From ac1cab0170c65da116ba1a6ed777c71e7d3371e2 Mon Sep 17 00:00:00 2001 From: Dmitry Date: Tue, 4 Sep 2018 13:36:04 +0700 Subject: [PATCH 01/12] Rename virtualbox VM names to predictable Hi! I suggest you to add this to make virtualbox vm names more predictable. Now i suspect that virtualbox vm names are slightly random. cfg.vm.provider "virtualbox" do |vb, override| ... vb.name = "name.windomain.local" ... end --- Vagrant/Vagrantfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 5f50010..5d3ba5d 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -20,6 +20,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "virtualbox" do |vb, override| vb.gui = true + vb.name = "logger.windomain.local" vb.customize ["modifyvm", :id, "--memory", 4096] vb.customize ["modifyvm", :id, "--cpus", 2] vb.customize ["modifyvm", :id, "--vram", "32"] @@ -80,6 +81,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "virtualbox" do |vb, override| vb.gui = true + vb.name = "dc.windomain.local" vb.customize ["modifyvm", :id, "--memory", 2560] vb.customize ["modifyvm", :id, "--cpus", 2] vb.customize ["modifyvm", :id, "--vram", "32"] @@ -134,6 +136,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "virtualbox" do |vb, override| vb.gui = true + vb.name = "wef.windomain.local" vb.customize ["modifyvm", :id, "--memory", 2048] vb.customize ["modifyvm", :id, "--cpus", 2] vb.customize ["modifyvm", :id, "--vram", "32"] @@ -188,6 +191,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "virtualbox" do |vb, override| vb.gui = true + vb.name = "win10.windomain.local" vb.customize ["modifyvm", :id, "--memory", 2048] vb.customize ["modifyvm", :id, "--cpus", 1] vb.customize ["modifyvm", :id, "--vram", "32"] From 16ecf5bbc8af729065864fb9c89ef82dc2c039ab Mon Sep 17 00:00:00 2001 
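Review bot: A fixed `vb.name` makes VirtualBox refuse to create the machine when a VM of that name already exists on the host, for example one left behind by an interrupted destroy or a second checkout of the lab, so the predictability gained here adds a failure mode the commit message does not mention; all four hunks (logger, dc, wef, win10) have this property. A one-line comment above each assignment such as `# Fixed VM name: VirtualBox requires it to be unique per host, so a stale VM of this name blocks vagrant up` would at least tell the next person why a name-collision error appears. Each `cfg.vm.provider "virtualbox"` block starts before and ends after its hunk.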
From: Chris Long Date: Tue, 4 Sep 2018 07:51:21 -0700 Subject: [PATCH 02/12] Add success notification for reloaded vagrants to build.sh [ci skip] If a host finished provisioning successfully after a reload, it would not print the "success!" message. This commit fixes that. This is potentially what caused the problem in #135. [ci skip] --- build.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/build.sh b/build.sh index 9f06a5d..9f1c486 100755 --- a/build.sh +++ b/build.sh @@ -430,7 +430,9 @@ build_vagrant_hosts() { (echo >&2 "Something went wrong while attempting to build the $VAGRANT_HOST box.") (echo >&2 "Attempting to reload and reprovision the host...") RETRY_STATUS=$(vagrant_reload_host "$VAGRANT_HOST") - if [ "$RETRY_STATUS" -ne 0 ]; then + if [ "$RETRY_STATUS" -eq 0 ]; then + (echo >&2 "Good news! $VAGRANT_HOST was built successfully after a reload!") + else (echo >&2 "Failed to bring up $VAGRANT_HOST after a reload. Exiting.") exit 1 fi From 234646af539017942f728f47145d130210b8042c Mon Sep 17 00:00:00 2001 From: Jeff Beley Date: Wed, 5 Sep 2018 02:57:34 -0500 Subject: [PATCH 03/12] added sed line to fix suricata build --- Vagrant/bootstrap.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index fd24081..9d531ea 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -323,6 +323,7 @@ install_suricata() { pip3.6 install --pre --upgrade suricata-update # add DC_SERVERS variable to suricata.yaml in support et-open signatures /root/go/bin/yq w -i /etc/suricata/suricata.yaml vars.address-groups.DC_SERVERS '$HOME_NET' + sed -i '0,/^/s//%YAML 1.1\n---\n/' /etc/suricata/suricata.yaml crudini --set --format=sh /etc/default/suricata '' iface eth1 # update suricata signature sources suricata-update update-sources From 04318c0bffb5c6f17e89a022f1b9070da824adc6 Mon Sep 17 00:00:00 2001 
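Review bot: `if [ "$RETRY_STATUS" -eq 0 ]; then` still produces an "integer expression expected" error when `RETRY_STATUS` is empty or non-numeric, and because `[` then returns non-zero the new `else` branch runs, so the success message can still be skipped for the very case this commit sets out to fix. `RETRY_STATUS` is captured from the stdout of `vagrant_reload_host` rather than from `$?`, so it is worth confirming that the function (defined outside the hunk) prints only the numeric status; a defensive `RETRY_STATUS=${RETRY_STATUS:-1}` before the test would turn a shell error into an explicit failure. The enclosing function `build_vagrant_hosts` starts before the hunk.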
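Review bot: The added `sed -i '0,/^/s//%YAML 1.1\n---\n/' /etc/suricata/suricata.yaml` carries no comment saying why it exists and is not idempotent: every run of `install_suricata` prepends another `%YAML 1.1` / `---` pair, and a duplicated directive and document marker is likely to break parsing of the config. Presumably the preceding `yq w -i` rewrite drops the YAML directive Suricata expects, so a comment such as `# yq rewrites suricata.yaml without the %YAML 1.1 directive Suricata requires; restore it` plus a guard like `grep -q '^%YAML' /etc/suricata/suricata.yaml || sed -i '0,/^/s//%YAML 1.1\n---\n/' /etc/suricata/suricata.yaml` would document and fix that. The `0,/re/` address form is GNU sed only, which matches the Ubuntu target but is worth noting. `install_suricata` starts before and ends after the hunk.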
From: Dmitry Date: Wed, 5 Sep 2018 22:24:49 +0700 Subject: [PATCH 04/12] Added vm names to vmmare providers --- Vagrant/Vagrantfile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 5d3ba5d..3f8ab76 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -7,12 +7,14 @@ Vagrant.configure("2") do |config| cfg.vm.network :private_network, ip: "192.168.38.5", gateway: "192.168.38.1", dns: "8.8.8.8" cfg.vm.provider "vmware_fusion" do |v, override| + v.vmx["displayname"] = "logger" v.memory = 2048 v.cpus = 1 v.gui = true end cfg.vm.provider "vmware_desktop" do |v, override| + v.vmx["displayname"] = "logger" v.memory = 4096 v.cpus = 2 v.gui = true @@ -20,7 +22,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "virtualbox" do |vb, override| vb.gui = true - vb.name = "logger.windomain.local" + vb.name = "logger" vb.customize ["modifyvm", :id, "--memory", 4096] vb.customize ["modifyvm", :id, "--cpus", 2] vb.customize ["modifyvm", :id, "--vram", "32"] @@ -66,6 +68,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "vmware_fusion" do |v, override| override.vm.box = "../Boxes/windows_2016_vmware.box" + v.vmx["displayname"] = "dc.windomain.local" v.memory = 2560 v.cpus = 2 v.gui = true @@ -73,6 +76,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "vmware_desktop" do |v, override| override.vm.box = "../Boxes/windows_2016_vmware.box" + v.vmx["displayname"] = "dc.windomain.local" v.memory = 2560 v.cpus = 2 v.gui = true @@ -121,6 +125,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "vmware_fusion" do |v, override| override.vm.box = "../Boxes/windows_2016_vmware.box" + v.vmx["displayname"] = "wef.windomain.local" v.memory = 2048 v.cpus = 2 v.gui = true 
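Review bot: The logger host is named plain `"logger"` for both VMware `displayname` entries and, in the `@@ -20` hunk, for VirtualBox (changed from `logger.windomain.local`), while dc, wef and win10 keep the `*.windomain.local` form here and in the `@@ -128`, `@@ -171` and `@@ -181` hunks that follow, so the naming convention now differs per host. Either form works for the providers, but a VM list sorted by name will no longer group the lab together; if the short name is intentional because logger is not a domain member, a comment such as `# logger is not domain-joined, so no windomain.local suffix` at its first displayname would make that explicit. Each `cfg.vm.provider` block starts before and ends after its hunk.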
@@ -128,6 +133,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "vmware_desktop" do |v, override| override.vm.box = "../Boxes/windows_2016_vmware.box" + v.vmx["displayname"] = "wef.windomain.local" v.memory = 2048 v.cpus = 2 v.gui = true @@ -171,6 +177,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "vmware_fusion" do |v, override| override.vm.box = "../Boxes/windows_10_vmware.box" + v.vmx["displayname"] = "win10.windomain.local" v.vmx["gui.fullscreenatpoweron"] = "FALSE" v.vmx["gui.viewModeAtPowerOn"] = "windowed" v.vmx["gui.fitguestusingnativedisplayresolution"] = "FALSE" @@ -181,6 +188,7 @@ Vagrant.configure("2") do |config| cfg.vm.provider "vmware_desktop" do |v, override| override.vm.box = "../Boxes/windows_10_vmware.box" + v.vmx["displayname"] = "win10.windomain.local" v.vmx["gui.fullscreenatpoweron"] = "FALSE" v.vmx["gui.viewModeAtPowerOn"] = "windowed" v.memory = 2048 From ba7784e0e80c23f80bb80a53a05d8486ca2a9465 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Thu, 6 Sep 2018 22:58:36 -0700 Subject: [PATCH 05/12] Multiple fixes, additions --- README.md | 14 +- Vagrant/Vagrantfile | 17 +- Vagrant/bootstrap.sh | 195 ++++++++++++---------- Vagrant/scripts/install-caldera-agent.ps1 | 2 +- Vagrant/scripts/install-osquery.ps1 | 2 +- Vagrant/scripts/install-splunkuf.ps1 | 2 +- Vagrant/scripts/join-domain.ps1 | 2 +- Vagrant/scripts/provision.ps1 | 2 +- build.ps1 | 8 +- build.sh | 8 +- 10 files changed, 138 insertions(+), 114 deletions(-) diff --git a/README.md b/README.md index 55ee4ee..a46e5e4 100644 --- a/README.md +++ b/README.md 
@@ -85,9 +85,9 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json * Provision the WEF host and configure it as a Windows Event Collector in the Servers OU * Provision the Win10 host and configure it as a computer in the Workstations OU -7. Navigate to https://192.168.38.5:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen) -8. Navigate to https://192.168.38.5:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration). -9. Navigate to https://192.168.38.5:8888 in a browser to access the Caldera server on logger. Default credentials are admin:caldera. +7. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen) +8. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration). +9. Navigate to https://192.168.38.105:8888 in a browser to access the Caldera server on logger. Default credentials are admin:caldera. ## Basic Vagrant Usage Vagrant commands must be run from the "Vagrant" folder. 
@@ -108,10 +108,10 @@ Vagrant commands must be run from the "Vagrant" folder. ## Lab Information * Domain Name: windomain.local * Admininstrator login: vagrant:vagrant -* Fleet login: https://192.168.38.5:8412 - admin:admin123# -* Splunk login: https://192.168.38.5:8000 - admin:changeme -* Caldera login: https://192.168.38.5:8888 - admin:caldera -* MS ATA login: https://192.168.38.3 - wef\vagrant:vagrant +* Fleet login: https://192.168.38.105:8412 - admin:admin123# +* Splunk login: https://192.168.38.105:8000 - admin:changeme +* Caldera login: https://192.168.38.105:8888 - admin:caldera +* MS ATA login: https://192.168.38.103 - wef\vagrant:vagrant ## Lab Hosts * DC - Windows 2016 Domain Controller diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 3f8ab76..7cc93c7 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -4,7 +4,7 @@ Vagrant.configure("2") do |config| cfg.vm.box = "bento/ubuntu-16.04" cfg.vm.hostname = "logger" config.vm.provision :shell, path: "bootstrap.sh" - cfg.vm.network :private_network, ip: "192.168.38.5", gateway: "192.168.38.1", dns: "8.8.8.8" + cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8" cfg.vm.provider "vmware_fusion" do |v, override| v.vmx["displayname"] = "logger" @@ -45,9 +45,9 @@ Vagrant.configure("2") do |config| cfg.winrm.basic_auth_only = true cfg.winrm.timeout = 300 cfg.winrm.retry_limit = 20 - cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1" + cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1" - cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.2" + cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.102" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "reload" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false 
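Review bot: The new addresses are spelled out twice per host in the `@@ -45` hunk, once in `cfg.vm.network` and again in the `fix-second-network.ps1` args, and the same literals recur in the `@@ -102` and `@@ -158` hunks that follow, in README.md and in bootstrap.sh, which is why a subnet renumber has to touch ten files. Hoisting each address into a local in the enclosing host definition (which starts before and ends after the hunk), e.g. `dc_ip = "192.168.38.102"`, then `ip: dc_ip` and `args: dc_ip`, would keep the network definition and the provisioner argument from drifting apart. The DC's `private_network` line sets no `dns:` while logger's sets `8.8.8.8`; probably intended if the DC runs its own DNS, but a short comment there would save the next reader the question.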
@@ -64,6 +64,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true + cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true cfg.vm.provider "vmware_fusion" do |v, override| @@ -102,14 +103,15 @@ Vagrant.configure("2") do |config| cfg.winrm.basic_auth_only = true cfg.winrm.timeout = 300 cfg.winrm.retry_limit = 20 - cfg.vm.network :private_network, ip: "192.168.38.3", gateway: "192.168.38.1", dns: "192.168.38.2" + cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102" - cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.3 -dns 192.168.38.2" + cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.103 -dns 192.168.38.102" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "reload" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true + cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: true 
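Review bot: The inline provisioner `'wevtutil el | Foreach-Object {wevtutil cl “$_”}'` wraps `$_` in Unicode curly quotes (U+201C/U+201D) rather than ASCII `"`; PowerShell accepts them, but only as long as every editor, file encoding and transport keeps those bytes intact, and the identical line is repeated in the `@@ -102` hunk here and the `@@ -158` hunk that follows. Use ASCII quotes, `inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}'`, and consider a single constant for the three copies. Clearing every event log during provisioning is, I assume, meant to drop provisioning noise before the forwarders are installed, but it also wipes the audit trail up to that point and leaves a "log was cleared" record (Event ID 1102 in Security, 104 in System); a comment such as `# Clear all event logs so provisioning noise does not pollute the lab data` would record the intent. The enclosing host definition block starts before and ends after the hunk.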
@@ -158,15 +160,16 @@ Vagrant.configure("2") do |config| cfg.winrm.basic_auth_only = true cfg.winrm.timeout = 300 cfg.winrm.retry_limit = 20 - cfg.vm.network :private_network, ip: "192.168.38.4", gateway: "192.168.38.1", dns: "192.168.38.2" + cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102" - cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.4 -dns 192.168.38.2" + cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "reload" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: true + cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 9d531ea..a2d5fca 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh 
@@ -14,19 +14,23 @@ apt_install_prerequisites() { fix_eth1_static_ip() { # There's a fun issue where dhclient keeps messing with eth1 despite the fact - # that eth1 has a static IP set. We workaround this by telling dhclient to leave it alone. - echo 'interface "eth1" {}' >> /etc/dhcp/dhclient.conf + # that eth1 has a static IP set. We workaround this by setting a static DHCP lease. + echo -e 'lease { + interface "eth1"; + fixed-address 192.168.38.105; + send dhcp-requested-address 192.168.38.105; + }' >> /etc/dhcp/dhclient.conf systemctl restart networking.service # Fix eth1 if the IP isn't set correctly ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1) - if [ "$ETH1_IP" != "192.168.38.5" ]; then + if [ "$ETH1_IP" != "192.168.38.105" ]; then echo "Incorrect IP Address settings detected. Attempting to fix." ifdown eth1 ip addr flush dev eth1 ifup eth1 ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1) - if [ "$ETH1_IP" == "192.168.38.5" ]; then - echo "The static IP has been fixed and set to 192.168.38.5" + if [ "$ETH1_IP" == "192.168.38.105" ]; then + echo "The static IP has been fixed and set to 192.168.38.105" else echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs." exit 1 
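Review bot: The `lease { ... }` stanza is appended with `>>` on every run, so re-provisioning leaves duplicate lease blocks in `/etc/dhcp/dhclient.conf`, and `192.168.38.105` is now written four times inside this one function. Guard the append, e.g. `grep -q 'fixed-address 192.168.38.105' /etc/dhcp/dhclient.conf || echo -e '...' >> /etc/dhcp/dhclient.conf`, and hoist the address into `LOGGER_IP=192.168.38.105` at the top of the function so the lease, the two comparisons and the message cannot drift apart. `echo -e` with an embedded literal newline relies on bash semantics; fine if the script's shebang is bash, which is outside the hunk. `fix_eth1_static_ip` starts before and ends after the hunk.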
@@ -158,30 +162,30 @@ import_osquery_config_into_fleet() { cd /home/vagrant/osquery-configuration/Endpoints/Windows/ || exit # Fleet requires you to login before importing packs # Login - curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure + curl 'https://192.168.38.105:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/login' -H 'authority: 192.168.38.105:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure sleep 1 - curl 'https://192.168.38.5:8412/setup' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'authority: 192.168.38.5:8412' --compressed --insecure + curl 'https://192.168.38.105:8412/setup' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/62.0.3202.94 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'authority: 192.168.38.105:8412' --compressed --insecure sleep 1 # Setup organization name and email address - curl 'https://192.168.38.5:8412/api/v1/setup' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/setup' -H 'authority: 192.168.38.5:8412' --data-binary '{"kolide_server_url":"https://192.168.38.5:8412","org_info":{"org_name":"detectionlab"},"admin":{"admin":true,"email":"example@example.com","password":"admin123#","password_confirmation":"admin123#","username":"admin"}}' --compressed --insecure + curl 'https://192.168.38.105:8412/api/v1/setup' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/setup' -H 'authority: 192.168.38.105:8412' --data-binary '{"kolide_server_url":"https://192.168.38.105:8412","org_info":{"org_name":"detectionlab"},"admin":{"admin":true,"email":"example@example.com","password":"admin123#","password_confirmation":"admin123#","username":"admin"}}' --compressed --insecure sleep 3 # Import all Windows configs /home/vagrant/configimporter/configimporter -host https://localhost:8412 -user 'admin' -config osquery_to_import.conf # Get auth token - TOKEN=$(curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 
'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure | grep token | cut -d '"' -f 4) + TOKEN=$(curl 'https://192.168.38.105:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/login' -H 'authority: 192.168.38.105:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure | grep token | cut -d '"' -f 4) # Set all packs to be targeted to Windows hosts - curl 'https://192.168.38.5:8412/api/v1/kolide/packs/1' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure + curl 'https://192.168.38.105:8412/api/v1/kolide/packs/1' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 
192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure sleep 1 - curl 'https://192.168.38.5:8412/api/v1/kolide/packs/2' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure + curl 'https://192.168.38.105:8412/api/v1/kolide/packs/2' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure sleep 1 - curl 'https://192.168.38.5:8412/api/v1/kolide/packs/3' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure + curl 'https://192.168.38.105:8412/api/v1/kolide/packs/3' 
-X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure sleep 1 - curl 'https://192.168.38.5:8412/api/v1/kolide/packs/4' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure + curl 'https://192.168.38.105:8412/api/v1/kolide/packs/4' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure sleep 1 - curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: 
https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure + curl 'https://192.168.38.105:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure # Rename primary pack - curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/5/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"name":"windows-pack"}' --compressed --insecure + curl 'https://192.168.38.105:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/5/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"name":"windows-pack"}' 
--compressed --insecure # Add Splunk monitors for Fleet /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_result" -index osquery -sourcetype 'osquery:json' -auth 'admin:changeme' /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme' 
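Review bot: `TOKEN=$(curl ... | grep token | cut -d '"' -f 4)` parses the login JSON by column position, so any change in field order or whitespace in the Fleet response silently yields an empty token, after which the five PATCH calls that follow would presumably be rejected while the script carries on. The five pack updates differ only in the pack id and the rename repeats the same header block once more; a loop over `$PACK_ID` plus an empty-token check removes four near-duplicate lines and leaves one place to edit the address next time it changes. The hard-coded `admin:admin123#` and `--insecure` are the lab defaults documented in README.md, so I would only add a comment noting that the token is tied to those defaults. `import_osquery_config_into_fleet` starts before and ends after the hunk.
```bash
  # Get auth token (tied to the default admin credentials documented in README.md)
  TOKEN=$(curl 'https://192.168.38.105:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/login' -H 'authority: 192.168.38.105:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure | grep token | cut -d '"' -f 4)
  if [ -z "$TOKEN" ]; then
    echo "Failed to obtain a Fleet auth token; cannot configure packs." >&2
    exit 1
  fi
  # Set all packs to be targeted to Windows hosts (label 10)
  for PACK_ID in 1 2 3 4 5; do
    curl "https://192.168.38.105:8412/api/v1/kolide/packs/$PACK_ID" -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
    sleep 1
  done
  # … unchanged: rename primary pack, Splunk monitors for Fleet …
```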
@@ -223,122 +227,139 @@ install_bro() { SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager' SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata' - echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list - curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add - - # update APT repositories + echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list + curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add - + + # update APT repositories apt-get -qq -ym update - apt-get -qq -ym install \ - bro \ - crudini \ - # install tools to build and configure bro + # install tools to build and configure bro + apt-get -qq -ym install bro crudini + # load bro scripts + echo ' + @load protocols/ftp/software + @load protocols/smtp/software + @load protocols/ssh/software + @load protocols/http/software + @load tuning/json-logs + @load policy/integration/collective-intel + @load policy/frameworks/intel/do_notice + @load frameworks/intel/seen + @load frameworks/intel/do_notice + @load frameworks/files/hash-all-files + @load policy/protocols/smb + @load policy/protocols/conn/vlan-logging + @load policy/protocols/conn/mac-logging - # load bro scripts - cat<> /opt/bro/share/bro/site/local.bro - -@load protocols/ftp/software -@load protocols/smtp/software -@load protocols/ssh/software -@load protocols/http/software - -@load tuning/json-logs -@load policy/integration/collective-intel -@load policy/frameworks/intel/do_notice - -@load frameworks/intel/seen -@load frameworks/intel/do_notice -@load frameworks/files/hash-all-files - -@load policy/protocols/smb - -@load policy/protocols/conn/vlan-logging - -@load policy/protocols/conn/mac-logging - -redef Intel::read_files += { + redef Intel::read_files += { "/opt/bro/etc/intel.dat" 
-}; + }; + ' >> /opt/bro/share/bro/site/local.bro -EOF - - - # configure bro + # Configure Bro crudini --del $NODECFG bro crudini --set $NODECFG manager type manager crudini --set $NODECFG manager host localhost crudini --set $NODECFG proxy type proxy crudini --set $NODECFG proxy host localhost - CPUS=$(lscpu -e |awk /yes/'{print $1'} |wc -l) - # setup $CPUS numbers of bro workers - for i in eth1 - do - crudini --set $NODECFG worker-$i type worker - crudini --set $NODECFG worker-$i host localhost - crudini --set $NODECFG worker-$i interface $i - crudini --set $NODECFG worker-$i lb_method pf_ring - crudini --set $NODECFG worker-$i lb_procs $CPUS - done + # Setup $CPUS numbers of bro workers + crudini --set $NODECFG worker-eth1 type worker + crudini --set $NODECFG worker-eth1 host localhost + crudini --set $NODECFG worker-eth1 interface eth1 + crudini --set $NODECFG worker-eth1 lb_method pf_ring + crudini --set $NODECFG worker-eth1 lb_procs "$(nproc)" - # setup bro to run at boot - cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service + # Setup bro to run at boot + cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service + systemctl enable bro + systemctl start bro - for i in bro - do - systemctl enable $i - systemctl start $i - done - - # setup splunk TA to ingest bro and suricata data + # Setup splunk TA to ingest bro and suricata data git clone https://github.com/jahshuah/splunk-ta-bro-json $SPLUNK_BRO_JSON mkdir -p $SPLUNK_BRO_JSON/local cp $SPLUNK_BRO_JSON/default/inputs.conf $SPLUNK_BRO_JSON/local/inputs.conf - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR index bro crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR sourcetype json_bro crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR whitelist '.*\.log$' crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR blacklist '.*(communication|stderr)\.log$' crudini --set $SPLUNK_BRO_JSON/local/inputs.conf 
$SPLUNK_BRO_MONITOR disabled 0 - - - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype json_suricata crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json' crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0 - # ensure permissions are correct and restart splunk + # Ensure permissions are correct and restart splunk chown -R splunk $SPLUNK_BRO_JSON - /opt/splunk/bin/splunk restart + /opt/splunk/bin/splunk restart + + # Verify that Bro is running + if ! pgrep -f bro > /dev/null; then + echo "Bro attempted to start but is not running. Exiting" + exit 1 + fi } install_suricata() { - # install yq to maniuplate the suricata.yaml inline + # Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts + + # Install yq to maniuplate the suricata.yaml inline /usr/bin/go get -u github.com/mikefarah/yq - # install suricata + # Install suricata add-apt-repository -y ppa:oisf/suricata-stable apt-get -qq -y update && apt-get -qq -y install suricata crudini - # install suricata-update - pip3.6 install --pre --upgrade suricata-update - # add DC_SERVERS variable to suricata.yaml in support et-open signatures + # Install suricata-update + cd /home/vagrant || exit 1 + git clone https://github.com/OISF/suricata-update.git + cd /home/vagrant/suricata-update || exit 1 + python setup.py install + # Add DC_SERVERS variable to suricata.yaml in support et-open signatures /root/go/bin/yq w -i /etc/suricata/suricata.yaml vars.address-groups.DC_SERVERS '$HOME_NET' - sed -i '0,/^/s//%YAML 1.1\n---\n/' /etc/suricata/suricata.yaml + + # It may make sense to store the suricata.yaml file as a resource file if this begins to become too complex + # Add more verbose alert logging + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload true + 
/root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-buffer-size 4kb + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-printable yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.packet yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.http yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.tls yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.ssh yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.smtp yes + # Turn off traffic flow logging (duplicative of Bro and wrecks Splunk trial license) + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove HTTP + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove DNS + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove TLS + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SMTP + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SSH + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Stats + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Flow + # AF packet monitoring should be set to eth1 + /root/go/bin/yq w -i /etc/suricata/suricata.yaml af-packet.0.interface eth1 + crudini --set --format=sh /etc/default/suricata '' iface eth1 # update suricata signature sources suricata-update update-sources # disable protocol decode as it is duplicative of bro echo re:protocol-command-decode >> /etc/suricata/disable.conf # enable et-open and attackdetection sources - for i in et/open ptresearch/attackdetection - do - suricata-update enable-source $i + suricata-update enable-source et/open + suricata-update enable-source ptresearch/attackdetection + # 
Add the YAML header to the top of the suricata config + echo "Adding the YAML header to /etc/suricata/suricata.yaml" + echo -e "%YAML 1.1\n---\n$(cat /etc/suricata/suricata.yaml)" > /etc/suricata/suricata.yaml - done - # update suricata and restart + # Update suricata and restart suricata-update - systemctl restart suricata + service suricata stop + service suricata start + # Verify that Suricata is running + if ! pgrep -f suricata > /dev/null; then + echo "Suricata attempted to start but is not running. Exiting" + exit 1 + fi } main() { diff --git a/Vagrant/scripts/install-caldera-agent.ps1 b/Vagrant/scripts/install-caldera-agent.ps1 index bd047ee..0d67916 100644 --- a/Vagrant/scripts/install-caldera-agent.ps1 +++ b/Vagrant/scripts/install-caldera-agent.ps1 @@ -2,7 +2,7 @@ If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) { # Add /etc/hosts entry - Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 logger" + Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.105 logger" # Make the directory New-Item "c:\Program Files\cagent" -type directory diff --git a/Vagrant/scripts/install-osquery.ps1 b/Vagrant/scripts/install-osquery.ps1 index 6f9544f..1a6299a 100755 --- a/Vagrant/scripts/install-osquery.ps1 +++ b/Vagrant/scripts/install-osquery.ps1 @@ -19,7 +19,7 @@ If (-not ($service)) { ### --- TLS CONFIG BEGINS --- ### COMMENT ALL LINES BELOW UNTIL "TLS CONFIG ENDS" if using local configuration ## Add entry to hosts file for Kolide for SSL validation - Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 kolide" + Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.105 kolide" ## Add kolide secret and avoid BOM $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False [System.IO.File]::WriteAllLines("c:\ProgramData\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding) diff --git a/Vagrant/scripts/install-splunkuf.ps1 b/Vagrant/scripts/install-splunkuf.ps1 index 925d067..ea291e4 100755 
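Review bot: `echo -e "%YAML 1.1\n---\n$(cat /etc/suricata/suricata.yaml)" > /etc/suricata/suricata.yaml` at the end of install_suricata feeds the entire config body through echo's escape processing, so any backslash sequence inside suricata.yaml is rewritten and the file's trailing newlines are dropped; prepend the header without re-interpreting the body, e.g. `{ printf '%%YAML 1.1\n---\n'; cat /etc/suricata/suricata.yaml; } > /etc/suricata/suricata.yaml.new && mv /etc/suricata/suricata.yaml.new /etc/suricata/suricata.yaml`. The Bro repository key in install_bro is still fetched over plain http and piped straight into `apt-key add -`, and suricata-update is now built from an unpinned `git clone` of the upstream default branch, so neither the trust anchor for that apt repo nor the code installed by `python setup.py install` is verified against a known version; fetching the key over https (or shipping it under /vagrant/resources like the other fixtures) and checking out a fixed tag would make the build reproducible. The new `pgrep -f bro` / `pgrep -f suricata` liveness checks match any process whose command line contains those substrings, so `systemctl is-active bro` and `service suricata status` would be more precise. install_bro's opening lines (its name and the NODECFG assignment) sit above the hunk; install_suricata is shown in full.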
--- a/Vagrant/scripts/install-splunkuf.ps1 +++ b/Vagrant/scripts/install-splunkuf.ps1 @@ -6,7 +6,7 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) Write-Host "Installing & Starting Splunk" (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile) - Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait + Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait } Else { Write-Host "Splunk is already installed. Moving on." } diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1 index 009294f..8c34472 100755 --- a/Vagrant/scripts/join-domain.ps1 +++ b/Vagrant/scripts/join-domain.ps1 @@ -4,7 +4,7 @@ Write-Host 'Join the domain' Write-Host "First, set DNS to DC to join the domain" -$newDNSServers = "192.168.38.2" +$newDNSServers = "192.168.38.102" $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."} $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)} diff --git a/Vagrant/scripts/provision.ps1 b/Vagrant/scripts/provision.ps1 index e308d22..71ca825 100644 --- a/Vagrant/scripts/provision.ps1 +++ b/Vagrant/scripts/provision.ps1 
@@ -26,7 +26,7 @@ if ($env:COMPUTERNAME -imatch 'vagrant') { } if ($env:COMPUTERNAME -imatch 'dc') { - . c:\vagrant\scripts\create-domain.ps1 192.168.38.2 + . c:\vagrant\scripts\create-domain.ps1 192.168.38.102 } else { . c:\vagrant\scripts\join-domain.ps1 } diff --git a/build.ps1 b/build.ps1 index 4ffcbf3..b2611d3 100644 --- a/build.ps1 +++ b/build.ps1 @@ -394,19 +394,19 @@ function download { function post_build_checks { Write-Verbose '[post_build_checks] Running Caldera Check.' - $CALDERA_CHECK = download -URL 'https://192.168.38.5:8888' -PatternToMatch 'CALDERA' + $CALDERA_CHECK = download -URL 'https://192.168.38.105:8888' -PatternToMatch 'CALDERA' Write-Verbose "[post_build_checks] Cladera Result: $CALDERA_CHECK" Write-Verbose '[post_build_checks] Running Splunk Check.' - $SPLUNK_CHECK = download -URL 'https://192.168.38.5:8000/en-US/account/login?return_to=%2Fen-US%2F' -PatternToMatch 'This browser is not supported by Splunk' + $SPLUNK_CHECK = download -URL 'https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F' -PatternToMatch 'This browser is not supported by Splunk' Write-Verbose "[post_build_checks] Splunk Result: $SPLUNK_CHECK" Write-Verbose '[post_build_checks] Running Fleet Check.' - $FLEET_CHECK = download -URL 'https://192.168.38.5:8412' -PatternToMatch 'Kolide Fleet' + $FLEET_CHECK = download -URL 'https://192.168.38.105:8412' -PatternToMatch 'Kolide Fleet' Write-Verbose "[post_build_checks] Fleet Result: $FLEET_CHECK" Write-Verbose '[post_build_checks] Running MS ATA Check.' - $ATA_CHECK = download -URL 'https://192.168.38.3' -SuccessOn401 + $ATA_CHECK = download -URL 'https://192.168.38.103' -SuccessOn401 Write-Verbose "[post_build_checks] ATA Result: $ATA_CHECK" diff --git a/build.sh b/build.sh index 9f1c486..962874f 100755 --- a/build.sh +++ b/build.sh 
@@ -251,10 +251,10 @@ vagrant_reload_host() { post_build_checks() { # If the curl operation fails, we'll just leave the variable equal to 0 # This is needed to prevent the script from exiting if the curl operation fails - CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.5:8888 | grep -c '302: Found' || echo "") - SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.5:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "") - FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.5:8412 | grep -c 'Kolide Fleet' || echo "") - ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.3 -m 2) + CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.105:8888 | grep -c '302: Found' || echo "") + SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "") + FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.105:8412 | grep -c 'Kolide Fleet' || echo "") + ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.103 -m 2) [[ $ATA_CHECK == 401 ]] && ATA_CHECK=1 BASH_MAJOR_VERSION=$(/bin/bash --version | grep 'GNU bash' | grep -o version\.\.. | cut -d ' ' -f 2 | cut -d '.' -f 1) From a95143a2d34f068ccf6d519cd31a54e67a9f0c1a Mon Sep 17 00:00:00 2001 From: Chris Long Date: Fri, 7 Sep 2018 14:57:53 -0700 Subject: [PATCH 06/12] Fix formatting, add Splunk ASN lookup app --- Vagrant/Vagrantfile | 6 +- Vagrant/bootstrap.sh | 214 ++++++++++++++++++++++--------------------- 2 files changed, 113 insertions(+), 107 deletions(-) diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 7cc93c7..1276cae 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile 
@@ -64,7 +64,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true - cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true + cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true cfg.vm.provider "vmware_fusion" do |v, override| @@ -111,7 +111,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true - cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true + cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: true 
@@ -169,7 +169,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: true
- cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true
+ cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
 cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index a2d5fca..d85f878 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -15,12 +15,11 @@ apt_install_prerequisites() {
 fix_eth1_static_ip() {
 # There's a fun issue where dhclient keeps messing with eth1 despite the fact
 # that eth1 has a static IP set. We workaround this by setting a static DHCP lease.
- echo -e 'lease {
- interface "eth1";
- fixed-address 192.168.38.105;
- send dhcp-requested-address 192.168.38.105;
- }' >> /etc/dhcp/dhclient.conf
- systemctl restart networking.service
+ echo -e 'interface "eth1" {
+ send host-name = gethostname();
+ send dhcp-requested-address 192.168.38.105;
+ }' >> /etc/dhcp/dhclient.conf
+ service networking restart
 # Fix eth1 if the IP isn't set correctly
 ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
 if [ "$ETH1_IP" != "192.168.38.105" ]; then
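Review bot: The `echo -e 'interface "eth1" { … }' >> /etc/dhcp/dhclient.conf` append in fix_eth1_static_ip has no guard, so every re-run of the provisioner adds another copy of the stanza to dhclient.conf; gate it on a line unique to the new block, e.g. `grep -qF 'send host-name = gethostname();' /etc/dhcp/dhclient.conf || echo -e '…' >> /etc/dhcp/dhclient.conf`. The `-e` flag is not needed, since the quoted block contains no escape sequences. The same unconditional append appears in the install_golang hunk below (`echo 'export PATH=$PATH:/opt/splunk/bin' >> /root/.bashrc`), which is also a Splunk PATH tweak living in the Go install function; the same `grep -q … ||` guard applies there. fix_eth1_static_ip continues past the end of the hunk.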
@@ -39,17 +38,17 @@ fix_eth1_static_ip() { } install_python() { -# Install Python 3.6.4 -if ! which /usr/local/bin/python3.6 > /dev/null; then - echo "Installing Python v3.6.4..." - wget https://www.python.org/ftp/python/3.6.4/Python-3.6.4.tgz - tar -xvf Python-3.6.4.tgz - cd Python-3.6.4 || exit - ./configure && make && make install - cd /home/vagrant || exit -else - echo "Python seems to be downloaded already.. Skipping." -fi + # Install Python 3.6.4 + if ! which /usr/local/bin/python3.6 > /dev/null; then + echo "Installing Python v3.6.4..." + wget https://www.python.org/ftp/python/3.6.4/Python-3.6.4.tgz + tar -xvf Python-3.6.4.tgz + cd Python-3.6.4 || exit + ./configure && make && make install + cd /home/vagrant || exit + else + echo "Python seems to be downloaded already.. Skipping." + fi } install_golang() { @@ -66,6 +65,7 @@ install_golang() { echo 'export GOROOT=/usr/local/go' >> /home/vagrant/.bashrc echo 'export GOPATH=$HOME/.go' >> /root/.bashrc echo 'export GOROOT=/usr/local/go' >> /root/.bashrc + echo 'export PATH=$PATH:/opt/splunk/bin' >> /root/.bashrc source /root/.bashrc sudo update-alternatives --install "/usr/bin/go" "go" "/usr/local/go/bin/go" 0 sudo update-alternatives --set go /usr/local/go/bin/go 
@@ -96,11 +96,15 @@ install_splunk() { /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme' + /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_012.tgz -auth 'admin:changeme' # Add a Splunk TCP input on port 9997 echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf # Add props.conf and transforms.conf cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/ cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/ + cp /opt/splunk/etc/system/default/limits.conf /opt/splunk/etc/system/local/limits.conf + # Bump the memtable limits to allow for the ASN lookup table + sed -i .bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf # Skip Splunk Tour and Change Password Dialog touch /opt/splunk/etc/.ui_login # Enable SSL Login for Splunk @@ -109,6 +113,8 @@ install_splunk() { # Reboot Splunk to make changes take effect /opt/splunk/bin/splunk restart /opt/splunk/bin/splunk enable boot-start + # Generate the ASN lookup table + /opt/splunk/bin/splunk search "|asngen | outputlookup asn" -auth 'admin:changeme' fi } 
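Review bot: `sed -i .bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf` uses the BSD/macOS form of in-place editing; GNU sed on the Ubuntu host this script provisions (it uses apt-get throughout) takes a detached `.bak` as the sed program and the quoted expression as a file name, so the command errors out and the memtable limit is never raised. Attach the suffix, `sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf`, or drop it, and consider verifying the edit (`grep -q 'max_memtable_bytes = 30000000' /opt/splunk/etc/system/local/limits.conf`) before the `|asngen | outputlookup asn` search in the second hunk of this section, which the commit's own comment says depends on the raised limit. Copying the entire default limits.conf into system/local also freezes every default of this Splunk version rather than overriding the one setting; writing only the stanza that holds max_memtable_bytes would be narrower. install_splunk begins above the hunk.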
@@ -222,20 +228,20 @@ install_caldera() { } install_bro() { - # environment variables - NODECFG=/opt/bro/etc/node.cfg - SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json - SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager' - SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata' + # Environment variables + NODECFG=/opt/bro/etc/node.cfg + SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json + SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager' + SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata' echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add - - # update APT repositories - apt-get -qq -ym update - # install tools to build and configure bro + # Update APT repositories + apt-get -qq -ym update + # Install tools to build and configure bro apt-get -qq -ym install bro crudini - # load bro scripts - echo ' + # Load bro scripts + echo ' @load protocols/ftp/software @load protocols/smtp/software @load protocols/ssh/software 
@@ -251,23 +257,23 @@ install_bro() { @load policy/protocols/conn/mac-logging redef Intel::read_files += { - "/opt/bro/etc/intel.dat" + "/opt/bro/etc/intel.dat" }; ' >> /opt/bro/share/bro/site/local.bro # Configure Bro - crudini --del $NODECFG bro - crudini --set $NODECFG manager type manager - crudini --set $NODECFG manager host localhost - crudini --set $NODECFG proxy type proxy - crudini --set $NODECFG proxy host localhost + crudini --del $NODECFG bro + crudini --set $NODECFG manager type manager + crudini --set $NODECFG manager host localhost + crudini --set $NODECFG proxy type proxy + crudini --set $NODECFG proxy host localhost # Setup $CPUS numbers of bro workers - crudini --set $NODECFG worker-eth1 type worker - crudini --set $NODECFG worker-eth1 host localhost - crudini --set $NODECFG worker-eth1 interface eth1 - crudini --set $NODECFG worker-eth1 lb_method pf_ring - crudini --set $NODECFG worker-eth1 lb_procs "$(nproc)" + crudini --set $NODECFG worker-eth1 type worker + crudini --set $NODECFG worker-eth1 host localhost + crudini --set $NODECFG worker-eth1 interface eth1 + crudini --set $NODECFG worker-eth1 lb_method pf_ring + crudini --set $NODECFG worker-eth1 lb_procs "$(nproc)" # Setup bro to run at boot cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service 
@@ -275,23 +281,23 @@ install_bro() { systemctl start bro # Setup splunk TA to ingest bro and suricata data - git clone https://github.com/jahshuah/splunk-ta-bro-json $SPLUNK_BRO_JSON + git clone https://github.com/jahshuah/splunk-ta-bro-json $SPLUNK_BRO_JSON - mkdir -p $SPLUNK_BRO_JSON/local - cp $SPLUNK_BRO_JSON/default/inputs.conf $SPLUNK_BRO_JSON/local/inputs.conf + mkdir -p $SPLUNK_BRO_JSON/local + cp $SPLUNK_BRO_JSON/default/inputs.conf $SPLUNK_BRO_JSON/local/inputs.conf - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR index bro - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR sourcetype json_bro - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR whitelist '.*\.log$' - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR blacklist '.*(communication|stderr)\.log$' - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR disabled 0 - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype json_suricata - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json' - crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0 + crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR index bro + crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR sourcetype json_bro + crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR whitelist '.*\.log$' + crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR blacklist '.*(communication|stderr)\.log$' + crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR disabled 0 + crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata + crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype json_suricata + crudini --set 
$SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json' + crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0 # Ensure permissions are correct and restart splunk - chown -R splunk $SPLUNK_BRO_JSON + chown -R splunk $SPLUNK_BRO_JSON /opt/splunk/bin/splunk restart # Verify that Bro is running 
@@ -302,64 +308,64 @@ install_bro() { } install_suricata() { - # Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts + # Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts - # Install yq to maniuplate the suricata.yaml inline - /usr/bin/go get -u github.com/mikefarah/yq - # Install suricata - add-apt-repository -y ppa:oisf/suricata-stable - apt-get -qq -y update && apt-get -qq -y install suricata crudini - # Install suricata-update - cd /home/vagrant || exit 1 - git clone https://github.com/OISF/suricata-update.git - cd /home/vagrant/suricata-update || exit 1 - python setup.py install - # Add DC_SERVERS variable to suricata.yaml in support et-open signatures - /root/go/bin/yq w -i /etc/suricata/suricata.yaml vars.address-groups.DC_SERVERS '$HOME_NET' + # Install yq to maniuplate the suricata.yaml inline + /usr/bin/go get -u github.com/mikefarah/yq + # Install suricata + add-apt-repository -y ppa:oisf/suricata-stable + apt-get -qq -y update && apt-get -qq -y install suricata crudini + # Install suricata-update + cd /home/vagrant || exit 1 + git clone https://github.com/OISF/suricata-update.git + cd /home/vagrant/suricata-update || exit 1 + python setup.py install + # Add DC_SERVERS variable to suricata.yaml in support et-open signatures + /root/go/bin/yq w -i /etc/suricata/suricata.yaml vars.address-groups.DC_SERVERS '$HOME_NET' - # It may make sense to store the suricata.yaml file as a resource file if this begins to become too complex - # Add more verbose alert logging - /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload true - /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-buffer-size 4kb - /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-printable yes - /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.packet yes - /root/go/bin/yq w -i 
/etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.http yes - /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.tls yes - /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.ssh yes - /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.smtp yes - # Turn off traffic flow logging (duplicative of Bro and wrecks Splunk trial license) - /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove HTTP - /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove DNS - /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove TLS - /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SMTP - /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SSH - /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Stats - /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Flow - # AF packet monitoring should be set to eth1 - /root/go/bin/yq w -i /etc/suricata/suricata.yaml af-packet.0.interface eth1 + # It may make sense to store the suricata.yaml file as a resource file if this begins to become too complex + # Add more verbose alert logging + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload true + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-buffer-size 4kb + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-printable yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.packet yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.http yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.tls yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml 
outputs.1.eve-log.types.0.alert.ssh yes + /root/go/bin/yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.smtp yes + # Turn off traffic flow logging (duplicative of Bro and wrecks Splunk trial license) + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove HTTP + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove DNS + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove TLS + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SMTP + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SSH + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Stats + /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Flow + # AF packet monitoring should be set to eth1 + /root/go/bin/yq w -i /etc/suricata/suricata.yaml af-packet.0.interface eth1 - crudini --set --format=sh /etc/default/suricata '' iface eth1 - # update suricata signature sources - suricata-update update-sources - # disable protocol decode as it is duplicative of bro - echo re:protocol-command-decode >> /etc/suricata/disable.conf - # enable et-open and attackdetection sources - suricata-update enable-source et/open - suricata-update enable-source ptresearch/attackdetection - # Add the YAML header to the top of the suricata config - echo "Adding the YAML header to /etc/suricata/suricata.yaml" - echo -e "%YAML 1.1\n---\n$(cat /etc/suricata/suricata.yaml)" > /etc/suricata/suricata.yaml + crudini --set --format=sh /etc/default/suricata '' iface eth1 + # update suricata signature sources + suricata-update update-sources + # disable protocol decode as it is duplicative of bro + echo re:protocol-command-decode >> /etc/suricata/disable.conf + # enable et-open and attackdetection sources + suricata-update enable-source et/open + suricata-update enable-source ptresearch/attackdetection + # 
Add the YAML header to the top of the suricata config + echo "Adding the YAML header to /etc/suricata/suricata.yaml" + echo -e "%YAML 1.1\n---\n$(cat /etc/suricata/suricata.yaml)" > /etc/suricata/suricata.yaml - # Update suricata and restart - suricata-update - service suricata stop - service suricata start + # Update suricata and restart + suricata-update + service suricata stop + service suricata start - # Verify that Suricata is running - if ! pgrep -f suricata > /dev/null; then - echo "Suricata attempted to start but is not running. Exiting" - exit 1 - fi + # Verify that Suricata is running + if ! pgrep -f suricata > /dev/null; then + echo "Suricata attempted to start but is not running. Exiting" + exit 1 + fi } main() { From 9a82f140f41d6cd9be44c1880cbe3c62bad915d8 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Fri, 7 Sep 2018 14:58:11 -0700 Subject: [PATCH 07/12] Actually add the app --- .../splunk_server/asn-lookup-generator_012.tgz | Bin 0 -> 102011 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Vagrant/resources/splunk_server/asn-lookup-generator_012.tgz 
diff --git a/Vagrant/resources/splunk_server/asn-lookup-generator_012.tgz b/Vagrant/resources/splunk_server/asn-lookup-generator_012.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c374125842d8154c25ce9c0e8e78b971e39eeaef GIT binary patch literal 102011 zcmV(zK<2+6iwFSPOz2nu1MEBrKoi%tsas)OQ0q?BYj6R@Bm@Xl0SP2PDhZeb7Z7ns zCS)MV#F+_;+ZUIL>vKh@QkUmeEVhc3r&V!jal^WTxRvLER;_4Tx7w=j&Ln_>{m}oA z{`Z=rW-{mAd(OG%%sKa*dnc;JgHg(qfSLH5w*~?TKHlE!6+-PR``yD+;3E`xiG(6A zj=;mi)6<&+yx*QkHDIA=lmvi75(NFf^{cP_KNQr}_BUcQszqtE@gIagWPhfgho^^! z-TqAiZ?L}>)1ejv&0`Ra!he;_NUS)8Z#n)_7v>!Z$ORz z+uZ&w_W0iv5M#A| zETY2=m5|B5JZy23=2X7M$$Z*L^VlpvfVZRbKwp7zuDZF$v>w7>%T}; z%m2N+JiP4w-xLsoo1g*=hFAor;uy2z2^NxF%moM%W5HQ`GEU*~?9wkl3}`%NfZxO_ z1qipU&Y_qIBTj@I})DlUQ1<_)ZhQ!TGocX=c$rwpln*}@% zo)A(q!+?Y)U{DA~qUvYW9&j2B-jM%ew8hLzH5wX?M}7Y9<5Bzk$BXH1_x~mUKi1p< z2(W=)yn%peKaJA{%%97+X|;cXU|V=#lLc-7;^^o{W2tn2gwR-wn2BcbLjb#jFoe%f zz-hfD9>7rg2jO#RZs2YbJ0L z?a#HwD~iutZKRoII4;efYuni1)^M+z(ml1#3op981{HoLcyuw zCRl#}9gZ2a{#<5G?2H}#*Z>$1rdCG|@#9->SUjC(#sZkpkOuRWp}}W~FjIO1J*o~t zRl_MdR;$a8Z!_Wl$^Lcy-#{cJKt(rV4p5K(d%^^ucK$E)w%7kn0x^ua;kp}(Bw=an zAuyb$JD|)4iwV{O@$Sr04MRY%^;C#i;n@LkOutyffF-lpz$md&Ayb6f9Bn9&SRbY# zRSk$94mLnO%&{@8#YnPtM=Q35ezgR#$OH>&upLcQW2-qUBGf9W8Z?Y^)#x{IhVjCT zCNO&;F#iB=Am~ve+-o{{O~BW+RaeLcsiq;q)e@|VNG#$4LnQ`cs@%A`!L=$bYY7d- zGpE7q%)}$e1ip|DHA13f8o%}!o}M-u+^U`oSQxzaU{qVo);$h(u(CH`8XC}goC3Bc zKobBG2T&a*nquzysv^Uq6vN}fBIHtjGD+VCx4*U7x1qF0{k#!yrhwLh+(1}o%M77fxvEzLJfE$pMzV4c|9 zBt?&F^tLBb3)gThT*5Wh9<-j>(xeCt4t+)o5{dW$l#M+z5x|^w)=`*>CNb1l&l5zY zQ9LVu_j+tz-B=S`f4@)M>rJsX(r`>aSCrDwxDj)s+(9@alz%^0RyZc)Fvv(;3sEpc zFz@lOz1S!PaaBDS%fs8MGhVh2Zemadcrg(SqMxe~4u{p28)dJr{xVQE|D#FNL@`fa zqrCxA@ASquI`4mYi|qd2Bw&00Yp|xOmZ8#2G@9z@SoInh zLg@*TW_E8Kt=qOW`?arZ>B2S}9tH+mqNXDWBaox1a-69fu~gJ(Heeq1W8nW+P~-pM zvS6t~C4CD#>hXV}KvetuSLo?wKmTnKkjvDt6wqKM3PX@!!kk9p33?j1YTSTO;Nb%# zge3u%Ng$L&F_<3&kwl6KK_W5Ih*Rug4O6FKBo?0r5@6y8i!FEP_!tHV9nk1u(S*4( z^%!bO17=tW!2v`(jp8O)Zvhl&AVUQ9WXnB@(9tO<2@5xq_SND|`|9>GTe(rdl_~JJ 
zD%%LI8_PtCp#}suvBh6i6G*{nJq#kSJfvt6*Dy5P0dCS5ELui}s%8Uj#BCgy;j9)Y z1QNASa0ZN=?!ZWBaUFBT*lC$9@dljIy94Hp2@;RD&=5&6NLHQh%slu635!010f7{7 zC^tLT8tK?RjOb=Yp|nj!Yz3R5htc!3ncx(nvydjp5@W|`VIfSg9241+*;@7L2!nx0 zVWtL`Z!ONuh#G<*YNjBLCz3ICE>P26f z4#}{G9%Q0%)Bu>@g)sbTPm>4vhe?4dB1An(tds(o3PdU+M#>~o3E+xV@Sf`qM#WG{ha6*5JL5^|Bsr3y6=Hy*<6``#((rb0QU?ZIK>K^ld8(lPKXejQQu#3Vuf2%MXQ@7F3W-?Eqo2gEoW1 zK_XM#^3kxZq^sg7mQ{A*F#CFH52f5Qln{!0_`-g>z);yA0?riq8 ztcrfApVB6}_t_yi_~C5P=r7AklZWJu>@>Sex?k$KXz@Vqp)AhP{yrfXXL=F zSWv73PWzWd?rY6y#aZ>vDe3&{ZFUTo4bJh;={@t?O(E!(L1y3gTdI!SM6W$+;ofqw zXZN%=liL(^5D@2ECgUHMqM2J4e^DGL<(-$ec-C&(mlAD$ZZF+;ZHu-96h0PmL^1m= zv^r)UTJmcjGe7-UcxKPeI$HSSaIejV$B%w(raS6=B5)S(e2Dm=Yx>;cCE4wZH}$)o z&~xg&F`i%dGp^yzzMiOD7T59n9-f_qt#vOPX5RnR%NQXfmuZo%ACzpGx$d_)i^d*K zYANxW7g&BG|I#L>7R|oun7K5pPgE2?-{WQXz9aiaPZ)?6b;wDbu@N8qW9EWOfwNl9 zstCGTkfEQr2OIF7E|W89N^I=VYi?av%O1lkB&Jr zbIPLJ+))<;XP+1`c(22qJt22X*DW-UXuCc)@sooO-W#!SSMCNUG6NYJPBBp<392CZSSzh z|IX90$=~q4bduyNH^*GuUo2h~rCT_Ezyfj`clN~cQ6;{dK#AzsX`cmtqGN%5ALtXK zJ{*>19>#Hz7`h$F%Po=I$m*1L#({f`M{a)7eCTzD=|TJKp8_y_*{| z#Lt~gd*xeW3KY}2gJxM3OC$W=DW7wF#DISsJ^0Tqt2Ykj1j*-Q-{UBgRxRQUO{pyP zSSNEHkX2E%;K`A+Zz>lTt?^DudU(rS)IR;#+@1@UJg%(VX_h7(nwb5-dH9Y!%JVZi zET_BdN}E4{Gc9+Z|JTJE`S<6~npMV`S$X-2b72ZqxdT^jUnXEC>Yrbl_@6WmK%{ki($U%^h*Ng{i@VN}zJddX?n(rnmAh`4Zo6i+=J=MRAVYWVMV(Iuj<|8eVi|YP z-23RGlh32$MvM@jAE#=^S!a6Q_NNQ0{g=+q-KO7mB;iRi+7222>U-|OoTY@}vcLCR#d~|na-`!`9&FzS8*mTCs z&pUpSGjk&z(%a|rGC4MH#prS;*)l||)?1`M?l0cHb!(}9*1PTYz02+R>tnCxtDTyy z+g+5jD?My{`uH{H?##W0{&)uSD_rku02eNwYr#2n@zU)>e?Q!&;HT1&OG`|xiYlgq z{waf}wE5)NKyYK+CdKNjH)Dr7ax%iayhJ?)A0HuDk-3~-u(NXqox`+*m}uGig8Xq& z6&}3ZX(t1UGA>M21vlq>zjpltb>7a=eQqF}~&kQ*Gwd1IXej)4D;wN372p8VJ=s3UIiNw9*23ff2olF_?i_ZL1u|3k#*J|rsEV7< zCTh;;Z|jRDf7|K-J`EZCDbV?ko;Y&KzLKyHH@@3@VvFwC-Qx`1i;o=5?ov71fm4!K zDBkx!4>+NT6J$bt^HYxhOkCRX@HbKC#~yD<-Rjo0K#yi`*Q3Rg0zZBBY~ZsWU7Vyp zen|M8D&ieG+7dw3$M*V!xc9gQNlQy&}+&K?_E;W%4l zzNTHduVO=aJU1nKXhC4W)BVr6YDMb6Ez@7>O~R5B4wH*p#STNhxmKp?v~|nq^lZFWD%AqQknIO275 
z!W!4P4@*Zn=iNGW)#Y;O#g6&&e!zQmZnk#$7QYeXVR;fk+|PcHb18A-jnSWO{%pFx zkI!e#?_bGZ5wx~EtE~Low1{E%d^R@wWO--KV%gG=i|uBvd_3!CxAGGQiht-nb%!8m zi@fbu*E_p>clkw%=HaoEC*S+dxiHW3XQ{4T|EFi)2^{dkrG0eCgGY~Y1}5jeoW3S$ z>As)Ju12}^pWVBcfB#E=E0~+wstR%w(t_+gh=~(ecWO3 z_@jBFCL1TT7Q`P|*nOpA*u}sxV^j-XUQiu&>h#&xPb<2g-Q--k<9c4sgk7Vuo_zPq z07Xu~q5OmsEjTxBU0D9xpv=BQm+XE2g~s*9-O?8ai&yt`>(-S&c3HP}iMPA*Te&=b zckR)&?E;&f+OVwa6Om89=nZ8r3VL?Dxpz>P7LmOb^AkUk=I)kFo4RDPR(EsB8DaJZ z7}9+IFVwBg*Kf?pNTH5y-|{c^o&>y!YU=`0Ft02{MBo9Afxf0C4Yaf@l}cMupi)3= z*~F5WCX;q(nh7%rr2?{u$nzlr3PPU(vX)&bhysG5Ac}yp`~^f*kSB|XEV3`}oO|yi zlM+Dx-{1Fr?=#;A$;{k)?%D4-ch0@NzF(&zze zs|}a0JMGmDn8wt8p?S+})1tp0pE|$g)lM0+=50^z>AUd!o_QlSu3vwx$(T*+hL3A; zYsCB^qt6a~Z(Yu$$zUCO^2QqSesF(P=q(FZDf9rOl;l>sHTfI7=BZrtE?8 zZ@-xTV{-SHWi?v1o-}0i{Sotjk=|H0>C}$CvAL7Y@|oi&Iy8>kHSU%2F&~b(*m1bK zPUL`fVbcb;xcv5{6)S%D+h-5$`O(MKZU4Hw>vZ(oq)(T&z0&&fqNb%6bIc|7S%)vx zs9NK^dU~Wa=aqK{OJUnTfmyoO*3y)l6`SAaxsrQ(+JuB7agUzpcId!QXRdedm{ITA zTOTx8vv>NK<=j&e0RX9FKd51FmdrB+uH0KweCMSV`9Wo;a{7cZR@?c zV&le*yXwWv_73~tw6eTg^ z{PU@eHqE&eyKBbTrjKM-tje`iG^u`}T9rf7PF~tMJ> zNrioT?%ez1OV)RvpYYl8vgQ$OMr|8cvD5bM&v{@YjmnP=yg6m<+_7V$(tB@+c)P*3 zQPx-AnAp)-d+d<<)>`}x-|TO0$>rXc#vKc9{ORi*RHw7$%zoX|W2%VU(>*_k2zxK$ z>8f1EwT7yfBgU2UBhpjX-}kV+LA3Aq3)i2$HR{O)=Wm6*@KyYzhBIew!-zFAqo;L6 zIzRS57&QMEeeRV1{cg!$*uCHXB_`dr|D#>PpX+~r$R|Yp*8=~M{O`N488gCe%m3~> zg85(n=eNwrb>(E#AH7LEvpaSDg1+_sk$PtO@|yjhA6?&Syl-!pr|L@EN2Nu@w`gG< zH1dCP#x^$At3GORr^LuIQyW+?k<~K>*TgKC%oC| z;5#EbHo7&n?7ME;W0Ux#yw9_oRr{oj{%H7^t^Bc~DvhN9y&7#xwl?b#-lBH@l;bU{ ze05mep8DQ_jW0D^wXhX8WZU6RMK$_GRsa6{mGIKf9*ZnF^3LX`^LHPd@Uypd!wq}a z?3!Tj^ufHn7axikJs~Th&&lx-jiw%MIr*ElkGeGa`^QGTBgcE)2d=Jd+ob-CLwn|U+DFuUF1*%;%uP#|JpRwdovThx zay8sle@B&X%U^yh=aV7zHr}5j)!d)I^_iS~bE|DVA!d1p+fTnfuj`~Q_BK2hW`25A zmTge^Q(;BP!~0%3y|`z?ZsX$LJ8+<6*4VKJ%HKaRC}-dEPoJH!u-yL1Yr78~Tq16t zT^!cgS~v2_yzj<+DgE&IsGkP>-D;d9m6`{v%emP1Oy9`Nj*lBNX6@PZ@N8q=$6dH) zuZFE&vnG4g<;jiYsfWI_zqP9CTSNA&FMaK`=w3TtPg_#4^t+b*>V>C^tEz0>fB47n 
z`SVSq8&<8`?$y6EhzsYpFD!OkYPY`noH=iqga%>bdWV-yJ5=`5+$HP0pQhjc!b&Bn z$@J3anjTv=|K0w3;~qNFeR>tgg$IwnIpk<&_Z|yQp303iDnG64vh&8sS)VNG`N+Og zJ;F^plH{pVj_iIi?69d-jZ~}S#?^KY@`Ey^gcToGTOB5?HOyPGZjR%zus!)ZHYcVS zCQtb?^77`*>5G@`FFh_5{u1`cw>Jk?FP+?}(aMUyaDV;gaNVz>Mt|R{wCu!lZ3^B$ zG&f={ld7J3>PqsWoBQ8B)%%G))2B`AaQ1>(|pH6H@`glaz}HAIuldzRDEKN8hv(ZU+esnOLKQFd9CkfH*Z|K@3py)cis3#{VC7X z35y)GW&UTiOuG+T9-LjIuE@PsCvU}!k9=J(tUVg-Ju_=?#kt;V?CT?%mS#Ae3#Uw- zdgPh>7e74JJ0a})^p(A>T(kGaO_;d8bL;48Lp|PQD+VSE zs(tIx9@E;~s9o)c%|#Upefx^54R*WTMW4(pTat96`q8qRjnkqNlag|eAFQyaUyVCu zk372NtNZ6odN#6V^?u);8-M2PmB_bFPqTVA#?~4c-n*9d^=)%gP5u8BUM+LPTj%nx z4NC1FXS|X*W{z*}x+|-TMvWf6pl35v>~yh5Vuo{WLT1jx)@}8=ow+{0VyvgxvHAsZ zOTMX*{^mi)^;>oJUAcOnRDAMBbdmqn0Y_l|&y)VY&H(;jtpDSY5Pz=!{{f$1`TKW! z{H~ht+vT4aAK&^<`Tr50JINoeus+J-Dfz#Tao6}iJ}EJ&UFG<{ZG8Nn=l}j8pXOYk z=r5sle0&`Im&D%po4HK4-C}5NXs(qAIyj%(fjhDaL@v!E*x@Tnt9I+lPH#xCv}Wab z?2$1hnJbZfT#--$kZ`-TPZep!85Z+#;xN1D@nYqGT`uytB*AT`WqV{82E@V*pdeWN zAV8w!gIcW_YsU#*f-rut@*ufYtK#Bfi$IVi+Z|bXo~jkR#sR{lOCPrj&q3Dqf^&H# zxaAQK$H5w9mr#u5ZbH5y((*gN7mr8=BQg6+7XeD37*NkF4LhJ&-vHPpxU~{EE!7R7r7Qpf*wkNVgGXF&KO0g#+aE{>zy>sTvbrdL#)0tlX#F&cQPg4~lC**RR=6Pa8`CQY(?l@3E{NrDa^ zXhnOqa$z01w-t7VzU133!w_z-`WSD+azxZVh8W#usIs~hMdTbJXqbysG1>)}3-QBe z8Y)wzC`>)=&@7*58_p&^ zdMqI-C0aZY0<;Ayv(bZvByS0lQY^Y$7K1gTOIn|-99uUq7eLtPlEH8bWYuf*KY9X- zW#Li#*6lk4?q+xHmeC^v@6!`G3>j98M)#0+-|p+quPJo6{7F zTZ7Hu{0fWl7i*0l3@yAiqK7Gd6|}hJVpEL2%}@b18Q%`Y-vEsD9w4;+%MLNmmv1um z@`#G&kmN!xN;R7OK;i-@1^O$Z*QdA<6NB!O5NBWvAxdSl6Z=z5^xFnf!QyvPQ!gkb zjBuO_6f6$MvUco7ivJ76k~kQ^hmK29sBfjvNJ%+IB}_F0)r=_s^~yvG{NvErAQVui z43iT$JOmOOn?ZLR#l|KFB%*_o!VMqkzh8;K=%SJo0ysK|K!5Y*Tu-^UQn@|&Ufcj5 zVyJ-tE;^S>N#UX?P>NwPj42dx0cIw1X^aoVsjyuVMxc@+W7Nn*lZChe4T&>mi{3cu z7>!(kC^*pN6Yym3rXD)a!xzu%2M-{LgX_41J0GYC`ngTGTbbwjvGl-r9^AC_#4S44WD(=Ezw3|LqPP?R7D7J`RriU}p(fvgSS3#?}#EI30rY^0y2 z+C@U4CU_g=AHzWnC^Y%bfrcb{fdCHmHzCgJ^SJ1yj@#9nbYXz#tWE6-AwWyXLB+@O zly1f;O@JX(*iR#E12ly~eV_^T1uWi3RVK#Fkvp~o|2_B_ll$9rSsOA%r;U$t1Z;{1 
zGlWvBs8pfY#RPg6UGf9qc?1A4kPZZGNBOC#HJ8Q=g5k=Bp!UQdD+oH+4m9C1r)PYW zGg=1AlG|jAQd7Wna#5TK&@^)d&lsYPfoqzyP-VfXEE~phiC)=F9}^!a;+eR`z+|^} z;)JcI96XoiVBlzy$vz&P7X^{fQB<$2u)Q~2GJ%oIvpJT>cwf6$IX<&wi^@<4(kZEQ zaBl%d1uDtI$Z0kRmnj^~!~)Ss3Yx&?c?}3$(w#=o+pdUYZD&oc{(wXN& z^PT4z^;uG(SS*o^TTVREs=fkn6$DQB}bwQ7QFN zTp1*sb(qi->U08`Pnr}7N}-C`MH~%$9Zc7m8D&D`459&k<)JmXRmi*6wj0 zMH-6Uow(jWDL+kp7(;ppZb(pEFd5)c&}6qM5(^fNxn@FGtxGH%N zKVT>EFA`DoUfr3{D#4?AN+kv0i0Tu2V@}ZDz!caMnI~efO&EhGTj3#jfT^T#S`JO1 zk!La5>P<1mY^cI?aU>WE0*k49C?plJNFK^!Jq<513#dL1$w|=bl4R8*yU0;S%)b&~ zL~1-A1)WR|nP%(2WJQovGGFt24!|NA2hYb4X_DQP;E7;lmqeC#iiHx*QBXzldvLTk zc#4ZW93GYm(~DV$49)?#!PT#KsAGhSC3Hpy??+uA@pL-M0bho?S}1vJbl4P}cl|Eu z4iP|b#;o1d`Hbi&+;J17M&tB_^G^|`R64UWVR94$!9nGrWBfA#s<+_rh-4jt%EWK> zMHUM#RrcEiv(UTKrl&&4z>)O#E%qqL1y+JYpg~Mr(?38xl-)1Wb=AyoTr4){+u?rB;;hY?*1BlIX8?`aP zF!V(JN+5bNY!H;FNPdhSt}0e$0J?VEO-wu>5>3*}!9Iu{iRHj$w5o}Q1qhWu5OV^( zRhS#q*2?IdtM}Ihcmycjt5yjHfDZ~9e-o{YOr0VL4u`*`jB}?>@St+|0JN1n3D^Kw zUo5#5t3_%;C418?D~dP+1w6+Fzn$f_|18f#5chjBJp{YWgi-fmdXXGJi$v*aFw-*w zlQ(V{b>9{usO;4UPR7~{!Q_H=>!nK)^lwt?dt#nujDcy+DCF58#VwY=RpdjwE%-qM z&Htf=Lt+Ka-^^s}EVxkzLQM04p;_o;F~;b%PxL5^6FLrP*`*HeC^ZI?OKh*PoyDgp z5efiZNou9_Wikw1Q6(#(Hj!Xlq~-^*1bT!az(%@IDM?~n>1_q+r()C^m}l%R5kfmf zmkweW>tC>ic^;%hnB`!>GUN?Dl}l_L&zacY5rrUA0(}O4X^VMWp6p=n=`eet^l*$I zGeeV@6o$}l79oaMZpQJo2#gFL3uMP)FA0KDc6=d2o@7d7p&y9_^``M2S;GSN?(rWJ zsX|WYCz&l@0N7-V6E&FF7V;WKIf?BPgpv>ux^?d4K|QpK&!3zVuEZ*ClfePaXd1La)=xn6H3Fi za8n19_;?|p9bTGSfqwX3w9y>GEs73R%L`Bed~WT{G(gZV5BQf-05|#;&7bO2B97;y zam@fC5D7?eh!|n3_+mp#uC!Z?DPlxU66oAOQ;Yq&gAeVzA%jWM{Cs zL0}v{yGOmL*oJ9iJ*PtMJLTc{+y6$h1ZxFZ^q(C?{RQX}A)6HO?o(o;9m0@xBN} zQX{vF3rq=jeypt#QUv%rogPlNyP~%PHBM9waW&xy@H9u54*_`M*=Q7=L`d+(+6%bgF(YS}F+2hUa6X3E*z6_B&1d6#tp1+a zkxjg)d>XgLJn)Sa-)UFS8xj0`HWiK1EnOLC|1iIYoYZPFxDj4G%zPf1n-6McaWCoe7W=WyRs% z$s$K&&AYyN4YUKqYu7c>=~Aq~UDr6rGWx&>!L4c5pR#5ru?9b6`G7kD@fR3GZf*@G z9$Q%BEwzTA*Mt*z0Vf7)PWx!qWNk|izkag)_z$1;x{^i!22zZ2QmEmj*kv2O;AXzu 
z+1U8P^ySMhkoEcUPhY@nPwu|t(r_E=3E&;q{ItlY7i4@ox#;8nSRkFgnR2ZoWZyMR zmN8x0!2}B%*~a8X`V-`r&bT+~y9gmb6bMz!Fm$aZe1aI?fGQYjJiZfKtNX)p%(oqhxEe(e*Wk8*>=9O`S|nAozEXX{)F4{Sw++8$&x@$=k!L%4I_|{naFU3 z+N^%^`Br0>qVs?iRy;l%D0yqAg#?AB-oODC<<-q+C}%<=Y@j38sJMVV3KyGUDHqz4 zzATi~emi2gqMARf$a4^v z<339G*xJE>udKx^Z$~Jb12Rt}9=BaJhI?~cO6;ONixiXZP*%PLcMG*!Fqgl+5_put zh|RHSK?wIg9mnz#=CqtmfOMbd!xA-+B#O0FXa|~~Bo<-&b~58Pa!9l?!i^`Y-Lo_5 zzA?6j0myd%z~=Dc27p_Y$9+aN&v_~`MkEUrixmXu1sRIi(iz4;T*b=^8el;a_~&w1 zo@c{VYHO8aor`rWA4b=ikrKG^e6Qg`nwbc@@$Pds90I~^!Z896*;Gx?hy?a8Ao-*i$VGzynoyn!t-`@f%JBrl zamy&ahF-uLbvc2e>9ugucJtM`K_VNpePJsuk=_|$2uv~*9>Eq6D=+Jcz&pe7A~911 zT`lrkosfWJRA{Jz3y`a&4jUmc<@&iln@r%%chG@fc(qmb3e@apVF&gA&5cdQF$wET z<0zU{x@IjrQLO{(qGnYx7`wR0$O;bevglP$CLI@FhMJ-&S8+KiC$zL=^^8&vM|j5S zW5xy&vI_Ec6?40S#)d4BHH%`HG$b~=6$xeuTHj6hnV`G?b5h}Vm0MgClM1ciZm9ny z+^f-63>9aC0$`%`5T?HJWrETR=9}aPQPnzQN3^Tss#Q#7LpKd+GV~QWNvi3#N^`<( z(pRI1sx^v-nBS<>C5DaW&jk!^GFbR>AD~n(1Su$lveLR$C%S2*hvc7e=9-AJj6n9c zHHrw2)CZ7?jvT3IohQ&^j`!9o-4<4vF<9laGLEow0VuPk_1X?Err3kbl_JDxP4CJs zE$yFMQoQ9bIxXrfJkiq$bKH%`EsJ2uFP&&}KGr={t9Ycw+mp#fM0(4{gsH2w#3F|8 zk@SfE`(VU2>TEfK$D&f3oy0T&%c1tFqPvLLFdKVSLlP_U+~jRSC$N?M=gb&zLO+qZ zlRVU+yjD%ZaJ|~R>x}!Js}QZ2!SW@ofL>;o8YE6!im`IpdZ;-!1pV?vx z92^nBidZ{(C9D?W4>Q(k%_?VZ*kIKmCn9YqkdeQOl)$CKTsKbJ?;$F1L2|XTGm#ef zFjee9rymPTXoC@2DLEI0s8NjK9f__SrLuw)@Azvzbk!x;awqpXhAkPi2lCq-!!;hM zT~cZ(WR%~>3H@&EMGtRojc}cOx!irhw(EwwW&$uEqtB6eloKWJsDRs|fQ`4w`Zl*w zad>+BR+-{rY=3M4wZ}LWX;aQrdf!5no^*n-8i0@n(-noW%(I!=; zzD$z=>_TkQ#U`3ed4oe}?kK6m?rJu@+=7{d;H1c?N63$hxsB#?zzoy5fw)c zdU#0e!rZOK?9G9XpBe*7L5{dE4L_`A2MQ0(ehYt|73XcK)bR`Pxw|X!J+?fcXE4!m z?Y;$2GY7!_?4YD`M3x?8H;9%k&WTSRAQdkH_1_b;dR>Y)?{{C0N5B945C-6DnSzmv zbFHft zeTxWxnEDtG;?;0~O5FS^`Z!jF1ad)ndIp8r<)JncqOkSrnCG^hv)_);#ZhEj#x0x~ zA;I-jjY`PL*Tqt41?^5==XdQ@F1OktHlAOewD@7`G-12mS+|JIFw4V zJ2T*|C!6CEOi{dFB{{AT=_M zzc|F$lo(ScKN0(uyMrC9^5XkSpqrnSP**- z;w3#6`bKR}@nfct%~gz0**PoFR)bws~RUlfxe*dx6 z(z9-k?V2p;NqbeIEp(#}`1Qq33%C{GqIXUWKz7cuj09o&8K0 
z9MT1<8qkH?4S+_i4^PP62hXsdXnj|^++1`73(N)Mv*-e<`-1I{s@WvB-rtg94A6gg zm#`Fin)}{gUT;zgb5fy{y4@1|X+>;$bPjDzuSnb+#!S2b=9zB*v3Nqwc2<_SnMP)? z#m4!_k&MCOQaq(jvT(C-$Sam8>4gffI13ug0;OW&I?qOHEeGlrt`Al3Ph-I zk82Qq8ccotoxvTzNFt_8tUyXGO6^q)+y$6Hx4w<7bnC|-CqMo;!tJ<@y!Z55Qg@tsU3*B?{S&c!E#w1l-)ZF4|%*Y!~{B z@AGQ^b)6A%{a`enP1m2JA1a2_%Cl?e$P&%hinvr8i{kF(8vI8#M7sBN@8HG$aaZ3S zy?pYQ-qG>l{@(NY6-VzGCJxk2txMQWHB8a+t>?7V@j7ErLwj+F`>mRu-y!L3n+rh4 zy#dq$F=1WC=syQm-}2B6Pi4r*ARp$_T&|FaUOfpa*JP#PTXL+ek(HNEcwXfbq_%kA zKiz+}f4q;|ThxKs)XKieZcLi9p&Q9a&w#U68$8*lv1aNtBC|a*@t^h?8p%(%M2b8q z4OhJ^;;f+c_VT?1y7U$uHd*-M7DSSmXVB*3&Bu0a*>aQDCl`Ny<27+x#$llkjRC=Y zZPcSDkkm)KdVGh-HCj)!dW6MPqeofIHHytpUKdkJ#XWVVbyl&0#DG!>XDy_RV_35{ z9I|>jqIS+4?^icL^i<8^DzO|i62!`*?(8=dv25K*4#me1g_ogsjE(LBS2_Q5j(8Pl zGse{02cC`8Y`9OR01{;f&Ezer8*RP$thpO(&1p>~iuNs@UbRi))DTIcTOp7pI)L9o zdfo}!ii^sfM(!ytuQd>pjXU6*H4*n{!vJY+hj4Fa9tNv?8Mn-gEor%yx7aTB`kjy# zVqI`eLp469z09k#k}d9EwV8&ZZfwXw5seTA8fEvKCd=NbjuMoeylqN{oKM4w02N%oY~2kaGWktEv9LG97#(C z40TW1Er~v}4p-{S=~b(nw6;F~{b#LCq@w$2x8TkR*WU_jd_5_;K-rU*KtQ(s@Q2?g zWOEAtCEq+hUIG*^971BgX0SvZ%LijUvIbqI76vRPfxx63V#QIpPBIM)1@vY;yUcet zyQD#0pX4Nzh8uksNa8xxT%rZ6VCH0ND|w#XVF>8$Wb3n?Pap4WezxSC=(->ZBRnJ* z8*i?Mf20^naFXrLrWfnKZ*@*%OU!5tE8KedmsYF*<1rN2-rW490Ut+jp1&#Z$}=U- z8gTJZ5)%HPZp~ZI2Z;uJY-8;LiyT%_&Xj2VZYUb&pc82?JFl=nJI1B4jmG>ruYHiI zga0j0Cx07bgbFw3_)@}MrH%U(S^Ul_bC6vQPr!_!%cjZ}-gV@DGH+Z>hUti>EQ1+x zy9(|8950HM-xs@EX8?XvZWo67fz|!M>N=kftnLR^_XDf@{#ac+Tzn?r*XC}wKil5? 
z{Rj5;eXzHWH+LR?`p?ha5)M8fZ(GOd|8|Tmo@Nio)#8l(nk+4<1Kygam3}SB;gW{p zpNPf9p?~0U|7Cex3PS>;=Yyk#cKL&GSrF?X@kr<-r;yE)YJ<$_bI0WhKVAXS5+MU1 z_6x~OyhdlpyK>4B?j4~rZgT@j-SD8B8I_dK#Lx+#5OC7mVel{=da7Xt#Z1A1F+7PW z%pH=r0-kVkkww>~t?;_Uc>Q4arFnOw zFr?r6-cr%K7)6z0s;k!dUK{#y7tQS+>;`xLI~lQOZ+9uf6m)hN`t9S$ZEXHMj@F0U zaX`M08=Ql=Z+=0jZFCRiplFlxVoISGJl`X^J4HCC zB`P(NEau{m%H@FLY^4aIx+aK-%4}TZ< zd}sTUovlCo^J`5EX4Y;3A#VPLdX$Ic-Tm$LK)RU4T>e||=E23_qbj@>nB(=Ms+%}> zgodtann+R6OebxpQysZeAecpZ9>o~~G#|J1^K*+^2PBkkELYDVVD439$;v`D@y{;{ zZY_8lVdwn1N71wLvTF3O!%R?U8DrT5gI|3o zACth@Iz)u(7&bUd4D+9Y-7T!omTe#`LzBXY&2~U1`(=+@&K#-tZOFNsjDrW^A9FZo^QLg~g?Sv79T ztK_Ckbt3q}2@&<#TPDc3Px=C6LY#CGZ;_2aI2>fr>nzUK<>XRhYe31|xE5 z@Ce7^$i}{%giKSbQpvA@;tG666hYv;7!2}}n`j&pj``h{?B;e)Nao!jw;(6APe%C^ z2nxmtgYi)g08{aW%Fi_wdo?w7RhoywDgJg@B=FN9p4Cam$uf&i@hu<9fPyfyYejKS zO5g=Yyg(OTSnIZ|O+7nN>?0Qxe|4Qe?-zK7S`HFL$aa(monXAtam2X;G4 zV(A@XvONR!ee=~S!DAw#sz{5sXElm5oQDgM#+ zCO&AaVnr$~Bf!Sn8F(h2Z zr>RpCX15{sflcFp5zB09VPD?kWEgh%K_Ja;F{18f`}2MqGwQ_ca& zr<|MoxbWNXLb7ax!C30KEc{`(Nh_T1UI?*pME0lwP8)6>6!6j|MM#im1zfzdkpsp% z9lhbOngwa-cuZkYgi3fL8C72BwtH&M>nsn!^JBxU_$!Hd06##$zZAJc+(D03mvdHw z0vo(_K&YW+n!LoL_qM>y_E^C|a%%%zzXUvTk5}jqg$PB9T%`QaF~kq|gxCh2IrsUKA-f)Y_FUpTAOK&{J9Bgs+hg@Re(`(jurvG!~li;G$(IAoYUwW3n3 zsv*VeL(+&EW!&to_->}6DX<1u8ja;D};F_oP1UGs8=uIWD)h&C#K?Sq^q^v3%e@hWTxrORO zgz10j2-7xiBrk)_{_KfAk>YU{14(zCU7~EixbXB52G=N2H0D$A_K$7q?Ch(u9Ojv3 z47XPz3>sIUgtGW4M(E#f80)CDf+LZX%*&R=4ni>_EY(B!A$R>K*K#EGF>%_9atf=C zi^yhHra2;`nIf{Y1%Z%M*(Iz73cGQX5@>7_E2H2kOl7K{ZktX${LGn>0T%IrHrSW%V;263YceDWY_{!B}eO&~= z{Mz=^taBQyh^_-3Rq{26^lVlnSO|LQtcJG;EH5=?17L1?llP^l6-iA}721d|U#p%E}JI7^NP*?{9`_DeX$`%^>4 z2@Dxv(wPX&M44CwCNC@z><h3>$hoXz$qdBrJ~ zdDEO{{nu*wYAKu$ATzhE%4T*XKHa@m69qzP0iHbe{HKQPa_Wj7(OGx!vd!;l-`NAg zv>4)S0Ih2gcjeK_BWqQPob==Z**QA(#l}IFTu+-}c9)a9lv0|pA^~m>7=sp1phpZ! 
zv)gfAIYprVX{V{BB%(> zDn$+a+@Ts;^k@3Tl!l5?j@+(!Dm(E{30m0U8+_eaJGCWnIsW8U`z7p@jNSAKv7Kxf zB?pxDNXpqR2~D9yyS70gCh?BW?@-!#PA^;W6GwPvH{sA1-q}J0Hv7{7>WXfe3N{1&8sBi(m zhi&*@2B$U3aR$o`Qz-3HQDm5@EEOH)Q(!l{D$a2WVtZ`{!DVd+f|B^C&5*d{BO;Px z%$JFwW-D5bDT!O$RKzQ?QV7_S!Jf3(AckJRjLPHFR%b`k4&$Gbt)2C)Q-wkuGpRtN zn{HkVcO{x86_?^0S^(&4EG>@sb?CN}WMFRYPm=BC1Kc#(bupCW1|xu3(AHzhR*`&n zDzupnD`~;-yOKR6%v-ldF8eOfsey?|d!4;TkkonCLdwlt;B;3qzUrZ_ZZpPy5!XT9 zNnBe#*yR~{n|q}&9+=l5L~2%XIc^iehV!{b0MSQAy86|fiZQxgx5)g9CywPXU< zi;;Eufg*C|aUby-qb6gMd^{w*+!W7LwUr>I33()%e0<{Oq0<|v%Q|opWz#1o|6d(M zbw$y{DLoI(0;c0zM`nf)Hw*LRZjFU>jBlSCI(nZuh?B~3MqDpT@; zdYua^WZ17^%K z9KBrm&(6NtKW6^`bil)JG^-r?&kI7aZrxgJA_YvAt@8Ri6(oAzGHvI;LZQG(y9Ir2 z?Fdz-Oi`z#0CieoquxC^V8bk?bYiO)j+qnVEJI|0YdR-`V1Nqcpn9vNjj{tou)r); zzUS;SXCg8V62yj`r^yiph8T>tp4{7;n>hKOY<}WT2J_bnDM&#u>p1#AX!SrcJLK?#=WVqFzK$wl6z(k5SrcE{1E zCzf2Xd78llk@K3{fu#dxEY2zxHlzzY#)}thgY!F=lC&z*7OpuT&m|C($yCymh}b-B zq>n`I*(RC;y$F3d^SvL9rJV|7^zFh+S$|ed%j=$-1+13)OJMFQ^mYdk#;@s%0Q`5s zZQ8S3GX3%*$^#v&M;NMQCWB!eAunMA#yd1Jv@%jb?PSP1fZm#yELg>NOZfCHAX|#? zN-lAy2I@jVr^uEN_r3LFbYQ9RE8r=g_ zww?^SqY){BYer?S+fnPCIr*?6em%Y~k5f>FjPfg%jyD=E824wU+C+>!>U#!@HuKJe8Y~6zYe(Y+k zTYqZ7gW46;SGuF(!ruO@5cFrS1?zMpF^mJ>Aji9==2;Up$~3M&MBuEv2#fhahVM-Q zgIIJQ$lnL@_ksM`f*;6VGx=*IP(QmAkmHEdNnY}cL%^JnlJ}-yVdRz%BpmLfvZJ5G-|Dm`E(Dq=W33a{f5KtG&{ z0{2I%Zm9m1kC9I3E9d-!cHgYu-rla`&vhf=9e7zw|J#vFM~U`>2*C1aP)G_fIr76~ zl8&3T7zKLpOkA5w6twV_T}JK4-n5pXZfDsA+3E&D0{#P=G>`=;P|Km{VK<^H=jC99 zi+Jfde=tCI_sYzu8c9ZmqQ@(u%t^tysVfoR-R4OEjU-FzKT2Xar;qpyO) zzkJVmiG3;$UB;}g7sU`5jP@|QJ|ASso1Ns%$>wP~EN|&Hj;Z9_7zj4rQ-@w|)*YMV zy-{$ix&s%>vH7#P+UfY71ENh8CC<1Uw|VtCu>r|JfT?NgoqM>Wt*+ORUe=)8=Q4mN z)jh5P^xpBMf44h=AM?vC)O5hwAYEZ-u7^Kjr7Ho&b3~p*TC+-tAaS+cOoarn9(+k! 
zsFU0G#N3PLtMNKh<*HHd_#ONgIu2?cv?AbZz^Yh1pyM#JZGGaUyZmHxGx?%sLlxN0 zlgp+x1+##hv*SB*8y1Z=c@9fp2S3`JQ{#Xw1BVz4nUYM`ayFa7fE+#IcY2b{d5)nF z`9Oqkt%Sd8B+3AEotY@+Fi|caHvEV+kD~9vlY|X~ScAy=*ll+{9R+yUhc2}r=)#v6 zndXZ&^&(pN07}g-7YcYsk>iqFr|m&{dr{z)}RL`OLwShEUjIlqd_=3^IJyI zJ~cpD=BMVCcaC||*%k=zd?UD&5OSD^BP{NRolRbUj!_Uw)QMRaS_^=Wp8iF77HW%( zN$iLS6!11TMSiQCu<&BU+$9(A96(;ohFEMs#>thhQFxSmjrRfAdw{ZCqnagl%-B`w z{lST9E|nwGf*3B@oij%foZ?WmFou9UmD`|>A^G&q0LZV$)4PZ#`oTyR z3TX-HnGDN|22rp1*Ey@y=d#ZuRo%-U4kUN6?%- zDpBTw!mf~6z`irD6YCILGjrE#kpQV?=qTfE4r*7AR->WpG@*z0^W&r+u14R<-cD-G z`r<#q=M_&ybYX#7J6P*eXXiyKdeep-VO~2-DUQxy1B|8~Dgd|m{Pnldi~=R>Jr^t+ zu+IzmAOIznkX0Y%*tK#6rnM@6hiCRBGkbiVKBqNI{s^hda`4S zo?TX4rZO?(JLYwn zsZp_G<=VFUzLIC!%`;qCGI1nydA0vMX}_8jH(CEK*&khD^Mm9$`X0!Ylf1j2qHCr? zreb5PH6@0<7WP%{bJAv$Thy7EtOw~;Mw4G$urCb(94L6|j-!!WN2 zi23D9NWYV#qh}tnNf6gCWD^eiu1Zl@3$K8kz9^F~ zca!#Z_w()_*sj+dv~imEhEYG;?DC(q#MhPvR8>P@tto(GZ-!Sra^deuksxeUWI2zP zUQd=ie2+v&qD0L`))`cNlO>iF{ffxp7E0inER#_R>DhW)n$9vx0m_bq6a@g?u57U@ zJ`;Q~r4i&lqbS9zrC2MScO4t%d8UOCw}bPF6*Lv3gpMWqSfu z5R<5qBiN<8K`^iU6lWF{oQ~)rcDakuGD{t*-s?Oc!ydZ9BmZl-ZrjFdu6_=)t(fEo znB`1fIGmaQJw_dCTgz#nD*La~DxXTdw)_oulJ#A+Rbh_wMX>XN;jZG3b^5iM6jo$| z5O}HDs}?TIx2*Nmd;q&>YpVD9W1b??b+j{)jzimC<{Cs=!lh3xX z+}5Y?^WT!q2Wfr5XNEp8N%C)#vYgHvM`VOBEfUPunnqN>{0@%IgZn`QXTE$oy zlqxb~@f(Ies3bPzi1k%$cQUJT4k=y^X0-Wrhhte_;DFOVpAk_YW!i;Ct3DF1k7Ns7 zbVxGx2fm5HX)!4KGcWs&^sAiII@T}8ca!4sYHA}o0(O!;JQYu0%etk0vD>H!&UK! 
z>x#bsnTL(|dzV9(NaQSm!mnrs&@2%f3$ z3M@+v)sCRGK5Rj}dxw}dHeu-Lt>bogT@LtugpKF|TL&zTB0Wup#dR@dB~DddOm8VL z8Z}7nIbE~&-1`+5(Acn}i{f&oS(1uj?vRg{q{XUtJ>vkQ*T`sKzzy_OLmBFIj=E~J zG}H|WlT)$KK@f_b4CN<=&E)AJa9w|Z0wWkEY@0Dg(^ZEY9wvJqVi9k^F7+Ze#|bam zRLpRo$Acnc&6XYZ59Q=_jVO?=2YXC(2rK!&ofjPmLuAV18hU`2{5ht zf#SqP~A#Dn%R$SsOAhPCldaQKn!rT7cB%D5(J-SBl+7WmYM&>#*7AaMZGBm^#oR=;~ zCz+r^Ygmk4)5Ku_2gDQftMBNd8x1iY5?$wvG?QBE6lv+o3%lxgkJmFky5iv;Fk9AX z&rG0fI6X^EKUgQ|tO?<;SkCB_P9^vT)q?j;o$orE0%Z^+Lp1U5tJygR!$o+?cd%DJ z_MEyWTY(x9AH;yI&{d}6ZtiK}GAd+zh|MRWI~-oXR5UX$%boUcZ`3iV)Su6LLzXe~ z+YmP3qy%Ez#Z@@ZhJ;7A6RbBP=3_R}>>ic1%oS8J6Gg`4mE9~f|5bPHQDkVB+Xnn+ z`verRAQxvekHPHe_Q*1<5QmeiToTTiF_6`uGg3V)XSQ+P zfXD66*r%IXye4`nY~&9_@$Au*ztKtX$Ex^<{@&xFKPzVyMl8uDuh~4`a7W5=1uro2mG}ew(h`%ERQ>ZNFT3*Mky}%d7h8du9j$$ z+m79Y95MvmRVilBxSW_&InMTDLbRPG-ymCs%|0>1SI#Oqn(^T(xEj68INQvn$~l~p zi8DcDE)0DpE{^yDU=CrFz~PPaDa?$bACSJ`;IOUNIU1o69J1CoY027sE(#xpq6uoHJJtjw)6rK~{_$~LHmM0isanx15*}1~A0p(q7a8ARfL5mRVQe{rZu3&c;$>JbK zzNs5HnZkY7Y&RL3HRB5U6OvT?Sk8^9r^2Al4NCTa%_lfavZ@#vpIUDu^`qLKv_VH5 z;As8j;)hGU`r_sB!IS;fgn~Vjx;m?j-)`ag1Gu}(Apwz{Qkz*?F9(!fJu_oY;(n}S)TPZ?QwWHn4w2yYK z?F@NXRn6_gA6;VZA(^|ceE}3j6f*%cG3l8-0qgKfFJr0czVLdEluPagky*M3b_y{N zn4^&v3jj_A>o~|evo<4?&!Gh~dSzu3b`}@MuBtxG&UzE`z*lJ_8@iG44A;bQB~;zHt|Fk&ZCS z5o0xqt}LgIErx;|X7$cp>GOTAX2NDsHywmw5X`y`RQt&FUzAgXgx5^S zB)`litXB%}9-<5Q3`n6eAeH#EC?7p2b2ft^mfO(?kq3>Wq9OK0)fkvw!Qp67>Lr;9 z*~`x}{Nk=`C&tLeB>^Z4NS*?t#h{l)shi?0t4UVO9veE-F9H+jB)_~cvY<=$5Z&km0NMkw_4!SRdz zBQ_t{6Bw`d4q?H*d$xC&y!!6&)yt!OK5bcBIAm8DGW;n>>p+?rz7_iD0xLHu$CCot z^PE$_vD+ZwpQX5typ*Ml>|sHO6P+YORv~^cLFW6fF=c(vHXX2UAb)_&}kIF4?f4hD9Pk zOPgI|tZr9^kG0h#z#0cod=e{UgW?4y=M_}~GB7ODMTMLIRSIoUm#4QIR~Hn^d<{W254OT)h8 zNl@bk0na<&4{5>{us91!d9h{37v0$uKU^W}?r+ynSvXhSrd(+Msw`OwN|H`b*-kQ7 z^5!IZ(xq%oW8&n;>Z65`5ZB&3#%Qh$llv04;M(XFJ& zK?9KqvH4syTr?QQA*MXJEw-3zjd(DVH-_f7=ia+JjHW0W(G&^_g=k%A_srn z!6hVV0Z`OCF<)>^_wXHc<<{tu;B&lWg|3)U_|gPrt4r85lQG8RmfKv{2{2LQ!$F0i zf6(xkV`*v3^3{{mRYUklG9jm(i5X2)Rc?LGO*&25PbtZi2yL7_s=)uf!#=BYO_dnI 
z90`p3A-4nP*miWY6s`FV==mF?2&GFscYq?1k?%IfTENmGCsis=Wf^ZOPFTy=E@Css zdKjx}^*pyGE2JUSo>W+I6*@bYGrexa~eSydQ)yv&^HU5$9g3OO)6DQc`4 z8LTq#>uxhoOxwXBc$n5^klFQE1sG(h|$BSM_nF{~RXn zA3k$FP4@p34>KQN1e0`p_ik;VmH%g-e9~b5zqPsb`R9TC|7V|n_QC%DSNS}0$UdsE zwl_EbkQ`=r*KpNNzD55eK#s}(Sa}5hC9kX?M}oTOr#Zs=Kv<3l)PUQ%6kJyCjKVS;=(S~vKLUDHQ`LopdkCa_bPv5NKo zMr|iUqP(_1k1H`~rSyFSr1EV`qWW1`NMig{)zDd4<>Mvd%C(jO^9~=YhE83bZ|imu1%`o!*3b=@9fAiHmK2^)BOq%0!!73(T}{X-8N)ELPjU;GD%fdw4@7NU zHBGi`thz36Ow;6}K`Z&l0_|9U=yvLZ=a3;ixJ20J!T|4ynv5Hc)$0%QY|?h%)6*G6 zXKVWdc4vmGalDbBF7+hYP59rFQ>Rn#4gZ{)4pDSXI5BcG<(BNpgA&Lg z8)w6Op-F44x$A69(FT(6^N2z~tgnBWoRG&cM#kz=3?ipf#G*LE@z=k~rx;Gnpn#J# z%wKdm9SUaF>Ue;#fdB|@8w|$Alf_e&jwmREGhrC=HC7MtprH;&7m#VL zW1aX?+l>&e9-7ug*3Kk6JbBF_4o_a6o^nhB-TKb#Pp`)w`gfzN4%=yA8I%@M_9=>i zFsWqJ$a>X?cMS{%Rk84q#2xK&;!{+}Uc{jghCsbU0-k52q&6hu&qr7=K1&|^*hH9cR|Ko#z z@VEXn$^S4?-8&2ZLL?ALM_(#>bWa;YzH-Kc7m**luz#>Zg?2 z``wg1JF4jcNN=m_2^2k)dAmW?^GIY4_fYjXGviOJlN5{$DtAlif!W|OiH`l`yBW303{*cTck5N7?Vx_-6f3~vH z>t(}XuZOpR)nS$&oOP~g~YDSxwe=cs=SzfjnR_+kI7%DhV&9uwut7K z)19ntBrHBQX=|k`)J*T`!INW*)P-m4sysV5-hYnI@SxXcf7$;V2lTqrC(jO!s3!8< zFl6e(*FBmDc>1&8{vf|ed5YnxalJ9BHc%A)%SY8J*U%2Q)jvvX-=vguDOL(!Nh$7R ztPs4BGScl>A$)}ka8zEqXfhx*KavbP=Se%i+yPz!71$dTy}ko`5VO4u%kniPWO$UE zmqJ1~^E^uH5Sh!q^}RO&X)7$JMpBN%T2#0$ZHgnnA zi@?w%*TB&H3K&@ag-~!2YCv%Q1qR*G76GAEszKoe;t;hJ8t_+b*&IGBak-+{3qht{+acyaIUGaIn%K0~&Z=J8p zN^t%y0*3Qq0r{Lq>;CsT|ZB5bW;ZV3K1PRHElPA7->vfLLlNY1fi%809pf z*D35+8{?B{K3A0aIa$Srt2TQlb&AZxaB65U^oZfrkV&S2r%sv|)qtM@<6I$?MK zAPK{qb?yU}Mc5g{ijf&~3B3%*9y_}9X3&Z<5$y9;z!_$}NwY&4T1c&!9ke(E1x-H3 zNI}LeEJ!h8%Jb+(Qr<^qCOby z3hF+5ZAvrz8woHM!915(A>EiytgwXLYA&5=*lLEdxMl4=(|sgM`XDrn80!cTqqcPR z=Fz8S0_D&rI^pXl6&-~0rv!PS-Ncy+yCsSGW2bk#W4Yl_=-7%hTlIrj4~b-n^K_TX2{+kxO@u<|2a23TZ(J9sLL>r>Sgm%4I?%nJ@Gx zuERW84IgulW`*FVOG$jzGbS>B;kw&5@uC7P#s*>KyU6FwQ1P0)4+Re*Gwm{gmzGb!)BBDN|Je49A^fW!sB|?W@cystzZI3 ztf{*Jnmb2F?yY1Ruh8d+WR=87oafLQyINnDlKzl8Md?L|WIBUnG6ZaEFSxp!c}Fjk 
z(NvFIW~oBe5=U1zN4V7KQfr+6i_9z;?(9U$`(T|iN+xlN7N0T-7E60!%?Y$vik~>UA@-^ZKOfEoLS0`_x-qS;nTwY-gFyxzoc%5SwDt5Qi z!;G)w#==1^zk8!QI>R+49bLFHPP(Br)r|sO*fR81GU>+#?0rxEEh)EfRCdLu$jiBd zN%e4Km}8K#p23p|CiaFuDRcmn>{Xa7uYjf{L;=Br_mrTdb&3i0_NcS!A&EI(sHf`; zfkX)MNPyai3c6CYj(6cL2g^A-TZbyh2|!!;Z9>jGXx3TYvV|v;5Hlef7WOa5s~Jh! z3P~0AUF90gK+|upj&B4VspBM$qZ+e_z02UgINi5_?%I^Vqye2x-mvKo8%Y8 z8?>Kcham2&O>?M2m3r9~`y_35O)-70-CAIJ(i$uu9*9CG+H@sgD;{8eJFblYr@;e=0guaWUfYz@Q$ zAqK}3M;ITAtrno)5~Cnw>E39|@!O>I5b5A+Oh7W3R=82y{uuOw`?46#a_>boyFik) zo4h`uH0xNicE-bAp^i}5NKz)e3-imA5)`#{pq*OTpEx@zE<*SUhx~>T2v;XN>szPw zhNL@h^jiBH~#L^|Iar+|NP&QPakNEb3gx^)Bh#cU((Q)lj1;_VFN86mC&1yN4uTY1_rEpCw#T8q`tGsWLf1w>TQ|LrUbi$@}Dv>wQ=!?-6 zO0_ghGv?i)Ca4Om?*y$1cW{1o&P?Z071o}asK~V<+>5hxUS$co#mVKSCa#sp7p9sR zhvoF*KQF;2a+RN8IgDgSGMp^vizEp@BO$%j#bE?PqASv}nmRU&LHlV8Ag*TD*~kWg z4-$1bI^~8Ts2zB63*<>!1?)Scz_`*GmA6D>qoy(R-rEl_F+D)39Ax+0uV5ec_FQ5jL%nyJ+}%vh%rQKiDv z2$2&hS}onSCyx_>tSmt4PI5$CN(*jxNW1mj2<3s7BhI~sl^O0%^7G~|E!hgvkxsO; zv6k7G$%=PfM0zZ*aJOPFwm%q^L5PJ0u(5Icwn*wwS`3On4N|lokAr z$_wM|N(5Dn^wrZP_$*7 zbkzEhB>|=MGR-+X7HbK?7n?B<7Z3Gzq_8Fi4+@SNmjZ9x(xt1V{dT3x53oo+x; z9dj1GQ?!pLrYF(Fu8ru^!Q(q8Wo|@s^f{| z`@Dto0V9TQ{Jw?rK($&Ody;>R#uQ}hJfAF*(S^8b%sI}-gt8-2^`*KBlUA#B(o3`T zpZ3=OkM&dYb#wg>>!)kKgSVZx!WTT{>NpcWFT-=vj60Psr{q&1rQ_HbUFFunkYk{m zNZpk4??U0D14!eM`SwSkR57bKT)cq8`AgSGz9)z}=QE5*&?9?_T_+_wCE)`z`YN@}5vWa#LCstV%EQ zY5#UG!w?@WXcLJ#G)uIdT5eg=egLQXCEO9_(}jXd-J3MPuj|>hP=o92jrrvhYbocF zYg%-v(M-lEstn38dK0u8YlmwT?6$Tx^o7_k;TLHnQY((D`x>fGCq-g}QV)_7K;JGP z?I}m22V^yPDvg_oP?V}0x-e?lO*M?q(Ob`jj9pqpYR3uY-^J^tm?bl(!^%%m$a3RAb=Z2m8 zMJGmWWrXO{I@o2Xi))p=>NL+-*tz#|I4EP_%!Z}PPiGUlXD=Yj11YuyU48%thgR3} zH);ne=7X&rIA69ylTL9xHBWn=ZDLF_>30f0?W@@c^RnjyuYf+B!`_Iw-nbLEpwxO| zfVIabo2NBy-vZg50|W-J7D7rs#(}~2t$9!%&w={*v&}eMZcc%lhPF@NVecHUNxwy( zIdZ!YqeEld=q`8{yizIw`?|(7SBi7VM~Q|JUy9xL;-*-bwE122e+#pbo$*w4@xY5t~WrymwNA;GHr z?JNYM$c7}tsBTjE?#s@Sr<{OJ61ZVTl6*3iaN*p5M>Bj$4aGKx5ujAtJjEcdnCl5c zhn}~(E%V~cMjuwgOEH4}Ep6@MJrn$_!KEM}(^I3cW#F!_Rr 
zGw{E@dwIOydw%fZ;Q8J&_ek@&Q6rX(aG)xC7rAYt{GH!-t=cUV#LqdYGF!{><(Y6x zo`%jGW1Q;KHtg^bETpns-nG@={$d+fIIvsT5_jIlBOezDwO_CqM8Ge1GR0kq)*8|@ ztaq=QBwy^j0frNGk2`#AJe&=5fUf8onj#;~t|_ZrBZEfIPpF!W)@=F{ddY>veEB;x zsT>_8C3o@XUp(QG^!_0(z~yW@o*|V`J+`xc7-AM`UrL!(#pfqv&> zbM~{loDH*yt8q~o@j}#L4=X9&O)iGnWwpB*B9g=z(RF2qFRw&Yj_!kfJDK@%7rX^B zbS1sZi_Yhqoj?ClyV{va>PC!m>@6=C!TY(y>88_k5=2T~ELNBZ&Cw8XF5WaMN!owf z{qeSQ@}EBrPJg^5#Rzf<>31&|o!Mmc*H)_oOGe{|X=S_TM+Vf5AdW z$i-XU+24M@HgabUf-TT?LdpDIOi93fD0pT+(tb8BrZ7i8_#WzYD>(CP|YD~?Uu@s@H?sr z@vq#<@hfto_!k&N{8QW1_z+N|b^5_MWa-b6_WzV694%|*$-TS)7Ucii`uy`x0{j2R z`1*tW|F7`*VE_NY{{LUe{vUr$;p8x8`^9xOmUrm@ebU)xUfw<_M;FDV94kkh&Qc09 zg;RoNjQr{86MkqIj(s72^1SVpau|?3L=U=fPAA!@GTEvTJ;Yw0CGwS|alXTXH~A30 zPs-V)#H+p`JHT-<&Qb0vtc&(RE&ieY-MGLL_71nr6jPK?&>S>f9OM&|d=im#c1ecm z1X%(DRB5u$A#O;>oQL44QJN~={H-cEpFun8yf10ekj;_|kbv@&X%AL3AI!!*4uAtM zD$Mi+En!?5wvQD{dO-8ANorAS@yC-AGdQ7HWj;0i)2^FdoOL91P@opbhfMG~YisLtS> zz|?|!m1w)KCgrs3m&2re^yF2?I9zNY?rsCsdh#mSRyxdx$%9NjOCMty9P1=t@gLzW z4xv1!U^k9f&+JX%VFjrIjm$R~ag0RJCZY#no#0c>r0`CX+xytb8Ca!{@$IY=M>f#L z6Ne5#j?UwhbCo^Kt{kmkHPfbXdZw9Tv@S&oJb=48MrTGmikHS~5z}uPHBlO2d-6)G zI2y4SVXl0-nnue6t8|#-At!dzxsSj|I;f6F1%WulLtyasssy!1OqTw|J1fR|r`Ik2gC&W0<`mfiq2iYYH zJsICF8Dl93Fco)(!)r(#V1Rs$)Bt+0bS$}(cFEXNwkmGE6qq6XvBk_A;w{C?W6t5u zYf7A+C@p6%m={V>ct)u;sP$;$X>wd52Ls$zfuxNwL)%DtwJ{ZX_Or;vepS0Fm zr)Mb!3uR%5MiZnI(*;@Xi;sfz080?RGrA0B@F^#)+wraLO`ekLpu3gR-vE*|kdAJW z2-ZbWE;_;YK|CD@tqJ)?guo`c!wARLFjn4LV%~AtU~mU^_Q|>GtXqRh*}eyumii{w zOyTm1HY+mr6l&4(-k4CDd_1OxM@ju=N1PM}ohuy25AFi_(~NNrCzxEEc247=fAf{wPSP08J z4$8%g<~C#Kdb}mzJt|YyadXtq*TtKBu;UNq9d|^W2%{z6Xgq74{MZazCnZjw!Iq4p z8OqfR^Qn%w?4LBo7}NtLy)LgqF&K-{P1$FoD1Vsbaz+;@jn0YJ-F)D`(V_d6hgUESn14K{SK;w88{-v^u8YyeGlGIZ=HU>zJl$stwv-^W;u}%fRRla2y)B@7Pttw1fyde6$4$Ly z9+J$qc+;DWIrnDYySD0wcYz+?!WIe7W+F)kV{%y~{7{VPfCWX1x<>xAN!b(x z(QLsH-U!3+&@Er(wFFC<>g>qGtawvr!$NW{RDY;W>eppj3V_Ab0VvRD53}p@L6)?= z=$`tMv8y7dSk2JXLY!03{mbSNbZU;g$k5O-ssRs zCvXhEP_gpz0%$I2tPd+&YU&s_2yI>@oqlB`SDq}|h^?>}dNXFDDFMv6?84*Uv>Sw? 
zf$cJ*pzeZ%uy1B;ItwS;hW=84V8y`?xSr zAmz;FfnisS8-D)^Wp8Mf?aSR^m#S>pVcc8QoY7*d$8;|ka|bbs4u|ola=f@0Ot>7U z$-y+a0CJ$&PVKOWeBn0^&MRtw5fPOE^V??V8Y(B4021f3-S2fd$=SHo#^JY7e^fSz zvMyu?ch0ycXChqW$oQ8HB2Lmd@*Ip|`@bfjA_r}yg7PB9J7#K3Ay&A8wMv z;x*$7o~gH_K(Rv3ko=sb@y;oR+^2uqsOe)kdvbSh5cHo|Q*b2dbgn~1|Y46R9R+-tQCbe?Y6j3%eZFbyJ(2jx@L16dD~ey@R~k`;=In$ z#Jr4XN05#qYY3b~NK>8LsYId?uofyuLott+Q^=6yO>V}DVLc-HEYWUK*r=74tFf_z z2LRB?Trta3Q;cAvT>Rk~iOXxa_~G>Xmr`V?fvSx;z+Lj{4$ZzW<6b^6dcew;5Rti- zuRM{a0et)}+jxU*=%?U^-&M;q(L|E-D=>3y*Ic;87{3ZVS#443LVnwmkawMqsGdxG zj;gb0bZNceR??Dq4gRb7Lu5h4;S6@!b=1nvo{CE4XgE6y++NlGj|z8;|0`!8z=?dT z9b>iX3wXPQo8kW2$!NFVmnu?{y~snmhZa*Oyctx#ou-nKM=6!59j43cCtrQgPkzu( zzJq?UE~nn=E*4k&$Krhu>|g}!I3dgJRZiE&28J>vF1T=HGI9ePTkV#$G-}pyi85_b zE0;6iAb^Uod*!KVLX)mypk$`6y;5GWck&yrfcq>MD{M{7!?Yq%^ zj<2q^(QL?!6nI7k;L6k)*)KCL)b1Zi2X>obq;?d2a$H_^o{!*zkakuE0DHnYkd0k9 zq8(>1##>u{aY4LZJ5Mjuu0S1@_wf+G~_e?X1M+ z!^9mvYgk zHYJmBa*-87R`+tX)3zM>)fD=U(|$25Z|TsdTPE(Sjn9Aohpp|;Ki{~$x?4xs>jG^Z zp{&BujBYo%NPGIrD<)G_e2siMq+r!8i1qz8%Pu*Cd<#_9p?LGp;vaQq77t;DHcVol;%m%X)Oo$?{270w z$g2SM)nL6-cCznDX6&}RNV;>cxwE)Aclw5Qk2M92QX&@zfctE2bu4gi z3pCe;!~tA0r21-7W&!-w z9h5r`F4=V&>H2FGhKuw2N45yPDcQ;AoGxp6jz(c{dO~^1#2%z7l(blAOQi>p4f%oh zaumzrb(Cq{YclWs-Wg67GRbWORmq%hlJIO0Nd_w{J(fR1DWfP;qaMm^Sicj3x|VUHsRozmUbewv zOl~oNzuqi&xhwU=L-+yoeq9WQZ7Nc~h=zCoNI;j&HUs7}3JJ_Ew+DM**YJ4NbWn_T zae?R?Jt${WeNtiwc=!uPu|9&YemD67n<8_CF(%r<)CWf}EnM4PolWVca&)m?SPHM* zUa>`6ARo-x0n4w^I7O{}dv1HMor~&fsRp}=MZJdhyB>ZvFgSjZWmp-Pv{{tl_NxdB z^Q>fhP2ym*IG!b!cpRc2ui>CHh1qb#J@O-f;Mg2eOVNYSfi;hLk_`wz%WYG_qG!Q%B@z3m#&a+X`DJp-s}K2)Q{YiFq$PLz;i-X>GIlknX`$54#o zU24cH7YWO(AG#jDC0se5ody2b!iv^_aoLQc7m_X@OgS3qI^BWi4J({mJpCAZm#?Pl zQIMMM#O@-TBPW?Fcc;?4V}E4k4A;vP>YUbk~Np8C-6Rt5lX#%-6!cT3chTYB~49f{0NL=3m$O55fN zO^j(AOX7EYp(XMpX2iwty76=PQC)2UOm%&tz*2rGIJ3 zfJnezhpmyQSU2bxqev>AE-b2?rNC#(fR;#L@F2mf>d~TX&M#yA;Q_8$eV`*qG0K;9zm{^{ z0$wGn!cnb~6FIl!cc5OBJ)W;&KMpLqvLb2Vb&ESn{xRZMfyqUgJPpfRbdt_w&*O}v zG~J`EXGi|bRnt3|(aRaS24KTqymbx&`J+4q!X>a@p7mBd{xo7{RLY$olE(9qqpru5 
zER9^%L=UKAv5jHGPT8a$qd9;_a<9a=G63Z&uQ1{A*K}#6d>I&7(`i&&!Sf8DQA*T= zR0o7@=xJ3^geE%Q;vI+kpSL5uSG=xYmt{1vo0h^)nx;#EcjR@pfv>X3TQ~57Oxe_1 z0FEI2iivNZbJpSX4u^cK!t*<^k zm5H}Nk)?KU4!LXv>(B0&*W{YO|Bx7rtNJz50LOU3P=L&#RRo=Kqe=?BJxA=WRZcvm zDkr|Hw6v&aV>3)<5sm}Gf=sn#V0mW`p>`RF3}EeYJ}1fh5PD3`hs96fmdPrI$iOS) zxJ&AvuRs(FGCJYfLZ-coSK zpeKgBj_6Q!->aP7SRU4dwdnE)WWPc>)jn5Sn^r`OC9v?%$<8_oM4jTN!N4LJY*RWh z+M#|G?+CKGaSp{MOjq90I~iAkmhbPXQ5z}yZtRv(_Y^yq-RKnUHhHAfi<1;-x82a^ zZa7o(JVu&e_*m6hX09wwd!?E0i@dB$_-d|saLp?xD9**KN|*UgV-P@L&T#*_nWj

li1U`*nPV|0%7l+Aazb0B zXK;uVmm?mYI07Qr?7EzdNRxP8;-R*V7G!ej8~1wR1pdeYHQ-PHE`gLI)U0+nVN*~I zn;{}YPM-TD)@$*2rozSpdIwFR@jUW$j{*!hHB^0iR^TQei-kkQd}C~td>)&4_a>ko zJ8th_oRTRyZ%1saqO+dR75|NDP~9<{!?mcfNy%0kpA$|KyW+_}VaRp-Fm$PgDACTQ zo*>m2qb}lBFW@F94C_T@zYg-Dd_}i*{zl}7zZ!3N{>k3(f&HL%A&s?&|457YkF<#Y zaEtJNXtt|uQd(jD8kEq4v~1SvzjKb4Mpi_3QiHwjC82-Yl(KN3+xaw~EC;5CVjtAG zOtPMJMK$yzZ2;ypCmnf^*5a_7#;ONwEDlR8&TCqwFaQCkNA~!|%8!+(3=gcdq$M!j z*l}&p&C_m_m|N5%Gst2px-ly?;SM!5?<7HnTAQ}N$YQX|rXevSw~d{eW>|MOBk&ya zY`55M5@C>*QJhIN51QX46_OY#+P5J%r4r0i&wCk|T!@=D$A;1lw|dC^)Z25W0BMG? zkjyxxBfqGcUZCr$nX}qxm0p;hJN^Jo%V4OG@#APravx4v+nW^i-PMHCVJ$*_H2plk z7}Xsu+>h))L3p~j8}APM1-DTPqTZ0*GCD{lbkurnv1~f^*hJw})Fvx3_hyKdGsGBX z@jNZodppDL>Iqy$XJO%DL`D{$D4}OOhWJFy8B%;LsKZ2EJVFsM8wKi9X;hfr`CV@; z@uu7Iltbn5vnssWEd(Ors^{aJ#21k*n|wY+ z@z-bQPnIkHLdl0PI?0!z9hoc7A&e!TL@DoNY^pgE*?NA?Cg@;iCu#ls%dTUwKk6pz zKgZ#!W0(7QNScF@qj8KYN!Y83%!@dJwSsr19mCB;`Kq4Jjyb;^o<7clim(w?jSfkp z-`>^2ziWgAEyrN)8(|T{Lg}reCP%<>PJip{QW#&o4${1;ZOD)-Ym`f+UdbM;`=odi zY~HyWH;w||jb4w++fjV=(J#b9G}zBEpyEVd(aYbK=3tYeYDbydWa9abjPG zD#L`MxSQk~qG*@c?nZ-aLm>OXB^8R3S$SDHB8d&=>ntek0z!!Ejf;m?9v%8m^ke=;LvMhIQ5wJ@9GyF?4FF zg$k%my0ga7_ipfo#p@oI5&%nClT*|8eh9I57<#uM>@J(J2f}YT`j?k>^HH*leA_p(H*MLfhVkYXdhxLa zeC;K~;4*+kQgC6s=gYv|LLvdDuqZAotk$th$iideYddY!UFhXyO-`-PLou~J_oUQe zH|`}ZH~1rh<9Cx76A7$0V31DwKVMuN6LZD|zYU$`1B?mbTnG2~$QB5LV~5;Z0b&_Y zqX0Rav_+z0DQ4y-b`*=OX?)fdexWlfzIEZ3ZgGlpH}={roCv#H+C zY}KTwZrQn#Qm>6v$jAE;UAdwmkH6s8mcelOji8X_B3z~-DCF=W9&a*7x^<7lWe3yz z+PCb+4<`avVa&)_L~L*+N`he0t9l|9y|6hfIvLNHkmY1Vdwv%rXw!f{m>mUg7eu8w zCO^t@+>5rGJjP}GBTT9ZJ1%GzigcNS;EtQv#gQ_>ZitjXT}D2QhUPX>mS6$PNdykx zsjU9kp~0N=%Lb`2k42^za{nmYt0yCM5T@0}qs+C6xjvG<~<;Z&seNHVZorxmtY zO&gl@#J9fm)_vW=;kCS*lO1p*0ixHvn84p<7HP*qw|8-L!G)1E*J=!sp`!{8Ki*Hpmftk z;CrPV;S`|___a*`yfSjS&FwA|MtiHD8^N4Ui|^r>X*&*8a}Fr+#PUK_(jj#rdVnd* zAKBDTg^FJExdt~S{QTx8Sg=4oM?*%mS}?-&_#6|Q_skxd8)J$*fLF+w^HA#ID=}Rj zZYOc?XkDkJc6bhVy6zBM{&UgMg`s8eoRFRqhMcfoQ`DMn2eAt~e30Q+O#zJBT3!fL 
z*J9<V;WXq;ThF9BmUJ6(_UT$>XGyZj^#J0I(Qbd0%#>B5?RMY`EwACWS+ z&a$*8nmu7`vt)1LfW8p_m<=4sJ?=xulluZ!0oIX1Z!SZVi!9N^d zWyxAwzHGocT^7^C9^=CLnSStZ0T1n-Cab%v@=e|a_DxQOIW2A^tG(4)y9^7fk+1kh zLgN{%J5i4CLoXBC$t?i?(dO3rN1MNgIv;I*MgKmbfA`n7zQ!-xTlDYa^^d;(I_V^T zO!h{1N&hOFWPP+=z&OlL|JQdfkM{`~emHt%TJ!pVLOFVXLy}J7a=>_gT-8?_`bGY9 z4c~y-i1t_OYq-I?QNHSDP_Cnzr*~5%-6uecuL9gj5v7IKqLq1$X z;BJ$%+Y^)53hABnU_2?IPWK1yi-e;DfJePRh#!OVI z(=w3hk)T~T7rQvpGjTgM7C4w|Z_2rVM|t9>5oXIyoQ=^>nawF&id7M#+KNl!xWAt` zgB+B+DP*j4(H%I~XfeBs*xQ*gW0lIO5*?&0=5hrh$&3J}M`mD}tP$=o+RL@I!;CBBY7*Aib4-#-OpO zmxp&o_GAnauP^0wt{K#kQX<8{h$9%PAi2$9qjRJQSepJ-S-~X95l3D9)L9ff6KANN z#SGPyNZY!K0!j9sQy>8q3Ze{y$L1~qN2=iBf@SXfvjpY+EWl^Zs7#Xdkt8G5%n_9g zB|t3R!Ifk6ajehJUY-Gr&2+uZ{fk2qn3m4X1@1-*oDjMSWg-L(Gwt z_Hwdc#ENj0y|J48MoqCVsTs0aM&pYc8-U<5kK*@=@th8F;u!P-K1)x9M#y?_B6{2q z&Ttv1*q8asjF!2Vqv9vD7rZT#*9FcP&@f6SpyMJSoN`#6SY!Q;5=~rGZ;Dy<;&hs# zx)5aSAKRslvjR3(@=bA*%Oh__ZDgJZXr$^keM27;Zx&9DQ3MS?RxCSX7JN7S)SoQ- zVSr={n<%&BJi^hwr#8JQqR;ni7&>9u8JTFZQD|mja0`ot$_$CNq;n$RdcEtL9>d(f z9#8Km2eiwpoq2fZqsSj?A|v?_=Wtu#^%O&wlhP@UOgxB6!h|%zqv7Bly`8|-kb{y8 zfUn9X6rH|G+P~|F1EsK!uy31yRrz(X-Yt{HPZ~RB=0@(V ziiKhCe%DDK9xY^N!@6QD89X+1v+*ULw~dBQsx-%|h}My^JM_LKGQI2kngdLiQ;HRr zm_P$Isyk`=DUN~C4!pbS7Kd+0W+t+=#R~fxX_yV^z#v5GPw@dTQVmQYr)GI$qqn%2 zF)qfr;fnr{I^hTEIm3ygGY7>E8mjG_{ePNrbKAa>tYcv{O!uB9&$ID{M657Zhtlb< zvc=)~~<+*Zn8o9q-?xzF|DQ zWq6mKzip3~>!}k6Pljj}X~-+UmSe8Vk}yHS8V+jE>a+0vnqh5dlZ$*~ z-pClGhB*wv3SlO2?ePtVaS4m>%X7cA|4qiG(8U1dE3EjWSFclkxhNco|AgM3^;|LZ#$C;UQ z>Bm0ZVJEg^%D38yIiuLJ(q_QuWmUf@kgIQsB0ZZ7VQ>myHe!v8CRFcNH~RJRr(#@B zz7A;bq+t(In>#GV$_ju=*+#!Ae!{iB#`LV4pZxyQ&p+GjXuwsqxi(^}t?l3c<*Pp? 
zGZxXp*4x^A{uLwl(W__cTiaV(pA%xEAHd~=@-UVoO&(gIDq&G7c-U(wu+6wK`7dYv zsfMmjekewR^0vaHw5>#vZ88;T{WyVVEL)u3jZx&E5Ymfw0>e||b_6;#&e1<>p%0JtktW^IjZ zWlnT-F`%r945$mpa^C7Do3Ug*G`8#Nrav(>p~|PYq!u{;HqZe6%idQ9FZK@q)^UPj z694rKEu=;wDRv4Da``A_XFGysSy|0SHrk~RRbXcm1GR$k-n z5!K8Z{zA~NM{m(bA8&2&@WsOo?z_%Gz+%wvjn77!9ae0+L;`U5f%;8r8s*i*bU7QAm%Sm(_3#WRG_Z}BZfi&zYji2})G3qtUh`4^V$vde z?!}T^&9`ko!aRr^@WD;9j>5IldU{l@y*rDk%_&KXcqXo$2#HS96n=bRcgmMeFs+wk%Ma+LAXs_W}^1>f-k$9g!jey49^}nt-QH9_1rAUri$n2 zS@VG~LGkUhptlG{rdjb@ZMTp$!j1n?3!`vZmWXQ@RiC!Jjqvj?LA0_k=9;$3L*joUK8+?4o7+^-V~!S=>a^fY%k5jk z$C%pI-6KRs*H6SpALFyp6kxaR%(3;>lPLOgkuO1w+C)|o7Kp`b9%}k?YJ(eU&q8<5 zTD(e4w1Umo8kSI%+Hymy($>l5X>5~N!su=kmtw@WgDueVm&U0X-Pci?bm9aStVP_2 z*QlYC^lY=!@!fD}m)pADMz@dM15wbhZD<6+iU%M5I5n0vLL5|nku0T&&(IBCk8OGI{zUA#xE)O(; zWJas4DE)MRZsE#HrS+}T@A`nq7IP zVYBZZp=_HtlZGGw^v=+eaAKs?F71QHWbQCIu^HvlFZm+beveb9A-J)v6L->J*K^Dd zAcEEGyiK%GFu7;s5 z=12QaufCAO^~;3Yc#f-rmUnqJAb}qHOe6W;;58xJM{g$Df2vP2JZt}H_s84L$$$Ph zIQ{W~*`h+OIS`-fk>JlaqG zfj_=`aq#5j(|tKmqZk<=POGgQ`te8TfHEQeL0?CqCKJ3e8>)=HTt4qea))NDpc z)|P@Hk}*eA))bn)(!7r*L7fpWxq>!d9(9?abV$QYxD~mJ9E-}eokuSnE!rgu2NW7p z7<85_V&#G{S0a?HJ5m%L(4B>MT>^)8XIt0Qq_Mg*!YVh;lm*AlAOnAq88_z6(j_<9 z&_;=x{K!ntDiO=wmIU$RvH&6KicXjzwPzf*L}bccBfF00V(Jm&I*bk z7dIQjg=lK*M*yIjRk>1PJ}cK141{hc#jN#g`EK)9UEE1>j;NFR7k`@ z*<_8o(z4tPqj{_5hozsFE5gpHq|vz3g zJke)7ex?V?%0%4ADAS!}YV%#jhP6m=vacSKKmU@*tznhik>eM2}%UvTE)4HT~(p$=JpCY5u6~ba3Ek|5h8BkX^W=b!@SgV@LOE zbzs};z@=s(cyaK2@0l6)0Uih6lIwqaP2y?5$#E9`ZCEd`?p&8=s0TMxwt!|G&f5e62Kh4_N!pz#$7fXtk80-4S3Q`wraW+RFQB< zN`M|wkvziiFcT87(n1jAS}C=rSeSnov5id?G)2t`YMG3TGpVvsWu@n`@-DJPntG}rJ4;US zFb*tllipQXzTTBs!1l@9yy9-bwiT2wp$(;~?t9I^1Ov^Xwdg)Y2+qxgwX zYg^f+*>xoKWlAD!8TbK_-H$(V+sfQr%h-rCF@MWwsS{@+PMeo0Jky-Dt)Z#-D777b zrDf4niic<_XG=M$c7sOJo_*(>lHx<8SYAJqOU#c4<3ndPZ(Yi+GX)*q#BR?*$f5(Y zy+B)e;EB3;$lERKOsjG0h|h?J*p7n=?N06Uu2aZ`6A!s;l+h*?fWYxGUCm=*FbHy3 zQ$}`3F*aOxm8NlF9=UFEQ5zIT>0qu7UCdH)y`ijgz$&GeKegBaC&&ucBk$4Oq7@> zj0Z$Vx-iw6m!*Namr@Oi0F4#=gbZOZED=t1IF=x;{i1=?g|9jc9N7JbLba9~4maQp 
z$u}~I*(@J=0jT^@mp(A-VrlFC2YZe^tLbQj;XSM+d}xmtN^u%92K`n=Zb5r^*y zlh?>=Tq);m@EVT4F(u_h4#0Xex5G~Lui(ZkE=QP=E`}J5uQ?=5Sm>E>nV#2>WKNM@ zHyuju$OMY5mtA${GY3^<*zw!m(vEN>g?B5T^NHII6! z0BWsftj|H6VAk?cg@Fl3r(8_$+9AR0NjyoJLHX5VO|SU{q);d}{8@W_8_@2irW$q{ zuDvpoEsbXhoX*K<$1wfP9Z{8M*qu&oXx@3lKknUW50b!$w^Mly-Di4SC_c^WxnbNA zJ|v}FG18X&qjG+Sd!)t;x2j8^Yc4+C%jsk`!mLem7MELypPY>ZGD@VW!{M|AT}MX9 zKLubPApP=ZMfOjuFVGo|^^uR-!C2UA*aO6R`9r8#TpP{&#!C!VpaM2@DJap7NLGrE zt(LnA^YGIywtE_f2lTysDk7)5_k-I`U*~sKz=IR9?U9e&u9rIJVzi?&|MtbGBe6Kz zEef!MK2476#PSf^m=W{5MIkX!P7IK{PK_87s!RcC?AjDkBt@YwU1HG6xb4(;Wd`Uy zq)fI<06g;fZ}C0x_Mde_)|jd^%DAPtX~epcM3bY23F8`4!Bi-=b3{S)WR)Tf43fL@ z6in66Fm$n!9$>_fb53|96}pKiLRkmeiKO}TuM~AN`+N4kc?|W&qE1_OxPoJK18MzK zH>6@|MPFX?%ip!?y}*y>LS);EOpw#}1xplF+K<8{>w2vesqa(rUMb zmZ=r&lq+$AXx*k3z3*5>SErwB8a8 zpnF43i8_nhD7sv!P)zGDz~pQUVs&%06-C<}JywJn>fQxVb=Jm7x! zyHb<-#sqiX zzKKTS5H@lTBzl+rJUn@bEzSMA7$Xo3YMh|KdlP}T;BUCKx7+eHrYvACxq-Qt8b6V@ zxtDllzEnou6VXMOb(U(V00Zwc(l-}PLB7tw<_46;?B>s5>wI;7IOi>#d;Xyvl+2N{RO!_knyFW4b z=kH-1Ssn5t)vUS*sh@_q?6SoNJ&0A~n?`&D1>o*z>J=xW6T-B5af^&z6%toOn}8~S z1wFh}FJI$zF|OAjacsjVG7MkW8)Y`9yO)f1=M2ORE^b<)OyW@D?#NAY5tXejB(cdR9*Uao*_GO>q{qq}tt!*Xe1Z#%$+xpxlXSu5 z-jQGWcupsWsZ(0LQteQUcQkU1dXzlZzHlOrVmi%7nj|Zh7bv;Sr6Uv$tC&<6T@Ee( zBxyvXjc;av=A&tz?}($_wc98L^B!h*Y^%m0j&AdFvt<8Oo+oC0qSto=%`?%6-@rxa zOR>pdDt)9)d)|AJ-8A0RsR*kDDN~PhqWL1hDnPG=wg90&b8abIwY59vN*GfxHh>}f z&&Z8r&TG2MEjiEcf>Xc?vWcW1RrRZ26*(VLgd21>Eqv2T+n@=2R=LRl(Xq5%I8vQI z)f7fOfg_6qNz&z|>bo@yGA51X@DrCl4J@0JF(KM*ViZXAs6FTG?>6d_BwUEJdN5Uw zTDQ``wHnnAchJU;g&*}o_ue`b+q&&k>5|FqE;kV1sa4n;^#W{SmX>y6qTW!m;Jk6D zC-LF+A`unr$GedOB)kGR+T~EiAO=t&opPMUp6-A3-8ZeBq(vcvw4~z&*V;cke0hi^ z=x!1#@%7&E-m|$SFl!1Hz_g07_do0%zQFgl*<@ti)9YX29KrU#7Du2hxvKo&td4LE zs&WEI#F7Qn@t#<-1WtNo9*I-q)9+tBTmS5nPkz7S1Y7shQY8OC2X2#9@51VQcPL$` z#BgQFfrfh~H};^#C)lHWz$rXlaYiI$l}tGC&Bvc^f9mhAM*)ld|IBURTC5yV^AfzmPrGH-wAHPdaA?q

n|>41}27C`?7gmc`13 zk}~rxi?pXTj*g7feH~)d3e_O1Z(c7@9KC*BpNXHE-All?+Ib}Ndc+(0LS8rSEZV+y z8|LCPg5RveBrI=hW4a>uBIo86F)s7#nUXMvq(uHxfS~X$LLQ3u$MeulpQhBHL z5{i9Oz*z*+Otw8puF*8i{6f?YA30dviQ6rNtJA7kk~%k&c8hq)Ig8{?(4^=)mZnWs zJ4+jdoU|Bbih5tq(O{AFf-h5aiqzIWv~IJ2-RV+G7@f59a^M;F6L-xocbc}GEAy0r z2C`0+o3>BdBbYc2NQmE(}^v$p7^r|JT1*{;xBqoL^hr}*&wr^RhuWLA*I&nX{TppO;XoA> zYKw3vl7N6}S=cr$u;ki+eJC#2lxtX0MmPd;ji8O`r%k$J6kAR>>fH1SHiCI0k}wGr z(3Ku`CB-v&UrSIv2_<0i51T0^D{j7yV>|+w-*rj1#?aKzmp2VHhsvuruml)$mqR|I zh*kz~GKku-^Xhgb(jI3xm|c>J({F;JBT)tz4Hiv_yinB3scNZZljfRby{H)*4oTTG zf-$AZ-pJ%oCQs}t>=A2Cnb@`}o3O-Wu+69JjQ^%5T4hRC-DhDCHJS|uk`snftOUcD z>b&4|rgBFR>FOA<4_2|9U0#V?DOehecb$|*4$f=JLv{0Ca|8jw$wlkxE~2++CWWhA zF3G2ck$q+1DA+KIBnUT}mk{9b)YEe1HQ39{yeRHTf!UQ?(qK03F(xl45L{o(L1mf}-^+&q>9Ld}uQN$5YoynbYl^j^ z6RDaGPPhci_-%R1Q9*rx3WZSur=6NbSd!&N2k=Uw!6faYC$Bom4fAChKXcuDoUd~} z%azi?)W$!OS30_XB+!RsE1Cb{QrinkX<;6Ro&S%Um&W-lS4s=ZIFuxsugE>4sO+Rm z5zlr{@W(&s4tshEr6?MZ6SL=}>#%#fCn%`?#|4$var`RlA)7y;sKZXID;i7J85@nn zjKc&aT4FtZm2oH;^45d<9LFmjhYhIon~#GUd5Id$8aH6F)44YUx@ZuW1Ek@rJChu> zPG2-{r&04xi9l0>gsiA29>q_3laUT82!k)T3f{gYf7uoylBT56SZ77Xj-=;wOu9TC z-4XsU%WF8ZI`3P1;>-EcRC=(0Nb=D6XtHT9%y3KM+B0vWFS6v~N6hZz>ynvTh8KZJTcJv0_XpH=ZCQ3zylShk?wn zENpvDKMZ^e&$L0T+=D=WijWLkVAdZ5>S6xIz(fx8L4Y2W&I%G|^e|u%5~JKxXG_(u zpG&Y)%1sGPbLbhx^3Cu#<=vzCGh)b=#Tg!}s`jbudfnGIi<=Z{xL`gYhwKy4wR7RI zNaW17<(VIXWU`b%g)H|!YMLdaZ+GN)G7vpu0-?)?Bj(pXVw|flBKK8xgR-~&Rax|N zJwDJB*FQhZh?hQJ7!i`_W;7{X!s49oBs$eiEi_j7r#jp2dA_`Do%o1@Luyg)V|4=g zN0?b^&QvcUU+K7Y?s2d+H+)YZ=G&47+x!vV1IUu)mTdSQKpv*ymlI0*!~}!XUX+Y7 z#>DMBXv1#-pdb&%= zpETG-gH%w5JfFgLmm-{@AaO3ii%SkkKt~oYq{7nVX_Q_Tk6V9ldwZH}?TNd)aEf0y z9MMZnN)5#?{MdaVA~H~umh5drEDs`JiE_K4lJEn&`+?p4!0t9R{Jz*-pN_f=XLFrU zO&0LG56E>s2)m1)x8XV;gxy{K^Uz$UNJbYjogcW)w`~|d@gwL-m3r^t)} z8T^~Ajhk&Wnv>jTZfsO@x!R46u8j!>Fg$@=SIJRNz7NX&ZYzkYd7KZ2m0~^Z3*ohS zQ(p!K-fT%}0!aztvDtPNL^FsfGHBaiDCumHWSrXkVp5K#>M|i$IAa!5prt8b9{WB> z3T#Bjv!JoBG0pf6PCihpoiiNpnP1|FNj5>+;k#FtuTy@xmgk{bL$=6b&08tYF27;P 
zV(a1!MDuz_mIYI3@zMkn@|3wTJ0*0MES{5jlc8GD2O5Q#ALFH7t-;g~qGme(K8NL9 zPabY~!6}EYFvb~;k6lmDO2@O@wi{(ok|Fu+RZcc|;A#zm{-EOud|<%_k= zE%RRkGu$Klfu;`=@DWtBF<&%<<@WnKZuB@wb}jZA2G2xT;)_M8Fwy7Y!Y976KjxTU z`U9e1H71mCaXBg{Zr0)Uojb&`<1s6My>d zpXd&@Li00tdWb$4Q8BF;`wF`enj$1mOpGKCm!d7&3)9*1E!M=r_iEDO(>g{P5|cnJzTcz)Fb|d(Z);Qr<8d!yj-I>^=gL%zCV+K2C_b&4V505CDd8Na|Gt~F zoE-p%KzP4`!Eh8nJv5(&U~!L0cD{m#d{FFqxx{M_YCXjK7tvDqiT7K6wkR0Z#cbH> zn2fF1Jf%|Q&@f)b#*s;$CiB)}1A5XmZ!PoIee+v8`Zs)*jQ^02ZVI?2qS)jffgj{E zKmNnk*5;?52k{@aH@CMw#DDlTJ|E&ge2D+>FBbn{SYBRYmjvKtK79sH(D57hXjfdx zzJ*>6^NCj_Wx1i&L`>tunM;)>@PyjrkdR=Uze><3Qy4sZ$DOKG;msXH7Fa{Gn zX{kM=E=ekBYzV)(`Sy@avbql)lZY+w*umMPyx}RO6;J*Sfw?l(x~Z%m(H% zNVij+T||wXf(9s`40sJ|F`EYT1) ze#W)?C3P{+WhO~cJFg5wnOog^Dbr&!+~1ay*VuKtrYO+Kr%0#P>`Jb|RS0G9`j(D8ZuI=sz&Yhw$Vk4?B>0-S)am8TYh1us`cVXYsGkTGQJ$`0pTvQDj$>1Id9N8sjxkdd502F-ROU8t2l2ma^v3a`FI zqofv#3Yf39!tyeV0|Qq}5{;81_6Lbw0G-vhoER)<8KPf%W^|ww*|vGwq%$~iR3nyY zh6KbSPHH|8lGUGoS+#(0Dp`j|xnVeLgE{e9n!wjgPbad9GCPrFe20$3nvT&pn=nBe zy&RV3FrJ>A-^u{@=B$RZW;7y9goa;i<6bmXQ~cj|muV(Q`paBU&$1P}%FPGy@`>j+ znCidta!a|x;6ulByqo;oI(qf&yBB}yef#qHeoI4__pVA{^n94WH=@S14wpMp>v)hY zXz@f)G-vLYSxbypi^EH=_=#Z02s}-iJC} zr(Y|}4TOUdJCmun0~C!=$I=?Jy5|1I>1f<_p?J?Q7+h^>0m@|4>7L*wj4 zvt=ryxO%161Ehl6Hk|7%Z3Bm^J#XE@rfvxJJ%oT?4O9Tvnu!SlkeHixmT$3>M8sAR=98)M?2uHUi^iz*Ue z^6;y2md;Q%l=Ex~y95JnQoFM;cK_4OE|6_oTf~9J{ZA)SWnqAY<4l6jk!b9u#2f}t z=8j^}!VZ{CR0i8GXOk+|28|i2H3yf_st84-M@>Ogb$;&`GL>i8iK-`)gOsL!RhCt* zk>p~*dmS@M-yKo{PEGRba+-62lB3RDmy=wis1l3{_%dONhj$Vox%i0#@?A_QuU!8w zu-BCp)%8M4X*Hk=WN-tbprh0z&K^_%ZdY!JeF&FNYwaujlKaNa$~JowWyabO_fnjgInd+#P(2mv}8Q2H_T)90`64rvX|s zJlF4VSYi(HJihe#MYBJ3GQ`_z}3jAe{QUp-olm;d)=$+y$ zIXW?0aTnV2kx>}tBkBe7LY@+56tLBAWfh$M%n``LCg>wMGK7gNPE(iWg!;K?QZ4tH(ZPN z=P40G&FDhBn;m%wY@%C{aB&R{o7WQaj>`s<$C(re;+qJHJ`X#g4|Lm{7YLbb&IKj&Tkr1zHN?4y?!Q{on}lw!_k6?!EZz^snG% zlk-`?pf%Ed#kWhqP_&64idoc5(SH-Kje9zi9SNo7roxNdy$NSI*cWdMX;(B(SjAqy89wDH8BWYgHj+f`$ z-AE=Xx4nYK+<-_%qDiMwqLs7JgJD6=pbva)o0PZJ8L0-bjs|>cu$CjL&$0 
zJ1I#lG1GYjw)PbeSzZqEe2l;44RB+yCI>IgDCKv9inMp`Q~=l6>%52OMsbrj&J64^q#tUKtF|Vn-+GnN8F+4J!KxO6n1j$#}`nmwsjeZ5rV@$@7`g@Y~a}?Plav!RP zgpb@Q&=oS-w@b>*l<>&Uic!vX?=1IzQr$c)GDKefO%bNPg}av)cn&lHwzvM^^zBb` z+-wv7;r_^Z_>#g?eP86a{F{?Y>RbNx0|l4*ek<~9o1gtxRgQW&!R=LqxE(uA9^F@f zy?F*G`*O^bz;Qptd3ryA6&40wkPN_yW&nmQAPz-98E2^PyTo`i)8xq&?DKrE{{~m> zmFkx1K-o$Yqn9(<${tYZavWDsrF?K5HwR$F7pg7>kpIQ%5;&>i-QdHUl8_KHP2ulE z`jJ)6PlQbZ?z?Na)lTl@{KfYs_Cul<^Idc6=Kj_*w`!;=C);Z*9fpjQWVK0taY34r zhLQBg<1RO+9d(HJlh|k=>ZV>w1)()*R$3` zu4JRl(f%BpAxB>gd@L{*c%phXHG%m8Y3O^!sF?P8DphfAwclrxf;G6VHVi`xauhj4 zW^x8&asgw5vq$1c`uah5&=ZS&4kg&*XFd3a&vA@enhU5Qv;7q_XSVj?wvCQQ?$c=1 z_$cuh#f2zo2{uI4dB=i*D(qp{7kU~uJ@92rT%9D)y(>CZp|*3zw!@+%#KECeYRMkH z$LNYgGa_%V8GOTPT{r z1mZ0XIx)7S^f0LC1+9$tOHUNHU%WMF`-SqxY5oQc^;=1c9R`R!Zc`XoE}F7DsX}i6 zY(VC?1DJVoY6M`;s(L;T!AmEUraE>*`)dCp!ek~IGHHK)X#-5*Frqsk7GZU5?dWba z&ED*+t;H+tet|v+U)r@VYO!^XGdJtNfgMR0hT!dn2ctG4z4)>9EaIgevDez zpHti~)8rNU=<%e7F2#73pbtCwVHmHOCL<|ciaFFt)*|{Y#S>q0lg?iuBhGv)^61jR zy5~m&CDtbABNJ`4Ws!&q@18t4JUBjhviIyC`-g`w5C8GQ-r#|A?XYTjwA>6 z%wo@(*Y`8FendRupnUVu!oBRaJqiVH_K7D2q@yCnCF;*!gH0G>r@f9DsDsehfpwh% zzuKKgPF+Yvg*Ooto3X;Yo3wq8?M|S9iMqHcm3Bk{Cj>5?jmLP>oqAQ|j{leZ&bi>b zpSp+QcO#_Um!sk*@ejx4rPg+mpMNoKi9A=9l-BhgbNdhXX8{rGukFu!?6HSNl^|G~ z>KUgxJjS56yk%=zY_l_^*$}B8DDz^}eDJHeu`q8l3OSMc!-@*zmVCDz|93Fpzq^dk>!D z4mx?ZojzoANpX$<~rcq`lyt|6f1VziiW!oEP>0Og* z!wj#xbLXsP4$=TLaywo$kAZ&|U8qA$iCd2yH`HcP5lMO{Ic-H&f;2ToA(yJE>=#tn zC{9B|!)PZAq94^k2d3>s#0lx``#?dnM=1NNs)DRkgWV)OI^=c^XlBB=LyZU-6LUl( zTGUV_QgfvazbXEo=#Iysi7P*)}}G9F7^Ke5kQ%?0sMz7w!F^ zz~BZjJ8nZL41Z43yvv2H^1nD(n1&rUHM4IwCO z{t*RgfLfFDRtG8IMXWO-_5+|P|7c&JDx0)!yH){Lx1TcJ6Pwm}>}6h`Hb6~!n!>-MvLP%mt(aU(a&Z%D+Ri`!Vl$6W7@E{vcj{U_n#NA2J~S~7 z^d8|Y%QqJULIbEcWmc?B|8}B#l;53f?VNJ382qt$N;YCWF%aY0uu$V+1{dNMvKjEw z3-3%(%yvUiJ$0ZksdQdsisj`Q%+TI~6j7E3Cw0FAUSWya!CIfBpv=U71bUO1kSHGN%rafqoF5|cx z@xk+K9Afl5GT=pBuG2HO4f8!EC4am1$G}1rFP=EGgn{X_i|*4-WLlvdhNlrDgtoNZAr?t~;H^UYizwTBEcJCpWl3#+53>I%q*PNHy$4jQJ#u%RGkD#BWvYjPQzc7*1uH 
zYK*4`AjWKRQ-kEY!vneuW;1v?nihSHZSXoDHMmWpOkq`NYpW6B0r zVv;B(wXW0TF<()r)^qEJDvlJ!<8_=BBzkU;oP>@QJ01_RAlsf|5;?RQjo~yBgU%R) zR1?7%-)#q%N&Ev`XlJf1h`cAkmp3C4rvc3_M`*8z6N;e{iYaMnEVIo3g1&fda4O0M z;OwZvfFrjG^{)<1_ENFc<7-89l(^hYy+d^nCW8!zLGzF%FVSYPFExjVv7TB)Hyg86yAT!UP{EWQQtax;+RxGnz9m?*u6Z;WY-9* zZ$BTGB*>!8727=!50s6oL|_J-PM)r+3&;g zZzFr>BfMe^@y0RTNj^ev7<%QN(a_B;Cv1h}tBf3*Uk_*1l{x{>rYKuIpIux?RN|_* zBrD5$9!4~OGIknHa#BM2D3x;rCGm|POUikH-D_(@aiXsqKV`5Dvo7?9NC31vXEFP@iJ*f;QS3*k#U$Dj(3F9QA{EM zYw$w>XZ%BcJSmWADxGdhA~tl1hjn-26kX<1B7i{L*i=!1l$+p34xL4lE=x^Iqgh+H zHug1(zvfH2EE_7qP{dK$z1igQW*4JY;und?Lcgo&0Byrd_W@u~Z4KFWGsJd|G>$NL zjGHDoJFC>V3X|A!*&#(VnYbam9e7@1T$)5;2Lnj)bhr$mQ;A=VsJ>m$i^f zJ&qRd^jqNpDk3+WR7do-)pnLg7G<8!y9v&A6pld+yqfmrDXyAX3EQ&60?a%7>tfB6 zH>ZC_(m~5krgXIU0bEoLy6Xw~8ib3Uyw8UN=j1Kwz#~ln0lO*k+g&pjdEl4ANX6)F z;2y&84R4H73R!`^l$(ih*-x04F^@fCI?B^uq$ot3JGdL z(S^a)pMUWs!+7F2uAwYcuz(yV;z(fes0|H@fg)w`qxLz}--xXVe&XJ`yb=;55O|w6 z=o2zEisx8yyuwJaxemx~$2@Joa=mh^OM7iz_xjkJuHo&a?U^zWt=A#y!-k0r8#eWt zW>wep1lRi1SJ>-Ecw$EcsI5n@({$KZ>e0RKW3K2(rrvEg@=Qf6$c1 zuj>(P3ZJc2J1#s+XIeYXuzBd?aU{>5GxnQwJnr}CX5%&;BMIFA^yIRN!H&;CSlc}; zVo>yukx<=>CdMe~I$=ZJ$uNH|E`}xAjHQ!lPitAtfdABJ2sYErd(WJ66fNB$uH$z{ zpS@FO%G*&MT>)N4q7gxrNp{w0JYV2F5`>v9>u0Ty3OBv&fwr* zZtRhcL)Ch(J@(+OLA%^XQzIl(Su{1C_~o8+GplmivCEJhEW5aYUxcFwxEi4G)@`_b z-r}b%w6R6nbOYbcTkb5;gGd9dj>~k(CEB|XSl%mO=XYE->3nt>n2U$8`%^09`fR+S zdTwrm$$NiSVlBT z2FQoA5z=fiLH_xdbWsz?WT9971+0(F?$Y2g(1}f5I69uO@TpU?=8c?^!?lCLC)+!x z!Ah&($WQqqp>|OG6uI#lLut-e6fk-uv%=O;$w;kko=Wpur;b;TT9b9U))gr9-SKsg z?*21tt((?3ueY5pG+pH_7W*y%K*Do70iF+i5dDQlj6F8mE{`DExm|`FK1!aD-je8) zsajc|AZodok}b=qg+7o-i0;^=#qGDL8kiT=2`%MJf%(75aFev)UhO4NN&Rp-RK!3J z)(dY>+FDUzDj-`lxH3U8jIjV^Dz{K%DhN+DL^M1Rzx|38ySy;CzNIe-Ga$q9+qRTs z)<_EC%{n3oMt*H0?P_;Al=Y3U#wU|}OX@hYz}r9r4A=$<0u81m2w-cK^K0?oTfR7q zCuxskRIux{5K)UR>+6gzoOo+}y(&%aPYD!=F12JUOQF>@+T(TEf9)>D+nLI_s1Xu) zqb9^bIQPaxTsw@hmPVt@l14K;bem)G8ID2vsH@JZF}JQy%iKsG!L)m~Ex`NBpQf}& z>g{QQz+FcP7{+z6q4pSS78L&EVRB?Tc2?ImKafDkwgqI!*P^zHf4g7$x>a 
zO#ZgIR>T}jjHf+p?2uaupg5(Xq`T{q2O-aO0rms)t6JrLF6hF;d{m_xbOM8X+2~6l zce%R-OYL}|2b^Z;g6u~+Y1iq=2#6$w5+>K4yRRl?HrOXt&(%QH4VEsHO{ocje0vjj zkUwy|sRqLp_iVAv#Q2wGwGeZrMi>ZTQpjX3D&cFxwYSw3mg}Yyidx|sh5Df`Ylq;} zV0%b55QC~WtP!m79IiY!g6hKCkzzQQ6-uz^PrVhdHBbFMUvfs5zs@XI2AceKp*7SD zj#zYiS7Bm94Ncu3{c;oocD7>jV%6{OChzpT2wiKV3Q^$EltF2DTneC$@ksRhGyjUW5(c(ngXhD zk_HO(vIG2i9L5Pu%xU9WCuio*Tfa0Gi`bYomSu)$xw3J?w8r8x!BtPyOPysSi|g2gF$}HN=AIK*;=L( zxgWC8Md-B*yx3;FH%E6B5Wju2l35N=V0F)6Vj5=lp6$&>`I|9Cmy+(^r^8!y8G~~^ z8`GL459oPJ$o4!YM7!WvHRQFJRA=mTsWFbn>=F#*NrF3ud3@wv#pUbv5uQB*=T;{@ z)EtWjRG3kD-^3tl-Y^GZ=|kiS0myrp1^x3eZrgJiw}=#R+vU>^F*8?~wM^B2PRPcA zQ|B#tI~f_a$N?<4mB1^(N+Qq8!JTv7XM-LE7E@`dSIeC3n#0zDQ3Yi5AV;Q$t6~Ib z)kHSMK=4J7`$7qfAyg(oJMp^dgh7z2eZ6J8yWk*6hqPRqPm6)L9#NVOUL`m@6!0-r7(num{-{O_v}UsDhklZ{i?i#oI&M4|rCokLx;E)|fT}GoBZgAX=$tr#B2G^01w_e^Vqm{% zxRZo!rGhaW!}tDdlT|kPmqESFC|11^EuAsJ3<)CNbt@CP6S-l|1CQ74h$P7hps-}z zYDW@K?qU&j0NaI$+lpHXX)1cE)oIAN&@j_z44;n%QW@F!XwCU%O|D(ouJpdKaFj5) zAF(9f_12v2ks9kQ^x}3uwVQ(=gYkWeXE@8d>Re} zodu*hFQOKT<5^~?!;Ez$T%~Y2-2ze0vv#84$DG)5o{1ld-rvc7I$q^f+%BROIZPtD zaOt$C508r)7we_pR;ueOrE66l$=S+zwUo_f4cQ2;%j7}o`O;(;cqUT-AvGrv6|m4z zx_aSRv!V80kwM>!KgSQ9V{qEzLB=M8-MI#3JRi&;AjB@!?vhb~dnjJk%5+qZONSxe zU@O!%wMFT>+v=P~B*xAaB?!OXHo75yxUuX!j+sD9V^MFVn_UN6iBc#Cv>NDc{)kt^ zhWpU6HUtKL-jf{xe!_hif}&j+gL6M=SyZp#*~8c1*I-21Wfr;lU3pLKKRj#ywq0|0 zdRCd#ZU?BVM$AVSCMF4!a(2n_f;2MxgUMiw+NN2k)NH9UPYJU`U7SZj=5tOm7M15RK5<1BJy>gz@#GG+jiZL5BQ}P6i zSu~Ae8AOCD9TG=zkhd(a}fyNIry{9dvONp-4OBn&ot zxe)%$igPDrDQVO=JXH^cLGA0Cdi=zbYm|H1Xj;Gf9Wv6tYe@tjGM)prIPjZd26n(< zr11P0WWyoCmuTUB0g}mJ>drA7gzZV|$KSR8^y&*V?)b9(r=1^v_v7#Waq^$PJMFA> z@XgL2|M9yHw2wKtuz6Z0WF&^Ub^Xgmi8MiSE=Pr^r!Er_IeX>A3h0Og19l?-49jx- z5GubK3~6I0`3m;MKwad4Orfa+jwt9v2;02om2PN&fS-jP060W0{ z7;q7_f${^L%8AHa!aZPIIcpHqlGyISQ(N4JiA9|!b7QjE%ecjd=5`(qHB7@LiS)4J zKmX!QWo_bW2*VV75({Uz+>ix;#6E1-rNt+w`O_h9-A&9j>Slovo#hcwRt5x9oyV+s7KRsd@#*p!l^JL`Spz-QYpDVamlOGA^5~1x{^N4Dl#V zyxBi7Ur$e+yegLWZ4Bbzc30dhl9;nv(7J6es`KJC<+5{k+;-EByS+k26Md+{H5A?K 
zQr1MmZE&Tg5VL_^D>Pe*=u;oYNJ(X9_cT(HYWFiza?-Lz`mArE*Af-Zts7&Ci>gP~ zk$Hpb;u1zt5t6F8f4SZQ+Nz&M4eb)NRzHhruI+XmW$^QB)8JsD7t&%gDNE60{k$!0 zra5g?q~5O&OHl0)_`6YX_w#ntJbA91=9HGd3Y-Et8{waLvqq= z%wRzH6&#kuIzreY7Zb#_iykg3Fu6S~WNP6}9z)m;K&~b_jHbfZFBEw%Ux;G#HzG&I?s4IcO4E;XZqvlSTls9>j*v)BM6f@ zT>8_Sp0}sxHGzt&;qV<9nxlcDut#KsoVYfg7S&5&i=QBg?VL$yU8R8Keve&x&M$*Mu6YdDxQz=ndAsS^);4;C}=edX}v;&545)Mnv!V5p2+x&!d+KEr)=Jr z*a&LlT?r@2`%T8Mh35Bha;tg>(G!H|ImLsulbL{2(DRzrWS|_v}yEb?P_m$k-Pg@~^MRU>qx4|!*>0Q=( z2y!Ku0=r^2YvEitIJOlvlc^Wy8*rn{$Sv6&Y-~LtJ ze=Qz~Oxr1jKH^m*#%{0*PyGzxxUI!+Q^NJ;44C_?!E-4(!ucI7?GCbDfJEhF=gdRN zv&6gsL=Wy^Zz#7q#lCMoDA4ym867t;hha&f>HXEHk!scuc?)kN@bYv3 z<9(S=b?SAw=kJV=g`^CJ2A3nW>w(C;_0Mt->$H}mt=?CYucYZ@2==oHOR4N#0(JHIo>QCr3z97?Xh0xhQ^EM4UBimTnOMKW{VaXhn} z4GDT;NFbrj)G~k#X`Ogy_BT64$^-1`3SyJG&9pt-tp}(kV6`aK3^IsS-A%5`!EBfl z5AFu0N7{ElCjwcaGN}_$5FKz4ipSGN^y6YSV!=~^HcRA60hP{h8VX4g%L!-2wLAIZ zYC0WPI~yB=vR|bf4kRrnmmAv~z~WD`$=wEAfwN-N>!nxI>*1GYJt77J^*hxgoBALJ zt24H<9p`F>`a1i{4YcY$=3oZgW*{_sWTavqNBjh7(9|10+=Un>jJF);e5BXAx2v}x z&ftNmKyE3V`>=SO<4^4xvHg9DG{=cJsNoED^sGYnbuES_wluecY=~on?QjWXFHGh^ z4N(wyuh-BBe6@=Or&M8)A<-0sItel!4=rIJw1EPqCE(H`3nk<_PNt6{Xh+PQ-#hIY z>*HCaA3&OFmMAX}`!fozeqkMef>b;%z*snT2cX@CJIU90jVB%rZuEUGmm^zJkrs<1 z#M=g32%0(tew?|jINMs9fetq`Lf6?^D;|WVW}F2I%(ocbkdr~)QtB(EI%}|F;+8$2 zQq!7zN&9?MRZ$=7wYB{>84{SaHGZ%lna~c)6)M-{;omoA)nwzm7;WUEo3Mi8$6OC` zfwT=Z_Bz;Z5;84a|LV|{T&*U{bvdy|`JcU_j$nv!{HVOnL-6hJLBL?7sc$t#S+S^! 
zgl&pRBi%~oz=^f)9~~wfB2Vp8sVR9iWN~9)nBcJ?Gm;rY6AVQ}`keoL21f>fyANYn3hXnXM69kr=$ zha8i~Cv{f-ZSLoIZ#}C4Sxd^X|p*(aaSU-$%nw?FwD-fcbJ z{Cs=!lh3w4{q)~9w?5nY{Ih>cHs8JJ#h)2!D3avgFdp5!a*N*oi+&!#h9BQeip#5M zvc0*rwGRJ$DtZ38z&-cVl}9U&fT!r^qsqkLKzg`0&S1~zn{Fb}pOfu$GihUiRe7}v z*DlHnm))&AqI(xc>SJaN4|`E0a*Dn2upohyNf#|ZB%xn+mz3vdBMp$y5_f#3hq#mj zW|caOA7saY8^681O*85&G2=rnSZzEzc(VWEXn!3#OjW)c4berx_#?u-IU7TN`oxnC zvs+?FFDE%0?LdDe91Pq9%Zur4Hpu}BP!owU;7*qI4)Ym01xhkYUEMoM4vtonul9}( zj=ISY2gl#O{O%ZF{jhg|mUaQv?^1KT_hDS4%NZ&gE>TKCw&&w~LLQdnj7bp|uL~Bm zRRF0rC?JeL6j9{3wq{QrAs}mO%3e7Z)RofK?u zYJNR3@`ZzHQsh%Y3)YKN68%z|>#qFA(aRSssCjbqeVQDX6uy!od}dXVQwAsr{ZmU# zNgZamB+R*6K@q0uL1ssX9l*kCCVSi(+Z|+%aWWQw%ObJqEVWwEo0dek!p=|V@=0ga zMB>NbsUc<^qU(iAT9#0>5M}`|q<6L=Wh63@$i=vYY*>}IP&jTw7hyA?pWJ3zt7C1Me*1XG4w zaH8woiLBI(T0GQzjU#)N_lCQIVLMAqEL832&DmH`ct9kSK#%J&BZKIOVy~FGeLO)+ zQhdv0>36a!FiEPNX+|ORNnA}nQe%n&EqUk#Zkm-9V~HWG*_-QOnolu3ZQsdNOIPLT zitD;nD_<{effGvfVJ_Gz+AxBSc>o#DW9ClSQ4+~?JNl4W>x<#c6*`BKe0>}fBFfEkha z#Og3n!;QP0 zag0_~FkLp=d3u?4lT~tSTkUj>5My4=VoEaA+6}`MCS8-MFwcuXhh~n^!>9$LC{dJ7 zF$hLHawM{NDgx`h+VR-ph*lQ6-ZPF|p%a)SzNSL{8>^9*Z;k;&gSu8^!mA%uy6xJg zk*){TwT9^Be>a^a>3bbwBN$}X+f+&3^7mLPS6Ow{*kyd#ZfvEa$lHTE7iR1lp&pK} zC^bZWmi<(4C`~Py{FF~hzGX~uK}y6`%A@Sz=w3yv8i{g@KF)zOkm8)__cEU*{i_V~ zLTNN{mZ<@=rN^L6*?e{u>HQhroiQWzz$B||z|r~Sz+euhZHi2iF_T-(&ilA^>;qVx zRYyxF7rTm$zG;E64whPk>1#5zA&%>ebA+9?ma@n}O^FXcs4%=bV~G>YwV)dcd9$0W7!q%5!KH4q4vtpi61hj13j35#d^FT@2gx~s zkh^M++zajqp9i=1=^JB}Dz#5GPkG))q1se>@bNCz^4_8K-~8w(qhx)TIto=g^}5($ z>S1FpHOx96bTiz*+C#Hbfwy~l{Pb&91vTtZih+^SY9K2JuHJ7=>W-aXj1_GWbTi$4MHli<$$@{62#pD+0toJwDQ zv7yga=WlIW*Vb6H&xKEn?s7zEWS18Z>)2u@Y;Jy z#+F?Ei%5k&Qh-G*daZu(rwAB3!n(P<`}zA4;|p5-JGJ^{L!-?D$4|5UuS)>?(GrWv zpneQF><951qOH$wdAU}p#VrTpq9oJ5lg;JNNuNRnO@Sg9l1ssbVFYbtWD7)+seUn)lgL>Nl)vD4L5g}~&?c(8 zGcI$sLzZn)K^^C)tL<;Aw-I*ngn{ca8S{wO z9*ptZyBbGWrxs0aftC4(*G#Ws}%N8 zbyZHgQr*5%nWX6gtKY-d*buuy15POrO7f1J*MK_WEg~PQkEAH=4KjSd+)@}`BoU1e zTH#UOd*u15nE>rZI?spYt@c|aFNDl^+3IH_B(iwtqD$FqGQkiOmu#Pg(yCF#7I?Wp 
zFmU^r1d92^%&CDCXojQ??)Vw$)+sR;8r!L18Y6jy@==&&L!r{8Iip9sV~Kcd{1+_G z25^-m*vvAWM%%#0_(+*e6aoHymUE^;2Zk$Qg(aYy zsS{=;OBBzM00YI4yK3pho6?062GIpDET@Ekx=oT-Bs+r{g_a!+U?{YjRW zu-}k~l^33D_hJU?q5XEi*uzNKen)6kX=gNXqf>DJtF*6 zIU~y=k#nr2!8L-tOudOPxjek5bsukxjfwWSU0Qxbi+oCE)RIF|mW0YwyX_YFm7xVU zkdam_{}qP%1W4&LyCj9WjHkt>RS1S2Gn_cr%Cw8A;>4h3fyCwuogP{L-PO&1Y^{Eo zCO^d8x?ty(cpUVJMLWlNq>OS*;>%>3V@Ma&qU6Ffa-g_RU<+nLvvzv9 zZvdn$UF@xg+BA_F#ZEsliNHBi(pEe>OMQC;$NS=?YFHF3ywvL9$Kd2*KS<(#EM!Eh zMLwPjqDIFzM7>=Yd4C8?5ypMBy>cgq&fk_C1k5Eax_vzYtOS~obBNYfy;_Ui0yK+W z0}yQ*H^8uBlS17T>XeJmzCbVOFB^bJGzw-!3RIa8R2Bd`mmKUGT^eqix^tUByQuXX z4jWMTKA2+Y)JZ&I_r1`AhNMYPyv_5vb*iCUTeIoK?^|<43C0PwS`;E3KN1h!Hf}sk zJ$Yq)Wb@*rF96(F?-3aiBa@=YO{lvg%kd=rFg;C&`{r1m4mZBAul=n%(H{M={%!v<@& z&~*q8z8g$T>78ZGNI5qmySPKGu1a!SYzYc4$FK+y*fD#c+9$T)r6#0=#!S4qKoB@tN#t3JNS8(DNql;(n+6b#?g={11TX ziGtlbhVWVI0S-EuLhd^G^LEKHhoM1|5y=obCw}m0ufTtqugxhu>=9?97Dk<@g z0+_JYs5B?t1zxyY6x=aSVHO&rJov+o%I!J3AAIK7e>U0widgI+%zx+G|9-Ol>Gmg& z1N+}kKmT<5gZ=NX@%do?`@#PAo$Y^d_E1zZo=s4KYTWU~(zGCvx|o_;OH(wp9hB(i z;MkZ>OMr#uW#z0=jhRY{NoAJfqD)GZ;}WH2;6t=RAUiqK$rK|LqynH}cE|R-{cJo% z9fE=)5iXull2({{#_A&#d66eRk#Yc3qBUz$(Zs?%XppcStXNaf!GL-klHUg1g+rjY z9I<6A&R;)c+YP8u&L(|Me+>BjwOV4p^mF*yn{X!Cf4ns=0V(fV0E_adMd6VyfkQk{ zCBbBlmVkbhSFq(_NH}rB6_Uta=cvBxnt%Y)<`s38)6NNQNtupWa27UyRrv$?zm!XB?4TrS#SXD6h;^G2-{}Dkr7I|Cx3x%#w}cFu4IDa;6$G7XR3& z>Kbo-lpCL3j?q6M>mxLOwX5RbUT#Q8Mq7zgG-h5@FP04fceGKY-l&>F6uBuf0-}qU zVnigFWKzX(kI0YNTxN|mu!JBnC)f_Qhn~e$>C7~*DrZqQhwFn}Dt}`wIZqV^Fk;qB z;I*&HYP#DRme4)?+Uh0)6RyMdUF!CarY2H$9qBKoKDrH>U z%xzXW(bYc4`oWc^wxYVNud*9a8k(eEA$>P^nzY$%p+a(1byrYd2#0HSW9$zw2pxI4 zRjNK4A}*95P?6 zb;&tJ{S!6*js!m;!g&VsHcHO)moZmCiwhj~8c#|kY8 zpm(VPEcP^0a8=oVolo_b@FdtALsF6}@1OAdE?JsL()qm^>R6{TDtSne4`J}oWjX3IhF{a z-cz_r0^|`qPYwTsdCt9e>-~d-duF1vt1*H;4dktn!;Dd$0DsI(T+K ztTUD%ud#=}7V8{TF-n;;5sB4Ie3gw14>h{$W_2PsGOJ zPoC`^9qq>}5kb(J``=Ta{`QIs6Y1R`X%Gc0(qdm99PU5u?LC7j;rSh6@Uo2yyf^ja zhZKb?%Kl%aX~3Zkq1g8ItM888w@BOd<$t{Vio4;MkI1WMFTeR_{}5kp2)V9w5;&Bi 
z7JR;cbhP&kcR=;n=H1Ju-#yzq3_C$gOg35P&PdtAm(OCjG%1G`-qGIoFfB*>dxuZH zbth2IE>rG!@5TSI7ehC+oqCkC*^QgS%5=EScSo}7nYZIN@F+Kc5BHz!A0T=_6NmeI z&#^r06Bv*|fw9*M>3tcp|pMlx(qZH6K zu>liYm|To0Sdn%*Mo1TR7^atu zh{}X3+pAc6MjoDLXS=&-d3tvC1^@Z-?9BR{RcIyEA=^jxPNTsL%Dh5D2Qj|{)*;^G zz3cPhat2J`VGcKIwA-@%wyAy_I)25;wfH^<{lCcBT2ELFlLUy|oyh)_M9|EKG)y1` zxWK3|%g>(`qd+&PLt+?KxhDLEK_cg0yugVv3v(o?fP=ct*{!4fdr=+%XZ%DDuDfOW zW{$Z#?gKJ)=Q*0%;gnB!>U6#GHyCs=+O~go$67u_QS*Rvq9zxd*23(CZeo~v=9tP^ zLqj$0VL@A_iC~gV3^n!*Ml*wv=3fdLCQaaU0$s*nj?)~d9!V0`IC@@X+dWeE8!~{> zl51jfN4A7;1JQbG^DT_EIufX<=pA5oat_=?GAz7RA~u*hv2Lyw6*_7{J^TapR@tdV ztFLmC`^b)S&#)!l9s^t#a^{BH{hi8*c#K`K3e?{OWs+a3)g&eGrF(sbCangtI>M*u zokCtCJQ|r50)zNrZET?>C$%@hpau5rzjeer$+6BH-ZI``3}o_qm#I-VSY&41C{4Eh z*_lLU@{t+J4%MZ>92W(qzOsG z6?UB_s&W&fC$c$+1k|UWHaqPQPOhY=&Ey=NaAj<~PIy@-w2;9WOr$$9rEqII?sVh{ z0?4->n5l4L2HVT_>M`TXYVt8O@G<`jb|k6+2mfNS2ZK)!f?g z39EfOI9pFJ5ZPo#yT^!W$JzACdIa*!P_$Bd@v$vPvDL+>bb8gsGJNZ_bAvs?=V?9~ zNc{heR)_Op!fMi=j}v(2&VW26@Yu^|CA!981VZSOtf1+ix?b468s`h@+7K%Du%>ac z=rZEFK6uhF1(d@IrfiDf#bZS3b^Ja}CK%Uoh|j&aY5<6>hqSG)WO?3cIu2nw9`fK(fEnY$$#X ztqx(=Cg9L!>ol5z&as=*x!CpK5kKDwlNuKnrnq|FDn!q0Ql6Qzp0A2L?a~(Ru&u#~ zJmhYXb`Qf)l9MGnCK){q>ml%VY4t;fR66?hM-qP<$%^_)P-01e$5Og39KK|jNR+o6 zvx-H0L|h?QSK`TZ(O^kE%)X#$`Z7(^FE;qA<02q1zQ9TSvR?9w4SK;%`9=ZmlKi%- zVYU!)7sY+|Gt{VU6z)uHucT%-Lp^GmjoTf5GI#ATODsue>?0y2!*Fb9%Fb z?`Yh2(kG}hB&!>ICi@8=`8kd-ulZ}g6h47MC#N011pN)>8J`8SjE@-O@f#=c;X?&~ z!*mQOF~#fj3N8VB#xUd&H(^pk9AXGyKwKTa9;1%gr#|xfFAre|KmTHYeT$opCs{Kn zu^`uG9CWACWRn+Q296x@7>`5|WmF<}A$|!Gtin0(gO0x43G029J#J5J$Ui=JomO_- z4d<+=vI%lf%i0DW*M1ok#ZE1+7QO}eQ%anLg5!-h*TcZ-3+ZBocDS637Aes!xuOEk zYwLs-OXNH3x73tBN#}K3j@w)`q&c#*!1AHmcFUMTQIg&z8;)2;*XJpC;@U*lEvTCN z9pTu1HdSSp?=S(d`ZwCwRcnX0rSqJ%mheK6KIJD)5mv;wMfizRM0eee_S<>KK9d7@ zXSeC9JQNoDmrg(%&BhcZkh8yPWHZ=sA#JQ}<{d*6@UA3UTaPTrGqYlHVwtVxtb>Bl zPMD6j*|#&#Mzb*!j1d`Pi)Pd8(`YL$(~M*ctH@03M%G*{hG2?qRR*W8zUDO~!tSh1 zIc7a{q^7=VsCioq2mNdkYg1pjHGhfYtwleKBxFlH}&92X}F9BrK`+Fd{+SwVJs$61t 
z0~aPQsJPYBcb4LrD1SO?G(D&dg5ur#15kkS4sDI->#E!88KH}K^V4@@kEO@DYWtG5 zZUnCxs?;=5XMmCd998l61PxW109RMpgc3H;bny=~d9h}74)AcYaBl>2rQlXChvj)T zL>XRn2h9F8euI9jl3yR!^aeOZ2VxnbI)Yac{DA~_QKO3HFC8`#~rX5&)} zIWmNWa4c5v>%`mmEZzRtkD)7077d0FCN6(F+GQ(0;m5z4S;qp3q}joX}PMB=P#k~q474#Fd%^FmN0OvyM5ZZX(mk{ZEv7{_EPl!db>*0~30o?Z#{%0bTC2Kc z6I*ij_(L{o#4RW?9bwfv)oAa{kS(pP)v@f$vb+MeK#1(*l8A2`PrA`Q{u0f{P) zrsd>XvAc`@_v8`<$0SrE6U6I$P@sJsD^kw$=`AXHqzfGDmZ@OMz*=aDisp%;sJtvi zBzo?6JYW=21U{bN9ZSvUxFUuAy3N^xZa{gV-~vCrGHucsS*zYz;TQ(g2`!2x+k!3h zqQgRg-d9Kz{?W0b9o?vzrU=U3THfx4g(sv0%+np3eY0~emdQ#ff6x4h*| z_N-l`8sfkN1v^GFGws!J)QKXRxe#jH44Z)y7>XeS!@<8tbaYb|Etcc4N$wz@k_H7O zkDe(&m#j5ac8`&dS&hS1p03ExioRIdVFP@k#*`rF&|Skipmn!w4C<=hM73=OW87kN zLTYxRsVoWSec-J+- zjhhTY>C_`THj*z7QTWWkJ6yUQp@upNKpbmj@9_f!h15b$ESS8}=pcW?VVdBeYb!aB zg+S&)%&Bz`-dRqe$qe)Zi)>qae=PDJ3B^{|SE+}34}6b|^AZitVW&T^vG0wI{g>n% z>%D1ewyBq~-Ymgv*2z{NXn08OQkf28gTH!SPRNeK*x;|iiID*k!!wTu^_fTfprJG- z7AkJCApjrV#adK;c9|9f(2`zF<GEj~y)yW26GRtJ(B&`|n>thXa6*pF`z;5$(i z*Y7|ni-FuYd*X6%uZfd7_ai43Qx3R#KuG-8OU}fB(|ef)@u`p*paOFSe^D+Nxs&5W zV$q|&RL%(RR91^d4yL>`$*DVgV4JIT!V?(qElr5#Oe6Y& z+!KYciaDg5bNarxgm9Ws3EnP^N_G%7Fyw!g=Nb*N7}N$wRv=EcWGGD(p%~031piT< z>+OGTpZ>#ZJ)PtiutHbu#)UvLt@|+v=3=S+Z#WU1o;S`mjcTd6{twg7rjf9p()|Xb zN=KH$;jQShG||sF7y();%@z#t88;n{(t|#Kc+cF2Gu1nE31O zaM-Bln2=cwfZaG)_8RMPB2ILEz2CUW?t)=3=^zK%>Rv>{$&r=~UXF%$P1D2e5Iy({ zw6bWPG{9JJ&G~XSX@A=7MD0QAJ@Dq%^Ssj;4tnLpaH`qouvK}pv)1Z!cPguhZ-~fo zWm~tVTHxzt!G@`?!CSO!Q8vw&*~m=E3dSXC3its&E4D91SB7!m>v$)^7U+7 zVSIQxTdzsj*5yFWJrrY^G_MK07mN z7Y~zN5$E?L@vw>80c#y`6MojvG16Uu)uiock2^c)d1IB3`B%ADpG74(KFxL|{#?MGcj-F$g>G(U^F%Q-@_yX8u?PMTG`DB8Plahyr=7@M zCiVb5S=XdPYi#L^5RH!~y1+_B*vyoZy^=N@9gus0fo)uAXl?-HWMFWPN;S?yQ?lQ*vBk^! 
z(^=*$sWUh?g<_@AT37%sg?nnBxr(R?qw9F9H#F(##$^?|ed7IcQVur++^XkEq4RG% zDPn9=5JQ|NbJxTSNk`?aBkms*7Z>QKr*TBuvY@-tmMzK2t$Z-ay1@T}00p`DVj+TQ z?4i!V86t61SSFm$rX*IeG2=&K02=-cNNuDy7-PlFzQs(SQ_02|aa@g?*txLJ5pM2a zG$7TJ4a_e(2FhhbiHE1GnaZXbIIv=mIt1M$c{N7>S1f9+7zpfC%l&hpEtHce)~|M4 zKQ_CMHKD_9#Ph9l!meefE;5V5ka|8SfROcvFi zT3%W6jJcPBy#}7=t#1M*$|i%gEPkDvpTkKX3FE=*@AK59Z)xgcW`qm%GAYe(MvF>x zt5KvGdNaXLlr%4N!OCkJw{xxJlKfe{h4~mxVdL)2aV{9TFyB>< zYDsMM_eFL(KQFMcxObwb)}qW7UNANj{9Kq-?yBs8@xS+p&)EACUAVFj>- zN(;HWx+*TEBo`zfQ~4%7bMk9#jgIUW8%C@K7ZaYL(G@G@0a4 zWc`o+GTAj7r*cpz1W6OmB~q_AJCg#x4)=Y>o!xks)}2ec^b#F^NNr&p)6gxJv$I{)oE8d7p@n@{33ia1 zp4M-zOEHPp_`0?xtG7n#xbhk!wNs8#J7H6vFe~vATY77JZsLVBIWHJi!|oN?&6enp zQwxb&{@?b#y}OO$$anwtr0L&mZEkEySESz48bx+R#peV^nh~!uVrn{$~)%E<<>+A-j);yyNBzqYzM&c-znG^pboOO~^ zt;e=c4hfDc0?6y*a?u>S5EPEULT>sIPzVvaMoMS!n+S3Fihy#!+m)(-P^FNnn^sOHxS_pN=&`cb~B3!wS3p1kH|n|d6V-m-r88nheQ#mj0L?eQaWRqxbADO^l{OVoIdZU{q^;HFFZV#Kb} z+-`#^P(6?f=o8R3(=jpu1`6~0HJn_|6SEUX1tUN*eDuRyu@=K-H zzqVnZ?R{|DPu-kx4tVy4>h&VH{B52WQ}?As(b*bj(~J2fpv&xixwrFmd$ShNpFW*- z_Vx;N&`{;OS>81_MDo_+d$;@iZbdOit}UkMQ&LV zTlqQ>R{QavF<=;kR@ zEriQlz%IkrE*+(wlG>3jZ$<?Nfx`mYsupG z&84rve8>1-JnF=Eug2gi23El@QVSYz(UwO)G;1oEV~P;IUZbWG1WQD?b^5N5Cd5P& z0)<lb7l1Yy_ZF61DGYFzCt##&XoDN^p zPYA3;&aD`nUHbMVo(foo(TLO4AwYSGzHcxI;EI4(Uz(g}*O2WZLmzbpel3ZU_w$c{ zyr!=+#Jh#O9pfH3l(b*@&)BJc6#i}pXCB~_pTIZE;YMLFF@Zso6C+}-n66&Uvh)0{ zzgGqW>cYIB+gf*sQwrH%%_RR75jiR2GdRd_o)2sahJ1ZljK%W=b*BQXWOxK=2Yf3F zFfVx%D!~GnZ-Z7;ax3;o@Xbr?pq;k%E9ZgDB7^mykc14FJq!6! zWH>Nukn%%NYAE;)j>D(`t_+1Qiuc3ZEu)Mf%4ruY&h&mM3paT1tb>(b#npd4>=Svx}avdNNdW={B4EG}^N%sghZOh3k? 
zQgnE*H37Iv;amm#yQg=P_dxcx_oLm|)W{FTb%v6#)p00raS}|C1GfQW1WLjO+fXrc zlELYU4<*7s+4b1M6J6d+=jmI*DZ|W5&?$>xEBTsX$W^2Pl>`i(MsS54^b`X$)3%h1 z1?V6%oNL}1gk=C&0ra%j`#ve+wdLJ3wYa5P6{I!QNJWgcOZHQxnS_$ z4M^k!p)xZ^Fyt;_$U!qwYKc75oS_@DgmNp^X(jb88&Ed{Y4v`ECHf6RDqzc56$CfL zVt=&KHlT4q&f*ce0G5=!fpao}1}v4_4;ghBP(C3O>-995Un>59%LM2=+ z%^v6F*-*DsYBdo+auy|Dg-ER+A2}#fB)@7ty+lNMX$8e5x!P%gsJ4r7cYt!8eBLgR z6S}5k=`t7=U9N6uyqKCyI)yv&hPU1(kWr8{>^|8D;{25xE(K;Gu{O&^$wa62Bxj{z zY0w*ylVNaka0aes`2+~+f^v=fIcs^VcqvWzl4ro94OWyf`QXjQn^iVHvI+vr<#6&? z`@`)})DHr@O`R(;w(C|_dIV!9L=mRO8~SoE@+&nBjv&ZtSZs~`eQyTfLk<6Ma|Pl# zqRe*aEfz3cKGG^g;ks>8$;m*CC!Uqy>b%=u+ub zX3n|7%rXr2u_xHZ=9oHo0}$0gZfa_0&aBC`>^-?qxq-pJdM=q8XauO`W`oaq?=XA5 zE0i~@X4wlf7uqYzpFz#q+iU_b-LD|PY0HK^$+MPet@TPGXcgBAH)CN4kQD=Q2ExkquAzPe%?dFus&Px)*@j>(k zk}%8H`Bk4U4b3V78akW9Bv|j=3N-Gy zng1Kah_@G3#RM2JPs{R>2pTliNYSRNH(k{hPAu`rYW+FWk-3GTs@WY3ogjkUr%Y+`_X;!yN}p0h0u-Vwb84o`@)l4*k^ll~ zx>k+#+?x2w2yb}kL7p{Q@@x{%ODGAo5l_pDgZ5IEWs_)DE8aK_NugWcVUlN@XBJg$ zaD>&JWRisu$SSa+pO!tK7r2QrKV{SA<)n6|k3F1*%CcwGTyS*@AIvRQX_!{rO01f$ ztcIWZQFXO02c0@?v&FQZYWN*rw_O{p>BK=N;7NQBlC9^#@azfGpL9) zmub|g0_Ke7jv>Z#=&fzV7V7B{8BTx@7O-a63DPsTj-X(S^g~4uf&ar1%$du0%mWn3 zbLQQZ*QDwMsa{eg@Z2E7&JG#i0R?9l)9Ou8&4nkeFBhL1`@GnI{J3d`N1_8Li6eQU86E_bPSP2g0+-d?G)eV6I9wD{t5z893r zl+UC9@YlG~*mN!Dz|>klF;O=9hIVHMA3*P%AzNXbC!Ilit3B9s2Y@=#E?q;YdBDAi zIj=F#=fc|t4mHH9SBX<5FNN?|a4iUb6ITHDI~(7l`^r#f@|@r>EegWEy7In@SAxZ{ z00p0#Ehjn|=>gxRqpwx^nKSHeiKh})*6H5D?@ zY#UWC=&fNQRb9OEAfmNK7b#pFFoKHH6(*SCRT{pwX;>!U?tL3S$P8Gk_#I4vXpC4{ z1*bTQDTSq2-);>r?2U#DhVNjAMIPuJGlqQyb}*ll4J$+KCAB0@ftsyDo<#vW;kBRE zIb)v`=uScXhpHsx5`>Yb{k6lSj4>iUka+`-XsY}VnDCyCv{l}jTiP3qc|(38mN zCra;YlOf<$yCf1h$P(+^Z!3p35|!+h1+k7uaIvOUwm8f(GUEGV9dH^RGU{JlIcEhX zMRnouRaFcPp&|DH0#z@?RxBL8C)z@w6nXn)36IMo4~YYEJxE@4~5#S!jU)ae-c7gTlkN00A$kX z3}TB|fHzvQq;eIRl6A29UJ+M9yrV0A*3BJ8Tr$ltG0l!Dq)bzY;LO`kAk-bhWP2C7 zaff;fwn-{A1nI)68VJmQIWDfvwLDI50K0_WgwbQy@WzqhZ9t#SnG_*nBE$G2t?~s2 
zead8MNXr$(&6w>0=#${X+H)R1Y7Sq2i3bRT3^s)oo!kw3$*IgAs)p=w1RQf(-6R8@;f?DQVRQ2VB8L0g3RQDknr--T1`&D zzX0o{aI8cmO+{negogtK{K6Kx6$Tl{f(QzgV$07^xhfzNC&=(z z+Te2=XDw*S-1+#AVY%QRl1)`W4%tf=<8hzzg&rhZyNym&Xj}E6lS^@K=YV9iwUMEd zPu~Nm^}yz0b949~q3=nWfV=a!A&|ME+_IUhXt6>m9>TKJB@Bg8*ZqqzKE^rd5_aT27~tGhIMKp6pEhPJOiVP60D%VE`cQ!uvNQ^ zTTDT~B5YoT3pdb+l8KE9p~^1)oAduc zhzeLO2Y@omxtf6)LNIA-`a=hI+l-xS_S!uwUl=K%Qpwb5Jp;t%)-R%vZ+X2ksEiO+Y>ue}%;Da#hGYQQN6)8pr1WNdq~@ zs1A`3{L}`a6)J}_JNADEUUcXlx$@9wgXqfqz zu4k`;cJPuk4ZYoMs^2u!$}`>-%8N!%uRqMq+Wzc)fd1gjip`d9v)cYOGEBagpgDhC zA|#u5AjjDhok#&5VXx|Xv5~xenRd@!VSv!g2>qlGHmCA!PxCoR$CTPkHZg|oIz%al zb|l_~W0-7^+(J{pA}*_GQ!cX} zgD{zHeZKQKdt)&_geXzK!@_#Q(NR8ScQgQ~<%JhPp51<_qC`zC!4hz5*JeC+uA|SwDs_0a+dtg`RuunzU$DA4uVxTx+&ZbsdlWXpYUinzP2gVo zM87VlRMu8mGV4TkHGFPxvZ1&>4~BH`afq3f&GZ9pfmwm&0uX**oa2C(nk@+x%*>W% z6B<%@Bk&NBP5GoyTXKfNDJY~DGfXm@l@ic3zbpWnyC_M3qrlf2>tf_&QB=Rh;p!Uq zeDXULW`4(;9&#bTF7b=Ry?gjV!Q!xC@z&kc5dgI5`xfMez2p4d`6wL^7h_Sm3aqEK z)UZ8O-0Sr;vWJ}S6R!*q)+PVUaY?*T6=!oJW6LAe>w)lNrKbWIBb0%Kl5@sr?h?ao z&;}A11A8AjH2~t3WSmwr$L(TRhBq0-i<5`Hj#}`{-%dp|=eY%=Q`D2Y-fnM2Vle5P zmBkoh&fs0q6=y?@%^zvbJD^&PfK4S(7%*SW1?|IdKlxZ2wc+Xm291Dq9_bV+)^-Ms zL(Hb3FXo$82W{9}v#rozcl|dSdDn0vV-{jy-*^y#hzlAQOBf$S?KWY7*cYTZBa*YSJ z)KkaS@z7098fN*-a+-;MAkQC=Is$5HQ-nUUt|(~8FotHtCp=X-rpZf48ON1g6+uW{ z=$BY-i`gV3roVci#({Xb6rb+l-j|>6HA1M}5jx$v$aL$Y(!F0qI)_Ggx-fP2{-Dt4 zzS!UUYJcbJ73Sd9NOXn#`xY%ESsX`cV)XF@_Hxv6Vzd5~yO-A2jA zq#bX2a*$V+ja(1rV$C;?Au4QC3{iLx-f3Q35x5cqL78`c11)^3!6ebuCx-xQ4x{F> zIun|yhnLv5kmy@LrD`bn34jdwASX)75H*C2;>0VC14dOVl4(ldS6mSITw^$+P^hZW z@VK+zZ1cbPqwB8|>4VrY^J7G+&(CcQ>-)mA?WKn-MsnYQ{*`(B*$sztK`Vhej-8Eb z;~jNjW(5wMwX>>f)IOut13^j*k8eVbDN+*S4CraK6F_#;t1EL&cBnDs3*i(2Sk4iC z=rFh*HTXGso=KBza;ALcqN4O#MpQALT5Ib2uq3SOq^gcN^g(9eeem;K`U-_fe;cmA z=~J~H{nH`u{hnRZz@P6|34_~*Kd-KUeAen=V;^&+O#9^V)i*rX1X^mxROPjm5#n#% zN{IE>=MLYZCM80-Wo6VluUqvR93j`LWu)Z%JO`P5t!fnKXKJujVzpYbcE7?s3YbhU z+YcZOa$EZSlG}Ur+lnpDvPtnqdcU)3KO}0<)WK;E-_|DIJnX4BW>N1J^UGqk;%l%a 
z$=w*otF5aw%F3Z3T*P&)UTvJ7W#e@!Owy@g$8i4Es0DZxV`RftufwMErWnsk9h+|& zrXKyRaIdgQAAWuH+i&{jP}fc*S$Kb%T`Nyq2{x#KdHCt@^wAFl^U#0v^vS9Ds}Yz$ zXmy9%-SqA{f!Qd|&w;%({4aVOabV&Vq~Xs0p4m9X2K933^vlspFvzR`Q)qZ>7%1O@ z9AgI*QDW>69Z$*l4heMXbjcV;kWMKsFinO=9y3=}GF`yM?74%P8`b$|VEWw(2zsdg zrgh=|oO*hf5lHgMViFt0Dlg-f8r~&K%dP~` z*WirSzr;1s@SZ07L49KGt)xX4ahL`9^wMVarbG>dDKJMk5;`Jb{%vT>a1{MfK8v+x zerCQOG%mn;Sd|$%?}uvcR$2~Qm@y29VXNk4MqG-$jMz2vB5)K2_7MsLSEXk;+F&d} z`6-_@ayTskf&sw4RJ%dngOQoB7*-O~ppCCCQ~O6BJZm^Dn%Nn8jLUp~KWLOD4pb>= z(QFWCcFBZb3EA$>X3T>9BgRea?gX&fNHKg$5vd%4aLLE?H+l(x%n2MW_sN1iK*C-5 z?b~EW3wPuO8cpUa9-@KIs1xrpioiKgEnZ*d<4kH+szOJk);CN_0MQ+ZYb$x zdxm9T6?zIvpdo>pRPuGhtLp5-Yx@29j?M4Eq4`w1W2Wduu(d@X&IkhSXP0tWrO-lG z9o^~GIYPNB{*7&q|%oZMB+vUhTdCxKE27liigMF+60+IJ0_;wRJi=GCz z{t9BMR=sC7{II{KOGd1^LgR>uh_??ZLL{0+MX^)^TUosg7&w0if{jwYehpo8nH*>M6=FJp_*wu)UoHK&4<;rZ5LS`Lo zWs;ZJG9)Mg3kSWxBF=%4)`p9fi`mr-94{|=X8WrE46$$2jT>fNU|P>^$QlC&`XYaW zNMUR+b}<_&i&;8$nIC*NYzuLnJ47}KH>1u8sj1=eSLg6uM*Aine{!SF$$?a=bKMXh zT2oS21n=R#bxW>z)5g4Kr|CQ`FVm_Q^D9M6p3Zol=-Nha1-O;D6B3fazL2gD>-3jl zj!*K5IbgH#P1l9<<`4&?>p`#v1dqaOLxAc85fCXxG3n5nV{0lTmm`t^As)z=M*L$o z2ySLL5?7>b*~A*TaByED7i$UbZoC*~a5DlA#F z)~K53>sj{6+c$boQhpHQwn0R!hgyPM}M$H{Yqe&8KUm!ZXR z(LvHA7;_E&l-HEPq9US9`$)@nZnSnZYhVL$ZmUX9d`eS?ie=Tk(5ZJ0`j=+v+4xh2 zGVAFwB~Vx~#-p zwanFiZb$+YX~i8%IctZyGKfAwu0T2`QRwdDDLO1YF=bVN#;2tV118)KJf56hM<8O7 zPZJ-TTVMomx1#?Yue(1~%PSo4^WIf))loGA(>#{3P^_kw^V7uNqNNdk)hla$iI%jG zt6u3a8aNajT^88j9&qYfaB5l;a~`w71Vq6kE5M4Io@gR2SM% zRqgV;EQn^=^++9A{d&~IR=?L3u+GkiPg-k*&6fo?Xq=CBnLIxF@#yr(i7=X{gO85= zHmn>YOz=R1L^u%OE#XfXNUxZanIQ7tnweQmxAf6B}R+3I;L$KsO^L-TsHwnSJ`+f>##)FAnW~+ob zZU8obD?y+d6!Zv70AY`e?qw4{1ko7O3g&|(P(KQlpx%xwbl)r^=7qqV)1bQ02LB$5 z#b8!WNf2AvdQuSZ784?hM)P?doScS`OZzPbX6g{ok(0PR?l+`g$Y$Wj4??7$+jJ zSYTAg*%PCqM3O@z(Gy+^qrfTABgHJ4!|`H7YF~I4z(AV)LDn1G&}J9Se4x?VB4?%!3K-(t0Gv~bKp1RK)I$IqeRP842O$Z84O9h|Ccq%NQ zqw0QJwkypnO%Wj}ozAy~aR!5QaL4%V^vtzXEasi2BSMJ(uBpfk=+5suve{lLkw;3~ z>=LR_8LX 
z>akra&I9%=8-*z-Ut?a9u}G3kdt=8;u!zfPm|VD|L^aL%NhB5x+p`VCqJ9xCO~s*! zqEsacTsNDr(w?q>Z+U`K8Q@j&Mxmx(avI=QFWZP`4i?JTVwTHR(m6Mf0ZJf}D{EIO zxWgEZXCl63p-skI$gmo$MrM`|yGcZZPcYK14 z@cv_Mh3}-cm@dji$_dX{RANvgbVIbB4(7pxw05CihqIIgXGLLE=-pkvP1f5M&kj$2 z=s$b@^x4t#)8nHP-XWD<)Mt$dgk`vf+gokmwrYx@+8hhT6x zK?s0@8d@s@DzcnFZ)QC8_JVH8#9CKPV20YmY%Ped9Vu_T6bMyQh-aBJ3W}M!kcnB z&YFS}@q@tG*FLl{*e@#`B*g>ck-{A1CDCEP6sv~rnlt7@BvQF znnzEcd`HMuk_hWpCYJl~<8SLJW7fi)TBZoOEyz>_Z#XYx_M zf8b?)SqA&xV%UFrX%iQ&Q2$%&p~BhVHn-61 z31Qx_@c?jfL|c&N=2tKP`B3y5l(w0Z^^Mxd@Pg+Dy1IfCy+GGkQbTq%FU-L%tkhVL zeRT~&pZoxc=-c1c7J^=q51c^rRVI(2uI7?@JnY(b)>p&V= zc^r~oO_C>7n>R;wc5?+O&(?kgR9)c>=C&PAR&Eqa*Ea^{p;%7A+V-SEyLK1fRzntU z>pRwuar1V9%fT(wOQ;H3t_8Zi0w|oz6;(iu$EmD8PsjzFoIZVi`2A7;+2P5_&rhE} zKC!H%*UV;(Xm({!t?Z31?a@e@Y$dc+shBNzm<)n<4+M15CT~F&=NozBw`lByU+~S} z?z<-(%VHb1u|QbTnJ`HtEDM{DyDH5|SLq^`Z=|Rru5MU6Sx%IN~&FYSG)I%9H^-#XWdbn=OI9u$OXIr6Pd&*4xZgOm8)di%B z3=g##5(9D3?Zdke8Kt#N1+tbi8IF6xMx{#GE(h+spi7NyzDYJ)u|Ya^_}@zFO_J=t z$HdSNArInk*8>D>_R%HmdtKV6`le#YbopX+txvA@!R36a%;B&xv2u3?udb1RmlI9$ z(T$KyAb9qS8%}e(nDL49VFpyjD<-4Rg18~gY|Nx>%Mr!Y$*GE@n)g%*EkYWR)(GWT zpkvqR4Vn*~ZV=v#k(^WimB1(m6uGQY;MM6{H{MB!0F4lTb{zXigwa0MbTM)buHqA| z_RfkFi#37}>&|Y--r~q8KsF2NA&9}kTwY|h2)9>S%8vA_9U?fe;WOG!5z7gY{i1B7 zm98`pNl+vrK|)jJu$UOa0cwLFbUSERxd|}ctojKgpCzsRmiezL?2c{3uRw{OhX~V2 zo`o*2rgbhIX~#0}N;BVIZtcDjvB`9x>h#P0wbZ|m{wPyuB^C4kV3MR&T7|00O9fS{bMZZrVZ=GLU?XM&90(fI zdIBmp84*j(xcY2@j;u(cmqeSHtkoJCu3M5-DtPw@LIn~Z`m)_m7b8Q%UsadJlzQ3b z1|O&M6gY8-`j18^1%q;dNtB8)?32q59t8fNtYze2aNDFih}Y(e-VP=GGIv1)4>4}4 zqv5U}$P`QAZc!evKm9j`!-384?LpG{q8rF3&BR+u)md>G>>)U>#DLKb4s#yE9JahR zmwj4rKe-t{qjboUqO(5j-(->UZwuRX4vRUJ9Bm_h~#Y7Pj6V3rjWb{5tdTj(YL zdW%05`d7^6QNRT@zx+5?5an6r;+ICalc0)XF&k#y7ua?Y8NnxL1$zLVlu3A&~j zzRu>GctOhq7@`DotLLG5BA_F5BH%A_?;?N*stt|J$>c@)J9u??La31jZ+ILPJHzAO zw|tQ_wCq)M#kkjDD*Yh&HEHAOwD*>iI|K#-f(cw?P%l-%O+LFL!HfHM=o*98Fs}9u~#xJnI*;KA=YT$(!B0vvr6d z()r(!PJnXfm)S2<&`Nl8d0xEErkZy@KDX8;YPtg*U}%tuHpzx>==FN_^#3v~`_x|9 
z3CMo!2p-`B-Ss}mY1|GM^q4&0hTLl~KDq2{da}t0diY*LAU5S`Vd|mDLgKvXJ=@#s zEW1)ovB7#O9MTm=5{)d53f~6VTXU%JKHyLTXv*xRENCj9UM=Q{g=NHJXAX<#ze?xx ziZQG1MwDg`l9#P#PtA??DLJ8U@Ah`1i{4MqN>uY8Hyri7Z~cHY?9+1J&Ava?aKyTf zA9V)V*?hC6O%RQ)=396cFph_mH1ivLL$pqGbHrQ!?=70}tz($Tt)I+9?k6X>y5?o| zuV~>T$IjV5fHWcsEl+R|xoOs>hlui>%c`;2JY*?@gQ+l#hW;ct^jUBdLKpzjM#=sN zXTJ`DQ?9;Qdd(D-(8UG=FvJc9$=MjTj@f9~LqyJjZ!|-Jsw{}t8&Sl;n2tojK!qZ{ zVqXV6zD(%NPG1HPG+^rnoS&Nn!%$*^zu(O+UO?yw=uG69uy5#W#>u8he}102X$!m>+z(6Vtwn4geJmr6(QMWCFmG34s#x ze5|fh2!fqlLEMd?F6MK*e;KnD4S=>m4ymY84J-9j&pr=?H7@4M7P!Wk@_FHGm9~DD z{9Vk*Ob{Qp~V7HsZ7vW$x($1_HkNcO!ynnWUb6n~TKx6nh z1syUTC!|8Ge!M6M?m6f?x?-8tgxvv9EIbAWys!Pzge>pr z8|N_MBk0Q`>}TkOwg@X8309UEr4vs-m8t2+_!5viiNGj#|OPBjF! z-L4TZL|sDr>Qk80;&n1ErWfd9mrmg~0CGT$zn-B#!la>F_+kzyTh)yo|8%SjYw4{U zbd<(#B+rQ?CPuotfD%j-*V&14aDl1Wi-u-YQpkU>bNxKq%BI1I&LMjZyxop?45l&c zhro+WGPJMJ9Y3!*v{a`PF-&{jpOu4G)i7J&4k!!DZi**d+~Hz0s+m`&|LEG#f){O> zw`}oST1#A5J*Q%%4!6{!onS-Cp_xdHClQnOelWmPr66R+a3irEjomguy$o+rE?Lj~ z4qzmM3Og@YTTp#n)_p*eFo-bkP0cQ6)CX>M2Q{qv@)xY2MO$@G{nMz?l!AnSGa!l| zXaTU0LU{zMg>d{0-7qx%Qph*#RMko@o@a#kjXHeBWlgcHMSfwsJnehc!rQIu>+3C` z3|m%9H%dB&a+x+qsMjHN5qe!8(CVW|oEmj@>+bT&t^bnoqmvcrnBK30-i&5g-SjfLNHDdv!fUSuqDkFZoXL z<)&u^IU;%8b6Eb)!3bN9v&VY zeYt^aLpWsL4*H4!g1GUnOd8`i9bH;0BpJ>?M}j~cK{$sw^6lP zZX2RgnhUnwaHt&M+CgLs#}AS<@R^sa>`-Ej=cbYbl2d#-iQQm3CjXN07~6tL9I=vE zG97cC9CYDbc(7Qkcd=O#3~ekfrjYbVpwzLU*JcXW4W)oO_4$D|@VT58_Ag61M&PCx zNp!a&fQ@|09&`4%l6Qt{>M2n2>m0CI$x&5w1GCJQXP0@k&Pk`W7+tkA!EH?nGooS! 
zI8pQA)%GmCZf$l2zZ+pd%^8EfK~@w~qNQRwT@BSDOnr;aNvt^Nt+P=}sSnn)lS(yn zed2^hUDz~)ScyQ0^Gi6qhAnJw2LOmUKey#cq1I{Bq_x50Yd4e%yb3S#SLo4i#ut&X z@GN0h531EZOH6;ve}e~~?fMG5c#L#Y%b(O&)z#o1%})G4;l9Oqqz(dw7kDwbs*UKt z^*h?UP1^Mh*!{As8QMN=$LzD9$EJarD|M8L(vE=zDJ%Q*CZVjxm`bAk2HYJ-Sr}=E z^Wb<$5Q1I(Gtar<_R2H$ z;_fsX$&1I&kmj5|dX_MmpQmw0fxdi!_XY3X`9-h4B(yZtI2VUCeL zI874X!{?$(H)FoCusAkdPjMbh4P8kVGkIjeJ@2VEg2xxR-r4TwEvVU00}Fcwl4=YUN(9FN zml<;mL6t32X;xfQ|SF_r^xRsn_b05N^ zZh^3WxICmnz$9Fxiz7T9T%S}-`n_j>7T6gbKyT-3z{q+0Ww zgRcRg#%epM{v4WRiR@aH>`T?hl}!4-(HO9R~}kZ-$Psll(4{K!~Xp z6kpf%8b&hkfhy{x6X@I|y$Y4bt0K=GKY8}zR6=ZV4c10*Gryt9n2drmH&o%b$exVB zHCLci0|K23*bjhCv$9UB;nEU0GT#>%bx|JK-Ef>`F)TG}`M4M^EH>IU(Y$SNwl3$} z(4c7#|Hbyc)m)Ma-9&7$`QmDv5q1I~Gr$xeQcifee21Aq?8ZmIMwh_GMCu9fsbCI0 zZ$vEIfDwwDFf;-am8b%6S>lGSW$*_E5p9EGV+EWGJ}wB7sM@kb(L8f7JzRA&`8L_D z_6~c9_rT%gEWcQo!}vTy*Xg0or}G^q9J8Qw%=#8AaDQ4dpw_1)Ce`T>0fLc4hB6L2 zX4Y<}sb?0&tz%a#+HOoBrWKGRC>;Ok-%Kmuobhz7iggBa0=qK?dUl7y^5FSnO#HEz zHc${*kUJlPvmjuUfk;VdJN?Uz&&3l-IVT^(Gmdg*MJf+(b!wmsq_>&6TR+0CL{Aq^ zL=55%8f-jLIBB;yR`6N*Xkqt0=<&i~t#QQQ1M!$O4b^Qvo&~oXJZsfPa>zlO=QuJi zd$+Aq+weQhnoJes0?a^z%6b>(i&}(G8J{@#=nY;&GH_~EBpWx2_ zn_)VeQTia3Od-{PQ$$z#)VN$ez2JU%3s}{f+Il{eCi)x!QQ_q!65@BN2E>tQvD*WR zw^;(V`3{@_dFuNcfir-hoL^oVIexg9Gfx?W0!IlC5e&tTMK@IpSQ96Qc8^SI?L7I| zm@yjva}F79=XOwLoYyJ&6HE-7IRQHcZXKJ|+9eNl*gBk<3T4-dp25P}A~K`!=2|uGQ{4rT=QGeM(xbb=~m8x)>4z z=ohzwT@+z9a4FwPTIr~@pBxS`tIlI|^C)IFl~Q8j+fTkjj7xM$SeR=KaNWX(VX+sZzEa8p<*^B~S2=YGck4xDP7&E)d-zdIVI8szQrteK9a$?t|LD z^5i<7ZlQz6*0{LXQpn)_l>mnqL~ZgBe~Jb^&TVwJ8ZdHAxQjz0-j z9age=)o}w4{?QFXx3dgED&2k0+Ee4;z$9E~vQN@&G3Pue1=w{VbX!oG4B{GWR*R`t za|Zg*GMl6ELgQ9~pCI;3ObJ!<0R!Uz;|!3L3ICuPVUJD;t4l{%E*(O)WKe5pnzI3t z7fV~!aQ`fTQNBeU6rN|oJ@R&n~(QzqCe(Z=|=Hi|FolM?D;Ieb0hKMR(9QhP&i zq`96uVdYJ{PkfjZ`BZ#S$o<5Jyl@U1by&pic8NHKK1XYex>#09k9tqo{}l;)9h3x` z!V5O+y(8p1Y478JPyzTvz0Zv2^QF!LL6`S@7o-}mlDg`2lEOx!-rFEpnA<58sSwU+ z6m$j(VfdzmF_ATaG7vFP2r;Dh2a${ZYaPV+nUQT%>uoY{L7G_Zc?Q>SE&5PZ*lc}T 
zZubpGW5dh)Y$bY$hrsQBv4GZOUH|Fu^wAHLbsfOjPt9MIv!j6zWn>+0SDTU`{vX~> z@++I77H4oC!}~2imnSuJf*&3vFO@-+6wUZs)7-ST+r7UQ`Lx5WY&OqE1N0*X`Cqt{{ zVHf|@2!ZA~SA9a4IMW9N5cWrLAWlPV^RmzzNMau|r(Q*!8W(4>m+0^WTX(&eBgVw2BaK$h5B^#Q zdxj5}z@BL*sG<)4D^7`EJof4lbG$1lfiF<38T%|YPwMbnA!*r-n$l9UM#mgEjAals zKY`wI?$P)6Di^)KS2LI1*%Cl>x{hq>r1E4}T&%n< z?!{bvlk(22f1TfKoo{nZ?B{RPW9kbD(W@PIvB;~G^*DLmrE z(PNa=oIpKSkWBukSfCdzMrm;Rj*MbbOvQ4Nbhx)8Tx$=ZZa9iZ&@!) zcloQ2`Ld(n$sd+x63#JL_nTUYWtJ8f; z{!Va+bZYebtL7j2swwXv{;$e!&`C-<3Y=t<<-zoAK3PnZ$rRDi+~%t8sN(#*%;K%l zBNsCXCQfwQY-o-TH#8^X=GN#*f*GY%jw2C<%1B$qY~DBfHr5(#=bUVIP|!j3dP>jnDo;&A3EdW@m3L^8~0!$m$%&SvJQU(&QYH_Oobdj$hc zK(ybR}fCAr3JhFS)8TDX^k;}_h zQqv0L?PgUCwHi$tEJYn1hhou=$~c+0gQZ{LagL>Bl^76smC%O;`cx{;=QD#*EZ>ceC`kZKg6L2jWKbv zwP9uIILn_e#oW(TU+us0TBHOF>omA8EmGB2UV9$R5#~|SRI(b~uz6urIg}&@^`P1W zJ^<3inGJPK#O!gE54ccu`vR8SIGvo0(&X)a@)jXDdgJ0cn{`%Ef(O-Kx|hC+x8f$Q zMBx37{DOY92j`o&m^EaMe;-r#Zc}!bQ)PrG7@!f2+B8)l8?|ejX2lNS z->V#PW+;I5j*jT#kXgo%K-QH)g-)a(dHVZV_F@k*lThQOTm?OMV5T4`&5ALYa*)O!w5Z!khqg-m z#!7J;v{+`pq4`HLE20^QUOEP$CdlGQ75O>BJ(%^p&I#QzHS*3?Oq>a1yqa(@FU%wA z{l_4?eRFK!=tmawF_nPK;aJ3B&ceaE^_n#<5%-GUxD0=muyz}Ua5PKc)xx=F+-CcI7^0GfNQxh50u|-3bX1PdK7d!-YF_sPr0 zuulklaksi(pt3i2^xm~54>=o(ZJ&{Vx84k5<#nepI)^dkw5O{G6S+fdbjTJ&Cs|Fd zG!EU4=znP{YS5Mh4etbgHmhP$?*7kC2p8H zw!-n*O3+ddjvptTljFymb!XWYTiba}(<#d`!w9axn*j0Ntr68<$}Pp=J=;qo?^mKXy=+^ohFY~3Z=3YvONJcIk3>~$Qp1k zG^?eO2g(1#d~C@VfjORXm0;ANVK3zdiKL*Q%p<+M!0-nt2cy&5f%asp1mGleX_k~g z*t8KffGL0nD%-U$`Y9{R^dgJ&5NrhGVqynqH~E=oBB$x@YO733Hh^U zGgw@a5Df8G!SnEWF58s>{+)KlrKJ*CQCNl^gvDBbR(G1FrjBJRkkGoBX0;Y3wqj4R zGMk6)n>8MTfK~xu6;77+F)PgB!wgsxh{FYlY6ZZnp)PU<3_3?f7W9e$S81+S)_I!S zVjrAH_Xm9H2GDcR3Y&MzZC({RG%ft#qDO2me^A+jJ79#5P^9qZ<&FdkAqUZWPQNiC zU+BlTlQQ`2t;!V`2pd|`zoY9?j&X2py6Jo|9p|sJ)o()PgcuqbdH`pA?sPwAnG+P$ z&pavMGtDh``9yIS&Fb-4p2^@`S@H{qcy{%kY?=TP`Gh=+0TlzzZx=QCh#M0BOip- zSi&pFIl1Q*J{qq8Vxr~~BCeEJwe^e%5SpdrBx(!B3i@7d>c8kXJDx&wBB=T3wVJpC zPytxRpot-H$J#Ik6hHD$%?8LKesp#~I`U3B$@juQ$UXYIU?gOkmNFDH%VwY6jsBdE 
zt!Xb7vl+o1`Vf1VHx~q%e6;QB`tWHoQh#QJ#_FrDi^0}B>5#T;h zNM*>hg?*8V_MSvEd$S34wsv>arurej049!nbV>`+om|rI(o7H7SBS==1s>^4>2lYY z`|SbPkRNn07!3jiF)PF<18#(4^K8GoYbr1V@BxQCO^|{MOLV5i^(ONB9#4-+?dQeT7~*?7^Z9s_$oG4)pWxV*W*|0q zt?5bQH7lA9UV+#U0`nEl!dZ4+kd8z3SEMqURhR$J$h_mRQ}iym6wQm}z33o`*}Xr= z)fky)Glix<<_GiNl`h1^w9d!|;^ria+1R?2$`3L`zNhWNy{g+V&WrF}a<8}zQ1<*} zC)m!igeOpMu!2kCE%KXye?LxqvOpHr`29f8>EM z>=3Hv)-Gz+=9EDURRTet;OSyK?$c`zk{#u2@35U~JrOsOr*E>^EFX=ssZCT2x{bND zVT=&-Clha89{^>|P^(y&RW&HIKBBHU#A>bZDjRSlQ3ewq57bVtEPhq_1&zLJ^MbZt z87Vs-wO>^W)`l!C3sZ?hrA zGpHb_7Q2AAVo*D$raO$ZBYD#pEycEV!1e!_2$GCM0tomE(TbjTIru(4c&%`-X}EVC zWkVNjA}Z$ZsM`)64scfYqXkWI1p{Qb2Q%&AQHk2I7E^UhklT@~Gk>;Mmk0VA?p#yBBGh$ZYj zX>@3LYjrs5DsDoh4K@Ex3YxpHVSxjKx!fGV2rsodzD6-K&};6?S}Y8b4Q>SbLQ|so zlv-QaEv;n8=jasn2Q7MOt12SckH;6)7qc8ppr!JF#(nnY6tb=ofUkoYcQgymm4HQq z=*LjGhW% zRs7yEb}gm{j%|8kx$Ff5TmF2OUJ%`gFmiee-ZON#;43n8vg-F79ew_xI668yyo4W~ zwc%xmu{Oxk=nLqsSsTaMG&43InX{>4Sr|6hP&&Gb_X&acJZC*LJxdThQ-?_-N$40V z7+z@qb@KEH;vYOZ`AYmrVQ6qQo!x*A}O3suC;(KRJS7bGv?$0U@*I-Q981!RtabcvN zcd`c&@4yI~3Ao@~6i)o}Ohik~Lu2aCd$JJy`1JelkDhPdHCxV;_>aPw^U^cp20k*n@HI-ZFV+)v&qhuq5e|{?Yk1-vdn`T%TF#`mF zwvu6?1Vb8>YkQ!07z+y!trdK|ShCqjG65=Ow@|#N8mY|XMZWD&ZaETy7JzrFipxh7 z?Qh*7u*_cMARHpg53IoKMkfGp3}Pu~9k^+tI(mzRnN;Agyv}Y)VOv!5650ZtErn&Y zFCy**&lk!iZt~6j3F=za(nU^6+sjOmQATjWG!E1zH7UsyY=f?Qrfkr^!Jvitcv^!2 z#JnRQ89?5fBJvYQAdULPw9gX9K;4o-iOlfawlUMsKAcqZLoYc>4M$JD139Z9fOATY z=NiOQIeVEIgYKEV-vYhE48EO%lm%bU>3g+v@DTJJHT_c4JR+_P-@>8%(sSw?exvu0 zgRJ>OUhIu63No%{nr8J(*3fOXn*Bu{3NfNY1 z{_6<=_i{Uk_8*;od(~_7*ihk%bo}%xBQLTeNoCP##hM!uA8ED(b#Rot$x~0I3p}LU zC@1NgY((bo)zQ76j_}>9;CtQa-Hn85_}T~-<7{*hyR#47Q$|BDl*x3zw7E;NnNzue zWUdAT+gt4n@~6TYHE0;x46kN$xeJvVM3a|YgiJ$k$hT)1R)j^6lrh7pw)ELs$eN+8 z)kO8!Ip4X4lb7>A0-OyJU<^S42G}=|UwhYM8d>R)#E#Z1w6|YlG1TkQ% zdH6~%8tg$Ma|`9;vQgJhm*3#oQ*&Igs~ka+mD|68^JOrff)7+sOGJOGvl07{@(K4;zM4 zB^_g5)UhGvsE z4L~G&c+^wSOCj7(&q{>cM>WBB$Ip)*_YZ$OdVY$4mm&o=kPQ1NuBX}TK$FsR2&nWu ze6UIj>D5)NzWI5T+T~>m>|d+}eiWz=(O=dra^-9d9f>zv7}8laoEc|pS8l>99ESLI 
zm9{i-5i8qjLw$Vzwy!A@`t9Ekc{=oAZ{+QK@ zPY`7-em%dy@}<(RQi>JuKpkF!J{wcmwch|j_9zP@CvZg-pGBAZxG;-un@MAa4V3^c za?evkgQ|7KgN?Se@YbSYO_r7@`>=`^$*K;mn!|ZVmsV(sTKd3Ft;@OTjl^!6A`ncH z2Q0)sAn{#YS8Ve*%TzmHEhmWB-1@rqn;vnnVWu|eOy`3kQ#bU}?A9DZ3u^L=~5Qz1fxkZhnJq&b}e?U~6~O@?=MCwmUG> z*{Tv3uLausp8YaBKSB9=@}geN37DOkFl^K-yEON0aKqyCtZ^F#d#}l6WIp~3d*7NX z>ZwKmm6Q5xQfX{xBLr0?llCn-4ExIHEY!pklyZ=Vp6#K+K(QR^2lQ6&W2+ zvY|Ww{!~?PB=J`rB~3aGInFldFbKzc4VYnY7rJ9P1G!idEy=l62kwDu?162|=>=@~ zTxEOPYP`2yAf&k?@?z8!eWxq09)h=)0!F5+rKjsa&D=Ul8EGsVt*n#bk<0z$5zVu4 zF?=l+XO8x_Ep}K_eUt3eLVHHm$CX=AJ7Z6X=|G|kbCKA`@|=^^yYWAK=Jvlmj{^*AziK0{!q7;2zj2nu@NrnBX4Rx!L`G{IU zV|;YL7Dq_+S)GCtX%tndzlKE)Smv0uTwYi!Psu;4w6N+K&1$l+M>NlByVmZk2!Cx4 zZ8ir@ak--D#L(gM{9?g(V9Aw<*OXZir4Y8Xp8JY4xXO{ejX9>Z&3~5LB%g1~8(S4C zjg!m@Q5EuNts)rgUZ7tl!60bS{?Uu;6IM|n@C$7RP^CaK=Nl6nBUqb`UNpwTJ;vkZ z?S5A32V*6ze*C!IR)2p}8Y0U2dvaC-1wPNIR^Z<)Ku7Z#l?}S|czXI#x>svAUwjt^ z2i?1CUziqFws!KlG$P;3cW$ZjfU{zp^(8KQB}FCF0LS<;zhFR4Jn8hZW(f?du9|`nX~&C0rLS zw4nUGAaKgKi2%sAkQTdAO&l!lbkz1Kn{d&Ndb+o8 z3+@$Ay-L5{E$VVb4j4`gP_#>+-b2<=+@2BsuP--X#L(coa=|P5vAg~49{Z+L7^15E z;K32;JRdxGw{WlF3V~ZhPE9$Yf!?#TVwS@*d}8sJ@mENSS!P3XCCH9!@qs^RLGb{S z`7$4m(n?GCE2h^Z_rOY1FR86=>k6n(>(!>FAX>+PSzcTem7_*yaPQ$J4io*L$=QYV zbXvz8%i|8~r)4Yo6f6t2L8T&;pLkT!+{#Y(fcYD%MDie@mIootv`uYTn95O+fnmcc z8~F?icZh7P)$oE-e^)nxS3cUz@ydUlA%X^|p;YPuOdp#8JCG~zqL|v)PK;9)p<(kN zmMpQG{P&Z?pN{%RPfnlzk7Q1?bG0fM&@v#Pdei<&na%@mfEW~zhWSykyp+T-e$j%u zI{iII29_#Vnml81aK)dX=8#V`TID^P-Or{dM>rek!%WSy!@*KD{iQ^Jx3~$^Xq} zg^h&@o5M0bb{I|?ydby}b=8Q7`bf9D;%%p!y!~BQGj5+ls4@sKQ4`i(b5af0-5T-7 zz~i`t0VFuJ%VLtjpY2!GnWt^jCijJYaXsw|ErwVu_Qi@{IO2`o_g4DA7mf8ZTN9&$ z;W#3$Cj^v`u2PG}bGLru2RqgBp%6I}>=*@n>3u-WR^WJs&bMeN1m-!}Bjo7L_?|NPb>Luj`RH++QY z!C*gQmQll0Ln0k=I1+vuIp~0IHiI_%)#ewou}XJD{S<@rZYnd9^m!mm1w=@?jTr;m zThr_qQ!zCt%AP;{(b^ed0{+<)WhDQtq7w^lr+*xs7|9q&&no(!;H>}NbvgHXob~lMxMNn;Mzf0APIh148#aA>q&$ZfST%Zkd3y&rya1|5f)m5+FT5GPD#ntijyjbF}hvm#+ zA^aMcWw~&m{TfPIskA)jgctRgrTIR#(Po@xm4h=KzD}cougcfS+$7?S$K`Dt{nZtD 
zoETz<(eb^y4tZ{W+)7Jzgd8%K%pka$QbBJD(ZmbU>>j3xOzKKKqE?|pv|s-Gmy@~S zIou|Tu(fw(Zf!$QkC~2bclOF{a_?y~Us>r+GqaXYN7-Av-hTb9D@aH5CGP9u*80zX zN$^#=<2C1B&b}fU=JZo{*5sVH!}|d)1pW+zgo%S`37WOlsxBkcE)6|wmUzYbW~EkL ztKz7VhAlbz+717D6qAH}kdow?(EHXT9;^K)miIZ{VKhUcdzg z;KP$L%xdlf{Jp8g_IqRY)L%;=z>CRM*?Hr0STul_ZG2s?oqU$O20W=Z(LT|X*LO)8 z!*a34D%evVKV#j=YEHL*CsfHh_~tjzC5!-INKWhL5kEiy3(P%vY#M01?J7NfYa z&^}JMM-L*YbRKaK9HOPzO-KniEDfNgTXOvAkiyBwCf7XqoEQg$h48coE!h-0bRI~v z*AQW{#_6E#ffO?MO>bZFYB~_~6#tM=0wBe~qYt`wJZiJ?(1wjbQ}BY~roWQ~rQ@?? zL5VWm!GeY)u5Ll!{~|iF;Vt4yi%~-|@Bq@8Uq#J@B*MC@l9z6!OG(c$Bx=b-fLv>y>4xCPjNpgv9=AG{5Fv%UFBE0sJ3Wf(F%@X<03h|jJ! z{G(q|@dmoEUx)(A>2C-Q=a*2BxBrqpk>)Hf(|yv+>b% zSd2KnM)eY-<2Ox__I6uM46xDcHZ~hanJ5qUhn0^~i#qig)m35jJZ>8%Ph;0%@BAf- zThnKV#dUjStG%agdD7TA9a9zGPuDPB!uovUH=l;uzrWAsURDPnKn(be@!z7$^Z2}C zHt#0me3F}g%GbH+ndS59adw|pTk3(PCm-=k2-B&t@qn&cXx>`J@o+Xvkz*BqY#>)e zb1>F83@owkz$sL0_6Nor4>T|(!|zN7ydr zxNt@Kh_I4JF1LKNPpUJdy2p=u$ua5Q1pJJ0WSoI1BAX34f`9>K{h7^2ORg*NsHZ-u z6bmu4Z2pLDV0W6RzaUY)*)Oehgh&cEZoDr{c zP;`#M+UO^nb8b44;8_DdJ$2dUcd$B@XWK(T_)`M~yt3r=Q_jBihmVwT*9U z@6%g<+jJ9woc6E3RVI8jY9iBZ^I)Mm=`t;s&=lH)BekESbF`FZyz>ObNJ9;BNB46|RI5_)^{lmsmi0hqG|X>ouaqdMa>KEIFdBps{M`#bS#3A9-D=+kLgbe)35IoA za6qKt5&=zB4yIuAUISM*;wQl65{T3`58=ZOYuDG;y%am!D`pqlV=7o~|9Jf9=*h{^mgz87c`+Sl zs8uI0d5~sVmrdzVuQ4ys#f(G4O@AS?Dry4D;(UG$*!~*;s%*rBv&Gz-Ea_cddIb>j zCutp?B*!PMPx9yECy%>HmSY-$>@9jwKqqsU#%$C}P6(XYEuh1RA(m=r#x=cIfWO5B@F$p@ z)-WxT907^Qj*L3Nlq|>_)j{8YbL24;rO-jh-%# zuU=kQc)P*iPn0k{9;<*%Ziy8 z*-eeW->qbaF(utHVmSuqOb{DVJ?H_gx$0~p##w7K`Nj4L4mK}&*n;~ts2<;qxX>ON zn)ndfo}?FcN8=ZGxjz8+7{2}DNj6?-+T^Z0eJ3JA-j&YG(ZN6aFp1pv{5)~LNxxe7 zQ>)T{UDEW52inj?ANH+kN11La@gb8pS2ougHsyPxC|eCjc$f;UGsBsI1q9&+U8GQX{DsRD3^cLPeQ2AqXq4%GU^;t>&!=$?J zOa9y4+1uT%$bWmE-^+g=;&U(m-OGRPF8|GEH_TsA6qR8LdfD8}RBxzcD^P+ToqodW zeT+qsDS-!hR?|YY0rr-K^qShO0O?Vn;j;pee)f zX~emo7FYozU2Tb!Gu?MNjVZ=k4eBc<5WqIg~8 z?967F&lW?B_%Tz3ixmmPqk}#%i+hwPy@ zXzHblECS=s^V*u+oZw#&s2M4SGv4~N_wXFJ;@yW|?d^X3)y~(S_sl)!72d2J>iJ^4 
zbewQP#$(|3Za-Yx#_~Z+(P8##KNISM$-f0vTB!-Td=l+b%&6`EAPk`7^G zngL5ji|cY?mPC^(O-inV^Kp^Ru@kvKULsUFocZB+feC{a7~A;JkdYytDE791R2D)Q z&1oAOLA3(2PA`Kcs~<8v1)%W##IA3p1zg=~6YRwA2A-G7usavBIxjF4C+Z^dbDM92 z;{?LV#+^`o7yWLN1mOEzv*ulB7Ui(Jiv=WniZ>l*K^Bsl5I6{>TN&SA{C6?E{o6*E zS!FOdb4tdXLEtGk4%~1+QwePk2LD02B+TqGbwAr%uF}42`rsYMrCtzuj~S042I*C~ z7?Tek56r!XF5Ul#+N#kM%%VR06Fh(^Il%Gy4`3^q2bVf7pMqd<-yF~m@E`G79PpyV z9)ef8EdYxa6vERA1@I65As({>JZ=61nN5JX<3F7Pgk1X)gNJv#e}n!k48(u`^rJhM zsl~*{ir&J~gm(qa;37A_TlT>=eR`Qy>X1(*IjV?UFM%_KFp6yCNM<2E ze`XU722P1IK+FSFEk!)ns9XE|uRGZ=SWVp`iScOPNT#8PdxKVF;W!PuR&{f*(GWB= z24_&iH{VQedM!oq?M-_s9A~G6zxjzH^seDNg4Mp#jay;{8PY&?b;Zq3A_Zk5wQ$RH zY>rX+-Fn=?XM=J&(LI2{@}`Zh8U5TNGr-b94>4d88L{LWsPnC8ohu{b7Hh_3=H_H^ zCey=ot_5{ko2vC}>s&5M~cSJ4P6G1{)XPz1n%U6Bs+6T!? zua{=h@wD4X$8SOGyA;CA&fSn=R0<>Uk#hK@QiOONN6ab(U`I*;KNF9y872)Xhk#A> zP%A1=n`Jw`UbSn68gW@Mic_i{#TAzy%ISl|R0+>~$5fdYba_$*1scHx&&P}Mva|WI z6(RqkpOy4~7R%{&D!^s>zuk)e$L`La$ z{~q~qv8;O%@IXD{{Cic`W|z~d+lpBXUy`~`%&}9{RTWQW zrgjZSVCNSR4qEVQt6rl8Jl&E;_jIEb7RA10FQ&=K%Hb@(qO4?A)1?-bhE|Z@wd+Tu zDYScYezUv;Z{XY9~wUR7VznJ#3Q9iHHMd@OM zY7)~*!GD!6(W3$(0p`TGm7umIE+1p*dtA!Mg66n8pZvvtvAX?K#9LeD(neUSOYQCr}_%C3_+CuxQf*z^D$`|&A*QRrK1tR088`@lR@$V@=4F(XjGE2 zP_Zwp`?HD_#Yx%tA9qVj6W^HC`Bo_$MBPZQ6{S%Z&K&2_f*R$wwjtmaO8_BS%r2D9(0n5WA39}q-4@@hs$6I*&|ITv@JS+t}=EAsG%in=eP6;dPoy|E%uj968A zqIHPA648M;H7XG!3xJzbt8)no$^yIE`s_exDt&A%#{K8EpOy4~!i>Kc{ol^cm%BTm z|KC@i-~0c4kPrFu7?LqI#~XQhRKp;+2MGZs^U>r*09-m_Qzvio^b^u031+t5H5SNq zoWBN({Qf7OATB^nX;%L{_yq1*Ea;>odL(3=p0W=CJtFTS_j@0$4>RvE8eL~p2w&M( zdKxZx48K2iXmZqH)b~gc(*DR3xcuA`_(o6MRTX*5U+hEos*kn)E1iFufm=HOFN^>D z>fu-6`TzW@d;R|h`P}RO@Ady5-T!x8&tIa!t7!jG`JT;F@&-Xj%v$~bq1Nq-XBv7{ zf;{DEAAui7G!KiQXLcbd%~+w&>ay8l>c6fObqc-^-c2BTDLIgxt7IP6m-+CLU2@EG zBVEq(A-3eT*e(->5_SkXm@9XdPXIF-jvAtu*pcOUkEds57p6w^O|R1%--N&_L~_?j z&Uw3Q{p8BZ=-cU{d3~KCnmh$e!M+*0r;YZX^vfL05};5%{^{9|N3B>Pv%#Q*8DG7= z8JE0S#cOq6R)HE*@$yh23f_v|%hv>Xk9^J7lZx}4nb5wdSNop+%QGj~vXlh5Z}Ws7 zaBQkqFqriN9!sw}omw21lrw=j!R!o#SRxiOki)I&$;jh=AKZDs07_3iCeL`u%-4!y 
zj1)z);*D9Fkv&{pMD`(P(Sn`z{kNILgmF|AQ>Fx~k)p~r&_!Sxps=}yWw)gy&=UsY zMmjHGh9k(}7Er&U)bc1G?`P2QN;;0*8<_kG3{H1hYq+PG9gGeMS_!=9sJJ#D`br0S z@hX}uR`z(t4yCO`r^dGRW4sFm824>W4cID5sS^&keP@+a&Dj^7QO)Cu)+s_3bQ8g& zsyCfS6r8`K{rLyHh1NVyz*Wk&mBRl^TDql^L;GZ7m%rO6tFg z%*f#q^we-WNaQ#mhDM)ZgzCghZF)gEP!{q?N$HDY%vc@IDGw!e2*e{uuuzN$B8Wpn zIZmU?qTU>{SH_|~uu163U@$H&Dm6$J1-v8_C8vImD-zoYmBt*+aUV3?B<4+S&^T0I zk`+Ir$6DSaeK9_HeDtRm--Dcme-MLs{N%f*@Duz?znC5V1b%^k>6fGD&!0kOi5C7r zzkPRjdiW#!hJVycZN*{^GW`K;M8kWG%=a$OhW*WaZI1Usdsrz&BSKf(&E$q>MIX9yJIH{Q}2F9SI(pn&uHUtyvO)na0i=;Q~(gH^h{o zuw`ViY-*!oZZZ|pMR5#>-r1J|2O7f2#X8|(;Uyp^|7x^TbZ1wBtM%l)Q62zZEq{76 zmk%2;(r=%Evh&Cx3N4wC)@HR_Wda=j7JMjv$BX#Frj`6=&XLW=M#r=(=gOa^AB&69 zow)R@SWqAn<&G3LoZ8@YX^C_#wjFe>DnT`c`Te+fyL3KVrh^eEUFmEP{3w(LVvOk( zlsdL_M1`dI|+)22Z z5zol?x{Prm<($jglv<{#+~!V z!qzGd>cT>vEY8GRi0yr_t!DWM#NLZ+-Y?k>*(IjW-0&nnl;$TZ=t}al@r@}Z5eI#I z5!l&cK~;vPF#csV%s|;i2ZPySst}prM4~wo5K=1U+CL`wTzNawh_EdnV`rHRZj?=Z z6sLY4tj;(S{XPUg(SfLuT*Kst{mKT68U6Y$M5j}cT)$*oYvY0lOa!ZDkS$NRJV6M ztZ2?!g2_z{XNa@wZ%xv4Dil@DW1;}HS`*4-+$0(dsq>B5*AS(MVk!}aLa z&}q0O-YL=^F9g^%VJ|^LMrtA_5!?dwDr|t%Nvx?<@hz@3(o4}DUYNC*&M}`7weBgJ z&DqJH`mHcV_TJvWUX%;o6>B$-e_lrkfWFIAr{ZLNsv4Gr54jm6fh>E49&W@@ZiU;}` zW~veS0=saQnc2@)?XhdFtoAsD^=9RlT3;+L6{#eDueMVa*P{S()R+^M;6pPv>Mv%w zT(*_wdg4I*vITv}W>C82T$p$p_02X~tqohe^{UbnfD~kXNJn+9OYt~;0eCD4kYF>k zh&Yjuw}4NA=wdwJhI^d!!7GC3tx^EKpm&y61QZOm2z>D$&k$aFYuMx6{mC+!)yj_hUzFCSnU_XVFs#Jn;%;l z_^H{c#kXL#7)NLAhGs0bLBp3{faV$IAZ8nfU2YL^MHk0YJ-$wFSdx#WMz#BDpW*|; zO`8SNCO4ruD{|DM)EtU6pWCVg$Vv}Tgg26EXP1V%*;Tvy%NUDpss+4qWR0`7reVeE7u|U*6mQ zKE&tV{&#Qxdw2WahfV-Oc0|ZZE5-d}WY)wLQ@d0QUZ}(!`oV+5KBBe{cpI}9#Oo7N z>{XdC@b@9hP<9<6%ms=eG5t|K`*ypynlmF| z7>C(5a1;F191CKZzS#~cMVf^(3)x2X2m{bn1#H&nxv zjk@k${3WJ5Hc1WdeX~v9mKS}vdeP6Dit_oy_FP1QZZALQ#KnE6)FKwKrhk(|sy6=+0TL(IUei`hq}Hnx7HF~|(rQD9cp z@Op4HKQ?dtukcw({;Oy+*YgBjBL6)Euoqwc+xz0nhxhW|hxpvffA{j=N5_A;d-0E? 
zxj-eSg8r(?x@-z2E+_U8wX+ULUaZ`ez@cG-aaFo7J`u4GhgtQh5mqE7@g?hueBA51 z5ch&^z7I)HdMhR9`|TvWXUHn1aj}hc?@@j2(o9yXa>)B0iyVJhW86-Y=hg3yFAiB> zFSlis2Zl~jDbl6@E=-VrtvVBKN5}bCPPDZOH+#>Ux{uHQ(Vw@^^d0{!;s3t+YA4A5 zz5DR1&+qXcKFDX|-?ta#3>QC}zDcf(d3n$EO}?iz zD26gVqB30o26JSfn>=NsDr-!OS*gQ4_|L-rMYWNXbErmbkUu{CdwzwyBtQJW`PFyk z>nAS4#EfE3zRv7}vKYS3T;K`9pMCPle|mlIVDgCeEQ2!UmF-Q*LUZ!OjGG7CsZ7D< zzPorOO-y);ulLag?ziB`Yi{>8FuCphgwkQ)x01j9*5KSseo5|b=8M@x`K*|}Y@a;)@x_xr_kVc$(^31C=~*@(ZX0&G+;$WPQ^*R< zfu`G=f%jg1?!WRfE&FALw);+-XQ3UL&saT*DRI?!wqn(}32^`RngOj#wf<)EZL(9p zrd<9dm4^Feg*M-1M9~>pXGrCGV=7l0lxa0|VDw+$JPEk7;mj#NF_3a9ov8IAgOWGo zSp{^U_YA(1N6oCm&G=IeU9|Noy-E6Z0$7!X2-_dGFR~)P+6D#&0=3{MEhgLFXT|X|L!1_qy`G_q ziY1E8I^|Who}``DGe{GaC8(eW0hnixp&C8BD@Xt{8^daY?9|yjIM~|>c1_fMS*Z1a z5bBOl^A5C!gk>{u+m7`;+JAA?H7`N^f*yZ`9jw%To(;47jS{G26m$%Od`!pq#eQ!_`T4o&3MQI`f)E># zY$f*V&MQL%wtRnSGouH5XPS+k&HF}}N;`CI_5kj?)Bg7#+g-nrfTVAbi%lECnkJC* zd6>;Wsv6&*AU(?f80`Wea{!pMI8R1}1s*&DoN)7?n7uB;djiJu&EA6td(|y6Nz2!! z;}3mbcl7j^S`TY$?fs#?*5~!LzOJwJMSZQW>T7*jU+c^IT3^-I`l7zp*Y&kNudnro z`dSa`Ywbp^8L76{P%RRUCDlSFe_gG9d+arAkKOwHvD>gecI!9DZo>xIt=}QL4LfAF zev9ljY?0miJ+j-dM|SHs$!^0Y*{$CtyA8W!uYQ;8HtdqU`dzZyuuJypcgb$UF4?Q! zB@LTouYQv>?2*0tJ<_m6_UgAt!w%W2-ysbfWUqdMH0+PP`u)+cJsvg?5&!zR!Hn>~ zwsR1g%zgG*(%NouGz`=*H)9i%GFC;>k@p z&nEKp;j7*#L$0B{n4fQb4a_iQxodA4`Aj6}jwee}FmXD&c%#CKyB?@nAM;iA`Klh)1;m`jEZ$);&00;*F;YJ&% literal 0 HcmV?d00001 From 6ad4dcf2b455657f3e4aa2f4c1bd299aafb8e855 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Fri, 7 Sep 2018 18:07:31 -0700 Subject: [PATCH 08/12] Update CI env, add some packer changes --- Packer/scripts/debloat-windows.ps1 | 30 +++--- Packer/windows_2016.json | 2 + build.sh | 126 ++++++++++++------------- ci/build_machine_bootstrap.sh | 8 +- ci/circle_workflows/vagrant_changes.sh | 5 +- 5 files changed, 90 insertions(+), 81 deletions(-) diff --git a/Packer/scripts/debloat-windows.ps1 b/Packer/scripts/debloat-windows.ps1 index 686943c..0a58025 100755 --- a/Packer/scripts/debloat-windows.ps1 
+++ b/Packer/scripts/debloat-windows.ps1
@@ -8,21 +8,27 @@ if ($env:PACKER_BUILDER_TYPE -And $($env:PACKER_BUILDER_TYPE).startsWith("hyperv
 (New-Object System.Net.WebClient).DownloadFile($url, "$env:TEMP\debloat.zip")
 Expand-Archive -Path $env:TEMP\debloat.zip -DestinationPath $env:TEMP -Force
- #Write-Host Disable scheduled tasks
- #. $env:TEMP\Debloat-Windows-10-master\utils\disable-scheduled-tasks.ps1
- #Write-Host Block telemetry
- #. $env:TEMP\Debloat-Windows-10-master\scripts\block-telemetry.ps1
- #Write-Host Disable services
- #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-services.ps1
+ # Disable Windows Defender
 Write-host Disable Windows Defender
- #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-windows-defender.ps1
- Uninstall-WindowsFeature Windows-Defender-Features
+ $os = (gwmi win32_operatingsystem).caption
+ if ($os -like "*Windows 10*") {
+ set-MpPreference -DisableRealtimeMonitoring $true
+ } else {
+ Uninstall-WindowsFeature Windows-Defender-Features
+ }
+
+ # Optimize Windows Update
 Write-host Optimize Windows Update
 . $env:TEMP\Debloat-Windows-10-master\scripts\optimize-windows-update.ps1
- #Write-host Disable Windows Update
- #Set-Service wuauserv -StartupType Disabled
- #Write-Host Remove OneDrive
- #. $env:TEMP\Debloat-Windows-10-master\scripts\remove-onedrive.ps1
+ Write-host Disable Windows Update
+ Set-Service wuauserv -StartupType Disabled
+
+ # Turn off shutdown event tracking
+ if ( -Not (Test-Path 'registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability'))
+ {
+ New-Item -Path 'registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT' -Name Reliability -Force
+ }
+ Set-ItemProperty -Path 'registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability' -Name ShutdownReasonOn -Value 0
 rm $env:TEMP\debloat.zip
 rm -recurse $env:TEMP\Debloat-Windows-10-master
diff --git a/Packer/windows_2016.json b/Packer/windows_2016.json
index 355031e..820b2a7 100644
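Review bot: The two Defender branches are not equivalent and the hunk does not say so: on Windows 10 `set-MpPreference -DisableRealtimeMonitoring $true` only switches off real-time scanning, leaving the Defender service, scheduled scans and the remaining preferences in place, whereas the Server branch removes the feature with `Uninstall-WindowsFeature Windows-Defender-Features`. A comment on the `if ($os -like "*Windows 10*") {` line would stop the next reader from assuming both images end up without Defender, e.g. `# Windows 10: Uninstall-WindowsFeature is a Server cmdlet, so only real-time monitoring is disabled here; the Defender service and scheduled scans remain`. Unless $ErrorActionPreference is set to Stop earlier in the script, a failure of Set-MpPreference, Uninstall-WindowsFeature or the registry writes is a non-terminating error and the Packer build continues with Defender still active; adding `-ErrorAction Stop` to those calls makes the build fail loudly instead. The enclosing block starts before the hunk (the hunk header shows an `if` on PACKER_BUILDER_TYPE).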
--- a/Packer/windows_2016.json
+++ b/Packer/windows_2016.json
@@ -32,6 +32,7 @@
 "enable_secure_boot":true
 },
 {
+ "vm_name":"WindowsServer2016",
 "type": "vmware-iso",
 "communicator": "winrm",
 "iso_url": "{{user `iso_url`}}",
@@ -70,6 +71,7 @@
 }
 },
 {
+ "vm_name":"WindowsServer2016",
 "type": "virtualbox-iso",
 "communicator": "winrm",
 "iso_url": "{{user `iso_url`}}",
diff --git a/build.sh b/build.sh
index 962874f..4ae1bbf 100755
--- a/build.sh
+++ b/build.sh
@@ -8,12 +8,12 @@
 # https://github.com/clong/DetectionLab/issues
 print_usage() {
- echo "Usage: ./build.sh "
+ echo "Usage: ./build.sh <--vagrant-only | --packer-only>"
 exit 0
 }
 check_packer_path() {
-# Check for existence of Packer in PATH
+ # Check for existence of Packer in PATH
 if ! which packer >/dev/null; then
 (echo >&2 "Packer was not found in your PATH.")
 (echo >&2 "Please correct this before continuing. Quitting.")
@@ -23,16 +23,16 @@ check_packer_path() {
 }
 check_vagrant_path() {
-# Check for existence of Vagrant in PATH
-if ! which vagrant >/dev/null; then
- (echo >&2 "Vagrant was not found in your PATH.")
- (echo >&2 "Please correct this before continuing. Quitting.")
- exit 1
-fi
-# Ensure Vagrant >= 2.0.0
-if [ "$(vagrant --version | grep -o "[0-9]" | head -1)" -lt 2 ]; then
- (echo >&2 "WARNING: It is highly recommended to use Vagrant 2.0.0 or above before continuing")
-fi
+ # Check for existence of Vagrant in PATH
+ if ! which vagrant >/dev/null; then
+ (echo >&2 "Vagrant was not found in your PATH.")
+ (echo >&2 "Please correct this before continuing. Quitting.")
+ exit 1
+ fi
+ # Ensure Vagrant >= 2.0.0
+ if [ "$(vagrant --version | grep -o "[0-9]" | head -1)" -lt 2 ]; then
+ (echo >&2 "WARNING: It is highly recommended to use Vagrant 2.0.0 or above before continuing")
+ fi
 }
 # Returns 0 if not installed or 1 if installed
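Review bot: The new usage line `echo "Usage: ./build.sh <--vagrant-only | --packer-only>"` omits the provider argument that parse_cli_arguments reads from `$1` (`virtualbox` or `vmware_desktop` in the `case "$1"` hunk further down) and shows the two flags as required, although the `case "$2"` branch only runs when two arguments are given. Suggest `echo "Usage: ./build.sh <virtualbox|vmware_desktop> [--vagrant-only | --packer-only]"`. check_packer_path continues past the end of the hunk; the check_vagrant_path hunk that follows is whitespace only.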
@@ -64,14 +64,14 @@ check_vmware_desktop_vagrant_plugin_installed() {
 fi
 VAGRANT_VMWARE_DESKTOP_PLUGIN_PRESENT="$(vagrant plugin list | grep -c 'vagrant-vmware-desktop')"
 if [ "$VAGRANT_VMWARE_DESKTOP_PLUGIN_PRESENT" -eq 0 ]; then
- (echo >&2 "VMWare Fusion is installed, but the vagrant-vmware-desktop plugin is not.")
- (echo >&2 "If you are seeing this, you may have the deprecated vagrant-vmware-fusion plugin installed. Please remove it and install the vagrant-vmware-desktop plugin.")
- (echo >&2 "Visit https://www.hashicorp.com/blog/introducing-the-vagrant-vmware-desktop-plugin for more information on how to purchase and install it")
- (echo >&2 "VMWare Fusion will not be listed as a provider until the vagrant-vmware-desktop plugin has been installed.")
- echo "0"
-else
- echo "$VAGRANT_VMWARE_DESKTOP_PLUGIN_PRESENT"
-fi
+ (echo >&2 "VMWare Fusion is installed, but the vagrant-vmware-desktop plugin is not.")
+ (echo >&2 "If you are seeing this, you may have the deprecated vagrant-vmware-fusion plugin installed. Please remove it and install the vagrant-vmware-desktop plugin.")
+ (echo >&2 "Visit https://www.hashicorp.com/blog/introducing-the-vagrant-vmware-desktop-plugin for more information on how to purchase and install it")
+ (echo >&2 "VMWare Fusion will not be listed as a provider until the vagrant-vmware-desktop plugin has been installed.")
+ echo "0"
+ else
+ echo "$VAGRANT_VMWARE_DESKTOP_PLUGIN_PRESENT"
+ fi
 }
 # List the available Vagrant providers present on the system
@@ -298,27 +298,27 @@ parse_cli_arguments() {
 # TODO: Check to make sure they actually have their provider installed
 case "$1" in
 virtualbox)
- PROVIDER="$1"
- PACKER_PROVIDER="$1"
- ;;
+ PROVIDER="$1"
+ PACKER_PROVIDER="$1"
+ ;;
 vmware_desktop)
- PROVIDER="$1"
- PACKER_PROVIDER="vmware"
- ;;
+ PROVIDER="$1"
+ PACKER_PROVIDER="vmware"
+ ;;
 *)
- echo "\"$1\" is not a valid provider. Listing available providers:"
- PROVIDER=$(list_providers)
- ;;
+ echo "\"$1\" is not a valid provider. Listing available providers:"
+ PROVIDER=$(list_providers)
+ ;;
 esac
 fi
 if [ $# -eq 2 ]; then
 case "$2" in
 --packer-only)
- PACKER_ONLY=1
- ;;
+ PACKER_ONLY=1
+ ;;
 --vagrant-only)
- VAGRANT_ONLY=1
- ;;
+ VAGRANT_ONLY=1
+ ;;
 *)
 echo -e "\"$2\" is not recognized as an option. Available options are:\\n--packer-only\\n--vagrant-only"
 exit 1
@@ -331,37 +331,37 @@ build_packer_boxes() {
 PACKER_BOXES=("windows_2016" "windows_10")
 if [ "$(hostname)" == "packerwindows10" ]; then # Workaround for CI environment
- (echo >&2 "CI Environment detected. If you are a user and are seeing this, please file an issue on GitHub.")
- RET=$(packer_build_box "windows_10")
- if [ "$RET" -eq 0 ]; then
- (echo >&2 "Good news! The windows_10 box was built with Packer successfully!")
- else
- (echo >&2 "Something went wrong while attempting to build the windows_10 box.")
- (echo >&2 "To file an issue, please visit https://github.com/clong/DetectionLab/issues/")
- exit 1
- fi
- elif [ "$(hostname)" == "packerwindows2016" ]; then # Workaround for CI environment
- (echo >&2 "CI Environment detected. If you are a user and are seeing this, please file an issue on GitHub.")
- RET=$(packer_build_box "windows_2016")
- if [ "$RET" -eq 0 ]; then
- (echo >&2 "Good news! The windows_2016 box was built with Packer successfully!")
- else
- (echo >&2 "Something went wrong while attempting to build the windows_2016 box.")
- (echo >&2 "To file an issue, please visit https://github.com/clong/DetectionLab/issues/")
- exit 1
- fi
+ (echo >&2 "CI Environment detected. If you are a user and are seeing this, please file an issue on GitHub.")
+ RET=$(packer_build_box "windows_10")
+ if [ "$RET" -eq 0 ]; then
+ (echo >&2 "Good news! The windows_10 box was built with Packer successfully!")
 else
- for PACKER_BOX in "${PACKER_BOXES[@]}"; do # Normal user workflow
- RET=$(packer_build_box "$PACKER_BOX")
- if [ "$RET" -eq 0 ]; then
- (echo >&2 "Good news! $PACKER_BOX was built successfully!")
- else
- (echo >&2 "Something went wrong while attempting to build the $PACKER_BOX box.")
- (echo >&2 "To file an issue, please visit https://github.com/clong/DetectionLab/issues/")
- exit 1
- fi
- done
+ (echo >&2 "Something went wrong while attempting to build the windows_10 box.")
+ (echo >&2 "To file an issue, please visit https://github.com/clong/DetectionLab/issues/")
+ exit 1
 fi
+elif [ "$(hostname)" == "packerwindows2016" ]; then # Workaround for CI environment
+(echo >&2 "CI Environment detected. If you are a user and are seeing this, please file an issue on GitHub.")
+RET=$(packer_build_box "windows_2016")
+if [ "$RET" -eq 0 ]; then
+ (echo >&2 "Good news! The windows_2016 box was built with Packer successfully!")
+else
+ (echo >&2 "Something went wrong while attempting to build the windows_2016 box.")
+ (echo >&2 "To file an issue, please visit https://github.com/clong/DetectionLab/issues/")
+ exit 1
+fi
+else
+ for PACKER_BOX in "${PACKER_BOXES[@]}"; do # Normal user workflow
+ RET=$(packer_build_box "$PACKER_BOX")
+ if [ "$RET" -eq 0 ]; then
+ (echo >&2 "Good news! $PACKER_BOX was built successfully!")
+ else
+ (echo >&2 "Something went wrong while attempting to build the $PACKER_BOX box.")
+ (echo >&2 "To file an issue, please visit https://github.com/clong/DetectionLab/issues/")
+ exit 1
+ fi
+done
+fi
 }
 choose_md5_tool() {
@@ -467,7 +467,7 @@ main() {
 build_vagrant_hosts
 post_build_checks
 fi
- }
+}
 main "$@"
 exit 0
diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh
index eca6399..75f7d5f 100755
--- a/ci/build_machine_bootstrap.sh
+++ b/ci/build_machine_bootstrap.sh
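Review bot: The re-indented build_packer_boxes body appears to leave the `elif [ "$(hostname)" == "packerwindows2016" ]; then` branch, its `(echo ...)`/`RET=`/`if`/`fi` lines, the following `else`, `done` and the closing `fi` at column 0 — on those added lines the `+` marker is immediately followed by text, unlike the `packerwindows10` branch whose added lines carry indentation — so the function now mixes two indentation levels for sibling branches. As far as the collapsed layout lets one tell, those lines should be indented like the first branch, which is what the rest of this commit's re-indentation of the file does. The `@@ -467` hunk below only moves main's closing brace and needs no change.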
@@ -51,8 +51,8 @@ if [ "$PACKER_ONLY" -eq 0 ]; then
 # Install Vagrant
 mkdir /opt/vagrant
 cd /opt/vagrant || exit 1
- wget https://releases.hashicorp.com/vagrant/2.1.2/vagrant_2.1.2_x86_64.deb
- dpkg -i vagrant_2.1.2_x86_64.deb
+ wget https://releases.hashicorp.com/vagrant/2.1.4/vagrant_2.1.4_x86_64.deb
+ dpkg -i vagrant_2.1.4_x86_64.deb
 vagrant plugin install vagrant-reload
 # Make the Vagrant instances headless
@@ -64,8 +64,8 @@ if [ "$VAGRANT_ONLY" -eq 0 ]; then
 # Install Packer
 mkdir /opt/packer
 cd /opt/packer || exit 1
- wget https://releases.hashicorp.com/packer/1.2.3/packer_1.2.3_linux_amd64.zip
- unzip packer_1.2.3_linux_amd64.zip
+ wget https://releases.hashicorp.com/packer/1.2.5/packer_1.2.5_linux_amd64.zip
+ unzip packer_1.2.5_linux_amd64.zip
 cp packer /usr/local/bin/packer
 # Make the Packer images headless
diff --git a/ci/circle_workflows/vagrant_changes.sh b/ci/circle_workflows/vagrant_changes.sh
index cf4ff71..27c9d22 100644
--- a/ci/circle_workflows/vagrant_changes.sh
+++ b/ci/circle_workflows/vagrant_changes.sh
@@ -36,7 +36,7 @@ ssh -i ~/.ssh/id_rsa root@"$IP_ADDRESS" 'bash -s' -- < ci/build_machine_bootstra
 ## Waiting for Packet server to post build results
 MINUTES_PAST=0
-while [ "$MINUTES_PAST" -lt 120 ]; do
+while [ "$MINUTES_PAST" -lt 180 ]; do
 STATUS=$(curl $IP_ADDRESS)
 if [ "$STATUS" == "building" ]; then
 echo "$STATUS"
@@ -44,9 +44,10 @@ while [ "$MINUTES_PAST" -lt 120 ]; do
 sleep 300
 ((MINUTES_PAST += 5))
 else
+ scp -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/ || echo "Vagrant log not yet present"
 break
 fi
- if [ "$MINUTES_PAST" -gt 120 ]; then
+ if [ "$MINUTES_PAST" -gt 180 ]; then
 echo "Serer timed out. Uptime: $MINUTES_PAST minutes."
 scp -i ~/.ssh/id_rsa root@"$IP_ADDRESS":/opt/DetectionLab/Vagrant/vagrant_up_*.log /tmp/artifacts/
 curl -X DELETE --header 'Accept: application/json' --header 'X-Auth-Token: '"$PACKET_API_TOKEN" 'https://api.packet.net/devices/'"$DEVICE_ID"
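Review bot: The timeout branch `if [ "$MINUTES_PAST" -gt 180 ]; then` can never run: MINUTES_PAST starts at 0 and grows by 5 inside a loop guarded by `-lt 180`, so the largest value the check ever sees is exactly 180, and the Packet device is never deleted after a timed-out build (the old 120 values had the same flaw, which the bump carries over). Use `if [ "$MINUTES_PAST" -ge 180 ]; then`, or move the check after the loop. The message on the next line also still reads `Serer timed out`. Separately, `STATUS=$(curl $IP_ADDRESS)` is unchanged but unquoted and without `-sf`, so a transient curl failure leaves STATUS empty and the new scp-and-break path is taken as if the build had finished; worth a follow-up.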
From 0f667e38181f01ba7affb926ed8a56eb0a0e59d8 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 8 Sep 2018 09:55:36 -0700 Subject: [PATCH 09/12] Give suricata time to start [ci skip] The pgrep check is failing if Suricata doesn't start fast enough --- Vagrant/bootstrap.sh | 1 + 1 file changed, 1 insertion(+)
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index d85f878..9a519bd 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -360,6 +360,7 @@ install_suricata() {
 suricata-update
 service suricata stop
 service suricata start
+ sleep 3
 # Verify that Suricata is running
 if ! pgrep -f suricata > /dev/null; then
From 48b01104e1fcfab82fae6a314f54689c43927cbb Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 8 Sep 2018 14:18:17 -0700 Subject: [PATCH 10/12] Update README hashes, add donation buttons [ci skip] --- README.md | 17 ++++++++++++----- build.ps1 | 8 ++++---- build.sh | 8 ++++---- 3 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index a46e5e4..b239aee 100644
--- a/README.md
+++ b/README.md
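Review bot: `sleep 3` is a fixed guess, so the `pgrep -f suricata` check that follows still fails on a slow host and adds three seconds on a fast one; a bounded poll in the same place is more robust and still fails closed, e.g. `for _ in $(seq 1 15); do pgrep -f suricata >/dev/null && break; sleep 1; done`. Note that `-f` matches the substring anywhere in a command line, so any other process whose command line mentions suricata would also satisfy the check; if the service writes a pid file, testing that is the more precise signal. install_suricata continues outside the hunk.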
@@ -1,6 +1,13 @@
 # Detection Lab
 CircleCI: [![CircleCI](https://circleci.com/gh/clong/DetectionLab/tree/master.svg?style=svg)](https://circleci.com/gh/clong/DetectionLab/tree/master)
+#### Donate to the project:
+
+All of the infrastructure, building, and testing of DetectionLab is currently funded by myself in my spare time. If you find this project useful, feel free to buy me a coffee using one of the buttons below!
+
+[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](paypal.me/clong0)
+[![Donate](https://img.shields.io/badge/Donate-Crypto-blue.svg)](https://commerce.coinbase.com/checkout/838ac7a2-7b9d-4d40-b475-fd1015fdaacd)
+
 ## Purpose
 This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
@@ -56,10 +63,10 @@ Windows users will want to use the following script:
 Provider | Box | URL | MD5 | Size
 ------------|-----|-----|----|----
-Virtualbox |Windows 2016 | https://www.detectionlab.network/windows_2016_virtualbox.box | f352c852ed1b849dab18442caef83712 | 6.4GB
-Virtualbox | Windows 10 | https://www.detectionlab.network/windows_10_virtualbox.box | ad78b3406dd2c0e3418d1dd61e2abc2c | 5.8GB
-VMware | Windows 2016 | https://www.detectionlab.network/windows_2016_vmware.box | da1111c765b2fdc2ce012b6348cf74e2 | 6.7GB
-VMware | Windows 10 | https://www.detectionlab.network/windows_10_vmware.box | 14e1c4cc15e1dc47aead906b25c5b3cc | 6.0GB
+Virtualbox |Windows 2016 | https://www.detectionlab.network/windows_2016_virtualbox.box | 2a0b5dbc432e27a0223da026cc1f378b | 6.4GB
+Virtualbox | Windows 10 | https://www.detectionlab.network/windows_10_virtualbox.box | 94c1ff7264e67af3d7df6d19275086ac | 5.8GB
+VMware | Windows 2016 | https://www.detectionlab.network/windows_2016_vmware.box | 634628e04a1c6c94b4036b76d0568948 | 6.7GB
+VMware | Windows 10 | https://www.detectionlab.network/windows_10_vmware.box | 7d26d3247162dfbf6026fd5bab6a21ee | 6.0GB
 If you choose to download the boxes, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.
@@ -143,7 +150,7 @@ Vagrant commands must be run from the "Vagrant" folder.
 * Fleet osquery Manager
 * Mitre's Caldera Server
 * Bro
- * Suricata
+ * Suricata
 ## Splunk Indexes
 Index Name | Description
diff --git a/build.ps1 b/build.ps1
index b2611d3..c908d6b 100644
--- a/build.ps1
+++ b/build.ps1
@@ -180,12 +180,12 @@ function list_providers {
 function download_boxes {
 Write-Verbose '[download_boxes] Running..'
 if ($PackerProvider -eq 'virtualbox') {
- $win10Hash = 'ad78b3406dd2c0e3418d1dd61e2abc2c'
- $win2016Hash = 'f352c852ed1b849dab18442caef83712'
+ $win10Hash = '94c1ff7264e67af3d7df6d19275086ac'
+ $win2016Hash = '2a0b5dbc432e27a0223da026cc1f378b'
 }
 if ($PackerProvider -eq 'vmware') {
- $win10Hash = '14e1c4cc15e1dc47aead906b25c5b3cc'
- $win2016Hash = 'da1111c765b2fdc2ce012b6348cf74e2'
+ $win10Hash = '7d26d3247162dfbf6026fd5bab6a21ee'
+ $win2016Hash = '634628e04a1c6c94b4036b76d0568948'
 }
 $win10Filename = "windows_10_$PackerProvider.box"
diff --git a/build.sh b/build.sh
index 4ae1bbf..d971589 100755
--- a/build.sh
+++ b/build.sh
@@ -397,19 +397,19 @@ download_boxes() {
 fi
 # Verify hashes of VirtualBox boxes
 if [ "$PACKER_PROVIDER" == "virtualbox" ]; then
- if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PACKER_PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "ad78b3406dd2c0e3418d1dd61e2abc2c" ]; then
+ if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PACKER_PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "94c1ff7264e67af3d7df6d19275086ac" ]; then
 (echo >&2 "Hash mismatch on windows_10_virtualbox.box")
 fi
- if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PACKER_PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "f352c852ed1b849dab18442caef83712" ]; then
+ if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PACKER_PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "2a0b5dbc432e27a0223da026cc1f378b" ]; then
 (echo >&2 "Hash mismatch on windows_2016_virtualbox.box")
 fi
 # Verify hashes of VMware boxes
 elif [ "$PACKER_PROVIDER" == "vmware" ]; then
- if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PACKER_PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "14e1c4cc15e1dc47aead906b25c5b3cc" ]; then
+ if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_10_"$PACKER_PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "7d26d3247162dfbf6026fd5bab6a21ee" ]; then
 (echo >&2 "Hash mismatch on windows_10_vmware.box")
 exit 1
 fi
- if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PACKER_PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "da1111c765b2fdc2ce012b6348cf74e2" ]; then
+ if [ "$("$MD5TOOL" "$DL_DIR"/Boxes/windows_2016_"$PACKER_PROVIDER".box | cut -d ' ' -f "$CUT_INDEX")" != "634628e04a1c6c94b4036b76d0568948" ]; then
 (echo >&2 "Hash mismatch on windows_2016_vmware.box")
 exit 1
 fi
From a6bcbab794c579355dda492460964eb89fb23c71 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Sat, 8 Sep 2018 17:39:50 -0700
Subject: [PATCH 11/12] Fix typo in bootstrap [ci skip]
---
 Vagrant/bootstrap.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 9a519bd..379d366 100644
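Review bot: A hash mismatch on the VirtualBox boxes is reported but not fatal: the two `(echo >&2 "Hash mismatch on windows_10_virtualbox.box")` and `(echo >&2 "Hash mismatch on windows_2016_virtualbox.box")` branches lack the `exit 1` that both VMware branches have, so an incomplete or tampered download is still imported and provisioned. Adding `exit 1` after each of those two echoes makes the VirtualBox path as strict as the VMware one. The digests compared here are MD5, which is not collision-resistant; publishing SHA-256 sums instead (with `$MD5TOOL` and `$CUT_INDEX` adjusted to match) would make the check meaningful against a deliberately crafted box rather than only a corrupted one. The same four values are duplicated in build.ps1 and the README table in this patch, so a single shared source for them would keep the three from drifting apart. download_boxes() continues past the end of this hunk.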
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -104,7 +104,7 @@ install_splunk() {
 cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
 cp /opt/splunk/etc/system/default/limits.conf /opt/splunk/etc/system/local/limits.conf
 # Bump the memtable limits to allow for the ASN lookup table
- sed -i .bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
+ sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
 # Skip Splunk Tour and Change Password Dialog
 touch /opt/splunk/etc/.ui_login
 # Enable SSL Login for Splunk
From 63e4b29e4aa6fc72dc0a1def1528c203489d0131 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Thu, 13 Sep 2018 10:40:00 -0700
Subject: [PATCH 12/12] Add boot timeout to win10 host in Vagrantfile [ci skip]
---
 Vagrant/Vagrantfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 1276cae..873e98d 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -156,6 +156,7 @@ Vagrant.configure("2") do |config|
 config.vm.define "win10" do |cfg|
 cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
 cfg.vm.hostname = "win10"
+ cfg.vm.boot_timeout = 600
 cfg.vm.communicator = "winrm"
 cfg.winrm.basic_auth_only = true
 cfg.winrm.timeout = 300
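Review bot: `cfg.vm.boot_timeout = 600` is a bare number whose unit and rationale are not stated; a one-line comment such as `# Windows guests boot slowly on first up: give WinRM 10 minutes (value is seconds) before Vagrant gives up` would save the next reader a lookup. The setting is added only to the win10 definition in this hunk; if the Windows 2016 guests in this Vagrantfile go through the same WinRM boot path, they presumably hit the same default timeout and would benefit from the same setting. The enclosing `config.vm.define "win10"` block continues past the end of the hunk.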