hvXx)7FZ0~AP25a9y^iXnl%59CG=p%eLwl$QlG~6cCr2Sn z58Mi-&@3NkKtX<%1xFARmLKjM<*2x}G^N)AP~0*5lzVk8|^*tr{5I-QCRTIoKLt#)}5oOrP>Cx$b+;;S>N!T4urSW zyxbrbRF&n0=z!1HVxHTCQ6>OK37_Az0sL9%_ZmioE`;pR?1ZWA1M{KI6O7Zs{aeG^ zA;ye<4(ai!3WR#inoNu#RVRqEqX-R=3V^rb>{*vNS4_ryAeSvc6lf?1{xc{z+#%-@@6$B>Ih0y_#`Wfh=d4`VRBK^fD2=r+EL{HZ zC~uQbD0HV?`3t_IgtKn~#hFrYYh3Vab#Lj#9S3<2eA?2V8K1vLe2=fwGhO~Akf`+1 zw;U`1D%aVcxh6qgt9$Qy{`@Hxxvo@CYZuW}fis;~0R7U`Ra(wJS&d*0k_{6`pwR9}ugPPv1fB3zX zE?gU>LpRt2d=O4yHseBY19vmJxd1MIwSRl(BRPwdpfOwa?%^7aWXF8KwK*X$7D6yX$zVKHjA{H=dxGC{Z4 z?~r!Cm@^~0229KApN!JO8C@Y3D#H5;B8Uj?4c0;C7)RT{O`&K%=Putl>$WxJ(R91t z!zW+9Fr8%EpqeQnc-NtLFr#Knj&`9UO4Px0$K9pJ?BUrXna9K4qE2Mmp=kq9>`@U7 zx-qbrQI!%feZZJZ@d)Jl2rZ1SwzAuZLZ_be=LCQ;JjK6z=bLrN2v`ZT;PJDExZOmD 
zPZ>(PFLswtTl?q+Ti@ibyJ9YuqVOQ?hFcIuvv$AadR%yG4ITZ`6=QlMZd&sS>RTR6 z)i?_3^w2xGJj@dD$kz^!^CJ5$CJ>@*N9{d zA7z>OW zob_9VH@9Us@5-!@QOePRM6`HCq^ml@oIFyuIuw6akp33lqT_xA(mZZHO3o#WE+d{& z&)L~DV6zte^qMfC{u7)NGlJ82rtP--7Gp}o19t*mqdu{m%r!L0d=1kf;?;OCI^x?U z$@|FVw)P~<_iI>W+xu_&sBQkhjp&)tD}>#It5jApiu28Qv_Iq5a8uow0aNR)+vr;H z@c5W82v_i=i6}F~G&G4Q0<+^~`e>GQ3|Tao@L5 z*Y_r{C7NJG&;{jG9#>E&0R~LZ7`!dY(opd{JgTA@3g}wIhn^FX9(EW!c0vJ+QbvN5 zHWTQ~d5`qV$0gm~B=q))M3$3~zVU`yv{n|K#;lEh5o$oMoS=MIP zEOya!sN%)i)=ZIMv_h7ryYEs?f|`;MNUI!wKo?I?8`7=$U^Mpq{q!q-wMK|p6!&%a zhw`7g=l8nDKYJ->2aOeGZtlhW=ul?5HLY`bN(85A)jZIC>PWhBVEF zBnyU2AB<9zjL1@r1Rjj|J{XH}8c8%8ODz~Hahj;PnrM8`*LpC~`Cw||Y8sbfYV%;~ zz-i{n1jVHU#AIa^lvPbt#rO=( zqs;V-EG;eV?49i0;vrC_V^*VEe5Ge$w^w+Ax3`yHfO|+tNT_#WxQ#}5dRcgBdqh-f zR8o4hPeF{UQ(SyiTtakmhb9PD_eR%PdV#%gD+p%qlF&D*u($ zF!&#(GP|hpM}F@AD3yhc{YC!`RhFhjL7>X=f-HzrS>7^O-Z=~LDJ#ZzD<(E7iwY~N zAWG#zRh&yzWo1>zSanidbxL(zZEZtCLt|BCn-YRk4tD$;9G@Q=9v*JY8g3~YUN{MABXM`zL#XC`N6+sghiDOV36EG2}ZoFDr+ zKRz%&Kff?P_76qbUj?Bkmmm)1_TuvX>FRg=)w%K2?a6-}%8i}1)7$ld+;zycy|%u) zw{i2b4Y1qZSla^|cGu>1Pak*BZuhW!_dfXVQReLJtnVG1?A<=@ z-M;SQ2kk?yd);;F3iR*ENd=2n=dLBE?(|0US1$3veF)bwua&+4)UO&rMSQ&B^?2*2wMB?d|U9?fK2^%{c_8yf2^pho!8oyKi2+KVG_j zxW9jXxPN(hXj*t^8G9JoeV7@0IC^||cz$eOc^p`I>f3laK6oDAeV#seUO0Nbhuk=R zetvj)c>WXY`)BR!U#0Tu&)wL4Uvs@dlFC2;^7KtQ~YA6~>qE@NU9%(2ZOJg<~&6a8`naJXH zI$0ZOES>rx7=%bD-BdPRD49g7Gul)>TdG(nog@9TV!l$n(Q2e`Vf}g(^FK1BxEj-Hk!Yp*4{1@0EbH}uWXehJOS`@#YJnfI z@oj>~3yt5uR&^4)2CmmSy?^}`xlS9MbE-ERn4&?zGImmi zHEu9&T&QURM4cnzJ=uEH4EoJ|6KT9&Bo2nil!XX>hdA7;G;`d2pBS*Eogyh`_}L;j z=d8<6=pk_}BI#P3!ASeX2sR@h{)Z!oOj*+(El`{HU4glOOGG35VX1L~vs=(?nF)Jl zwm`6wVMNa^?VL&>NZK>7I3@87Q`Rb~n{zGW4m%?{ac9ej)Fc^9HpSGmBr+Zdh?LR| z7O&t!XZ`_eag-lUSz#_L@?nHXK$7S=f~t=Dd6YIAAz6-3wIL|VDy%vcnKt=BTq<|& z6>=(@HqjhjLD}~1YRX(Y!j|RW#_M?Co1D_JY_UTAX`IdT#L`gaxRYz6V4U;xtnpVT z!fs)LusTh4)85fW);IY-Cuxe9QAl3NIS2UA9^!~cfoZuNq^0B0w9C_OB7Q)Q`00)Imb znCM&u5hLfrTNKi=$6N(d%jP3KLPweIojFXTuOOO9_TjC7>AIQI-;p_M@c-Xs%He^3 
zWJ-PHLfj!-a@dUP=>J=$lpNw+xsFXa4kfy7mH6^fALoZ$L=43_QO-vV0S_7)Tb3sh(yUW%=-)&uK3n6I$z^?U#Sl#_!Sthl$?2AWiD5# zxj6bwA#fX{$sLH@jR6lyq$27Zg%G)-FaF|W_{=#R@SzDEWYsTN!Z_To2eZ0pzh?j! zG*PJ)Cm2HRzgsN{-zQL}2>02%86jsNh$9$%MSUx;sc52y=RtGXF53WjhV&*Q&c4mlQN$6<3U-yH|} zFzCy!iju?(!z3T({kmtrDcpYC>wq>UxO9Pxgu6B)j#3_%Gta_i~Z3uz}D{2L_r3g|XD zXx{KTJy$8|xs-wL*vishRi^Jqwy5)4w)phSWD`| zTD2In*4h4{fI&I3CKuG;%hQuf^1tQ;%6w4Kz6ubagvn4eSzhq}H0&cCZ_TZ*;S~Zi zffFd~5AgaP)Hd%{a_3gE2gl9~4W?I%OZoegK63icaz&EojUQ2Al?!eg!13he{QLrF|!cB4>u4GD9TlhN__O zOLf;E07HHDN0GOOBG!k>Rgb_dlQscIWKkgGqeJ87!EETmkl4c<6zlQ}Mr16(;wnO` z9~ggCgN;{&PQ``CCXVF$s8*BgD@GB4#te#3Gyc&E<(?N#o#%&l1qinXLO%Zs#1WfA z`h&RsTez`66WK#KonGR3rju3a{ko{Uf zLO>ZYQW*2pmRahMN0KmUk|KE%*unD2ONX0rW=o3meL1Yy&9lGMyTlk}UOfV64@$y? z_RfPcjt4CaYj6Ny1Hh3&{&4;jz>sbPX&zvKIuPYb-6huW+0^J+doU1q+}U z54;HgP9+aUlsF|Y-dIN}y0*-B=_iz{2|P7Ftpht z+(EJ5i$sLhmAXndbnvqA5{0`gRcz+3jO=n5toXR6bfxs;r1vr;>nqr3fJaFL2qcv* z6&{q29h~+l9`%`;l!xiMk!>bHz!~TXLq?L0((s26?vXI4mZZV=#iU@|)F2Nid%@@~N!ajs=j$s?AsT2W z|7e>G&?qikPCDWTMId4xG-aOV**6$8W*|m<6un^bi3IF@2tv|Gt{fZOTRF7NP?Vbo zf_xs-!9W@Wm8@ll%lv6o*9uUKNBsB%d&{92y{yY-ZxsxH(5gR_O97;cI`~hv1oIi( znT5Qb(inhD&Tv0Y>CB>j;AcGd%@j15x~O7fG$;RH`AqkllK2=ZS(G6rdN`=CWrts}Dq zRb_#+TIS1;nJ;pcN|;jcXz%0lD*#N5FbjZ|%F90;Do;v5BUFqctV@oh$q;@3(pA9j zU!}}0BGn`M$qr=lwLuD5sveIDy;_vYBBcLv7fn#8!lh^MgvX~5gVa7bM^brE7kWL3 zhg6j!sF9*|jb!Uf=c;fUDzSO_i-aMwe)`qG8gPh6YBq2u2(qZT78fiIvgcxWPh=tTQSC0-emyrM{Rm|u8k9ALmO z*a)Xmv%3N$ew;$FmHeeLeIoOx=2+DfV)Ys@3$s0_Oe)>D9poF~zVTADX(@L^OzG>$ z;PE2mewzT);&586A(Z0b+zDkZq*Ih^nObf}s0^WUO4_-i#`b7sp-IB~Ra!|^u) zl3X_qo&F9 zycLOv-q&EYryM_PQLAU#IF>TIm$sw#iW~~J!v=4>mzDn?nUc-Bhe=zX#rnTw$}Eiz z9&1xRdqes}&a}j;`V|QVl=%k`@2zm%2h_6%G&=^gvjqrjrXg>dFf$V6>*+_BpXnDtI>G&u_ zrmQ#{t>YhSkR4039{U;nuS~f%*7Z78PcYt_J=P~XPPV4xkv;xeIzApfLgO+HJ`3jJ zotTlG2=|_tww~zLo>*QR-*}zaT9a>Cn^>jyS>c}?7@s&In1ryD7aj7)vXlG#Q#Y@Z z58hKx)^gY0ldsybf7Yhnt0q^nr(ku!z)o3!+!P`MxX2rf`UXbNkvYuQRXCb=C=6f#0Y2Qs@4))#|w 
zz(0Ie%H9maJ6AH+SIXa3>L$Jw%B|F#kJtOGw#F#u>#VjOEcaNf=PG*k8_xa!RB!=89!#)303Hl;2u`Jx0T_L%1nEPSC~oAqZ_55%DIgqmssk`7 zwi9aaf3sCO=MEY@UHzRcUGsnjZx6qXqW8PqDE{~xJbDH5M_5?q z7@AnX=c_0}`wcunz;{6?_?jvcW&n&YK!Ev(`P~7+~DrY(9-T)>ZY#xh_{3GoO@V$cuRD(*$4z4J1m zqoZ_Mzy;yXcSRV^FUkAo8~k8pJ7NIB)$!{w5(T5~*NY<|{S9a^pby^HMjwz`e!TW~ zIs40m+tqP3!HK5e$?98veNDQ-AvBTXE&vflL(x}RrZ9eMeZhV&5|D4%eHzY~@6Q7~ zTnB>CFWz_x<&w_XSI+j{bVDzWR0Q|le^rKnlSKiW>%P~46Z;C2Bd&D-CH+ak(B8P1 z;qSyJ6z6OBcGBz%!ML%oy_xEYp_$q56tHAjFtrrl%l`leHX=GMP*{C8&@OlRbpeQ1 zS1{d8a<{+_?|F!M>a)Igom)pzUjPpB8<*9<@S0`Z-}ejxt5j2dxwig`{BDf)Fbw*j zU$Pf8zgJn(3{TzM)Zm;?uc`~_9)lu*O&fkPIFI#U74e@S^Z2!Dz9+vcw|e{YS$mKV z_?Nq0rS|(1nd7nTR@CaB~DQllG0`fiKLQ2apsKH8EDw|Fl%`z1gA_ltk^ zHQD=p$lA5x=a>C1`|nrRIqk+wb$^&f|15rZq5S$%^mT2!D7MP))vfcP#t*gOYaILK zK?CPQHn`e1uC4#W>*(i|;oom-@9(n9Uq=l5Cd98YMF#f^m|jOW-%fu2?I(Y(Tze&- zdd9i8x>EN!I(mM3M?HK$cS1pbg+(P-|Bp<`XuJg87753okcY^WJ7UqFIBfTprgtUc zNyK8wHD>mtl4;axjF)E&I-Ir*dy5ciN@P8_fA43P&mJn|v7gg(-^7-p^YQmBV>GC2 zP?AyEcI2HDoFK6?SCU`Ns91n&b?stN+R>|Ink?pPOjZ}pwOSqaCn0mz7djmtBNrT_ zEwy@C{w}Btc3ySsj?;l;g$lfF9~VL=adr^FHA;36 z$Fpj>9*pAkPWX+HpkJN#xe~lXjI(P1X(mqUcaWmYa=wwGE+j|crmgHhj$KyNRusY# ziM|;AkZ{K;OEboPE6YBs>Lhpf#W^XDbf5#1j~GNhCC}1B?ljKz$M{x35C+FtQ8+DX zc2poJ@x7W^6l%6nNs^4=zhz319X2KTk7~-LbRWuOCl%ht?^IP))LhhLcv761gov-Y zk-5Nm_usUgASWBzYUn>zm4i%N)D5FJ9@LR_;68w0Gyfw~K4@S8z15a!6XspDY}@Z2 z*bHjtC!)(n<-luB({hg>moRn?ZHM0}Zn~bQKe;HZ(cn0BegAa+D^t2}x!tZmZpk5i zN!Jg>cYWIax~-;e7>vc~ZV=A4;BFMlQT4PFCzPw+8~d+Jxy>iO7cXJDyzhIT;$fO; z)%}b5ypsOWy9s8#-Zx`r zn0I*{3129!xCM8hcXywK7r3nv#h~H5rwBcxCm!GZ0Gj50Z_1l@y+R$rbKU+XW!>-} z+@aC^s|a3u3#USP6kS)YV)2hn*N zw1!?}Njl~BwxPO=wg~zCL0iv?f!kR*$T9AsV}Snl zUq5W1!y}LPqu?tJ<3vt-cp4j%5lSU6_}aL6<^?cW3WrdDNkFO2fma>V!B5v1oN?qP zG;+U&KP)8J&}tdd>1gz;3_5xz6q(TCc#K&QhVdtCn=tu2%jo|rQ<}2Gc*q)4CZ#nP zn*zilM$Hndc(SNxy33Yjt>6DLWrFui;pCj;!UNc{cC(9VO{l)?htC?Ekel&Ye3yZM z@0sHUho=X}^4`Moxvk#CUMEs@eg`UfIj3g)ou4qwsSD7NIHD+YFu`ee2de0V=3<|R zrhHtTk}>NC1>lv1NqUHrjU&W9hm$MCz^d{iCG0-jrO-rbs+NTEl`^m(j)isy;a@zB 
z;r9}wGm}H%>!bIgB1Qzk+6bX(#fPBT6RXma;}qkTQy~i2cXGVm0Y&BvK-hKSX!`yk z!80L*-jJ8~C8Q#Eyc2e2fLn#2vegJlP+0 z1FDydARkEru!$4l7AQHafcT{wvU;~)5=b1Vq#zc;BRKtD5Zlx6Obv~LDYz!BOdEi% zpKK=LrPKB6XWo%0HP@)p_x78h#E#Yi!8|Bn^_$ zK2ixh6zNK-w(**ZT!{Um(3dD3*s#VXBq9dk2|n~L#3F>KpONS<`jHjE0kycCy@m+@ zy{*uq3Sz|o1D7Z0Cn0xOvUGrY5ZAmgA$Jd(?xCxlbaTv_#mCq95Mu1>?cc+#WbfGn z1mq;>GJE3mTkopW(MI(8coG@9T+J*&N|^94$%O#RCP8@K9;a{mT#{z2_@{}57 zOvE*3l1iM583ZiE%sjPhO`8f!JiNYNV#?@_Sw7Q53X;9 z2KL;096Oh$&m())=RqY0Nje%8za(_+wVu?s4Vc}AYm;xok<5_|{rf}O{T)lBx22mh zrLa+ZLU@on46sM-T*%%XVn2@kB|cq~Fu9p0t$ zH@@O9A$6j|QNxlVKbJ*w1b=rs7|l7-%nMY8OK@bM&KdeM@wkI9htN5tbIBIQs|cFD z`o*-r!`J#}k5GZmF-_;r^l_}ug$|3~r&NAbJjdw-tXuwB099t-nW*E7OBbkhyW@$s zf9k!}X^m}uIQ9_w*X7&OFq-epeJb~y2%}@?iZ2@8Cd}t_1)qRYue;UFrtt=UxO7;Y zF)nl>3OzyR%4n!^Y%b2#!<_5_rY<@{swY0uzur7etD-LxzpsxjZNPsxqZ{d*Pr2-I zTMGI*biu#-oyz;VyWF>a?;^o6pm!s#wLPE0UaWTe<$s#h3KHVw`bBzPE zZE>2qNQODJD~Q|Fc>e@_g_Zv`GxB$vf6-083I1kZQ}f$PHaOc znKszXwvL8|06f(m;<+x;j$V?v7zNriA?Dw5k+kIK6`MPCpSy$8=s4;6g*n!`;Wf(M z`DlW9%fGC{wA|=-GLIE=jEms%i?Ac(3%rVO?)81S6A`5EpSEJBy<->A7Imxa74q(X zG!m8aZsv0qmB|*BHU1@9)i2YOF8eAfebz6hDym37@O8Ie30qV}TTDYnOidL3TeO(6 zmzYvAn?{Eilhc5vs94H#rwmew`&O_Xfw&>PxJ;jzu`G>bQ=f@9YKT_ZNtC!nwzy@L zxK;F^ojRB9nz-orCoxHJ`zCmuwSlzhMyp_PXITjsZAjb1pww}rJ*yXsf8@7 z>$rrEwS>ENqHnZ>Hu(@_c+`UQmk+;WaB`ntM*;+-{6;VofX(40D;c>q)Fhqs9_l=- z7Ch`B+qVP$6^Sh6;ygq(E16`CrL4ra1m+1K7nNlFO7hh1h{XI6xp=+4gM?2aK~yr4 zJiJ3WoFA8lU}QL{Uv%`jn_Rnd&ge6Nc*9sP6VC-U0mD?3ocCSSU7Lx?I&#bx8mrI`>TyLIEi+;u9dQ1Fe95RADXd z66rU76Uwc~SEMoSITh$K^#FEm9d-0x(vj3*t$3g-VWxIRdYP+$!mNOj zNM0VvUo!-4@&!bnpM+WBdHWhj>w7DO0j#MNgLq(nkYpg+5`ZTi8e5zCUEm0S!tIak zAGFOn?0qIhzM9YK4gdrMatH?S!simBS5Q97bSL+3;L5I_kcafvEjr8gIU+vrqF+6c zAosx{_ch242jLFGV0i}N0;Zsi2fOa*f31W$9z|gorpe*SV0X&^wxJ2Nf0N+CD+;rc zaRku#83W$V8DkXz{y=1DQy$)&c@KN?*6D{{*+IO zz&z+3WhGMk0MqLVa&;w?U@XjRBCZoAU+N&C0wurkDSQrT@_dC3S>df;(3InYCBm?o z%$>c`K_BB`sRSzc^m{4fpp3a^f-&jF*{dmSK=4_@!;VaI!2v6>FkVKri1hp?EPY(V 
zKcoVGu<2B=saNHXft_JVK4(?GA_VfL1kf@oNu~qfdkZuJkX?QDxh=|ATPAgzpIU2K;_EUSJQ+s@0oA7pRa(!)rW36wZw_I&ap$}_b zM`yuAhulhMDMn{GM`xv4XSGvjm0{iebya6hXA_R>edBz6lW>D^MPqJXYe!D^fM=sz zP4_S)|5uEzp_lH73*~X=Msua^xz5H`v4ria?p0^b1;@q}gWk1??j48Ty-CjXdH=o7 z=CsA8X0YB1MVY31DrV%!eG`+E7=~;?E*)|GXA0%o6urIuZK8*5!79v4*f4q> z&5Y^Y-Q@fvR9JVLGX-l9`NT}H~}v8=$RFS$F+v63t$6&%G;Vxi^Yoa<<=Kcic# z7i76$LX!|D4ZfJRC@rK)cNxpw>Jr9g5nPYY2Fa2WE+#Nk$P@GDhsYLNR<}gaZWtJ5 zWQSLH8gi3_C$_^TJ144$@2hwlM_>=ZXSMc$L-Gs_G#EteV5V-pwsD)8S5N4s`%Ptv z;ax|Si5lrm$jykHzTtP*X7bZ;Z;f^0n408@iB9fO`I^>bM>pOf0|>a;^+yx)$J180_MF*?Jo0T; zOZ*bH-4DQdsc_Fd6fr&^_Lgdcsp>LB3H$c-B*2^~W}5ZvK-gzD=t19w4&DkpfeCzg7T>OBVISNaVps7uSJ*EvNA9%Sl3w&NbwQMhyqa11YEjHhAUSLosCR zEhL%`6|GG0TKOD90ve0R3&rBu;jD;aPNiQ=>Fj6BT?6yvkLri#2$cO~z@ccTHkacnXa zB6LG!BUg1(`o<%PyY-ZJk|DOe??`3x3NF@VsQH9h&`%>_80NKj;eq=nu^|^Nq_{*= ze<#=5c>g+f*YexUHFKK918+={;8K|Ci6P}9&_}`-8!wia_5mN&3cbQ-5q+v}7tDc# zL|w4CAHwD6)4wzO*9c0ooNw5g%LFTxX?e{U#o->RQ-}RsD|b{6;>8VfxvD|X3j@`{ z*tUXf&4aAALJ{l(Ir2b2y&!aj5XZV{xsk4K_nZ+)B6rC4P=3u~)K|!cRKI3G1V1VX z7Oypz90(UdUx%-W-yM9890>goxDXG|qOYy89ANBn^baCjy2HBCZ@lVmh%1@s({AV< zfw|R6lr5Z8wbxXesm7?c?_fM9WZqk811I+HbR55lx%`G${cd@qoK6``jD^_w6gc_O z@_52lzo0dL<%)9UzT;iY5~QjWl4utG4sSvnYIbBx%Y@|c6mMJx^f+J>_?jwa=j`Tr zcLHECAqLq}1C1oZOdyQNRj7GRrhD3(K$7Eg5y#uBTDUFMl zd6;r7oa0rfEEDJ(2x#gSrf%k{UK=J$<(j*5FVB?-DB7QK7kFZAr z+WLnW!iQ>ah1%eTn|uTs5{D%(KYXosvrVHg_!_QE6|US8YOLR?um7Mvgy1$5AzOMA zIONJY`KZ0>c3d{|?j~97&h27`4$^=JdX>2tbwi*EpivqyYAV!o>cOzbEsTpI{Htkz zK1faNA)OfH+Ku4S>RMj)Ec)YP^2gQWu%9V$@Fv3{a$nhD(b97+JtST{!pp+4<91*q zUer`P_jx?o^F7O^$jZO!B~g8-{Qbf=`m%cb!iwQl`$$^XLf8;T&iiLY;}2DU zS92PP9o22HF{jq;xT?77ACclIN)P+~IdgZB=X?;)B&ed`t!iU#tRaRzJ+ zvT|RJry$bxUf)5VEELg_s&$VZd0 zq%vO@5{sqnS;R(*cp4AJvR++p&W>-Xz*t$kT|OI}lf6cJNid_B5u?ou`^j9z_eR_E7ml;4n7)h| zq#Kz;dRALi?m1B)4vohn^cT{is5pkUIC_M;0>tPq79SOUXuq|&oUP0bUR>zhC!;k< zBro}g{h;A-=`c^IDUJFRr#W8KbN2?3DPJCMFE8JJTSe;_&Qf}f=Z7J?E|Uy1ZX&y< z@n?^0=b47kORD=U+qC3|670;8_>)AYFQedbccaOr%>9VgtS8GY*`BN&oxxU(hddw 
zl_@hlC^Ic6?@5$C)9x%M%5w6UWjp?Lr*g5b_*H7DJlNL{N}U6Udh%s71T(P@-0Vn& z+&ohkB}ntq6q_DfP?fk?N}H8P*=o|189aLsM6#`6Nbw(2;K>jixj>D0#D?7UQLJgV||Pj+9YlmUnHuZ*Ysj&Ue#pz-T^l#i+N{^f+B^?4`iu=C;N4^uZ359+|9@mkukp(PlJE34!)rd?tfMrQ9gaWAAGO{a#;_at*(Nwv zy`5s#29X=a`TC;Sz(Pm@?9;0!1Q%11RO^icV*imTQLty#=+1A4RjfKW7IkW)@5l6` z&N-G%vV5AmziV}}uYM_f<6LtXle1VgS|#M%a60Ye+Vp`bb6vMOWN6(C!T06fDZPGW zYd`NL-wu*k?3a=*!XR?r$*}6;IaG&21r{!LCj@292^o)7@@ZqK=yrF;_wSJ9quSZ{ z_C!6e=bU!&U3Tu~45VncGWQ}c!T%Qd4F64466M30!5WNaye?|Np*vZ>J}d(}IquXl zW(e+ecYrufHT>o)i*r4Cm%+id^dKIh&WEfPWrI20V3s0|laU5yQ|4;Q7ckC68!#mdJO zqmiE`gtOMB61}aVH^jixo+HKWgvT4TA&stN8wbvo4NgkQQ?wdvH)Pw#FA4=qt8*I= z8(zgs2PlwkltCe&3x}>i*=bCc2MHq<42c97#PXDF*JHA^a_TxH8bbqd*vd!bns*~j ztwV6XE{iFB3;$Sxy^p6-KH7VX=nkJKL1YNv{kj8wM^GGw!EU08H=-EzT&j!^dBE-1 zxdtN5azp9FCm?o#8<;|Agr4@OCWs6ilNLHm$#@Zxxe^+(%#U%P>%`lUF6xTxru*lNG} zzK2&tOhia4WqmzH=2rML8g1*GY(!5bDYEj@P5aK_tWA;Mlm!ILxJJir1L4e}w=)$a zvr&0~r9mV~nbQ4&hn`0>w&Y5Ym@W|??h(X!DpX@kRg2_(ET>DJ$rzD^DpEVNGeX;> zq-6^*#5gLb`ZDH~Scpe4FbnIEmF#!1 z`f$VOYNXWNd}gEVyZxP4NQKcQi4l;t{S9TPp?Y8gn-OffKTcTAj$*d7qPNqVvf;B4 z&ErJo37%t$<)a)c7ZUvFKCslFTf^j?WtNbH5ge)m&;^$!xB_(Gi>_8!V6n3YeVDvw zQ`eqJ7gabdFR*@Ot%ypd;hZaicx?mL>wFX8J^9OtEFlZgIxbATIze~FbPz1RKMb;O z71wU%Hp;tI$-NrmHy#SoSKfNeb$z&ZtcYu5rJ`NzDZ&s-gz-6D_j=^OXBq4h<^YNg z0~jNCC^QoK+;2q%ojKs3gcdptRJLCu3@|J{`2^poC6XIey%`z9S#)MzIPi)ItD^g; zkp%I`bBUjz;Bk@nKvb=H3dF+1y9nBNQ|a|u&aAn&vMp#~ty8N~1u5s5CJM|LIDy5m z^sl2M%wDQoOfN)_q~VgHBY}BXmI+?>RmXCd7NfogPV?e-QG$LruO!}E_d#bW!$(xbXDF`ZEFHroQyBNrRssqK-0ypL7*UxscXXaSa7IlK3EIXr}0SnNO1T-Xci4Ii1TN z5g{_At2#!rDEYuUF~SEWO!0i|(Zz}R7>YX8g^5LMTau5MNC4AqtiO66V@W>AN8;v^ zIHu&|)fklK8{o8&;1A{#wBg|{7~m4=c1`3HU2JdOtzklx%A0&*RKw3J2E>2!e_#}l zGLl*m7m%#rlZh9Qrviz2Nyp{>ktx+xNeMV(D1Aw(ec`AyNmD`!XmSlz`AKP9NogT6 zWh?<*jUiDNDZ_#xMT{XmFoofQl<8mx|1W9pT>*33&c}@cro=5~N-`GcLi!5QM;bDA z-vTzy!Vltw9JD*^tYnP7V;rtVo1)6NuWh-j z^H8kaRm}fVtY0ys-d45d(0sV&e<36sjPCdG!x%#o7{iqTA;x77Iym0it_vo4j3aH+i^m0Ja}wIvmsYpJ^_ zl{@R9dv0knZmCBBmDkLeTZNfobE&s7iMRZ|_Xd?u*P(3 zACo%pMaJjGERd6$5U-Bpe&a3 
z-6)aMf`o`BiMKpiI4gniC|TE{mEkz5mpaweg3R(bf-*WSw%k&cCOMHNQ<*f~&^)u* zf>w7wBd{cE^0+^vJco!f=fL8BF?Ux%bv4?Wuwmiu5*&iNI|O%kcMI+g!5xCTySux) zySsaU5Fn8Cuk8Kpb58%&Rb748HE-6DztUH$#foerF#F@ z^r&)EJlY}=s65Kbbk53RUfN=0>ud$uQr?jqTI*7GYYRQ=Jnzbapvscj!tz|&e0%G! zg|wBav}K#rRqmHX8nk*Nl{KZ6`MsAlpm5=3<;4AE&D&)JpsIM*x*Yu~8P6u4%%+O= zs)3a*f%mFO#HLxshC{`sV6n1(khb-brm*s|-o2_iv9gu1vK^bQL*%dnbYiKo-B?T4 zSy~l1Xw$6&yi!@T>FK0xC!_3bwCPf?>9a2H0oe9)p0_<;R$|lVAkz=f+J3vW8RE6g zWTmgQE*hlNydG}6p6I+DETsQB zNuM!#J)W9Bqd_-ga5ej2JG**1muWkOeKQ|LKmBmE0I-|4zFv%?nti@rLa$j~y+I7A)3Z#GhCdOp3~Z23RYj(+gz#GAM@H@JKtO{+TU#2k9gm9oz`CO z)^5Ks`ls5h!Pi|qFka#@In~z2(>nODGF|cBx#coGgq1xBGCfJ${p7TKwm5h;Vfw*& z`zy%dSJ3r~jO9OQO;0C}f?JqL*2b?=GRkh1q+4)#z*ci_4X(7N{!qK+_arvv_uun6~1 z5RP!V7HB(e&@VA&UDYjL$WgZNCB2FNk-#k-)Ns0mYPWxDiu2c)VqzcVmUk z#+pKt4VJ2jVNirJ7C;68#mn5};`Ug!==^B%NGCCbmzK_C!@@=$%w`5*Y$vLz3{2p} zW#j3pEULIK@@4Chrp-~X&4d*Zn_=38asfd6I7F+e z%ufBp0>cu;`9#O~NbLZjST4$I(m;7#6DJc`Ok=O16hBN zHD9p(?w`nSIbtUc^B zpDcoZ1z>m%;=SNax+o-tFpDNAb9p+8aufFsQuYK1d2rk7J~K_Xc=B=kXSIY~75K`c zF|modC_X8Bd59ag`=mKVp_u42y;$V4;G8u^YjY?n1xGBkN7miPeg_)!GCyPV{IHx4 z=Hu>2IBsRf@QN*ZNSHfN)pS#V?VtqbNhy0uN&6g>mY%A;pp@TW{)H=Y$Rs7rBpt#d z&gGe|9G59c6kAmk55F~A^;cS3hfE(2e$Y=ZCN#!-ue|Rb%m8l!_)ZtLmxA9NDRkca ztG`0N@D@vU7N-?_WaHBpixL}lW?Ay$Y_f2lv2fsamasLHAGNSMzK9JBR($ggt9v7F z9Aev^3+Ga%8|thn@lNoduQ}ofFo$Ts@L_TwD>QVeMKBrkxwG1 zvr*TFi_<68nos1^W7eCm1<2bG{aY|f8Gj%PXGf>g1;4B7cUK$m_X4{@cU4#Sx22w~ zu3kyLzF&N8n!o#gclB%53}JN-5c3aGbq_M}4{>!5ec>OL>>gI+AJOa{G2|ZwnUoG7 zjk0^}8~=EC_xN}IiL~yCJpReD?n&aU$+qsPKK|*k?&&%HnKk~YE&kcF?%6y3xnJFL zK>m4{o_Q331)QD*Vu3}fo<$~sC9a;OF9OSwJ)lGD6_7(|IJjcjv+5wQ=Fzie`mq+? 
zv;JLRBdup6Phhj`1G_?CtF33NPhi{Tofy%eX}D)+Phj_~XLs*?_gBvz&~Gwt0QO#g zZv|$bSn!al7i3Z%arGY2eRz{Xe~3$d;*mTjML}qM_s|9st_Pz~@e7`Z_nv?EpCd*o z!5V`vmt?_$Z6XMRhm{Pxmw@Zm$L0_||0KBgZS4$S;`H$Yml}M~Sa7{~i&Kg1tFobD)aW8j&O;MG#{HVWJjg7V9haA2~&2;7&CgfGKI zeS^RD;L^daWo4mm1RwUg33dcOWFu}-zMVh}qw(n=+hv;HlZb>u&(O2OT1JXSrqKt& z1>aA{1!eQfKb1$5NhT0Nh+jOSos1`QRu7wa!9*tGt8g!pl7^F_6R;n^ZXBG1Vlpvv z?DqeFu#_p0&ERxzsL}0k|M`XmwAE@b9g9mi7_vkU3(YXS3KWC#a`A8Le?LUil~L`o)s?5}&5p7l2=Q1L+f46=^(AJ(B{%`?k{77=xV0fjyaNfyHBB-X(haL*y4pnJx35+^8g ze9; zJUhQ>Bi*w$38y*NbDQI%;kB=q7v}(1QaxzI2<u1#44#;R4hBHC!s-4cLHa140#pxy5pXZ6v*jJ$#nBRy2OwO=wowgJO0vm@wH4nl+RlB8TI0)2m?6z#9japsYwvLf zJKkFhHBGiE{EEU}N@;M-4`6yH? zPM&wZ5&JJ5v8_`$jr>hu!W}`kQH34q1&=5<}2qzr|K@F>zt3Ya+6gE+cjYV2d_89 z8kU|v-7h_gl&1OmK=33rUxV+9WHQ4_*5{hej)tf#%t@XV)@t6clW@Vv&#wth#fj-k zTFlvXm4WGVmI-I_L$beW@4T|T2!>V8X!0@lb&;Cxqj*k&*L48Fue`_D3ywZEOU`qU z8^0%@mX)?1OHX4TdV?DITLO?jgPcZNTGjwPDa}@0Ok$Z0W1L#8^gL5!cQGM2A4(;A zf7ZnPNYbnabghaxgKp#nD!yj&Qw~OTBDav8JQnx%=9ZJ=7O$FS9jxe^oeAH)bh-6Wi}B5Wzp%8@KBd30)v$3hs){9lE6iTPlp#CMHq$SafVT17AdZo8@TFX1<$_P$ZYlsNDAyWO? z_mzLdvxnjjr~T0d`Zy%C!a0miC-Kc5^{Xm6f!v&QdORONIK4wf2_IS}%5M zL&}ZqS6$t$UF^1wl^Qhw;2*K*?th3yAg<`YtRhpZn15SE_KwaD?%$oAot(3q|FMd~ z|5`==4HczTM1hndzrw#zk-JMwMQ2<>^!J47swYqDndiJCS)Y+X--(RQ*7!HDp z+GmdbT16nJs66%`t7s5p6`l72lZSwr!_7q?uxPZqb#!`ltgU